int
pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
struct tls_root_ctx * const ssl_ctx)
{
int ret = 1;
X509 *x509 = NULL;
RSA *rsa = NULL;
pkcs11h_openssl_session_t openssl_session = NULL;
if ((openssl_session = pkcs11h_openssl_createSession (certificate)) == NULL)
{
msg (M_WARN, "PKCS#11: Cannot initialize openssl session");
goto cleanup;
}
/*
* Will be released by openssl_session
*/
certificate = NULL;
if ((rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL)
{
msg (M_WARN, "PKCS#11: Unable get rsa object");
goto cleanup;
}
if ((x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL)
{
msg (M_WARN, "PKCS#11: Unable get certificate object");
goto cleanup;
}
if (!SSL_CTX_use_RSAPrivateKey (ssl_ctx->ctx, rsa))
{
msg (M_WARN, "PKCS#11: Cannot set private key for openssl");
goto cleanup;
}
if (!SSL_CTX_use_certificate (ssl_ctx->ctx, x509))
{
msg (M_WARN, "PKCS#11: Cannot set certificate for openssl");
goto cleanup;
}
ret = 0;
cleanup:
/*
* Certificate freeing is usually handled by openssl_session.
* If something went wrong, creating the session we have to do it manually.
*/
if (certificate != NULL) {
pkcs11h_certificate_freeCertificate (certificate);
certificate = NULL;
}
/*
* openssl objects have reference
* count, so release them
*/
if (x509 != NULL)
{
X509_free (x509);
x509 = NULL;
}
if (rsa != NULL)
{
RSA_free (rsa);
rsa = NULL;
}
if (openssl_session != NULL)
{
pkcs11h_openssl_freeSession (openssl_session);
openssl_session = NULL;
}
return ret;
}
int
SSL_CTX_use_pkcs11 (
IN OUT SSL_CTX * const ssl_ctx,
IN const char * const pkcs11_slot_type,
IN const char * const pkcs11_slot,
IN const char * const pkcs11_id_type,
IN const char * const pkcs11_id
) {
X509 *x509 = NULL;
RSA *rsa = NULL;
pkcs11h_certificate_id_t certificate_id = NULL;
pkcs11h_certificate_t certificate = NULL;
pkcs11h_openssl_session_t openssl_session = NULL;
CK_RV rv = CKR_OK;
bool fOK = true;
ASSERT (ssl_ctx!=NULL);
ASSERT (pkcs11_slot_type!=NULL);
ASSERT (pkcs11_slot!=NULL);
ASSERT (pkcs11_id_type!=NULL);
ASSERT (pkcs11_id!=NULL);
dmsg (
D_PKCS11_DEBUG,
"PKCS#11: SSL_CTX_use_pkcs11 - entered - ssl_ctx=%p, pkcs11_slot_type='%s', pkcs11_slot='%s', pkcs11_id_type='%s', pkcs11_id='%s'",
(void *)ssl_ctx,
pkcs11_slot_type,
pkcs11_slot,
pkcs11_id_type,
pkcs11_id
);
ASSERT (ssl_ctx!=NULL);
ASSERT (pkcs11_slot_type!=NULL);
ASSERT (pkcs11_slot!=NULL);
ASSERT (pkcs11_id_type!=NULL);
ASSERT (pkcs11_id!=NULL);
if (
fOK &&
(rv = pkcs11h_locate_certificate (
pkcs11_slot_type,
pkcs11_slot,
pkcs11_id_type,
pkcs11_id,
&certificate_id
)) != CKR_OK
) {
fOK = false;
msg (M_WARN, "PKCS#11: Cannot set parameters %ld-'%s'", rv, pkcs11h_getMessage (rv));
}
if (
fOK &&
(rv = pkcs11h_certificate_create (
certificate_id,
PKCS11H_PIN_CACHE_INFINITE,
&certificate
)) != CKR_OK
) {
fOK = false;
msg (M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage (rv));
}
if (
fOK &&
(openssl_session = pkcs11h_openssl_createSession (certificate)) == NULL
) {
fOK = false;
msg (M_WARN, "PKCS#11: Cannot initialize openssl session");
}
if (fOK) {
/*
* Will be released by openssl_session
*/
certificate = NULL;
}
if (
fOK &&
(rsa = pkcs11h_openssl_getRSA (openssl_session)) == NULL
) {
fOK = false;
msg (M_WARN, "PKCS#11: Unable get rsa object");
}
if (
fOK &&
(x509 = pkcs11h_openssl_getX509 (openssl_session)) == NULL
) {
fOK = false;
msg (M_WARN, "PKCS#11: Unable get certificate object");
}
if (
fOK &&
!SSL_CTX_use_RSAPrivateKey (ssl_ctx, rsa)
) {
fOK = false;
msg (M_WARN, "PKCS#11: Cannot set private key for openssl");
}
if (
fOK &&
!SSL_CTX_use_certificate (ssl_ctx, x509)
) {
fOK = false;
msg (M_WARN, "PKCS#11: Cannot set certificate for openssl");
}
/*
* openssl objects have reference
* count, so release them
*/
if (x509 != NULL) {
X509_free (x509);
x509 = NULL;
}
if (rsa != NULL) {
RSA_free (rsa);
rsa = NULL;
}
if (certificate != NULL) {
pkcs11h_freeCertificate (certificate);
certificate = NULL;
}
if (certificate_id != NULL) {
pkcs11h_freeCertificateId (certificate_id);
certificate_id = NULL;
}
if (openssl_session != NULL) {
pkcs11h_openssl_freeSession (openssl_session);
openssl_session = NULL;
}
dmsg (
D_PKCS11_DEBUG,
"PKCS#11: SSL_CTX_use_pkcs11 - return fOK=%d, rv=%ld",
fOK ? 1 : 0,
rv
);
return fOK ? 1 : 0;
}
