search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
better function naming.
[gnutls.git] / lib / pkcs11.c
blob4897f629e956f6008c220e7ea42e77b924729a2b
1 /*
2 * GnuTLS PKCS#11 support
3 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
4 * Copyright (C) 2008, Joe Orton <joe@manyfish.co.uk>
5 *
6 * Authors: Nikos Mavrogiannopoulos, Stef Walter
7 *
8 * Inspired and some parts (pkcs11_login) based on neon PKCS #11 support
9 * by Joe Orton. More ideas came from the pkcs11-helper library by
10 * Alon Bar-Lev.
11 *
12 * The GnuTLS is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU Lesser General Public License
14 * as published by the Free Software Foundation; either version 3 of
15 * the License, or (at your option) any later version.
16 *
17 * This library is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 * Lesser General Public License for more details.
21 *
22 * You should have received a copy of the GNU Lesser General Public License
23 * along with this program. If not, see <http://www.gnu.org/licenses/>
24 */
25
26 #include <gnutls_int.h>
27 #include <gnutls/pkcs11.h>
28 #include <stdio.h>
29 #include <string.h>
30 #include <gnutls_errors.h>
31 #include <gnutls_datum.h>
32
33
34 #include <pkcs11_int.h>
35 #include <p11-kit/p11-kit.h>
36 #include <p11-kit/pin.h>
37
38 #define MAX_PROVIDERS 16
39
40 /* XXX: try to eliminate this */
41 #define MAX_CERT_SIZE 8*1024
42
43 struct gnutls_pkcs11_provider_s
44 {
45 struct ck_function_list *module;
46 unsigned long nslots;
47 ck_slot_id_t *slots;
48 struct ck_info info;
49 unsigned int initialized;
50 };
51
52 struct flags_find_data_st
53 {
54 struct p11_kit_uri *info;
55 unsigned int slot_flags;
56 };
57
58 struct url_find_data_st
59 {
60 gnutls_pkcs11_obj_t crt;
61 };
62
63 struct crt_find_data_st
64 {
65 gnutls_pkcs11_obj_t *p_list;
66 unsigned int *n_list;
67 unsigned int current;
68 gnutls_pkcs11_obj_attr_t flags;
69 struct p11_kit_uri *info;
70 };
71
72
73 static struct gnutls_pkcs11_provider_s providers[MAX_PROVIDERS];
74 static unsigned int active_providers = 0;
75 static unsigned int initialized_registered = 0;
76
77 static gnutls_pkcs11_pin_callback_t pin_func;
78 static void *pin_data;
79
80 gnutls_pkcs11_token_callback_t token_func;
81 void *token_data;
82
83 int
84 pkcs11_rv_to_err (ck_rv_t rv)
85 {
86 switch (rv)
87 {
88 case CKR_OK:
89 return 0;
90 case CKR_HOST_MEMORY:
91 return GNUTLS_E_MEMORY_ERROR;
92 case CKR_SLOT_ID_INVALID:
93 return GNUTLS_E_PKCS11_SLOT_ERROR;
94 case CKR_ARGUMENTS_BAD:
95 case CKR_MECHANISM_PARAM_INVALID:
96 return GNUTLS_E_INVALID_REQUEST;
97 case CKR_NEED_TO_CREATE_THREADS:
98 case CKR_CANT_LOCK:
99 case CKR_FUNCTION_NOT_PARALLEL:
100 case CKR_MUTEX_BAD:
101 case CKR_MUTEX_NOT_LOCKED:
102 return GNUTLS_E_LOCKING_ERROR;
103 case CKR_ATTRIBUTE_READ_ONLY:
104 case CKR_ATTRIBUTE_SENSITIVE:
105 case CKR_ATTRIBUTE_TYPE_INVALID:
106 case CKR_ATTRIBUTE_VALUE_INVALID:
107 return GNUTLS_E_PKCS11_ATTRIBUTE_ERROR;
108 case CKR_DEVICE_ERROR:
109 case CKR_DEVICE_MEMORY:
110 case CKR_DEVICE_REMOVED:
111 return GNUTLS_E_PKCS11_DEVICE_ERROR;
112 case CKR_DATA_INVALID:
113 case CKR_DATA_LEN_RANGE:
114 case CKR_ENCRYPTED_DATA_INVALID:
115 case CKR_ENCRYPTED_DATA_LEN_RANGE:
116 case CKR_OBJECT_HANDLE_INVALID:
117 return GNUTLS_E_PKCS11_DATA_ERROR;
118 case CKR_FUNCTION_NOT_SUPPORTED:
119 case CKR_MECHANISM_INVALID:
120 return GNUTLS_E_PKCS11_UNSUPPORTED_FEATURE_ERROR;
121 case CKR_KEY_HANDLE_INVALID:
122 case CKR_KEY_SIZE_RANGE:
123 case CKR_KEY_TYPE_INCONSISTENT:
124 case CKR_KEY_NOT_NEEDED:
125 case CKR_KEY_CHANGED:
126 case CKR_KEY_NEEDED:
127 case CKR_KEY_INDIGESTIBLE:
128 case CKR_KEY_FUNCTION_NOT_PERMITTED:
129 case CKR_KEY_NOT_WRAPPABLE:
130 case CKR_KEY_UNEXTRACTABLE:
131 return GNUTLS_E_PKCS11_KEY_ERROR;
132 case CKR_PIN_INCORRECT:
133 case CKR_PIN_INVALID:
134 case CKR_PIN_LEN_RANGE:
135 return GNUTLS_E_PKCS11_PIN_ERROR;
136 case CKR_PIN_EXPIRED:
137 return GNUTLS_E_PKCS11_PIN_EXPIRED;
138 case CKR_PIN_LOCKED:
139 return GNUTLS_E_PKCS11_PIN_LOCKED;
140 case CKR_SESSION_CLOSED:
141 case CKR_SESSION_COUNT:
142 case CKR_SESSION_HANDLE_INVALID:
143 case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
144 case CKR_SESSION_READ_ONLY:
145 case CKR_SESSION_EXISTS:
146 case CKR_SESSION_READ_ONLY_EXISTS:
147 case CKR_SESSION_READ_WRITE_SO_EXISTS:
148 return GNUTLS_E_PKCS11_SESSION_ERROR;
149 case CKR_SIGNATURE_INVALID:
150 case CKR_SIGNATURE_LEN_RANGE:
151 return GNUTLS_E_PKCS11_SIGNATURE_ERROR;
152 case CKR_TOKEN_NOT_PRESENT:
153 case CKR_TOKEN_NOT_RECOGNIZED:
154 case CKR_TOKEN_WRITE_PROTECTED:
155 return GNUTLS_E_PKCS11_TOKEN_ERROR;
156 case CKR_USER_ALREADY_LOGGED_IN:
157 case CKR_USER_NOT_LOGGED_IN:
158 case CKR_USER_PIN_NOT_INITIALIZED:
159 case CKR_USER_TYPE_INVALID:
160 case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
161 case CKR_USER_TOO_MANY_TYPES:
162 return GNUTLS_E_PKCS11_USER_ERROR;
163 case CKR_BUFFER_TOO_SMALL:
164 return GNUTLS_E_SHORT_MEMORY_BUFFER;
165 default:
166 return GNUTLS_E_PKCS11_ERROR;
167 }
168 }
169
170 /* Fake scan */
171 void
172 pkcs11_rescan_slots (void)
173 {
174 unsigned long slots;
175
176 pkcs11_get_slot_list (providers[active_providers - 1].module, 0,
177 NULL, &slots);
178 }
179
180 static int
181 pkcs11_add_module (const char *name, struct ck_function_list *module)
182 {
183 struct ck_info info;
184 unsigned int i;
185
186 if (active_providers >= MAX_PROVIDERS)
187 {
188 gnutls_assert ();
189 return GNUTLS_E_CONSTRAINT_ERROR;
190 }
191
192 /* initially check if this module is a duplicate */
193 memset(&info, 0, sizeof(info));
194 pkcs11_get_module_info (module, &info);
195 for (i=0;i<active_providers;i++)
196 {
197 /* already loaded, skip the rest */
198 if (memcmp(&info, &providers[i].info, sizeof(info)) == 0)
199 {
200 _gnutls_debug_log("%s is already loaded.\n", name);
201 return GNUTLS_E_INT_RET_0;
202 }
203 }
204
205 active_providers++;
206 providers[active_providers - 1].module = module;
207
208 /* cache the number of slots in this module */
209 if (pkcs11_get_slot_list
210 (providers[active_providers - 1].module, 0, NULL,
211 &providers[active_providers - 1].nslots) != CKR_OK)
212 {
213 gnutls_assert ();
214 goto fail;
215 }
216
217 providers[active_providers - 1].slots =
218 gnutls_malloc (sizeof (*providers[active_providers - 1].slots) *
219 providers[active_providers - 1].nslots);
220 if (providers[active_providers - 1].slots == NULL)
221 {
222 gnutls_assert ();
223 goto fail;
224 }
225
226 if (pkcs11_get_slot_list
227 (providers[active_providers - 1].module, 0,
228 providers[active_providers - 1].slots,
229 &providers[active_providers - 1].nslots) != CKR_OK)
230 {
231 gnutls_assert ();
232 gnutls_free (providers[active_providers - 1].slots);
233 goto fail;
234 }
235
236 memcpy (&providers[active_providers - 1].info, &info, sizeof(info));
237
238 _gnutls_debug_log ("p11: loaded provider '%s' with %d slots\n",
239 name, (int) providers[active_providers - 1].nslots);
240
241 return 0;
242
243 fail:
244 active_providers--;
245 return GNUTLS_E_PKCS11_LOAD_ERROR;
246 }
247
248
249 /**
250 * gnutls_pkcs11_add_provider:
251 * @name: The filename of the module
252 * @params: should be NULL
253 *
254 * This function will load and add a PKCS 11 module to the module
255 * list used in gnutls. After this function is called the module will
256 * be used for PKCS 11 operations.
257 *
258 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
259 * negative error value.
260 *
261 * Since: 2.12.0
262 **/
263 int
264 gnutls_pkcs11_add_provider (const char *name, const char *params)
265 {
266 struct ck_function_list *module;
267 int ret;
268
269 active_providers++;
270 if (p11_kit_load_initialize_module (name, &module) != CKR_OK)
271 {
272 gnutls_assert ();
273 _gnutls_debug_log ("p11: Cannot load provider %s\n", name);
274 active_providers--;
275 return GNUTLS_E_PKCS11_LOAD_ERROR;
276 }
277
278 ret = pkcs11_add_module (name, module);
279 if (ret == 0)
280 {
281 /* Mark this one as having been separately initialized */
282 providers[active_providers - 1].initialized = 1;
283 }
284 else
285 {
286 if (ret == GNUTLS_E_INT_RET_0) ret = 0;
287 p11_kit_finalize_module (module);
288 gnutls_assert ();
289 }
290
291 return ret;
292 }
293
294
295 /**
296 * gnutls_pkcs11_obj_get_info:
297 * @crt: should contain a #gnutls_pkcs11_obj_t structure
298 * @itype: Denotes the type of information requested
299 * @output: where output will be stored
300 * @output_size: contains the maximum size of the output and will be overwritten with actual
301 *
302 * This function will return information about the PKCS11 certificate
303 * such as the label, id as well as token information where the key is
304 * stored. When output is text it returns null terminated string
305 * although @output_size contains the size of the actual data only.
306 *
307 * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
308 *
309 * Since: 2.12.0
310 **/
311 int
312 gnutls_pkcs11_obj_get_info (gnutls_pkcs11_obj_t crt,
313 gnutls_pkcs11_obj_info_t itype,
314 void *output, size_t * output_size)
315 {
316 return pkcs11_get_info (crt->info, itype, output, output_size);
317 }
318
319 int
320 pkcs11_get_info (struct p11_kit_uri *info,
321 gnutls_pkcs11_obj_info_t itype, void *output,
322 size_t * output_size)
323 {
324 struct ck_attribute *attr = NULL;
325 struct ck_version *version = NULL;
326 const uint8_t *str = NULL;
327 size_t str_max = 0;
328 int terminate = 0;
329 int hexify = 0;
330 size_t length = 0;
331 const char *data = NULL;
332 char buf[32];
333
334 /*
335 * Either attr, str or version is valid by the time switch
336 * finishes
337 */
338
339 switch (itype)
340 {
341 case GNUTLS_PKCS11_OBJ_ID:
342 attr = p11_kit_uri_get_attribute (info, CKA_ID);
343 break;
344 case GNUTLS_PKCS11_OBJ_ID_HEX:
345 attr = p11_kit_uri_get_attribute (info, CKA_ID);
346 hexify = 1;
347 terminate = 1;
348 break;
349 case GNUTLS_PKCS11_OBJ_LABEL:
350 attr = p11_kit_uri_get_attribute (info, CKA_LABEL);
351 terminate = 1;
352 break;
353 case GNUTLS_PKCS11_OBJ_TOKEN_LABEL:
354 str = p11_kit_uri_get_token_info (info)->label;
355 str_max = 32;
356 break;
357 case GNUTLS_PKCS11_OBJ_TOKEN_SERIAL:
358 str = p11_kit_uri_get_token_info (info)->serial_number;
359 str_max = 16;
360 break;
361 case GNUTLS_PKCS11_OBJ_TOKEN_MANUFACTURER:
362 str = p11_kit_uri_get_token_info (info)->manufacturer_id;
363 str_max = 32;
364 break;
365 case GNUTLS_PKCS11_OBJ_TOKEN_MODEL:
366 str = p11_kit_uri_get_token_info (info)->model;
367 str_max = 16;
368 break;
369 case GNUTLS_PKCS11_OBJ_LIBRARY_DESCRIPTION:
370 str = p11_kit_uri_get_module_info (info)->library_description;
371 str_max = 32;
372 break;
373 case GNUTLS_PKCS11_OBJ_LIBRARY_VERSION:
374 version = &p11_kit_uri_get_module_info (info)->library_version;
375 break;
376 case GNUTLS_PKCS11_OBJ_LIBRARY_MANUFACTURER:
377 str = p11_kit_uri_get_module_info (info)->manufacturer_id;
378 str_max = 32;
379 break;
380 default:
381 gnutls_assert ();
382 return GNUTLS_E_INVALID_REQUEST;
383 }
384
385 if (attr != NULL)
386 {
387 data = attr->value;
388 length = attr->value_len;
389 }
390 else if (str != NULL)
391 {
392 data = (void*)str;
393 length = p11_kit_space_strlen (str, str_max);
394 terminate = 1;
395 }
396 else if (version != NULL)
397 {
398 data = buf;
399 length = snprintf (buf, sizeof (buf), "%d.%d", (int)version->major,
400 (int)version->minor);
401 terminate = 1;
402 }
403 else
404 {
405 *output_size = 0;
406 if (output) ((uint8_t*)output)[0] = 0;
407 return 0;
408 }
409
410 if (hexify)
411 {
412 /* terminate is assumed with hexify */
413 if (*output_size < length * 3)
414 {
415 *output_size = length * 3;
416 return GNUTLS_E_SHORT_MEMORY_BUFFER;
417 }
418 if (output)
419 _gnutls_bin2hex (data, length, output, *output_size, ":");
420 *output_size = length * 3;
421 return 0;
422 }
423 else
424 {
425 if (*output_size < length + terminate)
426 {
427 *output_size = length + terminate;
428 return GNUTLS_E_SHORT_MEMORY_BUFFER;
429 }
430 if (output)
431 {
432 memcpy (output, data, length);
433 if (terminate)
434 ((unsigned char*)output)[length] = '\0';
435 }
436 *output_size = length + terminate;
437 }
438
439 return 0;
440 }
441
442 static int init = 0;
443
444 /* tries to load modules from /etc/gnutls/pkcs11.conf if it exists
445 */
446 static void _pkcs11_compat_init(const char* configfile)
447 {
448 FILE *fp;
449 int ret;
450 char line[512];
451 const char *library;
452
453 if (configfile == NULL)
454 configfile = "/etc/gnutls/pkcs11.conf";
455
456 fp = fopen (configfile, "r");
457 if (fp == NULL)
458 {
459 gnutls_assert ();
460 return;
461 }
462
463 _gnutls_debug_log ("Loading PKCS #11 libraries from %s\n", configfile);
464 while (fgets (line, sizeof (line), fp) != NULL)
465 {
466 if (strncmp (line, "load", sizeof ("load") - 1) == 0)
467 {
468 char *p;
469 p = strchr (line, '=');
470 if (p == NULL)
471 continue;
472
473 library = ++p;
474 p = strchr (line, '\n');
475 if (p != NULL)
476 *p = 0;
477
478 ret = gnutls_pkcs11_add_provider (library, NULL);
479 if (ret < 0)
480 {
481 gnutls_assert ();
482 _gnutls_debug_log ("Cannot load provider: %s\n", library);
483 continue;
484 }
485 }
486 }
487 fclose(fp);
488
489 return;
490 }
491
492 static int
493 initialize_automatic_p11_kit (void)
494 {
495 struct ck_function_list **modules;
496 char *name;
497 ck_rv_t rv;
498 int i, ret;
499
500 rv = p11_kit_initialize_registered ();
501 if (rv != CKR_OK)
502 {
503 gnutls_assert ();
504 _gnutls_debug_log ("Cannot initialize registered module: %s\n",
505 p11_kit_strerror (rv));
506 return GNUTLS_E_INTERNAL_ERROR;
507 }
508
509 initialized_registered = 1;
510
511 modules = p11_kit_registered_modules ();
512 for (i = 0; modules[i] != NULL; i++)
513 {
514 name = p11_kit_registered_module_to_name (modules[i]);
515 ret = pkcs11_add_module (name, modules[i]);
516 if (ret != 0 && ret != GNUTLS_E_INT_RET_0)
517 {
518 gnutls_assert ();
519 _gnutls_debug_log ("Cannot add registered module: %s\n", name);
520 }
521 free(name);
522 }
523
524 free (modules);
525 return 0;
526 }
527
528 /**
529 * gnutls_pkcs11_init:
530 * @flags: %GNUTLS_PKCS11_FLAG_MANUAL or %GNUTLS_PKCS11_FLAG_AUTO
531 * @deprecated_config_file: either NULL or the location of a deprecated
532 * configuration file
533 *
534 * This function will initialize the PKCS 11 subsystem in gnutls. It will
535 * read configuration files if %GNUTLS_PKCS11_FLAG_AUTO is used or allow
536 * you to independently load PKCS 11 modules using gnutls_pkcs11_add_provider()
537 * if %GNUTLS_PKCS11_FLAG_MANUAL is specified.
538 *
539 * Normally you don't need to call this function since it is being called
540 * by gnutls_global_init() using the %GNUTLS_PKCS11_FLAG_AUTO. If other option
541 * is required then it must be called before it.
542 *
543 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
544 * negative error value.
545 *
546 * Since: 2.12.0
547 **/
548 int
549 gnutls_pkcs11_init (unsigned int flags, const char *deprecated_config_file)
550 {
551 int ret = 0;
552
553 if (init != 0)
554 {
555 init++;
556 return 0;
557 }
558 init++;
559
560 p11_kit_pin_register_callback (P11_KIT_PIN_FALLBACK, p11_kit_pin_file_callback,
561 NULL, NULL);
562
563 if (flags == GNUTLS_PKCS11_FLAG_MANUAL)
564 return 0;
565 else if (flags == GNUTLS_PKCS11_FLAG_AUTO)
566 {
567 if (deprecated_config_file == NULL)
568 ret = initialize_automatic_p11_kit ();
569
570 _pkcs11_compat_init(deprecated_config_file);
571
572 return ret;
573 }
574
575 return 0;
576 }
577
578 /**
579 * gnutls_pkcs11_reinit:
580 *
581 * This function will reinitialize the PKCS 11 subsystem in gnutls.
582 * This is required by PKCS 11 when an application uses fork(). The
583 * reinitialization function must be called on the child.
584 *
585 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
586 * negative error value.
587 *
588 * Since: 3.0
589 **/
590 int gnutls_pkcs11_reinit (void)
591 {
592 int rv;
593
594 rv = p11_kit_initialize_registered ();
595 if (rv != CKR_OK)
596 {
597 gnutls_assert ();
598 _gnutls_debug_log ("Cannot initialize registered module: %s\n",
599 p11_kit_strerror (rv));
600 return GNUTLS_E_INTERNAL_ERROR;
601 }
602
603 return 0;
604 }
605
606 /**
607 * gnutls_pkcs11_deinit:
608 *
609 * This function will deinitialize the PKCS 11 subsystem in gnutls.
610 *
611 * Since: 2.12.0
612 **/
613 void
614 gnutls_pkcs11_deinit (void)
615 {
616 unsigned int i;
617
618 init--;
619 if (init > 0)
620 return;
621 if (init < 0)
622 {
623 init = 0;
624 return;
625 }
626
627 for (i = 0; i < active_providers; i++)
628 {
629 if (providers[i].initialized)
630 p11_kit_finalize_module (providers[i].module);
631 }
632 active_providers = 0;
633
634 if (initialized_registered != 0)
635 p11_kit_finalize_registered ();
636 initialized_registered = 0;
637 }
638
639 /**
640 * gnutls_pkcs11_set_pin_function:
641 * @fn: The PIN callback, a gnutls_pkcs11_pin_callback_t() function.
642 * @userdata: data to be supplied to callback
643 *
644 * This function will set a callback function to be used when a PIN is
645 * required for PKCS 11 operations. See
646 * gnutls_pkcs11_pin_callback_t() on how the callback should behave.
647 *
648 * Since: 2.12.0
649 **/
650 void
651 gnutls_pkcs11_set_pin_function (gnutls_pkcs11_pin_callback_t fn,
652 void *userdata)
653 {
654 pin_func = fn;
655 pin_data = userdata;
656 }
657
658 /**
659 * gnutls_pkcs11_set_token_function:
660 * @fn: The token callback
661 * @userdata: data to be supplied to callback
662 *
663 * This function will set a callback function to be used when a token
664 * needs to be inserted to continue PKCS 11 operations.
665 *
666 * Since: 2.12.0
667 **/
668 void
669 gnutls_pkcs11_set_token_function (gnutls_pkcs11_token_callback_t fn,
670 void *userdata)
671 {
672 token_func = fn;
673 token_data = userdata;
674 }
675
676 int
677 pkcs11_url_to_info (const char *url, struct p11_kit_uri **info)
678 {
679 int allocated = 0;
680 int ret;
681
682 if (*info == NULL)
683 {
684 *info = p11_kit_uri_new ();
685 if (*info == NULL)
686 {
687 gnutls_assert ();
688 return GNUTLS_E_MEMORY_ERROR;
689 }
690 allocated = 1;
691 }
692
693 ret = p11_kit_uri_parse (url, P11_KIT_URI_FOR_ANY, *info);
694 if (ret < 0)
695 {
696 if (allocated)
697 {
698 p11_kit_uri_free (*info);
699 *info = NULL;
700 }
701 gnutls_assert ();
702 return ret == P11_KIT_URI_NO_MEMORY ?
703 GNUTLS_E_MEMORY_ERROR : GNUTLS_E_PARSING_ERROR;
704 }
705
706 return 0;
707 }
708
709 int
710 pkcs11_info_to_url (struct p11_kit_uri *info,
711 gnutls_pkcs11_url_type_t detailed, char **url)
712 {
713 p11_kit_uri_type_t type = 0;
714 int ret;
715
716 switch (detailed)
717 {
718 case GNUTLS_PKCS11_URL_GENERIC:
719 type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN;
720 break;
721 case GNUTLS_PKCS11_URL_LIB:
722 type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE;
723 break;
724 case GNUTLS_PKCS11_URL_LIB_VERSION:
725 type = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE | P11_KIT_URI_FOR_MODULE_WITH_VERSION;
726 break;
727 }
728
729 ret = p11_kit_uri_format (info, type, url);
730 if (ret < 0)
731 {
732 gnutls_assert ();
733 return ret == P11_KIT_URI_NO_MEMORY ?
734 GNUTLS_E_MEMORY_ERROR : GNUTLS_E_INTERNAL_ERROR;
735 }
736
737 return 0;
738 }
739
740 /**
741 * gnutls_pkcs11_obj_init:
742 * @obj: The structure to be initialized
743 *
744 * This function will initialize a pkcs11 certificate structure.
745 *
746 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
747 * negative error value.
748 *
749 * Since: 2.12.0
750 **/
751 int
752 gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * obj)
753 {
754 *obj = gnutls_calloc (1, sizeof (struct gnutls_pkcs11_obj_st));
755 if (*obj == NULL)
756 {
757 gnutls_assert ();
758 return GNUTLS_E_MEMORY_ERROR;
759 }
760
761 (*obj)->info = p11_kit_uri_new ();
762 if ((*obj)->info == NULL)
763 {
764 free (*obj);
765 gnutls_assert ();
766 return GNUTLS_E_MEMORY_ERROR;
767 }
768
769 return 0;
770 }
771
772 /**
773 * gnutls_pkcs11_obj_deinit:
774 * @obj: The structure to be initialized
775 *
776 * This function will deinitialize a certificate structure.
777 *
778 * Since: 2.12.0
779 **/
780 void
781 gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t obj)
782 {
783 _gnutls_free_datum (&obj->raw);
784 p11_kit_uri_free (obj->info);
785 free (obj);
786 }
787
788 /**
789 * gnutls_pkcs11_obj_export:
790 * @obj: Holds the object
791 * @output_data: will contain a certificate PEM or DER encoded
792 * @output_data_size: holds the size of output_data (and will be
793 * replaced by the actual size of parameters)
794 *
795 * This function will export the PKCS11 object data. It is normal for
796 * data to be inaccesible and in that case %GNUTLS_E_INVALID_REQUEST
797 * will be returned.
798 *
799 * If the buffer provided is not long enough to hold the output, then
800 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
801 * be returned.
802 *
803 * If the structure is PEM encoded, it will have a header
804 * of "BEGIN CERTIFICATE".
805 *
806 * Returns: In case of failure a negative error code will be
807 * returned, and %GNUTLS_E_SUCCESS (0) on success.
808 *
809 * Since: 2.12.0
810 **/
811 int
812 gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t obj,
813 void *output_data, size_t * output_data_size)
814 {
815 if (obj == NULL || obj->raw.data == NULL)
816 {
817 gnutls_assert ();
818 return GNUTLS_E_INVALID_REQUEST;
819 }
820
821 if (output_data == NULL || *output_data_size < obj->raw.size)
822 {
823 *output_data_size = obj->raw.size;
824 gnutls_assert ();
825 return GNUTLS_E_SHORT_MEMORY_BUFFER;
826 }
827 *output_data_size = obj->raw.size;
828
829 memcpy (output_data, obj->raw.data, obj->raw.size);
830 return 0;
831 }
832
833 int
834 pkcs11_find_object (struct ck_function_list ** _module,
835 ck_session_handle_t * _pks,
836 ck_object_handle_t * _obj,
837 struct p11_kit_uri *info, unsigned int flags)
838 {
839 int ret;
840 struct ck_function_list *module;
841 ck_session_handle_t pks;
842 ck_object_handle_t obj;
843 struct ck_attribute *attrs;
844 unsigned long attr_count;
845 unsigned long count;
846 ck_rv_t rv;
847
848 ret = pkcs11_open_session (&module, &pks, info, flags & SESSION_LOGIN);
849 if (ret < 0)
850 {
851 gnutls_assert ();
852 return ret;
853 }
854
855 attrs = p11_kit_uri_get_attributes (info, &attr_count);
856 rv = pkcs11_find_objects_init (module, pks, attrs, attr_count);
857 if (rv != CKR_OK)
858 {
859 gnutls_assert ();
860 _gnutls_debug_log ("pk11: FindObjectsInit failed.\n");
861 ret = pkcs11_rv_to_err (rv);
862 goto fail;
863 }
864
865 if (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
866 {
867 *_obj = obj;
868 *_pks = pks;
869 *_module = module;
870 pkcs11_find_objects_final (module, pks);
871 return 0;
872 }
873
874 ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
875 pkcs11_find_objects_final (module, pks);
876 fail:
877 pkcs11_close_session (module, pks);
878
879 return ret;
880 }
881
882 int
883 pkcs11_find_slot (struct ck_function_list ** module, ck_slot_id_t * slot,
884 struct p11_kit_uri *info, struct token_info *_tinfo)
885 {
886 unsigned int x, z;
887
888 for (x = 0; x < active_providers; x++)
889 {
890 for (z = 0; z < providers[x].nslots; z++)
891 {
892 struct token_info tinfo;
893
894 if (pkcs11_get_token_info
895 (providers[x].module, providers[x].slots[z],
896 &tinfo.tinfo) != CKR_OK)
897 {
898 continue;
899 }
900 tinfo.sid = providers[x].slots[z];
901 tinfo.prov = &providers[x];
902
903 if (pkcs11_get_slot_info
904 (providers[x].module, providers[x].slots[z],
905 &tinfo.sinfo) != CKR_OK)
906 {
907 continue;
908 }
909
910 if (!p11_kit_uri_match_token_info (info, &tinfo.tinfo) ||
911 !p11_kit_uri_match_module_info (info, &providers[x].info))
912 {
913 continue;
914 }
915
916 /* ok found */
917 *module = providers[x].module;
918 *slot = providers[x].slots[z];
919
920 if (_tinfo != NULL)
921 memcpy (_tinfo, &tinfo, sizeof (tinfo));
922
923 return 0;
924 }
925 }
926
927 gnutls_assert ();
928 return GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE;
929 }
930
931 int
932 pkcs11_open_session (struct ck_function_list ** _module, ck_session_handle_t * _pks,
933 struct p11_kit_uri *info, unsigned int flags)
934 {
935 ck_rv_t rv;
936 int ret;
937 ck_session_handle_t pks = 0;
938 struct ck_function_list *module;
939 ck_slot_id_t slot;
940 struct token_info tinfo;
941
942 ret = pkcs11_find_slot (&module, &slot, info, &tinfo);
943 if (ret < 0)
944 {
945 gnutls_assert ();
946 return ret;
947 }
948
949 rv = (module)->C_OpenSession (slot,
950 ((flags & SESSION_WRITE)
951 ? CKF_RW_SESSION : 0) |
952 CKF_SERIAL_SESSION, NULL, NULL, &pks);
953 if (rv != CKR_OK)
954 {
955 gnutls_assert ();
956 return pkcs11_rv_to_err (rv);
957 }
958
959 if (flags & SESSION_LOGIN)
960 {
961 ret = pkcs11_login (module, pks, &tinfo, info, (flags & SESSION_SO) ? 1 : 0);
962 if (ret < 0)
963 {
964 gnutls_assert ();
965 pkcs11_close_session (module, pks);
966 return ret;
967 }
968 }
969
970 /* ok found */
971 *_pks = pks;
972 *_module = module;
973 return 0;
974 }
975
976
977 int
978 _pkcs11_traverse_tokens (find_func_t find_func, void *input,
979 struct p11_kit_uri *info, unsigned int flags)
980 {
981 ck_rv_t rv;
982 unsigned int found = 0, x, z;
983 int ret;
984 ck_session_handle_t pks = 0;
985 struct ck_function_list *module = NULL;
986
987 for (x = 0; x < active_providers; x++)
988 {
989 module = providers[x].module;
990 for (z = 0; z < providers[x].nslots; z++)
991 {
992 struct token_info tinfo;
993
994 ret = GNUTLS_E_PKCS11_ERROR;
995
996 if (pkcs11_get_token_info (module, providers[x].slots[z],
997 &tinfo.tinfo) != CKR_OK)
998 {
999 continue;
1000 }
1001 tinfo.sid = providers[x].slots[z];
1002 tinfo.prov = &providers[x];
1003
1004 if (pkcs11_get_slot_info (module, providers[x].slots[z],
1005 &tinfo.sinfo) != CKR_OK)
1006 {
1007 continue;
1008 }
1009
1010 rv = (module)->C_OpenSession (providers[x].slots[z],
1011 ((flags & SESSION_WRITE)
1012 ? CKF_RW_SESSION : 0) |
1013 CKF_SERIAL_SESSION, NULL, NULL, &pks);
1014 if (rv != CKR_OK)
1015 {
1016 continue;
1017 }
1018
1019 if (flags & SESSION_LOGIN)
1020 {
1021 ret = pkcs11_login (module, pks, &tinfo, info, (flags & SESSION_SO) ? 1 : 0);
1022 if (ret < 0)
1023 {
1024 gnutls_assert ();
1025 return ret;
1026 }
1027 }
1028
1029 ret = find_func (module, pks, &tinfo, &providers[x].info, input);
1030
1031 if (ret == 0)
1032 {
1033 found = 1;
1034 goto finish;
1035 }
1036 else
1037 {
1038 pkcs11_close_session (module, pks);
1039 pks = 0;
1040 }
1041 }
1042 }
1043
1044 finish:
1045 /* final call */
1046
1047 if (found == 0)
1048 {
1049 if (module)
1050 ret = find_func (module, pks, NULL, NULL, input);
1051 else
1052 ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
1053 }
1054 else
1055 {
1056 ret = 0;
1057 }
1058
1059 if (pks != 0 && module != NULL)
1060 {
1061 pkcs11_close_session (module, pks);
1062 }
1063
1064 return ret;
1065 }
1066
1067 /* imports a raw certificate from a token to a pkcs11_obj_t structure.
1068 */
1069 static int
1070 pkcs11_obj_import (ck_object_class_t class, gnutls_pkcs11_obj_t obj,
1071 const gnutls_datum_t * data,
1072 const gnutls_datum_t * id,
1073 const gnutls_datum_t * label,
1074 struct ck_token_info *tinfo, struct ck_info *lib_info)
1075 {
1076 struct ck_attribute attr;
1077 int ret;
1078
1079 switch (class)
1080 {
1081 case CKO_CERTIFICATE:
1082 obj->type = GNUTLS_PKCS11_OBJ_X509_CRT;
1083 break;
1084 case CKO_PUBLIC_KEY:
1085 obj->type = GNUTLS_PKCS11_OBJ_PUBKEY;
1086 break;
1087 case CKO_PRIVATE_KEY:
1088 obj->type = GNUTLS_PKCS11_OBJ_PRIVKEY;
1089 break;
1090 case CKO_SECRET_KEY:
1091 obj->type = GNUTLS_PKCS11_OBJ_SECRET_KEY;
1092 break;
1093 case CKO_DATA:
1094 obj->type = GNUTLS_PKCS11_OBJ_DATA;
1095 break;
1096 default:
1097 obj->type = GNUTLS_PKCS11_OBJ_UNKNOWN;
1098 }
1099
1100 attr.type = CKA_CLASS;
1101 attr.value = &class;
1102 attr.value_len = sizeof (class);
1103 ret = p11_kit_uri_set_attribute (obj->info, &attr);
1104 if (ret < 0)
1105 {
1106 gnutls_assert ();
1107 return GNUTLS_E_MEMORY_ERROR;
1108 }
1109
1110 if (data && data->data)
1111 {
1112 ret = _gnutls_set_datum (&obj->raw, data->data, data->size);
1113 if (ret < 0)
1114 {
1115 gnutls_assert ();
1116 return ret;
1117 }
1118 }
1119
1120 /* copy the token and library info into the uri */
1121 memcpy (p11_kit_uri_get_token_info (obj->info), tinfo, sizeof (struct ck_token_info));
1122 memcpy (p11_kit_uri_get_module_info (obj->info), lib_info, sizeof (struct ck_info));
1123
1124 if (label && label->data)
1125 {
1126 attr.type = CKA_LABEL;
1127 attr.value = label->data;
1128 attr.value_len = label->size;
1129 ret = p11_kit_uri_set_attribute (obj->info, &attr);
1130 if (ret < 0)
1131 {
1132 gnutls_assert ();
1133 return GNUTLS_E_MEMORY_ERROR;
1134 }
1135 }
1136
1137 if (id && id->data)
1138 {
1139 attr.type = CKA_ID;
1140 attr.value = id->data;
1141 attr.value_len = id->size;
1142 ret = p11_kit_uri_set_attribute (obj->info, &attr);
1143 if (ret < 0)
1144 {
1145 gnutls_assert ();
1146 return GNUTLS_E_MEMORY_ERROR;
1147 }
1148 }
1149
1150 return 0;
1151 }
1152
1153 static int read_pkcs11_pubkey(struct ck_function_list *module,
1154 ck_session_handle_t pks, ck_object_handle_t obj,
1155 ck_key_type_t key_type, gnutls_datum_t * pubkey)
1156 {
1157 struct ck_attribute a[4];
1158 uint8_t tmp1[2048];
1159 uint8_t tmp2[2048];
1160 int ret;
1161
1162 switch (key_type)
1163 {
1164 case CKK_RSA:
1165 a[0].type = CKA_MODULUS;
1166 a[0].value = tmp1;
1167 a[0].value_len = sizeof (tmp1);
1168 a[1].type = CKA_PUBLIC_EXPONENT;
1169 a[1].value = tmp2;
1170 a[1].value_len = sizeof (tmp2);
1171
1172 if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
1173 {
1174
1175 ret =
1176 _gnutls_set_datum (&pubkey[0],
1177 a[0].value, a[0].value_len);
1178
1179 if (ret >= 0)
1180 ret =
1181 _gnutls_set_datum (&pubkey
1182 [1], a[1].value, a[1].value_len);
1183
1184 if (ret < 0)
1185 {
1186 gnutls_assert ();
1187 _gnutls_free_datum (&pubkey[1]);
1188 _gnutls_free_datum (&pubkey[0]);
1189 return GNUTLS_E_MEMORY_ERROR;
1190 }
1191 }
1192 else
1193 {
1194 gnutls_assert ();
1195 return GNUTLS_E_PKCS11_ERROR;
1196 }
1197 break;
1198 case CKK_DSA:
1199 a[0].type = CKA_PRIME;
1200 a[0].value = tmp1;
1201 a[0].value_len = sizeof (tmp1);
1202 a[1].type = CKA_SUBPRIME;
1203 a[1].value = tmp2;
1204 a[1].value_len = sizeof (tmp2);
1205
1206 if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
1207 {
1208 ret =
1209 _gnutls_set_datum (&pubkey[0],
1210 a[0].value, a[0].value_len);
1211
1212 if (ret >= 0)
1213 ret =
1214 _gnutls_set_datum (&pubkey
1215 [1], a[1].value, a[1].value_len);
1216
1217 if (ret < 0)
1218 {
1219 gnutls_assert ();
1220 _gnutls_free_datum (&pubkey[1]);
1221 _gnutls_free_datum (&pubkey[0]);
1222 return GNUTLS_E_MEMORY_ERROR;
1223 }
1224 }
1225 else
1226 {
1227 gnutls_assert ();
1228 return GNUTLS_E_PKCS11_ERROR;
1229 }
1230
1231 a[0].type = CKA_BASE;
1232 a[0].value = tmp1;
1233 a[0].value_len = sizeof (tmp1);
1234 a[1].type = CKA_VALUE;
1235 a[1].value = tmp2;
1236 a[1].value_len = sizeof (tmp2);
1237
1238 if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
1239 {
1240 ret =
1241 _gnutls_set_datum (&pubkey[2],
1242 a[0].value, a[0].value_len);
1243
1244 if (ret >= 0)
1245 ret =
1246 _gnutls_set_datum (&pubkey
1247 [3], a[1].value, a[1].value_len);
1248
1249 if (ret < 0)
1250 {
1251 gnutls_assert ();
1252 _gnutls_free_datum (&pubkey[0]);
1253 _gnutls_free_datum (&pubkey[1]);
1254 _gnutls_free_datum (&pubkey[2]);
1255 _gnutls_free_datum (&pubkey[3]);
1256 return GNUTLS_E_MEMORY_ERROR;
1257 }
1258 }
1259 else
1260 {
1261 gnutls_assert ();
1262 return GNUTLS_E_PKCS11_ERROR;
1263 }
1264 break;
1265 case CKK_ECDSA:
1266 a[0].type = CKA_EC_PARAMS;
1267 a[0].value = tmp1;
1268 a[0].value_len = sizeof (tmp1);
1269 a[1].type = CKA_EC_POINT;
1270 a[1].value = tmp2;
1271 a[1].value_len = sizeof (tmp2);
1272
1273 if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
1274 {
1275 ret =
1276 _gnutls_set_datum (&pubkey[0],
1277 a[0].value, a[0].value_len);
1278
1279 if (ret >= 0)
1280 ret =
1281 _gnutls_set_datum (&pubkey
1282 [1], a[1].value, a[1].value_len);
1283
1284 if (ret < 0)
1285 {
1286 gnutls_assert ();
1287 _gnutls_free_datum (&pubkey[1]);
1288 _gnutls_free_datum (&pubkey[0]);
1289 return GNUTLS_E_MEMORY_ERROR;
1290 }
1291 }
1292 else
1293 {
1294 gnutls_assert ();
1295 return GNUTLS_E_PKCS11_ERROR;
1296 }
1297
1298 break;
1299 default:
1300 return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
1301 }
1302
1303 return 0;
1304 }
1305
1306 static int
1307 pkcs11_obj_import_pubkey (struct ck_function_list *module,
1308 ck_session_handle_t pks,
1309 ck_object_handle_t obj,
1310 gnutls_pkcs11_obj_t crt,
1311 const gnutls_datum_t * id,
1312 const gnutls_datum_t * label,
1313 struct ck_token_info *tinfo,
1314 struct ck_info *lib_info)
1315 {
1316 struct ck_attribute a[4];
1317 ck_key_type_t key_type;
1318 int ret;
1319 ck_bool_t tval;
1320
1321 a[0].type = CKA_KEY_TYPE;
1322 a[0].value = &key_type;
1323 a[0].value_len = sizeof (key_type);
1324
1325 if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
1326 {
1327 crt->pk_algorithm = mech_to_pk(key_type);
1328
1329 ret = read_pkcs11_pubkey(module, pks, obj, key_type, crt->pubkey);
1330 if (ret < 0)
1331 return gnutls_assert_val(ret);
1332 }
1333
1334 /* read key usage flags */
1335 a[0].type = CKA_ENCRYPT;
1336 a[0].value = &tval;
1337 a[0].value_len = sizeof (tval);
1338
1339 if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
1340 {
1341 if (tval != 0)
1342 {
1343 crt->key_usage |= GNUTLS_KEY_DATA_ENCIPHERMENT;
1344 }
1345 }
1346
1347 a[0].type = CKA_VERIFY;
1348 a[0].value = &tval;
1349 a[0].value_len = sizeof (tval);
1350
1351 if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
1352 {
1353 if (tval != 0)
1354 {
1355 crt->key_usage |= GNUTLS_KEY_DIGITAL_SIGNATURE |
1356 GNUTLS_KEY_KEY_CERT_SIGN | GNUTLS_KEY_CRL_SIGN
1357 | GNUTLS_KEY_NON_REPUDIATION;
1358 }
1359 }
1360
1361 a[0].type = CKA_VERIFY_RECOVER;
1362 a[0].value = &tval;
1363 a[0].value_len = sizeof (tval);
1364
1365 if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
1366 {
1367 if (tval != 0)
1368 {
1369 crt->key_usage |= GNUTLS_KEY_DIGITAL_SIGNATURE |
1370 GNUTLS_KEY_KEY_CERT_SIGN | GNUTLS_KEY_CRL_SIGN
1371 | GNUTLS_KEY_NON_REPUDIATION;
1372 }
1373 }
1374
1375 a[0].type = CKA_DERIVE;
1376 a[0].value = &tval;
1377 a[0].value_len = sizeof (tval);
1378
1379 if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
1380 {
1381 if (tval != 0)
1382 {
1383 crt->key_usage |= GNUTLS_KEY_KEY_AGREEMENT;
1384 }
1385 }
1386
1387 a[0].type = CKA_WRAP;
1388 a[0].value = &tval;
1389 a[0].value_len = sizeof (tval);
1390
1391 if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
1392 {
1393 if (tval != 0)
1394 {
1395 crt->key_usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
1396 }
1397 }
1398
1399 return pkcs11_obj_import (CKO_PUBLIC_KEY, crt, NULL, id, label,
1400 tinfo, lib_info);
1401 }
1402
1403 static int
1404 find_obj_url (struct ck_function_list *module, ck_session_handle_t pks,
1405 struct token_info *info, struct ck_info *lib_info, void *input)
1406 {
1407 struct url_find_data_st *find_data = input;
1408 struct ck_attribute a[4];
1409 struct ck_attribute *attr;
1410 ck_object_class_t class = -1;
1411 ck_certificate_type_t type = (ck_certificate_type_t)-1;
1412 ck_rv_t rv;
1413 ck_object_handle_t obj;
1414 unsigned long count, a_vals;
1415 int found = 0, ret;
1416 uint8_t *cert_data = NULL;
1417 char label_tmp[PKCS11_LABEL_SIZE];
1418
1419 if (info == NULL)
1420 { /* we don't support multiple calls */
1421 gnutls_assert ();
1422 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1423 }
1424
1425 /* do not bother reading the token if basic fields do not match
1426 */
1427 if (!p11_kit_uri_match_token_info (find_data->crt->info, &info->tinfo) ||
1428 !p11_kit_uri_match_module_info (find_data->crt->info, lib_info))
1429 {
1430 gnutls_assert ();
1431 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1432 }
1433
1434 attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_ID);
1435 if (attr == NULL)
1436 {
1437 gnutls_assert ();
1438 return GNUTLS_E_INVALID_REQUEST;
1439 }
1440
1441 /* search the token for the id */
1442
1443 cert_data = gnutls_malloc (MAX_CERT_SIZE);
1444 if (cert_data == NULL)
1445 {
1446 gnutls_assert ();
1447 return GNUTLS_E_MEMORY_ERROR;
1448 }
1449
1450 /* Find objects with given class and type */
1451 memcpy (a, attr, sizeof (struct ck_attribute));
1452 a_vals = 1;
1453
1454 attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_CLASS);
1455 if (attr)
1456 {
1457 if(attr->value && attr->value_len == sizeof (ck_object_class_t))
1458 class = *((ck_object_class_t*)attr->value);
1459 if (class == CKO_CERTIFICATE)
1460 type = CKC_X_509;
1461 memcpy (a + a_vals, attr, sizeof (struct ck_attribute));
1462 a_vals++;
1463 }
1464
1465 if (type != (ck_certificate_type_t)-1)
1466 {
1467 a[a_vals].type = CKA_CERTIFICATE_TYPE;
1468 a[a_vals].value = &type;
1469 a[a_vals].value_len = sizeof type;
1470 a_vals++;
1471 }
1472
1473 rv = pkcs11_find_objects_init (module, pks, a, a_vals);
1474 if (rv != CKR_OK)
1475 {
1476 gnutls_assert ();
1477 _gnutls_debug_log ("pk11: FindObjectsInit failed.\n");
1478 ret = pkcs11_rv_to_err (rv);
1479 goto cleanup;
1480 }
1481
1482 while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
1483 {
1484
1485 a[0].type = CKA_VALUE;
1486 a[0].value = cert_data;
1487 a[0].value_len = MAX_CERT_SIZE;
1488 a[1].type = CKA_LABEL;
1489 a[1].value = label_tmp;
1490 a[1].value_len = sizeof (label_tmp);
1491
1492 if (pkcs11_get_attribute_value (module, pks, obj, a, 2) == CKR_OK)
1493 {
1494 gnutls_datum_t id;
1495 gnutls_datum_t data = { a[0].value, a[0].value_len };
1496 gnutls_datum_t label = { a[1].value, a[1].value_len };
1497
1498 attr = p11_kit_uri_get_attribute (find_data->crt->info, CKA_ID);
1499 id.data = attr->value;
1500 id.size = attr->value_len;
1501
1502 if (class == CKO_PUBLIC_KEY)
1503 {
1504 ret =
1505 pkcs11_obj_import_pubkey (module, pks, obj,
1506 find_data->crt,
1507 &id, &label,
1508 &info->tinfo, lib_info);
1509 }
1510 else
1511 {
1512 ret =
1513 pkcs11_obj_import (class,
1514 find_data->crt,
1515 &data, &id, &label,
1516 &info->tinfo, lib_info);
1517 }
1518 if (ret < 0)
1519 {
1520 gnutls_assert ();
1521 goto cleanup;
1522 }
1523
1524 found = 1;
1525 break;
1526 }
1527 else
1528 {
1529 _gnutls_debug_log ("pk11: Skipped cert, missing attrs.\n");
1530 }
1531 }
1532
1533 if (found == 0)
1534 {
1535 gnutls_assert ();
1536 ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1537 }
1538 else
1539 {
1540 ret = 0;
1541 }
1542
1543 cleanup:
1544 gnutls_free (cert_data);
1545 pkcs11_find_objects_final (module, pks);
1546
1547 return ret;
1548 }
1549
1550 unsigned int
1551 pkcs11_obj_flags_to_int (unsigned int flags)
1552 {
1553 unsigned int ret_flags = 0;
1554
1555 if (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN)
1556 ret_flags |= SESSION_LOGIN;
1557 if (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO)
1558 ret_flags |= SESSION_LOGIN|SESSION_SO;
1559
1560 return ret_flags;
1561 }
1562
1563 /**
1564 * gnutls_pkcs11_obj_import_url:
1565 * @cert: The structure to store the parsed certificate
1566 * @url: a PKCS 11 url identifying the key
1567 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
1568 *
1569 * This function will "import" a PKCS 11 URL identifying a certificate
1570 * key to the #gnutls_pkcs11_obj_t structure. This does not involve any
1571 * parsing (such as X.509 or OpenPGP) since the #gnutls_pkcs11_obj_t is
1572 * format agnostic. Only data are transferred.
1573 *
1574 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1575 * negative error value.
1576 *
1577 * Since: 2.12.0
1578 **/
1579 int
1580 gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t cert, const char *url,
1581 unsigned int flags)
1582 {
1583 int ret;
1584 struct url_find_data_st find_data;
1585
1586 /* fill in the find data structure */
1587 find_data.crt = cert;
1588
1589 ret = pkcs11_url_to_info (url, &cert->info);
1590 if (ret < 0)
1591 {
1592 gnutls_assert ();
1593 return ret;
1594 }
1595
1596 ret =
1597 _pkcs11_traverse_tokens (find_obj_url, &find_data, cert->info,
1598 pkcs11_obj_flags_to_int (flags));
1599
1600 if (ret < 0)
1601 {
1602 gnutls_assert ();
1603 return ret;
1604 }
1605
1606 return 0;
1607 }
1608
1609 struct token_num
1610 {
1611 struct p11_kit_uri *info;
1612 unsigned int seq; /* which one we are looking for */
1613 unsigned int current; /* which one are we now */
1614 };
1615
1616 static int
1617 find_token_num (struct ck_function_list *module,
1618 ck_session_handle_t pks,
1619 struct token_info *tinfo,
1620 struct ck_info *lib_info, void *input)
1621 {
1622 struct token_num *find_data = input;
1623
1624 if (tinfo == NULL)
1625 { /* we don't support multiple calls */
1626 gnutls_assert ();
1627 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1628 }
1629
1630 if (find_data->current == find_data->seq)
1631 {
1632 memcpy (p11_kit_uri_get_token_info (find_data->info), &tinfo->tinfo, sizeof (struct ck_token_info));
1633 memcpy (p11_kit_uri_get_module_info (find_data->info), lib_info, sizeof (struct ck_info));
1634 return 0;
1635 }
1636
1637 find_data->current++;
1638 /* search the token for the id */
1639
1640
1641 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; /* non zero is enough */
1642 }
1643
1644 /**
1645 * gnutls_pkcs11_token_get_url:
1646 * @seq: sequence number starting from 0
1647 * @detailed: non zero if a detailed URL is required
1648 * @url: will contain an allocated url
1649 *
1650 * This function will return the URL for each token available
1651 * in system. The url has to be released using gnutls_free()
1652 *
1653 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1654 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the sequence number
1655 * exceeds the available tokens, otherwise a negative error value.
1656 *
1657 * Since: 2.12.0
1658 **/
1659 int
1660 gnutls_pkcs11_token_get_url (unsigned int seq,
1661 gnutls_pkcs11_url_type_t detailed, char **url)
1662 {
1663 int ret;
1664 struct token_num tn;
1665
1666 memset (&tn, 0, sizeof (tn));
1667 tn.seq = seq;
1668 tn.info = p11_kit_uri_new ();
1669
1670 ret = _pkcs11_traverse_tokens (find_token_num, &tn, NULL, 0);
1671 if (ret < 0)
1672 {
1673 p11_kit_uri_free (tn.info);
1674 gnutls_assert ();
1675 return ret;
1676 }
1677
1678 ret = pkcs11_info_to_url (tn.info, detailed, url);
1679 p11_kit_uri_free (tn.info);
1680
1681 if (ret < 0)
1682 {
1683 gnutls_assert ();
1684 return ret;
1685 }
1686
1687 return 0;
1688
1689 }
1690
1691 /**
1692 * gnutls_pkcs11_token_get_info:
1693 * @url: should contain a PKCS 11 URL
1694 * @ttype: Denotes the type of information requested
1695 * @output: where output will be stored
1696 * @output_size: contains the maximum size of the output and will be overwritten with actual
1697 *
1698 * This function will return information about the PKCS 11 token such
1699 * as the label, id, etc.
1700 *
1701 * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code
1702 * on error.
1703 *
1704 * Since: 2.12.0
1705 **/
1706 int
1707 gnutls_pkcs11_token_get_info (const char *url,
1708 gnutls_pkcs11_token_info_t ttype,
1709 void *output, size_t * output_size)
1710 {
1711 struct p11_kit_uri *info = NULL;
1712 const uint8_t *str;
1713 size_t str_max;
1714 size_t len;
1715 int ret;
1716
1717 ret = pkcs11_url_to_info (url, &info);
1718 if (ret < 0)
1719 {
1720 gnutls_assert ();
1721 return ret;
1722 }
1723
1724 switch (ttype)
1725 {
1726 case GNUTLS_PKCS11_TOKEN_LABEL:
1727 str = p11_kit_uri_get_token_info (info)->label;
1728 str_max = 32;
1729 break;
1730 case GNUTLS_PKCS11_TOKEN_SERIAL:
1731 str = p11_kit_uri_get_token_info (info)->serial_number;
1732 str_max = 16;
1733 break;
1734 case GNUTLS_PKCS11_TOKEN_MANUFACTURER:
1735 str = p11_kit_uri_get_token_info (info)->manufacturer_id;
1736 str_max = 32;
1737 break;
1738 case GNUTLS_PKCS11_TOKEN_MODEL:
1739 str = p11_kit_uri_get_token_info (info)->model;
1740 str_max = 16;
1741 break;
1742 default:
1743 p11_kit_uri_free (info);
1744 gnutls_assert ();
1745 return GNUTLS_E_INVALID_REQUEST;
1746 }
1747
1748 len = p11_kit_space_strlen (str, str_max);
1749
1750 if (len + 1 > *output_size)
1751 {
1752 *output_size = len + 1;
1753 return GNUTLS_E_SHORT_MEMORY_BUFFER;
1754 }
1755
1756 memcpy (output, str, len);
1757 ((char*)output)[len] = '\0';
1758
1759 *output_size = len;
1760
1761 p11_kit_uri_free (info);
1762 return 0;
1763 }
1764
1765 /**
1766 * gnutls_pkcs11_obj_export_url:
1767 * @obj: Holds the PKCS 11 certificate
1768 * @detailed: non zero if a detailed URL is required
1769 * @url: will contain an allocated url
1770 *
1771 * This function will export a URL identifying the given certificate.
1772 *
1773 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1774 * negative error value.
1775 *
1776 * Since: 2.12.0
1777 **/
1778 int
1779 gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t obj,
1780 gnutls_pkcs11_url_type_t detailed, char **url)
1781 {
1782 int ret;
1783
1784 ret = pkcs11_info_to_url (obj->info, detailed, url);
1785 if (ret < 0)
1786 {
1787 gnutls_assert ();
1788 return ret;
1789 }
1790
1791 return 0;
1792 }
1793
1794 /**
1795 * gnutls_pkcs11_obj_get_type:
1796 * @obj: Holds the PKCS 11 object
1797 *
1798 * This function will return the type of the certificate being
1799 * stored in the structure.
1800 *
1801 * Returns: The type of the certificate.
1802 *
1803 * Since: 2.12.0
1804 **/
1805 gnutls_pkcs11_obj_type_t
1806 gnutls_pkcs11_obj_get_type (gnutls_pkcs11_obj_t obj)
1807 {
1808 return obj->type;
1809 }
1810
1811 struct pkey_list
1812 {
1813 gnutls_buffer_st *key_ids;
1814 size_t key_ids_size;
1815 };
1816
1817
1818 static int
1819 retrieve_pin_from_source (const char *pinfile, struct ck_token_info *token_info,
1820 int attempts, ck_user_type_t user_type, struct p11_kit_pin **pin)
1821 {
1822 unsigned int flags = 0;
1823 struct p11_kit_uri *token_uri;
1824 struct p11_kit_pin *result;
1825 char *label;
1826
1827 label = p11_kit_space_strdup (token_info->label, sizeof (token_info->label));
1828 if (label == NULL)
1829 {
1830 gnutls_assert ();
1831 return GNUTLS_E_MEMORY_ERROR;
1832 }
1833
1834 token_uri = p11_kit_uri_new ();
1835 if (token_uri == NULL)
1836 {
1837 free (label);
1838 gnutls_assert ();
1839 return GNUTLS_E_MEMORY_ERROR;
1840 }
1841
1842 memcpy (p11_kit_uri_get_token_info (token_uri), token_info,
1843 sizeof (struct ck_token_info));
1844
1845 if (attempts)
1846 flags |= P11_KIT_PIN_FLAGS_RETRY;
1847 if (user_type == CKU_USER)
1848 {
1849 flags |= P11_KIT_PIN_FLAGS_USER_LOGIN;
1850 if (token_info->flags & CKF_USER_PIN_COUNT_LOW)
1851 flags |= P11_KIT_PIN_FLAGS_MANY_TRIES;
1852 if (token_info->flags & CKF_USER_PIN_FINAL_TRY)
1853 flags |= P11_KIT_PIN_FLAGS_FINAL_TRY;
1854 }
1855 else if (user_type == CKU_SO)
1856 {
1857 flags |= P11_KIT_PIN_FLAGS_SO_LOGIN;
1858 if (token_info->flags & CKF_SO_PIN_COUNT_LOW)
1859 flags |= P11_KIT_PIN_FLAGS_MANY_TRIES;
1860 if (token_info->flags & CKF_SO_PIN_FINAL_TRY)
1861 flags |= P11_KIT_PIN_FLAGS_FINAL_TRY;
1862 }
1863 else if (user_type == CKU_CONTEXT_SPECIFIC)
1864 {
1865 flags |= P11_KIT_PIN_FLAGS_CONTEXT_LOGIN;
1866 }
1867
1868 result = p11_kit_pin_request (pinfile, token_uri, label, flags);
1869 p11_kit_uri_free (token_uri);
1870 free (label);
1871
1872 if (result == NULL)
1873 {
1874 gnutls_assert ();
1875 return GNUTLS_E_PKCS11_PIN_ERROR;
1876 }
1877
1878 *pin = result;
1879 return 0;
1880 }
1881
1882 static int
1883 retrieve_pin_for_callback (struct ck_token_info *token_info, int attempts,
1884 ck_user_type_t user_type, struct p11_kit_pin **pin)
1885 {
1886 char pin_value[GNUTLS_PKCS11_MAX_PIN_LEN];
1887 unsigned int flags = 0;
1888 char *token_str;
1889 char *label;
1890 struct p11_kit_uri *token_uri;
1891 int ret = 0;
1892
1893 label = p11_kit_space_strdup (token_info->label, sizeof (token_info->label));
1894 if (label == NULL)
1895 {
1896 gnutls_assert ();
1897 return GNUTLS_E_MEMORY_ERROR;
1898 }
1899
1900 token_uri = p11_kit_uri_new ();
1901 if (token_uri == NULL)
1902 {
1903 free (label);
1904 gnutls_assert ();
1905 return GNUTLS_E_MEMORY_ERROR;
1906 }
1907
1908 memcpy (p11_kit_uri_get_token_info (token_uri), token_info,
1909 sizeof (struct ck_token_info));
1910 ret = pkcs11_info_to_url (token_uri, 1, &token_str);
1911 p11_kit_uri_free (token_uri);
1912
1913 if (ret < 0)
1914 {
1915 free (label);
1916 gnutls_assert ();
1917 return GNUTLS_E_MEMORY_ERROR;
1918 }
1919
1920 if (user_type == CKU_USER)
1921 {
1922 flags |= GNUTLS_PKCS11_PIN_USER;
1923 if (token_info->flags & CKF_USER_PIN_COUNT_LOW)
1924 flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
1925 if (token_info->flags & CKF_USER_PIN_FINAL_TRY)
1926 flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
1927 }
1928 else if (user_type == CKU_SO)
1929 {
1930 flags |= GNUTLS_PKCS11_PIN_SO;
1931 if (token_info->flags & CKF_SO_PIN_COUNT_LOW)
1932 flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
1933 if (token_info->flags & CKF_SO_PIN_FINAL_TRY)
1934 flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
1935 }
1936
1937 if (attempts > 0)
1938 flags |= GNUTLS_PKCS11_PIN_WRONG;
1939
1940 ret = pin_func (pin_data, attempts, (char*)token_str, label,
1941 flags, pin_value, GNUTLS_PKCS11_MAX_PIN_LEN);
1942 free (token_str);
1943 free (label);
1944
1945 if (ret < 0)
1946 return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
1947
1948 *pin = p11_kit_pin_new_for_string (pin_value);
1949
1950 if (*pin == NULL)
1951 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1952
1953 return 0;
1954 }
1955
1956 static int
1957 retrieve_pin (struct p11_kit_uri *info, struct ck_token_info *token_info,
1958 int attempts, ck_user_type_t user_type, struct p11_kit_pin **pin)
1959 {
1960 const char *pinfile;
1961 int ret = GNUTLS_E_PKCS11_PIN_ERROR;
1962
1963 *pin = NULL;
1964
1965 /* Check if a pinfile is specified, and use that if possible */
1966 pinfile = p11_kit_uri_get_pinfile (info);
1967 if (pinfile != NULL)
1968 {
1969 _gnutls_debug_log("pk11: Using pinfile to retrieve PIN\n");
1970 ret = retrieve_pin_from_source (pinfile, token_info, attempts, user_type, pin);
1971 }
1972
1973 /* The global gnutls pin callback */
1974 if (pin_func && ret < 0)
1975 ret = retrieve_pin_for_callback (token_info, attempts, user_type, pin);
1976
1977 /* Otherwise, PIN entry is necessary for login, so fail if there's
1978 * no callback. */
1979
1980 if (ret < 0)
1981 {
1982 gnutls_assert ();
1983 _gnutls_debug_log ("pk11: No suitable pin callback but login required.\n");
1984 }
1985
1986 return ret;
1987 }
1988
1989 int
1990 pkcs11_login (struct ck_function_list * module, ck_session_handle_t pks,
1991 const struct token_info *tokinfo, struct p11_kit_uri *info, int so)
1992 {
1993 struct ck_session_info session_info;
1994 int attempt = 0, ret;
1995 ck_user_type_t user_type;
1996 ck_rv_t rv;
1997
1998 user_type = (so == 0) ? CKU_USER : CKU_SO;
1999 if (so == 0 && (tokinfo->tinfo.flags & CKF_LOGIN_REQUIRED) == 0)
2000 {
2001 gnutls_assert ();
2002 _gnutls_debug_log ("pk11: No login required.\n");
2003 return 0;
2004 }
2005
2006 /* For a token with a "protected" (out-of-band) authentication
2007 * path, calling login with a NULL username is all that is
2008 * required. */
2009 if (tokinfo->tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
2010 {
2011 rv = (module)->C_Login (pks, (so == 0) ? CKU_USER : CKU_SO, NULL, 0);
2012 if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN)
2013 {
2014 return 0;
2015 }
2016 else
2017 {
2018 gnutls_assert ();
2019 _gnutls_debug_log ("pk11: Protected login failed.\n");
2020 ret = GNUTLS_E_PKCS11_ERROR;
2021 goto cleanup;
2022 }
2023 }
2024
2025 do
2026 {
2027 struct p11_kit_pin *pin;
2028 struct ck_token_info tinfo;
2029
2030 memcpy (&tinfo, &tokinfo->tinfo, sizeof(tinfo));
2031
2032 /* Check whether the session is already logged in, and if so, just skip */
2033 rv = (module)->C_GetSessionInfo (pks, &session_info);
2034 if (rv == CKR_OK && (session_info.state == CKS_RO_USER_FUNCTIONS ||
2035 session_info.state == CKS_RW_USER_FUNCTIONS))
2036 {
2037 ret = 0;
2038 goto cleanup;
2039 }
2040
2041 /* If login has been attempted once already, check the token
2042 * status again, the flags might change. */
2043 if (attempt)
2044 {
2045 if (pkcs11_get_token_info
2046 (tokinfo->prov->module, tokinfo->sid, &tinfo) != CKR_OK)
2047 {
2048 gnutls_assert ();
2049 _gnutls_debug_log ("pk11: GetTokenInfo failed\n");
2050 ret = GNUTLS_E_PKCS11_ERROR;
2051 goto cleanup;
2052 }
2053 }
2054
2055 ret = retrieve_pin (info, &tinfo, attempt++, user_type, &pin);
2056 if (ret < 0)
2057 {
2058 gnutls_assert ();
2059 goto cleanup;
2060 }
2061
2062 rv = (module)->C_Login (pks, user_type,
2063 (unsigned char *)p11_kit_pin_get_value (pin, NULL),
2064 p11_kit_pin_get_length (pin));
2065
2066 p11_kit_pin_unref (pin);
2067 }
2068 while (rv == CKR_PIN_INCORRECT);
2069
2070 _gnutls_debug_log ("pk11: Login result = %lu\n", rv);
2071
2072
2073 ret = (rv == CKR_OK
2074 || rv == CKR_USER_ALREADY_LOGGED_IN) ? 0 : pkcs11_rv_to_err (rv);
2075
2076 cleanup:
2077 return ret;
2078 }
2079
2080 int
2081 pkcs11_call_token_func (struct p11_kit_uri *info, const unsigned retry)
2082 {
2083 struct ck_token_info *tinfo;
2084 char *label;
2085 int ret = 0;
2086
2087 tinfo = p11_kit_uri_get_token_info (info);
2088 label = p11_kit_space_strdup (tinfo->label, sizeof (tinfo->label));
2089 ret = (token_func) (token_data, label, retry);
2090 free (label);
2091
2092 return ret;
2093 }
2094
2095
2096 static int
2097 find_privkeys (struct ck_function_list *module, ck_session_handle_t pks,
2098 struct token_info *info, struct pkey_list *list)
2099 {
2100 struct ck_attribute a[3];
2101 ck_object_class_t class;
2102 ck_rv_t rv;
2103 ck_object_handle_t obj;
2104 unsigned long count, current;
2105 char certid_tmp[PKCS11_ID_SIZE];
2106
2107 class = CKO_PRIVATE_KEY;
2108
2109 /* Find an object with private key class and a certificate ID
2110 * which matches the certificate. */
2111 /* FIXME: also match the cert subject. */
2112 a[0].type = CKA_CLASS;
2113 a[0].value = &class;
2114 a[0].value_len = sizeof class;
2115
2116 rv = pkcs11_find_objects_init (module, pks, a, 1);
2117 if (rv != CKR_OK)
2118 {
2119 gnutls_assert ();
2120 return pkcs11_rv_to_err (rv);
2121 }
2122
2123 list->key_ids_size = 0;
2124 while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
2125 {
2126 list->key_ids_size++;
2127 }
2128
2129 pkcs11_find_objects_final (module, pks);
2130
2131 if (list->key_ids_size == 0)
2132 {
2133 gnutls_assert ();
2134 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2135 }
2136
2137 list->key_ids =
2138 gnutls_malloc (sizeof (gnutls_buffer_st) * list->key_ids_size);
2139 if (list->key_ids == NULL)
2140 {
2141 gnutls_assert ();
2142 return GNUTLS_E_MEMORY_ERROR;
2143 }
2144
2145 /* actual search */
2146 a[0].type = CKA_CLASS;
2147 a[0].value = &class;
2148 a[0].value_len = sizeof class;
2149
2150 rv = pkcs11_find_objects_init (module, pks, a, 1);
2151 if (rv != CKR_OK)
2152 {
2153 gnutls_assert ();
2154 return pkcs11_rv_to_err (rv);
2155 }
2156
2157 current = 0;
2158 while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
2159 {
2160
2161 a[0].type = CKA_ID;
2162 a[0].value = certid_tmp;
2163 a[0].value_len = sizeof (certid_tmp);
2164
2165 _gnutls_buffer_init (&list->key_ids[current]);
2166
2167 if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
2168 {
2169 _gnutls_buffer_append_data (&list->key_ids[current],
2170 a[0].value, a[0].value_len);
2171 current++;
2172 }
2173
2174 if (current > list->key_ids_size)
2175 break;
2176 }
2177
2178 pkcs11_find_objects_final (module, pks);
2179
2180 list->key_ids_size = current - 1;
2181
2182 return 0;
2183 }
2184
2185 /* Recover certificate list from tokens */
2186
2187
2188 static int
2189 find_objs (struct ck_function_list * module, ck_session_handle_t pks,
2190 struct token_info *info, struct ck_info *lib_info, void *input)
2191 {
2192 struct crt_find_data_st *find_data = input;
2193 struct ck_attribute a[4];
2194 struct ck_attribute *attr;
2195 ck_object_class_t class = (ck_object_class_t)-1;
2196 ck_certificate_type_t type = (ck_certificate_type_t)-1;
2197 unsigned int trusted;
2198 ck_rv_t rv;
2199 ck_object_handle_t obj;
2200 unsigned long count;
2201 uint8_t *cert_data;
2202 char certid_tmp[PKCS11_ID_SIZE];
2203 char label_tmp[PKCS11_LABEL_SIZE];
2204 int ret;
2205 struct pkey_list plist; /* private key holder */
2206 unsigned int i, tot_values = 0;
2207
2208 if (info == NULL)
2209 { /* final call */
2210 if (find_data->current <= *find_data->n_list)
2211 ret = 0;
2212 else
2213 ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
2214
2215 *find_data->n_list = find_data->current;
2216
2217 return ret;
2218 }
2219
2220 /* do not bother reading the token if basic fields do not match
2221 */
2222 if (!p11_kit_uri_match_token_info (find_data->info, &info->tinfo) ||
2223 !p11_kit_uri_match_module_info (find_data->info, lib_info))
2224 {
2225 gnutls_assert ();
2226 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2227 }
2228
2229 memset (&plist, 0, sizeof (plist));
2230
2231 if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY)
2232 {
2233 ret = find_privkeys (module, pks, info, &plist);
2234 if (ret < 0)
2235 {
2236 gnutls_assert ();
2237 return ret;
2238 }
2239
2240 if (plist.key_ids_size == 0)
2241 {
2242 gnutls_assert ();
2243 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2244 }
2245 }
2246
2247 cert_data = gnutls_malloc (MAX_CERT_SIZE);
2248 if (cert_data == NULL)
2249 {
2250 gnutls_assert ();
2251 return GNUTLS_E_MEMORY_ERROR;
2252 }
2253
2254 /* Find objects with cert class and X.509 cert type. */
2255
2256 tot_values = 0;
2257
2258 if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL
2259 || find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY)
2260 {
2261 class = CKO_CERTIFICATE;
2262 type = CKC_X_509;
2263 trusted = 1;
2264
2265 a[tot_values].type = CKA_CLASS;
2266 a[tot_values].value = &class;
2267 a[tot_values].value_len = sizeof class;
2268 tot_values++;
2269
2270 a[tot_values].type = CKA_CERTIFICATE_TYPE;
2271 a[tot_values].value = &type;
2272 a[tot_values].value_len = sizeof type;
2273 tot_values++;
2274
2275 }
2276 else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED)
2277 {
2278 class = CKO_CERTIFICATE;
2279 type = CKC_X_509;
2280 trusted = 1;
2281
2282 a[tot_values].type = CKA_CLASS;
2283 a[tot_values].value = &class;
2284 a[tot_values].value_len = sizeof class;
2285 tot_values++;
2286
2287 a[tot_values].type = CKA_TRUSTED;
2288 a[tot_values].value = &trusted;
2289 a[tot_values].value_len = sizeof trusted;
2290 tot_values++;
2291
2292 }
2293 else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_PUBKEY)
2294 {
2295 class = CKO_PUBLIC_KEY;
2296
2297 a[tot_values].type = CKA_CLASS;
2298 a[tot_values].value = &class;
2299 a[tot_values].value_len = sizeof class;
2300 tot_values++;
2301 }
2302 else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY)
2303 {
2304 class = CKO_PRIVATE_KEY;
2305
2306 a[tot_values].type = CKA_CLASS;
2307 a[tot_values].value = &class;
2308 a[tot_values].value_len = sizeof class;
2309 tot_values++;
2310 }
2311 else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_ALL)
2312 {
2313 if (class != (ck_object_class_t)-1)
2314 {
2315 a[tot_values].type = CKA_CLASS;
2316 a[tot_values].value = &class;
2317 a[tot_values].value_len = sizeof class;
2318 tot_values++;
2319 }
2320 if (type != (ck_certificate_type_t)-1)
2321 {
2322 a[tot_values].type = CKA_CERTIFICATE_TYPE;
2323 a[tot_values].value = &type;
2324 a[tot_values].value_len = sizeof type;
2325 tot_values++;
2326 }
2327 }
2328 else
2329 {
2330 gnutls_assert ();
2331 ret = GNUTLS_E_INVALID_REQUEST;
2332 goto fail;
2333 }
2334
2335 attr = p11_kit_uri_get_attribute (find_data->info, CKA_ID);
2336 if (attr != NULL)
2337 {
2338 memcpy (a + tot_values, attr, sizeof (struct ck_attribute));
2339 tot_values++;
2340 }
2341
2342 rv = pkcs11_find_objects_init (module, pks, a, tot_values);
2343 if (rv != CKR_OK)
2344 {
2345 gnutls_assert ();
2346 _gnutls_debug_log ("pk11: FindObjectsInit failed.\n");
2347 return pkcs11_rv_to_err (rv);
2348 }
2349
2350 while (pkcs11_find_objects (module, pks, &obj, 1, &count) == CKR_OK && count == 1)
2351 {
2352 gnutls_datum_t label, id, value;
2353
2354 a[0].type = CKA_LABEL;
2355 a[0].value = label_tmp;
2356 a[0].value_len = sizeof label_tmp;
2357
2358 if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
2359 {
2360 label.data = a[0].value;
2361 label.size = a[0].value_len;
2362 }
2363 else
2364 {
2365 label.data = NULL;
2366 label.size = 0;
2367 }
2368
2369 a[0].type = CKA_ID;
2370 a[0].value = certid_tmp;
2371 a[0].value_len = sizeof certid_tmp;
2372
2373 if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
2374 {
2375 id.data = a[0].value;
2376 id.size = a[0].value_len;
2377 }
2378 else
2379 {
2380 id.data = NULL;
2381 id.size = 0;
2382 }
2383
2384 a[0].type = CKA_VALUE;
2385 a[0].value = cert_data;
2386 a[0].value_len = MAX_CERT_SIZE;
2387 if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK)
2388 {
2389 value.data = a[0].value;
2390 value.size = a[0].value_len;
2391 }
2392 else
2393 {
2394 value.data = NULL;
2395 value.size = 0;
2396 }
2397
2398 if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_ALL)
2399 {
2400 a[0].type = CKA_CLASS;
2401 a[0].value = &class;
2402 a[0].value_len = sizeof class;
2403
2404 pkcs11_get_attribute_value (module, pks, obj, a, 1);
2405 }
2406
2407 if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY)
2408 {
2409 for (i = 0; i < plist.key_ids_size; i++)
2410 {
2411 if (plist.key_ids[i].length !=
2412 a[1].value_len
2413 || memcmp (plist.key_ids[i].data,
2414 a[1].value, a[1].value_len) != 0)
2415 {
2416 /* not found */
2417 continue;
2418 }
2419 }
2420 }
2421
2422 if (find_data->current < *find_data->n_list)
2423 {
2424 ret =
2425 gnutls_pkcs11_obj_init (&find_data->p_list[find_data->current]);
2426 if (ret < 0)
2427 {
2428 gnutls_assert ();
2429 goto fail;
2430 }
2431
2432 if (class == CKO_PUBLIC_KEY)
2433 {
2434 ret =
2435 pkcs11_obj_import_pubkey (module, pks, obj,
2436 find_data->p_list
2437 [find_data->current],
2438 &id, &label,
2439 &info->tinfo, lib_info);
2440 }
2441 else
2442 {
2443 ret =
2444 pkcs11_obj_import (class,
2445 find_data->p_list
2446 [find_data->current],
2447 &value, &id, &label,
2448 &info->tinfo, lib_info);
2449 }
2450 if (ret < 0)
2451 {
2452 gnutls_assert ();
2453 goto fail;
2454 }
2455 }
2456
2457 find_data->current++;
2458
2459 }
2460
2461 gnutls_free (cert_data);
2462 pkcs11_find_objects_final (module, pks);
2463
2464 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; /* continue until all tokens have been checked */
2465
2466 fail:
2467 gnutls_free (cert_data);
2468 pkcs11_find_objects_final (module, pks);
2469 if (plist.key_ids != NULL)
2470 {
2471 for (i = 0; i < plist.key_ids_size; i++)
2472 {
2473 _gnutls_buffer_clear (&plist.key_ids[i]);
2474 }
2475 gnutls_free (plist.key_ids);
2476 }
2477 for (i = 0; i < find_data->current; i++)
2478 {
2479 gnutls_pkcs11_obj_deinit (find_data->p_list[i]);
2480 }
2481 find_data->current = 0;
2482
2483 return ret;
2484 }
2485
2486 /**
2487 * gnutls_pkcs11_obj_list_import_url:
2488 * @p_list: An uninitialized object list (may be NULL)
2489 * @n_list: initially should hold the maximum size of the list. Will contain the actual size.
2490 * @url: A PKCS 11 url identifying a set of objects
2491 * @attrs: Attributes of type #gnutls_pkcs11_obj_attr_t that can be used to limit output
2492 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
2493 *
2494 * This function will initialize and set values to an object list
2495 * by using all objects identified by a PKCS 11 URL.
2496 *
2497 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2498 * negative error value.
2499 *
2500 * Since: 2.12.0
2501 **/
2502 int
2503 gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t * p_list,
2504 unsigned int *n_list,
2505 const char *url,
2506 gnutls_pkcs11_obj_attr_t attrs,
2507 unsigned int flags)
2508 {
2509 int ret;
2510 struct crt_find_data_st find_data;
2511
2512 memset (&find_data, 0, sizeof (find_data));
2513
2514 /* fill in the find data structure */
2515 find_data.p_list = p_list;
2516 find_data.n_list = n_list;
2517 find_data.flags = attrs;
2518 find_data.current = 0;
2519
2520 if (url == NULL || url[0] == 0)
2521 {
2522 url = "pkcs11:";
2523 }
2524
2525 ret = pkcs11_url_to_info (url, &find_data.info);
2526 if (ret < 0)
2527 {
2528 gnutls_assert ();
2529 return ret;
2530 }
2531
2532 ret =
2533 _pkcs11_traverse_tokens (find_objs, &find_data, find_data.info,
2534 pkcs11_obj_flags_to_int (flags));
2535 p11_kit_uri_free (find_data.info);
2536
2537 if (ret < 0)
2538 {
2539 gnutls_assert ();
2540 return ret;
2541 }
2542
2543 return 0;
2544 }
2545
2546 /**
2547 * gnutls_x509_crt_import_pkcs11_url:
2548 * @crt: A certificate of type #gnutls_x509_crt_t
2549 * @url: A PKCS 11 url
2550 * @flags: One of GNUTLS_PKCS11_OBJ_* flags
2551 *
2552 * This function will import a PKCS 11 certificate directly from a token
2553 * without involving the #gnutls_pkcs11_obj_t structure. This function will
2554 * fail if the certificate stored is not of X.509 type.
2555 *
2556 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2557 * negative error value.
2558 *
2559 * Since: 2.12.0
2560 **/
2561 int
2562 gnutls_x509_crt_import_pkcs11_url (gnutls_x509_crt_t crt,
2563 const char *url, unsigned int flags)
2564 {
2565 gnutls_pkcs11_obj_t pcrt;
2566 int ret;
2567
2568 ret = gnutls_pkcs11_obj_init (&pcrt);
2569 if (ret < 0)
2570 {
2571 gnutls_assert ();
2572 return ret;
2573 }
2574
2575 ret = gnutls_pkcs11_obj_import_url (pcrt, url, flags);
2576 if (ret < 0)
2577 {
2578 gnutls_assert ();
2579 goto cleanup;
2580 }
2581
2582 ret = gnutls_x509_crt_import (crt, &pcrt->raw, GNUTLS_X509_FMT_DER);
2583 if (ret < 0)
2584 {
2585 gnutls_assert ();
2586 goto cleanup;
2587 }
2588
2589 ret = 0;
2590 cleanup:
2591
2592 gnutls_pkcs11_obj_deinit (pcrt);
2593
2594 return ret;
2595 }
2596
2597
2598 /**
2599 * gnutls_x509_crt_import_pkcs11:
2600 * @crt: A certificate of type #gnutls_x509_crt_t
2601 * @pkcs11_crt: A PKCS 11 object that contains a certificate
2602 *
2603 * This function will import a PKCS 11 certificate to a #gnutls_x509_crt_t
2604 * structure.
2605 *
2606 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2607 * negative error value.
2608 *
2609 * Since: 2.12.0
2610 **/
2611 int
2612 gnutls_x509_crt_import_pkcs11 (gnutls_x509_crt_t crt,
2613 gnutls_pkcs11_obj_t pkcs11_crt)
2614 {
2615 return gnutls_x509_crt_import (crt, &pkcs11_crt->raw, GNUTLS_X509_FMT_DER);
2616 }
2617
2618 /**
2619 * gnutls_x509_crt_list_import_pkcs11:
2620 * @certs: A list of certificates of type #gnutls_x509_crt_t
2621 * @cert_max: The maximum size of the list
2622 * @objs: A list of PKCS 11 objects
2623 * @flags: 0 for now
2624 *
2625 * This function will import a PKCS 11 certificate list to a list of
2626 * #gnutls_x509_crt_t structure. These must not be initialized.
2627 *
2628 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2629 * negative error value.
2630 *
2631 * Since: 2.12.0
2632 **/
2633 int
2634 gnutls_x509_crt_list_import_pkcs11 (gnutls_x509_crt_t * certs,
2635 unsigned int cert_max,
2636 gnutls_pkcs11_obj_t * const objs,
2637 unsigned int flags)
2638 {
2639 unsigned int i, j;
2640 int ret;
2641
2642 for (i = 0; i < cert_max; i++)
2643 {
2644 ret = gnutls_x509_crt_init (&certs[i]);
2645 if (ret < 0)
2646 {
2647 gnutls_assert ();
2648 goto cleanup;
2649 }
2650
2651 ret = gnutls_x509_crt_import_pkcs11 (certs[i], objs[i]);
2652 if (ret < 0)
2653 {
2654 gnutls_assert ();
2655 goto cleanup;
2656 }
2657 }
2658
2659 return 0;
2660
2661 cleanup:
2662 for (j = 0; j < i; j++)
2663 {
2664 gnutls_x509_crt_deinit (certs[j]);
2665 }
2666
2667 return ret;
2668 }
2669
2670 static int
2671 find_flags (struct ck_function_list * module, ck_session_handle_t pks,
2672 struct token_info *info, struct ck_info *lib_info, void *input)
2673 {
2674 struct flags_find_data_st *find_data = input;
2675
2676 if (info == NULL)
2677 { /* we don't support multiple calls */
2678 gnutls_assert ();
2679 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2680 }
2681
2682 /* do not bother reading the token if basic fields do not match
2683 */
2684 if (!p11_kit_uri_match_token_info (find_data->info, &info->tinfo) ||
2685 !p11_kit_uri_match_module_info (find_data->info, lib_info))
2686 {
2687 gnutls_assert ();
2688 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2689 }
2690
2691 /* found token! */
2692
2693 find_data->slot_flags = info->sinfo.flags;
2694
2695 return 0;
2696 }
2697
2698 /**
2699 * gnutls_pkcs11_token_get_flags:
2700 * @url: should contain a PKCS 11 URL
2701 * @flags: The output flags (GNUTLS_PKCS11_TOKEN_*)
2702 *
2703 * This function will return information about the PKCS 11 token flags.
2704 * The flags from the %gnutls_pkcs11_token_info_t enumeration.
2705 *
2706 * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
2707 *
2708 * Since: 2.12.0
2709 **/
2710 int
2711 gnutls_pkcs11_token_get_flags (const char *url, unsigned int *flags)
2712 {
2713 struct flags_find_data_st find_data;
2714 int ret;
2715
2716 memset (&find_data, 0, sizeof (find_data));
2717 ret = pkcs11_url_to_info (url, &find_data.info);
2718 if (ret < 0)
2719 {
2720 gnutls_assert ();
2721 return ret;
2722 }
2723
2724 ret = _pkcs11_traverse_tokens (find_flags, &find_data, find_data.info, 0);
2725 p11_kit_uri_free (find_data.info);
2726
2727 if (ret < 0)
2728 {
2729 gnutls_assert ();
2730 return ret;
2731 }
2732
2733 *flags = 0;
2734 if (find_data.slot_flags & CKF_HW_SLOT)
2735 *flags |= GNUTLS_PKCS11_TOKEN_HW;
2736
2737 return 0;
2738
2739 }
2740
2741 /**
2742 * gnutls_pkcs11_token_get_mechanism:
2743 * @url: should contain a PKCS 11 URL
2744 * @idx: The index of the mechanism
2745 * @mechanism: The PKCS #11 mechanism ID
2746 *
2747 * This function will return the names of the supported mechanisms
2748 * by the token. It should be called with an increasing index until
2749 * it return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
2750 *
2751 * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
2752 *
2753 * Since: 2.12.0
2754 **/
2755 int
2756 gnutls_pkcs11_token_get_mechanism (const char *url, unsigned int idx,
2757 unsigned long *mechanism)
2758 {
2759 int ret;
2760 ck_rv_t rv;
2761 struct ck_function_list *module;
2762 ck_slot_id_t slot;
2763 struct token_info tinfo;
2764 struct p11_kit_uri *info = NULL;
2765 unsigned long count;
2766 ck_mechanism_type_t mlist[400];
2767
2768 ret = pkcs11_url_to_info (url, &info);
2769 if (ret < 0)
2770 {
2771 gnutls_assert ();
2772 return ret;
2773 }
2774
2775
2776 ret = pkcs11_find_slot (&module, &slot, info, &tinfo);
2777 p11_kit_uri_free (info);
2778
2779 if (ret < 0)
2780 {
2781 gnutls_assert ();
2782 return ret;
2783 }
2784
2785 count = sizeof (mlist) / sizeof (mlist[0]);
2786 rv = pkcs11_get_mechanism_list (module, slot, mlist, &count);
2787 if (rv != CKR_OK)
2788 {
2789 gnutls_assert ();
2790 return pkcs11_rv_to_err (rv);
2791 }
2792
2793 if (idx >= count)
2794 {
2795 gnutls_assert ();
2796 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2797 }
2798
2799 *mechanism = mlist[idx];
2800
2801 return 0;
2802
2803 }
2804
2805 /**
2806 * gnutls_pkcs11_type_get_name:
2807 * @type: Holds the PKCS 11 object type, a #gnutls_pkcs11_obj_type_t.
2808 *
2809 * This function will return a human readable description of the
2810 * PKCS11 object type @obj. It will return "Unknown" for unknown
2811 * types.
2812 *
2813 * Returns: human readable string labeling the PKCS11 object type
2814 * @type.
2815 *
2816 * Since: 2.12.0
2817 **/
2818 const char *
2819 gnutls_pkcs11_type_get_name (gnutls_pkcs11_obj_type_t type)
2820 {
2821 switch (type)
2822 {
2823 case GNUTLS_PKCS11_OBJ_X509_CRT:
2824 return "X.509 Certificate";
2825 case GNUTLS_PKCS11_OBJ_PUBKEY:
2826 return "Public key";
2827 case GNUTLS_PKCS11_OBJ_PRIVKEY:
2828 return "Private key";
2829 case GNUTLS_PKCS11_OBJ_SECRET_KEY:
2830 return "Secret key";
2831 case GNUTLS_PKCS11_OBJ_DATA:
2832 return "Data";
2833 case GNUTLS_PKCS11_OBJ_UNKNOWN:
2834 default:
2835 return "Unknown";
2836 }
2837 }
2838
2839 ck_rv_t
2840 pkcs11_get_slot_list (struct ck_function_list * module, unsigned char token_present,
2841 ck_slot_id_t *slot_list, unsigned long *count)
2842 {
2843 return (module)->C_GetSlotList (token_present, slot_list, count);
2844 }
2845
2846 ck_rv_t
2847 pkcs11_get_module_info (struct ck_function_list * module,
2848 struct ck_info * info)
2849 {
2850 return (module)->C_GetInfo (info);
2851 }
2852
2853 ck_rv_t
2854 pkcs11_get_slot_info(struct ck_function_list * module,
2855 ck_slot_id_t slot_id,
2856 struct ck_slot_info *info)
2857 {
2858 return (module)->C_GetSlotInfo (slot_id, info);
2859 }
2860
2861 ck_rv_t
2862 pkcs11_get_token_info (struct ck_function_list * module,
2863 ck_slot_id_t slot_id,
2864 struct ck_token_info *info)
2865 {
2866 return (module)->C_GetTokenInfo (slot_id, info);
2867 }
2868
2869 ck_rv_t
2870 pkcs11_find_objects_init (struct ck_function_list *module,
2871 ck_session_handle_t sess,
2872 struct ck_attribute *templ,
2873 unsigned long count)
2874 {
2875 return (module)->C_FindObjectsInit (sess, templ, count);
2876 }
2877
2878 ck_rv_t
2879 pkcs11_find_objects (struct ck_function_list *module,
2880 ck_session_handle_t sess,
2881 ck_object_handle_t *objects,
2882 unsigned long max_object_count,
2883 unsigned long *object_count)
2884 {
2885 return (module)->C_FindObjects (sess, objects, max_object_count, object_count);
2886 }
2887
2888 ck_rv_t
2889 pkcs11_find_objects_final (struct ck_function_list *module,
2890 ck_session_handle_t sess)
2891 {
2892 return (module)->C_FindObjectsFinal (sess);
2893 }
2894
2895 ck_rv_t
2896 pkcs11_close_session (struct ck_function_list *module,
2897 ck_session_handle_t sess)
2898 {
2899 return (module)->C_CloseSession (sess);
2900 }
2901
2902 ck_rv_t
2903 pkcs11_get_attribute_value(struct ck_function_list *module,
2904 ck_session_handle_t sess,
2905 ck_object_handle_t object,
2906 struct ck_attribute *templ,
2907 unsigned long count)
2908 {
2909 return (module)->C_GetAttributeValue (sess, object, templ, count);
2910 }
2911
2912 ck_rv_t
2913 pkcs11_get_mechanism_list (struct ck_function_list *module,
2914 ck_slot_id_t slot_id,
2915 ck_mechanism_type_t *mechanism_list,
2916 unsigned long *count)
2917 {
2918 return (module)->C_GetMechanismList (slot_id, mechanism_list, count);
2919 }
2920
2921 ck_rv_t
2922 pkcs11_sign_init (struct ck_function_list *module,
2923 ck_session_handle_t sess,
2924 struct ck_mechanism *mechanism,
2925 ck_object_handle_t key)
2926 {
2927 return (module)->C_SignInit (sess, mechanism, key);
2928 }
2929
2930 ck_rv_t
2931 pkcs11_sign (struct ck_function_list *module,
2932 ck_session_handle_t sess,
2933 unsigned char *data,
2934 unsigned long data_len,
2935 unsigned char *signature,
2936 unsigned long *signature_len)
2937 {
2938 return (module)->C_Sign (sess, data, data_len, signature, signature_len);
2939 }
2940
2941 ck_rv_t
2942 pkcs11_generate_key_pair (struct ck_function_list *module,
2943 ck_session_handle_t sess,
2944 struct ck_mechanism *mechanism,
2945 struct ck_attribute *pub_templ,
2946 unsigned long pub_templ_count,
2947 struct ck_attribute *priv_templ,
2948 unsigned long priv_templ_count,
2949 ck_object_handle_t *pub,
2950 ck_object_handle_t *priv)
2951 {
2952 return (module)->C_GenerateKeyPair (sess, mechanism, pub_templ, pub_templ_count,
2953 priv_templ, priv_templ_count, pub, priv);
2954 }
2955
2956 ck_rv_t
2957 pkcs11_decrypt_init (struct ck_function_list *module,
2958 ck_session_handle_t sess,
2959 struct ck_mechanism *mechanism,
2960 ck_object_handle_t key)
2961 {
2962 return (module)->C_DecryptInit (sess, mechanism, key);
2963 }
2964
2965 ck_rv_t
2966 pkcs11_decrypt (struct ck_function_list *module,
2967 ck_session_handle_t sess,
2968 unsigned char *encrypted_data,
2969 unsigned long encrypted_data_len,
2970 unsigned char *data, unsigned long *data_len)
2971 {
2972 return (module)->C_Decrypt (sess, encrypted_data, encrypted_data_len,
2973 data, data_len);
2974 }
2975
2976 ck_rv_t
2977 pkcs11_create_object (struct ck_function_list *module,
2978 ck_session_handle_t sess,
2979 struct ck_attribute *templ,
2980 unsigned long count,
2981 ck_object_handle_t *object)
2982 {
2983 return (module)->C_CreateObject (sess, templ, count, object);
2984 }
2985
2986 ck_rv_t
2987 pkcs11_destroy_object (struct ck_function_list *module,
2988 ck_session_handle_t sess,
2989 ck_object_handle_t object)
2990 {
2991 return (module)->C_DestroyObject (sess, object);
2992 }
2993
2994 ck_rv_t
2995 pkcs11_init_token (struct ck_function_list *module,
2996 ck_slot_id_t slot_id, unsigned char *pin,
2997 unsigned long pin_len, unsigned char *label)
2998 {
2999 return (module)->C_InitToken (slot_id, pin, pin_len, label);
3000 }
3001
3002 ck_rv_t
3003 pkcs11_init_pin (struct ck_function_list *module,
3004 ck_session_handle_t sess,
3005 unsigned char *pin,
3006 unsigned long pin_len)
3007 {
3008 return (module)->C_InitPIN (sess, pin, pin_len);
3009 }
3010
3011 ck_rv_t
3012 pkcs11_set_pin (struct ck_function_list *module,
3013 ck_session_handle_t sess,
3014 const char *old_pin,
3015 unsigned long old_len,
3016 const char *new_pin,
3017 unsigned long new_len)
3018 {
3019 return (module)->C_SetPIN (sess, (uint8_t*)old_pin, old_len, (uint8_t*)new_pin, new_len);
3020 }
3021
3022 const char *
3023 pkcs11_strerror (ck_rv_t rv)
3024 {
3025 return p11_kit_strerror (rv);
3026 }
Implementation of the SSL/TLS protocol