summaryrefslogtreecommitdiff
path: root/lib/pkcs11_int.h
blob: 6c5f266840444bdf57e480f58cd30a16d800bf66 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
/*
 * GnuTLS PKCS#11 support
 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
 * 
 * Authors: Nikos Mavrogiannopoulos, Stef Walter
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 */

#ifndef PKCS11_INT_H
#define PKCS11_INT_H

#ifdef ENABLE_PKCS11

#define CRYPTOKI_GNU
#include <p11-kit/pkcs11.h>
#include <gnutls/pkcs11.h>
#include <x509/x509_int.h>

#define PKCS11_ID_SIZE 128
#define PKCS11_LABEL_SIZE 128

#include <p11-kit/uri.h>
typedef unsigned char ck_bool_t;

struct pkcs11_session_info {
	struct ck_function_list *module;
	struct ck_token_info tinfo;
	struct ck_slot_info slot_info;
	ck_session_handle_t pks;
	ck_slot_id_t sid;
	unsigned int init;
};

struct gnutls_pkcs11_obj_st {
	gnutls_datum_t raw;
	gnutls_pkcs11_obj_type_t type;
	ck_object_class_t class;

	unsigned int flags;
	struct p11_kit_uri *info;

	/* only when pubkey */
	gnutls_datum_t pubkey[MAX_PUBLIC_PARAMS_SIZE];
	unsigned pubkey_size;
	gnutls_pk_algorithm_t pk_algorithm;
	unsigned int key_usage;

	struct pin_info_st pin;
};

/* This must be called on every function that uses a PKCS #11 function
 * directly */
int _gnutls_pkcs11_check_init(void);

#define FIX_KEY_USAGE(pk, usage) \
	if (usage == 0) { \
		if (pk == GNUTLS_PK_RSA) \
			usage = GNUTLS_KEY_DECIPHER_ONLY|GNUTLS_KEY_DIGITAL_SIGNATURE; \
		else \
			usage = GNUTLS_KEY_DIGITAL_SIGNATURE; \
	}

#define PKCS11_CHECK_INIT \
	ret = _gnutls_pkcs11_check_init(); \
	if (ret < 0) \
		return gnutls_assert_val(ret)

#define PKCS11_CHECK_INIT_RET(x) \
	ret = _gnutls_pkcs11_check_init(); \
	if (ret < 0) \
		return gnutls_assert_val(x)

/* thus function is called for every token in the traverse_tokens
 * function. Once everything is traversed it is called with NULL tinfo.
 * It should return 0 if found what it was looking for.
 */
typedef int (*find_func_t) (struct ck_function_list *, struct pkcs11_session_info *,
			    struct ck_token_info * tinfo, struct ck_info *,
			    void *input);

int pkcs11_rv_to_err(ck_rv_t rv);
int pkcs11_url_to_info(const char *url, struct p11_kit_uri **info, unsigned flags);
int
pkcs11_find_slot(struct ck_function_list **module, ck_slot_id_t * slot,
		 struct p11_kit_uri *info, struct ck_token_info *_tinfo,
		 struct ck_slot_info *_slot_info);

int pkcs11_read_pubkey(struct ck_function_list *module,
		       ck_session_handle_t pks, ck_object_handle_t obj,
		       ck_key_type_t key_type, gnutls_pkcs11_obj_t pobj);

int pkcs11_override_cert_exts(struct pkcs11_session_info *sinfo, gnutls_datum_t *spki, gnutls_datum_t *der);

int pkcs11_get_info(struct p11_kit_uri *info,
		    gnutls_pkcs11_obj_info_t itype, void *output,
		    size_t * output_size);
int pkcs11_login(struct pkcs11_session_info *sinfo,
		 struct pin_info_st *pin_info,
		 struct p11_kit_uri *info, unsigned so,
		 unsigned reauth);

int pkcs11_call_token_func(struct p11_kit_uri *info, const unsigned retry);

extern gnutls_pkcs11_token_callback_t _gnutls_token_func;
extern void *_gnutls_token_data;

void pkcs11_rescan_slots(void);
int pkcs11_info_to_url(struct p11_kit_uri *info,
		       gnutls_pkcs11_url_type_t detailed, char **url);

int
_gnutls_x509_crt_import_pkcs11_url(gnutls_x509_crt_t crt,
				  const char *url, unsigned int flags);

#define SESSION_WRITE (1<<0)
#define SESSION_LOGIN (1<<1)
#define SESSION_SO (1<<2)	/* security officer session */
#define SESSION_TRUSTED (1<<3) /* session on a marked as trusted (p11-kit) module */
int pkcs11_open_session(struct pkcs11_session_info *sinfo,
			struct pin_info_st *pin_info,
			struct p11_kit_uri *info, unsigned int flags);
int _pkcs11_traverse_tokens(find_func_t find_func, void *input,
			    struct p11_kit_uri *info,
			    struct pin_info_st *pin_info,
			    unsigned int flags);
ck_object_class_t pkcs11_strtype_to_class(const char *type);

/* Additional internal flags for gnutls_pkcs11_obj_flags */
/* @GNUTLS_PKCS11_OBJ_FLAG_EXPECT_CERT: When importing an object, provide a hint on the type, to allow incomplete URLs
 * @GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PRIVKEY: Hint for private key */
#define GNUTLS_PKCS11_OBJ_FLAG_EXPECT_CERT (1<<29)
#define GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PRIVKEY (1<<30)
#define GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PUBKEY (1<<31)

int pkcs11_token_matches_info(struct p11_kit_uri *info,
			      struct ck_token_info *tinfo,
			      struct ck_info *lib_info);

unsigned int pkcs11_obj_flags_to_int(unsigned int flags);

int
_gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
				 const gnutls_datum_t * hash,
				 gnutls_datum_t * signature);

int
_gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
				    unsigned int flags,
				    const gnutls_datum_t * ciphertext,
				    gnutls_datum_t * plaintext);

int
_pkcs11_privkey_get_pubkey (gnutls_pkcs11_privkey_t pkey, gnutls_pubkey_t *pub, unsigned flags);

static inline int pk_to_mech(gnutls_pk_algorithm_t pk)
{
	if (pk == GNUTLS_PK_DSA)
		return CKM_DSA;
	else if (pk == GNUTLS_PK_EC)
		return CKM_ECDSA;
	else
		return CKM_RSA_PKCS;
}

static inline int pk_to_key_type(gnutls_pk_algorithm_t pk)
{
	if (pk == GNUTLS_PK_DSA)
		return CKK_DSA;
	else if (pk == GNUTLS_PK_EC)
		return CKK_ECDSA;
	else
		return CKK_RSA;
}

static inline gnutls_pk_algorithm_t key_type_to_pk(ck_key_type_t m)
{
	if (m == CKK_RSA)
		return GNUTLS_PK_RSA;
	else if (m == CKK_DSA)
		return GNUTLS_PK_DSA;
	else if (m == CKK_ECDSA)
		return GNUTLS_PK_EC;
	else
		return GNUTLS_PK_UNKNOWN;
}

static inline int pk_to_genmech(gnutls_pk_algorithm_t pk, ck_key_type_t *type)
{
	if (pk == GNUTLS_PK_DSA) {
		*type = CKK_DSA;
		return CKM_DSA_KEY_PAIR_GEN;
	} else if (pk == GNUTLS_PK_EC) {
		*type = CKK_ECDSA;
		return CKM_ECDSA_KEY_PAIR_GEN;
	} else {
		*type = CKK_RSA;
		return CKM_RSA_PKCS_KEY_PAIR_GEN;
	}
}

ck_object_class_t pkcs11_type_to_class(gnutls_pkcs11_obj_type_t type);

ck_rv_t
pkcs11_generate_key_pair(struct ck_function_list * module,
			 ck_session_handle_t sess,
			 struct ck_mechanism * mechanism,
			 struct ck_attribute * pub_templ,
			 unsigned long pub_templ_count,
			 struct ck_attribute * priv_templ,
			 unsigned long priv_templ_count,
			 ck_object_handle_t * pub,
			 ck_object_handle_t * priv);

ck_rv_t
pkcs11_get_slot_list(struct ck_function_list *module,
		     unsigned char token_present,
		     ck_slot_id_t * slot_list, unsigned long *count);

ck_rv_t
pkcs11_get_module_info(struct ck_function_list *module,
		       struct ck_info *info);

ck_rv_t
pkcs11_get_slot_info(struct ck_function_list *module,
		     ck_slot_id_t slot_id, struct ck_slot_info *info);

ck_rv_t
pkcs11_get_token_info(struct ck_function_list *module,
		      ck_slot_id_t slot_id, struct ck_token_info *info);

ck_rv_t
pkcs11_find_objects_init(struct ck_function_list *module,
			 ck_session_handle_t sess,
			 struct ck_attribute *templ, unsigned long count);

ck_rv_t
pkcs11_find_objects(struct ck_function_list *module,
		    ck_session_handle_t sess,
		    ck_object_handle_t * objects,
		    unsigned long max_object_count,
		    unsigned long *object_count);

ck_rv_t pkcs11_find_objects_final(struct pkcs11_session_info *);

ck_rv_t pkcs11_close_session(struct pkcs11_session_info *);

ck_rv_t
pkcs11_set_attribute_value(struct ck_function_list * module,
			   ck_session_handle_t sess,
			   ck_object_handle_t object,
			   struct ck_attribute * templ,
			   unsigned long count);

ck_rv_t
pkcs11_get_attribute_value(struct ck_function_list *module,
			   ck_session_handle_t sess,
			   ck_object_handle_t object,
			   struct ck_attribute *templ,
			   unsigned long count);

ck_rv_t
pkcs11_get_attribute_avalue(struct ck_function_list * module,
			   ck_session_handle_t sess,
			   ck_object_handle_t object,
			   ck_attribute_type_t type,
			   gnutls_datum_t *res);

ck_rv_t
pkcs11_get_mechanism_list(struct ck_function_list *module,
			  ck_slot_id_t slot_id,
			  ck_mechanism_type_t * mechanism_list,
			  unsigned long *count);

ck_rv_t
pkcs11_sign_init(struct ck_function_list *module,
		 ck_session_handle_t sess,
		 struct ck_mechanism *mechanism, ck_object_handle_t key);

ck_rv_t
pkcs11_sign(struct ck_function_list *module,
	    ck_session_handle_t sess,
	    unsigned char *data,
	    unsigned long data_len,
	    unsigned char *signature, unsigned long *signature_len);

ck_rv_t
pkcs11_decrypt_init(struct ck_function_list *module,
		    ck_session_handle_t sess,
		    struct ck_mechanism *mechanism,
		    ck_object_handle_t key);

ck_rv_t
pkcs11_decrypt(struct ck_function_list *module,
	       ck_session_handle_t sess,
	       unsigned char *encrypted_data,
	       unsigned long encrypted_data_len,
	       unsigned char *data, unsigned long *data_len);

ck_rv_t
pkcs11_create_object(struct ck_function_list *module,
		     ck_session_handle_t sess,
		     struct ck_attribute *templ,
		     unsigned long count, ck_object_handle_t * object);

ck_rv_t
pkcs11_destroy_object(struct ck_function_list *module,
		      ck_session_handle_t sess, ck_object_handle_t object);

ck_rv_t
pkcs11_init_token(struct ck_function_list *module,
		  ck_slot_id_t slot_id, unsigned char *pin,
		  unsigned long pin_len, unsigned char *label);

ck_rv_t
pkcs11_init_pin(struct ck_function_list *module,
		ck_session_handle_t sess,
		unsigned char *pin, unsigned long pin_len);

ck_rv_t
pkcs11_set_pin(struct ck_function_list *module,
	       ck_session_handle_t sess,
	       const char *old_pin,
	       unsigned long old_len,
	       const char *new_pin, unsigned long new_len);

ck_rv_t
_gnutls_pkcs11_get_random(struct ck_function_list *module,
		  ck_session_handle_t sess, void *data, size_t len);


const char *pkcs11_strerror(ck_rv_t rv);

inline static bool is_object_pkcs11_url(const char *url)
{
	if (strstr(url, "id=") != 0 || strstr(url, "object=") != 0)
		return 1;
	return 0;
}

#endif				/* ENABLE_PKCS11 */

#endif