|
Lines 73-78
struct pkcs11_key {
|
| 73 |
int keyid_len; |
73 |
int keyid_len; |
| 74 |
}; |
74 |
}; |
| 75 |
|
75 |
|
|
|
76 |
static int pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin); |
| 77 |
static int pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, struct sshkey ***keysp, int *nkeys); |
| 78 |
static int pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key); |
| 79 |
|
| 76 |
int pkcs11_interactive = 0; |
80 |
int pkcs11_interactive = 0; |
| 77 |
|
81 |
|
| 78 |
int |
82 |
int |
|
Lines 218-223
pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
|
| 218 |
return (ret); |
222 |
return (ret); |
| 219 |
} |
223 |
} |
| 220 |
|
224 |
|
|
|
225 |
int pkcs11_key_is_present(struct pkcs11_key *k11) |
| 226 |
{ |
| 227 |
CK_RV rv; |
| 228 |
CK_FUNCTION_LIST *f; |
| 229 |
CK_SLOT_INFO info; |
| 230 |
CK_TOKEN_INFO tokeninfo; |
| 231 |
CK_SESSION_HANDLE session; |
| 232 |
CK_SESSION_INFO sessioninfo; |
| 233 |
|
| 234 |
f = k11->provider->function_list; |
| 235 |
rv = f->C_GetSlotInfo(k11->slotidx, &info); |
| 236 |
if (rv != CKR_OK) { |
| 237 |
/* The cryptoki is not ready to work with this slot */ |
| 238 |
return -1; |
| 239 |
} |
| 240 |
if (!(info.flags & CKF_TOKEN_PRESENT)) { |
| 241 |
return -1; |
| 242 |
} |
| 243 |
|
| 244 |
rv = f->C_GetTokenInfo(k11->slotidx, &tokeninfo); |
| 245 |
if (rv != CKR_OK) { |
| 246 |
/* The cryptoki is not ready to work with this token */ |
| 247 |
return -1; |
| 248 |
} |
| 249 |
/* TODO check if the fields of the tokeninfo match the stored values */ |
| 250 |
|
| 251 |
session = k11->provider->slotinfo[k11->slotidx].session; |
| 252 |
rv = f->C_GetSessionInfo(session, &sessioninfo); |
| 253 |
if (rv != CKR_OK) { |
| 254 |
/* The cryptoki is not ready to work with this session */ |
| 255 |
return -1; |
| 256 |
} |
| 257 |
if (sessioninfo.slotID != k11->slotidx) { |
| 258 |
return -1; |
| 259 |
} |
| 260 |
return 0; |
| 261 |
} |
| 262 |
|
| 263 |
static int pkcs11_reload_key(struct sshkey *key, struct pkcs11_key *k11) |
| 264 |
{ |
| 265 |
unsigned char *pin = NULL; |
| 266 |
int r, i; |
| 267 |
struct sshkey **keysp = NULL; |
| 268 |
int nkeys = 0; |
| 269 |
|
| 270 |
/* No need to C_CloseSession(): It is already invalidated */ |
| 271 |
|
| 272 |
pin = read_passphrase("Enter PIN for smart card", RP_USE_ASKPASS); |
| 273 |
if (!pin) |
| 274 |
return -1; |
| 275 |
|
| 276 |
r = pkcs11_open_session(k11->provider, k11->slotidx, pin); |
| 277 |
|
| 278 |
explicit_bzero(pin, strlen(pin)); |
| 279 |
free(pin); |
| 280 |
|
| 281 |
if (r == -1) |
| 282 |
return -1; |
| 283 |
|
| 284 |
/* Check that the key we are using is present in the current card */ |
| 285 |
r = pkcs11_fetch_keys(k11->provider, k11->slotidx, &keysp, &nkeys); |
| 286 |
if (r < 0) |
| 287 |
return -1; |
| 288 |
|
| 289 |
r = -1; |
| 290 |
if (pkcs11_key_included(&keysp, &nkeys, key) == 1) |
| 291 |
r = 0; |
| 292 |
|
| 293 |
/* clean up the keys */ |
| 294 |
for (i = 0; i < nkeys; i++) |
| 295 |
sshkey_free(keysp[i]); |
| 296 |
free(keysp); |
| 297 |
return r; |
| 298 |
} |
| 299 |
|
| 300 |
int pkcs11_refresh_key(struct sshkey *key) |
| 301 |
{ |
| 302 |
struct pkcs11_key *k11; |
| 303 |
|
| 304 |
if ((k11 = RSA_get_app_data(key->rsa)) == NULL) { |
| 305 |
error("RSA_get_app_data failed for rsa %p", key->rsa); |
| 306 |
return (-1); |
| 307 |
} |
| 308 |
if (!k11->provider || !k11->provider->valid) { |
| 309 |
error("no pkcs11 (valid) provider for rsa %p", key->rsa); |
| 310 |
return (-1); |
| 311 |
} |
| 312 |
|
| 313 |
if (pkcs11_key_is_present(k11) == -1) |
| 314 |
if (pkcs11_reload_key(key, k11) == -1) |
| 315 |
return -1; |
| 316 |
|
| 317 |
return 0; |
| 318 |
} |
| 319 |
|
| 221 |
/* openssl callback doing the actual signing operation */ |
320 |
/* openssl callback doing the actual signing operation */ |
| 222 |
static int |
321 |
static int |
| 223 |
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, |
322 |
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, |
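Review bot: `pin` in pkcs11_reload_key (new line 265) is declared `unsigned char *` but is assigned from read_passphrase() and passed to both strlen() and pkcs11_open_session(), whose prototype on new line 76 takes `char *pin`; it should be `char *pin = NULL;` so the pointer signedness matches and no casts are needed. The presence check in pkcs11_key_is_present accepts any token occupying the slot — the TODO on new line 249 notes that the C_GetTokenInfo fields are never compared against stored values — so a swapped card is only caught by the later pkcs11_fetch_keys/pkcs11_key_included pass, and only on the path where C_GetSessionInfo has already failed; it is worth confirming that the providers in use really invalidate the session handle on token removal rather than reusing it. When pkcs11_key_included() reports the key absent (new lines 289-291), the freshly opened and PIN-authenticated session is left open on the `return r` path; closing it there, or a comment stating why the caller is expected to, would avoid leaving a logged-in session behind. The `if (!pin)` check on new line 273 is only meaningful if read_passphrase() can return NULL on this code path, which I cannot confirm from the hunk. The file section may continue past this hunk with further changes to pkcs11_rsa_private_encrypt that are outside my view.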