[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_7_a-23-ge33
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_7_a-23-ge336851 |
|
Date: |
Mon, 01 Aug 2011 16:19:21 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=e336851c74eea10c47f152aae98f742b5bd4f91b
The branch, gnutls_2_12_x has been updated
via e336851c74eea10c47f152aae98f742b5bd4f91b (commit)
via 6391e601b303b3949c038614942cdf2b6236ff42 (commit)
via 142dd3788d3be97709e7430241be8caa52ab47c8 (commit)
via b0cf82c468eed213e26e91241a34f08f12a9ac4e (commit)
via 19e57ff21061f4523e4ab91228103d32a118b108 (commit)
via 4afe40aab76d87b9ff77907d374d6e7f70ab6e21 (commit)
via 48392b2f88ac03e87df2dc376faa4376359b39f4 (commit)
via ff80f1ae165bdb30979da036c68b94f9c4a097d1 (commit)
via 77f1d2a2d1f5a4bce8fff4e59494e8b2594b2b80 (commit)
from a034ca1492733a7d84d3887142e5cb358754687e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e336851c74eea10c47f152aae98f742b5bd4f91b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Aug 1 18:19:15 2011 +0200
document p11-kit
commit 6391e601b303b3949c038614942cdf2b6236ff42
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Aug 1 18:15:19 2011 +0200
documented p11-kit addition.
commit 142dd3788d3be97709e7430241be8caa52ab47c8
Author: Stef Walter <address@hidden>
Date: Mon Aug 1 11:12:57 2011 +0200
Don't try to do PKCS#11 login if session is already logged in.
* It is possible for new PKCS#11 sessions to be logged in if
another logged in session already exists.
* In these cases, don't log in, but detect the condition and
return success.
Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>
commit b0cf82c468eed213e26e91241a34f08f12a9ac4e
Author: Stef Walter <address@hidden>
Date: Mon Aug 1 11:11:01 2011 +0200
When finding private keys fail, return error code.
* Previously this would result in an endless loop.
Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>
commit 19e57ff21061f4523e4ab91228103d32a118b108
Author: Stef Walter <address@hidden>
Date: Thu Jul 7 19:05:17 2011 +0200
pkcs11: Use p11_kit_pin_xxx() functionality when 'pinfile' is in uris.
* This allows other apps to register a handler for a specific pinfile
and then that application will be able to provide the PIN for
those URIs.
Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>
commit 4afe40aab76d87b9ff77907d374d6e7f70ab6e21
Author: Stef Walter <address@hidden>
Date: Thu Jun 9 20:29:04 2011 +0200
Use pkcs11.h specification file from p11-kit.
* Remove one included briefly in gnutls.
Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>
commit 48392b2f88ac03e87df2dc376faa4376359b39f4
Author: Stef Walter <address@hidden>
Date: Thu Jun 9 10:38:38 2011 +0200
Fix up compiler warnings.
Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>
commit ff80f1ae165bdb30979da036c68b94f9c4a097d1
Author: Stef Walter <address@hidden>
Date: Tue Jun 7 20:20:17 2011 +0200
The attached patch ports gnutls to p11-kit.
* p11-kit is added as a dependency. p11-kit itself has no dependencies
outside of basic libc stuff. The source code for p11-kit is available
both in git and tarball form.
* If the gnutls dependency on p11-kit is disabled (via a configure
option) then the PKCS#11 support is disabled. This is useful in bare
bones embedded systems or places where very minimal dependencies are
limited.
Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>
commit 77f1d2a2d1f5a4bce8fff4e59494e8b2594b2b80
Author: Stef Walter <address@hidden>
Date: Mon May 30 21:29:12 2011 +0200
gnutls-cli: Fix uninitialized variable when PKCS#11 uris in use.
* When PKCS#11 URIs are in use previously tried to free uninitialized
memory. Initialize to zero.
Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>
-----------------------------------------------------------------------
Summary of changes:
NEWS | 4 +
README | 14 +-
README-alpha | 1 +
configure.ac | 14 +
doc/examples/Makefile.am | 5 +-
lib/Makefile.am | 14 +-
lib/auth_cert.c | 9 +-
lib/configure.ac | 13 +
lib/gnutls_global.c | 4 +
lib/gnutls_privkey.c | 15 +-
lib/gnutls_pubkey.c | 9 +-
lib/gnutls_x509.c | 10 +
lib/includes/gnutls/pkcs11.h | 6 +-
lib/pakchois/dlopen.c | 51 --
lib/pakchois/dlopen.h | 21 -
lib/pakchois/errors.c | 234 ------
lib/pakchois/pakchois.c | 1242 -----------------------------
lib/pakchois/pakchois.h | 380 ---------
lib/pakchois/pakchois11.h | 1369 --------------------------------
lib/pkcs11.c | 1761 ++++++++++++++++++++----------------------
lib/pkcs11_int.h | 182 ++++-
lib/pkcs11_privkey.c | 74 ++-
lib/pkcs11_secret.c | 15 +-
lib/pkcs11_write.c | 136 ++--
src/Makefile.am | 23 +-
src/certtool-common.c | 9 +
src/certtool.c | 6 +-
src/cli.c | 13 +-
src/p11common.c | 3 +-
src/p11tool.c | 2 +
src/pkcs11.c | 4 -
src/serv.c | 2 +
tests/suite/mini-eagain2.c | 2 +
33 files changed, 1274 insertions(+), 4373 deletions(-)
delete mode 100644 lib/pakchois/dlopen.c
delete mode 100644 lib/pakchois/dlopen.h
delete mode 100644 lib/pakchois/errors.c
delete mode 100644 lib/pakchois/pakchois.c
delete mode 100644 lib/pakchois/pakchois.h
delete mode 100644 lib/pakchois/pakchois11.h
diff --git a/NEWS b/NEWS
index 958dc71..83f4257 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ See the end for copying conditions.
* Version 2.12.8 (unreleased)
+** libgnutls: PKCS #11 back-end rewritten to use p11-kit
+http://p11-glue.freedesktop.org/p11-kit.html. Rewrite by
+Stef Walter.
+
** libgnutls: gcrypt: replaced occurences of gcry_sexp_nth_mpi (..., 0)
with gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) to fix errors with 1.5.0.
diff --git a/README b/README
index 36c3f78..feb14f7 100644
--- a/README
+++ b/README
@@ -34,16 +34,18 @@ and libgnutls-extra.a), the shared object (libgnutls.so and
libgnutls-extra.so), and additional binaries such as certtool and
gnutls-cli.
-The library depends on libnettle OR libgcrypt (but never both). GnuTLS
-currently uses libnettle as the default cryptographic library. Versions
-2.10.3 and prior used libgcrypt as the default cryptographic library.
-Nettle can be found at http://www.gnu.org/software/nettle/, while
-libgcrypt can be found at <ftp://ftp.gnupg.org/pub/gcrypt/libgcrypt/>.
+The library depends on libnettle OR libgcrypt (but never both), as well
+as p11-kit. GnuTLS currently uses libnettle as the default cryptographic
+library. Versions 2.10.3 and prior used libgcrypt as the default
+cryptographic library. Nettle can be found at
http://www.gnu.org/software/nettle/,
+while libgcrypt can be found at <ftp://ftp.gnupg.org/pub/gcrypt/libgcrypt/>.
+p11-kit can be found at <http://p11-glue.freedesktop.org/p11-kit.html>.
+
To configure libnettle for installation and use by GnuTLS, a typical
command sequence would be:
- cd nettle-2.1
+ cd nettle-2.2
./configure --prefix=/usr --disable-openssl --enable-shared
make
sudo make install
diff --git a/README-alpha b/README-alpha
index 470f8fa..69e970d 100644
--- a/README-alpha
+++ b/README-alpha
@@ -26,6 +26,7 @@ We require several tools to build the software, including:
- Guile <http://www.gnu.org/software/guile/>
- Gaa <http://gaa.sf.net> (optional)
- libtasn1 <http://josefsson.org/libtasn1/> (optional)
+- p11-kit <http://p11-glue.freedesktop.org/p11-kit.html>
- datefudge <packages.debian.org/datefudge> (optional)
The required software is typically distributed with your operating
diff --git a/configure.ac b/configure.ac
index 3ed57ea..b7643fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -79,6 +79,19 @@ AC_DEFINE([HAVE_ERRNO_H], 1, [Hard-code for src/cfg/.])
AC_CHECK_FUNCS(fork,,)
AM_CONDITIONAL(HAVE_FORK, test "$ac_cv_func_fork" != "no")
+dnl Check for p11-kit
+AC_ARG_WITH(p11-kit,
+ AS_HELP_STRING([--without-p11-kit],
+ [Build without p11-kit and PKCS#11 support]))
+AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
+if test "$with_p11_kit" != "no"; then
+ PKG_CHECK_MODULES(P11_KIT, [p11-kit-1 >= 0.2])
+ AC_DEFINE(ENABLE_PKCS11, 1, [Build PKCS#11 support])
+ CFLAGS="$CFLAGS $P11_KIT_CFLAGS"
+ LIBS="$LIBS $P11_KIT_LIBS"
+ with_p11_kit=yes
+fi
+
AC_CHECK_TYPES(uint,,, [
# include <sys/types.h>
])
@@ -312,4 +325,5 @@ AC_MSG_NOTICE([summary of build options:
OpenSSL library: $enable_openssl
/dev/crypto: $enable_cryptodev
Crypto library: $cryptolib
+ PKCS#11 support: $with_p11_kit
])
diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
index 068d7fc..706ccc2 100644
--- a/doc/examples/Makefile.am
+++ b/doc/examples/Makefile.am
@@ -43,7 +43,6 @@ CXX_LDADD = $(LDADD) \
noinst_PROGRAMS = ex-client2 ex-client-resume
noinst_PROGRAMS += ex-cert-select ex-rfc2818
-noinst_PROGRAMS += ex-cert-select-pkcs11
if ENABLE_PKI
noinst_PROGRAMS += ex-crq ex-serv1
@@ -63,6 +62,10 @@ if ENABLE_OPENPGP
noinst_PROGRAMS += ex-serv-pgp
endif
+if ENABLE_PKCS11
+noinst_PROGRAMS += ex-cert-select-pkcs11
+endif
+
if ENABLE_PSK
noinst_PROGRAMS += ex-client-psk
if ENABLE_PKI
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 10307a1..0ef044a 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -80,9 +80,11 @@ COBJECTS = gnutls_record.c gnutls_compress.c debug.c
gnutls_cipher.c \
auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \
crypto.c random.c ext_signature.c cryptodev.c system.c \
crypto-api.c ext_safe_renegotiation.c gnutls_privkey.c \
- pkcs11.c pkcs11_privkey.c gnutls_pubkey.c pkcs11_write.c locks.c \
- pkcs11_secret.c
+ gnutls_pubkey.c locks.c
+if ENABLE_PKCS11
+COBJECTS += pkcs11.c pkcs11_privkey.c pkcs11_write.c pkcs11_secret.c
+endif
if ENABLE_NETTLE
SUBDIRS += nettle
@@ -105,11 +107,11 @@ HFILES = abstract_int.h debug.h gnutls_compress.h
gnutls_cipher.h \
gnutls_helper.h auth_psk.h auth_psk_passwd.h \
gnutls_supplemental.h crypto.h random.h system.h \
ext_session_ticket.h ext_signature.h gnutls_cryptodev.h \
- ext_safe_renegotiation.h locks.h gnutls_mbuffers.h \
- pkcs11_int.h
+ ext_safe_renegotiation.h locks.h gnutls_mbuffers.h
-COBJECTS+=pakchois/pakchois.c pakchois/errors.c pakchois/dlopen.c
-HFILES+=pakchois/pakchois.h pakchois/pakchois11.h pakchois/dlopen.h
+if ENABLE_PKCS11
+HFILES += pkcs11_int.h
+endif
# Separate so we can create the documentation
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index 9786211..9dbb677 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -62,9 +62,10 @@ static gnutls_cert *alloc_and_load_x509_certs
(gnutls_x509_crt_t * certs,
static gnutls_privkey_t alloc_and_load_x509_key (gnutls_x509_privkey_t key,
int deinit);
+#ifdef ENABLE_PKCS11
static gnutls_privkey_t alloc_and_load_pkcs11_key (gnutls_pkcs11_privkey_t
key, int deinit);
-
+#endif
/* Copies data from a internal certificate struct (gnutls_cert) to
* exported certificate struct (cert_auth_info_t)
@@ -569,6 +570,7 @@ call_get_cert_callback (gnutls_session_t session,
}
break;
#endif
+#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
if (st2.key.pkcs11 != NULL)
{
@@ -582,6 +584,7 @@ call_get_cert_callback (gnutls_session_t session,
}
}
break;
+#endif
case GNUTLS_PRIVKEY_X509:
if (st2.key.x509 != NULL)
{
@@ -1970,6 +1973,8 @@ alloc_and_load_pgp_key (gnutls_openpgp_privkey_t key, int
deinit)
}
#endif
+#ifdef ENABLE_PKCS11
+
/* converts the given raw key to gnutls_privkey* and allocates
* space for it.
*/
@@ -2003,6 +2008,8 @@ alloc_and_load_pkcs11_key (gnutls_pkcs11_privkey_t key,
int deinit)
return local_key;
}
+#endif
+
void
_gnutls_selected_certs_deinit (gnutls_session_t session)
{
diff --git a/lib/configure.ac b/lib/configure.ac
index 8d873a2..9ad86a3 100644
--- a/lib/configure.ac
+++ b/lib/configure.ac
@@ -96,6 +96,19 @@ fi
AC_SUBST(GNUTLS_REQUIRES_PRIVATE)
AC_SUBST(GNUTLS_ZLIB_LIBS_PRIVATE)
+dnl Check for p11-kit
+AC_ARG_WITH(p11-kit,
+ AS_HELP_STRING([--without-p11-kit],
+ [Build without p11-kit and PKCS#11 support]))
+AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
+if test "$with_p11_kit" != "no"; then
+ PKG_CHECK_MODULES(P11_KIT, [p11-kit-1])
+ AC_DEFINE(ENABLE_PKCS11, 1, [Build PKCS#11 support])
+ CFLAGS="$CFLAGS $P11_KIT_CFLAGS"
+ LIBS="$LIBS $P11_KIT_LIBS"
+ with_p11_kit=yes
+fi
+
lgl_INIT
AC_CHECK_FUNCS(getrusage,,)
diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index 60656d6..572432c 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -248,7 +248,9 @@ gnutls_global_init (void)
goto out;
}
+#ifdef ENABLE_PKCS11
gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL);
+#endif
_gnutls_cryptodev_init ();
@@ -277,7 +279,9 @@ gnutls_global_deinit (void)
asn1_delete_structure (&_gnutls_pkix1_asn);
_gnutls_crypto_deregister ();
_gnutls_cryptodev_deinit ();
+#ifdef ENABLE_PKCS11
gnutls_pkcs11_deinit ();
+#endif
}
_gnutls_init--;
}
diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c
index 2f5d06b..499640e 100644
--- a/lib/gnutls_privkey.c
+++ b/lib/gnutls_privkey.c
@@ -21,7 +21,6 @@
*/
#include <gnutls_int.h>
-#include <pakchois/pakchois.h>
#include <gnutls/pkcs11.h>
#include <stdio.h>
#include <string.h>
@@ -44,7 +43,9 @@ struct gnutls_privkey_st
union
{
gnutls_x509_privkey_t x509;
+#ifdef ENABLE_PKCS11
gnutls_pkcs11_privkey_t pkcs11;
+#endif
#ifdef ENABLE_OPENPGP
gnutls_openpgp_privkey_t openpgp;
#endif
@@ -90,8 +91,10 @@ gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key,
unsigned int *bits)
case GNUTLS_PRIVKEY_OPENPGP:
return gnutls_openpgp_privkey_get_pk_algorithm (key->key.openpgp, bits);
#endif
+#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return gnutls_pkcs11_privkey_get_pk_algorithm (key->key.pkcs11, bits);
+#endif
case GNUTLS_PRIVKEY_X509:
if (bits)
*bits = _gnutls_mpi_get_nbits (key->key.x509->params[0]);
@@ -276,9 +279,11 @@ gnutls_privkey_deinit (gnutls_privkey_t key)
gnutls_openpgp_privkey_deinit (key->key.openpgp);
break;
#endif
+#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
gnutls_pkcs11_privkey_deinit (key->key.pkcs11);
break;
+#endif
case GNUTLS_PRIVKEY_X509:
gnutls_x509_privkey_deinit (key->key.x509);
break;
@@ -296,6 +301,8 @@ static int check_if_clean(gnutls_privkey_t key)
return 0;
}
+#ifdef ENABLE_PKCS11
+
/**
* gnutls_privkey_import_pkcs11:
* @pkey: The private key
@@ -332,6 +339,8 @@ int ret;
return 0;
}
+#endif /* ENABLE_PKCS11 */
+
/**
* gnutls_privkey_import_x509:
* @pkey: The private key
@@ -567,9 +576,11 @@ _gnutls_privkey_sign_hash (gnutls_privkey_t key,
return gnutls_openpgp_privkey_sign_hash (key->key.openpgp,
hash, signature);
#endif
+#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return _gnutls_pkcs11_privkey_sign_hash (key->key.pkcs11,
hash, signature);
+#endif
case GNUTLS_PRIVKEY_X509:
return _gnutls_soft_sign (key->key.x509->pk_algorithm,
key->key.x509->params,
@@ -616,10 +627,12 @@ gnutls_privkey_decrypt_data (gnutls_privkey_t key,
return _gnutls_pkcs1_rsa_decrypt (plaintext, ciphertext,
key->key.x509->params,
key->key.x509->params_size, 2);
+#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return _gnutls_pkcs11_privkey_decrypt_data (key->key.pkcs11,
flags,
ciphertext, plaintext);
+#endif
default:
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 49688f7..dc4f545 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -21,7 +21,6 @@
*/
#include <gnutls_int.h>
-#include <pakchois/pakchois.h>
#include <gnutls/pkcs11.h>
#include <stdio.h>
#include <string.h>
@@ -32,7 +31,6 @@
#include <gnutls_pk.h>
#include <x509_int.h>
#include <openpgp/openpgp_int.h>
-#include <pkcs11_int.h>
#include <gnutls_num.h>
#include <x509/common.h>
#include <x509_b64.h>
@@ -272,6 +270,7 @@ gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t
key,
return ret;
}
+#ifdef ENABLE_PKCS11
/**
* gnutls_pubkey_import_pkcs11: Imports a public key from a pkcs11 key
@@ -325,6 +324,8 @@ gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t key,
return 0;
}
+#endif /* ENABLE_PKCS11 */
+
#ifdef ENABLE_OPENPGP
/**
* gnutls_pubkey_import_openpgp: Imports a public key from an openpgp key
@@ -846,6 +847,8 @@ gnutls_pubkey_set_key_usage (gnutls_pubkey_t key, unsigned
int usage)
return 0;
}
+#ifdef ENABLE_PKCS11
+
/**
* gnutls_pubkey_import_pkcs11_url:
* @key: A key of type #gnutls_pubkey_t
@@ -895,6 +898,8 @@ cleanup:
return ret;
}
+#endif /* ENABLE_PKCS11 */
+
/**
* gnutls_pubkey_import_rsa_raw:
* @key: Is a structure will hold the parameters
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 6ee0549..9b74ef5 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -491,6 +491,8 @@ read_key_mem (gnutls_certificate_credentials_t res,
return 0;
}
+#ifdef ENABLE_PKCS11
+
/* Reads a private key from a token.
*/
static int
@@ -688,6 +690,8 @@ read_cert_url (gnutls_certificate_credentials_t res, const
char *url)
}
+#endif /* ENABLE_PKCS11 */
+
/* Reads a certificate file
*/
static int
@@ -698,10 +702,12 @@ read_cert_file (gnutls_certificate_credentials_t res,
size_t size;
char *data;
+#ifdef ENABLE_PKCS11
if (strncmp (certfile, "pkcs11:", 7) == 0)
{
return read_cert_url (res, certfile);
}
+#endif /* ENABLE_PKCS11 */
data = read_binary_file (certfile, &size);
@@ -731,10 +737,12 @@ read_key_file (gnutls_certificate_credentials_t res,
size_t size;
char *data;
+#ifdef ENABLE_PKCS11
if (strncmp (keyfile, "pkcs11:", 7) == 0)
{
return read_key_url (res, keyfile);
}
+#endif /* ENABLE_PKCS11 */
data = read_binary_file (keyfile, &size);
@@ -1449,10 +1457,12 @@ gnutls_certificate_set_x509_trust_file
(gnutls_certificate_credentials_t res,
size_t size;
char *data;
+#ifdef ENABLE_PKCS11
if (strncmp (cafile, "pkcs11:", 7) == 0)
{
return read_cas_url (res, cafile);
}
+#endif
data = read_binary_file (cafile, &size);
if (data == NULL)
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index c1b7981..18e9586 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -23,6 +23,7 @@ typedef int (*gnutls_pkcs11_token_callback_t) (void *const
global_data,
* gnutls_pkcs11_pin_flag_t:
* @GNUTLS_PKCS11_PIN_USER: The PIN for the user.
* @GNUTLS_PKCS11_PIN_SO: The PIN for the security officer.
+ * @GNUTLS_PKCS11_PIN_CONTEXT_SPECIFIC: The PIN is for a specific action and
key like signing.
* @GNUTLS_PKCS11_PIN_FINAL_TRY: This is the final try before blocking.
* @GNUTLS_PKCS11_PIN_COUNT_LOW: Few tries remain before token blocks.
*
@@ -32,8 +33,9 @@ typedef enum
{
GNUTLS_PKCS11_PIN_USER = (1 << 0),
GNUTLS_PKCS11_PIN_SO = (1 << 1),
+ GNUTLS_PKCS11_PIN_CONTEXT_SPECIFIC = (1 << 4),
GNUTLS_PKCS11_PIN_FINAL_TRY = (1 << 2),
- GNUTLS_PKCS11_PIN_COUNT_LOW = (1 << 3)
+ GNUTLS_PKCS11_PIN_COUNT_LOW = (1 << 3),
} gnutls_pkcs11_pin_flag_t;
typedef int (*gnutls_pkcs11_pin_callback_t) (void *userdata, int attempt,
@@ -55,7 +57,7 @@ typedef struct gnutls_pkcs11_obj_st *gnutls_pkcs11_obj_t;
* load = /lib/yyy-pkcs11.so
*/
-int gnutls_pkcs11_init (unsigned int flags, const char *configfile);
+int gnutls_pkcs11_init (unsigned int flags, const char
*deprecated_config_file);
void gnutls_pkcs11_deinit (void);
void gnutls_pkcs11_set_token_function (gnutls_pkcs11_token_callback_t fn,
void *userdata);
diff --git a/lib/pakchois/dlopen.c b/lib/pakchois/dlopen.c
deleted file mode 100644
index f74a45d..0000000
--- a/lib/pakchois/dlopen.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2010
- * Free Software Foundation, Inc.
- *
- * Author: Nikos Mavrogiannopoulos
- *
- * This file is part of GnuTLS.
- *
- * The GnuTLS is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-#include "dlopen.h"
-
-#ifdef _WIN32
-
-#include <windows.h>
-
-void *
-dlopen (const char *filename, int flag)
-{
- return LoadLibrary (filename);
-}
-
-
-void *
-dlsym (void *handle, const char *symbol)
-{
- return GetProcAddress ((HINSTANCE) handle, symbol);
-}
-
-int
-dlclose (void *handle)
-{
- return !FreeLibrary ((HINSTANCE) handle);
-}
-
-#endif
diff --git a/lib/pakchois/dlopen.h b/lib/pakchois/dlopen.h
deleted file mode 100644
index 47362cb..0000000
--- a/lib/pakchois/dlopen.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef DLOPEN_H
-#define DLOPEN_H
-
-#include "config.h"
-
-#ifdef _WIN32
-
-#define RTLD_LOCAL 0
-#define RTLD_NOW 1
-
-void *dlopen (const char *filename, int flag);
-void *dlsym (void *handle, const char *symbol);
-int dlclose (void *handle);
-
-#else
-
-#include <dlfcn.h>
-
-#endif
-
-#endif
diff --git a/lib/pakchois/errors.c b/lib/pakchois/errors.c
deleted file mode 100644
index d223239..0000000
--- a/lib/pakchois/errors.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- pakchois PKCS#11 interface -- error mapping
- Copyright (C) 2008, Joe Orton <address@hidden>
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the Free
- Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- MA 02111-1307, USA
-*/
-
-/*
- This code is directly derived from the scute.org PKCS#11 cryptoki
- interface, which is:
-
- Copyright 2006, 2007 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.
-*/
-
-#include "config.h"
-
-#include "pakchois.h"
-
-#ifdef ENABLE_NLS
-#include <libintl.h>
-#define _(x) dgettext(PACKAGE_NAME, x)
-#else
-#define _(x) x
-#endif
-
-const char *
-pakchois_error (ck_rv_t rv)
-{
- if (rv >= CKR_VENDOR_DEFINED)
- {
- return _("Vendor defined error");
- }
-
- switch (rv)
- {
- case CKR_OK:
- return _("OK");
- case CKR_CANCEL:
- return _("Cancel");
- case CKR_HOST_MEMORY:
- return _("Host memory");
- case CKR_SLOT_ID_INVALID:
- return _("Slot id invalid");
- case CKR_GENERAL_ERROR:
- return _("General error");
- case CKR_FUNCTION_FAILED:
- return _("Function failed");
- case CKR_ARGUMENTS_BAD:
- return _("Arguments bad");
- case CKR_NO_EVENT:
- return _("No event");
- case CKR_NEED_TO_CREATE_THREADS:
- return _("Need to create threads");
- case CKR_CANT_LOCK:
- return _("Can't lock");
- case CKR_ATTRIBUTE_READ_ONLY:
- return _("Attribute read only");
- case CKR_ATTRIBUTE_SENSITIVE:
- return _("Attribute sensitive");
- case CKR_ATTRIBUTE_TYPE_INVALID:
- return _("Attribute type invalid");
- case CKR_ATTRIBUTE_VALUE_INVALID:
- return _("Attribute value invalid");
- case CKR_DATA_INVALID:
- return _("Data invalid");
- case CKR_DATA_LEN_RANGE:
- return _("Data len range");
- case CKR_DEVICE_ERROR:
- return _("Device error");
- case CKR_DEVICE_MEMORY:
- return _("Device memory");
- case CKR_DEVICE_REMOVED:
- return _("Device removed");
- case CKR_ENCRYPTED_DATA_INVALID:
- return _("Encrypted data invalid");
- case CKR_ENCRYPTED_DATA_LEN_RANGE:
- return _("Encrypted data len range");
- case CKR_FUNCTION_CANCELED:
- return _("Function canceled");
- case CKR_FUNCTION_NOT_PARALLEL:
- return _("Function not parallel");
- case CKR_FUNCTION_NOT_SUPPORTED:
- return _("Function not supported");
- case CKR_KEY_HANDLE_INVALID:
- return _("Key handle invalid");
- case CKR_KEY_SIZE_RANGE:
- return _("Key size range");
- case CKR_KEY_TYPE_INCONSISTENT:
- return _("Key type inconsistent");
- case CKR_KEY_NOT_NEEDED:
- return _("Key not needed");
- case CKR_KEY_CHANGED:
- return _("Key changed");
- case CKR_KEY_NEEDED:
- return _("Key needed");
- case CKR_KEY_INDIGESTIBLE:
- return _("Key indigestible");
- case CKR_KEY_FUNCTION_NOT_PERMITTED:
- return _("Key function not permitted");
- case CKR_KEY_NOT_WRAPPABLE:
- return _("Key not wrappable");
- case CKR_KEY_UNEXTRACTABLE:
- return _("Key unextractable");
- case CKR_MECHANISM_INVALID:
- return _("Mechanism invalid");
- case CKR_MECHANISM_PARAM_INVALID:
- return _("Mechanism param invalid");
- case CKR_OBJECT_HANDLE_INVALID:
- return _("Object handle invalid");
- case CKR_OPERATION_ACTIVE:
- return _("Operation active");
- case CKR_OPERATION_NOT_INITIALIZED:
- return _("Operation not initialized");
- case CKR_PIN_INCORRECT:
- return _("PIN incorrect");
- case CKR_PIN_INVALID:
- return _("PIN invalid");
- case CKR_PIN_LEN_RANGE:
- return _("PIN len range");
- case CKR_PIN_EXPIRED:
- return _("PIN expired");
- case CKR_PIN_LOCKED:
- return _("PIN locked");
- case CKR_SESSION_CLOSED:
- return _("Session closed");
- case CKR_SESSION_COUNT:
- return _("Session count");
- case CKR_SESSION_HANDLE_INVALID:
- return _("Session handle invalid");
- case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
- return _("Session parallel not supported");
- case CKR_SESSION_READ_ONLY:
- return _("Session read only");
- case CKR_SESSION_EXISTS:
- return _("Session exists");
- case CKR_SESSION_READ_ONLY_EXISTS:
- return _("Session read only exists");
- case CKR_SESSION_READ_WRITE_SO_EXISTS:
- return _("Session read write so exists");
- case CKR_SIGNATURE_INVALID:
- return _("Signature invalid");
- case CKR_SIGNATURE_LEN_RANGE:
- return _("Signature length range");
- case CKR_TEMPLATE_INCOMPLETE:
- return _("Template incomplete");
- case CKR_TEMPLATE_INCONSISTENT:
- return _("Template inconsistent");
- case CKR_TOKEN_NOT_PRESENT:
- return _("Token not present");
- case CKR_TOKEN_NOT_RECOGNIZED:
- return _("Token not recognized");
- case CKR_TOKEN_WRITE_PROTECTED:
- return _("Token write protected");
- case CKR_UNWRAPPING_KEY_HANDLE_INVALID:
- return _("Unwrapping key handle invalid");
- case CKR_UNWRAPPING_KEY_SIZE_RANGE:
- return _("Unwrapping key size range");
- case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT:
- return _("Unwrapping key type inconsistent");
- case CKR_USER_ALREADY_LOGGED_IN:
- return _("User already logged in");
- case CKR_USER_NOT_LOGGED_IN:
- return _("User not logged in");
- case CKR_USER_PIN_NOT_INITIALIZED:
- return _("User PIN not initialized");
- case CKR_USER_TYPE_INVALID:
- return _("User type invalid");
- case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
- return _("Another user already logged in");
- case CKR_USER_TOO_MANY_TYPES:
- return _("User too many types");
- case CKR_WRAPPED_KEY_INVALID:
- return _("Wrapped key invalid");
- case CKR_WRAPPED_KEY_LEN_RANGE:
- return _("Wrapped key length range");
- case CKR_WRAPPING_KEY_HANDLE_INVALID:
- return _("Wrapping key handle invalid");
- case CKR_WRAPPING_KEY_SIZE_RANGE:
- return _("Wrapping key size range");
- case CKR_WRAPPING_KEY_TYPE_INCONSISTENT:
- return _("Wrapping key type inconsistent");
- case CKR_RANDOM_SEED_NOT_SUPPORTED:
- return _("Random seed not supported");
- case CKR_RANDOM_NO_RNG:
- return _("Random no rng");
- case CKR_DOMAIN_PARAMS_INVALID:
- return _("Domain params invalid");
- case CKR_BUFFER_TOO_SMALL:
- return _("Buffer too small");
- case CKR_SAVED_STATE_INVALID:
- return _("Saved state invalid");
- case CKR_INFORMATION_SENSITIVE:
- return _("Information sensitive");
- case CKR_STATE_UNSAVEABLE:
- return _("State unsaveable");
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- return _("Cryptoki not initialized");
- case CKR_CRYPTOKI_ALREADY_INITIALIZED:
- return _("Cryptoki already initialized");
- case CKR_MUTEX_BAD:
- return _("Mutex bad");
- case CKR_MUTEX_NOT_LOCKED:
- return _("Mutex not locked");
- case CKR_FUNCTION_REJECTED:
- return _("Function rejected");
- default:
- break;
- }
-
- return _("Unknown error");
-}
diff --git a/lib/pakchois/pakchois.c b/lib/pakchois/pakchois.c
deleted file mode 100644
index decd752..0000000
--- a/lib/pakchois/pakchois.c
+++ /dev/null
@@ -1,1242 +0,0 @@
-/*
- pakchois PKCS#11 interface
- Copyright (C) 2008, Joe Orton <address@hidden>
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the Free
- Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- MA 02111-1307, USA
-*/
-
-/*
- The interface is directly derived from the scute.org PKCS#11
- cryptoki interface, which is:
-
- Copyright 2006, 2007 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.
-*/
-
-#include "config.h"
-
-#include <limits.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include "../locks.h"
-#include "../system.h"
-#include "dlopen.h"
-
-#ifdef HAVE_WORDEXP
-#include <wordexp.h>
-#endif
-#include "pakchois.h"
-
-struct provider
-{
- dev_t dev;
- ino_t ino;
- char *name;
- void *handle;
- void *mutex;
- const struct ck_function_list *fns;
- unsigned int refcount;
- unsigned int finalize:1; /* whether to finalize this one */
- struct provider *next, **prevref;
- void *reserved;
-};
-
-struct pakchois_module_s
-{
- struct slot *slots;
- struct provider *provider;
-};
-
-static void *provider_mutex = NULL;
-
-/* List of loaded providers; any modification to the list or any
- * individual module must performed whilst holding this mutex. */
-static struct provider *provider_list;
-
-struct pakchois_session_s
-{
- pakchois_module_t *module;
- ck_session_handle_t id;
- pakchois_notify_t notify;
- void *notify_data;
- /* Doubly-linked list. Either prevref = &previous->next or else
- * prevref = &slot->sessions for the list head. */
- pakchois_session_t **prevref;
- pakchois_session_t *next;
-};
-
-struct slot
-{
- ck_slot_id_t id;
- pakchois_session_t *sessions;
- struct slot *next;
-};
-
-#define DIR_DELIMITER '/'
-
-static char *
-pkcs11ize (const char *name)
-{
- int len;
- char *oname;
- char *base;
- char *suffix;
-
- oname = strdup (name);
- if (oname == NULL)
- {
- return NULL;
- }
-
- /* basename has too many ifs to use */
- base = strrchr (oname, DIR_DELIMITER);
- if (base == NULL)
- {
- base = oname;
- }
- else
- {
- base++;
- }
-
- suffix = strchr (base, '.');
- if (suffix != NULL)
- {
- if (strncmp (suffix, ".so", 3) == 0)
- {
- suffix[0] = 0; /* null terminate before . */
- }
- }
-
- /* check and remove for -p11 or -pkcs11 */
- suffix = base;
- while ((suffix = strchr (suffix, '-')) != NULL)
- {
- if (strncasecmp (suffix, "-p11", 4) == 0 ||
- strncasecmp (suffix, "-pkcs11", 7) == 0)
- {
- suffix[0] = 0;
- break;
- }
- suffix++;
- }
-
- len = strlen (base);
-
- memmove (oname, base, len);
- oname[len] = 0;
-
- return oname;
-}
-
-static const char *suffix_prefixes[][2] = {
- {"lib", "pk11.so"},
- {"", "-pkcs11.so"},
- {"", ".so"},
- {"lib", ".so"},
- {NULL, NULL}
-};
-
-#define CALL(name, args) (mod->provider->fns->C_ ## name) args
-#define CALLS(name, args) (sess->module->provider->fns->C_ ## name) args
-#define CALLS1(n, a) CALLS(n, (sess->id, a))
-#define CALLS2(n, a, b) CALLS(n, (sess->id, a, b))
-#define CALLS3(n, a, b, c) CALLS(n, (sess->id, a, b, c))
-#define CALLS4(n, a, b, c, d) CALLS(n, (sess->id, a, b, c, d))
-#define CALLS5(n, a, b, c, d, e) CALLS(n, (sess->id, a, b, c, d, e))
-#define CALLS7(n, a, b, c, d, e, f, g) CALLS(n, (sess->id, a, b, c, d, e, f,
g))
-
-#ifndef PAKCHOIS_MODPATH
-#define PAKCHOIS_MODPATH "/lib:/usr/lib"
-#endif
-
-/* Returns an allocated name of the real module as well
- * as it's inode and device numbers.
- */
-static char *
-find_pkcs11_module_name (const char *hint, dev_t * dev, ino_t * ino)
-{
- char module_path[] = PAKCHOIS_MODPATH;
- char *next = module_path;
- struct stat st;
-
- while (next)
- {
- char *dir = next, *sep = strchr (next, ':');
- unsigned i;
-
- if (sep)
- {
- *sep++ = '\0';
- next = sep;
- }
- else
- {
- next = NULL;
- }
-
- for (i = 0; suffix_prefixes[i][0]; i++)
- {
- char path[PATH_MAX];
-
- snprintf (path, sizeof path, "%s/%s%s%s", dir,
- suffix_prefixes[i][0], hint, suffix_prefixes[i][1]);
-
- if (stat (path, &st) < 0)
- continue;
-
- *dev = st.st_dev;
- *ino = st.st_ino;
-
- return strdup (path);
- }
- }
-
- return NULL;
-}
-
-/* Expands the given filename and returns an allocated
- * string, if the expanded file exists. In that case
- * dev and ino are filled in as well.
- */
-static char *
-find_real_module_name (const char *name, dev_t * dev, ino_t * ino)
-{
- char *exname = NULL;
- struct stat st;
-#ifdef HAVE_WORDEXP
- int len;
- wordexp_t we;
-
- len = wordexp (name, &we, 0);
- if (len == 0)
- { /* success */
- if (we.we_wordc > 0)
- { /* we care about the 1st */
- exname = strdup (we.we_wordv[0]);
- }
- wordfree (&we);
- }
-#endif
-
- if (exname == NULL)
- exname = strdup (name);
-
- /* find file information */
- if (exname != NULL)
- {
- if (stat (exname, &st) >= 0)
- {
- *dev = st.st_dev;
- *ino = st.st_ino;
- }
- else
- {
- free (exname);
- return NULL;
- }
- }
-
- return exname;
-}
-
-static struct provider *
-find_provider (dev_t dev, ino_t ino)
-{
- struct provider *p;
-
- for (p = provider_list; p; p = p->next)
- {
- if (dev == p->dev && ino == p->ino)
- {
- return p;
- }
- }
-
- return NULL;
-}
-
-/* The provider list must be locked when calling it
- */
-static ck_rv_t
-load_pkcs11_module (struct provider **provider,
- const char *name, dev_t dev, ino_t ino, void *reserved)
-{
- struct provider *prov;
- CK_C_GetFunctionList gfl;
- struct ck_c_initialize_args args;
- struct ck_function_list *fns;
- void *h;
- ck_rv_t rv;
-
- /* try the plain name first */
- h = dlopen (name, RTLD_LOCAL | RTLD_NOW);
- if (h == NULL)
- {
- return CKR_GENERAL_ERROR;
- }
-
- gfl = dlsym (h, "C_GetFunctionList");
- if (!gfl)
- {
- rv = CKR_GENERAL_ERROR;
- goto fail_dso;
- }
-
- prov = malloc (sizeof *prov);
- if (prov == NULL)
- {
- rv = CKR_HOST_MEMORY;
- goto fail_dso;
- }
-
- if (gnutls_mutex_init (&prov->mutex))
- {
- rv = CKR_CANT_LOCK;
- goto fail_ctx;
- }
-
- rv = gfl (&fns);
- if (rv != CKR_OK)
- {
- goto fail_ctx;
- }
-
- prov->dev = dev;
- prov->ino = ino;
- prov->name = pkcs11ize (name);
- prov->handle = h;
- prov->fns = fns;
- prov->refcount = 1;
- prov->reserved = reserved;
-
- /* Require OS locking, the only sane option. */
- memset (&args, 0, sizeof args);
- args.flags = CKF_OS_LOCKING_OK;
- args.reserved = reserved;
-
- rv = fns->C_Initialize (&args);
- if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)
- {
- goto fail_ctx;
- }
-
- /* no need to finalize if someone else has
- * initialized the library before us.
- */
- if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED)
- prov->finalize = 0;
- else
- prov->finalize = 1;
-
- prov->next = provider_list;
- prov->prevref = &provider_list;
- if (prov->next)
- {
- prov->next->prevref = &prov->next;
- }
- provider_list = prov;
-
- *provider = prov;
- return CKR_OK;
-
-fail_ctx:
- free (prov);
-fail_dso:
- dlclose (h);
-
- return rv;
-}
-
-/* Will load a provider using the given name. If real_name is zero
- * name is used as a hint to find library otherwise it is used as
- * absolute name.
- */
-static ck_rv_t
-load_provider (struct provider **provider, const char *name,
- void *reserved, int real_name)
-{
- ck_rv_t rv;
- char *cname = NULL;
- dev_t dev;
- ino_t ino;
-
- if (gnutls_mutex_lock (&provider_mutex) != 0)
- {
- return CKR_CANT_LOCK;
- }
-
- if (real_name)
- {
- cname = find_real_module_name (name, &dev, &ino);
- }
- else
- {
- cname = find_pkcs11_module_name (name, &dev, &ino);
- }
-
- if (cname == NULL)
- {
- rv = CKR_ARGUMENTS_BAD;
- goto fail_locked;
- }
-
- *provider = find_provider (dev, ino);
- if (*provider)
- {
- (*provider)->refcount++;
- free (cname);
- gnutls_mutex_unlock (&provider_mutex);
- return CKR_OK;
- }
-
- rv = load_pkcs11_module (provider, cname, dev, ino, reserved);
- if (rv != CKR_OK)
- {
- goto fail_ndup;
- }
-
- rv = CKR_OK;
-
-fail_ndup:
- free (cname);
-fail_locked:
- gnutls_mutex_unlock (&provider_mutex);
- return rv;
-}
-
-static void
-providers_reinit (void)
-{
- struct ck_c_initialize_args args;
- ck_rv_t rv;
- struct provider *p;
-
- assert (gnutls_mutex_lock (&provider_mutex) == 0);
-
- memset (&args, 0, sizeof args);
- args.flags = CKF_OS_LOCKING_OK;
-
- for (p = provider_list; p; p = p->next)
- {
- args.reserved = p->reserved;
- rv = p->fns->C_Initialize (&args);
- assert (rv == CKR_OK); /* what can we do? */
- }
-
- gnutls_mutex_unlock (&provider_mutex);
-}
-
-static ck_rv_t
-load_module (pakchois_module_t ** module, const char *name,
- void *reserved, unsigned int real_name)
-{
- ck_rv_t rv;
- pakchois_module_t *pm = malloc (sizeof *pm);
- static int forkinit = 0;
-
- if (!pm)
- {
- return CKR_HOST_MEMORY;
- }
-
- if (provider_mutex == NULL)
- {
- gnutls_mutex_init (&provider_mutex);
- }
-
- assert (gnutls_mutex_lock (&provider_mutex) == 0);
-
- if (forkinit == 0)
- {
- _gnutls_atfork (NULL, NULL, providers_reinit);
- forkinit++;
- }
-
- gnutls_mutex_unlock (&provider_mutex);
-
- rv = load_provider (&pm->provider, name, reserved, real_name);
- if (rv)
- {
- return rv;
- }
-
- *module = pm;
- pm->slots = NULL;
-
- return CKR_OK;
-}
-
-ck_rv_t
-pakchois_module_load (pakchois_module_t ** module, const char *name)
-{
- return load_module (module, name, NULL, 0);
-}
-
-ck_rv_t
-pakchois_module_load_abs (pakchois_module_t ** module, const char *name)
-{
- return load_module (module, name, NULL, 1);
-}
-
-ck_rv_t
-pakchois_module_nssload (pakchois_module_t ** module,
- const char *name,
- const char *directory,
- const char *cert_prefix,
- const char *key_prefix, const char *secmod_db)
-{
- char buf[256];
-
- snprintf (buf, sizeof buf,
- "configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s'",
- directory, cert_prefix ? cert_prefix : "",
- key_prefix ? key_prefix : "",
- secmod_db ? secmod_db : "secmod.db");
-
- return load_module (module, name, buf, 0);
-}
-
-ck_rv_t
-pakchois_module_nssload_abs (pakchois_module_t ** module,
- const char *name,
- const char *directory,
- const char *cert_prefix,
- const char *key_prefix, const char *secmod_db)
-{
- char buf[256];
-
- snprintf (buf, sizeof buf,
- "configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s'",
- directory, cert_prefix ? cert_prefix : "",
- key_prefix ? key_prefix : "",
- secmod_db ? secmod_db : "secmod.db");
-
- return load_module (module, name, buf, 1);
-}
-
-/* Unreference a provider structure and destoy if, if necessary. Must
- * be called WIHTOUT the provider mutex held. */
-static void
-provider_unref (struct provider *prov)
-{
- assert (gnutls_mutex_lock (&provider_mutex) == 0);
-
- if (--prov->refcount == 0)
- {
- if (prov->finalize)
- prov->fns->C_Finalize (NULL);
- dlclose (prov->handle);
- *prov->prevref = prov->next;
- if (prov->next)
- {
- prov->next->prevref = prov->prevref;
- }
- free (prov->name);
- free (prov);
- }
- gnutls_mutex_unlock (&provider_mutex);
-}
-
-void
-pakchois_module_destroy (pakchois_module_t * mod)
-{
- provider_unref (mod->provider);
-
- while (mod->slots)
- {
- struct slot *slot = mod->slots;
- pakchois_close_all_sessions (mod, slot->id);
- mod->slots = slot->next;
- free (slot);
- }
-
- free (mod);
-}
-
-void pakchois_destructor (void)
-{
- if (provider_mutex != NULL)
- {
- gnutls_mutex_deinit (&provider_mutex);
- provider_mutex = NULL;
- }
-}
-
-ck_rv_t
-pakchois_get_info (pakchois_module_t * mod, struct ck_info *info)
-{
- return CALL (GetInfo, (info));
-}
-
-ck_rv_t
-pakchois_get_slot_list (pakchois_module_t * mod,
- unsigned char token_present,
- ck_slot_id_t * slot_list, unsigned long *count)
-{
- return CALL (GetSlotList, (token_present, slot_list, count));
-}
-
-ck_rv_t
-pakchois_get_slot_info (pakchois_module_t * mod,
- ck_slot_id_t slot_id, struct ck_slot_info * info)
-{
- return CALL (GetSlotInfo, (slot_id, info));
-}
-
-ck_rv_t
-pakchois_get_token_info (pakchois_module_t * mod,
- ck_slot_id_t slot_id, struct ck_token_info * info)
-{
- return CALL (GetTokenInfo, (slot_id, info));
-}
-
-ck_rv_t
-pakchois_wait_for_slot_event (pakchois_module_t * mod,
- ck_flags_t flags, ck_slot_id_t * slot,
- void *reserved)
-{
- ck_rv_t rv;
-
- if (gnutls_mutex_lock (&mod->provider->mutex))
- {
- return CKR_CANT_LOCK;
- }
-
- rv = CALL (WaitForSlotEvent, (flags, slot, reserved));
- gnutls_mutex_unlock (&mod->provider->mutex);
- return rv;
-}
-
-ck_rv_t
-pakchois_get_mechanism_list (pakchois_module_t * mod,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t * mechanism_list,
- unsigned long *count)
-{
- return CALL (GetMechanismList, (slot_id, mechanism_list, count));
-}
-
-ck_rv_t
-pakchois_get_mechanism_info (pakchois_module_t * mod,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t type,
- struct ck_mechanism_info * info)
-{
- return CALL (GetMechanismInfo, (slot_id, type, info));
-}
-
-ck_rv_t
-pakchois_init_token (pakchois_module_t * mod,
- ck_slot_id_t slot_id, unsigned char *pin,
- unsigned long pin_len, unsigned char *label)
-{
- return CALL (InitToken, (slot_id, pin, pin_len, label));
-}
-
-ck_rv_t
-pakchois_init_pin (pakchois_session_t * sess, unsigned char *pin,
- unsigned long pin_len)
-{
- return CALLS2 (InitPIN, pin, pin_len);
-}
-
-ck_rv_t
-pakchois_set_pin (pakchois_session_t * sess, unsigned char *old_pin,
- unsigned long old_len, unsigned char *new_pin,
- unsigned long new_len)
-{
- return CALLS4 (SetPIN, old_pin, old_len, new_pin, new_len);
-}
-
-static ck_rv_t
-notify_thunk (ck_session_handle_t session,
- ck_notification_t event, void *application)
-{
- pakchois_session_t *sess = application;
-
- return sess->notify (sess, event, sess->notify_data);
-}
-
-static struct slot *
-find_slot (pakchois_module_t * mod, ck_slot_id_t id)
-{
- struct slot *slot;
-
- for (slot = mod->slots; slot; slot = slot->next)
- if (slot->id == id)
- return slot;
-
- return NULL;
-}
-
-static struct slot *
-find_or_create_slot (pakchois_module_t * mod, ck_slot_id_t id)
-{
- struct slot *slot = find_slot (mod, id);
-
- if (slot)
- {
- return slot;
- }
-
- slot = malloc (sizeof *slot);
- if (!slot)
- {
- return NULL;
- }
-
- slot->id = id;
- slot->sessions = NULL;
- slot->next = mod->slots;
- mod->slots = slot;
-
- return slot;
-}
-
-static ck_rv_t
-insert_session (pakchois_module_t * mod,
- pakchois_session_t * session, ck_slot_id_t id)
-{
- struct slot *slot = find_or_create_slot (mod, id);
-
- if (!slot)
- {
- return CKR_HOST_MEMORY;
- }
-
- session->prevref = &slot->sessions;
- session->next = slot->sessions;
- if (session->next)
- {
- session->next->prevref = session->prevref;
- }
- slot->sessions = session;
-
- return CKR_OK;
-}
-
-ck_rv_t
-pakchois_open_session (pakchois_module_t * mod,
- ck_slot_id_t slot_id, ck_flags_t flags,
- void *application, pakchois_notify_t notify,
- pakchois_session_t ** session)
-{
- ck_session_handle_t sh;
- pakchois_session_t *sess;
- ck_rv_t rv;
-
- sess = calloc (1, sizeof *sess);
- if (sess == NULL)
- {
- return CKR_HOST_MEMORY;
- }
-
- rv = CALL (OpenSession, (slot_id, flags, sess, notify_thunk, &sh));
- if (rv != CKR_OK)
- {
- free (sess);
- return rv;
- }
-
- *session = sess;
- sess->module = mod;
- sess->id = sh;
-
- return insert_session (mod, sess, slot_id);
-}
-
-ck_rv_t
-pakchois_close_session (pakchois_session_t * sess)
-{
- /* PKCS#11 says that all bets are off on failure, so destroy the
- * session object and just return the error code. */
- ck_rv_t rv = CALLS (CloseSession, (sess->id));
- *sess->prevref = sess->next;
- if (sess->next)
- {
- sess->next->prevref = sess->prevref;
- }
- free (sess);
- return rv;
-}
-
-ck_rv_t
-pakchois_close_all_sessions (pakchois_module_t * mod, ck_slot_id_t slot_id)
-{
- struct slot *slot;
- ck_rv_t rv, frv = CKR_OK;
-
- slot = find_slot (mod, slot_id);
-
- if (!slot)
- {
- return CKR_SLOT_ID_INVALID;
- }
-
- while (slot->sessions)
- {
- rv = pakchois_close_session (slot->sessions);
- if (rv != CKR_OK)
- {
- frv = rv;
- }
- slot = slot->next;
- }
-
- return frv;
-}
-
-ck_rv_t
-pakchois_get_session_info (pakchois_session_t * sess,
- struct ck_session_info * info)
-{
- return CALLS1 (GetSessionInfo, info);
-}
-
-ck_rv_t
-pakchois_get_operation_state (pakchois_session_t * sess,
- unsigned char *operation_state,
- unsigned long *operation_state_len)
-{
- return CALLS2 (GetOperationState, operation_state, operation_state_len);
-}
-
-ck_rv_t
-pakchois_set_operation_state (pakchois_session_t * sess,
- unsigned char *operation_state,
- unsigned long operation_state_len,
- ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key)
-{
- return CALLS4 (SetOperationState, operation_state,
- operation_state_len, encryption_key, authentiation_key);
-}
-
-ck_rv_t
-pakchois_login (pakchois_session_t * sess, ck_user_type_t user_type,
- unsigned char *pin, unsigned long pin_len)
-{
- return CALLS3 (Login, user_type, pin, pin_len);
-}
-
-ck_rv_t
-pakchois_logout (pakchois_session_t * sess)
-{
- return CALLS (Logout, (sess->id));
-}
-
-ck_rv_t
-pakchois_create_object (pakchois_session_t * sess,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * object)
-{
- return CALLS3 (CreateObject, templ, count, object);
-}
-
-ck_rv_t
-pakchois_copy_object (pakchois_session_t * sess,
- ck_object_handle_t object,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * new_object)
-{
- return CALLS4 (CopyObject, object, templ, count, new_object);
-}
-
-ck_rv_t
-pakchois_destroy_object (pakchois_session_t * sess, ck_object_handle_t object)
-{
- return CALLS1 (DestroyObject, object);
-}
-
-ck_rv_t
-pakchois_get_object_size (pakchois_session_t * sess,
- ck_object_handle_t object, unsigned long *size)
-{
- return CALLS2 (GetObjectSize, object, size);
-}
-
-ck_rv_t
-pakchois_get_attribute_value (pakchois_session_t * sess,
- ck_object_handle_t object,
- struct ck_attribute * templ,
- unsigned long count)
-{
- return CALLS3 (GetAttributeValue, object, templ, count);
-}
-
-ck_rv_t
-pakchois_set_attribute_value (pakchois_session_t * sess,
- ck_object_handle_t object,
- struct ck_attribute * templ,
- unsigned long count)
-{
- return CALLS3 (SetAttributeValue, object, templ, count);
-}
-
-ck_rv_t
-pakchois_find_objects_init (pakchois_session_t * sess,
- struct ck_attribute * templ, unsigned long count)
-{
- return CALLS2 (FindObjectsInit, templ, count);
-}
-
-ck_rv_t
-pakchois_find_objects (pakchois_session_t * sess,
- ck_object_handle_t * object,
- unsigned long max_object_count,
- unsigned long *object_count)
-{
- return CALLS3 (FindObjects, object, max_object_count, object_count);
-}
-
-ck_rv_t
-pakchois_find_objects_final (pakchois_session_t * sess)
-{
- return CALLS (FindObjectsFinal, (sess->id));
-}
-
-ck_rv_t
-pakchois_encrypt_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (EncryptInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_encrypt (pakchois_session_t * sess,
- unsigned char *data, unsigned long data_len,
- unsigned char *encrypted_data,
- unsigned long *encrypted_data_len)
-{
- return CALLS4 (Encrypt, data, data_len, encrypted_data, encrypted_data_len);
-}
-
-ck_rv_t
-pakchois_encrypt_update (pakchois_session_t * sess,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len)
-{
- return CALLS4 (EncryptUpdate, part, part_len,
- encrypted_part, encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_encrypt_final (pakchois_session_t * sess,
- unsigned char *last_encrypted_part,
- unsigned long *last_encrypted_part_len)
-{
- return CALLS2 (EncryptFinal, last_encrypted_part, last_encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (DecryptInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_decrypt (pakchois_session_t * sess,
- unsigned char *encrypted_data,
- unsigned long encrypted_data_len,
- unsigned char *data, unsigned long *data_len)
-{
- return CALLS4 (Decrypt, encrypted_data, encrypted_data_len, data, data_len);
-}
-
-ck_rv_t
-pakchois_decrypt_update (pakchois_session_t * sess,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len)
-{
- return CALLS4 (DecryptUpdate, encrypted_part, encrypted_part_len,
- part, part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_final (pakchois_session_t * sess,
- unsigned char *last_part,
- unsigned long *last_part_len)
-{
- return CALLS2 (DecryptFinal, last_part, last_part_len);
-}
-
-ck_rv_t
-pakchois_digest_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism)
-{
- return CALLS1 (DigestInit, mechanism);
-}
-
-ck_rv_t
-pakchois_digest (pakchois_session_t * sess, unsigned char *data,
- unsigned long data_len, unsigned char *digest,
- unsigned long *digest_len)
-{
- return CALLS4 (Digest, data, data_len, digest, digest_len);
-}
-
-ck_rv_t
-pakchois_digest_update (pakchois_session_t * sess,
- unsigned char *part, unsigned long part_len)
-{
- return CALLS2 (DigestUpdate, part, part_len);
-}
-
-ck_rv_t
-pakchois_digest_key (pakchois_session_t * sess, ck_object_handle_t key)
-{
- return CALLS1 (DigestKey, key);
-}
-
-ck_rv_t
-pakchois_digest_final (pakchois_session_t * sess,
- unsigned char *digest, unsigned long *digest_len)
-{
- return CALLS2 (DigestFinal, digest, digest_len);
-}
-
-ck_rv_t
-pakchois_sign_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism, ck_object_handle_t key)
-{
- return CALLS2 (SignInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_sign (pakchois_session_t * sess, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long *signature_len)
-{
- return CALLS4 (Sign, data, data_len, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_sign_update (pakchois_session_t * sess,
- unsigned char *part, unsigned long part_len)
-{
- return CALLS2 (SignUpdate, part, part_len);
-}
-
-ck_rv_t
-pakchois_sign_final (pakchois_session_t * sess,
- unsigned char *signature, unsigned long *signature_len)
-{
- return CALLS2 (SignFinal, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_sign_recover_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (SignRecoverInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_sign_recover (pakchois_session_t * sess,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature, unsigned long *signature_len)
-{
- return CALLS4 (SignRecover, data, data_len, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_verify_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism, ck_object_handle_t key)
-{
- return CALLS2 (VerifyInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_verify (pakchois_session_t * sess, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long signature_len)
-{
- return CALLS4 (Verify, data, data_len, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_verify_update (pakchois_session_t * sess,
- unsigned char *part, unsigned long part_len)
-{
- return CALLS2 (VerifyUpdate, part, part_len);
-}
-
-ck_rv_t
-pakchois_verify_final (pakchois_session_t * sess,
- unsigned char *signature, unsigned long signature_len)
-{
- return CALLS2 (VerifyFinal, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_verify_recover_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (VerifyRecoverInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_verify_recover (pakchois_session_t * sess,
- unsigned char *signature,
- unsigned long signature_len,
- unsigned char *data, unsigned long *data_len)
-{
- return CALLS4 (VerifyRecover, signature, signature_len, data, data_len);
-}
-
-ck_rv_t
-pakchois_digest_encrypt_update (pakchois_session_t * sess,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len)
-{
- return CALLS4 (DigestEncryptUpdate, part, part_len,
- encrypted_part, encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_digest_update (pakchois_session_t * sess,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len)
-{
- return CALLS4 (DecryptDigestUpdate, encrypted_part,
- encrypted_part_len, part, part_len);
-}
-
-ck_rv_t
-pakchois_sign_encrypt_update (pakchois_session_t * sess,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len)
-{
- return CALLS4 (SignEncryptUpdate, part, part_len,
- encrypted_part, encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_verify_update (pakchois_session_t * sess,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len)
-{
- return CALLS4 (DecryptVerifyUpdate, encrypted_part,
- encrypted_part_len, part, part_len);
-}
-
-ck_rv_t
-pakchois_generate_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * key)
-{
- return CALLS4 (GenerateKey, mechanism, templ, count, key);
-}
-
-ck_rv_t
-pakchois_generate_key_pair (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- struct ck_attribute *
- public_key_template,
- unsigned long
- public_key_attribute_count,
- struct ck_attribute *
- private_key_template,
- unsigned long
- private_key_attribute_count,
- ck_object_handle_t * public_key,
- ck_object_handle_t * private_key)
-{
- return CALLS7 (GenerateKeyPair, mechanism,
- public_key_template, public_key_attribute_count,
- private_key_template, private_key_attribute_count,
- public_key, private_key);
-}
-
-ck_rv_t
-pakchois_wrap_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t wrapping_key,
- ck_object_handle_t key,
- unsigned char *wrapped_key, unsigned long *wrapped_key_len)
-{
- return CALLS5 (WrapKey, mechanism, wrapping_key,
- key, wrapped_key, wrapped_key_len);
-}
-
-ck_rv_t
-pakchois_unwrap_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t unwrapping_key,
- unsigned char *wrapped_key,
- unsigned long wrapped_key_len,
- struct ck_attribute * templ,
- unsigned long attribute_count, ck_object_handle_t * key)
-{
- return CALLS7 (UnwrapKey, mechanism, unwrapping_key,
- wrapped_key, wrapped_key_len, templ, attribute_count, key);
-}
-
-ck_rv_t
-pakchois_derive_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t base_key,
- struct ck_attribute * templ,
- unsigned long attribute_count, ck_object_handle_t * key)
-{
- return CALLS5 (DeriveKey, mechanism, base_key, templ, attribute_count, key);
-}
-
-
-ck_rv_t
-pakchois_seed_random (pakchois_session_t * sess,
- unsigned char *seed, unsigned long seed_len)
-{
- return CALLS2 (SeedRandom, seed, seed_len);
-}
-
-ck_rv_t
-pakchois_generate_random (pakchois_session_t * sess,
- unsigned char *random_data,
- unsigned long random_len)
-{
- return CALLS2 (GenerateRandom, random_data, random_len);
-}
diff --git a/lib/pakchois/pakchois.h b/lib/pakchois/pakchois.h
deleted file mode 100644
index 16558ef..0000000
--- a/lib/pakchois/pakchois.h
+++ /dev/null
@@ -1,380 +0,0 @@
-/*
- pakchois PKCS#11 interface
- Copyright (C) 2008, Joe Orton <address@hidden>
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the Free
- Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- MA 02111-1307, USA
-
-*/
-
-/*
- This interface is directly derived from the scute.org PKCS#11
- cryptoki interface, which is:
-
- Copyright 2006, 2007 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.
-*/
-
-#ifndef PAKCHOIS_H
-#define PAKCHOIS_H
-
-#define CRYPTOKI_GNU
-
-#include "pakchois11.h"
-
-/* API version: major is bumped for any backwards-incompatible
- * changes. minor is bumped for any new interfaces. Note that the API
- * is versioned independent of the project release version. */
-#define PAKCHOIS_API_MAJOR (0)
-#define PAKCHOIS_API_MINOR (2)
-
-/* API version history (note that API versions do not map directly to
- the project version!):
-
- 0.1: Initial release
- 0.2: Addition of pakchois_error()
- Concurrent access guarantee added for pakchois_module_load()
- Thread-safety guarantee added for pakchois_wait_for_slot_event()
-*/
-
-typedef struct pakchois_module_s pakchois_module_t;
-typedef struct pakchois_session_s pakchois_session_t;
-
-/* Load a PKCS#11 module by name (for example "opensc" or
- * "gnome-keyring"). Returns CKR_OK on success. Any module of given
- * name may be safely loaded multiple times within an application; the
- * underlying PKCS#11 provider will be loaded only once. */
-ck_rv_t pakchois_module_load (pakchois_module_t ** module, const char *name);
-
-/* Load a PKCS#11 module by absolute file name (for example
"/lib/opensc-pkcs.so"
- * Returns CKR_OK on success. Any module of given name may be safely loaded
- * multiple times within an application; the underlying PKCS#11 provider will
- * be loaded only once. */
-ck_rv_t pakchois_module_load_abs (pakchois_module_t ** module,
- const char *name);
-
-/* Load an NSS "softokn" which violates the PKCS#11 standard in
- * initialization, with given name (e.g. "softokn3"). The directory
- * in which the NSS database resides must be specified; the other
- * arguments may be NULL to use defaults. Returns CKR_OK on
- * success. */
-ck_rv_t pakchois_module_nssload (pakchois_module_t ** module,
- const char *name,
- const char *directory,
- const char *cert_prefix,
- const char *key_prefix,
- const char *secmod_db);
-
-ck_rv_t pakchois_module_nssload_abs (pakchois_module_t ** module,
- const char *name,
- const char *directory,
- const char *cert_prefix,
- const char *key_prefix,
- const char *secmod_db);
-
-/* Destroy a PKCS#11 module. */
-void pakchois_module_destroy (pakchois_module_t * module);
-
-void pakchois_destructor (void);
-
-/* Return the error string corresponding to the given return value.
- * Never returns NULL. */
-const char *pakchois_error (ck_rv_t rv);
-
-/* All following interfaces model the PKCS#11 equivalents, without the
- camel-cased naming convention. The PKCS#11 specification has
- detailed interface descriptions:
-
- http://www.rsa.com/rsalabs/node.asp?id=2133
-
- The differences between this interface and PKCS#11 are:
-
- 1. some interfaces take a module pointer as first argument
-
- 2. session handlers are represented as opaque objects
-
- 3. the notify callback type has changed accordingly
-
- 4. the C_Initialize, C_Finalize, and C_GetFunctionList interfaces
- are not exposed (these are called internally by
- pakchois_module_load and pakchois_module_destroy)
-
- 5. pakchois_wait_for_slot_event() is thread-safe against other
- callers of pakchois_wait_for_slot_event(); the call to the
- underlying provider's WaitForSlotEvent function is protected by a
- mutex.
-
- 6. pakchois_close_all_sessions() only closes sessions associated
- with the given module instance; any sessions opened by other users
- of the underlying provider are unaffected.
-
- If a module object is used concurrently from separate threads,
- undefined behaviour results. If a session object is used
- concurrently from separate threads, undefined behavioure results.
-
-*/
-ck_rv_t pakchois_get_info (pakchois_module_t * module, struct ck_info *info);
-
-ck_rv_t pakchois_get_slot_list (pakchois_module_t * module,
- unsigned char token_present,
- ck_slot_id_t * slot_list,
- unsigned long *count);
-
-ck_rv_t pakchois_get_slot_info (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- struct ck_slot_info *info);
-
-ck_rv_t pakchois_get_token_info (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- struct ck_token_info *info);
-
-ck_rv_t pakchois_wait_for_slot_event (pakchois_module_t * module,
- ck_flags_t flags, ck_slot_id_t * slot,
- void *reserved);
-
-ck_rv_t pakchois_get_mechanism_list (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t * mechanism_list,
- unsigned long *count);
-
-ck_rv_t pakchois_get_mechanism_info (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t type,
- struct ck_mechanism_info *info);
-
-ck_rv_t pakchois_init_token (pakchois_module_t * module,
- ck_slot_id_t slot_id, unsigned char *pin,
- unsigned long pin_len, unsigned char *label);
-
-ck_rv_t pakchois_init_pin (pakchois_session_t * session, unsigned char *pin,
- unsigned long pin_len);
-
-ck_rv_t pakchois_set_pin (pakchois_session_t * session,
- unsigned char *old_pin, unsigned long old_len,
- unsigned char *new_pin, unsigned long new_len);
-
-typedef ck_rv_t (*pakchois_notify_t) (pakchois_session_t * sess,
- ck_notification_t event,
- void *application);
-
-ck_rv_t pakchois_open_session (pakchois_module_t * module,
- ck_slot_id_t slot_id, ck_flags_t flags,
- void *application, pakchois_notify_t notify,
- pakchois_session_t ** session);
-
-ck_rv_t pakchois_close_session (pakchois_session_t * session);
-
-ck_rv_t pakchois_close_all_sessions (pakchois_module_t * module,
- ck_slot_id_t slot_id);
-
-ck_rv_t pakchois_get_session_info (pakchois_session_t * session,
- struct ck_session_info *info);
-ck_rv_t pakchois_get_operation_state (pakchois_session_t * session,
- unsigned char *operation_state,
- unsigned long *operation_state_len);
-ck_rv_t pakchois_set_operation_state (pakchois_session_t * session,
- unsigned char *operation_state,
- unsigned long operation_state_len,
- ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key);
-
-ck_rv_t pakchois_login (pakchois_session_t * session,
- ck_user_type_t user_type, unsigned char *pin,
- unsigned long pin_len);
-ck_rv_t pakchois_logout (pakchois_session_t * session);
-
-ck_rv_t pakchois_create_object (pakchois_session_t * session,
- struct ck_attribute *templ,
- unsigned long count,
- ck_object_handle_t * object);
-ck_rv_t pakchois_copy_object (pakchois_session_t * session,
- ck_object_handle_t object,
- struct ck_attribute *templ, unsigned long count,
- ck_object_handle_t * new_object);
-ck_rv_t pakchois_destroy_object (pakchois_session_t * session,
- ck_object_handle_t object);
-ck_rv_t pakchois_get_object_size (pakchois_session_t * session,
- ck_object_handle_t object,
- unsigned long *size);
-
-ck_rv_t pakchois_get_attribute_value (pakchois_session_t * session,
- ck_object_handle_t object,
- struct ck_attribute *templ,
- unsigned long count);
-ck_rv_t pakchois_set_attribute_value (pakchois_session_t * session,
- ck_object_handle_t object,
- struct ck_attribute *templ,
- unsigned long count);
-ck_rv_t pakchois_find_objects_init (pakchois_session_t * session,
- struct ck_attribute *templ,
- unsigned long count);
-ck_rv_t pakchois_find_objects (pakchois_session_t * session,
- ck_object_handle_t * object,
- unsigned long max_object_count,
- unsigned long *object_count);
-ck_rv_t pakchois_find_objects_final (pakchois_session_t * session);
-
-ck_rv_t pakchois_encrypt_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_encrypt (pakchois_session_t * session,
- unsigned char *data, unsigned long data_len,
- unsigned char *encrypted_data,
- unsigned long *encrypted_data_len);
-ck_rv_t pakchois_encrypt_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len);
-ck_rv_t pakchois_encrypt_final (pakchois_session_t * session,
- unsigned char *last_encrypted_part,
- unsigned long *last_encrypted_part_len);
-
-ck_rv_t pakchois_decrypt_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_decrypt (pakchois_session_t * session,
- unsigned char *encrypted_data,
- unsigned long encrypted_data_len,
- unsigned char *data, unsigned long *data_len);
-ck_rv_t pakchois_decrypt_update (pakchois_session_t * session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part,
- unsigned long *part_len);
-ck_rv_t pakchois_decrypt_final (pakchois_session_t * session,
- unsigned char *last_part,
- unsigned long *last_part_len);
-ck_rv_t pakchois_digest_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism);
-ck_rv_t pakchois_digest (pakchois_session_t * session, unsigned char *data,
- unsigned long data_len, unsigned char *digest,
- unsigned long *digest_len);
-ck_rv_t pakchois_digest_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len);
-ck_rv_t pakchois_digest_key (pakchois_session_t * session,
- ck_object_handle_t key);
-ck_rv_t pakchois_digest_final (pakchois_session_t * session,
- unsigned char *digest,
- unsigned long *digest_len);
-
-ck_rv_t pakchois_sign_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_sign (pakchois_session_t * session, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long *signature_len);
-ck_rv_t pakchois_sign_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len);
-ck_rv_t pakchois_sign_final (pakchois_session_t * session,
- unsigned char *signature,
- unsigned long *signature_len);
-ck_rv_t pakchois_sign_recover_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_sign_recover (pakchois_session_t * session,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature,
- unsigned long *signature_len);
-
-ck_rv_t pakchois_verify_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_verify (pakchois_session_t * session, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long signature_len);
-ck_rv_t pakchois_verify_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len);
-ck_rv_t pakchois_verify_final (pakchois_session_t * session,
- unsigned char *signature,
- unsigned long signature_len);
-ck_rv_t pakchois_verify_recover_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_verify_recover (pakchois_session_t * session,
- unsigned char *signature,
- unsigned long signature_len,
- unsigned char *data,
- unsigned long *data_len);
-
-ck_rv_t pakchois_digest_encrypt_update (pakchois_session_t * session,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len);
-ck_rv_t pakchois_decrypt_digest_update (pakchois_session_t * session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part,
- unsigned long *part_len);
-ck_rv_t pakchois_sign_encrypt_update (pakchois_session_t * session,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len);
-ck_rv_t pakchois_decrypt_verify_update (pakchois_session_t * session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part,
- unsigned long *part_len);
-
-ck_rv_t pakchois_generate_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- struct ck_attribute *templ,
- unsigned long count, ck_object_handle_t * key);
-ck_rv_t pakchois_generate_key_pair (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- struct ck_attribute *public_key_template,
- unsigned long public_key_attribute_count,
- struct ck_attribute *private_key_template,
- unsigned long private_key_attribute_count,
- ck_object_handle_t * public_key,
- ck_object_handle_t * private_key);
-
-ck_rv_t pakchois_wrap_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t wrapping_key,
- ck_object_handle_t key, unsigned char *wrapped_key,
- unsigned long *wrapped_key_len);
-ck_rv_t pakchois_unwrap_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t unwrapping_key,
- unsigned char *wrapped_key,
- unsigned long wrapped_key_len,
- struct ck_attribute *templ,
- unsigned long attribute_count,
- ck_object_handle_t * key);
-ck_rv_t pakchois_derive_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t base_key,
- struct ck_attribute *templ,
- unsigned long attribute_count,
- ck_object_handle_t * key);
-
-ck_rv_t pakchois_seed_random (pakchois_session_t * session,
- unsigned char *seed, unsigned long seed_len);
-ck_rv_t pakchois_generate_random (pakchois_session_t * session,
- unsigned char *random_data,
- unsigned long random_len);
-
-#endif /* PAKCHOIS_H */
diff --git a/lib/pakchois/pakchois11.h b/lib/pakchois/pakchois11.h
deleted file mode 100644
index 3e29bb9..0000000
--- a/lib/pakchois/pakchois11.h
+++ /dev/null
@@ -1,1369 +0,0 @@
-/* pkcs11.h
- Copyright 2006, 2007 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE. */
-
-/* Please submit changes back to the Scute project at
- http://www.scute.org/ (or send them to address@hidden), so that
- they can be picked up by other projects from there as well. */
-
-/* This file is a modified implementation of the PKCS #11 standard by
- RSA Security Inc. It is mostly a drop-in replacement, with the
- following change:
-
- This header file does not require any macro definitions by the user
- (like CK_DEFINE_FUNCTION etc). In fact, it defines those macros
- for you (if useful, some are missing, let me know if you need
- more).
-
- There is an additional API available that does comply better to the
- GNU coding standard. It can be switched on by defining
- CRYPTOKI_GNU before including this header file. For this, the
- following changes are made to the specification:
-
- All structure types are changed to a "struct ck_foo" where CK_FOO
- is the type name in PKCS #11.
-
- All non-structure types are changed to ck_foo_t where CK_FOO is the
- lowercase version of the type name in PKCS #11. The basic types
- (CK_ULONG et al.) are removed without substitute.
-
- All members of structures are modified in the following way: Type
- indication prefixes are removed, and underscore characters are
- inserted before words. Then the result is lowercased.
-
- Note that function names are still in the original case, as they
- need for ABI compatibility.
-
- CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute. Use
- <stdbool.h>.
-
- If CRYPTOKI_COMPAT is defined before including this header file,
- then none of the API changes above take place, and the API is the
- one defined by the PKCS #11 standard. */
-
-#ifndef PKCS11_H
-#define PKCS11_H 1
-
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-
-
-/* The version of cryptoki we implement. The revision is changed with
- each modification of this file. If you do not use the "official"
- version of this file, please consider deleting the revision macro
- (you may use a macro with a different name to keep track of your
- versions). */
-#define CRYPTOKI_VERSION_MAJOR 2
-#define CRYPTOKI_VERSION_MINOR 20
-#define CRYPTOKI_VERSION_REVISION 6
-
-
-/* Compatibility interface is default, unless CRYPTOKI_GNU is
- given. */
-#ifndef CRYPTOKI_GNU
-#ifndef CRYPTOKI_COMPAT
-#define CRYPTOKI_COMPAT 1
-#endif
-#endif
-
-/* System dependencies. */
-
-#if defined _WIN32 || defined CRYPTOKI_FORCE_WIN32
-
-/* There is a matching pop below. */
-#pragma pack(push, cryptoki, 1)
-
-#ifdef CRYPTOKI_EXPORTS
-#define CK_SPEC __declspec(dllexport)
-#else
-#define CK_SPEC __declspec(dllimport)
-#endif
-
-#else
-
-#define CK_SPEC
-
-#endif
-�
-
-#ifdef CRYPTOKI_COMPAT
- /* If we are in compatibility mode, switch all exposed names to the
- PKCS #11 variant. There are corresponding #undefs below. */
-
-#define ck_flags_t CK_FLAGS
-#define ck_version _CK_VERSION
-
-#define ck_info _CK_INFO
-#define cryptoki_version cryptokiVersion
-#define manufacturer_id manufacturerID
-#define library_description libraryDescription
-#define library_version libraryVersion
-
-#define ck_notification_t CK_NOTIFICATION
-#define ck_slot_id_t CK_SLOT_ID
-
-#define ck_slot_info _CK_SLOT_INFO
-#define slot_description slotDescription
-#define hardware_version hardwareVersion
-#define firmware_version firmwareVersion
-
-#define ck_token_info _CK_TOKEN_INFO
-#define serial_number serialNumber
-#define max_session_count ulMaxSessionCount
-#define session_count ulSessionCount
-#define max_rw_session_count ulMaxRwSessionCount
-#define rw_session_count ulRwSessionCount
-#define max_pin_len ulMaxPinLen
-#define min_pin_len ulMinPinLen
-#define total_public_memory ulTotalPublicMemory
-#define free_public_memory ulFreePublicMemory
-#define total_private_memory ulTotalPrivateMemory
-#define free_private_memory ulFreePrivateMemory
-#define utc_time utcTime
-
-#define ck_session_handle_t CK_SESSION_HANDLE
-#define ck_user_type_t CK_USER_TYPE
-#define ck_state_t CK_STATE
-
-#define ck_session_info _CK_SESSION_INFO
-#define slot_id slotID
-#define device_error ulDeviceError
-
-#define ck_object_handle_t CK_OBJECT_HANDLE
-#define ck_object_class_t CK_OBJECT_CLASS
-#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
-#define ck_key_type_t CK_KEY_TYPE
-#define ck_certificate_type_t CK_CERTIFICATE_TYPE
-#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
-
-#define ck_attribute _CK_ATTRIBUTE
-#define value pValue
-#define value_len ulValueLen
-
-#define ck_date _CK_DATE
-
-#define ck_mechanism_type_t CK_MECHANISM_TYPE
-
-#define ck_mechanism _CK_MECHANISM
-#define parameter pParameter
-#define parameter_len ulParameterLen
-
-#define ck_mechanism_info _CK_MECHANISM_INFO
-#define min_key_size ulMinKeySize
-#define max_key_size ulMaxKeySize
-
-#define ck_rv_t CK_RV
-#define ck_notify_t CK_NOTIFY
-
-#define ck_function_list _CK_FUNCTION_LIST
-
-#define ck_createmutex_t CK_CREATEMUTEX
-#define ck_destroymutex_t CK_DESTROYMUTEX
-#define ck_lockmutex_t CK_LOCKMUTEX
-#define ck_unlockmutex_t CK_UNLOCKMUTEX
-
-#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
-#define create_mutex CreateMutex
-#define destroy_mutex DestroyMutex
-#define lock_mutex LockMutex
-#define unlock_mutex UnlockMutex
-#define reserved pReserved
-
-#endif /* CRYPTOKI_COMPAT */
-�
-
-
- typedef unsigned long ck_flags_t;
-
- struct ck_version
- {
- unsigned char major;
- unsigned char minor;
- };
-
-
- struct ck_info
- {
- struct ck_version cryptoki_version;
- unsigned char manufacturer_id[32];
- ck_flags_t flags;
- unsigned char library_description[32];
- struct ck_version library_version;
- };
-
-
- typedef unsigned long ck_notification_t;
-
-#define CKN_SURRENDER (0)
-
-
- typedef unsigned long ck_slot_id_t;
-
-
- struct ck_slot_info
- {
- unsigned char slot_description[64];
- unsigned char manufacturer_id[32];
- ck_flags_t flags;
- struct ck_version hardware_version;
- struct ck_version firmware_version;
- };
-
-
-#define CKF_TOKEN_PRESENT (1 << 0)
-#define CKF_REMOVABLE_DEVICE (1 << 1)
-#define CKF_HW_SLOT (1 << 2)
-#define CKF_ARRAY_ATTRIBUTE (1 << 30)
-
-
- struct ck_token_info
- {
- unsigned char label[32];
- unsigned char manufacturer_id[32];
- unsigned char model[16];
- unsigned char serial_number[16];
- ck_flags_t flags;
- unsigned long max_session_count;
- unsigned long session_count;
- unsigned long max_rw_session_count;
- unsigned long rw_session_count;
- unsigned long max_pin_len;
- unsigned long min_pin_len;
- unsigned long total_public_memory;
- unsigned long free_public_memory;
- unsigned long total_private_memory;
- unsigned long free_private_memory;
- struct ck_version hardware_version;
- struct ck_version firmware_version;
- unsigned char utc_time[16];
- };
-
-
-#define CKF_RNG (1 << 0)
-#define CKF_WRITE_PROTECTED (1 << 1)
-#define CKF_LOGIN_REQUIRED (1 << 2)
-#define CKF_USER_PIN_INITIALIZED (1 << 3)
-#define CKF_RESTORE_KEY_NOT_NEEDED (1 << 5)
-#define CKF_CLOCK_ON_TOKEN (1 << 6)
-#define CKF_PROTECTED_AUTHENTICATION_PATH (1 << 8)
-#define CKF_DUAL_CRYPTO_OPERATIONS (1 << 9)
-#define CKF_TOKEN_INITIALIZED (1 << 10)
-#define CKF_SECONDARY_AUTHENTICATION (1 << 11)
-#define CKF_USER_PIN_COUNT_LOW (1 << 16)
-#define CKF_USER_PIN_FINAL_TRY (1 << 17)
-#define CKF_USER_PIN_LOCKED (1 << 18)
-#define CKF_USER_PIN_TO_BE_CHANGED (1 << 19)
-#define CKF_SO_PIN_COUNT_LOW (1 << 20)
-#define CKF_SO_PIN_FINAL_TRY (1 << 21)
-#define CKF_SO_PIN_LOCKED (1 << 22)
-#define CKF_SO_PIN_TO_BE_CHANGED (1 << 23)
-
-#define CK_UNAVAILABLE_INFORMATION ((unsigned long) -1)
-#define CK_EFFECTIVELY_INFINITE (0)
-
-
- typedef unsigned long ck_session_handle_t;
-
-#define CK_INVALID_HANDLE (0)
-
-
- typedef unsigned long ck_user_type_t;
-
-#define CKU_SO (0)
-#define CKU_USER (1)
-#define CKU_CONTEXT_SPECIFIC (2)
-
-
- typedef unsigned long ck_state_t;
-
-#define CKS_RO_PUBLIC_SESSION (0)
-#define CKS_RO_USER_FUNCTIONS (1)
-#define CKS_RW_PUBLIC_SESSION (2)
-#define CKS_RW_USER_FUNCTIONS (3)
-#define CKS_RW_SO_FUNCTIONS (4)
-
-
- struct ck_session_info
- {
- ck_slot_id_t slot_id;
- ck_state_t state;
- ck_flags_t flags;
- unsigned long device_error;
- };
-
-#define CKF_RW_SESSION (1 << 1)
-#define CKF_SERIAL_SESSION (1 << 2)
-
-
- typedef unsigned long ck_object_handle_t;
-
-
- typedef unsigned long ck_object_class_t;
-
-#define CKO_DATA (0)
-#define CKO_CERTIFICATE (1)
-#define CKO_PUBLIC_KEY (2)
-#define CKO_PRIVATE_KEY (3)
-#define CKO_SECRET_KEY (4)
-#define CKO_HW_FEATURE (5)
-#define CKO_DOMAIN_PARAMETERS (6)
-#define CKO_MECHANISM (7)
-#define CKO_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_hw_feature_type_t;
-
-#define CKH_MONOTONIC_COUNTER (1)
-#define CKH_CLOCK (2)
-#define CKH_USER_INTERFACE (3)
-#define CKH_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_key_type_t;
-
-#define CKK_RSA (0)
-#define CKK_DSA (1)
-#define CKK_DH (2)
-#define CKK_ECDSA (3)
-#define CKK_EC (3)
-#define CKK_X9_42_DH (4)
-#define CKK_KEA (5)
-#define CKK_GENERIC_SECRET (0x10)
-#define CKK_RC2 (0x11)
-#define CKK_RC4 (0x12)
-#define CKK_DES (0x13)
-#define CKK_DES2 (0x14)
-#define CKK_DES3 (0x15)
-#define CKK_CAST (0x16)
-#define CKK_CAST3 (0x17)
-#define CKK_CAST128 (0x18)
-#define CKK_RC5 (0x19)
-#define CKK_IDEA (0x1a)
-#define CKK_SKIPJACK (0x1b)
-#define CKK_BATON (0x1c)
-#define CKK_JUNIPER (0x1d)
-#define CKK_CDMF (0x1e)
-#define CKK_AES (0x1f)
-#define CKK_BLOWFISH (0x20)
-#define CKK_TWOFISH (0x21)
-#define CKK_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_certificate_type_t;
-
-#define CKC_X_509 (0)
-#define CKC_X_509_ATTR_CERT (1)
-#define CKC_WTLS (2)
-#define CKC_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_attribute_type_t;
-
-#define CKA_CLASS (0)
-#define CKA_TOKEN (1)
-#define CKA_PRIVATE (2)
-#define CKA_LABEL (3)
-#define CKA_APPLICATION (0x10)
-#define CKA_VALUE (0x11)
-#define CKA_OBJECT_ID (0x12)
-#define CKA_CERTIFICATE_TYPE (0x80)
-#define CKA_ISSUER (0x81)
-#define CKA_SERIAL_NUMBER (0x82)
-#define CKA_AC_ISSUER (0x83)
-#define CKA_OWNER (0x84)
-#define CKA_ATTR_TYPES (0x85)
-#define CKA_TRUSTED (0x86)
-#define CKA_CERTIFICATE_CATEGORY (0x87)
-#define CKA_JAVA_MIDP_SECURITY_DOMAIN (0x88)
-#define CKA_URL (0x89)
-#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8a)
-#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8b)
-#define CKA_CHECK_VALUE (0x90)
-#define CKA_KEY_TYPE (0x100)
-#define CKA_SUBJECT (0x101)
-#define CKA_ID (0x102)
-#define CKA_SENSITIVE (0x103)
-#define CKA_ENCRYPT (0x104)
-#define CKA_DECRYPT (0x105)
-#define CKA_WRAP (0x106)
-#define CKA_UNWRAP (0x107)
-#define CKA_SIGN (0x108)
-#define CKA_SIGN_RECOVER (0x109)
-#define CKA_VERIFY (0x10a)
-#define CKA_VERIFY_RECOVER (0x10b)
-#define CKA_DERIVE (0x10c)
-#define CKA_START_DATE (0x110)
-#define CKA_END_DATE (0x111)
-#define CKA_MODULUS (0x120)
-#define CKA_MODULUS_BITS (0x121)
-#define CKA_PUBLIC_EXPONENT (0x122)
-#define CKA_PRIVATE_EXPONENT (0x123)
-#define CKA_PRIME_1 (0x124)
-#define CKA_PRIME_2 (0x125)
-#define CKA_EXPONENT_1 (0x126)
-#define CKA_EXPONENT_2 (0x127)
-#define CKA_COEFFICIENT (0x128)
-#define CKA_PRIME (0x130)
-#define CKA_SUBPRIME (0x131)
-#define CKA_BASE (0x132)
-#define CKA_PRIME_BITS (0x133)
-#define CKA_SUB_PRIME_BITS (0x134)
-#define CKA_VALUE_BITS (0x160)
-#define CKA_VALUE_LEN (0x161)
-#define CKA_EXTRACTABLE (0x162)
-#define CKA_LOCAL (0x163)
-#define CKA_NEVER_EXTRACTABLE (0x164)
-#define CKA_ALWAYS_SENSITIVE (0x165)
-#define CKA_KEY_GEN_MECHANISM (0x166)
-#define CKA_MODIFIABLE (0x170)
-#define CKA_ECDSA_PARAMS (0x180)
-#define CKA_EC_PARAMS (0x180)
-#define CKA_EC_POINT (0x181)
-#define CKA_SECONDARY_AUTH (0x200)
-#define CKA_AUTH_PIN_FLAGS (0x201)
-#define CKA_ALWAYS_AUTHENTICATE (0x202)
-#define CKA_WRAP_WITH_TRUSTED (0x210)
-#define CKA_HW_FEATURE_TYPE (0x300)
-#define CKA_RESET_ON_INIT (0x301)
-#define CKA_HAS_RESET (0x302)
-#define CKA_PIXEL_X (0x400)
-#define CKA_PIXEL_Y (0x401)
-#define CKA_RESOLUTION (0x402)
-#define CKA_CHAR_ROWS (0x403)
-#define CKA_CHAR_COLUMNS (0x404)
-#define CKA_COLOR (0x405)
-#define CKA_BITS_PER_PIXEL (0x406)
-#define CKA_CHAR_SETS (0x480)
-#define CKA_ENCODING_METHODS (0x481)
-#define CKA_MIME_TYPES (0x482)
-#define CKA_MECHANISM_TYPE (0x500)
-#define CKA_REQUIRED_CMS_ATTRIBUTES (0x501)
-#define CKA_DEFAULT_CMS_ATTRIBUTES (0x502)
-#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503)
-#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211)
-#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212)
-#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600)
-#define CKA_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- struct ck_attribute
- {
- ck_attribute_type_t type;
- void *value;
- unsigned long value_len;
- };
-
-
- struct ck_date
- {
- unsigned char year[4];
- unsigned char month[2];
- unsigned char day[2];
- };
-
-
- typedef unsigned long ck_mechanism_type_t;
-
-#define CKM_RSA_PKCS_KEY_PAIR_GEN (0)
-#define CKM_RSA_PKCS (1)
-#define CKM_RSA_9796 (2)
-#define CKM_RSA_X_509 (3)
-#define CKM_MD2_RSA_PKCS (4)
-#define CKM_MD5_RSA_PKCS (5)
-#define CKM_SHA1_RSA_PKCS (6)
-#define CKM_RIPEMD128_RSA_PKCS (7)
-#define CKM_RIPEMD160_RSA_PKCS (8)
-#define CKM_RSA_PKCS_OAEP (9)
-#define CKM_RSA_X9_31_KEY_PAIR_GEN (0xa)
-#define CKM_RSA_X9_31 (0xb)
-#define CKM_SHA1_RSA_X9_31 (0xc)
-#define CKM_RSA_PKCS_PSS (0xd)
-#define CKM_SHA1_RSA_PKCS_PSS (0xe)
-#define CKM_DSA_KEY_PAIR_GEN (0x10)
-#define CKM_DSA (0x11)
-#define CKM_DSA_SHA1 (0x12)
-#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20)
-#define CKM_DH_PKCS_DERIVE (0x21)
-#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30)
-#define CKM_X9_42_DH_DERIVE (0x31)
-#define CKM_X9_42_DH_HYBRID_DERIVE (0x32)
-#define CKM_X9_42_MQV_DERIVE (0x33)
-#define CKM_SHA256_RSA_PKCS (0x40)
-#define CKM_SHA384_RSA_PKCS (0x41)
-#define CKM_SHA512_RSA_PKCS (0x42)
-#define CKM_SHA256_RSA_PKCS_PSS (0x43)
-#define CKM_SHA384_RSA_PKCS_PSS (0x44)
-#define CKM_SHA512_RSA_PKCS_PSS (0x45)
-#define CKM_RC2_KEY_GEN (0x100)
-#define CKM_RC2_ECB (0x101)
-#define CKM_RC2_CBC (0x102)
-#define CKM_RC2_MAC (0x103)
-#define CKM_RC2_MAC_GENERAL (0x104)
-#define CKM_RC2_CBC_PAD (0x105)
-#define CKM_RC4_KEY_GEN (0x110)
-#define CKM_RC4 (0x111)
-#define CKM_DES_KEY_GEN (0x120)
-#define CKM_DES_ECB (0x121)
-#define CKM_DES_CBC (0x122)
-#define CKM_DES_MAC (0x123)
-#define CKM_DES_MAC_GENERAL (0x124)
-#define CKM_DES_CBC_PAD (0x125)
-#define CKM_DES2_KEY_GEN (0x130)
-#define CKM_DES3_KEY_GEN (0x131)
-#define CKM_DES3_ECB (0x132)
-#define CKM_DES3_CBC (0x133)
-#define CKM_DES3_MAC (0x134)
-#define CKM_DES3_MAC_GENERAL (0x135)
-#define CKM_DES3_CBC_PAD (0x136)
-#define CKM_CDMF_KEY_GEN (0x140)
-#define CKM_CDMF_ECB (0x141)
-#define CKM_CDMF_CBC (0x142)
-#define CKM_CDMF_MAC (0x143)
-#define CKM_CDMF_MAC_GENERAL (0x144)
-#define CKM_CDMF_CBC_PAD (0x145)
-#define CKM_MD2 (0x200)
-#define CKM_MD2_HMAC (0x201)
-#define CKM_MD2_HMAC_GENERAL (0x202)
-#define CKM_MD5 (0x210)
-#define CKM_MD5_HMAC (0x211)
-#define CKM_MD5_HMAC_GENERAL (0x212)
-#define CKM_SHA_1 (0x220)
-#define CKM_SHA_1_HMAC (0x221)
-#define CKM_SHA_1_HMAC_GENERAL (0x222)
-#define CKM_RIPEMD128 (0x230)
-#define CKM_RIPEMD128_HMAC (0x231)
-#define CKM_RIPEMD128_HMAC_GENERAL (0x232)
-#define CKM_RIPEMD160 (0x240)
-#define CKM_RIPEMD160_HMAC (0x241)
-#define CKM_RIPEMD160_HMAC_GENERAL (0x242)
-#define CKM_SHA256 (0x250)
-#define CKM_SHA256_HMAC (0x251)
-#define CKM_SHA256_HMAC_GENERAL (0x252)
-#define CKM_SHA384 (0x260)
-#define CKM_SHA384_HMAC (0x261)
-#define CKM_SHA384_HMAC_GENERAL (0x262)
-#define CKM_SHA512 (0x270)
-#define CKM_SHA512_HMAC (0x271)
-#define CKM_SHA512_HMAC_GENERAL (0x272)
-#define CKM_CAST_KEY_GEN (0x300)
-#define CKM_CAST_ECB (0x301)
-#define CKM_CAST_CBC (0x302)
-#define CKM_CAST_MAC (0x303)
-#define CKM_CAST_MAC_GENERAL (0x304)
-#define CKM_CAST_CBC_PAD (0x305)
-#define CKM_CAST3_KEY_GEN (0x310)
-#define CKM_CAST3_ECB (0x311)
-#define CKM_CAST3_CBC (0x312)
-#define CKM_CAST3_MAC (0x313)
-#define CKM_CAST3_MAC_GENERAL (0x314)
-#define CKM_CAST3_CBC_PAD (0x315)
-#define CKM_CAST5_KEY_GEN (0x320)
-#define CKM_CAST128_KEY_GEN (0x320)
-#define CKM_CAST5_ECB (0x321)
-#define CKM_CAST128_ECB (0x321)
-#define CKM_CAST5_CBC (0x322)
-#define CKM_CAST128_CBC (0x322)
-#define CKM_CAST5_MAC (0x323)
-#define CKM_CAST128_MAC (0x323)
-#define CKM_CAST5_MAC_GENERAL (0x324)
-#define CKM_CAST128_MAC_GENERAL (0x324)
-#define CKM_CAST5_CBC_PAD (0x325)
-#define CKM_CAST128_CBC_PAD (0x325)
-#define CKM_RC5_KEY_GEN (0x330)
-#define CKM_RC5_ECB (0x331)
-#define CKM_RC5_CBC (0x332)
-#define CKM_RC5_MAC (0x333)
-#define CKM_RC5_MAC_GENERAL (0x334)
-#define CKM_RC5_CBC_PAD (0x335)
-#define CKM_IDEA_KEY_GEN (0x340)
-#define CKM_IDEA_ECB (0x341)
-#define CKM_IDEA_CBC (0x342)
-#define CKM_IDEA_MAC (0x343)
-#define CKM_IDEA_MAC_GENERAL (0x344)
-#define CKM_IDEA_CBC_PAD (0x345)
-#define CKM_GENERIC_SECRET_KEY_GEN (0x350)
-#define CKM_CONCATENATE_BASE_AND_KEY (0x360)
-#define CKM_CONCATENATE_BASE_AND_DATA (0x362)
-#define CKM_CONCATENATE_DATA_AND_BASE (0x363)
-#define CKM_XOR_BASE_AND_DATA (0x364)
-#define CKM_EXTRACT_KEY_FROM_KEY (0x365)
-#define CKM_SSL3_PRE_MASTER_KEY_GEN (0x370)
-#define CKM_SSL3_MASTER_KEY_DERIVE (0x371)
-#define CKM_SSL3_KEY_AND_MAC_DERIVE (0x372)
-#define CKM_SSL3_MASTER_KEY_DERIVE_DH (0x373)
-#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374)
-#define CKM_TLS_MASTER_KEY_DERIVE (0x375)
-#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376)
-#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377)
-#define CKM_SSL3_MD5_MAC (0x380)
-#define CKM_SSL3_SHA1_MAC (0x381)
-#define CKM_MD5_KEY_DERIVATION (0x390)
-#define CKM_MD2_KEY_DERIVATION (0x391)
-#define CKM_SHA1_KEY_DERIVATION (0x392)
-#define CKM_PBE_MD2_DES_CBC (0x3a0)
-#define CKM_PBE_MD5_DES_CBC (0x3a1)
-#define CKM_PBE_MD5_CAST_CBC (0x3a2)
-#define CKM_PBE_MD5_CAST3_CBC (0x3a3)
-#define CKM_PBE_MD5_CAST5_CBC (0x3a4)
-#define CKM_PBE_MD5_CAST128_CBC (0x3a4)
-#define CKM_PBE_SHA1_CAST5_CBC (0x3a5)
-#define CKM_PBE_SHA1_CAST128_CBC (0x3a5)
-#define CKM_PBE_SHA1_RC4_128 (0x3a6)
-#define CKM_PBE_SHA1_RC4_40 (0x3a7)
-#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8)
-#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9)
-#define CKM_PBE_SHA1_RC2_128_CBC (0x3aa)
-#define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)
-#define CKM_PKCS5_PBKD2 (0x3b0)
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0)
-#define CKM_KEY_WRAP_LYNKS (0x400)
-#define CKM_KEY_WRAP_SET_OAEP (0x401)
-#define CKM_SKIPJACK_KEY_GEN (0x1000)
-#define CKM_SKIPJACK_ECB64 (0x1001)
-#define CKM_SKIPJACK_CBC64 (0x1002)
-#define CKM_SKIPJACK_OFB64 (0x1003)
-#define CKM_SKIPJACK_CFB64 (0x1004)
-#define CKM_SKIPJACK_CFB32 (0x1005)
-#define CKM_SKIPJACK_CFB16 (0x1006)
-#define CKM_SKIPJACK_CFB8 (0x1007)
-#define CKM_SKIPJACK_WRAP (0x1008)
-#define CKM_SKIPJACK_PRIVATE_WRAP (0x1009)
-#define CKM_SKIPJACK_RELAYX (0x100a)
-#define CKM_KEA_KEY_PAIR_GEN (0x1010)
-#define CKM_KEA_KEY_DERIVE (0x1011)
-#define CKM_FORTEZZA_TIMESTAMP (0x1020)
-#define CKM_BATON_KEY_GEN (0x1030)
-#define CKM_BATON_ECB128 (0x1031)
-#define CKM_BATON_ECB96 (0x1032)
-#define CKM_BATON_CBC128 (0x1033)
-#define CKM_BATON_COUNTER (0x1034)
-#define CKM_BATON_SHUFFLE (0x1035)
-#define CKM_BATON_WRAP (0x1036)
-#define CKM_ECDSA_KEY_PAIR_GEN (0x1040)
-#define CKM_EC_KEY_PAIR_GEN (0x1040)
-#define CKM_ECDSA (0x1041)
-#define CKM_ECDSA_SHA1 (0x1042)
-#define CKM_ECDH1_DERIVE (0x1050)
-#define CKM_ECDH1_COFACTOR_DERIVE (0x1051)
-#define CKM_ECMQV_DERIVE (0x1052)
-#define CKM_JUNIPER_KEY_GEN (0x1060)
-#define CKM_JUNIPER_ECB128 (0x1061)
-#define CKM_JUNIPER_CBC128 (0x1062)
-#define CKM_JUNIPER_COUNTER (0x1063)
-#define CKM_JUNIPER_SHUFFLE (0x1064)
-#define CKM_JUNIPER_WRAP (0x1065)
-#define CKM_FASTHASH (0x1070)
-#define CKM_AES_KEY_GEN (0x1080)
-#define CKM_AES_ECB (0x1081)
-#define CKM_AES_CBC (0x1082)
-#define CKM_AES_MAC (0x1083)
-#define CKM_AES_MAC_GENERAL (0x1084)
-#define CKM_AES_CBC_PAD (0x1085)
-#define CKM_DSA_PARAMETER_GEN (0x2000)
-#define CKM_DH_PKCS_PARAMETER_GEN (0x2001)
-#define CKM_X9_42_DH_PARAMETER_GEN (0x2002)
-#define CKM_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-/* Ammendments */
-#define CKM_SHA224 (0x255)
-#define CKM_SHA224_HMAC (0x256)
-#define CKM_SHA224_HMAC_GENERAL (0x257)
-#define CKM_SHA224_RSA_PKCS (0x46)
-#define CKM_SHA224_RSA_PKCS_PSS (0x47)
-#define CKM_SHA224_KEY_DERIVATION (0x396)
-
-#define CKM_CAMELLIA_KEY_GEN (0x550)
-#define CKM_CAMELLIA_ECB (0x551)
-#define CKM_CAMELLIA_CBC (0x552)
-#define CKM_CAMELLIA_MAC (0x553)
-#define CKM_CAMELLIA_MAC_GENERAL (0x554)
-#define CKM_CAMELLIA_CBC_PAD (0x555)
-#define CKM_CAMELLIA_ECB_ENCRYPT_DATA (0x556)
-#define CKM_CAMELLIA_CBC_ENCRYPT_DATA (0x557)
-
-
- struct ck_mechanism
- {
- ck_mechanism_type_t mechanism;
- void *parameter;
- unsigned long parameter_len;
- };
-
-
- struct ck_mechanism_info
- {
- unsigned long min_key_size;
- unsigned long max_key_size;
- ck_flags_t flags;
- };
-
-#define CKF_HW (1 << 0)
-#define CKF_ENCRYPT (1 << 8)
-#define CKF_DECRYPT (1 << 9)
-#define CKF_DIGEST (1 << 10)
-#define CKF_SIGN (1 << 11)
-#define CKF_SIGN_RECOVER (1 << 12)
-#define CKF_VERIFY (1 << 13)
-#define CKF_VERIFY_RECOVER (1 << 14)
-#define CKF_GENERATE (1 << 15)
-#define CKF_GENERATE_KEY_PAIR (1 << 16)
-#define CKF_WRAP (1 << 17)
-#define CKF_UNWRAP (1 << 18)
-#define CKF_DERIVE (1 << 19)
-#define CKF_EXTENSION ((unsigned long) (1 << 31))
-
-
-/* Flags for C_WaitForSlotEvent. */
-#define CKF_DONT_BLOCK (1)
-
-
- typedef unsigned long ck_rv_t;
-
-
- typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session,
- ck_notification_t event, void *application);
-
-/* Forward reference. */
- struct ck_function_list;
-
-#define _CK_DECLARE_FUNCTION(name, args) \
-typedef ck_rv_t (*CK_ ## name) args; \
-ck_rv_t CK_SPEC name args
-
- _CK_DECLARE_FUNCTION (C_Initialize, (void *init_args));
- _CK_DECLARE_FUNCTION (C_Finalize, (void *reserved));
- _CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info * info));
- _CK_DECLARE_FUNCTION (C_GetFunctionList,
- (struct ck_function_list ** function_list));
-
- _CK_DECLARE_FUNCTION (C_GetSlotList,
- (unsigned char token_present,
- ck_slot_id_t * slot_list, unsigned long *count));
- _CK_DECLARE_FUNCTION (C_GetSlotInfo,
- (ck_slot_id_t slot_id, struct ck_slot_info * info));
- _CK_DECLARE_FUNCTION (C_GetTokenInfo,
- (ck_slot_id_t slot_id,
- struct ck_token_info * info));
- _CK_DECLARE_FUNCTION (C_WaitForSlotEvent,
- (ck_flags_t flags, ck_slot_id_t * slot,
- void *reserved));
- _CK_DECLARE_FUNCTION (C_GetMechanismList,
- (ck_slot_id_t slot_id,
- ck_mechanism_type_t * mechanism_list,
- unsigned long *count));
- _CK_DECLARE_FUNCTION (C_GetMechanismInfo,
- (ck_slot_id_t slot_id, ck_mechanism_type_t type,
- struct ck_mechanism_info * info));
- _CK_DECLARE_FUNCTION (C_InitToken,
- (ck_slot_id_t slot_id, unsigned char *pin,
- unsigned long pin_len, unsigned char *label));
- _CK_DECLARE_FUNCTION (C_InitPIN,
- (ck_session_handle_t session, unsigned char *pin,
- unsigned long pin_len));
- _CK_DECLARE_FUNCTION (C_SetPIN,
- (ck_session_handle_t session,
- unsigned char *old_pin, unsigned long old_len,
- unsigned char *new_pin, unsigned long new_len));
-
- _CK_DECLARE_FUNCTION (C_OpenSession,
- (ck_slot_id_t slot_id, ck_flags_t flags,
- void *application, ck_notify_t notify,
- ck_session_handle_t * session));
- _CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session));
- _CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id));
- _CK_DECLARE_FUNCTION (C_GetSessionInfo,
- (ck_session_handle_t session,
- struct ck_session_info * info));
- _CK_DECLARE_FUNCTION (C_GetOperationState,
- (ck_session_handle_t session,
- unsigned char *operation_state,
- unsigned long *operation_state_len));
- _CK_DECLARE_FUNCTION (C_SetOperationState,
- (ck_session_handle_t session,
- unsigned char *operation_state,
- unsigned long operation_state_len,
- ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key));
- _CK_DECLARE_FUNCTION (C_Login,
- (ck_session_handle_t session,
- ck_user_type_t user_type, unsigned char *pin,
- unsigned long pin_len));
- _CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session));
-
- _CK_DECLARE_FUNCTION (C_CreateObject,
- (ck_session_handle_t session,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * object));
- _CK_DECLARE_FUNCTION (C_CopyObject,
- (ck_session_handle_t session,
- ck_object_handle_t object,
- struct ck_attribute * templ, unsigned long count,
- ck_object_handle_t * new_object));
- _CK_DECLARE_FUNCTION (C_DestroyObject,
- (ck_session_handle_t session,
- ck_object_handle_t object));
- _CK_DECLARE_FUNCTION (C_GetObjectSize,
- (ck_session_handle_t session,
- ck_object_handle_t object, unsigned long *size));
- _CK_DECLARE_FUNCTION (C_GetAttributeValue,
- (ck_session_handle_t session,
- ck_object_handle_t object,
- struct ck_attribute * templ, unsigned long count));
- _CK_DECLARE_FUNCTION (C_SetAttributeValue,
- (ck_session_handle_t session,
- ck_object_handle_t object,
- struct ck_attribute * templ, unsigned long count));
- _CK_DECLARE_FUNCTION (C_FindObjectsInit,
- (ck_session_handle_t session,
- struct ck_attribute * templ, unsigned long count));
- _CK_DECLARE_FUNCTION (C_FindObjects,
- (ck_session_handle_t session,
- ck_object_handle_t * object,
- unsigned long max_object_count,
- unsigned long *object_count));
- _CK_DECLARE_FUNCTION (C_FindObjectsFinal, (ck_session_handle_t session));
-
- _CK_DECLARE_FUNCTION (C_EncryptInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_Encrypt,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *encrypted_data,
- unsigned long *encrypted_data_len));
- _CK_DECLARE_FUNCTION (C_EncryptUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len));
- _CK_DECLARE_FUNCTION (C_EncryptFinal,
- (ck_session_handle_t session,
- unsigned char *last_encrypted_part,
- unsigned long *last_encrypted_part_len));
-
- _CK_DECLARE_FUNCTION (C_DecryptInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_Decrypt,
- (ck_session_handle_t session,
- unsigned char *encrypted_data,
- unsigned long encrypted_data_len,
- unsigned char *data, unsigned long *data_len));
- _CK_DECLARE_FUNCTION (C_DecryptUpdate,
- (ck_session_handle_t session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len));
- _CK_DECLARE_FUNCTION (C_DecryptFinal,
- (ck_session_handle_t session,
- unsigned char *last_part,
- unsigned long *last_part_len));
-
- _CK_DECLARE_FUNCTION (C_DigestInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism));
- _CK_DECLARE_FUNCTION (C_Digest,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *digest, unsigned long *digest_len));
- _CK_DECLARE_FUNCTION (C_DigestUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len));
- _CK_DECLARE_FUNCTION (C_DigestKey,
- (ck_session_handle_t session,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_DigestFinal,
- (ck_session_handle_t session, unsigned char *digest,
- unsigned long *digest_len));
-
- _CK_DECLARE_FUNCTION (C_SignInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_Sign,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature,
- unsigned long *signature_len));
- _CK_DECLARE_FUNCTION (C_SignUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len));
- _CK_DECLARE_FUNCTION (C_SignFinal,
- (ck_session_handle_t session,
- unsigned char *signature,
- unsigned long *signature_len));
- _CK_DECLARE_FUNCTION (C_SignRecoverInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_SignRecover,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature,
- unsigned long *signature_len));
-
- _CK_DECLARE_FUNCTION (C_VerifyInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_Verify,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature,
- unsigned long signature_len));
- _CK_DECLARE_FUNCTION (C_VerifyUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len));
- _CK_DECLARE_FUNCTION (C_VerifyFinal,
- (ck_session_handle_t session,
- unsigned char *signature,
- unsigned long signature_len));
- _CK_DECLARE_FUNCTION (C_VerifyRecoverInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_VerifyRecover,
- (ck_session_handle_t session,
- unsigned char *signature,
- unsigned long signature_len,
- unsigned char *data, unsigned long *data_len));
-
- _CK_DECLARE_FUNCTION (C_DigestEncryptUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len));
- _CK_DECLARE_FUNCTION (C_DecryptDigestUpdate,
- (ck_session_handle_t session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len));
- _CK_DECLARE_FUNCTION (C_SignEncryptUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len));
- _CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate,
- (ck_session_handle_t session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len));
-
- _CK_DECLARE_FUNCTION (C_GenerateKey,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * key));
- _CK_DECLARE_FUNCTION (C_GenerateKeyPair,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- struct ck_attribute * public_key_template,
- unsigned long public_key_attribute_count,
- struct ck_attribute * private_key_template,
- unsigned long private_key_attribute_count,
- ck_object_handle_t * public_key,
- ck_object_handle_t * private_key));
- _CK_DECLARE_FUNCTION (C_WrapKey,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t wrapping_key,
- ck_object_handle_t key,
- unsigned char *wrapped_key,
- unsigned long *wrapped_key_len));
- _CK_DECLARE_FUNCTION (C_UnwrapKey,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t unwrapping_key,
- unsigned char *wrapped_key,
- unsigned long wrapped_key_len,
- struct ck_attribute * templ,
- unsigned long attribute_count,
- ck_object_handle_t * key));
- _CK_DECLARE_FUNCTION (C_DeriveKey,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t base_key,
- struct ck_attribute * templ,
- unsigned long attribute_count,
- ck_object_handle_t * key));
-
- _CK_DECLARE_FUNCTION (C_SeedRandom,
- (ck_session_handle_t session, unsigned char *seed,
- unsigned long seed_len));
- _CK_DECLARE_FUNCTION (C_GenerateRandom,
- (ck_session_handle_t session,
- unsigned char *random_data,
- unsigned long random_len));
-
- _CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session));
- _CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session));
-
-
- struct ck_function_list
- {
- struct ck_version version;
- CK_C_Initialize C_Initialize;
- CK_C_Finalize C_Finalize;
- CK_C_GetInfo C_GetInfo;
- CK_C_GetFunctionList C_GetFunctionList;
- CK_C_GetSlotList C_GetSlotList;
- CK_C_GetSlotInfo C_GetSlotInfo;
- CK_C_GetTokenInfo C_GetTokenInfo;
- CK_C_GetMechanismList C_GetMechanismList;
- CK_C_GetMechanismInfo C_GetMechanismInfo;
- CK_C_InitToken C_InitToken;
- CK_C_InitPIN C_InitPIN;
- CK_C_SetPIN C_SetPIN;
- CK_C_OpenSession C_OpenSession;
- CK_C_CloseSession C_CloseSession;
- CK_C_CloseAllSessions C_CloseAllSessions;
- CK_C_GetSessionInfo C_GetSessionInfo;
- CK_C_GetOperationState C_GetOperationState;
- CK_C_SetOperationState C_SetOperationState;
- CK_C_Login C_Login;
- CK_C_Logout C_Logout;
- CK_C_CreateObject C_CreateObject;
- CK_C_CopyObject C_CopyObject;
- CK_C_DestroyObject C_DestroyObject;
- CK_C_GetObjectSize C_GetObjectSize;
- CK_C_GetAttributeValue C_GetAttributeValue;
- CK_C_SetAttributeValue C_SetAttributeValue;
- CK_C_FindObjectsInit C_FindObjectsInit;
- CK_C_FindObjects C_FindObjects;
- CK_C_FindObjectsFinal C_FindObjectsFinal;
- CK_C_EncryptInit C_EncryptInit;
- CK_C_Encrypt C_Encrypt;
- CK_C_EncryptUpdate C_EncryptUpdate;
- CK_C_EncryptFinal C_EncryptFinal;
- CK_C_DecryptInit C_DecryptInit;
- CK_C_Decrypt C_Decrypt;
- CK_C_DecryptUpdate C_DecryptUpdate;
- CK_C_DecryptFinal C_DecryptFinal;
- CK_C_DigestInit C_DigestInit;
- CK_C_Digest C_Digest;
- CK_C_DigestUpdate C_DigestUpdate;
- CK_C_DigestKey C_DigestKey;
- CK_C_DigestFinal C_DigestFinal;
- CK_C_SignInit C_SignInit;
- CK_C_Sign C_Sign;
- CK_C_SignUpdate C_SignUpdate;
- CK_C_SignFinal C_SignFinal;
- CK_C_SignRecoverInit C_SignRecoverInit;
- CK_C_SignRecover C_SignRecover;
- CK_C_VerifyInit C_VerifyInit;
- CK_C_Verify C_Verify;
- CK_C_VerifyUpdate C_VerifyUpdate;
- CK_C_VerifyFinal C_VerifyFinal;
- CK_C_VerifyRecoverInit C_VerifyRecoverInit;
- CK_C_VerifyRecover C_VerifyRecover;
- CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
- CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
- CK_C_SignEncryptUpdate C_SignEncryptUpdate;
- CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
- CK_C_GenerateKey C_GenerateKey;
- CK_C_GenerateKeyPair C_GenerateKeyPair;
- CK_C_WrapKey C_WrapKey;
- CK_C_UnwrapKey C_UnwrapKey;
- CK_C_DeriveKey C_DeriveKey;
- CK_C_SeedRandom C_SeedRandom;
- CK_C_GenerateRandom C_GenerateRandom;
- CK_C_GetFunctionStatus C_GetFunctionStatus;
- CK_C_CancelFunction C_CancelFunction;
- CK_C_WaitForSlotEvent C_WaitForSlotEvent;
- };
-
-
- typedef ck_rv_t (*ck_createmutex_t) (void **mutex);
- typedef ck_rv_t (*ck_destroymutex_t) (void *mutex);
- typedef ck_rv_t (*ck_lockmutex_t) (void *mutex);
- typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex);
-
-
- struct ck_c_initialize_args
- {
- ck_createmutex_t create_mutex;
- ck_destroymutex_t destroy_mutex;
- ck_lockmutex_t lock_mutex;
- ck_unlockmutex_t unlock_mutex;
- ck_flags_t flags;
- void *reserved;
- };
-
-
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1 << 0)
-#define CKF_OS_LOCKING_OK (1 << 1)
-
-#define CKR_OK (0)
-#define CKR_CANCEL (1)
-#define CKR_HOST_MEMORY (2)
-#define CKR_SLOT_ID_INVALID (3)
-#define CKR_GENERAL_ERROR (5)
-#define CKR_FUNCTION_FAILED (6)
-#define CKR_ARGUMENTS_BAD (7)
-#define CKR_NO_EVENT (8)
-#define CKR_NEED_TO_CREATE_THREADS (9)
-#define CKR_CANT_LOCK (0xa)
-#define CKR_ATTRIBUTE_READ_ONLY (0x10)
-#define CKR_ATTRIBUTE_SENSITIVE (0x11)
-#define CKR_ATTRIBUTE_TYPE_INVALID (0x12)
-#define CKR_ATTRIBUTE_VALUE_INVALID (0x13)
-#define CKR_DATA_INVALID (0x20)
-#define CKR_DATA_LEN_RANGE (0x21)
-#define CKR_DEVICE_ERROR (0x30)
-#define CKR_DEVICE_MEMORY (0x31)
-#define CKR_DEVICE_REMOVED (0x32)
-#define CKR_ENCRYPTED_DATA_INVALID (0x40)
-#define CKR_ENCRYPTED_DATA_LEN_RANGE (0x41)
-#define CKR_FUNCTION_CANCELED (0x50)
-#define CKR_FUNCTION_NOT_PARALLEL (0x51)
-#define CKR_FUNCTION_NOT_SUPPORTED (0x54)
-#define CKR_KEY_HANDLE_INVALID (0x60)
-#define CKR_KEY_SIZE_RANGE (0x62)
-#define CKR_KEY_TYPE_INCONSISTENT (0x63)
-#define CKR_KEY_NOT_NEEDED (0x64)
-#define CKR_KEY_CHANGED (0x65)
-#define CKR_KEY_NEEDED (0x66)
-#define CKR_KEY_INDIGESTIBLE (0x67)
-#define CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
-#define CKR_KEY_NOT_WRAPPABLE (0x69)
-#define CKR_KEY_UNEXTRACTABLE (0x6a)
-#define CKR_MECHANISM_INVALID (0x70)
-#define CKR_MECHANISM_PARAM_INVALID (0x71)
-#define CKR_OBJECT_HANDLE_INVALID (0x82)
-#define CKR_OPERATION_ACTIVE (0x90)
-#define CKR_OPERATION_NOT_INITIALIZED (0x91)
-#define CKR_PIN_INCORRECT (0xa0)
-#define CKR_PIN_INVALID (0xa1)
-#define CKR_PIN_LEN_RANGE (0xa2)
-#define CKR_PIN_EXPIRED (0xa3)
-#define CKR_PIN_LOCKED (0xa4)
-#define CKR_SESSION_CLOSED (0xb0)
-#define CKR_SESSION_COUNT (0xb1)
-#define CKR_SESSION_HANDLE_INVALID (0xb3)
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED (0xb4)
-#define CKR_SESSION_READ_ONLY (0xb5)
-#define CKR_SESSION_EXISTS (0xb6)
-#define CKR_SESSION_READ_ONLY_EXISTS (0xb7)
-#define CKR_SESSION_READ_WRITE_SO_EXISTS (0xb8)
-#define CKR_SIGNATURE_INVALID (0xc0)
-#define CKR_SIGNATURE_LEN_RANGE (0xc1)
-#define CKR_TEMPLATE_INCOMPLETE (0xd0)
-#define CKR_TEMPLATE_INCONSISTENT (0xd1)
-#define CKR_TOKEN_NOT_PRESENT (0xe0)
-#define CKR_TOKEN_NOT_RECOGNIZED (0xe1)
-#define CKR_TOKEN_WRITE_PROTECTED (0xe2)
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID (0xf0)
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE (0xf1)
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2)
-#define CKR_USER_ALREADY_LOGGED_IN (0x100)
-#define CKR_USER_NOT_LOGGED_IN (0x101)
-#define CKR_USER_PIN_NOT_INITIALIZED (0x102)
-#define CKR_USER_TYPE_INVALID (0x103)
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN (0x104)
-#define CKR_USER_TOO_MANY_TYPES (0x105)
-#define CKR_WRAPPED_KEY_INVALID (0x110)
-#define CKR_WRAPPED_KEY_LEN_RANGE (0x112)
-#define CKR_WRAPPING_KEY_HANDLE_INVALID (0x113)
-#define CKR_WRAPPING_KEY_SIZE_RANGE (0x114)
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT (0x115)
-#define CKR_RANDOM_SEED_NOT_SUPPORTED (0x120)
-#define CKR_RANDOM_NO_RNG (0x121)
-#define CKR_DOMAIN_PARAMS_INVALID (0x130)
-#define CKR_BUFFER_TOO_SMALL (0x150)
-#define CKR_SAVED_STATE_INVALID (0x160)
-#define CKR_INFORMATION_SENSITIVE (0x170)
-#define CKR_STATE_UNSAVEABLE (0x180)
-#define CKR_CRYPTOKI_NOT_INITIALIZED (0x190)
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191)
-#define CKR_MUTEX_BAD (0x1a0)
-#define CKR_MUTEX_NOT_LOCKED (0x1a1)
-#define CKR_FUNCTION_REJECTED (0x200)
-#define CKR_VENDOR_DEFINED ((unsigned long) (1 << 31))
-�
-
-
-/* Compatibility layer. */
-
-#ifdef CRYPTOKI_COMPAT
-
-#undef CK_DEFINE_FUNCTION
-#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
-
-/* For NULL. */
-#include <stddef.h>
-
- typedef unsigned char CK_BYTE;
- typedef unsigned char CK_CHAR;
- typedef unsigned char CK_UTF8CHAR;
- typedef unsigned char CK_BBOOL;
- typedef unsigned long int CK_ULONG;
- typedef long int CK_LONG;
- typedef CK_BYTE *CK_BYTE_PTR;
- typedef CK_CHAR *CK_CHAR_PTR;
- typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR;
- typedef CK_ULONG *CK_ULONG_PTR;
- typedef void *CK_VOID_PTR;
- typedef void **CK_VOID_PTR_PTR;
-#define CK_FALSE 0
-#define CK_TRUE 1
-#ifndef CK_DISABLE_TRUE_FALSE
-#ifndef FALSE
-#define FALSE 0
-#endif
-#ifndef TRUE
-#define TRUE 1
-#endif
-#endif
-
- typedef struct ck_version CK_VERSION;
- typedef struct ck_version *CK_VERSION_PTR;
-
- typedef struct ck_info CK_INFO;
- typedef struct ck_info *CK_INFO_PTR;
-
- typedef ck_slot_id_t *CK_SLOT_ID_PTR;
-
- typedef struct ck_slot_info CK_SLOT_INFO;
- typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
-
- typedef struct ck_token_info CK_TOKEN_INFO;
- typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
-
- typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
-
- typedef struct ck_session_info CK_SESSION_INFO;
- typedef struct ck_session_info *CK_SESSION_INFO_PTR;
-
- typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
-
- typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
-
- typedef struct ck_attribute CK_ATTRIBUTE;
- typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
-
- typedef struct ck_date CK_DATE;
- typedef struct ck_date *CK_DATE_PTR;
-
- typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
-
- typedef struct ck_mechanism CK_MECHANISM;
- typedef struct ck_mechanism *CK_MECHANISM_PTR;
-
- typedef struct ck_mechanism_info CK_MECHANISM_INFO;
- typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
-
- typedef struct ck_function_list CK_FUNCTION_LIST;
- typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
- typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
-
- typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
- typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
-
-#define NULL_PTR NULL
-
-/* Delete the helper macros defined at the top of the file. */
-#undef ck_flags_t
-#undef ck_version
-
-#undef ck_info
-#undef cryptoki_version
-#undef manufacturer_id
-#undef library_description
-#undef library_version
-
-#undef ck_notification_t
-#undef ck_slot_id_t
-
-#undef ck_slot_info
-#undef slot_description
-#undef hardware_version
-#undef firmware_version
-
-#undef ck_token_info
-#undef serial_number
-#undef max_session_count
-#undef session_count
-#undef max_rw_session_count
-#undef rw_session_count
-#undef max_pin_len
-#undef min_pin_len
-#undef total_public_memory
-#undef free_public_memory
-#undef total_private_memory
-#undef free_private_memory
-#undef utc_time
-
-#undef ck_session_handle_t
-#undef ck_user_type_t
-#undef ck_state_t
-
-#undef ck_session_info
-#undef slot_id
-#undef device_error
-
-#undef ck_object_handle_t
-#undef ck_object_class_t
-#undef ck_hw_feature_type_t
-#undef ck_key_type_t
-#undef ck_certificate_type_t
-#undef ck_attribute_type_t
-
-#undef ck_attribute
-#undef value
-#undef value_len
-
-#undef ck_date
-
-#undef ck_mechanism_type_t
-
-#undef ck_mechanism
-#undef parameter
-#undef parameter_len
-
-#undef ck_mechanism_info
-#undef min_key_size
-#undef max_key_size
-
-#undef ck_rv_t
-#undef ck_notify_t
-
-#undef ck_function_list
-
-#undef ck_createmutex_t
-#undef ck_destroymutex_t
-#undef ck_lockmutex_t
-#undef ck_unlockmutex_t
-
-#undef ck_c_initialize_args
-#undef create_mutex
-#undef destroy_mutex
-#undef lock_mutex
-#undef unlock_mutex
-#undef reserved
-
-#endif /* CRYPTOKI_COMPAT */
-�
-
-/* System dependencies. */
-#if defined _WIN32 || defined CRYPTOKI_FORCE_WIN32
-#pragma pack(pop, cryptoki)
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* PKCS11_H */
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index ada3c5c..f5e4965 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -32,25 +32,27 @@
#include <gnutls_errors.h>
#include <gnutls_datum.h>
#include <pkcs11_int.h>
+#include <p11-kit/p11-kit.h>
+#include <p11-kit/pin.h>
+#include <errno.h>
#define MAX_PROVIDERS 16
-static void terminate_string (unsigned char *str, size_t len);
-
/* XXX: try to eliminate this */
#define MAX_CERT_SIZE 8*1024
struct gnutls_pkcs11_provider_s
{
- pakchois_module_t *module;
+ struct ck_function_list *module;
unsigned long nslots;
ck_slot_id_t *slots;
struct ck_info info;
+ int initialized;
};
struct flags_find_data_st
{
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
unsigned int slot_flags;
};
@@ -65,12 +67,13 @@ struct crt_find_data_st
unsigned int *n_list;
unsigned int current;
gnutls_pkcs11_obj_attr_t flags;
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
};
static struct gnutls_pkcs11_provider_s providers[MAX_PROVIDERS];
static int active_providers = 0;
+static int initialized_registered = 0;
static gnutls_pkcs11_pin_callback_t pin_func;
static void *pin_data;
@@ -171,26 +174,13 @@ pkcs11_rescan_slots (void)
{
unsigned long slots;
- pakchois_get_slot_list (providers[active_providers - 1].module, 0,
+ pkcs11_get_slot_list (providers[active_providers - 1].module, 0,
NULL, &slots);
}
-/**
- * gnutls_pkcs11_add_provider:
- * @name: The filename of the module
- * @params: should be NULL
- *
- * This function will load and add a PKCS 11 module to the module
- * list used in gnutls. After this function is called the module will
- * be used for PKCS 11 operations.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- * negative error value.
- **/
-int
-gnutls_pkcs11_add_provider (const char *name, const char *params)
+static int
+pkcs11_add_module (const char *name, struct ck_function_list *module)
{
-
if (active_providers >= MAX_PROVIDERS)
{
gnutls_assert ();
@@ -198,17 +188,10 @@ gnutls_pkcs11_add_provider (const char *name, const char
*params)
}
active_providers++;
- if (pakchois_module_load_abs
- (&providers[active_providers - 1].module, name) != CKR_OK)
- {
- gnutls_assert ();
- _gnutls_debug_log ("p11: Cannot load provider %s\n", name);
- active_providers--;
- return GNUTLS_E_PKCS11_LOAD_ERROR;
- }
+ providers[active_providers - 1].module = module;
/* cache the number of slots in this module */
- if (pakchois_get_slot_list
+ if (pkcs11_get_slot_list
(providers[active_providers - 1].module, 0, NULL,
&providers[active_providers - 1].nslots) != CKR_OK)
{
@@ -225,7 +208,7 @@ gnutls_pkcs11_add_provider (const char *name, const char
*params)
goto fail;
}
- if (pakchois_get_slot_list
+ if (pkcs11_get_slot_list
(providers[active_providers - 1].module, 0,
providers[active_providers - 1].slots,
&providers[active_providers - 1].nslots) != CKR_OK)
@@ -237,15 +220,8 @@ gnutls_pkcs11_add_provider (const char *name, const char
*params)
memset (&providers[active_providers - 1].info, 0,
sizeof (providers[active_providers - 1].info));
- pakchois_get_info (providers[active_providers - 1].module,
- &providers[active_providers - 1].info);
-
- terminate_string (providers[active_providers - 1].info.manufacturer_id,
- sizeof (providers[active_providers - 1].
- info.manufacturer_id));
- terminate_string (providers[active_providers - 1].info.library_description,
- sizeof (providers[active_providers - 1].
- info.library_description));
+ pkcs11_get_module_info (providers[active_providers - 1].module,
+ &providers[active_providers - 1].info);
_gnutls_debug_log ("p11: loaded provider '%s' with %d slots\n",
name, (int) providers[active_providers - 1].nslots);
@@ -253,10 +229,51 @@ gnutls_pkcs11_add_provider (const char *name, const char
*params)
return 0;
fail:
- pakchois_module_destroy (providers[active_providers - 1].module);
active_providers--;
return GNUTLS_E_PKCS11_LOAD_ERROR;
+}
+
+
+/**
+ * gnutls_pkcs11_add_provider:
+ * @name: The filename of the module
+ * @params: should be NULL
+ *
+ * This function will load and add a PKCS 11 module to the module
+ * list used in gnutls. After this function is called the module will
+ * be used for PKCS 11 operations.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_pkcs11_add_provider (const char *name, const char *params)
+{
+ struct ck_function_list *module;
+ int ret;
+
+ active_providers++;
+ if (p11_kit_load_initialize_module (name, &module) != CKR_OK)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("p11: Cannot load provider %s\n", name);
+ active_providers--;
+ return GNUTLS_E_PKCS11_LOAD_ERROR;
+ }
+
+ ret = pkcs11_add_module (name, module);
+ if (ret == 0)
+ {
+ /* Mark this one as having been separately initialized */
+ providers[active_providers - 1].initialized = 1;
+ }
+ else
+ {
+ p11_kit_finalize_module (module);
+ gnutls_assert ();
+ }
+ return ret;
}
@@ -279,99 +296,238 @@ gnutls_pkcs11_obj_get_info (gnutls_pkcs11_obj_t crt,
gnutls_pkcs11_obj_info_t itype,
void *output, size_t * output_size)
{
- return pkcs11_get_info (&crt->info, itype, output, output_size);
+ return pkcs11_get_info (crt->info, itype, output, output_size);
}
int
-pkcs11_get_info (struct pkcs11_url_info *info,
+pkcs11_get_info (struct p11_kit_uri *info,
gnutls_pkcs11_obj_info_t itype, void *output,
size_t * output_size)
{
+ struct ck_attribute *attr = NULL;
+ struct ck_version *version = NULL;
const char *str = NULL;
- size_t len;
+ size_t str_max = 0;
+ int terminate = 0;
+ int hexify = 0;
+ size_t length = 0;
+ const char *data = NULL;
+ char buf[32];
+
+ /*
+ * Either attr, str or version is valid by the time switch
+ * finishes
+ */
switch (itype)
{
case GNUTLS_PKCS11_OBJ_ID:
- if (*output_size < info->certid_raw_size)
- {
- *output_size = info->certid_raw_size;
- return GNUTLS_E_SHORT_MEMORY_BUFFER;
- }
- if (output)
- memcpy (output, info->certid_raw, info->certid_raw_size);
- *output_size = info->certid_raw_size;
-
- return 0;
+ attr = p11_kit_uri_get_attribute (info, CKA_ID);
+ break;
case GNUTLS_PKCS11_OBJ_ID_HEX:
- str = info->id;
+ attr = p11_kit_uri_get_attribute (info, CKA_ID);
+ hexify = 1;
+ terminate = 1;
break;
case GNUTLS_PKCS11_OBJ_LABEL:
- str = info->label;
+ attr = p11_kit_uri_get_attribute (info, CKA_LABEL);
+ terminate = 1;
break;
case GNUTLS_PKCS11_OBJ_TOKEN_LABEL:
- str = info->token;
+ str = p11_kit_uri_get_token_info (info)->label;
+ str_max = 32;
break;
case GNUTLS_PKCS11_OBJ_TOKEN_SERIAL:
- str = info->serial;
+ str = p11_kit_uri_get_token_info (info)->serial_number;
+ str_max = 16;
break;
case GNUTLS_PKCS11_OBJ_TOKEN_MANUFACTURER:
- str = info->manufacturer;
+ str = p11_kit_uri_get_token_info (info)->manufacturer_id;
+ str_max = 32;
break;
case GNUTLS_PKCS11_OBJ_TOKEN_MODEL:
- str = info->model;
+ str = p11_kit_uri_get_token_info (info)->model;
+ str_max = 16;
break;
case GNUTLS_PKCS11_OBJ_LIBRARY_DESCRIPTION:
- str = info->lib_desc;
+ str = p11_kit_uri_get_module_info (info)->library_description;
+ str_max = 32;
break;
case GNUTLS_PKCS11_OBJ_LIBRARY_VERSION:
- str = info->lib_version;
+ version = &p11_kit_uri_get_module_info (info)->library_version;
break;
case GNUTLS_PKCS11_OBJ_LIBRARY_MANUFACTURER:
- str = info->lib_manufacturer;
+ str = p11_kit_uri_get_module_info (info)->manufacturer_id;
+ str_max = 32;
break;
default:
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
- len = strlen (str);
+ if (attr != NULL)
+ {
+ data = attr->value;
+ length = attr->value_len;
+ }
+ else if (str != NULL)
+ {
+ data = str;
+ length = p11_kit_space_strlen (str, str_max);
+ terminate = 1;
+ }
+ else if (version != NULL)
+ {
+ data = buf;
+ length = snprintf (buf, sizeof (buf), "%d.%d", (int)version->major,
+ (int)version->minor);
+ terminate = 1;
+ }
- if (len + 1 > *output_size)
+ if (hexify)
{
- *output_size = len + 1;
- return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ /* terminate is assumed with hexify */
+ if (*output_size < length * 3)
+ {
+ *output_size = length * 3;
+ return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ }
+ if (output)
+ _gnutls_bin2hex (data, length, output, *output_size, ":");
+ *output_size = length * 3;
+ return 0;
+ }
+ else
+ {
+ if (*output_size < length + terminate)
+ {
+ *output_size = length + terminate;
+ return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ }
+ if (output)
+ {
+ memcpy (output, data, length);
+ if (terminate)
+ ((unsigned char*)output)[length] = '\0';
+ }
+ *output_size = length + terminate;
}
- strcpy (output, str);
+ return 0;
+}
- *output_size = len;
+static int init = 0;
+
+static int
+initialize_automatic_p11_kit (void)
+{
+ struct ck_function_list **modules;
+ const char *name;
+ ck_rv_t rv;
+ int i, ret;
+
+ rv = p11_kit_initialize_registered ();
+ if (rv != CKR_OK)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("Cannot initialize registered module: %s\n",
+ p11_kit_strerror (rv));
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+ initialized_registered = 1;
+
+ modules = p11_kit_registered_modules ();
+ for (i = 0; modules[i] != NULL; i++)
+ {
+ name = p11_kit_registered_module_to_name (modules[i]);
+ ret = pkcs11_add_module (name, modules[i]);
+ if (ret != 0)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("Cannot add registered module: %s\n", name);
+ }
+ }
+ free (modules);
return 0;
}
-static int init = 0;
+static int
+initialize_automatic_legacy (const char *configfile)
+{
+ FILE *fp;
+ char line[512];
+ const char *library;
+ int ret;
+ if (configfile == NULL)
+ configfile = "/etc/gnutls/pkcs11.conf";
+
+ fp = fopen (configfile, "r");
+ if (fp == NULL)
+ {
+ if (errno == ENOENT)
+ return 0;
+ gnutls_assert ();
+ _gnutls_debug_log ("Cannot load %s\n", configfile);
+ return GNUTLS_E_FILE_ERROR;
+ }
+
+ while (fgets (line, sizeof (line), fp) != NULL)
+ {
+ if (strncmp (line, "load", sizeof ("load") - 1) == 0)
+ {
+ char *p;
+ p = strchr (line, '=');
+ if (p == NULL)
+ continue;
+
+ library = ++p;
+
+ p = strchr (line, '\n');
+ if (p != NULL)
+ {
+ *p = 0;
+ }
+
+ ret = gnutls_pkcs11_add_provider (library, NULL);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("Cannot load provider: %s\n", library);
+ continue;
+ }
+ }
+ }
+
+ fclose(fp);
+ return 0;
+}
/**
* gnutls_pkcs11_init:
* @flags: %GNUTLS_PKCS11_FLAG_MANUAL or %GNUTLS_PKCS11_FLAG_AUTO
- * @configfile: either NULL or the location of a configuration file
+ * @deprecated_config_file: either NULL or the location of a deprecated
+ * configuration file
*
* This function will initialize the PKCS 11 subsystem in gnutls. It will
- * read a configuration file if %GNUTLS_PKCS11_FLAG_AUTO is used or allow
+ * read configuration files if %GNUTLS_PKCS11_FLAG_AUTO is used or allow
* you to independently load PKCS 11 modules using gnutls_pkcs11_add_provider()
* if %GNUTLS_PKCS11_FLAG_MANUAL is specified.
*
+ * Using a custom configfile is deprecated and will not be supported in future
+ * versions of gnutls.
+ *
* Normally you don't need to call this function since it is being called
- * by gnutls_global_init() using the %GNUTLS_PKCS11_FLAG_AUTO. If other option
- * is required then it must be called before it.
+ * by gnutls_global_init() using the %GNUTLS_PKCS11_FLAG_AUTO. If you need to
+ * call this function, you must call it before gnutls_global_init().
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
int
-gnutls_pkcs11_init (unsigned int flags, const char *configfile)
+gnutls_pkcs11_init (unsigned int flags, const char *deprecated_config_file)
{
int ret;
@@ -383,54 +539,19 @@ gnutls_pkcs11_init (unsigned int flags, const char
*configfile)
init++;
if (flags == GNUTLS_PKCS11_FLAG_MANUAL)
- return 0;
+ {
+ ret = 0;
+ }
else
{
- FILE *fp;
- char line[512];
- const char *library;
-
- if (configfile == NULL)
- configfile = "/etc/gnutls/pkcs11.conf";
-
- fp = fopen (configfile, "r");
- if (fp == NULL)
- {
- gnutls_assert ();
- _gnutls_debug_log ("Cannot load %s\n", configfile);
- return GNUTLS_E_FILE_ERROR;
- }
-
- while (fgets (line, sizeof (line), fp) != NULL)
- {
- if (strncmp (line, "load", sizeof ("load") - 1) == 0)
- {
- char *p;
- p = strchr (line, '=');
- if (p == NULL)
- continue;
-
- library = ++p;
+ if (deprecated_config_file == NULL)
+ ret = initialize_automatic_p11_kit ();
- p = strchr (line, '\n');
- if (p != NULL)
- {
- *p = 0;
- }
-
- ret = gnutls_pkcs11_add_provider (library, NULL);
- if (ret < 0)
- {
- gnutls_assert ();
- _gnutls_debug_log ("Cannot load provider: %s\n", library);
- continue;
- }
- }
- }
- fclose(fp);
+ if (ret == 0)
+ ret = initialize_automatic_legacy (deprecated_config_file);
}
- return 0;
+ return ret;
}
/**
@@ -455,10 +576,14 @@ gnutls_pkcs11_deinit (void)
for (i = 0; i < active_providers; i++)
{
- pakchois_module_destroy (providers[i].module);
+ if (providers[i].initialized)
+ p11_kit_finalize_module (providers[i].module);
}
active_providers = 0;
- pakchois_destructor();
+
+ if (initialized_registered != 0)
+ p11_kit_finalize_registered ();
+ initialized_registered = 0;
}
/**
@@ -516,398 +641,68 @@ gnutls_pkcs11_set_token_function
(gnutls_pkcs11_token_callback_t fn,
token_data = userdata;
}
-static int
-unescape_string (char *output, const char *input, size_t * size,
- char terminator)
-{
- gnutls_buffer_st str;
- int ret = 0;
- char *p;
- int len;
-
- _gnutls_buffer_init (&str);
-
- /* find terminator */
- p = strchr (input, terminator);
- if (p != NULL)
- len = p - input;
- else
- len = strlen (input);
-
- ret = _gnutls_buffer_append_data (&str, input, len);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret = _gnutls_buffer_unescape (&str);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret = _gnutls_buffer_append_data (&str, "", 1);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- _gnutls_buffer_pop_data (&str, output, size);
-
- _gnutls_buffer_clear (&str);
-
- return ret;
-}
-
int
-pkcs11_url_to_info (const char *url, struct pkcs11_url_info *info)
+pkcs11_url_to_info (const char *url, struct p11_kit_uri **info)
{
+ int allocated = 0;
int ret;
- char *p1, *p2;
- size_t l;
-
- memset (info, 0, sizeof (*info));
-
- if (strstr (url, "pkcs11:") == NULL)
- {
- ret = GNUTLS_E_PARSING_ERROR;
- goto cleanup;
- }
-
- if ((p1 = strstr (url, "library-manufacturer=")) != NULL)
- {
- p1 += sizeof ("library-manufacturer=") - 1;
- l = sizeof (info->lib_manufacturer);
-
- ret = unescape_string (info->lib_manufacturer, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "library-description=")) != NULL)
- {
- p1 += sizeof ("library-description=") - 1;
- l = sizeof (info->lib_desc);
-
- ret = unescape_string (info->lib_desc, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "library-version=")) != NULL)
- {
- p1 += sizeof ("library-version=") - 1;
- l = sizeof (info->lib_version);
-
- ret = unescape_string (info->lib_version, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, ";manufacturer=")) != NULL ||
- (p1 = strstr (url, ":manufacturer=")) != NULL)
- {
-
- p1 += sizeof (";manufacturer=") - 1;
- l = sizeof (info->manufacturer);
-
- ret = unescape_string (info->manufacturer, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "token=")) != NULL)
- {
- p1 += sizeof ("token=") - 1;
- l = sizeof (info->token);
-
- ret = unescape_string (info->token, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "object=")) != NULL)
- {
- p1 += sizeof ("object=") - 1;
- l = sizeof (info->label);
-
- ret = unescape_string (info->label, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "serial=")) != NULL)
- {
- p1 += sizeof ("serial=") - 1;
- l = sizeof (info->serial);
-
- ret = unescape_string (info->serial, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "model=")) != NULL)
- {
- p1 += sizeof ("model=") - 1;
- l = sizeof (info->model);
-
- ret = unescape_string (info->model, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
- if ((p1 = strstr (url, "objecttype=")) != NULL)
+ if (*info == NULL)
{
- p1 += sizeof ("objecttype=") - 1;
- l = sizeof (info->type);
-
- ret = unescape_string (info->type, p1, &l, ';');
- if (ret < 0)
+ *info = p11_kit_uri_new ();
+ if (*info == NULL)
{
- goto cleanup;
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
}
+ allocated = 1;
}
- if (((p1 = strstr (url, ";id=")) != NULL)
- || ((p1 = strstr (url, ":id=")) != NULL))
+ ret = p11_kit_uri_parse (url, P11_KIT_URI_FOR_ANY, *info);
+ if (ret < 0)
{
- p1 += sizeof (";id=") - 1;
- l = sizeof (info->certid_raw);
-
- ret = unescape_string (info->certid_raw, p1, &l, ';');
- if (ret < 0)
+ if (allocated)
{
- goto cleanup;
+ p11_kit_uri_free (*info);
+ *info = NULL;
}
- /* not null terminated */
- info->certid_raw_size = l-1;
-
- p2 = _gnutls_bin2hex(info->certid_raw, info->certid_raw_size,
- info->id, sizeof(info->id), ":");
- if (p2 == NULL)
- {
- ret = GNUTLS_E_PARSING_ERROR;
- goto cleanup;
- }
- }
-
- ret = 0;
-
-cleanup:
-
- return ret;
-
-}
-
-#define INVALID_CHARS "\\/\"'%&address@hidden <>{}[]()`|:;,.+-"
-
-/* Appends @tname to @dest under the name @p11name.
- * init indicates whether it is the initial addition to buffer.
- */
-static int
-append (gnutls_buffer_st * dest, const void *tname, int tname_size,
- const char *p11name, int all, int init)
-{
- gnutls_buffer_st tmpstr;
- int ret;
-
- _gnutls_buffer_init (&tmpstr);
- if ((ret = _gnutls_buffer_append_data (&tmpstr, tname, tname_size)) < 0)
- {
gnutls_assert ();
- goto cleanup;
+ return ret == P11_KIT_URI_NO_MEMORY ?
+ GNUTLS_E_MEMORY_ERROR : GNUTLS_E_PARSING_ERROR;
}
- ret = _gnutls_buffer_escape (&tmpstr, all, INVALID_CHARS);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- if ((ret = _gnutls_buffer_append_data (&tmpstr, "", 1)) < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- if ((ret =
- _gnutls_buffer_append_printf (dest, "%s%s=%s",
- (init != 0) ? ";" : "", p11name,
- tmpstr.data)) < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- ret = 0;
-
-cleanup:
- _gnutls_buffer_clear (&tmpstr);
-
- return ret;
-
+ return 0;
}
-
int
-pkcs11_info_to_url (const struct pkcs11_url_info *info,
+pkcs11_info_to_url (struct p11_kit_uri *info,
gnutls_pkcs11_url_type_t detailed, char **url)
{
- gnutls_buffer_st str;
- int init = 0;
+ p11_kit_uri_type_t type = 0;
int ret;
- _gnutls_buffer_init (&str);
-
- _gnutls_buffer_append_str (&str, "pkcs11:");
-
- if (info->token[0])
- {
- ret = append (&str, info->token, strlen(info->token), "token", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (info->serial[0])
- {
- ret = append (&str, info->serial, strlen(info->serial), "serial", 0,
init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (info->model[0])
- {
- ret = append (&str, info->model, strlen(info->model), "model", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
-
- if (info->manufacturer[0])
- {
- ret = append (&str, info->manufacturer, strlen(info->manufacturer),
"manufacturer", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (info->label[0])
- {
- ret = append (&str, info->label, strlen(info->label), "object", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (info->type[0])
- {
- ret = append (&str, info->type, strlen(info->type), "objecttype", 0,
init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (detailed > GNUTLS_PKCS11_URL_GENERIC)
- {
- if (info->lib_manufacturer[0])
- {
- ret =
- append (&str, info->lib_manufacturer,
strlen(info->lib_manufacturer), "library-manufacturer",
- 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (info->lib_desc[0])
- {
- ret = append (&str, info->lib_desc, strlen(info->lib_desc),
"library-description", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
- }
-
- if (detailed > GNUTLS_PKCS11_URL_LIB)
+ switch (detailed)
{
- if (info->lib_version[0])
- {
- ret = append (&str, info->lib_version, strlen(info->lib_version),
"library-version", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
+ case GNUTLS_PKCS11_URL_GENERIC:
+ type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN;
+ break;
+ case GNUTLS_PKCS11_URL_LIB:
+ type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE;
+ break;
+ case GNUTLS_PKCS11_URL_LIB_VERSION:
+ type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE |
P11_KIT_URI_FOR_MODULE_WITH_VERSION;
+ break;
}
- if (info->certid_raw_size > 0)
+ ret = p11_kit_uri_format (info, type, url);
+ if (ret < 0)
{
- ret = append (&str, info->certid_raw, info->certid_raw_size, "id", 1,
init);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ gnutls_assert ();
+ return ret == P11_KIT_URI_NO_MEMORY ?
+ GNUTLS_E_MEMORY_ERROR : GNUTLS_E_INTERNAL_ERROR;
}
- _gnutls_buffer_append_data (&str, "", 1);
-
- *url = str.data;
-
return 0;
-
-cleanup:
- _gnutls_buffer_clear (&str);
- return ret;
}
/**
@@ -929,6 +724,14 @@ gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * obj)
return GNUTLS_E_MEMORY_ERROR;
}
+ (*obj)->info = p11_kit_uri_new ();
+ if ((*obj)->info == NULL)
+ {
+ free (*obj);
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
return 0;
}
@@ -942,6 +745,7 @@ void
gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t obj)
{
_gnutls_free_datum (&obj->raw);
+ p11_kit_uri_free (obj->info);
free (obj);
}
@@ -988,64 +792,30 @@ gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t obj,
return 0;
}
-static void
-terminate_string (unsigned char *str, size_t len)
-{
- unsigned char *ptr = str + len - 1;
-
- while ((*ptr == ' ' || *ptr == '\t' || *ptr == '\0') && ptr >= str)
- ptr--;
-
- if (ptr == str - 1)
- str[0] = '\0';
- else if (ptr == str + len - 1)
- str[len - 1] = '\0';
- else
- ptr[1] = '\0';
-}
-
int
-pkcs11_find_object (pakchois_session_t ** _pks,
+pkcs11_find_object (struct ck_function_list ** _module,
+ ck_session_handle_t * _pks,
ck_object_handle_t * _obj,
- struct pkcs11_url_info *info, unsigned int flags)
+ struct p11_kit_uri *info, unsigned int flags)
{
int ret;
- pakchois_session_t *pks;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
ck_object_handle_t obj;
- ck_object_class_t class;
- struct ck_attribute a[4];
- int a_vals = 0;
+ struct ck_attribute *attrs;
+ unsigned long attr_count;
unsigned long count;
ck_rv_t rv;
- class = pkcs11_strtype_to_class (info->type);
- if (class == -1)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- ret = pkcs11_open_session (&pks, info, flags & SESSION_LOGIN);
+ ret = pkcs11_open_session (&module, &pks, info, flags & SESSION_LOGIN);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
- a[a_vals].type = CKA_CLASS;
- a[a_vals].value = &class;
- a[a_vals].value_len = sizeof class;
- a_vals++;
-
- if (info->certid_raw_size > 0)
- {
- a[a_vals].type = CKA_ID;
- a[a_vals].value = info->certid_raw;
- a[a_vals].value_len = info->certid_raw_size;
- a_vals++;
- }
-
- rv = pakchois_find_objects_init (pks, a, a_vals);
+ attrs = p11_kit_uri_get_attributes (info, &attr_count);
+ rv = pkcs11_find_objects_init (module, pks, attrs, attr_count);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -1054,38 +824,26 @@ pkcs11_find_object (pakchois_session_t ** _pks,
goto fail;
}
- if (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ if (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count ==
1)
{
*_obj = obj;
*_pks = pks;
- pakchois_find_objects_final (pks);
+ *_module = module;
+ pkcs11_find_objects_final (module, pks);
return 0;
}
ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
fail:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
-static void
-fix_strings (struct token_info *info)
-{
- terminate_string (info->tinfo.manufacturer_id,
- sizeof info->tinfo.manufacturer_id);
- terminate_string (info->tinfo.label, sizeof info->tinfo.label);
- terminate_string (info->tinfo.model, sizeof info->tinfo.model);
- terminate_string (info->tinfo.serial_number,
- sizeof info->tinfo.serial_number);
- terminate_string (info->sinfo.slot_description,
- sizeof info->sinfo.slot_description);
-}
-
int
-pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot,
- struct pkcs11_url_info *info, struct token_info *_tinfo)
+pkcs11_find_slot (struct ck_function_list ** module, ck_slot_id_t * slot,
+ struct p11_kit_uri *info, struct token_info *_tinfo)
{
int x, z;
@@ -1095,7 +853,7 @@ pkcs11_find_slot (pakchois_module_t ** module,
ck_slot_id_t * slot,
{
struct token_info tinfo;
- if (pakchois_get_token_info
+ if (pkcs11_get_token_info
(providers[x].module, providers[x].slots[z],
&tinfo.tinfo) != CKR_OK)
{
@@ -1104,18 +862,15 @@ pkcs11_find_slot (pakchois_module_t ** module,
ck_slot_id_t * slot,
tinfo.sid = providers[x].slots[z];
tinfo.prov = &providers[x];
- if (pakchois_get_slot_info
+ if (pkcs11_get_slot_info
(providers[x].module, providers[x].slots[z],
&tinfo.sinfo) != CKR_OK)
{
continue;
}
- /* XXX make wrapper for token_info? */
- fix_strings (&tinfo);
-
- if (pkcs11_token_matches_info (info, &tinfo.tinfo,
- &providers[x].info) < 0)
+ if (!p11_kit_uri_match_token_info (info, &tinfo.tinfo) ||
+ !p11_kit_uri_match_module_info (info, &providers[x].info))
{
continue;
}
@@ -1136,13 +891,13 @@ pkcs11_find_slot (pakchois_module_t ** module,
ck_slot_id_t * slot,
}
int
-pkcs11_open_session (pakchois_session_t ** _pks,
- struct pkcs11_url_info *info, unsigned int flags)
+pkcs11_open_session (struct ck_function_list ** _module, ck_session_handle_t *
_pks,
+ struct p11_kit_uri *info, unsigned int flags)
{
ck_rv_t rv;
int ret;
- pakchois_session_t *pks = NULL;
- pakchois_module_t *module;
+ ck_session_handle_t pks = 0;
+ struct ck_function_list *module;
ck_slot_id_t slot;
struct token_info tinfo;
@@ -1153,8 +908,7 @@ pkcs11_open_session (pakchois_session_t ** _pks,
return ret;
}
- rv = pakchois_open_session (module,
- slot,
+ rv = (module)->C_OpenSession (slot,
((flags & SESSION_WRITE)
? CKF_RW_SESSION : 0) |
CKF_SERIAL_SESSION, NULL, NULL, &pks);
@@ -1166,61 +920,58 @@ pkcs11_open_session (pakchois_session_t ** _pks,
if (flags & SESSION_LOGIN)
{
- ret = pkcs11_login (pks, &tinfo, (flags & SESSION_SO) ? 1 : 0);
+ ret = pkcs11_login (module, pks, &tinfo, info, (flags & SESSION_SO) ? 1
: 0);
if (ret < 0)
{
gnutls_assert ();
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
}
/* ok found */
*_pks = pks;
+ *_module = module;
return 0;
}
int
_pkcs11_traverse_tokens (find_func_t find_func, void *input,
- unsigned int flags)
+ struct p11_kit_uri *info, unsigned int flags)
{
ck_rv_t rv;
int found = 0, x, z, ret;
- pakchois_session_t *pks = NULL;
+ ck_session_handle_t pks = 0;
+ struct ck_function_list *module = NULL;
for (x = 0; x < active_providers; x++)
{
+ module = providers[x].module;
for (z = 0; z < providers[x].nslots; z++)
{
- struct token_info info;
+ struct token_info tinfo;
ret = GNUTLS_E_PKCS11_ERROR;
- if (pakchois_get_token_info
- (providers[x].module, providers[x].slots[z],
- &info.tinfo) != CKR_OK)
+ if (pkcs11_get_token_info (module, providers[x].slots[z],
+ &tinfo.tinfo) != CKR_OK)
{
continue;
}
- info.sid = providers[x].slots[z];
- info.prov = &providers[x];
+ tinfo.sid = providers[x].slots[z];
+ tinfo.prov = &providers[x];
- if (pakchois_get_slot_info
- (providers[x].module, providers[x].slots[z],
- &info.sinfo) != CKR_OK)
+ if (pkcs11_get_slot_info (module, providers[x].slots[z],
+ &tinfo.sinfo) != CKR_OK)
{
continue;
}
- /* XXX make wrapper for token_info? */
- fix_strings (&info);
-
- rv = pakchois_open_session (providers[x].module,
- providers[x].slots[z],
- ((flags & SESSION_WRITE)
- ? CKF_RW_SESSION : 0) |
- CKF_SERIAL_SESSION, NULL, NULL, &pks);
+ rv = (module)->C_OpenSession (providers[x].slots[z],
+ ((flags & SESSION_WRITE)
+ ? CKF_RW_SESSION : 0) |
+ CKF_SERIAL_SESSION, NULL, NULL, &pks);
if (rv != CKR_OK)
{
continue;
@@ -1228,7 +979,7 @@ _pkcs11_traverse_tokens (find_func_t find_func, void
*input,
if (flags & SESSION_LOGIN)
{
- ret = pkcs11_login (pks, &info, (flags & SESSION_SO) ? 1 : 0);
+ ret = pkcs11_login (module, pks, &tinfo, info, (flags &
SESSION_SO) ? 1 : 0);
if (ret < 0)
{
gnutls_assert ();
@@ -1236,7 +987,7 @@ _pkcs11_traverse_tokens (find_func_t find_func, void
*input,
}
}
- ret = find_func (pks, &info, &providers[x].info, input);
+ ret = find_func (module, pks, &tinfo, &providers[x].info, input);
if (ret == 0)
{
@@ -1245,8 +996,8 @@ _pkcs11_traverse_tokens (find_func_t find_func, void
*input,
}
else
{
- pakchois_close_session (pks);
- pks = NULL;
+ pkcs11_close_session (module, pks);
+ pks = 0;
}
}
}
@@ -1256,52 +1007,34 @@ finish:
if (found == 0)
{
- ret = find_func (pks, NULL, NULL, input);
+ if (module)
+ ret = find_func (module, pks, NULL, NULL, input);
+ else
+ ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
}
else
{
ret = 0;
}
- if (pks != NULL)
- {
- pakchois_close_session (pks);
- }
-
- return ret;
-}
-
-static const char *
-pkcs11_obj_type_to_str (gnutls_pkcs11_obj_type_t type)
-{
- switch (type)
+ if (pks != 0 && module != NULL)
{
- case GNUTLS_PKCS11_OBJ_X509_CRT:
- return "cert";
- case GNUTLS_PKCS11_OBJ_PUBKEY:
- return "public";
- case GNUTLS_PKCS11_OBJ_PRIVKEY:
- return "private";
- case GNUTLS_PKCS11_OBJ_SECRET_KEY:
- return "secretkey";
- case GNUTLS_PKCS11_OBJ_DATA:
- return "data";
- case GNUTLS_PKCS11_OBJ_UNKNOWN:
- default:
- return "unknown";
+ pkcs11_close_session (module, pks);
}
+
+ return ret;
}
/* imports a raw certificate from a token to a pkcs11_obj_t structure.
*/
static int
-pkcs11_obj_import (unsigned int class, gnutls_pkcs11_obj_t obj,
+pkcs11_obj_import (ck_object_class_t class, gnutls_pkcs11_obj_t obj,
const gnutls_datum_t * data,
const gnutls_datum_t * id,
const gnutls_datum_t * label,
struct ck_token_info *tinfo, struct ck_info *lib_info)
{
- char *s;
+ struct ck_attribute attr;
int ret;
switch (class)
@@ -1323,10 +1056,18 @@ pkcs11_obj_import (unsigned int class,
gnutls_pkcs11_obj_t obj,
break;
default:
obj->type = GNUTLS_PKCS11_OBJ_UNKNOWN;
+ break;
}
- if (obj->type != GNUTLS_PKCS11_OBJ_UNKNOWN)
- strcpy (obj->info.type, pkcs11_obj_type_to_str (obj->type));
+ attr.type = CKA_CLASS;
+ attr.value = &class;
+ attr.value_len = sizeof (class);
+ ret = p11_kit_uri_set_attribute (obj->info, &attr);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
if (data && data->data)
{
@@ -1338,54 +1079,42 @@ pkcs11_obj_import (unsigned int class,
gnutls_pkcs11_obj_t obj,
}
}
- terminate_string (tinfo->manufacturer_id, sizeof tinfo->manufacturer_id);
- terminate_string (tinfo->label, sizeof tinfo->label);
- terminate_string (tinfo->model, sizeof tinfo->model);
- terminate_string (tinfo->serial_number, sizeof tinfo->serial_number);
-
- /* write data */
- snprintf (obj->info.manufacturer, sizeof (obj->info.manufacturer),
- "%s", tinfo->manufacturer_id);
- snprintf (obj->info.token, sizeof (obj->info.token), "%s", tinfo->label);
- snprintf (obj->info.model, sizeof (obj->info.model), "%s", tinfo->model);
- snprintf (obj->info.serial, sizeof (obj->info.serial), "%s",
- tinfo->serial_number);
-
- snprintf (obj->info.lib_manufacturer, sizeof (obj->info.lib_manufacturer),
- "%s", lib_info->manufacturer_id);
- snprintf (obj->info.lib_desc, sizeof (obj->info.lib_desc), "%s",
- lib_info->library_description);
- snprintf (obj->info.lib_version, sizeof (obj->info.lib_version), "%u.%u",
- (unsigned int) lib_info->library_version.major,
- (unsigned int) lib_info->library_version.minor);
-
-
+ /* copy the token and library info into the uri */
+ memcpy (p11_kit_uri_get_token_info (obj->info), tinfo, sizeof (struct
ck_token_info));
+ memcpy (p11_kit_uri_get_module_info (obj->info), lib_info, sizeof (struct
ck_info));
if (label && label->data)
{
- memcpy (obj->info.label, label->data, label->size);
- obj->info.label[label->size] = 0;
+ attr.type = CKA_LABEL;
+ attr.value = label->data;
+ attr.value_len = label->size;
+ ret = p11_kit_uri_set_attribute (obj->info, &attr);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
}
if (id && id->data)
{
- s = _gnutls_bin2hex (id->data, id->size, obj->info.id,
- sizeof (obj->info.id), ":");
- if (s == NULL)
+ attr.type = CKA_ID;
+ attr.value = id->data;
+ attr.value_len = id->size;
+ ret = p11_kit_uri_set_attribute (obj->info, &attr);
+ if (ret < 0)
{
gnutls_assert ();
- return GNUTLS_E_PKCS11_ERROR;
+ return GNUTLS_E_MEMORY_ERROR;
}
-
- memmove (obj->info.certid_raw, id->data, id->size);
- obj->info.certid_raw_size = id->size;
}
return 0;
}
static int
-pkcs11_obj_import_pubkey (pakchois_session_t * pks,
+pkcs11_obj_import_pubkey (struct ck_function_list *module,
+ ck_session_handle_t pks,
ck_object_handle_t obj,
gnutls_pkcs11_obj_t crt,
const gnutls_datum_t * id,
@@ -1405,7 +1134,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &key_type;
a[0].value_len = sizeof (key_type);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
switch (key_type)
{
@@ -1417,7 +1146,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[1].value = tmp2;
a[1].value_len = sizeof (tmp2);
- if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
{
ret =
@@ -1452,7 +1181,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[1].value = tmp2;
a[1].value_len = sizeof (tmp2);
- if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
{
ret =
_gnutls_set_datum (&crt->pubkey[0],
@@ -1484,7 +1213,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[1].value = tmp2;
a[1].value_len = sizeof (tmp2);
- if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
{
ret =
_gnutls_set_datum (&crt->pubkey[2],
@@ -1523,7 +1252,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &tval;
a[0].value_len = sizeof (tval);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
if (tval != 0)
{
@@ -1535,7 +1264,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &tval;
a[0].value_len = sizeof (tval);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
if (tval != 0)
{
@@ -1549,7 +1278,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &tval;
a[0].value_len = sizeof (tval);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
if (tval != 0)
{
@@ -1563,7 +1292,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &tval;
a[0].value_len = sizeof (tval);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
if (tval != 0)
{
@@ -1575,7 +1304,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &tval;
a[0].value_len = sizeof (tval);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
if (tval != 0)
{
@@ -1587,46 +1316,13 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
tinfo, lib_info);
}
-ck_object_class_t
-pkcs11_strtype_to_class (const char *type)
-{
- ck_object_class_t class;
-
- if (strcmp (type, "cert") == 0)
- {
- class = CKO_CERTIFICATE;
- }
- else if (strcmp (type, "public") == 0)
- {
- class = CKO_PUBLIC_KEY;
- }
- else if (strcmp (type, "private") == 0)
- {
- class = CKO_PRIVATE_KEY;
- }
- else if (strcmp (type, "secretkey") == 0)
- {
- class = CKO_SECRET_KEY;
- }
- else if (strcmp (type, "data") == 0)
- {
- class = CKO_DATA;
- }
- else
- {
- class = -1;
- }
-
- return class;
-}
-
-
static int
-find_obj_url (pakchois_session_t * pks, struct token_info *info,
- struct ck_info *lib_info, void *input)
+find_obj_url (struct ck_function_list *module, ck_session_handle_t pks,
+ struct token_info *info, struct ck_info *lib_info, void *input)
{
struct url_find_data_st *find_data = input;
struct ck_attribute a[4];
+ struct ck_attribute *attr;
ck_object_class_t class = -1;
ck_certificate_type_t type = -1;
ck_rv_t rv;
@@ -1644,24 +1340,18 @@ find_obj_url (pakchois_session_t * pks, struct
token_info *info,
/* do not bother reading the token if basic fields do not match
*/
- if (pkcs11_token_matches_info
- (&find_data->crt->info, &info->tinfo, lib_info) < 0)
+ if (!p11_kit_uri_match_token_info (find_data->crt->info, &info->tinfo) ||
+ !p11_kit_uri_match_module_info (find_data->crt->info, lib_info))
{
gnutls_assert ();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
- if (find_data->crt->info.type[0] != 0)
+ attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_ID);
+ if (attr == NULL)
{
- class = pkcs11_strtype_to_class (find_data->crt->info.type);
- if (class == CKO_CERTIFICATE)
- type = CKC_X_509;
-
- if (class == -1)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
}
/* search the token for the id */
@@ -1674,18 +1364,17 @@ find_obj_url (pakchois_session_t * pks, struct
token_info *info,
}
/* Find objects with given class and type */
-
- a[0].type = CKA_ID;
- a[0].value = find_data->crt->info.certid_raw;
- a[0].value_len = find_data->crt->info.certid_raw_size;
-
+ memcpy (a, attr, sizeof (struct ck_attribute));
a_vals = 1;
- if (class != -1)
+ attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_CLASS);
+ if (attr)
{
- a[a_vals].type = CKA_CLASS;
- a[a_vals].value = &class;
- a[a_vals].value_len = sizeof class;
+ if(attr->value && attr->value_len == sizeof (ck_object_class_t))
+ class = *((ck_object_class_t*)attr->value);
+ if (class == CKO_CERTIFICATE)
+ type = CKC_X_509;
+ memcpy (a + a_vals, attr, sizeof (struct ck_attribute));
a_vals++;
}
@@ -1697,7 +1386,7 @@ find_obj_url (pakchois_session_t * pks, struct token_info
*info,
a_vals++;
}
- rv = pakchois_find_objects_init (pks, a, a_vals);
+ rv = pkcs11_find_objects_init (module, pks, a, a_vals);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -1706,7 +1395,7 @@ find_obj_url (pakchois_session_t * pks, struct token_info
*info,
goto cleanup;
}
- while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count
== 1)
{
a[0].type = CKA_VALUE;
@@ -1716,18 +1405,20 @@ find_obj_url (pakchois_session_t * pks, struct
token_info *info,
a[1].value = label_tmp;
a[1].value_len = sizeof (label_tmp);
- if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
{
- gnutls_datum_t id = { find_data->crt->info.certid_raw,
- find_data->crt->info.certid_raw_size
- };
+ gnutls_datum_t id;
gnutls_datum_t data = { a[0].value, a[0].value_len };
gnutls_datum_t label = { a[1].value, a[1].value_len };
+ attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_ID);
+ id.data = attr->value;
+ id.size = attr->value_len;
+
if (class == CKO_PUBLIC_KEY)
{
ret =
- pkcs11_obj_import_pubkey (pks, obj,
+ pkcs11_obj_import_pubkey (module, pks, obj,
find_data->crt,
&id, &label,
&info->tinfo, lib_info);
@@ -1767,7 +1458,7 @@ find_obj_url (pakchois_session_t * pks, struct token_info
*info,
cleanup:
gnutls_free (cert_data);
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
return ret;
}
@@ -1817,7 +1508,7 @@ gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t cert,
const char *url,
}
ret =
- _pkcs11_traverse_tokens (find_obj_url, &find_data,
+ _pkcs11_traverse_tokens (find_obj_url, &find_data, cert->info,
pkcs11_obj_flags_to_int (flags));
if (ret < 0)
@@ -1831,13 +1522,14 @@ gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t cert,
const char *url,
struct token_num
{
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
unsigned int seq; /* which one we are looking for */
unsigned int current; /* which one are we now */
};
static int
-find_token_num (pakchois_session_t * pks,
+find_token_num (struct ck_function_list *module,
+ ck_session_handle_t pks,
struct token_info *tinfo,
struct ck_info *lib_info, void *input)
{
@@ -1851,18 +1543,8 @@ find_token_num (pakchois_session_t * pks,
if (find_data->current == find_data->seq)
{
- strcpy (find_data->info.manufacturer, tinfo->tinfo.manufacturer_id);
- strcpy (find_data->info.token, tinfo->tinfo.label);
- strcpy (find_data->info.model, tinfo->tinfo.model);
- strcpy (find_data->info.serial, tinfo->tinfo.serial_number);
-
- strcpy (find_data->info.lib_manufacturer, lib_info->manufacturer_id);
- strcpy (find_data->info.lib_desc, lib_info->library_description);
- snprintf (find_data->info.lib_version,
- sizeof (find_data->info.lib_version), "%u.%u",
- (unsigned int) lib_info->library_version.major,
- (unsigned int) lib_info->library_version.minor);
-
+ memcpy (p11_kit_uri_get_token_info (find_data->info), &tinfo->tinfo,
sizeof (struct ck_token_info));
+ memcpy (p11_kit_uri_get_module_info (find_data->info), lib_info, sizeof
(struct ck_info));
return 0;
}
@@ -1895,15 +1577,19 @@ gnutls_pkcs11_token_get_url (unsigned int seq,
memset (&tn, 0, sizeof (tn));
tn.seq = seq;
+ tn.info = p11_kit_uri_new ();
- ret = _pkcs11_traverse_tokens (find_token_num, &tn, 0);
+ ret = _pkcs11_traverse_tokens (find_token_num, &tn, NULL, 0);
if (ret < 0)
{
+ p11_kit_uri_free (tn.info);
gnutls_assert ();
return ret;
}
- ret = pkcs11_info_to_url (&tn.info, detailed, url);
+ ret = pkcs11_info_to_url (tn.info, detailed, url);
+ p11_kit_uri_free (tn.info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -1931,9 +1617,10 @@ gnutls_pkcs11_token_get_info (const char *url,
gnutls_pkcs11_token_info_t ttype,
void *output, size_t * output_size)
{
+ struct p11_kit_uri *info = NULL;
const char *str;
+ size_t str_max;
size_t len;
- struct pkcs11_url_info info;
int ret;
ret = pkcs11_url_to_info (url, &info);
@@ -1946,23 +1633,28 @@ gnutls_pkcs11_token_get_info (const char *url,
switch (ttype)
{
case GNUTLS_PKCS11_TOKEN_LABEL:
- str = info.token;
+ str = p11_kit_uri_get_token_info (info)->label;
+ str_max = 32;
break;
case GNUTLS_PKCS11_TOKEN_SERIAL:
- str = info.serial;
+ str = p11_kit_uri_get_token_info (info)->serial_number;
+ str_max = 16;
break;
case GNUTLS_PKCS11_TOKEN_MANUFACTURER:
- str = info.manufacturer;
+ str = p11_kit_uri_get_token_info (info)->manufacturer_id;
+ str_max = 32;
break;
case GNUTLS_PKCS11_TOKEN_MODEL:
- str = info.model;
+ str = p11_kit_uri_get_token_info (info)->model;
+ str_max = 16;
break;
default:
+ p11_kit_uri_free (info);
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
- len = strlen (str);
+ len = p11_kit_space_strlen (str, str_max);
if (len + 1 > *output_size)
{
@@ -1970,10 +1662,12 @@ gnutls_pkcs11_token_get_info (const char *url,
return GNUTLS_E_SHORT_MEMORY_BUFFER;
}
- strcpy (output, str);
+ memcpy (output, str, len);
+ ((char*)output)[len] = '\0';
*output_size = len;
+ p11_kit_uri_free (info);
return 0;
}
@@ -1994,7 +1688,7 @@ gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t obj,
{
int ret;
- ret = pkcs11_info_to_url (&obj->info, detailed, url);
+ ret = pkcs11_info_to_url (obj->info, detailed, url);
if (ret < 0)
{
gnutls_assert ();
@@ -2025,41 +1719,196 @@ struct pkey_list
size_t key_ids_size;
};
-int
-pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so)
+
+static int
+retrieve_pin_for_pinfile (const char *pinfile, struct ck_token_info
*token_info,
+ int attempts, ck_user_type_t user_type, struct
p11_kit_pin **pin)
{
- int attempt = 0, ret;
- ck_rv_t rv;
- char *token_url;
- int pin_len;
- struct pkcs11_url_info uinfo;
+ unsigned int flags = 0;
+ struct p11_kit_uri *token_uri;
+ struct p11_kit_pin *result;
+ char *label;
+
+ label = p11_kit_space_strdup (token_info->label, sizeof (token_info->label));
+ if (label == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ token_uri = p11_kit_uri_new ();
+ if (token_uri == NULL)
+ {
+ free (label);
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ memcpy (p11_kit_uri_get_token_info (token_uri), token_info,
+ sizeof (struct ck_token_info));
+
+ if (attempts)
+ flags |= P11_KIT_PIN_FLAGS_RETRY;
+ if (user_type == CKU_USER)
+ {
+ flags |= P11_KIT_PIN_FLAGS_USER_LOGIN;
+ if (token_info->flags & CKF_USER_PIN_COUNT_LOW)
+ flags |= P11_KIT_PIN_FLAGS_MANY_TRIES;
+ if (token_info->flags & CKF_USER_PIN_FINAL_TRY)
+ flags |= P11_KIT_PIN_FLAGS_FINAL_TRY;
+ }
+ else if (user_type == CKU_SO)
+ {
+ flags |= P11_KIT_PIN_FLAGS_SO_LOGIN;
+ if (token_info->flags & CKF_SO_PIN_COUNT_LOW)
+ flags |= P11_KIT_PIN_FLAGS_MANY_TRIES;
+ if (token_info->flags & CKF_SO_PIN_FINAL_TRY)
+ flags |= P11_KIT_PIN_FLAGS_FINAL_TRY;
+ }
+ else if (user_type == CKU_CONTEXT_SPECIFIC)
+ {
+ flags |= P11_KIT_PIN_FLAGS_CONTEXT_LOGIN;
+ }
+ result = p11_kit_pin_request (pinfile, token_uri, label, flags);
+ p11_kit_uri_free (token_uri);
+ free (label);
- if (so == 0 && (info->tinfo.flags & CKF_LOGIN_REQUIRED) == 0)
+ if (result == NULL)
{
gnutls_assert ();
- _gnutls_debug_log ("pk11: No login required.\n");
- return 0;
+ return GNUTLS_E_PKCS11_PIN_ERROR;
+ }
+
+ *pin = result;
+ return 0;
+}
+
+static int
+retrieve_pin_for_callback (struct ck_token_info *token_info, int attempts,
+ ck_user_type_t user_type, struct p11_kit_pin **pin)
+{
+ char pin_value[GNUTLS_PKCS11_MAX_PIN_LEN];
+ unsigned int flags = 0;
+ char *token_str;
+ char *label;
+ struct p11_kit_uri *token_uri;
+ int ret = 0;
+
+ label = p11_kit_space_strdup (token_info->label, sizeof (token_info->label));
+ if (label == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ token_uri = p11_kit_uri_new ();
+ if (token_uri == NULL)
+ {
+ free (label);
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
}
- memset (&uinfo, 0, sizeof (uinfo));
- strcpy (uinfo.manufacturer, info->tinfo.manufacturer_id);
- strcpy (uinfo.token, info->tinfo.label);
- strcpy (uinfo.model, info->tinfo.model);
- strcpy (uinfo.serial, info->tinfo.serial_number);
- ret = pkcs11_info_to_url (&uinfo, 1, &token_url);
+ memcpy (p11_kit_uri_get_token_info (token_uri), token_info,
+ sizeof (struct ck_token_info));
+ ret = pkcs11_info_to_url (token_uri, 1, &token_str);
+ p11_kit_uri_free (token_uri);
+
if (ret < 0)
{
+ free (label);
gnutls_assert ();
- return ret;
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ if (user_type == CKU_USER)
+ {
+ flags |= GNUTLS_PKCS11_PIN_USER;
+ if (token_info->flags & CKF_USER_PIN_COUNT_LOW)
+ flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
+ if (token_info->flags & CKF_USER_PIN_FINAL_TRY)
+ flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
+ }
+ else if (user_type == CKU_SO)
+ {
+ flags |= GNUTLS_PKCS11_PIN_SO;
+ if (token_info->flags & CKF_SO_PIN_COUNT_LOW)
+ flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
+ if (token_info->flags & CKF_SO_PIN_FINAL_TRY)
+ flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
+ }
+
+ ret = pin_func (pin_data, attempts, (char*)token_str, label,
+ flags, pin_value, GNUTLS_PKCS11_MAX_PIN_LEN);
+ free (token_str);
+ free (label);
+
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_PKCS11_PIN_ERROR;
+ }
+
+ *pin = p11_kit_pin_new_for_string (pin_value);
+
+ /* Try to scrub the pin off the stack. Clever compilers will
+ * probably optimize this away, oh well. */
+ memset (pin, 0, sizeof pin);
+
+ return 0;
+}
+
+static int
+retrieve_pin (struct p11_kit_uri *info, struct ck_token_info *token_info,
+ int attempts, ck_user_type_t user_type, struct p11_kit_pin **pin)
+{
+ const char *pinfile;
+
+ *pin = NULL;
+
+ /* Check if a pinfile is specified, and use that if possible */
+ pinfile = p11_kit_uri_get_pinfile (info);
+ if (pinfile != NULL)
+ return retrieve_pin_for_pinfile (pinfile, token_info, attempts, user_type,
pin);
+
+ /* The global gnutls pin callback */
+ else if (pin_func)
+ return retrieve_pin_for_callback (token_info, attempts, user_type, pin);
+
+ /* Otherwise, PIN entry is necessary for login, so fail if there's
+ * no callback. */
+ else
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("pk11: No pin callback but login required.\n");
+ return GNUTLS_E_PKCS11_ERROR;
+ }
+}
+
+int
+pkcs11_login (struct ck_function_list * module, ck_session_handle_t pks,
+ const struct token_info *tokinfo, struct p11_kit_uri *info, int
so)
+{
+ struct ck_session_info session_info;
+ int attempt = 0, ret;
+ ck_user_type_t user_type;
+ ck_rv_t rv;
+
+ user_type = (so == 0) ? CKU_USER : CKU_SO;
+ if (so == 0 && (tokinfo->tinfo.flags & CKF_LOGIN_REQUIRED) == 0)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("pk11: No login required.\n");
+ return 0;
}
/* For a token with a "protected" (out-of-band) authentication
* path, calling login with a NULL username is all that is
* required. */
- if (info->tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+ if (tokinfo->tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
{
- rv = pakchois_login (pks, (so == 0) ? CKU_USER : CKU_SO, NULL, 0);
+ rv = (module)->C_Login (pks, (so == 0) ? CKU_USER : CKU_SO, NULL, 0);
if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN)
{
return 0;
@@ -2073,30 +1922,28 @@ pkcs11_login (pakchois_session_t * pks, const struct
token_info *info, int so)
}
}
- /* Otherwise, PIN entry is necessary for login, so fail if there's
- * no callback. */
- if (!pin_func)
- {
- gnutls_assert ();
- _gnutls_debug_log ("pk11: No pin callback but login required.\n");
- ret = GNUTLS_E_PKCS11_ERROR;
- goto cleanup;
- }
-
do
{
+ struct p11_kit_pin *pin;
struct ck_token_info tinfo;
- char pin[GNUTLS_PKCS11_MAX_PIN_LEN];
- unsigned int flags;
- memcpy(&tinfo, &info->tinfo, sizeof(tinfo));
+ memcpy (&tinfo, &tokinfo->tinfo, sizeof(tinfo));
+
+ /* Check whether the session is already logged in, and if so, just skip
*/
+ rv = (module)->C_GetSessionInfo (pks, &session_info);
+ if (rv == CKR_OK && (session_info.state == CKS_RO_USER_FUNCTIONS ||
+ session_info.state == CKS_RW_USER_FUNCTIONS))
+ {
+ ret = 0;
+ goto cleanup;
+ }
/* If login has been attempted once already, check the token
* status again, the flags might change. */
if (attempt)
{
- if (pakchois_get_token_info
- (info->prov->module, info->sid, &tinfo) != CKR_OK)
+ if (pkcs11_get_token_info
+ (tokinfo->prov->module, tokinfo->sid, &tinfo) != CKR_OK)
{
gnutls_assert ();
_gnutls_debug_log ("pk11: GetTokenInfo failed\n");
@@ -2105,41 +1952,18 @@ pkcs11_login (pakchois_session_t * pks, const struct
token_info *info, int so)
}
}
- flags = 0;
- if (so == 0)
- {
- flags |= GNUTLS_PKCS11_PIN_USER;
- if (tinfo.flags & CKF_USER_PIN_COUNT_LOW)
- flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
- if (tinfo.flags & CKF_USER_PIN_FINAL_TRY)
- flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
- }
- else
- {
- flags |= GNUTLS_PKCS11_PIN_SO;
- if (tinfo.flags & CKF_SO_PIN_COUNT_LOW)
- flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
- if (tinfo.flags & CKF_SO_PIN_FINAL_TRY)
- flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
- }
-
- ret = pin_func (pin_data, attempt++,
- (char *) token_url,
- (char *) info->tinfo.label, flags, pin, sizeof (pin));
+ ret = retrieve_pin (info, &tinfo, attempt, user_type, &pin);
if (ret < 0)
{
gnutls_assert ();
- ret = GNUTLS_E_PKCS11_PIN_ERROR;
goto cleanup;
}
- pin_len = strlen (pin);
- rv = pakchois_login (pks, (so == 0) ? CKU_USER : CKU_SO,
- (unsigned char *) pin, pin_len);
+ rv = (module)->C_Login (pks, user_type,
+ (unsigned char *)p11_kit_pin_get_value (pin,
NULL),
+ p11_kit_pin_get_length (pin));
- /* Try to scrub the pin off the stack. Clever compilers will
- * probably optimize this away, oh well. */
- memset (pin, 0, sizeof pin);
+ p11_kit_pin_unref (pin);
}
while (rv == CKR_PIN_INCORRECT);
@@ -2150,13 +1974,28 @@ pkcs11_login (pakchois_session_t * pks, const struct
token_info *info, int so)
|| rv == CKR_USER_ALREADY_LOGGED_IN) ? 0 : pkcs11_rv_to_err (rv);
cleanup:
- gnutls_free (token_url);
return ret;
}
+int
+pkcs11_call_token_func (struct p11_kit_uri *info, const unsigned retry)
+{
+ struct ck_token_info *tinfo;
+ char *label;
+ int ret = 0;
+
+ tinfo = p11_kit_uri_get_token_info (info);
+ label = p11_kit_space_strdup (tinfo->label, sizeof (tinfo->label));
+ ret = (token_func) (token_data, label, retry);
+ free (label);
+
+ return ret;
+}
+
+
static int
-find_privkeys (pakchois_session_t * pks, struct token_info *info,
- struct pkey_list *list)
+find_privkeys (struct ck_function_list *module, ck_session_handle_t pks,
+ struct token_info *info, struct pkey_list *list)
{
struct ck_attribute a[3];
ck_object_class_t class;
@@ -2174,7 +2013,7 @@ find_privkeys (pakchois_session_t * pks, struct
token_info *info,
a[0].value = &class;
a[0].value_len = sizeof class;
- rv = pakchois_find_objects_init (pks, a, 1);
+ rv = pkcs11_find_objects_init (module, pks, a, 1);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -2182,12 +2021,12 @@ find_privkeys (pakchois_session_t * pks, struct
token_info *info,
}
list->key_ids_size = 0;
- while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count
== 1)
{
list->key_ids_size++;
}
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
if (list->key_ids_size == 0)
{
@@ -2208,7 +2047,7 @@ find_privkeys (pakchois_session_t * pks, struct
token_info *info,
a[0].value = &class;
a[0].value_len = sizeof class;
- rv = pakchois_find_objects_init (pks, a, 1);
+ rv = pkcs11_find_objects_init (module, pks, a, 1);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -2216,7 +2055,7 @@ find_privkeys (pakchois_session_t * pks, struct
token_info *info,
}
current = 0;
- while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count
== 1)
{
a[0].type = CKA_ID;
@@ -2225,7 +2064,7 @@ find_privkeys (pakchois_session_t * pks, struct
token_info *info,
_gnutls_buffer_init (&list->key_ids[current]);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
_gnutls_buffer_append_data (&list->key_ids[current],
a[0].value, a[0].value_len);
@@ -2236,7 +2075,7 @@ find_privkeys (pakchois_session_t * pks, struct
token_info *info,
break;
}
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
list->key_ids_size = current - 1;
@@ -2247,11 +2086,12 @@ find_privkeys (pakchois_session_t * pks, struct
token_info *info,
static int
-find_objs (pakchois_session_t * pks, struct token_info *info,
- struct ck_info *lib_info, void *input)
+find_objs (struct ck_function_list * module, ck_session_handle_t pks,
+ struct token_info *info, struct ck_info *lib_info, void *input)
{
struct crt_find_data_st *find_data = input;
struct ck_attribute a[4];
+ struct ck_attribute *attr;
ck_object_class_t class = -1;
ck_certificate_type_t type = -1;
unsigned int trusted;
@@ -2279,34 +2119,18 @@ find_objs (pakchois_session_t * pks, struct token_info
*info,
/* do not bother reading the token if basic fields do not match
*/
- if (pkcs11_token_matches_info (&find_data->info, &info->tinfo, lib_info) <
- 0)
+ if (!p11_kit_uri_match_token_info (find_data->info, &info->tinfo) ||
+ !p11_kit_uri_match_module_info (find_data->info, lib_info))
{
gnutls_assert ();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
- if (find_data->info.type[0] != 0)
- {
- class = pkcs11_strtype_to_class (find_data->info.type);
- if (class == CKO_CERTIFICATE)
- type = CKC_X_509;
- else
- type = -1;
-
- if (class == -1)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
- }
-
-
memset (&plist, 0, sizeof (plist));
if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY)
{
- ret = find_privkeys (pks, info, &plist);
+ ret = find_privkeys (module, pks, info, &plist);
if (ret < 0)
{
gnutls_assert ();
@@ -2408,15 +2232,14 @@ find_objs (pakchois_session_t * pks, struct token_info
*info,
goto fail;
}
- if (find_data->info.certid_raw_size != 0)
+ attr = p11_kit_uri_get_attribute (find_data->info, CKA_ID);
+ if (attr != NULL)
{
- a[tot_values].type = CKA_ID;
- a[tot_values].value = find_data->info.certid_raw;
- a[tot_values].value_len = find_data->info.certid_raw_size;
+ memcpy (a + tot_values, attr, sizeof (struct ck_attribute));
tot_values++;
}
- rv = pakchois_find_objects_init (pks, a, tot_values);
+ rv = pkcs11_find_objects_init (module, pks, a, tot_values);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -2424,7 +2247,7 @@ find_objs (pakchois_session_t * pks, struct token_info
*info,
return pkcs11_rv_to_err (rv);
}
- while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count
== 1)
{
gnutls_datum_t label, id, value;
@@ -2432,7 +2255,7 @@ find_objs (pakchois_session_t * pks, struct token_info
*info,
a[0].value = label_tmp;
a[0].value_len = sizeof label_tmp;
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
label.data = a[0].value;
label.size = a[0].value_len;
@@ -2447,7 +2270,7 @@ find_objs (pakchois_session_t * pks, struct token_info
*info,
a[0].value = certid_tmp;
a[0].value_len = sizeof certid_tmp;
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
id.data = a[0].value;
id.size = a[0].value_len;
@@ -2461,7 +2284,7 @@ find_objs (pakchois_session_t * pks, struct token_info
*info,
a[0].type = CKA_VALUE;
a[0].value = cert_data;
a[0].value_len = MAX_CERT_SIZE;
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
value.data = a[0].value;
value.size = a[0].value_len;
@@ -2478,7 +2301,7 @@ find_objs (pakchois_session_t * pks, struct token_info
*info,
a[0].value = &class;
a[0].value_len = sizeof class;
- pakchois_get_attribute_value (pks, obj, a, 1);
+ pkcs11_get_attribute_value (module, pks, obj, a, 1);
}
if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY)
@@ -2509,7 +2332,7 @@ find_objs (pakchois_session_t * pks, struct token_info
*info,
if (class == CKO_PUBLIC_KEY)
{
ret =
- pkcs11_obj_import_pubkey (pks, obj,
+ pkcs11_obj_import_pubkey (module, pks, obj,
find_data->p_list
[find_data->current],
&id, &label,
@@ -2536,13 +2359,13 @@ find_objs (pakchois_session_t * pks, struct token_info
*info,
}
gnutls_free (cert_data);
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; /* continue until all tokens
have been checked */
fail:
gnutls_free (cert_data);
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
if (plist.key_ids != NULL)
{
for (i = 0; i < plist.key_ids_size; i++)
@@ -2584,6 +2407,8 @@ gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t *
p_list,
int ret;
struct crt_find_data_st find_data;
+ memset (&find_data, 0, sizeof (find_data));
+
/* fill in the find data structure */
find_data.p_list = p_list;
find_data.n_list = n_list;
@@ -2603,8 +2428,10 @@ gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t *
p_list,
}
ret =
- _pkcs11_traverse_tokens (find_objs, &find_data,
+ _pkcs11_traverse_tokens (find_objs, &find_data, find_data.info,
pkcs11_obj_flags_to_int (flags));
+ p11_kit_uri_free (find_data.info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -2733,8 +2560,8 @@ cleanup:
}
static int
-find_flags (pakchois_session_t * pks, struct token_info *info,
- struct ck_info *lib_info, void *input)
+find_flags (struct ck_function_list * module, ck_session_handle_t pks,
+ struct token_info *info, struct ck_info *lib_info, void *input)
{
struct flags_find_data_st *find_data = input;
@@ -2746,8 +2573,8 @@ find_flags (pakchois_session_t * pks, struct token_info
*info,
/* do not bother reading the token if basic fields do not match
*/
- if (pkcs11_token_matches_info (&find_data->info, &info->tinfo, lib_info) <
- 0)
+ if (!p11_kit_uri_match_token_info (find_data->info, &info->tinfo) ||
+ !p11_kit_uri_match_module_info (find_data->info, lib_info))
{
gnutls_assert ();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
@@ -2775,6 +2602,7 @@ gnutls_pkcs11_token_get_flags (const char *url, unsigned
int *flags)
struct flags_find_data_st find_data;
int ret;
+ memset (&find_data, 0, sizeof (find_data));
ret = pkcs11_url_to_info (url, &find_data.info);
if (ret < 0)
{
@@ -2782,7 +2610,9 @@ gnutls_pkcs11_token_get_flags (const char *url, unsigned
int *flags)
return ret;
}
- ret = _pkcs11_traverse_tokens (find_flags, &find_data, 0);
+ ret = _pkcs11_traverse_tokens (find_flags, &find_data, find_data.info, 0);
+ p11_kit_uri_free (find_data.info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -2816,10 +2646,10 @@ gnutls_pkcs11_token_get_mechanism (const char *url, int
idx,
{
int ret;
ck_rv_t rv;
- pakchois_module_t *module;
+ struct ck_function_list *module;
ck_slot_id_t slot;
struct token_info tinfo;
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info = NULL;
unsigned long count;
ck_mechanism_type_t mlist[400];
@@ -2831,7 +2661,9 @@ gnutls_pkcs11_token_get_mechanism (const char *url, int
idx,
}
- ret = pkcs11_find_slot (&module, &slot, &info, &tinfo);
+ ret = pkcs11_find_slot (&module, &slot, info, &tinfo);
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -2839,7 +2671,7 @@ gnutls_pkcs11_token_get_mechanism (const char *url, int
idx,
}
count = sizeof (mlist) / sizeof (mlist[0]);
- rv = pakchois_get_mechanism_list (module, slot, mlist, &count);
+ rv = pkcs11_get_mechanism_list (module, slot, mlist, &count);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -2880,57 +2712,176 @@ gnutls_pkcs11_type_get_name (gnutls_pkcs11_obj_type_t
type)
}
}
-int
-pkcs11_token_matches_info (struct pkcs11_url_info *info,
- struct ck_token_info *tinfo,
- struct ck_info *lib_info)
+ck_rv_t
+pkcs11_get_slot_list (struct ck_function_list * module, unsigned char
token_present,
+ ck_slot_id_t *slot_list, unsigned long *count)
{
- if (info->manufacturer[0] != 0)
- {
- if (strcmp (info->manufacturer, tinfo->manufacturer_id) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ return (module)->C_GetSlotList (token_present, slot_list, count);
+}
- if (info->token[0] != 0)
- {
- if (strcmp (info->token, tinfo->label) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_get_module_info (struct ck_function_list * module,
+ struct ck_info * info)
+{
+ return (module)->C_GetInfo (info);
+}
- if (info->model[0] != 0)
- {
- if (strcmp (info->model, tinfo->model) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_get_slot_info(struct ck_function_list * module,
+ ck_slot_id_t slot_id,
+ struct ck_slot_info *info)
+{
+ return (module)->C_GetSlotInfo (slot_id, info);
+}
- if (info->serial[0] != 0)
- {
- if (strcmp (info->serial, tinfo->serial_number) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_get_token_info (struct ck_function_list * module,
+ ck_slot_id_t slot_id,
+ struct ck_token_info *info)
+{
+ return (module)->C_GetTokenInfo (slot_id, info);
+}
- if (info->lib_manufacturer[0] != 0)
- {
- if (strcmp (info->lib_manufacturer, lib_info->manufacturer_id) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_find_objects_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_attribute *templ,
+ unsigned long count)
+{
+ return (module)->C_FindObjectsInit (sess, templ, count);
+}
- if (info->lib_desc[0] != 0)
- {
- if (strcmp (info->lib_desc, lib_info->library_description) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_find_objects (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t *objects,
+ unsigned long max_object_count,
+ unsigned long *object_count)
+{
+ return (module)->C_FindObjects (sess, objects, max_object_count,
object_count);
+}
- if (info->lib_version[0] != 0)
- {
- char version[16];
+ck_rv_t
+pkcs11_find_objects_final (struct ck_function_list *module,
+ ck_session_handle_t sess)
+{
+ return (module)->C_FindObjectsFinal (sess);
+}
- snprintf (version, sizeof (version), "%u.%u",
- (unsigned int) lib_info->library_version.major,
- (unsigned int) lib_info->library_version.minor);
- if (strcmp (info->lib_version, version) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_close_session (struct ck_function_list *module,
+ ck_session_handle_t sess)
+{
+ return (module)->C_CloseSession (sess);
+}
- return 0;
+ck_rv_t
+pkcs11_get_attribute_value(struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t object,
+ struct ck_attribute *templ,
+ unsigned long count)
+{
+ return (module)->C_GetAttributeValue (sess, object, templ, count);
+}
+
+ck_rv_t
+pkcs11_get_mechanism_list (struct ck_function_list *module,
+ ck_slot_id_t slot_id,
+ ck_mechanism_type_t *mechanism_list,
+ unsigned long *count)
+{
+ return (module)->C_GetMechanismList (slot_id, mechanism_list, count);
+}
+
+ck_rv_t
+pkcs11_sign_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_mechanism *mechanism,
+ ck_object_handle_t key)
+{
+ return (module)->C_SignInit (sess, mechanism, key);
+}
+
+ck_rv_t
+pkcs11_sign (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *data,
+ unsigned long data_len,
+ unsigned char *signature,
+ unsigned long *signature_len)
+{
+ return (module)->C_Sign (sess, data, data_len, signature,
signature_len);
+}
+
+ck_rv_t
+pkcs11_decrypt_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_mechanism *mechanism,
+ ck_object_handle_t key)
+{
+ return (module)->C_DecryptInit (sess, mechanism, key);
+}
+
+ck_rv_t
+pkcs11_decrypt (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *encrypted_data,
+ unsigned long encrypted_data_len,
+ unsigned char *data, unsigned long *data_len)
+{
+ return (module)->C_Decrypt (sess, encrypted_data, encrypted_data_len,
+ data, data_len);
+}
+
+ck_rv_t
+pkcs11_create_object (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_attribute *templ,
+ unsigned long count,
+ ck_object_handle_t *object)
+{
+ return (module)->C_CreateObject (sess, templ, count, object);
+}
+
+ck_rv_t
+pkcs11_destroy_object (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t object)
+{
+ return (module)->C_DestroyObject (sess, object);
+}
+
+ck_rv_t
+pkcs11_init_token (struct ck_function_list *module,
+ ck_slot_id_t slot_id, unsigned char *pin,
+ unsigned long pin_len, unsigned char *label)
+{
+ return (module)->C_InitToken (slot_id, pin, pin_len, label);
+}
+
+ck_rv_t
+pkcs11_init_pin (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *pin,
+ unsigned long pin_len)
+{
+ return (module)->C_InitPIN (sess, pin, pin_len);
+}
+
+ck_rv_t
+pkcs11_set_pin (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *old_pin,
+ unsigned long old_len,
+ unsigned char *new_pin,
+ unsigned long new_len)
+{
+ return (module)->C_SetPIN (sess, old_pin, old_len, new_pin, new_len);
+}
+
+const char *
+pkcs11_strerror (ck_rv_t rv)
+{
+ return p11_kit_strerror (rv);
}
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index b2c1d46..874f9ae 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -1,12 +1,18 @@
#ifndef PKCS11_INT_H
#define PKCS11_INT_H
-#include <pakchois/pakchois.h>
+#ifdef ENABLE_PKCS11
+
+#define CRYPTOKI_GNU
#include <gnutls/pkcs11.h>
#define PKCS11_ID_SIZE 128
#define PKCS11_LABEL_SIZE 128
+#define P11_KIT_API_SUBJECT_TO_CHANGE 1
+#include <p11-kit/uri.h>
+#include <p11-kit/pkcs11.h>
+
typedef unsigned char ck_bool_t;
struct token_info
@@ -17,34 +23,11 @@ struct token_info
struct gnutls_pkcs11_provider_s *prov;
};
-struct pkcs11_url_info
-{
- /* everything here is null terminated strings */
- opaque id[PKCS11_ID_SIZE * 3 + 1]; /* hex with delimiters */
- opaque type[16]; /* cert/key etc. */
-
- opaque lib_manufacturer[sizeof
- (((struct ck_info *) NULL)->manufacturer_id) + 1];
- opaque lib_desc[sizeof
- (((struct ck_info *) NULL)->library_description) + 1];
- opaque lib_version[12];
-
- opaque manufacturer[sizeof
- (((struct ck_token_info *) NULL)->manufacturer_id) + 1];
- opaque token[sizeof (((struct ck_token_info *) NULL)->label) + 1];
- opaque serial[sizeof (((struct ck_token_info *) NULL)->serial_number) + 1];
- opaque model[sizeof (((struct ck_token_info *) NULL)->model) + 1];
- opaque label[PKCS11_LABEL_SIZE + 1];
-
- opaque certid_raw[PKCS11_ID_SIZE]; /* same as ID but raw */
- size_t certid_raw_size;
-};
-
struct gnutls_pkcs11_obj_st
{
gnutls_datum_t raw;
gnutls_pkcs11_obj_type_t type;
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
/* only when pubkey */
gnutls_datum_t pubkey[MAX_PUBLIC_PARAMS_SIZE];
@@ -56,46 +39,50 @@ struct gnutls_pkcs11_obj_st
* function. Once everything is traversed it is called with NULL tinfo.
* It should return 0 if found what it was looking for.
*/
-typedef int (*find_func_t) (pakchois_session_t * pks,
+typedef int (*find_func_t) (struct ck_function_list *module,
+ ck_session_handle_t pks,
struct token_info * tinfo, struct ck_info *,
void *input);
int pkcs11_rv_to_err (ck_rv_t rv);
-int pkcs11_url_to_info (const char *url, struct pkcs11_url_info *info);
+int pkcs11_url_to_info (const char *url, struct p11_kit_uri **info);
int
-pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot,
- struct pkcs11_url_info *info, struct token_info *_tinfo);
+pkcs11_find_slot (struct ck_function_list ** module, ck_slot_id_t * slot,
+ struct p11_kit_uri *info, struct token_info *_tinfo);
-int pkcs11_get_info (struct pkcs11_url_info *info,
+int pkcs11_get_info (struct p11_kit_uri *info,
gnutls_pkcs11_obj_info_t itype, void *output,
size_t * output_size);
-int pkcs11_login (pakchois_session_t * pks,
- const struct token_info *info, int admin);
+int pkcs11_login (struct ck_function_list * module, ck_session_handle_t pks,
+ const struct token_info *tinfo, struct p11_kit_uri *info,
int admin);
+
+int pkcs11_call_token_func (struct p11_kit_uri *info, const unsigned retry);
extern gnutls_pkcs11_token_callback_t token_func;
extern void *token_data;
void pkcs11_rescan_slots (void);
-int pkcs11_info_to_url (const struct pkcs11_url_info *info,
+int pkcs11_info_to_url (struct p11_kit_uri *info,
gnutls_pkcs11_url_type_t detailed, char **url);
#define SESSION_WRITE (1<<0)
#define SESSION_LOGIN (1<<1)
#define SESSION_SO (1<<2) /* security officer session */
-int pkcs11_open_session (pakchois_session_t ** _pks,
- struct pkcs11_url_info *info, unsigned int flags);
+int pkcs11_open_session (struct ck_function_list **_module,
ck_session_handle_t * _pks,
+ struct p11_kit_uri *info, unsigned int flags);
int _pkcs11_traverse_tokens (find_func_t find_func, void *input,
- unsigned int flags);
+ struct p11_kit_uri *info, unsigned int flags);
ck_object_class_t pkcs11_strtype_to_class (const char *type);
-int pkcs11_token_matches_info (struct pkcs11_url_info *info,
+int pkcs11_token_matches_info (struct p11_kit_uri *info,
struct ck_token_info *tinfo,
struct ck_info *lib_info);
/* flags are SESSION_* */
-int pkcs11_find_object (pakchois_session_t ** _pks,
+int pkcs11_find_object (struct ck_function_list ** _module,
+ ck_session_handle_t * _pks,
ck_object_handle_t * _obj,
- struct pkcs11_url_info *info, unsigned int flags);
+ struct p11_kit_uri *info, unsigned int flags);
unsigned int pkcs11_obj_flags_to_int (unsigned int flags);
@@ -110,4 +97,121 @@ _gnutls_pkcs11_privkey_decrypt_data
(gnutls_pkcs11_privkey_t key,
const gnutls_datum_t * ciphertext,
gnutls_datum_t * plaintext);
+ck_rv_t
+pkcs11_get_slot_list (struct ck_function_list * module,
+ unsigned char token_present,
+ ck_slot_id_t *slot_list,
+ unsigned long *count);
+
+ck_rv_t
+pkcs11_get_module_info (struct ck_function_list * module,
+ struct ck_info * info);
+
+ck_rv_t
+pkcs11_get_slot_info(struct ck_function_list * module,
+ ck_slot_id_t slot_id,
+ struct ck_slot_info *info);
+
+ck_rv_t
+pkcs11_get_token_info (struct ck_function_list * module,
+ ck_slot_id_t slot_id,
+ struct ck_token_info *info);
+
+ck_rv_t
+pkcs11_find_objects_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_attribute *templ,
+ unsigned long count);
+
+ck_rv_t
+pkcs11_find_objects (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t *objects,
+ unsigned long max_object_count,
+ unsigned long *object_count);
+
+ck_rv_t
+pkcs11_find_objects_final (struct ck_function_list *module,
+ ck_session_handle_t sess);
+
+ck_rv_t
+pkcs11_close_session (struct ck_function_list *module,
+ ck_session_handle_t sess);
+
+ck_rv_t
+pkcs11_get_attribute_value(struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t object,
+ struct ck_attribute *templ,
+ unsigned long count);
+
+ck_rv_t
+pkcs11_get_mechanism_list (struct ck_function_list *module,
+ ck_slot_id_t slot_id,
+ ck_mechanism_type_t *mechanism_list,
+ unsigned long *count);
+
+ck_rv_t
+pkcs11_sign_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_mechanism *mechanism,
+ ck_object_handle_t key);
+
+ck_rv_t
+pkcs11_sign (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *data,
+ unsigned long data_len,
+ unsigned char *signature,
+ unsigned long *signature_len);
+
+ck_rv_t
+pkcs11_decrypt_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_mechanism *mechanism,
+ ck_object_handle_t key);
+
+ck_rv_t
+pkcs11_decrypt (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *encrypted_data,
+ unsigned long encrypted_data_len,
+ unsigned char *data, unsigned long *data_len);
+
+ck_rv_t
+pkcs11_create_object (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_attribute *templ,
+ unsigned long count,
+ ck_object_handle_t *object);
+
+ck_rv_t
+pkcs11_destroy_object (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t object);
+
+ck_rv_t
+pkcs11_init_token (struct ck_function_list *module,
+ ck_slot_id_t slot_id, unsigned char *pin,
+ unsigned long pin_len, unsigned char *label);
+
+ck_rv_t
+pkcs11_init_pin (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *pin,
+ unsigned long pin_len);
+
+ck_rv_t
+pkcs11_set_pin (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *old_pin,
+ unsigned long old_len,
+ unsigned char *new_pin,
+ unsigned long new_len);
+
+const char *
+pkcs11_strerror (ck_rv_t rv);
+
+#endif /* ENABLE_PKCS11 */
+
#endif
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 9a66353..a981062 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -21,7 +21,6 @@
*/
#include <gnutls_int.h>
-#include <pakchois/pakchois.h>
#include <gnutls/pkcs11.h>
#include <stdio.h>
#include <string.h>
@@ -29,12 +28,15 @@
#include <gnutls_datum.h>
#include <pkcs11_int.h>
#include <gnutls_sig.h>
+#include <p11-kit/uri.h>
struct gnutls_pkcs11_privkey_st
{
gnutls_pk_algorithm_t pk_algorithm;
unsigned int flags;
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
+ gnutls_pkcs11_pin_callback_t pin_func;
+ void *pin_data;
};
/**
@@ -56,6 +58,14 @@ gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t * key)
return GNUTLS_E_MEMORY_ERROR;
}
+ (*key)->info = p11_kit_uri_new ();
+ if ((*key)->info == NULL)
+ {
+ free (*key);
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
return 0;
}
@@ -68,6 +78,7 @@ gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t * key)
void
gnutls_pkcs11_privkey_deinit (gnutls_pkcs11_privkey_t key)
{
+ p11_kit_uri_free (key->info);
gnutls_free (key);
}
@@ -109,26 +120,28 @@ gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t
pkey,
gnutls_pkcs11_obj_info_t itype,
void *output, size_t * output_size)
{
- return pkcs11_get_info (&pkey->info, itype, output, output_size);
+ return pkcs11_get_info (pkey->info, itype, output, output_size);
}
-#define FIND_OBJECT(pks, obj, key) \
+#define FIND_OBJECT(module, pks, obj, key) \
do { \
int retries = 0; \
int rret; \
- ret = pkcs11_find_object (&pks, &obj, &key->info, \
+ ret = pkcs11_find_object (&module, &pks, &obj, key->info, \
SESSION_LOGIN); \
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { \
if (token_func) \
{ \
- rret = token_func(token_data, key->info.token,
retries++); \
+ rret = pkcs11_call_token_func (key->info,
retries++); \
if (rret == 0) continue; \
} \
gnutls_assert(); \
return ret; \
- } \
- } while (ret < 0);
+ } else if (ret < 0) { \
+ return ret; \
+ } \
+ } while (0);
/*-
* _gnutls_pkcs11_privkey_sign_hash:
@@ -152,10 +165,11 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t
key,
int ret;
struct ck_mechanism mech;
unsigned long siglen;
- pakchois_session_t *pks;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
ck_object_handle_t obj;
- FIND_OBJECT (pks, obj, key);
+ FIND_OBJECT (module, pks, obj, key);
mech.mechanism =
key->pk_algorithm == GNUTLS_PK_DSA ? CKM_DSA : CKM_RSA_PKCS;
@@ -164,7 +178,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t
key,
/* Initialize signing operation; using the private key discovered
* earlier. */
- rv = pakchois_sign_init (pks, &mech, obj);
+ rv = pkcs11_sign_init (module, pks, &mech, obj);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -173,7 +187,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t
key,
}
/* Work out how long the signature must be: */
- rv = pakchois_sign (pks, hash->data, hash->size, NULL, &siglen);
+ rv = pkcs11_sign (module, pks, hash->data, hash->size, NULL, &siglen);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -184,7 +198,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t
key,
signature->data = gnutls_malloc (siglen);
signature->size = siglen;
- rv = pakchois_sign (pks, hash->data, hash->size, signature->data, &siglen);
+ rv = pkcs11_sign (module, pks, hash->data, hash->size, signature->data,
&siglen);
if (rv != CKR_OK)
{
gnutls_free (signature->data);
@@ -198,7 +212,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t
key,
ret = 0;
cleanup:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
@@ -222,7 +236,9 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t
pkey,
const char *url, unsigned int flags)
{
int ret;
- pakchois_session_t *pks;
+ struct ck_function_list *module;
+ struct ck_attribute *attr;
+ ck_session_handle_t pks;
ck_object_handle_t obj;
struct ck_attribute a[4];
ck_key_type_t key_type;
@@ -236,24 +252,27 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t
pkey,
pkey->flags = flags;
- if (pkey->info.type[0] != 0 && strcmp (pkey->info.type, "private") != 0)
+ attr = p11_kit_uri_get_attribute (pkey->info, CKA_CLASS);
+ if (!attr || attr->value_len != sizeof (ck_object_class_t) ||
+ *(ck_object_class_t*)attr->value != CKO_PRIVATE_KEY)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
- if (pkey->info.id[0] == 0)
+ attr = p11_kit_uri_get_attribute (pkey->info, CKA_ID);
+ if (!attr || !attr->value_len)
{
gnutls_assert ();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
- FIND_OBJECT (pks, obj, pkey);
+ FIND_OBJECT (module, pks, obj, pkey);
a[0].type = CKA_KEY_TYPE;
a[0].value = &key_type;
a[0].value_len = sizeof (key_type);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
switch (key_type)
{
@@ -273,7 +292,7 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t
pkey,
ret = 0;
cleanup:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
@@ -301,10 +320,11 @@ _gnutls_pkcs11_privkey_decrypt_data
(gnutls_pkcs11_privkey_t key,
int ret;
struct ck_mechanism mech;
unsigned long siglen;
- pakchois_session_t *pks;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
ck_object_handle_t obj;
- FIND_OBJECT (pks, obj, key);
+ FIND_OBJECT (module, pks, obj, key);
mech.mechanism =
key->pk_algorithm == GNUTLS_PK_DSA ? CKM_DSA : CKM_RSA_PKCS;
@@ -313,7 +333,7 @@ _gnutls_pkcs11_privkey_decrypt_data
(gnutls_pkcs11_privkey_t key,
/* Initialize signing operation; using the private key discovered
* earlier. */
- rv = pakchois_decrypt_init (pks, &mech, obj);
+ rv = pkcs11_decrypt_init (module, pks, &mech, obj);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -322,7 +342,7 @@ _gnutls_pkcs11_privkey_decrypt_data
(gnutls_pkcs11_privkey_t key,
}
/* Work out how long the plaintext must be: */
- rv = pakchois_decrypt (pks, ciphertext->data, ciphertext->size,
+ rv = pkcs11_decrypt (module, pks, ciphertext->data, ciphertext->size,
NULL, &siglen);
if (rv != CKR_OK)
{
@@ -334,7 +354,7 @@ _gnutls_pkcs11_privkey_decrypt_data
(gnutls_pkcs11_privkey_t key,
plaintext->data = gnutls_malloc (siglen);
plaintext->size = siglen;
- rv = pakchois_decrypt (pks, ciphertext->data, ciphertext->size,
+ rv = pkcs11_decrypt (module, pks, ciphertext->data, ciphertext->size,
plaintext->data, &siglen);
if (rv != CKR_OK)
{
@@ -349,7 +369,7 @@ _gnutls_pkcs11_privkey_decrypt_data
(gnutls_pkcs11_privkey_t key,
ret = 0;
cleanup:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
@@ -372,7 +392,7 @@ gnutls_pkcs11_privkey_export_url (gnutls_pkcs11_privkey_t
key,
{
int ret;
- ret = pkcs11_info_to_url (&key->info, detailed, url);
+ ret = pkcs11_info_to_url (key->info, detailed, url);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/pkcs11_secret.c b/lib/pkcs11_secret.c
index 037e569..45b0e92 100644
--- a/lib/pkcs11_secret.c
+++ b/lib/pkcs11_secret.c
@@ -50,8 +50,9 @@ gnutls_pkcs11_copy_secret_key (const char *token_url,
gnutls_datum_t * key,
/* GNUTLS_PKCS11_OBJ_FLAG_* */ )
{
int ret;
- pakchois_session_t *pks;
- struct pkcs11_url_info info;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
+ struct p11_kit_uri *info = NULL;
ck_rv_t rv;
struct ck_attribute a[12];
ck_object_class_t class = CKO_SECRET_KEY;
@@ -77,8 +78,10 @@ gnutls_pkcs11_copy_secret_key (const char *token_url,
gnutls_datum_t * key,
}
ret =
- pkcs11_open_session (&pks, &info,
+ pkcs11_open_session (&module, &pks, info,
SESSION_WRITE | pkcs11_obj_flags_to_int (flags));
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -126,11 +129,11 @@ gnutls_pkcs11_copy_secret_key (const char *token_url,
gnutls_datum_t * key,
a[a_val].value_len = sizeof (tval);
a_val++;
- rv = pakchois_create_object (pks, a, a_val, &obj);
+ rv = pkcs11_create_object (module, pks, a, a_val, &obj);
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
ret = pkcs11_rv_to_err (rv);
goto cleanup;
}
@@ -141,7 +144,7 @@ gnutls_pkcs11_copy_secret_key (const char *token_url,
gnutls_datum_t * key,
ret = 0;
cleanup:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 823b715..18ca768 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -47,8 +47,9 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
unsigned int flags)
{
int ret;
- pakchois_session_t *pks;
- struct pkcs11_url_info info;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
+ struct p11_kit_uri *info = NULL;
ck_rv_t rv;
size_t der_size, id_size;
opaque *der = NULL;
@@ -70,8 +71,10 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
}
ret =
- pkcs11_open_session (&pks, &info,
+ pkcs11_open_session (&module, &pks, info,
SESSION_WRITE | pkcs11_obj_flags_to_int (flags));
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -162,11 +165,11 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
a_val++;
}
- rv = pakchois_create_object (pks, a, a_val, &obj);
+ rv = pkcs11_create_object (module, pks, a, a_val, &obj);
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
ret = pkcs11_rv_to_err (rv);
goto cleanup;
}
@@ -179,7 +182,7 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
cleanup:
gnutls_free (der);
_gnutls_free_datum(&subject);
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
@@ -207,8 +210,9 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
unsigned int key_usage, unsigned int flags)
{
int ret;
- pakchois_session_t *pks = NULL;
- struct pkcs11_url_info info;
+ struct ck_function_list *module;
+ ck_session_handle_t pks = 0;
+ struct p11_kit_uri *info = NULL;
ck_rv_t rv;
size_t id_size;
opaque id[20];
@@ -234,13 +238,16 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
ret = gnutls_x509_privkey_get_key_id (key, 0, id, &id_size);
if (ret < 0)
{
+ p11_kit_uri_free (info);
gnutls_assert ();
goto cleanup;
}
ret =
- pkcs11_open_session (&pks, &info,
+ pkcs11_open_session (&module, &pks, info,
SESSION_WRITE | pkcs11_obj_flags_to_int (flags));
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -391,11 +398,11 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
goto cleanup;
}
- rv = pakchois_create_object (pks, a, a_val, &obj);
+ rv = pkcs11_create_object (module, pks, a, a_val, &obj);
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
ret = pkcs11_rv_to_err (rv);
goto cleanup;
}
@@ -435,8 +442,8 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
ret = 0;
cleanup:
- if (pks != NULL)
- pakchois_close_session (pks);
+ if (pks != 0)
+ pkcs11_close_session (module, pks);
return ret;
@@ -444,17 +451,19 @@ cleanup:
struct delete_data_st
{
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
unsigned int deleted; /* how many */
};
static int
-delete_obj_url (pakchois_session_t * pks,
+delete_obj_url (struct ck_function_list *module,
+ ck_session_handle_t pks,
struct token_info *info,
struct ck_info *lib_info, void *input)
{
struct delete_data_st *find_data = input;
struct ck_attribute a[4];
+ struct ck_attribute *attr;
ck_object_class_t class;
ck_certificate_type_t type = -1;
ck_rv_t rv;
@@ -471,44 +480,35 @@ delete_obj_url (pakchois_session_t * pks,
/* do not bother reading the token if basic fields do not match
*/
- if (pkcs11_token_matches_info (&find_data->info, &info->tinfo, lib_info) <
- 0)
+ if (!p11_kit_uri_match_module_info (find_data->info, lib_info) ||
+ !p11_kit_uri_match_token_info (find_data->info, &info->tinfo))
{
gnutls_assert ();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
+ /* Find objects with given class and type */
class = CKO_CERTIFICATE; /* default */
+ a_vals = 0;
- if (find_data->info.type[0] != 0)
+ attr = p11_kit_uri_get_attribute (find_data->info, CKA_CLASS);
+ if (attr != NULL)
{
- class = pkcs11_strtype_to_class (find_data->info.type);
+ if(attr->value && attr->value_len == sizeof (ck_object_class_t))
+ class = *((ck_object_class_t*)attr->value);
if (class == CKO_CERTIFICATE)
type = CKC_X_509;
-
- if (class == -1)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
}
- a_vals = 0;
+ a[a_vals].type = CKA_CLASS;
+ a[a_vals].value = &class;
+ a[a_vals].value_len = sizeof (class);
+ a_vals++;
- /* Find objects with given class and type */
- if (find_data->info.certid_raw_size > 0)
- {
- a[a_vals].type = CKA_ID;
- a[a_vals].value = find_data->info.certid_raw;
- a[a_vals].value_len = find_data->info.certid_raw_size;
- a_vals++;
- }
-
- if (class != -1)
+ attr = p11_kit_uri_get_attribute (find_data->info, CKA_ID);
+ if (attr != NULL)
{
- a[a_vals].type = CKA_CLASS;
- a[a_vals].value = &class;
- a[a_vals].value_len = sizeof class;
+ memcpy (a + a_vals, attr, sizeof (struct ck_attribute));
a_vals++;
}
@@ -520,15 +520,14 @@ delete_obj_url (pakchois_session_t * pks,
a_vals++;
}
- if (find_data->info.label[0] != 0)
+ attr = p11_kit_uri_get_attribute (find_data->info, CKA_LABEL);
+ if (attr != NULL)
{
- a[a_vals].type = CKA_LABEL;
- a[a_vals].value = find_data->info.label;
- a[a_vals].value_len = strlen (find_data->info.label);
+ memcpy (a + a_vals, attr, sizeof (struct ck_attribute));
a_vals++;
}
- rv = pakchois_find_objects_init (pks, a, a_vals);
+ rv = pkcs11_find_objects_init (module, pks, a, a_vals);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -537,13 +536,13 @@ delete_obj_url (pakchois_session_t * pks,
goto cleanup;
}
- while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count
== 1)
{
- rv = pakchois_destroy_object (pks, obj);
+ rv = pkcs11_destroy_object (module, pks, obj);
if (rv != CKR_OK)
{
_gnutls_debug_log
- ("pkcs11: Cannot destroy object: %s\n", pakchois_error (rv));
+ ("pkcs11: Cannot destroy object: %s\n", pkcs11_strerror (rv));
}
else
{
@@ -564,7 +563,7 @@ delete_obj_url (pakchois_session_t * pks,
}
cleanup:
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
return ret;
}
@@ -596,8 +595,10 @@ gnutls_pkcs11_delete_url (const char *object_url, unsigned
int flags)
}
ret =
- _pkcs11_traverse_tokens (delete_obj_url, &find_data,
+ _pkcs11_traverse_tokens (delete_obj_url, &find_data, find_data.info,
SESSION_WRITE | pkcs11_obj_flags_to_int (flags));
+ p11_kit_uri_free (find_data.info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -626,9 +627,9 @@ gnutls_pkcs11_token_init (const char *token_url,
const char *so_pin, const char *label)
{
int ret;
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info = NULL;
ck_rv_t rv;
- pakchois_module_t *module;
+ struct ck_function_list *module;
ck_slot_id_t slot;
char flabel[32];
@@ -639,7 +640,9 @@ gnutls_pkcs11_token_init (const char *token_url,
return ret;
}
- ret = pkcs11_find_slot (&module, &slot, &info, NULL);
+ ret = pkcs11_find_slot (&module, &slot, info, NULL);
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -652,12 +655,12 @@ gnutls_pkcs11_token_init (const char *token_url,
memcpy (flabel, label, strlen (label));
rv =
- pakchois_init_token (module, slot, (char *) so_pin, strlen (so_pin),
- flabel);
+ pkcs11_init_token (module, slot, (char *) so_pin, strlen (so_pin),
+ flabel);
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
return pkcs11_rv_to_err (rv);
}
@@ -685,8 +688,9 @@ gnutls_pkcs11_token_set_pin (const char *token_url,
const char *newpin, unsigned int flags)
{
int ret;
- pakchois_session_t *pks;
- struct pkcs11_url_info info;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
+ struct p11_kit_uri *info = NULL;
ck_rv_t rv;
unsigned int ses_flags;
@@ -703,7 +707,9 @@ gnutls_pkcs11_token_set_pin (const char *token_url,
else
ses_flags = SESSION_WRITE | SESSION_LOGIN;
- ret = pkcs11_open_session (&pks, &info, ses_flags);
+ ret = pkcs11_open_session (&module, &pks, info, ses_flags);
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -712,24 +718,24 @@ gnutls_pkcs11_token_set_pin (const char *token_url,
if (oldpin == NULL)
{
- rv = pakchois_init_pin (pks, (char *) newpin, strlen (newpin));
+ rv = pkcs11_init_pin (module, pks, (char *) newpin, strlen (newpin));
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
ret = pkcs11_rv_to_err (rv);
goto finish;
}
}
else
{
- rv = pakchois_set_pin (pks,
- (char *) oldpin, strlen (oldpin),
- (char *) newpin, strlen (newpin));
+ rv = pkcs11_set_pin (module, pks,
+ (char *) oldpin, strlen (oldpin),
+ (char *) newpin, strlen (newpin));
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
ret = pkcs11_rv_to_err (rv);
goto finish;
}
@@ -738,7 +744,7 @@ gnutls_pkcs11_token_set_pin (const char *token_url,
ret = 0;
finish:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
diff --git a/src/Makefile.am b/src/Makefile.am
index bf39f39..82c6e31 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -32,15 +32,22 @@ AM_CPPFLAGS = \
noinst_PROGRAMS = benchmark
bin_PROGRAMS = gnutls-serv gnutls-cli psktool gnutls-cli-debug
if ENABLE_PKI
-bin_PROGRAMS += certtool p11tool
+bin_PROGRAMS += certtool
endif
if ENABLE_SRP
bin_PROGRAMS += srptool
endif
+if ENABLE_PKCS11
+bin_PROGRAMS += p11tool
+PKCS11_SRCS = p11common.c p11common.h
+else
+PKCS11_SRCS =
+endif
+
noinst_LTLIBRARIES =
-gnutls_serv_SOURCES = list.h serv.c common.h common.c certtool-common.h
p11common.c p11common.h
+gnutls_serv_SOURCES = list.h serv.c common.h common.c certtool-common.h
$(PKCS11_SRCS)
gnutls_serv_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la
gnutls_serv_LDADD += libcmd-serv.la ../gl/libgnu.la
@@ -66,7 +73,7 @@ libcmd_psk_la_SOURCES = psk.gaa psk-gaa.h psk-gaa.c
benchmark_SOURCES = benchmark.c
benchmark_LDADD = ../lib/libgnutls.la ../gl/libgnu.la $(LIB_CLOCK_GETTIME)
-gnutls_cli_SOURCES = cli.c common.h common.c p11common.c p11common.h
+gnutls_cli_SOURCES = cli.c common.h common.c $(PKCS11_SRCS)
gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la
gnutls_cli_LDADD += libcmd-cli.la ../gl/libgnu.la
gnutls_cli_LDADD += $(LTLIBGCRYPT) $(LIBSOCKET) $(GETADDRINFO_LIB)
@@ -74,7 +81,7 @@ noinst_LTLIBRARIES += libcmd-cli.la
libcmd_cli_la_CFLAGS =
libcmd_cli_la_SOURCES = cli.gaa cli-gaa.h cli-gaa.c
-gnutls_cli_debug_SOURCES = tls_test.c tests.h tests.c common.h common.c
p11common.c p11common.h
+gnutls_cli_debug_SOURCES = tls_test.c tests.h tests.c common.h common.c
$(PKCS11_SRCS)
gnutls_cli_debug_LDADD = ../lib/libgnutls.la libcmd-cli-debug.la
gnutls_cli_debug_LDADD += ../gl/libgnu.la $(LIBSOCKET) $(GETADDRINFO_LIB)
noinst_LTLIBRARIES += libcmd-cli-debug.la
@@ -83,7 +90,7 @@ libcmd_cli_debug_la_SOURCES = tls_test.gaa tls_test-gaa.h
tls_test-gaa.c
#certtool
-certtool_SOURCES = certtool.c prime.c certtool-common.c p11common.c p11common.h
+certtool_SOURCES = certtool.c prime.c certtool-common.c $(PKCS11_SRCS)
certtool_LDADD = ../lib/libgnutls.la
certtool_LDADD += libcmd-certtool.la ../gl/libgnu.la
certtool_LDADD += $(LTLIBGCRYPT)
@@ -107,6 +114,8 @@ libcmd_certtool_la_LIBADD += ../lib/libgnutls.la
libcmd_certtool_la_LIBADD += ../gl/libgnu.la $(INET_PTON_LIB)
# p11 tool
+if ENABLE_PKCS11
+
p11tool_gaa_CFLAGS =
p11tool_SOURCES = p11tool.gaa p11tool.c pkcs11.c certtool-common.c p11tool.h
p11common.c
p11tool_LDADD = ../lib/libgnutls.la
@@ -118,6 +127,7 @@ p11tool_LDADD += -lcfg+
else
p11tool_LDADD += libcfg.la
endif
+
noinst_LTLIBRARIES += libcmd-p11tool.la
libcmd_p11tool_la_CFLAGS =
libcmd_p11tool_la_SOURCES = p11tool-gaa.c p11tool.gaa p11tool-gaa.h \
@@ -126,14 +136,17 @@ libcmd_p11tool_la_LIBADD = ../gl/libgnu.la
$(LTLIBREADLINE)
libcmd_p11tool_la_LIBADD += ../lib/libgnutls.la
libcmd_p11tool_la_LIBADD += ../gl/libgnu.la $(INET_PTON_LIB)
+endif # ENABLE_PKCS11
psk-gaa.c: $(srcdir)/psk.gaa
-$(GAA) $< -o psk-gaa.c -i psk-gaa.h
crypt-gaa.c: $(srcdir)/crypt.gaa
-$(GAA) $< -o crypt-gaa.c -i crypt-gaa.h
+if ENABLE_PKCS11
p11tool-gaa.c: $(srcdir)/p11tool.gaa
-$(GAA) $< -o p11tool-gaa.c -i p11tool-gaa.h
+endif
certtool-gaa.c: $(srcdir)/certtool.gaa
-$(GAA) $< -o certtool-gaa.c -i certtool-gaa.h
cli-gaa.c: $(srcdir)/cli.gaa
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 91fbbeb..1482d34 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -146,6 +146,8 @@ gnutls_x509_privkey_t xkey;
return key;
}
+#ifdef ENABLE_PKCS11
+
static gnutls_privkey_t _load_pkcs11_privkey(const char* url)
{
int ret;
@@ -257,6 +259,7 @@ unsigned int obj_flags = 0;
return pubkey;
}
+#endif /* ENABLE_PKCS11 */
/* Load the private key.
* @mand should be non zero if it is required to read a private key.
@@ -274,8 +277,10 @@ load_private_key (int mand, common_info_st * info)
if (info->privkey == NULL)
error (EXIT_FAILURE, 0, "missing --load-privkey");
+#ifdef ENABLE_PKCS11
if (strncmp(info->privkey, "pkcs11:", 7) == 0)
return _load_pkcs11_privkey(info->privkey);
+#endif
dat.data = read_binary_file (info->privkey, &size);
dat.size = size;
@@ -480,8 +485,10 @@ load_ca_private_key (common_info_st * info)
if (info->ca_privkey == NULL)
error (EXIT_FAILURE, 0, "missing --load-ca-privkey");
+#ifdef ENABLE_PKCS11
if (strncmp(info->ca_privkey, "pkcs11:", 7) == 0)
return _load_pkcs11_privkey(info->ca_privkey);
+#endif
dat.data = read_binary_file (info->ca_privkey, &size);
dat.size = size;
@@ -547,8 +554,10 @@ load_pubkey (int mand, common_info_st * info)
if (info->pubkey == NULL)
error (EXIT_FAILURE, 0, "missing --load-pubkey");
+#ifdef ENABLE_PKCS11
if (strncmp(info->pubkey, "pkcs11:", 7) == 0)
return _load_pkcs11_pubkey(info->pubkey);
+#endif
ret = gnutls_pubkey_init (&key);
if (ret < 0)
diff --git a/src/certtool.c b/src/certtool.c
index 061980d..832ca53 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1076,8 +1076,10 @@ gaa_parser (int argc, char **argv)
if ((ret = gnutls_global_init ()) < 0)
error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret));
-
+
+#ifdef ENABLE_PKCS11
pkcs11_common();
+#endif
memset (&cinfo, 0, sizeof (cinfo));
cinfo.privkey = info.privkey;
@@ -1174,7 +1176,9 @@ gaa_parser (int argc, char **argv)
}
fclose (outfile);
+#ifdef ENABLE_PKCS11
gnutls_pkcs11_deinit ();
+#endif
gnutls_global_deinit ();
}
diff --git a/src/cli.c b/src/cli.c
index b97a758..5372bae 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -170,10 +170,11 @@ load_keys (void)
{
unsigned int crt_num;
int ret;
- gnutls_datum_t data;
+ gnutls_datum_t data = { NULL, 0 };
if (x509_certfile != NULL && x509_keyfile != NULL)
{
+#ifdef ENABLE_PKCS11
if (strncmp (x509_certfile, "pkcs11:", 7) == 0)
{
crt_num = 1;
@@ -195,6 +196,7 @@ load_keys (void)
x509_crt_size = 1;
}
else
+#endif /* ENABLE_PKCS11 */
{
data = load_file (x509_certfile);
@@ -232,6 +234,7 @@ load_keys (void)
unload_file (data);
+#ifdef ENABLE_PKCS11
if (strncmp (x509_keyfile, "pkcs11:", 7) == 0)
{
gnutls_pkcs11_privkey_init (&pkcs11_key);
@@ -246,6 +249,7 @@ load_keys (void)
}
}
else
+#endif /* ENABLE_PKCS11 */
{
data = load_file (x509_keyfile);
if (data.data == NULL)
@@ -295,6 +299,7 @@ load_keys (void)
unload_file (data);
+#ifdef ENABLE_PKCS11
if (strncmp (pgp_keyfile, "pkcs11:", 7) == 0)
{
gnutls_pkcs11_privkey_init (&pkcs11_key);
@@ -308,6 +313,7 @@ load_keys (void)
}
}
else
+#endif /* ENABLE_PKCS11 */
{
data = load_file (pgp_keyfile);
@@ -744,7 +750,9 @@ main (int argc, char **argv)
exit (1);
}
+#ifdef ENABLE_PKCS11
pkcs11_common ();
+#endif
gaa_parser (argc, argv);
if (hostname == NULL)
{
@@ -1160,11 +1168,10 @@ psk_callback (gnutls_session_t session, char
**username, gnutls_datum_t * key)
{
char *tmp = NULL;
size_t n;
- ssize_t len;
printf ("Enter PSK identity: ");
fflush (stdout);
- len = getline (&tmp, &n, stdin);
+ getline (&tmp, &n, stdin);
if (tmp == NULL)
{
diff --git a/src/p11common.c b/src/p11common.c
index 0060c88..1ef7c9c 100644
--- a/src/p11common.c
+++ b/src/p11common.c
@@ -102,7 +102,6 @@ static int
token_callback (void *user, const char *label, const unsigned retry)
{
char buf[32];
- char *p;
if (retry > 0)
{
@@ -110,7 +109,7 @@ token_callback (void *user, const char *label, const
unsigned retry)
return -1;
}
printf ("Please insert token '%s' in slot and press enter\n", label);
- p = fgets (buf, sizeof (buf), stdin);
+ fgets (buf, sizeof (buf), stdin);
return 0;
}
diff --git a/src/p11tool.c b/src/p11tool.c
index 7e97fb1..ce3bebb 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -161,6 +161,8 @@ gaa_parser (int argc, char **argv)
}
fclose (outfile);
+#ifdef ENABLE_PKCS11
gnutls_pkcs11_deinit ();
+#endif
gnutls_global_deinit ();
}
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 20a076f..cd42c6c 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -799,13 +799,9 @@ pkcs11_mechanism_list (FILE * outfile, const char *url,
unsigned int login,
{
int ret;
int idx;
- unsigned int obj_flags = 0;
unsigned long mechanism;
const char *str;
- if (login)
- obj_flags = GNUTLS_PKCS11_OBJ_FLAG_LOGIN;
-
pkcs11_common ();
if (url == NULL)
diff --git a/src/serv.c b/src/serv.c
index 1c90715..2dfb492 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -869,7 +869,9 @@ main (int argc, char **argv)
exit (1);
}
+#ifdef ENABLE_PKCS11
pkcs11_common ();
+#endif
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (debug);
diff --git a/tests/suite/mini-eagain2.c b/tests/suite/mini-eagain2.c
index 284fdc9..59a096b 100644
--- a/tests/suite/mini-eagain2.c
+++ b/tests/suite/mini-eagain2.c
@@ -21,11 +21,13 @@
static int done = 0;
+#if 0
static void
tls_log_func (int level, const char *str)
{
fprintf(stderr, "|<%d>| %s", level, str);
}
+#endif
static const char*
SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_description_t status)
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_7_a-23-ge336851,
Nikos Mavrogiannopoulos <=