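/*
 * Initialise the pkcs11-helper library for OpenVPN.
 *
 * Installs the system engine, the log/prompt hooks, fork handling and the
 * PIN policy, in that order, stopping at the first failure.
 *
 * protected_auth   - forwarded to pkcs11h_setProtectedAuthentication()
 *                    (presumably token-side PIN entry; confirm against the
 *                    pkcs11-helper documentation).
 * nPINCachePeriod  - forwarded to pkcs11h_setPINCachePeriod().
 *
 * Returns true only when every pkcs11h_* call returned CKR_OK.  Each failure
 * is reported through msg(M_FATAL, ...), which is expected to terminate the
 * process; the goto keeps the exit trace on one path in case it does not.
 */
bool
pkcs11_initialize(const bool protected_auth, const int nPINCachePeriod)
{
    CK_RV rv = CKR_FUNCTION_FAILED;

    dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_initialize - entered");

    if ((rv = pkcs11h_engine_setSystem(&s_pkcs11h_sys_engine)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot initialize system engine %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    if ((rv = pkcs11h_initialize()) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    /* Mirror OpenVPN's own verbosity into the helper library's log level. */
    pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level()));

    if ((rv = pkcs11h_setForkMode(TRUE)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot set fork mode %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    if ((rv = pkcs11h_setTokenPromptHook(_pkcs11_openvpn_token_prompt, NULL)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    if ((rv = pkcs11h_setProtectedAuthentication(protected_auth)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    /* Message text aligned with the other pkcs11_initialize variant
     * ("PIN cache period" rather than the typo "Pcache period"). */
    if ((rv = pkcs11h_setPINCachePeriod(nPINCachePeriod)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot set PIN cache period %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    rv = CKR_OK;

cleanup:
    dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_initialize - return %ld-'%s'",
         rv, pkcs11h_getMessage(rv));

    return rv == CKR_OK;
}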
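/*
 * List the certificates available on a PKCS#11 provider so the user can pick
 * the value for --pkcs11-id.
 *
 * provider     - provider module handed to pkcs11h_addProvider() (used both
 *                as reference name and as the module to load).
 * cert_private - forwarded to pkcs11h_addProvider(); presumably marks the
 *                certificate objects as private (PIN required to read) —
 *                confirm against pkcs11-helper before relying on it.
 *
 * Initialises pkcs11-helper with a dedicated PIN prompt hook, enumerates the
 * certificate ids from the cache, and prints DN, serial and the serialised id
 * of each.  Failures are reported with msg(M_FATAL, ...), which is expected
 * to terminate the process; the gotos keep cleanup on one path in case it
 * does not.  pkcs11h_terminate() and gc_free() run on every exit path.
 */
void
show_pkcs11_ids(const char *const provider, bool cert_private)
{
    struct gc_arena gc = gc_new();
    pkcs11h_certificate_id_list_t user_certificates = NULL;
    pkcs11h_certificate_id_list_t current = NULL;
    CK_RV rv = CKR_FUNCTION_FAILED;

    if ((rv = pkcs11h_initialize()) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level()));

    if ((rv = pkcs11h_setProtectedAuthentication(TRUE)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot set protected authentication %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    /* Listing uses its own prompt hook rather than the one the VPN session
     * installs in pkcs11_initialize(). */
    if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_show_pkcs11_ids_pin_prompt, NULL)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot set PIN hook %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    if ((rv = pkcs11h_addProvider(provider, provider, TRUE, 0, FALSE, 0,
                                  cert_private ? TRUE : FALSE)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot add provider '%s' %ld-'%s'",
            provider, rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    if ((rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE_EXIST,
                                                     NULL,
                                                     PKCS11H_PROMPT_MASK_ALLOW_ALL,
                                                     NULL,
                                                     &user_certificates)) != CKR_OK)
    {
        msg(M_FATAL, "PKCS#11: Cannot enumerate certificates %ld-'%s'",
            rv, pkcs11h_getMessage(rv));
        goto cleanup;
    }

    msg(M_INFO|M_NOPREFIX|M_NOLF,
        (
            "\n"
            "The following objects are available for use.\n"
            "Each object shown below may be used as parameter to\n"
            "--pkcs11-id option please remember to use single quote mark.\n"
        ));

    for (current = user_certificates; current != NULL; current = current->next)
    {
        pkcs11h_certificate_t certificate = NULL;
        char *dn = NULL;
        char serial[1024] = {0};
        char *ser = NULL;
        size_t ser_len = 0;

        /* Two-pass serialisation: the first call only reports the required
         * buffer length, the second fills the buffer. */
        if ((rv = pkcs11h_certificate_serializeCertificateId(NULL, &ser_len,
                                                             current->certificate_id)) != CKR_OK)
        {
            msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'",
                rv, pkcs11h_getMessage(rv));
            goto cleanup1;
        }

        /* rv is CKR_OK here, so the previous "rv == CKR_OK &&" guard was
         * redundant; the malloc cast was dropped as well (C, not C++). */
        if ((ser = malloc(ser_len)) == NULL)
        {
            msg(M_FATAL, "PKCS#11: Cannot allocate memory");
            goto cleanup1;
        }

        if ((rv = pkcs11h_certificate_serializeCertificateId(ser, &ser_len,
                                                             current->certificate_id)) != CKR_OK)
        {
            msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'",
                rv, pkcs11h_getMessage(rv));
            goto cleanup1;
        }

        if ((rv = pkcs11h_certificate_create(current->certificate_id,
                                             NULL,
                                             PKCS11H_PROMPT_MASK_ALLOW_ALL,
                                             PKCS11H_PIN_CACHE_INFINITE,
                                             &certificate)) != CKR_OK)
        {
            msg(M_FATAL, "PKCS#11: Cannot create certificate %ld-'%s'",
                rv, pkcs11h_getMessage(rv));
            goto cleanup1;
        }

        /* Both helpers are presumably expected to log their own error; the
         * entry is skipped rather than aborting the listing. */
        if ((dn = pkcs11_certificate_dn(certificate, &gc)) == NULL)
        {
            goto cleanup1;
        }

        if (pkcs11_certificate_serial(certificate, serial, sizeof(serial)))
        {
            goto cleanup1;
        }

        msg(M_INFO|M_NOPREFIX|M_NOLF,
            (
                "\n"
                "Certificate\n"
                "       DN:             %s\n"
                "       Serial:         %s\n"
                "       Serialized id:  %s\n"
            ),
            dn,
            serial,
            ser);

cleanup1:
        if (certificate != NULL)
        {
            pkcs11h_certificate_freeCertificate(certificate);
            certificate = NULL;
        }

        /* free(NULL) is a no-op; ser is re-initialised each iteration. */
        free(ser);
        ser = NULL;
    }

cleanup:
    if (user_certificates != NULL)
    {
        pkcs11h_certificate_freeCertificateIdList(user_certificates);
        user_certificates = NULL;
    }

    pkcs11h_terminate();
    gc_free(&gc);
}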
/*
 * Initialise the pkcs11-helper library for OpenVPN (variant without the
 * system-engine and fork-mode setup).
 *
 * fProtectedAuthentication - forwarded to pkcs11h_setProtectedAuthentication().
 * nPINCachePeriod          - forwarded to pkcs11h_setPINCachePeriod().
 *
 * Every step runs only while the previous ones succeeded; the first failing
 * pkcs11h_* call is reported with msg(M_FATAL, ...) and the remaining steps
 * are skipped.  Returns true when rv is still CKR_OK at the end.
 */
bool
pkcs11_initialize(IN const bool fProtectedAuthentication,
                  IN const int nPINCachePeriod)
{
    CK_RV rv = CKR_OK;

    dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_initialize - entered");

    /* Single-pass setup; `break` leaves the chain at the first failure so
     * the trailing trace and return still run. */
    do
    {
        if ((rv = pkcs11h_initialize()) != CKR_OK)
        {
            msg(M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'",
                rv, pkcs11h_getMessage(rv));
            break;
        }

        if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK)
        {
            msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'",
                rv, pkcs11h_getMessage(rv));
            break;
        }

        /* Only reached when the hook is installed, as in the original. */
        pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level()));

        if ((rv = pkcs11h_setTokenPromptHook(_pkcs11_openvpn_token_prompt, NULL)) != CKR_OK)
        {
            msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'",
                rv, pkcs11h_getMessage(rv));
            break;
        }

        if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
        {
            msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'",
                rv, pkcs11h_getMessage(rv));
            break;
        }

        if ((rv = pkcs11h_setProtectedAuthentication(fProtectedAuthentication)) != CKR_OK)
        {
            msg(M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'",
                rv, pkcs11h_getMessage(rv));
            break;
        }

        if ((rv = pkcs11h_setPINCachePeriod(nPINCachePeriod)) != CKR_OK)
        {
            msg(M_FATAL, "PKCS#11: Cannot set PIN cache period %ld-'%s'",
                rv, pkcs11h_getMessage(rv));
            break;
        }
    } while (0);

    dmsg(D_PKCS11_DEBUG, "PKCS#11: pkcs11_initialize - return %ld-'%s'",
         rv, pkcs11h_getMessage(rv));

    return rv == CKR_OK;
}