1 /*
2 * Copyright (c) 2004 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35 #ifdef HAVE_DLFCN_H
36 #include <dlfcn.h>
37 #endif
38
39 #ifdef HAVE_DLOPEN
40
41 #include "pkcs11.h"
42
43 struct p11_slot {
44 int flags;
45 #define P11_SESSION 1
46 #define P11_SESSION_IN_USE 2
47 #define P11_LOGIN_REQ 4
48 #define P11_LOGIN_DONE 8
49 #define P11_TOKEN_PRESENT 16
50 CK_SESSION_HANDLE session;
51 CK_SLOT_ID id;
52 CK_BBOOL token;
53 char *name;
54 hx509_certs certs;
55 char *pin;
56 struct {
57 CK_MECHANISM_TYPE_PTR list;
58 CK_ULONG num;
59 CK_MECHANISM_INFO_PTR *infos;
60 } mechs;
61 };
62
63 struct p11_module {
64 void *dl_handle;
65 CK_FUNCTION_LIST_PTR funcs;
66 CK_ULONG num_slots;
67 unsigned int ref;
68 struct p11_slot *slot;
69 };
70
71 #define P11FUNC(module,f,args) (*(module)->funcs->C_##f)args
72
73 static int p11_get_session(hx509_context,
74 struct p11_module *,
75 struct p11_slot *,
76 hx509_lock,
77 CK_SESSION_HANDLE *);
78 static int p11_put_session(struct p11_module *,
79 struct p11_slot *,
80 CK_SESSION_HANDLE);
81 static void p11_release_module(struct p11_module *);
82
83 static int p11_list_keys(hx509_context,
84 struct p11_module *,
85 struct p11_slot *,
86 CK_SESSION_HANDLE,
87 hx509_lock,
88 hx509_certs *);
89
90 /*
91 *
92 */
93
94 struct p11_rsa {
95 struct p11_module *p;
96 struct p11_slot *slot;
97 CK_OBJECT_HANDLE private_key;
98 CK_OBJECT_HANDLE public_key;
99 };
100
101 static int
p11_rsa_public_encrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)102 p11_rsa_public_encrypt(int flen,
103 const unsigned char *from,
104 unsigned char *to,
105 RSA *rsa,
106 int padding)
107 {
108 return -1;
109 }
110
111 static int
p11_rsa_public_decrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)112 p11_rsa_public_decrypt(int flen,
113 const unsigned char *from,
114 unsigned char *to,
115 RSA *rsa,
116 int padding)
117 {
118 return -1;
119 }
120
121
122 static int
p11_rsa_private_encrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)123 p11_rsa_private_encrypt(int flen,
124 const unsigned char *from,
125 unsigned char *to,
126 RSA *rsa,
127 int padding)
128 {
129 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
130 CK_OBJECT_HANDLE key = p11rsa->private_key;
131 CK_SESSION_HANDLE session;
132 CK_MECHANISM mechanism;
133 CK_ULONG ck_sigsize;
134 int ret;
135
136 if (padding != RSA_PKCS1_PADDING)
137 return -1;
138
139 memset(&mechanism, 0, sizeof(mechanism));
140 mechanism.mechanism = CKM_RSA_PKCS;
141
142 ck_sigsize = RSA_size(rsa);
143
144 ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
145 if (ret)
146 return -1;
147
148 ret = P11FUNC(p11rsa->p, SignInit, (session, &mechanism, key));
149 if (ret != CKR_OK) {
150 p11_put_session(p11rsa->p, p11rsa->slot, session);
151 return -1;
152 }
153
154 ret = P11FUNC(p11rsa->p, Sign,
155 (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
156 p11_put_session(p11rsa->p, p11rsa->slot, session);
157 if (ret != CKR_OK)
158 return -1;
159
160 return ck_sigsize;
161 }
162
163 static int
p11_rsa_private_decrypt(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)164 p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
165 RSA * rsa, int padding)
166 {
167 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
168 CK_OBJECT_HANDLE key = p11rsa->private_key;
169 CK_SESSION_HANDLE session;
170 CK_MECHANISM mechanism;
171 CK_ULONG ck_sigsize;
172 int ret;
173
174 if (padding != RSA_PKCS1_PADDING)
175 return -1;
176
177 memset(&mechanism, 0, sizeof(mechanism));
178 mechanism.mechanism = CKM_RSA_PKCS;
179
180 ck_sigsize = RSA_size(rsa);
181
182 ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
183 if (ret)
184 return -1;
185
186 ret = P11FUNC(p11rsa->p, DecryptInit, (session, &mechanism, key));
187 if (ret != CKR_OK) {
188 p11_put_session(p11rsa->p, p11rsa->slot, session);
189 return -1;
190 }
191
192 ret = P11FUNC(p11rsa->p, Decrypt,
193 (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
194 p11_put_session(p11rsa->p, p11rsa->slot, session);
195 if (ret != CKR_OK)
196 return -1;
197
198 return ck_sigsize;
199 }
200
201 static int
p11_rsa_init(RSA * rsa)202 p11_rsa_init(RSA *rsa)
203 {
204 return 1;
205 }
206
207 static int
p11_rsa_finish(RSA * rsa)208 p11_rsa_finish(RSA *rsa)
209 {
210 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
211 p11_release_module(p11rsa->p);
212 free(p11rsa);
213 return 1;
214 }
215
216 static const RSA_METHOD *
get_p11_rsa_pkcs1_method(void)217 get_p11_rsa_pkcs1_method(void)
218 {
219 static const RSA_METHOD *p11_rsa_pkcs1_method;
220 RSA_METHOD *new_method;
221
222 if (p11_rsa_pkcs1_method != NULL)
223 return p11_rsa_pkcs1_method;
224
225 new_method = RSA_meth_new("hx509 PKCS11 PKCS#1 RSA", 0);
226 if (new_method == NULL)
227 return NULL;
228
229 if (RSA_meth_set_pub_enc(new_method, p11_rsa_public_encrypt) != 1)
230 goto out;
231
232 if (RSA_meth_set_pub_dec(new_method, p11_rsa_public_decrypt) != 1)
233 goto out;
234
235 if (RSA_meth_set_priv_enc(new_method, p11_rsa_private_encrypt) != 1)
236 goto out;
237
238 if (RSA_meth_set_priv_dec(new_method, p11_rsa_private_decrypt) != 1)
239 goto out;
240
241 if (RSA_meth_set_init(new_method, p11_rsa_init) != 1)
242 goto out;
243
244 if (RSA_meth_set_finish(new_method, p11_rsa_finish) != 1)
245 goto out;
246
247 /*
248 * This might overwrite a previously-created method if multiple
249 * threads invoke this concurrently which will leak memory.
250 */
251 p11_rsa_pkcs1_method = new_method;
252 return p11_rsa_pkcs1_method;
253 out:
254 RSA_meth_free(new_method);
255 return NULL;
256 }
257
258 /*
259 *
260 */
261
262 static int
p11_mech_info(hx509_context context,struct p11_module * p,struct p11_slot * slot,int num)263 p11_mech_info(hx509_context context,
264 struct p11_module *p,
265 struct p11_slot *slot,
266 int num)
267 {
268 CK_ULONG i;
269 int ret;
270
271 ret = P11FUNC(p, GetMechanismList, (slot->id, NULL_PTR, &i));
272 if (ret) {
273 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
274 "Failed to get mech list count for slot %d",
275 num);
276 return HX509_PKCS11_NO_MECH;
277 }
278 if (i == 0) {
279 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
280 "no mech supported for slot %d", num);
281 return HX509_PKCS11_NO_MECH;
282 }
283 slot->mechs.list = calloc(i, sizeof(slot->mechs.list[0]));
284 if (slot->mechs.list == NULL) {
285 hx509_set_error_string(context, 0, ENOMEM,
286 "out of memory");
287 return ENOMEM;
288 }
289 slot->mechs.num = i;
290 ret = P11FUNC(p, GetMechanismList, (slot->id, slot->mechs.list, &i));
291 if (ret) {
292 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
293 "Failed to get mech list for slot %d",
294 num);
295 return HX509_PKCS11_NO_MECH;
296 }
297 assert(i == slot->mechs.num);
298
299 slot->mechs.infos = calloc(i, sizeof(*slot->mechs.infos));
300 if (slot->mechs.list == NULL) {
301 hx509_set_error_string(context, 0, ENOMEM,
302 "out of memory");
303 return ENOMEM;
304 }
305
306 for (i = 0; i < slot->mechs.num; i++) {
307 slot->mechs.infos[i] = calloc(1, sizeof(*(slot->mechs.infos[0])));
308 if (slot->mechs.infos[i] == NULL) {
309 hx509_set_error_string(context, 0, ENOMEM,
310 "out of memory");
311 return ENOMEM;
312 }
313 ret = P11FUNC(p, GetMechanismInfo, (slot->id, slot->mechs.list[i],
314 slot->mechs.infos[i]));
315 if (ret) {
316 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
317 "Failed to get mech info for slot %d",
318 num);
319 return HX509_PKCS11_NO_MECH;
320 }
321 }
322
323 return 0;
324 }
325
326 static int
p11_init_slot(hx509_context context,struct p11_module * p,hx509_lock lock,CK_SLOT_ID id,int num,struct p11_slot * slot)327 p11_init_slot(hx509_context context,
328 struct p11_module *p,
329 hx509_lock lock,
330 CK_SLOT_ID id,
331 int num,
332 struct p11_slot *slot)
333 {
334 CK_SESSION_HANDLE session;
335 CK_SLOT_INFO slot_info;
336 CK_TOKEN_INFO token_info;
337 size_t i;
338 int ret;
339
340 slot->certs = NULL;
341 slot->id = id;
342
343 ret = P11FUNC(p, GetSlotInfo, (slot->id, &slot_info));
344 if (ret) {
345 hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
346 "Failed to init PKCS11 slot %d",
347 num);
348 return HX509_PKCS11_TOKEN_CONFUSED;
349 }
350
351 for (i = sizeof(slot_info.slotDescription) - 1; i > 0; i--) {
352 char c = slot_info.slotDescription[i];
353 if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\0')
354 continue;
355 i++;
356 break;
357 }
358
359 asprintf(&slot->name, "%.*s",
360 (int)i, slot_info.slotDescription);
361
362 if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
363 return 0;
364
365 ret = P11FUNC(p, GetTokenInfo, (slot->id, &token_info));
366 if (ret) {
367 hx509_set_error_string(context, 0, HX509_PKCS11_NO_TOKEN,
368 "Failed to init PKCS11 slot %d "
369 "with error 0x08x",
370 num, ret);
371 return HX509_PKCS11_NO_TOKEN;
372 }
373 slot->flags |= P11_TOKEN_PRESENT;
374
375 if (token_info.flags & CKF_LOGIN_REQUIRED)
376 slot->flags |= P11_LOGIN_REQ;
377
378 ret = p11_get_session(context, p, slot, lock, &session);
379 if (ret)
380 return ret;
381
382 ret = p11_mech_info(context, p, slot, num);
383 if (ret)
384 goto out;
385
386 ret = p11_list_keys(context, p, slot, session, lock, &slot->certs);
387 out:
388 p11_put_session(p, slot, session);
389
390 return ret;
391 }
392
393 static int
p11_get_session(hx509_context context,struct p11_module * p,struct p11_slot * slot,hx509_lock lock,CK_SESSION_HANDLE * psession)394 p11_get_session(hx509_context context,
395 struct p11_module *p,
396 struct p11_slot *slot,
397 hx509_lock lock,
398 CK_SESSION_HANDLE *psession)
399 {
400 CK_RV ret;
401
402 if (slot->flags & P11_SESSION_IN_USE)
403 _hx509_abort("slot already in session");
404
405 if (slot->flags & P11_SESSION) {
406 slot->flags |= P11_SESSION_IN_USE;
407 *psession = slot->session;
408 return 0;
409 }
410
411 ret = P11FUNC(p, OpenSession, (slot->id,
412 CKF_SERIAL_SESSION,
413 NULL,
414 NULL,
415 &slot->session));
416 if (ret != CKR_OK) {
417 if (context)
418 hx509_set_error_string(context, 0, HX509_PKCS11_OPEN_SESSION,
419 "Failed to OpenSession for slot id %d "
420 "with error: 0x%08x",
421 (int)slot->id, ret);
422 return HX509_PKCS11_OPEN_SESSION;
423 }
424
425 slot->flags |= P11_SESSION;
426
427 /*
428 * If we have have to login, and haven't tried before and have a
429 * prompter or known to work pin code.
430 *
431 * This code is very conversative and only uses the prompter in
432 * the hx509_lock, the reason is that it's bad to try many
433 * passwords on a pkcs11 token, it might lock up and have to be
434 * unlocked by a administrator.
435 *
436 * XXX try harder to not use pin several times on the same card.
437 */
438
439 if ( (slot->flags & P11_LOGIN_REQ)
440 && (slot->flags & P11_LOGIN_DONE) == 0
441 && (lock || slot->pin))
442 {
443 hx509_prompt prompt;
444 char pin[20];
445 char *str;
446
447 if (slot->pin == NULL) {
448
449 memset(&prompt, 0, sizeof(prompt));
450
451 asprintf(&str, "PIN code for %s: ", slot->name);
452 prompt.prompt = str;
453 prompt.type = HX509_PROMPT_TYPE_PASSWORD;
454 prompt.reply.data = pin;
455 prompt.reply.length = sizeof(pin);
456
457 ret = hx509_lock_prompt(lock, &prompt);
458 if (ret) {
459 free(str);
460 if (context)
461 hx509_set_error_string(context, 0, ret,
462 "Failed to get pin code for slot "
463 "id %d with error: %d",
464 (int)slot->id, ret);
465 return ret;
466 }
467 free(str);
468 } else {
469 strlcpy(pin, slot->pin, sizeof(pin));
470 }
471
472 ret = P11FUNC(p, Login, (slot->session, CKU_USER,
473 (unsigned char*)pin, strlen(pin)));
474 if (ret != CKR_OK) {
475 if (context)
476 hx509_set_error_string(context, 0, HX509_PKCS11_LOGIN,
477 "Failed to login on slot id %d "
478 "with error: 0x%08x",
479 (int)slot->id, ret);
480 return HX509_PKCS11_LOGIN;
481 } else
482 slot->flags |= P11_LOGIN_DONE;
483
484 if (slot->pin == NULL) {
485 slot->pin = strdup(pin);
486 if (slot->pin == NULL) {
487 if (context)
488 hx509_set_error_string(context, 0, ENOMEM,
489 "out of memory");
490 return ENOMEM;
491 }
492 }
493 } else
494 slot->flags |= P11_LOGIN_DONE;
495
496 slot->flags |= P11_SESSION_IN_USE;
497
498 *psession = slot->session;
499
500 return 0;
501 }
502
503 static int
p11_put_session(struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session)504 p11_put_session(struct p11_module *p,
505 struct p11_slot *slot,
506 CK_SESSION_HANDLE session)
507 {
508 if ((slot->flags & P11_SESSION_IN_USE) == 0)
509 _hx509_abort("slot not in session");
510 slot->flags &= ~P11_SESSION_IN_USE;
511
512 return 0;
513 }
514
515 static int
iterate_entries(hx509_context context,struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session,CK_ATTRIBUTE * search_data,int num_search_data,CK_ATTRIBUTE * query,int num_query,int (* func)(hx509_context,struct p11_module *,struct p11_slot *,CK_SESSION_HANDLE session,CK_OBJECT_HANDLE object,void *,CK_ATTRIBUTE *,int),void * ptr)516 iterate_entries(hx509_context context,
517 struct p11_module *p, struct p11_slot *slot,
518 CK_SESSION_HANDLE session,
519 CK_ATTRIBUTE *search_data, int num_search_data,
520 CK_ATTRIBUTE *query, int num_query,
521 int (*func)(hx509_context,
522 struct p11_module *, struct p11_slot *,
523 CK_SESSION_HANDLE session,
524 CK_OBJECT_HANDLE object,
525 void *, CK_ATTRIBUTE *, int), void *ptr)
526 {
527 CK_OBJECT_HANDLE object;
528 CK_ULONG object_count;
529 int ret, ret2, i;
530
531 ret = P11FUNC(p, FindObjectsInit, (session, search_data, num_search_data));
532 if (ret != CKR_OK) {
533 return -1;
534 }
535 while (1) {
536 ret = P11FUNC(p, FindObjects, (session, &object, 1, &object_count));
537 if (ret != CKR_OK) {
538 return -1;
539 }
540 if (object_count == 0)
541 break;
542
543 for (i = 0; i < num_query; i++)
544 query[i].pValue = NULL;
545
546 ret = P11FUNC(p, GetAttributeValue,
547 (session, object, query, num_query));
548 if (ret != CKR_OK) {
549 return -1;
550 }
551 for (i = 0; i < num_query; i++) {
552 query[i].pValue = malloc(query[i].ulValueLen);
553 if (query[i].pValue == NULL) {
554 ret = ENOMEM;
555 goto out;
556 }
557 }
558 ret = P11FUNC(p, GetAttributeValue,
559 (session, object, query, num_query));
560 if (ret != CKR_OK) {
561 ret = -1;
562 goto out;
563 }
564
565 ret = (*func)(context, p, slot, session, object, ptr, query, num_query);
566 if (ret)
567 goto out;
568
569 for (i = 0; i < num_query; i++) {
570 if (query[i].pValue)
571 free(query[i].pValue);
572 query[i].pValue = NULL;
573 }
574 }
575 out:
576
577 for (i = 0; i < num_query; i++) {
578 if (query[i].pValue)
579 free(query[i].pValue);
580 query[i].pValue = NULL;
581 }
582
583 ret2 = P11FUNC(p, FindObjectsFinal, (session));
584 if (ret2 != CKR_OK) {
585 return ret2;
586 }
587
588 return ret;
589 }
590
591 static BIGNUM *
getattr_bn(struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session,CK_OBJECT_HANDLE object,unsigned int type)592 getattr_bn(struct p11_module *p,
593 struct p11_slot *slot,
594 CK_SESSION_HANDLE session,
595 CK_OBJECT_HANDLE object,
596 unsigned int type)
597 {
598 CK_ATTRIBUTE query;
599 BIGNUM *bn;
600 int ret;
601
602 query.type = type;
603 query.pValue = NULL;
604 query.ulValueLen = 0;
605
606 ret = P11FUNC(p, GetAttributeValue,
607 (session, object, &query, 1));
608 if (ret != CKR_OK)
609 return NULL;
610
611 query.pValue = malloc(query.ulValueLen);
612
613 ret = P11FUNC(p, GetAttributeValue,
614 (session, object, &query, 1));
615 if (ret != CKR_OK) {
616 free(query.pValue);
617 return NULL;
618 }
619 bn = BN_bin2bn(query.pValue, query.ulValueLen, NULL);
620 free(query.pValue);
621
622 return bn;
623 }
624
625 static int
collect_private_key(hx509_context context,struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session,CK_OBJECT_HANDLE object,void * ptr,CK_ATTRIBUTE * query,int num_query)626 collect_private_key(hx509_context context,
627 struct p11_module *p, struct p11_slot *slot,
628 CK_SESSION_HANDLE session,
629 CK_OBJECT_HANDLE object,
630 void *ptr, CK_ATTRIBUTE *query, int num_query)
631 {
632 struct hx509_collector *collector = ptr;
633 hx509_private_key key;
634 heim_octet_string localKeyId;
635 int ret;
636 const RSA_METHOD *meth;
637 BIGNUM *n, *e;
638 RSA *rsa;
639 struct p11_rsa *p11rsa;
640
641 localKeyId.data = query[0].pValue;
642 localKeyId.length = query[0].ulValueLen;
643
644 ret = hx509_private_key_init(&key, NULL, NULL);
645 if (ret)
646 return ret;
647
648 rsa = RSA_new();
649 if (rsa == NULL)
650 _hx509_abort("out of memory");
651
652 /*
653 * The exponent and modulus should always be present according to
654 * the pkcs11 specification, but some smartcards leaves it out,
655 * let ignore any failure to fetch it.
656 */
657 n = getattr_bn(p, slot, session, object, CKA_MODULUS);
658 e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
659 if (RSA_set0_key(rsa, n, e, NULL) != 1) {
660 BN_free(n);
661 BN_free(e);
662 RSA_free(rsa);
663 hx509_private_key_free(&key);
664 return EINVAL;
665 }
666
667 p11rsa = calloc(1, sizeof(*p11rsa));
668 if (p11rsa == NULL)
669 _hx509_abort("out of memory");
670
671 p11rsa->p = p;
672 p11rsa->slot = slot;
673 p11rsa->private_key = object;
674
675 if (p->ref == 0)
676 _hx509_abort("pkcs11 ref == 0 on alloc");
677 p->ref++;
678 if (p->ref == UINT_MAX)
679 _hx509_abort("pkcs11 ref == UINT_MAX on alloc");
680
681 meth = get_p11_rsa_pkcs1_method();
682 if (meth == NULL)
683 _hx509_abort("failed to create RSA method");
684 RSA_set_method(rsa, meth);
685 ret = RSA_set_app_data(rsa, p11rsa);
686 if (ret != 1)
687 _hx509_abort("RSA_set_app_data");
688
689 hx509_private_key_assign_rsa(key, rsa);
690
691 ret = _hx509_collector_private_key_add(context,
692 collector,
693 hx509_signature_rsa(),
694 key,
695 NULL,
696 &localKeyId);
697
698 if (ret) {
699 hx509_private_key_free(&key);
700 return ret;
701 }
702 return 0;
703 }
704
705 static void
p11_cert_release(hx509_cert cert,void * ctx)706 p11_cert_release(hx509_cert cert, void *ctx)
707 {
708 struct p11_module *p = ctx;
709 p11_release_module(p);
710 }
711
712
713 static int
collect_cert(hx509_context context,struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session,CK_OBJECT_HANDLE object,void * ptr,CK_ATTRIBUTE * query,int num_query)714 collect_cert(hx509_context context,
715 struct p11_module *p, struct p11_slot *slot,
716 CK_SESSION_HANDLE session,
717 CK_OBJECT_HANDLE object,
718 void *ptr, CK_ATTRIBUTE *query, int num_query)
719 {
720 struct hx509_collector *collector = ptr;
721 hx509_cert cert;
722 int ret;
723
724 if ((CK_LONG)query[0].ulValueLen == -1 ||
725 (CK_LONG)query[1].ulValueLen == -1)
726 {
727 return 0;
728 }
729
730 ret = hx509_cert_init_data(context, query[1].pValue,
731 query[1].ulValueLen, &cert);
732 if (ret)
733 return ret;
734
735 if (p->ref == 0)
736 _hx509_abort("pkcs11 ref == 0 on alloc");
737 p->ref++;
738 if (p->ref == UINT_MAX)
739 _hx509_abort("pkcs11 ref to high");
740
741 _hx509_cert_set_release(cert, p11_cert_release, p);
742
743 {
744 heim_octet_string data;
745
746 data.data = query[0].pValue;
747 data.length = query[0].ulValueLen;
748
749 _hx509_set_cert_attribute(context,
750 cert,
751 &asn1_oid_id_pkcs_9_at_localKeyId,
752 &data);
753 }
754
755 if ((CK_LONG)query[2].ulValueLen != -1) {
756 char *str;
757
758 asprintf(&str, "%.*s",
759 (int)query[2].ulValueLen, (char *)query[2].pValue);
760 if (str) {
761 hx509_cert_set_friendly_name(cert, str);
762 free(str);
763 }
764 }
765
766 ret = _hx509_collector_certs_add(context, collector, cert);
767 hx509_cert_free(cert);
768
769 return ret;
770 }
771
772
773 static int
p11_list_keys(hx509_context context,struct p11_module * p,struct p11_slot * slot,CK_SESSION_HANDLE session,hx509_lock lock,hx509_certs * certs)774 p11_list_keys(hx509_context context,
775 struct p11_module *p,
776 struct p11_slot *slot,
777 CK_SESSION_HANDLE session,
778 hx509_lock lock,
779 hx509_certs *certs)
780 {
781 struct hx509_collector *collector;
782 CK_OBJECT_CLASS key_class;
783 CK_ATTRIBUTE search_data[] = {
784 {CKA_CLASS, NULL, 0},
785 };
786 CK_ATTRIBUTE query_data[3] = {
787 {CKA_ID, NULL, 0},
788 {CKA_VALUE, NULL, 0},
789 {CKA_LABEL, NULL, 0}
790 };
791 int ret;
792
793 search_data[0].pValue = &key_class;
794 search_data[0].ulValueLen = sizeof(key_class);
795
796 if (lock == NULL)
797 lock = _hx509_empty_lock;
798
799 ret = _hx509_collector_alloc(context, lock, &collector);
800 if (ret)
801 return ret;
802
803 key_class = CKO_PRIVATE_KEY;
804 ret = iterate_entries(context, p, slot, session,
805 search_data, 1,
806 query_data, 1,
807 collect_private_key, collector);
808 if (ret)
809 goto out;
810
811 key_class = CKO_CERTIFICATE;
812 ret = iterate_entries(context, p, slot, session,
813 search_data, 1,
814 query_data, 3,
815 collect_cert, collector);
816 if (ret)
817 goto out;
818
819 ret = _hx509_collector_collect_certs(context, collector, &slot->certs);
820
821 out:
822 _hx509_collector_free(collector);
823
824 return ret;
825 }
826
827
828 static int
p11_init(hx509_context context,hx509_certs certs,void ** data,int flags,const char * residue,hx509_lock lock)829 p11_init(hx509_context context,
830 hx509_certs certs, void **data, int flags,
831 const char *residue, hx509_lock lock)
832 {
833 CK_C_GetFunctionList getFuncs;
834 struct p11_module *p;
835 char *list, *str;
836 int ret;
837
838 *data = NULL;
839
840 list = strdup(residue);
841 if (list == NULL)
842 return ENOMEM;
843
844 p = calloc(1, sizeof(*p));
845 if (p == NULL) {
846 free(list);
847 return ENOMEM;
848 }
849
850 p->ref = 1;
851
852 str = strchr(list, ',');
853 if (str)
854 *str++ = '\0';
855 while (str) {
856 char *strnext;
857 strnext = strchr(str, ',');
858 if (strnext)
859 *strnext++ = '\0';
860 #if 0
861 if (strncasecmp(str, "slot=", 5) == 0)
862 p->selected_slot = atoi(str + 5);
863 #endif
864 str = strnext;
865 }
866
867 p->dl_handle = dlopen(list, RTLD_NOW);
868 free(list);
869 if (p->dl_handle == NULL) {
870 ret = HX509_PKCS11_LOAD;
871 hx509_set_error_string(context, 0, ret,
872 "Failed to open %s: %s", list, dlerror());
873 goto out;
874 }
875
876 getFuncs = (CK_C_GetFunctionList) dlsym(p->dl_handle, "C_GetFunctionList");
877 if (getFuncs == NULL) {
878 ret = HX509_PKCS11_LOAD;
879 hx509_set_error_string(context, 0, ret,
880 "C_GetFunctionList missing in %s: %s",
881 list, dlerror());
882 goto out;
883 }
884
885 ret = (*getFuncs)(&p->funcs);
886 if (ret) {
887 ret = HX509_PKCS11_LOAD;
888 hx509_set_error_string(context, 0, ret,
889 "C_GetFunctionList failed in %s", list);
890 goto out;
891 }
892
893 ret = P11FUNC(p, Initialize, (NULL_PTR));
894 if (ret != CKR_OK) {
895 ret = HX509_PKCS11_TOKEN_CONFUSED;
896 hx509_set_error_string(context, 0, ret,
897 "Failed initialize the PKCS11 module");
898 goto out;
899 }
900
901 ret = P11FUNC(p, GetSlotList, (FALSE, NULL, &p->num_slots));
902 if (ret) {
903 ret = HX509_PKCS11_TOKEN_CONFUSED;
904 hx509_set_error_string(context, 0, ret,
905 "Failed to get number of PKCS11 slots");
906 goto out;
907 }
908
909 if (p->num_slots == 0) {
910 ret = HX509_PKCS11_NO_SLOT;
911 hx509_set_error_string(context, 0, ret,
912 "Selected PKCS11 module have no slots");
913 goto out;
914 }
915
916
917 {
918 CK_SLOT_ID_PTR slot_ids;
919 int num_tokens = 0;
920 size_t i;
921
922 slot_ids = malloc(p->num_slots * sizeof(*slot_ids));
923 if (slot_ids == NULL) {
924 hx509_clear_error_string(context);
925 ret = ENOMEM;
926 goto out;
927 }
928
929 ret = P11FUNC(p, GetSlotList, (FALSE, slot_ids, &p->num_slots));
930 if (ret) {
931 free(slot_ids);
932 hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
933 "Failed getting slot-list from "
934 "PKCS11 module");
935 ret = HX509_PKCS11_TOKEN_CONFUSED;
936 goto out;
937 }
938
939 p->slot = calloc(p->num_slots, sizeof(p->slot[0]));
940 if (p->slot == NULL) {
941 free(slot_ids);
942 hx509_set_error_string(context, 0, ENOMEM,
943 "Failed to get memory for slot-list");
944 ret = ENOMEM;
945 goto out;
946 }
947
948 for (i = 0; i < p->num_slots; i++) {
949 ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);
950 if (ret)
951 break;
952 if (p->slot[i].flags & P11_TOKEN_PRESENT)
953 num_tokens++;
954 }
955 free(slot_ids);
956 if (ret)
957 goto out;
958 if (num_tokens == 0) {
959 ret = HX509_PKCS11_NO_TOKEN;
960 goto out;
961 }
962 }
963
964 *data = p;
965
966 return 0;
967 out:
968 p11_release_module(p);
969 return ret;
970 }
971
972 static void
p11_release_module(struct p11_module * p)973 p11_release_module(struct p11_module *p)
974 {
975 size_t i;
976
977 if (p->ref == 0)
978 _hx509_abort("pkcs11 ref to low");
979 if (--p->ref > 0)
980 return;
981
982 for (i = 0; i < p->num_slots; i++) {
983 if (p->slot[i].flags & P11_SESSION_IN_USE)
984 _hx509_abort("pkcs11 module release while session in use");
985 if (p->slot[i].flags & P11_SESSION) {
986 P11FUNC(p, CloseSession, (p->slot[i].session));
987 }
988
989 if (p->slot[i].name)
990 free(p->slot[i].name);
991 if (p->slot[i].pin) {
992 memset(p->slot[i].pin, 0, strlen(p->slot[i].pin));
993 free(p->slot[i].pin);
994 }
995 if (p->slot[i].mechs.num) {
996 free(p->slot[i].mechs.list);
997
998 if (p->slot[i].mechs.infos) {
999 size_t j;
1000
1001 for (j = 0 ; j < p->slot[i].mechs.num ; j++)
1002 free(p->slot[i].mechs.infos[j]);
1003 free(p->slot[i].mechs.infos);
1004 }
1005 }
1006 }
1007 free(p->slot);
1008
1009 if (p->funcs)
1010 P11FUNC(p, Finalize, (NULL));
1011
1012 if (p->dl_handle)
1013 dlclose(p->dl_handle);
1014
1015 memset(p, 0, sizeof(*p));
1016 free(p);
1017 }
1018
1019 static int
p11_free(hx509_certs certs,void * data)1020 p11_free(hx509_certs certs, void *data)
1021 {
1022 struct p11_module *p = data;
1023 size_t i;
1024
1025 for (i = 0; i < p->num_slots; i++) {
1026 if (p->slot[i].certs)
1027 hx509_certs_free(&p->slot[i].certs);
1028 }
1029 p11_release_module(p);
1030 return 0;
1031 }
1032
1033 struct p11_cursor {
1034 hx509_certs certs;
1035 void *cursor;
1036 };
1037
1038 static int
p11_iter_start(hx509_context context,hx509_certs certs,void * data,void ** cursor)1039 p11_iter_start(hx509_context context,
1040 hx509_certs certs, void *data, void **cursor)
1041 {
1042 struct p11_module *p = data;
1043 struct p11_cursor *c;
1044 int ret;
1045 size_t i;
1046
1047 c = malloc(sizeof(*c));
1048 if (c == NULL) {
1049 hx509_clear_error_string(context);
1050 return ENOMEM;
1051 }
1052 ret = hx509_certs_init(context, "MEMORY:pkcs11-iter", 0, NULL, &c->certs);
1053 if (ret) {
1054 free(c);
1055 return ret;
1056 }
1057
1058 for (i = 0 ; i < p->num_slots; i++) {
1059 if (p->slot[i].certs == NULL)
1060 continue;
1061 ret = hx509_certs_merge(context, c->certs, p->slot[i].certs);
1062 if (ret) {
1063 hx509_certs_free(&c->certs);
1064 free(c);
1065 return ret;
1066 }
1067 }
1068
1069 ret = hx509_certs_start_seq(context, c->certs, &c->cursor);
1070 if (ret) {
1071 hx509_certs_free(&c->certs);
1072 free(c);
1073 return 0;
1074 }
1075 *cursor = c;
1076
1077 return 0;
1078 }
1079
1080 static int
p11_iter(hx509_context context,hx509_certs certs,void * data,void * cursor,hx509_cert * cert)1081 p11_iter(hx509_context context,
1082 hx509_certs certs, void *data, void *cursor, hx509_cert *cert)
1083 {
1084 struct p11_cursor *c = cursor;
1085 return hx509_certs_next_cert(context, c->certs, c->cursor, cert);
1086 }
1087
1088 static int
p11_iter_end(hx509_context context,hx509_certs certs,void * data,void * cursor)1089 p11_iter_end(hx509_context context,
1090 hx509_certs certs, void *data, void *cursor)
1091 {
1092 struct p11_cursor *c = cursor;
1093 int ret;
1094 ret = hx509_certs_end_seq(context, c->certs, c->cursor);
1095 hx509_certs_free(&c->certs);
1096 free(c);
1097 return ret;
1098 }
1099
1100 #define MECHFLAG(x) { "unknown-flag-" #x, x }
1101 static struct units mechflags[] = {
1102 MECHFLAG(0x80000000),
1103 MECHFLAG(0x40000000),
1104 MECHFLAG(0x20000000),
1105 MECHFLAG(0x10000000),
1106 MECHFLAG(0x08000000),
1107 MECHFLAG(0x04000000),
1108 {"ec-compress", 0x2000000 },
1109 {"ec-uncompress", 0x1000000 },
1110 {"ec-namedcurve", 0x0800000 },
1111 {"ec-ecparameters", 0x0400000 },
1112 {"ec-f-2m", 0x0200000 },
1113 {"ec-f-p", 0x0100000 },
1114 {"derive", 0x0080000 },
1115 {"unwrap", 0x0040000 },
1116 {"wrap", 0x0020000 },
1117 {"genereate-key-pair", 0x0010000 },
1118 {"generate", 0x0008000 },
1119 {"verify-recover", 0x0004000 },
1120 {"verify", 0x0002000 },
1121 {"sign-recover", 0x0001000 },
1122 {"sign", 0x0000800 },
1123 {"digest", 0x0000400 },
1124 {"decrypt", 0x0000200 },
1125 {"encrypt", 0x0000100 },
1126 MECHFLAG(0x00080),
1127 MECHFLAG(0x00040),
1128 MECHFLAG(0x00020),
1129 MECHFLAG(0x00010),
1130 MECHFLAG(0x00008),
1131 MECHFLAG(0x00004),
1132 MECHFLAG(0x00002),
1133 {"hw", 0x0000001 },
1134 { NULL, 0x0000000 }
1135 };
1136 #undef MECHFLAG
1137
1138 static int
p11_printinfo(hx509_context context,hx509_certs certs,void * data,int (* func)(void *,const char *),void * ctx)1139 p11_printinfo(hx509_context context,
1140 hx509_certs certs,
1141 void *data,
1142 int (*func)(void *, const char *),
1143 void *ctx)
1144 {
1145 struct p11_module *p = data;
1146 size_t i, j;
1147
1148 _hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s",
1149 p->num_slots, p->num_slots > 1 ? "s" : "");
1150
1151 for (i = 0; i < p->num_slots; i++) {
1152 struct p11_slot *s = &p->slot[i];
1153
1154 _hx509_pi_printf(func, ctx, "slot %d: id: %d name: %s flags: %08x",
1155 i, (int)s->id, s->name, s->flags);
1156
1157 _hx509_pi_printf(func, ctx, "number of supported mechanisms: %lu",
1158 (unsigned long)s->mechs.num);
1159 for (j = 0; j < s->mechs.num; j++) {
1160 const char *mechname = "unknown";
1161 char flags[256], unknownname[40];
1162 #define MECHNAME(s,n) case s: mechname = n; break
1163 switch(s->mechs.list[j]) {
1164 MECHNAME(CKM_RSA_PKCS_KEY_PAIR_GEN, "rsa-pkcs-key-pair-gen");
1165 MECHNAME(CKM_RSA_PKCS, "rsa-pkcs");
1166 MECHNAME(CKM_RSA_X_509, "rsa-x-509");
1167 MECHNAME(CKM_MD5_RSA_PKCS, "md5-rsa-pkcs");
1168 MECHNAME(CKM_SHA1_RSA_PKCS, "sha1-rsa-pkcs");
1169 MECHNAME(CKM_SHA256_RSA_PKCS, "sha256-rsa-pkcs");
1170 MECHNAME(CKM_SHA384_RSA_PKCS, "sha384-rsa-pkcs");
1171 MECHNAME(CKM_SHA512_RSA_PKCS, "sha512-rsa-pkcs");
1172 MECHNAME(CKM_RIPEMD160_RSA_PKCS, "ripemd160-rsa-pkcs");
1173 MECHNAME(CKM_RSA_PKCS_OAEP, "rsa-pkcs-oaep");
1174 MECHNAME(CKM_SHA512_HMAC, "sha512-hmac");
1175 MECHNAME(CKM_SHA512, "sha512");
1176 MECHNAME(CKM_SHA384_HMAC, "sha384-hmac");
1177 MECHNAME(CKM_SHA384, "sha384");
1178 MECHNAME(CKM_SHA256_HMAC, "sha256-hmac");
1179 MECHNAME(CKM_SHA256, "sha256");
1180 MECHNAME(CKM_SHA_1, "sha1");
1181 MECHNAME(CKM_MD5, "md5");
1182 MECHNAME(CKM_RIPEMD160, "ripemd-160");
1183 MECHNAME(CKM_DES_ECB, "des-ecb");
1184 MECHNAME(CKM_DES_CBC, "des-cbc");
1185 MECHNAME(CKM_AES_ECB, "aes-ecb");
1186 MECHNAME(CKM_AES_CBC, "aes-cbc");
1187 MECHNAME(CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen");
1188 default:
1189 snprintf(unknownname, sizeof(unknownname),
1190 "unknown-mech-%lu",
1191 (unsigned long)s->mechs.list[j]);
1192 mechname = unknownname;
1193 break;
1194 }
1195 #undef MECHNAME
1196 unparse_flags(s->mechs.infos[j]->flags, mechflags,
1197 flags, sizeof(flags));
1198
1199 _hx509_pi_printf(func, ctx, " %s: %s", mechname, flags);
1200 }
1201 }
1202
1203 return 0;
1204 }
1205
1206 static struct hx509_keyset_ops keyset_pkcs11 = {
1207 "PKCS11",
1208 0,
1209 p11_init,
1210 NULL,
1211 p11_free,
1212 NULL,
1213 NULL,
1214 p11_iter_start,
1215 p11_iter,
1216 p11_iter_end,
1217 p11_printinfo
1218 };
1219
1220 #endif /* HAVE_DLOPEN */
1221
1222 void
_hx509_ks_pkcs11_register(hx509_context context)1223 _hx509_ks_pkcs11_register(hx509_context context)
1224 {
1225 #ifdef HAVE_DLOPEN
1226 _hx509_ks_register(context, &keyset_pkcs11);
1227 #endif
1228 }
1229