static int
set_private_key(hx509_context context,
SecKeychainItemRef itemRef,
hx509_cert cert)
{
struct kc_rsa *kc;
hx509_private_key key;
RSA *rsa;
int ret;
ret = _hx509_private_key_init(&key, NULL, NULL);
if (ret)
return ret;
kc = calloc(1, sizeof(*kc));
if (kc == NULL)
_hx509_abort("out of memory");
kc->item = itemRef;
rsa = RSA_new();
if (rsa == NULL)
_hx509_abort("out of memory");
/* Argh, fake modulus since OpenSSL API is on crack */
{
SecKeychainAttributeList *attrs = NULL;
uint32_t size;
void *data;
rsa->n = BN_new();
if (rsa->n == NULL) abort();
ret = getAttribute(itemRef, kSecKeyKeySizeInBits, &attrs);
if (ret) abort();
size = *(uint32_t *)attrs->attr[0].data;
SecKeychainItemFreeAttributesAndData(attrs, NULL);
kc->keysize = (size + 7) / 8;
data = malloc(kc->keysize);
memset(data, 0xe0, kc->keysize);
BN_bin2bn(data, kc->keysize, rsa->n);
free(data);
}
rsa->e = NULL;
RSA_set_method(rsa, &kc_rsa_pkcs1_method);
ret = RSA_set_app_data(rsa, kc);
if (ret != 1)
_hx509_abort("RSA_set_app_data");
_hx509_private_key_assign_rsa(key, rsa);
_hx509_cert_assign_key(cert, key);
return 0;
}
Qt::HANDLE QSmartCard::key()
{
RSA *rsa = RSAPublicKey_dup( (RSA*)d->t.authCert().publicKey().handle() );
if ( !rsa )
return 0;
RSA_set_method( rsa, &d->method );
rsa->flags |= RSA_FLAG_SIGN_VER;
RSA_set_app_data( rsa, d );
EVP_PKEY *key = EVP_PKEY_new();
EVP_PKEY_set1_RSA( key, rsa );
RSA_free( rsa );
return Qt::HANDLE(key);
}
static int extract_certificate_and_pkey(PluginInstance *inst,
X509 **x509_out,
EVP_PKEY **pkey_out)
{
int r;
X509 *x509 = NULL;
struct sc_pkcs15_id cert_id;
struct sc_priv_data *priv = NULL;
EVP_PKEY *pkey = NULL;
RSA *rsa = NULL;
r = init_pkcs15(inst);
if (r)
goto err;
r = get_certificate(inst, &x509, &cert_id);
if (r)
goto err;
r = -1;
pkey = X509_get_pubkey(x509);
if (pkey == NULL)
goto err;
if (pkey->type != EVP_PKEY_RSA)
goto err;
rsa = EVP_PKEY_get1_RSA(pkey); /* increases ref count */
if (rsa == NULL)
goto err;
rsa->flags |= RSA_FLAG_SIGN_VER;
RSA_set_method(rsa, sc_get_method());
priv = (struct sc_priv_data *) calloc(1, sizeof(*priv));
if (priv == NULL)
goto err;
priv->cert_id = cert_id;
priv->ref_count = 1;
RSA_set_app_data(rsa, priv);
RSA_free(rsa); /* decreases ref count */
*x509_out = x509;
*pkey_out = pkey;
return 0;
err:
if (pkey)
EVP_PKEY_free(pkey);
if (x509)
X509_free(x509);
return -1;
}
static void
convert_rsa_to_rsa1(Key * in, Key * out)
{
struct sc_priv_data *priv;
out->rsa->flags = in->rsa->flags;
out->flags = in->flags;
RSA_set_method(out->rsa, RSA_get_method(in->rsa));
BN_copy(out->rsa->n, in->rsa->n);
BN_copy(out->rsa->e, in->rsa->e);
priv = RSA_get_app_data(in->rsa);
priv->ref_count++;
RSA_set_app_data(out->rsa, priv);
return;
}
static int
collect_private_key(hx509_context context,
struct p11_module *p, struct p11_slot *slot,
CK_SESSION_HANDLE session,
CK_OBJECT_HANDLE object,
void *ptr, CK_ATTRIBUTE *query, int num_query)
{
struct hx509_collector *collector = ptr;
hx509_private_key key;
heim_octet_string localKeyId;
int ret;
RSA *rsa;
struct p11_rsa *p11rsa;
localKeyId.data = query[0].pValue;
localKeyId.length = query[0].ulValueLen;
ret = _hx509_private_key_init(&key, NULL, NULL);
if (ret)
return ret;
rsa = RSA_new();
if (rsa == NULL)
_hx509_abort("out of memory");
/*
* The exponent and modulus should always be present according to
* the pkcs11 specification, but some smartcards leaves it out,
* let ignore any failure to fetch it.
*/
rsa->n = getattr_bn(p, slot, session, object, CKA_MODULUS);
rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
p11rsa = calloc(1, sizeof(*p11rsa));
if (p11rsa == NULL)
_hx509_abort("out of memory");
p11rsa->p = p;
p11rsa->slot = slot;
p11rsa->private_key = object;
p->refcount++;
if (p->refcount == 0)
_hx509_abort("pkcs11 refcount to high");
RSA_set_method(rsa, &p11_rsa_pkcs1_method);
ret = RSA_set_app_data(rsa, p11rsa);
if (ret != 1)
_hx509_abort("RSA_set_app_data");
_hx509_private_key_assign_rsa(key, rsa);
ret = _hx509_collector_private_key_add(context,
collector,
hx509_signature_rsa(),
key,
NULL,
&localKeyId);
if (ret) {
_hx509_private_key_free(&key);
return ret;
}
return 0;
}
static int
set_private_key(hx509_context context, hx509_cert cert, SecKeyRef pkey)
{
const SubjectPublicKeyInfo *spi;
const Certificate *c;
struct kc_rsa *kc;
RSAPublicKey pk;
hx509_private_key key;
size_t size;
RSA *rsa;
int ret;
ret = hx509_private_key_init(&key, NULL, NULL);
if (ret)
return ret;
kc = calloc(1, sizeof(*kc));
if (kc == NULL)
_hx509_abort("out of memory");
CFRetain(pkey);
kc->pkey = pkey;
rsa = RSA_new();
if (rsa == NULL)
_hx509_abort("out of memory");
RSA_set_method(rsa, &kc_rsa_pkcs1_method);
ret = RSA_set_app_data(rsa, kc);
if (ret != 1)
_hx509_abort("RSA_set_app_data");
/*
* Set up n and e to please RSA_size()
*/
c = _hx509_get_cert(cert);
spi = &c->tbsCertificate.subjectPublicKeyInfo;
ret = decode_RSAPublicKey(spi->subjectPublicKey.data,
spi->subjectPublicKey.length / 8,
&pk, &size);
if (ret) {
RSA_free(rsa);
return 0;
}
rsa->n = _hx509_int2BN(&pk.modulus);
rsa->e = _hx509_int2BN(&pk.publicExponent);
free_RSAPublicKey(&pk);
kc->keysize = BN_num_bytes(rsa->n);
/*
*
*/
hx509_private_key_assign_rsa(key, rsa);
_hx509_cert_set_key(cert, key);
hx509_private_key_free(&key);
return 0;
}
static int
sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj)
{
int r;
sc_pkcs15_cert_t *cert = NULL;
struct sc_priv_data *priv = NULL;
sc_pkcs15_cert_info_t *cinfo = cert_obj->data;
X509 *x509 = NULL;
EVP_PKEY *pubkey = NULL;
u8 *p;
char *tmp;
debug("sc_read_pubkey() with cert id %02X", cinfo->id.value[0]);
r = sc_pkcs15_read_certificate(p15card, cinfo, &cert);
if (r) {
logit("Certificate read failed: %s", sc_strerror(r));
goto err;
}
x509 = X509_new();
if (x509 == NULL) {
r = -1;
goto err;
}
p = cert->data;
if (!d2i_X509(&x509, &p, cert->data_len)) {
logit("Unable to parse X.509 certificate");
r = -1;
goto err;
}
sc_pkcs15_free_certificate(cert);
cert = NULL;
pubkey = X509_get_pubkey(x509);
X509_free(x509);
x509 = NULL;
if (pubkey->type != EVP_PKEY_RSA) {
logit("Public key is of unknown type");
r = -1;
goto err;
}
k->rsa = EVP_PKEY_get1_RSA(pubkey);
EVP_PKEY_free(pubkey);
k->rsa->flags |= RSA_FLAG_SIGN_VER;
RSA_set_method(k->rsa, sc_get_rsa_method());
priv = xmalloc(sizeof(struct sc_priv_data));
priv->cert_id = cinfo->id;
priv->ref_count = 1;
RSA_set_app_data(k->rsa, priv);
k->flags = KEY_FLAG_EXT;
tmp = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
debug("fingerprint %d %s", key_size(k), tmp);
xfree(tmp);
return 0;
err:
if (cert)
sc_pkcs15_free_certificate(cert);
if (pubkey)
EVP_PKEY_free(pubkey);
if (x509)
X509_free(x509);
return r;
}
