1 /* $NetBSD: ks_p11.c,v 1.1.1.2 2014/04/24 12:45:42 pettai Exp $ */
2
3 /*
4 * Copyright (c) 2004 - 2008 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "hx_locl.h"
37 #ifdef HAVE_DLFCN_H
38 #include <dlfcn.h>
39 #endif
40
41 #ifdef HAVE_DLOPEN
42
43 #include "pkcs11.h"
44
45 struct p11_slot {
46 int flags;
47 #define P11_SESSION 1
48 #define P11_SESSION_IN_USE 2
49 #define P11_LOGIN_REQ 4
50 #define P11_LOGIN_DONE 8
51 #define P11_TOKEN_PRESENT 16
52 CK_SESSION_HANDLE session;
53 CK_SLOT_ID id;
54 CK_BBOOL token;
55 char *name;
56 hx509_certs certs;
57 char *pin;
58 struct {
59 CK_MECHANISM_TYPE_PTR list;
60 CK_ULONG num;
61 CK_MECHANISM_INFO_PTR *infos;
62 } mechs;
63 };
64
65 struct p11_module {
66 void *dl_handle;
67 CK_FUNCTION_LIST_PTR funcs;
68 CK_ULONG num_slots;
69 unsigned int ref;
70 struct p11_slot *slot;
71 };
72
73 #define P11FUNC(module,f,args) (*(module)->funcs->C_##f)args
74
75 static int p11_get_session(hx509_context,
76 struct p11_module *,
77 struct p11_slot *,
78 hx509_lock,
79 CK_SESSION_HANDLE *);
80 static int p11_put_session(struct p11_module *,
81 struct p11_slot *,
82 CK_SESSION_HANDLE);
83 static void p11_release_module(struct p11_module *);
84
85 static int p11_list_keys(hx509_context,
86 struct p11_module *,
87 struct p11_slot *,
88 CK_SESSION_HANDLE,
89 hx509_lock,
90 hx509_certs *);
91
92 /*
93 *
94 */
95
96 struct p11_rsa {
97 struct p11_module *p;
98 struct p11_slot *slot;
99 CK_OBJECT_HANDLE private_key;
100 CK_OBJECT_HANDLE public_key;
101 };
102
103 static int
p11_rsa_public_encrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)104 p11_rsa_public_encrypt(int flen,
105 const unsigned char *from,
106 unsigned char *to,
107 RSA *rsa,
108 int padding)
109 {
110 return -1;
111 }
112
113 static int
p11_rsa_public_decrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)114 p11_rsa_public_decrypt(int flen,
115 const unsigned char *from,
116 unsigned char *to,
117 RSA *rsa,
118 int padding)
119 {
120 return -1;
121 }
122
123
124 static int
p11_rsa_private_encrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)125 p11_rsa_private_encrypt(int flen,
126 const unsigned char *from,
127 unsigned char *to,
128 RSA *rsa,
129 int padding)
130 {
131 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
132 CK_OBJECT_HANDLE key = p11rsa->private_key;
133 CK_SESSION_HANDLE session;
134 CK_MECHANISM mechanism;
135 CK_ULONG ck_sigsize;
136 int ret;
137
138 if (padding != RSA_PKCS1_PADDING)
139 return -1;
140
141 memset(&mechanism, 0, sizeof(mechanism));
142 mechanism.mechanism = CKM_RSA_PKCS;
143
144 ck_sigsize = RSA_size(rsa);
145
146 ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
147 if (ret)
148 return -1;
149
150 ret = P11FUNC(p11rsa->p, SignInit, (session, &mechanism, key));
151 if (ret != CKR_OK) {
152 p11_put_session(p11rsa->p, p11rsa->slot, session);
153 return -1;
154 }
155
156 ret = P11FUNC(p11rsa->p, Sign,
157 (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
158 p11_put_session(p11rsa->p, p11rsa->slot, session);
159 if (ret != CKR_OK)
160 return -1;
161
162 return ck_sigsize;
163 }
164
165 static int
p11_rsa_private_decrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)166 p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
167 RSA * rsa, int padding)
168 {
169 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
170 CK_OBJECT_HANDLE key = p11rsa->private_key;
171 CK_SESSION_HANDLE session;
172 CK_MECHANISM mechanism;
173 CK_ULONG ck_sigsize;
174 int ret;
175
176 if (padding != RSA_PKCS1_PADDING)
177 return -1;
178
179 memset(&mechanism, 0, sizeof(mechanism));
180 mechanism.mechanism = CKM_RSA_PKCS;
181
182 ck_sigsize = RSA_size(rsa);
183
184 ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
185 if (ret)
186 return -1;
187
188 ret = P11FUNC(p11rsa->p, DecryptInit, (session, &mechanism, key));
189 if (ret != CKR_OK) {
190 p11_put_session(p11rsa->p, p11rsa->slot, session);
191 return -1;
192 }
193
194 ret = P11FUNC(p11rsa->p, Decrypt,
195 (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
196 p11_put_session(p11rsa->p, p11rsa->slot, session);
197 if (ret != CKR_OK)
198 return -1;
199
200 return ck_sigsize;
201 }
202
203 static int
p11_rsa_init(RSA * rsa)204 p11_rsa_init(RSA *rsa)
205 {
206 return 1;
207 }
208
209 static int
p11_rsa_finish(RSA * rsa)210 p11_rsa_finish(RSA *rsa)
211 {
212 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
213 p11_release_module(p11rsa->p);
214 free(p11rsa);
215 return 1;
216 }
217
218 static const RSA_METHOD p11_rsa_pkcs1_method = {
219 "hx509 PKCS11 PKCS#1 RSA",
220 p11_rsa_public_encrypt,
221 p11_rsa_public_decrypt,
222 p11_rsa_private_encrypt,
223 p11_rsa_private_decrypt,
224 NULL,
225 NULL,
226 p11_rsa_init,
227 p11_rsa_finish,
228 0,
229 NULL,
230 NULL,
231 NULL
232 };
233
234 /*
235 *
236 */
237
238 static int
p11_mech_info(hx509_context context,struct p11_module * p,struct p11_slot * slot,int num)239 p11_mech_info(hx509_context context,
240 struct p11_module *p,
241 struct p11_slot *slot,
242 int num)
243 {
244 CK_ULONG i;
245 int ret;
246
247 ret = P11FUNC(p, GetMechanismList, (slot->id, NULL_PTR, &i));
248 if (ret) {
249 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
250 "Failed to get mech list count for slot %d",
251 num);
252 return HX509_PKCS11_NO_MECH;
253 }
254 if (i == 0) {
255 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
256 "no mech supported for slot %d", num);
257 return HX509_PKCS11_NO_MECH;
258 }
259 slot->mechs.list = calloc(i, sizeof(slot->mechs.list[0]));
260 if (slot->mechs.list == NULL) {
261 hx509_set_error_string(context, 0, ENOMEM,
262 "out of memory");
263 return ENOMEM;
264 }
265 slot->mechs.num = i;
266 ret = P11FUNC(p, GetMechanismList, (slot->id, slot->mechs.list, &i));
267 if (ret) {
268 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
269 "Failed to get mech list for slot %d",
270 num);
271 return HX509_PKCS11_NO_MECH;
272 }
273 assert(i == slot->mechs.num);
274
275 slot->mechs.infos = calloc(i, sizeof(*slot->mechs.infos));
276 if (slot->mechs.list == NULL) {
277 hx509_set_error_string(context, 0, ENOMEM,
278 "out of memory");
279 return ENOMEM;
280 }
281
282 for (i = 0; i < slot->mechs.num; i++) {
283 slot->mechs.infos[i] = calloc(1, sizeof(*(slot->mechs.infos[0])));
284 if (slot->mechs.infos[i] == NULL) {
285 hx509_set_error_string(context, 0, ENOMEM,
286 "out of memory");
287 return ENOMEM;
288 }
289 ret = P11FUNC(p, GetMechanismInfo, (slot->id, slot->mechs.list[i],
290 slot->mechs.infos[i]));
291 if (ret) {
292 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
293 "Failed to get mech info for slot %d",
294 num);
295 return HX509_PKCS11_NO_MECH;
296 }
297 }
298
299 return 0;
300 }
301
302 static int
p11_init_slot(hx509_context context,struct p11_module * p,hx509_lock lock,CK_SLOT_ID id,int num,struct p11_slot * slot)303 p11_init_slot(hx509_context context,
304 struct p11_module *p,
305 hx509_lock lock,
306 CK_SLOT_ID id,
307 int num,
308 struct p11_slot *slot)
309 {
310 CK_SESSION_HANDLE session;
311 CK_SLOT_INFO slot_info;
312 CK_TOKEN_INFO token_info;
313 size_t i;
314 int ret;
315
316 slot->certs = NULL;
317 slot->id = id;
318
319 ret = P11FUNC(p, GetSlotInfo, (slot->id, &slot_info));
320 if (ret) {
321 hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
322 "Failed to init PKCS11 slot %d",
323 num);
324 return HX509_PKCS11_TOKEN_CONFUSED;
325 }
326
327 for (i = sizeof(slot_info.slotDescription) - 1; i > 0; i--) {
328 char c = slot_info.slotDescription[i];
329 if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\0')
330 continue;
331 i++;
332 break;
333 }
334
335 asprintf(&slot->name, "%.*s",
336 (int)i, slot_info.slotDescription);
337
338 if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
339 return 0;
340
341 ret = P11FUNC(p, GetTokenInfo, (slot->id, &token_info));
342 if (ret) {
343 hx509_set_error_string(context, 0, HX509_PKCS11_NO_TOKEN,
344 "Failed to init PKCS11 slot %d "
345 "with error 0x08x",
346 num, ret);
347 return HX509_PKCS11_NO_TOKEN;
348 }
349 slot->flags |= P11_TOKEN_PRESENT;
350
351 if (token_info.flags & CKF_LOGIN_REQUIRED)
352 slot->flags |= P11_LOGIN_REQ;
353
354 ret = p11_get_session(context, p, slot, lock, &session);
355 if (ret)
356 return ret;
357
358 ret = p11_mech_info(context, p, slot, num);
359 if (ret)
360 goto out;
361
362 ret = p11_list_keys(context, p, slot, session, lock, &slot->certs);
363 out:
364 p11_put_session(p, slot, session);
365
366 return ret;
367 }
368
369 static int
p11_get_session(hx509_context context,struct p11_module * p,struct p11_slot * slot,hx509_lock lock,CK_SESSION_HANDLE * psession)370 p11_get_session(hx509_context context,
371 struct p11_module *p,
372 struct p11_slot *slot,
373 hx509_lock lock,
374 CK_SESSION_HANDLE *psession)
375 {
376 CK_RV ret;
377
378 if (slot->flags & P11_SESSION_IN_USE)
379 _hx509_abort("slot already in session");
380
381 if (slot->flags & P11_SESSION) {
382 slot->flags |= P11_SESSION_IN_USE;
383 *psession = slot->session;
384 return 0;
385 }
386
387 ret = P11FUNC(p, OpenSession, (slot->id,
388 CKF_SERIAL_SESSION,
389 NULL,
390 NULL,
391 &slot->session));
392 if (ret != CKR_OK) {
393 if (context)
394 hx509_set_error_string(context, 0, HX509_PKCS11_OPEN_SESSION,
395 "Failed to OpenSession for slot id %d "
396 "with error: 0x%08x",
397 (int)slot->id, ret);
398 return HX509_PKCS11_OPEN_SESSION;
399 }
400
401 slot->flags |= P11_SESSION;
402
403 /*
404 * If we have have to login, and haven't tried before and have a
405 * prompter or known to work pin code.
406 *
407 * This code is very conversative and only uses the prompter in
408 * the hx509_lock, the reason is that it's bad to try many
409 * passwords on a pkcs11 token, it might lock up and have to be
410 * unlocked by a administrator.
411 *
412 * XXX try harder to not use pin several times on the same card.
413 */
414
415 if ( (slot->flags & P11_LOGIN_REQ)
416 && (slot->flags & P11_LOGIN_DONE) == 0
417 && (lock || slot->pin))
418 {
419 hx509_prompt prompt;
420 char pin[20];
421 char *str;
422
423 if (slot->pin == NULL) {
424
425 memset(&prompt, 0, sizeof(prompt));
426
427 asprintf(&str, "PIN code for %s: ", slot->name);
428 prompt.prompt = str;
429 prompt.type = HX509_PROMPT_TYPE_PASSWORD;
430 prompt.reply.data = pin;
431 prompt.reply.length = sizeof(pin);
432
433 ret = hx509_lock_prompt(lock, &prompt);
434 if (ret) {
435 free(str);
436 if (context)
437 hx509_set_error_string(context, 0, ret,
438 "Failed to get pin code for slot "
439 "id %d with error: %d",
440 (int)slot->id, ret);
441 return ret;
442 }
443 free(str);
444 } else {
445 strlcpy(pin, slot->pin, sizeof(pin));
446 }
447
448 ret = P11FUNC(p, Login, (slot->session, CKU_USER,
449 (unsigned char*)pin, strlen(pin)));
450 if (ret != CKR_OK) {
451 if (context)
452 hx509_set_error_string(context, 0, HX509_PKCS11_LOGIN,
453 "Failed to login on slot id %d "
454 "with error: 0x%08x",
455 (int)slot->id, ret);
456 return HX509_PKCS11_LOGIN;
457 } else
458 slot->flags |= P11_LOGIN_DONE;
459
460 if (slot->pin == NULL) {
461 slot->pin = strdup(pin);
462 if (slot->pin == NULL) {
463 if (context)
464 hx509_set_error_string(context, 0, ENOMEM,
465 "out of memory");
466 return ENOMEM;
467 }
468 }
469 } else
470 slot->flags |= P11_LOGIN_DONE;
471
472 slot->flags |= P11_SESSION_IN_USE;
473
474 *psession = slot->session;
475
476 return 0;
477 }
478
479 static int
p11_put_session(struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session)480 p11_put_session(struct p11_module *p,
481 struct p11_slot *slot,
482 CK_SESSION_HANDLE session)
483 {
484 if ((slot->flags & P11_SESSION_IN_USE) == 0)
485 _hx509_abort("slot not in session");
486 slot->flags &= ~P11_SESSION_IN_USE;
487
488 return 0;
489 }
490
491 static int
iterate_entries(hx509_context context,struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session,CK_ATTRIBUTE * search_data,int num_search_data,CK_ATTRIBUTE * query,int num_query,int (* func)(hx509_context,struct p11_module *,struct p11_slot *,CK_SESSION_HANDLE session,CK_OBJECT_HANDLE object,void *,CK_ATTRIBUTE *,int),void * ptr)492 iterate_entries(hx509_context context,
493 struct p11_module *p, struct p11_slot *slot,
494 CK_SESSION_HANDLE session,
495 CK_ATTRIBUTE *search_data, int num_search_data,
496 CK_ATTRIBUTE *query, int num_query,
497 int (*func)(hx509_context,
498 struct p11_module *, struct p11_slot *,
499 CK_SESSION_HANDLE session,
500 CK_OBJECT_HANDLE object,
501 void *, CK_ATTRIBUTE *, int), void *ptr)
502 {
503 CK_OBJECT_HANDLE object;
504 CK_ULONG object_count;
505 int ret, ret2, i;
506
507 ret = P11FUNC(p, FindObjectsInit, (session, search_data, num_search_data));
508 if (ret != CKR_OK) {
509 return -1;
510 }
511 while (1) {
512 ret = P11FUNC(p, FindObjects, (session, &object, 1, &object_count));
513 if (ret != CKR_OK) {
514 return -1;
515 }
516 if (object_count == 0)
517 break;
518
519 for (i = 0; i < num_query; i++)
520 query[i].pValue = NULL;
521
522 ret = P11FUNC(p, GetAttributeValue,
523 (session, object, query, num_query));
524 if (ret != CKR_OK) {
525 return -1;
526 }
527 for (i = 0; i < num_query; i++) {
528 query[i].pValue = malloc(query[i].ulValueLen);
529 if (query[i].pValue == NULL) {
530 ret = ENOMEM;
531 goto out;
532 }
533 }
534 ret = P11FUNC(p, GetAttributeValue,
535 (session, object, query, num_query));
536 if (ret != CKR_OK) {
537 ret = -1;
538 goto out;
539 }
540
541 ret = (*func)(context, p, slot, session, object, ptr, query, num_query);
542 if (ret)
543 goto out;
544
545 for (i = 0; i < num_query; i++) {
546 if (query[i].pValue)
547 free(query[i].pValue);
548 query[i].pValue = NULL;
549 }
550 }
551 out:
552
553 for (i = 0; i < num_query; i++) {
554 if (query[i].pValue)
555 free(query[i].pValue);
556 query[i].pValue = NULL;
557 }
558
559 ret2 = P11FUNC(p, FindObjectsFinal, (session));
560 if (ret2 != CKR_OK) {
561 return ret2;
562 }
563
564 return ret;
565 }
566
567 static BIGNUM *
getattr_bn(struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session,CK_OBJECT_HANDLE object,unsigned int type)568 getattr_bn(struct p11_module *p,
569 struct p11_slot *slot,
570 CK_SESSION_HANDLE session,
571 CK_OBJECT_HANDLE object,
572 unsigned int type)
573 {
574 CK_ATTRIBUTE query;
575 BIGNUM *bn;
576 int ret;
577
578 query.type = type;
579 query.pValue = NULL;
580 query.ulValueLen = 0;
581
582 ret = P11FUNC(p, GetAttributeValue,
583 (session, object, &query, 1));
584 if (ret != CKR_OK)
585 return NULL;
586
587 query.pValue = malloc(query.ulValueLen);
588
589 ret = P11FUNC(p, GetAttributeValue,
590 (session, object, &query, 1));
591 if (ret != CKR_OK) {
592 free(query.pValue);
593 return NULL;
594 }
595 bn = BN_bin2bn(query.pValue, query.ulValueLen, NULL);
596 free(query.pValue);
597
598 return bn;
599 }
600
601 static int
collect_private_key(hx509_context context,struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session,CK_OBJECT_HANDLE object,void * ptr,CK_ATTRIBUTE * query,int num_query)602 collect_private_key(hx509_context context,
603 struct p11_module *p, struct p11_slot *slot,
604 CK_SESSION_HANDLE session,
605 CK_OBJECT_HANDLE object,
606 void *ptr, CK_ATTRIBUTE *query, int num_query)
607 {
608 struct hx509_collector *collector = ptr;
609 hx509_private_key key;
610 heim_octet_string localKeyId;
611 int ret;
612 RSA *rsa;
613 struct p11_rsa *p11rsa;
614
615 localKeyId.data = query[0].pValue;
616 localKeyId.length = query[0].ulValueLen;
617
618 ret = hx509_private_key_init(&key, NULL, NULL);
619 if (ret)
620 return ret;
621
622 rsa = RSA_new();
623 if (rsa == NULL)
624 _hx509_abort("out of memory");
625
626 /*
627 * The exponent and modulus should always be present according to
628 * the pkcs11 specification, but some smartcards leaves it out,
629 * let ignore any failure to fetch it.
630 */
631 rsa->n = getattr_bn(p, slot, session, object, CKA_MODULUS);
632 rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
633
634 p11rsa = calloc(1, sizeof(*p11rsa));
635 if (p11rsa == NULL)
636 _hx509_abort("out of memory");
637
638 p11rsa->p = p;
639 p11rsa->slot = slot;
640 p11rsa->private_key = object;
641
642 if (p->ref == 0)
643 _hx509_abort("pkcs11 ref == 0 on alloc");
644 p->ref++;
645 if (p->ref == UINT_MAX)
646 _hx509_abort("pkcs11 ref == UINT_MAX on alloc");
647
648 RSA_set_method(rsa, &p11_rsa_pkcs1_method);
649 ret = RSA_set_app_data(rsa, p11rsa);
650 if (ret != 1)
651 _hx509_abort("RSA_set_app_data");
652
653 hx509_private_key_assign_rsa(key, rsa);
654
655 ret = _hx509_collector_private_key_add(context,
656 collector,
657 hx509_signature_rsa(),
658 key,
659 NULL,
660 &localKeyId);
661
662 if (ret) {
663 hx509_private_key_free(&key);
664 return ret;
665 }
666 return 0;
667 }
668
669 static void
p11_cert_release(hx509_cert cert,void * ctx)670 p11_cert_release(hx509_cert cert, void *ctx)
671 {
672 struct p11_module *p = ctx;
673 p11_release_module(p);
674 }
675
676
677 static int
collect_cert(hx509_context context,struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session,CK_OBJECT_HANDLE object,void * ptr,CK_ATTRIBUTE * query,int num_query)678 collect_cert(hx509_context context,
679 struct p11_module *p, struct p11_slot *slot,
680 CK_SESSION_HANDLE session,
681 CK_OBJECT_HANDLE object,
682 void *ptr, CK_ATTRIBUTE *query, int num_query)
683 {
684 struct hx509_collector *collector = ptr;
685 hx509_cert cert;
686 int ret;
687
688 if ((CK_LONG)query[0].ulValueLen == -1 ||
689 (CK_LONG)query[1].ulValueLen == -1)
690 {
691 return 0;
692 }
693
694 ret = hx509_cert_init_data(context, query[1].pValue,
695 query[1].ulValueLen, &cert);
696 if (ret)
697 return ret;
698
699 if (p->ref == 0)
700 _hx509_abort("pkcs11 ref == 0 on alloc");
701 p->ref++;
702 if (p->ref == UINT_MAX)
703 _hx509_abort("pkcs11 ref to high");
704
705 _hx509_cert_set_release(cert, p11_cert_release, p);
706
707 {
708 heim_octet_string data;
709
710 data.data = query[0].pValue;
711 data.length = query[0].ulValueLen;
712
713 _hx509_set_cert_attribute(context,
714 cert,
715 &asn1_oid_id_pkcs_9_at_localKeyId,
716 &data);
717 }
718
719 if ((CK_LONG)query[2].ulValueLen != -1) {
720 char *str;
721
722 asprintf(&str, "%.*s",
723 (int)query[2].ulValueLen, (char *)query[2].pValue);
724 if (str) {
725 hx509_cert_set_friendly_name(cert, str);
726 free(str);
727 }
728 }
729
730 ret = _hx509_collector_certs_add(context, collector, cert);
731 hx509_cert_free(cert);
732
733 return ret;
734 }
735
736
737 static int
p11_list_keys(hx509_context context,struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session,hx509_lock lock,hx509_certs * certs)738 p11_list_keys(hx509_context context,
739 struct p11_module *p,
740 struct p11_slot *slot,
741 CK_SESSION_HANDLE session,
742 hx509_lock lock,
743 hx509_certs *certs)
744 {
745 struct hx509_collector *collector;
746 CK_OBJECT_CLASS key_class;
747 CK_ATTRIBUTE search_data[] = {
748 {CKA_CLASS, NULL, 0},
749 };
750 CK_ATTRIBUTE query_data[3] = {
751 {CKA_ID, NULL, 0},
752 {CKA_VALUE, NULL, 0},
753 {CKA_LABEL, NULL, 0}
754 };
755 int ret;
756
757 search_data[0].pValue = &key_class;
758 search_data[0].ulValueLen = sizeof(key_class);
759
760 if (lock == NULL)
761 lock = _hx509_empty_lock;
762
763 ret = _hx509_collector_alloc(context, lock, &collector);
764 if (ret)
765 return ret;
766
767 key_class = CKO_PRIVATE_KEY;
768 ret = iterate_entries(context, p, slot, session,
769 search_data, 1,
770 query_data, 1,
771 collect_private_key, collector);
772 if (ret)
773 goto out;
774
775 key_class = CKO_CERTIFICATE;
776 ret = iterate_entries(context, p, slot, session,
777 search_data, 1,
778 query_data, 3,
779 collect_cert, collector);
780 if (ret)
781 goto out;
782
783 ret = _hx509_collector_collect_certs(context, collector, &slot->certs);
784
785 out:
786 _hx509_collector_free(collector);
787
788 return ret;
789 }
790
791
792 static int
p11_init(hx509_context context,hx509_certs certs,void ** data,int flags,const char * residue,hx509_lock lock)793 p11_init(hx509_context context,
794 hx509_certs certs, void **data, int flags,
795 const char *residue, hx509_lock lock)
796 {
797 CK_C_GetFunctionList getFuncs;
798 struct p11_module *p;
799 char *list, *str;
800 int ret;
801
802 *data = NULL;
803
804 list = strdup(residue);
805 if (list == NULL)
806 return ENOMEM;
807
808 p = calloc(1, sizeof(*p));
809 if (p == NULL) {
810 free(list);
811 return ENOMEM;
812 }
813
814 p->ref = 1;
815
816 str = strchr(list, ',');
817 if (str)
818 *str++ = '\0';
819 while (str) {
820 char *strnext;
821 strnext = strchr(str, ',');
822 if (strnext)
823 *strnext++ = '\0';
824 #if 0
825 if (strncasecmp(str, "slot=", 5) == 0)
826 p->selected_slot = atoi(str + 5);
827 #endif
828 str = strnext;
829 }
830
831 p->dl_handle = dlopen(list, RTLD_NOW);
832 free(list);
833 if (p->dl_handle == NULL) {
834 ret = HX509_PKCS11_LOAD;
835 hx509_set_error_string(context, 0, ret,
836 "Failed to open %s: %s", list, dlerror());
837 goto out;
838 }
839
840 getFuncs = (CK_C_GetFunctionList) dlsym(p->dl_handle, "C_GetFunctionList");
841 if (getFuncs == NULL) {
842 ret = HX509_PKCS11_LOAD;
843 hx509_set_error_string(context, 0, ret,
844 "C_GetFunctionList missing in %s: %s",
845 list, dlerror());
846 goto out;
847 }
848
849 ret = (*getFuncs)(&p->funcs);
850 if (ret) {
851 ret = HX509_PKCS11_LOAD;
852 hx509_set_error_string(context, 0, ret,
853 "C_GetFunctionList failed in %s", list);
854 goto out;
855 }
856
857 ret = P11FUNC(p, Initialize, (NULL_PTR));
858 if (ret != CKR_OK) {
859 ret = HX509_PKCS11_TOKEN_CONFUSED;
860 hx509_set_error_string(context, 0, ret,
861 "Failed initialize the PKCS11 module");
862 goto out;
863 }
864
865 ret = P11FUNC(p, GetSlotList, (FALSE, NULL, &p->num_slots));
866 if (ret) {
867 ret = HX509_PKCS11_TOKEN_CONFUSED;
868 hx509_set_error_string(context, 0, ret,
869 "Failed to get number of PKCS11 slots");
870 goto out;
871 }
872
873 if (p->num_slots == 0) {
874 ret = HX509_PKCS11_NO_SLOT;
875 hx509_set_error_string(context, 0, ret,
876 "Selected PKCS11 module have no slots");
877 goto out;
878 }
879
880
881 {
882 CK_SLOT_ID_PTR slot_ids;
883 int num_tokens = 0;
884 size_t i;
885
886 slot_ids = malloc(p->num_slots * sizeof(*slot_ids));
887 if (slot_ids == NULL) {
888 hx509_clear_error_string(context);
889 ret = ENOMEM;
890 goto out;
891 }
892
893 ret = P11FUNC(p, GetSlotList, (FALSE, slot_ids, &p->num_slots));
894 if (ret) {
895 free(slot_ids);
896 hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
897 "Failed getting slot-list from "
898 "PKCS11 module");
899 ret = HX509_PKCS11_TOKEN_CONFUSED;
900 goto out;
901 }
902
903 p->slot = calloc(p->num_slots, sizeof(p->slot[0]));
904 if (p->slot == NULL) {
905 free(slot_ids);
906 hx509_set_error_string(context, 0, ENOMEM,
907 "Failed to get memory for slot-list");
908 ret = ENOMEM;
909 goto out;
910 }
911
912 for (i = 0; i < p->num_slots; i++) {
913 ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);
914 if (ret)
915 break;
916 if (p->slot[i].flags & P11_TOKEN_PRESENT)
917 num_tokens++;
918 }
919 free(slot_ids);
920 if (ret)
921 goto out;
922 if (num_tokens == 0) {
923 ret = HX509_PKCS11_NO_TOKEN;
924 goto out;
925 }
926 }
927
928 *data = p;
929
930 return 0;
931 out:
932 p11_release_module(p);
933 return ret;
934 }
935
936 static void
p11_release_module(struct p11_module * p)937 p11_release_module(struct p11_module *p)
938 {
939 size_t i;
940
941 if (p->ref == 0)
942 _hx509_abort("pkcs11 ref to low");
943 if (--p->ref > 0)
944 return;
945
946 for (i = 0; i < p->num_slots; i++) {
947 if (p->slot[i].flags & P11_SESSION_IN_USE)
948 _hx509_abort("pkcs11 module release while session in use");
949 if (p->slot[i].flags & P11_SESSION) {
950 P11FUNC(p, CloseSession, (p->slot[i].session));
951 }
952
953 if (p->slot[i].name)
954 free(p->slot[i].name);
955 if (p->slot[i].pin) {
956 memset(p->slot[i].pin, 0, strlen(p->slot[i].pin));
957 free(p->slot[i].pin);
958 }
959 if (p->slot[i].mechs.num) {
960 free(p->slot[i].mechs.list);
961
962 if (p->slot[i].mechs.infos) {
963 size_t j;
964
965 for (j = 0 ; j < p->slot[i].mechs.num ; j++)
966 free(p->slot[i].mechs.infos[j]);
967 free(p->slot[i].mechs.infos);
968 }
969 }
970 }
971 free(p->slot);
972
973 if (p->funcs)
974 P11FUNC(p, Finalize, (NULL));
975
976 if (p->dl_handle)
977 dlclose(p->dl_handle);
978
979 memset(p, 0, sizeof(*p));
980 free(p);
981 }
982
983 static int
p11_free(hx509_certs certs,void * data)984 p11_free(hx509_certs certs, void *data)
985 {
986 struct p11_module *p = data;
987 size_t i;
988
989 for (i = 0; i < p->num_slots; i++) {
990 if (p->slot[i].certs)
991 hx509_certs_free(&p->slot[i].certs);
992 }
993 p11_release_module(p);
994 return 0;
995 }
996
997 struct p11_cursor {
998 hx509_certs certs;
999 void *cursor;
1000 };
1001
1002 static int
p11_iter_start(hx509_context context,hx509_certs certs,void * data,void ** cursor)1003 p11_iter_start(hx509_context context,
1004 hx509_certs certs, void *data, void **cursor)
1005 {
1006 struct p11_module *p = data;
1007 struct p11_cursor *c;
1008 int ret;
1009 size_t i;
1010
1011 c = malloc(sizeof(*c));
1012 if (c == NULL) {
1013 hx509_clear_error_string(context);
1014 return ENOMEM;
1015 }
1016 ret = hx509_certs_init(context, "MEMORY:pkcs11-iter", 0, NULL, &c->certs);
1017 if (ret) {
1018 free(c);
1019 return ret;
1020 }
1021
1022 for (i = 0 ; i < p->num_slots; i++) {
1023 if (p->slot[i].certs == NULL)
1024 continue;
1025 ret = hx509_certs_merge(context, c->certs, p->slot[i].certs);
1026 if (ret) {
1027 hx509_certs_free(&c->certs);
1028 free(c);
1029 return ret;
1030 }
1031 }
1032
1033 ret = hx509_certs_start_seq(context, c->certs, &c->cursor);
1034 if (ret) {
1035 hx509_certs_free(&c->certs);
1036 free(c);
1037 return 0;
1038 }
1039 *cursor = c;
1040
1041 return 0;
1042 }
1043
1044 static int
p11_iter(hx509_context context,hx509_certs certs,void * data,void * cursor,hx509_cert * cert)1045 p11_iter(hx509_context context,
1046 hx509_certs certs, void *data, void *cursor, hx509_cert *cert)
1047 {
1048 struct p11_cursor *c = cursor;
1049 return hx509_certs_next_cert(context, c->certs, c->cursor, cert);
1050 }
1051
1052 static int
p11_iter_end(hx509_context context,hx509_certs certs,void * data,void * cursor)1053 p11_iter_end(hx509_context context,
1054 hx509_certs certs, void *data, void *cursor)
1055 {
1056 struct p11_cursor *c = cursor;
1057 int ret;
1058 ret = hx509_certs_end_seq(context, c->certs, c->cursor);
1059 hx509_certs_free(&c->certs);
1060 free(c);
1061 return ret;
1062 }
1063
1064 #define MECHFLAG(x) { "unknown-flag-" #x, x }
1065 static struct units mechflags[] = {
1066 MECHFLAG(0x80000000),
1067 MECHFLAG(0x40000000),
1068 MECHFLAG(0x20000000),
1069 MECHFLAG(0x10000000),
1070 MECHFLAG(0x08000000),
1071 MECHFLAG(0x04000000),
1072 {"ec-compress", 0x2000000 },
1073 {"ec-uncompress", 0x1000000 },
1074 {"ec-namedcurve", 0x0800000 },
1075 {"ec-ecparameters", 0x0400000 },
1076 {"ec-f-2m", 0x0200000 },
1077 {"ec-f-p", 0x0100000 },
1078 {"derive", 0x0080000 },
1079 {"unwrap", 0x0040000 },
1080 {"wrap", 0x0020000 },
1081 {"genereate-key-pair", 0x0010000 },
1082 {"generate", 0x0008000 },
1083 {"verify-recover", 0x0004000 },
1084 {"verify", 0x0002000 },
1085 {"sign-recover", 0x0001000 },
1086 {"sign", 0x0000800 },
1087 {"digest", 0x0000400 },
1088 {"decrypt", 0x0000200 },
1089 {"encrypt", 0x0000100 },
1090 MECHFLAG(0x00080),
1091 MECHFLAG(0x00040),
1092 MECHFLAG(0x00020),
1093 MECHFLAG(0x00010),
1094 MECHFLAG(0x00008),
1095 MECHFLAG(0x00004),
1096 MECHFLAG(0x00002),
1097 {"hw", 0x0000001 },
1098 { NULL, 0x0000000 }
1099 };
1100 #undef MECHFLAG
1101
1102 static int
p11_printinfo(hx509_context context,hx509_certs certs,void * data,int (* func)(void *,const char *),void * ctx)1103 p11_printinfo(hx509_context context,
1104 hx509_certs certs,
1105 void *data,
1106 int (*func)(void *, const char *),
1107 void *ctx)
1108 {
1109 struct p11_module *p = data;
1110 size_t i, j;
1111
1112 _hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s",
1113 p->num_slots, p->num_slots > 1 ? "s" : "");
1114
1115 for (i = 0; i < p->num_slots; i++) {
1116 struct p11_slot *s = &p->slot[i];
1117
1118 _hx509_pi_printf(func, ctx, "slot %d: id: %d name: %s flags: %08x",
1119 i, (int)s->id, s->name, s->flags);
1120
1121 _hx509_pi_printf(func, ctx, "number of supported mechanisms: %lu",
1122 (unsigned long)s->mechs.num);
1123 for (j = 0; j < s->mechs.num; j++) {
1124 const char *mechname = "unknown";
1125 char flags[256], unknownname[40];
1126 #define MECHNAME(s,n) case s: mechname = n; break
1127 switch(s->mechs.list[j]) {
1128 MECHNAME(CKM_RSA_PKCS_KEY_PAIR_GEN, "rsa-pkcs-key-pair-gen");
1129 MECHNAME(CKM_RSA_PKCS, "rsa-pkcs");
1130 MECHNAME(CKM_RSA_X_509, "rsa-x-509");
1131 MECHNAME(CKM_MD5_RSA_PKCS, "md5-rsa-pkcs");
1132 MECHNAME(CKM_SHA1_RSA_PKCS, "sha1-rsa-pkcs");
1133 MECHNAME(CKM_SHA256_RSA_PKCS, "sha256-rsa-pkcs");
1134 MECHNAME(CKM_SHA384_RSA_PKCS, "sha384-rsa-pkcs");
1135 MECHNAME(CKM_SHA512_RSA_PKCS, "sha512-rsa-pkcs");
1136 MECHNAME(CKM_RIPEMD160_RSA_PKCS, "ripemd160-rsa-pkcs");
1137 MECHNAME(CKM_RSA_PKCS_OAEP, "rsa-pkcs-oaep");
1138 MECHNAME(CKM_SHA512_HMAC, "sha512-hmac");
1139 MECHNAME(CKM_SHA512, "sha512");
1140 MECHNAME(CKM_SHA384_HMAC, "sha384-hmac");
1141 MECHNAME(CKM_SHA384, "sha384");
1142 MECHNAME(CKM_SHA256_HMAC, "sha256-hmac");
1143 MECHNAME(CKM_SHA256, "sha256");
1144 MECHNAME(CKM_SHA_1, "sha1");
1145 MECHNAME(CKM_MD5, "md5");
1146 MECHNAME(CKM_RIPEMD160, "ripemd-160");
1147 MECHNAME(CKM_DES_ECB, "des-ecb");
1148 MECHNAME(CKM_DES_CBC, "des-cbc");
1149 MECHNAME(CKM_AES_ECB, "aes-ecb");
1150 MECHNAME(CKM_AES_CBC, "aes-cbc");
1151 MECHNAME(CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen");
1152 default:
1153 snprintf(unknownname, sizeof(unknownname),
1154 "unknown-mech-%lu",
1155 (unsigned long)s->mechs.list[j]);
1156 mechname = unknownname;
1157 break;
1158 }
1159 #undef MECHNAME
1160 unparse_flags(s->mechs.infos[j]->flags, mechflags,
1161 flags, sizeof(flags));
1162
1163 _hx509_pi_printf(func, ctx, " %s: %s", mechname, flags);
1164 }
1165 }
1166
1167 return 0;
1168 }
1169
1170 static struct hx509_keyset_ops keyset_pkcs11 = {
1171 "PKCS11",
1172 0,
1173 p11_init,
1174 NULL,
1175 p11_free,
1176 NULL,
1177 NULL,
1178 p11_iter_start,
1179 p11_iter,
1180 p11_iter_end,
1181 p11_printinfo
1182 };
1183
1184 #endif /* HAVE_DLOPEN */
1185
1186 void
_hx509_ks_pkcs11_register(hx509_context context)1187 _hx509_ks_pkcs11_register(hx509_context context)
1188 {
1189 #ifdef HAVE_DLOPEN
1190 _hx509_ks_register(context, &keyset_pkcs11);
1191 #endif
1192 }
1193