void cfg_p11token (char *item, int itemno, char *value) { unsigned int token_seq = 0; char *p11uri; #ifdef DEBUG fprintf (stdout, "DEBUG: DECLARE %s AS %s\n", item, value); #endif if (!configvars [CFGVAR_PKCS11_PATH]) { fprintf (stderr, "You must specify pkcs11_path before any number of pkcs11_token\n"); exit (1); } if (gnutls_pkcs11_add_provider (configvars [CFGVAR_PKCS11_PATH], NULL) != 0) { fprintf (stderr, "Failed to register PKCS #11 library %s with GnuTLS\n", configvars [CFGVAR_PKCS11_PATH]); exit (1); } while (gnutls_pkcs11_token_get_url (token_seq, 0, &p11uri) == 0) { #ifdef DEBUG printf ("DEBUG: Found token URI %s\n", p11uri); #endif //TODO// if (gnutls_pkcs11_token_get_info (p11uri, GNUTLS_PKCS11_TOKEN_LABEL-of-SERIAL-of-MANUFACTURER-of-MODEL, output, utput_size) == 0) { ... } gnutls_free (p11uri); token_seq++; } //TODO// Select token by name (value) //TODO// if PIN available then set it up //TODO:WHY?// free_p11pin (); }
void doit(void) { int ret, status; const char *lib; gnutls_privkey_t pkey; pid_t pid; signal(SIGPIPE, SIG_IGN); gnutls_pkcs11_set_pin_function(pin_func, NULL); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); lib = getenv("P11MOCKLIB1"); if (lib == NULL) lib = P11LIB; ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_pkcs11_add_provider(lib, NULL); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } assert(gnutls_privkey_init(&pkey) == 0); ret = gnutls_privkey_import_url(pkey, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); exit(1); } /* fork to force PKCS#11 reinitialization */ pid = fork(); if (pid == -1) { exit(1); } else if (pid) { waitpid(pid, &status, 0); check_wait_status(status); goto cleanup; } do_thread_stuff(pkey); cleanup: gnutls_privkey_deinit(pkey); }
void doit(void) { char buf[128]; int exit_val = 0; int ret; unsigned j; const char *lib, *bin; gnutls_x509_crt_t issuer = NULL; gnutls_x509_trust_list_t tl; gnutls_x509_crt_t certs[MAX_CHAIN]; gnutls_x509_crt_t intermediate; gnutls_datum_t tmp; /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ #ifdef _WIN32 exit(77); #endif bin = softhsm_bin(); lib = softhsm_lib(); ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_pkcs11_set_pin_function(pin_func, NULL); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); set_softhsm_conf(CONFIG); snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); system(buf); ret = gnutls_pkcs11_add_provider(lib, "trusted"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } for (j = 0; ca_list[j]; j++) { if (debug > 2) printf("\tAdding certificate %d...", (int) j); ret = gnutls_x509_crt_init(&certs[j]); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init[%d,%d]: %s\n", (int) 3, (int) j, gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) ca_list[j]; tmp.size = strlen(ca_list[j]); ret = gnutls_x509_crt_import(certs[j], &tmp, GNUTLS_X509_FMT_PEM); if (debug > 2) printf("done\n"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import[%d]: %s\n", (int) j, gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCertificate %d: %.*s\n", (int) j, tmp.size, tmp.data); gnutls_free(tmp.data); } if (debug > 2) printf("\tAdding intermediate certificate..."); ret = gnutls_x509_crt_init(&intermediate); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) intermediate_str; tmp.size = strlen(intermediate_str); ret = gnutls_x509_crt_import(intermediate, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } if (debug > 2) printf("done\n"); gnutls_x509_crt_print(intermediate, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tIntermediate Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug) printf("\tVerifying..."); /* initialize softhsm token */ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); if (ret < 0) { fail("gnutls_pkcs11_token_init\n"); exit(1); } /* write CA certificate to softhsm */ for (j = 0; ca_list[j]; j++) { char name[64]; snprintf(name, sizeof(name), "test-ca%d", j); ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); exit(1); } } /* try to extract an issuer when using an object URL */ gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_trust_file(tl, OBJ_URL, NULL, 0, 0, 0); if (ret != 1) { fail("gnutls_x509_trust_list_add_trust_file (with expl. object 0): %d\n", ret); exit(1); } /* extract the issuer of the certificate */ ret = gnutls_x509_trust_list_get_issuer(tl, intermediate, &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) { fail("gnutls_x509_trust_list_get_issuer (with expl. object) should have succeeded\n"); exit(1); } gnutls_x509_crt_deinit(issuer); gnutls_x509_trust_list_deinit(tl, 0); /* Try to extract issuers using PKCS #11 token URL */ gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_trust_file\n"); exit(1); } /* extract the issuer of the certificate */ ret = gnutls_x509_trust_list_get_issuer(tl, intermediate, &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) { fail("gnutls_x509_trust_list_get_issuer should have succeeded\n"); exit(1); } gnutls_x509_crt_deinit(issuer); ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[2], GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret == 0) { fail("error in gnutls_pkcs11_crt_is_known - 0\n"); exit(1); } ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[0], GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret == 0) { fail("error in gnutls_pkcs11_crt_is_known - 0\n"); exit(1); } ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[1], GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret == 0) { fail("error in gnutls_pkcs11_crt_is_known - 0\n"); exit(1); } gnutls_x509_trust_list_deinit(tl, 0); /* deinit */ if (debug) printf("\tCleanup..."); gnutls_x509_crt_deinit(intermediate); for (j = 0; ca_list[j]; j++) { gnutls_x509_crt_deinit(certs[j]); } if (debug) printf("done\n\n\n"); gnutls_global_deinit(); if (debug) printf("Exit status...%d\n", exit_val); remove(CONFIG); exit(exit_val); }
void doit(void) { int ret; const char *lib; gnutls_privkey_t key; gnutls_pkcs11_obj_t obj; gnutls_datum_t sig = {NULL, 0}, data; unsigned flags = 0; lib = getenv("P11MOCKLIB1"); if (lib == NULL) lib = P11LIB; { void *dl; unsigned int *pflags; dl = dlopen(lib, RTLD_NOW); if (dl == NULL) { fail("could not dlopen %s\n", lib); exit(1); } pflags = dlsym(dl, "pkcs11_mock_flags"); if (pflags == NULL) { fail("could find pkcs11_mock_flags\n"); exit(1); } *pflags = MOCK_FLAG_ALWAYS_AUTH; } data.data = (void*)"\x38\x17\x0c\x08\xcb\x45\x8f\xd4\x87\x9c\x34\xb6\xf6\x08\x29\x4c\x50\x31\x2b\xbb"; data.size = 20; ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_pkcs11_add_provider(lib, NULL); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_pkcs11_obj_init(&obj); assert(ret>=0); gnutls_pkcs11_obj_set_pin_function(obj, pin_func, NULL); ret = gnutls_pkcs11_obj_import_url(obj, "pkcs11:object=test;type=private", GNUTLS_PKCS11_OBJ_FLAG_LOGIN); assert(ret>=0); ret = gnutls_pkcs11_obj_get_flags(obj, &flags); assert(ret>=0); if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH)) { fail("key object doesn't have the always authenticate flag\n"); } gnutls_pkcs11_obj_deinit(obj); ret = gnutls_privkey_init(&key); assert(ret>=0); gnutls_privkey_set_pin_function(key, pin_func, NULL); ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } pin_called = 0; ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } if (pin_called == 0) { fail("PIN function wasn't called!\n"); } pin_called = 0; gnutls_free(sig.data); /* call again - should re-authenticate */ ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } if (pin_called == 0) { fail("PIN function wasn't called twice!\n"); } pin_called = 0; gnutls_free(sig.data); if (debug) printf("done\n\n\n"); gnutls_privkey_deinit(key); gnutls_pkcs11_deinit(); gnutls_global_deinit(); }
static void cmd_parser (int argc, char **argv) { int ret, debug = 0; common_info_st cinfo; unsigned int pkcs11_type = -1, key_type = GNUTLS_PK_UNKNOWN; const char* url = NULL; unsigned int detailed_url = 0, optct; unsigned int login = 0, bits = 0; const char* label = NULL, *sec_param = NULL; optct = optionProcess( &p11toolOptions, argc, argv); argc += optct; argv += optct; if (url == NULL && argc > 0) url = argv[0]; else url = "pkcs11:"; if (HAVE_OPT(DEBUG)) debug = OPT_VALUE_DEBUG; gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (debug); if (debug > 1) printf ("Setting log level to %d\n", debug); if ((ret = gnutls_global_init ()) < 0) error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret)); if (HAVE_OPT(PROVIDER)) { ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_MANUAL, NULL); if (ret < 0) fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret)); else { ret = gnutls_pkcs11_add_provider (OPT_ARG(PROVIDER), NULL); if (ret < 0) error (EXIT_FAILURE, 0, "pkcs11_add_provider: %s", gnutls_strerror (ret)); } } else { ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL); if (ret < 0) fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret)); } if (HAVE_OPT(OUTFILE)) { outfile = safe_open_rw (OPT_ARG(OUTFILE), 0); if (outfile == NULL) error (EXIT_FAILURE, errno, "%s", OPT_ARG(OUTFILE)); } else outfile = stdout; memset (&cinfo, 0, sizeof (cinfo)); if (HAVE_OPT(SECRET_KEY)) cinfo.secret_key = OPT_ARG(SECRET_KEY); if (HAVE_OPT(LOAD_PRIVKEY)) cinfo.privkey = OPT_ARG(LOAD_PRIVKEY); if (HAVE_OPT(PKCS8)) cinfo.pkcs8 = 1; if (ENABLED_OPT(INDER) || ENABLED_OPT(INRAW)) cinfo.incert_format = GNUTLS_X509_FMT_DER; else cinfo.incert_format = GNUTLS_X509_FMT_PEM; if (HAVE_OPT(LOAD_CERTIFICATE)) cinfo.cert = OPT_ARG(LOAD_CERTIFICATE); if (HAVE_OPT(LOAD_PUBKEY)) cinfo.pubkey = OPT_ARG(LOAD_PUBKEY); if (ENABLED_OPT(DETAILED_URL)) detailed_url = 1; if (ENABLED_OPT(LOGIN)) login = 1; if (HAVE_OPT(LABEL)) { label = OPT_ARG(LABEL); } if (HAVE_OPT(BITS)) { bits = OPT_VALUE_BITS; } if (HAVE_OPT(SEC_PARAM)) { sec_param = OPT_ARG(SEC_PARAM); } if (debug > 0) { if (HAVE_OPT(PRIVATE)) fprintf(stderr, "Private: %s\n", ENABLED_OPT(PRIVATE)?"yes":"no"); fprintf(stderr, "Trusted: %s\n", ENABLED_OPT(TRUSTED)?"yes":"no"); fprintf(stderr, "Login: %s\n", ENABLED_OPT(LOGIN)?"yes":"no"); fprintf(stderr, "Detailed URLs: %s\n", ENABLED_OPT(DETAILED_URL)?"yes":"no"); fprintf(stderr, "\n"); } /* handle actions */ if (HAVE_OPT(LIST_TOKENS)) pkcs11_token_list (outfile, detailed_url, &cinfo); else if (HAVE_OPT(LIST_MECHANISMS)) pkcs11_mechanism_list (outfile, url, login, &cinfo); else if (HAVE_OPT(LIST_ALL)) { pkcs11_type = PKCS11_TYPE_ALL; pkcs11_list (outfile, url, pkcs11_type, login, detailed_url, &cinfo); } else if (HAVE_OPT(LIST_ALL_CERTS)) { pkcs11_type = PKCS11_TYPE_CRT_ALL; pkcs11_list (outfile, url, pkcs11_type, login, detailed_url, &cinfo); } else if (HAVE_OPT(LIST_CERTS)) { pkcs11_type = PKCS11_TYPE_PK; pkcs11_list (outfile, url, pkcs11_type, login, detailed_url, &cinfo); } else if (HAVE_OPT(LIST_ALL_PRIVKEYS)) { pkcs11_type = PKCS11_TYPE_PRIVKEY; pkcs11_list (outfile, url, pkcs11_type, login, detailed_url, &cinfo); } else if (HAVE_OPT(LIST_ALL_TRUSTED)) { pkcs11_type = PKCS11_TYPE_TRUSTED; pkcs11_list (outfile, url, pkcs11_type, login, detailed_url, &cinfo); } else if (HAVE_OPT(EXPORT)) { pkcs11_export (outfile, url, login, &cinfo); } else if (HAVE_OPT(WRITE)) { int priv; if (HAVE_OPT(PRIVATE)) priv = ENABLED_OPT(PRIVATE); else priv = -1; pkcs11_write (outfile, url, label, ENABLED_OPT(TRUSTED), priv, login, &cinfo); } else if (HAVE_OPT(INITIALIZE)) pkcs11_init (outfile, url, label, &cinfo); else if (HAVE_OPT(DELETE)) pkcs11_delete (outfile, url, 0, login, &cinfo); else if (HAVE_OPT(GENERATE_ECC)) { key_type = GNUTLS_PK_EC; pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, sec_param), label, ENABLED_OPT(PRIVATE), detailed_url, login, &cinfo); } else if (HAVE_OPT(GENERATE_RSA)) { key_type = GNUTLS_PK_RSA; pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, sec_param), label, ENABLED_OPT(PRIVATE), detailed_url, login, &cinfo); } else if (HAVE_OPT(GENERATE_DSA)) { key_type = GNUTLS_PK_DSA; pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, sec_param), label, ENABLED_OPT(PRIVATE), detailed_url, login, &cinfo); } else { USAGE(1); } fclose (outfile); #ifdef ENABLE_PKCS11 gnutls_pkcs11_deinit (); #endif gnutls_global_deinit (); }
void doit(void) { int ret; const char *lib; gnutls_privkey_t key; gnutls_pubkey_t pub; gnutls_datum_t m1, e1; gnutls_datum_t m2, e2; ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); lib = getenv("P11MOCKLIB1"); if (lib == NULL) lib = P11LIB; ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_pkcs11_add_provider(lib, NULL); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_privkey_init(&key); assert(ret>=0); ret = gnutls_pubkey_init(&pub); assert(ret>=0); gnutls_privkey_set_pin_function(key, pin_func, NULL); ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_pubkey_import_privkey(pub, key, 0, 0); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_pubkey_export_rsa_raw(pub, &m1, &e1); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_pubkey_deinit(pub); gnutls_privkey_deinit(key); /* try again using gnutls_pubkey_import_url */ ret = gnutls_pubkey_init(&pub); assert(ret>=0); ret = gnutls_pubkey_import_url(pub, "pkcs11:object=test;type=public", 0); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_pubkey_export_rsa_raw(pub, &m2, &e2); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } assert(m1.size == m2.size); assert(e1.size == e2.size); assert(memcmp(e1.data, e2.data, e2.size)==0); assert(memcmp(m1.data, m2.data, m2.size)==0); gnutls_pubkey_deinit(pub); gnutls_free(m1.data); gnutls_free(e1.data); gnutls_free(m2.data); gnutls_free(e2.data); gnutls_pkcs11_deinit(); gnutls_global_deinit(); }
void doit(void) { char buf[128]; int ret; const char *lib, *bin; gnutls_x509_crt_t crt; gnutls_x509_privkey_t key; gnutls_datum_t tmp, sig; gnutls_privkey_t pkey; gnutls_pubkey_t pubkey; gnutls_pubkey_t pubkey2; unsigned i, sigalgo; bin = softhsm_bin(); lib = softhsm_lib(); ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); } gnutls_pkcs11_set_pin_function(pin_func, NULL); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); set_softhsm_conf(CONFIG); snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin " PIN " --pin " PIN, bin); system(buf); ret = gnutls_pkcs11_add_provider(lib, NULL); if (ret < 0) { fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); } if (verify_eddsa_presence() == 0) { fprintf(stderr, "Skipping test as no EDDSA mech is supported\n"); exit(77); } ret = gnutls_x509_crt_init(&crt); if (ret < 0) fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_import(crt, &server_ca3_eddsa_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); if (debug) { gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp); printf("\tCertificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); } ret = gnutls_x509_privkey_init(&key); if (ret < 0) { fail("gnutls_x509_privkey_init: %s\n", gnutls_strerror(ret)); } ret = gnutls_x509_privkey_import(key, &server_ca3_eddsa_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("gnutls_x509_privkey_import: %s\n", gnutls_strerror(ret)); } /* initialize softhsm token */ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); if (ret < 0) { fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); } ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, GNUTLS_PIN_USER); if (ret < 0) { fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); } ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, "cert", GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE | GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); } ret = gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert", GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE | GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE | GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_privkey: %s\n", gnutls_strerror(ret)); } gnutls_x509_crt_deinit(crt); gnutls_x509_privkey_deinit(key); gnutls_pkcs11_set_pin_function(NULL, NULL); assert(gnutls_privkey_init(&pkey) == 0); ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL ";object=cert;object-type=private;pin-value=" PIN); if (ret < 0) { fail("error in gnutls_privkey_import_pkcs11_url: %s\n", gnutls_strerror(ret)); } assert(gnutls_pubkey_init(&pubkey) == 0); assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0); assert(gnutls_pubkey_init(&pubkey2) == 0); assert(gnutls_pubkey_import_x509_raw (pubkey2, &server_ca3_eddsa_cert, GNUTLS_X509_FMT_PEM, 0) == 0); /* this is the algorithm supported by the certificate */ sigalgo = GNUTLS_SIGN_EDDSA_ED25519; for (i = 0; i < 20; i++) { /* check whether privkey and pubkey are operational * by signing and verifying */ ret = gnutls_privkey_sign_data2(pkey, sigalgo, 0, &testdata, &sig); if (ret < 0) myfail("Error signing data %s\n", gnutls_strerror(ret)); /* verify against the pubkey in PKCS #11 */ ret = gnutls_pubkey_verify_data2(pubkey, sigalgo, 0, &testdata, &sig); if (ret < 0) myfail("Error verifying data1: %s\n", gnutls_strerror(ret)); /* verify against the raw pubkey */ ret = gnutls_pubkey_verify_data2(pubkey2, sigalgo, 0, &testdata, &sig); if (ret < 0) myfail("Error verifying data2: %s\n", gnutls_strerror(ret)); gnutls_free(sig.data); } gnutls_pubkey_deinit(pubkey2); gnutls_pubkey_deinit(pubkey); gnutls_privkey_deinit(pkey); gnutls_global_deinit(); remove(CONFIG); }
static void gaa_parser (int argc, char **argv) { int ret; common_info_st cinfo; if (gaa (argc, argv, &info) != -1) { fprintf (stderr, "Try `%s --help' for more information.\n", program_name); exit (1); } gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (info.debug); if (info.debug > 1) printf ("Setting log level to %d\n", info.debug); if ((ret = gnutls_global_init ()) < 0) error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret)); if (info.pkcs11_provider != NULL) { ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_MANUAL, NULL); if (ret < 0) fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret)); else { ret = gnutls_pkcs11_add_provider (info.pkcs11_provider, NULL); if (ret < 0) error (EXIT_FAILURE, 0, "pkcs11_add_provider: %s", gnutls_strerror (ret)); } } else { ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL); if (ret < 0) fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret)); } if (info.outfile) { outfile = safe_open_rw (info.outfile, 0); if (outfile == NULL) error (EXIT_FAILURE, errno, "%s", info.outfile); } else outfile = stdout; memset (&cinfo, 0, sizeof (cinfo)); cinfo.secret_key = info.secret_key; cinfo.privkey = info.privkey; cinfo.pkcs8 = info.pkcs8; cinfo.incert_format = info.incert_format; cinfo.cert = info.cert; switch (info.action) { case ACTION_PKCS11_LIST: pkcs11_list (outfile, info.pkcs11_url, info.pkcs11_type, info.pkcs11_login, info.pkcs11_detailed_url, &cinfo); break; case ACTION_PKCS11_TOKENS: pkcs11_token_list (outfile, info.pkcs11_detailed_url, &cinfo); break; case ACTION_PKCS11_MECHANISMS: pkcs11_mechanism_list (outfile, info.pkcs11_url, info.pkcs11_login, &cinfo); break; case ACTION_PKCS11_EXPORT_URL: pkcs11_export (outfile, info.pkcs11_url, info.pkcs11_login, &cinfo); break; case ACTION_PKCS11_WRITE_URL: pkcs11_write (outfile, info.pkcs11_url, info.pkcs11_label, info.pkcs11_trusted, info.pkcs11_login, &cinfo); break; case ACTION_PKCS11_TOKEN_INIT: pkcs11_init (outfile, info.pkcs11_url, info.pkcs11_label, &cinfo); break; case ACTION_PKCS11_DELETE_URL: pkcs11_delete (outfile, info.pkcs11_url, 0, info.pkcs11_login, &cinfo); break; default: gaa_help (); exit (0); } fclose (outfile); gnutls_pkcs11_deinit (); gnutls_global_deinit (); }
void doit(void) { char buf[128]; int exit_val = 0; int ret; unsigned j; const char *lib, *bin; gnutls_x509_crt_t issuer = NULL; gnutls_x509_trust_list_t tl; gnutls_x509_crt_t certs[MAX_CHAIN]; gnutls_x509_crt_t end, ca; unsigned verify_status = 0; gnutls_datum_t tmp; /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ #ifdef _WIN32 exit(77); #endif bin = softhsm_bin(); lib = softhsm_lib(); ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_pkcs11_set_pin_function(pin_func, NULL); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); set_softhsm_conf(CONFIG); snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); system(buf); ret = gnutls_pkcs11_add_provider(lib, "trusted"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } for (j = 0; ca_list[j]; j++) { if (debug > 2) printf("\tAdding certificate %d...", (int) j); ret = gnutls_x509_crt_init(&certs[j]); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init[%d,%d]: %s\n", (int) 3, (int) j, gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) ca_list[j]; tmp.size = strlen(ca_list[j]); ret = gnutls_x509_crt_import(certs[j], &tmp, GNUTLS_X509_FMT_PEM); if (debug > 2) printf("done\n"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import[%d]: %s\n", (int) j, gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCertificate %d: %.*s\n", (int) j, tmp.size, tmp.data); gnutls_free(tmp.data); } if (debug > 2) printf("\tAdding end certificate..."); ret = gnutls_x509_crt_init(&end); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) v1_root_check[0]; tmp.size = strlen(v1_root_check[0]); ret = gnutls_x509_crt_import(end, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tEnd Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); ret = gnutls_x509_crt_init(&ca); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) v1_root_check[1]; tmp.size = strlen(v1_root_check[1]); ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCA Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug > 2) printf("done\n"); if (debug) printf("\tChecking presence and verification..."); /* initialize softhsm token */ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); if (ret < 0) { fail("gnutls_pkcs11_token_init\n"); exit(1); } /* write CA certificate to softhsm */ for (j = 0; ca_list[j]; j++) { char name[64]; snprintf(name, sizeof(name), "test-ca%d", j); ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); exit(1); } } gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_trust_file\n"); exit(1); } ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_cas\n"); exit(1); } /* extract the issuer of the certificate */ ret = gnutls_x509_trust_list_get_issuer(tl, end, &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) { fail("gnutls_x509_trust_list_get_issuer should have succeeded\n"); exit(1); } gnutls_x509_crt_deinit(issuer); ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, ca, GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret != 0) { fail("gnutls_pkcs11_crt_is_known should have failed!\n"); exit(1); } ret = gnutls_x509_trust_list_verify_crt2(tl, &end, 1, NULL, 0, GNUTLS_VERIFY_DISABLE_TIME_CHECKS, &verify_status, NULL); if (ret < 0) { fail("gnutls_x509_trust_list_verify_crt2 should have succeeded\n"); exit(1); } if (verify_status != 0) { fail("verification should have succeeded: %.2x\n", verify_status); exit(1); } if (debug) printf("\tCleanup..."); gnutls_x509_trust_list_deinit(tl, 0); gnutls_x509_crt_deinit(ca); gnutls_x509_crt_deinit(end); for (j = 0; ca_list[j]; j++) { gnutls_x509_crt_deinit(certs[j]); } if (debug) printf("done\n\n\n"); gnutls_global_deinit(); if (debug) printf("Exit status...%d\n", exit_val); remove(CONFIG); exit(exit_val); }
void doit(void) { int ret; const char *lib; gnutls_privkey_t key; gnutls_datum_t sig = {NULL, 0}, data; pid_t pid; data.data = (void*)"\x38\x17\x0c\x08\xcb\x45\x8f\xd4\x87\x9c\x34\xb6\xf6\x08\x29\x4c\x50\x31\x2b\xbb"; data.size = 20; ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); lib = getenv("P11MOCKLIB1"); if (lib == NULL) lib = P11LIB; ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_pkcs11_add_provider(lib, NULL); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_privkey_init(&key); assert(ret>=0); gnutls_privkey_set_pin_function(key, pin_func, NULL); ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_free(sig.data); pid = fork(); if (pid != 0) { int status; assert(waitpid(pid, &status, 0) >= 0); if (WEXITSTATUS(status) != 0) { fail("child return status was unexpected: %d\n", WEXITSTATUS(status)); exit(1); } } else { /* child */ ret = gnutls_pkcs11_reinit(); assert(ret == 0); ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_free(sig.data); gnutls_privkey_deinit(key); gnutls_pkcs11_deinit(); gnutls_global_deinit(); exit(0); } if (debug) printf("done\n\n\n"); gnutls_privkey_deinit(key); gnutls_pkcs11_deinit(); gnutls_global_deinit(); }
void doit(void) { int ret; gnutls_x509_crt_t crt, ocrt; unsigned keyusage; const char *lib; ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } lib = getenv("P11MOCKLIB1"); if (lib == NULL) lib = P11LIB; gnutls_global_set_time_function(mytime); if (debug) { gnutls_global_set_log_level(4711); success("loading lib %s\n", lib); } ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_pkcs11_add_provider(lib, "trusted"); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } assert(gnutls_x509_crt_init(&crt)>=0); assert(gnutls_x509_crt_init(&ocrt)>=0); /* check high level certificate functions */ ret = gnutls_x509_crt_import_url(crt, "pkcs11:type=cert;object=cert1", 0); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_crt_import_url(ocrt, "pkcs11:type=cert;object=cert1", GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_crt_equals(crt, ocrt); if (ret != 0) { fail("exported certificates are equal!\n"); } ret = gnutls_x509_crt_get_ca_status(ocrt, NULL); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } if (ret == 0) { fail("overriden cert is not a CA!\n"); exit(1); } ret = gnutls_x509_crt_get_key_usage(ocrt, &keyusage, NULL); if (ret < 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } if (keyusage != (GNUTLS_KEY_KEY_ENCIPHERMENT|GNUTLS_KEY_ENCIPHER_ONLY|GNUTLS_KEY_KEY_CERT_SIGN)) { fail("Extension does not have the expected key usage!\n"); } gnutls_x509_crt_deinit(crt); gnutls_x509_crt_deinit(ocrt); if (debug) printf("done\n\n\n"); gnutls_global_deinit(); }