2010-08-06 15:02:41 +00:00
|
|
|
/*
|
2011-11-02 16:24:37 +00:00
|
|
|
* Copyright (C) 2011 Tobias Brunner
|
|
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
|
*
|
2010-08-06 15:02:41 +00:00
|
|
|
* Copyright (C) 2010 Martin Willi
|
|
|
|
|
* Copyright (C) 2010 revosec AG
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
|
* for more details.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "pkcs11_public_key.h"
|
|
|
|
|
|
|
|
|
|
#include "pkcs11.h"
|
|
|
|
|
#include "pkcs11_private_key.h"
|
|
|
|
|
#include "pkcs11_manager.h"
|
|
|
|
|
|
|
|
|
|
#include <debug.h>
|
|
|
|
|
|
|
|
|
|
typedef struct private_pkcs11_public_key_t private_pkcs11_public_key_t;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Private data of an pkcs11_public_key_t object.
|
|
|
|
|
*/
|
|
|
|
|
struct private_pkcs11_public_key_t {
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Public pkcs11_public_key_t interface.
|
|
|
|
|
*/
|
|
|
|
|
pkcs11_public_key_t public;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Type of the key
|
|
|
|
|
*/
|
|
|
|
|
key_type_t type;
|
|
|
|
|
|
|
|
|
|
/**
|
2011-11-02 17:48:51 +00:00
|
|
|
* Key size in bits
|
2010-08-06 15:02:41 +00:00
|
|
|
*/
|
|
|
|
|
size_t k;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* PKCS#11 library this key uses
|
|
|
|
|
*/
|
|
|
|
|
pkcs11_library_t *lib;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Slot the token is in
|
|
|
|
|
*/
|
|
|
|
|
CK_SLOT_ID slot;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Session we use
|
|
|
|
|
*/
|
|
|
|
|
CK_SESSION_HANDLE session;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Object handle to the key
|
|
|
|
|
*/
|
|
|
|
|
CK_OBJECT_HANDLE object;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* References to this key
|
|
|
|
|
*/
|
|
|
|
|
refcount_t ref;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
METHOD(public_key_t, get_type, key_type_t,
|
|
|
|
|
private_pkcs11_public_key_t *this)
|
|
|
|
|
{
|
|
|
|
|
return this->type;
|
|
|
|
|
}
|
|
|
|
|
|
2010-08-11 10:12:37 +00:00
|
|
|
METHOD(public_key_t, get_keysize, int,
|
|
|
|
|
private_pkcs11_public_key_t *this)
|
|
|
|
|
{
|
2011-11-02 17:48:51 +00:00
|
|
|
return this->k;
|
2010-08-11 10:12:37 +00:00
|
|
|
}
|
|
|
|
|
|
2010-08-06 15:02:41 +00:00
|
|
|
METHOD(public_key_t, verify, bool,
|
|
|
|
|
private_pkcs11_public_key_t *this, signature_scheme_t scheme,
|
|
|
|
|
chunk_t data, chunk_t sig)
|
|
|
|
|
{
|
|
|
|
|
CK_MECHANISM_PTR mechanism;
|
2011-11-02 16:24:37 +00:00
|
|
|
CK_SESSION_HANDLE session;
|
2010-08-06 15:02:41 +00:00
|
|
|
CK_RV rv;
|
|
|
|
|
|
2010-08-11 10:12:37 +00:00
|
|
|
mechanism = pkcs11_signature_scheme_to_mech(scheme);
|
2010-08-06 15:02:41 +00:00
|
|
|
if (!mechanism)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_LIB, "signature scheme %N not supported",
|
|
|
|
|
signature_scheme_names, scheme);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2010-08-06 15:32:32 +00:00
|
|
|
if (sig.len && sig.ptr[0] == 0)
|
|
|
|
|
{ /* trim leading zero byte in sig */
|
|
|
|
|
sig = chunk_skip(sig, 1);
|
|
|
|
|
}
|
2011-11-02 16:24:37 +00:00
|
|
|
rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL,
|
|
|
|
|
&session);
|
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
rv = this->lib->f->C_VerifyInit(session, mechanism, this->object);
|
2010-08-06 15:02:41 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
|
{
|
2011-11-02 16:24:37 +00:00
|
|
|
this->lib->f->C_CloseSession(session);
|
2010-08-06 15:02:41 +00:00
|
|
|
DBG1(DBG_LIB, "C_VerifyInit() failed: %N", ck_rv_names, rv);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2011-11-02 16:24:37 +00:00
|
|
|
rv = this->lib->f->C_Verify(session, data.ptr, data.len, sig.ptr, sig.len);
|
|
|
|
|
this->lib->f->C_CloseSession(session);
|
2010-08-06 15:02:41 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_LIB, "C_Verify() failed: %N", ck_rv_names, rv);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
METHOD(public_key_t, encrypt, bool,
|
2010-08-10 12:38:44 +00:00
|
|
|
private_pkcs11_public_key_t *this, encryption_scheme_t scheme,
|
2010-08-11 10:12:37 +00:00
|
|
|
chunk_t plain, chunk_t *crypt)
|
2010-08-06 15:02:41 +00:00
|
|
|
{
|
2010-08-11 10:12:37 +00:00
|
|
|
CK_MECHANISM_PTR mechanism;
|
2011-11-02 16:24:37 +00:00
|
|
|
CK_SESSION_HANDLE session;
|
2010-08-11 10:12:37 +00:00
|
|
|
CK_BYTE_PTR buf;
|
|
|
|
|
CK_ULONG len;
|
|
|
|
|
CK_RV rv;
|
2010-08-06 15:02:41 +00:00
|
|
|
|
2010-08-11 10:12:37 +00:00
|
|
|
mechanism = pkcs11_encryption_scheme_to_mech(scheme);
|
|
|
|
|
if (!mechanism)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_LIB, "encryption scheme %N not supported",
|
|
|
|
|
encryption_scheme_names, scheme);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2011-11-02 16:24:37 +00:00
|
|
|
rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL,
|
|
|
|
|
&session);
|
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
rv = this->lib->f->C_EncryptInit(session, mechanism, this->object);
|
2010-08-11 10:12:37 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
|
{
|
2011-11-02 16:24:37 +00:00
|
|
|
this->lib->f->C_CloseSession(session);
|
2010-08-11 10:12:37 +00:00
|
|
|
DBG1(DBG_LIB, "C_EncryptInit() failed: %N", ck_rv_names, rv);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
len = (get_keysize(this) + 7) / 8;
|
|
|
|
|
buf = malloc(len);
|
2011-11-02 16:24:37 +00:00
|
|
|
rv = this->lib->f->C_Encrypt(session, plain.ptr, plain.len, buf, &len);
|
|
|
|
|
this->lib->f->C_CloseSession(session);
|
2010-08-11 10:12:37 +00:00
|
|
|
if (rv != CKR_OK)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_LIB, "C_Encrypt() failed: %N", ck_rv_names, rv);
|
|
|
|
|
free(buf);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
*crypt = chunk_create(buf, len);
|
|
|
|
|
return TRUE;
|
2010-08-06 15:02:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Encode RSA key using a given encoding type
|
|
|
|
|
*/
|
|
|
|
|
static bool encode_rsa(private_pkcs11_public_key_t *this,
|
|
|
|
|
cred_encoding_type_t type, void *cache, chunk_t *encoding)
|
|
|
|
|
{
|
2011-11-02 17:38:52 +00:00
|
|
|
enumerator_t *enumerator;
|
2010-08-06 15:02:41 +00:00
|
|
|
bool success = FALSE;
|
|
|
|
|
CK_ATTRIBUTE attr[] = {
|
|
|
|
|
{CKA_MODULUS, NULL, 0},
|
|
|
|
|
{CKA_PUBLIC_EXPONENT, NULL, 0},
|
|
|
|
|
};
|
|
|
|
|
|
2011-11-02 17:38:52 +00:00
|
|
|
enumerator = this->lib->create_object_attr_enumerator(this->lib,
|
|
|
|
|
this->session, this->object, attr, countof(attr));
|
|
|
|
|
if (enumerator && enumerator->enumerate(enumerator, NULL) &&
|
|
|
|
|
attr[0].ulValueLen > 0 && attr[1].ulValueLen > 0)
|
2010-08-06 15:02:41 +00:00
|
|
|
{
|
2011-11-02 17:38:52 +00:00
|
|
|
chunk_t n, e;
|
2010-08-06 15:02:41 +00:00
|
|
|
n = chunk_create(attr[0].pValue, attr[0].ulValueLen);
|
2011-11-02 17:43:27 +00:00
|
|
|
if (n.ptr[0] & 0x80)
|
|
|
|
|
{ /* add leading 0x00, encoders expect it already like this */
|
|
|
|
|
n = chunk_cata("cc", chunk_from_chars(0x00), n);
|
|
|
|
|
}
|
2010-08-06 15:02:41 +00:00
|
|
|
e = chunk_create(attr[1].pValue, attr[1].ulValueLen);
|
|
|
|
|
success = lib->encoding->encode(lib->encoding, type, cache, encoding,
|
|
|
|
|
CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
|
|
|
|
|
}
|
2011-11-02 17:38:52 +00:00
|
|
|
DESTROY_IF(enumerator);
|
2010-08-06 15:02:41 +00:00
|
|
|
return success;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
METHOD(public_key_t, get_encoding, bool,
|
|
|
|
|
private_pkcs11_public_key_t *this, cred_encoding_type_t type,
|
|
|
|
|
chunk_t *encoding)
|
|
|
|
|
{
|
|
|
|
|
switch (this->type)
|
|
|
|
|
{
|
|
|
|
|
case KEY_RSA:
|
|
|
|
|
return encode_rsa(this, type, NULL, encoding);
|
|
|
|
|
default:
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
METHOD(public_key_t, get_fingerprint, bool,
|
|
|
|
|
private_pkcs11_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
|
|
|
|
|
{
|
|
|
|
|
if (lib->encoding->get_cache(lib->encoding, type, this, fp))
|
|
|
|
|
{
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
switch (this->type)
|
|
|
|
|
{
|
|
|
|
|
case KEY_RSA:
|
|
|
|
|
return encode_rsa(this, type, this, fp);
|
|
|
|
|
default:
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
METHOD(public_key_t, get_ref, public_key_t*,
|
|
|
|
|
private_pkcs11_public_key_t *this)
|
|
|
|
|
{
|
|
|
|
|
ref_get(&this->ref);
|
|
|
|
|
return &this->public.key;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
METHOD(public_key_t, destroy, void,
|
|
|
|
|
private_pkcs11_public_key_t *this)
|
|
|
|
|
{
|
|
|
|
|
if (ref_put(&this->ref))
|
|
|
|
|
{
|
|
|
|
|
lib->encoding->clear_cache(lib->encoding, this);
|
|
|
|
|
this->lib->f->C_CloseSession(this->session);
|
|
|
|
|
free(this);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Create an empty PKCS#11 public key
|
|
|
|
|
*/
|
|
|
|
|
static private_pkcs11_public_key_t *create(key_type_t type, size_t k,
|
|
|
|
|
pkcs11_library_t *p11, CK_SLOT_ID slot,
|
|
|
|
|
CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object)
|
|
|
|
|
{
|
|
|
|
|
private_pkcs11_public_key_t *this;
|
|
|
|
|
|
|
|
|
|
INIT(this,
|
|
|
|
|
.public = {
|
|
|
|
|
.key = {
|
|
|
|
|
.get_type = _get_type,
|
|
|
|
|
.verify = _verify,
|
|
|
|
|
.encrypt = _encrypt,
|
|
|
|
|
.equals = public_key_equals,
|
|
|
|
|
.get_keysize = _get_keysize,
|
|
|
|
|
.get_fingerprint = _get_fingerprint,
|
|
|
|
|
.has_fingerprint = public_key_has_fingerprint,
|
|
|
|
|
.get_encoding = _get_encoding,
|
|
|
|
|
.get_ref = _get_ref,
|
|
|
|
|
.destroy = _destroy,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
.type = type,
|
2011-11-02 17:57:57 +00:00
|
|
|
.k = k,
|
2010-08-06 15:02:41 +00:00
|
|
|
.lib = p11,
|
|
|
|
|
.slot = slot,
|
|
|
|
|
.session = session,
|
|
|
|
|
.object = object,
|
2010-08-06 15:32:32 +00:00
|
|
|
.ref = 1,
|
2010-08-06 15:02:41 +00:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
return this;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Find a key object, including PKCS11 library and slot
|
|
|
|
|
*/
|
2011-11-02 17:57:57 +00:00
|
|
|
static private_pkcs11_public_key_t* find_key(key_type_t type, size_t keylen,
|
|
|
|
|
CK_ATTRIBUTE_PTR tmpl, int count)
|
2010-08-06 15:02:41 +00:00
|
|
|
{
|
|
|
|
|
private_pkcs11_public_key_t *this = NULL;
|
|
|
|
|
pkcs11_manager_t *manager;
|
|
|
|
|
enumerator_t *enumerator, *keys;
|
|
|
|
|
pkcs11_library_t *p11;
|
|
|
|
|
CK_SLOT_ID slot;
|
|
|
|
|
|
2011-08-24 13:45:59 +00:00
|
|
|
manager = lib->get(lib, "pkcs11-manager");
|
2010-08-06 15:02:41 +00:00
|
|
|
if (!manager)
|
|
|
|
|
{
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
enumerator = manager->create_token_enumerator(manager);
|
|
|
|
|
while (enumerator->enumerate(enumerator, &p11, &slot))
|
|
|
|
|
{
|
|
|
|
|
CK_OBJECT_HANDLE object;
|
|
|
|
|
CK_SESSION_HANDLE session;
|
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
|
|
rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
|
|
|
|
|
&session);
|
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2011-11-02 17:57:57 +00:00
|
|
|
keys = p11->create_object_enumerator(p11, session, tmpl, count,
|
|
|
|
|
NULL, 0);
|
2010-08-06 15:02:41 +00:00
|
|
|
if (keys->enumerate(keys, &object))
|
|
|
|
|
{
|
2011-11-02 17:57:57 +00:00
|
|
|
this = create(type, keylen, p11, slot, session, object);
|
2010-08-06 15:02:41 +00:00
|
|
|
keys->destroy(keys);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
keys->destroy(keys);
|
|
|
|
|
p11->f->C_CloseSession(session);
|
|
|
|
|
}
|
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
|
return this;
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-02 17:57:57 +00:00
|
|
|
/**
|
|
|
|
|
* Find an RSA key object
|
|
|
|
|
*/
|
|
|
|
|
static private_pkcs11_public_key_t* find_rsa_key(chunk_t n, chunk_t e,
|
|
|
|
|
size_t keylen)
|
|
|
|
|
{
|
|
|
|
|
CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
|
|
|
|
|
CK_KEY_TYPE type = CKK_RSA;
|
|
|
|
|
CK_ATTRIBUTE tmpl[] = {
|
|
|
|
|
{CKA_CLASS, &class, sizeof(class)},
|
|
|
|
|
{CKA_KEY_TYPE, &type, sizeof(type)},
|
|
|
|
|
{CKA_MODULUS, n.ptr, n.len},
|
|
|
|
|
{CKA_PUBLIC_EXPONENT, e.ptr, e.len},
|
|
|
|
|
};
|
|
|
|
|
return find_key(KEY_RSA, keylen, tmpl, countof(tmpl));
|
|
|
|
|
}
|
|
|
|
|
|
2010-08-06 15:32:32 +00:00
|
|
|
/**
|
|
|
|
|
* Create a key object in a suitable token session
|
|
|
|
|
*/
|
2011-11-02 17:57:57 +00:00
|
|
|
static private_pkcs11_public_key_t* create_key(key_type_t type, size_t keylen,
|
|
|
|
|
CK_MECHANISM_TYPE_PTR mechanisms, int mcount,
|
|
|
|
|
CK_ATTRIBUTE_PTR tmpl, int count)
|
2010-08-06 15:32:32 +00:00
|
|
|
{
|
|
|
|
|
private_pkcs11_public_key_t *this = NULL;
|
|
|
|
|
pkcs11_manager_t *manager;
|
|
|
|
|
enumerator_t *enumerator, *mechs;
|
|
|
|
|
pkcs11_library_t *p11;
|
|
|
|
|
CK_SLOT_ID slot;
|
|
|
|
|
|
2011-08-24 13:45:59 +00:00
|
|
|
manager = lib->get(lib, "pkcs11-manager");
|
2010-08-06 15:32:32 +00:00
|
|
|
if (!manager)
|
|
|
|
|
{
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
enumerator = manager->create_token_enumerator(manager);
|
|
|
|
|
while (enumerator->enumerate(enumerator, &p11, &slot))
|
|
|
|
|
{
|
|
|
|
|
CK_MECHANISM_TYPE mech;
|
|
|
|
|
CK_MECHANISM_INFO info;
|
|
|
|
|
CK_OBJECT_HANDLE object;
|
|
|
|
|
CK_SESSION_HANDLE session;
|
|
|
|
|
CK_RV rv;
|
|
|
|
|
|
|
|
|
|
mechs = p11->create_mechanism_enumerator(p11, slot);
|
|
|
|
|
while (mechs->enumerate(mechs, &mech, &info))
|
|
|
|
|
{
|
2011-11-02 17:57:57 +00:00
|
|
|
bool found = FALSE;
|
|
|
|
|
int i;
|
2010-08-06 15:32:32 +00:00
|
|
|
if (!(info.flags & CKF_VERIFY))
|
|
|
|
|
{
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2011-11-02 17:57:57 +00:00
|
|
|
for (i = 0; i < mcount; i++)
|
2010-08-06 15:32:32 +00:00
|
|
|
{
|
2011-11-02 17:57:57 +00:00
|
|
|
if (mechanisms[i] == mech)
|
|
|
|
|
{
|
|
|
|
|
found = TRUE;
|
2010-08-06 15:32:32 +00:00
|
|
|
break;
|
2011-11-02 17:57:57 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!found)
|
|
|
|
|
{
|
|
|
|
|
continue;
|
2010-08-06 15:32:32 +00:00
|
|
|
}
|
|
|
|
|
rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
|
|
|
|
|
&session);
|
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_CFG, "opening PKCS#11 session failed: %N",
|
|
|
|
|
ck_rv_names, rv);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2011-11-02 17:57:57 +00:00
|
|
|
rv = p11->f->C_CreateObject(session, tmpl, count, &object);
|
2010-08-06 15:32:32 +00:00
|
|
|
if (rv == CKR_OK)
|
|
|
|
|
{
|
2011-11-02 17:57:57 +00:00
|
|
|
this = create(type, keylen, p11, slot, session, object);
|
|
|
|
|
DBG2(DBG_CFG, "created %N public key on token '%s':%d ",
|
|
|
|
|
key_type_names, type, p11->get_name(p11), slot);
|
2010-08-06 15:32:32 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2011-11-02 17:57:57 +00:00
|
|
|
DBG1(DBG_CFG, "creating %N public key on token '%s':%d "
|
|
|
|
|
"failed: %N", key_type_names, type, p11->get_name(p11),
|
|
|
|
|
slot, ck_rv_names, rv);
|
2010-08-06 15:32:32 +00:00
|
|
|
p11->f->C_CloseSession(session);
|
|
|
|
|
}
|
2011-11-02 17:57:57 +00:00
|
|
|
break;
|
2010-08-06 15:32:32 +00:00
|
|
|
}
|
|
|
|
|
mechs->destroy(mechs);
|
|
|
|
|
if (this)
|
|
|
|
|
{
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
|
return this;
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-02 17:57:57 +00:00
|
|
|
/**
|
|
|
|
|
* Create an RSA key object in a suitable token session
|
|
|
|
|
*/
|
|
|
|
|
static private_pkcs11_public_key_t* create_rsa_key(chunk_t n, chunk_t e,
|
|
|
|
|
size_t keylen)
|
|
|
|
|
{
|
|
|
|
|
CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
|
|
|
|
|
CK_KEY_TYPE type = CKK_RSA;
|
|
|
|
|
CK_ATTRIBUTE tmpl[] = {
|
|
|
|
|
{CKA_CLASS, &class, sizeof(class)},
|
|
|
|
|
{CKA_KEY_TYPE, &type, sizeof(type)},
|
|
|
|
|
{CKA_MODULUS, n.ptr, n.len},
|
|
|
|
|
{CKA_PUBLIC_EXPONENT, e.ptr, e.len},
|
|
|
|
|
};
|
|
|
|
|
CK_MECHANISM_TYPE mechs[] = {
|
|
|
|
|
CKM_RSA_PKCS,
|
|
|
|
|
CKM_SHA1_RSA_PKCS,
|
|
|
|
|
CKM_SHA256_RSA_PKCS,
|
|
|
|
|
CKM_SHA384_RSA_PKCS,
|
|
|
|
|
CKM_SHA512_RSA_PKCS,
|
|
|
|
|
CKM_MD5_RSA_PKCS,
|
|
|
|
|
};
|
|
|
|
|
return create_key(KEY_RSA, keylen, mechs, countof(mechs), tmpl,
|
|
|
|
|
countof(tmpl));
|
|
|
|
|
}
|
|
|
|
|
|
2010-08-06 15:02:41 +00:00
|
|
|
/**
|
|
|
|
|
* See header
|
|
|
|
|
*/
|
|
|
|
|
pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args)
|
|
|
|
|
{
|
|
|
|
|
private_pkcs11_public_key_t *this;
|
|
|
|
|
chunk_t n, e;
|
2011-11-02 17:57:57 +00:00
|
|
|
size_t keylen;
|
2010-08-06 15:02:41 +00:00
|
|
|
|
|
|
|
|
n = e = chunk_empty;
|
|
|
|
|
while (TRUE)
|
|
|
|
|
{
|
|
|
|
|
switch (va_arg(args, builder_part_t))
|
|
|
|
|
{
|
|
|
|
|
case BUILD_RSA_MODULUS:
|
|
|
|
|
n = va_arg(args, chunk_t);
|
|
|
|
|
continue;
|
|
|
|
|
case BUILD_RSA_PUB_EXP:
|
|
|
|
|
e = va_arg(args, chunk_t);
|
|
|
|
|
continue;
|
|
|
|
|
case BUILD_END:
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (type == KEY_RSA && e.ptr && n.ptr)
|
|
|
|
|
{
|
2010-08-06 15:32:32 +00:00
|
|
|
if (n.len && n.ptr[0] == 0)
|
|
|
|
|
{ /* trim leading zero byte in modulus */
|
|
|
|
|
n = chunk_skip(n, 1);
|
|
|
|
|
}
|
2011-11-02 17:57:57 +00:00
|
|
|
keylen = n.len * 8;
|
|
|
|
|
this = find_rsa_key(n, e, keylen);
|
2010-08-06 15:02:41 +00:00
|
|
|
if (this)
|
|
|
|
|
{
|
|
|
|
|
return &this->public;
|
|
|
|
|
}
|
2011-11-02 17:57:57 +00:00
|
|
|
this = create_rsa_key(n, e, keylen);
|
2010-08-06 15:32:32 +00:00
|
|
|
if (this)
|
|
|
|
|
{
|
|
|
|
|
return &this->public;
|
|
|
|
|
}
|
2010-08-06 15:02:41 +00:00
|
|
|
}
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
