oxidize: Prep directory structure for Rust translation

- Keeps: `lib`, `tool`
- Deletes everything else except for `COPYING` (i.e. license)
- Replaces `.gitignore` with a more standard Rust one
This commit is contained in:
Tony Arcieri
2019-08-10 10:02:26 -07:00
parent f794d02392
commit a226b56696
59 changed files with 2 additions and 13294 deletions
+2 -124
View File
@@ -1,124 +1,2 @@
.deps/ /target
.vagrant/ **/*.rs.bk
Makefile
Makefile.in
aclocal.m4
autom4te.cache/
config.log
config.status
configure
doxygen-doc/
libtool
m4/libtool.m4
m4/ltoptions.m4
m4/ltsugar.m4
m4/ltversion.m4
m4/lt~obsolete.m4
*.c~
*.h~
*.plist
.libs
ChangeLog
build-aux/ar-lib
build-aux/compile
build-aux/config.guess
build-aux/config.sub
build-aux/depcomp
build-aux/install-sh
build-aux/ltmain.sh
build-aux/missing
build-aux/test-driver
GPATH
GRTAGS
GTAGS
tmp32/
tmp64/
yubico-piv-tool-*-win32.zip
yubico-piv-tool-*-win32.zip.sig
yubico-piv-tool-*-win64.zip
yubico-piv-tool-*-win64.zip.sig
yubico-piv-tool-*.tar.gz
yubico-piv-tool-*.tar.gz.sig
yubico-piv-tool-*-mac.zip
yubico-piv-tool-*-mac.zip.sig
lib/tests/api
lib/tests/api.log
lib/tests/api.o
lib/tests/api.trs
lib/tests/basic
lib/tests/basic.log
lib/tests/basic.o
lib/tests/basic.trs
lib/tests/parse_key
lib/tests/parse_key.log
lib/tests/parse_key.o
lib/tests/parse_key.trs
lib/tests/test-suite.log
lib/error.lo
lib/error.o
lib/internal.la
lib/internal.lo
lib/internal.o
lib/libykpiv.la
lib/util.la
lib/util.lo
lib/util.o
lib/version.lo
lib/version.o
lib/ykpiv-version.h
lib/ykpiv.lo
lib/ykpiv.o
lib/ykpiv.pc
lib/.libs/
tool/cmdline.c
tool/cmdline.h
tool/cmdline.o
tool/yubico-piv-tool
tool/yubico-piv-tool.1
tool/yubico-piv-tool.exe
tool/yubico-piv-tool.o
tool/.libs/
tool/libpiv_cmd.la
tool/libpiv_cmd_la-cmdline.lo
tool/libpiv_cmd_la-cmdline.o
tool/libpiv_util.la
tool/openssl-compat.lo
tool/openssl-compat.o
tool/util.lo
tool/util.o
tool/tests/cert_9a.pem
tool/tests/cert_9e.pem
tool/tests/basic.sh.log
tool/tests/basic.sh.trs
tool/tests/key_9a.pub
tool/tests/parse_name
tool/tests/parse_name.log
tool/tests/parse_name.o
tool/tests/parse_name.trs
tool/tests/req_9e.pem
tool/tests/test_inout
tool/tests/test_inout.log
tool/tests/test_inout.o
tool/tests/test_inout.trs
tool/tests/test-suite.log
coverage/
lib/error.gcno
lib/version.gcno
lib/ykpiv.gcno
tool/util.gcno
tool/yubico-piv-tool.gcda
tool/yubico-piv-tool.gcno
ykcs11/.libs/
ykcs11/*.o
ykcs11/*.lo
ykcs11/ykcs11.pc
ykcs11/libykcs11.la
ykcs11/ykcs11-version.h
ykcs11/tests/reset.sh.log
ykcs11/tests/reset.sh.trs
ykcs11/tests/test-suite.log
ykcs11/tests/ykcs11_tests
ykcs11/tests/ykcs11_tests.log
ykcs11/tests/ykcs11_tests.o
ykcs11/tests/ykcs11_tests.trs
yubico-piv-tool.1.txt
-25
View File
@@ -1,25 +0,0 @@
language: c
os:
- osx
- linux
compiler:
- gcc
- clang
env:
- EXTRA=libpcsclite-dev
script:
- ./build-and-test.sh
matrix:
include:
- compiler: gcc
os: linux
env: EXTRA="wine mingw-w64 mingw-w64-i686-dev" REMOVE=mingw32 ARCH=32
- compiler: gcc
os: linux
env: EXTRA="wine mingw-w64 mingw-w64-x86-64-dev" REMOVE=mingw32 ARCH=64
- compiler: gcc
os: linux
env: COVERAGE="--enable-coverage" EXTRA="libpcsclite-dev lcov"
- compiler: gcc
os: linux
env: BUILD_OPENSSL_VERSION="1.1" EXTRA="libpcsclite-dev"
-102
View File
@@ -1,102 +0,0 @@
# Copyright (c) 2014-2016 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
SUBDIRS = lib tool ykcs11
ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = windows.mk mac.mk tool/tests/basic.sh tools/fasc.pl ykcs11/tests/reset.sh
EXTRA_DIST += doc/Attestation.adoc doc/YKCS11_release_notes.adoc doc/YubiKey_PIV_introduction.adoc
if ENABLE_COV
cov-reset:
rm -fr coverage
find . -name "*.gcda" -exec rm {} \;
lcov --directory . --zerocounters
cov-report:
mkdir -p coverage
lcov --compat-libtool --directory . --capture --output-file coverage/app.info
lcov --extract coverage/app.info '*.c' --output-file coverage/app2.info
genhtml -o coverage/ coverage/app2.info
cov:
make cov-report
clean-local:
make cov-reset
check:
make cov
endif
if ENABLE_CPPCHECK
cppcheck:
$(CPPCHECK) -q -v -f --enable=all -i tool/cmdline.c lib tool ykcs11
endif
# Maintainer rules.
if DX_COND_html
doxygen:
doxygen lib/Doxyfile
endif
hwcheck:
@$(srcdir)/tools/confirm.sh && YKPIV_ENV_HWTESTS_CONFIRMED="1" $(MAKE) check
check-doc-dist:
perl -pe "s,^EXTRA_DIST \+= .*,EXTRA_DIST += `cd $(srcdir) && ls doc/*.adoc | xargs echo`," < $(srcdir)/Makefile.am > check-doc-dist.tmp
diff -ur $(srcdir)/Makefile.am check-doc-dist.tmp || \
(rm -f check-doc-dist.tmp; echo 'error: please update $(srcdir)/Makefile.am to include all docs'; exit 1)
rm -f check-doc-dist.tmp
ChangeLog:
cd $(srcdir) && git2cl > ChangeLog
release:
@if test -z "$(KEYID)"; then \
echo "Try this instead:"; \
echo " make release KEYID=[PGPKEYID]"; \
echo "For example:"; \
echo " make release KEYID=2117364A"; \
exit 1; \
fi
head -3 $(srcdir)/NEWS | \
grep -q "Version $(VERSION) .released `date -I`" || \
(echo 'error: Update date/version in $(srcdir)/NEWS.'; exit 1)
rm -f $(srcdir)/ChangeLog
make check-doc-dist ChangeLog distcheck
gpg --detach-sign --default-key $(KEYID) $(PACKAGE)-$(VERSION).tar.gz
gpg --verify $(PACKAGE)-$(VERSION).tar.gz.sig
git tag -sm "$(PACKAGE)-$(VERSION)" $(PACKAGE)-$(VERSION)
git push
git push --tags
$(HELP2ADOC) -e tool/yubico-piv-tool -n "Yubico PIV Tool" -i tool/yubico-piv-tool.h2m > yubico-piv-tool.1.txt
$(YUBICO_GITHUB_REPO)/save-mans $(PACKAGE) yubico-piv-tool.1.txt
$(YUBICO_GITHUB_REPO)/publish $(PACKAGE) $(VERSION) $(PACKAGE)-$(VERSION).tar.gz*
-298
View File
@@ -1,298 +0,0 @@
yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*-
* Version 1.7.1 (unreleased)
* Version 1.7.0 (released 2019-04-03)
** Add ykpiv_get_serial() to API.
** Add version and serial to status output.
** FASC-N fixes for CHUID.
** ykcs11: Fix ECDSA signatures.
** Make selfsigned X.509 extensions have correct extensions to match openssl.
** Security fixes.
** Documentation fixes.
** Try to clear memory that might contain secrets.
* Version 1.6.2 (released 2018-09-14)
** Compare reader names case insensitive.
** Fix certificate and certificate request signatures with OpenSSL 1.1.
* Version 1.6.1 (released 2018-08-17)
** Compilation warning fixes for OpenSSL 1.1 builds.
** Fix length when encoding exactly 0xff bytes.
** Check length of objects correctly before storing in buffer.
** Check length of certificate correctly when storing.
* Version 1.6.0 (released 2018-08-08)
** Security release to mitigate https://www.yubico.com/support/security-advisories/ysa-2018-03/[YSA-2018-03].
** Allow builiding against LibreSSL.
** Bugfixes in OpenSSL 1.1 code.
** Fix compilation warnings.
** Fix ykcs11 key generation to work with OpenSSL 1.1.
** Ykcs11 compatibility fixes.
* Version 1.5.0 (released 2017-11-29)
** API additions: Higher-level "util" API added to libykpiv.
** Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()
** Added functions for using existing PCSC card handle.
** Support using custom memory allocator.
** Documentation updates. 'make doxygen' for HTML format.
** Expanded automated tests for hardware devices, moved to 'make hwcheck'.
** OpenSSL 1.1 support
** Moderate internal refactoring. Many small bugs fixed.
* Version 1.4.4 (released 2017-10-17)
** Documentation updates.
** Add pin caching to work around disconnect problems.
** Disable RSA key generation on YubiKey 4 before 4.3.5.
See https://yubi.co/ysa201701/ for details.
* Version 1.4.3 (released 2017-04-18)
** Encode RSA x509 certificates correctly.
** Documentation updates.
** In ykcs11 return CKA_MODULUS correctly for private keys.
** In ykcs11 fix for signature size approximation.
** Fix PSS signatures in ykcs11.
** Add a CLI flag --stdin-input to make batch execution easier.
* Version 1.4.2 (released 2016-08-12)
** Clarify license headers and clean up YKCS11 licensing.
Now uses pkcs11.h from the Scute project.
** Don't install ykcs11-version.h.
** No cflags in ykcs11.pc.
** Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.
* Version 1.4.1 (released 2016-08-11)
** Documentation updates
** Add possibility to export certificates in SSH format.
** Make certificate serial number random by default.
* Version 1.4.0 (released 2016-05-03)
** Add attest action
When used on a slot with a generated key, outputs a signed x509 certificate for
that slot showing that the key was generated in hardware. Available in firmware
4.3.0 and newer.
** Add cached parameter for touch-policy
With cached, the touch is valid for an additional 15s. Available in firmware
4.3.0 and newer.
** Enforce a minimum PIN length of 6 characters.
** Fix a bug with list-readers action where it fell through processing into
write-object.
* Version 1.3.1 (released 2016-04-19)
** Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.
** Clarifications with help texts.
* Version 1.3.0 (released 2016-02-19)
** Fixed extraction of RSA modulus and exponent for pkcs11.
** Implemented C_SetPIN for pkcs11.
** Add generic write and read object actions for the tool.
Supports hex/binary/base64 formats
** Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()
** Print CCC with status action.
** Address bugs with pkcs11 on windows.
** Add --valid-days and --serial to tool for selfsign-certificate action.
** Ask for password for pkcs12 if none is given.
* Version 1.2.2 (released 2015-12-08)
** Fix old buffer overflow in change-pin functionality.
* Version 1.2.1 (released 2015-12-08)
** Fix issue with big certificates and status.
* Version 1.2.0 (released 2015-12-07)
** On OSX use @loader_path instead of @executable_path for ykcs11.
** Add ykpiv_import_private_key to libykpiv.
** Raise buffer sizes to support bigger objects.
** Change behavior of action status, only list populated slots.
** Add retired keys to ykcs11.
** In ykcs11 support login with non null terminated pin.
** Add a new action set-ccc to yubico-piv-tool to set the CCC.
* Version 1.1.2 (released 2015-11-13)
** Properly handle DER encoding in ECDSA signatures.
* Version 1.1.1 (released 2015-11-11)
** Make sure SCardContext is properly acquired and released.
* Version 1.1.0 (released 2015-11-06)
** Add support for new YubiKey 4.
** Add ykcs11.
* Version 1.0.3 (released 2015-10-01)
** Correct wording on unblock-pin action.
** Show pin retries correctly.
** Use a bigger buffer for receiving data.
* Version 1.0.2 (released 2015-09-04)
** Query for different passwords/pins on stdin if they're not supplied.
** If a reader fails continue trying matching readers.
** Authentication failed is supposed to be 0x63cX not 0x630X.
* Version 1.0.1 (released 2015-07-10)
** Project relicensed to 2-clause BSD license
** Minor fixes found with clang scan-build
* Version 1.0.0 (released 2015-06-23)
** Add a test-decipher action.
** Check that e is 0x10001 on importing rsa keys
** Use PCSC transactions when sending and receiving data
* Version 0.1.6 (released 2015-03-23)
** Add a read-certificate action to the tool.
** Add a status action to the tool.
** Fix a library bug so NULL can be passed to ykpiv_verify()
** Add a test-signature action to the tool.
* Version 0.1.5 (released 2015-02-04)
** Revert the check for parity and just set parity before the weak check.
* Version 0.1.4 (released 2015-02-02)
** Prompt for input if input is stdin.
** Mark all bits of the signature as used is certs and requests.
** Correct error for unblock-pin.
** Fix hex decode to decode capital letters and return error.
** Check parity of new management keys.
* Version 0.1.3 (released 2014-12-18)
** Add format DER for importing certificates.
** Make sure diagnostic feedback ends up on stderr.
** Add positive feedback for a couple of actions.
* Version 0.1.2 (released 2014-11-14)
** Fix an issue where shorter component of RSA keys where not packed correctly.
* Version 0.1.1 (released 2014-11-10)
** Correct broken CHUID that made windows work inconsistently.
** Add support for compressed certificates.
** Fix broken unblock-pin action.
** Don't try to accept to short keys for mgm key.
** Only do applet authentication if needed.
** Add --hash for selecting what hash to use for signatures.
** Add hidden --sign command. Should probably not be used.
** Fix for signature algorithm in selfsigned cert.
* Version 0.1.0 (released 2014-08-25)
** Break out functionality into a library.
** More testing.
* Version 0.0.3 (released 2014-05-26)
** Add delete-certificate action.
** Fix minor bugs.
* Version 0.0.2 (released 2014-02-19)
** Fix an offset bug with CHUID.
** Do full mutual auth with the applet.
* Version 0.0.1 (released 2014-02-11)
** Initial release.
-139
View File
@@ -1,139 +0,0 @@
== Yubico PIV Tool
=== Introduction
The Yubico PIV tool is used for interacting with the Privilege and
Identification Card (PIV) application on a https://www.yubico.com[YubiKey].
With it you may generate keys on the device, importing keys and
certificates, and create certificate requests, and other operations.
A shared library and a command-line tool is included.
==== Usage guides
For information and examples on what you can do with a PIV enabled YubiKey,
see https://developers.yubico.com/PIV/
=== License
In general the project is covered by the following BSD license. The
file ykcs11/pkcs11.h has additional copyright and licensing
information, please see it for more information. Some other files
(e.g., m4/*) have other licenses too but are only part of the build
infrastructure.
----
Copyright (c) 2014-2016 Yubico AB
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided
with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
----
=== Building
After downloading and unpacking the package tarball, you build it as
follows.
$ ./configure
$ make
$ sudo make install
The backend to use is decided at compile time, see the summary at the
end of the ./configure output. Use --with-backend=foo to chose
backend, replacing foo with the backend you want to use. The backends
available are "pcsc", "macscard", and "winscard" using the PCSC
interface, with slightly different shared library linkage and
header file names: "pcsc" is used under GNU-like systems, "macscard"
under Mac OS X, and "winscard" is used under Windows. In most
situations, running ./configure should automatically find the proper
backend to use.
=== Building from Git
Recent versions of autoconf, automake, check, pkg-config, and libtool
must be installed. Help2man is used to generate the manpages. Gengetopt
version 2.22.6 or later is needed for command line parameter handling.
The
link:https://github.com/Yubico/yubico-piv-tool/tree/master/vagrant/development[Vagrant
VM] has all these dependencies preinstalled.
Generate the build system using:
$ autoreconf --install
Then you follow the normal build instructions, see above.
To turn on all warnings add --enable-gcc-warnings to ./configure
=== Portability
The main development platform is Debian GNU/Linux. The project is
cross-compiled to Windows using MinGW (see windows.mk) using the PCSC
backend. It may also be built for Mac OS X (see mac.mk), also using
the PCSC backend.
=== Example Usage
For a list of all available options --help can be given. For more information
on exactly what happens --verbose or --verbose=2 may be added.
Generate a new ECC-P256 key on device in slot 9a, will print the public
key on stdout:
$ yubico-piv-tool -s9a -AECCP256 -agenerate
Generate a certificate request with public key from stdin, will print
the resulting request on stdout:
$ yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify -arequest
Generate a self-signed certificate with public key from stdin, will print
the certificate, for later import, on stdout:
$ yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify -aselfsign
Import a certificate from stdin:
$ yubico-piv-tool -s9a -aimport-certificate
Set a random chuid, import a key and import a certificate from a PKCS12
file, into slot 9c:
$ yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid -aimport-key \
-aimport-cert
Change the management key used for administrative authentication:
$ yubico-piv-tool -aset-mgm-key
Delete a certificate in slot 9a, with management key being asked for:
$ yubico-piv-tool -adelete-certificate -s9a -k
Show some information on certificates and other data:
$ yubico-piv-tool -astatus
Read out the certificate from a slot and then run a signature test:
$ yubico-piv-tool -aread-cert -s9a
$ yubico-piv-tool -averify-pin -atest-signature -s9a
Import a key into slot 85 (only available on YubiKey 4) and set the
touch policy (also only available on YubiKey 4):
$ yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem
-1
View File
@@ -1 +0,0 @@
README
-77
View File
@@ -1,77 +0,0 @@
#!/bin/sh
# Copyright (c) 2014-2016 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
if [ "x$TRAVIS_OS_NAME" != "xosx" ]; then
sudo apt-get update -qq
sudo apt-get remove -qq -y $REMOVE
sudo apt-get autoremove -qq
sudo apt-get install -qq -y gengetopt help2man check $EXTRA
TAR=tar
else
ARCH=osx
brew update
brew uninstall libtool
brew install libtool
brew install help2man
brew install check
brew install pkg-config
brew install gengetopt
brew install gnu-tar
TAR=gtar
fi
set -e
autoreconf -ifv
if [ "x$ARCH" != "x" ]; then
version=`cat NEWS | grep unreleased | cut -d' ' -f3`
set +e
$TAR --exclude .git --transform="s/^\./yubico-piv-tool-${version}/" -czf yubico-piv-tool-${version}.tar.gz .
set -e
if [ "x$ARCH" != "xosx" ]; then
make -f windows.mk ${ARCH}bit VERSION=$version
else
make -f mac.mk mac VERSION=$version
fi
elif [ "x$BUILD_OPENSSL_VERSION" = "x1.1" ]; then
version=`cat NEWS | grep unreleased | cut -d' ' -f3`
set +e
$TAR --exclude .git --transform="s/^\./yubico-piv-tool-${version}/" -czf yubico-piv-tool-${version}.tar.gz .
set -e
make -f linux.mk VERSION=$version
else
./configure $COVERAGE
make all check
if [ "x$COVERAGE" != "x" ]; then
gem install coveralls-lcov
coveralls-lcov coverage/app2.info
fi
fi
-690
View File
@@ -1,690 +0,0 @@
#! /bin/sh
# Output a system dependent set of variables, describing how to set the
# run time search path of shared libraries in an executable.
#
# Copyright 1996-2013 Free Software Foundation, Inc.
# Taken from GNU libtool, 2001
# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# The first argument passed to this file is the canonical host specification,
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
# or
# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
# The environment variables CC, GCC, LDFLAGS, LD, with_gnu_ld
# should be set by the caller.
#
# The set of defined variables is at the end of this script.
# Known limitations:
# - On IRIX 6.5 with CC="cc", the run time search patch must not be longer
# than 256 bytes, otherwise the compiler driver will dump core. The only
# known workaround is to choose shorter directory names for the build
# directory and/or the installation directory.
# All known linkers require a '.a' archive for static linking (except MSVC,
# which needs '.lib').
libext=a
shrext=.so
host="$1"
host_cpu=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
host_vendor=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
host_os=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
# Code taken from libtool.m4's _LT_CC_BASENAME.
for cc_temp in $CC""; do
case $cc_temp in
compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
\-*) ;;
*) break;;
esac
done
cc_basename=`echo "$cc_temp" | sed -e 's%^.*/%%'`
# Code taken from libtool.m4's _LT_COMPILER_PIC.
wl=
if test "$GCC" = yes; then
wl='-Wl,'
else
case "$host_os" in
aix*)
wl='-Wl,'
;;
mingw* | cygwin* | pw32* | os2* | cegcc*)
;;
hpux9* | hpux10* | hpux11*)
wl='-Wl,'
;;
irix5* | irix6* | nonstopux*)
wl='-Wl,'
;;
linux* | k*bsd*-gnu | kopensolaris*-gnu)
case $cc_basename in
ecc*)
wl='-Wl,'
;;
icc* | ifort*)
wl='-Wl,'
;;
lf95*)
wl='-Wl,'
;;
nagfor*)
wl='-Wl,-Wl,,'
;;
pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
wl='-Wl,'
;;
ccc*)
wl='-Wl,'
;;
xl* | bgxl* | bgf* | mpixl*)
wl='-Wl,'
;;
como)
wl='-lopt='
;;
*)
case `$CC -V 2>&1 | sed 5q` in
*Sun\ F* | *Sun*Fortran*)
wl=
;;
*Sun\ C*)
wl='-Wl,'
;;
esac
;;
esac
;;
newsos6)
;;
*nto* | *qnx*)
;;
osf3* | osf4* | osf5*)
wl='-Wl,'
;;
rdos*)
;;
solaris*)
case $cc_basename in
f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
wl='-Qoption ld '
;;
*)
wl='-Wl,'
;;
esac
;;
sunos4*)
wl='-Qoption ld '
;;
sysv4 | sysv4.2uw2* | sysv4.3*)
wl='-Wl,'
;;
sysv4*MP*)
;;
sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
wl='-Wl,'
;;
unicos*)
wl='-Wl,'
;;
uts4*)
;;
esac
fi
# Code taken from libtool.m4's _LT_LINKER_SHLIBS.
hardcode_libdir_flag_spec=
hardcode_libdir_separator=
hardcode_direct=no
hardcode_minus_L=no
case "$host_os" in
cygwin* | mingw* | pw32* | cegcc*)
# FIXME: the MSVC++ port hasn't been tested in a loooong time
# When not using gcc, we currently assume that we are using
# Microsoft Visual C++.
if test "$GCC" != yes; then
with_gnu_ld=no
fi
;;
interix*)
# we just hope/assume this is gcc and not c89 (= MSVC++)
with_gnu_ld=yes
;;
openbsd*)
with_gnu_ld=no
;;
esac
ld_shlibs=yes
if test "$with_gnu_ld" = yes; then
# Set some defaults for GNU ld with shared library support. These
# are reset later if shared libraries are not supported. Putting them
# here allows them to be overridden if necessary.
# Unlike libtool, we use -rpath here, not --rpath, since the documented
# option of GNU ld is called -rpath, not --rpath.
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
case "$host_os" in
aix[3-9]*)
# On AIX/PPC, the GNU linker is very broken
if test "$host_cpu" != ia64; then
ld_shlibs=no
fi
;;
amigaos*)
case "$host_cpu" in
powerpc)
;;
m68k)
hardcode_libdir_flag_spec='-L$libdir'
hardcode_minus_L=yes
;;
esac
;;
beos*)
if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
:
else
ld_shlibs=no
fi
;;
cygwin* | mingw* | pw32* | cegcc*)
# hardcode_libdir_flag_spec is actually meaningless, as there is
# no search path for DLLs.
hardcode_libdir_flag_spec='-L$libdir'
if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
:
else
ld_shlibs=no
fi
;;
haiku*)
;;
interix[3-9]*)
hardcode_direct=no
hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
;;
gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu)
if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
:
else
ld_shlibs=no
fi
;;
netbsd*)
;;
solaris*)
if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
ld_shlibs=no
elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
:
else
ld_shlibs=no
fi
;;
sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
case `$LD -v 2>&1` in
*\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
ld_shlibs=no
;;
*)
if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
else
ld_shlibs=no
fi
;;
esac
;;
sunos4*)
hardcode_direct=yes
;;
*)
if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
:
else
ld_shlibs=no
fi
;;
esac
if test "$ld_shlibs" = no; then
hardcode_libdir_flag_spec=
fi
else
case "$host_os" in
aix3*)
# Note: this linker hardcodes the directories in LIBPATH if there
# are no directories specified by -L.
hardcode_minus_L=yes
if test "$GCC" = yes; then
# Neither direct hardcoding nor static linking is supported with a
# broken collect2.
hardcode_direct=unsupported
fi
;;
aix[4-9]*)
if test "$host_cpu" = ia64; then
# On IA64, the linker does run time linking by default, so we don't
# have to do anything special.
aix_use_runtimelinking=no
else
aix_use_runtimelinking=no
# Test if we are trying to use run time linking or normal
# AIX style linking. If -brtl is somewhere in LDFLAGS, we
# need to do runtime linking.
case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
for ld_flag in $LDFLAGS; do
if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
aix_use_runtimelinking=yes
break
fi
done
;;
esac
fi
hardcode_direct=yes
hardcode_libdir_separator=':'
if test "$GCC" = yes; then
case $host_os in aix4.[012]|aix4.[012].*)
collect2name=`${CC} -print-prog-name=collect2`
if test -f "$collect2name" && \
strings "$collect2name" | grep resolve_lib_name >/dev/null
then
# We have reworked collect2
:
else
# We have old collect2
hardcode_direct=unsupported
hardcode_minus_L=yes
hardcode_libdir_flag_spec='-L$libdir'
hardcode_libdir_separator=
fi
;;
esac
fi
# Begin _LT_AC_SYS_LIBPATH_AIX.
echo 'int main () { return 0; }' > conftest.c
${CC} ${LDFLAGS} conftest.c -o conftest
aix_libpath=`dump -H conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
}'`
if test -z "$aix_libpath"; then
aix_libpath=`dump -HX64 conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
}'`
fi
if test -z "$aix_libpath"; then
aix_libpath="/usr/lib:/lib"
fi
rm -f conftest.c conftest
# End _LT_AC_SYS_LIBPATH_AIX.
if test "$aix_use_runtimelinking" = yes; then
hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
else
if test "$host_cpu" = ia64; then
hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
else
hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
fi
fi
;;
amigaos*)
case "$host_cpu" in
powerpc)
;;
m68k)
hardcode_libdir_flag_spec='-L$libdir'
hardcode_minus_L=yes
;;
esac
;;
bsdi[45]*)
;;
cygwin* | mingw* | pw32* | cegcc*)
# When not using gcc, we currently assume that we are using
# Microsoft Visual C++.
# hardcode_libdir_flag_spec is actually meaningless, as there is
# no search path for DLLs.
hardcode_libdir_flag_spec=' '
libext=lib
;;
darwin* | rhapsody*)
hardcode_direct=no
if { case $cc_basename in ifort*) true;; *) test "$GCC" = yes;; esac; }; then
:
else
ld_shlibs=no
fi
;;
dgux*)
hardcode_libdir_flag_spec='-L$libdir'
;;
freebsd2.2*)
hardcode_libdir_flag_spec='-R$libdir'
hardcode_direct=yes
;;
freebsd2*)
hardcode_direct=yes
hardcode_minus_L=yes
;;
freebsd* | dragonfly*)
hardcode_libdir_flag_spec='-R$libdir'
hardcode_direct=yes
;;
hpux9*)
hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
hardcode_libdir_separator=:
hardcode_direct=yes
# hardcode_minus_L: Not really in the search PATH,
# but as the default location of the library.
hardcode_minus_L=yes
;;
hpux10*)
if test "$with_gnu_ld" = no; then
hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
hardcode_libdir_separator=:
hardcode_direct=yes
# hardcode_minus_L: Not really in the search PATH,
# but as the default location of the library.
hardcode_minus_L=yes
fi
;;
hpux11*)
if test "$with_gnu_ld" = no; then
hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
hardcode_libdir_separator=:
case $host_cpu in
hppa*64*|ia64*)
hardcode_direct=no
;;
*)
hardcode_direct=yes
# hardcode_minus_L: Not really in the search PATH,
# but as the default location of the library.
hardcode_minus_L=yes
;;
esac
fi
;;
irix5* | irix6* | nonstopux*)
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
hardcode_libdir_separator=:
;;
netbsd*)
hardcode_libdir_flag_spec='-R$libdir'
hardcode_direct=yes
;;
newsos6)
hardcode_direct=yes
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
hardcode_libdir_separator=:
;;
*nto* | *qnx*)
;;
openbsd*)
if test -f /usr/libexec/ld.so; then
hardcode_direct=yes
if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
else
case "$host_os" in
openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
hardcode_libdir_flag_spec='-R$libdir'
;;
*)
hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
;;
esac
fi
else
ld_shlibs=no
fi
;;
os2*)
hardcode_libdir_flag_spec='-L$libdir'
hardcode_minus_L=yes
;;
osf3*)
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
hardcode_libdir_separator=:
;;
osf4* | osf5*)
if test "$GCC" = yes; then
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
else
# Both cc and cxx compiler support -rpath directly
hardcode_libdir_flag_spec='-rpath $libdir'
fi
hardcode_libdir_separator=:
;;
solaris*)
hardcode_libdir_flag_spec='-R$libdir'
;;
sunos4*)
hardcode_libdir_flag_spec='-L$libdir'
hardcode_direct=yes
hardcode_minus_L=yes
;;
sysv4)
case $host_vendor in
sni)
hardcode_direct=yes # is this really true???
;;
siemens)
hardcode_direct=no
;;
motorola)
hardcode_direct=no #Motorola manual says yes, but my tests say they lie
;;
esac
;;
sysv4.3*)
;;
sysv4*MP*)
if test -d /usr/nec; then
ld_shlibs=yes
fi
;;
sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
;;
sysv5* | sco3.2v5* | sco5v6*)
hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
hardcode_libdir_separator=':'
;;
uts4*)
hardcode_libdir_flag_spec='-L$libdir'
;;
*)
ld_shlibs=no
;;
esac
fi
# Check dynamic linker characteristics
# Code taken from libtool.m4's _LT_SYS_DYNAMIC_LINKER.
# Unlike libtool.m4, here we don't care about _all_ names of the library, but
# only about the one the linker finds when passed -lNAME. This is the last
# element of library_names_spec in libtool.m4, or possibly two of them if the
# linker has special search rules.
library_names_spec= # the last element of library_names_spec in libtool.m4
libname_spec='lib$name'
case "$host_os" in
aix3*)
library_names_spec='$libname.a'
;;
aix[4-9]*)
library_names_spec='$libname$shrext'
;;
amigaos*)
case "$host_cpu" in
powerpc*)
library_names_spec='$libname$shrext' ;;
m68k)
library_names_spec='$libname.a' ;;
esac
;;
beos*)
library_names_spec='$libname$shrext'
;;
bsdi[45]*)
library_names_spec='$libname$shrext'
;;
cygwin* | mingw* | pw32* | cegcc*)
shrext=.dll
library_names_spec='$libname.dll.a $libname.lib'
;;
darwin* | rhapsody*)
shrext=.dylib
library_names_spec='$libname$shrext'
;;
dgux*)
library_names_spec='$libname$shrext'
;;
freebsd* | dragonfly*)
case "$host_os" in
freebsd[123]*)
library_names_spec='$libname$shrext$versuffix' ;;
*)
library_names_spec='$libname$shrext' ;;
esac
;;
gnu*)
library_names_spec='$libname$shrext'
;;
haiku*)
library_names_spec='$libname$shrext'
;;
hpux9* | hpux10* | hpux11*)
case $host_cpu in
ia64*)
shrext=.so
;;
hppa*64*)
shrext=.sl
;;
*)
shrext=.sl
;;
esac
library_names_spec='$libname$shrext'
;;
interix[3-9]*)
library_names_spec='$libname$shrext'
;;
irix5* | irix6* | nonstopux*)
library_names_spec='$libname$shrext'
case "$host_os" in
irix5* | nonstopux*)
libsuff= shlibsuff=
;;
*)
case $LD in
*-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") libsuff= shlibsuff= ;;
*-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") libsuff=32 shlibsuff=N32 ;;
*-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") libsuff=64 shlibsuff=64 ;;
*) libsuff= shlibsuff= ;;
esac
;;
esac
;;
linux*oldld* | linux*aout* | linux*coff*)
;;
linux* | k*bsd*-gnu | kopensolaris*-gnu)
library_names_spec='$libname$shrext'
;;
knetbsd*-gnu)
library_names_spec='$libname$shrext'
;;
netbsd*)
library_names_spec='$libname$shrext'
;;
newsos6)
library_names_spec='$libname$shrext'
;;
*nto* | *qnx*)
library_names_spec='$libname$shrext'
;;
openbsd*)
library_names_spec='$libname$shrext$versuffix'
;;
os2*)
libname_spec='$name'
shrext=.dll
library_names_spec='$libname.a'
;;
osf3* | osf4* | osf5*)
library_names_spec='$libname$shrext'
;;
rdos*)
;;
solaris*)
library_names_spec='$libname$shrext'
;;
sunos4*)
library_names_spec='$libname$shrext$versuffix'
;;
sysv4 | sysv4.3*)
library_names_spec='$libname$shrext'
;;
sysv4*MP*)
library_names_spec='$libname$shrext'
;;
sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
library_names_spec='$libname$shrext'
;;
tpf*)
library_names_spec='$libname$shrext'
;;
uts4*)
library_names_spec='$libname$shrext'
;;
esac
sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
escaped_wl=`echo "X$wl" | sed -e 's/^X//' -e "$sed_quote_subst"`
shlibext=`echo "$shrext" | sed -e 's,^\.,,'`
escaped_libname_spec=`echo "X$libname_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
escaped_library_names_spec=`echo "X$library_names_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
escaped_hardcode_libdir_flag_spec=`echo "X$hardcode_libdir_flag_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
LC_ALL=C sed -e 's/^\([a-zA-Z0-9_]*\)=/acl_cv_\1=/' <<EOF
# How to pass a linker flag through the compiler.
wl="$escaped_wl"
# Static library suffix (normally "a").
libext="$libext"
# Shared library suffix (normally "so").
shlibext="$shlibext"
# Format of library name prefix.
libname_spec="$escaped_libname_spec"
# Library names that the linker finds when passed -lNAME.
library_names_spec="$escaped_library_names_spec"
# Flag to hardcode \$libdir into a binary during linking.
# This must work even if \$libdir does not exist.
hardcode_libdir_flag_spec="$escaped_hardcode_libdir_flag_spec"
# Whether we need a single -rpath flag with a separated argument.
hardcode_libdir_separator="$hardcode_libdir_separator"
# Set to yes if using DIR/libNAME.so during linking hardcodes DIR into the
# resulting binary.
hardcode_direct="$hardcode_direct"
# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
# resulting binary.
hardcode_minus_L="$hardcode_minus_L"
EOF
-313
View File
@@ -1,313 +0,0 @@
# Copyright (c) 2014-2016 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
AC_INIT([yubico-piv-tool], [1.7.1])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIR([m4])
# Library code modified: REVISION++
# Interfaces changed/added/removed: CURRENT++ REVISION=0
# Interfaces added: AGE++
# Interfaces removed: AGE=0
AC_SUBST([LT_CURRENT], 6)
AC_SUBST([LT_REVISION], 1)
AC_SUBST([LT_AGE], 5)
AM_INIT_AUTOMAKE([-Wall -Werror foreign])
AM_SILENT_RULES([yes])
AC_PROG_CC
m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
AC_LIBTOOL_WIN32_DLL
AC_PROG_LIBTOOL
AM_MISSING_PROG(HELP2MAN, help2man, $missing_dir)
AM_MISSING_PROG(HELP2ADOC, help2adoc, $missing_dir)
AM_MISSING_PROG(GENGETOPT, gengetopt, $missing_dir)
PKG_PROG_PKG_CONFIG
PKG_CHECK_MODULES([OPENSSL], [libcrypto], [OPENSSL_VERSION=`$PKG_CONFIG --modversion libcrypto`])
PKG_CHECK_MODULES([CHECK], [check >= 0.9.6])
DX_HTML_FEATURE(ON)
DX_INIT_DOXYGEN(libykpiv,lib/Doxyfile)
gl_LD_VERSION_SCRIPT
gl_VALGRIND_TESTS
# Check for clang
AC_CACHE_CHECK([for clang],
_cv_clang,[
AC_TRY_COMPILE([], [
#ifdef __clang__
#else
#error "NOT CLANG"
#endif
return 0;
],
[_cv_clang=yes],
[_cv_clang=no],
[])
])
AM_CONDITIONAL([COMPILER_CLANG], [test "$_cv_clang" = yes])
AC_ARG_WITH([backend],
[AS_HELP_STRING([--with-backend=ARG],
[use specific backend/linkage; 'pcsc', 'macscard' or 'winscard'])],
[],
[with_backend=check])
AC_ARG_WITH([pcsclib],
[AS_HELP_STRING([--with-pcsclib=ARG],
[Name of custom PCSC lib])],
[],
[with_pcsclib=])
AC_ARG_WITH([pcscdir],
[AS_HELP_STRING([--with-pcscdir=ARG],
[Path to custom PCSC lib dir (use with --with-pcsclib)])],
[],
[with_pcscdir=])
case "$with_backend$host" in
check*-darwin*)
AC_MSG_NOTICE([Detected Mac: selecting macscard backend])
AC_MSG_NOTICE([use --with-backend to override])
with_backend=macscard ;;
check*-mingw*)
AC_MSG_NOTICE([Detected Windows: selecting winscard backend])
AC_MSG_NOTICE([use --with-backend to override])
with_backend=winscard ;;
esac
if test "x$with_backend" = xcheck || test "x$with_backend" = xpcsc; then
PKG_CHECK_MODULES([PCSC], [libpcsclite],
[with_backend=pcsc], [:])
fi
if test "x$with_backend" = xcheck; then
AC_CHECK_HEADERS([PCSC/winscard.h])
AC_CHECK_HEADERS([winscard.h])
AC_MSG_CHECKING([between Mac/Windows winscard])
if test "x$ac_cv_header_PCSC_winscard_h" = xyes; then
with_backend=macscard
AC_MSG_RESULT([Mac])
elif test "x$ac_cv_header_winscard_h" = xyes; then
with_backend=winscard
AC_MSG_RESULT([Windows])
else
AC_MSG_RESULT([no])
fi
fi
if test "x$with_backend" = xwinscard; then
AC_MSG_NOTICE([checking for winscard with Windows linkage])
AC_CHECK_HEADERS([winscard.h])
PCSC_WIN_LIBS="-lwinscard"
save_LIBS="$LIBS"
LIBS="$LIBS $PCSC_WIN_LIBS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <winscard.h>]],
[[SCardBeginTransaction(0)]])],
[AC_SUBST([PCSC_WIN_LIBS])],
[AC_MSG_ERROR([cannot find Windows PCSC library/headers])])
LIBS="$save_LIBS"
fi
if test "x$with_backend" = xmacscard; then
AC_MSG_NOTICE([checking for PCSC with Mac linkage])
AC_CHECK_HEADERS([PCSC/winscard.h])
PCSC_MACOSX_LIBS="-Wl,-framework -Wl,PCSC"
save_LIBS="$LIBS"
LIBS="$LIBS $PCSC_MACOSX_LIBS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <PCSC/wintypes.h>
#include <PCSC/winscard.h>]],
[[SCardBeginTransaction(0)]])],
[AC_SUBST([PCSC_MACOSX_LIBS])],
[AC_MSG_ERROR([cannot find Mac PCSC library/headers])])
LIBS="$save_LIBS"
fi
if test "x$with_pcsclib" != x; then
AC_MSG_NOTICE([checking for PCSC with custom lib])
AC_CHECK_HEADERS([PCSC/winscard.h])
if test "x$with_pcscdir" != x; then
PCSC_CUSTOM_LIBS="-Wl,-L$with_pcscdir -Wl,-l$with_pcsclib -Wl,-rpath,$with_pcscdir"
else
PCSC_CUSTOM_LIBS="-Wl,-l$with_pcsclib"
fi
save_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS $PCSC_CFLAGS"
save_LIBS="$LIBS"
LIBS="$LIBS $PCSC_CUSTOM_LIBS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <PCSC/winscard.h>]],
[[SCardBeginTransaction(0)]])],
[AC_SUBST([PCSC_CUSTOM_LIBS])],
[AC_MSG_ERROR([cannot find custom PCSC library/headers])])
LIBS="$save_LIBS"
CFLAGS="$save_CFLAGS"
PCSC_MACOSX_LIBS=
PCSC_WIN_LIBS=
PCSC_LIBS=
fi
if test "x$with_backend" = xpcsc || test "x$with_backend" = xwinscard \
|| test "x$with_backend" = xmacscard || test "x$with_pcsclib" != x; then
AC_DEFINE([BACKEND_PCSC], 1, [Define to 1 if you the PCSC backend.])
else
AC_MSG_ERROR([cannot find PCSC library])
fi
AC_ARG_ENABLE([coverage],
[AS_HELP_STRING([--enable-coverage],
[use Gcov to test the test suite])],
[],
[enable_cov=no])
AM_CONDITIONAL([ENABLE_COV],[test '!' "$enable_cov" = no])
AC_ARG_ENABLE([cppcheck],
[AS_HELP_STRING([--enable-cppcheck],
[run cppcheck])],
[enable_cppcheck="$enableval"],
[enable_cppcheck="no"])
have_cppcheck=no
AS_IF([test "x$enable_cppcheck" != xno],
[AC_PATH_PROG([CPPCHECK], [cppcheck], [NONE])
AS_IF([test "x$enable_cppcheck" != xno],
[have_cppcheck=yes
AC_SUBST([CPPCHECK])],
[have_cppcheck=no
AS_IF([test "x$enable_cppcheck" != xauto],
[AC_MSG_ERROR([cannot find cppcheck])])])])
AM_CONDITIONAL([ENABLE_CPPCHECK],[test '!' "$have_cppcheck" = no])
AC_ARG_ENABLE([gcc-warnings],
[AS_HELP_STRING([--enable-gcc-warnings],
[turn on lots of GCC warnings (for developers)])],
[case $enableval in
yes|no) ;;
*) AC_MSG_ERROR([bad value $enableval for gcc-warnings option]) ;;
esac
gl_gcc_warnings=$enableval],
[gl_gcc_warnings=no]
)
if test "$gl_gcc_warnings" = yes; then
nw="$nw -Wsystem-headers" # Don't let system headers trigger warnings
nw="$nw -Wpadded" # Struct's arenot padded
nw="$nw -Wc++-compat" # We don't care strongly about C++ compilers
nw="$nw -Wtraditional" # Warns on #elif which we use often
nw="$nw -Wtraditional-conversion" # Too many warnings for now
nw="$nw -Wconversion" # Too many warnings for now
nw="$nw -Wsuggest-attribute=pure" # Is it worth using attributes?
nw="$nw -Wsuggest-attribute=const" # Is it worth using attributes?
nw="$nw -Waggregate-return" # returning structs shouldn't be a problem
gl_MANYWARN_ALL_GCC([ws])
gl_MANYWARN_COMPLEMENT(ws, [$ws], [$nw])
for w in $ws; do
gl_WARN_ADD([$w])
done
gl_WARN_ADD([-fdiagnostics-show-option])
fi
AC_ARG_ENABLE([ykcs11-debug],
[AS_HELP_STRING([--enable-ykcs11-debug],
[enables YKCS11 debug messages])],
[enable_ykcs11_debug="$enableval"],
[enable_ykcs11_debug="no"])
AS_IF([test "x$enable_ykcs11_debug" != xno],
[AC_DEFINE([YKCS11_DBG], [1], [Regular debug flag])
AC_DEFINE([YKCS11_DINOUT], [1], [Function accessed/left debug flag])
ykcs11_debug="ENABLED"],
[true],
[AC_DEFINE([YKCS11_DBG], [0], [Regular debug flag])
AC_DEFINE([YKCS11_DINOUT], [0], [Function accessed/left debug flag])
ykcs11_debug="DISABLED"])
AC_ARG_ENABLE([hardware-tests],
[AS_HELP_STRING([--enable-hardware-tests],
[enables tests that require a YubiKey to be plugged in])],
[enable_hardware_tests="$enableval"],
[enable_hardware_tests="no"])
AS_IF([test "x$enable_hardware_tests" != xno],
[AC_DEFINE([HW_TESTS], [1], [Flag for hardware tests])
hw_tests="ENABLED"],
[true],
[hw_tests="DISABLED"])
AC_SUBST(YKPIV_VERSION_MAJOR, `echo $PACKAGE_VERSION | sed 's/\(.*\)\..*\..*/\1/g'`)
AC_SUBST(YKPIV_VERSION_MINOR, `echo $PACKAGE_VERSION | sed 's/.*\.\(.*\)\..*/\1/g'`)
AC_SUBST(YKPIV_VERSION_PATCH, `echo $PACKAGE_VERSION | sed 's/.*\..*\.\(.*\)/\1/g'`)
AC_SUBST(YKPIV_VERSION_NUMBER, `printf "0x%02x%02x%02x" $YKPIV_VERSION_MAJOR $YKPIV_VERSION_MINOR $YKPIV_VERSION_PATCH`)
AC_SUBST(YKCS11_VERSION_MAJOR, `echo $PACKAGE_VERSION | sed 's/\(.*\)\..*\..*/\1/g'`)
AC_SUBST(YKCS11_VERSION_MINOR, `echo $PACKAGE_VERSION | sed 's/.*\.\(.*\)\..*/\1/g'`)
AC_SUBST(YKCS11_VERSION_PATCH, `echo $PACKAGE_VERSION | sed 's/.*\..*\.\(.*\)/\1/g'`)
AC_SUBST(YKCS11_VERSION_NUMBER, `printf "0x%02x%02x%02x" $YKCS11_VERSION_MAJOR $YKCS11_VERSION_MINOR $YKCS11_VERSION_PATCH`)
AC_CONFIG_FILES([
Makefile
lib/Makefile
lib/tests/Makefile
tool/Makefile
tool/tests/Makefile
lib/ykpiv-version.h
lib/ykpiv.pc
ykcs11/Makefile
ykcs11/ykcs11-version.h
ykcs11/ykcs11.pc
ykcs11/tests/Makefile
])
AC_OUTPUT
AC_MSG_NOTICE([summary of build options:
Version: ${VERSION}
Host type: ${host}
Install prefix: ${prefix}
Compiler: ${CC}
CFLAGS: ${CFLAGS}
CPPFLAGS: ${CPPFLAGS}
Warnings: ${WARN_CFLAGS}
Backend: ${with_backend}
OpenSSL version: ${OPENSSL_VERSION}
PCSC
CFLAGS: ${PCSC_CFLAGS}
LIBS: ${PCSC_LIBS}
Winscard
LIBS: ${PCSC_WIN_LIBS}
Mac PCSC
LIBS: ${PCSC_MACOSX_LIBS}
Custom PCSC
LIBS: ${PCSC_CUSTOM_LIBS}
YKCS11 debug: ${ykcs11_debug}
Hardware tests: ${hw_tests}
])
-36
View File
@@ -1,36 +0,0 @@
== Using Attestation
=== Introduction
This feature is only available in YubiKey 4.3 and newer.
A high level description of the thinking and how this can be used can be found
at https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
=== Usage
Attestation works through a special key slot called “f9” this comes
pre-loaded from factory with a key and cert signed by Yubico, but can be
overwritten.
After a key has been generated in a normal slot it can be attested by this
special key, this can be realised by using the yubico-piv-tool action attest:
$ yubico-piv-tool --action=generate --slot=9a
...
$ yubico-piv-tool --action=attest --slot=9a
The output of this is a PEM encoded certificate, signed by the key in slot f9.
=== Verifying
To verify an attestation step 1 is to build the certificate chain. Put the
attestation root certificate in a file (or if you trust several put all
of them in said file). The Yubico root certificate can be found at
https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem
Then add the keys attestation certificate to that file:
$ yubico-piv-tool --action=read-certificate --slot=f9 >> certs.pem
Now we're ready to verify the attestation:
$ yubico-piv-tool --action=attest --slot=9a > attestation.pem
$ openssl verify -CAfile certs.pem attestation.pem
attestation.pem: OK
-120
View File
@@ -1,120 +0,0 @@
== YKCS11
This is a PKCS#11 module that allows to communicate with the PIV
application running on a YubiKey.
This module is based on version 2.40 of the PKCS#11 (Cryptoki)
specifications.
The complete specifications are available at
https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html.
=== BUILDING
YKCS11 is automatically built as part of `yubico-piv-tool` and the
following command will suffice:
$ autoreconf --install
$ ./configure
$ make
$ sudo make install
More info about building yubico-piv-tool can be found in the related
`README` file or over at
https://developers.yubico.com/yubico-piv-tool/.
Once installed, the module will be found by default in
/usr/local/lib/libykcs11.so otherwise it will be built locally in
yubico-piv-tool/ykcs11/.libs/libykcs11.so
=== PORTABILITY
The module has been developed and tested using Debian GNU/Linux and
Ubuntu Linux. It is however possible to cross-compile it for Windows
and Mac OS X using the relative makefiles (windows.mk and mac.mk).
Both use PCSC as a backend.
Further testing at this stage has *not* been carried out, so
additional tweaks might be needed to use operating systems different
from Linux.
=== SUPPORTED FUNCTIONALITY AND KNOWN ISSUES
YKCS11 is not a full implementation of PKCS#11. Some functionality are
not present and others are not yet implemented.
In its current form YKCS11 implements a smaller subset of
functionality:
- RSA key generation +
1024 or 2048 bit keys can be generated;
- EC key generation +
curve prime256v1 is supported (256 bit keys);
- RSA signature +
supported mechanisms are RSA-X-509 (raw RSA), PKCS1 (unhashed),
PKCS1 with SHA1/256/384/512 and PSS with SHA1/256/384/512. The
latter is implemented but has not been tested, hence is provided as
is;
- ECDSA signature +
supported mechanism are ECDSA (raw) and ECDSA with SHA1;
- RSA and EC public key (X.509 certificate) import;
- RSA and EC private key import +
with possibility of setting individual PIN policies and touch to
sign (where supported);
- Public key deletion.
PKCS#11 defines two types of users: a regular user and a security
officer (SO). These have been mapped to perform regular usage of the
private key material (PIN-associated operations) and device management
(management-key associated operations).
==== Key Mapping
The module provides four main keys that can be used. These correspond
to the four main keys in PIV and accessible through yubico-piv-tool.
The mapping is as follows:
[cols="2*^", options="header"]
|===
|ykcs11 id|PIV
|0|9a
|1|9e
|2|9c
|3|9d
|===
==== PINs and Management Key
The default user PIN for the YubiKey is `123456`. +
The default management key is
`010203040506070801020304050607080102030405060708`. +
All the YubiKey personalization (e.g. changing PIN, changing
management key, resetting PINs, resetting the application) is
currently done using yubico-piv-tool.
In order to perform operations involving the private keys, a regular
user must be logged in (i.e. using the PIN). However, given the
different PIN policies for different keys, subsequent operations might
require a new login. Currently this is supported by the module
allowing multiple _Login_ operations with the appropriate user.
According to PKCS#11 however, a special user called `CONTEXT_SPECIFIC`
should be used for such operations. This is also supported and *might
become the only available mechanism in the future*.
==== Key Generation
Key pair generation is a particular operation, in the sense that
within PIV this is the only moment where the newly created public key
is given back to the user. To prevent the key from being lost it is
automatically stored within the YubiKey by wrapping it in an X.509
certificate. This certificate is however empty. It does not have other
valid information except for the public key.
==== DEBUGGING
By default the module has debugging disabled. This is _highly_ verbose
and might be confusing. In order to enabled it rebuild the project as
follows:
$ autoreconf --install
$ ./configure --enable-ykcs11-debug
$ make
$ sudo make install
-95
View File
@@ -1,95 +0,0 @@
== Yubico PIV Tool
The YubiKey supports the Personal Identity Verification (PIV) card
interface specified in NIST SP 800-73 document "Cryptographic
Algorithms and Key Sizes for PIV". PIV enables you to perform RSA or
ECC sign/decrypt operations using a private key stored on the
smartcard, through common interfaces like PKCS#11. This project
contain the library, tools and PKCS#11 module to interact with the
hardware functionality.
* PIV Standards https://csrc.nist.gov/groups/SNS/piv/standards.html
=== General information
The default PIN code is 123456. The default PUK code is 12345678.
The default 3DES management key (9B) is
010203040506070801020304050607080102030405060708.
The following key slots exists:
* 9A, 9C, 9D, 9E: RSA 1024, RSA 2048, or ECC secp256r1 keys
(algorithms 6, 7, 11 respectively).
* 9B: Triple-DES key (algorithm 3) for PIV management.
The maximum size of stored objects is 2025/3049 bytes for current versions of
YubiKey NEO and YubiKey 4, respectively.
Currently all functionality are available over both contact and
contactless interfaces (contrary to what the specifications mandate).
=== Preparing a YubiKey for real use
You would typically change the management key to make sure nobody but
you can modify the state of the PIV application on the YubiKey. Make sure to
keep a copy of the key around for later use.
All of these invocations will leave traces of keys and pins in the command line
history, this can be avoided by leaving the argument out all-together and the
software will ask for key/pin to be input. For the management key option (-k)
this is achieved by leaving out the value but will specifying -k.
$ key=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:lower:]' | tr -cd '[:xdigit:]' | fold -w48 | head -1)
$ echo ${key}
$ yubico-piv-tool -aset-mgm-key -n${key}
The PIN and PUK should be changed as well.
$ pin=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -cd '[:digit:]' | fold -w6 | head -1)
$ echo ${pin}
$ puk=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -cd '[:digit:]' | fold -w8 | head -1)
$ echo ${puk}
$ yubico-piv-tool -achange-pin -P123456 -N${pin}
$ yubico-piv-tool -achange-puk -P12345678 -N${puk}
=== Other useful commands
To generate a new private key:
$ yubico-piv-tool -k${key} -agenerate -s9c
To reset PIN/PUK retry counter AND codes (default pin 123456 puk
12345678):
$ yubico-piv-tool -k${key} -averify -P${pin} -apin-retries --pin-retries=3 --puk-retries=3
To reset the application (PIN/PUK need to be blocked hence trying a couple
of times -- you need to modify this if you have changed the default
number of PIN/PUK retries).
$ yubico-piv-tool -averify-pin -P471112
$ yubico-piv-tool -averify-pin -P471112
$ yubico-piv-tool -averify-pin -P471112
$ yubico-piv-tool -averify-pin -P471112
$ yubico-piv-tool -achange-puk -P471112 -N6756789
$ yubico-piv-tool -achange-puk -P471112 -N6756789
$ yubico-piv-tool -achange-puk -P471112 -N6756789
$ yubico-piv-tool -achange-puk -P471112 -N6756789
$ yubico-piv-tool -areset
=== Software
Card management has been tested with the tools from the OpenSC
project, specifically piv-tool, and Yubico's PIV software (see
below). Basic features should work with any PIV compliant
middleware.
* https://github.com/OpenSC/OpenSC/wiki
* https://developers.yubico.com/yubico-piv-tool/
* https://developers.yubico.com/yubikey-piv-manager/
* https://github.com/OpenSC/OpenSC/wiki/US-PIV
* https://github.com/OpenSC/OpenSC/wiki/PivTool
=== Card Holder Unique Identifier
For the application to be usable in windows the object CHUID (Card Holder
Unique Identifier) has to be set and unique. The card contents are
also aggressively cached so the CHUID has to be changed if the card
contents change.
-58
View File
@@ -1,58 +0,0 @@
# Copyright (c) 2014-2017 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Note: this build script is for testing OpenSSL 1.1 builds. The official
# Linux release builds are handled by the standard Makefile.
#
PACKAGE=yubico-piv-tool
OPENSSLVERSION=1.1.0g
all: linux
doit:
rm -rf tmp && mkdir tmp && cd tmp && \
mkdir -p root/licenses && \
cp ../openssl-$(OPENSSLVERSION).tar.gz . || \
curl -L -O "https://www.openssl.org/source/openssl-$(OPENSSLVERSION).tar.gz" && \
tar xfz openssl-$(OPENSSLVERSION).tar.gz && \
cd openssl-$(OPENSSLVERSION) && \
./Configure linux-x86_64 shared --prefix=$(PWD)/tmp/root $(CFLAGS) && \
make all install VERSION="$(OPENSSLVERSION)" && \
cp LICENSE $(PWD)/tmp$(ARCH)/root/licenses/openssl.txt && \
cd .. && \
cp ../$(PACKAGE)-$(VERSION).tar.gz . && \
tar xfz $(PACKAGE)-$(VERSION).tar.gz && \
cd $(PACKAGE)-$(VERSION)/ && \
CFLAGS=$(CFLAGS) PKG_CONFIG_PATH=$(PWD)/tmp/root/lib/pkgconfig ./configure --prefix=$(PWD)/tmp/root && \
make install $(CHECK) && \
cd .. && \
cd root && \
zip -r ../../$(PACKAGE)-$(VERSION)-linux-openssl-$(OPENSSLVERSION).zip *
linux:
$(MAKE) -f linux.mk doit CHECK=check
-312
View File
@@ -1,312 +0,0 @@
# This file is part of Autoconf. -*- Autoconf -*-
# Copyright (C) 2004 Oren Ben-Kiki
# This file is distributed under the same terms as the Autoconf macro files.
# Generate automatic documentation using Doxygen. Works in concert with the
# aminclude.m4 file and a compatible doxygen configuration file. Defines the
# following public macros:
#
# DX_???_FEATURE(ON|OFF) - control the default setting fo a Doxygen feature.
# Supported features are 'DOXYGEN' itself, 'DOT' for generating graphics,
# 'HTML' for plain HTML, 'CHM' for compressed HTML help (for MS users), 'CHI'
# for generating a seperate .chi file by the .chm file, and 'MAN', 'RTF',
# 'XML', 'PDF' and 'PS' for the appropriate output formats. The environment
# variable DOXYGEN_PAPER_SIZE may be specified to override the default 'a4wide'
# paper size.
#
# By default, HTML, PDF and PS documentation is generated as this seems to be
# the most popular and portable combination. MAN pages created by Doxygen are
# usually problematic, though by picking an appropriate subset and doing some
# massaging they might be better than nothing. CHM and RTF are specific for MS
# (note that you can't generate both HTML and CHM at the same time). The XML is
# rather useless unless you apply specialized post-processing to it.
#
# The macro mainly controls the default state of the feature. The use can
# override the default by specifying --enable or --disable. The macros ensure
# that contradictory flags are not given (e.g., --enable-doxygen-html and
# --enable-doxygen-chm, --enable-doxygen-anything with --disable-doxygen, etc.)
# Finally, each feature will be automatically disabled (with a warning) if the
# required programs are missing.
#
# Once all the feature defaults have been specified, call DX_INIT_DOXYGEN with
# the following parameters: a one-word name for the project for use as a
# filename base etc., an optional configuration file name (the default is
# 'Doxyfile', the same as Doxygen's default), and an optional output directory
# name (the default is 'doxygen-doc').
## ----------##
## Defaults. ##
## ----------##
DX_ENV=""
AC_DEFUN([DX_FEATURE_doc], ON)
AC_DEFUN([DX_FEATURE_dot], ON)
AC_DEFUN([DX_FEATURE_man], OFF)
AC_DEFUN([DX_FEATURE_html], ON)
AC_DEFUN([DX_FEATURE_chm], OFF)
AC_DEFUN([DX_FEATURE_chi], OFF)
AC_DEFUN([DX_FEATURE_rtf], OFF)
AC_DEFUN([DX_FEATURE_xml], OFF)
AC_DEFUN([DX_FEATURE_pdf], ON)
AC_DEFUN([DX_FEATURE_ps], ON)
## --------------- ##
## Private macros. ##
## --------------- ##
# DX_ENV_APPEND(VARIABLE, VALUE)
# ------------------------------
# Append VARIABLE="VALUE" to DX_ENV for invoking doxygen.
AC_DEFUN([DX_ENV_APPEND], [AC_SUBST([DX_ENV], ["$DX_ENV $1='$2'"])])
# DX_DIRNAME_EXPR
# ---------------
# Expand into a shell expression prints the directory part of a path.
AC_DEFUN([DX_DIRNAME_EXPR],
[[expr ".$1" : '\(\.\)[^/]*$' \| "x$1" : 'x\(.*\)/[^/]*$']])
# DX_IF_FEATURE(FEATURE, IF-ON, IF-OFF)
# -------------------------------------
# Expands according to the M4 (static) status of the feature.
AC_DEFUN([DX_IF_FEATURE], [ifelse(DX_FEATURE_$1, ON, [$2], [$3])])
# DX_REQUIRE_PROG(VARIABLE, PROGRAM)
# ----------------------------------
# Require the specified program to be found for the DX_CURRENT_FEATURE to work.
AC_DEFUN([DX_REQUIRE_PROG], [
AC_PATH_TOOL([$1], [$2])
if test "$DX_FLAG_[]DX_CURRENT_FEATURE$$1" = 1; then
AC_MSG_WARN([$2 not found - will not DX_CURRENT_DESCRIPTION])
AC_SUBST([DX_FLAG_]DX_CURRENT_FEATURE, 0)
fi
])
# DX_TEST_FEATURE(FEATURE)
# ------------------------
# Expand to a shell expression testing whether the feature is active.
AC_DEFUN([DX_TEST_FEATURE], [test "$DX_FLAG_$1" = 1])
# DX_CHECK_DEPEND(REQUIRED_FEATURE, REQUIRED_STATE)
# -------------------------------------------------
# Verify that a required features has the right state before trying to turn on
# the DX_CURRENT_FEATURE.
AC_DEFUN([DX_CHECK_DEPEND], [
test "$DX_FLAG_$1" = "$2" \
|| AC_MSG_ERROR([doxygen-DX_CURRENT_FEATURE ifelse([$2], 1,
requires, contradicts) doxygen-DX_CURRENT_FEATURE])
])
# DX_CLEAR_DEPEND(FEATURE, REQUIRED_FEATURE, REQUIRED_STATE)
# ----------------------------------------------------------
# Turn off the DX_CURRENT_FEATURE if the required feature is off.
AC_DEFUN([DX_CLEAR_DEPEND], [
test "$DX_FLAG_$1" = "$2" || AC_SUBST([DX_FLAG_]DX_CURRENT_FEATURE, 0)
])
# DX_FEATURE_ARG(FEATURE, DESCRIPTION,
# CHECK_DEPEND, CLEAR_DEPEND,
# REQUIRE, DO-IF-ON, DO-IF-OFF)
# --------------------------------------------
# Parse the command-line option controlling a feature. CHECK_DEPEND is called
# if the user explicitly turns the feature on (and invokes DX_CHECK_DEPEND),
# otherwise CLEAR_DEPEND is called to turn off the default state if a required
# feature is disabled (using DX_CLEAR_DEPEND). REQUIRE performs additional
# requirement tests (DX_REQUIRE_PROG). Finally, an automake flag is set and
# DO-IF-ON or DO-IF-OFF are called according to the final state of the feature.
AC_DEFUN([DX_ARG_ABLE], [
AC_DEFUN([DX_CURRENT_FEATURE], [$1])
AC_DEFUN([DX_CURRENT_DESCRIPTION], [$2])
AC_ARG_ENABLE(doxygen-$1,
[AS_HELP_STRING(DX_IF_FEATURE([$1], [--disable-doxygen-$1],
[--enable-doxygen-$1]),
DX_IF_FEATURE([$1], [don't $2], [$2]))],
[
case "$enableval" in
#(
y|Y|yes|Yes|YES)
AC_SUBST([DX_FLAG_$1], 1)
$3
;; #(
n|N|no|No|NO)
AC_SUBST([DX_FLAG_$1], 0)
;; #(
*)
AC_MSG_ERROR([invalid value '$enableval' given to doxygen-$1])
;;
esac
], [
AC_SUBST([DX_FLAG_$1], [DX_IF_FEATURE([$1], 1, 0)])
$4
])
if DX_TEST_FEATURE([$1]); then
$5
:
fi
if DX_TEST_FEATURE([$1]); then
AM_CONDITIONAL(DX_COND_$1, :)
$6
:
else
AM_CONDITIONAL(DX_COND_$1, false)
$7
:
fi
])
## -------------- ##
## Public macros. ##
## -------------- ##
# DX_XXX_FEATURE(DEFAULT_STATE)
# -----------------------------
AC_DEFUN([DX_DOXYGEN_FEATURE], [AC_DEFUN([DX_FEATURE_doc], [$1])])
AC_DEFUN([DX_MAN_FEATURE], [AC_DEFUN([DX_FEATURE_man], [$1])])
AC_DEFUN([DX_HTML_FEATURE], [AC_DEFUN([DX_FEATURE_html], [$1])])
AC_DEFUN([DX_CHM_FEATURE], [AC_DEFUN([DX_FEATURE_chm], [$1])])
AC_DEFUN([DX_CHI_FEATURE], [AC_DEFUN([DX_FEATURE_chi], [$1])])
AC_DEFUN([DX_RTF_FEATURE], [AC_DEFUN([DX_FEATURE_rtf], [$1])])
AC_DEFUN([DX_XML_FEATURE], [AC_DEFUN([DX_FEATURE_xml], [$1])])
AC_DEFUN([DX_XML_FEATURE], [AC_DEFUN([DX_FEATURE_xml], [$1])])
AC_DEFUN([DX_PDF_FEATURE], [AC_DEFUN([DX_FEATURE_pdf], [$1])])
AC_DEFUN([DX_PS_FEATURE], [AC_DEFUN([DX_FEATURE_ps], [$1])])
# DX_INIT_DOXYGEN(PROJECT, [CONFIG-FILE], [OUTPUT-DOC-DIR])
# ---------------------------------------------------------
# PROJECT also serves as the base name for the documentation files.
# The default CONFIG-FILE is "Doxyfile" and OUTPUT-DOC-DIR is "doxygen-doc".
AC_DEFUN([DX_INIT_DOXYGEN], [
# Files:
AC_SUBST([DX_PROJECT], [$1])
AC_SUBST([DX_CONFIG], [ifelse([$2], [], Doxyfile, [$2])])
AC_SUBST([DX_DOCDIR], [ifelse([$3], [], doxygen-doc, [$3])])
# Environment variables used inside doxygen.cfg:
DX_ENV_APPEND(SRCDIR, $srcdir)
DX_ENV_APPEND(PROJECT, $DX_PROJECT)
DX_ENV_APPEND(DOCDIR, $DX_DOCDIR)
DX_ENV_APPEND(VERSION, $PACKAGE_VERSION)
# Doxygen itself:
DX_ARG_ABLE(doc, [generate any doxygen documentation],
[],
[],
[DX_REQUIRE_PROG([DX_DOXYGEN], doxygen)
DX_REQUIRE_PROG([DX_PERL], perl)],
[DX_ENV_APPEND(PERL_PATH, $DX_PERL)])
# Dot for graphics:
DX_ARG_ABLE(dot, [generate graphics for doxygen documentation],
[DX_CHECK_DEPEND(doc, 1)],
[DX_CLEAR_DEPEND(doc, 1)],
[DX_REQUIRE_PROG([DX_DOT], dot)],
[DX_ENV_APPEND(HAVE_DOT, YES)
DX_ENV_APPEND(DOT_PATH, [`DX_DIRNAME_EXPR($DX_DOT)`])],
[DX_ENV_APPEND(HAVE_DOT, NO)])
# Man pages generation:
DX_ARG_ABLE(man, [generate doxygen manual pages],
[DX_CHECK_DEPEND(doc, 1)],
[DX_CLEAR_DEPEND(doc, 1)],
[],
[DX_ENV_APPEND(GENERATE_MAN, YES)],
[DX_ENV_APPEND(GENERATE_MAN, NO)])
# RTF file generation:
DX_ARG_ABLE(rtf, [generate doxygen RTF documentation],
[DX_CHECK_DEPEND(doc, 1)],
[DX_CLEAR_DEPEND(doc, 1)],
[],
[DX_ENV_APPEND(GENERATE_RTF, YES)],
[DX_ENV_APPEND(GENERATE_RTF, NO)])
# XML file generation:
DX_ARG_ABLE(xml, [generate doxygen XML documentation],
[DX_CHECK_DEPEND(doc, 1)],
[DX_CLEAR_DEPEND(doc, 1)],
[],
[DX_ENV_APPEND(GENERATE_XML, YES)],
[DX_ENV_APPEND(GENERATE_XML, NO)])
# (Compressed) HTML help generation:
DX_ARG_ABLE(chm, [generate doxygen compressed HTML help documentation],
[DX_CHECK_DEPEND(doc, 1)],
[DX_CLEAR_DEPEND(doc, 1)],
[DX_REQUIRE_PROG([DX_HHC], hhc)],
[DX_ENV_APPEND(HHC_PATH, $DX_HHC)
DX_ENV_APPEND(GENERATE_HTML, YES)
DX_ENV_APPEND(GENERATE_HTMLHELP, YES)],
[DX_ENV_APPEND(GENERATE_HTMLHELP, NO)])
# Seperate CHI file generation.
DX_ARG_ABLE(chi, [generate doxygen seperate compressed HTML help index file],
[DX_CHECK_DEPEND(chm, 1)],
[DX_CLEAR_DEPEND(chm, 1)],
[],
[DX_ENV_APPEND(GENERATE_CHI, YES)],
[DX_ENV_APPEND(GENERATE_CHI, NO)])
# Plain HTML pages generation:
DX_ARG_ABLE(html, [generate doxygen plain HTML documentation],
[DX_CHECK_DEPEND(doc, 1) DX_CHECK_DEPEND(chm, 0)],
[DX_CLEAR_DEPEND(doc, 1) DX_CLEAR_DEPEND(chm, 0)],
[],
[DX_ENV_APPEND(GENERATE_HTML, YES)],
[DX_TEST_FEATURE(chm) || DX_ENV_APPEND(GENERATE_HTML, NO)])
# PostScript file generation:
DX_ARG_ABLE(ps, [generate doxygen PostScript documentation],
[DX_CHECK_DEPEND(doc, 1)],
[DX_CLEAR_DEPEND(doc, 1)],
[DX_REQUIRE_PROG([DX_LATEX], latex)
DX_REQUIRE_PROG([DX_MAKEINDEX], makeindex)
DX_REQUIRE_PROG([DX_DVIPS], dvips)
DX_REQUIRE_PROG([DX_EGREP], egrep)])
# PDF file generation:
DX_ARG_ABLE(pdf, [generate doxygen PDF documentation],
[DX_CHECK_DEPEND(doc, 1)],
[DX_CLEAR_DEPEND(doc, 1)],
[DX_REQUIRE_PROG([DX_PDFLATEX], pdflatex)
DX_REQUIRE_PROG([DX_MAKEINDEX], makeindex)
DX_REQUIRE_PROG([DX_EGREP], egrep)])
# LaTeX generation for PS and/or PDF:
if DX_TEST_FEATURE(ps) || DX_TEST_FEATURE(pdf); then
AM_CONDITIONAL(DX_COND_latex, :)
DX_ENV_APPEND(GENERATE_LATEX, YES)
else
AM_CONDITIONAL(DX_COND_latex, false)
DX_ENV_APPEND(GENERATE_LATEX, NO)
fi
# Paper size for PS and/or PDF:
AC_ARG_VAR(DOXYGEN_PAPER_SIZE,
[a4wide (default), a4, letter, legal or executive])
case "$DOXYGEN_PAPER_SIZE" in
#(
"")
AC_SUBST(DOXYGEN_PAPER_SIZE, "")
;; #(
a4wide|a4|letter|legal|executive)
DX_ENV_APPEND(PAPER_SIZE, $DOXYGEN_PAPER_SIZE)
;; #(
*)
AC_MSG_ERROR([unknown DOXYGEN_PAPER_SIZE='$DOXYGEN_PAPER_SIZE'])
;;
esac
#For debugging:
#echo DX_FLAG_doc=$DX_FLAG_doc
#echo DX_FLAG_dot=$DX_FLAG_dot
#echo DX_FLAG_man=$DX_FLAG_man
#echo DX_FLAG_html=$DX_FLAG_html
#echo DX_FLAG_chm=$DX_FLAG_chm
#echo DX_FLAG_chi=$DX_FLAG_chi
#echo DX_FLAG_rtf=$DX_FLAG_rtf
#echo DX_FLAG_xml=$DX_FLAG_xml
#echo DX_FLAG_pdf=$DX_FLAG_pdf
#echo DX_FLAG_ps=$DX_FLAG_ps
#echo DX_ENV=$DX_ENV
])
-53
View File
@@ -1,53 +0,0 @@
# ld-version-script.m4 serial 3
dnl Copyright (C) 2008-2012 Free Software Foundation, Inc.
dnl This file is free software; the Free Software Foundation
dnl gives unlimited permission to copy and/or distribute it,
dnl with or without modifications, as long as this notice is preserved.
dnl From Simon Josefsson
# FIXME: The test below returns a false positive for mingw
# cross-compiles, 'local:' statements does not reduce number of
# exported symbols in a DLL. Use --disable-ld-version-script to work
# around the problem.
# gl_LD_VERSION_SCRIPT
# --------------------
# Check if LD supports linker scripts, and define automake conditional
# HAVE_LD_VERSION_SCRIPT if so.
AC_DEFUN([gl_LD_VERSION_SCRIPT],
[
AC_ARG_ENABLE([ld-version-script],
AS_HELP_STRING([--enable-ld-version-script],
[enable linker version script (default is enabled when possible)]),
[have_ld_version_script=$enableval], [])
if test -z "$have_ld_version_script"; then
AC_MSG_CHECKING([if LD -Wl,--version-script works])
save_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map"
cat > conftest.map <<EOF
foo
EOF
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
[accepts_syntax_errors=yes], [accepts_syntax_errors=no])
if test "$accepts_syntax_errors" = no; then
cat > conftest.map <<EOF
VERS_1 {
global: sym;
};
VERS_2 {
global: sym;
} VERS_1;
EOF
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
[have_ld_version_script=yes], [have_ld_version_script=no])
else
have_ld_version_script=no
fi
rm -f conftest.map
LDFLAGS="$save_LDFLAGS"
AC_MSG_RESULT($have_ld_version_script)
fi
AM_CONDITIONAL(HAVE_LD_VERSION_SCRIPT, test "$have_ld_version_script" = "yes")
])
-182
View File
@@ -1,182 +0,0 @@
# manywarnings.m4 serial 4
dnl Copyright (C) 2008-2012 Free Software Foundation, Inc.
dnl This file is free software; the Free Software Foundation
dnl gives unlimited permission to copy and/or distribute it,
dnl with or without modifications, as long as this notice is preserved.
dnl From Simon Josefsson
# gl_MANYWARN_COMPLEMENT(OUTVAR, LISTVAR, REMOVEVAR)
# --------------------------------------------------
# Copy LISTVAR to OUTVAR except for the entries in REMOVEVAR.
# Elements separated by whitespace. In set logic terms, the function
# does OUTVAR = LISTVAR \ REMOVEVAR.
AC_DEFUN([gl_MANYWARN_COMPLEMENT],
[
gl_warn_set=
set x $2; shift
for gl_warn_item
do
case " $3 " in
*" $gl_warn_item "*)
;;
*)
gl_warn_set="$gl_warn_set $gl_warn_item"
;;
esac
done
$1=$gl_warn_set
])
# gl_MANYWARN_ALL_GCC(VARIABLE)
# -----------------------------
# Add all documented GCC warning parameters to variable VARIABLE.
# Note that you need to test them using gl_WARN_ADD if you want to
# make sure your gcc understands it.
AC_DEFUN([gl_MANYWARN_ALL_GCC],
[
dnl First, check if -Wno-missing-field-initializers is needed.
dnl -Wmissing-field-initializers is implied by -W, but that issues
dnl warnings with GCC version before 4.7, for the common idiom
dnl of initializing types on the stack to zero, using { 0, }
AC_REQUIRE([AC_PROG_CC])
if test -n "$GCC"; then
dnl First, check -W -Werror -Wno-missing-field-initializers is supported
dnl with the current $CC $CFLAGS $CPPFLAGS.
AC_MSG_CHECKING([whether -Wno-missing-field-initializers is supported])
AC_CACHE_VAL([gl_cv_cc_nomfi_supported], [
gl_save_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -W -Werror -Wno-missing-field-initializers"
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[]], [[]])],
[gl_cv_cc_nomfi_supported=yes],
[gl_cv_cc_nomfi_supported=no])
CFLAGS="$gl_save_CFLAGS"])
AC_MSG_RESULT([$gl_cv_cc_nomfi_supported])
if test "$gl_cv_cc_nomfi_supported" = yes; then
dnl Now check whether -Wno-missing-field-initializers is needed
dnl for the { 0, } construct.
AC_MSG_CHECKING([whether -Wno-missing-field-initializers is needed])
AC_CACHE_VAL([gl_cv_cc_nomfi_needed], [
gl_save_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -W -Werror"
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[void f (void)
{
typedef struct { int a; int b; } s_t;
s_t s1 = { 0, };
}
]],
[[]])],
[gl_cv_cc_nomfi_needed=no],
[gl_cv_cc_nomfi_needed=yes])
CFLAGS="$gl_save_CFLAGS"
])
AC_MSG_RESULT([$gl_cv_cc_nomfi_needed])
fi
fi
gl_manywarn_set=
for gl_manywarn_item in \
-Wall \
-W \
-Wformat-y2k \
-Wformat-nonliteral \
-Wformat-security \
-Winit-self \
-Wmissing-include-dirs \
-Wswitch-default \
-Wswitch-enum \
-Wunused \
-Wunknown-pragmas \
-Wstrict-aliasing \
-Wstrict-overflow \
-Wsystem-headers \
-Wfloat-equal \
-Wtraditional \
-Wtraditional-conversion \
-Wdeclaration-after-statement \
-Wundef \
-Wshadow \
-Wunsafe-loop-optimizations \
-Wpointer-arith \
-Wbad-function-cast \
-Wc++-compat \
-Wcast-qual \
-Wcast-align \
-Wwrite-strings \
-Wconversion \
-Wsign-conversion \
-Wlogical-op \
-Waggregate-return \
-Wstrict-prototypes \
-Wold-style-definition \
-Wmissing-prototypes \
-Wmissing-declarations \
-Wmissing-noreturn \
-Wmissing-format-attribute \
-Wpacked \
-Wpadded \
-Wredundant-decls \
-Wnested-externs \
-Wunreachable-code \
-Winline \
-Winvalid-pch \
-Wlong-long \
-Wvla \
-Wvolatile-register-var \
-Wdisabled-optimization \
-Wstack-protector \
-Woverlength-strings \
-Wbuiltin-macro-redefined \
-Wpacked-bitfield-compat \
-Wsync-nand \
; do
gl_manywarn_set="$gl_manywarn_set $gl_manywarn_item"
done
# The following are not documented in the manual but are included in
# output from gcc --help=warnings.
for gl_manywarn_item in \
-Wattributes \
-Wcoverage-mismatch \
-Wunused-macros \
; do
gl_manywarn_set="$gl_manywarn_set $gl_manywarn_item"
done
# More warnings from gcc 4.6.2 --help=warnings.
for gl_manywarn_item in \
-Wabi \
-Wcpp \
-Wdeprecated \
-Wdeprecated-declarations \
-Wdiv-by-zero \
-Wdouble-promotion \
-Wendif-labels \
-Wextra \
-Wformat-contains-nul \
-Wformat-extra-args \
-Wformat-zero-length \
-Wformat=2 \
-Wmultichar \
-Wnormalized=nfc \
-Woverflow \
-Wpointer-to-int-cast \
-Wpragmas \
-Wsuggest-attribute=const \
-Wsuggest-attribute=noreturn \
-Wsuggest-attribute=pure \
-Wtrampolines \
; do
gl_manywarn_set="$gl_manywarn_set $gl_manywarn_item"
done
# Disable the missing-field-initializers warning if needed
if test "$gl_cv_cc_nomfi_needed" = yes; then
gl_manywarn_set="$gl_manywarn_set -Wno-missing-field-initializers"
fi
$1=$gl_manywarn_set
])
-157
View File
@@ -1,157 +0,0 @@
# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*-
#
# Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# PKG_PROG_PKG_CONFIG([MIN-VERSION])
# ----------------------------------
AC_DEFUN([PKG_PROG_PKG_CONFIG],
[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl
if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
fi
if test -n "$PKG_CONFIG"; then
_pkg_min_version=m4_default([$1], [0.9.0])
AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
PKG_CONFIG=""
fi
fi[]dnl
])# PKG_PROG_PKG_CONFIG
# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
#
# Check to see whether a particular set of modules exists. Similar
# to PKG_CHECK_MODULES(), but does not set variables or print errors.
#
#
# Similar to PKG_CHECK_MODULES, make sure that the first instance of
# this or PKG_CHECK_MODULES is called, or make sure to call
# PKG_CHECK_EXISTS manually
# --------------------------------------------------------------
AC_DEFUN([PKG_CHECK_EXISTS],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
if test -n "$PKG_CONFIG" && \
AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
m4_ifval([$2], [$2], [:])
m4_ifvaln([$3], [else
$3])dnl
fi])
# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
# ---------------------------------------------
m4_define([_PKG_CONFIG],
[if test -n "$PKG_CONFIG"; then
if test -n "$$1"; then
pkg_cv_[]$1="$$1"
else
PKG_CHECK_EXISTS([$3],
[pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
[pkg_failed=yes])
fi
else
pkg_failed=untried
fi[]dnl
])# _PKG_CONFIG
# _PKG_SHORT_ERRORS_SUPPORTED
# -----------------------------
AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
_pkg_short_errors_supported=yes
else
_pkg_short_errors_supported=no
fi[]dnl
])# _PKG_SHORT_ERRORS_SUPPORTED
# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
# [ACTION-IF-NOT-FOUND])
#
#
# Note that if there is a possibility the first call to
# PKG_CHECK_MODULES might not happen, you should be sure to include an
# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
#
#
# --------------------------------------------------------------
AC_DEFUN([PKG_CHECK_MODULES],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
pkg_failed=no
AC_MSG_CHECKING([for $1])
_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
_PKG_CONFIG([$1][_LIBS], [libs], [$2])
m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
and $1[]_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.])
if test $pkg_failed = yes; then
_PKG_SHORT_ERRORS_SUPPORTED
if test $_pkg_short_errors_supported = yes; then
$1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"`
else
$1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"`
fi
# Put the nasty error message in config.log where it belongs
echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
ifelse([$4], , [AC_MSG_ERROR(dnl
[Package requirements ($2) were not met:
$$1_PKG_ERRORS
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
_PKG_TEXT
])],
[AC_MSG_RESULT([no])
$4])
elif test $pkg_failed = untried; then
ifelse([$4], , [AC_MSG_FAILURE(dnl
[The pkg-config script could not be found or is too old. Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.
_PKG_TEXT
To get pkg-config, see <https://www.freedesktop.org/wiki/Software/pkg-config/>.])],
[$4])
else
$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
AC_MSG_RESULT([yes])
ifelse([$3], , :, [$3])
fi[]dnl
])# PKG_CHECK_MODULES
-37
View File
@@ -1,37 +0,0 @@
# valgrind-tests.m4 serial 3
dnl Copyright (C) 2008-2014 Free Software Foundation, Inc.
dnl This file is free software; the Free Software Foundation
dnl gives unlimited permission to copy and/or distribute it,
dnl with or without modifications, as long as this notice is preserved.
dnl From Simon Josefsson
# gl_VALGRIND_TESTS()
# -------------------
# Check if valgrind is available, and set VALGRIND to it if available.
AC_DEFUN([gl_VALGRIND_TESTS],
[
AC_ARG_ENABLE(valgrind-tests,
AS_HELP_STRING([--enable-valgrind-tests],
[run self tests under valgrind]),
[opt_valgrind_tests=$enableval], [opt_valgrind_tests=yes])
# Run self-tests under valgrind?
if test "$opt_valgrind_tests" = "yes" && test "$cross_compiling" = no; then
AC_CHECK_PROGS(VALGRIND, valgrind)
fi
OPTS="-q --error-exitcode=1 --leak-check=full"
if test -n "$VALGRIND" \
&& $VALGRIND $OPTS $SHELL -c 'exit 0' > /dev/null 2>&1; then
opt_valgrind_tests=yes
VALGRIND="$VALGRIND $OPTS"
else
opt_valgrind_tests=no
VALGRIND=
fi
AC_MSG_CHECKING([whether self tests are run under valgrind])
AC_MSG_RESULT($opt_valgrind_tests)
])
-61
View File
@@ -1,61 +0,0 @@
# warnings.m4 serial 7
dnl Copyright (C) 2008-2012 Free Software Foundation, Inc.
dnl This file is free software; the Free Software Foundation
dnl gives unlimited permission to copy and/or distribute it,
dnl with or without modifications, as long as this notice is preserved.
dnl From Simon Josefsson
# gl_AS_VAR_APPEND(VAR, VALUE)
# ----------------------------
# Provide the functionality of AS_VAR_APPEND if Autoconf does not have it.
m4_ifdef([AS_VAR_APPEND],
[m4_copy([AS_VAR_APPEND], [gl_AS_VAR_APPEND])],
[m4_define([gl_AS_VAR_APPEND],
[AS_VAR_SET([$1], [AS_VAR_GET([$1])$2])])])
# gl_COMPILER_OPTION_IF(OPTION, [IF-SUPPORTED], [IF-NOT-SUPPORTED],
# [PROGRAM = AC_LANG_PROGRAM()])
# -----------------------------------------------------------------
# Check if the compiler supports OPTION when compiling PROGRAM.
#
# FIXME: gl_Warn must be used unquoted until we can assume Autoconf
# 2.64 or newer.
AC_DEFUN([gl_COMPILER_OPTION_IF],
[AS_VAR_PUSHDEF([gl_Warn], [gl_cv_warn_[]_AC_LANG_ABBREV[]_$1])dnl
AS_VAR_PUSHDEF([gl_Flags], [_AC_LANG_PREFIX[]FLAGS])dnl
AC_CACHE_CHECK([whether _AC_LANG compiler handles $1], m4_defn([gl_Warn]), [
gl_save_compiler_FLAGS="$gl_Flags"
gl_AS_VAR_APPEND(m4_defn([gl_Flags]), [" $1"])
AC_COMPILE_IFELSE([m4_default([$4], [AC_LANG_PROGRAM([])])],
[AS_VAR_SET(gl_Warn, [yes])],
[AS_VAR_SET(gl_Warn, [no])])
gl_Flags="$gl_save_compiler_FLAGS"
])
AS_VAR_IF(gl_Warn, [yes], [$2], [$3])
AS_VAR_POPDEF([gl_Flags])dnl
AS_VAR_POPDEF([gl_Warn])dnl
])
# gl_WARN_ADD(OPTION, [VARIABLE = WARN_CFLAGS],
# [PROGRAM = AC_LANG_PROGRAM()])
# ---------------------------------------------
# Adds parameter to WARN_CFLAGS if the compiler supports it when
# compiling PROGRAM. For example, gl_WARN_ADD([-Wparentheses]).
#
# If VARIABLE is a variable name, AC_SUBST it.
AC_DEFUN([gl_WARN_ADD],
[gl_COMPILER_OPTION_IF([$1],
[gl_AS_VAR_APPEND(m4_if([$2], [], [[WARN_CFLAGS]], [[$2]]), [" $1"])],
[],
[$3])
m4_ifval([$2],
[AS_LITERAL_IF([$2], [AC_SUBST([$2])])],
[AC_SUBST([WARN_CFLAGS])])dnl
])
# Local Variables:
# mode: autoconf
# End:
-98
View File
@@ -1,98 +0,0 @@
# Copyright (c) 2014-2016 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PACKAGE=yubico-piv-tool
OPENSSLVERSION=1.0.2r
CFLAGS="-mmacosx-version-min=10.6"
all: usage mac
.PHONY: usage
usage:
@if test -z "$(VERSION)" || test -z "$(PGPKEYID)"; then \
echo "Try this instead:"; \
echo " make PGPKEYID=[PGPKEYID] VERSION=[VERSION]"; \
echo "For example:"; \
echo " make PGPKEYID=2117364A VERSION=1.6.0"; \
exit 1; \
fi
doit:
rm -rf tmp && mkdir tmp && cd tmp && \
mkdir -p root/licenses && \
cp ../openssl-$(OPENSSLVERSION).tar.gz . || \
curl -L -O "https://www.openssl.org/source/openssl-$(OPENSSLVERSION).tar.gz" && \
tar xfz openssl-$(OPENSSLVERSION).tar.gz && \
cd openssl-$(OPENSSLVERSION) && \
./Configure darwin64-x86_64-cc shared no-ssl2 no-ssl3 no-engines --prefix=$(PWD)/tmp/root $(CFLAGS) && \
make all install_sw VERSION="$(OPENSSLVERSION)" && \
cp LICENSE $(PWD)/tmp$(ARCH)/root/licenses/openssl.txt && \
rm -rf $(PWD)/tmp/root/ssl/ && \
rm -rf $(PWD)/tmp/root/bin/ && \
rm -rf $(PWD)/tmp/root/lib/engines/ && \
rm -rf $(PWD)/tmp/root/lib/libssl* && \
rm $(PWD)/tmp/root/lib/pkgconfig/libssl.pc && \
rm $(PWD)/tmp/root/lib/pkgconfig/openssl.pc && \
cd .. && \
cp ../$(PACKAGE)-$(VERSION).tar.gz . && \
tar xfz $(PACKAGE)-$(VERSION).tar.gz && \
cd $(PACKAGE)-$(VERSION)/ && \
CFLAGS=$(CFLAGS) PKG_CONFIG_PATH=$(PWD)/tmp/root/lib/pkgconfig ./configure --prefix=$(PWD)/tmp/root && \
make install $(CHECK) && \
chmod u+w $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib && \
install_name_tool -id @loader_path/libcrypto.1.0.0.dylib $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib && \
install_name_tool -id @loader_path/libykpiv.1.dylib $(PWD)/tmp/root/lib/libykpiv.1.dylib && \
install_name_tool -id @loader_path/libykcs11.1.dylib $(PWD)/tmp/root/lib/libykcs11.1.dylib && \
install_name_tool -change $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib @loader_path/libcrypto.1.0.0.dylib $(PWD)/tmp/root/lib/libykpiv.1.dylib && \
install_name_tool -change $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib @loader_path/libcrypto.1.0.0.dylib $(PWD)/tmp/root/lib/libykcs11.1.dylib && \
install_name_tool -change $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib @executable_path/../lib/libcrypto.1.0.0.dylib $(PWD)/tmp/root/bin/yubico-piv-tool && \
install_name_tool -change $(PWD)/tmp/root/lib/libykpiv.1.dylib @loader_path/libykpiv.1.dylib $(PWD)/tmp/root/lib/libykcs11.1.dylib && \
install_name_tool -change $(PWD)/tmp/root/lib/libykpiv.1.dylib @executable_path/../lib/libykpiv.1.dylib $(PWD)/tmp/root/bin/yubico-piv-tool ; \
if otool -L $(PWD)/tmp/root/lib/*.dylib $(PWD)/tmp/root/bin/* | grep '$(PWD)/tmp/root' | grep -q compatibility; then \
echo "something is incorrectly linked!"; \
exit 1; \
fi && \
rm $(PWD)/tmp/root/lib/*.la && \
rm -rf $(PWD)/tmp/root/lib/pkgconfig && \
cp COPYING $(PWD)/tmp/root/licenses/$(PACKAGE).txt && \
cd .. && \
cd root && \
zip -r ../../$(PACKAGE)-$(VERSION)-mac.zip *
mac:
$(MAKE) -f mac.mk doit CHECK=check
upload-mac:
@if test ! -d "$(YUBICO_GITHUB_REPO)"; then \
echo "yubico.github.com repo not found!"; \
echo "Make sure that YUBICO_GITHUB_REPO is set"; \
exit 1; \
fi
gpg --detach-sign --default-key $(PGPKEYID) \
$(PACKAGE)-$(VERSION)-mac.zip
gpg --verify $(PACKAGE)-$(VERSION)-mac.zip.sig
$(YUBICO_GITHUB_REPO)/publish $(PACKAGE) $(VERSION) $(PACKAGE)-$(VERSION)-mac.zip*
-29
View File
@@ -1,29 +0,0 @@
#!/bin/bash
# Output redirected to fd 0 so it can be run from 'make check' scripts.
echo >&0
echo "Hardware tests enabled!" >&0
echo >&0
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
echo >&0
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
echo >&0
echo " ALL DATA WILL BE ERASED ON CONNECTED YUBIKEYS " >&0
echo >&0
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
echo >&0
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
echo >&0
echo -n "Are you SURE you wish to proceed? If so, type 'CONFIRM': " >&0
read CONFIRM
if [[ "x$CONFIRM" != "xCONFIRM" ]]; then
echo "1"
exit 1
fi
echo "0"
-94
View File
@@ -1,94 +0,0 @@
#!/usr/bin/perl
# Copyright (c) 2014-2016 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This little perl program takes an input like:
# S9999F9999F999999F0F1F0000000000300001E
# and outputs that in hex, encoded in the 5-bit form described in
# "Technical Implementation Guidance: Smart Card Enabled Physical Access
# Control Systems Version 2.2", Section 6.2, Figure 7.
use strict;
use Bit::Vector;
my %encoding = (
0 => "00001",
1 => "10000",
2 => "01000",
3 => "11001",
4 => "00100",
5 => "10101",
6 => "01101",
7 => "11100",
8 => "00010",
9 => "10011",
S => "11010",
F => "10110",
E => "11111",
);
my $in = shift;
my @ones = (0, 0, 0, 0);
my $bits;
foreach my $char (split(//, $in)) {
my $enc = $encoding{$char};
for(my $i = 0; $i < 4; $i++) {
my $char = substr($enc, $i, 1);
if($char eq '1') {
$ones[$i]++;
}
}
$bits .= $enc;
}
my $lrc = "";
my $lrc_one = 0;
foreach my $one (@ones) {
if($one % 2 == 0) {
$lrc .= '0';
} else {
$lrc .= '1';
$lrc_one++;
}
}
if($lrc_one % 2 == 0) {
$lrc .= '1';
} else {
$lrc .= '0';
}
$bits .= $lrc;
my $vector = Bit::Vector->new(200);
$vector->from_Bin($bits);
my $hex = $vector->to_Hex();
for(my $i = 0; $i < length($hex); $i += 2) {
print "0x" . substr($hex, $i , 2) . ", ";
}
print "\n";
-16
View File
@@ -1,16 +0,0 @@
Vagrant VM for development
===
Usage:
alice@work $ cd yubico-piv-tool/vagrant/development
alice@work $ vagrant up
alice@work $ vagrant ssh
ubuntu@ubuntu-xenial $ cd /vagrant
ubuntu@ubuntu-xenial $ autoreconf --install
ubuntu@ubuntu-xenial $ ./configure
ubuntu@ubuntu-xenial $ make
ubuntu@ubuntu-xenial $ sudo make install
ubuntu@ubuntu-xenial $ yubico-piv-tool --help
ubuntu@ubuntu-xenial $ exit
alice@work $ vagrant destroy
-42
View File
@@ -1,42 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
# Use Ubuntu 16.04 Xenial as a base box.
config.vm.box = "ubuntu/xenial64"
# Install dependencies needed for yubikey-piv-manager development.
config.vm.provision "shell", path: "provision.sh"
# Sync repository to /vagrant
config.vm.synced_folder '../..', '/vagrant'
# VirtualBox configuration
config.vm.provider "virtualbox" do |vb|
vb.name = "yubikey-piv-tool_development"
end
# Uncomment this to add a USB filter for YubiKeys.
# This will connect the YubiKey to the VM when re-inserted.
# This filter uses VirtualBox as provider.
# Modify the paramters as needed depending on the device.
FILTER_NAME="YubiKey 4"
MANUFACTURER="Yubico"
VENDOR_ID="0x1050"
PRODUCT_ID="0x0407"
PRODUCT="Yubikey 4 OTP+U2F+CCID"
config.vm.provider "virtualbox" do |vb|
vb.customize ['modifyvm', :id, '--usb', 'on']
vb.customize ['usbfilter', 'add', '0',
'--target', :id,
'--name', FILTER_NAME,
'--manufacturer', MANUFACTURER,
'--vendorid', VENDOR_ID,
'--productid', PRODUCT_ID,
'--product', PRODUCT]
end
end
-19
View File
@@ -1,19 +0,0 @@
#! /usr/bin/env bash
# Install development dependencies
sudo apt-get update -qq
sudo apt-get install -qq software-properties-common
sudo add-apt-repository -y ppa:yubico/stable
sudo apt-get update -qq && apt-get -qq upgrade
sudo apt-get install -qq \
autoconf \
automake \
check \
gengetopt \
help2man \
libpcsclite-dev \
libssl-dev \
libtool \
libykpiv1 \
pkg-config \
virtualbox-guest-dkms
-102
View File
@@ -1,102 +0,0 @@
# Copyright (c) 2014-2016 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PACKAGE=yubico-piv-tool
OPENSSLVERSION=1.0.2r
CHECKVERSION=0.12.0
all: usage 32bit 64bit
.PHONY: usage
usage:
@if test -z "$(VERSION)" || test -z "$(PGPKEYID)"; then \
echo "Try this instead:"; \
echo " make PGPKEYID=[PGPKEYID] VERSION=[VERSION]"; \
echo "For example:"; \
echo " make PGPKEYID=2117364A VERSION=1.6.0"; \
exit 1; \
fi
doit:
rm -rf tmp$(ARCH) && mkdir tmp$(ARCH) && cd tmp$(ARCH) && \
mkdir -p root/licenses && \
cp ../openssl-$(OPENSSLVERSION).tar.gz . || \
curl -L -O "https://www.openssl.org/source/openssl-$(OPENSSLVERSION).tar.gz" && \
tar xfa openssl-$(OPENSSLVERSION).tar.gz && \
cd openssl-$(OPENSSLVERSION) && \
CROSS_COMPILE="$(HOST)-" ./Configure mingw$(64) no-ssl2 no-ssl3 no-engines shared --prefix=$(PWD)/tmp$(ARCH)/root -static-libgcc && \
make depend all install_sw VERSION="$(OPENSSLVERSION)" && \
cp LICENSE $(PWD)/tmp$(ARCH)/root/licenses/openssl.txt && \
rm -rf $(PWD)/tmp$(ARCH)/root/ssl/ && \
rm $(PWD)/tmp$(ARCH)/root/bin/openssl.exe && \
rm $(PWD)/tmp$(ARCH)/root/bin/c_rehash && \
rm -rf $(PWD)/tmp$(ARCH)/root/lib/engines/ && \
cd .. && \
cp ../check-$(CHECKVERSION).tar.gz . || \
curl -L -O "https://github.com/libcheck/check/releases/download/$(CHECKVERSION)/check-$(CHECKVERSION).tar.gz" && \
tar xfa check-$(CHECKVERSION).tar.gz && \
cd check-$(CHECKVERSION) && \
CC=$(HOST)-gcc PKG_CONFIG_PATH=$(PWD)/tmp$(ARCH)/root/lib/pkgconfig ./configure --host=$(HOST) --build=x86_64-unknown-linux-gnu --prefix=$(PWD)/tmp$(ARCH)/root --disable-subunit --enable-static --disable-shared && \
make all install && \
cd .. && \
cp ../$(PACKAGE)-$(VERSION).tar.gz . && \
tar xfa $(PACKAGE)-$(VERSION).tar.gz && \
cd $(PACKAGE)-$(VERSION)/ && \
CC=$(HOST)-gcc PKG_CONFIG_PATH=$(PWD)/tmp$(ARCH)/root/lib/pkgconfig lt_cv_deplibs_check_method=pass_all ./configure --host=$(HOST) --build=x86_64-unknown-linux-gnu --prefix=$(PWD)/tmp$(ARCH)/root LDFLAGS=-L$(PWD)/tmp$(ARCH)/root/lib CPPFLAGS=-I$(PWD)/tmp$(ARCH)/root/include && \
WINEPATH="/usr/$(HOST)/lib/" make install $(CHECK) && \
rm $(PWD)/tmp$(ARCH)/root/lib/*.la && \
rm -rf $(PWD)/tmp$(ARCH)/root/lib/pkgconfig/ && \
cp COPYING $(PWD)/tmp$(ARCH)/root/licenses/$(PACKAGE).txt && \
cd .. && \
cd check-$(CHECKVERSION) && \
make uninstall && \
cd .. && \
cd root && \
zip -r ../../$(PACKAGE)-$(VERSION)-win$(ARCH).zip *
32bit:
$(MAKE) -f windows.mk doit ARCH=32 HOST=i686-w64-mingw32 CHECK=check
64bit:
$(MAKE) -f windows.mk doit ARCH=64 HOST=x86_64-w64-mingw32 64=64 CHECK=check
upload:
@if test ! -d "$(YUBICO_GITHUB_REPO)"; then \
echo "yubico.github.com repo not found!"; \
echo "Make sure that YUBICO_GITHUB_REPO is set"; \
exit 1; \
fi
gpg --detach-sign --default-key $(PGPKEYID) \
$(PACKAGE)-$(VERSION)-win$(ARCH).zip
gpg --verify $(PACKAGE)-$(VERSION)-win$(ARCH).zip.sig
$(YUBICO_GITHUB_REPO)/publish $(PACKAGE) $(VERSION) $(PACKAGE)-$(VERSION)-win${ARCH}.zip*
upload-32bit:
$(MAKE) -f windows.mk upload ARCH=32
upload-64bit:
$(MAKE) -f windows.mk upload ARCH=64
-70
View File
@@ -1,70 +0,0 @@
# Copyright (c) 2015-2016 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
SUBDIRS = . tests
AM_CFLAGS = $(WERROR_CFLAGS) $(WARN_CFLAGS)
AM_CPPFLAGS = $(OPENSSL_CFLAGS) $(PCSC_CFLAGS)
AM_CPPFLAGS += -I$(top_srcdir)/lib -I$(top_builddir)/lib
AM_CPPFLAGS += -I$(top_srcdir)/tool -I$(top_builddir)/tool
lib_LTLIBRARIES = libykcs11.la
libykcs11_la_SOURCES = ykcs11.c ykcs11.pc.in ykcs11.map
libykcs11_la_SOURCES += ykcs11.h debug.h
libykcs11_la_SOURCES += vendors.c vendors.h vendor_ids.h
libykcs11_la_SOURCES += slot_vendors.c slot_vendors.h
libykcs11_la_SOURCES += token_vendors.c token_vendors.h
libykcs11_la_SOURCES += mechanisms.c mechanisms.h
libykcs11_la_SOURCES += yubico_slot.c yubico_slot.h yubico_token.c yubico_token.h
libykcs11_la_SOURCES += utils.c utils.h
libykcs11_la_SOURCES += openssl_utils.c openssl_utils.h openssl_types.h
libykcs11_la_SOURCES += objects.c objects.h obj_types.h
libykcs11_la_SOURCES += pkcs11.h pkcs11y.h
libykcs11_la_SOURCES += ykcs11-version.h
EXTRA_libykcs11_la_DEPENDENCIES = ykcs11.map
libykcs11_la_LIBADD = ../lib/libykpiv.la
libykcs11_la_LIBADD += ../tool/libpiv_util.la
libykcs11_la_LDFLAGS = -no-undefined
libykcs11_la_LDFLAGS += -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE)
if HAVE_LD_VERSION_SCRIPT
libykcs11_la_LDFLAGS += -Wl,--version-script=$(srcdir)/ykcs11.map
else
libykcs11_la_LDFLAGS += -export-symbols-regex '^C_.*'
endif
pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = ykcs11.pc
if ENABLE_COV
AM_CFLAGS += --coverage
AM_LDFLAGS = --coverage
endif
-55
View File
@@ -1,55 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef DEBUG_H
#define DEBUG_H
#define D(x...) do { \
fprintf (stderr, "debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \
fprintf (stderr, x); \
fprintf (stderr, "\n"); \
} while (0)
#if YKCS11_DBG
#include <stdio.h>
#define DBG(x...) D(x);
#else
#define DBG(x...)
#endif
#if YKCS11_DINOUT
#define DIN D(("In"));
#define DOUT D(("Out"));
#else
#define DIN
#define DOUT
#endif
#endif
-553
View File
@@ -1,553 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include "mechanisms.h"
#include "openssl_utils.h"
#include "utils.h"
#include "debug.h"
#include <string.h>
#define F4 "\x01\x00\x01"
#define PRIME256V1 "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07"
// Supported mechanisms for signature
static const CK_MECHANISM_TYPE sign_mechanisms[] = {
CKM_RSA_PKCS,
CKM_RSA_PKCS_PSS,
CKM_RSA_X_509,
CKM_SHA1_RSA_PKCS,
CKM_SHA256_RSA_PKCS,
CKM_SHA384_RSA_PKCS,
CKM_SHA512_RSA_PKCS,
CKM_SHA1_RSA_PKCS_PSS,
CKM_SHA256_RSA_PKCS_PSS,
CKM_SHA384_RSA_PKCS_PSS,
CKM_SHA512_RSA_PKCS_PSS,
CKM_ECDSA,
CKM_ECDSA_SHA1,
CKM_ECDSA_SHA256
};
// Supported mechanisms for key pair generation
static const CK_MECHANISM_TYPE generation_mechanisms[] = {
CKM_RSA_PKCS_KEY_PAIR_GEN,
//CKM_ECDSA_KEY_PAIR_GEN, Deperecated
CKM_EC_KEY_PAIR_GEN
};
// Supported mechanisms for hashing
static const CK_MECHANISM_TYPE hash_mechanisms[] = {
CKM_SHA_1,
CKM_SHA256,
CKM_SHA384,
CKM_SHA512
};
CK_RV check_sign_mechanism(const ykcs11_session_t *s, const CK_MECHANISM_PTR m) {
CK_ULONG i;
CK_BBOOL supported = CK_FALSE;
token_vendor_t token;
CK_MECHANISM_INFO info;
// Check if the mechanism is supported by the module
for (i = 0; i < sizeof(sign_mechanisms) / sizeof(CK_MECHANISM_TYPE); i++) {
if (m->mechanism == sign_mechanisms[i]) {
supported = CK_TRUE;
break;
}
}
if (supported == CK_FALSE)
return CKR_MECHANISM_INVALID;
// Check if the mechanism is supported by the token
token = get_token_vendor(s->slot->token->vid);
if (token.get_token_mechanism_info(m->mechanism, &info) != CKR_OK)
return CKR_MECHANISM_INVALID;
// TODO: also check that parametes make sense if any? And key size is in [min max]
return CKR_OK;
}
CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m) {
switch (m) {
case CKM_RSA_PKCS_KEY_PAIR_GEN:
case CKM_RSA_PKCS:
case CKM_RSA_9796:
case CKM_RSA_X_509:
case CKM_SHA1_RSA_PKCS:
// case CKM_SHA224_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
// case CKM_RIPEMD128_RSA_PKCS:
// case CKM_RIPEMD160_RSA_PKCS:
// case CKM_RSA_PKCS_OAEP:
// case CKM_RSA_X9_31_KEY_PAIR_GEN:
// case CKM_RSA_X9_31:
// case CKM_SHA1_RSA_X9_31:
case CKM_RSA_PKCS_PSS:
case CKM_SHA1_RSA_PKCS_PSS:
// case CKM_SHA224_RSA_PKCS_PSS:
case CKM_SHA256_RSA_PKCS_PSS:
case CKM_SHA512_RSA_PKCS_PSS:
case CKM_SHA384_RSA_PKCS_PSS:
// case CKM_RSA_PKCS_TPM_1_1:
// case CKM_RSA_PKCS_OAEP_TPM_1_1:
// case CKM_RSA_AES_KEY_WRAP:
return CK_TRUE;
default:
return CK_FALSE;
}
// Not reached
return CK_FALSE;
}
CK_BBOOL is_PSS_mechanism(CK_MECHANISM_TYPE m) {
switch (m) {
case CKM_RSA_PKCS_PSS:
case CKM_SHA1_RSA_PKCS_PSS:
// case CKM_SHA224_RSA_PKCS_PSS:
case CKM_SHA256_RSA_PKCS_PSS:
case CKM_SHA512_RSA_PKCS_PSS:
case CKM_SHA384_RSA_PKCS_PSS:
return CK_TRUE;
default:
return CK_FALSE;
}
// Not reached
return CK_FALSE;
}
CK_BBOOL is_hashed_mechanism(CK_MECHANISM_TYPE m) {
switch (m) {
case CKM_SHA1_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
case CKM_SHA1_RSA_PKCS_PSS:
case CKM_SHA256_RSA_PKCS_PSS:
case CKM_SHA384_RSA_PKCS_PSS:
case CKM_SHA512_RSA_PKCS_PSS:
case CKM_ECDSA_SHA1:
case CKM_ECDSA_SHA256:
case CKM_SHA_1:
case CKM_SHA256:
case CKM_SHA384:
case CKM_SHA512:
return CK_TRUE;
default:
return CK_FALSE;
}
// Not reached
return CK_FALSE;
}
CK_RV apply_sign_mechanism_init(op_info_t *op_info) {
if (op_info->type != YKCS11_SIGN)
return CKR_FUNCTION_FAILED;
switch (op_info->mechanism.mechanism) {
case CKM_RSA_PKCS:
case CKM_RSA_PKCS_PSS:
case CKM_RSA_X_509:
case CKM_ECDSA:
// No hash required for this mechanism
op_info->op.sign.md_ctx = NULL;
return CKR_OK;
case CKM_SHA1_RSA_PKCS:
case CKM_SHA1_RSA_PKCS_PSS:
case CKM_ECDSA_SHA1:
return do_md_init(YKCS11_SHA1, &op_info->op.sign.md_ctx);
case CKM_SHA256_RSA_PKCS:
case CKM_SHA256_RSA_PKCS_PSS:
case CKM_ECDSA_SHA256:
return do_md_init(YKCS11_SHA256, &op_info->op.sign.md_ctx);
case CKM_SHA384_RSA_PKCS:
case CKM_SHA384_RSA_PKCS_PSS:
return do_md_init(YKCS11_SHA384, &op_info->op.sign.md_ctx);
case CKM_SHA512_RSA_PKCS:
case CKM_SHA512_RSA_PKCS_PSS:
return do_md_init(YKCS11_SHA512, &op_info->op.sign.md_ctx);
default:
return CKR_FUNCTION_FAILED;
}
// Never reached
return CKR_FUNCTION_FAILED;
}
CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG in_len) {
CK_RV rv;
if (op_info->type != YKCS11_SIGN)
return CKR_FUNCTION_FAILED;
switch (op_info->mechanism.mechanism) {
case CKM_RSA_PKCS:
case CKM_RSA_PKCS_PSS:
case CKM_ECDSA:
case CKM_RSA_X_509:
// Mechanism not suitable for multipart signatures
return CKR_FUNCTION_FAILED;
case CKM_SHA1_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
case CKM_SHA1_RSA_PKCS_PSS:
case CKM_SHA256_RSA_PKCS_PSS:
case CKM_SHA384_RSA_PKCS_PSS:
case CKM_SHA512_RSA_PKCS_PSS:
case CKM_ECDSA_SHA1:
case CKM_ECDSA_SHA256:
rv = do_md_update(op_info->op.sign.md_ctx, in, in_len);
if (rv != CKR_OK)
return CKR_FUNCTION_FAILED;
return CKR_OK;
default:
return CKR_FUNCTION_FAILED;
}
}
CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) {
CK_RV rv;
int nid = NID_undef;
CK_ULONG len;
if (op_info->type != YKCS11_SIGN)
return CKR_FUNCTION_FAILED;
switch (op_info->mechanism.mechanism) {
case CKM_SHA1_RSA_PKCS_PSS:
case CKM_SHA256_RSA_PKCS_PSS:
case CKM_SHA384_RSA_PKCS_PSS:
case CKM_SHA512_RSA_PKCS_PSS:
// Finalize the hash
rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid);
op_info->op.sign.md_ctx = NULL;
if (rv != CKR_OK)
return CKR_FUNCTION_FAILED;
case CKM_RSA_PKCS_PSS:
// Compute padding for all PSS variants
// TODO: digestinfo/paraminfo ?
rv = do_pkcs_pss(op_info->op.sign.key, op_info->buf, op_info->buf_len, nid, op_info->buf, &op_info->buf_len);
do_free_rsa_public_key(op_info->op.sign.key);
return rv;
case CKM_RSA_X_509:
// Padding in this case consists of prepending zeroes
len = (op_info->op.sign.key_len / 8) - op_info->buf_len;
memmove(op_info->buf + len, op_info->buf, op_info->buf_len);
memset(op_info->buf, 0, len);
op_info->buf_len = op_info->op.sign.key_len / 8;
return CKR_OK;
case CKM_SHA1_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
// Finalize the hash add digest info
rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid);
op_info->op.sign.md_ctx = NULL;
if (rv != CKR_OK)
return CKR_FUNCTION_FAILED;
case CKM_RSA_PKCS:
// Add digest info if needed
if (nid != NID_undef) {
rv = do_pkcs_1_digest_info(op_info->buf, op_info->buf_len, nid, op_info->buf, &op_info->buf_len);
if (rv != CKR_OK)
return CKR_FUNCTION_FAILED;
}
// Compute padding for all PKCS1 variants
len = op_info->buf_len;
op_info->buf_len = sizeof(op_info->buf);
return do_pkcs_1_t1(op_info->buf, len, op_info->buf, &op_info->buf_len, op_info->op.sign.key_len);
case CKM_ECDSA_SHA1:
case CKM_ECDSA_SHA256:
// Finalize the hash
rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid);
op_info->op.sign.md_ctx = NULL;
if (rv != CKR_OK)
return CKR_FUNCTION_FAILED;
case CKM_ECDSA:
return CKR_OK;
default:
return CKR_FUNCTION_FAILED;
}
}
CK_RV sign_mechanism_cleanup(op_info_t *op_info) {
if (op_info->op.sign.md_ctx != NULL) {
do_md_cleanup(op_info->op.sign.md_ctx);
op_info->op.sign.md_ctx = NULL;
}
return CKR_OK;
}
CK_RV check_generation_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m) {
CK_ULONG i;
CK_BBOOL supported = CK_FALSE;
token_vendor_t token;
CK_MECHANISM_INFO info;
// Check if the mechanism is supported by the module
for (i = 0; i < sizeof(generation_mechanisms) / sizeof(CK_MECHANISM_TYPE); i++) {
if (m->mechanism == generation_mechanisms[i]) {
supported = CK_TRUE;
break;
}
}
if (supported == CK_FALSE)
return CKR_MECHANISM_INVALID;
// Check if the mechanism is supported by the token
token = get_token_vendor(s->slot->token->vid);
if (token.get_token_mechanism_info(m->mechanism, &info) != CKR_OK)
return CKR_MECHANISM_INVALID;
// TODO: also check that parametes make sense if any? And key size is in [min max]
return CKR_OK;
}
CK_RV check_pubkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n) {
CK_ULONG i;
op_info->op.gen.rsa = is_RSA_mechanism(op_info->mechanism.mechanism);
for (i = 0; i < n; i++) {
switch (templ[i].type) {
case CKA_CLASS:
if (*((CK_ULONG_PTR) templ[i].pValue) != CKO_PUBLIC_KEY)
return CKR_TEMPLATE_INCONSISTENT;
break;
case CKA_KEY_TYPE:
if ((op_info->op.gen.rsa == CK_TRUE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_RSA) ||
(op_info->op.gen.rsa == CK_FALSE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_ECDSA))
return CKR_TEMPLATE_INCONSISTENT;
break;
case CKA_PUBLIC_EXPONENT:
if (op_info->op.gen.rsa == CK_FALSE)
return CKR_ATTRIBUTE_VALUE_INVALID;
// Only support F4
if (templ[i].ulValueLen != 3 || memcmp((CK_BYTE_PTR)templ[i].pValue, F4, 3) != 0) {
DBG("Unsupported public exponent");
return CKR_ATTRIBUTE_VALUE_INVALID;
}
break;
case CKA_MODULUS_BITS:
if (op_info->op.gen.rsa == CK_FALSE)
return CKR_ATTRIBUTE_VALUE_INVALID;
if (*((CK_ULONG_PTR) templ[i].pValue) != 1024 &&
*((CK_ULONG_PTR) templ[i].pValue) != 2048) { // TODO: make define?
DBG("Unsupported MODULUS_BITS (key length)");
return CKR_ATTRIBUTE_VALUE_INVALID;
}
op_info->op.gen.key_len = *((CK_ULONG_PTR) templ[i].pValue);
break;
case CKA_EC_PARAMS:
// Only support PRIME256V1
if (templ[i].ulValueLen != 10 || memcmp((CK_BYTE_PTR)templ[i].pValue, PRIME256V1, 10) != 0)
return CKR_FUNCTION_FAILED;
op_info->op.gen.key_len = 256;
break;
case CKA_ID:
if (is_valid_key_id(*((CK_BYTE_PTR)templ[i].pValue)) == CK_FALSE)
return CKR_ATTRIBUTE_VALUE_INVALID;
op_info->op.gen.key_id = PIV_PVTK_OBJ_PIV_AUTH + *((CK_BYTE_PTR)templ[i].pValue);
break;
case CKA_TOKEN:
case CKA_ENCRYPT:
case CKA_VERIFY:
case CKA_WRAP:
case CKA_DERIVE:
case CKA_PRIVATE:
case CKA_LABEL:
// Ignore these attributes for now
break;
default:
DBG("Invalid attribute %lx in public key template", templ[i].type);
return CKR_ATTRIBUTE_TYPE_INVALID;
}
}
return CKR_OK;
}
CK_RV check_pvtkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n) {
CK_ULONG i;
op_info->op.gen.rsa = is_RSA_mechanism(op_info->mechanism.mechanism);
op_info->op.gen.vendor_defined = 0;
for (i = 0; i < n; i++) {
switch (templ[i].type) {
case CKA_CLASS:
if (*((CK_ULONG_PTR)templ[i].pValue) != CKO_PRIVATE_KEY)
return CKR_TEMPLATE_INCONSISTENT;
break;
case CKA_KEY_TYPE:
if ((op_info->op.gen.rsa == CK_TRUE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_RSA) ||
(op_info->op.gen.rsa == CK_FALSE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_ECDSA))
return CKR_TEMPLATE_INCONSISTENT;
break;
/* case CKA_MODULUS_BITS:
if (op_info->op.gen.rsa == CK_FALSE)
return CKR_MECHANISM_PARAM_INVALID;
if (*((CK_ULONG_PTR)templ[i].pValue) != 1024 &&
*((CK_ULONG_PTR) templ[i].pValue) != 2048) // TODO: make define?
return CKR_MECHANISM_PARAM_INVALID;
op_info->op.gen.key_len = *((CK_ULONG_PTR) templ[i].pValue); // TODO: check length?
break;*/
case CKA_ID:
if (is_valid_key_id(*((CK_BYTE_PTR)templ[i].pValue)) == CK_FALSE)
return CKR_ATTRIBUTE_VALUE_INVALID;
// Check if ID was already specified in the public key template
// In that case it has to match
if (op_info->op.gen.key_id != 0 &&
op_info->op.gen.key_id != (*((CK_BYTE_PTR)templ[i].pValue) + PIV_PVTK_OBJ_PIV_AUTH))
return CKR_TEMPLATE_INCONSISTENT;
op_info->op.gen.key_id = PIV_PVTK_OBJ_PIV_AUTH + *((CK_BYTE_PTR)templ[i].pValue);
break;
case CKA_VENDOR_DEFINED:
op_info->op.gen.vendor_defined = (*((CK_ULONG_PTR)templ[i].pValue));
case CKA_SENSITIVE:
case CKA_DECRYPT:
case CKA_UNWRAP:
case CKA_SIGN:
case CKA_PRIVATE:
case CKA_TOKEN:
case CKA_DERIVE:
case CKA_LABEL:
// Ignore these attributes for now
break;
default:
DBG("Invalid attribute %lx in private key template", templ[i].type);
return CKR_ATTRIBUTE_TYPE_INVALID;
}
}
return CKR_OK;
}
CK_RV check_hash_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m) {
CK_ULONG i;
CK_BBOOL supported = CK_FALSE;
token_vendor_t token;
CK_MECHANISM_INFO info;
// Check if the mechanism is supported by the module
for (i = 0; i < sizeof(hash_mechanisms) / sizeof(CK_MECHANISM_TYPE); i++) {
if (m->mechanism == hash_mechanisms[i]) {
supported = CK_TRUE;
break;
}
}
if (supported == CK_FALSE)
return CKR_MECHANISM_INVALID;
// Check if the mechanism is supported by the token
token = get_token_vendor(s->slot->token->vid);
if (token.get_token_mechanism_info(m->mechanism, &info) != CKR_OK)
return CKR_MECHANISM_INVALID;
// TODO: also check that parametes make sense if any? And key size is in [min max]
return CKR_OK;
}
-52
View File
@@ -1,52 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef MECHANISMS_H
#define MECHANISMS_H
#include "ykcs11.h"
CK_RV check_sign_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m);
CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m);
CK_BBOOL is_PSS_mechanism(CK_MECHANISM_TYPE m);
CK_BBOOL is_hashed_mechanism(CK_MECHANISM_TYPE m);
CK_RV apply_sign_mechanism_init(op_info_t *op_info);
CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG in_len);
CK_RV apply_sign_mechanism_finalize(op_info_t *op_info);
CK_RV sign_mechanism_cleanup(op_info_t *op_info);
CK_RV check_generation_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m);
CK_RV check_pubkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n); // TODO: Move to objects.c
CK_RV check_pvtkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n); // TODO: Move to objects.c
CK_RV check_hash_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m);
#endif
-201
View File
@@ -1,201 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef OBJ_TYPES_H
#define OBJ_TYPES_H
#include "pkcs11y.h"
#include <openssl/x509.h>
// TODO: this is mostly from OpenSC, how to give credit?
typedef enum {
PIV_DATA_OBJ_X509_PIV_AUTH = 0, // PIV authentication
PIV_DATA_OBJ_X509_CARD_AUTH, // Card authentication
PIV_DATA_OBJ_X509_DS, // Digital signature
PIV_DATA_OBJ_X509_KM, // Key management
PIV_DATA_OBJ_X509_RETIRED1, // Retired key 1
PIV_DATA_OBJ_X509_RETIRED2, // Retired key 2
PIV_DATA_OBJ_X509_RETIRED3, // Retired key 3
PIV_DATA_OBJ_X509_RETIRED4, // Retired key 4
PIV_DATA_OBJ_X509_RETIRED5, // Retired key 5
PIV_DATA_OBJ_X509_RETIRED6, // Retired key 6
PIV_DATA_OBJ_X509_RETIRED7, // Retired key 7
PIV_DATA_OBJ_X509_RETIRED8, // Retired key 8
PIV_DATA_OBJ_X509_RETIRED9, // Retired key 9
PIV_DATA_OBJ_X509_RETIRED10, // Retired key 10
PIV_DATA_OBJ_X509_RETIRED11, // Retired key 11
PIV_DATA_OBJ_X509_RETIRED12, // Retired key 12
PIV_DATA_OBJ_X509_RETIRED13, // Retired key 13
PIV_DATA_OBJ_X509_RETIRED14, // Retired key 14
PIV_DATA_OBJ_X509_RETIRED15, // Retired key 15
PIV_DATA_OBJ_X509_RETIRED16, // Retired key 16
PIV_DATA_OBJ_X509_RETIRED17, // Retired key 17
PIV_DATA_OBJ_X509_RETIRED18, // Retired key 18
PIV_DATA_OBJ_X509_RETIRED19, // Retired key 19
PIV_DATA_OBJ_X509_RETIRED20, // Retired key 20
PIV_DATA_OBJ_CCC, // Card capability container
PIV_DATA_OBJ_CHUI, // Cardholder unique id
PIV_DATA_OBJ_CHF, // Cardholder fingerprints
PIV_DATA_OBJ_SEC_OBJ, // Security object
PIV_DATA_OBJ_CHFI, // Cardholder facial images
PIV_DATA_OBJ_PI, // Cardholder printed information
PIV_DATA_OBJ_DISCOVERY, // Discovery object
PIV_DATA_OBJ_HISTORY, // History object
PIV_DATA_OBJ_IRIS_IMAGE, // Cardholder iris images
PIV_DATA_OBJ_BITGT, // Biometric information templates group template
PIV_DATA_OBJ_SM_SIGNER, // Secure messaging signer
PIV_DATA_OBJ_PC_REF_DATA, // Pairing code reference data
PIV_DATA_OBJ_LAST,
PIV_CERT_OBJ_X509_PIV_AUTH, // Certificate for PIV authentication
PIV_CERT_OBJ_X509_CARD_AUTH, // Certificate for card authentication
PIV_CERT_OBJ_X509_DS, // Certificate for digital signature
PIV_CERT_OBJ_X509_KM, // Certificate for key management
PIV_CERT_OBJ_X509_RETIRED1, // Certificate for retired key 1
PIV_CERT_OBJ_X509_RETIRED2, // Certificate for retired key 2
PIV_CERT_OBJ_X509_RETIRED3, // Certificate for retired key 3
PIV_CERT_OBJ_X509_RETIRED4, // Certificate for retired key 4
PIV_CERT_OBJ_X509_RETIRED5, // Certificate for retired key 5
PIV_CERT_OBJ_X509_RETIRED6, // Certificate for retired key 6
PIV_CERT_OBJ_X509_RETIRED7, // Certificate for retired key 7
PIV_CERT_OBJ_X509_RETIRED8, // Certificate for retired key 8
PIV_CERT_OBJ_X509_RETIRED9, // Certificate for retired key 9
PIV_CERT_OBJ_X509_RETIRED10, // Certificate for retired key 10
PIV_CERT_OBJ_X509_RETIRED11, // Certificate for retired key 11
PIV_CERT_OBJ_X509_RETIRED12, // Certificate for retired key 12
PIV_CERT_OBJ_X509_RETIRED13, // Certificate for retired key 13
PIV_CERT_OBJ_X509_RETIRED14, // Certificate for retired key 14
PIV_CERT_OBJ_X509_RETIRED15, // Certificate for retired key 15
PIV_CERT_OBJ_X509_RETIRED16, // Certificate for retired key 16
PIV_CERT_OBJ_X509_RETIRED17, // Certificate for retired key 17
PIV_CERT_OBJ_X509_RETIRED18, // Certificate for retired key 18
PIV_CERT_OBJ_X509_RETIRED19, // Certificate for retired key 19
PIV_CERT_OBJ_X509_RETIRED20, // Certificate for retired key 20
PIV_CERT_OBJ_LAST,
PIV_PVTK_OBJ_PIV_AUTH, // Private key for PIV authentication
PIV_PVTK_OBJ_CARD_AUTH, // Private key for card authentication
PIV_PVTK_OBJ_DS, // Private key for digital signature
PIV_PVTK_OBJ_KM, // Private key for key management
PIV_PVTK_OBJ_RETIRED1, // Private key for retired key 1
PIV_PVTK_OBJ_RETIRED2, // Private key for retired key 2
PIV_PVTK_OBJ_RETIRED3, // Private key for retired key 3
PIV_PVTK_OBJ_RETIRED4, // Private key for retired key 4
PIV_PVTK_OBJ_RETIRED5, // Private key for retired key 5
PIV_PVTK_OBJ_RETIRED6, // Private key for retired key 6
PIV_PVTK_OBJ_RETIRED7, // Private key for retired key 7
PIV_PVTK_OBJ_RETIRED8, // Private key for retired key 8
PIV_PVTK_OBJ_RETIRED9, // Private key for retired key 9
PIV_PVTK_OBJ_RETIRED10, // Private key for retired key 10
PIV_PVTK_OBJ_RETIRED11, // Private key for retired key 11
PIV_PVTK_OBJ_RETIRED12, // Private key for retired key 12
PIV_PVTK_OBJ_RETIRED13, // Private key for retired key 13
PIV_PVTK_OBJ_RETIRED14, // Private key for retired key 14
PIV_PVTK_OBJ_RETIRED15, // Private key for retired key 15
PIV_PVTK_OBJ_RETIRED16, // Private key for retired key 16
PIV_PVTK_OBJ_RETIRED17, // Private key for retired key 17
PIV_PVTK_OBJ_RETIRED18, // Private key for retired key 18
PIV_PVTK_OBJ_RETIRED19, // Private key for retired key 19
PIV_PVTK_OBJ_RETIRED20, // Private key for retired key 20
PIV_PVTK_OBJ_LAST,
PIV_PUBK_OBJ_PIV_AUTH, // Public key for PIV authentication
PIV_PUBK_OBJ_CARD_AUTH, // Public key for card authentication
PIV_PUBK_OBJ_DS, // Public key for digital signature
PIV_PUBK_OBJ_KM, // Public key for key management
PIV_PUBK_OBJ_RETIRED1, // Public key for retired key 1
PIV_PUBK_OBJ_RETIRED2, // Public key for retired key 2
PIV_PUBK_OBJ_RETIRED3, // Public key for retired key 3
PIV_PUBK_OBJ_RETIRED4, // Public key for retired key 4
PIV_PUBK_OBJ_RETIRED5, // Public key for retired key 5
PIV_PUBK_OBJ_RETIRED6, // Public key for retired key 6
PIV_PUBK_OBJ_RETIRED7, // Public key for retired key 7
PIV_PUBK_OBJ_RETIRED8, // Public key for retired key 8
PIV_PUBK_OBJ_RETIRED9, // Public key for retired key 9
PIV_PUBK_OBJ_RETIRED10, // Public key for retired key 10
PIV_PUBK_OBJ_RETIRED11, // Public key for retired key 11
PIV_PUBK_OBJ_RETIRED12, // Public key for retired key 12
PIV_PUBK_OBJ_RETIRED13, // Public key for retired key 13
PIV_PUBK_OBJ_RETIRED14, // Public key for retired key 14
PIV_PUBK_OBJ_RETIRED15, // Public key for retired key 15
PIV_PUBK_OBJ_RETIRED16, // Public key for retired key 16
PIV_PUBK_OBJ_RETIRED17, // Public key for retired key 17
PIV_PUBK_OBJ_RETIRED18, // Public key for retired key 18
PIV_PUBK_OBJ_RETIRED19, // Public key for retired key 19
PIV_PUBK_OBJ_RETIRED20, // Public key for retired key 20
PIV_PUBK_OBJ_LAST
} piv_obj_id_t;
#define OBJECT_INVALID (PIV_PUBK_OBJ_LAST + 1)
typedef CK_RV (*get_attr_f)(CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR);
typedef struct {
const char *oid;
CK_BYTE tag_len;
CK_BYTE tag_value[3]; // TODO: needed?
CK_BYTE containerid[2]; /* will use as relative paths for simulation */ // TODO: needed?
} piv_data_obj_t;
typedef struct {
X509 *data;
} piv_cert_obj_t;
typedef struct { // TODO: enough to use the public key for the parameters?
CK_BBOOL decrypt;
CK_BBOOL sign;
CK_BBOOL unwrap;
CK_BBOOL derive;
CK_BBOOL always_auth;
} piv_pvtk_obj_t;
typedef struct {
EVP_PKEY *data; // TODO: make custom type for this and X509
CK_BBOOL encrypt;
CK_BBOOL verify;
CK_BBOOL wrap;
CK_BBOOL derive;
} piv_pubk_obj_t;
typedef struct {
piv_obj_id_t piv_id; // TODO: technically redundant
CK_BBOOL token; // TODO: not used yet
CK_BBOOL private;
CK_BBOOL modifiable;
const char *label;
CK_BBOOL copyable; // TODO: Optional, not used so far (default TRUE)
CK_BBOOL destroyable; // TODO: Optional, not used so far (default TRUE)
get_attr_f get_attribute;
CK_BYTE sub_id; // Sub-object id
} piv_obj_t;
#endif
-1574
View File
File diff suppressed because it is too large Load Diff
-59
View File
@@ -1,59 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef OBJECTS_H
#define OBJECTS_H
#include "ykcs11.h"
CK_ULONG piv_2_ykpiv(piv_obj_id_t id);
CK_RV get_attribute(ykcs11_session_t *s, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template);
CK_BBOOL attribute_match(ykcs11_session_t *s, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR attribute);
CK_BBOOL is_private_object(ykcs11_session_t *s, CK_OBJECT_HANDLE obj);
CK_RV get_available_certificate_ids(ykcs11_session_t *s, piv_obj_id_t *cert_ids, CK_ULONG n_certs);
CK_RV store_cert(piv_obj_id_t cert_id, CK_BYTE_PTR data, CK_ULONG len);
CK_RV delete_cert(piv_obj_id_t cert_id);
CK_RV check_create_cert(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id,
CK_BYTE_PTR *value, CK_ULONG_PTR cert_len);
CK_RV check_create_ec_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id,
CK_BYTE_PTR *value, CK_ULONG_PTR value_len, CK_ULONG_PTR vendor_defined);
CK_RV check_create_rsa_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id,
CK_BYTE_PTR *p, CK_ULONG_PTR p_len,
CK_BYTE_PTR *q, CK_ULONG_PTR q_len,
CK_BYTE_PTR *dp, CK_ULONG_PTR dp_len,
CK_BYTE_PTR *dq, CK_ULONG_PTR dq_len,
CK_BYTE_PTR *qinv, CK_ULONG_PTR qinv_len,
CK_ULONG_PTR vendor_defined);
CK_RV check_delete_cert(CK_OBJECT_HANDLE hObject, CK_BYTE_PTR id);
#endif
-56
View File
@@ -1,56 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef OPENSSL_TYPES_H
#define OPENSSL_TYPES_H
#include <openssl/bn.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <openssl/ec.h>
typedef enum {
YKCS11_NO_HASH,
YKCS11_SHA1,
//YKCS11_SHA224,
YKCS11_SHA256,
YKCS11_SHA384,
YKCS11_SHA512,
//YKCS11_RIPEMD128_RSA_PKCS,
//YKCS11_RIPEMD160
} hash_t;
typedef EVP_MD_CTX ykcs11_md_ctx_t;
//typedef EVP_PKEY ykcs11_evp_pkey_t;
typedef RSA ykcs11_rsa_key_t;
#endif
-709
View File
@@ -1,709 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include "openssl_utils.h"
#include <stdbool.h>
#include "../tool/util.h" // TODO: share this better?
#include "../tool/openssl-compat.h" // TODO: share this better?
#include "debug.h"
#include <string.h>
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
# define X509_set_notBefore X509_set1_notBefore
# define X509_set_notAfter X509_set1_notAfter
#endif
CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert) {
const unsigned char *p = data; // Mandatory temp variable required by OpenSSL
int cert_len;
if (*p == 0x70) {
// The certificate is in "PIV" format 0x70 len 0x30 len ...
p++;
p += get_length(p, &cert_len);
}
else {
// Raw certificate 0x30 len ...
cert_len = 0;
cert_len += get_length(p + 1, &cert_len) + 1;
}
if ((CK_ULONG)cert_len > len)
return CKR_ARGUMENTS_BAD;
*cert = d2i_X509(NULL, &p, cert_len);
if (*cert == NULL)
return CKR_FUNCTION_FAILED;
return CKR_OK;
}
CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa,
CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
X509 *cert = NULL;
EVP_PKEY *key = NULL;
RSA *rsa = NULL;
BIGNUM *bignum_n = NULL;
BIGNUM *bignum_e = NULL;
BIGNUM *bignum_prv = NULL;
unsigned char zeroes[512] = {0};
EC_KEY *eck = NULL;
EC_GROUP *ecg = NULL;
EC_POINT *ecp = NULL;
ASN1_TIME *tm = NULL;
unsigned char *data_ptr;
unsigned char *p;
int len;
CK_RV rv = CKR_FUNCTION_FAILED;
cert = X509_new();
if (cert == NULL)
goto create_empty_cert_cleanup;
key = EVP_PKEY_new();
if (key == NULL)
goto create_empty_cert_cleanup;
if (is_rsa) {
// RSA
rsa = RSA_new();
if (rsa == NULL)
goto create_empty_cert_cleanup;
data_ptr = in + 5;
if (*data_ptr != 0x81)
goto create_empty_cert_cleanup;
data_ptr++;
data_ptr += get_length(data_ptr, &len);
bignum_n = BN_bin2bn(data_ptr, len, NULL);
if(bignum_n == NULL)
goto create_empty_cert_cleanup;
data_ptr += len;
if(*data_ptr != 0x82)
goto create_empty_cert_cleanup;
// OpenSSL 1.1 doesn't allow to set empty signatures
// Use a bogus private key
bignum_prv = BN_bin2bn(zeroes, len, NULL);
if (bignum_prv == NULL)
goto create_empty_cert_cleanup;
data_ptr++;
data_ptr += get_length(data_ptr, &len);
bignum_e = BN_bin2bn(data_ptr, len, NULL);
if(bignum_e == NULL)
goto create_empty_cert_cleanup;
if (RSA_set0_key(rsa, bignum_n, bignum_e, bignum_prv) == 0)
goto create_empty_cert_cleanup;
if (EVP_PKEY_set1_RSA(key, rsa) == 0)
goto create_empty_cert_cleanup;
}
else {
// ECCP256
data_ptr = in + 3;
eck = EC_KEY_new();
if (eck == NULL)
goto create_empty_cert_cleanup;
ecg = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
if (ecg == NULL)
goto create_empty_cert_cleanup;
EC_GROUP_set_asn1_flag(ecg, NID_X9_62_prime256v1);
EC_KEY_set_group(eck, ecg);
ecp = EC_POINT_new(ecg);
if(*data_ptr++ != 0x86)
goto create_empty_cert_cleanup;
// The curve point should always be 65 bytes
if (*data_ptr++ != 65)
goto create_empty_cert_cleanup;
if (EC_POINT_oct2point(ecg, ecp, data_ptr, 65, NULL) == 0)
goto create_empty_cert_cleanup;
if (EC_KEY_set_public_key(eck, ecp) == 0)
goto create_empty_cert_cleanup;
// OpenSSL 1.1 doesn't allow to set empty signatures
// Use a bogus private key
bignum_prv = BN_bin2bn(zeroes, 65, NULL);
if (bignum_prv == NULL)
goto create_empty_cert_cleanup;
if (EC_KEY_set_private_key(eck, bignum_prv) == 0)
goto create_empty_cert_cleanup;
if (EVP_PKEY_set1_EC_KEY(key, eck) == 0)
goto create_empty_cert_cleanup;
}
if (X509_set_pubkey(cert, key) == 0) // TODO: there is also X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
goto create_empty_cert_cleanup;
tm = ASN1_TIME_new();
if (tm == NULL)
goto create_empty_cert_cleanup;
ASN1_TIME_set_string(tm, "000001010000Z");
X509_set_notBefore(cert, tm);
X509_set_notAfter(cert, tm);
// Write a bogus signature to make a valid certificate
if (X509_sign(cert, key, EVP_sha1()) == 0)
goto create_empty_cert_cleanup;
len = i2d_X509(cert, NULL);
if (len < 0)
goto create_empty_cert_cleanup;
if ((CK_ULONG)len > *out_len) {
rv = CKR_BUFFER_TOO_SMALL;
goto create_empty_cert_cleanup;
}
p = out;
if ((*out_len = (CK_ULONG) i2d_X509(cert, &p)) == 0)
goto create_empty_cert_cleanup;
/********************/
/*BIO *STDout = BIO_new_fp(stderr, BIO_NOCLOSE);
X509_print_ex(STDout, cert, 0, 0);
BIO_free(STDout);*/
/********************/
rv = CKR_OK;
create_empty_cert_cleanup:
if (tm != NULL) {
ASN1_STRING_free(tm);
tm = NULL;
}
if (bignum_n != NULL) {
BN_free(bignum_n);
bignum_n = NULL;
}
if (bignum_e != NULL) {
BN_free(bignum_e);
bignum_e = NULL;
}
if (bignum_prv != NULL) {
BN_free(bignum_prv);
bignum_prv = NULL;
}
if (ecp != NULL) {
EC_POINT_free(ecp);
ecp = NULL;
}
if (ecg != NULL) {
EC_GROUP_free(ecg);
ecg = NULL;
}
if (eck != NULL) {
EC_KEY_free(eck);
eck = NULL;
}
if (key != NULL) {
EVP_PKEY_free(key);
key = NULL;
}
if (cert != NULL) {
X509_free(cert);
cert = NULL;
}
return rv;
}
CK_RV do_check_cert(CK_BYTE_PTR in, CK_ULONG_PTR cert_len) {
X509 *cert;
const unsigned char *p = in; // Mandatory temp variable required by OpenSSL
int len;
len = 0;
len += get_length(p + 1, &len) + 1;
*cert_len = (CK_ULONG) len;
cert = d2i_X509(NULL, &p, (long) *cert_len);
if (cert == NULL)
return CKR_FUNCTION_FAILED;
return CKR_OK;
}
CK_RV do_get_raw_cert(X509 *cert, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
CK_BYTE_PTR p;
int len;
len = i2d_X509(cert, NULL);
if (len < 0)
return CKR_FUNCTION_FAILED;
if ((CK_ULONG)len > *out_len)
return CKR_BUFFER_TOO_SMALL;
p = out;
if ((*out_len = (CK_ULONG) i2d_X509(cert, &p)) == 0)
return CKR_FUNCTION_FAILED;
return CKR_OK;
}
CK_RV do_delete_cert(X509 **cert) {
X509_free(*cert);
cert = NULL;
return CKR_OK;
}
/*CK_RV free_cert(X509 *cert) {
X509_free((X509 *) cert);
return CKR_OK;
}*/
CK_RV do_store_pubk(X509 *cert, EVP_PKEY **key) {
*key = X509_get_pubkey(cert);
if (*key == NULL)
return CKR_FUNCTION_FAILED;
return CKR_OK;
}
CK_KEY_TYPE do_get_key_type(EVP_PKEY *key) {
switch (EVP_PKEY_id(key)) {
case EVP_PKEY_RSA:
case EVP_PKEY_RSA2:
return CKK_RSA;
case EVP_PKEY_EC:
return CKK_ECDSA;
default:
return CKK_VENDOR_DEFINED; // Actually an error
}
}
CK_ULONG do_get_rsa_modulus_length(EVP_PKEY *key) {
CK_ULONG key_len = 0;
RSA *rsa;
rsa = EVP_PKEY_get1_RSA(key);
if (rsa == NULL)
return 0;
key_len = (CK_ULONG) (RSA_size(rsa) * 8); // There is also RSA_bits but only in >= 1.1.0
RSA_free(rsa);
rsa = NULL;
return key_len;
}
CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
RSA *rsa;
const BIGNUM *n;
rsa = EVP_PKEY_get1_RSA(key);
if (rsa == NULL)
return CKR_FUNCTION_FAILED;
RSA_get0_key(rsa, &n, NULL, NULL);
if ((CK_ULONG)BN_num_bytes(n) > *len) {
RSA_free(rsa);
rsa = NULL;
return CKR_BUFFER_TOO_SMALL;
}
*len = (CK_ULONG)BN_bn2bin(n, data);
RSA_free(rsa);
rsa = NULL;
return CKR_OK;
}
CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
CK_ULONG e = 0;
RSA *rsa;
const BIGNUM *bn_e;
rsa = EVP_PKEY_get1_RSA(key);
if (rsa == NULL)
return CKR_FUNCTION_FAILED;
RSA_get0_key(rsa, NULL, &bn_e, NULL);
if ((CK_ULONG)BN_num_bytes(bn_e) > *len) {
RSA_free(rsa);
rsa = NULL;
return CKR_BUFFER_TOO_SMALL;
}
*len = (CK_ULONG)BN_bn2bin(bn_e, data);
RSA_free(rsa);
rsa = NULL;
return e;
}
/* #include <stdio.h> */
/* #include <openssl/err.h> */
/* ERR_load_crypto_strings(); */
/* //SSL_load_error_strings(); */
/* fprintf(stderr, "ERROR %s\n", ERR_error_string(ERR_get_error(), NULL)); */
CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
RSA *rsa;
unsigned char *p;
EC_KEY *eck;
const EC_GROUP *ecg; // Alternative solution is to get i2d_PUBKEY and manually offset
const EC_POINT *ecp;
point_conversion_form_t pcf = POINT_CONVERSION_UNCOMPRESSED;
switch(EVP_PKEY_id(key)) {
case EVP_PKEY_RSA:
case EVP_PKEY_RSA2:
rsa = EVP_PKEY_get1_RSA(key);
if ((CK_ULONG)RSA_size(rsa) > *len) {
RSA_free(rsa);
rsa = NULL;
return CKR_BUFFER_TOO_SMALL;
}
p = data;
if ((*len = (CK_ULONG) i2d_RSAPublicKey(rsa, &p)) == 0) {
RSA_free(rsa);
rsa = NULL;
return CKR_FUNCTION_FAILED;
}
// TODO: this is the correct thing to do so that we strip out the exponent
// OTOH we also need a function to get the exponent out with CKA_PUBLIC_EXPONENT
/*BN_bn2bin(rsa->n, data);
*len = 256;*/
/* fprintf(stderr, "Public key is: \n"); */
/* dump_hex(data, *len, stderr, CK_TRUE); */
break;
case EVP_PKEY_EC:
eck = EVP_PKEY_get1_EC_KEY(key);
ecg = EC_KEY_get0_group(eck);
ecp = EC_KEY_get0_public_key(eck);
// Add the DER structure with length after extracting the point
data[0] = 0x04;
if ((*len = EC_POINT_point2oct(ecg, ecp, pcf, data + 2, *len - 2, NULL)) == 0) {
EC_KEY_free(eck);
eck = NULL;
return CKR_FUNCTION_FAILED;
}
data[1] = *len;
*len += 2;
EC_KEY_free(eck);
eck = NULL;
break;
default:
return CKR_FUNCTION_FAILED;
}
return CKR_OK;
}
CK_RV do_encode_rsa_public_key(ykcs11_rsa_key_t **key, CK_BYTE_PTR modulus,
CK_ULONG mlen, CK_BYTE_PTR exponent, CK_ULONG elen) {
ykcs11_rsa_key_t *k;
BIGNUM *k_n = NULL, *k_e = NULL;
if (modulus == NULL || exponent == NULL)
return CKR_ARGUMENTS_BAD;
if ((k = RSA_new()) == NULL)
return CKR_HOST_MEMORY;
if ((k_n = BN_bin2bn(modulus, mlen, NULL)) == NULL)
return CKR_FUNCTION_FAILED;
if ((k_e = BN_bin2bn(exponent, elen, NULL)) == NULL)
return CKR_FUNCTION_FAILED;
if (RSA_set0_key(k, k_n, k_e, NULL) == 0)
return CKR_FUNCTION_FAILED;
*key = k;
return CKR_OK;
}
CK_RV do_free_rsa_public_key(ykcs11_rsa_key_t *key) {
RSA_free(key);
return CKR_OK;
}
CK_RV do_get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
EC_KEY *eck;
const EC_GROUP *ecg;
unsigned char *p;
eck = EVP_PKEY_get1_EC_KEY(key);
ecg = EC_KEY_get0_group(eck);
p = data;
if ((*len = (CK_ULONG) i2d_ECPKParameters(ecg, &p)) == 0) {
EC_KEY_free(eck);
eck = NULL;
return CKR_FUNCTION_FAILED;
}
EC_KEY_free(eck);
eck = NULL;
return CKR_OK;
}
CK_RV do_delete_pubk(EVP_PKEY **key) {
EVP_PKEY_free(*key);
key = NULL;
return CKR_OK;
}
/*CK_RV free_key(EVP_PKEY *key) {
EVP_PKEY_free(key);
return CKR_OK;
}*/
CK_RV do_pkcs_1_t1(CK_BYTE_PTR in, CK_ULONG in_len, CK_BYTE_PTR out, CK_ULONG_PTR out_len, CK_ULONG key_len) {
unsigned char buffer[512];
key_len /= 8;
DBG("Apply padding to %lu bytes and get %lu\n", in_len, key_len);
// TODO: rand must be seeded first (should be automatic)
if (*out_len < key_len)
return CKR_BUFFER_TOO_SMALL;
if (RSA_padding_add_PKCS1_type_1(buffer, key_len, in, in_len) == 0)
return CKR_FUNCTION_FAILED;
memcpy(out, buffer, key_len);
*out_len = key_len;
return CKR_OK;
}
CK_RV do_pkcs_1_digest_info(CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
unsigned int len;
CK_RV rv;
rv = prepare_rsa_signature(in, in_len, out, &len, nid);
if (!rv)
return CKR_FUNCTION_FAILED;
*out_len = len;
return CKR_OK;
}
CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len,
int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
unsigned char em[RSA_size(key)];
#if OPENSSL_VERSION_NUMBER < 0x10100000L
OpenSSL_add_all_digests();
#endif
DBG("Apply PSS padding to %lu bytes and get %d", in_len, RSA_size(key));
// TODO: rand must be seeded first (should be automatic)
if (out != in)
memcpy(out, in, in_len);
// In case of raw PSS (no hash) this function will fail because OpenSSL requires an MD
if (RSA_padding_add_PKCS1_PSS(key, em, out, EVP_get_digestbynid(nid), -2) == 0) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_cleanup();
#endif
return CKR_FUNCTION_FAILED;
}
memcpy(out, em, sizeof(em));
*out_len = (CK_ULONG) sizeof(em);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_cleanup();
#endif
return CKR_OK;
}
CK_RV do_md_init(hash_t hash, ykcs11_md_ctx_t **ctx) {
const EVP_MD *md;
switch (hash) {
case YKCS11_NO_HASH:
return CKR_FUNCTION_FAILED;
case YKCS11_SHA1:
md = EVP_sha1();
break;
//case YKCS11_SHA224:
case YKCS11_SHA256:
md = EVP_sha256();
break;
case YKCS11_SHA384:
md = EVP_sha384();
break;
case YKCS11_SHA512:
md = EVP_sha512();
break;
//case YKCS11_RIPEMD128_RSA_PKCS_HASH:
//case YKCS11_RIPEMD160_HASH:
default:
return CKR_FUNCTION_FAILED;
}
*ctx = EVP_MD_CTX_create();
// The OpenSSL function above never fail
if (EVP_DigestInit_ex(*ctx, md, NULL) == 0) {
EVP_MD_CTX_destroy((EVP_MD_CTX *)*ctx);
return CKR_FUNCTION_FAILED;
}
return CKR_OK;
}
CK_RV do_md_update(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR in, CK_ULONG in_len) {
if (EVP_DigestUpdate(ctx, in, in_len) != 1) {
EVP_MD_CTX_destroy(ctx);
return CKR_FUNCTION_FAILED;
}
return CKR_OK;
}
CK_RV do_md_finalize(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR out, CK_ULONG_PTR out_len, int *nid) {
int rv;
unsigned int len;
// Keep track of the md type if requested
if (nid != NULL)
*nid = EVP_MD_CTX_type(ctx);
// Finalize digest and store result
rv = EVP_DigestFinal_ex(ctx, out, &len);
// Destroy the md context
EVP_MD_CTX_destroy(ctx);
// Error if the previous call failed
if (rv != 1)
return CKR_FUNCTION_FAILED;
*out_len = len;
return CKR_OK;
}
CK_RV do_md_cleanup(ykcs11_md_ctx_t *ctx) {
EVP_MD_CTX_destroy((EVP_MD_CTX *) ctx);
return CKR_OK;
}
-74
View File
@@ -1,74 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef OPENSSL_UTIL_H
#define OPENSSL_UTIL_H
/* #include <openssl/x509.h> */
/* #include <openssl/evp.h> */
/* #include <openssl/rsa.h> */
/* #include <openssl/ec.h> */
#include "openssl_types.h"
#include "pkcs11y.h"
CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert);
CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa,
CK_BYTE_PTR out, CK_ULONG_PTR out_len);
CK_RV do_check_cert(CK_BYTE_PTR in, CK_ULONG_PTR cert_len);
CK_RV do_get_raw_cert(X509 *cert, CK_BYTE_PTR out, CK_ULONG_PTR out_len);
CK_RV do_delete_cert(X509 **cert);
//CK_RV free_cert(X509 *cert);
CK_RV do_store_pubk(X509 *cert, EVP_PKEY **key);
CK_KEY_TYPE do_get_key_type(EVP_PKEY *key);
CK_ULONG do_get_rsa_modulus_length(EVP_PKEY *key);
CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
CK_RV do_get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
CK_RV do_delete_pubk(EVP_PKEY **key);
//CK_RV free_key(EVP_PKEY *key);
CK_RV do_encode_rsa_public_key(ykcs11_rsa_key_t **key, CK_BYTE_PTR modulus, CK_ULONG mlen, CK_BYTE_PTR exponent, CK_ULONG elen);
CK_RV do_free_rsa_public_key(ykcs11_rsa_key_t *key);
CK_RV do_pkcs_1_t1(CK_BYTE_PTR in, CK_ULONG in_len, CK_BYTE_PTR out, CK_ULONG_PTR out_len, CK_ULONG key_len);
CK_RV do_pkcs_1_digest_info(CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len);
CK_RV do_pkcs_pss(RSA *key, CK_BYTE_PTR in, CK_ULONG in_len, int nid,
CK_BYTE_PTR out, CK_ULONG_PTR out_len);
CK_RV do_md_init(hash_t hash, ykcs11_md_ctx_t **ctx);
CK_RV do_md_update(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR in, CK_ULONG in_len);
CK_RV do_md_finalize(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR out, CK_ULONG_PTR out_len, int *nid);
CK_RV do_md_cleanup(ykcs11_md_ctx_t *ctx);
#endif
-1437
View File
File diff suppressed because it is too large Load Diff
-46
View File
@@ -1,46 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef PKCS11Y_H
#define PKCS11Y_H
#include "pkcs11.h"
typedef CK_FLAGS * CK_FLAGS_PTR;
// YUBICO specific attributes
#define CKA_TOUCH_PIN_DEFAULT 0x00000000U
#define CKA_TOUCH_ALWAYS 0x00000001U
#define CKA_PIN_ONCE 0x00000002U
#define CKA_PIN_ALWAYS 0x00000004U
#define CKA_PIN_NEVER 0x00000008U
#define CKA_TOUCH_NEVER 0x00000016U
#endif
-54
View File
@@ -1,54 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include "slot_vendors.h"
#include "yubico_slot.h"
#include <stdlib.h>
slot_vendor_t get_slot_vendor(vendor_id_t vid) {
slot_vendor_t v;
switch (vid) {
case YUBICO:
v.get_slot_manufacturer = YUBICO_get_slot_manufacturer;
v.get_slot_flags = YUBICO_get_slot_flags;
v.get_slot_version = YUBICO_get_slot_version;
break;
case UNKNOWN:
default:
v.get_slot_manufacturer = NULL;
v.get_slot_flags = NULL;
v.get_slot_version = NULL;
}
return v;
}
-50
View File
@@ -1,50 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef SLOT_VENDORS_H
#define SLOT_VENDORS_H
#include "pkcs11y.h"
#include "vendor_ids.h"
typedef CK_RV (*get_s_manufacturer_f)(CK_UTF8CHAR_PTR, CK_ULONG);
typedef CK_RV (*get_s_flags_f)(CK_FLAGS_PTR);
typedef CK_RV (*get_s_version_f)(CK_VERSION_PTR);
typedef struct {
get_s_manufacturer_f get_slot_manufacturer;
get_s_flags_f get_slot_flags;
get_s_version_f get_slot_version;
} slot_vendor_t;
slot_vendor_t get_slot_vendor(vendor_id_t vid);
#endif
-52
View File
@@ -1,52 +0,0 @@
# Copyright (c) 2015-2016 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#TESTS_ENVIRONMENT = export VERSION=$(PACKAGE_VERSION); export EXEEXT=$(EXEEXT);
#LOG_COMPILER = $(VALGRIND)
AM_CFLAGS = $(WARN_CFLAGS) @CHECK_CFLAGS@
AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_builddir)/lib
AM_CPPFLAGS += -I$(top_srcdir)/ykcs11 -I$(top_builddir)/ykcs11
AM_CPPFLAGS += $(OPENSSL_CFLAGS)
AM_LDFLAGS = @CHECK_LIBS@
if COMPILER_CLANG
AM_LDFLAGS += -no-fast-install
else
AM_LDFLAGS += -no-install
endif
ykcs11_tests_LDADD = ../libykcs11.la $(OPENSSL_LIBS) ../../tool/libpiv_util.la
ykcs11_tests_SOURCES = ykcs11_tests.c
check_PROGRAMS = ykcs11_tests
TESTS = reset.sh $(check_PROGRAMS)
if ENABLE_COV
AM_LDFLAGS += --coverage
endif
-20
View File
@@ -1,20 +0,0 @@
BIN="../../tool/yubico-piv-tool${EXEEXT}"
# Verify that user has confirmed destructive hw-tests
if [ "x$YKPIV_ENV_HWTESTS_CONFIRMED" != "x1" ]; then
printf "\n***\n*** Hardware tests skipped. Run \"make hwcheck\".\n***\n\n" >&0
exit 77 # exit code 77 == skipped tests
fi
# Reset
$BIN -averify-pin -P000000 || true
$BIN -averify-pin -P000000 || true
$BIN -averify-pin -P000000 || true
$BIN -averify-pin -P000000 || true
$BIN -averify-pin -P000000 || true
$BIN -achange-puk -P000000 -N00000000 || true
$BIN -achange-puk -P000000 -N00000000 || true
$BIN -achange-puk -P000000 -N00000000 || true
$BIN -achange-puk -P000000 -N00000000 || true
$BIN -achange-puk -P000000 -N00000000 || true
$BIN -areset
-721
View File
@@ -1,721 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include "../../tool/openssl-compat.h"
#include <ykcs11.h>
#include <ykcs11-version.h>
#include <string.h>
#include <openssl/rsa.h>
#include <openssl/ec.h>
#include <openssl/bn.h>
#include <openssl/x509.h>
#include <openssl/rand.h>
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wpointer-sign"
#ifdef __MINGW32__
#define dprintf(fd, ...) fprintf(stdout, __VA_ARGS__)
#endif
void dump_hex(const unsigned char *buf, unsigned int len, FILE *output, int space) {
unsigned int i;
for (i = 0; i < len; i++) {
fprintf(output, "%02x%s", buf[i], space == 1 ? " " : "");
}
fprintf(output, "\n");
}
CK_FUNCTION_LIST_PTR funcs;
#define asrt(c, e, m) _asrt(__LINE__, c, e, m);
static void _asrt(int line, CK_ULONG check, CK_ULONG expected, CK_CHAR_PTR msg) {
if (check == expected)
return;
fprintf(stderr, "<%s>:%d check failed with value %lu (0x%lx), expected %lu (0x%lx)\n",
msg, line, check, check, expected, expected);
exit(EXIT_FAILURE);
}
static void get_functions(CK_FUNCTION_LIST_PTR_PTR funcs) {
if (C_GetFunctionList(funcs) != CKR_OK) {
fprintf(stderr, "Get function list failed\n");
exit(EXIT_FAILURE);
}
}
static void test_lib_info() {
const CK_CHAR_PTR MANUFACTURER_ID = "Yubico (www.yubico.com)";
const CK_CHAR_PTR YKCS11_DESCRIPTION = "PKCS#11 PIV Library (SP-800-73)";
const CK_ULONG CRYPTOKI_VERSION_MAJ = 2;
const CK_ULONG CRYPTOKI_VERSION_MIN = 40;
CK_INFO info;
asrt(funcs->C_GetInfo(&info), CKR_OK, "GET_INFO");
asrt(strcmp(info.manufacturerID, MANUFACTURER_ID), 0, "MANUFACTURER");
asrt(info.cryptokiVersion.major, CRYPTOKI_VERSION_MAJ, "CK_MAJ");
asrt(info.cryptokiVersion.minor, CRYPTOKI_VERSION_MIN, "CK_MIN");
asrt(info.libraryVersion.major, YKCS11_VERSION_MAJOR, "LIB_MAJ");
asrt(info.libraryVersion.minor, ((YKCS11_VERSION_MINOR * 10) + YKCS11_VERSION_PATCH ), "LIB_MIN");
asrt(strcmp(info.libraryDescription, YKCS11_DESCRIPTION), 0, "LIB_DESC");
}
#ifdef HW_TESTS
static void test_initalize() {
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
}
static int test_token_info() {
const CK_CHAR_PTR TOKEN_LABEL = "YubiKey PIV";
const CK_CHAR_PTR TOKEN_MODEL = "YubiKey "; // Skip last 3 characters (version dependent)
const CK_CHAR_PTR TOKEN_MODEL_YK4 = "YubiKey YK4";
const CK_CHAR_PTR TOKEN_SERIAL = "1234";
const CK_FLAGS TOKEN_FLAGS = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED;
const CK_VERSION HW = {0, 0};
const CK_CHAR_PTR TOKEN_TIME = " ";
CK_TOKEN_INFO info;
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
asrt(funcs->C_GetTokenInfo(0, &info), CKR_OK, "GetTokeninfo");
asrt(strncmp(info.label, TOKEN_LABEL, strlen(TOKEN_LABEL)), 0, "TOKEN_LABEL");
// Skip manufacturer id (not used)
asrt(strncmp(info.model, TOKEN_MODEL, strlen(TOKEN_MODEL)), 0, "TOKEN_MODEL");
asrt(strncmp(info.serialNumber, TOKEN_SERIAL, strlen(TOKEN_SERIAL)), 0, "SERIAL_NUMBER");
asrt(info.flags, TOKEN_FLAGS, "TOKEN_FLAGS");
asrt(info.ulMaxSessionCount, CK_UNAVAILABLE_INFORMATION, "MAX_SESSION_COUNT");
asrt(info.ulSessionCount, CK_UNAVAILABLE_INFORMATION, "SESSION_COUNT");
asrt(info.ulMaxRwSessionCount, CK_UNAVAILABLE_INFORMATION, "MAX_RW_SESSION_COUNT");
asrt(info.ulRwSessionCount, CK_UNAVAILABLE_INFORMATION, "RW_SESSION_COUNT");
asrt(info.ulMaxPinLen, 8, "MAX_PIN_LEN");
asrt(info.ulMinPinLen, 6, "MIN_PIN_LEN");
asrt(info.ulTotalPublicMemory, CK_UNAVAILABLE_INFORMATION, "TOTAL_PUB_MEM");
asrt(info.ulFreePublicMemory, CK_UNAVAILABLE_INFORMATION, "FREE_PUB_MEM");
asrt(info.ulTotalPrivateMemory, CK_UNAVAILABLE_INFORMATION, "TOTAL_PVT_MEM");
asrt(info.ulFreePrivateMemory, CK_UNAVAILABLE_INFORMATION, "FREE_PVT_MEM");
if (strncmp(info.model, TOKEN_MODEL_YK4, strlen(TOKEN_MODEL_YK4)) != 0) {
dprintf(0, "\n\n** WARNING: Only YK4 supported. Skipping remaining tests.\n\n");
return -1;
}
asrt(info.hardwareVersion.major, HW.major, "HW_MAJ");
asrt(info.hardwareVersion.minor, HW.minor, "HW_MIN");
if (info.firmwareVersion.major != 4 && info.firmwareVersion.major != 0)
asrt(info.firmwareVersion.major, 4, "FW_MAJ");
asrt(strncmp(info.utcTime, TOKEN_TIME, sizeof(info.utcTime)), 0, "TOKEN_TIME");
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
return 0;
}
static void test_mechanism_list_and_info() {
CK_MECHANISM_TYPE_PTR mechs;
CK_ULONG n_mechs;
CK_MECHANISM_INFO info;
CK_ULONG i;
static const CK_MECHANISM_TYPE token_mechanisms[] = {
CKM_RSA_PKCS_KEY_PAIR_GEN,
CKM_RSA_PKCS,
CKM_RSA_PKCS_PSS,
CKM_RSA_X_509,
CKM_SHA1_RSA_PKCS,
CKM_SHA256_RSA_PKCS,
CKM_SHA384_RSA_PKCS,
CKM_SHA512_RSA_PKCS,
CKM_SHA1_RSA_PKCS_PSS,
CKM_SHA256_RSA_PKCS_PSS,
CKM_SHA384_RSA_PKCS_PSS,
CKM_SHA512_RSA_PKCS_PSS,
CKM_EC_KEY_PAIR_GEN,
CKM_ECDSA,
CKM_ECDSA_SHA1,
CKM_ECDSA_SHA256,
CKM_SHA_1,
CKM_SHA256,
CKM_SHA384,
CKM_SHA512
};
static const CK_MECHANISM_INFO token_mechanism_infos[] = { // KEEP ALIGNED WITH token_mechanisms
{1024, 2048, CKF_HW | CKF_GENERATE_KEY_PAIR},
{1024, 2048, CKF_HW | CKF_DECRYPT | CKF_SIGN},
{1024, 2048, CKF_HW | CKF_SIGN},
{1024, 2048, CKF_HW | CKF_DECRYPT | CKF_SIGN},
{1024, 2048, CKF_HW | CKF_SIGN},
{1024, 2048, CKF_HW | CKF_SIGN},
{1024, 2048, CKF_HW | CKF_SIGN},
{1024, 2048, CKF_HW | CKF_SIGN},
{1024, 2048, CKF_HW | CKF_SIGN},
{1024, 2048, CKF_HW | CKF_SIGN},
{1024, 2048, CKF_HW | CKF_SIGN},
{1024, 2048, CKF_HW | CKF_SIGN},
{256, 384, CKF_HW | CKF_GENERATE_KEY_PAIR},
{256, 384, CKF_HW | CKF_SIGN},
{256, 384, CKF_HW | CKF_SIGN},
{256, 384, CKF_HW | CKF_SIGN},
{0, 0, CKF_DIGEST},
{0, 0, CKF_DIGEST},
{0, 0, CKF_DIGEST},
{0, 0, CKF_DIGEST}
};
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
asrt(funcs->C_GetMechanismList(0, NULL, &n_mechs), CKR_OK, "GetMechanismList");
mechs = malloc(n_mechs * sizeof(CK_MECHANISM_TYPE));
asrt(funcs->C_GetMechanismList(0, mechs, &n_mechs), CKR_OK, "GetMechanismList");
asrt(memcmp(token_mechanisms, mechs, sizeof(token_mechanisms)), 0, "CHECK MECHS");
for (i = 0; i < n_mechs; i++) {
asrt(funcs->C_GetMechanismInfo(0, mechs[i], &info), CKR_OK, "GET MECH INFO");
asrt(memcmp(token_mechanism_infos + i, &info, sizeof(CK_MECHANISM_INFO)), 0, "CHECK MECH INFO");
}
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
}
static void test_session() {
CK_SESSION_HANDLE session;
CK_SESSION_INFO info;
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1");
asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession");
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession2");
asrt(funcs->C_GetSessionInfo(session, &info), CKR_OK, "GetSessionInfo");
asrt(info.state, CKS_RW_PUBLIC_SESSION, "CHECK STATE");
asrt(info.flags, CKF_SERIAL_SESSION | CKF_RW_SESSION, "CHECK FLAGS");
asrt(info.ulDeviceError, 0, "CHECK DEVICE ERROR");
asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession");
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession3");
asrt(funcs->C_CloseAllSessions(0), CKR_OK, "CloseAllSessions");
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
}
static void test_login() {
CK_SESSION_HANDLE session;
CK_SESSION_INFO info;
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1");
asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER");
asrt(funcs->C_Logout(session), CKR_OK, "Logout USER");
asrt(funcs->C_Login(session, CKU_SO, "010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO");
asrt(funcs->C_Logout(session), CKR_OK, "Logout SO");
asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession");
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
}
#if !((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
static int bogus_sign(int dtype, const unsigned char *m, unsigned int m_length,
unsigned char *sigret, unsigned int *siglen, const RSA *rsa) {
sigret = malloc(1);
sigret = "";
*siglen = 1;
return 0;
}
static void bogus_sign_cert(X509 *cert) {
EVP_PKEY *pkey = EVP_PKEY_new();
RSA *rsa = RSA_new();
RSA_METHOD *meth = RSA_meth_dup(RSA_get_default_method());
BIGNUM *e = BN_new();
BN_set_word(e, 65537);
RSA_generate_key_ex(rsa, 1024, e, NULL);
RSA_meth_set_sign(meth, bogus_sign);
RSA_set_method(rsa, meth);
EVP_PKEY_set1_RSA(pkey, rsa);
X509_sign(cert, pkey, EVP_md5());
EVP_PKEY_free(pkey);
}
#endif
// Import a newly generated P256 pvt key and a certificate
// to every slot and use the key to sign some data
static void test_import_and_sign_all_10() {
EVP_PKEY *evp;
EC_KEY *eck;
const EC_POINT *ecp;
const BIGNUM *bn;
char pvt[32];
X509 *cert;
ASN1_TIME *tm;
CK_BYTE i, j;
CK_BYTE some_data[32];
CK_ULONG class_k = CKO_PRIVATE_KEY;
CK_ULONG class_c = CKO_CERTIFICATE;
CK_ULONG kt = CKK_ECDSA;
CK_BYTE id = 0;
CK_BYTE params[] = {0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07};
CK_BYTE sig[64];
CK_ULONG recv_len;
CK_BYTE value_c[3100];
CK_ULONG cert_len;
CK_BYTE der_encoded[80];
CK_BYTE_PTR der_ptr;
CK_BYTE_PTR r_ptr;
CK_BYTE_PTR s_ptr;
CK_ULONG r_len;
CK_ULONG s_len;
unsigned char *p;
CK_ATTRIBUTE privateKeyTemplate[] = {
{CKA_CLASS, &class_k, sizeof(class_k)},
{CKA_KEY_TYPE, &kt, sizeof(kt)},
{CKA_ID, &id, sizeof(id)},
{CKA_EC_PARAMS, &params, sizeof(params)},
{CKA_VALUE, pvt, sizeof(pvt)}
};
CK_ATTRIBUTE publicKeyTemplate[] = {
{CKA_CLASS, &class_c, sizeof(class_c)},
{CKA_ID, &id, sizeof(id)},
{CKA_VALUE, value_c, sizeof(value_c)}
};
CK_OBJECT_HANDLE obj[24];
CK_SESSION_HANDLE session;
CK_MECHANISM mech = {CKM_ECDSA, NULL};
evp = EVP_PKEY_new();
if (evp == NULL)
exit(EXIT_FAILURE);
eck = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (eck == NULL)
exit(EXIT_FAILURE);
asrt(EC_KEY_generate_key(eck), 1, "GENERATE ECK");
bn = EC_KEY_get0_private_key(eck);
asrt(BN_bn2bin(bn, pvt), 32, "EXTRACT PVT");
if (EVP_PKEY_set1_EC_KEY(evp, eck) == 0)
exit(EXIT_FAILURE);
cert = X509_new();
if (cert == NULL)
exit(EXIT_FAILURE);
if (X509_set_pubkey(cert, evp) == 0)
exit(EXIT_FAILURE);
tm = ASN1_TIME_new();
if (tm == NULL)
exit(EXIT_FAILURE);
ASN1_TIME_set_string(tm, "000001010000Z");
X509_set_notBefore(cert, tm);
X509_set_notAfter(cert, tm);
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
cert->sig_alg->algorithm = OBJ_nid2obj(8);
cert->cert_info->signature->algorithm = OBJ_nid2obj(8);
ASN1_BIT_STRING_set_bit(cert->signature, 8, 1);
ASN1_BIT_STRING_set(cert->signature, "\x00", 1);
#else
bogus_sign_cert(cert);
#endif
p = value_c;
if ((cert_len = (CK_ULONG) i2d_X509(cert, &p)) == 0 || cert_len > sizeof(value_c))
exit(EXIT_FAILURE);
publicKeyTemplate[2].ulValueLen = cert_len;
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1");
asrt(funcs->C_Login(session, CKU_SO, "010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO");
for (i = 0; i < 24; i++) {
id = i;
asrt(funcs->C_CreateObject(session, publicKeyTemplate, 3, obj + i), CKR_OK, "IMPORT CERT");
asrt(funcs->C_CreateObject(session, privateKeyTemplate, 5, obj + i), CKR_OK, "IMPORT KEY");
}
asrt(funcs->C_Logout(session), CKR_OK, "Logout SO");
for (i = 0; i < 24; i++) {
for (j = 0; j < 10; j++) {
if(RAND_bytes(some_data, sizeof(some_data)) == -1)
exit(EXIT_FAILURE);
asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER");
asrt(funcs->C_SignInit(session, &mech, obj[i]), CKR_OK, "SignInit");
recv_len = sizeof(sig);
asrt(funcs->C_Sign(session, some_data, sizeof(some_data), sig, &recv_len), CKR_OK, "Sign");
r_len = 32;
s_len = 32;
der_ptr = der_encoded;
*der_ptr++ = 0x30;
*der_ptr++ = 0xff; // placeholder, fix below
r_ptr = sig;
*der_ptr++ = 0x02;
*der_ptr++ = r_len;
if (*r_ptr >= 0x80) {
*(der_ptr - 1) = *(der_ptr - 1) + 1;
*der_ptr++ = 0x00;
}
else if (*r_ptr == 0x00 && *(r_ptr + 1) < 0x80) {
r_len--;
*(der_ptr - 1) = *(der_ptr - 1) - 1;
r_ptr++;
}
memcpy(der_ptr, r_ptr, r_len);
der_ptr+= r_len;
s_ptr = sig + 32;
*der_ptr++ = 0x02;
*der_ptr++ = s_len;
if (*s_ptr >= 0x80) {
*(der_ptr - 1) = *(der_ptr - 1) + 1;
*der_ptr++ = 0x00;
}
else if (*s_ptr == 0x00 && *(s_ptr + 1) < 0x80) {
s_len--;
*(der_ptr - 1) = *(der_ptr - 1) - 1;
s_ptr++;
}
memcpy(der_ptr, s_ptr, s_len);
der_ptr+= s_len;
der_encoded[1] = der_ptr - der_encoded - 2;
dump_hex(der_encoded, der_encoded[1] + 2, stderr, 1);
asrt(ECDSA_verify(0, some_data, sizeof(some_data), der_encoded, der_encoded[1] + 2, eck), 1, "ECDSA VERIFICATION");
}
}
asrt(funcs->C_Logout(session), CKR_OK, "Logout USER");
asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession");
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
}
// Import a newly generated RSA1024 pvt key and a certificate
// to every slot and use the key to sign some data
static void test_import_and_sign_all_10_RSA() {
EVP_PKEY *evp;
RSA *rsak;
X509 *cert;
ASN1_TIME *tm;
CK_BYTE i, j;
CK_BYTE some_data[32];
CK_BYTE e[] = {0x01, 0x00, 0x01};
CK_BYTE p[64];
CK_BYTE q[64];
CK_BYTE dp[64];
CK_BYTE dq[64];
CK_BYTE qinv[64];
BIGNUM *e_bn;
CK_ULONG class_k = CKO_PRIVATE_KEY;
CK_ULONG class_c = CKO_CERTIFICATE;
CK_ULONG kt = CKK_RSA;
CK_BYTE id = 0;
CK_BYTE sig[64];
CK_ULONG recv_len;
CK_BYTE value_c[3100];
CK_ULONG cert_len;
CK_BYTE der_encoded[80];
CK_BYTE_PTR der_ptr;
CK_BYTE_PTR r_ptr;
CK_BYTE_PTR s_ptr;
CK_ULONG r_len;
CK_ULONG s_len;
const BIGNUM *bp, *bq, *biqmp, *bdmp1, *bdmq1;
unsigned char *px;
CK_ATTRIBUTE privateKeyTemplate[] = {
{CKA_CLASS, &class_k, sizeof(class_k)},
{CKA_KEY_TYPE, &kt, sizeof(kt)},
{CKA_ID, &id, sizeof(id)},
{CKA_PUBLIC_EXPONENT, e, sizeof(e)},
{CKA_PRIME_1, p, sizeof(p)},
{CKA_PRIME_2, q, sizeof(q)},
{CKA_EXPONENT_1, dp, sizeof(dp)},
{CKA_EXPONENT_2, dq, sizeof(dq)},
{CKA_COEFFICIENT, qinv, sizeof(qinv)}
};
CK_ATTRIBUTE publicKeyTemplate[] = {
{CKA_CLASS, &class_c, sizeof(class_c)},
{CKA_ID, &id, sizeof(id)},
{CKA_VALUE, value_c, sizeof(value_c)}
};
CK_OBJECT_HANDLE obj[24];
CK_SESSION_HANDLE session;
CK_MECHANISM mech = {CKM_RSA_PKCS, NULL};
evp = EVP_PKEY_new();
if (evp == NULL)
exit(EXIT_FAILURE);
rsak = RSA_new();
if (rsak == NULL)
exit(EXIT_FAILURE);
e_bn = BN_bin2bn(e, 3, NULL);
if (e_bn == NULL)
exit(EXIT_FAILURE);
asrt(RSA_generate_key_ex(rsak, 1024, e_bn, NULL), 1, "GENERATE RSAK");
RSA_get0_factors(rsak, &bp, &bq);
RSA_get0_crt_params(rsak, &bdmp1, &bdmq1, &biqmp);
asrt(BN_bn2bin(bp, p), 64, "GET P");
asrt(BN_bn2bin(bq, q), 64, "GET Q");
asrt(BN_bn2bin(bdmp1, dp), 64, "GET DP");
asrt(BN_bn2bin(bdmq1, dp), 64, "GET DQ");
asrt(BN_bn2bin(biqmp, qinv), 64, "GET QINV");
if (EVP_PKEY_set1_RSA(evp, rsak) == 0)
exit(EXIT_FAILURE);
cert = X509_new();
if (cert == NULL)
exit(EXIT_FAILURE);
if (X509_set_pubkey(cert, evp) == 0)
exit(EXIT_FAILURE);
tm = ASN1_TIME_new();
if (tm == NULL)
exit(EXIT_FAILURE);
ASN1_TIME_set_string(tm, "000001010000Z");
X509_set_notBefore(cert, tm);
X509_set_notAfter(cert, tm);
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
/* putting bogus data to signature to make some checks happy */
cert->sig_alg->algorithm = OBJ_nid2obj(8);
cert->cert_info->signature->algorithm = OBJ_nid2obj(8);
ASN1_BIT_STRING_set_bit(cert->signature, 8, 1);
ASN1_BIT_STRING_set(cert->signature, "\x00", 1);
#else
bogus_sign_cert(cert);
#endif
px = value_c;
if ((cert_len = (CK_ULONG) i2d_X509(cert, &px)) == 0 || cert_len > sizeof(value_c))
exit(EXIT_FAILURE);
publicKeyTemplate[2].ulValueLen = cert_len;
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1");
asrt(funcs->C_Login(session, CKU_SO, "010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO");
for (i = 0; i < 24; i++) {
id = i;
asrt(funcs->C_CreateObject(session, publicKeyTemplate, 3, obj + i), CKR_OK, "IMPORT CERT");
asrt(funcs->C_CreateObject(session, privateKeyTemplate, 9, obj + i), CKR_OK, "IMPORT KEY");
}
asrt(funcs->C_Logout(session), CKR_OK, "Logout SO");
for (i = 0; i < 24; i++) {
for (j = 0; j < 10; j++) {
if(RAND_bytes(some_data, sizeof(some_data)) == -1)
exit(EXIT_FAILURE);
asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER");
asrt(funcs->C_SignInit(session, &mech, obj[i]), CKR_OK, "SignInit");
recv_len = sizeof(sig);
asrt(funcs->C_Sign(session, some_data, sizeof(some_data), sig, &recv_len), CKR_OK, "Sign");
/* r_len = 32; */
/* s_len = 32; */
/* der_ptr = der_encoded; */
/* *der_ptr++ = 0x30; */
/* *der_ptr++ = 0xff; // placeholder, fix below */
/* r_ptr = sig; */
/* *der_ptr++ = 0x02; */
/* *der_ptr++ = r_len; */
/* if (*r_ptr >= 0x80) { */
/* *(der_ptr - 1) = *(der_ptr - 1) + 1; */
/* *der_ptr++ = 0x00; */
/* } */
/* else if (*r_ptr == 0x00 && *(r_ptr + 1) < 0x80) { */
/* r_len--; */
/* *(der_ptr - 1) = *(der_ptr - 1) - 1; */
/* r_ptr++; */
/* } */
/* memcpy(der_ptr, r_ptr, r_len); */
/* der_ptr+= r_len; */
/* s_ptr = sig + 32; */
/* *der_ptr++ = 0x02; */
/* *der_ptr++ = s_len; */
/* if (*s_ptr >= 0x80) { */
/* *(der_ptr - 1) = *(der_ptr - 1) + 1; */
/* *der_ptr++ = 0x00; */
/* } */
/* else if (*s_ptr == 0x00 && *(s_ptr + 1) < 0x80) { */
/* s_len--; */
/* *(der_ptr - 1) = *(der_ptr - 1) - 1; */
/* s_ptr++; */
/* } */
/* memcpy(der_ptr, s_ptr, s_len); */
/* der_ptr+= s_len; */
/* der_encoded[1] = der_ptr - der_encoded - 2; */
/* dump_hex(der_encoded, der_encoded[1] + 2, stderr, 1); */
/* asrt(ECDSA_verify(0, some_data, sizeof(some_data), der_encoded, der_encoded[1] + 2, eck), 1, "ECDSA VERIFICATION"); */
}
}
asrt(funcs->C_Logout(session), CKR_OK, "Logout USER");
asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession");
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
}
#endif
int destruction_confirmed(void) {
char *confirmed = getenv("YKPIV_ENV_HWTESTS_CONFIRMED");
if (confirmed && confirmed[0] == '1')
return 1;
// Use dprintf() to write directly to stdout, since automake eats the standard stdout/stderr pointers.
dprintf(0, "\n***\n*** Hardware tests skipped. Run \"make hwcheck\".\n***\n\n");
return 0;
}
int main(void) {
get_functions(&funcs);
test_lib_info();
#ifdef HW_TESTS
// Require user confirmation to continue, since this test suite will clear
// any data stored on connected keys.
if (!destruction_confirmed())
exit(77); // exit code 77 == skipped tests
test_initalize();
// Require YK4 to continue. Skip if different model found.
if (test_token_info() != 0)
exit(77);
test_mechanism_list_and_info();
test_session();
test_login();
test_import_and_sign_all_10();
test_import_and_sign_all_10_RSA();
#else
fprintf(stderr, "HARDWARE TESTS DISABLED!, skipping...\n");
#endif
return EXIT_SUCCESS;
}
#pragma clang diagnostic pop
-365
View File
@@ -1,365 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include "token_vendors.h"
#include "yubico_token.h"
#include "openssl_utils.h"
#include <string.h>
#include "debug.h"
#include <stdbool.h>
#include "../tool/util.h"
static CK_RV COMMON_token_login(ykpiv_state *state, CK_USER_TYPE user, CK_UTF8CHAR_PTR pin, CK_ULONG pin_len) {
int tries = 0; // TODO: this is effectively disregarded, should we add a better value in ykpiv_verify?
unsigned char key[24];
size_t key_len = sizeof(key);
unsigned char *term_pin;
ykpiv_rc res;
if (user == CKU_USER) {
// add null termination for the pin
term_pin = malloc(pin_len + 1);
if (term_pin == NULL) {
return CKR_HOST_MEMORY;
}
memcpy(term_pin, pin, pin_len);
term_pin[pin_len] = 0;
res = ykpiv_verify(state, (char *)term_pin, &tries);
OPENSSL_cleanse(term_pin, pin_len);
free(term_pin);
if (res != YKPIV_OK) {
DBG("Failed to login");
return CKR_PIN_INCORRECT;
}
}
else if (user == CKU_SO) {
if(ykpiv_hex_decode((char *)pin, pin_len, key, &key_len) != YKPIV_OK) {
DBG("Failed decoding key");
return CKR_FUNCTION_FAILED;
}
if(ykpiv_authenticate(state, key) != YKPIV_OK) {
DBG("Failed to authenticate");
return CKR_PIN_INCORRECT;
}
}
return CKR_OK;
}
static CK_RV COMMON_token_generate_key(ykpiv_state *state, CK_BBOOL rsa,
CK_BYTE key, CK_ULONG key_len, CK_ULONG vendor_defined) {
// TODO: make a function in ykpiv for this
unsigned char in_data[11];
unsigned char *in_ptr = in_data;
unsigned char data[1024];
unsigned char templ[] = {0, YKPIV_INS_GENERATE_ASYMMETRIC, 0, 0};
unsigned char *certptr;
unsigned long recv_len = sizeof(data);
int len_bytes;
int sw;
CK_RV rv;
if(rsa) {
char version[7];
if(ykpiv_get_version(state, version, sizeof(version)) == YKPIV_OK) {
int major, minor, build;
int match = sscanf(version, "%d.%d.%d", &major, &minor, &build);
if(match == 3 && major == 4 && (minor < 3 || (minor == 3 && build < 5))) {
DBG("On-chip RSA key generation on this YubiKey has been blocked.\n");
DBG("Please see https://yubi.co/ysa201701/ for details.\n");
return CKR_FUNCTION_FAILED;
}
} else {
DBG("Failed to communicate.\n");
return CKR_DEVICE_ERROR;
}
}
templ[3] = key;
*in_ptr++ = 0xac;
*in_ptr++ = 3;
*in_ptr++ = YKPIV_ALGO_TAG;
*in_ptr++ = 1;
switch(key_len) {
case 2048:
if (rsa == CK_TRUE)
*in_ptr++ = YKPIV_ALGO_RSA2048;
else
return CKR_FUNCTION_FAILED;
break;
case 1024:
if (rsa == CK_TRUE)
*in_ptr++ = YKPIV_ALGO_RSA1024;
else
return CKR_FUNCTION_FAILED;
break;
case 256:
if (rsa == CK_FALSE)
*in_ptr++ = YKPIV_ALGO_ECCP256;
else
return CKR_FUNCTION_FAILED;
break;
default:
return CKR_FUNCTION_FAILED;
}
// PIN policy and touch
if (vendor_defined != 0) {
if (vendor_defined & CKA_PIN_ONCE) {
in_data[1] += 3;
*in_ptr++ = YKPIV_PINPOLICY_TAG;
*in_ptr++ = 0x01;
*in_ptr++ = YKPIV_PINPOLICY_ONCE;
}
else if (vendor_defined & CKA_PIN_ALWAYS) {
in_data[1] += 3;
*in_ptr++ = YKPIV_PINPOLICY_TAG;
*in_ptr++ = 0x01;
*in_ptr++ = YKPIV_PINPOLICY_ALWAYS;
}
if (vendor_defined & CKA_TOUCH_ALWAYS) {
in_data[1] += 3;
*in_ptr++ = YKPIV_TOUCHPOLICY_TAG;
*in_ptr++ = 0x01;
*in_ptr++ = YKPIV_TOUCHPOLICY_ALWAYS;
}
}
if(ykpiv_transfer_data(state, templ, in_data, in_ptr - in_data, data, &recv_len, &sw) != YKPIV_OK ||
sw != 0x9000)
return CKR_DEVICE_ERROR;
// Create a new empty certificate for the key
recv_len = sizeof(data);
if ((rv = do_create_empty_cert(data, recv_len, rsa, data, &recv_len)) != CKR_OK)
return rv;
if (recv_len < 0x80)
len_bytes = 1;
else if (recv_len < 0xff)
len_bytes = 2;
else
len_bytes = 3;
certptr = data;
memmove(data + len_bytes + 1, data, recv_len);
*certptr++ = 0x70;
certptr += set_length(certptr, recv_len);
certptr += recv_len;
*certptr++ = 0x71;
*certptr++ = 1;
*certptr++ = 0; /* certinfo (gzip etc) */
*certptr++ = 0xfe; /* LRC */
*certptr++ = 0;
// Store the certificate into the token
if (ykpiv_save_object(state, ykpiv_util_slot_object(key), data, (size_t)(certptr - data)) != YKPIV_OK)
return CKR_DEVICE_ERROR;
return CKR_OK;
}
static CK_RV COMMON_token_import_cert(ykpiv_state *state, CK_ULONG cert_id, CK_BYTE_PTR in) {
unsigned char certdata[3072];
unsigned char *certptr;
CK_ULONG cert_len;
CK_RV rv;
// Check whether or not we have a valid cert
if ((rv = do_check_cert(in, &cert_len)) != CKR_OK)
return rv;
if (cert_len > 3072)
return CKR_FUNCTION_FAILED;
certptr = certdata;
*certptr++ = 0x70;
certptr += set_length(certptr, cert_len);
memcpy(certptr, in, cert_len);
certptr += cert_len;
*certptr++ = 0x71;
*certptr++ = 1;
*certptr++ = 0; /* certinfo (gzip etc) */
*certptr++ = 0xfe; /* LRC */
*certptr++ = 0;
// Store the certificate into the token
if (ykpiv_save_object(state, cert_id, certdata, (size_t)(certptr - certdata)) != YKPIV_OK)
return CKR_DEVICE_ERROR;
return CKR_OK;
}
CK_RV COMMON_token_import_private_key(ykpiv_state *state, CK_BYTE key_id,
CK_BYTE_PTR p, CK_ULONG p_len,
CK_BYTE_PTR q, CK_ULONG q_len,
CK_BYTE_PTR dp, CK_ULONG dp_len,
CK_BYTE_PTR dq, CK_ULONG dq_len,
CK_BYTE_PTR qinv, CK_ULONG qinv_len,
CK_BYTE_PTR ec_data, CK_ULONG ec_data_len,
CK_ULONG vendor_defined) {
CK_BYTE pin_policy;
CK_BYTE touch_policy;
CK_BYTE algo;
ykpiv_rc rc;
if (p == NULL) {
if (ec_data_len == 32 || ec_data_len == 31)
algo = YKPIV_ALGO_ECCP256;
else
algo = YKPIV_ALGO_ECCP384;
}
else if (ec_data == NULL) {
if (p_len == 64)
algo = YKPIV_ALGO_RSA1024;
else
algo = YKPIV_ALGO_RSA2048;
}
else
return CKR_FUNCTION_FAILED;
pin_policy = YKPIV_PINPOLICY_DEFAULT;
touch_policy = YKPIV_TOUCHPOLICY_DEFAULT;
if (vendor_defined != 0) {
if (vendor_defined & CKA_PIN_ONCE) {
pin_policy = YKPIV_PINPOLICY_ONCE;
}
else if (vendor_defined & CKA_PIN_ALWAYS) {
pin_policy = YKPIV_PINPOLICY_ALWAYS;
}
else if (vendor_defined & CKA_PIN_NEVER) {
pin_policy = YKPIV_PINPOLICY_NEVER;
}
else
return CKR_ATTRIBUTE_VALUE_INVALID;
if (vendor_defined & CKA_TOUCH_ALWAYS) {
touch_policy = YKPIV_TOUCHPOLICY_ALWAYS;
}
else if (vendor_defined & CKA_TOUCH_NEVER) {
touch_policy = YKPIV_TOUCHPOLICY_NEVER;
}
else
return CKR_ATTRIBUTE_VALUE_INVALID;
}
rc = ykpiv_import_private_key(state, key_id, algo,
p, p_len,
q, q_len,
dp, dp_len,
dq, dq_len,
qinv, qinv_len,
ec_data, ec_data_len,
pin_policy, touch_policy);
if (rc != YKPIV_OK)
return CKR_FUNCTION_FAILED;
return CKR_OK;
}
CK_RV COMMON_token_delete_cert(ykpiv_state *state, CK_ULONG cert_id) {
if (ykpiv_save_object(state, cert_id, NULL, 0) != YKPIV_OK)
return CKR_DEVICE_ERROR;
return CKR_OK;
}
token_vendor_t get_token_vendor(vendor_id_t vid) {
token_vendor_t v;
switch (vid) {
case YUBICO:
v.get_token_label = YUBICO_get_token_label;
v.get_token_manufacturer = YUBICO_get_token_manufacturer;
v.get_token_model = YUBICO_get_token_model;
v.get_token_flags = YUBICO_get_token_flags;
v.get_token_version = YUBICO_get_token_version;
v.get_token_serial = YUBICO_get_token_serial;
v.get_token_mechanisms_num = YUBICO_get_token_mechanisms_num;
v.get_token_mechanism_list = YUBICO_get_token_mechanism_list;
v.get_token_mechanism_info = YUBICO_get_token_mechanism_info;
v.get_token_objects_num = YUBICO_get_token_objects_num;
v.get_token_object_list = YUBICO_get_token_object_list;
v.get_token_raw_certificate = YUBICO_get_token_raw_certificate;
v.token_login = COMMON_token_login;
v.token_generate_key = COMMON_token_generate_key;
v.token_import_cert = COMMON_token_import_cert;
v.token_import_private_key = COMMON_token_import_private_key;
v.token_delete_cert = COMMON_token_delete_cert;
v.token_change_pin = YUBICO_token_change_pin;
break;
case UNKNOWN:
default:
v.get_token_label = NULL;
v.get_token_manufacturer = NULL;
v.get_token_model = NULL;
v.get_token_flags = NULL;
v.get_token_version = NULL;
v.get_token_serial = NULL;
v.get_token_mechanisms_num = NULL;
v.get_token_mechanism_list = NULL;
v.get_token_mechanism_info = NULL;
v.get_token_objects_num = NULL;
v.get_token_object_list = NULL;
v.get_token_raw_certificate = NULL;
v.token_login = NULL;
v.token_generate_key = NULL;
v.token_import_cert = NULL;
v.token_import_private_key = NULL;
v.token_delete_cert = NULL;
}
return v;
}
-92
View File
@@ -1,92 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef TOKEN_VENDORS_H
#define TOKEN_VENDORS_H
#include "pkcs11.h"
#include "vendor_ids.h"
#include "obj_types.h"
#include <ykpiv.h>
typedef CK_RV (*get_t_label_f)(CK_UTF8CHAR_PTR, CK_ULONG);
typedef CK_RV (*get_t_manufacturer_f)(CK_UTF8CHAR_PTR, CK_ULONG);
typedef CK_RV (*get_t_model_f)(ykpiv_state *, CK_UTF8CHAR_PTR, CK_ULONG);
typedef CK_RV (*get_t_flags_f)(CK_FLAGS_PTR);
typedef CK_RV (*get_t_version_f)(ykpiv_state *, CK_VERSION_PTR);
typedef CK_RV (*get_t_serial_f)(CK_CHAR_PTR, CK_ULONG);
typedef CK_RV (*get_t_mechanisms_num_f)(CK_ULONG_PTR);
typedef CK_RV (*get_t_mechanism_list_f)(CK_MECHANISM_TYPE_PTR, CK_ULONG);
typedef CK_RV (*get_t_mechanism_info_f)(CK_MECHANISM_TYPE, CK_MECHANISM_INFO_PTR);
typedef CK_RV (*get_t_objects_num_f)(ykpiv_state *, CK_ULONG_PTR, CK_ULONG_PTR);
typedef CK_RV (*get_t_object_list_f)(ykpiv_state *, piv_obj_id_t *, CK_ULONG);
typedef CK_RV (*get_t_raw_certificate_f)(ykpiv_state *, piv_obj_id_t, CK_BYTE_PTR, CK_ULONG_PTR);
typedef CK_RV (*t_change_pin_f)(ykpiv_state *, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR, CK_ULONG);
// Common token functions below
typedef CK_RV (*t_login_f)(ykpiv_state *, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG);
typedef CK_RV (*t_generate_key_f)(ykpiv_state *, CK_BBOOL, CK_BYTE, CK_ULONG, CK_ULONG);
typedef CK_RV (*t_import_cert_f)(ykpiv_state *, CK_ULONG, CK_BYTE_PTR);
typedef CK_RV (*t_import_private_key_f)(ykpiv_state *, CK_BYTE,
CK_BYTE_PTR, CK_ULONG,
CK_BYTE_PTR, CK_ULONG,
CK_BYTE_PTR, CK_ULONG,
CK_BYTE_PTR, CK_ULONG,
CK_BYTE_PTR, CK_ULONG,
CK_BYTE_PTR, CK_ULONG,
CK_ULONG);
typedef CK_RV (*t_delete_cert_f)(ykpiv_state *, CK_ULONG);
// TODO: replace all the common calls with functions defined in .c that use libykpiv
typedef struct {
get_t_label_f get_token_label;
get_t_manufacturer_f get_token_manufacturer;
get_t_model_f get_token_model;
get_t_flags_f get_token_flags;
get_t_version_f get_token_version;
get_t_serial_f get_token_serial;
get_t_mechanisms_num_f get_token_mechanisms_num;
get_t_mechanism_list_f get_token_mechanism_list;
get_t_mechanism_info_f get_token_mechanism_info;
get_t_objects_num_f get_token_objects_num;
get_t_object_list_f get_token_object_list;
get_t_raw_certificate_f get_token_raw_certificate;
t_login_f token_login;
t_generate_key_f token_generate_key;
t_import_cert_f token_import_cert;
t_import_private_key_f token_import_private_key;
t_delete_cert_f token_delete_cert;
t_change_pin_f token_change_pin;
} token_vendor_t;
token_vendor_t get_token_vendor(vendor_id_t vid);
#endif
-265
View File
@@ -1,265 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include "utils.h"
#include <stdlib.h>
#include <string.h>
CK_BBOOL has_token(const ykcs11_slot_t *slot) {
return (slot->info.flags & CKF_TOKEN_PRESENT);
}
CK_RV parse_readers(ykpiv_state *state, const CK_BYTE_PTR readers, const CK_ULONG len,
ykcs11_slot_t *slots, CK_ULONG_PTR n_slots, CK_ULONG_PTR n_with_token) {
CK_BYTE i;
CK_BYTE_PTR p;
CK_BYTE_PTR s;
CK_ULONG l;
slot_vendor_t slot;
*n_slots = 0;
*n_with_token = 0;
p = readers;
/*
* According to pcsc-lite, the format of a reader name is:
* name [interface] (serial) index slot
* https://ludovicrousseau.blogspot.se/2010/05/what-is-in-pcsc-reader-name.html
*/
for (i = 0; i < len; i++)
if (readers[i] == '\0' && i != len - 1) {
slots[*n_slots].vid = get_vendor_id((char *)p);
if (slots[*n_slots].vid == UNKNOWN) { // TODO: distinguish between tokenless and unsupported?
// Unknown slot, just save what info we have
memset(&slots[*n_slots].info, 0, sizeof(CK_SLOT_INFO));
memset(slots[*n_slots].info.slotDescription, ' ', sizeof(slots[*n_slots].info.slotDescription));
if (strlen((char *)p) <= sizeof(slots[*n_slots].info.slotDescription))
memcpy(slots[*n_slots].info.slotDescription, p, strlen((char *)p));
else
memcpy(slots[*n_slots].info.slotDescription, p, sizeof(slots[*n_slots].info.slotDescription));
}
else {
// Supported slot
slot = get_slot_vendor(slots[*n_slots].vid);
// Values must NOT be null terminated and ' ' padded
memset(slots[*n_slots].info.slotDescription, ' ', sizeof(slots[*n_slots].info.slotDescription));
s = slots[*n_slots].info.slotDescription;
l = sizeof(slots[*n_slots].info.slotDescription);
memcpy((char *)s, (char*)p, l);
memset(slots[*n_slots].info.manufacturerID, ' ', sizeof(slots[*n_slots].info.manufacturerID));
s = slots[*n_slots].info.manufacturerID;
l = sizeof(slots[*n_slots].info.manufacturerID);
if(slot.get_slot_manufacturer(s, l) != CKR_OK)
goto failure;
if (slot.get_slot_flags(&slots[*n_slots].info.flags) != CKR_OK)
goto failure;
// Treating hw and fw version the same
if (slot.get_slot_version(&slots[*n_slots].info.hardwareVersion) != CKR_OK)
goto failure;
if (slot.get_slot_version(&slots[*n_slots].info.firmwareVersion) != CKR_OK)
goto failure;
if (has_token(slots + *n_slots)) {
// Save token information
(*n_with_token)++;
if (create_token(state, p, slots + *n_slots) != CKR_OK)
goto failure;
}
}
(*n_slots)++;
p = readers + i + 1;
}
return CKR_OK;
failure:
// TODO: destroy all token objects
for (i = 0; i < *n_slots; i++)
if (has_token(slots + i))
destroy_token(slots + i);
return CKR_FUNCTION_FAILED;
}
CK_RV create_token(ykpiv_state *state, CK_BYTE_PTR p, ykcs11_slot_t *slot) {
token_vendor_t token;
CK_TOKEN_INFO_PTR t_info;
slot->token = malloc(sizeof(ykcs11_token_t)); // TODO: free
if (slot->token == NULL)
return CKR_HOST_MEMORY;
slot->token->vid = YUBICO; // TODO: this must become "slot_vendor.get_token_vid()"
token = get_token_vendor(slot->token->vid);
t_info = &slot->token->info;
memset(t_info->label, ' ', sizeof(t_info->label));
if (token.get_token_label(t_info->label, sizeof(t_info->label)) != CKR_OK)
return CKR_FUNCTION_FAILED;
memset(t_info->manufacturerID, ' ', sizeof(t_info->manufacturerID));
if(token.get_token_manufacturer(t_info->manufacturerID, sizeof(t_info->manufacturerID)) != CKR_OK)
return CKR_FUNCTION_FAILED;
if (ykpiv_connect(state, (char *)p) != YKPIV_OK)
return CKR_FUNCTION_FAILED;
memset(t_info->model, ' ', sizeof(t_info->model));
if(token.get_token_model(state, t_info->model, sizeof(t_info->model)) != CKR_OK) {
ykpiv_disconnect(state);
return CKR_FUNCTION_FAILED;
}
memset(t_info->serialNumber, ' ', sizeof(t_info->serialNumber));
if(token.get_token_serial(t_info->serialNumber, sizeof(t_info->serialNumber)) != CKR_OK) {
ykpiv_disconnect(state);
return CKR_FUNCTION_FAILED;
}
if (token.get_token_flags(&t_info->flags) != CKR_OK) {
ykpiv_disconnect(state);
return CKR_FUNCTION_FAILED;
}
t_info->ulMaxSessionCount = CK_UNAVAILABLE_INFORMATION;
t_info->ulSessionCount = CK_UNAVAILABLE_INFORMATION;
t_info->ulMaxRwSessionCount = CK_UNAVAILABLE_INFORMATION;
t_info->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION;
t_info->ulMaxPinLen = 8;
t_info->ulMinPinLen = 6;
t_info->ulTotalPublicMemory = CK_UNAVAILABLE_INFORMATION;
t_info->ulFreePublicMemory = CK_UNAVAILABLE_INFORMATION;
t_info->ulTotalPrivateMemory = CK_UNAVAILABLE_INFORMATION;
t_info->ulFreePrivateMemory = CK_UNAVAILABLE_INFORMATION;
memset(&t_info->hardwareVersion, 0, sizeof(t_info->hardwareVersion));
// Ignore hardware version, report firmware version
if (token.get_token_version(state, &t_info->firmwareVersion) != CKR_OK) {
ykpiv_disconnect(state);
return CKR_FUNCTION_FAILED;
}
memset(t_info->utcTime, ' ', sizeof(t_info->utcTime)); // No clock present, clear
slot->token->objects = NULL;
slot->token->n_objects = 0;
ykpiv_disconnect(state);
return CKR_OK;
}
void destroy_token(ykcs11_slot_t *slot) {
free(slot->token);
slot->token = NULL;
}
CK_BBOOL is_valid_key_id(CK_BYTE id) {
// Valid ids are [0, 23] aka [0x00, 0x17]
if (id > 23)
return CK_FALSE;
return CK_TRUE;
}
void strip_DER_encoding_from_ECSIG(CK_BYTE_PTR data, CK_ULONG_PTR len) {
CK_BYTE_PTR data_ptr;
CK_ULONG sig_halflen;
CK_BYTE buf[128];
CK_BYTE_PTR buf_ptr;
CK_BYTE elem_len;
// Maximum DER length for P256 is 2 + 2 + 33 + 2 + 33 = 72
if (*len <= 72)
sig_halflen = 32;
else
sig_halflen = 48;
memset(buf, 0, sizeof(buf));
data_ptr = data + 3;
buf_ptr = buf;
// copy r
elem_len = *data_ptr;
if (elem_len == (sig_halflen - 1))
buf_ptr++; // One shorter, prepend a zero
else if (elem_len == (sig_halflen + 1)) {
data_ptr++; // One longer, skip a zero
elem_len--;
}
data_ptr++;
memcpy(buf_ptr, data_ptr, elem_len);
data_ptr += elem_len;
buf_ptr += elem_len;
data_ptr++;
// copy s
elem_len = *data_ptr;
if (elem_len == (sig_halflen - 1))
buf_ptr++; // One shorter, prepend a zero
else if (elem_len == (sig_halflen + 1)) {
data_ptr++; // One longer, skip a zero
elem_len --;
}
data_ptr++;
memcpy(buf_ptr, data_ptr, elem_len);
*len = sig_halflen * 2;
memcpy(data, buf, *len);
}
-46
View File
@@ -1,46 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef UTILS_H
#define UTILS_H
#include "ykcs11.h"
CK_BBOOL has_token(const ykcs11_slot_t *slot);
CK_RV parse_readers(ykpiv_state *state,const CK_BYTE_PTR readers, const CK_ULONG len,
ykcs11_slot_t *slots, CK_ULONG_PTR n_slots, CK_ULONG_PTR n_with_token);
CK_RV create_token(ykpiv_state *state, CK_BYTE_PTR p, ykcs11_slot_t *slot);
void destroy_token(ykcs11_slot_t *slot);
CK_BBOOL is_valid_key_id(CK_BYTE id);
void strip_DER_encoding_from_ECSIG(CK_BYTE_PTR data, CK_ULONG_PTR len);
#endif
-40
View File
@@ -1,40 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef VENDOR_IDS_H
#define VENDOR_IDS_H
typedef enum {
UNKNOWN = 0x00,
YUBICO = 0x01
} vendor_id_t;
#endif
-40
View File
@@ -1,40 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include "vendors.h"
#include <string.h>
vendor_id_t get_vendor_id(char *vendor_name) {
if (strstr(vendor_name, "Yubico") != NULL)
return YUBICO;
return UNKNOWN;
}
-40
View File
@@ -1,40 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef VENDORS_H
#define VENDORS_H
#include "vendor_ids.h"
#include "slot_vendors.h"
#include "token_vendors.h"
vendor_id_t get_vendor_id(char *vendor_name);
#endif
-89
View File
@@ -1,89 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef YKCS11_VERSION_H
#define YKCS11_VERSION_H
#ifdef __cplusplus
extern "C"
{
#endif
/**
* YKCS11_VERSION_STRING
*
* Pre-processor symbol with a string that describe the header file
* version number. Used together with ykneomgr_check_version() to verify
* header file and run-time library consistency.
*/
#define YKCS11_VERSION_STRING "@VERSION@"
/**
* YKCS11_VERSION_NUMBER
*
* Pre-processor symbol with a hexadecimal value describing the header
* file version number. For example, when the header version is 1.2.3
* this symbol will have the value 0x01020300. The last two digits
* are only used between public releases, and will otherwise be 00.
*/
#define YKCS11_VERSION_NUMBER @YKCS11_VERSION_NUMBER@
/**
* YKCS11_VERSION_MAJOR
*
* Pre-processor symbol with a decimal value that describe the major
* level of the header file version number. For example, when the
* header version is 1.2.3 this symbol will be 1.
*/
#define YKCS11_VERSION_MAJOR @YKCS11_VERSION_MAJOR@
/**
* YKCS11_VERSION_MINOR
*
* Pre-processor symbol with a decimal value that describe the minor
* level of the header file version number. For example, when the
* header version is 1.2.3 this symbol will be 2.
*/
#define YKCS11_VERSION_MINOR @YKCS11_VERSION_MINOR@
/**
* YKCS11_VERSION_PATCH
*
* Pre-processor symbol with a decimal value that describe the patch
* level of the header file version number. For example, when the
* header version is 1.2.3 this symbol will be 3.
*/
#define YKCS11_VERSION_PATCH @YKCS11_VERSION_PATCH@
#ifdef __cplusplus
}
#endif
#endif
-2509
View File
File diff suppressed because it is too large Load Diff
-107
View File
@@ -1,107 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef YKCS11_H
#define YKCS11_H
#include "pkcs11y.h"
#include "obj_types.h"
#include "openssl_types.h"
#include "vendors.h"
#define YKCS11_OP_BUFSIZE 4096
typedef struct {
vendor_id_t vid;
CK_TOKEN_INFO info;
piv_obj_id_t *objects; // List of objects in the token
CK_ULONG n_objects; // TOTAL number of objects in the token
CK_ULONG n_certs; // Number of certificate objects in the token (portion of n_objects)
} ykcs11_token_t;
typedef struct {
vendor_id_t vid;
CK_SLOT_INFO info;
ykcs11_token_t *token;
} ykcs11_slot_t;
typedef struct {
CK_SESSION_HANDLE handle;
CK_SESSION_INFO info; /* slotid, state, flags, deviceerror */
ykcs11_slot_t *slot;
} ykcs11_session_t;
typedef enum {
YKCS11_NOOP,
YKCS11_GEN,
YKCS11_SIGN,
YKCS11_HASH,
YKCS11_DECRYPT
} ykcs11_op_type_t;
typedef struct {
CK_BBOOL rsa; // RSA or EC key
CK_BYTE key_id; // Key id
CK_ULONG key_len; // Length in bits
CK_ULONG vendor_defined; // Additional parameters (touch and PIN policy)
} gen_info_t;
typedef struct {
ykcs11_md_ctx_t *md_ctx; // Digest context
ykcs11_rsa_key_t *key; // Raw public key (needed for PSS)
CK_BYTE algo; // Algo for ykpiv // TODO: infer this from the key length?
CK_ULONG key_id; // Key id for ykpiv // TODO: make this a BYTE and store the id {0, 1, 2, 3}
CK_ULONG key_len; // Length in bits
} sign_info_t;
typedef struct {
CK_BYTE todo;
} hash_info_t;
typedef struct {
CK_BYTE todo;
} decrypt_info_t;
typedef union {
gen_info_t gen;
sign_info_t sign;
hash_info_t hash;
decrypt_info_t decrypt;
} op_t;
typedef struct {
ykcs11_op_type_t type;
CK_MECHANISM mechanism;
op_t op;
CK_BYTE buf[YKCS11_OP_BUFSIZE];
CK_ULONG buf_len;
} op_info_t;
#endif
-36
View File
@@ -1,36 +0,0 @@
# Copyright (c) 2015-2016 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
YKCS11_0.1.0
{
global:
C_Initialize;
C_GetFunctionList;
# TODO: add more here
local:
*;
};
-37
View File
@@ -1,37 +0,0 @@
# Copyright (c) 2015-2016 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@
Name: @PACKAGE@
Description: Yubico PIV PKCS#11 Module
URL: https://www.yubico.com/
Version: @VERSION@
Libs: -L${libdir} -lykcs11
-63
View File
@@ -1,63 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include "yubico_slot.h"
#include "pkcs11.h"
#include <string.h>
static const CK_UTF8CHAR_PTR slot_manufacturer = (const CK_UTF8CHAR_PTR)"Yubico";
static const CK_FLAGS slot_flags = CKF_TOKEN_PRESENT | CKF_HW_SLOT;
static const CK_VERSION slot_version = {1, 0};
CK_RV YUBICO_get_slot_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len) {
if (strlen((const char*)slot_manufacturer) > len)
return CKR_BUFFER_TOO_SMALL;
memcpy(str, slot_manufacturer, strlen((const char*)slot_manufacturer));
return CKR_OK;
}
CK_RV YUBICO_get_slot_flags(CK_FLAGS_PTR flags) {
*flags = slot_flags;
return CKR_OK;
}
CK_RV YUBICO_get_slot_version(CK_VERSION_PTR version) {
version->major = slot_version.major;
version->minor = slot_version.minor;
return CKR_OK;
}
-40
View File
@@ -1,40 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef YUBICO_SLOT_H
#define YUBICO_SLOT_H
#include "pkcs11y.h"
CK_RV YUBICO_get_slot_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len);
CK_RV YUBICO_get_slot_flags(CK_FLAGS_PTR flags);
CK_RV YUBICO_get_slot_version(CK_VERSION_PTR version);
#endif
-409
View File
@@ -1,409 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include "yubico_token.h"
#include "pkcs11.h"
#include <string.h>
#include "debug.h"
#include "objects.h"
#define MIN_RSA_KEY_SIZE 1024
#define MAX_RSA_KEY_SIZE 2048
#define MIN_ECC_KEY_SIZE 256
#define MAX_ECC_KEY_SIZE 384
static const char *token_label = "YubiKey PIV";
static const char *token_manufacturer = "Yubico";
static const char *token_model = "YubiKey XXX";
static const CK_FLAGS token_flags = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED;
static const char *token_serial = "1234";
static const CK_MECHANISM_TYPE token_mechanisms[] = { // KEEP ALIGNED WITH token_mechanism_infos
CKM_RSA_PKCS_KEY_PAIR_GEN,
CKM_RSA_PKCS,
CKM_RSA_PKCS_PSS,
CKM_RSA_X_509,
CKM_SHA1_RSA_PKCS,
CKM_SHA256_RSA_PKCS,
CKM_SHA384_RSA_PKCS,
CKM_SHA512_RSA_PKCS,
CKM_SHA1_RSA_PKCS_PSS,
CKM_SHA256_RSA_PKCS_PSS,
CKM_SHA384_RSA_PKCS_PSS,
CKM_SHA512_RSA_PKCS_PSS,
CKM_EC_KEY_PAIR_GEN,
//CKM_ECDSA_KEY_PAIR_GEN, Same as CKM_EC_KEY_PAIR_GEN, deprecated in 2.11
CKM_ECDSA,
CKM_ECDSA_SHA1,
CKM_ECDSA_SHA256,
CKM_SHA_1,
CKM_SHA256,
CKM_SHA384,
CKM_SHA512
// SUPPORT FOR OATH?
};
static const CK_ULONG token_mechanisms_num = sizeof(token_mechanisms) / sizeof(CK_MECHANISM_TYPE);
static const CK_MECHANISM_INFO token_mechanism_infos[] = { // KEEP ALIGNED WITH token_mechanisms
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_GENERATE_KEY_PAIR}, // CKM_RSA_PKCS_KEY_PAIR_GEN
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_DECRYPT | CKF_SIGN}, // CKM_RSA_PKCS
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_RSA_PKCS_PSS
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_DECRYPT | CKF_SIGN}, // CKM_RSA_X_509
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA1_RSA_PKCS
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA256_RSA_PKCS
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA384_RSA_PKCS
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA512_RSA_PKCS
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA1_RSA_PKCS_PSS
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA256_RSA_PKCS_PSS
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA384_RSA_PKCS_PSS
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA512_RSA_PKCS_PSS
{MIN_ECC_KEY_SIZE, MIN_ECC_KEY_SIZE, CKF_HW | CKF_GENERATE_KEY_PAIR}, // CKM_EC_KEY_PAIR_GEN
//{, , }, // CKM_ECDSA_KEY_PAIR_GEN Same as CKM_EC_KEY_PAIR_GEN deprecated in 2.11
{MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA
{MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA_SHA1
{MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA_SHA256
{0, 0, CKF_DIGEST}, // CKM_SHA_1
{0, 0, CKF_DIGEST}, // CKM_SHA256
{0, 0, CKF_DIGEST}, // CKM_SHA384
{0, 0, CKF_DIGEST} // CKM_SHA512
};
static const piv_obj_id_t token_objects[] = { // TODO: is there a way to get this from the token?
PIV_DATA_OBJ_X509_PIV_AUTH, // PIV authentication
PIV_DATA_OBJ_X509_CARD_AUTH, // card authentication
PIV_DATA_OBJ_X509_DS, // digital signature
PIV_DATA_OBJ_X509_KM, // key management
PIV_DATA_OBJ_X509_RETIRED1, // Retired key 1
PIV_DATA_OBJ_X509_RETIRED2, // Retired key 2
PIV_DATA_OBJ_X509_RETIRED3, // Retired key 3
PIV_DATA_OBJ_X509_RETIRED4, // Retired key 4
PIV_DATA_OBJ_X509_RETIRED5, // Retired key 5
PIV_DATA_OBJ_X509_RETIRED6, // Retired key 6
PIV_DATA_OBJ_X509_RETIRED7, // Retired key 7
PIV_DATA_OBJ_X509_RETIRED8, // Retired key 8
PIV_DATA_OBJ_X509_RETIRED9, // Retired key 9
PIV_DATA_OBJ_X509_RETIRED10, // Retired key 10
PIV_DATA_OBJ_X509_RETIRED11, // Retired key 11
PIV_DATA_OBJ_X509_RETIRED12, // Retired key 12
PIV_DATA_OBJ_X509_RETIRED13, // Retired key 13
PIV_DATA_OBJ_X509_RETIRED14, // Retired key 14
PIV_DATA_OBJ_X509_RETIRED15, // Retired key 15
PIV_DATA_OBJ_X509_RETIRED16, // Retired key 16
PIV_DATA_OBJ_X509_RETIRED17, // Retired key 17
PIV_DATA_OBJ_X509_RETIRED18, // Retired key 18
PIV_DATA_OBJ_X509_RETIRED19, // Retired key 19
PIV_DATA_OBJ_X509_RETIRED20, // Retired key 20
PIV_DATA_OBJ_CCC, // Card capability container
PIV_DATA_OBJ_CHUI, // Cardholder unique id
PIV_DATA_OBJ_CHF, // Cardholder fingerprints
PIV_DATA_OBJ_SEC_OBJ, // Security object
PIV_DATA_OBJ_CHFI, // Cardholder facial images
//PIV_DATA_OBJ_PI, // Cardholder printed information
//PIV_DATA_OBJ_DISCOVERY, // Discovery object
//PIV_DATA_OBJ_HISTORY, // History object
//PIV_DATA_OBJ_IRIS_IMAGE, // Cardholder iris images
//PIV_DATA_OBJ_BITGT, // Biometric information templates group template
//PIV_DATA_OBJ_SM_SIGNER, // Secure messaging signer
//PIV_DATA_OBJ_PC_REF_DATA, // Pairing code reference data
};
static const CK_ULONG neo_token_objects_num = sizeof(token_objects) / sizeof(piv_obj_id_t) - 20;
static const CK_ULONG yk4_token_objects_num = sizeof(token_objects) / sizeof(piv_obj_id_t);
CK_RV YUBICO_get_token_label(CK_UTF8CHAR_PTR str, CK_ULONG len) {
if (strlen(token_label) > len)
return CKR_BUFFER_TOO_SMALL;
memcpy(str, token_label, strlen(token_label));
return CKR_OK;
}
CK_RV YUBICO_get_token_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len) {
if (strlen(token_manufacturer) > len)
return CKR_BUFFER_TOO_SMALL;
memcpy(str, token_manufacturer, strlen(token_manufacturer));
return CKR_OK;
}
CK_RV YUBICO_get_token_model(ykpiv_state *state, CK_UTF8CHAR_PTR str, CK_ULONG len) {
char buf[16];
if (strlen(token_model) > len)
return CKR_BUFFER_TOO_SMALL;
if (ykpiv_get_version(state, buf, sizeof(buf)) != YKPIV_OK)
return CKR_FUNCTION_FAILED;
memcpy(str, token_model, strlen(token_model));
if (buf[0] >= '4')
memcpy(str + strlen(token_model) - 3, "YK4", 3);
else
memcpy(str + strlen(token_model) - 3, "NEO", 3);
return CKR_OK;
}
CK_RV YUBICO_get_token_flags(CK_FLAGS_PTR flags) {
*flags = token_flags;
return CKR_OK;
}
CK_RV YUBICO_get_token_version(ykpiv_state *state, CK_VERSION_PTR version) {
char buf[16];
if (version == NULL)
return CKR_ARGUMENTS_BAD;
if (ykpiv_get_version(state, buf, sizeof(buf)) != YKPIV_OK)
return CKR_FUNCTION_FAILED;
version->major = (buf[0] - '0');
version->minor = (buf[2] - '0') * 100 + (buf[4] - '0');
return CKR_OK;
}
CK_RV YUBICO_get_token_serial(CK_CHAR_PTR str, CK_ULONG len) {
if (strlen(token_serial) > len)
return CKR_BUFFER_TOO_SMALL;
memcpy(str, token_serial, strlen(token_serial));
return CKR_OK;
}
CK_RV YUBICO_get_token_mechanisms_num(CK_ULONG_PTR num) {
*num = token_mechanisms_num;
return CKR_OK;
}
CK_RV YUBICO_get_token_mechanism_list(CK_MECHANISM_TYPE_PTR mec, CK_ULONG num) {
if (token_mechanisms_num > num)
return CKR_BUFFER_TOO_SMALL;
memcpy(mec, token_mechanisms, token_mechanisms_num * sizeof(CK_MECHANISM_TYPE));
return CKR_OK;
}
CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_PTR info) {
CK_ULONG i;
for (i = 0; i < token_mechanisms_num; i++)
if (token_mechanisms[i] == mec) {
memcpy((CK_BYTE_PTR) info, (CK_BYTE_PTR) (token_mechanism_infos + i), sizeof(CK_MECHANISM_INFO));
return CKR_OK;
}
return CKR_MECHANISM_INVALID;
}
static CK_RV get_objects(ykpiv_state *state, CK_BBOOL num_only,
piv_obj_id_t *obj, CK_ULONG_PTR len, CK_ULONG_PTR num_certs) {
CK_BYTE buf[2048];
CK_ULONG buf_len;
CK_BYTE major;
CK_ULONG i;
piv_obj_id_t certs[24];
piv_obj_id_t pvtkeys[24];
piv_obj_id_t pubkeys[24];
CK_ULONG n_cert = 0;
CK_ULONG token_objects_num = neo_token_objects_num;
if (state == NULL || len == NULL_PTR)
return CKR_ARGUMENTS_BAD;
if (num_only == CK_FALSE && obj == NULL)
return CKR_ARGUMENTS_BAD;
if (ykpiv_get_version(state, (char *) buf, sizeof(buf)) != YKPIV_OK)
return CKR_FUNCTION_FAILED;
major = buf[0] - '0';
buf_len = sizeof(buf);
if (ykpiv_fetch_object(state, YKPIV_OBJ_AUTHENTICATION, buf, &buf_len) == YKPIV_OK) {
certs[n_cert] = PIV_CERT_OBJ_X509_PIV_AUTH;
pvtkeys[n_cert] = PIV_PVTK_OBJ_PIV_AUTH;
pubkeys[n_cert] = PIV_PUBK_OBJ_PIV_AUTH;
n_cert++;
DBG("Found AUTH cert (9a)");
}
buf_len = sizeof(buf);
if (ykpiv_fetch_object(state, YKPIV_OBJ_CARD_AUTH, buf, &buf_len) == YKPIV_OK) {
certs[n_cert] = PIV_CERT_OBJ_X509_CARD_AUTH;
pvtkeys[n_cert] = PIV_PVTK_OBJ_CARD_AUTH;
pubkeys[n_cert] = PIV_PUBK_OBJ_CARD_AUTH;
n_cert++;
DBG("Found CARD AUTH cert (9e)");
}
buf_len = sizeof(buf);
if (ykpiv_fetch_object(state, YKPIV_OBJ_SIGNATURE, buf, &buf_len) == YKPIV_OK) {
certs[n_cert] = PIV_CERT_OBJ_X509_DS;
pvtkeys[n_cert] = PIV_PVTK_OBJ_DS;
pubkeys[n_cert] = PIV_PUBK_OBJ_DS;
n_cert++;
DBG("Found SIGNATURE cert (9c)");
}
buf_len = sizeof(buf);
if (ykpiv_fetch_object(state, YKPIV_OBJ_KEY_MANAGEMENT, buf, &buf_len) == YKPIV_OK) {
certs[n_cert] = PIV_CERT_OBJ_X509_KM;
pvtkeys[n_cert] = PIV_PVTK_OBJ_KM;
pubkeys[n_cert] = PIV_PUBK_OBJ_KM;
n_cert++;
DBG("Found KMK cert (9d)");
}
if (major >= 4) {
for (i = 0; i < 20; i++) {
buf_len = sizeof(buf);
if (ykpiv_fetch_object(state, YKPIV_OBJ_RETIRED1 + i, buf, &buf_len) == YKPIV_OK) {
certs[n_cert] = PIV_CERT_OBJ_X509_RETIRED1 + i;
pvtkeys[n_cert] = PIV_PVTK_OBJ_RETIRED1 + i;
pubkeys[n_cert] = PIV_PUBK_OBJ_RETIRED1 + i;
n_cert++;
DBG("Found RETIRED cert (%lx)", 0x82 + i);
}
}
token_objects_num = yk4_token_objects_num;
}
DBG("The total number of objects for this token is %lu", (n_cert * 3) + token_objects_num);
if (num_only == CK_TRUE) {
// We just want the number of objects
// Each cert object counts for 3: cert, pub key, pvt key
*len = (n_cert * 3) + token_objects_num;
if (num_certs != NULL)
*num_certs = n_cert;
return CKR_OK;
}
if (*len < (n_cert * 3) + token_objects_num)
return CKR_BUFFER_TOO_SMALL;
// Copy data objects
if (major >= 4) {
// YK4: just copy all the objects
memcpy(obj, token_objects, token_objects_num * sizeof(piv_obj_id_t));
}
else {
// NEO: remove retired keys
memcpy(obj, token_objects, 4 * sizeof(piv_obj_id_t));
memcpy(obj + 4, token_objects + 24, (neo_token_objects_num - 4) * sizeof(piv_obj_id_t));
}
// Copy certificates
if (n_cert > 0) {
memcpy(obj + token_objects_num, certs, n_cert * sizeof(piv_obj_id_t));
memcpy(obj + token_objects_num + n_cert, pvtkeys, n_cert * sizeof(piv_obj_id_t));
memcpy(obj + token_objects_num + (2 * n_cert), pubkeys, n_cert * sizeof(piv_obj_id_t));
}
return CKR_OK;
}
CK_RV YUBICO_get_token_objects_num(ykpiv_state *state, CK_ULONG_PTR num, CK_ULONG_PTR num_certs) {
return get_objects(state, CK_TRUE, NULL, num, num_certs);
}
CK_RV YUBICO_get_token_object_list(ykpiv_state *state, piv_obj_id_t *obj, CK_ULONG num) {
return get_objects(state, CK_FALSE, obj, &num, NULL);
}
CK_RV YUBICO_get_token_raw_certificate(ykpiv_state *state, piv_obj_id_t obj, CK_BYTE_PTR data, CK_ULONG_PTR len) {
if (ykpiv_fetch_object(state, piv_2_ykpiv(obj), data, len) != YKPIV_OK)
return CKR_FUNCTION_FAILED;
return CKR_OK;
}
CK_RV YUBICO_token_change_pin(ykpiv_state *state, CK_USER_TYPE user_type, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewLen) {
int tries;
ykpiv_rc res;
switch(user_type){
case CKU_SO:{
unsigned char new_key[24];
size_t new_key_len = sizeof(new_key);
if(ykpiv_hex_decode((const char*)pNewPin, ulNewLen, new_key, &new_key_len) != YKPIV_OK) {
DBG("Failed to decode new pin")
return CKR_ARGUMENTS_BAD;
}
res = ykpiv_set_mgmkey(state, new_key);
break;
}
case CKU_USER:
if(ulOldLen >= 4 && strncmp((const char*)pOldPin, "puk:", 4) == 0){
DBG("Changing PUK pin")
res = ykpiv_change_puk(state, (const char*)pOldPin + 4, ulOldLen - 4, (const char*)pNewPin, ulNewLen, &tries);
}else{
DBG("Changing USER pin")
res = ykpiv_change_pin(state, (const char*)pOldPin, ulOldLen, (const char*)pNewPin, ulNewLen, &tries);
}
break;
default:
DBG("TODO implement other context specific pin change");
return CKR_FUNCTION_FAILED;
}
switch (res) {
case YKPIV_OK:
return CKR_OK;
case YKPIV_SIZE_ERROR:
return CKR_PIN_LEN_RANGE;
case YKPIV_WRONG_PIN:
return CKR_PIN_INCORRECT;
case YKPIV_PIN_LOCKED:
return CKR_PIN_LOCKED;
default:
return CKR_FUNCTION_FAILED;
}
}
-53
View File
@@ -1,53 +0,0 @@
/*
* Copyright (c) 2015-2016 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef YUBICO_TOKEN_H
#define YUBICO_TOKEN_H
#include "pkcs11.h"
#include "obj_types.h"
#include <ykpiv.h>
CK_RV YUBICO_get_token_label(CK_UTF8CHAR_PTR str, CK_ULONG len);
CK_RV YUBICO_get_token_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len);
CK_RV YUBICO_get_token_model(ykpiv_state *state, CK_UTF8CHAR_PTR str, CK_ULONG len);
CK_RV YUBICO_get_token_flags(CK_FLAGS_PTR flags);
CK_RV YUBICO_get_token_serial(CK_CHAR_PTR str, CK_ULONG len);
CK_RV YUBICO_get_token_version(ykpiv_state *state, CK_VERSION_PTR version);
CK_RV YUBICO_get_token_mechanisms_num(CK_ULONG_PTR num);
CK_RV YUBICO_get_token_mechanism_list(CK_MECHANISM_TYPE_PTR mec, CK_ULONG num);
CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_PTR info);
CK_RV YUBICO_get_token_objects_num(ykpiv_state *state, CK_ULONG_PTR num, CK_ULONG_PTR num_certs);
CK_RV YUBICO_get_token_object_list(ykpiv_state *state, piv_obj_id_t *obj, CK_ULONG num);
CK_RV YUBICO_get_token_raw_certificate(ykpiv_state *state, piv_obj_id_t obj, CK_BYTE_PTR data, CK_ULONG_PTR len);
CK_RV YUBICO_token_change_pin(ykpiv_state *state, CK_USER_TYPE user_type, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldLen,
CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewLen);
#endif