void doit(void) { unsigned rsa_size1, rsa_size2; global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); if (gnutls_fips140_mode_enabled()) { rsa_size1 = 2048; /* minimum allowed */ rsa_size2 = 2048; /* minimum allowed */ } else { rsa_size1 = 512; rsa_size2 = 1024; } test_sig(GNUTLS_PK_RSA, GNUTLS_DIG_SHA1, rsa_size1); test_sig(GNUTLS_PK_RSA, GNUTLS_DIG_SHA256, rsa_size2); test_sig(GNUTLS_PK_EC, GNUTLS_DIG_SHA1, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1)); test_sig(GNUTLS_PK_EC, GNUTLS_DIG_SHA256, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1)); test_sig(GNUTLS_PK_EC, GNUTLS_DIG_SHA256, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1)); test_sig(GNUTLS_PK_EC, GNUTLS_DIG_SHA256, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1)); gnutls_global_deinit(); }
static int dcrypt_gnutls_generate_keypair(struct dcrypt_keypair *pair_r, enum dcrypt_key_type kind, unsigned int bits, const char *curve, const char **error_r) { gnutls_pk_algorithm_t pk_algo; gnutls_ecc_curve_t pk_curve; if (kind == DCRYPT_KEY_EC) { pk_curve = gnutls_ecc_curve_get_id(curve); if (pk_curve == GNUTLS_ECC_CURVE_INVALID) { *error_r = "Invalid curve"; return -1; } bits = GNUTLS_CURVE_TO_BITS(pk_curve); #if GNUTLS_VERSION_NUMBER >= 0x030500 pk_algo = gnutls_curve_get_pk(pk_curve); #else pk_algo = GNUTLS_PK_EC; #endif } else if (kind == DCRYPT_KEY_RSA) { pk_algo = gnutls_pk_get_id("RSA"); } else { *error_r = "Unsupported key type"; return -1; } int ec; gnutls_privkey_t priv; if ((ec = gnutls_privkey_init(&priv)) != GNUTLS_E_SUCCESS) return dcrypt_gnutls_error(ec, error_r); #if GNUTLS_VERSION_NUMBER >= 0x030500 gnutls_privkey_set_flags(priv, GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT); #endif ec = gnutls_privkey_generate(priv, pk_algo, bits, 0); if (ec != GNUTLS_E_SUCCESS) { gnutls_privkey_deinit(priv); return dcrypt_gnutls_error(ec, error_r); } pair_r->priv = (struct dcrypt_private_key*)priv; return dcrypt_gnutls_private_to_public_key(pair_r->priv, &pair_r->pub, error_r); }
static void cmd_parser(int argc, char **argv) { int ret, debug = 0; common_info_st cinfo; unsigned int pkcs11_type = -1, key_type = GNUTLS_PK_UNKNOWN; const char *url = NULL; unsigned int detailed_url = 0, optct; unsigned int bits = 0; const char *label = NULL, *sec_param = NULL; unsigned flags; optct = optionProcess(&p11toolOptions, argc, argv); argc += optct; argv += optct; if (url == NULL && argc > 0) url = argv[0]; else url = "pkcs11:"; if (HAVE_OPT(DEBUG)) debug = OPT_VALUE_DEBUG; gnutls_global_set_log_function(tls_log_func); gnutls_global_set_log_level(debug); if (debug > 1) printf("Setting log level to %d\n", debug); if ((ret = gnutls_global_init()) < 0) { fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret)); exit(1); } if (HAVE_OPT(PROVIDER)) { ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); if (ret < 0) fprintf(stderr, "pkcs11_init: %s\n", gnutls_strerror(ret)); else { ret = gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER), NULL); if (ret < 0) { fprintf(stderr, "pkcs11_add_provider: %s\n", gnutls_strerror(ret)); exit(1); } } } else { ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL); if (ret < 0) fprintf(stderr, "pkcs11_init: %s\n", gnutls_strerror(ret)); } if (HAVE_OPT(OUTFILE)) { outfile = safe_open_rw(OPT_ARG(OUTFILE), 0); if (outfile == NULL) { fprintf(stderr, "cannot open %s\n", OPT_ARG(OUTFILE)); exit(1); } } else outfile = stdout; memset(&cinfo, 0, sizeof(cinfo)); flags = opt_to_flags(); if (HAVE_OPT(SECRET_KEY)) cinfo.secret_key = OPT_ARG(SECRET_KEY); if (HAVE_OPT(LOAD_PRIVKEY)) cinfo.privkey = OPT_ARG(LOAD_PRIVKEY); if (HAVE_OPT(PKCS8)) cinfo.pkcs8 = 1; if (HAVE_OPT(BATCH)) { batch = cinfo.batch = 1; } if (ENABLED_OPT(INDER) || ENABLED_OPT(INRAW)) cinfo.incert_format = GNUTLS_X509_FMT_DER; else cinfo.incert_format = GNUTLS_X509_FMT_PEM; if (HAVE_OPT(OUTDER) || HAVE_OPT(OUTRAW)) cinfo.outcert_format = GNUTLS_X509_FMT_DER; else cinfo.outcert_format = GNUTLS_X509_FMT_PEM; if (HAVE_OPT(SET_PIN)) cinfo.pin = OPT_ARG(SET_PIN); if (HAVE_OPT(SET_SO_PIN)) cinfo.so_pin = OPT_ARG(SET_SO_PIN); if (HAVE_OPT(LOAD_CERTIFICATE)) cinfo.cert = OPT_ARG(LOAD_CERTIFICATE); if (HAVE_OPT(LOAD_PUBKEY)) cinfo.pubkey = OPT_ARG(LOAD_PUBKEY); if (ENABLED_OPT(DETAILED_URL)) detailed_url = 1; if (HAVE_OPT(LABEL)) { label = OPT_ARG(LABEL); } if (HAVE_OPT(BITS)) { bits = OPT_VALUE_BITS; } if (HAVE_OPT(CURVE)) { bits = GNUTLS_CURVE_TO_BITS(str_to_curve(OPT_ARG(CURVE))); } if (HAVE_OPT(SEC_PARAM)) { sec_param = OPT_ARG(SEC_PARAM); } if (debug > 4) { if (HAVE_OPT(MARK_PRIVATE)) fprintf(stderr, "Private: %s\n", ENABLED_OPT(MARK_PRIVATE) ? "yes" : "no"); fprintf(stderr, "Trusted: %s\n", ENABLED_OPT(MARK_TRUSTED) ? "yes" : "no"); fprintf(stderr, "Wrap: %s\n", ENABLED_OPT(MARK_WRAP) ? "yes" : "no"); fprintf(stderr, "CA: %s\n", ENABLED_OPT(MARK_CA) ? "yes" : "no"); fprintf(stderr, "Login: %s\n", ENABLED_OPT(LOGIN) ? "yes" : "no"); fprintf(stderr, "SO Login: %s\n", ENABLED_OPT(SO_LOGIN) ? "yes" : "no"); fprintf(stderr, "Detailed URLs: %s\n", ENABLED_OPT(DETAILED_URL) ? "yes" : "no"); fprintf(stderr, "\n"); } /* handle actions */ if (HAVE_OPT(LIST_TOKENS)) { pkcs11_token_list(outfile, detailed_url, &cinfo, 0); } else if (HAVE_OPT(LIST_MECHANISMS)) { pkcs11_mechanism_list(outfile, url, flags, &cinfo); } else if (HAVE_OPT(GENERATE_RANDOM)) { pkcs11_get_random(outfile, url, OPT_VALUE_GENERATE_RANDOM, &cinfo); } else if (HAVE_OPT(INFO)) { pkcs11_type = PKCS11_TYPE_INFO; pkcs11_list(outfile, url, pkcs11_type, flags, detailed_url, &cinfo); } else if (HAVE_OPT(LIST_ALL)) { pkcs11_type = PKCS11_TYPE_ALL; pkcs11_list(outfile, url, pkcs11_type, flags, detailed_url, &cinfo); } else if (HAVE_OPT(LIST_ALL_CERTS)) { pkcs11_type = PKCS11_TYPE_CRT_ALL; pkcs11_list(outfile, url, pkcs11_type, flags, detailed_url, &cinfo); } else if (HAVE_OPT(LIST_CERTS)) { pkcs11_type = PKCS11_TYPE_PK; pkcs11_list(outfile, url, pkcs11_type, flags, detailed_url, &cinfo); } else if (HAVE_OPT(LIST_ALL_PRIVKEYS)) { pkcs11_type = PKCS11_TYPE_PRIVKEY; pkcs11_list(outfile, url, pkcs11_type, flags, detailed_url, &cinfo); } else if (HAVE_OPT(LIST_ALL_TRUSTED)) { pkcs11_type = PKCS11_TYPE_TRUSTED; pkcs11_list(outfile, url, pkcs11_type, flags, detailed_url, &cinfo); } else if (HAVE_OPT(EXPORT)) { pkcs11_export(outfile, url, flags, &cinfo); } else if (HAVE_OPT(EXPORT_CHAIN)) { pkcs11_export_chain(outfile, url, flags, &cinfo); } else if (HAVE_OPT(WRITE)) { pkcs11_write(outfile, url, label, flags, &cinfo); } else if (HAVE_OPT(INITIALIZE)) pkcs11_init(outfile, url, label, &cinfo); else if (HAVE_OPT(DELETE)) pkcs11_delete(outfile, url, flags, &cinfo); else if (HAVE_OPT(GENERATE_ECC)) { key_type = GNUTLS_PK_EC; pkcs11_generate(outfile, url, key_type, get_bits(key_type, bits, sec_param, 0), label, detailed_url, flags, &cinfo); } else if (HAVE_OPT(GENERATE_RSA)) { key_type = GNUTLS_PK_RSA; pkcs11_generate(outfile, url, key_type, get_bits(key_type, bits, sec_param, 0), label, detailed_url, flags, &cinfo); } else if (HAVE_OPT(GENERATE_DSA)) { key_type = GNUTLS_PK_DSA; pkcs11_generate(outfile, url, key_type, get_bits(key_type, bits, sec_param, 0), label, detailed_url, flags, &cinfo); } else if (HAVE_OPT(EXPORT_PUBKEY)) { pkcs11_export_pubkey(outfile, url, detailed_url, flags, &cinfo); } else { USAGE(1); } fclose(outfile); #ifdef ENABLE_PKCS11 gnutls_pkcs11_deinit(); #endif gnutls_global_deinit(); }