void
pkcs11_export(FILE * outfile, const char *url, unsigned int flags,
common_info_st * info)
{
gnutls_pkcs11_obj_t obj;
gnutls_datum_t t;
int ret;
unsigned int obj_flags = flags;
pkcs11_common(info);
FIX(url, outfile, 0, info);
ret = gnutls_pkcs11_obj_init(&obj);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_obj_import_url(obj, url, obj_flags);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_obj_export3(obj, info->outcert_format, &t);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
fwrite(t.data, 1, t.size, outfile);
gnutls_free(t.data);
if (info->outcert_format == GNUTLS_X509_FMT_PEM)
fputs("\n\n", outfile);
gnutls_pkcs11_obj_deinit(obj);
UNFIX;
return;
}
static
void pkcs11_set_val(FILE * outfile, const char *url, int detailed,
unsigned int flags, common_info_st * info,
gnutls_pkcs11_obj_info_t val_type, const char *val)
{
int ret;
gnutls_pkcs11_obj_t obj;
pkcs11_common(info);
FIX(url, outfile, detailed, info);
CHECK_LOGIN_FLAG(flags);
ret = gnutls_pkcs11_obj_init(&obj);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_obj_import_url(obj, url, flags);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_pkcs11_obj_set_info(obj, val_type, val, strlen(val), flags);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror(ret));
exit(1);
}
gnutls_pkcs11_obj_deinit(obj);
return;
}
/**
* gnutls_pkcs11_privkey_generate3:
* @url: a token URL
* @pk: the public key algorithm
* @bits: the security bits
* @label: a label
* @cid: The CKA_ID to use for the new object
* @fmt: the format of output params. PEM or DER
* @pubkey: will hold the public key (may be %NULL)
* @key_usage: One of GNUTLS_KEY_*
* @flags: zero or an OR'ed sequence of %GNUTLS_PKCS11_OBJ_FLAGs
*
* This function will generate a private key in the specified
* by the @url token. The private key will be generate within
* the token and will not be exportable. This function will
* store the DER-encoded public key in the SubjectPublicKeyInfo format
* in @pubkey. The @pubkey should be deinitialized using gnutls_free().
*
* Note that when generating an elliptic curve key, the curve
* can be substituted in the place of the bits parameter using the
* GNUTLS_CURVE_TO_BITS() macro.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.4.0
**/
int
gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk,
unsigned int bits, const char *label,
const gnutls_datum_t *cid,
gnutls_x509_crt_fmt_t fmt,
gnutls_datum_t * pubkey,
unsigned int key_usage,
unsigned int flags)
{
int ret;
const ck_bool_t tval = 1;
const ck_bool_t fval = 0;
struct pkcs11_session_info sinfo;
struct p11_kit_uri *info = NULL;
ck_rv_t rv;
struct ck_attribute a[22], p[22];
ck_object_handle_t pub_ctx, priv_ctx;
unsigned long _bits = bits;
int a_val, p_val;
struct ck_mechanism mech;
gnutls_pubkey_t pkey = NULL;
gnutls_pkcs11_obj_t obj = NULL;
gnutls_datum_t der = {NULL, 0};
ck_key_type_t key_type;
uint8_t id[20];
struct dsa_params dsa_params;
PKCS11_CHECK_INIT;
FIX_KEY_USAGE(pk, key_usage);
memset(&sinfo, 0, sizeof(sinfo));
ret = pkcs11_url_to_info(url, &info, 0);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret =
pkcs11_open_session(&sinfo, NULL, info,
SESSION_WRITE |
pkcs11_obj_flags_to_int(flags));
p11_kit_uri_free(info);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
/* a holds the public key template
* and p the private key */
a_val = p_val = 0;
mech.parameter = NULL;
mech.parameter_len = 0;
mech.mechanism = pk_to_genmech(pk, &key_type);
if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY)) {
a[a_val].type = CKA_TOKEN;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
a[a_val].type = CKA_PRIVATE;
a[a_val].value = (void *) &fval;
a[a_val].value_len = sizeof(fval);
a_val++;
}
a[a_val].type = CKA_ID;
if (cid == NULL || cid->size == 0) {
ret = gnutls_rnd(GNUTLS_RND_NONCE, id, sizeof(id));
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
a[a_val].value = (void *) id;
a[a_val].value_len = sizeof(id);
} else {
a[a_val].value = (void *) cid->data;
a[a_val].value_len = cid->size;
}
p[p_val].type = CKA_ID;
p[p_val].value = a[a_val].value;
p[p_val].value_len = a[a_val].value_len;
a_val++;
p_val++;
switch (pk) {
case GNUTLS_PK_RSA:
p[p_val].type = CKA_DECRYPT;
if (key_usage & (GNUTLS_KEY_DECIPHER_ONLY|GNUTLS_KEY_ENCIPHER_ONLY)) {
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
} else {
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
}
p_val++;
p[p_val].type = CKA_SIGN;
if (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) {
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
} else {
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
}
p_val++;
a[a_val].type = CKA_ENCRYPT;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
a[a_val].type = CKA_VERIFY;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
a[a_val].type = CKA_MODULUS_BITS;
a[a_val].value = &_bits;
a[a_val].value_len = sizeof(_bits);
a_val++;
a[a_val].type = CKA_PUBLIC_EXPONENT;
a[a_val].value = (char*)def_rsa_pub_exp;
a[a_val].value_len = sizeof(def_rsa_pub_exp);
a_val++;
break;
case GNUTLS_PK_DSA:
p[p_val].type = CKA_SIGN;
if (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) {
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
} else {
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
}
p_val++;
a[a_val].type = CKA_VERIFY;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
ret = _dsa_params_generate(sinfo.module, sinfo.pks, _bits,
&dsa_params, a, &a_val);
if (ret < 0) {
goto cleanup;
}
break;
case GNUTLS_PK_EC:
p[p_val].type = CKA_SIGN;
if (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) {
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
} else {
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
}
p_val++;
a[a_val].type = CKA_VERIFY;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
if (GNUTLS_BITS_ARE_CURVE(bits)) {
bits = GNUTLS_BITS_TO_CURVE(bits);
} else {
bits = _gnutls_ecc_bits_to_curve(bits);
}
ret = _gnutls_x509_write_ecc_params(bits, &der);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
a[a_val].type = CKA_EC_PARAMS;
a[a_val].value = der.data;
a[a_val].value_len = der.size;
a_val++;
break;
default:
ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
goto cleanup;
}
/*
* on request, add the CKA_WRAP/CKA_UNWRAP key attribute
*/
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP) {
p[p_val].type = CKA_UNWRAP;
p[p_val].value = (void*)&tval;
p[p_val].value_len = sizeof(tval);
p_val++;
a[a_val].type = CKA_WRAP;
a[a_val].value = (void*)&tval;
a[a_val].value_len = sizeof(tval);
a_val++;
}
/* a private key is set always as private unless
* requested otherwise
*/
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE) {
p[p_val].type = CKA_PRIVATE;
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
p_val++;
} else {
p[p_val].type = CKA_PRIVATE;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
}
p[p_val].type = CKA_TOKEN;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
if (label) {
p[p_val].type = CKA_LABEL;
p[p_val].value = (void *) label;
p[p_val].value_len = strlen(label);
p_val++;
a[a_val].type = CKA_LABEL;
a[a_val].value = (void *) label;
a[a_val].value_len = strlen(label);
a_val++;
}
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE) {
p[p_val].type = CKA_SENSITIVE;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
} else {
p[p_val].type = CKA_SENSITIVE;
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
p_val++;
}
rv = pkcs11_generate_key_pair(sinfo.module, sinfo.pks, &mech, a,
a_val, p, p_val, &pub_ctx, &priv_ctx);
if (rv != CKR_OK) {
gnutls_assert();
_gnutls_debug_log("p11: %s\n", pkcs11_strerror(rv));
ret = pkcs11_rv_to_err(rv);
goto cleanup;
}
/* extract the public key */
if (pubkey) {
ret = gnutls_pubkey_init(&pkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs11_obj_init(&obj);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
obj->pk_algorithm = pk;
obj->type = GNUTLS_PKCS11_OBJ_PUBKEY;
ret =
pkcs11_read_pubkey(sinfo.module, sinfo.pks, pub_ctx,
key_type, obj);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_import_pkcs11(pkey, obj, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_export2(pkey, fmt, pubkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
}
cleanup:
if (obj != NULL)
gnutls_pkcs11_obj_deinit(obj);
if (pkey != NULL)
gnutls_pubkey_deinit(pkey);
if (sinfo.pks != 0)
pkcs11_close_session(&sinfo);
gnutls_free(der.data);
return ret;
}
int
_pkcs11_privkey_get_pubkey (gnutls_pkcs11_privkey_t pkey, gnutls_pubkey_t *pub, unsigned flags)
{
gnutls_pubkey_t pubkey = NULL;
gnutls_pkcs11_obj_t obj = NULL;
ck_key_type_t key_type;
int ret;
PKCS11_CHECK_INIT_PRIVKEY(pkey);
if (!pkey) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs11_obj_init(&obj);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
obj->pk_algorithm = gnutls_pkcs11_privkey_get_pk_algorithm(pkey, 0);
obj->type = GNUTLS_PKCS11_OBJ_PUBKEY;
pk_to_genmech(obj->pk_algorithm, &key_type);
gnutls_pubkey_set_pin_function(pubkey, pkey->pin.cb, pkey->pin.data);
/* we can only read the public key from RSA keys */
if (key_type != CKK_RSA) {
/* try opening the public key object if it exists */
ret = load_pubkey_obj(pkey, pubkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
} else {
ret = pkcs11_read_pubkey(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, key_type, obj);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_import_pkcs11(pubkey, obj, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
}
*pub = pubkey;
pubkey = NULL;
ret = 0;
cleanup:
if (obj != NULL)
gnutls_pkcs11_obj_deinit(obj);
if (pubkey != NULL)
gnutls_pubkey_deinit(pubkey);
return ret;
}
/**
* gnutls_pkcs11_privkey_generate2:
* @url: a token URL
* @pk: the public key algorithm
* @bits: the security bits
* @label: a label
* @fmt: the format of output params. PEM or DER.
* @pubkey: will hold the public key (may be %NULL)
* @flags: should be zero
*
* This function will generate a private key in the specified
* by the @url token. The private key will be generate within
* the token and will not be exportable. This function will
* store the DER-encoded public key in the SubjectPublicKeyInfo format
* in @pubkey. The @pubkey should be deinitialized using gnutls_free().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.1.5
**/
int
gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
unsigned int bits, const char *label,
gnutls_x509_crt_fmt_t fmt,
gnutls_datum_t * pubkey,
unsigned int flags)
{
int ret;
const ck_bool_t tval = 1;
const ck_bool_t fval = 0;
struct pkcs11_session_info sinfo;
struct p11_kit_uri *info = NULL;
ck_rv_t rv;
struct ck_attribute a[10], p[10];
ck_object_handle_t pub, priv;
unsigned long _bits = bits;
int a_val, p_val;
struct ck_mechanism mech;
gnutls_pubkey_t pkey = NULL;
gnutls_pkcs11_obj_t obj = NULL;
PKCS11_CHECK_INIT;
memset(&sinfo, 0, sizeof(sinfo));
ret = pkcs11_url_to_info(url, &info);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret =
pkcs11_open_session(&sinfo, NULL, info,
SESSION_WRITE |
pkcs11_obj_flags_to_int(flags));
p11_kit_uri_free(info);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
/* a holds the public key template
* and p the private key */
a_val = p_val = 0;
mech.parameter = NULL;
mech.parameter_len = 0;
mech.mechanism = pk_to_genmech(pk);
switch (pk) {
case GNUTLS_PK_RSA:
p[p_val].type = CKA_DECRYPT;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
p[p_val].type = CKA_SIGN;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
a[a_val].type = CKA_ENCRYPT;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
a[a_val].type = CKA_VERIFY;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
a[a_val].type = CKA_MODULUS_BITS;
a[a_val].value = &_bits;
a[a_val].value_len = sizeof(_bits);
a_val++;
break;
case GNUTLS_PK_DSA:
p[p_val].type = CKA_SIGN;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
a[a_val].type = CKA_VERIFY;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
a[a_val].type = CKA_MODULUS_BITS;
a[a_val].value = &_bits;
a[a_val].value_len = sizeof(_bits);
a_val++;
break;
case GNUTLS_PK_EC:
p[p_val].type = CKA_SIGN;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
a[a_val].type = CKA_VERIFY;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
a[a_val].type = CKA_MODULUS_BITS;
a[a_val].value = &_bits;
a[a_val].value_len = sizeof(_bits);
a_val++;
break;
default:
ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
goto cleanup;
}
/* a private key is set always as private unless
* requested otherwise
*/
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE) {
p[p_val].type = CKA_PRIVATE;
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
p_val++;
} else {
p[p_val].type = CKA_PRIVATE;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
}
p[p_val].type = CKA_TOKEN;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
if (label) {
p[p_val].type = CKA_LABEL;
p[p_val].value = (void *) label;
p[p_val].value_len = strlen(label);
p_val++;
a[a_val].type = CKA_LABEL;
a[a_val].value = (void *) label;
a[a_val].value_len = strlen(label);
a_val++;
}
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE) {
p[p_val].type = CKA_SENSITIVE;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
} else {
p[p_val].type = CKA_SENSITIVE;
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
p_val++;
}
rv = pkcs11_generate_key_pair(sinfo.module, sinfo.pks, &mech, a,
a_val, p, p_val, &pub, &priv);
if (rv != CKR_OK) {
gnutls_assert();
_gnutls_debug_log("p11: %s\n", pkcs11_strerror(rv));
ret = pkcs11_rv_to_err(rv);
goto cleanup;
}
/* extract the public key */
if (pubkey) {
ret = gnutls_pubkey_init(&pkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs11_obj_init(&obj);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
obj->pk_algorithm = pk;
obj->type = GNUTLS_PKCS11_OBJ_PUBKEY;
ret =
pkcs11_read_pubkey(sinfo.module, sinfo.pks, pub,
mech.mechanism, obj->pubkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_import_pkcs11(pkey, obj, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_export2(pkey, fmt, pubkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
}
cleanup:
if (obj != NULL)
gnutls_pkcs11_obj_deinit(obj);
if (pkey != NULL)
gnutls_pubkey_deinit(pkey);
if (sinfo.pks != 0)
pkcs11_close_session(&sinfo);
return ret;
}
void doit(void)
{
int ret;
const char *lib;
gnutls_privkey_t key;
gnutls_pkcs11_obj_t obj;
gnutls_datum_t sig = {NULL, 0}, data;
unsigned flags = 0;
lib = getenv("P11MOCKLIB1");
if (lib == NULL)
lib = P11LIB;
{
void *dl;
unsigned int *pflags;
dl = dlopen(lib, RTLD_NOW);
if (dl == NULL) {
fail("could not dlopen %s\n", lib);
exit(1);
}
pflags = dlsym(dl, "pkcs11_mock_flags");
if (pflags == NULL) {
fail("could find pkcs11_mock_flags\n");
exit(1);
}
*pflags = MOCK_FLAG_ALWAYS_AUTH;
}
data.data = (void*)"\x38\x17\x0c\x08\xcb\x45\x8f\xd4\x87\x9c\x34\xb6\xf6\x08\x29\x4c\x50\x31\x2b\xbb";
data.size = 20;
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_add_provider(lib, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_obj_init(&obj);
assert(ret>=0);
gnutls_pkcs11_obj_set_pin_function(obj, pin_func, NULL);
ret = gnutls_pkcs11_obj_import_url(obj, "pkcs11:object=test;type=private", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
assert(ret>=0);
ret = gnutls_pkcs11_obj_get_flags(obj, &flags);
assert(ret>=0);
if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH)) {
fail("key object doesn't have the always authenticate flag\n");
}
gnutls_pkcs11_obj_deinit(obj);
ret = gnutls_privkey_init(&key);
assert(ret>=0);
gnutls_privkey_set_pin_function(key, pin_func, NULL);
ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
pin_called = 0;
ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
if (pin_called == 0) {
fail("PIN function wasn't called!\n");
}
pin_called = 0;
gnutls_free(sig.data);
/* call again - should re-authenticate */
ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
if (pin_called == 0) {
fail("PIN function wasn't called twice!\n");
}
pin_called = 0;
gnutls_free(sig.data);
if (debug)
printf("done\n\n\n");
gnutls_privkey_deinit(key);
gnutls_pkcs11_deinit();
gnutls_global_deinit();
}
static gnutls_pubkey_t _load_pkcs11_pubkey(const char* url)
{
int ret;
gnutls_pkcs11_obj_t obj;
gnutls_x509_crt_t xcrt;
gnutls_pubkey_t pubkey;
unsigned int obj_flags = 0;
ret = gnutls_pubkey_init (&pubkey);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_pkcs11_obj_init (&obj);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_pkcs11_obj_import_url (obj, url, obj_flags);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s: %s\n", __func__, __LINE__,
gnutls_strerror (ret), url);
exit (1);
}
switch (gnutls_pkcs11_obj_get_type (obj))
{
case GNUTLS_PKCS11_OBJ_X509_CRT:
ret = gnutls_x509_crt_init (&xcrt);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_x509_crt_import_pkcs11 (xcrt, obj);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_pubkey_import_x509 (pubkey, xcrt, 0);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
gnutls_x509_crt_deinit (xcrt);
break;
case GNUTLS_PKCS11_OBJ_PUBKEY:
ret = gnutls_pubkey_import_pkcs11 (pubkey, obj, 0);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
break;
default:
{
fprintf(stderr, "Unsupported PKCS #11 object\n");
exit (1);
break;
}
}
gnutls_pkcs11_obj_deinit (obj);
return pubkey;
}
void
pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,
common_info_st * info)
{
gnutls_pkcs11_obj_t obj;
gnutls_x509_crt_t xcrt;
gnutls_datum_t t;
int ret;
unsigned int obj_flags = flags;
pkcs11_common(info);
FIX(url, outfile, 0, info);
ret = gnutls_pkcs11_obj_init(&obj);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_obj_import_url(obj, url, obj_flags);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror(ret));
exit(1);
}
/* make a crt */
ret = gnutls_x509_crt_init(&xcrt);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_x509_crt_import_pkcs11(xcrt, obj);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_obj_export3(obj, GNUTLS_X509_FMT_PEM, &t);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
fwrite(t.data, 1, t.size, outfile);
fputs("\n\n", outfile);
gnutls_free(t.data);
gnutls_pkcs11_obj_deinit(obj);
do {
ret = gnutls_pkcs11_get_raw_issuer(url, xcrt, &t, GNUTLS_X509_FMT_PEM, 0);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
break;
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
fwrite(t.data, 1, t.size, outfile);
fputs("\n\n", outfile);
gnutls_x509_crt_deinit(xcrt);
ret = gnutls_x509_crt_init(&xcrt);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_x509_crt_import(xcrt, &t, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__,
__LINE__, gnutls_strerror(ret));
exit(1);
}
gnutls_free(t.data);
ret = gnutls_x509_crt_check_issuer(xcrt, xcrt);
if (ret != 0) {
/* self signed */
break;
}
} while(1);
UNFIX;
return;
}
void
pkcs11_export (FILE * outfile, const char *url, unsigned int login,
common_info_st * info)
{
gnutls_pkcs11_obj_t crt;
gnutls_x509_crt_t xcrt;
gnutls_pubkey_t pubkey;
int ret;
size_t size;
unsigned int obj_flags = 0;
if (login)
obj_flags = GNUTLS_PKCS11_OBJ_FLAG_LOGIN;
pkcs11_common ();
if (url == NULL)
url = "pkcs11:";
ret = gnutls_pkcs11_obj_init (&crt);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_pkcs11_obj_import_url (crt, url, obj_flags);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
switch (gnutls_pkcs11_obj_get_type (crt))
{
case GNUTLS_PKCS11_OBJ_X509_CRT:
ret = gnutls_x509_crt_init (&xcrt);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_x509_crt_import_pkcs11 (xcrt, crt);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
size = buffer_size;
ret = gnutls_x509_crt_export (xcrt, GNUTLS_X509_FMT_PEM, buffer, &size);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
fwrite (buffer, 1, size, outfile);
gnutls_x509_crt_deinit (xcrt);
break;
case GNUTLS_PKCS11_OBJ_PUBKEY:
ret = gnutls_pubkey_init (&pubkey);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_pubkey_import_pkcs11 (pubkey, crt, 0);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
size = buffer_size;
ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_PEM, buffer, &size);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
fwrite (buffer, 1, size, outfile);
gnutls_pubkey_deinit (pubkey);
break;
default:
{
gnutls_datum_t data, enc;
size = buffer_size;
ret = gnutls_pkcs11_obj_export (crt, buffer, &size);
if (ret < 0)
{
break;
}
data.data = buffer;
data.size = size;
ret = gnutls_pem_base64_encode_alloc ("DATA", &data, &enc);
if (ret < 0)
{
fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
gnutls_strerror (ret));
exit (1);
}
fwrite (enc.data, 1, enc.size, outfile);
gnutls_free (enc.data);
break;
}
}
fputs ("\n\n", outfile);
gnutls_pkcs11_obj_deinit (crt);
return;
}
