void doit(void)
{
unsigned rsa_size1, rsa_size2;
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
if (gnutls_fips140_mode_enabled()) {
rsa_size1 = 2048; /* minimum allowed */
rsa_size2 = 2048; /* minimum allowed */
} else {
rsa_size1 = 512;
rsa_size2 = 1024;
}
test_sig(GNUTLS_PK_RSA, GNUTLS_DIG_SHA1, rsa_size1);
test_sig(GNUTLS_PK_RSA, GNUTLS_DIG_SHA256, rsa_size2);
test_sig(GNUTLS_PK_EC, GNUTLS_DIG_SHA1, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1));
test_sig(GNUTLS_PK_EC, GNUTLS_DIG_SHA256, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1));
test_sig(GNUTLS_PK_EC, GNUTLS_DIG_SHA256, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1));
test_sig(GNUTLS_PK_EC, GNUTLS_DIG_SHA256, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1));
gnutls_global_deinit();
}
static
int dcrypt_gnutls_generate_keypair(struct dcrypt_keypair *pair_r, enum dcrypt_key_type kind, unsigned int bits, const char *curve, const char **error_r)
{
gnutls_pk_algorithm_t pk_algo;
gnutls_ecc_curve_t pk_curve;
if (kind == DCRYPT_KEY_EC) {
pk_curve = gnutls_ecc_curve_get_id(curve);
if (pk_curve == GNUTLS_ECC_CURVE_INVALID) {
*error_r = "Invalid curve";
return -1;
}
bits = GNUTLS_CURVE_TO_BITS(pk_curve);
#if GNUTLS_VERSION_NUMBER >= 0x030500
pk_algo = gnutls_curve_get_pk(pk_curve);
#else
pk_algo = GNUTLS_PK_EC;
#endif
} else if (kind == DCRYPT_KEY_RSA) {
pk_algo = gnutls_pk_get_id("RSA");
} else {
*error_r = "Unsupported key type";
return -1;
}
int ec;
gnutls_privkey_t priv;
if ((ec = gnutls_privkey_init(&priv)) != GNUTLS_E_SUCCESS) return dcrypt_gnutls_error(ec, error_r);
#if GNUTLS_VERSION_NUMBER >= 0x030500
gnutls_privkey_set_flags(priv, GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
#endif
ec = gnutls_privkey_generate(priv, pk_algo, bits, 0);
if (ec != GNUTLS_E_SUCCESS) {
gnutls_privkey_deinit(priv);
return dcrypt_gnutls_error(ec, error_r);
}
pair_r->priv = (struct dcrypt_private_key*)priv;
return dcrypt_gnutls_private_to_public_key(pair_r->priv, &pair_r->pub, error_r);
}
static void cmd_parser(int argc, char **argv)
{
int ret, debug = 0;
common_info_st cinfo;
unsigned int pkcs11_type = -1, key_type = GNUTLS_PK_UNKNOWN;
const char *url = NULL;
unsigned int detailed_url = 0, optct;
unsigned int bits = 0;
const char *label = NULL, *sec_param = NULL;
unsigned flags;
optct = optionProcess(&p11toolOptions, argc, argv);
argc += optct;
argv += optct;
if (url == NULL && argc > 0)
url = argv[0];
else
url = "pkcs11:";
if (HAVE_OPT(DEBUG))
debug = OPT_VALUE_DEBUG;
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(debug);
if (debug > 1)
printf("Setting log level to %d\n", debug);
if ((ret = gnutls_global_init()) < 0) {
fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret));
exit(1);
}
if (HAVE_OPT(PROVIDER)) {
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret < 0)
fprintf(stderr, "pkcs11_init: %s\n",
gnutls_strerror(ret));
else {
ret =
gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER),
NULL);
if (ret < 0) {
fprintf(stderr, "pkcs11_add_provider: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
} else {
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
if (ret < 0)
fprintf(stderr, "pkcs11_init: %s\n",
gnutls_strerror(ret));
}
if (HAVE_OPT(OUTFILE)) {
outfile = safe_open_rw(OPT_ARG(OUTFILE), 0);
if (outfile == NULL) {
fprintf(stderr, "cannot open %s\n", OPT_ARG(OUTFILE));
exit(1);
}
} else
outfile = stdout;
memset(&cinfo, 0, sizeof(cinfo));
flags = opt_to_flags();
if (HAVE_OPT(SECRET_KEY))
cinfo.secret_key = OPT_ARG(SECRET_KEY);
if (HAVE_OPT(LOAD_PRIVKEY))
cinfo.privkey = OPT_ARG(LOAD_PRIVKEY);
if (HAVE_OPT(PKCS8))
cinfo.pkcs8 = 1;
if (HAVE_OPT(BATCH)) {
batch = cinfo.batch = 1;
}
if (ENABLED_OPT(INDER) || ENABLED_OPT(INRAW))
cinfo.incert_format = GNUTLS_X509_FMT_DER;
else
cinfo.incert_format = GNUTLS_X509_FMT_PEM;
if (HAVE_OPT(OUTDER) || HAVE_OPT(OUTRAW))
cinfo.outcert_format = GNUTLS_X509_FMT_DER;
else
cinfo.outcert_format = GNUTLS_X509_FMT_PEM;
if (HAVE_OPT(SET_PIN))
cinfo.pin = OPT_ARG(SET_PIN);
if (HAVE_OPT(SET_SO_PIN))
cinfo.so_pin = OPT_ARG(SET_SO_PIN);
if (HAVE_OPT(LOAD_CERTIFICATE))
cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);
if (HAVE_OPT(LOAD_PUBKEY))
cinfo.pubkey = OPT_ARG(LOAD_PUBKEY);
if (ENABLED_OPT(DETAILED_URL))
detailed_url = 1;
if (HAVE_OPT(LABEL)) {
label = OPT_ARG(LABEL);
}
if (HAVE_OPT(BITS)) {
bits = OPT_VALUE_BITS;
}
if (HAVE_OPT(CURVE)) {
bits = GNUTLS_CURVE_TO_BITS(str_to_curve(OPT_ARG(CURVE)));
}
if (HAVE_OPT(SEC_PARAM)) {
sec_param = OPT_ARG(SEC_PARAM);
}
if (debug > 4) {
if (HAVE_OPT(MARK_PRIVATE))
fprintf(stderr, "Private: %s\n",
ENABLED_OPT(MARK_PRIVATE) ? "yes" : "no");
fprintf(stderr, "Trusted: %s\n",
ENABLED_OPT(MARK_TRUSTED) ? "yes" : "no");
fprintf(stderr, "Wrap: %s\n",
ENABLED_OPT(MARK_WRAP) ? "yes" : "no");
fprintf(stderr, "CA: %s\n",
ENABLED_OPT(MARK_CA) ? "yes" : "no");
fprintf(stderr, "Login: %s\n",
ENABLED_OPT(LOGIN) ? "yes" : "no");
fprintf(stderr, "SO Login: %s\n",
ENABLED_OPT(SO_LOGIN) ? "yes" : "no");
fprintf(stderr, "Detailed URLs: %s\n",
ENABLED_OPT(DETAILED_URL) ? "yes" : "no");
fprintf(stderr, "\n");
}
/* handle actions
*/
if (HAVE_OPT(LIST_TOKENS)) {
pkcs11_token_list(outfile, detailed_url, &cinfo, 0);
} else if (HAVE_OPT(LIST_MECHANISMS)) {
pkcs11_mechanism_list(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(GENERATE_RANDOM)) {
pkcs11_get_random(outfile, url, OPT_VALUE_GENERATE_RANDOM,
&cinfo);
} else if (HAVE_OPT(INFO)) {
pkcs11_type = PKCS11_TYPE_INFO;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(LIST_ALL)) {
pkcs11_type = PKCS11_TYPE_ALL;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(LIST_ALL_CERTS)) {
pkcs11_type = PKCS11_TYPE_CRT_ALL;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(LIST_CERTS)) {
pkcs11_type = PKCS11_TYPE_PK;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(LIST_ALL_PRIVKEYS)) {
pkcs11_type = PKCS11_TYPE_PRIVKEY;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(LIST_ALL_TRUSTED)) {
pkcs11_type = PKCS11_TYPE_TRUSTED;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(EXPORT)) {
pkcs11_export(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(EXPORT_CHAIN)) {
pkcs11_export_chain(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(WRITE)) {
pkcs11_write(outfile, url, label,
flags, &cinfo);
} else if (HAVE_OPT(INITIALIZE))
pkcs11_init(outfile, url, label, &cinfo);
else if (HAVE_OPT(DELETE))
pkcs11_delete(outfile, url, flags, &cinfo);
else if (HAVE_OPT(GENERATE_ECC)) {
key_type = GNUTLS_PK_EC;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
label, detailed_url,
flags, &cinfo);
} else if (HAVE_OPT(GENERATE_RSA)) {
key_type = GNUTLS_PK_RSA;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
label, detailed_url,
flags, &cinfo);
} else if (HAVE_OPT(GENERATE_DSA)) {
key_type = GNUTLS_PK_DSA;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
label, detailed_url,
flags, &cinfo);
} else if (HAVE_OPT(EXPORT_PUBKEY)) {
pkcs11_export_pubkey(outfile, url, detailed_url, flags, &cinfo);
} else {
USAGE(1);
}
fclose(outfile);
#ifdef ENABLE_PKCS11
gnutls_pkcs11_deinit();
#endif
gnutls_global_deinit();
}
