/** * gnutls_pkcs11_privkey_status: * @key: Holds the key * * Checks the status of the private key token. * * Returns: this function will return non-zero if the token * holding the private key is still available (inserted), and zero otherwise. * * Since: 3.1.9 * **/ int gnutls_pkcs11_privkey_status(gnutls_pkcs11_privkey_t key) { ck_rv_t rv; int ret; struct pkcs11_session_info _sinfo; struct pkcs11_session_info *sinfo; ck_object_handle_t obj; struct ck_session_info session_info; PKCS11_CHECK_INIT; if (key->sinfo.init != 0) { sinfo = &key->sinfo; obj = key->obj; } else { sinfo = &_sinfo; memset(sinfo, 0, sizeof(*sinfo)); FIND_OBJECT(sinfo, &key->pin, obj, key); } rv = (sinfo->module)->C_GetSessionInfo(sinfo->pks, &session_info); if (rv != CKR_OK) { ret = 0; goto cleanup; } ret = 1; cleanup: if (sinfo != &key->sinfo) pkcs11_close_session(sinfo); return ret; }
/* callback function to be passed in _gnutls_pkcs11_check_init(). * It is run, only when a fork has been detected, and data have * been re-initialized. In that case we reset the session and re-open * the object. */ static int reopen_privkey_session(void * _privkey) { int ret; gnutls_pkcs11_privkey_t privkey = _privkey; memset(&privkey->sinfo, 0, sizeof(privkey->sinfo)); privkey->ref = 0; FIND_OBJECT(privkey); return 0; }
/** * gnutls_pkcs11_privkey_import_url: * @pkey: The private key * @url: a PKCS 11 url identifying the key * @flags: Or sequence of GNUTLS_PKCS11_OBJ_* flags * * This function will "import" a PKCS 11 URL identifying a private * key to the #gnutls_pkcs11_privkey_t type. In reality since * in most cases keys cannot be exported, the private key structure * is being associated with the available operations on the token. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ int gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey, const char *url, unsigned int flags) { int ret; struct ck_attribute *attr; struct ck_attribute a[4]; ck_key_type_t key_type; ck_bool_t reauth = 0; PKCS11_CHECK_INIT; memset(&pkey->sinfo, 0, sizeof(pkey->sinfo)); if (pkey->url) { gnutls_free(pkey->url); pkey->url = NULL; } if (pkey->uinfo) { p11_kit_uri_free(pkey->uinfo); pkey->uinfo = NULL; } pkey->url = gnutls_strdup(url); if (pkey->url == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ret = pkcs11_url_to_info(pkey->url, &pkey->uinfo, flags|GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PRIVKEY); if (ret < 0) { gnutls_assert(); goto cleanup; } pkey->flags = flags; attr = p11_kit_uri_get_attribute(pkey->uinfo, CKA_CLASS); if (!attr || attr->value_len != sizeof(ck_object_class_t) || *(ck_object_class_t *) attr->value != CKO_PRIVATE_KEY) { gnutls_assert(); ret = GNUTLS_E_INVALID_REQUEST; goto cleanup; } attr = p11_kit_uri_get_attribute(pkey->uinfo, CKA_ID); if (!attr) { attr = p11_kit_uri_get_attribute(pkey->uinfo, CKA_LABEL); if (!attr) { gnutls_assert(); ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; goto cleanup; } } FIND_OBJECT(pkey); pkey->pk_algorithm = GNUTLS_PK_UNKNOWN; a[0].type = CKA_KEY_TYPE; a[0].value = &key_type; a[0].value_len = sizeof(key_type); if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, a, 1) == CKR_OK) { pkey->pk_algorithm = key_type_to_pk(key_type); } if (pkey->pk_algorithm == GNUTLS_PK_UNKNOWN) { _gnutls_debug_log ("Cannot determine PKCS #11 key algorithm\n"); ret = GNUTLS_E_UNKNOWN_ALGORITHM; goto cleanup; } a[0].type = CKA_ALWAYS_AUTHENTICATE; a[0].value = &reauth; a[0].value_len = sizeof(reauth); if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, a, 1) == CKR_OK) { pkey->reauth = reauth; } ret = 0; return ret; cleanup: if (pkey->uinfo != NULL) { p11_kit_uri_free(pkey->uinfo); pkey->uinfo = NULL; } gnutls_free(pkey->url); pkey->url = NULL; return ret; }
/*- * _gnutls_pkcs11_privkey_decrypt_data: * @key: Holds the key * @flags: should be 0 for now * @ciphertext: holds the data to be signed * @plaintext: will contain the plaintext, allocated with gnutls_malloc() * * This function will decrypt the given data using the public key algorithm * supported by the private key. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. -*/ int _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key, unsigned int flags, const gnutls_datum_t * ciphertext, gnutls_datum_t * plaintext) { ck_rv_t rv; int ret; struct ck_mechanism mech; unsigned long siglen; ck_object_handle_t obj; struct pkcs11_session_info _sinfo; struct pkcs11_session_info *sinfo; PKCS11_CHECK_INIT; if (key->sinfo.init != 0) { sinfo = &key->sinfo; obj = key->obj; } else { sinfo = &_sinfo; memset(sinfo, 0, sizeof(*sinfo)); FIND_OBJECT(sinfo, &key->pin, obj, key); } if (key->pk_algorithm != GNUTLS_PK_RSA) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); mech.mechanism = CKM_RSA_PKCS; mech.parameter = NULL; mech.parameter_len = 0; /* Initialize signing operation; using the private key discovered * earlier. */ rv = pkcs11_decrypt_init(sinfo->module, sinfo->pks, &mech, obj); if (rv != CKR_OK) { gnutls_assert(); ret = pkcs11_rv_to_err(rv); goto cleanup; } /* Work out how long the plaintext must be: */ rv = pkcs11_decrypt(sinfo->module, sinfo->pks, ciphertext->data, ciphertext->size, NULL, &siglen); if (rv != CKR_OK) { gnutls_assert(); ret = pkcs11_rv_to_err(rv); goto cleanup; } plaintext->data = gnutls_malloc(siglen); plaintext->size = siglen; rv = pkcs11_decrypt(sinfo->module, sinfo->pks, ciphertext->data, ciphertext->size, plaintext->data, &siglen); if (rv != CKR_OK) { gnutls_free(plaintext->data); gnutls_assert(); ret = pkcs11_rv_to_err(rv); goto cleanup; } plaintext->size = siglen; ret = 0; cleanup: if (key->sinfo.init == 0) pkcs11_close_session(sinfo); return ret; }
/** * gnutls_pkcs11_privkey_import_url: * @pkey: The structure to store the parsed key * @url: a PKCS 11 url identifying the key * @flags: sequence of GNUTLS_PKCS_PRIVKEY_* * * This function will "import" a PKCS 11 URL identifying a private * key to the #gnutls_pkcs11_privkey_t structure. In reality since * in most cases keys cannot be exported, the private key structure * is being associated with the available operations on the token. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ int gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey, const char *url, unsigned int flags) { int ret; struct ck_attribute *attr; ck_object_handle_t obj; struct ck_attribute a[4]; ck_key_type_t key_type; struct pkcs11_session_info sinfo; PKCS11_CHECK_INIT; memset(&sinfo, 0, sizeof(sinfo)); ret = pkcs11_url_to_info(url, &pkey->info); if (ret < 0) { gnutls_assert(); return ret; } pkey->flags = flags; attr = p11_kit_uri_get_attribute(pkey->info, CKA_CLASS); if (!attr || attr->value_len != sizeof(ck_object_class_t) || *(ck_object_class_t *) attr->value != CKO_PRIVATE_KEY) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } attr = p11_kit_uri_get_attribute(pkey->info, CKA_ID); if (!attr || !attr->value_len) { attr = p11_kit_uri_get_attribute(pkey->info, CKA_LABEL); if (!attr || !attr->value_len) { gnutls_assert(); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } } FIND_OBJECT(&sinfo, &pkey->pin, obj, pkey); a[0].type = CKA_KEY_TYPE; a[0].value = &key_type; a[0].value_len = sizeof(key_type); if (pkcs11_get_attribute_value(sinfo.module, sinfo.pks, obj, a, 1) == CKR_OK) { pkey->pk_algorithm = mech_to_pk(key_type); if (pkey->pk_algorithm == GNUTLS_PK_UNKNOWN) { _gnutls_debug_log ("Cannot determine PKCS #11 key algorithm\n"); ret = GNUTLS_E_UNKNOWN_ALGORITHM; goto cleanup; } } ret = 0; if (pkey->sinfo.init) pkcs11_close_session(&pkey->sinfo); if (sinfo.tinfo.max_session_count != 1) { /* We do not keep the session open in tokens that can * only support a single session. */ memcpy(&pkey->sinfo, &sinfo, sizeof(pkey->sinfo)); pkey->obj = obj; return ret; } cleanup: pkcs11_close_session(&sinfo); return ret; }
/*- * _gnutls_pkcs11_privkey_sign_hash: * @key: Holds the key * @hash: holds the data to be signed (should be output of a hash) * @signature: will contain the signature allocated with gnutls_malloc() * * This function will sign the given data using a signature algorithm * supported by the private key. It is assumed that the given data * are the output of a hash function. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. -*/ int _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key, const gnutls_datum_t * hash, gnutls_datum_t * signature) { ck_rv_t rv; int ret; struct ck_mechanism mech; gnutls_datum_t tmp = { NULL, 0 }; unsigned long siglen; struct pkcs11_session_info _sinfo; struct pkcs11_session_info *sinfo; ck_object_handle_t obj; PKCS11_CHECK_INIT; if (key->sinfo.init != 0) { sinfo = &key->sinfo; obj = key->obj; } else { sinfo = &_sinfo; memset(sinfo, 0, sizeof(*sinfo)); FIND_OBJECT(sinfo, &key->pin, obj, key); } mech.mechanism = pk_to_mech(key->pk_algorithm); mech.parameter = NULL; mech.parameter_len = 0; /* Initialize signing operation; using the private key discovered * earlier. */ rv = pkcs11_sign_init(sinfo->module, sinfo->pks, &mech, obj); if (rv != CKR_OK) { gnutls_assert(); ret = pkcs11_rv_to_err(rv); goto cleanup; } /* Work out how long the signature must be: */ rv = pkcs11_sign(sinfo->module, sinfo->pks, hash->data, hash->size, NULL, &siglen); if (rv != CKR_OK) { gnutls_assert(); ret = pkcs11_rv_to_err(rv); goto cleanup; } tmp.data = gnutls_malloc(siglen); tmp.size = siglen; rv = pkcs11_sign(sinfo->module, sinfo->pks, hash->data, hash->size, tmp.data, &siglen); if (rv != CKR_OK) { gnutls_assert(); ret = pkcs11_rv_to_err(rv); goto cleanup; } if (key->pk_algorithm == GNUTLS_PK_EC || key->pk_algorithm == GNUTLS_PK_DSA) { unsigned int hlen = siglen / 2; gnutls_datum_t r, s; if (siglen % 2 != 0) { gnutls_assert(); ret = GNUTLS_E_PK_SIGN_FAILED; goto cleanup; } r.data = tmp.data; r.size = hlen; s.data = &tmp.data[hlen]; s.size = hlen; ret = _gnutls_encode_ber_rs_raw(signature, &r, &s); if (ret < 0) { gnutls_assert(); goto cleanup; } gnutls_free(tmp.data); tmp.data = NULL; } else { signature->size = siglen; signature->data = tmp.data; } ret = 0; cleanup: if (sinfo != &key->sinfo) pkcs11_close_session(sinfo); if (ret < 0) gnutls_free(tmp.data); return ret; }
GenericLayout *Theme::getLayoutById( const string &id ) { FIND_OBJECT( GenericLayoutPtr, m_layouts ); }
CtrlGeneric *Theme::getControlById( const string &id ) { FIND_OBJECT( CtrlGenericPtr, m_controls ); }
TopWindow *Theme::getWindowById( const string &id ) { FIND_OBJECT( TopWindowPtr, m_windows ); }
Popup *Theme::getPopupById( const string &id ) { FIND_OBJECT( PopupPtr, m_popups ); }
/*- * _gnutls_pkcs11_privkey_decrypt_data: * @key: Holds the key * @flags: should be 0 for now * @ciphertext: holds the data to be signed * @plaintext: will contain the plaintext, allocated with gnutls_malloc() * * This function will decrypt the given data using the public key algorithm * supported by the private key. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. -*/ int _gnutls_pkcs11_privkey_decrypt_data (gnutls_pkcs11_privkey_t key, unsigned int flags, const gnutls_datum_t * ciphertext, gnutls_datum_t * plaintext) { ck_rv_t rv; int ret; struct ck_mechanism mech; unsigned long siglen; struct ck_function_list *module; ck_session_handle_t pks; ck_object_handle_t obj; FIND_OBJECT (module, pks, obj, key); if (key->pk_algorithm != GNUTLS_PK_RSA) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); mech.mechanism = CKM_RSA_PKCS; mech.parameter = NULL; mech.parameter_len = 0; /* Initialize signing operation; using the private key discovered * earlier. */ rv = pkcs11_decrypt_init (module, pks, &mech, obj); if (rv != CKR_OK) { gnutls_assert (); ret = pkcs11_rv_to_err (rv); goto cleanup; } /* Work out how long the plaintext must be: */ rv = pkcs11_decrypt (module, pks, ciphertext->data, ciphertext->size, NULL, &siglen); if (rv != CKR_OK) { gnutls_assert (); ret = pkcs11_rv_to_err (rv); goto cleanup; } plaintext->data = gnutls_malloc (siglen); plaintext->size = siglen; rv = pkcs11_decrypt (module, pks, ciphertext->data, ciphertext->size, plaintext->data, &siglen); if (rv != CKR_OK) { gnutls_free (plaintext->data); gnutls_assert (); ret = pkcs11_rv_to_err (rv); goto cleanup; } plaintext->size = siglen; ret = 0; cleanup: pkcs11_close_session (module, pks); return ret; }
/** * gnutls_pkcs11_privkey_import_url: * @pkey: The structure to store the parsed key * @url: a PKCS 11 url identifying the key * @flags: sequence of GNUTLS_PKCS_PRIVKEY_* * * This function will "import" a PKCS 11 URL identifying a private * key to the #gnutls_pkcs11_privkey_t structure. In reality since * in most cases keys cannot be exported, the private key structure * is being associated with the available operations on the token. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ int gnutls_pkcs11_privkey_import_url (gnutls_pkcs11_privkey_t pkey, const char *url, unsigned int flags) { int ret; struct ck_function_list *module; struct ck_attribute *attr; ck_session_handle_t pks; ck_object_handle_t obj; struct ck_attribute a[4]; ck_key_type_t key_type; ret = pkcs11_url_to_info (url, &pkey->info); if (ret < 0) { gnutls_assert (); return ret; } pkey->flags = flags; attr = p11_kit_uri_get_attribute (pkey->info, CKA_CLASS); if (!attr || attr->value_len != sizeof (ck_object_class_t) || *(ck_object_class_t*)attr->value != CKO_PRIVATE_KEY) { gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; } attr = p11_kit_uri_get_attribute (pkey->info, CKA_ID); if (!attr || !attr->value_len) { attr = p11_kit_uri_get_attribute (pkey->info, CKA_LABEL); if (!attr || !attr->value_len) { gnutls_assert (); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } } FIND_OBJECT (module, pks, obj, pkey); a[0].type = CKA_KEY_TYPE; a[0].value = &key_type; a[0].value_len = sizeof (key_type); if (pkcs11_get_attribute_value (module, pks, obj, a, 1) == CKR_OK) { pkey->pk_algorithm = mech_to_pk(key_type); if (pkey->pk_algorithm == GNUTLS_PK_UNKNOWN) { _gnutls_debug_log("Cannot determine PKCS #11 key algorithm\n"); ret = GNUTLS_E_UNKNOWN_ALGORITHM; goto cleanup; } } ret = 0; cleanup: pkcs11_close_session (module, pks); return ret; }
/*- * _gnutls_pkcs11_privkey_sign_hash: * @key: Holds the key * @hash: holds the data to be signed (should be output of a hash) * @signature: will contain the signature allocated with gnutls_malloc() * * This function will sign the given data using a signature algorithm * supported by the private key. It is assumed that the given data * are the output of a hash function. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. -*/ int _gnutls_pkcs11_privkey_sign_hash (gnutls_pkcs11_privkey_t key, const gnutls_datum_t * hash, gnutls_datum_t * signature) { ck_rv_t rv; int ret; struct ck_mechanism mech; unsigned long siglen; struct ck_function_list *module; ck_session_handle_t pks; ck_object_handle_t obj; FIND_OBJECT (module, pks, obj, key); mech.mechanism = pk_to_mech(key->pk_algorithm); mech.parameter = NULL; mech.parameter_len = 0; /* Initialize signing operation; using the private key discovered * earlier. */ rv = pkcs11_sign_init (module, pks, &mech, obj); if (rv != CKR_OK) { gnutls_assert (); ret = pkcs11_rv_to_err (rv); goto cleanup; } /* Work out how long the signature must be: */ rv = pkcs11_sign (module, pks, hash->data, hash->size, NULL, &siglen); if (rv != CKR_OK) { gnutls_assert (); ret = pkcs11_rv_to_err (rv); goto cleanup; } signature->data = gnutls_malloc (siglen); signature->size = siglen; rv = pkcs11_sign (module, pks, hash->data, hash->size, signature->data, &siglen); if (rv != CKR_OK) { gnutls_free (signature->data); gnutls_assert (); ret = pkcs11_rv_to_err (rv); goto cleanup; } signature->size = siglen; if (key->pk_algorithm == GNUTLS_PK_EC || key->pk_algorithm == GNUTLS_PK_DSA) { bigint_t r,s; if (siglen % 2 != 0) { gnutls_assert(); ret = GNUTLS_E_PK_SIGN_FAILED; goto cleanup; } ret = read_rs(&r, &s, signature->data, signature->size); if (ret < 0) { gnutls_assert(); goto cleanup; } gnutls_free(signature->data); ret = _gnutls_encode_ber_rs (signature, r, s); _gnutls_mpi_release(&r); _gnutls_mpi_release(&s); if (ret < 0) { gnutls_assert(); goto cleanup; } } ret = 0; cleanup: pkcs11_close_session (module, pks); return ret; }