static void g_tls_certificate_gnutls_pkcs11_copy (GTlsCertificateGnutls *gnutls, const gchar *interaction_id, gnutls_retr2_st *st) { GTlsCertificateGnutlsPkcs11 *self = G_TLS_CERTIFICATE_GNUTLS_PKCS11 (gnutls); gchar *uri; st->key.x509 = NULL; /* Let the base class copy certificate in */ G_TLS_CERTIFICATE_GNUTLS_CLASS (g_tls_certificate_gnutls_pkcs11_parent_class)->copy (gnutls, interaction_id, st); /* This is the allocation behavior we expect from base class */ g_assert (st->deinit_all); /* If the base class somehow put a key in, then respect that */ if (st->key.x509 == NULL) { uri = g_tls_certificate_gnutls_pkcs11_build_private_key_uri (self, interaction_id); if (uri != NULL) { gnutls_pkcs11_privkey_init (&st->key.pkcs11); gnutls_pkcs11_privkey_import_url (st->key.pkcs11, uri, GNUTLS_PKCS11_URL_GENERIC); st->key_type = GNUTLS_PRIVKEY_PKCS11; g_free (uri); } } }
/** * gnutls_privkey_export_pkcs11: * @pkey: The private key * @key: Location for the key to be exported. * * Converts the given abstract private key to a #gnutls_pkcs11_privkey_t * type. The key must be of type %GNUTLS_PRIVKEY_PKCS11. The key * returned in @key must be deinitialized with * gnutls_pkcs11_privkey_deinit(). * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. * * Since: 3.4.0 */ int gnutls_privkey_export_pkcs11(gnutls_privkey_t pkey, gnutls_pkcs11_privkey_t *key) { int ret; if (pkey->type != GNUTLS_PRIVKEY_PKCS11) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } ret = gnutls_pkcs11_privkey_init(key); if (ret < 0) return gnutls_assert_val(ret); ret = gnutls_pkcs11_privkey_cpy(*key, pkey->key.pkcs11); if (ret < 0) { gnutls_pkcs11_privkey_deinit(*key); *key = NULL; return gnutls_assert_val(ret); } return 0; }
static gnutls_privkey_t _load_pkcs11_privkey(const char* url) { int ret; gnutls_pkcs11_privkey_t p11key; gnutls_privkey_t key; ret = gnutls_privkey_init (&key); if (ret < 0) error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret)); ret = gnutls_pkcs11_privkey_init (&p11key); if (ret < 0) error (EXIT_FAILURE, 0, "pkcs11_privkey_init: %s", gnutls_strerror (ret)); ret = gnutls_pkcs11_privkey_import_url(p11key, url, 0); if (ret < 0) error (EXIT_FAILURE, 0, "importing PKCS #11 key: %s: %s", url, gnutls_strerror (ret)); ret = gnutls_privkey_import_pkcs11(key, p11key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_privkey_import_pkcs11: %s", gnutls_strerror (ret)); return key; }
void pkcs11_export_pubkey(FILE * outfile, const char *url, int detailed, unsigned int flags, common_info_st * info) { int ret; gnutls_datum_t pubkey; gnutls_pkcs11_privkey_t pkey; pkcs11_common(info); FIX(url, outfile, detailed, info); CHECK_LOGIN_FLAG(flags); if (outfile == stderr || outfile == stdout) { fprintf(stderr, "warning: no --outfile was specified and the public key will be printed on screen.\n"); sleep(3); } ret = gnutls_pkcs11_privkey_init(&pkey); if (ret < 0) { fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); exit(1); } ret = gnutls_pkcs11_privkey_import_url(pkey, url, 0); if (ret < 0) { fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); exit(1); } ret = gnutls_pkcs11_privkey_export_pubkey(pkey, GNUTLS_X509_FMT_PEM, &pubkey, flags); if (ret < 0) { fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); exit(1); } gnutls_pkcs11_privkey_deinit(pkey); fwrite(pubkey.data, 1, pubkey.size, outfile); gnutls_free(pubkey.data); UNFIX; return; }
static int _gnutls_privkey_import_pkcs11_url(gnutls_privkey_t key, const char *url, unsigned flags) { gnutls_pkcs11_privkey_t pkey; int ret; ret = gnutls_pkcs11_privkey_init(&pkey); if (ret < 0) { gnutls_assert(); return ret; } if (key->pin.cb) gnutls_pkcs11_privkey_set_pin_function(pkey, key->pin.cb, key->pin.data); ret = gnutls_pkcs11_privkey_import_url(pkey, url, flags); if (ret < 0) { gnutls_assert(); goto cleanup; } ret = gnutls_privkey_import_pkcs11(key, pkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { gnutls_assert(); goto cleanup; } return 0; cleanup: gnutls_pkcs11_privkey_deinit(pkey); return ret; }
/* Load the certificate and the private key. */ static void load_keys (void) { unsigned int crt_num; int ret, i; gnutls_datum_t data = { NULL, 0 }; gnutls_x509_crt_t crt_list[MAX_CRT]; #ifdef ENABLE_PKCS11 gnutls_pkcs11_privkey_t pkcs11_key; #endif gnutls_x509_privkey_t tmp_key; unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE]; if (x509_certfile != NULL && x509_keyfile != NULL) { #ifdef ENABLE_PKCS11 if (strncmp (x509_certfile, "pkcs11:", 7) == 0) { crt_num = 1; gnutls_x509_crt_init (&crt_list[0]); ret = gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, 0); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ret = gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } x509_crt_size = 1; } else #endif /* ENABLE_PKCS11 */ { data = load_file (x509_certfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } crt_num = MAX_CRT; ret = gnutls_x509_crt_list_import (crt_list, &crt_num, &data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if (ret < 0) { if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { fprintf (stderr, "*** Error loading cert file: Too many certs %d\n", crt_num); } else { fprintf (stderr, "*** Error loading cert file: %s\n", gnutls_strerror (ret)); } exit (1); } x509_crt_size = ret; } for (i=0;i<x509_crt_size;i++) { ret = gnutls_pcert_import_x509(&x509_crt[i], crt_list[i], 0); if (ret < 0) { fprintf(stderr, "*** Error importing crt to pcert: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_deinit(crt_list[i]); } unload_file (&data); ret = gnutls_privkey_init(&x509_key); if (ret < 0) { fprintf (stderr, "*** Error initializing key: %s\n", gnutls_strerror (ret)); exit (1); } #ifdef ENABLE_PKCS11 if (strncmp (x509_keyfile, "pkcs11:", 7) == 0) { gnutls_pkcs11_privkey_init (&pkcs11_key); ret = gnutls_pkcs11_privkey_import_url (pkcs11_key, x509_keyfile, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } ret = gnutls_privkey_import_pkcs11( x509_key, pkcs11_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } } else #endif /* ENABLE_PKCS11 */ { data = load_file (x509_keyfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading key file.\n"); exit (1); } gnutls_x509_privkey_init (&tmp_key); ret = gnutls_x509_privkey_import (tmp_key, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf (stderr, "*** Error loading key file: %s\n", gnutls_strerror (ret)); exit (1); } ret = gnutls_privkey_import_x509( x509_key, tmp_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (&data); } fprintf (stdout, "Processed %d client X.509 certificates...\n", x509_crt_size); } #ifdef ENABLE_OPENPGP if (info.pgp_subkey != NULL) { get_keyid (keyid, info.pgp_subkey); } if (pgp_certfile != NULL && pgp_keyfile != NULL) { gnutls_openpgp_crt_t tmp_pgp_crt; data = load_file (pgp_certfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading PGP cert file.\n"); exit (1); } gnutls_openpgp_crt_init (&tmp_pgp_crt); ret = gnutls_pcert_import_openpgp_raw (&pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64, info.pgp_subkey!=NULL?keyid:NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading PGP cert file: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (&data); ret = gnutls_privkey_init(&pgp_key); if (ret < 0) { fprintf (stderr, "*** Error initializing key: %s\n", gnutls_strerror (ret)); exit (1); } #ifdef ENABLE_PKCS11 if (strncmp (pgp_keyfile, "pkcs11:", 7) == 0) { gnutls_pkcs11_privkey_init (&pkcs11_key); ret = gnutls_pkcs11_privkey_import_url (pkcs11_key, pgp_keyfile, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } ret = gnutls_privkey_import_pkcs11( pgp_key, pkcs11_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } } else #endif /* ENABLE_PKCS11 */ { gnutls_openpgp_privkey_t tmp_pgp_key; data = load_file (pgp_keyfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading PGP key file.\n"); exit (1); } gnutls_openpgp_privkey_init (&tmp_pgp_key); ret = gnutls_openpgp_privkey_import (tmp_pgp_key, &data, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading PGP key file: %s\n", gnutls_strerror (ret)); exit (1); } if (info.pgp_subkey != NULL) { ret = gnutls_openpgp_privkey_set_preferred_key_id (tmp_pgp_key, keyid); if (ret < 0) { fprintf (stderr, "*** Error setting preferred sub key id (%s): %s\n", info.pgp_subkey, gnutls_strerror (ret)); exit (1); } } ret = gnutls_privkey_import_openpgp( pgp_key, tmp_pgp_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (&data); } fprintf (stdout, "Processed 1 client PGP certificate...\n"); } #endif }