diff --git a/.gitignore b/.gitignore index 310e9ed..53eaa21 100644 --- a/.gitignore +++ b/.gitignore @@ -1,124 +1,2 @@ -.deps/ -.vagrant/ -Makefile -Makefile.in -aclocal.m4 -autom4te.cache/ -config.log -config.status -configure -doxygen-doc/ -libtool -m4/libtool.m4 -m4/ltoptions.m4 -m4/ltsugar.m4 -m4/ltversion.m4 -m4/lt~obsolete.m4 -*.c~ -*.h~ -*.plist -.libs -ChangeLog -build-aux/ar-lib -build-aux/compile -build-aux/config.guess -build-aux/config.sub -build-aux/depcomp -build-aux/install-sh -build-aux/ltmain.sh -build-aux/missing -build-aux/test-driver -GPATH -GRTAGS -GTAGS -tmp32/ -tmp64/ -yubico-piv-tool-*-win32.zip -yubico-piv-tool-*-win32.zip.sig -yubico-piv-tool-*-win64.zip -yubico-piv-tool-*-win64.zip.sig -yubico-piv-tool-*.tar.gz -yubico-piv-tool-*.tar.gz.sig -yubico-piv-tool-*-mac.zip -yubico-piv-tool-*-mac.zip.sig -lib/tests/api -lib/tests/api.log -lib/tests/api.o -lib/tests/api.trs -lib/tests/basic -lib/tests/basic.log -lib/tests/basic.o -lib/tests/basic.trs -lib/tests/parse_key -lib/tests/parse_key.log -lib/tests/parse_key.o -lib/tests/parse_key.trs -lib/tests/test-suite.log -lib/error.lo -lib/error.o -lib/internal.la -lib/internal.lo -lib/internal.o -lib/libykpiv.la -lib/util.la -lib/util.lo -lib/util.o -lib/version.lo -lib/version.o -lib/ykpiv-version.h -lib/ykpiv.lo -lib/ykpiv.o -lib/ykpiv.pc -lib/.libs/ -tool/cmdline.c -tool/cmdline.h -tool/cmdline.o -tool/yubico-piv-tool -tool/yubico-piv-tool.1 -tool/yubico-piv-tool.exe -tool/yubico-piv-tool.o -tool/.libs/ -tool/libpiv_cmd.la -tool/libpiv_cmd_la-cmdline.lo -tool/libpiv_cmd_la-cmdline.o -tool/libpiv_util.la -tool/openssl-compat.lo -tool/openssl-compat.o -tool/util.lo -tool/util.o -tool/tests/cert_9a.pem -tool/tests/cert_9e.pem -tool/tests/basic.sh.log -tool/tests/basic.sh.trs -tool/tests/key_9a.pub -tool/tests/parse_name -tool/tests/parse_name.log -tool/tests/parse_name.o -tool/tests/parse_name.trs -tool/tests/req_9e.pem -tool/tests/test_inout -tool/tests/test_inout.log -tool/tests/test_inout.o -tool/tests/test_inout.trs -tool/tests/test-suite.log -coverage/ -lib/error.gcno -lib/version.gcno -lib/ykpiv.gcno -tool/util.gcno -tool/yubico-piv-tool.gcda -tool/yubico-piv-tool.gcno -ykcs11/.libs/ -ykcs11/*.o -ykcs11/*.lo -ykcs11/ykcs11.pc -ykcs11/libykcs11.la -ykcs11/ykcs11-version.h -ykcs11/tests/reset.sh.log -ykcs11/tests/reset.sh.trs -ykcs11/tests/test-suite.log -ykcs11/tests/ykcs11_tests -ykcs11/tests/ykcs11_tests.log -ykcs11/tests/ykcs11_tests.o -ykcs11/tests/ykcs11_tests.trs -yubico-piv-tool.1.txt +/target +**/*.rs.bk diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 09a447e..0000000 --- a/.travis.yml +++ /dev/null @@ -1,25 +0,0 @@ -language: c -os: - - osx - - linux -compiler: - - gcc - - clang -env: - - EXTRA=libpcsclite-dev -script: - - ./build-and-test.sh -matrix: - include: - - compiler: gcc - os: linux - env: EXTRA="wine mingw-w64 mingw-w64-i686-dev" REMOVE=mingw32 ARCH=32 - - compiler: gcc - os: linux - env: EXTRA="wine mingw-w64 mingw-w64-x86-64-dev" REMOVE=mingw32 ARCH=64 - - compiler: gcc - os: linux - env: COVERAGE="--enable-coverage" EXTRA="libpcsclite-dev lcov" - - compiler: gcc - os: linux - env: BUILD_OPENSSL_VERSION="1.1" EXTRA="libpcsclite-dev" diff --git a/Makefile.am b/Makefile.am deleted file mode 100644 index 853d538..0000000 --- a/Makefile.am +++ /dev/null @@ -1,102 +0,0 @@ -# Copyright (c) 2014-2016 Yubico AB -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -SUBDIRS = lib tool ykcs11 - -ACLOCAL_AMFLAGS = -I m4 - -EXTRA_DIST = windows.mk mac.mk tool/tests/basic.sh tools/fasc.pl ykcs11/tests/reset.sh - -EXTRA_DIST += doc/Attestation.adoc doc/YKCS11_release_notes.adoc doc/YubiKey_PIV_introduction.adoc - -if ENABLE_COV -cov-reset: - rm -fr coverage - find . -name "*.gcda" -exec rm {} \; - lcov --directory . --zerocounters - -cov-report: - mkdir -p coverage - lcov --compat-libtool --directory . --capture --output-file coverage/app.info - lcov --extract coverage/app.info '*.c' --output-file coverage/app2.info - genhtml -o coverage/ coverage/app2.info - -cov: - make cov-report - -clean-local: - make cov-reset - -check: - make cov -endif - -if ENABLE_CPPCHECK -cppcheck: - $(CPPCHECK) -q -v -f --enable=all -i tool/cmdline.c lib tool ykcs11 -endif - -# Maintainer rules. - -if DX_COND_html -doxygen: - doxygen lib/Doxyfile -endif - -hwcheck: - @$(srcdir)/tools/confirm.sh && YKPIV_ENV_HWTESTS_CONFIRMED="1" $(MAKE) check - -check-doc-dist: - perl -pe "s,^EXTRA_DIST \+= .*,EXTRA_DIST += `cd $(srcdir) && ls doc/*.adoc | xargs echo`," < $(srcdir)/Makefile.am > check-doc-dist.tmp - diff -ur $(srcdir)/Makefile.am check-doc-dist.tmp || \ - (rm -f check-doc-dist.tmp; echo 'error: please update $(srcdir)/Makefile.am to include all docs'; exit 1) - rm -f check-doc-dist.tmp - -ChangeLog: - cd $(srcdir) && git2cl > ChangeLog - -release: - @if test -z "$(KEYID)"; then \ - echo "Try this instead:"; \ - echo " make release KEYID=[PGPKEYID]"; \ - echo "For example:"; \ - echo " make release KEYID=2117364A"; \ - exit 1; \ - fi - head -3 $(srcdir)/NEWS | \ - grep -q "Version $(VERSION) .released `date -I`" || \ - (echo 'error: Update date/version in $(srcdir)/NEWS.'; exit 1) - rm -f $(srcdir)/ChangeLog - make check-doc-dist ChangeLog distcheck - gpg --detach-sign --default-key $(KEYID) $(PACKAGE)-$(VERSION).tar.gz - gpg --verify $(PACKAGE)-$(VERSION).tar.gz.sig - git tag -sm "$(PACKAGE)-$(VERSION)" $(PACKAGE)-$(VERSION) - git push - git push --tags - $(HELP2ADOC) -e tool/yubico-piv-tool -n "Yubico PIV Tool" -i tool/yubico-piv-tool.h2m > yubico-piv-tool.1.txt - $(YUBICO_GITHUB_REPO)/save-mans $(PACKAGE) yubico-piv-tool.1.txt - $(YUBICO_GITHUB_REPO)/publish $(PACKAGE) $(VERSION) $(PACKAGE)-$(VERSION).tar.gz* diff --git a/NEWS b/NEWS deleted file mode 100644 index a440bdb..0000000 --- a/NEWS +++ /dev/null @@ -1,298 +0,0 @@ -yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*- - -* Version 1.7.1 (unreleased) - -* Version 1.7.0 (released 2019-04-03) - -** Add ykpiv_get_serial() to API. - -** Add version and serial to status output. - -** FASC-N fixes for CHUID. - -** ykcs11: Fix ECDSA signatures. - -** Make selfsigned X.509 extensions have correct extensions to match openssl. - -** Security fixes. - -** Documentation fixes. - -** Try to clear memory that might contain secrets. - -* Version 1.6.2 (released 2018-09-14) - -** Compare reader names case insensitive. - -** Fix certificate and certificate request signatures with OpenSSL 1.1. - -* Version 1.6.1 (released 2018-08-17) - -** Compilation warning fixes for OpenSSL 1.1 builds. - -** Fix length when encoding exactly 0xff bytes. - -** Check length of objects correctly before storing in buffer. - -** Check length of certificate correctly when storing. - -* Version 1.6.0 (released 2018-08-08) - -** Security release to mitigate https://www.yubico.com/support/security-advisories/ysa-2018-03/[YSA-2018-03]. - -** Allow builiding against LibreSSL. - -** Bugfixes in OpenSSL 1.1 code. - -** Fix compilation warnings. - -** Fix ykcs11 key generation to work with OpenSSL 1.1. - -** Ykcs11 compatibility fixes. - -* Version 1.5.0 (released 2017-11-29) - -** API additions: Higher-level "util" API added to libykpiv. - -** Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries() - -** Added functions for using existing PCSC card handle. - -** Support using custom memory allocator. - -** Documentation updates. 'make doxygen' for HTML format. - -** Expanded automated tests for hardware devices, moved to 'make hwcheck'. - -** OpenSSL 1.1 support - -** Moderate internal refactoring. Many small bugs fixed. - -* Version 1.4.4 (released 2017-10-17) - -** Documentation updates. - -** Add pin caching to work around disconnect problems. - -** Disable RSA key generation on YubiKey 4 before 4.3.5. -See https://yubi.co/ysa201701/ for details. - -* Version 1.4.3 (released 2017-04-18) - -** Encode RSA x509 certificates correctly. - -** Documentation updates. - -** In ykcs11 return CKA_MODULUS correctly for private keys. - -** In ykcs11 fix for signature size approximation. - -** Fix PSS signatures in ykcs11. - -** Add a CLI flag --stdin-input to make batch execution easier. - -* Version 1.4.2 (released 2016-08-12) - -** Clarify license headers and clean up YKCS11 licensing. -Now uses pkcs11.h from the Scute project. - -** Don't install ykcs11-version.h. - -** No cflags in ykcs11.pc. - -** Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED. - -* Version 1.4.1 (released 2016-08-11) - -** Documentation updates - -** Add possibility to export certificates in SSH format. - -** Make certificate serial number random by default. - -* Version 1.4.0 (released 2016-05-03) - -** Add attest action -When used on a slot with a generated key, outputs a signed x509 certificate for -that slot showing that the key was generated in hardware. Available in firmware -4.3.0 and newer. - -** Add cached parameter for touch-policy -With cached, the touch is valid for an additional 15s. Available in firmware -4.3.0 and newer. - -** Enforce a minimum PIN length of 6 characters. - -** Fix a bug with list-readers action where it fell through processing into -write-object. - -* Version 1.3.1 (released 2016-04-19) - -** Fix a bug where unblock pin would instead change puk, introduced in 1.3.0. - -** Clarifications with help texts. - -* Version 1.3.0 (released 2016-02-19) - -** Fixed extraction of RSA modulus and exponent for pkcs11. - -** Implemented C_SetPIN for pkcs11. - -** Add generic write and read object actions for the tool. -Supports hex/binary/base64 formats - -** Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin() - -** Print CCC with status action. - -** Address bugs with pkcs11 on windows. - -** Add --valid-days and --serial to tool for selfsign-certificate action. - -** Ask for password for pkcs12 if none is given. - -* Version 1.2.2 (released 2015-12-08) - -** Fix old buffer overflow in change-pin functionality. - -* Version 1.2.1 (released 2015-12-08) - -** Fix issue with big certificates and status. - -* Version 1.2.0 (released 2015-12-07) - -** On OSX use @loader_path instead of @executable_path for ykcs11. - -** Add ykpiv_import_private_key to libykpiv. - -** Raise buffer sizes to support bigger objects. - -** Change behavior of action status, only list populated slots. - -** Add retired keys to ykcs11. - -** In ykcs11 support login with non null terminated pin. - -** Add a new action set-ccc to yubico-piv-tool to set the CCC. - -* Version 1.1.2 (released 2015-11-13) - -** Properly handle DER encoding in ECDSA signatures. - -* Version 1.1.1 (released 2015-11-11) - -** Make sure SCardContext is properly acquired and released. - -* Version 1.1.0 (released 2015-11-06) - -** Add support for new YubiKey 4. - -** Add ykcs11. - -* Version 1.0.3 (released 2015-10-01) - -** Correct wording on unblock-pin action. - -** Show pin retries correctly. - -** Use a bigger buffer for receiving data. - -* Version 1.0.2 (released 2015-09-04) - -** Query for different passwords/pins on stdin if they're not supplied. - -** If a reader fails continue trying matching readers. - -** Authentication failed is supposed to be 0x63cX not 0x630X. - -* Version 1.0.1 (released 2015-07-10) - -** Project relicensed to 2-clause BSD license - -** Minor fixes found with clang scan-build - -* Version 1.0.0 (released 2015-06-23) - -** Add a test-decipher action. - -** Check that e is 0x10001 on importing rsa keys - -** Use PCSC transactions when sending and receiving data - -* Version 0.1.6 (released 2015-03-23) - -** Add a read-certificate action to the tool. - -** Add a status action to the tool. - -** Fix a library bug so NULL can be passed to ykpiv_verify() - -** Add a test-signature action to the tool. - -* Version 0.1.5 (released 2015-02-04) - -** Revert the check for parity and just set parity before the weak check. - -* Version 0.1.4 (released 2015-02-02) - -** Prompt for input if input is stdin. - -** Mark all bits of the signature as used is certs and requests. - -** Correct error for unblock-pin. - -** Fix hex decode to decode capital letters and return error. - -** Check parity of new management keys. - -* Version 0.1.3 (released 2014-12-18) - -** Add format DER for importing certificates. - -** Make sure diagnostic feedback ends up on stderr. - -** Add positive feedback for a couple of actions. - -* Version 0.1.2 (released 2014-11-14) - -** Fix an issue where shorter component of RSA keys where not packed correctly. - -* Version 0.1.1 (released 2014-11-10) - -** Correct broken CHUID that made windows work inconsistently. - -** Add support for compressed certificates. - -** Fix broken unblock-pin action. - -** Don't try to accept to short keys for mgm key. - -** Only do applet authentication if needed. - -** Add --hash for selecting what hash to use for signatures. - -** Add hidden --sign command. Should probably not be used. - -** Fix for signature algorithm in selfsigned cert. - -* Version 0.1.0 (released 2014-08-25) - -** Break out functionality into a library. - -** More testing. - -* Version 0.0.3 (released 2014-05-26) - -** Add delete-certificate action. - -** Fix minor bugs. - -* Version 0.0.2 (released 2014-02-19) - -** Fix an offset bug with CHUID. - -** Do full mutual auth with the applet. - -* Version 0.0.1 (released 2014-02-11) - -** Initial release. diff --git a/README b/README deleted file mode 100644 index 5c80b0c..0000000 --- a/README +++ /dev/null @@ -1,139 +0,0 @@ -== Yubico PIV Tool - -=== Introduction -The Yubico PIV tool is used for interacting with the Privilege and -Identification Card (PIV) application on a https://www.yubico.com[YubiKey]. - -With it you may generate keys on the device, importing keys and -certificates, and create certificate requests, and other operations. -A shared library and a command-line tool is included. - -==== Usage guides -For information and examples on what you can do with a PIV enabled YubiKey, -see https://developers.yubico.com/PIV/ - -=== License -In general the project is covered by the following BSD license. The -file ykcs11/pkcs11.h has additional copyright and licensing -information, please see it for more information. Some other files -(e.g., m4/*) have other licenses too but are only part of the build -infrastructure. - ----- - Copyright (c) 2014-2016 Yubico AB - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are - met: - - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - - * Redistributions in binary form must reproduce the above - copyright notice, this list of conditions and the following - disclaimer in the documentation and/or other materials provided - with the distribution. - - THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ----- - -=== Building -After downloading and unpacking the package tarball, you build it as -follows. - - $ ./configure - $ make - $ sudo make install - -The backend to use is decided at compile time, see the summary at the -end of the ./configure output. Use --with-backend=foo to chose -backend, replacing foo with the backend you want to use. The backends -available are "pcsc", "macscard", and "winscard" using the PCSC -interface, with slightly different shared library linkage and -header file names: "pcsc" is used under GNU-like systems, "macscard" -under Mac OS X, and "winscard" is used under Windows. In most -situations, running ./configure should automatically find the proper -backend to use. - -=== Building from Git -Recent versions of autoconf, automake, check, pkg-config, and libtool -must be installed. Help2man is used to generate the manpages. Gengetopt -version 2.22.6 or later is needed for command line parameter handling. -The -link:https://github.com/Yubico/yubico-piv-tool/tree/master/vagrant/development[Vagrant -VM] has all these dependencies preinstalled. - -Generate the build system using: - - $ autoreconf --install - -Then you follow the normal build instructions, see above. -To turn on all warnings add --enable-gcc-warnings to ./configure - -=== Portability -The main development platform is Debian GNU/Linux. The project is -cross-compiled to Windows using MinGW (see windows.mk) using the PCSC -backend. It may also be built for Mac OS X (see mac.mk), also using -the PCSC backend. - -=== Example Usage -For a list of all available options --help can be given. For more information -on exactly what happens --verbose or --verbose=2 may be added. - -Generate a new ECC-P256 key on device in slot 9a, will print the public -key on stdout: - - $ yubico-piv-tool -s9a -AECCP256 -agenerate - -Generate a certificate request with public key from stdin, will print -the resulting request on stdout: - - $ yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify -arequest - -Generate a self-signed certificate with public key from stdin, will print -the certificate, for later import, on stdout: - - $ yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify -aselfsign - -Import a certificate from stdin: - - $ yubico-piv-tool -s9a -aimport-certificate - -Set a random chuid, import a key and import a certificate from a PKCS12 -file, into slot 9c: - - $ yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid -aimport-key \ - -aimport-cert - -Change the management key used for administrative authentication: - - $ yubico-piv-tool -aset-mgm-key - -Delete a certificate in slot 9a, with management key being asked for: - - $ yubico-piv-tool -adelete-certificate -s9a -k - -Show some information on certificates and other data: - - $ yubico-piv-tool -astatus - -Read out the certificate from a slot and then run a signature test: - - $ yubico-piv-tool -aread-cert -s9a - $ yubico-piv-tool -averify-pin -atest-signature -s9a - -Import a key into slot 85 (only available on YubiKey 4) and set the -touch policy (also only available on YubiKey 4): - - $ yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem diff --git a/README.adoc b/README.adoc deleted file mode 120000 index 100b938..0000000 --- a/README.adoc +++ /dev/null @@ -1 +0,0 @@ -README \ No newline at end of file diff --git a/build-and-test.sh b/build-and-test.sh deleted file mode 100755 index c771d9f..0000000 --- a/build-and-test.sh +++ /dev/null @@ -1,77 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2014-2016 Yubico AB -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -if [ "x$TRAVIS_OS_NAME" != "xosx" ]; then - sudo apt-get update -qq - sudo apt-get remove -qq -y $REMOVE - sudo apt-get autoremove -qq - sudo apt-get install -qq -y gengetopt help2man check $EXTRA - TAR=tar -else - ARCH=osx - brew update - brew uninstall libtool - brew install libtool - brew install help2man - brew install check - brew install pkg-config - brew install gengetopt - brew install gnu-tar - TAR=gtar -fi - -set -e - -autoreconf -ifv - -if [ "x$ARCH" != "x" ]; then - version=`cat NEWS | grep unreleased | cut -d' ' -f3` - set +e - $TAR --exclude .git --transform="s/^\./yubico-piv-tool-${version}/" -czf yubico-piv-tool-${version}.tar.gz . - set -e - if [ "x$ARCH" != "xosx" ]; then - make -f windows.mk ${ARCH}bit VERSION=$version - else - make -f mac.mk mac VERSION=$version - fi -elif [ "x$BUILD_OPENSSL_VERSION" = "x1.1" ]; then - version=`cat NEWS | grep unreleased | cut -d' ' -f3` - set +e - $TAR --exclude .git --transform="s/^\./yubico-piv-tool-${version}/" -czf yubico-piv-tool-${version}.tar.gz . - set -e - make -f linux.mk VERSION=$version -else - ./configure $COVERAGE - make all check - if [ "x$COVERAGE" != "x" ]; then - gem install coveralls-lcov - coveralls-lcov coverage/app2.info - fi -fi diff --git a/build-aux/config.rpath b/build-aux/config.rpath deleted file mode 100755 index c38b914..0000000 --- a/build-aux/config.rpath +++ /dev/null @@ -1,690 +0,0 @@ -#! /bin/sh -# Output a system dependent set of variables, describing how to set the -# run time search path of shared libraries in an executable. -# -# Copyright 1996-2013 Free Software Foundation, Inc. -# Taken from GNU libtool, 2001 -# Originally by Gordon Matzigkeit , 1996 -# -# This file is free software; the Free Software Foundation gives -# unlimited permission to copy and/or distribute it, with or without -# modifications, as long as this notice is preserved. -# -# The first argument passed to this file is the canonical host specification, -# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM -# or -# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM -# The environment variables CC, GCC, LDFLAGS, LD, with_gnu_ld -# should be set by the caller. -# -# The set of defined variables is at the end of this script. - -# Known limitations: -# - On IRIX 6.5 with CC="cc", the run time search patch must not be longer -# than 256 bytes, otherwise the compiler driver will dump core. The only -# known workaround is to choose shorter directory names for the build -# directory and/or the installation directory. - -# All known linkers require a '.a' archive for static linking (except MSVC, -# which needs '.lib'). -libext=a -shrext=.so - -host="$1" -host_cpu=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` -host_vendor=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` -host_os=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` - -# Code taken from libtool.m4's _LT_CC_BASENAME. - -for cc_temp in $CC""; do - case $cc_temp in - compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; - distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; - \-*) ;; - *) break;; - esac -done -cc_basename=`echo "$cc_temp" | sed -e 's%^.*/%%'` - -# Code taken from libtool.m4's _LT_COMPILER_PIC. - -wl= -if test "$GCC" = yes; then - wl='-Wl,' -else - case "$host_os" in - aix*) - wl='-Wl,' - ;; - mingw* | cygwin* | pw32* | os2* | cegcc*) - ;; - hpux9* | hpux10* | hpux11*) - wl='-Wl,' - ;; - irix5* | irix6* | nonstopux*) - wl='-Wl,' - ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) - case $cc_basename in - ecc*) - wl='-Wl,' - ;; - icc* | ifort*) - wl='-Wl,' - ;; - lf95*) - wl='-Wl,' - ;; - nagfor*) - wl='-Wl,-Wl,,' - ;; - pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*) - wl='-Wl,' - ;; - ccc*) - wl='-Wl,' - ;; - xl* | bgxl* | bgf* | mpixl*) - wl='-Wl,' - ;; - como) - wl='-lopt=' - ;; - *) - case `$CC -V 2>&1 | sed 5q` in - *Sun\ F* | *Sun*Fortran*) - wl= - ;; - *Sun\ C*) - wl='-Wl,' - ;; - esac - ;; - esac - ;; - newsos6) - ;; - *nto* | *qnx*) - ;; - osf3* | osf4* | osf5*) - wl='-Wl,' - ;; - rdos*) - ;; - solaris*) - case $cc_basename in - f77* | f90* | f95* | sunf77* | sunf90* | sunf95*) - wl='-Qoption ld ' - ;; - *) - wl='-Wl,' - ;; - esac - ;; - sunos4*) - wl='-Qoption ld ' - ;; - sysv4 | sysv4.2uw2* | sysv4.3*) - wl='-Wl,' - ;; - sysv4*MP*) - ;; - sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) - wl='-Wl,' - ;; - unicos*) - wl='-Wl,' - ;; - uts4*) - ;; - esac -fi - -# Code taken from libtool.m4's _LT_LINKER_SHLIBS. - -hardcode_libdir_flag_spec= -hardcode_libdir_separator= -hardcode_direct=no -hardcode_minus_L=no - -case "$host_os" in - cygwin* | mingw* | pw32* | cegcc*) - # FIXME: the MSVC++ port hasn't been tested in a loooong time - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - if test "$GCC" != yes; then - with_gnu_ld=no - fi - ;; - interix*) - # we just hope/assume this is gcc and not c89 (= MSVC++) - with_gnu_ld=yes - ;; - openbsd*) - with_gnu_ld=no - ;; -esac - -ld_shlibs=yes -if test "$with_gnu_ld" = yes; then - # Set some defaults for GNU ld with shared library support. These - # are reset later if shared libraries are not supported. Putting them - # here allows them to be overridden if necessary. - # Unlike libtool, we use -rpath here, not --rpath, since the documented - # option of GNU ld is called -rpath, not --rpath. - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - case "$host_os" in - aix[3-9]*) - # On AIX/PPC, the GNU linker is very broken - if test "$host_cpu" != ia64; then - ld_shlibs=no - fi - ;; - amigaos*) - case "$host_cpu" in - powerpc) - ;; - m68k) - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - ;; - esac - ;; - beos*) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - : - else - ld_shlibs=no - fi - ;; - cygwin* | mingw* | pw32* | cegcc*) - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. - hardcode_libdir_flag_spec='-L$libdir' - if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then - : - else - ld_shlibs=no - fi - ;; - haiku*) - ;; - interix[3-9]*) - hardcode_direct=no - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - ;; - gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - : - else - ld_shlibs=no - fi - ;; - netbsd*) - ;; - solaris*) - if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then - ld_shlibs=no - elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - : - else - ld_shlibs=no - fi - ;; - sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) - case `$LD -v 2>&1` in - *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*) - ld_shlibs=no - ;; - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`' - else - ld_shlibs=no - fi - ;; - esac - ;; - sunos4*) - hardcode_direct=yes - ;; - *) - if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then - : - else - ld_shlibs=no - fi - ;; - esac - if test "$ld_shlibs" = no; then - hardcode_libdir_flag_spec= - fi -else - case "$host_os" in - aix3*) - # Note: this linker hardcodes the directories in LIBPATH if there - # are no directories specified by -L. - hardcode_minus_L=yes - if test "$GCC" = yes; then - # Neither direct hardcoding nor static linking is supported with a - # broken collect2. - hardcode_direct=unsupported - fi - ;; - aix[4-9]*) - if test "$host_cpu" = ia64; then - # On IA64, the linker does run time linking by default, so we don't - # have to do anything special. - aix_use_runtimelinking=no - else - aix_use_runtimelinking=no - # Test if we are trying to use run time linking or normal - # AIX style linking. If -brtl is somewhere in LDFLAGS, we - # need to do runtime linking. - case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*) - for ld_flag in $LDFLAGS; do - if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then - aix_use_runtimelinking=yes - break - fi - done - ;; - esac - fi - hardcode_direct=yes - hardcode_libdir_separator=':' - if test "$GCC" = yes; then - case $host_os in aix4.[012]|aix4.[012].*) - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - : - else - # We have old collect2 - hardcode_direct=unsupported - hardcode_minus_L=yes - hardcode_libdir_flag_spec='-L$libdir' - hardcode_libdir_separator= - fi - ;; - esac - fi - # Begin _LT_AC_SYS_LIBPATH_AIX. - echo 'int main () { return 0; }' > conftest.c - ${CC} ${LDFLAGS} conftest.c -o conftest - aix_libpath=`dump -H conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` - if test -z "$aix_libpath"; then - aix_libpath=`dump -HX64 conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } -}'` - fi - if test -z "$aix_libpath"; then - aix_libpath="/usr/lib:/lib" - fi - rm -f conftest.c conftest - # End _LT_AC_SYS_LIBPATH_AIX. - if test "$aix_use_runtimelinking" = yes; then - hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" - else - if test "$host_cpu" = ia64; then - hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib' - else - hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" - fi - fi - ;; - amigaos*) - case "$host_cpu" in - powerpc) - ;; - m68k) - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - ;; - esac - ;; - bsdi[45]*) - ;; - cygwin* | mingw* | pw32* | cegcc*) - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. - hardcode_libdir_flag_spec=' ' - libext=lib - ;; - darwin* | rhapsody*) - hardcode_direct=no - if { case $cc_basename in ifort*) true;; *) test "$GCC" = yes;; esac; }; then - : - else - ld_shlibs=no - fi - ;; - dgux*) - hardcode_libdir_flag_spec='-L$libdir' - ;; - freebsd2.2*) - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - ;; - freebsd2*) - hardcode_direct=yes - hardcode_minus_L=yes - ;; - freebsd* | dragonfly*) - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - ;; - hpux9*) - hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' - hardcode_libdir_separator=: - hardcode_direct=yes - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. - hardcode_minus_L=yes - ;; - hpux10*) - if test "$with_gnu_ld" = no; then - hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' - hardcode_libdir_separator=: - hardcode_direct=yes - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. - hardcode_minus_L=yes - fi - ;; - hpux11*) - if test "$with_gnu_ld" = no; then - hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' - hardcode_libdir_separator=: - case $host_cpu in - hppa*64*|ia64*) - hardcode_direct=no - ;; - *) - hardcode_direct=yes - # hardcode_minus_L: Not really in the search PATH, - # but as the default location of the library. - hardcode_minus_L=yes - ;; - esac - fi - ;; - irix5* | irix6* | nonstopux*) - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - ;; - netbsd*) - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - ;; - newsos6) - hardcode_direct=yes - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - ;; - *nto* | *qnx*) - ;; - openbsd*) - if test -f /usr/libexec/ld.so; then - hardcode_direct=yes - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - else - case "$host_os" in - openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) - hardcode_libdir_flag_spec='-R$libdir' - ;; - *) - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - ;; - esac - fi - else - ld_shlibs=no - fi - ;; - os2*) - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - ;; - osf3*) - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - ;; - osf4* | osf5*) - if test "$GCC" = yes; then - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - else - # Both cc and cxx compiler support -rpath directly - hardcode_libdir_flag_spec='-rpath $libdir' - fi - hardcode_libdir_separator=: - ;; - solaris*) - hardcode_libdir_flag_spec='-R$libdir' - ;; - sunos4*) - hardcode_libdir_flag_spec='-L$libdir' - hardcode_direct=yes - hardcode_minus_L=yes - ;; - sysv4) - case $host_vendor in - sni) - hardcode_direct=yes # is this really true??? - ;; - siemens) - hardcode_direct=no - ;; - motorola) - hardcode_direct=no #Motorola manual says yes, but my tests say they lie - ;; - esac - ;; - sysv4.3*) - ;; - sysv4*MP*) - if test -d /usr/nec; then - ld_shlibs=yes - fi - ;; - sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*) - ;; - sysv5* | sco3.2v5* | sco5v6*) - hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`' - hardcode_libdir_separator=':' - ;; - uts4*) - hardcode_libdir_flag_spec='-L$libdir' - ;; - *) - ld_shlibs=no - ;; - esac -fi - -# Check dynamic linker characteristics -# Code taken from libtool.m4's _LT_SYS_DYNAMIC_LINKER. -# Unlike libtool.m4, here we don't care about _all_ names of the library, but -# only about the one the linker finds when passed -lNAME. This is the last -# element of library_names_spec in libtool.m4, or possibly two of them if the -# linker has special search rules. -library_names_spec= # the last element of library_names_spec in libtool.m4 -libname_spec='lib$name' -case "$host_os" in - aix3*) - library_names_spec='$libname.a' - ;; - aix[4-9]*) - library_names_spec='$libname$shrext' - ;; - amigaos*) - case "$host_cpu" in - powerpc*) - library_names_spec='$libname$shrext' ;; - m68k) - library_names_spec='$libname.a' ;; - esac - ;; - beos*) - library_names_spec='$libname$shrext' - ;; - bsdi[45]*) - library_names_spec='$libname$shrext' - ;; - cygwin* | mingw* | pw32* | cegcc*) - shrext=.dll - library_names_spec='$libname.dll.a $libname.lib' - ;; - darwin* | rhapsody*) - shrext=.dylib - library_names_spec='$libname$shrext' - ;; - dgux*) - library_names_spec='$libname$shrext' - ;; - freebsd* | dragonfly*) - case "$host_os" in - freebsd[123]*) - library_names_spec='$libname$shrext$versuffix' ;; - *) - library_names_spec='$libname$shrext' ;; - esac - ;; - gnu*) - library_names_spec='$libname$shrext' - ;; - haiku*) - library_names_spec='$libname$shrext' - ;; - hpux9* | hpux10* | hpux11*) - case $host_cpu in - ia64*) - shrext=.so - ;; - hppa*64*) - shrext=.sl - ;; - *) - shrext=.sl - ;; - esac - library_names_spec='$libname$shrext' - ;; - interix[3-9]*) - library_names_spec='$libname$shrext' - ;; - irix5* | irix6* | nonstopux*) - library_names_spec='$libname$shrext' - case "$host_os" in - irix5* | nonstopux*) - libsuff= shlibsuff= - ;; - *) - case $LD in - *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") libsuff= shlibsuff= ;; - *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") libsuff=32 shlibsuff=N32 ;; - *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") libsuff=64 shlibsuff=64 ;; - *) libsuff= shlibsuff= ;; - esac - ;; - esac - ;; - linux*oldld* | linux*aout* | linux*coff*) - ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) - library_names_spec='$libname$shrext' - ;; - knetbsd*-gnu) - library_names_spec='$libname$shrext' - ;; - netbsd*) - library_names_spec='$libname$shrext' - ;; - newsos6) - library_names_spec='$libname$shrext' - ;; - *nto* | *qnx*) - library_names_spec='$libname$shrext' - ;; - openbsd*) - library_names_spec='$libname$shrext$versuffix' - ;; - os2*) - libname_spec='$name' - shrext=.dll - library_names_spec='$libname.a' - ;; - osf3* | osf4* | osf5*) - library_names_spec='$libname$shrext' - ;; - rdos*) - ;; - solaris*) - library_names_spec='$libname$shrext' - ;; - sunos4*) - library_names_spec='$libname$shrext$versuffix' - ;; - sysv4 | sysv4.3*) - library_names_spec='$libname$shrext' - ;; - sysv4*MP*) - library_names_spec='$libname$shrext' - ;; - sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) - library_names_spec='$libname$shrext' - ;; - tpf*) - library_names_spec='$libname$shrext' - ;; - uts4*) - library_names_spec='$libname$shrext' - ;; -esac - -sed_quote_subst='s/\(["`$\\]\)/\\\1/g' -escaped_wl=`echo "X$wl" | sed -e 's/^X//' -e "$sed_quote_subst"` -shlibext=`echo "$shrext" | sed -e 's,^\.,,'` -escaped_libname_spec=`echo "X$libname_spec" | sed -e 's/^X//' -e "$sed_quote_subst"` -escaped_library_names_spec=`echo "X$library_names_spec" | sed -e 's/^X//' -e "$sed_quote_subst"` -escaped_hardcode_libdir_flag_spec=`echo "X$hardcode_libdir_flag_spec" | sed -e 's/^X//' -e "$sed_quote_subst"` - -LC_ALL=C sed -e 's/^\([a-zA-Z0-9_]*\)=/acl_cv_\1=/' <= 0.9.6]) - -DX_HTML_FEATURE(ON) -DX_INIT_DOXYGEN(libykpiv,lib/Doxyfile) - -gl_LD_VERSION_SCRIPT -gl_VALGRIND_TESTS - -# Check for clang -AC_CACHE_CHECK([for clang], - _cv_clang,[ - AC_TRY_COMPILE([], [ - #ifdef __clang__ - #else - #error "NOT CLANG" - #endif - return 0; - ], - [_cv_clang=yes], - [_cv_clang=no], - []) -]) -AM_CONDITIONAL([COMPILER_CLANG], [test "$_cv_clang" = yes]) - -AC_ARG_WITH([backend], - [AS_HELP_STRING([--with-backend=ARG], - [use specific backend/linkage; 'pcsc', 'macscard' or 'winscard'])], - [], - [with_backend=check]) - -AC_ARG_WITH([pcsclib], - [AS_HELP_STRING([--with-pcsclib=ARG], - [Name of custom PCSC lib])], - [], - [with_pcsclib=]) - -AC_ARG_WITH([pcscdir], - [AS_HELP_STRING([--with-pcscdir=ARG], - [Path to custom PCSC lib dir (use with --with-pcsclib)])], - [], - [with_pcscdir=]) - -case "$with_backend$host" in - check*-darwin*) - AC_MSG_NOTICE([Detected Mac: selecting macscard backend]) - AC_MSG_NOTICE([use --with-backend to override]) - with_backend=macscard ;; - check*-mingw*) - AC_MSG_NOTICE([Detected Windows: selecting winscard backend]) - AC_MSG_NOTICE([use --with-backend to override]) - with_backend=winscard ;; -esac - -if test "x$with_backend" = xcheck || test "x$with_backend" = xpcsc; then - PKG_CHECK_MODULES([PCSC], [libpcsclite], - [with_backend=pcsc], [:]) -fi - -if test "x$with_backend" = xcheck; then - AC_CHECK_HEADERS([PCSC/winscard.h]) - AC_CHECK_HEADERS([winscard.h]) - AC_MSG_CHECKING([between Mac/Windows winscard]) - if test "x$ac_cv_header_PCSC_winscard_h" = xyes; then - with_backend=macscard - AC_MSG_RESULT([Mac]) - elif test "x$ac_cv_header_winscard_h" = xyes; then - with_backend=winscard - AC_MSG_RESULT([Windows]) - else - AC_MSG_RESULT([no]) - fi -fi - -if test "x$with_backend" = xwinscard; then - AC_MSG_NOTICE([checking for winscard with Windows linkage]) - AC_CHECK_HEADERS([winscard.h]) - PCSC_WIN_LIBS="-lwinscard" - save_LIBS="$LIBS" - LIBS="$LIBS $PCSC_WIN_LIBS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], - [[SCardBeginTransaction(0)]])], - [AC_SUBST([PCSC_WIN_LIBS])], - [AC_MSG_ERROR([cannot find Windows PCSC library/headers])]) - LIBS="$save_LIBS" -fi - -if test "x$with_backend" = xmacscard; then - AC_MSG_NOTICE([checking for PCSC with Mac linkage]) - AC_CHECK_HEADERS([PCSC/winscard.h]) - PCSC_MACOSX_LIBS="-Wl,-framework -Wl,PCSC" - save_LIBS="$LIBS" - LIBS="$LIBS $PCSC_MACOSX_LIBS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include - #include ]], - [[SCardBeginTransaction(0)]])], - [AC_SUBST([PCSC_MACOSX_LIBS])], - [AC_MSG_ERROR([cannot find Mac PCSC library/headers])]) - LIBS="$save_LIBS" -fi - -if test "x$with_pcsclib" != x; then - AC_MSG_NOTICE([checking for PCSC with custom lib]) - AC_CHECK_HEADERS([PCSC/winscard.h]) - if test "x$with_pcscdir" != x; then - PCSC_CUSTOM_LIBS="-Wl,-L$with_pcscdir -Wl,-l$with_pcsclib -Wl,-rpath,$with_pcscdir" - else - PCSC_CUSTOM_LIBS="-Wl,-l$with_pcsclib" - fi - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $PCSC_CFLAGS" - save_LIBS="$LIBS" - LIBS="$LIBS $PCSC_CUSTOM_LIBS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], - [[SCardBeginTransaction(0)]])], - [AC_SUBST([PCSC_CUSTOM_LIBS])], - [AC_MSG_ERROR([cannot find custom PCSC library/headers])]) - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - PCSC_MACOSX_LIBS= - PCSC_WIN_LIBS= - PCSC_LIBS= -fi - -if test "x$with_backend" = xpcsc || test "x$with_backend" = xwinscard \ - || test "x$with_backend" = xmacscard || test "x$with_pcsclib" != x; then - AC_DEFINE([BACKEND_PCSC], 1, [Define to 1 if you the PCSC backend.]) -else - AC_MSG_ERROR([cannot find PCSC library]) -fi - -AC_ARG_ENABLE([coverage], - [AS_HELP_STRING([--enable-coverage], - [use Gcov to test the test suite])], - [], - [enable_cov=no]) -AM_CONDITIONAL([ENABLE_COV],[test '!' "$enable_cov" = no]) - -AC_ARG_ENABLE([cppcheck], - [AS_HELP_STRING([--enable-cppcheck], - [run cppcheck])], - [enable_cppcheck="$enableval"], - [enable_cppcheck="no"]) - -have_cppcheck=no -AS_IF([test "x$enable_cppcheck" != xno], - [AC_PATH_PROG([CPPCHECK], [cppcheck], [NONE]) - AS_IF([test "x$enable_cppcheck" != xno], - [have_cppcheck=yes - AC_SUBST([CPPCHECK])], - [have_cppcheck=no - AS_IF([test "x$enable_cppcheck" != xauto], - [AC_MSG_ERROR([cannot find cppcheck])])])]) -AM_CONDITIONAL([ENABLE_CPPCHECK],[test '!' "$have_cppcheck" = no]) - -AC_ARG_ENABLE([gcc-warnings], - [AS_HELP_STRING([--enable-gcc-warnings], - [turn on lots of GCC warnings (for developers)])], - [case $enableval in - yes|no) ;; - *) AC_MSG_ERROR([bad value $enableval for gcc-warnings option]) ;; - esac - gl_gcc_warnings=$enableval], - [gl_gcc_warnings=no] -) - -if test "$gl_gcc_warnings" = yes; then - nw="$nw -Wsystem-headers" # Don't let system headers trigger warnings - nw="$nw -Wpadded" # Struct's arenot padded - nw="$nw -Wc++-compat" # We don't care strongly about C++ compilers - nw="$nw -Wtraditional" # Warns on #elif which we use often - nw="$nw -Wtraditional-conversion" # Too many warnings for now - nw="$nw -Wconversion" # Too many warnings for now - nw="$nw -Wsuggest-attribute=pure" # Is it worth using attributes? - nw="$nw -Wsuggest-attribute=const" # Is it worth using attributes? - nw="$nw -Waggregate-return" # returning structs shouldn't be a problem - - gl_MANYWARN_ALL_GCC([ws]) - gl_MANYWARN_COMPLEMENT(ws, [$ws], [$nw]) - for w in $ws; do - gl_WARN_ADD([$w]) - done - - gl_WARN_ADD([-fdiagnostics-show-option]) -fi - -AC_ARG_ENABLE([ykcs11-debug], - [AS_HELP_STRING([--enable-ykcs11-debug], - [enables YKCS11 debug messages])], - [enable_ykcs11_debug="$enableval"], - [enable_ykcs11_debug="no"]) - -AS_IF([test "x$enable_ykcs11_debug" != xno], - [AC_DEFINE([YKCS11_DBG], [1], [Regular debug flag]) - AC_DEFINE([YKCS11_DINOUT], [1], [Function accessed/left debug flag]) - ykcs11_debug="ENABLED"], - [true], - [AC_DEFINE([YKCS11_DBG], [0], [Regular debug flag]) - AC_DEFINE([YKCS11_DINOUT], [0], [Function accessed/left debug flag]) - ykcs11_debug="DISABLED"]) - -AC_ARG_ENABLE([hardware-tests], - [AS_HELP_STRING([--enable-hardware-tests], - [enables tests that require a YubiKey to be plugged in])], - [enable_hardware_tests="$enableval"], - [enable_hardware_tests="no"]) - -AS_IF([test "x$enable_hardware_tests" != xno], - [AC_DEFINE([HW_TESTS], [1], [Flag for hardware tests]) - hw_tests="ENABLED"], - [true], - [hw_tests="DISABLED"]) - -AC_SUBST(YKPIV_VERSION_MAJOR, `echo $PACKAGE_VERSION | sed 's/\(.*\)\..*\..*/\1/g'`) -AC_SUBST(YKPIV_VERSION_MINOR, `echo $PACKAGE_VERSION | sed 's/.*\.\(.*\)\..*/\1/g'`) -AC_SUBST(YKPIV_VERSION_PATCH, `echo $PACKAGE_VERSION | sed 's/.*\..*\.\(.*\)/\1/g'`) -AC_SUBST(YKPIV_VERSION_NUMBER, `printf "0x%02x%02x%02x" $YKPIV_VERSION_MAJOR $YKPIV_VERSION_MINOR $YKPIV_VERSION_PATCH`) - -AC_SUBST(YKCS11_VERSION_MAJOR, `echo $PACKAGE_VERSION | sed 's/\(.*\)\..*\..*/\1/g'`) -AC_SUBST(YKCS11_VERSION_MINOR, `echo $PACKAGE_VERSION | sed 's/.*\.\(.*\)\..*/\1/g'`) -AC_SUBST(YKCS11_VERSION_PATCH, `echo $PACKAGE_VERSION | sed 's/.*\..*\.\(.*\)/\1/g'`) -AC_SUBST(YKCS11_VERSION_NUMBER, `printf "0x%02x%02x%02x" $YKCS11_VERSION_MAJOR $YKCS11_VERSION_MINOR $YKCS11_VERSION_PATCH`) - -AC_CONFIG_FILES([ - Makefile - lib/Makefile - lib/tests/Makefile - tool/Makefile - tool/tests/Makefile - lib/ykpiv-version.h - lib/ykpiv.pc - ykcs11/Makefile - ykcs11/ykcs11-version.h - ykcs11/ykcs11.pc - ykcs11/tests/Makefile -]) -AC_OUTPUT - -AC_MSG_NOTICE([summary of build options: - - Version: ${VERSION} - Host type: ${host} - Install prefix: ${prefix} - Compiler: ${CC} - CFLAGS: ${CFLAGS} - CPPFLAGS: ${CPPFLAGS} - Warnings: ${WARN_CFLAGS} - Backend: ${with_backend} - OpenSSL version: ${OPENSSL_VERSION} - PCSC - CFLAGS: ${PCSC_CFLAGS} - LIBS: ${PCSC_LIBS} - Winscard - LIBS: ${PCSC_WIN_LIBS} - Mac PCSC - LIBS: ${PCSC_MACOSX_LIBS} - Custom PCSC - LIBS: ${PCSC_CUSTOM_LIBS} - - YKCS11 debug: ${ykcs11_debug} - Hardware tests: ${hw_tests} -]) diff --git a/doc/Attestation.adoc b/doc/Attestation.adoc deleted file mode 100644 index 8327846..0000000 --- a/doc/Attestation.adoc +++ /dev/null @@ -1,36 +0,0 @@ -== Using Attestation - -=== Introduction -This feature is only available in YubiKey 4.3 and newer. - -A high level description of the thinking and how this can be used can be found -at https://developers.yubico.com/PIV/Introduction/PIV_attestation.html - -=== Usage -Attestation works through a special key slot called “f9” this comes -pre-loaded from factory with a key and cert signed by Yubico, but can be -overwritten. -After a key has been generated in a normal slot it can be attested by this -special key, this can be realised by using the yubico-piv-tool action attest: - - $ yubico-piv-tool --action=generate --slot=9a - ... - $ yubico-piv-tool --action=attest --slot=9a - -The output of this is a PEM encoded certificate, signed by the key in slot f9. - -=== Verifying -To verify an attestation step 1 is to build the certificate chain. Put the -attestation root certificate in a file (or if you trust several put all -of them in said file). The Yubico root certificate can be found at -https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem - -Then add the keys attestation certificate to that file: - - $ yubico-piv-tool --action=read-certificate --slot=f9 >> certs.pem - -Now we're ready to verify the attestation: - - $ yubico-piv-tool --action=attest --slot=9a > attestation.pem - $ openssl verify -CAfile certs.pem attestation.pem - attestation.pem: OK diff --git a/doc/YKCS11_release_notes.adoc b/doc/YKCS11_release_notes.adoc deleted file mode 100644 index 9c0a2c3..0000000 --- a/doc/YKCS11_release_notes.adoc +++ /dev/null @@ -1,120 +0,0 @@ -== YKCS11 -This is a PKCS#11 module that allows to communicate with the PIV -application running on a YubiKey. - -This module is based on version 2.40 of the PKCS#11 (Cryptoki) -specifications. - -The complete specifications are available at -https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html. - -=== BUILDING -YKCS11 is automatically built as part of `yubico-piv-tool` and the -following command will suffice: - - $ autoreconf --install - $ ./configure - $ make - $ sudo make install - -More info about building yubico-piv-tool can be found in the related -`README` file or over at -https://developers.yubico.com/yubico-piv-tool/. - -Once installed, the module will be found by default in -/usr/local/lib/libykcs11.so otherwise it will be built locally in -yubico-piv-tool/ykcs11/.libs/libykcs11.so - -=== PORTABILITY -The module has been developed and tested using Debian GNU/Linux and -Ubuntu Linux. It is however possible to cross-compile it for Windows -and Mac OS X using the relative makefiles (windows.mk and mac.mk). -Both use PCSC as a backend. - -Further testing at this stage has *not* been carried out, so -additional tweaks might be needed to use operating systems different -from Linux. - -=== SUPPORTED FUNCTIONALITY AND KNOWN ISSUES -YKCS11 is not a full implementation of PKCS#11. Some functionality are -not present and others are not yet implemented. - -In its current form YKCS11 implements a smaller subset of -functionality: - -- RSA key generation + - 1024 or 2048 bit keys can be generated; - -- EC key generation + - curve prime256v1 is supported (256 bit keys); - -- RSA signature + - supported mechanisms are RSA-X-509 (raw RSA), PKCS1 (unhashed), - PKCS1 with SHA1/256/384/512 and PSS with SHA1/256/384/512. The - latter is implemented but has not been tested, hence is provided as - is; - -- ECDSA signature + - supported mechanism are ECDSA (raw) and ECDSA with SHA1; - -- RSA and EC public key (X.509 certificate) import; - -- RSA and EC private key import + - with possibility of setting individual PIN policies and touch to - sign (where supported); - -- Public key deletion. - -PKCS#11 defines two types of users: a regular user and a security -officer (SO). These have been mapped to perform regular usage of the -private key material (PIN-associated operations) and device management -(management-key associated operations). - -==== Key Mapping -The module provides four main keys that can be used. These correspond -to the four main keys in PIV and accessible through yubico-piv-tool. -The mapping is as follows: - -[cols="2*^", options="header"] -|=== -|ykcs11 id|PIV -|0|9a -|1|9e -|2|9c -|3|9d -|=== - -==== PINs and Management Key -The default user PIN for the YubiKey is `123456`. + -The default management key is -`010203040506070801020304050607080102030405060708`. + -All the YubiKey personalization (e.g. changing PIN, changing -management key, resetting PINs, resetting the application) is -currently done using yubico-piv-tool. - -In order to perform operations involving the private keys, a regular -user must be logged in (i.e. using the PIN). However, given the -different PIN policies for different keys, subsequent operations might -require a new login. Currently this is supported by the module -allowing multiple _Login_ operations with the appropriate user. -According to PKCS#11 however, a special user called `CONTEXT_SPECIFIC` -should be used for such operations. This is also supported and *might -become the only available mechanism in the future*. - -==== Key Generation -Key pair generation is a particular operation, in the sense that -within PIV this is the only moment where the newly created public key -is given back to the user. To prevent the key from being lost it is -automatically stored within the YubiKey by wrapping it in an X.509 -certificate. This certificate is however empty. It does not have other -valid information except for the public key. - -==== DEBUGGING -By default the module has debugging disabled. This is _highly_ verbose -and might be confusing. In order to enabled it rebuild the project as -follows: - - $ autoreconf --install - $ ./configure --enable-ykcs11-debug - $ make - $ sudo make install diff --git a/doc/YubiKey_PIV_introduction.adoc b/doc/YubiKey_PIV_introduction.adoc deleted file mode 100644 index 73ac353..0000000 --- a/doc/YubiKey_PIV_introduction.adoc +++ /dev/null @@ -1,95 +0,0 @@ -== Yubico PIV Tool -The YubiKey supports the Personal Identity Verification (PIV) card -interface specified in NIST SP 800-73 document "Cryptographic -Algorithms and Key Sizes for PIV". PIV enables you to perform RSA or -ECC sign/decrypt operations using a private key stored on the -smartcard, through common interfaces like PKCS#11. This project -contain the library, tools and PKCS#11 module to interact with the -hardware functionality. - -* PIV Standards https://csrc.nist.gov/groups/SNS/piv/standards.html - -=== General information -The default PIN code is 123456. The default PUK code is 12345678. - -The default 3DES management key (9B) is -010203040506070801020304050607080102030405060708. - -The following key slots exists: - -* 9A, 9C, 9D, 9E: RSA 1024, RSA 2048, or ECC secp256r1 keys - (algorithms 6, 7, 11 respectively). - -* 9B: Triple-DES key (algorithm 3) for PIV management. - -The maximum size of stored objects is 2025/3049 bytes for current versions of -YubiKey NEO and YubiKey 4, respectively. - -Currently all functionality are available over both contact and -contactless interfaces (contrary to what the specifications mandate). - -=== Preparing a YubiKey for real use -You would typically change the management key to make sure nobody but -you can modify the state of the PIV application on the YubiKey. Make sure to -keep a copy of the key around for later use. -All of these invocations will leave traces of keys and pins in the command line -history, this can be avoided by leaving the argument out all-together and the -software will ask for key/pin to be input. For the management key option (-k) -this is achieved by leaving out the value but will specifying -k. - - $ key=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:lower:]' | tr -cd '[:xdigit:]' | fold -w48 | head -1) - $ echo ${key} - $ yubico-piv-tool -aset-mgm-key -n${key} - -The PIN and PUK should be changed as well. - - $ pin=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -cd '[:digit:]' | fold -w6 | head -1) - $ echo ${pin} - - $ puk=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -cd '[:digit:]' | fold -w8 | head -1) - $ echo ${puk} - - $ yubico-piv-tool -achange-pin -P123456 -N${pin} - $ yubico-piv-tool -achange-puk -P12345678 -N${puk} - -=== Other useful commands -To generate a new private key: - - $ yubico-piv-tool -k${key} -agenerate -s9c - -To reset PIN/PUK retry counter AND codes (default pin 123456 puk -12345678): - - $ yubico-piv-tool -k${key} -averify -P${pin} -apin-retries --pin-retries=3 --puk-retries=3 - -To reset the application (PIN/PUK need to be blocked hence trying a couple -of times -- you need to modify this if you have changed the default -number of PIN/PUK retries). - - $ yubico-piv-tool -averify-pin -P471112 - $ yubico-piv-tool -averify-pin -P471112 - $ yubico-piv-tool -averify-pin -P471112 - $ yubico-piv-tool -averify-pin -P471112 - $ yubico-piv-tool -achange-puk -P471112 -N6756789 - $ yubico-piv-tool -achange-puk -P471112 -N6756789 - $ yubico-piv-tool -achange-puk -P471112 -N6756789 - $ yubico-piv-tool -achange-puk -P471112 -N6756789 - $ yubico-piv-tool -areset - -=== Software -Card management has been tested with the tools from the OpenSC -project, specifically piv-tool, and Yubico's PIV software (see -below). Basic features should work with any PIV compliant -middleware. - -* https://github.com/OpenSC/OpenSC/wiki -* https://developers.yubico.com/yubico-piv-tool/ -* https://developers.yubico.com/yubikey-piv-manager/ -* https://github.com/OpenSC/OpenSC/wiki/US-PIV -* https://github.com/OpenSC/OpenSC/wiki/PivTool - -=== Card Holder Unique Identifier -For the application to be usable in windows the object CHUID (Card Holder -Unique Identifier) has to be set and unique. The card contents are -also aggressively cached so the CHUID has to be changed if the card -contents change. diff --git a/linux.mk b/linux.mk deleted file mode 100644 index 3662505..0000000 --- a/linux.mk +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright (c) 2014-2017 Yubico AB -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -# -# Note: this build script is for testing OpenSSL 1.1 builds. The official -# Linux release builds are handled by the standard Makefile. -# -PACKAGE=yubico-piv-tool -OPENSSLVERSION=1.1.0g - -all: linux - -doit: - rm -rf tmp && mkdir tmp && cd tmp && \ - mkdir -p root/licenses && \ - cp ../openssl-$(OPENSSLVERSION).tar.gz . || \ - curl -L -O "https://www.openssl.org/source/openssl-$(OPENSSLVERSION).tar.gz" && \ - tar xfz openssl-$(OPENSSLVERSION).tar.gz && \ - cd openssl-$(OPENSSLVERSION) && \ - ./Configure linux-x86_64 shared --prefix=$(PWD)/tmp/root $(CFLAGS) && \ - make all install VERSION="$(OPENSSLVERSION)" && \ - cp LICENSE $(PWD)/tmp$(ARCH)/root/licenses/openssl.txt && \ - cd .. && \ - cp ../$(PACKAGE)-$(VERSION).tar.gz . && \ - tar xfz $(PACKAGE)-$(VERSION).tar.gz && \ - cd $(PACKAGE)-$(VERSION)/ && \ - CFLAGS=$(CFLAGS) PKG_CONFIG_PATH=$(PWD)/tmp/root/lib/pkgconfig ./configure --prefix=$(PWD)/tmp/root && \ - make install $(CHECK) && \ - cd .. && \ - cd root && \ - zip -r ../../$(PACKAGE)-$(VERSION)-linux-openssl-$(OPENSSLVERSION).zip * - -linux: - $(MAKE) -f linux.mk doit CHECK=check diff --git a/m4/ac_doxygen.m4 b/m4/ac_doxygen.m4 deleted file mode 100644 index e9c56c2..0000000 --- a/m4/ac_doxygen.m4 +++ /dev/null @@ -1,312 +0,0 @@ -# This file is part of Autoconf. -*- Autoconf -*- - -# Copyright (C) 2004 Oren Ben-Kiki -# This file is distributed under the same terms as the Autoconf macro files. - -# Generate automatic documentation using Doxygen. Works in concert with the -# aminclude.m4 file and a compatible doxygen configuration file. Defines the -# following public macros: -# -# DX_???_FEATURE(ON|OFF) - control the default setting fo a Doxygen feature. -# Supported features are 'DOXYGEN' itself, 'DOT' for generating graphics, -# 'HTML' for plain HTML, 'CHM' for compressed HTML help (for MS users), 'CHI' -# for generating a seperate .chi file by the .chm file, and 'MAN', 'RTF', -# 'XML', 'PDF' and 'PS' for the appropriate output formats. The environment -# variable DOXYGEN_PAPER_SIZE may be specified to override the default 'a4wide' -# paper size. -# -# By default, HTML, PDF and PS documentation is generated as this seems to be -# the most popular and portable combination. MAN pages created by Doxygen are -# usually problematic, though by picking an appropriate subset and doing some -# massaging they might be better than nothing. CHM and RTF are specific for MS -# (note that you can't generate both HTML and CHM at the same time). The XML is -# rather useless unless you apply specialized post-processing to it. -# -# The macro mainly controls the default state of the feature. The use can -# override the default by specifying --enable or --disable. The macros ensure -# that contradictory flags are not given (e.g., --enable-doxygen-html and -# --enable-doxygen-chm, --enable-doxygen-anything with --disable-doxygen, etc.) -# Finally, each feature will be automatically disabled (with a warning) if the -# required programs are missing. -# -# Once all the feature defaults have been specified, call DX_INIT_DOXYGEN with -# the following parameters: a one-word name for the project for use as a -# filename base etc., an optional configuration file name (the default is -# 'Doxyfile', the same as Doxygen's default), and an optional output directory -# name (the default is 'doxygen-doc'). - -## ----------## -## Defaults. ## -## ----------## - -DX_ENV="" -AC_DEFUN([DX_FEATURE_doc], ON) -AC_DEFUN([DX_FEATURE_dot], ON) -AC_DEFUN([DX_FEATURE_man], OFF) -AC_DEFUN([DX_FEATURE_html], ON) -AC_DEFUN([DX_FEATURE_chm], OFF) -AC_DEFUN([DX_FEATURE_chi], OFF) -AC_DEFUN([DX_FEATURE_rtf], OFF) -AC_DEFUN([DX_FEATURE_xml], OFF) -AC_DEFUN([DX_FEATURE_pdf], ON) -AC_DEFUN([DX_FEATURE_ps], ON) - -## --------------- ## -## Private macros. ## -## --------------- ## - -# DX_ENV_APPEND(VARIABLE, VALUE) -# ------------------------------ -# Append VARIABLE="VALUE" to DX_ENV for invoking doxygen. -AC_DEFUN([DX_ENV_APPEND], [AC_SUBST([DX_ENV], ["$DX_ENV $1='$2'"])]) - -# DX_DIRNAME_EXPR -# --------------- -# Expand into a shell expression prints the directory part of a path. -AC_DEFUN([DX_DIRNAME_EXPR], - [[expr ".$1" : '\(\.\)[^/]*$' \| "x$1" : 'x\(.*\)/[^/]*$']]) - -# DX_IF_FEATURE(FEATURE, IF-ON, IF-OFF) -# ------------------------------------- -# Expands according to the M4 (static) status of the feature. -AC_DEFUN([DX_IF_FEATURE], [ifelse(DX_FEATURE_$1, ON, [$2], [$3])]) - -# DX_REQUIRE_PROG(VARIABLE, PROGRAM) -# ---------------------------------- -# Require the specified program to be found for the DX_CURRENT_FEATURE to work. -AC_DEFUN([DX_REQUIRE_PROG], [ -AC_PATH_TOOL([$1], [$2]) -if test "$DX_FLAG_[]DX_CURRENT_FEATURE$$1" = 1; then - AC_MSG_WARN([$2 not found - will not DX_CURRENT_DESCRIPTION]) - AC_SUBST([DX_FLAG_]DX_CURRENT_FEATURE, 0) -fi -]) - -# DX_TEST_FEATURE(FEATURE) -# ------------------------ -# Expand to a shell expression testing whether the feature is active. -AC_DEFUN([DX_TEST_FEATURE], [test "$DX_FLAG_$1" = 1]) - -# DX_CHECK_DEPEND(REQUIRED_FEATURE, REQUIRED_STATE) -# ------------------------------------------------- -# Verify that a required features has the right state before trying to turn on -# the DX_CURRENT_FEATURE. -AC_DEFUN([DX_CHECK_DEPEND], [ -test "$DX_FLAG_$1" = "$2" \ -|| AC_MSG_ERROR([doxygen-DX_CURRENT_FEATURE ifelse([$2], 1, - requires, contradicts) doxygen-DX_CURRENT_FEATURE]) -]) - -# DX_CLEAR_DEPEND(FEATURE, REQUIRED_FEATURE, REQUIRED_STATE) -# ---------------------------------------------------------- -# Turn off the DX_CURRENT_FEATURE if the required feature is off. -AC_DEFUN([DX_CLEAR_DEPEND], [ -test "$DX_FLAG_$1" = "$2" || AC_SUBST([DX_FLAG_]DX_CURRENT_FEATURE, 0) -]) - -# DX_FEATURE_ARG(FEATURE, DESCRIPTION, -# CHECK_DEPEND, CLEAR_DEPEND, -# REQUIRE, DO-IF-ON, DO-IF-OFF) -# -------------------------------------------- -# Parse the command-line option controlling a feature. CHECK_DEPEND is called -# if the user explicitly turns the feature on (and invokes DX_CHECK_DEPEND), -# otherwise CLEAR_DEPEND is called to turn off the default state if a required -# feature is disabled (using DX_CLEAR_DEPEND). REQUIRE performs additional -# requirement tests (DX_REQUIRE_PROG). Finally, an automake flag is set and -# DO-IF-ON or DO-IF-OFF are called according to the final state of the feature. -AC_DEFUN([DX_ARG_ABLE], [ - AC_DEFUN([DX_CURRENT_FEATURE], [$1]) - AC_DEFUN([DX_CURRENT_DESCRIPTION], [$2]) - AC_ARG_ENABLE(doxygen-$1, - [AS_HELP_STRING(DX_IF_FEATURE([$1], [--disable-doxygen-$1], - [--enable-doxygen-$1]), - DX_IF_FEATURE([$1], [don't $2], [$2]))], - [ -case "$enableval" in -#( -y|Y|yes|Yes|YES) - AC_SUBST([DX_FLAG_$1], 1) - $3 -;; #( -n|N|no|No|NO) - AC_SUBST([DX_FLAG_$1], 0) -;; #( -*) - AC_MSG_ERROR([invalid value '$enableval' given to doxygen-$1]) -;; -esac -], [ -AC_SUBST([DX_FLAG_$1], [DX_IF_FEATURE([$1], 1, 0)]) -$4 -]) -if DX_TEST_FEATURE([$1]); then - $5 - : -fi -if DX_TEST_FEATURE([$1]); then - AM_CONDITIONAL(DX_COND_$1, :) - $6 - : -else - AM_CONDITIONAL(DX_COND_$1, false) - $7 - : -fi -]) - -## -------------- ## -## Public macros. ## -## -------------- ## - -# DX_XXX_FEATURE(DEFAULT_STATE) -# ----------------------------- -AC_DEFUN([DX_DOXYGEN_FEATURE], [AC_DEFUN([DX_FEATURE_doc], [$1])]) -AC_DEFUN([DX_MAN_FEATURE], [AC_DEFUN([DX_FEATURE_man], [$1])]) -AC_DEFUN([DX_HTML_FEATURE], [AC_DEFUN([DX_FEATURE_html], [$1])]) -AC_DEFUN([DX_CHM_FEATURE], [AC_DEFUN([DX_FEATURE_chm], [$1])]) -AC_DEFUN([DX_CHI_FEATURE], [AC_DEFUN([DX_FEATURE_chi], [$1])]) -AC_DEFUN([DX_RTF_FEATURE], [AC_DEFUN([DX_FEATURE_rtf], [$1])]) -AC_DEFUN([DX_XML_FEATURE], [AC_DEFUN([DX_FEATURE_xml], [$1])]) -AC_DEFUN([DX_XML_FEATURE], [AC_DEFUN([DX_FEATURE_xml], [$1])]) -AC_DEFUN([DX_PDF_FEATURE], [AC_DEFUN([DX_FEATURE_pdf], [$1])]) -AC_DEFUN([DX_PS_FEATURE], [AC_DEFUN([DX_FEATURE_ps], [$1])]) - -# DX_INIT_DOXYGEN(PROJECT, [CONFIG-FILE], [OUTPUT-DOC-DIR]) -# --------------------------------------------------------- -# PROJECT also serves as the base name for the documentation files. -# The default CONFIG-FILE is "Doxyfile" and OUTPUT-DOC-DIR is "doxygen-doc". -AC_DEFUN([DX_INIT_DOXYGEN], [ - -# Files: -AC_SUBST([DX_PROJECT], [$1]) -AC_SUBST([DX_CONFIG], [ifelse([$2], [], Doxyfile, [$2])]) -AC_SUBST([DX_DOCDIR], [ifelse([$3], [], doxygen-doc, [$3])]) - -# Environment variables used inside doxygen.cfg: -DX_ENV_APPEND(SRCDIR, $srcdir) -DX_ENV_APPEND(PROJECT, $DX_PROJECT) -DX_ENV_APPEND(DOCDIR, $DX_DOCDIR) -DX_ENV_APPEND(VERSION, $PACKAGE_VERSION) - -# Doxygen itself: -DX_ARG_ABLE(doc, [generate any doxygen documentation], - [], - [], - [DX_REQUIRE_PROG([DX_DOXYGEN], doxygen) - DX_REQUIRE_PROG([DX_PERL], perl)], - [DX_ENV_APPEND(PERL_PATH, $DX_PERL)]) - -# Dot for graphics: -DX_ARG_ABLE(dot, [generate graphics for doxygen documentation], - [DX_CHECK_DEPEND(doc, 1)], - [DX_CLEAR_DEPEND(doc, 1)], - [DX_REQUIRE_PROG([DX_DOT], dot)], - [DX_ENV_APPEND(HAVE_DOT, YES) - DX_ENV_APPEND(DOT_PATH, [`DX_DIRNAME_EXPR($DX_DOT)`])], - [DX_ENV_APPEND(HAVE_DOT, NO)]) - -# Man pages generation: -DX_ARG_ABLE(man, [generate doxygen manual pages], - [DX_CHECK_DEPEND(doc, 1)], - [DX_CLEAR_DEPEND(doc, 1)], - [], - [DX_ENV_APPEND(GENERATE_MAN, YES)], - [DX_ENV_APPEND(GENERATE_MAN, NO)]) - -# RTF file generation: -DX_ARG_ABLE(rtf, [generate doxygen RTF documentation], - [DX_CHECK_DEPEND(doc, 1)], - [DX_CLEAR_DEPEND(doc, 1)], - [], - [DX_ENV_APPEND(GENERATE_RTF, YES)], - [DX_ENV_APPEND(GENERATE_RTF, NO)]) - -# XML file generation: -DX_ARG_ABLE(xml, [generate doxygen XML documentation], - [DX_CHECK_DEPEND(doc, 1)], - [DX_CLEAR_DEPEND(doc, 1)], - [], - [DX_ENV_APPEND(GENERATE_XML, YES)], - [DX_ENV_APPEND(GENERATE_XML, NO)]) - -# (Compressed) HTML help generation: -DX_ARG_ABLE(chm, [generate doxygen compressed HTML help documentation], - [DX_CHECK_DEPEND(doc, 1)], - [DX_CLEAR_DEPEND(doc, 1)], - [DX_REQUIRE_PROG([DX_HHC], hhc)], - [DX_ENV_APPEND(HHC_PATH, $DX_HHC) - DX_ENV_APPEND(GENERATE_HTML, YES) - DX_ENV_APPEND(GENERATE_HTMLHELP, YES)], - [DX_ENV_APPEND(GENERATE_HTMLHELP, NO)]) - -# Seperate CHI file generation. -DX_ARG_ABLE(chi, [generate doxygen seperate compressed HTML help index file], - [DX_CHECK_DEPEND(chm, 1)], - [DX_CLEAR_DEPEND(chm, 1)], - [], - [DX_ENV_APPEND(GENERATE_CHI, YES)], - [DX_ENV_APPEND(GENERATE_CHI, NO)]) - -# Plain HTML pages generation: -DX_ARG_ABLE(html, [generate doxygen plain HTML documentation], - [DX_CHECK_DEPEND(doc, 1) DX_CHECK_DEPEND(chm, 0)], - [DX_CLEAR_DEPEND(doc, 1) DX_CLEAR_DEPEND(chm, 0)], - [], - [DX_ENV_APPEND(GENERATE_HTML, YES)], - [DX_TEST_FEATURE(chm) || DX_ENV_APPEND(GENERATE_HTML, NO)]) - -# PostScript file generation: -DX_ARG_ABLE(ps, [generate doxygen PostScript documentation], - [DX_CHECK_DEPEND(doc, 1)], - [DX_CLEAR_DEPEND(doc, 1)], - [DX_REQUIRE_PROG([DX_LATEX], latex) - DX_REQUIRE_PROG([DX_MAKEINDEX], makeindex) - DX_REQUIRE_PROG([DX_DVIPS], dvips) - DX_REQUIRE_PROG([DX_EGREP], egrep)]) - -# PDF file generation: -DX_ARG_ABLE(pdf, [generate doxygen PDF documentation], - [DX_CHECK_DEPEND(doc, 1)], - [DX_CLEAR_DEPEND(doc, 1)], - [DX_REQUIRE_PROG([DX_PDFLATEX], pdflatex) - DX_REQUIRE_PROG([DX_MAKEINDEX], makeindex) - DX_REQUIRE_PROG([DX_EGREP], egrep)]) - -# LaTeX generation for PS and/or PDF: -if DX_TEST_FEATURE(ps) || DX_TEST_FEATURE(pdf); then - AM_CONDITIONAL(DX_COND_latex, :) - DX_ENV_APPEND(GENERATE_LATEX, YES) -else - AM_CONDITIONAL(DX_COND_latex, false) - DX_ENV_APPEND(GENERATE_LATEX, NO) -fi - -# Paper size for PS and/or PDF: -AC_ARG_VAR(DOXYGEN_PAPER_SIZE, - [a4wide (default), a4, letter, legal or executive]) -case "$DOXYGEN_PAPER_SIZE" in -#( -"") - AC_SUBST(DOXYGEN_PAPER_SIZE, "") -;; #( -a4wide|a4|letter|legal|executive) - DX_ENV_APPEND(PAPER_SIZE, $DOXYGEN_PAPER_SIZE) -;; #( -*) - AC_MSG_ERROR([unknown DOXYGEN_PAPER_SIZE='$DOXYGEN_PAPER_SIZE']) -;; -esac - -#For debugging: -#echo DX_FLAG_doc=$DX_FLAG_doc -#echo DX_FLAG_dot=$DX_FLAG_dot -#echo DX_FLAG_man=$DX_FLAG_man -#echo DX_FLAG_html=$DX_FLAG_html -#echo DX_FLAG_chm=$DX_FLAG_chm -#echo DX_FLAG_chi=$DX_FLAG_chi -#echo DX_FLAG_rtf=$DX_FLAG_rtf -#echo DX_FLAG_xml=$DX_FLAG_xml -#echo DX_FLAG_pdf=$DX_FLAG_pdf -#echo DX_FLAG_ps=$DX_FLAG_ps -#echo DX_ENV=$DX_ENV -]) diff --git a/m4/ld-version-script.m4 b/m4/ld-version-script.m4 deleted file mode 100644 index 5ed93ef..0000000 --- a/m4/ld-version-script.m4 +++ /dev/null @@ -1,53 +0,0 @@ -# ld-version-script.m4 serial 3 -dnl Copyright (C) 2008-2012 Free Software Foundation, Inc. -dnl This file is free software; the Free Software Foundation -dnl gives unlimited permission to copy and/or distribute it, -dnl with or without modifications, as long as this notice is preserved. - -dnl From Simon Josefsson - -# FIXME: The test below returns a false positive for mingw -# cross-compiles, 'local:' statements does not reduce number of -# exported symbols in a DLL. Use --disable-ld-version-script to work -# around the problem. - -# gl_LD_VERSION_SCRIPT -# -------------------- -# Check if LD supports linker scripts, and define automake conditional -# HAVE_LD_VERSION_SCRIPT if so. -AC_DEFUN([gl_LD_VERSION_SCRIPT], -[ - AC_ARG_ENABLE([ld-version-script], - AS_HELP_STRING([--enable-ld-version-script], - [enable linker version script (default is enabled when possible)]), - [have_ld_version_script=$enableval], []) - if test -z "$have_ld_version_script"; then - AC_MSG_CHECKING([if LD -Wl,--version-script works]) - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map" - cat > conftest.map < conftest.map <. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# PKG_PROG_PKG_CONFIG([MIN-VERSION]) -# ---------------------------------- -AC_DEFUN([PKG_PROG_PKG_CONFIG], -[m4_pattern_forbid([^_?PKG_[A-Z_]+$]) -m4_pattern_allow([^PKG_CONFIG(_PATH)?$]) -AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl -if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then - AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) -fi -if test -n "$PKG_CONFIG"; then - _pkg_min_version=m4_default([$1], [0.9.0]) - AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) - if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then - AC_MSG_RESULT([yes]) - else - AC_MSG_RESULT([no]) - PKG_CONFIG="" - fi - -fi[]dnl -])# PKG_PROG_PKG_CONFIG - -# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) -# -# Check to see whether a particular set of modules exists. Similar -# to PKG_CHECK_MODULES(), but does not set variables or print errors. -# -# -# Similar to PKG_CHECK_MODULES, make sure that the first instance of -# this or PKG_CHECK_MODULES is called, or make sure to call -# PKG_CHECK_EXISTS manually -# -------------------------------------------------------------- -AC_DEFUN([PKG_CHECK_EXISTS], -[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl -if test -n "$PKG_CONFIG" && \ - AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then - m4_ifval([$2], [$2], [:]) -m4_ifvaln([$3], [else - $3])dnl -fi]) - - -# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) -# --------------------------------------------- -m4_define([_PKG_CONFIG], -[if test -n "$PKG_CONFIG"; then - if test -n "$$1"; then - pkg_cv_[]$1="$$1" - else - PKG_CHECK_EXISTS([$3], - [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`], - [pkg_failed=yes]) - fi -else - pkg_failed=untried -fi[]dnl -])# _PKG_CONFIG - -# _PKG_SHORT_ERRORS_SUPPORTED -# ----------------------------- -AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], -[AC_REQUIRE([PKG_PROG_PKG_CONFIG]) -if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then - _pkg_short_errors_supported=yes -else - _pkg_short_errors_supported=no -fi[]dnl -])# _PKG_SHORT_ERRORS_SUPPORTED - - -# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], -# [ACTION-IF-NOT-FOUND]) -# -# -# Note that if there is a possibility the first call to -# PKG_CHECK_MODULES might not happen, you should be sure to include an -# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac -# -# -# -------------------------------------------------------------- -AC_DEFUN([PKG_CHECK_MODULES], -[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl -AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl -AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl - -pkg_failed=no -AC_MSG_CHECKING([for $1]) - -_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) -_PKG_CONFIG([$1][_LIBS], [libs], [$2]) - -m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS -and $1[]_LIBS to avoid the need to call pkg-config. -See the pkg-config man page for more details.]) - -if test $pkg_failed = yes; then - _PKG_SHORT_ERRORS_SUPPORTED - if test $_pkg_short_errors_supported = yes; then - $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"` - else - $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"` - fi - # Put the nasty error message in config.log where it belongs - echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD - - ifelse([$4], , [AC_MSG_ERROR(dnl -[Package requirements ($2) were not met: - -$$1_PKG_ERRORS - -Consider adjusting the PKG_CONFIG_PATH environment variable if you -installed software in a non-standard prefix. - -_PKG_TEXT -])], - [AC_MSG_RESULT([no]) - $4]) -elif test $pkg_failed = untried; then - ifelse([$4], , [AC_MSG_FAILURE(dnl -[The pkg-config script could not be found or is too old. Make sure it -is in your PATH or set the PKG_CONFIG environment variable to the full -path to pkg-config. - -_PKG_TEXT - -To get pkg-config, see .])], - [$4]) -else - $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS - $1[]_LIBS=$pkg_cv_[]$1[]_LIBS - AC_MSG_RESULT([yes]) - ifelse([$3], , :, [$3]) -fi[]dnl -])# PKG_CHECK_MODULES diff --git a/m4/valgrind-tests.m4 b/m4/valgrind-tests.m4 deleted file mode 100644 index 5191a5f..0000000 --- a/m4/valgrind-tests.m4 +++ /dev/null @@ -1,37 +0,0 @@ -# valgrind-tests.m4 serial 3 -dnl Copyright (C) 2008-2014 Free Software Foundation, Inc. -dnl This file is free software; the Free Software Foundation -dnl gives unlimited permission to copy and/or distribute it, -dnl with or without modifications, as long as this notice is preserved. - -dnl From Simon Josefsson - -# gl_VALGRIND_TESTS() -# ------------------- -# Check if valgrind is available, and set VALGRIND to it if available. -AC_DEFUN([gl_VALGRIND_TESTS], -[ - AC_ARG_ENABLE(valgrind-tests, - AS_HELP_STRING([--enable-valgrind-tests], - [run self tests under valgrind]), - [opt_valgrind_tests=$enableval], [opt_valgrind_tests=yes]) - - # Run self-tests under valgrind? - if test "$opt_valgrind_tests" = "yes" && test "$cross_compiling" = no; then - AC_CHECK_PROGS(VALGRIND, valgrind) - fi - - OPTS="-q --error-exitcode=1 --leak-check=full" - - if test -n "$VALGRIND" \ - && $VALGRIND $OPTS $SHELL -c 'exit 0' > /dev/null 2>&1; then - opt_valgrind_tests=yes - VALGRIND="$VALGRIND $OPTS" - else - opt_valgrind_tests=no - VALGRIND= - fi - - AC_MSG_CHECKING([whether self tests are run under valgrind]) - AC_MSG_RESULT($opt_valgrind_tests) -]) diff --git a/m4/warnings.m4 b/m4/warnings.m4 deleted file mode 100644 index 28b8294..0000000 --- a/m4/warnings.m4 +++ /dev/null @@ -1,61 +0,0 @@ -# warnings.m4 serial 7 -dnl Copyright (C) 2008-2012 Free Software Foundation, Inc. -dnl This file is free software; the Free Software Foundation -dnl gives unlimited permission to copy and/or distribute it, -dnl with or without modifications, as long as this notice is preserved. - -dnl From Simon Josefsson - -# gl_AS_VAR_APPEND(VAR, VALUE) -# ---------------------------- -# Provide the functionality of AS_VAR_APPEND if Autoconf does not have it. -m4_ifdef([AS_VAR_APPEND], -[m4_copy([AS_VAR_APPEND], [gl_AS_VAR_APPEND])], -[m4_define([gl_AS_VAR_APPEND], -[AS_VAR_SET([$1], [AS_VAR_GET([$1])$2])])]) - - -# gl_COMPILER_OPTION_IF(OPTION, [IF-SUPPORTED], [IF-NOT-SUPPORTED], -# [PROGRAM = AC_LANG_PROGRAM()]) -# ----------------------------------------------------------------- -# Check if the compiler supports OPTION when compiling PROGRAM. -# -# FIXME: gl_Warn must be used unquoted until we can assume Autoconf -# 2.64 or newer. -AC_DEFUN([gl_COMPILER_OPTION_IF], -[AS_VAR_PUSHDEF([gl_Warn], [gl_cv_warn_[]_AC_LANG_ABBREV[]_$1])dnl -AS_VAR_PUSHDEF([gl_Flags], [_AC_LANG_PREFIX[]FLAGS])dnl -AC_CACHE_CHECK([whether _AC_LANG compiler handles $1], m4_defn([gl_Warn]), [ - gl_save_compiler_FLAGS="$gl_Flags" - gl_AS_VAR_APPEND(m4_defn([gl_Flags]), [" $1"]) - AC_COMPILE_IFELSE([m4_default([$4], [AC_LANG_PROGRAM([])])], - [AS_VAR_SET(gl_Warn, [yes])], - [AS_VAR_SET(gl_Warn, [no])]) - gl_Flags="$gl_save_compiler_FLAGS" -]) -AS_VAR_IF(gl_Warn, [yes], [$2], [$3]) -AS_VAR_POPDEF([gl_Flags])dnl -AS_VAR_POPDEF([gl_Warn])dnl -]) - - -# gl_WARN_ADD(OPTION, [VARIABLE = WARN_CFLAGS], -# [PROGRAM = AC_LANG_PROGRAM()]) -# --------------------------------------------- -# Adds parameter to WARN_CFLAGS if the compiler supports it when -# compiling PROGRAM. For example, gl_WARN_ADD([-Wparentheses]). -# -# If VARIABLE is a variable name, AC_SUBST it. -AC_DEFUN([gl_WARN_ADD], -[gl_COMPILER_OPTION_IF([$1], - [gl_AS_VAR_APPEND(m4_if([$2], [], [[WARN_CFLAGS]], [[$2]]), [" $1"])], - [], - [$3]) -m4_ifval([$2], - [AS_LITERAL_IF([$2], [AC_SUBST([$2])])], - [AC_SUBST([WARN_CFLAGS])])dnl -]) - -# Local Variables: -# mode: autoconf -# End: diff --git a/mac.mk b/mac.mk deleted file mode 100644 index 1bd215b..0000000 --- a/mac.mk +++ /dev/null @@ -1,98 +0,0 @@ -# Copyright (c) 2014-2016 Yubico AB -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -PACKAGE=yubico-piv-tool -OPENSSLVERSION=1.0.2r -CFLAGS="-mmacosx-version-min=10.6" - -all: usage mac - -.PHONY: usage -usage: - @if test -z "$(VERSION)" || test -z "$(PGPKEYID)"; then \ - echo "Try this instead:"; \ - echo " make PGPKEYID=[PGPKEYID] VERSION=[VERSION]"; \ - echo "For example:"; \ - echo " make PGPKEYID=2117364A VERSION=1.6.0"; \ - exit 1; \ - fi - -doit: - rm -rf tmp && mkdir tmp && cd tmp && \ - mkdir -p root/licenses && \ - cp ../openssl-$(OPENSSLVERSION).tar.gz . || \ - curl -L -O "https://www.openssl.org/source/openssl-$(OPENSSLVERSION).tar.gz" && \ - tar xfz openssl-$(OPENSSLVERSION).tar.gz && \ - cd openssl-$(OPENSSLVERSION) && \ - ./Configure darwin64-x86_64-cc shared no-ssl2 no-ssl3 no-engines --prefix=$(PWD)/tmp/root $(CFLAGS) && \ - make all install_sw VERSION="$(OPENSSLVERSION)" && \ - cp LICENSE $(PWD)/tmp$(ARCH)/root/licenses/openssl.txt && \ - rm -rf $(PWD)/tmp/root/ssl/ && \ - rm -rf $(PWD)/tmp/root/bin/ && \ - rm -rf $(PWD)/tmp/root/lib/engines/ && \ - rm -rf $(PWD)/tmp/root/lib/libssl* && \ - rm $(PWD)/tmp/root/lib/pkgconfig/libssl.pc && \ - rm $(PWD)/tmp/root/lib/pkgconfig/openssl.pc && \ - cd .. && \ - cp ../$(PACKAGE)-$(VERSION).tar.gz . && \ - tar xfz $(PACKAGE)-$(VERSION).tar.gz && \ - cd $(PACKAGE)-$(VERSION)/ && \ - CFLAGS=$(CFLAGS) PKG_CONFIG_PATH=$(PWD)/tmp/root/lib/pkgconfig ./configure --prefix=$(PWD)/tmp/root && \ - make install $(CHECK) && \ - chmod u+w $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib && \ - install_name_tool -id @loader_path/libcrypto.1.0.0.dylib $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib && \ - install_name_tool -id @loader_path/libykpiv.1.dylib $(PWD)/tmp/root/lib/libykpiv.1.dylib && \ - install_name_tool -id @loader_path/libykcs11.1.dylib $(PWD)/tmp/root/lib/libykcs11.1.dylib && \ - install_name_tool -change $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib @loader_path/libcrypto.1.0.0.dylib $(PWD)/tmp/root/lib/libykpiv.1.dylib && \ - install_name_tool -change $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib @loader_path/libcrypto.1.0.0.dylib $(PWD)/tmp/root/lib/libykcs11.1.dylib && \ - install_name_tool -change $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib @executable_path/../lib/libcrypto.1.0.0.dylib $(PWD)/tmp/root/bin/yubico-piv-tool && \ - install_name_tool -change $(PWD)/tmp/root/lib/libykpiv.1.dylib @loader_path/libykpiv.1.dylib $(PWD)/tmp/root/lib/libykcs11.1.dylib && \ - install_name_tool -change $(PWD)/tmp/root/lib/libykpiv.1.dylib @executable_path/../lib/libykpiv.1.dylib $(PWD)/tmp/root/bin/yubico-piv-tool ; \ - if otool -L $(PWD)/tmp/root/lib/*.dylib $(PWD)/tmp/root/bin/* | grep '$(PWD)/tmp/root' | grep -q compatibility; then \ - echo "something is incorrectly linked!"; \ - exit 1; \ - fi && \ - rm $(PWD)/tmp/root/lib/*.la && \ - rm -rf $(PWD)/tmp/root/lib/pkgconfig && \ - cp COPYING $(PWD)/tmp/root/licenses/$(PACKAGE).txt && \ - cd .. && \ - cd root && \ - zip -r ../../$(PACKAGE)-$(VERSION)-mac.zip * - -mac: - $(MAKE) -f mac.mk doit CHECK=check - -upload-mac: - @if test ! -d "$(YUBICO_GITHUB_REPO)"; then \ - echo "yubico.github.com repo not found!"; \ - echo "Make sure that YUBICO_GITHUB_REPO is set"; \ - exit 1; \ - fi - gpg --detach-sign --default-key $(PGPKEYID) \ - $(PACKAGE)-$(VERSION)-mac.zip - gpg --verify $(PACKAGE)-$(VERSION)-mac.zip.sig - $(YUBICO_GITHUB_REPO)/publish $(PACKAGE) $(VERSION) $(PACKAGE)-$(VERSION)-mac.zip* diff --git a/tools/confirm.sh b/tools/confirm.sh deleted file mode 100755 index 81c10ac..0000000 --- a/tools/confirm.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash - -# Output redirected to fd 0 so it can be run from 'make check' scripts. - -echo >&0 -echo "Hardware tests enabled!" >&0 -echo >&0 -echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0 -echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0 -echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0 -echo >&0 -echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0 -echo >&0 -echo " ALL DATA WILL BE ERASED ON CONNECTED YUBIKEYS " >&0 -echo >&0 -echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0 -echo >&0 -echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0 -echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0 -echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0 -echo >&0 -echo -n "Are you SURE you wish to proceed? If so, type 'CONFIRM': " >&0 - -read CONFIRM -if [[ "x$CONFIRM" != "xCONFIRM" ]]; then - echo "1" - exit 1 -fi -echo "0" diff --git a/tools/fasc.pl b/tools/fasc.pl deleted file mode 100644 index 205b65a..0000000 --- a/tools/fasc.pl +++ /dev/null @@ -1,94 +0,0 @@ -#!/usr/bin/perl - -# Copyright (c) 2014-2016 Yubico AB -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -# This little perl program takes an input like: -# S9999F9999F999999F0F1F0000000000300001E -# and outputs that in hex, encoded in the 5-bit form described in -# "Technical Implementation Guidance: Smart Card Enabled Physical Access -# Control Systems Version 2.2", Section 6.2, Figure 7. - -use strict; -use Bit::Vector; - -my %encoding = ( - 0 => "00001", - 1 => "10000", - 2 => "01000", - 3 => "11001", - 4 => "00100", - 5 => "10101", - 6 => "01101", - 7 => "11100", - 8 => "00010", - 9 => "10011", - S => "11010", - F => "10110", - E => "11111", -); - -my $in = shift; - -my @ones = (0, 0, 0, 0); - -my $bits; -foreach my $char (split(//, $in)) { - my $enc = $encoding{$char}; - for(my $i = 0; $i < 4; $i++) { - my $char = substr($enc, $i, 1); - if($char eq '1') { - $ones[$i]++; - } - } - $bits .= $enc; -} -my $lrc = ""; -my $lrc_one = 0; -foreach my $one (@ones) { - if($one % 2 == 0) { - $lrc .= '0'; - } else { - $lrc .= '1'; - $lrc_one++; - } -} -if($lrc_one % 2 == 0) { - $lrc .= '1'; -} else { - $lrc .= '0'; -} -$bits .= $lrc; - -my $vector = Bit::Vector->new(200); -$vector->from_Bin($bits); -my $hex = $vector->to_Hex(); -for(my $i = 0; $i < length($hex); $i += 2) { - print "0x" . substr($hex, $i , 2) . ", "; -} - -print "\n"; diff --git a/vagrant/development/README.md b/vagrant/development/README.md deleted file mode 100644 index 61eddc4..0000000 --- a/vagrant/development/README.md +++ /dev/null @@ -1,16 +0,0 @@ -Vagrant VM for development -=== - -Usage: - - alice@work $ cd yubico-piv-tool/vagrant/development - alice@work $ vagrant up - alice@work $ vagrant ssh - ubuntu@ubuntu-xenial $ cd /vagrant - ubuntu@ubuntu-xenial $ autoreconf --install - ubuntu@ubuntu-xenial $ ./configure - ubuntu@ubuntu-xenial $ make - ubuntu@ubuntu-xenial $ sudo make install - ubuntu@ubuntu-xenial $ yubico-piv-tool --help - ubuntu@ubuntu-xenial $ exit - alice@work $ vagrant destroy diff --git a/vagrant/development/Vagrantfile b/vagrant/development/Vagrantfile deleted file mode 100644 index e5ce751..0000000 --- a/vagrant/development/Vagrantfile +++ /dev/null @@ -1,42 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure("2") do |config| - - # Use Ubuntu 16.04 Xenial as a base box. - config.vm.box = "ubuntu/xenial64" - - # Install dependencies needed for yubikey-piv-manager development. - config.vm.provision "shell", path: "provision.sh" - - # Sync repository to /vagrant - config.vm.synced_folder '../..', '/vagrant' - - # VirtualBox configuration - config.vm.provider "virtualbox" do |vb| - vb.name = "yubikey-piv-tool_development" - end - - # Uncomment this to add a USB filter for YubiKeys. - # This will connect the YubiKey to the VM when re-inserted. - # This filter uses VirtualBox as provider. - # Modify the paramters as needed depending on the device. - - FILTER_NAME="YubiKey 4" - MANUFACTURER="Yubico" - VENDOR_ID="0x1050" - PRODUCT_ID="0x0407" - PRODUCT="Yubikey 4 OTP+U2F+CCID" - - config.vm.provider "virtualbox" do |vb| - vb.customize ['modifyvm', :id, '--usb', 'on'] - vb.customize ['usbfilter', 'add', '0', - '--target', :id, - '--name', FILTER_NAME, - '--manufacturer', MANUFACTURER, - '--vendorid', VENDOR_ID, - '--productid', PRODUCT_ID, - '--product', PRODUCT] - end - -end diff --git a/vagrant/development/provision.sh b/vagrant/development/provision.sh deleted file mode 100644 index dfe5c55..0000000 --- a/vagrant/development/provision.sh +++ /dev/null @@ -1,19 +0,0 @@ -#! /usr/bin/env bash - -# Install development dependencies -sudo apt-get update -qq -sudo apt-get install -qq software-properties-common -sudo add-apt-repository -y ppa:yubico/stable -sudo apt-get update -qq && apt-get -qq upgrade -sudo apt-get install -qq \ - autoconf \ - automake \ - check \ - gengetopt \ - help2man \ - libpcsclite-dev \ - libssl-dev \ - libtool \ - libykpiv1 \ - pkg-config \ - virtualbox-guest-dkms diff --git a/windows.mk b/windows.mk deleted file mode 100644 index b66a65e..0000000 --- a/windows.mk +++ /dev/null @@ -1,102 +0,0 @@ -# Copyright (c) 2014-2016 Yubico AB -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -PACKAGE=yubico-piv-tool -OPENSSLVERSION=1.0.2r -CHECKVERSION=0.12.0 - -all: usage 32bit 64bit - -.PHONY: usage -usage: - @if test -z "$(VERSION)" || test -z "$(PGPKEYID)"; then \ - echo "Try this instead:"; \ - echo " make PGPKEYID=[PGPKEYID] VERSION=[VERSION]"; \ - echo "For example:"; \ - echo " make PGPKEYID=2117364A VERSION=1.6.0"; \ - exit 1; \ - fi - -doit: - rm -rf tmp$(ARCH) && mkdir tmp$(ARCH) && cd tmp$(ARCH) && \ - mkdir -p root/licenses && \ - cp ../openssl-$(OPENSSLVERSION).tar.gz . || \ - curl -L -O "https://www.openssl.org/source/openssl-$(OPENSSLVERSION).tar.gz" && \ - tar xfa openssl-$(OPENSSLVERSION).tar.gz && \ - cd openssl-$(OPENSSLVERSION) && \ - CROSS_COMPILE="$(HOST)-" ./Configure mingw$(64) no-ssl2 no-ssl3 no-engines shared --prefix=$(PWD)/tmp$(ARCH)/root -static-libgcc && \ - make depend all install_sw VERSION="$(OPENSSLVERSION)" && \ - cp LICENSE $(PWD)/tmp$(ARCH)/root/licenses/openssl.txt && \ - rm -rf $(PWD)/tmp$(ARCH)/root/ssl/ && \ - rm $(PWD)/tmp$(ARCH)/root/bin/openssl.exe && \ - rm $(PWD)/tmp$(ARCH)/root/bin/c_rehash && \ - rm -rf $(PWD)/tmp$(ARCH)/root/lib/engines/ && \ - cd .. && \ - cp ../check-$(CHECKVERSION).tar.gz . || \ - curl -L -O "https://github.com/libcheck/check/releases/download/$(CHECKVERSION)/check-$(CHECKVERSION).tar.gz" && \ - tar xfa check-$(CHECKVERSION).tar.gz && \ - cd check-$(CHECKVERSION) && \ - CC=$(HOST)-gcc PKG_CONFIG_PATH=$(PWD)/tmp$(ARCH)/root/lib/pkgconfig ./configure --host=$(HOST) --build=x86_64-unknown-linux-gnu --prefix=$(PWD)/tmp$(ARCH)/root --disable-subunit --enable-static --disable-shared && \ - make all install && \ - cd .. && \ - cp ../$(PACKAGE)-$(VERSION).tar.gz . && \ - tar xfa $(PACKAGE)-$(VERSION).tar.gz && \ - cd $(PACKAGE)-$(VERSION)/ && \ - CC=$(HOST)-gcc PKG_CONFIG_PATH=$(PWD)/tmp$(ARCH)/root/lib/pkgconfig lt_cv_deplibs_check_method=pass_all ./configure --host=$(HOST) --build=x86_64-unknown-linux-gnu --prefix=$(PWD)/tmp$(ARCH)/root LDFLAGS=-L$(PWD)/tmp$(ARCH)/root/lib CPPFLAGS=-I$(PWD)/tmp$(ARCH)/root/include && \ - WINEPATH="/usr/$(HOST)/lib/" make install $(CHECK) && \ - rm $(PWD)/tmp$(ARCH)/root/lib/*.la && \ - rm -rf $(PWD)/tmp$(ARCH)/root/lib/pkgconfig/ && \ - cp COPYING $(PWD)/tmp$(ARCH)/root/licenses/$(PACKAGE).txt && \ - cd .. && \ - cd check-$(CHECKVERSION) && \ - make uninstall && \ - cd .. && \ - cd root && \ - zip -r ../../$(PACKAGE)-$(VERSION)-win$(ARCH).zip * - -32bit: - $(MAKE) -f windows.mk doit ARCH=32 HOST=i686-w64-mingw32 CHECK=check - -64bit: - $(MAKE) -f windows.mk doit ARCH=64 HOST=x86_64-w64-mingw32 64=64 CHECK=check - -upload: - @if test ! -d "$(YUBICO_GITHUB_REPO)"; then \ - echo "yubico.github.com repo not found!"; \ - echo "Make sure that YUBICO_GITHUB_REPO is set"; \ - exit 1; \ - fi - gpg --detach-sign --default-key $(PGPKEYID) \ - $(PACKAGE)-$(VERSION)-win$(ARCH).zip - gpg --verify $(PACKAGE)-$(VERSION)-win$(ARCH).zip.sig - $(YUBICO_GITHUB_REPO)/publish $(PACKAGE) $(VERSION) $(PACKAGE)-$(VERSION)-win${ARCH}.zip* - -upload-32bit: - $(MAKE) -f windows.mk upload ARCH=32 - -upload-64bit: - $(MAKE) -f windows.mk upload ARCH=64 diff --git a/ykcs11/Makefile.am b/ykcs11/Makefile.am deleted file mode 100644 index 5c98edd..0000000 --- a/ykcs11/Makefile.am +++ /dev/null @@ -1,70 +0,0 @@ -# Copyright (c) 2015-2016 Yubico AB -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -SUBDIRS = . tests - -AM_CFLAGS = $(WERROR_CFLAGS) $(WARN_CFLAGS) -AM_CPPFLAGS = $(OPENSSL_CFLAGS) $(PCSC_CFLAGS) -AM_CPPFLAGS += -I$(top_srcdir)/lib -I$(top_builddir)/lib -AM_CPPFLAGS += -I$(top_srcdir)/tool -I$(top_builddir)/tool - -lib_LTLIBRARIES = libykcs11.la - -libykcs11_la_SOURCES = ykcs11.c ykcs11.pc.in ykcs11.map -libykcs11_la_SOURCES += ykcs11.h debug.h -libykcs11_la_SOURCES += vendors.c vendors.h vendor_ids.h -libykcs11_la_SOURCES += slot_vendors.c slot_vendors.h -libykcs11_la_SOURCES += token_vendors.c token_vendors.h -libykcs11_la_SOURCES += mechanisms.c mechanisms.h -libykcs11_la_SOURCES += yubico_slot.c yubico_slot.h yubico_token.c yubico_token.h -libykcs11_la_SOURCES += utils.c utils.h -libykcs11_la_SOURCES += openssl_utils.c openssl_utils.h openssl_types.h -libykcs11_la_SOURCES += objects.c objects.h obj_types.h -libykcs11_la_SOURCES += pkcs11.h pkcs11y.h -libykcs11_la_SOURCES += ykcs11-version.h - -EXTRA_libykcs11_la_DEPENDENCIES = ykcs11.map - -libykcs11_la_LIBADD = ../lib/libykpiv.la -libykcs11_la_LIBADD += ../tool/libpiv_util.la - -libykcs11_la_LDFLAGS = -no-undefined -libykcs11_la_LDFLAGS += -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) - -if HAVE_LD_VERSION_SCRIPT -libykcs11_la_LDFLAGS += -Wl,--version-script=$(srcdir)/ykcs11.map -else -libykcs11_la_LDFLAGS += -export-symbols-regex '^C_.*' -endif - -pkgconfigdir = $(libdir)/pkgconfig -pkgconfig_DATA = ykcs11.pc - -if ENABLE_COV -AM_CFLAGS += --coverage -AM_LDFLAGS = --coverage -endif diff --git a/ykcs11/debug.h b/ykcs11/debug.h deleted file mode 100644 index 6574acf..0000000 --- a/ykcs11/debug.h +++ /dev/null @@ -1,55 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef DEBUG_H -#define DEBUG_H - -#define D(x...) do { \ - fprintf (stderr, "debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \ - fprintf (stderr, x); \ - fprintf (stderr, "\n"); \ - } while (0) - -#if YKCS11_DBG -#include -#define DBG(x...) D(x); -#else -#define DBG(x...) -#endif - -#if YKCS11_DINOUT -#define DIN D(("In")); -#define DOUT D(("Out")); -#else -#define DIN -#define DOUT -#endif - -#endif diff --git a/ykcs11/mechanisms.c b/ykcs11/mechanisms.c deleted file mode 100644 index 04b4713..0000000 --- a/ykcs11/mechanisms.c +++ /dev/null @@ -1,553 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "mechanisms.h" -#include "openssl_utils.h" -#include "utils.h" -#include "debug.h" -#include - -#define F4 "\x01\x00\x01" -#define PRIME256V1 "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07" - -// Supported mechanisms for signature -static const CK_MECHANISM_TYPE sign_mechanisms[] = { - CKM_RSA_PKCS, - CKM_RSA_PKCS_PSS, - CKM_RSA_X_509, - CKM_SHA1_RSA_PKCS, - CKM_SHA256_RSA_PKCS, - CKM_SHA384_RSA_PKCS, - CKM_SHA512_RSA_PKCS, - CKM_SHA1_RSA_PKCS_PSS, - CKM_SHA256_RSA_PKCS_PSS, - CKM_SHA384_RSA_PKCS_PSS, - CKM_SHA512_RSA_PKCS_PSS, - CKM_ECDSA, - CKM_ECDSA_SHA1, - CKM_ECDSA_SHA256 -}; - -// Supported mechanisms for key pair generation -static const CK_MECHANISM_TYPE generation_mechanisms[] = { - CKM_RSA_PKCS_KEY_PAIR_GEN, - //CKM_ECDSA_KEY_PAIR_GEN, Deperecated - CKM_EC_KEY_PAIR_GEN -}; - -// Supported mechanisms for hashing -static const CK_MECHANISM_TYPE hash_mechanisms[] = { - CKM_SHA_1, - CKM_SHA256, - CKM_SHA384, - CKM_SHA512 -}; - -CK_RV check_sign_mechanism(const ykcs11_session_t *s, const CK_MECHANISM_PTR m) { - - CK_ULONG i; - CK_BBOOL supported = CK_FALSE; - token_vendor_t token; - CK_MECHANISM_INFO info; - - // Check if the mechanism is supported by the module - for (i = 0; i < sizeof(sign_mechanisms) / sizeof(CK_MECHANISM_TYPE); i++) { - if (m->mechanism == sign_mechanisms[i]) { - supported = CK_TRUE; - break; - } - } - if (supported == CK_FALSE) - return CKR_MECHANISM_INVALID; - - // Check if the mechanism is supported by the token - token = get_token_vendor(s->slot->token->vid); - - if (token.get_token_mechanism_info(m->mechanism, &info) != CKR_OK) - return CKR_MECHANISM_INVALID; - - // TODO: also check that parametes make sense if any? And key size is in [min max] - - return CKR_OK; - -} - -CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m) { - - switch (m) { - case CKM_RSA_PKCS_KEY_PAIR_GEN: - case CKM_RSA_PKCS: - case CKM_RSA_9796: - case CKM_RSA_X_509: - case CKM_SHA1_RSA_PKCS: -// case CKM_SHA224_RSA_PKCS: - case CKM_SHA256_RSA_PKCS: - case CKM_SHA384_RSA_PKCS: - case CKM_SHA512_RSA_PKCS: -// case CKM_RIPEMD128_RSA_PKCS: -// case CKM_RIPEMD160_RSA_PKCS: -// case CKM_RSA_PKCS_OAEP: -// case CKM_RSA_X9_31_KEY_PAIR_GEN: -// case CKM_RSA_X9_31: -// case CKM_SHA1_RSA_X9_31: - case CKM_RSA_PKCS_PSS: - case CKM_SHA1_RSA_PKCS_PSS: -// case CKM_SHA224_RSA_PKCS_PSS: - case CKM_SHA256_RSA_PKCS_PSS: - case CKM_SHA512_RSA_PKCS_PSS: - case CKM_SHA384_RSA_PKCS_PSS: -// case CKM_RSA_PKCS_TPM_1_1: -// case CKM_RSA_PKCS_OAEP_TPM_1_1: -// case CKM_RSA_AES_KEY_WRAP: - return CK_TRUE; - - default: - return CK_FALSE; - } - - // Not reached - return CK_FALSE; -} - -CK_BBOOL is_PSS_mechanism(CK_MECHANISM_TYPE m) { - - switch (m) { - case CKM_RSA_PKCS_PSS: - case CKM_SHA1_RSA_PKCS_PSS: -// case CKM_SHA224_RSA_PKCS_PSS: - case CKM_SHA256_RSA_PKCS_PSS: - case CKM_SHA512_RSA_PKCS_PSS: - case CKM_SHA384_RSA_PKCS_PSS: - return CK_TRUE; - - default: - return CK_FALSE; - } - - // Not reached - return CK_FALSE; -} - -CK_BBOOL is_hashed_mechanism(CK_MECHANISM_TYPE m) { - - switch (m) { - case CKM_SHA1_RSA_PKCS: - case CKM_SHA256_RSA_PKCS: - case CKM_SHA384_RSA_PKCS: - case CKM_SHA512_RSA_PKCS: - case CKM_SHA1_RSA_PKCS_PSS: - case CKM_SHA256_RSA_PKCS_PSS: - case CKM_SHA384_RSA_PKCS_PSS: - case CKM_SHA512_RSA_PKCS_PSS: - case CKM_ECDSA_SHA1: - case CKM_ECDSA_SHA256: - case CKM_SHA_1: - case CKM_SHA256: - case CKM_SHA384: - case CKM_SHA512: - return CK_TRUE; - - default: - return CK_FALSE; - } - - // Not reached - return CK_FALSE; -} - -CK_RV apply_sign_mechanism_init(op_info_t *op_info) { - - if (op_info->type != YKCS11_SIGN) - return CKR_FUNCTION_FAILED; - - switch (op_info->mechanism.mechanism) { - case CKM_RSA_PKCS: - case CKM_RSA_PKCS_PSS: - case CKM_RSA_X_509: - case CKM_ECDSA: - // No hash required for this mechanism - op_info->op.sign.md_ctx = NULL; - return CKR_OK; - - case CKM_SHA1_RSA_PKCS: - case CKM_SHA1_RSA_PKCS_PSS: - case CKM_ECDSA_SHA1: - return do_md_init(YKCS11_SHA1, &op_info->op.sign.md_ctx); - - case CKM_SHA256_RSA_PKCS: - case CKM_SHA256_RSA_PKCS_PSS: - case CKM_ECDSA_SHA256: - return do_md_init(YKCS11_SHA256, &op_info->op.sign.md_ctx); - - case CKM_SHA384_RSA_PKCS: - case CKM_SHA384_RSA_PKCS_PSS: - return do_md_init(YKCS11_SHA384, &op_info->op.sign.md_ctx); - - case CKM_SHA512_RSA_PKCS: - case CKM_SHA512_RSA_PKCS_PSS: - return do_md_init(YKCS11_SHA512, &op_info->op.sign.md_ctx); - - default: - return CKR_FUNCTION_FAILED; - } - - // Never reached - return CKR_FUNCTION_FAILED; -} - -CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG in_len) { - CK_RV rv; - - if (op_info->type != YKCS11_SIGN) - return CKR_FUNCTION_FAILED; - - switch (op_info->mechanism.mechanism) { - case CKM_RSA_PKCS: - case CKM_RSA_PKCS_PSS: - case CKM_ECDSA: - case CKM_RSA_X_509: - // Mechanism not suitable for multipart signatures - return CKR_FUNCTION_FAILED; - - case CKM_SHA1_RSA_PKCS: - case CKM_SHA256_RSA_PKCS: - case CKM_SHA384_RSA_PKCS: - case CKM_SHA512_RSA_PKCS: - case CKM_SHA1_RSA_PKCS_PSS: - case CKM_SHA256_RSA_PKCS_PSS: - case CKM_SHA384_RSA_PKCS_PSS: - case CKM_SHA512_RSA_PKCS_PSS: - case CKM_ECDSA_SHA1: - case CKM_ECDSA_SHA256: - rv = do_md_update(op_info->op.sign.md_ctx, in, in_len); - if (rv != CKR_OK) - return CKR_FUNCTION_FAILED; - - return CKR_OK; - - default: - return CKR_FUNCTION_FAILED; - } - -} - -CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) { - - CK_RV rv; - int nid = NID_undef; - CK_ULONG len; - - if (op_info->type != YKCS11_SIGN) - return CKR_FUNCTION_FAILED; - - switch (op_info->mechanism.mechanism) { - case CKM_SHA1_RSA_PKCS_PSS: - case CKM_SHA256_RSA_PKCS_PSS: - case CKM_SHA384_RSA_PKCS_PSS: - case CKM_SHA512_RSA_PKCS_PSS: - // Finalize the hash - rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid); - op_info->op.sign.md_ctx = NULL; - if (rv != CKR_OK) - return CKR_FUNCTION_FAILED; - - case CKM_RSA_PKCS_PSS: - // Compute padding for all PSS variants - // TODO: digestinfo/paraminfo ? - rv = do_pkcs_pss(op_info->op.sign.key, op_info->buf, op_info->buf_len, nid, op_info->buf, &op_info->buf_len); - do_free_rsa_public_key(op_info->op.sign.key); - - return rv; - - case CKM_RSA_X_509: - // Padding in this case consists of prepending zeroes - len = (op_info->op.sign.key_len / 8) - op_info->buf_len; - memmove(op_info->buf + len, op_info->buf, op_info->buf_len); - memset(op_info->buf, 0, len); - op_info->buf_len = op_info->op.sign.key_len / 8; - return CKR_OK; - - case CKM_SHA1_RSA_PKCS: - case CKM_SHA256_RSA_PKCS: - case CKM_SHA384_RSA_PKCS: - case CKM_SHA512_RSA_PKCS: - // Finalize the hash add digest info - rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid); - op_info->op.sign.md_ctx = NULL; - if (rv != CKR_OK) - return CKR_FUNCTION_FAILED; - - case CKM_RSA_PKCS: - // Add digest info if needed - if (nid != NID_undef) { - rv = do_pkcs_1_digest_info(op_info->buf, op_info->buf_len, nid, op_info->buf, &op_info->buf_len); - if (rv != CKR_OK) - return CKR_FUNCTION_FAILED; - } - - // Compute padding for all PKCS1 variants - len = op_info->buf_len; - op_info->buf_len = sizeof(op_info->buf); - return do_pkcs_1_t1(op_info->buf, len, op_info->buf, &op_info->buf_len, op_info->op.sign.key_len); - - case CKM_ECDSA_SHA1: - case CKM_ECDSA_SHA256: - // Finalize the hash - rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid); - op_info->op.sign.md_ctx = NULL; - if (rv != CKR_OK) - return CKR_FUNCTION_FAILED; - - case CKM_ECDSA: - return CKR_OK; - - default: - return CKR_FUNCTION_FAILED; - } -} - -CK_RV sign_mechanism_cleanup(op_info_t *op_info) { - - if (op_info->op.sign.md_ctx != NULL) { - do_md_cleanup(op_info->op.sign.md_ctx); - op_info->op.sign.md_ctx = NULL; - } - - return CKR_OK; -} - -CK_RV check_generation_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m) { - - CK_ULONG i; - CK_BBOOL supported = CK_FALSE; - token_vendor_t token; - CK_MECHANISM_INFO info; - - // Check if the mechanism is supported by the module - for (i = 0; i < sizeof(generation_mechanisms) / sizeof(CK_MECHANISM_TYPE); i++) { - if (m->mechanism == generation_mechanisms[i]) { - supported = CK_TRUE; - break; - } - } - if (supported == CK_FALSE) - return CKR_MECHANISM_INVALID; - - // Check if the mechanism is supported by the token - token = get_token_vendor(s->slot->token->vid); - - if (token.get_token_mechanism_info(m->mechanism, &info) != CKR_OK) - return CKR_MECHANISM_INVALID; - - // TODO: also check that parametes make sense if any? And key size is in [min max] - - return CKR_OK; - -} - -CK_RV check_pubkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n) { - - CK_ULONG i; - - op_info->op.gen.rsa = is_RSA_mechanism(op_info->mechanism.mechanism); - - for (i = 0; i < n; i++) { - switch (templ[i].type) { - case CKA_CLASS: - if (*((CK_ULONG_PTR) templ[i].pValue) != CKO_PUBLIC_KEY) - return CKR_TEMPLATE_INCONSISTENT; - - break; - - case CKA_KEY_TYPE: - if ((op_info->op.gen.rsa == CK_TRUE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_RSA) || - (op_info->op.gen.rsa == CK_FALSE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_ECDSA)) - return CKR_TEMPLATE_INCONSISTENT; - - break; - - case CKA_PUBLIC_EXPONENT: - if (op_info->op.gen.rsa == CK_FALSE) - return CKR_ATTRIBUTE_VALUE_INVALID; - - // Only support F4 - if (templ[i].ulValueLen != 3 || memcmp((CK_BYTE_PTR)templ[i].pValue, F4, 3) != 0) { - DBG("Unsupported public exponent"); - return CKR_ATTRIBUTE_VALUE_INVALID; - } - - break; - - case CKA_MODULUS_BITS: - if (op_info->op.gen.rsa == CK_FALSE) - return CKR_ATTRIBUTE_VALUE_INVALID; - - if (*((CK_ULONG_PTR) templ[i].pValue) != 1024 && - *((CK_ULONG_PTR) templ[i].pValue) != 2048) { // TODO: make define? - DBG("Unsupported MODULUS_BITS (key length)"); - return CKR_ATTRIBUTE_VALUE_INVALID; - } - - op_info->op.gen.key_len = *((CK_ULONG_PTR) templ[i].pValue); - break; - - case CKA_EC_PARAMS: - // Only support PRIME256V1 - if (templ[i].ulValueLen != 10 || memcmp((CK_BYTE_PTR)templ[i].pValue, PRIME256V1, 10) != 0) - return CKR_FUNCTION_FAILED; - - op_info->op.gen.key_len = 256; - break; - - case CKA_ID: - if (is_valid_key_id(*((CK_BYTE_PTR)templ[i].pValue)) == CK_FALSE) - return CKR_ATTRIBUTE_VALUE_INVALID; - - op_info->op.gen.key_id = PIV_PVTK_OBJ_PIV_AUTH + *((CK_BYTE_PTR)templ[i].pValue); - break; - - case CKA_TOKEN: - case CKA_ENCRYPT: - case CKA_VERIFY: - case CKA_WRAP: - case CKA_DERIVE: - case CKA_PRIVATE: - case CKA_LABEL: - // Ignore these attributes for now - break; - - default: - DBG("Invalid attribute %lx in public key template", templ[i].type); - return CKR_ATTRIBUTE_TYPE_INVALID; - } - } - - return CKR_OK; - -} - -CK_RV check_pvtkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n) { - - CK_ULONG i; - - op_info->op.gen.rsa = is_RSA_mechanism(op_info->mechanism.mechanism); - op_info->op.gen.vendor_defined = 0; - - for (i = 0; i < n; i++) { - switch (templ[i].type) { - case CKA_CLASS: - if (*((CK_ULONG_PTR)templ[i].pValue) != CKO_PRIVATE_KEY) - return CKR_TEMPLATE_INCONSISTENT; - - break; - - case CKA_KEY_TYPE: - if ((op_info->op.gen.rsa == CK_TRUE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_RSA) || - (op_info->op.gen.rsa == CK_FALSE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_ECDSA)) - return CKR_TEMPLATE_INCONSISTENT; - - break; - -/* case CKA_MODULUS_BITS: - if (op_info->op.gen.rsa == CK_FALSE) - return CKR_MECHANISM_PARAM_INVALID; - - if (*((CK_ULONG_PTR)templ[i].pValue) != 1024 && - *((CK_ULONG_PTR) templ[i].pValue) != 2048) // TODO: make define? - return CKR_MECHANISM_PARAM_INVALID; - - op_info->op.gen.key_len = *((CK_ULONG_PTR) templ[i].pValue); // TODO: check length? - break;*/ - - case CKA_ID: - if (is_valid_key_id(*((CK_BYTE_PTR)templ[i].pValue)) == CK_FALSE) - return CKR_ATTRIBUTE_VALUE_INVALID; - - // Check if ID was already specified in the public key template - // In that case it has to match - if (op_info->op.gen.key_id != 0 && - op_info->op.gen.key_id != (*((CK_BYTE_PTR)templ[i].pValue) + PIV_PVTK_OBJ_PIV_AUTH)) - return CKR_TEMPLATE_INCONSISTENT; - - op_info->op.gen.key_id = PIV_PVTK_OBJ_PIV_AUTH + *((CK_BYTE_PTR)templ[i].pValue); - break; - - case CKA_VENDOR_DEFINED: - op_info->op.gen.vendor_defined = (*((CK_ULONG_PTR)templ[i].pValue)); - - case CKA_SENSITIVE: - case CKA_DECRYPT: - case CKA_UNWRAP: - case CKA_SIGN: - case CKA_PRIVATE: - case CKA_TOKEN: - case CKA_DERIVE: - case CKA_LABEL: - // Ignore these attributes for now - break; - - default: - DBG("Invalid attribute %lx in private key template", templ[i].type); - return CKR_ATTRIBUTE_TYPE_INVALID; - } - } - - return CKR_OK; - -} - -CK_RV check_hash_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m) { - - CK_ULONG i; - CK_BBOOL supported = CK_FALSE; - token_vendor_t token; - CK_MECHANISM_INFO info; - - // Check if the mechanism is supported by the module - for (i = 0; i < sizeof(hash_mechanisms) / sizeof(CK_MECHANISM_TYPE); i++) { - if (m->mechanism == hash_mechanisms[i]) { - supported = CK_TRUE; - break; - } - } - if (supported == CK_FALSE) - return CKR_MECHANISM_INVALID; - - // Check if the mechanism is supported by the token - token = get_token_vendor(s->slot->token->vid); - - if (token.get_token_mechanism_info(m->mechanism, &info) != CKR_OK) - return CKR_MECHANISM_INVALID; - - // TODO: also check that parametes make sense if any? And key size is in [min max] - - return CKR_OK; - -} diff --git a/ykcs11/mechanisms.h b/ykcs11/mechanisms.h deleted file mode 100644 index 7308ce2..0000000 --- a/ykcs11/mechanisms.h +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef MECHANISMS_H -#define MECHANISMS_H - -#include "ykcs11.h" - -CK_RV check_sign_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m); -CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m); -CK_BBOOL is_PSS_mechanism(CK_MECHANISM_TYPE m); -CK_BBOOL is_hashed_mechanism(CK_MECHANISM_TYPE m); - -CK_RV apply_sign_mechanism_init(op_info_t *op_info); -CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG in_len); -CK_RV apply_sign_mechanism_finalize(op_info_t *op_info); -CK_RV sign_mechanism_cleanup(op_info_t *op_info); - -CK_RV check_generation_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m); -CK_RV check_pubkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n); // TODO: Move to objects.c -CK_RV check_pvtkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n); // TODO: Move to objects.c - -CK_RV check_hash_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m); - -#endif diff --git a/ykcs11/obj_types.h b/ykcs11/obj_types.h deleted file mode 100644 index 5d83200..0000000 --- a/ykcs11/obj_types.h +++ /dev/null @@ -1,201 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef OBJ_TYPES_H -#define OBJ_TYPES_H - -#include "pkcs11y.h" - -#include - -// TODO: this is mostly from OpenSC, how to give credit? -typedef enum { - PIV_DATA_OBJ_X509_PIV_AUTH = 0, // PIV authentication - PIV_DATA_OBJ_X509_CARD_AUTH, // Card authentication - PIV_DATA_OBJ_X509_DS, // Digital signature - PIV_DATA_OBJ_X509_KM, // Key management - PIV_DATA_OBJ_X509_RETIRED1, // Retired key 1 - PIV_DATA_OBJ_X509_RETIRED2, // Retired key 2 - PIV_DATA_OBJ_X509_RETIRED3, // Retired key 3 - PIV_DATA_OBJ_X509_RETIRED4, // Retired key 4 - PIV_DATA_OBJ_X509_RETIRED5, // Retired key 5 - PIV_DATA_OBJ_X509_RETIRED6, // Retired key 6 - PIV_DATA_OBJ_X509_RETIRED7, // Retired key 7 - PIV_DATA_OBJ_X509_RETIRED8, // Retired key 8 - PIV_DATA_OBJ_X509_RETIRED9, // Retired key 9 - PIV_DATA_OBJ_X509_RETIRED10, // Retired key 10 - PIV_DATA_OBJ_X509_RETIRED11, // Retired key 11 - PIV_DATA_OBJ_X509_RETIRED12, // Retired key 12 - PIV_DATA_OBJ_X509_RETIRED13, // Retired key 13 - PIV_DATA_OBJ_X509_RETIRED14, // Retired key 14 - PIV_DATA_OBJ_X509_RETIRED15, // Retired key 15 - PIV_DATA_OBJ_X509_RETIRED16, // Retired key 16 - PIV_DATA_OBJ_X509_RETIRED17, // Retired key 17 - PIV_DATA_OBJ_X509_RETIRED18, // Retired key 18 - PIV_DATA_OBJ_X509_RETIRED19, // Retired key 19 - PIV_DATA_OBJ_X509_RETIRED20, // Retired key 20 - PIV_DATA_OBJ_CCC, // Card capability container - PIV_DATA_OBJ_CHUI, // Cardholder unique id - PIV_DATA_OBJ_CHF, // Cardholder fingerprints - PIV_DATA_OBJ_SEC_OBJ, // Security object - PIV_DATA_OBJ_CHFI, // Cardholder facial images - PIV_DATA_OBJ_PI, // Cardholder printed information - PIV_DATA_OBJ_DISCOVERY, // Discovery object - PIV_DATA_OBJ_HISTORY, // History object - PIV_DATA_OBJ_IRIS_IMAGE, // Cardholder iris images - PIV_DATA_OBJ_BITGT, // Biometric information templates group template - PIV_DATA_OBJ_SM_SIGNER, // Secure messaging signer - PIV_DATA_OBJ_PC_REF_DATA, // Pairing code reference data - PIV_DATA_OBJ_LAST, - - PIV_CERT_OBJ_X509_PIV_AUTH, // Certificate for PIV authentication - PIV_CERT_OBJ_X509_CARD_AUTH, // Certificate for card authentication - PIV_CERT_OBJ_X509_DS, // Certificate for digital signature - PIV_CERT_OBJ_X509_KM, // Certificate for key management - PIV_CERT_OBJ_X509_RETIRED1, // Certificate for retired key 1 - PIV_CERT_OBJ_X509_RETIRED2, // Certificate for retired key 2 - PIV_CERT_OBJ_X509_RETIRED3, // Certificate for retired key 3 - PIV_CERT_OBJ_X509_RETIRED4, // Certificate for retired key 4 - PIV_CERT_OBJ_X509_RETIRED5, // Certificate for retired key 5 - PIV_CERT_OBJ_X509_RETIRED6, // Certificate for retired key 6 - PIV_CERT_OBJ_X509_RETIRED7, // Certificate for retired key 7 - PIV_CERT_OBJ_X509_RETIRED8, // Certificate for retired key 8 - PIV_CERT_OBJ_X509_RETIRED9, // Certificate for retired key 9 - PIV_CERT_OBJ_X509_RETIRED10, // Certificate for retired key 10 - PIV_CERT_OBJ_X509_RETIRED11, // Certificate for retired key 11 - PIV_CERT_OBJ_X509_RETIRED12, // Certificate for retired key 12 - PIV_CERT_OBJ_X509_RETIRED13, // Certificate for retired key 13 - PIV_CERT_OBJ_X509_RETIRED14, // Certificate for retired key 14 - PIV_CERT_OBJ_X509_RETIRED15, // Certificate for retired key 15 - PIV_CERT_OBJ_X509_RETIRED16, // Certificate for retired key 16 - PIV_CERT_OBJ_X509_RETIRED17, // Certificate for retired key 17 - PIV_CERT_OBJ_X509_RETIRED18, // Certificate for retired key 18 - PIV_CERT_OBJ_X509_RETIRED19, // Certificate for retired key 19 - PIV_CERT_OBJ_X509_RETIRED20, // Certificate for retired key 20 - PIV_CERT_OBJ_LAST, - - PIV_PVTK_OBJ_PIV_AUTH, // Private key for PIV authentication - PIV_PVTK_OBJ_CARD_AUTH, // Private key for card authentication - PIV_PVTK_OBJ_DS, // Private key for digital signature - PIV_PVTK_OBJ_KM, // Private key for key management - PIV_PVTK_OBJ_RETIRED1, // Private key for retired key 1 - PIV_PVTK_OBJ_RETIRED2, // Private key for retired key 2 - PIV_PVTK_OBJ_RETIRED3, // Private key for retired key 3 - PIV_PVTK_OBJ_RETIRED4, // Private key for retired key 4 - PIV_PVTK_OBJ_RETIRED5, // Private key for retired key 5 - PIV_PVTK_OBJ_RETIRED6, // Private key for retired key 6 - PIV_PVTK_OBJ_RETIRED7, // Private key for retired key 7 - PIV_PVTK_OBJ_RETIRED8, // Private key for retired key 8 - PIV_PVTK_OBJ_RETIRED9, // Private key for retired key 9 - PIV_PVTK_OBJ_RETIRED10, // Private key for retired key 10 - PIV_PVTK_OBJ_RETIRED11, // Private key for retired key 11 - PIV_PVTK_OBJ_RETIRED12, // Private key for retired key 12 - PIV_PVTK_OBJ_RETIRED13, // Private key for retired key 13 - PIV_PVTK_OBJ_RETIRED14, // Private key for retired key 14 - PIV_PVTK_OBJ_RETIRED15, // Private key for retired key 15 - PIV_PVTK_OBJ_RETIRED16, // Private key for retired key 16 - PIV_PVTK_OBJ_RETIRED17, // Private key for retired key 17 - PIV_PVTK_OBJ_RETIRED18, // Private key for retired key 18 - PIV_PVTK_OBJ_RETIRED19, // Private key for retired key 19 - PIV_PVTK_OBJ_RETIRED20, // Private key for retired key 20 - PIV_PVTK_OBJ_LAST, - - PIV_PUBK_OBJ_PIV_AUTH, // Public key for PIV authentication - PIV_PUBK_OBJ_CARD_AUTH, // Public key for card authentication - PIV_PUBK_OBJ_DS, // Public key for digital signature - PIV_PUBK_OBJ_KM, // Public key for key management - PIV_PUBK_OBJ_RETIRED1, // Public key for retired key 1 - PIV_PUBK_OBJ_RETIRED2, // Public key for retired key 2 - PIV_PUBK_OBJ_RETIRED3, // Public key for retired key 3 - PIV_PUBK_OBJ_RETIRED4, // Public key for retired key 4 - PIV_PUBK_OBJ_RETIRED5, // Public key for retired key 5 - PIV_PUBK_OBJ_RETIRED6, // Public key for retired key 6 - PIV_PUBK_OBJ_RETIRED7, // Public key for retired key 7 - PIV_PUBK_OBJ_RETIRED8, // Public key for retired key 8 - PIV_PUBK_OBJ_RETIRED9, // Public key for retired key 9 - PIV_PUBK_OBJ_RETIRED10, // Public key for retired key 10 - PIV_PUBK_OBJ_RETIRED11, // Public key for retired key 11 - PIV_PUBK_OBJ_RETIRED12, // Public key for retired key 12 - PIV_PUBK_OBJ_RETIRED13, // Public key for retired key 13 - PIV_PUBK_OBJ_RETIRED14, // Public key for retired key 14 - PIV_PUBK_OBJ_RETIRED15, // Public key for retired key 15 - PIV_PUBK_OBJ_RETIRED16, // Public key for retired key 16 - PIV_PUBK_OBJ_RETIRED17, // Public key for retired key 17 - PIV_PUBK_OBJ_RETIRED18, // Public key for retired key 18 - PIV_PUBK_OBJ_RETIRED19, // Public key for retired key 19 - PIV_PUBK_OBJ_RETIRED20, // Public key for retired key 20 - PIV_PUBK_OBJ_LAST - -} piv_obj_id_t; - -#define OBJECT_INVALID (PIV_PUBK_OBJ_LAST + 1) - -typedef CK_RV (*get_attr_f)(CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR); - -typedef struct { - const char *oid; - CK_BYTE tag_len; - CK_BYTE tag_value[3]; // TODO: needed? - CK_BYTE containerid[2]; /* will use as relative paths for simulation */ // TODO: needed? -} piv_data_obj_t; - -typedef struct { - X509 *data; -} piv_cert_obj_t; - -typedef struct { // TODO: enough to use the public key for the parameters? - CK_BBOOL decrypt; - CK_BBOOL sign; - CK_BBOOL unwrap; - CK_BBOOL derive; - CK_BBOOL always_auth; -} piv_pvtk_obj_t; - -typedef struct { - EVP_PKEY *data; // TODO: make custom type for this and X509 - CK_BBOOL encrypt; - CK_BBOOL verify; - CK_BBOOL wrap; - CK_BBOOL derive; -} piv_pubk_obj_t; - -typedef struct { - piv_obj_id_t piv_id; // TODO: technically redundant - CK_BBOOL token; // TODO: not used yet - CK_BBOOL private; - CK_BBOOL modifiable; - const char *label; - CK_BBOOL copyable; // TODO: Optional, not used so far (default TRUE) - CK_BBOOL destroyable; // TODO: Optional, not used so far (default TRUE) - get_attr_f get_attribute; - CK_BYTE sub_id; // Sub-object id -} piv_obj_t; - -#endif diff --git a/ykcs11/objects.c b/ykcs11/objects.c deleted file mode 100644 index 1a62f4b..0000000 --- a/ykcs11/objects.c +++ /dev/null @@ -1,1574 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "obj_types.h" -#include "objects.h" -#include -#include -#include -#include "openssl_utils.h" -#include "utils.h" -#include "debug.h" - -#define IS_CERT(x) (((x) >= PIV_CERT_OBJ_X509_PIV_AUTH && (x) < PIV_CERT_OBJ_LAST) ? CK_TRUE : CK_FALSE) - -#define F4 "\x01\x00\x01" // TODO: already define in mechanisms.c. Move -#define PRIME256V1 "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07" // TODO: already define in mechanisms.c. Move - -CK_RV get_doa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); // TODO: static? -CK_RV get_coa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); -CK_RV get_proa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); -CK_RV get_puoa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); - -//TODO: this is mostly a snippet from OpenSC how to give credit? Less and less so now -/* Must be in order, and one per enumerated PIV_OBJ */ -static piv_obj_t piv_objects[] = { - {PIV_DATA_OBJ_X509_PIV_AUTH, 1, 0, 0, "X.509 Certificate for PIV Authentication", 0, 0, get_doa, 0}, - {PIV_DATA_OBJ_X509_CARD_AUTH, 1, 0, 0, "X.509 Certificate for Card Authentication", 0, 0, get_doa, 1}, - {PIV_DATA_OBJ_X509_DS, 1, 0, 0, "X.509 Certificate for Digital Signature", 0, 0, get_doa, 2}, - {PIV_DATA_OBJ_X509_KM, 1, 0, 0, "X.509 Certificate for Key Management", 0, 0, get_doa, 3}, - {PIV_DATA_OBJ_X509_RETIRED1, 1, 0, 0, "X.509 Certificate for Retired Key 1", 0, 0, get_doa, 4}, - {PIV_DATA_OBJ_X509_RETIRED2, 1, 0, 0, "X.509 Certificate for Retired Key 2", 0, 0, get_doa, 5}, - {PIV_DATA_OBJ_X509_RETIRED3, 1, 0, 0, "X.509 Certificate for Retired Key 3", 0, 0, get_doa, 6}, - {PIV_DATA_OBJ_X509_RETIRED4, 1, 0, 0, "X.509 Certificate for Retired Key 4", 0, 0, get_doa, 7}, - {PIV_DATA_OBJ_X509_RETIRED5, 1, 0, 0, "X.509 Certificate for Retired Key 5", 0, 0, get_doa, 8}, - {PIV_DATA_OBJ_X509_RETIRED6, 1, 0, 0, "X.509 Certificate for Retired Key 6", 0, 0, get_doa, 9}, - {PIV_DATA_OBJ_X509_RETIRED7, 1, 0, 0, "X.509 Certificate for Retired Key 7", 0, 0, get_doa, 10}, - {PIV_DATA_OBJ_X509_RETIRED8, 1, 0, 0, "X.509 Certificate for Retired Key 8", 0, 0, get_doa, 11}, - {PIV_DATA_OBJ_X509_RETIRED9, 1, 0, 0, "X.509 Certificate for Retired Key 9", 0, 0, get_doa, 12}, - {PIV_DATA_OBJ_X509_RETIRED10, 1, 0, 0, "X.509 Certificate for Retired Key 10", 0, 0, get_doa, 13}, - {PIV_DATA_OBJ_X509_RETIRED11, 1, 0, 0, "X.509 Certificate for Retired Key 11", 0, 0, get_doa, 14}, - {PIV_DATA_OBJ_X509_RETIRED12, 1, 0, 0, "X.509 Certificate for Retired Key 12", 0, 0, get_doa, 15}, - {PIV_DATA_OBJ_X509_RETIRED13, 1, 0, 0, "X.509 Certificate for Retired Key 13", 0, 0, get_doa, 16}, - {PIV_DATA_OBJ_X509_RETIRED14, 1, 0, 0, "X.509 Certificate for Retired Key 14", 0, 0, get_doa, 17}, - {PIV_DATA_OBJ_X509_RETIRED15, 1, 0, 0, "X.509 Certificate for Retired Key 15", 0, 0, get_doa, 18}, - {PIV_DATA_OBJ_X509_RETIRED16, 1, 0, 0, "X.509 Certificate for Retired Key 16", 0, 0, get_doa, 19}, - {PIV_DATA_OBJ_X509_RETIRED17, 1, 0, 0, "X.509 Certificate for Retired Key 17", 0, 0, get_doa, 20}, - {PIV_DATA_OBJ_X509_RETIRED18, 1, 0, 0, "X.509 Certificate for Retired Key 18", 0, 0, get_doa, 21}, - {PIV_DATA_OBJ_X509_RETIRED19, 1, 0, 0, "X.509 Certificate for Retired Key 19", 0, 0, get_doa, 22}, - {PIV_DATA_OBJ_X509_RETIRED20, 1, 0, 0, "X.509 Certificate for Retired Key 20", 0, 0, get_doa, 23}, - {PIV_DATA_OBJ_CCC, 1, 0, 0, "Card Capability Container", 0, 0, get_doa, 24}, - {PIV_DATA_OBJ_CHUI, 1, 0, 0, "Card Holder Unique Identifier", 0, 0, get_doa, 25}, - {PIV_DATA_OBJ_CHF, 1, 1, 0, "Card Holder Fingerprints", 0, 0, get_doa, 26}, - {PIV_DATA_OBJ_SEC_OBJ, 1, 0, 0, "Security Object", 0, 0, get_doa, 27}, - {PIV_DATA_OBJ_CHFI, 1, 1, 0, "Cardholder Facial Images", 0, 0, get_doa, 28}, - {PIV_DATA_OBJ_PI, 1, 1, 0, "Printed Information", 0, 0, get_doa, 29}, - {PIV_DATA_OBJ_DISCOVERY, 1, 0, 0, "Discovery Object", 0, 0, get_doa, 30}, - {PIV_DATA_OBJ_HISTORY, 1, 0, 0, "Key History Object", 0, 0, get_doa, 31}, - {PIV_DATA_OBJ_IRIS_IMAGE, 1, 1, 0, "Cardholder Iris Images", 0, 0, get_doa, 32}, - {PIV_DATA_OBJ_BITGT, 1, 0, 0, "Biometric Information Templates Group Template", 0, 0, get_doa, 33}, - {PIV_DATA_OBJ_SM_SIGNER, 1, 0, 0, "Secure Messaging Certificate Signer", 0, 0, get_doa, 34}, - {PIV_DATA_OBJ_PC_REF_DATA, 1, 1, 0, "Pairing Code Reference Data Container", 0, 0, get_doa, 35}, - {PIV_DATA_OBJ_LAST, 1, 0, 0, "", 0, 0, NULL, 36}, - - {PIV_CERT_OBJ_X509_PIV_AUTH, 1, 0, 0, "X.509 Certificate for PIV Authentication", 0, 0, get_coa, 0}, - {PIV_CERT_OBJ_X509_CARD_AUTH, 1, 0, 0, "X.509 Certificate for Card Authentication", 0, 0, get_coa, 1}, - {PIV_CERT_OBJ_X509_DS, 1, 0, 0, "X.509 Certificate for Digital Signature", 0, 0, get_coa, 2}, - {PIV_CERT_OBJ_X509_KM, 1, 0, 0, "X.509 Certificate for Key Management", 0, 0, get_coa, 3}, - {PIV_CERT_OBJ_X509_RETIRED1, 1, 0, 0, "X.509 Certificate for Retired Key 1", 0, 0, get_coa, 4}, - {PIV_CERT_OBJ_X509_RETIRED2, 1, 0, 0, "X.509 Certificate for Retired Key 2", 0, 0, get_coa, 5}, - {PIV_CERT_OBJ_X509_RETIRED3, 1, 0, 0, "X.509 Certificate for Retired Key 3", 0, 0, get_coa, 6}, - {PIV_CERT_OBJ_X509_RETIRED4, 1, 0, 0, "X.509 Certificate for Retired Key 4", 0, 0, get_coa, 7}, - {PIV_CERT_OBJ_X509_RETIRED5, 1, 0, 0, "X.509 Certificate for Retired Key 5", 0, 0, get_coa, 8}, - {PIV_CERT_OBJ_X509_RETIRED6, 1, 0, 0, "X.509 Certificate for Retired Key 6", 0, 0, get_coa, 9}, - {PIV_CERT_OBJ_X509_RETIRED7, 1, 0, 0, "X.509 Certificate for Retired Key 7", 0, 0, get_coa, 10}, - {PIV_CERT_OBJ_X509_RETIRED8, 1, 0, 0, "X.509 Certificate for Retired Key 8", 0, 0, get_coa, 11}, - {PIV_CERT_OBJ_X509_RETIRED9, 1, 0, 0, "X.509 Certificate for Retired Key 9", 0, 0, get_coa, 12}, - {PIV_CERT_OBJ_X509_RETIRED10, 1, 0, 0, "X.509 Certificate for Retired Key 10", 0, 0, get_coa, 13}, - {PIV_CERT_OBJ_X509_RETIRED11, 1, 0, 0, "X.509 Certificate for Retired Key 11", 0, 0, get_coa, 14}, - {PIV_CERT_OBJ_X509_RETIRED12, 1, 0, 0, "X.509 Certificate for Retired Key 12", 0, 0, get_coa, 15}, - {PIV_CERT_OBJ_X509_RETIRED13, 1, 0, 0, "X.509 Certificate for Retired Key 13", 0, 0, get_coa, 16}, - {PIV_CERT_OBJ_X509_RETIRED14, 1, 0, 0, "X.509 Certificate for Retired Key 14", 0, 0, get_coa, 17}, - {PIV_CERT_OBJ_X509_RETIRED15, 1, 0, 0, "X.509 Certificate for Retired Key 15", 0, 0, get_coa, 18}, - {PIV_CERT_OBJ_X509_RETIRED16, 1, 0, 0, "X.509 Certificate for Retired Key 16", 0, 0, get_coa, 19}, - {PIV_CERT_OBJ_X509_RETIRED17, 1, 0, 0, "X.509 Certificate for Retired Key 17", 0, 0, get_coa, 20}, - {PIV_CERT_OBJ_X509_RETIRED18, 1, 0, 0, "X.509 Certificate for Retired Key 18", 0, 0, get_coa, 21}, - {PIV_CERT_OBJ_X509_RETIRED19, 1, 0, 0, "X.509 Certificate for Retired Key 19", 0, 0, get_coa, 22}, - {PIV_CERT_OBJ_X509_RETIRED20, 1, 0, 0, "X.509 Certificate for Retired Key 20", 0, 0, get_coa, 23}, - {PIV_CERT_OBJ_LAST, 1, 0, 0, "", 0, 0, NULL, 24}, - - {PIV_PVTK_OBJ_PIV_AUTH, 1, 1, 0, "Private key for PIV Authentication", 0, 0, get_proa, 0}, // 9a - {PIV_PVTK_OBJ_CARD_AUTH, 1, 1, 0, "Private key for Card Authentication", 0, 0, get_proa, 1}, // 9e - {PIV_PVTK_OBJ_DS, 1, 1, 0, "Private key for Digital Signature", 0, 0, get_proa, 2}, // 9c - {PIV_PVTK_OBJ_KM, 1, 1, 0, "Private key for Key Management", 0, 0, get_proa, 3}, // 9d - {PIV_PVTK_OBJ_RETIRED1, 1, 1, 0, "Private key for Retired Key 1", 0, 0, get_proa, 4}, - {PIV_PVTK_OBJ_RETIRED2, 1, 1, 0, "Private key for Retired Key 2", 0, 0, get_proa, 5}, - {PIV_PVTK_OBJ_RETIRED3, 1, 1, 0, "Private key for Retired Key 3", 0, 0, get_proa, 6}, - {PIV_PVTK_OBJ_RETIRED4, 1, 1, 0, "Private key for Retired Key 4", 0, 0, get_proa, 7}, - {PIV_PVTK_OBJ_RETIRED5, 1, 1, 0, "Private key for Retired Key 5", 0, 0, get_proa, 8}, - {PIV_PVTK_OBJ_RETIRED6, 1, 1, 0, "Private key for Retired Key 6", 0, 0, get_proa, 9}, - {PIV_PVTK_OBJ_RETIRED7, 1, 1, 0, "Private key for Retired Key 7", 0, 0, get_proa, 10}, - {PIV_PVTK_OBJ_RETIRED8, 1, 1, 0, "Private key for Retired Key 8", 0, 0, get_proa, 11}, - {PIV_PVTK_OBJ_RETIRED9, 1, 1, 0, "Private key for Retired Key 9", 0, 0, get_proa, 12}, - {PIV_PVTK_OBJ_RETIRED10, 1, 1, 0, "Private key forRretired Key 10", 0, 0, get_proa, 13}, - {PIV_PVTK_OBJ_RETIRED11, 1, 1, 0, "Private key forRretired Key 11", 0, 0, get_proa, 14}, - {PIV_PVTK_OBJ_RETIRED12, 1, 1, 0, "Private key forRretired Key 12", 0, 0, get_proa, 15}, - {PIV_PVTK_OBJ_RETIRED13, 1, 1, 0, "Private key forRretired Key 13", 0, 0, get_proa, 16}, - {PIV_PVTK_OBJ_RETIRED14, 1, 1, 0, "Private key forRretired Key 14", 0, 0, get_proa, 17}, - {PIV_PVTK_OBJ_RETIRED15, 1, 1, 0, "Private key forRretired Key 15", 0, 0, get_proa, 18}, - {PIV_PVTK_OBJ_RETIRED16, 1, 1, 0, "Private key forRretired Key 16", 0, 0, get_proa, 19}, - {PIV_PVTK_OBJ_RETIRED17, 1, 1, 0, "Private key forRretired Key 17", 0, 0, get_proa, 20}, - {PIV_PVTK_OBJ_RETIRED18, 1, 1, 0, "Private key forRretired Key 18", 0, 0, get_proa, 21}, - {PIV_PVTK_OBJ_RETIRED19, 1, 1, 0, "Private key forRretired Key 19", 0, 0, get_proa, 22}, - {PIV_PVTK_OBJ_RETIRED20, 1, 1, 0, "Private key forRretired Key 20", 0, 0, get_proa, 23}, - {PIV_PVTK_OBJ_LAST, 1, 0, 0, "", 0, 0, NULL, 24}, - - {PIV_PUBK_OBJ_PIV_AUTH, 1, 0, 0, "Public key for PIV Authentication", 0, 0, get_puoa, 0}, - {PIV_PUBK_OBJ_CARD_AUTH, 1, 0, 0, "Public key for Card Authentication", 0, 0, get_puoa, 1}, - {PIV_PUBK_OBJ_DS, 1, 0, 0, "Public key for Digital Signature", 0, 0, get_puoa, 2}, - {PIV_PUBK_OBJ_KM, 1, 0, 0, "Public key for Key Management", 0, 0, get_puoa, 3}, - {PIV_PUBK_OBJ_RETIRED1, 1, 0, 0, "Public key for Retired Key 1", 0, 0, get_puoa, 4}, - {PIV_PUBK_OBJ_RETIRED2, 1, 0, 0, "Public key for Retired Key 2", 0, 0, get_puoa, 5}, - {PIV_PUBK_OBJ_RETIRED3, 1, 0, 0, "Public key for Retired Key 3", 0, 0, get_puoa, 6}, - {PIV_PUBK_OBJ_RETIRED4, 1, 0, 0, "Public key for Retired Key 4", 0, 0, get_puoa, 7}, - {PIV_PUBK_OBJ_RETIRED5, 1, 0, 0, "Public key for Retired Key 5", 0, 0, get_puoa, 8}, - {PIV_PUBK_OBJ_RETIRED6, 1, 0, 0, "Public key for Retired Key 6", 0, 0, get_puoa, 9}, - {PIV_PUBK_OBJ_RETIRED7, 1, 0, 0, "Public key for Retired Key 7", 0, 0, get_puoa, 10}, - {PIV_PUBK_OBJ_RETIRED8, 1, 0, 0, "Public key for Retired Key 8", 0, 0, get_puoa, 11}, - {PIV_PUBK_OBJ_RETIRED9, 1, 0, 0, "Public key for Retired Key 9", 0, 0, get_puoa, 12}, - {PIV_PUBK_OBJ_RETIRED10, 1, 0, 0, "Public key for Retired Key 10", 0, 0, get_puoa, 13}, - {PIV_PUBK_OBJ_RETIRED11, 1, 0, 0, "Public key for Retired Key 11", 0, 0, get_puoa, 14}, - {PIV_PUBK_OBJ_RETIRED12, 1, 0, 0, "Public key for Retired Key 12", 0, 0, get_puoa, 15}, - {PIV_PUBK_OBJ_RETIRED13, 1, 0, 0, "Public key for Retired Key 13", 0, 0, get_puoa, 16}, - {PIV_PUBK_OBJ_RETIRED14, 1, 0, 0, "Public key for Retired Key 14", 0, 0, get_puoa, 17}, - {PIV_PUBK_OBJ_RETIRED15, 1, 0, 0, "Public key for Retired Key 15", 0, 0, get_puoa, 18}, - {PIV_PUBK_OBJ_RETIRED16, 1, 0, 0, "Public key for Retired Key 16", 0, 0, get_puoa, 19}, - {PIV_PUBK_OBJ_RETIRED17, 1, 0, 0, "Public key for Retired Key 17", 0, 0, get_puoa, 20}, - {PIV_PUBK_OBJ_RETIRED18, 1, 0, 0, "Public key for Retired Key 18", 0, 0, get_puoa, 21}, - {PIV_PUBK_OBJ_RETIRED19, 1, 0, 0, "Public key for Retired Key 19", 0, 0, get_puoa, 22}, - {PIV_PUBK_OBJ_RETIRED20, 1, 0, 0, "Public key for Retired Key 20", 0, 0, get_puoa, 23}, - {PIV_PUBK_OBJ_LAST, 1, 0, 0, "", 0, 0, NULL, 24} -}; - -static piv_data_obj_t data_objects[] = { - {"2.16.840.1.101.3.7.2.1.1", 3, "\x5F\xC1\x05", "\x01\x01"}, // PIV Authentication - {"2.16.840.1.101.3.7.2.5.0", 3, "\x5F\xC1\x01", "\x05\x00"}, // Card Authentication - {"2.16.840.1.101.3.7.2.1.0", 3, "\x5F\xC1\x0A", "\x01\x00"}, // Digital Signature - {"2.16.840.1.101.3.7.2.1.2", 3, "\x5F\xC1\x0B", "\x01\x02"}, // Key Management - {"2.16.840.1.101.3.7.2.16.1", 3, "\x5F\xC1\x0D", "\x10\x01"}, // Retired Key 1 - {"2.16.840.1.101.3.7.2.16.2", 3, "\x5F\xC1\x0E", "\x10\x02"}, // Retired Key 2 - {"2.16.840.1.101.3.7.2.16.3", 3, "\x5F\xC1\x0F", "\x10\x03"}, // Retired Key 3 - {"2.16.840.1.101.3.7.2.16.4", 3, "\x5F\xC1\x10", "\x10\x04"}, // Retired Key 4 - {"2.16.840.1.101.3.7.2.16.5", 3, "\x5F\xC1\x11", "\x10\x05"}, // Retired Key 5 - {"2.16.840.1.101.3.7.2.16.6", 3, "\x5F\xC1\x12", "\x10\x06"}, // Retired Key 6 - {"2.16.840.1.101.3.7.2.16.7", 3, "\x5F\xC1\x13", "\x10\x07"}, // Retired Key 7 - {"2.16.840.1.101.3.7.2.16.8", 3, "\x5F\xC1\x14", "\x10\x08"}, // Retired Key 8 - {"2.16.840.1.101.3.7.2.16.9", 3, "\x5F\xC1\x15", "\x10\x09"}, // Retired Key 9 - {"2.16.840.1.101.3.7.2.16.10", 3, "\x5F\xC1\x16", "\x10\x0A"}, // Retired Key 10 - {"2.16.840.1.101.3.7.2.16.11", 3, "\x5F\xC1\x17", "\x10\x0B"}, // Retired Key 11 - {"2.16.840.1.101.3.7.2.16.12", 3, "\x5F\xC1\x18", "\x10\x0C"}, // Retired Key 12 - {"2.16.840.1.101.3.7.2.16.13", 3, "\x5F\xC1\x19", "\x10\x0D"}, // Retired Key 13 - {"2.16.840.1.101.3.7.2.16.14", 3, "\x5F\xC1\x1A", "\x10\x0E"}, // Retired Key 14 - {"2.16.840.1.101.3.7.2.16.15", 3, "\x5F\xC1\x1B", "\x10\x0F"}, // Retired Key 15 - {"2.16.840.1.101.3.7.2.16.16", 3, "\x5F\xC1\x1C", "\x10\x10"}, // Retired Key 16 - {"2.16.840.1.101.3.7.2.16.17", 3, "\x5F\xC1\x1D", "\x10\x11"}, // Retired Key 17 - {"2.16.840.1.101.3.7.2.16.18", 3, "\x5F\xC1\x1E", "\x10\x12"}, // Retired Key 18 - {"2.16.840.1.101.3.7.2.16.19", 3, "\x5F\xC1\x1F", "\x10\x13"}, // Retired Key 19 - {"2.16.840.1.101.3.7.2.16.20", 3, "\x5F\xC1\x20", "\x10\x14"}, // Retired Key 20 - {"2.16.840.1.101.3.7.1.219.0", 3, "\x5F\xC1\x07", "\xDB\x00"}, // CCC - {"2.16.840.1.101.3.7.2.48.0", 3, "\x5F\xC1\x02", "\x30\x00"}, // CHUID - {"2.16.840.1.101.3.7.2.96.16", 3, "\x5F\xC1\x03", "\x60\x10"}, // CHFP - {"2.16.840.1.101.3.7.2.144.0", 3, "\x5F\xC1\x06", "\x90\x00"}, // Security Object - {"2.16.840.1.101.3.7.2.96.48", 3, "\x5F\xC1\x08", "\x60\x30"}, // CHFI - {"2.16.840.1.101.3.7.2.48.1", 3, "\x5F\xC1\x09", "\x30\x01"}, // Printed Information - {"2.16.840.1.101.3.7.2.96.80", 1, "\x7E", "\x60\x50"}, // Discovery Object - {"2.16.840.1.101.3.7.2.96.96", 3, "\x5F\xC1\x0C", "\x60\x60"}, // Key History Object - {"2.16.840.1.101.3.7.2.16.21", 3, "\x5F\xC1\x21", "\x10\x15"}, // CHII - {"2.16.840.1.101.3.7.2.16.22", 2, "\x7F\x61", "\x10\x16"}, // Biometric Information - {"2.16.840.1.101.3.7.2.16.23", 3, "\x5F\xC1\x22", "\x10\x17"}, // Secure Messaging Certificate Signer - {"2.16.840.1.101.3.7.2.16.24", 3, "\x5F\xC1\x23", "\x10\x18"}, // Pairing Code Reference Data Container - {"", 0, "", ""} -}; - -static piv_cert_obj_t cert_objects[] = { - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL}, - {NULL} -}; - -static piv_pvtk_obj_t pvtkey_objects[] = { - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0}, - {1, 1, 0, 0, 0} -}; - -static piv_pubk_obj_t pubkey_objects[] = { - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0}, - {NULL, 1, 1, 0, 0} -}; - -// Next two functions based off the code at -// https://github.com/m9aertner/oidConverter/blob/master/oid.c -// TODO: how to give credit? OR JUST STORE THE OID ALREADY ENCODED? -static void make_base128(unsigned long l, int first, CK_BYTE_PTR buf, CK_ULONG_PTR n) { - if (l > 127) - make_base128(l / 128, 0, buf, n); - - l %= 128; - - if (first) - buf[(*n)++] = (CK_BYTE)l; - else - buf[(*n)++] = 0x80 | (CK_BYTE)l; -} - -static CK_RV asn1_encode_oid(CK_CHAR_PTR oid, CK_BYTE_PTR asn1_oid, CK_ULONG_PTR len) { - CK_CHAR_PTR tmp = (CK_BYTE_PTR) strdup((char *)oid); - CK_CHAR_PTR p = tmp; - CK_BYTE_PTR q = NULL; - CK_ULONG n = 0; - CK_BYTE b = 0; - CK_ULONG l = 0; - CK_ULONG nodes; - - if (tmp == NULL) { - return CKR_HOST_MEMORY; - } - - q = p; - *len = 0; - nodes = 1; - while (*p != 0) { - if (*p == '.') - nodes++; - p++; - } - - n = 0; - b = 0; - p = q; - while (n < nodes) { - q = p; - while (*p != 0) { - if (*p == '.') - break; - p++; - } - - if (*p == '.') { - *p = 0; - l = (CK_ULONG) atoi((char *)q); - q = p + 1; - p = q; - } - else { - l = (CK_ULONG) atoi((char *)q); - // q = p; - } - - /* Digit is in l. */ - if (n == 0) - b = 40 * ((CK_BYTE)l); - else if (n == 1) { - b += (CK_BYTE) l; - asn1_oid[(*len)++] = b; - } - else { - make_base128(l, 1, asn1_oid, len); - } - n++; - } - - free(tmp); - - return CKR_OK; -} - -static CK_KEY_TYPE get_key_type(EVP_PKEY *key) { - return do_get_key_type(key); -} - -static CK_ULONG get_modulus_bits(EVP_PKEY *key) { - return do_get_rsa_modulus_length(key); -} - -static CK_RV get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { - return do_get_public_exponent(key, data, len); -} - -static CK_RV get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { - return do_get_modulus(key, data, len); -} - -static CK_RV get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { - return do_get_public_key(key, data, len); -} - -static CK_RV get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { - return do_get_curve_parameters(key, data, len); -} - -static CK_RV get_raw_cert(X509 *cert, CK_BYTE_PTR data, CK_ULONG_PTR len) { - return do_get_raw_cert(cert, data, len); -} - -/* Get data object attribute */ -CK_RV get_doa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { - CK_BYTE_PTR data; - CK_BYTE tmp[64]; - CK_ULONG len = 0; - CK_RV rv; - DBG("For data object %lu, get ", obj); - - switch (template->type) { - case CKA_CLASS: - DBG("CLASS"); - len = 1; - tmp[0] = CKO_DATA; - data = tmp; - break; - - case CKA_TOKEN: - // Technically all these objects are token objects - DBG("TOKEN"); - len = 1; - tmp[0] = piv_objects[obj].token; - data = tmp; - break; - - case CKA_PRIVATE: - DBG("PRIVATE"); - len = 1; - tmp[0] = piv_objects[obj].private; - data = tmp; - break; - - case CKA_LABEL: - DBG("LABEL"); - len = strlen(piv_objects[obj].label) + 1; - data = (CK_BYTE_PTR) piv_objects[obj].label; - break; - - case CKA_APPLICATION: - DBG("APPLICATION"); - len = strlen(piv_objects[obj].label) + 1; - data = (CK_BYTE_PTR) piv_objects[obj].label; - break; - - case CKA_VALUE: // TODO: this can be done with -r and -d|-a - DBG("VALUE TODO!!!"); - return CKR_FUNCTION_FAILED; - - case CKA_OBJECT_ID: // TODO: how about just storing the OID in DER ? - DBG("OID"); - memcpy((char *)tmp, data_objects[piv_objects[obj].sub_id].oid, sizeof(tmp)); - if ((rv = asn1_encode_oid(tmp, tmp, &len)) != CKR_OK) { - return rv; - } - data = tmp; - break; - - case CKA_MODIFIABLE: - DBG("MODIFIABLE"); - len = 1; - tmp[0] = piv_objects[obj].modifiable; - data = tmp; - break; - - default: - DBG("UNKNOWN ATTRIBUTE %lx", template[0].type); - template->ulValueLen = CK_UNAVAILABLE_INFORMATION; - return CKR_ATTRIBUTE_TYPE_INVALID; - } - - /* Just get the length */ - if (template->pValue == NULL_PTR) { - template->ulValueLen = len; - return CKR_OK; - } - - /* Actually get the attribute */ - if (template->ulValueLen < len) - return CKR_BUFFER_TOO_SMALL; - - template->ulValueLen = len; - memcpy(template->pValue, data, len); - - return CKR_OK; - -} - -/* Get certificate object attribute */ -CK_RV get_coa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { - CK_BYTE_PTR data; - CK_BYTE b_tmp[1024]; - CK_ULONG ul_tmp; - CK_ULONG len = 0; - DBG("For certificate object %lu, get ", obj); - - switch (template->type) { - case CKA_CLASS: - DBG("CLASS"); - len = sizeof(CK_ULONG); - ul_tmp = CKO_CERTIFICATE; - data = (CK_BYTE_PTR) &ul_tmp; - break; - - case CKA_TOKEN: - // Technically all these objects are token objects - DBG("TOKEN"); - len = sizeof(CK_BBOOL); - b_tmp[0] = piv_objects[obj].token; - data = b_tmp; - break; - - case CKA_PRIVATE: - DBG("PRIVATE"); - len = sizeof(CK_BBOOL); - b_tmp[0] = piv_objects[obj].private; - data = b_tmp; - break; - - case CKA_LABEL: - DBG("LABEL"); - len = strlen(piv_objects[obj].label) + 1; - data = (CK_BYTE_PTR) piv_objects[obj].label; - break; - - case CKA_VALUE: - DBG("VALUE"); - len = sizeof(b_tmp); - if (get_raw_cert(cert_objects[piv_objects[obj].sub_id].data, b_tmp, &len) != CKR_OK) - return CKR_FUNCTION_FAILED; - data = b_tmp; - break; - - case CKA_CERTIFICATE_TYPE: - DBG("CERTIFICATE TYPE"); - len = sizeof(CK_ULONG); - ul_tmp = CKC_X_509; // Support only X.509 certs - data = (CK_BYTE_PTR) &ul_tmp; - break; - - case CKA_ISSUER: - DBG("ISSUER TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_SERIAL_NUMBER: - DBG("SERIAL NUMBER TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_SUBJECT: - DBG("SUBJECT TODO"); // Required - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_ID: - DBG("ID"); - len = sizeof(CK_BYTE); - b_tmp[0] = piv_objects[obj].sub_id; - data = b_tmp; - break; - - case CKA_START_DATE: - DBG("START DATE TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_END_DATE: - DBG("END DATE TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_MODIFIABLE: - DBG("MODIFIABLE"); - len = sizeof(CK_BBOOL); - b_tmp[0] = piv_objects[obj].modifiable; - data = b_tmp; - break; - - default: // TODO: there are other attributes for a (x509) certificate - DBG("UNKNOWN ATTRIBUTE %lx", template[0].type); - template->ulValueLen = CK_UNAVAILABLE_INFORMATION; - return CKR_ATTRIBUTE_TYPE_INVALID; - } - - /* Just get the length */ - if (template->pValue == NULL_PTR) { - template->ulValueLen = len; - return CKR_OK; - } - - /* Actually get the attribute */ - if (template->ulValueLen < len) - return CKR_BUFFER_TOO_SMALL; - - template->ulValueLen = len; - memcpy(template->pValue, data, len); - - return CKR_OK; - -} - -/* Get private key object attribute */ -CK_RV get_proa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { - CK_BYTE_PTR data; - CK_BYTE b_tmp[1024]; - CK_ULONG ul_tmp; // TODO: fix elsewhere too - CK_ULONG len = 0; - DBG("For private key object %lu, get ", obj); - - switch (template->type) { - case CKA_CLASS: - DBG("CLASS"); - len = sizeof(CK_ULONG); - ul_tmp = CKO_PRIVATE_KEY; - data = (CK_BYTE_PTR) &ul_tmp; - break; - - case CKA_TOKEN: - // Technically all these objects are token objects - DBG("TOKEN"); - len = sizeof(CK_BBOOL); - b_tmp[0] = piv_objects[obj].token; - data = b_tmp; - break; - - case CKA_PRIVATE: - DBG("PRIVATE"); - len = sizeof(CK_BBOOL); - b_tmp[0] = piv_objects[obj].private; - data = b_tmp; - break; - - case CKA_LABEL: - DBG("LABEL"); - len = strlen(piv_objects[obj].label) + 1; - data = (CK_BYTE_PTR) piv_objects[obj].label; - break; - - case CKA_KEY_TYPE: - DBG("KEY TYPE"); - len = sizeof(CK_ULONG); - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - data = (CK_BYTE_PTR) &ul_tmp; - break; - - case CKA_SUBJECT: - DBG("SUBJECT TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_ID: - DBG("ID"); - len = sizeof(CK_BYTE); - ul_tmp = piv_objects[obj].sub_id; - data = (CK_BYTE_PTR) &ul_tmp; - break; - - case CKA_SENSITIVE: - DBG("SENSITIVE TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_DECRYPT: - DBG("DECRYPT"); // Default empy - len = sizeof(CK_BBOOL); - b_tmp[0] = pvtkey_objects[piv_objects[obj].sub_id].decrypt; - data = b_tmp; - break; - - case CKA_UNWRAP: - DBG("UNWRAP"); // Default empty - len = sizeof(CK_BBOOL); - b_tmp[0] = pvtkey_objects[piv_objects[obj].sub_id].unwrap; - data = b_tmp; - break; - - case CKA_SIGN: - DBG("SIGN"); // Default empty - len = sizeof(CK_BBOOL); - b_tmp[0] = pvtkey_objects[piv_objects[obj].sub_id].sign; - data = b_tmp; - break; - - case CKA_SIGN_RECOVER: - DBG("SIGN RECOVER TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_DERIVE: - DBG("DERIVE"); // Default false - len = sizeof(CK_BBOOL); - b_tmp[0] = pvtkey_objects[piv_objects[obj].sub_id].derive; - data = b_tmp; - break; - - case CKA_START_DATE: - DBG("START DATE TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_END_DATE: - DBG("END DATE TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_MODULUS: - DBG("MODULUS"); - len = sizeof(b_tmp); - - // Make sure that this is an RSA key - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_RSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - if (get_modulus(pubkey_objects[piv_objects[obj].sub_id].data, b_tmp, &len) != CKR_OK) - return CKR_FUNCTION_FAILED; - data = b_tmp; - break; - - case CKA_EC_POINT: - DBG("EC_POINT"); - len = sizeof(b_tmp); - - // Make sure that this is an EC key - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_ECDSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - if (get_public_key(pubkey_objects[piv_objects[obj].sub_id].data, b_tmp, &len) != CKR_OK) - return CKR_FUNCTION_FAILED; - data = b_tmp; - break; - - case CKA_EC_PARAMS: - // Here we want the curve parameters (DER encoded OID) - DBG("EC_PARAMS"); - len = sizeof(b_tmp); - - // Make sure that this is an EC key - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_ECDSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - if (get_curve_parameters(pubkey_objects[piv_objects[obj].sub_id].data, b_tmp, &len) != CKR_OK) - return CKR_FUNCTION_FAILED; - - data = b_tmp; - break; - - case CKA_MODULUS_BITS: - DBG("MODULUS BITS"); - len = sizeof(CK_ULONG); - - // Make sure that this is an RSA key - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_RSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - ul_tmp = get_modulus_bits(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == 0) - return CKR_FUNCTION_FAILED; - data = (CK_BYTE_PTR) &ul_tmp; - break; - - case CKA_PUBLIC_EXPONENT: - DBG("PUBLIC EXPONENT"); - len = sizeof(CK_ULONG); - - // Make sure that this is an RSA key - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_RSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - if (get_public_exponent(pubkey_objects[piv_objects[obj].sub_id].data, b_tmp, &len) != CKR_OK) - return CKR_FUNCTION_FAILED; - data = b_tmp; - break; - - /* case CKA_PRIVATE_EXPONENT: */ - /* case CKA_PRIME_1: */ - /* case CKA_PRIME_2: */ - /* case CKA_EXPONENT_1: */ - /* case CKA_EXPONENT_2: */ - /* case CKA_COEFFICIENT: */ - /* case CKA_PRIME: */ - /* case CKA_SUBPRIME: */ - /* case CKA_BASE: */ - /* case CKA_VALUE_BITS: */ - /* case CKA_VALUE_LEN: */ - /* case CKA_EXTRACTABLE: */ - case CKA_LOCAL: - DBG("LOCAL TODO"); // Required - return CKR_ATTRIBUTE_TYPE_INVALID; - - /* case CKA_NEVER_EXTRACTABLE: */ - /*case CKA_ALWAYS_SENSITIVE:*/ - - case CKA_ALWAYS_AUTHENTICATE: - DBG("ALWAYS AUTHENTICATE"); - len = sizeof(CK_BBOOL); - b_tmp[0] = pvtkey_objects[piv_objects[obj].sub_id].always_auth; - data = b_tmp; - break; - - case CKA_MODIFIABLE: - DBG("MODIFIABLE"); - len = sizeof(CK_BBOOL); - b_tmp[0] = piv_objects[obj].modifiable; - data = b_tmp; - break; - - /*case CKA_VENDOR_DEFINED:*/ - default: - DBG("UNKNOWN ATTRIBUTE %lx", template[0].type); // TODO: there are other parameters for public keys, plus there is more if the key is RSA - template->ulValueLen = CK_UNAVAILABLE_INFORMATION; - return CKR_ATTRIBUTE_TYPE_INVALID; - } - - /* Just get the length */ - if (template->pValue == NULL_PTR) { - template->ulValueLen = len; - return CKR_OK; - } - - /* Actually get the attribute */ - if (template->ulValueLen < len) - return CKR_BUFFER_TOO_SMALL; - - template->ulValueLen = len; - memcpy(template->pValue, data, len); - - return CKR_OK; - -} - -/* Get public key object attribute */ -CK_RV get_puoa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { - CK_BYTE_PTR data; - CK_BYTE b_tmp[1024]; - CK_ULONG ul_tmp; - CK_ULONG len = 0; - DBG("For public key object %lu, get ", obj); - - switch (template->type) { - case CKA_CLASS: - DBG("CLASS"); - len = sizeof(CK_ULONG); - ul_tmp = CKO_PUBLIC_KEY; - data = (CK_BYTE_PTR) &ul_tmp; - break; - - case CKA_TOKEN: - // Technically all these objects are token objects - DBG("TOKEN"); - len = sizeof(CK_BBOOL); - b_tmp[0] = piv_objects[obj].token; - data = b_tmp; - break; - - case CKA_PRIVATE: - DBG("PRIVATE"); - len = sizeof(CK_BBOOL); - b_tmp[0] = piv_objects[obj].private; - data = b_tmp; - break; - - case CKA_LABEL: - DBG("LABEL"); - len = strlen(piv_objects[obj].label) + 1; - data = (CK_BYTE_PTR) piv_objects[obj].label; - break; - - case CKA_KEY_TYPE: - DBG("KEY TYPE"); - len = sizeof(CK_ULONG); - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); - if (ul_tmp == CKK_VENDOR_DEFINED) // This value is used as an error here - return CKR_FUNCTION_FAILED; - data = (CK_BYTE_PTR) &ul_tmp; - break; - - case CKA_SUBJECT: - DBG("SUBJECT TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_ID: - DBG("ID"); - len = sizeof(CK_BYTE); - b_tmp[0] = piv_objects[obj].sub_id; - data = b_tmp; - break; - - case CKA_ENCRYPT: - DBG("ENCRYPT"); - len = sizeof(CK_BBOOL); - b_tmp[0] = pubkey_objects[piv_objects[obj].sub_id].encrypt; - data = b_tmp; - break; - - case CKA_VERIFY: // TODO: what about verify recover ? - DBG("VERIFY"); - len = sizeof(CK_BBOOL); - b_tmp[0] = pubkey_objects[piv_objects[obj].sub_id].verify; - data = b_tmp; - break; - - case CKA_WRAP: - DBG("WRAP"); - len = sizeof(CK_BBOOL); - b_tmp[0] = pubkey_objects[piv_objects[obj].sub_id].wrap; - data = b_tmp; - break; - - case CKA_DERIVE: - DBG("DERIVE"); - len = sizeof(CK_BBOOL); - b_tmp[0] = pubkey_objects[piv_objects[obj].sub_id].derive; - data = b_tmp; - break; - - case CKA_START_DATE: - DBG("START DATE TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_END_DATE: - DBG("END DATE TODO"); // Default empty - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_EC_POINT: - DBG("EC_POINT"); - len = sizeof(b_tmp); - - // Make sure that this is an EC key - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_ECDSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - if (get_public_key(pubkey_objects[piv_objects[obj].sub_id].data, b_tmp, &len) != CKR_OK) - return CKR_FUNCTION_FAILED; - data = b_tmp; - break; - - case CKA_EC_PARAMS: - // Here we want the curve parameters (DER encoded OID) - DBG("EC_PARAMS"); - len = sizeof(b_tmp); - - // Make sure that this is an EC key - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_ECDSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - if (get_curve_parameters(pubkey_objects[piv_objects[obj].sub_id].data, b_tmp, &len) != CKR_OK) - return CKR_FUNCTION_FAILED; - - data = b_tmp; - break; - - case CKA_MODULUS: - DBG("MODULUS"); - len = sizeof(b_tmp); - - // Make sure that this is an RSA key - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_RSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - if (get_modulus(pubkey_objects[piv_objects[obj].sub_id].data, b_tmp, &len) != CKR_OK) - return CKR_FUNCTION_FAILED; - data = b_tmp; - break; - - case CKA_MODULUS_BITS: - DBG("MODULUS BITS"); - len = sizeof(CK_ULONG); - - // Make sure that this is an RSA key - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_RSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - ul_tmp = get_modulus_bits(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == 0) - return CKR_FUNCTION_FAILED; - data = (CK_BYTE_PTR) &ul_tmp; - break; - - case CKA_PUBLIC_EXPONENT: - DBG("PUBLIC EXPONENT"); - len = sizeof(CK_ULONG); - - // Make sure that this is an RSA key - ul_tmp = get_key_type(pubkey_objects[piv_objects[obj].sub_id].data); // Getting the info from the pubk - if (ul_tmp == CKK_VENDOR_DEFINED) - return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_RSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - if (get_public_exponent(pubkey_objects[piv_objects[obj].sub_id].data, b_tmp, &len) != CKR_OK) - return CKR_FUNCTION_FAILED; - data = b_tmp; - break; - - case CKA_LOCAL: - DBG("LOCAL TODO"); // Required - return CKR_ATTRIBUTE_TYPE_INVALID; - - case CKA_MODIFIABLE: - DBG("MODIFIABLE"); - len = sizeof(CK_BBOOL); - b_tmp[0] = piv_objects[obj].modifiable; - data = b_tmp; - break; - - default: - DBG("UNKNOWN ATTRIBUTE %lx", template[0].type); // TODO: there are other parameters for public keys - template->ulValueLen = CK_UNAVAILABLE_INFORMATION; - return CKR_ATTRIBUTE_TYPE_INVALID; - } - - /* Just get the length */ - if (template->pValue == NULL_PTR) { - template->ulValueLen = len; - return CKR_OK; - } - - /* Actually get the attribute */ - if (template->ulValueLen < len) - return CKR_BUFFER_TOO_SMALL; - - template->ulValueLen = len; - memcpy(template->pValue, data, len); - - return CKR_OK; - -} - -CK_ULONG piv_2_ykpiv(piv_obj_id_t id) { - switch(id) { - case PIV_CERT_OBJ_X509_PIV_AUTH: - return YKPIV_OBJ_AUTHENTICATION; - - case PIV_CERT_OBJ_X509_CARD_AUTH: - return YKPIV_OBJ_CARD_AUTH; - - case PIV_CERT_OBJ_X509_DS: - return YKPIV_OBJ_SIGNATURE; - - case PIV_CERT_OBJ_X509_KM: - return YKPIV_OBJ_KEY_MANAGEMENT; - - case PIV_CERT_OBJ_X509_RETIRED1: - return YKPIV_OBJ_RETIRED1; - - case PIV_CERT_OBJ_X509_RETIRED2: - return YKPIV_OBJ_RETIRED2; - - case PIV_CERT_OBJ_X509_RETIRED3: - return YKPIV_OBJ_RETIRED3; - - case PIV_CERT_OBJ_X509_RETIRED4: - return YKPIV_OBJ_RETIRED4; - - case PIV_CERT_OBJ_X509_RETIRED5: - return YKPIV_OBJ_RETIRED5; - - case PIV_CERT_OBJ_X509_RETIRED6: - return YKPIV_OBJ_RETIRED6; - - case PIV_CERT_OBJ_X509_RETIRED7: - return YKPIV_OBJ_RETIRED7; - - case PIV_CERT_OBJ_X509_RETIRED8: - return YKPIV_OBJ_RETIRED8; - - case PIV_CERT_OBJ_X509_RETIRED9: - return YKPIV_OBJ_RETIRED9; - - case PIV_CERT_OBJ_X509_RETIRED10: - return YKPIV_OBJ_RETIRED10; - - case PIV_CERT_OBJ_X509_RETIRED11: - return YKPIV_OBJ_RETIRED11; - - case PIV_CERT_OBJ_X509_RETIRED12: - return YKPIV_OBJ_RETIRED12; - - case PIV_CERT_OBJ_X509_RETIRED13: - return YKPIV_OBJ_RETIRED13; - - case PIV_CERT_OBJ_X509_RETIRED14: - return YKPIV_OBJ_RETIRED14; - - case PIV_CERT_OBJ_X509_RETIRED15: - return YKPIV_OBJ_RETIRED15; - - case PIV_CERT_OBJ_X509_RETIRED16: - return YKPIV_OBJ_RETIRED16; - - case PIV_CERT_OBJ_X509_RETIRED17: - return YKPIV_OBJ_RETIRED17; - - case PIV_CERT_OBJ_X509_RETIRED18: - return YKPIV_OBJ_RETIRED18; - - case PIV_CERT_OBJ_X509_RETIRED19: - return YKPIV_OBJ_RETIRED19; - - case PIV_CERT_OBJ_X509_RETIRED20: - return YKPIV_OBJ_RETIRED20; - - case PIV_PVTK_OBJ_PIV_AUTH: - return YKPIV_KEY_AUTHENTICATION; - - case PIV_PVTK_OBJ_CARD_AUTH: - return YKPIV_KEY_CARDAUTH; - - case PIV_PVTK_OBJ_DS: - return YKPIV_KEY_SIGNATURE; - - case PIV_PVTK_OBJ_KM: - return YKPIV_KEY_KEYMGM; - - case PIV_PVTK_OBJ_RETIRED1: - return YKPIV_KEY_RETIRED1; - - case PIV_PVTK_OBJ_RETIRED2: - return YKPIV_KEY_RETIRED2; - - case PIV_PVTK_OBJ_RETIRED3: - return YKPIV_KEY_RETIRED3; - - case PIV_PVTK_OBJ_RETIRED4: - return YKPIV_KEY_RETIRED4; - - case PIV_PVTK_OBJ_RETIRED5: - return YKPIV_KEY_RETIRED5; - - case PIV_PVTK_OBJ_RETIRED6: - return YKPIV_KEY_RETIRED6; - - case PIV_PVTK_OBJ_RETIRED7: - return YKPIV_KEY_RETIRED7; - - case PIV_PVTK_OBJ_RETIRED8: - return YKPIV_KEY_RETIRED8; - - case PIV_PVTK_OBJ_RETIRED9: - return YKPIV_KEY_RETIRED9; - - case PIV_PVTK_OBJ_RETIRED10: - return YKPIV_KEY_RETIRED10; - - case PIV_PVTK_OBJ_RETIRED11: - return YKPIV_KEY_RETIRED11; - - case PIV_PVTK_OBJ_RETIRED12: - return YKPIV_KEY_RETIRED12; - - case PIV_PVTK_OBJ_RETIRED13: - return YKPIV_KEY_RETIRED13; - - case PIV_PVTK_OBJ_RETIRED14: - return YKPIV_KEY_RETIRED14; - - case PIV_PVTK_OBJ_RETIRED15: - return YKPIV_KEY_RETIRED15; - - case PIV_PVTK_OBJ_RETIRED16: - return YKPIV_KEY_RETIRED16; - - case PIV_PVTK_OBJ_RETIRED17: - return YKPIV_KEY_RETIRED17; - - case PIV_PVTK_OBJ_RETIRED18: - return YKPIV_KEY_RETIRED18; - - case PIV_PVTK_OBJ_RETIRED19: - return YKPIV_KEY_RETIRED19; - - case PIV_PVTK_OBJ_RETIRED20: - return YKPIV_KEY_RETIRED20; - - default: - return 0ul; - } -} - -CK_RV get_attribute(ykcs11_session_t *s, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { - CK_ULONG i; - - for (i = 0; i < s->slot->token->n_objects; i++) - if (s->slot->token->objects[i] == obj) { - return piv_objects[obj].get_attribute(obj, template); - } - - return CKR_OBJECT_HANDLE_INVALID; -} - -CK_BBOOL attribute_match(ykcs11_session_t *s, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR attribute) { - - CK_ATTRIBUTE to_match; - CK_BYTE_PTR data; - - // Get the size first - to_match.type = attribute->type; - to_match.pValue = NULL; - to_match.ulValueLen = 0; - - if (get_attribute(s, obj, &to_match) != CKR_OK) - return CK_FALSE; - - if (to_match.ulValueLen != attribute->ulValueLen) - return CK_FALSE; - - // Allocate space for the attribute - data = malloc(to_match.ulValueLen); - if (data == NULL) - return CK_FALSE; - - // Retrieve the attribute - to_match.pValue = data; - if (get_attribute(s, obj, &to_match) != CKR_OK) { - free(data); - data = NULL; - return CK_FALSE; - } - - // Compare the attributes - if (memcmp(attribute->pValue, to_match.pValue, to_match.ulValueLen) != 0) { - free(data); - data = NULL; - return CK_FALSE; - } - - free(data); - data = NULL; - - return CK_TRUE; -} - -CK_BBOOL is_private_object(ykcs11_session_t *s, CK_OBJECT_HANDLE obj) { - - CK_ATTRIBUTE attr; - CK_BYTE private; - - attr.type = CKA_PRIVATE; - attr.pValue = &private; - attr.ulValueLen = sizeof(private); - - if (get_attribute(s, obj, &attr) != CKR_OK) - return CK_FALSE; - - return private == CK_FALSE ? CK_FALSE : CK_TRUE; -} - -CK_RV get_available_certificate_ids(ykcs11_session_t *s, piv_obj_id_t *cert_ids, CK_ULONG n_certs) { - CK_ULONG i, j; - - if (n_certs > s->slot->token->n_objects) - return CKR_BUFFER_TOO_SMALL; - - j = 0; - for (i = 0; i < s->slot->token->n_objects; i++) - if (IS_CERT(s->slot->token->objects[i]) == CK_TRUE) - cert_ids[j++] = s->slot->token->objects[i]; - - return CKR_OK; -} - -CK_RV store_cert(piv_obj_id_t cert_id, CK_BYTE_PTR data, CK_ULONG len) { - - CK_RV rv; - - // Store the certificate as an object - rv = do_store_cert(data, len, &cert_objects[piv_objects[cert_id].sub_id].data); - if (rv != CKR_OK) - return rv; - - // Extract and store the public key as an object - rv = do_store_pubk(cert_objects[piv_objects[cert_id].sub_id].data, &pubkey_objects[piv_objects[cert_id].sub_id].data); - if (rv != CKR_OK) - return rv; - - return CKR_OK; -} - -CK_RV delete_cert(piv_obj_id_t cert_id) { - CK_RV rv; - - // Clear the object containing the certificate - rv = do_delete_cert(&cert_objects[piv_objects[cert_id].sub_id].data); - if (rv != CKR_OK) - return rv; - - // Clear the object containing the public key - rv = do_delete_pubk(&pubkey_objects[piv_objects[cert_id].sub_id].data); - if (rv != CKR_OK) - return rv; - - return CKR_OK; -} - -CK_RV check_create_cert(CK_ATTRIBUTE_PTR templ, CK_ULONG n, - CK_BYTE_PTR id, CK_BYTE_PTR *value, CK_ULONG_PTR cert_len) { - - CK_ULONG i; - CK_BBOOL has_id = CK_FALSE; - CK_BBOOL has_value = CK_FALSE; - - for (i = 0; i < n; i++) { - switch (templ[i].type) { - case CKA_CLASS: - // Technically redundant check - if (*((CK_ULONG_PTR)templ[i].pValue) != CKO_CERTIFICATE) - return CKR_ATTRIBUTE_VALUE_INVALID; - - break; - - case CKA_ID: - has_id = CK_TRUE; - if (is_valid_key_id(*((CK_BYTE_PTR)templ[i].pValue)) == CK_FALSE) - return CKR_ATTRIBUTE_VALUE_INVALID; - - *id = *((CK_BYTE_PTR)templ[i].pValue); - break; - - case CKA_VALUE: - has_value = CK_TRUE; - *value = (CK_BYTE_PTR)templ[i].pValue; - - *cert_len = templ[i].ulValueLen; - break; - - case CKA_TOKEN: - case CKA_LABEL: - case CKA_SUBJECT: - case CKA_ISSUER: - case CKA_CERTIFICATE_TYPE: - case CKA_PRIVATE: - case CKA_SERIAL_NUMBER: - // Ignore other attributes - break; - - default: - DBG("Invalid %lx", templ[i].type); - return CKR_ATTRIBUTE_TYPE_INVALID; - } - } - - if (has_id == CK_FALSE || - has_value == CK_FALSE) - return CKR_TEMPLATE_INCOMPLETE; - - return CKR_OK; -} - -CK_RV check_create_ec_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id, - CK_BYTE_PTR *value, CK_ULONG_PTR value_len, CK_ULONG_PTR vendor_defined) { - - CK_ULONG i; - CK_BBOOL has_id = CK_FALSE; - CK_BBOOL has_value = CK_FALSE; - CK_BBOOL has_params = CK_FALSE; - - CK_BYTE_PTR ec_params = NULL; - CK_ULONG ec_params_len = 0; - - *vendor_defined = 0; - - for (i = 0; i < n; i++) { - switch (templ[i].type) { - case CKA_CLASS: - if (*((CK_ULONG_PTR)templ[i].pValue) != CKO_PRIVATE_KEY) - return CKR_ATTRIBUTE_VALUE_INVALID; - - break; - - case CKA_KEY_TYPE: - if (*((CK_ULONG_PTR)templ[i].pValue) != CKK_ECDSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - break; - - case CKA_ID: - has_id = CK_TRUE; - if (is_valid_key_id(*((CK_BYTE_PTR)templ[i].pValue)) == CK_FALSE) - return CKR_ATTRIBUTE_VALUE_INVALID; - - *id = *((CK_BYTE_PTR)templ[i].pValue); - break; - - case CKA_VALUE: - has_value = CK_TRUE; - *value = (CK_BYTE_PTR)templ[i].pValue; - *value_len = templ[i].ulValueLen; - break; - - case CKA_EC_PARAMS: - has_params = CK_TRUE; - ec_params = (CK_BYTE_PTR)templ[i].pValue; - ec_params_len = templ[i].ulValueLen; - - break; - - case CKA_VENDOR_DEFINED: - *vendor_defined = *((CK_ULONG_PTR)templ[i].pValue); - break; - - case CKA_TOKEN: - case CKA_LABEL: - case CKA_SUBJECT: - case CKA_SENSITIVE: - case CKA_DERIVE: - // Ignore other attributes - break; - - default: - DBG("Invalid %lx", templ[i].type); - return CKR_ATTRIBUTE_TYPE_INVALID; - } - } - - if (has_id == CK_FALSE || - has_value == CK_FALSE || - has_params == CK_FALSE) - return CKR_TEMPLATE_INCOMPLETE; - - if (*value_len == 32 || *value_len == 31) { - if (ec_params_len != 10 || memcmp(ec_params, PRIME256V1, ec_params_len) != 0) - return CKR_ATTRIBUTE_VALUE_INVALID; - } - else /*if () TODO: P384*/ - return CKR_ATTRIBUTE_VALUE_INVALID; - - return CKR_OK; -} - -CK_RV check_create_rsa_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id, - CK_BYTE_PTR *p, CK_ULONG_PTR p_len, - CK_BYTE_PTR *q, CK_ULONG_PTR q_len, - CK_BYTE_PTR *dp, CK_ULONG_PTR dp_len, - CK_BYTE_PTR *dq, CK_ULONG_PTR dq_len, - CK_BYTE_PTR *qinv, CK_ULONG_PTR qinv_len, - CK_ULONG_PTR vendor_defined) { - - CK_ULONG i; - CK_BBOOL has_id = CK_FALSE; - CK_BBOOL has_e = CK_FALSE; - CK_BBOOL has_p = CK_FALSE; - CK_BBOOL has_q = CK_FALSE; - CK_BBOOL has_dp = CK_FALSE; - CK_BBOOL has_dq = CK_FALSE; - CK_BBOOL has_qinv = CK_FALSE; - - *vendor_defined = 0; - - for (i = 0; i < n; i++) { - switch (templ[i].type) { - case CKA_CLASS: - if (*((CK_ULONG_PTR)templ[i].pValue) != CKO_PRIVATE_KEY) - return CKR_ATTRIBUTE_VALUE_INVALID; - - break; - - case CKA_ID: - has_id = CK_TRUE; - if (is_valid_key_id(*((CK_BYTE_PTR)templ[i].pValue)) == CK_FALSE) - return CKR_ATTRIBUTE_VALUE_INVALID; - - *id = *((CK_BYTE_PTR)templ[i].pValue); - break; - - case CKA_KEY_TYPE: - if (*((CK_ULONG_PTR)templ[i].pValue) != CKK_RSA) - return CKR_ATTRIBUTE_VALUE_INVALID; - - break; - - case CKA_PUBLIC_EXPONENT: - has_e = CK_TRUE; - if (templ[i].ulValueLen != 3 || memcmp((CK_BYTE_PTR)templ[i].pValue, F4, 3) != 0) - return CKR_ATTRIBUTE_VALUE_INVALID; - break; - - case CKA_PRIME_1: - has_p = CK_TRUE; - *p = (CK_BYTE_PTR)templ[i].pValue; - *p_len = templ[i].ulValueLen; - - break; - - case CKA_PRIME_2: - has_q = CK_TRUE; - *q = (CK_BYTE_PTR)templ[i].pValue; - *q_len = templ[i].ulValueLen; - - break; - - case CKA_EXPONENT_1: - has_dp = CK_TRUE; - *dp = (CK_BYTE_PTR)templ[i].pValue; - *dp_len = templ[i].ulValueLen; - - break; - - case CKA_EXPONENT_2: - has_dq = CK_TRUE; - *dq = (CK_BYTE_PTR)templ[i].pValue; - *dq_len = templ[i].ulValueLen; - - break; - - case CKA_COEFFICIENT: - has_qinv = CK_TRUE; - *qinv = (CK_BYTE_PTR)templ[i].pValue; - *qinv_len = templ[i].ulValueLen; - - break; - - case CKA_VENDOR_DEFINED: - *vendor_defined = *((CK_ULONG_PTR)templ[i].pValue); - break; - - case CKA_TOKEN: - case CKA_LABEL: - case CKA_SUBJECT: - case CKA_SENSITIVE: - case CKA_DERIVE: - // Ignore other attributes - break; - - default: - DBG("Invalid %lx", templ[i].type); - return CKR_ATTRIBUTE_TYPE_INVALID; - } - } - - if (has_id == CK_FALSE || - has_e == CK_FALSE || - has_p == CK_FALSE || - has_q == CK_FALSE || - has_dp == CK_FALSE || - has_dq == CK_FALSE || - has_qinv == CK_FALSE) - return CKR_TEMPLATE_INCOMPLETE; - - if (*p_len != 64 && *p_len != 128) - return CKR_ATTRIBUTE_VALUE_INVALID; - - - if (*q_len != *p_len || *dp_len > *p_len || - *dq_len > *p_len || *qinv_len > *p_len) - return CKR_ATTRIBUTE_VALUE_INVALID; - - return CKR_OK; -} - -CK_RV check_delete_cert(CK_OBJECT_HANDLE hObject, CK_BYTE_PTR id) { - - if (hObject < PIV_CERT_OBJ_X509_PIV_AUTH || hObject >= PIV_CERT_OBJ_LAST) - return CKR_FUNCTION_FAILED; - - *id = hObject - PIV_CERT_OBJ_X509_PIV_AUTH; - - return CKR_OK; -} diff --git a/ykcs11/objects.h b/ykcs11/objects.h deleted file mode 100644 index e59c8a0..0000000 --- a/ykcs11/objects.h +++ /dev/null @@ -1,59 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef OBJECTS_H -#define OBJECTS_H - -#include "ykcs11.h" - -CK_ULONG piv_2_ykpiv(piv_obj_id_t id); - -CK_RV get_attribute(ykcs11_session_t *s, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); -CK_BBOOL attribute_match(ykcs11_session_t *s, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR attribute); -CK_BBOOL is_private_object(ykcs11_session_t *s, CK_OBJECT_HANDLE obj); - -CK_RV get_available_certificate_ids(ykcs11_session_t *s, piv_obj_id_t *cert_ids, CK_ULONG n_certs); -CK_RV store_cert(piv_obj_id_t cert_id, CK_BYTE_PTR data, CK_ULONG len); -CK_RV delete_cert(piv_obj_id_t cert_id); - -CK_RV check_create_cert(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id, - CK_BYTE_PTR *value, CK_ULONG_PTR cert_len); -CK_RV check_create_ec_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id, - CK_BYTE_PTR *value, CK_ULONG_PTR value_len, CK_ULONG_PTR vendor_defined); -CK_RV check_create_rsa_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id, - CK_BYTE_PTR *p, CK_ULONG_PTR p_len, - CK_BYTE_PTR *q, CK_ULONG_PTR q_len, - CK_BYTE_PTR *dp, CK_ULONG_PTR dp_len, - CK_BYTE_PTR *dq, CK_ULONG_PTR dq_len, - CK_BYTE_PTR *qinv, CK_ULONG_PTR qinv_len, - CK_ULONG_PTR vendor_defined); -CK_RV check_delete_cert(CK_OBJECT_HANDLE hObject, CK_BYTE_PTR id); - -#endif diff --git a/ykcs11/openssl_types.h b/ykcs11/openssl_types.h deleted file mode 100644 index 08170fc..0000000 --- a/ykcs11/openssl_types.h +++ /dev/null @@ -1,56 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef OPENSSL_TYPES_H -#define OPENSSL_TYPES_H - -#include -#include -#include -#include -#include - -typedef enum { - YKCS11_NO_HASH, - YKCS11_SHA1, - //YKCS11_SHA224, - YKCS11_SHA256, - YKCS11_SHA384, - YKCS11_SHA512, - //YKCS11_RIPEMD128_RSA_PKCS, - //YKCS11_RIPEMD160 -} hash_t; - -typedef EVP_MD_CTX ykcs11_md_ctx_t; -//typedef EVP_PKEY ykcs11_evp_pkey_t; - -typedef RSA ykcs11_rsa_key_t; - -#endif diff --git a/ykcs11/openssl_utils.c b/ykcs11/openssl_utils.c deleted file mode 100644 index ce12351..0000000 --- a/ykcs11/openssl_utils.c +++ /dev/null @@ -1,709 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "openssl_utils.h" -#include -#include "../tool/util.h" // TODO: share this better? -#include "../tool/openssl-compat.h" // TODO: share this better? -#include "debug.h" -#include - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L -# define X509_set_notBefore X509_set1_notBefore -# define X509_set_notAfter X509_set1_notAfter -#endif - -CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert) { - - const unsigned char *p = data; // Mandatory temp variable required by OpenSSL - int cert_len; - - if (*p == 0x70) { - // The certificate is in "PIV" format 0x70 len 0x30 len ... - p++; - p += get_length(p, &cert_len); - } - else { - // Raw certificate 0x30 len ... - cert_len = 0; - cert_len += get_length(p + 1, &cert_len) + 1; - } - - if ((CK_ULONG)cert_len > len) - return CKR_ARGUMENTS_BAD; - - *cert = d2i_X509(NULL, &p, cert_len); - if (*cert == NULL) - return CKR_FUNCTION_FAILED; - - return CKR_OK; - -} - -CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, - CK_BYTE_PTR out, CK_ULONG_PTR out_len) { - - X509 *cert = NULL; - EVP_PKEY *key = NULL; - RSA *rsa = NULL; - BIGNUM *bignum_n = NULL; - BIGNUM *bignum_e = NULL; - BIGNUM *bignum_prv = NULL; - unsigned char zeroes[512] = {0}; - EC_KEY *eck = NULL; - EC_GROUP *ecg = NULL; - EC_POINT *ecp = NULL; - ASN1_TIME *tm = NULL; - - unsigned char *data_ptr; - unsigned char *p; - int len; - - CK_RV rv = CKR_FUNCTION_FAILED; - - cert = X509_new(); - if (cert == NULL) - goto create_empty_cert_cleanup; - - key = EVP_PKEY_new(); - if (key == NULL) - goto create_empty_cert_cleanup; - - if (is_rsa) { - // RSA - rsa = RSA_new(); - if (rsa == NULL) - goto create_empty_cert_cleanup; - - data_ptr = in + 5; - if (*data_ptr != 0x81) - goto create_empty_cert_cleanup; - - data_ptr++; - data_ptr += get_length(data_ptr, &len); - bignum_n = BN_bin2bn(data_ptr, len, NULL); - if(bignum_n == NULL) - goto create_empty_cert_cleanup; - - data_ptr += len; - - if(*data_ptr != 0x82) - goto create_empty_cert_cleanup; - - // OpenSSL 1.1 doesn't allow to set empty signatures - // Use a bogus private key - bignum_prv = BN_bin2bn(zeroes, len, NULL); - if (bignum_prv == NULL) - goto create_empty_cert_cleanup; - - data_ptr++; - data_ptr += get_length(data_ptr, &len); - bignum_e = BN_bin2bn(data_ptr, len, NULL); - if(bignum_e == NULL) - goto create_empty_cert_cleanup; - - if (RSA_set0_key(rsa, bignum_n, bignum_e, bignum_prv) == 0) - goto create_empty_cert_cleanup; - - if (EVP_PKEY_set1_RSA(key, rsa) == 0) - goto create_empty_cert_cleanup; - } - else { - // ECCP256 - data_ptr = in + 3; - - eck = EC_KEY_new(); - if (eck == NULL) - goto create_empty_cert_cleanup; - - ecg = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); - if (ecg == NULL) - goto create_empty_cert_cleanup; - - EC_GROUP_set_asn1_flag(ecg, NID_X9_62_prime256v1); - EC_KEY_set_group(eck, ecg); - ecp = EC_POINT_new(ecg); - - if(*data_ptr++ != 0x86) - goto create_empty_cert_cleanup; - - // The curve point should always be 65 bytes - if (*data_ptr++ != 65) - goto create_empty_cert_cleanup; - - if (EC_POINT_oct2point(ecg, ecp, data_ptr, 65, NULL) == 0) - goto create_empty_cert_cleanup; - - if (EC_KEY_set_public_key(eck, ecp) == 0) - goto create_empty_cert_cleanup; - - // OpenSSL 1.1 doesn't allow to set empty signatures - // Use a bogus private key - bignum_prv = BN_bin2bn(zeroes, 65, NULL); - if (bignum_prv == NULL) - goto create_empty_cert_cleanup; - - if (EC_KEY_set_private_key(eck, bignum_prv) == 0) - goto create_empty_cert_cleanup; - - if (EVP_PKEY_set1_EC_KEY(key, eck) == 0) - goto create_empty_cert_cleanup; - } - - if (X509_set_pubkey(cert, key) == 0) // TODO: there is also X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); - goto create_empty_cert_cleanup; - - tm = ASN1_TIME_new(); - if (tm == NULL) - goto create_empty_cert_cleanup; - - ASN1_TIME_set_string(tm, "000001010000Z"); - X509_set_notBefore(cert, tm); - X509_set_notAfter(cert, tm); - - // Write a bogus signature to make a valid certificate - if (X509_sign(cert, key, EVP_sha1()) == 0) - goto create_empty_cert_cleanup; - - len = i2d_X509(cert, NULL); - if (len < 0) - goto create_empty_cert_cleanup; - - if ((CK_ULONG)len > *out_len) { - rv = CKR_BUFFER_TOO_SMALL; - goto create_empty_cert_cleanup; - } - - p = out; - if ((*out_len = (CK_ULONG) i2d_X509(cert, &p)) == 0) - goto create_empty_cert_cleanup; - - /********************/ - /*BIO *STDout = BIO_new_fp(stderr, BIO_NOCLOSE); - - X509_print_ex(STDout, cert, 0, 0); - - BIO_free(STDout);*/ - /********************/ - - rv = CKR_OK; - -create_empty_cert_cleanup: - - if (tm != NULL) { - ASN1_STRING_free(tm); - tm = NULL; - } - - if (bignum_n != NULL) { - BN_free(bignum_n); - bignum_n = NULL; - } - - if (bignum_e != NULL) { - BN_free(bignum_e); - bignum_e = NULL; - } - - if (bignum_prv != NULL) { - BN_free(bignum_prv); - bignum_prv = NULL; - } - - if (ecp != NULL) { - EC_POINT_free(ecp); - ecp = NULL; - } - - if (ecg != NULL) { - EC_GROUP_free(ecg); - ecg = NULL; - } - - if (eck != NULL) { - EC_KEY_free(eck); - eck = NULL; - } - - if (key != NULL) { - EVP_PKEY_free(key); - key = NULL; - } - - if (cert != NULL) { - X509_free(cert); - cert = NULL; - } - - return rv; -} - -CK_RV do_check_cert(CK_BYTE_PTR in, CK_ULONG_PTR cert_len) { - - X509 *cert; - const unsigned char *p = in; // Mandatory temp variable required by OpenSSL - int len; - - len = 0; - len += get_length(p + 1, &len) + 1; - - *cert_len = (CK_ULONG) len; - - cert = d2i_X509(NULL, &p, (long) *cert_len); - if (cert == NULL) - return CKR_FUNCTION_FAILED; - - return CKR_OK; -} - -CK_RV do_get_raw_cert(X509 *cert, CK_BYTE_PTR out, CK_ULONG_PTR out_len) { - - CK_BYTE_PTR p; - int len; - - len = i2d_X509(cert, NULL); - - if (len < 0) - return CKR_FUNCTION_FAILED; - - if ((CK_ULONG)len > *out_len) - return CKR_BUFFER_TOO_SMALL; - - p = out; - if ((*out_len = (CK_ULONG) i2d_X509(cert, &p)) == 0) - return CKR_FUNCTION_FAILED; - - return CKR_OK; -} - -CK_RV do_delete_cert(X509 **cert) { - - X509_free(*cert); - cert = NULL; - - return CKR_OK; - -} - -/*CK_RV free_cert(X509 *cert) { - - X509_free((X509 *) cert); - - return CKR_OK; -}*/ - - -CK_RV do_store_pubk(X509 *cert, EVP_PKEY **key) { - - *key = X509_get_pubkey(cert); - - if (*key == NULL) - return CKR_FUNCTION_FAILED; - - return CKR_OK; - -} - -CK_KEY_TYPE do_get_key_type(EVP_PKEY *key) { - - switch (EVP_PKEY_id(key)) { - case EVP_PKEY_RSA: - case EVP_PKEY_RSA2: - return CKK_RSA; - - case EVP_PKEY_EC: - return CKK_ECDSA; - - default: - return CKK_VENDOR_DEFINED; // Actually an error - } -} - -CK_ULONG do_get_rsa_modulus_length(EVP_PKEY *key) { - - CK_ULONG key_len = 0; - RSA *rsa; - - rsa = EVP_PKEY_get1_RSA(key); - if (rsa == NULL) - return 0; - - key_len = (CK_ULONG) (RSA_size(rsa) * 8); // There is also RSA_bits but only in >= 1.1.0 - - RSA_free(rsa); - rsa = NULL; - - return key_len; - -} - -CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { - RSA *rsa; - const BIGNUM *n; - - rsa = EVP_PKEY_get1_RSA(key); - if (rsa == NULL) - return CKR_FUNCTION_FAILED; - - RSA_get0_key(rsa, &n, NULL, NULL); - if ((CK_ULONG)BN_num_bytes(n) > *len) { - RSA_free(rsa); - rsa = NULL; - return CKR_BUFFER_TOO_SMALL; - } - - *len = (CK_ULONG)BN_bn2bin(n, data); - - RSA_free(rsa); - rsa = NULL; - - return CKR_OK; -} - -CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { - - CK_ULONG e = 0; - RSA *rsa; - const BIGNUM *bn_e; - - rsa = EVP_PKEY_get1_RSA(key); - if (rsa == NULL) - return CKR_FUNCTION_FAILED; - - RSA_get0_key(rsa, NULL, &bn_e, NULL); - if ((CK_ULONG)BN_num_bytes(bn_e) > *len) { - RSA_free(rsa); - rsa = NULL; - return CKR_BUFFER_TOO_SMALL; - } - - *len = (CK_ULONG)BN_bn2bin(bn_e, data); - - RSA_free(rsa); - rsa = NULL; - - return e; -} - -/* #include */ -/* #include */ -/* ERR_load_crypto_strings(); */ -/* //SSL_load_error_strings(); */ -/* fprintf(stderr, "ERROR %s\n", ERR_error_string(ERR_get_error(), NULL)); */ -CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { - - RSA *rsa; - unsigned char *p; - - EC_KEY *eck; - const EC_GROUP *ecg; // Alternative solution is to get i2d_PUBKEY and manually offset - const EC_POINT *ecp; - point_conversion_form_t pcf = POINT_CONVERSION_UNCOMPRESSED; - - switch(EVP_PKEY_id(key)) { - case EVP_PKEY_RSA: - case EVP_PKEY_RSA2: - - rsa = EVP_PKEY_get1_RSA(key); - - if ((CK_ULONG)RSA_size(rsa) > *len) { - RSA_free(rsa); - rsa = NULL; - return CKR_BUFFER_TOO_SMALL; - } - - p = data; - - if ((*len = (CK_ULONG) i2d_RSAPublicKey(rsa, &p)) == 0) { - RSA_free(rsa); - rsa = NULL; - return CKR_FUNCTION_FAILED; - } - - // TODO: this is the correct thing to do so that we strip out the exponent - // OTOH we also need a function to get the exponent out with CKA_PUBLIC_EXPONENT - /*BN_bn2bin(rsa->n, data); - *len = 256;*/ - - /* fprintf(stderr, "Public key is: \n"); */ - /* dump_hex(data, *len, stderr, CK_TRUE); */ - - break; - - case EVP_PKEY_EC: - eck = EVP_PKEY_get1_EC_KEY(key); - ecg = EC_KEY_get0_group(eck); - ecp = EC_KEY_get0_public_key(eck); - - // Add the DER structure with length after extracting the point - data[0] = 0x04; - - if ((*len = EC_POINT_point2oct(ecg, ecp, pcf, data + 2, *len - 2, NULL)) == 0) { - EC_KEY_free(eck); - eck = NULL; - return CKR_FUNCTION_FAILED; - } - - data[1] = *len; - - *len += 2; - - EC_KEY_free(eck); - eck = NULL; - - break; - - default: - return CKR_FUNCTION_FAILED; - } - - return CKR_OK; - -} - -CK_RV do_encode_rsa_public_key(ykcs11_rsa_key_t **key, CK_BYTE_PTR modulus, - CK_ULONG mlen, CK_BYTE_PTR exponent, CK_ULONG elen) { - ykcs11_rsa_key_t *k; - BIGNUM *k_n = NULL, *k_e = NULL; - if (modulus == NULL || exponent == NULL) - return CKR_ARGUMENTS_BAD; - - if ((k = RSA_new()) == NULL) - return CKR_HOST_MEMORY; - - if ((k_n = BN_bin2bn(modulus, mlen, NULL)) == NULL) - return CKR_FUNCTION_FAILED; - - if ((k_e = BN_bin2bn(exponent, elen, NULL)) == NULL) - return CKR_FUNCTION_FAILED; - - if (RSA_set0_key(k, k_n, k_e, NULL) == 0) - return CKR_FUNCTION_FAILED; - - *key = k; - return CKR_OK; -} - -CK_RV do_free_rsa_public_key(ykcs11_rsa_key_t *key) { - RSA_free(key); - return CKR_OK; -} - -CK_RV do_get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { - - EC_KEY *eck; - const EC_GROUP *ecg; - unsigned char *p; - - eck = EVP_PKEY_get1_EC_KEY(key); - ecg = EC_KEY_get0_group(eck); - - p = data; - - if ((*len = (CK_ULONG) i2d_ECPKParameters(ecg, &p)) == 0) { - EC_KEY_free(eck); - eck = NULL; - return CKR_FUNCTION_FAILED; - } - - EC_KEY_free(eck); - eck = NULL; - - return CKR_OK; -} - -CK_RV do_delete_pubk(EVP_PKEY **key) { - - EVP_PKEY_free(*key); - key = NULL; - - return CKR_OK; - -} - -/*CK_RV free_key(EVP_PKEY *key) { - - EVP_PKEY_free(key); - - return CKR_OK; - - }*/ - -CK_RV do_pkcs_1_t1(CK_BYTE_PTR in, CK_ULONG in_len, CK_BYTE_PTR out, CK_ULONG_PTR out_len, CK_ULONG key_len) { - unsigned char buffer[512]; - - key_len /= 8; - DBG("Apply padding to %lu bytes and get %lu\n", in_len, key_len); - - // TODO: rand must be seeded first (should be automatic) - if (*out_len < key_len) - return CKR_BUFFER_TOO_SMALL; - - if (RSA_padding_add_PKCS1_type_1(buffer, key_len, in, in_len) == 0) - return CKR_FUNCTION_FAILED; - - memcpy(out, buffer, key_len); - *out_len = key_len; - - return CKR_OK; -} - -CK_RV do_pkcs_1_digest_info(CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) { - - unsigned int len; - CK_RV rv; - - rv = prepare_rsa_signature(in, in_len, out, &len, nid); - if (!rv) - return CKR_FUNCTION_FAILED; - - *out_len = len; - - return CKR_OK; - -} - -CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len, - int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) { - unsigned char em[RSA_size(key)]; - -#if OPENSSL_VERSION_NUMBER < 0x10100000L - OpenSSL_add_all_digests(); -#endif - - DBG("Apply PSS padding to %lu bytes and get %d", in_len, RSA_size(key)); - - // TODO: rand must be seeded first (should be automatic) - if (out != in) - memcpy(out, in, in_len); - - // In case of raw PSS (no hash) this function will fail because OpenSSL requires an MD - if (RSA_padding_add_PKCS1_PSS(key, em, out, EVP_get_digestbynid(nid), -2) == 0) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L - EVP_cleanup(); -#endif - return CKR_FUNCTION_FAILED; - } - - memcpy(out, em, sizeof(em)); - *out_len = (CK_ULONG) sizeof(em); - -#if OPENSSL_VERSION_NUMBER < 0x10100000L - EVP_cleanup(); -#endif - - return CKR_OK; -} - -CK_RV do_md_init(hash_t hash, ykcs11_md_ctx_t **ctx) { - - const EVP_MD *md; - - switch (hash) { - case YKCS11_NO_HASH: - return CKR_FUNCTION_FAILED; - - case YKCS11_SHA1: - md = EVP_sha1(); - break; - - //case YKCS11_SHA224: - - case YKCS11_SHA256: - md = EVP_sha256(); - break; - - case YKCS11_SHA384: - md = EVP_sha384(); - break; - - case YKCS11_SHA512: - md = EVP_sha512(); - break; - - //case YKCS11_RIPEMD128_RSA_PKCS_HASH: - //case YKCS11_RIPEMD160_HASH: - - default: - return CKR_FUNCTION_FAILED; - } - - *ctx = EVP_MD_CTX_create(); - - // The OpenSSL function above never fail - if (EVP_DigestInit_ex(*ctx, md, NULL) == 0) { - EVP_MD_CTX_destroy((EVP_MD_CTX *)*ctx); - return CKR_FUNCTION_FAILED; - } - - return CKR_OK; -} - -CK_RV do_md_update(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR in, CK_ULONG in_len) { - - if (EVP_DigestUpdate(ctx, in, in_len) != 1) { - EVP_MD_CTX_destroy(ctx); - return CKR_FUNCTION_FAILED; - } - - return CKR_OK; - -} - -CK_RV do_md_finalize(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR out, CK_ULONG_PTR out_len, int *nid) { - - int rv; - unsigned int len; - - // Keep track of the md type if requested - if (nid != NULL) - *nid = EVP_MD_CTX_type(ctx); - - // Finalize digest and store result - rv = EVP_DigestFinal_ex(ctx, out, &len); - - // Destroy the md context - EVP_MD_CTX_destroy(ctx); - - // Error if the previous call failed - if (rv != 1) - return CKR_FUNCTION_FAILED; - - *out_len = len; - - return CKR_OK; -} - -CK_RV do_md_cleanup(ykcs11_md_ctx_t *ctx) { - - EVP_MD_CTX_destroy((EVP_MD_CTX *) ctx); - - return CKR_OK; -} diff --git a/ykcs11/openssl_utils.h b/ykcs11/openssl_utils.h deleted file mode 100644 index 08f2e0d..0000000 --- a/ykcs11/openssl_utils.h +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef OPENSSL_UTIL_H -#define OPENSSL_UTIL_H - -/* #include */ -/* #include */ -/* #include */ -/* #include */ - -#include "openssl_types.h" -#include "pkcs11y.h" - -CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert); -CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, - CK_BYTE_PTR out, CK_ULONG_PTR out_len); -CK_RV do_check_cert(CK_BYTE_PTR in, CK_ULONG_PTR cert_len); -CK_RV do_get_raw_cert(X509 *cert, CK_BYTE_PTR out, CK_ULONG_PTR out_len); -CK_RV do_delete_cert(X509 **cert); -//CK_RV free_cert(X509 *cert); - -CK_RV do_store_pubk(X509 *cert, EVP_PKEY **key); -CK_KEY_TYPE do_get_key_type(EVP_PKEY *key); -CK_ULONG do_get_rsa_modulus_length(EVP_PKEY *key); -CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len); -CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len); -CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len); -CK_RV do_get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len); -CK_RV do_delete_pubk(EVP_PKEY **key); -//CK_RV free_key(EVP_PKEY *key); - -CK_RV do_encode_rsa_public_key(ykcs11_rsa_key_t **key, CK_BYTE_PTR modulus, CK_ULONG mlen, CK_BYTE_PTR exponent, CK_ULONG elen); -CK_RV do_free_rsa_public_key(ykcs11_rsa_key_t *key); - -CK_RV do_pkcs_1_t1(CK_BYTE_PTR in, CK_ULONG in_len, CK_BYTE_PTR out, CK_ULONG_PTR out_len, CK_ULONG key_len); -CK_RV do_pkcs_1_digest_info(CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len); - -CK_RV do_pkcs_pss(RSA *key, CK_BYTE_PTR in, CK_ULONG in_len, int nid, - CK_BYTE_PTR out, CK_ULONG_PTR out_len); - -CK_RV do_md_init(hash_t hash, ykcs11_md_ctx_t **ctx); -CK_RV do_md_update(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR in, CK_ULONG in_len); -CK_RV do_md_finalize(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR out, CK_ULONG_PTR out_len, int *nid); -CK_RV do_md_cleanup(ykcs11_md_ctx_t *ctx); - -#endif diff --git a/ykcs11/pkcs11.h b/ykcs11/pkcs11.h deleted file mode 100644 index 80f0201..0000000 --- a/ykcs11/pkcs11.h +++ /dev/null @@ -1,1437 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -/* pkcs11.h - Copyright 2006, 2007 g10 Code GmbH - Copyright 2006 Andreas Jellinghaus - - This file is free software; as a special exception the author gives - unlimited permission to copy and/or distribute it, with or without - modifications, as long as this notice is preserved. - - This file is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY, to the extent permitted by law; without even - the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - PURPOSE. */ - -/* Please submit changes back to the Scute project at - https://www.scute.org/ (or send them to marcus@g10code.com), so that - they can be picked up by other projects from there as well. */ - -/* This file is a modified implementation of the PKCS #11 standard by - RSA Security Inc. It is mostly a drop-in replacement, with the - following change: - - This header file does not require any macro definitions by the user - (like CK_DEFINE_FUNCTION etc). In fact, it defines those macros - for you (if useful, some are missing, let me know if you need - more). - - There is an additional API available that does comply better to the - GNU coding standard. It can be switched on by defining - CRYPTOKI_GNU before including this header file. For this, the - following changes are made to the specification: - - All structure types are changed to a "struct ck_foo" where CK_FOO - is the type name in PKCS #11. - - All non-structure types are changed to ck_foo_t where CK_FOO is the - lowercase version of the type name in PKCS #11. The basic types - (CK_ULONG et al.) are removed without substitute. - - All members of structures are modified in the following way: Type - indication prefixes are removed, and underscore characters are - inserted before words. Then the result is lowercased. - - Note that function names are still in the original case, as they - need for ABI compatibility. - - CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute. Use - . - - If CRYPTOKI_COMPAT is defined before including this header file, - then none of the API changes above take place, and the API is the - one defined by the PKCS #11 standard. */ - -#ifndef PKCS11_H -#define PKCS11_H 1 - -#if defined(__cplusplus) -extern "C" { -#endif - - -/* The version of cryptoki we implement. The revision is changed with - each modification of this file. If you do not use the "official" - version of this file, please consider deleting the revision macro - (you may use a macro with a different name to keep track of your - versions). */ -#define CRYPTOKI_VERSION_MAJOR 2 -#define CRYPTOKI_VERSION_MINOR 20 -#define CRYPTOKI_VERSION_REVISION 6 - - -/* Compatibility interface is default, unless CRYPTOKI_GNU is - given. */ -#ifndef CRYPTOKI_GNU -#ifndef CRYPTOKI_COMPAT -#define CRYPTOKI_COMPAT 1 -#endif -#endif - -/* System dependencies. */ - -#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) - -/* There is a matching pop below. */ -#pragma pack(push, cryptoki, 1) - -#ifdef CRYPTOKI_EXPORTS -#define CK_SPEC __declspec(dllexport) -#else -/* - * Yubico: we're using libtool to declare exports, this - * messes up the build. - * - * #define CK_SPEC __declspec(dllimport) - */ -#define CK_SPEC -#endif - -#else - -#define CK_SPEC - -#endif - -#ifdef CRYPTOKI_COMPAT - /* If we are in compatibility mode, switch all exposed names to the - PKCS #11 variant. There are corresponding #undefs below. */ - -#define ck_flags_t CK_FLAGS -#define ck_version _CK_VERSION - -#define ck_info _CK_INFO -#define cryptoki_version cryptokiVersion -#define manufacturer_id manufacturerID -#define library_description libraryDescription -#define library_version libraryVersion - -#define ck_notification_t CK_NOTIFICATION -#define ck_slot_id_t CK_SLOT_ID - -#define ck_slot_info _CK_SLOT_INFO -#define slot_description slotDescription -#define hardware_version hardwareVersion -#define firmware_version firmwareVersion - -#define ck_token_info _CK_TOKEN_INFO -#define serial_number serialNumber -#define max_session_count ulMaxSessionCount -#define session_count ulSessionCount -#define max_rw_session_count ulMaxRwSessionCount -#define rw_session_count ulRwSessionCount -#define max_pin_len ulMaxPinLen -#define min_pin_len ulMinPinLen -#define total_public_memory ulTotalPublicMemory -#define free_public_memory ulFreePublicMemory -#define total_private_memory ulTotalPrivateMemory -#define free_private_memory ulFreePrivateMemory -#define utc_time utcTime - -#define ck_session_handle_t CK_SESSION_HANDLE -#define ck_user_type_t CK_USER_TYPE -#define ck_state_t CK_STATE - -#define ck_session_info _CK_SESSION_INFO -#define slot_id slotID -#define device_error ulDeviceError - -#define ck_object_handle_t CK_OBJECT_HANDLE -#define ck_object_class_t CK_OBJECT_CLASS -#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE -#define ck_key_type_t CK_KEY_TYPE -#define ck_certificate_type_t CK_CERTIFICATE_TYPE -#define ck_attribute_type_t CK_ATTRIBUTE_TYPE - -#define ck_attribute _CK_ATTRIBUTE -#define value pValue -#define value_len ulValueLen - -#define ck_date _CK_DATE - -#define ck_mechanism_type_t CK_MECHANISM_TYPE - -#define ck_mechanism _CK_MECHANISM -#define parameter pParameter -#define parameter_len ulParameterLen - -#define ck_mechanism_info _CK_MECHANISM_INFO -#define min_key_size ulMinKeySize -#define max_key_size ulMaxKeySize - -#define ck_rv_t CK_RV -#define ck_notify_t CK_NOTIFY - -#define ck_function_list _CK_FUNCTION_LIST - -#define ck_createmutex_t CK_CREATEMUTEX -#define ck_destroymutex_t CK_DESTROYMUTEX -#define ck_lockmutex_t CK_LOCKMUTEX -#define ck_unlockmutex_t CK_UNLOCKMUTEX - -#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS -#define create_mutex CreateMutex -#define destroy_mutex DestroyMutex -#define lock_mutex LockMutex -#define unlock_mutex UnlockMutex -#define reserved pReserved - -#endif /* CRYPTOKI_COMPAT */ - - -typedef unsigned long ck_flags_t; - -struct ck_version -{ - unsigned char major; - unsigned char minor; -}; - - -struct ck_info -{ - struct ck_version cryptoki_version; - unsigned char manufacturer_id[32]; - ck_flags_t flags; - unsigned char library_description[32]; - struct ck_version library_version; -}; - - -typedef unsigned long ck_notification_t; - -#define CKN_SURRENDER (0UL) - - -typedef unsigned long ck_slot_id_t; - - -struct ck_slot_info -{ - unsigned char slot_description[64]; - unsigned char manufacturer_id[32]; - ck_flags_t flags; - struct ck_version hardware_version; - struct ck_version firmware_version; -}; - - -#define CKF_TOKEN_PRESENT (1UL << 0) -#define CKF_REMOVABLE_DEVICE (1UL << 1) -#define CKF_HW_SLOT (1UL << 2) -#define CKF_ARRAY_ATTRIBUTE (1UL << 30) - - -struct ck_token_info -{ - unsigned char label[32]; - unsigned char manufacturer_id[32]; - unsigned char model[16]; - unsigned char serial_number[16]; - ck_flags_t flags; - unsigned long max_session_count; - unsigned long session_count; - unsigned long max_rw_session_count; - unsigned long rw_session_count; - unsigned long max_pin_len; - unsigned long min_pin_len; - unsigned long total_public_memory; - unsigned long free_public_memory; - unsigned long total_private_memory; - unsigned long free_private_memory; - struct ck_version hardware_version; - struct ck_version firmware_version; - unsigned char utc_time[16]; -}; - - -#define CKF_RNG (1UL << 0) -#define CKF_WRITE_PROTECTED (1UL << 1) -#define CKF_LOGIN_REQUIRED (1UL << 2) -#define CKF_USER_PIN_INITIALIZED (1UL << 3) -#define CKF_RESTORE_KEY_NOT_NEEDED (1UL << 5) -#define CKF_CLOCK_ON_TOKEN (1UL << 6) -#define CKF_PROTECTED_AUTHENTICATION_PATH (1UL << 8) -#define CKF_DUAL_CRYPTO_OPERATIONS (1UL << 9) -#define CKF_TOKEN_INITIALIZED (1UL << 10) -#define CKF_SECONDARY_AUTHENTICATION (1UL << 11) -#define CKF_USER_PIN_COUNT_LOW (1UL << 16) -#define CKF_USER_PIN_FINAL_TRY (1UL << 17) -#define CKF_USER_PIN_LOCKED (1UL << 18) -#define CKF_USER_PIN_TO_BE_CHANGED (1UL << 19) -#define CKF_SO_PIN_COUNT_LOW (1UL << 20) -#define CKF_SO_PIN_FINAL_TRY (1UL << 21) -#define CKF_SO_PIN_LOCKED (1UL << 22) -#define CKF_SO_PIN_TO_BE_CHANGED (1UL << 23) - -#define CK_UNAVAILABLE_INFORMATION ((unsigned long) -1) -#define CK_EFFECTIVELY_INFINITE (0UL) - - -typedef unsigned long ck_session_handle_t; - -#define CK_INVALID_HANDLE (0UL) - - -typedef unsigned long ck_user_type_t; - -#define CKU_SO (0UL) -#define CKU_USER (1UL) -#define CKU_CONTEXT_SPECIFIC (2UL) - - -typedef unsigned long ck_state_t; - -#define CKS_RO_PUBLIC_SESSION (0UL) -#define CKS_RO_USER_FUNCTIONS (1UL) -#define CKS_RW_PUBLIC_SESSION (2UL) -#define CKS_RW_USER_FUNCTIONS (3UL) -#define CKS_RW_SO_FUNCTIONS (4UL) - - -struct ck_session_info -{ - ck_slot_id_t slot_id; - ck_state_t state; - ck_flags_t flags; - unsigned long device_error; -}; - -#define CKF_RW_SESSION (1UL << 1) -#define CKF_SERIAL_SESSION (1UL << 2) - - -typedef unsigned long ck_object_handle_t; - - -typedef unsigned long ck_object_class_t; - -#define CKO_DATA (0UL) -#define CKO_CERTIFICATE (1UL) -#define CKO_PUBLIC_KEY (2UL) -#define CKO_PRIVATE_KEY (3UL) -#define CKO_SECRET_KEY (4UL) -#define CKO_HW_FEATURE (5UL) -#define CKO_DOMAIN_PARAMETERS (6UL) -#define CKO_MECHANISM (7UL) -#define CKO_VENDOR_DEFINED (1UL << 31) - - -typedef unsigned long ck_hw_feature_type_t; - -#define CKH_MONOTONIC_COUNTER (1UL) -#define CKH_CLOCK (2UL) -#define CKH_USER_INTERFACE (3UL) -#define CKH_VENDOR_DEFINED (1UL << 31) - - -typedef unsigned long ck_key_type_t; - -#define CKK_RSA (0UL) -#define CKK_DSA (1UL) -#define CKK_DH (2UL) -#define CKK_ECDSA (3UL) -#define CKK_EC (3UL) -#define CKK_X9_42_DH (4UL) -#define CKK_KEA (5UL) -#define CKK_GENERIC_SECRET (0x10UL) -#define CKK_RC2 (0x11UL) -#define CKK_RC4 (0x12UL) -#define CKK_DES (0x13UL) -#define CKK_DES2 (0x14UL) -#define CKK_DES3 (0x15UL) -#define CKK_CAST (0x16UL) -#define CKK_CAST3 (0x17UL) -#define CKK_CAST128 (0x18UL) -#define CKK_RC5 (0x19UL) -#define CKK_IDEA (0x1aUL) -#define CKK_SKIPJACK (0x1bUL) -#define CKK_BATON (0x1cUL) -#define CKK_JUNIPER (0x1dUL) -#define CKK_CDMF (0x1eUL) -#define CKK_AES (0x1fUL) -#define CKK_BLOWFISH (0x20UL) -#define CKK_TWOFISH (0x21UL) -#define CKK_GOSTR3410 (0x30UL) -#define CKK_GOSTR3411 (0x31UL) -#define CKK_GOST28147 (0x32UL) -#define CKK_VENDOR_DEFINED (1UL << 31) - - -typedef unsigned long ck_certificate_type_t; - -#define CKC_X_509 (0UL) -#define CKC_X_509_ATTR_CERT (1UL) -#define CKC_WTLS (2UL) -#define CKC_VENDOR_DEFINED (1UL << 31) - - -typedef unsigned long ck_attribute_type_t; - -#define CKA_CLASS (0UL) -#define CKA_TOKEN (1UL) -#define CKA_PRIVATE (2UL) -#define CKA_LABEL (3UL) -#define CKA_APPLICATION (0x10UL) -#define CKA_VALUE (0x11UL) -#define CKA_OBJECT_ID (0x12UL) -#define CKA_CERTIFICATE_TYPE (0x80UL) -#define CKA_ISSUER (0x81UL) -#define CKA_SERIAL_NUMBER (0x82UL) -#define CKA_AC_ISSUER (0x83UL) -#define CKA_OWNER (0x84UL) -#define CKA_ATTR_TYPES (0x85UL) -#define CKA_TRUSTED (0x86UL) -#define CKA_CERTIFICATE_CATEGORY (0x87UL) -#define CKA_JAVA_MIDP_SECURITY_DOMAIN (0x88UL) -#define CKA_URL (0x89UL) -#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8aUL) -#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8bUL) -#define CKA_CHECK_VALUE (0x90UL) -#define CKA_KEY_TYPE (0x100UL) -#define CKA_SUBJECT (0x101UL) -#define CKA_ID (0x102UL) -#define CKA_SENSITIVE (0x103UL) -#define CKA_ENCRYPT (0x104UL) -#define CKA_DECRYPT (0x105UL) -#define CKA_WRAP (0x106UL) -#define CKA_UNWRAP (0x107UL) -#define CKA_SIGN (0x108UL) -#define CKA_SIGN_RECOVER (0x109UL) -#define CKA_VERIFY (0x10aUL) -#define CKA_VERIFY_RECOVER (0x10bUL) -#define CKA_DERIVE (0x10cUL) -#define CKA_START_DATE (0x110UL) -#define CKA_END_DATE (0x111UL) -#define CKA_MODULUS (0x120UL) -#define CKA_MODULUS_BITS (0x121UL) -#define CKA_PUBLIC_EXPONENT (0x122UL) -#define CKA_PRIVATE_EXPONENT (0x123UL) -#define CKA_PRIME_1 (0x124UL) -#define CKA_PRIME_2 (0x125UL) -#define CKA_EXPONENT_1 (0x126UL) -#define CKA_EXPONENT_2 (0x127UL) -#define CKA_COEFFICIENT (0x128UL) -#define CKA_PRIME (0x130UL) -#define CKA_SUBPRIME (0x131UL) -#define CKA_BASE (0x132UL) -#define CKA_PRIME_BITS (0x133UL) -#define CKA_SUB_PRIME_BITS (0x134UL) -#define CKA_VALUE_BITS (0x160UL) -#define CKA_VALUE_LEN (0x161UL) -#define CKA_EXTRACTABLE (0x162UL) -#define CKA_LOCAL (0x163UL) -#define CKA_NEVER_EXTRACTABLE (0x164UL) -#define CKA_ALWAYS_SENSITIVE (0x165UL) -#define CKA_KEY_GEN_MECHANISM (0x166UL) -#define CKA_MODIFIABLE (0x170UL) -#define CKA_ECDSA_PARAMS (0x180UL) -#define CKA_EC_PARAMS (0x180UL) -#define CKA_EC_POINT (0x181UL) -#define CKA_SECONDARY_AUTH (0x200UL) -#define CKA_AUTH_PIN_FLAGS (0x201UL) -#define CKA_ALWAYS_AUTHENTICATE (0x202UL) -#define CKA_WRAP_WITH_TRUSTED (0x210UL) -#define CKA_GOSTR3410_PARAMS (0x250UL) -#define CKA_GOSTR3411_PARAMS (0x251UL) -#define CKA_GOST28147_PARAMS (0x252UL) -#define CKA_HW_FEATURE_TYPE (0x300UL) -#define CKA_RESET_ON_INIT (0x301UL) -#define CKA_HAS_RESET (0x302UL) -#define CKA_PIXEL_X (0x400UL) -#define CKA_PIXEL_Y (0x401UL) -#define CKA_RESOLUTION (0x402UL) -#define CKA_CHAR_ROWS (0x403UL) -#define CKA_CHAR_COLUMNS (0x404UL) -#define CKA_COLOR (0x405UL) -#define CKA_BITS_PER_PIXEL (0x406UL) -#define CKA_CHAR_SETS (0x480UL) -#define CKA_ENCODING_METHODS (0x481UL) -#define CKA_MIME_TYPES (0x482UL) -#define CKA_MECHANISM_TYPE (0x500UL) -#define CKA_REQUIRED_CMS_ATTRIBUTES (0x501UL) -#define CKA_DEFAULT_CMS_ATTRIBUTES (0x502UL) -#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503UL) -#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211UL) -#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212UL) -#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600UL) -#define CKA_VENDOR_DEFINED (1UL << 31) - - -struct ck_attribute -{ - ck_attribute_type_t type; - void *value; - unsigned long value_len; -}; - - -struct ck_date -{ - unsigned char year[4]; - unsigned char month[2]; - unsigned char day[2]; -}; - - -typedef unsigned long ck_mechanism_type_t; - -#define CKM_RSA_PKCS_KEY_PAIR_GEN (0UL) -#define CKM_RSA_PKCS (1UL) -#define CKM_RSA_9796 (2UL) -#define CKM_RSA_X_509 (3UL) -#define CKM_MD2_RSA_PKCS (4UL) -#define CKM_MD5_RSA_PKCS (5UL) -#define CKM_SHA1_RSA_PKCS (6UL) -#define CKM_RIPEMD128_RSA_PKCS (7UL) -#define CKM_RIPEMD160_RSA_PKCS (8UL) -#define CKM_RSA_PKCS_OAEP (9UL) -#define CKM_RSA_X9_31_KEY_PAIR_GEN (0xaUL) -#define CKM_RSA_X9_31 (0xbUL) -#define CKM_SHA1_RSA_X9_31 (0xcUL) -#define CKM_RSA_PKCS_PSS (0xdUL) -#define CKM_SHA1_RSA_PKCS_PSS (0xeUL) -#define CKM_DSA_KEY_PAIR_GEN (0x10UL) -#define CKM_DSA (0x11UL) -#define CKM_DSA_SHA1 (0x12UL) -#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20UL) -#define CKM_DH_PKCS_DERIVE (0x21UL) -#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30UL) -#define CKM_X9_42_DH_DERIVE (0x31UL) -#define CKM_X9_42_DH_HYBRID_DERIVE (0x32UL) -#define CKM_X9_42_MQV_DERIVE (0x33UL) -#define CKM_SHA256_RSA_PKCS (0x40UL) -#define CKM_SHA384_RSA_PKCS (0x41UL) -#define CKM_SHA512_RSA_PKCS (0x42UL) -#define CKM_SHA256_RSA_PKCS_PSS (0x43UL) -#define CKM_SHA384_RSA_PKCS_PSS (0x44UL) -#define CKM_SHA512_RSA_PKCS_PSS (0x45UL) -#define CKM_RC2_KEY_GEN (0x100UL) -#define CKM_RC2_ECB (0x101UL) -#define CKM_RC2_CBC (0x102UL) -#define CKM_RC2_MAC (0x103UL) -#define CKM_RC2_MAC_GENERAL (0x104UL) -#define CKM_RC2_CBC_PAD (0x105UL) -#define CKM_RC4_KEY_GEN (0x110UL) -#define CKM_RC4 (0x111UL) -#define CKM_DES_KEY_GEN (0x120UL) -#define CKM_DES_ECB (0x121UL) -#define CKM_DES_CBC (0x122UL) -#define CKM_DES_MAC (0x123UL) -#define CKM_DES_MAC_GENERAL (0x124UL) -#define CKM_DES_CBC_PAD (0x125UL) -#define CKM_DES2_KEY_GEN (0x130UL) -#define CKM_DES3_KEY_GEN (0x131UL) -#define CKM_DES3_ECB (0x132UL) -#define CKM_DES3_CBC (0x133UL) -#define CKM_DES3_MAC (0x134UL) -#define CKM_DES3_MAC_GENERAL (0x135UL) -#define CKM_DES3_CBC_PAD (0x136UL) -#define CKM_CDMF_KEY_GEN (0x140UL) -#define CKM_CDMF_ECB (0x141UL) -#define CKM_CDMF_CBC (0x142UL) -#define CKM_CDMF_MAC (0x143UL) -#define CKM_CDMF_MAC_GENERAL (0x144UL) -#define CKM_CDMF_CBC_PAD (0x145UL) -#define CKM_MD2 (0x200UL) -#define CKM_MD2_HMAC (0x201UL) -#define CKM_MD2_HMAC_GENERAL (0x202UL) -#define CKM_MD5 (0x210UL) -#define CKM_MD5_HMAC (0x211UL) -#define CKM_MD5_HMAC_GENERAL (0x212UL) -#define CKM_SHA_1 (0x220UL) -#define CKM_SHA_1_HMAC (0x221UL) -#define CKM_SHA_1_HMAC_GENERAL (0x222UL) -#define CKM_RIPEMD128 (0x230UL) -#define CKM_RIPEMD128_HMAC (0x231UL) -#define CKM_RIPEMD128_HMAC_GENERAL (0x232UL) -#define CKM_RIPEMD160 (0x240UL) -#define CKM_RIPEMD160_HMAC (0x241UL) -#define CKM_RIPEMD160_HMAC_GENERAL (0x242UL) -#define CKM_SHA256 (0x250UL) -#define CKM_SHA256_HMAC (0x251UL) -#define CKM_SHA256_HMAC_GENERAL (0x252UL) -#define CKM_SHA384 (0x260UL) -#define CKM_SHA384_HMAC (0x261UL) -#define CKM_SHA384_HMAC_GENERAL (0x262UL) -#define CKM_SHA512 (0x270UL) -#define CKM_SHA512_HMAC (0x271UL) -#define CKM_SHA512_HMAC_GENERAL (0x272UL) -#define CKM_CAST_KEY_GEN (0x300UL) -#define CKM_CAST_ECB (0x301UL) -#define CKM_CAST_CBC (0x302UL) -#define CKM_CAST_MAC (0x303UL) -#define CKM_CAST_MAC_GENERAL (0x304UL) -#define CKM_CAST_CBC_PAD (0x305UL) -#define CKM_CAST3_KEY_GEN (0x310UL) -#define CKM_CAST3_ECB (0x311UL) -#define CKM_CAST3_CBC (0x312UL) -#define CKM_CAST3_MAC (0x313UL) -#define CKM_CAST3_MAC_GENERAL (0x314UL) -#define CKM_CAST3_CBC_PAD (0x315UL) -#define CKM_CAST5_KEY_GEN (0x320UL) -#define CKM_CAST128_KEY_GEN (0x320UL) -#define CKM_CAST5_ECB (0x321UL) -#define CKM_CAST128_ECB (0x321UL) -#define CKM_CAST5_CBC (0x322UL) -#define CKM_CAST128_CBC (0x322UL) -#define CKM_CAST5_MAC (0x323UL) -#define CKM_CAST128_MAC (0x323UL) -#define CKM_CAST5_MAC_GENERAL (0x324UL) -#define CKM_CAST128_MAC_GENERAL (0x324UL) -#define CKM_CAST5_CBC_PAD (0x325UL) -#define CKM_CAST128_CBC_PAD (0x325UL) -#define CKM_RC5_KEY_GEN (0x330UL) -#define CKM_RC5_ECB (0x331UL) -#define CKM_RC5_CBC (0x332UL) -#define CKM_RC5_MAC (0x333UL) -#define CKM_RC5_MAC_GENERAL (0x334UL) -#define CKM_RC5_CBC_PAD (0x335UL) -#define CKM_IDEA_KEY_GEN (0x340UL) -#define CKM_IDEA_ECB (0x341UL) -#define CKM_IDEA_CBC (0x342UL) -#define CKM_IDEA_MAC (0x343UL) -#define CKM_IDEA_MAC_GENERAL (0x344UL) -#define CKM_IDEA_CBC_PAD (0x345UL) -#define CKM_GENERIC_SECRET_KEY_GEN (0x350UL) -#define CKM_CONCATENATE_BASE_AND_KEY (0x360UL) -#define CKM_CONCATENATE_BASE_AND_DATA (0x362UL) -#define CKM_CONCATENATE_DATA_AND_BASE (0x363UL) -#define CKM_XOR_BASE_AND_DATA (0x364UL) -#define CKM_EXTRACT_KEY_FROM_KEY (0x365UL) -#define CKM_SSL3_PRE_MASTER_KEY_GEN (0x370UL) -#define CKM_SSL3_MASTER_KEY_DERIVE (0x371UL) -#define CKM_SSL3_KEY_AND_MAC_DERIVE (0x372UL) -#define CKM_SSL3_MASTER_KEY_DERIVE_DH (0x373UL) -#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374UL) -#define CKM_TLS_MASTER_KEY_DERIVE (0x375UL) -#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376UL) -#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377UL) -#define CKM_SSL3_MD5_MAC (0x380UL) -#define CKM_SSL3_SHA1_MAC (0x381UL) -#define CKM_MD5_KEY_DERIVATION (0x390UL) -#define CKM_MD2_KEY_DERIVATION (0x391UL) -#define CKM_SHA1_KEY_DERIVATION (0x392UL) -#define CKM_PBE_MD2_DES_CBC (0x3a0UL) -#define CKM_PBE_MD5_DES_CBC (0x3a1UL) -#define CKM_PBE_MD5_CAST_CBC (0x3a2UL) -#define CKM_PBE_MD5_CAST3_CBC (0x3a3UL) -#define CKM_PBE_MD5_CAST5_CBC (0x3a4UL) -#define CKM_PBE_MD5_CAST128_CBC (0x3a4UL) -#define CKM_PBE_SHA1_CAST5_CBC (0x3a5UL) -#define CKM_PBE_SHA1_CAST128_CBC (0x3a5UL) -#define CKM_PBE_SHA1_RC4_128 (0x3a6UL) -#define CKM_PBE_SHA1_RC4_40 (0x3a7UL) -#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8UL) -#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9UL) -#define CKM_PBE_SHA1_RC2_128_CBC (0x3aaUL) -#define CKM_PBE_SHA1_RC2_40_CBC (0x3abUL) -#define CKM_PKCS5_PBKD2 (0x3b0UL) -#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0UL) -#define CKM_KEY_WRAP_LYNKS (0x400UL) -#define CKM_KEY_WRAP_SET_OAEP (0x401UL) -#define CKM_SKIPJACK_KEY_GEN (0x1000UL) -#define CKM_SKIPJACK_ECB64 (0x1001UL) -#define CKM_SKIPJACK_CBC64 (0x1002UL) -#define CKM_SKIPJACK_OFB64 (0x1003UL) -#define CKM_SKIPJACK_CFB64 (0x1004UL) -#define CKM_SKIPJACK_CFB32 (0x1005UL) -#define CKM_SKIPJACK_CFB16 (0x1006UL) -#define CKM_SKIPJACK_CFB8 (0x1007UL) -#define CKM_SKIPJACK_WRAP (0x1008UL) -#define CKM_SKIPJACK_PRIVATE_WRAP (0x1009UL) -#define CKM_SKIPJACK_RELAYX (0x100aUL) -#define CKM_KEA_KEY_PAIR_GEN (0x1010UL) -#define CKM_KEA_KEY_DERIVE (0x1011UL) -#define CKM_FORTEZZA_TIMESTAMP (0x1020UL) -#define CKM_BATON_KEY_GEN (0x1030UL) -#define CKM_BATON_ECB128 (0x1031UL) -#define CKM_BATON_ECB96 (0x1032UL) -#define CKM_BATON_CBC128 (0x1033UL) -#define CKM_BATON_COUNTER (0x1034UL) -#define CKM_BATON_SHUFFLE (0x1035UL) -#define CKM_BATON_WRAP (0x1036UL) -#define CKM_ECDSA_KEY_PAIR_GEN (0x1040UL) -#define CKM_EC_KEY_PAIR_GEN (0x1040UL) -#define CKM_ECDSA (0x1041UL) -#define CKM_ECDSA_SHA1 (0x1042UL) -#define CKM_ECDSA_SHA224 (0x1043UL) -#define CKM_ECDSA_SHA256 (0x1044UL) -#define CKM_ECDSA_SHA384 (0x1045UL) -#define CKM_ECDSA_SHA512 (0x1046UL) -#define CKM_ECDH1_DERIVE (0x1050UL) -#define CKM_ECDH1_COFACTOR_DERIVE (0x1051UL) -#define CKM_ECMQV_DERIVE (0x1052UL) -#define CKM_JUNIPER_KEY_GEN (0x1060UL) -#define CKM_JUNIPER_ECB128 (0x1061UL) -#define CKM_JUNIPER_CBC128 (0x1062UL) -#define CKM_JUNIPER_COUNTER (0x1063UL) -#define CKM_JUNIPER_SHUFFLE (0x1064UL) -#define CKM_JUNIPER_WRAP (0x1065UL) -#define CKM_FASTHASH (0x1070UL) -#define CKM_AES_KEY_GEN (0x1080UL) -#define CKM_AES_ECB (0x1081UL) -#define CKM_AES_CBC (0x1082UL) -#define CKM_AES_MAC (0x1083UL) -#define CKM_AES_MAC_GENERAL (0x1084UL) -#define CKM_AES_CBC_PAD (0x1085UL) -#define CKM_AES_CTR (0x1086UL) -#define CKM_AES_GCM (0x1087UL) -#define CKM_AES_CCM (0x1088UL) -#define CKM_AES_CTS (0x1089UL) -#define CKM_BLOWFISH_KEY_GEN (0x1090UL) -#define CKM_BLOWFISH_CBC (0x1091UL) -#define CKM_TWOFISH_KEY_GEN (0x1092UL) -#define CKM_TWOFISH_CBC (0x1093UL) -#define CKM_GOSTR3410_KEY_PAIR_GEN (0x1200UL) -#define CKM_GOSTR3410 (0x1201UL) -#define CKM_GOSTR3410_WITH_GOSTR3411 (0x1202UL) -#define CKM_GOSTR3410_KEY_WRAP (0x1203UL) -#define CKM_GOSTR3410_DERIVE (0x1204UL) -#define CKM_GOSTR3411 (0x1210UL) -#define CKM_GOSTR3411_HMAC (0x1211UL) -#define CKM_GOST28147_KEY_GEN (0x1220UL) -#define CKM_GOST28147_ECB (0x1221UL) -#define CKM_GOST28147 (0x1222UL) -#define CKM_GOST28147_MAC (0x1223UL) -#define CKM_GOST28147_KEY_WRAP (0x1224UL) - -#define CKM_DSA_PARAMETER_GEN (0x2000UL) -#define CKM_DH_PKCS_PARAMETER_GEN (0x2001UL) -#define CKM_X9_42_DH_PARAMETER_GEN (0x2002UL) -#define CKM_VENDOR_DEFINED (1UL << 31) - - -struct ck_mechanism -{ - ck_mechanism_type_t mechanism; - void *parameter; - unsigned long parameter_len; -}; - - -struct ck_mechanism_info -{ - unsigned long min_key_size; - unsigned long max_key_size; - ck_flags_t flags; -}; - -#define CKF_HW (1UL << 0) -#define CKF_ENCRYPT (1UL << 8) -#define CKF_DECRYPT (1UL << 9) -#define CKF_DIGEST (1UL << 10) -#define CKF_SIGN (1UL << 11) -#define CKF_SIGN_RECOVER (1UL << 12) -#define CKF_VERIFY (1UL << 13) -#define CKF_VERIFY_RECOVER (1UL << 14) -#define CKF_GENERATE (1UL << 15) -#define CKF_GENERATE_KEY_PAIR (1UL << 16) -#define CKF_WRAP (1UL << 17) -#define CKF_UNWRAP (1UL << 18) -#define CKF_DERIVE (1UL << 19) -#define CKF_EXTENSION (1UL << 31) - -#define CKF_EC_F_P (1UL << 20) -#define CKF_EC_F_2M (1UL << 21) -#define CKF_EC_ECPARAMETERS (1UL << 22) -#define CKF_EC_NAMEDCURVE (1UL << 23) -#define CKF_EC_UNCOMPRESS (1UL << 24) -#define CKF_EC_COMPRESS (1UL << 25) - -/* Flags for C_WaitForSlotEvent. */ -#define CKF_DONT_BLOCK (1UL) - -/* Flags for Key derivation */ -#define CKD_NULL (1UL << 0) - -typedef struct CK_ECDH1_DERIVE_PARAMS { - unsigned long kdf; - unsigned long ulSharedDataLen; - unsigned char * pSharedData; - unsigned long ulPublicDataLen; - unsigned char * pPublicData; -} CK_ECDH1_DERIVE_PARAMS; - - -typedef unsigned long ck_rv_t; - - -typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session, - ck_notification_t event, void *application); - -/* Forward reference. */ -struct ck_function_list; - -#define _CK_DECLARE_FUNCTION(name, args) \ -typedef ck_rv_t (*CK_ ## name) args; \ -ck_rv_t CK_SPEC name args - -_CK_DECLARE_FUNCTION (C_Initialize, (void *init_args)); -_CK_DECLARE_FUNCTION (C_Finalize, (void *reserved)); -_CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info *info)); -_CK_DECLARE_FUNCTION (C_GetFunctionList, - (struct ck_function_list **function_list)); - -_CK_DECLARE_FUNCTION (C_GetSlotList, - (unsigned char token_present, ck_slot_id_t *slot_list, - unsigned long *count)); -_CK_DECLARE_FUNCTION (C_GetSlotInfo, - (ck_slot_id_t slot_id, struct ck_slot_info *info)); -_CK_DECLARE_FUNCTION (C_GetTokenInfo, - (ck_slot_id_t slot_id, struct ck_token_info *info)); -_CK_DECLARE_FUNCTION (C_WaitForSlotEvent, - (ck_flags_t flags, ck_slot_id_t *slot, void *reserved)); -_CK_DECLARE_FUNCTION (C_GetMechanismList, - (ck_slot_id_t slot_id, - ck_mechanism_type_t *mechanism_list, - unsigned long *count)); -_CK_DECLARE_FUNCTION (C_GetMechanismInfo, - (ck_slot_id_t slot_id, ck_mechanism_type_t type, - struct ck_mechanism_info *info)); -_CK_DECLARE_FUNCTION (C_InitToken, - (ck_slot_id_t slot_id, unsigned char *pin, - unsigned long pin_len, unsigned char *label)); -_CK_DECLARE_FUNCTION (C_InitPIN, - (ck_session_handle_t session, unsigned char *pin, - unsigned long pin_len)); -_CK_DECLARE_FUNCTION (C_SetPIN, - (ck_session_handle_t session, unsigned char *old_pin, - unsigned long old_len, unsigned char *new_pin, - unsigned long new_len)); - -_CK_DECLARE_FUNCTION (C_OpenSession, - (ck_slot_id_t slot_id, ck_flags_t flags, - void *application, ck_notify_t notify, - ck_session_handle_t *session)); -_CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session)); -_CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id)); -_CK_DECLARE_FUNCTION (C_GetSessionInfo, - (ck_session_handle_t session, - struct ck_session_info *info)); -_CK_DECLARE_FUNCTION (C_GetOperationState, - (ck_session_handle_t session, - unsigned char *operation_state, - unsigned long *operation_state_len)); -_CK_DECLARE_FUNCTION (C_SetOperationState, - (ck_session_handle_t session, - unsigned char *operation_state, - unsigned long operation_state_len, - ck_object_handle_t encryption_key, - ck_object_handle_t authentiation_key)); -_CK_DECLARE_FUNCTION (C_Login, - (ck_session_handle_t session, ck_user_type_t user_type, - unsigned char *pin, unsigned long pin_len)); -_CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session)); - -_CK_DECLARE_FUNCTION (C_CreateObject, - (ck_session_handle_t session, - struct ck_attribute *templ, - unsigned long count, ck_object_handle_t *object)); -_CK_DECLARE_FUNCTION (C_CopyObject, - (ck_session_handle_t session, ck_object_handle_t object, - struct ck_attribute *templ, unsigned long count, - ck_object_handle_t *new_object)); -_CK_DECLARE_FUNCTION (C_DestroyObject, - (ck_session_handle_t session, - ck_object_handle_t object)); -_CK_DECLARE_FUNCTION (C_GetObjectSize, - (ck_session_handle_t session, - ck_object_handle_t object, - unsigned long *size)); -_CK_DECLARE_FUNCTION (C_GetAttributeValue, - (ck_session_handle_t session, - ck_object_handle_t object, - struct ck_attribute *templ, - unsigned long count)); -_CK_DECLARE_FUNCTION (C_SetAttributeValue, - (ck_session_handle_t session, - ck_object_handle_t object, - struct ck_attribute *templ, - unsigned long count)); -_CK_DECLARE_FUNCTION (C_FindObjectsInit, - (ck_session_handle_t session, - struct ck_attribute *templ, - unsigned long count)); -_CK_DECLARE_FUNCTION (C_FindObjects, - (ck_session_handle_t session, - ck_object_handle_t *object, - unsigned long max_object_count, - unsigned long *object_count)); -_CK_DECLARE_FUNCTION (C_FindObjectsFinal, - (ck_session_handle_t session)); - -_CK_DECLARE_FUNCTION (C_EncryptInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t key)); -_CK_DECLARE_FUNCTION (C_Encrypt, - (ck_session_handle_t session, - unsigned char *data, unsigned long data_len, - unsigned char *encrypted_data, - unsigned long *encrypted_data_len)); -_CK_DECLARE_FUNCTION (C_EncryptUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len, - unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); -_CK_DECLARE_FUNCTION (C_EncryptFinal, - (ck_session_handle_t session, - unsigned char *last_encrypted_part, - unsigned long *last_encrypted_part_len)); - -_CK_DECLARE_FUNCTION (C_DecryptInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t key)); -_CK_DECLARE_FUNCTION (C_Decrypt, - (ck_session_handle_t session, - unsigned char *encrypted_data, - unsigned long encrypted_data_len, - unsigned char *data, unsigned long *data_len)); -_CK_DECLARE_FUNCTION (C_DecryptUpdate, - (ck_session_handle_t session, - unsigned char *encrypted_part, - unsigned long encrypted_part_len, - unsigned char *part, unsigned long *part_len)); -_CK_DECLARE_FUNCTION (C_DecryptFinal, - (ck_session_handle_t session, - unsigned char *last_part, - unsigned long *last_part_len)); - -_CK_DECLARE_FUNCTION (C_DigestInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism)); -_CK_DECLARE_FUNCTION (C_Digest, - (ck_session_handle_t session, - unsigned char *data, unsigned long data_len, - unsigned char *digest, - unsigned long *digest_len)); -_CK_DECLARE_FUNCTION (C_DigestUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len)); -_CK_DECLARE_FUNCTION (C_DigestKey, - (ck_session_handle_t session, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION (C_DigestFinal, - (ck_session_handle_t session, - unsigned char *digest, - unsigned long *digest_len)); - -_CK_DECLARE_FUNCTION (C_SignInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t key)); -_CK_DECLARE_FUNCTION (C_Sign, - (ck_session_handle_t session, - unsigned char *data, unsigned long data_len, - unsigned char *signature, - unsigned long *signature_len)); -_CK_DECLARE_FUNCTION (C_SignUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len)); -_CK_DECLARE_FUNCTION (C_SignFinal, - (ck_session_handle_t session, - unsigned char *signature, - unsigned long *signature_len)); -_CK_DECLARE_FUNCTION (C_SignRecoverInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t key)); -_CK_DECLARE_FUNCTION (C_SignRecover, - (ck_session_handle_t session, - unsigned char *data, unsigned long data_len, - unsigned char *signature, - unsigned long *signature_len)); - -_CK_DECLARE_FUNCTION (C_VerifyInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t key)); -_CK_DECLARE_FUNCTION (C_Verify, - (ck_session_handle_t session, - unsigned char *data, unsigned long data_len, - unsigned char *signature, - unsigned long signature_len)); -_CK_DECLARE_FUNCTION (C_VerifyUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len)); -_CK_DECLARE_FUNCTION (C_VerifyFinal, - (ck_session_handle_t session, - unsigned char *signature, - unsigned long signature_len)); -_CK_DECLARE_FUNCTION (C_VerifyRecoverInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t key)); -_CK_DECLARE_FUNCTION (C_VerifyRecover, - (ck_session_handle_t session, - unsigned char *signature, - unsigned long signature_len, - unsigned char *data, - unsigned long *data_len)); - -_CK_DECLARE_FUNCTION (C_DigestEncryptUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len, - unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); -_CK_DECLARE_FUNCTION (C_DecryptDigestUpdate, - (ck_session_handle_t session, - unsigned char *encrypted_part, - unsigned long encrypted_part_len, - unsigned char *part, - unsigned long *part_len)); -_CK_DECLARE_FUNCTION (C_SignEncryptUpdate, - (ck_session_handle_t session, - unsigned char *part, unsigned long part_len, - unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); -_CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate, - (ck_session_handle_t session, - unsigned char *encrypted_part, - unsigned long encrypted_part_len, - unsigned char *part, - unsigned long *part_len)); - -_CK_DECLARE_FUNCTION (C_GenerateKey, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - struct ck_attribute *templ, - unsigned long count, - ck_object_handle_t *key)); -_CK_DECLARE_FUNCTION (C_GenerateKeyPair, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - struct ck_attribute *public_key_template, - unsigned long public_key_attribute_count, - struct ck_attribute *private_key_template, - unsigned long private_key_attribute_count, - ck_object_handle_t *public_key, - ck_object_handle_t *private_key)); -_CK_DECLARE_FUNCTION (C_WrapKey, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t wrapping_key, - ck_object_handle_t key, - unsigned char *wrapped_key, - unsigned long *wrapped_key_len)); -_CK_DECLARE_FUNCTION (C_UnwrapKey, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t unwrapping_key, - unsigned char *wrapped_key, - unsigned long wrapped_key_len, - struct ck_attribute *templ, - unsigned long attribute_count, - ck_object_handle_t *key)); -_CK_DECLARE_FUNCTION (C_DeriveKey, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t base_key, - struct ck_attribute *templ, - unsigned long attribute_count, - ck_object_handle_t *key)); - -_CK_DECLARE_FUNCTION (C_SeedRandom, - (ck_session_handle_t session, unsigned char *seed, - unsigned long seed_len)); -_CK_DECLARE_FUNCTION (C_GenerateRandom, - (ck_session_handle_t session, - unsigned char *random_data, - unsigned long random_len)); - -_CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session)); -_CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session)); - - -struct ck_function_list -{ - struct ck_version version; - CK_C_Initialize C_Initialize; - CK_C_Finalize C_Finalize; - CK_C_GetInfo C_GetInfo; - CK_C_GetFunctionList C_GetFunctionList; - CK_C_GetSlotList C_GetSlotList; - CK_C_GetSlotInfo C_GetSlotInfo; - CK_C_GetTokenInfo C_GetTokenInfo; - CK_C_GetMechanismList C_GetMechanismList; - CK_C_GetMechanismInfo C_GetMechanismInfo; - CK_C_InitToken C_InitToken; - CK_C_InitPIN C_InitPIN; - CK_C_SetPIN C_SetPIN; - CK_C_OpenSession C_OpenSession; - CK_C_CloseSession C_CloseSession; - CK_C_CloseAllSessions C_CloseAllSessions; - CK_C_GetSessionInfo C_GetSessionInfo; - CK_C_GetOperationState C_GetOperationState; - CK_C_SetOperationState C_SetOperationState; - CK_C_Login C_Login; - CK_C_Logout C_Logout; - CK_C_CreateObject C_CreateObject; - CK_C_CopyObject C_CopyObject; - CK_C_DestroyObject C_DestroyObject; - CK_C_GetObjectSize C_GetObjectSize; - CK_C_GetAttributeValue C_GetAttributeValue; - CK_C_SetAttributeValue C_SetAttributeValue; - CK_C_FindObjectsInit C_FindObjectsInit; - CK_C_FindObjects C_FindObjects; - CK_C_FindObjectsFinal C_FindObjectsFinal; - CK_C_EncryptInit C_EncryptInit; - CK_C_Encrypt C_Encrypt; - CK_C_EncryptUpdate C_EncryptUpdate; - CK_C_EncryptFinal C_EncryptFinal; - CK_C_DecryptInit C_DecryptInit; - CK_C_Decrypt C_Decrypt; - CK_C_DecryptUpdate C_DecryptUpdate; - CK_C_DecryptFinal C_DecryptFinal; - CK_C_DigestInit C_DigestInit; - CK_C_Digest C_Digest; - CK_C_DigestUpdate C_DigestUpdate; - CK_C_DigestKey C_DigestKey; - CK_C_DigestFinal C_DigestFinal; - CK_C_SignInit C_SignInit; - CK_C_Sign C_Sign; - CK_C_SignUpdate C_SignUpdate; - CK_C_SignFinal C_SignFinal; - CK_C_SignRecoverInit C_SignRecoverInit; - CK_C_SignRecover C_SignRecover; - CK_C_VerifyInit C_VerifyInit; - CK_C_Verify C_Verify; - CK_C_VerifyUpdate C_VerifyUpdate; - CK_C_VerifyFinal C_VerifyFinal; - CK_C_VerifyRecoverInit C_VerifyRecoverInit; - CK_C_VerifyRecover C_VerifyRecover; - CK_C_DigestEncryptUpdate C_DigestEncryptUpdate; - CK_C_DecryptDigestUpdate C_DecryptDigestUpdate; - CK_C_SignEncryptUpdate C_SignEncryptUpdate; - CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate; - CK_C_GenerateKey C_GenerateKey; - CK_C_GenerateKeyPair C_GenerateKeyPair; - CK_C_WrapKey C_WrapKey; - CK_C_UnwrapKey C_UnwrapKey; - CK_C_DeriveKey C_DeriveKey; - CK_C_SeedRandom C_SeedRandom; - CK_C_GenerateRandom C_GenerateRandom; - CK_C_GetFunctionStatus C_GetFunctionStatus; - CK_C_CancelFunction C_CancelFunction; - CK_C_WaitForSlotEvent C_WaitForSlotEvent; -}; - - -typedef ck_rv_t (*ck_createmutex_t) (void **mutex); -typedef ck_rv_t (*ck_destroymutex_t) (void *mutex); -typedef ck_rv_t (*ck_lockmutex_t) (void *mutex); -typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex); - - -struct ck_c_initialize_args -{ - ck_createmutex_t create_mutex; - ck_destroymutex_t destroy_mutex; - ck_lockmutex_t lock_mutex; - ck_unlockmutex_t unlock_mutex; - ck_flags_t flags; - void *reserved; -}; - - -#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1UL << 0) -#define CKF_OS_LOCKING_OK (1UL << 1) - -#define CKR_OK (0UL) -#define CKR_CANCEL (1UL) -#define CKR_HOST_MEMORY (2UL) -#define CKR_SLOT_ID_INVALID (3UL) -#define CKR_GENERAL_ERROR (5UL) -#define CKR_FUNCTION_FAILED (6UL) -#define CKR_ARGUMENTS_BAD (7UL) -#define CKR_NO_EVENT (8UL) -#define CKR_NEED_TO_CREATE_THREADS (9UL) -#define CKR_CANT_LOCK (0xaUL) -#define CKR_ATTRIBUTE_READ_ONLY (0x10UL) -#define CKR_ATTRIBUTE_SENSITIVE (0x11UL) -#define CKR_ATTRIBUTE_TYPE_INVALID (0x12UL) -#define CKR_ATTRIBUTE_VALUE_INVALID (0x13UL) -#define CKR_DATA_INVALID (0x20UL) -#define CKR_DATA_LEN_RANGE (0x21UL) -#define CKR_DEVICE_ERROR (0x30UL) -#define CKR_DEVICE_MEMORY (0x31UL) -#define CKR_DEVICE_REMOVED (0x32UL) -#define CKR_ENCRYPTED_DATA_INVALID (0x40UL) -#define CKR_ENCRYPTED_DATA_LEN_RANGE (0x41UL) -#define CKR_FUNCTION_CANCELED (0x50UL) -#define CKR_FUNCTION_NOT_PARALLEL (0x51UL) -#define CKR_FUNCTION_NOT_SUPPORTED (0x54UL) -#define CKR_KEY_HANDLE_INVALID (0x60UL) -#define CKR_KEY_SIZE_RANGE (0x62UL) -#define CKR_KEY_TYPE_INCONSISTENT (0x63UL) -#define CKR_KEY_NOT_NEEDED (0x64UL) -#define CKR_KEY_CHANGED (0x65UL) -#define CKR_KEY_NEEDED (0x66UL) -#define CKR_KEY_INDIGESTIBLE (0x67UL) -#define CKR_KEY_FUNCTION_NOT_PERMITTED (0x68UL) -#define CKR_KEY_NOT_WRAPPABLE (0x69UL) -#define CKR_KEY_UNEXTRACTABLE (0x6aUL) -#define CKR_MECHANISM_INVALID (0x70UL) -#define CKR_MECHANISM_PARAM_INVALID (0x71UL) -#define CKR_OBJECT_HANDLE_INVALID (0x82UL) -#define CKR_OPERATION_ACTIVE (0x90UL) -#define CKR_OPERATION_NOT_INITIALIZED (0x91UL) -#define CKR_PIN_INCORRECT (0xa0UL) -#define CKR_PIN_INVALID (0xa1UL) -#define CKR_PIN_LEN_RANGE (0xa2UL) -#define CKR_PIN_EXPIRED (0xa3UL) -#define CKR_PIN_LOCKED (0xa4UL) -#define CKR_SESSION_CLOSED (0xb0UL) -#define CKR_SESSION_COUNT (0xb1UL) -#define CKR_SESSION_HANDLE_INVALID (0xb3UL) -#define CKR_SESSION_PARALLEL_NOT_SUPPORTED (0xb4UL) -#define CKR_SESSION_READ_ONLY (0xb5UL) -#define CKR_SESSION_EXISTS (0xb6UL) -#define CKR_SESSION_READ_ONLY_EXISTS (0xb7UL) -#define CKR_SESSION_READ_WRITE_SO_EXISTS (0xb8UL) -#define CKR_SIGNATURE_INVALID (0xc0UL) -#define CKR_SIGNATURE_LEN_RANGE (0xc1UL) -#define CKR_TEMPLATE_INCOMPLETE (0xd0UL) -#define CKR_TEMPLATE_INCONSISTENT (0xd1UL) -#define CKR_TOKEN_NOT_PRESENT (0xe0UL) -#define CKR_TOKEN_NOT_RECOGNIZED (0xe1UL) -#define CKR_TOKEN_WRITE_PROTECTED (0xe2UL) -#define CKR_UNWRAPPING_KEY_HANDLE_INVALID (0xf0UL) -#define CKR_UNWRAPPING_KEY_SIZE_RANGE (0xf1UL) -#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2UL) -#define CKR_USER_ALREADY_LOGGED_IN (0x100UL) -#define CKR_USER_NOT_LOGGED_IN (0x101UL) -#define CKR_USER_PIN_NOT_INITIALIZED (0x102UL) -#define CKR_USER_TYPE_INVALID (0x103UL) -#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN (0x104UL) -#define CKR_USER_TOO_MANY_TYPES (0x105UL) -#define CKR_WRAPPED_KEY_INVALID (0x110UL) -#define CKR_WRAPPED_KEY_LEN_RANGE (0x112UL) -#define CKR_WRAPPING_KEY_HANDLE_INVALID (0x113UL) -#define CKR_WRAPPING_KEY_SIZE_RANGE (0x114UL) -#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT (0x115UL) -#define CKR_RANDOM_SEED_NOT_SUPPORTED (0x120UL) -#define CKR_RANDOM_NO_RNG (0x121UL) -#define CKR_DOMAIN_PARAMS_INVALID (0x130UL) -#define CKR_BUFFER_TOO_SMALL (0x150UL) -#define CKR_SAVED_STATE_INVALID (0x160UL) -#define CKR_INFORMATION_SENSITIVE (0x170UL) -#define CKR_STATE_UNSAVEABLE (0x180UL) -#define CKR_CRYPTOKI_NOT_INITIALIZED (0x190UL) -#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191UL) -#define CKR_MUTEX_BAD (0x1a0UL) -#define CKR_MUTEX_NOT_LOCKED (0x1a1UL) -#define CKR_FUNCTION_REJECTED (0x200UL) -#define CKR_VENDOR_DEFINED (1UL << 31) - - -/* Compatibility layer. */ - -#ifdef CRYPTOKI_COMPAT - -#undef CK_DEFINE_FUNCTION -#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name - -/* For NULL. */ -#include - -typedef unsigned char CK_BYTE; -typedef unsigned char CK_CHAR; -typedef unsigned char CK_UTF8CHAR; -typedef unsigned char CK_BBOOL; -typedef unsigned long int CK_ULONG; -typedef long int CK_LONG; -typedef CK_BYTE *CK_BYTE_PTR; -typedef CK_CHAR *CK_CHAR_PTR; -typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR; -typedef CK_ULONG *CK_ULONG_PTR; -typedef void *CK_VOID_PTR; -typedef void **CK_VOID_PTR_PTR; -#define CK_FALSE 0 -#define CK_TRUE 1 -#ifndef CK_DISABLE_TRUE_FALSE -#ifndef FALSE -#define FALSE 0 -#endif -#ifndef TRUE -#define TRUE 1 -#endif -#endif - -typedef struct ck_version CK_VERSION; -typedef struct ck_version *CK_VERSION_PTR; - -typedef struct ck_info CK_INFO; -typedef struct ck_info *CK_INFO_PTR; - -typedef ck_slot_id_t *CK_SLOT_ID_PTR; - -typedef struct ck_slot_info CK_SLOT_INFO; -typedef struct ck_slot_info *CK_SLOT_INFO_PTR; - -typedef struct ck_token_info CK_TOKEN_INFO; -typedef struct ck_token_info *CK_TOKEN_INFO_PTR; - -typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR; - -typedef struct ck_session_info CK_SESSION_INFO; -typedef struct ck_session_info *CK_SESSION_INFO_PTR; - -typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR; - -typedef ck_object_class_t *CK_OBJECT_CLASS_PTR; - -typedef struct ck_attribute CK_ATTRIBUTE; -typedef struct ck_attribute *CK_ATTRIBUTE_PTR; - -typedef struct ck_date CK_DATE; -typedef struct ck_date *CK_DATE_PTR; - -typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR; - -typedef struct ck_mechanism CK_MECHANISM; -typedef struct ck_mechanism *CK_MECHANISM_PTR; - -typedef struct ck_mechanism_info CK_MECHANISM_INFO; -typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR; - -typedef struct ck_function_list CK_FUNCTION_LIST; -typedef struct ck_function_list *CK_FUNCTION_LIST_PTR; -typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR; - -typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS; -typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR; - -#define NULL_PTR NULL - -/* Delete the helper macros defined at the top of the file. */ -#undef ck_flags_t -#undef ck_version - -#undef ck_info -#undef cryptoki_version -#undef manufacturer_id -#undef library_description -#undef library_version - -#undef ck_notification_t -#undef ck_slot_id_t - -#undef ck_slot_info -#undef slot_description -#undef hardware_version -#undef firmware_version - -#undef ck_token_info -#undef serial_number -#undef max_session_count -#undef session_count -#undef max_rw_session_count -#undef rw_session_count -#undef max_pin_len -#undef min_pin_len -#undef total_public_memory -#undef free_public_memory -#undef total_private_memory -#undef free_private_memory -#undef utc_time - -#undef ck_session_handle_t -#undef ck_user_type_t -#undef ck_state_t - -#undef ck_session_info -#undef slot_id -#undef device_error - -#undef ck_object_handle_t -#undef ck_object_class_t -#undef ck_hw_feature_type_t -#undef ck_key_type_t -#undef ck_certificate_type_t -#undef ck_attribute_type_t - -#undef ck_attribute -#undef value -#undef value_len - -#undef ck_date - -#undef ck_mechanism_type_t - -#undef ck_mechanism -#undef parameter -#undef parameter_len - -#undef ck_mechanism_info -#undef min_key_size -#undef max_key_size - -#undef ck_rv_t -#undef ck_notify_t - -#undef ck_function_list - -#undef ck_createmutex_t -#undef ck_destroymutex_t -#undef ck_lockmutex_t -#undef ck_unlockmutex_t - -#undef ck_c_initialize_args -#undef create_mutex -#undef destroy_mutex -#undef lock_mutex -#undef unlock_mutex -#undef reserved - -#endif /* CRYPTOKI_COMPAT */ - -/* System dependencies. */ -#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) -#pragma pack(pop, cryptoki) -#endif - -#if defined(__cplusplus) -} -#endif - -#endif /* PKCS11_H */ diff --git a/ykcs11/pkcs11y.h b/ykcs11/pkcs11y.h deleted file mode 100644 index db237ff..0000000 --- a/ykcs11/pkcs11y.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef PKCS11Y_H -#define PKCS11Y_H - -#include "pkcs11.h" - -typedef CK_FLAGS * CK_FLAGS_PTR; - -// YUBICO specific attributes -#define CKA_TOUCH_PIN_DEFAULT 0x00000000U -#define CKA_TOUCH_ALWAYS 0x00000001U -#define CKA_PIN_ONCE 0x00000002U -#define CKA_PIN_ALWAYS 0x00000004U -#define CKA_PIN_NEVER 0x00000008U -#define CKA_TOUCH_NEVER 0x00000016U - -#endif diff --git a/ykcs11/slot_vendors.c b/ykcs11/slot_vendors.c deleted file mode 100644 index f37c939..0000000 --- a/ykcs11/slot_vendors.c +++ /dev/null @@ -1,54 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "slot_vendors.h" -#include "yubico_slot.h" -#include - -slot_vendor_t get_slot_vendor(vendor_id_t vid) { - slot_vendor_t v; - - switch (vid) { - case YUBICO: - v.get_slot_manufacturer = YUBICO_get_slot_manufacturer; - v.get_slot_flags = YUBICO_get_slot_flags; - v.get_slot_version = YUBICO_get_slot_version; - break; - - case UNKNOWN: - default: - v.get_slot_manufacturer = NULL; - v.get_slot_flags = NULL; - v.get_slot_version = NULL; - } - - return v; - -} diff --git a/ykcs11/slot_vendors.h b/ykcs11/slot_vendors.h deleted file mode 100644 index 584b440..0000000 --- a/ykcs11/slot_vendors.h +++ /dev/null @@ -1,50 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef SLOT_VENDORS_H -#define SLOT_VENDORS_H - -#include "pkcs11y.h" -#include "vendor_ids.h" - -typedef CK_RV (*get_s_manufacturer_f)(CK_UTF8CHAR_PTR, CK_ULONG); -typedef CK_RV (*get_s_flags_f)(CK_FLAGS_PTR); -typedef CK_RV (*get_s_version_f)(CK_VERSION_PTR); - - -typedef struct { - get_s_manufacturer_f get_slot_manufacturer; - get_s_flags_f get_slot_flags; - get_s_version_f get_slot_version; -} slot_vendor_t; - -slot_vendor_t get_slot_vendor(vendor_id_t vid); - -#endif diff --git a/ykcs11/tests/Makefile.am b/ykcs11/tests/Makefile.am deleted file mode 100644 index 00f8881..0000000 --- a/ykcs11/tests/Makefile.am +++ /dev/null @@ -1,52 +0,0 @@ -# Copyright (c) 2015-2016 Yubico AB -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -#TESTS_ENVIRONMENT = export VERSION=$(PACKAGE_VERSION); export EXEEXT=$(EXEEXT); - -#LOG_COMPILER = $(VALGRIND) - -AM_CFLAGS = $(WARN_CFLAGS) @CHECK_CFLAGS@ -AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_builddir)/lib -AM_CPPFLAGS += -I$(top_srcdir)/ykcs11 -I$(top_builddir)/ykcs11 -AM_CPPFLAGS += $(OPENSSL_CFLAGS) - -AM_LDFLAGS = @CHECK_LIBS@ - -if COMPILER_CLANG -AM_LDFLAGS += -no-fast-install -else -AM_LDFLAGS += -no-install -endif - -ykcs11_tests_LDADD = ../libykcs11.la $(OPENSSL_LIBS) ../../tool/libpiv_util.la -ykcs11_tests_SOURCES = ykcs11_tests.c -check_PROGRAMS = ykcs11_tests -TESTS = reset.sh $(check_PROGRAMS) - -if ENABLE_COV -AM_LDFLAGS += --coverage -endif diff --git a/ykcs11/tests/reset.sh b/ykcs11/tests/reset.sh deleted file mode 100755 index 6c20551..0000000 --- a/ykcs11/tests/reset.sh +++ /dev/null @@ -1,20 +0,0 @@ -BIN="../../tool/yubico-piv-tool${EXEEXT}" - -# Verify that user has confirmed destructive hw-tests -if [ "x$YKPIV_ENV_HWTESTS_CONFIRMED" != "x1" ]; then - printf "\n***\n*** Hardware tests skipped. Run \"make hwcheck\".\n***\n\n" >&0 - exit 77 # exit code 77 == skipped tests -fi - -# Reset -$BIN -averify-pin -P000000 || true -$BIN -averify-pin -P000000 || true -$BIN -averify-pin -P000000 || true -$BIN -averify-pin -P000000 || true -$BIN -averify-pin -P000000 || true -$BIN -achange-puk -P000000 -N00000000 || true -$BIN -achange-puk -P000000 -N00000000 || true -$BIN -achange-puk -P000000 -N00000000 || true -$BIN -achange-puk -P000000 -N00000000 || true -$BIN -achange-puk -P000000 -N00000000 || true -$BIN -areset diff --git a/ykcs11/tests/ykcs11_tests.c b/ykcs11/tests/ykcs11_tests.c deleted file mode 100644 index 257c938..0000000 --- a/ykcs11/tests/ykcs11_tests.c +++ /dev/null @@ -1,721 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "../../tool/openssl-compat.h" -#include -#include - -#include - -#include -#include -#include -#include -#include - -#pragma clang diagnostic push -#pragma clang diagnostic ignored "-Wpointer-sign" - -#ifdef __MINGW32__ -#define dprintf(fd, ...) fprintf(stdout, __VA_ARGS__) -#endif - -void dump_hex(const unsigned char *buf, unsigned int len, FILE *output, int space) { - unsigned int i; - for (i = 0; i < len; i++) { - fprintf(output, "%02x%s", buf[i], space == 1 ? " " : ""); - } - fprintf(output, "\n"); -} - -CK_FUNCTION_LIST_PTR funcs; - -#define asrt(c, e, m) _asrt(__LINE__, c, e, m); - -static void _asrt(int line, CK_ULONG check, CK_ULONG expected, CK_CHAR_PTR msg) { - - if (check == expected) - return; - - fprintf(stderr, "<%s>:%d check failed with value %lu (0x%lx), expected %lu (0x%lx)\n", - msg, line, check, check, expected, expected); - - exit(EXIT_FAILURE); - -} - -static void get_functions(CK_FUNCTION_LIST_PTR_PTR funcs) { - - if (C_GetFunctionList(funcs) != CKR_OK) { - fprintf(stderr, "Get function list failed\n"); - exit(EXIT_FAILURE); - } - -} - -static void test_lib_info() { - - const CK_CHAR_PTR MANUFACTURER_ID = "Yubico (www.yubico.com)"; - const CK_CHAR_PTR YKCS11_DESCRIPTION = "PKCS#11 PIV Library (SP-800-73)"; - const CK_ULONG CRYPTOKI_VERSION_MAJ = 2; - const CK_ULONG CRYPTOKI_VERSION_MIN = 40; - - - CK_INFO info; - - asrt(funcs->C_GetInfo(&info), CKR_OK, "GET_INFO"); - - asrt(strcmp(info.manufacturerID, MANUFACTURER_ID), 0, "MANUFACTURER"); - - asrt(info.cryptokiVersion.major, CRYPTOKI_VERSION_MAJ, "CK_MAJ"); - asrt(info.cryptokiVersion.minor, CRYPTOKI_VERSION_MIN, "CK_MIN"); - - asrt(info.libraryVersion.major, YKCS11_VERSION_MAJOR, "LIB_MAJ"); - asrt(info.libraryVersion.minor, ((YKCS11_VERSION_MINOR * 10) + YKCS11_VERSION_PATCH ), "LIB_MIN"); - - asrt(strcmp(info.libraryDescription, YKCS11_DESCRIPTION), 0, "LIB_DESC"); -} - -#ifdef HW_TESTS -static void test_initalize() { - - asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE"); - - asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE"); - -} - -static int test_token_info() { - - const CK_CHAR_PTR TOKEN_LABEL = "YubiKey PIV"; - const CK_CHAR_PTR TOKEN_MODEL = "YubiKey "; // Skip last 3 characters (version dependent) - const CK_CHAR_PTR TOKEN_MODEL_YK4 = "YubiKey YK4"; - const CK_CHAR_PTR TOKEN_SERIAL = "1234"; - const CK_FLAGS TOKEN_FLAGS = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED; - const CK_VERSION HW = {0, 0}; - const CK_CHAR_PTR TOKEN_TIME = " "; - CK_TOKEN_INFO info; - - asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE"); - - asrt(funcs->C_GetTokenInfo(0, &info), CKR_OK, "GetTokeninfo"); - asrt(strncmp(info.label, TOKEN_LABEL, strlen(TOKEN_LABEL)), 0, "TOKEN_LABEL"); - // Skip manufacturer id (not used) - asrt(strncmp(info.model, TOKEN_MODEL, strlen(TOKEN_MODEL)), 0, "TOKEN_MODEL"); - asrt(strncmp(info.serialNumber, TOKEN_SERIAL, strlen(TOKEN_SERIAL)), 0, "SERIAL_NUMBER"); - asrt(info.flags, TOKEN_FLAGS, "TOKEN_FLAGS"); - asrt(info.ulMaxSessionCount, CK_UNAVAILABLE_INFORMATION, "MAX_SESSION_COUNT"); - asrt(info.ulSessionCount, CK_UNAVAILABLE_INFORMATION, "SESSION_COUNT"); - asrt(info.ulMaxRwSessionCount, CK_UNAVAILABLE_INFORMATION, "MAX_RW_SESSION_COUNT"); - asrt(info.ulRwSessionCount, CK_UNAVAILABLE_INFORMATION, "RW_SESSION_COUNT"); - asrt(info.ulMaxPinLen, 8, "MAX_PIN_LEN"); - asrt(info.ulMinPinLen, 6, "MIN_PIN_LEN"); - asrt(info.ulTotalPublicMemory, CK_UNAVAILABLE_INFORMATION, "TOTAL_PUB_MEM"); - asrt(info.ulFreePublicMemory, CK_UNAVAILABLE_INFORMATION, "FREE_PUB_MEM"); - asrt(info.ulTotalPrivateMemory, CK_UNAVAILABLE_INFORMATION, "TOTAL_PVT_MEM"); - asrt(info.ulFreePrivateMemory, CK_UNAVAILABLE_INFORMATION, "FREE_PVT_MEM"); - - if (strncmp(info.model, TOKEN_MODEL_YK4, strlen(TOKEN_MODEL_YK4)) != 0) { - dprintf(0, "\n\n** WARNING: Only YK4 supported. Skipping remaining tests.\n\n"); - return -1; - } - - asrt(info.hardwareVersion.major, HW.major, "HW_MAJ"); - asrt(info.hardwareVersion.minor, HW.minor, "HW_MIN"); - - if (info.firmwareVersion.major != 4 && info.firmwareVersion.major != 0) - asrt(info.firmwareVersion.major, 4, "FW_MAJ"); - - asrt(strncmp(info.utcTime, TOKEN_TIME, sizeof(info.utcTime)), 0, "TOKEN_TIME"); - - asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE"); - return 0; -} - -static void test_mechanism_list_and_info() { - - CK_MECHANISM_TYPE_PTR mechs; - CK_ULONG n_mechs; - CK_MECHANISM_INFO info; - CK_ULONG i; - - static const CK_MECHANISM_TYPE token_mechanisms[] = { - CKM_RSA_PKCS_KEY_PAIR_GEN, - CKM_RSA_PKCS, - CKM_RSA_PKCS_PSS, - CKM_RSA_X_509, - CKM_SHA1_RSA_PKCS, - CKM_SHA256_RSA_PKCS, - CKM_SHA384_RSA_PKCS, - CKM_SHA512_RSA_PKCS, - CKM_SHA1_RSA_PKCS_PSS, - CKM_SHA256_RSA_PKCS_PSS, - CKM_SHA384_RSA_PKCS_PSS, - CKM_SHA512_RSA_PKCS_PSS, - CKM_EC_KEY_PAIR_GEN, - CKM_ECDSA, - CKM_ECDSA_SHA1, - CKM_ECDSA_SHA256, - CKM_SHA_1, - CKM_SHA256, - CKM_SHA384, - CKM_SHA512 - }; - - static const CK_MECHANISM_INFO token_mechanism_infos[] = { // KEEP ALIGNED WITH token_mechanisms - {1024, 2048, CKF_HW | CKF_GENERATE_KEY_PAIR}, - {1024, 2048, CKF_HW | CKF_DECRYPT | CKF_SIGN}, - {1024, 2048, CKF_HW | CKF_SIGN}, - {1024, 2048, CKF_HW | CKF_DECRYPT | CKF_SIGN}, - {1024, 2048, CKF_HW | CKF_SIGN}, - {1024, 2048, CKF_HW | CKF_SIGN}, - {1024, 2048, CKF_HW | CKF_SIGN}, - {1024, 2048, CKF_HW | CKF_SIGN}, - {1024, 2048, CKF_HW | CKF_SIGN}, - {1024, 2048, CKF_HW | CKF_SIGN}, - {1024, 2048, CKF_HW | CKF_SIGN}, - {1024, 2048, CKF_HW | CKF_SIGN}, - {256, 384, CKF_HW | CKF_GENERATE_KEY_PAIR}, - {256, 384, CKF_HW | CKF_SIGN}, - {256, 384, CKF_HW | CKF_SIGN}, - {256, 384, CKF_HW | CKF_SIGN}, - {0, 0, CKF_DIGEST}, - {0, 0, CKF_DIGEST}, - {0, 0, CKF_DIGEST}, - {0, 0, CKF_DIGEST} -}; - - asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE"); - - asrt(funcs->C_GetMechanismList(0, NULL, &n_mechs), CKR_OK, "GetMechanismList"); - - mechs = malloc(n_mechs * sizeof(CK_MECHANISM_TYPE)); - asrt(funcs->C_GetMechanismList(0, mechs, &n_mechs), CKR_OK, "GetMechanismList"); - - asrt(memcmp(token_mechanisms, mechs, sizeof(token_mechanisms)), 0, "CHECK MECHS"); - - for (i = 0; i < n_mechs; i++) { - asrt(funcs->C_GetMechanismInfo(0, mechs[i], &info), CKR_OK, "GET MECH INFO"); - asrt(memcmp(token_mechanism_infos + i, &info, sizeof(CK_MECHANISM_INFO)), 0, "CHECK MECH INFO"); - } - - asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE"); -} - -static void test_session() { - - CK_SESSION_HANDLE session; - CK_SESSION_INFO info; - - asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE"); - - asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1"); - asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession"); - - asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession2"); - asrt(funcs->C_GetSessionInfo(session, &info), CKR_OK, "GetSessionInfo"); - asrt(info.state, CKS_RW_PUBLIC_SESSION, "CHECK STATE"); - asrt(info.flags, CKF_SERIAL_SESSION | CKF_RW_SESSION, "CHECK FLAGS"); - asrt(info.ulDeviceError, 0, "CHECK DEVICE ERROR"); - asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession"); - - asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession3"); - asrt(funcs->C_CloseAllSessions(0), CKR_OK, "CloseAllSessions"); - - asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE"); - -} - -static void test_login() { - - CK_SESSION_HANDLE session; - CK_SESSION_INFO info; - - asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE"); - - asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1"); - - asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER"); - asrt(funcs->C_Logout(session), CKR_OK, "Logout USER"); - - asrt(funcs->C_Login(session, CKU_SO, "010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO"); - asrt(funcs->C_Logout(session), CKR_OK, "Logout SO"); - - asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession"); - - asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE"); - -} - -#if !((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)) -static int bogus_sign(int dtype, const unsigned char *m, unsigned int m_length, - unsigned char *sigret, unsigned int *siglen, const RSA *rsa) { - sigret = malloc(1); - sigret = ""; - *siglen = 1; - return 0; -} - -static void bogus_sign_cert(X509 *cert) { - EVP_PKEY *pkey = EVP_PKEY_new(); - RSA *rsa = RSA_new(); - RSA_METHOD *meth = RSA_meth_dup(RSA_get_default_method()); - BIGNUM *e = BN_new(); - - BN_set_word(e, 65537); - RSA_generate_key_ex(rsa, 1024, e, NULL); - RSA_meth_set_sign(meth, bogus_sign); - RSA_set_method(rsa, meth); - EVP_PKEY_set1_RSA(pkey, rsa); - X509_sign(cert, pkey, EVP_md5()); - EVP_PKEY_free(pkey); -} -#endif - - -// Import a newly generated P256 pvt key and a certificate -// to every slot and use the key to sign some data -static void test_import_and_sign_all_10() { - - EVP_PKEY *evp; - EC_KEY *eck; - const EC_POINT *ecp; - const BIGNUM *bn; - char pvt[32]; - X509 *cert; - ASN1_TIME *tm; - CK_BYTE i, j; - CK_BYTE some_data[32]; - - CK_ULONG class_k = CKO_PRIVATE_KEY; - CK_ULONG class_c = CKO_CERTIFICATE; - CK_ULONG kt = CKK_ECDSA; - CK_BYTE id = 0; - CK_BYTE params[] = {0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07}; - CK_BYTE sig[64]; - CK_ULONG recv_len; - CK_BYTE value_c[3100]; - CK_ULONG cert_len; - CK_BYTE der_encoded[80]; - CK_BYTE_PTR der_ptr; - CK_BYTE_PTR r_ptr; - CK_BYTE_PTR s_ptr; - CK_ULONG r_len; - CK_ULONG s_len; - - unsigned char *p; - - CK_ATTRIBUTE privateKeyTemplate[] = { - {CKA_CLASS, &class_k, sizeof(class_k)}, - {CKA_KEY_TYPE, &kt, sizeof(kt)}, - {CKA_ID, &id, sizeof(id)}, - {CKA_EC_PARAMS, ¶ms, sizeof(params)}, - {CKA_VALUE, pvt, sizeof(pvt)} - }; - - CK_ATTRIBUTE publicKeyTemplate[] = { - {CKA_CLASS, &class_c, sizeof(class_c)}, - {CKA_ID, &id, sizeof(id)}, - {CKA_VALUE, value_c, sizeof(value_c)} - }; - - CK_OBJECT_HANDLE obj[24]; - CK_SESSION_HANDLE session; - CK_MECHANISM mech = {CKM_ECDSA, NULL}; - - evp = EVP_PKEY_new(); - - if (evp == NULL) - exit(EXIT_FAILURE); - - eck = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - - if (eck == NULL) - exit(EXIT_FAILURE); - - asrt(EC_KEY_generate_key(eck), 1, "GENERATE ECK"); - - bn = EC_KEY_get0_private_key(eck); - - asrt(BN_bn2bin(bn, pvt), 32, "EXTRACT PVT"); - - if (EVP_PKEY_set1_EC_KEY(evp, eck) == 0) - exit(EXIT_FAILURE); - - cert = X509_new(); - - if (cert == NULL) - exit(EXIT_FAILURE); - - if (X509_set_pubkey(cert, evp) == 0) - exit(EXIT_FAILURE); - - tm = ASN1_TIME_new(); - if (tm == NULL) - exit(EXIT_FAILURE); - - ASN1_TIME_set_string(tm, "000001010000Z"); - X509_set_notBefore(cert, tm); - X509_set_notAfter(cert, tm); - -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - cert->sig_alg->algorithm = OBJ_nid2obj(8); - cert->cert_info->signature->algorithm = OBJ_nid2obj(8); - - ASN1_BIT_STRING_set_bit(cert->signature, 8, 1); - ASN1_BIT_STRING_set(cert->signature, "\x00", 1); -#else - bogus_sign_cert(cert); -#endif - - p = value_c; - if ((cert_len = (CK_ULONG) i2d_X509(cert, &p)) == 0 || cert_len > sizeof(value_c)) - exit(EXIT_FAILURE); - - publicKeyTemplate[2].ulValueLen = cert_len; - - asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE"); - asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1"); - asrt(funcs->C_Login(session, CKU_SO, "010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO"); - - for (i = 0; i < 24; i++) { - id = i; - asrt(funcs->C_CreateObject(session, publicKeyTemplate, 3, obj + i), CKR_OK, "IMPORT CERT"); - asrt(funcs->C_CreateObject(session, privateKeyTemplate, 5, obj + i), CKR_OK, "IMPORT KEY"); - } - - asrt(funcs->C_Logout(session), CKR_OK, "Logout SO"); - - for (i = 0; i < 24; i++) { - for (j = 0; j < 10; j++) { - - if(RAND_bytes(some_data, sizeof(some_data)) == -1) - exit(EXIT_FAILURE); - - asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER"); - asrt(funcs->C_SignInit(session, &mech, obj[i]), CKR_OK, "SignInit"); - - recv_len = sizeof(sig); - asrt(funcs->C_Sign(session, some_data, sizeof(some_data), sig, &recv_len), CKR_OK, "Sign"); - - r_len = 32; - s_len = 32; - - der_ptr = der_encoded; - *der_ptr++ = 0x30; - *der_ptr++ = 0xff; // placeholder, fix below - - r_ptr = sig; - - *der_ptr++ = 0x02; - *der_ptr++ = r_len; - if (*r_ptr >= 0x80) { - *(der_ptr - 1) = *(der_ptr - 1) + 1; - *der_ptr++ = 0x00; - } - else if (*r_ptr == 0x00 && *(r_ptr + 1) < 0x80) { - r_len--; - *(der_ptr - 1) = *(der_ptr - 1) - 1; - r_ptr++; - } - memcpy(der_ptr, r_ptr, r_len); - der_ptr+= r_len; - - s_ptr = sig + 32; - - *der_ptr++ = 0x02; - *der_ptr++ = s_len; - if (*s_ptr >= 0x80) { - *(der_ptr - 1) = *(der_ptr - 1) + 1; - *der_ptr++ = 0x00; - } - else if (*s_ptr == 0x00 && *(s_ptr + 1) < 0x80) { - s_len--; - *(der_ptr - 1) = *(der_ptr - 1) - 1; - s_ptr++; - } - memcpy(der_ptr, s_ptr, s_len); - der_ptr+= s_len; - - der_encoded[1] = der_ptr - der_encoded - 2; - - dump_hex(der_encoded, der_encoded[1] + 2, stderr, 1); - - asrt(ECDSA_verify(0, some_data, sizeof(some_data), der_encoded, der_encoded[1] + 2, eck), 1, "ECDSA VERIFICATION"); - - } - } - - asrt(funcs->C_Logout(session), CKR_OK, "Logout USER"); - - asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession"); - asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE"); - -} - -// Import a newly generated RSA1024 pvt key and a certificate -// to every slot and use the key to sign some data -static void test_import_and_sign_all_10_RSA() { - - EVP_PKEY *evp; - RSA *rsak; - X509 *cert; - ASN1_TIME *tm; - CK_BYTE i, j; - CK_BYTE some_data[32]; - CK_BYTE e[] = {0x01, 0x00, 0x01}; - CK_BYTE p[64]; - CK_BYTE q[64]; - CK_BYTE dp[64]; - CK_BYTE dq[64]; - CK_BYTE qinv[64]; - BIGNUM *e_bn; - CK_ULONG class_k = CKO_PRIVATE_KEY; - CK_ULONG class_c = CKO_CERTIFICATE; - CK_ULONG kt = CKK_RSA; - CK_BYTE id = 0; - CK_BYTE sig[64]; - CK_ULONG recv_len; - CK_BYTE value_c[3100]; - CK_ULONG cert_len; - CK_BYTE der_encoded[80]; - CK_BYTE_PTR der_ptr; - CK_BYTE_PTR r_ptr; - CK_BYTE_PTR s_ptr; - CK_ULONG r_len; - CK_ULONG s_len; - const BIGNUM *bp, *bq, *biqmp, *bdmp1, *bdmq1; - - unsigned char *px; - - CK_ATTRIBUTE privateKeyTemplate[] = { - {CKA_CLASS, &class_k, sizeof(class_k)}, - {CKA_KEY_TYPE, &kt, sizeof(kt)}, - {CKA_ID, &id, sizeof(id)}, - {CKA_PUBLIC_EXPONENT, e, sizeof(e)}, - {CKA_PRIME_1, p, sizeof(p)}, - {CKA_PRIME_2, q, sizeof(q)}, - {CKA_EXPONENT_1, dp, sizeof(dp)}, - {CKA_EXPONENT_2, dq, sizeof(dq)}, - {CKA_COEFFICIENT, qinv, sizeof(qinv)} - }; - - CK_ATTRIBUTE publicKeyTemplate[] = { - {CKA_CLASS, &class_c, sizeof(class_c)}, - {CKA_ID, &id, sizeof(id)}, - {CKA_VALUE, value_c, sizeof(value_c)} - }; - - CK_OBJECT_HANDLE obj[24]; - CK_SESSION_HANDLE session; - CK_MECHANISM mech = {CKM_RSA_PKCS, NULL}; - - evp = EVP_PKEY_new(); - - if (evp == NULL) - exit(EXIT_FAILURE); - - rsak = RSA_new(); - - if (rsak == NULL) - exit(EXIT_FAILURE); - - e_bn = BN_bin2bn(e, 3, NULL); - - if (e_bn == NULL) - exit(EXIT_FAILURE); - - asrt(RSA_generate_key_ex(rsak, 1024, e_bn, NULL), 1, "GENERATE RSAK"); - - RSA_get0_factors(rsak, &bp, &bq); - RSA_get0_crt_params(rsak, &bdmp1, &bdmq1, &biqmp); - asrt(BN_bn2bin(bp, p), 64, "GET P"); - asrt(BN_bn2bin(bq, q), 64, "GET Q"); - asrt(BN_bn2bin(bdmp1, dp), 64, "GET DP"); - asrt(BN_bn2bin(bdmq1, dp), 64, "GET DQ"); - asrt(BN_bn2bin(biqmp, qinv), 64, "GET QINV"); - - - - if (EVP_PKEY_set1_RSA(evp, rsak) == 0) - exit(EXIT_FAILURE); - - cert = X509_new(); - - if (cert == NULL) - exit(EXIT_FAILURE); - - if (X509_set_pubkey(cert, evp) == 0) - exit(EXIT_FAILURE); - - tm = ASN1_TIME_new(); - if (tm == NULL) - exit(EXIT_FAILURE); - - ASN1_TIME_set_string(tm, "000001010000Z"); - X509_set_notBefore(cert, tm); - X509_set_notAfter(cert, tm); - -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - /* putting bogus data to signature to make some checks happy */ - cert->sig_alg->algorithm = OBJ_nid2obj(8); - cert->cert_info->signature->algorithm = OBJ_nid2obj(8); - - ASN1_BIT_STRING_set_bit(cert->signature, 8, 1); - ASN1_BIT_STRING_set(cert->signature, "\x00", 1); -#else - bogus_sign_cert(cert); -#endif - - px = value_c; - if ((cert_len = (CK_ULONG) i2d_X509(cert, &px)) == 0 || cert_len > sizeof(value_c)) - exit(EXIT_FAILURE); - - publicKeyTemplate[2].ulValueLen = cert_len; - - asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE"); - asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1"); - asrt(funcs->C_Login(session, CKU_SO, "010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO"); - - for (i = 0; i < 24; i++) { - id = i; - asrt(funcs->C_CreateObject(session, publicKeyTemplate, 3, obj + i), CKR_OK, "IMPORT CERT"); - asrt(funcs->C_CreateObject(session, privateKeyTemplate, 9, obj + i), CKR_OK, "IMPORT KEY"); - } - - asrt(funcs->C_Logout(session), CKR_OK, "Logout SO"); - - for (i = 0; i < 24; i++) { - for (j = 0; j < 10; j++) { - - if(RAND_bytes(some_data, sizeof(some_data)) == -1) - exit(EXIT_FAILURE); - - asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER"); - asrt(funcs->C_SignInit(session, &mech, obj[i]), CKR_OK, "SignInit"); - - recv_len = sizeof(sig); - asrt(funcs->C_Sign(session, some_data, sizeof(some_data), sig, &recv_len), CKR_OK, "Sign"); - - /* r_len = 32; */ - /* s_len = 32; */ - - /* der_ptr = der_encoded; */ - /* *der_ptr++ = 0x30; */ - /* *der_ptr++ = 0xff; // placeholder, fix below */ - - /* r_ptr = sig; */ - - /* *der_ptr++ = 0x02; */ - /* *der_ptr++ = r_len; */ - /* if (*r_ptr >= 0x80) { */ - /* *(der_ptr - 1) = *(der_ptr - 1) + 1; */ - /* *der_ptr++ = 0x00; */ - /* } */ - /* else if (*r_ptr == 0x00 && *(r_ptr + 1) < 0x80) { */ - /* r_len--; */ - /* *(der_ptr - 1) = *(der_ptr - 1) - 1; */ - /* r_ptr++; */ - /* } */ - /* memcpy(der_ptr, r_ptr, r_len); */ - /* der_ptr+= r_len; */ - - /* s_ptr = sig + 32; */ - - /* *der_ptr++ = 0x02; */ - /* *der_ptr++ = s_len; */ - /* if (*s_ptr >= 0x80) { */ - /* *(der_ptr - 1) = *(der_ptr - 1) + 1; */ - /* *der_ptr++ = 0x00; */ - /* } */ - /* else if (*s_ptr == 0x00 && *(s_ptr + 1) < 0x80) { */ - /* s_len--; */ - /* *(der_ptr - 1) = *(der_ptr - 1) - 1; */ - /* s_ptr++; */ - /* } */ - /* memcpy(der_ptr, s_ptr, s_len); */ - /* der_ptr+= s_len; */ - - /* der_encoded[1] = der_ptr - der_encoded - 2; */ - - /* dump_hex(der_encoded, der_encoded[1] + 2, stderr, 1); */ - - /* asrt(ECDSA_verify(0, some_data, sizeof(some_data), der_encoded, der_encoded[1] + 2, eck), 1, "ECDSA VERIFICATION"); */ - - } - } - - asrt(funcs->C_Logout(session), CKR_OK, "Logout USER"); - - asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession"); - asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE"); - -} -#endif - -int destruction_confirmed(void) { - char *confirmed = getenv("YKPIV_ENV_HWTESTS_CONFIRMED"); - if (confirmed && confirmed[0] == '1') - return 1; - // Use dprintf() to write directly to stdout, since automake eats the standard stdout/stderr pointers. - dprintf(0, "\n***\n*** Hardware tests skipped. Run \"make hwcheck\".\n***\n\n"); - return 0; -} - -int main(void) { - - get_functions(&funcs); - - test_lib_info(); - -#ifdef HW_TESTS - // Require user confirmation to continue, since this test suite will clear - // any data stored on connected keys. - if (!destruction_confirmed()) - exit(77); // exit code 77 == skipped tests - - test_initalize(); - // Require YK4 to continue. Skip if different model found. - if (test_token_info() != 0) - exit(77); - test_mechanism_list_and_info(); - test_session(); - test_login(); - test_import_and_sign_all_10(); - test_import_and_sign_all_10_RSA(); -#else - fprintf(stderr, "HARDWARE TESTS DISABLED!, skipping...\n"); -#endif - - return EXIT_SUCCESS; - -} - -#pragma clang diagnostic pop diff --git a/ykcs11/token_vendors.c b/ykcs11/token_vendors.c deleted file mode 100644 index 395b7fe..0000000 --- a/ykcs11/token_vendors.c +++ /dev/null @@ -1,365 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "token_vendors.h" -#include "yubico_token.h" -#include "openssl_utils.h" -#include -#include "debug.h" - -#include -#include "../tool/util.h" - -static CK_RV COMMON_token_login(ykpiv_state *state, CK_USER_TYPE user, CK_UTF8CHAR_PTR pin, CK_ULONG pin_len) { - - int tries = 0; // TODO: this is effectively disregarded, should we add a better value in ykpiv_verify? - unsigned char key[24]; - size_t key_len = sizeof(key); - unsigned char *term_pin; - ykpiv_rc res; - - if (user == CKU_USER) { - // add null termination for the pin - term_pin = malloc(pin_len + 1); - if (term_pin == NULL) { - return CKR_HOST_MEMORY; - } - memcpy(term_pin, pin, pin_len); - term_pin[pin_len] = 0; - - res = ykpiv_verify(state, (char *)term_pin, &tries); - - OPENSSL_cleanse(term_pin, pin_len); - free(term_pin); - - if (res != YKPIV_OK) { - DBG("Failed to login"); - return CKR_PIN_INCORRECT; - } - } - else if (user == CKU_SO) { - if(ykpiv_hex_decode((char *)pin, pin_len, key, &key_len) != YKPIV_OK) { - DBG("Failed decoding key"); - return CKR_FUNCTION_FAILED; - } - - if(ykpiv_authenticate(state, key) != YKPIV_OK) { - DBG("Failed to authenticate"); - return CKR_PIN_INCORRECT; - } - } - - return CKR_OK; -} - -static CK_RV COMMON_token_generate_key(ykpiv_state *state, CK_BBOOL rsa, - CK_BYTE key, CK_ULONG key_len, CK_ULONG vendor_defined) { - // TODO: make a function in ykpiv for this - unsigned char in_data[11]; - unsigned char *in_ptr = in_data; - unsigned char data[1024]; - unsigned char templ[] = {0, YKPIV_INS_GENERATE_ASYMMETRIC, 0, 0}; - unsigned char *certptr; - unsigned long recv_len = sizeof(data); - int len_bytes; - int sw; - - CK_RV rv; - - if(rsa) { - char version[7]; - if(ykpiv_get_version(state, version, sizeof(version)) == YKPIV_OK) { - int major, minor, build; - int match = sscanf(version, "%d.%d.%d", &major, &minor, &build); - if(match == 3 && major == 4 && (minor < 3 || (minor == 3 && build < 5))) { - DBG("On-chip RSA key generation on this YubiKey has been blocked.\n"); - DBG("Please see https://yubi.co/ysa201701/ for details.\n"); - return CKR_FUNCTION_FAILED; - } - } else { - DBG("Failed to communicate.\n"); - return CKR_DEVICE_ERROR; - } - } - - templ[3] = key; - - *in_ptr++ = 0xac; - *in_ptr++ = 3; - *in_ptr++ = YKPIV_ALGO_TAG; - *in_ptr++ = 1; - - switch(key_len) { - case 2048: - if (rsa == CK_TRUE) - *in_ptr++ = YKPIV_ALGO_RSA2048; - else - return CKR_FUNCTION_FAILED; - - break; - - case 1024: - if (rsa == CK_TRUE) - *in_ptr++ = YKPIV_ALGO_RSA1024; - else - return CKR_FUNCTION_FAILED; - - break; - - case 256: - if (rsa == CK_FALSE) - *in_ptr++ = YKPIV_ALGO_ECCP256; - else - return CKR_FUNCTION_FAILED; - - break; - - default: - return CKR_FUNCTION_FAILED; - } - // PIN policy and touch - if (vendor_defined != 0) { - if (vendor_defined & CKA_PIN_ONCE) { - in_data[1] += 3; - *in_ptr++ = YKPIV_PINPOLICY_TAG; - *in_ptr++ = 0x01; - *in_ptr++ = YKPIV_PINPOLICY_ONCE; - } - else if (vendor_defined & CKA_PIN_ALWAYS) { - in_data[1] += 3; - *in_ptr++ = YKPIV_PINPOLICY_TAG; - *in_ptr++ = 0x01; - *in_ptr++ = YKPIV_PINPOLICY_ALWAYS; - } - - if (vendor_defined & CKA_TOUCH_ALWAYS) { - in_data[1] += 3; - *in_ptr++ = YKPIV_TOUCHPOLICY_TAG; - *in_ptr++ = 0x01; - *in_ptr++ = YKPIV_TOUCHPOLICY_ALWAYS; - } - } - - if(ykpiv_transfer_data(state, templ, in_data, in_ptr - in_data, data, &recv_len, &sw) != YKPIV_OK || - sw != 0x9000) - return CKR_DEVICE_ERROR; - - // Create a new empty certificate for the key - recv_len = sizeof(data); - if ((rv = do_create_empty_cert(data, recv_len, rsa, data, &recv_len)) != CKR_OK) - return rv; - - if (recv_len < 0x80) - len_bytes = 1; - else if (recv_len < 0xff) - len_bytes = 2; - else - len_bytes = 3; - - certptr = data; - memmove(data + len_bytes + 1, data, recv_len); - - *certptr++ = 0x70; - certptr += set_length(certptr, recv_len); - certptr += recv_len; - *certptr++ = 0x71; - *certptr++ = 1; - *certptr++ = 0; /* certinfo (gzip etc) */ - *certptr++ = 0xfe; /* LRC */ - *certptr++ = 0; - - // Store the certificate into the token - if (ykpiv_save_object(state, ykpiv_util_slot_object(key), data, (size_t)(certptr - data)) != YKPIV_OK) - return CKR_DEVICE_ERROR; - - return CKR_OK; -} - -static CK_RV COMMON_token_import_cert(ykpiv_state *state, CK_ULONG cert_id, CK_BYTE_PTR in) { - - unsigned char certdata[3072]; - unsigned char *certptr; - CK_ULONG cert_len; - - CK_RV rv; - - // Check whether or not we have a valid cert - if ((rv = do_check_cert(in, &cert_len)) != CKR_OK) - return rv; - - if (cert_len > 3072) - return CKR_FUNCTION_FAILED; - - certptr = certdata; - - *certptr++ = 0x70; - certptr += set_length(certptr, cert_len); - memcpy(certptr, in, cert_len); - certptr += cert_len; - - *certptr++ = 0x71; - *certptr++ = 1; - *certptr++ = 0; /* certinfo (gzip etc) */ - *certptr++ = 0xfe; /* LRC */ - *certptr++ = 0; - - // Store the certificate into the token - if (ykpiv_save_object(state, cert_id, certdata, (size_t)(certptr - certdata)) != YKPIV_OK) - return CKR_DEVICE_ERROR; - - return CKR_OK; -} - -CK_RV COMMON_token_import_private_key(ykpiv_state *state, CK_BYTE key_id, - CK_BYTE_PTR p, CK_ULONG p_len, - CK_BYTE_PTR q, CK_ULONG q_len, - CK_BYTE_PTR dp, CK_ULONG dp_len, - CK_BYTE_PTR dq, CK_ULONG dq_len, - CK_BYTE_PTR qinv, CK_ULONG qinv_len, - CK_BYTE_PTR ec_data, CK_ULONG ec_data_len, - CK_ULONG vendor_defined) { - - CK_BYTE pin_policy; - CK_BYTE touch_policy; - CK_BYTE algo; - ykpiv_rc rc; - - if (p == NULL) { - if (ec_data_len == 32 || ec_data_len == 31) - algo = YKPIV_ALGO_ECCP256; - else - algo = YKPIV_ALGO_ECCP384; - } - else if (ec_data == NULL) { - if (p_len == 64) - algo = YKPIV_ALGO_RSA1024; - else - algo = YKPIV_ALGO_RSA2048; - } - else - return CKR_FUNCTION_FAILED; - - pin_policy = YKPIV_PINPOLICY_DEFAULT; - touch_policy = YKPIV_TOUCHPOLICY_DEFAULT; - if (vendor_defined != 0) { - if (vendor_defined & CKA_PIN_ONCE) { - pin_policy = YKPIV_PINPOLICY_ONCE; - } - else if (vendor_defined & CKA_PIN_ALWAYS) { - pin_policy = YKPIV_PINPOLICY_ALWAYS; - } - else if (vendor_defined & CKA_PIN_NEVER) { - pin_policy = YKPIV_PINPOLICY_NEVER; - } - else - return CKR_ATTRIBUTE_VALUE_INVALID; - - if (vendor_defined & CKA_TOUCH_ALWAYS) { - touch_policy = YKPIV_TOUCHPOLICY_ALWAYS; - } - else if (vendor_defined & CKA_TOUCH_NEVER) { - touch_policy = YKPIV_TOUCHPOLICY_NEVER; - } - else - return CKR_ATTRIBUTE_VALUE_INVALID; - } - - rc = ykpiv_import_private_key(state, key_id, algo, - p, p_len, - q, q_len, - dp, dp_len, - dq, dq_len, - qinv, qinv_len, - ec_data, ec_data_len, - pin_policy, touch_policy); - - if (rc != YKPIV_OK) - return CKR_FUNCTION_FAILED; - - return CKR_OK; -} - -CK_RV COMMON_token_delete_cert(ykpiv_state *state, CK_ULONG cert_id) { - - if (ykpiv_save_object(state, cert_id, NULL, 0) != YKPIV_OK) - return CKR_DEVICE_ERROR; - - return CKR_OK; -} - -token_vendor_t get_token_vendor(vendor_id_t vid) { - token_vendor_t v; - - switch (vid) { - case YUBICO: - v.get_token_label = YUBICO_get_token_label; - v.get_token_manufacturer = YUBICO_get_token_manufacturer; - v.get_token_model = YUBICO_get_token_model; - v.get_token_flags = YUBICO_get_token_flags; - v.get_token_version = YUBICO_get_token_version; - v.get_token_serial = YUBICO_get_token_serial; - v.get_token_mechanisms_num = YUBICO_get_token_mechanisms_num; - v.get_token_mechanism_list = YUBICO_get_token_mechanism_list; - v.get_token_mechanism_info = YUBICO_get_token_mechanism_info; - v.get_token_objects_num = YUBICO_get_token_objects_num; - v.get_token_object_list = YUBICO_get_token_object_list; - v.get_token_raw_certificate = YUBICO_get_token_raw_certificate; - v.token_login = COMMON_token_login; - v.token_generate_key = COMMON_token_generate_key; - v.token_import_cert = COMMON_token_import_cert; - v.token_import_private_key = COMMON_token_import_private_key; - v.token_delete_cert = COMMON_token_delete_cert; - v.token_change_pin = YUBICO_token_change_pin; - break; - - case UNKNOWN: - default: - v.get_token_label = NULL; - v.get_token_manufacturer = NULL; - v.get_token_model = NULL; - v.get_token_flags = NULL; - v.get_token_version = NULL; - v.get_token_serial = NULL; - v.get_token_mechanisms_num = NULL; - v.get_token_mechanism_list = NULL; - v.get_token_mechanism_info = NULL; - v.get_token_objects_num = NULL; - v.get_token_object_list = NULL; - v.get_token_raw_certificate = NULL; - v.token_login = NULL; - v.token_generate_key = NULL; - v.token_import_cert = NULL; - v.token_import_private_key = NULL; - v.token_delete_cert = NULL; - } - - return v; - -} diff --git a/ykcs11/token_vendors.h b/ykcs11/token_vendors.h deleted file mode 100644 index 504eecf..0000000 --- a/ykcs11/token_vendors.h +++ /dev/null @@ -1,92 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef TOKEN_VENDORS_H -#define TOKEN_VENDORS_H - -#include "pkcs11.h" -#include "vendor_ids.h" -#include "obj_types.h" -#include - -typedef CK_RV (*get_t_label_f)(CK_UTF8CHAR_PTR, CK_ULONG); -typedef CK_RV (*get_t_manufacturer_f)(CK_UTF8CHAR_PTR, CK_ULONG); -typedef CK_RV (*get_t_model_f)(ykpiv_state *, CK_UTF8CHAR_PTR, CK_ULONG); -typedef CK_RV (*get_t_flags_f)(CK_FLAGS_PTR); -typedef CK_RV (*get_t_version_f)(ykpiv_state *, CK_VERSION_PTR); -typedef CK_RV (*get_t_serial_f)(CK_CHAR_PTR, CK_ULONG); -typedef CK_RV (*get_t_mechanisms_num_f)(CK_ULONG_PTR); -typedef CK_RV (*get_t_mechanism_list_f)(CK_MECHANISM_TYPE_PTR, CK_ULONG); -typedef CK_RV (*get_t_mechanism_info_f)(CK_MECHANISM_TYPE, CK_MECHANISM_INFO_PTR); -typedef CK_RV (*get_t_objects_num_f)(ykpiv_state *, CK_ULONG_PTR, CK_ULONG_PTR); -typedef CK_RV (*get_t_object_list_f)(ykpiv_state *, piv_obj_id_t *, CK_ULONG); -typedef CK_RV (*get_t_raw_certificate_f)(ykpiv_state *, piv_obj_id_t, CK_BYTE_PTR, CK_ULONG_PTR); -typedef CK_RV (*t_change_pin_f)(ykpiv_state *, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR, CK_ULONG); - -// Common token functions below -typedef CK_RV (*t_login_f)(ykpiv_state *, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG); -typedef CK_RV (*t_generate_key_f)(ykpiv_state *, CK_BBOOL, CK_BYTE, CK_ULONG, CK_ULONG); -typedef CK_RV (*t_import_cert_f)(ykpiv_state *, CK_ULONG, CK_BYTE_PTR); -typedef CK_RV (*t_import_private_key_f)(ykpiv_state *, CK_BYTE, - CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG, - CK_ULONG); -typedef CK_RV (*t_delete_cert_f)(ykpiv_state *, CK_ULONG); - -// TODO: replace all the common calls with functions defined in .c that use libykpiv - -typedef struct { - get_t_label_f get_token_label; - get_t_manufacturer_f get_token_manufacturer; - get_t_model_f get_token_model; - get_t_flags_f get_token_flags; - get_t_version_f get_token_version; - get_t_serial_f get_token_serial; - get_t_mechanisms_num_f get_token_mechanisms_num; - get_t_mechanism_list_f get_token_mechanism_list; - get_t_mechanism_info_f get_token_mechanism_info; - get_t_objects_num_f get_token_objects_num; - get_t_object_list_f get_token_object_list; - get_t_raw_certificate_f get_token_raw_certificate; - t_login_f token_login; - t_generate_key_f token_generate_key; - t_import_cert_f token_import_cert; - t_import_private_key_f token_import_private_key; - t_delete_cert_f token_delete_cert; - t_change_pin_f token_change_pin; -} token_vendor_t; - -token_vendor_t get_token_vendor(vendor_id_t vid); - -#endif diff --git a/ykcs11/utils.c b/ykcs11/utils.c deleted file mode 100644 index fd9867a..0000000 --- a/ykcs11/utils.c +++ /dev/null @@ -1,265 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "utils.h" -#include -#include - -CK_BBOOL has_token(const ykcs11_slot_t *slot) { - - return (slot->info.flags & CKF_TOKEN_PRESENT); - -} - -CK_RV parse_readers(ykpiv_state *state, const CK_BYTE_PTR readers, const CK_ULONG len, - ykcs11_slot_t *slots, CK_ULONG_PTR n_slots, CK_ULONG_PTR n_with_token) { - - CK_BYTE i; - CK_BYTE_PTR p; - CK_BYTE_PTR s; - CK_ULONG l; - slot_vendor_t slot; - - *n_slots = 0; - *n_with_token = 0; - p = readers; - - /* - * According to pcsc-lite, the format of a reader name is: - * name [interface] (serial) index slot - * https://ludovicrousseau.blogspot.se/2010/05/what-is-in-pcsc-reader-name.html - */ - - for (i = 0; i < len; i++) - if (readers[i] == '\0' && i != len - 1) { - slots[*n_slots].vid = get_vendor_id((char *)p); - - if (slots[*n_slots].vid == UNKNOWN) { // TODO: distinguish between tokenless and unsupported? - // Unknown slot, just save what info we have - memset(&slots[*n_slots].info, 0, sizeof(CK_SLOT_INFO)); - memset(slots[*n_slots].info.slotDescription, ' ', sizeof(slots[*n_slots].info.slotDescription)); - if (strlen((char *)p) <= sizeof(slots[*n_slots].info.slotDescription)) - memcpy(slots[*n_slots].info.slotDescription, p, strlen((char *)p)); - else - memcpy(slots[*n_slots].info.slotDescription, p, sizeof(slots[*n_slots].info.slotDescription)); - } - else { - // Supported slot - slot = get_slot_vendor(slots[*n_slots].vid); - - // Values must NOT be null terminated and ' ' padded - - memset(slots[*n_slots].info.slotDescription, ' ', sizeof(slots[*n_slots].info.slotDescription)); - s = slots[*n_slots].info.slotDescription; - l = sizeof(slots[*n_slots].info.slotDescription); - memcpy((char *)s, (char*)p, l); - - memset(slots[*n_slots].info.manufacturerID, ' ', sizeof(slots[*n_slots].info.manufacturerID)); - s = slots[*n_slots].info.manufacturerID; - l = sizeof(slots[*n_slots].info.manufacturerID); - if(slot.get_slot_manufacturer(s, l) != CKR_OK) - goto failure; - - if (slot.get_slot_flags(&slots[*n_slots].info.flags) != CKR_OK) - goto failure; - - // Treating hw and fw version the same - if (slot.get_slot_version(&slots[*n_slots].info.hardwareVersion) != CKR_OK) - goto failure; - - if (slot.get_slot_version(&slots[*n_slots].info.firmwareVersion) != CKR_OK) - goto failure; - - if (has_token(slots + *n_slots)) { - // Save token information - (*n_with_token)++; - - if (create_token(state, p, slots + *n_slots) != CKR_OK) - goto failure; - } - } - (*n_slots)++; - p = readers + i + 1; - } - - return CKR_OK; - -failure: - // TODO: destroy all token objects - for (i = 0; i < *n_slots; i++) - if (has_token(slots + i)) - destroy_token(slots + i); - - return CKR_FUNCTION_FAILED; -} - -CK_RV create_token(ykpiv_state *state, CK_BYTE_PTR p, ykcs11_slot_t *slot) { - - token_vendor_t token; - CK_TOKEN_INFO_PTR t_info; - - slot->token = malloc(sizeof(ykcs11_token_t)); // TODO: free - if (slot->token == NULL) - return CKR_HOST_MEMORY; - - slot->token->vid = YUBICO; // TODO: this must become "slot_vendor.get_token_vid()" - token = get_token_vendor(slot->token->vid); - - t_info = &slot->token->info; - - memset(t_info->label, ' ', sizeof(t_info->label)); - if (token.get_token_label(t_info->label, sizeof(t_info->label)) != CKR_OK) - return CKR_FUNCTION_FAILED; - - memset(t_info->manufacturerID, ' ', sizeof(t_info->manufacturerID)); - if(token.get_token_manufacturer(t_info->manufacturerID, sizeof(t_info->manufacturerID)) != CKR_OK) - return CKR_FUNCTION_FAILED; - - if (ykpiv_connect(state, (char *)p) != YKPIV_OK) - return CKR_FUNCTION_FAILED; - - memset(t_info->model, ' ', sizeof(t_info->model)); - if(token.get_token_model(state, t_info->model, sizeof(t_info->model)) != CKR_OK) { - ykpiv_disconnect(state); - return CKR_FUNCTION_FAILED; - } - - memset(t_info->serialNumber, ' ', sizeof(t_info->serialNumber)); - if(token.get_token_serial(t_info->serialNumber, sizeof(t_info->serialNumber)) != CKR_OK) { - ykpiv_disconnect(state); - return CKR_FUNCTION_FAILED; - } - - if (token.get_token_flags(&t_info->flags) != CKR_OK) { - ykpiv_disconnect(state); - return CKR_FUNCTION_FAILED; - } - - t_info->ulMaxSessionCount = CK_UNAVAILABLE_INFORMATION; - - t_info->ulSessionCount = CK_UNAVAILABLE_INFORMATION; - - t_info->ulMaxRwSessionCount = CK_UNAVAILABLE_INFORMATION; - - t_info->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION; - - t_info->ulMaxPinLen = 8; - - t_info->ulMinPinLen = 6; - - t_info->ulTotalPublicMemory = CK_UNAVAILABLE_INFORMATION; - - t_info->ulFreePublicMemory = CK_UNAVAILABLE_INFORMATION; - - t_info->ulTotalPrivateMemory = CK_UNAVAILABLE_INFORMATION; - - t_info->ulFreePrivateMemory = CK_UNAVAILABLE_INFORMATION; - - memset(&t_info->hardwareVersion, 0, sizeof(t_info->hardwareVersion)); - // Ignore hardware version, report firmware version - if (token.get_token_version(state, &t_info->firmwareVersion) != CKR_OK) { - ykpiv_disconnect(state); - return CKR_FUNCTION_FAILED; - } - - memset(t_info->utcTime, ' ', sizeof(t_info->utcTime)); // No clock present, clear - - slot->token->objects = NULL; - slot->token->n_objects = 0; - - ykpiv_disconnect(state); - - return CKR_OK; -} - -void destroy_token(ykcs11_slot_t *slot) { - free(slot->token); - slot->token = NULL; -} - -CK_BBOOL is_valid_key_id(CK_BYTE id) { - - // Valid ids are [0, 23] aka [0x00, 0x17] - if (id > 23) - return CK_FALSE; - - return CK_TRUE; -} - -void strip_DER_encoding_from_ECSIG(CK_BYTE_PTR data, CK_ULONG_PTR len) { - - CK_BYTE_PTR data_ptr; - CK_ULONG sig_halflen; - CK_BYTE buf[128]; - CK_BYTE_PTR buf_ptr; - CK_BYTE elem_len; - - // Maximum DER length for P256 is 2 + 2 + 33 + 2 + 33 = 72 - if (*len <= 72) - sig_halflen = 32; - else - sig_halflen = 48; - - memset(buf, 0, sizeof(buf)); - data_ptr = data + 3; - buf_ptr = buf; - - // copy r - elem_len = *data_ptr; - if (elem_len == (sig_halflen - 1)) - buf_ptr++; // One shorter, prepend a zero - else if (elem_len == (sig_halflen + 1)) { - data_ptr++; // One longer, skip a zero - elem_len--; - } - - data_ptr++; - memcpy(buf_ptr, data_ptr, elem_len); - data_ptr += elem_len; - buf_ptr += elem_len; - - data_ptr++; - - // copy s - elem_len = *data_ptr; - if (elem_len == (sig_halflen - 1)) - buf_ptr++; // One shorter, prepend a zero - else if (elem_len == (sig_halflen + 1)) { - data_ptr++; // One longer, skip a zero - elem_len --; - } - - data_ptr++; - memcpy(buf_ptr, data_ptr, elem_len); - - *len = sig_halflen * 2; - memcpy(data, buf, *len); - -} diff --git a/ykcs11/utils.h b/ykcs11/utils.h deleted file mode 100644 index 023c51a..0000000 --- a/ykcs11/utils.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef UTILS_H -#define UTILS_H - -#include "ykcs11.h" - -CK_BBOOL has_token(const ykcs11_slot_t *slot); -CK_RV parse_readers(ykpiv_state *state,const CK_BYTE_PTR readers, const CK_ULONG len, - ykcs11_slot_t *slots, CK_ULONG_PTR n_slots, CK_ULONG_PTR n_with_token); -CK_RV create_token(ykpiv_state *state, CK_BYTE_PTR p, ykcs11_slot_t *slot); -void destroy_token(ykcs11_slot_t *slot); - -CK_BBOOL is_valid_key_id(CK_BYTE id); - -void strip_DER_encoding_from_ECSIG(CK_BYTE_PTR data, CK_ULONG_PTR len); - -#endif diff --git a/ykcs11/vendor_ids.h b/ykcs11/vendor_ids.h deleted file mode 100644 index 4dd812e..0000000 --- a/ykcs11/vendor_ids.h +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef VENDOR_IDS_H -#define VENDOR_IDS_H - -typedef enum { - UNKNOWN = 0x00, - YUBICO = 0x01 -} vendor_id_t; - - -#endif diff --git a/ykcs11/vendors.c b/ykcs11/vendors.c deleted file mode 100644 index fa2540c..0000000 --- a/ykcs11/vendors.c +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "vendors.h" -#include - -vendor_id_t get_vendor_id(char *vendor_name) { - - if (strstr(vendor_name, "Yubico") != NULL) - return YUBICO; - - return UNKNOWN; -} diff --git a/ykcs11/vendors.h b/ykcs11/vendors.h deleted file mode 100644 index b025b81..0000000 --- a/ykcs11/vendors.h +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef VENDORS_H -#define VENDORS_H - -#include "vendor_ids.h" -#include "slot_vendors.h" -#include "token_vendors.h" - -vendor_id_t get_vendor_id(char *vendor_name); - -#endif diff --git a/ykcs11/ykcs11-version.h.in b/ykcs11/ykcs11-version.h.in deleted file mode 100644 index 9888676..0000000 --- a/ykcs11/ykcs11-version.h.in +++ /dev/null @@ -1,89 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef YKCS11_VERSION_H -#define YKCS11_VERSION_H - -#ifdef __cplusplus -extern "C" -{ -#endif - - /** - * YKCS11_VERSION_STRING - * - * Pre-processor symbol with a string that describe the header file - * version number. Used together with ykneomgr_check_version() to verify - * header file and run-time library consistency. - */ -#define YKCS11_VERSION_STRING "@VERSION@" - - /** - * YKCS11_VERSION_NUMBER - * - * Pre-processor symbol with a hexadecimal value describing the header - * file version number. For example, when the header version is 1.2.3 - * this symbol will have the value 0x01020300. The last two digits - * are only used between public releases, and will otherwise be 00. - */ -#define YKCS11_VERSION_NUMBER @YKCS11_VERSION_NUMBER@ - - /** - * YKCS11_VERSION_MAJOR - * - * Pre-processor symbol with a decimal value that describe the major - * level of the header file version number. For example, when the - * header version is 1.2.3 this symbol will be 1. - */ -#define YKCS11_VERSION_MAJOR @YKCS11_VERSION_MAJOR@ - - /** - * YKCS11_VERSION_MINOR - * - * Pre-processor symbol with a decimal value that describe the minor - * level of the header file version number. For example, when the - * header version is 1.2.3 this symbol will be 2. - */ -#define YKCS11_VERSION_MINOR @YKCS11_VERSION_MINOR@ - - /** - * YKCS11_VERSION_PATCH - * - * Pre-processor symbol with a decimal value that describe the patch - * level of the header file version number. For example, when the - * header version is 1.2.3 this symbol will be 3. - */ -#define YKCS11_VERSION_PATCH @YKCS11_VERSION_PATCH@ - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/ykcs11/ykcs11.c b/ykcs11/ykcs11.c deleted file mode 100644 index 9a817bf..0000000 --- a/ykcs11/ykcs11.c +++ /dev/null @@ -1,2509 +0,0 @@ -/* - * Copyright (c) 2014-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "ykcs11.h" -#include "ykcs11-version.h" -#include -#include -#include -#include "obj_types.h" -#include "objects.h" -#include "utils.h" -#include "mechanisms.h" -#include "openssl_types.h" -#include "openssl_utils.h" -#include "debug.h" - -#include -#include "../tool/util.h" - -#define YKCS11_MANUFACTURER "Yubico (www.yubico.com)" -#define YKCS11_LIBDESC "PKCS#11 PIV Library (SP-800-73)" - -#define PIV_MIN_PIN_LEN 6 -#define PIV_MAX_PIN_LEN 8 -#define PIV_MGM_KEY_LEN 48 - -#define YKCS11_MAX_SLOTS 16 -//#define YKCS11_MAX_SIG_BUF_LEN 1024 - -#define YKCS11_SESSION_ID 5355104 - -static ykpiv_state *piv_state = NULL; - -static ykcs11_slot_t slots[YKCS11_MAX_SLOTS]; -static CK_ULONG n_slots = 0; -static CK_ULONG n_slots_with_token = 0; - -static ykcs11_session_t session; - -static struct { - CK_BBOOL active; - CK_ULONG num; - CK_ULONG idx; - piv_obj_id_t *objects; -} find_obj; - -op_info_t op_info; - -extern CK_FUNCTION_LIST function_list; - -/* General Purpose */ - -CK_DEFINE_FUNCTION(CK_RV, C_Initialize)( - CK_VOID_PTR pInitArgs -) -{ - CK_BYTE readers[2048]; - size_t len = sizeof(readers); - - DIN; - - memset(readers, '\0', sizeof(readers)); - - if (piv_state != NULL) - return CKR_CRYPTOKI_ALREADY_INITIALIZED; - - if (ykpiv_init(&piv_state, YKCS11_DBG) != YKPIV_OK) { - DBG("Unable to initialize libykpiv"); - return CKR_FUNCTION_FAILED; - } - - if (ykpiv_list_readers(piv_state, (char*)readers, &len) != YKPIV_OK) { - DBG("Unable to list readers"); - return CKR_FUNCTION_FAILED; - } - - if (parse_readers(piv_state, readers, len, slots, &n_slots, &n_slots_with_token) != CKR_OK) - return CKR_FUNCTION_FAILED; - - DBG("Found %lu slot(s) of which %lu tokenless/unsupported", n_slots, n_slots - n_slots_with_token); - - find_obj.active = CK_FALSE; - // TODO: FILL OUT INIT ARGS; - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_Finalize)( - CK_VOID_PTR pReserved -) -{ - CK_ULONG i; - - DIN; - - if (pReserved != NULL_PTR) { - DBG("Finalized called with pReserved != NULL"); - return CKR_ARGUMENTS_BAD; - } - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - for (i = 0; i < n_slots; i++) { - destroy_token(slots + i); - } - memset(slots, 0, sizeof(slots)); - - ykpiv_done(piv_state); - piv_state = NULL; - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetInfo)( - CK_INFO_PTR pInfo -) -{ - CK_VERSION ver = {YKCS11_VERSION_MAJOR, (YKCS11_VERSION_MINOR * 10) + YKCS11_VERSION_PATCH}; - - DIN; - - pInfo->cryptokiVersion = function_list.version; - - memset(pInfo->manufacturerID, ' ', sizeof(pInfo->manufacturerID)); - strcpy((char *)pInfo->manufacturerID, YKCS11_MANUFACTURER); - - pInfo->flags = 0; - - memset(pInfo->libraryDescription, ' ', sizeof(pInfo->libraryDescription)); - strcpy((char *)pInfo->libraryDescription, YKCS11_LIBDESC); - - pInfo->libraryVersion = ver; - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetFunctionList)( - CK_FUNCTION_LIST_PTR_PTR ppFunctionList -) -{ - DIN; - - if(ppFunctionList == NULL_PTR) { - DBG("GetFunctionList called with ppFunctionList = NULL"); - return CKR_ARGUMENTS_BAD; - } - *ppFunctionList = &function_list; - - DOUT; - return CKR_OK; -} - -/* Slot and token management */ - -CK_DEFINE_FUNCTION(CK_RV, C_GetSlotList)( - CK_BBOOL tokenPresent, - CK_SLOT_ID_PTR pSlotList, - CK_ULONG_PTR pulCount -) -{ - CK_ULONG i; - int j; - - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (pulCount) { - *pulCount = n_slots; - - if (tokenPresent) - *pulCount = n_slots_with_token; - else - *pulCount = n_slots; - } - - if (pSlotList == NULL_PTR) { - // Just return the number of slots - - DOUT; - return CKR_OK; - } - - if (!pulCount) { - DOUT; - return CKR_ARGUMENTS_BAD; - } - - if ((tokenPresent && *pulCount < n_slots_with_token) || (!tokenPresent && *pulCount < n_slots)) { - DBG("Buffer too small: needed %lu, provided %lu", n_slots, *pulCount); - return CKR_BUFFER_TOO_SMALL; - } - - for (j = 0, i = 0; i < n_slots; i++) { - if (tokenPresent) { - if (has_token(slots + i)) - pSlotList[j++] = i; - } - else - pSlotList[i] = i; - } - - DBG("token present is %d", tokenPresent); - DBG("number of slot(s) is %lu", *pulCount); - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetSlotInfo)( - CK_SLOT_ID slotID, - CK_SLOT_INFO_PTR pInfo -) -{ - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (slotID >= n_slots) { - DBG("Invalid slot ID %lu", slotID); - return CKR_SLOT_ID_INVALID; - } - - memcpy(pInfo, &slots[slotID].info, sizeof(CK_SLOT_INFO)); - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetTokenInfo)( - CK_SLOT_ID slotID, - CK_TOKEN_INFO_PTR pInfo -) -{ - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (slotID >= n_slots) { - DBG("Invalid slot ID %lu", slotID); - return CKR_SLOT_ID_INVALID; - } - - if (slots[slotID].vid == UNKNOWN) { - DBG("No support for slot %lu", slotID); - return CKR_SLOT_ID_INVALID; - } - - if (!has_token(slots + slotID)) { - DBG("Slot %lu has no token inserted", slotID); - return CKR_TOKEN_NOT_PRESENT; - } - - if (slots[slotID].token->vid == UNKNOWN) { - DBG("No support for token in slot %lu", slotID); - return CKR_TOKEN_NOT_RECOGNIZED; - } - - memcpy(pInfo, &slots[slotID].token->info, sizeof(CK_TOKEN_INFO)); - - // Overwrite values that are application specific - pInfo->ulMaxSessionCount = CK_UNAVAILABLE_INFORMATION; // TODO: should this be 1? - pInfo->ulSessionCount = CK_UNAVAILABLE_INFORMATION; // number of sessions that this application currently has open with the token - pInfo->ulMaxRwSessionCount = CK_UNAVAILABLE_INFORMATION; // maximum number of read/write sessions that can be opened with the token at one time by a single TODO: should this be 1? - pInfo->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION; // number of read/write sessions that this application currently has open with the token - pInfo->ulMaxPinLen = PIV_MAX_PIN_LEN; // maximum length in bytes of the PIN - pInfo->ulMinPinLen = PIV_MIN_PIN_LEN; // minimum length in bytes of the PIN - pInfo->ulTotalPublicMemory = CK_UNAVAILABLE_INFORMATION; - pInfo->ulFreePublicMemory = CK_UNAVAILABLE_INFORMATION; - pInfo->ulTotalPrivateMemory = CK_UNAVAILABLE_INFORMATION; - pInfo->ulFreePrivateMemory = CK_UNAVAILABLE_INFORMATION; - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_WaitForSlotEvent)( - CK_FLAGS flags, - CK_SLOT_ID_PTR pSlot, - CK_VOID_PTR pReserved -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetMechanismList)( - CK_SLOT_ID slotID, - CK_MECHANISM_TYPE_PTR pMechanismList, - CK_ULONG_PTR pulCount -) -{ - token_vendor_t token; - CK_ULONG count; - - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (slotID >= n_slots) { - DBG("Invalid slot ID %lu", slotID); - return CKR_SLOT_ID_INVALID; - } - - if (pulCount == NULL_PTR) { - DBG("Wrong/Missing parameter"); - return CKR_ARGUMENTS_BAD; - } - - if (slots[slotID].vid == UNKNOWN) { - DBG("Slot %lu is tokenless/unsupported", slotID); - return CKR_SLOT_ID_INVALID; - } - - // TODO: check more return values - - token = get_token_vendor(slots[slotID].vid); - - if (token.get_token_mechanisms_num(&count) != CKR_OK) - return CKR_FUNCTION_FAILED; - - if (pMechanismList == NULL_PTR) { - *pulCount = count; - DBG("Found %lu mechanisms", *pulCount); - DOUT; - return CKR_OK; - } - - if (*pulCount < count) { - DBG("Buffer too small: needed %lu, provided %lu", count, *pulCount); - return CKR_BUFFER_TOO_SMALL; - } - - if (token.get_token_mechanism_list(pMechanismList, *pulCount) != CKR_OK) { - DBG("Unable to retrieve mechanism list"); - return CKR_FUNCTION_FAILED; - } - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetMechanismInfo)( - CK_SLOT_ID slotID, - CK_MECHANISM_TYPE type, - CK_MECHANISM_INFO_PTR pInfo -) -{ - token_vendor_t token; - - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (slotID >= n_slots) { - DBG("Invalid slot ID %lu", slotID); - return CKR_SLOT_ID_INVALID; - } - - if (pInfo == NULL_PTR) { - DBG("Wrong/Missing parameter"); - return CKR_ARGUMENTS_BAD; - } - - if (slots[slotID].vid == UNKNOWN) { - DBG("Slot %lu is tokenless/unsupported", slotID); - return CKR_SLOT_ID_INVALID; - } - - token = get_token_vendor(slots[slotID].vid); - - if (token.get_token_mechanism_info(type, pInfo) != CKR_OK) { - DBG("Unable to retrieve mechanism information"); - return CKR_MECHANISM_INVALID; - } - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_InitToken)( - CK_SLOT_ID slotID, - CK_UTF8CHAR_PTR pPin, - CK_ULONG ulPinLen, - CK_UTF8CHAR_PTR pLabel -) -{ - DIN; - DBG("Token initialization unsupported"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_InitPIN)( - CK_SESSION_HANDLE hSession, - CK_UTF8CHAR_PTR pPin, - CK_ULONG ulPinLen -) -{ - DIN; - DBG("PIN initialization unsupported"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_SetPIN)( - CK_SESSION_HANDLE hSession, - CK_UTF8CHAR_PTR pOldPin, - CK_ULONG ulOldLen, - CK_UTF8CHAR_PTR pNewPin, - CK_ULONG ulNewLen -) -{ - DIN; - CK_RV rv; - token_vendor_t token; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle == CK_INVALID_HANDLE) { - DBG("User called SetPIN on closed session"); - return CKR_SESSION_CLOSED; - } - - if (hSession != YKCS11_SESSION_ID) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - CK_USER_TYPE user_type = CKU_USER; - if (session.info.state == CKS_RW_SO_FUNCTIONS) { - user_type = CKU_SO; - } - - token = get_token_vendor(session.slot->token->vid); - rv = token.token_change_pin(piv_state, user_type, pOldPin, ulOldLen, pNewPin, ulNewLen); - if (rv != CKR_OK) { - DBG("Pin change failed %lx", rv); - return rv; - } - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_OpenSession)( - CK_SLOT_ID slotID, - CK_FLAGS flags, - CK_VOID_PTR pApplication, - CK_NOTIFY Notify, - CK_SESSION_HANDLE_PTR phSession -) -{ - token_vendor_t token; - CK_RV rv; - piv_obj_id_t *cert_ids; - CK_ULONG i; - CK_BYTE cert_data[3072]; // Max cert value for ykpiv - CK_ULONG cert_len = sizeof(cert_data); - - DIN; // TODO: pApplication and Notify - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (slotID >= n_slots) { - DBG("Invalid slot ID %lu", slotID); - return CKR_SLOT_ID_INVALID; - } - - if (phSession == NULL_PTR) { - DBG("Wrong/Missing parameter"); - return CKR_ARGUMENTS_BAD; - } - - if (slots[slotID].vid == UNKNOWN) { - DBG("No support for slot %lu", slotID); - return CKR_TOKEN_NOT_RECOGNIZED; - } - - if (slots[slotID].token->vid == UNKNOWN) { - DBG("No support for token in slot %lu", slotID); - return CKR_TOKEN_NOT_RECOGNIZED; - } - - if (!has_token(slots + slotID)) { - DBG("Slot %lu has no token inserted", slotID); - return CKR_TOKEN_NOT_PRESENT; - } - - if (session.handle != CK_INVALID_HANDLE) { - DBG("A session with this or another token already exists"); - return CKR_SESSION_COUNT; - } - - if ((flags & CKF_SERIAL_SESSION) == 0) { - DBG("Open session called without CKF_SERIAL_SESSION set"); // Required by specs - return CKR_SESSION_PARALLEL_NOT_SUPPORTED; - } - - // Connect to the slot - if(ykpiv_connect(piv_state, (char *)slots[slotID].info.slotDescription) != YKPIV_OK) { - DBG("Unable to connect to reader"); - return CKR_FUNCTION_FAILED; - } - - token = get_token_vendor(slots[slotID].token->vid); - - // Store the slot - session.slot = slots + slotID; - //session.slot->info.slotID = slotID; // Redundant but required in CK_SESSION_INFO - - // Store session state - session.info.state = 0; - - if ((flags & CKF_RW_SESSION)) { - // R/W Session - session.info.state = CKS_RW_PUBLIC_SESSION; // Nobody has logged in, default RO session - } - else { - // R/O Session - session.info.state = CKS_RO_PUBLIC_SESSION; // Nobody has logged in, default RW session - } - - session.info.slotID = slotID; - session.info.flags = flags; - session.info.ulDeviceError = 0; - - // Get the number of token objects - rv = token.get_token_objects_num(piv_state, &session.slot->token->n_objects, &session.slot->token->n_certs); - if (rv != CKR_OK) { - DBG("Unable to retrieve number of token objects"); - return rv; - } - - // Get memory for the objects - session.slot->token->objects = malloc(sizeof(piv_obj_id_t) * session.slot->token->n_objects); - if (session.slot->token->objects == NULL) { - DBG("Unable to allocate memory for token object ids"); - return CKR_HOST_MEMORY; - } - - // Get memory for the certificates - cert_ids = malloc(sizeof(piv_obj_id_t) * session.slot->token->n_certs); - if (cert_ids == NULL) { - DBG("Unable to allocate memory for token certificate ids"); - return CKR_HOST_MEMORY; - } - - // Save a list of all the available objects in the token - rv = token.get_token_object_list(piv_state, session.slot->token->objects, session.slot->token->n_objects); - if (rv != CKR_OK) { - DBG("Unable to retrieve token objects"); - goto failure; - } - - // Get a list of object ids for available certificates object from the session - rv = get_available_certificate_ids(&session, cert_ids, session.slot->token->n_certs); - if (rv != CKR_OK) { - DBG("Unable to retrieve certificate ids from the session"); - goto failure; - } - - // Get the actual certificate data from the token and store it as an X509 object - for (i = 0; i < session.slot->token->n_certs; i++) { - cert_len = sizeof(cert_data); - rv = token.get_token_raw_certificate(piv_state, cert_ids[i], cert_data, &cert_len); - if (rv != CKR_OK) { - DBG("Unable to get certificate data from token"); - goto failure; - } - - rv = store_cert(cert_ids[i], cert_data, cert_len); - if (rv != CKR_OK) { - DBG("Unable to store certificate data"); - goto failure; - } - } - - free(cert_ids); - cert_ids = NULL; - - session.handle = YKCS11_SESSION_ID; - - *phSession = session.handle; - - DOUT; - return CKR_OK; - -failure: - if (session.slot->token->objects != NULL) { - free(session.slot->token->objects); - session.slot->token->objects = NULL; - } - - if (cert_ids != NULL) { - free(cert_ids); - cert_ids = NULL; - } - - //free_certs(); // TODO: remove the one allocated so far - - return rv; -} - -CK_DEFINE_FUNCTION(CK_RV, C_CloseSession)( - CK_SESSION_HANDLE hSession -) -{ - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle == CK_INVALID_HANDLE) { - DBG("Trying to close a session, but there is no existing one"); - return CKR_SESSION_CLOSED; - } - - if (hSession != YKCS11_SESSION_ID) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - free(session.slot->token->objects); - session.slot->token->objects = NULL; - - memset(&session, 0, sizeof(ykcs11_session_t)); - session.handle = CK_INVALID_HANDLE; - - ykpiv_disconnect(piv_state); - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_CloseAllSessions)( - CK_SLOT_ID slotID -) -{ - CK_RV rv; - - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.slot != slots + slotID) { - DBG("Invalid slot ID %lu", slotID); - return CKR_SLOT_ID_INVALID; - } - - rv = C_CloseSession(session.handle); - - DOUT; - return rv; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetSessionInfo)( - CK_SESSION_HANDLE hSession, - CK_SESSION_INFO_PTR pInfo -) -{ - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (pInfo == NULL) { - DBG("Wrong/Missing parameter"); - return CKR_ARGUMENTS_BAD; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - memcpy(pInfo, &session.info, sizeof(CK_SESSION_INFO)); - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetOperationState)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pOperationState, - CK_ULONG_PTR pulOperationStateLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_SetOperationState)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pOperationState, - CK_ULONG ulOperationStateLen, - CK_OBJECT_HANDLE hEncryptionKey, - CK_OBJECT_HANDLE hAuthenticationKey -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_Login)( - CK_SESSION_HANDLE hSession, - CK_USER_TYPE userType, - CK_UTF8CHAR_PTR pPin, - CK_ULONG ulPinLen -) -{ - DIN; - CK_RV rv; - token_vendor_t token; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (userType != CKU_SO && - userType != CKU_USER && - userType != CKU_CONTEXT_SPECIFIC) - return CKR_USER_TYPE_INVALID; - - DBG("user %lu, pin %s, pinlen %lu", userType, pPin, ulPinLen); - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - if (userType == CKU_SO && (session.info.flags & CKF_RW_SESSION) == 0) { // TODO: make macros for these? - DBG("Tried to log-in SO user to a read-only session"); - return CKR_SESSION_READ_ONLY_EXISTS; - } - - token = get_token_vendor(session.slot->token->vid); - - switch (userType) { - case CKU_USER: - if (ulPinLen < PIV_MIN_PIN_LEN || ulPinLen > PIV_MAX_PIN_LEN) - return CKR_ARGUMENTS_BAD; - - /*if (session.info.state == CKS_RW_USER_FUNCTIONS) { - DBG("This user type is already logged in"); - return CKR_USER_ALREADY_LOGGED_IN; - }*/ //TODO: FIx to allow multiple login. Decide on context specific. - - if (session.info.state == CKS_RW_SO_FUNCTIONS) { - DBG("A different uyser type is already logged in"); - return CKR_USER_ANOTHER_ALREADY_LOGGED_IN; - } - - rv = token.token_login(piv_state, CKU_USER, pPin, ulPinLen); - if (rv != CKR_OK) { - DBG("Unable to login as regular user"); - return rv; - } - - if ((session.info.flags & CKF_RW_SESSION) == 0) - session.info.state = CKS_RO_USER_FUNCTIONS; - else - session.info.state = CKS_RW_USER_FUNCTIONS; - break; - - case CKU_SO: - if (ulPinLen != PIV_MGM_KEY_LEN) - return CKR_ARGUMENTS_BAD; - - if (session.info.state == CKS_RW_SO_FUNCTIONS) - return CKR_USER_ALREADY_LOGGED_IN; - - if (session.info.state == CKS_RO_USER_FUNCTIONS || - session.info.state == CKS_RW_USER_FUNCTIONS) - return CKR_USER_ANOTHER_ALREADY_LOGGED_IN; - - rv = token.token_login(piv_state, CKU_SO, pPin, ulPinLen); - if (rv != CKR_OK) { - DBG("Unable to login as SO"); - return rv; - } - - session.info.state = CKS_RW_SO_FUNCTIONS; - break; - - case CKU_CONTEXT_SPECIFIC: - if (op_info.type == YKCS11_NOOP) { - DBG("No operation in progress. Context specific user is forbidden."); - return CKR_USER_TYPE_INVALID; - } - if (op_info.type == YKCS11_SIGN) { - return C_Login(hSession, CKU_USER, pPin, ulPinLen); - } - else - return C_Login(hSession, CKU_SO, pPin, ulPinLen); - - default: - return CKR_USER_TYPE_INVALID; - } - - DBG("Successfully logged in"); - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_Logout)( - CK_SESSION_HANDLE hSession -) -{ - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - if (session.info.state == CKS_RO_PUBLIC_SESSION || - session.info.state == CKS_RW_PUBLIC_SESSION) - return CKR_USER_NOT_LOGGED_IN; - - if ((session.info.flags & CKF_RW_SESSION) == 0) - session.info.state = CKS_RO_PUBLIC_SESSION; - else - session.info.state = CKS_RW_PUBLIC_SESSION; - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_CreateObject)( - CK_SESSION_HANDLE hSession, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount, - CK_OBJECT_HANDLE_PTR phObject -) -{ - CK_ULONG i; - CK_RV rv; - CK_OBJECT_CLASS class; - CK_BYTE id; - CK_BYTE_PTR value; - CK_ULONG value_len; - CK_BYTE_PTR p; - CK_BYTE_PTR q; - CK_BYTE_PTR dp; - CK_BYTE_PTR dq; - CK_BYTE_PTR qinv; - CK_ULONG p_len; - CK_ULONG q_len; - CK_ULONG dp_len; - CK_ULONG dq_len; - CK_ULONG qinv_len; - CK_BYTE_PTR ec_data; - CK_ULONG ec_data_len; - CK_ULONG vendor_defined; - token_vendor_t token; - CK_BBOOL is_new; - CK_BBOOL is_rsa; - CK_OBJECT_HANDLE object; - CK_ULONG cert_id; - CK_ULONG pvtk_id; - CK_ULONG pubk_id; - piv_obj_id_t *obj_ptr; - - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - if (session.info.state != CKS_RW_SO_FUNCTIONS) { - DBG("Authentication required to import objects"); - return CKR_SESSION_READ_ONLY; - } - - if (pTemplate == NULL_PTR || - phObject == NULL_PTR) { - DBG("Wrong/Missing parameter"); - return CKR_ARGUMENTS_BAD; - } - - class = CKO_VENDOR_DEFINED; // Use this as a known value - for (i = 0; i < ulCount; i++) { - if (pTemplate[i].type == CKA_CLASS) { - class = *((CK_ULONG_PTR)pTemplate[i].pValue); - - // Can only import certificates and private keys - if (*((CK_ULONG_PTR)pTemplate[i].pValue) != CKO_CERTIFICATE && - *((CK_ULONG_PTR)pTemplate[i].pValue) != CKO_PRIVATE_KEY) { - DBG("Unsupported class %lu", class); - return CKR_ATTRIBUTE_VALUE_INVALID; - } - } - } - - if (class == CKO_VENDOR_DEFINED) { - DBG("Object class must be specified"); - return CKR_TEMPLATE_INCOMPLETE; - } - - token = get_token_vendor(session.slot->token->vid); - - switch (class) { - case CKO_CERTIFICATE: - DBG("Importing certificate"); - - rv = check_create_cert(pTemplate, ulCount, &id, &value, &value_len); - if (rv != CKR_OK) { - DBG("Certificate template not valid"); - return rv; - } - DBG("Certificate id is %u", id); - - object = PIV_CERT_OBJ_X509_PIV_AUTH + id; - - rv = token.token_import_cert(piv_state, piv_2_ykpiv(object), value); // TODO: make function to get cert id - if (rv != CKR_OK) { - DBG("Unable to import certificate"); - return rv; - } - - is_new = CK_TRUE; - for (i = 0; i < session.slot->token->n_objects; i++) { - if (session.slot->token->objects[i] == object) - is_new = CK_FALSE; - } - - cert_id = PIV_CERT_OBJ_X509_PIV_AUTH + id; // TODO: make function for these - pvtk_id = PIV_PVTK_OBJ_PIV_AUTH + id; - pubk_id = PIV_PUBK_OBJ_PIV_AUTH + id; - - // Check whether we created a new object or updated an existing one - if (is_new == CK_TRUE) { - // New object created, add it to the object list - - // Each object counts as three, even if we just only added a certificate - session.slot->token->n_objects += 3; - session.slot->token->n_certs++; - - obj_ptr = realloc(session.slot->token->objects, session.slot->token->n_objects * sizeof(piv_obj_id_t)); - if (obj_ptr == NULL) { - DBG("Unable to store new item in the session"); - return CKR_HOST_MEMORY; - } - session.slot->token->objects = obj_ptr; - - obj_ptr = session.slot->token->objects + session.slot->token->n_objects - 3; - *obj_ptr++ = cert_id; - *obj_ptr++ = pvtk_id; - *obj_ptr++ = pubk_id; - } - - rv = store_cert(cert_id, value, value_len); - if (rv != CKR_OK) { - DBG("Unable to store certificate data"); - return CKR_FUNCTION_FAILED; - } - *phObject = cert_id; - - break; - - case CKO_PRIVATE_KEY: - DBG("Importing private key"); - - // Try to parse the key as EC - is_rsa = CK_FALSE; - rv = check_create_ec_key(pTemplate, ulCount, &id, &ec_data, &ec_data_len, &vendor_defined); - if (rv != CKR_OK) { - // Try to parse the key as RSA - is_rsa = CK_TRUE; - rv = check_create_rsa_key(pTemplate, ulCount, &id, - &p, &p_len, - &q, &q_len, - &dp, &dp_len, - &dq, &dq_len, - &qinv, &qinv_len, - &vendor_defined); - if (rv != CKR_OK) { - DBG("Private key template not valid"); - return rv; - } - } - - DBG("Key id is %u", id); - - object = PIV_PVTK_OBJ_PIV_AUTH + id; - - if (is_rsa == CK_TRUE) { - DBG("Key is RSA"); - rv = token.token_import_private_key(piv_state, piv_2_ykpiv(object), - p, p_len, - q, q_len, - dp, dp_len, - dq, dq_len, - qinv, qinv_len, - NULL, 0, - vendor_defined); - if (rv != CKR_OK) { - DBG("Unable to import RSA private key"); - return rv; - } - } - else { - DBG("Key is ECDSA"); - rv = token.token_import_private_key(piv_state, piv_2_ykpiv(object), - NULL, 0, - NULL, 0, - NULL, 0, - NULL, 0, - NULL, 0, - ec_data, ec_data_len, - vendor_defined); - if (rv != CKR_OK) { - DBG("Unable to import ECDSA private key"); - return rv; - } - } - - *phObject = PIV_PVTK_OBJ_PIV_AUTH + id; - - break; - - default: - DBG("Unknown object type"); - return CKR_ATTRIBUTE_TYPE_INVALID; - } - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_CopyObject)( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount, - CK_OBJECT_HANDLE_PTR phNewObject -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DestroyObject)( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject -) -{ - CK_RV rv; - token_vendor_t token; - CK_ULONG i; - CK_ULONG j; - CK_BYTE id; - CK_ULONG cert_id; - CK_ULONG pvtk_id; - CK_ULONG pubk_id; - piv_obj_id_t *obj_ptr; - - DIN; - - DBG("Deleting object %lu", hObject); - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - // Only certificates can be deleted - // SO must be logged in - if (session.info.state != CKS_RW_SO_FUNCTIONS) { - DBG("Unable to delete objects, SO must be logged in"); - return CKR_USER_NOT_LOGGED_IN; - } - - rv = check_delete_cert(hObject, &id); - if (rv != CKR_OK) { - DBG("Object %lu can not be deleted", hObject); - return rv; - } - - token = get_token_vendor(session.slot->token->vid); - - rv = token.token_delete_cert(piv_state, piv_2_ykpiv(hObject)); - if (rv != CKR_OK) { - DBG("Unable to delete object %lu", hObject); - return rv; - } - - // Remove the object from the session - // Do it in a slightly inefficient way but preserve ordering - - cert_id = PIV_CERT_OBJ_X509_PIV_AUTH + id; // TODO: make function for these - pvtk_id = PIV_PVTK_OBJ_PIV_AUTH + id; - pubk_id = PIV_PUBK_OBJ_PIV_AUTH + id; - - obj_ptr = malloc((session.slot->token->n_objects - 3) * sizeof(piv_obj_id_t)); - if (obj_ptr == NULL) { - DBG("Unable to allocate memory"); - return CKR_HOST_MEMORY; - } - - i = 0; - j = 0; - while (i < session.slot->token->n_objects) { - if (session.slot->token->objects[i] == cert_id || - session.slot->token->objects[i] == pvtk_id || - session.slot->token->objects[i] == pubk_id) { - i++; - continue; - } - - obj_ptr[j++] = session.slot->token->objects[i++]; - } - - rv = delete_cert(cert_id); - if (rv != CKR_OK) { - free(obj_ptr); - DBG("Unable to delete certificate data"); - return CKR_FUNCTION_FAILED; - } - - free(session.slot->token->objects); - - session.slot->token->n_objects -= 3; - session.slot->token->n_certs--; - session.slot->token->objects = obj_ptr; - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetObjectSize)( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject, - CK_ULONG_PTR pulSize -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValue)( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount -) -{ - CK_ULONG i; - CK_RV rv, rv_final; - - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - if (pTemplate == NULL_PTR || ulCount == 0) - return CKR_ARGUMENTS_BAD; - - rv_final = CKR_OK; - for (i = 0; i < ulCount; i++) { - - rv = get_attribute(&session, hObject, pTemplate + i); - - // TODO: this function has some complex cases for return vlaue. Make sure to check them. - if (rv != CKR_OK) { - DBG("Unable to get attribute 0x%lx of object %lu", (pTemplate + i)->type, hObject); - rv_final = rv; - } - } - - DOUT; - return rv_final; -} - -CK_DEFINE_FUNCTION(CK_RV, C_SetAttributeValue)( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)( - CK_SESSION_HANDLE hSession, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount -) -{ - CK_ULONG i; - CK_ULONG j; - CK_ULONG total; - CK_BBOOL private; - - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - if (find_obj.active == CK_TRUE) - return CKR_OPERATION_ACTIVE; - - if (ulCount != 0 && pTemplate == NULL_PTR) - return CKR_ARGUMENTS_BAD; - - find_obj.idx = 0; - find_obj.num = session.slot->token->n_objects; - - // Check if we should remove private objects - if (session.info.state == CKS_RO_PUBLIC_SESSION || - session.info.state == CKS_RW_PUBLIC_SESSION) { - DBG("Removing private objects because state is %lu", session.info.state); - private = CK_FALSE; - } - else { - DBG("Keeping private objects"); - private = CK_TRUE; - } - - find_obj.objects = malloc(sizeof(piv_obj_id_t) * find_obj.num); - if (find_obj.objects == NULL) { - DBG("Unable to allocate memory for finding objects"); - return CKR_HOST_MEMORY; - } - memcpy(find_obj.objects, session.slot->token->objects, sizeof(piv_obj_id_t) * find_obj.num); - - DBG("Initialized search with %lu parameters", ulCount); - - // Match parameters - total = find_obj.num; - for (i = 0; i < find_obj.num; i++) { - - if (find_obj.objects[i] == OBJECT_INVALID) - continue; // Object already discarded, keep going - - // Strip away private objects if needed - if (private == CK_FALSE) - if (is_private_object(&session, find_obj.objects[i]) == CK_TRUE) { - DBG("Stripping away private object %u", find_obj.objects[i]); - find_obj.objects[i] = OBJECT_INVALID; - total--; - continue; - } - - for (j = 0; j < ulCount; j++) { - DBG("Parameter %lu\nType: %lu Value: %lu Len: %lu", j, pTemplate[j].type, *((CK_ULONG_PTR)pTemplate[j].pValue), pTemplate[j].ulValueLen); - - if (attribute_match(&session, find_obj.objects[i], pTemplate + j) == CK_FALSE) { - DBG("Removing object %u from the list", find_obj.objects[i]); - find_obj.objects[i] = OBJECT_INVALID; // Object not matching, mark it - total--; - break; - } - else - DBG("Keeping object %u in the list", find_obj.objects[i]); - } - } - - DBG("%lu object(s) left after attribute matching", total); - - find_obj.active = CK_TRUE; - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_FindObjects)( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE_PTR phObject, - CK_ULONG ulMaxObjectCount, - CK_ULONG_PTR pulObjectCount -) -{ - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - if (phObject == NULL_PTR || - ulMaxObjectCount == 0 || - pulObjectCount == NULL_PTR) - return CKR_ARGUMENTS_BAD; - - if (find_obj.active != CK_TRUE) - return CKR_OPERATION_NOT_INITIALIZED; - - DBG("Can return %lu object(s)", ulMaxObjectCount); - - // Return the next object, if any - while(find_obj.idx < find_obj.num && - find_obj.objects[find_obj.idx] == OBJECT_INVALID) - find_obj.idx++; - - if (find_obj.idx == find_obj.num) { - *pulObjectCount = 0; - DOUT; - return CKR_OK; - } - - *phObject = find_obj.objects[find_obj.idx++]; - *pulObjectCount = 1; - - DBG("Returning object %lu", *phObject); - - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsFinal)( - CK_SESSION_HANDLE hSession -) -{ - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - if (find_obj.active != CK_TRUE) - return CKR_OPERATION_NOT_INITIALIZED; - - free(find_obj.objects); - find_obj.objects = NULL; - - find_obj.active = CK_FALSE; - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_EncryptInit)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_Encrypt)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pData, - CK_ULONG ulDataLen, - CK_BYTE_PTR pEncryptedData, - CK_ULONG_PTR pulEncryptedDataLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_EncryptUpdate)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG_PTR pulEncryptedPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_EncryptFinal)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pLastEncryptedPart, - CK_ULONG_PTR pulLastEncryptedPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DecryptInit)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_Decrypt)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pEncryptedData, - CK_ULONG ulEncryptedDataLen, - CK_BYTE_PTR pData, - CK_ULONG_PTR pulDataLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DecryptUpdate)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG ulEncryptedPartLen, - CK_BYTE_PTR pPart, - CK_ULONG_PTR pulPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DecryptFinal)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pLastPart, - CK_ULONG_PTR pulLastPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DigestInit)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism -) -{ - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - if (op_info.type != YKCS11_NOOP) { - DBG("Other operation in process"); - return CKR_OPERATION_ACTIVE; - } - - if (pMechanism == NULL_PTR) { - DBG("Wrong/Missing parameter"); - return CKR_ARGUMENTS_BAD; - } - - DBG("Trying to hash some data with mechanism %lu", pMechanism->mechanism); - - // Check if mechanism is supported - if (check_hash_mechanism(&session, pMechanism) != CKR_OK) { - DBG("Mechanism %lu is not supported either by the token or the module", pMechanism->mechanism); - return CKR_MECHANISM_INVALID; - } - memcpy(&op_info.mechanism, pMechanism, sizeof(CK_MECHANISM)); - - op_info.type = YKCS11_HASH; - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_Digest)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pData, - CK_ULONG ulDataLen, - CK_BYTE_PTR pDigest, - CK_ULONG_PTR pulDigestLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DigestUpdate)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DigestKey)( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hKey -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DigestFinal)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pDigest, - CK_ULONG_PTR pulDigestLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_SignInit)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) -{ - CK_KEY_TYPE type = 0; - CK_ULONG key_len = 0; - CK_BYTE exp[3]; - CK_BYTE buf[1024] = {0}; - CK_ATTRIBUTE template[] = { - {CKA_KEY_TYPE, &type, sizeof(type)}, - {CKA_MODULUS_BITS, &key_len, sizeof(key_len)}, - {CKA_MODULUS, NULL, 0}, - {CKA_PUBLIC_EXPONENT, exp, sizeof(exp)}, - {CKA_EC_POINT, buf, sizeof(buf)}, - }; - - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - if (op_info.type != YKCS11_NOOP) { - DBG("Other operation in process"); - return CKR_OPERATION_ACTIVE; - } - - if (pMechanism == NULL_PTR) - return CKR_ARGUMENTS_BAD; - - DBG("Trying to sign some data with mechanism %lu and key %lu", pMechanism->mechanism, hKey); - - // Check if mechanism is supported - if (check_sign_mechanism(&session, pMechanism) != CKR_OK) { - DBG("Mechanism %lu is not supported either by the token or the module", pMechanism->mechanism); - return CKR_MECHANISM_INVALID; // TODO: also the key has a list of allowed mechanisms, check that - } - memcpy(&op_info.mechanism, pMechanism, sizeof(CK_MECHANISM)); - - // Get key algorithm - if (get_attribute(&session, hKey, template) != CKR_OK) { - DBG("Unable to get key type"); - return CKR_KEY_HANDLE_INVALID; - } - - DBG("Key type is %lu\n", type); - - // Get key length and algorithm type - if (type == CKK_RSA) { - // RSA key - if (get_attribute(&session, hKey, template + 1) != CKR_OK) { - DBG("Unable to get key length"); - return CKR_KEY_HANDLE_INVALID; - } - - op_info.op.sign.key_len = key_len; - - if (key_len == 1024) - op_info.op.sign.algo = YKPIV_ALGO_RSA1024; - else - op_info.op.sign.algo = YKPIV_ALGO_RSA2048; - - // Also store the raw public key if the mechanism is PSS - if (is_PSS_mechanism(pMechanism->mechanism)) { - template[2].pValue = buf; - template[2].ulValueLen = (key_len + 7) / 8 ; - - if (get_attribute(&session, hKey, template + 2) != CKR_OK) { - DBG("Unable to get public key"); - return CKR_KEY_HANDLE_INVALID; - } - - if (get_attribute(&session, hKey, template + 3) != CKR_OK) { - DBG("Unable to get public exponent"); - return CKR_KEY_HANDLE_INVALID; - } - - if (do_encode_rsa_public_key(&op_info.op.sign.key, buf, (key_len + 7) / 8, exp, sizeof(exp)) != CKR_OK) { - return CKR_FUNCTION_FAILED; - } - } - else { - op_info.op.sign.key = NULL; - } - - } - else { - // ECDSA key - if (get_attribute(&session, hKey, template + 4) != CKR_OK) { - DBG("Unable to get key length"); - return CKR_KEY_HANDLE_INVALID; - } - - // The buffer contains an uncompressed point of the form 04, len, 04, x, y - // Where len is |x| + |y| + 1 bytes - - op_info.op.sign.key_len = (CK_ULONG) (((buf[1] - 1) / 2) * 8); - - if (op_info.op.sign.key_len == 256) - op_info.op.sign.algo = YKPIV_ALGO_ECCP256; - /*else - op_info.op.sign.algo = YKPIV_ALGO_ECCP384;*/ // TODO: add support for P384 - } - - DBG("Key length is %lu bit", op_info.op.sign.key_len); - - op_info.op.sign.key_id = piv_2_ykpiv(hKey); - if (op_info.op.sign.key_id == 0) { - DBG("Incorrect key %lu", hKey); - return CKR_KEY_HANDLE_INVALID; - } - - DBG("Algorithm is %d", op_info.op.sign.algo); - // Make sure that both mechanism and key have the same algorithm - if ((is_RSA_mechanism(pMechanism->mechanism) && op_info.op.sign.algo == YKPIV_ALGO_ECCP256) || - (!is_RSA_mechanism(pMechanism->mechanism) && (op_info.op.sign.algo != YKPIV_ALGO_ECCP256))) { - DBG("Key and mechanism algorithm do not match"); - return CKR_ARGUMENTS_BAD; - } - - op_info.type = YKCS11_SIGN; - - // TODO: check mechanism parameters and key length and key supported parameters - - if (apply_sign_mechanism_init(&op_info) != CKR_OK) { - DBG("Unable to initialize signing operation"); - return CKR_FUNCTION_FAILED; - } - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_Sign)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pData, - CK_ULONG ulDataLen, - CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen -) -{ - ykpiv_rc piv_rv; - CK_RV rv; - size_t cbSignatureLen = 0; - - DIN; - - if (op_info.type != YKCS11_SIGN) { - DBG("Signature operation not initialized"); - rv = CKR_OPERATION_NOT_INITIALIZED; - goto sign_out; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - rv = CKR_SESSION_CLOSED; - goto sign_out; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - rv = CKR_SESSION_HANDLE_INVALID; - goto sign_out; - } - - if (session.info.state == CKS_RO_PUBLIC_SESSION || - session.info.state == CKS_RW_PUBLIC_SESSION) { - DBG("User is not logged in"); - rv = CKR_USER_NOT_LOGGED_IN; - goto sign_out; - } - - if (pSignature == NULL_PTR) { - // Just return the size of the signature - if (is_RSA_mechanism(op_info.mechanism.mechanism)) { - // RSA - *pulSignatureLen = (op_info.op.sign.key_len + 7) / 8; - } - else { - // ECDSA - *pulSignatureLen = ((op_info.op.sign.key_len + 7) / 8) * 2; - } - - DBG("The size of the signature will be %lu", *pulSignatureLen); - - DOUT; - return CKR_OK; - } - - DBG("Sending %lu bytes to sign", ulDataLen); -#if YKCS11_DBG == 1 - dump_data(pData, ulDataLen, stderr, CK_TRUE, format_arg_hex); -#endif - - if (is_hashed_mechanism(op_info.mechanism.mechanism) == CK_TRUE) { - if (apply_sign_mechanism_update(&op_info, pData, ulDataLen) != CKR_OK) { - DBG("Unable to perform signing operation step"); - rv = CKR_FUNCTION_FAILED; // TODO: every error in here must stop and clear the signing operation - goto sign_out; - } - } - else { - if (is_RSA_mechanism(op_info.mechanism.mechanism)) { - // RSA_X_509 - if (ulDataLen > (op_info.op.sign.key_len / 8)) { - DBG("Data must be shorter than key length (%lu bits)", op_info.op.sign.key_len); - rv = CKR_FUNCTION_FAILED; - goto sign_out; - } - } - else { - // ECDSA - if (ulDataLen > 128) { - // Specs say ECDSA only supports 1024 bit - DBG("Maximum data length for ECDSA is 128 bytes"); - rv = CKR_FUNCTION_FAILED; - goto sign_out; - } - } - - op_info.buf_len = ulDataLen; - memcpy(op_info.buf, pData, ulDataLen); - } - - if (apply_sign_mechanism_finalize(&op_info) != CKR_OK) { - DBG("Unable to finalize signing operation"); - rv = CKR_FUNCTION_FAILED; - goto sign_out; - } - - DBG("Using key %lx", op_info.op.sign.key_id); - DBG("After padding and transformation there are %lu bytes", op_info.buf_len); -#if YKCS11_DBG == 1 - dump_data(op_info.buf, op_info.buf_len, stderr, CK_TRUE, format_arg_hex); -#endif - - *pulSignatureLen = cbSignatureLen = sizeof(op_info.buf); - - piv_rv = ykpiv_sign_data(piv_state, op_info.buf, op_info.buf_len, op_info.buf, &cbSignatureLen, op_info.op.sign.algo, op_info.op.sign.key_id); - - *pulSignatureLen = cbSignatureLen; - - if (piv_rv != YKPIV_OK) { - if (piv_rv == YKPIV_AUTHENTICATION_ERROR) { - DBG("Operation requires authentication or touch"); - rv = CKR_USER_NOT_LOGGED_IN; - goto sign_out; - } - else { - DBG("Sign error, %s", ykpiv_strerror(piv_rv)); - rv = CKR_FUNCTION_FAILED; - goto sign_out; - } - } - - DBG("Got %lu bytes back", *pulSignatureLen); -#if YKCS11_DBG == 1 - dump_data(op_info.buf, *pulSignatureLen, stderr, CK_TRUE, format_arg_hex); -#endif - - if (!is_RSA_mechanism(op_info.mechanism.mechanism)) { - // ECDSA, we must remove the DER encoding and only return R,S - // as required by the specs - strip_DER_encoding_from_ECSIG(op_info.buf, pulSignatureLen); - - DBG("After removing DER encoding %lu", *pulSignatureLen); -#if YKCS11_DBG == 1 - dump_data(pSignature, *pulSignatureLen, stderr, CK_TRUE, format_arg_hex); -#endif - } - - memcpy(pSignature, op_info.buf, *pulSignatureLen); - - rv = CKR_OK; - - sign_out: - op_info.type = YKCS11_NOOP; - sign_mechanism_cleanup(&op_info); - - DOUT; - return rv; -} - -CK_DEFINE_FUNCTION(CK_RV, C_SignUpdate)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_SignFinal)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_SignRecoverInit)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_SignRecover)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pData, - CK_ULONG ulDataLen, - CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_VerifyInit)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_Verify)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pData, - CK_ULONG ulDataLen, - CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_VerifyUpdate)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_VerifyFinal)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_VerifyRecoverInit)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_VerifyRecover)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen, - CK_BYTE_PTR pData, - CK_ULONG_PTR pulDataLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DigestEncryptUpdate)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG_PTR pulEncryptedPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DecryptDigestUpdate)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG ulEncryptedPartLen, - CK_BYTE_PTR pPart, - CK_ULONG_PTR pulPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_SignEncryptUpdate)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG_PTR pulEncryptedPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DecryptVerifyUpdate)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG ulEncryptedPartLen, - CK_BYTE_PTR pPart, - CK_ULONG_PTR pulPartLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GenerateKey)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount, - CK_OBJECT_HANDLE_PTR phKey -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GenerateKeyPair)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pPublicKeyTemplate, - CK_ULONG ulPublicKeyAttributeCount, - CK_ATTRIBUTE_PTR pPrivateKeyTemplate, - CK_ULONG ulPrivateKeyAttributeCount, - CK_OBJECT_HANDLE_PTR phPublicKey, - CK_OBJECT_HANDLE_PTR phPrivateKey -) -{ - CK_RV rv; - token_vendor_t token; - CK_ULONG i; - CK_BBOOL is_new; - CK_ULONG dobj_id; - CK_ULONG cert_id; - CK_ULONG pvtk_id; - CK_ULONG pubk_id; - piv_obj_id_t *obj_ptr; - CK_BYTE cert_data[3072]; - CK_ULONG cert_len; - - DIN; - - if (piv_state == NULL) { - DBG("libykpiv is not initialized or already finalized"); - return CKR_CRYPTOKI_NOT_INITIALIZED; - } - - if (session.handle != YKCS11_SESSION_ID) { - DBG("Session is not open"); - return CKR_SESSION_CLOSED; - } - - if (hSession != session.handle) { - DBG("Unknown session %lu", hSession); - return CKR_SESSION_HANDLE_INVALID; - } - - if (session.info.state != CKS_RW_SO_FUNCTIONS) { - DBG("Authentication required to generate keys"); - return CKR_SESSION_READ_ONLY; - } - - if (op_info.type != YKCS11_NOOP) { - DBG("Other operation in process"); - return CKR_OPERATION_ACTIVE; - } - - if (pMechanism == NULL_PTR || - pPublicKeyTemplate == NULL_PTR || - pPrivateKeyTemplate == NULL_PTR || - phPublicKey == NULL_PTR || - phPrivateKey == NULL_PTR) { - DBG("Wrong/Missing parameter"); - return CKR_ARGUMENTS_BAD; - } - - DBG("Trying to generate a key pair with mechanism %lx", pMechanism->mechanism); - - DBG("Found %lu attributes for the public key and %lu attributes for the private key", ulPublicKeyAttributeCount, ulPrivateKeyAttributeCount); - - // Check if mechanism is supported - if ((rv = check_generation_mechanism(&session, pMechanism)) != CKR_OK) { - DBG("Mechanism %lu is not supported either by the token or the module", pMechanism->mechanism); - return rv; - } - memcpy(&op_info.mechanism, pMechanism, sizeof(CK_MECHANISM)); - - // Clear values - op_info.op.gen.key_len = 0; - op_info.op.gen.key_id = 0; - - // Check the template for the public key - if ((rv = check_pubkey_template(&op_info, pPublicKeyTemplate, ulPublicKeyAttributeCount)) != CKR_OK) { - DBG("Invalid public key template"); - return rv; - } - - // Check the template for the private key - if ((rv = check_pvtkey_template(&op_info, pPrivateKeyTemplate, ulPrivateKeyAttributeCount)) != CKR_OK) { - DBG("Invalid private key template"); - return rv; - } - - if (op_info.op.gen.key_len == 0) { - DBG("Key length not specified"); - return CKR_TEMPLATE_INCOMPLETE; - } - - if (op_info.op.gen.key_id == 0) { - DBG("Key id not specified"); - return CKR_TEMPLATE_INCOMPLETE; - } - - if (op_info.op.gen.rsa) { - DBG("Generating %lu bit RSA key in object %u", op_info.op.gen.key_len, op_info.op.gen.key_id); - } - else { - DBG("Generating %lu bit EC key in object %u", op_info.op.gen.key_len, op_info.op.gen.key_id); - } - - token = get_token_vendor(session.slot->token->vid); - - if ((rv = token.token_generate_key(piv_state, op_info.op.gen.rsa, piv_2_ykpiv(op_info.op.gen.key_id), op_info.op.gen.key_len, op_info.op.gen.vendor_defined)) != CKR_OK) { - DBG("Unable to generate key pair"); - return rv; - } - - is_new = CK_TRUE; - for (i = 0; i < session.slot->token->n_objects; i++) { - if (session.slot->token->objects[i] == op_info.op.gen.key_id) - is_new = CK_FALSE; - } - - dobj_id = op_info.op.gen.key_id - PIV_PVTK_OBJ_PIV_AUTH; // TODO: make function for these - cert_id = PIV_DATA_OBJ_LAST + 1 + dobj_id; - pvtk_id = op_info.op.gen.key_id; - pubk_id = PIV_PVTK_OBJ_LAST + 1 + dobj_id; - - // Check whether we created a new object or updated an existing one - if (is_new == CK_TRUE) { - // New object created, add it to the object list - - // Each object counts as three (data object is always there) - session.slot->token->n_objects += 3; - session.slot->token->n_certs++; - - obj_ptr = realloc(session.slot->token->objects, session.slot->token->n_objects * sizeof(piv_obj_id_t)); - if (obj_ptr == NULL) { - DBG("Unable to store new item in the session"); - return CKR_HOST_MEMORY; - } - session.slot->token->objects = obj_ptr; - - obj_ptr = session.slot->token->objects + session.slot->token->n_objects - 3; - *obj_ptr++ = cert_id; - *obj_ptr++ = pvtk_id; - *obj_ptr++ = pubk_id; - } - - // Write/Update the object - cert_len = sizeof(cert_data); - rv = token.get_token_raw_certificate(piv_state, cert_id, cert_data, &cert_len); - if (rv != CKR_OK) { - DBG("Unable to get certificate data from token"); - return CKR_FUNCTION_FAILED; - } - - rv = store_cert(cert_id, cert_data, cert_len); - if (rv != CKR_OK) { - DBG("Unable to store certificate data"); - return CKR_FUNCTION_FAILED; - } - - *phPrivateKey = op_info.op.gen.key_id; - *phPublicKey = op_info.op.gen.key_id - PIV_PVTK_OBJ_KM + PIV_PUBK_OBJ_KM; // TODO: make function for these? - - DOUT; - return CKR_OK; -} - -CK_DEFINE_FUNCTION(CK_RV, C_WrapKey)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hWrappingKey, - CK_OBJECT_HANDLE hKey, - CK_BYTE_PTR pWrappedKey, - CK_ULONG_PTR pulWrappedKeyLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_UnwrapKey)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hUnwrappingKey, - CK_BYTE_PTR pWrappedKey, - CK_ULONG ulWrappedKeyLen, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulAttributeCount, - CK_OBJECT_HANDLE_PTR phKey -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_DeriveKey)( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hBaseKey, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulAttributeCount, - CK_OBJECT_HANDLE_PTR phKey -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -/* Random number generation functions */ - -CK_DEFINE_FUNCTION(CK_RV, C_SeedRandom)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pSeed, - CK_ULONG ulSeedLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GenerateRandom)( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pRandomData, - CK_ULONG ulRandomLen -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_GetFunctionStatus)( - CK_SESSION_HANDLE hSession -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_DEFINE_FUNCTION(CK_RV, C_CancelFunction)( - CK_SESSION_HANDLE hSession -) -{ - DIN; - DBG("TODO!!!"); - DOUT; - return CKR_FUNCTION_FAILED; -} - -CK_FUNCTION_LIST function_list = { - { 2, 40 }, - C_Initialize, - C_Finalize, - C_GetInfo, - C_GetFunctionList, - C_GetSlotList, - C_GetSlotInfo, - C_GetTokenInfo, - C_GetMechanismList, - C_GetMechanismInfo, - C_InitToken, - C_InitPIN, - C_SetPIN, - C_OpenSession, - C_CloseSession, - C_CloseAllSessions, - C_GetSessionInfo, - C_GetOperationState, - C_SetOperationState, - C_Login, - C_Logout, - C_CreateObject, - C_CopyObject, - C_DestroyObject, - C_GetObjectSize, - C_GetAttributeValue, - C_SetAttributeValue, - C_FindObjectsInit, - C_FindObjects, - C_FindObjectsFinal, - C_EncryptInit, - C_Encrypt, - C_EncryptUpdate, - C_EncryptFinal, - C_DecryptInit, - C_Decrypt, - C_DecryptUpdate, - C_DecryptFinal, - C_DigestInit, - C_Digest, - C_DigestUpdate, - C_DigestKey, - C_DigestFinal, - C_SignInit, - C_Sign, - C_SignUpdate, - C_SignFinal, - C_SignRecoverInit, - C_SignRecover, - C_VerifyInit, - C_Verify, - C_VerifyUpdate, - C_VerifyFinal, - C_VerifyRecoverInit, - C_VerifyRecover, - C_DigestEncryptUpdate, - C_DecryptDigestUpdate, - C_SignEncryptUpdate, - C_DecryptVerifyUpdate, - C_GenerateKey, - C_GenerateKeyPair, - C_WrapKey, - C_UnwrapKey, - C_DeriveKey, - C_SeedRandom, - C_GenerateRandom, - C_GetFunctionStatus, - C_CancelFunction, - C_WaitForSlotEvent, -}; diff --git a/ykcs11/ykcs11.h b/ykcs11/ykcs11.h deleted file mode 100644 index b0c5cfa..0000000 --- a/ykcs11/ykcs11.h +++ /dev/null @@ -1,107 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef YKCS11_H -#define YKCS11_H - -#include "pkcs11y.h" -#include "obj_types.h" -#include "openssl_types.h" -#include "vendors.h" - -#define YKCS11_OP_BUFSIZE 4096 - -typedef struct { - vendor_id_t vid; - CK_TOKEN_INFO info; - piv_obj_id_t *objects; // List of objects in the token - CK_ULONG n_objects; // TOTAL number of objects in the token - CK_ULONG n_certs; // Number of certificate objects in the token (portion of n_objects) -} ykcs11_token_t; - -typedef struct { - vendor_id_t vid; - CK_SLOT_INFO info; - ykcs11_token_t *token; -} ykcs11_slot_t; - -typedef struct { - CK_SESSION_HANDLE handle; - CK_SESSION_INFO info; /* slotid, state, flags, deviceerror */ - ykcs11_slot_t *slot; -} ykcs11_session_t; - -typedef enum { - YKCS11_NOOP, - YKCS11_GEN, - YKCS11_SIGN, - YKCS11_HASH, - YKCS11_DECRYPT -} ykcs11_op_type_t; - -typedef struct { - CK_BBOOL rsa; // RSA or EC key - CK_BYTE key_id; // Key id - CK_ULONG key_len; // Length in bits - CK_ULONG vendor_defined; // Additional parameters (touch and PIN policy) -} gen_info_t; - -typedef struct { - ykcs11_md_ctx_t *md_ctx; // Digest context - ykcs11_rsa_key_t *key; // Raw public key (needed for PSS) - CK_BYTE algo; // Algo for ykpiv // TODO: infer this from the key length? - CK_ULONG key_id; // Key id for ykpiv // TODO: make this a BYTE and store the id {0, 1, 2, 3} - CK_ULONG key_len; // Length in bits -} sign_info_t; - -typedef struct { - CK_BYTE todo; -} hash_info_t; - -typedef struct { - CK_BYTE todo; -} decrypt_info_t; - -typedef union { - gen_info_t gen; - sign_info_t sign; - hash_info_t hash; - decrypt_info_t decrypt; -} op_t; - -typedef struct { - ykcs11_op_type_t type; - CK_MECHANISM mechanism; - op_t op; - CK_BYTE buf[YKCS11_OP_BUFSIZE]; - CK_ULONG buf_len; -} op_info_t; - -#endif diff --git a/ykcs11/ykcs11.map b/ykcs11/ykcs11.map deleted file mode 100644 index 254e065..0000000 --- a/ykcs11/ykcs11.map +++ /dev/null @@ -1,36 +0,0 @@ -# Copyright (c) 2015-2016 Yubico AB -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -YKCS11_0.1.0 -{ -global: - C_Initialize; - C_GetFunctionList; -# TODO: add more here -local: - *; -}; diff --git a/ykcs11/ykcs11.pc.in b/ykcs11/ykcs11.pc.in deleted file mode 100644 index 1e85f0b..0000000 --- a/ykcs11/ykcs11.pc.in +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright (c) 2015-2016 Yubico AB -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -prefix=@prefix@ -exec_prefix=@exec_prefix@ -libdir=@libdir@ -includedir=@includedir@ - -Name: @PACKAGE@ -Description: Yubico PIV PKCS#11 Module -URL: https://www.yubico.com/ -Version: @VERSION@ -Libs: -L${libdir} -lykcs11 diff --git a/ykcs11/yubico_slot.c b/ykcs11/yubico_slot.c deleted file mode 100644 index f53787a..0000000 --- a/ykcs11/yubico_slot.c +++ /dev/null @@ -1,63 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "yubico_slot.h" -#include "pkcs11.h" -#include - -static const CK_UTF8CHAR_PTR slot_manufacturer = (const CK_UTF8CHAR_PTR)"Yubico"; -static const CK_FLAGS slot_flags = CKF_TOKEN_PRESENT | CKF_HW_SLOT; -static const CK_VERSION slot_version = {1, 0}; - -CK_RV YUBICO_get_slot_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len) { - - if (strlen((const char*)slot_manufacturer) > len) - return CKR_BUFFER_TOO_SMALL; - - memcpy(str, slot_manufacturer, strlen((const char*)slot_manufacturer)); - return CKR_OK; - -} - -CK_RV YUBICO_get_slot_flags(CK_FLAGS_PTR flags) { - - *flags = slot_flags; - return CKR_OK; - -} - -CK_RV YUBICO_get_slot_version(CK_VERSION_PTR version) { - - version->major = slot_version.major; - version->minor = slot_version.minor; - - return CKR_OK; - -} diff --git a/ykcs11/yubico_slot.h b/ykcs11/yubico_slot.h deleted file mode 100644 index c4fb5f6..0000000 --- a/ykcs11/yubico_slot.h +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef YUBICO_SLOT_H -#define YUBICO_SLOT_H - -#include "pkcs11y.h" - -CK_RV YUBICO_get_slot_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len); -CK_RV YUBICO_get_slot_flags(CK_FLAGS_PTR flags); -CK_RV YUBICO_get_slot_version(CK_VERSION_PTR version); - -#endif diff --git a/ykcs11/yubico_token.c b/ykcs11/yubico_token.c deleted file mode 100644 index 2cbc3dc..0000000 --- a/ykcs11/yubico_token.c +++ /dev/null @@ -1,409 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include "yubico_token.h" -#include "pkcs11.h" -#include -#include "debug.h" -#include "objects.h" - -#define MIN_RSA_KEY_SIZE 1024 -#define MAX_RSA_KEY_SIZE 2048 -#define MIN_ECC_KEY_SIZE 256 -#define MAX_ECC_KEY_SIZE 384 - -static const char *token_label = "YubiKey PIV"; -static const char *token_manufacturer = "Yubico"; -static const char *token_model = "YubiKey XXX"; -static const CK_FLAGS token_flags = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED; -static const char *token_serial = "1234"; -static const CK_MECHANISM_TYPE token_mechanisms[] = { // KEEP ALIGNED WITH token_mechanism_infos - CKM_RSA_PKCS_KEY_PAIR_GEN, - CKM_RSA_PKCS, - CKM_RSA_PKCS_PSS, - CKM_RSA_X_509, - CKM_SHA1_RSA_PKCS, - CKM_SHA256_RSA_PKCS, - CKM_SHA384_RSA_PKCS, - CKM_SHA512_RSA_PKCS, - CKM_SHA1_RSA_PKCS_PSS, - CKM_SHA256_RSA_PKCS_PSS, - CKM_SHA384_RSA_PKCS_PSS, - CKM_SHA512_RSA_PKCS_PSS, - CKM_EC_KEY_PAIR_GEN, - //CKM_ECDSA_KEY_PAIR_GEN, Same as CKM_EC_KEY_PAIR_GEN, deprecated in 2.11 - CKM_ECDSA, - CKM_ECDSA_SHA1, - CKM_ECDSA_SHA256, - CKM_SHA_1, - CKM_SHA256, - CKM_SHA384, - CKM_SHA512 - // SUPPORT FOR OATH? -}; -static const CK_ULONG token_mechanisms_num = sizeof(token_mechanisms) / sizeof(CK_MECHANISM_TYPE); - -static const CK_MECHANISM_INFO token_mechanism_infos[] = { // KEEP ALIGNED WITH token_mechanisms - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_GENERATE_KEY_PAIR}, // CKM_RSA_PKCS_KEY_PAIR_GEN - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_DECRYPT | CKF_SIGN}, // CKM_RSA_PKCS - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_RSA_PKCS_PSS - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_DECRYPT | CKF_SIGN}, // CKM_RSA_X_509 - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA1_RSA_PKCS - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA256_RSA_PKCS - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA384_RSA_PKCS - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA512_RSA_PKCS - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA1_RSA_PKCS_PSS - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA256_RSA_PKCS_PSS - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA384_RSA_PKCS_PSS - {MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA512_RSA_PKCS_PSS - {MIN_ECC_KEY_SIZE, MIN_ECC_KEY_SIZE, CKF_HW | CKF_GENERATE_KEY_PAIR}, // CKM_EC_KEY_PAIR_GEN - //{, , }, // CKM_ECDSA_KEY_PAIR_GEN Same as CKM_EC_KEY_PAIR_GEN deprecated in 2.11 - {MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA - {MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA_SHA1 - {MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA_SHA256 - {0, 0, CKF_DIGEST}, // CKM_SHA_1 - {0, 0, CKF_DIGEST}, // CKM_SHA256 - {0, 0, CKF_DIGEST}, // CKM_SHA384 - {0, 0, CKF_DIGEST} // CKM_SHA512 -}; - -static const piv_obj_id_t token_objects[] = { // TODO: is there a way to get this from the token? - PIV_DATA_OBJ_X509_PIV_AUTH, // PIV authentication - PIV_DATA_OBJ_X509_CARD_AUTH, // card authentication - PIV_DATA_OBJ_X509_DS, // digital signature - PIV_DATA_OBJ_X509_KM, // key management - PIV_DATA_OBJ_X509_RETIRED1, // Retired key 1 - PIV_DATA_OBJ_X509_RETIRED2, // Retired key 2 - PIV_DATA_OBJ_X509_RETIRED3, // Retired key 3 - PIV_DATA_OBJ_X509_RETIRED4, // Retired key 4 - PIV_DATA_OBJ_X509_RETIRED5, // Retired key 5 - PIV_DATA_OBJ_X509_RETIRED6, // Retired key 6 - PIV_DATA_OBJ_X509_RETIRED7, // Retired key 7 - PIV_DATA_OBJ_X509_RETIRED8, // Retired key 8 - PIV_DATA_OBJ_X509_RETIRED9, // Retired key 9 - PIV_DATA_OBJ_X509_RETIRED10, // Retired key 10 - PIV_DATA_OBJ_X509_RETIRED11, // Retired key 11 - PIV_DATA_OBJ_X509_RETIRED12, // Retired key 12 - PIV_DATA_OBJ_X509_RETIRED13, // Retired key 13 - PIV_DATA_OBJ_X509_RETIRED14, // Retired key 14 - PIV_DATA_OBJ_X509_RETIRED15, // Retired key 15 - PIV_DATA_OBJ_X509_RETIRED16, // Retired key 16 - PIV_DATA_OBJ_X509_RETIRED17, // Retired key 17 - PIV_DATA_OBJ_X509_RETIRED18, // Retired key 18 - PIV_DATA_OBJ_X509_RETIRED19, // Retired key 19 - PIV_DATA_OBJ_X509_RETIRED20, // Retired key 20 - PIV_DATA_OBJ_CCC, // Card capability container - PIV_DATA_OBJ_CHUI, // Cardholder unique id - PIV_DATA_OBJ_CHF, // Cardholder fingerprints - PIV_DATA_OBJ_SEC_OBJ, // Security object - PIV_DATA_OBJ_CHFI, // Cardholder facial images - //PIV_DATA_OBJ_PI, // Cardholder printed information - //PIV_DATA_OBJ_DISCOVERY, // Discovery object - //PIV_DATA_OBJ_HISTORY, // History object - //PIV_DATA_OBJ_IRIS_IMAGE, // Cardholder iris images - //PIV_DATA_OBJ_BITGT, // Biometric information templates group template - //PIV_DATA_OBJ_SM_SIGNER, // Secure messaging signer - //PIV_DATA_OBJ_PC_REF_DATA, // Pairing code reference data -}; -static const CK_ULONG neo_token_objects_num = sizeof(token_objects) / sizeof(piv_obj_id_t) - 20; -static const CK_ULONG yk4_token_objects_num = sizeof(token_objects) / sizeof(piv_obj_id_t); - -CK_RV YUBICO_get_token_label(CK_UTF8CHAR_PTR str, CK_ULONG len) { - - if (strlen(token_label) > len) - return CKR_BUFFER_TOO_SMALL; - - memcpy(str, token_label, strlen(token_label)); - return CKR_OK; - -} - -CK_RV YUBICO_get_token_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len) { - - if (strlen(token_manufacturer) > len) - return CKR_BUFFER_TOO_SMALL; - - memcpy(str, token_manufacturer, strlen(token_manufacturer)); - return CKR_OK; - -} - -CK_RV YUBICO_get_token_model(ykpiv_state *state, CK_UTF8CHAR_PTR str, CK_ULONG len) { - - char buf[16]; - - if (strlen(token_model) > len) - return CKR_BUFFER_TOO_SMALL; - - if (ykpiv_get_version(state, buf, sizeof(buf)) != YKPIV_OK) - return CKR_FUNCTION_FAILED; - - memcpy(str, token_model, strlen(token_model)); - - if (buf[0] >= '4') - memcpy(str + strlen(token_model) - 3, "YK4", 3); - else - memcpy(str + strlen(token_model) - 3, "NEO", 3); - - return CKR_OK; - -} - -CK_RV YUBICO_get_token_flags(CK_FLAGS_PTR flags) { - - *flags = token_flags; - return CKR_OK; - -} - -CK_RV YUBICO_get_token_version(ykpiv_state *state, CK_VERSION_PTR version) { - - char buf[16]; - - if (version == NULL) - return CKR_ARGUMENTS_BAD; - - if (ykpiv_get_version(state, buf, sizeof(buf)) != YKPIV_OK) - return CKR_FUNCTION_FAILED; - - version->major = (buf[0] - '0'); - version->minor = (buf[2] - '0') * 100 + (buf[4] - '0'); - - return CKR_OK; -} - -CK_RV YUBICO_get_token_serial(CK_CHAR_PTR str, CK_ULONG len) { - - if (strlen(token_serial) > len) - return CKR_BUFFER_TOO_SMALL; - - memcpy(str, token_serial, strlen(token_serial)); - return CKR_OK; - -} - -CK_RV YUBICO_get_token_mechanisms_num(CK_ULONG_PTR num) { - - *num = token_mechanisms_num; - return CKR_OK; - -} - -CK_RV YUBICO_get_token_mechanism_list(CK_MECHANISM_TYPE_PTR mec, CK_ULONG num) { - - if (token_mechanisms_num > num) - return CKR_BUFFER_TOO_SMALL; - - memcpy(mec, token_mechanisms, token_mechanisms_num * sizeof(CK_MECHANISM_TYPE)); - return CKR_OK; - -} - -CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_PTR info) { - - CK_ULONG i; - - for (i = 0; i < token_mechanisms_num; i++) - if (token_mechanisms[i] == mec) { - memcpy((CK_BYTE_PTR) info, (CK_BYTE_PTR) (token_mechanism_infos + i), sizeof(CK_MECHANISM_INFO)); - return CKR_OK; - } - - return CKR_MECHANISM_INVALID; - -} - -static CK_RV get_objects(ykpiv_state *state, CK_BBOOL num_only, - piv_obj_id_t *obj, CK_ULONG_PTR len, CK_ULONG_PTR num_certs) { - CK_BYTE buf[2048]; - CK_ULONG buf_len; - CK_BYTE major; - CK_ULONG i; - - piv_obj_id_t certs[24]; - piv_obj_id_t pvtkeys[24]; - piv_obj_id_t pubkeys[24]; - CK_ULONG n_cert = 0; - CK_ULONG token_objects_num = neo_token_objects_num; - - if (state == NULL || len == NULL_PTR) - return CKR_ARGUMENTS_BAD; - - if (num_only == CK_FALSE && obj == NULL) - return CKR_ARGUMENTS_BAD; - - if (ykpiv_get_version(state, (char *) buf, sizeof(buf)) != YKPIV_OK) - return CKR_FUNCTION_FAILED; - - major = buf[0] - '0'; - - buf_len = sizeof(buf); - if (ykpiv_fetch_object(state, YKPIV_OBJ_AUTHENTICATION, buf, &buf_len) == YKPIV_OK) { - certs[n_cert] = PIV_CERT_OBJ_X509_PIV_AUTH; - pvtkeys[n_cert] = PIV_PVTK_OBJ_PIV_AUTH; - pubkeys[n_cert] = PIV_PUBK_OBJ_PIV_AUTH; - n_cert++; - DBG("Found AUTH cert (9a)"); - } - - buf_len = sizeof(buf); - if (ykpiv_fetch_object(state, YKPIV_OBJ_CARD_AUTH, buf, &buf_len) == YKPIV_OK) { - certs[n_cert] = PIV_CERT_OBJ_X509_CARD_AUTH; - pvtkeys[n_cert] = PIV_PVTK_OBJ_CARD_AUTH; - pubkeys[n_cert] = PIV_PUBK_OBJ_CARD_AUTH; - n_cert++; - DBG("Found CARD AUTH cert (9e)"); - } - - buf_len = sizeof(buf); - if (ykpiv_fetch_object(state, YKPIV_OBJ_SIGNATURE, buf, &buf_len) == YKPIV_OK) { - certs[n_cert] = PIV_CERT_OBJ_X509_DS; - pvtkeys[n_cert] = PIV_PVTK_OBJ_DS; - pubkeys[n_cert] = PIV_PUBK_OBJ_DS; - n_cert++; - DBG("Found SIGNATURE cert (9c)"); - } - - buf_len = sizeof(buf); - if (ykpiv_fetch_object(state, YKPIV_OBJ_KEY_MANAGEMENT, buf, &buf_len) == YKPIV_OK) { - certs[n_cert] = PIV_CERT_OBJ_X509_KM; - pvtkeys[n_cert] = PIV_PVTK_OBJ_KM; - pubkeys[n_cert] = PIV_PUBK_OBJ_KM; - n_cert++; - DBG("Found KMK cert (9d)"); - } - - if (major >= 4) { - for (i = 0; i < 20; i++) { - buf_len = sizeof(buf); - if (ykpiv_fetch_object(state, YKPIV_OBJ_RETIRED1 + i, buf, &buf_len) == YKPIV_OK) { - certs[n_cert] = PIV_CERT_OBJ_X509_RETIRED1 + i; - pvtkeys[n_cert] = PIV_PVTK_OBJ_RETIRED1 + i; - pubkeys[n_cert] = PIV_PUBK_OBJ_RETIRED1 + i; - n_cert++; - DBG("Found RETIRED cert (%lx)", 0x82 + i); - } - } - token_objects_num = yk4_token_objects_num; - } - - DBG("The total number of objects for this token is %lu", (n_cert * 3) + token_objects_num); - - if (num_only == CK_TRUE) { - // We just want the number of objects - // Each cert object counts for 3: cert, pub key, pvt key - *len = (n_cert * 3) + token_objects_num; - if (num_certs != NULL) - *num_certs = n_cert; - return CKR_OK; - } - - if (*len < (n_cert * 3) + token_objects_num) - return CKR_BUFFER_TOO_SMALL; - - // Copy data objects - if (major >= 4) { - // YK4: just copy all the objects - memcpy(obj, token_objects, token_objects_num * sizeof(piv_obj_id_t)); - } - else { - // NEO: remove retired keys - memcpy(obj, token_objects, 4 * sizeof(piv_obj_id_t)); - memcpy(obj + 4, token_objects + 24, (neo_token_objects_num - 4) * sizeof(piv_obj_id_t)); - } - - // Copy certificates - if (n_cert > 0) { - memcpy(obj + token_objects_num, certs, n_cert * sizeof(piv_obj_id_t)); - memcpy(obj + token_objects_num + n_cert, pvtkeys, n_cert * sizeof(piv_obj_id_t)); - memcpy(obj + token_objects_num + (2 * n_cert), pubkeys, n_cert * sizeof(piv_obj_id_t)); - } - - return CKR_OK; -} - -CK_RV YUBICO_get_token_objects_num(ykpiv_state *state, CK_ULONG_PTR num, CK_ULONG_PTR num_certs) { - return get_objects(state, CK_TRUE, NULL, num, num_certs); -} - -CK_RV YUBICO_get_token_object_list(ykpiv_state *state, piv_obj_id_t *obj, CK_ULONG num) { - return get_objects(state, CK_FALSE, obj, &num, NULL); -} - -CK_RV YUBICO_get_token_raw_certificate(ykpiv_state *state, piv_obj_id_t obj, CK_BYTE_PTR data, CK_ULONG_PTR len) { - - if (ykpiv_fetch_object(state, piv_2_ykpiv(obj), data, len) != YKPIV_OK) - return CKR_FUNCTION_FAILED; - - return CKR_OK; -} - -CK_RV YUBICO_token_change_pin(ykpiv_state *state, CK_USER_TYPE user_type, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewLen) { - int tries; - ykpiv_rc res; - - switch(user_type){ - case CKU_SO:{ - unsigned char new_key[24]; - size_t new_key_len = sizeof(new_key); - if(ykpiv_hex_decode((const char*)pNewPin, ulNewLen, new_key, &new_key_len) != YKPIV_OK) { - DBG("Failed to decode new pin") - return CKR_ARGUMENTS_BAD; - } - res = ykpiv_set_mgmkey(state, new_key); - break; - } - case CKU_USER: - if(ulOldLen >= 4 && strncmp((const char*)pOldPin, "puk:", 4) == 0){ - DBG("Changing PUK pin") - res = ykpiv_change_puk(state, (const char*)pOldPin + 4, ulOldLen - 4, (const char*)pNewPin, ulNewLen, &tries); - }else{ - DBG("Changing USER pin") - res = ykpiv_change_pin(state, (const char*)pOldPin, ulOldLen, (const char*)pNewPin, ulNewLen, &tries); - } - break; - default: - DBG("TODO implement other context specific pin change"); - return CKR_FUNCTION_FAILED; - } - - switch (res) { - case YKPIV_OK: - return CKR_OK; - case YKPIV_SIZE_ERROR: - return CKR_PIN_LEN_RANGE; - case YKPIV_WRONG_PIN: - return CKR_PIN_INCORRECT; - case YKPIV_PIN_LOCKED: - return CKR_PIN_LOCKED; - default: - return CKR_FUNCTION_FAILED; - } -} diff --git a/ykcs11/yubico_token.h b/ykcs11/yubico_token.h deleted file mode 100644 index 68e8e11..0000000 --- a/ykcs11/yubico_token.h +++ /dev/null @@ -1,53 +0,0 @@ -/* - * Copyright (c) 2015-2016 Yubico AB - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef YUBICO_TOKEN_H -#define YUBICO_TOKEN_H - -#include "pkcs11.h" -#include "obj_types.h" -#include - -CK_RV YUBICO_get_token_label(CK_UTF8CHAR_PTR str, CK_ULONG len); -CK_RV YUBICO_get_token_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len); -CK_RV YUBICO_get_token_model(ykpiv_state *state, CK_UTF8CHAR_PTR str, CK_ULONG len); -CK_RV YUBICO_get_token_flags(CK_FLAGS_PTR flags); -CK_RV YUBICO_get_token_serial(CK_CHAR_PTR str, CK_ULONG len); -CK_RV YUBICO_get_token_version(ykpiv_state *state, CK_VERSION_PTR version); -CK_RV YUBICO_get_token_mechanisms_num(CK_ULONG_PTR num); -CK_RV YUBICO_get_token_mechanism_list(CK_MECHANISM_TYPE_PTR mec, CK_ULONG num); -CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_PTR info); -CK_RV YUBICO_get_token_objects_num(ykpiv_state *state, CK_ULONG_PTR num, CK_ULONG_PTR num_certs); -CK_RV YUBICO_get_token_object_list(ykpiv_state *state, piv_obj_id_t *obj, CK_ULONG num); -CK_RV YUBICO_get_token_raw_certificate(ykpiv_state *state, piv_obj_id_t obj, CK_BYTE_PTR data, CK_ULONG_PTR len); -CK_RV YUBICO_token_change_pin(ykpiv_state *state, CK_USER_TYPE user_type, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldLen, - CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewLen); - -#endif