bool
pkcs11_initialize(
const bool protected_auth,
const int nPINCachePeriod
) {
CK_RV rv = CKR_FUNCTION_FAILED;
dmsg(
D_PKCS11_DEBUG,
"PKCS#11: pkcs11_initialize - entered"
);
if ((rv = pkcs11h_engine_setSystem(&s_pkcs11h_sys_engine)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot initialize system engine %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if ((rv = pkcs11h_initialize()) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level()));
if ((rv = pkcs11h_setForkMode(TRUE)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot set fork mode %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if ((rv = pkcs11h_setTokenPromptHook(_pkcs11_openvpn_token_prompt, NULL)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if ((rv = pkcs11h_setProtectedAuthentication(protected_auth)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if ((rv = pkcs11h_setPINCachePeriod(nPINCachePeriod)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot set Pcache period %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
rv = CKR_OK;
cleanup:
dmsg(
D_PKCS11_DEBUG,
"PKCS#11: pkcs11_initialize - return %ld-'%s'",
rv,
pkcs11h_getMessage(rv)
);
return rv == CKR_OK;
}
void
show_pkcs11_ids(
const char *const provider,
bool cert_private
) {
struct gc_arena gc = gc_new();
pkcs11h_certificate_id_list_t user_certificates = NULL;
pkcs11h_certificate_id_list_t current = NULL;
CK_RV rv = CKR_FUNCTION_FAILED;
if ((rv = pkcs11h_initialize()) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level()));
if ((rv = pkcs11h_setProtectedAuthentication(TRUE)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot set protected authentication %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_show_pkcs11_ids_pin_prompt, NULL)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot set PIN hook %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if (
(rv = pkcs11h_addProvider(
provider,
provider,
TRUE,
0,
FALSE,
0,
cert_private ? TRUE : FALSE
)) != CKR_OK
)
{
msg(M_FATAL, "PKCS#11: Cannot add provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
goto cleanup;
}
if (
(rv = pkcs11h_certificate_enumCertificateIds(
PKCS11H_ENUM_METHOD_CACHE_EXIST,
NULL,
PKCS11H_PROMPT_MASK_ALLOW_ALL,
NULL,
&user_certificates
)) != CKR_OK
)
{
msg(M_FATAL, "PKCS#11: Cannot enumerate certificates %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
}
msg(
M_INFO|M_NOPREFIX|M_NOLF,
(
"\n"
"The following objects are available for use.\n"
"Each object shown below may be used as parameter to\n"
"--pkcs11-id option please remember to use single quote mark.\n"
)
);
for (current = user_certificates; current != NULL; current = current->next) {
pkcs11h_certificate_t certificate = NULL;
char *dn = NULL;
char serial[1024] = {0};
char *ser = NULL;
size_t ser_len = 0;
if (
(rv = pkcs11h_certificate_serializeCertificateId(
NULL,
&ser_len,
current->certificate_id
)) != CKR_OK
)
{
msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup1;
}
if (
rv == CKR_OK
&& (ser = (char *)malloc(ser_len)) == NULL
)
{
msg(M_FATAL, "PKCS#11: Cannot allocate memory");
goto cleanup1;
}
if (
(rv = pkcs11h_certificate_serializeCertificateId(
ser,
&ser_len,
current->certificate_id
)) != CKR_OK
)
{
msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup1;
}
if (
(rv = pkcs11h_certificate_create(
current->certificate_id,
NULL,
PKCS11H_PROMPT_MASK_ALLOW_ALL,
PKCS11H_PIN_CACHE_INFINITE,
&certificate
))
)
{
msg(M_FATAL, "PKCS#11: Cannot create certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup1;
}
if (
(dn = pkcs11_certificate_dn(
certificate,
&gc
)) == NULL
)
{
goto cleanup1;
}
if (
(pkcs11_certificate_serial(
certificate,
serial,
sizeof(serial)
))
)
{
goto cleanup1;
}
msg(
M_INFO|M_NOPREFIX|M_NOLF,
(
"\n"
"Certificate\n"
" DN: %s\n"
" Serial: %s\n"
" Serialized id: %s\n"
),
dn,
serial,
ser
);
cleanup1:
if (certificate != NULL)
{
pkcs11h_certificate_freeCertificate(certificate);
certificate = NULL;
}
if (ser != NULL)
{
free(ser);
ser = NULL;
}
}
cleanup:
if (user_certificates != NULL)
{
pkcs11h_certificate_freeCertificateIdList(user_certificates);
user_certificates = NULL;
}
pkcs11h_terminate();
gc_free(&gc);
}
bool
pkcs11_initialize (
IN const bool fProtectedAuthentication,
IN const int nPINCachePeriod
) {
CK_RV rv = CKR_OK;
dmsg (
D_PKCS11_DEBUG,
"PKCS#11: pkcs11_initialize - entered"
);
if (
rv == CKR_OK &&
(rv = pkcs11h_initialize ()) != CKR_OK
) {
msg (M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage (rv));
}
if (
rv == CKR_OK &&
(rv = pkcs11h_setLogHook (_pkcs11_openvpn_log, NULL)) != CKR_OK
) {
msg (M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
}
if (rv == CKR_OK) {
pkcs11h_setLogLevel (_pkcs11_msg_openvpn2pkcs11 (get_debug_level ()));
}
if (
rv == CKR_OK &&
(rv = pkcs11h_setTokenPromptHook (_pkcs11_openvpn_token_prompt, NULL)) != CKR_OK
) {
msg (M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
}
if (
rv == CKR_OK &&
(rv = pkcs11h_setPINPromptHook (_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK
) {
msg (M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
}
if (
rv == CKR_OK &&
(rv = pkcs11h_setProtectedAuthentication (fProtectedAuthentication)) != CKR_OK
) {
msg (M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage (rv));
}
if (
rv == CKR_OK &&
(rv = pkcs11h_setPINCachePeriod (nPINCachePeriod)) != CKR_OK
) {
msg (M_FATAL, "PKCS#11: Cannot set PIN cache period %ld-'%s'", rv, pkcs11h_getMessage (rv));
}
dmsg (
D_PKCS11_DEBUG,
"PKCS#11: pkcs11_initialize - return %ld-'%s'",
rv,
pkcs11h_getMessage (rv)
);
return rv == CKR_OK;
}
