-rw-r--r-- | configure.ac | 16 | ||||
-rw-r--r-- | doc/examples/Makefile.am | 5 | ||||
-rw-r--r-- | lib/Makefile.am | 17 | ||||
-rw-r--r-- | lib/auth/cert.c | 9 | ||||
-rw-r--r-- | lib/gnutls_global.c | 4 | ||||
-rw-r--r-- | lib/gnutls_privkey.c | 15 | ||||
-rw-r--r-- | lib/gnutls_pubkey.c | 9 | ||||
-rw-r--r-- | lib/gnutls_x509.c | 10 | ||||
-rw-r--r-- | lib/pakchois/README | 3 | ||||
-rw-r--r-- | lib/pakchois/dlopen.c | 51 | ||||
-rw-r--r-- | lib/pakchois/dlopen.h | 21 | ||||
-rw-r--r-- | lib/pakchois/errors.c | 234 | ||||
-rw-r--r-- | lib/pakchois/pakchois.c | 1242 | ||||
-rw-r--r-- | lib/pakchois/pakchois.h | 380 | ||||
-rw-r--r-- | lib/pakchois/pakchois11.h | 1369 | ||||
-rw-r--r-- | lib/pkcs11.c | 1416 | ||||
-rw-r--r-- | lib/pkcs11_int.h | 178 | ||||
-rw-r--r-- | lib/pkcs11_privkey.c | 66 | ||||
-rw-r--r-- | lib/pkcs11_secret.c | 15 | ||||
-rw-r--r-- | lib/pkcs11_write.c | 134 | ||||
-rw-r--r-- | src/Makefile.am | 26 | ||||
-rw-r--r-- | src/certtool-common.c | 9 | ||||
-rw-r--r-- | src/certtool.c | 6 | ||||
-rw-r--r-- | src/cli.c | 9 | ||||
-rw-r--r-- | src/p11tool.c | 2 | ||||
-rw-r--r-- | src/serv.c | 2 |
26 files changed, 962 insertions, 4286 deletions
diff --git a/configure.ac b/configure.ac index a0f962f796..e16894aebb 100644 --- a/configure.ac +++ b/configure.ac @@ -119,8 +119,19 @@ AC_CHECK_FUNCS(fork,,) AM_CONDITIONAL(HAVE_FORK, test "$ac_cv_func_fork" != "no") AC_CHECK_FUNCS(getrusage,,) AC_LIB_HAVE_LINKFLAGS(pthread,, [#include <pthread.h>], [pthread_mutex_lock (0);]) -dnl for pakchois -AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dlclose (0);]) + +dnl Check for p11-kit +AC_ARG_WITH(p11-kit, + AS_HELP_STRING([--without-p11-kit], + [Build without p11-kit and PKCS#11 support])) +AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no") +if test "$with_p11_kit" != "no"; then + PKG_CHECK_MODULES(P11_KIT, [p11-kit-1]) + AC_DEFINE(ENABLE_PKCS11, 1, [Build PKCS#11 support]) + CFLAGS="$CFLAGS $P11_KIT_CFLAGS" + LIBS="$LIBS $P11_KIT_LIBS" + with_p11_kit=yes +fi dnl Check for libcfg+ SAVED_LIBS=$LIBS @@ -434,4 +445,5 @@ AC_MSG_NOTICE([summary of build options: /dev/crypto: $enable_cryptodev Hardware accel: $hw_accel Crypto library: $cryptolib + PKCS#11 support: $with_p11_kit ]) diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am index a91c0d32bf..112614fe70 100644 --- a/doc/examples/Makefile.am +++ b/doc/examples/Makefile.am @@ -43,7 +43,6 @@ CXX_LDADD = $(LDADD) \ noinst_PROGRAMS = ex-client2 ex-client-resume ex-client-udp noinst_PROGRAMS += ex-cert-select ex-rfc2818 -noinst_PROGRAMS += ex-cert-select-pkcs11 if ENABLE_PKI noinst_PROGRAMS += ex-crq ex-serv1 @@ -63,6 +62,10 @@ if ENABLE_OPENPGP noinst_PROGRAMS += ex-serv-pgp endif +if ENABLE_PKCS11 +noinst_PROGRAMS += ex-cert-select-pkcs11 +endif + if ENABLE_PSK noinst_PROGRAMS += ex-client-psk if ENABLE_PKI diff --git a/lib/Makefile.am b/lib/Makefile.am index 133fddb974..8a49c17039 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -23,7 +23,6 @@ ACLOCAL_AMFLAGS = -I ../m4 -I ../gl/m4 -EXTRA_DIST = pakchois/README SUBDIRS = includes x509 accelerated auth ext algorithms if ENABLE_MINITASN1 SUBDIRS += minitasn1 
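Review bot: `PKG_CHECK_MODULES(P11_KIT, [p11-kit-1])` in the new p11-kit block has no version floor, and the block then appends the result to the global `CFLAGS` and `LIBS`, so every later configure test and every target in the tree is compiled and linked against p11-kit, not only the library code that needs it. PKG_CHECK_MODULES already substitutes `P11_KIT_CFLAGS` and `P11_KIT_LIBS`, so they could be referenced from lib/Makefile.am instead, and a minimum version could be stated as `[p11-kit-1 >= MIN_VERSION]` (placeholder; use the first release that has the API lib/pkcs11.c relies on). The help string documents only `--without-p11-kit`, while any value other than `no` enables the feature and is then overwritten by `with_p11_kit=yes`; a short `dnl` comment saying that the default is "required unless disabled" would make the hard failure on a missing p11-kit less surprising.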
@@ -72,11 +71,13 @@ COBJECTS = gnutls_record.c gnutls_compress.c debug.c gnutls_cipher.c \ gnutls_dh_primes.c gnutls_alert.c system.c \ gnutls_str.c gnutls_state.c gnutls_x509.c gnutls_rsa_export.c \ gnutls_helper.c gnutls_supplemental.c random.c \ - crypto-api.c gnutls_privkey.c gnutls_pcert.c \ - pkcs11.c pkcs11_privkey.c gnutls_pubkey.c pkcs11_write.c locks.c \ - pkcs11_secret.c hash.c gnutls_dtls.c system_override.c \ + crypto-api.c gnutls_privkey.c gnutls_pcert.c gnutls_pubkey.c \ + locks.c hash.c gnutls_dtls.c system_override.c \ crypto-backend.c +if ENABLE_PKCS11 +COBJECTS += pkcs11.c pkcs11_privkey.c pkcs11_write.c pkcs11_secret.c +endif if ENABLE_NETTLE SUBDIRS += nettle @@ -96,11 +97,11 @@ HFILES = abstract_int.h debug.h gnutls_compress.h gnutls_cipher.h \ gnutls_state.h gnutls_x509.h crypto-backend.h \ gnutls_rsa_export.h gnutls_srp.h auth/srp.h auth/srp_passwd.h \ gnutls_helper.h gnutls_supplemental.h crypto.h random.h system.h\ - locks.h gnutls_mbuffers.h pkcs11_int.h \ - hash.h gnutls_ecc.h + locks.h gnutls_mbuffers.h hash.h gnutls_ecc.h -COBJECTS+=pakchois/pakchois.c pakchois/errors.c pakchois/dlopen.c -HFILES+=pakchois/pakchois.h pakchois/pakchois11.h pakchois/dlopen.h +if ENABLE_PKCS11 +HFILES += pkcs11_int.h pkcs11_spec.h +endif # Separate so we can create the documentation diff --git a/lib/auth/cert.c b/lib/auth/cert.c index 11cf1742c6..3ce233bf63 100644 --- a/lib/auth/cert.c +++ b/lib/auth/cert.c @@ -61,9 +61,10 @@ static gnutls_pcert_st *alloc_and_load_x509_certs (gnutls_x509_crt_t * certs, static gnutls_privkey_t alloc_and_load_x509_key (gnutls_x509_privkey_t key, int deinit); +#ifdef ENABLE_PKCS11 static gnutls_privkey_t alloc_and_load_pkcs11_key (gnutls_pkcs11_privkey_t key, int deinit); - +#endif /* Copies data from a internal certificate struct (gnutls_pcert_st) to * exported certificate struct (cert_auth_info_t) 
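Review bot: The new `HFILES += pkcs11_int.h pkcs11_spec.h` under `if ENABLE_PKCS11` names pkcs11_spec.h, but the diffstat of this commit lists no lib/pkcs11_spec.h; unless that header is already in the tree, `make dist` will fail on the missing file. The removed lines also dropped the only hint about where the PKCS#11 glue comes from, so I would add a comment above the conditional such as `# PKCS#11 support is built on p11-kit; disabled by configure --without-p11-kit`.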
@@ -595,6 +596,7 @@ call_get_cert_callback (gnutls_session_t session, } break; #endif +#ifdef ENABLE_PKCS11 case GNUTLS_PRIVKEY_PKCS11: if (st2.key.pkcs11 != NULL) { @@ -608,6 +610,7 @@ call_get_cert_callback (gnutls_session_t session, } } break; +#endif case GNUTLS_PRIVKEY_X509: if (st2.key.x509 != NULL) { @@ -2000,6 +2003,8 @@ alloc_and_load_pgp_key (gnutls_openpgp_privkey_t key, int deinit) } #endif +#ifdef ENABLE_PKCS11 + /* converts the given raw key to gnutls_privkey* and allocates * space for it. */ @@ -2033,6 +2038,8 @@ alloc_and_load_pkcs11_key (gnutls_pkcs11_privkey_t key, int deinit) return local_key; } +#endif + void _gnutls_selected_certs_deinit (gnutls_session_t session) { diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c index 0710f43f84..2f1c7440b2 100644 --- a/lib/gnutls_global.c +++ b/lib/gnutls_global.c @@ -269,7 +269,9 @@ gnutls_global_init (void) goto out; } +#ifdef ENABLE_PKCS11 gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL); +#endif _gnutls_cryptodev_init (); @@ -298,7 +300,9 @@ gnutls_global_deinit (void) asn1_delete_structure (&_gnutls_pkix1_asn); _gnutls_crypto_deregister (); _gnutls_cryptodev_deinit (); +#ifdef ENABLE_PKCS11 gnutls_pkcs11_deinit (); +#endif } _gnutls_init--; } diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c index f1737c0754..f701ec426b 100644 --- a/lib/gnutls_privkey.c +++ b/lib/gnutls_privkey.c @@ -21,7 +21,6 @@ */ #include <gnutls_int.h> -#include <pakchois/pakchois.h> #include <gnutls/pkcs11.h> #include <stdio.h> #include <stdbool.h> @@ -45,7 +44,9 @@ struct gnutls_privkey_st union { gnutls_x509_privkey_t x509; +#ifdef ENABLE_PKCS11 gnutls_pkcs11_privkey_t pkcs11; +#endif #ifdef ENABLE_OPENPGP gnutls_openpgp_privkey_t openpgp; #endif 
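Review bot: The result of `gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL)` is still discarded inside the new `#ifdef ENABLE_PKCS11` guard in gnutls_global_init, so an application cannot tell that module initialisation failed. As I understand GNUTLS_PKCS11_FLAG_AUTO, every process that calls gnutls_global_init then loads whichever PKCS#11 modules the system configuration names, which is a trust decision worth stating next to the call. I would add a comment such as `/* Loads the PKCS#11 modules named by the system configuration into this process; a failure is ignored here. */` and report a negative return through `_gnutls_debug_log`. The bodies of gnutls_global_init and gnutls_global_deinit continue outside these hunks.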
@@ -91,8 +92,10 @@ gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key, unsigned int *bits) case GNUTLS_PRIVKEY_OPENPGP: return gnutls_openpgp_privkey_get_pk_algorithm (key->key.openpgp, bits); #endif +#ifdef ENABLE_PKCS11 case GNUTLS_PRIVKEY_PKCS11: return gnutls_pkcs11_privkey_get_pk_algorithm (key->key.pkcs11, bits); +#endif case GNUTLS_PRIVKEY_X509: if (bits) *bits = _gnutls_mpi_get_nbits (key->key.x509->params.params[0]); @@ -277,9 +280,11 @@ gnutls_privkey_deinit (gnutls_privkey_t key) gnutls_openpgp_privkey_deinit (key->key.openpgp); break; #endif +#ifdef ENABLE_PKCS11 case GNUTLS_PRIVKEY_PKCS11: gnutls_pkcs11_privkey_deinit (key->key.pkcs11); break; +#endif case GNUTLS_PRIVKEY_X509: gnutls_x509_privkey_deinit (key->key.x509); break; @@ -297,6 +302,8 @@ static int check_if_clean(gnutls_privkey_t key) return 0; } +#ifdef ENABLE_PKCS11 + /** * gnutls_privkey_import_pkcs11: * @pkey: The private key @@ -333,6 +340,8 @@ int ret; return 0; } +#endif /* ENABLE_PKCS11 */ + /** * gnutls_privkey_import_x509: * @pkey: The private key @@ -571,9 +580,11 @@ _gnutls_privkey_sign_hash (gnutls_privkey_t key, return gnutls_openpgp_privkey_sign_hash (key->key.openpgp, hash, signature); #endif +#ifdef ENABLE_PKCS11 case GNUTLS_PRIVKEY_PKCS11: return _gnutls_pkcs11_privkey_sign_hash (key->key.pkcs11, hash, signature); +#endif case GNUTLS_PRIVKEY_X509: return _gnutls_soft_sign (key->key.x509->pk_algorithm, &key->key.x509->params, @@ -620,10 +631,12 @@ gnutls_privkey_decrypt_data (gnutls_privkey_t key, return _gnutls_pkcs1_rsa_decrypt (plaintext, ciphertext, &key->key.x509->params, 2); +#ifdef ENABLE_PKCS11 case GNUTLS_PRIVKEY_PKCS11: return _gnutls_pkcs11_privkey_decrypt_data (key->key.pkcs11, flags, ciphertext, plaintext); +#endif default: gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c index 6352bbbeed..3199492ac2 100644 --- a/lib/gnutls_pubkey.c +++ b/lib/gnutls_pubkey.c 
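Review bot: Wrapping gnutls_privkey_import_pkcs11 in `#ifdef ENABLE_PKCS11` removes a public function from the library when it is configured with --without-p11-kit, while this file still includes `<gnutls/pkcs11.h>` unconditionally, so the installed headers presumably keep declaring it. Applications would then fail at link time instead of receiving an error code; the same applies to gnutls_pubkey_import_pkcs11 and gnutls_pubkey_import_pkcs11_url in lib/gnutls_pubkey.c. An `#else` stub that only does `return GNUTLS_E_UNIMPLEMENTED_FEATURE;` would keep the exported symbol set stable across build configurations. In the switch statements the guarded `case GNUTLS_PRIVKEY_PKCS11:` now falls to whatever default each function has; gnutls_privkey_decrypt_data shows a `default:` returning GNUTLS_E_INVALID_REQUEST, the others are not visible in the hunks and should be checked.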
@@ -21,7 +21,6 @@ */ #include <gnutls_int.h> -#include <pakchois/pakchois.h> #include <gnutls/pkcs11.h> #include <stdio.h> #include <stdbool.h> @@ -34,7 +33,6 @@ #include <gnutls_pk.h> #include <x509_int.h> #include <openpgp/openpgp_int.h> -#include <pkcs11_int.h> #include <gnutls_num.h> #include <x509/common.h> #include <x509_b64.h> @@ -252,6 +250,7 @@ gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key, return ret; } +#ifdef ENABLE_PKCS11 /** * gnutls_pubkey_import_pkcs11: Imports a public key from a pkcs11 key @@ -305,6 +304,8 @@ gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t key, return 0; } +#endif /* ENABLE_PKCS11 */ + #ifdef ENABLE_OPENPGP /** * gnutls_pubkey_import_openpgp: Imports a public key from an openpgp key @@ -919,6 +920,8 @@ gnutls_pubkey_set_key_usage (gnutls_pubkey_t key, unsigned int usage) return 0; } +#ifdef ENABLE_PKCS11 + /** * gnutls_pubkey_import_pkcs11_url: * @key: A key of type #gnutls_pubkey_t @@ -968,6 +971,8 @@ cleanup: return ret; } +#endif /* ENABLE_PKCS11 */ + /** * gnutls_pubkey_import_rsa_raw: * @key: Is a structure will hold the parameters diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index ea8da3f9c9..a5cdb0730d 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c @@ -475,6 +475,8 @@ read_key_mem (gnutls_certificate_credentials_t res, return 0; } +#ifdef ENABLE_PKCS11 + /* Reads a private key from a token. */ static int @@ -672,6 +674,8 @@ read_cert_url (gnutls_certificate_credentials_t res, const char *url) } +#endif /* ENABLE_PKCS11 */ + /* Reads a certificate file */ static int @@ -682,10 +686,12 @@ read_cert_file (gnutls_certificate_credentials_t res, size_t size; char *data; +#ifdef ENABLE_PKCS11 if (strncmp (certfile, "pkcs11:", 7) == 0) { return read_cert_url (res, certfile); } +#endif /* ENABLE_PKCS11 */ data = read_binary_file (certfile, &size); 
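Review bot: With PKCS#11 compiled out, a `pkcs11:` URL passed to read_cert_file is no longer recognised and falls through to `read_binary_file (certfile, &size)`, so it is treated as a file name relative to the working directory. The caller gets a file error instead of "not supported", and a file that happens to carry that name would be loaded; the same pattern is in the read_key_file and gnutls_certificate_set_x509_trust_file hunks, and the latter decides which CAs are trusted. I would keep the `strncmp (certfile, "pkcs11:", 7) == 0` test unconditional and put only the call under the guard, with an `#else` branch of `return GNUTLS_E_UNIMPLEMENTED_FEATURE;` so the scheme is rejected explicitly. The function bodies continue outside the hunks.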
@@ -715,10 +721,12 @@ read_key_file (gnutls_certificate_credentials_t res, size_t size; char *data; +#ifdef ENABLE_PKCS11 if (strncmp (keyfile, "pkcs11:", 7) == 0) { return read_key_url (res, keyfile); } +#endif /* ENABLE_PKCS11 */ data = read_binary_file (keyfile, &size); @@ -1312,10 +1320,12 @@ gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res, size_t size; char *data; +#ifdef ENABLE_PKCS11 if (strncmp (cafile, "pkcs11:", 7) == 0) { return read_cas_url (res, cafile); } +#endif data = read_binary_file (cafile, &size); if (data == NULL) diff --git a/lib/pakchois/README b/lib/pakchois/README deleted file mode 100644 index 1d582fdade..0000000000 --- a/lib/pakchois/README +++ /dev/null @@ -1,3 +0,0 @@ -The pakchois library is not part of the GnuTLS library, but is used with -GnuTLS. Pakchois was written by Joe Orton and is under the Lesser GPL license. - diff --git a/lib/pakchois/dlopen.c b/lib/pakchois/dlopen.c deleted file mode 100644 index f74a45dabb..0000000000 --- a/lib/pakchois/dlopen.c +++ /dev/null 
@@ -1,51 +0,0 @@ -/* - * Copyright (C) 2010 - * Free Software Foundation, Inc. - * - * Author: Nikos Mavrogiannopoulos - * - * This file is part of GnuTLS. - * - * The GnuTLS is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public License - * as published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, - * USA - * - */ - -#include "dlopen.h" - -#ifdef _WIN32 - -#include <windows.h> - -void * -dlopen (const char *filename, int flag) -{ - return LoadLibrary (filename); -} - - -void * -dlsym (void *handle, const char *symbol) -{ - return GetProcAddress ((HINSTANCE) handle, symbol); -} - -int -dlclose (void *handle) -{ - return !FreeLibrary ((HINSTANCE) handle); -} - -#endif diff --git a/lib/pakchois/dlopen.h b/lib/pakchois/dlopen.h deleted file mode 100644 index 47362cb035..0000000000 --- a/lib/pakchois/dlopen.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef DLOPEN_H -#define DLOPEN_H - -#include "config.h" - -#ifdef _WIN32 - -#define RTLD_LOCAL 0 -#define RTLD_NOW 1 - -void *dlopen (const char *filename, int flag); -void *dlsym (void *handle, const char *symbol); -int dlclose (void *handle); - -#else - -#include <dlfcn.h> - -#endif - -#endif diff --git a/lib/pakchois/errors.c b/lib/pakchois/errors.c deleted file mode 100644 index d223239d8f..0000000000 --- a/lib/pakchois/errors.c +++ /dev/null 
@@ -1,234 +0,0 @@ -/* - pakchois PKCS#11 interface -- error mapping - Copyright (C) 2008, Joe Orton <joe@manyfish.co.uk> - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Library General Public - License as published by the Free Software Foundation; either - version 2 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Library General Public License for more details. - - You should have received a copy of the GNU Library General Public - License along with this library; if not, write to the Free - Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, - MA 02111-1307, USA -*/ - -/* - This code is directly derived from the scute.org PKCS#11 cryptoki - interface, which is: - - Copyright 2006, 2007 g10 Code GmbH - Copyright 2006 Andreas Jellinghaus - - This file is free software; as a special exception the author gives - unlimited permission to copy and/or distribute it, with or without - modifications, as long as this notice is preserved. - - This file is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY, to the extent permitted by law; without even - the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - PURPOSE. 
-*/ - -#include "config.h" - -#include "pakchois.h" - -#ifdef ENABLE_NLS -#include <libintl.h> -#define _(x) dgettext(PACKAGE_NAME, x) -#else -#define _(x) x -#endif - -const char * -pakchois_error (ck_rv_t rv) -{ - if (rv >= CKR_VENDOR_DEFINED) - { - return _("Vendor defined error"); - } - - switch (rv) - { - case CKR_OK: - return _("OK"); - case CKR_CANCEL: - return _("Cancel"); - case CKR_HOST_MEMORY: - return _("Host memory"); - case CKR_SLOT_ID_INVALID: - return _("Slot id invalid"); - case CKR_GENERAL_ERROR: - return _("General error"); - case CKR_FUNCTION_FAILED: - return _("Function failed"); - case CKR_ARGUMENTS_BAD: - return _("Arguments bad"); - case CKR_NO_EVENT: - return _("No event"); - case CKR_NEED_TO_CREATE_THREADS: - return _("Need to create threads"); - case CKR_CANT_LOCK: - return _("Can't lock"); - case CKR_ATTRIBUTE_READ_ONLY: - return _("Attribute read only"); - case CKR_ATTRIBUTE_SENSITIVE: - return _("Attribute sensitive"); - case CKR_ATTRIBUTE_TYPE_INVALID: - return _("Attribute type invalid"); - case CKR_ATTRIBUTE_VALUE_INVALID: - return _("Attribute value invalid"); - case CKR_DATA_INVALID: - return _("Data invalid"); - case CKR_DATA_LEN_RANGE: - return _("Data len range"); - case CKR_DEVICE_ERROR: - return _("Device error"); - case CKR_DEVICE_MEMORY: - return _("Device memory"); - case CKR_DEVICE_REMOVED: - return _("Device removed"); - case CKR_ENCRYPTED_DATA_INVALID: - return _("Encrypted data invalid"); - case CKR_ENCRYPTED_DATA_LEN_RANGE: - return _("Encrypted data len range"); - case CKR_FUNCTION_CANCELED: - return _("Function canceled"); - case CKR_FUNCTION_NOT_PARALLEL: - return _("Function not parallel"); - case CKR_FUNCTION_NOT_SUPPORTED: - return _("Function not supported"); - case CKR_KEY_HANDLE_INVALID: - return _("Key handle invalid"); - case CKR_KEY_SIZE_RANGE: - return _("Key size range"); - case CKR_KEY_TYPE_INCONSISTENT: - return _("Key type inconsistent"); - case CKR_KEY_NOT_NEEDED: - return _("Key not needed"); - case 
CKR_KEY_CHANGED: - return _("Key changed"); - case CKR_KEY_NEEDED: - return _("Key needed"); - case CKR_KEY_INDIGESTIBLE: - return _("Key indigestible"); - case CKR_KEY_FUNCTION_NOT_PERMITTED: - return _("Key function not permitted"); - case CKR_KEY_NOT_WRAPPABLE: - return _("Key not wrappable"); - case CKR_KEY_UNEXTRACTABLE: - return _("Key unextractable"); - case CKR_MECHANISM_INVALID: - return _("Mechanism invalid"); - case CKR_MECHANISM_PARAM_INVALID: - return _("Mechanism param invalid"); - case CKR_OBJECT_HANDLE_INVALID: - return _("Object handle invalid"); - case CKR_OPERATION_ACTIVE: - return _("Operation active"); - case CKR_OPERATION_NOT_INITIALIZED: - return _("Operation not initialized"); - case CKR_PIN_INCORRECT: - return _("PIN incorrect"); - case CKR_PIN_INVALID: - return _("PIN invalid"); - case CKR_PIN_LEN_RANGE: - return _("PIN len range"); - case CKR_PIN_EXPIRED: - return _("PIN expired"); - case CKR_PIN_LOCKED: - return _("PIN locked"); - case CKR_SESSION_CLOSED: - return _("Session closed"); - case CKR_SESSION_COUNT: - return _("Session count"); - case CKR_SESSION_HANDLE_INVALID: - return _("Session handle invalid"); - case CKR_SESSION_PARALLEL_NOT_SUPPORTED: - return _("Session parallel not supported"); - case CKR_SESSION_READ_ONLY: - return _("Session read only"); - case CKR_SESSION_EXISTS: - return _("Session exists"); - case CKR_SESSION_READ_ONLY_EXISTS: - return _("Session read only exists"); - case CKR_SESSION_READ_WRITE_SO_EXISTS: - return _("Session read write so exists"); - case CKR_SIGNATURE_INVALID: - return _("Signature invalid"); - case CKR_SIGNATURE_LEN_RANGE: - return _("Signature length range"); - case CKR_TEMPLATE_INCOMPLETE: - return _("Template incomplete"); - case CKR_TEMPLATE_INCONSISTENT: - return _("Template inconsistent"); - case CKR_TOKEN_NOT_PRESENT: - return _("Token not present"); - case CKR_TOKEN_NOT_RECOGNIZED: - return _("Token not recognized"); - case CKR_TOKEN_WRITE_PROTECTED: - return _("Token write 
protected"); - case CKR_UNWRAPPING_KEY_HANDLE_INVALID: - return _("Unwrapping key handle invalid"); - case CKR_UNWRAPPING_KEY_SIZE_RANGE: - return _("Unwrapping key size range"); - case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT: - return _("Unwrapping key type inconsistent"); - case CKR_USER_ALREADY_LOGGED_IN: - return _("User already logged in"); - case CKR_USER_NOT_LOGGED_IN: - return _("User not logged in"); - case CKR_USER_PIN_NOT_INITIALIZED: - return _("User PIN not initialized"); - case CKR_USER_TYPE_INVALID: - return _("User type invalid"); - case CKR_USER_ANOTHER_ALREADY_LOGGED_IN: - return _("Another user already logged in"); - case CKR_USER_TOO_MANY_TYPES: - return _("User too many types"); - case CKR_WRAPPED_KEY_INVALID: - return _("Wrapped key invalid"); - case CKR_WRAPPED_KEY_LEN_RANGE: - return _("Wrapped key length range"); - case CKR_WRAPPING_KEY_HANDLE_INVALID: - return _("Wrapping key handle invalid"); - case CKR_WRAPPING_KEY_SIZE_RANGE: - return _("Wrapping key size range"); - case CKR_WRAPPING_KEY_TYPE_INCONSISTENT: - return _("Wrapping key type inconsistent"); - case CKR_RANDOM_SEED_NOT_SUPPORTED: - return _("Random seed not supported"); - case CKR_RANDOM_NO_RNG: - return _("Random no rng"); - case CKR_DOMAIN_PARAMS_INVALID: - return _("Domain params invalid"); - case CKR_BUFFER_TOO_SMALL: - return _("Buffer too small"); - case CKR_SAVED_STATE_INVALID: - return _("Saved state invalid"); - case CKR_INFORMATION_SENSITIVE: - return _("Information sensitive"); - case CKR_STATE_UNSAVEABLE: - return _("State unsaveable"); - case CKR_CRYPTOKI_NOT_INITIALIZED: - return _("Cryptoki not initialized"); - case CKR_CRYPTOKI_ALREADY_INITIALIZED: - return _("Cryptoki already initialized"); - case CKR_MUTEX_BAD: - return _("Mutex bad"); - case CKR_MUTEX_NOT_LOCKED: - return _("Mutex not locked"); - case CKR_FUNCTION_REJECTED: - return _("Function rejected"); - default: - break; - } - - return _("Unknown error"); -} 
diff --git a/lib/pakchois/pakchois.c b/lib/pakchois/pakchois.c
deleted file mode 100644
index decd752c07..0000000000
--- a/lib/pakchois/pakchois.c
+++ /dev/null
@@ -1,1242 +0,0 @@ -/* - pakchois PKCS#11 interface - Copyright (C) 2008, Joe Orton <joe@manyfish.co.uk> - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Library General Public - License as published by the Free Software Foundation; either - version 2 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Library General Public License for more details. - - You should have received a copy of the GNU Library General Public - License along with this library; if not, write to the Free - Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, - MA 02111-1307, USA -*/ - -/* - The interface is directly derived from the scute.org PKCS#11 - cryptoki interface, which is: - - Copyright 2006, 2007 g10 Code GmbH - Copyright 2006 Andreas Jellinghaus - - This file is free software; as a special exception the author gives - unlimited permission to copy and/or distribute it, with or without - modifications, as long as this notice is preserved. - - This file is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY, to the extent permitted by law; without even - the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - PURPOSE. 
-*/ - -#include "config.h" - -#include <limits.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <assert.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <unistd.h> -#include "../locks.h" -#include "../system.h" -#include "dlopen.h" - -#ifdef HAVE_WORDEXP -#include <wordexp.h> -#endif -#include "pakchois.h" - -struct provider -{ - dev_t dev; - ino_t ino; - char *name; - void *handle; - void *mutex; - const struct ck_function_list *fns; - unsigned int refcount; - unsigned int finalize:1; /* whether to finalize this one */ - struct provider *next, **prevref; - void *reserved; -}; - -struct pakchois_module_s -{ - struct slot *slots; - struct provider *provider; -}; - -static void *provider_mutex = NULL; - -/* List of loaded providers; any modification to the list or any - * individual module must performed whilst holding this mutex. */ -static struct provider *provider_list; - -struct pakchois_session_s -{ - pakchois_module_t *module; - ck_session_handle_t id; - pakchois_notify_t notify; - void *notify_data; - /* Doubly-linked list. Either prevref = &previous->next or else - * prevref = &slot->sessions for the list head. */ - pakchois_session_t **prevref; - pakchois_session_t *next; -}; - -struct slot -{ - ck_slot_id_t id; - pakchois_session_t *sessions; - struct slot *next; -}; - -#define DIR_DELIMITER '/' - -static char * -pkcs11ize (const char *name) -{ - int len; - char *oname; - char *base; - char *suffix; - - oname = strdup (name); - if (oname == NULL) - { - return NULL; - } - - /* basename has too many ifs to use */ - base = strrchr (oname, DIR_DELIMITER); - if (base == NULL) - { - base = oname; - } - else - { - base++; - } - - suffix = strchr (base, '.'); - if (suffix != NULL) - { - if (strncmp (suffix, ".so", 3) == 0) - { - suffix[0] = 0; /* null terminate before . 
*/ - } - } - - /* check and remove for -p11 or -pkcs11 */ - suffix = base; - while ((suffix = strchr (suffix, '-')) != NULL) - { - if (strncasecmp (suffix, "-p11", 4) == 0 || - strncasecmp (suffix, "-pkcs11", 7) == 0) - { - suffix[0] = 0; - break; - } - suffix++; - } - - len = strlen (base); - - memmove (oname, base, len); - oname[len] = 0; - - return oname; -} - -static const char *suffix_prefixes[][2] = { - {"lib", "pk11.so"}, - {"", "-pkcs11.so"}, - {"", ".so"}, - {"lib", ".so"}, - {NULL, NULL} -}; - -#define CALL(name, args) (mod->provider->fns->C_ ## name) args -#define CALLS(name, args) (sess->module->provider->fns->C_ ## name) args -#define CALLS1(n, a) CALLS(n, (sess->id, a)) -#define CALLS2(n, a, b) CALLS(n, (sess->id, a, b)) -#define CALLS3(n, a, b, c) CALLS(n, (sess->id, a, b, c)) -#define CALLS4(n, a, b, c, d) CALLS(n, (sess->id, a, b, c, d)) -#define CALLS5(n, a, b, c, d, e) CALLS(n, (sess->id, a, b, c, d, e)) -#define CALLS7(n, a, b, c, d, e, f, g) CALLS(n, (sess->id, a, b, c, d, e, f, g)) - -#ifndef PAKCHOIS_MODPATH -#define PAKCHOIS_MODPATH "/lib:/usr/lib" -#endif - -/* Returns an allocated name of the real module as well - * as it's inode and device numbers. - */ -static char * -find_pkcs11_module_name (const char *hint, dev_t * dev, ino_t * ino) -{ - char module_path[] = PAKCHOIS_MODPATH; - char *next = module_path; - struct stat st; - - while (next) - { - char *dir = next, *sep = strchr (next, ':'); - unsigned i; - - if (sep) - { - *sep++ = '\0'; - next = sep; - } - else - { - next = NULL; - } - - for (i = 0; suffix_prefixes[i][0]; i++) - { - char path[PATH_MAX]; - - snprintf (path, sizeof path, "%s/%s%s%s", dir, - suffix_prefixes[i][0], hint, suffix_prefixes[i][1]); - - if (stat (path, &st) < 0) - continue; - - *dev = st.st_dev; - *ino = st.st_ino; - - return strdup (path); - } - } - - return NULL; -} - -/* Expands the given filename and returns an allocated - * string, if the expanded file exists. 
In that case - * dev and ino are filled in as well. - */ -static char * -find_real_module_name (const char *name, dev_t * dev, ino_t * ino) -{ - char *exname = NULL; - struct stat st; -#ifdef HAVE_WORDEXP - int len; - wordexp_t we; - - len = wordexp (name, &we, 0); - if (len == 0) - { /* success */ - if (we.we_wordc > 0) - { /* we care about the 1st */ - exname = strdup (we.we_wordv[0]); - } - wordfree (&we); - } -#endif - - if (exname == NULL) - exname = strdup (name); - - /* find file information */ - if (exname != NULL) - { - if (stat (exname, &st) >= 0) - { - *dev = st.st_dev; - *ino = st.st_ino; - } - else - { - free (exname); - return NULL; - } - } - - return exname; -} - -static struct provider * -find_provider (dev_t dev, ino_t ino) -{ - struct provider *p; - - for (p = provider_list; p; p = p->next) - { - if (dev == p->dev && ino == p->ino) - { - return p; - } - } - - return NULL; -} - -/* The provider list must be locked when calling it - */ -static ck_rv_t -load_pkcs11_module (struct provider **provider, - const char *name, dev_t dev, ino_t ino, void *reserved) -{ - struct provider *prov; - CK_C_GetFunctionList gfl; - struct ck_c_initialize_args args; - struct ck_function_list *fns; - void *h; - ck_rv_t rv; - - /* try the plain name first */ - h = dlopen (name, RTLD_LOCAL | RTLD_NOW); - if (h == NULL) - { - return CKR_GENERAL_ERROR; - } - - gfl = dlsym (h, "C_GetFunctionList"); - if (!gfl) - { - rv = CKR_GENERAL_ERROR; - goto fail_dso; - } - - prov = malloc (sizeof *prov); - if (prov == NULL) - { - rv = CKR_HOST_MEMORY; - goto fail_dso; - } - - if (gnutls_mutex_init (&prov->mutex)) - { - rv = CKR_CANT_LOCK; - goto fail_ctx; - } - - rv = gfl (&fns); - if (rv != CKR_OK) - { - goto fail_ctx; - } - - prov->dev = dev; - prov->ino = ino; - prov->name = pkcs11ize (name); - prov->handle = h; - prov->fns = fns; - prov->refcount = 1; - prov->reserved = reserved; - - /* Require OS locking, the only sane option. 
*/ - memset (&args, 0, sizeof args); - args.flags = CKF_OS_LOCKING_OK; - args.reserved = reserved; - - rv = fns->C_Initialize (&args); - if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) - { - goto fail_ctx; - } - - /* no need to finalize if someone else has - * initialized the library before us. - */ - if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) - prov->finalize = 0; - else - prov->finalize = 1; - - prov->next = provider_list; - prov->prevref = &provider_list; - if (prov->next) - { - prov->next->prevref = &prov->next; - } - provider_list = prov; - - *provider = prov; - return CKR_OK; - -fail_ctx: - free (prov); -fail_dso: - dlclose (h); - - return rv; -} - -/* Will load a provider using the given name. If real_name is zero - * name is used as a hint to find library otherwise it is used as - * absolute name. - */ -static ck_rv_t -load_provider (struct provider **provider, const char *name, - void *reserved, int real_name) -{ - ck_rv_t rv; - char *cname = NULL; - dev_t dev; - ino_t ino; - - if (gnutls_mutex_lock (&provider_mutex) != 0) - { - return CKR_CANT_LOCK; - } - - if (real_name) - { - cname = find_real_module_name (name, &dev, &ino); - } - else - { - cname = find_pkcs11_module_name (name, &dev, &ino); - } - - if (cname == NULL) - { - rv = CKR_ARGUMENTS_BAD; - goto fail_locked; - } - - *provider = find_provider (dev, ino); - if (*provider) - { - (*provider)->refcount++; - free (cname); - gnutls_mutex_unlock (&provider_mutex); - return CKR_OK; - } - - rv = load_pkcs11_module (provider, cname, dev, ino, reserved); - if (rv != CKR_OK) - { - goto fail_ndup; - } - - rv = CKR_OK; - -fail_ndup: - free (cname); -fail_locked: - gnutls_mutex_unlock (&provider_mutex); - return rv; -} - -static void -providers_reinit (void) -{ - struct ck_c_initialize_args args; - ck_rv_t rv; - struct provider *p; - - assert (gnutls_mutex_lock (&provider_mutex) == 0); - - memset (&args, 0, sizeof args); - args.flags = CKF_OS_LOCKING_OK; - - for (p = provider_list; p; p = 
p->next) - { - args.reserved = p->reserved; - rv = p->fns->C_Initialize (&args); - assert (rv == CKR_OK); /* what can we do? */ - } - - gnutls_mutex_unlock (&provider_mutex); -} - -static ck_rv_t -load_module (pakchois_module_t ** module, const char *name, - void *reserved, unsigned int real_name) -{ - ck_rv_t rv; - pakchois_module_t *pm = malloc (sizeof *pm); - static int forkinit = 0; - - if (!pm) - { - return CKR_HOST_MEMORY; - } - - if (provider_mutex == NULL) - { - gnutls_mutex_init (&provider_mutex); - } - - assert (gnutls_mutex_lock (&provider_mutex) == 0); - - if (forkinit == 0) - { - _gnutls_atfork (NULL, NULL, providers_reinit); - forkinit++; - } - - gnutls_mutex_unlock (&provider_mutex); - - rv = load_provider (&pm->provider, name, reserved, real_name); - if (rv) - { - return rv; - } - - *module = pm; - pm->slots = NULL; - - return CKR_OK; -} - -ck_rv_t -pakchois_module_load (pakchois_module_t ** module, const char *name) -{ - return load_module (module, name, NULL, 0); -} - -ck_rv_t -pakchois_module_load_abs (pakchois_module_t ** module, const char *name) -{ - return load_module (module, name, NULL, 1); -} - -ck_rv_t -pakchois_module_nssload (pakchois_module_t ** module, - const char *name, - const char *directory, - const char *cert_prefix, - const char *key_prefix, const char *secmod_db) -{ - char buf[256]; - - snprintf (buf, sizeof buf, - "configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s'", - directory, cert_prefix ? cert_prefix : "", - key_prefix ? key_prefix : "", - secmod_db ? secmod_db : "secmod.db"); - - return load_module (module, name, buf, 0); -} - -ck_rv_t -pakchois_module_nssload_abs (pakchois_module_t ** module, - const char *name, - const char *directory, - const char *cert_prefix, - const char *key_prefix, const char *secmod_db) -{ - char buf[256]; - - snprintf (buf, sizeof buf, - "configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s'", - directory, cert_prefix ? cert_prefix : "", - key_prefix ? key_prefix : "", - secmod_db ? 
secmod_db : "secmod.db");
-
- return load_module (module, name, buf, 1);
-}
-
-/* Unreference a provider structure and destoy if, if necessary. Must
- * be called WIHTOUT the provider mutex held. */
-static void
-provider_unref (struct provider *prov)
-{
- assert (gnutls_mutex_lock (&provider_mutex) == 0);
-
- if (--prov->refcount == 0)
- {
- if (prov->finalize)
- prov->fns->C_Finalize (NULL);
- dlclose (prov->handle);
- *prov->prevref = prov->next;
- if (prov->next)
- {
- prov->next->prevref = prov->prevref;
- }
- free (prov->name);
- free (prov);
- }
- gnutls_mutex_unlock (&provider_mutex);
-}
-
-void
-pakchois_module_destroy (pakchois_module_t * mod)
-{
- provider_unref (mod->provider);
-
- while (mod->slots)
- {
- struct slot *slot = mod->slots;
- pakchois_close_all_sessions (mod, slot->id);
- mod->slots = slot->next;
- free (slot);
- }
-
- free (mod);
-}
-
-void pakchois_destructor (void)
-{
- if (provider_mutex != NULL)
- {
- gnutls_mutex_deinit (&provider_mutex);
- provider_mutex = NULL;
- }
-}
-
-ck_rv_t
-pakchois_get_info (pakchois_module_t * mod, struct ck_info *info)
-{
- return CALL (GetInfo, (info));
-}
-
-ck_rv_t
-pakchois_get_slot_list (pakchois_module_t * mod,
- unsigned char token_present,
- ck_slot_id_t * slot_list, unsigned long *count)
-{
- return CALL (GetSlotList, (token_present, slot_list, count));
-}
-
-ck_rv_t
-pakchois_get_slot_info (pakchois_module_t * mod,
- ck_slot_id_t slot_id, struct ck_slot_info * info)
-{
- return CALL (GetSlotInfo, (slot_id, info));
-}
-
-ck_rv_t
-pakchois_get_token_info (pakchois_module_t * mod,
- ck_slot_id_t slot_id, struct ck_token_info * info)
-{
- return CALL (GetTokenInfo, (slot_id, info));
-}
-
-ck_rv_t
-pakchois_wait_for_slot_event (pakchois_module_t * mod,
- ck_flags_t flags, ck_slot_id_t * slot,
- void *reserved)
-{
- ck_rv_t rv;
-
- if (gnutls_mutex_lock (&mod->provider->mutex))
- {
- return CKR_CANT_LOCK;
- }
-
- rv = CALL (WaitForSlotEvent, (flags, slot, reserved));
- gnutls_mutex_unlock
(&mod->provider->mutex);
- return rv;
-}
-
-ck_rv_t
-pakchois_get_mechanism_list (pakchois_module_t * mod,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t * mechanism_list,
- unsigned long *count)
-{
- return CALL (GetMechanismList, (slot_id, mechanism_list, count));
-}
-
-ck_rv_t
-pakchois_get_mechanism_info (pakchois_module_t * mod,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t type,
- struct ck_mechanism_info * info)
-{
- return CALL (GetMechanismInfo, (slot_id, type, info));
-}
-
-ck_rv_t
-pakchois_init_token (pakchois_module_t * mod,
- ck_slot_id_t slot_id, unsigned char *pin,
- unsigned long pin_len, unsigned char *label)
-{
- return CALL (InitToken, (slot_id, pin, pin_len, label));
-}
-
-ck_rv_t
-pakchois_init_pin (pakchois_session_t * sess, unsigned char *pin,
- unsigned long pin_len)
-{
- return CALLS2 (InitPIN, pin, pin_len);
-}
-
-ck_rv_t
-pakchois_set_pin (pakchois_session_t * sess, unsigned char *old_pin,
- unsigned long old_len, unsigned char *new_pin,
- unsigned long new_len)
-{
- return CALLS4 (SetPIN, old_pin, old_len, new_pin, new_len);
-}
-
-static ck_rv_t
-notify_thunk (ck_session_handle_t session,
- ck_notification_t event, void *application)
-{
- pakchois_session_t *sess = application;
-
- return sess->notify (sess, event, sess->notify_data);
-}
-
-static struct slot *
-find_slot (pakchois_module_t * mod, ck_slot_id_t id)
-{
- struct slot *slot;
-
- for (slot = mod->slots; slot; slot = slot->next)
- if (slot->id == id)
- return slot;
-
- return NULL;
-}
-
-static struct slot *
-find_or_create_slot (pakchois_module_t * mod, ck_slot_id_t id)
-{
- struct slot *slot = find_slot (mod, id);
-
- if (slot)
- {
- return slot;
- }
-
- slot = malloc (sizeof *slot);
- if (!slot)
- {
- return NULL;
- }
-
- slot->id = id;
- slot->sessions = NULL;
- slot->next = mod->slots;
- mod->slots = slot;
-
- return slot;
-}
-
-static ck_rv_t
-insert_session (pakchois_module_t * mod,
- pakchois_session_t * session, ck_slot_id_t id)
-{
- struct slot *slot =
find_or_create_slot (mod, id);
-
- if (!slot)
- {
- return CKR_HOST_MEMORY;
- }
-
- session->prevref = &slot->sessions;
- session->next = slot->sessions;
- if (session->next)
- {
- session->next->prevref = session->prevref;
- }
- slot->sessions = session;
-
- return CKR_OK;
-}
-
-ck_rv_t
-pakchois_open_session (pakchois_module_t * mod,
- ck_slot_id_t slot_id, ck_flags_t flags,
- void *application, pakchois_notify_t notify,
- pakchois_session_t ** session)
-{
- ck_session_handle_t sh;
- pakchois_session_t *sess;
- ck_rv_t rv;
-
- sess = calloc (1, sizeof *sess);
- if (sess == NULL)
- {
- return CKR_HOST_MEMORY;
- }
-
- rv = CALL (OpenSession, (slot_id, flags, sess, notify_thunk, &sh));
- if (rv != CKR_OK)
- {
- free (sess);
- return rv;
- }
-
- *session = sess;
- sess->module = mod;
- sess->id = sh;
-
- return insert_session (mod, sess, slot_id);
-}
-
-ck_rv_t
-pakchois_close_session (pakchois_session_t * sess)
-{
- /* PKCS#11 says that all bets are off on failure, so destroy the
- * session object and just return the error code.
*/
- ck_rv_t rv = CALLS (CloseSession, (sess->id));
- *sess->prevref = sess->next;
- if (sess->next)
- {
- sess->next->prevref = sess->prevref;
- }
- free (sess);
- return rv;
-}
-
-ck_rv_t
-pakchois_close_all_sessions (pakchois_module_t * mod, ck_slot_id_t slot_id)
-{
- struct slot *slot;
- ck_rv_t rv, frv = CKR_OK;
-
- slot = find_slot (mod, slot_id);
-
- if (!slot)
- {
- return CKR_SLOT_ID_INVALID;
- }
-
- while (slot->sessions)
- {
- rv = pakchois_close_session (slot->sessions);
- if (rv != CKR_OK)
- {
- frv = rv;
- }
- slot = slot->next;
- }
-
- return frv;
-}
-
-ck_rv_t
-pakchois_get_session_info (pakchois_session_t * sess,
- struct ck_session_info * info)
-{
- return CALLS1 (GetSessionInfo, info);
-}
-
-ck_rv_t
-pakchois_get_operation_state (pakchois_session_t * sess,
- unsigned char *operation_state,
- unsigned long *operation_state_len)
-{
- return CALLS2 (GetOperationState, operation_state, operation_state_len);
-}
-
-ck_rv_t
-pakchois_set_operation_state (pakchois_session_t * sess,
- unsigned char *operation_state,
- unsigned long operation_state_len,
- ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key)
-{
- return CALLS4 (SetOperationState, operation_state,
- operation_state_len, encryption_key, authentiation_key);
-}
-
-ck_rv_t
-pakchois_login (pakchois_session_t * sess, ck_user_type_t user_type,
- unsigned char *pin, unsigned long pin_len)
-{
- return CALLS3 (Login, user_type, pin, pin_len);
-}
-
-ck_rv_t
-pakchois_logout (pakchois_session_t * sess)
-{
- return CALLS (Logout, (sess->id));
-}
-
-ck_rv_t
-pakchois_create_object (pakchois_session_t * sess,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * object)
-{
- return CALLS3 (CreateObject, templ, count, object);
-}
-
-ck_rv_t
-pakchois_copy_object (pakchois_session_t * sess,
- ck_object_handle_t object,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * new_object)
-{
- return CALLS4 (CopyObject, object, templ, count,
new_object);
-}
-
-ck_rv_t
-pakchois_destroy_object (pakchois_session_t * sess, ck_object_handle_t object)
-{
- return CALLS1 (DestroyObject, object);
-}
-
-ck_rv_t
-pakchois_get_object_size (pakchois_session_t * sess,
- ck_object_handle_t object, unsigned long *size)
-{
- return CALLS2 (GetObjectSize, object, size);
-}
-
-ck_rv_t
-pakchois_get_attribute_value (pakchois_session_t * sess,
- ck_object_handle_t object,
- struct ck_attribute * templ,
- unsigned long count)
-{
- return CALLS3 (GetAttributeValue, object, templ, count);
-}
-
-ck_rv_t
-pakchois_set_attribute_value (pakchois_session_t * sess,
- ck_object_handle_t object,
- struct ck_attribute * templ,
- unsigned long count)
-{
- return CALLS3 (SetAttributeValue, object, templ, count);
-}
-
-ck_rv_t
-pakchois_find_objects_init (pakchois_session_t * sess,
- struct ck_attribute * templ, unsigned long count)
-{
- return CALLS2 (FindObjectsInit, templ, count);
-}
-
-ck_rv_t
-pakchois_find_objects (pakchois_session_t * sess,
- ck_object_handle_t * object,
- unsigned long max_object_count,
- unsigned long *object_count)
-{
- return CALLS3 (FindObjects, object, max_object_count, object_count);
-}
-
-ck_rv_t
-pakchois_find_objects_final (pakchois_session_t * sess)
-{
- return CALLS (FindObjectsFinal, (sess->id));
-}
-
-ck_rv_t
-pakchois_encrypt_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (EncryptInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_encrypt (pakchois_session_t * sess,
- unsigned char *data, unsigned long data_len,
- unsigned char *encrypted_data,
- unsigned long *encrypted_data_len)
-{
- return CALLS4 (Encrypt, data, data_len, encrypted_data, encrypted_data_len);
-}
-
-ck_rv_t
-pakchois_encrypt_update (pakchois_session_t * sess,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len)
-{
- return CALLS4 (EncryptUpdate, part, part_len,
- encrypted_part, encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_encrypt_final (pakchois_session_t * sess,
- unsigned char *last_encrypted_part,
- unsigned long *last_encrypted_part_len)
-{
- return CALLS2 (EncryptFinal, last_encrypted_part, last_encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (DecryptInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_decrypt (pakchois_session_t * sess,
- unsigned char *encrypted_data,
- unsigned long encrypted_data_len,
- unsigned char *data, unsigned long *data_len)
-{
- return CALLS4 (Decrypt, encrypted_data, encrypted_data_len, data, data_len);
-}
-
-ck_rv_t
-pakchois_decrypt_update (pakchois_session_t * sess,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len)
-{
- return CALLS4 (DecryptUpdate, encrypted_part, encrypted_part_len,
- part, part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_final (pakchois_session_t * sess,
- unsigned char *last_part,
- unsigned long *last_part_len)
-{
- return CALLS2 (DecryptFinal, last_part, last_part_len);
-}
-
-ck_rv_t
-pakchois_digest_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism)
-{
- return CALLS1 (DigestInit, mechanism);
-}
-
-ck_rv_t
-pakchois_digest (pakchois_session_t * sess, unsigned char *data,
- unsigned long data_len, unsigned char *digest,
- unsigned long *digest_len)
-{
- return CALLS4 (Digest, data, data_len, digest, digest_len);
-}
-
-ck_rv_t
-pakchois_digest_update (pakchois_session_t * sess,
- unsigned char *part, unsigned long part_len)
-{
- return CALLS2 (DigestUpdate, part, part_len);
-}
-
-ck_rv_t
-pakchois_digest_key (pakchois_session_t * sess, ck_object_handle_t key)
-{
- return CALLS1 (DigestKey, key);
-}
-
-ck_rv_t
-pakchois_digest_final (pakchois_session_t * sess,
- unsigned char *digest, unsigned long *digest_len)
-{
- return CALLS2 (DigestFinal, digest, digest_len);
-}
-
-ck_rv_t
-pakchois_sign_init (pakchois_session_t *
sess,
- struct ck_mechanism * mechanism, ck_object_handle_t key)
-{
- return CALLS2 (SignInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_sign (pakchois_session_t * sess, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long *signature_len)
-{
- return CALLS4 (Sign, data, data_len, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_sign_update (pakchois_session_t * sess,
- unsigned char *part, unsigned long part_len)
-{
- return CALLS2 (SignUpdate, part, part_len);
-}
-
-ck_rv_t
-pakchois_sign_final (pakchois_session_t * sess,
- unsigned char *signature, unsigned long *signature_len)
-{
- return CALLS2 (SignFinal, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_sign_recover_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (SignRecoverInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_sign_recover (pakchois_session_t * sess,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature, unsigned long *signature_len)
-{
- return CALLS4 (SignRecover, data, data_len, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_verify_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism, ck_object_handle_t key)
-{
- return CALLS2 (VerifyInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_verify (pakchois_session_t * sess, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long signature_len)
-{
- return CALLS4 (Verify, data, data_len, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_verify_update (pakchois_session_t * sess,
- unsigned char *part, unsigned long part_len)
-{
- return CALLS2 (VerifyUpdate, part, part_len);
-}
-
-ck_rv_t
-pakchois_verify_final (pakchois_session_t * sess,
- unsigned char *signature, unsigned long signature_len)
-{
- return CALLS2 (VerifyFinal, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_verify_recover_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (VerifyRecoverInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_verify_recover (pakchois_session_t * sess,
- unsigned char *signature,
- unsigned long signature_len,
- unsigned char *data, unsigned long *data_len)
-{
- return CALLS4 (VerifyRecover, signature, signature_len, data, data_len);
-}
-
-ck_rv_t
-pakchois_digest_encrypt_update (pakchois_session_t * sess,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len)
-{
- return CALLS4 (DigestEncryptUpdate, part, part_len,
- encrypted_part, encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_digest_update (pakchois_session_t * sess,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len)
-{
- return CALLS4 (DecryptDigestUpdate, encrypted_part,
- encrypted_part_len, part, part_len);
-}
-
-ck_rv_t
-pakchois_sign_encrypt_update (pakchois_session_t * sess,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len)
-{
- return CALLS4 (SignEncryptUpdate, part, part_len,
- encrypted_part, encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_verify_update (pakchois_session_t * sess,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len)
-{
- return CALLS4 (DecryptVerifyUpdate, encrypted_part,
- encrypted_part_len, part, part_len);
-}
-
-ck_rv_t
-pakchois_generate_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * key)
-{
- return CALLS4 (GenerateKey, mechanism, templ, count, key);
-}
-
-ck_rv_t
-pakchois_generate_key_pair (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- struct ck_attribute *
- public_key_template,
- unsigned long
- public_key_attribute_count,
- struct ck_attribute *
- private_key_template,
- unsigned long
- private_key_attribute_count,
-
ck_object_handle_t * public_key,
- ck_object_handle_t * private_key)
-{
- return CALLS7 (GenerateKeyPair, mechanism,
- public_key_template, public_key_attribute_count,
- private_key_template, private_key_attribute_count,
- public_key, private_key);
-}
-
-ck_rv_t
-pakchois_wrap_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t wrapping_key,
- ck_object_handle_t key,
- unsigned char *wrapped_key, unsigned long *wrapped_key_len)
-{
- return CALLS5 (WrapKey, mechanism, wrapping_key,
- key, wrapped_key, wrapped_key_len);
-}
-
-ck_rv_t
-pakchois_unwrap_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t unwrapping_key,
- unsigned char *wrapped_key,
- unsigned long wrapped_key_len,
- struct ck_attribute * templ,
- unsigned long attribute_count, ck_object_handle_t * key)
-{
- return CALLS7 (UnwrapKey, mechanism, unwrapping_key,
- wrapped_key, wrapped_key_len, templ, attribute_count, key);
-}
-
-ck_rv_t
-pakchois_derive_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t base_key,
- struct ck_attribute * templ,
- unsigned long attribute_count, ck_object_handle_t * key)
-{
- return CALLS5 (DeriveKey, mechanism, base_key, templ, attribute_count, key);
-}
-
-
-ck_rv_t
-pakchois_seed_random (pakchois_session_t * sess,
- unsigned char *seed, unsigned long seed_len)
-{
- return CALLS2 (SeedRandom, seed, seed_len);
-}
-
-ck_rv_t
-pakchois_generate_random (pakchois_session_t * sess,
- unsigned char *random_data,
- unsigned long random_len)
-{
- return CALLS2 (GenerateRandom, random_data, random_len);
-}
diff --git a/lib/pakchois/pakchois.h b/lib/pakchois/pakchois.h
deleted file mode 100644
index 16558ef034..0000000000
--- a/lib/pakchois/pakchois.h
+++ /dev/null
@@ -1,380 +0,0 @@
-/*
- pakchois PKCS#11 interface
- Copyright (C) 2008, Joe Orton <joe@manyfish.co.uk>
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the Free
- Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- MA 02111-1307, USA
-
-*/
-
-/*
- This interface is directly derived from the scute.org PKCS#11
- cryptoki interface, which is:
-
- Copyright 2006, 2007 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.
-*/
-
-#ifndef PAKCHOIS_H
-#define PAKCHOIS_H
-
-#define CRYPTOKI_GNU
-
-#include "pakchois11.h"
-
-/* API version: major is bumped for any backwards-incompatible
- * changes. minor is bumped for any new interfaces. Note that the API
- * is versioned independent of the project release version.
*/
-#define PAKCHOIS_API_MAJOR (0)
-#define PAKCHOIS_API_MINOR (2)
-
-/* API version history (note that API versions do not map directly to
- the project version!):
-
- 0.1: Initial release
- 0.2: Addition of pakchois_error()
- Concurrent access guarantee added for pakchois_module_load()
- Thread-safety guarantee added for pakchois_wait_for_slot_event()
-*/
-
-typedef struct pakchois_module_s pakchois_module_t;
-typedef struct pakchois_session_s pakchois_session_t;
-
-/* Load a PKCS#11 module by name (for example "opensc" or
- * "gnome-keyring"). Returns CKR_OK on success. Any module of given
- * name may be safely loaded multiple times within an application; the
- * underlying PKCS#11 provider will be loaded only once. */
-ck_rv_t pakchois_module_load (pakchois_module_t ** module, const char *name);
-
-/* Load a PKCS#11 module by absolute file name (for example "/lib/opensc-pkcs.so"
- * Returns CKR_OK on success. Any module of given name may be safely loaded
- * multiple times within an application; the underlying PKCS#11 provider will
- * be loaded only once. */
-ck_rv_t pakchois_module_load_abs (pakchois_module_t ** module,
- const char *name);
-
-/* Load an NSS "softokn" which violates the PKCS#11 standard in
- * initialization, with given name (e.g. "softokn3"). The directory
- * in which the NSS database resides must be specified; the other
- * arguments may be NULL to use defaults. Returns CKR_OK on
- * success. */
-ck_rv_t pakchois_module_nssload (pakchois_module_t ** module,
- const char *name,
- const char *directory,
- const char *cert_prefix,
- const char *key_prefix,
- const char *secmod_db);
-
-ck_rv_t pakchois_module_nssload_abs (pakchois_module_t ** module,
- const char *name,
- const char *directory,
- const char *cert_prefix,
- const char *key_prefix,
- const char *secmod_db);
-
-/* Destroy a PKCS#11 module.
*/
-void pakchois_module_destroy (pakchois_module_t * module);
-
-void pakchois_destructor (void);
-
-/* Return the error string corresponding to the given return value.
- * Never returns NULL. */
-const char *pakchois_error (ck_rv_t rv);
-
-/* All following interfaces model the PKCS#11 equivalents, without the
- camel-cased naming convention. The PKCS#11 specification has
- detailed interface descriptions:
-
- http://www.rsa.com/rsalabs/node.asp?id=2133
-
- The differences between this interface and PKCS#11 are:
-
- 1. some interfaces take a module pointer as first argument
-
- 2. session handlers are represented as opaque objects
-
- 3. the notify callback type has changed accordingly
-
- 4. the C_Initialize, C_Finalize, and C_GetFunctionList interfaces
- are not exposed (these are called internally by
- pakchois_module_load and pakchois_module_destroy)
-
- 5. pakchois_wait_for_slot_event() is thread-safe against other
- callers of pakchois_wait_for_slot_event(); the call to the
- underlying provider's WaitForSlotEvent function is protected by a
- mutex.
-
- 6. pakchois_close_all_sessions() only closes sessions associated
- with the given module instance; any sessions opened by other users
- of the underlying provider are unaffected.
-
- If a module object is used concurrently from separate threads,
- undefined behaviour results. If a session object is used
- concurrently from separate threads, undefined behavioure results.
-
-*/
-ck_rv_t pakchois_get_info (pakchois_module_t * module, struct ck_info *info);
-
-ck_rv_t pakchois_get_slot_list (pakchois_module_t * module,
- unsigned char token_present,
- ck_slot_id_t * slot_list,
- unsigned long *count);
-
-ck_rv_t pakchois_get_slot_info (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- struct ck_slot_info *info);
-
-ck_rv_t pakchois_get_token_info (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- struct ck_token_info *info);
-
-ck_rv_t pakchois_wait_for_slot_event (pakchois_module_t * module,
- ck_flags_t flags, ck_slot_id_t * slot,
- void *reserved);
-
-ck_rv_t pakchois_get_mechanism_list (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t * mechanism_list,
- unsigned long *count);
-
-ck_rv_t pakchois_get_mechanism_info (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t type,
- struct ck_mechanism_info *info);
-
-ck_rv_t pakchois_init_token (pakchois_module_t * module,
- ck_slot_id_t slot_id, unsigned char *pin,
- unsigned long pin_len, unsigned char *label);
-
-ck_rv_t pakchois_init_pin (pakchois_session_t * session, unsigned char *pin,
- unsigned long pin_len);
-
-ck_rv_t pakchois_set_pin (pakchois_session_t * session,
- unsigned char *old_pin, unsigned long old_len,
- unsigned char *new_pin, unsigned long new_len);
-
-typedef ck_rv_t (*pakchois_notify_t) (pakchois_session_t * sess,
- ck_notification_t event,
- void *application);
-
-ck_rv_t pakchois_open_session (pakchois_module_t * module,
- ck_slot_id_t slot_id, ck_flags_t flags,
- void *application, pakchois_notify_t notify,
- pakchois_session_t ** session);
-
-ck_rv_t pakchois_close_session (pakchois_session_t * session);
-
-ck_rv_t pakchois_close_all_sessions (pakchois_module_t * module,
- ck_slot_id_t slot_id);
-
-ck_rv_t pakchois_get_session_info (pakchois_session_t * session,
- struct ck_session_info *info);
-ck_rv_t pakchois_get_operation_state (pakchois_session_t * session,
- unsigned char *operation_state,
-
unsigned long *operation_state_len);
-ck_rv_t pakchois_set_operation_state (pakchois_session_t * session,
- unsigned char *operation_state,
- unsigned long operation_state_len,
- ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key);
-
-ck_rv_t pakchois_login (pakchois_session_t * session,
- ck_user_type_t user_type, unsigned char *pin,
- unsigned long pin_len);
-ck_rv_t pakchois_logout (pakchois_session_t * session);
-
-ck_rv_t pakchois_create_object (pakchois_session_t * session,
- struct ck_attribute *templ,
- unsigned long count,
- ck_object_handle_t * object);
-ck_rv_t pakchois_copy_object (pakchois_session_t * session,
- ck_object_handle_t object,
- struct ck_attribute *templ, unsigned long count,
- ck_object_handle_t * new_object);
-ck_rv_t pakchois_destroy_object (pakchois_session_t * session,
- ck_object_handle_t object);
-ck_rv_t pakchois_get_object_size (pakchois_session_t * session,
- ck_object_handle_t object,
- unsigned long *size);
-
-ck_rv_t pakchois_get_attribute_value (pakchois_session_t * session,
- ck_object_handle_t object,
- struct ck_attribute *templ,
- unsigned long count);
-ck_rv_t pakchois_set_attribute_value (pakchois_session_t * session,
- ck_object_handle_t object,
- struct ck_attribute *templ,
- unsigned long count);
-ck_rv_t pakchois_find_objects_init (pakchois_session_t * session,
- struct ck_attribute *templ,
- unsigned long count);
-ck_rv_t pakchois_find_objects (pakchois_session_t * session,
- ck_object_handle_t * object,
- unsigned long max_object_count,
- unsigned long *object_count);
-ck_rv_t pakchois_find_objects_final (pakchois_session_t * session);
-
-ck_rv_t pakchois_encrypt_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_encrypt (pakchois_session_t * session,
- unsigned char *data, unsigned long data_len,
- unsigned char *encrypted_data,
- unsigned long *encrypted_data_len);
-ck_rv_t pakchois_encrypt_update (pakchois_session_t *
session,
- unsigned char *part, unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len);
-ck_rv_t pakchois_encrypt_final (pakchois_session_t * session,
- unsigned char *last_encrypted_part,
- unsigned long *last_encrypted_part_len);
-
-ck_rv_t pakchois_decrypt_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_decrypt (pakchois_session_t * session,
- unsigned char *encrypted_data,
- unsigned long encrypted_data_len,
- unsigned char *data, unsigned long *data_len);
-ck_rv_t pakchois_decrypt_update (pakchois_session_t * session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part,
- unsigned long *part_len);
-ck_rv_t pakchois_decrypt_final (pakchois_session_t * session,
- unsigned char *last_part,
- unsigned long *last_part_len);
-ck_rv_t pakchois_digest_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism);
-ck_rv_t pakchois_digest (pakchois_session_t * session, unsigned char *data,
- unsigned long data_len, unsigned char *digest,
- unsigned long *digest_len);
-ck_rv_t pakchois_digest_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len);
-ck_rv_t pakchois_digest_key (pakchois_session_t * session,
- ck_object_handle_t key);
-ck_rv_t pakchois_digest_final (pakchois_session_t * session,
- unsigned char *digest,
- unsigned long *digest_len);
-
-ck_rv_t pakchois_sign_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_sign (pakchois_session_t * session, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long *signature_len);
-ck_rv_t pakchois_sign_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len);
-ck_rv_t pakchois_sign_final (pakchois_session_t * session,
- unsigned char *signature,
- unsigned long *signature_len);
-ck_rv_t pakchois_sign_recover_init
(pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_sign_recover (pakchois_session_t * session,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature,
- unsigned long *signature_len);
-
-ck_rv_t pakchois_verify_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_verify (pakchois_session_t * session, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long signature_len);
-ck_rv_t pakchois_verify_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len);
-ck_rv_t pakchois_verify_final (pakchois_session_t * session,
- unsigned char *signature,
- unsigned long signature_len);
-ck_rv_t pakchois_verify_recover_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_verify_recover (pakchois_session_t * session,
- unsigned char *signature,
- unsigned long signature_len,
- unsigned char *data,
- unsigned long *data_len);
-
-ck_rv_t pakchois_digest_encrypt_update (pakchois_session_t * session,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len);
-ck_rv_t pakchois_decrypt_digest_update (pakchois_session_t * session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part,
- unsigned long *part_len);
-ck_rv_t pakchois_sign_encrypt_update (pakchois_session_t * session,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len);
-ck_rv_t pakchois_decrypt_verify_update (pakchois_session_t * session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part,
- unsigned long *part_len);
-
-ck_rv_t pakchois_generate_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- struct ck_attribute *templ,
- unsigned long count,
ck_object_handle_t * key);
-ck_rv_t pakchois_generate_key_pair (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- struct ck_attribute *public_key_template,
- unsigned long public_key_attribute_count,
- struct ck_attribute *private_key_template,
- unsigned long private_key_attribute_count,
- ck_object_handle_t * public_key,
- ck_object_handle_t * private_key);
-
-ck_rv_t pakchois_wrap_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t wrapping_key,
- ck_object_handle_t key, unsigned char *wrapped_key,
- unsigned long *wrapped_key_len);
-ck_rv_t pakchois_unwrap_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t unwrapping_key,
- unsigned char *wrapped_key,
- unsigned long wrapped_key_len,
- struct ck_attribute *templ,
- unsigned long attribute_count,
- ck_object_handle_t * key);
-ck_rv_t pakchois_derive_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t base_key,
- struct ck_attribute *templ,
- unsigned long attribute_count,
- ck_object_handle_t * key);
-
-ck_rv_t pakchois_seed_random (pakchois_session_t * session,
- unsigned char *seed, unsigned long seed_len);
-ck_rv_t pakchois_generate_random (pakchois_session_t * session,
- unsigned char *random_data,
- unsigned long random_len);
-
-#endif /* PAKCHOIS_H */
diff --git a/lib/pakchois/pakchois11.h b/lib/pakchois/pakchois11.h
deleted file mode 100644
index 3e29bb94fc..0000000000
--- a/lib/pakchois/pakchois11.h
+++ /dev/null
@@ -1,1369 +0,0 @@
-/* pkcs11.h
- Copyright 2006, 2007 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE. */
-
-/* Please submit changes back to the Scute project at
- http://www.scute.org/ (or send them to marcus@g10code.com), so that
- they can be picked up by other projects from there as well. */
-
-/* This file is a modified implementation of the PKCS #11 standard by
- RSA Security Inc. It is mostly a drop-in replacement, with the
- following change:
-
- This header file does not require any macro definitions by the user
- (like CK_DEFINE_FUNCTION etc). In fact, it defines those macros
- for you (if useful, some are missing, let me know if you need
- more).
-
- There is an additional API available that does comply better to the
- GNU coding standard. It can be switched on by defining
- CRYPTOKI_GNU before including this header file. For this, the
- following changes are made to the specification:
-
- All structure types are changed to a "struct ck_foo" where CK_FOO
- is the type name in PKCS #11.
-
- All non-structure types are changed to ck_foo_t where CK_FOO is the
- lowercase version of the type name in PKCS #11. The basic types
- (CK_ULONG et al.) are removed without substitute.
-
- All members of structures are modified in the following way: Type
- indication prefixes are removed, and underscore characters are
- inserted before words. Then the result is lowercased.
-
- Note that function names are still in the original case, as they
- need for ABI compatibility.
-
- CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute. Use
- <stdbool.h>.
-
- If CRYPTOKI_COMPAT is defined before including this header file,
- then none of the API changes above take place, and the API is the
- one defined by the PKCS #11 standard. */
-
-#ifndef PKCS11_H
-#define PKCS11_H 1
-
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-
-
-/* The version of cryptoki we implement. The revision is changed with
- each modification of this file. If you do not use the "official"
- version of this file, please consider deleting the revision macro
- (you may use a macro with a different name to keep track of your
- versions). */
-#define CRYPTOKI_VERSION_MAJOR 2
-#define CRYPTOKI_VERSION_MINOR 20
-#define CRYPTOKI_VERSION_REVISION 6
-
-
-/* Compatibility interface is default, unless CRYPTOKI_GNU is
- given. */
-#ifndef CRYPTOKI_GNU
-#ifndef CRYPTOKI_COMPAT
-#define CRYPTOKI_COMPAT 1
-#endif
-#endif
-
-/* System dependencies. */
-
-#if defined _WIN32 || defined CRYPTOKI_FORCE_WIN32
-
-/* There is a matching pop below. */
-#pragma pack(push, cryptoki, 1)
-
-#ifdef CRYPTOKI_EXPORTS
-#define CK_SPEC __declspec(dllexport)
-#else
-#define CK_SPEC __declspec(dllimport)
-#endif
-
-#else
-
-#define CK_SPEC
-
-#endif
-
-
-#ifdef CRYPTOKI_COMPAT
- /* If we are in compatibility mode, switch all exposed names to the
- PKCS #11 variant. There are corresponding #undefs below.
*/
-
-#define ck_flags_t CK_FLAGS
-#define ck_version _CK_VERSION
-
-#define ck_info _CK_INFO
-#define cryptoki_version cryptokiVersion
-#define manufacturer_id manufacturerID
-#define library_description libraryDescription
-#define library_version libraryVersion
-
-#define ck_notification_t CK_NOTIFICATION
-#define ck_slot_id_t CK_SLOT_ID
-
-#define ck_slot_info _CK_SLOT_INFO
-#define slot_description slotDescription
-#define hardware_version hardwareVersion
-#define firmware_version firmwareVersion
-
-#define ck_token_info _CK_TOKEN_INFO
-#define serial_number serialNumber
-#define max_session_count ulMaxSessionCount
-#define session_count ulSessionCount
-#define max_rw_session_count ulMaxRwSessionCount
-#define rw_session_count ulRwSessionCount
-#define max_pin_len ulMaxPinLen
-#define min_pin_len ulMinPinLen
-#define total_public_memory ulTotalPublicMemory
-#define free_public_memory ulFreePublicMemory
-#define total_private_memory ulTotalPrivateMemory
-#define free_private_memory ulFreePrivateMemory
-#define utc_time utcTime
-
-#define ck_session_handle_t CK_SESSION_HANDLE
-#define ck_user_type_t CK_USER_TYPE
-#define ck_state_t CK_STATE
-
-#define ck_session_info _CK_SESSION_INFO
-#define slot_id slotID
-#define device_error ulDeviceError
-
-#define ck_object_handle_t CK_OBJECT_HANDLE
-#define ck_object_class_t CK_OBJECT_CLASS
-#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
-#define ck_key_type_t CK_KEY_TYPE
-#define ck_certificate_type_t CK_CERTIFICATE_TYPE
-#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
-
-#define ck_attribute _CK_ATTRIBUTE
-#define value pValue
-#define value_len ulValueLen
-
-#define ck_date _CK_DATE
-
-#define ck_mechanism_type_t CK_MECHANISM_TYPE
-
-#define ck_mechanism _CK_MECHANISM
-#define parameter pParameter
-#define parameter_len ulParameterLen
-
-#define ck_mechanism_info _CK_MECHANISM_INFO
-#define min_key_size ulMinKeySize
-#define max_key_size ulMaxKeySize
-
-#define ck_rv_t CK_RV
-#define ck_notify_t CK_NOTIFY
-
-#define
ck_function_list _CK_FUNCTION_LIST
-
-#define ck_createmutex_t CK_CREATEMUTEX
-#define ck_destroymutex_t CK_DESTROYMUTEX
-#define ck_lockmutex_t CK_LOCKMUTEX
-#define ck_unlockmutex_t CK_UNLOCKMUTEX
-
-#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
-#define create_mutex CreateMutex
-#define destroy_mutex DestroyMutex
-#define lock_mutex LockMutex
-#define unlock_mutex UnlockMutex
-#define reserved pReserved
-
-#endif /* CRYPTOKI_COMPAT */
-
-
-
- typedef unsigned long ck_flags_t;
-
- struct ck_version
- {
- unsigned char major;
- unsigned char minor;
- };
-
-
- struct ck_info
- {
- struct ck_version cryptoki_version;
- unsigned char manufacturer_id[32];
- ck_flags_t flags;
- unsigned char library_description[32];
- struct ck_version library_version;
- };
-
-
- typedef unsigned long ck_notification_t;
-
-#define CKN_SURRENDER (0)
-
-
- typedef unsigned long ck_slot_id_t;
-
-
- struct ck_slot_info
- {
- unsigned char slot_description[64];
- unsigned char manufacturer_id[32];
- ck_flags_t flags;
- struct ck_version hardware_version;
- struct ck_version firmware_version;
- };
-
-
-#define CKF_TOKEN_PRESENT (1 << 0)
-#define CKF_REMOVABLE_DEVICE (1 << 1)
-#define CKF_HW_SLOT (1 << 2)
-#define CKF_ARRAY_ATTRIBUTE (1 << 30)
-
-
- struct ck_token_info
- {
- unsigned char label[32];
- unsigned char manufacturer_id[32];
- unsigned char model[16];
- unsigned char serial_number[16];
- ck_flags_t flags;
- unsigned long max_session_count;
- unsigned long session_count;
- unsigned long max_rw_session_count;
- unsigned long rw_session_count;
- unsigned long max_pin_len;
- unsigned long min_pin_len;
- unsigned long total_public_memory;
- unsigned long free_public_memory;
- unsigned long total_private_memory;
- unsigned long free_private_memory;
- struct ck_version hardware_version;
- struct ck_version firmware_version;
- unsigned char utc_time[16];
- };
-
-
-#define CKF_RNG (1 << 0)
-#define CKF_WRITE_PROTECTED (1 << 1)
-#define CKF_LOGIN_REQUIRED (1 << 2)
-#define
CKF_USER_PIN_INITIALIZED (1 << 3)
-#define CKF_RESTORE_KEY_NOT_NEEDED (1 << 5)
-#define CKF_CLOCK_ON_TOKEN (1 << 6)
-#define CKF_PROTECTED_AUTHENTICATION_PATH (1 << 8)
-#define CKF_DUAL_CRYPTO_OPERATIONS (1 << 9)
-#define CKF_TOKEN_INITIALIZED (1 << 10)
-#define CKF_SECONDARY_AUTHENTICATION (1 << 11)
-#define CKF_USER_PIN_COUNT_LOW (1 << 16)
-#define CKF_USER_PIN_FINAL_TRY (1 << 17)
-#define CKF_USER_PIN_LOCKED (1 << 18)
-#define CKF_USER_PIN_TO_BE_CHANGED (1 << 19)
-#define CKF_SO_PIN_COUNT_LOW (1 << 20)
-#define CKF_SO_PIN_FINAL_TRY (1 << 21)
-#define CKF_SO_PIN_LOCKED (1 << 22)
-#define CKF_SO_PIN_TO_BE_CHANGED (1 << 23)
-
-#define CK_UNAVAILABLE_INFORMATION ((unsigned long) -1)
-#define CK_EFFECTIVELY_INFINITE (0)
-
-
- typedef unsigned long ck_session_handle_t;
-
-#define CK_INVALID_HANDLE (0)
-
-
- typedef unsigned long ck_user_type_t;
-
-#define CKU_SO (0)
-#define CKU_USER (1)
-#define CKU_CONTEXT_SPECIFIC (2)
-
-
- typedef unsigned long ck_state_t;
-
-#define CKS_RO_PUBLIC_SESSION (0)
-#define CKS_RO_USER_FUNCTIONS (1)
-#define CKS_RW_PUBLIC_SESSION (2)
-#define CKS_RW_USER_FUNCTIONS (3)
-#define CKS_RW_SO_FUNCTIONS (4)
-
-
- struct ck_session_info
- {
- ck_slot_id_t slot_id;
- ck_state_t state;
- ck_flags_t flags;
- unsigned long device_error;
- };
-
-#define CKF_RW_SESSION (1 << 1)
-#define CKF_SERIAL_SESSION (1 << 2)
-
-
- typedef unsigned long ck_object_handle_t;
-
-
- typedef unsigned long ck_object_class_t;
-
-#define CKO_DATA (0)
-#define CKO_CERTIFICATE (1)
-#define CKO_PUBLIC_KEY (2)
-#define CKO_PRIVATE_KEY (3)
-#define CKO_SECRET_KEY (4)
-#define CKO_HW_FEATURE (5)
-#define CKO_DOMAIN_PARAMETERS (6)
-#define CKO_MECHANISM (7)
-#define CKO_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_hw_feature_type_t;
-
-#define CKH_MONOTONIC_COUNTER (1)
-#define CKH_CLOCK (2)
-#define CKH_USER_INTERFACE (3)
-#define CKH_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_key_type_t;
-
-#define CKK_RSA (0)
-#define CKK_DSA (1)
-#define CKK_DH (2)
-#define CKK_ECDSA (3)
-#define CKK_EC (3)
-#define CKK_X9_42_DH (4)
-#define CKK_KEA (5)
-#define CKK_GENERIC_SECRET (0x10)
-#define CKK_RC2 (0x11)
-#define CKK_RC4 (0x12)
-#define CKK_DES (0x13)
-#define CKK_DES2 (0x14)
-#define CKK_DES3 (0x15)
-#define CKK_CAST (0x16)
-#define CKK_CAST3 (0x17)
-#define CKK_CAST128 (0x18)
-#define CKK_RC5 (0x19)
-#define CKK_IDEA (0x1a)
-#define CKK_SKIPJACK (0x1b)
-#define CKK_BATON (0x1c)
-#define CKK_JUNIPER (0x1d)
-#define CKK_CDMF (0x1e)
-#define CKK_AES (0x1f)
-#define CKK_BLOWFISH (0x20)
-#define CKK_TWOFISH (0x21)
-#define CKK_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_certificate_type_t;
-
-#define CKC_X_509 (0)
-#define CKC_X_509_ATTR_CERT (1)
-#define CKC_WTLS (2)
-#define CKC_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_attribute_type_t;
-
-#define CKA_CLASS (0)
-#define CKA_TOKEN (1)
-#define CKA_PRIVATE (2)
-#define CKA_LABEL (3)
-#define CKA_APPLICATION (0x10)
-#define CKA_VALUE (0x11)
-#define CKA_OBJECT_ID (0x12)
-#define CKA_CERTIFICATE_TYPE (0x80)
-#define CKA_ISSUER (0x81)
-#define CKA_SERIAL_NUMBER (0x82)
-#define CKA_AC_ISSUER (0x83)
-#define CKA_OWNER (0x84)
-#define CKA_ATTR_TYPES (0x85)
-#define CKA_TRUSTED (0x86)
-#define CKA_CERTIFICATE_CATEGORY (0x87)
-#define CKA_JAVA_MIDP_SECURITY_DOMAIN (0x88)
-#define CKA_URL (0x89)
-#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8a)
-#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8b)
-#define CKA_CHECK_VALUE (0x90)
-#define CKA_KEY_TYPE (0x100)
-#define CKA_SUBJECT (0x101)
-#define CKA_ID (0x102)
-#define CKA_SENSITIVE (0x103)
-#define CKA_ENCRYPT (0x104)
-#define CKA_DECRYPT (0x105)
-#define CKA_WRAP (0x106)
-#define CKA_UNWRAP (0x107)
-#define CKA_SIGN (0x108)
-#define CKA_SIGN_RECOVER (0x109)
-#define CKA_VERIFY (0x10a)
-#define CKA_VERIFY_RECOVER (0x10b)
-#define CKA_DERIVE (0x10c)
-#define CKA_START_DATE (0x110)
-#define CKA_END_DATE (0x111)
-#define CKA_MODULUS (0x120)
-#define CKA_MODULUS_BITS (0x121)
-#define CKA_PUBLIC_EXPONENT (0x122)
-#define CKA_PRIVATE_EXPONENT (0x123)
-#define CKA_PRIME_1 (0x124)
-#define CKA_PRIME_2 (0x125)
-#define CKA_EXPONENT_1 (0x126)
-#define CKA_EXPONENT_2 (0x127)
-#define CKA_COEFFICIENT (0x128)
-#define CKA_PRIME (0x130)
-#define CKA_SUBPRIME (0x131)
-#define CKA_BASE (0x132)
-#define CKA_PRIME_BITS (0x133)
-#define CKA_SUB_PRIME_BITS (0x134)
-#define CKA_VALUE_BITS (0x160)
-#define CKA_VALUE_LEN (0x161)
-#define CKA_EXTRACTABLE (0x162)
-#define CKA_LOCAL (0x163)
-#define CKA_NEVER_EXTRACTABLE (0x164)
-#define CKA_ALWAYS_SENSITIVE (0x165)
-#define CKA_KEY_GEN_MECHANISM (0x166)
-#define CKA_MODIFIABLE (0x170)
-#define CKA_ECDSA_PARAMS (0x180)
-#define CKA_EC_PARAMS (0x180)
-#define CKA_EC_POINT (0x181)
-#define CKA_SECONDARY_AUTH (0x200)
-#define CKA_AUTH_PIN_FLAGS (0x201)
-#define CKA_ALWAYS_AUTHENTICATE (0x202)
-#define CKA_WRAP_WITH_TRUSTED (0x210)
-#define CKA_HW_FEATURE_TYPE (0x300)
-#define CKA_RESET_ON_INIT (0x301)
-#define CKA_HAS_RESET (0x302)
-#define CKA_PIXEL_X (0x400)
-#define CKA_PIXEL_Y (0x401)
-#define CKA_RESOLUTION (0x402)
-#define CKA_CHAR_ROWS (0x403)
-#define CKA_CHAR_COLUMNS (0x404)
-#define CKA_COLOR (0x405)
-#define CKA_BITS_PER_PIXEL (0x406)
-#define CKA_CHAR_SETS (0x480)
-#define CKA_ENCODING_METHODS (0x481)
-#define CKA_MIME_TYPES (0x482)
-#define CKA_MECHANISM_TYPE (0x500)
-#define CKA_REQUIRED_CMS_ATTRIBUTES (0x501)
-#define CKA_DEFAULT_CMS_ATTRIBUTES (0x502)
-#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503)
-#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211)
-#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212)
-#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600)
-#define CKA_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- struct ck_attribute
- {
- ck_attribute_type_t type;
- void *value;
- unsigned long value_len;
- };
-
-
- struct ck_date
- {
- unsigned char year[4];
- unsigned char month[2];
- unsigned char day[2];
- };
-
-
- typedef unsigned long
ck_mechanism_type_t;
-
-#define CKM_RSA_PKCS_KEY_PAIR_GEN (0)
-#define CKM_RSA_PKCS (1)
-#define CKM_RSA_9796 (2)
-#define CKM_RSA_X_509 (3)
-#define CKM_MD2_RSA_PKCS (4)
-#define CKM_MD5_RSA_PKCS (5)
-#define CKM_SHA1_RSA_PKCS (6)
-#define CKM_RIPEMD128_RSA_PKCS (7)
-#define CKM_RIPEMD160_RSA_PKCS (8)
-#define CKM_RSA_PKCS_OAEP (9)
-#define CKM_RSA_X9_31_KEY_PAIR_GEN (0xa)
-#define CKM_RSA_X9_31 (0xb)
-#define CKM_SHA1_RSA_X9_31 (0xc)
-#define CKM_RSA_PKCS_PSS (0xd)
-#define CKM_SHA1_RSA_PKCS_PSS (0xe)
-#define CKM_DSA_KEY_PAIR_GEN (0x10)
-#define CKM_DSA (0x11)
-#define CKM_DSA_SHA1 (0x12)
-#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20)
-#define CKM_DH_PKCS_DERIVE (0x21)
-#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30)
-#define CKM_X9_42_DH_DERIVE (0x31)
-#define CKM_X9_42_DH_HYBRID_DERIVE (0x32)
-#define CKM_X9_42_MQV_DERIVE (0x33)
-#define CKM_SHA256_RSA_PKCS (0x40)
-#define CKM_SHA384_RSA_PKCS (0x41)
-#define CKM_SHA512_RSA_PKCS (0x42)
-#define CKM_SHA256_RSA_PKCS_PSS (0x43)
-#define CKM_SHA384_RSA_PKCS_PSS (0x44)
-#define CKM_SHA512_RSA_PKCS_PSS (0x45)
-#define CKM_RC2_KEY_GEN (0x100)
-#define CKM_RC2_ECB (0x101)
-#define CKM_RC2_CBC (0x102)
-#define CKM_RC2_MAC (0x103)
-#define CKM_RC2_MAC_GENERAL (0x104)
-#define CKM_RC2_CBC_PAD (0x105)
-#define CKM_RC4_KEY_GEN (0x110)
-#define CKM_RC4 (0x111)
-#define CKM_DES_KEY_GEN (0x120)
-#define CKM_DES_ECB (0x121)
-#define CKM_DES_CBC (0x122)
-#define CKM_DES_MAC (0x123)
-#define CKM_DES_MAC_GENERAL (0x124)
-#define CKM_DES_CBC_PAD (0x125)
-#define CKM_DES2_KEY_GEN (0x130)
-#define CKM_DES3_KEY_GEN (0x131)
-#define CKM_DES3_ECB (0x132)
-#define CKM_DES3_CBC (0x133)
-#define CKM_DES3_MAC (0x134)
-#define CKM_DES3_MAC_GENERAL (0x135)
-#define CKM_DES3_CBC_PAD (0x136)
-#define CKM_CDMF_KEY_GEN (0x140)
-#define CKM_CDMF_ECB (0x141)
-#define CKM_CDMF_CBC (0x142)
-#define CKM_CDMF_MAC (0x143)
-#define CKM_CDMF_MAC_GENERAL (0x144)
-#define CKM_CDMF_CBC_PAD (0x145)
-#define CKM_MD2 (0x200)
-#define CKM_MD2_HMAC (0x201)
-#define
CKM_MD2_HMAC_GENERAL (0x202)
-#define CKM_MD5 (0x210)
-#define CKM_MD5_HMAC (0x211)
-#define CKM_MD5_HMAC_GENERAL (0x212)
-#define CKM_SHA_1 (0x220)
-#define CKM_SHA_1_HMAC (0x221)
-#define CKM_SHA_1_HMAC_GENERAL (0x222)
-#define CKM_RIPEMD128 (0x230)
-#define CKM_RIPEMD128_HMAC (0x231)
-#define CKM_RIPEMD128_HMAC_GENERAL (0x232)
-#define CKM_RIPEMD160 (0x240)
-#define CKM_RIPEMD160_HMAC (0x241)
-#define CKM_RIPEMD160_HMAC_GENERAL (0x242)
-#define CKM_SHA256 (0x250)
-#define CKM_SHA256_HMAC (0x251)
-#define CKM_SHA256_HMAC_GENERAL (0x252)
-#define CKM_SHA384 (0x260)
-#define CKM_SHA384_HMAC (0x261)
-#define CKM_SHA384_HMAC_GENERAL (0x262)
-#define CKM_SHA512 (0x270)
-#define CKM_SHA512_HMAC (0x271)
-#define CKM_SHA512_HMAC_GENERAL (0x272)
-#define CKM_CAST_KEY_GEN (0x300)
-#define CKM_CAST_ECB (0x301)
-#define CKM_CAST_CBC (0x302)
-#define CKM_CAST_MAC (0x303)
-#define CKM_CAST_MAC_GENERAL (0x304)
-#define CKM_CAST_CBC_PAD (0x305)
-#define CKM_CAST3_KEY_GEN (0x310)
-#define CKM_CAST3_ECB (0x311)
-#define CKM_CAST3_CBC (0x312)
-#define CKM_CAST3_MAC (0x313)
-#define CKM_CAST3_MAC_GENERAL (0x314)
-#define CKM_CAST3_CBC_PAD (0x315)
-#define CKM_CAST5_KEY_GEN (0x320)
-#define CKM_CAST128_KEY_GEN (0x320)
-#define CKM_CAST5_ECB (0x321)
-#define CKM_CAST128_ECB (0x321)
-#define CKM_CAST5_CBC (0x322)
-#define CKM_CAST128_CBC (0x322)
-#define CKM_CAST5_MAC (0x323)
-#define CKM_CAST128_MAC (0x323)
-#define CKM_CAST5_MAC_GENERAL (0x324)
-#define CKM_CAST128_MAC_GENERAL (0x324)
-#define CKM_CAST5_CBC_PAD (0x325)
-#define CKM_CAST128_CBC_PAD (0x325)
-#define CKM_RC5_KEY_GEN (0x330)
-#define CKM_RC5_ECB (0x331)
-#define CKM_RC5_CBC (0x332)
-#define CKM_RC5_MAC (0x333)
-#define CKM_RC5_MAC_GENERAL (0x334)
-#define CKM_RC5_CBC_PAD (0x335)
-#define CKM_IDEA_KEY_GEN (0x340)
-#define CKM_IDEA_ECB (0x341)
-#define CKM_IDEA_CBC (0x342)
-#define CKM_IDEA_MAC (0x343)
-#define CKM_IDEA_MAC_GENERAL (0x344)
-#define CKM_IDEA_CBC_PAD (0x345)
-#define CKM_GENERIC_SECRET_KEY_GEN (0x350)
-#define CKM_CONCATENATE_BASE_AND_KEY (0x360)
-#define CKM_CONCATENATE_BASE_AND_DATA (0x362)
-#define CKM_CONCATENATE_DATA_AND_BASE (0x363)
-#define CKM_XOR_BASE_AND_DATA (0x364)
-#define CKM_EXTRACT_KEY_FROM_KEY (0x365)
-#define CKM_SSL3_PRE_MASTER_KEY_GEN (0x370)
-#define CKM_SSL3_MASTER_KEY_DERIVE (0x371)
-#define CKM_SSL3_KEY_AND_MAC_DERIVE (0x372)
-#define CKM_SSL3_MASTER_KEY_DERIVE_DH (0x373)
-#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374)
-#define CKM_TLS_MASTER_KEY_DERIVE (0x375)
-#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376)
-#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377)
-#define CKM_SSL3_MD5_MAC (0x380)
-#define CKM_SSL3_SHA1_MAC (0x381)
-#define CKM_MD5_KEY_DERIVATION (0x390)
-#define CKM_MD2_KEY_DERIVATION (0x391)
-#define CKM_SHA1_KEY_DERIVATION (0x392)
-#define CKM_PBE_MD2_DES_CBC (0x3a0)
-#define CKM_PBE_MD5_DES_CBC (0x3a1)
-#define CKM_PBE_MD5_CAST_CBC (0x3a2)
-#define CKM_PBE_MD5_CAST3_CBC (0x3a3)
-#define CKM_PBE_MD5_CAST5_CBC (0x3a4)
-#define CKM_PBE_MD5_CAST128_CBC (0x3a4)
-#define CKM_PBE_SHA1_CAST5_CBC (0x3a5)
-#define CKM_PBE_SHA1_CAST128_CBC (0x3a5)
-#define CKM_PBE_SHA1_RC4_128 (0x3a6)
-#define CKM_PBE_SHA1_RC4_40 (0x3a7)
-#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8)
-#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9)
-#define CKM_PBE_SHA1_RC2_128_CBC (0x3aa)
-#define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)
-#define CKM_PKCS5_PBKD2 (0x3b0)
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0)
-#define CKM_KEY_WRAP_LYNKS (0x400)
-#define CKM_KEY_WRAP_SET_OAEP (0x401)
-#define CKM_SKIPJACK_KEY_GEN (0x1000)
-#define CKM_SKIPJACK_ECB64 (0x1001)
-#define CKM_SKIPJACK_CBC64 (0x1002)
-#define CKM_SKIPJACK_OFB64 (0x1003)
-#define CKM_SKIPJACK_CFB64 (0x1004)
-#define CKM_SKIPJACK_CFB32 (0x1005)
-#define CKM_SKIPJACK_CFB16 (0x1006)
-#define CKM_SKIPJACK_CFB8 (0x1007)
-#define CKM_SKIPJACK_WRAP (0x1008)
-#define CKM_SKIPJACK_PRIVATE_WRAP (0x1009)
-#define CKM_SKIPJACK_RELAYX (0x100a)
-#define CKM_KEA_KEY_PAIR_GEN (0x1010)
-#define CKM_KEA_KEY_DERIVE (0x1011)
-#define
CKM_FORTEZZA_TIMESTAMP (0x1020)
-#define CKM_BATON_KEY_GEN (0x1030)
-#define CKM_BATON_ECB128 (0x1031)
-#define CKM_BATON_ECB96 (0x1032)
-#define CKM_BATON_CBC128 (0x1033)
-#define CKM_BATON_COUNTER (0x1034)
-#define CKM_BATON_SHUFFLE (0x1035)
-#define CKM_BATON_WRAP (0x1036)
-#define CKM_ECDSA_KEY_PAIR_GEN (0x1040)
-#define CKM_EC_KEY_PAIR_GEN (0x1040)
-#define CKM_ECDSA (0x1041)
-#define CKM_ECDSA_SHA1 (0x1042)
-#define CKM_ECDH1_DERIVE (0x1050)
-#define CKM_ECDH1_COFACTOR_DERIVE (0x1051)
-#define CKM_ECMQV_DERIVE (0x1052)
-#define CKM_JUNIPER_KEY_GEN (0x1060)
-#define CKM_JUNIPER_ECB128 (0x1061)
-#define CKM_JUNIPER_CBC128 (0x1062)
-#define CKM_JUNIPER_COUNTER (0x1063)
-#define CKM_JUNIPER_SHUFFLE (0x1064)
-#define CKM_JUNIPER_WRAP (0x1065)
-#define CKM_FASTHASH (0x1070)
-#define CKM_AES_KEY_GEN (0x1080)
-#define CKM_AES_ECB (0x1081)
-#define CKM_AES_CBC (0x1082)
-#define CKM_AES_MAC (0x1083)
-#define CKM_AES_MAC_GENERAL (0x1084)
-#define CKM_AES_CBC_PAD (0x1085)
-#define CKM_DSA_PARAMETER_GEN (0x2000)
-#define CKM_DH_PKCS_PARAMETER_GEN (0x2001)
-#define CKM_X9_42_DH_PARAMETER_GEN (0x2002)
-#define CKM_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-/* Ammendments */
-#define CKM_SHA224 (0x255)
-#define CKM_SHA224_HMAC (0x256)
-#define CKM_SHA224_HMAC_GENERAL (0x257)
-#define CKM_SHA224_RSA_PKCS (0x46)
-#define CKM_SHA224_RSA_PKCS_PSS (0x47)
-#define CKM_SHA224_KEY_DERIVATION (0x396)
-
-#define CKM_CAMELLIA_KEY_GEN (0x550)
-#define CKM_CAMELLIA_ECB (0x551)
-#define CKM_CAMELLIA_CBC (0x552)
-#define CKM_CAMELLIA_MAC (0x553)
-#define CKM_CAMELLIA_MAC_GENERAL (0x554)
-#define CKM_CAMELLIA_CBC_PAD (0x555)
-#define CKM_CAMELLIA_ECB_ENCRYPT_DATA (0x556)
-#define CKM_CAMELLIA_CBC_ENCRYPT_DATA (0x557)
-
-
- struct ck_mechanism
- {
- ck_mechanism_type_t mechanism;
- void *parameter;
- unsigned long parameter_len;
- };
-
-
- struct ck_mechanism_info
- {
- unsigned long min_key_size;
- unsigned long max_key_size;
- ck_flags_t flags;
- };
-
-#define CKF_HW (1 << 0)
-#define
CKF_ENCRYPT (1 << 8)
-#define CKF_DECRYPT (1 << 9)
-#define CKF_DIGEST (1 << 10)
-#define CKF_SIGN (1 << 11)
-#define CKF_SIGN_RECOVER (1 << 12)
-#define CKF_VERIFY (1 << 13)
-#define CKF_VERIFY_RECOVER (1 << 14)
-#define CKF_GENERATE (1 << 15)
-#define CKF_GENERATE_KEY_PAIR (1 << 16)
-#define CKF_WRAP (1 << 17)
-#define CKF_UNWRAP (1 << 18)
-#define CKF_DERIVE (1 << 19)
-#define CKF_EXTENSION ((unsigned long) (1 << 31))
-
-
-/* Flags for C_WaitForSlotEvent. */
-#define CKF_DONT_BLOCK (1)
-
-
- typedef unsigned long ck_rv_t;
-
-
- typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session,
- ck_notification_t event, void *application);
-
-/* Forward reference. */
- struct ck_function_list;
-
-#define _CK_DECLARE_FUNCTION(name, args) \
-typedef ck_rv_t (*CK_ ## name) args; \
-ck_rv_t CK_SPEC name args
-
- _CK_DECLARE_FUNCTION (C_Initialize, (void *init_args));
- _CK_DECLARE_FUNCTION (C_Finalize, (void *reserved));
- _CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info * info));
- _CK_DECLARE_FUNCTION (C_GetFunctionList,
- (struct ck_function_list ** function_list));
-
- _CK_DECLARE_FUNCTION (C_GetSlotList,
- (unsigned char token_present,
- ck_slot_id_t * slot_list, unsigned long *count));
- _CK_DECLARE_FUNCTION (C_GetSlotInfo,
- (ck_slot_id_t slot_id, struct ck_slot_info * info));
- _CK_DECLARE_FUNCTION (C_GetTokenInfo,
- (ck_slot_id_t slot_id,
- struct ck_token_info * info));
- _CK_DECLARE_FUNCTION (C_WaitForSlotEvent,
- (ck_flags_t flags, ck_slot_id_t * slot,
- void *reserved));
- _CK_DECLARE_FUNCTION (C_GetMechanismList,
- (ck_slot_id_t slot_id,
- ck_mechanism_type_t * mechanism_list,
- unsigned long *count));
- _CK_DECLARE_FUNCTION (C_GetMechanismInfo,
- (ck_slot_id_t slot_id, ck_mechanism_type_t type,
- struct ck_mechanism_info * info));
- _CK_DECLARE_FUNCTION (C_InitToken,
- (ck_slot_id_t slot_id, unsigned char *pin,
- unsigned long pin_len, unsigned char *label));
- _CK_DECLARE_FUNCTION (C_InitPIN,
- (ck_session_handle_t session, unsigned char *pin,
- unsigned
long pin_len));
- _CK_DECLARE_FUNCTION (C_SetPIN,
- (ck_session_handle_t session,
- unsigned char *old_pin, unsigned long old_len,
- unsigned char *new_pin, unsigned long new_len));
-
- _CK_DECLARE_FUNCTION (C_OpenSession,
- (ck_slot_id_t slot_id, ck_flags_t flags,
- void *application, ck_notify_t notify,
- ck_session_handle_t * session));
- _CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session));
- _CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id));
- _CK_DECLARE_FUNCTION (C_GetSessionInfo,
- (ck_session_handle_t session,
- struct ck_session_info * info));
- _CK_DECLARE_FUNCTION (C_GetOperationState,
- (ck_session_handle_t session,
- unsigned char *operation_state,
- unsigned long *operation_state_len));
- _CK_DECLARE_FUNCTION (C_SetOperationState,
- (ck_session_handle_t session,
- unsigned char *operation_state,
- unsigned long operation_state_len,
- ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key));
- _CK_DECLARE_FUNCTION (C_Login,
- (ck_session_handle_t session,
- ck_user_type_t user_type, unsigned char *pin,
- unsigned long pin_len));
- _CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session));
-
- _CK_DECLARE_FUNCTION (C_CreateObject,
- (ck_session_handle_t session,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * object));
- _CK_DECLARE_FUNCTION (C_CopyObject,
- (ck_session_handle_t session,
- ck_object_handle_t object,
- struct ck_attribute * templ, unsigned long count,
- ck_object_handle_t * new_object));
- _CK_DECLARE_FUNCTION (C_DestroyObject,
- (ck_session_handle_t session,
- ck_object_handle_t object));
- _CK_DECLARE_FUNCTION (C_GetObjectSize,
- (ck_session_handle_t session,
- ck_object_handle_t object, unsigned long *size));
- _CK_DECLARE_FUNCTION (C_GetAttributeValue,
- (ck_session_handle_t session,
- ck_object_handle_t object,
- struct ck_attribute * templ, unsigned long count));
- _CK_DECLARE_FUNCTION (C_SetAttributeValue,
- (ck_session_handle_t session,
-
ck_object_handle_t object,
- struct ck_attribute * templ, unsigned long count));
- _CK_DECLARE_FUNCTION (C_FindObjectsInit,
- (ck_session_handle_t session,
- struct ck_attribute * templ, unsigned long count));
- _CK_DECLARE_FUNCTION (C_FindObjects,
- (ck_session_handle_t session,
- ck_object_handle_t * object,
- unsigned long max_object_count,
- unsigned long *object_count));
- _CK_DECLARE_FUNCTION (C_FindObjectsFinal, (ck_session_handle_t session));
-
- _CK_DECLARE_FUNCTION (C_EncryptInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_Encrypt,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *encrypted_data,
- unsigned long *encrypted_data_len));
- _CK_DECLARE_FUNCTION (C_EncryptUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len));
- _CK_DECLARE_FUNCTION (C_EncryptFinal,
- (ck_session_handle_t session,
- unsigned char *last_encrypted_part,
- unsigned long *last_encrypted_part_len));
-
- _CK_DECLARE_FUNCTION (C_DecryptInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_Decrypt,
- (ck_session_handle_t session,
- unsigned char *encrypted_data,
- unsigned long encrypted_data_len,
- unsigned char *data, unsigned long *data_len));
- _CK_DECLARE_FUNCTION (C_DecryptUpdate,
- (ck_session_handle_t session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len));
- _CK_DECLARE_FUNCTION (C_DecryptFinal,
- (ck_session_handle_t session,
- unsigned char *last_part,
- unsigned long *last_part_len));
-
- _CK_DECLARE_FUNCTION (C_DigestInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism));
- _CK_DECLARE_FUNCTION (C_Digest,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
-
unsigned char *digest, unsigned long *digest_len)); - _CK_DECLARE_FUNCTION (C_DigestUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len)); - _CK_DECLARE_FUNCTION (C_DigestKey, - (ck_session_handle_t session, - ck_object_handle_t key)); - _CK_DECLARE_FUNCTION (C_DigestFinal, - (ck_session_handle_t session, unsigned char *digest, - unsigned long *digest_len)); - - _CK_DECLARE_FUNCTION (C_SignInit, - (ck_session_handle_t session, - struct ck_mechanism * mechanism, - ck_object_handle_t key)); - _CK_DECLARE_FUNCTION (C_Sign, - (ck_session_handle_t session, - unsigned char *data, unsigned long data_len, - unsigned char *signature, - unsigned long *signature_len)); - _CK_DECLARE_FUNCTION (C_SignUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len)); - _CK_DECLARE_FUNCTION (C_SignFinal, - (ck_session_handle_t session, - unsigned char *signature, - unsigned long *signature_len)); - _CK_DECLARE_FUNCTION (C_SignRecoverInit, - (ck_session_handle_t session, - struct ck_mechanism * mechanism, - ck_object_handle_t key)); - _CK_DECLARE_FUNCTION (C_SignRecover, - (ck_session_handle_t session, - unsigned char *data, unsigned long data_len, - unsigned char *signature, - unsigned long *signature_len)); - - _CK_DECLARE_FUNCTION (C_VerifyInit, - (ck_session_handle_t session, - struct ck_mechanism * mechanism, - ck_object_handle_t key)); - _CK_DECLARE_FUNCTION (C_Verify, - (ck_session_handle_t session, - unsigned char *data, unsigned long data_len, - unsigned char *signature, - unsigned long signature_len)); - _CK_DECLARE_FUNCTION (C_VerifyUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len)); - _CK_DECLARE_FUNCTION (C_VerifyFinal, - (ck_session_handle_t session, - unsigned char *signature, - unsigned long signature_len)); - _CK_DECLARE_FUNCTION (C_VerifyRecoverInit, - (ck_session_handle_t session, - struct ck_mechanism * mechanism, - ck_object_handle_t key)); - _CK_DECLARE_FUNCTION 
(C_VerifyRecover, - (ck_session_handle_t session, - unsigned char *signature, - unsigned long signature_len, - unsigned char *data, unsigned long *data_len)); - - _CK_DECLARE_FUNCTION (C_DigestEncryptUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len, - unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); - _CK_DECLARE_FUNCTION (C_DecryptDigestUpdate, - (ck_session_handle_t session, - unsigned char *encrypted_part, - unsigned long encrypted_part_len, - unsigned char *part, unsigned long *part_len)); - _CK_DECLARE_FUNCTION (C_SignEncryptUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len, - unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); - _CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate, - (ck_session_handle_t session, - unsigned char *encrypted_part, - unsigned long encrypted_part_len, - unsigned char *part, unsigned long *part_len)); - - _CK_DECLARE_FUNCTION (C_GenerateKey, - (ck_session_handle_t session, - struct ck_mechanism * mechanism, - struct ck_attribute * templ, - unsigned long count, ck_object_handle_t * key)); - _CK_DECLARE_FUNCTION (C_GenerateKeyPair, - (ck_session_handle_t session, - struct ck_mechanism * mechanism, - struct ck_attribute * public_key_template, - unsigned long public_key_attribute_count, - struct ck_attribute * private_key_template, - unsigned long private_key_attribute_count, - ck_object_handle_t * public_key, - ck_object_handle_t * private_key)); - _CK_DECLARE_FUNCTION (C_WrapKey, - (ck_session_handle_t session, - struct ck_mechanism * mechanism, - ck_object_handle_t wrapping_key, - ck_object_handle_t key, - unsigned char *wrapped_key, - unsigned long *wrapped_key_len)); - _CK_DECLARE_FUNCTION (C_UnwrapKey, - (ck_session_handle_t session, - struct ck_mechanism * mechanism, - ck_object_handle_t unwrapping_key, - unsigned char *wrapped_key, - unsigned long wrapped_key_len, - struct ck_attribute * templ, - unsigned long 
attribute_count, - ck_object_handle_t * key)); - _CK_DECLARE_FUNCTION (C_DeriveKey, - (ck_session_handle_t session, - struct ck_mechanism * mechanism, - ck_object_handle_t base_key, - struct ck_attribute * templ, - unsigned long attribute_count, - ck_object_handle_t * key)); - - _CK_DECLARE_FUNCTION (C_SeedRandom, - (ck_session_handle_t session, unsigned char *seed, - unsigned long seed_len)); - _CK_DECLARE_FUNCTION (C_GenerateRandom, - (ck_session_handle_t session, - unsigned char *random_data, - unsigned long random_len)); - - _CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session)); - _CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session)); - - - struct ck_function_list - { - struct ck_version version; - CK_C_Initialize C_Initialize; - CK_C_Finalize C_Finalize; - CK_C_GetInfo C_GetInfo; - CK_C_GetFunctionList C_GetFunctionList; - CK_C_GetSlotList C_GetSlotList; - CK_C_GetSlotInfo C_GetSlotInfo; - CK_C_GetTokenInfo C_GetTokenInfo; - CK_C_GetMechanismList C_GetMechanismList; - CK_C_GetMechanismInfo C_GetMechanismInfo; - CK_C_InitToken C_InitToken; - CK_C_InitPIN C_InitPIN; - CK_C_SetPIN C_SetPIN; - CK_C_OpenSession C_OpenSession; - CK_C_CloseSession C_CloseSession; - CK_C_CloseAllSessions C_CloseAllSessions; - CK_C_GetSessionInfo C_GetSessionInfo; - CK_C_GetOperationState C_GetOperationState; - CK_C_SetOperationState C_SetOperationState; - CK_C_Login C_Login; - CK_C_Logout C_Logout; - CK_C_CreateObject C_CreateObject; - CK_C_CopyObject C_CopyObject; - CK_C_DestroyObject C_DestroyObject; - CK_C_GetObjectSize C_GetObjectSize; - CK_C_GetAttributeValue C_GetAttributeValue; - CK_C_SetAttributeValue C_SetAttributeValue; - CK_C_FindObjectsInit C_FindObjectsInit; - CK_C_FindObjects C_FindObjects; - CK_C_FindObjectsFinal C_FindObjectsFinal; - CK_C_EncryptInit C_EncryptInit; - CK_C_Encrypt C_Encrypt; - CK_C_EncryptUpdate C_EncryptUpdate; - CK_C_EncryptFinal C_EncryptFinal; - CK_C_DecryptInit C_DecryptInit; - CK_C_Decrypt C_Decrypt; - 
CK_C_DecryptUpdate C_DecryptUpdate; - CK_C_DecryptFinal C_DecryptFinal; - CK_C_DigestInit C_DigestInit; - CK_C_Digest C_Digest; - CK_C_DigestUpdate C_DigestUpdate; - CK_C_DigestKey C_DigestKey; - CK_C_DigestFinal C_DigestFinal; - CK_C_SignInit C_SignInit; - CK_C_Sign C_Sign; - CK_C_SignUpdate C_SignUpdate; - CK_C_SignFinal C_SignFinal; - CK_C_SignRecoverInit C_SignRecoverInit; - CK_C_SignRecover C_SignRecover; - CK_C_VerifyInit C_VerifyInit; - CK_C_Verify C_Verify; - CK_C_VerifyUpdate C_VerifyUpdate; - CK_C_VerifyFinal C_VerifyFinal; - CK_C_VerifyRecoverInit C_VerifyRecoverInit; - CK_C_VerifyRecover C_VerifyRecover; - CK_C_DigestEncryptUpdate C_DigestEncryptUpdate; - CK_C_DecryptDigestUpdate C_DecryptDigestUpdate; - CK_C_SignEncryptUpdate C_SignEncryptUpdate; - CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate; - CK_C_GenerateKey C_GenerateKey; - CK_C_GenerateKeyPair C_GenerateKeyPair; - CK_C_WrapKey C_WrapKey; - CK_C_UnwrapKey C_UnwrapKey; - CK_C_DeriveKey C_DeriveKey; - CK_C_SeedRandom C_SeedRandom; - CK_C_GenerateRandom C_GenerateRandom; - CK_C_GetFunctionStatus C_GetFunctionStatus; - CK_C_CancelFunction C_CancelFunction; - CK_C_WaitForSlotEvent C_WaitForSlotEvent; - }; - - - typedef ck_rv_t (*ck_createmutex_t) (void **mutex); - typedef ck_rv_t (*ck_destroymutex_t) (void *mutex); - typedef ck_rv_t (*ck_lockmutex_t) (void *mutex); - typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex); - - - struct ck_c_initialize_args - { - ck_createmutex_t create_mutex; - ck_destroymutex_t destroy_mutex; - ck_lockmutex_t lock_mutex; - ck_unlockmutex_t unlock_mutex; - ck_flags_t flags; - void *reserved; - }; - - -#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1 << 0) -#define CKF_OS_LOCKING_OK (1 << 1) - -#define CKR_OK (0) -#define CKR_CANCEL (1) -#define CKR_HOST_MEMORY (2) -#define CKR_SLOT_ID_INVALID (3) -#define CKR_GENERAL_ERROR (5) -#define CKR_FUNCTION_FAILED (6) -#define CKR_ARGUMENTS_BAD (7) -#define CKR_NO_EVENT (8) -#define CKR_NEED_TO_CREATE_THREADS (9) -#define 
CKR_CANT_LOCK (0xa) -#define CKR_ATTRIBUTE_READ_ONLY (0x10) -#define CKR_ATTRIBUTE_SENSITIVE (0x11) -#define CKR_ATTRIBUTE_TYPE_INVALID (0x12) -#define CKR_ATTRIBUTE_VALUE_INVALID (0x13) -#define CKR_DATA_INVALID (0x20) -#define CKR_DATA_LEN_RANGE (0x21) -#define CKR_DEVICE_ERROR (0x30) -#define CKR_DEVICE_MEMORY (0x31) -#define CKR_DEVICE_REMOVED (0x32) -#define CKR_ENCRYPTED_DATA_INVALID (0x40) -#define CKR_ENCRYPTED_DATA_LEN_RANGE (0x41) -#define CKR_FUNCTION_CANCELED (0x50) -#define CKR_FUNCTION_NOT_PARALLEL (0x51) -#define CKR_FUNCTION_NOT_SUPPORTED (0x54) -#define CKR_KEY_HANDLE_INVALID (0x60) -#define CKR_KEY_SIZE_RANGE (0x62) -#define CKR_KEY_TYPE_INCONSISTENT (0x63) -#define CKR_KEY_NOT_NEEDED (0x64) -#define CKR_KEY_CHANGED (0x65) -#define CKR_KEY_NEEDED (0x66) -#define CKR_KEY_INDIGESTIBLE (0x67) -#define CKR_KEY_FUNCTION_NOT_PERMITTED (0x68) -#define CKR_KEY_NOT_WRAPPABLE (0x69) -#define CKR_KEY_UNEXTRACTABLE (0x6a) -#define CKR_MECHANISM_INVALID (0x70) -#define CKR_MECHANISM_PARAM_INVALID (0x71) -#define CKR_OBJECT_HANDLE_INVALID (0x82) -#define CKR_OPERATION_ACTIVE (0x90) -#define CKR_OPERATION_NOT_INITIALIZED (0x91) -#define CKR_PIN_INCORRECT (0xa0) -#define CKR_PIN_INVALID (0xa1) -#define CKR_PIN_LEN_RANGE (0xa2) -#define CKR_PIN_EXPIRED (0xa3) -#define CKR_PIN_LOCKED (0xa4) -#define CKR_SESSION_CLOSED (0xb0) -#define CKR_SESSION_COUNT (0xb1) -#define CKR_SESSION_HANDLE_INVALID (0xb3) -#define CKR_SESSION_PARALLEL_NOT_SUPPORTED (0xb4) -#define CKR_SESSION_READ_ONLY (0xb5) -#define CKR_SESSION_EXISTS (0xb6) -#define CKR_SESSION_READ_ONLY_EXISTS (0xb7) -#define CKR_SESSION_READ_WRITE_SO_EXISTS (0xb8) -#define CKR_SIGNATURE_INVALID (0xc0) -#define CKR_SIGNATURE_LEN_RANGE (0xc1) -#define CKR_TEMPLATE_INCOMPLETE (0xd0) -#define CKR_TEMPLATE_INCONSISTENT (0xd1) -#define CKR_TOKEN_NOT_PRESENT (0xe0) -#define CKR_TOKEN_NOT_RECOGNIZED (0xe1) -#define CKR_TOKEN_WRITE_PROTECTED (0xe2) -#define CKR_UNWRAPPING_KEY_HANDLE_INVALID (0xf0) -#define 
CKR_UNWRAPPING_KEY_SIZE_RANGE (0xf1) -#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2) -#define CKR_USER_ALREADY_LOGGED_IN (0x100) -#define CKR_USER_NOT_LOGGED_IN (0x101) -#define CKR_USER_PIN_NOT_INITIALIZED (0x102) -#define CKR_USER_TYPE_INVALID (0x103) -#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN (0x104) -#define CKR_USER_TOO_MANY_TYPES (0x105) -#define CKR_WRAPPED_KEY_INVALID (0x110) -#define CKR_WRAPPED_KEY_LEN_RANGE (0x112) -#define CKR_WRAPPING_KEY_HANDLE_INVALID (0x113) -#define CKR_WRAPPING_KEY_SIZE_RANGE (0x114) -#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT (0x115) -#define CKR_RANDOM_SEED_NOT_SUPPORTED (0x120) -#define CKR_RANDOM_NO_RNG (0x121) -#define CKR_DOMAIN_PARAMS_INVALID (0x130) -#define CKR_BUFFER_TOO_SMALL (0x150) -#define CKR_SAVED_STATE_INVALID (0x160) -#define CKR_INFORMATION_SENSITIVE (0x170) -#define CKR_STATE_UNSAVEABLE (0x180) -#define CKR_CRYPTOKI_NOT_INITIALIZED (0x190) -#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191) -#define CKR_MUTEX_BAD (0x1a0) -#define CKR_MUTEX_NOT_LOCKED (0x1a1) -#define CKR_FUNCTION_REJECTED (0x200) -#define CKR_VENDOR_DEFINED ((unsigned long) (1 << 31)) - - - -/* Compatibility layer. */ - -#ifdef CRYPTOKI_COMPAT - -#undef CK_DEFINE_FUNCTION -#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name - -/* For NULL. 
*/ -#include <stddef.h> - - typedef unsigned char CK_BYTE; - typedef unsigned char CK_CHAR; - typedef unsigned char CK_UTF8CHAR; - typedef unsigned char CK_BBOOL; - typedef unsigned long int CK_ULONG; - typedef long int CK_LONG; - typedef CK_BYTE *CK_BYTE_PTR; - typedef CK_CHAR *CK_CHAR_PTR; - typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR; - typedef CK_ULONG *CK_ULONG_PTR; - typedef void *CK_VOID_PTR; - typedef void **CK_VOID_PTR_PTR; -#define CK_FALSE 0 -#define CK_TRUE 1 -#ifndef CK_DISABLE_TRUE_FALSE -#ifndef FALSE -#define FALSE 0 -#endif -#ifndef TRUE -#define TRUE 1 -#endif -#endif - - typedef struct ck_version CK_VERSION; - typedef struct ck_version *CK_VERSION_PTR; - - typedef struct ck_info CK_INFO; - typedef struct ck_info *CK_INFO_PTR; - - typedef ck_slot_id_t *CK_SLOT_ID_PTR; - - typedef struct ck_slot_info CK_SLOT_INFO; - typedef struct ck_slot_info *CK_SLOT_INFO_PTR; - - typedef struct ck_token_info CK_TOKEN_INFO; - typedef struct ck_token_info *CK_TOKEN_INFO_PTR; - - typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR; - - typedef struct ck_session_info CK_SESSION_INFO; - typedef struct ck_session_info *CK_SESSION_INFO_PTR; - - typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR; - - typedef ck_object_class_t *CK_OBJECT_CLASS_PTR; - - typedef struct ck_attribute CK_ATTRIBUTE; - typedef struct ck_attribute *CK_ATTRIBUTE_PTR; - - typedef struct ck_date CK_DATE; - typedef struct ck_date *CK_DATE_PTR; - - typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR; - - typedef struct ck_mechanism CK_MECHANISM; - typedef struct ck_mechanism *CK_MECHANISM_PTR; - - typedef struct ck_mechanism_info CK_MECHANISM_INFO; - typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR; - - typedef struct ck_function_list CK_FUNCTION_LIST; - typedef struct ck_function_list *CK_FUNCTION_LIST_PTR; - typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR; - - typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS; - typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR; - -#define 
NULL_PTR NULL - -/* Delete the helper macros defined at the top of the file. */ -#undef ck_flags_t -#undef ck_version - -#undef ck_info -#undef cryptoki_version -#undef manufacturer_id -#undef library_description -#undef library_version - -#undef ck_notification_t -#undef ck_slot_id_t - -#undef ck_slot_info -#undef slot_description -#undef hardware_version -#undef firmware_version - -#undef ck_token_info -#undef serial_number -#undef max_session_count -#undef session_count -#undef max_rw_session_count -#undef rw_session_count -#undef max_pin_len -#undef min_pin_len -#undef total_public_memory -#undef free_public_memory -#undef total_private_memory -#undef free_private_memory -#undef utc_time - -#undef ck_session_handle_t -#undef ck_user_type_t -#undef ck_state_t - -#undef ck_session_info -#undef slot_id -#undef device_error - -#undef ck_object_handle_t -#undef ck_object_class_t -#undef ck_hw_feature_type_t -#undef ck_key_type_t -#undef ck_certificate_type_t -#undef ck_attribute_type_t - -#undef ck_attribute -#undef value -#undef value_len - -#undef ck_date - -#undef ck_mechanism_type_t - -#undef ck_mechanism -#undef parameter -#undef parameter_len - -#undef ck_mechanism_info -#undef min_key_size -#undef max_key_size - -#undef ck_rv_t -#undef ck_notify_t - -#undef ck_function_list - -#undef ck_createmutex_t -#undef ck_destroymutex_t -#undef ck_lockmutex_t -#undef ck_unlockmutex_t - -#undef ck_c_initialize_args -#undef create_mutex -#undef destroy_mutex -#undef lock_mutex -#undef unlock_mutex -#undef reserved - -#endif /* CRYPTOKI_COMPAT */ - - -/* System dependencies. */ -#if defined _WIN32 || defined CRYPTOKI_FORCE_WIN32 -#pragma pack(pop, cryptoki) -#endif - -#ifdef __cplusplus -} -#endif - -#endif /* PKCS11_H */ diff --git a/lib/pkcs11.c b/lib/pkcs11.c index 6ef1039efa..01527f27cb 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c 
@@ -32,25 +32,25 @@ #include <gnutls_errors.h> #include <gnutls_datum.h> #include <pkcs11_int.h> +#include <p11-kit/p11-kit.h> #define MAX_PROVIDERS 16 -static void terminate_string (unsigned char *str, size_t len); - /* XXX: try to eliminate this */ #define MAX_CERT_SIZE 8*1024 struct gnutls_pkcs11_provider_s { - pakchois_module_t *module; + struct ck_function_list *module; unsigned long nslots; ck_slot_id_t *slots; struct ck_info info; + int initialized; }; struct flags_find_data_st { - struct pkcs11_url_info info; + struct p11_kit_uri *info; unsigned int slot_flags; }; @@ -65,12 +65,13 @@ struct crt_find_data_st unsigned int *n_list; unsigned int current; gnutls_pkcs11_obj_attr_t flags; - struct pkcs11_url_info info; + struct p11_kit_uri *info; }; static struct gnutls_pkcs11_provider_s providers[MAX_PROVIDERS]; static int active_providers = 0; +static int initialized_registered = 0; static gnutls_pkcs11_pin_callback_t pin_func; static void *pin_data; @@ -171,26 +172,13 @@ pkcs11_rescan_slots (void) { unsigned long slots; - pakchois_get_slot_list (providers[active_providers - 1].module, 0, + pkcs11_get_slot_list (providers[active_providers - 1].module, 0, NULL, &slots); } -/** - * gnutls_pkcs11_add_provider: - * @name: The filename of the module - * @params: should be NULL - * - * This function will load and add a PKCS 11 module to the module - * list used in gnutls. After this function is called the module will - * be used for PKCS 11 operations. - * - * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a - * negative error value. - **/ -int -gnutls_pkcs11_add_provider (const char *name, const char *params) +static int +pkcs11_add_module (const char *name, struct ck_function_list *module) { - if (active_providers >= MAX_PROVIDERS) { gnutls_assert (); 
@@ -198,17 +186,10 @@ gnutls_pkcs11_add_provider (const char *name, const char *params) } active_providers++; - if (pakchois_module_load_abs - (&providers[active_providers - 1].module, name) != CKR_OK) - { - gnutls_assert (); - _gnutls_debug_log ("p11: Cannot load provider %s\n", name); - active_providers--; - return GNUTLS_E_PKCS11_LOAD_ERROR; - } + providers[active_providers - 1].module = module; /* cache the number of slots in this module */ - if (pakchois_get_slot_list + if (pkcs11_get_slot_list (providers[active_providers - 1].module, 0, NULL, &providers[active_providers - 1].nslots) != CKR_OK) { @@ -225,7 +206,7 @@ gnutls_pkcs11_add_provider (const char *name, const char *params) goto fail; } - if (pakchois_get_slot_list + if (pkcs11_get_slot_list (providers[active_providers - 1].module, 0, providers[active_providers - 1].slots, &providers[active_providers - 1].nslots) != CKR_OK) @@ -237,15 +218,8 @@ gnutls_pkcs11_add_provider (const char *name, const char *params) memset (&providers[active_providers - 1].info, 0, sizeof (providers[active_providers - 1].info)); - pakchois_get_info (providers[active_providers - 1].module, - &providers[active_providers - 1].info); - - terminate_string (providers[active_providers - 1].info.manufacturer_id, - sizeof (providers[active_providers - 1]. - info.manufacturer_id)); - terminate_string (providers[active_providers - 1].info.library_description, - sizeof (providers[active_providers - 1]. - info.library_description)); + pkcs11_get_module_info (providers[active_providers - 1].module, + &providers[active_providers - 1].info); _gnutls_debug_log ("p11: loaded provider '%s' with %d slots\n", name, (int) providers[active_providers - 1].nslots); 
@@ -253,10 +227,51 @@ gnutls_pkcs11_add_provider (const char *name, const char *params) return 0; fail: - pakchois_module_destroy (providers[active_providers - 1].module); active_providers--; return GNUTLS_E_PKCS11_LOAD_ERROR; +} + +/** + * gnutls_pkcs11_add_provider: + * @name: The filename of the module + * @params: should be NULL + * + * This function will load and add a PKCS 11 module to the module + * list used in gnutls. After this function is called the module will + * be used for PKCS 11 operations. + * + * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a + * negative error value. + **/ +int +gnutls_pkcs11_add_provider (const char *name, const char *params) +{ + struct ck_function_list *module; + int ret; + + active_providers++; + if (p11_kit_load_initialize_module (name, &module) != CKR_OK) + { + gnutls_assert (); + _gnutls_debug_log ("p11: Cannot load provider %s\n", name); + active_providers--; + return GNUTLS_E_PKCS11_LOAD_ERROR; + } + + ret = pkcs11_add_module (name, module); + if (ret == 0) + { + /* Mark this one as having been separately initialized */ + providers[active_providers - 1].initialized = 1; + } + else + { + p11_kit_finalize_module (module); + gnutls_assert (); + } + + return ret; } 
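Review bot: `active_providers` is bumped twice for every provider loaded through gnutls_pkcs11_add_provider: once by the added `active_providers++;` ahead of `p11_kit_load_initialize_module`, and again by the `active_providers++;` that stays in pkcs11_add_module (preceding hunks). On success that leaves an entry at `providers[active_providers - 2]` whose `module` this call never assigns, and when pkcs11_add_module fails the outer increment is never undone. Drop the added `active_providers++;` and the matching `active_providers--;` in the load-failure branch, so that pkcs11_add_module is the only place that changes the counter and the MAX_PROVIDERS check sees the real count.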
@@ -279,73 +294,124 @@ gnutls_pkcs11_obj_get_info (gnutls_pkcs11_obj_t crt, gnutls_pkcs11_obj_info_t itype, void *output, size_t * output_size) { - return pkcs11_get_info (&crt->info, itype, output, output_size); + return pkcs11_get_info (crt->info, itype, output, output_size); } int -pkcs11_get_info (struct pkcs11_url_info *info, +pkcs11_get_info (struct p11_kit_uri *info, gnutls_pkcs11_obj_info_t itype, void *output, size_t * output_size) { + struct ck_attribute *attr = NULL; + struct ck_version *version = NULL; const char *str = NULL; - size_t len; + size_t str_max = 0; + int terminate = 0; + int hexify = 0; + size_t length; + const char *data; + char buf[32]; + + /* + * Either attr, str or version is valid by the time switch + * finishes + */ switch (itype) { case GNUTLS_PKCS11_OBJ_ID: - if (*output_size < info->certid_raw_size) - { - *output_size = info->certid_raw_size; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - if (output) - memcpy (output, info->certid_raw, info->certid_raw_size); - *output_size = info->certid_raw_size; - - return 0; + attr = p11_kit_uri_get_attribute (info, CKA_ID); + break; case GNUTLS_PKCS11_OBJ_ID_HEX: - str = info->id; + attr = p11_kit_uri_get_attribute (info, CKA_ID); + hexify = 1; + terminate = 1; break; case GNUTLS_PKCS11_OBJ_LABEL: - str = info->label; + attr = p11_kit_uri_get_attribute (info, CKA_LABEL); + terminate = 1; break; case GNUTLS_PKCS11_OBJ_TOKEN_LABEL: - str = info->token; + str = p11_kit_uri_get_token_info (info)->label; + str_max = 32; break; case GNUTLS_PKCS11_OBJ_TOKEN_SERIAL: - str = info->serial; + str = p11_kit_uri_get_token_info (info)->serial_number; + str_max = 16; break; case GNUTLS_PKCS11_OBJ_TOKEN_MANUFACTURER: - str = info->manufacturer; + str = p11_kit_uri_get_token_info (info)->manufacturer_id; + str_max = 32; break; case GNUTLS_PKCS11_OBJ_TOKEN_MODEL: - str = info->model; + str = p11_kit_uri_get_token_info (info)->model; + str_max = 16; break; case GNUTLS_PKCS11_OBJ_LIBRARY_DESCRIPTION: - str = 
info->lib_desc; + str = p11_kit_uri_get_module_info (info)->library_description; + str_max = 32; break; case GNUTLS_PKCS11_OBJ_LIBRARY_VERSION: - str = info->lib_version; + version = &p11_kit_uri_get_module_info (info)->library_version; break; case GNUTLS_PKCS11_OBJ_LIBRARY_MANUFACTURER: - str = info->lib_manufacturer; + str = p11_kit_uri_get_module_info (info)->manufacturer_id; + str_max = 32; break; default: gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; } - len = strlen (str); - - if (len + 1 > *output_size) + if (attr != NULL) { - *output_size = len + 1; - return GNUTLS_E_SHORT_MEMORY_BUFFER; + data = attr->value; + length = attr->value_len; } + else if (str != NULL) + { + data = str; + length = p11_kit_space_strlen (str, str_max); + terminate = 1; + } + else if (version != NULL) + { + data = buf; + length = snprintf (buf, sizeof (buf), "%d.%d", (int)version->major, + (int)version->minor); + terminate = 1; + } + else + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); /* data and len are uninitialized */ - memcpy (output, str, len + 1); - - *output_size = len; + if (hexify) + { + /* terminate is assumed with hexify */ + if (*output_size < length * 3) + { + *output_size = length * 3; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + if (output) + _gnutls_bin2hex (data, length, output, *output_size, ":"); + *output_size = length * 3; + return 0; + } + else + { + if (*output_size < length + terminate) + { + *output_size = length + terminate; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + if (output) + { + memcpy (output, data, length); + if (terminate) + ((unsigned char*)output)[length] = '\0'; + } + *output_size = length + terminate; + } return 0; } @@ -373,7 +439,10 @@ static int init = 0; int gnutls_pkcs11_init (unsigned int flags, const char *configfile) { - int ret; + struct ck_function_list **modules; + const char *name; + ck_rv_t rv; + int i, ret; if (init != 0) { 
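Review bot: On success the non-hex branch of pkcs11_get_info now stores `length + terminate` in `*output_size`, where the removed code stored `len`, the string length without the NUL. A caller of gnutls_pkcs11_obj_get_info that treats the returned size as a string length would now count the terminator. Either keep the old contract with `*output_size = length;` on the success path, or state the new one in the function's documentation. The final `else` also carries the comment `data and len are uninitialized`, which describes why the branch bails out rather than what it means for the caller; something like `/* the URI carries no value for this itype */` would read better.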
@@ -386,48 +455,29 @@ gnutls_pkcs11_init (unsigned int flags, const char *configfile) return 0; else { - FILE *fp; - char line[512]; - const char *library; - - if (configfile == NULL) - configfile = "/etc/gnutls/pkcs11.conf"; - - fp = fopen (configfile, "r"); - if (fp == NULL) + rv = p11_kit_initialize_registered (); + if (rv != CKR_OK) { gnutls_assert (); - _gnutls_debug_log ("Cannot load %s\n", configfile); - return GNUTLS_E_FILE_ERROR; + _gnutls_debug_log ("Cannot initialize registered module: %s\n", + p11_kit_strerror (rv)); + return GNUTLS_E_INTERNAL_ERROR; } - while (fgets (line, sizeof (line), fp) != NULL) + initialized_registered = 1; + + modules = p11_kit_registered_modules (); + for (i = 0; modules[i] != NULL; i++) { - if (strncmp (line, "load", sizeof ("load") - 1) == 0) + name = p11_kit_registered_module_to_name (modules[i]); + ret = pkcs11_add_module (name, modules[i]); + if (ret != 0) { - char *p; - p = strchr (line, '='); - if (p == NULL) - continue; - - library = ++p; - - p = strchr (line, '\n'); - if (p != NULL) - { - *p = 0; - } - - ret = gnutls_pkcs11_add_provider (library, NULL); - if (ret < 0) - { - gnutls_assert (); - _gnutls_debug_log ("Cannot load provider: %s\n", library); - continue; - } + gnutls_assert (); + _gnutls_debug_log ("Cannot add registered module: %s\n", name); } } - fclose(fp); + free (modules); } return 0; @@ -455,10 +505,14 @@ gnutls_pkcs11_deinit (void) for (i = 0; i < active_providers; i++) { - pakchois_module_destroy (providers[i].module); + if (providers[i].initialized) + p11_kit_finalize_module (providers[i].module); } active_providers = 0; - pakchois_destructor(); + + if (initialized_registered != 0) + p11_kit_finalize_registered (); + initialized_registered = 0; } /** 
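Review bot: The result of `p11_kit_registered_modules ()` is indexed as `modules[i]` with no NULL check, so a failed allocation inside p11-kit would be dereferenced here; `if (modules == NULL) return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);` before the loop closes that. The string from `p11_kit_registered_module_to_name` is kept in a `const char *` and never released; if p11-kit returns an allocated copy, as I believe it does, each iteration leaks it and the loop needs a `free (name);`. `configfile` is no longer read in this branch, so the set of modules loaded into the process is now decided by p11-kit's registration rather than by the path the caller passed, which the function's doc comment should say. The function starts outside this hunk.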
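Review bot: gnutls_pkcs11_deinit tests `providers[i].initialized` but never clears it, and nothing in the visible part of pkcs11_add_module resets the field when an entry is reused. After a deinit followed by a new init, a registered module that lands in a slot previously filled by gnutls_pkcs11_add_provider would appear to inherit the stale flag and be passed to `p11_kit_finalize_module` in addition to `p11_kit_finalize_registered`. Adding `providers[i].initialized = 0;` inside the loop, or setting it to 0 in pkcs11_add_module, keeps the flag tied to the entry it describes.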
@@ -516,398 +570,68 @@ gnutls_pkcs11_set_token_function (gnutls_pkcs11_token_callback_t fn, token_data = userdata; } -static int -unescape_string (char *output, const char *input, size_t * size, - char terminator) -{ - gnutls_buffer_st str; - int ret = 0; - char *p; - int len; - - _gnutls_buffer_init (&str); - - /* find terminator */ - p = strchr (input, terminator); - if (p != NULL) - len = p - input; - else - len = strlen (input); - - ret = _gnutls_buffer_append_data (&str, input, len); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_buffer_unescape (&str); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_buffer_append_data (&str, "", 1); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - _gnutls_buffer_pop_data (&str, output, size); - - _gnutls_buffer_clear (&str); - - return ret; -} - int -pkcs11_url_to_info (const char *url, struct pkcs11_url_info *info) +pkcs11_url_to_info (const char *url, struct p11_kit_uri **info) { + int allocated = 0; int ret; - char *p1, *p2; - size_t l; - - memset (info, 0, sizeof (*info)); - - if (strstr (url, "pkcs11:") == NULL) - { - ret = GNUTLS_E_PARSING_ERROR; - goto cleanup; - } - if ((p1 = strstr (url, "library-manufacturer=")) != NULL) + if (*info == NULL) { - p1 += sizeof ("library-manufacturer=") - 1; - l = sizeof (info->lib_manufacturer); - - ret = unescape_string (info->lib_manufacturer, p1, &l, ';'); - if (ret < 0) + *info = p11_kit_uri_new (); + if (*info == NULL) { - goto cleanup; - } - } - - if ((p1 = strstr (url, "library-description=")) != NULL) - { - p1 += sizeof ("library-description=") - 1; - l = sizeof (info->lib_desc); - - ret = unescape_string (info->lib_desc, p1, &l, ';'); - if (ret < 0) - { - goto cleanup; - } - } - - if ((p1 = strstr (url, "library-version=")) != NULL) - { - p1 += sizeof ("library-version=") - 1; - l = sizeof (info->lib_version); - - ret = unescape_string (info->lib_version, p1, &l, ';'); - if (ret < 0) - { - goto cleanup; - } - 
} - - if ((p1 = strstr (url, ";manufacturer=")) != NULL || - (p1 = strstr (url, ":manufacturer=")) != NULL) - { - - p1 += sizeof (";manufacturer=") - 1; - l = sizeof (info->manufacturer); - - ret = unescape_string (info->manufacturer, p1, &l, ';'); - if (ret < 0) - { - goto cleanup; - } - } - - if ((p1 = strstr (url, "token=")) != NULL) - { - p1 += sizeof ("token=") - 1; - l = sizeof (info->token); - - ret = unescape_string (info->token, p1, &l, ';'); - if (ret < 0) - { - goto cleanup; - } - } - - if ((p1 = strstr (url, "object=")) != NULL) - { - p1 += sizeof ("object=") - 1; - l = sizeof (info->label); - - ret = unescape_string (info->label, p1, &l, ';'); - if (ret < 0) - { - goto cleanup; - } - } - - if ((p1 = strstr (url, "serial=")) != NULL) - { - p1 += sizeof ("serial=") - 1; - l = sizeof (info->serial); - - ret = unescape_string (info->serial, p1, &l, ';'); - if (ret < 0) - { - goto cleanup; - } - } - - if ((p1 = strstr (url, "model=")) != NULL) - { - p1 += sizeof ("model=") - 1; - l = sizeof (info->model); - - ret = unescape_string (info->model, p1, &l, ';'); - if (ret < 0) - { - goto cleanup; - } - } - - if ((p1 = strstr (url, "objecttype=")) != NULL) - { - p1 += sizeof ("objecttype=") - 1; - l = sizeof (info->type); - - ret = unescape_string (info->type, p1, &l, ';'); - if (ret < 0) - { - goto cleanup; + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; } + allocated = 1; } - if (((p1 = strstr (url, ";id=")) != NULL) - || ((p1 = strstr (url, ":id=")) != NULL)) + ret = p11_kit_uri_parse (url, P11_KIT_URI_FOR_ANY, *info); + if (ret < 0) { - p1 += sizeof (";id=") - 1; - l = sizeof (info->certid_raw); - - ret = unescape_string (info->certid_raw, p1, &l, ';'); - if (ret < 0) - { - goto cleanup; - } - /* not null terminated */ - info->certid_raw_size = l-1; - - p2 = _gnutls_bin2hex(info->certid_raw, info->certid_raw_size, - info->id, sizeof(info->id), ":"); - if (p2 == NULL) + if (allocated) { - ret = GNUTLS_E_PARSING_ERROR; - goto cleanup; + p11_kit_uri_free 
(*info); + *info = NULL; } - } - - ret = 0; - -cleanup: - - return ret; - -} - -#define INVALID_CHARS "\\/\"'%&#@!?$* <>{}[]()`|:;,.+-" - -/* Appends @tname to @dest under the name @p11name. - * init indicates whether it is the initial addition to buffer. - */ -static int -append (gnutls_buffer_st * dest, const void *tname, int tname_size, - const char *p11name, int all, int init) -{ - gnutls_buffer_st tmpstr; - int ret; - - _gnutls_buffer_init (&tmpstr); - if ((ret = _gnutls_buffer_append_data (&tmpstr, tname, tname_size)) < 0) - { gnutls_assert (); - goto cleanup; - } - - ret = _gnutls_buffer_escape (&tmpstr, all, INVALID_CHARS); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - if ((ret = _gnutls_buffer_append_data (&tmpstr, "", 1)) < 0) - { - gnutls_assert (); - goto cleanup; - } - - if ((ret = - _gnutls_buffer_append_printf (dest, "%s%s=%s", - (init != 0) ? ";" : "", p11name, - tmpstr.data)) < 0) - { - gnutls_assert (); - goto cleanup; + return ret == P11_KIT_URI_NO_MEMORY ? 
+ GNUTLS_E_MEMORY_ERROR : GNUTLS_E_PARSING_ERROR; } - ret = 0; - -cleanup: - _gnutls_buffer_clear (&tmpstr); - - return ret; - + return 0; } - int -pkcs11_info_to_url (const struct pkcs11_url_info *info, +pkcs11_info_to_url (struct p11_kit_uri *info, gnutls_pkcs11_url_type_t detailed, char **url) { - gnutls_buffer_st str; - int init = 0; + p11_kit_uri_type_t type = 0; int ret; - _gnutls_buffer_init (&str); - - _gnutls_buffer_append_str (&str, "pkcs11:"); - - if (info->token[0]) + switch (detailed) { - ret = append (&str, info->token, strlen(info->token), "token", 0, init); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - init = 1; - } - - if (info->serial[0]) - { - ret = append (&str, info->serial, strlen(info->serial), "serial", 0, init); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - init = 1; - } - - if (info->model[0]) - { - ret = append (&str, info->model, strlen(info->model), "model", 0, init); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - init = 1; - } - - - if (info->manufacturer[0]) - { - ret = append (&str, info->manufacturer, strlen(info->manufacturer), "manufacturer", 0, init); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - init = 1; - } - - if (info->label[0]) - { - ret = append (&str, info->label, strlen(info->label), "object", 0, init); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - init = 1; - } - - if (info->type[0]) - { - ret = append (&str, info->type, strlen(info->type), "objecttype", 0, init); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - init = 1; - } - - if (detailed > GNUTLS_PKCS11_URL_GENERIC) - { - if (info->lib_manufacturer[0]) - { - ret = - append (&str, info->lib_manufacturer, strlen(info->lib_manufacturer), "library-manufacturer", - 0, init); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - init = 1; - } - - if (info->lib_desc[0]) - { - ret = append (&str, info->lib_desc, strlen(info->lib_desc), "library-description", 0, init); - if (ret < 
0) - { - gnutls_assert (); - goto cleanup; - } - init = 1; - } - } - - if (detailed > GNUTLS_PKCS11_URL_LIB) - { - if (info->lib_version[0]) - { - ret = append (&str, info->lib_version, strlen(info->lib_version), "library-version", 0, init); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - init = 1; - } + case GNUTLS_PKCS11_URL_GENERIC: + type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN; + break; + case GNUTLS_PKCS11_URL_LIB: + type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE; + break; + case GNUTLS_PKCS11_URL_LIB_VERSION: + type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE | P11_KIT_URI_FOR_MODULE_WITH_VERSION; + break; } - if (info->certid_raw_size > 0) + ret = p11_kit_uri_format (info, type, url); + if (ret < 0) { - ret = append (&str, info->certid_raw, info->certid_raw_size, "id", 1, init); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + gnutls_assert (); + return ret == P11_KIT_URI_NO_MEMORY ? + GNUTLS_E_MEMORY_ERROR : GNUTLS_E_INTERNAL_ERROR; } - _gnutls_buffer_append_data (&str, "", 1); - - *url = str.data; - return 0; - -cleanup: - _gnutls_buffer_clear (&str); - return ret; } /** @@ -929,6 +653,14 @@ gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * obj) return GNUTLS_E_MEMORY_ERROR; } + (*obj)->info = p11_kit_uri_new (); + if ((*obj)->info == NULL) + { + free (*obj); + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + return 0; } @@ -942,6 +674,7 @@ void gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t obj) { _gnutls_free_datum (&obj->raw); + p11_kit_uri_free (obj->info); free (obj); } 
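Review bot: pkcs11_url_to_info now treats `*info` as an in/out argument: NULL gets a fresh URI, anything else goes straight to `p11_kit_uri_parse`, so a caller that declares `struct p11_kit_uri *info;` without initialising it hands the parser an indeterminate pointer. Nothing in the hunk states that contract; a comment above the function such as `/* *info must be NULL (a URI is allocated here) or a URI from p11_kit_uri_new (); a URI allocated here is freed and *info reset to NULL on failure */` would make it checkable at call sites. In pkcs11_info_to_url the `switch (detailed)` has no `default`, so an out-of-range value formats with `type` left at 0; `default: return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST);` makes that case explicit.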
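Review bot: In gnutls_pkcs11_obj_init the new failure branch calls `free (*obj);` and returns with the caller's handle still holding the freed address. A caller that ignores the error, or that runs a common cleanup path calling gnutls_pkcs11_obj_deinit, would then touch freed memory. Add `*obj = NULL;` right after the `free (*obj);`. The function begins outside this hunk.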
@@ -988,64 +721,30 @@ gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t obj, return 0; } -static void -terminate_string (unsigned char *str, size_t len) -{ - unsigned char *ptr = str + len - 1; - - while ((*ptr == ' ' || *ptr == '\t' || *ptr == '\0') && ptr >= str) - ptr--; - - if (ptr == str - 1) - str[0] = '\0'; - else if (ptr == str + len - 1) - str[len - 1] = '\0'; - else - ptr[1] = '\0'; -} - int -pkcs11_find_object (pakchois_session_t ** _pks, +pkcs11_find_object (struct ck_function_list ** _module, + ck_session_handle_t * _pks, ck_object_handle_t * _obj, - struct pkcs11_url_info *info, unsigned int flags) + struct p11_kit_uri *info, unsigned int flags) { int ret; - pakchois_session_t *pks; + struct ck_function_list *module; + ck_session_handle_t pks; ck_object_handle_t obj; - ck_object_class_t class; - struct ck_attribute a[4]; - int a_vals = 0; + struct ck_attribute *attrs; + unsigned long attr_count; unsigned long count; ck_rv_t rv; - class = pkcs11_strtype_to_class (info->type); - if (class == -1) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = pkcs11_open_session (&pks, info, flags & SESSION_LOGIN); + ret = pkcs11_open_session (&module, &pks, info, flags & SESSION_LOGIN); if (ret < 0) { gnutls_assert (); return ret; } - a[a_vals].type = CKA_CLASS; - a[a_vals].value = &class; - a[a_vals].value_len = sizeof class; - a_vals++; - - if (info->certid_raw_size > 0) - { - a[a_vals].type = CKA_ID; - a[a_vals].value = info->certid_raw; - a[a_vals].value_len = info->certid_raw_size; - a_vals++; - } - - rv = pakchois_find_objects_init (pks, a, a_vals); + attrs = p11_kit_uri_get_attributes (info, &attr_count); + rv = pkcs11_find_objects_init (module, pks, attrs, attr_count); if (rv != CKR_OK) { gnutls_assert (); 
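Review bot: pkcs11_find_object now passes whatever `p11_kit_uri_get_attributes (info, &attr_count)` returns straight to `pkcs11_find_objects_init`, so the old rejection of a URL without a usable object type (`GNUTLS_E_INVALID_REQUEST`) is gone. If the URI carries no object attributes, the template is empty and the first object the token enumerates is returned to the caller as the match. A guard such as `if (attrs == NULL || attr_count == 0) return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST);` before the session is opened would keep the lookup tied to what the URL actually names. The rest of the function body continues in the next hunk.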
@@ -1054,38 +753,26 @@ pkcs11_find_object (pakchois_session_t ** _pks, goto fail; } - if (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1) + if (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1) { *_obj = obj; *_pks = pks; - pakchois_find_objects_final (pks); + *_module = module; + pkcs11_find_objects_final (module, pks); return 0; } ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - pakchois_find_objects_final (pks); + pkcs11_find_objects_final (module, pks); fail: - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; } -static void -fix_strings (struct token_info *info) -{ - terminate_string (info->tinfo.manufacturer_id, - sizeof info->tinfo.manufacturer_id); - terminate_string (info->tinfo.label, sizeof info->tinfo.label); - terminate_string (info->tinfo.model, sizeof info->tinfo.model); - terminate_string (info->tinfo.serial_number, - sizeof info->tinfo.serial_number); - terminate_string (info->sinfo.slot_description, - sizeof info->sinfo.slot_description); -} - int -pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot, - struct pkcs11_url_info *info, struct token_info *_tinfo) +pkcs11_find_slot (struct ck_function_list ** module, ck_slot_id_t * slot, + struct p11_kit_uri *info, struct token_info *_tinfo) { int x, z; @@ -1095,7 +782,7 @@ pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot, { struct token_info tinfo; - if (pakchois_get_token_info + if (pkcs11_get_token_info (providers[x].module, providers[x].slots[z], &tinfo.tinfo) != CKR_OK) { 
@@ -1104,18 +791,15 @@ pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot, tinfo.sid = providers[x].slots[z]; tinfo.prov = &providers[x]; - if (pakchois_get_slot_info + if (pkcs11_get_slot_info (providers[x].module, providers[x].slots[z], &tinfo.sinfo) != CKR_OK) { continue; } - /* XXX make wrapper for token_info? */ - fix_strings (&tinfo); - - if (pkcs11_token_matches_info (info, &tinfo.tinfo, - &providers[x].info) < 0) + if (!p11_kit_uri_match_token_info (info, &tinfo.tinfo) || + !p11_kit_uri_match_module_info (info, &providers[x].info)) { continue; } @@ -1136,13 +820,13 @@ pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot, } int -pkcs11_open_session (pakchois_session_t ** _pks, - struct pkcs11_url_info *info, unsigned int flags) +pkcs11_open_session (struct ck_function_list ** _module, ck_session_handle_t * _pks, + struct p11_kit_uri *info, unsigned int flags) { ck_rv_t rv; int ret; - pakchois_session_t *pks = NULL; - pakchois_module_t *module; + ck_session_handle_t pks = 0; + struct ck_function_list *module; ck_slot_id_t slot; struct token_info tinfo; @@ -1153,8 +837,7 @@ pkcs11_open_session (pakchois_session_t ** _pks, return ret; } - rv = pakchois_open_session (module, - slot, + rv = (module)->C_OpenSession (slot, ((flags & SESSION_WRITE) ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, NULL, NULL, &pks); @@ -1166,17 +849,18 @@ pkcs11_open_session (pakchois_session_t ** _pks, if (flags & SESSION_LOGIN) { - ret = pkcs11_login (pks, &tinfo, (flags & SESSION_SO) ? 1 : 0); + ret = pkcs11_login (module, pks, &tinfo, (flags & SESSION_SO) ? 1 : 0); if (ret < 0) { gnutls_assert (); - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; } } /* ok found */ *_pks = pks; + *_module = module; return 0; } 
@@ -1187,18 +871,19 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input, { ck_rv_t rv; int found = 0, x, z, ret; - pakchois_session_t *pks = NULL; + ck_session_handle_t pks = 0; + struct ck_function_list *module = NULL; for (x = 0; x < active_providers; x++) { + module = providers[x].module; for (z = 0; z < providers[x].nslots; z++) { struct token_info info; ret = GNUTLS_E_PKCS11_ERROR; - if (pakchois_get_token_info - (providers[x].module, providers[x].slots[z], + if (pkcs11_get_token_info (module, providers[x].slots[z], &info.tinfo) != CKR_OK) { continue; @@ -1206,21 +891,16 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input, info.sid = providers[x].slots[z]; info.prov = &providers[x]; - if (pakchois_get_slot_info - (providers[x].module, providers[x].slots[z], + if (pkcs11_get_slot_info (module, providers[x].slots[z], &info.sinfo) != CKR_OK) { continue; } - /* XXX make wrapper for token_info? */ - fix_strings (&info); - - rv = pakchois_open_session (providers[x].module, - providers[x].slots[z], - ((flags & SESSION_WRITE) - ? CKF_RW_SESSION : 0) | - CKF_SERIAL_SESSION, NULL, NULL, &pks); + rv = (module)->C_OpenSession (providers[x].slots[z], + ((flags & SESSION_WRITE) + ? CKF_RW_SESSION : 0) | + CKF_SERIAL_SESSION, NULL, NULL, &pks); if (rv != CKR_OK) { continue; @@ -1228,7 +908,7 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input, if (flags & SESSION_LOGIN) { - ret = pkcs11_login (pks, &info, (flags & SESSION_SO) ? 1 : 0); + ret = pkcs11_login (module, pks, &info, (flags & SESSION_SO) ? 1 : 0); if (ret < 0) { gnutls_assert (); @@ -1236,7 +916,7 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input, } } - ret = find_func (pks, &info, &providers[x].info, input); + ret = find_func (module, pks, &info, &providers[x].info, input); if (ret == 0) { 
@@ -1245,8 +925,8 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input, } else { - pakchois_close_session (pks); - pks = NULL; + pkcs11_close_session (module, pks); + pks = 0; } } } @@ -1256,52 +936,34 @@ finish: if (found == 0) { - ret = find_func (pks, NULL, NULL, input); + if (module) + ret = find_func (module, pks, NULL, NULL, input); + else + ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); } else { ret = 0; } - if (pks != NULL) + if (pks != 0 && module != NULL) { - pakchois_close_session (pks); + pkcs11_close_session (module, pks); } return ret; } -static const char * -pkcs11_obj_type_to_str (gnutls_pkcs11_obj_type_t type) -{ - switch (type) - { - case GNUTLS_PKCS11_OBJ_X509_CRT: - return "cert"; - case GNUTLS_PKCS11_OBJ_PUBKEY: - return "public"; - case GNUTLS_PKCS11_OBJ_PRIVKEY: - return "private"; - case GNUTLS_PKCS11_OBJ_SECRET_KEY: - return "secretkey"; - case GNUTLS_PKCS11_OBJ_DATA: - return "data"; - case GNUTLS_PKCS11_OBJ_UNKNOWN: - default: - return "unknown"; - } -} - /* imports a raw certificate from a token to a pkcs11_obj_t structure. */ static int -pkcs11_obj_import (unsigned int class, gnutls_pkcs11_obj_t obj, +pkcs11_obj_import (ck_object_class_t class, gnutls_pkcs11_obj_t obj, const gnutls_datum_t * data, const gnutls_datum_t * id, const gnutls_datum_t * label, struct ck_token_info *tinfo, struct ck_info *lib_info) { - char *s; + struct ck_attribute attr; int ret; switch (class) @@ -1325,8 +987,15 @@ pkcs11_obj_import (unsigned int class, gnutls_pkcs11_obj_t obj, obj->type = GNUTLS_PKCS11_OBJ_UNKNOWN; } - if (obj->type != GNUTLS_PKCS11_OBJ_UNKNOWN) - _gnutls_str_cpy (obj->info.type, sizeof(obj->info.type), pkcs11_obj_type_to_str (obj->type)); + attr.type = CKA_CLASS; + attr.value = &class; + attr.value_len = sizeof (class); + ret = p11_kit_uri_set_attribute (obj->info, &attr); + if (ret < 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } if (data && data->data) { 
@@ -1338,54 +1007,42 @@ pkcs11_obj_import (unsigned int class, gnutls_pkcs11_obj_t obj, } } - terminate_string (tinfo->manufacturer_id, sizeof tinfo->manufacturer_id); - terminate_string (tinfo->label, sizeof tinfo->label); - terminate_string (tinfo->model, sizeof tinfo->model); - terminate_string (tinfo->serial_number, sizeof tinfo->serial_number); - - /* write data */ - snprintf (obj->info.manufacturer, sizeof (obj->info.manufacturer), - "%s", tinfo->manufacturer_id); - snprintf (obj->info.token, sizeof (obj->info.token), "%s", tinfo->label); - snprintf (obj->info.model, sizeof (obj->info.model), "%s", tinfo->model); - snprintf (obj->info.serial, sizeof (obj->info.serial), "%s", - tinfo->serial_number); - - snprintf (obj->info.lib_manufacturer, sizeof (obj->info.lib_manufacturer), - "%s", lib_info->manufacturer_id); - snprintf (obj->info.lib_desc, sizeof (obj->info.lib_desc), "%s", - lib_info->library_description); - snprintf (obj->info.lib_version, sizeof (obj->info.lib_version), "%u.%u", - (unsigned int) lib_info->library_version.major, - (unsigned int) lib_info->library_version.minor); - - + /* copy the token and library info into the uri */ + memcpy (p11_kit_uri_get_token_info (obj->info), tinfo, sizeof (struct ck_token_info)); + memcpy (p11_kit_uri_get_module_info (obj->info), lib_info, sizeof (struct ck_info)); if (label && label->data) { - memcpy (obj->info.label, label->data, label->size); - obj->info.label[label->size] = 0; + attr.type = CKA_LABEL; + attr.value = label->data; + attr.value_len = label->size; + ret = p11_kit_uri_set_attribute (obj->info, &attr); + if (ret < 0) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } } if (id && id->data) { - s = _gnutls_bin2hex (id->data, id->size, obj->info.id, - sizeof (obj->info.id), ":"); - if (s == NULL) + attr.type = CKA_ID; + attr.value = id->data; + attr.value_len = id->size; + ret = p11_kit_uri_set_attribute (obj->info, &attr); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_PKCS11_ERROR; 
+ return GNUTLS_E_MEMORY_ERROR; } - - memmove (obj->info.certid_raw, id->data, id->size); - obj->info.certid_raw_size = id->size; } return 0; } static int -pkcs11_obj_import_pubkey (pakchois_session_t * pks, +pkcs11_obj_import_pubkey (struct ck_function_list *module, + ck_session_handle_t pks, ck_object_handle_t obj, gnutls_pkcs11_obj_t crt, const gnutls_datum_t * id, @@ -1405,7 +1062,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks, a[0].value = &key_type; a[0].value_len = sizeof (key_type); - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { switch (key_type) { @@ -1417,7 +1074,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks, a[1].value = tmp2; a[1].value_len = sizeof (tmp2); - if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK) { ret = @@ -1452,7 +1109,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks, a[1].value = tmp2; a[1].value_len = sizeof (tmp2); - if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK) { ret = _gnutls_set_datum (&crt->pubkey[0], @@ -1484,7 +1141,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks, a[1].value = tmp2; a[1].value_len = sizeof (tmp2); - if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK) { ret = _gnutls_set_datum (&crt->pubkey[2], @@ -1523,7 +1180,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks, a[0].value = &tval; a[0].value_len = sizeof (tval); - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { if (tval != 0) { 
@@ -1535,7 +1192,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks, a[0].value = &tval; a[0].value_len = sizeof (tval); - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { if (tval != 0) { @@ -1549,7 +1206,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks, a[0].value = &tval; a[0].value_len = sizeof (tval); - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { if (tval != 0) { @@ -1563,7 +1220,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks, a[0].value = &tval; a[0].value_len = sizeof (tval); - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { if (tval != 0) { @@ -1575,7 +1232,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks, a[0].value = &tval; a[0].value_len = sizeof (tval); - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { if (tval != 0) { 
@@ -1587,46 +1244,13 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks, tinfo, lib_info); } -ck_object_class_t -pkcs11_strtype_to_class (const char *type) -{ - ck_object_class_t class; - - if (strcmp (type, "cert") == 0) - { - class = CKO_CERTIFICATE; - } - else if (strcmp (type, "public") == 0) - { - class = CKO_PUBLIC_KEY; - } - else if (strcmp (type, "private") == 0) - { - class = CKO_PRIVATE_KEY; - } - else if (strcmp (type, "secretkey") == 0) - { - class = CKO_SECRET_KEY; - } - else if (strcmp (type, "data") == 0) - { - class = CKO_DATA; - } - else - { - class = -1; - } - - return class; -} - - static int -find_obj_url (pakchois_session_t * pks, struct token_info *info, - struct ck_info *lib_info, void *input) +find_obj_url (struct ck_function_list *module, ck_session_handle_t pks, + struct token_info *info, struct ck_info *lib_info, void *input) { struct url_find_data_st *find_data = input; struct ck_attribute a[4]; + struct ck_attribute *attr; ck_object_class_t class = -1; ck_certificate_type_t type = -1; ck_rv_t rv; @@ -1644,24 +1268,18 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info, /* do not bother reading the token if basic fields do not match */ - if (pkcs11_token_matches_info - (&find_data->crt->info, &info->tinfo, lib_info) < 0) + if (!p11_kit_uri_match_token_info (find_data->crt->info, &info->tinfo) || + !p11_kit_uri_match_module_info (find_data->crt->info, lib_info)) { gnutls_assert (); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - if (find_data->crt->info.type[0] != 0) + attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_ID); + if (attr == NULL) { - class = pkcs11_strtype_to_class (find_data->crt->info.type); - if (class == CKO_CERTIFICATE) - type = CKC_X_509; - - if (class == -1) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; } /* search the token for the id */ 
@@ -1674,18 +1292,17 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info, } /* Find objects with given class and type */ - - a[0].type = CKA_ID; - a[0].value = find_data->crt->info.certid_raw; - a[0].value_len = find_data->crt->info.certid_raw_size; - + memcpy (a, attr, sizeof (struct ck_attribute)); a_vals = 1; - if (class != -1) + attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_CLASS); + if (attr) { - a[a_vals].type = CKA_CLASS; - a[a_vals].value = &class; - a[a_vals].value_len = sizeof class; + if(attr->value && attr->value_len == sizeof (ck_object_class_t)) + class = *((ck_object_class_t*)attr->value); + if (class == CKO_CERTIFICATE) + type = CKC_X_509; + memcpy (a + a_vals, attr, sizeof (struct ck_attribute)); a_vals++; } @@ -1697,7 +1314,7 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info, a_vals++; } - rv = pakchois_find_objects_init (pks, a, a_vals); + rv = pkcs11_find_objects_init (module, pks, a, a_vals); if (rv != CKR_OK) { gnutls_assert (); @@ -1706,7 +1323,7 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info, goto cleanup; } - while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1) + while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1) { a[0].type = CKA_VALUE; 
@@ -1716,18 +1333,20 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info, a[1].value = label_tmp; a[1].value_len = sizeof (label_tmp); - if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK) { - gnutls_datum_t id = { find_data->crt->info.certid_raw, - find_data->crt->info.certid_raw_size - }; + gnutls_datum_t id; gnutls_datum_t data = { a[0].value, a[0].value_len }; gnutls_datum_t label = { a[1].value, a[1].value_len }; + attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_ID); + id.data = attr->value; + id.size = attr->value_len; + if (class == CKO_PUBLIC_KEY) { ret = - pkcs11_obj_import_pubkey (pks, obj, + pkcs11_obj_import_pubkey (module, pks, obj, find_data->crt, &id, &label, &info->tinfo, lib_info); @@ -1767,7 +1386,7 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info, cleanup: gnutls_free (cert_data); - pakchois_find_objects_final (pks); + pkcs11_find_objects_final (module, pks); return ret; } @@ -1829,13 +1448,14 @@ gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t cert, const char *url, struct token_num { - struct pkcs11_url_info info; + struct p11_kit_uri *info; unsigned int seq; /* which one we are looking for */ unsigned int current; /* which one are we now */ }; static int -find_token_num (pakchois_session_t * pks, +find_token_num (struct ck_function_list *module, + ck_session_handle_t pks, struct token_info *tinfo, struct ck_info *lib_info, void *input) { 
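Review bot: `id.data = attr->value` makes `id` point at storage owned by `find_data->crt->info`, and that `id` is then passed to pkcs11_obj_import_pubkey with `find_data->crt` as the target (and presumably to pkcs11_obj_import in the branch outside the hunk). pkcs11_obj_import in this commit calls `p11_kit_uri_set_attribute (obj->info, &attr)` for CKA_ID with `attr.value = id->data`, i.e. it replaces an attribute with a pointer into that same attribute. That is only safe if p11-kit copies the new value before releasing the old one, which cannot be confirmed from this page. Copying the id into a local buffer first, or skipping the CKA_ID update when the id came from the URI, removes that dependence. `attr` is also dereferenced here without a NULL check, relying on the check made earlier in the function.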
@@ -1849,18 +1469,8 @@ find_token_num (pakchois_session_t * pks, if (find_data->current == find_data->seq) { - _gnutls_str_cpy (find_data->info.manufacturer, sizeof(find_data->info.manufacturer), tinfo->tinfo.manufacturer_id); - _gnutls_str_cpy (find_data->info.token, sizeof(find_data->info.token), tinfo->tinfo.label); - _gnutls_str_cpy (find_data->info.model, sizeof(find_data->info.model), tinfo->tinfo.model); - _gnutls_str_cpy (find_data->info.serial, sizeof(find_data->info.serial), tinfo->tinfo.serial_number); - - _gnutls_str_cpy (find_data->info.lib_manufacturer, sizeof(find_data->info.lib_manufacturer), lib_info->manufacturer_id); - _gnutls_str_cpy (find_data->info.lib_desc, sizeof(find_data->info.lib_desc), lib_info->library_description); - snprintf (find_data->info.lib_version, - sizeof (find_data->info.lib_version), "%u.%u", - (unsigned int) lib_info->library_version.major, - (unsigned int) lib_info->library_version.minor); - + memcpy (p11_kit_uri_get_token_info (find_data->info), &tinfo->tinfo, sizeof (struct ck_token_info)); + memcpy (p11_kit_uri_get_module_info (find_data->info), lib_info, sizeof (struct ck_info)); return 0; } @@ -1893,15 +1503,19 @@ gnutls_pkcs11_token_get_url (unsigned int seq, memset (&tn, 0, sizeof (tn)); tn.seq = seq; + tn.info = p11_kit_uri_new (); ret = _pkcs11_traverse_tokens (find_token_num, &tn, 0); if (ret < 0) { + p11_kit_uri_free (tn.info); gnutls_assert (); return ret; } - ret = pkcs11_info_to_url (&tn.info, detailed, url); + ret = pkcs11_info_to_url (tn.info, detailed, url); + p11_kit_uri_free (tn.info); + if (ret < 0) { gnutls_assert (); @@ -1929,9 +1543,10 @@ gnutls_pkcs11_token_get_info (const char *url, gnutls_pkcs11_token_info_t ttype, void *output, size_t * output_size) { + struct p11_kit_uri *info = NULL; const char *str; + size_t str_max; size_t len; - struct pkcs11_url_info info; int ret; ret = pkcs11_url_to_info (url, &info); 
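Review bot: In gnutls_pkcs11_token_get_url the result of `tn.info = p11_kit_uri_new ();` is never checked. find_token_num then does `memcpy (p11_kit_uri_get_token_info (find_data->info), ...)`, so an allocation failure turns into a write through an invalid pointer. gnutls_pkcs11_obj_init in this same commit already handles that case, and the same pattern fits here: `if (tn.info == NULL) return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);`. pkcs11_login has the same unchecked `uinfo = p11_kit_uri_new ();` followed by a memcpy, in the hunk at -2040.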
@@ -1944,23 +1559,28 @@ gnutls_pkcs11_token_get_info (const char *url, switch (ttype) { case GNUTLS_PKCS11_TOKEN_LABEL: - str = info.token; + str = p11_kit_uri_get_token_info (info)->label; + str_max = 32; break; case GNUTLS_PKCS11_TOKEN_SERIAL: - str = info.serial; + str = p11_kit_uri_get_token_info (info)->serial_number; + str_max = 16; break; case GNUTLS_PKCS11_TOKEN_MANUFACTURER: - str = info.manufacturer; + str = p11_kit_uri_get_token_info (info)->manufacturer_id; + str_max = 32; break; case GNUTLS_PKCS11_TOKEN_MODEL: - str = info.model; + str = p11_kit_uri_get_token_info (info)->model; + str_max = 16; break; default: + p11_kit_uri_free (info); gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; } - len = strlen (str); + len = p11_kit_space_strlen (str, str_max); if (len + 1 > *output_size) { @@ -1968,10 +1588,12 @@ gnutls_pkcs11_token_get_info (const char *url, return GNUTLS_E_SHORT_MEMORY_BUFFER; } - memcpy (output, str, len+1); + memcpy (output, str, len); + ((char*)output)[len] = '\0'; *output_size = len; + p11_kit_uri_free (info); return 0; } @@ -1992,7 +1614,7 @@ gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t obj, { int ret; - ret = pkcs11_info_to_url (&obj->info, detailed, url); + ret = pkcs11_info_to_url (obj->info, detailed, url); if (ret < 0) { gnutls_assert (); @@ -2024,14 +1646,15 @@ struct pkey_list }; int -pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so) +pkcs11_login (struct ck_function_list * module, ck_session_handle_t pks, + const struct token_info *info, int so) { int attempt = 0, ret; ck_rv_t rv; char *token_url; int pin_len; - struct pkcs11_url_info uinfo; - + struct p11_kit_uri *uinfo; + char *label; if (so == 0 && (info->tinfo.flags & CKF_LOGIN_REQUIRED) == 0) { 
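Review bot: gnutls_pkcs11_token_get_info now owns a heap-allocated `info`, but only the `default:` case and the success path release it. The `return GNUTLS_E_SHORT_MEMORY_BUFFER;` branch is unchanged context with no `p11_kit_uri_free (info);` in front of it, so every call with a too-small buffer appears to leak the parsed URI. One line between the two hunks is not shown, so this should be confirmed against the full file. Separately, the literal `str_max = 32` / `16` values would be safer as `sizeof` of the corresponding `struct ck_token_info` field, as is already done for `p11_kit_space_strdup (info->tinfo.label, sizeof (info->tinfo.label))` in pkcs11_login.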
@@ -2040,12 +1663,11 @@ pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so) return 0; } - memset (&uinfo, 0, sizeof (uinfo)); - _gnutls_str_cpy (uinfo.manufacturer, sizeof(uinfo.manufacturer), info->tinfo.manufacturer_id); - _gnutls_str_cpy (uinfo.token, sizeof(uinfo.token), info->tinfo.label); - _gnutls_str_cpy (uinfo.model, sizeof(uinfo.model), info->tinfo.model); - _gnutls_str_cpy (uinfo.serial, sizeof(uinfo.serial), info->tinfo.serial_number); - ret = pkcs11_info_to_url (&uinfo, 1, &token_url); + uinfo = p11_kit_uri_new (); + memcpy (p11_kit_uri_get_token_info (uinfo), &info->tinfo, sizeof (struct ck_token_info)); + ret = pkcs11_info_to_url (uinfo, 1, &token_url); + p11_kit_uri_free (uinfo); + if (ret < 0) { gnutls_assert (); @@ -2057,7 +1679,7 @@ pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so) * required. */ if (info->tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { - rv = pakchois_login (pks, (so == 0) ? CKU_USER : CKU_SO, NULL, 0); + rv = (module)->C_Login (pks, (so == 0) ? CKU_USER : CKU_SO, NULL, 0); if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN) { return 0; @@ -2093,7 +1715,7 @@ pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so) * status again, the flags might change. */ if (attempt) { - if (pakchois_get_token_info + if (pkcs11_get_token_info (info->prov->module, info->sid, &tinfo) != CKR_OK) { gnutls_assert (); @@ -2121,9 +1743,11 @@ pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so) flags |= GNUTLS_PKCS11_PIN_FINAL_TRY; } + label = p11_kit_space_strdup (info->tinfo.label, sizeof (info->tinfo.label)); ret = pin_func (pin_data, attempt++, - (char *) token_url, - (char *) info->tinfo.label, flags, pin, sizeof (pin)); + (char *) token_url, label, flags, pin, sizeof (pin)); + free (label); + if (ret < 0) { gnutls_assert (); 
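Review bot: In the hunk at -2121 the result of `label = p11_kit_space_strdup (...)` is handed to `pin_func` without a NULL check, so on allocation failure the application's PIN callback receives a NULL token label where it previously always got a string. A check such as `if (label == NULL) { ret = GNUTLS_E_MEMORY_ERROR; goto cleanup; }` before the call avoids that, assuming the `cleanup:` label shown in a later hunk covers this path. pkcs11_call_token_func, added in the hunk at -2152, passes an unchecked `p11_kit_space_strdup` result to `token_func` in the same way. The loop this code sits in starts and ends outside the hunk.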
@@ -2132,7 +1756,7 @@ pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so) } pin_len = strlen (pin); - rv = pakchois_login (pks, (so == 0) ? CKU_USER : CKU_SO, + rv = (module)->C_Login (pks, (so == 0) ? CKU_USER : CKU_SO, (unsigned char *) pin, pin_len); /* Try to scrub the pin off the stack. Clever compilers will @@ -2152,9 +1776,25 @@ cleanup: return ret; } +int +pkcs11_call_token_func (struct p11_kit_uri *info, const unsigned retry) +{ + struct ck_token_info *tinfo; + char *label; + int ret = 0; + + tinfo = p11_kit_uri_get_token_info (info); + label = p11_kit_space_strdup (tinfo->label, sizeof (tinfo->label)); + ret = (token_func) (token_data, label, retry); + free (label); + + return ret; +} + + static int -find_privkeys (pakchois_session_t * pks, struct token_info *info, - struct pkey_list *list) +find_privkeys (struct ck_function_list *module, ck_session_handle_t pks, + struct token_info *info, struct pkey_list *list) { struct ck_attribute a[3]; ck_object_class_t class; @@ -2172,7 +1812,7 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info, a[0].value = &class; a[0].value_len = sizeof class; - rv = pakchois_find_objects_init (pks, a, 1); + rv = pkcs11_find_objects_init (module, pks, a, 1); if (rv != CKR_OK) { gnutls_assert (); @@ -2180,12 +1820,12 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info, } list->key_ids_size = 0; - while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1) + while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1) { list->key_ids_size++; } - pakchois_find_objects_final (pks); + pkcs11_find_objects_final (module, pks); if (list->key_ids_size == 0) { @@ -2206,7 +1846,7 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info, a[0].value = &class; a[0].value_len = sizeof class; - rv = pakchois_find_objects_init (pks, a, 1); + rv = pkcs11_find_objects_init (module, pks, a, 1); if (rv != CKR_OK) { gnutls_assert (); 
@@ -2214,7 +1854,7 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info, } current = 0; - while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1) + while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1) { a[0].type = CKA_ID; @@ -2223,7 +1863,7 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info, _gnutls_buffer_init (&list->key_ids[current]); - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { _gnutls_buffer_append_data (&list->key_ids[current], a[0].value, a[0].value_len); @@ -2234,7 +1874,7 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info, break; } - pakchois_find_objects_final (pks); + pkcs11_find_objects_final (module, pks); list->key_ids_size = current - 1; @@ -2245,11 +1885,12 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info, static int -find_objs (pakchois_session_t * pks, struct token_info *info, - struct ck_info *lib_info, void *input) +find_objs (struct ck_function_list * module, ck_session_handle_t pks, + struct token_info *info, struct ck_info *lib_info, void *input) { struct crt_find_data_st *find_data = input; struct ck_attribute a[4]; + struct ck_attribute *attr; ck_object_class_t class = -1; ck_certificate_type_t type = -1; unsigned int trusted; 
@@ -2277,34 +1918,18 @@ find_objs (pakchois_session_t * pks, struct token_info *info, /* do not bother reading the token if basic fields do not match */ - if (pkcs11_token_matches_info (&find_data->info, &info->tinfo, lib_info) < - 0) + if (!p11_kit_uri_match_token_info (find_data->info, &info->tinfo) || + !p11_kit_uri_match_module_info (find_data->info, lib_info)) { gnutls_assert (); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - if (find_data->info.type[0] != 0) - { - class = pkcs11_strtype_to_class (find_data->info.type); - if (class == CKO_CERTIFICATE) - type = CKC_X_509; - else - type = -1; - - if (class == -1) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - } - - memset (&plist, 0, sizeof (plist)); if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) { - ret = find_privkeys (pks, info, &plist); + ret = find_privkeys (module, pks, info, &plist); if (ret < 0) { gnutls_assert (); @@ -2406,15 +2031,14 @@ find_objs (pakchois_session_t * pks, struct token_info *info, goto fail; } - if (find_data->info.certid_raw_size != 0) + attr = p11_kit_uri_get_attribute (find_data->info, CKA_ID); + if (attr != NULL) { - a[tot_values].type = CKA_ID; - a[tot_values].value = find_data->info.certid_raw; - a[tot_values].value_len = find_data->info.certid_raw_size; + memcpy (a + tot_values, attr, sizeof (struct ck_attribute)); tot_values++; } - rv = pakchois_find_objects_init (pks, a, tot_values); + rv = pkcs11_find_objects_init (module, pks, a, tot_values); if (rv != CKR_OK) { gnutls_assert (); @@ -2422,7 +2046,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info, return pkcs11_rv_to_err (rv); } - while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1) + while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1) { gnutls_datum_t label, id, value; 
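Review bot: After this hunk find_objs no longer derives `class` and `type` from the URL. The block that did so is removed without a replacement, and the only URI attribute read later (hunk at -2406) is CKA_ID. Unless code outside the hunks sets them from `find_data->flags`, a URL that names an object type would now match objects of every class on the token. find_obj_url in this commit does honour the type via `p11_kit_uri_get_attribute (find_data->crt->info, CKA_CLASS)`, and the same lookup would fit here for consistency. The function body starts and ends outside the hunk.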
@@ -2430,7 +2054,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info, a[0].value = label_tmp; a[0].value_len = sizeof label_tmp; - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { label.data = a[0].value; label.size = a[0].value_len; @@ -2445,7 +2069,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info, a[0].value = certid_tmp; a[0].value_len = sizeof certid_tmp; - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { id.data = a[0].value; id.size = a[0].value_len; @@ -2459,7 +2083,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info, a[0].type = CKA_VALUE; a[0].value = cert_data; a[0].value_len = MAX_CERT_SIZE; - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { value.data = a[0].value; value.size = a[0].value_len; @@ -2476,7 +2100,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info, a[0].value = &class; a[0].value_len = sizeof class; - pakchois_get_attribute_value (pks, obj, a, 1); + pkcs11_get_attribute_value (module, pks, obj, a, 1); } if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) @@ -2507,7 +2131,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info, if (class == CKO_PUBLIC_KEY) { ret = - pkcs11_obj_import_pubkey (pks, obj, + pkcs11_obj_import_pubkey (module, pks, obj, find_data->p_list [find_data->current], &id, &label, 
@@ -2534,13 +2158,13 @@ find_objs (pakchois_session_t * pks, struct token_info *info, } gnutls_free (cert_data); - pakchois_find_objects_final (pks); + pkcs11_find_objects_final (module, pks); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; /* continue until all tokens have been checked */ fail: gnutls_free (cert_data); - pakchois_find_objects_final (pks); + pkcs11_find_objects_final (module, pks); if (plist.key_ids != NULL) { for (i = 0; i < plist.key_ids_size; i++) @@ -2582,6 +2206,8 @@ gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t * p_list, int ret; struct crt_find_data_st find_data; + memset (&find_data, 0, sizeof (find_data)); + /* fill in the find data structure */ find_data.p_list = p_list; find_data.n_list = n_list; @@ -2603,6 +2229,8 @@ gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t * p_list, ret = _pkcs11_traverse_tokens (find_objs, &find_data, pkcs11_obj_flags_to_int (flags)); + p11_kit_uri_free (find_data.info); + if (ret < 0) { gnutls_assert (); @@ -2731,8 +2359,8 @@ cleanup: } static int -find_flags (pakchois_session_t * pks, struct token_info *info, - struct ck_info *lib_info, void *input) +find_flags (struct ck_function_list * module, ck_session_handle_t pks, + struct token_info *info, struct ck_info *lib_info, void *input) { struct flags_find_data_st *find_data = input; @@ -2744,8 +2372,8 @@ find_flags (pakchois_session_t * pks, struct token_info *info, /* do not bother reading the token if basic fields do not match */ - if (pkcs11_token_matches_info (&find_data->info, &info->tinfo, lib_info) < - 0) + if (!p11_kit_uri_match_token_info (find_data->info, &info->tinfo) || + !p11_kit_uri_match_module_info (find_data->info, lib_info)) { gnutls_assert (); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; 
@@ -2773,6 +2401,7 @@ gnutls_pkcs11_token_get_flags (const char *url, unsigned int *flags) struct flags_find_data_st find_data; int ret; + memset (&find_data, 0, sizeof (find_data)); ret = pkcs11_url_to_info (url, &find_data.info); if (ret < 0) { @@ -2781,6 +2410,8 @@ gnutls_pkcs11_token_get_flags (const char *url, unsigned int *flags) } ret = _pkcs11_traverse_tokens (find_flags, &find_data, 0); + p11_kit_uri_free (find_data.info); + if (ret < 0) { gnutls_assert (); @@ -2814,10 +2445,10 @@ gnutls_pkcs11_token_get_mechanism (const char *url, int idx, { int ret; ck_rv_t rv; - pakchois_module_t *module; + struct ck_function_list *module; ck_slot_id_t slot; struct token_info tinfo; - struct pkcs11_url_info info; + struct p11_kit_uri *info = NULL; unsigned long count; ck_mechanism_type_t mlist[400]; @@ -2829,7 +2460,9 @@ gnutls_pkcs11_token_get_mechanism (const char *url, int idx, } - ret = pkcs11_find_slot (&module, &slot, &info, &tinfo); + ret = pkcs11_find_slot (&module, &slot, info, &tinfo); + p11_kit_uri_free (info); + if (ret < 0) { gnutls_assert (); @@ -2837,7 +2470,7 @@ gnutls_pkcs11_token_get_mechanism (const char *url, int idx, } count = sizeof (mlist) / sizeof (mlist[0]); - rv = pakchois_get_mechanism_list (module, slot, mlist, &count); + rv = pkcs11_get_mechanism_list (module, slot, mlist, &count); if (rv != CKR_OK) { gnutls_assert (); 
@@ -2878,57 +2511,176 @@ gnutls_pkcs11_type_get_name (gnutls_pkcs11_obj_type_t type) } } -int -pkcs11_token_matches_info (struct pkcs11_url_info *info, - struct ck_token_info *tinfo, - struct ck_info *lib_info) +ck_rv_t +pkcs11_get_slot_list (struct ck_function_list * module, unsigned char token_present, + ck_slot_id_t *slot_list, unsigned long *count) { - if (info->manufacturer[0] != 0) - { - if (strcmp (info->manufacturer, tinfo->manufacturer_id) != 0) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + return (module)->C_GetSlotList (token_present, slot_list, count); +} - if (info->token[0] != 0) - { - if (strcmp (info->token, tinfo->label) != 0) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } +ck_rv_t +pkcs11_get_module_info (struct ck_function_list * module, + struct ck_info * info) +{ + return (module)->C_GetInfo (info); +} - if (info->model[0] != 0) - { - if (strcmp (info->model, tinfo->model) != 0) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } +ck_rv_t +pkcs11_get_slot_info(struct ck_function_list * module, + ck_slot_id_t slot_id, + struct ck_slot_info *info) +{ + return (module)->C_GetSlotInfo (slot_id, info); +} - if (info->serial[0] != 0) - { - if (strcmp (info->serial, tinfo->serial_number) != 0) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } +ck_rv_t +pkcs11_get_token_info (struct ck_function_list * module, + ck_slot_id_t slot_id, + struct ck_token_info *info) +{ + return (module)->C_GetTokenInfo (slot_id, info); +} - if (info->lib_manufacturer[0] != 0) - { - if (strcmp (info->lib_manufacturer, lib_info->manufacturer_id) != 0) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } +ck_rv_t +pkcs11_find_objects_init (struct ck_function_list *module, + ck_session_handle_t sess, + struct ck_attribute *templ, + unsigned long count) +{ + return (module)->C_FindObjectsInit (sess, templ, count); +} - if (info->lib_desc[0] != 0) - { - if (strcmp (info->lib_desc, lib_info->library_description) != 0) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; 
- } +ck_rv_t +pkcs11_find_objects (struct ck_function_list *module, + ck_session_handle_t sess, + ck_object_handle_t *objects, + unsigned long max_object_count, + unsigned long *object_count) +{ + return (module)->C_FindObjects (sess, objects, max_object_count, object_count); +} - if (info->lib_version[0] != 0) - { - char version[16]; +ck_rv_t +pkcs11_find_objects_final (struct ck_function_list *module, + ck_session_handle_t sess) +{ + return (module)->C_FindObjectsFinal (sess); +} - snprintf (version, sizeof (version), "%u.%u", - (unsigned int) lib_info->library_version.major, - (unsigned int) lib_info->library_version.minor); - if (strcmp (info->lib_version, version) != 0) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } +ck_rv_t +pkcs11_close_session (struct ck_function_list *module, + ck_session_handle_t sess) +{ + return (module)->C_CloseSession (sess); +} - return 0; +ck_rv_t +pkcs11_get_attribute_value(struct ck_function_list *module, + ck_session_handle_t sess, + ck_object_handle_t object, + struct ck_attribute *templ, + unsigned long count) +{ + return (module)->C_GetAttributeValue (sess, object, templ, count); +} + +ck_rv_t +pkcs11_get_mechanism_list (struct ck_function_list *module, + ck_slot_id_t slot_id, + ck_mechanism_type_t *mechanism_list, + unsigned long *count) +{ + return (module)->C_GetMechanismList (slot_id, mechanism_list, count); +} + +ck_rv_t +pkcs11_sign_init (struct ck_function_list *module, + ck_session_handle_t sess, + struct ck_mechanism *mechanism, + ck_object_handle_t key) +{ + return (module)->C_SignInit (sess, mechanism, key); +} + +ck_rv_t +pkcs11_sign (struct ck_function_list *module, + ck_session_handle_t sess, + unsigned char *data, + unsigned long data_len, + unsigned char *signature, + unsigned long *signature_len) +{ + return (module)->C_Sign (sess, data, data_len, signature, signature_len); +} + +ck_rv_t +pkcs11_decrypt_init (struct ck_function_list *module, + ck_session_handle_t sess, + struct ck_mechanism *mechanism, + 
ck_object_handle_t key) +{ + return (module)->C_DecryptInit (sess, mechanism, key); +} + +ck_rv_t +pkcs11_decrypt (struct ck_function_list *module, + ck_session_handle_t sess, + unsigned char *encrypted_data, + unsigned long encrypted_data_len, + unsigned char *data, unsigned long *data_len) +{ + return (module)->C_Decrypt (sess, encrypted_data, encrypted_data_len, + data, data_len); +} + +ck_rv_t +pkcs11_create_object (struct ck_function_list *module, + ck_session_handle_t sess, + struct ck_attribute *templ, + unsigned long count, + ck_object_handle_t *object) +{ + return (module)->C_CreateObject (sess, templ, count, object); +} + +ck_rv_t +pkcs11_destroy_object (struct ck_function_list *module, + ck_session_handle_t sess, + ck_object_handle_t object) +{ + return (module)->C_DestroyObject (sess, object); +} + +ck_rv_t +pkcs11_init_token (struct ck_function_list *module, + ck_slot_id_t slot_id, unsigned char *pin, + unsigned long pin_len, unsigned char *label) +{ + return (module)->C_InitToken (slot_id, pin, pin_len, label); +} + +ck_rv_t +pkcs11_init_pin (struct ck_function_list *module, + ck_session_handle_t sess, + unsigned char *pin, + unsigned long pin_len) +{ + return (module)->C_InitPIN (sess, pin, pin_len); +} + +ck_rv_t +pkcs11_set_pin (struct ck_function_list *module, + ck_session_handle_t sess, + unsigned char *old_pin, + unsigned long old_len, + unsigned char *new_pin, + unsigned long new_len) +{ + return (module)->C_SetPIN (sess, old_pin, old_len, new_pin, new_len); +} + +const char * +pkcs11_strerror (ck_rv_t rv) +{ + return p11_kit_strerror (rv); } diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h index 19cb1dfacd..d0c892c03d 100644 --- a/lib/pkcs11_int.h +++ b/lib/pkcs11_int.h 
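Review bot: None of the new wrappers, from `pkcs11_get_slot_list` through `pkcs11_set_pin`, documents or checks the `module` pointer it dereferences, and they are added as non-static functions without a single comment. A caller that reaches one of them with an unset function list crashes inside the wrapper rather than getting a `ck_rv_t`. A block comment above the group would state the contract, for example `/* Thin wrappers over the PKCS #11 function list; module must be a non-NULL, initialized list obtained from the provider. */`. The `(module)->` parentheses look like macro residue and can be plain `module->`.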
@@ -1,13 +1,19 @@ #ifndef PKCS11_INT_H #define PKCS11_INT_H -#include <pakchois/pakchois.h> +#ifdef ENABLE_PKCS11 + +#define CRYPTOKI_GNU +#include "pkcs11_spec.h" #include <gnutls/pkcs11.h> #include <x509/x509_int.h> #define PKCS11_ID_SIZE 128 #define PKCS11_LABEL_SIZE 128 +#define P11_KIT_API_SUBJECT_TO_CHANGE 1 +#include <p11-kit/uri.h> + struct token_info { struct ck_token_info tinfo; @@ -16,34 +22,11 @@ struct token_info struct gnutls_pkcs11_provider_s *prov; }; -struct pkcs11_url_info -{ - /* everything here is null terminated strings */ - opaque id[PKCS11_ID_SIZE * 3 + 1]; /* hex with delimiters */ - opaque type[16]; /* cert/key etc. */ - - opaque lib_manufacturer[sizeof - (((struct ck_info *) NULL)->manufacturer_id) + 1]; - opaque lib_desc[sizeof - (((struct ck_info *) NULL)->library_description) + 1]; - opaque lib_version[12]; - - opaque manufacturer[sizeof - (((struct ck_token_info *) NULL)->manufacturer_id) + 1]; - opaque token[sizeof (((struct ck_token_info *) NULL)->label) + 1]; - opaque serial[sizeof (((struct ck_token_info *) NULL)->serial_number) + 1]; - opaque model[sizeof (((struct ck_token_info *) NULL)->model) + 1]; - opaque label[PKCS11_LABEL_SIZE + 1]; - - opaque certid_raw[PKCS11_ID_SIZE]; /* same as ID but raw */ - size_t certid_raw_size; -}; - struct gnutls_pkcs11_obj_st { gnutls_datum_t raw; gnutls_pkcs11_obj_type_t type; - struct pkcs11_url_info info; + struct p11_kit_uri *info; /* only when pubkey */ gnutls_datum_t pubkey[MAX_PUBLIC_PARAMS_SIZE]; 
@@ -55,46 +38,50 @@ struct gnutls_pkcs11_obj_st * function. Once everything is traversed it is called with NULL tinfo. * It should return 0 if found what it was looking for. */ -typedef int (*find_func_t) (pakchois_session_t * pks, +typedef int (*find_func_t) (struct ck_function_list *module, + ck_session_handle_t pks, struct token_info * tinfo, struct ck_info *, void *input); int pkcs11_rv_to_err (ck_rv_t rv); -int pkcs11_url_to_info (const char *url, struct pkcs11_url_info *info); +int pkcs11_url_to_info (const char *url, struct p11_kit_uri **info); int -pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot, - struct pkcs11_url_info *info, struct token_info *_tinfo); +pkcs11_find_slot (struct ck_function_list ** module, ck_slot_id_t * slot, + struct p11_kit_uri *info, struct token_info *_tinfo); -int pkcs11_get_info (struct pkcs11_url_info *info, +int pkcs11_get_info (struct p11_kit_uri *info, gnutls_pkcs11_obj_info_t itype, void *output, size_t * output_size); -int pkcs11_login (pakchois_session_t * pks, +int pkcs11_login (struct ck_function_list * module, ck_session_handle_t pks, const struct token_info *info, int admin); +int pkcs11_call_token_func (struct p11_kit_uri *info, const unsigned retry); + extern gnutls_pkcs11_token_callback_t token_func; extern void *token_data; void pkcs11_rescan_slots (void); -int pkcs11_info_to_url (const struct pkcs11_url_info *info, +int pkcs11_info_to_url (struct p11_kit_uri *info, gnutls_pkcs11_url_type_t detailed, char **url); #define SESSION_WRITE (1<<0) #define SESSION_LOGIN (1<<1) #define SESSION_SO (1<<2) /* security officer session */ -int pkcs11_open_session (pakchois_session_t ** _pks, - struct pkcs11_url_info *info, unsigned int flags); +int pkcs11_open_session (struct ck_function_list **_module, ck_session_handle_t * _pks, + struct p11_kit_uri *info, unsigned int flags); int _pkcs11_traverse_tokens (find_func_t find_func, void *input, unsigned int flags); ck_object_class_t pkcs11_strtype_to_class (const 
char *type); -int pkcs11_token_matches_info (struct pkcs11_url_info *info, +int pkcs11_token_matches_info (struct p11_kit_uri *info, struct ck_token_info *tinfo, struct ck_info *lib_info); /* flags are SESSION_* */ -int pkcs11_find_object (pakchois_session_t ** _pks, +int pkcs11_find_object (struct ck_function_list ** _module, + ck_session_handle_t * _pks, ck_object_handle_t * _obj, - struct pkcs11_url_info *info, unsigned int flags); + struct p11_kit_uri *info, unsigned int flags); unsigned int pkcs11_obj_flags_to_int (unsigned int flags); 
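Review bot: The prototype `int pkcs11_token_matches_info (struct p11_kit_uri *info, ...)` is retyped here, but the same commit deletes the function body from lib/pkcs11.c. The callers visible in this diff (find_flags, delete_obj_url) now use `p11_kit_uri_match_token_info` and `p11_kit_uri_match_module_info` instead. Unless a definition survives somewhere outside the visible hunks, this leaves a declaration with no implementation, and a future caller would compile cleanly and fail only at link time. Dropping the prototype is safer than updating its parameter type.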
@@ -109,4 +96,121 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, const gnutls_datum_t * ciphertext, gnutls_datum_t * plaintext); +ck_rv_t +pkcs11_get_slot_list (struct ck_function_list * module, + unsigned char token_present, + ck_slot_id_t *slot_list, + unsigned long *count); + +ck_rv_t +pkcs11_get_module_info (struct ck_function_list * module, + struct ck_info * info); + +ck_rv_t +pkcs11_get_slot_info(struct ck_function_list * module, + ck_slot_id_t slot_id, + struct ck_slot_info *info); + +ck_rv_t +pkcs11_get_token_info (struct ck_function_list * module, + ck_slot_id_t slot_id, + struct ck_token_info *info); + +ck_rv_t +pkcs11_find_objects_init (struct ck_function_list *module, + ck_session_handle_t sess, + struct ck_attribute *templ, + unsigned long count); + +ck_rv_t +pkcs11_find_objects (struct ck_function_list *module, + ck_session_handle_t sess, + ck_object_handle_t *objects, + unsigned long max_object_count, + unsigned long *object_count); + +ck_rv_t +pkcs11_find_objects_final (struct ck_function_list *module, + ck_session_handle_t sess); + +ck_rv_t +pkcs11_close_session (struct ck_function_list *module, + ck_session_handle_t sess); + +ck_rv_t +pkcs11_get_attribute_value(struct ck_function_list *module, + ck_session_handle_t sess, + ck_object_handle_t object, + struct ck_attribute *templ, + unsigned long count); + +ck_rv_t +pkcs11_get_mechanism_list (struct ck_function_list *module, + ck_slot_id_t slot_id, + ck_mechanism_type_t *mechanism_list, + unsigned long *count); + +ck_rv_t +pkcs11_sign_init (struct ck_function_list *module, + ck_session_handle_t sess, + struct ck_mechanism *mechanism, + ck_object_handle_t key); + +ck_rv_t +pkcs11_sign (struct ck_function_list *module, + ck_session_handle_t sess, + unsigned char *data, + unsigned long data_len, + unsigned char *signature, + unsigned long *signature_len); + +ck_rv_t +pkcs11_decrypt_init (struct ck_function_list *module, + ck_session_handle_t sess, + struct ck_mechanism 
*mechanism, + ck_object_handle_t key); + +ck_rv_t +pkcs11_decrypt (struct ck_function_list *module, + ck_session_handle_t sess, + unsigned char *encrypted_data, + unsigned long encrypted_data_len, + unsigned char *data, unsigned long *data_len); + +ck_rv_t +pkcs11_create_object (struct ck_function_list *module, + ck_session_handle_t sess, + struct ck_attribute *templ, + unsigned long count, + ck_object_handle_t *object); + +ck_rv_t +pkcs11_destroy_object (struct ck_function_list *module, + ck_session_handle_t sess, + ck_object_handle_t object); + +ck_rv_t +pkcs11_init_token (struct ck_function_list *module, + ck_slot_id_t slot_id, unsigned char *pin, + unsigned long pin_len, unsigned char *label); + +ck_rv_t +pkcs11_init_pin (struct ck_function_list *module, + ck_session_handle_t sess, + unsigned char *pin, + unsigned long pin_len); + +ck_rv_t +pkcs11_set_pin (struct ck_function_list *module, + ck_session_handle_t sess, + unsigned char *old_pin, + unsigned long old_len, + unsigned char *new_pin, + unsigned long new_len); + +const char * +pkcs11_strerror (ck_rv_t rv); + +#endif /* ENABLE_PKCS11 */ + #endif diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index 87878256a8..0485c9a243 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -21,7 +21,6 @@ */ #include <gnutls_int.h> -#include <pakchois/pakchois.h> #include <gnutls/pkcs11.h> #include <stdio.h> #include <stdbool.h> @@ -30,12 +29,13 @@ #include <gnutls_datum.h> #include <pkcs11_int.h> #include <gnutls_sig.h> +#include <p11-kit/uri.h> struct gnutls_pkcs11_privkey_st { gnutls_pk_algorithm_t pk_algorithm; unsigned int flags; - struct pkcs11_url_info info; + struct p11_kit_uri *info; }; /** @@ -57,6 +57,14 @@ gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t * key) return GNUTLS_E_MEMORY_ERROR; } + (*key)->info = p11_kit_uri_new (); + if ((*key)->info == NULL) + { + free (*key); + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + return 0; } 
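Review bot: The new failure path in gnutls_pkcs11_privkey_init releases the object with `free (*key)`, while gnutls_pkcs11_privkey_deinit in the next hunk releases the same object with `gnutls_free (key)`. The allocation itself is above this hunk; if it goes through the gnutls allocator, as the deinit suggests, the plain `free` is a mismatch whenever the application has installed its own memory functions. The caller's pointer is also left referring to freed memory. Use `gnutls_free (*key); *key = NULL;` on that path.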
@@ -69,6 +77,7 @@ gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t * key) void gnutls_pkcs11_privkey_deinit (gnutls_pkcs11_privkey_t key) { + p11_kit_uri_free (key->info); gnutls_free (key); } @@ -111,20 +120,20 @@ gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t pkey, gnutls_pkcs11_obj_info_t itype, void *output, size_t * output_size) { - return pkcs11_get_info (&pkey->info, itype, output, output_size); + return pkcs11_get_info (pkey->info, itype, output, output_size); } -#define FIND_OBJECT(pks, obj, key) \ +#define FIND_OBJECT(module, pks, obj, key) \ do { \ int retries = 0; \ int rret; \ - ret = pkcs11_find_object (&pks, &obj, &key->info, \ + ret = pkcs11_find_object (&module, &pks, &obj, key->info, \ SESSION_LOGIN); \ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { \ if (token_func) \ { \ - rret = token_func(token_data, key->info.token, retries++); \ + rret = pkcs11_call_token_func (key->info, retries++); \ if (rret == 0) continue; \ } \ gnutls_assert(); \ @@ -154,10 +163,11 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, int ret; struct ck_mechanism mech; unsigned long siglen; - pakchois_session_t *pks; + struct ck_function_list *module; + ck_session_handle_t pks; ck_object_handle_t obj; - FIND_OBJECT (pks, obj, key); + FIND_OBJECT (module, pks, obj, key); mech.mechanism = key->pk_algorithm == GNUTLS_PK_DSA ? CKM_DSA : CKM_RSA_PKCS; @@ -166,7 +176,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, /* Initialize signing operation; using the private key discovered * earlier. */ - rv = pakchois_sign_init (pks, &mech, obj); + rv = pkcs11_sign_init (module, pks, &mech, obj); if (rv != CKR_OK) { gnutls_assert (); @@ -175,7 +185,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, } /* Work out how long the signature must be: */ - rv = pakchois_sign (pks, hash->data, hash->size, NULL, &siglen); + rv = pkcs11_sign (module, pks, hash->data, hash->size, NULL, &siglen); if (rv != CKR_OK) { gnutls_assert (); 
@@ -186,7 +196,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, signature->data = gnutls_malloc (siglen); signature->size = siglen; - rv = pakchois_sign (pks, hash->data, hash->size, signature->data, &siglen); + rv = pkcs11_sign (module, pks, hash->data, hash->size, signature->data, &siglen); if (rv != CKR_OK) { gnutls_free (signature->data); @@ -200,7 +210,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, ret = 0; cleanup: - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; } @@ -224,7 +234,9 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey, const char *url, unsigned int flags) { int ret; - pakchois_session_t *pks; + struct ck_function_list *module; + struct ck_attribute *attr; + ck_session_handle_t pks; ck_object_handle_t obj; struct ck_attribute a[4]; ck_key_type_t key_type; @@ -238,24 +250,27 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey, pkey->flags = flags; - if (pkey->info.type[0] != 0 && strcmp (pkey->info.type, "private") != 0) + attr = p11_kit_uri_get_attribute (pkey->info, CKA_CLASS); + if (!attr || attr->value_len != sizeof (ck_object_class_t) || + *(ck_object_class_t*)attr->value != CKO_PRIVATE_KEY) { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; } - if (pkey->info.id[0] == 0) + attr = p11_kit_uri_get_attribute (pkey->info, CKA_ID); + if (!attr || !attr->value_len) { gnutls_assert (); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - FIND_OBJECT (pks, obj, pkey); + FIND_OBJECT (module, pks, obj, pkey); a[0].type = CKA_KEY_TYPE; a[0].value = &key_type; a[0].value_len = sizeof (key_type); - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { switch (key_type) { @@ -275,7 +290,7 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey, ret = 0; cleanup: - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; } 
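Review bot: The new class check in gnutls_pkcs11_privkey_import_url rejects a URL that carries no object type at all, since `!attr` now returns GNUTLS_E_INVALID_REQUEST. The removed test failed only when a type was present and was not "private". Unless pkcs11_url_to_info always sets CKA_CLASS, which is not visible here, URLs that were accepted before now fail. If the stricter rule is not intended, test `if (attr && (attr->value_len != sizeof (ck_object_class_t) || *(ck_object_class_t*)attr->value != CKO_PRIVATE_KEY))`. Either way `attr->value` should be checked for NULL before the dereference, as delete_obj_url does in lib/pkcs11_write.c.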
@@ -303,10 +318,11 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, int ret; struct ck_mechanism mech; unsigned long siglen; - pakchois_session_t *pks; + struct ck_function_list *module; + ck_session_handle_t pks; ck_object_handle_t obj; - FIND_OBJECT (pks, obj, key); + FIND_OBJECT (module, pks, obj, key); mech.mechanism = key->pk_algorithm == GNUTLS_PK_DSA ? CKM_DSA : CKM_RSA_PKCS; @@ -315,7 +331,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, /* Initialize signing operation; using the private key discovered * earlier. */ - rv = pakchois_decrypt_init (pks, &mech, obj); + rv = pkcs11_decrypt_init (module, pks, &mech, obj); if (rv != CKR_OK) { gnutls_assert (); @@ -324,7 +340,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, } /* Work out how long the plaintext must be: */ - rv = pakchois_decrypt (pks, ciphertext->data, ciphertext->size, + rv = pkcs11_decrypt (module, pks, ciphertext->data, ciphertext->size, NULL, &siglen); if (rv != CKR_OK) { @@ -336,7 +352,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, plaintext->data = gnutls_malloc (siglen); plaintext->size = siglen; - rv = pakchois_decrypt (pks, ciphertext->data, ciphertext->size, + rv = pkcs11_decrypt (module, pks, ciphertext->data, ciphertext->size, plaintext->data, &siglen); if (rv != CKR_OK) { @@ -351,7 +367,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, ret = 0; cleanup: - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; } @@ -374,7 +390,7 @@ gnutls_pkcs11_privkey_export_url (gnutls_pkcs11_privkey_t key, { int ret; - ret = pkcs11_info_to_url (&key->info, detailed, url); + ret = pkcs11_info_to_url (key->info, detailed, url); if (ret < 0) { gnutls_assert (); diff --git a/lib/pkcs11_secret.c b/lib/pkcs11_secret.c index 3b8a80c0ab..6ae355fca9 100644 --- a/lib/pkcs11_secret.c +++ b/lib/pkcs11_secret.c 
@@ -50,8 +50,9 @@ gnutls_pkcs11_copy_secret_key (const char *token_url, gnutls_datum_t * key, /* GNUTLS_PKCS11_OBJ_FLAG_* */ ) { int ret; - pakchois_session_t *pks; - struct pkcs11_url_info info; + struct ck_function_list *module; + ck_session_handle_t pks; + struct p11_kit_uri *info = NULL; ck_rv_t rv; struct ck_attribute a[12]; ck_object_class_t class = CKO_SECRET_KEY; @@ -77,8 +78,10 @@ gnutls_pkcs11_copy_secret_key (const char *token_url, gnutls_datum_t * key, } ret = - pkcs11_open_session (&pks, &info, + pkcs11_open_session (&module, &pks, info, SESSION_WRITE | pkcs11_obj_flags_to_int (flags)); + p11_kit_uri_free (info); + if (ret < 0) { gnutls_assert (); @@ -126,11 +129,11 @@ gnutls_pkcs11_copy_secret_key (const char *token_url, gnutls_datum_t * key, a[a_val].value_len = sizeof (tval); a_val++; - rv = pakchois_create_object (pks, a, a_val, &obj); + rv = pkcs11_create_object (module, pks, a, a_val, &obj); if (rv != CKR_OK) { gnutls_assert (); - _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv)); + _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv)); ret = pkcs11_rv_to_err (rv); goto cleanup; } @@ -141,7 +144,7 @@ gnutls_pkcs11_copy_secret_key (const char *token_url, gnutls_datum_t * key, ret = 0; cleanup: - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c index 8ab3aa3d9a..bc20b725cd 100644 --- a/lib/pkcs11_write.c +++ b/lib/pkcs11_write.c @@ -47,8 +47,9 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url, unsigned int flags) { int ret; - pakchois_session_t *pks; - struct pkcs11_url_info info; + struct ck_function_list *module; + ck_session_handle_t pks; + struct p11_kit_uri *info = NULL; ck_rv_t rv; size_t der_size, id_size; opaque *der = NULL; 
@@ -68,8 +69,10 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url, } ret = - pkcs11_open_session (&pks, &info, + pkcs11_open_session (&module, &pks, info, SESSION_WRITE | pkcs11_obj_flags_to_int (flags)); + p11_kit_uri_free (info); + if (ret < 0) { gnutls_assert (); @@ -142,11 +145,11 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url, a_val++; } - rv = pakchois_create_object (pks, a, a_val, &obj); + rv = pkcs11_create_object (module, pks, a, a_val, &obj); if (rv != CKR_OK) { gnutls_assert (); - _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv)); + _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv)); ret = pkcs11_rv_to_err (rv); goto cleanup; } @@ -158,7 +161,7 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url, cleanup: gnutls_free (der); - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; @@ -186,8 +189,9 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url, unsigned int key_usage, unsigned int flags) { int ret; - pakchois_session_t *pks = NULL; - struct pkcs11_url_info info; + struct ck_function_list *module; + ck_session_handle_t pks = 0; + struct p11_kit_uri *info = NULL; ck_rv_t rv; size_t id_size; opaque id[20]; @@ -213,13 +217,16 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url, ret = gnutls_x509_privkey_get_key_id (key, 0, id, &id_size); if (ret < 0) { + p11_kit_uri_free (info); gnutls_assert (); goto cleanup; } ret = - pkcs11_open_session (&pks, &info, + pkcs11_open_session (&module, &pks, info, SESSION_WRITE | pkcs11_obj_flags_to_int (flags)); + p11_kit_uri_free (info); + if (ret < 0) { gnutls_assert (); 
@@ -362,11 +369,11 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url, goto cleanup; } - rv = pakchois_create_object (pks, a, a_val, &obj); + rv = pkcs11_create_object (module, pks, a, a_val, &obj); if (rv != CKR_OK) { gnutls_assert (); - _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv)); + _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv)); ret = pkcs11_rv_to_err (rv); goto cleanup; } @@ -406,8 +413,8 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url, ret = 0; cleanup: - if (pks != NULL) - pakchois_close_session (pks); + if (pks != 0) + pkcs11_close_session (module, pks); return ret; @@ -415,17 +422,19 @@ cleanup: struct delete_data_st { - struct pkcs11_url_info info; + struct p11_kit_uri *info; unsigned int deleted; /* how many */ }; static int -delete_obj_url (pakchois_session_t * pks, +delete_obj_url (struct ck_function_list *module, + ck_session_handle_t pks, struct token_info *info, struct ck_info *lib_info, void *input) { struct delete_data_st *find_data = input; struct ck_attribute a[4]; + struct ck_attribute *attr; ck_object_class_t class; ck_certificate_type_t type = -1; ck_rv_t rv; 
@@ -442,44 +451,35 @@ delete_obj_url (pakchois_session_t * pks, /* do not bother reading the token if basic fields do not match */ - if (pkcs11_token_matches_info (&find_data->info, &info->tinfo, lib_info) < - 0) + if (!p11_kit_uri_match_module_info (find_data->info, lib_info) || + !p11_kit_uri_match_token_info (find_data->info, &info->tinfo)) { gnutls_assert (); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } + /* Find objects with given class and type */ class = CKO_CERTIFICATE; /* default */ + a_vals = 0; - if (find_data->info.type[0] != 0) + attr = p11_kit_uri_get_attribute (find_data->info, CKA_CLASS); + if (attr != NULL) { - class = pkcs11_strtype_to_class (find_data->info.type); + if(attr->value && attr->value_len == sizeof (ck_object_class_t)) + class = *((ck_object_class_t*)attr->value); if (class == CKO_CERTIFICATE) type = CKC_X_509; - - if (class == -1) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } } - a_vals = 0; + a[a_vals].type = CKA_CLASS; + a[a_vals].value = &class; + a[a_vals].value_len = sizeof (class); + a_vals++; - /* Find objects with given class and type */ - if (find_data->info.certid_raw_size > 0) - { - a[a_vals].type = CKA_ID; - a[a_vals].value = find_data->info.certid_raw; - a[a_vals].value_len = find_data->info.certid_raw_size; - a_vals++; - } - - if (class != -1) + attr = p11_kit_uri_get_attribute (find_data->info, CKA_ID); + if (attr != NULL) { - a[a_vals].type = CKA_CLASS; - a[a_vals].value = &class; - a[a_vals].value_len = sizeof class; + memcpy (a + a_vals, attr, sizeof (struct ck_attribute)); a_vals++; } 
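Review bot: A `CKA_CLASS` attribute with a NULL value or an unexpected length is now ignored in delete_obj_url, and the search silently proceeds with the default `CKO_CERTIFICATE`. The removed code returned GNUTLS_E_INVALID_REQUEST for a type it could not map. For a routine that destroys every object matching the template, falling back to a class the caller did not ask for is the wrong direction. Fail closed inside the `attr != NULL` branch with `if (!attr->value || attr->value_len != sizeof (ck_object_class_t)) return GNUTLS_E_INVALID_REQUEST;` before reading `class`. delete_obj_url begins and ends outside this hunk.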
@@ -491,15 +491,14 @@ delete_obj_url (pakchois_session_t * pks, a_vals++; } - if (find_data->info.label[0] != 0) + attr = p11_kit_uri_get_attribute (find_data->info, CKA_LABEL); + if (attr != NULL) { - a[a_vals].type = CKA_LABEL; - a[a_vals].value = find_data->info.label; - a[a_vals].value_len = strlen (find_data->info.label); + memcpy (a + a_vals, attr, sizeof (struct ck_attribute)); a_vals++; } - rv = pakchois_find_objects_init (pks, a, a_vals); + rv = pkcs11_find_objects_init (module, pks, a, a_vals); if (rv != CKR_OK) { gnutls_assert (); @@ -508,13 +507,13 @@ delete_obj_url (pakchois_session_t * pks, goto cleanup; } - while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1) + while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1) { - rv = pakchois_destroy_object (pks, obj); + rv = pkcs11_destroy_object (module, pks, obj); if (rv != CKR_OK) { _gnutls_debug_log - ("pkcs11: Cannot destroy object: %s\n", pakchois_error (rv)); + ("pkcs11: Cannot destroy object: %s\n", pkcs11_strerror (rv)); } else { @@ -535,7 +534,7 @@ delete_obj_url (pakchois_session_t * pks, } cleanup: - pakchois_find_objects_final (pks); + pkcs11_find_objects_final (module, pks); return ret; } @@ -569,6 +568,8 @@ gnutls_pkcs11_delete_url (const char *object_url, unsigned int flags) ret = _pkcs11_traverse_tokens (delete_obj_url, &find_data, SESSION_WRITE | pkcs11_obj_flags_to_int (flags)); + p11_kit_uri_free (find_data.info); + if (ret < 0) { gnutls_assert (); @@ -597,9 +598,9 @@ gnutls_pkcs11_token_init (const char *token_url, const char *so_pin, const char *label) { int ret; - struct pkcs11_url_info info; + struct p11_kit_uri *info = NULL; ck_rv_t rv; - pakchois_module_t *module; + struct ck_function_list *module; ck_slot_id_t slot; char flabel[32]; 
@@ -610,7 +611,9 @@ gnutls_pkcs11_token_init (const char *token_url, return ret; } - ret = pkcs11_find_slot (&module, &slot, &info, NULL); + ret = pkcs11_find_slot (&module, &slot, info, NULL); + p11_kit_uri_free (info); + if (ret < 0) { gnutls_assert (); @@ -623,12 +626,12 @@ gnutls_pkcs11_token_init (const char *token_url, memcpy (flabel, label, strlen (label)); rv = - pakchois_init_token (module, slot, (char *) so_pin, strlen (so_pin), - flabel); + pkcs11_init_token (module, slot, (char *) so_pin, strlen (so_pin), + flabel); if (rv != CKR_OK) { gnutls_assert (); - _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv)); + _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv)); return pkcs11_rv_to_err (rv); } @@ -656,8 +659,9 @@ gnutls_pkcs11_token_set_pin (const char *token_url, const char *newpin, unsigned int flags) { int ret; - pakchois_session_t *pks; - struct pkcs11_url_info info; + struct ck_function_list *module; + ck_session_handle_t pks; + struct p11_kit_uri *info = NULL; ck_rv_t rv; unsigned int ses_flags; @@ -674,7 +678,9 @@ gnutls_pkcs11_token_set_pin (const char *token_url, else ses_flags = SESSION_WRITE | SESSION_LOGIN; - ret = pkcs11_open_session (&pks, &info, ses_flags); + ret = pkcs11_open_session (&module, &pks, info, ses_flags); + p11_kit_uri_free (info); + if (ret < 0) { gnutls_assert (); 
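Review bot: The rewritten `pkcs11_init_token` call still casts `so_pin` with `(char *)` although the new wrapper declares the PIN and label as `unsigned char *`, so the cast strips `const` without producing the parameter type, and `flabel` is a `char[32]` passed the same way. The `pkcs11_init_pin` and `pkcs11_set_pin` calls in gnutls_pkcs11_token_set_pin further down have the same mismatch. Cast to the wrapper's type instead, `(unsigned char *) so_pin` and `(unsigned char *) flabel`. Separately, the context line `memcpy (flabel, label, strlen (label));` copies into the 32-byte `flabel` with no bound visible in this hunk; if none exists above it, clamp the length to `sizeof (flabel)` before the copy.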
@@ -683,24 +689,24 @@ gnutls_pkcs11_token_set_pin (const char *token_url, if (oldpin == NULL) { - rv = pakchois_init_pin (pks, (char *) newpin, strlen (newpin)); + rv = pkcs11_init_pin (module, pks, (char *) newpin, strlen (newpin)); if (rv != CKR_OK) { gnutls_assert (); - _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv)); + _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv)); ret = pkcs11_rv_to_err (rv); goto finish; } } else { - rv = pakchois_set_pin (pks, - (char *) oldpin, strlen (oldpin), - (char *) newpin, strlen (newpin)); + rv = pkcs11_set_pin (module, pks, + (char *) oldpin, strlen (oldpin), + (char *) newpin, strlen (newpin)); if (rv != CKR_OK) { gnutls_assert (); - _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv)); + _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv)); ret = pkcs11_rv_to_err (rv); goto finish; } @@ -709,7 +715,7 @@ gnutls_pkcs11_token_set_pin (const char *token_url, ret = 0; finish: - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; } diff --git a/src/Makefile.am b/src/Makefile.am index 3cfbc08c92..316389fc9d 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -31,19 +31,27 @@ AM_CPPFLAGS = \ noinst_PROGRAMS = benchmark-cipher benchmark-tls bin_PROGRAMS = gnutls-serv gnutls-cli psktool gnutls-cli-debug if ENABLE_PKI -bin_PROGRAMS += certtool p11tool +bin_PROGRAMS += certtool endif if ENABLE_SRP bin_PROGRAMS += srptool endif +if ENABLE_PKCS11 +bin_PROGRAMS += p11tool +PKCS11_SRCS = p11common.c p11common.h +else +PKCS11_SRCS = +endif + noinst_LTLIBRARIES = gnutls_serv_SOURCES = \ list.h serv.c \ udp-serv.c udp-serv.h \ - common.h common.c p11common.c \ - certtool-common.h p11common.h + common.h common.c \ + certtool-common.h \ + $(PKCS11_SRCS) gnutls_serv_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la gnutls_serv_LDADD += libcmd-serv.la ../gl/libgnu.la gnutls_serv_LDADD += $(LTLIBGCRYPT) $(LIBSOCKET) $(GETADDRINFO_LIB) 
@@ -71,7 +79,7 @@ benchmark_cipher_LDADD = ../lib/libgnutls.la ../gl/libgnu.la $(LIB_CLOCK_GETTIME benchmark_tls_SOURCES = benchmark-tls.c benchmark.c benchmark.h benchmark_tls_LDADD = ../lib/libgnutls.la ../gl/libgnu.la $(LIB_CLOCK_GETTIME) -gnutls_cli_SOURCES = cli.c common.h common.c p11common.c p11common.h +gnutls_cli_SOURCES = cli.c common.h common.c $(PKCS11_SRCS) gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la gnutls_cli_LDADD += libcmd-cli.la ../gl/libgnu.la gnutls_cli_LDADD += $(LTLIBGCRYPT) $(LIBSOCKET) $(GETADDRINFO_LIB) @@ -79,7 +87,7 @@ noinst_LTLIBRARIES += libcmd-cli.la libcmd_cli_la_CFLAGS = libcmd_cli_la_SOURCES = cli.gaa cli-gaa.h cli-gaa.c -gnutls_cli_debug_SOURCES = tls_test.c tests.h tests.c common.h common.c p11common.c p11common.h +gnutls_cli_debug_SOURCES = tls_test.c tests.h tests.c common.h common.c $(PKCS11_SRCS) gnutls_cli_debug_LDADD = ../lib/libgnutls.la libcmd-cli-debug.la gnutls_cli_debug_LDADD += ../gl/libgnu.la $(LIBSOCKET) $(GETADDRINFO_LIB) noinst_LTLIBRARIES += libcmd-cli-debug.la @@ -88,7 +96,7 @@ libcmd_cli_debug_la_SOURCES = tls_test.gaa tls_test-gaa.h tls_test-gaa.c #certtool -certtool_SOURCES = certtool.c prime.c certtool-common.c p11common.c p11common.h +certtool_SOURCES = certtool.c prime.c certtool-common.c $(PKCS11_SRCS) certtool_LDADD = ../lib/libgnutls.la certtool_LDADD += libcmd-certtool.la ../gl/libgnu.la certtool_LDADD += $(LTLIBGCRYPT) @@ -112,6 +120,8 @@ libcmd_certtool_la_LIBADD += ../lib/libgnutls.la libcmd_certtool_la_LIBADD += ../gl/libgnu.la $(INET_PTON_LIB) # p11 tool +if ENABLE_PKCS11 + p11tool_gaa_CFLAGS = p11tool_SOURCES = p11tool.gaa p11tool.c pkcs11.c certtool-common.c p11tool.h p11tool_LDADD = ../lib/libgnutls.la @@ -123,6 +133,7 @@ p11tool_LDADD += -lcfg+ else p11tool_LDADD += libcfg.la endif + noinst_LTLIBRARIES += libcmd-p11tool.la libcmd_p11tool_la_CFLAGS = libcmd_p11tool_la_SOURCES = p11tool-gaa.c p11tool.gaa p11tool-gaa.h \ 
@@ -131,14 +142,17 @@ libcmd_p11tool_la_LIBADD = ../gl/libgnu.la $(LTLIBREADLINE) libcmd_p11tool_la_LIBADD += ../lib/libgnutls.la libcmd_p11tool_la_LIBADD += ../gl/libgnu.la $(INET_PTON_LIB) +endif # ENABLE_PKCS11 psk-gaa.c: $(srcdir)/psk.gaa -$(GAA) $< -o psk-gaa.c -i psk-gaa.h srptool-gaa.c: $(srcdir)/srptool.gaa -$(GAA) $< -o srptool-gaa.c -i srptool-gaa.h +if ENABLE_PKCS11 p11tool-gaa.c: $(srcdir)/p11tool.gaa -$(GAA) $< -o p11tool-gaa.c -i p11tool-gaa.h +endif certtool-gaa.c: $(srcdir)/certtool.gaa -$(GAA) $< -o certtool-gaa.c -i certtool-gaa.h cli-gaa.c: $(srcdir)/cli.gaa diff --git a/src/certtool-common.c b/src/certtool-common.c index 91fbbeb314..1482d34b68 100644 --- a/src/certtool-common.c +++ b/src/certtool-common.c @@ -146,6 +146,8 @@ gnutls_x509_privkey_t xkey; return key; } +#ifdef ENABLE_PKCS11 + static gnutls_privkey_t _load_pkcs11_privkey(const char* url) { int ret; @@ -257,6 +259,7 @@ unsigned int obj_flags = 0; return pubkey; } +#endif /* ENABLE_PKCS11 */ /* Load the private key. * @mand should be non zero if it is required to read a private key. @@ -274,8 +277,10 @@ load_private_key (int mand, common_info_st * info) if (info->privkey == NULL) error (EXIT_FAILURE, 0, "missing --load-privkey"); +#ifdef ENABLE_PKCS11 if (strncmp(info->privkey, "pkcs11:", 7) == 0) return _load_pkcs11_privkey(info->privkey); +#endif dat.data = read_binary_file (info->privkey, &size); dat.size = size; @@ -480,8 +485,10 @@ load_ca_private_key (common_info_st * info) if (info->ca_privkey == NULL) error (EXIT_FAILURE, 0, "missing --load-ca-privkey"); +#ifdef ENABLE_PKCS11 if (strncmp(info->ca_privkey, "pkcs11:", 7) == 0) return _load_pkcs11_privkey(info->ca_privkey); +#endif dat.data = read_binary_file (info->ca_privkey, &size); dat.size = size; 
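Review bot: With PKCS#11 compiled out, a `pkcs11:` URL given to --load-privkey falls through to `read_binary_file (info->privkey, &size)` in load_private_key and is treated as a file name. The tool then either reports a misleading read error or loads key material from a local file that happens to carry that name. The guard should reject the URL explicitly by adding `#else` followed by `if (strncmp (info->privkey, "pkcs11:", 7) == 0) error (EXIT_FAILURE, 0, "PKCS #11 support is not compiled in");` before the `#endif`. The same fall-through is introduced in load_ca_private_key, in load_pubkey, and in the load_keys hunks that follow (x509_certfile, x509_keyfile, pgp_keyfile). All of these functions continue outside their hunks.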
@@ -547,8 +554,10 @@ load_pubkey (int mand, common_info_st * info) if (info->pubkey == NULL) error (EXIT_FAILURE, 0, "missing --load-pubkey"); +#ifdef ENABLE_PKCS11 if (strncmp(info->pubkey, "pkcs11:", 7) == 0) return _load_pkcs11_pubkey(info->pubkey); +#endif ret = gnutls_pubkey_init (&key); if (ret < 0) diff --git a/src/certtool.c b/src/certtool.c index f35efbb50c..226c9e4138 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -1095,8 +1095,10 @@ gaa_parser (int argc, char **argv) if ((ret = gnutls_global_init ()) < 0) error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret)); - + +#ifdef ENABLE_PKCS11 pkcs11_common(); +#endif memset (&cinfo, 0, sizeof (cinfo)); cinfo.privkey = info.privkey; @@ -1196,7 +1198,9 @@ gaa_parser (int argc, char **argv) } fclose (outfile); +#ifdef ENABLE_PKCS11 gnutls_pkcs11_deinit (); +#endif gnutls_global_deinit (); } @@ -177,6 +177,7 @@ load_keys (void) if (x509_certfile != NULL && x509_keyfile != NULL) { +#ifdef ENABLE_PKCS11 if (strncmp (x509_certfile, "pkcs11:", 7) == 0) { crt_num = 1; @@ -198,6 +199,7 @@ load_keys (void) x509_crt_size = 1; } else +#endif /* ENABLE_PKCS11 */ { data = load_file (x509_certfile); @@ -254,6 +256,7 @@ load_keys (void) exit (1); } +#ifdef ENABLE_PKCS11 if (strncmp (x509_keyfile, "pkcs11:", 7) == 0) { gnutls_pkcs11_privkey_init (&pkcs11_key); @@ -276,6 +279,7 @@ load_keys (void) } } else +#endif /* ENABLE_PKCS11 */ { data = load_file (x509_keyfile); if (data.data == NULL) @@ -350,6 +354,7 @@ load_keys (void) exit (1); } +#ifdef ENABLE_PKCS11 if (strncmp (pgp_keyfile, "pkcs11:", 7) == 0) { gnutls_pkcs11_privkey_init (&pkcs11_key); @@ -371,6 +376,7 @@ load_keys (void) } } else +#endif /* ENABLE_PKCS11 */ { gnutls_openpgp_privkey_t tmp_pgp_key; @@ -730,7 +736,10 @@ main (int argc, char **argv) exit (1); } +#ifdef ENABLE_PKCS11 pkcs11_common (); +#endif + if (hostname == NULL) { fprintf (stderr, "No hostname given\n"); diff --git a/src/p11tool.c b/src/p11tool.c index 7e97fb1d7d..ce3bebb0a5 100644 
--- a/src/p11tool.c +++ b/src/p11tool.c @@ -161,6 +161,8 @@ gaa_parser (int argc, char **argv) } fclose (outfile); +#ifdef ENABLE_PKCS11 gnutls_pkcs11_deinit (); +#endif gnutls_global_deinit (); } diff --git a/src/serv.c b/src/serv.c index b02e8ff4e5..290aecaff4 100644 --- a/src/serv.c +++ b/src/serv.c @@ -939,7 +939,9 @@ main (int argc, char **argv) exit (1); } +#ifdef ENABLE_PKCS11 pkcs11_common (); +#endif /* Note that servers must generate parameters for * Diffie-Hellman. See gnutls_dh_params_generate(), and |
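Review bot: The `#ifdef ENABLE_PKCS11` around `gnutls_pkcs11_deinit ();` in p11tool.c's gaa_parser is redundant, because the src/Makefile.am change in this commit only builds p11tool when ENABLE_PKCS11 is set. It also adds a silent failure mode: the macro is presumably supplied by the configure-generated header, and if that header is not included ahead of this point (the includes are outside the hunk), the deinit call is dropped with no diagnostic. I would leave the call unconditional here, `gnutls_pkcs11_deinit ();`, and keep the guards for the tools that build both ways. gaa_parser starts outside the hunk.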