author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-05-31 00:17:14 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-06-03 19:55:02 +0200 |
commit | f0bb0ff371418b5a32fefd50e329733a9afc4b6d (patch) | |
tree | a51abb196c93f7d06764423e8bccd913beb3cebe | |
parent | 0a120e76db70a0db2713d7bcddda07b027ca1842 (diff) | |
download | gnutls-f0bb0ff371418b5a32fefd50e329733a9afc4b6d.tar.gz |
Several fixes after big rebase.
-rw-r--r-- | doc/gnutls.texi | 2 | ||||
-rw-r--r-- | lib/Makefile.am | 10 | ||||
-rwxr-xr-x | lib/build-aux/config.rpath | 34 | ||||
-rw-r--r-- | lib/gcrypt/pk.c | 8 | ||||
-rw-r--r-- | lib/gnutls_privkey.c | 4 | ||||
-rw-r--r-- | lib/pkcs11.c | 226 | ||||
-rw-r--r-- | lib/pkcs11_privkey.c | 2 | ||||
-rw-r--r-- | lib/x509/privkey.c | 3 | ||||
-rw-r--r-- | lib/x509/sign.c | 20 | ||||
-rw-r--r-- | lib/x509/sign.h | 2 | ||||
-rw-r--r-- | lib/x509/verify.c | 5 | ||||
-rw-r--r-- | lib/x509/x509.c | 3 | ||||
-rw-r--r-- | src/pkcs11.c | 164 |
13 files changed, 76 insertions, 407 deletions
diff --git a/doc/gnutls.texi b/doc/gnutls.texi index bbecd1f8bf..eb8c1c73dc 100644 --- a/doc/gnutls.texi +++ b/doc/gnutls.texi @@ -102,6 +102,8 @@ Documentation License''. @include cha-tls-app.texi +@include cha-gtls-app.texi + @include cha-programs.texi @include cha-functions.texi diff --git a/lib/Makefile.am b/lib/Makefile.am index d795fa7a29..22fae3f6be 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -95,16 +95,6 @@ else SUBDIRS += gcrypt endif -if ENABLE_PKCS11 -COBJECTS += pkcs11.c pkcs11_privkey.c -endif - -if ENABLE_NETTLE -SUBDIRS += nettle -else -SUBDIRS += gcrypt -endif - if ENABLE_OPRFI COBJECTS += $(OPRFI_COBJECTS) endif diff --git a/lib/build-aux/config.rpath b/lib/build-aux/config.rpath index 17298f2348..c547c68825 100755 --- a/lib/build-aux/config.rpath +++ b/lib/build-aux/config.rpath @@ -2,7 +2,7 @@ # Output a system dependent set of variables, describing how to set the # run time search path of shared libraries in an executable. # -# Copyright 1996-2010 Free Software Foundation, Inc. +# Copyright 1996-2007 Free Software Foundation, Inc. # Taken from GNU libtool, 2001 # Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996 # @@ -47,7 +47,7 @@ for cc_temp in $CC""; do done cc_basename=`echo "$cc_temp" | sed -e 's%^.*/%%'` -# Code taken from libtool.m4's _LT_COMPILER_PIC. +# Code taken from libtool.m4's AC_LIBTOOL_PROG_COMPILER_PIC. wl= if test "$GCC" = yes; then @@ -64,7 +64,7 @@ else ;; esac ;; - mingw* | cygwin* | pw32* | os2* | cegcc*) + mingw* | cygwin* | pw32* | os2*) ;; hpux9* | hpux10* | hpux11*) wl='-Wl,' @@ -76,13 +76,7 @@ else ;; linux* | k*bsd*-gnu) case $cc_basename in - ecc*) - wl='-Wl,' - ;; - icc* | ifort*) - wl='-Wl,' - ;; - lf95*) + icc* | ecc*) wl='-Wl,' ;; pgcc | pgf77 | pgf90) @@ -130,7 +124,7 @@ else esac fi -# Code taken from libtool.m4's _LT_LINKER_SHLIBS. +# Code taken from libtool.m4's AC_LIBTOOL_PROG_LD_SHLIBS. hardcode_libdir_flag_spec= hardcode_libdir_separator= 
@@ -138,7 +132,7 @@ hardcode_direct=no hardcode_minus_L=no case "$host_os" in - cygwin* | mingw* | pw32* | cegcc*) + cygwin* | mingw* | pw32*) # FIXME: the MSVC++ port hasn't been tested in a loooong time # When not using gcc, we currently assume that we are using # Microsoft Visual C++. @@ -164,7 +158,7 @@ if test "$with_gnu_ld" = yes; then # option of GNU ld is called -rpath, not --rpath. hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' case "$host_os" in - aix[3-9]*) + aix3* | aix4* | aix5*) # On AIX/PPC, the GNU linker is very broken if test "$host_cpu" != ia64; then ld_shlibs=no @@ -188,7 +182,7 @@ if test "$with_gnu_ld" = yes; then ld_shlibs=no fi ;; - cygwin* | mingw* | pw32* | cegcc*) + cygwin* | mingw* | pw32*) # hardcode_libdir_flag_spec is actually meaningless, as there is # no search path for DLLs. hardcode_libdir_flag_spec='-L$libdir' @@ -260,7 +254,7 @@ else hardcode_direct=unsupported fi ;; - aix[4-9]*) + aix4* | aix5*) if test "$host_cpu" = ia64; then # On IA64, the linker does run time linking by default, so we don't # have to do anything special. @@ -270,7 +264,7 @@ else # Test if we are trying to use run time linking or normal # AIX style linking. If -brtl is somewhere in LDFLAGS, we # need to do runtime linking. - case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*) + case $host_os in aix4.[23]|aix4.[23].*|aix5*) for ld_flag in $LDFLAGS; do if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then aix_use_runtimelinking=yes @@ -332,7 +326,7 @@ else ;; bsdi[45]*) ;; - cygwin* | mingw* | pw32* | cegcc*) + cygwin* | mingw* | pw32*) # When not using gcc, we currently assume that we are using # Microsoft Visual C++. # hardcode_libdir_flag_spec is actually meaningless, as there is 
@@ -500,7 +494,7 @@ else fi # Check dynamic linker characteristics -# Code taken from libtool.m4's _LT_SYS_DYNAMIC_LINKER. +# Code taken from libtool.m4's AC_LIBTOOL_SYS_DYNAMIC_LINKER. # Unlike libtool.m4, here we don't care about _all_ names of the library, but # only about the one the linker finds when passed -lNAME. This is the last # element of library_names_spec in libtool.m4, or possibly two of them if the @@ -511,7 +505,7 @@ case "$host_os" in aix3*) library_names_spec='$libname.a' ;; - aix[4-9]*) + aix4* | aix5*) library_names_spec='$libname$shrext' ;; amigaos*) @@ -523,7 +517,7 @@ case "$host_os" in bsdi[45]*) library_names_spec='$libname$shrext' ;; - cygwin* | mingw* | pw32* | cegcc*) + cygwin* | mingw* | pw32*) shrext=.dll library_names_spec='$libname.dll.a $libname.lib' ;; diff --git a/lib/gcrypt/pk.c b/lib/gcrypt/pk.c index f8af1ec4ea..c0b0005161 100644 --- a/lib/gcrypt/pk.c +++ b/lib/gcrypt/pk.c @@ -800,7 +800,7 @@ wrap_gcry_pk_fixup (gnutls_pk_algorithm_t algo, gnutls_direction_t direction, gnutls_pk_params_st * params) { - int ret; + int ret, result; /* only for RSA we invert the coefficient --pgp type */ @@ -821,9 +821,9 @@ wrap_gcry_pk_fixup (gnutls_pk_algorithm_t algo, if (direction == GNUTLS_IMPORT) { /* calculate exp1 [6] and exp2 [7] */ - _gnutls_mpi_release(&pk_params.params[6]); - _gnutls_mpi_release(&pk_params.params[7]); - result = _gnutls_calc_rsa_exp(pk_params.params, RSA_PRIVATE_PARAMS); + _gnutls_mpi_release(¶ms->params[6]); + _gnutls_mpi_release(¶ms->params[7]); + result = _gnutls_calc_rsa_exp(params->params, RSA_PRIVATE_PARAMS); if (result < 0) { gnutls_assert(); diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c index 9c5d4f0439..185a1e966e 100644 --- a/lib/gnutls_privkey.c +++ b/lib/gnutls_privkey.c 
@@ -202,7 +202,7 @@ int gnutls_privkey_import_openpgp (gnutls_privkey_t pkey, gnutls_openpgp_privkey /** * gnutls_privkey_sign_data: * @signer: Holds the key - * @digest: should be MD5 or SHA1 + * @digest: should be a digest algorithm * @flags: should be 0 for now * @data: holds the data to be signed * @signature: will contain the signature allocate with gnutls_malloc() @@ -234,7 +234,7 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer, } break; case GNUTLS_PK_DSA: - ret = pk_dsa_hash(data, &digest); + ret = pk_dsa_hash(hash, data, &digest); if (ret < 0) { gnutls_assert(); return ret; diff --git a/lib/pkcs11.c b/lib/pkcs11.c index 24617a1c98..fbdab0ff36 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -47,9 +47,8 @@ struct flags_find_data_st { unsigned int slot_flags; }; -struct flags_find_data_st { - struct pkcs11_url_info info; - unsigned int slot_flags; +struct url_find_data_st { + gnutls_pkcs11_obj_t crt; }; struct crt_find_data_st { @@ -60,6 +59,7 @@ struct crt_find_data_st { struct pkcs11_url_info info; }; + static struct gnutls_pkcs11_provider_s providers[MAX_PROVIDERS]; static int active_providers = 0; @@ -481,14 +481,12 @@ size_t l; gnutls_assert(); goto cleanup; } - - memcpy(info->id, p1, l); - info->id[l] = 0; } ret = 0; cleanup: + return ret; } @@ -628,7 +626,6 @@ cleanup: int gnutls_pkcs11_obj_init(gnutls_pkcs11_obj_t * crt) { *crt = gnutls_calloc(1, sizeof(struct gnutls_pkcs11_obj_st)); - if (*crt == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; 
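Review bot: The DSA branch now hands the caller-supplied `hash` straight to `pk_dsa_hash(hash, data, &digest)`, whereas the equivalent branch in lib/x509/privkey.c in this same commit derives the digest from the key's q via `_gnutls_dsa_q_to_hash(signer->params[1])`; the hunk in lib/pkcs11_privkey.c has the same shape as this one. Since pk_dsa_hash only whitelists SHA-1/224/256, a caller can request a digest wider than the q of the key in hand and the mismatch is not caught at this layer. If the abstract key does not expose q here (plausible for PKCS#11-backed keys), that constraint should at least be stated in the gtk-doc, e.g. `@digest: the digest algorithm to use; for DSA it must match the size of the key's q (SHA-1, SHA-224 or SHA-256)`. The parameter the doc calls @digest appears to be named `hash` in the body; if so the tag should be `@hash:`. gnutls_privkey_sign_data's body continues outside the hunk.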
@@ -935,28 +932,7 @@ static int pkcs11_obj_import(unsigned int class, gnutls_pkcs11_obj_t crt, const default: crt->type = GNUTLS_PKCS11_OBJ_UNKNOWN; } - - switch(class) { - case CKO_CERTIFICATE: - crt->type = GNUTLS_PKCS11_OBJ_X509_CRT; - break; - case CKO_PUBLIC_KEY: - crt->type = GNUTLS_PKCS11_OBJ_PUBKEY; - break; - case CKO_PRIVATE_KEY: - crt->type = GNUTLS_PKCS11_OBJ_PRIVKEY; - break; - case CKO_SECRET_KEY: - crt->type = GNUTLS_PKCS11_OBJ_SECRET_KEY; - break; - case CKO_DATA: - crt->type = GNUTLS_PKCS11_OBJ_DATA; - break; - default: - crt->type = GNUTLS_PKCS11_OBJ_UNKNOWN; - } ->>>>>>> Added gnutls_pubkey_t abstract type to handle public keys. It can currently:lib/pkcs11.c if (crt->type != GNUTLS_PKCS11_OBJ_UNKNOWN) strcpy(crt->info.type, pkcs11_obj_type_to_str(crt->type)); 
@@ -1666,175 +1642,6 @@ static int find_privkeys(pakchois_session_t *pks, struct token_info* info, struc return 0; } -struct pkey_list { - gnutls_string *key_ids; - size_t key_ids_size; -}; - -int pkcs11_login(pakchois_session_t *pks, struct token_info *info) -{ - int attempt = 0; - ck_rv_t rv; - - if (pakchois_get_token_info(info->prov->module, info->sid, &info->tinfo) != CKR_OK) { - gnutls_assert(); - _gnutls_debug_log( "pk11: GetTokenInfo failed\n"); - return GNUTLS_E_PKCS11_ERROR; - } - - /* force login on HW tokens. Some tokens will not list private keys - * if login has not been performed. - */ - if ((info->tinfo.flags & CKF_LOGIN_REQUIRED) == 0) { - gnutls_assert(); - _gnutls_debug_log( "pk11: No login required.\n"); - return 0; - } - - /* For a token with a "protected" (out-of-band) authentication - * path, calling login with a NULL username is all that is - * required. */ - if (info->tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { - if (pakchois_login(pks, CKU_USER, NULL, 0) == CKR_OK) { - return 0; - } - else { - gnutls_assert(); - _gnutls_debug_log( "pk11: Protected login failed.\n"); - return GNUTLS_E_PKCS11_ERROR; - } - } - - /* Otherwise, PIN entry is necessary for login, so fail if there's - * no callback. */ - if (!pin_func) { - gnutls_assert(); - _gnutls_debug_log("pk11: No pin callback but login required.\n"); - return GNUTLS_E_PKCS11_ERROR; - } - - terminate_string(info->sinfo.slot_description, sizeof info->sinfo.slot_description); - - do { - char pin[GNUTLS_PKCS11_MAX_PIN_LEN]; - unsigned int flags = 0; - - /* If login has been attempted once already, check the token - * status again, the flags might change. 
*/ - if (attempt) { - if (pakchois_get_token_info(info->prov->module, info->sid, - &info->tinfo) != CKR_OK) { - gnutls_assert(); - _gnutls_debug_log( "pk11: GetTokenInfo failed\n"); - return GNUTLS_E_PKCS11_ERROR; - } - } - - if (info->tinfo.flags & CKF_USER_PIN_COUNT_LOW) - flags |= GNUTLS_PKCS11_PIN_COUNT_LOW; - if (info->tinfo.flags & CKF_USER_PIN_FINAL_TRY) - flags |= GNUTLS_PKCS11_PIN_FINAL_TRY; - - terminate_string(info->tinfo.label, sizeof info->tinfo.label); - - if (pin_func(pin_data, attempt++, - (char *)info->sinfo.slot_description, - (char *)info->tinfo.label, flags, pin, sizeof(pin))) { - gnutls_assert(); - return GNUTLS_E_PKCS11_PIN_ERROR; - } - - rv = pakchois_login(pks, CKU_USER, (unsigned char *)pin, strlen(pin)); - /* Try to scrub the pin off the stack. Clever compilers will - * probably optimize this away, oh well. */ - memset(pin, 0, sizeof pin); - } while (rv == CKR_PIN_INCORRECT); - - _gnutls_debug_log("pk11: Login result = %lu\n", rv); - - return (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN) ? 0 : GNUTLS_E_PKCS11_ERROR; -} - -static int find_privkeys(pakchois_session_t *pks, struct token_info* info, struct pkey_list *list) -{ - struct ck_attribute a[3]; - ck_object_class_t class; - ck_rv_t rv; - ck_object_handle_t obj; - unsigned long count, current; - char certid_tmp[PKCS11_ID_SIZE]; - - class = CKO_PRIVATE_KEY; - - /* Find an object with private key class and a certificate ID - * which matches the certificate. */ - /* FIXME: also match the cert subject. 
*/ - a[0].type = CKA_CLASS; - a[0].value = &class; - a[0].value_len = sizeof class; - - rv = pakchois_find_objects_init(pks, a, 1); - if (rv != CKR_OK) { - gnutls_assert(); - return GNUTLS_E_PKCS11_ERROR; - } - - list->key_ids_size = 0; - while (pakchois_find_objects(pks, &obj, 1, &count) == CKR_OK - && count == 1) { - list->key_ids_size++; - } - - pakchois_find_objects_final(pks); - - if (list->key_ids_size == 0) { - gnutls_assert(); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - list->key_ids = gnutls_malloc(sizeof(gnutls_string)*list->key_ids_size); - if (list->key_ids == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - /* actual search */ - a[0].type = CKA_CLASS; - a[0].value = &class; - a[0].value_len = sizeof class; - - rv = pakchois_find_objects_init(pks, a, 1); - if (rv != CKR_OK) { - gnutls_assert(); - return GNUTLS_E_PKCS11_ERROR; - } - - current = 0; - while (pakchois_find_objects(pks, &obj, 1, &count) == CKR_OK - && count == 1) { - - a[0].type = CKA_ID; - a[0].value = certid_tmp; - a[0].value_len = sizeof(certid_tmp); - - _gnutls_string_init(&list->key_ids[current], gnutls_malloc, gnutls_realloc, gnutls_free); - - if (pakchois_get_attribute_value(pks, obj, a, 1) == CKR_OK) { - _gnutls_string_append_data(&list->key_ids[current], a[0].value, a[0].value_len); - current++; - } - - if (current > list->key_ids_size) - break; - } - - pakchois_find_objects_final(pks); - - list->key_ids_size = current-1; - - return 0; -} - /* Recover certificate list from tokens */ @@ -2062,7 +1869,6 @@ static int find_objs(pakchois_session_t *pks, struct token_info *info, void* inp } else { ret = pkcs11_obj_import(class, find_data->p_list[find_data->current], &value, &id, &label, &info->tinfo); } - if (ret < 0) { gnutls_assert(); goto fail; 
@@ -2318,3 +2124,27 @@ const char* gnutls_pkcs11_type_get_name (gnutls_pkcs11_obj_type_t type) } } +int pkcs11_token_matches_info( struct pkcs11_url_info* info, struct ck_token_info* tinfo) +{ + if (info->manufacturer[0] != 0) { + if (strcmp(info->manufacturer, tinfo->manufacturer_id) != 0) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + if (info->token[0] != 0) { + if (strcmp(info->token, tinfo->label) != 0) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + if (info->model[0] != 0) { + if (strcmp(info->model, tinfo->model) != 0) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + if (info->serial[0] != 0) { + if (strcmp(info->serial, tinfo->serial_number) != 0) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + return 0; +} diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index d2d453c826..6423839514 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -169,7 +169,7 @@ gnutls_pkcs11_privkey_sign_data(gnutls_pkcs11_privkey_t signer, } break; case GNUTLS_PK_DSA: - ret = pk_dsa_hash(data, &digest); + ret = pk_dsa_hash(hash, data, &digest); if (ret < 0) { gnutls_assert(); return ret; diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 99ce0b9c89..7de84d22bc 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -1649,7 +1649,8 @@ gnutls_x509_privkey_sign_data2 (gnutls_x509_privkey_t signer, } break; case GNUTLS_PK_DSA: - ret = pk_dsa_hash (data, &digest); + /* override hash for DSA */ + ret = pk_dsa_hash (_gnutls_dsa_q_to_hash(signer->params[1]), data, &digest); if (ret < 0) { gnutls_assert (); diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 22b1a57eb7..ca0f768f09 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c 
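Review bot: `pkcs11_token_matches_info` runs `strcmp` on `tinfo->manufacturer_id`, `tinfo->label`, `tinfo->model` and `tinfo->serial_number`, but the CK_TOKEN_INFO fields are fixed-size, space-padded arrays that PKCS#11 does not NUL-terminate, so the comparison fails to match a token whose name is shorter than the field (padding spaces differ from the terminator) and, when the URL component fills the field, reads past it. The code this commit removes called `terminate_string(info->tinfo.label, sizeof info->tinfo.label)` before using that field, so either apply the same treatment here to the four fields being compared, or document the precondition in a header comment: `/* Compares the non-empty fields of @info with @tinfo; expects the tinfo strings to have been NUL-terminated and space-trimmed with terminate_string() beforehand. Returns 0 on match, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE otherwise. */`. The function is non-static but no declaration is added in this commit; if it is meant for other compilation units, add the prototype to the relevant internal header, otherwise make it `static`.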
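Review bot: The caller's digest algorithm is silently replaced for DSA keys by `_gnutls_dsa_q_to_hash(signer->params[1])`, and the added comment `/* override hash for DSA */` says what is done but not why or what the caller should expect. Suggest `/* DSA: the digest is dictated by the bit length of q, so the requested algorithm is ignored */` and a matching sentence in the function's gtk-doc stating that the digest parameter is ignored for DSA keys. If `_gnutls_dsa_q_to_hash` can return a value outside SHA-1/224/256 for unusual q sizes, pk_dsa_hash now fails with GNUTLS_E_INVALID_REQUEST, which the documentation should also reflect. gnutls_x509_privkey_sign_data2's body starts and ends outside the hunk.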
@@ -163,17 +163,21 @@ pk_pkcs1_rsa_hash (gnutls_digest_algorithm_t hash, const gnutls_datum_t * text, } int -pk_dsa_hash (const gnutls_datum_t * text, gnutls_datum_t * hash) +pk_dsa_hash (gnutls_digest_algorithm_t hash, const gnutls_datum_t * text, gnutls_datum_t * digest) { int ret; digest_hd_st hd; - gnutls_datum_t digest; - gnutls_digest_algorithm_t hash = _gnutls_dsa_q_to_hash(params[1]); + if (hash != GNUTLS_DIG_SHA1 && hash != GNUTLS_DIG_SHA224 && + hash != GNUTLS_DIG_SHA256) + { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - hash->size = _gnutls_hash_get_algo_len(hash); - hash->data = gnutls_malloc( hash->size); - if (hash->data == NULL) + digest->size = _gnutls_hash_get_algo_len(hash); + digest->data = gnutls_malloc( digest->size); + if (digest->data == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; @@ -188,12 +192,12 @@ pk_dsa_hash (const gnutls_datum_t * text, gnutls_datum_t * hash) _gnutls_hash (&hd, text->data, text->size); - _gnutls_hash_deinit (&hd, hash->data); + _gnutls_hash_deinit (&hd, digest->data); return 0; fail: - gnutls_free(hash->data); + gnutls_free(digest->data); return ret; } diff --git a/lib/x509/sign.h b/lib/x509/sign.h index 291458ddcd..cce2ca8786 100644 --- a/lib/x509/sign.h +++ b/lib/x509/sign.h @@ -2,6 +2,6 @@ # define GNUTLS_SIGN_H int pk_pkcs1_rsa_hash (gnutls_digest_algorithm_t hash, const gnutls_datum_t * text, gnutls_datum_t * output); -int pk_dsa_hash (const gnutls_datum_t * text, gnutls_datum_t * hash); +int pk_dsa_hash (gnutls_digest_algorithm_t hash, const gnutls_datum_t * text, gnutls_datum_t * output); #endif diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 143c90b4f6..81beea04aa 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -934,11 +934,6 @@ _gnutls_x509_verify_algorithm (gnutls_mac_algorithm_t * hash, } cleanup: - /* release allocated mpis */ - for (i = 0; i < issuer_params_size; i++) - { - _gnutls_mpi_release (&issuer_params[i]); - } return ret; 
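Review bot: On the `fail:` path `pk_dsa_hash` frees `digest->data` but leaves `digest->data` and `digest->size` pointing at the freed buffer, so a caller that inspects the datum after an error holds a dangling pointer; add `digest->data = NULL; digest->size = 0;` after the `gnutls_free`. The code between the two hunks that jumps to `fail` (presumably the `_gnutls_hash_init` error check) is not shown here. The declaration in lib/x509/sign.h names the last parameter `output` while this definition names it `digest`; align them and add a doc comment stating that on success the digest is allocated with gnutls_malloc and owned by the caller.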
diff --git a/lib/x509/x509.c b/lib/x509/x509.c index 17bd34a1e7..0a4229cdef 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -2542,9 +2542,6 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt, * This function will verify the given signed data, using the * parameters from the certificate. * - * Note: Use gnutls_x509_crt_verify_hash() instead. This function - * does not do the implied hashing of the data. - * * Returns: In case of a verification failure 0 is returned, and 1 on * success. **/ diff --git a/src/pkcs11.c b/src/pkcs11.c index c27dd03e25..dc3e8a355a 100644 --- a/src/pkcs11.c +++ b/src/pkcs11.c 
@@ -372,177 +372,33 @@ int ret; unsigned int flags = 0; unsigned int key_usage; -} - -void pkcs11_export(FILE* outfile, const char* url) -{ -gnutls_pkcs11_crt_t crt; -gnutls_x509_crt_t xcrt; -int ret; -size_t size; - pkcs11_common(); if (url == NULL) url = "pkcs11:"; - ret = gnutls_pkcs11_obj_init(&crt); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - - ret = gnutls_pkcs11_obj_import_url( crt, url); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - - switch(gnutls_pkcs11_obj_get_type(crt)) { - case GNUTLS_PKCS11_OBJ_X509_CRT: - ret = gnutls_x509_crt_init(&xcrt); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - - ret = gnutls_x509_crt_import_pkcs11(xcrt, crt); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - - size = buffer_size; - ret = gnutls_x509_crt_export (xcrt, GNUTLS_X509_FMT_PEM, buffer, &size); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - fwrite (buffer, 1, size, outfile); - - gnutls_x509_crt_deinit(xcrt); - break; - case GNUTLS_PKCS11_OBJ_PUBKEY: - ret = gnutls_pubkey_init(&pubkey); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - - ret = gnutls_pubkey_import_pkcs11(pubkey, crt, 0); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - - size = buffer_size; - ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_PEM, buffer, &size); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - fwrite (buffer, 1, size, outfile); - - gnutls_pubkey_deinit(pubkey); - break; - default: { - gnutls_datum data, enc; - - size = 
buffer_size; - ret = gnutls_pkcs11_obj_export (crt, buffer, &size); - if (ret < 0) { - break; - } - - data.data = buffer; - data.size = size; - - ret = gnutls_pem_base64_encode_alloc("DATA", &data, &enc); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - - fwrite (enc.data, 1, enc.size, outfile); - - gnutls_free(enc.data); - break; - } - } - fputs("\n\n", outfile); - - - gnutls_pkcs11_obj_deinit(crt); - - return; - -} - -void pkcs11_token_list(FILE* outfile) -{ -int ret; -int i; -char *url; -char buf[128]; -size_t size; - - pkcs11_common(); - - for (i=0;;i++) { - ret = gnutls_pkcs11_token_get_url(i, &url); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - + xcrt = load_cert(0); + if (xcrt != NULL) { + if (trusted) + flags |= GNUTLS_PKCS11_OBJ_FLAG_TRUSTED; + ret = gnutls_pkcs11_copy_x509_crt(url, xcrt, label, flags); if (ret < 0) { fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); exit(1); } - fprintf(outfile, "Token %d:\n\tURL: %s\n", i, url); - - size = sizeof(buf); - ret = gnutls_pkcs11_token_get_info(url, GNUTLS_PKCS11_TOKEN_LABEL, buf, &size); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - - fprintf(outfile, "\tLabel: %s\n", buf); - - size = sizeof(buf); - ret = gnutls_pkcs11_token_get_info(url, GNUTLS_PKCS11_TOKEN_MANUFACTURER, buf, &size); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - - fprintf(outfile, "\tManufacturer: %s\n", buf); - - size = sizeof(buf); - ret = gnutls_pkcs11_token_get_info(url, GNUTLS_PKCS11_TOKEN_MODEL, buf, &size); - if (ret < 0) { - fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); - exit(1); - } - - fprintf(outfile, "\tModel: %s\n", buf); + gnutls_x509_crt_get_key_usage(xcrt, &key_usage, NULL); + } - size = sizeof(buf); - ret = 
gnutls_pkcs11_token_get_info(url, GNUTLS_PKCS11_TOKEN_SERIAL, buf, &size); + xkey = load_private_key(0); + if (xkey != NULL) { + ret = gnutls_pkcs11_copy_x509_privkey(url, xkey, label, key_usage); if (ret < 0) { fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); exit(1); } - - fprintf(outfile, "\tSerial: %s\n", buf); - fprintf(outfile, "\n\n"); - - gnutls_free(url); - } - return; - if (xkey == NULL && xcrt == NULL) { fprintf(stderr, "You must use --load-privkey or --load-certificate to load the file to be copied\n"); exit (1); |
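Review bot: `key_usage` is declared without an initializer in the context above and is only assigned by `gnutls_x509_crt_get_key_usage(xcrt, &key_usage, NULL)` inside `if (xcrt != NULL)`, so when only a private key is loaded the new `gnutls_pkcs11_copy_x509_privkey(url, xkey, label, key_usage)` call passes an indeterminate value; change the declaration to `unsigned int key_usage = 0;`. The return value of `gnutls_x509_crt_get_key_usage` is also ignored; if it fails for a certificate without a key-usage extension, `key_usage` is presumably left untouched, which the same initializer covers, but a short comment there (`/* no key-usage extension: copy with no usage restriction */`) would make the intent explicit. The enclosing function's signature is outside the hunk, so whether `url` and `label` are validated before this point cannot be seen here.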