authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-29 08:31:13 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-29 16:27:40 +0100
commit6f4bb1cdbe7b4ad0c2f0a80af56ea96ebcd2060d (patch)
tree8b529b8c122fb07e4d3e609c85eeb6b108f093b0
parent6df48c0b935d86fd5b88706b4f0f6f4a2a415be5 (diff)
downloadgnutls-6f4bb1cdbe7b4ad0c2f0a80af56ea96ebcd2060d.tar.gz
p11tool: allow setting the CKA_ID on object initialization/generation
-rw-r--r--src/p11tool-args.def7
-rw-r--r--src/p11tool.c14
-rw-r--r--src/p11tool.h4
-rw-r--r--src/pkcs11.c44
4 files changed, 54 insertions, 15 deletions
diff --git a/src/p11tool-args.def b/src/p11tool-args.def
index ac17acb7d5..5f8b390b2f 100644
--- a/src/p11tool-args.def
+++ b/src/p11tool-args.def
@@ -143,6 +143,13 @@ flag = {
};
flag = {
+ name = id;
+ arg-type = string;
+ descrip = "Sets an ID for the write operation";
+ doc = "Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.";
+};
+
+flag = {
name = mark-wrap;
disable = "no";
disabled;
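Review bot: The new `doc =` text does not mention the length limit the implementation imposes: in src/pkcs11.c the hex string is decoded into a 128-byte stack buffer and any decoding failure aborts the tool, so an ID longer than 128 bytes (256 hex digits) presumably fails with "Error converting hex" rather than being truncated. Append to the doc string: `The ID may be at most 128 bytes (256 hexadecimal digits) long.` It would also help users to state that the option is only honoured by the write and generate operations.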
diff --git a/src/p11tool.c b/src/p11tool.c
index 8fbdbd545b..ff1a507c26 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -108,7 +108,7 @@ static void cmd_parser(int argc, char **argv)
const char *url = NULL;
unsigned int detailed_url = 0, optct;
unsigned int bits = 0;
- const char *label = NULL, *sec_param = NULL;
+ const char *label = NULL, *sec_param = NULL, *id = NULL;
unsigned flags;
optct = optionProcess(&p11toolOptions, argc, argv);
@@ -210,6 +210,10 @@ static void cmd_parser(int argc, char **argv)
label = OPT_ARG(LABEL);
}
+ if (HAVE_OPT(ID)) {
+ id = OPT_ARG(ID);
+ }
+
if (HAVE_OPT(BITS)) {
bits = OPT_VALUE_BITS;
}
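Review bot: `id` is read here unconditionally but is only forwarded in the `pkcs11_write` and `pkcs11_generate` calls later in cmd_parser, so `--id` given with any other operation (export, delete, init, …) is silently ignored. A short warning on stderr when `id != NULL` and none of the write/generate options is set would make that visible, placed next to this block so the check lives with the option parsing. cmd_parser starts and ends outside this hunk.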
@@ -280,7 +284,7 @@ static void cmd_parser(int argc, char **argv)
} else if (HAVE_OPT(EXPORT_CHAIN)) {
pkcs11_export_chain(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(WRITE)) {
- pkcs11_write(outfile, url, label,
+ pkcs11_write(outfile, url, label, id,
flags, &cinfo);
} else if (HAVE_OPT(INITIALIZE))
pkcs11_init(outfile, url, label, &cinfo);
@@ -290,19 +294,19 @@ static void cmd_parser(int argc, char **argv)
key_type = GNUTLS_PK_EC;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
- label, detailed_url,
+ label, id, detailed_url,
flags, &cinfo);
} else if (HAVE_OPT(GENERATE_RSA)) {
key_type = GNUTLS_PK_RSA;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
- label, detailed_url,
+ label, id, detailed_url,
flags, &cinfo);
} else if (HAVE_OPT(GENERATE_DSA)) {
key_type = GNUTLS_PK_DSA;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
- label, detailed_url,
+ label, id, detailed_url,
flags, &cinfo);
} else if (HAVE_OPT(EXPORT_PUBKEY)) {
pkcs11_export_pubkey(outfile, url, detailed_url, flags, &cinfo);
diff --git a/src/p11tool.h b/src/p11tool.h
index 422d680840..9acd7732c3 100644
--- a/src/p11tool.h
+++ b/src/p11tool.h
@@ -41,7 +41,7 @@ pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,
void pkcs11_token_list(FILE * outfile, unsigned int detailed,
common_info_st *, unsigned brief);
void pkcs11_write(FILE * outfile, const char *pkcs11_url,
- const char *label,
+ const char *label, const char *id,
unsigned int flags, common_info_st *);
void pkcs11_delete(FILE * outfile, const char *pkcs11_url,
unsigned int flags, common_info_st *);
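Review bot: The new `id` parameter of pkcs11_write, and of pkcs11_generate in the next hunk, is undocumented in the header; its contract (hex string, optional) is only discoverable from the implementation. Add a comment above each prototype such as `/* id: CKA_ID to set on the created object, as a hex string without 0x prefix; NULL means no explicit ID */`. Whether a NULL id lets the token pick an ID or leaves CKA_ID empty is decided inside the library calls and should be confirmed before documenting it.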
@@ -49,7 +49,7 @@ void pkcs11_init(FILE * outfile, const char *pkcs11_url, const char *label,
common_info_st *);
void pkcs11_generate(FILE * outfile, const char *url,
gnutls_pk_algorithm_t type, unsigned int bits,
- const char *label, int detailed,
+ const char *label, const char *id, int detailed,
unsigned int flags, common_info_st * info);
void pkcs11_export_pubkey(FILE * outfile, const char *url, int detailed,
unsigned int flags, common_info_st * info);
diff --git a/src/pkcs11.c b/src/pkcs11.c
index e9900ec284..b80b16be5a 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -522,13 +522,16 @@ pkcs11_token_list(FILE * outfile, unsigned int detailed,
void
pkcs11_write(FILE * outfile, const char *url, const char *label,
- unsigned flags, common_info_st * info)
+ const char *id, unsigned flags, common_info_st * info)
{
gnutls_x509_crt_t xcrt;
gnutls_x509_privkey_t xkey;
int ret;
unsigned int key_usage = 0;
gnutls_datum_t *secret_key;
+ unsigned char raw_id[128];
+ size_t raw_id_size;
+ gnutls_datum_t cid = {NULL, 0};
pkcs11_common(info);
@@ -539,6 +542,17 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
label = read_str("warning: The object's label was not specified.\nLabel: ");
}
+ if (id != NULL) {
+ raw_id_size = sizeof(raw_id);
+ ret = gnutls_hex2bin(id, strlen(id), raw_id, &raw_id_size);
+ if (ret < 0) {
+ fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+ cid.data = raw_id;
+ cid.size = raw_id_size;
+ }
+
secret_key = load_secret_key(0, info);
if (secret_key != NULL) {
ret =
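Review bot: The hex-to-CKA_ID conversion added here is duplicated byte for byte in pkcs11_generate (the hunk ending at the `parse ... cid.size = raw_id_size;` block before the outfile warning), including the 128-byte buffer, the error message and the exit(1); both should call one static helper so the limit and the diagnostics cannot drift apart. A second, smaller point: an empty `--id ""` passes `strlen(id) == 0` to gnutls_hex2bin and, if that succeeds, yields a datum with non-NULL `data` and `size == 0`; whether the library treats that as "no ID" or stores an empty CKA_ID is not visible here, so rejecting an empty string up front (`if (*id == '\0')`) would be the unambiguous choice. pkcs11_write's body starts and ends outside this hunk.
```c
/* Decode the hex-encoded CKA_ID given on the command line into raw[]
 * and point *out at it. A NULL id leaves *out as {NULL, 0}. Exits on
 * malformed input or an ID longer than raw_size bytes. */
static void
parse_object_id(const char *id, unsigned char *raw, size_t raw_size,
		gnutls_datum_t *out)
{
	int ret;

	out->data = NULL;
	out->size = 0;
	if (id == NULL)
		return;

	ret = gnutls_hex2bin(id, strlen(id), raw, &raw_size);
	if (ret < 0) {
		fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
		exit(1);
	}
	out->data = raw;
	out->size = raw_size;
}

/* … unchanged: pkcs11_write prologue and label prompt … */
	parse_object_id(id, raw_id, sizeof(raw_id), &cid);
```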
@@ -555,7 +569,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
xcrt = load_cert(0, info);
if (xcrt != NULL) {
- ret = gnutls_pkcs11_copy_x509_crt(url, xcrt, label, flags);
+ ret = gnutls_pkcs11_copy_x509_crt2(url, xcrt, label, &cid, flags);
if (ret < 0) {
fprintf(stderr, "Error writing certificate: %s\n", gnutls_strerror(ret));
if (((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) ||
@@ -571,10 +585,10 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
xkey = load_x509_private_key(0, info);
if (xkey != NULL) {
ret =
- gnutls_pkcs11_copy_x509_privkey(url, xkey, label,
- key_usage,
- flags |
- GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
+ gnutls_pkcs11_copy_x509_privkey2(url, xkey, label,
+ &cid, key_usage,
+ flags |
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
@@ -594,17 +608,31 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
void
pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
unsigned int bits,
- const char *label, int detailed,
+ const char *label, const char *id, int detailed,
unsigned int flags, common_info_st * info)
{
int ret;
gnutls_datum_t pubkey;
+ unsigned char raw_id[128];
+ size_t raw_id_size;
+ gnutls_datum_t cid = {NULL, 0};
pkcs11_common(info);
FIX(url, outfile, detailed, info);
CHECK_LOGIN_FLAG(flags);
+ if (id != NULL) {
+ raw_id_size = sizeof(raw_id);
+ ret = gnutls_hex2bin(id, strlen(id), raw_id, &raw_id_size);
+ if (ret < 0) {
+ fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+ cid.data = raw_id;
+ cid.size = raw_id_size;
+ }
+
if (outfile == stderr || outfile == stdout) {
fprintf(stderr, "warning: no --outfile was specified and the generated public key will be printed on screen.\n");
fprintf(stderr, "note: in some tokens it is impossible to obtain the public key in any other way after generation.\n");
@@ -616,7 +644,7 @@ pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
}
ret =
- gnutls_pkcs11_privkey_generate2(url, pk, bits, label,
+ gnutls_pkcs11_privkey_generate3(url, pk, bits, label, &cid,
GNUTLS_X509_FMT_PEM, &pubkey,
flags);
if (ret < 0) {