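/*
 * Copy the subject DN of a PKCS#11 certificate into a caller-supplied buffer.
 *
 * certificate: pkcs11-helper certificate handle.
 * dn/dn_len:   output buffer and its size in bytes; X509_NAME_oneline
 *              NUL-terminates within that size.
 * Returns 0 on success, 1 on failure.  When the buffer is usable at all it
 * holds "" on failure, so callers never read an undefined string.
 */
int
pkcs11_certificate_dn(pkcs11h_certificate_t certificate, char *dn, size_t dn_len)
{
    X509 *x509 = NULL;
    int ret = 1;
    /* X509_NAME_oneline takes an int length; refuse sizes that are zero or
     * that do not survive the size_t -> int narrowing. */
    int len = (int)dn_len;

    if (dn == NULL || len <= 0 || (size_t)len != dn_len) {
        return ret;
    }
    dn[0] = '\0';

    if ((x509 = pkcs11h_openssl_getX509(certificate)) == NULL) {
        msg(M_FATAL, "PKCS#11: Cannot get X509");
        goto cleanup;
    }

    /* X509_NAME_oneline returns NULL on failure; without this check the
     * caller would see an uninitialized dn while ret still reported success. */
    if (X509_NAME_oneline(X509_get_subject_name(x509), dn, len) == NULL) {
        msg(M_WARN, "PKCS#11: Cannot get certificate subject");
        goto cleanup;
    }

    ret = 0;

cleanup:
    if (x509 != NULL) {
        X509_free(x509);
        x509 = NULL;
    }
    return ret;
}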
/*
 * Return a private copy of the session's certificate as an X509 object.
 *
 * The session caches the X509 in openssl_session->x509 on first use; the
 * caller owns the returned duplicate and must X509_free() it.  Returns
 * NULL when the certificate cannot be obtained or duplicated.
 */
X509 *
pkcs11h_openssl_session_getX509(
    IN const pkcs11h_openssl_session_t openssl_session
)
{
    X509 *result = NULL;
    PKCS11H_BOOL success = FALSE;

    _PKCS11H_ASSERT(openssl_session != NULL);

    _PKCS11H_DEBUG(
        PKCS11H_LOG_DEBUG2,
        "PKCS#11: pkcs11h_openssl_session_getX509 - entry openssl_session=%p",
        (void *)openssl_session
    );

    /* Populate the cached certificate lazily, only on the first call. */
    if (openssl_session->x509 == NULL) {
        openssl_session->x509 = pkcs11h_openssl_getX509(openssl_session->certificate);
    }
    if (openssl_session->x509 == NULL) {
        _PKCS11H_LOG(PKCS11H_LOG_WARN, "PKCS#11: Cannot get certificate object");
        goto cleanup;
    }

    /* Hand the caller its own copy so the cached object stays session-owned. */
    result = X509_dup(openssl_session->x509);
    if (result == NULL) {
        _PKCS11H_LOG(PKCS11H_LOG_WARN, "PKCS#11: Cannot duplicate certificate object");
        goto cleanup;
    }

    success = TRUE;

cleanup:
    if (!success && result != NULL) {
        X509_free(result);
        result = NULL;
    }

    _PKCS11H_DEBUG(
        PKCS11H_LOG_DEBUG2,
        "PKCS#11: pkcs11h_openssl_session_getX509 - return x509=%p",
        (void *)result
    );

    return result;
}
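/*
 * Render the serial number of a PKCS#11 certificate as a hex string.
 *
 * certificate:       pkcs11-helper certificate handle.
 * serial/serial_len: output buffer and its size in bytes; the result is
 *                    always NUL-terminated (and "" on failure when the
 *                    buffer is usable at all).
 * Returns 0 on success, 1 on failure.
 */
int
pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial, size_t serial_len)
{
    X509 *x509 = NULL;
    BIO *bio = NULL;
    int ret = 1;
    /* BIO_read takes an int length; reserve one byte for the terminator and
     * refuse sizes that would underflow (serial_len == 0) or that do not
     * survive the size_t -> int narrowing. */
    int room = (serial_len == 0) ? -1 : (int)(serial_len - 1);

    if (serial == NULL || room < 0 || (size_t)room != serial_len - 1) {
        return ret;
    }
    serial[0] = '\0';

    if ((x509 = pkcs11h_openssl_getX509(certificate)) == NULL) {
        msg(M_FATAL, "PKCS#11: Cannot get X509");
        goto cleanup;
    }
    if ((bio = BIO_new(BIO_s_mem())) == NULL) {
        msg(M_FATAL, "PKCS#11: Cannot create BIO");
        goto cleanup;
    }

    /* i2a_ASN1_INTEGER returns a negative value on error; do not report
     * success with an empty serial in that case. */
    if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(x509)) < 0) {
        msg(M_WARN, "PKCS#11: Cannot encode serial number");
        goto cleanup;
    }

    {
        int n = BIO_read(bio, serial, room);
        /* n <= 0 means nothing was read (or an error); leave "" in place. */
        serial[n > 0 ? n : 0] = '\0';
    }

    ret = 0;

cleanup:
    /* The memory BIO was never released before; free it on every path. */
    if (bio != NULL) {
        BIO_free(bio);
        bio = NULL;
    }
    if (x509 != NULL) {
        X509_free(x509);
        x509 = NULL;
    }
    return ret;
}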
/*
 * Return the subject DN of a PKCS#11 certificate as a string allocated
 * from the given gc arena.  Returns NULL when the X509 object cannot be
 * obtained.
 */
char *
pkcs11_certificate_dn(pkcs11h_certificate_t certificate, struct gc_arena *gc)
{
    char *subject = NULL;
    X509 *cert = pkcs11h_openssl_getX509(certificate);

    if (cert == NULL) {
        msg(M_FATAL, "PKCS#11: Cannot get X509");
    } else {
        subject = x509_get_subject(cert, gc);
        /* The subject string lives in gc; the X509 object is no longer needed. */
        X509_free(cert);
        cert = NULL;
    }

    return subject;
}
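/*
 * Load the private key and certificate identified by a PKCS#11 slot/id
 * pair into an SSL_CTX.
 *
 * ssl_ctx:          context to configure.
 * pkcs11_slot_type, pkcs11_slot, pkcs11_id_type, pkcs11_id:
 *                   selectors passed through to pkcs11h_locate_certificate.
 * Returns 1 on success, 0 on failure; a warning is logged for the first
 * step that fails and every later step is skipped.
 *
 * Ownership: once pkcs11h_openssl_createSession succeeds the pkcs11h
 * certificate belongs to the session and is released with it.  The X509
 * and RSA objects obtained from the session are reference counted, so they
 * are released here after the SSL_CTX has taken its own references.
 */
int
SSL_CTX_use_pkcs11(
    IN OUT SSL_CTX * const ssl_ctx,
    IN const char * const pkcs11_slot_type,
    IN const char * const pkcs11_slot,
    IN const char * const pkcs11_id_type,
    IN const char * const pkcs11_id
)
{
    X509 *x509 = NULL;
    RSA *rsa = NULL;
    pkcs11h_certificate_id_t certificate_id = NULL;
    pkcs11h_certificate_t certificate = NULL;
    pkcs11h_openssl_session_t openssl_session = NULL;
    CK_RV rv = CKR_OK;
    bool fOK = true;

    /* Parameter checks once; the original repeated this block verbatim. */
    ASSERT(ssl_ctx != NULL);
    ASSERT(pkcs11_slot_type != NULL);
    ASSERT(pkcs11_slot != NULL);
    ASSERT(pkcs11_id_type != NULL);
    ASSERT(pkcs11_id != NULL);

    dmsg(
        D_PKCS11_DEBUG,
        "PKCS#11: SSL_CTX_use_pkcs11 - entered - ssl_ctx=%p, pkcs11_slot_type='%s', pkcs11_slot='%s', pkcs11_id_type='%s', pkcs11_id='%s'",
        (void *)ssl_ctx,
        pkcs11_slot_type,
        pkcs11_slot,
        pkcs11_id_type,
        pkcs11_id
    );

    /* Each step below runs only while every previous step succeeded (fOK).
     * CK_RV is an unsigned long, so it is printed with %lu. */
    if (
        fOK &&
        (rv = pkcs11h_locate_certificate(
            pkcs11_slot_type,
            pkcs11_slot,
            pkcs11_id_type,
            pkcs11_id,
            &certificate_id
        )) != CKR_OK
    ) {
        fOK = false;
        msg(M_WARN, "PKCS#11: Cannot set parameters %lu-'%s'", rv, pkcs11h_getMessage(rv));
    }

    if (
        fOK &&
        (rv = pkcs11h_certificate_create(
            certificate_id,
            PKCS11H_PIN_CACHE_INFINITE,
            &certificate
        )) != CKR_OK
    ) {
        fOK = false;
        msg(M_WARN, "PKCS#11: Cannot get certificate %lu-'%s'", rv, pkcs11h_getMessage(rv));
    }

    if (
        fOK &&
        (openssl_session = pkcs11h_openssl_createSession(certificate)) == NULL
    ) {
        fOK = false;
        msg(M_WARN, "PKCS#11: Cannot initialize openssl session");
    }

    if (fOK) {
        /*
         * Will be released by openssl_session
         */
        certificate = NULL;
    }

    if (
        fOK &&
        (rsa = pkcs11h_openssl_getRSA(openssl_session)) == NULL
    ) {
        fOK = false;
        msg(M_WARN, "PKCS#11: Unable get rsa object");
    }

    if (
        fOK &&
        (x509 = pkcs11h_openssl_getX509(openssl_session)) == NULL
    ) {
        fOK = false;
        msg(M_WARN, "PKCS#11: Unable get certificate object");
    }

    if (
        fOK &&
        !SSL_CTX_use_RSAPrivateKey(ssl_ctx, rsa)
    ) {
        fOK = false;
        msg(M_WARN, "PKCS#11: Cannot set private key for openssl");
    }

    if (
        fOK &&
        !SSL_CTX_use_certificate(ssl_ctx, x509)
    ) {
        fOK = false;
        msg(M_WARN, "PKCS#11: Cannot set certificate for openssl");
    }

    /*
     * openssl objects have reference
     * count, so release them
     */
    if (x509 != NULL) {
        X509_free(x509);
        x509 = NULL;
    }
    if (rsa != NULL) {
        RSA_free(rsa);
        rsa = NULL;
    }
    /* Still non-NULL only if the session was never created. */
    if (certificate != NULL) {
        pkcs11h_freeCertificate(certificate);
        certificate = NULL;
    }
    if (certificate_id != NULL) {
        pkcs11h_freeCertificateId(certificate_id);
        certificate_id = NULL;
    }
    if (openssl_session != NULL) {
        pkcs11h_openssl_freeSession(openssl_session);
        openssl_session = NULL;
    }

    dmsg(
        D_PKCS11_DEBUG,
        "PKCS#11: SSL_CTX_use_pkcs11 - return fOK=%d, rv=%lu",
        fOK ? 1 : 0,
        rv
    );

    return fOK ? 1 : 0;
}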