author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-11-29 08:31:13 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-11-29 16:27:40 +0100 |
commit | 6f4bb1cdbe7b4ad0c2f0a80af56ea96ebcd2060d (patch) | |
tree | 8b529b8c122fb07e4d3e609c85eeb6b108f093b0 | |
parent | 6df48c0b935d86fd5b88706b4f0f6f4a2a415be5 (diff) | |
download | gnutls-6f4bb1cdbe7b4ad0c2f0a80af56ea96ebcd2060d.tar.gz |
p11tool: allow setting the CKA_ID on object initialization/generation
-rw-r--r-- | src/p11tool-args.def | 7 | ||||
-rw-r--r-- | src/p11tool.c | 14 | ||||
-rw-r--r-- | src/p11tool.h | 4 | ||||
-rw-r--r-- | src/pkcs11.c | 44 |
4 files changed, 54 insertions, 15 deletions
diff --git a/src/p11tool-args.def b/src/p11tool-args.def
index ac17acb7d5..5f8b390b2f 100644
--- a/src/p11tool-args.def
+++ b/src/p11tool-args.def
@@ -143,6 +143,13 @@ flag = {
 };
 flag = {
+ name = id;
+ arg-type = string;
+ descrip = "Sets an ID for the write operation";
+ doc = "Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.";
+};
+
+flag = {
 name = mark-wrap;
 disable = "no";
 disabled;
diff --git a/src/p11tool.c b/src/p11tool.c
index 8fbdbd545b..ff1a507c26 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -108,7 +108,7 @@ static void cmd_parser(int argc, char **argv)
 const char *url = NULL;
 unsigned int detailed_url = 0, optct;
 unsigned int bits = 0;
- const char *label = NULL, *sec_param = NULL;
+ const char *label = NULL, *sec_param = NULL, *id = NULL;
 unsigned flags;
 optct = optionProcess(&p11toolOptions, argc, argv);
@@ -210,6 +210,10 @@ static void cmd_parser(int argc, char **argv)
 label = OPT_ARG(LABEL);
 }
+ if (HAVE_OPT(ID)) {
+ id = OPT_ARG(ID);
+ }
+
 if (HAVE_OPT(BITS)) {
 bits = OPT_VALUE_BITS;
 }
@@ -280,7 +284,7 @@ static void cmd_parser(int argc, char **argv)
 } else if (HAVE_OPT(EXPORT_CHAIN)) {
 pkcs11_export_chain(outfile, url, flags, &cinfo);
 } else if (HAVE_OPT(WRITE)) {
- pkcs11_write(outfile, url, label,
+ pkcs11_write(outfile, url, label, id,
 flags, &cinfo);
 } else if (HAVE_OPT(INITIALIZE))
 pkcs11_init(outfile, url, label, &cinfo);
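Review bot: The `descrip`/`doc` text of the new `id` flag says it applies to "the write operation", but the p11tool.c hunks on this line and the next also thread `id` into pkcs11_generate for the RSA, DSA and EC generation branches, so the help text undersells the option. Suggest `descrip = "Sets an ID for the write or generate operation";` and opening the doc with "Sets the CKA_ID to be set by the write or generate operation." The doc string could also state the maximum length, since the `raw_id[128]` buffer in pkcs11.c bounds the decoded ID to 128 bytes and a longer value is rejected with only a generic hex-conversion error.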
@@ -290,19 +294,19 @@ static void cmd_parser(int argc, char **argv)
 key_type = GNUTLS_PK_EC;
 pkcs11_generate(outfile, url, key_type,
 get_bits(key_type, bits, sec_param, 0),
- label, detailed_url,
+ label, id, detailed_url,
 flags, &cinfo);
 } else if (HAVE_OPT(GENERATE_RSA)) {
 key_type = GNUTLS_PK_RSA;
 pkcs11_generate(outfile, url, key_type,
 get_bits(key_type, bits, sec_param, 0),
- label, detailed_url,
+ label, id, detailed_url,
 flags, &cinfo);
 } else if (HAVE_OPT(GENERATE_DSA)) {
 key_type = GNUTLS_PK_DSA;
 pkcs11_generate(outfile, url, key_type,
 get_bits(key_type, bits, sec_param, 0),
- label, detailed_url,
+ label, id, detailed_url,
 flags, &cinfo);
 } else if (HAVE_OPT(EXPORT_PUBKEY)) {
 pkcs11_export_pubkey(outfile, url, detailed_url, flags, &cinfo);
diff --git a/src/p11tool.h b/src/p11tool.h
index 422d680840..9acd7732c3 100644
--- a/src/p11tool.h
+++ b/src/p11tool.h
@@ -41,7 +41,7 @@ pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,
 void pkcs11_token_list(FILE * outfile, unsigned int detailed,
 common_info_st *, unsigned brief);
 void pkcs11_write(FILE * outfile, const char *pkcs11_url,
- const char *label,
+ const char *label, const char *id,
 unsigned int flags, common_info_st *);
 void pkcs11_delete(FILE * outfile, const char *pkcs11_url,
 unsigned int flags, common_info_st *);
@@ -49,7 +49,7 @@ void pkcs11_init(FILE * outfile, const char *pkcs11_url,
 const char *label, common_info_st *);
 void pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t type,
 unsigned int bits,
- const char *label, int detailed,
+ const char *label, const char *id, int detailed,
 unsigned int flags, common_info_st * info);
 void pkcs11_export_pubkey(FILE * outfile, const char *url, int detailed,
 unsigned int flags, common_info_st * info);
diff --git a/src/pkcs11.c b/src/pkcs11.c
index e9900ec284..b80b16be5a 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
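Review bot: The new `id` parameter added to the pkcs11_write prototype here (and to pkcs11_generate in the @49 hunk of the same file) has a contract that is only discoverable by reading pkcs11.c: it is an optional hex string, NULL when --id was not given, and the decoded value becomes the object's CKA_ID. A one-line comment on each declaration would save callers that trip, e.g. `/* id: optional CKA_ID as hex (no 0x prefix), or NULL to leave it unset */`. The cmd_parser hunks on this line only thread the argument through and need no change.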
@@ -522,13 +522,16 @@ pkcs11_token_list(FILE * outfile, unsigned int detailed,
 void
 pkcs11_write(FILE * outfile, const char *url, const char *label,
- unsigned flags, common_info_st * info)
+ const char *id, unsigned flags, common_info_st * info)
 {
 gnutls_x509_crt_t xcrt;
 gnutls_x509_privkey_t xkey;
 int ret;
 unsigned int key_usage = 0;
 gnutls_datum_t *secret_key;
+ unsigned char raw_id[128];
+ size_t raw_id_size;
+ gnutls_datum_t cid = {NULL, 0};
 pkcs11_common(info);
@@ -539,6 +542,17 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
 label = read_str("warning: The object's label was not specified.\nLabel: ");
 }
+ if (id != NULL) {
+ raw_id_size = sizeof(raw_id);
+ ret = gnutls_hex2bin(id, strlen(id), raw_id, &raw_id_size);
+ if (ret < 0) {
+ fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+ cid.data = raw_id;
+ cid.size = raw_id_size;
+ }
+
 secret_key = load_secret_key(0, info);
 if (secret_key != NULL) {
 ret =
@@ -555,7 +569,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
 xcrt = load_cert(0, info);
 if (xcrt != NULL) {
- ret = gnutls_pkcs11_copy_x509_crt(url, xcrt, label, flags);
+ ret = gnutls_pkcs11_copy_x509_crt2(url, xcrt, label, &cid, flags);
 if (ret < 0) {
 fprintf(stderr, "Error writing certificate: %s\n", gnutls_strerror(ret));
 if (((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) ||
@@ -571,10 +585,10 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
 xkey = load_x509_private_key(0, info);
 if (xkey != NULL) {
 ret =
- gnutls_pkcs11_copy_x509_privkey(url, xkey, label,
- key_usage,
- flags |
- GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
+ gnutls_pkcs11_copy_x509_privkey2(url, xkey, label,
+ &cid, key_usage,
+ flags |
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
 if (ret < 0) {
 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
 __LINE__, gnutls_strerror(ret));
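Review bot: The hex-decoding block added in the @539 hunk is repeated verbatim in pkcs11_generate (the @594 hunk on the next line), and neither copy rejects an empty `--id`: for `""` the decode succeeds with zero bytes, leaving `cid.data` pointing at `raw_id` with `cid.size == 0`, so a zero-length CKA_ID is written instead of none. Lifting the block into one static helper that also refuses the empty string keeps both paths in sync; the sketch below does that and each call site shrinks to `parse_cka_id(id, raw_id, sizeof(raw_id), &cid);`. An over-long ID is, as far as I can tell, reported by gnutls_hex2bin as a short-buffer error rather than overrunning `raw_id`, but the user only sees the generic "Error converting hex" text, so the 128-byte limit deserves a mention in the option's documentation. Note also that the secret-key copy right after this block (old lines 545-554, which the commit leaves untouched) never receives `cid`, so `--id` is silently ignored for secret keys — confirm whether that is intended or should be called out in the help text.
```c
/* Decode the --id hex string into buf and point *cid at it; exits on bad input. */
static void parse_cka_id(const char *id, unsigned char *buf, size_t buf_size,
			 gnutls_datum_t *cid)
{
	size_t raw_size = buf_size;
	int ret;

	if (id == NULL)
		return;
	if (*id == 0) {
		fprintf(stderr, "Error: --id must not be empty\n");
		exit(1);
	}

	ret = gnutls_hex2bin(id, strlen(id), buf, &raw_size);
	if (ret < 0) {
		fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
		exit(1);
	}
	cid->data = buf;
	cid->size = raw_size;
}

/* … unchanged: pkcs11_write() up to the label prompt … */
	parse_cka_id(id, raw_id, sizeof(raw_id), &cid);
/* … unchanged: secret key / certificate / private key copies … */
```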
@@ -594,17 +608,31 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
 void
 pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
 unsigned int bits,
- const char *label, int detailed,
+ const char *label, const char *id, int detailed,
 unsigned int flags, common_info_st * info)
 {
 int ret;
 gnutls_datum_t pubkey;
+ unsigned char raw_id[128];
+ size_t raw_id_size;
+ gnutls_datum_t cid = {NULL, 0};
 pkcs11_common(info);
 FIX(url, outfile, detailed, info);
 CHECK_LOGIN_FLAG(flags);
+ if (id != NULL) {
+ raw_id_size = sizeof(raw_id);
+ ret = gnutls_hex2bin(id, strlen(id), raw_id, &raw_id_size);
+ if (ret < 0) {
+ fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+ cid.data = raw_id;
+ cid.size = raw_id_size;
+ }
+
 if (outfile == stderr || outfile == stdout) {
 fprintf(stderr, "warning: no --outfile was specified and the generated public key will be printed on screen.\n");
 fprintf(stderr, "note: in some tokens it is impossible to obtain the public key in any other way after generation.\n");
@@ -616,7 +644,7 @@ pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
 }
 ret =
- gnutls_pkcs11_privkey_generate2(url, pk, bits, label,
+ gnutls_pkcs11_privkey_generate3(url, pk, bits, label, &cid,
 GNUTLS_X509_FMT_PEM, &pubkey, flags);
 if (ret < 0) {
|