author | Antti Lyytinen | 2014-12-10 05:52:59 -0600 |
---|---|---|
committer | Antti Lyytinen | 2014-12-10 05:52:59 -0600 |
commit | 43c4f63a8d803fde2bcd8e4f8969e5fe9edf0e33 (patch) | |
tree | 8eedd24a49aa0b523bc1c1236527254e9df21d8f | |
parent | 7e6182d9b8460a91825f41e79c2de2dca606b858 (diff) | |
Secure storage #3 (HEAD, DEV.LIBP11-01.03.00.00, master)
-rw-r--r-- | src/libp11-int.h | 1 | ||||
-rw-r--r-- | src/p11_cert.c | 4 | ||||
-rw-r--r-- | src/p11_key.c | 95 | ||||
-rw-r--r-- | src/p11_load.c | 17 | ||||
-rw-r--r-- | src/p11_rsa.c | 1 |
5 files changed, 89 insertions, 29 deletions
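--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -43,6 +43,7 @@ typedef struct pkcs11_ctx_private {
 
 CK_SESSION_HANDLE session;
 char *init_args;
+unsigned char key_gen_on_token;
 } PKCS11_CTX_private;
 #define PRIVCTX(ctx) ((PKCS11_CTX_private *) (ctx->_private))
 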
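Review bot: The new `key_gen_on_token` member at new line 46 carries no comment, and nothing in the header says who sets it or what a non-zero value means. Suggest `unsigned char key_gen_on_token; /* non-zero if the token reports CKM_RSA_PKCS_KEY_PAIR_GEN; set in PKCS11_CTX_load */`. The field is written only in PKCS11_CTX_load in this diff, so it is worth confirming that PKCS11_CTX_private is zero-initialised where it is allocated (not part of this change), otherwise PKCS11_generate_key can read the flag uninitialised if load fails before the probe.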
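--- a/src/p11_cert.c
+++ b/src/p11_cert.c
@@ -126,7 +126,7 @@ static int pkcs11_next_cert(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
 int rv;
 
 /* Get the next matching objects */
-rv = CRYPTOKI_call(ctx, C_FindObjects(session, &obj,
+rv = CRYPTOKI_call(ctx, C_FindObjects(session, &(obj[0]),
 FIND_OBJ_CERT_CNT, &count));
 CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_CERTS, rv);
 
@@ -134,7 +134,7 @@ static int pkcs11_next_cert(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
 return 1;
 
 for (i = 0; i < count; i++)
-if (pkcs11_init_cert(ctx, token, session, obj, NULL))
+if (pkcs11_init_cert(ctx, token, session, obj[i], NULL))
 return -1;
 
 return 0;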
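Review bot: `&(obj[0])` at new line 129 is the same pointer an array `obj` already decays to, so the plainer form is `rv = CRYPTOKI_call(ctx, C_FindObjects(session, obj,` with the second line unchanged. The declaration of `obj` and the value of FIND_OBJ_CERT_CNT are outside both hunks (pkcs11_next_cert starts before the first hunk), so it is worth confirming that `obj` is declared with at least FIND_OBJ_CERT_CNT entries, since that constant is what bounds the writes C_FindObjects makes and the `obj[i]` reads at new line 137.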
diff --git a/src/p11_key.c b/src/p11_key.c index 43cd5ee..e37f7bc 100644 --- a/src/p11_key.c +++ b/src/p11_key.c | |||
@@ -128,37 +128,80 @@ int | |||
128 | PKCS11_generate_key(PKCS11_TOKEN * token, | 128 | PKCS11_generate_key(PKCS11_TOKEN * token, |
129 | int algorithm, unsigned int bits, char *label, unsigned char* id, size_t id_len) | 129 | int algorithm, unsigned int bits, char *label, unsigned char* id, size_t id_len) |
130 | { | 130 | { |
131 | PKCS11_KEY *key_obj; | 131 | PKCS11_CTX *ctx = TOKEN2CTX(token); |
132 | EVP_PKEY *pk; | 132 | PKCS11_CTX_private *priv = PRIVCTX(ctx); |
133 | RSA *rsa; | 133 | int rc = -1; |
134 | BIO *err; | ||
135 | int rc; | ||
136 | |||
137 | if (algorithm != EVP_PKEY_RSA) { | ||
138 | PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_NOT_SUPPORTED); | ||
139 | return -1; | ||
140 | } | ||
141 | 134 | ||
142 | err = BIO_new_fp(stderr, BIO_NOCLOSE); | 135 | if(priv->key_gen_on_token) { |
143 | rsa = RSA_generate_key(bits, 0x10001, NULL, err); | 136 | PKCS11_SLOT *slot = TOKEN2SLOT(token); |
144 | BIO_free(err); | 137 | |
145 | if (rsa == NULL) { | 138 | CK_SESSION_HANDLE session; |
146 | PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_KEYGEN_FAILED); | 139 | CK_OBJECT_HANDLE hKey; |
147 | return -1; | 140 | CK_MECHANISM mechanism = {CKM_RSA_X9_31_KEY_PAIR_GEN, NULL_PTR, 0}; |
148 | } | 141 | CK_RV rv; |
149 | 142 | ||
150 | pk = EVP_PKEY_new(); | 143 | CK_ATTRIBUTE attrs[32]; |
151 | EVP_PKEY_assign_RSA(pk, rsa); | 144 | unsigned int n = 0; |
152 | rc = pkcs11_store_private_key(token, pk, label, id, id_len, &key_obj); | 145 | |
146 | /* First, make sure we have a session */ | ||
147 | if (!PRIVSLOT(slot)->haveSession && PKCS11_open_session(slot, 1)) { | ||
148 | return -1; | ||
149 | } | ||
150 | session = PRIVSLOT(slot)->session; | ||
153 | 151 | ||
154 | if (rc == 0) { | 152 | /* Now build the key attrs */ |
155 | PKCS11_KEY_private *kpriv; | 153 | pkcs11_addattr_int(attrs + n++, CKA_CLASS, CKO_PRIVATE_KEY); |
154 | pkcs11_addattr_int(attrs + n++, CKA_KEY_TYPE, CKK_RSA); | ||
155 | pkcs11_addattr_bool(attrs + n++, CKA_TOKEN, TRUE); | ||
156 | pkcs11_addattr_int(attrs + n++, CKA_MODULUS_BITS, bits); | ||
157 | if (label) { | ||
158 | pkcs11_addattr_s(attrs + n++, CKA_LABEL, label); | ||
159 | } | ||
160 | if (id && id_len) { | ||
161 | pkcs11_addattr(attrs + n++, CKA_ID, id, id_len); | ||
162 | } | ||
156 | 163 | ||
157 | kpriv = PRIVKEY(key_obj); | 164 | rv = CRYPTOKI_call(ctx, C_GenerateKey(session, &mechanism, attrs, n, &hKey)); |
158 | rc = pkcs11_store_public_key(token, pk, label, | 165 | |
159 | kpriv->id, kpriv->id_len, NULL); | 166 | /* Zap all memory allocated when building the template */ |
167 | pkcs11_zap_attrs(attrs, n); | ||
168 | |||
169 | if (rv == CKR_OK) { | ||
170 | rc = 0; | ||
171 | } | ||
172 | } else { | ||
173 | |||
174 | PKCS11_KEY *key_obj; | ||
175 | EVP_PKEY *pk; | ||
176 | RSA *rsa; | ||
177 | BIO *err; | ||
178 | |||
179 | if (algorithm != EVP_PKEY_RSA) { | ||
180 | PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_NOT_SUPPORTED); | ||
181 | return -1; | ||
182 | } | ||
183 | |||
184 | err = BIO_new_fp(stderr, BIO_NOCLOSE); | ||
185 | rsa = RSA_generate_key(bits, 0x10001, NULL, err); | ||
186 | BIO_free(err); | ||
187 | if (rsa == NULL) { | ||
188 | PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_KEYGEN_FAILED); | ||
189 | return -1; | ||
190 | } | ||
191 | |||
192 | pk = EVP_PKEY_new(); | ||
193 | EVP_PKEY_assign_RSA(pk, rsa); | ||
194 | rc = pkcs11_store_private_key(token, pk, label, id, id_len, &key_obj); | ||
195 | |||
196 | if (rc == 0) { | ||
197 | PKCS11_KEY_private *kpriv; | ||
198 | |||
199 | kpriv = PRIVKEY(key_obj); | ||
200 | rc = pkcs11_store_public_key(token, pk, label, | ||
201 | kpriv->id, kpriv->id_len, NULL); | ||
202 | } | ||
203 | EVP_PKEY_free(pk); | ||
160 | } | 204 | } |
161 | EVP_PKEY_free(pk); | ||
162 | return rc; | 205 | return rc; |
163 | } | 206 | } |
164 | 207 | ||
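Review bot: The on-token branch at new lines 140–171 calls `C_GenerateKey` with a key-pair mechanism and a single private-key template; PKCS#11 generates RSA key pairs with `C_GenerateKeyPair`, which takes separate public and private templates (CKA_MODULUS_BITS belongs on the public one) and returns two handles, so a conforming token is likely to reject this call. The mechanism also does not match the capability probe added in p11_load.c, which looks for `CKM_RSA_PKCS_KEY_PAIR_GEN` while this hunk requests `CKM_RSA_X9_31_KEY_PAIR_GEN`. For a change titled "secure storage" the private template should also pin `CKA_PRIVATE`, `CKA_SENSITIVE` and `CKA_EXTRACTABLE` so the generated key cannot be read back or wrapped off the token by default, the `algorithm != EVP_PKEY_RSA` guard at new line 179 should apply to this branch too, and a result other than CKR_OK should raise `PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_KEYGEN_FAILED)` instead of returning -1 silently. The handles are currently discarded, so callers get no PKCS11_KEY back from the token path; a follow-up would need to wrap them the way the software path does through pkcs11_store_private_key.
```c
	if(priv->key_gen_on_token) {
		PKCS11_SLOT *slot = TOKEN2SLOT(token);
		CK_SESSION_HANDLE session;
		CK_OBJECT_HANDLE hPub, hPriv;
		/* same mechanism the load-time probe checks for */
		CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0};
		CK_BYTE pubexp[] = { 0x01, 0x00, 0x01 };  /* 65537, as in the software path */
		CK_ATTRIBUTE pubattrs[8], privattrs[8];
		unsigned int npub = 0, npriv = 0;
		CK_RV rv;

		if (algorithm != EVP_PKEY_RSA) {
			PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_NOT_SUPPORTED);
			return -1;
		}
		/* … unchanged: open a read-write session if needed … */

		/* Public template: class, type, size and exponent live here */
		pkcs11_addattr_int(pubattrs + npub++, CKA_CLASS, CKO_PUBLIC_KEY);
		pkcs11_addattr_int(pubattrs + npub++, CKA_KEY_TYPE, CKK_RSA);
		pkcs11_addattr_bool(pubattrs + npub++, CKA_TOKEN, TRUE);
		pkcs11_addattr_int(pubattrs + npub++, CKA_MODULUS_BITS, bits);
		pkcs11_addattr(pubattrs + npub++, CKA_PUBLIC_EXPONENT, pubexp, sizeof pubexp);

		/* Private template: keep the key on the token and non-exportable */
		pkcs11_addattr_int(privattrs + npriv++, CKA_CLASS, CKO_PRIVATE_KEY);
		pkcs11_addattr_int(privattrs + npriv++, CKA_KEY_TYPE, CKK_RSA);
		pkcs11_addattr_bool(privattrs + npriv++, CKA_TOKEN, TRUE);
		pkcs11_addattr_bool(privattrs + npriv++, CKA_PRIVATE, TRUE);
		pkcs11_addattr_bool(privattrs + npriv++, CKA_SENSITIVE, TRUE);
		pkcs11_addattr_bool(privattrs + npriv++, CKA_EXTRACTABLE, FALSE);
		/* … unchanged: CKA_LABEL / CKA_ID, added to both templates … */

		rv = CRYPTOKI_call(ctx, C_GenerateKeyPair(session, &mechanism,
				pubattrs, npub, privattrs, npriv, &hPub, &hPriv));

		/* Zap all memory allocated when building the templates */
		pkcs11_zap_attrs(pubattrs, npub);
		pkcs11_zap_attrs(privattrs, npriv);

		if (rv != CKR_OK) {
			PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_KEYGEN_FAILED);
			return -1;
		}
		rc = 0;
	} else {
		/* … unchanged: software key generation and store … */
```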
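--- a/src/p11_load.c
+++ b/src/p11_load.c
@@ -58,6 +58,10 @@ int PKCS11_CTX_load(PKCS11_CTX * ctx, const char *name)
 CK_C_INITIALIZE_ARGS _args;
 CK_C_INITIALIZE_ARGS *args = NULL;
 CK_INFO ck_info;
+CK_SLOT_ID slot = 0;
+CK_MECHANISM_TYPE mechanismList[8];
+CK_ULONG count = 8;
+int i;
 int rv;
 
 if (priv->libinfo != NULL) {
@@ -89,6 +93,19 @@ int PKCS11_CTX_load(PKCS11_CTX * ctx, const char *name)
 ctx->manufacturer = PKCS11_DUP(ck_info.manufacturerID);
 ctx->description = PKCS11_DUP(ck_info.libraryDescription);
 
+/* Check whether library supports key generation */
+priv->key_gen_on_token = 0;
+rv = CRYPTOKI_call(ctx, C_GetMechanismList(slot, &mechanismList, &count));
+if(rv == 0) {
+for(i=0; i<count; i++) {
+if(mechanismList[i] == CKM_RSA_PKCS_KEY_PAIR_GEN) {
+priv->key_gen_on_token = 1;
+}
+}
+} else {
+PKCS11err(PKCS11_F_PKCS11_CTX_LOAD, rv);
+return -1;
+}
 return 0;
 }
 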
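Review bot: The probe at new lines 96–108 passes a fixed eight-entry `mechanismList` with `count = 8`; any token advertising more than eight mechanisms (practically every real one) gets CKR_BUFFER_TOO_SMALL, and the else branch turns that into a failure of PKCS11_CTX_load itself, so the library refuses to load on exactly the tokens that could generate keys. Query with `NULL_PTR` first to obtain the count, allocate, then query again, and treat a failed probe as "no on-token keygen" rather than a load error; in the same pass `&mechanismList` should be `mechanismList` (the array already decays to `CK_MECHANISM_TYPE *`), `rv` should be compared with `CKR_OK`, and `i` should be `CK_ULONG` to match `count` (those declarations are in the first hunk, new lines 61–64). The hard-coded `slot = 0` is also a guess: mechanism support is per slot and slot IDs need not start at 0, so the flag really belongs with slot enumeration rather than with context load. The lines below replace the probe and the declarations it depends on.
```c
	CK_MECHANISM_TYPE *mechanismList = NULL;
	CK_ULONG count = 0, i;
	/* … unchanged: library load, C_Initialize, C_GetInfo … */

	/* Check whether the token in this slot can generate RSA key pairs itself.
	 * The capability is per slot, so treat it as a hint, not a load error. */
	priv->key_gen_on_token = 0;
	rv = CRYPTOKI_call(ctx, C_GetMechanismList(slot, NULL_PTR, &count));
	if (rv == CKR_OK && count > 0) {
		mechanismList = OPENSSL_malloc(count * sizeof *mechanismList);
		if (mechanismList == NULL) {
			PKCS11err(PKCS11_F_PKCS11_CTX_LOAD, ERR_R_MALLOC_FAILURE);
			return -1;
		}
		rv = CRYPTOKI_call(ctx, C_GetMechanismList(slot, mechanismList, &count));
		if (rv == CKR_OK) {
			for (i = 0; i < count; i++) {
				if (mechanismList[i] == CKM_RSA_PKCS_KEY_PAIR_GEN) {
					priv->key_gen_on_token = 1;
					break;
				}
			}
		}
		OPENSSL_free(mechanismList);
	}
	return 0;
```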
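--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -124,7 +124,6 @@ static int pkcs11_rsa_decrypt(int flen, const unsigned char *from,
 static int pkcs11_rsa_encrypt(int flen, const unsigned char *from,
 unsigned char *to, RSA * rsa, int padding)
 {
-printf("PKCS11_rsa_encrypt: flen(%d)\n", flen);
 return PKCS11_private_encrypt(flen,from,to,(PKCS11_KEY *) RSA_get_app_data(rsa), padding);
 }
 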