/*
* Copyright (C) 2011-2015 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "pkcs11_public_key.h"
#include "pkcs11.h"
#include "pkcs11_private_key.h"
#include "pkcs11_manager.h"
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <utils/debug.h>
typedef struct private_pkcs11_public_key_t private_pkcs11_public_key_t;
/**
* Private data of an pkcs11_public_key_t object.
*/
struct private_pkcs11_public_key_t {
/**
* Public pkcs11_public_key_t interface.
*/
pkcs11_public_key_t public;
/**
* Type of the key
*/
key_type_t type;
/**
* Key size in bits
*/
size_t k;
/**
* PKCS#11 library this key uses
*/
pkcs11_library_t *lib;
/**
* Slot the token is in
*/
CK_SLOT_ID slot;
/**
* Session we use
*/
CK_SESSION_HANDLE session;
/**
* Object handle to the key
*/
CK_OBJECT_HANDLE object;
/**
* References to this key
*/
refcount_t ref;
};
/**
* Helper function that returns the base point order length in bits of the
* given named curve.
*
* Currently only a subset of defined curves is supported (namely the 5 curves
* over Fp recommended by NIST). IKEv2 only supports 3 out of these.
*
* 0 is returned if the given curve is not supported.
*/
static size_t basepoint_order_len(int oid)
{
switch (oid)
{
case OID_PRIME192V1:
return 192;
case OID_SECT224R1:
return 224;
case OID_PRIME256V1:
return 256;
case OID_SECT384R1:
return 384;
case OID_SECT521R1:
return 521;
default:
return 0;
}
}
/**
* Parses the given ecParameters (ASN.1) and returns the key length.
*/
static bool keylen_from_ecparams(chunk_t ecparams, size_t *keylen)
{
if (!asn1_parse_simple_object(&ecparams, ASN1_OID, 0, "named curve"))
{
return FALSE;
}
*keylen = basepoint_order_len(asn1_known_oid(ecparams));
return *keylen > 0;
}
/**
* ASN.1 definition of a subjectPublicKeyInfo structure when used with ECDSA
* we currently only support named curves.
*/
static const asn1Object_t pkinfoObjects[] = {
{ 0, "subjectPublicKeyInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
{ 1, "algorithmIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
{ 2, "algorithm", ASN1_OID, ASN1_BODY }, /* 2 */
{ 2, "namedCurve", ASN1_OID, ASN1_RAW }, /* 3 */
{ 1, "subjectPublicKey", ASN1_BIT_STRING, ASN1_BODY }, /* 4 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
#define PKINFO_SUBJECT_PUBLIC_KEY_ALGORITHM 2
#define PKINFO_SUBJECT_PUBLIC_KEY_NAMEDCURVE 3
#define PKINFO_SUBJECT_PUBLIC_KEY 4
/**
* Extract the DER encoded Parameters and ECPoint from the given DER encoded
* subjectPublicKeyInfo.
* Memory for ecpoint is allocated.
*/
static bool parse_ecdsa_public_key(chunk_t blob, chunk_t *ecparams,
chunk_t *ecpoint, size_t *keylen)
{
asn1_parser_t *parser;
chunk_t object;
int objectID;
bool success = FALSE;
parser = asn1_parser_create(pkinfoObjects, blob);
while (parser->iterate(parser, &objectID, &object))
{
switch (objectID)
{
case PKINFO_SUBJECT_PUBLIC_KEY_ALGORITHM:
{
if (asn1_known_oid(object) != OID_EC_PUBLICKEY)
{
goto end;
}
break;
}
case PKINFO_SUBJECT_PUBLIC_KEY_NAMEDCURVE:
{
*ecparams = object;
if (!keylen_from_ecparams(object, keylen))
{
goto end;
}
break;
}
case PKINFO_SUBJECT_PUBLIC_KEY:
{
if (object.len > 0 && *object.ptr == 0x00)
{ /* skip initial bit string octet defining 0 unused bits */
object = chunk_skip(object, 1);
}
/* the correct way to encode an EC_POINT in PKCS#11 is as
* ASN.1 octet string */
*ecpoint = asn1_wrap(ASN1_OCTET_STRING, "c", object);
break;
}
}
}
success = parser->success(parser);
end:
parser->destroy(parser);
return success;
}
METHOD(public_key_t, get_type, key_type_t,
private_pkcs11_public_key_t *this)
{
return this->type;
}
METHOD(public_key_t, get_keysize, int,
private_pkcs11_public_key_t *this)
{
return this->k;
}
METHOD(public_key_t, verify, bool,
private_pkcs11_public_key_t *this, signature_scheme_t scheme, void *params,
chunk_t data, chunk_t sig)
{
CK_MECHANISM_PTR mechanism;
CK_SESSION_HANDLE session;
CK_RV rv;
hash_algorithm_t hash_alg;
chunk_t hash = chunk_empty, parse, r, s;
size_t len;
mechanism = pkcs11_signature_scheme_to_mech(this->lib, this->slot, scheme,
this->type, this->k, &hash_alg);
if (!mechanism)
{
DBG1(DBG_LIB, "signature scheme %N not supported",
signature_scheme_names, scheme);
return FALSE;
}
switch (scheme)
{
case SIGN_ECDSA_WITH_SHA1_DER:
case SIGN_ECDSA_WITH_SHA256_DER:
case SIGN_ECDSA_WITH_SHA384_DER:
case SIGN_ECDSA_WITH_SHA512_DER:
/* PKCS#11 expects the ECDSA signatures as simple concatenation of
* r and s, so unwrap the ASN.1 encoded sequence */
parse = sig;
if (asn1_unwrap(&parse, &parse) != ASN1_SEQUENCE ||
asn1_unwrap(&parse, &r) != ASN1_INTEGER ||
asn1_unwrap(&parse, &s) != ASN1_INTEGER)
{
return FALSE;
}
r = chunk_skip_zero(r);
s = chunk_skip_zero(s);
len = (get_keysize(this) + 7) / 8;
if (r.len > len || s.len > len)
{
return FALSE;
}
/* concatenate r and s (forced to the defined length) */
sig = chunk_alloca(2*len);
memset(sig.ptr, 0, sig.len);
memcpy(sig.ptr + (len - r.len), r.ptr, r.len);
memcpy(sig.ptr + len + (len - s.len), s.ptr, s.len);
break;
default:
sig = chunk_skip_zero(sig);
break;
}
rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL,
&session);
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
return FALSE;
}
rv = this->lib->f->C_VerifyInit(session, mechanism, this->object);
if (rv != CKR_OK)
{
this->lib->f->C_CloseSession(session);
DBG1(DBG_LIB, "C_VerifyInit() failed: %N", ck_rv_names, rv);
return FALSE;
}
if (hash_alg != HASH_UNKNOWN)
{
hasher_t *hasher;
hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
if (!hasher || !hasher->allocate_hash(hasher, data, &hash))
{
DESTROY_IF(hasher);
this->lib->f->C_CloseSession(session);
return FALSE;
}
hasher->destroy(hasher);
switch (scheme)
{
case SIGN_RSA_EMSA_PKCS1_SHA1:
case SIGN_RSA_EMSA_PKCS1_SHA2_256:
case SIGN_RSA_EMSA_PKCS1_SHA2_384:
case SIGN_RSA_EMSA_PKCS1_SHA2_512:
/* encode PKCS#1 digestInfo if the token does not support it */
hash = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_algorithmIdentifier(
hasher_algorithm_to_oid(hash_alg)),
asn1_wrap(ASN1_OCTET_STRING, "m", hash));
break;
default:
break;
}
data = hash;
}
rv = this->lib->f->C_Verify(session, data.ptr, data.len, sig.ptr, sig.len);
this->lib->f->C_CloseSession(session);
chunk_free(&hash);
if (rv != CKR_OK)
{
DBG1(DBG_LIB, "C_Verify() failed: %N", ck_rv_names, rv);
return FALSE;
}
return TRUE;
}
METHOD(public_key_t, encrypt, bool,
private_pkcs11_public_key_t *this, encryption_scheme_t scheme,
chunk_t plain, chunk_t *crypt)
{
CK_MECHANISM_PTR mechanism;
CK_SESSION_HANDLE session;
CK_BYTE_PTR buf;
CK_ULONG len;
CK_RV rv;
mechanism = pkcs11_encryption_scheme_to_mech(scheme);
if (!mechanism)
{
DBG1(DBG_LIB, "encryption scheme %N not supported",
encryption_scheme_names, scheme);
return FALSE;
}
rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL,
&session);
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
return FALSE;
}
rv = this->lib->f->C_EncryptInit(session, mechanism, this->object);
if (rv != CKR_OK)
{
this->lib->f->C_CloseSession(session);
DBG1(DBG_LIB, "C_EncryptInit() failed: %N", ck_rv_names, rv);
return FALSE;
}
len = (get_keysize(this) + 7) / 8;
buf = malloc(len);
rv = this->lib->f->C_Encrypt(session, plain.ptr, plain.len, buf, &len);
this->lib->f->C_CloseSession(session);
if (rv != CKR_OK)
{
DBG1(DBG_LIB, "C_Encrypt() failed: %N", ck_rv_names, rv);
free(buf);
return FALSE;
}
*crypt = chunk_create(buf, len);
return TRUE;
}
/**
* Encode ECDSA key using a given encoding type
*/
static bool encode_ecdsa(private_pkcs11_public_key_t *this,
cred_encoding_type_t type, chunk_t *encoding)
{
enumerator_t *enumerator;
bool success = FALSE;
CK_ATTRIBUTE attr[] = {
{CKA_EC_PARAMS, NULL, 0},
{CKA_EC_POINT, NULL, 0},
};
if (type != PUBKEY_SPKI_ASN1_DER && type != PUBKEY_PEM)
{
return FALSE;
}
enumerator = this->lib->create_object_attr_enumerator(this->lib,
this->session, this->object, attr, countof(attr));
if (enumerator && enumerator->enumerate(enumerator, NULL) &&
attr[0].ulValueLen > 0 && attr[1].ulValueLen > 0)
{
chunk_t ecparams, ecpoint;
ecparams = chunk_create(attr[0].pValue, attr[0].ulValueLen);
ecpoint = chunk_create(attr[1].pValue, attr[1].ulValueLen);
/* encode as subjectPublicKeyInfo */
*encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_wrap(ASN1_SEQUENCE, "mc",
asn1_build_known_oid(OID_EC_PUBLICKEY), ecparams),
asn1_bitstring("c", ecpoint));
success = TRUE;
if (type == PUBKEY_PEM)
{
chunk_t asn1 = *encoding;
success = lib->encoding->encode(lib->encoding, PUBKEY_PEM,
NULL, encoding, CRED_PART_ECDSA_PUB_ASN1_DER,
asn1, CRED_PART_END);
chunk_clear(&asn1);
}
}
DESTROY_IF(enumerator);
return success;
}
/**
* Compute fingerprint of an ECDSA key
*/
static bool fingerprint_ecdsa(private_pkcs11_public_key_t *this,
cred_encoding_type_t type, chunk_t *fp)
{
hasher_t *hasher;
chunk_t asn1;
switch (type)
{
case KEYID_PUBKEY_SHA1:
if (!this->lib->get_ck_attribute(this->lib, this->session,
this->object, CKA_EC_POINT, &asn1))
{
return FALSE;
}
break;
case KEYID_PUBKEY_INFO_SHA1:
if (!encode_ecdsa(this, PUBKEY_SPKI_ASN1_DER, &asn1))
{
return FALSE;
}
break;
default:
return FALSE;
}
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (!hasher || !hasher->allocate_hash(hasher, asn1, fp))
{
DESTROY_IF(hasher);
chunk_clear(&asn1);
return FALSE;
}
hasher->destroy(hasher);
chunk_clear(&asn1);
lib->encoding->cache(lib->encoding, type, this, *fp);
return TRUE;
}
/**
* Encode RSA key using a given encoding type
*/
static bool encode_rsa(private_pkcs11_public_key_t *this,
cred_encoding_type_t type, void *cache, chunk_t *encoding)
{
enumerator_t *enumerator;
bool success = FALSE;
CK_ATTRIBUTE attr[] = {
{CKA_MODULUS, NULL, 0},
{CKA_PUBLIC_EXPONENT, NULL, 0},
};
enumerator = this->lib->create_object_attr_enumerator(this->lib,
this->session, this->object, attr, countof(attr));
if (enumerator && enumerator->enumerate(enumerator, NULL) &&
attr[0].ulValueLen > 0 && attr[1].ulValueLen > 0)
{
chunk_t n, e;
/* some tokens/libraries add unnecessary 0x00 prefixes */
n = chunk_skip_zero(chunk_create(attr[0].pValue, attr[0].ulValueLen));
if (n.ptr[0] & 0x80)
{ /* add leading 0x00, encoders might expect it in two's complement */
n = chunk_cata("cc", chunk_from_chars(0x00), n);
}
e = chunk_skip_zero(chunk_create(attr[1].pValue, attr[1].ulValueLen));
if (e.ptr[0] & 0x80)
{
e = chunk_cata("cc", chunk_from_chars(0x00), e);
}
success = lib->encoding->encode(lib->encoding, type, cache, encoding,
CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
}
DESTROY_IF(enumerator);
return success;
}
METHOD(public_key_t, get_encoding, bool,
private_pkcs11_public_key_t *this, cred_encoding_type_t type,
chunk_t *encoding)
{
switch (this->type)
{
case KEY_RSA:
return encode_rsa(this, type, NULL, encoding);
case KEY_ECDSA:
return encode_ecdsa(this, type, encoding);
default:
return FALSE;
}
}
METHOD(public_key_t, get_fingerprint, bool,
private_pkcs11_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
{
if (lib->encoding->get_cache(lib->encoding, type, this, fp))
{
return TRUE;
}
switch (this->type)
{
case KEY_RSA:
return encode_rsa(this, type, this, fp);
case KEY_ECDSA:
return fingerprint_ecdsa(this, type, fp);
default:
return FALSE;
}
}
METHOD(public_key_t, get_ref, public_key_t*,
private_pkcs11_public_key_t *this)
{
ref_get(&this->ref);
return &this->public.key;
}
METHOD(public_key_t, destroy, void,
private_pkcs11_public_key_t *this)
{
if (ref_put(&this->ref))
{
lib->encoding->clear_cache(lib->encoding, this);
this->lib->f->C_CloseSession(this->session);
free(this);
}
}
/**
* Create an empty PKCS#11 public key
*/
static private_pkcs11_public_key_t *create(key_type_t type, size_t k,
pkcs11_library_t *p11, CK_SLOT_ID slot,
CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object)
{
private_pkcs11_public_key_t *this;
INIT(this,
.public = {
.key = {
.get_type = _get_type,
.verify = _verify,
.encrypt = _encrypt,
.equals = public_key_equals,
.get_keysize = _get_keysize,
.get_fingerprint = _get_fingerprint,
.has_fingerprint = public_key_has_fingerprint,
.get_encoding = _get_encoding,
.get_ref = _get_ref,
.destroy = _destroy,
},
},
.type = type,
.k = k,
.lib = p11,
.slot = slot,
.session = session,
.object = object,
.ref = 1,
);
return this;
}
/**
* Find a key object, including PKCS11 library and slot
*/
static private_pkcs11_public_key_t* find_key(key_type_t type, size_t keylen,
CK_ATTRIBUTE_PTR tmpl, int count)
{
private_pkcs11_public_key_t *this = NULL;
pkcs11_manager_t *manager;
enumerator_t *enumerator, *keys;
pkcs11_library_t *p11;
CK_SLOT_ID slot;
manager = lib->get(lib, "pkcs11-manager");
if (!manager)
{
return NULL;
}
enumerator = manager->create_token_enumerator(manager);
while (enumerator->enumerate(enumerator, &p11, &slot))
{
CK_OBJECT_HANDLE object;
CK_SESSION_HANDLE session;
CK_RV rv;
rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
&session);
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
continue;
}
keys = p11->create_object_enumerator(p11, session, tmpl, count,
NULL, 0);
if (keys->enumerate(keys, &object))
{
this = create(type, keylen, p11, slot, session, object);
keys->destroy(keys);
break;
}
keys->destroy(keys);
p11->f->C_CloseSession(session);
}
enumerator->destroy(enumerator);
return this;
}
/**
* Find an RSA key object
*/
static private_pkcs11_public_key_t* find_rsa_key(chunk_t n, chunk_t e,
size_t keylen)
{
CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
CK_KEY_TYPE type = CKK_RSA;
CK_ATTRIBUTE tmpl[] = {
{CKA_CLASS, &class, sizeof(class)},
{CKA_KEY_TYPE, &type, sizeof(type)},
{CKA_MODULUS, n.ptr, n.len},
{CKA_PUBLIC_EXPONENT, e.ptr, e.len},
};
return find_key(KEY_RSA, keylen, tmpl, countof(tmpl));
}
/**
* Find an ECDSA key object
*/
static private_pkcs11_public_key_t* find_ecdsa_key(chunk_t ecparams,
chunk_t ecpoint,
size_t keylen)
{
CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
CK_KEY_TYPE type = CKK_ECDSA;
CK_ATTRIBUTE tmpl[] = {
{CKA_CLASS, &class, sizeof(class)},
{CKA_KEY_TYPE, &type, sizeof(type)},
{CKA_EC_PARAMS, ecparams.ptr, ecparams.len},
{CKA_EC_POINT, ecpoint.ptr, ecpoint.len},
};
return find_key(KEY_ECDSA, keylen, tmpl, countof(tmpl));
}
/**
* Create a key object in a suitable token session
*/
static private_pkcs11_public_key_t* create_key(key_type_t type, size_t keylen,
CK_MECHANISM_TYPE_PTR mechanisms, int mcount,
CK_ATTRIBUTE_PTR tmpl, int count)
{
private_pkcs11_public_key_t *this = NULL;
pkcs11_manager_t *manager;
enumerator_t *enumerator, *mechs;
pkcs11_library_t *p11;
CK_SLOT_ID slot;
manager = lib->get(lib, "pkcs11-manager");
if (!manager)
{
return NULL;
}
enumerator = manager->create_token_enumerator(manager);
while (enumerator->enumerate(enumerator, &p11, &slot))
{
CK_MECHANISM_TYPE mech;
CK_MECHANISM_INFO info;
CK_OBJECT_HANDLE object;
CK_SESSION_HANDLE session;
CK_RV rv;
mechs = p11->create_mechanism_enumerator(p11, slot);
while (mechs->enumerate(mechs, &mech, &info))
{
bool found = FALSE;
int i;
if (!(info.flags & CKF_VERIFY))
{
continue;
}
for (i = 0; i < mcount; i++)
{
if (mechanisms[i] == mech)
{
found = TRUE;
break;
}
}
if (!found)
{
continue;
}
rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
&session);
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "opening PKCS#11 session failed: %N",
ck_rv_names, rv);
continue;
}
rv = p11->f->C_CreateObject(session, tmpl, count, &object);
if (rv == CKR_OK)
{
this = create(type, keylen, p11, slot, session, object);
DBG2(DBG_CFG, "created %N public key on token '%s':%d ",
key_type_names, type, p11->get_name(p11), slot);
}
else
{
DBG1(DBG_CFG, "creating %N public key on token '%s':%d "
"failed: %N", key_type_names, type, p11->get_name(p11),
slot, ck_rv_names, rv);
p11->f->C_CloseSession(session);
}
break;
}
mechs->destroy(mechs);
if (this)
{
break;
}
}
enumerator->destroy(enumerator);
return this;
}
/**
* Create an RSA key object in a suitable token session
*/
static private_pkcs11_public_key_t* create_rsa_key(chunk_t n, chunk_t e,
size_t keylen)
{
CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
CK_KEY_TYPE type = CKK_RSA;
CK_ATTRIBUTE tmpl[] = {
{CKA_CLASS, &class, sizeof(class)},
{CKA_KEY_TYPE, &type, sizeof(type)},
{CKA_MODULUS, n.ptr, n.len},
{CKA_PUBLIC_EXPONENT, e.ptr, e.len},
};
CK_MECHANISM_TYPE mechs[] = {
CKM_RSA_PKCS,
CKM_SHA1_RSA_PKCS,
CKM_SHA256_RSA_PKCS,
CKM_SHA384_RSA_PKCS,
CKM_SHA512_RSA_PKCS,
CKM_MD5_RSA_PKCS,
};
return create_key(KEY_RSA, keylen, mechs, countof(mechs), tmpl,
countof(tmpl));
}
/**
* Create an ECDSA key object in a suitable token session
*/
static private_pkcs11_public_key_t* create_ecdsa_key(chunk_t ecparams,
chunk_t ecpoint,
size_t keylen)
{
CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
CK_KEY_TYPE type = CKK_ECDSA;
CK_ATTRIBUTE tmpl[] = {
{CKA_CLASS, &class, sizeof(class)},
{CKA_KEY_TYPE, &type, sizeof(type)},
{CKA_EC_PARAMS, ecparams.ptr, ecparams.len},
{CKA_EC_POINT, ecpoint.ptr, ecpoint.len},
};
CK_MECHANISM_TYPE mechs[] = {
CKM_ECDSA,
CKM_ECDSA_SHA1,
};
return create_key(KEY_ECDSA, keylen, mechs,
countof(mechs), tmpl, countof(tmpl));
}
/**
* See header
*/
pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args)
{
private_pkcs11_public_key_t *this;
chunk_t n, e, blob;
size_t keylen = 0;
n = e = blob = chunk_empty;
while (TRUE)
{
switch (va_arg(args, builder_part_t))
{
case BUILD_BLOB_ASN1_DER:
blob = va_arg(args, chunk_t);
continue;
case BUILD_RSA_MODULUS:
n = va_arg(args, chunk_t);
continue;
case BUILD_RSA_PUB_EXP:
e = va_arg(args, chunk_t);
continue;
case BUILD_END:
break;
default:
return NULL;
}
break;
}
if (type == KEY_RSA && e.ptr && n.ptr)
{
if (n.len && n.ptr[0] == 0)
{ /* trim leading zero byte in modulus */
n = chunk_skip(n, 1);
}
keylen = n.len * 8;
this = find_rsa_key(n, e, keylen);
if (this)
{
return &this->public;
}
this = create_rsa_key(n, e, keylen);
if (this)
{
return &this->public;
}
}
else if (type == KEY_ECDSA && blob.ptr)
{
chunk_t ecparams, ecpoint;
ecparams = ecpoint = chunk_empty;
if (parse_ecdsa_public_key(blob, &ecparams, &ecpoint, &keylen))
{
this = find_ecdsa_key(ecparams, ecpoint, keylen);
if (!this)
{
this = create_ecdsa_key(ecparams, ecpoint, keylen);
}
chunk_free(&ecpoint);
if (this)
{
return &this->public;
}
}
}
return NULL;
}
static private_pkcs11_public_key_t *find_key_by_keyid(pkcs11_library_t *p11,
int slot, key_type_t key_type,
chunk_t keyid)
{
CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
CK_KEY_TYPE type;
CK_ATTRIBUTE tmpl[] = {
{CKA_CLASS, &class, sizeof(class)},
{CKA_ID, keyid.ptr, keyid.len},
{CKA_KEY_TYPE, &type, sizeof(type)},
};
CK_OBJECT_HANDLE object;
CK_ATTRIBUTE attr[] = {
{CKA_KEY_TYPE, &type, sizeof(type)},
};
CK_SESSION_HANDLE session;
CK_RV rv;
enumerator_t *enumerator;
int count = countof(tmpl);
bool found = FALSE;
size_t keylen;
switch (key_type)
{
case KEY_RSA:
type = CKK_RSA;
break;
case KEY_ECDSA:
type = CKK_ECDSA;
break;
default:
/* don't specify key type on KEY_ANY */
count--;
break;
}
rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL, &session);
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "opening public key session on '%s':%d failed: %N",
p11->get_name(p11), slot, ck_rv_names, rv);
return NULL;
}
enumerator = p11->create_object_enumerator(p11, session, tmpl, count, attr,
countof(attr));
if (enumerator->enumerate(enumerator, &object))
{
switch (type)
{
case CKK_ECDSA:
{
chunk_t ecparams;
if (p11->get_ck_attribute(p11, session, object, CKA_EC_PARAMS,
&ecparams) &&
keylen_from_ecparams(ecparams, &keylen))
{
chunk_free(&ecparams);
key_type = KEY_ECDSA;
found = TRUE;
}
break;
}
case CKK_RSA:
{
chunk_t n;
if (p11->get_ck_attribute(p11, session, object, CKA_MODULUS,
&n) && n.len > 0)
{
keylen = n.len * 8;
chunk_free(&n);
key_type = KEY_RSA;
found = TRUE;
}
break;
}
default:
DBG1(DBG_CFG, "PKCS#11 key type %d not supported", type);
break;
}
}
enumerator->destroy(enumerator);
if (found)
{
return create(key_type, keylen, p11, slot, session, object);
}
p11->f->C_CloseSession(session);
return NULL;
}
/**
* See header.
*/
public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11, int slot,
key_type_t type, chunk_t keyid)
{
private_pkcs11_public_key_t *this;
this = find_key_by_keyid(p11, slot, type, keyid);
if (!this)
{
return NULL;
}
return &this->public.key;
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to pkcs11_public_key.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / plugins / pkcs11