authorStef Walter <stefw@collabora.co.uk>2011-06-07 20:20:17 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2011-08-01 18:05:24 +0200
commitff80f1ae165bdb30979da036c68b94f9c4a097d1 (patch)
tree82cd7c4b4aa93437c3938b67f1678fd78c49ba77
parent77f1d2a2d1f5a4bce8fff4e59494e8b2594b2b80 (diff)
downloadgnutls-ff80f1ae165bdb30979da036c68b94f9c4a097d1.tar.gz
The attached patch ports gnutls to p11-kit.
* p11-kit is added as a dependency. p11-kit itself has no dependencies outside of basic libc stuff. The source code for p11-kit is available both in git and tarball form. * If the gnutls dependency on p11-kit is disabled (via a configure option) then the PKCS#11 support is disabled. This is useful on bare-bones embedded systems or in other places where dependencies must be kept to a minimum. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--configure.ac14
-rw-r--r--doc/examples/Makefile.am5
-rw-r--r--lib/Makefile.am14
-rw-r--r--lib/auth_cert.c9
-rw-r--r--lib/configure.ac13
-rw-r--r--lib/gnutls_global.c4
-rw-r--r--lib/gnutls_privkey.c15
-rw-r--r--lib/gnutls_pubkey.c9
-rw-r--r--lib/gnutls_x509.c10
-rw-r--r--lib/includes/gnutls/pkcs11.h2
-rw-r--r--lib/pakchois/dlopen.c51
-rw-r--r--lib/pakchois/dlopen.h21
-rw-r--r--lib/pakchois/errors.c234
-rw-r--r--lib/pakchois/pakchois.c1242
-rw-r--r--lib/pakchois/pakchois.h380
-rw-r--r--lib/pakchois/pakchois11.h1369
-rw-r--r--lib/pkcs11.c1513
-rw-r--r--lib/pkcs11_int.h177
-rw-r--r--lib/pkcs11_privkey.c66
-rw-r--r--lib/pkcs11_secret.c15
-rw-r--r--lib/pkcs11_write.c134
-rw-r--r--src/Makefile.am23
-rw-r--r--src/certtool-common.c9
-rw-r--r--src/certtool.c6
-rw-r--r--src/cli.c8
-rw-r--r--src/p11tool.c2
-rw-r--r--src/serv.c2
27 files changed, 1056 insertions, 4291 deletions
diff --git a/configure.ac b/configure.ac
index 3ed57ea2bd..7dee081c61 100644
--- a/configure.ac
+++ b/configure.ac
@@ -79,6 +79,19 @@ AC_DEFINE([HAVE_ERRNO_H], 1, [Hard-code for src/cfg/.])
AC_CHECK_FUNCS(fork,,)
AM_CONDITIONAL(HAVE_FORK, test "$ac_cv_func_fork" != "no")
+dnl Check for p11-kit
+AC_ARG_WITH(p11-kit,
+ AS_HELP_STRING([--without-p11-kit],
+ [Build without p11-kit and PKCS#11 support]))
+AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
+if test "$with_p11_kit" != "no"; then
+ PKG_CHECK_MODULES(P11_KIT, [p11-kit-1])
+ AC_DEFINE(ENABLE_PKCS11, 1, [Build PKCS#11 support])
+ CFLAGS="$CFLAGS $P11_KIT_CFLAGS"
+ LIBS="$LIBS $P11_KIT_LIBS"
+ with_p11_kit=yes
+fi
+
AC_CHECK_TYPES(uint,,, [
# include <sys/types.h>
])
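Review bot: The added block appends `$P11_KIT_CFLAGS` and `$P11_KIT_LIBS` to the global `CFLAGS` and `LIBS`, so everything configured here is compiled and linked against p11-kit, not only the PKCS#11 code. `PKG_CHECK_MODULES` already substitutes both variables, so the Makefile.am targets that need them could reference `$(P11_KIT_CFLAGS)` and `$(P11_KIT_LIBS)` directly and keep the dependency scoped. `PKG_CHECK_MODULES(P11_KIT, [p11-kit-1])` also names no minimum version; if the port relies on a particular release, state it as `[p11-kit-1 >= VERSION]` (VERSION is a placeholder). The same block is repeated in lib/configure.ac, and the two copies have to be kept in step.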
@@ -312,4 +325,5 @@ AC_MSG_NOTICE([summary of build options:
OpenSSL library: $enable_openssl
/dev/crypto: $enable_cryptodev
Crypto library: $cryptolib
+ PKCS#11 support: $with_p11_kit
])
diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
index 068d7fc25c..706ccc2f3c 100644
--- a/doc/examples/Makefile.am
+++ b/doc/examples/Makefile.am
@@ -43,7 +43,6 @@ CXX_LDADD = $(LDADD) \
noinst_PROGRAMS = ex-client2 ex-client-resume
noinst_PROGRAMS += ex-cert-select ex-rfc2818
-noinst_PROGRAMS += ex-cert-select-pkcs11
if ENABLE_PKI
noinst_PROGRAMS += ex-crq ex-serv1
@@ -63,6 +62,10 @@ if ENABLE_OPENPGP
noinst_PROGRAMS += ex-serv-pgp
endif
+if ENABLE_PKCS11
+noinst_PROGRAMS += ex-cert-select-pkcs11
+endif
+
if ENABLE_PSK
noinst_PROGRAMS += ex-client-psk
if ENABLE_PKI
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 10307a132c..2e40e189af 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -80,9 +80,11 @@ COBJECTS = gnutls_record.c gnutls_compress.c debug.c gnutls_cipher.c \
auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \
crypto.c random.c ext_signature.c cryptodev.c system.c \
crypto-api.c ext_safe_renegotiation.c gnutls_privkey.c \
- pkcs11.c pkcs11_privkey.c gnutls_pubkey.c pkcs11_write.c locks.c \
- pkcs11_secret.c
+ gnutls_pubkey.c locks.c
+if ENABLE_PKCS11
+COBJECTS += pkcs11.c pkcs11_privkey.c pkcs11_write.c pkcs11_secret.c
+endif
if ENABLE_NETTLE
SUBDIRS += nettle
@@ -105,11 +107,11 @@ HFILES = abstract_int.h debug.h gnutls_compress.h gnutls_cipher.h \
gnutls_helper.h auth_psk.h auth_psk_passwd.h \
gnutls_supplemental.h crypto.h random.h system.h \
ext_session_ticket.h ext_signature.h gnutls_cryptodev.h \
- ext_safe_renegotiation.h locks.h gnutls_mbuffers.h \
- pkcs11_int.h
+ ext_safe_renegotiation.h locks.h gnutls_mbuffers.h
-COBJECTS+=pakchois/pakchois.c pakchois/errors.c pakchois/dlopen.c
-HFILES+=pakchois/pakchois.h pakchois/pakchois11.h pakchois/dlopen.h
+if ENABLE_PKCS11
+HFILES += pkcs11_int.h pkcs11_spec.h
+endif
# Separate so we can create the documentation
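Review bot: `HFILES += pkcs11_int.h pkcs11_spec.h` names a header, pkcs11_spec.h, that does not appear in this commit's list of changed files, so unless it already exists in lib/ the build and distribution targets have nothing to pick up for it. It is worth confirming the file is in the tree, or adding it to this commit. A short comment above the conditional, such as `# PKCS#11 sources and headers are only built when p11-kit is enabled`, would also explain why these entries were split from the main lists.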
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index 978621155a..9dbb67722e 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -62,9 +62,10 @@ static gnutls_cert *alloc_and_load_x509_certs (gnutls_x509_crt_t * certs,
static gnutls_privkey_t alloc_and_load_x509_key (gnutls_x509_privkey_t key,
int deinit);
+#ifdef ENABLE_PKCS11
static gnutls_privkey_t alloc_and_load_pkcs11_key (gnutls_pkcs11_privkey_t
key, int deinit);
-
+#endif
/* Copies data from a internal certificate struct (gnutls_cert) to
* exported certificate struct (cert_auth_info_t)
@@ -569,6 +570,7 @@ call_get_cert_callback (gnutls_session_t session,
}
break;
#endif
+#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
if (st2.key.pkcs11 != NULL)
{
@@ -582,6 +584,7 @@ call_get_cert_callback (gnutls_session_t session,
}
}
break;
+#endif
case GNUTLS_PRIVKEY_X509:
if (st2.key.x509 != NULL)
{
@@ -1970,6 +1973,8 @@ alloc_and_load_pgp_key (gnutls_openpgp_privkey_t key, int deinit)
}
#endif
+#ifdef ENABLE_PKCS11
+
/* converts the given raw key to gnutls_privkey* and allocates
* space for it.
*/
@@ -2003,6 +2008,8 @@ alloc_and_load_pkcs11_key (gnutls_pkcs11_privkey_t key, int deinit)
return local_key;
}
+#endif
+
void
_gnutls_selected_certs_deinit (gnutls_session_t session)
{
diff --git a/lib/configure.ac b/lib/configure.ac
index 8d873a2baa..9ad86a374a 100644
--- a/lib/configure.ac
+++ b/lib/configure.ac
@@ -96,6 +96,19 @@ fi
AC_SUBST(GNUTLS_REQUIRES_PRIVATE)
AC_SUBST(GNUTLS_ZLIB_LIBS_PRIVATE)
+dnl Check for p11-kit
+AC_ARG_WITH(p11-kit,
+ AS_HELP_STRING([--without-p11-kit],
+ [Build without p11-kit and PKCS#11 support]))
+AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
+if test "$with_p11_kit" != "no"; then
+ PKG_CHECK_MODULES(P11_KIT, [p11-kit-1])
+ AC_DEFINE(ENABLE_PKCS11, 1, [Build PKCS#11 support])
+ CFLAGS="$CFLAGS $P11_KIT_CFLAGS"
+ LIBS="$LIBS $P11_KIT_LIBS"
+ with_p11_kit=yes
+fi
+
lgl_INIT
AC_CHECK_FUNCS(getrusage,,)
diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index 60656d62d3..572432cdee 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -248,7 +248,9 @@ gnutls_global_init (void)
goto out;
}
+#ifdef ENABLE_PKCS11
gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL);
+#endif
_gnutls_cryptodev_init ();
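Review bot: The return value of `gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL)` is dropped inside the new `#ifdef ENABLE_PKCS11` block, so a failure to initialise the PKCS#11 layer is invisible to the caller of gnutls_global_init. Since this call is presumably where modules get registered for every process that uses the library (pkcs11.c is not visible in this part of the page), a failed or partial load should at least be logged. If ignoring the result is deliberate, a comment such as `/* best effort: a PKCS#11 init failure is not fatal here */` would record that. gnutls_global_init starts and ends outside the hunk.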
@@ -277,7 +279,9 @@ gnutls_global_deinit (void)
asn1_delete_structure (&_gnutls_pkix1_asn);
_gnutls_crypto_deregister ();
_gnutls_cryptodev_deinit ();
+#ifdef ENABLE_PKCS11
gnutls_pkcs11_deinit ();
+#endif
}
_gnutls_init--;
}
diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c
index 2f5d06b5b5..499640e011 100644
--- a/lib/gnutls_privkey.c
+++ b/lib/gnutls_privkey.c
@@ -21,7 +21,6 @@
*/
#include <gnutls_int.h>
-#include <pakchois/pakchois.h>
#include <gnutls/pkcs11.h>
#include <stdio.h>
#include <string.h>
@@ -44,7 +43,9 @@ struct gnutls_privkey_st
union
{
gnutls_x509_privkey_t x509;
+#ifdef ENABLE_PKCS11
gnutls_pkcs11_privkey_t pkcs11;
+#endif
#ifdef ENABLE_OPENPGP
gnutls_openpgp_privkey_t openpgp;
#endif
@@ -90,8 +91,10 @@ gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key, unsigned int *bits)
case GNUTLS_PRIVKEY_OPENPGP:
return gnutls_openpgp_privkey_get_pk_algorithm (key->key.openpgp, bits);
#endif
+#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return gnutls_pkcs11_privkey_get_pk_algorithm (key->key.pkcs11, bits);
+#endif
case GNUTLS_PRIVKEY_X509:
if (bits)
*bits = _gnutls_mpi_get_nbits (key->key.x509->params[0]);
@@ -276,9 +279,11 @@ gnutls_privkey_deinit (gnutls_privkey_t key)
gnutls_openpgp_privkey_deinit (key->key.openpgp);
break;
#endif
+#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
gnutls_pkcs11_privkey_deinit (key->key.pkcs11);
break;
+#endif
case GNUTLS_PRIVKEY_X509:
gnutls_x509_privkey_deinit (key->key.x509);
break;
@@ -296,6 +301,8 @@ static int check_if_clean(gnutls_privkey_t key)
return 0;
}
+#ifdef ENABLE_PKCS11
+
/**
* gnutls_privkey_import_pkcs11:
* @pkey: The private key
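Review bot: Wrapping gnutls_privkey_import_pkcs11 in `#ifdef ENABLE_PKCS11` removes an exported function from builds configured with `--without-p11-kit`, while this file still includes `<gnutls/pkcs11.h>` unconditionally, so applications built against the installed headers would presumably fail at link time instead of getting a run-time error. Keeping the symbol and giving it an `#else` body that does `return GNUTLS_E_UNIMPLEMENTED_FEATURE;` would keep the exported interface the same in both configurations. The same applies to gnutls_pubkey_import_pkcs11 and gnutls_pubkey_import_pkcs11_url in lib/gnutls_pubkey.c. The function body lies outside this hunk.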
@@ -332,6 +339,8 @@ int ret;
return 0;
}
+#endif /* ENABLE_PKCS11 */
+
/**
* gnutls_privkey_import_x509:
* @pkey: The private key
@@ -567,9 +576,11 @@ _gnutls_privkey_sign_hash (gnutls_privkey_t key,
return gnutls_openpgp_privkey_sign_hash (key->key.openpgp,
hash, signature);
#endif
+#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return _gnutls_pkcs11_privkey_sign_hash (key->key.pkcs11,
hash, signature);
+#endif
case GNUTLS_PRIVKEY_X509:
return _gnutls_soft_sign (key->key.x509->pk_algorithm,
key->key.x509->params,
@@ -616,10 +627,12 @@ gnutls_privkey_decrypt_data (gnutls_privkey_t key,
return _gnutls_pkcs1_rsa_decrypt (plaintext, ciphertext,
key->key.x509->params,
key->key.x509->params_size, 2);
+#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return _gnutls_pkcs11_privkey_decrypt_data (key->key.pkcs11,
flags,
ciphertext, plaintext);
+#endif
default:
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 49688f7975..dc4f545482 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -21,7 +21,6 @@
*/
#include <gnutls_int.h>
-#include <pakchois/pakchois.h>
#include <gnutls/pkcs11.h>
#include <stdio.h>
#include <string.h>
@@ -32,7 +31,6 @@
#include <gnutls_pk.h>
#include <x509_int.h>
#include <openpgp/openpgp_int.h>
-#include <pkcs11_int.h>
#include <gnutls_num.h>
#include <x509/common.h>
#include <x509_b64.h>
@@ -272,6 +270,7 @@ gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key,
return ret;
}
+#ifdef ENABLE_PKCS11
/**
* gnutls_pubkey_import_pkcs11: Imports a public key from a pkcs11 key
@@ -325,6 +324,8 @@ gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t key,
return 0;
}
+#endif /* ENABLE_PKCS11 */
+
#ifdef ENABLE_OPENPGP
/**
* gnutls_pubkey_import_openpgp: Imports a public key from an openpgp key
@@ -846,6 +847,8 @@ gnutls_pubkey_set_key_usage (gnutls_pubkey_t key, unsigned int usage)
return 0;
}
+#ifdef ENABLE_PKCS11
+
/**
* gnutls_pubkey_import_pkcs11_url:
* @key: A key of type #gnutls_pubkey_t
@@ -895,6 +898,8 @@ cleanup:
return ret;
}
+#endif /* ENABLE_PKCS11 */
+
/**
* gnutls_pubkey_import_rsa_raw:
* @key: Is a structure will hold the parameters
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 6ee0549c5c..9b74ef5c70 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -491,6 +491,8 @@ read_key_mem (gnutls_certificate_credentials_t res,
return 0;
}
+#ifdef ENABLE_PKCS11
+
/* Reads a private key from a token.
*/
static int
@@ -688,6 +690,8 @@ read_cert_url (gnutls_certificate_credentials_t res, const char *url)
}
+#endif /* ENABLE_PKCS11 */
+
/* Reads a certificate file
*/
static int
@@ -698,10 +702,12 @@ read_cert_file (gnutls_certificate_credentials_t res,
size_t size;
char *data;
+#ifdef ENABLE_PKCS11
if (strncmp (certfile, "pkcs11:", 7) == 0)
{
return read_cert_url (res, certfile);
}
+#endif /* ENABLE_PKCS11 */
data = read_binary_file (certfile, &size);
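Review bot: With ENABLE_PKCS11 undefined, a `certfile` beginning with `pkcs11:` is no longer recognised as a token URL and falls through to `read_binary_file (certfile, &size)`, so it is treated as an ordinary path. On a build without p11-kit that turns a token reference into a lookup of a file with that literal name, and the caller gets a file error (or whatever such a file contains) instead of being told that PKCS#11 is unavailable. An `#else` branch that rejects the prefix, `if (strncmp (certfile, "pkcs11:", 7) == 0) return GNUTLS_E_UNIMPLEMENTED_FEATURE;`, would fail closed with a clear code. The same pattern appears in the read_key_file and gnutls_certificate_set_x509_trust_file hunks below, where it decides where private keys and trust anchors are read from. read_cert_file continues outside the hunk.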
@@ -731,10 +737,12 @@ read_key_file (gnutls_certificate_credentials_t res,
size_t size;
char *data;
+#ifdef ENABLE_PKCS11
if (strncmp (keyfile, "pkcs11:", 7) == 0)
{
return read_key_url (res, keyfile);
}
+#endif /* ENABLE_PKCS11 */
data = read_binary_file (keyfile, &size);
@@ -1449,10 +1457,12 @@ gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res,
size_t size;
char *data;
+#ifdef ENABLE_PKCS11
if (strncmp (cafile, "pkcs11:", 7) == 0)
{
return read_cas_url (res, cafile);
}
+#endif
data = read_binary_file (cafile, &size);
if (data == NULL)
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index c1b7981035..2610e76cfb 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -55,7 +55,7 @@ typedef struct gnutls_pkcs11_obj_st *gnutls_pkcs11_obj_t;
* load = /lib/yyy-pkcs11.so
*/
-int gnutls_pkcs11_init (unsigned int flags, const char *configfile);
+int gnutls_pkcs11_init (unsigned int flags, const char *deprecated_config_file);
void gnutls_pkcs11_deinit (void);
void gnutls_pkcs11_set_token_function (gnutls_pkcs11_token_callback_t fn,
void *userdata);
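Review bot: The parameter is renamed to `deprecated_config_file`, but the comment directly above the prototype still ends with the module configuration format (`load = /lib/yyy-pkcs11.so`), which reads as if the file were still honoured. The comment should say what now happens to a non-NULL argument and where modules are configured instead, for example `/* deprecated_config_file is kept for API compatibility; modules are registered through p11-kit */`, to be confirmed against pkcs11.c, which is not visible here. If the argument is indeed ignored, callers that used a private configuration file to restrict which modules get loaded need to be told that the restriction no longer applies.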
diff --git a/lib/pakchois/dlopen.c b/lib/pakchois/dlopen.c
deleted file mode 100644
index f74a45dabb..0000000000
--- a/lib/pakchois/dlopen.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2010
- * Free Software Foundation, Inc.
- *
- * Author: Nikos Mavrogiannopoulos
- *
- * This file is part of GnuTLS.
- *
- * The GnuTLS is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA
- *
- */
-
-#include "dlopen.h"
-
-#ifdef _WIN32
-
-#include <windows.h>
-
-void *
-dlopen (const char *filename, int flag)
-{
- return LoadLibrary (filename);
-}
-
-
-void *
-dlsym (void *handle, const char *symbol)
-{
- return GetProcAddress ((HINSTANCE) handle, symbol);
-}
-
-int
-dlclose (void *handle)
-{
- return !FreeLibrary ((HINSTANCE) handle);
-}
-
-#endif
diff --git a/lib/pakchois/dlopen.h b/lib/pakchois/dlopen.h
deleted file mode 100644
index 47362cb035..0000000000
--- a/lib/pakchois/dlopen.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef DLOPEN_H
-#define DLOPEN_H
-
-#include "config.h"
-
-#ifdef _WIN32
-
-#define RTLD_LOCAL 0
-#define RTLD_NOW 1
-
-void *dlopen (const char *filename, int flag);
-void *dlsym (void *handle, const char *symbol);
-int dlclose (void *handle);
-
-#else
-
-#include <dlfcn.h>
-
-#endif
-
-#endif
diff --git a/lib/pakchois/errors.c b/lib/pakchois/errors.c
deleted file mode 100644
index d223239d8f..0000000000
--- a/lib/pakchois/errors.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- pakchois PKCS#11 interface -- error mapping
- Copyright (C) 2008, Joe Orton <joe@manyfish.co.uk>
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the Free
- Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- MA 02111-1307, USA
-*/
-
-/*
- This code is directly derived from the scute.org PKCS#11 cryptoki
- interface, which is:
-
- Copyright 2006, 2007 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.
-*/
-
-#include "config.h"
-
-#include "pakchois.h"
-
-#ifdef ENABLE_NLS
-#include <libintl.h>
-#define _(x) dgettext(PACKAGE_NAME, x)
-#else
-#define _(x) x
-#endif
-
-const char *
-pakchois_error (ck_rv_t rv)
-{
- if (rv >= CKR_VENDOR_DEFINED)
- {
- return _("Vendor defined error");
- }
-
- switch (rv)
- {
- case CKR_OK:
- return _("OK");
- case CKR_CANCEL:
- return _("Cancel");
- case CKR_HOST_MEMORY:
- return _("Host memory");
- case CKR_SLOT_ID_INVALID:
- return _("Slot id invalid");
- case CKR_GENERAL_ERROR:
- return _("General error");
- case CKR_FUNCTION_FAILED:
- return _("Function failed");
- case CKR_ARGUMENTS_BAD:
- return _("Arguments bad");
- case CKR_NO_EVENT:
- return _("No event");
- case CKR_NEED_TO_CREATE_THREADS:
- return _("Need to create threads");
- case CKR_CANT_LOCK:
- return _("Can't lock");
- case CKR_ATTRIBUTE_READ_ONLY:
- return _("Attribute read only");
- case CKR_ATTRIBUTE_SENSITIVE:
- return _("Attribute sensitive");
- case CKR_ATTRIBUTE_TYPE_INVALID:
- return _("Attribute type invalid");
- case CKR_ATTRIBUTE_VALUE_INVALID:
- return _("Attribute value invalid");
- case CKR_DATA_INVALID:
- return _("Data invalid");
- case CKR_DATA_LEN_RANGE:
- return _("Data len range");
- case CKR_DEVICE_ERROR:
- return _("Device error");
- case CKR_DEVICE_MEMORY:
- return _("Device memory");
- case CKR_DEVICE_REMOVED:
- return _("Device removed");
- case CKR_ENCRYPTED_DATA_INVALID:
- return _("Encrypted data invalid");
- case CKR_ENCRYPTED_DATA_LEN_RANGE:
- return _("Encrypted data len range");
- case CKR_FUNCTION_CANCELED:
- return _("Function canceled");
- case CKR_FUNCTION_NOT_PARALLEL:
- return _("Function not parallel");
- case CKR_FUNCTION_NOT_SUPPORTED:
- return _("Function not supported");
- case CKR_KEY_HANDLE_INVALID:
- return _("Key handle invalid");
- case CKR_KEY_SIZE_RANGE:
- return _("Key size range");
- case CKR_KEY_TYPE_INCONSISTENT:
- return _("Key type inconsistent");
- case CKR_KEY_NOT_NEEDED:
- return _("Key not needed");
- case CKR_KEY_CHANGED:
- return _("Key changed");
- case CKR_KEY_NEEDED:
- return _("Key needed");
- case CKR_KEY_INDIGESTIBLE:
- return _("Key indigestible");
- case CKR_KEY_FUNCTION_NOT_PERMITTED:
- return _("Key function not permitted");
- case CKR_KEY_NOT_WRAPPABLE:
- return _("Key not wrappable");
- case CKR_KEY_UNEXTRACTABLE:
- return _("Key unextractable");
- case CKR_MECHANISM_INVALID:
- return _("Mechanism invalid");
- case CKR_MECHANISM_PARAM_INVALID:
- return _("Mechanism param invalid");
- case CKR_OBJECT_HANDLE_INVALID:
- return _("Object handle invalid");
- case CKR_OPERATION_ACTIVE:
- return _("Operation active");
- case CKR_OPERATION_NOT_INITIALIZED:
- return _("Operation not initialized");
- case CKR_PIN_INCORRECT:
- return _("PIN incorrect");
- case CKR_PIN_INVALID:
- return _("PIN invalid");
- case CKR_PIN_LEN_RANGE:
- return _("PIN len range");
- case CKR_PIN_EXPIRED:
- return _("PIN expired");
- case CKR_PIN_LOCKED:
- return _("PIN locked");
- case CKR_SESSION_CLOSED:
- return _("Session closed");
- case CKR_SESSION_COUNT:
- return _("Session count");
- case CKR_SESSION_HANDLE_INVALID:
- return _("Session handle invalid");
- case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
- return _("Session parallel not supported");
- case CKR_SESSION_READ_ONLY:
- return _("Session read only");
- case CKR_SESSION_EXISTS:
- return _("Session exists");
- case CKR_SESSION_READ_ONLY_EXISTS:
- return _("Session read only exists");
- case CKR_SESSION_READ_WRITE_SO_EXISTS:
- return _("Session read write so exists");
- case CKR_SIGNATURE_INVALID:
- return _("Signature invalid");
- case CKR_SIGNATURE_LEN_RANGE:
- return _("Signature length range");
- case CKR_TEMPLATE_INCOMPLETE:
- return _("Template incomplete");
- case CKR_TEMPLATE_INCONSISTENT:
- return _("Template inconsistent");
- case CKR_TOKEN_NOT_PRESENT:
- return _("Token not present");
- case CKR_TOKEN_NOT_RECOGNIZED:
- return _("Token not recognized");
- case CKR_TOKEN_WRITE_PROTECTED:
- return _("Token write protected");
- case CKR_UNWRAPPING_KEY_HANDLE_INVALID:
- return _("Unwrapping key handle invalid");
- case CKR_UNWRAPPING_KEY_SIZE_RANGE:
- return _("Unwrapping key size range");
- case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT:
- return _("Unwrapping key type inconsistent");
- case CKR_USER_ALREADY_LOGGED_IN:
- return _("User already logged in");
- case CKR_USER_NOT_LOGGED_IN:
- return _("User not logged in");
- case CKR_USER_PIN_NOT_INITIALIZED:
- return _("User PIN not initialized");
- case CKR_USER_TYPE_INVALID:
- return _("User type invalid");
- case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
- return _("Another user already logged in");
- case CKR_USER_TOO_MANY_TYPES:
- return _("User too many types");
- case CKR_WRAPPED_KEY_INVALID:
- return _("Wrapped key invalid");
- case CKR_WRAPPED_KEY_LEN_RANGE:
- return _("Wrapped key length range");
- case CKR_WRAPPING_KEY_HANDLE_INVALID:
- return _("Wrapping key handle invalid");
- case CKR_WRAPPING_KEY_SIZE_RANGE:
- return _("Wrapping key size range");
- case CKR_WRAPPING_KEY_TYPE_INCONSISTENT:
- return _("Wrapping key type inconsistent");
- case CKR_RANDOM_SEED_NOT_SUPPORTED:
- return _("Random seed not supported");
- case CKR_RANDOM_NO_RNG:
- return _("Random no rng");
- case CKR_DOMAIN_PARAMS_INVALID:
- return _("Domain params invalid");
- case CKR_BUFFER_TOO_SMALL:
- return _("Buffer too small");
- case CKR_SAVED_STATE_INVALID:
- return _("Saved state invalid");
- case CKR_INFORMATION_SENSITIVE:
- return _("Information sensitive");
- case CKR_STATE_UNSAVEABLE:
- return _("State unsaveable");
- case CKR_CRYPTOKI_NOT_INITIALIZED:
- return _("Cryptoki not initialized");
- case CKR_CRYPTOKI_ALREADY_INITIALIZED:
- return _("Cryptoki already initialized");
- case CKR_MUTEX_BAD:
- return _("Mutex bad");
- case CKR_MUTEX_NOT_LOCKED:
- return _("Mutex not locked");
- case CKR_FUNCTION_REJECTED:
- return _("Function rejected");
- default:
- break;
- }
-
- return _("Unknown error");
-}
diff --git a/lib/pakchois/pakchois.c b/lib/pakchois/pakchois.c
deleted file mode 100644
index decd752c07..0000000000
--- a/lib/pakchois/pakchois.c
+++ /dev/null
@@ -1,1242 +0,0 @@
-/*
- pakchois PKCS#11 interface
- Copyright (C) 2008, Joe Orton <joe@manyfish.co.uk>
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the Free
- Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- MA 02111-1307, USA
-*/
-
-/*
- The interface is directly derived from the scute.org PKCS#11
- cryptoki interface, which is:
-
- Copyright 2006, 2007 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.
-*/
-
-#include "config.h"
-
-#include <limits.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include "../locks.h"
-#include "../system.h"
-#include "dlopen.h"
-
-#ifdef HAVE_WORDEXP
-#include <wordexp.h>
-#endif
-#include "pakchois.h"
-
-struct provider
-{
- dev_t dev;
- ino_t ino;
- char *name;
- void *handle;
- void *mutex;
- const struct ck_function_list *fns;
- unsigned int refcount;
- unsigned int finalize:1; /* whether to finalize this one */
- struct provider *next, **prevref;
- void *reserved;
-};
-
-struct pakchois_module_s
-{
- struct slot *slots;
- struct provider *provider;
-};
-
-static void *provider_mutex = NULL;
-
-/* List of loaded providers; any modification to the list or any
- * individual module must performed whilst holding this mutex. */
-static struct provider *provider_list;
-
-struct pakchois_session_s
-{
- pakchois_module_t *module;
- ck_session_handle_t id;
- pakchois_notify_t notify;
- void *notify_data;
- /* Doubly-linked list. Either prevref = &previous->next or else
- * prevref = &slot->sessions for the list head. */
- pakchois_session_t **prevref;
- pakchois_session_t *next;
-};
-
-struct slot
-{
- ck_slot_id_t id;
- pakchois_session_t *sessions;
- struct slot *next;
-};
-
-#define DIR_DELIMITER '/'
-
-static char *
-pkcs11ize (const char *name)
-{
- int len;
- char *oname;
- char *base;
- char *suffix;
-
- oname = strdup (name);
- if (oname == NULL)
- {
- return NULL;
- }
-
- /* basename has too many ifs to use */
- base = strrchr (oname, DIR_DELIMITER);
- if (base == NULL)
- {
- base = oname;
- }
- else
- {
- base++;
- }
-
- suffix = strchr (base, '.');
- if (suffix != NULL)
- {
- if (strncmp (suffix, ".so", 3) == 0)
- {
- suffix[0] = 0; /* null terminate before . */
- }
- }
-
- /* check and remove for -p11 or -pkcs11 */
- suffix = base;
- while ((suffix = strchr (suffix, '-')) != NULL)
- {
- if (strncasecmp (suffix, "-p11", 4) == 0 ||
- strncasecmp (suffix, "-pkcs11", 7) == 0)
- {
- suffix[0] = 0;
- break;
- }
- suffix++;
- }
-
- len = strlen (base);
-
- memmove (oname, base, len);
- oname[len] = 0;
-
- return oname;
-}
-
-static const char *suffix_prefixes[][2] = {
- {"lib", "pk11.so"},
- {"", "-pkcs11.so"},
- {"", ".so"},
- {"lib", ".so"},
- {NULL, NULL}
-};
-
-#define CALL(name, args) (mod->provider->fns->C_ ## name) args
-#define CALLS(name, args) (sess->module->provider->fns->C_ ## name) args
-#define CALLS1(n, a) CALLS(n, (sess->id, a))
-#define CALLS2(n, a, b) CALLS(n, (sess->id, a, b))
-#define CALLS3(n, a, b, c) CALLS(n, (sess->id, a, b, c))
-#define CALLS4(n, a, b, c, d) CALLS(n, (sess->id, a, b, c, d))
-#define CALLS5(n, a, b, c, d, e) CALLS(n, (sess->id, a, b, c, d, e))
-#define CALLS7(n, a, b, c, d, e, f, g) CALLS(n, (sess->id, a, b, c, d, e, f, g))
-
-#ifndef PAKCHOIS_MODPATH
-#define PAKCHOIS_MODPATH "/lib:/usr/lib"
-#endif
-
-/* Returns an allocated name of the real module as well
- * as it's inode and device numbers.
- */
-static char *
-find_pkcs11_module_name (const char *hint, dev_t * dev, ino_t * ino)
-{
- char module_path[] = PAKCHOIS_MODPATH;
- char *next = module_path;
- struct stat st;
-
- while (next)
- {
- char *dir = next, *sep = strchr (next, ':');
- unsigned i;
-
- if (sep)
- {
- *sep++ = '\0';
- next = sep;
- }
- else
- {
- next = NULL;
- }
-
- for (i = 0; suffix_prefixes[i][0]; i++)
- {
- char path[PATH_MAX];
-
- snprintf (path, sizeof path, "%s/%s%s%s", dir,
- suffix_prefixes[i][0], hint, suffix_prefixes[i][1]);
-
- if (stat (path, &st) < 0)
- continue;
-
- *dev = st.st_dev;
- *ino = st.st_ino;
-
- return strdup (path);
- }
- }
-
- return NULL;
-}
-
-/* Expands the given filename and returns an allocated
- * string, if the expanded file exists. In that case
- * dev and ino are filled in as well.
- */
-static char *
-find_real_module_name (const char *name, dev_t * dev, ino_t * ino)
-{
- char *exname = NULL;
- struct stat st;
-#ifdef HAVE_WORDEXP
- int len;
- wordexp_t we;
-
- len = wordexp (name, &we, 0);
- if (len == 0)
- { /* success */
- if (we.we_wordc > 0)
- { /* we care about the 1st */
- exname = strdup (we.we_wordv[0]);
- }
- wordfree (&we);
- }
-#endif
-
- if (exname == NULL)
- exname = strdup (name);
-
- /* find file information */
- if (exname != NULL)
- {
- if (stat (exname, &st) >= 0)
- {
- *dev = st.st_dev;
- *ino = st.st_ino;
- }
- else
- {
- free (exname);
- return NULL;
- }
- }
-
- return exname;
-}
-
-static struct provider *
-find_provider (dev_t dev, ino_t ino)
-{
- struct provider *p;
-
- for (p = provider_list; p; p = p->next)
- {
- if (dev == p->dev && ino == p->ino)
- {
- return p;
- }
- }
-
- return NULL;
-}
-
-/* The provider list must be locked when calling it
- */
-static ck_rv_t
-load_pkcs11_module (struct provider **provider,
- const char *name, dev_t dev, ino_t ino, void *reserved)
-{
- struct provider *prov;
- CK_C_GetFunctionList gfl;
- struct ck_c_initialize_args args;
- struct ck_function_list *fns;
- void *h;
- ck_rv_t rv;
-
- /* try the plain name first */
- h = dlopen (name, RTLD_LOCAL | RTLD_NOW);
- if (h == NULL)
- {
- return CKR_GENERAL_ERROR;
- }
-
- gfl = dlsym (h, "C_GetFunctionList");
- if (!gfl)
- {
- rv = CKR_GENERAL_ERROR;
- goto fail_dso;
- }
-
- prov = malloc (sizeof *prov);
- if (prov == NULL)
- {
- rv = CKR_HOST_MEMORY;
- goto fail_dso;
- }
-
- if (gnutls_mutex_init (&prov->mutex))
- {
- rv = CKR_CANT_LOCK;
- goto fail_ctx;
- }
-
- rv = gfl (&fns);
- if (rv != CKR_OK)
- {
- goto fail_ctx;
- }
-
- prov->dev = dev;
- prov->ino = ino;
- prov->name = pkcs11ize (name);
- prov->handle = h;
- prov->fns = fns;
- prov->refcount = 1;
- prov->reserved = reserved;
-
- /* Require OS locking, the only sane option. */
- memset (&args, 0, sizeof args);
- args.flags = CKF_OS_LOCKING_OK;
- args.reserved = reserved;
-
- rv = fns->C_Initialize (&args);
- if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)
- {
- goto fail_ctx;
- }
-
- /* no need to finalize if someone else has
- * initialized the library before us.
- */
- if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED)
- prov->finalize = 0;
- else
- prov->finalize = 1;
-
- prov->next = provider_list;
- prov->prevref = &provider_list;
- if (prov->next)
- {
- prov->next->prevref = &prov->next;
- }
- provider_list = prov;
-
- *provider = prov;
- return CKR_OK;
-
-fail_ctx:
- free (prov);
-fail_dso:
- dlclose (h);
-
- return rv;
-}
-
-/* Will load a provider using the given name. If real_name is zero
- * name is used as a hint to find library otherwise it is used as
- * absolute name.
- */
-static ck_rv_t
-load_provider (struct provider **provider, const char *name,
- void *reserved, int real_name)
-{
- ck_rv_t rv;
- char *cname = NULL;
- dev_t dev;
- ino_t ino;
-
- if (gnutls_mutex_lock (&provider_mutex) != 0)
- {
- return CKR_CANT_LOCK;
- }
-
- if (real_name)
- {
- cname = find_real_module_name (name, &dev, &ino);
- }
- else
- {
- cname = find_pkcs11_module_name (name, &dev, &ino);
- }
-
- if (cname == NULL)
- {
- rv = CKR_ARGUMENTS_BAD;
- goto fail_locked;
- }
-
- *provider = find_provider (dev, ino);
- if (*provider)
- {
- (*provider)->refcount++;
- free (cname);
- gnutls_mutex_unlock (&provider_mutex);
- return CKR_OK;
- }
-
- rv = load_pkcs11_module (provider, cname, dev, ino, reserved);
- if (rv != CKR_OK)
- {
- goto fail_ndup;
- }
-
- rv = CKR_OK;
-
-fail_ndup:
- free (cname);
-fail_locked:
- gnutls_mutex_unlock (&provider_mutex);
- return rv;
-}
-
-static void
-providers_reinit (void)
-{
- struct ck_c_initialize_args args;
- ck_rv_t rv;
- struct provider *p;
-
- assert (gnutls_mutex_lock (&provider_mutex) == 0);
-
- memset (&args, 0, sizeof args);
- args.flags = CKF_OS_LOCKING_OK;
-
- for (p = provider_list; p; p = p->next)
- {
- args.reserved = p->reserved;
- rv = p->fns->C_Initialize (&args);
- assert (rv == CKR_OK); /* what can we do? */
- }
-
- gnutls_mutex_unlock (&provider_mutex);
-}
-
-static ck_rv_t
-load_module (pakchois_module_t ** module, const char *name,
- void *reserved, unsigned int real_name)
-{
- ck_rv_t rv;
- pakchois_module_t *pm = malloc (sizeof *pm);
- static int forkinit = 0;
-
- if (!pm)
- {
- return CKR_HOST_MEMORY;
- }
-
- if (provider_mutex == NULL)
- {
- gnutls_mutex_init (&provider_mutex);
- }
-
- assert (gnutls_mutex_lock (&provider_mutex) == 0);
-
- if (forkinit == 0)
- {
- _gnutls_atfork (NULL, NULL, providers_reinit);
- forkinit++;
- }
-
- gnutls_mutex_unlock (&provider_mutex);
-
- rv = load_provider (&pm->provider, name, reserved, real_name);
- if (rv)
- {
- return rv;
- }
-
- *module = pm;
- pm->slots = NULL;
-
- return CKR_OK;
-}
-
-ck_rv_t
-pakchois_module_load (pakchois_module_t ** module, const char *name)
-{
- return load_module (module, name, NULL, 0);
-}
-
-ck_rv_t
-pakchois_module_load_abs (pakchois_module_t ** module, const char *name)
-{
- return load_module (module, name, NULL, 1);
-}
-
-ck_rv_t
-pakchois_module_nssload (pakchois_module_t ** module,
- const char *name,
- const char *directory,
- const char *cert_prefix,
- const char *key_prefix, const char *secmod_db)
-{
- char buf[256];
-
- snprintf (buf, sizeof buf,
- "configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s'",
- directory, cert_prefix ? cert_prefix : "",
- key_prefix ? key_prefix : "",
- secmod_db ? secmod_db : "secmod.db");
-
- return load_module (module, name, buf, 0);
-}
-
-ck_rv_t
-pakchois_module_nssload_abs (pakchois_module_t ** module,
- const char *name,
- const char *directory,
- const char *cert_prefix,
- const char *key_prefix, const char *secmod_db)
-{
- char buf[256];
-
- snprintf (buf, sizeof buf,
- "configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s'",
- directory, cert_prefix ? cert_prefix : "",
- key_prefix ? key_prefix : "",
- secmod_db ? secmod_db : "secmod.db");
-
- return load_module (module, name, buf, 1);
-}
-
-/* Unreference a provider structure and destoy if, if necessary. Must
- * be called WIHTOUT the provider mutex held. */
-static void
-provider_unref (struct provider *prov)
-{
- assert (gnutls_mutex_lock (&provider_mutex) == 0);
-
- if (--prov->refcount == 0)
- {
- if (prov->finalize)
- prov->fns->C_Finalize (NULL);
- dlclose (prov->handle);
- *prov->prevref = prov->next;
- if (prov->next)
- {
- prov->next->prevref = prov->prevref;
- }
- free (prov->name);
- free (prov);
- }
- gnutls_mutex_unlock (&provider_mutex);
-}
-
-void
-pakchois_module_destroy (pakchois_module_t * mod)
-{
- provider_unref (mod->provider);
-
- while (mod->slots)
- {
- struct slot *slot = mod->slots;
- pakchois_close_all_sessions (mod, slot->id);
- mod->slots = slot->next;
- free (slot);
- }
-
- free (mod);
-}
-
-void pakchois_destructor (void)
-{
- if (provider_mutex != NULL)
- {
- gnutls_mutex_deinit (&provider_mutex);
- provider_mutex = NULL;
- }
-}
-
-ck_rv_t
-pakchois_get_info (pakchois_module_t * mod, struct ck_info *info)
-{
- return CALL (GetInfo, (info));
-}
-
-ck_rv_t
-pakchois_get_slot_list (pakchois_module_t * mod,
- unsigned char token_present,
- ck_slot_id_t * slot_list, unsigned long *count)
-{
- return CALL (GetSlotList, (token_present, slot_list, count));
-}
-
-ck_rv_t
-pakchois_get_slot_info (pakchois_module_t * mod,
- ck_slot_id_t slot_id, struct ck_slot_info * info)
-{
- return CALL (GetSlotInfo, (slot_id, info));
-}
-
-ck_rv_t
-pakchois_get_token_info (pakchois_module_t * mod,
- ck_slot_id_t slot_id, struct ck_token_info * info)
-{
- return CALL (GetTokenInfo, (slot_id, info));
-}
-
-ck_rv_t
-pakchois_wait_for_slot_event (pakchois_module_t * mod,
- ck_flags_t flags, ck_slot_id_t * slot,
- void *reserved)
-{
- ck_rv_t rv;
-
- if (gnutls_mutex_lock (&mod->provider->mutex))
- {
- return CKR_CANT_LOCK;
- }
-
- rv = CALL (WaitForSlotEvent, (flags, slot, reserved));
- gnutls_mutex_unlock (&mod->provider->mutex);
- return rv;
-}
-
-ck_rv_t
-pakchois_get_mechanism_list (pakchois_module_t * mod,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t * mechanism_list,
- unsigned long *count)
-{
- return CALL (GetMechanismList, (slot_id, mechanism_list, count));
-}
-
-ck_rv_t
-pakchois_get_mechanism_info (pakchois_module_t * mod,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t type,
- struct ck_mechanism_info * info)
-{
- return CALL (GetMechanismInfo, (slot_id, type, info));
-}
-
-ck_rv_t
-pakchois_init_token (pakchois_module_t * mod,
- ck_slot_id_t slot_id, unsigned char *pin,
- unsigned long pin_len, unsigned char *label)
-{
- return CALL (InitToken, (slot_id, pin, pin_len, label));
-}
-
-ck_rv_t
-pakchois_init_pin (pakchois_session_t * sess, unsigned char *pin,
- unsigned long pin_len)
-{
- return CALLS2 (InitPIN, pin, pin_len);
-}
-
-ck_rv_t
-pakchois_set_pin (pakchois_session_t * sess, unsigned char *old_pin,
- unsigned long old_len, unsigned char *new_pin,
- unsigned long new_len)
-{
- return CALLS4 (SetPIN, old_pin, old_len, new_pin, new_len);
-}
-
-static ck_rv_t
-notify_thunk (ck_session_handle_t session,
- ck_notification_t event, void *application)
-{
- pakchois_session_t *sess = application;
-
- return sess->notify (sess, event, sess->notify_data);
-}
-
-static struct slot *
-find_slot (pakchois_module_t * mod, ck_slot_id_t id)
-{
- struct slot *slot;
-
- for (slot = mod->slots; slot; slot = slot->next)
- if (slot->id == id)
- return slot;
-
- return NULL;
-}
-
-static struct slot *
-find_or_create_slot (pakchois_module_t * mod, ck_slot_id_t id)
-{
- struct slot *slot = find_slot (mod, id);
-
- if (slot)
- {
- return slot;
- }
-
- slot = malloc (sizeof *slot);
- if (!slot)
- {
- return NULL;
- }
-
- slot->id = id;
- slot->sessions = NULL;
- slot->next = mod->slots;
- mod->slots = slot;
-
- return slot;
-}
-
-static ck_rv_t
-insert_session (pakchois_module_t * mod,
- pakchois_session_t * session, ck_slot_id_t id)
-{
- struct slot *slot = find_or_create_slot (mod, id);
-
- if (!slot)
- {
- return CKR_HOST_MEMORY;
- }
-
- session->prevref = &slot->sessions;
- session->next = slot->sessions;
- if (session->next)
- {
- session->next->prevref = session->prevref;
- }
- slot->sessions = session;
-
- return CKR_OK;
-}
-
-ck_rv_t
-pakchois_open_session (pakchois_module_t * mod,
- ck_slot_id_t slot_id, ck_flags_t flags,
- void *application, pakchois_notify_t notify,
- pakchois_session_t ** session)
-{
- ck_session_handle_t sh;
- pakchois_session_t *sess;
- ck_rv_t rv;
-
- sess = calloc (1, sizeof *sess);
- if (sess == NULL)
- {
- return CKR_HOST_MEMORY;
- }
-
- rv = CALL (OpenSession, (slot_id, flags, sess, notify_thunk, &sh));
- if (rv != CKR_OK)
- {
- free (sess);
- return rv;
- }
-
- *session = sess;
- sess->module = mod;
- sess->id = sh;
-
- return insert_session (mod, sess, slot_id);
-}
-
-ck_rv_t
-pakchois_close_session (pakchois_session_t * sess)
-{
- /* PKCS#11 says that all bets are off on failure, so destroy the
- * session object and just return the error code. */
- ck_rv_t rv = CALLS (CloseSession, (sess->id));
- *sess->prevref = sess->next;
- if (sess->next)
- {
- sess->next->prevref = sess->prevref;
- }
- free (sess);
- return rv;
-}
-
-ck_rv_t
-pakchois_close_all_sessions (pakchois_module_t * mod, ck_slot_id_t slot_id)
-{
- struct slot *slot;
- ck_rv_t rv, frv = CKR_OK;
-
- slot = find_slot (mod, slot_id);
-
- if (!slot)
- {
- return CKR_SLOT_ID_INVALID;
- }
-
- while (slot->sessions)
- {
- rv = pakchois_close_session (slot->sessions);
- if (rv != CKR_OK)
- {
- frv = rv;
- }
- slot = slot->next;
- }
-
- return frv;
-}
-
-ck_rv_t
-pakchois_get_session_info (pakchois_session_t * sess,
- struct ck_session_info * info)
-{
- return CALLS1 (GetSessionInfo, info);
-}
-
-ck_rv_t
-pakchois_get_operation_state (pakchois_session_t * sess,
- unsigned char *operation_state,
- unsigned long *operation_state_len)
-{
- return CALLS2 (GetOperationState, operation_state, operation_state_len);
-}
-
-ck_rv_t
-pakchois_set_operation_state (pakchois_session_t * sess,
- unsigned char *operation_state,
- unsigned long operation_state_len,
- ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key)
-{
- return CALLS4 (SetOperationState, operation_state,
- operation_state_len, encryption_key, authentiation_key);
-}
-
-ck_rv_t
-pakchois_login (pakchois_session_t * sess, ck_user_type_t user_type,
- unsigned char *pin, unsigned long pin_len)
-{
- return CALLS3 (Login, user_type, pin, pin_len);
-}
-
-ck_rv_t
-pakchois_logout (pakchois_session_t * sess)
-{
- return CALLS (Logout, (sess->id));
-}
-
-ck_rv_t
-pakchois_create_object (pakchois_session_t * sess,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * object)
-{
- return CALLS3 (CreateObject, templ, count, object);
-}
-
-ck_rv_t
-pakchois_copy_object (pakchois_session_t * sess,
- ck_object_handle_t object,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * new_object)
-{
- return CALLS4 (CopyObject, object, templ, count, new_object);
-}
-
-ck_rv_t
-pakchois_destroy_object (pakchois_session_t * sess, ck_object_handle_t object)
-{
- return CALLS1 (DestroyObject, object);
-}
-
-ck_rv_t
-pakchois_get_object_size (pakchois_session_t * sess,
- ck_object_handle_t object, unsigned long *size)
-{
- return CALLS2 (GetObjectSize, object, size);
-}
-
-ck_rv_t
-pakchois_get_attribute_value (pakchois_session_t * sess,
- ck_object_handle_t object,
- struct ck_attribute * templ,
- unsigned long count)
-{
- return CALLS3 (GetAttributeValue, object, templ, count);
-}
-
-ck_rv_t
-pakchois_set_attribute_value (pakchois_session_t * sess,
- ck_object_handle_t object,
- struct ck_attribute * templ,
- unsigned long count)
-{
- return CALLS3 (SetAttributeValue, object, templ, count);
-}
-
-ck_rv_t
-pakchois_find_objects_init (pakchois_session_t * sess,
- struct ck_attribute * templ, unsigned long count)
-{
- return CALLS2 (FindObjectsInit, templ, count);
-}
-
-ck_rv_t
-pakchois_find_objects (pakchois_session_t * sess,
- ck_object_handle_t * object,
- unsigned long max_object_count,
- unsigned long *object_count)
-{
- return CALLS3 (FindObjects, object, max_object_count, object_count);
-}
-
-ck_rv_t
-pakchois_find_objects_final (pakchois_session_t * sess)
-{
- return CALLS (FindObjectsFinal, (sess->id));
-}
-
-ck_rv_t
-pakchois_encrypt_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (EncryptInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_encrypt (pakchois_session_t * sess,
- unsigned char *data, unsigned long data_len,
- unsigned char *encrypted_data,
- unsigned long *encrypted_data_len)
-{
- return CALLS4 (Encrypt, data, data_len, encrypted_data, encrypted_data_len);
-}
-
-ck_rv_t
-pakchois_encrypt_update (pakchois_session_t * sess,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len)
-{
- return CALLS4 (EncryptUpdate, part, part_len,
- encrypted_part, encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_encrypt_final (pakchois_session_t * sess,
- unsigned char *last_encrypted_part,
- unsigned long *last_encrypted_part_len)
-{
- return CALLS2 (EncryptFinal, last_encrypted_part, last_encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (DecryptInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_decrypt (pakchois_session_t * sess,
- unsigned char *encrypted_data,
- unsigned long encrypted_data_len,
- unsigned char *data, unsigned long *data_len)
-{
- return CALLS4 (Decrypt, encrypted_data, encrypted_data_len, data, data_len);
-}
-
-ck_rv_t
-pakchois_decrypt_update (pakchois_session_t * sess,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len)
-{
- return CALLS4 (DecryptUpdate, encrypted_part, encrypted_part_len,
- part, part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_final (pakchois_session_t * sess,
- unsigned char *last_part,
- unsigned long *last_part_len)
-{
- return CALLS2 (DecryptFinal, last_part, last_part_len);
-}
-
-ck_rv_t
-pakchois_digest_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism)
-{
- return CALLS1 (DigestInit, mechanism);
-}
-
-ck_rv_t
-pakchois_digest (pakchois_session_t * sess, unsigned char *data,
- unsigned long data_len, unsigned char *digest,
- unsigned long *digest_len)
-{
- return CALLS4 (Digest, data, data_len, digest, digest_len);
-}
-
-ck_rv_t
-pakchois_digest_update (pakchois_session_t * sess,
- unsigned char *part, unsigned long part_len)
-{
- return CALLS2 (DigestUpdate, part, part_len);
-}
-
-ck_rv_t
-pakchois_digest_key (pakchois_session_t * sess, ck_object_handle_t key)
-{
- return CALLS1 (DigestKey, key);
-}
-
-ck_rv_t
-pakchois_digest_final (pakchois_session_t * sess,
- unsigned char *digest, unsigned long *digest_len)
-{
- return CALLS2 (DigestFinal, digest, digest_len);
-}
-
-ck_rv_t
-pakchois_sign_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism, ck_object_handle_t key)
-{
- return CALLS2 (SignInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_sign (pakchois_session_t * sess, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long *signature_len)
-{
- return CALLS4 (Sign, data, data_len, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_sign_update (pakchois_session_t * sess,
- unsigned char *part, unsigned long part_len)
-{
- return CALLS2 (SignUpdate, part, part_len);
-}
-
-ck_rv_t
-pakchois_sign_final (pakchois_session_t * sess,
- unsigned char *signature, unsigned long *signature_len)
-{
- return CALLS2 (SignFinal, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_sign_recover_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (SignRecoverInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_sign_recover (pakchois_session_t * sess,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature, unsigned long *signature_len)
-{
- return CALLS4 (SignRecover, data, data_len, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_verify_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism, ck_object_handle_t key)
-{
- return CALLS2 (VerifyInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_verify (pakchois_session_t * sess, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long signature_len)
-{
- return CALLS4 (Verify, data, data_len, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_verify_update (pakchois_session_t * sess,
- unsigned char *part, unsigned long part_len)
-{
- return CALLS2 (VerifyUpdate, part, part_len);
-}
-
-ck_rv_t
-pakchois_verify_final (pakchois_session_t * sess,
- unsigned char *signature, unsigned long signature_len)
-{
- return CALLS2 (VerifyFinal, signature, signature_len);
-}
-
-ck_rv_t
-pakchois_verify_recover_init (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key)
-{
- return CALLS2 (VerifyRecoverInit, mechanism, key);
-}
-
-ck_rv_t
-pakchois_verify_recover (pakchois_session_t * sess,
- unsigned char *signature,
- unsigned long signature_len,
- unsigned char *data, unsigned long *data_len)
-{
- return CALLS4 (VerifyRecover, signature, signature_len, data, data_len);
-}
-
-ck_rv_t
-pakchois_digest_encrypt_update (pakchois_session_t * sess,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len)
-{
- return CALLS4 (DigestEncryptUpdate, part, part_len,
- encrypted_part, encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_digest_update (pakchois_session_t * sess,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len)
-{
- return CALLS4 (DecryptDigestUpdate, encrypted_part,
- encrypted_part_len, part, part_len);
-}
-
-ck_rv_t
-pakchois_sign_encrypt_update (pakchois_session_t * sess,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len)
-{
- return CALLS4 (SignEncryptUpdate, part, part_len,
- encrypted_part, encrypted_part_len);
-}
-
-ck_rv_t
-pakchois_decrypt_verify_update (pakchois_session_t * sess,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len)
-{
- return CALLS4 (DecryptVerifyUpdate, encrypted_part,
- encrypted_part_len, part, part_len);
-}
-
-ck_rv_t
-pakchois_generate_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * key)
-{
- return CALLS4 (GenerateKey, mechanism, templ, count, key);
-}
-
-ck_rv_t
-pakchois_generate_key_pair (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- struct ck_attribute *
- public_key_template,
- unsigned long
- public_key_attribute_count,
- struct ck_attribute *
- private_key_template,
- unsigned long
- private_key_attribute_count,
- ck_object_handle_t * public_key,
- ck_object_handle_t * private_key)
-{
- return CALLS7 (GenerateKeyPair, mechanism,
- public_key_template, public_key_attribute_count,
- private_key_template, private_key_attribute_count,
- public_key, private_key);
-}
-
-ck_rv_t
-pakchois_wrap_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t wrapping_key,
- ck_object_handle_t key,
- unsigned char *wrapped_key, unsigned long *wrapped_key_len)
-{
- return CALLS5 (WrapKey, mechanism, wrapping_key,
- key, wrapped_key, wrapped_key_len);
-}
-
-ck_rv_t
-pakchois_unwrap_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t unwrapping_key,
- unsigned char *wrapped_key,
- unsigned long wrapped_key_len,
- struct ck_attribute * templ,
- unsigned long attribute_count, ck_object_handle_t * key)
-{
- return CALLS7 (UnwrapKey, mechanism, unwrapping_key,
- wrapped_key, wrapped_key_len, templ, attribute_count, key);
-}
-
-ck_rv_t
-pakchois_derive_key (pakchois_session_t * sess,
- struct ck_mechanism * mechanism,
- ck_object_handle_t base_key,
- struct ck_attribute * templ,
- unsigned long attribute_count, ck_object_handle_t * key)
-{
- return CALLS5 (DeriveKey, mechanism, base_key, templ, attribute_count, key);
-}
-
-
-ck_rv_t
-pakchois_seed_random (pakchois_session_t * sess,
- unsigned char *seed, unsigned long seed_len)
-{
- return CALLS2 (SeedRandom, seed, seed_len);
-}
-
-ck_rv_t
-pakchois_generate_random (pakchois_session_t * sess,
- unsigned char *random_data,
- unsigned long random_len)
-{
- return CALLS2 (GenerateRandom, random_data, random_len);
-}
diff --git a/lib/pakchois/pakchois.h b/lib/pakchois/pakchois.h
deleted file mode 100644
index 16558ef034..0000000000
--- a/lib/pakchois/pakchois.h
+++ /dev/null
@@ -1,380 +0,0 @@
-/*
- pakchois PKCS#11 interface
- Copyright (C) 2008, Joe Orton <joe@manyfish.co.uk>
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the Free
- Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- MA 02111-1307, USA
-
-*/
-
-/*
- This interface is directly derived from the scute.org PKCS#11
- cryptoki interface, which is:
-
- Copyright 2006, 2007 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.
-*/
-
-#ifndef PAKCHOIS_H
-#define PAKCHOIS_H
-
-#define CRYPTOKI_GNU
-
-#include "pakchois11.h"
-
-/* API version: major is bumped for any backwards-incompatible
- * changes. minor is bumped for any new interfaces. Note that the API
- * is versioned independent of the project release version. */
-#define PAKCHOIS_API_MAJOR (0)
-#define PAKCHOIS_API_MINOR (2)
-
-/* API version history (note that API versions do not map directly to
- the project version!):
-
- 0.1: Initial release
- 0.2: Addition of pakchois_error()
- Concurrent access guarantee added for pakchois_module_load()
- Thread-safety guarantee added for pakchois_wait_for_slot_event()
-*/
-
-typedef struct pakchois_module_s pakchois_module_t;
-typedef struct pakchois_session_s pakchois_session_t;
-
-/* Load a PKCS#11 module by name (for example "opensc" or
- * "gnome-keyring"). Returns CKR_OK on success. Any module of given
- * name may be safely loaded multiple times within an application; the
- * underlying PKCS#11 provider will be loaded only once. */
-ck_rv_t pakchois_module_load (pakchois_module_t ** module, const char *name);
-
-/* Load a PKCS#11 module by absolute file name (for example "/lib/opensc-pkcs.so"
- * Returns CKR_OK on success. Any module of given name may be safely loaded
- * multiple times within an application; the underlying PKCS#11 provider will
- * be loaded only once. */
-ck_rv_t pakchois_module_load_abs (pakchois_module_t ** module,
- const char *name);
-
-/* Load an NSS "softokn" which violates the PKCS#11 standard in
- * initialization, with given name (e.g. "softokn3"). The directory
- * in which the NSS database resides must be specified; the other
- * arguments may be NULL to use defaults. Returns CKR_OK on
- * success. */
-ck_rv_t pakchois_module_nssload (pakchois_module_t ** module,
- const char *name,
- const char *directory,
- const char *cert_prefix,
- const char *key_prefix,
- const char *secmod_db);
-
-ck_rv_t pakchois_module_nssload_abs (pakchois_module_t ** module,
- const char *name,
- const char *directory,
- const char *cert_prefix,
- const char *key_prefix,
- const char *secmod_db);
-
-/* Destroy a PKCS#11 module. */
-void pakchois_module_destroy (pakchois_module_t * module);
-
-void pakchois_destructor (void);
-
-/* Return the error string corresponding to the given return value.
- * Never returns NULL. */
-const char *pakchois_error (ck_rv_t rv);
-
-/* All following interfaces model the PKCS#11 equivalents, without the
- camel-cased naming convention. The PKCS#11 specification has
- detailed interface descriptions:
-
- http://www.rsa.com/rsalabs/node.asp?id=2133
-
- The differences between this interface and PKCS#11 are:
-
- 1. some interfaces take a module pointer as first argument
-
- 2. session handlers are represented as opaque objects
-
- 3. the notify callback type has changed accordingly
-
- 4. the C_Initialize, C_Finalize, and C_GetFunctionList interfaces
- are not exposed (these are called internally by
- pakchois_module_load and pakchois_module_destroy)
-
- 5. pakchois_wait_for_slot_event() is thread-safe against other
- callers of pakchois_wait_for_slot_event(); the call to the
- underlying provider's WaitForSlotEvent function is protected by a
- mutex.
-
- 6. pakchois_close_all_sessions() only closes sessions associated
- with the given module instance; any sessions opened by other users
- of the underlying provider are unaffected.
-
- If a module object is used concurrently from separate threads,
- undefined behaviour results. If a session object is used
- concurrently from separate threads, undefined behavioure results.
-
-*/
-ck_rv_t pakchois_get_info (pakchois_module_t * module, struct ck_info *info);
-
-ck_rv_t pakchois_get_slot_list (pakchois_module_t * module,
- unsigned char token_present,
- ck_slot_id_t * slot_list,
- unsigned long *count);
-
-ck_rv_t pakchois_get_slot_info (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- struct ck_slot_info *info);
-
-ck_rv_t pakchois_get_token_info (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- struct ck_token_info *info);
-
-ck_rv_t pakchois_wait_for_slot_event (pakchois_module_t * module,
- ck_flags_t flags, ck_slot_id_t * slot,
- void *reserved);
-
-ck_rv_t pakchois_get_mechanism_list (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t * mechanism_list,
- unsigned long *count);
-
-ck_rv_t pakchois_get_mechanism_info (pakchois_module_t * module,
- ck_slot_id_t slot_id,
- ck_mechanism_type_t type,
- struct ck_mechanism_info *info);
-
-ck_rv_t pakchois_init_token (pakchois_module_t * module,
- ck_slot_id_t slot_id, unsigned char *pin,
- unsigned long pin_len, unsigned char *label);
-
-ck_rv_t pakchois_init_pin (pakchois_session_t * session, unsigned char *pin,
- unsigned long pin_len);
-
-ck_rv_t pakchois_set_pin (pakchois_session_t * session,
- unsigned char *old_pin, unsigned long old_len,
- unsigned char *new_pin, unsigned long new_len);
-
-typedef ck_rv_t (*pakchois_notify_t) (pakchois_session_t * sess,
- ck_notification_t event,
- void *application);
-
-ck_rv_t pakchois_open_session (pakchois_module_t * module,
- ck_slot_id_t slot_id, ck_flags_t flags,
- void *application, pakchois_notify_t notify,
- pakchois_session_t ** session);
-
-ck_rv_t pakchois_close_session (pakchois_session_t * session);
-
-ck_rv_t pakchois_close_all_sessions (pakchois_module_t * module,
- ck_slot_id_t slot_id);
-
-ck_rv_t pakchois_get_session_info (pakchois_session_t * session,
- struct ck_session_info *info);
-ck_rv_t pakchois_get_operation_state (pakchois_session_t * session,
- unsigned char *operation_state,
- unsigned long *operation_state_len);
-ck_rv_t pakchois_set_operation_state (pakchois_session_t * session,
- unsigned char *operation_state,
- unsigned long operation_state_len,
- ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key);
-
-ck_rv_t pakchois_login (pakchois_session_t * session,
- ck_user_type_t user_type, unsigned char *pin,
- unsigned long pin_len);
-ck_rv_t pakchois_logout (pakchois_session_t * session);
-
-ck_rv_t pakchois_create_object (pakchois_session_t * session,
- struct ck_attribute *templ,
- unsigned long count,
- ck_object_handle_t * object);
-ck_rv_t pakchois_copy_object (pakchois_session_t * session,
- ck_object_handle_t object,
- struct ck_attribute *templ, unsigned long count,
- ck_object_handle_t * new_object);
-ck_rv_t pakchois_destroy_object (pakchois_session_t * session,
- ck_object_handle_t object);
-ck_rv_t pakchois_get_object_size (pakchois_session_t * session,
- ck_object_handle_t object,
- unsigned long *size);
-
-ck_rv_t pakchois_get_attribute_value (pakchois_session_t * session,
- ck_object_handle_t object,
- struct ck_attribute *templ,
- unsigned long count);
-ck_rv_t pakchois_set_attribute_value (pakchois_session_t * session,
- ck_object_handle_t object,
- struct ck_attribute *templ,
- unsigned long count);
-ck_rv_t pakchois_find_objects_init (pakchois_session_t * session,
- struct ck_attribute *templ,
- unsigned long count);
-ck_rv_t pakchois_find_objects (pakchois_session_t * session,
- ck_object_handle_t * object,
- unsigned long max_object_count,
- unsigned long *object_count);
-ck_rv_t pakchois_find_objects_final (pakchois_session_t * session);
-
-ck_rv_t pakchois_encrypt_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_encrypt (pakchois_session_t * session,
- unsigned char *data, unsigned long data_len,
- unsigned char *encrypted_data,
- unsigned long *encrypted_data_len);
-ck_rv_t pakchois_encrypt_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len);
-ck_rv_t pakchois_encrypt_final (pakchois_session_t * session,
- unsigned char *last_encrypted_part,
- unsigned long *last_encrypted_part_len);
-
-ck_rv_t pakchois_decrypt_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_decrypt (pakchois_session_t * session,
- unsigned char *encrypted_data,
- unsigned long encrypted_data_len,
- unsigned char *data, unsigned long *data_len);
-ck_rv_t pakchois_decrypt_update (pakchois_session_t * session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part,
- unsigned long *part_len);
-ck_rv_t pakchois_decrypt_final (pakchois_session_t * session,
- unsigned char *last_part,
- unsigned long *last_part_len);
-ck_rv_t pakchois_digest_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism);
-ck_rv_t pakchois_digest (pakchois_session_t * session, unsigned char *data,
- unsigned long data_len, unsigned char *digest,
- unsigned long *digest_len);
-ck_rv_t pakchois_digest_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len);
-ck_rv_t pakchois_digest_key (pakchois_session_t * session,
- ck_object_handle_t key);
-ck_rv_t pakchois_digest_final (pakchois_session_t * session,
- unsigned char *digest,
- unsigned long *digest_len);
-
-ck_rv_t pakchois_sign_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_sign (pakchois_session_t * session, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long *signature_len);
-ck_rv_t pakchois_sign_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len);
-ck_rv_t pakchois_sign_final (pakchois_session_t * session,
- unsigned char *signature,
- unsigned long *signature_len);
-ck_rv_t pakchois_sign_recover_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_sign_recover (pakchois_session_t * session,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature,
- unsigned long *signature_len);
-
-ck_rv_t pakchois_verify_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_verify (pakchois_session_t * session, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long signature_len);
-ck_rv_t pakchois_verify_update (pakchois_session_t * session,
- unsigned char *part, unsigned long part_len);
-ck_rv_t pakchois_verify_final (pakchois_session_t * session,
- unsigned char *signature,
- unsigned long signature_len);
-ck_rv_t pakchois_verify_recover_init (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t key);
-ck_rv_t pakchois_verify_recover (pakchois_session_t * session,
- unsigned char *signature,
- unsigned long signature_len,
- unsigned char *data,
- unsigned long *data_len);
-
-ck_rv_t pakchois_digest_encrypt_update (pakchois_session_t * session,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len);
-ck_rv_t pakchois_decrypt_digest_update (pakchois_session_t * session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part,
- unsigned long *part_len);
-ck_rv_t pakchois_sign_encrypt_update (pakchois_session_t * session,
- unsigned char *part,
- unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len);
-ck_rv_t pakchois_decrypt_verify_update (pakchois_session_t * session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part,
- unsigned long *part_len);
-
-ck_rv_t pakchois_generate_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- struct ck_attribute *templ,
- unsigned long count, ck_object_handle_t * key);
-ck_rv_t pakchois_generate_key_pair (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- struct ck_attribute *public_key_template,
- unsigned long public_key_attribute_count,
- struct ck_attribute *private_key_template,
- unsigned long private_key_attribute_count,
- ck_object_handle_t * public_key,
- ck_object_handle_t * private_key);
-
-ck_rv_t pakchois_wrap_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t wrapping_key,
- ck_object_handle_t key, unsigned char *wrapped_key,
- unsigned long *wrapped_key_len);
-ck_rv_t pakchois_unwrap_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t unwrapping_key,
- unsigned char *wrapped_key,
- unsigned long wrapped_key_len,
- struct ck_attribute *templ,
- unsigned long attribute_count,
- ck_object_handle_t * key);
-ck_rv_t pakchois_derive_key (pakchois_session_t * session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t base_key,
- struct ck_attribute *templ,
- unsigned long attribute_count,
- ck_object_handle_t * key);
-
-ck_rv_t pakchois_seed_random (pakchois_session_t * session,
- unsigned char *seed, unsigned long seed_len);
-ck_rv_t pakchois_generate_random (pakchois_session_t * session,
- unsigned char *random_data,
- unsigned long random_len);
-
-#endif /* PAKCHOIS_H */
diff --git a/lib/pakchois/pakchois11.h b/lib/pakchois/pakchois11.h
deleted file mode 100644
index 3e29bb94fc..0000000000
--- a/lib/pakchois/pakchois11.h
+++ /dev/null
@@ -1,1369 +0,0 @@
-/* pkcs11.h
- Copyright 2006, 2007 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE. */
-
-/* Please submit changes back to the Scute project at
- http://www.scute.org/ (or send them to marcus@g10code.com), so that
- they can be picked up by other projects from there as well. */
-
-/* This file is a modified implementation of the PKCS #11 standard by
- RSA Security Inc. It is mostly a drop-in replacement, with the
- following change:
-
- This header file does not require any macro definitions by the user
- (like CK_DEFINE_FUNCTION etc). In fact, it defines those macros
- for you (if useful, some are missing, let me know if you need
- more).
-
- There is an additional API available that does comply better to the
- GNU coding standard. It can be switched on by defining
- CRYPTOKI_GNU before including this header file. For this, the
- following changes are made to the specification:
-
- All structure types are changed to a "struct ck_foo" where CK_FOO
- is the type name in PKCS #11.
-
- All non-structure types are changed to ck_foo_t where CK_FOO is the
- lowercase version of the type name in PKCS #11. The basic types
- (CK_ULONG et al.) are removed without substitute.
-
- All members of structures are modified in the following way: Type
- indication prefixes are removed, and underscore characters are
- inserted before words. Then the result is lowercased.
-
- Note that function names are still in the original case, as they
- need for ABI compatibility.
-
- CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute. Use
- <stdbool.h>.
-
- If CRYPTOKI_COMPAT is defined before including this header file,
- then none of the API changes above take place, and the API is the
- one defined by the PKCS #11 standard. */
-
-#ifndef PKCS11_H
-#define PKCS11_H 1
-
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-
-
-/* The version of cryptoki we implement. The revision is changed with
- each modification of this file. If you do not use the "official"
- version of this file, please consider deleting the revision macro
- (you may use a macro with a different name to keep track of your
- versions). */
-#define CRYPTOKI_VERSION_MAJOR 2
-#define CRYPTOKI_VERSION_MINOR 20
-#define CRYPTOKI_VERSION_REVISION 6
-
-
-/* Compatibility interface is default, unless CRYPTOKI_GNU is
- given. */
-#ifndef CRYPTOKI_GNU
-#ifndef CRYPTOKI_COMPAT
-#define CRYPTOKI_COMPAT 1
-#endif
-#endif
-
-/* System dependencies. */
-
-#if defined _WIN32 || defined CRYPTOKI_FORCE_WIN32
-
-/* There is a matching pop below. */
-#pragma pack(push, cryptoki, 1)
-
-#ifdef CRYPTOKI_EXPORTS
-#define CK_SPEC __declspec(dllexport)
-#else
-#define CK_SPEC __declspec(dllimport)
-#endif
-
-#else
-
-#define CK_SPEC
-
-#endif
-
-
-#ifdef CRYPTOKI_COMPAT
- /* If we are in compatibility mode, switch all exposed names to the
- PKCS #11 variant. There are corresponding #undefs below. */
-
-#define ck_flags_t CK_FLAGS
-#define ck_version _CK_VERSION
-
-#define ck_info _CK_INFO
-#define cryptoki_version cryptokiVersion
-#define manufacturer_id manufacturerID
-#define library_description libraryDescription
-#define library_version libraryVersion
-
-#define ck_notification_t CK_NOTIFICATION
-#define ck_slot_id_t CK_SLOT_ID
-
-#define ck_slot_info _CK_SLOT_INFO
-#define slot_description slotDescription
-#define hardware_version hardwareVersion
-#define firmware_version firmwareVersion
-
-#define ck_token_info _CK_TOKEN_INFO
-#define serial_number serialNumber
-#define max_session_count ulMaxSessionCount
-#define session_count ulSessionCount
-#define max_rw_session_count ulMaxRwSessionCount
-#define rw_session_count ulRwSessionCount
-#define max_pin_len ulMaxPinLen
-#define min_pin_len ulMinPinLen
-#define total_public_memory ulTotalPublicMemory
-#define free_public_memory ulFreePublicMemory
-#define total_private_memory ulTotalPrivateMemory
-#define free_private_memory ulFreePrivateMemory
-#define utc_time utcTime
-
-#define ck_session_handle_t CK_SESSION_HANDLE
-#define ck_user_type_t CK_USER_TYPE
-#define ck_state_t CK_STATE
-
-#define ck_session_info _CK_SESSION_INFO
-#define slot_id slotID
-#define device_error ulDeviceError
-
-#define ck_object_handle_t CK_OBJECT_HANDLE
-#define ck_object_class_t CK_OBJECT_CLASS
-#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
-#define ck_key_type_t CK_KEY_TYPE
-#define ck_certificate_type_t CK_CERTIFICATE_TYPE
-#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
-
-#define ck_attribute _CK_ATTRIBUTE
-#define value pValue
-#define value_len ulValueLen
-
-#define ck_date _CK_DATE
-
-#define ck_mechanism_type_t CK_MECHANISM_TYPE
-
-#define ck_mechanism _CK_MECHANISM
-#define parameter pParameter
-#define parameter_len ulParameterLen
-
-#define ck_mechanism_info _CK_MECHANISM_INFO
-#define min_key_size ulMinKeySize
-#define max_key_size ulMaxKeySize
-
-#define ck_rv_t CK_RV
-#define ck_notify_t CK_NOTIFY
-
-#define ck_function_list _CK_FUNCTION_LIST
-
-#define ck_createmutex_t CK_CREATEMUTEX
-#define ck_destroymutex_t CK_DESTROYMUTEX
-#define ck_lockmutex_t CK_LOCKMUTEX
-#define ck_unlockmutex_t CK_UNLOCKMUTEX
-
-#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
-#define create_mutex CreateMutex
-#define destroy_mutex DestroyMutex
-#define lock_mutex LockMutex
-#define unlock_mutex UnlockMutex
-#define reserved pReserved
-
-#endif /* CRYPTOKI_COMPAT */
-
-
-
- typedef unsigned long ck_flags_t;
-
- struct ck_version
- {
- unsigned char major;
- unsigned char minor;
- };
-
-
- struct ck_info
- {
- struct ck_version cryptoki_version;
- unsigned char manufacturer_id[32];
- ck_flags_t flags;
- unsigned char library_description[32];
- struct ck_version library_version;
- };
-
-
- typedef unsigned long ck_notification_t;
-
-#define CKN_SURRENDER (0)
-
-
- typedef unsigned long ck_slot_id_t;
-
-
- struct ck_slot_info
- {
- unsigned char slot_description[64];
- unsigned char manufacturer_id[32];
- ck_flags_t flags;
- struct ck_version hardware_version;
- struct ck_version firmware_version;
- };
-
-
-#define CKF_TOKEN_PRESENT (1 << 0)
-#define CKF_REMOVABLE_DEVICE (1 << 1)
-#define CKF_HW_SLOT (1 << 2)
-#define CKF_ARRAY_ATTRIBUTE (1 << 30)
-
-
- struct ck_token_info
- {
- unsigned char label[32];
- unsigned char manufacturer_id[32];
- unsigned char model[16];
- unsigned char serial_number[16];
- ck_flags_t flags;
- unsigned long max_session_count;
- unsigned long session_count;
- unsigned long max_rw_session_count;
- unsigned long rw_session_count;
- unsigned long max_pin_len;
- unsigned long min_pin_len;
- unsigned long total_public_memory;
- unsigned long free_public_memory;
- unsigned long total_private_memory;
- unsigned long free_private_memory;
- struct ck_version hardware_version;
- struct ck_version firmware_version;
- unsigned char utc_time[16];
- };
-
-
-#define CKF_RNG (1 << 0)
-#define CKF_WRITE_PROTECTED (1 << 1)
-#define CKF_LOGIN_REQUIRED (1 << 2)
-#define CKF_USER_PIN_INITIALIZED (1 << 3)
-#define CKF_RESTORE_KEY_NOT_NEEDED (1 << 5)
-#define CKF_CLOCK_ON_TOKEN (1 << 6)
-#define CKF_PROTECTED_AUTHENTICATION_PATH (1 << 8)
-#define CKF_DUAL_CRYPTO_OPERATIONS (1 << 9)
-#define CKF_TOKEN_INITIALIZED (1 << 10)
-#define CKF_SECONDARY_AUTHENTICATION (1 << 11)
-#define CKF_USER_PIN_COUNT_LOW (1 << 16)
-#define CKF_USER_PIN_FINAL_TRY (1 << 17)
-#define CKF_USER_PIN_LOCKED (1 << 18)
-#define CKF_USER_PIN_TO_BE_CHANGED (1 << 19)
-#define CKF_SO_PIN_COUNT_LOW (1 << 20)
-#define CKF_SO_PIN_FINAL_TRY (1 << 21)
-#define CKF_SO_PIN_LOCKED (1 << 22)
-#define CKF_SO_PIN_TO_BE_CHANGED (1 << 23)
-
-#define CK_UNAVAILABLE_INFORMATION ((unsigned long) -1)
-#define CK_EFFECTIVELY_INFINITE (0)
-
-
- typedef unsigned long ck_session_handle_t;
-
-#define CK_INVALID_HANDLE (0)
-
-
- typedef unsigned long ck_user_type_t;
-
-#define CKU_SO (0)
-#define CKU_USER (1)
-#define CKU_CONTEXT_SPECIFIC (2)
-
-
- typedef unsigned long ck_state_t;
-
-#define CKS_RO_PUBLIC_SESSION (0)
-#define CKS_RO_USER_FUNCTIONS (1)
-#define CKS_RW_PUBLIC_SESSION (2)
-#define CKS_RW_USER_FUNCTIONS (3)
-#define CKS_RW_SO_FUNCTIONS (4)
-
-
- struct ck_session_info
- {
- ck_slot_id_t slot_id;
- ck_state_t state;
- ck_flags_t flags;
- unsigned long device_error;
- };
-
-#define CKF_RW_SESSION (1 << 1)
-#define CKF_SERIAL_SESSION (1 << 2)
-
-
- typedef unsigned long ck_object_handle_t;
-
-
- typedef unsigned long ck_object_class_t;
-
-#define CKO_DATA (0)
-#define CKO_CERTIFICATE (1)
-#define CKO_PUBLIC_KEY (2)
-#define CKO_PRIVATE_KEY (3)
-#define CKO_SECRET_KEY (4)
-#define CKO_HW_FEATURE (5)
-#define CKO_DOMAIN_PARAMETERS (6)
-#define CKO_MECHANISM (7)
-#define CKO_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_hw_feature_type_t;
-
-#define CKH_MONOTONIC_COUNTER (1)
-#define CKH_CLOCK (2)
-#define CKH_USER_INTERFACE (3)
-#define CKH_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_key_type_t;
-
-#define CKK_RSA (0)
-#define CKK_DSA (1)
-#define CKK_DH (2)
-#define CKK_ECDSA (3)
-#define CKK_EC (3)
-#define CKK_X9_42_DH (4)
-#define CKK_KEA (5)
-#define CKK_GENERIC_SECRET (0x10)
-#define CKK_RC2 (0x11)
-#define CKK_RC4 (0x12)
-#define CKK_DES (0x13)
-#define CKK_DES2 (0x14)
-#define CKK_DES3 (0x15)
-#define CKK_CAST (0x16)
-#define CKK_CAST3 (0x17)
-#define CKK_CAST128 (0x18)
-#define CKK_RC5 (0x19)
-#define CKK_IDEA (0x1a)
-#define CKK_SKIPJACK (0x1b)
-#define CKK_BATON (0x1c)
-#define CKK_JUNIPER (0x1d)
-#define CKK_CDMF (0x1e)
-#define CKK_AES (0x1f)
-#define CKK_BLOWFISH (0x20)
-#define CKK_TWOFISH (0x21)
-#define CKK_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_certificate_type_t;
-
-#define CKC_X_509 (0)
-#define CKC_X_509_ATTR_CERT (1)
-#define CKC_WTLS (2)
-#define CKC_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- typedef unsigned long ck_attribute_type_t;
-
-#define CKA_CLASS (0)
-#define CKA_TOKEN (1)
-#define CKA_PRIVATE (2)
-#define CKA_LABEL (3)
-#define CKA_APPLICATION (0x10)
-#define CKA_VALUE (0x11)
-#define CKA_OBJECT_ID (0x12)
-#define CKA_CERTIFICATE_TYPE (0x80)
-#define CKA_ISSUER (0x81)
-#define CKA_SERIAL_NUMBER (0x82)
-#define CKA_AC_ISSUER (0x83)
-#define CKA_OWNER (0x84)
-#define CKA_ATTR_TYPES (0x85)
-#define CKA_TRUSTED (0x86)
-#define CKA_CERTIFICATE_CATEGORY (0x87)
-#define CKA_JAVA_MIDP_SECURITY_DOMAIN (0x88)
-#define CKA_URL (0x89)
-#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8a)
-#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8b)
-#define CKA_CHECK_VALUE (0x90)
-#define CKA_KEY_TYPE (0x100)
-#define CKA_SUBJECT (0x101)
-#define CKA_ID (0x102)
-#define CKA_SENSITIVE (0x103)
-#define CKA_ENCRYPT (0x104)
-#define CKA_DECRYPT (0x105)
-#define CKA_WRAP (0x106)
-#define CKA_UNWRAP (0x107)
-#define CKA_SIGN (0x108)
-#define CKA_SIGN_RECOVER (0x109)
-#define CKA_VERIFY (0x10a)
-#define CKA_VERIFY_RECOVER (0x10b)
-#define CKA_DERIVE (0x10c)
-#define CKA_START_DATE (0x110)
-#define CKA_END_DATE (0x111)
-#define CKA_MODULUS (0x120)
-#define CKA_MODULUS_BITS (0x121)
-#define CKA_PUBLIC_EXPONENT (0x122)
-#define CKA_PRIVATE_EXPONENT (0x123)
-#define CKA_PRIME_1 (0x124)
-#define CKA_PRIME_2 (0x125)
-#define CKA_EXPONENT_1 (0x126)
-#define CKA_EXPONENT_2 (0x127)
-#define CKA_COEFFICIENT (0x128)
-#define CKA_PRIME (0x130)
-#define CKA_SUBPRIME (0x131)
-#define CKA_BASE (0x132)
-#define CKA_PRIME_BITS (0x133)
-#define CKA_SUB_PRIME_BITS (0x134)
-#define CKA_VALUE_BITS (0x160)
-#define CKA_VALUE_LEN (0x161)
-#define CKA_EXTRACTABLE (0x162)
-#define CKA_LOCAL (0x163)
-#define CKA_NEVER_EXTRACTABLE (0x164)
-#define CKA_ALWAYS_SENSITIVE (0x165)
-#define CKA_KEY_GEN_MECHANISM (0x166)
-#define CKA_MODIFIABLE (0x170)
-#define CKA_ECDSA_PARAMS (0x180)
-#define CKA_EC_PARAMS (0x180)
-#define CKA_EC_POINT (0x181)
-#define CKA_SECONDARY_AUTH (0x200)
-#define CKA_AUTH_PIN_FLAGS (0x201)
-#define CKA_ALWAYS_AUTHENTICATE (0x202)
-#define CKA_WRAP_WITH_TRUSTED (0x210)
-#define CKA_HW_FEATURE_TYPE (0x300)
-#define CKA_RESET_ON_INIT (0x301)
-#define CKA_HAS_RESET (0x302)
-#define CKA_PIXEL_X (0x400)
-#define CKA_PIXEL_Y (0x401)
-#define CKA_RESOLUTION (0x402)
-#define CKA_CHAR_ROWS (0x403)
-#define CKA_CHAR_COLUMNS (0x404)
-#define CKA_COLOR (0x405)
-#define CKA_BITS_PER_PIXEL (0x406)
-#define CKA_CHAR_SETS (0x480)
-#define CKA_ENCODING_METHODS (0x481)
-#define CKA_MIME_TYPES (0x482)
-#define CKA_MECHANISM_TYPE (0x500)
-#define CKA_REQUIRED_CMS_ATTRIBUTES (0x501)
-#define CKA_DEFAULT_CMS_ATTRIBUTES (0x502)
-#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503)
-#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211)
-#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212)
-#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600)
-#define CKA_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
- struct ck_attribute
- {
- ck_attribute_type_t type;
- void *value;
- unsigned long value_len;
- };
-
-
- struct ck_date
- {
- unsigned char year[4];
- unsigned char month[2];
- unsigned char day[2];
- };
-
-
- typedef unsigned long ck_mechanism_type_t;
-
-#define CKM_RSA_PKCS_KEY_PAIR_GEN (0)
-#define CKM_RSA_PKCS (1)
-#define CKM_RSA_9796 (2)
-#define CKM_RSA_X_509 (3)
-#define CKM_MD2_RSA_PKCS (4)
-#define CKM_MD5_RSA_PKCS (5)
-#define CKM_SHA1_RSA_PKCS (6)
-#define CKM_RIPEMD128_RSA_PKCS (7)
-#define CKM_RIPEMD160_RSA_PKCS (8)
-#define CKM_RSA_PKCS_OAEP (9)
-#define CKM_RSA_X9_31_KEY_PAIR_GEN (0xa)
-#define CKM_RSA_X9_31 (0xb)
-#define CKM_SHA1_RSA_X9_31 (0xc)
-#define CKM_RSA_PKCS_PSS (0xd)
-#define CKM_SHA1_RSA_PKCS_PSS (0xe)
-#define CKM_DSA_KEY_PAIR_GEN (0x10)
-#define CKM_DSA (0x11)
-#define CKM_DSA_SHA1 (0x12)
-#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20)
-#define CKM_DH_PKCS_DERIVE (0x21)
-#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30)
-#define CKM_X9_42_DH_DERIVE (0x31)
-#define CKM_X9_42_DH_HYBRID_DERIVE (0x32)
-#define CKM_X9_42_MQV_DERIVE (0x33)
-#define CKM_SHA256_RSA_PKCS (0x40)
-#define CKM_SHA384_RSA_PKCS (0x41)
-#define CKM_SHA512_RSA_PKCS (0x42)
-#define CKM_SHA256_RSA_PKCS_PSS (0x43)
-#define CKM_SHA384_RSA_PKCS_PSS (0x44)
-#define CKM_SHA512_RSA_PKCS_PSS (0x45)
-#define CKM_RC2_KEY_GEN (0x100)
-#define CKM_RC2_ECB (0x101)
-#define CKM_RC2_CBC (0x102)
-#define CKM_RC2_MAC (0x103)
-#define CKM_RC2_MAC_GENERAL (0x104)
-#define CKM_RC2_CBC_PAD (0x105)
-#define CKM_RC4_KEY_GEN (0x110)
-#define CKM_RC4 (0x111)
-#define CKM_DES_KEY_GEN (0x120)
-#define CKM_DES_ECB (0x121)
-#define CKM_DES_CBC (0x122)
-#define CKM_DES_MAC (0x123)
-#define CKM_DES_MAC_GENERAL (0x124)
-#define CKM_DES_CBC_PAD (0x125)
-#define CKM_DES2_KEY_GEN (0x130)
-#define CKM_DES3_KEY_GEN (0x131)
-#define CKM_DES3_ECB (0x132)
-#define CKM_DES3_CBC (0x133)
-#define CKM_DES3_MAC (0x134)
-#define CKM_DES3_MAC_GENERAL (0x135)
-#define CKM_DES3_CBC_PAD (0x136)
-#define CKM_CDMF_KEY_GEN (0x140)
-#define CKM_CDMF_ECB (0x141)
-#define CKM_CDMF_CBC (0x142)
-#define CKM_CDMF_MAC (0x143)
-#define CKM_CDMF_MAC_GENERAL (0x144)
-#define CKM_CDMF_CBC_PAD (0x145)
-#define CKM_MD2 (0x200)
-#define CKM_MD2_HMAC (0x201)
-#define CKM_MD2_HMAC_GENERAL (0x202)
-#define CKM_MD5 (0x210)
-#define CKM_MD5_HMAC (0x211)
-#define CKM_MD5_HMAC_GENERAL (0x212)
-#define CKM_SHA_1 (0x220)
-#define CKM_SHA_1_HMAC (0x221)
-#define CKM_SHA_1_HMAC_GENERAL (0x222)
-#define CKM_RIPEMD128 (0x230)
-#define CKM_RIPEMD128_HMAC (0x231)
-#define CKM_RIPEMD128_HMAC_GENERAL (0x232)
-#define CKM_RIPEMD160 (0x240)
-#define CKM_RIPEMD160_HMAC (0x241)
-#define CKM_RIPEMD160_HMAC_GENERAL (0x242)
-#define CKM_SHA256 (0x250)
-#define CKM_SHA256_HMAC (0x251)
-#define CKM_SHA256_HMAC_GENERAL (0x252)
-#define CKM_SHA384 (0x260)
-#define CKM_SHA384_HMAC (0x261)
-#define CKM_SHA384_HMAC_GENERAL (0x262)
-#define CKM_SHA512 (0x270)
-#define CKM_SHA512_HMAC (0x271)
-#define CKM_SHA512_HMAC_GENERAL (0x272)
-#define CKM_CAST_KEY_GEN (0x300)
-#define CKM_CAST_ECB (0x301)
-#define CKM_CAST_CBC (0x302)
-#define CKM_CAST_MAC (0x303)
-#define CKM_CAST_MAC_GENERAL (0x304)
-#define CKM_CAST_CBC_PAD (0x305)
-#define CKM_CAST3_KEY_GEN (0x310)
-#define CKM_CAST3_ECB (0x311)
-#define CKM_CAST3_CBC (0x312)
-#define CKM_CAST3_MAC (0x313)
-#define CKM_CAST3_MAC_GENERAL (0x314)
-#define CKM_CAST3_CBC_PAD (0x315)
-#define CKM_CAST5_KEY_GEN (0x320)
-#define CKM_CAST128_KEY_GEN (0x320)
-#define CKM_CAST5_ECB (0x321)
-#define CKM_CAST128_ECB (0x321)
-#define CKM_CAST5_CBC (0x322)
-#define CKM_CAST128_CBC (0x322)
-#define CKM_CAST5_MAC (0x323)
-#define CKM_CAST128_MAC (0x323)
-#define CKM_CAST5_MAC_GENERAL (0x324)
-#define CKM_CAST128_MAC_GENERAL (0x324)
-#define CKM_CAST5_CBC_PAD (0x325)
-#define CKM_CAST128_CBC_PAD (0x325)
-#define CKM_RC5_KEY_GEN (0x330)
-#define CKM_RC5_ECB (0x331)
-#define CKM_RC5_CBC (0x332)
-#define CKM_RC5_MAC (0x333)
-#define CKM_RC5_MAC_GENERAL (0x334)
-#define CKM_RC5_CBC_PAD (0x335)
-#define CKM_IDEA_KEY_GEN (0x340)
-#define CKM_IDEA_ECB (0x341)
-#define CKM_IDEA_CBC (0x342)
-#define CKM_IDEA_MAC (0x343)
-#define CKM_IDEA_MAC_GENERAL (0x344)
-#define CKM_IDEA_CBC_PAD (0x345)
-#define CKM_GENERIC_SECRET_KEY_GEN (0x350)
-#define CKM_CONCATENATE_BASE_AND_KEY (0x360)
-#define CKM_CONCATENATE_BASE_AND_DATA (0x362)
-#define CKM_CONCATENATE_DATA_AND_BASE (0x363)
-#define CKM_XOR_BASE_AND_DATA (0x364)
-#define CKM_EXTRACT_KEY_FROM_KEY (0x365)
-#define CKM_SSL3_PRE_MASTER_KEY_GEN (0x370)
-#define CKM_SSL3_MASTER_KEY_DERIVE (0x371)
-#define CKM_SSL3_KEY_AND_MAC_DERIVE (0x372)
-#define CKM_SSL3_MASTER_KEY_DERIVE_DH (0x373)
-#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374)
-#define CKM_TLS_MASTER_KEY_DERIVE (0x375)
-#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376)
-#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377)
-#define CKM_SSL3_MD5_MAC (0x380)
-#define CKM_SSL3_SHA1_MAC (0x381)
-#define CKM_MD5_KEY_DERIVATION (0x390)
-#define CKM_MD2_KEY_DERIVATION (0x391)
-#define CKM_SHA1_KEY_DERIVATION (0x392)
-#define CKM_PBE_MD2_DES_CBC (0x3a0)
-#define CKM_PBE_MD5_DES_CBC (0x3a1)
-#define CKM_PBE_MD5_CAST_CBC (0x3a2)
-#define CKM_PBE_MD5_CAST3_CBC (0x3a3)
-#define CKM_PBE_MD5_CAST5_CBC (0x3a4)
-#define CKM_PBE_MD5_CAST128_CBC (0x3a4)
-#define CKM_PBE_SHA1_CAST5_CBC (0x3a5)
-#define CKM_PBE_SHA1_CAST128_CBC (0x3a5)
-#define CKM_PBE_SHA1_RC4_128 (0x3a6)
-#define CKM_PBE_SHA1_RC4_40 (0x3a7)
-#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8)
-#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9)
-#define CKM_PBE_SHA1_RC2_128_CBC (0x3aa)
-#define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)
-#define CKM_PKCS5_PBKD2 (0x3b0)
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0)
-#define CKM_KEY_WRAP_LYNKS (0x400)
-#define CKM_KEY_WRAP_SET_OAEP (0x401)
-#define CKM_SKIPJACK_KEY_GEN (0x1000)
-#define CKM_SKIPJACK_ECB64 (0x1001)
-#define CKM_SKIPJACK_CBC64 (0x1002)
-#define CKM_SKIPJACK_OFB64 (0x1003)
-#define CKM_SKIPJACK_CFB64 (0x1004)
-#define CKM_SKIPJACK_CFB32 (0x1005)
-#define CKM_SKIPJACK_CFB16 (0x1006)
-#define CKM_SKIPJACK_CFB8 (0x1007)
-#define CKM_SKIPJACK_WRAP (0x1008)
-#define CKM_SKIPJACK_PRIVATE_WRAP (0x1009)
-#define CKM_SKIPJACK_RELAYX (0x100a)
-#define CKM_KEA_KEY_PAIR_GEN (0x1010)
-#define CKM_KEA_KEY_DERIVE (0x1011)
-#define CKM_FORTEZZA_TIMESTAMP (0x1020)
-#define CKM_BATON_KEY_GEN (0x1030)
-#define CKM_BATON_ECB128 (0x1031)
-#define CKM_BATON_ECB96 (0x1032)
-#define CKM_BATON_CBC128 (0x1033)
-#define CKM_BATON_COUNTER (0x1034)
-#define CKM_BATON_SHUFFLE (0x1035)
-#define CKM_BATON_WRAP (0x1036)
-#define CKM_ECDSA_KEY_PAIR_GEN (0x1040)
-#define CKM_EC_KEY_PAIR_GEN (0x1040)
-#define CKM_ECDSA (0x1041)
-#define CKM_ECDSA_SHA1 (0x1042)
-#define CKM_ECDH1_DERIVE (0x1050)
-#define CKM_ECDH1_COFACTOR_DERIVE (0x1051)
-#define CKM_ECMQV_DERIVE (0x1052)
-#define CKM_JUNIPER_KEY_GEN (0x1060)
-#define CKM_JUNIPER_ECB128 (0x1061)
-#define CKM_JUNIPER_CBC128 (0x1062)
-#define CKM_JUNIPER_COUNTER (0x1063)
-#define CKM_JUNIPER_SHUFFLE (0x1064)
-#define CKM_JUNIPER_WRAP (0x1065)
-#define CKM_FASTHASH (0x1070)
-#define CKM_AES_KEY_GEN (0x1080)
-#define CKM_AES_ECB (0x1081)
-#define CKM_AES_CBC (0x1082)
-#define CKM_AES_MAC (0x1083)
-#define CKM_AES_MAC_GENERAL (0x1084)
-#define CKM_AES_CBC_PAD (0x1085)
-#define CKM_DSA_PARAMETER_GEN (0x2000)
-#define CKM_DH_PKCS_PARAMETER_GEN (0x2001)
-#define CKM_X9_42_DH_PARAMETER_GEN (0x2002)
-#define CKM_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-/* Ammendments */
-#define CKM_SHA224 (0x255)
-#define CKM_SHA224_HMAC (0x256)
-#define CKM_SHA224_HMAC_GENERAL (0x257)
-#define CKM_SHA224_RSA_PKCS (0x46)
-#define CKM_SHA224_RSA_PKCS_PSS (0x47)
-#define CKM_SHA224_KEY_DERIVATION (0x396)
-
-#define CKM_CAMELLIA_KEY_GEN (0x550)
-#define CKM_CAMELLIA_ECB (0x551)
-#define CKM_CAMELLIA_CBC (0x552)
-#define CKM_CAMELLIA_MAC (0x553)
-#define CKM_CAMELLIA_MAC_GENERAL (0x554)
-#define CKM_CAMELLIA_CBC_PAD (0x555)
-#define CKM_CAMELLIA_ECB_ENCRYPT_DATA (0x556)
-#define CKM_CAMELLIA_CBC_ENCRYPT_DATA (0x557)
-
-
- struct ck_mechanism
- {
- ck_mechanism_type_t mechanism;
- void *parameter;
- unsigned long parameter_len;
- };
-
-
- struct ck_mechanism_info
- {
- unsigned long min_key_size;
- unsigned long max_key_size;
- ck_flags_t flags;
- };
-
-#define CKF_HW (1 << 0)
-#define CKF_ENCRYPT (1 << 8)
-#define CKF_DECRYPT (1 << 9)
-#define CKF_DIGEST (1 << 10)
-#define CKF_SIGN (1 << 11)
-#define CKF_SIGN_RECOVER (1 << 12)
-#define CKF_VERIFY (1 << 13)
-#define CKF_VERIFY_RECOVER (1 << 14)
-#define CKF_GENERATE (1 << 15)
-#define CKF_GENERATE_KEY_PAIR (1 << 16)
-#define CKF_WRAP (1 << 17)
-#define CKF_UNWRAP (1 << 18)
-#define CKF_DERIVE (1 << 19)
-#define CKF_EXTENSION ((unsigned long) (1 << 31))
-
-
-/* Flags for C_WaitForSlotEvent. */
-#define CKF_DONT_BLOCK (1)
-
-
- typedef unsigned long ck_rv_t;
-
-
- typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session,
- ck_notification_t event, void *application);
-
-/* Forward reference. */
- struct ck_function_list;
-
-#define _CK_DECLARE_FUNCTION(name, args) \
-typedef ck_rv_t (*CK_ ## name) args; \
-ck_rv_t CK_SPEC name args
-
- _CK_DECLARE_FUNCTION (C_Initialize, (void *init_args));
- _CK_DECLARE_FUNCTION (C_Finalize, (void *reserved));
- _CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info * info));
- _CK_DECLARE_FUNCTION (C_GetFunctionList,
- (struct ck_function_list ** function_list));
-
- _CK_DECLARE_FUNCTION (C_GetSlotList,
- (unsigned char token_present,
- ck_slot_id_t * slot_list, unsigned long *count));
- _CK_DECLARE_FUNCTION (C_GetSlotInfo,
- (ck_slot_id_t slot_id, struct ck_slot_info * info));
- _CK_DECLARE_FUNCTION (C_GetTokenInfo,
- (ck_slot_id_t slot_id,
- struct ck_token_info * info));
- _CK_DECLARE_FUNCTION (C_WaitForSlotEvent,
- (ck_flags_t flags, ck_slot_id_t * slot,
- void *reserved));
- _CK_DECLARE_FUNCTION (C_GetMechanismList,
- (ck_slot_id_t slot_id,
- ck_mechanism_type_t * mechanism_list,
- unsigned long *count));
- _CK_DECLARE_FUNCTION (C_GetMechanismInfo,
- (ck_slot_id_t slot_id, ck_mechanism_type_t type,
- struct ck_mechanism_info * info));
- _CK_DECLARE_FUNCTION (C_InitToken,
- (ck_slot_id_t slot_id, unsigned char *pin,
- unsigned long pin_len, unsigned char *label));
- _CK_DECLARE_FUNCTION (C_InitPIN,
- (ck_session_handle_t session, unsigned char *pin,
- unsigned long pin_len));
- _CK_DECLARE_FUNCTION (C_SetPIN,
- (ck_session_handle_t session,
- unsigned char *old_pin, unsigned long old_len,
- unsigned char *new_pin, unsigned long new_len));
-
- _CK_DECLARE_FUNCTION (C_OpenSession,
- (ck_slot_id_t slot_id, ck_flags_t flags,
- void *application, ck_notify_t notify,
- ck_session_handle_t * session));
- _CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session));
- _CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id));
- _CK_DECLARE_FUNCTION (C_GetSessionInfo,
- (ck_session_handle_t session,
- struct ck_session_info * info));
- _CK_DECLARE_FUNCTION (C_GetOperationState,
- (ck_session_handle_t session,
- unsigned char *operation_state,
- unsigned long *operation_state_len));
- _CK_DECLARE_FUNCTION (C_SetOperationState,
- (ck_session_handle_t session,
- unsigned char *operation_state,
- unsigned long operation_state_len,
- ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key));
- _CK_DECLARE_FUNCTION (C_Login,
- (ck_session_handle_t session,
- ck_user_type_t user_type, unsigned char *pin,
- unsigned long pin_len));
- _CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session));
-
- _CK_DECLARE_FUNCTION (C_CreateObject,
- (ck_session_handle_t session,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * object));
- _CK_DECLARE_FUNCTION (C_CopyObject,
- (ck_session_handle_t session,
- ck_object_handle_t object,
- struct ck_attribute * templ, unsigned long count,
- ck_object_handle_t * new_object));
- _CK_DECLARE_FUNCTION (C_DestroyObject,
- (ck_session_handle_t session,
- ck_object_handle_t object));
- _CK_DECLARE_FUNCTION (C_GetObjectSize,
- (ck_session_handle_t session,
- ck_object_handle_t object, unsigned long *size));
- _CK_DECLARE_FUNCTION (C_GetAttributeValue,
- (ck_session_handle_t session,
- ck_object_handle_t object,
- struct ck_attribute * templ, unsigned long count));
- _CK_DECLARE_FUNCTION (C_SetAttributeValue,
- (ck_session_handle_t session,
- ck_object_handle_t object,
- struct ck_attribute * templ, unsigned long count));
- _CK_DECLARE_FUNCTION (C_FindObjectsInit,
- (ck_session_handle_t session,
- struct ck_attribute * templ, unsigned long count));
- _CK_DECLARE_FUNCTION (C_FindObjects,
- (ck_session_handle_t session,
- ck_object_handle_t * object,
- unsigned long max_object_count,
- unsigned long *object_count));
- _CK_DECLARE_FUNCTION (C_FindObjectsFinal, (ck_session_handle_t session));
-
- _CK_DECLARE_FUNCTION (C_EncryptInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_Encrypt,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *encrypted_data,
- unsigned long *encrypted_data_len));
- _CK_DECLARE_FUNCTION (C_EncryptUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len));
- _CK_DECLARE_FUNCTION (C_EncryptFinal,
- (ck_session_handle_t session,
- unsigned char *last_encrypted_part,
- unsigned long *last_encrypted_part_len));
-
- _CK_DECLARE_FUNCTION (C_DecryptInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_Decrypt,
- (ck_session_handle_t session,
- unsigned char *encrypted_data,
- unsigned long encrypted_data_len,
- unsigned char *data, unsigned long *data_len));
- _CK_DECLARE_FUNCTION (C_DecryptUpdate,
- (ck_session_handle_t session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len));
- _CK_DECLARE_FUNCTION (C_DecryptFinal,
- (ck_session_handle_t session,
- unsigned char *last_part,
- unsigned long *last_part_len));
-
- _CK_DECLARE_FUNCTION (C_DigestInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism));
- _CK_DECLARE_FUNCTION (C_Digest,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *digest, unsigned long *digest_len));
- _CK_DECLARE_FUNCTION (C_DigestUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len));
- _CK_DECLARE_FUNCTION (C_DigestKey,
- (ck_session_handle_t session,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_DigestFinal,
- (ck_session_handle_t session, unsigned char *digest,
- unsigned long *digest_len));
-
- _CK_DECLARE_FUNCTION (C_SignInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_Sign,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature,
- unsigned long *signature_len));
- _CK_DECLARE_FUNCTION (C_SignUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len));
- _CK_DECLARE_FUNCTION (C_SignFinal,
- (ck_session_handle_t session,
- unsigned char *signature,
- unsigned long *signature_len));
- _CK_DECLARE_FUNCTION (C_SignRecoverInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_SignRecover,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature,
- unsigned long *signature_len));
-
- _CK_DECLARE_FUNCTION (C_VerifyInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_Verify,
- (ck_session_handle_t session,
- unsigned char *data, unsigned long data_len,
- unsigned char *signature,
- unsigned long signature_len));
- _CK_DECLARE_FUNCTION (C_VerifyUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len));
- _CK_DECLARE_FUNCTION (C_VerifyFinal,
- (ck_session_handle_t session,
- unsigned char *signature,
- unsigned long signature_len));
- _CK_DECLARE_FUNCTION (C_VerifyRecoverInit,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t key));
- _CK_DECLARE_FUNCTION (C_VerifyRecover,
- (ck_session_handle_t session,
- unsigned char *signature,
- unsigned long signature_len,
- unsigned char *data, unsigned long *data_len));
-
- _CK_DECLARE_FUNCTION (C_DigestEncryptUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len));
- _CK_DECLARE_FUNCTION (C_DecryptDigestUpdate,
- (ck_session_handle_t session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len));
- _CK_DECLARE_FUNCTION (C_SignEncryptUpdate,
- (ck_session_handle_t session,
- unsigned char *part, unsigned long part_len,
- unsigned char *encrypted_part,
- unsigned long *encrypted_part_len));
- _CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate,
- (ck_session_handle_t session,
- unsigned char *encrypted_part,
- unsigned long encrypted_part_len,
- unsigned char *part, unsigned long *part_len));
-
- _CK_DECLARE_FUNCTION (C_GenerateKey,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- struct ck_attribute * templ,
- unsigned long count, ck_object_handle_t * key));
- _CK_DECLARE_FUNCTION (C_GenerateKeyPair,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- struct ck_attribute * public_key_template,
- unsigned long public_key_attribute_count,
- struct ck_attribute * private_key_template,
- unsigned long private_key_attribute_count,
- ck_object_handle_t * public_key,
- ck_object_handle_t * private_key));
- _CK_DECLARE_FUNCTION (C_WrapKey,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t wrapping_key,
- ck_object_handle_t key,
- unsigned char *wrapped_key,
- unsigned long *wrapped_key_len));
- _CK_DECLARE_FUNCTION (C_UnwrapKey,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t unwrapping_key,
- unsigned char *wrapped_key,
- unsigned long wrapped_key_len,
- struct ck_attribute * templ,
- unsigned long attribute_count,
- ck_object_handle_t * key));
- _CK_DECLARE_FUNCTION (C_DeriveKey,
- (ck_session_handle_t session,
- struct ck_mechanism * mechanism,
- ck_object_handle_t base_key,
- struct ck_attribute * templ,
- unsigned long attribute_count,
- ck_object_handle_t * key));
-
- _CK_DECLARE_FUNCTION (C_SeedRandom,
- (ck_session_handle_t session, unsigned char *seed,
- unsigned long seed_len));
- _CK_DECLARE_FUNCTION (C_GenerateRandom,
- (ck_session_handle_t session,
- unsigned char *random_data,
- unsigned long random_len));
-
- _CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session));
- _CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session));
-
-
- struct ck_function_list
- {
- struct ck_version version;
- CK_C_Initialize C_Initialize;
- CK_C_Finalize C_Finalize;
- CK_C_GetInfo C_GetInfo;
- CK_C_GetFunctionList C_GetFunctionList;
- CK_C_GetSlotList C_GetSlotList;
- CK_C_GetSlotInfo C_GetSlotInfo;
- CK_C_GetTokenInfo C_GetTokenInfo;
- CK_C_GetMechanismList C_GetMechanismList;
- CK_C_GetMechanismInfo C_GetMechanismInfo;
- CK_C_InitToken C_InitToken;
- CK_C_InitPIN C_InitPIN;
- CK_C_SetPIN C_SetPIN;
- CK_C_OpenSession C_OpenSession;
- CK_C_CloseSession C_CloseSession;
- CK_C_CloseAllSessions C_CloseAllSessions;
- CK_C_GetSessionInfo C_GetSessionInfo;
- CK_C_GetOperationState C_GetOperationState;
- CK_C_SetOperationState C_SetOperationState;
- CK_C_Login C_Login;
- CK_C_Logout C_Logout;
- CK_C_CreateObject C_CreateObject;
- CK_C_CopyObject C_CopyObject;
- CK_C_DestroyObject C_DestroyObject;
- CK_C_GetObjectSize C_GetObjectSize;
- CK_C_GetAttributeValue C_GetAttributeValue;
- CK_C_SetAttributeValue C_SetAttributeValue;
- CK_C_FindObjectsInit C_FindObjectsInit;
- CK_C_FindObjects C_FindObjects;
- CK_C_FindObjectsFinal C_FindObjectsFinal;
- CK_C_EncryptInit C_EncryptInit;
- CK_C_Encrypt C_Encrypt;
- CK_C_EncryptUpdate C_EncryptUpdate;
- CK_C_EncryptFinal C_EncryptFinal;
- CK_C_DecryptInit C_DecryptInit;
- CK_C_Decrypt C_Decrypt;
- CK_C_DecryptUpdate C_DecryptUpdate;
- CK_C_DecryptFinal C_DecryptFinal;
- CK_C_DigestInit C_DigestInit;
- CK_C_Digest C_Digest;
- CK_C_DigestUpdate C_DigestUpdate;
- CK_C_DigestKey C_DigestKey;
- CK_C_DigestFinal C_DigestFinal;
- CK_C_SignInit C_SignInit;
- CK_C_Sign C_Sign;
- CK_C_SignUpdate C_SignUpdate;
- CK_C_SignFinal C_SignFinal;
- CK_C_SignRecoverInit C_SignRecoverInit;
- CK_C_SignRecover C_SignRecover;
- CK_C_VerifyInit C_VerifyInit;
- CK_C_Verify C_Verify;
- CK_C_VerifyUpdate C_VerifyUpdate;
- CK_C_VerifyFinal C_VerifyFinal;
- CK_C_VerifyRecoverInit C_VerifyRecoverInit;
- CK_C_VerifyRecover C_VerifyRecover;
- CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
- CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
- CK_C_SignEncryptUpdate C_SignEncryptUpdate;
- CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
- CK_C_GenerateKey C_GenerateKey;
- CK_C_GenerateKeyPair C_GenerateKeyPair;
- CK_C_WrapKey C_WrapKey;
- CK_C_UnwrapKey C_UnwrapKey;
- CK_C_DeriveKey C_DeriveKey;
- CK_C_SeedRandom C_SeedRandom;
- CK_C_GenerateRandom C_GenerateRandom;
- CK_C_GetFunctionStatus C_GetFunctionStatus;
- CK_C_CancelFunction C_CancelFunction;
- CK_C_WaitForSlotEvent C_WaitForSlotEvent;
- };
-
-
- typedef ck_rv_t (*ck_createmutex_t) (void **mutex);
- typedef ck_rv_t (*ck_destroymutex_t) (void *mutex);
- typedef ck_rv_t (*ck_lockmutex_t) (void *mutex);
- typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex);
-
-
- struct ck_c_initialize_args
- {
- ck_createmutex_t create_mutex;
- ck_destroymutex_t destroy_mutex;
- ck_lockmutex_t lock_mutex;
- ck_unlockmutex_t unlock_mutex;
- ck_flags_t flags;
- void *reserved;
- };
-
-
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1 << 0)
-#define CKF_OS_LOCKING_OK (1 << 1)
-
-#define CKR_OK (0)
-#define CKR_CANCEL (1)
-#define CKR_HOST_MEMORY (2)
-#define CKR_SLOT_ID_INVALID (3)
-#define CKR_GENERAL_ERROR (5)
-#define CKR_FUNCTION_FAILED (6)
-#define CKR_ARGUMENTS_BAD (7)
-#define CKR_NO_EVENT (8)
-#define CKR_NEED_TO_CREATE_THREADS (9)
-#define CKR_CANT_LOCK (0xa)
-#define CKR_ATTRIBUTE_READ_ONLY (0x10)
-#define CKR_ATTRIBUTE_SENSITIVE (0x11)
-#define CKR_ATTRIBUTE_TYPE_INVALID (0x12)
-#define CKR_ATTRIBUTE_VALUE_INVALID (0x13)
-#define CKR_DATA_INVALID (0x20)
-#define CKR_DATA_LEN_RANGE (0x21)
-#define CKR_DEVICE_ERROR (0x30)
-#define CKR_DEVICE_MEMORY (0x31)
-#define CKR_DEVICE_REMOVED (0x32)
-#define CKR_ENCRYPTED_DATA_INVALID (0x40)
-#define CKR_ENCRYPTED_DATA_LEN_RANGE (0x41)
-#define CKR_FUNCTION_CANCELED (0x50)
-#define CKR_FUNCTION_NOT_PARALLEL (0x51)
-#define CKR_FUNCTION_NOT_SUPPORTED (0x54)
-#define CKR_KEY_HANDLE_INVALID (0x60)
-#define CKR_KEY_SIZE_RANGE (0x62)
-#define CKR_KEY_TYPE_INCONSISTENT (0x63)
-#define CKR_KEY_NOT_NEEDED (0x64)
-#define CKR_KEY_CHANGED (0x65)
-#define CKR_KEY_NEEDED (0x66)
-#define CKR_KEY_INDIGESTIBLE (0x67)
-#define CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
-#define CKR_KEY_NOT_WRAPPABLE (0x69)
-#define CKR_KEY_UNEXTRACTABLE (0x6a)
-#define CKR_MECHANISM_INVALID (0x70)
-#define CKR_MECHANISM_PARAM_INVALID (0x71)
-#define CKR_OBJECT_HANDLE_INVALID (0x82)
-#define CKR_OPERATION_ACTIVE (0x90)
-#define CKR_OPERATION_NOT_INITIALIZED (0x91)
-#define CKR_PIN_INCORRECT (0xa0)
-#define CKR_PIN_INVALID (0xa1)
-#define CKR_PIN_LEN_RANGE (0xa2)
-#define CKR_PIN_EXPIRED (0xa3)
-#define CKR_PIN_LOCKED (0xa4)
-#define CKR_SESSION_CLOSED (0xb0)
-#define CKR_SESSION_COUNT (0xb1)
-#define CKR_SESSION_HANDLE_INVALID (0xb3)
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED (0xb4)
-#define CKR_SESSION_READ_ONLY (0xb5)
-#define CKR_SESSION_EXISTS (0xb6)
-#define CKR_SESSION_READ_ONLY_EXISTS (0xb7)
-#define CKR_SESSION_READ_WRITE_SO_EXISTS (0xb8)
-#define CKR_SIGNATURE_INVALID (0xc0)
-#define CKR_SIGNATURE_LEN_RANGE (0xc1)
-#define CKR_TEMPLATE_INCOMPLETE (0xd0)
-#define CKR_TEMPLATE_INCONSISTENT (0xd1)
-#define CKR_TOKEN_NOT_PRESENT (0xe0)
-#define CKR_TOKEN_NOT_RECOGNIZED (0xe1)
-#define CKR_TOKEN_WRITE_PROTECTED (0xe2)
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID (0xf0)
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE (0xf1)
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2)
-#define CKR_USER_ALREADY_LOGGED_IN (0x100)
-#define CKR_USER_NOT_LOGGED_IN (0x101)
-#define CKR_USER_PIN_NOT_INITIALIZED (0x102)
-#define CKR_USER_TYPE_INVALID (0x103)
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN (0x104)
-#define CKR_USER_TOO_MANY_TYPES (0x105)
-#define CKR_WRAPPED_KEY_INVALID (0x110)
-#define CKR_WRAPPED_KEY_LEN_RANGE (0x112)
-#define CKR_WRAPPING_KEY_HANDLE_INVALID (0x113)
-#define CKR_WRAPPING_KEY_SIZE_RANGE (0x114)
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT (0x115)
-#define CKR_RANDOM_SEED_NOT_SUPPORTED (0x120)
-#define CKR_RANDOM_NO_RNG (0x121)
-#define CKR_DOMAIN_PARAMS_INVALID (0x130)
-#define CKR_BUFFER_TOO_SMALL (0x150)
-#define CKR_SAVED_STATE_INVALID (0x160)
-#define CKR_INFORMATION_SENSITIVE (0x170)
-#define CKR_STATE_UNSAVEABLE (0x180)
-#define CKR_CRYPTOKI_NOT_INITIALIZED (0x190)
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191)
-#define CKR_MUTEX_BAD (0x1a0)
-#define CKR_MUTEX_NOT_LOCKED (0x1a1)
-#define CKR_FUNCTION_REJECTED (0x200)
-#define CKR_VENDOR_DEFINED ((unsigned long) (1 << 31))
-
-
-
-/* Compatibility layer. */
-
-#ifdef CRYPTOKI_COMPAT
-
-#undef CK_DEFINE_FUNCTION
-#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
-
-/* For NULL. */
-#include <stddef.h>
-
- typedef unsigned char CK_BYTE;
- typedef unsigned char CK_CHAR;
- typedef unsigned char CK_UTF8CHAR;
- typedef unsigned char CK_BBOOL;
- typedef unsigned long int CK_ULONG;
- typedef long int CK_LONG;
- typedef CK_BYTE *CK_BYTE_PTR;
- typedef CK_CHAR *CK_CHAR_PTR;
- typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR;
- typedef CK_ULONG *CK_ULONG_PTR;
- typedef void *CK_VOID_PTR;
- typedef void **CK_VOID_PTR_PTR;
-#define CK_FALSE 0
-#define CK_TRUE 1
-#ifndef CK_DISABLE_TRUE_FALSE
-#ifndef FALSE
-#define FALSE 0
-#endif
-#ifndef TRUE
-#define TRUE 1
-#endif
-#endif
-
- typedef struct ck_version CK_VERSION;
- typedef struct ck_version *CK_VERSION_PTR;
-
- typedef struct ck_info CK_INFO;
- typedef struct ck_info *CK_INFO_PTR;
-
- typedef ck_slot_id_t *CK_SLOT_ID_PTR;
-
- typedef struct ck_slot_info CK_SLOT_INFO;
- typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
-
- typedef struct ck_token_info CK_TOKEN_INFO;
- typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
-
- typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
-
- typedef struct ck_session_info CK_SESSION_INFO;
- typedef struct ck_session_info *CK_SESSION_INFO_PTR;
-
- typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
-
- typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
-
- typedef struct ck_attribute CK_ATTRIBUTE;
- typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
-
- typedef struct ck_date CK_DATE;
- typedef struct ck_date *CK_DATE_PTR;
-
- typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
-
- typedef struct ck_mechanism CK_MECHANISM;
- typedef struct ck_mechanism *CK_MECHANISM_PTR;
-
- typedef struct ck_mechanism_info CK_MECHANISM_INFO;
- typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
-
- typedef struct ck_function_list CK_FUNCTION_LIST;
- typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
- typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
-
- typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
- typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
-
-#define NULL_PTR NULL
-
-/* Delete the helper macros defined at the top of the file. */
-#undef ck_flags_t
-#undef ck_version
-
-#undef ck_info
-#undef cryptoki_version
-#undef manufacturer_id
-#undef library_description
-#undef library_version
-
-#undef ck_notification_t
-#undef ck_slot_id_t
-
-#undef ck_slot_info
-#undef slot_description
-#undef hardware_version
-#undef firmware_version
-
-#undef ck_token_info
-#undef serial_number
-#undef max_session_count
-#undef session_count
-#undef max_rw_session_count
-#undef rw_session_count
-#undef max_pin_len
-#undef min_pin_len
-#undef total_public_memory
-#undef free_public_memory
-#undef total_private_memory
-#undef free_private_memory
-#undef utc_time
-
-#undef ck_session_handle_t
-#undef ck_user_type_t
-#undef ck_state_t
-
-#undef ck_session_info
-#undef slot_id
-#undef device_error
-
-#undef ck_object_handle_t
-#undef ck_object_class_t
-#undef ck_hw_feature_type_t
-#undef ck_key_type_t
-#undef ck_certificate_type_t
-#undef ck_attribute_type_t
-
-#undef ck_attribute
-#undef value
-#undef value_len
-
-#undef ck_date
-
-#undef ck_mechanism_type_t
-
-#undef ck_mechanism
-#undef parameter
-#undef parameter_len
-
-#undef ck_mechanism_info
-#undef min_key_size
-#undef max_key_size
-
-#undef ck_rv_t
-#undef ck_notify_t
-
-#undef ck_function_list
-
-#undef ck_createmutex_t
-#undef ck_destroymutex_t
-#undef ck_lockmutex_t
-#undef ck_unlockmutex_t
-
-#undef ck_c_initialize_args
-#undef create_mutex
-#undef destroy_mutex
-#undef lock_mutex
-#undef unlock_mutex
-#undef reserved
-
-#endif /* CRYPTOKI_COMPAT */
-
-
-/* System dependencies. */
-#if defined _WIN32 || defined CRYPTOKI_FORCE_WIN32
-#pragma pack(pop, cryptoki)
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* PKCS11_H */
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index ada3c5c522..d3c3d63c34 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -32,25 +32,26 @@
#include <gnutls_errors.h>
#include <gnutls_datum.h>
#include <pkcs11_int.h>
+#include <p11-kit/p11-kit.h>
+#include <errno.h>
#define MAX_PROVIDERS 16
-static void terminate_string (unsigned char *str, size_t len);
-
/* XXX: try to eliminate this */
#define MAX_CERT_SIZE 8*1024
struct gnutls_pkcs11_provider_s
{
- pakchois_module_t *module;
+ struct ck_function_list *module;
unsigned long nslots;
ck_slot_id_t *slots;
struct ck_info info;
+ int initialized;
};
struct flags_find_data_st
{
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
unsigned int slot_flags;
};
@@ -65,12 +66,13 @@ struct crt_find_data_st
unsigned int *n_list;
unsigned int current;
gnutls_pkcs11_obj_attr_t flags;
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
};
static struct gnutls_pkcs11_provider_s providers[MAX_PROVIDERS];
static int active_providers = 0;
+static int initialized_registered = 0;
static gnutls_pkcs11_pin_callback_t pin_func;
static void *pin_data;
@@ -171,26 +173,13 @@ pkcs11_rescan_slots (void)
{
unsigned long slots;
- pakchois_get_slot_list (providers[active_providers - 1].module, 0,
+ pkcs11_get_slot_list (providers[active_providers - 1].module, 0,
NULL, &slots);
}
-/**
- * gnutls_pkcs11_add_provider:
- * @name: The filename of the module
- * @params: should be NULL
- *
- * This function will load and add a PKCS 11 module to the module
- * list used in gnutls. After this function is called the module will
- * be used for PKCS 11 operations.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- * negative error value.
- **/
-int
-gnutls_pkcs11_add_provider (const char *name, const char *params)
+static int
+pkcs11_add_module (const char *name, struct ck_function_list *module)
{
-
if (active_providers >= MAX_PROVIDERS)
{
gnutls_assert ();
@@ -198,17 +187,10 @@ gnutls_pkcs11_add_provider (const char *name, const char *params)
}
active_providers++;
- if (pakchois_module_load_abs
- (&providers[active_providers - 1].module, name) != CKR_OK)
- {
- gnutls_assert ();
- _gnutls_debug_log ("p11: Cannot load provider %s\n", name);
- active_providers--;
- return GNUTLS_E_PKCS11_LOAD_ERROR;
- }
+ providers[active_providers - 1].module = module;
/* cache the number of slots in this module */
- if (pakchois_get_slot_list
+ if (pkcs11_get_slot_list
(providers[active_providers - 1].module, 0, NULL,
&providers[active_providers - 1].nslots) != CKR_OK)
{
@@ -225,7 +207,7 @@ gnutls_pkcs11_add_provider (const char *name, const char *params)
goto fail;
}
- if (pakchois_get_slot_list
+ if (pkcs11_get_slot_list
(providers[active_providers - 1].module, 0,
providers[active_providers - 1].slots,
&providers[active_providers - 1].nslots) != CKR_OK)
@@ -237,15 +219,8 @@ gnutls_pkcs11_add_provider (const char *name, const char *params)
memset (&providers[active_providers - 1].info, 0,
sizeof (providers[active_providers - 1].info));
- pakchois_get_info (providers[active_providers - 1].module,
- &providers[active_providers - 1].info);
-
- terminate_string (providers[active_providers - 1].info.manufacturer_id,
- sizeof (providers[active_providers - 1].
- info.manufacturer_id));
- terminate_string (providers[active_providers - 1].info.library_description,
- sizeof (providers[active_providers - 1].
- info.library_description));
+ pkcs11_get_module_info (providers[active_providers - 1].module,
+ &providers[active_providers - 1].info);
_gnutls_debug_log ("p11: loaded provider '%s' with %d slots\n",
name, (int) providers[active_providers - 1].nslots);
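Review bot: The return value of `pkcs11_get_module_info` is discarded here, although both `pkcs11_get_slot_list` calls in the same function are checked against `CKR_OK`. With the `terminate_string` calls removed, nothing in this function NUL-terminates `info.manufacturer_id` or `info.library_description` any more. If the wrapper does not do that itself, a later reader that treats these fixed-width fields as C strings would run past the array. I would add a comment next to the call, `/* info strings are fixed-width and space padded, not NUL-terminated; read them with a bounded length */`, and take the `goto fail` path when the call does not return `CKR_OK`. The function body starts and ends outside this hunk.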
@@ -253,10 +228,51 @@ gnutls_pkcs11_add_provider (const char *name, const char *params)
return 0;
fail:
- pakchois_module_destroy (providers[active_providers - 1].module);
active_providers--;
return GNUTLS_E_PKCS11_LOAD_ERROR;
+}
+
+
+/**
+ * gnutls_pkcs11_add_provider:
+ * @name: The filename of the module
+ * @params: should be NULL
+ *
+ * This function will load and add a PKCS 11 module to the module
+ * list used in gnutls. After this function is called the module will
+ * be used for PKCS 11 operations.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_pkcs11_add_provider (const char *name, const char *params)
+{
+ struct ck_function_list *module;
+ int ret;
+
+ active_providers++;
+ if (p11_kit_load_initialize_module (name, &module) != CKR_OK)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("p11: Cannot load provider %s\n", name);
+ active_providers--;
+ return GNUTLS_E_PKCS11_LOAD_ERROR;
+ }
+
+ ret = pkcs11_add_module (name, module);
+ if (ret == 0)
+ {
+ /* Mark this one as having been separately initialized */
+ providers[active_providers - 1].initialized = 1;
+ }
+ else
+ {
+ p11_kit_finalize_module (module);
+ gnutls_assert ();
+ }
+ return ret;
}
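Review bot: `gnutls_pkcs11_add_provider` increments `active_providers` before loading the module, and `pkcs11_add_module` increments it again. Each successful call therefore consumes two entries of `providers[]` and leaves the lower one without a module pointer set by this code. The failure paths do not balance either: `pkcs11_add_module` undoes only its own increment, its early return at the `MAX_PROVIDERS` check undoes nothing, and the `else` branch here finalizes the module without decrementing. Any loop over `active_providers` that calls through `providers[i].module` would then reach an entry that was never filled in. Removing the `active_providers++;` and `active_providers--;` lines from `gnutls_pkcs11_add_provider` leaves the bookkeeping to `pkcs11_add_module`, which already indexes `providers[active_providers - 1]` consistently.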
@@ -279,99 +295,240 @@ gnutls_pkcs11_obj_get_info (gnutls_pkcs11_obj_t crt,
gnutls_pkcs11_obj_info_t itype,
void *output, size_t * output_size)
{
- return pkcs11_get_info (&crt->info, itype, output, output_size);
+ return pkcs11_get_info (crt->info, itype, output, output_size);
}
int
-pkcs11_get_info (struct pkcs11_url_info *info,
+pkcs11_get_info (struct p11_kit_uri *info,
gnutls_pkcs11_obj_info_t itype, void *output,
size_t * output_size)
{
+ struct ck_attribute *attr = NULL;
+ struct ck_version *version = NULL;
const char *str = NULL;
- size_t len;
+ size_t str_max = 0;
+ int terminate = 0;
+ int hexify = 0;
+ size_t length;
+ const char *data;
+ char buf[32];
+
+ /*
+ * Either attr, str or version is valid by the time switch
+ * finishes
+ */
switch (itype)
{
case GNUTLS_PKCS11_OBJ_ID:
- if (*output_size < info->certid_raw_size)
- {
- *output_size = info->certid_raw_size;
- return GNUTLS_E_SHORT_MEMORY_BUFFER;
- }
- if (output)
- memcpy (output, info->certid_raw, info->certid_raw_size);
- *output_size = info->certid_raw_size;
-
- return 0;
+ attr = p11_kit_uri_get_attribute (info, CKA_ID);
+ break;
case GNUTLS_PKCS11_OBJ_ID_HEX:
- str = info->id;
+ attr = p11_kit_uri_get_attribute (info, CKA_ID);
+ hexify = 1;
+ terminate = 1;
break;
case GNUTLS_PKCS11_OBJ_LABEL:
- str = info->label;
+ attr = p11_kit_uri_get_attribute (info, CKA_LABEL);
+ terminate = 1;
break;
case GNUTLS_PKCS11_OBJ_TOKEN_LABEL:
- str = info->token;
+ str = p11_kit_uri_get_token_info (info)->label;
+ str_max = 32;
break;
case GNUTLS_PKCS11_OBJ_TOKEN_SERIAL:
- str = info->serial;
+ str = p11_kit_uri_get_token_info (info)->serial_number;
+ str_max = 16;
break;
case GNUTLS_PKCS11_OBJ_TOKEN_MANUFACTURER:
- str = info->manufacturer;
+ str = p11_kit_uri_get_token_info (info)->manufacturer_id;
+ str_max = 32;
break;
case GNUTLS_PKCS11_OBJ_TOKEN_MODEL:
- str = info->model;
+ str = p11_kit_uri_get_token_info (info)->model;
+ str_max = 16;
break;
case GNUTLS_PKCS11_OBJ_LIBRARY_DESCRIPTION:
- str = info->lib_desc;
+ str = p11_kit_uri_get_module_info (info)->library_description;
+ str_max = 32;
break;
case GNUTLS_PKCS11_OBJ_LIBRARY_VERSION:
- str = info->lib_version;
+ version = &p11_kit_uri_get_module_info (info)->library_version;
break;
case GNUTLS_PKCS11_OBJ_LIBRARY_MANUFACTURER:
- str = info->lib_manufacturer;
+ str = p11_kit_uri_get_module_info (info)->manufacturer_id;
+ str_max = 32;
break;
default:
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
- len = strlen (str);
+ if (attr != NULL)
+ {
+ data = attr->value;
+ length = attr->value_len;
+ }
+ else if (str != NULL)
+ {
+ data = str;
+ length = p11_kit_space_strlen (str, str_max);
+ terminate = 1;
+ }
+ else if (version != NULL)
+ {
+ data = buf;
+ length = snprintf (buf, sizeof (buf), "%d.%d", (int)version->major,
+ (int)version->minor);
+ terminate = 1;
+ }
+ else
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); /* data and len are uninitialized */
- if (len + 1 > *output_size)
+ if (hexify)
{
- *output_size = len + 1;
- return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ /* terminate is assumed with hexify */
+ if (*output_size < length * 3)
+ {
+ *output_size = length * 3;
+ return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ }
+ if (output)
+ _gnutls_bin2hex (data, length, output, *output_size, ":");
+ *output_size = length * 3;
+ return 0;
+ }
+ else
+ {
+ if (*output_size < length + terminate)
+ {
+ *output_size = length + terminate;
+ return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ }
+ if (output)
+ {
+ memcpy (output, data, length);
+ if (terminate)
+ ((unsigned char*)output)[length] = '\0';
+ }
+ *output_size = length + terminate;
}
- strcpy (output, str);
+ return 0;
+}
- *output_size = len;
+static int init = 0;
+
+static int
+initialize_automatic_p11_kit (void)
+{
+ struct ck_function_list **modules;
+ const char *name;
+ ck_rv_t rv;
+ int i, ret;
+
+ rv = p11_kit_initialize_registered ();
+ if (rv != CKR_OK)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("Cannot initialize registered module: %s\n",
+ p11_kit_strerror (rv));
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+ initialized_registered = 1;
+
+ modules = p11_kit_registered_modules ();
+ for (i = 0; modules[i] != NULL; i++)
+ {
+ name = p11_kit_registered_module_to_name (modules[i]);
+ ret = pkcs11_add_module (name, modules[i]);
+ if (ret != 0)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("Cannot add registered module: %s\n", name);
+ }
+ }
+
+ free (modules);
return 0;
}
-static int init = 0;
+static int
+initialize_automatic_legacy (const char *configfile)
+{
+ FILE *fp;
+ char line[512];
+ const char *library;
+ int ret;
+
+ if (configfile == NULL)
+ configfile = "/etc/gnutls/pkcs11.conf";
+
+ fp = fopen (configfile, "r");
+ if (fp == NULL)
+ {
+ if (errno == ENOENT)
+ return 0;
+ gnutls_assert ();
+ _gnutls_debug_log ("Cannot load %s\n", configfile);
+ return GNUTLS_E_FILE_ERROR;
+ }
+
+ while (fgets (line, sizeof (line), fp) != NULL)
+ {
+ if (strncmp (line, "load", sizeof ("load") - 1) == 0)
+ {
+ char *p;
+ p = strchr (line, '=');
+ if (p == NULL)
+ continue;
+ library = ++p;
+
+ p = strchr (line, '\n');
+ if (p != NULL)
+ {
+ *p = 0;
+ }
+
+ ret = gnutls_pkcs11_add_provider (library, NULL);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ _gnutls_debug_log ("Cannot load provider: %s\n", library);
+ continue;
+ }
+ }
+ }
+
+ fclose(fp);
+ return 0;
+}
/**
* gnutls_pkcs11_init:
* @flags: %GNUTLS_PKCS11_FLAG_MANUAL or %GNUTLS_PKCS11_FLAG_AUTO
- * @configfile: either NULL or the location of a configuration file
+ * @deprecated_config_file: either NULL or the location of a deprecated
+ * configuration file
*
* This function will initialize the PKCS 11 subsystem in gnutls. It will
- * read a configuration file if %GNUTLS_PKCS11_FLAG_AUTO is used or allow
+ * read configuration files if %GNUTLS_PKCS11_FLAG_AUTO is used or allow
* you to independently load PKCS 11 modules using gnutls_pkcs11_add_provider()
* if %GNUTLS_PKCS11_FLAG_MANUAL is specified.
*
+ * Using a custom configfile is deprecated and will not be supported in future
+ * versions of gnutls.
+ *
* Normally you don't need to call this function since it is being called
- * by gnutls_global_init() using the %GNUTLS_PKCS11_FLAG_AUTO. If other option
- * is required then it must be called before it.
+ * by gnutls_global_init() using the %GNUTLS_PKCS11_FLAG_AUTO. If you need to
+ * call this function, you must call it before gnutls_global_init().
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
int
-gnutls_pkcs11_init (unsigned int flags, const char *configfile)
+gnutls_pkcs11_init (unsigned int flags, const char *deprecated_config_file)
{
int ret;
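Review bot: In `initialize_automatic_p11_kit` the array returned by `p11_kit_registered_modules ()` is dereferenced as `modules[i]` without a NULL check, and the call can return NULL when its allocation fails. The string from `p11_kit_registered_module_to_name` is also never released. p11-kit documents that name as newly allocated and possibly NULL, so each loop iteration leaks it and a NULL may reach the `%s` in `_gnutls_debug_log`. I would add `if (modules == NULL) return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);` after the call, declare `name` as `char *`, and end the loop body with `free (name);`.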
@@ -383,54 +540,19 @@ gnutls_pkcs11_init (unsigned int flags, const char *configfile)
init++;
if (flags == GNUTLS_PKCS11_FLAG_MANUAL)
- return 0;
+ {
+ ret = 0;
+ }
else
{
- FILE *fp;
- char line[512];
- const char *library;
-
- if (configfile == NULL)
- configfile = "/etc/gnutls/pkcs11.conf";
-
- fp = fopen (configfile, "r");
- if (fp == NULL)
- {
- gnutls_assert ();
- _gnutls_debug_log ("Cannot load %s\n", configfile);
- return GNUTLS_E_FILE_ERROR;
- }
-
- while (fgets (line, sizeof (line), fp) != NULL)
- {
- if (strncmp (line, "load", sizeof ("load") - 1) == 0)
- {
- char *p;
- p = strchr (line, '=');
- if (p == NULL)
- continue;
-
- library = ++p;
+ if (deprecated_config_file == NULL)
+ ret = initialize_automatic_p11_kit ();
- p = strchr (line, '\n');
- if (p != NULL)
- {
- *p = 0;
- }
-
- ret = gnutls_pkcs11_add_provider (library, NULL);
- if (ret < 0)
- {
- gnutls_assert ();
- _gnutls_debug_log ("Cannot load provider: %s\n", library);
- continue;
- }
- }
- }
- fclose(fp);
+ if (ret == 0)
+ ret = initialize_automatic_legacy (deprecated_config_file);
}
- return 0;
+ return ret;
}
/**
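Review bot: `ret` is read uninitialized when `deprecated_config_file` is not NULL. The only assignment before `if (ret == 0)` sits under `if (deprecated_config_file == NULL)`, so with a custom config file the legacy loader runs or is skipped depending on an indeterminate value, and the same value can be returned to the caller. Adding `else ret = 0;` after the `initialize_automatic_p11_kit ()` call keeps the intended order and makes the custom-file path well defined. The declaration of `ret` and the start of `gnutls_pkcs11_init` lie outside this hunk.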
@@ -455,10 +577,14 @@ gnutls_pkcs11_deinit (void)
for (i = 0; i < active_providers; i++)
{
- pakchois_module_destroy (providers[i].module);
+ if (providers[i].initialized)
+ p11_kit_finalize_module (providers[i].module);
}
active_providers = 0;
- pakchois_destructor();
+
+ if (initialized_registered != 0)
+ p11_kit_finalize_registered ();
+ initialized_registered = 0;
}
/**
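Review bot: The `initialized` flag that this loop tests is never cleared. `providers[]` is static, `gnutls_pkcs11_add_provider` sets the flag to 1, and the visible `pkcs11_add_module` only assigns `.module` and the slot and info fields. After a deinit followed by another init, a slot reused for a registered module can therefore still carry `initialized == 1`. That module would then be passed to `p11_kit_finalize_module` here as well as being covered by `p11_kit_finalize_registered ()`. Resetting it in the loop with `providers[i].initialized = 0;`, or setting it to 0 in `pkcs11_add_module`, avoids the stale state. The start of `gnutls_pkcs11_deinit` is outside this hunk.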
@@ -516,398 +642,68 @@ gnutls_pkcs11_set_token_function (gnutls_pkcs11_token_callback_t fn,
token_data = userdata;
}
-static int
-unescape_string (char *output, const char *input, size_t * size,
- char terminator)
-{
- gnutls_buffer_st str;
- int ret = 0;
- char *p;
- int len;
-
- _gnutls_buffer_init (&str);
-
- /* find terminator */
- p = strchr (input, terminator);
- if (p != NULL)
- len = p - input;
- else
- len = strlen (input);
-
- ret = _gnutls_buffer_append_data (&str, input, len);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret = _gnutls_buffer_unescape (&str);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret = _gnutls_buffer_append_data (&str, "", 1);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- _gnutls_buffer_pop_data (&str, output, size);
-
- _gnutls_buffer_clear (&str);
-
- return ret;
-}
-
int
-pkcs11_url_to_info (const char *url, struct pkcs11_url_info *info)
+pkcs11_url_to_info (const char *url, struct p11_kit_uri **info)
{
+ int allocated = 0;
int ret;
- char *p1, *p2;
- size_t l;
-
- memset (info, 0, sizeof (*info));
-
- if (strstr (url, "pkcs11:") == NULL)
- {
- ret = GNUTLS_E_PARSING_ERROR;
- goto cleanup;
- }
-
- if ((p1 = strstr (url, "library-manufacturer=")) != NULL)
- {
- p1 += sizeof ("library-manufacturer=") - 1;
- l = sizeof (info->lib_manufacturer);
-
- ret = unescape_string (info->lib_manufacturer, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "library-description=")) != NULL)
- {
- p1 += sizeof ("library-description=") - 1;
- l = sizeof (info->lib_desc);
-
- ret = unescape_string (info->lib_desc, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "library-version=")) != NULL)
- {
- p1 += sizeof ("library-version=") - 1;
- l = sizeof (info->lib_version);
-
- ret = unescape_string (info->lib_version, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, ";manufacturer=")) != NULL ||
- (p1 = strstr (url, ":manufacturer=")) != NULL)
- {
-
- p1 += sizeof (";manufacturer=") - 1;
- l = sizeof (info->manufacturer);
- ret = unescape_string (info->manufacturer, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "token=")) != NULL)
- {
- p1 += sizeof ("token=") - 1;
- l = sizeof (info->token);
-
- ret = unescape_string (info->token, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "object=")) != NULL)
- {
- p1 += sizeof ("object=") - 1;
- l = sizeof (info->label);
-
- ret = unescape_string (info->label, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "serial=")) != NULL)
+ if (*info == NULL)
{
- p1 += sizeof ("serial=") - 1;
- l = sizeof (info->serial);
-
- ret = unescape_string (info->serial, p1, &l, ';');
- if (ret < 0)
+ *info = p11_kit_uri_new ();
+ if (*info == NULL)
{
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "model=")) != NULL)
- {
- p1 += sizeof ("model=") - 1;
- l = sizeof (info->model);
-
- ret = unescape_string (info->model, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
- }
- }
-
- if ((p1 = strstr (url, "objecttype=")) != NULL)
- {
- p1 += sizeof ("objecttype=") - 1;
- l = sizeof (info->type);
-
- ret = unescape_string (info->type, p1, &l, ';');
- if (ret < 0)
- {
- goto cleanup;
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
}
+ allocated = 1;
}
- if (((p1 = strstr (url, ";id=")) != NULL)
- || ((p1 = strstr (url, ":id=")) != NULL))
+ ret = p11_kit_uri_parse (url, P11_KIT_URI_FOR_ANY, *info);
+ if (ret < 0)
{
- p1 += sizeof (";id=") - 1;
- l = sizeof (info->certid_raw);
-
- ret = unescape_string (info->certid_raw, p1, &l, ';');
- if (ret < 0)
+ if (allocated)
{
- goto cleanup;
+ p11_kit_uri_free (*info);
+ *info = NULL;
}
- /* not null terminated */
- info->certid_raw_size = l-1;
-
- p2 = _gnutls_bin2hex(info->certid_raw, info->certid_raw_size,
- info->id, sizeof(info->id), ":");
- if (p2 == NULL)
- {
- ret = GNUTLS_E_PARSING_ERROR;
- goto cleanup;
- }
- }
-
- ret = 0;
-
-cleanup:
-
- return ret;
-
-}
-
-#define INVALID_CHARS "\\/\"'%&#@!?$* <>{}[]()`|:;,.+-"
-
-/* Appends @tname to @dest under the name @p11name.
- * init indicates whether it is the initial addition to buffer.
- */
-static int
-append (gnutls_buffer_st * dest, const void *tname, int tname_size,
- const char *p11name, int all, int init)
-{
- gnutls_buffer_st tmpstr;
- int ret;
-
- _gnutls_buffer_init (&tmpstr);
- if ((ret = _gnutls_buffer_append_data (&tmpstr, tname, tname_size)) < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- ret = _gnutls_buffer_escape (&tmpstr, all, INVALID_CHARS);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- if ((ret = _gnutls_buffer_append_data (&tmpstr, "", 1)) < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
-
- if ((ret =
- _gnutls_buffer_append_printf (dest, "%s%s=%s",
- (init != 0) ? ";" : "", p11name,
- tmpstr.data)) < 0)
- {
gnutls_assert ();
- goto cleanup;
+ return ret == P11_KIT_URI_NO_MEMORY ?
+ GNUTLS_E_MEMORY_ERROR : GNUTLS_E_PARSING_ERROR;
}
- ret = 0;
-
-cleanup:
- _gnutls_buffer_clear (&tmpstr);
-
- return ret;
-
+ return 0;
}
-
int
-pkcs11_info_to_url (const struct pkcs11_url_info *info,
+pkcs11_info_to_url (struct p11_kit_uri *info,
gnutls_pkcs11_url_type_t detailed, char **url)
{
- gnutls_buffer_st str;
- int init = 0;
+ p11_kit_uri_type_t type = 0;
int ret;
- _gnutls_buffer_init (&str);
-
- _gnutls_buffer_append_str (&str, "pkcs11:");
-
- if (info->token[0])
- {
- ret = append (&str, info->token, strlen(info->token), "token", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (info->serial[0])
- {
- ret = append (&str, info->serial, strlen(info->serial), "serial", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (info->model[0])
- {
- ret = append (&str, info->model, strlen(info->model), "model", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
-
- if (info->manufacturer[0])
- {
- ret = append (&str, info->manufacturer, strlen(info->manufacturer), "manufacturer", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (info->label[0])
- {
- ret = append (&str, info->label, strlen(info->label), "object", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (info->type[0])
+ switch (detailed)
{
- ret = append (&str, info->type, strlen(info->type), "objecttype", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (detailed > GNUTLS_PKCS11_URL_GENERIC)
- {
- if (info->lib_manufacturer[0])
- {
- ret =
- append (&str, info->lib_manufacturer, strlen(info->lib_manufacturer), "library-manufacturer",
- 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
-
- if (info->lib_desc[0])
- {
- ret = append (&str, info->lib_desc, strlen(info->lib_desc), "library-description", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
- }
-
- if (detailed > GNUTLS_PKCS11_URL_LIB)
- {
- if (info->lib_version[0])
- {
- ret = append (&str, info->lib_version, strlen(info->lib_version), "library-version", 0, init);
- if (ret < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- init = 1;
- }
+ case GNUTLS_PKCS11_URL_GENERIC:
+ type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN;
+ break;
+ case GNUTLS_PKCS11_URL_LIB:
+ type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE;
+ break;
+ case GNUTLS_PKCS11_URL_LIB_VERSION:
+ type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE | P11_KIT_URI_FOR_MODULE_WITH_VERSION;
+ break;
}
- if (info->certid_raw_size > 0)
+ ret = p11_kit_uri_format (info, type, url);
+ if (ret < 0)
{
- ret = append (&str, info->certid_raw, info->certid_raw_size, "id", 1, init);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ gnutls_assert ();
+ return ret == P11_KIT_URI_NO_MEMORY ?
+ GNUTLS_E_MEMORY_ERROR : GNUTLS_E_INTERNAL_ERROR;
}
- _gnutls_buffer_append_data (&str, "", 1);
-
- *url = str.data;
-
return 0;
-
-cleanup:
- _gnutls_buffer_clear (&str);
- return ret;
}
/**
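Review bot: `pkcs11_url_to_info` now takes an in/out `struct p11_kit_uri **`, and its ownership contract is not documented anywhere in the hunk. The function reads `*info` before doing anything else, so a caller that passes an uninitialized pointer gets it handed straight to `p11_kit_uri_parse`. A header comment would make this explicit: `/* *info must be NULL (a URI is allocated here) or a caller-owned URI; on failure a URI allocated here is freed and *info reset to NULL. */`. It may also be worth noting that a caller-supplied URI is left as the parser left it when parsing fails, which is presumably partially updated.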
@@ -929,6 +725,14 @@ gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * obj)
return GNUTLS_E_MEMORY_ERROR;
}
+ (*obj)->info = p11_kit_uri_new ();
+ if ((*obj)->info == NULL)
+ {
+ free (*obj);
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
return 0;
}
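Review bot: When `p11_kit_uri_new ()` fails, the object is released with `free (*obj)` but `*obj` keeps pointing at the freed memory. A caller that cleans up unconditionally with `gnutls_pkcs11_obj_deinit` after a failed init would then dereference and free it again. Adding `*obj = NULL;` right after the `free (*obj);` line makes the failure state unambiguous. The allocation of `*obj` is outside this hunk.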
@@ -942,6 +746,7 @@ void
gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t obj)
{
_gnutls_free_datum (&obj->raw);
+ p11_kit_uri_free (obj->info);
free (obj);
}
@@ -988,64 +793,30 @@ gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t obj,
return 0;
}
-static void
-terminate_string (unsigned char *str, size_t len)
-{
- unsigned char *ptr = str + len - 1;
-
- while ((*ptr == ' ' || *ptr == '\t' || *ptr == '\0') && ptr >= str)
- ptr--;
-
- if (ptr == str - 1)
- str[0] = '\0';
- else if (ptr == str + len - 1)
- str[len - 1] = '\0';
- else
- ptr[1] = '\0';
-}
-
int
-pkcs11_find_object (pakchois_session_t ** _pks,
+pkcs11_find_object (struct ck_function_list ** _module,
+ ck_session_handle_t * _pks,
ck_object_handle_t * _obj,
- struct pkcs11_url_info *info, unsigned int flags)
+ struct p11_kit_uri *info, unsigned int flags)
{
int ret;
- pakchois_session_t *pks;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
ck_object_handle_t obj;
- ck_object_class_t class;
- struct ck_attribute a[4];
- int a_vals = 0;
+ struct ck_attribute *attrs;
+ unsigned long attr_count;
unsigned long count;
ck_rv_t rv;
- class = pkcs11_strtype_to_class (info->type);
- if (class == -1)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- ret = pkcs11_open_session (&pks, info, flags & SESSION_LOGIN);
+ ret = pkcs11_open_session (&module, &pks, info, flags & SESSION_LOGIN);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
- a[a_vals].type = CKA_CLASS;
- a[a_vals].value = &class;
- a[a_vals].value_len = sizeof class;
- a_vals++;
-
- if (info->certid_raw_size > 0)
- {
- a[a_vals].type = CKA_ID;
- a[a_vals].value = info->certid_raw;
- a[a_vals].value_len = info->certid_raw_size;
- a_vals++;
- }
-
- rv = pakchois_find_objects_init (pks, a, a_vals);
+ attrs = p11_kit_uri_get_attributes (info, &attr_count);
+ rv = pkcs11_find_objects_init (module, pks, attrs, attr_count);
if (rv != CKR_OK)
{
gnutls_assert ();
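Review bot: Nothing in pkcs11_find_object checks that the URI carried any object attributes before `attrs`/`attr_count` are passed to `pkcs11_find_objects_init`. The removed code returned GNUTLS_E_INVALID_REQUEST when the URL type did not map to a class. With the new code a URL that names only a token produces an empty template, which in PKCS#11 matches every object, and the first handle returned is then accepted. Consider adding `if (attr_count == 0) { ret = gnutls_assert_val (GNUTLS_E_INVALID_REQUEST); goto fail; }` right after the `p11_kit_uri_get_attributes` call. The function body continues past this hunk, and the `fail:` label in the next hunk closes the session.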
@@ -1054,38 +825,26 @@ pkcs11_find_object (pakchois_session_t ** _pks,
goto fail;
}
- if (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ if (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
{
*_obj = obj;
*_pks = pks;
- pakchois_find_objects_final (pks);
+ *_module = module;
+ pkcs11_find_objects_final (module, pks);
return 0;
}
ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
fail:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
-static void
-fix_strings (struct token_info *info)
-{
- terminate_string (info->tinfo.manufacturer_id,
- sizeof info->tinfo.manufacturer_id);
- terminate_string (info->tinfo.label, sizeof info->tinfo.label);
- terminate_string (info->tinfo.model, sizeof info->tinfo.model);
- terminate_string (info->tinfo.serial_number,
- sizeof info->tinfo.serial_number);
- terminate_string (info->sinfo.slot_description,
- sizeof info->sinfo.slot_description);
-}
-
int
-pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot,
- struct pkcs11_url_info *info, struct token_info *_tinfo)
+pkcs11_find_slot (struct ck_function_list ** module, ck_slot_id_t * slot,
+ struct p11_kit_uri *info, struct token_info *_tinfo)
{
int x, z;
@@ -1095,7 +854,7 @@ pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot,
{
struct token_info tinfo;
- if (pakchois_get_token_info
+ if (pkcs11_get_token_info
(providers[x].module, providers[x].slots[z],
&tinfo.tinfo) != CKR_OK)
{
@@ -1104,18 +863,15 @@ pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot,
tinfo.sid = providers[x].slots[z];
tinfo.prov = &providers[x];
- if (pakchois_get_slot_info
+ if (pkcs11_get_slot_info
(providers[x].module, providers[x].slots[z],
&tinfo.sinfo) != CKR_OK)
{
continue;
}
- /* XXX make wrapper for token_info? */
- fix_strings (&tinfo);
-
- if (pkcs11_token_matches_info (info, &tinfo.tinfo,
- &providers[x].info) < 0)
+ if (!p11_kit_uri_match_token_info (info, &tinfo.tinfo) ||
+ !p11_kit_uri_match_module_info (info, &providers[x].info))
{
continue;
}
@@ -1136,13 +892,13 @@ pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot,
}
int
-pkcs11_open_session (pakchois_session_t ** _pks,
- struct pkcs11_url_info *info, unsigned int flags)
+pkcs11_open_session (struct ck_function_list ** _module, ck_session_handle_t * _pks,
+ struct p11_kit_uri *info, unsigned int flags)
{
ck_rv_t rv;
int ret;
- pakchois_session_t *pks = NULL;
- pakchois_module_t *module;
+ ck_session_handle_t pks = 0;
+ struct ck_function_list *module;
ck_slot_id_t slot;
struct token_info tinfo;
@@ -1153,8 +909,7 @@ pkcs11_open_session (pakchois_session_t ** _pks,
return ret;
}
- rv = pakchois_open_session (module,
- slot,
+ rv = (module)->C_OpenSession (slot,
((flags & SESSION_WRITE)
? CKF_RW_SESSION : 0) |
CKF_SERIAL_SESSION, NULL, NULL, &pks);
@@ -1166,17 +921,18 @@ pkcs11_open_session (pakchois_session_t ** _pks,
if (flags & SESSION_LOGIN)
{
- ret = pkcs11_login (pks, &tinfo, (flags & SESSION_SO) ? 1 : 0);
+ ret = pkcs11_login (module, pks, &tinfo, (flags & SESSION_SO) ? 1 : 0);
if (ret < 0)
{
gnutls_assert ();
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
}
/* ok found */
*_pks = pks;
+ *_module = module;
return 0;
}
@@ -1187,18 +943,19 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input,
{
ck_rv_t rv;
int found = 0, x, z, ret;
- pakchois_session_t *pks = NULL;
+ ck_session_handle_t pks = 0;
+ struct ck_function_list *module = NULL;
for (x = 0; x < active_providers; x++)
{
+ module = providers[x].module;
for (z = 0; z < providers[x].nslots; z++)
{
struct token_info info;
ret = GNUTLS_E_PKCS11_ERROR;
- if (pakchois_get_token_info
- (providers[x].module, providers[x].slots[z],
+ if (pkcs11_get_token_info (module, providers[x].slots[z],
&info.tinfo) != CKR_OK)
{
continue;
@@ -1206,21 +963,16 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input,
info.sid = providers[x].slots[z];
info.prov = &providers[x];
- if (pakchois_get_slot_info
- (providers[x].module, providers[x].slots[z],
+ if (pkcs11_get_slot_info (module, providers[x].slots[z],
&info.sinfo) != CKR_OK)
{
continue;
}
- /* XXX make wrapper for token_info? */
- fix_strings (&info);
-
- rv = pakchois_open_session (providers[x].module,
- providers[x].slots[z],
- ((flags & SESSION_WRITE)
- ? CKF_RW_SESSION : 0) |
- CKF_SERIAL_SESSION, NULL, NULL, &pks);
+ rv = (module)->C_OpenSession (providers[x].slots[z],
+ ((flags & SESSION_WRITE)
+ ? CKF_RW_SESSION : 0) |
+ CKF_SERIAL_SESSION, NULL, NULL, &pks);
if (rv != CKR_OK)
{
continue;
@@ -1228,7 +980,7 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input,
if (flags & SESSION_LOGIN)
{
- ret = pkcs11_login (pks, &info, (flags & SESSION_SO) ? 1 : 0);
+ ret = pkcs11_login (module, pks, &info, (flags & SESSION_SO) ? 1 : 0);
if (ret < 0)
{
gnutls_assert ();
@@ -1236,7 +988,7 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input,
}
}
- ret = find_func (pks, &info, &providers[x].info, input);
+ ret = find_func (module, pks, &info, &providers[x].info, input);
if (ret == 0)
{
@@ -1245,8 +997,8 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input,
}
else
{
- pakchois_close_session (pks);
- pks = NULL;
+ pkcs11_close_session (module, pks);
+ pks = 0;
}
}
}
@@ -1256,52 +1008,34 @@ finish:
if (found == 0)
{
- ret = find_func (pks, NULL, NULL, input);
+ if (module)
+ ret = find_func (module, pks, NULL, NULL, input);
+ else
+ ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
}
else
{
ret = 0;
}
- if (pks != NULL)
+ if (pks != 0 && module != NULL)
{
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
}
return ret;
}
-static const char *
-pkcs11_obj_type_to_str (gnutls_pkcs11_obj_type_t type)
-{
- switch (type)
- {
- case GNUTLS_PKCS11_OBJ_X509_CRT:
- return "cert";
- case GNUTLS_PKCS11_OBJ_PUBKEY:
- return "public";
- case GNUTLS_PKCS11_OBJ_PRIVKEY:
- return "private";
- case GNUTLS_PKCS11_OBJ_SECRET_KEY:
- return "secretkey";
- case GNUTLS_PKCS11_OBJ_DATA:
- return "data";
- case GNUTLS_PKCS11_OBJ_UNKNOWN:
- default:
- return "unknown";
- }
-}
-
/* imports a raw certificate from a token to a pkcs11_obj_t structure.
*/
static int
-pkcs11_obj_import (unsigned int class, gnutls_pkcs11_obj_t obj,
+pkcs11_obj_import (ck_object_class_t class, gnutls_pkcs11_obj_t obj,
const gnutls_datum_t * data,
const gnutls_datum_t * id,
const gnutls_datum_t * label,
struct ck_token_info *tinfo, struct ck_info *lib_info)
{
- char *s;
+ struct ck_attribute attr;
int ret;
switch (class)
@@ -1323,10 +1057,18 @@ pkcs11_obj_import (unsigned int class, gnutls_pkcs11_obj_t obj,
break;
default:
obj->type = GNUTLS_PKCS11_OBJ_UNKNOWN;
+ break;
}
- if (obj->type != GNUTLS_PKCS11_OBJ_UNKNOWN)
- strcpy (obj->info.type, pkcs11_obj_type_to_str (obj->type));
+ attr.type = CKA_CLASS;
+ attr.value = &class;
+ attr.value_len = sizeof (class);
+ ret = p11_kit_uri_set_attribute (obj->info, &attr);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
if (data && data->data)
{
@@ -1338,54 +1080,42 @@ pkcs11_obj_import (unsigned int class, gnutls_pkcs11_obj_t obj,
}
}
- terminate_string (tinfo->manufacturer_id, sizeof tinfo->manufacturer_id);
- terminate_string (tinfo->label, sizeof tinfo->label);
- terminate_string (tinfo->model, sizeof tinfo->model);
- terminate_string (tinfo->serial_number, sizeof tinfo->serial_number);
-
- /* write data */
- snprintf (obj->info.manufacturer, sizeof (obj->info.manufacturer),
- "%s", tinfo->manufacturer_id);
- snprintf (obj->info.token, sizeof (obj->info.token), "%s", tinfo->label);
- snprintf (obj->info.model, sizeof (obj->info.model), "%s", tinfo->model);
- snprintf (obj->info.serial, sizeof (obj->info.serial), "%s",
- tinfo->serial_number);
-
- snprintf (obj->info.lib_manufacturer, sizeof (obj->info.lib_manufacturer),
- "%s", lib_info->manufacturer_id);
- snprintf (obj->info.lib_desc, sizeof (obj->info.lib_desc), "%s",
- lib_info->library_description);
- snprintf (obj->info.lib_version, sizeof (obj->info.lib_version), "%u.%u",
- (unsigned int) lib_info->library_version.major,
- (unsigned int) lib_info->library_version.minor);
-
-
+ /* copy the token and library info into the uri */
+ memcpy (p11_kit_uri_get_token_info (obj->info), tinfo, sizeof (struct ck_token_info));
+ memcpy (p11_kit_uri_get_module_info (obj->info), lib_info, sizeof (struct ck_info));
if (label && label->data)
{
- memcpy (obj->info.label, label->data, label->size);
- obj->info.label[label->size] = 0;
+ attr.type = CKA_LABEL;
+ attr.value = label->data;
+ attr.value_len = label->size;
+ ret = p11_kit_uri_set_attribute (obj->info, &attr);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
}
if (id && id->data)
{
- s = _gnutls_bin2hex (id->data, id->size, obj->info.id,
- sizeof (obj->info.id), ":");
- if (s == NULL)
+ attr.type = CKA_ID;
+ attr.value = id->data;
+ attr.value_len = id->size;
+ ret = p11_kit_uri_set_attribute (obj->info, &attr);
+ if (ret < 0)
{
gnutls_assert ();
- return GNUTLS_E_PKCS11_ERROR;
+ return GNUTLS_E_MEMORY_ERROR;
}
-
- memmove (obj->info.certid_raw, id->data, id->size);
- obj->info.certid_raw_size = id->size;
}
return 0;
}
static int
-pkcs11_obj_import_pubkey (pakchois_session_t * pks,
+pkcs11_obj_import_pubkey (struct ck_function_list *module,
+ ck_session_handle_t pks,
ck_object_handle_t obj,
gnutls_pkcs11_obj_t crt,
const gnutls_datum_t * id,
@@ -1405,7 +1135,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &key_type;
a[0].value_len = sizeof (key_type);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
switch (key_type)
{
@@ -1417,7 +1147,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[1].value = tmp2;
a[1].value_len = sizeof (tmp2);
- if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
{
ret =
@@ -1452,7 +1182,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[1].value = tmp2;
a[1].value_len = sizeof (tmp2);
- if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
{
ret =
_gnutls_set_datum (&crt->pubkey[0],
@@ -1484,7 +1214,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[1].value = tmp2;
a[1].value_len = sizeof (tmp2);
- if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
{
ret =
_gnutls_set_datum (&crt->pubkey[2],
@@ -1523,7 +1253,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &tval;
a[0].value_len = sizeof (tval);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
if (tval != 0)
{
@@ -1535,7 +1265,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &tval;
a[0].value_len = sizeof (tval);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
if (tval != 0)
{
@@ -1549,7 +1279,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &tval;
a[0].value_len = sizeof (tval);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
if (tval != 0)
{
@@ -1563,7 +1293,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &tval;
a[0].value_len = sizeof (tval);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
if (tval != 0)
{
@@ -1575,7 +1305,7 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
a[0].value = &tval;
a[0].value_len = sizeof (tval);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
if (tval != 0)
{
@@ -1587,46 +1317,13 @@ pkcs11_obj_import_pubkey (pakchois_session_t * pks,
tinfo, lib_info);
}
-ck_object_class_t
-pkcs11_strtype_to_class (const char *type)
-{
- ck_object_class_t class;
-
- if (strcmp (type, "cert") == 0)
- {
- class = CKO_CERTIFICATE;
- }
- else if (strcmp (type, "public") == 0)
- {
- class = CKO_PUBLIC_KEY;
- }
- else if (strcmp (type, "private") == 0)
- {
- class = CKO_PRIVATE_KEY;
- }
- else if (strcmp (type, "secretkey") == 0)
- {
- class = CKO_SECRET_KEY;
- }
- else if (strcmp (type, "data") == 0)
- {
- class = CKO_DATA;
- }
- else
- {
- class = -1;
- }
-
- return class;
-}
-
-
static int
-find_obj_url (pakchois_session_t * pks, struct token_info *info,
- struct ck_info *lib_info, void *input)
+find_obj_url (struct ck_function_list *module, ck_session_handle_t pks,
+ struct token_info *info, struct ck_info *lib_info, void *input)
{
struct url_find_data_st *find_data = input;
struct ck_attribute a[4];
+ struct ck_attribute *attr;
ck_object_class_t class = -1;
ck_certificate_type_t type = -1;
ck_rv_t rv;
@@ -1644,24 +1341,18 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info,
/* do not bother reading the token if basic fields do not match
*/
- if (pkcs11_token_matches_info
- (&find_data->crt->info, &info->tinfo, lib_info) < 0)
+ if (!p11_kit_uri_match_token_info (find_data->crt->info, &info->tinfo) ||
+ !p11_kit_uri_match_module_info (find_data->crt->info, lib_info))
{
gnutls_assert ();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
- if (find_data->crt->info.type[0] != 0)
+ attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_ID);
+ if (attr == NULL)
{
- class = pkcs11_strtype_to_class (find_data->crt->info.type);
- if (class == CKO_CERTIFICATE)
- type = CKC_X_509;
-
- if (class == -1)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
}
/* search the token for the id */
@@ -1674,18 +1365,17 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info,
}
/* Find objects with given class and type */
-
- a[0].type = CKA_ID;
- a[0].value = find_data->crt->info.certid_raw;
- a[0].value_len = find_data->crt->info.certid_raw_size;
-
+ memcpy (a, attr, sizeof (struct ck_attribute));
a_vals = 1;
- if (class != -1)
+ attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_CLASS);
+ if (attr)
{
- a[a_vals].type = CKA_CLASS;
- a[a_vals].value = &class;
- a[a_vals].value_len = sizeof class;
+ if(attr->value && attr->value_len == sizeof (ck_object_class_t))
+ class = *((ck_object_class_t*)attr->value);
+ if (class == CKO_CERTIFICATE)
+ type = CKC_X_509;
+ memcpy (a + a_vals, attr, sizeof (struct ck_attribute));
a_vals++;
}
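Review bot: In find_obj_url, `class = *((ck_object_class_t*)attr->value);` reads the class through a cast of a buffer whose alignment the hunk gives no guarantee for. Copying it is safer: `memcpy (&class, attr->value, sizeof (class));`. Also, when `value_len` does not match, `class` stays -1 but the attribute is still copied into the search template by the `memcpy (a + a_vals, ...)` below. It would be cleaner to reject a malformed CKA_CLASS with GNUTLS_E_INVALID_REQUEST than to search with it. The function starts and ends outside this hunk.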
@@ -1697,7 +1387,7 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info,
a_vals++;
}
- rv = pakchois_find_objects_init (pks, a, a_vals);
+ rv = pkcs11_find_objects_init (module, pks, a, a_vals);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -1706,7 +1396,7 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info,
goto cleanup;
}
- while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
{
a[0].type = CKA_VALUE;
@@ -1716,18 +1406,20 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info,
a[1].value = label_tmp;
a[1].value_len = sizeof (label_tmp);
- if (pakchois_get_attribute_value (pks, obj, a, 2) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
{
- gnutls_datum_t id = { find_data->crt->info.certid_raw,
- find_data->crt->info.certid_raw_size
- };
+ gnutls_datum_t id;
gnutls_datum_t data = { a[0].value, a[0].value_len };
gnutls_datum_t label = { a[1].value, a[1].value_len };
+ attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_ID);
+ id.data = attr->value;
+ id.size = attr->value_len;
+
if (class == CKO_PUBLIC_KEY)
{
ret =
- pkcs11_obj_import_pubkey (pks, obj,
+ pkcs11_obj_import_pubkey (module, pks, obj,
find_data->crt,
&id, &label,
&info->tinfo, lib_info);
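Review bot: `id.data` now points at the CKA_ID value stored inside `find_data->crt->info`, and that same object is passed to pkcs11_obj_import_pubkey together with `&id`. pkcs11_obj_import, as changed earlier in this commit, calls `p11_kit_uri_set_attribute (obj->info, &attr)` with `attr.value = id->data`, so the value being set aliases the attribute being replaced. That is only safe if p11_kit_uri_set_attribute copies the new value before it releases the old one, which this diff does not show. Either copy the id into a local buffer before the import, or document the dependency with a comment such as `/* id aliases the CKA_ID value owned by crt->info; the import re-sets it from this pointer */`. The enclosing loop continues outside the hunk.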
@@ -1767,7 +1459,7 @@ find_obj_url (pakchois_session_t * pks, struct token_info *info,
cleanup:
gnutls_free (cert_data);
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
return ret;
}
@@ -1831,13 +1523,14 @@ gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t cert, const char *url,
struct token_num
{
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
unsigned int seq; /* which one we are looking for */
unsigned int current; /* which one are we now */
};
static int
-find_token_num (pakchois_session_t * pks,
+find_token_num (struct ck_function_list *module,
+ ck_session_handle_t pks,
struct token_info *tinfo,
struct ck_info *lib_info, void *input)
{
@@ -1851,18 +1544,8 @@ find_token_num (pakchois_session_t * pks,
if (find_data->current == find_data->seq)
{
- strcpy (find_data->info.manufacturer, tinfo->tinfo.manufacturer_id);
- strcpy (find_data->info.token, tinfo->tinfo.label);
- strcpy (find_data->info.model, tinfo->tinfo.model);
- strcpy (find_data->info.serial, tinfo->tinfo.serial_number);
-
- strcpy (find_data->info.lib_manufacturer, lib_info->manufacturer_id);
- strcpy (find_data->info.lib_desc, lib_info->library_description);
- snprintf (find_data->info.lib_version,
- sizeof (find_data->info.lib_version), "%u.%u",
- (unsigned int) lib_info->library_version.major,
- (unsigned int) lib_info->library_version.minor);
-
+ memcpy (p11_kit_uri_get_token_info (find_data->info), &tinfo->tinfo, sizeof (struct ck_token_info));
+ memcpy (p11_kit_uri_get_module_info (find_data->info), lib_info, sizeof (struct ck_info));
return 0;
}
@@ -1895,15 +1578,19 @@ gnutls_pkcs11_token_get_url (unsigned int seq,
memset (&tn, 0, sizeof (tn));
tn.seq = seq;
+ tn.info = p11_kit_uri_new ();
ret = _pkcs11_traverse_tokens (find_token_num, &tn, 0);
if (ret < 0)
{
+ p11_kit_uri_free (tn.info);
gnutls_assert ();
return ret;
}
- ret = pkcs11_info_to_url (&tn.info, detailed, url);
+ ret = pkcs11_info_to_url (tn.info, detailed, url);
+ p11_kit_uri_free (tn.info);
+
if (ret < 0)
{
gnutls_assert ();
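Review bot: The result of `tn.info = p11_kit_uri_new ();` is never checked in gnutls_pkcs11_token_get_url. If the allocation fails, find_token_num passes `p11_kit_uri_get_token_info (find_data->info)` straight to `memcpy` with a NULL URI. gnutls_pkcs11_obj_init in this same commit does check the allocation, so the handling is inconsistent. Add `if (tn.info == NULL) return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR);` before the traversal. The same unchecked pattern appears in pkcs11_login at `uinfo = p11_kit_uri_new ();`.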
@@ -1931,9 +1618,10 @@ gnutls_pkcs11_token_get_info (const char *url,
gnutls_pkcs11_token_info_t ttype,
void *output, size_t * output_size)
{
+ struct p11_kit_uri *info = NULL;
const char *str;
+ size_t str_max;
size_t len;
- struct pkcs11_url_info info;
int ret;
ret = pkcs11_url_to_info (url, &info);
@@ -1946,23 +1634,28 @@ gnutls_pkcs11_token_get_info (const char *url,
switch (ttype)
{
case GNUTLS_PKCS11_TOKEN_LABEL:
- str = info.token;
+ str = p11_kit_uri_get_token_info (info)->label;
+ str_max = 32;
break;
case GNUTLS_PKCS11_TOKEN_SERIAL:
- str = info.serial;
+ str = p11_kit_uri_get_token_info (info)->serial_number;
+ str_max = 16;
break;
case GNUTLS_PKCS11_TOKEN_MANUFACTURER:
- str = info.manufacturer;
+ str = p11_kit_uri_get_token_info (info)->manufacturer_id;
+ str_max = 32;
break;
case GNUTLS_PKCS11_TOKEN_MODEL:
- str = info.model;
+ str = p11_kit_uri_get_token_info (info)->model;
+ str_max = 16;
break;
default:
+ p11_kit_uri_free (info);
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
- len = strlen (str);
+ len = p11_kit_space_strlen (str, str_max);
if (len + 1 > *output_size)
{
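Review bot: The `str_max = 32;` and `str_max = 16;` assignments in gnutls_pkcs11_token_get_info hard-code the widths of the `ck_token_info` fields. pkcs11_login in this commit already uses `sizeof (info->tinfo.label)` for the same purpose. Fetching the struct once with `struct ck_token_info *tinfo = p11_kit_uri_get_token_info (info);` and then writing `str_max = sizeof (tinfo->label);` (likewise for the other three fields) keeps the bound tied to the declaration. The function body continues outside this hunk.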
@@ -1970,10 +1663,12 @@ gnutls_pkcs11_token_get_info (const char *url,
return GNUTLS_E_SHORT_MEMORY_BUFFER;
}
- strcpy (output, str);
+ memcpy (output, str, len);
+ ((char*)output)[len] = '\0';
*output_size = len;
+ p11_kit_uri_free (info);
return 0;
}
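Review bot: The `return GNUTLS_E_SHORT_MEMORY_BUFFER;` path in gnutls_pkcs11_token_get_info does not release `info`. The commit adds `p11_kit_uri_free (info);` on the success path and in the `default:` case, but nothing is added before this early return, so the URI allocated by pkcs11_url_to_info leaks each time the caller's buffer is too small. Add `p11_kit_uri_free (info);` immediately before that return. The lines just above the return lie between hunks and are not visible here.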
@@ -1994,7 +1689,7 @@ gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t obj,
{
int ret;
- ret = pkcs11_info_to_url (&obj->info, detailed, url);
+ ret = pkcs11_info_to_url (obj->info, detailed, url);
if (ret < 0)
{
gnutls_assert ();
@@ -2026,14 +1721,15 @@ struct pkey_list
};
int
-pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so)
+pkcs11_login (struct ck_function_list * module, ck_session_handle_t pks,
+ const struct token_info *info, int so)
{
int attempt = 0, ret;
ck_rv_t rv;
char *token_url;
int pin_len;
- struct pkcs11_url_info uinfo;
-
+ struct p11_kit_uri *uinfo;
+ char *label;
if (so == 0 && (info->tinfo.flags & CKF_LOGIN_REQUIRED) == 0)
{
@@ -2042,12 +1738,11 @@ pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so)
return 0;
}
- memset (&uinfo, 0, sizeof (uinfo));
- strcpy (uinfo.manufacturer, info->tinfo.manufacturer_id);
- strcpy (uinfo.token, info->tinfo.label);
- strcpy (uinfo.model, info->tinfo.model);
- strcpy (uinfo.serial, info->tinfo.serial_number);
- ret = pkcs11_info_to_url (&uinfo, 1, &token_url);
+ uinfo = p11_kit_uri_new ();
+ memcpy (p11_kit_uri_get_token_info (uinfo), &info->tinfo, sizeof (struct ck_token_info));
+ ret = pkcs11_info_to_url (uinfo, 1, &token_url);
+ p11_kit_uri_free (uinfo);
+
if (ret < 0)
{
gnutls_assert ();
@@ -2059,7 +1754,7 @@ pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so)
* required. */
if (info->tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
{
- rv = pakchois_login (pks, (so == 0) ? CKU_USER : CKU_SO, NULL, 0);
+ rv = (module)->C_Login (pks, (so == 0) ? CKU_USER : CKU_SO, NULL, 0);
if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN)
{
return 0;
@@ -2095,7 +1790,7 @@ pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so)
* status again, the flags might change. */
if (attempt)
{
- if (pakchois_get_token_info
+ if (pkcs11_get_token_info
(info->prov->module, info->sid, &tinfo) != CKR_OK)
{
gnutls_assert ();
@@ -2123,9 +1818,11 @@ pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so)
flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
}
+ label = p11_kit_space_strdup (info->tinfo.label, sizeof (info->tinfo.label));
ret = pin_func (pin_data, attempt++,
- (char *) token_url,
- (char *) info->tinfo.label, flags, pin, sizeof (pin));
+ (char *) token_url, label, flags, pin, sizeof (pin));
+ free (label);
+
if (ret < 0)
{
gnutls_assert ();
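Review bot: `label = p11_kit_space_strdup (...)` in pkcs11_login is passed to `pin_func` without a NULL check, so on allocation failure the application's PIN callback receives a NULL token label where it previously always got a pointer. Consider `if (label == NULL) { ret = gnutls_assert_val (GNUTLS_E_MEMORY_ERROR); goto cleanup; }` before the call. What `cleanup:` releases is outside this hunk and should be confirmed. The new pkcs11_call_token_func has the same unchecked `p11_kit_space_strdup` before it invokes `token_func`.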
@@ -2134,7 +1831,7 @@ pkcs11_login (pakchois_session_t * pks, const struct token_info *info, int so)
}
pin_len = strlen (pin);
- rv = pakchois_login (pks, (so == 0) ? CKU_USER : CKU_SO,
+ rv = (module)->C_Login (pks, (so == 0) ? CKU_USER : CKU_SO,
(unsigned char *) pin, pin_len);
/* Try to scrub the pin off the stack. Clever compilers will
@@ -2154,9 +1851,25 @@ cleanup:
return ret;
}
+int
+pkcs11_call_token_func (struct p11_kit_uri *info, const unsigned retry)
+{
+ struct ck_token_info *tinfo;
+ char *label;
+ int ret = 0;
+
+ tinfo = p11_kit_uri_get_token_info (info);
+ label = p11_kit_space_strdup (tinfo->label, sizeof (tinfo->label));
+ ret = (token_func) (token_data, label, retry);
+ free (label);
+
+ return ret;
+}
+
+
static int
-find_privkeys (pakchois_session_t * pks, struct token_info *info,
- struct pkey_list *list)
+find_privkeys (struct ck_function_list *module, ck_session_handle_t pks,
+ struct token_info *info, struct pkey_list *list)
{
struct ck_attribute a[3];
ck_object_class_t class;
@@ -2174,7 +1887,7 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info,
a[0].value = &class;
a[0].value_len = sizeof class;
- rv = pakchois_find_objects_init (pks, a, 1);
+ rv = pkcs11_find_objects_init (module, pks, a, 1);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -2182,12 +1895,12 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info,
}
list->key_ids_size = 0;
- while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
{
list->key_ids_size++;
}
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
if (list->key_ids_size == 0)
{
@@ -2208,7 +1921,7 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info,
a[0].value = &class;
a[0].value_len = sizeof class;
- rv = pakchois_find_objects_init (pks, a, 1);
+ rv = pkcs11_find_objects_init (module, pks, a, 1);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -2216,7 +1929,7 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info,
}
current = 0;
- while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
{
a[0].type = CKA_ID;
@@ -2225,7 +1938,7 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info,
_gnutls_buffer_init (&list->key_ids[current]);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
_gnutls_buffer_append_data (&list->key_ids[current],
a[0].value, a[0].value_len);
@@ -2236,7 +1949,7 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info,
break;
}
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
list->key_ids_size = current - 1;
@@ -2247,11 +1960,12 @@ find_privkeys (pakchois_session_t * pks, struct token_info *info,
static int
-find_objs (pakchois_session_t * pks, struct token_info *info,
- struct ck_info *lib_info, void *input)
+find_objs (struct ck_function_list * module, ck_session_handle_t pks,
+ struct token_info *info, struct ck_info *lib_info, void *input)
{
struct crt_find_data_st *find_data = input;
struct ck_attribute a[4];
+ struct ck_attribute *attr;
ck_object_class_t class = -1;
ck_certificate_type_t type = -1;
unsigned int trusted;
@@ -2279,34 +1993,18 @@ find_objs (pakchois_session_t * pks, struct token_info *info,
/* do not bother reading the token if basic fields do not match
*/
- if (pkcs11_token_matches_info (&find_data->info, &info->tinfo, lib_info) <
- 0)
+ if (!p11_kit_uri_match_token_info (find_data->info, &info->tinfo) ||
+ !p11_kit_uri_match_module_info (find_data->info, lib_info))
{
gnutls_assert ();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
- if (find_data->info.type[0] != 0)
- {
- class = pkcs11_strtype_to_class (find_data->info.type);
- if (class == CKO_CERTIFICATE)
- type = CKC_X_509;
- else
- type = -1;
-
- if (class == -1)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
- }
-
-
memset (&plist, 0, sizeof (plist));
if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY)
{
- ret = find_privkeys (pks, info, &plist);
+ ret = find_privkeys (module, pks, info, &plist);
if (ret < 0)
{
gnutls_assert ();
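Review bot: The block removed from find_objs was the only place in this hunk where the object type from the URL reached `class` and `type`, and nothing replaces it. Both variables therefore stay at -1 unless code outside the hunk sets them, so a type given in the URL appears no longer to narrow the enumeration. find_obj_url in this commit does read CKA_CLASS back from the URI. Reading it here as well would keep the two lookups consistent, as sketched below using the `attr` local this commit already adds. The function starts and ends outside this hunk, so check how `class` and `type` are used further down.

```c
  /* … unchanged: token/module match check against find_data->info … */

  attr = p11_kit_uri_get_attribute (find_data->info, CKA_CLASS);
  if (attr != NULL && attr->value != NULL
      && attr->value_len == sizeof (class))
    {
      memcpy (&class, attr->value, sizeof (class));
      if (class == CKO_CERTIFICATE)
        type = CKC_X_509;
    }

  memset (&plist, 0, sizeof (plist));
```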
@@ -2408,15 +2106,14 @@ find_objs (pakchois_session_t * pks, struct token_info *info,
goto fail;
}
- if (find_data->info.certid_raw_size != 0)
+ attr = p11_kit_uri_get_attribute (find_data->info, CKA_ID);
+ if (attr != NULL)
{
- a[tot_values].type = CKA_ID;
- a[tot_values].value = find_data->info.certid_raw;
- a[tot_values].value_len = find_data->info.certid_raw_size;
+ memcpy (a + tot_values, attr, sizeof (struct ck_attribute));
tot_values++;
}
- rv = pakchois_find_objects_init (pks, a, tot_values);
+ rv = pkcs11_find_objects_init (module, pks, a, tot_values);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -2424,7 +2121,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info,
return pkcs11_rv_to_err (rv);
}
- while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
{
gnutls_datum_t label, id, value;
@@ -2432,7 +2129,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info,
a[0].value = label_tmp;
a[0].value_len = sizeof label_tmp;
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
label.data = a[0].value;
label.size = a[0].value_len;
@@ -2447,7 +2144,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info,
a[0].value = certid_tmp;
a[0].value_len = sizeof certid_tmp;
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
id.data = a[0].value;
id.size = a[0].value_len;
@@ -2461,7 +2158,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info,
a[0].type = CKA_VALUE;
a[0].value = cert_data;
a[0].value_len = MAX_CERT_SIZE;
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
value.data = a[0].value;
value.size = a[0].value_len;
@@ -2478,7 +2175,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info,
a[0].value = &class;
a[0].value_len = sizeof class;
- pakchois_get_attribute_value (pks, obj, a, 1);
+ pkcs11_get_attribute_value (module, pks, obj, a, 1);
}
if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY)
@@ -2509,7 +2206,7 @@ find_objs (pakchois_session_t * pks, struct token_info *info,
if (class == CKO_PUBLIC_KEY)
{
ret =
- pkcs11_obj_import_pubkey (pks, obj,
+ pkcs11_obj_import_pubkey (module, pks, obj,
find_data->p_list
[find_data->current],
&id, &label,
@@ -2536,13 +2233,13 @@ find_objs (pakchois_session_t * pks, struct token_info *info,
}
gnutls_free (cert_data);
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; /* continue until all tokens have been checked */
fail:
gnutls_free (cert_data);
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
if (plist.key_ids != NULL)
{
for (i = 0; i < plist.key_ids_size; i++)
@@ -2584,6 +2281,8 @@ gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t * p_list,
int ret;
struct crt_find_data_st find_data;
+ memset (&find_data, 0, sizeof (find_data));
+
/* fill in the find data structure */
find_data.p_list = p_list;
find_data.n_list = n_list;
@@ -2605,6 +2304,8 @@ gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t * p_list,
ret =
_pkcs11_traverse_tokens (find_objs, &find_data,
pkcs11_obj_flags_to_int (flags));
+ p11_kit_uri_free (find_data.info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -2733,8 +2434,8 @@ cleanup:
}
static int
-find_flags (pakchois_session_t * pks, struct token_info *info,
- struct ck_info *lib_info, void *input)
+find_flags (struct ck_function_list * module, ck_session_handle_t pks,
+ struct token_info *info, struct ck_info *lib_info, void *input)
{
struct flags_find_data_st *find_data = input;
@@ -2746,8 +2447,8 @@ find_flags (pakchois_session_t * pks, struct token_info *info,
/* do not bother reading the token if basic fields do not match
*/
- if (pkcs11_token_matches_info (&find_data->info, &info->tinfo, lib_info) <
- 0)
+ if (!p11_kit_uri_match_token_info (find_data->info, &info->tinfo) ||
+ !p11_kit_uri_match_module_info (find_data->info, lib_info))
{
gnutls_assert ();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
@@ -2775,6 +2476,7 @@ gnutls_pkcs11_token_get_flags (const char *url, unsigned int *flags)
struct flags_find_data_st find_data;
int ret;
+ memset (&find_data, 0, sizeof (find_data));
ret = pkcs11_url_to_info (url, &find_data.info);
if (ret < 0)
{
@@ -2783,6 +2485,8 @@ gnutls_pkcs11_token_get_flags (const char *url, unsigned int *flags)
}
ret = _pkcs11_traverse_tokens (find_flags, &find_data, 0);
+ p11_kit_uri_free (find_data.info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -2816,10 +2520,10 @@ gnutls_pkcs11_token_get_mechanism (const char *url, int idx,
{
int ret;
ck_rv_t rv;
- pakchois_module_t *module;
+ struct ck_function_list *module;
ck_slot_id_t slot;
struct token_info tinfo;
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info = NULL;
unsigned long count;
ck_mechanism_type_t mlist[400];
@@ -2831,7 +2535,9 @@ gnutls_pkcs11_token_get_mechanism (const char *url, int idx,
}
- ret = pkcs11_find_slot (&module, &slot, &info, &tinfo);
+ ret = pkcs11_find_slot (&module, &slot, info, &tinfo);
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -2839,7 +2545,7 @@ gnutls_pkcs11_token_get_mechanism (const char *url, int idx,
}
count = sizeof (mlist) / sizeof (mlist[0]);
- rv = pakchois_get_mechanism_list (module, slot, mlist, &count);
+ rv = pkcs11_get_mechanism_list (module, slot, mlist, &count);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -2880,57 +2586,176 @@ gnutls_pkcs11_type_get_name (gnutls_pkcs11_obj_type_t type)
}
}
-int
-pkcs11_token_matches_info (struct pkcs11_url_info *info,
- struct ck_token_info *tinfo,
- struct ck_info *lib_info)
+ck_rv_t
+pkcs11_get_slot_list (struct ck_function_list * module, unsigned char token_present,
+ ck_slot_id_t *slot_list, unsigned long *count)
{
- if (info->manufacturer[0] != 0)
- {
- if (strcmp (info->manufacturer, tinfo->manufacturer_id) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ return (module)->C_GetSlotList (token_present, slot_list, count);
+}
- if (info->token[0] != 0)
- {
- if (strcmp (info->token, tinfo->label) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_get_module_info (struct ck_function_list * module,
+ struct ck_info * info)
+{
+ return (module)->C_GetInfo (info);
+}
- if (info->model[0] != 0)
- {
- if (strcmp (info->model, tinfo->model) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_get_slot_info(struct ck_function_list * module,
+ ck_slot_id_t slot_id,
+ struct ck_slot_info *info)
+{
+ return (module)->C_GetSlotInfo (slot_id, info);
+}
- if (info->serial[0] != 0)
- {
- if (strcmp (info->serial, tinfo->serial_number) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_get_token_info (struct ck_function_list * module,
+ ck_slot_id_t slot_id,
+ struct ck_token_info *info)
+{
+ return (module)->C_GetTokenInfo (slot_id, info);
+}
- if (info->lib_manufacturer[0] != 0)
- {
- if (strcmp (info->lib_manufacturer, lib_info->manufacturer_id) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_find_objects_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_attribute *templ,
+ unsigned long count)
+{
+ return (module)->C_FindObjectsInit (sess, templ, count);
+}
- if (info->lib_desc[0] != 0)
- {
- if (strcmp (info->lib_desc, lib_info->library_description) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_find_objects (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t *objects,
+ unsigned long max_object_count,
+ unsigned long *object_count)
+{
+ return (module)->C_FindObjects (sess, objects, max_object_count, object_count);
+}
- if (info->lib_version[0] != 0)
- {
- char version[16];
+ck_rv_t
+pkcs11_find_objects_final (struct ck_function_list *module,
+ ck_session_handle_t sess)
+{
+ return (module)->C_FindObjectsFinal (sess);
+}
- snprintf (version, sizeof (version), "%u.%u",
- (unsigned int) lib_info->library_version.major,
- (unsigned int) lib_info->library_version.minor);
- if (strcmp (info->lib_version, version) != 0)
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- }
+ck_rv_t
+pkcs11_close_session (struct ck_function_list *module,
+ ck_session_handle_t sess)
+{
+ return (module)->C_CloseSession (sess);
+}
- return 0;
+ck_rv_t
+pkcs11_get_attribute_value(struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t object,
+ struct ck_attribute *templ,
+ unsigned long count)
+{
+ return (module)->C_GetAttributeValue (sess, object, templ, count);
+}
+
+ck_rv_t
+pkcs11_get_mechanism_list (struct ck_function_list *module,
+ ck_slot_id_t slot_id,
+ ck_mechanism_type_t *mechanism_list,
+ unsigned long *count)
+{
+ return (module)->C_GetMechanismList (slot_id, mechanism_list, count);
+}
+
+ck_rv_t
+pkcs11_sign_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_mechanism *mechanism,
+ ck_object_handle_t key)
+{
+ return (module)->C_SignInit (sess, mechanism, key);
+}
+
+ck_rv_t
+pkcs11_sign (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *data,
+ unsigned long data_len,
+ unsigned char *signature,
+ unsigned long *signature_len)
+{
+ return (module)->C_Sign (sess, data, data_len, signature, signature_len);
+}
+
+ck_rv_t
+pkcs11_decrypt_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_mechanism *mechanism,
+ ck_object_handle_t key)
+{
+ return (module)->C_DecryptInit (sess, mechanism, key);
+}
+
+ck_rv_t
+pkcs11_decrypt (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *encrypted_data,
+ unsigned long encrypted_data_len,
+ unsigned char *data, unsigned long *data_len)
+{
+ return (module)->C_Decrypt (sess, encrypted_data, encrypted_data_len,
+ data, data_len);
+}
+
+ck_rv_t
+pkcs11_create_object (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_attribute *templ,
+ unsigned long count,
+ ck_object_handle_t *object)
+{
+ return (module)->C_CreateObject (sess, templ, count, object);
+}
+
+ck_rv_t
+pkcs11_destroy_object (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t object)
+{
+ return (module)->C_DestroyObject (sess, object);
+}
+
+ck_rv_t
+pkcs11_init_token (struct ck_function_list *module,
+ ck_slot_id_t slot_id, unsigned char *pin,
+ unsigned long pin_len, unsigned char *label)
+{
+ return (module)->C_InitToken (slot_id, pin, pin_len, label);
+}
+
+ck_rv_t
+pkcs11_init_pin (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *pin,
+ unsigned long pin_len)
+{
+ return (module)->C_InitPIN (sess, pin, pin_len);
+}
+
+ck_rv_t
+pkcs11_set_pin (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *old_pin,
+ unsigned long old_len,
+ unsigned char *new_pin,
+ unsigned long new_len)
+{
+ return (module)->C_SetPIN (sess, old_pin, old_len, new_pin, new_len);
+}
+
+const char *
+pkcs11_strerror (ck_rv_t rv)
+{
+ return p11_kit_strerror (rv);
}
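Review bot: The `pkcs11_*` wrappers added here carry no comment stating their contract, and each one dereferences `module` unconditionally. A block comment above `pkcs11_get_slot_list` would cover the whole group, e.g. `/* Thin pass-throughs to the module's ck_function_list. module must be non-NULL; the raw ck_rv_t is returned, convert it with pkcs11_rv_to_err(). */`. It is also worth noting there that `pkcs11_init_token`, `pkcs11_init_pin` and `pkcs11_set_pin` take PIN buffers with explicit lengths and do not copy or clear them.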
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index b2c1d4606c..c0b8dde4f8 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -1,12 +1,17 @@
#ifndef PKCS11_INT_H
#define PKCS11_INT_H
-#include <pakchois/pakchois.h>
+#ifdef ENABLE_PKCS11
+
+#define CRYPTOKI_GNU
#include <gnutls/pkcs11.h>
#define PKCS11_ID_SIZE 128
#define PKCS11_LABEL_SIZE 128
+#define P11_KIT_API_SUBJECT_TO_CHANGE 1
+#include <p11-kit/uri.h>
+
typedef unsigned char ck_bool_t;
struct token_info
@@ -17,34 +22,11 @@ struct token_info
struct gnutls_pkcs11_provider_s *prov;
};
-struct pkcs11_url_info
-{
- /* everything here is null terminated strings */
- opaque id[PKCS11_ID_SIZE * 3 + 1]; /* hex with delimiters */
- opaque type[16]; /* cert/key etc. */
-
- opaque lib_manufacturer[sizeof
- (((struct ck_info *) NULL)->manufacturer_id) + 1];
- opaque lib_desc[sizeof
- (((struct ck_info *) NULL)->library_description) + 1];
- opaque lib_version[12];
-
- opaque manufacturer[sizeof
- (((struct ck_token_info *) NULL)->manufacturer_id) + 1];
- opaque token[sizeof (((struct ck_token_info *) NULL)->label) + 1];
- opaque serial[sizeof (((struct ck_token_info *) NULL)->serial_number) + 1];
- opaque model[sizeof (((struct ck_token_info *) NULL)->model) + 1];
- opaque label[PKCS11_LABEL_SIZE + 1];
-
- opaque certid_raw[PKCS11_ID_SIZE]; /* same as ID but raw */
- size_t certid_raw_size;
-};
-
struct gnutls_pkcs11_obj_st
{
gnutls_datum_t raw;
gnutls_pkcs11_obj_type_t type;
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
/* only when pubkey */
gnutls_datum_t pubkey[MAX_PUBLIC_PARAMS_SIZE];
@@ -56,46 +38,50 @@ struct gnutls_pkcs11_obj_st
* function. Once everything is traversed it is called with NULL tinfo.
* It should return 0 if found what it was looking for.
*/
-typedef int (*find_func_t) (pakchois_session_t * pks,
+typedef int (*find_func_t) (struct ck_function_list *module,
+ ck_session_handle_t pks,
struct token_info * tinfo, struct ck_info *,
void *input);
int pkcs11_rv_to_err (ck_rv_t rv);
-int pkcs11_url_to_info (const char *url, struct pkcs11_url_info *info);
+int pkcs11_url_to_info (const char *url, struct p11_kit_uri **info);
int
-pkcs11_find_slot (pakchois_module_t ** module, ck_slot_id_t * slot,
- struct pkcs11_url_info *info, struct token_info *_tinfo);
+pkcs11_find_slot (struct ck_function_list ** module, ck_slot_id_t * slot,
+ struct p11_kit_uri *info, struct token_info *_tinfo);
-int pkcs11_get_info (struct pkcs11_url_info *info,
+int pkcs11_get_info (struct p11_kit_uri *info,
gnutls_pkcs11_obj_info_t itype, void *output,
size_t * output_size);
-int pkcs11_login (pakchois_session_t * pks,
+int pkcs11_login (struct ck_function_list * module, ck_session_handle_t pks,
const struct token_info *info, int admin);
+int pkcs11_call_token_func (struct p11_kit_uri *info, const unsigned retry);
+
extern gnutls_pkcs11_token_callback_t token_func;
extern void *token_data;
void pkcs11_rescan_slots (void);
-int pkcs11_info_to_url (const struct pkcs11_url_info *info,
+int pkcs11_info_to_url (struct p11_kit_uri *info,
gnutls_pkcs11_url_type_t detailed, char **url);
#define SESSION_WRITE (1<<0)
#define SESSION_LOGIN (1<<1)
#define SESSION_SO (1<<2) /* security officer session */
-int pkcs11_open_session (pakchois_session_t ** _pks,
- struct pkcs11_url_info *info, unsigned int flags);
+int pkcs11_open_session (struct ck_function_list **_module, ck_session_handle_t * _pks,
+ struct p11_kit_uri *info, unsigned int flags);
int _pkcs11_traverse_tokens (find_func_t find_func, void *input,
unsigned int flags);
ck_object_class_t pkcs11_strtype_to_class (const char *type);
-int pkcs11_token_matches_info (struct pkcs11_url_info *info,
+int pkcs11_token_matches_info (struct p11_kit_uri *info,
struct ck_token_info *tinfo,
struct ck_info *lib_info);
/* flags are SESSION_* */
-int pkcs11_find_object (pakchois_session_t ** _pks,
+int pkcs11_find_object (struct ck_function_list ** _module,
+ ck_session_handle_t * _pks,
ck_object_handle_t * _obj,
- struct pkcs11_url_info *info, unsigned int flags);
+ struct p11_kit_uri *info, unsigned int flags);
unsigned int pkcs11_obj_flags_to_int (unsigned int flags);
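Review bot: The prototype `int pkcs11_token_matches_info (struct p11_kit_uri *info, ...)` is kept and retyped here, but this same commit deletes the function's definition from lib/pkcs11.c. The visible callers (find_flags, delete_obj_url) now call `p11_kit_uri_match_token_info` and `p11_kit_uri_match_module_info` directly. Unless another definition exists outside this view, the declaration is dangling and any remaining caller would only fail at link time; it should be dropped from the header.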
@@ -110,4 +96,121 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key,
const gnutls_datum_t * ciphertext,
gnutls_datum_t * plaintext);
+ck_rv_t
+pkcs11_get_slot_list (struct ck_function_list * module,
+ unsigned char token_present,
+ ck_slot_id_t *slot_list,
+ unsigned long *count);
+
+ck_rv_t
+pkcs11_get_module_info (struct ck_function_list * module,
+ struct ck_info * info);
+
+ck_rv_t
+pkcs11_get_slot_info(struct ck_function_list * module,
+ ck_slot_id_t slot_id,
+ struct ck_slot_info *info);
+
+ck_rv_t
+pkcs11_get_token_info (struct ck_function_list * module,
+ ck_slot_id_t slot_id,
+ struct ck_token_info *info);
+
+ck_rv_t
+pkcs11_find_objects_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_attribute *templ,
+ unsigned long count);
+
+ck_rv_t
+pkcs11_find_objects (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t *objects,
+ unsigned long max_object_count,
+ unsigned long *object_count);
+
+ck_rv_t
+pkcs11_find_objects_final (struct ck_function_list *module,
+ ck_session_handle_t sess);
+
+ck_rv_t
+pkcs11_close_session (struct ck_function_list *module,
+ ck_session_handle_t sess);
+
+ck_rv_t
+pkcs11_get_attribute_value(struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t object,
+ struct ck_attribute *templ,
+ unsigned long count);
+
+ck_rv_t
+pkcs11_get_mechanism_list (struct ck_function_list *module,
+ ck_slot_id_t slot_id,
+ ck_mechanism_type_t *mechanism_list,
+ unsigned long *count);
+
+ck_rv_t
+pkcs11_sign_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_mechanism *mechanism,
+ ck_object_handle_t key);
+
+ck_rv_t
+pkcs11_sign (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *data,
+ unsigned long data_len,
+ unsigned char *signature,
+ unsigned long *signature_len);
+
+ck_rv_t
+pkcs11_decrypt_init (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_mechanism *mechanism,
+ ck_object_handle_t key);
+
+ck_rv_t
+pkcs11_decrypt (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *encrypted_data,
+ unsigned long encrypted_data_len,
+ unsigned char *data, unsigned long *data_len);
+
+ck_rv_t
+pkcs11_create_object (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ struct ck_attribute *templ,
+ unsigned long count,
+ ck_object_handle_t *object);
+
+ck_rv_t
+pkcs11_destroy_object (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ ck_object_handle_t object);
+
+ck_rv_t
+pkcs11_init_token (struct ck_function_list *module,
+ ck_slot_id_t slot_id, unsigned char *pin,
+ unsigned long pin_len, unsigned char *label);
+
+ck_rv_t
+pkcs11_init_pin (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *pin,
+ unsigned long pin_len);
+
+ck_rv_t
+pkcs11_set_pin (struct ck_function_list *module,
+ ck_session_handle_t sess,
+ unsigned char *old_pin,
+ unsigned long old_len,
+ unsigned char *new_pin,
+ unsigned long new_len);
+
+const char *
+pkcs11_strerror (ck_rv_t rv);
+
+#endif /* ENABLE_PKCS11 */
+
#endif
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 9a66353b16..2d214ccd59 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -21,7 +21,6 @@
*/
#include <gnutls_int.h>
-#include <pakchois/pakchois.h>
#include <gnutls/pkcs11.h>
#include <stdio.h>
#include <string.h>
@@ -29,12 +28,13 @@
#include <gnutls_datum.h>
#include <pkcs11_int.h>
#include <gnutls_sig.h>
+#include <p11-kit/uri.h>
struct gnutls_pkcs11_privkey_st
{
gnutls_pk_algorithm_t pk_algorithm;
unsigned int flags;
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
};
/**
@@ -56,6 +56,14 @@ gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t * key)
return GNUTLS_E_MEMORY_ERROR;
}
+ (*key)->info = p11_kit_uri_new ();
+ if ((*key)->info == NULL)
+ {
+ free (*key);
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
return 0;
}
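Review bot: The new error path in gnutls_pkcs11_privkey_init releases the object with `free (*key)`, while gnutls_pkcs11_privkey_deinit in the next hunk uses `gnutls_free (key)`. The allocation sits above the hunk; if it goes through the gnutls allocator, the release should match. The path also leaves `*key` pointing at freed memory for the caller. Suggested: `gnutls_free (*key); *key = NULL;` before returning GNUTLS_E_MEMORY_ERROR.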
@@ -68,6 +76,7 @@ gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t * key)
void
gnutls_pkcs11_privkey_deinit (gnutls_pkcs11_privkey_t key)
{
+ p11_kit_uri_free (key->info);
gnutls_free (key);
}
@@ -109,20 +118,20 @@ gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t pkey,
gnutls_pkcs11_obj_info_t itype,
void *output, size_t * output_size)
{
- return pkcs11_get_info (&pkey->info, itype, output, output_size);
+ return pkcs11_get_info (pkey->info, itype, output, output_size);
}
-#define FIND_OBJECT(pks, obj, key) \
+#define FIND_OBJECT(module, pks, obj, key) \
do { \
int retries = 0; \
int rret; \
- ret = pkcs11_find_object (&pks, &obj, &key->info, \
+ ret = pkcs11_find_object (&module, &pks, &obj, key->info, \
SESSION_LOGIN); \
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { \
if (token_func) \
{ \
- rret = token_func(token_data, key->info.token, retries++); \
+ rret = pkcs11_call_token_func (key->info, retries++); \
if (rret == 0) continue; \
} \
gnutls_assert(); \
@@ -152,10 +161,11 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key,
int ret;
struct ck_mechanism mech;
unsigned long siglen;
- pakchois_session_t *pks;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
ck_object_handle_t obj;
- FIND_OBJECT (pks, obj, key);
+ FIND_OBJECT (module, pks, obj, key);
mech.mechanism =
key->pk_algorithm == GNUTLS_PK_DSA ? CKM_DSA : CKM_RSA_PKCS;
@@ -164,7 +174,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key,
/* Initialize signing operation; using the private key discovered
* earlier. */
- rv = pakchois_sign_init (pks, &mech, obj);
+ rv = pkcs11_sign_init (module, pks, &mech, obj);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -173,7 +183,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key,
}
/* Work out how long the signature must be: */
- rv = pakchois_sign (pks, hash->data, hash->size, NULL, &siglen);
+ rv = pkcs11_sign (module, pks, hash->data, hash->size, NULL, &siglen);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -184,7 +194,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key,
signature->data = gnutls_malloc (siglen);
signature->size = siglen;
- rv = pakchois_sign (pks, hash->data, hash->size, signature->data, &siglen);
+ rv = pkcs11_sign (module, pks, hash->data, hash->size, signature->data, &siglen);
if (rv != CKR_OK)
{
gnutls_free (signature->data);
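Review bot: `signature->data = gnutls_malloc (siglen);` is passed straight to `pkcs11_sign` with no NULL check, so an allocation failure hands a NULL output buffer to the module together with a non-zero `siglen`. Add `if (signature->data == NULL) { gnutls_assert (); ret = GNUTLS_E_MEMORY_ERROR; goto cleanup; }` before the call. The same pattern appears in _gnutls_pkcs11_privkey_decrypt_data, where `plaintext->data = gnutls_malloc (siglen);` feeds `pkcs11_decrypt`. Both functions start and end outside their hunks.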
@@ -198,7 +208,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key,
ret = 0;
cleanup:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
@@ -222,7 +232,9 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey,
const char *url, unsigned int flags)
{
int ret;
- pakchois_session_t *pks;
+ struct ck_function_list *module;
+ struct ck_attribute *attr;
+ ck_session_handle_t pks;
ck_object_handle_t obj;
struct ck_attribute a[4];
ck_key_type_t key_type;
@@ -236,24 +248,27 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey,
pkey->flags = flags;
- if (pkey->info.type[0] != 0 && strcmp (pkey->info.type, "private") != 0)
+ attr = p11_kit_uri_get_attribute (pkey->info, CKA_CLASS);
+ if (!attr || attr->value_len != sizeof (ck_object_class_t) ||
+ *(ck_object_class_t*)attr->value != CKO_PRIVATE_KEY)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
- if (pkey->info.id[0] == 0)
+ attr = p11_kit_uri_get_attribute (pkey->info, CKA_ID);
+ if (!attr || !attr->value_len)
{
gnutls_assert ();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
- FIND_OBJECT (pks, obj, pkey);
+ FIND_OBJECT (module, pks, obj, pkey);
a[0].type = CKA_KEY_TYPE;
a[0].value = &key_type;
a[0].value_len = sizeof (key_type);
- if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK)
+ if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
{
switch (key_type)
{
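Review bot: The new class test in gnutls_pkcs11_privkey_import_url rejects a URL that carries no object class at all, because `!attr` now returns GNUTLS_E_INVALID_REQUEST. The removed line accepted an empty type and rejected only a type other than "private". If URLs without a type are still meant to import, the condition should start `if (attr && (attr->value_len != sizeof (ck_object_class_t) || ...` instead of `if (!attr || ...`. If the stricter behaviour is intended, a comment above the check should say so. The function body starts and ends outside the hunk.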
@@ -273,7 +288,7 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey,
ret = 0;
cleanup:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
@@ -301,10 +316,11 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key,
int ret;
struct ck_mechanism mech;
unsigned long siglen;
- pakchois_session_t *pks;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
ck_object_handle_t obj;
- FIND_OBJECT (pks, obj, key);
+ FIND_OBJECT (module, pks, obj, key);
mech.mechanism =
key->pk_algorithm == GNUTLS_PK_DSA ? CKM_DSA : CKM_RSA_PKCS;
@@ -313,7 +329,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key,
/* Initialize signing operation; using the private key discovered
* earlier. */
- rv = pakchois_decrypt_init (pks, &mech, obj);
+ rv = pkcs11_decrypt_init (module, pks, &mech, obj);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -322,7 +338,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key,
}
/* Work out how long the plaintext must be: */
- rv = pakchois_decrypt (pks, ciphertext->data, ciphertext->size,
+ rv = pkcs11_decrypt (module, pks, ciphertext->data, ciphertext->size,
NULL, &siglen);
if (rv != CKR_OK)
{
@@ -334,7 +350,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key,
plaintext->data = gnutls_malloc (siglen);
plaintext->size = siglen;
- rv = pakchois_decrypt (pks, ciphertext->data, ciphertext->size,
+ rv = pkcs11_decrypt (module, pks, ciphertext->data, ciphertext->size,
plaintext->data, &siglen);
if (rv != CKR_OK)
{
@@ -349,7 +365,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key,
ret = 0;
cleanup:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
@@ -372,7 +388,7 @@ gnutls_pkcs11_privkey_export_url (gnutls_pkcs11_privkey_t key,
{
int ret;
- ret = pkcs11_info_to_url (&key->info, detailed, url);
+ ret = pkcs11_info_to_url (key->info, detailed, url);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/pkcs11_secret.c b/lib/pkcs11_secret.c
index 037e5692ec..45b0e92f0c 100644
--- a/lib/pkcs11_secret.c
+++ b/lib/pkcs11_secret.c
@@ -50,8 +50,9 @@ gnutls_pkcs11_copy_secret_key (const char *token_url, gnutls_datum_t * key,
/* GNUTLS_PKCS11_OBJ_FLAG_* */ )
{
int ret;
- pakchois_session_t *pks;
- struct pkcs11_url_info info;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
+ struct p11_kit_uri *info = NULL;
ck_rv_t rv;
struct ck_attribute a[12];
ck_object_class_t class = CKO_SECRET_KEY;
@@ -77,8 +78,10 @@ gnutls_pkcs11_copy_secret_key (const char *token_url, gnutls_datum_t * key,
}
ret =
- pkcs11_open_session (&pks, &info,
+ pkcs11_open_session (&module, &pks, info,
SESSION_WRITE | pkcs11_obj_flags_to_int (flags));
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -126,11 +129,11 @@ gnutls_pkcs11_copy_secret_key (const char *token_url, gnutls_datum_t * key,
a[a_val].value_len = sizeof (tval);
a_val++;
- rv = pakchois_create_object (pks, a, a_val, &obj);
+ rv = pkcs11_create_object (module, pks, a, a_val, &obj);
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
ret = pkcs11_rv_to_err (rv);
goto cleanup;
}
@@ -141,7 +144,7 @@ gnutls_pkcs11_copy_secret_key (const char *token_url, gnutls_datum_t * key,
ret = 0;
cleanup:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 823b715e25..948c973b4e 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -47,8 +47,9 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
unsigned int flags)
{
int ret;
- pakchois_session_t *pks;
- struct pkcs11_url_info info;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
+ struct p11_kit_uri *info = NULL;
ck_rv_t rv;
size_t der_size, id_size;
opaque *der = NULL;
@@ -70,8 +71,10 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
}
ret =
- pkcs11_open_session (&pks, &info,
+ pkcs11_open_session (&module, &pks, info,
SESSION_WRITE | pkcs11_obj_flags_to_int (flags));
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -162,11 +165,11 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
a_val++;
}
- rv = pakchois_create_object (pks, a, a_val, &obj);
+ rv = pkcs11_create_object (module, pks, a, a_val, &obj);
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
ret = pkcs11_rv_to_err (rv);
goto cleanup;
}
@@ -179,7 +182,7 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
cleanup:
gnutls_free (der);
_gnutls_free_datum(&subject);
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
@@ -207,8 +210,9 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
unsigned int key_usage, unsigned int flags)
{
int ret;
- pakchois_session_t *pks = NULL;
- struct pkcs11_url_info info;
+ struct ck_function_list *module;
+ ck_session_handle_t pks = 0;
+ struct p11_kit_uri *info = NULL;
ck_rv_t rv;
size_t id_size;
opaque id[20];
@@ -234,13 +238,16 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
ret = gnutls_x509_privkey_get_key_id (key, 0, id, &id_size);
if (ret < 0)
{
+ p11_kit_uri_free (info);
gnutls_assert ();
goto cleanup;
}
ret =
- pkcs11_open_session (&pks, &info,
+ pkcs11_open_session (&module, &pks, info,
SESSION_WRITE | pkcs11_obj_flags_to_int (flags));
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -391,11 +398,11 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
goto cleanup;
}
- rv = pakchois_create_object (pks, a, a_val, &obj);
+ rv = pkcs11_create_object (module, pks, a, a_val, &obj);
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
ret = pkcs11_rv_to_err (rv);
goto cleanup;
}
@@ -435,8 +442,8 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
ret = 0;
cleanup:
- if (pks != NULL)
- pakchois_close_session (pks);
+ if (pks != 0)
+ pkcs11_close_session (module, pks);
return ret;
@@ -444,17 +451,19 @@ cleanup:
struct delete_data_st
{
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info;
unsigned int deleted; /* how many */
};
static int
-delete_obj_url (pakchois_session_t * pks,
+delete_obj_url (struct ck_function_list *module,
+ ck_session_handle_t pks,
struct token_info *info,
struct ck_info *lib_info, void *input)
{
struct delete_data_st *find_data = input;
struct ck_attribute a[4];
+ struct ck_attribute *attr;
ck_object_class_t class;
ck_certificate_type_t type = -1;
ck_rv_t rv;
@@ -471,44 +480,35 @@ delete_obj_url (pakchois_session_t * pks,
/* do not bother reading the token if basic fields do not match
*/
- if (pkcs11_token_matches_info (&find_data->info, &info->tinfo, lib_info) <
- 0)
+ if (!p11_kit_uri_match_module_info (find_data->info, lib_info) ||
+ !p11_kit_uri_match_token_info (find_data->info, &info->tinfo))
{
gnutls_assert ();
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
+ /* Find objects with given class and type */
class = CKO_CERTIFICATE; /* default */
+ a_vals = 0;
- if (find_data->info.type[0] != 0)
+ attr = p11_kit_uri_get_attribute (find_data->info, CKA_CLASS);
+ if (attr != NULL)
{
- class = pkcs11_strtype_to_class (find_data->info.type);
+ if(attr->value && attr->value_len == sizeof (ck_object_class_t))
+ class = *((ck_object_class_t*)attr->value);
if (class == CKO_CERTIFICATE)
type = CKC_X_509;
-
- if (class == -1)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
}
- a_vals = 0;
+ a[a_vals].type = CKA_CLASS;
+ a[a_vals].value = &class;
+ a[a_vals].value_len = sizeof (class);
+ a_vals++;
- /* Find objects with given class and type */
- if (find_data->info.certid_raw_size > 0)
- {
- a[a_vals].type = CKA_ID;
- a[a_vals].value = find_data->info.certid_raw;
- a[a_vals].value_len = find_data->info.certid_raw_size;
- a_vals++;
- }
-
- if (class != -1)
+ attr = p11_kit_uri_get_attribute (find_data->info, CKA_ID);
+ if (attr != NULL)
{
- a[a_vals].type = CKA_CLASS;
- a[a_vals].value = &class;
- a[a_vals].value_len = sizeof class;
+ memcpy (a + a_vals, attr, sizeof (struct ck_attribute));
a_vals++;
}
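Review bot: In delete_obj_url a CKA_CLASS attribute that is present but has a NULL value or the wrong length is silently ignored, so `class` stays CKO_CERTIFICATE and the template goes on to select certificates for `pkcs11_destroy_object`. The removed code returned GNUTLS_E_INVALID_REQUEST for a type it could not map. For a destructive operation the new branch should fail the same way, e.g. `else { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; }` after the `class = ...` assignment. The function continues outside the hunk.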
@@ -520,15 +520,14 @@ delete_obj_url (pakchois_session_t * pks,
a_vals++;
}
- if (find_data->info.label[0] != 0)
+ attr = p11_kit_uri_get_attribute (find_data->info, CKA_LABEL);
+ if (attr != NULL)
{
- a[a_vals].type = CKA_LABEL;
- a[a_vals].value = find_data->info.label;
- a[a_vals].value_len = strlen (find_data->info.label);
+ memcpy (a + a_vals, attr, sizeof (struct ck_attribute));
a_vals++;
}
- rv = pakchois_find_objects_init (pks, a, a_vals);
+ rv = pkcs11_find_objects_init (module, pks, a, a_vals);
if (rv != CKR_OK)
{
gnutls_assert ();
@@ -537,13 +536,13 @@ delete_obj_url (pakchois_session_t * pks,
goto cleanup;
}
- while (pakchois_find_objects (pks, &obj, 1, &count) == CKR_OK && count == 1)
+ while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
{
- rv = pakchois_destroy_object (pks, obj);
+ rv = pkcs11_destroy_object (module, pks, obj);
if (rv != CKR_OK)
{
_gnutls_debug_log
- ("pkcs11: Cannot destroy object: %s\n", pakchois_error (rv));
+ ("pkcs11: Cannot destroy object: %s\n", pkcs11_strerror (rv));
}
else
{
@@ -564,7 +563,7 @@ delete_obj_url (pakchois_session_t * pks,
}
cleanup:
- pakchois_find_objects_final (pks);
+ pkcs11_find_objects_final (module, pks);
return ret;
}
@@ -598,6 +597,8 @@ gnutls_pkcs11_delete_url (const char *object_url, unsigned int flags)
ret =
_pkcs11_traverse_tokens (delete_obj_url, &find_data,
SESSION_WRITE | pkcs11_obj_flags_to_int (flags));
+ p11_kit_uri_free (find_data.info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -626,9 +627,9 @@ gnutls_pkcs11_token_init (const char *token_url,
const char *so_pin, const char *label)
{
int ret;
- struct pkcs11_url_info info;
+ struct p11_kit_uri *info = NULL;
ck_rv_t rv;
- pakchois_module_t *module;
+ struct ck_function_list *module;
ck_slot_id_t slot;
char flabel[32];
@@ -639,7 +640,9 @@ gnutls_pkcs11_token_init (const char *token_url,
return ret;
}
- ret = pkcs11_find_slot (&module, &slot, &info, NULL);
+ ret = pkcs11_find_slot (&module, &slot, info, NULL);
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -652,12 +655,12 @@ gnutls_pkcs11_token_init (const char *token_url,
memcpy (flabel, label, strlen (label));
rv =
- pakchois_init_token (module, slot, (char *) so_pin, strlen (so_pin),
- flabel);
+ pkcs11_init_token (module, slot, (char *) so_pin, strlen (so_pin),
+ flabel);
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
return pkcs11_rv_to_err (rv);
}
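Review bot: `memcpy (flabel, label, strlen (label));` copies a caller-supplied length into `flabel`, which the previous hunk declares as `char flabel[32]`, so a label longer than 32 bytes writes past the stack buffer. No bound is visible in this hunk, though a check may exist in the lines between the two hunks. Reject the input before the copy with `if (strlen (label) > sizeof (flabel)) { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; }`. The function starts outside this hunk.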
@@ -685,8 +688,9 @@ gnutls_pkcs11_token_set_pin (const char *token_url,
const char *newpin, unsigned int flags)
{
int ret;
- pakchois_session_t *pks;
- struct pkcs11_url_info info;
+ struct ck_function_list *module;
+ ck_session_handle_t pks;
+ struct p11_kit_uri *info = NULL;
ck_rv_t rv;
unsigned int ses_flags;
@@ -703,7 +707,9 @@ gnutls_pkcs11_token_set_pin (const char *token_url,
else
ses_flags = SESSION_WRITE | SESSION_LOGIN;
- ret = pkcs11_open_session (&pks, &info, ses_flags);
+ ret = pkcs11_open_session (&module, &pks, info, ses_flags);
+ p11_kit_uri_free (info);
+
if (ret < 0)
{
gnutls_assert ();
@@ -712,24 +718,24 @@ gnutls_pkcs11_token_set_pin (const char *token_url,
if (oldpin == NULL)
{
- rv = pakchois_init_pin (pks, (char *) newpin, strlen (newpin));
+ rv = pkcs11_init_pin (module, pks, (char *) newpin, strlen (newpin));
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
ret = pkcs11_rv_to_err (rv);
goto finish;
}
}
else
{
- rv = pakchois_set_pin (pks,
- (char *) oldpin, strlen (oldpin),
- (char *) newpin, strlen (newpin));
+ rv = pkcs11_set_pin (module, pks,
+ (char *) oldpin, strlen (oldpin),
+ (char *) newpin, strlen (newpin));
if (rv != CKR_OK)
{
gnutls_assert ();
- _gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
+ _gnutls_debug_log ("pkcs11: %s\n", pkcs11_strerror (rv));
ret = pkcs11_rv_to_err (rv);
goto finish;
}
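Review bot: The calls in gnutls_pkcs11_token_set_pin cast the PINs with `(char *) newpin` and `(char *) oldpin`, but `pkcs11_init_pin` and `pkcs11_set_pin` are declared in pkcs11_int.h with `unsigned char *` parameters. The cast therefore drops `const` and still leaves a pointer-signedness mismatch. Cast to the declared type instead, e.g. `pkcs11_init_pin (module, pks, (unsigned char *) newpin, strlen (newpin));`. The `pkcs11_init_token` call in gnutls_pkcs11_token_init has the same mismatch for `(char *) so_pin` and `flabel`.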
@@ -738,7 +744,7 @@ gnutls_pkcs11_token_set_pin (const char *token_url,
ret = 0;
finish:
- pakchois_close_session (pks);
+ pkcs11_close_session (module, pks);
return ret;
}
diff --git a/src/Makefile.am b/src/Makefile.am
index bf39f397c9..82c6e31cc4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -32,15 +32,22 @@ AM_CPPFLAGS = \
noinst_PROGRAMS = benchmark
bin_PROGRAMS = gnutls-serv gnutls-cli psktool gnutls-cli-debug
if ENABLE_PKI
-bin_PROGRAMS += certtool p11tool
+bin_PROGRAMS += certtool
endif
if ENABLE_SRP
bin_PROGRAMS += srptool
endif
+if ENABLE_PKCS11
+bin_PROGRAMS += p11tool
+PKCS11_SRCS = p11common.c p11common.h
+else
+PKCS11_SRCS =
+endif
+
noinst_LTLIBRARIES =
-gnutls_serv_SOURCES = list.h serv.c common.h common.c certtool-common.h p11common.c p11common.h
+gnutls_serv_SOURCES = list.h serv.c common.h common.c certtool-common.h $(PKCS11_SRCS)
gnutls_serv_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la
gnutls_serv_LDADD += libcmd-serv.la ../gl/libgnu.la
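Review bot: Moving `p11tool` from the `ENABLE_PKI` block to the new `ENABLE_PKCS11` block means it is now built whenever PKCS #11 is enabled, even if PKI is disabled. `p11tool_SOURCES`, further down in this file, still lists `certtool-common.c`, which was previously only compiled under `ENABLE_PKI`. If configure allows PKCS #11 without PKI (not visible here), that combination should be build-tested or the conditional nested. Otherwise a short comment such as `# ENABLE_PKCS11 implies ENABLE_PKI (see configure.ac)` would record the assumption.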
@@ -66,7 +73,7 @@ libcmd_psk_la_SOURCES = psk.gaa psk-gaa.h psk-gaa.c
benchmark_SOURCES = benchmark.c
benchmark_LDADD = ../lib/libgnutls.la ../gl/libgnu.la $(LIB_CLOCK_GETTIME)
-gnutls_cli_SOURCES = cli.c common.h common.c p11common.c p11common.h
+gnutls_cli_SOURCES = cli.c common.h common.c $(PKCS11_SRCS)
gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la
gnutls_cli_LDADD += libcmd-cli.la ../gl/libgnu.la
gnutls_cli_LDADD += $(LTLIBGCRYPT) $(LIBSOCKET) $(GETADDRINFO_LIB)
@@ -74,7 +81,7 @@ noinst_LTLIBRARIES += libcmd-cli.la
libcmd_cli_la_CFLAGS =
libcmd_cli_la_SOURCES = cli.gaa cli-gaa.h cli-gaa.c
-gnutls_cli_debug_SOURCES = tls_test.c tests.h tests.c common.h common.c p11common.c p11common.h
+gnutls_cli_debug_SOURCES = tls_test.c tests.h tests.c common.h common.c $(PKCS11_SRCS)
gnutls_cli_debug_LDADD = ../lib/libgnutls.la libcmd-cli-debug.la
gnutls_cli_debug_LDADD += ../gl/libgnu.la $(LIBSOCKET) $(GETADDRINFO_LIB)
noinst_LTLIBRARIES += libcmd-cli-debug.la
@@ -83,7 +90,7 @@ libcmd_cli_debug_la_SOURCES = tls_test.gaa tls_test-gaa.h tls_test-gaa.c
#certtool
-certtool_SOURCES = certtool.c prime.c certtool-common.c p11common.c p11common.h
+certtool_SOURCES = certtool.c prime.c certtool-common.c $(PKCS11_SRCS)
certtool_LDADD = ../lib/libgnutls.la
certtool_LDADD += libcmd-certtool.la ../gl/libgnu.la
certtool_LDADD += $(LTLIBGCRYPT)
@@ -107,6 +114,8 @@ libcmd_certtool_la_LIBADD += ../lib/libgnutls.la
libcmd_certtool_la_LIBADD += ../gl/libgnu.la $(INET_PTON_LIB)
# p11 tool
+if ENABLE_PKCS11
+
p11tool_gaa_CFLAGS =
p11tool_SOURCES = p11tool.gaa p11tool.c pkcs11.c certtool-common.c p11tool.h p11common.c
p11tool_LDADD = ../lib/libgnutls.la
@@ -118,6 +127,7 @@ p11tool_LDADD += -lcfg+
else
p11tool_LDADD += libcfg.la
endif
+
noinst_LTLIBRARIES += libcmd-p11tool.la
libcmd_p11tool_la_CFLAGS =
libcmd_p11tool_la_SOURCES = p11tool-gaa.c p11tool.gaa p11tool-gaa.h \
@@ -126,14 +136,17 @@ libcmd_p11tool_la_LIBADD = ../gl/libgnu.la $(LTLIBREADLINE)
libcmd_p11tool_la_LIBADD += ../lib/libgnutls.la
libcmd_p11tool_la_LIBADD += ../gl/libgnu.la $(INET_PTON_LIB)
+endif # ENABLE_PKCS11
psk-gaa.c: $(srcdir)/psk.gaa
-$(GAA) $< -o psk-gaa.c -i psk-gaa.h
crypt-gaa.c: $(srcdir)/crypt.gaa
-$(GAA) $< -o crypt-gaa.c -i crypt-gaa.h
+if ENABLE_PKCS11
p11tool-gaa.c: $(srcdir)/p11tool.gaa
-$(GAA) $< -o p11tool-gaa.c -i p11tool-gaa.h
+endif
certtool-gaa.c: $(srcdir)/certtool.gaa
-$(GAA) $< -o certtool-gaa.c -i certtool-gaa.h
cli-gaa.c: $(srcdir)/cli.gaa
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 91fbbeb314..1482d34b68 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -146,6 +146,8 @@ gnutls_x509_privkey_t xkey;
return key;
}
+#ifdef ENABLE_PKCS11
+
static gnutls_privkey_t _load_pkcs11_privkey(const char* url)
{
int ret;
@@ -257,6 +259,7 @@ unsigned int obj_flags = 0;
return pubkey;
}
+#endif /* ENABLE_PKCS11 */
/* Load the private key.
* @mand should be non zero if it is required to read a private key.
@@ -274,8 +277,10 @@ load_private_key (int mand, common_info_st * info)
if (info->privkey == NULL)
error (EXIT_FAILURE, 0, "missing --load-privkey");
+#ifdef ENABLE_PKCS11
if (strncmp(info->privkey, "pkcs11:", 7) == 0)
return _load_pkcs11_privkey(info->privkey);
+#endif
dat.data = read_binary_file (info->privkey, &size);
dat.size = size;
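Review bot: When the tool is built without `ENABLE_PKCS11`, a `pkcs11:` URL given to `--load-privkey` falls through to `read_binary_file (info->privkey, &size)` and is treated as a file name. The user then gets a misleading file error, or a local file that happens to have that name is loaded as the key. I would add an `#else` branch that rejects the prefix explicitly, e.g. `if (strncmp (info->privkey, "pkcs11:", 7) == 0) error (EXIT_FAILURE, 0, "PKCS #11 URLs are not supported in this build");`. The same fall-through applies to the guarded checks in `load_ca_private_key` and `load_pubkey` below, and to the three `pkcs11:` checks in `load_keys` in src/cli.c. The function body starts outside this hunk.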
@@ -480,8 +485,10 @@ load_ca_private_key (common_info_st * info)
if (info->ca_privkey == NULL)
error (EXIT_FAILURE, 0, "missing --load-ca-privkey");
+#ifdef ENABLE_PKCS11
if (strncmp(info->ca_privkey, "pkcs11:", 7) == 0)
return _load_pkcs11_privkey(info->ca_privkey);
+#endif
dat.data = read_binary_file (info->ca_privkey, &size);
dat.size = size;
@@ -547,8 +554,10 @@ load_pubkey (int mand, common_info_st * info)
if (info->pubkey == NULL)
error (EXIT_FAILURE, 0, "missing --load-pubkey");
+#ifdef ENABLE_PKCS11
if (strncmp(info->pubkey, "pkcs11:", 7) == 0)
return _load_pkcs11_pubkey(info->pubkey);
+#endif
ret = gnutls_pubkey_init (&key);
if (ret < 0)
diff --git a/src/certtool.c b/src/certtool.c
index 061980dad2..832ca533d6 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1076,8 +1076,10 @@ gaa_parser (int argc, char **argv)
if ((ret = gnutls_global_init ()) < 0)
error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret));
-
+
+#ifdef ENABLE_PKCS11
pkcs11_common();
+#endif
memset (&cinfo, 0, sizeof (cinfo));
cinfo.privkey = info.privkey;
@@ -1174,7 +1176,9 @@ gaa_parser (int argc, char **argv)
}
fclose (outfile);
+#ifdef ENABLE_PKCS11
gnutls_pkcs11_deinit ();
+#endif
gnutls_global_deinit ();
}
diff --git a/src/cli.c b/src/cli.c
index 07c80a67ae..37ebb68398 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -174,6 +174,7 @@ load_keys (void)
if (x509_certfile != NULL && x509_keyfile != NULL)
{
+#ifdef ENABLE_PKCS11
if (strncmp (x509_certfile, "pkcs11:", 7) == 0)
{
crt_num = 1;
@@ -195,6 +196,7 @@ load_keys (void)
x509_crt_size = 1;
}
else
+#endif /* ENABLE_PKCS11 */
{
data = load_file (x509_certfile);
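Review bot: Putting the `else` inside the `#ifdef` and leaving its brace block outside works, but it is easy to break. With `ENABLE_PKCS11` undefined, the block after `#endif` becomes an unconditional compound statement, and a later edit that adds a statement between `#endif` and `{` would silently change the control flow in one configuration only. A comment on the `#endif` line would make this explicit, for example `#endif /* ENABLE_PKCS11: without it the file-loading block below always runs */`. The same construct is repeated for `x509_keyfile` and `pgp_keyfile` in the following hunks of `load_keys`, whose body extends beyond this hunk.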
@@ -232,6 +234,7 @@ load_keys (void)
unload_file (data);
+#ifdef ENABLE_PKCS11
if (strncmp (x509_keyfile, "pkcs11:", 7) == 0)
{
gnutls_pkcs11_privkey_init (&pkcs11_key);
@@ -246,6 +249,7 @@ load_keys (void)
}
}
else
+#endif /* ENABLE_PKCS11 */
{
data = load_file (x509_keyfile);
if (data.data == NULL)
@@ -295,6 +299,7 @@ load_keys (void)
unload_file (data);
+#ifdef ENABLE_PKCS11
if (strncmp (pgp_keyfile, "pkcs11:", 7) == 0)
{
gnutls_pkcs11_privkey_init (&pkcs11_key);
@@ -308,6 +313,7 @@ load_keys (void)
}
}
else
+#endif /* ENABLE_PKCS11 */
{
data = load_file (pgp_keyfile);
@@ -744,7 +750,9 @@ main (int argc, char **argv)
exit (1);
}
+#ifdef ENABLE_PKCS11
pkcs11_common ();
+#endif
gaa_parser (argc, argv);
if (hostname == NULL)
{
diff --git a/src/p11tool.c b/src/p11tool.c
index 7e97fb1d7d..ce3bebb0a5 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -161,6 +161,8 @@ gaa_parser (int argc, char **argv)
}
fclose (outfile);
+#ifdef ENABLE_PKCS11
gnutls_pkcs11_deinit ();
+#endif
gnutls_global_deinit ();
}
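Review bot: The `#ifdef ENABLE_PKCS11` guard around `gnutls_pkcs11_deinit ()` looks redundant in this file, because the src/Makefile.am change in the same commit only builds `p11tool` inside `if ENABLE_PKCS11`. This assumes the automake conditional and the C macro are set together by configure, which is not visible here. If so, the guard can never be false and could be dropped. If it is kept for symmetry with certtool.c, a comment such as `/* always defined when p11tool is built; kept for consistency */` would avoid suggesting that a PKCS #11-less p11tool exists.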
diff --git a/src/serv.c b/src/serv.c
index 1c9071547b..2dfb4923c6 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -869,7 +869,9 @@ main (int argc, char **argv)
exit (1);
}
+#ifdef ENABLE_PKCS11
pkcs11_common ();
+#endif
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (debug);