unsigned pkcs11h_getLogLevel (void) { _PKCS11H_ASSERT (_g_pkcs11h_data!=NULL); _PKCS11H_ASSERT (_g_pkcs11h_data->initialized); return _g_pkcs11h_loglevel; }
CK_RV _pkcs11h_mem_duplicate ( OUT const void * * const dest, OUT size_t * const p_dest_size, IN const void * const src, IN const size_t mem_size ) { CK_RV rv = CKR_FUNCTION_FAILED; _PKCS11H_ASSERT (dest!=NULL); /*_PKCS11H_ASSERT (dest_size!=NULL); NOT NEEDED*/ _PKCS11H_ASSERT (!(mem_size!=0&&src==NULL)); *dest = NULL; if (p_dest_size != NULL) { *p_dest_size = 0; } if (src != NULL) { if ((rv = _pkcs11h_mem_malloc (dest, mem_size)) != CKR_OK) { goto cleanup; } if (p_dest_size != NULL) { *p_dest_size = mem_size; } memmove ((void*)*dest, src, mem_size); } rv = CKR_OK; cleanup: return rv; }
CK_RV _pkcs11h_mem_malloc ( OUT const void * * const p, IN const size_t s ) { CK_RV rv = CKR_OK; _PKCS11H_ASSERT (p!=NULL); _PKCS11H_ASSERT (s!=0); *p = NULL; if (s > 0) { if ( (*p = (void *)_g_pkcs11h_sys_engine.malloc (s)) == NULL ) { rv = CKR_HOST_MEMORY; } else { memset ((void *)*p, 0, s); } } return rv; }
CK_RV pkcs11h_token_freeTokenIdList ( IN const pkcs11h_token_id_list_t token_id_list ) { pkcs11h_token_id_list_t _id = token_id_list; _PKCS11H_ASSERT (_g_pkcs11h_data!=NULL); _PKCS11H_ASSERT (_g_pkcs11h_data->initialized); /*_PKCS11H_ASSERT (token_id_list!=NULL); NOT NEEDED*/ _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=%p", (void *)token_id_list ); while (_id != NULL) { pkcs11h_token_id_list_t x = _id; _id = _id->next; if (x->token_id != NULL) { pkcs11h_token_freeTokenId (x->token_id); } x->next = NULL; _pkcs11h_mem_free ((void *)&x); } _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: pkcs11h_token_freeTokenIdList return" ); return CKR_OK; }
static int __pkcs11h_crypto_gnutls_certificate_get_dn ( IN void * const global_data, IN const unsigned char * const blob, IN const size_t blob_size, OUT char * const dn, IN const size_t dn_max ) { gnutls_x509_crt_t cert = NULL; gnutls_datum_t datum; size_t s; (void)global_data; /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/ _PKCS11H_ASSERT (blob!=NULL); _PKCS11H_ASSERT (dn!=NULL); _PKCS11H_ASSERT (dn_max>0); dn[0] = '\x0'; if (gnutls_x509_crt_init (&cert) != GNUTLS_E_SUCCESS) { /* gnutls sets output */ cert = NULL; goto cleanup; } datum.data = (unsigned char *)blob; datum.size = blob_size; if (gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER) != GNUTLS_E_SUCCESS) { goto cleanup; } s = dn_max; if ( gnutls_x509_crt_get_dn ( cert, dn, &s ) != GNUTLS_E_SUCCESS ) { /* gnutls sets output */ dn[0] = '\x0'; goto cleanup; } cleanup: if (cert != NULL) { gnutls_x509_crt_deinit (cert); cert = NULL; } return dn[0] != '\x0'; }
static int __pkcs11h_crypto_win32_certificate_get_expiration ( IN void * const global_data, IN const unsigned char * const blob, IN const size_t blob_size, OUT time_t * const expiration ) { __crypto_win32_data_t data = (__crypto_win32_data_t)global_data; PCCERT_CONTEXT cert = NULL; PKCS11H_BOOL ok = FALSE; SYSTEMTIME ust, st; struct tm tm1; _PKCS11H_ASSERT (global_data!=NULL); _PKCS11H_ASSERT (blob!=NULL); _PKCS11H_ASSERT (expiration!=NULL); *expiration = (time_t)0; if ( (cert = data->p_CertCreateCertificateContext ( PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, blob, blob_size )) == NULL || !FileTimeToSystemTime ( &cert->pCertInfo->NotAfter, &ust ) ) { goto cleanup; } SystemTimeToTzSpecificLocalTime (NULL, &ust, &st); memset (&tm1, 0, sizeof (tm1)); tm1.tm_year = st.wYear - 1900; tm1.tm_mon = st.wMonth - 1; tm1.tm_mday = st.wDay; tm1.tm_hour = st.wHour; tm1.tm_min = st.wMinute; tm1.tm_sec = st.wSecond; *expiration = mktime (&tm1); ok = TRUE; cleanup: if (cert != NULL) { data->p_CertFreeCertificateContext (cert); cert = NULL; } return ok != FALSE; }
void pkcs11h_openssl_freeSession ( IN const pkcs11h_openssl_session_t openssl_session ) { CK_RV rv; _PKCS11H_ASSERT (openssl_session!=NULL); _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: pkcs11h_openssl_freeSession - entry openssl_session=%p, count=%d", (void *)openssl_session, openssl_session->reference_count ); #if defined(ENABLE_PKCS11H_THREADING) if ((rv = _pkcs11h_threading_mutexLock(&openssl_session->reference_count_lock)) != CKR_OK) { _PKCS11H_LOG (PKCS11H_LOG_ERROR, "PKCS#11: Cannot lock mutex %ld:'%s'", rv, pkcs11h_getMessage (rv)); goto cleanup; } #endif openssl_session->reference_count--; #if defined(ENABLE_PKCS11H_THREADING) _pkcs11h_threading_mutexRelease(&openssl_session->reference_count_lock); #endif _PKCS11H_ASSERT (openssl_session->reference_count>=0); if (openssl_session->reference_count == 0) { #if defined(ENABLE_PKCS11H_THREADING) _pkcs11h_threading_mutexFree(&openssl_session->reference_count_lock); #endif if (openssl_session->cleanup_hook != NULL) { openssl_session->cleanup_hook (openssl_session->certificate); } if (openssl_session->x509 != NULL) { X509_free (openssl_session->x509); openssl_session->x509 = NULL; } if (openssl_session->certificate != NULL) { pkcs11h_certificate_freeCertificate (openssl_session->certificate); openssl_session->certificate = NULL; } _pkcs11h_mem_free ((void *)&openssl_session); } cleanup: _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: pkcs11h_openssl_freeSession - return" ); }
CK_RV pkcs11h_setPINCachePeriod ( IN const int pin_cache_period ) { _PKCS11H_ASSERT (_g_pkcs11h_data!=NULL); _PKCS11H_ASSERT (_g_pkcs11h_data->initialized); _g_pkcs11h_data->pin_cache_period = pin_cache_period; return CKR_OK; }
CK_RV pkcs11h_setMaxLoginRetries ( IN const unsigned max_retries ) { _PKCS11H_ASSERT (_g_pkcs11h_data!=NULL); _PKCS11H_ASSERT (_g_pkcs11h_data->initialized); _g_pkcs11h_data->max_retries = max_retries; return CKR_OK; }
CK_RV pkcs11h_setProtectedAuthentication ( IN const PKCS11H_BOOL allow_protected_auth ) { _PKCS11H_ASSERT (_g_pkcs11h_data!=NULL); _PKCS11H_ASSERT (_g_pkcs11h_data->initialized); _g_pkcs11h_data->allow_protected_auth = allow_protected_auth; return CKR_OK; }
static int __pkcs11h_crypto_gnutls_certificate_get_expiration ( IN void * const global_data, IN const unsigned char * const blob, IN const size_t blob_size, OUT time_t * const expiration ) { gnutls_x509_crt_t cert = NULL; gnutls_datum_t datum; time_t now = time (NULL); time_t notBefore; time_t notAfter; (void)global_data; /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/ _PKCS11H_ASSERT (blob!=NULL); _PKCS11H_ASSERT (expiration!=NULL); *expiration = (time_t)0; if (gnutls_x509_crt_init (&cert) != GNUTLS_E_SUCCESS) { /* gnutls sets output */ cert = NULL; goto cleanup; } datum.data = (unsigned char *)blob; datum.size = blob_size; if (gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER) != GNUTLS_E_SUCCESS) { goto cleanup; } notBefore = gnutls_x509_crt_get_activation_time (cert); notAfter = gnutls_x509_crt_get_expiration_time (cert); if ( now >= notBefore && now <= notAfter ) { *expiration = notAfter; } cleanup: if (cert != NULL) { gnutls_x509_crt_deinit (cert); cert = NULL; } return *expiration != (time_t)0; }
CK_RV pkcs11h_setForkMode ( IN const PKCS11H_BOOL safe ) { #if defined(ENABLE_PKCS11H_THREADING) && !defined(_WIN32) _PKCS11H_ASSERT (_g_pkcs11h_data!=NULL); _PKCS11H_ASSERT (_g_pkcs11h_data->initialized); _g_pkcs11h_data->safefork = safe; #endif return CKR_OK; }
static int __pkcs11h_crypto_nss_certificate_get_expiration ( IN void * const global_data, IN const unsigned char * const blob, IN const size_t blob_size, OUT time_t * const expiration ) { CERTCertificate *cert = NULL; PRTime pr_notBefore, pr_notAfter; time_t notBefore, notAfter; time_t now = time (NULL); (void)global_data; *expiration = (time_t)0; /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/ _PKCS11H_ASSERT (blob!=NULL); _PKCS11H_ASSERT (expiration!=NULL); if ((cert = CERT_DecodeCertFromPackage ((char *)blob, blob_size)) == NULL) { goto cleanup; } if (CERT_GetCertTimes (cert, &pr_notBefore, &pr_notAfter) != SECSuccess) { goto cleanup; } notBefore = pr_notBefore/1000000; notAfter = pr_notAfter/1000000; notBefore = mktime (gmtime (¬Before)); notBefore += (int)(mktime (localtime (¬Before)) - mktime (gmtime (¬Before))); notAfter = mktime (gmtime (¬After)); notAfter += (int)(mktime (localtime (¬After)) - mktime (gmtime (¬After))); if ( now >= notBefore && now <= notAfter ) { *expiration = notAfter; } cleanup: if (cert != NULL) { CERT_DestroyCertificate (cert); } return *expiration != (time_t)0; }
CK_RV _pkcs11h_session_release ( IN const _pkcs11h_session_t session ) { #if defined(ENABLE_PKCS11H_THREADING) PKCS11H_BOOL mutex_locked = TRUE; #endif CK_RV rv = CKR_FUNCTION_FAILED; _PKCS11H_ASSERT (session!=NULL); _PKCS11H_ASSERT (session->reference_count>=0); _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: _pkcs11h_session_release entry session=%p", (void *)session ); #if defined(ENABLE_PKCS11H_THREADING) if ((rv = _pkcs11h_threading_mutexLock (&session->mutex)) != CKR_OK) { goto cleanup; } mutex_locked = TRUE; #endif /* * Never logout for now */ if (session->reference_count > 0) { session->reference_count--; } rv = CKR_OK; #if defined(ENABLE_PKCS11H_THREADING) cleanup: if (mutex_locked) { _pkcs11h_threading_mutexRelease (&session->mutex); mutex_locked = FALSE; } #endif _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: _pkcs11h_session_release return rv=%lu-'%s'", rv, pkcs11h_getMessage (rv) ); return rv; }
CK_RV pkcs11h_setTokenPromptHook ( IN const pkcs11h_hook_token_prompt_t hook, IN void * const global_data ) { _PKCS11H_ASSERT (_g_pkcs11h_data!=NULL); _PKCS11H_ASSERT (_g_pkcs11h_data->initialized); _PKCS11H_ASSERT (hook!=NULL); _g_pkcs11h_data->hooks.token_prompt = hook; _g_pkcs11h_data->hooks.token_prompt_data = global_data; return CKR_OK; }
CK_RV pkcs11h_setLogHook ( IN const pkcs11h_hook_log_t hook, IN void * const global_data ) { _PKCS11H_ASSERT (_g_pkcs11h_data!=NULL); _PKCS11H_ASSERT (_g_pkcs11h_data->initialized); _PKCS11H_ASSERT (hook!=NULL); _g_pkcs11h_data->hooks.log = hook; _g_pkcs11h_data->hooks.log_data = global_data; return CKR_OK; }
PKCS11H_BOOL pkcs11h_token_sameTokenId ( IN const pkcs11h_token_id_t a, IN const pkcs11h_token_id_t b ) { _PKCS11H_ASSERT (a!=NULL); _PKCS11H_ASSERT (b!=NULL); return ( !strcmp (a->manufacturerID, b->manufacturerID) && !strcmp (a->model, b->model) && !strcmp (a->serialNumber, b->serialNumber) && !strcmp (a->label, b->label) ); }
static PKCS11H_BOOL __pkcs11h_hooks_default_pin_prompt ( IN void * const global_data, IN void * const user_data, IN const pkcs11h_token_id_t token, IN const unsigned retry, OUT char * const pin, IN const size_t pin_max ) { /*_PKCS11H_ASSERT (global_data) NOT NEEDED */ /*_PKCS11H_ASSERT (user_data) NOT NEEDED */ _PKCS11H_ASSERT (token!=NULL); (void)global_data; (void)user_data; (void)retry; (void)pin; (void)pin_max; _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: __pkcs11h_hooks_default_pin_prompt global_data=%p, user_data=%p, display='%s'", global_data, user_data, token->display ); return FALSE; }
CK_RV _pkcs11h_session_freeObjectAttributes ( IN OUT const CK_ATTRIBUTE_PTR attrs, IN const unsigned count ) { unsigned i; _PKCS11H_ASSERT (attrs!=NULL); _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=%p, count=%u", (void *)attrs, count ); for (i=0;i<count;i++) { if (attrs[i].pValue != NULL) { _pkcs11h_mem_free ((void *)&attrs[i].pValue); attrs[i].pValue = NULL; } } _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: _pkcs11h_session_freeObjectAttributes return" ); return CKR_OK; }
static pkcs11h_certificate_t __pkcs11h_openssl_ecdsa_get_pkcs11h_certificate ( IN EC_KEY *ec ) { pkcs11h_openssl_session_t session = NULL; _PKCS11H_ASSERT (ec!=NULL); session = (pkcs11h_openssl_session_t)ECDSA_get_ex_data (ec, __openssl_methods.ecdsa_index); _PKCS11H_ASSERT (session!=NULL); _PKCS11H_ASSERT (session->certificate!=NULL); return session->certificate; }
static pkcs11h_certificate_t __pkcs11h_openssl_dsa_get_pkcs11h_certificate ( IN DSA *dsa ) { pkcs11h_openssl_session_t session = NULL; _PKCS11H_ASSERT (dsa!=NULL); session = (pkcs11h_openssl_session_t)DSA_get_ex_data (dsa, __openssl_methods.dsa_index); _PKCS11H_ASSERT (session!=NULL); _PKCS11H_ASSERT (session->certificate!=NULL); return session->certificate; }
CK_RV _pkcs11h_token_newTokenId ( OUT pkcs11h_token_id_t * const p_token_id ) { CK_RV rv = CKR_FUNCTION_FAILED; pkcs11h_token_id_t token_id = NULL; _PKCS11H_ASSERT (_g_pkcs11h_data!=NULL); _PKCS11H_ASSERT (_g_pkcs11h_data->initialized); _PKCS11H_ASSERT (p_token_id!=NULL); _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=%p", (void *)p_token_id ); *p_token_id = NULL; if ((rv = _pkcs11h_mem_malloc ((void *)&token_id, sizeof (struct pkcs11h_token_id_s))) != CKR_OK) { goto cleanup; } *p_token_id = token_id; token_id = NULL; rv = CKR_OK; cleanup: if (token_id != NULL) { _pkcs11h_mem_free ((void *)&token_id); token_id = NULL; } _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: _pkcs11h_token_newTokenId return rv=%lu-'%s', *p_token_id=%p", rv, pkcs11h_getMessage (rv), (void *)*p_token_id ); return rv; }
pkcs11h_hook_openssl_cleanup_t pkcs11h_openssl_getCleanupHook ( IN const pkcs11h_openssl_session_t openssl_session ) { _PKCS11H_ASSERT (openssl_session!=NULL); return openssl_session->cleanup_hook; }
static int __pkcs11h_crypto_openssl_certificate_get_dn ( IN void * const global_data, IN const unsigned char * const blob, IN const size_t blob_size, OUT char * const dn, IN const size_t dn_max ) { X509 *x509 = NULL; __pkcs11_openssl_d2i_t d2i; (void)global_data; /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/ _PKCS11H_ASSERT (blob!=NULL); _PKCS11H_ASSERT (dn!=NULL); _PKCS11H_ASSERT (dn_max>0); dn[0] = '\x0'; if ((x509 = X509_new ()) == NULL) { goto cleanup; } d2i = (__pkcs11_openssl_d2i_t)blob; if (!d2i_X509 (&x509, &d2i, blob_size)) { goto cleanup; } X509_NAME_oneline ( X509_get_subject_name (x509), dn, dn_max ); cleanup: if (x509 != NULL) { X509_free (x509); x509 = NULL; } return dn[0] != '\x0'; }
CK_RV pkcs11h_token_duplicateTokenId ( OUT pkcs11h_token_id_t * const to, IN const pkcs11h_token_id_t from ) { CK_RV rv = CKR_FUNCTION_FAILED; _PKCS11H_ASSERT (_g_pkcs11h_data!=NULL); _PKCS11H_ASSERT (_g_pkcs11h_data->initialized); _PKCS11H_ASSERT (to!=NULL); _PKCS11H_ASSERT (from!=NULL); _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: pkcs11h_token_duplicateTokenId entry to=%p form=%p", (void *)to, (void *)from ); *to = NULL; if ( (rv = _pkcs11h_mem_duplicate ( (void*)to, NULL, from, sizeof (struct pkcs11h_token_id_s) )) != CKR_OK ) { goto cleanup; } rv = CKR_OK; cleanup: _PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, "PKCS#11: pkcs11h_token_duplicateTokenId return rv=%lu-'%s', *to=%p", rv, pkcs11h_getMessage (rv), (void *)*to ); return rv; }
static int __pkcs11h_crypto_nss_certificate_is_issuer ( IN void * const global_data, IN const unsigned char * const issuer_blob, IN const size_t issuer_blob_size, IN const unsigned char * const cert_blob, IN const size_t cert_blob_size ) { PKCS11H_BOOL is_issuer = FALSE; CERTCertificate *cert = NULL; CERTCertificate *issuer = NULL; (void)global_data; /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/ _PKCS11H_ASSERT (issuer_blob!=NULL); _PKCS11H_ASSERT (cert_blob!=NULL); if ((issuer = CERT_DecodeCertFromPackage ((char *)issuer_blob, issuer_blob_size)) == NULL) { goto cleanup; } if ((cert = CERT_DecodeCertFromPackage ((char *)cert_blob, cert_blob_size)) == NULL) { goto cleanup; } is_issuer = CERT_VerifySignedDataWithPublicKeyInfo ( &cert->signatureWrap, &issuer->subjectPublicKeyInfo, NULL ) == SECSuccess; cleanup: if (cert != NULL) { CERT_DestroyCertificate (cert); } if (issuer != NULL) { CERT_DestroyCertificate (issuer); } return is_issuer; }
void pkcs11h_openssl_setCleanupHook ( IN const pkcs11h_openssl_session_t openssl_session, IN const pkcs11h_hook_openssl_cleanup_t cleanup ) { _PKCS11H_ASSERT (openssl_session!=NULL); openssl_session->cleanup_hook = cleanup; }
static int __pkcs11h_crypto_mbedtls_certificate_get_expiration ( IN void * const global_data, IN const unsigned char * const blob, IN const size_t blob_size, OUT time_t * const expiration ) { x509_crt x509; (void)global_data; /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/ _PKCS11H_ASSERT (blob!=NULL); _PKCS11H_ASSERT (expiration!=NULL); *expiration = (time_t)0; memset(&x509, 0, sizeof(x509)); if (0 != x509_crt_parse (&x509, blob, blob_size)) { goto cleanup; } if (0 == x509_time_expired(&x509.valid_to)) { struct tm tm1; memset (&tm1, 0, sizeof (tm1)); tm1.tm_year = x509.valid_to.year - 1900; tm1.tm_mon = x509.valid_to.mon - 1; tm1.tm_mday = x509.valid_to.day; tm1.tm_hour = x509.valid_to.hour - 1; tm1.tm_min = x509.valid_to.min - 1; tm1.tm_sec = x509.valid_to.sec - 1; *expiration = mktime (&tm1); *expiration += (int)(mktime (localtime (expiration)) - mktime (gmtime (expiration))); } cleanup: x509_crt_free(&x509); return *expiration != (time_t)0; }
CK_RV pkcs11h_engine_setSystem ( IN const pkcs11h_engine_system_t * const engine ) { _PKCS11H_ASSERT (engine!=NULL); memmove (&_g_pkcs11h_sys_engine, engine, sizeof (pkcs11h_engine_system_t)); return CKR_OK; }
static int __pkcs11h_crypto_mbedtls_certificate_is_issuer ( IN void * const global_data, IN const unsigned char * const issuer_blob, IN const size_t issuer_blob_size, IN const unsigned char * const cert_blob, IN const size_t cert_blob_size ) { x509_crt x509_issuer; x509_crt x509_cert; uint32_t verify_flags = 0; PKCS11H_BOOL is_issuer = FALSE; (void)global_data; /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/ _PKCS11H_ASSERT (issuer_blob!=NULL); _PKCS11H_ASSERT (cert_blob!=NULL); memset(&x509_issuer, 0, sizeof(x509_issuer)); if (0 != x509_crt_parse (&x509_issuer, issuer_blob, issuer_blob_size)) { goto cleanup; } memset(&x509_cert, 0, sizeof(x509_cert)); if (0 != x509_crt_parse (&x509_cert, cert_blob, cert_blob_size)) { goto cleanup; } if ( 0 == x509_crt_verify(&x509_cert, &x509_issuer, NULL, NULL, &verify_flags, NULL, NULL )) { is_issuer = TRUE; } cleanup: x509_crt_free(&x509_cert); x509_crt_free(&x509_issuer); return is_issuer; }