2002-12-17 11:50:11 +00:00
|
|
|
/*
|
|
|
|
* pkcs11-tool.c: Tool for poking around pkcs11 modules/tokens
|
|
|
|
*
|
2015-10-05 12:06:23 +00:00
|
|
|
* Copyright (C) 2002 Olaf Kirch <okir@suse.de>
|
2002-12-17 11:50:11 +00:00
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
*/
|
|
|
|
|
2010-03-04 08:14:36 +00:00
|
|
|
#include "config.h"
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2015-10-12 06:24:46 +00:00
|
|
|
#include <errno.h>
|
2011-05-22 10:52:44 +00:00
|
|
|
#include <fcntl.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
2015-10-12 06:24:46 +00:00
|
|
|
|
2015-05-13 23:43:40 +00:00
|
|
|
#ifndef _WIN32
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/wait.h>
|
2017-07-17 20:53:07 +00:00
|
|
|
#include <unistd.h>
|
2015-10-12 06:24:46 +00:00
|
|
|
#else
|
2017-07-17 20:53:07 +00:00
|
|
|
#include <windows.h>
|
2015-10-12 06:24:46 +00:00
|
|
|
#include <io.h>
|
2015-05-13 23:43:40 +00:00
|
|
|
#endif
|
2015-10-12 06:24:46 +00:00
|
|
|
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2011-06-02 17:12:12 +00:00
|
|
|
#include <openssl/opensslv.h>
|
2011-05-22 10:52:44 +00:00
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
|
2010-12-03 15:15:29 +00:00
|
|
|
#include <openssl/opensslconf.h>
|
2016-01-06 14:40:59 +00:00
|
|
|
#include <openssl/crypto.h>
|
2011-05-22 10:52:44 +00:00
|
|
|
#endif
|
|
|
|
#include <openssl/conf.h>
|
2010-03-04 08:14:36 +00:00
|
|
|
#include <openssl/evp.h>
|
|
|
|
#include <openssl/x509.h>
|
2016-01-06 14:40:59 +00:00
|
|
|
#include <openssl/x509v3.h>
|
|
|
|
#include <openssl/asn1t.h>
|
2010-03-04 08:14:36 +00:00
|
|
|
#include <openssl/rsa.h>
|
2011-05-22 10:52:44 +00:00
|
|
|
#include <openssl/pem.h>
|
2018-08-22 17:26:33 +00:00
|
|
|
#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDSA)
|
2010-12-01 20:08:42 +00:00
|
|
|
#include <openssl/ec.h>
|
2010-12-03 15:15:29 +00:00
|
|
|
#include <openssl/ecdsa.h>
|
|
|
|
#endif
|
2010-03-04 08:14:36 +00:00
|
|
|
#include <openssl/bn.h>
|
|
|
|
#include <openssl/err.h>
|
2003-01-03 14:33:17 +00:00
|
|
|
#endif
|
|
|
|
|
2010-03-04 08:14:36 +00:00
|
|
|
#include "pkcs11/pkcs11.h"
|
|
|
|
#include "pkcs11/pkcs11-opensc.h"
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
#include "libopensc/asn1.h"
|
2015-01-24 19:17:26 +00:00
|
|
|
#include "common/compat_strlcat.h"
|
|
|
|
#include "common/compat_strlcpy.h"
|
2019-03-20 18:36:20 +00:00
|
|
|
#include "common/libpkcs11.h"
|
2010-03-04 08:14:36 +00:00
|
|
|
#include "util.h"
|
2019-01-30 21:01:24 +00:00
|
|
|
#include "libopensc/sc-ossl-compat.h"
|
2010-03-04 08:14:36 +00:00
|
|
|
|
2016-08-16 08:33:05 +00:00
|
|
|
#ifdef _WIN32
|
|
|
|
#ifndef STDOUT_FILENO
|
|
|
|
#define STDOUT_FILENO 1
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
2019-01-18 15:13:57 +00:00
|
|
|
#ifndef ENABLE_SHARED
|
|
|
|
extern CK_FUNCTION_LIST pkcs11_function_list;
|
|
|
|
#endif
|
2006-12-19 22:11:07 +00:00
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
#define NEED_SESSION_RO 0x01
|
|
|
|
#define NEED_SESSION_RW 0x02
|
|
|
|
|
2011-04-21 14:29:51 +00:00
|
|
|
static struct ec_curve_info {
|
|
|
|
const char *name;
|
|
|
|
const char *oid;
|
|
|
|
const char *oid_encoded;
|
|
|
|
size_t size;
|
|
|
|
} ec_curve_infos[] = {
|
2012-11-28 10:52:43 +00:00
|
|
|
{"secp192r1", "1.2.840.10045.3.1.1", "06082A8648CE3D030101", 192},
|
2014-11-04 16:11:34 +00:00
|
|
|
{"prime192v1", "1.2.840.10045.3.1.1", "06082A8648CE3D030101", 192},
|
2016-04-01 16:08:00 +00:00
|
|
|
{"prime192v2", "1.2.840.10045.3.1.2", "06082A8648CE3D030102", 192},
|
|
|
|
{"prime192v3", "1.2.840.10045.3.1.3", "06082A8648CE3D030103", 192},
|
2015-03-22 12:49:00 +00:00
|
|
|
{"nistp192", "1.2.840.10045.3.1.1", "06082A8648CE3D030101", 192},
|
2012-11-28 10:52:43 +00:00
|
|
|
{"ansiX9p192r1", "1.2.840.10045.3.1.1", "06082A8648CE3D030101", 192},
|
2015-03-22 12:49:00 +00:00
|
|
|
|
|
|
|
{"secp224r1", "1.3.132.0.33", "06052b81040021", 224},
|
|
|
|
{"nistp224", "1.3.132.0.33", "06052b81040021", 224},
|
|
|
|
|
2012-11-28 10:52:43 +00:00
|
|
|
{"prime256v1", "1.2.840.10045.3.1.7", "06082A8648CE3D030107", 256},
|
|
|
|
{"secp256r1", "1.2.840.10045.3.1.7", "06082A8648CE3D030107", 256},
|
|
|
|
{"ansiX9p256r1", "1.2.840.10045.3.1.7", "06082A8648CE3D030107", 256},
|
2016-04-01 16:08:00 +00:00
|
|
|
{"frp256v1", "1.2.250.1.223.101.256.1", "060a2a817a01815f65820001", 256},
|
2015-03-22 12:49:00 +00:00
|
|
|
|
2012-11-28 10:52:43 +00:00
|
|
|
{"secp384r1", "1.3.132.0.34", "06052B81040022", 384},
|
|
|
|
{"prime384v1", "1.3.132.0.34", "06052B81040022", 384},
|
|
|
|
{"ansiX9p384r1", "1.3.132.0.34", "06052B81040022", 384},
|
2015-03-22 12:49:00 +00:00
|
|
|
|
|
|
|
{"secp521r1", "1.3.132.0.35", "06052B81040023", 521},
|
|
|
|
{"nistp521", "1.3.132.0.35", "06052B81040023", 521},
|
|
|
|
|
2012-09-24 20:12:01 +00:00
|
|
|
{"brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3", "06092B2403030208010103", 192},
|
|
|
|
{"brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5", "06092B2403030208010105", 224},
|
|
|
|
{"brainpoolP256r1", "1.3.36.3.3.2.8.1.1.7", "06092B2403030208010107", 256},
|
|
|
|
{"brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9", "06092B2403030208010109", 320},
|
2018-08-30 07:40:56 +00:00
|
|
|
{"brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11", "06092B240303020801010B", 384},
|
|
|
|
{"brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13", "06092B240303020801010D", 512},
|
2015-03-22 12:49:00 +00:00
|
|
|
|
2014-11-04 16:11:34 +00:00
|
|
|
{"secp192k1", "1.3.132.0.31", "06052B8104001F", 192},
|
|
|
|
{"secp256k1", "1.3.132.0.10", "06052B8104000A", 256},
|
2011-05-04 16:45:51 +00:00
|
|
|
{NULL, NULL, NULL, 0},
|
2011-04-21 14:29:51 +00:00
|
|
|
};
|
|
|
|
|
2019-03-25 09:39:36 +00:00
|
|
|
static const struct sc_aid GOST_HASH2001_PARAMSET_OID = { { 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01 }, 9 };
|
|
|
|
static const struct sc_aid GOST_HASH2012_256_PARAMSET_OID = { { 0x06, 0x08, 0x2A, 0x85, 0x03, 0x07, 0x01, 0x01, 0x02, 0x02 }, 10 };
|
|
|
|
static const struct sc_aid GOST_HASH2012_512_PARAMSET_OID = { { 0x06, 0x08, 0x2A, 0x85, 0x03, 0x07, 0x01, 0x01, 0x02, 0x03 }, 10 };
|
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
enum {
|
2003-04-11 11:28:09 +00:00
|
|
|
OPT_MODULE = 0x100,
|
2002-12-17 11:50:11 +00:00
|
|
|
OPT_SLOT,
|
2011-05-30 14:47:50 +00:00
|
|
|
OPT_SLOT_DESCRIPTION,
|
2010-09-21 16:11:26 +00:00
|
|
|
OPT_SLOT_INDEX,
|
2011-05-30 14:47:50 +00:00
|
|
|
OPT_TOKEN_LABEL,
|
2007-06-21 09:37:18 +00:00
|
|
|
OPT_APPLICATION_LABEL,
|
2004-07-26 18:47:23 +00:00
|
|
|
OPT_APPLICATION_ID,
|
2012-08-15 17:59:09 +00:00
|
|
|
OPT_ISSUER,
|
|
|
|
OPT_SUBJECT,
|
2005-05-07 22:22:07 +00:00
|
|
|
OPT_SO_PIN,
|
|
|
|
OPT_INIT_TOKEN,
|
|
|
|
OPT_INIT_PIN,
|
2005-05-21 10:21:53 +00:00
|
|
|
OPT_ATTR_FROM,
|
2006-09-18 05:30:41 +00:00
|
|
|
OPT_KEY_TYPE,
|
2012-06-01 14:44:28 +00:00
|
|
|
OPT_KEY_USAGE_SIGN,
|
|
|
|
OPT_KEY_USAGE_DECRYPT,
|
2014-08-26 14:59:40 +00:00
|
|
|
OPT_KEY_USAGE_DERIVE,
|
2010-01-08 15:41:07 +00:00
|
|
|
OPT_PRIVATE,
|
2017-09-12 13:08:22 +00:00
|
|
|
OPT_SENSITIVE,
|
2010-09-24 07:24:43 +00:00
|
|
|
OPT_TEST_HOTPLUG,
|
2010-01-08 15:41:07 +00:00
|
|
|
OPT_UNLOCK_PIN,
|
|
|
|
OPT_PUK,
|
|
|
|
OPT_NEW_PIN,
|
2011-04-21 16:18:23 +00:00
|
|
|
OPT_LOGIN_TYPE,
|
2012-06-01 14:44:28 +00:00
|
|
|
OPT_TEST_EC,
|
2015-04-30 11:50:28 +00:00
|
|
|
OPT_DERIVE,
|
2016-11-20 17:28:42 +00:00
|
|
|
OPT_DERIVE_PASS_DER,
|
2015-05-13 23:43:40 +00:00
|
|
|
OPT_DECRYPT,
|
|
|
|
OPT_TEST_FORK,
|
2016-06-23 16:18:55 +00:00
|
|
|
OPT_GENERATE_KEY,
|
2017-03-27 08:52:38 +00:00
|
|
|
OPT_GENERATE_RANDOM,
|
2017-09-21 09:19:22 +00:00
|
|
|
OPT_HASH_ALGORITHM,
|
|
|
|
OPT_MGF,
|
|
|
|
OPT_SALT,
|
2018-07-22 14:29:19 +00:00
|
|
|
OPT_VERIFY,
|
|
|
|
OPT_SIGNATURE_FILE,
|
2019-03-08 16:52:31 +00:00
|
|
|
OPT_ALWAYS_AUTH,
|
2019-03-31 21:33:41 +00:00
|
|
|
OPT_ALLOWED_MECHANISMS,
|
|
|
|
OPT_OBJECT_INDEX
|
2002-12-17 11:50:11 +00:00
|
|
|
};
|
|
|
|
|
2007-06-29 13:19:19 +00:00
|
|
|
static const struct option options[] = {
|
2011-05-17 13:27:09 +00:00
|
|
|
{ "module", 1, NULL, OPT_MODULE },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "show-info", 0, NULL, 'I' },
|
|
|
|
{ "list-slots", 0, NULL, 'L' },
|
2008-11-21 22:34:31 +00:00
|
|
|
{ "list-token-slots", 0, NULL, 'T' },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "list-mechanisms", 0, NULL, 'M' },
|
|
|
|
{ "list-objects", 0, NULL, 'O' },
|
|
|
|
|
|
|
|
{ "sign", 0, NULL, 's' },
|
2018-07-22 14:29:19 +00:00
|
|
|
{ "verify", 0, NULL, OPT_VERIFY },
|
2015-04-30 11:50:28 +00:00
|
|
|
{ "decrypt", 0, NULL, OPT_DECRYPT },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "hash", 0, NULL, 'h' },
|
2012-06-01 14:44:28 +00:00
|
|
|
{ "derive", 0, NULL, OPT_DERIVE },
|
2016-11-20 17:28:42 +00:00
|
|
|
{ "derive-pass-der", 0, NULL, OPT_DERIVE_PASS_DER },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "mechanism", 1, NULL, 'm' },
|
2017-09-21 09:19:22 +00:00
|
|
|
{ "hash-algorithm", 1, NULL, OPT_HASH_ALGORITHM },
|
|
|
|
{ "mgf", 1, NULL, OPT_MGF },
|
|
|
|
{ "salt-len", 1, NULL, OPT_SALT },
|
2007-06-21 12:58:57 +00:00
|
|
|
|
|
|
|
{ "login", 0, NULL, 'l' },
|
2016-06-23 16:18:55 +00:00
|
|
|
{ "login-type", 1, NULL, OPT_LOGIN_TYPE },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "pin", 1, NULL, 'p' },
|
2010-01-08 15:41:07 +00:00
|
|
|
{ "puk", 1, NULL, OPT_PUK },
|
|
|
|
{ "new-pin", 1, NULL, OPT_NEW_PIN },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "so-pin", 1, NULL, OPT_SO_PIN },
|
|
|
|
{ "init-token", 0, NULL, OPT_INIT_TOKEN },
|
|
|
|
{ "init-pin", 0, NULL, OPT_INIT_PIN },
|
|
|
|
{ "change-pin", 0, NULL, 'c' },
|
2010-01-08 15:41:07 +00:00
|
|
|
{ "unlock-pin", 0, NULL, OPT_UNLOCK_PIN },
|
2012-06-01 14:44:28 +00:00
|
|
|
{ "keypairgen", 0, NULL, 'k' },
|
2016-06-23 16:18:55 +00:00
|
|
|
{ "keygen", 0, NULL, OPT_GENERATE_KEY },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "key-type", 1, NULL, OPT_KEY_TYPE },
|
2012-06-01 14:44:28 +00:00
|
|
|
{ "usage-sign", 0, NULL, OPT_KEY_USAGE_SIGN },
|
|
|
|
{ "usage-decrypt", 0, NULL, OPT_KEY_USAGE_DECRYPT },
|
2014-08-26 14:59:40 +00:00
|
|
|
{ "usage-derive", 0, NULL, OPT_KEY_USAGE_DERIVE },
|
2012-06-01 14:44:28 +00:00
|
|
|
{ "write-object", 1, NULL, 'w' },
|
|
|
|
{ "read-object", 0, NULL, 'r' },
|
|
|
|
{ "delete-object", 0, NULL, 'b' },
|
|
|
|
{ "application-label", 1, NULL, OPT_APPLICATION_LABEL },
|
|
|
|
{ "application-id", 1, NULL, OPT_APPLICATION_ID },
|
2012-08-15 17:59:09 +00:00
|
|
|
{ "issuer", 1, NULL, OPT_ISSUER },
|
|
|
|
{ "subject", 1, NULL, OPT_SUBJECT },
|
2012-06-01 14:44:28 +00:00
|
|
|
{ "type", 1, NULL, 'y' },
|
|
|
|
{ "id", 1, NULL, 'd' },
|
|
|
|
{ "label", 1, NULL, 'a' },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "slot", 1, NULL, OPT_SLOT },
|
2011-05-30 14:47:50 +00:00
|
|
|
{ "slot-description", 1, NULL, OPT_SLOT_DESCRIPTION },
|
2010-09-21 16:11:26 +00:00
|
|
|
{ "slot-index", 1, NULL, OPT_SLOT_INDEX },
|
2019-03-31 21:33:41 +00:00
|
|
|
{ "object-index", 1, NULL, OPT_OBJECT_INDEX },
|
2011-05-30 14:47:50 +00:00
|
|
|
{ "token-label", 1, NULL, OPT_TOKEN_LABEL },
|
2012-06-01 14:44:28 +00:00
|
|
|
{ "set-id", 1, NULL, 'e' },
|
|
|
|
{ "attr-from", 1, NULL, OPT_ATTR_FROM },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "input-file", 1, NULL, 'i' },
|
2018-07-22 14:29:19 +00:00
|
|
|
{ "signature-file", 1, NULL, OPT_SIGNATURE_FILE },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "output-file", 1, NULL, 'o' },
|
2015-04-03 12:01:41 +00:00
|
|
|
{ "signature-format", 1, NULL, 'f' },
|
2019-03-08 16:52:31 +00:00
|
|
|
{ "allowed-mechanisms", 1, NULL, OPT_ALLOWED_MECHANISMS },
|
2007-06-21 12:58:57 +00:00
|
|
|
|
|
|
|
{ "test", 0, NULL, 't' },
|
2010-09-24 07:24:43 +00:00
|
|
|
{ "test-hotplug", 0, NULL, OPT_TEST_HOTPLUG },
|
2007-06-21 12:58:57 +00:00
|
|
|
{ "moz-cert", 1, NULL, 'z' },
|
|
|
|
{ "verbose", 0, NULL, 'v' },
|
|
|
|
{ "private", 0, NULL, OPT_PRIVATE },
|
2017-09-12 13:08:22 +00:00
|
|
|
{ "sensitive", 0, NULL, OPT_SENSITIVE },
|
2018-12-04 11:57:44 +00:00
|
|
|
{ "always-auth", 0, NULL, OPT_ALWAYS_AUTH },
|
2011-04-21 16:18:23 +00:00
|
|
|
{ "test-ec", 0, NULL, OPT_TEST_EC },
|
2015-05-13 23:43:40 +00:00
|
|
|
#ifndef _WIN32
|
|
|
|
{ "test-fork", 0, NULL, OPT_TEST_FORK },
|
|
|
|
#endif
|
2017-03-27 08:52:38 +00:00
|
|
|
{ "generate-random", 1, NULL, OPT_GENERATE_RANDOM },
|
2012-06-01 14:44:28 +00:00
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
{ NULL, 0, NULL, 0 }
|
2002-12-17 11:50:11 +00:00
|
|
|
};
|
|
|
|
|
2007-06-29 13:19:19 +00:00
|
|
|
static const char *option_help[] = {
|
2014-12-19 21:12:25 +00:00
|
|
|
"Specify the module to load (default:" DEFAULT_PKCS11_PROVIDER ")",
|
2002-12-17 11:50:11 +00:00
|
|
|
"Show global token information",
|
2008-11-21 22:34:31 +00:00
|
|
|
"List available slots",
|
|
|
|
"List slots with tokens",
|
2002-12-17 11:50:11 +00:00
|
|
|
"List mechanisms supported by the token",
|
2004-12-20 20:05:47 +00:00
|
|
|
"Show objects on token",
|
2002-12-17 11:50:11 +00:00
|
|
|
|
|
|
|
"Sign some data",
|
2018-07-22 14:29:19 +00:00
|
|
|
"Verify a signature of some data",
|
2015-04-30 11:50:28 +00:00
|
|
|
"Decrypt some data",
|
2002-12-22 23:16:47 +00:00
|
|
|
"Hash some data",
|
2012-06-01 14:44:28 +00:00
|
|
|
"Derive a secret key using another key and some data",
|
2016-12-14 06:14:19 +00:00
|
|
|
"Derive ECDHpass DER encoded pubkey for compatibility with some PKCS#11 implementations",
|
2018-03-27 00:48:05 +00:00
|
|
|
"Specify mechanism (use -M for a list of supported mechanisms), or by hexadecimal, e.g., 0x80001234",
|
2017-10-19 20:12:47 +00:00
|
|
|
"Specify hash algorithm used with RSA-PKCS-PSS signature and RSA-PKCS-OAEP decryption",
|
|
|
|
"Specify MGF (Message Generation Function) used for RSA-PSS signature and RSA-OAEP decryption (possible values are MGF1-SHA1 to MGF1-SHA512)",
|
2017-09-21 09:19:22 +00:00
|
|
|
"Specify how many bytes should be used for salt in RSA-PSS signatures (default is digest size)",
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2010-01-08 15:41:07 +00:00
|
|
|
"Log into the token first",
|
|
|
|
"Specify login type ('so', 'user', 'context-specific'; default:'user')",
|
2005-05-07 22:22:07 +00:00
|
|
|
"Supply User PIN on the command line (if used in scripts: careful!)",
|
2010-01-08 15:41:07 +00:00
|
|
|
"Supply User PUK on the command line",
|
|
|
|
"Supply new User PIN on the command line",
|
2005-05-07 22:22:07 +00:00
|
|
|
"Supply SO PIN on the command line (if used in scripts: careful!)",
|
|
|
|
"Initialize the token, its label and its SO PIN (use with --label and --so-pin)",
|
2010-01-08 15:41:07 +00:00
|
|
|
"Initialize the User PIN (use with --pin and --login)",
|
|
|
|
"Change User PIN",
|
2011-05-17 13:27:13 +00:00
|
|
|
"Unlock User PIN (without '--login' unlock in logged in session; otherwise '--login-type' has to be 'context-specific')",
|
2003-06-03 13:57:52 +00:00
|
|
|
"Key pair generation",
|
2016-06-23 16:18:55 +00:00
|
|
|
"Key generation",
|
2019-03-21 12:29:32 +00:00
|
|
|
"Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1 or GOSTR3410-2012-256:B",
|
2014-08-26 14:59:40 +00:00
|
|
|
"Specify 'sign' key usage flag (sets SIGN in privkey, sets VERIFY in pubkey)",
|
|
|
|
"Specify 'decrypt' key usage flag (RSA only, set DECRYPT privkey, ENCRYPT in pubkey)",
|
|
|
|
"Specify 'derive' key usage flag (EC only)",
|
2007-06-21 09:37:18 +00:00
|
|
|
"Write an object (key, cert, data) to the card",
|
2004-07-26 18:47:23 +00:00
|
|
|
"Get object's CKA_VALUE attribute (use with --type)",
|
2016-08-18 07:29:18 +00:00
|
|
|
"Delete an object (use with --type cert/data/privkey/pubkey/secrkey)",
|
2007-06-21 09:37:18 +00:00
|
|
|
"Specify the application label of the data object (use with --type data)",
|
2011-05-17 13:27:13 +00:00
|
|
|
"Specify the application ID of the data object (use with --type data)",
|
2012-08-15 17:59:09 +00:00
|
|
|
"Specify the issuer in hexadecimal format (use with --type cert)",
|
|
|
|
"Specify the subject in hexadecimal format (use with --type cert/privkey/pubkey)",
|
2019-01-15 06:32:41 +00:00
|
|
|
"Specify the type of object (e.g. cert, privkey, pubkey, secrkey, data)",
|
2011-05-17 13:27:13 +00:00
|
|
|
"Specify the ID of the object",
|
2003-06-18 20:49:20 +00:00
|
|
|
"Specify the label of the object",
|
2010-09-21 16:11:26 +00:00
|
|
|
"Specify the ID of the slot to use",
|
2011-05-30 14:47:50 +00:00
|
|
|
"Specify the description of the slot to use",
|
2012-04-02 22:00:56 +00:00
|
|
|
"Specify the index of the slot to use",
|
2019-03-31 21:33:41 +00:00
|
|
|
"Specify the index of the object to use",
|
2011-05-30 14:47:50 +00:00
|
|
|
"Specify the token label of the slot to use",
|
2004-12-20 20:05:47 +00:00
|
|
|
"Set the CKA_ID of an object, <args>= the (new) CKA_ID",
|
2005-05-21 10:21:53 +00:00
|
|
|
"Use <arg> to create some attributes when writing an object",
|
2002-12-17 11:50:11 +00:00
|
|
|
"Specify the input file",
|
2018-07-22 14:29:19 +00:00
|
|
|
"Specify the file with signature for verification",
|
2002-12-17 11:50:11 +00:00
|
|
|
"Specify the output file",
|
2015-04-03 12:01:41 +00:00
|
|
|
"Format for ECDSA signature <arg>: 'rs' (default), 'sequence', 'openssl'",
|
2019-03-08 16:52:31 +00:00
|
|
|
"Specify the comma-separated list of allowed mechanisms when creating an object.",
|
2003-01-03 14:33:17 +00:00
|
|
|
|
2003-07-24 11:29:08 +00:00
|
|
|
"Test (best used with the --login or --pin option)",
|
2010-01-15 09:33:27 +00:00
|
|
|
"Test hotplug capabilities (C_GetSlotList + C_WaitForSlotEvent)",
|
2004-06-13 20:13:12 +00:00
|
|
|
"Test Mozilla-like keypair gen and cert req, <arg>=certfile",
|
2010-09-21 16:11:36 +00:00
|
|
|
"Verbose operation. (Set OPENSC_DEBUG to enable OpenSC specific debugging)",
|
2011-04-21 16:18:23 +00:00
|
|
|
"Set the CKA_PRIVATE attribute (object is only viewable after a login)",
|
2017-09-12 13:08:22 +00:00
|
|
|
"Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext)",
|
2018-12-04 11:57:44 +00:00
|
|
|
"Set the CKA_ALWAYS_AUTHENTICATE attribute to a key object (require PIN verification for each use)",
|
2015-05-13 23:43:40 +00:00
|
|
|
"Test EC (best used with the --login or --pin option)",
|
|
|
|
#ifndef _WIN32
|
|
|
|
"Test forking and calling C_Initialize() in the child",
|
|
|
|
#endif
|
2018-12-04 11:57:44 +00:00
|
|
|
"Generate given amount of random data"
|
2002-12-17 11:50:11 +00:00
|
|
|
};
|
|
|
|
|
2007-06-29 13:19:19 +00:00
|
|
|
static const char * app_name = "pkcs11-tool"; /* for utils.c */
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2004-06-13 20:13:12 +00:00
|
|
|
static int verbose = 0;
|
2002-12-17 11:50:11 +00:00
|
|
|
static const char * opt_input = NULL;
|
|
|
|
static const char * opt_output = NULL;
|
2018-07-22 14:29:19 +00:00
|
|
|
static const char * opt_signature_file = NULL;
|
2014-12-19 21:12:25 +00:00
|
|
|
static const char * opt_module = DEFAULT_PKCS11_PROVIDER;
|
2010-09-21 16:11:26 +00:00
|
|
|
static int opt_slot_set = 0;
|
|
|
|
static CK_SLOT_ID opt_slot = 0;
|
2011-05-30 14:47:50 +00:00
|
|
|
static const char * opt_slot_description = NULL;
|
|
|
|
static const char * opt_token_label = NULL;
|
2010-09-21 16:11:26 +00:00
|
|
|
static CK_ULONG opt_slot_index = 0;
|
2010-10-08 08:36:48 +00:00
|
|
|
static int opt_slot_index_set = 0;
|
2019-03-31 21:33:41 +00:00
|
|
|
static CK_ULONG opt_object_index = 0;
|
|
|
|
static int opt_object_index_set = 0;
|
2010-09-21 16:11:26 +00:00
|
|
|
static CK_MECHANISM_TYPE opt_mechanism = 0;
|
|
|
|
static int opt_mechanism_used = 0;
|
2003-06-04 12:30:02 +00:00
|
|
|
static const char * opt_file_to_write = NULL;
|
2003-06-27 12:02:39 +00:00
|
|
|
static const char * opt_object_class_str = NULL;
|
|
|
|
static CK_OBJECT_CLASS opt_object_class = -1;
|
|
|
|
static CK_BYTE opt_object_id[100], new_object_id[100];
|
2005-05-21 10:21:53 +00:00
|
|
|
static const char * opt_attr_from_file = NULL;
|
2003-09-25 09:33:16 +00:00
|
|
|
static size_t opt_object_id_len = 0, new_object_id_len = 0;
|
2003-06-18 20:49:20 +00:00
|
|
|
static char * opt_object_label = NULL;
|
2014-11-04 20:44:02 +00:00
|
|
|
static const char * opt_pin = NULL;
|
|
|
|
static const char * opt_so_pin = NULL;
|
|
|
|
static const char * opt_puk = NULL;
|
|
|
|
static const char * opt_new_pin = NULL;
|
2007-06-21 09:37:18 +00:00
|
|
|
static char * opt_application_label = NULL;
|
2005-09-27 17:22:48 +00:00
|
|
|
static char * opt_application_id = NULL;
|
2012-08-15 17:59:09 +00:00
|
|
|
static char * opt_issuer = NULL;
|
|
|
|
static char * opt_subject = NULL;
|
2005-09-27 17:22:48 +00:00
|
|
|
static char * opt_key_type = NULL;
|
2015-04-03 12:01:41 +00:00
|
|
|
static char * opt_sig_format = NULL;
|
2019-03-08 16:52:31 +00:00
|
|
|
#define MAX_ALLOWED_MECHANISMS 20
|
|
|
|
static CK_MECHANISM_TYPE opt_allowed_mechanisms[MAX_ALLOWED_MECHANISMS];
|
|
|
|
static size_t opt_allowed_mechanisms_len = 0;
|
2010-09-21 16:11:31 +00:00
|
|
|
static int opt_is_private = 0;
|
2017-09-12 13:08:22 +00:00
|
|
|
static int opt_is_sensitive = 0;
|
2010-09-21 16:11:31 +00:00
|
|
|
static int opt_test_hotplug = 0;
|
|
|
|
static int opt_login_type = -1;
|
2012-06-01 14:44:28 +00:00
|
|
|
static int opt_key_usage_sign = 0;
|
|
|
|
static int opt_key_usage_decrypt = 0;
|
2014-08-26 14:59:40 +00:00
|
|
|
static int opt_key_usage_derive = 0;
|
|
|
|
static int opt_key_usage_default = 1; /* uses defaults if no opt_key_usage options */
|
2016-11-20 17:28:42 +00:00
|
|
|
static int opt_derive_pass_der = 0;
|
2017-03-27 08:52:38 +00:00
|
|
|
static unsigned long opt_random_bytes = 0;
|
2017-09-21 09:19:22 +00:00
|
|
|
static CK_MECHANISM_TYPE opt_hash_alg = 0;
|
|
|
|
static unsigned long opt_mgf = 0;
|
2018-07-22 14:29:19 +00:00
|
|
|
static long opt_salt_len = 0;
|
|
|
|
static int opt_salt_len_given = 0; /* 0 - not given, 1 - given with input parameters */
|
2018-11-26 15:02:59 +00:00
|
|
|
static int opt_always_auth = 0;
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2003-09-06 16:18:15 +00:00
|
|
|
static void *module = NULL;
|
2002-12-17 11:50:11 +00:00
|
|
|
static CK_FUNCTION_LIST_PTR p11 = NULL;
|
|
|
|
static CK_SLOT_ID_PTR p11_slots = NULL;
|
|
|
|
static CK_ULONG p11_num_slots = 0;
|
2012-09-24 09:48:33 +00:00
|
|
|
static int suppress_warn = 0;
|
2002-12-17 11:50:11 +00:00
|
|
|
|
|
|
|
struct flag_info {
|
|
|
|
CK_FLAGS value;
|
|
|
|
const char * name;
|
|
|
|
};
|
|
|
|
struct mech_info {
|
|
|
|
CK_MECHANISM_TYPE mech;
|
|
|
|
const char * name;
|
|
|
|
const char * short_name;
|
|
|
|
};
|
2005-05-21 10:21:53 +00:00
|
|
|
struct x509cert_info {
|
2018-07-01 00:24:30 +00:00
|
|
|
unsigned char subject[512];
|
2005-05-21 10:21:53 +00:00
|
|
|
int subject_len;
|
2018-07-01 00:24:30 +00:00
|
|
|
unsigned char issuer[512];
|
2005-05-21 10:21:53 +00:00
|
|
|
int issuer_len;
|
2005-07-06 12:59:45 +00:00
|
|
|
unsigned char serialnum[128];
|
2005-05-21 10:21:53 +00:00
|
|
|
int serialnum_len;
|
|
|
|
};
|
|
|
|
struct rsakey_info {
|
|
|
|
unsigned char *modulus;
|
|
|
|
int modulus_len;
|
|
|
|
unsigned char *public_exponent;
|
|
|
|
int public_exponent_len;
|
|
|
|
unsigned char *private_exponent;
|
|
|
|
int private_exponent_len;
|
|
|
|
unsigned char *prime_1;
|
|
|
|
int prime_1_len;
|
|
|
|
unsigned char *prime_2;
|
|
|
|
int prime_2_len;
|
|
|
|
unsigned char *exponent_1;
|
|
|
|
int exponent_1_len;
|
|
|
|
unsigned char *exponent_2;
|
|
|
|
int exponent_2_len;
|
|
|
|
unsigned char *coefficient;
|
|
|
|
int coefficient_len;
|
|
|
|
};
|
2011-05-22 10:52:44 +00:00
|
|
|
struct gostkey_info {
|
|
|
|
struct sc_lv_data param_oid;
|
|
|
|
struct sc_lv_data public;
|
|
|
|
struct sc_lv_data private;
|
|
|
|
};
|
2002-12-17 11:50:11 +00:00
|
|
|
|
|
|
|
static void show_cryptoki_info(void);
|
2010-01-15 09:36:00 +00:00
|
|
|
static void list_slots(int, int, int);
|
2003-01-16 20:10:28 +00:00
|
|
|
static void show_token(CK_SLOT_ID);
|
2002-12-17 11:50:11 +00:00
|
|
|
static void list_mechs(CK_SLOT_ID);
|
2011-04-11 13:00:57 +00:00
|
|
|
static void list_objects(CK_SESSION_HANDLE, CK_OBJECT_CLASS);
|
2005-05-07 22:22:07 +00:00
|
|
|
static int login(CK_SESSION_HANDLE, int);
|
|
|
|
static void init_token(CK_SLOT_ID);
|
|
|
|
static void init_pin(CK_SLOT_ID, CK_SESSION_HANDLE);
|
2003-02-10 14:08:54 +00:00
|
|
|
static int change_pin(CK_SLOT_ID, CK_SESSION_HANDLE);
|
2012-06-01 14:44:28 +00:00
|
|
|
static int unlock_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess, int login_type);
|
2002-12-17 11:50:11 +00:00
|
|
|
static void show_object(CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
|
2010-12-17 23:02:03 +00:00
|
|
|
static void show_key(CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
|
2003-01-27 13:33:28 +00:00
|
|
|
static void show_cert(CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
|
2004-07-26 18:47:23 +00:00
|
|
|
static void show_dobj(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj);
|
2015-04-30 11:50:28 +00:00
|
|
|
static void sign_data(CK_SLOT_ID, CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
|
2018-07-22 14:29:19 +00:00
|
|
|
static void verify_signature(CK_SLOT_ID, CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
|
2015-04-30 11:50:28 +00:00
|
|
|
static void decrypt_data(CK_SLOT_ID, CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
|
2002-12-22 23:16:47 +00:00
|
|
|
static void hash_data(CK_SLOT_ID, CK_SESSION_HANDLE);
|
2012-06-01 14:44:28 +00:00
|
|
|
static void derive_key(CK_SLOT_ID, CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
|
2016-02-16 12:38:51 +00:00
|
|
|
static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE,
|
2005-09-27 17:22:48 +00:00
|
|
|
CK_OBJECT_HANDLE *, CK_OBJECT_HANDLE *, const char *);
|
2016-06-23 16:18:55 +00:00
|
|
|
static int gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE, CK_OBJECT_HANDLE *, const char *, char *);
|
2012-06-01 14:44:28 +00:00
|
|
|
static int write_object(CK_SESSION_HANDLE session);
|
|
|
|
static int read_object(CK_SESSION_HANDLE session);
|
|
|
|
static int delete_object(CK_SESSION_HANDLE session);
|
|
|
|
static void set_id_attr(CK_SESSION_HANDLE session);
|
2003-01-31 15:32:27 +00:00
|
|
|
static int find_object(CK_SESSION_HANDLE, CK_OBJECT_CLASS,
|
2003-01-03 14:33:17 +00:00
|
|
|
CK_OBJECT_HANDLE_PTR,
|
2003-01-31 15:32:27 +00:00
|
|
|
const unsigned char *, size_t id_len, int obj_index);
|
2012-08-12 19:19:57 +00:00
|
|
|
static int find_mechanism(CK_SLOT_ID, CK_FLAGS, CK_MECHANISM_TYPE_PTR, size_t, CK_MECHANISM_TYPE_PTR);
|
2011-05-30 14:47:50 +00:00
|
|
|
static int find_slot_by_description(const char *, CK_SLOT_ID_PTR);
|
|
|
|
static int find_slot_by_token_label(const char *, CK_SLOT_ID_PTR);
|
2002-12-17 11:50:11 +00:00
|
|
|
static void get_token_info(CK_SLOT_ID, CK_TOKEN_INFO_PTR);
|
2004-01-07 09:32:58 +00:00
|
|
|
static CK_ULONG get_mechanisms(CK_SLOT_ID,
|
|
|
|
CK_MECHANISM_TYPE_PTR *, CK_FLAGS);
|
2002-12-17 11:50:11 +00:00
|
|
|
static void p11_fatal(const char *, CK_RV);
|
2005-01-23 19:48:48 +00:00
|
|
|
static void p11_warn(const char *, CK_RV);
|
2002-12-17 11:50:11 +00:00
|
|
|
static const char * p11_slot_info_flags(CK_FLAGS);
|
|
|
|
static const char * p11_token_info_flags(CK_FLAGS);
|
|
|
|
static const char * p11_utf8_to_local(CK_UTF8CHAR *, size_t);
|
|
|
|
static const char * p11_flag_names(struct flag_info *, CK_FLAGS);
|
|
|
|
static const char * p11_mechanism_to_name(CK_MECHANISM_TYPE);
|
|
|
|
static CK_MECHANISM_TYPE p11_name_to_mechanism(const char *);
|
2017-09-21 09:19:22 +00:00
|
|
|
static const char * p11_mgf_to_name(CK_RSA_PKCS_MGF_TYPE);
|
|
|
|
static CK_MECHANISM_TYPE p11_name_to_mgf(const char *);
|
2003-02-03 12:23:05 +00:00
|
|
|
static void p11_perror(const char *, CK_RV);
|
2002-12-22 23:16:47 +00:00
|
|
|
static const char * CKR2Str(CK_ULONG res);
|
2011-06-01 18:51:26 +00:00
|
|
|
static int p11_test(CK_SESSION_HANDLE session);
|
2010-09-24 07:24:43 +00:00
|
|
|
static int test_card_detection(int);
|
2003-06-24 09:14:57 +00:00
|
|
|
static int hex_to_bin(const char *in, CK_BYTE *out, size_t *outlen);
|
2016-06-03 23:02:01 +00:00
|
|
|
static void pseudo_randomize(unsigned char *data, size_t dataLen);
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
static CK_SESSION_HANDLE test_kpgen_certwrite(CK_SLOT_ID slot, CK_SESSION_HANDLE session);
|
2011-04-21 16:18:23 +00:00
|
|
|
static void test_ec(CK_SLOT_ID slot, CK_SESSION_HANDLE session);
|
2015-05-13 23:43:40 +00:00
|
|
|
#ifndef _WIN32
|
|
|
|
static void test_fork(void);
|
|
|
|
#endif
|
2017-03-27 08:52:38 +00:00
|
|
|
static void generate_random(CK_SESSION_HANDLE session);
|
2012-06-01 14:44:28 +00:00
|
|
|
static CK_RV find_object_with_attributes(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *out,
|
|
|
|
CK_ATTRIBUTE *attrs, CK_ULONG attrsLen, CK_ULONG obj_index);
|
2004-12-09 08:23:57 +00:00
|
|
|
static CK_ULONG get_private_key_length(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE prkey);
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2003-01-20 10:02:07 +00:00
|
|
|
/* win32 needs this in open(2) */
|
|
|
|
#ifndef O_BINARY
|
|
|
|
# define O_BINARY 0
|
|
|
|
#endif
|
|
|
|
|
2017-06-14 20:53:41 +00:00
|
|
|
#define ATTR_METHOD(ATTR, TYPE) \
|
|
|
|
static TYPE \
|
|
|
|
get##ATTR(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj) \
|
|
|
|
{ \
|
|
|
|
TYPE type = 0; \
|
|
|
|
CK_ATTRIBUTE attr = { CKA_##ATTR, &type, sizeof(type) }; \
|
|
|
|
CK_RV rv; \
|
|
|
|
\
|
|
|
|
rv = p11->C_GetAttributeValue(sess, obj, &attr, 1); \
|
|
|
|
if (rv != CKR_OK) \
|
|
|
|
p11_warn("C_GetAttributeValue(" #ATTR ")", rv); \
|
|
|
|
return type; \
|
|
|
|
}
|
|
|
|
|
|
|
|
#define VARATTR_METHOD(ATTR, TYPE) \
|
|
|
|
static TYPE * \
|
|
|
|
get##ATTR(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj, CK_ULONG_PTR pulCount) \
|
|
|
|
{ \
|
|
|
|
CK_ATTRIBUTE attr = { CKA_##ATTR, NULL, 0 }; \
|
|
|
|
CK_RV rv; \
|
|
|
|
if (pulCount) \
|
|
|
|
*pulCount = 0; \
|
|
|
|
rv = p11->C_GetAttributeValue(sess, obj, &attr, 1); \
|
|
|
|
if (rv == CKR_OK) { \
|
|
|
|
if (attr.ulValueLen == (CK_ULONG)(-1)) \
|
|
|
|
return NULL; \
|
|
|
|
if (!(attr.pValue = calloc(1, attr.ulValueLen + 1))) \
|
|
|
|
util_fatal("out of memory in get" #ATTR ": %m"); \
|
|
|
|
rv = p11->C_GetAttributeValue(sess, obj, &attr, 1); \
|
|
|
|
if (attr.ulValueLen == (CK_ULONG)(-1)) { \
|
|
|
|
free(attr.pValue); \
|
|
|
|
return NULL; \
|
|
|
|
} \
|
|
|
|
if (pulCount) \
|
|
|
|
*pulCount = attr.ulValueLen / sizeof(TYPE); \
|
2019-03-08 16:52:31 +00:00
|
|
|
} else if (rv != CKR_ATTRIBUTE_TYPE_INVALID) { \
|
2017-06-14 20:53:41 +00:00
|
|
|
p11_warn("C_GetAttributeValue(" #ATTR ")", rv); \
|
|
|
|
} \
|
|
|
|
return (TYPE *) attr.pValue; \
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Define attribute accessors
|
|
|
|
*/
|
2018-03-29 14:00:30 +00:00
|
|
|
ATTR_METHOD(CLASS, CK_OBJECT_CLASS); /* getCLASS */
|
|
|
|
ATTR_METHOD(ALWAYS_AUTHENTICATE, CK_BBOOL); /* getALWAYS_AUTHENTICATE */
|
|
|
|
ATTR_METHOD(PRIVATE, CK_BBOOL); /* getPRIVATE */
|
|
|
|
ATTR_METHOD(MODIFIABLE, CK_BBOOL); /* getMODIFIABLE */
|
|
|
|
ATTR_METHOD(ENCRYPT, CK_BBOOL); /* getENCRYPT */
|
|
|
|
ATTR_METHOD(DECRYPT, CK_BBOOL); /* getDECRYPT */
|
|
|
|
ATTR_METHOD(SIGN, CK_BBOOL); /* getSIGN */
|
|
|
|
ATTR_METHOD(VERIFY, CK_BBOOL); /* getVERIFY */
|
|
|
|
ATTR_METHOD(WRAP, CK_BBOOL); /* getWRAP */
|
|
|
|
ATTR_METHOD(UNWRAP, CK_BBOOL); /* getUNWRAP */
|
|
|
|
ATTR_METHOD(DERIVE, CK_BBOOL); /* getDERIVE */
|
2019-03-20 14:14:55 +00:00
|
|
|
ATTR_METHOD(SENSITIVE, CK_BBOOL); /* getSENSITIVE */
|
|
|
|
ATTR_METHOD(ALWAYS_SENSITIVE, CK_BBOOL); /* getALWAYS_SENSITIVE */
|
|
|
|
ATTR_METHOD(EXTRACTABLE, CK_BBOOL); /* getEXTRACTABLE */
|
|
|
|
ATTR_METHOD(NEVER_EXTRACTABLE, CK_BBOOL); /* getNEVER_EXTRACTABLE */
|
|
|
|
ATTR_METHOD(LOCAL, CK_BBOOL); /* getLOCAL */
|
2018-03-29 14:00:30 +00:00
|
|
|
ATTR_METHOD(OPENSC_NON_REPUDIATION, CK_BBOOL); /* getOPENSC_NON_REPUDIATION */
|
|
|
|
ATTR_METHOD(KEY_TYPE, CK_KEY_TYPE); /* getKEY_TYPE */
|
|
|
|
ATTR_METHOD(CERTIFICATE_TYPE, CK_CERTIFICATE_TYPE); /* getCERTIFICATE_TYPE */
|
|
|
|
ATTR_METHOD(MODULUS_BITS, CK_ULONG); /* getMODULUS_BITS */
|
|
|
|
ATTR_METHOD(VALUE_LEN, CK_ULONG); /* getVALUE_LEN */
|
|
|
|
VARATTR_METHOD(LABEL, char); /* getLABEL */
|
|
|
|
VARATTR_METHOD(APPLICATION, char); /* getAPPLICATION */
|
|
|
|
VARATTR_METHOD(ID, unsigned char); /* getID */
|
|
|
|
VARATTR_METHOD(OBJECT_ID, unsigned char); /* getOBJECT_ID */
|
|
|
|
VARATTR_METHOD(MODULUS, CK_BYTE); /* getMODULUS */
|
2017-06-14 20:53:41 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2018-04-03 08:22:36 +00:00
|
|
|
VARATTR_METHOD(SUBJECT, unsigned char); /* getSUBJECT */
|
2018-03-29 14:00:30 +00:00
|
|
|
VARATTR_METHOD(PUBLIC_EXPONENT, CK_BYTE); /* getPUBLIC_EXPONENT */
|
2017-06-14 20:53:41 +00:00
|
|
|
#endif
|
2018-03-29 14:00:30 +00:00
|
|
|
VARATTR_METHOD(VALUE, unsigned char); /* getVALUE */
|
|
|
|
VARATTR_METHOD(GOSTR3410_PARAMS, unsigned char); /* getGOSTR3410_PARAMS */
|
2019-03-25 09:39:36 +00:00
|
|
|
VARATTR_METHOD(GOSTR3411_PARAMS, unsigned char); /* getGOSTR3411_PARAMS */
|
2018-03-29 14:00:30 +00:00
|
|
|
VARATTR_METHOD(EC_POINT, unsigned char); /* getEC_POINT */
|
|
|
|
VARATTR_METHOD(EC_PARAMS, unsigned char); /* getEC_PARAMS */
|
2019-03-08 16:52:31 +00:00
|
|
|
VARATTR_METHOD(ALLOWED_MECHANISMS, CK_MECHANISM_TYPE); /* getALLOWED_MECHANISMS */
|
2017-06-14 20:53:41 +00:00
|
|
|
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
int main(int argc, char * argv[])
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
CK_SESSION_HANDLE session = CK_INVALID_HANDLE;
|
|
|
|
CK_OBJECT_HANDLE object = CK_INVALID_HANDLE;
|
|
|
|
int err = 0, c, long_optind = 0;
|
|
|
|
int do_show_info = 0;
|
|
|
|
int do_list_slots = 0;
|
2008-11-21 22:34:31 +00:00
|
|
|
int list_token_slots = 0;
|
2002-12-17 11:50:11 +00:00
|
|
|
int do_list_mechs = 0;
|
|
|
|
int do_list_objects = 0;
|
|
|
|
int do_sign = 0;
|
2018-07-22 14:29:19 +00:00
|
|
|
int do_verify = 0;
|
2015-04-30 11:50:28 +00:00
|
|
|
int do_decrypt = 0;
|
2002-12-22 23:16:47 +00:00
|
|
|
int do_hash = 0;
|
2012-06-01 14:44:28 +00:00
|
|
|
int do_derive = 0;
|
2003-06-03 13:57:52 +00:00
|
|
|
int do_gen_keypair = 0;
|
2016-06-23 16:18:55 +00:00
|
|
|
int do_gen_key = 0;
|
2003-06-04 12:30:02 +00:00
|
|
|
int do_write_object = 0;
|
2004-07-26 18:47:23 +00:00
|
|
|
int do_read_object = 0;
|
2007-06-21 09:37:18 +00:00
|
|
|
int do_delete_object = 0;
|
2003-06-27 12:02:39 +00:00
|
|
|
int do_set_id = 0;
|
2003-01-03 14:33:17 +00:00
|
|
|
int do_test = 0;
|
2003-07-24 11:29:08 +00:00
|
|
|
int do_test_kpgen_certwrite = 0;
|
2011-04-21 16:18:23 +00:00
|
|
|
int do_test_ec = 0;
|
2015-05-13 23:43:40 +00:00
|
|
|
#ifndef _WIN32
|
|
|
|
int do_test_fork = 0;
|
|
|
|
#endif
|
2002-12-17 11:50:11 +00:00
|
|
|
int need_session = 0;
|
2017-01-26 13:23:40 +00:00
|
|
|
int opt_login = 0;
|
2005-05-07 22:22:07 +00:00
|
|
|
int do_init_token = 0;
|
|
|
|
int do_init_pin = 0;
|
2003-02-05 13:55:22 +00:00
|
|
|
int do_change_pin = 0;
|
2010-01-08 15:41:07 +00:00
|
|
|
int do_unlock_pin = 0;
|
2002-12-17 11:50:11 +00:00
|
|
|
int action_count = 0;
|
2017-03-27 08:52:38 +00:00
|
|
|
int do_generate_random = 0;
|
2019-03-08 16:52:31 +00:00
|
|
|
char *s = NULL;
|
2002-12-17 11:50:11 +00:00
|
|
|
CK_RV rv;
|
|
|
|
|
2012-08-15 21:06:58 +00:00
|
|
|
#ifdef _WIN32
|
2017-07-17 20:53:07 +00:00
|
|
|
char expanded_val[PATH_MAX];
|
|
|
|
DWORD expanded_len;
|
|
|
|
|
2013-07-10 14:32:56 +00:00
|
|
|
if(_setmode(_fileno(stdout), _O_BINARY ) == -1)
|
|
|
|
util_fatal("Cannot set FMODE to O_BINARY");
|
|
|
|
if(_setmode(_fileno(stdin), _O_BINARY ) == -1)
|
2012-08-15 21:06:58 +00:00
|
|
|
util_fatal("Cannot set FMODE to O_BINARY");
|
|
|
|
#endif
|
|
|
|
|
2011-05-22 10:52:44 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2018-08-22 17:26:33 +00:00
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
2011-05-22 10:52:44 +00:00
|
|
|
OPENSSL_config(NULL);
|
|
|
|
/* OpenSSL magic */
|
2016-01-06 14:40:59 +00:00
|
|
|
OpenSSL_add_all_algorithms();
|
|
|
|
OPENSSL_malloc_init();
|
|
|
|
#endif
|
2011-05-22 10:52:44 +00:00
|
|
|
#endif
|
2002-12-17 11:50:11 +00:00
|
|
|
while (1) {
|
2015-04-03 12:01:41 +00:00
|
|
|
c = getopt_long(argc, argv, "ILMOTa:bd:e:hi:klm:o:p:scvf:ty:w:z:r",
|
2005-02-11 20:09:34 +00:00
|
|
|
options, &long_optind);
|
2002-12-17 11:50:11 +00:00
|
|
|
if (c == -1)
|
|
|
|
break;
|
|
|
|
switch (c) {
|
|
|
|
case 'I':
|
|
|
|
do_show_info = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
|
|
|
case 'L':
|
|
|
|
do_list_slots = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2008-11-21 22:34:31 +00:00
|
|
|
case 'T':
|
|
|
|
do_list_slots = 1;
|
|
|
|
list_token_slots = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2002-12-17 11:50:11 +00:00
|
|
|
case 'M':
|
|
|
|
do_list_mechs = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
|
|
|
case 'O':
|
|
|
|
need_session |= NEED_SESSION_RO;
|
|
|
|
do_list_objects = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2003-01-03 14:33:17 +00:00
|
|
|
case 'h':
|
|
|
|
need_session |= NEED_SESSION_RO;
|
|
|
|
do_hash = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2003-06-04 12:30:02 +00:00
|
|
|
case 'k':
|
2003-06-03 13:57:52 +00:00
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
do_gen_keypair = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2016-06-23 16:18:55 +00:00
|
|
|
case OPT_GENERATE_KEY:
|
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
do_gen_key = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2003-06-04 12:30:02 +00:00
|
|
|
case 'w':
|
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
do_write_object = 1;
|
|
|
|
opt_file_to_write = optarg;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2004-07-26 18:47:23 +00:00
|
|
|
case 'r':
|
|
|
|
need_session |= NEED_SESSION_RO;
|
|
|
|
do_read_object = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2007-06-21 09:37:18 +00:00
|
|
|
case 'b':
|
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
do_delete_object = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2003-06-27 12:02:39 +00:00
|
|
|
case 'e':
|
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
do_set_id = 1;
|
|
|
|
new_object_id_len = sizeof(new_object_id);
|
|
|
|
if (!hex_to_bin(optarg, new_object_id, &new_object_id_len)) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Invalid ID \"%s\"\n", optarg);
|
2012-05-26 16:53:09 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2003-06-27 12:02:39 +00:00
|
|
|
}
|
|
|
|
action_count++;
|
|
|
|
break;
|
2005-05-21 10:21:53 +00:00
|
|
|
case OPT_ATTR_FROM:
|
|
|
|
opt_attr_from_file = optarg;
|
|
|
|
break;
|
2003-06-04 12:30:02 +00:00
|
|
|
case 'y':
|
2003-06-27 12:02:39 +00:00
|
|
|
opt_object_class_str = optarg;
|
|
|
|
if (strcmp(optarg, "cert") == 0)
|
|
|
|
opt_object_class = CKO_CERTIFICATE;
|
|
|
|
else if (strcmp(optarg, "privkey") == 0)
|
|
|
|
opt_object_class = CKO_PRIVATE_KEY;
|
2016-08-18 07:29:18 +00:00
|
|
|
else if (strcmp(optarg, "secrkey") == 0)
|
|
|
|
opt_object_class = CKO_SECRET_KEY;
|
2003-06-27 12:02:39 +00:00
|
|
|
else if (strcmp(optarg, "pubkey") == 0)
|
|
|
|
opt_object_class = CKO_PUBLIC_KEY;
|
2004-07-26 18:47:23 +00:00
|
|
|
else if (strcmp(optarg, "data") == 0)
|
|
|
|
opt_object_class = CKO_DATA;
|
2003-06-27 12:02:39 +00:00
|
|
|
else {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Unsupported object type \"%s\"\n", optarg);
|
2012-05-26 16:53:09 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2003-06-27 12:02:39 +00:00
|
|
|
}
|
2003-06-04 12:30:02 +00:00
|
|
|
break;
|
2003-06-18 20:49:20 +00:00
|
|
|
case 'd':
|
2003-06-24 09:14:57 +00:00
|
|
|
opt_object_id_len = sizeof(opt_object_id);
|
|
|
|
if (!hex_to_bin(optarg, opt_object_id, &opt_object_id_len)) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Invalid ID \"%s\"\n", optarg);
|
2012-05-26 16:53:09 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2003-06-27 12:02:39 +00:00
|
|
|
}
|
2003-06-18 20:49:20 +00:00
|
|
|
break;
|
|
|
|
case 'a':
|
|
|
|
opt_object_label = optarg;
|
|
|
|
break;
|
2002-12-17 11:50:11 +00:00
|
|
|
case 'i':
|
|
|
|
opt_input = optarg;
|
|
|
|
break;
|
2018-07-22 14:29:19 +00:00
|
|
|
case OPT_SIGNATURE_FILE:
|
|
|
|
opt_signature_file = optarg;
|
|
|
|
break;
|
2002-12-17 11:50:11 +00:00
|
|
|
case 'l':
|
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
opt_login = 1;
|
|
|
|
break;
|
|
|
|
case 'm':
|
2010-09-21 16:11:26 +00:00
|
|
|
opt_mechanism_used = 1;
|
2002-12-17 11:50:11 +00:00
|
|
|
opt_mechanism = p11_name_to_mechanism(optarg);
|
|
|
|
break;
|
2017-09-21 09:19:22 +00:00
|
|
|
case OPT_HASH_ALGORITHM:
|
|
|
|
opt_hash_alg = p11_name_to_mechanism(optarg);
|
|
|
|
break;
|
|
|
|
case OPT_MGF:
|
|
|
|
opt_mgf = p11_name_to_mgf(optarg);
|
|
|
|
break;
|
|
|
|
case OPT_SALT:
|
2018-07-22 14:29:19 +00:00
|
|
|
opt_salt_len = (CK_ULONG) strtoul(optarg, NULL, 0);
|
|
|
|
opt_salt_len_given = 1;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
2002-12-17 11:50:11 +00:00
|
|
|
case 'o':
|
|
|
|
opt_output = optarg;
|
|
|
|
break;
|
2003-01-03 14:33:17 +00:00
|
|
|
case 'p':
|
2015-08-11 16:03:31 +00:00
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
opt_login = 1;
|
2014-11-04 20:44:02 +00:00
|
|
|
util_get_pin(optarg, &opt_pin);
|
2003-01-03 14:33:17 +00:00
|
|
|
break;
|
2003-02-05 13:55:22 +00:00
|
|
|
case 'c':
|
|
|
|
do_change_pin = 1;
|
2010-01-08 15:41:07 +00:00
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
action_count++;
|
|
|
|
break;
|
|
|
|
case OPT_UNLOCK_PIN:
|
|
|
|
do_unlock_pin = 1;
|
|
|
|
need_session |= NEED_SESSION_RW;
|
2003-02-05 13:55:22 +00:00
|
|
|
action_count++;
|
|
|
|
break;
|
2002-12-17 11:50:11 +00:00
|
|
|
case 's':
|
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
do_sign = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2018-07-22 14:29:19 +00:00
|
|
|
case OPT_VERIFY:
|
|
|
|
need_session |= NEED_SESSION_RO;
|
|
|
|
do_verify = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2015-04-30 11:50:28 +00:00
|
|
|
case OPT_DECRYPT:
|
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
do_decrypt = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2015-04-03 12:01:41 +00:00
|
|
|
case 'f':
|
|
|
|
opt_sig_format = optarg;
|
|
|
|
break;
|
2003-01-03 14:33:17 +00:00
|
|
|
case 't':
|
2011-06-08 08:50:42 +00:00
|
|
|
need_session |= NEED_SESSION_RO;
|
2003-01-03 14:33:17 +00:00
|
|
|
do_test = 1;
|
2002-12-22 23:16:47 +00:00
|
|
|
action_count++;
|
|
|
|
break;
|
2003-07-24 11:29:08 +00:00
|
|
|
case 'z':
|
|
|
|
do_test_kpgen_certwrite = 1;
|
|
|
|
opt_file_to_write = optarg;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2004-06-13 20:13:12 +00:00
|
|
|
case 'v':
|
|
|
|
verbose++;
|
2002-12-17 11:50:11 +00:00
|
|
|
break;
|
|
|
|
case OPT_SLOT:
|
2010-01-15 09:36:00 +00:00
|
|
|
opt_slot = (CK_SLOT_ID) strtoul(optarg, NULL, 0);
|
2010-09-21 16:11:26 +00:00
|
|
|
opt_slot_set = 1;
|
|
|
|
if (verbose)
|
|
|
|
fprintf(stderr, "Using slot with ID 0x%lx\n", opt_slot);
|
2002-12-17 11:50:11 +00:00
|
|
|
break;
|
2011-05-30 14:47:50 +00:00
|
|
|
case OPT_SLOT_DESCRIPTION:
|
2010-09-21 16:11:26 +00:00
|
|
|
if (opt_slot_set) {
|
2011-05-30 14:47:50 +00:00
|
|
|
fprintf(stderr, "Error: Only one of --slot, --slot-label, --slot-index or --token-label can be used\n");
|
2012-05-26 16:53:09 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2010-09-21 16:11:26 +00:00
|
|
|
}
|
2011-05-30 14:47:50 +00:00
|
|
|
opt_slot_description = optarg;
|
2003-05-15 11:32:21 +00:00
|
|
|
break;
|
2010-09-21 16:11:26 +00:00
|
|
|
case OPT_SLOT_INDEX:
|
2011-05-30 14:47:50 +00:00
|
|
|
if (opt_slot_set || opt_slot_description) {
|
|
|
|
fprintf(stderr, "Error: Only one of --slot, --slot-label, --slot-index or --token-label can be used\n");
|
2012-05-26 16:53:09 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2010-09-21 16:11:26 +00:00
|
|
|
}
|
|
|
|
opt_slot_index = (CK_ULONG) strtoul(optarg, NULL, 0);
|
2010-10-08 08:36:48 +00:00
|
|
|
opt_slot_index_set = 1;
|
2010-09-21 16:11:26 +00:00
|
|
|
break;
|
2019-03-31 21:33:41 +00:00
|
|
|
case OPT_OBJECT_INDEX:
|
|
|
|
opt_object_index = (CK_ULONG) strtoul(optarg, NULL, 0);
|
|
|
|
opt_object_index_set = 1;
|
|
|
|
break;
|
2011-05-30 14:47:50 +00:00
|
|
|
case OPT_TOKEN_LABEL:
|
|
|
|
if (opt_slot_set || opt_slot_description || opt_slot_index_set) {
|
|
|
|
fprintf(stderr, "Error: Only one of --slot, --slot-label, --slot-index or --token-label can be used\n");
|
2012-05-26 16:53:09 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2011-05-30 14:47:50 +00:00
|
|
|
}
|
|
|
|
opt_token_label = optarg;
|
|
|
|
break;
|
2002-12-19 09:24:58 +00:00
|
|
|
case OPT_MODULE:
|
|
|
|
opt_module = optarg;
|
|
|
|
break;
|
2007-06-21 09:37:18 +00:00
|
|
|
case OPT_APPLICATION_LABEL:
|
|
|
|
opt_application_label = optarg;
|
|
|
|
break;
|
2004-07-26 18:47:23 +00:00
|
|
|
case OPT_APPLICATION_ID:
|
|
|
|
opt_application_id = optarg;
|
|
|
|
break;
|
2012-08-15 17:59:09 +00:00
|
|
|
case OPT_ISSUER:
|
|
|
|
opt_issuer = optarg;
|
|
|
|
break;
|
|
|
|
case OPT_SUBJECT:
|
|
|
|
opt_subject = optarg;
|
|
|
|
break;
|
2010-01-08 15:41:07 +00:00
|
|
|
case OPT_NEW_PIN:
|
2014-11-04 20:44:02 +00:00
|
|
|
util_get_pin(optarg, &opt_new_pin);
|
2010-01-08 15:41:07 +00:00
|
|
|
break;
|
|
|
|
case OPT_PUK:
|
2014-11-04 20:44:02 +00:00
|
|
|
util_get_pin(optarg, &opt_puk);
|
2010-01-08 15:41:07 +00:00
|
|
|
break;
|
|
|
|
case OPT_LOGIN_TYPE:
|
|
|
|
if (!strcmp(optarg, "so"))
|
|
|
|
opt_login_type = CKU_SO;
|
|
|
|
else if (!strcmp(optarg, "user"))
|
|
|
|
opt_login_type = CKU_USER;
|
|
|
|
else if (!strcmp(optarg, "context-specific"))
|
|
|
|
opt_login_type = CKU_CONTEXT_SPECIFIC;
|
|
|
|
else {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Unsupported login type \"%s\"\n", optarg);
|
2012-05-26 16:53:09 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2010-01-08 15:41:07 +00:00
|
|
|
}
|
|
|
|
break;
|
2005-05-07 22:22:07 +00:00
|
|
|
case OPT_SO_PIN:
|
2014-11-04 20:44:02 +00:00
|
|
|
util_get_pin(optarg, &opt_so_pin);
|
2005-05-07 22:22:07 +00:00
|
|
|
break;
|
|
|
|
case OPT_INIT_TOKEN:
|
|
|
|
do_init_token = 1;
|
|
|
|
action_count++;
|
|
|
|
break ;
|
|
|
|
case OPT_INIT_PIN:
|
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
do_init_pin = 1;
|
|
|
|
action_count++;
|
|
|
|
break ;
|
2005-09-27 17:22:48 +00:00
|
|
|
case OPT_KEY_TYPE:
|
|
|
|
opt_key_type = optarg;
|
|
|
|
break;
|
2012-06-01 14:44:28 +00:00
|
|
|
case OPT_KEY_USAGE_SIGN:
|
|
|
|
opt_key_usage_sign = 1;
|
2014-08-26 14:59:40 +00:00
|
|
|
opt_key_usage_default = 0;
|
2012-06-01 14:44:28 +00:00
|
|
|
break;
|
|
|
|
case OPT_KEY_USAGE_DECRYPT:
|
|
|
|
opt_key_usage_decrypt = 1;
|
2014-08-26 14:59:40 +00:00
|
|
|
opt_key_usage_default = 0;
|
2012-06-01 14:44:28 +00:00
|
|
|
break;
|
2014-08-26 14:59:40 +00:00
|
|
|
case OPT_KEY_USAGE_DERIVE:
|
|
|
|
opt_key_usage_derive = 1;
|
|
|
|
opt_key_usage_default = 0;
|
2012-06-01 14:44:28 +00:00
|
|
|
break;
|
2006-09-18 05:30:41 +00:00
|
|
|
case OPT_PRIVATE:
|
|
|
|
opt_is_private = 1;
|
|
|
|
break;
|
2017-09-12 13:08:22 +00:00
|
|
|
case OPT_SENSITIVE:
|
|
|
|
opt_is_sensitive = 1;
|
|
|
|
break;
|
2010-09-24 07:24:43 +00:00
|
|
|
case OPT_TEST_HOTPLUG:
|
2010-01-15 09:36:00 +00:00
|
|
|
opt_test_hotplug = 1;
|
2010-09-24 07:24:43 +00:00
|
|
|
action_count++;
|
2010-01-15 09:36:00 +00:00
|
|
|
break;
|
2011-04-21 16:18:23 +00:00
|
|
|
case OPT_TEST_EC:
|
|
|
|
do_test_ec = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2016-11-20 17:28:42 +00:00
|
|
|
case OPT_DERIVE_PASS_DER:
|
|
|
|
opt_derive_pass_der = 1;
|
|
|
|
/* fall through */
|
2012-06-01 14:44:28 +00:00
|
|
|
case OPT_DERIVE:
|
|
|
|
need_session |= NEED_SESSION_RW;
|
|
|
|
do_derive = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2015-05-13 23:43:40 +00:00
|
|
|
#ifndef _WIN32
|
|
|
|
case OPT_TEST_FORK:
|
|
|
|
do_test_fork = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
|
|
|
#endif
|
2017-03-27 08:52:38 +00:00
|
|
|
case OPT_GENERATE_RANDOM:
|
|
|
|
need_session |= NEED_SESSION_RO;
|
|
|
|
opt_random_bytes = strtoul(optarg, NULL, 0);
|
|
|
|
do_generate_random = 1;
|
|
|
|
action_count++;
|
|
|
|
break;
|
2018-11-26 15:02:59 +00:00
|
|
|
case OPT_ALWAYS_AUTH:
|
|
|
|
opt_always_auth = 1;
|
|
|
|
break;
|
2019-03-08 16:52:31 +00:00
|
|
|
case OPT_ALLOWED_MECHANISMS:
|
|
|
|
/* Parse the mechanism list and fail early */
|
|
|
|
s = strtok(optarg, ",");
|
|
|
|
while (s != NULL) {
|
|
|
|
if (opt_allowed_mechanisms_len > MAX_ALLOWED_MECHANISMS) {
|
|
|
|
fprintf(stderr, "Too many mechanisms provided"
|
|
|
|
" (max %d). Skipping the rest.", MAX_ALLOWED_MECHANISMS);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
opt_allowed_mechanisms[opt_allowed_mechanisms_len] =
|
|
|
|
p11_name_to_mechanism(s);
|
|
|
|
opt_allowed_mechanisms_len++;
|
|
|
|
s = strtok(NULL, ",");
|
|
|
|
}
|
|
|
|
break;
|
2002-12-17 11:50:11 +00:00
|
|
|
default:
|
2012-05-26 16:53:09 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
}
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (optind < argc) {
|
|
|
|
util_fatal("invalid option(s) given");
|
|
|
|
}
|
2011-05-17 13:27:09 +00:00
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
if (action_count == 0)
|
2012-05-26 16:53:09 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2017-07-17 20:53:07 +00:00
|
|
|
#ifdef _WIN32
|
|
|
|
expanded_len = PATH_MAX;
|
|
|
|
expanded_len = ExpandEnvironmentStringsA(opt_module, expanded_val, expanded_len);
|
|
|
|
if (0 < expanded_len && expanded_len < sizeof expanded_val)
|
|
|
|
opt_module = expanded_val;
|
|
|
|
#endif
|
|
|
|
|
2019-01-18 15:13:57 +00:00
|
|
|
#ifndef ENABLE_SHARED
|
|
|
|
if (strcmp(opt_module, DEFAULT_PKCS11_PROVIDER) == 0)
|
|
|
|
p11 = &pkcs11_function_list;
|
|
|
|
else
|
|
|
|
#endif
|
|
|
|
{
|
|
|
|
module = C_LoadModule(opt_module, &p11);
|
|
|
|
if (module == NULL)
|
|
|
|
util_fatal("Failed to load pkcs11 module");
|
|
|
|
}
|
2002-12-17 11:50:11 +00:00
|
|
|
|
|
|
|
rv = p11->C_Initialize(NULL);
|
2013-03-10 12:45:32 +00:00
|
|
|
if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "\n*** Cryptoki library has already been initialized ***\n");
|
2013-03-10 12:45:32 +00:00
|
|
|
else if (rv != CKR_OK)
|
2002-12-17 11:50:11 +00:00
|
|
|
p11_fatal("C_Initialize", rv);
|
|
|
|
|
2015-05-13 23:43:40 +00:00
|
|
|
#ifndef _WIN32
|
|
|
|
if (do_test_fork)
|
|
|
|
test_fork();
|
|
|
|
#endif
|
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
if (do_show_info)
|
|
|
|
show_cryptoki_info();
|
|
|
|
|
2010-01-15 09:36:00 +00:00
|
|
|
list_slots(list_token_slots, 1, do_list_slots);
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2010-09-24 07:24:43 +00:00
|
|
|
if (opt_test_hotplug) {
|
|
|
|
test_card_detection(0);
|
|
|
|
test_card_detection(1);
|
|
|
|
}
|
2010-09-21 16:11:44 +00:00
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
if (p11_num_slots == 0) {
|
2008-11-21 22:34:31 +00:00
|
|
|
fprintf(stderr, "No slots.\n");
|
2002-12-17 11:50:11 +00:00
|
|
|
err = 1;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2010-09-21 16:11:26 +00:00
|
|
|
if (!opt_slot_set && (action_count > do_list_slots)) {
|
2011-05-30 14:47:50 +00:00
|
|
|
if (opt_slot_description) {
|
|
|
|
if (!find_slot_by_description(opt_slot_description, &opt_slot)) {
|
|
|
|
fprintf(stderr, "No slot named \"%s\" found\n", opt_slot_description);
|
2010-09-21 16:11:26 +00:00
|
|
|
err = 1;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
if (verbose)
|
2011-05-30 14:47:50 +00:00
|
|
|
fprintf(stderr, "Using slot with label \"%s\" (0x%lx)\n", opt_slot_description, opt_slot);
|
|
|
|
} else if (opt_token_label) {
|
|
|
|
if (!find_slot_by_token_label(opt_token_label, &opt_slot)) {
|
|
|
|
fprintf(stderr, "No slot with token named \"%s\" found\n", opt_token_label);
|
|
|
|
err = 1;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
if (verbose)
|
|
|
|
fprintf(stderr, "Using slot with label \"%s\" (0x%lx)\n", opt_slot_description, opt_slot);
|
2010-10-08 08:36:48 +00:00
|
|
|
} else if (opt_slot_index_set) {
|
2010-09-21 16:11:26 +00:00
|
|
|
if (opt_slot_index < p11_num_slots) {
|
|
|
|
opt_slot = p11_slots[opt_slot_index];
|
|
|
|
fprintf(stderr, "Using slot with index %lu (0x%lx)\n", opt_slot_index, opt_slot);
|
|
|
|
} else {
|
2010-09-21 16:11:49 +00:00
|
|
|
fprintf(stderr, "Slot with index %lu (counting from 0) is not available.\n", opt_slot_index);
|
2010-09-21 16:11:26 +00:00
|
|
|
fprintf(stderr, "You must specify a valid slot with either --slot, --slot-index or --slot-label.\n");
|
|
|
|
err = 1;
|
2012-04-02 22:00:56 +00:00
|
|
|
goto end;
|
2010-09-21 16:11:26 +00:00
|
|
|
}
|
2010-10-08 08:36:48 +00:00
|
|
|
} else {
|
|
|
|
/* use first slot with token present (or default slot on error) */
|
|
|
|
unsigned int i, found = 0;
|
|
|
|
for (i = 0; i < p11_num_slots; i++) {
|
|
|
|
CK_SLOT_INFO info;
|
|
|
|
rv = p11->C_GetSlotInfo(p11_slots[i], &info);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_GetSlotInfo", rv);
|
|
|
|
if (info.flags & CKF_TOKEN_PRESENT) {
|
|
|
|
opt_slot = p11_slots[i];
|
|
|
|
fprintf(stderr, "Using slot %u with a present token (0x%lx)\n", i, opt_slot);
|
|
|
|
found = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!found) {
|
|
|
|
fprintf(stderr, "No slot with a token was found.\n");
|
|
|
|
err = 1;
|
|
|
|
goto end;
|
|
|
|
}
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2003-05-15 11:32:21 +00:00
|
|
|
}
|
2010-01-15 09:36:00 +00:00
|
|
|
}
|
2002-12-17 11:50:11 +00:00
|
|
|
|
|
|
|
if (do_list_mechs)
|
|
|
|
list_mechs(opt_slot);
|
|
|
|
|
2015-04-30 11:50:28 +00:00
|
|
|
if (do_sign || do_decrypt) {
|
2002-12-17 11:50:11 +00:00
|
|
|
CK_TOKEN_INFO info;
|
|
|
|
|
|
|
|
get_token_info(opt_slot, &info);
|
|
|
|
if (!(info.flags & CKF_TOKEN_INITIALIZED))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Token not initialized");
|
2002-12-17 11:50:11 +00:00
|
|
|
if (info.flags & CKF_LOGIN_REQUIRED)
|
|
|
|
opt_login++;
|
|
|
|
}
|
|
|
|
|
2005-05-07 22:22:07 +00:00
|
|
|
if (do_init_token)
|
|
|
|
init_token(opt_slot);
|
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
if (need_session) {
|
|
|
|
int flags = CKF_SERIAL_SESSION;
|
|
|
|
|
|
|
|
if (need_session & NEED_SESSION_RW)
|
|
|
|
flags |= CKF_RW_SESSION;
|
|
|
|
rv = p11->C_OpenSession(opt_slot, flags,
|
|
|
|
NULL, NULL, &session);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_OpenSession", rv);
|
|
|
|
}
|
|
|
|
|
2010-01-08 15:41:07 +00:00
|
|
|
if (opt_login) {
|
|
|
|
int r;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2010-01-08 15:41:07 +00:00
|
|
|
if (opt_login_type == -1)
|
|
|
|
opt_login_type = do_init_pin ? CKU_SO : CKU_USER;
|
2010-09-21 16:11:31 +00:00
|
|
|
|
2010-01-08 15:41:07 +00:00
|
|
|
r = login(session, opt_login_type);
|
|
|
|
if (r != 0)
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
2003-02-05 13:55:22 +00:00
|
|
|
if (do_change_pin)
|
|
|
|
/* To be sure we won't mix things up with the -l or -p options,
|
|
|
|
* we safely stop here. */
|
|
|
|
return change_pin(opt_slot, session);
|
|
|
|
|
2010-01-08 15:41:07 +00:00
|
|
|
if (do_unlock_pin) {
|
|
|
|
if (opt_login_type != -1
|
|
|
|
&& opt_login_type != CKU_CONTEXT_SPECIFIC) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Invalid login type for 'Unlock User PIN' operation\n");
|
2012-06-01 14:44:28 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2010-01-08 15:41:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return unlock_pin(opt_slot, session, opt_login_type);
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
|
2005-05-07 22:22:07 +00:00
|
|
|
if (do_init_pin) {
|
|
|
|
init_pin(opt_slot, session);
|
|
|
|
/* We logged in as a CKU_SO user just to initialize
|
|
|
|
* the User PIN, we now have to exit. */
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2015-04-30 11:50:28 +00:00
|
|
|
if (do_sign || do_derive || do_decrypt) {
|
2010-09-21 16:11:31 +00:00
|
|
|
if (!find_object(session, CKO_PRIVATE_KEY, &object,
|
|
|
|
opt_object_id_len ? opt_object_id : NULL,
|
2010-04-11 17:44:39 +00:00
|
|
|
opt_object_id_len, 0))
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("Private key not found");
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
if (do_verify) {
|
|
|
|
if (!find_object(session, CKO_PUBLIC_KEY, &object,
|
|
|
|
opt_object_id_len ? opt_object_id : NULL,
|
|
|
|
opt_object_id_len, 0) &&
|
|
|
|
!find_object(session, CKO_CERTIFICATE, &object,
|
|
|
|
opt_object_id_len ? opt_object_id : NULL,
|
|
|
|
opt_object_id_len, 0))
|
|
|
|
util_fatal("Public key nor certificate not found");
|
|
|
|
}
|
|
|
|
|
2012-06-01 14:44:28 +00:00
|
|
|
/* before list objects, so we can see a derived key */
|
|
|
|
if (do_derive)
|
|
|
|
derive_key(opt_slot, session, object);
|
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
if (do_list_objects)
|
2011-04-11 13:00:57 +00:00
|
|
|
list_objects(session, opt_object_class);
|
2003-01-03 14:33:17 +00:00
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
if (do_sign)
|
|
|
|
sign_data(opt_slot, session, object);
|
2003-01-03 14:33:17 +00:00
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
if (do_verify)
|
|
|
|
verify_signature(opt_slot, session, object);
|
|
|
|
|
2015-04-30 11:50:28 +00:00
|
|
|
if (do_decrypt)
|
|
|
|
decrypt_data(opt_slot, session, object);
|
|
|
|
|
2002-12-22 23:16:47 +00:00
|
|
|
if (do_hash)
|
|
|
|
hash_data(opt_slot, session);
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2003-07-24 11:29:08 +00:00
|
|
|
if (do_gen_keypair) {
|
|
|
|
CK_OBJECT_HANDLE hPublicKey, hPrivateKey;
|
2016-02-16 12:38:51 +00:00
|
|
|
gen_keypair(opt_slot, session, &hPublicKey, &hPrivateKey, opt_key_type);
|
2003-07-24 11:29:08 +00:00
|
|
|
}
|
2003-06-03 13:57:52 +00:00
|
|
|
|
2016-06-23 16:18:55 +00:00
|
|
|
if (do_gen_key) {
|
|
|
|
CK_OBJECT_HANDLE hSecretKey;
|
|
|
|
gen_key(opt_slot, session, &hSecretKey, opt_key_type, NULL);
|
|
|
|
}
|
|
|
|
|
2003-06-04 12:30:02 +00:00
|
|
|
if (do_write_object) {
|
2003-06-27 12:02:39 +00:00
|
|
|
if (opt_object_class_str == NULL)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("You should specify the object type with the -y option");
|
2011-06-01 18:51:26 +00:00
|
|
|
write_object(session);
|
2003-06-04 12:30:02 +00:00
|
|
|
}
|
|
|
|
|
2004-07-26 18:47:23 +00:00
|
|
|
if (do_read_object) {
|
|
|
|
if (opt_object_class_str == NULL)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("You should specify type of the object to read");
|
2010-09-21 16:11:31 +00:00
|
|
|
if (opt_object_id_len == 0 && opt_object_label == NULL &&
|
2012-08-15 17:59:09 +00:00
|
|
|
opt_application_label == NULL && opt_application_id == NULL &&
|
|
|
|
opt_issuer == NULL && opt_subject == NULL)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("You should specify at least one of the "
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
"object ID, object label, application label or application ID");
|
2011-06-01 18:51:26 +00:00
|
|
|
read_object(session);
|
2004-07-26 18:47:23 +00:00
|
|
|
}
|
2007-06-21 09:37:18 +00:00
|
|
|
|
|
|
|
if (do_delete_object) {
|
|
|
|
if (opt_object_class_str == NULL)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("You should specify type of the object to delete");
|
2010-09-21 16:11:31 +00:00
|
|
|
if (opt_object_id_len == 0 && opt_object_label == NULL &&
|
2019-03-31 21:33:41 +00:00
|
|
|
opt_application_label == NULL && opt_application_id == NULL &&
|
|
|
|
opt_object_index_set == 0)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("You should specify at least one of the "
|
2019-03-31 21:33:41 +00:00
|
|
|
"object ID, object label, application label, application ID or object index");
|
2011-06-01 18:51:26 +00:00
|
|
|
delete_object(session);
|
2007-06-21 09:37:18 +00:00
|
|
|
}
|
|
|
|
|
2003-06-27 12:02:39 +00:00
|
|
|
if (do_set_id) {
|
|
|
|
if (opt_object_class_str == NULL)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("You should specify the object type with the -y option");
|
2003-06-27 12:02:39 +00:00
|
|
|
if (opt_object_id_len == 0)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("You should specify the current ID with the -d option");
|
2011-06-01 18:51:26 +00:00
|
|
|
set_id_attr(session);
|
2003-06-27 12:02:39 +00:00
|
|
|
}
|
|
|
|
|
2010-09-24 07:24:43 +00:00
|
|
|
if (do_test)
|
2011-06-01 18:51:26 +00:00
|
|
|
p11_test(session);
|
2003-01-03 14:33:17 +00:00
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (do_test_kpgen_certwrite) {
|
|
|
|
if (!opt_login)
|
|
|
|
fprintf(stderr, "ERR: login required\n");
|
|
|
|
else
|
|
|
|
session = test_kpgen_certwrite(opt_slot, session);
|
|
|
|
}
|
2003-07-24 11:29:08 +00:00
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (do_test_ec) {
|
|
|
|
if (!opt_login)
|
|
|
|
fprintf(stderr, "ERR: login required\n");
|
|
|
|
else
|
|
|
|
test_ec(opt_slot, session);
|
|
|
|
}
|
2017-03-27 08:52:38 +00:00
|
|
|
|
|
|
|
if (do_generate_random) {
|
|
|
|
generate_random(session);
|
|
|
|
}
|
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
end:
|
2011-06-01 18:51:26 +00:00
|
|
|
if (session != CK_INVALID_HANDLE) {
|
|
|
|
rv = p11->C_CloseSession(session);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_CloseSession", rv);
|
|
|
|
}
|
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
if (p11)
|
|
|
|
p11->C_Finalize(NULL_PTR);
|
|
|
|
if (module)
|
|
|
|
C_UnloadModule(module);
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
2007-06-21 12:58:57 +00:00
|
|
|
|
2017-06-14 20:53:41 +00:00
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void show_cryptoki_info(void)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
CK_INFO info;
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
rv = p11->C_GetInfo(&info);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_GetInfo", rv);
|
|
|
|
|
|
|
|
printf("Cryptoki version %u.%u\n",
|
|
|
|
info.cryptokiVersion.major,
|
|
|
|
info.cryptokiVersion.minor);
|
|
|
|
printf("Manufacturer %s\n",
|
|
|
|
p11_utf8_to_local(info.manufacturerID,
|
|
|
|
sizeof(info.manufacturerID)));
|
|
|
|
printf("Library %s (ver %u.%u)\n",
|
|
|
|
p11_utf8_to_local(info.libraryDescription,
|
|
|
|
sizeof(info.libraryDescription)),
|
|
|
|
info.libraryVersion.major,
|
|
|
|
info.libraryVersion.minor);
|
|
|
|
}
|
|
|
|
|
2010-01-15 09:36:00 +00:00
|
|
|
static void list_slots(int tokens, int refresh, int print)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
2010-09-21 16:11:26 +00:00
|
|
|
CK_SLOT_INFO info;
|
|
|
|
CK_ULONG n;
|
|
|
|
CK_RV rv;
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2010-01-15 09:36:00 +00:00
|
|
|
/* Get the list of slots */
|
|
|
|
if (refresh) {
|
|
|
|
rv = p11->C_GetSlotList(tokens, NULL, &p11_num_slots);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_GetSlotList(NULL)", rv);
|
2015-12-09 07:22:24 +00:00
|
|
|
free(p11_slots);
|
Do not cast the return value of malloc(3) and calloc(3)
From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety
" Casting and type safety
malloc returns a void pointer (void *), which indicates that it is a
pointer to a region of unknown data type. One may "cast" (see type
conversion) this pointer to a specific type, as in
int *ptr = (int*)malloc(10 * sizeof (int));
When using C, this is considered bad practice; it is redundant under the
C standard. Moreover, putting in a cast may mask failure to include the
header stdlib.h, in which the prototype for malloc is found. In the
absence of a prototype for malloc, the C compiler will assume that
malloc returns an int, and will issue a warning in a context such as the
above, provided the error is not masked by a cast. On certain
architectures and data models (such as LP64 on 64 bit systems, where
long and pointers are 64 bit and int is 32 bit), this error can actually
result in undefined behavior, as the implicitly declared malloc returns
a 32 bit value whereas the actually defined function returns a 64 bit
value. Depending on calling conventions and memory layout, this may
result in stack smashing.
The returned pointer need not be explicitly cast to a more specific
pointer type, since ANSI C defines an implicit conversion between the
void pointer type and other pointers to objects. An explicit cast of
malloc's return value is sometimes performed because malloc originally
returned a char *, but this cast is unnecessary in standard C
code.[4][5] Omitting the cast, however, creates an incompatibility with
C++, which does require it.
The lack of a specific pointer type returned from malloc is type-unsafe
behaviour: malloc allocates based on byte count but not on type. This
distinguishes it from the C++ new operator that returns a pointer whose
type relies on the operand. (see C Type Safety). "
See also
http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9
2010-08-18 15:08:51 +00:00
|
|
|
p11_slots = calloc(p11_num_slots, sizeof(CK_SLOT_ID));
|
2010-01-15 09:36:00 +00:00
|
|
|
if (p11_slots == NULL) {
|
|
|
|
perror("calloc failed");
|
2017-04-20 19:08:49 +00:00
|
|
|
exit(1);
|
2010-01-15 09:36:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_GetSlotList(tokens, p11_slots, &p11_num_slots);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_GetSlotList()", rv);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!print)
|
2002-12-17 11:50:11 +00:00
|
|
|
return;
|
|
|
|
|
|
|
|
printf("Available slots:\n");
|
|
|
|
for (n = 0; n < p11_num_slots; n++) {
|
2010-09-21 16:11:26 +00:00
|
|
|
printf("Slot %lu (0x%lx): ", n, p11_slots[n]);
|
2002-12-17 11:50:11 +00:00
|
|
|
rv = p11->C_GetSlotInfo(p11_slots[n], &info);
|
|
|
|
if (rv != CKR_OK) {
|
2010-09-21 16:11:44 +00:00
|
|
|
printf("(GetSlotInfo failed, %s)\n", CKR2Str(rv));
|
2002-12-17 11:50:11 +00:00
|
|
|
continue;
|
|
|
|
}
|
2009-11-25 18:01:30 +00:00
|
|
|
printf("%s\n", p11_utf8_to_local(info.slotDescription,
|
|
|
|
sizeof(info.slotDescription)));
|
2004-06-13 20:13:12 +00:00
|
|
|
if ((!verbose) && !(info.flags & CKF_TOKEN_PRESENT)) {
|
2009-11-25 18:01:30 +00:00
|
|
|
printf(" (empty)\n");
|
2002-12-17 11:50:11 +00:00
|
|
|
continue;
|
|
|
|
}
|
2009-11-25 18:01:30 +00:00
|
|
|
|
2004-06-13 20:13:12 +00:00
|
|
|
if (verbose) {
|
2002-12-17 11:50:11 +00:00
|
|
|
printf(" manufacturer: %s\n", p11_utf8_to_local(info.manufacturerID,
|
|
|
|
sizeof(info.manufacturerID)));
|
|
|
|
printf(" hardware ver: %u.%u\n",
|
|
|
|
info.hardwareVersion.major,
|
|
|
|
info.hardwareVersion.minor);
|
|
|
|
printf(" firmware ver: %u.%u\n",
|
|
|
|
info.firmwareVersion.major,
|
|
|
|
info.firmwareVersion.minor);
|
|
|
|
printf(" flags: %s\n", p11_slot_info_flags(info.flags));
|
|
|
|
}
|
2003-01-16 20:10:28 +00:00
|
|
|
if (info.flags & CKF_TOKEN_PRESENT)
|
|
|
|
show_token(p11_slots[n]);
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void show_token(CK_SLOT_ID slot)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
CK_TOKEN_INFO info;
|
2010-10-08 08:36:56 +00:00
|
|
|
CK_RV rv;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2010-10-08 08:36:56 +00:00
|
|
|
rv = p11->C_GetTokenInfo(slot, &info);
|
|
|
|
if (rv == CKR_TOKEN_NOT_RECOGNIZED) {
|
|
|
|
printf(" (token not recognized)\n");
|
|
|
|
return;
|
2017-04-12 15:43:32 +00:00
|
|
|
} else if (rv != CKR_OK) {
|
|
|
|
printf("C_GetTokenInfo() failed: rv = %s\n", CKR2Str(rv));
|
|
|
|
return;
|
2010-10-08 08:36:56 +00:00
|
|
|
}
|
2004-06-13 20:13:12 +00:00
|
|
|
if (!(info.flags & CKF_TOKEN_INITIALIZED) && (!verbose)) {
|
2002-12-17 11:50:11 +00:00
|
|
|
printf(" token state: uninitialized\n");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2012-10-09 20:11:52 +00:00
|
|
|
printf(" token label : %s\n",
|
2002-12-17 11:50:11 +00:00
|
|
|
p11_utf8_to_local(info.label,
|
|
|
|
sizeof(info.label)));
|
2012-10-09 20:11:52 +00:00
|
|
|
printf(" token manufacturer : %s\n",
|
2002-12-17 11:50:11 +00:00
|
|
|
p11_utf8_to_local(info.manufacturerID,
|
|
|
|
sizeof(info.manufacturerID)));
|
2012-10-09 20:11:52 +00:00
|
|
|
printf(" token model : %s\n",
|
2002-12-17 11:50:11 +00:00
|
|
|
p11_utf8_to_local(info.model,
|
|
|
|
sizeof(info.model)));
|
2012-10-09 20:11:52 +00:00
|
|
|
printf(" token flags : %s\n",
|
2002-12-17 11:50:11 +00:00
|
|
|
p11_token_info_flags(info.flags));
|
2012-10-09 20:11:52 +00:00
|
|
|
printf(" hardware version : %d.%d\n", info.hardwareVersion.major, info.hardwareVersion.minor);
|
|
|
|
printf(" firmware version : %d.%d\n", info.firmwareVersion.major, info.firmwareVersion.minor);
|
|
|
|
printf(" serial num : %s\n", p11_utf8_to_local(info.serialNumber,
|
2003-12-23 16:31:09 +00:00
|
|
|
sizeof(info.serialNumber)));
|
2017-03-03 07:26:06 +00:00
|
|
|
printf(" pin min/max : %lu/%lu\n", info.ulMinPinLen, info.ulMaxPinLen);
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void list_mechs(CK_SLOT_ID slot)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
CK_MECHANISM_TYPE *mechs = NULL;
|
|
|
|
CK_ULONG n, num_mechs = 0;
|
|
|
|
CK_RV rv;
|
|
|
|
|
2004-01-07 09:32:58 +00:00
|
|
|
num_mechs = get_mechanisms(slot, &mechs, -1);
|
2002-12-17 11:50:11 +00:00
|
|
|
|
|
|
|
printf("Supported mechanisms:\n");
|
|
|
|
for (n = 0; n < num_mechs; n++) {
|
|
|
|
CK_MECHANISM_INFO info;
|
|
|
|
|
|
|
|
printf(" %s", p11_mechanism_to_name(mechs[n]));
|
|
|
|
rv = p11->C_GetMechanismInfo(slot, mechs[n], &info);
|
|
|
|
if (rv == CKR_OK) {
|
2010-07-05 14:43:31 +00:00
|
|
|
if (info.ulMinKeySize || info.ulMaxKeySize) {
|
|
|
|
printf(", keySize={");
|
|
|
|
if (info.ulMinKeySize)
|
|
|
|
printf("%li", info.ulMinKeySize);
|
|
|
|
printf(",");
|
|
|
|
if (info.ulMaxKeySize)
|
|
|
|
printf("%li", info.ulMaxKeySize);
|
|
|
|
printf("}");
|
|
|
|
}
|
2010-11-28 23:46:12 +00:00
|
|
|
if (info.flags & CKF_HW) {
|
|
|
|
printf(", hw");
|
|
|
|
info.flags &= ~CKF_HW;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_ENCRYPT) {
|
|
|
|
printf(", encrypt");
|
|
|
|
info.flags &= ~CKF_ENCRYPT;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_DECRYPT) {
|
|
|
|
printf(", decrypt");
|
|
|
|
info.flags &= ~CKF_DECRYPT;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_DIGEST) {
|
2002-12-17 11:50:11 +00:00
|
|
|
printf(", digest");
|
2010-11-28 23:46:12 +00:00
|
|
|
info.flags &= ~CKF_DIGEST;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_SIGN) {
|
2002-12-17 11:50:11 +00:00
|
|
|
printf(", sign");
|
2010-11-28 23:46:12 +00:00
|
|
|
info.flags &= ~CKF_SIGN;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_SIGN_RECOVER) {
|
|
|
|
printf(", sign_recover");
|
|
|
|
info.flags &= ~CKF_SIGN_RECOVER;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_VERIFY) {
|
2002-12-17 11:50:11 +00:00
|
|
|
printf(", verify");
|
2010-11-28 23:46:12 +00:00
|
|
|
info.flags &= ~CKF_VERIFY;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_VERIFY_RECOVER) {
|
|
|
|
printf(", verify_recover");
|
|
|
|
info.flags &= ~CKF_VERIFY_RECOVER;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_GENERATE) {
|
|
|
|
printf(", generate");
|
|
|
|
info.flags &= ~CKF_GENERATE;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_GENERATE_KEY_PAIR) {
|
|
|
|
printf(", generate_key_pair");
|
|
|
|
info.flags &= ~CKF_GENERATE_KEY_PAIR;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_WRAP) {
|
2003-09-29 13:45:07 +00:00
|
|
|
printf(", wrap");
|
2010-11-28 23:46:12 +00:00
|
|
|
info.flags &= ~CKF_WRAP;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_UNWRAP) {
|
2002-12-17 11:50:11 +00:00
|
|
|
printf(", unwrap");
|
2010-11-28 23:46:12 +00:00
|
|
|
info.flags &= ~CKF_UNWRAP;
|
|
|
|
}
|
|
|
|
if (info.flags & CKF_DERIVE) {
|
|
|
|
printf(", derive");
|
|
|
|
info.flags &= ~CKF_DERIVE;
|
|
|
|
}
|
2002-12-17 11:50:11 +00:00
|
|
|
if (info.flags)
|
|
|
|
printf(", other flags=0x%x", (unsigned int) info.flags);
|
|
|
|
}
|
|
|
|
printf("\n");
|
|
|
|
}
|
2012-08-12 19:19:57 +00:00
|
|
|
|
|
|
|
if (mechs)
|
|
|
|
free(mechs);
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
|
2010-01-08 15:41:07 +00:00
|
|
|
static int login(CK_SESSION_HANDLE session, int login_type)
|
2007-06-21 12:58:57 +00:00
|
|
|
{
|
2003-12-23 16:31:09 +00:00
|
|
|
char *pin = NULL;
|
2010-04-18 09:45:44 +00:00
|
|
|
size_t len = 0;
|
2010-04-18 08:32:35 +00:00
|
|
|
int pin_allocated = 0, r;
|
2003-12-23 16:31:09 +00:00
|
|
|
CK_TOKEN_INFO info;
|
|
|
|
CK_RV rv;
|
2016-07-24 22:50:37 +00:00
|
|
|
CK_FLAGS pin_flags;
|
2003-12-23 16:31:09 +00:00
|
|
|
|
|
|
|
get_token_info(opt_slot, &info);
|
|
|
|
|
|
|
|
/* Identify which pin to enter */
|
|
|
|
|
2010-01-08 15:41:07 +00:00
|
|
|
if (login_type == CKU_SO)
|
2014-11-04 20:44:02 +00:00
|
|
|
pin = (char *) opt_so_pin;
|
2010-01-08 15:41:07 +00:00
|
|
|
else if (login_type == CKU_USER)
|
2014-11-04 20:44:02 +00:00
|
|
|
pin = (char *) opt_pin;
|
2010-01-08 15:41:07 +00:00
|
|
|
else if (login_type == CKU_CONTEXT_SPECIFIC)
|
2014-11-04 20:44:02 +00:00
|
|
|
pin = opt_pin ? (char *) opt_pin : (char *) opt_puk;
|
2010-01-08 15:41:07 +00:00
|
|
|
|
2010-11-18 14:56:26 +00:00
|
|
|
if (!pin && !(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
|
2016-06-10 09:46:25 +00:00
|
|
|
printf("Logging in to \"%s\".\n", p11_utf8_to_local(info.label, sizeof(info.label)));
|
|
|
|
if (login_type == CKU_SO) {
|
2016-07-24 22:50:37 +00:00
|
|
|
pin_flags=info.flags & (
|
|
|
|
CKF_SO_PIN_COUNT_LOW |
|
|
|
|
CKF_SO_PIN_FINAL_TRY |
|
2017-09-12 13:08:22 +00:00
|
|
|
CKF_SO_PIN_LOCKED |
|
2016-07-24 22:50:37 +00:00
|
|
|
CKF_SO_PIN_TO_BE_CHANGED);
|
|
|
|
if(pin_flags)
|
|
|
|
printf("WARNING: %s\n",p11_token_info_flags(pin_flags));
|
2016-06-10 09:46:25 +00:00
|
|
|
|
2010-04-18 08:32:35 +00:00
|
|
|
printf("Please enter SO PIN: ");
|
2016-06-10 09:46:25 +00:00
|
|
|
}
|
|
|
|
else if (login_type == CKU_USER) {
|
2016-07-24 22:50:37 +00:00
|
|
|
pin_flags=info.flags & (
|
|
|
|
CKF_USER_PIN_COUNT_LOW |
|
|
|
|
CKF_USER_PIN_FINAL_TRY |
|
2017-09-12 13:08:22 +00:00
|
|
|
CKF_USER_PIN_LOCKED |
|
2016-07-24 22:50:37 +00:00
|
|
|
CKF_USER_PIN_TO_BE_CHANGED);
|
|
|
|
if(pin_flags)
|
|
|
|
printf("WARNING: %s\n",p11_token_info_flags(pin_flags));
|
2016-06-10 09:46:25 +00:00
|
|
|
|
2010-04-18 08:32:35 +00:00
|
|
|
printf("Please enter User PIN: ");
|
2016-06-10 09:46:25 +00:00
|
|
|
}
|
|
|
|
else if (login_type == CKU_CONTEXT_SPECIFIC) {
|
2010-09-21 16:11:49 +00:00
|
|
|
printf("Please enter context specific PIN: ");
|
2016-06-10 09:46:25 +00:00
|
|
|
}
|
|
|
|
|
2010-04-18 09:45:44 +00:00
|
|
|
r = util_getpass(&pin, &len, stdin);
|
2010-04-18 08:32:35 +00:00
|
|
|
if (r < 0)
|
2017-01-31 16:32:51 +00:00
|
|
|
util_fatal("util_getpass error");
|
2010-04-18 08:32:35 +00:00
|
|
|
pin_allocated = 1;
|
2003-12-23 16:31:09 +00:00
|
|
|
}
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2010-01-08 15:41:07 +00:00
|
|
|
if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
|
|
|
|
&& (!pin || !*pin)
|
|
|
|
&& login_type != CKU_CONTEXT_SPECIFIC)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
rv = p11->C_Login(session, login_type,
|
|
|
|
(CK_UTF8CHAR *) pin, pin == NULL ? 0 : strlen(pin));
|
2003-12-23 16:31:09 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Login", rv);
|
2010-04-18 08:32:35 +00:00
|
|
|
if (pin_allocated)
|
|
|
|
free(pin);
|
2003-12-23 16:31:09 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void init_token(CK_SLOT_ID slot)
|
2005-05-07 22:22:07 +00:00
|
|
|
{
|
2006-04-26 11:41:57 +00:00
|
|
|
unsigned char token_label[33];
|
2005-05-07 22:22:07 +00:00
|
|
|
char new_buf[21], *new_pin = NULL;
|
2010-04-18 09:45:44 +00:00
|
|
|
size_t len = 0;
|
2010-04-18 08:32:35 +00:00
|
|
|
int pin_allocated = 0, r;
|
2005-05-07 22:22:07 +00:00
|
|
|
CK_TOKEN_INFO info;
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
if (!opt_object_label)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("The token label must be specified using --label");
|
2006-04-26 11:41:57 +00:00
|
|
|
snprintf((char *) token_label, sizeof (token_label), "%-32.32s",
|
2005-05-07 22:22:07 +00:00
|
|
|
opt_object_label);
|
|
|
|
|
|
|
|
get_token_info(slot, &info);
|
2014-11-03 14:49:28 +00:00
|
|
|
if (opt_so_pin != NULL) {
|
2015-02-09 22:16:31 +00:00
|
|
|
new_pin = (char *) opt_so_pin;
|
2014-11-03 14:49:28 +00:00
|
|
|
} else {
|
|
|
|
if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
|
2010-04-18 08:32:35 +00:00
|
|
|
printf("Please enter the new SO PIN: ");
|
2010-04-18 09:45:44 +00:00
|
|
|
r = util_getpass(&new_pin, &len, stdin);
|
2010-04-18 08:32:35 +00:00
|
|
|
if (r < 0)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("No PIN entered");
|
2005-05-07 22:22:07 +00:00
|
|
|
if (!new_pin || !*new_pin || strlen(new_pin) > 20)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Invalid SO PIN");
|
2015-01-24 19:17:26 +00:00
|
|
|
strlcpy(new_buf, new_pin, sizeof new_buf);
|
2010-04-18 08:32:35 +00:00
|
|
|
free(new_pin); new_pin = NULL;
|
|
|
|
printf("Please enter the new SO PIN (again): ");
|
2010-04-18 09:45:44 +00:00
|
|
|
r = util_getpass(&new_pin, &len, stdin);
|
2010-04-18 08:32:35 +00:00
|
|
|
if (r < 0)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("No PIN entered");
|
2005-05-07 22:22:07 +00:00
|
|
|
if (!new_pin || !*new_pin ||
|
|
|
|
strcmp(new_buf, new_pin) != 0)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Different new SO PINs");
|
2010-04-18 08:32:35 +00:00
|
|
|
pin_allocated = 1;
|
2005-05-07 22:22:07 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_InitToken(slot, (CK_UTF8CHAR *) new_pin,
|
|
|
|
new_pin == NULL ? 0 : strlen(new_pin), token_label);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_InitToken", rv);
|
|
|
|
printf("Token successfully initialized\n");
|
2010-04-18 08:32:35 +00:00
|
|
|
|
|
|
|
if (pin_allocated)
|
|
|
|
free(new_pin);
|
2005-05-07 22:22:07 +00:00
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void init_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess)
|
2005-05-07 22:22:07 +00:00
|
|
|
{
|
2010-04-18 08:32:35 +00:00
|
|
|
char *pin;
|
2010-04-18 09:45:44 +00:00
|
|
|
char *new_pin1 = NULL, *new_pin2 = NULL;
|
|
|
|
size_t len1 = 0, len2 = 0;
|
2010-04-18 08:32:35 +00:00
|
|
|
int r;
|
2005-05-07 22:22:07 +00:00
|
|
|
CK_TOKEN_INFO info;
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
get_token_info(slot, &info);
|
|
|
|
|
|
|
|
if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
|
2010-04-18 08:32:35 +00:00
|
|
|
if (! opt_pin && !opt_new_pin) {
|
|
|
|
printf("Please enter the new PIN: ");
|
|
|
|
r = util_getpass(&new_pin1,&len1,stdin);
|
2010-09-21 16:11:31 +00:00
|
|
|
if (r < 0)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("No PIN entered");
|
2010-04-18 08:32:35 +00:00
|
|
|
if (!new_pin1 || !*new_pin1 || strlen(new_pin1) > 20)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Invalid User PIN");
|
2010-04-18 08:32:35 +00:00
|
|
|
printf("Please enter the new PIN again: ");
|
2010-04-18 09:45:44 +00:00
|
|
|
r = util_getpass(&new_pin2, &len2, stdin);
|
2010-09-21 16:11:31 +00:00
|
|
|
if (r < 0)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("No PIN entered");
|
2010-04-18 08:32:35 +00:00
|
|
|
if (!new_pin2 || !*new_pin2 ||
|
|
|
|
strcmp(new_pin1, new_pin2) != 0)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Different new User PINs");
|
2005-05-07 22:22:07 +00:00
|
|
|
}
|
|
|
|
}
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2014-11-04 20:44:02 +00:00
|
|
|
pin = (char *) opt_pin;
|
|
|
|
if (!pin) pin = (char *) opt_new_pin;
|
2010-04-18 08:32:35 +00:00
|
|
|
if (!pin) pin = new_pin1;
|
|
|
|
|
|
|
|
rv = p11->C_InitPIN(sess, (CK_UTF8CHAR *) pin, pin == NULL ? 0 : strlen(pin));
|
|
|
|
|
|
|
|
if (new_pin1) {
|
|
|
|
memset(new_pin1, 0, len1);
|
|
|
|
free(new_pin1);
|
|
|
|
}
|
|
|
|
if (new_pin2) {
|
|
|
|
memset(new_pin2,0, len2);
|
|
|
|
free(new_pin2);
|
|
|
|
}
|
2005-05-07 22:22:07 +00:00
|
|
|
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_InitPIN", rv);
|
|
|
|
printf("User PIN successfully initialized\n");
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static int change_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess)
|
2003-02-05 13:55:22 +00:00
|
|
|
{
|
|
|
|
char old_buf[21], *old_pin = NULL;
|
|
|
|
char new_buf[21], *new_pin = NULL;
|
|
|
|
CK_TOKEN_INFO info;
|
|
|
|
CK_RV rv;
|
2010-04-18 08:32:35 +00:00
|
|
|
int r;
|
2010-04-18 09:45:44 +00:00
|
|
|
size_t len = 0;
|
2003-02-05 13:55:22 +00:00
|
|
|
|
|
|
|
get_token_info(slot, &info);
|
|
|
|
|
|
|
|
if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
|
2012-04-02 22:00:56 +00:00
|
|
|
if (!opt_pin && !opt_so_pin) {
|
2011-06-02 19:20:11 +00:00
|
|
|
printf("Please enter the current PIN: ");
|
|
|
|
r = util_getpass(&old_pin, &len, stdin);
|
|
|
|
if (r < 0)
|
|
|
|
return 1;
|
|
|
|
if (!old_pin || !*old_pin || strlen(old_pin) > 20)
|
|
|
|
return 1;
|
|
|
|
strcpy(old_buf, old_pin);
|
|
|
|
old_pin = old_buf;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
if (opt_so_pin)
|
2014-11-04 20:44:02 +00:00
|
|
|
old_pin = (char *) opt_so_pin;
|
2011-06-02 19:20:11 +00:00
|
|
|
else
|
2014-11-04 20:44:02 +00:00
|
|
|
old_pin = (char *) opt_pin;
|
2011-06-02 19:20:11 +00:00
|
|
|
}
|
2010-04-18 08:32:35 +00:00
|
|
|
|
2011-06-02 19:20:11 +00:00
|
|
|
if (!opt_new_pin) {
|
|
|
|
printf("Please enter the new PIN: ");
|
|
|
|
r = util_getpass(&new_pin, &len, stdin);
|
|
|
|
if (r < 0)
|
|
|
|
return 1;
|
|
|
|
if (!new_pin || !*new_pin || strlen(new_pin) > 20)
|
|
|
|
return 1;
|
|
|
|
strcpy(new_buf, new_pin);
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2011-06-02 19:20:11 +00:00
|
|
|
printf("Please enter the new PIN again: ");
|
|
|
|
r = util_getpass(&new_pin, &len, stdin);
|
|
|
|
if (r < 0)
|
|
|
|
return 1;
|
2016-10-10 20:21:46 +00:00
|
|
|
if (!new_pin || !*new_pin || strcmp(new_buf, new_pin) != 0) {
|
|
|
|
free(new_pin);
|
2011-06-02 19:20:11 +00:00
|
|
|
return 1;
|
2016-10-10 20:21:46 +00:00
|
|
|
}
|
2011-06-02 19:20:11 +00:00
|
|
|
}
|
|
|
|
else {
|
2014-11-04 20:44:02 +00:00
|
|
|
new_pin = (char *) opt_new_pin;
|
2011-06-02 19:20:11 +00:00
|
|
|
}
|
2003-02-05 13:55:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_SetPIN(sess,
|
2003-09-25 09:33:16 +00:00
|
|
|
(CK_UTF8CHAR *) old_pin, old_pin == NULL ? 0 : strlen(old_pin),
|
|
|
|
(CK_UTF8CHAR *) new_pin, new_pin == NULL ? 0 : strlen(new_pin));
|
2003-02-05 13:55:22 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SetPIN", rv);
|
2003-02-17 11:09:24 +00:00
|
|
|
printf("PIN successfully changed\n");
|
2003-02-05 13:55:22 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-01-08 15:41:07 +00:00
|
|
|
|
|
|
|
static int unlock_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess, int login_type)
|
|
|
|
{
|
|
|
|
char unlock_buf[21], *unlock_code = NULL;
|
|
|
|
char new_buf[21], *new_pin = NULL;
|
|
|
|
CK_TOKEN_INFO info;
|
|
|
|
CK_RV rv;
|
2010-04-18 08:32:35 +00:00
|
|
|
int r;
|
2010-04-18 09:45:44 +00:00
|
|
|
size_t len = 0;
|
2010-01-08 15:41:07 +00:00
|
|
|
|
|
|
|
get_token_info(slot, &info);
|
|
|
|
|
|
|
|
if (login_type == CKU_CONTEXT_SPECIFIC)
|
2014-11-04 20:44:02 +00:00
|
|
|
unlock_code = opt_pin ? (char *) opt_pin : (char *) opt_puk;
|
2010-01-08 15:41:07 +00:00
|
|
|
else if (login_type == -1)
|
2014-11-04 20:44:02 +00:00
|
|
|
unlock_code = (char *) opt_puk;
|
2010-09-21 16:11:31 +00:00
|
|
|
else
|
2010-01-08 15:41:07 +00:00
|
|
|
return 1;
|
|
|
|
|
|
|
|
if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) && !unlock_code) {
|
|
|
|
if (login_type == CKU_CONTEXT_SPECIFIC)
|
2010-04-18 08:32:35 +00:00
|
|
|
printf("Please enter the 'Change PIN' context secret code: ");
|
2010-01-08 15:41:07 +00:00
|
|
|
else if (login_type == -1)
|
2010-04-18 08:32:35 +00:00
|
|
|
printf("Please enter unblock code for User PIN: ");
|
2010-01-08 15:41:07 +00:00
|
|
|
|
2010-04-18 09:45:44 +00:00
|
|
|
r = util_getpass(&unlock_code, &len, stdin);
|
2010-04-18 08:32:35 +00:00
|
|
|
if (r < 0)
|
|
|
|
return 1;
|
2010-01-08 15:41:07 +00:00
|
|
|
if (!unlock_code || !*unlock_code || strlen(unlock_code) > 20)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
strcpy(unlock_buf, unlock_code);
|
|
|
|
unlock_code = unlock_buf;
|
|
|
|
}
|
|
|
|
|
2014-11-04 20:44:02 +00:00
|
|
|
new_pin = (char *) opt_new_pin;
|
2010-01-08 15:41:07 +00:00
|
|
|
if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) && !new_pin) {
|
2010-04-18 08:32:35 +00:00
|
|
|
printf("Please enter the new PIN: ");
|
|
|
|
r = util_getpass(&new_pin, &len, stdin);
|
|
|
|
if (r < 0)
|
|
|
|
return 1;
|
2015-01-24 19:17:26 +00:00
|
|
|
strlcpy(new_buf, new_pin, sizeof new_buf);
|
2010-04-18 08:32:35 +00:00
|
|
|
|
|
|
|
printf("Please enter the new PIN again: ");
|
|
|
|
r = util_getpass(&new_pin, &len, stdin);
|
|
|
|
if (r < 0)
|
|
|
|
return 1;
|
2010-01-08 15:41:07 +00:00
|
|
|
if (!new_pin || !*new_pin || strcmp(new_buf, new_pin) != 0) {
|
2015-02-05 00:36:40 +00:00
|
|
|
if (new_pin != opt_new_pin)
|
|
|
|
free(new_pin);
|
2010-01-08 15:41:07 +00:00
|
|
|
printf(" different new PINs, exiting\n");
|
|
|
|
return -1;
|
|
|
|
}
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2015-02-05 00:36:40 +00:00
|
|
|
if (!new_pin || !*new_pin || strlen(new_pin) > 20) {
|
|
|
|
if (new_pin != opt_new_pin)
|
|
|
|
free(new_pin);
|
2010-01-08 15:41:07 +00:00
|
|
|
return 1;
|
2015-02-05 00:36:40 +00:00
|
|
|
}
|
2010-01-08 15:41:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_SetPIN(sess,
|
|
|
|
(CK_UTF8CHAR *) unlock_code, unlock_code == NULL ? 0 : strlen(unlock_code),
|
|
|
|
(CK_UTF8CHAR *) new_pin, new_pin == NULL ? 0 : strlen(new_pin));
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SetPIN", rv);
|
|
|
|
printf("PIN successfully changed\n");
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-09-21 09:19:22 +00:00
|
|
|
/* return digest length in bytes */
|
2018-07-22 14:29:19 +00:00
|
|
|
static unsigned long hash_length(const int hash) {
|
2017-09-21 09:19:22 +00:00
|
|
|
unsigned long sLen = 0;
|
|
|
|
switch (hash) {
|
|
|
|
case CKM_SHA_1:
|
|
|
|
sLen = 20;
|
|
|
|
break;
|
|
|
|
case CKM_SHA224:
|
|
|
|
sLen = 28;
|
|
|
|
break;
|
|
|
|
case CKM_SHA256:
|
|
|
|
sLen = 32;
|
|
|
|
break;
|
|
|
|
case CKM_SHA384:
|
|
|
|
sLen = 48;
|
|
|
|
break;
|
|
|
|
case CKM_SHA512:
|
|
|
|
sLen = 64;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
util_fatal("Unknown hash algorithm '%s' for RSA-PSS signatures",
|
|
|
|
p11_mechanism_to_name(hash));
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return sLen;
|
|
|
|
}
|
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
static unsigned long
|
|
|
|
parse_pss_params(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key,
|
|
|
|
CK_MECHANISM *mech, CK_RSA_PKCS_PSS_PARAMS *pss_params)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
2018-07-22 14:29:19 +00:00
|
|
|
unsigned long hashlen = 0;
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
if (pss_params == NULL)
|
|
|
|
return 0;
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->hashAlg = 0;
|
2017-09-21 09:19:22 +00:00
|
|
|
|
|
|
|
if (opt_hash_alg != 0 && opt_mechanism != CKM_RSA_PKCS_PSS)
|
|
|
|
util_fatal("The hash-algorithm is applicable only to "
|
|
|
|
"RSA-PKCS-PSS mechanism");
|
|
|
|
|
|
|
|
/* set "default" MGF and hash algorithms. We can overwrite MGF later */
|
|
|
|
switch (opt_mechanism) {
|
|
|
|
case CKM_RSA_PKCS_PSS:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->hashAlg = opt_hash_alg;
|
2017-09-21 09:19:22 +00:00
|
|
|
|
|
|
|
switch (opt_hash_alg) {
|
2017-10-19 20:12:47 +00:00
|
|
|
case CKM_SHA224:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->mgf = CKG_MGF1_SHA224;
|
2017-10-19 20:12:47 +00:00
|
|
|
break;
|
2017-09-21 09:19:22 +00:00
|
|
|
case CKM_SHA256:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->mgf = CKG_MGF1_SHA256;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
|
|
|
case CKM_SHA384:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->mgf = CKG_MGF1_SHA384;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
|
|
|
case CKM_SHA512:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->mgf = CKG_MGF1_SHA512;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
/* the PSS should use SHA-1 if not specified */
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->hashAlg = CKM_SHA_1;
|
2017-09-21 09:19:22 +00:00
|
|
|
/* fallthrough */
|
|
|
|
case CKM_SHA_1:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->mgf = CKG_MGF1_SHA1;
|
2017-09-21 09:19:22 +00:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case CKM_SHA1_RSA_PKCS_PSS:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->hashAlg = CKM_SHA_1;
|
|
|
|
pss_params->mgf = CKG_MGF1_SHA1;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
|
|
|
|
2017-10-19 20:12:47 +00:00
|
|
|
case CKM_SHA224_RSA_PKCS_PSS:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->hashAlg = CKM_SHA224;
|
|
|
|
pss_params->mgf = CKG_MGF1_SHA224;
|
2017-10-19 20:12:47 +00:00
|
|
|
break;
|
|
|
|
|
2017-09-21 09:19:22 +00:00
|
|
|
case CKM_SHA256_RSA_PKCS_PSS:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->hashAlg = CKM_SHA256;
|
|
|
|
pss_params->mgf = CKG_MGF1_SHA256;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case CKM_SHA384_RSA_PKCS_PSS:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->hashAlg = CKM_SHA384;
|
|
|
|
pss_params->mgf = CKG_MGF1_SHA384;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case CKM_SHA512_RSA_PKCS_PSS:
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->hashAlg = CKM_SHA512;
|
|
|
|
pss_params->mgf = CKG_MGF1_SHA512;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
2018-11-20 08:29:53 +00:00
|
|
|
|
|
|
|
default: /* The non-RSA-PSS algorithms do not need any parameters */
|
|
|
|
return 0;
|
2017-09-21 09:19:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* One of RSA-PSS mechanisms above: They need parameters */
|
2018-07-22 14:29:19 +00:00
|
|
|
if (pss_params->hashAlg) {
|
2017-09-21 09:19:22 +00:00
|
|
|
if (opt_mgf != 0)
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->mgf = opt_mgf;
|
2017-09-21 09:19:22 +00:00
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
hashlen = hash_length(pss_params->hashAlg);
|
2017-09-21 09:19:22 +00:00
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
if (opt_salt_len_given == 1) { /* salt size explicitly given */
|
|
|
|
unsigned long modlen = 0;
|
|
|
|
if (opt_salt_len < 0 && opt_salt_len != -1 && opt_salt_len != -2)
|
|
|
|
util_fatal("Salt length must be greater or equal "
|
|
|
|
"to zero, or equal to -1 (meaning: use digest size) "
|
|
|
|
"or to -2 (meaning: use maximum permissible size");
|
2019-02-01 10:35:25 +00:00
|
|
|
|
2017-09-21 09:19:22 +00:00
|
|
|
modlen = (get_private_key_length(session, key) + 7) / 8;
|
2018-07-22 14:29:19 +00:00
|
|
|
switch (opt_salt_len) {
|
2017-09-21 09:19:22 +00:00
|
|
|
case -1: /* salt size equals to digest size */
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->sLen = hashlen;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
|
|
|
case -2: /* maximum permissible salt len */
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->sLen = modlen - hashlen -2;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
|
|
|
default: /* use given size but its value must be >= 0 */
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->sLen = opt_salt_len;
|
2017-09-21 09:19:22 +00:00
|
|
|
break;
|
2018-07-22 14:29:19 +00:00
|
|
|
} /* end switch (opt_salt_len_given) */
|
2017-09-21 09:19:22 +00:00
|
|
|
} else { /* use default: salt len of digest size */
|
2018-07-22 14:29:19 +00:00
|
|
|
pss_params->sLen = hashlen;
|
2017-09-21 09:19:22 +00:00
|
|
|
}
|
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
mech->pParameter = pss_params;
|
|
|
|
mech->ulParameterLen = sizeof(*pss_params);
|
2017-10-19 20:12:47 +00:00
|
|
|
|
|
|
|
fprintf(stderr, "PSS parameters: hashAlg=%s, mgf=%s, salt_len=%lu B\n",
|
2018-07-22 14:29:19 +00:00
|
|
|
p11_mechanism_to_name(pss_params->hashAlg),
|
|
|
|
p11_mgf_to_name(pss_params->mgf),
|
|
|
|
pss_params->sLen);
|
2017-09-21 09:19:22 +00:00
|
|
|
}
|
2018-07-22 14:29:19 +00:00
|
|
|
return hashlen;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void sign_data(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
|
|
|
|
CK_OBJECT_HANDLE key)
|
|
|
|
{
|
|
|
|
unsigned char in_buffer[1025], sig_buffer[512];
|
|
|
|
CK_MECHANISM mech;
|
|
|
|
CK_RSA_PKCS_PSS_PARAMS pss_params;
|
|
|
|
CK_RV rv;
|
|
|
|
CK_ULONG sig_len;
|
|
|
|
int fd, r;
|
|
|
|
unsigned long hashlen;
|
|
|
|
|
|
|
|
if (!opt_mechanism_used)
|
|
|
|
if (!find_mechanism(slot, CKF_SIGN|CKF_HW, NULL, 0, &opt_mechanism))
|
|
|
|
util_fatal("Sign mechanism not supported");
|
|
|
|
|
|
|
|
fprintf(stderr, "Using signature algorithm %s\n", p11_mechanism_to_name(opt_mechanism));
|
|
|
|
memset(&mech, 0, sizeof(mech));
|
|
|
|
mech.mechanism = opt_mechanism;
|
|
|
|
hashlen = parse_pss_params(session, key, &mech, &pss_params);
|
2002-12-17 11:50:11 +00:00
|
|
|
|
|
|
|
if (opt_input == NULL)
|
|
|
|
fd = 0;
|
2003-01-20 10:02:07 +00:00
|
|
|
else if ((fd = open(opt_input, O_RDONLY|O_BINARY)) < 0)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("Cannot open %s: %m", opt_input);
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2011-05-22 07:13:09 +00:00
|
|
|
r = read(fd, in_buffer, sizeof(in_buffer));
|
|
|
|
if (r < 0)
|
|
|
|
util_fatal("Cannot read from %s: %m", opt_input);
|
|
|
|
|
2018-11-20 08:29:53 +00:00
|
|
|
if (opt_mechanism == CKM_RSA_PKCS_PSS && (unsigned long)r != hashlen) {
|
|
|
|
util_fatal("For %s mechanism, message size (got %d bytes) "
|
|
|
|
"must be equal to specified digest length (%lu)\n",
|
|
|
|
p11_mechanism_to_name(opt_mechanism), r, hashlen);
|
2018-07-22 14:29:19 +00:00
|
|
|
}
|
2017-10-19 20:12:47 +00:00
|
|
|
|
2011-05-22 07:13:09 +00:00
|
|
|
rv = CKR_CANCEL;
|
2018-07-22 14:29:19 +00:00
|
|
|
if (r < (int) sizeof(in_buffer)) {
|
2011-05-22 07:13:09 +00:00
|
|
|
rv = p11->C_SignInit(session, &mech, key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignInit", rv);
|
2017-06-14 20:53:41 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(session, key))
|
|
|
|
login(session,CKU_CONTEXT_SPECIFIC);
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2011-05-22 07:13:09 +00:00
|
|
|
sig_len = sizeof(sig_buffer);
|
|
|
|
rv = p11->C_Sign(session, in_buffer, r, sig_buffer, &sig_len);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (rv != CKR_OK) {
|
|
|
|
rv = p11->C_SignInit(session, &mech, key);
|
2002-12-17 11:50:11 +00:00
|
|
|
if (rv != CKR_OK)
|
2011-05-22 07:13:09 +00:00
|
|
|
p11_fatal("C_SignInit", rv);
|
2017-06-14 20:53:41 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(session, key))
|
|
|
|
login(session,CKU_CONTEXT_SPECIFIC);
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2011-05-22 07:13:09 +00:00
|
|
|
do {
|
|
|
|
rv = p11->C_SignUpdate(session, in_buffer, r);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignUpdate", rv);
|
|
|
|
|
|
|
|
r = read(fd, in_buffer, sizeof(in_buffer));
|
|
|
|
} while (r > 0);
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2011-05-22 07:13:09 +00:00
|
|
|
sig_len = sizeof(sig_buffer);
|
|
|
|
rv = p11->C_SignFinal(session, sig_buffer, &sig_len);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignFinal", rv);
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
2011-05-22 07:13:09 +00:00
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
if (fd != 0)
|
|
|
|
close(fd);
|
|
|
|
|
|
|
|
if (opt_output == NULL)
|
|
|
|
fd = 1;
|
2008-04-25 11:51:03 +00:00
|
|
|
else if ((fd = open(opt_output, O_CREAT|O_TRUNC|O_WRONLY|O_BINARY, S_IRUSR|S_IWUSR)) < 0) {
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("failed to open %s: %m", opt_output);
|
2008-04-25 11:51:03 +00:00
|
|
|
}
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
if (opt_mechanism == CKM_ECDSA || opt_mechanism == CKM_ECDSA_SHA1 ||
|
|
|
|
opt_mechanism == CKM_ECDSA_SHA256 || opt_mechanism == CKM_ECDSA_SHA384 ||
|
|
|
|
opt_mechanism == CKM_ECDSA_SHA512 || opt_mechanism == CKM_ECDSA_SHA224) {
|
|
|
|
if (opt_sig_format && (!strcmp(opt_sig_format, "openssl") ||
|
|
|
|
!strcmp(opt_sig_format, "sequence"))) {
|
2015-04-03 12:01:41 +00:00
|
|
|
unsigned char *seq;
|
|
|
|
size_t seqlen;
|
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
if (sc_asn1_sig_value_rs_to_sequence(NULL, sig_buffer,
|
|
|
|
sig_len, &seq, &seqlen)) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Failed to convert signature to ASN.1 sequence format");
|
2015-04-03 12:01:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
memcpy(sig_buffer, seq, seqlen);
|
|
|
|
sig_len = seqlen;
|
|
|
|
|
|
|
|
free(seq);
|
|
|
|
}
|
|
|
|
}
|
2011-05-22 07:13:09 +00:00
|
|
|
r = write(fd, sig_buffer, sig_len);
|
2015-04-03 12:01:41 +00:00
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
if (r < 0)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("Failed to write to %s: %m", opt_output);
|
2002-12-17 11:50:11 +00:00
|
|
|
if (fd != 1)
|
|
|
|
close(fd);
|
|
|
|
}
|
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
static void verify_signature(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
|
|
|
|
CK_OBJECT_HANDLE key)
|
|
|
|
{
|
|
|
|
unsigned char in_buffer[1025], sig_buffer[512];
|
|
|
|
CK_MECHANISM mech;
|
|
|
|
CK_RSA_PKCS_PSS_PARAMS pss_params;
|
|
|
|
CK_RV rv;
|
|
|
|
CK_ULONG sig_len;
|
|
|
|
int fd, fd2, r, r2;
|
|
|
|
unsigned long hashlen;
|
|
|
|
|
|
|
|
if (!opt_mechanism_used)
|
|
|
|
if (!find_mechanism(slot, CKF_VERIFY|CKF_HW, NULL, 0, &opt_mechanism))
|
|
|
|
util_fatal("Mechanism not supported for signature verification");
|
|
|
|
|
|
|
|
fprintf(stderr, "Using signature algorithm %s\n", p11_mechanism_to_name(opt_mechanism));
|
|
|
|
memset(&mech, 0, sizeof(mech));
|
|
|
|
mech.mechanism = opt_mechanism;
|
|
|
|
hashlen = parse_pss_params(session, key, &mech, &pss_params);
|
|
|
|
|
|
|
|
/* Open a signature file */
|
|
|
|
if (opt_signature_file == NULL)
|
|
|
|
util_fatal("No file with signature provided. Use --signature-file");
|
|
|
|
else if ((fd2 = open(opt_signature_file, O_RDONLY|O_BINARY)) < 0)
|
|
|
|
util_fatal("Cannot open %s: %m", opt_signature_file);
|
|
|
|
|
|
|
|
r2 = read(fd2, sig_buffer, sizeof(sig_buffer));
|
|
|
|
if (r2 < 0)
|
|
|
|
util_fatal("Cannot read from %s: %m", opt_signature_file);
|
|
|
|
|
|
|
|
close(fd2);
|
|
|
|
|
2019-02-18 15:03:41 +00:00
|
|
|
if (opt_mechanism == CKM_ECDSA || opt_mechanism == CKM_ECDSA_SHA1 ||
|
|
|
|
opt_mechanism == CKM_ECDSA_SHA256 || opt_mechanism == CKM_ECDSA_SHA384 ||
|
|
|
|
opt_mechanism == CKM_ECDSA_SHA512 || opt_mechanism == CKM_ECDSA_SHA224) {
|
|
|
|
if (opt_sig_format && (!strcmp(opt_sig_format, "openssl") ||
|
|
|
|
!strcmp(opt_sig_format, "sequence"))) {
|
|
|
|
|
|
|
|
CK_BYTE* bytes;
|
|
|
|
CK_ULONG len;
|
|
|
|
size_t rs_len = 0;
|
|
|
|
unsigned char rs_buffer[512];
|
|
|
|
bytes = getEC_POINT(session, key, &len);
|
|
|
|
free(bytes);
|
|
|
|
/*
|
|
|
|
* (We only support uncompressed for now)
|
|
|
|
* Uncompressed EC_POINT is DER OCTET STRING of "04||x||y"
|
|
|
|
* So a "256" bit key has x and y of 32 bytes each
|
|
|
|
* something like: "04 41 04||x||y"
|
|
|
|
* Do simple size calculation based on DER encoding
|
|
|
|
*/
|
|
|
|
if ((len - 2) <= 127)
|
|
|
|
rs_len = len - 3;
|
|
|
|
else if ((len - 3) <= 255)
|
|
|
|
rs_len = len - 4;
|
|
|
|
else
|
|
|
|
util_fatal("Key not supported");
|
|
|
|
|
|
|
|
if (sc_asn1_sig_value_sequence_to_rs(NULL, sig_buffer, r2,
|
|
|
|
rs_buffer, rs_len)) {
|
|
|
|
util_fatal("Failed to convert ASN.1 signature");
|
|
|
|
}
|
|
|
|
|
|
|
|
memcpy(sig_buffer, rs_buffer, rs_len);
|
|
|
|
r2 = rs_len;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-07-22 14:29:19 +00:00
|
|
|
/* Open the data file */
|
|
|
|
if (opt_input == NULL)
|
|
|
|
fd = 0;
|
|
|
|
else if ((fd = open(opt_input, O_RDONLY|O_BINARY)) < 0)
|
|
|
|
util_fatal("Cannot open %s: %m", opt_input);
|
|
|
|
|
|
|
|
r = read(fd, in_buffer, sizeof(in_buffer));
|
|
|
|
if (r < 0)
|
|
|
|
util_fatal("Cannot read from %s: %m", opt_input);
|
|
|
|
|
2018-11-20 08:29:53 +00:00
|
|
|
if (opt_mechanism == CKM_RSA_PKCS_PSS && (unsigned long)r != hashlen) {
|
|
|
|
util_fatal("For %s mechanism, message size (got %d bytes)"
|
|
|
|
" must be equal to specified digest length (%lu)\n",
|
|
|
|
p11_mechanism_to_name(opt_mechanism), r, hashlen);
|
2018-07-22 14:29:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
rv = CKR_CANCEL;
|
|
|
|
if (r < (int) sizeof(in_buffer)) {
|
|
|
|
rv = p11->C_VerifyInit(session, &mech, key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_VerifyInit", rv);
|
|
|
|
|
|
|
|
sig_len = r2;
|
|
|
|
rv = p11->C_Verify(session, in_buffer, r, sig_buffer, sig_len);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (rv != CKR_OK) {
|
|
|
|
rv = p11->C_VerifyInit(session, &mech, key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_VerifyInit", rv);
|
|
|
|
|
|
|
|
do {
|
|
|
|
rv = p11->C_VerifyUpdate(session, in_buffer, r);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_VerifyUpdate", rv);
|
|
|
|
|
|
|
|
r = read(fd, in_buffer, sizeof(in_buffer));
|
|
|
|
} while (r > 0);
|
|
|
|
|
2019-02-01 08:10:02 +00:00
|
|
|
sig_len = r2;
|
2018-07-22 14:29:19 +00:00
|
|
|
rv = p11->C_VerifyFinal(session, sig_buffer, sig_len);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_VerifyFinal", rv);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (fd != 0)
|
|
|
|
close(fd);
|
|
|
|
|
|
|
|
if (rv == CKR_OK)
|
|
|
|
printf("Signature is valid\n");
|
|
|
|
else if (rv == CKR_SIGNATURE_INVALID)
|
|
|
|
printf("Invalid signature\n");
|
|
|
|
else
|
|
|
|
printf("Cryptoki returned erorr: %s\n", CKR2Str(rv));
|
|
|
|
}
|
|
|
|
|
2015-04-30 11:50:28 +00:00
|
|
|
|
|
|
|
static void decrypt_data(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
|
|
|
|
CK_OBJECT_HANDLE key)
|
|
|
|
{
|
|
|
|
unsigned char in_buffer[1024], out_buffer[1024];
|
|
|
|
CK_MECHANISM mech;
|
|
|
|
CK_RV rv;
|
2017-10-19 20:12:47 +00:00
|
|
|
CK_RSA_PKCS_OAEP_PARAMS oaep_params;
|
2015-04-30 11:50:28 +00:00
|
|
|
CK_ULONG in_len, out_len;
|
|
|
|
int fd, r;
|
|
|
|
|
|
|
|
if (!opt_mechanism_used)
|
|
|
|
if (!find_mechanism(slot, CKF_DECRYPT|CKF_HW, NULL, 0, &opt_mechanism))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Decrypt mechanism not supported");
|
2015-04-30 11:50:28 +00:00
|
|
|
|
2016-01-19 19:54:02 +00:00
|
|
|
fprintf(stderr, "Using decrypt algorithm %s\n", p11_mechanism_to_name(opt_mechanism));
|
2015-04-30 11:50:28 +00:00
|
|
|
memset(&mech, 0, sizeof(mech));
|
|
|
|
mech.mechanism = opt_mechanism;
|
2017-10-19 20:12:47 +00:00
|
|
|
oaep_params.hashAlg = 0;
|
|
|
|
|
|
|
|
if (opt_hash_alg != 0 && opt_mechanism != CKM_RSA_PKCS_OAEP)
|
|
|
|
util_fatal("The hash-algorithm is applicable only to "
|
2019-02-01 10:35:25 +00:00
|
|
|
"RSA-PKCS-OAEP mechanism");
|
2015-04-30 11:50:28 +00:00
|
|
|
|
|
|
|
if (opt_input == NULL)
|
|
|
|
fd = 0;
|
|
|
|
else if ((fd = open(opt_input, O_RDONLY|O_BINARY)) < 0)
|
|
|
|
util_fatal("Cannot open %s: %m", opt_input);
|
|
|
|
|
|
|
|
r = read(fd, in_buffer, sizeof(in_buffer));
|
|
|
|
if (r < 0)
|
|
|
|
util_fatal("Cannot read from %s: %m", opt_input);
|
|
|
|
in_len = r;
|
|
|
|
|
2017-10-19 20:12:47 +00:00
|
|
|
/* set "default" MGF and hash algorithms. We can overwrite MGF later */
|
|
|
|
switch (opt_mechanism) {
|
|
|
|
case CKM_RSA_PKCS_OAEP:
|
|
|
|
oaep_params.hashAlg = opt_hash_alg;
|
|
|
|
switch (opt_hash_alg) {
|
|
|
|
case CKM_SHA224:
|
|
|
|
oaep_params.mgf = CKG_MGF1_SHA224;
|
|
|
|
break;
|
|
|
|
case CKM_SHA256:
|
|
|
|
oaep_params.mgf = CKG_MGF1_SHA256;
|
|
|
|
break;
|
|
|
|
case CKM_SHA384:
|
|
|
|
oaep_params.mgf = CKG_MGF1_SHA384;
|
|
|
|
break;
|
|
|
|
case CKM_SHA512:
|
|
|
|
oaep_params.mgf = CKG_MGF1_SHA512;
|
|
|
|
break;
|
2019-02-01 10:35:25 +00:00
|
|
|
default:
|
2017-10-19 20:12:47 +00:00
|
|
|
oaep_params.hashAlg = CKM_SHA_1;
|
2017-11-17 09:47:53 +00:00
|
|
|
/* fall through */
|
2017-10-19 20:12:47 +00:00
|
|
|
case CKM_SHA_1:
|
|
|
|
oaep_params.mgf = CKG_MGF1_SHA1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
2019-02-04 13:23:13 +00:00
|
|
|
case CKM_RSA_X_509:
|
2017-10-19 20:12:47 +00:00
|
|
|
case CKM_RSA_PKCS:
|
|
|
|
mech.pParameter = NULL;
|
|
|
|
mech.ulParameterLen = 0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
util_fatal("Mechanism %s illegal or not supported\n", p11_mechanism_to_name(opt_mechanism));
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* If an RSA-OAEP mechanism, it needs parameters */
|
|
|
|
if (oaep_params.hashAlg) {
|
|
|
|
if (opt_mgf != 0)
|
|
|
|
oaep_params.mgf = opt_mgf;
|
|
|
|
|
|
|
|
/* These settings are compatible with OpenSSL 1.0.2L and 1.1.0+ */
|
|
|
|
oaep_params.source = 0UL; /* empty encoding parameter (label) */
|
|
|
|
oaep_params.pSourceData = NULL; /* PKCS#11 standard: this must be NULLPTR */
|
|
|
|
oaep_params.ulSourceDataLen = 0; /* PKCS#11 standard: this must be 0 */
|
|
|
|
|
|
|
|
mech.pParameter = &oaep_params;
|
|
|
|
mech.ulParameterLen = sizeof(oaep_params);
|
|
|
|
|
|
|
|
fprintf(stderr, "OAEP parameters: hashAlg=%s, mgf=%s, source_type=%lu, source_ptr=%p, source_len=%lu\n",
|
|
|
|
p11_mechanism_to_name(oaep_params.hashAlg),
|
|
|
|
p11_mgf_to_name(oaep_params.mgf),
|
|
|
|
oaep_params.source,
|
|
|
|
oaep_params.pSourceData,
|
|
|
|
oaep_params.ulSourceDataLen);
|
|
|
|
|
2019-02-01 10:35:25 +00:00
|
|
|
}
|
2017-10-19 20:12:47 +00:00
|
|
|
|
2015-04-30 11:50:28 +00:00
|
|
|
rv = p11->C_DecryptInit(session, &mech, key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DecryptInit", rv);
|
2017-06-14 20:53:41 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(session, key))
|
|
|
|
login(session,CKU_CONTEXT_SPECIFIC);
|
2015-04-30 11:50:28 +00:00
|
|
|
|
|
|
|
out_len = sizeof(out_buffer);
|
|
|
|
rv = p11->C_Decrypt(session, in_buffer, in_len, out_buffer, &out_len);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Decrypt", rv);
|
|
|
|
|
|
|
|
if (fd != 0)
|
|
|
|
close(fd);
|
|
|
|
|
|
|
|
if (opt_output == NULL) {
|
|
|
|
fd = 1;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
fd = open(opt_output, O_CREAT|O_TRUNC|O_WRONLY|O_BINARY, S_IRUSR|S_IWUSR);
|
|
|
|
if (fd < 0)
|
|
|
|
util_fatal("failed to open %s: %m", opt_output);
|
|
|
|
}
|
|
|
|
|
|
|
|
r = write(fd, out_buffer, out_len);
|
|
|
|
if (r < 0)
|
|
|
|
util_fatal("Failed to write to %s: %m", opt_output);
|
|
|
|
if (fd != 1)
|
|
|
|
close(fd);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void hash_data(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
|
2002-12-22 23:16:47 +00:00
|
|
|
{
|
2003-01-20 10:02:07 +00:00
|
|
|
unsigned char buffer[64];
|
2002-12-22 23:16:47 +00:00
|
|
|
CK_MECHANISM mech;
|
|
|
|
CK_RV rv;
|
|
|
|
CK_ULONG hash_len;
|
|
|
|
int fd, r;
|
|
|
|
|
2012-08-12 19:19:57 +00:00
|
|
|
if (!opt_mechanism_used)
|
|
|
|
if (!find_mechanism(slot, CKF_DIGEST, NULL, 0, &opt_mechanism))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Digest mechanism is not supported");
|
2002-12-22 23:16:47 +00:00
|
|
|
|
2016-01-19 19:54:02 +00:00
|
|
|
fprintf(stderr, "Using digest algorithm %s\n", p11_mechanism_to_name(opt_mechanism));
|
2002-12-22 23:16:47 +00:00
|
|
|
memset(&mech, 0, sizeof(mech));
|
|
|
|
mech.mechanism = opt_mechanism;
|
|
|
|
|
|
|
|
rv = p11->C_DigestInit(session, &mech);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestInit", rv);
|
|
|
|
|
|
|
|
if (opt_input == NULL)
|
|
|
|
fd = 0;
|
2013-07-10 14:32:56 +00:00
|
|
|
else if ((fd = open(opt_input, O_RDONLY|O_BINARY)) < 0)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("Cannot open %s: %m", opt_input);
|
2002-12-22 23:16:47 +00:00
|
|
|
|
|
|
|
while ((r = read(fd, buffer, sizeof(buffer))) > 0) {
|
|
|
|
rv = p11->C_DigestUpdate(session, buffer, r);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestUpdate", rv);
|
|
|
|
}
|
2005-02-04 22:33:51 +00:00
|
|
|
|
2002-12-22 23:16:47 +00:00
|
|
|
if (fd != 0)
|
|
|
|
close(fd);
|
|
|
|
|
|
|
|
hash_len = sizeof(buffer);
|
|
|
|
rv = p11->C_DigestFinal(session, buffer, &hash_len);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestFinal", rv);
|
|
|
|
|
|
|
|
if (opt_output == NULL)
|
|
|
|
fd = 1;
|
2008-04-25 11:51:03 +00:00
|
|
|
else if ((fd = open(opt_output, O_CREAT|O_TRUNC|O_WRONLY|O_BINARY, S_IRUSR|S_IWUSR)) < 0)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("failed to open %s: %m", opt_output);
|
2002-12-22 23:16:47 +00:00
|
|
|
|
|
|
|
r = write(fd, buffer, hash_len);
|
|
|
|
if (r < 0)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("Failed to write to %s: %m", opt_output);
|
2002-12-22 23:16:47 +00:00
|
|
|
if (fd != 1)
|
|
|
|
close(fd);
|
|
|
|
}
|
|
|
|
|
2003-06-24 09:14:57 +00:00
|
|
|
#define FILL_ATTR(attr, typ, val, len) {(attr).type=(typ); (attr).pValue=(val); (attr).ulValueLen=len;}
|
2003-06-18 20:49:20 +00:00
|
|
|
|
2019-03-08 16:52:31 +00:00
|
|
|
/* Generate asymmetric key pair */
|
2016-02-16 12:38:51 +00:00
|
|
|
static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
|
2005-09-27 17:22:48 +00:00
|
|
|
CK_OBJECT_HANDLE *hPublicKey, CK_OBJECT_HANDLE *hPrivateKey, const char *type)
|
2003-06-03 13:57:52 +00:00
|
|
|
{
|
|
|
|
CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0};
|
2008-12-06 20:04:11 +00:00
|
|
|
CK_ULONG modulusBits = 1024;
|
2009-05-07 10:57:07 +00:00
|
|
|
CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 }; /* 65537 in bytes */
|
2003-09-25 09:33:16 +00:00
|
|
|
CK_BBOOL _true = TRUE;
|
2017-04-13 09:35:54 +00:00
|
|
|
CK_BBOOL _false = FALSE;
|
2003-06-24 09:14:57 +00:00
|
|
|
CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
|
|
|
|
CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;
|
2003-06-18 20:49:20 +00:00
|
|
|
CK_ATTRIBUTE publicKeyTemplate[20] = {
|
2003-06-24 09:14:57 +00:00
|
|
|
{CKA_CLASS, &pubkey_class, sizeof(pubkey_class)},
|
2009-03-12 08:33:37 +00:00
|
|
|
{CKA_TOKEN, &_true, sizeof(_true)},
|
2003-06-03 13:57:52 +00:00
|
|
|
};
|
2014-08-26 14:59:40 +00:00
|
|
|
int n_pubkey_attr = 2;
|
2003-06-18 20:49:20 +00:00
|
|
|
CK_ATTRIBUTE privateKeyTemplate[20] = {
|
2003-06-24 09:14:57 +00:00
|
|
|
{CKA_CLASS, &privkey_class, sizeof(privkey_class)},
|
2003-09-25 09:33:16 +00:00
|
|
|
{CKA_TOKEN, &_true, sizeof(_true)},
|
|
|
|
{CKA_PRIVATE, &_true, sizeof(_true)},
|
|
|
|
{CKA_SENSITIVE, &_true, sizeof(_true)},
|
2003-06-03 13:57:52 +00:00
|
|
|
};
|
2014-08-26 14:59:40 +00:00
|
|
|
int n_privkey_attr = 4;
|
2011-04-21 14:29:51 +00:00
|
|
|
unsigned char *ecparams = NULL;
|
|
|
|
size_t ecparams_size;
|
2003-06-03 13:57:52 +00:00
|
|
|
CK_RV rv;
|
|
|
|
|
2005-09-27 17:22:48 +00:00
|
|
|
if (type != NULL) {
|
2016-03-04 10:30:51 +00:00
|
|
|
if (strncmp(type, "RSA:", strlen("RSA:")) == 0 || strncmp(type, "rsa:", strlen("rsa:")) == 0) {
|
|
|
|
CK_MECHANISM_TYPE mtypes[] = {CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_X9_31_KEY_PAIR_GEN};
|
|
|
|
size_t mtypes_num = sizeof(mtypes)/sizeof(mtypes[0]);
|
2005-09-27 17:22:48 +00:00
|
|
|
CK_ULONG key_length;
|
|
|
|
const char *size = type + strlen("RSA:");
|
|
|
|
|
2016-02-16 12:38:51 +00:00
|
|
|
if (!opt_mechanism_used)
|
2016-03-04 10:30:51 +00:00
|
|
|
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Generate RSA mechanism not supported");
|
2016-02-16 12:38:51 +00:00
|
|
|
|
2005-09-27 17:22:48 +00:00
|
|
|
if (size == NULL)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("Unknown key type %s", type);
|
2005-09-27 17:22:48 +00:00
|
|
|
key_length = (unsigned long)atol(size);
|
|
|
|
if (key_length != 0)
|
|
|
|
modulusBits = key_length;
|
2011-04-21 14:29:51 +00:00
|
|
|
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_MODULUS_BITS, &modulusBits, sizeof(modulusBits));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_PUBLIC_EXPONENT, publicExponent, sizeof(publicExponent));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
|
2014-08-26 14:59:40 +00:00
|
|
|
if (opt_key_usage_default || opt_key_usage_sign) {
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_VERIFY, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_SIGN, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_key_usage_default || opt_key_usage_decrypt) {
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_ENCRYPT, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_DECRYPT, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_WRAP, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_UNWRAP, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
2011-04-21 14:29:51 +00:00
|
|
|
}
|
|
|
|
else if (!strncmp(type, "EC:", 3)) {
|
2016-03-04 10:30:51 +00:00
|
|
|
CK_MECHANISM_TYPE mtypes[] = {CKM_EC_KEY_PAIR_GEN};
|
|
|
|
size_t mtypes_num = sizeof(mtypes)/sizeof(mtypes[0]);
|
2011-04-21 14:29:51 +00:00
|
|
|
int ii;
|
|
|
|
|
2016-02-16 12:38:51 +00:00
|
|
|
if (!opt_mechanism_used)
|
2016-03-04 10:30:51 +00:00
|
|
|
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
|
2016-02-16 12:38:51 +00:00
|
|
|
util_fatal("Generate EC key mechanism not supported\n");
|
|
|
|
|
2011-04-21 14:29:51 +00:00
|
|
|
for (ii=0; ec_curve_infos[ii].name; ii++) {
|
|
|
|
if (!strcmp(ec_curve_infos[ii].name, type + 3))
|
|
|
|
break;
|
|
|
|
if (!strcmp(ec_curve_infos[ii].oid, type + 3))
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (!ec_curve_infos[ii].name)
|
|
|
|
util_fatal("Unknown EC key params '%s'", type + 3);
|
|
|
|
|
|
|
|
ecparams_size = strlen(ec_curve_infos[ii].oid_encoded) / 2;
|
|
|
|
ecparams = malloc(ecparams_size);
|
|
|
|
if (!ecparams)
|
|
|
|
util_fatal("Allocation error", 0);
|
|
|
|
if (!hex_to_bin(ec_curve_infos[ii].oid_encoded, ecparams, &ecparams_size)) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Cannot convert \"%s\"\n", ec_curve_infos[ii].oid_encoded);
|
2012-05-26 16:53:09 +00:00
|
|
|
util_print_usage_and_die(app_name, options, option_help, NULL);
|
2011-04-21 14:29:51 +00:00
|
|
|
}
|
|
|
|
|
2014-08-26 14:59:40 +00:00
|
|
|
if (opt_key_usage_default || opt_key_usage_sign) {
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_VERIFY, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_SIGN, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_key_usage_default || opt_key_usage_derive) {
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_DERIVE, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_DERIVE, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
|
2011-04-21 14:29:51 +00:00
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_EC_PARAMS, ecparams, ecparams_size);
|
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
2019-03-21 12:29:32 +00:00
|
|
|
else if (strncmp(type, "GOSTR3410", strlen("GOSTR3410")) == 0 || strncmp(type, "gostr3410", strlen("gostr3410")) == 0) {
|
|
|
|
const struct sc_aid GOST2001_PARAMSET_A_OID = { { 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01 }, 9 };
|
|
|
|
const struct sc_aid GOST2001_PARAMSET_B_OID = { { 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x02 }, 9 };
|
|
|
|
const struct sc_aid GOST2001_PARAMSET_C_OID = { { 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x03 }, 9 };
|
|
|
|
const struct sc_aid GOST2012_256_PARAMSET_A_OID = { { 0x06, 0x09, 0x2A, 0x85, 0x03, 0x07, 0x01, 0x02, 0x01, 0x01, 0x01 }, 11 };
|
|
|
|
const struct sc_aid GOST2012_512_PARAMSET_A_OID = { { 0x06, 0x09, 0x2A, 0x85, 0x03, 0x07, 0x01, 0x02, 0x01, 0x02, 0x01 }, 11 };
|
|
|
|
const struct sc_aid GOST2012_512_PARAMSET_B_OID = { { 0x06, 0x09, 0x2A, 0x85, 0x03, 0x07, 0x01, 0x02, 0x01, 0x02, 0x02 }, 11 };
|
|
|
|
const struct sc_aid GOST2012_512_PARAMSET_C_OID = { { 0x06, 0x09, 0x2A, 0x85, 0x03, 0x07, 0x01, 0x02, 0x01, 0x02, 0x03 }, 11 };
|
|
|
|
struct sc_aid key_paramset_encoded_oid;
|
|
|
|
struct sc_aid hash_paramset_encoded_oid;
|
|
|
|
unsigned long int gost_key_type = -1;
|
|
|
|
CK_MECHANISM_TYPE mtypes[] = {-1};
|
2017-06-09 08:30:40 +00:00
|
|
|
size_t mtypes_num = sizeof(mtypes)/sizeof(mtypes[0]);
|
2019-03-21 12:29:32 +00:00
|
|
|
const char *p_param_set = type + strlen("GOSTR3410");
|
2017-06-09 08:30:40 +00:00
|
|
|
|
|
|
|
if (p_param_set == NULL)
|
|
|
|
util_fatal("Unknown key type %s", type);
|
|
|
|
|
2019-03-21 12:29:32 +00:00
|
|
|
if (!strcmp(":A", p_param_set) || !strcmp("-2001:A", p_param_set)) {
|
|
|
|
gost_key_type = CKK_GOSTR3410;
|
|
|
|
mtypes[0] = CKM_GOSTR3410_KEY_PAIR_GEN;
|
|
|
|
key_paramset_encoded_oid = GOST2001_PARAMSET_A_OID;
|
|
|
|
hash_paramset_encoded_oid = GOST_HASH2001_PARAMSET_OID;
|
|
|
|
}
|
|
|
|
else if (!strcmp(":B", p_param_set) || !strcmp("-2001:B", p_param_set)) {
|
|
|
|
gost_key_type = CKK_GOSTR3410;
|
|
|
|
mtypes[0] = CKM_GOSTR3410_KEY_PAIR_GEN;
|
|
|
|
key_paramset_encoded_oid = GOST2001_PARAMSET_B_OID;
|
|
|
|
hash_paramset_encoded_oid = GOST_HASH2001_PARAMSET_OID;
|
|
|
|
}
|
|
|
|
else if (!strcmp(":C", p_param_set) || !strcmp("-2001:C", p_param_set)) {
|
|
|
|
gost_key_type = CKK_GOSTR3410;
|
|
|
|
mtypes[0] = CKM_GOSTR3410_KEY_PAIR_GEN;
|
|
|
|
key_paramset_encoded_oid = GOST2001_PARAMSET_C_OID;
|
|
|
|
hash_paramset_encoded_oid = GOST_HASH2001_PARAMSET_OID;
|
|
|
|
} else if (!strcmp("-2012-256:A", p_param_set)) {
|
|
|
|
gost_key_type = CKK_GOSTR3410;
|
|
|
|
mtypes[0] = CKM_GOSTR3410_KEY_PAIR_GEN;
|
|
|
|
key_paramset_encoded_oid = GOST2012_256_PARAMSET_A_OID;
|
|
|
|
hash_paramset_encoded_oid = GOST_HASH2012_256_PARAMSET_OID;
|
|
|
|
}
|
|
|
|
else if (!strcmp("-2012-256:B", p_param_set)) {
|
|
|
|
gost_key_type = CKK_GOSTR3410;
|
|
|
|
mtypes[0] = CKM_GOSTR3410_KEY_PAIR_GEN;
|
|
|
|
key_paramset_encoded_oid = GOST2001_PARAMSET_A_OID;
|
|
|
|
hash_paramset_encoded_oid = GOST_HASH2012_256_PARAMSET_OID;
|
2017-06-09 08:30:40 +00:00
|
|
|
}
|
2019-03-21 12:29:32 +00:00
|
|
|
else if (!strcmp("-2012-256:C", p_param_set)) {
|
|
|
|
gost_key_type = CKK_GOSTR3410;
|
|
|
|
mtypes[0] = CKM_GOSTR3410_KEY_PAIR_GEN;
|
|
|
|
key_paramset_encoded_oid = GOST2001_PARAMSET_B_OID;
|
|
|
|
hash_paramset_encoded_oid = GOST_HASH2012_256_PARAMSET_OID;
|
2017-06-09 08:30:40 +00:00
|
|
|
}
|
2019-03-21 12:29:32 +00:00
|
|
|
else if (!strcmp("-2012-256:D", p_param_set)) {
|
|
|
|
gost_key_type = CKK_GOSTR3410;
|
|
|
|
mtypes[0] = CKM_GOSTR3410_KEY_PAIR_GEN;
|
|
|
|
key_paramset_encoded_oid = GOST2001_PARAMSET_C_OID;
|
|
|
|
hash_paramset_encoded_oid = GOST_HASH2012_256_PARAMSET_OID;
|
|
|
|
}
|
|
|
|
else if (!strcmp("-2012-512:A", p_param_set)) {
|
|
|
|
gost_key_type = CKK_GOSTR3410_512;
|
|
|
|
mtypes[0] = CKM_GOSTR3410_512_KEY_PAIR_GEN;
|
|
|
|
key_paramset_encoded_oid = GOST2012_512_PARAMSET_A_OID;
|
|
|
|
hash_paramset_encoded_oid = GOST_HASH2012_512_PARAMSET_OID;
|
|
|
|
}
|
|
|
|
else if (!strcmp("-2012-512:B", p_param_set)) {
|
|
|
|
gost_key_type = CKK_GOSTR3410_512;
|
|
|
|
mtypes[0] = CKM_GOSTR3410_512_KEY_PAIR_GEN;
|
|
|
|
key_paramset_encoded_oid = GOST2012_512_PARAMSET_B_OID;
|
|
|
|
hash_paramset_encoded_oid = GOST_HASH2012_512_PARAMSET_OID;
|
|
|
|
}
|
|
|
|
else if (!strcmp("-2012-512:C", p_param_set)) {
|
|
|
|
gost_key_type = CKK_GOSTR3410_512;
|
|
|
|
mtypes[0] = CKM_GOSTR3410_512_KEY_PAIR_GEN;
|
|
|
|
key_paramset_encoded_oid = GOST2012_512_PARAMSET_C_OID;
|
|
|
|
hash_paramset_encoded_oid = GOST_HASH2012_512_PARAMSET_OID;
|
2017-06-09 08:30:40 +00:00
|
|
|
}
|
|
|
|
else
|
2019-03-21 12:29:32 +00:00
|
|
|
util_fatal("Unknown key type %s, valid key types for mechanism GOSTR3410 are GOSTR3410-2001:{A,B,C},"
|
|
|
|
" GOSTR3410-2012-256:{A,B,C,D}, GOSTR3410-2012-512:{A,B,C}", type);
|
|
|
|
|
|
|
|
if (!opt_mechanism_used) {
|
|
|
|
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
|
|
|
|
util_fatal("Generate GOSTR3410%s mechanism not supported", gost_key_type == CKK_GOSTR3410_512 ? "-2012-512" : "");
|
|
|
|
}
|
2017-06-09 08:30:40 +00:00
|
|
|
|
2019-03-21 12:29:32 +00:00
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_GOSTR3410_PARAMS, key_paramset_encoded_oid.value, key_paramset_encoded_oid.len);
|
2017-06-09 08:30:40 +00:00
|
|
|
n_pubkey_attr++;
|
2019-03-21 12:29:32 +00:00
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_GOSTR3410_PARAMS, key_paramset_encoded_oid.value, key_paramset_encoded_oid.len);
|
2017-06-09 08:30:40 +00:00
|
|
|
n_privkey_attr++;
|
|
|
|
|
2019-03-21 12:29:32 +00:00
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_GOSTR3411_PARAMS, hash_paramset_encoded_oid.value, hash_paramset_encoded_oid.len);
|
2017-06-09 08:30:40 +00:00
|
|
|
n_pubkey_attr++;
|
2019-03-21 12:29:32 +00:00
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_GOSTR3411_PARAMS, hash_paramset_encoded_oid.value, hash_paramset_encoded_oid.len);
|
2017-06-09 08:30:40 +00:00
|
|
|
n_privkey_attr++;
|
|
|
|
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_KEY_TYPE, &gost_key_type, sizeof(gost_key_type));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_KEY_TYPE, &gost_key_type, sizeof(gost_key_type));
|
|
|
|
n_privkey_attr++;
|
|
|
|
|
|
|
|
if (opt_key_usage_default || opt_key_usage_sign) {
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_VERIFY, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_SIGN, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* do not set 'derive' attribute unless it is specified directly */
|
|
|
|
if (opt_key_usage_derive) {
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_DERIVE, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
}
|
2011-04-21 14:29:51 +00:00
|
|
|
else {
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("Unknown key type %s", type);
|
2005-09-27 17:22:48 +00:00
|
|
|
}
|
2016-02-16 12:38:51 +00:00
|
|
|
|
2017-06-09 08:30:40 +00:00
|
|
|
mechanism.mechanism = opt_mechanism;
|
2005-09-27 17:22:48 +00:00
|
|
|
}
|
|
|
|
|
2003-06-18 20:49:20 +00:00
|
|
|
if (opt_object_label != NULL) {
|
2003-06-24 09:14:57 +00:00
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_LABEL,
|
2003-06-18 20:49:20 +00:00
|
|
|
opt_object_label, strlen(opt_object_label));
|
2003-06-24 09:14:57 +00:00
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_LABEL,
|
2003-06-18 20:49:20 +00:00
|
|
|
opt_object_label, strlen(opt_object_label));
|
2003-06-24 09:14:57 +00:00
|
|
|
n_pubkey_attr++;
|
|
|
|
n_privkey_attr++;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2003-06-18 20:49:20 +00:00
|
|
|
}
|
2003-06-24 09:14:57 +00:00
|
|
|
if (opt_object_id_len != 0) {
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_ID,
|
|
|
|
opt_object_id, opt_object_id_len);
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_ID,
|
|
|
|
opt_object_id, opt_object_id_len);
|
|
|
|
n_pubkey_attr++;
|
|
|
|
n_privkey_attr++;
|
2003-06-18 20:49:20 +00:00
|
|
|
}
|
|
|
|
|
2017-04-13 09:35:54 +00:00
|
|
|
if (opt_is_private != 0) {
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_PRIVATE,
|
|
|
|
&_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_PRIVATE,
|
|
|
|
&_false, sizeof(_false));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
|
|
|
|
2018-11-26 15:02:59 +00:00
|
|
|
if (opt_always_auth != 0) {
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_ALWAYS_AUTHENTICATE,
|
|
|
|
&_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
|
2019-03-08 16:52:31 +00:00
|
|
|
if (opt_allowed_mechanisms_len > 0) {
|
|
|
|
FILL_ATTR(privateKeyTemplate[n_privkey_attr],
|
|
|
|
CKA_ALLOWED_MECHANISMS, opt_allowed_mechanisms,
|
|
|
|
sizeof(CK_MECHANISM_TYPE) * opt_allowed_mechanisms_len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
|
2003-06-03 13:57:52 +00:00
|
|
|
rv = p11->C_GenerateKeyPair(session, &mechanism,
|
2003-06-18 20:49:20 +00:00
|
|
|
publicKeyTemplate, n_pubkey_attr,
|
|
|
|
privateKeyTemplate, n_privkey_attr,
|
2003-07-24 11:29:08 +00:00
|
|
|
hPublicKey, hPrivateKey);
|
2003-06-03 13:57:52 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_GenerateKeyPair", rv);
|
|
|
|
|
2011-04-21 14:29:51 +00:00
|
|
|
if (ecparams)
|
|
|
|
free(ecparams);
|
|
|
|
|
2003-06-03 13:57:52 +00:00
|
|
|
printf("Key pair generated:\n");
|
2003-07-24 11:29:08 +00:00
|
|
|
show_object(session, *hPrivateKey);
|
|
|
|
show_object(session, *hPublicKey);
|
|
|
|
|
|
|
|
return 1;
|
2003-06-03 13:57:52 +00:00
|
|
|
}
|
|
|
|
|
2019-03-08 16:52:31 +00:00
|
|
|
/* generate symmetric key */
|
2016-06-23 16:18:55 +00:00
|
|
|
static int
|
|
|
|
gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey,
|
|
|
|
const char *type, char *label)
|
|
|
|
{
|
|
|
|
CK_MECHANISM mechanism = {CKM_AES_KEY_GEN, NULL_PTR, 0};
|
|
|
|
CK_OBJECT_CLASS secret_key_class = CKO_SECRET_KEY;
|
|
|
|
CK_BBOOL _true = TRUE;
|
2017-09-12 13:08:22 +00:00
|
|
|
CK_BBOOL _false = FALSE;
|
2016-06-23 16:18:55 +00:00
|
|
|
CK_KEY_TYPE key_type = CKK_AES;
|
|
|
|
CK_ULONG key_length;
|
|
|
|
CK_ATTRIBUTE keyTemplate[20] = {
|
|
|
|
{CKA_CLASS, &secret_key_class, sizeof(secret_key_class)},
|
|
|
|
{CKA_TOKEN, &_true, sizeof(_true)},
|
|
|
|
};
|
|
|
|
int n_attr = 2;
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
if (type != NULL) {
|
2019-03-31 20:33:14 +00:00
|
|
|
if (strncasecmp(type, "AES:", strlen("AES:")) == 0) {
|
2016-06-23 16:18:55 +00:00
|
|
|
CK_MECHANISM_TYPE mtypes[] = {CKM_AES_KEY_GEN};
|
|
|
|
size_t mtypes_num = sizeof(mtypes)/sizeof(mtypes[0]);
|
|
|
|
const char *size = type + strlen("AES:");
|
|
|
|
|
|
|
|
key_type = CKK_AES;
|
|
|
|
|
|
|
|
if (!opt_mechanism_used)
|
|
|
|
if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
|
|
|
|
util_fatal("Generate Key mechanism not supported\n");
|
|
|
|
|
|
|
|
if (size == NULL)
|
|
|
|
util_fatal("Unknown key type %s", type);
|
|
|
|
key_length = (unsigned long)atol(size);
|
|
|
|
if (key_length == 0)
|
|
|
|
key_length = 32;
|
|
|
|
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
|
|
|
|
n_attr++;
|
2016-08-18 07:29:18 +00:00
|
|
|
}
|
2019-03-31 20:33:14 +00:00
|
|
|
else if (strncasecmp(type, "DES:", strlen("DES:")) == 0) {
|
2016-08-18 07:29:18 +00:00
|
|
|
CK_MECHANISM_TYPE mtypes[] = {CKM_DES_KEY_GEN};
|
|
|
|
size_t mtypes_num = sizeof(mtypes)/sizeof(mtypes[0]);
|
|
|
|
const char *size = type + strlen("DES:");
|
|
|
|
|
|
|
|
key_type = CKK_DES;
|
|
|
|
|
|
|
|
if (!opt_mechanism_used)
|
|
|
|
if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
|
|
|
|
util_fatal("Generate Key mechanism not supported\n");
|
|
|
|
|
|
|
|
if (size == NULL)
|
|
|
|
util_fatal("Unknown key type %s", type);
|
|
|
|
key_length = (unsigned long)atol(size);
|
|
|
|
if (key_length == 0)
|
|
|
|
key_length = 8;
|
|
|
|
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
|
2016-06-23 16:18:55 +00:00
|
|
|
n_attr++;
|
2016-08-18 07:29:18 +00:00
|
|
|
}
|
2019-03-31 20:33:14 +00:00
|
|
|
else if (strncasecmp(type, "DES3:", strlen("DES3:")) == 0) {
|
2016-08-18 07:29:18 +00:00
|
|
|
CK_MECHANISM_TYPE mtypes[] = {CKM_DES3_KEY_GEN};
|
|
|
|
size_t mtypes_num = sizeof(mtypes)/sizeof(mtypes[0]);
|
|
|
|
const char *size = type + strlen("DES3:");
|
2016-06-23 16:18:55 +00:00
|
|
|
|
2016-08-18 07:29:18 +00:00
|
|
|
key_type = CKK_DES3;
|
|
|
|
|
|
|
|
if (!opt_mechanism_used)
|
|
|
|
if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
|
|
|
|
util_fatal("Generate Key mechanism not supported\n");
|
|
|
|
|
|
|
|
if (size == NULL)
|
|
|
|
util_fatal("Unknown key type %s", type);
|
|
|
|
key_length = (unsigned long)atol(size);
|
|
|
|
if (key_length == 0)
|
|
|
|
key_length = 16;
|
|
|
|
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
|
|
|
|
n_attr++;
|
2016-06-23 16:18:55 +00:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
util_fatal("Unknown key type %s", type);
|
|
|
|
}
|
|
|
|
|
2017-09-12 13:08:22 +00:00
|
|
|
if (opt_is_sensitive != 0) {
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_SENSITIVE, &_true, sizeof(_true));
|
|
|
|
n_attr++;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_SENSITIVE, &_false, sizeof(_false));
|
|
|
|
n_attr++;
|
|
|
|
}
|
2017-09-12 13:08:22 +00:00
|
|
|
|
2016-08-18 07:29:18 +00:00
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_ENCRYPT, &_true, sizeof(_true));
|
|
|
|
n_attr++;
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_DECRYPT, &_true, sizeof(_true));
|
|
|
|
n_attr++;
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_WRAP, &_true, sizeof(_true));
|
|
|
|
n_attr++;
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_UNWRAP, &_true, sizeof(_true));
|
|
|
|
n_attr++;
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_VALUE_LEN, &key_length, sizeof(key_length));
|
|
|
|
n_attr++;
|
|
|
|
|
2016-06-23 16:18:55 +00:00
|
|
|
mechanism.mechanism = opt_mechanism;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (label != NULL) {
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_LABEL, label, strlen(label));
|
|
|
|
n_attr++;
|
|
|
|
}
|
|
|
|
else if (opt_object_label != NULL) {
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_LABEL, opt_object_label, strlen(opt_object_label));
|
|
|
|
n_attr++;
|
|
|
|
}
|
|
|
|
|
2016-08-18 07:29:18 +00:00
|
|
|
if (opt_object_id_len != 0) {
|
|
|
|
FILL_ATTR(keyTemplate[n_attr], CKA_ID, opt_object_id, opt_object_id_len);
|
2016-06-23 16:18:55 +00:00
|
|
|
n_attr++;
|
|
|
|
}
|
|
|
|
|
2019-03-08 16:52:31 +00:00
|
|
|
if (opt_allowed_mechanisms_len > 0) {
|
|
|
|
FILL_ATTR(keyTemplate[n_attr],
|
|
|
|
CKA_ALLOWED_MECHANISMS, opt_allowed_mechanisms,
|
|
|
|
sizeof(CK_MECHANISM_TYPE) * opt_allowed_mechanisms_len);
|
|
|
|
n_attr++;
|
|
|
|
}
|
|
|
|
|
2016-06-23 16:18:55 +00:00
|
|
|
rv = p11->C_GenerateKey(session, &mechanism, keyTemplate, n_attr, hSecretKey);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_GenerateKey", rv);
|
|
|
|
|
|
|
|
printf("Key generated:\n");
|
|
|
|
show_object(session, *hSecretKey);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2007-06-21 13:20:45 +00:00
|
|
|
static void parse_certificate(struct x509cert_info *cert,
|
2017-03-07 10:17:36 +00:00
|
|
|
unsigned char *data, int len, unsigned char *contents,
|
|
|
|
int *contents_len)
|
2005-05-21 10:21:53 +00:00
|
|
|
{
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
X509 *x = NULL;
|
2005-05-21 10:21:53 +00:00
|
|
|
unsigned char *p;
|
|
|
|
int n;
|
|
|
|
|
2017-03-07 10:17:36 +00:00
|
|
|
if (strstr((char *)data, "-----BEGIN CERTIFICATE-----")) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
BIO *mem = BIO_new_mem_buf(data, len);
|
|
|
|
x = PEM_read_bio_X509(mem, NULL, NULL, NULL);
|
2017-03-20 14:03:32 +00:00
|
|
|
/* Update what is written to the card to be DER encoded */
|
2017-03-07 10:17:36 +00:00
|
|
|
if (contents != NULL) {
|
|
|
|
unsigned char *contents_pointer = contents;
|
|
|
|
*contents_len = i2d_X509(x, &contents_pointer);
|
|
|
|
if (*contents_len < 0)
|
|
|
|
util_fatal("Failed to convert PEM to DER");
|
|
|
|
}
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
BIO_free(mem);
|
2017-03-07 10:17:36 +00:00
|
|
|
} else {
|
|
|
|
x = d2i_X509(NULL, (const unsigned char **)&data, len);
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
}
|
2005-05-21 10:21:53 +00:00
|
|
|
if (!x) {
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("OpenSSL error during X509 certificate parsing");
|
2005-05-21 10:21:53 +00:00
|
|
|
}
|
2017-03-20 14:03:32 +00:00
|
|
|
/* convert only (if needed) */
|
|
|
|
if (cert == NULL)
|
|
|
|
return;
|
|
|
|
|
2014-04-10 14:40:12 +00:00
|
|
|
/* check length first */
|
2016-01-06 14:40:59 +00:00
|
|
|
n = i2d_X509_NAME(X509_get_subject_name(x), NULL);
|
2005-05-21 10:21:53 +00:00
|
|
|
if (n < 0)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("OpenSSL error while encoding subject name");
|
2005-05-21 10:21:53 +00:00
|
|
|
if (n > (int)sizeof (cert->subject))
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("subject name too long");
|
2014-04-10 14:40:12 +00:00
|
|
|
/* green light, actually do it */
|
|
|
|
p = cert->subject;
|
2016-01-06 14:40:59 +00:00
|
|
|
n = i2d_X509_NAME(X509_get_subject_name(x), &p);
|
2005-05-21 10:21:53 +00:00
|
|
|
cert->subject_len = n;
|
|
|
|
|
2014-04-10 14:40:12 +00:00
|
|
|
/* check length first */
|
2016-01-06 14:40:59 +00:00
|
|
|
n = i2d_X509_NAME(X509_get_issuer_name(x), NULL);
|
2005-05-21 10:21:53 +00:00
|
|
|
if (n < 0)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("OpenSSL error while encoding issuer name");
|
2005-05-21 10:21:53 +00:00
|
|
|
if (n > (int)sizeof (cert->issuer))
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("issuer name too long");
|
2014-04-10 14:40:12 +00:00
|
|
|
/* green light, actually do it */
|
|
|
|
p = cert->issuer;
|
2016-01-06 14:40:59 +00:00
|
|
|
n =i2d_X509_NAME(X509_get_issuer_name(x), &p);
|
2005-05-21 10:21:53 +00:00
|
|
|
cert->issuer_len = n;
|
|
|
|
|
2014-04-10 14:40:12 +00:00
|
|
|
/* check length first */
|
2016-01-06 14:40:59 +00:00
|
|
|
n = i2d_ASN1_INTEGER(X509_get_serialNumber(x), NULL);
|
2005-05-21 10:21:53 +00:00
|
|
|
if (n < 0)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("OpenSSL error while encoding serial number");
|
2005-05-21 10:21:53 +00:00
|
|
|
if (n > (int)sizeof (cert->serialnum))
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("serial number too long");
|
2014-04-10 14:40:12 +00:00
|
|
|
/* green light, actually do it */
|
|
|
|
p = cert->serialnum;
|
2016-01-06 14:40:59 +00:00
|
|
|
n = i2d_ASN1_INTEGER(X509_get_serialNumber(x), &p);
|
2005-05-21 10:21:53 +00:00
|
|
|
cert->serialnum_len = n;
|
|
|
|
}
|
|
|
|
|
2012-04-02 22:00:56 +00:00
|
|
|
static int
|
2014-12-21 22:28:27 +00:00
|
|
|
do_read_key(unsigned char *data, size_t data_len, int private, EVP_PKEY **key)
|
2011-05-22 10:52:44 +00:00
|
|
|
{
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
BIO *mem = BIO_new_mem_buf(data, data_len);;
|
2011-05-22 10:52:44 +00:00
|
|
|
|
|
|
|
if (!key)
|
|
|
|
return -1;
|
2014-12-21 22:28:27 +00:00
|
|
|
|
|
|
|
if (private) {
|
2014-12-22 00:56:32 +00:00
|
|
|
if (!strstr((char *)data, "-----BEGIN "))
|
2014-12-21 22:28:27 +00:00
|
|
|
*key = d2i_PrivateKey_bio(mem, NULL);
|
|
|
|
else
|
|
|
|
*key = PEM_read_bio_PrivateKey(mem, NULL, NULL, NULL);
|
|
|
|
}
|
|
|
|
else {
|
2014-12-22 00:56:32 +00:00
|
|
|
if (!strstr((char *)data, "-----BEGIN "))
|
2014-12-21 22:28:27 +00:00
|
|
|
*key = d2i_PUBKEY_bio(mem, NULL);
|
|
|
|
else
|
|
|
|
*key = PEM_read_bio_PUBKEY(mem, NULL, NULL, NULL);
|
|
|
|
}
|
|
|
|
|
2011-05-22 10:52:44 +00:00
|
|
|
BIO_free(mem);
|
|
|
|
if (*key == NULL)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
#define RSA_GET_BN(RSA, LOCALNAME, BNVALUE) \
|
2005-05-21 10:21:53 +00:00
|
|
|
do { \
|
2016-01-06 14:40:59 +00:00
|
|
|
if (BNVALUE) { \
|
|
|
|
RSA->LOCALNAME = malloc(BN_num_bytes(BNVALUE)); \
|
|
|
|
if (!RSA->LOCALNAME) \
|
|
|
|
util_fatal("malloc() failure\n"); \
|
|
|
|
RSA->LOCALNAME##_len = BN_bn2bin(BNVALUE, RSA->LOCALNAME); \
|
|
|
|
} else { \
|
|
|
|
RSA->LOCALNAME##_len = 0; \
|
|
|
|
RSA->LOCALNAME = NULL; \
|
|
|
|
} \
|
2005-05-21 10:21:53 +00:00
|
|
|
} while (0)
|
|
|
|
|
2012-04-02 22:00:56 +00:00
|
|
|
static int
|
2014-12-21 22:28:27 +00:00
|
|
|
parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
|
2005-05-21 10:21:53 +00:00
|
|
|
{
|
2014-12-21 22:28:27 +00:00
|
|
|
RSA *r;
|
2016-01-06 14:40:59 +00:00
|
|
|
const BIGNUM *r_n, *r_e, *r_d;
|
|
|
|
const BIGNUM *r_p, *r_q;
|
|
|
|
const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
|
2005-05-21 10:21:53 +00:00
|
|
|
|
2014-12-21 22:28:27 +00:00
|
|
|
r = EVP_PKEY_get1_RSA(pkey);
|
2005-05-21 10:21:53 +00:00
|
|
|
if (!r) {
|
2014-12-21 22:28:27 +00:00
|
|
|
if (private)
|
|
|
|
util_fatal("OpenSSL error during RSA private key parsing");
|
|
|
|
else
|
|
|
|
util_fatal("OpenSSL error during RSA public key parsing");
|
2005-05-21 10:21:53 +00:00
|
|
|
}
|
2014-12-21 22:28:27 +00:00
|
|
|
|
2016-01-06 14:40:59 +00:00
|
|
|
RSA_get0_key(r, &r_n, &r_e, NULL);
|
|
|
|
RSA_GET_BN(rsa, modulus, r_n);
|
|
|
|
RSA_GET_BN(rsa, public_exponent, r_e);
|
|
|
|
|
2014-12-21 22:28:27 +00:00
|
|
|
if (private) {
|
2016-01-06 14:40:59 +00:00
|
|
|
RSA_get0_key(r, NULL, NULL, &r_d);
|
|
|
|
RSA_GET_BN(rsa, private_exponent, r_d);
|
|
|
|
|
|
|
|
RSA_get0_factors(r, &r_p, &r_q);
|
|
|
|
RSA_GET_BN(rsa, prime_1, r_p);
|
|
|
|
RSA_GET_BN(rsa, prime_2, r_q);
|
|
|
|
|
|
|
|
RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
|
|
|
|
RSA_GET_BN(rsa, exponent_1, r_dmp1);
|
|
|
|
RSA_GET_BN(rsa, exponent_2, r_dmq1);
|
|
|
|
RSA_GET_BN(rsa, coefficient, r_iqmp);
|
2010-03-16 14:11:39 +00:00
|
|
|
}
|
|
|
|
|
2014-12-21 22:28:27 +00:00
|
|
|
RSA_free(r);
|
|
|
|
|
|
|
|
return 0;
|
2010-03-16 14:11:39 +00:00
|
|
|
}
|
2011-05-22 10:52:44 +00:00
|
|
|
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_EC)
|
2014-12-21 22:28:27 +00:00
|
|
|
static int
|
|
|
|
parse_gost_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost)
|
2011-05-22 10:52:44 +00:00
|
|
|
{
|
2014-12-21 22:28:27 +00:00
|
|
|
EC_KEY *src = EVP_PKEY_get0(pkey);
|
2011-05-22 10:52:44 +00:00
|
|
|
unsigned char *pder;
|
|
|
|
const BIGNUM *bignum;
|
2014-12-21 22:28:27 +00:00
|
|
|
BIGNUM *X, *Y;
|
|
|
|
const EC_POINT *point;
|
2011-05-22 10:52:44 +00:00
|
|
|
int nid, rv;
|
|
|
|
|
|
|
|
if (!src)
|
|
|
|
return -1;
|
|
|
|
|
2014-12-21 22:28:27 +00:00
|
|
|
nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(EVP_PKEY_get0(pkey)));
|
2011-05-22 10:52:44 +00:00
|
|
|
rv = i2d_ASN1_OBJECT(OBJ_nid2obj(nid), NULL);
|
|
|
|
if (rv < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
gost->param_oid.value = malloc(rv);
|
|
|
|
if (!gost->param_oid.value)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
pder = gost->param_oid.value;
|
|
|
|
rv = i2d_ASN1_OBJECT(OBJ_nid2obj(nid), &pder);
|
|
|
|
gost->param_oid.len = rv;
|
|
|
|
|
2014-12-21 22:28:27 +00:00
|
|
|
if (private) {
|
|
|
|
bignum = EC_KEY_get0_private_key(EVP_PKEY_get0(pkey));
|
2011-05-22 10:52:44 +00:00
|
|
|
|
2014-12-21 22:28:27 +00:00
|
|
|
gost->private.len = BN_num_bytes(bignum);
|
|
|
|
gost->private.value = malloc(gost->private.len);
|
|
|
|
if (!gost->private.value)
|
|
|
|
return -1;
|
|
|
|
BN_bn2bin(bignum, gost->private.value);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
X = BN_new();
|
|
|
|
Y = BN_new();
|
|
|
|
point = EC_KEY_get0_public_key(src);
|
|
|
|
rv = -1;
|
|
|
|
if (X && Y && point && EC_KEY_get0_group(src))
|
|
|
|
rv = EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(src),
|
|
|
|
point, X, Y, NULL);
|
|
|
|
if (rv == 1) {
|
|
|
|
gost->public.len = BN_num_bytes(X) + BN_num_bytes(Y);
|
|
|
|
gost->public.value = malloc(gost->public.len);
|
|
|
|
if (!gost->public.value)
|
|
|
|
rv = -1;
|
|
|
|
else
|
|
|
|
{
|
|
|
|
BN_bn2bin(Y, gost->public.value);
|
|
|
|
BN_bn2bin(X, gost->public.value + BN_num_bytes(Y));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
BN_free(X);
|
|
|
|
BN_free(Y);
|
|
|
|
if (rv != 1)
|
|
|
|
return -1;
|
|
|
|
}
|
2011-05-22 10:52:44 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
|
|
|
|
static int
|
|
|
|
parse_ec_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost)
|
|
|
|
{
|
|
|
|
EC_KEY *src = EVP_PKEY_get0(pkey);
|
|
|
|
const BIGNUM *bignum;
|
|
|
|
|
|
|
|
if (!src)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
gost->param_oid.len = i2d_ECParameters(src, &gost->param_oid.value);
|
|
|
|
if (gost->param_oid.len <= 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (private) {
|
|
|
|
bignum = EC_KEY_get0_private_key(EVP_PKEY_get0(pkey));
|
|
|
|
|
|
|
|
gost->private.len = BN_num_bytes(bignum);
|
|
|
|
gost->private.value = malloc(gost->private.len);
|
|
|
|
if (!gost->private.value)
|
|
|
|
return -1;
|
|
|
|
BN_bn2bin(bignum, gost->private.value);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
unsigned char buf[512], *point;
|
|
|
|
int point_len, header_len;
|
|
|
|
const int MAX_HEADER_LEN = 3;
|
|
|
|
const EC_GROUP *ecgroup = EC_KEY_get0_group(src);
|
|
|
|
const EC_POINT *ecpoint = EC_KEY_get0_public_key(src);
|
|
|
|
if (!ecgroup || !ecpoint)
|
|
|
|
return -1;
|
|
|
|
point_len = EC_POINT_point2oct(ecgroup, ecpoint, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), NULL);
|
|
|
|
gost->public.value = malloc(MAX_HEADER_LEN+point_len);
|
|
|
|
if (!gost->public.value)
|
|
|
|
return -1;
|
|
|
|
point = gost->public.value;
|
|
|
|
ASN1_put_object(&point, 0, point_len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
|
|
|
|
header_len = point-gost->public.value;
|
|
|
|
memcpy(point, buf, point_len);
|
|
|
|
gost->public.len = header_len+point_len;
|
2018-03-19 07:58:21 +00:00
|
|
|
#ifdef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
gost->public.len -= header_len;
|
|
|
|
gost->public.value += header_len;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2011-05-22 10:52:44 +00:00
|
|
|
#endif
|
2005-05-21 10:21:53 +00:00
|
|
|
#endif
|
|
|
|
|
|
|
|
#define MAX_OBJECT_SIZE 5000
|
|
|
|
|
2010-03-16 14:11:39 +00:00
|
|
|
/* Currently for certificates (-type cert), private keys (-type privkey),
|
2014-12-21 22:28:27 +00:00
|
|
|
public keys (-type pubkey) and data objects (-type data). */
|
2011-06-01 18:51:26 +00:00
|
|
|
static int write_object(CK_SESSION_HANDLE session)
|
2003-06-04 12:30:02 +00:00
|
|
|
{
|
2003-09-25 09:33:16 +00:00
|
|
|
CK_BBOOL _true = TRUE;
|
2015-08-11 13:02:52 +00:00
|
|
|
CK_BBOOL _false = FALSE;
|
2012-06-01 14:44:28 +00:00
|
|
|
unsigned char contents[MAX_OBJECT_SIZE + 1];
|
2005-05-21 10:21:53 +00:00
|
|
|
int contents_len = 0;
|
|
|
|
unsigned char certdata[MAX_OBJECT_SIZE];
|
|
|
|
int certdata_len = 0;
|
2003-06-04 12:30:02 +00:00
|
|
|
FILE *f;
|
2019-03-31 20:33:14 +00:00
|
|
|
CK_OBJECT_HANDLE cert_obj, privkey_obj, pubkey_obj, seckey_obj, data_obj;
|
2019-04-25 13:35:09 +00:00
|
|
|
CK_ATTRIBUTE cert_templ[20], privkey_templ[30], pubkey_templ[20], seckey_templ[20], data_templ[20];
|
2019-03-31 20:33:14 +00:00
|
|
|
int n_cert_attr = 0, n_privkey_attr = 0, n_pubkey_attr = 0, n_seckey_attr = 0, n_data_attr = 0;
|
2007-06-21 09:37:18 +00:00
|
|
|
struct sc_object_id oid;
|
2003-06-04 12:30:02 +00:00
|
|
|
CK_RV rv;
|
2005-05-21 10:21:53 +00:00
|
|
|
int need_to_parse_certdata = 0;
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
unsigned char *oid_buf = NULL;
|
2014-02-25 09:41:18 +00:00
|
|
|
CK_OBJECT_CLASS clazz;
|
|
|
|
CK_CERTIFICATE_TYPE cert_type;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
CK_KEY_TYPE type = CKK_RSA;
|
2019-03-31 20:33:14 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2005-05-22 20:07:31 +00:00
|
|
|
struct x509cert_info cert;
|
|
|
|
struct rsakey_info rsa;
|
2011-05-22 10:52:44 +00:00
|
|
|
struct gostkey_info gost;
|
|
|
|
EVP_PKEY *evp_key = NULL;
|
2016-01-06 14:40:59 +00:00
|
|
|
int pk_type;
|
2005-05-22 20:07:31 +00:00
|
|
|
|
|
|
|
memset(&cert, 0, sizeof(cert));
|
|
|
|
memset(&rsa, 0, sizeof(rsa));
|
2011-05-22 10:52:44 +00:00
|
|
|
memset(&gost, 0, sizeof(gost));
|
2005-05-21 10:21:53 +00:00
|
|
|
#endif
|
2012-06-01 14:44:28 +00:00
|
|
|
|
|
|
|
memset(contents, 0, sizeof(contents));
|
|
|
|
memset(certdata, 0, sizeof(certdata));
|
|
|
|
|
2003-06-04 12:30:02 +00:00
|
|
|
f = fopen(opt_file_to_write, "rb");
|
|
|
|
if (f == NULL)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Couldn't open file \"%s\"", opt_file_to_write);
|
2012-06-01 14:44:28 +00:00
|
|
|
contents_len = fread(contents, 1, sizeof(contents) - 1, f);
|
2003-06-04 12:30:02 +00:00
|
|
|
if (contents_len < 0)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Couldn't read from file \"%s\"", opt_file_to_write);
|
2003-06-04 12:30:02 +00:00
|
|
|
fclose(f);
|
2012-06-01 14:44:28 +00:00
|
|
|
contents[contents_len] = '\0';
|
2003-06-04 12:30:02 +00:00
|
|
|
|
2005-05-21 10:21:53 +00:00
|
|
|
if (opt_attr_from_file) {
|
|
|
|
if (!(f = fopen(opt_attr_from_file, "rb")))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Couldn't open file \"%s\"", opt_attr_from_file);
|
2005-05-21 10:21:53 +00:00
|
|
|
certdata_len = fread(certdata, 1, sizeof(certdata), f);
|
2017-11-29 10:35:21 +00:00
|
|
|
fclose(f);
|
2005-05-21 10:21:53 +00:00
|
|
|
if (certdata_len < 0)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Couldn't read from file \"%s\"", opt_attr_from_file);
|
2017-11-29 10:35:21 +00:00
|
|
|
certdata[certdata_len] = '\0';
|
2005-05-21 10:21:53 +00:00
|
|
|
need_to_parse_certdata = 1;
|
|
|
|
}
|
2017-03-20 14:03:32 +00:00
|
|
|
if (opt_object_class == CKO_CERTIFICATE) {
|
|
|
|
if (opt_attr_from_file) {
|
|
|
|
/* Convert contents from PEM to DER if needed
|
|
|
|
* certdata already read and will be validated later
|
|
|
|
*/
|
|
|
|
#ifdef ENABLE_OPENSSL
|
|
|
|
parse_certificate(NULL, contents, contents_len, contents, &contents_len);
|
|
|
|
#else
|
|
|
|
util_fatal("No OpenSSL support, cannot parse certificate");
|
|
|
|
#endif
|
|
|
|
} else {
|
|
|
|
memcpy(certdata, contents, MAX_OBJECT_SIZE);
|
|
|
|
certdata_len = contents_len;
|
|
|
|
need_to_parse_certdata = 1;
|
|
|
|
}
|
2005-05-21 10:21:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (need_to_parse_certdata) {
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2017-03-20 14:03:32 +00:00
|
|
|
/* Validate and get the certificate fields (from certdata)
|
|
|
|
* and convert PEM to DER if needed
|
|
|
|
*/
|
2017-03-07 10:17:36 +00:00
|
|
|
parse_certificate(&cert, certdata, certdata_len,
|
|
|
|
(opt_attr_from_file ? NULL : contents), &contents_len);
|
2005-05-21 10:21:53 +00:00
|
|
|
#else
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("No OpenSSL support, cannot parse certificate");
|
2005-05-21 10:21:53 +00:00
|
|
|
#endif
|
|
|
|
}
|
2014-12-21 22:28:27 +00:00
|
|
|
if (opt_object_class == CKO_PRIVATE_KEY || opt_object_class == CKO_PUBLIC_KEY) {
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2016-02-29 17:05:17 +00:00
|
|
|
int is_private = opt_object_class == CKO_PRIVATE_KEY;
|
2012-04-02 22:00:56 +00:00
|
|
|
int rv;
|
2011-05-22 10:52:44 +00:00
|
|
|
|
2014-12-21 22:28:27 +00:00
|
|
|
rv = do_read_key(contents, contents_len, is_private, &evp_key);
|
|
|
|
if (rv) {
|
|
|
|
if (is_private)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Cannot read private key");
|
2014-12-21 22:28:27 +00:00
|
|
|
else
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Cannot read public key");
|
2014-12-21 22:28:27 +00:00
|
|
|
}
|
2011-05-22 10:52:44 +00:00
|
|
|
|
2016-01-06 14:40:59 +00:00
|
|
|
pk_type = EVP_PKEY_base_id(evp_key);
|
|
|
|
|
|
|
|
if (pk_type == EVP_PKEY_RSA) {
|
2014-12-21 22:28:27 +00:00
|
|
|
rv = parse_rsa_pkey(evp_key, is_private, &rsa);
|
2011-05-22 10:52:44 +00:00
|
|
|
}
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_EC)
|
2016-01-06 14:40:59 +00:00
|
|
|
else if (pk_type == NID_id_GostR3410_2001) {
|
2014-12-21 22:28:27 +00:00
|
|
|
rv = parse_gost_pkey(evp_key, is_private, &gost);
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
type = CKK_GOSTR3410;
|
2016-01-06 14:40:59 +00:00
|
|
|
} else if (pk_type == EVP_PKEY_EC) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
rv = parse_ec_pkey(evp_key, is_private, &gost);
|
|
|
|
type = CKK_EC;
|
2011-05-22 10:52:44 +00:00
|
|
|
}
|
|
|
|
#endif
|
2014-12-21 22:28:27 +00:00
|
|
|
else
|
2016-01-06 14:40:59 +00:00
|
|
|
util_fatal("Unsupported key type: 0x%X", pk_type);
|
2011-05-22 10:52:44 +00:00
|
|
|
|
|
|
|
if (rv)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Cannot parse key");
|
2005-05-21 10:21:53 +00:00
|
|
|
#else
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("No OpenSSL support, cannot parse key");
|
2010-03-16 14:11:39 +00:00
|
|
|
#endif
|
|
|
|
}
|
2005-05-21 10:21:53 +00:00
|
|
|
|
2019-03-31 20:33:14 +00:00
|
|
|
switch(opt_object_class)
|
|
|
|
{
|
|
|
|
case CKO_CERTIFICATE:
|
2014-02-25 09:41:18 +00:00
|
|
|
clazz = CKO_CERTIFICATE;
|
|
|
|
cert_type = CKC_X_509;
|
2003-06-04 12:30:02 +00:00
|
|
|
|
2003-09-25 09:33:16 +00:00
|
|
|
FILL_ATTR(cert_templ[0], CKA_TOKEN, &_true, sizeof(_true));
|
2003-06-04 12:30:02 +00:00
|
|
|
FILL_ATTR(cert_templ[1], CKA_VALUE, contents, contents_len);
|
|
|
|
FILL_ATTR(cert_templ[2], CKA_CLASS, &clazz, sizeof(clazz));
|
|
|
|
FILL_ATTR(cert_templ[3], CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type));
|
2015-08-11 13:02:52 +00:00
|
|
|
FILL_ATTR(cert_templ[4], CKA_PRIVATE, &_false, sizeof(_false));
|
|
|
|
n_cert_attr = 5;
|
2003-06-18 20:49:20 +00:00
|
|
|
|
|
|
|
if (opt_object_label != NULL) {
|
2015-08-11 13:02:52 +00:00
|
|
|
FILL_ATTR(cert_templ[n_cert_attr], CKA_LABEL, opt_object_label, strlen(opt_object_label));
|
2003-06-24 09:14:57 +00:00
|
|
|
n_cert_attr++;
|
2003-06-18 20:49:20 +00:00
|
|
|
}
|
2003-06-24 09:14:57 +00:00
|
|
|
if (opt_object_id_len != 0) {
|
2015-08-11 13:02:52 +00:00
|
|
|
FILL_ATTR(cert_templ[n_cert_attr], CKA_ID, opt_object_id, opt_object_id_len);
|
2003-06-24 09:14:57 +00:00
|
|
|
n_cert_attr++;
|
2003-06-18 20:49:20 +00:00
|
|
|
}
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2005-05-21 10:21:53 +00:00
|
|
|
/* according to PKCS #11 CKA_SUBJECT MUST be specified */
|
2015-08-11 13:02:52 +00:00
|
|
|
FILL_ATTR(cert_templ[n_cert_attr], CKA_SUBJECT, cert.subject, cert.subject_len);
|
2005-05-21 10:21:53 +00:00
|
|
|
n_cert_attr++;
|
2015-08-11 13:02:52 +00:00
|
|
|
FILL_ATTR(cert_templ[n_cert_attr], CKA_ISSUER, cert.issuer, cert.issuer_len);
|
2005-05-21 10:21:53 +00:00
|
|
|
n_cert_attr++;
|
2015-08-11 13:02:52 +00:00
|
|
|
FILL_ATTR(cert_templ[n_cert_attr], CKA_SERIAL_NUMBER, cert.serialnum, cert.serialnum_len);
|
2005-05-21 10:21:53 +00:00
|
|
|
n_cert_attr++;
|
|
|
|
#endif
|
2019-03-31 20:33:14 +00:00
|
|
|
break;
|
|
|
|
case CKO_PRIVATE_KEY:
|
2014-02-25 09:41:18 +00:00
|
|
|
clazz = CKO_PRIVATE_KEY;
|
2005-05-21 10:21:53 +00:00
|
|
|
|
2011-05-22 10:52:44 +00:00
|
|
|
n_privkey_attr = 0;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_CLASS, &clazz, sizeof(clazz));
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_TOKEN, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_PRIVATE, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_SENSITIVE, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
2005-05-21 10:21:53 +00:00
|
|
|
|
|
|
|
if (opt_object_label != NULL) {
|
2011-05-22 10:52:44 +00:00
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_LABEL, opt_object_label, strlen(opt_object_label));
|
2005-05-21 10:21:53 +00:00
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
if (opt_object_id_len != 0) {
|
2011-05-22 10:52:44 +00:00
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_ID, opt_object_id, opt_object_id_len);
|
2005-05-21 10:21:53 +00:00
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
2015-04-22 15:40:36 +00:00
|
|
|
if (opt_key_usage_sign != 0) {
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_SIGN, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
if (opt_key_usage_decrypt != 0) {
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_DECRYPT, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
if (opt_key_usage_derive != 0) {
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_DERIVE, &_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
2018-11-26 15:02:59 +00:00
|
|
|
if (opt_always_auth != 0) {
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_ALWAYS_AUTHENTICATE,
|
|
|
|
&_true, sizeof(_true));
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
2019-03-08 16:52:31 +00:00
|
|
|
if (opt_allowed_mechanisms_len > 0) {
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr],
|
|
|
|
CKA_ALLOWED_MECHANISMS, opt_allowed_mechanisms,
|
|
|
|
sizeof(CK_MECHANISM_TYPE) * opt_allowed_mechanisms_len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
|
2015-04-22 15:40:36 +00:00
|
|
|
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2005-05-21 10:21:53 +00:00
|
|
|
if (cert.subject_len != 0) {
|
2011-05-22 10:52:44 +00:00
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_SUBJECT, cert.subject, cert.subject_len);
|
2005-05-21 10:21:53 +00:00
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
2016-01-06 14:40:59 +00:00
|
|
|
pk_type = EVP_PKEY_base_id(evp_key);
|
|
|
|
|
|
|
|
if (pk_type == EVP_PKEY_RSA) {
|
|
|
|
type = CKK_RSA;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_KEY_TYPE, &type, sizeof(type));
|
|
|
|
n_privkey_attr++;
|
2011-05-22 10:52:44 +00:00
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_MODULUS, rsa.modulus, rsa.modulus_len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_PUBLIC_EXPONENT, rsa.public_exponent, rsa.public_exponent_len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_PRIVATE_EXPONENT, rsa.private_exponent, rsa.private_exponent_len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_PRIME_1, rsa.prime_1, rsa.prime_1_len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_PRIME_2, rsa.prime_2, rsa.prime_2_len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_EXPONENT_1, rsa.exponent_1, rsa.exponent_1_len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_EXPONENT_2, rsa.exponent_2, rsa.exponent_2_len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_COEFFICIENT, rsa.coefficient, rsa.coefficient_len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_EC)
|
2016-01-06 14:40:59 +00:00
|
|
|
else if (pk_type == EVP_PKEY_EC) {
|
|
|
|
type = CKK_EC;
|
|
|
|
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_KEY_TYPE, &type, sizeof(type));
|
|
|
|
n_privkey_attr++;
|
2015-04-14 15:52:22 +00:00
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_EC_PARAMS, gost.param_oid.value, gost.param_oid.len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_VALUE, gost.private.value, gost.private.len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
2016-01-06 14:40:59 +00:00
|
|
|
else if (pk_type == NID_id_GostR3410_2001) {
|
|
|
|
type = CKK_GOSTR3410;
|
|
|
|
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_KEY_TYPE, &type, sizeof(type));
|
|
|
|
n_privkey_attr++;
|
2011-05-22 10:52:44 +00:00
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_GOSTR3410_PARAMS, gost.param_oid.value, gost.param_oid.len);
|
|
|
|
n_privkey_attr++;
|
|
|
|
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_VALUE, gost.private.value, gost.private.len);
|
2011-05-29 17:55:26 +00:00
|
|
|
/* CKA_VALUE of the GOST key has to be in the little endian order */
|
|
|
|
rv = sc_mem_reverse(privkey_templ[n_privkey_attr].pValue, privkey_templ[n_privkey_attr].ulValueLen);
|
|
|
|
if (rv)
|
|
|
|
return rv;
|
2011-05-22 10:52:44 +00:00
|
|
|
n_privkey_attr++;
|
|
|
|
}
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
|
2011-05-22 10:52:44 +00:00
|
|
|
#endif
|
2010-03-16 14:11:39 +00:00
|
|
|
#endif
|
2019-03-31 20:33:14 +00:00
|
|
|
break;
|
|
|
|
case CKO_PUBLIC_KEY:
|
2014-02-25 09:41:18 +00:00
|
|
|
clazz = CKO_PUBLIC_KEY;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2016-01-06 14:40:59 +00:00
|
|
|
pk_type = EVP_PKEY_base_id(evp_key);
|
|
|
|
if (pk_type == EVP_PKEY_RSA)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
type = CKK_RSA;
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_EC)
|
2016-01-06 14:40:59 +00:00
|
|
|
else if (pk_type == EVP_PKEY_EC)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
type = CKK_EC;
|
2016-01-06 14:40:59 +00:00
|
|
|
else if (pk_type == NID_id_GostR3410_2001)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
type = CKK_GOSTR3410;
|
|
|
|
#endif
|
|
|
|
else
|
2016-01-06 14:40:59 +00:00
|
|
|
util_fatal("Unsupported public key type: 0x%X", pk_type);
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
#endif
|
2010-03-16 14:11:39 +00:00
|
|
|
|
2014-12-21 22:28:27 +00:00
|
|
|
n_pubkey_attr = 0;
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_CLASS, &clazz, sizeof(clazz));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_TOKEN, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
2010-03-16 14:11:39 +00:00
|
|
|
|
|
|
|
if (opt_is_private != 0) {
|
2015-08-11 13:02:52 +00:00
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_PRIVATE, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_PRIVATE, &_false, sizeof(_false));
|
|
|
|
n_pubkey_attr++;
|
2010-03-16 14:11:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_object_label != NULL) {
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_LABEL,
|
|
|
|
opt_object_label, strlen(opt_object_label));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
|
|
|
if (opt_object_id_len != 0) {
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_ID,
|
|
|
|
opt_object_id, opt_object_id_len);
|
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
2015-04-22 15:40:36 +00:00
|
|
|
if (opt_key_usage_sign != 0) {
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_VERIFY, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
|
|
|
if (opt_key_usage_decrypt != 0) {
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_ENCRYPT, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
|
|
|
if (opt_key_usage_derive != 0) {
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_DERIVE, &_true, sizeof(_true));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
|
|
|
|
2010-03-16 14:11:39 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
|
|
|
if (cert.subject_len != 0) {
|
2015-08-11 13:02:52 +00:00
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_SUBJECT, cert.subject, cert.subject_len);
|
2010-03-16 14:11:39 +00:00
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
2016-01-06 14:40:59 +00:00
|
|
|
pk_type = EVP_PKEY_base_id(evp_key);
|
|
|
|
|
|
|
|
if (pk_type == EVP_PKEY_RSA) {
|
|
|
|
type = CKK_RSA;
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_KEY_TYPE, &type, sizeof(type));
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_MODULUS,
|
|
|
|
rsa.modulus, rsa.modulus_len);
|
2014-12-21 22:28:27 +00:00
|
|
|
n_pubkey_attr++;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_PUBLIC_EXPONENT, rsa.public_exponent, rsa.public_exponent_len);
|
2014-12-21 22:28:27 +00:00
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_EC)
|
2016-01-06 14:40:59 +00:00
|
|
|
else if (pk_type == EVP_PKEY_EC) {
|
|
|
|
type = CKK_EC;
|
|
|
|
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_KEY_TYPE, &type, sizeof(type));
|
|
|
|
n_pubkey_attr++;
|
2014-12-21 22:28:27 +00:00
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_EC_PARAMS, gost.param_oid.value, gost.param_oid.len);
|
|
|
|
n_pubkey_attr++;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_EC_POINT, gost.public.value, gost.public.len);
|
2014-12-21 22:28:27 +00:00
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
2016-01-06 14:40:59 +00:00
|
|
|
else if (pk_type == NID_id_GostR3410_2001) {
|
|
|
|
type = CKK_GOSTR3410;
|
|
|
|
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_KEY_TYPE, &type, sizeof(type));
|
|
|
|
n_pubkey_attr++;
|
2014-12-21 22:28:27 +00:00
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_GOSTR3410_PARAMS, gost.param_oid.value, gost.param_oid.len);
|
|
|
|
n_pubkey_attr++;
|
|
|
|
FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_VALUE, gost.public.value, gost.public.len);
|
|
|
|
/* CKA_VALUE of the GOST key has to be in the little endian order */
|
|
|
|
rv = sc_mem_reverse(pubkey_templ[n_pubkey_attr].pValue, pubkey_templ[n_pubkey_attr].ulValueLen);
|
|
|
|
if (rv)
|
|
|
|
return rv;
|
|
|
|
n_pubkey_attr++;
|
|
|
|
}
|
|
|
|
#endif
|
2005-05-21 10:21:53 +00:00
|
|
|
#endif
|
2019-03-31 20:33:14 +00:00
|
|
|
break;
|
|
|
|
case CKO_SECRET_KEY:
|
|
|
|
clazz = CKO_SECRET_KEY;
|
|
|
|
type = CKK_AES;
|
|
|
|
|
|
|
|
if (opt_key_type != 0) {
|
|
|
|
if (strncasecmp(opt_key_type, "AES:", strlen("AES:")) == 0)
|
|
|
|
type = CKK_AES;
|
|
|
|
else if (strncasecmp(opt_key_type, "DES3:", strlen("DES3:")) == 0)
|
|
|
|
type = CKK_DES3;
|
|
|
|
else
|
|
|
|
util_fatal("Unknown key type %s", type);
|
|
|
|
}
|
|
|
|
|
|
|
|
FILL_ATTR(seckey_templ[0], CKA_CLASS, &clazz, sizeof(clazz));
|
|
|
|
FILL_ATTR(seckey_templ[1], CKA_KEY_TYPE, &type, sizeof(type));
|
|
|
|
FILL_ATTR(seckey_templ[2], CKA_TOKEN, &_true, sizeof(_true));
|
|
|
|
FILL_ATTR(seckey_templ[3], CKA_VALUE, &contents, contents_len);
|
|
|
|
n_seckey_attr = 4;
|
|
|
|
|
|
|
|
if (opt_is_private != 0) {
|
|
|
|
FILL_ATTR(seckey_templ[n_seckey_attr], CKA_PRIVATE, &_true, sizeof(_true));
|
|
|
|
n_seckey_attr++;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
FILL_ATTR(seckey_templ[n_seckey_attr], CKA_PRIVATE, &_false, sizeof(_false));
|
|
|
|
n_seckey_attr++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_is_sensitive != 0) {
|
|
|
|
FILL_ATTR(seckey_templ[n_seckey_attr], CKA_SENSITIVE, &_true, sizeof(_true));
|
|
|
|
n_seckey_attr++;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
FILL_ATTR(seckey_templ[n_seckey_attr], CKA_SENSITIVE, &_false, sizeof(_false));
|
|
|
|
n_seckey_attr++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_object_label != NULL) {
|
|
|
|
FILL_ATTR(seckey_templ[n_seckey_attr], CKA_LABEL, opt_object_label, strlen(opt_object_label));
|
|
|
|
n_seckey_attr++;
|
|
|
|
}
|
|
|
|
if (opt_object_id_len != 0) {
|
|
|
|
FILL_ATTR(seckey_templ[n_seckey_attr], CKA_ID, opt_object_id, opt_object_id_len);
|
|
|
|
n_seckey_attr++;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case CKO_DATA:
|
2014-02-25 09:41:18 +00:00
|
|
|
clazz = CKO_DATA;
|
2006-09-18 05:30:41 +00:00
|
|
|
FILL_ATTR(data_templ[0], CKA_CLASS, &clazz, sizeof(clazz));
|
|
|
|
FILL_ATTR(data_templ[1], CKA_TOKEN, &_true, sizeof(_true));
|
|
|
|
FILL_ATTR(data_templ[2], CKA_VALUE, &contents, contents_len);
|
|
|
|
|
|
|
|
n_data_attr = 3;
|
|
|
|
|
|
|
|
if (opt_is_private != 0) {
|
2015-08-11 13:02:52 +00:00
|
|
|
FILL_ATTR(data_templ[n_data_attr], CKA_PRIVATE, &_true, sizeof(_true));
|
|
|
|
n_data_attr++;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
FILL_ATTR(data_templ[n_data_attr], CKA_PRIVATE, &_false, sizeof(_false));
|
2007-06-21 09:37:18 +00:00
|
|
|
n_data_attr++;
|
2006-09-18 05:30:41 +00:00
|
|
|
}
|
|
|
|
|
2007-06-21 09:37:18 +00:00
|
|
|
if (opt_application_label != NULL) {
|
2006-09-18 05:30:41 +00:00
|
|
|
FILL_ATTR(data_templ[n_data_attr], CKA_APPLICATION,
|
2007-06-21 09:37:18 +00:00
|
|
|
opt_application_label, strlen(opt_application_label));
|
|
|
|
n_data_attr++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_application_id != NULL) {
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
size_t len;
|
|
|
|
|
|
|
|
if (sc_format_oid(&oid, opt_application_id))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Invalid OID \"%s\"", opt_application_id);
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
|
|
|
|
if (sc_asn1_encode_object_id(&oid_buf, &len, &oid))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Cannot encode OID \"%s\"", opt_application_id);
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
|
|
|
|
FILL_ATTR(data_templ[n_data_attr], CKA_OBJECT_ID, oid_buf, len);
|
2006-09-18 05:30:41 +00:00
|
|
|
n_data_attr++;
|
|
|
|
}
|
2007-06-21 09:37:18 +00:00
|
|
|
|
2006-09-18 05:30:41 +00:00
|
|
|
if (opt_object_label != NULL) {
|
2015-08-11 13:02:52 +00:00
|
|
|
FILL_ATTR(data_templ[n_data_attr], CKA_LABEL, opt_object_label, strlen(opt_object_label));
|
2006-09-18 05:30:41 +00:00
|
|
|
n_data_attr++;
|
|
|
|
}
|
2019-03-31 20:33:14 +00:00
|
|
|
break;
|
|
|
|
default:
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Writing of a \"%s\" type not (yet) supported", opt_object_class_str);
|
2019-03-31 20:33:14 +00:00
|
|
|
break;
|
|
|
|
}
|
2003-06-04 12:30:02 +00:00
|
|
|
|
2006-09-18 05:30:41 +00:00
|
|
|
if (n_data_attr) {
|
|
|
|
rv = p11->C_CreateObject(session, data_templ, n_data_attr, &data_obj);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_CreateObject", rv);
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2010-07-21 09:50:10 +00:00
|
|
|
printf("Created Data Object:\n");
|
2006-09-18 05:30:41 +00:00
|
|
|
show_dobj(session, data_obj);
|
|
|
|
}
|
2003-06-04 12:30:02 +00:00
|
|
|
if (n_cert_attr) {
|
|
|
|
rv = p11->C_CreateObject(session, cert_templ, n_cert_attr, &cert_obj);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_CreateObject", rv);
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2010-07-21 09:50:10 +00:00
|
|
|
printf("Created certificate:\n");
|
2003-06-04 12:30:02 +00:00
|
|
|
show_object(session, cert_obj);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (n_pubkey_attr) {
|
|
|
|
rv = p11->C_CreateObject(session, pubkey_templ, n_pubkey_attr, &pubkey_obj);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_CreateObject", rv);
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2010-07-21 09:50:10 +00:00
|
|
|
printf("Created public key:\n");
|
2003-06-04 12:30:02 +00:00
|
|
|
show_object(session, pubkey_obj);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (n_privkey_attr) {
|
|
|
|
rv = p11->C_CreateObject(session, privkey_templ, n_privkey_attr, &privkey_obj);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_CreateObject", rv);
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2010-07-21 09:50:10 +00:00
|
|
|
printf("Created private key:\n");
|
2003-06-04 12:30:02 +00:00
|
|
|
show_object(session, privkey_obj);
|
|
|
|
}
|
2003-07-24 11:29:08 +00:00
|
|
|
|
2019-03-31 20:33:14 +00:00
|
|
|
if (n_seckey_attr) {
|
|
|
|
rv = p11->C_CreateObject(session, seckey_templ, n_seckey_attr, &seckey_obj);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_CreateObject", rv);
|
|
|
|
|
|
|
|
printf("Created secret key:\n");
|
|
|
|
show_object(session, seckey_obj);
|
|
|
|
}
|
|
|
|
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
if (oid_buf)
|
|
|
|
free(oid_buf);
|
2003-07-24 11:29:08 +00:00
|
|
|
return 1;
|
2003-06-04 12:30:02 +00:00
|
|
|
}
|
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
static void set_id_attr(CK_SESSION_HANDLE session)
|
2003-06-27 12:02:39 +00:00
|
|
|
{
|
|
|
|
CK_OBJECT_HANDLE obj;
|
2003-08-05 17:28:29 +00:00
|
|
|
CK_ATTRIBUTE templ[] = {{CKA_ID, new_object_id, new_object_id_len}};
|
2003-06-27 12:02:39 +00:00
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
if (!find_object(session, opt_object_class, &obj, opt_object_id, opt_object_id_len, 0)) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "set_id(): couldn't find the object\n");
|
2003-06-27 12:02:39 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_SetAttributeValue(session, obj, templ, 1);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SetAttributeValue", rv);
|
|
|
|
|
|
|
|
printf("Result:");
|
|
|
|
show_object(session, obj);
|
|
|
|
}
|
|
|
|
|
2011-05-30 14:47:50 +00:00
|
|
|
static int find_slot_by_description(const char *label, CK_SLOT_ID_PTR result)
|
|
|
|
{
|
|
|
|
CK_SLOT_INFO info;
|
|
|
|
CK_ULONG n, len;
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
if (!p11_num_slots)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
len = strlen(label);
|
|
|
|
for (n = 0; n < p11_num_slots; n++) {
|
|
|
|
const char *slot_label;
|
|
|
|
|
|
|
|
rv = p11->C_GetSlotInfo(p11_slots[n], &info);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
continue;
|
|
|
|
slot_label = p11_utf8_to_local(info.slotDescription, sizeof(info.slotDescription));
|
|
|
|
if (!strncmp(label, slot_label, len)) {
|
|
|
|
*result = p11_slots[n];
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int find_slot_by_token_label(const char *label, CK_SLOT_ID_PTR result)
|
2003-05-15 11:32:21 +00:00
|
|
|
{
|
|
|
|
CK_TOKEN_INFO info;
|
|
|
|
CK_ULONG n, len;
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
if (!p11_num_slots)
|
2010-09-21 16:11:26 +00:00
|
|
|
return 0;
|
2003-05-15 11:32:21 +00:00
|
|
|
|
|
|
|
len = strlen(label);
|
|
|
|
for (n = 0; n < p11_num_slots; n++) {
|
|
|
|
const char *token_label;
|
|
|
|
|
2010-09-21 16:11:26 +00:00
|
|
|
rv = p11->C_GetTokenInfo(p11_slots[n], &info);
|
2003-05-15 11:32:21 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
continue;
|
|
|
|
token_label = p11_utf8_to_local(info.label, sizeof(info.label));
|
2010-09-21 16:11:26 +00:00
|
|
|
if (!strncmp(label, token_label, len)) {
|
|
|
|
*result = p11_slots[n];
|
|
|
|
return 1;
|
|
|
|
}
|
2003-05-15 11:32:21 +00:00
|
|
|
}
|
2010-09-21 16:11:26 +00:00
|
|
|
return 0;
|
2003-05-15 11:32:21 +00:00
|
|
|
}
|
|
|
|
|
2011-05-30 14:47:50 +00:00
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static int find_object(CK_SESSION_HANDLE sess, CK_OBJECT_CLASS cls,
|
2003-01-03 14:33:17 +00:00
|
|
|
CK_OBJECT_HANDLE_PTR ret,
|
2003-01-31 15:32:27 +00:00
|
|
|
const unsigned char *id, size_t id_len, int obj_index)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
CK_ATTRIBUTE attrs[2];
|
|
|
|
unsigned int nattrs = 0;
|
|
|
|
CK_ULONG count;
|
|
|
|
CK_RV rv;
|
2003-01-31 15:32:27 +00:00
|
|
|
int i;
|
2002-12-17 11:50:11 +00:00
|
|
|
|
|
|
|
attrs[0].type = CKA_CLASS;
|
|
|
|
attrs[0].pValue = &cls;
|
|
|
|
attrs[0].ulValueLen = sizeof(cls);
|
|
|
|
nattrs++;
|
|
|
|
if (id) {
|
2005-02-11 20:09:34 +00:00
|
|
|
attrs[nattrs].type = CKA_ID;
|
|
|
|
attrs[nattrs].pValue = (void *) id;
|
|
|
|
attrs[nattrs].ulValueLen = id_len;
|
|
|
|
nattrs++;
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_FindObjectsInit(sess, attrs, nattrs);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_FindObjectsInit", rv);
|
|
|
|
|
2003-01-31 15:32:27 +00:00
|
|
|
for (i = 0; i < obj_index; i++) {
|
|
|
|
rv = p11->C_FindObjects(sess, ret, 1, &count);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_FindObjects", rv);
|
|
|
|
if (count == 0)
|
|
|
|
goto done;
|
|
|
|
}
|
2002-12-17 11:50:11 +00:00
|
|
|
rv = p11->C_FindObjects(sess, ret, 1, &count);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_FindObjects", rv);
|
|
|
|
|
2003-05-16 16:33:42 +00:00
|
|
|
done: if (count == 0)
|
|
|
|
*ret = CK_INVALID_HANDLE;
|
2002-12-17 11:50:11 +00:00
|
|
|
p11->C_FindObjectsFinal(sess);
|
|
|
|
|
|
|
|
return count;
|
|
|
|
}
|
|
|
|
|
2007-06-21 13:38:16 +00:00
|
|
|
static CK_RV find_object_with_attributes(CK_SESSION_HANDLE session,
|
2010-09-21 16:11:31 +00:00
|
|
|
CK_OBJECT_HANDLE *out,
|
|
|
|
CK_ATTRIBUTE *attrs, CK_ULONG attrsLen,
|
2004-07-26 18:47:23 +00:00
|
|
|
CK_ULONG obj_index)
|
|
|
|
{
|
|
|
|
CK_ULONG count, ii;
|
|
|
|
CK_OBJECT_HANDLE ret;
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
if (!out || !attrs || !attrsLen)
|
|
|
|
return CKR_ARGUMENTS_BAD;
|
2010-09-21 16:11:31 +00:00
|
|
|
else
|
2004-07-26 18:47:23 +00:00
|
|
|
*out = CK_INVALID_HANDLE;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2004-07-26 18:47:23 +00:00
|
|
|
rv = p11->C_FindObjectsInit(session, attrs, attrsLen);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
return rv;
|
|
|
|
|
|
|
|
for (ii = 0; ii < obj_index; ii++) {
|
|
|
|
rv = p11->C_FindObjects(session, &ret, 1, &count);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
return rv;
|
|
|
|
else if (!count)
|
|
|
|
goto done;
|
|
|
|
}
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2004-07-26 18:47:23 +00:00
|
|
|
rv = p11->C_FindObjects(session, &ret, 1, &count);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
return rv;
|
|
|
|
else if (count)
|
|
|
|
*out = ret;
|
|
|
|
|
2012-04-02 22:00:56 +00:00
|
|
|
done:
|
2004-07-26 18:47:23 +00:00
|
|
|
p11->C_FindObjectsFinal(session);
|
|
|
|
return CKR_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2012-08-12 19:19:57 +00:00
|
|
|
static int
|
|
|
|
find_mechanism(CK_SLOT_ID slot, CK_FLAGS flags,
|
|
|
|
CK_MECHANISM_TYPE_PTR list, size_t list_len,
|
|
|
|
CK_MECHANISM_TYPE_PTR result)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
2010-09-21 16:11:26 +00:00
|
|
|
CK_MECHANISM_TYPE *mechs = NULL;
|
2004-01-07 09:32:58 +00:00
|
|
|
CK_ULONG count = 0;
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2004-01-07 09:32:58 +00:00
|
|
|
count = get_mechanisms(slot, &mechs, flags);
|
2012-08-12 19:19:57 +00:00
|
|
|
if (count) {
|
|
|
|
if (list && list_len) {
|
2018-04-15 07:37:43 +00:00
|
|
|
unsigned ii = list_len, jj;
|
2012-08-12 19:19:57 +00:00
|
|
|
|
|
|
|
for (jj=0; jj<count; jj++) {
|
|
|
|
for (ii=0; ii<list_len; ii++)
|
|
|
|
if (*(mechs + jj) == *(list + ii))
|
|
|
|
break;
|
|
|
|
if (ii<list_len)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (jj < count && ii < list_len)
|
|
|
|
*result = mechs[jj];
|
|
|
|
else
|
|
|
|
count = 0;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
*result = mechs[0];
|
|
|
|
}
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
2015-04-29 23:45:23 +00:00
|
|
|
free(mechs);
|
2012-08-12 19:19:57 +00:00
|
|
|
|
2010-09-21 16:11:26 +00:00
|
|
|
return count;
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-04-11 13:00:57 +00:00
|
|
|
static void list_objects(CK_SESSION_HANDLE sess, CK_OBJECT_CLASS object_class)
|
|
|
|
{
|
|
|
|
CK_OBJECT_HANDLE object;
|
|
|
|
CK_ULONG count;
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
rv = p11->C_FindObjectsInit(sess, NULL, 0);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_FindObjectsInit", rv);
|
|
|
|
|
|
|
|
while (1) {
|
|
|
|
rv = p11->C_FindObjects(sess, &object, 1, &count);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_FindObjects", rv);
|
|
|
|
if (count == 0)
|
|
|
|
break;
|
2011-04-19 09:18:12 +00:00
|
|
|
if ((int) object_class == -1 || object_class == getCLASS(sess, object))
|
2011-04-11 13:00:57 +00:00
|
|
|
show_object(sess, object);
|
|
|
|
}
|
|
|
|
p11->C_FindObjectsFinal(sess);
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void show_object(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
CK_OBJECT_CLASS cls = getCLASS(sess, obj);
|
|
|
|
|
|
|
|
switch (cls) {
|
|
|
|
case CKO_PUBLIC_KEY:
|
|
|
|
case CKO_PRIVATE_KEY:
|
2012-06-01 14:44:28 +00:00
|
|
|
case CKO_SECRET_KEY:
|
2010-12-17 23:02:03 +00:00
|
|
|
show_key(sess, obj);
|
2002-12-17 11:50:11 +00:00
|
|
|
break;
|
2003-01-27 13:33:28 +00:00
|
|
|
case CKO_CERTIFICATE:
|
|
|
|
show_cert(sess, obj);
|
|
|
|
break;
|
2004-07-26 18:47:23 +00:00
|
|
|
case CKO_DATA:
|
|
|
|
show_dobj(sess, obj);
|
|
|
|
break;
|
2002-12-17 11:50:11 +00:00
|
|
|
default:
|
|
|
|
printf("Object %u, type %u\n",
|
|
|
|
(unsigned int) obj,
|
|
|
|
(unsigned int) cls);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-06-01 14:44:28 +00:00
|
|
|
|
2016-08-07 11:08:19 +00:00
|
|
|
static CK_OBJECT_HANDLE
|
|
|
|
derive_ec_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key, CK_MECHANISM_TYPE mech_mech)
|
2012-06-01 14:44:28 +00:00
|
|
|
{
|
2018-08-22 17:26:33 +00:00
|
|
|
#if defined(ENABLE_OPENSSL) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDSA)
|
2012-06-01 14:44:28 +00:00
|
|
|
CK_MECHANISM mech;
|
|
|
|
CK_OBJECT_CLASS newkey_class= CKO_SECRET_KEY;
|
|
|
|
CK_KEY_TYPE newkey_type = CKK_GENERIC_SECRET;
|
|
|
|
CK_BBOOL true = TRUE;
|
|
|
|
CK_BBOOL false = FALSE;
|
|
|
|
CK_OBJECT_HANDLE newkey = 0;
|
2016-11-20 17:28:42 +00:00
|
|
|
CK_ATTRIBUTE newkey_template[20] = {
|
2012-06-01 14:44:28 +00:00
|
|
|
{CKA_TOKEN, &false, sizeof(false)}, /* session only object */
|
|
|
|
{CKA_CLASS, &newkey_class, sizeof(newkey_class)},
|
|
|
|
{CKA_KEY_TYPE, &newkey_type, sizeof(newkey_type)},
|
2016-11-20 17:28:42 +00:00
|
|
|
{CKA_SENSITIVE, &false, sizeof(false)},
|
|
|
|
{CKA_EXTRACTABLE, &true, sizeof(true)},
|
2012-06-01 14:44:28 +00:00
|
|
|
{CKA_ENCRYPT, &true, sizeof(true)},
|
2016-11-20 17:28:42 +00:00
|
|
|
{CKA_DECRYPT, &true, sizeof(true)},
|
|
|
|
{CKA_WRAP, &true, sizeof(true)},
|
|
|
|
{CKA_UNWRAP, &true, sizeof(true)}
|
2012-06-01 14:44:28 +00:00
|
|
|
};
|
2016-11-20 17:28:42 +00:00
|
|
|
int n_attrs = 9;
|
2016-05-30 04:06:52 +00:00
|
|
|
CK_ECDH1_DERIVE_PARAMS ecdh_parms;
|
2016-08-07 11:08:19 +00:00
|
|
|
CK_RV rv;
|
|
|
|
BIO *bio_in = NULL;
|
|
|
|
EC_KEY *eckey = NULL;
|
|
|
|
const EC_GROUP *ecgroup = NULL;
|
|
|
|
const EC_POINT *ecpoint = NULL;
|
2016-11-20 17:28:42 +00:00
|
|
|
unsigned char *buf = NULL;
|
2016-08-07 11:08:19 +00:00
|
|
|
size_t buf_size = 0;
|
2016-11-20 17:28:42 +00:00
|
|
|
CK_ULONG key_len = 0;
|
|
|
|
ASN1_OCTET_STRING *octet = NULL;
|
|
|
|
unsigned char * der = NULL;
|
|
|
|
unsigned char * derp = NULL;
|
|
|
|
size_t der_size = 0;
|
2016-08-07 11:08:19 +00:00
|
|
|
|
|
|
|
printf("Using derive algorithm 0x%8.8lx %s\n", opt_mechanism, p11_mechanism_to_name(mech_mech));
|
|
|
|
memset(&mech, 0, sizeof(mech));
|
|
|
|
mech.mechanism = mech_mech;
|
|
|
|
|
|
|
|
/* Use OpenSSL to read the other public key, and get the raw version */
|
|
|
|
bio_in = BIO_new(BIO_s_file());
|
|
|
|
if (BIO_read_filename(bio_in, opt_input) <= 0)
|
|
|
|
util_fatal("Cannot open %s: %m", opt_input);
|
|
|
|
|
|
|
|
eckey = d2i_EC_PUBKEY_bio(bio_in, NULL);
|
|
|
|
if (!eckey)
|
|
|
|
util_fatal("Cannot read EC key from %s", opt_input);
|
|
|
|
|
|
|
|
ecpoint = EC_KEY_get0_public_key(eckey);
|
|
|
|
ecgroup = EC_KEY_get0_group(eckey);
|
2016-11-20 17:28:42 +00:00
|
|
|
|
2016-08-07 11:08:19 +00:00
|
|
|
if (!ecpoint || !ecgroup)
|
|
|
|
util_fatal("Failed to parse other EC key from %s", opt_input);
|
|
|
|
|
2016-11-20 17:28:42 +00:00
|
|
|
/* both eckeys must be same curve */
|
|
|
|
key_len = (EC_GROUP_get_degree(ecgroup) + 7) / 8;
|
|
|
|
FILL_ATTR(newkey_template[n_attrs], CKA_VALUE_LEN, &key_len, sizeof(key_len));
|
|
|
|
n_attrs++;
|
|
|
|
|
2019-03-08 16:52:31 +00:00
|
|
|
if (opt_allowed_mechanisms_len > 0) {
|
|
|
|
FILL_ATTR(newkey_template[n_attrs],
|
|
|
|
CKA_ALLOWED_MECHANISMS, opt_allowed_mechanisms,
|
|
|
|
sizeof(CK_MECHANISM_TYPE) * opt_allowed_mechanisms_len);
|
|
|
|
n_attrs++;
|
|
|
|
}
|
|
|
|
|
2016-11-20 17:28:42 +00:00
|
|
|
buf_size = EC_POINT_point2oct(ecgroup, ecpoint, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
|
|
|
|
buf = (unsigned char *)malloc(buf_size);
|
|
|
|
if (buf == NULL)
|
|
|
|
util_fatal("malloc() failure\n");
|
|
|
|
buf_size = EC_POINT_point2oct(ecgroup, ecpoint, POINT_CONVERSION_UNCOMPRESSED, buf, buf_size, NULL);
|
|
|
|
|
|
|
|
if (opt_derive_pass_der) {
|
|
|
|
octet = ASN1_OCTET_STRING_new();
|
|
|
|
if (octet == NULL)
|
|
|
|
util_fatal("ASN1_OCTET_STRING_new failure\n");
|
|
|
|
ASN1_OCTET_STRING_set(octet, buf, buf_size);
|
|
|
|
der_size = i2d_ASN1_OCTET_STRING(octet, NULL);
|
|
|
|
derp = der = (unsigned char *) malloc(der_size);
|
|
|
|
if (der == NULL)
|
|
|
|
util_fatal("malloc() failure\n");
|
|
|
|
der_size = i2d_ASN1_OCTET_STRING(octet, &derp);
|
|
|
|
}
|
2016-08-07 11:08:19 +00:00
|
|
|
|
|
|
|
BIO_free(bio_in);
|
|
|
|
EC_KEY_free(eckey);
|
|
|
|
|
|
|
|
memset(&ecdh_parms, 0, sizeof(ecdh_parms));
|
|
|
|
ecdh_parms.kdf = CKD_NULL;
|
|
|
|
ecdh_parms.ulSharedDataLen = 0;
|
|
|
|
ecdh_parms.pSharedData = NULL;
|
2016-11-20 17:28:42 +00:00
|
|
|
if (opt_derive_pass_der) {
|
|
|
|
ecdh_parms.ulPublicDataLen = der_size;
|
|
|
|
ecdh_parms.pPublicData = der;
|
|
|
|
} else {
|
|
|
|
ecdh_parms.ulPublicDataLen = buf_size;
|
|
|
|
ecdh_parms.pPublicData = buf;
|
|
|
|
}
|
2016-08-07 11:08:19 +00:00
|
|
|
mech.pParameter = &ecdh_parms;
|
|
|
|
mech.ulParameterLen = sizeof(ecdh_parms);
|
|
|
|
|
2016-11-20 17:28:42 +00:00
|
|
|
rv = p11->C_DeriveKey(session, &mech, key, newkey_template, n_attrs, &newkey);
|
2016-08-07 11:08:19 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DeriveKey", rv);
|
|
|
|
|
2016-11-20 17:28:42 +00:00
|
|
|
if (der)
|
|
|
|
OPENSSL_free(der);
|
|
|
|
if (buf)
|
|
|
|
free(buf);
|
|
|
|
if (octet)
|
|
|
|
ASN1_OCTET_STRING_free(octet);
|
|
|
|
|
2016-08-07 11:08:19 +00:00
|
|
|
return newkey;
|
|
|
|
#else
|
|
|
|
util_fatal("Derive EC key not supported");
|
2016-10-14 12:34:41 +00:00
|
|
|
return 0;
|
2016-08-07 11:08:19 +00:00
|
|
|
#endif /* ENABLE_OPENSSL && !OPENSSL_NO_EC && !OPENSSL_NO_ECDSA */
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
derive_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key)
|
|
|
|
{
|
|
|
|
CK_BYTE *value = NULL;
|
|
|
|
CK_ULONG value_len = 0;
|
|
|
|
CK_OBJECT_HANDLE derived_key = 0;
|
|
|
|
int rv, fd;
|
|
|
|
|
2012-06-01 14:44:28 +00:00
|
|
|
if (!opt_mechanism_used)
|
2012-08-12 19:19:57 +00:00
|
|
|
if (!find_mechanism(slot, CKF_DERIVE|CKF_HW, NULL, 0, &opt_mechanism))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Derive mechanism not supported");
|
2012-06-01 14:44:28 +00:00
|
|
|
|
|
|
|
switch(opt_mechanism) {
|
|
|
|
case CKM_ECDH1_COFACTOR_DERIVE:
|
|
|
|
case CKM_ECDH1_DERIVE:
|
2016-08-07 11:08:19 +00:00
|
|
|
derived_key= derive_ec_key(session, key, opt_mechanism);
|
2012-06-01 14:44:28 +00:00
|
|
|
break;
|
|
|
|
default:
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("mechanism not supported for derive");
|
2012-06-01 14:44:28 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2016-08-07 11:08:19 +00:00
|
|
|
value = getVALUE(session, derived_key, &value_len);
|
2012-06-01 14:44:28 +00:00
|
|
|
if (value && value_len > 0) {
|
2016-08-07 11:08:19 +00:00
|
|
|
fd = STDOUT_FILENO;
|
|
|
|
if (opt_output) {
|
2012-06-01 14:44:28 +00:00
|
|
|
fd = open(opt_output, O_CREAT|O_TRUNC|O_WRONLY|O_BINARY, S_IRUSR|S_IWUSR);
|
|
|
|
if (fd < 0)
|
|
|
|
util_fatal("failed to open %s: %m", opt_output);
|
|
|
|
}
|
|
|
|
|
2016-08-07 11:08:19 +00:00
|
|
|
rv = write(fd, value, value_len);
|
|
|
|
if (rv < 0)
|
2012-06-01 14:44:28 +00:00
|
|
|
util_fatal("Failed to write to %s: %m", opt_output);
|
2016-08-07 11:08:19 +00:00
|
|
|
|
|
|
|
if (opt_output)
|
2012-06-01 14:44:28 +00:00
|
|
|
close(fd);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
show_key(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
2019-03-08 16:52:31 +00:00
|
|
|
CK_MECHANISM_TYPE_PTR mechs = NULL;
|
2002-12-17 11:50:11 +00:00
|
|
|
CK_KEY_TYPE key_type = getKEY_TYPE(sess, obj);
|
2010-12-17 23:02:03 +00:00
|
|
|
CK_ULONG size = 0;
|
2011-05-30 13:28:16 +00:00
|
|
|
unsigned char *id, *oid, *value;
|
2010-12-17 23:02:03 +00:00
|
|
|
const char *sepa;
|
2010-03-28 20:30:25 +00:00
|
|
|
char *label;
|
2012-06-01 14:44:28 +00:00
|
|
|
int pub = 1;
|
2016-06-23 16:18:55 +00:00
|
|
|
int sec = 0;
|
2010-12-17 23:02:03 +00:00
|
|
|
|
|
|
|
switch(getCLASS(sess, obj)) {
|
|
|
|
case CKO_PRIVATE_KEY:
|
|
|
|
printf("Private Key Object");
|
|
|
|
pub = 0;
|
|
|
|
break;
|
|
|
|
case CKO_PUBLIC_KEY:
|
|
|
|
printf("Public Key Object");
|
|
|
|
pub = 1;
|
|
|
|
break;
|
2012-06-01 14:44:28 +00:00
|
|
|
case CKO_SECRET_KEY:
|
|
|
|
printf("Secret Key Object");
|
|
|
|
sec = 1;
|
|
|
|
break;
|
2010-12-17 23:02:03 +00:00
|
|
|
default:
|
|
|
|
return;
|
|
|
|
}
|
2002-12-17 11:50:11 +00:00
|
|
|
|
|
|
|
switch (key_type) {
|
|
|
|
case CKK_RSA:
|
2004-12-09 08:23:57 +00:00
|
|
|
if (pub)
|
2006-05-01 10:02:50 +00:00
|
|
|
printf("; RSA %lu bits\n",
|
|
|
|
(unsigned long) getMODULUS_BITS(sess, obj));
|
2004-12-09 08:23:57 +00:00
|
|
|
else
|
2005-01-19 16:12:14 +00:00
|
|
|
printf("; RSA \n");
|
2002-12-17 11:50:11 +00:00
|
|
|
break;
|
2009-11-27 11:15:33 +00:00
|
|
|
case CKK_GOSTR3410:
|
2019-03-25 09:39:36 +00:00
|
|
|
case CKK_GOSTR3410_512:
|
|
|
|
oid = getGOSTR3411_PARAMS(sess, obj, &size);
|
|
|
|
if (oid) {
|
|
|
|
if (size == GOST_HASH2001_PARAMSET_OID.len && !memcmp(oid, GOST_HASH2001_PARAMSET_OID.value, size))
|
|
|
|
printf("; GOSTR3410\n");
|
|
|
|
else if (size == GOST_HASH2012_256_PARAMSET_OID.len && !memcmp(oid, GOST_HASH2012_256_PARAMSET_OID.value, size))
|
|
|
|
printf("; GOSTR3410-2012-256\n");
|
|
|
|
else if (size == GOST_HASH2012_512_PARAMSET_OID.len && !memcmp(oid, GOST_HASH2012_512_PARAMSET_OID.value, size))
|
|
|
|
printf("; GOSTR3410-2012-512\n");
|
|
|
|
else
|
|
|
|
printf("; unknown GOSTR3410 algorithm\n");
|
|
|
|
free(oid);
|
|
|
|
} else {
|
|
|
|
printf("; unknown GOSTR3410 algorithm\n");
|
|
|
|
}
|
|
|
|
|
2011-05-30 13:28:16 +00:00
|
|
|
oid = getGOSTR3410_PARAMS(sess, obj, &size);
|
|
|
|
if (oid) {
|
2009-11-27 11:15:33 +00:00
|
|
|
unsigned int n;
|
|
|
|
|
2011-05-30 13:28:16 +00:00
|
|
|
printf(" PARAMS OID: ");
|
2009-11-27 11:15:33 +00:00
|
|
|
for (n = 0; n < size; n++)
|
|
|
|
printf("%02x", oid[n]);
|
|
|
|
printf("\n");
|
|
|
|
free(oid);
|
|
|
|
}
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2011-05-30 13:28:16 +00:00
|
|
|
if (pub) {
|
|
|
|
value = getVALUE(sess, obj, &size);
|
|
|
|
if (value) {
|
|
|
|
unsigned int n;
|
|
|
|
|
|
|
|
printf(" VALUE: ");
|
|
|
|
for (n = 0; n < size; n++) {
|
|
|
|
if (n && (n%32)==0)
|
|
|
|
printf("\n ");
|
|
|
|
printf("%02x", value[n]);
|
|
|
|
}
|
|
|
|
printf("\n");
|
|
|
|
free(value);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
2009-11-27 11:15:33 +00:00
|
|
|
break;
|
2010-12-01 20:08:42 +00:00
|
|
|
case CKK_EC:
|
|
|
|
printf("; EC");
|
2012-04-02 22:00:56 +00:00
|
|
|
if (pub) {
|
2010-12-01 20:08:42 +00:00
|
|
|
unsigned char *bytes = NULL;
|
2010-12-17 23:02:03 +00:00
|
|
|
unsigned int n;
|
2010-12-01 20:08:42 +00:00
|
|
|
int ksize;
|
2014-02-02 19:58:40 +00:00
|
|
|
|
2010-12-01 20:08:42 +00:00
|
|
|
bytes = getEC_POINT(sess, obj, &size);
|
2012-04-02 22:00:56 +00:00
|
|
|
/*
|
|
|
|
* (We only support uncompressed for now)
|
2018-04-14 17:38:34 +00:00
|
|
|
* Uncompressed EC_POINT is DER OCTET STRING of "04||x||y"
|
2010-12-01 20:08:42 +00:00
|
|
|
* So a "256" bit key has x and y of 32 bytes each
|
|
|
|
* something like: "04 41 04||x||y"
|
|
|
|
* Do simple size calculation based on DER encoding
|
|
|
|
*/
|
2012-04-02 22:00:56 +00:00
|
|
|
if ((size - 2) <= 127)
|
2010-12-01 20:08:42 +00:00
|
|
|
ksize = (size - 3) * 4;
|
2012-04-02 22:00:56 +00:00
|
|
|
else if ((size - 3) <= 255)
|
2010-12-01 20:08:42 +00:00
|
|
|
ksize = (size - 4) * 4;
|
2012-04-02 22:00:56 +00:00
|
|
|
else
|
2010-12-01 20:08:42 +00:00
|
|
|
ksize = (size - 5) * 4;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2014-02-02 19:58:40 +00:00
|
|
|
printf(" EC_POINT %d bits\n", ksize);
|
2010-12-01 20:08:42 +00:00
|
|
|
if (bytes) {
|
2010-12-17 23:02:03 +00:00
|
|
|
if ((CK_LONG)size > 0) { /* Will print the point here */
|
2014-02-02 19:58:40 +00:00
|
|
|
printf(" EC_POINT: ");
|
2010-12-01 20:08:42 +00:00
|
|
|
for (n = 0; n < size; n++)
|
|
|
|
printf("%02x", bytes[n]);
|
|
|
|
printf("\n");
|
|
|
|
}
|
|
|
|
free(bytes);
|
|
|
|
}
|
|
|
|
bytes = NULL;
|
|
|
|
bytes = getEC_PARAMS(sess, obj, &size);
|
2012-04-02 22:00:56 +00:00
|
|
|
if (bytes){
|
2010-12-17 23:02:03 +00:00
|
|
|
if ((CK_LONG)size > 0) {
|
2010-12-01 20:08:42 +00:00
|
|
|
printf(" EC_PARAMS: ");
|
|
|
|
for (n = 0; n < size; n++)
|
|
|
|
printf("%02x", bytes[n]);
|
|
|
|
printf("\n");
|
|
|
|
}
|
|
|
|
free(bytes);
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
printf("\n");
|
|
|
|
break;
|
2012-06-01 14:44:28 +00:00
|
|
|
case CKK_GENERIC_SECRET:
|
2016-06-23 16:18:55 +00:00
|
|
|
case CKK_AES:
|
2016-08-18 07:29:18 +00:00
|
|
|
case CKK_DES:
|
|
|
|
case CKK_DES3:
|
2016-06-23 16:18:55 +00:00
|
|
|
if (key_type == CKK_AES)
|
|
|
|
printf("; AES");
|
2016-08-18 07:29:18 +00:00
|
|
|
else if (key_type == CKK_DES)
|
|
|
|
printf("; DES");
|
|
|
|
else if (key_type == CKK_DES3)
|
|
|
|
printf("; DES3");
|
2016-06-23 16:18:55 +00:00
|
|
|
else
|
|
|
|
printf("; Generic secret");
|
|
|
|
size = getVALUE_LEN(sess, obj);
|
|
|
|
if (size)
|
|
|
|
printf(" length %li", size);
|
|
|
|
size = 0;
|
|
|
|
printf("\n");
|
2012-06-01 14:44:28 +00:00
|
|
|
value = getVALUE(sess, obj, &size);
|
|
|
|
if (value) {
|
|
|
|
unsigned int n;
|
|
|
|
|
|
|
|
printf(" VALUE: ");
|
|
|
|
for (n = 0; n < size; n++) {
|
|
|
|
if (n && (n%32)==0)
|
|
|
|
printf("\n ");
|
|
|
|
printf("%02x", value[n]);
|
|
|
|
}
|
|
|
|
printf("\n");
|
|
|
|
free(value);
|
|
|
|
}
|
|
|
|
break;
|
2002-12-17 11:50:11 +00:00
|
|
|
default:
|
2006-05-01 10:02:50 +00:00
|
|
|
printf("; unknown key algorithm %lu\n",
|
|
|
|
(unsigned long) key_type);
|
2002-12-17 11:50:11 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((label = getLABEL(sess, obj, NULL)) != NULL) {
|
|
|
|
printf(" label: %s\n", label);
|
|
|
|
free(label);
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((id = getID(sess, obj, &size)) != NULL && size) {
|
|
|
|
unsigned int n;
|
|
|
|
|
2003-06-24 09:14:57 +00:00
|
|
|
printf(" ID: ");
|
2002-12-17 11:50:11 +00:00
|
|
|
for (n = 0; n < size; n++)
|
|
|
|
printf("%02x", id[n]);
|
|
|
|
printf("\n");
|
|
|
|
free(id);
|
|
|
|
}
|
2003-04-17 14:39:44 +00:00
|
|
|
|
|
|
|
printf(" Usage: ");
|
|
|
|
sepa = "";
|
2012-06-01 14:44:28 +00:00
|
|
|
if ((pub || sec) && getENCRYPT(sess, obj)) {
|
2003-04-17 14:39:44 +00:00
|
|
|
printf("%sencrypt", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
2012-06-01 14:44:28 +00:00
|
|
|
if ((!pub || sec) && getDECRYPT(sess, obj)) {
|
2003-04-17 14:39:44 +00:00
|
|
|
printf("%sdecrypt", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
2004-11-03 18:14:58 +00:00
|
|
|
if (!pub && getSIGN(sess, obj)) {
|
2003-04-17 14:39:44 +00:00
|
|
|
printf("%ssign", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
2012-09-24 09:48:33 +00:00
|
|
|
|
|
|
|
suppress_warn = 1;
|
2012-06-01 14:44:28 +00:00
|
|
|
if (!pub && getOPENSC_NON_REPUDIATION(sess, obj)) {
|
|
|
|
printf("%snon-repudiation", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
2012-09-24 09:48:33 +00:00
|
|
|
suppress_warn = 0;
|
|
|
|
|
2004-11-03 18:14:58 +00:00
|
|
|
if (pub && getVERIFY(sess, obj)) {
|
2003-04-17 14:39:44 +00:00
|
|
|
printf("%sverify", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
2012-06-01 14:44:28 +00:00
|
|
|
if ((pub || sec) && getWRAP(sess, obj)) {
|
2003-04-17 14:39:44 +00:00
|
|
|
printf("%swrap", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
2012-06-01 14:44:28 +00:00
|
|
|
if ((!pub || sec) && getUNWRAP(sess, obj)) {
|
2003-04-17 14:39:44 +00:00
|
|
|
printf("%sunwrap", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
2017-04-21 00:54:06 +00:00
|
|
|
if (getDERIVE(sess, obj)) {
|
2010-12-01 20:08:42 +00:00
|
|
|
printf("%sderive", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
2003-04-17 14:39:44 +00:00
|
|
|
if (!*sepa)
|
|
|
|
printf("none");
|
|
|
|
printf("\n");
|
2009-09-14 08:51:53 +00:00
|
|
|
|
2019-03-20 14:14:55 +00:00
|
|
|
printf(" Access: ");
|
|
|
|
sepa = "";
|
|
|
|
if (!pub && getALWAYS_AUTHENTICATE(sess, obj)) {
|
|
|
|
printf("%salways authenticate", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
|
|
|
if (!pub || sec) {
|
|
|
|
if (getSENSITIVE(sess, obj)) {
|
|
|
|
printf("%ssensitive", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
|
|
|
if (getALWAYS_SENSITIVE(sess, obj)) {
|
|
|
|
printf("%salways sensitive", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
|
|
|
if (getEXTRACTABLE(sess, obj)) {
|
|
|
|
printf("%sextractable", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
|
|
|
if (getNEVER_EXTRACTABLE(sess, obj)) {
|
|
|
|
printf("%snever extractable", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (getLOCAL(sess, obj)) {
|
|
|
|
printf("%slocal", sepa);
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
|
|
|
if (!*sepa)
|
|
|
|
printf("none");
|
|
|
|
printf("\n");
|
2019-03-08 16:52:31 +00:00
|
|
|
|
|
|
|
if (!pub) {
|
|
|
|
mechs = getALLOWED_MECHANISMS(sess, obj, &size);
|
|
|
|
if (mechs && size) {
|
|
|
|
unsigned int n;
|
|
|
|
|
|
|
|
printf(" Allowed mechanisms: ");
|
|
|
|
for (n = 0; n < size; n++) {
|
|
|
|
printf("%s%s", (n != 0 ? "," : ""),
|
|
|
|
p11_mechanism_to_name(mechs[n]));
|
|
|
|
}
|
|
|
|
printf("\n");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-09-24 09:48:33 +00:00
|
|
|
suppress_warn = 0;
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void show_cert(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
|
2003-01-27 13:33:28 +00:00
|
|
|
{
|
|
|
|
CK_CERTIFICATE_TYPE cert_type = getCERTIFICATE_TYPE(sess, obj);
|
|
|
|
CK_ULONG size;
|
|
|
|
unsigned char *id;
|
|
|
|
char *label;
|
2018-03-29 14:00:30 +00:00
|
|
|
#if defined(ENABLE_OPENSSL)
|
|
|
|
unsigned char *subject;
|
|
|
|
#endif /* ENABLE_OPENSSL */
|
2003-01-27 13:33:28 +00:00
|
|
|
|
2017-01-27 23:59:28 +00:00
|
|
|
printf("Certificate Object; type = ");
|
2003-01-27 13:33:28 +00:00
|
|
|
switch (cert_type) {
|
|
|
|
case CKC_X_509:
|
|
|
|
printf("X.509 cert\n");
|
|
|
|
break;
|
|
|
|
case CKC_X_509_ATTR_CERT:
|
|
|
|
printf("X.509 attribute cert\n");
|
|
|
|
break;
|
|
|
|
case CKC_VENDOR_DEFINED:
|
2017-01-27 23:59:28 +00:00
|
|
|
printf("vendor defined\n");
|
2003-01-27 13:33:28 +00:00
|
|
|
break;
|
|
|
|
default:
|
2017-01-27 23:59:28 +00:00
|
|
|
printf("unknown cert type\n");
|
2003-01-27 13:33:28 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((label = getLABEL(sess, obj, NULL)) != NULL) {
|
|
|
|
printf(" label: %s\n", label);
|
|
|
|
free(label);
|
|
|
|
}
|
|
|
|
|
2018-03-29 14:00:30 +00:00
|
|
|
#if defined(ENABLE_OPENSSL)
|
|
|
|
if ((subject = getSUBJECT(sess, obj, &size)) != NULL) {
|
|
|
|
X509_NAME *name;
|
|
|
|
const unsigned char *tmp = subject;
|
|
|
|
|
|
|
|
name = d2i_X509_NAME(NULL, &tmp, size);
|
|
|
|
if(name) {
|
|
|
|
BIO *bio = BIO_new(BIO_s_file());
|
|
|
|
BIO_set_fp(bio, stdout, BIO_NOCLOSE);
|
|
|
|
printf(" subject: DN: ");
|
|
|
|
X509_NAME_print(bio, name, XN_FLAG_RFC2253);
|
|
|
|
printf("\n");
|
|
|
|
BIO_free(bio);
|
|
|
|
}
|
|
|
|
free(subject);
|
|
|
|
}
|
|
|
|
#endif /* ENABLE_OPENSSL */
|
|
|
|
|
2003-01-27 13:33:28 +00:00
|
|
|
if ((id = getID(sess, obj, &size)) != NULL && size) {
|
|
|
|
unsigned int n;
|
|
|
|
|
|
|
|
printf(" ID: ");
|
|
|
|
for (n = 0; n < size; n++)
|
|
|
|
printf("%02x", id[n]);
|
|
|
|
printf("\n");
|
|
|
|
free(id);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void show_dobj(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
|
2004-07-26 18:47:23 +00:00
|
|
|
{
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
unsigned char *oid_buf;
|
|
|
|
char *label;
|
2005-02-06 10:06:21 +00:00
|
|
|
CK_ULONG size = 0;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2012-09-24 09:48:33 +00:00
|
|
|
suppress_warn = 1;
|
2004-07-26 18:47:23 +00:00
|
|
|
printf("Data object %u\n", (unsigned int) obj);
|
|
|
|
printf(" label: ");
|
|
|
|
if ((label = getLABEL(sess, obj, NULL)) != NULL) {
|
|
|
|
printf("'%s'\n", label);
|
|
|
|
free(label);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
printf("<empty>\n");
|
|
|
|
}
|
|
|
|
|
|
|
|
printf(" application: ");
|
|
|
|
if ((label = getAPPLICATION(sess, obj, NULL)) != NULL) {
|
|
|
|
printf("'%s'\n", label);
|
|
|
|
free(label);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
printf("<empty>\n");
|
|
|
|
}
|
|
|
|
|
|
|
|
printf(" app_id: ");
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
oid_buf = getOBJECT_ID(sess, obj, &size);
|
|
|
|
if (oid_buf != NULL && size) {
|
2004-07-26 18:47:23 +00:00
|
|
|
unsigned int n;
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
struct sc_object_id oid;
|
|
|
|
|
|
|
|
sc_init_oid(&oid);
|
|
|
|
sc_asn1_decode_object_id(oid_buf, size, &oid);
|
|
|
|
printf("%i", oid.value[0]);
|
|
|
|
if (oid.value[0] >= 0)
|
|
|
|
for (n = 1; (n < SC_MAX_OBJECT_ID_OCTETS) && (oid.value[n] >= 0); n++)
|
|
|
|
printf(".%i", oid.value[n]);
|
2004-07-26 18:47:23 +00:00
|
|
|
printf("\n");
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
|
|
|
|
free(oid_buf);
|
2004-07-26 18:47:23 +00:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
printf("<empty>\n");
|
|
|
|
}
|
|
|
|
|
|
|
|
printf(" flags: ");
|
2010-09-21 16:11:31 +00:00
|
|
|
if (getMODIFIABLE(sess, obj))
|
2004-07-26 18:47:23 +00:00
|
|
|
printf(" modifiable");
|
2010-09-21 16:11:31 +00:00
|
|
|
if (getPRIVATE(sess, obj))
|
2004-07-26 18:47:23 +00:00
|
|
|
printf(" private");
|
2012-09-24 09:48:33 +00:00
|
|
|
if (!getMODIFIABLE(sess, obj) && !getPRIVATE(sess, obj))
|
2016-06-10 09:46:25 +00:00
|
|
|
printf("<empty>");
|
2012-09-24 09:48:33 +00:00
|
|
|
|
2004-07-26 18:47:23 +00:00
|
|
|
printf ("\n");
|
2012-09-24 09:48:33 +00:00
|
|
|
suppress_warn = 0;
|
2004-07-26 18:47:23 +00:00
|
|
|
}
|
|
|
|
|
2012-08-12 19:19:57 +00:00
|
|
|
|
|
|
|
static void
|
|
|
|
get_token_info(CK_SLOT_ID slot, CK_TOKEN_INFO_PTR info)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
rv = p11->C_GetTokenInfo(slot, info);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_GetTokenInfo", rv);
|
|
|
|
}
|
|
|
|
|
2012-08-12 19:19:57 +00:00
|
|
|
|
|
|
|
static CK_ULONG
|
|
|
|
get_mechanisms(CK_SLOT_ID slot, CK_MECHANISM_TYPE_PTR *pList, CK_FLAGS flags)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
2009-11-27 11:15:33 +00:00
|
|
|
CK_ULONG m, n, ulCount = 0;
|
2004-01-07 09:32:58 +00:00
|
|
|
CK_RV rv;
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2004-01-07 09:32:58 +00:00
|
|
|
rv = p11->C_GetMechanismList(slot, *pList, &ulCount);
|
2017-06-16 09:29:20 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_GetMechanismList", rv);
|
|
|
|
|
2015-01-24 19:11:16 +00:00
|
|
|
*pList = calloc(ulCount, sizeof(**pList));
|
2002-12-17 11:50:11 +00:00
|
|
|
if (*pList == NULL)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("calloc failed: %m");
|
2002-12-17 11:50:11 +00:00
|
|
|
|
2004-01-07 09:32:58 +00:00
|
|
|
rv = p11->C_GetMechanismList(slot, *pList, &ulCount);
|
2002-12-17 11:50:11 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_GetMechanismList", rv);
|
2004-01-07 09:32:58 +00:00
|
|
|
|
2006-02-15 17:05:05 +00:00
|
|
|
if (flags != (CK_FLAGS)-1) {
|
2004-01-07 09:32:58 +00:00
|
|
|
CK_MECHANISM_TYPE *mechs = *pList;
|
|
|
|
CK_MECHANISM_INFO info;
|
|
|
|
|
|
|
|
for (m = n = 0; n < ulCount; n++) {
|
|
|
|
rv = p11->C_GetMechanismInfo(slot, mechs[n], &info);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
continue;
|
|
|
|
if ((info.flags & flags) == flags)
|
|
|
|
mechs[m++] = mechs[n];
|
|
|
|
}
|
|
|
|
ulCount = m;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ulCount;
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2019-01-14 09:05:37 +00:00
|
|
|
unsigned char *BIO_copy_data(BIO *out, long *data_lenp) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
unsigned char *data, *tdata;
|
2019-01-14 09:05:37 +00:00
|
|
|
long data_len;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
|
|
|
|
data_len = BIO_get_mem_data(out, &tdata);
|
|
|
|
data = malloc(data_len+1);
|
|
|
|
if (data) {
|
|
|
|
memcpy(data, tdata, data_len);
|
|
|
|
data[data_len]='\0'; // Make sure it's \0 terminated, in case used as string
|
|
|
|
if (data_lenp) {
|
|
|
|
*data_lenp = data_len;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
util_fatal("malloc failed");
|
|
|
|
}
|
|
|
|
return data;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2004-07-26 18:47:23 +00:00
|
|
|
/*
|
|
|
|
* Read object CKA_VALUE attribute's value.
|
|
|
|
*/
|
2011-06-01 18:51:26 +00:00
|
|
|
static int read_object(CK_SESSION_HANDLE session)
|
2004-07-26 18:47:23 +00:00
|
|
|
{
|
|
|
|
CK_RV rv;
|
|
|
|
CK_ATTRIBUTE attrs[20];
|
|
|
|
CK_OBJECT_CLASS clazz = opt_object_class;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
|
|
|
CK_KEY_TYPE type = CKK_RSA;
|
|
|
|
#endif
|
2004-07-26 18:47:23 +00:00
|
|
|
CK_OBJECT_HANDLE obj = CK_INVALID_HANDLE;
|
|
|
|
int nn_attrs = 0;
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
unsigned char *value = NULL, *oid_buf = NULL;
|
2010-12-17 23:02:03 +00:00
|
|
|
CK_ULONG len = 0;
|
2004-07-26 18:47:23 +00:00
|
|
|
FILE *out;
|
|
|
|
struct sc_object_id oid;
|
2012-08-15 17:59:09 +00:00
|
|
|
unsigned char subject[0x400], issuer[0x400];
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2004-07-26 18:47:23 +00:00
|
|
|
if (opt_object_class_str != NULL) {
|
2010-09-21 16:11:31 +00:00
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_CLASS,
|
2004-07-26 18:47:23 +00:00
|
|
|
&clazz, sizeof(clazz));
|
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_object_id_len != 0) {
|
2010-09-21 16:11:31 +00:00
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_ID,
|
2004-07-26 18:47:23 +00:00
|
|
|
opt_object_id, opt_object_id_len);
|
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_object_label != NULL) {
|
2010-09-21 16:11:31 +00:00
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_LABEL,
|
2004-07-26 18:47:23 +00:00
|
|
|
opt_object_label, strlen(opt_object_label));
|
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
2007-06-21 09:37:18 +00:00
|
|
|
if (opt_application_label != NULL) {
|
2010-09-21 16:11:31 +00:00
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_APPLICATION,
|
2007-06-21 09:37:18 +00:00
|
|
|
opt_application_label, strlen(opt_application_label));
|
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
2004-07-26 18:47:23 +00:00
|
|
|
if (opt_application_id != NULL) {
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
size_t oid_buf_len;
|
|
|
|
|
|
|
|
if (sc_format_oid(&oid, opt_application_id))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Invalid OID \"%s\"", opt_application_id);
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
|
|
|
|
if (sc_asn1_encode_object_id(&oid_buf, &oid_buf_len, &oid))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Cannot encode OID \"%s\"", opt_application_id);
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
|
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_OBJECT_ID, oid_buf, oid_buf_len);
|
2004-07-26 18:47:23 +00:00
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
2012-08-15 17:59:09 +00:00
|
|
|
if (opt_issuer != NULL) {
|
|
|
|
size_t sz = sizeof(issuer);
|
|
|
|
|
|
|
|
if (sc_hex_to_bin(opt_issuer, issuer, &sz))
|
|
|
|
util_fatal("Invalid 'issuer' hexadecimal value");
|
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_ISSUER, issuer, sz);
|
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_subject != NULL) {
|
|
|
|
size_t sz = sizeof(subject);
|
|
|
|
|
|
|
|
if (sc_hex_to_bin(opt_subject, subject, &sz))
|
|
|
|
util_fatal("Invalid 'subject' hexadecimal value");
|
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_SUBJECT, subject, sz);
|
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
2004-07-26 18:47:23 +00:00
|
|
|
rv = find_object_with_attributes(session, &obj, attrs, nn_attrs, 0);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("find_object_with_attributes()", rv);
|
2010-09-21 16:11:31 +00:00
|
|
|
else if (obj==CK_INVALID_HANDLE)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("object not found");
|
2004-07-26 18:47:23 +00:00
|
|
|
|
2010-12-01 20:08:42 +00:00
|
|
|
/* TODO: -DEE should look at object class, and get appropriate values
|
2012-04-02 22:00:56 +00:00
|
|
|
* based on the object, and other attributes. For example EC keys do
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
* not have a VALUE But have a EC_POINT. DvO: done for RSA and EC public keys.
|
2010-12-01 20:08:42 +00:00
|
|
|
*/
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (clazz == CKO_PRIVATE_KEY) {
|
|
|
|
fprintf(stderr, "sorry, reading private keys not (yet) supported\n");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (clazz == CKO_PUBLIC_KEY) {
|
|
|
|
#ifdef ENABLE_OPENSSL
|
2019-01-14 09:05:37 +00:00
|
|
|
long derlen;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
BIO *pout = BIO_new(BIO_s_mem());
|
|
|
|
if (!pout)
|
|
|
|
util_fatal("out of memory");
|
|
|
|
|
|
|
|
type = getKEY_TYPE(session, obj);
|
|
|
|
if (type == CKK_RSA) {
|
|
|
|
RSA *rsa;
|
2016-01-06 14:40:59 +00:00
|
|
|
BIGNUM *rsa_n = NULL;
|
|
|
|
BIGNUM *rsa_e = NULL;
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
|
|
|
|
rsa = RSA_new();
|
|
|
|
if (rsa == NULL)
|
|
|
|
util_fatal("out of memory");
|
|
|
|
|
|
|
|
if ((value = getMODULUS(session, obj, &len))) {
|
2016-01-06 14:40:59 +00:00
|
|
|
if (!(rsa_n = BN_bin2bn(value, len, NULL)))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("cannot parse MODULUS");
|
|
|
|
free(value);
|
|
|
|
} else
|
|
|
|
util_fatal("cannot obtain MODULUS");
|
|
|
|
|
|
|
|
if ((value = getPUBLIC_EXPONENT(session, obj, &len))) {
|
2016-01-06 14:40:59 +00:00
|
|
|
if (!(rsa_e = BN_bin2bn(value, len, NULL)))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("cannot parse PUBLIC_EXPONENT");
|
|
|
|
free(value);
|
|
|
|
} else
|
|
|
|
util_fatal("cannot obtain PUBLIC_EXPONENT");
|
|
|
|
|
2016-01-06 14:40:59 +00:00
|
|
|
if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) != 1)
|
|
|
|
util_fatal("cannot set RSA values");
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (!i2d_RSA_PUBKEY_bio(pout, rsa))
|
|
|
|
util_fatal("cannot convert RSA public key to DER");
|
|
|
|
RSA_free(rsa);
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_EC)
|
|
|
|
} else if (type == CKK_EC) {
|
|
|
|
EC_KEY *ec;
|
|
|
|
CK_BYTE *params;
|
|
|
|
const unsigned char *a;
|
|
|
|
ASN1_OCTET_STRING *os;
|
|
|
|
EC_KEY *success = NULL;
|
|
|
|
|
|
|
|
ec = EC_KEY_new();
|
|
|
|
if (ec == NULL)
|
|
|
|
util_fatal("out of memory");
|
|
|
|
|
|
|
|
if ((params = getEC_PARAMS(session, obj, &len))) {
|
|
|
|
const unsigned char *a = params;
|
|
|
|
if (!d2i_ECParameters(&ec, &a, (long)len))
|
|
|
|
util_fatal("cannot parse EC_PARAMS");
|
|
|
|
OPENSSL_free(params);
|
|
|
|
} else
|
|
|
|
util_fatal("cannot obtain EC_PARAMS");
|
|
|
|
|
|
|
|
value = getEC_POINT(session, obj, &len);
|
|
|
|
/* PKCS#11-compliant modules should return ASN1_OCTET_STRING */
|
|
|
|
a = value;
|
|
|
|
os = d2i_ASN1_OCTET_STRING(NULL, &a, (long)len);
|
|
|
|
if (os) {
|
|
|
|
a = os->data;
|
|
|
|
success = o2i_ECPublicKey(&ec, &a, os->length);
|
|
|
|
ASN1_STRING_free(os);
|
|
|
|
}
|
|
|
|
if (!success) { /* Workaround for broken PKCS#11 modules */
|
|
|
|
a = value;
|
|
|
|
success = o2i_ECPublicKey(&ec, &a, len);
|
|
|
|
}
|
|
|
|
free(value);
|
|
|
|
if (!success)
|
|
|
|
util_fatal("cannot obtain and parse EC_POINT");
|
|
|
|
if (!i2d_EC_PUBKEY_bio(pout, ec))
|
|
|
|
util_fatal("cannot convert EC public key to DER");
|
|
|
|
EC_KEY_free(ec);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
else
|
|
|
|
util_fatal("Reading public keys of type 0x%X not (yet) supported", type);
|
|
|
|
value = BIO_copy_data(pout, &derlen);
|
|
|
|
BIO_free(pout);
|
|
|
|
len = derlen;
|
|
|
|
#else
|
|
|
|
util_fatal("No OpenSSL support, cannot read public key");
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
else
|
|
|
|
value = getVALUE(session, obj, &len);
|
2004-12-09 08:23:57 +00:00
|
|
|
if (value == NULL)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("get CKA_VALUE failed");
|
2004-07-26 18:47:23 +00:00
|
|
|
|
|
|
|
if (opt_output) {
|
|
|
|
out = fopen(opt_output, "wb");
|
|
|
|
if (out==NULL)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("cannot open '%s'", opt_output);
|
2004-07-26 18:47:23 +00:00
|
|
|
}
|
|
|
|
else
|
|
|
|
out = stdout;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2004-07-26 18:47:23 +00:00
|
|
|
if (fwrite(value, 1, len, out) != len)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("cannot write to '%s'", opt_output);
|
2004-07-26 18:47:23 +00:00
|
|
|
if (opt_output)
|
|
|
|
fclose(out);
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
|
2016-10-10 20:21:46 +00:00
|
|
|
free(value);
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
if (oid_buf)
|
|
|
|
free(oid_buf);
|
2012-04-02 22:00:56 +00:00
|
|
|
return 1;
|
2004-07-26 18:47:23 +00:00
|
|
|
}
|
|
|
|
|
2007-06-21 09:37:18 +00:00
|
|
|
/*
|
|
|
|
* Delete object.
|
|
|
|
*/
|
2011-06-01 18:51:26 +00:00
|
|
|
static int delete_object(CK_SESSION_HANDLE session)
|
2007-06-21 09:37:18 +00:00
|
|
|
{
|
|
|
|
CK_RV rv;
|
|
|
|
CK_ATTRIBUTE attrs[20];
|
|
|
|
CK_OBJECT_CLASS clazz = opt_object_class;
|
|
|
|
CK_OBJECT_HANDLE obj = CK_INVALID_HANDLE;
|
|
|
|
int nn_attrs = 0;
|
|
|
|
struct sc_object_id oid;
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
unsigned char *oid_buf = NULL;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2007-06-21 09:37:18 +00:00
|
|
|
if (opt_object_class_str != NULL) {
|
2010-09-21 16:11:31 +00:00
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_CLASS,
|
2007-06-21 09:37:18 +00:00
|
|
|
&clazz, sizeof(clazz));
|
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_object_id_len != 0) {
|
2010-09-21 16:11:31 +00:00
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_ID,
|
2007-06-21 09:37:18 +00:00
|
|
|
opt_object_id, opt_object_id_len);
|
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_object_label != NULL) {
|
2010-09-21 16:11:31 +00:00
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_LABEL,
|
2007-06-21 09:37:18 +00:00
|
|
|
opt_object_label, strlen(opt_object_label));
|
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_application_label != NULL) {
|
2010-09-21 16:11:31 +00:00
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_APPLICATION,
|
2007-06-21 09:37:18 +00:00
|
|
|
opt_application_label, strlen(opt_application_label));
|
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt_application_id != NULL) {
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
size_t oid_buf_len;
|
|
|
|
|
|
|
|
if (sc_format_oid(&oid, opt_application_id))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Invalid OID '%s'", opt_application_id);
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
|
|
|
|
if (sc_asn1_encode_object_id(&oid_buf, &oid_buf_len, &oid))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Cannot encode OID \"%s\"", opt_application_id);
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
|
|
|
|
FILL_ATTR(attrs[nn_attrs], CKA_OBJECT_ID, oid_buf, oid_buf_len);
|
2007-06-21 09:37:18 +00:00
|
|
|
nn_attrs++;
|
|
|
|
}
|
|
|
|
|
2019-03-31 21:33:41 +00:00
|
|
|
rv = find_object_with_attributes(session, &obj, attrs, nn_attrs, opt_object_index);
|
2007-06-21 09:37:18 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("find_object_with_attributes()", rv);
|
2010-09-21 16:11:31 +00:00
|
|
|
else if (obj==CK_INVALID_HANDLE)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("object not found");
|
2007-06-21 09:37:18 +00:00
|
|
|
rv = p11->C_DestroyObject(session, obj);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DestroyObject()", rv);
|
|
|
|
|
libopensc: 'init', 'format', 'compare', 'is-valid' OID procedures
In a reason of number of bugs(*) that concern the OID management,
the general usage OID procedures 'init', 'format', 'compare', 'is-valid' are introduced.
These procedures should be used by all actors: libopensc, pkcs15, pkcs11, tools, ....
(*)
This bug reported by Andreas Schwier :
https://github.com/OpenSC/OpenSC/commit/8e75d971cb7eadfef9b5b50adb3cb6d18e641ed2#commitcomment-1792477
In pkcs15-algo sc_asn1_get_algorithm_info() can return the OID without ending '-1's:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L452
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/pkcs15-algo.c#L459
2012-09-01 22:12:57 +00:00
|
|
|
if (oid_buf)
|
|
|
|
free(oid_buf);
|
|
|
|
|
2007-06-21 09:37:18 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2004-12-09 08:23:57 +00:00
|
|
|
static CK_ULONG get_private_key_length(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE prkey)
|
|
|
|
{
|
|
|
|
unsigned char *id;
|
|
|
|
CK_ULONG idLen;
|
|
|
|
CK_OBJECT_HANDLE pubkey;
|
|
|
|
|
|
|
|
id = NULL;
|
|
|
|
id = getID(sess, prkey, &idLen);
|
|
|
|
if (id == NULL) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "private key has no ID, can't lookup the corresponding pubkey\n");
|
2004-12-09 08:23:57 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!find_object(sess, CKO_PUBLIC_KEY, &pubkey, id, idLen, 0)) {
|
|
|
|
free(id);
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "couldn't find the corresponding pubkey\n");
|
2004-12-09 08:23:57 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
free(id);
|
|
|
|
|
2010-09-21 16:11:31 +00:00
|
|
|
return getMODULUS_BITS(sess, pubkey);
|
2004-12-09 08:23:57 +00:00
|
|
|
}
|
2004-07-26 18:47:23 +00:00
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
static int test_digest(CK_SESSION_HANDLE session)
|
2003-01-03 14:33:17 +00:00
|
|
|
{
|
|
|
|
int errors = 0;
|
|
|
|
CK_RV rv;
|
|
|
|
CK_MECHANISM ck_mech = { CKM_MD5, NULL, 0 };
|
|
|
|
CK_ULONG i, j;
|
|
|
|
unsigned char data[100];
|
|
|
|
unsigned char hash1[64], hash2[64];
|
|
|
|
CK_ULONG hashLen1, hashLen2;
|
|
|
|
CK_MECHANISM_TYPE firstMechType;
|
2011-06-01 18:51:26 +00:00
|
|
|
CK_SESSION_INFO sessionInfo;
|
2003-01-03 14:33:17 +00:00
|
|
|
|
|
|
|
CK_MECHANISM_TYPE mechTypes[] = {
|
|
|
|
CKM_MD5,
|
|
|
|
CKM_SHA_1,
|
|
|
|
CKM_RIPEMD160,
|
2003-01-14 19:55:45 +00:00
|
|
|
0xffffff
|
2003-01-03 14:33:17 +00:00
|
|
|
};
|
|
|
|
unsigned char *digests[] = {
|
2003-01-14 19:55:45 +00:00
|
|
|
(unsigned char *) "\x7a\x08\xb0\x7e\x84\x64\x17\x03\xe5\xf2\xc8\x36\xaa\x59\xa1\x70",
|
|
|
|
(unsigned char *) "\x29\xb0\xe7\x87\x82\x71\x64\x5f\xff\xb7\xee\xc7\xdb\x4a\x74\x73\xa1\xc0\x0b\xc1",
|
|
|
|
(unsigned char *) "\xda\x79\xa5\x8f\xb8\x83\x3d\x61\xf6\x32\x16\x17\xe3\xfd\xf0\x56\x26\x5f\xb7\xcd"
|
2003-01-03 14:33:17 +00:00
|
|
|
};
|
|
|
|
CK_ULONG digestLens[] = {
|
|
|
|
16,
|
|
|
|
20,
|
|
|
|
20
|
|
|
|
};
|
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
rv = p11->C_GetSessionInfo(session, &sessionInfo);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_OpenSession", rv);
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2012-08-12 19:19:57 +00:00
|
|
|
if (!find_mechanism(sessionInfo.slotID, CKF_DIGEST, NULL, 0, &firstMechType)) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Digests: not implemented\n");
|
2003-01-03 14:33:17 +00:00
|
|
|
return errors;
|
2012-08-12 19:19:57 +00:00
|
|
|
}
|
|
|
|
else {
|
2003-01-03 14:33:17 +00:00
|
|
|
printf("Digests:\n");
|
2012-08-12 19:19:57 +00:00
|
|
|
}
|
2003-01-03 14:33:17 +00:00
|
|
|
|
|
|
|
/* 1st test */
|
2016-06-03 23:02:01 +00:00
|
|
|
pseudo_randomize(data, sizeof(data));
|
2003-01-03 14:33:17 +00:00
|
|
|
|
|
|
|
ck_mech.mechanism = firstMechType;
|
|
|
|
rv = p11->C_DigestInit(session, &ck_mech);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestInit", rv);
|
|
|
|
|
|
|
|
rv = p11->C_DigestUpdate(session, data, 5);
|
|
|
|
if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
|
|
|
|
printf(" Note: C_DigestUpdate(), DigestFinal() not supported\n");
|
|
|
|
/* finish the digest operation */
|
|
|
|
hashLen2 = sizeof(hash2);
|
|
|
|
rv = p11->C_Digest(session, data, sizeof(data), hash2,
|
|
|
|
&hashLen2);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Digest", rv);
|
|
|
|
} else {
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestUpdate", rv);
|
|
|
|
|
|
|
|
rv = p11->C_DigestUpdate(session, data + 5, 50);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestUpdate", rv);
|
|
|
|
|
|
|
|
rv = p11->C_DigestUpdate(session, data + 55,
|
|
|
|
sizeof(data) - 55);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestUpdate", rv);
|
|
|
|
|
|
|
|
hashLen1 = sizeof(hash1);
|
|
|
|
rv = p11->C_DigestFinal(session, hash1, &hashLen1);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestFinal", rv);
|
|
|
|
|
|
|
|
rv = p11->C_DigestInit(session, &ck_mech);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestInit", rv);
|
|
|
|
|
|
|
|
hashLen2 = sizeof(hash2);
|
|
|
|
rv = p11->C_Digest(session, data, sizeof(data), hash2,
|
|
|
|
&hashLen2);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Digest", rv);
|
|
|
|
|
|
|
|
if (hashLen1 != hashLen2) {
|
|
|
|
errors++;
|
|
|
|
printf(" ERR: digest lengths returned by C_DigestFinal() different from C_Digest()\n");
|
|
|
|
} else if (memcmp(hash1, hash2, hashLen1) != 0) {
|
|
|
|
errors++;
|
|
|
|
printf(" ERR: digests returned by C_DigestFinal() different from C_Digest()\n");
|
|
|
|
} else
|
|
|
|
printf(" all 4 digest functions seem to work\n");
|
|
|
|
}
|
|
|
|
|
|
|
|
/* 2nd test */
|
|
|
|
|
|
|
|
/* input = "01234567890123456...456789" */
|
|
|
|
for (i = 0; i < 10; i++)
|
|
|
|
for (j = 0; j < 10; j++)
|
|
|
|
data[10 * i + j] = (unsigned char) (0x30 + j);
|
|
|
|
|
|
|
|
|
2003-01-19 17:47:07 +00:00
|
|
|
for (i = 0; mechTypes[i] != 0xffffff; i++) {
|
2003-01-03 14:33:17 +00:00
|
|
|
ck_mech.mechanism = mechTypes[i];
|
|
|
|
|
|
|
|
rv = p11->C_DigestInit(session, &ck_mech);
|
2003-01-21 15:29:17 +00:00
|
|
|
if (rv == CKR_MECHANISM_INVALID)
|
2003-01-03 14:33:17 +00:00
|
|
|
continue; /* mechanism not implemented, don't test */
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestInit", rv);
|
|
|
|
|
|
|
|
printf(" %s: ", p11_mechanism_to_name(mechTypes[i]));
|
|
|
|
|
|
|
|
hashLen1 = sizeof(hash1);
|
|
|
|
rv = p11->C_Digest(session, data, sizeof(data), hash1,
|
|
|
|
&hashLen1);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Digest", rv);
|
|
|
|
|
|
|
|
if (hashLen1 != digestLens[i]) {
|
|
|
|
errors++;
|
|
|
|
printf("ERR: wrong digest length: %ld instead of %ld\n",
|
|
|
|
hashLen1, digestLens[i]);
|
|
|
|
} else if (memcmp(hash1, digests[i], hashLen1) != 0) {
|
|
|
|
errors++;
|
|
|
|
printf("ERR: wrong digest value\n");
|
|
|
|
} else
|
|
|
|
printf("OK\n");
|
|
|
|
}
|
|
|
|
|
|
|
|
/* 3rd test */
|
|
|
|
|
|
|
|
ck_mech.mechanism = firstMechType;
|
|
|
|
rv = p11->C_DigestInit(session, &ck_mech);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DigestInit", rv);
|
|
|
|
|
|
|
|
hashLen2 = 1; /* too short */
|
|
|
|
rv = p11->C_Digest(session, data, sizeof(data), hash2, &hashLen2);
|
|
|
|
if (rv != CKR_BUFFER_TOO_SMALL) {
|
|
|
|
errors++;
|
|
|
|
printf(" ERR: C_Digest() didn't return CKR_BUFFER_TOO_SMALL but %s (0x%0x)\n", CKR2Str(rv), (int) rv);
|
|
|
|
}
|
|
|
|
/* output buffer = NULL */
|
|
|
|
rv = p11->C_Digest(session, data, sizeof(data), NULL, &hashLen2);
|
|
|
|
if (rv != CKR_OK) {
|
|
|
|
errors++;
|
|
|
|
printf(" ERR: C_Digest() didn't return CKR_OK for a NULL output buffer, but %s (0x%0x)\n", CKR2Str(rv), (int) rv);
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_Digest(session, data, sizeof(data), hash2, &hashLen2);
|
|
|
|
if (rv == CKR_OPERATION_NOT_INITIALIZED) {
|
|
|
|
printf(" ERR: digest operation ended prematurely\n");
|
|
|
|
errors++;
|
|
|
|
} else if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Sign", rv);
|
|
|
|
|
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2005-02-04 22:33:51 +00:00
|
|
|
static EVP_PKEY *get_public_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE privKeyObject)
|
2003-04-17 14:39:44 +00:00
|
|
|
{
|
2010-11-28 18:09:30 +00:00
|
|
|
CK_BYTE *id, *mod, *exp;
|
2010-12-18 00:44:12 +00:00
|
|
|
CK_ULONG idLen = 0, modLen = 0, expLen = 0;
|
2003-04-17 14:39:44 +00:00
|
|
|
CK_OBJECT_HANDLE pubkeyObject;
|
2007-06-24 21:03:30 +00:00
|
|
|
unsigned char *pubkey;
|
|
|
|
const unsigned char *pubkey_c;
|
2003-04-17 14:39:44 +00:00
|
|
|
CK_ULONG pubkeyLen;
|
|
|
|
EVP_PKEY *pkey;
|
2010-11-28 18:09:30 +00:00
|
|
|
RSA *rsa;
|
2016-01-06 14:40:59 +00:00
|
|
|
BIGNUM *rsa_n, *rsa_e;
|
2003-04-17 14:39:44 +00:00
|
|
|
|
|
|
|
id = NULL;
|
|
|
|
id = getID(session, privKeyObject, &idLen);
|
|
|
|
if (id == NULL) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "private key has no ID, can't lookup the corresponding pubkey for verification\n");
|
2003-04-17 14:39:44 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!find_object(session, CKO_PUBLIC_KEY, &pubkeyObject, id, idLen, 0)) {
|
|
|
|
free(id);
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "couldn't find the corresponding pubkey for validation\n");
|
2003-04-17 14:39:44 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
free(id);
|
|
|
|
|
2010-11-28 18:09:30 +00:00
|
|
|
switch(getKEY_TYPE(session, pubkeyObject)) {
|
|
|
|
case CKK_RSA:
|
|
|
|
pkey = EVP_PKEY_new();
|
|
|
|
rsa = RSA_new();
|
|
|
|
mod = getMODULUS(session, pubkeyObject, &modLen);
|
|
|
|
exp = getPUBLIC_EXPONENT(session, pubkeyObject, &expLen);
|
|
|
|
if ( !pkey || !rsa || !mod || !exp) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "public key not extractable\n");
|
2010-11-28 18:09:30 +00:00
|
|
|
if (pkey)
|
2015-04-29 22:07:11 +00:00
|
|
|
EVP_PKEY_free(pkey);
|
2010-11-28 18:09:30 +00:00
|
|
|
if (rsa)
|
2015-04-29 22:07:11 +00:00
|
|
|
RSA_free(rsa);
|
2010-11-28 18:09:30 +00:00
|
|
|
if (mod)
|
|
|
|
free(mod);
|
|
|
|
if (exp)
|
|
|
|
free(exp);
|
|
|
|
return NULL;
|
|
|
|
}
|
2016-01-06 14:40:59 +00:00
|
|
|
rsa_n = BN_bin2bn(mod, modLen, NULL);
|
|
|
|
rsa_e = BN_bin2bn(exp, expLen, NULL);
|
|
|
|
if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) != 1)
|
|
|
|
return NULL;
|
|
|
|
|
2010-11-28 18:09:30 +00:00
|
|
|
EVP_PKEY_assign_RSA(pkey, rsa);
|
|
|
|
free(mod);
|
|
|
|
free(exp);
|
|
|
|
return pkey;
|
|
|
|
case CKK_DSA:
|
|
|
|
case CKK_ECDSA:
|
|
|
|
case CKK_GOSTR3410:
|
|
|
|
break;
|
|
|
|
default:
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "public key of unsupported type\n");
|
2010-11-28 18:09:30 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2003-04-17 14:39:44 +00:00
|
|
|
pubkey = getVALUE(session, pubkeyObject, &pubkeyLen);
|
|
|
|
if (pubkey == NULL) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "couldn't get the pubkey VALUE attribute, no validation done\n");
|
2003-04-17 14:39:44 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2007-06-24 21:03:30 +00:00
|
|
|
pubkey_c = pubkey;
|
|
|
|
pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &pubkey_c, pubkeyLen);
|
|
|
|
free(pubkey);
|
2003-04-17 14:39:44 +00:00
|
|
|
|
2003-04-25 10:03:09 +00:00
|
|
|
if (pkey == NULL) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "couldn't parse pubkey, no verification done\n");
|
2003-04-17 14:39:44 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
return pkey;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
static int sign_verify_openssl(CK_SESSION_HANDLE session,
|
2003-01-31 15:32:27 +00:00
|
|
|
CK_MECHANISM *ck_mech, CK_OBJECT_HANDLE privKeyObject,
|
|
|
|
unsigned char *data, CK_ULONG dataLen,
|
|
|
|
unsigned char *verifyData, CK_ULONG verifyDataLen,
|
2005-02-04 22:33:51 +00:00
|
|
|
CK_ULONG modLenBytes, int evp_md_index)
|
2003-01-31 15:32:27 +00:00
|
|
|
{
|
|
|
|
int errors = 0;
|
|
|
|
CK_RV rv;
|
|
|
|
unsigned char sig1[1024];
|
|
|
|
CK_ULONG sigLen1;
|
|
|
|
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2003-01-31 15:32:27 +00:00
|
|
|
int err;
|
|
|
|
EVP_PKEY *pkey;
|
2015-04-29 22:07:11 +00:00
|
|
|
EVP_MD_CTX *md_ctx;
|
2003-01-31 15:32:27 +00:00
|
|
|
|
|
|
|
const EVP_MD *evp_mds[] = {
|
|
|
|
EVP_sha1(),
|
|
|
|
EVP_sha1(),
|
|
|
|
EVP_sha1(),
|
|
|
|
EVP_md5(),
|
2019-02-01 08:13:21 +00:00
|
|
|
#ifndef OPENSSL_NO_RIPEMD
|
2003-01-31 15:32:27 +00:00
|
|
|
EVP_ripemd160(),
|
2019-02-01 08:13:21 +00:00
|
|
|
#endif
|
2012-08-13 10:45:11 +00:00
|
|
|
EVP_sha256(),
|
2003-01-31 15:32:27 +00:00
|
|
|
};
|
|
|
|
#endif
|
|
|
|
|
|
|
|
rv = p11->C_SignInit(session, ck_mech, privKeyObject);
|
|
|
|
/* mechanism not implemented, don't test */
|
|
|
|
if (rv == CKR_MECHANISM_INVALID)
|
|
|
|
return errors;
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignInit", rv);
|
2017-06-13 09:21:32 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(session, privKeyObject))
|
|
|
|
login(session,CKU_CONTEXT_SPECIFIC);
|
2003-01-31 15:32:27 +00:00
|
|
|
printf(" %s: ", p11_mechanism_to_name(ck_mech->mechanism));
|
|
|
|
|
|
|
|
sigLen1 = sizeof(sig1);
|
|
|
|
rv = p11->C_Sign(session, data, dataLen, sig1,
|
|
|
|
&sigLen1);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Sign", rv);
|
|
|
|
|
|
|
|
if (sigLen1 != modLenBytes) {
|
|
|
|
errors++;
|
2003-02-03 12:23:05 +00:00
|
|
|
printf(" ERR: wrong signature length: %u instead of %u\n",
|
|
|
|
(unsigned int) sigLen1,
|
|
|
|
(unsigned int) modLenBytes);
|
2003-01-31 15:32:27 +00:00
|
|
|
}
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifndef ENABLE_OPENSSL
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "unable to verify signature (compile with ENABLE_OPENSSL)\n");
|
2003-01-31 15:32:27 +00:00
|
|
|
#else
|
|
|
|
|
2003-04-17 14:39:44 +00:00
|
|
|
if (!(pkey = get_public_key(session, privKeyObject)))
|
2003-01-31 15:32:27 +00:00
|
|
|
return errors;
|
|
|
|
|
2015-04-29 22:07:11 +00:00
|
|
|
md_ctx = EVP_MD_CTX_create();
|
|
|
|
if (!md_ctx)
|
|
|
|
err = -1;
|
|
|
|
else {
|
2019-03-05 23:34:31 +00:00
|
|
|
if (EVP_VerifyInit(md_ctx, evp_mds[evp_md_index])
|
|
|
|
&& EVP_VerifyUpdate(md_ctx, verifyData, verifyDataLen)) {
|
|
|
|
err = EVP_VerifyFinal(md_ctx, sig1, sigLen1, pkey);
|
|
|
|
} else {
|
|
|
|
err = -1;
|
|
|
|
}
|
2015-04-29 22:07:11 +00:00
|
|
|
EVP_MD_CTX_destroy(md_ctx);
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
}
|
2003-01-31 15:32:27 +00:00
|
|
|
if (err == 0) {
|
|
|
|
printf("ERR: verification failed\n");
|
|
|
|
errors++;
|
|
|
|
} else if (err != 1) {
|
|
|
|
printf("openssl error during verification: 0x%0x (%d)\n", err, err);
|
|
|
|
} else
|
|
|
|
printf("OK\n");
|
|
|
|
|
|
|
|
/* free(cert); */
|
|
|
|
#endif
|
|
|
|
|
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
2003-04-17 14:39:44 +00:00
|
|
|
/*
|
|
|
|
* Test signature functions
|
|
|
|
*/
|
2011-06-01 18:51:26 +00:00
|
|
|
static int test_signature(CK_SESSION_HANDLE sess)
|
2003-01-03 14:33:17 +00:00
|
|
|
{
|
|
|
|
int errors = 0;
|
|
|
|
CK_RV rv;
|
|
|
|
CK_OBJECT_HANDLE privKeyObject;
|
|
|
|
CK_MECHANISM ck_mech = { CKM_MD5, NULL, 0 };
|
|
|
|
CK_MECHANISM_TYPE firstMechType;
|
|
|
|
CK_SESSION_INFO sessionInfo;
|
|
|
|
CK_ULONG i, j;
|
2016-07-04 17:19:46 +00:00
|
|
|
unsigned char data[512]; /* FIXME: Will not work for keys above 4096 bits */
|
2010-04-18 09:45:44 +00:00
|
|
|
CK_ULONG modLenBytes = 0;
|
2003-01-03 14:33:17 +00:00
|
|
|
CK_ULONG dataLen;
|
|
|
|
unsigned char sig1[1024], sig2[1024];
|
|
|
|
CK_ULONG sigLen1, sigLen2;
|
2003-01-31 15:32:27 +00:00
|
|
|
unsigned char verifyData[100];
|
|
|
|
char *label;
|
2003-01-03 14:33:17 +00:00
|
|
|
|
|
|
|
CK_MECHANISM_TYPE mechTypes[] = {
|
|
|
|
CKM_RSA_X_509,
|
|
|
|
CKM_RSA_PKCS,
|
|
|
|
CKM_SHA1_RSA_PKCS,
|
|
|
|
CKM_MD5_RSA_PKCS,
|
2019-02-04 13:26:02 +00:00
|
|
|
#ifndef OPENSSL_NO_RIPEMD
|
2003-01-03 14:33:17 +00:00
|
|
|
CKM_RIPEMD160_RSA_PKCS,
|
2019-02-04 13:26:02 +00:00
|
|
|
#endif
|
2012-08-12 19:19:57 +00:00
|
|
|
CKM_SHA256_RSA_PKCS,
|
2003-01-14 19:55:45 +00:00
|
|
|
0xffffff
|
2003-01-03 14:33:17 +00:00
|
|
|
};
|
2012-08-12 19:19:57 +00:00
|
|
|
size_t mechTypes_num = sizeof(mechTypes)/sizeof(CK_MECHANISM_TYPE);
|
2003-01-03 14:33:17 +00:00
|
|
|
unsigned char *datas[] = {
|
|
|
|
/* PCKS1_wrap(SHA1_encode(SHA-1(verifyData))),
|
|
|
|
* is done further on
|
|
|
|
*/
|
|
|
|
NULL,
|
|
|
|
|
|
|
|
/* SHA1_encode(SHA-1(verifyData)) */
|
2003-01-14 19:55:45 +00:00
|
|
|
(unsigned char *) "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14\x29\xb0\xe7\x87\x82\x71\x64\x5f\xff\xb7\xee\xc7\xdb\x4a\x74\x73\xa1\xc0\x0b\xc1",
|
2003-01-03 14:33:17 +00:00
|
|
|
|
|
|
|
verifyData,
|
|
|
|
verifyData,
|
|
|
|
verifyData,
|
2012-08-13 10:45:11 +00:00
|
|
|
verifyData,
|
2003-01-03 14:33:17 +00:00
|
|
|
};
|
|
|
|
CK_ULONG dataLens[] = {
|
|
|
|
0, /* should be modulus length, is done further on */
|
|
|
|
35,
|
|
|
|
sizeof(verifyData),
|
|
|
|
sizeof(verifyData),
|
|
|
|
sizeof(verifyData),
|
2012-08-13 10:45:11 +00:00
|
|
|
sizeof(verifyData),
|
2003-01-03 14:33:17 +00:00
|
|
|
};
|
|
|
|
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_GetSessionInfo(sess, &sessionInfo);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_OpenSession", rv);
|
2017-01-26 13:34:29 +00:00
|
|
|
if (!(sessionInfo.state & CKS_RW_USER_FUNCTIONS)) {
|
|
|
|
printf("Signature: not a R/W session, skipping signature tests\n");
|
2017-01-26 13:23:40 +00:00
|
|
|
return errors;
|
2003-01-03 14:33:17 +00:00
|
|
|
}
|
|
|
|
|
2012-08-12 19:19:57 +00:00
|
|
|
if (!find_mechanism(sessionInfo.slotID, CKF_SIGN | CKF_HW, mechTypes, mechTypes_num, &firstMechType)) {
|
2003-01-03 14:33:17 +00:00
|
|
|
printf("Signatures: not implemented\n");
|
|
|
|
return errors;
|
2003-05-16 16:33:42 +00:00
|
|
|
}
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
printf("Signatures (currently only for RSA)\n");
|
2003-05-16 16:33:42 +00:00
|
|
|
for (j = 0; find_object(sess, CKO_PRIVATE_KEY, &privKeyObject, NULL, 0, j); j++) {
|
|
|
|
printf(" testing key %ld ", j);
|
2003-02-17 11:09:24 +00:00
|
|
|
if ((label = getLABEL(sess, privKeyObject, NULL)) != NULL) {
|
2003-05-16 16:33:42 +00:00
|
|
|
printf("(%s) ", label);
|
2003-01-20 10:02:07 +00:00
|
|
|
free(label);
|
|
|
|
}
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (getKEY_TYPE(sess, privKeyObject) != CKK_RSA) {
|
|
|
|
printf(" -- non-RSA, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
2010-04-18 08:32:35 +00:00
|
|
|
|
2003-05-16 16:33:42 +00:00
|
|
|
if (!getSIGN(sess, privKeyObject)) {
|
|
|
|
printf(" -- can't be used for signature, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
2010-09-21 16:11:31 +00:00
|
|
|
|
2010-04-17 19:59:32 +00:00
|
|
|
modLenBytes = (get_private_key_length(sess, privKeyObject) + 7) / 8;
|
|
|
|
if(!modLenBytes) {
|
|
|
|
printf(" -- can't be used for signature, skipping: can't obtain modulus\n");
|
|
|
|
continue;
|
|
|
|
}
|
2003-05-16 16:33:42 +00:00
|
|
|
printf("\n");
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (privKeyObject == CK_INVALID_HANDLE) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Signatures: no private key found in this slot\n");
|
2003-05-16 16:33:42 +00:00
|
|
|
return 0;
|
2003-01-20 10:02:07 +00:00
|
|
|
}
|
2003-01-03 14:33:17 +00:00
|
|
|
|
|
|
|
/* 1st test */
|
|
|
|
|
2010-01-15 09:27:17 +00:00
|
|
|
/* assume --login has already authenticated the key */
|
2003-01-03 14:33:17 +00:00
|
|
|
switch (firstMechType) {
|
|
|
|
case CKM_RSA_PKCS:
|
|
|
|
dataLen = 35;
|
2003-11-23 15:43:38 +00:00
|
|
|
memcpy(data, datas[1], dataLen);
|
2003-01-27 13:33:28 +00:00
|
|
|
break;
|
2003-01-03 14:33:17 +00:00
|
|
|
case CKM_RSA_X_509:
|
|
|
|
dataLen = modLenBytes;
|
2017-09-13 15:41:20 +00:00
|
|
|
pseudo_randomize(data, dataLen);
|
2003-01-03 14:33:17 +00:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
dataLen = sizeof(data); /* let's hope it's OK */
|
2017-09-13 15:41:20 +00:00
|
|
|
pseudo_randomize(data, dataLen);
|
2003-01-03 14:33:17 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2017-04-03 11:37:56 +00:00
|
|
|
if (firstMechType == CKM_RSA_X_509) {
|
|
|
|
/* make sure our data is smaller than the modulus */
|
|
|
|
data[0] = 0x00;
|
|
|
|
}
|
|
|
|
|
2003-01-03 14:33:17 +00:00
|
|
|
ck_mech.mechanism = firstMechType;
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_SignInit(sess, &ck_mech, privKeyObject);
|
2015-04-10 05:42:00 +00:00
|
|
|
/* mechanism not implemented, don't test */
|
|
|
|
if (rv == CKR_MECHANISM_INVALID)
|
|
|
|
return errors;
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignInit", rv);
|
2017-06-14 20:53:41 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(sess, privKeyObject))
|
|
|
|
login(sess,CKU_CONTEXT_SPECIFIC);
|
2003-01-03 14:33:17 +00:00
|
|
|
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_SignUpdate(sess, data, 5);
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
|
2010-11-28 22:16:50 +00:00
|
|
|
p11_warn("C_SignUpdate", rv);
|
|
|
|
} else if (rv != CKR_OK) {
|
|
|
|
p11_perror("C_SignUpdate", rv);
|
|
|
|
errors++;
|
2003-01-03 14:33:17 +00:00
|
|
|
} else {
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignUpdate", rv);
|
|
|
|
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_SignUpdate(sess, data + 5, 10);
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignUpdate", rv);
|
|
|
|
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_SignUpdate(sess, data + 15, dataLen - 15);
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignUpdate", rv);
|
|
|
|
|
|
|
|
sigLen1 = sizeof(sig1);
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_SignFinal(sess, sig1, &sigLen1);
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignFinal", rv);
|
|
|
|
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_SignInit(sess, &ck_mech, privKeyObject);
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignInit", rv);
|
2017-06-13 09:21:32 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(sess, privKeyObject))
|
|
|
|
login(sess,CKU_CONTEXT_SPECIFIC);
|
2003-01-03 14:33:17 +00:00
|
|
|
|
|
|
|
sigLen2 = sizeof(sig2);
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_Sign(sess, data, dataLen, sig2, &sigLen2);
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Sign", rv);
|
|
|
|
|
|
|
|
if (sigLen1 != sigLen2) {
|
|
|
|
errors++;
|
|
|
|
printf(" ERR: signature lengths returned by C_SignFinal() different from C_Sign()\n");
|
|
|
|
} else if (memcmp(sig1, sig2, sigLen1) != 0) {
|
|
|
|
errors++;
|
|
|
|
printf(" ERR: signatures returned by C_SignFinal() different from C_Sign()\n");
|
|
|
|
} else
|
|
|
|
printf(" all 4 signature functions seem to work\n");
|
|
|
|
}
|
|
|
|
|
|
|
|
/* 2nd test */
|
|
|
|
|
|
|
|
ck_mech.mechanism = firstMechType;
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_SignInit(sess, &ck_mech, privKeyObject);
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignInit", rv);
|
|
|
|
|
|
|
|
sigLen2 = 1; /* too short */
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_Sign(sess, data, dataLen, sig2, &sigLen2);
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv != CKR_BUFFER_TOO_SMALL) {
|
|
|
|
errors++;
|
|
|
|
printf(" ERR: C_Sign() didn't return CKR_BUFFER_TOO_SMALL but %s (0x%0x)\n", CKR2Str(rv), (int) rv);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* output buf = NULL */
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_Sign(sess, data, dataLen, NULL, &sigLen2);
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv != CKR_OK) {
|
|
|
|
errors++;
|
|
|
|
printf(" ERR: C_Sign() didn't return CKR_OK for a NULL output buf, but %s (0x%0x)\n",
|
|
|
|
CKR2Str(rv), (int) rv);
|
|
|
|
}
|
2017-06-13 09:21:32 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(sess, privKeyObject))
|
|
|
|
login(sess,CKU_CONTEXT_SPECIFIC);
|
2003-01-03 14:33:17 +00:00
|
|
|
|
2003-02-17 11:09:24 +00:00
|
|
|
rv = p11->C_Sign(sess, data, dataLen, sig2, &sigLen2);
|
2003-01-03 14:33:17 +00:00
|
|
|
if (rv == CKR_OPERATION_NOT_INITIALIZED) {
|
|
|
|
printf(" ERR: signature operation ended prematurely\n");
|
|
|
|
errors++;
|
|
|
|
} else if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Sign", rv);
|
|
|
|
|
|
|
|
/* 3rd test */
|
|
|
|
|
|
|
|
/* input = "01234567890123456...456789" */
|
|
|
|
for (i = 0; i < 10; i++)
|
|
|
|
for (j = 0; j < 10; j++)
|
|
|
|
verifyData[10 * i + j] = (unsigned char) (0x30 + j);
|
|
|
|
|
|
|
|
/* Fill in data[0] and dataLens[0] */
|
|
|
|
dataLen = modLenBytes;
|
2017-02-13 02:34:13 +00:00
|
|
|
data[0] = 0x00;
|
2003-01-03 14:33:17 +00:00
|
|
|
data[1] = 0x01;
|
|
|
|
memset(data + 2, 0xFF, dataLen - 3 - dataLens[1]);
|
2018-06-21 13:15:38 +00:00
|
|
|
if (dataLen >= 36)
|
|
|
|
data[dataLen - 36] = 0x00;
|
2003-01-03 14:33:17 +00:00
|
|
|
memcpy(data + (dataLen - dataLens[1]), datas[1], dataLens[1]);
|
|
|
|
datas[0] = data;
|
|
|
|
dataLens[0] = dataLen;
|
|
|
|
|
2003-01-31 15:32:27 +00:00
|
|
|
printf(" testing signature mechanisms:\n");
|
2003-01-21 15:29:17 +00:00
|
|
|
for (i = 0; mechTypes[i] != 0xffffff; i++) {
|
2003-01-03 14:33:17 +00:00
|
|
|
ck_mech.mechanism = mechTypes[i];
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += sign_verify_openssl(sess, &ck_mech, privKeyObject,
|
2003-01-31 15:32:27 +00:00
|
|
|
datas[i], dataLens[i], verifyData, sizeof(verifyData),
|
|
|
|
modLenBytes, i);
|
|
|
|
}
|
2003-01-03 14:33:17 +00:00
|
|
|
|
2017-06-26 15:58:41 +00:00
|
|
|
/* 4th test: the other signature keys */
|
2003-01-03 14:33:17 +00:00
|
|
|
|
2003-01-31 15:32:27 +00:00
|
|
|
for (i = 0; mechTypes[i] != 0xffffff; i++)
|
2016-07-04 17:19:46 +00:00
|
|
|
if (mechTypes[i] == firstMechType)
|
2003-01-31 15:32:27 +00:00
|
|
|
break;
|
|
|
|
ck_mech.mechanism = mechTypes[i];
|
|
|
|
j = 1; /* j-th signature key */
|
2003-02-17 11:09:24 +00:00
|
|
|
while (find_object(sess, CKO_PRIVATE_KEY, &privKeyObject, NULL, 0, j++) != 0) {
|
2003-12-29 13:15:04 +00:00
|
|
|
CK_ULONG modLenBits;
|
|
|
|
|
|
|
|
label = getLABEL(sess, privKeyObject, NULL);
|
2004-12-09 08:23:57 +00:00
|
|
|
modLenBits = get_private_key_length(sess, privKeyObject);
|
2003-12-29 13:15:04 +00:00
|
|
|
modLenBytes = (modLenBits + 7) / 8;
|
|
|
|
|
2005-07-15 13:37:38 +00:00
|
|
|
printf(" testing key %d (%u bits%s%s) with 1 signature mechanism",
|
2003-12-29 13:15:04 +00:00
|
|
|
(int) (j-1),
|
|
|
|
(int) modLenBits,
|
|
|
|
label? ", label=" : "",
|
|
|
|
label? label : "");
|
|
|
|
if (label)
|
2003-01-31 15:32:27 +00:00
|
|
|
free(label);
|
2003-01-03 14:33:17 +00:00
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (getKEY_TYPE(sess, privKeyObject) != CKK_RSA) {
|
|
|
|
printf(" -- non-RSA, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
2005-07-15 13:37:38 +00:00
|
|
|
if (!getSIGN(sess, privKeyObject)) {
|
|
|
|
printf(" -- can't be used to sign/verify, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
2010-04-18 08:32:35 +00:00
|
|
|
else if (!modLenBytes) {
|
2010-09-21 16:11:31 +00:00
|
|
|
printf(" -- can't be used to sign/verify, skipping: can't obtain modulus\n");
|
2010-04-17 19:59:32 +00:00
|
|
|
continue;
|
|
|
|
}
|
2010-04-18 08:32:35 +00:00
|
|
|
else {
|
2005-07-15 13:37:38 +00:00
|
|
|
printf("\n");
|
2010-04-17 19:59:32 +00:00
|
|
|
}
|
2005-07-15 13:37:38 +00:00
|
|
|
|
2017-06-26 15:58:41 +00:00
|
|
|
/* Fill in data[0] and dataLens[0] */
|
|
|
|
dataLen = modLenBytes;
|
|
|
|
data[0] = 0x00;
|
|
|
|
data[1] = 0x01;
|
|
|
|
memset(data + 2, 0xFF, dataLen - 3 - dataLens[1]);
|
|
|
|
data[dataLen - 36] = 0x00;
|
|
|
|
memcpy(data + (dataLen - dataLens[1]), datas[1], dataLens[1]);
|
|
|
|
datas[0] = data;
|
|
|
|
dataLens[0] = dataLen;
|
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += sign_verify_openssl(sess, &ck_mech, privKeyObject,
|
2003-01-31 15:32:27 +00:00
|
|
|
datas[i], dataLens[i], verifyData, sizeof(verifyData),
|
|
|
|
modLenBytes, i);
|
2003-01-03 14:33:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
static int sign_verify(CK_SESSION_HANDLE session,
|
2007-06-21 12:58:57 +00:00
|
|
|
CK_OBJECT_HANDLE priv_key, int key_len,
|
2003-07-22 09:54:20 +00:00
|
|
|
CK_OBJECT_HANDLE pub_key, int one_test)
|
|
|
|
{
|
|
|
|
CK_RV rv;
|
|
|
|
CK_MECHANISM_TYPE mech_types[] = {
|
|
|
|
CKM_RSA_X_509,
|
|
|
|
CKM_RSA_PKCS,
|
|
|
|
CKM_SHA1_RSA_PKCS,
|
|
|
|
CKM_MD5_RSA_PKCS,
|
|
|
|
CKM_RIPEMD160_RSA_PKCS,
|
|
|
|
0xffffff
|
|
|
|
};
|
|
|
|
CK_MECHANISM_TYPE *mech_type;
|
|
|
|
unsigned char buf[512] = {0};
|
|
|
|
unsigned char *datas[] = {
|
|
|
|
buf,
|
2003-09-25 09:33:16 +00:00
|
|
|
(unsigned char *) "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14\x29\xb0\xe7\x87\x82\x71\x64\x5f\xff\xb7\xee\xc7\xdb\x4a\x74\x73\xa1\xc0\x0b\xc1",
|
2003-07-22 09:54:20 +00:00
|
|
|
buf,
|
|
|
|
buf,
|
|
|
|
buf
|
2012-04-02 22:00:56 +00:00
|
|
|
};
|
2003-07-22 09:54:20 +00:00
|
|
|
int data_lens[] = {
|
|
|
|
key_len,
|
|
|
|
35,
|
|
|
|
234,
|
|
|
|
345,
|
|
|
|
456
|
|
|
|
};
|
|
|
|
unsigned char signat[512];
|
2003-08-05 17:28:29 +00:00
|
|
|
CK_ULONG signat_len;
|
|
|
|
int j, errors = 0;
|
2003-07-22 09:54:20 +00:00
|
|
|
|
2005-02-11 20:09:34 +00:00
|
|
|
memcpy(buf, "\x00\x01\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00", 11);
|
2004-09-27 08:38:51 +00:00
|
|
|
|
2003-07-22 09:54:20 +00:00
|
|
|
for (j = 0, mech_type = mech_types; *mech_type != 0xffffff; mech_type++, j++) {
|
|
|
|
CK_MECHANISM mech = {*mech_type, NULL, 0};
|
|
|
|
|
|
|
|
rv = p11->C_SignInit(session, &mech, priv_key);
|
|
|
|
if (rv == CKR_MECHANISM_INVALID)
|
2003-12-29 13:03:48 +00:00
|
|
|
continue;
|
2003-07-22 09:54:20 +00:00
|
|
|
if (rv != CKR_OK) {
|
|
|
|
printf(" ERR: C_SignInit() returned %s (0x%0x)\n", CKR2Str(rv), (int) rv);
|
|
|
|
return ++errors;
|
|
|
|
}
|
2017-06-13 09:21:32 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(session, priv_key))
|
|
|
|
login(session,CKU_CONTEXT_SPECIFIC);
|
2017-06-14 20:53:41 +00:00
|
|
|
printf(" %s: ", p11_mechanism_to_name(*mech_type));
|
2003-07-22 09:54:20 +00:00
|
|
|
|
|
|
|
signat_len = sizeof(signat);
|
|
|
|
rv = p11->C_Sign(session, datas[j], data_lens[j], signat, &signat_len);
|
|
|
|
if (rv != CKR_OK) {
|
|
|
|
printf(" ERR: C_Sign() returned %s (0x%0x)\n", CKR2Str(rv), (int) rv);
|
|
|
|
return ++errors;
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_VerifyInit(session, &mech, pub_key);
|
|
|
|
if (rv != CKR_OK) {
|
|
|
|
printf(" ERR: C_VerifyInit() returned %s (0x%0x)\n", CKR2Str(rv), (int) rv);
|
|
|
|
return ++errors;
|
|
|
|
}
|
|
|
|
rv = p11->C_Verify(session, datas[j], data_lens[j], signat, signat_len);
|
|
|
|
if (rv == CKR_SIGNATURE_INVALID) {
|
|
|
|
printf(" ERR: verification failed");
|
|
|
|
errors++;
|
2012-04-02 22:00:56 +00:00
|
|
|
}
|
2003-07-22 09:54:20 +00:00
|
|
|
if (rv != CKR_OK) {
|
|
|
|
printf(" ERR: C_Verify() returned %s (0x%0x)\n", CKR2Str(rv), (int) rv);
|
|
|
|
return ++errors;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
printf("OK\n");
|
|
|
|
|
|
|
|
if (one_test)
|
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
static int test_verify(CK_SESSION_HANDLE sess)
|
2003-07-22 09:54:20 +00:00
|
|
|
{
|
|
|
|
int key_len, i, errors = 0;
|
|
|
|
CK_OBJECT_HANDLE priv_key, pub_key;
|
|
|
|
CK_MECHANISM_TYPE first_mech_type;
|
2003-07-24 08:35:34 +00:00
|
|
|
CK_SESSION_INFO sessionInfo;
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
rv = p11->C_GetSessionInfo(sess, &sessionInfo);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_OpenSession", rv);
|
2017-01-26 13:34:29 +00:00
|
|
|
if (!(sessionInfo.state & CKS_RW_USER_FUNCTIONS)) {
|
|
|
|
printf("Verify: not a R/W session, skipping verify tests\n");
|
2017-01-26 13:23:40 +00:00
|
|
|
return errors;
|
2003-07-24 08:35:34 +00:00
|
|
|
}
|
2003-07-22 09:54:20 +00:00
|
|
|
|
2012-08-12 19:19:57 +00:00
|
|
|
if (!find_mechanism(sessionInfo.slotID, CKF_VERIFY, NULL, 0, &first_mech_type)) {
|
2003-07-22 09:54:20 +00:00
|
|
|
printf("Verify: not implemented\n");
|
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
printf("Verify (currently only for RSA)\n");
|
2003-07-22 09:54:20 +00:00
|
|
|
|
|
|
|
for (i = 0; find_object(sess, CKO_PRIVATE_KEY, &priv_key, NULL, 0, i); i++) {
|
2003-09-25 09:33:16 +00:00
|
|
|
char *label;
|
|
|
|
unsigned char *id;
|
2003-08-05 17:28:29 +00:00
|
|
|
CK_ULONG id_len;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2003-08-05 17:28:29 +00:00
|
|
|
printf(" testing key %d", i);
|
2003-07-22 09:54:20 +00:00
|
|
|
if ((label = getLABEL(sess, priv_key, NULL)) != NULL) {
|
|
|
|
printf(" (%s)", label);
|
|
|
|
free(label);
|
|
|
|
}
|
|
|
|
if (i != 0)
|
|
|
|
printf(" with 1 mechanism");
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (getKEY_TYPE(sess, priv_key) != CKK_RSA) {
|
|
|
|
printf(" -- non-RSA, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
2003-07-22 09:54:20 +00:00
|
|
|
|
|
|
|
if (!getSIGN(sess, priv_key)) {
|
|
|
|
printf(" -- can't be used to sign/verify, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if ((id = getID(sess, priv_key, &id_len)) != NULL) {
|
|
|
|
int r;
|
|
|
|
|
|
|
|
r = find_object(sess, CKO_PUBLIC_KEY, &pub_key, id, id_len, 0);
|
|
|
|
free(id);
|
|
|
|
if (r == 0) {
|
|
|
|
printf(" -- can't find corresponding public key, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
printf(" -- can't get the ID for looking up the public key, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2004-12-09 08:23:57 +00:00
|
|
|
key_len = (get_private_key_length(sess, priv_key) + 7) / 8;
|
2010-04-17 19:59:32 +00:00
|
|
|
if(!key_len) {
|
|
|
|
printf(" -- can't get the modulus length, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
2016-12-14 20:18:58 +00:00
|
|
|
printf("\n");
|
2003-07-22 09:54:20 +00:00
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += sign_verify(sess, priv_key, key_len, pub_key, i != 0);
|
2003-07-22 09:54:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (i == 0)
|
|
|
|
printf(" No private key found for testing\n");
|
|
|
|
|
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2011-06-01 18:51:26 +00:00
|
|
|
static int wrap_unwrap(CK_SESSION_HANDLE session,
|
2003-04-22 17:00:38 +00:00
|
|
|
const EVP_CIPHER *algo, CK_OBJECT_HANDLE privKeyObject)
|
2003-04-17 14:39:44 +00:00
|
|
|
{
|
|
|
|
CK_OBJECT_HANDLE cipherKeyObject;
|
|
|
|
CK_RV rv;
|
|
|
|
EVP_PKEY *pkey;
|
2016-01-06 14:40:59 +00:00
|
|
|
EVP_CIPHER_CTX * seal_ctx;
|
2003-04-17 14:39:44 +00:00
|
|
|
unsigned char keybuf[512], *key = keybuf;
|
|
|
|
int key_len;
|
|
|
|
unsigned char iv[32], ciphered[1024], cleartext[1024];
|
|
|
|
int ciphered_len, cleartext_len, len;
|
|
|
|
CK_MECHANISM mech;
|
|
|
|
CK_ULONG key_type = CKM_DES_CBC;
|
2010-03-28 20:40:13 +00:00
|
|
|
CK_ULONG key_len_ul;
|
2003-04-17 14:39:44 +00:00
|
|
|
CK_ATTRIBUTE key_template = { CKA_KEY_TYPE, &key_type, sizeof(key_type) };
|
|
|
|
|
|
|
|
pkey = get_public_key(session, privKeyObject);
|
|
|
|
if (pkey == NULL)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
printf(" %s: ", OBJ_nid2sn(EVP_CIPHER_nid(algo)));
|
|
|
|
|
2016-01-06 14:40:59 +00:00
|
|
|
seal_ctx = EVP_CIPHER_CTX_new();
|
|
|
|
if (seal_ctx == NULL) {
|
|
|
|
printf("Internal error.\n");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!EVP_SealInit(seal_ctx, algo,
|
2003-04-17 14:39:44 +00:00
|
|
|
&key, &key_len,
|
2015-02-02 23:51:04 +00:00
|
|
|
iv, &pkey, 1)) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Internal error.\n");
|
2015-02-02 23:51:04 +00:00
|
|
|
return 1;
|
|
|
|
}
|
2003-10-01 06:51:49 +00:00
|
|
|
|
2003-04-17 14:39:44 +00:00
|
|
|
/* Encrypt something */
|
|
|
|
len = sizeof(ciphered);
|
2016-01-06 14:40:59 +00:00
|
|
|
if (!EVP_SealUpdate(seal_ctx, ciphered, &len, (const unsigned char *) "hello world", 11)) {
|
|
|
|
printf("Internal error.\n");
|
2015-02-02 23:51:04 +00:00
|
|
|
return 1;
|
|
|
|
}
|
2003-04-17 14:39:44 +00:00
|
|
|
ciphered_len = len;
|
|
|
|
|
|
|
|
len = sizeof(ciphered) - ciphered_len;
|
2016-01-06 14:40:59 +00:00
|
|
|
if (!EVP_SealFinal(seal_ctx, ciphered + ciphered_len, &len)) {
|
|
|
|
printf("Internal error.\n");
|
2015-02-02 23:51:04 +00:00
|
|
|
return 1;
|
|
|
|
}
|
2003-04-17 14:39:44 +00:00
|
|
|
ciphered_len += len;
|
|
|
|
|
2003-10-01 06:51:49 +00:00
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
|
2003-04-17 14:39:44 +00:00
|
|
|
mech.mechanism = CKM_RSA_PKCS;
|
|
|
|
rv = p11->C_UnwrapKey(session, &mech, privKeyObject,
|
|
|
|
key, key_len,
|
|
|
|
&key_template, 1,
|
|
|
|
&cipherKeyObject);
|
|
|
|
|
|
|
|
/* mechanism not implemented, don't test */
|
2004-01-07 09:32:58 +00:00
|
|
|
if (rv == CKR_MECHANISM_INVALID) {
|
|
|
|
printf("Wrap mechanism not supported, skipped\n");
|
2003-04-17 14:39:44 +00:00
|
|
|
return 0;
|
2004-01-07 09:32:58 +00:00
|
|
|
}
|
2003-04-17 14:39:44 +00:00
|
|
|
if (rv != CKR_OK) {
|
2003-04-30 12:24:40 +00:00
|
|
|
p11_perror("C_UnwrapKey", rv);
|
2003-04-17 14:39:44 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Try to decrypt */
|
2010-03-28 20:40:13 +00:00
|
|
|
key = getVALUE(session, cipherKeyObject, &key_len_ul);
|
|
|
|
key_len = key_len_ul;
|
2003-04-17 14:39:44 +00:00
|
|
|
if (key == NULL) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Could not get unwrapped key\n");
|
2003-04-17 14:39:44 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
if (key_len != EVP_CIPHER_key_length(algo)) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "Key length mismatch (%d != %d)\n",
|
2003-04-17 14:39:44 +00:00
|
|
|
key_len, EVP_CIPHER_key_length(algo));
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2016-01-06 14:40:59 +00:00
|
|
|
if (!EVP_DecryptInit(seal_ctx, algo, key, iv)) {
|
|
|
|
printf("Internal error.\n");
|
2015-01-28 03:45:08 +00:00
|
|
|
return 1;
|
2015-02-02 23:51:04 +00:00
|
|
|
}
|
2003-04-17 14:39:44 +00:00
|
|
|
|
|
|
|
len = sizeof(cleartext);
|
2016-01-06 14:40:59 +00:00
|
|
|
if (!EVP_DecryptUpdate(seal_ctx, cleartext, &len, ciphered, ciphered_len)) {
|
|
|
|
printf("Internal error.\n");
|
2015-02-02 23:51:04 +00:00
|
|
|
return 1;
|
|
|
|
}
|
2003-04-17 14:39:44 +00:00
|
|
|
|
|
|
|
cleartext_len = len;
|
|
|
|
len = sizeof(cleartext) - len;
|
2016-01-06 14:40:59 +00:00
|
|
|
if (!EVP_DecryptFinal(seal_ctx, cleartext + cleartext_len, &len)) {
|
|
|
|
printf("Internal error.\n");
|
2015-02-02 23:51:04 +00:00
|
|
|
return 1;
|
|
|
|
}
|
2003-04-17 14:39:44 +00:00
|
|
|
cleartext_len += len;
|
|
|
|
|
|
|
|
if (cleartext_len != 11
|
|
|
|
|| memcmp(cleartext, "hello world", 11)) {
|
2004-01-07 09:32:58 +00:00
|
|
|
printf("resulting cleartext doesn't match input\n");
|
2003-04-17 14:39:44 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2016-01-06 14:40:59 +00:00
|
|
|
if (seal_ctx)
|
|
|
|
EVP_CIPHER_CTX_free(seal_ctx);
|
|
|
|
|
2003-04-17 14:39:44 +00:00
|
|
|
printf("OK\n");
|
|
|
|
return 0;
|
|
|
|
}
|
2003-04-22 20:43:02 +00:00
|
|
|
#endif
|
2003-04-17 14:39:44 +00:00
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Test unwrap functions
|
|
|
|
*/
|
2011-06-01 18:51:26 +00:00
|
|
|
static int test_unwrap(CK_SESSION_HANDLE sess)
|
2003-04-17 14:39:44 +00:00
|
|
|
{
|
|
|
|
int errors = 0;
|
|
|
|
CK_RV rv;
|
|
|
|
CK_OBJECT_HANDLE privKeyObject;
|
|
|
|
CK_MECHANISM_TYPE firstMechType;
|
|
|
|
CK_SESSION_INFO sessionInfo;
|
|
|
|
CK_ULONG j;
|
|
|
|
char *label;
|
|
|
|
|
|
|
|
rv = p11->C_GetSessionInfo(sess, &sessionInfo);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_OpenSession", rv);
|
2010-01-15 09:36:00 +00:00
|
|
|
if (!(sessionInfo.state & CKS_RW_USER_FUNCTIONS)) {
|
|
|
|
printf("Key unwrap: not a R/W session, skipping key unwrap tests\n");
|
2003-04-17 14:39:44 +00:00
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
2012-08-12 19:19:57 +00:00
|
|
|
if (!find_mechanism(sessionInfo.slotID, CKF_UNWRAP | CKF_HW, NULL, 0, &firstMechType)) {
|
2003-04-17 14:39:44 +00:00
|
|
|
printf("Unwrap: not implemented\n");
|
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
printf("Key unwrap (currently only for RSA)\n");
|
2003-04-17 14:39:44 +00:00
|
|
|
for (j = 0; find_object(sess, CKO_PRIVATE_KEY, &privKeyObject, NULL, 0, j); j++) {
|
|
|
|
printf(" testing key %ld ", j);
|
|
|
|
if ((label = getLABEL(sess, privKeyObject, NULL)) != NULL) {
|
|
|
|
printf("(%s) ", label);
|
|
|
|
free(label);
|
|
|
|
}
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (getKEY_TYPE(sess, privKeyObject) != CKK_RSA) {
|
|
|
|
printf(" -- non-RSA, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
2003-04-30 12:24:40 +00:00
|
|
|
if (!getUNWRAP(sess, privKeyObject)) {
|
|
|
|
printf(" -- can't be used to unwrap, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
2003-04-17 14:39:44 +00:00
|
|
|
printf("\n");
|
|
|
|
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifndef ENABLE_OPENSSL
|
2003-04-22 20:43:02 +00:00
|
|
|
printf("No OpenSSL support, unable to validate C_Unwrap\n");
|
|
|
|
#else
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += wrap_unwrap(sess, EVP_des_cbc(), privKeyObject);
|
|
|
|
errors += wrap_unwrap(sess, EVP_des_ede3_cbc(), privKeyObject);
|
|
|
|
errors += wrap_unwrap(sess, EVP_bf_cbc(), privKeyObject);
|
2019-02-04 13:26:02 +00:00
|
|
|
#ifndef OPENSSL_NO_CAST
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += wrap_unwrap(sess, EVP_cast5_cfb(), privKeyObject);
|
2019-02-04 13:26:02 +00:00
|
|
|
#endif
|
2003-04-22 20:43:02 +00:00
|
|
|
#endif
|
2003-04-17 14:39:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_OPENSSL
|
2011-06-01 18:51:26 +00:00
|
|
|
static int encrypt_decrypt(CK_SESSION_HANDLE session,
|
2004-01-07 09:32:58 +00:00
|
|
|
CK_MECHANISM_TYPE mech_type,
|
|
|
|
CK_OBJECT_HANDLE privKeyObject)
|
2003-10-01 06:51:49 +00:00
|
|
|
{
|
|
|
|
EVP_PKEY *pkey;
|
2019-03-06 09:26:05 +00:00
|
|
|
unsigned char orig_data[512];
|
2003-10-01 06:51:49 +00:00
|
|
|
unsigned char encrypted[512], data[512];
|
|
|
|
CK_MECHANISM mech;
|
2003-10-02 08:29:32 +00:00
|
|
|
CK_ULONG encrypted_len, data_len;
|
2004-07-21 22:11:12 +00:00
|
|
|
int failed;
|
2003-10-01 06:51:49 +00:00
|
|
|
CK_RV rv;
|
2019-02-05 10:35:42 +00:00
|
|
|
int pad;
|
2019-02-07 09:42:48 +00:00
|
|
|
CK_MECHANISM_TYPE hash_alg = CKM_SHA256;
|
2019-04-24 12:03:35 +00:00
|
|
|
CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA256;
|
2019-02-01 08:16:59 +00:00
|
|
|
CK_RSA_PKCS_OAEP_PARAMS oaep_params;
|
2003-10-01 06:51:49 +00:00
|
|
|
|
2004-01-07 09:32:58 +00:00
|
|
|
printf(" %s: ", p11_mechanism_to_name(mech_type));
|
|
|
|
|
2019-03-06 09:26:05 +00:00
|
|
|
pseudo_randomize(orig_data, sizeof(orig_data));
|
|
|
|
|
2003-10-01 06:51:49 +00:00
|
|
|
pkey = get_public_key(session, privKeyObject);
|
2004-01-07 09:32:58 +00:00
|
|
|
if (pkey == NULL)
|
2003-10-01 06:51:49 +00:00
|
|
|
return 0;
|
2004-01-07 09:32:58 +00:00
|
|
|
|
2006-02-15 17:05:05 +00:00
|
|
|
if (EVP_PKEY_size(pkey) > (int)sizeof(encrypted)) {
|
2017-09-13 15:42:28 +00:00
|
|
|
printf("Ciphertext buffer too small\n");
|
2003-10-01 06:51:49 +00:00
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
return 0;
|
|
|
|
}
|
2019-02-05 10:35:42 +00:00
|
|
|
size_t in_len;
|
|
|
|
CK_ULONG mod_len = (get_private_key_length(session, privKeyObject) + 7) / 8;
|
|
|
|
switch (mech_type) {
|
|
|
|
case CKM_RSA_PKCS:
|
|
|
|
pad = RSA_PKCS1_PADDING;
|
|
|
|
/* Limit the input length to <= mod_len-11 */
|
|
|
|
in_len = mod_len-11;
|
|
|
|
break;
|
|
|
|
case CKM_RSA_PKCS_OAEP: {
|
2019-02-07 09:42:48 +00:00
|
|
|
if (opt_hash_alg != 0) {
|
2019-02-05 11:03:51 +00:00
|
|
|
hash_alg = opt_hash_alg;
|
|
|
|
}
|
2019-02-07 09:42:48 +00:00
|
|
|
switch (hash_alg) {
|
|
|
|
case CKM_SHA_1:
|
|
|
|
mgf = CKG_MGF1_SHA1;
|
|
|
|
break;
|
|
|
|
case CKM_SHA224:
|
|
|
|
mgf = CKG_MGF1_SHA224;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
printf("hash-algorithm %s unknown, defaulting to CKM_SHA256\n", p11_mechanism_to_name(hash_alg));
|
|
|
|
/* fall through */
|
|
|
|
case CKM_SHA256:
|
|
|
|
mgf = CKG_MGF1_SHA256;
|
|
|
|
break;
|
|
|
|
case CKM_SHA384:
|
|
|
|
mgf = CKG_MGF1_SHA384;
|
|
|
|
break;
|
|
|
|
case CKM_SHA512:
|
|
|
|
mgf = CKG_MGF1_SHA512;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (opt_mgf != 0) {
|
|
|
|
mgf = opt_mgf;
|
|
|
|
} else {
|
|
|
|
printf("mgf not set, defaulting to %s\n", p11_mgf_to_name(mgf));
|
|
|
|
}
|
|
|
|
|
2019-02-05 10:35:42 +00:00
|
|
|
pad = RSA_PKCS1_OAEP_PADDING;
|
|
|
|
/* Limit the input length to <= mod_len-2-2*hlen */
|
|
|
|
size_t len = 2+2*hash_length(hash_alg);
|
|
|
|
if (len >= mod_len) {
|
|
|
|
printf("Incompatible mechanism and key size\n");
|
2019-02-01 10:35:25 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2019-02-05 10:35:42 +00:00
|
|
|
in_len = mod_len-len;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
case CKM_RSA_X_509:
|
|
|
|
pad = RSA_NO_PADDING;
|
|
|
|
/* Limit the input length to the modulus length */
|
|
|
|
in_len = mod_len;
|
|
|
|
break;
|
|
|
|
default:
|
2019-02-07 09:42:48 +00:00
|
|
|
printf("Unsupported mechanism %s, returning\n", p11_mechanism_to_name(mech_type));
|
2019-02-05 10:35:42 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2019-02-01 08:16:59 +00:00
|
|
|
|
2019-04-05 08:39:52 +00:00
|
|
|
if (in_len > sizeof(orig_data)) {
|
2019-04-05 08:38:12 +00:00
|
|
|
printf("Private key size is too long\n");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-02-05 10:35:42 +00:00
|
|
|
EVP_PKEY_CTX *ctx;
|
|
|
|
ctx = EVP_PKEY_CTX_new(pkey, NULL);
|
|
|
|
if (!ctx) {
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
printf("EVP_PKEY_CTX_new failed, returning\n");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (EVP_PKEY_encrypt_init(ctx) <= 0) {
|
|
|
|
EVP_PKEY_CTX_free(ctx);
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
printf("EVP_PKEY_encrypt_init failed, returning\n");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (EVP_PKEY_CTX_set_rsa_padding(ctx, pad) <= 0) {
|
2019-02-01 10:35:25 +00:00
|
|
|
EVP_PKEY_CTX_free(ctx);
|
|
|
|
EVP_PKEY_free(pkey);
|
2019-02-07 09:42:48 +00:00
|
|
|
printf("set padding failed, returning\n");
|
2019-02-05 10:35:42 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2019-02-07 09:42:48 +00:00
|
|
|
if (mech_type == CKM_RSA_PKCS_OAEP) {
|
|
|
|
const EVP_MD *md;
|
|
|
|
switch (hash_alg) {
|
|
|
|
case CKM_SHA_1:
|
|
|
|
md = EVP_sha1();
|
|
|
|
break;
|
|
|
|
case CKM_SHA224:
|
|
|
|
md = EVP_sha224();
|
|
|
|
break;
|
|
|
|
default: /* it should not happen, hash_alg is checked earlier */
|
|
|
|
/* fall through */
|
|
|
|
case CKM_SHA256:
|
|
|
|
md = EVP_sha256();
|
|
|
|
break;
|
|
|
|
case CKM_SHA384:
|
|
|
|
md = EVP_sha384();
|
|
|
|
break;
|
|
|
|
case CKM_SHA512:
|
|
|
|
md = EVP_sha512();
|
|
|
|
break;
|
|
|
|
}
|
2019-02-12 09:42:39 +00:00
|
|
|
#if defined(EVP_PKEY_CTX_set_rsa_oaep_md)
|
2019-02-07 09:42:48 +00:00
|
|
|
if (EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) <= 0) {
|
|
|
|
EVP_PKEY_CTX_free(ctx);
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
printf("set md failed, returning\n");
|
|
|
|
return 0;
|
|
|
|
}
|
2019-02-12 09:42:39 +00:00
|
|
|
#else
|
2019-02-12 13:09:26 +00:00
|
|
|
if (hash_alg != CKM_SHA_1) {
|
2019-03-06 10:35:11 +00:00
|
|
|
printf("This version of OpenSSL only supports SHA1 for OAEP, returning\n");
|
2019-02-12 09:42:39 +00:00
|
|
|
return 0;
|
2019-02-12 13:09:26 +00:00
|
|
|
}
|
2019-02-12 09:42:39 +00:00
|
|
|
#endif
|
2019-02-07 09:42:48 +00:00
|
|
|
switch (mgf) {
|
|
|
|
case CKG_MGF1_SHA1:
|
|
|
|
md = EVP_sha1();
|
|
|
|
break;
|
|
|
|
case CKG_MGF1_SHA224:
|
|
|
|
md = EVP_sha224();
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
printf("mgf %s unknown, defaulting to CKG_MGF1_SHA256\n", p11_mgf_to_name(mgf));
|
|
|
|
mgf = CKG_MGF1_SHA256;
|
|
|
|
/* fall through */
|
|
|
|
case CKG_MGF1_SHA256:
|
|
|
|
md = EVP_sha256();
|
|
|
|
break;
|
|
|
|
case CKG_MGF1_SHA384:
|
|
|
|
md = EVP_sha384();
|
|
|
|
break;
|
|
|
|
case CKG_MGF1_SHA512:
|
|
|
|
md = EVP_sha512();
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) <= 0) {
|
|
|
|
EVP_PKEY_CTX_free(ctx);
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
printf("set mgf1 md failed, returning\n");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
2019-02-01 10:35:25 +00:00
|
|
|
|
2019-02-05 10:35:42 +00:00
|
|
|
size_t out_len = sizeof(encrypted);
|
|
|
|
if (EVP_PKEY_encrypt(ctx, encrypted, &out_len, orig_data, in_len) <= 0) {
|
|
|
|
EVP_PKEY_CTX_free(ctx);
|
2019-02-01 10:35:25 +00:00
|
|
|
EVP_PKEY_free(pkey);
|
2017-09-13 15:42:28 +00:00
|
|
|
printf("Encryption failed, returning\n");
|
2003-10-01 06:51:49 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2019-02-05 10:35:42 +00:00
|
|
|
EVP_PKEY_CTX_free(ctx);
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
encrypted_len = out_len;
|
2019-02-01 08:16:59 +00:00
|
|
|
|
|
|
|
/* set "default" MGF and hash algorithms. We can overwrite MGF later */
|
|
|
|
switch (mech_type) {
|
|
|
|
case CKM_RSA_PKCS_OAEP:
|
2019-02-05 10:35:42 +00:00
|
|
|
oaep_params.hashAlg = hash_alg;
|
2019-02-07 09:42:48 +00:00
|
|
|
oaep_params.mgf = mgf;
|
2019-02-01 08:16:59 +00:00
|
|
|
|
|
|
|
/* These settings are compatible with OpenSSL 1.0.2L and 1.1.0+ */
|
|
|
|
oaep_params.source = 0UL; /* empty encoding parameter (label) */
|
|
|
|
oaep_params.pSourceData = NULL; /* PKCS#11 standard: this must be NULLPTR */
|
|
|
|
oaep_params.ulSourceDataLen = 0; /* PKCS#11 standard: this must be 0 */
|
|
|
|
|
2019-02-01 14:27:55 +00:00
|
|
|
/* If an RSA-OAEP mechanism, it needs parameters */
|
2019-02-01 08:16:59 +00:00
|
|
|
mech.pParameter = &oaep_params;
|
|
|
|
mech.ulParameterLen = sizeof(oaep_params);
|
|
|
|
|
|
|
|
fprintf(stderr, "OAEP parameters: hashAlg=%s, mgf=%s, source_type=%lu, source_ptr=%p, source_len=%lu\n",
|
|
|
|
p11_mechanism_to_name(oaep_params.hashAlg),
|
|
|
|
p11_mgf_to_name(oaep_params.mgf),
|
|
|
|
oaep_params.source,
|
|
|
|
oaep_params.pSourceData,
|
|
|
|
oaep_params.ulSourceDataLen);
|
2019-02-01 14:27:55 +00:00
|
|
|
break;
|
2019-02-04 13:23:13 +00:00
|
|
|
case CKM_RSA_X_509:
|
2019-02-01 14:27:55 +00:00
|
|
|
case CKM_RSA_PKCS:
|
|
|
|
mech.pParameter = NULL;
|
|
|
|
mech.ulParameterLen = 0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
util_fatal("Mechanism %s illegal or not supported\n", p11_mechanism_to_name(mech_type));
|
2003-10-01 06:51:49 +00:00
|
|
|
}
|
|
|
|
|
2004-01-07 09:32:58 +00:00
|
|
|
mech.mechanism = mech_type;
|
2003-10-01 06:51:49 +00:00
|
|
|
rv = p11->C_DecryptInit(session, &mech, privKeyObject);
|
2017-09-13 15:42:28 +00:00
|
|
|
if (rv == CKR_MECHANISM_INVALID || rv == CKR_MECHANISM_PARAM_INVALID) {
|
|
|
|
printf("Mechanism not supported\n");
|
2003-10-01 06:51:49 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DecryptInit", rv);
|
2017-06-14 20:53:41 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(session, privKeyObject))
|
|
|
|
login(session,CKU_CONTEXT_SPECIFIC);
|
2003-10-01 06:51:49 +00:00
|
|
|
|
|
|
|
data_len = encrypted_len;
|
|
|
|
rv = p11->C_Decrypt(session, encrypted, encrypted_len, data, &data_len);
|
|
|
|
if (rv != CKR_OK)
|
2003-10-02 08:29:32 +00:00
|
|
|
p11_fatal("C_Decrypt", rv);
|
2003-10-01 06:51:49 +00:00
|
|
|
|
2019-02-05 10:35:42 +00:00
|
|
|
failed = data_len != in_len || memcmp(orig_data, data, data_len);
|
2004-07-21 22:11:12 +00:00
|
|
|
|
|
|
|
if (failed) {
|
2004-01-07 09:32:58 +00:00
|
|
|
CK_ULONG n;
|
|
|
|
|
|
|
|
printf("resulting cleartext doesn't match input\n");
|
2004-07-21 22:11:12 +00:00
|
|
|
printf(" Original:");
|
2019-02-05 10:35:42 +00:00
|
|
|
for (n = 0; n < in_len; n++)
|
2004-07-21 22:11:12 +00:00
|
|
|
printf(" %02x", orig_data[n]);
|
|
|
|
printf("\n");
|
|
|
|
printf(" Decrypted:");
|
2004-01-07 09:32:58 +00:00
|
|
|
for (n = 0; n < data_len; n++)
|
|
|
|
printf(" %02x", data[n]);
|
|
|
|
printf("\n");
|
2003-10-01 06:51:49 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2004-01-07 09:32:58 +00:00
|
|
|
printf("OK\n");
|
2003-10-01 06:51:49 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Test decryption functions
|
|
|
|
*/
|
2011-06-01 18:51:26 +00:00
|
|
|
static int test_decrypt(CK_SESSION_HANDLE sess)
|
2003-10-01 06:51:49 +00:00
|
|
|
{
|
|
|
|
int errors = 0;
|
|
|
|
CK_RV rv;
|
|
|
|
CK_OBJECT_HANDLE privKeyObject;
|
2004-01-07 09:32:58 +00:00
|
|
|
CK_MECHANISM_TYPE *mechs = NULL;
|
2003-10-01 06:51:49 +00:00
|
|
|
CK_SESSION_INFO sessionInfo;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
CK_ULONG j, num_mechs = 0;
|
|
|
|
#ifdef ENABLE_OPENSSL
|
|
|
|
CK_ULONG n;
|
|
|
|
#endif
|
2003-10-01 06:51:49 +00:00
|
|
|
char *label;
|
|
|
|
|
|
|
|
rv = p11->C_GetSessionInfo(sess, &sessionInfo);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_OpenSession", rv);
|
2017-01-26 13:34:29 +00:00
|
|
|
if (!(sessionInfo.state & CKS_RW_USER_FUNCTIONS)) {
|
|
|
|
printf("Decryption: not a R/W session, skipping decryption tests\n");
|
2017-01-26 13:23:40 +00:00
|
|
|
return errors;
|
2003-10-01 06:51:49 +00:00
|
|
|
}
|
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
num_mechs = get_mechanisms(sessionInfo.slotID, &mechs, CKF_DECRYPT);
|
2004-01-07 09:32:58 +00:00
|
|
|
if (num_mechs == 0) {
|
2003-10-01 06:51:49 +00:00
|
|
|
printf("Decrypt: not implemented\n");
|
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
printf("Decryption (currently only for RSA)\n");
|
2003-10-01 06:51:49 +00:00
|
|
|
for (j = 0; find_object(sess, CKO_PRIVATE_KEY, &privKeyObject, NULL, 0, j); j++) {
|
|
|
|
printf(" testing key %ld ", j);
|
|
|
|
if ((label = getLABEL(sess, privKeyObject, NULL)) != NULL) {
|
|
|
|
printf("(%s) ", label);
|
|
|
|
free(label);
|
|
|
|
}
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (getKEY_TYPE(sess, privKeyObject) != CKK_RSA) {
|
|
|
|
printf(" -- non-RSA, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
2004-01-07 09:32:58 +00:00
|
|
|
if (!getDECRYPT(sess, privKeyObject)) {
|
2003-10-01 06:51:49 +00:00
|
|
|
printf(" -- can't be used to decrypt, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
printf("\n");
|
|
|
|
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifndef ENABLE_OPENSSL
|
2003-10-01 06:51:49 +00:00
|
|
|
printf("No OpenSSL support, unable to validate decryption\n");
|
|
|
|
#else
|
2004-01-07 09:32:58 +00:00
|
|
|
for (n = 0; n < num_mechs; n++) {
|
2019-02-01 10:37:47 +00:00
|
|
|
switch (mechs[n]) {
|
|
|
|
case CKM_RSA_PKCS:
|
|
|
|
case CKM_RSA_PKCS_OAEP:
|
|
|
|
case CKM_RSA_X_509:
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
printf(" -- mechanism can't be used to decrypt, skipping\n");
|
|
|
|
continue;
|
|
|
|
}
|
2019-02-01 10:35:25 +00:00
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += encrypt_decrypt(sess, mechs[n], privKeyObject);
|
2004-01-07 09:32:58 +00:00
|
|
|
}
|
2003-10-01 06:51:49 +00:00
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2004-01-07 09:32:58 +00:00
|
|
|
free(mechs);
|
2003-10-01 06:51:49 +00:00
|
|
|
return errors;
|
|
|
|
}
|
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
static int test_random(CK_SESSION_HANDLE session)
|
2003-01-16 20:10:28 +00:00
|
|
|
{
|
|
|
|
CK_BYTE buf1[100], buf2[100];
|
|
|
|
CK_BYTE seed1[100];
|
|
|
|
CK_RV rv;
|
|
|
|
int errors = 0;
|
|
|
|
|
|
|
|
printf("C_SeedRandom() and C_GenerateRandom():\n");
|
|
|
|
|
2008-11-24 22:06:27 +00:00
|
|
|
rv = p11->C_SeedRandom(session, seed1, 100);
|
|
|
|
if (rv == CKR_RANDOM_NO_RNG) {
|
|
|
|
printf(" RNG not available\n");
|
2003-01-16 20:10:28 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2008-11-24 22:06:27 +00:00
|
|
|
|
|
|
|
if (rv == CKR_RANDOM_SEED_NOT_SUPPORTED || rv == CKR_FUNCTION_NOT_SUPPORTED)
|
2003-01-16 20:10:28 +00:00
|
|
|
printf(" seeding (C_SeedRandom) not supported\n");
|
2003-01-27 13:33:28 +00:00
|
|
|
else if (rv != CKR_OK) {
|
2003-02-03 12:23:05 +00:00
|
|
|
p11_perror("C_SeedRandom", rv);
|
2003-01-16 20:10:28 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_GenerateRandom(session, buf1, 10);
|
|
|
|
if (rv != CKR_OK) {
|
2003-02-03 12:23:05 +00:00
|
|
|
p11_perror("C_GenerateRandom", rv);
|
2003-01-16 20:10:28 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_GenerateRandom(session, buf1, 100);
|
|
|
|
if (rv != CKR_OK) {
|
2008-11-24 22:06:27 +00:00
|
|
|
p11_perror("C_GenerateRandom(buf1,100)", rv);
|
2003-01-16 20:10:28 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = p11->C_GenerateRandom(session, buf1, 0);
|
|
|
|
if (rv != CKR_OK) {
|
2008-11-24 22:06:27 +00:00
|
|
|
p11_perror("C_GenerateRandom(buf1,0)", rv);
|
2003-01-16 20:10:28 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2008-11-24 22:06:27 +00:00
|
|
|
rv = p11->C_GenerateRandom(session, buf2, 100);
|
2003-01-16 20:10:28 +00:00
|
|
|
if (rv != CKR_OK) {
|
2008-11-24 22:06:27 +00:00
|
|
|
p11_perror("C_GenerateRandom(buf2,100)", rv);
|
2003-01-16 20:10:28 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (memcmp(buf1, buf2, 100) == 0) {
|
|
|
|
printf(" ERR: C_GenerateRandom returned twice the same value!!!\n");
|
|
|
|
errors++;
|
|
|
|
}
|
|
|
|
|
|
|
|
printf(" seems to be OK\n");
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static int test_card_detection(int wait_for_event)
|
2003-01-19 17:47:07 +00:00
|
|
|
{
|
|
|
|
char buffer[256];
|
2003-02-03 12:23:05 +00:00
|
|
|
CK_SLOT_ID slot_id;
|
|
|
|
CK_RV rv;
|
|
|
|
|
2010-01-15 09:36:00 +00:00
|
|
|
printf("Testing card detection using %s\n",
|
|
|
|
wait_for_event? "C_WaitForSlotEvent()" : "C_GetSlotList()");
|
2003-01-19 17:47:07 +00:00
|
|
|
|
|
|
|
while (1) {
|
2003-02-03 12:23:05 +00:00
|
|
|
printf("Please press return to continue, x to exit: ");
|
2003-01-19 17:47:07 +00:00
|
|
|
fflush(stdout);
|
|
|
|
if (fgets(buffer, sizeof(buffer), stdin) == NULL
|
|
|
|
|| buffer[0] == 'x')
|
|
|
|
break;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2003-02-03 12:23:05 +00:00
|
|
|
if (wait_for_event) {
|
|
|
|
printf("Calling C_WaitForSlotEvent: ");
|
|
|
|
fflush(stdout);
|
|
|
|
rv = p11->C_WaitForSlotEvent(0, &slot_id, NULL);
|
|
|
|
if (rv != CKR_OK) {
|
|
|
|
printf("failed.\n");
|
|
|
|
p11_perror("C_WaitForSlotEvent", rv);
|
|
|
|
return 1;
|
|
|
|
}
|
2010-01-15 09:36:00 +00:00
|
|
|
printf("event on slot 0x%lx\n", slot_id);
|
2003-02-03 12:23:05 +00:00
|
|
|
}
|
2010-01-15 09:36:00 +00:00
|
|
|
list_slots(0, 1, 1);
|
2003-01-19 17:47:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
static int p11_test(CK_SESSION_HANDLE session)
|
2003-01-03 14:33:17 +00:00
|
|
|
{
|
2003-01-19 17:47:07 +00:00
|
|
|
int errors = 0;
|
2003-01-03 14:33:17 +00:00
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += test_random(session);
|
2003-01-16 20:10:28 +00:00
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += test_digest(session);
|
2003-01-03 14:33:17 +00:00
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += test_signature(session);
|
2003-01-03 14:33:17 +00:00
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += test_verify(session);
|
2003-07-22 09:54:20 +00:00
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += test_unwrap(session);
|
2003-04-17 14:39:44 +00:00
|
|
|
|
2011-06-01 18:51:26 +00:00
|
|
|
errors += test_decrypt(session);
|
2003-10-01 06:51:49 +00:00
|
|
|
|
2003-01-19 17:47:07 +00:00
|
|
|
if (errors == 0)
|
|
|
|
printf("No errors\n");
|
|
|
|
else
|
|
|
|
printf("%d errors\n", errors);
|
|
|
|
|
|
|
|
return errors;
|
2003-01-03 14:33:17 +00:00
|
|
|
}
|
|
|
|
|
2003-07-24 11:29:08 +00:00
|
|
|
/* Does about the same as Mozilla does when you go to an on-line CA
|
|
|
|
* for obtaining a certificate: key pair generation, signing the
|
|
|
|
* cert request + some other tests, writing certs and changing
|
|
|
|
* some attributes.
|
|
|
|
*/
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
static CK_SESSION_HANDLE test_kpgen_certwrite(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
|
2003-07-24 11:29:08 +00:00
|
|
|
{
|
|
|
|
CK_MECHANISM mech = {CKM_RSA_PKCS, NULL_PTR, 0};
|
|
|
|
CK_MECHANISM_TYPE *mech_type = NULL;
|
|
|
|
CK_OBJECT_HANDLE pub_key, priv_key;
|
|
|
|
CK_ULONG i, num_mechs = 0;
|
|
|
|
CK_RV rv;
|
2014-02-25 08:07:09 +00:00
|
|
|
CK_BYTE buf[20], *tmp;
|
2003-07-24 11:29:08 +00:00
|
|
|
CK_BYTE md5_and_digestinfo[34] = "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10";
|
|
|
|
CK_BYTE *data, sig[512];
|
|
|
|
CK_ULONG data_len, sig_len;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
CK_BYTE id[] = "abcdefghijklmnopqrst";
|
2005-02-06 10:06:21 +00:00
|
|
|
CK_ULONG id_len = 20, mod_len = 0;
|
2003-09-25 09:33:16 +00:00
|
|
|
CK_BYTE *label = (CK_BYTE *) "Just a label";
|
2003-07-24 11:29:08 +00:00
|
|
|
CK_ULONG label_len = 12;
|
|
|
|
CK_ATTRIBUTE attribs[3] = {
|
|
|
|
{CKA_ID, id, id_len},
|
|
|
|
{CKA_LABEL, label, label_len},
|
2003-09-25 09:33:16 +00:00
|
|
|
{CKA_SUBJECT, (void *) "This won't be used in our lib", 29}
|
2003-07-24 11:29:08 +00:00
|
|
|
};
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
FILE *f;
|
2003-07-24 11:29:08 +00:00
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (!opt_object_id_len) {
|
|
|
|
fprintf(stderr, "ERR: must give an ID, e.g.: --id 01\n");
|
|
|
|
return session;
|
|
|
|
}
|
|
|
|
if (!opt_key_type) {
|
|
|
|
printf("ERR: must give an RSA key type, e.g.: --key-type RSA:1024\n");
|
|
|
|
return session;
|
|
|
|
}
|
2005-10-21 19:40:37 +00:00
|
|
|
printf("\n*** We already opened a session and logged in ***\n");
|
2003-12-23 16:31:09 +00:00
|
|
|
|
2004-01-07 09:32:58 +00:00
|
|
|
num_mechs = get_mechanisms(slot, &mech_type, -1);
|
2003-07-24 11:29:08 +00:00
|
|
|
for (i = 0; i < num_mechs; i++) {
|
|
|
|
if (mech_type[i] == CKM_RSA_PKCS_KEY_PAIR_GEN)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (i == num_mechs) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "ERR: no \"CKM_RSA_PKCS_KEY_PAIR_GEN\" found in the mechanism list\n");
|
|
|
|
return session;
|
2003-07-24 11:29:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
f = fopen(opt_file_to_write, "rb");
|
|
|
|
if (f == NULL)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Couldn't open file \"%s\"", opt_file_to_write);
|
2003-07-24 11:29:08 +00:00
|
|
|
fclose(f);
|
|
|
|
|
|
|
|
/* Get for a not-yet-existing ID */
|
|
|
|
while(find_object(session, CKO_PRIVATE_KEY, &priv_key, id, id_len, 0))
|
|
|
|
id[0]++;
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2012-06-01 14:44:28 +00:00
|
|
|
printf("\n*** Generating a %s key pair ***\n", opt_key_type);
|
2003-07-24 11:29:08 +00:00
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (!gen_keypair(slot, session, &pub_key, &priv_key, opt_key_type)) {
|
|
|
|
printf("ERR: cannot generate new key pair\n");
|
|
|
|
return session;
|
|
|
|
}
|
2003-07-24 11:29:08 +00:00
|
|
|
|
2003-09-25 09:33:16 +00:00
|
|
|
tmp = getID(session, priv_key, (CK_ULONG *) &opt_object_id_len);
|
2015-01-28 06:39:35 +00:00
|
|
|
if (opt_object_id_len == 0) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "ERR: newly generated private key has no (or an empty) CKA_ID\n");
|
|
|
|
return session;
|
2003-07-24 11:29:08 +00:00
|
|
|
}
|
|
|
|
memcpy(opt_object_id, tmp, opt_object_id_len);
|
|
|
|
|
2003-12-04 16:43:41 +00:00
|
|
|
/* This is done in NSS */
|
2014-02-25 08:07:09 +00:00
|
|
|
getMODULUS(session, priv_key, &mod_len);
|
2018-04-14 17:38:34 +00:00
|
|
|
if (mod_len < 5 || mod_len > 10000) { /* should be reasonable limits */
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "ERR: GetAttribute(privkey, CKA_MODULUS) doesn't seem to work\n");
|
|
|
|
return session;
|
2003-12-04 16:43:41 +00:00
|
|
|
}
|
|
|
|
|
2003-07-24 11:29:08 +00:00
|
|
|
printf("\n*** Changing the CKA_ID of private and public key into one of 20 bytes ***\n");
|
|
|
|
|
|
|
|
rv = p11->C_SetAttributeValue(session, priv_key, attribs, 1);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SetAttributeValue(priv_key)", rv);
|
|
|
|
|
|
|
|
rv = p11->C_SetAttributeValue(session, pub_key, attribs, 1);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SetAttributeValue(pub_key)", rv);
|
|
|
|
|
|
|
|
printf("\n*** Do a signature and verify it (presumably to test the keys) ***\n");
|
|
|
|
|
|
|
|
data = buf;
|
|
|
|
data_len = 20;
|
|
|
|
rv = p11->C_SignInit(session, &mech, priv_key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignInit", rv);
|
2017-06-14 20:53:41 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(session, priv_key))
|
|
|
|
login(session,CKU_CONTEXT_SPECIFIC);
|
|
|
|
|
2003-07-24 11:29:08 +00:00
|
|
|
rv = p11->C_Sign(session, data, data_len, NULL, &sig_len);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Sign", rv);
|
|
|
|
sig_len = 20;
|
|
|
|
rv = p11->C_Sign(session, data, data_len, sig, &sig_len);
|
|
|
|
if (rv != CKR_BUFFER_TOO_SMALL) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "ERR: C_Sign() didn't return CKR_BUFFER_TO_SMALL but %s\n", CKR2Str(rv));
|
|
|
|
return session;
|
2003-07-24 11:29:08 +00:00
|
|
|
}
|
|
|
|
rv = p11->C_Sign(session, data, data_len, sig, &sig_len);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Sign", rv);
|
|
|
|
|
|
|
|
rv = p11->C_VerifyInit(session, &mech, pub_key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_VerifyInit", rv);
|
|
|
|
rv = p11->C_Verify(session, data, data_len, sig, sig_len);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Verify", rv);
|
|
|
|
|
|
|
|
/* Sign the certificate request */
|
|
|
|
|
2003-12-23 16:31:09 +00:00
|
|
|
printf("\n*** Signing the certificate request ***\n");
|
|
|
|
|
2003-07-24 11:29:08 +00:00
|
|
|
data = md5_and_digestinfo;
|
|
|
|
data_len = 20;
|
|
|
|
rv = p11->C_SignInit(session, &mech, priv_key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignInit", rv);
|
2017-06-14 20:53:41 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(session, priv_key))
|
|
|
|
login(session,CKU_CONTEXT_SPECIFIC);
|
2017-06-16 09:29:20 +00:00
|
|
|
|
2017-06-14 20:53:41 +00:00
|
|
|
rv = p11->C_Sign(session, data, data_len, sig, &sig_len);
|
2003-07-24 11:29:08 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Sign", rv);
|
|
|
|
|
|
|
|
printf("\n*** Changing the CKA_LABEL, CKA_ID and CKA_SUBJECT of the public key ***\n");
|
|
|
|
|
|
|
|
rv = p11->C_SetAttributeValue(session, pub_key, attribs, 3);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SetAttributeValue", rv);
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
printf("*** Deleting the private and the public key again ***\n");
|
|
|
|
|
|
|
|
rv = p11->C_DestroyObject(session, priv_key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DestroyObject()", rv);
|
|
|
|
rv = p11->C_DestroyObject(session, pub_key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DestroyObject()", rv);
|
|
|
|
|
2003-12-23 16:31:09 +00:00
|
|
|
printf("\n*** Logging off and releasing pkcs11 lib ***\n");
|
|
|
|
|
|
|
|
rv = p11->C_CloseAllSessions(slot);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("CloseAllSessions", rv);
|
|
|
|
|
|
|
|
rv = p11->C_Finalize(NULL);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("Finalize", rv);
|
|
|
|
|
|
|
|
C_UnloadModule(module);
|
|
|
|
|
|
|
|
/* Now we assume the user turns of her PC and comes back tomorrow to see
|
2018-04-14 17:38:34 +00:00
|
|
|
* if here cert is already made and to install it (as is done next) */
|
2003-12-23 16:31:09 +00:00
|
|
|
|
|
|
|
printf("\n*** In real life, the cert req should now be sent to the CA ***\n");
|
|
|
|
|
|
|
|
printf("\n*** Loading the pkcs11 lib, opening a session and logging in ***\n");
|
|
|
|
|
|
|
|
module = C_LoadModule(opt_module, &p11);
|
|
|
|
if (module == NULL)
|
2008-03-06 16:06:59 +00:00
|
|
|
util_fatal("Failed to load pkcs11 module");
|
2003-12-23 16:31:09 +00:00
|
|
|
|
|
|
|
rv = p11->C_Initialize(NULL);
|
2013-03-10 12:45:32 +00:00
|
|
|
if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED)
|
|
|
|
printf("\n*** Cryptoki library has already been initialized ***\n");
|
|
|
|
else if (rv != CKR_OK)
|
2003-12-23 16:31:09 +00:00
|
|
|
p11_fatal("C_Initialize", rv);
|
|
|
|
|
|
|
|
rv = p11->C_OpenSession(opt_slot, CKF_SERIAL_SESSION| CKF_RW_SESSION,
|
|
|
|
NULL, NULL, &session);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_OpenSession", rv);
|
|
|
|
|
2010-01-15 09:27:17 +00:00
|
|
|
login(session, CKU_USER);
|
2003-12-23 16:31:09 +00:00
|
|
|
|
2003-07-24 11:29:08 +00:00
|
|
|
printf("\n*** Put a cert on the card (NOTE: doesn't correspond with the key!) ***\n");
|
|
|
|
|
|
|
|
opt_object_class = CKO_CERTIFICATE;
|
|
|
|
memcpy(opt_object_id, id, id_len);
|
|
|
|
opt_object_id_len = id_len;
|
2003-09-25 09:33:16 +00:00
|
|
|
opt_object_label = (char *) label;
|
2011-06-01 18:51:26 +00:00
|
|
|
if (!write_object(session))
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Failed to write certificate");
|
|
|
|
if (!delete_object(session))
|
|
|
|
util_fatal("Failed to delete certificate");
|
2003-07-24 11:29:08 +00:00
|
|
|
|
2018-04-14 17:38:34 +00:00
|
|
|
printf("\n==> OK, successful! Should work with Mozilla\n");
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
return session;
|
2003-07-24 11:29:08 +00:00
|
|
|
}
|
|
|
|
|
2011-04-21 16:18:23 +00:00
|
|
|
|
|
|
|
static void test_ec(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
|
|
|
|
{
|
|
|
|
CK_MECHANISM mech = {CKM_ECDSA_SHA1, NULL_PTR, 0};
|
|
|
|
CK_MECHANISM_TYPE *mech_type = NULL;
|
|
|
|
CK_OBJECT_HANDLE pub_key, priv_key;
|
|
|
|
CK_ULONG i, num_mechs = 0;
|
|
|
|
CK_RV rv;
|
2014-02-25 08:07:09 +00:00
|
|
|
CK_BYTE *tmp;
|
2011-04-21 16:18:23 +00:00
|
|
|
CK_BYTE *data_to_sign = (CK_BYTE *)"My Heart's in the Highland";
|
|
|
|
CK_BYTE *data, sig[512];
|
|
|
|
CK_ULONG data_len, sig_len;
|
|
|
|
CK_BYTE *id = (CK_BYTE *) "abcdefghijklmnopqrst";
|
|
|
|
CK_ULONG id_len = strlen((char *)id), ec_params_len, ec_point_len;
|
|
|
|
CK_BYTE *label = (CK_BYTE *) "Just a label";
|
|
|
|
CK_ULONG label_len = 12;
|
|
|
|
CK_ATTRIBUTE attribs[3] = {
|
|
|
|
{CKA_ID, id, id_len},
|
|
|
|
{CKA_LABEL, label, label_len},
|
|
|
|
{CKA_SUBJECT, (void *) "This won't be used in our lib", 29}
|
|
|
|
};
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (!opt_object_id_len) {
|
|
|
|
fprintf(stderr, "ERR: must give an ID, e.g.: --id 01\n");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
if (!opt_key_type) {
|
|
|
|
fprintf(stderr, "ERR: must give an EC key type, e.g.: --key-type EC:secp256r1\n");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2011-04-21 16:18:23 +00:00
|
|
|
printf("\n*** We already opened a session and logged in ***\n");
|
|
|
|
|
|
|
|
num_mechs = get_mechanisms(slot, &mech_type, -1);
|
|
|
|
for (i = 0; i < num_mechs; i++)
|
|
|
|
if (mech_type[i] == CKM_EC_KEY_PAIR_GEN)
|
|
|
|
break;
|
|
|
|
if (i == num_mechs) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
printf("warning: no 'CKM_EC_KEY_PAIR_GEN' found in the mechanism list\n");
|
|
|
|
//return;
|
2011-04-21 16:18:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
printf("*** Generating EC key pair ***\n");
|
2016-02-16 12:38:51 +00:00
|
|
|
if (!gen_keypair(slot, session, &pub_key, &priv_key, opt_key_type))
|
2011-04-21 16:18:23 +00:00
|
|
|
return;
|
|
|
|
|
|
|
|
tmp = getID(session, priv_key, (CK_ULONG *) &opt_object_id_len);
|
2015-01-28 06:39:35 +00:00
|
|
|
if (opt_object_id_len == 0) {
|
2011-04-21 16:18:23 +00:00
|
|
|
printf("ERR: newly generated private key has no (or an empty) CKA_ID\n");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
memcpy(opt_object_id, tmp, opt_object_id_len);
|
|
|
|
|
|
|
|
/* This is done in NSS */
|
2014-02-25 08:07:09 +00:00
|
|
|
getEC_PARAMS(session, priv_key, &ec_params_len);
|
2011-04-21 16:18:23 +00:00
|
|
|
if (ec_params_len < 5 || ec_params_len > 10000) {
|
|
|
|
printf("ERR: GetAttribute(privkey, CKA_EC_PARAMS) doesn't seem to work\n");
|
|
|
|
return;
|
|
|
|
}
|
2014-02-25 08:07:09 +00:00
|
|
|
getEC_POINT(session, pub_key, &ec_point_len);
|
2011-04-21 16:18:23 +00:00
|
|
|
if (ec_point_len < 5 || ec_point_len > 10000) {
|
|
|
|
printf("ERR: GetAttribute(pubkey, CKA_EC_POINT) doesn't seem to work\n");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
printf("*** Changing the CKA_ID of private and public key into one of 20 bytes ***\n");
|
|
|
|
rv = p11->C_SetAttributeValue(session, priv_key, attribs, 1);
|
|
|
|
if (rv != CKR_OK)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
p11_warn("C_SetAttributeValue(priv_key)", rv);
|
2011-04-21 16:18:23 +00:00
|
|
|
|
|
|
|
rv = p11->C_SetAttributeValue(session, pub_key, attribs, 1);
|
|
|
|
if (rv != CKR_OK)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
p11_warn("C_SetAttributeValue(pub_key)", rv);
|
2011-04-21 16:18:23 +00:00
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
printf("*** Doing a signature ***\n");
|
2011-04-21 16:18:23 +00:00
|
|
|
data = data_to_sign;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
data_len = strlen((char *)data_to_sign);
|
2011-04-21 16:18:23 +00:00
|
|
|
rv = p11->C_SignInit(session, &mech, priv_key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignInit", rv);
|
2017-06-14 20:53:41 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(session, priv_key))
|
|
|
|
login(session,CKU_CONTEXT_SPECIFIC);
|
2011-04-21 16:18:23 +00:00
|
|
|
rv = p11->C_Sign(session, data, data_len, NULL, &sig_len);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Sign", rv);
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
sig_len -= 20;
|
2011-04-21 16:18:23 +00:00
|
|
|
rv = p11->C_Sign(session, data, data_len, sig, &sig_len);
|
|
|
|
if (rv != CKR_BUFFER_TOO_SMALL) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
printf("warning: C_Sign() didn't return CKR_BUFFER_TO_SMALL but %s\n", CKR2Str(rv));
|
|
|
|
// return;
|
|
|
|
}
|
|
|
|
sig_len += 20;
|
|
|
|
// re-doing C_SignInit after C_SignFinal to avoid CKR_OPERATION_NOT_INITIALIZED for CardOS
|
|
|
|
rv = p11->C_SignFinal(session, sig, &sig_len);
|
|
|
|
if (rv != CKR_OK) {
|
|
|
|
p11_warn("C_SignFinal", rv);
|
2011-04-21 16:18:23 +00:00
|
|
|
}
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
rv = p11->C_SignInit(session, &mech, priv_key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_SignInit", rv);
|
2017-06-14 20:53:41 +00:00
|
|
|
if (getALWAYS_AUTHENTICATE(session, priv_key))
|
|
|
|
login(session,CKU_CONTEXT_SPECIFIC);
|
2011-04-21 16:18:23 +00:00
|
|
|
rv = p11->C_Sign(session, data, data_len, sig, &sig_len);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Sign", rv);
|
|
|
|
|
|
|
|
printf("*** Changing the CKA_LABEL, CKA_ID and CKA_SUBJECT of the public key ***\n");
|
|
|
|
rv = p11->C_SetAttributeValue(session, pub_key, attribs, 3);
|
|
|
|
if (rv != CKR_OK)
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
p11_warn("C_SetAttributeValue(pub_key)", rv);
|
|
|
|
|
|
|
|
printf("*** Deleting the private and the public key again ***\n");
|
|
|
|
rv = p11->C_DestroyObject(session, priv_key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DestroyObject()", rv);
|
|
|
|
rv = p11->C_DestroyObject(session, pub_key);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_DestroyObject()", rv);
|
2011-04-21 16:18:23 +00:00
|
|
|
|
2012-04-02 22:00:56 +00:00
|
|
|
printf("==> OK\n");
|
2011-04-21 16:18:23 +00:00
|
|
|
}
|
|
|
|
|
2015-05-13 23:43:40 +00:00
|
|
|
#ifndef _WIN32
|
|
|
|
static void test_fork(void)
|
|
|
|
{
|
|
|
|
CK_RV rv;
|
|
|
|
pid_t pid = fork();
|
|
|
|
|
|
|
|
if (!pid) {
|
|
|
|
printf("*** Calling C_Initialize in forked child process ***\n");
|
|
|
|
rv = p11->C_Initialize(NULL);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
p11_fatal("C_Initialize in child\n", rv);
|
|
|
|
exit(0);
|
|
|
|
} else if (pid < 0) {
|
|
|
|
util_fatal("Failed to fork for test: %s", strerror(errno));
|
|
|
|
} else {
|
|
|
|
int st;
|
|
|
|
waitpid(pid, &st, 0);
|
|
|
|
if (!WIFEXITED(st) || WEXITSTATUS(st))
|
|
|
|
util_fatal("Child process exited with status %d", st);
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
#endif
|
2011-04-21 16:18:23 +00:00
|
|
|
|
2017-03-27 08:52:38 +00:00
|
|
|
static void generate_random(CK_SESSION_HANDLE session)
|
|
|
|
{
|
|
|
|
CK_RV rv;
|
|
|
|
CK_BYTE *buf;
|
|
|
|
FILE *out;
|
|
|
|
|
|
|
|
buf = malloc(opt_random_bytes);
|
|
|
|
if (!buf)
|
|
|
|
util_fatal("Not enough memory to allocate random data buffer");
|
|
|
|
|
|
|
|
rv = p11->C_GenerateRandom(session, buf, opt_random_bytes);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
util_fatal("Could not generate random bytes");
|
|
|
|
|
|
|
|
if (opt_output) {
|
|
|
|
out = fopen(opt_output, "wb");
|
|
|
|
if (out==NULL)
|
|
|
|
util_fatal("Cannot open '%s'", opt_output);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
out = stdout;
|
|
|
|
|
|
|
|
if (fwrite(buf, 1, opt_random_bytes, out) != opt_random_bytes)
|
|
|
|
util_fatal("Cannot write to '%s'", opt_output);
|
|
|
|
|
|
|
|
if (opt_output)
|
|
|
|
fclose(out);
|
|
|
|
|
|
|
|
free(buf);
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static const char *p11_flag_names(struct flag_info *list, CK_FLAGS value)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
static char buffer[1024];
|
|
|
|
const char *sepa = "";
|
|
|
|
|
|
|
|
buffer[0] = '\0';
|
|
|
|
while (list->value) {
|
|
|
|
if (list->value & value) {
|
2015-01-24 19:17:26 +00:00
|
|
|
strlcat(buffer, sepa, sizeof buffer);
|
|
|
|
strlcat(buffer, list->name, sizeof buffer);
|
2002-12-17 11:50:11 +00:00
|
|
|
value &= ~list->value;
|
|
|
|
sepa = ", ";
|
|
|
|
}
|
|
|
|
list++;
|
|
|
|
}
|
|
|
|
if (value) {
|
|
|
|
sprintf(buffer+strlen(buffer),
|
|
|
|
"%sother flags=0x%x", sepa,
|
|
|
|
(unsigned int) value);
|
|
|
|
}
|
|
|
|
return buffer;
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static const char *p11_slot_info_flags(CK_FLAGS value)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
static struct flag_info slot_flags[] = {
|
|
|
|
{ CKF_TOKEN_PRESENT, "token present" },
|
|
|
|
{ CKF_REMOVABLE_DEVICE, "removable device" },
|
|
|
|
{ CKF_HW_SLOT, "hardware slot" },
|
2006-02-15 17:05:05 +00:00
|
|
|
{ 0, NULL }
|
2002-12-17 11:50:11 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
return p11_flag_names(slot_flags, value);
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static const char *p11_token_info_flags(CK_FLAGS value)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
static struct flag_info slot_flags[] = {
|
|
|
|
{ CKF_LOGIN_REQUIRED, "login required" },
|
|
|
|
{ CKF_PROTECTED_AUTHENTICATION_PATH, "PIN pad present" },
|
2016-06-10 09:46:25 +00:00
|
|
|
{ CKF_RNG, "rng" },
|
|
|
|
{ CKF_SO_PIN_COUNT_LOW, "SO PIN count low" },
|
|
|
|
{ CKF_SO_PIN_FINAL_TRY, "final SO PIN try" },
|
|
|
|
{ CKF_SO_PIN_LOCKED, "SO PIN locked" },
|
2016-07-24 22:50:37 +00:00
|
|
|
{ CKF_SO_PIN_TO_BE_CHANGED, "SO PIN to be changed"},
|
2002-12-17 11:50:11 +00:00
|
|
|
{ CKF_TOKEN_INITIALIZED, "token initialized" },
|
2010-09-05 16:53:02 +00:00
|
|
|
{ CKF_USER_PIN_COUNT_LOW, "user PIN count low" },
|
|
|
|
{ CKF_USER_PIN_FINAL_TRY, "final user PIN try" },
|
2016-06-10 09:46:25 +00:00
|
|
|
{ CKF_USER_PIN_INITIALIZED, "PIN initialized" },
|
2010-09-05 16:53:02 +00:00
|
|
|
{ CKF_USER_PIN_LOCKED, "user PIN locked" },
|
2013-12-09 10:48:01 +00:00
|
|
|
{ CKF_USER_PIN_TO_BE_CHANGED, "user PIN to be changed"},
|
2016-06-10 09:46:25 +00:00
|
|
|
{ CKF_WRITE_PROTECTED, "readonly" },
|
2006-02-15 17:05:05 +00:00
|
|
|
{ 0, NULL }
|
2002-12-17 11:50:11 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
return p11_flag_names(slot_flags, value);
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static const char *p11_utf8_to_local(CK_UTF8CHAR *string, size_t len)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
static char buffer[512];
|
|
|
|
size_t n, m;
|
|
|
|
|
|
|
|
while (len && string[len-1] == ' ')
|
|
|
|
len--;
|
|
|
|
|
|
|
|
/* For now, simply copy this thing */
|
|
|
|
for (n = m = 0; n < sizeof(buffer) - 1; n++) {
|
|
|
|
if (m >= len)
|
|
|
|
break;
|
|
|
|
buffer[n] = string[m++];
|
|
|
|
}
|
|
|
|
buffer[n] = '\0';
|
|
|
|
return buffer;
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void p11_fatal(const char *func, CK_RV rv)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
2010-01-15 09:22:03 +00:00
|
|
|
if (p11)
|
|
|
|
p11->C_Finalize(NULL_PTR);
|
|
|
|
if (module)
|
|
|
|
C_UnloadModule(module);
|
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("PKCS11 function %s failed: rv = %s (0x%0x)", func, CKR2Str(rv), (unsigned int) rv);
|
2003-02-03 12:23:05 +00:00
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void p11_warn(const char *func, CK_RV rv)
|
2005-01-23 19:48:48 +00:00
|
|
|
{
|
2012-09-24 09:48:33 +00:00
|
|
|
if (!suppress_warn)
|
|
|
|
util_warn("PKCS11 function %s failed: rv = %s (0x%0x)\n", func, CKR2Str(rv), (unsigned int) rv);
|
2005-01-23 19:48:48 +00:00
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static void p11_perror(const char *msg, CK_RV rv)
|
2003-02-03 12:23:05 +00:00
|
|
|
{
|
2012-09-24 09:48:33 +00:00
|
|
|
fprintf(stderr, " ERR: %s failed: %s (0x%0x)\n", msg, CKR2Str(rv), (unsigned int) rv);
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static int hex_to_bin(const char *in, unsigned char *out, size_t *outlen)
|
2003-06-24 09:14:57 +00:00
|
|
|
{
|
|
|
|
size_t left, count = 0;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
int nybbles = 2;
|
2003-06-24 09:14:57 +00:00
|
|
|
|
|
|
|
if (in == NULL || *in == '\0') {
|
|
|
|
*outlen = 0;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2005-02-11 20:09:34 +00:00
|
|
|
left = *outlen;
|
2003-06-24 09:14:57 +00:00
|
|
|
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
if (strlen(in) % 2)
|
|
|
|
nybbles = 1; // any leading zero in output should be in most-significant byte, not last one!
|
2003-06-24 09:14:57 +00:00
|
|
|
while (*in != '\0') {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
int byte = 0;
|
2003-06-24 09:14:57 +00:00
|
|
|
|
|
|
|
while (nybbles-- && *in && *in != ':') {
|
2005-12-05 21:25:08 +00:00
|
|
|
char c;
|
2003-06-24 09:14:57 +00:00
|
|
|
byte <<= 4;
|
|
|
|
c = *in++;
|
|
|
|
if ('0' <= c && c <= '9')
|
|
|
|
c -= '0';
|
|
|
|
else
|
|
|
|
if ('a' <= c && c <= 'f')
|
|
|
|
c = c - 'a' + 10;
|
|
|
|
else
|
|
|
|
if ('A' <= c && c <= 'F')
|
|
|
|
c = c - 'A' + 10;
|
|
|
|
else {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "hex_to_bin(): invalid char '%c' in hex string\n", c);
|
2003-06-24 09:14:57 +00:00
|
|
|
*outlen = 0;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
byte |= c;
|
|
|
|
}
|
|
|
|
if (*in == ':')
|
|
|
|
in++;
|
|
|
|
if (left <= 0) {
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
fprintf(stderr, "hex_to_bin(): hex string too long");
|
2003-06-24 09:14:57 +00:00
|
|
|
*outlen = 0;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
out[count++] = (unsigned char) byte;
|
|
|
|
left--;
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
nybbles = 2;
|
2003-06-24 09:14:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
*outlen = count;
|
|
|
|
return 1;
|
|
|
|
}
|
2016-06-03 23:02:01 +00:00
|
|
|
|
|
|
|
static void pseudo_randomize(unsigned char *data, size_t dataLen)
|
|
|
|
{
|
|
|
|
size_t i = 0;
|
|
|
|
/* initialization with some data */
|
|
|
|
while (i < dataLen) {
|
|
|
|
*data = rand() & 0xFF;
|
|
|
|
data++;
|
|
|
|
i++;
|
|
|
|
}
|
|
|
|
}
|
2003-06-24 09:14:57 +00:00
|
|
|
|
2002-12-17 11:50:11 +00:00
|
|
|
static struct mech_info p11_mechanisms[] = {
|
2006-02-15 17:05:05 +00:00
|
|
|
{ CKM_RSA_PKCS_KEY_PAIR_GEN, "RSA-PKCS-KEY-PAIR-GEN", NULL },
|
|
|
|
{ CKM_RSA_PKCS, "RSA-PKCS", NULL },
|
|
|
|
{ CKM_RSA_9796, "RSA-9796", NULL },
|
|
|
|
{ CKM_RSA_X_509, "RSA-X-509", NULL },
|
2016-02-16 12:38:51 +00:00
|
|
|
{ CKM_MD2_RSA_PKCS, "MD2-RSA-PKCS", NULL },
|
|
|
|
{ CKM_MD5_RSA_PKCS, "MD5-RSA-PKCS", "rsa-md5" },
|
2002-12-17 11:50:11 +00:00
|
|
|
{ CKM_SHA1_RSA_PKCS, "SHA1-RSA-PKCS", "rsa-sha1" },
|
2017-10-19 20:12:47 +00:00
|
|
|
{ CKM_SHA224_RSA_PKCS, "SHA224-RSA-PKCS", "rsa-sha224" },
|
2007-02-02 22:15:14 +00:00
|
|
|
{ CKM_SHA256_RSA_PKCS, "SHA256-RSA-PKCS", "rsa-sha256" },
|
|
|
|
{ CKM_SHA384_RSA_PKCS, "SHA384-RSA-PKCS", "rsa-sha384" },
|
|
|
|
{ CKM_SHA512_RSA_PKCS, "SHA512-RSA-PKCS", "rsa-sha512" },
|
2006-02-15 17:05:05 +00:00
|
|
|
{ CKM_RIPEMD128_RSA_PKCS, "RIPEMD128-RSA-PKCS", NULL },
|
2002-12-19 09:24:58 +00:00
|
|
|
{ CKM_RIPEMD160_RSA_PKCS, "RIPEMD160-RSA-PKCS", "rsa-ripemd160" },
|
2006-02-15 17:05:05 +00:00
|
|
|
{ CKM_RSA_PKCS_OAEP, "RSA-PKCS-OAEP", NULL },
|
|
|
|
{ CKM_RSA_X9_31_KEY_PAIR_GEN,"RSA-X9-31-KEY-PAIR-GEN", NULL },
|
|
|
|
{ CKM_RSA_X9_31, "RSA-X9-31", NULL },
|
|
|
|
{ CKM_SHA1_RSA_X9_31, "SHA1-RSA-X9-31", NULL },
|
|
|
|
{ CKM_RSA_PKCS_PSS, "RSA-PKCS-PSS", NULL },
|
2017-09-21 09:19:22 +00:00
|
|
|
{ CKM_SHA1_RSA_PKCS_PSS, "SHA1-RSA-PKCS-PSS", "rsa-pss-sha1" },
|
2017-10-19 20:12:47 +00:00
|
|
|
{ CKM_SHA224_RSA_PKCS_PSS,"SHA224-RSA-PKCS-PSS", "rsa-pss-sha224" },
|
2017-09-21 09:19:22 +00:00
|
|
|
{ CKM_SHA256_RSA_PKCS_PSS,"SHA256-RSA-PKCS-PSS", "rsa-pss-sha256" },
|
|
|
|
{ CKM_SHA384_RSA_PKCS_PSS,"SHA384-RSA-PKCS-PSS", "rsa-pss-sha384" },
|
|
|
|
{ CKM_SHA512_RSA_PKCS_PSS,"SHA512-RSA-PKCS-PSS", "rsa-pss-sha512" },
|
2006-02-15 17:05:05 +00:00
|
|
|
{ CKM_DSA_KEY_PAIR_GEN, "DSA-KEY-PAIR-GEN", NULL },
|
|
|
|
{ CKM_DSA, "DSA", NULL },
|
|
|
|
{ CKM_DSA_SHA1, "DSA-SHA1", NULL },
|
2019-01-15 09:10:45 +00:00
|
|
|
{ CKM_DSA_SHA224, "DSA-SHA224", NULL },
|
|
|
|
{ CKM_DSA_SHA256, "DSA-SHA256", NULL },
|
|
|
|
{ CKM_DSA_SHA384, "DSA-SHA384", NULL },
|
|
|
|
{ CKM_DSA_SHA512, "DSA-SHA512", NULL },
|
2006-02-15 17:05:05 +00:00
|
|
|
{ CKM_DH_PKCS_KEY_PAIR_GEN,"DH-PKCS-KEY-PAIR-GEN", NULL },
|
|
|
|
{ CKM_DH_PKCS_DERIVE, "DH-PKCS-DERIVE", NULL },
|
|
|
|
{ CKM_X9_42_DH_KEY_PAIR_GEN,"X9-42-DH-KEY-PAIR-GEN", NULL },
|
|
|
|
{ CKM_X9_42_DH_DERIVE, "X9-42-DH-DERIVE", NULL },
|
|
|
|
{ CKM_X9_42_DH_HYBRID_DERIVE,"X9-42-DH-HYBRID-DERIVE", NULL },
|
|
|
|
{ CKM_X9_42_MQV_DERIVE, "X9-42-MQV-DERIVE", NULL },
|
|
|
|
{ CKM_RC2_KEY_GEN, "RC2-KEY-GEN", NULL },
|
|
|
|
{ CKM_RC2_ECB, "RC2-ECB", NULL },
|
|
|
|
{ CKM_RC2_CBC, "RC2-CBC", NULL },
|
|
|
|
{ CKM_RC2_MAC, "RC2-MAC", NULL },
|
|
|
|
{ CKM_RC2_MAC_GENERAL, "RC2-MAC-GENERAL", NULL },
|
|
|
|
{ CKM_RC2_CBC_PAD, "RC2-CBC-PAD", NULL },
|
|
|
|
{ CKM_RC4_KEY_GEN, "RC4-KEY-GEN", NULL },
|
|
|
|
{ CKM_RC4, "RC4", NULL },
|
|
|
|
{ CKM_DES_KEY_GEN, "DES-KEY-GEN", NULL },
|
|
|
|
{ CKM_DES_ECB, "DES-ECB", NULL },
|
|
|
|
{ CKM_DES_CBC, "DES-CBC", NULL },
|
|
|
|
{ CKM_DES_MAC, "DES-MAC", NULL },
|
|
|
|
{ CKM_DES_MAC_GENERAL, "DES-MAC-GENERAL", NULL },
|
|
|
|
{ CKM_DES_CBC_PAD, "DES-CBC-PAD", NULL },
|
|
|
|
{ CKM_DES2_KEY_GEN, "DES2-KEY-GEN", NULL },
|
|
|
|
{ CKM_DES3_KEY_GEN, "DES3-KEY-GEN", NULL },
|
|
|
|
{ CKM_DES3_ECB, "DES3-ECB", NULL },
|
|
|
|
{ CKM_DES3_CBC, "DES3-CBC", NULL },
|
|
|
|
{ CKM_DES3_MAC, "DES3-MAC", NULL },
|
|
|
|
{ CKM_DES3_MAC_GENERAL, "DES3-MAC-GENERAL", NULL },
|
|
|
|
{ CKM_DES3_CBC_PAD, "DES3-CBC-PAD", NULL },
|
2019-01-15 09:10:45 +00:00
|
|
|
{ CKM_DES3_CMAC, "DES3-CMAC", NULL },
|
2006-02-15 17:05:05 +00:00
|
|
|
{ CKM_CDMF_KEY_GEN, "CDMF-KEY-GEN", NULL },
|
|
|
|
{ CKM_CDMF_ECB, "CDMF-ECB", NULL },
|
|
|
|
{ CKM_CDMF_CBC, "CDMF-CBC", NULL },
|
|
|
|
{ CKM_CDMF_MAC, "CDMF-MAC", NULL },
|
|
|
|
{ CKM_CDMF_MAC_GENERAL, "CDMF-MAC-GENERAL", NULL },
|
|
|
|
{ CKM_CDMF_CBC_PAD, "CDMF-CBC-PAD", NULL },
|
|
|
|
{ CKM_MD2, "MD2", NULL },
|
|
|
|
{ CKM_MD2_HMAC, "MD2-HMAC", NULL },
|
|
|
|
{ CKM_MD2_HMAC_GENERAL, "MD2-HMAC-GENERAL", NULL },
|
|
|
|
{ CKM_MD5, "MD5", NULL },
|
|
|
|
{ CKM_MD5_HMAC, "MD5-HMAC", NULL },
|
|
|
|
{ CKM_MD5_HMAC_GENERAL, "MD5-HMAC-GENERAL", NULL },
|
|
|
|
{ CKM_SHA_1, "SHA-1", NULL },
|
|
|
|
{ CKM_SHA_1_HMAC, "SHA-1-HMAC", NULL },
|
|
|
|
{ CKM_SHA_1_HMAC_GENERAL, "SHA-1-HMAC-GENERAL", NULL },
|
2017-10-19 20:12:47 +00:00
|
|
|
{ CKM_SHA224, "SHA224", NULL },
|
|
|
|
{ CKM_SHA224_HMAC, "SHA224-HMAC", NULL },
|
2007-02-02 22:15:14 +00:00
|
|
|
{ CKM_SHA256, "SHA256", NULL },
|
2017-08-16 12:21:22 +00:00
|
|
|
{ CKM_SHA256_HMAC, "SHA256-HMAC", NULL },
|
2007-02-02 22:15:14 +00:00
|
|
|
{ CKM_SHA384, "SHA384", NULL },
|
2017-08-16 12:21:22 +00:00
|
|
|
{ CKM_SHA384_HMAC, "SHA384-HMAC", NULL },
|
2007-02-02 22:15:14 +00:00
|
|
|
{ CKM_SHA512, "SHA512", NULL },
|
2017-08-16 12:21:22 +00:00
|
|
|
{ CKM_SHA512_HMAC, "SHA512-HMAC", NULL },
|
2006-02-15 17:05:05 +00:00
|
|
|
{ CKM_RIPEMD128, "RIPEMD128", NULL },
|
|
|
|
{ CKM_RIPEMD128_HMAC, "RIPEMD128-HMAC", NULL },
|
|
|
|
{ CKM_RIPEMD128_HMAC_GENERAL,"RIPEMD128-HMAC-GENERAL", NULL },
|
|
|
|
{ CKM_RIPEMD160, "RIPEMD160", NULL },
|
|
|
|
{ CKM_RIPEMD160_HMAC, "RIPEMD160-HMAC", NULL },
|
|
|
|
{ CKM_RIPEMD160_HMAC_GENERAL,"RIPEMD160-HMAC-GENERAL", NULL },
|
|
|
|
{ CKM_CAST_KEY_GEN, "CAST-KEY-GEN", NULL },
|
|
|
|
{ CKM_CAST_ECB, "CAST-ECB", NULL },
|
|
|
|
{ CKM_CAST_CBC, "CAST-CBC", NULL },
|
|
|
|
{ CKM_CAST_MAC, "CAST-MAC", NULL },
|
|
|
|
{ CKM_CAST_MAC_GENERAL, "CAST-MAC-GENERAL", NULL },
|
|
|
|
{ CKM_CAST_CBC_PAD, "CAST-CBC-PAD", NULL },
|
|
|
|
{ CKM_CAST3_KEY_GEN, "CAST3-KEY-GEN", NULL },
|
|
|
|
{ CKM_CAST3_ECB, "CAST3-ECB", NULL },
|
|
|
|
{ CKM_CAST3_CBC, "CAST3-CBC", NULL },
|
|
|
|
{ CKM_CAST3_MAC, "CAST3-MAC", NULL },
|
|
|
|
{ CKM_CAST3_MAC_GENERAL, "CAST3-MAC-GENERAL", NULL },
|
|
|
|
{ CKM_CAST3_CBC_PAD, "CAST3-CBC-PAD", NULL },
|
|
|
|
{ CKM_CAST5_KEY_GEN, "CAST5-KEY-GEN", NULL },
|
|
|
|
{ CKM_CAST5_ECB, "CAST5-ECB", NULL },
|
|
|
|
{ CKM_CAST5_CBC, "CAST5-CBC", NULL },
|
|
|
|
{ CKM_CAST5_MAC, "CAST5-MAC", NULL },
|
|
|
|
{ CKM_CAST5_MAC_GENERAL, "CAST5-MAC-GENERAL", NULL },
|
|
|
|
{ CKM_CAST5_CBC_PAD, "CAST5-CBC-PAD", NULL },
|
|
|
|
{ CKM_RC5_KEY_GEN, "RC5-KEY-GEN", NULL },
|
|
|
|
{ CKM_RC5_ECB, "RC5-ECB", NULL },
|
|
|
|
{ CKM_RC5_CBC, "RC5-CBC", NULL },
|
|
|
|
{ CKM_RC5_MAC, "RC5-MAC", NULL },
|
|
|
|
{ CKM_RC5_MAC_GENERAL, "RC5-MAC-GENERAL", NULL },
|
|
|
|
{ CKM_RC5_CBC_PAD, "RC5-CBC-PAD", NULL },
|
|
|
|
{ CKM_IDEA_KEY_GEN, "IDEA-KEY-GEN", NULL },
|
|
|
|
{ CKM_IDEA_ECB, "IDEA-ECB", NULL },
|
|
|
|
{ CKM_IDEA_CBC, "IDEA-CBC", NULL },
|
|
|
|
{ CKM_IDEA_MAC, "IDEA-MAC", NULL },
|
|
|
|
{ CKM_IDEA_MAC_GENERAL, "IDEA-MAC-GENERAL", NULL },
|
|
|
|
{ CKM_IDEA_CBC_PAD, "IDEA-CBC-PAD", NULL },
|
|
|
|
{ CKM_GENERIC_SECRET_KEY_GEN,"GENERIC-SECRET-KEY-GEN", NULL },
|
|
|
|
{ CKM_CONCATENATE_BASE_AND_KEY,"CONCATENATE-BASE-AND-KEY", NULL },
|
|
|
|
{ CKM_CONCATENATE_BASE_AND_DATA,"CONCATENATE-BASE-AND-DATA", NULL },
|
|
|
|
{ CKM_CONCATENATE_DATA_AND_BASE,"CONCATENATE-DATA-AND-BASE", NULL },
|
|
|
|
{ CKM_XOR_BASE_AND_DATA, "XOR-BASE-AND-DATA", NULL },
|
|
|
|
{ CKM_EXTRACT_KEY_FROM_KEY,"EXTRACT-KEY-FROM-KEY", NULL },
|
|
|
|
{ CKM_SSL3_PRE_MASTER_KEY_GEN,"SSL3-PRE-MASTER-KEY-GEN", NULL },
|
|
|
|
{ CKM_SSL3_MASTER_KEY_DERIVE,"SSL3-MASTER-KEY-DERIVE", NULL },
|
|
|
|
{ CKM_SSL3_KEY_AND_MAC_DERIVE,"SSL3-KEY-AND-MAC-DERIVE", NULL },
|
|
|
|
{ CKM_SSL3_MASTER_KEY_DERIVE_DH,"SSL3-MASTER-KEY-DERIVE-DH", NULL },
|
|
|
|
{ CKM_TLS_PRE_MASTER_KEY_GEN,"TLS-PRE-MASTER-KEY-GEN", NULL },
|
|
|
|
{ CKM_TLS_MASTER_KEY_DERIVE,"TLS-MASTER-KEY-DERIVE", NULL },
|
|
|
|
{ CKM_TLS_KEY_AND_MAC_DERIVE,"TLS-KEY-AND-MAC-DERIVE", NULL },
|
|
|
|
{ CKM_TLS_MASTER_KEY_DERIVE_DH,"TLS-MASTER-KEY-DERIVE-DH", NULL },
|
|
|
|
{ CKM_SSL3_MD5_MAC, "SSL3-MD5-MAC", NULL },
|
|
|
|
{ CKM_SSL3_SHA1_MAC, "SSL3-SHA1-MAC", NULL },
|
|
|
|
{ CKM_MD5_KEY_DERIVATION, "MD5-KEY-DERIVATION", NULL },
|
|
|
|
{ CKM_MD2_KEY_DERIVATION, "MD2-KEY-DERIVATION", NULL },
|
|
|
|
{ CKM_SHA1_KEY_DERIVATION,"SHA1-KEY-DERIVATION", NULL },
|
|
|
|
{ CKM_PBE_MD2_DES_CBC, "PBE-MD2-DES-CBC", NULL },
|
|
|
|
{ CKM_PBE_MD5_DES_CBC, "PBE-MD5-DES-CBC", NULL },
|
|
|
|
{ CKM_PBE_MD5_CAST_CBC, "PBE-MD5-CAST-CBC", NULL },
|
|
|
|
{ CKM_PBE_MD5_CAST3_CBC, "PBE-MD5-CAST3-CBC", NULL },
|
|
|
|
{ CKM_PBE_MD5_CAST5_CBC, "PBE-MD5-CAST5-CBC", NULL },
|
|
|
|
{ CKM_PBE_SHA1_CAST5_CBC, "PBE-SHA1-CAST5-CBC", NULL },
|
|
|
|
{ CKM_PBE_SHA1_RC4_128, "PBE-SHA1-RC4-128", NULL },
|
|
|
|
{ CKM_PBE_SHA1_RC4_40, "PBE-SHA1-RC4-40", NULL },
|
|
|
|
{ CKM_PBE_SHA1_DES3_EDE_CBC,"PBE-SHA1-DES3-EDE-CBC", NULL },
|
|
|
|
{ CKM_PBE_SHA1_DES2_EDE_CBC,"PBE-SHA1-DES2-EDE-CBC", NULL },
|
|
|
|
{ CKM_PBE_SHA1_RC2_128_CBC,"PBE-SHA1-RC2-128-CBC", NULL },
|
|
|
|
{ CKM_PBE_SHA1_RC2_40_CBC,"PBE-SHA1-RC2-40-CBC", NULL },
|
|
|
|
{ CKM_PKCS5_PBKD2, "PKCS5-PBKD2", NULL },
|
|
|
|
{ CKM_PBA_SHA1_WITH_SHA1_HMAC,"PBA-SHA1-WITH-SHA1-HMAC", NULL },
|
|
|
|
{ CKM_KEY_WRAP_LYNKS, "KEY-WRAP-LYNKS", NULL },
|
|
|
|
{ CKM_KEY_WRAP_SET_OAEP, "KEY-WRAP-SET-OAEP", NULL },
|
|
|
|
{ CKM_SKIPJACK_KEY_GEN, "SKIPJACK-KEY-GEN", NULL },
|
|
|
|
{ CKM_SKIPJACK_ECB64, "SKIPJACK-ECB64", NULL },
|
|
|
|
{ CKM_SKIPJACK_CBC64, "SKIPJACK-CBC64", NULL },
|
|
|
|
{ CKM_SKIPJACK_OFB64, "SKIPJACK-OFB64", NULL },
|
|
|
|
{ CKM_SKIPJACK_CFB64, "SKIPJACK-CFB64", NULL },
|
|
|
|
{ CKM_SKIPJACK_CFB32, "SKIPJACK-CFB32", NULL },
|
|
|
|
{ CKM_SKIPJACK_CFB16, "SKIPJACK-CFB16", NULL },
|
|
|
|
{ CKM_SKIPJACK_CFB8, "SKIPJACK-CFB8", NULL },
|
|
|
|
{ CKM_SKIPJACK_WRAP, "SKIPJACK-WRAP", NULL },
|
|
|
|
{ CKM_SKIPJACK_PRIVATE_WRAP,"SKIPJACK-PRIVATE-WRAP", NULL },
|
|
|
|
{ CKM_SKIPJACK_RELAYX, "SKIPJACK-RELAYX", NULL },
|
|
|
|
{ CKM_KEA_KEY_PAIR_GEN, "KEA-KEY-PAIR-GEN", NULL },
|
|
|
|
{ CKM_KEA_KEY_DERIVE, "KEA-KEY-DERIVE", NULL },
|
|
|
|
{ CKM_FORTEZZA_TIMESTAMP, "FORTEZZA-TIMESTAMP", NULL },
|
|
|
|
{ CKM_BATON_KEY_GEN, "BATON-KEY-GEN", NULL },
|
|
|
|
{ CKM_BATON_ECB128, "BATON-ECB128", NULL },
|
|
|
|
{ CKM_BATON_ECB96, "BATON-ECB96", NULL },
|
|
|
|
{ CKM_BATON_CBC128, "BATON-CBC128", NULL },
|
|
|
|
{ CKM_BATON_COUNTER, "BATON-COUNTER", NULL },
|
|
|
|
{ CKM_BATON_SHUFFLE, "BATON-SHUFFLE", NULL },
|
|
|
|
{ CKM_BATON_WRAP, "BATON-WRAP", NULL },
|
|
|
|
{ CKM_ECDSA_KEY_PAIR_GEN, "ECDSA-KEY-PAIR-GEN", NULL },
|
|
|
|
{ CKM_ECDSA, "ECDSA", NULL },
|
|
|
|
{ CKM_ECDSA_SHA1, "ECDSA-SHA1", NULL },
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
{ CKM_ECDSA_SHA224, "ECDSA-SHA224", NULL },
|
|
|
|
{ CKM_ECDSA_SHA256, "ECDSA-SHA256", NULL },
|
2017-08-25 01:27:47 +00:00
|
|
|
{ CKM_ECDSA_SHA384, "ECDSA-SHA384", NULL },
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
{ CKM_ECDSA_SHA512, "ECDSA-SHA512", NULL },
|
2006-02-15 17:05:05 +00:00
|
|
|
{ CKM_ECDH1_DERIVE, "ECDH1-DERIVE", NULL },
|
|
|
|
{ CKM_ECDH1_COFACTOR_DERIVE,"ECDH1-COFACTOR-DERIVE", NULL },
|
|
|
|
{ CKM_ECMQV_DERIVE, "ECMQV-DERIVE", NULL },
|
|
|
|
{ CKM_JUNIPER_KEY_GEN, "JUNIPER-KEY-GEN", NULL },
|
|
|
|
{ CKM_JUNIPER_ECB128, "JUNIPER-ECB128", NULL },
|
|
|
|
{ CKM_JUNIPER_CBC128, "JUNIPER-CBC128", NULL },
|
|
|
|
{ CKM_JUNIPER_COUNTER, "JUNIPER-COUNTER", NULL },
|
|
|
|
{ CKM_JUNIPER_SHUFFLE, "JUNIPER-SHUFFLE", NULL },
|
|
|
|
{ CKM_JUNIPER_WRAP, "JUNIPER-WRAP", NULL },
|
|
|
|
{ CKM_FASTHASH, "FASTHASH", NULL },
|
|
|
|
{ CKM_AES_KEY_GEN, "AES-KEY-GEN", NULL },
|
|
|
|
{ CKM_AES_ECB, "AES-ECB", NULL },
|
|
|
|
{ CKM_AES_CBC, "AES-CBC", NULL },
|
|
|
|
{ CKM_AES_MAC, "AES-MAC", NULL },
|
|
|
|
{ CKM_AES_MAC_GENERAL, "AES-MAC-GENERAL", NULL },
|
|
|
|
{ CKM_AES_CBC_PAD, "AES-CBC-PAD", NULL },
|
2019-01-15 09:10:45 +00:00
|
|
|
{ CKM_AES_CTR, "AES-CTR", NULL },
|
|
|
|
{ CKM_AES_GCM, "AES-GCM", NULL },
|
|
|
|
{ CKM_AES_CMAC, "AES-CMAC", NULL },
|
|
|
|
{ CKM_DES_ECB_ENCRYPT_DATA, "DES-ECB-ENCRYPT-DATA", NULL },
|
|
|
|
{ CKM_DES_CBC_ENCRYPT_DATA, "DES-CBC-ENCRYPT-DATA", NULL },
|
|
|
|
{ CKM_DES3_ECB_ENCRYPT_DATA, "DES3-ECB-ENCRYPT-DATA", NULL },
|
|
|
|
{ CKM_DES3_CBC_ENCRYPT_DATA, "DES3-CBC-ENCRYPT-DATA", NULL },
|
|
|
|
{ CKM_AES_ECB_ENCRYPT_DATA, "AES-ECB-ENCRYPT-DATA", NULL },
|
|
|
|
{ CKM_AES_CBC_ENCRYPT_DATA, "AES-CBC-ENCRYPT-DATA", NULL },
|
2019-03-25 09:58:28 +00:00
|
|
|
{ CKM_GOST28147_KEY_GEN, "GOST28147-KEY-GEN", NULL },
|
|
|
|
{ CKM_GOST28147_ECB, "GOST28147-ECB", NULL },
|
|
|
|
{ CKM_GOST28147, "GOST28147", NULL },
|
|
|
|
{ CKM_GOST28147_MAC, "GOST28147-MAC", NULL },
|
|
|
|
{ CKM_GOST28147_KEY_WRAP, "GOST28147-KEY-WRAP", NULL },
|
2009-11-27 11:15:33 +00:00
|
|
|
{ CKM_GOSTR3410_KEY_PAIR_GEN,"GOSTR3410-KEY-PAIR-GEN", NULL },
|
|
|
|
{ CKM_GOSTR3410, "GOSTR3410", NULL },
|
2019-03-25 09:58:28 +00:00
|
|
|
{ CKM_GOSTR3410_DERIVE, "GOSTR3410-DERIVE", NULL },
|
2009-11-27 11:15:33 +00:00
|
|
|
{ CKM_GOSTR3410_WITH_GOSTR3411,"GOSTR3410-WITH-GOSTR3411", NULL },
|
2019-03-25 09:58:28 +00:00
|
|
|
{ CKM_GOSTR3410_512_KEY_PAIR_GEN, "GOSTR3410-512-KEY-PAIR-GEN", NULL },
|
|
|
|
{ CKM_GOSTR3410_512, "GOSTR3410_512", NULL },
|
|
|
|
{ CKM_GOSTR3410_12_DERIVE, "GOSTR3410-12-DERIVE", NULL },
|
|
|
|
{ CKM_GOSTR3410_WITH_GOSTR3411_12_256, "GOSTR3410-WITH-GOSTR3411-12-256", NULL },
|
|
|
|
{ CKM_GOSTR3410_WITH_GOSTR3411_12_512, "GOSTR3410-WITH-GOSTR3411-12-512", NULL },
|
2009-11-27 11:15:33 +00:00
|
|
|
{ CKM_GOSTR3411, "GOSTR3411", NULL },
|
2019-01-15 09:10:45 +00:00
|
|
|
{ CKM_GOSTR3411_HMAC, "GOSTR3411-HMAC", NULL },
|
2019-03-25 09:58:28 +00:00
|
|
|
{ CKM_GOSTR3411_12_256, "GOSTR3411-12-256", NULL },
|
|
|
|
{ CKM_GOSTR3411_12_512, "GOSTR3411-12-512", NULL },
|
|
|
|
{ CKM_GOSTR3411_12_256_HMAC, "GOSTR3411-12-256-HMAC", NULL },
|
|
|
|
{ CKM_GOSTR3411_12_512_HMAC, "GOSTR3411-12-512-HMAC", NULL },
|
2006-02-15 17:05:05 +00:00
|
|
|
{ CKM_DSA_PARAMETER_GEN, "DSA-PARAMETER-GEN", NULL },
|
|
|
|
{ CKM_DH_PKCS_PARAMETER_GEN,"DH-PKCS-PARAMETER-GEN", NULL },
|
|
|
|
{ CKM_X9_42_DH_PARAMETER_GEN,"X9-42-DH-PARAMETER-GEN", NULL },
|
2019-01-15 09:10:45 +00:00
|
|
|
{ CKM_AES_KEY_WRAP, "AES-KEY-WRAP", NULL},
|
2010-09-21 16:11:26 +00:00
|
|
|
{ 0, NULL, NULL }
|
2002-12-17 11:50:11 +00:00
|
|
|
};
|
|
|
|
|
2017-09-21 09:19:22 +00:00
|
|
|
static struct mech_info p11_mgf[] = {
|
|
|
|
{ CKG_MGF1_SHA1, "MGF1-SHA1", NULL },
|
|
|
|
{ CKG_MGF1_SHA224, "MGF1-SHA224", NULL },
|
|
|
|
{ CKG_MGF1_SHA256, "MGF1-SHA256", NULL },
|
|
|
|
{ CKG_MGF1_SHA384, "MGF1-SHA384", NULL },
|
|
|
|
{ CKG_MGF1_SHA512, "MGF1-SHA512", NULL },
|
|
|
|
{ 0, NULL, NULL }
|
|
|
|
};
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static const char *p11_mechanism_to_name(CK_MECHANISM_TYPE mech)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
static char temp[64];
|
|
|
|
struct mech_info *mi;
|
|
|
|
|
|
|
|
for (mi = p11_mechanisms; mi->name; mi++) {
|
|
|
|
if (mi->mech == mech)
|
|
|
|
return mi->name;
|
|
|
|
}
|
2016-06-03 08:19:30 +00:00
|
|
|
snprintf(temp, sizeof(temp), "mechtype-0x%lX", (unsigned long) mech);
|
2002-12-17 11:50:11 +00:00
|
|
|
return temp;
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static CK_MECHANISM_TYPE p11_name_to_mechanism(const char *name)
|
2002-12-17 11:50:11 +00:00
|
|
|
{
|
|
|
|
struct mech_info *mi;
|
|
|
|
|
2018-03-27 00:48:05 +00:00
|
|
|
if (strncasecmp("0x", name, 2) == 0) {
|
|
|
|
return strtoul(name, NULL, 0);
|
|
|
|
}
|
2002-12-17 11:50:11 +00:00
|
|
|
for (mi = p11_mechanisms; mi->name; mi++) {
|
|
|
|
if (!strcasecmp(mi->name, name)
|
|
|
|
|| (mi->short_name && !strcasecmp(mi->short_name, name)))
|
|
|
|
return mi->mech;
|
|
|
|
}
|
pkcs11-tool: various improvements, extensions, fixes, cleanup
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
2016-06-29 12:18:56 +00:00
|
|
|
util_fatal("Unknown PKCS11 mechanism \"%s\"", name);
|
2010-09-21 16:11:26 +00:00
|
|
|
return 0; /* gcc food */
|
2002-12-17 11:50:11 +00:00
|
|
|
}
|
2002-12-22 23:16:47 +00:00
|
|
|
|
2017-09-21 09:19:22 +00:00
|
|
|
static CK_RSA_PKCS_MGF_TYPE p11_name_to_mgf(const char *name)
|
|
|
|
{
|
|
|
|
struct mech_info *mi;
|
|
|
|
|
|
|
|
for (mi = p11_mgf; mi->name; mi++) {
|
|
|
|
if (!strcasecmp(mi->name, name))
|
|
|
|
return mi->mech;
|
|
|
|
}
|
|
|
|
util_fatal("Unknown PKCS11 MGF \"%s\"", name);
|
|
|
|
}
|
|
|
|
|
|
|
|
static const char *p11_mgf_to_name(CK_RSA_PKCS_MGF_TYPE mgf)
|
|
|
|
{
|
|
|
|
static char temp[64];
|
|
|
|
struct mech_info *mi;
|
|
|
|
|
|
|
|
for (mi = p11_mgf; mi->name; mi++) {
|
|
|
|
if (mi->mech == mgf)
|
|
|
|
return mi->name;
|
|
|
|
}
|
|
|
|
snprintf(temp, sizeof(temp), "mgf-0x%lX", (unsigned long) mgf);
|
|
|
|
return temp;
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:58:57 +00:00
|
|
|
static const char * CKR2Str(CK_ULONG res)
|
2002-12-22 23:16:47 +00:00
|
|
|
{
|
|
|
|
switch (res) {
|
|
|
|
case CKR_OK:
|
|
|
|
return "CKR_OK";
|
|
|
|
case CKR_CANCEL:
|
|
|
|
return "CKR_CANCEL";
|
|
|
|
case CKR_HOST_MEMORY:
|
|
|
|
return "CKR_HOST_MEMORY";
|
|
|
|
case CKR_SLOT_ID_INVALID:
|
|
|
|
return "CKR_SLOT_ID_INVALID";
|
|
|
|
case CKR_GENERAL_ERROR:
|
|
|
|
return "CKR_GENERAL_ERROR";
|
|
|
|
case CKR_FUNCTION_FAILED:
|
|
|
|
return "CKR_FUNCTION_FAILED";
|
|
|
|
case CKR_ARGUMENTS_BAD:
|
|
|
|
return "CKR_ARGUMENTS_BAD";
|
|
|
|
case CKR_NO_EVENT:
|
|
|
|
return "CKR_NO_EVENT";
|
|
|
|
case CKR_NEED_TO_CREATE_THREADS:
|
|
|
|
return "CKR_NEED_TO_CREATE_THREADS";
|
|
|
|
case CKR_CANT_LOCK:
|
|
|
|
return "CKR_CANT_LOCK";
|
|
|
|
case CKR_ATTRIBUTE_READ_ONLY:
|
|
|
|
return "CKR_ATTRIBUTE_READ_ONLY";
|
|
|
|
case CKR_ATTRIBUTE_SENSITIVE:
|
|
|
|
return "CKR_ATTRIBUTE_SENSITIVE";
|
|
|
|
case CKR_ATTRIBUTE_TYPE_INVALID:
|
|
|
|
return "CKR_ATTRIBUTE_TYPE_INVALID";
|
|
|
|
case CKR_ATTRIBUTE_VALUE_INVALID:
|
|
|
|
return "CKR_ATTRIBUTE_VALUE_INVALID";
|
|
|
|
case CKR_DATA_INVALID:
|
|
|
|
return "CKR_DATA_INVALID";
|
|
|
|
case CKR_DATA_LEN_RANGE:
|
|
|
|
return "CKR_DATA_LEN_RANGE";
|
|
|
|
case CKR_DEVICE_ERROR:
|
|
|
|
return "CKR_DEVICE_ERROR";
|
|
|
|
case CKR_DEVICE_MEMORY:
|
|
|
|
return "CKR_DEVICE_MEMORY";
|
|
|
|
case CKR_DEVICE_REMOVED:
|
|
|
|
return "CKR_DEVICE_REMOVED";
|
|
|
|
case CKR_ENCRYPTED_DATA_INVALID:
|
|
|
|
return "CKR_ENCRYPTED_DATA_INVALID";
|
|
|
|
case CKR_ENCRYPTED_DATA_LEN_RANGE:
|
|
|
|
return "CKR_ENCRYPTED_DATA_LEN_RANGE";
|
|
|
|
case CKR_FUNCTION_CANCELED:
|
|
|
|
return "CKR_FUNCTION_CANCELED";
|
|
|
|
case CKR_FUNCTION_NOT_PARALLEL:
|
|
|
|
return "CKR_FUNCTION_NOT_PARALLEL";
|
|
|
|
case CKR_FUNCTION_NOT_SUPPORTED:
|
|
|
|
return "CKR_FUNCTION_NOT_SUPPORTED";
|
|
|
|
case CKR_KEY_HANDLE_INVALID:
|
|
|
|
return "CKR_KEY_HANDLE_INVALID";
|
|
|
|
case CKR_KEY_SIZE_RANGE:
|
|
|
|
return "CKR_KEY_SIZE_RANGE";
|
|
|
|
case CKR_KEY_TYPE_INCONSISTENT:
|
|
|
|
return "CKR_KEY_TYPE_INCONSISTENT";
|
|
|
|
case CKR_KEY_NOT_NEEDED:
|
|
|
|
return "CKR_KEY_NOT_NEEDED";
|
|
|
|
case CKR_KEY_CHANGED:
|
|
|
|
return "CKR_KEY_CHANGED";
|
|
|
|
case CKR_KEY_NEEDED:
|
|
|
|
return "CKR_KEY_NEEDED";
|
|
|
|
case CKR_KEY_INDIGESTIBLE:
|
|
|
|
return "CKR_KEY_INDIGESTIBLE";
|
|
|
|
case CKR_KEY_FUNCTION_NOT_PERMITTED:
|
|
|
|
return "CKR_KEY_FUNCTION_NOT_PERMITTED";
|
|
|
|
case CKR_KEY_NOT_WRAPPABLE:
|
|
|
|
return "CKR_KEY_NOT_WRAPPABLE";
|
|
|
|
case CKR_KEY_UNEXTRACTABLE:
|
|
|
|
return "CKR_KEY_UNEXTRACTABLE";
|
|
|
|
case CKR_MECHANISM_INVALID:
|
|
|
|
return "CKR_MECHANISM_INVALID";
|
|
|
|
case CKR_MECHANISM_PARAM_INVALID:
|
|
|
|
return "CKR_MECHANISM_PARAM_INVALID";
|
|
|
|
case CKR_OBJECT_HANDLE_INVALID:
|
|
|
|
return "CKR_OBJECT_HANDLE_INVALID";
|
|
|
|
case CKR_OPERATION_ACTIVE:
|
|
|
|
return "CKR_OPERATION_ACTIVE";
|
|
|
|
case CKR_OPERATION_NOT_INITIALIZED:
|
|
|
|
return "CKR_OPERATION_NOT_INITIALIZED";
|
|
|
|
case CKR_PIN_INCORRECT:
|
|
|
|
return "CKR_PIN_INCORRECT";
|
|
|
|
case CKR_PIN_INVALID:
|
|
|
|
return "CKR_PIN_INVALID";
|
|
|
|
case CKR_PIN_LEN_RANGE:
|
|
|
|
return "CKR_PIN_LEN_RANGE";
|
|
|
|
case CKR_PIN_EXPIRED:
|
|
|
|
return "CKR_PIN_EXPIRED";
|
|
|
|
case CKR_PIN_LOCKED:
|
|
|
|
return "CKR_PIN_LOCKED";
|
|
|
|
case CKR_SESSION_CLOSED:
|
|
|
|
return "CKR_SESSION_CLOSED";
|
|
|
|
case CKR_SESSION_COUNT:
|
|
|
|
return "CKR_SESSION_COUNT";
|
|
|
|
case CKR_SESSION_HANDLE_INVALID:
|
|
|
|
return "CKR_SESSION_HANDLE_INVALID";
|
|
|
|
case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
|
|
|
|
return "CKR_SESSION_PARALLEL_NOT_SUPPORTED";
|
|
|
|
case CKR_SESSION_READ_ONLY:
|
|
|
|
return "CKR_SESSION_READ_ONLY";
|
|
|
|
case CKR_SESSION_EXISTS:
|
|
|
|
return "CKR_SESSION_EXISTS";
|
|
|
|
case CKR_SESSION_READ_ONLY_EXISTS:
|
|
|
|
return "CKR_SESSION_READ_ONLY_EXISTS";
|
|
|
|
case CKR_SESSION_READ_WRITE_SO_EXISTS:
|
|
|
|
return "CKR_SESSION_READ_WRITE_SO_EXISTS";
|
|
|
|
case CKR_SIGNATURE_INVALID:
|
|
|
|
return "CKR_SIGNATURE_INVALID";
|
|
|
|
case CKR_SIGNATURE_LEN_RANGE:
|
|
|
|
return "CKR_SIGNATURE_LEN_RANGE";
|
|
|
|
case CKR_TEMPLATE_INCOMPLETE:
|
|
|
|
return "CKR_TEMPLATE_INCOMPLETE";
|
|
|
|
case CKR_TEMPLATE_INCONSISTENT:
|
|
|
|
return "CKR_TEMPLATE_INCONSISTENT";
|
|
|
|
case CKR_TOKEN_NOT_PRESENT:
|
|
|
|
return "CKR_TOKEN_NOT_PRESENT";
|
|
|
|
case CKR_TOKEN_NOT_RECOGNIZED:
|
|
|
|
return "CKR_TOKEN_NOT_RECOGNIZED";
|
|
|
|
case CKR_TOKEN_WRITE_PROTECTED:
|
|
|
|
return "CKR_TOKEN_WRITE_PROTECTED";
|
|
|
|
case CKR_UNWRAPPING_KEY_HANDLE_INVALID:
|
|
|
|
return "CKR_UNWRAPPING_KEY_HANDLE_INVALID";
|
|
|
|
case CKR_UNWRAPPING_KEY_SIZE_RANGE:
|
|
|
|
return "CKR_UNWRAPPING_KEY_SIZE_RANGE";
|
|
|
|
case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT:
|
|
|
|
return "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT";
|
|
|
|
case CKR_USER_ALREADY_LOGGED_IN:
|
|
|
|
return "CKR_USER_ALREADY_LOGGED_IN";
|
|
|
|
case CKR_USER_NOT_LOGGED_IN:
|
|
|
|
return "CKR_USER_NOT_LOGGED_IN";
|
|
|
|
case CKR_USER_PIN_NOT_INITIALIZED:
|
|
|
|
return "CKR_USER_PIN_NOT_INITIALIZED";
|
|
|
|
case CKR_USER_TYPE_INVALID:
|
|
|
|
return "CKR_USER_TYPE_INVALID";
|
|
|
|
case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
|
|
|
|
return "CKR_USER_ANOTHER_ALREADY_LOGGED_IN";
|
|
|
|
case CKR_USER_TOO_MANY_TYPES:
|
|
|
|
return "CKR_USER_TOO_MANY_TYPES";
|
|
|
|
case CKR_WRAPPED_KEY_INVALID:
|
|
|
|
return "CKR_WRAPPED_KEY_INVALID";
|
|
|
|
case CKR_WRAPPED_KEY_LEN_RANGE:
|
|
|
|
return "CKR_WRAPPED_KEY_LEN_RANGE";
|
|
|
|
case CKR_WRAPPING_KEY_HANDLE_INVALID:
|
|
|
|
return "CKR_WRAPPING_KEY_HANDLE_INVALID";
|
|
|
|
case CKR_WRAPPING_KEY_SIZE_RANGE:
|
|
|
|
return "CKR_WRAPPING_KEY_SIZE_RANGE";
|
|
|
|
case CKR_WRAPPING_KEY_TYPE_INCONSISTENT:
|
|
|
|
return "CKR_WRAPPING_KEY_TYPE_INCONSISTENT";
|
|
|
|
case CKR_RANDOM_SEED_NOT_SUPPORTED:
|
|
|
|
return "CKR_RANDOM_SEED_NOT_SUPPORTED";
|
|
|
|
case CKR_RANDOM_NO_RNG:
|
|
|
|
return "CKR_RANDOM_NO_RNG";
|
|
|
|
case CKR_DOMAIN_PARAMS_INVALID:
|
|
|
|
return "CKR_DOMAIN_PARAMS_INVALID";
|
|
|
|
case CKR_BUFFER_TOO_SMALL:
|
|
|
|
return "CKR_BUFFER_TOO_SMALL";
|
|
|
|
case CKR_SAVED_STATE_INVALID:
|
|
|
|
return "CKR_SAVED_STATE_INVALID";
|
|
|
|
case CKR_INFORMATION_SENSITIVE:
|
|
|
|
return "CKR_INFORMATION_SENSITIVE";
|
|
|
|
case CKR_STATE_UNSAVEABLE:
|
|
|
|
return "CKR_STATE_UNSAVEABLE";
|
|
|
|
case CKR_CRYPTOKI_NOT_INITIALIZED:
|
|
|
|
return "CKR_CRYPTOKI_NOT_INITIALIZED";
|
|
|
|
case CKR_CRYPTOKI_ALREADY_INITIALIZED:
|
|
|
|
return "CKR_CRYPTOKI_ALREADY_INITIALIZED";
|
|
|
|
case CKR_MUTEX_BAD:
|
|
|
|
return "CKR_MUTEX_BAD";
|
|
|
|
case CKR_MUTEX_NOT_LOCKED:
|
|
|
|
return "CKR_MUTEX_NOT_LOCKED";
|
|
|
|
case CKR_VENDOR_DEFINED:
|
|
|
|
return "CKR_VENDOR_DEFINED";
|
|
|
|
}
|
|
|
|
return "unknown PKCS11 error";
|
|
|
|
}
|