/*-
* gnutls_x509_extract_key_pk_algorithm - This function returns the keys's PublicKey algorithm
* @cert: is a DER encoded private key
*
* This function will return the public key algorithm of a DER encoded private
* key.
*
* Returns a member of the gnutls_pk_algorithm_t enumeration on success,
* or GNUTLS_E_UNKNOWN_PK_ALGORITHM on error.
*
-*/
int
gnutls_x509_extract_key_pk_algorithm (const gnutls_datum_t * key)
{
gnutls_x509_privkey_t pkey;
int ret, pk;
ret = gnutls_x509_privkey_init (&pkey);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = gnutls_x509_privkey_import (pkey, key, GNUTLS_X509_FMT_DER);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
pk = gnutls_x509_privkey_get_pk_algorithm (pkey);
gnutls_x509_privkey_deinit (pkey);
return pk;
}
/**
* gnutls_privkey_import_x509:
* @pkey: The private key
* @key: The private key to be imported
* @flags: Flags for the import
*
* This function will import the given private key to the abstract
* #gnutls_privkey_t type.
*
* The #gnutls_x509_privkey_t object must not be deallocated
* during the lifetime of this structure.
*
* @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
* and %GNUTLS_PRIVKEY_IMPORT_COPY.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 2.12.0
**/
int
gnutls_privkey_import_x509(gnutls_privkey_t pkey,
gnutls_x509_privkey_t key, unsigned int flags)
{
int ret;
ret = check_if_clean(pkey);
if (ret < 0) {
gnutls_assert();
return ret;
}
if (flags & GNUTLS_PRIVKEY_IMPORT_COPY) {
ret = gnutls_x509_privkey_init(&pkey->key.x509);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_x509_privkey_cpy(pkey->key.x509, key);
if (ret < 0) {
gnutls_x509_privkey_deinit(pkey->key.x509);
return gnutls_assert_val(ret);
}
} else
pkey->key.x509 = key;
pkey->type = GNUTLS_PRIVKEY_X509;
pkey->pk_algorithm = gnutls_x509_privkey_get_pk_algorithm(key);
pkey->flags = flags;
return 0;
}
/**
* gnutls_privkey_get_pk_algorithm:
* @key: should contain a #gnutls_privkey_t type
* @bits: If set will return the number of bits of the parameters (may be NULL)
*
* This function will return the public key algorithm of a private
* key and if possible will return a number of bits that indicates
* the security parameter of the key.
*
* Returns: a member of the #gnutls_pk_algorithm_t enumeration on
* success, or a negative error code on error.
*
* Since: 2.12.0
**/
int gnutls_privkey_get_pk_algorithm(gnutls_privkey_t key, unsigned int *bits)
{
switch (key->type) {
#ifdef ENABLE_OPENPGP
case GNUTLS_PRIVKEY_OPENPGP:
return gnutls_openpgp_privkey_get_pk_algorithm(key->key.openpgp,
bits);
#endif
#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return gnutls_pkcs11_privkey_get_pk_algorithm(key->key.pkcs11,
bits);
#endif
case GNUTLS_PRIVKEY_X509:
if (bits)
*bits =
_gnutls_mpi_get_nbits(key->key.x509->
params.params[0]);
return gnutls_x509_privkey_get_pk_algorithm(key->key.x509);
case GNUTLS_PRIVKEY_EXT:
if (bits)
*bits = 0;
return key->pk_algorithm;
default:
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
}
/**
* gnutls_privkey_import_x509:
* @pkey: The private key
* @key: The private key to be imported
* @flags: should be zero
*
* This function will import the given private key to the abstract
* #gnutls_privkey_t structure.
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
int
gnutls_privkey_import_x509 (gnutls_privkey_t pkey,
gnutls_x509_privkey_t key, unsigned int flags)
{
pkey->key.x509 = key;
pkey->type = GNUTLS_PRIVKEY_X509;
pkey->pk_algorithm = gnutls_x509_privkey_get_pk_algorithm (key);
pkey->flags = flags;
return 0;
}
/**
* gnutls_pkcs11_copy_x509_privkey:
* @token_url: A PKCS #11 URL specifying a token
* @key: A private key
* @label: A name to be used for the stored data
* @key_usage: One of GNUTLS_KEY_*
* @flags: One of GNUTLS_PKCS11_OBJ_* flags
*
* This function will copy a private key into a PKCS #11 token specified by
* a URL. It is highly recommended flags to contain %GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE
* unless there is a strong reason not to.
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
int
gnutls_pkcs11_copy_x509_privkey (const char *token_url,
gnutls_x509_privkey_t key,
const char *label,
unsigned int key_usage, unsigned int flags)
{
int ret;
pakchois_session_t *pks;
struct pkcs11_url_info info;
ck_rv_t rv;
size_t id_size;
opaque id[20];
struct ck_attribute a[16];
ck_object_class_t class = CKO_PRIVATE_KEY;
ck_object_handle_t obj;
ck_key_type_t type;
unsigned int tval = 1;
int a_val;
gnutls_pk_algorithm_t pk;
gnutls_datum_t p, q, g, y, x;
gnutls_datum_t m, e, d, u, exp1, exp2;
ret = pkcs11_url_to_info (token_url, &info);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
id_size = sizeof (id);
ret = gnutls_x509_privkey_get_key_id (key, 0, id, &id_size);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
ret =
pkcs11_open_session (&pks, &info,
SESSION_WRITE | pkcs11_obj_flags_to_int (flags));
if (ret < 0)
{
gnutls_assert ();
return ret;
}
/* FIXME: copy key usage flags */
a_val = 0;
a[a_val].type = CKA_CLASS;
a[a_val].value = &class;
a[a_val].value_len = sizeof (class);
a_val++;
a[a_val].type = CKA_ID;
a[a_val].value = id;
a[a_val].value_len = id_size;
a_val++;
a[a_val].type = CKA_KEY_TYPE;
a[a_val].value = &type;
a[a_val].value_len = sizeof (type);
a_val++;
a[a_val].type = CKA_TOKEN;
a[a_val].value = &tval;
a[a_val].value_len = sizeof (tval);
a_val++;
a[a_val].type = CKA_PRIVATE;
a[a_val].value = &tval;
a[a_val].value_len = sizeof (tval);
a_val++;
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE)
tval = 1;
else
tval = 0;
a[a_val].type = CKA_SENSITIVE;
a[a_val].value = &tval;
a[a_val].value_len = sizeof (tval);
a_val++;
pk = gnutls_x509_privkey_get_pk_algorithm (key);
switch (pk)
{
case GNUTLS_PK_RSA:
{
ret =
gnutls_x509_privkey_export_rsa_raw2 (key, &m,
&e, &d, &p,
&q, &u, &exp1, &exp2);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
type = CKK_RSA;
a[a_val].type = CKA_MODULUS;
a[a_val].value = m.data;
a[a_val].value_len = m.size;
a_val++;
a[a_val].type = CKA_PUBLIC_EXPONENT;
a[a_val].value = e.data;
a[a_val].value_len = e.size;
a_val++;
a[a_val].type = CKA_PRIVATE_EXPONENT;
a[a_val].value = d.data;
a[a_val].value_len = d.size;
a_val++;
a[a_val].type = CKA_PRIME_1;
a[a_val].value = p.data;
a[a_val].value_len = p.size;
a_val++;
a[a_val].type = CKA_PRIME_2;
a[a_val].value = q.data;
a[a_val].value_len = q.size;
a_val++;
a[a_val].type = CKA_COEFFICIENT;
a[a_val].value = u.data;
a[a_val].value_len = u.size;
a_val++;
a[a_val].type = CKA_EXPONENT_1;
a[a_val].value = exp1.data;
a[a_val].value_len = exp1.size;
a_val++;
a[a_val].type = CKA_EXPONENT_2;
a[a_val].value = exp2.data;
a[a_val].value_len = exp2.size;
a_val++;
break;
}
case GNUTLS_PK_DSA:
{
ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
if (ret < 0)
{
gnutls_assert ();
goto cleanup;
}
type = CKK_DSA;
a[a_val].type = CKA_PRIME;
a[a_val].value = p.data;
a[a_val].value_len = p.size;
a_val++;
a[a_val].type = CKA_SUBPRIME;
a[a_val].value = q.data;
a[a_val].value_len = q.size;
a_val++;
a[a_val].type = CKA_BASE;
a[a_val].value = g.data;
a[a_val].value_len = g.size;
a_val++;
a[a_val].type = CKA_VALUE;
a[a_val].value = x.data;
a[a_val].value_len = x.size;
a_val++;
break;
}
default:
gnutls_assert ();
ret = GNUTLS_E_INVALID_REQUEST;
goto cleanup;
}
rv = pakchois_create_object (pks, a, a_val, &obj);
if (rv != CKR_OK)
{
gnutls_assert ();
_gnutls_debug_log ("pkcs11: %s\n", pakchois_error (rv));
ret = pkcs11_rv_to_err (rv);
goto cleanup;
}
/* generated!
*/
switch (pk)
{
case GNUTLS_PK_RSA:
{
gnutls_free (m.data);
gnutls_free (e.data);
gnutls_free (d.data);
gnutls_free (p.data);
gnutls_free (q.data);
gnutls_free (u.data);
gnutls_free (exp1.data);
gnutls_free (exp2.data);
break;
}
case GNUTLS_PK_DSA:
{
gnutls_free (p.data);
gnutls_free (q.data);
gnutls_free (g.data);
gnutls_free (y.data);
gnutls_free (x.data);
break;
}
default:
gnutls_assert ();
ret = GNUTLS_E_INVALID_REQUEST;
goto cleanup;
}
ret = 0;
cleanup:
pakchois_close_session (pks);
return ret;
}
/**
* gnutls_pkcs11_copy_x509_privkey2:
* @token_url: A PKCS #11 URL specifying a token
* @key: A private key
* @label: A name to be used for the stored data
* @cid: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
* @key_usage: One of GNUTLS_KEY_*
* @flags: One of GNUTLS_PKCS11_OBJ_* flags
*
* This function will copy a private key into a PKCS #11 token specified by
* a URL. It is highly recommended flags to contain %GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE
* unless there is a strong reason not to.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.4.0
**/
int
gnutls_pkcs11_copy_x509_privkey2(const char *token_url,
gnutls_x509_privkey_t key,
const char *label,
const gnutls_datum_t *cid,
unsigned int key_usage, unsigned int flags)
{
int ret;
struct p11_kit_uri *info = NULL;
ck_rv_t rv;
size_t id_size;
uint8_t id[20];
struct ck_attribute a[32];
ck_object_class_t class = CKO_PRIVATE_KEY;
ck_object_handle_t ctx;
ck_key_type_t type;
int a_val;
gnutls_pk_algorithm_t pk;
gnutls_datum_t p, q, g, y, x;
gnutls_datum_t m, e, d, u, exp1, exp2;
struct pkcs11_session_info sinfo;
PKCS11_CHECK_INIT;
memset(&p, 0, sizeof(p));
memset(&q, 0, sizeof(q));
memset(&g, 0, sizeof(g));
memset(&y, 0, sizeof(y));
memset(&x, 0, sizeof(x));
memset(&m, 0, sizeof(m));
memset(&e, 0, sizeof(e));
memset(&d, 0, sizeof(d));
memset(&u, 0, sizeof(u));
memset(&exp1, 0, sizeof(exp1));
memset(&exp2, 0, sizeof(exp2));
ret = pkcs11_url_to_info(token_url, &info, 0);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret =
pkcs11_open_session(&sinfo, NULL, info,
SESSION_WRITE |
pkcs11_obj_flags_to_int(flags));
p11_kit_uri_free(info);
if (ret < 0) {
gnutls_assert();
return ret;
}
pk = gnutls_x509_privkey_get_pk_algorithm(key);
FIX_KEY_USAGE(pk, key_usage);
/* FIXME: copy key usage flags */
a_val = 0;
a[a_val].type = CKA_CLASS;
a[a_val].value = &class;
a[a_val].value_len = sizeof(class);
a_val++;
a[a_val].type = CKA_ID;
if (cid == NULL || cid->size == 0) {
id_size = sizeof(id);
ret = gnutls_x509_privkey_get_key_id(key, 0, id, &id_size);
if (ret < 0) {
p11_kit_uri_free(info);
gnutls_assert();
return ret;
}
a[a_val].value = id;
a[a_val].value_len = id_size;
} else {
a[a_val].value = cid->data;
a[a_val].value_len = cid->size;
}
a_val++;
a[a_val].type = CKA_SIGN;
if (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) {
a[a_val].value = (void*)&tval;
a[a_val].value_len = sizeof(tval);
} else {
a[a_val].value = (void*)&fval;
a[a_val].value_len = sizeof(fval);
}
a_val++;
if (pk == GNUTLS_PK_RSA) {
a[a_val].type = CKA_DECRYPT;
if (key_usage & (GNUTLS_KEY_ENCIPHER_ONLY|GNUTLS_KEY_DECIPHER_ONLY)) {
a[a_val].value = (void*)&tval;
a[a_val].value_len = sizeof(tval);
} else {
a[a_val].value = (void*)&fval;
a[a_val].value_len = sizeof(fval);
}
a_val++;
}
a[a_val].type = CKA_TOKEN;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
/* a private key is set always as private unless
* requested otherwise
*/
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE) {
a[a_val].type = CKA_PRIVATE;
a[a_val].value = (void *) &fval;
a[a_val].value_len = sizeof(fval);
a_val++;
} else {
a[a_val].type = CKA_PRIVATE;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
}
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH) {
a[a_val].type = CKA_ALWAYS_AUTHENTICATE;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
}
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE) {
a[a_val].type = CKA_EXTRACTABLE;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
(a_val)++;
} else {
a[a_val].type = CKA_EXTRACTABLE;
a[a_val].value = (void *) &fval;
a[a_val].value_len = sizeof(fval);
(a_val)++;
}
if (label) {
a[a_val].type = CKA_LABEL;
a[a_val].value = (void *) label;
a[a_val].value_len = strlen(label);
a_val++;
}
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE) {
a[a_val].type = CKA_SENSITIVE;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
} else {
a[a_val].type = CKA_SENSITIVE;
a[a_val].value = (void *) &fval;
a[a_val].value_len = sizeof(fval);
a_val++;
}
switch (pk) {
case GNUTLS_PK_RSA:
{
ret =
gnutls_x509_privkey_export_rsa_raw2(key, &m,
&e, &d, &p,
&q, &u,
&exp1,
&exp2);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
type = CKK_RSA;
skip_leading_zeros(&m);
skip_leading_zeros(&e);
skip_leading_zeros(&d);
skip_leading_zeros(&p);
skip_leading_zeros(&q);
skip_leading_zeros(&u);
skip_leading_zeros(&exp1);
skip_leading_zeros(&exp2);
a[a_val].type = CKA_MODULUS;
a[a_val].value = m.data;
a[a_val].value_len = m.size;
a_val++;
a[a_val].type = CKA_PUBLIC_EXPONENT;
a[a_val].value = e.data;
a[a_val].value_len = e.size;
a_val++;
a[a_val].type = CKA_PRIVATE_EXPONENT;
a[a_val].value = d.data;
a[a_val].value_len = d.size;
a_val++;
a[a_val].type = CKA_PRIME_1;
a[a_val].value = p.data;
a[a_val].value_len = p.size;
a_val++;
a[a_val].type = CKA_PRIME_2;
a[a_val].value = q.data;
a[a_val].value_len = q.size;
a_val++;
a[a_val].type = CKA_COEFFICIENT;
a[a_val].value = u.data;
a[a_val].value_len = u.size;
a_val++;
a[a_val].type = CKA_EXPONENT_1;
a[a_val].value = exp1.data;
a[a_val].value_len = exp1.size;
a_val++;
a[a_val].type = CKA_EXPONENT_2;
a[a_val].value = exp2.data;
a[a_val].value_len = exp2.size;
a_val++;
break;
}
case GNUTLS_PK_DSA:
{
ret =
gnutls_x509_privkey_export_dsa_raw(key, &p, &q,
&g, &y, &x);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
type = CKK_DSA;
skip_leading_zeros(&p);
skip_leading_zeros(&q);
skip_leading_zeros(&g);
skip_leading_zeros(&y);
skip_leading_zeros(&x);
a[a_val].type = CKA_PRIME;
a[a_val].value = p.data;
a[a_val].value_len = p.size;
a_val++;
a[a_val].type = CKA_SUBPRIME;
a[a_val].value = q.data;
a[a_val].value_len = q.size;
a_val++;
a[a_val].type = CKA_BASE;
a[a_val].value = g.data;
a[a_val].value_len = g.size;
a_val++;
a[a_val].type = CKA_VALUE;
a[a_val].value = x.data;
a[a_val].value_len = x.size;
a_val++;
break;
}
case GNUTLS_PK_EC:
{
ret =
_gnutls_x509_write_ecc_params(key->params.flags,
&p);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
_gnutls_mpi_dprint(key->params.
params[ECC_K], &x);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
type = CKK_ECDSA;
a[a_val].type = CKA_EC_PARAMS;
a[a_val].value = p.data;
a[a_val].value_len = p.size;
a_val++;
a[a_val].type = CKA_VALUE;
a[a_val].value = x.data;
a[a_val].value_len = x.size;
a_val++;
break;
}
default:
gnutls_assert();
ret = GNUTLS_E_INVALID_REQUEST;
goto cleanup;
}
a[a_val].type = CKA_KEY_TYPE;
a[a_val].value = &type;
a[a_val].value_len = sizeof(type);
a_val++;
rv = pkcs11_create_object(sinfo.module, sinfo.pks, a, a_val, &ctx);
if (rv != CKR_OK) {
gnutls_assert();
_gnutls_debug_log("p11: %s\n", pkcs11_strerror(rv));
ret = pkcs11_rv_to_err(rv);
goto cleanup;
}
ret = 0;
cleanup:
switch (pk) {
case GNUTLS_PK_RSA:
{
gnutls_free(m.data);
gnutls_free(e.data);
gnutls_free(d.data);
gnutls_free(p.data);
gnutls_free(q.data);
gnutls_free(u.data);
gnutls_free(exp1.data);
gnutls_free(exp2.data);
break;
}
case GNUTLS_PK_DSA:
{
gnutls_free(p.data);
gnutls_free(q.data);
gnutls_free(g.data);
gnutls_free(y.data);
gnutls_free(x.data);
break;
}
case GNUTLS_PK_EC:
{
gnutls_free(p.data);
gnutls_free(x.data);
break;
}
default:
gnutls_assert();
ret = GNUTLS_E_INVALID_REQUEST;
break;
}
if (sinfo.pks != 0)
pkcs11_close_session(&sinfo);
return ret;
}
