|
Lines 216-221
pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
Link Here
|
| 216 |
return (ret); |
216 |
return (ret); |
| 217 |
} |
217 |
} |
| 218 |
|
218 |
|
|
|
219 |
|
| 220 |
static int |
| 221 |
pkcs11_login(struct pkcs11_provider *p, struct pkcs11_slotinfo *si) |
| 222 |
{ |
| 223 |
char *pin = NULL, prompt[1024]; |
| 224 |
CK_RV rv; |
| 225 |
CK_FUNCTION_LIST *f; |
| 226 |
f = p->function_list; |
| 227 |
if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { |
| 228 |
if (!pkcs11_interactive) { |
| 229 |
error("need pin entry%s", (si->token.flags & |
| 230 |
CKF_PROTECTED_AUTHENTICATION_PATH) ? |
| 231 |
" on reader keypad" : ""); |
| 232 |
return (-1); |
| 233 |
} |
| 234 |
if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) |
| 235 |
verbose("Deferring PIN entry to reader keypad."); |
| 236 |
else { |
| 237 |
snprintf(prompt, sizeof(prompt), |
| 238 |
"Enter PIN for '%s': ", si->token.label); |
| 239 |
pin = read_passphrase(prompt, RP_ALLOW_EOF); |
| 240 |
if (pin == NULL) |
| 241 |
return (-1); /* bail out */ |
| 242 |
} |
| 243 |
rv = f->C_Login(si->session, CKU_USER, (u_char *)pin, |
| 244 |
(pin != NULL) ? strlen(pin) : 0); |
| 245 |
if (pin != NULL) { |
| 246 |
explicit_bzero(pin, strlen(pin)); |
| 247 |
free(pin); |
| 248 |
} |
| 249 |
if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { |
| 250 |
error("C_Login failed: %lu", rv); |
| 251 |
return (-1); |
| 252 |
} |
| 253 |
si->logged_in = 1; |
| 254 |
} |
| 255 |
return 0; |
| 256 |
} |
| 257 |
|
| 258 |
|
| 219 |
/* openssl callback doing the actual signing operation */ |
259 |
/* openssl callback doing the actual signing operation */ |
| 220 |
static int |
260 |
static int |
| 221 |
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, |
261 |
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, |
|
Lines 237-243
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
Link Here
|
| 237 |
{CKA_ID, NULL, 0}, |
277 |
{CKA_ID, NULL, 0}, |
| 238 |
{CKA_SIGN, NULL, sizeof(true_val) } |
278 |
{CKA_SIGN, NULL, sizeof(true_val) } |
| 239 |
}; |
279 |
}; |
| 240 |
char *pin = NULL, prompt[1024]; |
|
|
| 241 |
int rval = -1; |
280 |
int rval = -1; |
| 242 |
|
281 |
|
| 243 |
key_filter[0].pValue = &private_key_class; |
282 |
key_filter[0].pValue = &private_key_class; |
|
Lines 253-285
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
Link Here
|
| 253 |
} |
292 |
} |
| 254 |
f = k11->provider->function_list; |
293 |
f = k11->provider->function_list; |
| 255 |
si = &k11->provider->slotinfo[k11->slotidx]; |
294 |
si = &k11->provider->slotinfo[k11->slotidx]; |
| 256 |
if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { |
295 |
if (pkcs11_login(k11->provider, si)) { |
| 257 |
if (!pkcs11_interactive) { |
296 |
return (-1); |
| 258 |
error("need pin entry%s", (si->token.flags & |
|
|
| 259 |
CKF_PROTECTED_AUTHENTICATION_PATH) ? |
| 260 |
" on reader keypad" : ""); |
| 261 |
return (-1); |
| 262 |
} |
| 263 |
if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) |
| 264 |
verbose("Deferring PIN entry to reader keypad."); |
| 265 |
else { |
| 266 |
snprintf(prompt, sizeof(prompt), |
| 267 |
"Enter PIN for '%s': ", si->token.label); |
| 268 |
pin = read_passphrase(prompt, RP_ALLOW_EOF); |
| 269 |
if (pin == NULL) |
| 270 |
return (-1); /* bail out */ |
| 271 |
} |
| 272 |
rv = f->C_Login(si->session, CKU_USER, (u_char *)pin, |
| 273 |
(pin != NULL) ? strlen(pin) : 0); |
| 274 |
if (pin != NULL) { |
| 275 |
explicit_bzero(pin, strlen(pin)); |
| 276 |
free(pin); |
| 277 |
} |
| 278 |
if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { |
| 279 |
error("C_Login failed: %lu", rv); |
| 280 |
return (-1); |
| 281 |
} |
| 282 |
si->logged_in = 1; |
| 283 |
} |
297 |
} |
| 284 |
key_filter[1].pValue = k11->keyid; |
298 |
key_filter[1].pValue = k11->keyid; |
| 285 |
key_filter[1].ulValueLen = k11->keyid_len; |
299 |
key_filter[1].ulValueLen = k11->keyid_len; |
|
Lines 422-435
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
Link Here
|
| 422 |
{ CKA_SUBJECT, NULL, 0 }, |
436 |
{ CKA_SUBJECT, NULL, 0 }, |
| 423 |
{ CKA_VALUE, NULL, 0 } |
437 |
{ CKA_VALUE, NULL, 0 } |
| 424 |
}; |
438 |
}; |
|
|
439 |
int keys; |
| 440 |
int certs; |
| 441 |
int i; |
| 425 |
pubkey_filter[0].pValue = &pubkey_class; |
442 |
pubkey_filter[0].pValue = &pubkey_class; |
| 426 |
cert_filter[0].pValue = &cert_class; |
443 |
cert_filter[0].pValue = &cert_class; |
| 427 |
|
444 |
|
| 428 |
if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs, |
445 |
for (i = 0; i < 2; i++) { |
| 429 |
keysp, nkeys) < 0 || |
446 |
/* i==0: legacy behavior try to find keys without login */ |
| 430 |
pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs, |
447 |
/* i==1: try again, logged in */ |
| 431 |
keysp, nkeys) < 0) |
448 |
keys = pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, |
| 432 |
return (-1); |
449 |
pubkey_attribs, keysp, nkeys); |
|
|
450 |
certs = pkcs11_fetch_keys_filter(p, slotidx, cert_filter, |
| 451 |
cert_attribs, keysp, nkeys) < 0; |
| 452 |
if (keys < 0 || certs < 0) |
| 453 |
return (-1); |
| 454 |
if (keys > 0 && certs > 0) |
| 455 |
break; |
| 456 |
if (i == 0) { |
| 457 |
if (pkcs11_login(p, &p->slotinfo[slotidx])) |
| 458 |
return (-1); |
| 459 |
} |
| 460 |
} |
| 461 |
|
| 433 |
return (0); |
462 |
return (0); |
| 434 |
} |
463 |
} |
| 435 |
|
464 |
|