rm -f regress/unittests/pkcs11/*.o

	rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)

	rm -f regress/unittests/pkcs11/*.o

	rm -f regress/unittests/pkcs11/test_pkcs11

	$(MKDIR_P) `pwd`/regress/unittests/pkcs11

regress/soft-pkcs11.so: $(srcdir)/regress/soft-pkcs11.c $(REGRESSLIBS)

	$(CC) $(CFLAGS) $(CPPFLAGS) -fpic -c $(srcdir)/regress/soft-pkcs11.c \

	 -o $(srcdir)/regress/soft-pkcs11.o

	$(CC) -shared -o $@ $(srcdir)/regress/soft-pkcs11.o

UNITTESTS_TEST_PKCS11_OBJS=\

	regress/unittests/pkcs11/tests.o

regress/unittests/pkcs11/test_pkcs11$(EXEEXT): \

    ${UNITTESTS_TEST_PKCS11_OBJS} \

    regress/unittests/test_helper/libtest_helper.a libssh.a

	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_PKCS11_OBJS) \

	    regress/unittests/test_helper/libtest_helper.a \

	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

	regress/soft-pkcs11.so \

	regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \

SCARD_MSG="yes"

			SCARD_MSG="no"

# Check whether we have a p11-kit, we got default provider on command line

DEFAULT_PKCS11_PROVIDER_MSG="no"

AC_ARG_WITH([default-pkcs11-provider],

	[  --with-default-pkcs11-provider[[=PATH]]   Use default pkcs11 provider (p11-kit detected by default)],

	[ if test "x$withval" != "xno" && test "x$disable_pkcs11" = "x"; then

		if test "x$withval" = "xyes" ; then

			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])

			if test "x$PKGCONFIG" != "xno"; then

				AC_MSG_CHECKING([if $PKGCONFIG knows about p11-kit])

				if "$PKGCONFIG" "p11-kit-1"; then

					AC_MSG_RESULT([yes])

					use_pkgconfig_for_p11kit=yes

				else

					AC_MSG_RESULT([no])

				fi

			fi

		else

			PKCS11_PATH="${withval}"

		fi

		if test "x$use_pkgconfig_for_p11kit" = "xyes"; then

			PKCS11_PATH=`$PKGCONFIG --variable=proxy_module p11-kit-1`

		fi

		AC_CHECK_FILE("$PKCS11_PATH",

			[ AC_DEFINE_UNQUOTED([PKCS11_DEFAULT_PROVIDER], ["$PKCS11_PATH"], [Path to default PKCS#11 provider (p11-kit proxy)])

			  DEFAULT_PKCS11_PROVIDER_MSG="$PKCS11_PATH"

			],

			[ AC_MSG_ERROR([Requested PKCS11 provided not found]) ]

		)

	else

		AC_MSG_WARN([Needs PKCS11 support to enable default pkcs11 provider])

	fi ]

)

echo "          Default PKCS#11 provider: $DEFAULT_PKCS11_PROVIDER_MSG"

		pkcs11 \

		agent-pkcs11 \

		$$V ${.OBJDIR}/unittests/pkcs11/test_pkcs11 ; \

# requires ssh-agent built with correct path to ssh-pkcs11-helper

# otherwise it fails to start the helper

strings ${TEST_SSH_SSHAGENT} | grep "$TEST_SSH_SSHPKCS11HELPER"

if [ $? -ne 0 ]; then

	fatal "Needs to reconfigure with --libexecdir=\`pwd\` or so"

fi

/*

 * Copyright (c) 2004, Stockholms universitet

 * (Stockholm University, Stockholm Sweden)

 * All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 *

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 *

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 *

 * 3. Neither the name of the university nor the names of its contributors

 *    may be used to endorse or promote products derived from this software

 *    without specific prior written permission.

 *

 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"

 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

 * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE

 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

 * POSSIBILITY OF SUCH DAMAGE.

 */

/* $Id: locl.h,v 1.5 2005/08/28 15:30:31 lha Exp $ */

#ifdef HAVE_CONFIG_H

#include <config.h>

#endif

#include <openssl/err.h>

#include <openssl/evp.h>

#include <openssl/pem.h>

#include <openssl/rand.h>

#include <openssl/x509.h>

#include "../libcrypto-compat.h"

#include <ctype.h>

#include <errno.h>

#include <pwd.h>

#include <stdarg.h>

#define _GNU_SOURCE

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include "../pkcs11.h"

#define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R)			\

{									\

  unsigned char *p;							\

  (BL) = i2d_##T((S), NULL);						\

  if ((BL) <= 0) {							\

     (R) = EINVAL;							\

  } else {								\

    (B) = malloc((BL));							\

    if ((B) == NULL) {							\

       (R) = ENOMEM;							\

    } else {								\

        p = (B);							\

        (R) = 0;							\

        (BL) = i2d_##T((S), &p);					\

        if ((BL) <= 0) {						\

           free((B));                                          		\

           (R) = EINVAL;						\

        }								\

    }									\

  }									\

}

#

#  Copyright (c) 2017 Red Hat

#

#  Authors: Jakub Jelen <jjelen@redhat.com>

#

#  Permission to use, copy, modify, and distribute this software for any

#  purpose with or without fee is hereby granted, provided that the above

#  copyright notice and this permission notice appear in all copies.

#

#  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

#  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

#  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

#  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

#  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

#  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

#  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

tid="pkcs11 tests with soft token"

TEST_SSH_PIN=""

TEST_SSH_PKCS11=$OBJ/soft-pkcs11.so

test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"

# requires ssh-agent built with correct path to ssh-pkcs11-helper

# otherwise it fails to start the helper

strings ${TEST_SSH_SSHAGENT} | grep "$TEST_SSH_SSHPKCS11HELPER"

if [ $? -ne 0 ]; then

	fatal "Needs to reconfigure with --libexecdir=\`pwd\` or so"

fi

# setup environment for soft-pkcs11 token

SOFTPKCS11RC=$OBJ/pkcs11.info

rm -f $SOFTPKCS11RC

export SOFTPKCS11RC

# prevent ssh-agent from calling ssh-askpass

SSH_ASKPASS=/usr/bin/true

export SSH_ASKPASS

unset DISPLAY

# start command w/o tty, so ssh accepts pin from stdin (from agent-pkcs11.sh)

notty() {

	perl -e 'use POSIX; POSIX::setsid();

	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"

}

create_key() {

	ID=$1

	LABEL=$2

	rm -f $OBJ/pkcs11-${ID}.key $OBJ/pkcs11-${ID}.crt

	openssl genrsa -out $OBJ/pkcs11-${ID}.key 2048 > /dev/null 2>&1

	chmod 600 $OBJ/pkcs11-${ID}.key

	openssl req -key $OBJ/pkcs11-${ID}.key -new -x509 \

	    -out $OBJ/pkcs11-${ID}.crt -text -subj '/CN=pkcs11 test' >/dev/null

	printf "${ID}\t${LABEL}\t$OBJ/pkcs11-${ID}.crt\t$OBJ/pkcs11-${ID}.key\n" \

	    >> $SOFTPKCS11RC

}

trace "Create a key pairs on soft token"

ID1="02"

ID2="04"

create_key "$ID1" "SSH RSA Key"

create_key "$ID2" "SSH RSA Key 2"

trace "List the keys in the ssh-keygen with PKCS#11 URIs"

${SSHKEYGEN} -D ${TEST_SSH_PKCS11} > $OBJ/token_keys

if [ $? -ne 0 ]; then

	fail "keygen fails to enumerate keys on PKCS#11 token"

fi

grep "pkcs11:" $OBJ/token_keys > /dev/null

if [ $? -ne 0 ]; then

	fail "The keys from ssh-keygen do not contain PKCS#11 URI as a comment"

fi

tail -n 1 $OBJ/token_keys > $OBJ/authorized_keys_$USER

trace "Simple connect with ssh (without PKCS#11 URI)"

echo ${TEST_SSH_PIN} | notty ${SSH} -I ${TEST_SSH_PKCS11} \

    -F $OBJ/ssh_proxy somehost exit 5

r=$?

if [ $r -ne 5 ]; then

	fail "ssh connect with pkcs11 failed (exit code $r)"

fi

trace "Connect with PKCS#11 URI"

trace "  (second key should succeed)"

echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

    -i "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" somehost exit 5

r=$?

if [ $r -ne 5 ]; then

	fail "ssh connect with PKCS#11 URI failed (exit code $r)"

fi

trace "  (first key should fail)"

echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

     -i "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" somehost exit 5

r=$?

if [ $r -eq 5 ]; then

	fail "ssh connect with PKCS#11 URI succeeded (should fail)"

fi

trace "Connect with various filtering options in PKCS#11 URI"

trace "  (by object label, second key should succeed)"

echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

    -i "pkcs11:object=SSH%20RSA%20Key%202?module-path=${TEST_SSH_PKCS11}" somehost exit 5

r=$?

if [ $r -ne 5 ]; then

	fail "ssh connect with PKCS#11 URI failed (exit code $r)"

fi

trace "  (by object label, first key should fail)"

echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

     -i "pkcs11:object=SSH%20RSA%20Key?module-path=${TEST_SSH_PKCS11}" somehost exit 5

r=$?

if [ $r -eq 5 ]; then

	fail "ssh connect with PKCS#11 URI succeeded (should fail)"

fi

trace "  (by token label, second key should succeed)"

echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

    -i "pkcs11:id=${ID2};token=SoftToken%20(token)?module-path=${TEST_SSH_PKCS11}" somehost exit 5

r=$?

if [ $r -ne 5 ]; then

	fail "ssh connect with PKCS#11 URI failed (exit code $r)"

fi

trace "  (by wrong token label, should fail)"

echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

     -i "pkcs11:token=SoftToken?module-path=${TEST_SSH_PKCS11}" somehost exit 5

r=$?

if [ $r -eq 5 ]; then

	fail "ssh connect with PKCS#11 URI succeeded (should fail)"

fi

trace "Test PKCS#11 URI specification in configuration files"

echo "IdentityFile pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \

    >> $OBJ/ssh_proxy

trace "  (second key should succeed)"

echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5

r=$?

if [ $r -ne 5 ]; then

	fail "ssh connect with PKCS#11 URI in config failed (exit code $r)"

fi

trace "  (first key should fail)"

head -n 1 $OBJ/token_keys > $OBJ/authorized_keys_$USER

echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5

r=$?

if [ $r -eq 5 ]; then

	fail "ssh connect with PKCS#11 URI in config succeeded (should fail)"

fi

sed -i -e "/IdentityFile/d" $OBJ/ssh_proxy

trace "Test PKCS#11 URI specification in configuration files with bogus spaces"

echo "IdentityFile     pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}    " \

    >> $OBJ/ssh_proxy

echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5

r=$?

if [ $r -ne 5 ]; then

	fail "ssh connect with PKCS#11 URI with bogus spaces in config failed" \

	    "(exit code $r)"

fi

sed -i -e "/IdentityFile/d" $OBJ/ssh_proxy

trace "Combination of PKCS11Provider and PKCS11URI on commandline"

trace "  (first key should succeed)"

echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

    -i "pkcs11:id=${ID1}" -I ${TEST_SSH_PKCS11} somehost exit 5

r=$?

if [ $r -ne 5 ]; then

	fail "ssh connect with PKCS#11 URI and provider combination" \

	    "failed (exit code $r)"

fi

trace "Regress: Missing provider in PKCS11URI option"

${SSH} -F $OBJ/ssh_proxy \

    -o IdentityFile='pkcs11:token=segfault' somehost exit 5

r=$?

if [ $r -eq 139 ]; then

	fail "ssh connect with missing provider_id from configuration option" \

	    "crashed (exit code $r)"

fi

trace "SSH Agent can work with PKCS#11 URI"

trace "start the agent"

eval `${SSHAGENT} -s -P "${OBJ}/*"` > /dev/null

r=$?

if [ $r -ne 0 ]; then

	fail "could not start ssh-agent: exit code $r"

else

	trace "add whole provider to agent"

	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

	    "pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

	r=$?

	if [ $r -ne 0 ]; then

		fail "ssh-add failed with whole provider: exit code $r"

	fi

	trace " pkcs11 list via agent (all keys)"

	${SSHADD} -l > /dev/null 2>&1

	r=$?

	if [ $r -ne 0 ]; then

		fail "ssh-add -l failed with whole provider: exit code $r"

	fi

	trace " pkcs11 connect via agent (all keys)"

	${SSH} -F $OBJ/ssh_proxy somehost exit 5

	r=$?

	if [ $r -ne 5 ]; then

		fail "ssh connect failed with whole provider (exit code $r)"

	fi

	trace " remove pkcs11 keys (all keys)"

	${SSHADD} -d "pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

	r=$?

	if [ $r -ne 0 ]; then

		fail "ssh-add -d failed with whole provider: exit code $r"

	fi

	trace "add only first key to the agent"

	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

	    "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

	r=$?

	if [ $r -ne 0 ]; then

		fail "ssh-add failed with first key: exit code $r"

	fi

	trace " pkcs11 connect via agent (first key)"

	${SSH} -F $OBJ/ssh_proxy somehost exit 5

	r=$?

	if [ $r -ne 5 ]; then

		fail "ssh connect failed with first key (exit code $r)"

	fi

	trace " remove first pkcs11 key"

	${SSHADD} -d "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" \

	    > /dev/null 2>&1

	r=$?

	if [ $r -ne 0 ]; then

		fail "ssh-add -d failed with first key: exit code $r"

	fi

	trace "add only second key to the agent"

	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

	    "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

	r=$?

	if [ $r -ne 0 ]; then

		fail "ssh-add failed with second key: exit code $r"

	fi

	trace " pkcs11 connect via agent (second key should fail)"

	${SSH} -F $OBJ/ssh_proxy somehost exit 5

	r=$?

	if [ $r -eq 5 ]; then

		fail "ssh connect passed without key (should fail)"

	fi

	trace " remove second pkcs11 key"

	${SSHADD} -d "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \

	    > /dev/null 2>&1

	r=$?

	if [ $r -ne 0 ]; then

		fail "ssh-add -d failed with second key: exit code $r"

	fi

	trace " remove already-removed pkcs11 key should fail"

	${SSHADD} -d "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" \

	    > /dev/null 2>&1

	r=$?

	if [ $r -eq 0 ]; then

		fail "ssh-add -d passed with non-existing key (should fail)"

	fi

	trace "kill agent"

	${SSHAGENT} -k > /dev/null

fi

rm -rf $OBJ/.tokens $OBJ/token_keys

/*

 * Copyright (c) 2004-2006, Stockholms universitet

 * (Stockholm University, Stockholm Sweden)

 * All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 *

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 *

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 *

 * 3. Neither the name of the university nor the names of its contributors

 *    may be used to endorse or promote products derived from this software

 *    without specific prior written permission.

 *

 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"

 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

 * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE

 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

 * POSSIBILITY OF SUCH DAMAGE.

 */

#include "locl.h"

/* RCSID("$Id: main.c,v 1.24 2006/01/11 12:42:53 lha Exp $"); */

#define OBJECT_ID_MASK		0xfff

#define HANDLE_OBJECT_ID(h)	((h) & OBJECT_ID_MASK)

#define OBJECT_ID(obj)		HANDLE_OBJECT_ID((obj)->object_handle)

#if OPENSSL_VERSION_NUMBER < 0x10100000L

 #define RSA_PKCS1_SSLeay RSA_PKCS1_OpenSSL

#endif

struct st_attr {

    CK_ATTRIBUTE attribute;

    int secret;

};

struct st_object {

    CK_OBJECT_HANDLE object_handle;

    struct st_attr *attrs;

    int num_attributes;

    enum {

	STO_T_CERTIFICATE,

	STO_T_PRIVATE_KEY,

	STO_T_PUBLIC_KEY

    } type;

    union {

	X509 *cert;

	EVP_PKEY *public_key;

	struct {

	    const char *file;

	    EVP_PKEY *key;

	    X509 *cert;

	} private_key;

    } u;

};

static struct soft_token {

    CK_VOID_PTR application;

    CK_NOTIFY notify;

    struct {

	struct st_object **objs;

	int num_objs;

    } object;

    struct {

	int hardware_slot;

	int app_error_fatal;

	int login_done;

    } flags;

    int open_sessions;

    struct session_state {

	CK_SESSION_HANDLE session_handle;

	struct {

	    CK_ATTRIBUTE *attributes;

	    CK_ULONG num_attributes;

	    int next_object;

	} find;

	int encrypt_object;

	CK_MECHANISM_PTR encrypt_mechanism;

	int decrypt_object;

	CK_MECHANISM_PTR decrypt_mechanism;

	int sign_object;

	CK_MECHANISM_PTR sign_mechanism;

	int verify_object;

	CK_MECHANISM_PTR verify_mechanism;

	int digest_object;

    } state[10];

#define MAX_NUM_SESSION (sizeof(soft_token.state)/sizeof(soft_token.state[0]))

    FILE *logfile;

} soft_token;

static void

application_error(const char *fmt, ...)

{

    va_list ap;

    va_start(ap, fmt);

    vprintf(fmt, ap);

    va_end(ap);

    if (soft_token.flags.app_error_fatal)

	abort();

}

static void

st_logf(const char *fmt, ...)

{

    va_list ap;

    if (soft_token.logfile == NULL)

	return;

    va_start(ap, fmt);

    vfprintf(soft_token.logfile, fmt, ap);

    va_end(ap);

    fflush(soft_token.logfile);

}

static void

snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)

{

    int len;

    va_list ap;

    len = vsnprintf(str, size, fmt, ap);

    va_end(ap);

    if (len < 0 || len > (int) size)

	return;

    while(len < (int) size)

	str[len++] = fillchar;

}

#ifndef TEST_APP

#define printf error_use_st_logf

#endif

#define VERIFY_SESSION_HANDLE(s, state)			\

{							\

    CK_RV ret;						\

    ret = verify_session_handle(s, state);		\

    if (ret != CKR_OK) {				\

	/* return CKR_OK */;				\

    }							\

}

static CK_RV

verify_session_handle(CK_SESSION_HANDLE hSession,

		      struct session_state **state)

{

    size_t i;

    for (i = 0; i < MAX_NUM_SESSION; i++){

	if (soft_token.state[i].session_handle == hSession)

	    break;

    }

    if (i == MAX_NUM_SESSION) {

	application_error("use of invalid handle: 0x%08lx\n",

			  (unsigned long)hSession);

	return CKR_SESSION_HANDLE_INVALID;

    }

    if (state)

	*state = &soft_token.state[i];

    return CKR_OK;

}

static CK_RV

object_handle_to_object(CK_OBJECT_HANDLE handle,

			struct st_object **object)

{

    int i = HANDLE_OBJECT_ID(handle);

    *object = NULL;

    if (i >= soft_token.object.num_objs)

	return CKR_ARGUMENTS_BAD;

    if (soft_token.object.objs[i] == NULL)

	return CKR_ARGUMENTS_BAD;

    if (soft_token.object.objs[i]->object_handle != handle)

	return CKR_ARGUMENTS_BAD;

    *object = soft_token.object.objs[i];

    return CKR_OK;

}

static int

attributes_match(const struct st_object *obj,

		 const CK_ATTRIBUTE *attributes,

		 CK_ULONG num_attributes)

{

    CK_ULONG i;

    int j;

    st_logf("attributes_match: %ld\n", (unsigned long)OBJECT_ID(obj));

    for (i = 0; i < num_attributes; i++) {

	int match = 0;

	for (j = 0; j < obj->num_attributes; j++) {

	    if (attributes[i].type == obj->attrs[j].attribute.type &&

		attributes[i].ulValueLen == obj->attrs[j].attribute.ulValueLen &&

		memcmp(attributes[i].pValue, obj->attrs[j].attribute.pValue,

		       attributes[i].ulValueLen) == 0) {

		match = 1;

		break;

	    }

	}

	if (match == 0) {

	    st_logf("type %d attribute have no match\n", attributes[i].type);

	    return 0;

	}

    }

    st_logf("attribute matches\n");

    return 1;

}

static void

print_attributes(const CK_ATTRIBUTE *attributes,

		 CK_ULONG num_attributes)

{

    CK_ULONG i;

    st_logf("find objects: attrs: %lu\n", (unsigned long)num_attributes);

    for (i = 0; i < num_attributes; i++) {

	st_logf("  type: ");

	switch (attributes[i].type) {

	case CKA_TOKEN: {

	    CK_BBOOL *ck_true;

	    if (attributes[i].ulValueLen != sizeof(CK_BBOOL)) {

		application_error("token attribute wrong length\n");

		break;

	    }

	    ck_true = attributes[i].pValue;

	    st_logf("token: %s", *ck_true ? "TRUE" : "FALSE");

	    break;

	}

	case CKA_CLASS: {

	    CK_OBJECT_CLASS *class;

	    if (attributes[i].ulValueLen != sizeof(CK_ULONG)) {

		application_error("class attribute wrong length\n");

		break;

	    }

	    class = attributes[i].pValue;

	    st_logf("class ");

	    switch (*class) {

	    case CKO_CERTIFICATE:

		st_logf("certificate");

		break;

	    case CKO_PUBLIC_KEY:

		st_logf("public key");

		break;

	    case CKO_PRIVATE_KEY:

		st_logf("private key");

		break;

	    case CKO_SECRET_KEY:

		st_logf("secret key");

		break;

	    case CKO_DOMAIN_PARAMETERS:

		st_logf("domain parameters");

		break;

	    default:

		st_logf("[class %lx]", (long unsigned)*class);

		break;

	    }

	    break;

	}

	case CKA_PRIVATE:

	    st_logf("private");

	    break;

	case CKA_LABEL:

	    st_logf("label");

	    break;

	case CKA_APPLICATION:

	    st_logf("application");

	    break;

	case CKA_VALUE:

	    st_logf("value");

	    break;

	case CKA_ID:

	    st_logf("id");

	    break;

	default:

	    st_logf("[unknown 0x%08lx]", (unsigned long)attributes[i].type);

	    break;

	}

	st_logf("\n");

    }

}

static struct st_object *

add_st_object(void)

{

    struct st_object *o, **objs;

    int i;

    o = malloc(sizeof(*o));

    if (o == NULL)

	return NULL;

    memset(o, 0, sizeof(*o));

    o->attrs = NULL;

    o->num_attributes = 0;

    for (i = 0; i < soft_token.object.num_objs; i++) {

	if (soft_token.object.objs == NULL) {

	    soft_token.object.objs[i] = o;

	    break;

	}

    }

    if (i == soft_token.object.num_objs) {

	objs = realloc(soft_token.object.objs,

		       (soft_token.object.num_objs + 1) * sizeof(soft_token.object.objs[0]));

	if (objs == NULL) {

	    free(o);

	    return NULL;

	}

	soft_token.object.objs = objs;

	soft_token.object.objs[soft_token.object.num_objs++] = o;

    }	

    soft_token.object.objs[i]->object_handle =

	(random() & (~OBJECT_ID_MASK)) | i;

    return o;

}

static CK_RV

add_object_attribute(struct st_object *o,

		     int secret,

		     CK_ATTRIBUTE_TYPE type,

		     CK_VOID_PTR pValue,

		     CK_ULONG ulValueLen)

{

    struct st_attr *a;

    int i;

    i = o->num_attributes;

    a = realloc(o->attrs, (i + 1) * sizeof(o->attrs[0]));

    if (a == NULL)

	return CKR_DEVICE_MEMORY;

    o->attrs = a;

    o->attrs[i].secret = secret;

    o->attrs[i].attribute.type = type;

    o->attrs[i].attribute.pValue = malloc(ulValueLen);

    if (o->attrs[i].attribute.pValue == NULL && ulValueLen != 0)

	return CKR_DEVICE_MEMORY;

    memcpy(o->attrs[i].attribute.pValue, pValue, ulValueLen);

    o->attrs[i].attribute.ulValueLen = ulValueLen;

    o->num_attributes++;

    return CKR_OK;

}

static CK_RV

add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)

{

    switch (key_type) {

    case CKK_RSA: {

	CK_BYTE *modulus = NULL;

	size_t modulus_len = 0;

	CK_ULONG modulus_bits = 0;

	CK_BYTE *exponent = NULL;

	size_t exponent_len = 0;

	RSA* rsa = NULL;

	const BIGNUM *n = NULL, *e = NULL;

	rsa = EVP_PKEY_get0_RSA(key);

	RSA_get0_key(rsa, &n, &e, NULL);

	modulus_bits = BN_num_bits(n);

	modulus_len = BN_num_bytes(n);

	modulus = malloc(modulus_len);

	BN_bn2bin(n, modulus);

	exponent_len = BN_num_bytes(e);

	exponent = malloc(exponent_len);

	BN_bn2bin(e, exponent);

	add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);

	add_object_attribute(o, 0, CKA_MODULUS_BITS,

			     &modulus_bits, sizeof(modulus_bits));

	add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,

			     exponent, exponent_len);

	RSA_set_method(rsa, RSA_PKCS1_OpenSSL());

	free(modulus);

	free(exponent);

    }

    default:

	/* XXX */

	break;

    }

    return CKR_OK;

}

static int

pem_callback(char *buf, int num, int w, void *key)

{

    return -1;

}

static CK_RV

add_certificate(char *label,

		const char *cert_file,

		const char *private_key_file,

		char *id,

		int anchor)

{

    struct st_object *o = NULL;

    CK_BBOOL bool_true = CK_TRUE;

    CK_BBOOL bool_false = CK_FALSE;

    CK_OBJECT_CLASS c;

    CK_CERTIFICATE_TYPE cert_type = CKC_X_509;

    CK_KEY_TYPE key_type;

    CK_MECHANISM_TYPE mech_type;

    void *cert_data = NULL;

    size_t cert_length;

    void *subject_data = NULL;

    size_t subject_length;

    void *issuer_data = NULL;

    size_t issuer_length;

    void *serial_data = NULL;

    size_t serial_length;

    CK_RV ret = CKR_GENERAL_ERROR;

    X509 *cert;

    EVP_PKEY *public_key;

    size_t id_len = strlen(id);

    {

	FILE *f;

	f = fopen(cert_file, "r");

	if (f == NULL) {

	    st_logf("failed to open file %s\n", cert_file);

	    return CKR_GENERAL_ERROR;

	}

	cert = PEM_read_X509(f, NULL, NULL, NULL);

	fclose(f);

	if (cert == NULL) {

	    st_logf("failed reading PEM cert\n");

	    return CKR_GENERAL_ERROR;

	}

	OPENSSL_ASN1_MALLOC_ENCODE(X509, cert_data, cert_length, cert, ret);

	if (ret)

	    goto out;

	OPENSSL_ASN1_MALLOC_ENCODE(X509_NAME, issuer_data, issuer_length,

				   X509_get_issuer_name(cert), ret);

	if (ret)

	    goto out;

	OPENSSL_ASN1_MALLOC_ENCODE(X509_NAME, subject_data, subject_length,

				   X509_get_subject_name(cert), ret);

	if (ret)

	    goto out;

	OPENSSL_ASN1_MALLOC_ENCODE(ASN1_INTEGER, serial_data, serial_length,

				   X509_get_serialNumber(cert), ret);

	if (ret)

	    goto out;

    }

    st_logf("done parsing, adding to internal structure\n");

    o = add_st_object();

    if (o == NULL) {

	ret = CKR_DEVICE_MEMORY;

	goto out;

    }

    o->type = STO_T_CERTIFICATE;

    o->u.cert = cert;

    public_key = X509_get_pubkey(o->u.cert);

    switch (EVP_PKEY_base_id(public_key)) {

    case EVP_PKEY_RSA:

	key_type = CKK_RSA;

	break;

    case EVP_PKEY_DSA:

	key_type = CKK_DSA;

	break;

    default:

	/* XXX */

	break;

    }

    c = CKO_CERTIFICATE;

    add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));

    add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));

    add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));

    add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));

    add_object_attribute(o, 0, CKA_LABEL, label, strlen(label));

    add_object_attribute(o, 0, CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type));

    add_object_attribute(o, 0, CKA_ID, id, id_len);

    add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length);

    add_object_attribute(o, 0, CKA_ISSUER, issuer_data, issuer_length);

    add_object_attribute(o, 0, CKA_SERIAL_NUMBER, serial_data, serial_length);

    add_object_attribute(o, 0, CKA_VALUE, cert_data, cert_length);

    if (anchor)

	add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true));

    else

	add_object_attribute(o, 0, CKA_TRUSTED, &bool_false, sizeof(bool_false));

    st_logf("add cert ok: %lx\n", (unsigned long)OBJECT_ID(o));

    o = add_st_object();

    if (o == NULL) {

	ret = CKR_DEVICE_MEMORY;

	goto out;

    }

    o->type = STO_T_PUBLIC_KEY;

    o->u.public_key = public_key;

    c = CKO_PUBLIC_KEY;

    add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));

    add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));

    add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));

    add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));

    add_object_attribute(o, 0, CKA_LABEL, label, strlen(label));

    add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));

    add_object_attribute(o, 0, CKA_ID, id, id_len);

    add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */

    add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */

    add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));

    add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));

    mech_type = CKM_RSA_X_509;

    add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));

    add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length);

    add_object_attribute(o, 0, CKA_ENCRYPT, &bool_true, sizeof(bool_true));

    add_object_attribute(o, 0, CKA_VERIFY, &bool_true, sizeof(bool_true));

    add_object_attribute(o, 0, CKA_VERIFY_RECOVER, &bool_false, sizeof(bool_false));

    add_object_attribute(o, 0, CKA_WRAP, &bool_true, sizeof(bool_true));

    add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true));

    add_pubkey_info(o, key_type, public_key);

    st_logf("add key ok: %lx\n", (unsigned long)OBJECT_ID(o));

    if (private_key_file) {

	CK_FLAGS flags;

	FILE *f;

	o = add_st_object();

	if (o == NULL) {

	    ret = CKR_DEVICE_MEMORY;

	    goto out;

	}

	o->type = STO_T_PRIVATE_KEY;

	o->u.private_key.file = strdup(private_key_file);

	o->u.private_key.key = NULL;

	o->u.private_key.cert = cert;

	c = CKO_PRIVATE_KEY;

	add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));

	add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));

	add_object_attribute(o, 0, CKA_PRIVATE, &bool_true, sizeof(bool_false));

	add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));

	add_object_attribute(o, 0, CKA_LABEL, label, strlen(label));

	add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));

	add_object_attribute(o, 0, CKA_ID, id, id_len);

	add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */

	add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */

	add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));

	add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));

	mech_type = CKM_RSA_X_509;

	add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));

	add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length);

	add_object_attribute(o, 0, CKA_SENSITIVE, &bool_true, sizeof(bool_true));

	add_object_attribute(o, 0, CKA_SECONDARY_AUTH, &bool_false, sizeof(bool_true));

	flags = 0;

	add_object_attribute(o, 0, CKA_AUTH_PIN_FLAGS, &flags, sizeof(flags));

	add_object_attribute(o, 0, CKA_DECRYPT, &bool_true, sizeof(bool_true));

	add_object_attribute(o, 0, CKA_SIGN, &bool_true, sizeof(bool_true));

	add_object_attribute(o, 0, CKA_SIGN_RECOVER, &bool_false, sizeof(bool_false));

	add_object_attribute(o, 0, CKA_UNWRAP, &bool_true, sizeof(bool_true));

	add_object_attribute(o, 0, CKA_EXTRACTABLE, &bool_true, sizeof(bool_true));

	add_object_attribute(o, 0, CKA_NEVER_EXTRACTABLE, &bool_false, sizeof(bool_false));

	add_pubkey_info(o, key_type, public_key);

	f = fopen(private_key_file, "r");

	if (f == NULL) {

	    st_logf("failed to open private key\n");

	    return CKR_GENERAL_ERROR;

	}

	o->u.private_key.key = PEM_read_PrivateKey(f, NULL, pem_callback, NULL);

	fclose(f);

	if (o->u.private_key.key == NULL) {

	    st_logf("failed to read private key a startup\n");

	    /* don't bother with this failure for now,

	       fix it at C_Login time */;

	} else {

	    /* XXX verify keytype */

	    if (key_type == CKK_RSA) {

		RSA *rsa = EVP_PKEY_get0_RSA(o->u.private_key.key);

		RSA_set_method(rsa, RSA_PKCS1_OpenSSL());

	    }

	    if (X509_check_private_key(cert, o->u.private_key.key) != 1) {

		EVP_PKEY_free(o->u.private_key.key);

		o->u.private_key.key = NULL;

		st_logf("private key doesn't verify\n");

	    } else {

		st_logf("private key usable\n");

		soft_token.flags.login_done = 1;

	    }

	}

    }

    ret = CKR_OK;

 out:

    if (ret != CKR_OK) {

	st_logf("something went wrong when adding cert!\n");

	/* XXX wack o */;

    }

    free(cert_data);

    free(serial_data);

    free(issuer_data);

    free(subject_data);

    return ret;

}

static void

find_object_final(struct session_state *state)

{

    if (state->find.attributes) {

	CK_ULONG i;

	for (i = 0; i < state->find.num_attributes; i++) {

	    if (state->find.attributes[i].pValue)

		free(state->find.attributes[i].pValue);

	}

	free(state->find.attributes);

	state->find.attributes = NULL;

	state->find.num_attributes = 0;

	state->find.next_object = -1;

    }

}

static void

reset_crypto_state(struct session_state *state)

{

    state->encrypt_object = -1;

    if (state->encrypt_mechanism)

	free(state->encrypt_mechanism);

    state->encrypt_mechanism = NULL_PTR;

    state->decrypt_object = -1;

    if (state->decrypt_mechanism)

	free(state->decrypt_mechanism);

    state->decrypt_mechanism = NULL_PTR;

    state->sign_object = -1;

    if (state->sign_mechanism)

	free(state->sign_mechanism);

    state->sign_mechanism = NULL_PTR;

    state->verify_object = -1;

    if (state->verify_mechanism)

	free(state->verify_mechanism);

    state->verify_mechanism = NULL_PTR;

    state->digest_object = -1;

}

static void

close_session(struct session_state *state)

{

    if (state->find.attributes) {

	application_error("application didn't do C_FindObjectsFinal\n");

	find_object_final(state);

    }

    state->session_handle = CK_INVALID_HANDLE;

    soft_token.application = NULL_PTR;

    soft_token.notify = NULL_PTR;

    reset_crypto_state(state);

}

static const char *

has_session(void)

{

    return soft_token.open_sessions > 0 ? "yes" : "no";

}

static void

read_conf_file(const char *fn)

{

    char buf[1024], *cert, *key, *id, *label, *s, *p;

    int anchor;

    FILE *f;

    f = fopen(fn, "r");

    if (f == NULL) {

	st_logf("can't open configuration file %s\n", fn);

	return;

    }

    while(fgets(buf, sizeof(buf), f) != NULL) {

	buf[strcspn(buf, "\n")] = '\0';

	anchor = 0;

	st_logf("line: %s\n", buf);

	p = buf;

	while (isspace(*p))

	    p++;

	if (*p == '#')

	    continue;

	while (isspace(*p))

	    p++;

	s = NULL;

	id = strtok_r(p, "\t", &s);

	if (id == NULL)

	    continue;

	label = strtok_r(NULL, "\t", &s);

	if (label == NULL)

	    continue;

	cert = strtok_r(NULL, "\t", &s);

	if (cert == NULL)

	    continue;

	key = strtok_r(NULL, "\t", &s);

	/* XXX */

	if (strcmp(id, "anchor") == 0) {

	    id = "\x00\x00";

	    anchor = 1;

	}

	st_logf("adding: %s\n", label);

	add_certificate(label, cert, key, id, anchor);

    }

}

static CK_RV

func_not_supported(void)

{

    st_logf("function not supported\n");

    return CKR_FUNCTION_NOT_SUPPORTED;

}

CK_RV

C_Initialize(CK_VOID_PTR a)

{

    CK_C_INITIALIZE_ARGS_PTR args = a;

    st_logf("Initialize\n");

    size_t i;

    OpenSSL_add_all_algorithms();

    ERR_load_crypto_strings();

    srandom(getpid() ^ time(NULL));

    for (i = 0; i < MAX_NUM_SESSION; i++) {

	soft_token.state[i].session_handle = CK_INVALID_HANDLE;

	soft_token.state[i].find.attributes = NULL;

	soft_token.state[i].find.num_attributes = 0;

	soft_token.state[i].find.next_object = -1;

	reset_crypto_state(&soft_token.state[i]);

    }

    soft_token.flags.hardware_slot = 1;

    soft_token.flags.app_error_fatal = 0;

    soft_token.flags.login_done = 0;

    soft_token.object.objs = NULL;

    soft_token.object.num_objs = 0;

    soft_token.logfile = NULL;

#if 1

//     soft_token.logfile = stdout;

#endif

#if 0

    soft_token.logfile = fopen("/tmp/log-pkcs11.txt", "a");

#endif

    if (a != NULL_PTR) {

	st_logf("\tCreateMutex:\t%p\n", args->CreateMutex);

	st_logf("\tDestroyMutext\t%p\n", args->DestroyMutex);

	st_logf("\tLockMutext\t%p\n", args->LockMutex);

	st_logf("\tUnlockMutext\t%p\n", args->UnlockMutex);

	st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);

    }

    {

	char *fn = NULL, *home = NULL;

	if (getuid() == geteuid()) {

	    fn = getenv("SOFTPKCS11RC");

	    if (fn)

		fn = strdup(fn);

	    home = getenv("HOME");

	}

	if (fn == NULL && home == NULL) {

	    struct passwd *pw = getpwuid(getuid());	

	    if(pw != NULL)

		home = pw->pw_dir;

	}

	if (fn == NULL) {

	    if (home)

		asprintf(&fn, "%s/.soft-token.rc", home);

	    else

		fn = strdup("/etc/soft-token.rc");

	}

	read_conf_file(fn);

	free(fn);

    }

    return CKR_OK;

}

CK_RV

C_Finalize(CK_VOID_PTR args)

{

    size_t i;

    st_logf("Finalize\n");

    for (i = 0; i < MAX_NUM_SESSION; i++) {

	if (soft_token.state[i].session_handle != CK_INVALID_HANDLE) {

	    application_error("application finalized without "

			      "closing session\n");

	    close_session(&soft_token.state[i]);

	}

    }

    return CKR_OK;

}

CK_RV

C_GetInfo(CK_INFO_PTR args)

{

    st_logf("GetInfo\n");

    memset(args, 17, sizeof(*args));

    args->cryptokiVersion.major = 2;

    args->cryptokiVersion.minor = 10;

    snprintf_fill((char *)args->manufacturerID,

		  sizeof(args->manufacturerID),

		  ' ',

		  "SoftToken");

    snprintf_fill((char *)args->libraryDescription,

		  sizeof(args->libraryDescription), ' ',

		  "SoftToken");

    args->libraryVersion.major = 1;

    args->libraryVersion.minor = 8;

    return CKR_OK;

}

extern CK_FUNCTION_LIST funcs;

CK_RV

C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList)

{

    *ppFunctionList = &funcs;

    return CKR_OK;

}

CK_RV

C_GetSlotList(CK_BBOOL tokenPresent,

	      CK_SLOT_ID_PTR pSlotList,

	      CK_ULONG_PTR   pulCount)

{

    st_logf("GetSlotList: %s\n",

	    tokenPresent ? "tokenPresent" : "token not Present");

    if (pSlotList)

	pSlotList[0] = 1;

    *pulCount = 1;

    return CKR_OK;

}

CK_RV

C_GetSlotInfo(CK_SLOT_ID slotID,

	      CK_SLOT_INFO_PTR pInfo)

{

    st_logf("GetSlotInfo: slot: %d : %s\n", (int)slotID, has_session());

    memset(pInfo, 18, sizeof(*pInfo));

    if (slotID != 1)

	return CKR_ARGUMENTS_BAD;

    snprintf_fill((char *)pInfo->slotDescription,

		  sizeof(pInfo->slotDescription),

		  ' ',

		  "SoftToken (slot)");

    snprintf_fill((char *)pInfo->manufacturerID,

		  sizeof(pInfo->manufacturerID),

		  ' ',

		  "SoftToken (slot)");

    pInfo->flags = CKF_TOKEN_PRESENT;

    if (soft_token.flags.hardware_slot)

	pInfo->flags |= CKF_HW_SLOT;

    pInfo->hardwareVersion.major = 1;

    pInfo->hardwareVersion.minor = 0;

    pInfo->firmwareVersion.major = 1;

    pInfo->firmwareVersion.minor = 0;

    return CKR_OK;

}

CK_RV

C_GetTokenInfo(CK_SLOT_ID slotID,

	       CK_TOKEN_INFO_PTR pInfo)

{

    st_logf("GetTokenInfo: %s\n", has_session());

    memset(pInfo, 19, sizeof(*pInfo));

    snprintf_fill((char *)pInfo->label,

		  sizeof(pInfo->label),

		  ' ',

		  "SoftToken (token)");

    snprintf_fill((char *)pInfo->manufacturerID,

		  sizeof(pInfo->manufacturerID),

		  ' ',

		  "SoftToken (token)");

    snprintf_fill((char *)pInfo->model,

		  sizeof(pInfo->model),

		  ' ',

		  "SoftToken (token)");

    snprintf_fill((char *)pInfo->serialNumber,

		  sizeof(pInfo->serialNumber),

		  ' ',

		  "4711");

    pInfo->flags =

	CKF_TOKEN_INITIALIZED |

	CKF_USER_PIN_INITIALIZED;

    if (soft_token.flags.login_done == 0)

	pInfo->flags |= CKF_LOGIN_REQUIRED;

    /* CFK_RNG |

       CKF_RESTORE_KEY_NOT_NEEDED |

    */

    pInfo->ulMaxSessionCount = MAX_NUM_SESSION;

    pInfo->ulSessionCount = soft_token.open_sessions;

    pInfo->ulMaxRwSessionCount = MAX_NUM_SESSION;

    pInfo->ulRwSessionCount = soft_token.open_sessions;

    pInfo->ulMaxPinLen = 1024;

    pInfo->ulMinPinLen = 0;

    pInfo->ulTotalPublicMemory = 4711;

    pInfo->ulFreePublicMemory = 4712;

    pInfo->ulTotalPrivateMemory = 4713;

    pInfo->ulFreePrivateMemory = 4714;

    pInfo->hardwareVersion.major = 2;

    pInfo->hardwareVersion.minor = 0;

    pInfo->firmwareVersion.major = 2;

    pInfo->firmwareVersion.minor = 0;

    return CKR_OK;

}

CK_RV

C_GetMechanismList(CK_SLOT_ID slotID,

		   CK_MECHANISM_TYPE_PTR pMechanismList,

		   CK_ULONG_PTR pulCount)

{

    st_logf("GetMechanismList\n");

    *pulCount = 2;

    if (pMechanismList == NULL_PTR)

	return CKR_OK;

    pMechanismList[0] = CKM_RSA_X_509;

    pMechanismList[1] = CKM_RSA_PKCS;

    return CKR_OK;

}

CK_RV

C_GetMechanismInfo(CK_SLOT_ID slotID,

		   CK_MECHANISM_TYPE type,

		   CK_MECHANISM_INFO_PTR pInfo)

{

    st_logf("GetMechanismInfo: slot %d type: %d\n",

	    (int)slotID, (int)type);

    return CKR_FUNCTION_NOT_SUPPORTED;

}

CK_RV

C_InitToken(CK_SLOT_ID slotID,

	    CK_UTF8CHAR_PTR pPin,

	    CK_ULONG ulPinLen,

	    CK_UTF8CHAR_PTR pLabel)

{

    st_logf("InitToken: slot %d\n", (int)slotID);

    return CKR_FUNCTION_NOT_SUPPORTED;

}

CK_RV

C_OpenSession(CK_SLOT_ID slotID,

	      CK_FLAGS flags,

	      CK_VOID_PTR pApplication,

	      CK_NOTIFY Notify,

	      CK_SESSION_HANDLE_PTR phSession)

{

    size_t i;

    st_logf("OpenSession: slot: %d\n", (int)slotID);

    if (soft_token.open_sessions == MAX_NUM_SESSION)

	return CKR_SESSION_COUNT;

    soft_token.application = pApplication;

    soft_token.notify = Notify;

    for (i = 0; i < MAX_NUM_SESSION; i++)

	if (soft_token.state[i].session_handle == CK_INVALID_HANDLE)

	    break;

    if (i == MAX_NUM_SESSION)

	abort();

    soft_token.open_sessions++;

    soft_token.state[i].session_handle =

	(CK_SESSION_HANDLE)(random() & 0xfffff);

    *phSession = soft_token.state[i].session_handle;

    return CKR_OK;

}

CK_RV

C_CloseSession(CK_SESSION_HANDLE hSession)

{

    struct session_state *state;

    st_logf("CloseSession\n");

    if (verify_session_handle(hSession, &state) != CKR_OK)

	application_error("closed session not open");

    else

	close_session(state);

    return CKR_OK;

}

CK_RV

C_CloseAllSessions(CK_SLOT_ID slotID)

{

    size_t i;

    st_logf("CloseAllSessions\n");

    for (i = 0; i < MAX_NUM_SESSION; i++)

	if (soft_token.state[i].session_handle != CK_INVALID_HANDLE)

	    close_session(&soft_token.state[i]);

    return CKR_OK;

}

CK_RV

C_GetSessionInfo(CK_SESSION_HANDLE hSession,

		 CK_SESSION_INFO_PTR pInfo)

{

    st_logf("GetSessionInfo\n");

    VERIFY_SESSION_HANDLE(hSession, NULL);

    memset(pInfo, 20, sizeof(*pInfo));

    pInfo->slotID = 1;

    if (soft_token.flags.login_done)

	pInfo->state = CKS_RO_USER_FUNCTIONS;

    else

	pInfo->state = CKS_RO_PUBLIC_SESSION;

    pInfo->flags = CKF_SERIAL_SESSION;

    pInfo->ulDeviceError = 0;

    return CKR_OK;

}

CK_RV

C_Login(CK_SESSION_HANDLE hSession,

	CK_USER_TYPE userType,

	CK_UTF8CHAR_PTR pPin,

	CK_ULONG ulPinLen)

{

    char *pin = NULL;

    int i;

    st_logf("Login\n");

    VERIFY_SESSION_HANDLE(hSession, NULL);

    if (pPin != NULL_PTR) {

	asprintf(&pin, "%.*s", (int)ulPinLen, pPin);

	st_logf("type: %d password: %s\n", (int)userType, pin);

    }

    for (i = 0; i < soft_token.object.num_objs; i++) {

	struct st_object *o = soft_token.object.objs[i];

	FILE *f;

	if (o->type != STO_T_PRIVATE_KEY)

	    continue;

	if (o->u.private_key.key)

	    continue;

	f = fopen(o->u.private_key.file, "r");

	if (f == NULL) {

	    st_logf("can't open private file: %s\n", o->u.private_key.file);

	    continue;

	}

	o->u.private_key.key = PEM_read_PrivateKey(f, NULL, NULL, pin);

	fclose(f);

	if (o->u.private_key.key == NULL) {

	    st_logf("failed to read key: %s error: %s\n",

		    o->u.private_key.file,

		    ERR_error_string(ERR_get_error(), NULL));

	    /* just ignore failure */;

	    continue;

	}

	/* XXX check keytype */

	RSA *rsa = EVP_PKEY_get0_RSA(o->u.private_key.key);

	RSA_set_method(rsa, RSA_PKCS1_OpenSSL());

	if (X509_check_private_key(o->u.private_key.cert, o->u.private_key.key) != 1) {

	    EVP_PKEY_free(o->u.private_key.key);

	    o->u.private_key.key = NULL;

	    st_logf("private key %s doesn't verify\n", o->u.private_key.file);

	    continue;

	}

	soft_token.flags.login_done = 1;

    }

    free(pin);

    return soft_token.flags.login_done ? CKR_OK : CKR_PIN_INCORRECT;

}

CK_RV

C_Logout(CK_SESSION_HANDLE hSession)

{

    st_logf("Logout\n");

    VERIFY_SESSION_HANDLE(hSession, NULL);

    return CKR_FUNCTION_NOT_SUPPORTED;

}

CK_RV

C_GetObjectSize(CK_SESSION_HANDLE hSession,

		CK_OBJECT_HANDLE hObject,

		CK_ULONG_PTR pulSize)

{

    st_logf("GetObjectSize\n");

    VERIFY_SESSION_HANDLE(hSession, NULL);

    return CKR_FUNCTION_NOT_SUPPORTED;

}

CK_RV

C_GetAttributeValue(CK_SESSION_HANDLE hSession,

		    CK_OBJECT_HANDLE hObject,

		    CK_ATTRIBUTE_PTR pTemplate,

		    CK_ULONG ulCount)

{

    struct session_state *state;

    struct st_object *obj;

    CK_ULONG i;

    CK_RV ret;

    int j;

    st_logf("GetAttributeValue: %lx\n",

	    (unsigned long)HANDLE_OBJECT_ID(hObject));

    VERIFY_SESSION_HANDLE(hSession, &state);

    if ((ret = object_handle_to_object(hObject, &obj)) != CKR_OK) {

	st_logf("object not found: %lx\n",

		(unsigned long)HANDLE_OBJECT_ID(hObject));

	return ret;

    }

    ret = CKR_OK;

    for (i = 0; i < ulCount; i++) {

	st_logf("	getting 0x%08lx\n", (unsigned long)pTemplate[i].type);

	for (j = 0; j < obj->num_attributes; j++) {

	    if (obj->attrs[j].secret) {

		pTemplate[i].ulValueLen = (CK_ULONG)-1;

		break;

	    }

	    if (pTemplate[i].type == obj->attrs[j].attribute.type) {

		if (pTemplate[i].pValue != NULL_PTR && obj->attrs[j].secret == 0) {

		    if (pTemplate[i].ulValueLen >= obj->attrs[j].attribute.ulValueLen)

			memcpy(pTemplate[i].pValue, obj->attrs[j].attribute.pValue,

			       obj->attrs[j].attribute.ulValueLen);

		}

		pTemplate[i].ulValueLen = obj->attrs[j].attribute.ulValueLen;

		break;

	    }

	}

	if (j == obj->num_attributes) {

	    st_logf("key type: 0x%08lx not found\n", (unsigned long)pTemplate[i].type);

	    pTemplate[i].ulValueLen = (CK_ULONG)-1;

            ret = CKR_ATTRIBUTE_TYPE_INVALID;

	}

    }

    return ret;

}

CK_RV

C_FindObjectsInit(CK_SESSION_HANDLE hSession,

		  CK_ATTRIBUTE_PTR pTemplate,

		  CK_ULONG ulCount)

{

    struct session_state *state;

    st_logf("FindObjectsInit\n");

    VERIFY_SESSION_HANDLE(hSession, &state);

    if (state->find.next_object != -1) {

	application_error("application didn't do C_FindObjectsFinal\n");

	find_object_final(state);

    }

    if (ulCount) {

	CK_ULONG i;

	print_attributes(pTemplate, ulCount);

	state->find.attributes =

	    calloc(1, ulCount * sizeof(state->find.attributes[0]));

	if (state->find.attributes == NULL)

	    return CKR_DEVICE_MEMORY;

	for (i = 0; i < ulCount; i++) {

	    state->find.attributes[i].pValue =

		malloc(pTemplate[i].ulValueLen);

	    if (state->find.attributes[i].pValue == NULL) {

		find_object_final(state);