/**
Return certificate contents. Line contains the percent-plus escaped
certificate ID.
*/
gpg_error_t cmd_readcert (assuan_context_t ctx, char *line)
{
gpg_err_code_t error = GPG_ERR_GENERAL;
pkcs11h_certificate_id_t cert_id = NULL;
pkcs11h_certificate_t cert = NULL;
unsigned char *blob = NULL;
size_t blob_size;
if (
(error = _get_certificate_by_name (
ctx,
line,
0,
&cert_id,
NULL
)) != GPG_ERR_NO_ERROR ||
(error = get_cert_blob (ctx, cert_id, &blob, &blob_size)) != GPG_ERR_NO_ERROR ||
(error = assuan_send_data (ctx, blob, blob_size)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
error = GPG_ERR_NO_ERROR;
cleanup:
if (cert != NULL) {
pkcs11h_certificate_freeCertificate (cert);
cert = NULL;
}
if (cert_id != NULL) {
pkcs11h_certificate_freeCertificateId (cert_id);
cert_id = NULL;
}
if (blob != NULL) {
free (blob);
blob = NULL;
}
return gpg_error (error);
}
int
tls_ctx_use_pkcs11(
struct tls_root_ctx *const ssl_ctx,
bool pkcs11_id_management,
const char *const pkcs11_id
) {
pkcs11h_certificate_id_t certificate_id = NULL;
pkcs11h_certificate_t certificate = NULL;
CK_RV rv = CKR_OK;
bool ok = false;
ASSERT(ssl_ctx!=NULL);
ASSERT(pkcs11_id_management || pkcs11_id!=NULL);
dmsg(
D_PKCS11_DEBUG,
"PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=%p, pkcs11_id_management=%d, pkcs11_id='%s'",
(void *)ssl_ctx,
pkcs11_id_management ? 1 : 0,
pkcs11_id
);
if (pkcs11_id_management)
{
struct user_pass id_resp;
CLEAR(id_resp);
id_resp.defined = false;
id_resp.nocache = true;
openvpn_snprintf(
id_resp.username,
sizeof(id_resp.username),
"Please specify PKCS#11 id to use"
);
if (
!get_user_pass(
&id_resp,
NULL,
"pkcs11-id-request",
GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_STR|GET_USER_PASS_NOFATAL
)
)
{
goto cleanup;
}
if (
(rv = pkcs11h_certificate_deserializeCertificateId(
&certificate_id,
id_resp.password
)) != CKR_OK
)
{
msg(M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
}
else
{
if (
(rv = pkcs11h_certificate_deserializeCertificateId(
&certificate_id,
pkcs11_id
)) != CKR_OK
)
{
msg(M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
}
if (
(rv = pkcs11h_certificate_create(
certificate_id,
NULL,
PKCS11H_PROMPT_MASK_ALLOW_ALL,
PKCS11H_PIN_CACHE_INFINITE,
&certificate
)) != CKR_OK
)
{
msg(M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if (
(pkcs11_init_tls_session(
certificate,
ssl_ctx
))
)
{
/* Handled by SSL context free */
certificate = NULL;
goto cleanup;
}
/* Handled by SSL context free */
certificate = NULL;
ok = true;
cleanup:
if (certificate != NULL)
{
pkcs11h_certificate_freeCertificate(certificate);
certificate = NULL;
}
if (certificate_id != NULL)
{
pkcs11h_certificate_freeCertificateId(certificate_id);
certificate_id = NULL;
}
dmsg(
D_PKCS11_DEBUG,
"PKCS#11: tls_ctx_use_pkcs11 - return ok=%d, rv=%ld",
ok ? 1 : 0,
rv
);
return ok ? 1 : 0;
}
/** Sign data (set by SETDATA) with certificate id in line. */
gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
{
static const unsigned char rmd160_prefix[] = /* (1.3.36.3.2.1) */
{ 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x24, 0x03,
0x02, 0x01, 0x05, 0x00, 0x04, 0x14 };
static const unsigned char md5_prefix[] = /* (1.2.840.113549.2.5) */
{ 0x30, 0x2c, 0x30, 0x09, 0x06, 0x08, 0x2a, 0x86, 0x48,
0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
static const unsigned char sha1_prefix[] = /* (1.3.14.3.2.26) */
{ 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03,
0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
static const unsigned char sha224_prefix[] = /* (2.16.840.1.101.3.4.2.4) */
{ 0x30, 0x2D, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04,
0x1C };
static const unsigned char sha256_prefix[] = /* (2.16.840.1.101.3.4.2.1) */
{ 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
0x00, 0x04, 0x20 };
static const unsigned char sha384_prefix[] = /* (2.16.840.1.101.3.4.2.2) */
{ 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
0x00, 0x04, 0x30 };
static const unsigned char sha512_prefix[] = /* (2.16.840.1.101.3.4.2.3) */
{ 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
0x00, 0x04, 0x40 };
gpg_err_code_t error = GPG_ERR_GENERAL;
pkcs11h_certificate_id_t cert_id = NULL;
pkcs11h_certificate_t cert = NULL;
cmd_data_t *data = (cmd_data_t *)assuan_get_pointer (ctx);
cmd_data_t *_data = data;
int need_free__data = 0;
int session_locked = 0;
unsigned char *sig = NULL;
size_t sig_len;
char hash[100] = "";
enum {
INJECT_NONE,
INJECT_RMD160,
INJECT_MD5,
INJECT_SHA1,
INJECT_SHA224,
INJECT_SHA256,
INJECT_SHA384,
INJECT_SHA512
} inject = INJECT_NONE;
if (data->data == NULL) {
error = GPG_ERR_INV_DATA;
goto cleanup;
}
while (*line != '\x0' && (isspace (*line) || *line == '-')) {
if (*line == '-') {
static const char *hashprm = "--hash=";
char *p = line;
while (*line != '\x0' && !isspace (*line)) {
line++;
}
line++;
if (!strncmp (p, hashprm, strlen (hashprm))) {
p += strlen (hashprm);
*(line-1) = '\0';
snprintf (hash, sizeof(hash), "%s", p);
}
}
else {
line++;
}
}
if (*line == '\x0') {
error = GPG_ERR_INV_DATA;
goto cleanup;
}
/*
* sender prefixed data with algorithm OID
*/
if (strcmp(hash, "")) {
if (!strcmp(hash, "rmd160") && data->size == (0x14 + sizeof(rmd160_prefix)) &&
!memcmp (data->data, rmd160_prefix, sizeof (rmd160_prefix))) {
inject = INJECT_NONE;
}
else if (!strcmp(hash, "rmd160") && data->size == 0x14) {
inject = INJECT_RMD160;
}
else if (!strcmp(hash, "md5") && data->size == (0x10 + sizeof(md5_prefix)) &&
!memcmp (data->data, md5_prefix, sizeof (md5_prefix))) {
inject = INJECT_NONE;
}
else if (!strcmp(hash, "md5") && data->size == 0x10) {
inject = INJECT_MD5;
}
else if (!strcmp(hash, "sha1") && data->size == (0x14 + sizeof(sha1_prefix)) &&
!memcmp (data->data, sha1_prefix, sizeof (sha1_prefix))) {
inject = INJECT_NONE;
}
else if (!strcmp(hash, "sha1") && data->size == 0x14) {
inject = INJECT_SHA1;
}
else if (!strcmp(hash, "sha224") && data->size == (0x1c + sizeof(sha224_prefix)) &&
!memcmp (data->data, sha224_prefix, sizeof (sha224_prefix))) {
inject = INJECT_NONE;
}
else if (!strcmp(hash, "sha224") && data->size == 0x1c) {
inject = INJECT_SHA224;
}
else if (!strcmp(hash, "sha256") && data->size == (0x20 + sizeof(sha256_prefix)) &&
!memcmp (data->data, sha256_prefix, sizeof (sha256_prefix))) {
inject = INJECT_NONE;
}
else if (!strcmp(hash, "sha256") && data->size == 0x20) {
inject = INJECT_SHA256;
}
else if (!strcmp(hash, "sha384") && data->size == (0x30 + sizeof(sha384_prefix)) &&
!memcmp (data->data, sha384_prefix, sizeof (sha384_prefix))) {
inject = INJECT_NONE;
}
else if (!strcmp(hash, "sha384") && data->size == 0x30) {
inject = INJECT_SHA384;
}
else if (!strcmp(hash, "sha512") && data->size == (0x40 + sizeof(sha512_prefix)) &&
!memcmp (data->data, sha512_prefix, sizeof (sha512_prefix))) {
inject = INJECT_NONE;
}
else if (!strcmp(hash, "sha512") && data->size == 0x40) {
inject = INJECT_SHA512;
}
else {
common_log (LOG_DEBUG, "unsupported hash algo (hash=%s,size=%d)", hash, data->size);
error = GPG_ERR_UNSUPPORTED_ALGORITHM;
goto cleanup;
}
}
else {
if (
data->size == 0x10 + sizeof (md5_prefix) ||
data->size == 0x14 + sizeof (sha1_prefix) ||
data->size == 0x14 + sizeof (rmd160_prefix)
) {
if (
memcmp (data->data, md5_prefix, sizeof (md5_prefix)) &&
memcmp (data->data, sha1_prefix, sizeof (sha1_prefix)) &&
memcmp (data->data, rmd160_prefix, sizeof (rmd160_prefix))
) {
error = GPG_ERR_UNSUPPORTED_ALGORITHM;
goto cleanup;
}
}
else {
/*
* unknown hash algorithm;
* gnupg's scdaemon forces to SHA1
*/
inject = INJECT_SHA1;
}
}
if (inject != INJECT_NONE) {
const unsigned char *oid;
size_t oid_size;
switch (inject) {
case INJECT_RMD160:
oid = rmd160_prefix;
oid_size = sizeof (rmd160_prefix);
break;
case INJECT_MD5:
oid = md5_prefix;
oid_size = sizeof (md5_prefix);
break;
case INJECT_SHA1:
oid = sha1_prefix;
oid_size = sizeof (sha1_prefix);
break;
case INJECT_SHA224:
oid = sha224_prefix;
oid_size = sizeof (sha224_prefix);
break;
case INJECT_SHA256:
oid = sha256_prefix;
oid_size = sizeof(sha256_prefix);
break;
case INJECT_SHA384:
oid = sha384_prefix;
oid_size = sizeof(sha384_prefix);
break;
case INJECT_SHA512:
oid = sha512_prefix;
oid_size = sizeof(sha512_prefix);
break;
default:
error = GPG_ERR_INV_DATA;
goto cleanup;
}
need_free__data = 1;
if ((_data = (cmd_data_t *)malloc (sizeof (cmd_data_t))) == NULL) {
error = GPG_ERR_ENOMEM;
goto cleanup;
}
if ((_data->data = (unsigned char *)malloc (data->size + oid_size)) == NULL) {
error = GPG_ERR_ENOMEM;
goto cleanup;
}
_data->size = 0;
memmove (_data->data+_data->size, oid, oid_size);
_data->size += oid_size;
memmove (_data->data+_data->size, data->data, data->size);
_data->size += data->size;
}
if (
(error = _get_certificate_by_name (
ctx,
line,
OPENPGP_SIGN,
&cert_id,
NULL
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if (
(error = common_map_pkcs11_error (
pkcs11h_certificate_create (
cert_id,
ctx,
PKCS11H_PROMPT_MASK_ALLOW_ALL,
PKCS11H_PIN_CACHE_INFINITE,
&cert
)
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if (
(error = common_map_pkcs11_error (
pkcs11h_certificate_lockSession (cert)
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
session_locked = 1;
if (
(error = common_map_pkcs11_error (
pkcs11h_certificate_signAny (
cert,
CKM_RSA_PKCS,
_data->data,
_data->size,
NULL,
&sig_len
)
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if ((sig = (unsigned char *)malloc (sig_len)) == NULL) {
error = GPG_ERR_ENOMEM;
goto cleanup;
}
if (
(error = common_map_pkcs11_error (
pkcs11h_certificate_signAny (
cert,
CKM_RSA_PKCS,
_data->data,
_data->size,
sig,
&sig_len
)
)) != GPG_ERR_NO_ERROR ||
(error = assuan_send_data(ctx, sig, sig_len)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
error = GPG_ERR_NO_ERROR;
cleanup:
if (session_locked) {
pkcs11h_certificate_releaseSession (cert);
session_locked = 0;
}
if (cert != NULL) {
pkcs11h_certificate_freeCertificate (cert);
cert = NULL;
}
if (cert_id != NULL) {
pkcs11h_certificate_freeCertificateId (cert_id);
cert_id = NULL;
}
if (sig != NULL) {
free (sig);
sig = NULL;
}
if (need_free__data) {
free (_data->data);
_data->data = NULL;
free (_data);
_data = NULL;
}
return gpg_error (error);
}
/** Read key given cert id in line. */
gpg_error_t cmd_readkey (assuan_context_t ctx, char *line)
{
gpg_err_code_t error = GPG_ERR_GENERAL;
pkcs11h_certificate_id_t cert_id = NULL;
gcry_sexp_t sexp = NULL;
unsigned char *blob = NULL;
size_t blob_size;
if (
(error = _get_certificate_by_name (
ctx,
line,
0,
&cert_id,
NULL
)) != GPG_ERR_NO_ERROR ||
(error = get_cert_sexp (ctx, cert_id, &sexp)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if ((blob_size = gcry_sexp_sprint (sexp, GCRYSEXP_FMT_CANON, NULL, 0)) == 0) {
error = GPG_ERR_BAD_KEY;
goto cleanup;
}
if ((blob = (unsigned char *)malloc (blob_size)) == NULL) {
error = GPG_ERR_ENOMEM;
goto cleanup;
}
if (gcry_sexp_sprint (sexp, GCRYSEXP_FMT_CANON, blob, blob_size) == 0) {
error = GPG_ERR_BAD_KEY;
goto cleanup;
}
if (
(error = assuan_send_data(
ctx,
blob,
gcry_sexp_canon_len (blob, 0, NULL, NULL)
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
error = GPG_ERR_NO_ERROR;
cleanup:
if (sexp != NULL) {
gcry_sexp_release(sexp);
sexp = NULL;
}
if (cert_id != NULL) {
pkcs11h_certificate_freeCertificateId (cert_id);
cert_id = NULL;
}
if (blob != NULL) {
free (blob);
blob = NULL;
}
return gpg_error (error);
}
int _get_certificate_by_name (assuan_context_t ctx, char *name, int typehint, pkcs11h_certificate_id_t *p_cert_id, char **p_key) {
cmd_data_t *data = (cmd_data_t *)assuan_get_pointer (ctx);
gpg_err_code_t error = GPG_ERR_BAD_KEY;
pkcs11h_certificate_id_list_t user_certificates = NULL;
pkcs11h_certificate_id_list_t curr_cert;
pkcs11h_certificate_id_t cert_id = NULL;
char *key_hexgrip = NULL;
gcry_sexp_t sexp = NULL;
char *key = NULL;
int type;
*p_cert_id = NULL;
if (p_key != NULL) {
*p_key = NULL;
}
if (name == NULL) {
type = typehint;
}
else if ( /* gnupg-2.0 mode */
data->config->openpgp_sign != NULL ||
data->config->openpgp_encr != NULL ||
data->config->openpgp_auth != NULL
) {
type = typehint;
}
else if (strncmp (name, OPENPGP_KEY_NAME_PREFIX, strlen (OPENPGP_KEY_NAME_PREFIX))) {
return common_map_pkcs11_error (
pkcs11h_certificate_deserializeCertificateId (p_cert_id, name)
);
}
else {
type = atoi(name + strlen (OPENPGP_KEY_NAME_PREFIX));
}
switch (type) {
case OPENPGP_SIGN:
key = data->config->openpgp_sign;
break;
case OPENPGP_ENCR:
key = data->config->openpgp_encr;
break;
case OPENPGP_AUTH:
key = data->config->openpgp_auth;
break;
default:
error = GPG_ERR_BAD_KEY;
goto cleanup;
}
if (key == NULL) {
error = GPG_ERR_BAD_KEY;
goto cleanup;
}
if (
(error = common_map_pkcs11_error (
pkcs11h_certificate_enumCertificateIds (
PKCS11H_ENUM_METHOD_CACHE_EXIST,
ctx,
PKCS11H_PROMPT_MASK_ALLOW_ALL,
NULL,
&user_certificates
)
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
for (
curr_cert = user_certificates;
curr_cert != NULL && cert_id == NULL;
curr_cert = curr_cert->next
) {
if ((error = get_cert_sexp (ctx, curr_cert->certificate_id, &sexp)) != GPG_ERR_NO_ERROR) {
goto cleanup;
}
if ((key_hexgrip = keyutil_get_cert_hexgrip (sexp)) == NULL) {
error = GPG_ERR_ENOMEM;
goto cleanup;
}
if (!strcmp (key_hexgrip, key)) {
if (
(error = common_map_pkcs11_error (
pkcs11h_certificate_duplicateCertificateId (
&cert_id,
curr_cert->certificate_id
)
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
}
}
if (cert_id == NULL) {
error = GPG_ERR_BAD_KEY;
goto cleanup;
}
*p_cert_id = cert_id;
cert_id = NULL;
if (p_key != NULL) {
*p_key = key;
}
error = GPG_ERR_NO_ERROR;
cleanup:
if (sexp != NULL) {
gcry_sexp_release(sexp);
sexp = NULL;
}
if (key_hexgrip != NULL) {
free (key_hexgrip);
key_hexgrip = NULL;
}
if (user_certificates != NULL) {
pkcs11h_certificate_freeCertificateIdList (user_certificates);
user_certificates = NULL;
}
if (cert_id != NULL) {
pkcs11h_certificate_freeCertificateId (cert_id);
cert_id = NULL;
}
return error;
}
gpg_error_t cmd_genkey (assuan_context_t ctx, char *line)
{
gpg_err_code_t error = GPG_ERR_GENERAL;
pkcs11h_certificate_id_t cert_id = NULL;
gcry_mpi_t n_mpi = NULL;
gcry_mpi_t e_mpi = NULL;
unsigned char *n_hex = NULL;
unsigned char *e_hex = NULL;
char *n_resp = strdup ("n ");
char *e_resp = strdup ("e ");
unsigned char *blob = NULL;
char *serial = NULL;
char *key = NULL;
size_t blob_size;
char timestamp[100] = {0};
while (*line != '\x0' && !isdigit (*line)) {
if (*line == '-') {
static const char *ts = "--timestamp=";
char *p = line;
while (*line != '\x0' && !isspace (*line)) {
line++;
}
line++;
if (!strncmp (p, ts, strlen (ts))) {
p += strlen (ts);
sprintf (timestamp, "%d", (int)isotime2epoch (p));
}
}
else {
line++;
}
}
if (*line == '\x0') {
error = GPG_ERR_INV_DATA;
goto cleanup;
}
if (strlen (timestamp) == 0) {
sprintf (timestamp, "%d", (int)time (NULL));
}
if (
(error = _get_certificate_by_name (
ctx,
NULL,
atoi(line),
&cert_id,
&key
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if (
(error = assuan_write_status (
ctx,
"KEY-FPR",
key
)) != GPG_ERR_NO_ERROR ||
(error = assuan_write_status(
ctx,
"KEY-CREATED-AT",
timestamp
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if ((error = get_serial_of_tokenid(cert_id->token_id, &serial)) != GPG_ERR_NO_ERROR) {
goto cleanup;
}
if (
(error = assuan_write_status (
ctx,
"SERIALNO",
serial
)) != GPG_ERR_NO_ERROR ||
(error = get_cert_blob (
ctx,
cert_id,
&blob,
&blob_size
)) != GPG_ERR_NO_ERROR ||
(error = keyutil_get_cert_mpi (
blob,
blob_size,
&n_mpi,
&e_mpi
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if (
gcry_mpi_aprint (
GCRYMPI_FMT_HEX,
&n_hex,
NULL,
n_mpi
) ||
gcry_mpi_aprint (
GCRYMPI_FMT_HEX,
&e_hex,
NULL,
e_mpi
)
) {
error = GPG_ERR_BAD_KEY;
goto cleanup;
}
if (
!encoding_strappend (&n_resp, (char *)n_hex) ||
!encoding_strappend (&e_resp, (char *)e_hex)
) {
error = GPG_ERR_ENOMEM;
goto cleanup;
}
if (
(error = assuan_write_status(
ctx,
"KEY-DATA",
n_resp
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if (
(error = assuan_write_status(
ctx,
"KEY-DATA",
e_resp
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
error = GPG_ERR_NO_ERROR;
cleanup:
if (n_mpi != NULL) {
gcry_mpi_release (n_mpi);
n_mpi = NULL;
}
if (e_mpi != NULL) {
gcry_mpi_release (e_mpi);
e_mpi = NULL;
}
if (n_hex != NULL) {
gcry_free (n_hex);
n_hex = NULL;
}
if (e_hex != NULL) {
gcry_free (e_hex);
e_hex = NULL;
}
if (n_resp != NULL) {
free (n_resp);
n_resp = NULL;
}
if (e_resp != NULL) {
free (e_resp);
e_resp = NULL;
}
if (blob != NULL) {
free (blob);
blob = NULL;
}
if (cert_id != NULL) {
pkcs11h_certificate_freeCertificateId (cert_id);
cert_id = NULL;
}
if (serial != NULL) {
free(serial);
serial = NULL;
}
return gpg_error (error);
}
/** Decrypt data (set by SETDATA) with certificate id in line. */
gpg_error_t cmd_pkdecrypt (assuan_context_t ctx, char *line)
{
gpg_err_code_t error = GPG_ERR_GENERAL;
pkcs11h_certificate_id_t cert_id = NULL;
pkcs11h_certificate_t cert = NULL;
unsigned char *ptext = NULL;
size_t ptext_len;
int session_locked = 0;
cmd_data_t *data = (cmd_data_t *)assuan_get_pointer (ctx);
cmd_data_t _data;
if (
data == NULL ||
data->data == NULL
) {
error = GPG_ERR_INV_DATA;
goto cleanup;
}
/*
* Guess.. taken from openpgp card implementation
* and java PKCS#11 provider.
*/
_data.data = data->data;
_data.size = data->size;
if (
*_data.data == 0 && (
_data.size == 129 ||
_data.size == 193 ||
_data.size == 257 ||
_data.size == 385 ||
_data.size == 513
)
) {
_data.data++;
_data.size--;
}
if (
(error = _get_certificate_by_name (
ctx,
line,
OPENPGP_ENCR,
&cert_id,
NULL
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if (
(error = common_map_pkcs11_error (
pkcs11h_certificate_create (
cert_id,
ctx,
PKCS11H_PROMPT_MASK_ALLOW_ALL,
PKCS11H_PIN_CACHE_INFINITE,
&cert
)
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if (
(error = common_map_pkcs11_error (
pkcs11h_certificate_lockSession (cert)
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
session_locked = 1;
if (
(error = common_map_pkcs11_error (
pkcs11h_certificate_decryptAny (
cert,
CKM_RSA_PKCS,
_data.data,
_data.size,
NULL,
&ptext_len
)
)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
if ((ptext = (unsigned char *)malloc (ptext_len)) == NULL) {
error = GPG_ERR_ENOMEM;
goto cleanup;
}
if (
(error = common_map_pkcs11_error (
pkcs11h_certificate_decryptAny (
cert,
CKM_RSA_PKCS,
_data.data,
_data.size,
ptext,
&ptext_len
)
)) != GPG_ERR_NO_ERROR ||
(error = assuan_write_status(ctx, "PADDING", "0")) != GPG_ERR_NO_ERROR ||
(error = assuan_send_data(ctx, ptext, ptext_len)) != GPG_ERR_NO_ERROR
) {
goto cleanup;
}
error = GPG_ERR_NO_ERROR;
cleanup:
if (session_locked) {
pkcs11h_certificate_releaseSession (cert);
session_locked = 0;
}
if (cert != NULL) {
pkcs11h_certificate_freeCertificate (cert);
cert = NULL;
}
if (cert_id != NULL) {
pkcs11h_certificate_freeCertificateId (cert_id);
cert_id = NULL;
}
if (ptext != NULL) {
free (ptext);
ptext = NULL;
}
return gpg_error (error);
}
CK_RV
pkcs11h_certificate_deserializeCertificateId (
OUT pkcs11h_certificate_id_t * const p_certificate_id,
IN const char * const sz
) {
pkcs11h_certificate_id_t certificate_id = NULL;
CK_RV rv = CKR_FUNCTION_FAILED;
char *p = NULL;
char *_sz = NULL;
_PKCS11H_ASSERT (p_certificate_id!=NULL);
_PKCS11H_ASSERT (sz!=NULL);
*p_certificate_id = NULL;
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
"PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'",
(void *)p_certificate_id,
sz
);
if (
(rv = _pkcs11h_mem_strdup (
(void *)&_sz,
sz
)) != CKR_OK
) {
goto cleanup;
}
p = _sz;
if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) {
goto cleanup;
}
if ((p = strrchr (_sz, '/')) == NULL) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto cleanup;
}
*p = '\x0';
p++;
if (
(rv = pkcs11h_token_deserializeTokenId (
&certificate_id->token_id,
_sz
)) != CKR_OK
) {
goto cleanup;
}
certificate_id->attrCKA_ID_size = strlen (p)/2;
if (
(rv = _pkcs11h_mem_malloc (
(void *)&certificate_id->attrCKA_ID,
certificate_id->attrCKA_ID_size)
) != CKR_OK ||
(rv = _pkcs11h_util_hexToBinary (
certificate_id->attrCKA_ID,
p,
&certificate_id->attrCKA_ID_size
)) != CKR_OK
) {
goto cleanup;
}
*p_certificate_id = certificate_id;
certificate_id = NULL;
rv = CKR_OK;
cleanup:
if (certificate_id != NULL) {
pkcs11h_certificate_freeCertificateId (certificate_id);
certificate_id = NULL;
}
if (_sz != NULL) {
_pkcs11h_mem_free ((void *)&_sz);
}
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
"PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=%lu-'%s'",
rv,
pkcs11h_getMessage (rv)
);
return rv;
}
