diff options
| author | Stef Walter <stefw@collabora.co.uk> | 2011-06-07 20:20:17 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-06-07 20:21:13 +0200 |
| commit | 18cb0a89d3eb08847fc3ecc8cd9438bb88c7b4fa (patch) | |
| tree | 1c5362536fc4df64222c6b837d9e1bae5d958456 /lib/pkcs11_privkey.c | |
| parent | 91b0db8967863694dee39d9722895e153ca8d580 (diff) | |
| download | gnutls-18cb0a89d3eb08847fc3ecc8cd9438bb88c7b4fa.tar.gz | |
The attached patch ports gnutls to p11-kit.
p11-kit is added as a dependency. p11-kit itself has no dependencies outside of basic libc stuff. The source code for p11-kit is available both in git and tarball form. [3]
If the gnutls dependency on p11-kit is disabled (via a configure option) then the PKCS#11 support is disabled. This is useful in bare bones embedded systems or places where very minimal dependencies are limited.
Diffstat (limited to 'lib/pkcs11_privkey.c')
| -rw-r--r-- | lib/pkcs11_privkey.c | 66 |
1 files changed, 41 insertions, 25 deletions
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index 87878256a8..0485c9a243 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -21,7 +21,6 @@ */ #include <gnutls_int.h> -#include <pakchois/pakchois.h> #include <gnutls/pkcs11.h> #include <stdio.h> #include <stdbool.h> @@ -30,12 +29,13 @@ #include <gnutls_datum.h> #include <pkcs11_int.h> #include <gnutls_sig.h> +#include <p11-kit/uri.h> struct gnutls_pkcs11_privkey_st { gnutls_pk_algorithm_t pk_algorithm; unsigned int flags; - struct pkcs11_url_info info; + struct p11_kit_uri *info; }; /** @@ -57,6 +57,14 @@ gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t * key) return GNUTLS_E_MEMORY_ERROR; } + (*key)->info = p11_kit_uri_new (); + if ((*key)->info == NULL) + { + free (*key); + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + return 0; } @@ -69,6 +77,7 @@ gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t * key) void gnutls_pkcs11_privkey_deinit (gnutls_pkcs11_privkey_t key) { + p11_kit_uri_free (key->info); gnutls_free (key); } @@ -111,20 +120,20 @@ gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t pkey, gnutls_pkcs11_obj_info_t itype, void *output, size_t * output_size) { - return pkcs11_get_info (&pkey->info, itype, output, output_size); + return pkcs11_get_info (pkey->info, itype, output, output_size); } -#define FIND_OBJECT(pks, obj, key) \ +#define FIND_OBJECT(module, pks, obj, key) \ do { \ int retries = 0; \ int rret; \ - ret = pkcs11_find_object (&pks, &obj, &key->info, \ + ret = pkcs11_find_object (&module, &pks, &obj, key->info, \ SESSION_LOGIN); \ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { \ if (token_func) \ { \ - rret = token_func(token_data, key->info.token, retries++); \ + rret = pkcs11_call_token_func (key->info, retries++); \ if (rret == 0) continue; \ } \ gnutls_assert(); \ @@ -154,10 +163,11 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, int ret; struct ck_mechanism mech; unsigned long siglen; - pakchois_session_t *pks; + struct ck_function_list *module; + ck_session_handle_t pks; ck_object_handle_t obj; - FIND_OBJECT (pks, obj, key); + FIND_OBJECT (module, pks, obj, key); mech.mechanism = key->pk_algorithm == GNUTLS_PK_DSA ? CKM_DSA : CKM_RSA_PKCS; @@ -166,7 +176,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, /* Initialize signing operation; using the private key discovered * earlier. */ - rv = pakchois_sign_init (pks, &mech, obj); + rv = pkcs11_sign_init (module, pks, &mech, obj); if (rv != CKR_OK) { gnutls_assert (); @@ -175,7 +185,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, } /* Work out how long the signature must be: */ - rv = pakchois_sign (pks, hash->data, hash->size, NULL, &siglen); + rv = pkcs11_sign (module, pks, hash->data, hash->size, NULL, &siglen); if (rv != CKR_OK) { gnutls_assert (); @@ -186,7 +196,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, signature->data = gnutls_malloc (siglen); signature->size = siglen; - rv = pakchois_sign (pks, hash->data, hash->size, signature->data, &siglen); + rv = pkcs11_sign (module, pks, hash->data, hash->size, signature->data, &siglen); if (rv != CKR_OK) { gnutls_free (signature->data); @@ -200,7 +210,7 @@ _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, ret = 0; cleanup: - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; } @@ -224,7 +234,9 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey, const char *url, unsigned int flags) { int ret; - pakchois_session_t *pks; + struct ck_function_list *module; + struct ck_attribute *attr; + ck_session_handle_t pks; ck_object_handle_t obj; struct ck_attribute a[4]; ck_key_type_t key_type; @@ -238,24 +250,27 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey, pkey->flags = flags; - if (pkey->info.type[0] != 0 && strcmp (pkey->info.type, "private") != 0) + attr = p11_kit_uri_get_attribute (pkey->info, CKA_CLASS); + if (!attr || attr->value_len != sizeof (ck_object_class_t) || + *(ck_object_class_t*)attr->value != CKO_PRIVATE_KEY) { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; } - if (pkey->info.id[0] == 0) + attr = p11_kit_uri_get_attribute (pkey->info, CKA_ID); + if (!attr || !attr->value_len) { gnutls_assert (); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - FIND_OBJECT (pks, obj, pkey); + FIND_OBJECT (module, pks, obj, pkey); a[0].type = CKA_KEY_TYPE; a[0].value = &key_type; a[0].value_len = sizeof (key_type); - if (pakchois_get_attribute_value (pks, obj, a, 1) == CKR_OK) + if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { switch (key_type) { @@ -275,7 +290,7 @@ gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey, ret = 0; cleanup: - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; } @@ -303,10 +318,11 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, int ret; struct ck_mechanism mech; unsigned long siglen; - pakchois_session_t *pks; + struct ck_function_list *module; + ck_session_handle_t pks; ck_object_handle_t obj; - FIND_OBJECT (pks, obj, key); + FIND_OBJECT (module, pks, obj, key); mech.mechanism = key->pk_algorithm == GNUTLS_PK_DSA ? CKM_DSA : CKM_RSA_PKCS; @@ -315,7 +331,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, /* Initialize signing operation; using the private key discovered * earlier. */ - rv = pakchois_decrypt_init (pks, &mech, obj); + rv = pkcs11_decrypt_init (module, pks, &mech, obj); if (rv != CKR_OK) { gnutls_assert (); @@ -324,7 +340,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, } /* Work out how long the plaintext must be: */ - rv = pakchois_decrypt (pks, ciphertext->data, ciphertext->size, + rv = pkcs11_decrypt (module, pks, ciphertext->data, ciphertext->size, NULL, &siglen); if (rv != CKR_OK) { @@ -336,7 +352,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, plaintext->data = gnutls_malloc (siglen); plaintext->size = siglen; - rv = pakchois_decrypt (pks, ciphertext->data, ciphertext->size, + rv = pkcs11_decrypt (module, pks, ciphertext->data, ciphertext->size, plaintext->data, &siglen); if (rv != CKR_OK) { @@ -351,7 +367,7 @@ _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, ret = 0; cleanup: - pakchois_close_session (pks); + pkcs11_close_session (module, pks); return ret; } @@ -374,7 +390,7 @@ gnutls_pkcs11_privkey_export_url (gnutls_pkcs11_privkey_t key, { int ret; - ret = pkcs11_info_to_url (&key->info, detailed, url); + ret = pkcs11_info_to_url (key->info, detailed, url); if (ret < 0) { gnutls_assert (); |