oxidize: Prep directory structure for Rust translation
- Keeps: `lib`, `tool`
- Deletes everything else except for `COPYING` (i.e. the license)
- Replaces `.gitignore` with a more standard Rust one
+2
-124
@@ -1,124 +1,2 @@
|
||||
.deps/
|
||||
.vagrant/
|
||||
Makefile
|
||||
Makefile.in
|
||||
aclocal.m4
|
||||
autom4te.cache/
|
||||
config.log
|
||||
config.status
|
||||
configure
|
||||
doxygen-doc/
|
||||
libtool
|
||||
m4/libtool.m4
|
||||
m4/ltoptions.m4
|
||||
m4/ltsugar.m4
|
||||
m4/ltversion.m4
|
||||
m4/lt~obsolete.m4
|
||||
*.c~
|
||||
*.h~
|
||||
*.plist
|
||||
.libs
|
||||
ChangeLog
|
||||
build-aux/ar-lib
|
||||
build-aux/compile
|
||||
build-aux/config.guess
|
||||
build-aux/config.sub
|
||||
build-aux/depcomp
|
||||
build-aux/install-sh
|
||||
build-aux/ltmain.sh
|
||||
build-aux/missing
|
||||
build-aux/test-driver
|
||||
GPATH
|
||||
GRTAGS
|
||||
GTAGS
|
||||
tmp32/
|
||||
tmp64/
|
||||
yubico-piv-tool-*-win32.zip
|
||||
yubico-piv-tool-*-win32.zip.sig
|
||||
yubico-piv-tool-*-win64.zip
|
||||
yubico-piv-tool-*-win64.zip.sig
|
||||
yubico-piv-tool-*.tar.gz
|
||||
yubico-piv-tool-*.tar.gz.sig
|
||||
yubico-piv-tool-*-mac.zip
|
||||
yubico-piv-tool-*-mac.zip.sig
|
||||
lib/tests/api
|
||||
lib/tests/api.log
|
||||
lib/tests/api.o
|
||||
lib/tests/api.trs
|
||||
lib/tests/basic
|
||||
lib/tests/basic.log
|
||||
lib/tests/basic.o
|
||||
lib/tests/basic.trs
|
||||
lib/tests/parse_key
|
||||
lib/tests/parse_key.log
|
||||
lib/tests/parse_key.o
|
||||
lib/tests/parse_key.trs
|
||||
lib/tests/test-suite.log
|
||||
lib/error.lo
|
||||
lib/error.o
|
||||
lib/internal.la
|
||||
lib/internal.lo
|
||||
lib/internal.o
|
||||
lib/libykpiv.la
|
||||
lib/util.la
|
||||
lib/util.lo
|
||||
lib/util.o
|
||||
lib/version.lo
|
||||
lib/version.o
|
||||
lib/ykpiv-version.h
|
||||
lib/ykpiv.lo
|
||||
lib/ykpiv.o
|
||||
lib/ykpiv.pc
|
||||
lib/.libs/
|
||||
tool/cmdline.c
|
||||
tool/cmdline.h
|
||||
tool/cmdline.o
|
||||
tool/yubico-piv-tool
|
||||
tool/yubico-piv-tool.1
|
||||
tool/yubico-piv-tool.exe
|
||||
tool/yubico-piv-tool.o
|
||||
tool/.libs/
|
||||
tool/libpiv_cmd.la
|
||||
tool/libpiv_cmd_la-cmdline.lo
|
||||
tool/libpiv_cmd_la-cmdline.o
|
||||
tool/libpiv_util.la
|
||||
tool/openssl-compat.lo
|
||||
tool/openssl-compat.o
|
||||
tool/util.lo
|
||||
tool/util.o
|
||||
tool/tests/cert_9a.pem
|
||||
tool/tests/cert_9e.pem
|
||||
tool/tests/basic.sh.log
|
||||
tool/tests/basic.sh.trs
|
||||
tool/tests/key_9a.pub
|
||||
tool/tests/parse_name
|
||||
tool/tests/parse_name.log
|
||||
tool/tests/parse_name.o
|
||||
tool/tests/parse_name.trs
|
||||
tool/tests/req_9e.pem
|
||||
tool/tests/test_inout
|
||||
tool/tests/test_inout.log
|
||||
tool/tests/test_inout.o
|
||||
tool/tests/test_inout.trs
|
||||
tool/tests/test-suite.log
|
||||
coverage/
|
||||
lib/error.gcno
|
||||
lib/version.gcno
|
||||
lib/ykpiv.gcno
|
||||
tool/util.gcno
|
||||
tool/yubico-piv-tool.gcda
|
||||
tool/yubico-piv-tool.gcno
|
||||
ykcs11/.libs/
|
||||
ykcs11/*.o
|
||||
ykcs11/*.lo
|
||||
ykcs11/ykcs11.pc
|
||||
ykcs11/libykcs11.la
|
||||
ykcs11/ykcs11-version.h
|
||||
ykcs11/tests/reset.sh.log
|
||||
ykcs11/tests/reset.sh.trs
|
||||
ykcs11/tests/test-suite.log
|
||||
ykcs11/tests/ykcs11_tests
|
||||
ykcs11/tests/ykcs11_tests.log
|
||||
ykcs11/tests/ykcs11_tests.o
|
||||
ykcs11/tests/ykcs11_tests.trs
|
||||
yubico-piv-tool.1.txt
|
||||
/target
|
||||
**/*.rs.bk
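Review bot: The two-entry replacement (`/target`, `**/*.rs.bk`) drops every ignore pattern for `lib/` and `tool/`, the two directories the commit message says are kept. If the C sources there are still compiled during the translation, object files, libtool outputs and test-generated files such as `tool/tests/cert_9a.pem` and `tool/tests/key_9a.pub` would show up as untracked, and a broad `git add` could commit them. Consider carrying over the `lib/` and `tool/` entries (or at least `*.o`, `*.lo`, `*.la`, `.libs/`) until those sources are removed. Whether the remaining tree can still be built is not visible here, because the top-level build files are deleted in the same commit.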
|
||||
|
||||
-25
@@ -1,25 +0,0 @@
|
||||
language: c
|
||||
os:
|
||||
- osx
|
||||
- linux
|
||||
compiler:
|
||||
- gcc
|
||||
- clang
|
||||
env:
|
||||
- EXTRA=libpcsclite-dev
|
||||
script:
|
||||
- ./build-and-test.sh
|
||||
matrix:
|
||||
include:
|
||||
- compiler: gcc
|
||||
os: linux
|
||||
env: EXTRA="wine mingw-w64 mingw-w64-i686-dev" REMOVE=mingw32 ARCH=32
|
||||
- compiler: gcc
|
||||
os: linux
|
||||
env: EXTRA="wine mingw-w64 mingw-w64-x86-64-dev" REMOVE=mingw32 ARCH=64
|
||||
- compiler: gcc
|
||||
os: linux
|
||||
env: COVERAGE="--enable-coverage" EXTRA="libpcsclite-dev lcov"
|
||||
- compiler: gcc
|
||||
os: linux
|
||||
env: BUILD_OPENSSL_VERSION="1.1" EXTRA="libpcsclite-dev"
|
||||
-102
@@ -1,102 +0,0 @@
|
||||
# Copyright (c) 2014-2016 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
SUBDIRS = lib tool ykcs11
|
||||
|
||||
ACLOCAL_AMFLAGS = -I m4
|
||||
|
||||
EXTRA_DIST = windows.mk mac.mk tool/tests/basic.sh tools/fasc.pl ykcs11/tests/reset.sh
|
||||
|
||||
EXTRA_DIST += doc/Attestation.adoc doc/YKCS11_release_notes.adoc doc/YubiKey_PIV_introduction.adoc
|
||||
|
||||
if ENABLE_COV
|
||||
cov-reset:
|
||||
rm -fr coverage
|
||||
find . -name "*.gcda" -exec rm {} \;
|
||||
lcov --directory . --zerocounters
|
||||
|
||||
cov-report:
|
||||
mkdir -p coverage
|
||||
lcov --compat-libtool --directory . --capture --output-file coverage/app.info
|
||||
lcov --extract coverage/app.info '*.c' --output-file coverage/app2.info
|
||||
genhtml -o coverage/ coverage/app2.info
|
||||
|
||||
cov:
|
||||
make cov-report
|
||||
|
||||
clean-local:
|
||||
make cov-reset
|
||||
|
||||
check:
|
||||
make cov
|
||||
endif
|
||||
|
||||
if ENABLE_CPPCHECK
|
||||
cppcheck:
|
||||
$(CPPCHECK) -q -v -f --enable=all -i tool/cmdline.c lib tool ykcs11
|
||||
endif
|
||||
|
||||
# Maintainer rules.
|
||||
|
||||
if DX_COND_html
|
||||
doxygen:
|
||||
doxygen lib/Doxyfile
|
||||
endif
|
||||
|
||||
hwcheck:
|
||||
@$(srcdir)/tools/confirm.sh && YKPIV_ENV_HWTESTS_CONFIRMED="1" $(MAKE) check
|
||||
|
||||
check-doc-dist:
|
||||
perl -pe "s,^EXTRA_DIST \+= .*,EXTRA_DIST += `cd $(srcdir) && ls doc/*.adoc | xargs echo`," < $(srcdir)/Makefile.am > check-doc-dist.tmp
|
||||
diff -ur $(srcdir)/Makefile.am check-doc-dist.tmp || \
|
||||
(rm -f check-doc-dist.tmp; echo 'error: please update $(srcdir)/Makefile.am to include all docs'; exit 1)
|
||||
rm -f check-doc-dist.tmp
|
||||
|
||||
ChangeLog:
|
||||
cd $(srcdir) && git2cl > ChangeLog
|
||||
|
||||
release:
|
||||
@if test -z "$(KEYID)"; then \
|
||||
echo "Try this instead:"; \
|
||||
echo " make release KEYID=[PGPKEYID]"; \
|
||||
echo "For example:"; \
|
||||
echo " make release KEYID=2117364A"; \
|
||||
exit 1; \
|
||||
fi
|
||||
head -3 $(srcdir)/NEWS | \
|
||||
grep -q "Version $(VERSION) .released `date -I`" || \
|
||||
(echo 'error: Update date/version in $(srcdir)/NEWS.'; exit 1)
|
||||
rm -f $(srcdir)/ChangeLog
|
||||
make check-doc-dist ChangeLog distcheck
|
||||
gpg --detach-sign --default-key $(KEYID) $(PACKAGE)-$(VERSION).tar.gz
|
||||
gpg --verify $(PACKAGE)-$(VERSION).tar.gz.sig
|
||||
git tag -sm "$(PACKAGE)-$(VERSION)" $(PACKAGE)-$(VERSION)
|
||||
git push
|
||||
git push --tags
|
||||
$(HELP2ADOC) -e tool/yubico-piv-tool -n "Yubico PIV Tool" -i tool/yubico-piv-tool.h2m > yubico-piv-tool.1.txt
|
||||
$(YUBICO_GITHUB_REPO)/save-mans $(PACKAGE) yubico-piv-tool.1.txt
|
||||
$(YUBICO_GITHUB_REPO)/publish $(PACKAGE) $(VERSION) $(PACKAGE)-$(VERSION).tar.gz*
|
||||
@@ -1,298 +0,0 @@
|
||||
yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*-
|
||||
|
||||
* Version 1.7.1 (unreleased)
|
||||
|
||||
* Version 1.7.0 (released 2019-04-03)
|
||||
|
||||
** Add ykpiv_get_serial() to API.
|
||||
|
||||
** Add version and serial to status output.
|
||||
|
||||
** FASC-N fixes for CHUID.
|
||||
|
||||
** ykcs11: Fix ECDSA signatures.
|
||||
|
||||
** Make selfsigned X.509 extensions have correct extensions to match openssl.
|
||||
|
||||
** Security fixes.
|
||||
|
||||
** Documentation fixes.
|
||||
|
||||
** Try to clear memory that might contain secrets.
|
||||
|
||||
* Version 1.6.2 (released 2018-09-14)
|
||||
|
||||
** Compare reader names case insensitive.
|
||||
|
||||
** Fix certificate and certificate request signatures with OpenSSL 1.1.
|
||||
|
||||
* Version 1.6.1 (released 2018-08-17)
|
||||
|
||||
** Compilation warning fixes for OpenSSL 1.1 builds.
|
||||
|
||||
** Fix length when encoding exactly 0xff bytes.
|
||||
|
||||
** Check length of objects correctly before storing in buffer.
|
||||
|
||||
** Check length of certificate correctly when storing.
|
||||
|
||||
* Version 1.6.0 (released 2018-08-08)
|
||||
|
||||
** Security release to mitigate https://www.yubico.com/support/security-advisories/ysa-2018-03/[YSA-2018-03].
|
||||
|
||||
** Allow builiding against LibreSSL.
|
||||
|
||||
** Bugfixes in OpenSSL 1.1 code.
|
||||
|
||||
** Fix compilation warnings.
|
||||
|
||||
** Fix ykcs11 key generation to work with OpenSSL 1.1.
|
||||
|
||||
** Ykcs11 compatibility fixes.
|
||||
|
||||
* Version 1.5.0 (released 2017-11-29)
|
||||
|
||||
** API additions: Higher-level "util" API added to libykpiv.
|
||||
|
||||
** Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()
|
||||
|
||||
** Added functions for using existing PCSC card handle.
|
||||
|
||||
** Support using custom memory allocator.
|
||||
|
||||
** Documentation updates. 'make doxygen' for HTML format.
|
||||
|
||||
** Expanded automated tests for hardware devices, moved to 'make hwcheck'.
|
||||
|
||||
** OpenSSL 1.1 support
|
||||
|
||||
** Moderate internal refactoring. Many small bugs fixed.
|
||||
|
||||
* Version 1.4.4 (released 2017-10-17)
|
||||
|
||||
** Documentation updates.
|
||||
|
||||
** Add pin caching to work around disconnect problems.
|
||||
|
||||
** Disable RSA key generation on YubiKey 4 before 4.3.5.
|
||||
See https://yubi.co/ysa201701/ for details.
|
||||
|
||||
* Version 1.4.3 (released 2017-04-18)
|
||||
|
||||
** Encode RSA x509 certificates correctly.
|
||||
|
||||
** Documentation updates.
|
||||
|
||||
** In ykcs11 return CKA_MODULUS correctly for private keys.
|
||||
|
||||
** In ykcs11 fix for signature size approximation.
|
||||
|
||||
** Fix PSS signatures in ykcs11.
|
||||
|
||||
** Add a CLI flag --stdin-input to make batch execution easier.
|
||||
|
||||
* Version 1.4.2 (released 2016-08-12)
|
||||
|
||||
** Clarify license headers and clean up YKCS11 licensing.
|
||||
Now uses pkcs11.h from the Scute project.
|
||||
|
||||
** Don't install ykcs11-version.h.
|
||||
|
||||
** No cflags in ykcs11.pc.
|
||||
|
||||
** Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.
|
||||
|
||||
* Version 1.4.1 (released 2016-08-11)
|
||||
|
||||
** Documentation updates
|
||||
|
||||
** Add possibility to export certificates in SSH format.
|
||||
|
||||
** Make certificate serial number random by default.
|
||||
|
||||
* Version 1.4.0 (released 2016-05-03)
|
||||
|
||||
** Add attest action
|
||||
When used on a slot with a generated key, outputs a signed x509 certificate for
|
||||
that slot showing that the key was generated in hardware. Available in firmware
|
||||
4.3.0 and newer.
|
||||
|
||||
** Add cached parameter for touch-policy
|
||||
With cached, the touch is valid for an additional 15s. Available in firmware
|
||||
4.3.0 and newer.
|
||||
|
||||
** Enforce a minimum PIN length of 6 characters.
|
||||
|
||||
** Fix a bug with list-readers action where it fell through processing into
|
||||
write-object.
|
||||
|
||||
* Version 1.3.1 (released 2016-04-19)
|
||||
|
||||
** Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.
|
||||
|
||||
** Clarifications with help texts.
|
||||
|
||||
* Version 1.3.0 (released 2016-02-19)
|
||||
|
||||
** Fixed extraction of RSA modulus and exponent for pkcs11.
|
||||
|
||||
** Implemented C_SetPIN for pkcs11.
|
||||
|
||||
** Add generic write and read object actions for the tool.
|
||||
Supports hex/binary/base64 formats
|
||||
|
||||
** Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()
|
||||
|
||||
** Print CCC with status action.
|
||||
|
||||
** Address bugs with pkcs11 on windows.
|
||||
|
||||
** Add --valid-days and --serial to tool for selfsign-certificate action.
|
||||
|
||||
** Ask for password for pkcs12 if none is given.
|
||||
|
||||
* Version 1.2.2 (released 2015-12-08)
|
||||
|
||||
** Fix old buffer overflow in change-pin functionality.
|
||||
|
||||
* Version 1.2.1 (released 2015-12-08)
|
||||
|
||||
** Fix issue with big certificates and status.
|
||||
|
||||
* Version 1.2.0 (released 2015-12-07)
|
||||
|
||||
** On OSX use @loader_path instead of @executable_path for ykcs11.
|
||||
|
||||
** Add ykpiv_import_private_key to libykpiv.
|
||||
|
||||
** Raise buffer sizes to support bigger objects.
|
||||
|
||||
** Change behavior of action status, only list populated slots.
|
||||
|
||||
** Add retired keys to ykcs11.
|
||||
|
||||
** In ykcs11 support login with non null terminated pin.
|
||||
|
||||
** Add a new action set-ccc to yubico-piv-tool to set the CCC.
|
||||
|
||||
* Version 1.1.2 (released 2015-11-13)
|
||||
|
||||
** Properly handle DER encoding in ECDSA signatures.
|
||||
|
||||
* Version 1.1.1 (released 2015-11-11)
|
||||
|
||||
** Make sure SCardContext is properly acquired and released.
|
||||
|
||||
* Version 1.1.0 (released 2015-11-06)
|
||||
|
||||
** Add support for new YubiKey 4.
|
||||
|
||||
** Add ykcs11.
|
||||
|
||||
* Version 1.0.3 (released 2015-10-01)
|
||||
|
||||
** Correct wording on unblock-pin action.
|
||||
|
||||
** Show pin retries correctly.
|
||||
|
||||
** Use a bigger buffer for receiving data.
|
||||
|
||||
* Version 1.0.2 (released 2015-09-04)
|
||||
|
||||
** Query for different passwords/pins on stdin if they're not supplied.
|
||||
|
||||
** If a reader fails continue trying matching readers.
|
||||
|
||||
** Authentication failed is supposed to be 0x63cX not 0x630X.
|
||||
|
||||
* Version 1.0.1 (released 2015-07-10)
|
||||
|
||||
** Project relicensed to 2-clause BSD license
|
||||
|
||||
** Minor fixes found with clang scan-build
|
||||
|
||||
* Version 1.0.0 (released 2015-06-23)
|
||||
|
||||
** Add a test-decipher action.
|
||||
|
||||
** Check that e is 0x10001 on importing rsa keys
|
||||
|
||||
** Use PCSC transactions when sending and receiving data
|
||||
|
||||
* Version 0.1.6 (released 2015-03-23)
|
||||
|
||||
** Add a read-certificate action to the tool.
|
||||
|
||||
** Add a status action to the tool.
|
||||
|
||||
** Fix a library bug so NULL can be passed to ykpiv_verify()
|
||||
|
||||
** Add a test-signature action to the tool.
|
||||
|
||||
* Version 0.1.5 (released 2015-02-04)
|
||||
|
||||
** Revert the check for parity and just set parity before the weak check.
|
||||
|
||||
* Version 0.1.4 (released 2015-02-02)
|
||||
|
||||
** Prompt for input if input is stdin.
|
||||
|
||||
** Mark all bits of the signature as used is certs and requests.
|
||||
|
||||
** Correct error for unblock-pin.
|
||||
|
||||
** Fix hex decode to decode capital letters and return error.
|
||||
|
||||
** Check parity of new management keys.
|
||||
|
||||
* Version 0.1.3 (released 2014-12-18)
|
||||
|
||||
** Add format DER for importing certificates.
|
||||
|
||||
** Make sure diagnostic feedback ends up on stderr.
|
||||
|
||||
** Add positive feedback for a couple of actions.
|
||||
|
||||
* Version 0.1.2 (released 2014-11-14)
|
||||
|
||||
** Fix an issue where shorter component of RSA keys where not packed correctly.
|
||||
|
||||
* Version 0.1.1 (released 2014-11-10)
|
||||
|
||||
** Correct broken CHUID that made windows work inconsistently.
|
||||
|
||||
** Add support for compressed certificates.
|
||||
|
||||
** Fix broken unblock-pin action.
|
||||
|
||||
** Don't try to accept to short keys for mgm key.
|
||||
|
||||
** Only do applet authentication if needed.
|
||||
|
||||
** Add --hash for selecting what hash to use for signatures.
|
||||
|
||||
** Add hidden --sign command. Should probably not be used.
|
||||
|
||||
** Fix for signature algorithm in selfsigned cert.
|
||||
|
||||
* Version 0.1.0 (released 2014-08-25)
|
||||
|
||||
** Break out functionality into a library.
|
||||
|
||||
** More testing.
|
||||
|
||||
* Version 0.0.3 (released 2014-05-26)
|
||||
|
||||
** Add delete-certificate action.
|
||||
|
||||
** Fix minor bugs.
|
||||
|
||||
* Version 0.0.2 (released 2014-02-19)
|
||||
|
||||
** Fix an offset bug with CHUID.
|
||||
|
||||
** Do full mutual auth with the applet.
|
||||
|
||||
* Version 0.0.1 (released 2014-02-11)
|
||||
|
||||
** Initial release.
|
||||
@@ -1,139 +0,0 @@
|
||||
== Yubico PIV Tool
|
||||
|
||||
=== Introduction
|
||||
The Yubico PIV tool is used for interacting with the Privilege and
|
||||
Identification Card (PIV) application on a https://www.yubico.com[YubiKey].
|
||||
|
||||
With it you may generate keys on the device, importing keys and
|
||||
certificates, and create certificate requests, and other operations.
|
||||
A shared library and a command-line tool is included.
|
||||
|
||||
==== Usage guides
|
||||
For information and examples on what you can do with a PIV enabled YubiKey,
|
||||
see https://developers.yubico.com/PIV/
|
||||
|
||||
=== License
|
||||
In general the project is covered by the following BSD license. The
|
||||
file ykcs11/pkcs11.h has additional copyright and licensing
|
||||
information, please see it for more information. Some other files
|
||||
(e.g., m4/*) have other licenses too but are only part of the build
|
||||
infrastructure.
|
||||
|
||||
----
|
||||
Copyright (c) 2014-2016 Yubico AB
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are
|
||||
met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
|
||||
* Redistributions in binary form must reproduce the above
|
||||
copyright notice, this list of conditions and the following
|
||||
disclaimer in the documentation and/or other materials provided
|
||||
with the distribution.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
----
|
||||
|
||||
=== Building
|
||||
After downloading and unpacking the package tarball, you build it as
|
||||
follows.
|
||||
|
||||
$ ./configure
|
||||
$ make
|
||||
$ sudo make install
|
||||
|
||||
The backend to use is decided at compile time, see the summary at the
|
||||
end of the ./configure output. Use --with-backend=foo to chose
|
||||
backend, replacing foo with the backend you want to use. The backends
|
||||
available are "pcsc", "macscard", and "winscard" using the PCSC
|
||||
interface, with slightly different shared library linkage and
|
||||
header file names: "pcsc" is used under GNU-like systems, "macscard"
|
||||
under Mac OS X, and "winscard" is used under Windows. In most
|
||||
situations, running ./configure should automatically find the proper
|
||||
backend to use.
|
||||
|
||||
=== Building from Git
|
||||
Recent versions of autoconf, automake, check, pkg-config, and libtool
|
||||
must be installed. Help2man is used to generate the manpages. Gengetopt
|
||||
version 2.22.6 or later is needed for command line parameter handling.
|
||||
The
|
||||
link:https://github.com/Yubico/yubico-piv-tool/tree/master/vagrant/development[Vagrant
|
||||
VM] has all these dependencies preinstalled.
|
||||
|
||||
Generate the build system using:
|
||||
|
||||
$ autoreconf --install
|
||||
|
||||
Then you follow the normal build instructions, see above.
|
||||
To turn on all warnings add --enable-gcc-warnings to ./configure
|
||||
|
||||
=== Portability
|
||||
The main development platform is Debian GNU/Linux. The project is
|
||||
cross-compiled to Windows using MinGW (see windows.mk) using the PCSC
|
||||
backend. It may also be built for Mac OS X (see mac.mk), also using
|
||||
the PCSC backend.
|
||||
|
||||
=== Example Usage
|
||||
For a list of all available options --help can be given. For more information
|
||||
on exactly what happens --verbose or --verbose=2 may be added.
|
||||
|
||||
Generate a new ECC-P256 key on device in slot 9a, will print the public
|
||||
key on stdout:
|
||||
|
||||
$ yubico-piv-tool -s9a -AECCP256 -agenerate
|
||||
|
||||
Generate a certificate request with public key from stdin, will print
|
||||
the resulting request on stdout:
|
||||
|
||||
$ yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify -arequest
|
||||
|
||||
Generate a self-signed certificate with public key from stdin, will print
|
||||
the certificate, for later import, on stdout:
|
||||
|
||||
$ yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify -aselfsign
|
||||
|
||||
Import a certificate from stdin:
|
||||
|
||||
$ yubico-piv-tool -s9a -aimport-certificate
|
||||
|
||||
Set a random chuid, import a key and import a certificate from a PKCS12
|
||||
file, into slot 9c:
|
||||
|
||||
$ yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid -aimport-key \
|
||||
-aimport-cert
|
||||
|
||||
Change the management key used for administrative authentication:
|
||||
|
||||
$ yubico-piv-tool -aset-mgm-key
|
||||
|
||||
Delete a certificate in slot 9a, with management key being asked for:
|
||||
|
||||
$ yubico-piv-tool -adelete-certificate -s9a -k
|
||||
|
||||
Show some information on certificates and other data:
|
||||
|
||||
$ yubico-piv-tool -astatus
|
||||
|
||||
Read out the certificate from a slot and then run a signature test:
|
||||
|
||||
$ yubico-piv-tool -aread-cert -s9a
|
||||
$ yubico-piv-tool -averify-pin -atest-signature -s9a
|
||||
|
||||
Import a key into slot 85 (only available on YubiKey 4) and set the
|
||||
touch policy (also only available on YubiKey 4):
|
||||
|
||||
$ yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem
|
||||
@@ -1 +0,0 @@
|
||||
README
|
||||
@@ -1,77 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2014-2016 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
|
||||
if [ "x$TRAVIS_OS_NAME" != "xosx" ]; then
|
||||
sudo apt-get update -qq
|
||||
sudo apt-get remove -qq -y $REMOVE
|
||||
sudo apt-get autoremove -qq
|
||||
sudo apt-get install -qq -y gengetopt help2man check $EXTRA
|
||||
TAR=tar
|
||||
else
|
||||
ARCH=osx
|
||||
brew update
|
||||
brew uninstall libtool
|
||||
brew install libtool
|
||||
brew install help2man
|
||||
brew install check
|
||||
brew install pkg-config
|
||||
brew install gengetopt
|
||||
brew install gnu-tar
|
||||
TAR=gtar
|
||||
fi
|
||||
|
||||
set -e
|
||||
|
||||
autoreconf -ifv
|
||||
|
||||
if [ "x$ARCH" != "x" ]; then
|
||||
version=`cat NEWS | grep unreleased | cut -d' ' -f3`
|
||||
set +e
|
||||
$TAR --exclude .git --transform="s/^\./yubico-piv-tool-${version}/" -czf yubico-piv-tool-${version}.tar.gz .
|
||||
set -e
|
||||
if [ "x$ARCH" != "xosx" ]; then
|
||||
make -f windows.mk ${ARCH}bit VERSION=$version
|
||||
else
|
||||
make -f mac.mk mac VERSION=$version
|
||||
fi
|
||||
elif [ "x$BUILD_OPENSSL_VERSION" = "x1.1" ]; then
|
||||
version=`cat NEWS | grep unreleased | cut -d' ' -f3`
|
||||
set +e
|
||||
$TAR --exclude .git --transform="s/^\./yubico-piv-tool-${version}/" -czf yubico-piv-tool-${version}.tar.gz .
|
||||
set -e
|
||||
make -f linux.mk VERSION=$version
|
||||
else
|
||||
./configure $COVERAGE
|
||||
make all check
|
||||
if [ "x$COVERAGE" != "x" ]; then
|
||||
gem install coveralls-lcov
|
||||
coveralls-lcov coverage/app2.info
|
||||
fi
|
||||
fi
|
||||
@@ -1,690 +0,0 @@
|
||||
#! /bin/sh
|
||||
# Output a system dependent set of variables, describing how to set the
|
||||
# run time search path of shared libraries in an executable.
|
||||
#
|
||||
# Copyright 1996-2013 Free Software Foundation, Inc.
|
||||
# Taken from GNU libtool, 2001
|
||||
# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
|
||||
#
|
||||
# This file is free software; the Free Software Foundation gives
|
||||
# unlimited permission to copy and/or distribute it, with or without
|
||||
# modifications, as long as this notice is preserved.
|
||||
#
|
||||
# The first argument passed to this file is the canonical host specification,
|
||||
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
|
||||
# or
|
||||
# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
|
||||
# The environment variables CC, GCC, LDFLAGS, LD, with_gnu_ld
|
||||
# should be set by the caller.
|
||||
#
|
||||
# The set of defined variables is at the end of this script.
|
||||
|
||||
# Known limitations:
|
||||
# - On IRIX 6.5 with CC="cc", the run time search patch must not be longer
|
||||
# than 256 bytes, otherwise the compiler driver will dump core. The only
|
||||
# known workaround is to choose shorter directory names for the build
|
||||
# directory and/or the installation directory.
|
||||
|
||||
# All known linkers require a '.a' archive for static linking (except MSVC,
|
||||
# which needs '.lib').
|
||||
libext=a
|
||||
shrext=.so
|
||||
|
||||
host="$1"
|
||||
host_cpu=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
|
||||
host_vendor=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
|
||||
host_os=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
|
||||
|
||||
# Code taken from libtool.m4's _LT_CC_BASENAME.
|
||||
|
||||
for cc_temp in $CC""; do
|
||||
case $cc_temp in
|
||||
compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
|
||||
distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
|
||||
\-*) ;;
|
||||
*) break;;
|
||||
esac
|
||||
done
|
||||
cc_basename=`echo "$cc_temp" | sed -e 's%^.*/%%'`
|
||||
|
||||
# Code taken from libtool.m4's _LT_COMPILER_PIC.
|
||||
|
||||
wl=
|
||||
if test "$GCC" = yes; then
|
||||
wl='-Wl,'
|
||||
else
|
||||
case "$host_os" in
|
||||
aix*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
mingw* | cygwin* | pw32* | os2* | cegcc*)
|
||||
;;
|
||||
hpux9* | hpux10* | hpux11*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
irix5* | irix6* | nonstopux*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
linux* | k*bsd*-gnu | kopensolaris*-gnu)
|
||||
case $cc_basename in
|
||||
ecc*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
icc* | ifort*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
lf95*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
nagfor*)
|
||||
wl='-Wl,-Wl,,'
|
||||
;;
|
||||
pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
ccc*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
xl* | bgxl* | bgf* | mpixl*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
como)
|
||||
wl='-lopt='
|
||||
;;
|
||||
*)
|
||||
case `$CC -V 2>&1 | sed 5q` in
|
||||
*Sun\ F* | *Sun*Fortran*)
|
||||
wl=
|
||||
;;
|
||||
*Sun\ C*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
newsos6)
|
||||
;;
|
||||
*nto* | *qnx*)
|
||||
;;
|
||||
osf3* | osf4* | osf5*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
rdos*)
|
||||
;;
|
||||
solaris*)
|
||||
case $cc_basename in
|
||||
f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
|
||||
wl='-Qoption ld '
|
||||
;;
|
||||
*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
sunos4*)
|
||||
wl='-Qoption ld '
|
||||
;;
|
||||
sysv4 | sysv4.2uw2* | sysv4.3*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
sysv4*MP*)
|
||||
;;
|
||||
sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
unicos*)
|
||||
wl='-Wl,'
|
||||
;;
|
||||
uts4*)
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# Code taken from libtool.m4's _LT_LINKER_SHLIBS.
|
||||
|
||||
hardcode_libdir_flag_spec=
|
||||
hardcode_libdir_separator=
|
||||
hardcode_direct=no
|
||||
hardcode_minus_L=no
|
||||
|
||||
case "$host_os" in
|
||||
cygwin* | mingw* | pw32* | cegcc*)
|
||||
# FIXME: the MSVC++ port hasn't been tested in a loooong time
|
||||
# When not using gcc, we currently assume that we are using
|
||||
# Microsoft Visual C++.
|
||||
if test "$GCC" != yes; then
|
||||
with_gnu_ld=no
|
||||
fi
|
||||
;;
|
||||
interix*)
|
||||
# we just hope/assume this is gcc and not c89 (= MSVC++)
|
||||
with_gnu_ld=yes
|
||||
;;
|
||||
openbsd*)
|
||||
with_gnu_ld=no
|
||||
;;
|
||||
esac
|
||||
|
||||
ld_shlibs=yes
|
||||
if test "$with_gnu_ld" = yes; then
|
||||
# Set some defaults for GNU ld with shared library support. These
|
||||
# are reset later if shared libraries are not supported. Putting them
|
||||
# here allows them to be overridden if necessary.
|
||||
# Unlike libtool, we use -rpath here, not --rpath, since the documented
|
||||
# option of GNU ld is called -rpath, not --rpath.
|
||||
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
|
||||
case "$host_os" in
|
||||
aix[3-9]*)
|
||||
# On AIX/PPC, the GNU linker is very broken
|
||||
if test "$host_cpu" != ia64; then
|
||||
ld_shlibs=no
|
||||
fi
|
||||
;;
|
||||
amigaos*)
|
||||
case "$host_cpu" in
|
||||
powerpc)
|
||||
;;
|
||||
m68k)
|
||||
hardcode_libdir_flag_spec='-L$libdir'
|
||||
hardcode_minus_L=yes
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
beos*)
|
||||
if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
|
||||
:
|
||||
else
|
||||
ld_shlibs=no
|
||||
fi
|
||||
;;
|
||||
cygwin* | mingw* | pw32* | cegcc*)
|
||||
# hardcode_libdir_flag_spec is actually meaningless, as there is
|
||||
# no search path for DLLs.
|
||||
hardcode_libdir_flag_spec='-L$libdir'
|
||||
if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
|
||||
:
|
||||
else
|
||||
ld_shlibs=no
|
||||
fi
|
||||
;;
|
||||
haiku*)
|
||||
;;
|
||||
interix[3-9]*)
|
||||
hardcode_direct=no
|
||||
hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
|
||||
;;
|
||||
gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu)
|
||||
if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
|
||||
:
|
||||
else
|
||||
ld_shlibs=no
|
||||
fi
|
||||
;;
|
||||
netbsd*)
|
||||
;;
|
||||
solaris*)
|
||||
if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
|
||||
ld_shlibs=no
|
||||
elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
|
||||
:
|
||||
else
|
||||
ld_shlibs=no
|
||||
fi
|
||||
;;
|
||||
sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
|
||||
case `$LD -v 2>&1` in
|
||||
*\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
|
||||
ld_shlibs=no
|
||||
;;
|
||||
*)
|
||||
if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
|
||||
hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
|
||||
else
|
||||
ld_shlibs=no
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
sunos4*)
|
||||
hardcode_direct=yes
|
||||
;;
|
||||
*)
|
||||
if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
|
||||
:
|
||||
else
|
||||
ld_shlibs=no
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
if test "$ld_shlibs" = no; then
|
||||
hardcode_libdir_flag_spec=
|
||||
fi
|
||||
else
|
||||
case "$host_os" in
|
||||
aix3*)
|
||||
# Note: this linker hardcodes the directories in LIBPATH if there
|
||||
# are no directories specified by -L.
|
||||
hardcode_minus_L=yes
|
||||
if test "$GCC" = yes; then
|
||||
# Neither direct hardcoding nor static linking is supported with a
|
||||
# broken collect2.
|
||||
hardcode_direct=unsupported
|
||||
fi
|
||||
;;
|
||||
aix[4-9]*)
|
||||
if test "$host_cpu" = ia64; then
|
||||
# On IA64, the linker does run time linking by default, so we don't
|
||||
# have to do anything special.
|
||||
aix_use_runtimelinking=no
|
||||
else
|
||||
aix_use_runtimelinking=no
|
||||
# Test if we are trying to use run time linking or normal
|
||||
# AIX style linking. If -brtl is somewhere in LDFLAGS, we
|
||||
# need to do runtime linking.
|
||||
case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
|
||||
for ld_flag in $LDFLAGS; do
|
||||
if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
|
||||
aix_use_runtimelinking=yes
|
||||
break
|
||||
fi
|
||||
done
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
hardcode_direct=yes
|
||||
hardcode_libdir_separator=':'
|
||||
if test "$GCC" = yes; then
|
||||
case $host_os in aix4.[012]|aix4.[012].*)
|
||||
collect2name=`${CC} -print-prog-name=collect2`
|
||||
if test -f "$collect2name" && \
|
||||
strings "$collect2name" | grep resolve_lib_name >/dev/null
|
||||
then
|
||||
# We have reworked collect2
|
||||
:
|
||||
else
|
||||
# We have old collect2
|
||||
hardcode_direct=unsupported
|
||||
hardcode_minus_L=yes
|
||||
hardcode_libdir_flag_spec='-L$libdir'
|
||||
hardcode_libdir_separator=
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
# Begin _LT_AC_SYS_LIBPATH_AIX.
|
||||
echo 'int main () { return 0; }' > conftest.c
|
||||
${CC} ${LDFLAGS} conftest.c -o conftest
|
||||
aix_libpath=`dump -H conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
|
||||
}'`
|
||||
if test -z "$aix_libpath"; then
|
||||
aix_libpath=`dump -HX64 conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
|
||||
}'`
|
||||
fi
|
||||
if test -z "$aix_libpath"; then
|
||||
aix_libpath="/usr/lib:/lib"
|
||||
fi
|
||||
rm -f conftest.c conftest
|
||||
# End _LT_AC_SYS_LIBPATH_AIX.
|
||||
if test "$aix_use_runtimelinking" = yes; then
|
||||
hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
|
||||
else
|
||||
if test "$host_cpu" = ia64; then
|
||||
hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
|
||||
else
|
||||
hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
amigaos*)
|
||||
case "$host_cpu" in
|
||||
powerpc)
|
||||
;;
|
||||
m68k)
|
||||
hardcode_libdir_flag_spec='-L$libdir'
|
||||
hardcode_minus_L=yes
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
bsdi[45]*)
|
||||
;;
|
||||
cygwin* | mingw* | pw32* | cegcc*)
|
||||
# When not using gcc, we currently assume that we are using
|
||||
# Microsoft Visual C++.
|
||||
# hardcode_libdir_flag_spec is actually meaningless, as there is
|
||||
# no search path for DLLs.
|
||||
hardcode_libdir_flag_spec=' '
|
||||
libext=lib
|
||||
;;
|
||||
darwin* | rhapsody*)
|
||||
hardcode_direct=no
|
||||
if { case $cc_basename in ifort*) true;; *) test "$GCC" = yes;; esac; }; then
|
||||
:
|
||||
else
|
||||
ld_shlibs=no
|
||||
fi
|
||||
;;
|
||||
dgux*)
|
||||
hardcode_libdir_flag_spec='-L$libdir'
|
||||
;;
|
||||
freebsd2.2*)
|
||||
hardcode_libdir_flag_spec='-R$libdir'
|
||||
hardcode_direct=yes
|
||||
;;
|
||||
freebsd2*)
|
||||
hardcode_direct=yes
|
||||
hardcode_minus_L=yes
|
||||
;;
|
||||
freebsd* | dragonfly*)
|
||||
hardcode_libdir_flag_spec='-R$libdir'
|
||||
hardcode_direct=yes
|
||||
;;
|
||||
hpux9*)
|
||||
hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
|
||||
hardcode_libdir_separator=:
|
||||
hardcode_direct=yes
|
||||
# hardcode_minus_L: Not really in the search PATH,
|
||||
# but as the default location of the library.
|
||||
hardcode_minus_L=yes
|
||||
;;
|
||||
hpux10*)
|
||||
if test "$with_gnu_ld" = no; then
|
||||
hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
|
||||
hardcode_libdir_separator=:
|
||||
hardcode_direct=yes
|
||||
# hardcode_minus_L: Not really in the search PATH,
|
||||
# but as the default location of the library.
|
||||
hardcode_minus_L=yes
|
||||
fi
|
||||
;;
|
||||
hpux11*)
|
||||
if test "$with_gnu_ld" = no; then
|
||||
hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
|
||||
hardcode_libdir_separator=:
|
||||
case $host_cpu in
|
||||
hppa*64*|ia64*)
|
||||
hardcode_direct=no
|
||||
;;
|
||||
*)
|
||||
hardcode_direct=yes
|
||||
# hardcode_minus_L: Not really in the search PATH,
|
||||
# but as the default location of the library.
|
||||
hardcode_minus_L=yes
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
;;
|
||||
irix5* | irix6* | nonstopux*)
|
||||
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
|
||||
hardcode_libdir_separator=:
|
||||
;;
|
||||
netbsd*)
|
||||
hardcode_libdir_flag_spec='-R$libdir'
|
||||
hardcode_direct=yes
|
||||
;;
|
||||
newsos6)
|
||||
hardcode_direct=yes
|
||||
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
|
||||
hardcode_libdir_separator=:
|
||||
;;
|
||||
*nto* | *qnx*)
|
||||
;;
|
||||
openbsd*)
|
||||
if test -f /usr/libexec/ld.so; then
|
||||
hardcode_direct=yes
|
||||
if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
|
||||
hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
|
||||
else
|
||||
case "$host_os" in
|
||||
openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
|
||||
hardcode_libdir_flag_spec='-R$libdir'
|
||||
;;
|
||||
*)
|
||||
hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
else
|
||||
ld_shlibs=no
|
||||
fi
|
||||
;;
|
||||
os2*)
|
||||
hardcode_libdir_flag_spec='-L$libdir'
|
||||
hardcode_minus_L=yes
|
||||
;;
|
||||
osf3*)
|
||||
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
|
||||
hardcode_libdir_separator=:
|
||||
;;
|
||||
osf4* | osf5*)
|
||||
if test "$GCC" = yes; then
|
||||
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
|
||||
else
|
||||
# Both cc and cxx compiler support -rpath directly
|
||||
hardcode_libdir_flag_spec='-rpath $libdir'
|
||||
fi
|
||||
hardcode_libdir_separator=:
|
||||
;;
|
||||
solaris*)
|
||||
hardcode_libdir_flag_spec='-R$libdir'
|
||||
;;
|
||||
sunos4*)
|
||||
hardcode_libdir_flag_spec='-L$libdir'
|
||||
hardcode_direct=yes
|
||||
hardcode_minus_L=yes
|
||||
;;
|
||||
sysv4)
|
||||
case $host_vendor in
|
||||
sni)
|
||||
hardcode_direct=yes # is this really true???
|
||||
;;
|
||||
siemens)
|
||||
hardcode_direct=no
|
||||
;;
|
||||
motorola)
|
||||
hardcode_direct=no #Motorola manual says yes, but my tests say they lie
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
sysv4.3*)
|
||||
;;
|
||||
sysv4*MP*)
|
||||
if test -d /usr/nec; then
|
||||
ld_shlibs=yes
|
||||
fi
|
||||
;;
|
||||
sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
|
||||
;;
|
||||
sysv5* | sco3.2v5* | sco5v6*)
|
||||
hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
|
||||
hardcode_libdir_separator=':'
|
||||
;;
|
||||
uts4*)
|
||||
hardcode_libdir_flag_spec='-L$libdir'
|
||||
;;
|
||||
*)
|
||||
ld_shlibs=no
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# Check dynamic linker characteristics
|
||||
# Code taken from libtool.m4's _LT_SYS_DYNAMIC_LINKER.
|
||||
# Unlike libtool.m4, here we don't care about _all_ names of the library, but
|
||||
# only about the one the linker finds when passed -lNAME. This is the last
|
||||
# element of library_names_spec in libtool.m4, or possibly two of them if the
|
||||
# linker has special search rules.
|
||||
library_names_spec= # the last element of library_names_spec in libtool.m4
|
||||
libname_spec='lib$name'
|
||||
case "$host_os" in
|
||||
aix3*)
|
||||
library_names_spec='$libname.a'
|
||||
;;
|
||||
aix[4-9]*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
amigaos*)
|
||||
case "$host_cpu" in
|
||||
powerpc*)
|
||||
library_names_spec='$libname$shrext' ;;
|
||||
m68k)
|
||||
library_names_spec='$libname.a' ;;
|
||||
esac
|
||||
;;
|
||||
beos*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
bsdi[45]*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
cygwin* | mingw* | pw32* | cegcc*)
|
||||
shrext=.dll
|
||||
library_names_spec='$libname.dll.a $libname.lib'
|
||||
;;
|
||||
darwin* | rhapsody*)
|
||||
shrext=.dylib
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
dgux*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
freebsd* | dragonfly*)
|
||||
case "$host_os" in
|
||||
freebsd[123]*)
|
||||
library_names_spec='$libname$shrext$versuffix' ;;
|
||||
*)
|
||||
library_names_spec='$libname$shrext' ;;
|
||||
esac
|
||||
;;
|
||||
gnu*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
haiku*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
hpux9* | hpux10* | hpux11*)
|
||||
case $host_cpu in
|
||||
ia64*)
|
||||
shrext=.so
|
||||
;;
|
||||
hppa*64*)
|
||||
shrext=.sl
|
||||
;;
|
||||
*)
|
||||
shrext=.sl
|
||||
;;
|
||||
esac
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
interix[3-9]*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
irix5* | irix6* | nonstopux*)
|
||||
library_names_spec='$libname$shrext'
|
||||
case "$host_os" in
|
||||
irix5* | nonstopux*)
|
||||
libsuff= shlibsuff=
|
||||
;;
|
||||
*)
|
||||
case $LD in
|
||||
*-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") libsuff= shlibsuff= ;;
|
||||
*-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") libsuff=32 shlibsuff=N32 ;;
|
||||
*-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") libsuff=64 shlibsuff=64 ;;
|
||||
*) libsuff= shlibsuff= ;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
linux*oldld* | linux*aout* | linux*coff*)
|
||||
;;
|
||||
linux* | k*bsd*-gnu | kopensolaris*-gnu)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
knetbsd*-gnu)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
netbsd*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
newsos6)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
*nto* | *qnx*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
openbsd*)
|
||||
library_names_spec='$libname$shrext$versuffix'
|
||||
;;
|
||||
os2*)
|
||||
libname_spec='$name'
|
||||
shrext=.dll
|
||||
library_names_spec='$libname.a'
|
||||
;;
|
||||
osf3* | osf4* | osf5*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
rdos*)
|
||||
;;
|
||||
solaris*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
sunos4*)
|
||||
library_names_spec='$libname$shrext$versuffix'
|
||||
;;
|
||||
sysv4 | sysv4.3*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
sysv4*MP*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
tpf*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
uts4*)
|
||||
library_names_spec='$libname$shrext'
|
||||
;;
|
||||
esac
|
||||
|
||||
sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
|
||||
escaped_wl=`echo "X$wl" | sed -e 's/^X//' -e "$sed_quote_subst"`
|
||||
shlibext=`echo "$shrext" | sed -e 's,^\.,,'`
|
||||
escaped_libname_spec=`echo "X$libname_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
|
||||
escaped_library_names_spec=`echo "X$library_names_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
|
||||
escaped_hardcode_libdir_flag_spec=`echo "X$hardcode_libdir_flag_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
|
||||
|
||||
LC_ALL=C sed -e 's/^\([a-zA-Z0-9_]*\)=/acl_cv_\1=/' <<EOF
|
||||
|
||||
# How to pass a linker flag through the compiler.
|
||||
wl="$escaped_wl"
|
||||
|
||||
# Static library suffix (normally "a").
|
||||
libext="$libext"
|
||||
|
||||
# Shared library suffix (normally "so").
|
||||
shlibext="$shlibext"
|
||||
|
||||
# Format of library name prefix.
|
||||
libname_spec="$escaped_libname_spec"
|
||||
|
||||
# Library names that the linker finds when passed -lNAME.
|
||||
library_names_spec="$escaped_library_names_spec"
|
||||
|
||||
# Flag to hardcode \$libdir into a binary during linking.
|
||||
# This must work even if \$libdir does not exist.
|
||||
hardcode_libdir_flag_spec="$escaped_hardcode_libdir_flag_spec"
|
||||
|
||||
# Whether we need a single -rpath flag with a separated argument.
|
||||
hardcode_libdir_separator="$hardcode_libdir_separator"
|
||||
|
||||
# Set to yes if using DIR/libNAME.so during linking hardcodes DIR into the
|
||||
# resulting binary.
|
||||
hardcode_direct="$hardcode_direct"
|
||||
|
||||
# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
|
||||
# resulting binary.
|
||||
hardcode_minus_L="$hardcode_minus_L"
|
||||
|
||||
EOF
|
||||
-313
@@ -1,313 +0,0 @@
|
||||
# Copyright (c) 2014-2016 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
AC_INIT([yubico-piv-tool], [1.7.1])
|
||||
AC_CONFIG_AUX_DIR([build-aux])
|
||||
AC_CONFIG_MACRO_DIR([m4])
|
||||
|
||||
# Library code modified: REVISION++
|
||||
# Interfaces changed/added/removed: CURRENT++ REVISION=0
|
||||
# Interfaces added: AGE++
|
||||
# Interfaces removed: AGE=0
|
||||
AC_SUBST([LT_CURRENT], 6)
|
||||
AC_SUBST([LT_REVISION], 1)
|
||||
AC_SUBST([LT_AGE], 5)
|
||||
|
||||
AM_INIT_AUTOMAKE([-Wall -Werror foreign])
|
||||
AM_SILENT_RULES([yes])
|
||||
AC_PROG_CC
|
||||
m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
|
||||
|
||||
AC_LIBTOOL_WIN32_DLL
|
||||
AC_PROG_LIBTOOL
|
||||
AM_MISSING_PROG(HELP2MAN, help2man, $missing_dir)
|
||||
AM_MISSING_PROG(HELP2ADOC, help2adoc, $missing_dir)
|
||||
AM_MISSING_PROG(GENGETOPT, gengetopt, $missing_dir)
|
||||
PKG_PROG_PKG_CONFIG
|
||||
|
||||
PKG_CHECK_MODULES([OPENSSL], [libcrypto], [OPENSSL_VERSION=`$PKG_CONFIG --modversion libcrypto`])
|
||||
PKG_CHECK_MODULES([CHECK], [check >= 0.9.6])
|
||||
|
||||
DX_HTML_FEATURE(ON)
|
||||
DX_INIT_DOXYGEN(libykpiv,lib/Doxyfile)
|
||||
|
||||
gl_LD_VERSION_SCRIPT
|
||||
gl_VALGRIND_TESTS
|
||||
|
||||
# Check for clang
|
||||
AC_CACHE_CHECK([for clang],
|
||||
_cv_clang,[
|
||||
AC_TRY_COMPILE([], [
|
||||
#ifdef __clang__
|
||||
#else
|
||||
#error "NOT CLANG"
|
||||
#endif
|
||||
return 0;
|
||||
],
|
||||
[_cv_clang=yes],
|
||||
[_cv_clang=no],
|
||||
[])
|
||||
])
|
||||
AM_CONDITIONAL([COMPILER_CLANG], [test "$_cv_clang" = yes])
|
||||
|
||||
AC_ARG_WITH([backend],
|
||||
[AS_HELP_STRING([--with-backend=ARG],
|
||||
[use specific backend/linkage; 'pcsc', 'macscard' or 'winscard'])],
|
||||
[],
|
||||
[with_backend=check])
|
||||
|
||||
AC_ARG_WITH([pcsclib],
|
||||
[AS_HELP_STRING([--with-pcsclib=ARG],
|
||||
[Name of custom PCSC lib])],
|
||||
[],
|
||||
[with_pcsclib=])
|
||||
|
||||
AC_ARG_WITH([pcscdir],
|
||||
[AS_HELP_STRING([--with-pcscdir=ARG],
|
||||
[Path to custom PCSC lib dir (use with --with-pcsclib)])],
|
||||
[],
|
||||
[with_pcscdir=])
|
||||
|
||||
case "$with_backend$host" in
|
||||
check*-darwin*)
|
||||
AC_MSG_NOTICE([Detected Mac: selecting macscard backend])
|
||||
AC_MSG_NOTICE([use --with-backend to override])
|
||||
with_backend=macscard ;;
|
||||
check*-mingw*)
|
||||
AC_MSG_NOTICE([Detected Windows: selecting winscard backend])
|
||||
AC_MSG_NOTICE([use --with-backend to override])
|
||||
with_backend=winscard ;;
|
||||
esac
|
||||
|
||||
if test "x$with_backend" = xcheck || test "x$with_backend" = xpcsc; then
|
||||
PKG_CHECK_MODULES([PCSC], [libpcsclite],
|
||||
[with_backend=pcsc], [:])
|
||||
fi
|
||||
|
||||
if test "x$with_backend" = xcheck; then
|
||||
AC_CHECK_HEADERS([PCSC/winscard.h])
|
||||
AC_CHECK_HEADERS([winscard.h])
|
||||
AC_MSG_CHECKING([between Mac/Windows winscard])
|
||||
if test "x$ac_cv_header_PCSC_winscard_h" = xyes; then
|
||||
with_backend=macscard
|
||||
AC_MSG_RESULT([Mac])
|
||||
elif test "x$ac_cv_header_winscard_h" = xyes; then
|
||||
with_backend=winscard
|
||||
AC_MSG_RESULT([Windows])
|
||||
else
|
||||
AC_MSG_RESULT([no])
|
||||
fi
|
||||
fi
|
||||
|
||||
if test "x$with_backend" = xwinscard; then
|
||||
AC_MSG_NOTICE([checking for winscard with Windows linkage])
|
||||
AC_CHECK_HEADERS([winscard.h])
|
||||
PCSC_WIN_LIBS="-lwinscard"
|
||||
save_LIBS="$LIBS"
|
||||
LIBS="$LIBS $PCSC_WIN_LIBS"
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <winscard.h>]],
|
||||
[[SCardBeginTransaction(0)]])],
|
||||
[AC_SUBST([PCSC_WIN_LIBS])],
|
||||
[AC_MSG_ERROR([cannot find Windows PCSC library/headers])])
|
||||
LIBS="$save_LIBS"
|
||||
fi
|
||||
|
||||
if test "x$with_backend" = xmacscard; then
|
||||
AC_MSG_NOTICE([checking for PCSC with Mac linkage])
|
||||
AC_CHECK_HEADERS([PCSC/winscard.h])
|
||||
PCSC_MACOSX_LIBS="-Wl,-framework -Wl,PCSC"
|
||||
save_LIBS="$LIBS"
|
||||
LIBS="$LIBS $PCSC_MACOSX_LIBS"
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <PCSC/wintypes.h>
|
||||
#include <PCSC/winscard.h>]],
|
||||
[[SCardBeginTransaction(0)]])],
|
||||
[AC_SUBST([PCSC_MACOSX_LIBS])],
|
||||
[AC_MSG_ERROR([cannot find Mac PCSC library/headers])])
|
||||
LIBS="$save_LIBS"
|
||||
fi
|
||||
|
||||
if test "x$with_pcsclib" != x; then
|
||||
AC_MSG_NOTICE([checking for PCSC with custom lib])
|
||||
AC_CHECK_HEADERS([PCSC/winscard.h])
|
||||
if test "x$with_pcscdir" != x; then
|
||||
PCSC_CUSTOM_LIBS="-Wl,-L$with_pcscdir -Wl,-l$with_pcsclib -Wl,-rpath,$with_pcscdir"
|
||||
else
|
||||
PCSC_CUSTOM_LIBS="-Wl,-l$with_pcsclib"
|
||||
fi
|
||||
save_CFLAGS="$CFLAGS"
|
||||
CFLAGS="$CFLAGS $PCSC_CFLAGS"
|
||||
save_LIBS="$LIBS"
|
||||
LIBS="$LIBS $PCSC_CUSTOM_LIBS"
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <PCSC/winscard.h>]],
|
||||
[[SCardBeginTransaction(0)]])],
|
||||
[AC_SUBST([PCSC_CUSTOM_LIBS])],
|
||||
[AC_MSG_ERROR([cannot find custom PCSC library/headers])])
|
||||
LIBS="$save_LIBS"
|
||||
CFLAGS="$save_CFLAGS"
|
||||
PCSC_MACOSX_LIBS=
|
||||
PCSC_WIN_LIBS=
|
||||
PCSC_LIBS=
|
||||
fi
|
||||
|
||||
if test "x$with_backend" = xpcsc || test "x$with_backend" = xwinscard \
|
||||
|| test "x$with_backend" = xmacscard || test "x$with_pcsclib" != x; then
|
||||
AC_DEFINE([BACKEND_PCSC], 1, [Define to 1 if you the PCSC backend.])
|
||||
else
|
||||
AC_MSG_ERROR([cannot find PCSC library])
|
||||
fi
|
||||
|
||||
AC_ARG_ENABLE([coverage],
|
||||
[AS_HELP_STRING([--enable-coverage],
|
||||
[use Gcov to test the test suite])],
|
||||
[],
|
||||
[enable_cov=no])
|
||||
AM_CONDITIONAL([ENABLE_COV],[test '!' "$enable_cov" = no])
|
||||
|
||||
AC_ARG_ENABLE([cppcheck],
|
||||
[AS_HELP_STRING([--enable-cppcheck],
|
||||
[run cppcheck])],
|
||||
[enable_cppcheck="$enableval"],
|
||||
[enable_cppcheck="no"])
|
||||
|
||||
have_cppcheck=no
|
||||
AS_IF([test "x$enable_cppcheck" != xno],
|
||||
[AC_PATH_PROG([CPPCHECK], [cppcheck], [NONE])
|
||||
AS_IF([test "x$enable_cppcheck" != xno],
|
||||
[have_cppcheck=yes
|
||||
AC_SUBST([CPPCHECK])],
|
||||
[have_cppcheck=no
|
||||
AS_IF([test "x$enable_cppcheck" != xauto],
|
||||
[AC_MSG_ERROR([cannot find cppcheck])])])])
|
||||
AM_CONDITIONAL([ENABLE_CPPCHECK],[test '!' "$have_cppcheck" = no])
|
||||
|
||||
AC_ARG_ENABLE([gcc-warnings],
|
||||
[AS_HELP_STRING([--enable-gcc-warnings],
|
||||
[turn on lots of GCC warnings (for developers)])],
|
||||
[case $enableval in
|
||||
yes|no) ;;
|
||||
*) AC_MSG_ERROR([bad value $enableval for gcc-warnings option]) ;;
|
||||
esac
|
||||
gl_gcc_warnings=$enableval],
|
||||
[gl_gcc_warnings=no]
|
||||
)
|
||||
|
||||
if test "$gl_gcc_warnings" = yes; then
|
||||
nw="$nw -Wsystem-headers" # Don't let system headers trigger warnings
|
||||
nw="$nw -Wpadded" # Struct's arenot padded
|
||||
nw="$nw -Wc++-compat" # We don't care strongly about C++ compilers
|
||||
nw="$nw -Wtraditional" # Warns on #elif which we use often
|
||||
nw="$nw -Wtraditional-conversion" # Too many warnings for now
|
||||
nw="$nw -Wconversion" # Too many warnings for now
|
||||
nw="$nw -Wsuggest-attribute=pure" # Is it worth using attributes?
|
||||
nw="$nw -Wsuggest-attribute=const" # Is it worth using attributes?
|
||||
nw="$nw -Waggregate-return" # returning structs shouldn't be a problem
|
||||
|
||||
gl_MANYWARN_ALL_GCC([ws])
|
||||
gl_MANYWARN_COMPLEMENT(ws, [$ws], [$nw])
|
||||
for w in $ws; do
|
||||
gl_WARN_ADD([$w])
|
||||
done
|
||||
|
||||
gl_WARN_ADD([-fdiagnostics-show-option])
|
||||
fi
|
||||
|
||||
AC_ARG_ENABLE([ykcs11-debug],
|
||||
[AS_HELP_STRING([--enable-ykcs11-debug],
|
||||
[enables YKCS11 debug messages])],
|
||||
[enable_ykcs11_debug="$enableval"],
|
||||
[enable_ykcs11_debug="no"])
|
||||
|
||||
AS_IF([test "x$enable_ykcs11_debug" != xno],
|
||||
[AC_DEFINE([YKCS11_DBG], [1], [Regular debug flag])
|
||||
AC_DEFINE([YKCS11_DINOUT], [1], [Function accessed/left debug flag])
|
||||
ykcs11_debug="ENABLED"],
|
||||
[true],
|
||||
[AC_DEFINE([YKCS11_DBG], [0], [Regular debug flag])
|
||||
AC_DEFINE([YKCS11_DINOUT], [0], [Function accessed/left debug flag])
|
||||
ykcs11_debug="DISABLED"])
|
||||
|
||||
AC_ARG_ENABLE([hardware-tests],
|
||||
[AS_HELP_STRING([--enable-hardware-tests],
|
||||
[enables tests that require a YubiKey to be plugged in])],
|
||||
[enable_hardware_tests="$enableval"],
|
||||
[enable_hardware_tests="no"])
|
||||
|
||||
AS_IF([test "x$enable_hardware_tests" != xno],
|
||||
[AC_DEFINE([HW_TESTS], [1], [Flag for hardware tests])
|
||||
hw_tests="ENABLED"],
|
||||
[true],
|
||||
[hw_tests="DISABLED"])
|
||||
|
||||
AC_SUBST(YKPIV_VERSION_MAJOR, `echo $PACKAGE_VERSION | sed 's/\(.*\)\..*\..*/\1/g'`)
|
||||
AC_SUBST(YKPIV_VERSION_MINOR, `echo $PACKAGE_VERSION | sed 's/.*\.\(.*\)\..*/\1/g'`)
|
||||
AC_SUBST(YKPIV_VERSION_PATCH, `echo $PACKAGE_VERSION | sed 's/.*\..*\.\(.*\)/\1/g'`)
|
||||
AC_SUBST(YKPIV_VERSION_NUMBER, `printf "0x%02x%02x%02x" $YKPIV_VERSION_MAJOR $YKPIV_VERSION_MINOR $YKPIV_VERSION_PATCH`)
|
||||
|
||||
AC_SUBST(YKCS11_VERSION_MAJOR, `echo $PACKAGE_VERSION | sed 's/\(.*\)\..*\..*/\1/g'`)
|
||||
AC_SUBST(YKCS11_VERSION_MINOR, `echo $PACKAGE_VERSION | sed 's/.*\.\(.*\)\..*/\1/g'`)
|
||||
AC_SUBST(YKCS11_VERSION_PATCH, `echo $PACKAGE_VERSION | sed 's/.*\..*\.\(.*\)/\1/g'`)
|
||||
AC_SUBST(YKCS11_VERSION_NUMBER, `printf "0x%02x%02x%02x" $YKCS11_VERSION_MAJOR $YKCS11_VERSION_MINOR $YKCS11_VERSION_PATCH`)
|
||||
|
||||
AC_CONFIG_FILES([
|
||||
Makefile
|
||||
lib/Makefile
|
||||
lib/tests/Makefile
|
||||
tool/Makefile
|
||||
tool/tests/Makefile
|
||||
lib/ykpiv-version.h
|
||||
lib/ykpiv.pc
|
||||
ykcs11/Makefile
|
||||
ykcs11/ykcs11-version.h
|
||||
ykcs11/ykcs11.pc
|
||||
ykcs11/tests/Makefile
|
||||
])
|
||||
AC_OUTPUT
|
||||
|
||||
AC_MSG_NOTICE([summary of build options:
|
||||
|
||||
Version: ${VERSION}
|
||||
Host type: ${host}
|
||||
Install prefix: ${prefix}
|
||||
Compiler: ${CC}
|
||||
CFLAGS: ${CFLAGS}
|
||||
CPPFLAGS: ${CPPFLAGS}
|
||||
Warnings: ${WARN_CFLAGS}
|
||||
Backend: ${with_backend}
|
||||
OpenSSL version: ${OPENSSL_VERSION}
|
||||
PCSC
|
||||
CFLAGS: ${PCSC_CFLAGS}
|
||||
LIBS: ${PCSC_LIBS}
|
||||
Winscard
|
||||
LIBS: ${PCSC_WIN_LIBS}
|
||||
Mac PCSC
|
||||
LIBS: ${PCSC_MACOSX_LIBS}
|
||||
Custom PCSC
|
||||
LIBS: ${PCSC_CUSTOM_LIBS}
|
||||
|
||||
YKCS11 debug: ${ykcs11_debug}
|
||||
Hardware tests: ${hw_tests}
|
||||
])
|
||||
@@ -1,36 +0,0 @@
|
||||
== Using Attestation
|
||||
|
||||
=== Introduction
|
||||
This feature is only available in YubiKey 4.3 and newer.
|
||||
|
||||
A high level description of the thinking and how this can be used can be found
|
||||
at https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
|
||||
|
||||
=== Usage
|
||||
Attestation works through a special key slot called “f9” this comes
|
||||
pre-loaded from factory with a key and cert signed by Yubico, but can be
|
||||
overwritten.
|
||||
After a key has been generated in a normal slot it can be attested by this
|
||||
special key, this can be realised by using the yubico-piv-tool action attest:
|
||||
|
||||
$ yubico-piv-tool --action=generate --slot=9a
|
||||
...
|
||||
$ yubico-piv-tool --action=attest --slot=9a
|
||||
|
||||
The output of this is a PEM encoded certificate, signed by the key in slot f9.
|
||||
|
||||
=== Verifying
|
||||
To verify an attestation step 1 is to build the certificate chain. Put the
|
||||
attestation root certificate in a file (or if you trust several put all
|
||||
of them in said file). The Yubico root certificate can be found at
|
||||
https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem
|
||||
|
||||
Then add the keys attestation certificate to that file:
|
||||
|
||||
$ yubico-piv-tool --action=read-certificate --slot=f9 >> certs.pem
|
||||
|
||||
Now we're ready to verify the attestation:
|
||||
|
||||
$ yubico-piv-tool --action=attest --slot=9a > attestation.pem
|
||||
$ openssl verify -CAfile certs.pem attestation.pem
|
||||
attestation.pem: OK
|
||||
@@ -1,120 +0,0 @@
|
||||
== YKCS11
|
||||
This is a PKCS#11 module that allows to communicate with the PIV
|
||||
application running on a YubiKey.
|
||||
|
||||
This module is based on version 2.40 of the PKCS#11 (Cryptoki)
|
||||
specifications.
|
||||
|
||||
The complete specifications are available at
|
||||
https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html.
|
||||
|
||||
=== BUILDING
|
||||
YKCS11 is automatically built as part of `yubico-piv-tool` and the
|
||||
following command will suffice:
|
||||
|
||||
$ autoreconf --install
|
||||
$ ./configure
|
||||
$ make
|
||||
$ sudo make install
|
||||
|
||||
More info about building yubico-piv-tool can be found in the related
|
||||
`README` file or over at
|
||||
https://developers.yubico.com/yubico-piv-tool/.
|
||||
|
||||
Once installed, the module will be found by default in
|
||||
/usr/local/lib/libykcs11.so otherwise it will be built locally in
|
||||
yubico-piv-tool/ykcs11/.libs/libykcs11.so
|
||||
|
||||
=== PORTABILITY
|
||||
The module has been developed and tested using Debian GNU/Linux and
|
||||
Ubuntu Linux. It is however possible to cross-compile it for Windows
|
||||
and Mac OS X using the relative makefiles (windows.mk and mac.mk).
|
||||
Both use PCSC as a backend.
|
||||
|
||||
Further testing at this stage has *not* been carried out, so
|
||||
additional tweaks might be needed to use operating systems different
|
||||
from Linux.
|
||||
|
||||
=== SUPPORTED FUNCTIONALITY AND KNOWN ISSUES
|
||||
YKCS11 is not a full implementation of PKCS#11. Some functionality are
|
||||
not present and others are not yet implemented.
|
||||
|
||||
In its current form YKCS11 implements a smaller subset of
|
||||
functionality:
|
||||
|
||||
- RSA key generation +
|
||||
1024 or 2048 bit keys can be generated;
|
||||
|
||||
- EC key generation +
|
||||
curve prime256v1 is supported (256 bit keys);
|
||||
|
||||
- RSA signature +
|
||||
supported mechanisms are RSA-X-509 (raw RSA), PKCS1 (unhashed),
|
||||
PKCS1 with SHA1/256/384/512 and PSS with SHA1/256/384/512. The
|
||||
latter is implemented but has not been tested, hence is provided as
|
||||
is;
|
||||
|
||||
- ECDSA signature +
|
||||
supported mechanism are ECDSA (raw) and ECDSA with SHA1;
|
||||
|
||||
- RSA and EC public key (X.509 certificate) import;
|
||||
|
||||
- RSA and EC private key import +
|
||||
with possibility of setting individual PIN policies and touch to
|
||||
sign (where supported);
|
||||
|
||||
- Public key deletion.
|
||||
|
||||
PKCS#11 defines two types of users: a regular user and a security
|
||||
officer (SO). These have been mapped to perform regular usage of the
|
||||
private key material (PIN-associated operations) and device management
|
||||
(management-key associated operations).
|
||||
|
||||
==== Key Mapping
|
||||
The module provides four main keys that can be used. These correspond
|
||||
to the four main keys in PIV and accessible through yubico-piv-tool.
|
||||
The mapping is as follows:
|
||||
|
||||
[cols="2*^", options="header"]
|
||||
|===
|
||||
|ykcs11 id|PIV
|
||||
|0|9a
|
||||
|1|9e
|
||||
|2|9c
|
||||
|3|9d
|
||||
|===
|
||||
|
||||
==== PINs and Management Key
|
||||
The default user PIN for the YubiKey is `123456`. +
|
||||
The default management key is
|
||||
`010203040506070801020304050607080102030405060708`. +
|
||||
All the YubiKey personalization (e.g. changing PIN, changing
|
||||
management key, resetting PINs, resetting the application) is
|
||||
currently done using yubico-piv-tool.
|
||||
|
||||
In order to perform operations involving the private keys, a regular
|
||||
user must be logged in (i.e. using the PIN). However, given the
|
||||
different PIN policies for different keys, subsequent operations might
|
||||
require a new login. Currently this is supported by the module
|
||||
allowing multiple _Login_ operations with the appropriate user.
|
||||
According to PKCS#11 however, a special user called `CONTEXT_SPECIFIC`
|
||||
should be used for such operations. This is also supported and *might
|
||||
become the only available mechanism in the future*.
|
||||
|
||||
==== Key Generation
|
||||
Key pair generation is a particular operation, in the sense that
|
||||
within PIV this is the only moment where the newly created public key
|
||||
is given back to the user. To prevent the key from being lost it is
|
||||
automatically stored within the YubiKey by wrapping it in an X.509
|
||||
certificate. This certificate is however empty. It does not have other
|
||||
valid information except for the public key.
|
||||
|
||||
==== DEBUGGING
|
||||
By default the module has debugging disabled. This is _highly_ verbose
|
||||
and might be confusing. In order to enabled it rebuild the project as
|
||||
follows:
|
||||
|
||||
$ autoreconf --install
|
||||
$ ./configure --enable-ykcs11-debug
|
||||
$ make
|
||||
$ sudo make install
|
||||
@@ -1,95 +0,0 @@
|
||||
== Yubico PIV Tool
|
||||
The YubiKey supports the Personal Identity Verification (PIV) card
|
||||
interface specified in NIST SP 800-73 document "Cryptographic
|
||||
Algorithms and Key Sizes for PIV". PIV enables you to perform RSA or
|
||||
ECC sign/decrypt operations using a private key stored on the
|
||||
smartcard, through common interfaces like PKCS#11. This project
|
||||
contain the library, tools and PKCS#11 module to interact with the
|
||||
hardware functionality.
|
||||
|
||||
* PIV Standards https://csrc.nist.gov/groups/SNS/piv/standards.html
|
||||
|
||||
=== General information
|
||||
The default PIN code is 123456. The default PUK code is 12345678.
|
||||
|
||||
The default 3DES management key (9B) is
|
||||
010203040506070801020304050607080102030405060708.
|
||||
|
||||
The following key slots exists:
|
||||
|
||||
* 9A, 9C, 9D, 9E: RSA 1024, RSA 2048, or ECC secp256r1 keys
|
||||
(algorithms 6, 7, 11 respectively).
|
||||
|
||||
* 9B: Triple-DES key (algorithm 3) for PIV management.
|
||||
|
||||
The maximum size of stored objects is 2025/3049 bytes for current versions of
|
||||
YubiKey NEO and YubiKey 4, respectively.
|
||||
|
||||
Currently all functionality are available over both contact and
|
||||
contactless interfaces (contrary to what the specifications mandate).
|
||||
|
||||
=== Preparing a YubiKey for real use
|
||||
You would typically change the management key to make sure nobody but
|
||||
you can modify the state of the PIV application on the YubiKey. Make sure to
|
||||
keep a copy of the key around for later use.
|
||||
All of these invocations will leave traces of keys and pins in the command line
|
||||
history, this can be avoided by leaving the argument out all-together and the
|
||||
software will ask for key/pin to be input. For the management key option (-k)
|
||||
this is achieved by leaving out the value but will specifying -k.
|
||||
|
||||
$ key=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:lower:]' | tr -cd '[:xdigit:]' | fold -w48 | head -1)
|
||||
$ echo ${key}
|
||||
$ yubico-piv-tool -aset-mgm-key -n${key}
|
||||
|
||||
The PIN and PUK should be changed as well.
|
||||
|
||||
$ pin=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -cd '[:digit:]' | fold -w6 | head -1)
|
||||
$ echo ${pin}
|
||||
|
||||
$ puk=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -cd '[:digit:]' | fold -w8 | head -1)
|
||||
$ echo ${puk}
|
||||
|
||||
$ yubico-piv-tool -achange-pin -P123456 -N${pin}
|
||||
$ yubico-piv-tool -achange-puk -P12345678 -N${puk}
|
||||
|
||||
=== Other useful commands
|
||||
To generate a new private key:
|
||||
|
||||
$ yubico-piv-tool -k${key} -agenerate -s9c
|
||||
|
||||
To reset PIN/PUK retry counter AND codes (default pin 123456 puk
|
||||
12345678):
|
||||
|
||||
$ yubico-piv-tool -k${key} -averify -P${pin} -apin-retries --pin-retries=3 --puk-retries=3
|
||||
|
||||
To reset the application (PIN/PUK need to be blocked hence trying a couple
|
||||
of times -- you need to modify this if you have changed the default
|
||||
number of PIN/PUK retries).
|
||||
|
||||
$ yubico-piv-tool -averify-pin -P471112
|
||||
$ yubico-piv-tool -averify-pin -P471112
|
||||
$ yubico-piv-tool -averify-pin -P471112
|
||||
$ yubico-piv-tool -averify-pin -P471112
|
||||
$ yubico-piv-tool -achange-puk -P471112 -N6756789
|
||||
$ yubico-piv-tool -achange-puk -P471112 -N6756789
|
||||
$ yubico-piv-tool -achange-puk -P471112 -N6756789
|
||||
$ yubico-piv-tool -achange-puk -P471112 -N6756789
|
||||
$ yubico-piv-tool -areset
|
||||
|
||||
=== Software
|
||||
Card management has been tested with the tools from the OpenSC
|
||||
project, specifically piv-tool, and Yubico's PIV software (see
|
||||
below). Basic features should work with any PIV compliant
|
||||
middleware.
|
||||
|
||||
* https://github.com/OpenSC/OpenSC/wiki
|
||||
* https://developers.yubico.com/yubico-piv-tool/
|
||||
* https://developers.yubico.com/yubikey-piv-manager/
|
||||
* https://github.com/OpenSC/OpenSC/wiki/US-PIV
|
||||
* https://github.com/OpenSC/OpenSC/wiki/PivTool
|
||||
|
||||
=== Card Holder Unique Identifier
|
||||
For the application to be usable in windows the object CHUID (Card Holder
|
||||
Unique Identifier) has to be set and unique. The card contents are
|
||||
also aggressively cached so the CHUID has to be changed if the card
|
||||
contents change.
|
||||
@@ -1,58 +0,0 @@
|
||||
# Copyright (c) 2014-2017 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
#
|
||||
# Note: this build script is for testing OpenSSL 1.1 builds. The official
|
||||
# Linux release builds are handled by the standard Makefile.
|
||||
#
|
||||
PACKAGE=yubico-piv-tool
|
||||
OPENSSLVERSION=1.1.0g
|
||||
|
||||
all: linux
|
||||
|
||||
doit:
|
||||
rm -rf tmp && mkdir tmp && cd tmp && \
|
||||
mkdir -p root/licenses && \
|
||||
cp ../openssl-$(OPENSSLVERSION).tar.gz . || \
|
||||
curl -L -O "https://www.openssl.org/source/openssl-$(OPENSSLVERSION).tar.gz" && \
|
||||
tar xfz openssl-$(OPENSSLVERSION).tar.gz && \
|
||||
cd openssl-$(OPENSSLVERSION) && \
|
||||
./Configure linux-x86_64 shared --prefix=$(PWD)/tmp/root $(CFLAGS) && \
|
||||
make all install VERSION="$(OPENSSLVERSION)" && \
|
||||
cp LICENSE $(PWD)/tmp$(ARCH)/root/licenses/openssl.txt && \
|
||||
cd .. && \
|
||||
cp ../$(PACKAGE)-$(VERSION).tar.gz . && \
|
||||
tar xfz $(PACKAGE)-$(VERSION).tar.gz && \
|
||||
cd $(PACKAGE)-$(VERSION)/ && \
|
||||
CFLAGS=$(CFLAGS) PKG_CONFIG_PATH=$(PWD)/tmp/root/lib/pkgconfig ./configure --prefix=$(PWD)/tmp/root && \
|
||||
make install $(CHECK) && \
|
||||
cd .. && \
|
||||
cd root && \
|
||||
zip -r ../../$(PACKAGE)-$(VERSION)-linux-openssl-$(OPENSSLVERSION).zip *
|
||||
|
||||
linux:
|
||||
$(MAKE) -f linux.mk doit CHECK=check
|
||||
@@ -1,312 +0,0 @@
|
||||
# This file is part of Autoconf. -*- Autoconf -*-
|
||||
|
||||
# Copyright (C) 2004 Oren Ben-Kiki
|
||||
# This file is distributed under the same terms as the Autoconf macro files.
|
||||
|
||||
# Generate automatic documentation using Doxygen. Works in concert with the
|
||||
# aminclude.m4 file and a compatible doxygen configuration file. Defines the
|
||||
# following public macros:
|
||||
#
|
||||
# DX_???_FEATURE(ON|OFF) - control the default setting fo a Doxygen feature.
|
||||
# Supported features are 'DOXYGEN' itself, 'DOT' for generating graphics,
|
||||
# 'HTML' for plain HTML, 'CHM' for compressed HTML help (for MS users), 'CHI'
|
||||
# for generating a seperate .chi file by the .chm file, and 'MAN', 'RTF',
|
||||
# 'XML', 'PDF' and 'PS' for the appropriate output formats. The environment
|
||||
# variable DOXYGEN_PAPER_SIZE may be specified to override the default 'a4wide'
|
||||
# paper size.
|
||||
#
|
||||
# By default, HTML, PDF and PS documentation is generated as this seems to be
|
||||
# the most popular and portable combination. MAN pages created by Doxygen are
|
||||
# usually problematic, though by picking an appropriate subset and doing some
|
||||
# massaging they might be better than nothing. CHM and RTF are specific for MS
|
||||
# (note that you can't generate both HTML and CHM at the same time). The XML is
|
||||
# rather useless unless you apply specialized post-processing to it.
|
||||
#
|
||||
# The macro mainly controls the default state of the feature. The use can
|
||||
# override the default by specifying --enable or --disable. The macros ensure
|
||||
# that contradictory flags are not given (e.g., --enable-doxygen-html and
|
||||
# --enable-doxygen-chm, --enable-doxygen-anything with --disable-doxygen, etc.)
|
||||
# Finally, each feature will be automatically disabled (with a warning) if the
|
||||
# required programs are missing.
|
||||
#
|
||||
# Once all the feature defaults have been specified, call DX_INIT_DOXYGEN with
|
||||
# the following parameters: a one-word name for the project for use as a
|
||||
# filename base etc., an optional configuration file name (the default is
|
||||
# 'Doxyfile', the same as Doxygen's default), and an optional output directory
|
||||
# name (the default is 'doxygen-doc').
|
||||
|
||||
## ----------##
|
||||
## Defaults. ##
|
||||
## ----------##
|
||||
|
||||
DX_ENV=""
|
||||
AC_DEFUN([DX_FEATURE_doc], ON)
|
||||
AC_DEFUN([DX_FEATURE_dot], ON)
|
||||
AC_DEFUN([DX_FEATURE_man], OFF)
|
||||
AC_DEFUN([DX_FEATURE_html], ON)
|
||||
AC_DEFUN([DX_FEATURE_chm], OFF)
|
||||
AC_DEFUN([DX_FEATURE_chi], OFF)
|
||||
AC_DEFUN([DX_FEATURE_rtf], OFF)
|
||||
AC_DEFUN([DX_FEATURE_xml], OFF)
|
||||
AC_DEFUN([DX_FEATURE_pdf], ON)
|
||||
AC_DEFUN([DX_FEATURE_ps], ON)
|
||||
|
||||
## --------------- ##
|
||||
## Private macros. ##
|
||||
## --------------- ##
|
||||
|
||||
# DX_ENV_APPEND(VARIABLE, VALUE)
|
||||
# ------------------------------
|
||||
# Append VARIABLE="VALUE" to DX_ENV for invoking doxygen.
|
||||
AC_DEFUN([DX_ENV_APPEND], [AC_SUBST([DX_ENV], ["$DX_ENV $1='$2'"])])
|
||||
|
||||
# DX_DIRNAME_EXPR
|
||||
# ---------------
|
||||
# Expand into a shell expression prints the directory part of a path.
|
||||
AC_DEFUN([DX_DIRNAME_EXPR],
|
||||
[[expr ".$1" : '\(\.\)[^/]*$' \| "x$1" : 'x\(.*\)/[^/]*$']])
|
||||
|
||||
# DX_IF_FEATURE(FEATURE, IF-ON, IF-OFF)
|
||||
# -------------------------------------
|
||||
# Expands according to the M4 (static) status of the feature.
|
||||
AC_DEFUN([DX_IF_FEATURE], [ifelse(DX_FEATURE_$1, ON, [$2], [$3])])
|
||||
|
||||
# DX_REQUIRE_PROG(VARIABLE, PROGRAM)
|
||||
# ----------------------------------
|
||||
# Require the specified program to be found for the DX_CURRENT_FEATURE to work.
|
||||
AC_DEFUN([DX_REQUIRE_PROG], [
|
||||
AC_PATH_TOOL([$1], [$2])
|
||||
if test "$DX_FLAG_[]DX_CURRENT_FEATURE$$1" = 1; then
|
||||
AC_MSG_WARN([$2 not found - will not DX_CURRENT_DESCRIPTION])
|
||||
AC_SUBST([DX_FLAG_]DX_CURRENT_FEATURE, 0)
|
||||
fi
|
||||
])
|
||||
|
||||
# DX_TEST_FEATURE(FEATURE)
|
||||
# ------------------------
|
||||
# Expand to a shell expression testing whether the feature is active.
|
||||
AC_DEFUN([DX_TEST_FEATURE], [test "$DX_FLAG_$1" = 1])
|
||||
|
||||
# DX_CHECK_DEPEND(REQUIRED_FEATURE, REQUIRED_STATE)
|
||||
# -------------------------------------------------
|
||||
# Verify that a required features has the right state before trying to turn on
|
||||
# the DX_CURRENT_FEATURE.
|
||||
AC_DEFUN([DX_CHECK_DEPEND], [
|
||||
test "$DX_FLAG_$1" = "$2" \
|
||||
|| AC_MSG_ERROR([doxygen-DX_CURRENT_FEATURE ifelse([$2], 1,
|
||||
requires, contradicts) doxygen-DX_CURRENT_FEATURE])
|
||||
])
|
||||
|
||||
# DX_CLEAR_DEPEND(FEATURE, REQUIRED_FEATURE, REQUIRED_STATE)
|
||||
# ----------------------------------------------------------
|
||||
# Turn off the DX_CURRENT_FEATURE if the required feature is off.
|
||||
AC_DEFUN([DX_CLEAR_DEPEND], [
|
||||
test "$DX_FLAG_$1" = "$2" || AC_SUBST([DX_FLAG_]DX_CURRENT_FEATURE, 0)
|
||||
])
|
||||
|
||||
# DX_FEATURE_ARG(FEATURE, DESCRIPTION,
|
||||
# CHECK_DEPEND, CLEAR_DEPEND,
|
||||
# REQUIRE, DO-IF-ON, DO-IF-OFF)
|
||||
# --------------------------------------------
|
||||
# Parse the command-line option controlling a feature. CHECK_DEPEND is called
|
||||
# if the user explicitly turns the feature on (and invokes DX_CHECK_DEPEND),
|
||||
# otherwise CLEAR_DEPEND is called to turn off the default state if a required
|
||||
# feature is disabled (using DX_CLEAR_DEPEND). REQUIRE performs additional
|
||||
# requirement tests (DX_REQUIRE_PROG). Finally, an automake flag is set and
|
||||
# DO-IF-ON or DO-IF-OFF are called according to the final state of the feature.
|
||||
AC_DEFUN([DX_ARG_ABLE], [
|
||||
AC_DEFUN([DX_CURRENT_FEATURE], [$1])
|
||||
AC_DEFUN([DX_CURRENT_DESCRIPTION], [$2])
|
||||
AC_ARG_ENABLE(doxygen-$1,
|
||||
[AS_HELP_STRING(DX_IF_FEATURE([$1], [--disable-doxygen-$1],
|
||||
[--enable-doxygen-$1]),
|
||||
DX_IF_FEATURE([$1], [don't $2], [$2]))],
|
||||
[
|
||||
case "$enableval" in
|
||||
#(
|
||||
y|Y|yes|Yes|YES)
|
||||
AC_SUBST([DX_FLAG_$1], 1)
|
||||
$3
|
||||
;; #(
|
||||
n|N|no|No|NO)
|
||||
AC_SUBST([DX_FLAG_$1], 0)
|
||||
;; #(
|
||||
*)
|
||||
AC_MSG_ERROR([invalid value '$enableval' given to doxygen-$1])
|
||||
;;
|
||||
esac
|
||||
], [
|
||||
AC_SUBST([DX_FLAG_$1], [DX_IF_FEATURE([$1], 1, 0)])
|
||||
$4
|
||||
])
|
||||
if DX_TEST_FEATURE([$1]); then
|
||||
$5
|
||||
:
|
||||
fi
|
||||
if DX_TEST_FEATURE([$1]); then
|
||||
AM_CONDITIONAL(DX_COND_$1, :)
|
||||
$6
|
||||
:
|
||||
else
|
||||
AM_CONDITIONAL(DX_COND_$1, false)
|
||||
$7
|
||||
:
|
||||
fi
|
||||
])
|
||||
|
||||
## -------------- ##
|
||||
## Public macros. ##
|
||||
## -------------- ##
|
||||
|
||||
# DX_XXX_FEATURE(DEFAULT_STATE)
|
||||
# -----------------------------
|
||||
AC_DEFUN([DX_DOXYGEN_FEATURE], [AC_DEFUN([DX_FEATURE_doc], [$1])])
|
||||
AC_DEFUN([DX_MAN_FEATURE], [AC_DEFUN([DX_FEATURE_man], [$1])])
|
||||
AC_DEFUN([DX_HTML_FEATURE], [AC_DEFUN([DX_FEATURE_html], [$1])])
|
||||
AC_DEFUN([DX_CHM_FEATURE], [AC_DEFUN([DX_FEATURE_chm], [$1])])
|
||||
AC_DEFUN([DX_CHI_FEATURE], [AC_DEFUN([DX_FEATURE_chi], [$1])])
|
||||
AC_DEFUN([DX_RTF_FEATURE], [AC_DEFUN([DX_FEATURE_rtf], [$1])])
|
||||
AC_DEFUN([DX_XML_FEATURE], [AC_DEFUN([DX_FEATURE_xml], [$1])])
|
||||
AC_DEFUN([DX_XML_FEATURE], [AC_DEFUN([DX_FEATURE_xml], [$1])])
|
||||
AC_DEFUN([DX_PDF_FEATURE], [AC_DEFUN([DX_FEATURE_pdf], [$1])])
|
||||
AC_DEFUN([DX_PS_FEATURE], [AC_DEFUN([DX_FEATURE_ps], [$1])])
|
||||
|
||||
# DX_INIT_DOXYGEN(PROJECT, [CONFIG-FILE], [OUTPUT-DOC-DIR])
|
||||
# ---------------------------------------------------------
|
||||
# PROJECT also serves as the base name for the documentation files.
|
||||
# The default CONFIG-FILE is "Doxyfile" and OUTPUT-DOC-DIR is "doxygen-doc".
|
||||
AC_DEFUN([DX_INIT_DOXYGEN], [
|
||||
|
||||
# Files:
|
||||
AC_SUBST([DX_PROJECT], [$1])
|
||||
AC_SUBST([DX_CONFIG], [ifelse([$2], [], Doxyfile, [$2])])
|
||||
AC_SUBST([DX_DOCDIR], [ifelse([$3], [], doxygen-doc, [$3])])
|
||||
|
||||
# Environment variables used inside doxygen.cfg:
|
||||
DX_ENV_APPEND(SRCDIR, $srcdir)
|
||||
DX_ENV_APPEND(PROJECT, $DX_PROJECT)
|
||||
DX_ENV_APPEND(DOCDIR, $DX_DOCDIR)
|
||||
DX_ENV_APPEND(VERSION, $PACKAGE_VERSION)
|
||||
|
||||
# Doxygen itself:
|
||||
DX_ARG_ABLE(doc, [generate any doxygen documentation],
|
||||
[],
|
||||
[],
|
||||
[DX_REQUIRE_PROG([DX_DOXYGEN], doxygen)
|
||||
DX_REQUIRE_PROG([DX_PERL], perl)],
|
||||
[DX_ENV_APPEND(PERL_PATH, $DX_PERL)])
|
||||
|
||||
# Dot for graphics:
|
||||
DX_ARG_ABLE(dot, [generate graphics for doxygen documentation],
|
||||
[DX_CHECK_DEPEND(doc, 1)],
|
||||
[DX_CLEAR_DEPEND(doc, 1)],
|
||||
[DX_REQUIRE_PROG([DX_DOT], dot)],
|
||||
[DX_ENV_APPEND(HAVE_DOT, YES)
|
||||
DX_ENV_APPEND(DOT_PATH, [`DX_DIRNAME_EXPR($DX_DOT)`])],
|
||||
[DX_ENV_APPEND(HAVE_DOT, NO)])
|
||||
|
||||
# Man pages generation:
|
||||
DX_ARG_ABLE(man, [generate doxygen manual pages],
|
||||
[DX_CHECK_DEPEND(doc, 1)],
|
||||
[DX_CLEAR_DEPEND(doc, 1)],
|
||||
[],
|
||||
[DX_ENV_APPEND(GENERATE_MAN, YES)],
|
||||
[DX_ENV_APPEND(GENERATE_MAN, NO)])
|
||||
|
||||
# RTF file generation:
|
||||
DX_ARG_ABLE(rtf, [generate doxygen RTF documentation],
|
||||
[DX_CHECK_DEPEND(doc, 1)],
|
||||
[DX_CLEAR_DEPEND(doc, 1)],
|
||||
[],
|
||||
[DX_ENV_APPEND(GENERATE_RTF, YES)],
|
||||
[DX_ENV_APPEND(GENERATE_RTF, NO)])
|
||||
|
||||
# XML file generation:
|
||||
DX_ARG_ABLE(xml, [generate doxygen XML documentation],
|
||||
[DX_CHECK_DEPEND(doc, 1)],
|
||||
[DX_CLEAR_DEPEND(doc, 1)],
|
||||
[],
|
||||
[DX_ENV_APPEND(GENERATE_XML, YES)],
|
||||
[DX_ENV_APPEND(GENERATE_XML, NO)])
|
||||
|
||||
# (Compressed) HTML help generation:
|
||||
DX_ARG_ABLE(chm, [generate doxygen compressed HTML help documentation],
|
||||
[DX_CHECK_DEPEND(doc, 1)],
|
||||
[DX_CLEAR_DEPEND(doc, 1)],
|
||||
[DX_REQUIRE_PROG([DX_HHC], hhc)],
|
||||
[DX_ENV_APPEND(HHC_PATH, $DX_HHC)
|
||||
DX_ENV_APPEND(GENERATE_HTML, YES)
|
||||
DX_ENV_APPEND(GENERATE_HTMLHELP, YES)],
|
||||
[DX_ENV_APPEND(GENERATE_HTMLHELP, NO)])
|
||||
|
||||
# Seperate CHI file generation.
|
||||
DX_ARG_ABLE(chi, [generate doxygen seperate compressed HTML help index file],
|
||||
[DX_CHECK_DEPEND(chm, 1)],
|
||||
[DX_CLEAR_DEPEND(chm, 1)],
|
||||
[],
|
||||
[DX_ENV_APPEND(GENERATE_CHI, YES)],
|
||||
[DX_ENV_APPEND(GENERATE_CHI, NO)])
|
||||
|
||||
# Plain HTML pages generation:
|
||||
DX_ARG_ABLE(html, [generate doxygen plain HTML documentation],
|
||||
[DX_CHECK_DEPEND(doc, 1) DX_CHECK_DEPEND(chm, 0)],
|
||||
[DX_CLEAR_DEPEND(doc, 1) DX_CLEAR_DEPEND(chm, 0)],
|
||||
[],
|
||||
[DX_ENV_APPEND(GENERATE_HTML, YES)],
|
||||
[DX_TEST_FEATURE(chm) || DX_ENV_APPEND(GENERATE_HTML, NO)])
|
||||
|
||||
# PostScript file generation:
|
||||
DX_ARG_ABLE(ps, [generate doxygen PostScript documentation],
|
||||
[DX_CHECK_DEPEND(doc, 1)],
|
||||
[DX_CLEAR_DEPEND(doc, 1)],
|
||||
[DX_REQUIRE_PROG([DX_LATEX], latex)
|
||||
DX_REQUIRE_PROG([DX_MAKEINDEX], makeindex)
|
||||
DX_REQUIRE_PROG([DX_DVIPS], dvips)
|
||||
DX_REQUIRE_PROG([DX_EGREP], egrep)])
|
||||
|
||||
# PDF file generation:
|
||||
DX_ARG_ABLE(pdf, [generate doxygen PDF documentation],
|
||||
[DX_CHECK_DEPEND(doc, 1)],
|
||||
[DX_CLEAR_DEPEND(doc, 1)],
|
||||
[DX_REQUIRE_PROG([DX_PDFLATEX], pdflatex)
|
||||
DX_REQUIRE_PROG([DX_MAKEINDEX], makeindex)
|
||||
DX_REQUIRE_PROG([DX_EGREP], egrep)])
|
||||
|
||||
# LaTeX generation for PS and/or PDF:
|
||||
if DX_TEST_FEATURE(ps) || DX_TEST_FEATURE(pdf); then
|
||||
AM_CONDITIONAL(DX_COND_latex, :)
|
||||
DX_ENV_APPEND(GENERATE_LATEX, YES)
|
||||
else
|
||||
AM_CONDITIONAL(DX_COND_latex, false)
|
||||
DX_ENV_APPEND(GENERATE_LATEX, NO)
|
||||
fi
|
||||
|
||||
# Paper size for PS and/or PDF:
|
||||
AC_ARG_VAR(DOXYGEN_PAPER_SIZE,
|
||||
[a4wide (default), a4, letter, legal or executive])
|
||||
case "$DOXYGEN_PAPER_SIZE" in
|
||||
#(
|
||||
"")
|
||||
AC_SUBST(DOXYGEN_PAPER_SIZE, "")
|
||||
;; #(
|
||||
a4wide|a4|letter|legal|executive)
|
||||
DX_ENV_APPEND(PAPER_SIZE, $DOXYGEN_PAPER_SIZE)
|
||||
;; #(
|
||||
*)
|
||||
AC_MSG_ERROR([unknown DOXYGEN_PAPER_SIZE='$DOXYGEN_PAPER_SIZE'])
|
||||
;;
|
||||
esac
|
||||
|
||||
#For debugging:
|
||||
#echo DX_FLAG_doc=$DX_FLAG_doc
|
||||
#echo DX_FLAG_dot=$DX_FLAG_dot
|
||||
#echo DX_FLAG_man=$DX_FLAG_man
|
||||
#echo DX_FLAG_html=$DX_FLAG_html
|
||||
#echo DX_FLAG_chm=$DX_FLAG_chm
|
||||
#echo DX_FLAG_chi=$DX_FLAG_chi
|
||||
#echo DX_FLAG_rtf=$DX_FLAG_rtf
|
||||
#echo DX_FLAG_xml=$DX_FLAG_xml
|
||||
#echo DX_FLAG_pdf=$DX_FLAG_pdf
|
||||
#echo DX_FLAG_ps=$DX_FLAG_ps
|
||||
#echo DX_ENV=$DX_ENV
|
||||
])
|
||||
@@ -1,53 +0,0 @@
|
||||
# ld-version-script.m4 serial 3
|
||||
dnl Copyright (C) 2008-2012 Free Software Foundation, Inc.
|
||||
dnl This file is free software; the Free Software Foundation
|
||||
dnl gives unlimited permission to copy and/or distribute it,
|
||||
dnl with or without modifications, as long as this notice is preserved.
|
||||
|
||||
dnl From Simon Josefsson
|
||||
|
||||
# FIXME: The test below returns a false positive for mingw
|
||||
# cross-compiles, 'local:' statements does not reduce number of
|
||||
# exported symbols in a DLL. Use --disable-ld-version-script to work
|
||||
# around the problem.
|
||||
|
||||
# gl_LD_VERSION_SCRIPT
|
||||
# --------------------
|
||||
# Check if LD supports linker scripts, and define automake conditional
|
||||
# HAVE_LD_VERSION_SCRIPT if so.
|
||||
AC_DEFUN([gl_LD_VERSION_SCRIPT],
|
||||
[
|
||||
AC_ARG_ENABLE([ld-version-script],
|
||||
AS_HELP_STRING([--enable-ld-version-script],
|
||||
[enable linker version script (default is enabled when possible)]),
|
||||
[have_ld_version_script=$enableval], [])
|
||||
if test -z "$have_ld_version_script"; then
|
||||
AC_MSG_CHECKING([if LD -Wl,--version-script works])
|
||||
save_LDFLAGS="$LDFLAGS"
|
||||
LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map"
|
||||
cat > conftest.map <<EOF
|
||||
foo
|
||||
EOF
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
|
||||
[accepts_syntax_errors=yes], [accepts_syntax_errors=no])
|
||||
if test "$accepts_syntax_errors" = no; then
|
||||
cat > conftest.map <<EOF
|
||||
VERS_1 {
|
||||
global: sym;
|
||||
};
|
||||
|
||||
VERS_2 {
|
||||
global: sym;
|
||||
} VERS_1;
|
||||
EOF
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
|
||||
[have_ld_version_script=yes], [have_ld_version_script=no])
|
||||
else
|
||||
have_ld_version_script=no
|
||||
fi
|
||||
rm -f conftest.map
|
||||
LDFLAGS="$save_LDFLAGS"
|
||||
AC_MSG_RESULT($have_ld_version_script)
|
||||
fi
|
||||
AM_CONDITIONAL(HAVE_LD_VERSION_SCRIPT, test "$have_ld_version_script" = "yes")
|
||||
])
|
||||
@@ -1,182 +0,0 @@
|
||||
# manywarnings.m4 serial 4
|
||||
dnl Copyright (C) 2008-2012 Free Software Foundation, Inc.
|
||||
dnl This file is free software; the Free Software Foundation
|
||||
dnl gives unlimited permission to copy and/or distribute it,
|
||||
dnl with or without modifications, as long as this notice is preserved.
|
||||
|
||||
dnl From Simon Josefsson
|
||||
|
||||
# gl_MANYWARN_COMPLEMENT(OUTVAR, LISTVAR, REMOVEVAR)
|
||||
# --------------------------------------------------
|
||||
# Copy LISTVAR to OUTVAR except for the entries in REMOVEVAR.
|
||||
# Elements separated by whitespace. In set logic terms, the function
|
||||
# does OUTVAR = LISTVAR \ REMOVEVAR.
|
||||
AC_DEFUN([gl_MANYWARN_COMPLEMENT],
|
||||
[
|
||||
gl_warn_set=
|
||||
set x $2; shift
|
||||
for gl_warn_item
|
||||
do
|
||||
case " $3 " in
|
||||
*" $gl_warn_item "*)
|
||||
;;
|
||||
*)
|
||||
gl_warn_set="$gl_warn_set $gl_warn_item"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
$1=$gl_warn_set
|
||||
])
|
||||
|
||||
# gl_MANYWARN_ALL_GCC(VARIABLE)
|
||||
# -----------------------------
|
||||
# Add all documented GCC warning parameters to variable VARIABLE.
|
||||
# Note that you need to test them using gl_WARN_ADD if you want to
|
||||
# make sure your gcc understands it.
|
||||
AC_DEFUN([gl_MANYWARN_ALL_GCC],
|
||||
[
|
||||
dnl First, check if -Wno-missing-field-initializers is needed.
|
||||
dnl -Wmissing-field-initializers is implied by -W, but that issues
|
||||
dnl warnings with GCC version before 4.7, for the common idiom
|
||||
dnl of initializing types on the stack to zero, using { 0, }
|
||||
AC_REQUIRE([AC_PROG_CC])
|
||||
if test -n "$GCC"; then
|
||||
|
||||
dnl First, check -W -Werror -Wno-missing-field-initializers is supported
|
||||
dnl with the current $CC $CFLAGS $CPPFLAGS.
|
||||
AC_MSG_CHECKING([whether -Wno-missing-field-initializers is supported])
|
||||
AC_CACHE_VAL([gl_cv_cc_nomfi_supported], [
|
||||
gl_save_CFLAGS="$CFLAGS"
|
||||
CFLAGS="$CFLAGS -W -Werror -Wno-missing-field-initializers"
|
||||
AC_COMPILE_IFELSE(
|
||||
[AC_LANG_PROGRAM([[]], [[]])],
|
||||
[gl_cv_cc_nomfi_supported=yes],
|
||||
[gl_cv_cc_nomfi_supported=no])
|
||||
CFLAGS="$gl_save_CFLAGS"])
|
||||
AC_MSG_RESULT([$gl_cv_cc_nomfi_supported])
|
||||
|
||||
if test "$gl_cv_cc_nomfi_supported" = yes; then
|
||||
dnl Now check whether -Wno-missing-field-initializers is needed
|
||||
dnl for the { 0, } construct.
|
||||
AC_MSG_CHECKING([whether -Wno-missing-field-initializers is needed])
|
||||
AC_CACHE_VAL([gl_cv_cc_nomfi_needed], [
|
||||
gl_save_CFLAGS="$CFLAGS"
|
||||
CFLAGS="$CFLAGS -W -Werror"
|
||||
AC_COMPILE_IFELSE(
|
||||
[AC_LANG_PROGRAM(
|
||||
[[void f (void)
|
||||
{
|
||||
typedef struct { int a; int b; } s_t;
|
||||
s_t s1 = { 0, };
|
||||
}
|
||||
]],
|
||||
[[]])],
|
||||
[gl_cv_cc_nomfi_needed=no],
|
||||
[gl_cv_cc_nomfi_needed=yes])
|
||||
CFLAGS="$gl_save_CFLAGS"
|
||||
])
|
||||
AC_MSG_RESULT([$gl_cv_cc_nomfi_needed])
|
||||
fi
|
||||
fi
|
||||
|
||||
gl_manywarn_set=
|
||||
for gl_manywarn_item in \
|
||||
-Wall \
|
||||
-W \
|
||||
-Wformat-y2k \
|
||||
-Wformat-nonliteral \
|
||||
-Wformat-security \
|
||||
-Winit-self \
|
||||
-Wmissing-include-dirs \
|
||||
-Wswitch-default \
|
||||
-Wswitch-enum \
|
||||
-Wunused \
|
||||
-Wunknown-pragmas \
|
||||
-Wstrict-aliasing \
|
||||
-Wstrict-overflow \
|
||||
-Wsystem-headers \
|
||||
-Wfloat-equal \
|
||||
-Wtraditional \
|
||||
-Wtraditional-conversion \
|
||||
-Wdeclaration-after-statement \
|
||||
-Wundef \
|
||||
-Wshadow \
|
||||
-Wunsafe-loop-optimizations \
|
||||
-Wpointer-arith \
|
||||
-Wbad-function-cast \
|
||||
-Wc++-compat \
|
||||
-Wcast-qual \
|
||||
-Wcast-align \
|
||||
-Wwrite-strings \
|
||||
-Wconversion \
|
||||
-Wsign-conversion \
|
||||
-Wlogical-op \
|
||||
-Waggregate-return \
|
||||
-Wstrict-prototypes \
|
||||
-Wold-style-definition \
|
||||
-Wmissing-prototypes \
|
||||
-Wmissing-declarations \
|
||||
-Wmissing-noreturn \
|
||||
-Wmissing-format-attribute \
|
||||
-Wpacked \
|
||||
-Wpadded \
|
||||
-Wredundant-decls \
|
||||
-Wnested-externs \
|
||||
-Wunreachable-code \
|
||||
-Winline \
|
||||
-Winvalid-pch \
|
||||
-Wlong-long \
|
||||
-Wvla \
|
||||
-Wvolatile-register-var \
|
||||
-Wdisabled-optimization \
|
||||
-Wstack-protector \
|
||||
-Woverlength-strings \
|
||||
-Wbuiltin-macro-redefined \
|
||||
-Wpacked-bitfield-compat \
|
||||
-Wsync-nand \
|
||||
; do
|
||||
gl_manywarn_set="$gl_manywarn_set $gl_manywarn_item"
|
||||
done
|
||||
# The following are not documented in the manual but are included in
|
||||
# output from gcc --help=warnings.
|
||||
for gl_manywarn_item in \
|
||||
-Wattributes \
|
||||
-Wcoverage-mismatch \
|
||||
-Wunused-macros \
|
||||
; do
|
||||
gl_manywarn_set="$gl_manywarn_set $gl_manywarn_item"
|
||||
done
|
||||
# More warnings from gcc 4.6.2 --help=warnings.
|
||||
for gl_manywarn_item in \
|
||||
-Wabi \
|
||||
-Wcpp \
|
||||
-Wdeprecated \
|
||||
-Wdeprecated-declarations \
|
||||
-Wdiv-by-zero \
|
||||
-Wdouble-promotion \
|
||||
-Wendif-labels \
|
||||
-Wextra \
|
||||
-Wformat-contains-nul \
|
||||
-Wformat-extra-args \
|
||||
-Wformat-zero-length \
|
||||
-Wformat=2 \
|
||||
-Wmultichar \
|
||||
-Wnormalized=nfc \
|
||||
-Woverflow \
|
||||
-Wpointer-to-int-cast \
|
||||
-Wpragmas \
|
||||
-Wsuggest-attribute=const \
|
||||
-Wsuggest-attribute=noreturn \
|
||||
-Wsuggest-attribute=pure \
|
||||
-Wtrampolines \
|
||||
; do
|
||||
gl_manywarn_set="$gl_manywarn_set $gl_manywarn_item"
|
||||
done
|
||||
|
||||
# Disable the missing-field-initializers warning if needed
|
||||
if test "$gl_cv_cc_nomfi_needed" = yes; then
|
||||
gl_manywarn_set="$gl_manywarn_set -Wno-missing-field-initializers"
|
||||
fi
|
||||
|
||||
$1=$gl_manywarn_set
|
||||
])
|
||||
@@ -1,157 +0,0 @@
|
||||
# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*-
|
||||
#
|
||||
# Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful, but
|
||||
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
# General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
#
|
||||
# As a special exception to the GNU General Public License, if you
|
||||
# distribute this file as part of a program that contains a
|
||||
# configuration script generated by Autoconf, you may include it under
|
||||
# the same distribution terms that you use for the rest of that program.
|
||||
|
||||
# PKG_PROG_PKG_CONFIG([MIN-VERSION])
|
||||
# ----------------------------------
|
||||
AC_DEFUN([PKG_PROG_PKG_CONFIG],
|
||||
[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
|
||||
m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
|
||||
AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl
|
||||
if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
|
||||
AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
|
||||
fi
|
||||
if test -n "$PKG_CONFIG"; then
|
||||
_pkg_min_version=m4_default([$1], [0.9.0])
|
||||
AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
|
||||
if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
|
||||
AC_MSG_RESULT([yes])
|
||||
else
|
||||
AC_MSG_RESULT([no])
|
||||
PKG_CONFIG=""
|
||||
fi
|
||||
|
||||
fi[]dnl
|
||||
])# PKG_PROG_PKG_CONFIG
|
||||
|
||||
# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
|
||||
#
|
||||
# Check to see whether a particular set of modules exists. Similar
|
||||
# to PKG_CHECK_MODULES(), but does not set variables or print errors.
|
||||
#
|
||||
#
|
||||
# Similar to PKG_CHECK_MODULES, make sure that the first instance of
|
||||
# this or PKG_CHECK_MODULES is called, or make sure to call
|
||||
# PKG_CHECK_EXISTS manually
|
||||
# --------------------------------------------------------------
|
||||
AC_DEFUN([PKG_CHECK_EXISTS],
|
||||
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
|
||||
if test -n "$PKG_CONFIG" && \
|
||||
AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
|
||||
m4_ifval([$2], [$2], [:])
|
||||
m4_ifvaln([$3], [else
|
||||
$3])dnl
|
||||
fi])
|
||||
|
||||
|
||||
# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
|
||||
# ---------------------------------------------
|
||||
m4_define([_PKG_CONFIG],
|
||||
[if test -n "$PKG_CONFIG"; then
|
||||
if test -n "$$1"; then
|
||||
pkg_cv_[]$1="$$1"
|
||||
else
|
||||
PKG_CHECK_EXISTS([$3],
|
||||
[pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
|
||||
[pkg_failed=yes])
|
||||
fi
|
||||
else
|
||||
pkg_failed=untried
|
||||
fi[]dnl
|
||||
])# _PKG_CONFIG
|
||||
|
||||
# _PKG_SHORT_ERRORS_SUPPORTED
|
||||
# -----------------------------
|
||||
AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
|
||||
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
|
||||
if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
|
||||
_pkg_short_errors_supported=yes
|
||||
else
|
||||
_pkg_short_errors_supported=no
|
||||
fi[]dnl
|
||||
])# _PKG_SHORT_ERRORS_SUPPORTED
|
||||
|
||||
|
||||
# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
|
||||
# [ACTION-IF-NOT-FOUND])
|
||||
#
|
||||
#
|
||||
# Note that if there is a possibility the first call to
|
||||
# PKG_CHECK_MODULES might not happen, you should be sure to include an
|
||||
# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
|
||||
#
|
||||
#
|
||||
# --------------------------------------------------------------
|
||||
AC_DEFUN([PKG_CHECK_MODULES],
|
||||
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
|
||||
AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
|
||||
AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
|
||||
|
||||
pkg_failed=no
|
||||
AC_MSG_CHECKING([for $1])
|
||||
|
||||
_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
|
||||
_PKG_CONFIG([$1][_LIBS], [libs], [$2])
|
||||
|
||||
m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
|
||||
and $1[]_LIBS to avoid the need to call pkg-config.
|
||||
See the pkg-config man page for more details.])
|
||||
|
||||
if test $pkg_failed = yes; then
|
||||
_PKG_SHORT_ERRORS_SUPPORTED
|
||||
if test $_pkg_short_errors_supported = yes; then
|
||||
$1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"`
|
||||
else
|
||||
$1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"`
|
||||
fi
|
||||
# Put the nasty error message in config.log where it belongs
|
||||
echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
|
||||
|
||||
ifelse([$4], , [AC_MSG_ERROR(dnl
|
||||
[Package requirements ($2) were not met:
|
||||
|
||||
$$1_PKG_ERRORS
|
||||
|
||||
Consider adjusting the PKG_CONFIG_PATH environment variable if you
|
||||
installed software in a non-standard prefix.
|
||||
|
||||
_PKG_TEXT
|
||||
])],
|
||||
[AC_MSG_RESULT([no])
|
||||
$4])
|
||||
elif test $pkg_failed = untried; then
|
||||
ifelse([$4], , [AC_MSG_FAILURE(dnl
|
||||
[The pkg-config script could not be found or is too old. Make sure it
|
||||
is in your PATH or set the PKG_CONFIG environment variable to the full
|
||||
path to pkg-config.
|
||||
|
||||
_PKG_TEXT
|
||||
|
||||
To get pkg-config, see <https://www.freedesktop.org/wiki/Software/pkg-config/>.])],
|
||||
[$4])
|
||||
else
|
||||
$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
|
||||
$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
|
||||
AC_MSG_RESULT([yes])
|
||||
ifelse([$3], , :, [$3])
|
||||
fi[]dnl
|
||||
])# PKG_CHECK_MODULES
|
||||
@@ -1,37 +0,0 @@
|
||||
# valgrind-tests.m4 serial 3
|
||||
dnl Copyright (C) 2008-2014 Free Software Foundation, Inc.
|
||||
dnl This file is free software; the Free Software Foundation
|
||||
dnl gives unlimited permission to copy and/or distribute it,
|
||||
dnl with or without modifications, as long as this notice is preserved.
|
||||
|
||||
dnl From Simon Josefsson
|
||||
|
||||
# gl_VALGRIND_TESTS()
|
||||
# -------------------
|
||||
# Check if valgrind is available, and set VALGRIND to it if available.
|
||||
AC_DEFUN([gl_VALGRIND_TESTS],
|
||||
[
|
||||
AC_ARG_ENABLE(valgrind-tests,
|
||||
AS_HELP_STRING([--enable-valgrind-tests],
|
||||
[run self tests under valgrind]),
|
||||
[opt_valgrind_tests=$enableval], [opt_valgrind_tests=yes])
|
||||
|
||||
# Run self-tests under valgrind?
|
||||
if test "$opt_valgrind_tests" = "yes" && test "$cross_compiling" = no; then
|
||||
AC_CHECK_PROGS(VALGRIND, valgrind)
|
||||
fi
|
||||
|
||||
OPTS="-q --error-exitcode=1 --leak-check=full"
|
||||
|
||||
if test -n "$VALGRIND" \
|
||||
&& $VALGRIND $OPTS $SHELL -c 'exit 0' > /dev/null 2>&1; then
|
||||
opt_valgrind_tests=yes
|
||||
VALGRIND="$VALGRIND $OPTS"
|
||||
else
|
||||
opt_valgrind_tests=no
|
||||
VALGRIND=
|
||||
fi
|
||||
|
||||
AC_MSG_CHECKING([whether self tests are run under valgrind])
|
||||
AC_MSG_RESULT($opt_valgrind_tests)
|
||||
])
|
||||
@@ -1,61 +0,0 @@
|
||||
# warnings.m4 serial 7
|
||||
dnl Copyright (C) 2008-2012 Free Software Foundation, Inc.
|
||||
dnl This file is free software; the Free Software Foundation
|
||||
dnl gives unlimited permission to copy and/or distribute it,
|
||||
dnl with or without modifications, as long as this notice is preserved.
|
||||
|
||||
dnl From Simon Josefsson
|
||||
|
||||
# gl_AS_VAR_APPEND(VAR, VALUE)
|
||||
# ----------------------------
|
||||
# Provide the functionality of AS_VAR_APPEND if Autoconf does not have it.
|
||||
m4_ifdef([AS_VAR_APPEND],
|
||||
[m4_copy([AS_VAR_APPEND], [gl_AS_VAR_APPEND])],
|
||||
[m4_define([gl_AS_VAR_APPEND],
|
||||
[AS_VAR_SET([$1], [AS_VAR_GET([$1])$2])])])
|
||||
|
||||
|
||||
# gl_COMPILER_OPTION_IF(OPTION, [IF-SUPPORTED], [IF-NOT-SUPPORTED],
|
||||
# [PROGRAM = AC_LANG_PROGRAM()])
|
||||
# -----------------------------------------------------------------
|
||||
# Check if the compiler supports OPTION when compiling PROGRAM.
|
||||
#
|
||||
# FIXME: gl_Warn must be used unquoted until we can assume Autoconf
|
||||
# 2.64 or newer.
|
||||
AC_DEFUN([gl_COMPILER_OPTION_IF],
|
||||
[AS_VAR_PUSHDEF([gl_Warn], [gl_cv_warn_[]_AC_LANG_ABBREV[]_$1])dnl
|
||||
AS_VAR_PUSHDEF([gl_Flags], [_AC_LANG_PREFIX[]FLAGS])dnl
|
||||
AC_CACHE_CHECK([whether _AC_LANG compiler handles $1], m4_defn([gl_Warn]), [
|
||||
gl_save_compiler_FLAGS="$gl_Flags"
|
||||
gl_AS_VAR_APPEND(m4_defn([gl_Flags]), [" $1"])
|
||||
AC_COMPILE_IFELSE([m4_default([$4], [AC_LANG_PROGRAM([])])],
|
||||
[AS_VAR_SET(gl_Warn, [yes])],
|
||||
[AS_VAR_SET(gl_Warn, [no])])
|
||||
gl_Flags="$gl_save_compiler_FLAGS"
|
||||
])
|
||||
AS_VAR_IF(gl_Warn, [yes], [$2], [$3])
|
||||
AS_VAR_POPDEF([gl_Flags])dnl
|
||||
AS_VAR_POPDEF([gl_Warn])dnl
|
||||
])
|
||||
|
||||
|
||||
# gl_WARN_ADD(OPTION, [VARIABLE = WARN_CFLAGS],
|
||||
# [PROGRAM = AC_LANG_PROGRAM()])
|
||||
# ---------------------------------------------
|
||||
# Adds parameter to WARN_CFLAGS if the compiler supports it when
|
||||
# compiling PROGRAM. For example, gl_WARN_ADD([-Wparentheses]).
|
||||
#
|
||||
# If VARIABLE is a variable name, AC_SUBST it.
|
||||
AC_DEFUN([gl_WARN_ADD],
|
||||
[gl_COMPILER_OPTION_IF([$1],
|
||||
[gl_AS_VAR_APPEND(m4_if([$2], [], [[WARN_CFLAGS]], [[$2]]), [" $1"])],
|
||||
[],
|
||||
[$3])
|
||||
m4_ifval([$2],
|
||||
[AS_LITERAL_IF([$2], [AC_SUBST([$2])])],
|
||||
[AC_SUBST([WARN_CFLAGS])])dnl
|
||||
])
|
||||
|
||||
# Local Variables:
|
||||
# mode: autoconf
|
||||
# End:
|
||||
@@ -1,98 +0,0 @@
|
||||
# Copyright (c) 2014-2016 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
PACKAGE=yubico-piv-tool
|
||||
OPENSSLVERSION=1.0.2r
|
||||
CFLAGS="-mmacosx-version-min=10.6"
|
||||
|
||||
all: usage mac
|
||||
|
||||
.PHONY: usage
|
||||
usage:
|
||||
@if test -z "$(VERSION)" || test -z "$(PGPKEYID)"; then \
|
||||
echo "Try this instead:"; \
|
||||
echo " make PGPKEYID=[PGPKEYID] VERSION=[VERSION]"; \
|
||||
echo "For example:"; \
|
||||
echo " make PGPKEYID=2117364A VERSION=1.6.0"; \
|
||||
exit 1; \
|
||||
fi
|
||||
|
||||
doit:
|
||||
rm -rf tmp && mkdir tmp && cd tmp && \
|
||||
mkdir -p root/licenses && \
|
||||
cp ../openssl-$(OPENSSLVERSION).tar.gz . || \
|
||||
curl -L -O "https://www.openssl.org/source/openssl-$(OPENSSLVERSION).tar.gz" && \
|
||||
tar xfz openssl-$(OPENSSLVERSION).tar.gz && \
|
||||
cd openssl-$(OPENSSLVERSION) && \
|
||||
./Configure darwin64-x86_64-cc shared no-ssl2 no-ssl3 no-engines --prefix=$(PWD)/tmp/root $(CFLAGS) && \
|
||||
make all install_sw VERSION="$(OPENSSLVERSION)" && \
|
||||
cp LICENSE $(PWD)/tmp$(ARCH)/root/licenses/openssl.txt && \
|
||||
rm -rf $(PWD)/tmp/root/ssl/ && \
|
||||
rm -rf $(PWD)/tmp/root/bin/ && \
|
||||
rm -rf $(PWD)/tmp/root/lib/engines/ && \
|
||||
rm -rf $(PWD)/tmp/root/lib/libssl* && \
|
||||
rm $(PWD)/tmp/root/lib/pkgconfig/libssl.pc && \
|
||||
rm $(PWD)/tmp/root/lib/pkgconfig/openssl.pc && \
|
||||
cd .. && \
|
||||
cp ../$(PACKAGE)-$(VERSION).tar.gz . && \
|
||||
tar xfz $(PACKAGE)-$(VERSION).tar.gz && \
|
||||
cd $(PACKAGE)-$(VERSION)/ && \
|
||||
CFLAGS=$(CFLAGS) PKG_CONFIG_PATH=$(PWD)/tmp/root/lib/pkgconfig ./configure --prefix=$(PWD)/tmp/root && \
|
||||
make install $(CHECK) && \
|
||||
chmod u+w $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib && \
|
||||
install_name_tool -id @loader_path/libcrypto.1.0.0.dylib $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib && \
|
||||
install_name_tool -id @loader_path/libykpiv.1.dylib $(PWD)/tmp/root/lib/libykpiv.1.dylib && \
|
||||
install_name_tool -id @loader_path/libykcs11.1.dylib $(PWD)/tmp/root/lib/libykcs11.1.dylib && \
|
||||
install_name_tool -change $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib @loader_path/libcrypto.1.0.0.dylib $(PWD)/tmp/root/lib/libykpiv.1.dylib && \
|
||||
install_name_tool -change $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib @loader_path/libcrypto.1.0.0.dylib $(PWD)/tmp/root/lib/libykcs11.1.dylib && \
|
||||
install_name_tool -change $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib @executable_path/../lib/libcrypto.1.0.0.dylib $(PWD)/tmp/root/bin/yubico-piv-tool && \
|
||||
install_name_tool -change $(PWD)/tmp/root/lib/libykpiv.1.dylib @loader_path/libykpiv.1.dylib $(PWD)/tmp/root/lib/libykcs11.1.dylib && \
|
||||
install_name_tool -change $(PWD)/tmp/root/lib/libykpiv.1.dylib @executable_path/../lib/libykpiv.1.dylib $(PWD)/tmp/root/bin/yubico-piv-tool ; \
|
||||
if otool -L $(PWD)/tmp/root/lib/*.dylib $(PWD)/tmp/root/bin/* | grep '$(PWD)/tmp/root' | grep -q compatibility; then \
|
||||
echo "something is incorrectly linked!"; \
|
||||
exit 1; \
|
||||
fi && \
|
||||
rm $(PWD)/tmp/root/lib/*.la && \
|
||||
rm -rf $(PWD)/tmp/root/lib/pkgconfig && \
|
||||
cp COPYING $(PWD)/tmp/root/licenses/$(PACKAGE).txt && \
|
||||
cd .. && \
|
||||
cd root && \
|
||||
zip -r ../../$(PACKAGE)-$(VERSION)-mac.zip *
|
||||
|
||||
mac:
|
||||
$(MAKE) -f mac.mk doit CHECK=check
|
||||
|
||||
upload-mac:
|
||||
@if test ! -d "$(YUBICO_GITHUB_REPO)"; then \
|
||||
echo "yubico.github.com repo not found!"; \
|
||||
echo "Make sure that YUBICO_GITHUB_REPO is set"; \
|
||||
exit 1; \
|
||||
fi
|
||||
gpg --detach-sign --default-key $(PGPKEYID) \
|
||||
$(PACKAGE)-$(VERSION)-mac.zip
|
||||
gpg --verify $(PACKAGE)-$(VERSION)-mac.zip.sig
|
||||
$(YUBICO_GITHUB_REPO)/publish $(PACKAGE) $(VERSION) $(PACKAGE)-$(VERSION)-mac.zip*
|
||||
@@ -1,29 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Output redirected to fd 0 so it can be run from 'make check' scripts.
|
||||
|
||||
echo >&0
|
||||
echo "Hardware tests enabled!" >&0
|
||||
echo >&0
|
||||
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
|
||||
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
|
||||
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
|
||||
echo >&0
|
||||
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
|
||||
echo >&0
|
||||
echo " ALL DATA WILL BE ERASED ON CONNECTED YUBIKEYS " >&0
|
||||
echo >&0
|
||||
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
|
||||
echo >&0
|
||||
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
|
||||
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
|
||||
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
|
||||
echo >&0
|
||||
echo -n "Are you SURE you wish to proceed? If so, type 'CONFIRM': " >&0
|
||||
|
||||
read CONFIRM
|
||||
if [[ "x$CONFIRM" != "xCONFIRM" ]]; then
|
||||
echo "1"
|
||||
exit 1
|
||||
fi
|
||||
echo "0"
|
||||
@@ -1,94 +0,0 @@
|
||||
#!/usr/bin/perl
|
||||
|
||||
# Copyright (c) 2014-2016 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
# This little perl program takes an input like:
|
||||
# S9999F9999F999999F0F1F0000000000300001E
|
||||
# and outputs that in hex, encoded in the 5-bit form described in
|
||||
# "Technical Implementation Guidance: Smart Card Enabled Physical Access
|
||||
# Control Systems Version 2.2", Section 6.2, Figure 7.
|
||||
|
||||
use strict;
|
||||
use Bit::Vector;
|
||||
|
||||
my %encoding = (
|
||||
0 => "00001",
|
||||
1 => "10000",
|
||||
2 => "01000",
|
||||
3 => "11001",
|
||||
4 => "00100",
|
||||
5 => "10101",
|
||||
6 => "01101",
|
||||
7 => "11100",
|
||||
8 => "00010",
|
||||
9 => "10011",
|
||||
S => "11010",
|
||||
F => "10110",
|
||||
E => "11111",
|
||||
);
|
||||
|
||||
my $in = shift;
|
||||
|
||||
my @ones = (0, 0, 0, 0);
|
||||
|
||||
my $bits;
|
||||
foreach my $char (split(//, $in)) {
|
||||
my $enc = $encoding{$char};
|
||||
for(my $i = 0; $i < 4; $i++) {
|
||||
my $char = substr($enc, $i, 1);
|
||||
if($char eq '1') {
|
||||
$ones[$i]++;
|
||||
}
|
||||
}
|
||||
$bits .= $enc;
|
||||
}
|
||||
my $lrc = "";
|
||||
my $lrc_one = 0;
|
||||
foreach my $one (@ones) {
|
||||
if($one % 2 == 0) {
|
||||
$lrc .= '0';
|
||||
} else {
|
||||
$lrc .= '1';
|
||||
$lrc_one++;
|
||||
}
|
||||
}
|
||||
if($lrc_one % 2 == 0) {
|
||||
$lrc .= '1';
|
||||
} else {
|
||||
$lrc .= '0';
|
||||
}
|
||||
$bits .= $lrc;
|
||||
|
||||
my $vector = Bit::Vector->new(200);
|
||||
$vector->from_Bin($bits);
|
||||
my $hex = $vector->to_Hex();
|
||||
for(my $i = 0; $i < length($hex); $i += 2) {
|
||||
print "0x" . substr($hex, $i , 2) . ", ";
|
||||
}
|
||||
|
||||
print "\n";
|
||||
@@ -1,16 +0,0 @@
|
||||
Vagrant VM for development
|
||||
===
|
||||
|
||||
Usage:
|
||||
|
||||
alice@work $ cd yubico-piv-tool/vagrant/development
|
||||
alice@work $ vagrant up
|
||||
alice@work $ vagrant ssh
|
||||
ubuntu@ubuntu-xenial $ cd /vagrant
|
||||
ubuntu@ubuntu-xenial $ autoreconf --install
|
||||
ubuntu@ubuntu-xenial $ ./configure
|
||||
ubuntu@ubuntu-xenial $ make
|
||||
ubuntu@ubuntu-xenial $ sudo make install
|
||||
ubuntu@ubuntu-xenial $ yubico-piv-tool --help
|
||||
ubuntu@ubuntu-xenial $ exit
|
||||
alice@work $ vagrant destroy
|
||||
Vendored
-42
@@ -1,42 +0,0 @@
|
||||
# -*- mode: ruby -*-
|
||||
# vi: set ft=ruby :
|
||||
|
||||
Vagrant.configure("2") do |config|
|
||||
|
||||
# Use Ubuntu 16.04 Xenial as a base box.
|
||||
config.vm.box = "ubuntu/xenial64"
|
||||
|
||||
# Install dependencies needed for yubikey-piv-manager development.
|
||||
config.vm.provision "shell", path: "provision.sh"
|
||||
|
||||
# Sync repository to /vagrant
|
||||
config.vm.synced_folder '../..', '/vagrant'
|
||||
|
||||
# VirtualBox configuration
|
||||
config.vm.provider "virtualbox" do |vb|
|
||||
vb.name = "yubikey-piv-tool_development"
|
||||
end
|
||||
|
||||
# Uncomment this to add a USB filter for YubiKeys.
|
||||
# This will connect the YubiKey to the VM when re-inserted.
|
||||
# This filter uses VirtualBox as provider.
|
||||
# Modify the paramters as needed depending on the device.
|
||||
|
||||
FILTER_NAME="YubiKey 4"
|
||||
MANUFACTURER="Yubico"
|
||||
VENDOR_ID="0x1050"
|
||||
PRODUCT_ID="0x0407"
|
||||
PRODUCT="Yubikey 4 OTP+U2F+CCID"
|
||||
|
||||
config.vm.provider "virtualbox" do |vb|
|
||||
vb.customize ['modifyvm', :id, '--usb', 'on']
|
||||
vb.customize ['usbfilter', 'add', '0',
|
||||
'--target', :id,
|
||||
'--name', FILTER_NAME,
|
||||
'--manufacturer', MANUFACTURER,
|
||||
'--vendorid', VENDOR_ID,
|
||||
'--productid', PRODUCT_ID,
|
||||
'--product', PRODUCT]
|
||||
end
|
||||
|
||||
end
|
||||
@@ -1,19 +0,0 @@
|
||||
#! /usr/bin/env bash
|
||||
|
||||
# Install development dependencies
|
||||
sudo apt-get update -qq
|
||||
sudo apt-get install -qq software-properties-common
|
||||
sudo add-apt-repository -y ppa:yubico/stable
|
||||
sudo apt-get update -qq && apt-get -qq upgrade
|
||||
sudo apt-get install -qq \
|
||||
autoconf \
|
||||
automake \
|
||||
check \
|
||||
gengetopt \
|
||||
help2man \
|
||||
libpcsclite-dev \
|
||||
libssl-dev \
|
||||
libtool \
|
||||
libykpiv1 \
|
||||
pkg-config \
|
||||
virtualbox-guest-dkms
|
||||
-102
@@ -1,102 +0,0 @@
|
||||
# Copyright (c) 2014-2016 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
PACKAGE=yubico-piv-tool
|
||||
OPENSSLVERSION=1.0.2r
|
||||
CHECKVERSION=0.12.0
|
||||
|
||||
all: usage 32bit 64bit
|
||||
|
||||
.PHONY: usage
|
||||
usage:
|
||||
@if test -z "$(VERSION)" || test -z "$(PGPKEYID)"; then \
|
||||
echo "Try this instead:"; \
|
||||
echo " make PGPKEYID=[PGPKEYID] VERSION=[VERSION]"; \
|
||||
echo "For example:"; \
|
||||
echo " make PGPKEYID=2117364A VERSION=1.6.0"; \
|
||||
exit 1; \
|
||||
fi
|
||||
|
||||
doit:
|
||||
rm -rf tmp$(ARCH) && mkdir tmp$(ARCH) && cd tmp$(ARCH) && \
|
||||
mkdir -p root/licenses && \
|
||||
cp ../openssl-$(OPENSSLVERSION).tar.gz . || \
|
||||
curl -L -O "https://www.openssl.org/source/openssl-$(OPENSSLVERSION).tar.gz" && \
|
||||
tar xfa openssl-$(OPENSSLVERSION).tar.gz && \
|
||||
cd openssl-$(OPENSSLVERSION) && \
|
||||
CROSS_COMPILE="$(HOST)-" ./Configure mingw$(64) no-ssl2 no-ssl3 no-engines shared --prefix=$(PWD)/tmp$(ARCH)/root -static-libgcc && \
|
||||
make depend all install_sw VERSION="$(OPENSSLVERSION)" && \
|
||||
cp LICENSE $(PWD)/tmp$(ARCH)/root/licenses/openssl.txt && \
|
||||
rm -rf $(PWD)/tmp$(ARCH)/root/ssl/ && \
|
||||
rm $(PWD)/tmp$(ARCH)/root/bin/openssl.exe && \
|
||||
rm $(PWD)/tmp$(ARCH)/root/bin/c_rehash && \
|
||||
rm -rf $(PWD)/tmp$(ARCH)/root/lib/engines/ && \
|
||||
cd .. && \
|
||||
cp ../check-$(CHECKVERSION).tar.gz . || \
|
||||
curl -L -O "https://github.com/libcheck/check/releases/download/$(CHECKVERSION)/check-$(CHECKVERSION).tar.gz" && \
|
||||
tar xfa check-$(CHECKVERSION).tar.gz && \
|
||||
cd check-$(CHECKVERSION) && \
|
||||
CC=$(HOST)-gcc PKG_CONFIG_PATH=$(PWD)/tmp$(ARCH)/root/lib/pkgconfig ./configure --host=$(HOST) --build=x86_64-unknown-linux-gnu --prefix=$(PWD)/tmp$(ARCH)/root --disable-subunit --enable-static --disable-shared && \
|
||||
make all install && \
|
||||
cd .. && \
|
||||
cp ../$(PACKAGE)-$(VERSION).tar.gz . && \
|
||||
tar xfa $(PACKAGE)-$(VERSION).tar.gz && \
|
||||
cd $(PACKAGE)-$(VERSION)/ && \
|
||||
CC=$(HOST)-gcc PKG_CONFIG_PATH=$(PWD)/tmp$(ARCH)/root/lib/pkgconfig lt_cv_deplibs_check_method=pass_all ./configure --host=$(HOST) --build=x86_64-unknown-linux-gnu --prefix=$(PWD)/tmp$(ARCH)/root LDFLAGS=-L$(PWD)/tmp$(ARCH)/root/lib CPPFLAGS=-I$(PWD)/tmp$(ARCH)/root/include && \
|
||||
WINEPATH="/usr/$(HOST)/lib/" make install $(CHECK) && \
|
||||
rm $(PWD)/tmp$(ARCH)/root/lib/*.la && \
|
||||
rm -rf $(PWD)/tmp$(ARCH)/root/lib/pkgconfig/ && \
|
||||
cp COPYING $(PWD)/tmp$(ARCH)/root/licenses/$(PACKAGE).txt && \
|
||||
cd .. && \
|
||||
cd check-$(CHECKVERSION) && \
|
||||
make uninstall && \
|
||||
cd .. && \
|
||||
cd root && \
|
||||
zip -r ../../$(PACKAGE)-$(VERSION)-win$(ARCH).zip *
|
||||
|
||||
32bit:
|
||||
$(MAKE) -f windows.mk doit ARCH=32 HOST=i686-w64-mingw32 CHECK=check
|
||||
|
||||
64bit:
|
||||
$(MAKE) -f windows.mk doit ARCH=64 HOST=x86_64-w64-mingw32 64=64 CHECK=check
|
||||
|
||||
upload:
|
||||
@if test ! -d "$(YUBICO_GITHUB_REPO)"; then \
|
||||
echo "yubico.github.com repo not found!"; \
|
||||
echo "Make sure that YUBICO_GITHUB_REPO is set"; \
|
||||
exit 1; \
|
||||
fi
|
||||
gpg --detach-sign --default-key $(PGPKEYID) \
|
||||
$(PACKAGE)-$(VERSION)-win$(ARCH).zip
|
||||
gpg --verify $(PACKAGE)-$(VERSION)-win$(ARCH).zip.sig
|
||||
$(YUBICO_GITHUB_REPO)/publish $(PACKAGE) $(VERSION) $(PACKAGE)-$(VERSION)-win${ARCH}.zip*
|
||||
|
||||
upload-32bit:
|
||||
$(MAKE) -f windows.mk upload ARCH=32
|
||||
|
||||
upload-64bit:
|
||||
$(MAKE) -f windows.mk upload ARCH=64
|
||||
@@ -1,70 +0,0 @@
|
||||
# Copyright (c) 2015-2016 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
SUBDIRS = . tests
|
||||
|
||||
AM_CFLAGS = $(WERROR_CFLAGS) $(WARN_CFLAGS)
|
||||
AM_CPPFLAGS = $(OPENSSL_CFLAGS) $(PCSC_CFLAGS)
|
||||
AM_CPPFLAGS += -I$(top_srcdir)/lib -I$(top_builddir)/lib
|
||||
AM_CPPFLAGS += -I$(top_srcdir)/tool -I$(top_builddir)/tool
|
||||
|
||||
lib_LTLIBRARIES = libykcs11.la
|
||||
|
||||
libykcs11_la_SOURCES = ykcs11.c ykcs11.pc.in ykcs11.map
|
||||
libykcs11_la_SOURCES += ykcs11.h debug.h
|
||||
libykcs11_la_SOURCES += vendors.c vendors.h vendor_ids.h
|
||||
libykcs11_la_SOURCES += slot_vendors.c slot_vendors.h
|
||||
libykcs11_la_SOURCES += token_vendors.c token_vendors.h
|
||||
libykcs11_la_SOURCES += mechanisms.c mechanisms.h
|
||||
libykcs11_la_SOURCES += yubico_slot.c yubico_slot.h yubico_token.c yubico_token.h
|
||||
libykcs11_la_SOURCES += utils.c utils.h
|
||||
libykcs11_la_SOURCES += openssl_utils.c openssl_utils.h openssl_types.h
|
||||
libykcs11_la_SOURCES += objects.c objects.h obj_types.h
|
||||
libykcs11_la_SOURCES += pkcs11.h pkcs11y.h
|
||||
libykcs11_la_SOURCES += ykcs11-version.h
|
||||
|
||||
EXTRA_libykcs11_la_DEPENDENCIES = ykcs11.map
|
||||
|
||||
libykcs11_la_LIBADD = ../lib/libykpiv.la
|
||||
libykcs11_la_LIBADD += ../tool/libpiv_util.la
|
||||
|
||||
libykcs11_la_LDFLAGS = -no-undefined
|
||||
libykcs11_la_LDFLAGS += -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE)
|
||||
|
||||
if HAVE_LD_VERSION_SCRIPT
|
||||
libykcs11_la_LDFLAGS += -Wl,--version-script=$(srcdir)/ykcs11.map
|
||||
else
|
||||
libykcs11_la_LDFLAGS += -export-symbols-regex '^C_.*'
|
||||
endif
|
||||
|
||||
pkgconfigdir = $(libdir)/pkgconfig
|
||||
pkgconfig_DATA = ykcs11.pc
|
||||
|
||||
if ENABLE_COV
|
||||
AM_CFLAGS += --coverage
|
||||
AM_LDFLAGS = --coverage
|
||||
endif
|
||||
@@ -1,55 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef DEBUG_H
|
||||
#define DEBUG_H
|
||||
|
||||
#define D(x...) do { \
|
||||
fprintf (stderr, "debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \
|
||||
fprintf (stderr, x); \
|
||||
fprintf (stderr, "\n"); \
|
||||
} while (0)
|
||||
|
||||
#if YKCS11_DBG
|
||||
#include <stdio.h>
|
||||
#define DBG(x...) D(x);
|
||||
#else
|
||||
#define DBG(x...)
|
||||
#endif
|
||||
|
||||
#if YKCS11_DINOUT
|
||||
#define DIN D(("In"));
|
||||
#define DOUT D(("Out"));
|
||||
#else
|
||||
#define DIN
|
||||
#define DOUT
|
||||
#endif
|
||||
|
||||
#endif
|
||||
@@ -1,553 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "mechanisms.h"
|
||||
#include "openssl_utils.h"
|
||||
#include "utils.h"
|
||||
#include "debug.h"
|
||||
#include <string.h>
|
||||
|
||||
#define F4 "\x01\x00\x01"
|
||||
#define PRIME256V1 "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07"
|
||||
|
||||
// Supported mechanisms for signature
|
||||
static const CK_MECHANISM_TYPE sign_mechanisms[] = {
|
||||
CKM_RSA_PKCS,
|
||||
CKM_RSA_PKCS_PSS,
|
||||
CKM_RSA_X_509,
|
||||
CKM_SHA1_RSA_PKCS,
|
||||
CKM_SHA256_RSA_PKCS,
|
||||
CKM_SHA384_RSA_PKCS,
|
||||
CKM_SHA512_RSA_PKCS,
|
||||
CKM_SHA1_RSA_PKCS_PSS,
|
||||
CKM_SHA256_RSA_PKCS_PSS,
|
||||
CKM_SHA384_RSA_PKCS_PSS,
|
||||
CKM_SHA512_RSA_PKCS_PSS,
|
||||
CKM_ECDSA,
|
||||
CKM_ECDSA_SHA1,
|
||||
CKM_ECDSA_SHA256
|
||||
};
|
||||
|
||||
// Supported mechanisms for key pair generation
|
||||
static const CK_MECHANISM_TYPE generation_mechanisms[] = {
|
||||
CKM_RSA_PKCS_KEY_PAIR_GEN,
|
||||
//CKM_ECDSA_KEY_PAIR_GEN, Deperecated
|
||||
CKM_EC_KEY_PAIR_GEN
|
||||
};
|
||||
|
||||
// Supported mechanisms for hashing
|
||||
static const CK_MECHANISM_TYPE hash_mechanisms[] = {
|
||||
CKM_SHA_1,
|
||||
CKM_SHA256,
|
||||
CKM_SHA384,
|
||||
CKM_SHA512
|
||||
};
|
||||
|
||||
CK_RV check_sign_mechanism(const ykcs11_session_t *s, const CK_MECHANISM_PTR m) {
|
||||
|
||||
CK_ULONG i;
|
||||
CK_BBOOL supported = CK_FALSE;
|
||||
token_vendor_t token;
|
||||
CK_MECHANISM_INFO info;
|
||||
|
||||
// Check if the mechanism is supported by the module
|
||||
for (i = 0; i < sizeof(sign_mechanisms) / sizeof(CK_MECHANISM_TYPE); i++) {
|
||||
if (m->mechanism == sign_mechanisms[i]) {
|
||||
supported = CK_TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (supported == CK_FALSE)
|
||||
return CKR_MECHANISM_INVALID;
|
||||
|
||||
// Check if the mechanism is supported by the token
|
||||
token = get_token_vendor(s->slot->token->vid);
|
||||
|
||||
if (token.get_token_mechanism_info(m->mechanism, &info) != CKR_OK)
|
||||
return CKR_MECHANISM_INVALID;
|
||||
|
||||
// TODO: also check that parametes make sense if any? And key size is in [min max]
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m) {
|
||||
|
||||
switch (m) {
|
||||
case CKM_RSA_PKCS_KEY_PAIR_GEN:
|
||||
case CKM_RSA_PKCS:
|
||||
case CKM_RSA_9796:
|
||||
case CKM_RSA_X_509:
|
||||
case CKM_SHA1_RSA_PKCS:
|
||||
// case CKM_SHA224_RSA_PKCS:
|
||||
case CKM_SHA256_RSA_PKCS:
|
||||
case CKM_SHA384_RSA_PKCS:
|
||||
case CKM_SHA512_RSA_PKCS:
|
||||
// case CKM_RIPEMD128_RSA_PKCS:
|
||||
// case CKM_RIPEMD160_RSA_PKCS:
|
||||
// case CKM_RSA_PKCS_OAEP:
|
||||
// case CKM_RSA_X9_31_KEY_PAIR_GEN:
|
||||
// case CKM_RSA_X9_31:
|
||||
// case CKM_SHA1_RSA_X9_31:
|
||||
case CKM_RSA_PKCS_PSS:
|
||||
case CKM_SHA1_RSA_PKCS_PSS:
|
||||
// case CKM_SHA224_RSA_PKCS_PSS:
|
||||
case CKM_SHA256_RSA_PKCS_PSS:
|
||||
case CKM_SHA512_RSA_PKCS_PSS:
|
||||
case CKM_SHA384_RSA_PKCS_PSS:
|
||||
// case CKM_RSA_PKCS_TPM_1_1:
|
||||
// case CKM_RSA_PKCS_OAEP_TPM_1_1:
|
||||
// case CKM_RSA_AES_KEY_WRAP:
|
||||
return CK_TRUE;
|
||||
|
||||
default:
|
||||
return CK_FALSE;
|
||||
}
|
||||
|
||||
// Not reached
|
||||
return CK_FALSE;
|
||||
}
|
||||
|
||||
CK_BBOOL is_PSS_mechanism(CK_MECHANISM_TYPE m) {
|
||||
|
||||
switch (m) {
|
||||
case CKM_RSA_PKCS_PSS:
|
||||
case CKM_SHA1_RSA_PKCS_PSS:
|
||||
// case CKM_SHA224_RSA_PKCS_PSS:
|
||||
case CKM_SHA256_RSA_PKCS_PSS:
|
||||
case CKM_SHA512_RSA_PKCS_PSS:
|
||||
case CKM_SHA384_RSA_PKCS_PSS:
|
||||
return CK_TRUE;
|
||||
|
||||
default:
|
||||
return CK_FALSE;
|
||||
}
|
||||
|
||||
// Not reached
|
||||
return CK_FALSE;
|
||||
}
|
||||
|
||||
CK_BBOOL is_hashed_mechanism(CK_MECHANISM_TYPE m) {
|
||||
|
||||
switch (m) {
|
||||
case CKM_SHA1_RSA_PKCS:
|
||||
case CKM_SHA256_RSA_PKCS:
|
||||
case CKM_SHA384_RSA_PKCS:
|
||||
case CKM_SHA512_RSA_PKCS:
|
||||
case CKM_SHA1_RSA_PKCS_PSS:
|
||||
case CKM_SHA256_RSA_PKCS_PSS:
|
||||
case CKM_SHA384_RSA_PKCS_PSS:
|
||||
case CKM_SHA512_RSA_PKCS_PSS:
|
||||
case CKM_ECDSA_SHA1:
|
||||
case CKM_ECDSA_SHA256:
|
||||
case CKM_SHA_1:
|
||||
case CKM_SHA256:
|
||||
case CKM_SHA384:
|
||||
case CKM_SHA512:
|
||||
return CK_TRUE;
|
||||
|
||||
default:
|
||||
return CK_FALSE;
|
||||
}
|
||||
|
||||
// Not reached
|
||||
return CK_FALSE;
|
||||
}
|
||||
|
||||
CK_RV apply_sign_mechanism_init(op_info_t *op_info) {
|
||||
|
||||
if (op_info->type != YKCS11_SIGN)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
switch (op_info->mechanism.mechanism) {
|
||||
case CKM_RSA_PKCS:
|
||||
case CKM_RSA_PKCS_PSS:
|
||||
case CKM_RSA_X_509:
|
||||
case CKM_ECDSA:
|
||||
// No hash required for this mechanism
|
||||
op_info->op.sign.md_ctx = NULL;
|
||||
return CKR_OK;
|
||||
|
||||
case CKM_SHA1_RSA_PKCS:
|
||||
case CKM_SHA1_RSA_PKCS_PSS:
|
||||
case CKM_ECDSA_SHA1:
|
||||
return do_md_init(YKCS11_SHA1, &op_info->op.sign.md_ctx);
|
||||
|
||||
case CKM_SHA256_RSA_PKCS:
|
||||
case CKM_SHA256_RSA_PKCS_PSS:
|
||||
case CKM_ECDSA_SHA256:
|
||||
return do_md_init(YKCS11_SHA256, &op_info->op.sign.md_ctx);
|
||||
|
||||
case CKM_SHA384_RSA_PKCS:
|
||||
case CKM_SHA384_RSA_PKCS_PSS:
|
||||
return do_md_init(YKCS11_SHA384, &op_info->op.sign.md_ctx);
|
||||
|
||||
case CKM_SHA512_RSA_PKCS:
|
||||
case CKM_SHA512_RSA_PKCS_PSS:
|
||||
return do_md_init(YKCS11_SHA512, &op_info->op.sign.md_ctx);
|
||||
|
||||
default:
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
// Never reached
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG in_len) {
|
||||
CK_RV rv;
|
||||
|
||||
if (op_info->type != YKCS11_SIGN)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
switch (op_info->mechanism.mechanism) {
|
||||
case CKM_RSA_PKCS:
|
||||
case CKM_RSA_PKCS_PSS:
|
||||
case CKM_ECDSA:
|
||||
case CKM_RSA_X_509:
|
||||
// Mechanism not suitable for multipart signatures
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
case CKM_SHA1_RSA_PKCS:
|
||||
case CKM_SHA256_RSA_PKCS:
|
||||
case CKM_SHA384_RSA_PKCS:
|
||||
case CKM_SHA512_RSA_PKCS:
|
||||
case CKM_SHA1_RSA_PKCS_PSS:
|
||||
case CKM_SHA256_RSA_PKCS_PSS:
|
||||
case CKM_SHA384_RSA_PKCS_PSS:
|
||||
case CKM_SHA512_RSA_PKCS_PSS:
|
||||
case CKM_ECDSA_SHA1:
|
||||
case CKM_ECDSA_SHA256:
|
||||
rv = do_md_update(op_info->op.sign.md_ctx, in, in_len);
|
||||
if (rv != CKR_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
default:
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) {
|
||||
|
||||
CK_RV rv;
|
||||
int nid = NID_undef;
|
||||
CK_ULONG len;
|
||||
|
||||
if (op_info->type != YKCS11_SIGN)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
switch (op_info->mechanism.mechanism) {
|
||||
case CKM_SHA1_RSA_PKCS_PSS:
|
||||
case CKM_SHA256_RSA_PKCS_PSS:
|
||||
case CKM_SHA384_RSA_PKCS_PSS:
|
||||
case CKM_SHA512_RSA_PKCS_PSS:
|
||||
// Finalize the hash
|
||||
rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid);
|
||||
op_info->op.sign.md_ctx = NULL;
|
||||
if (rv != CKR_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
case CKM_RSA_PKCS_PSS:
|
||||
// Compute padding for all PSS variants
|
||||
// TODO: digestinfo/paraminfo ?
|
||||
rv = do_pkcs_pss(op_info->op.sign.key, op_info->buf, op_info->buf_len, nid, op_info->buf, &op_info->buf_len);
|
||||
do_free_rsa_public_key(op_info->op.sign.key);
|
||||
|
||||
return rv;
|
||||
|
||||
case CKM_RSA_X_509:
|
||||
// Padding in this case consists of prepending zeroes
|
||||
len = (op_info->op.sign.key_len / 8) - op_info->buf_len;
|
||||
memmove(op_info->buf + len, op_info->buf, op_info->buf_len);
|
||||
memset(op_info->buf, 0, len);
|
||||
op_info->buf_len = op_info->op.sign.key_len / 8;
|
||||
return CKR_OK;
|
||||
|
||||
case CKM_SHA1_RSA_PKCS:
|
||||
case CKM_SHA256_RSA_PKCS:
|
||||
case CKM_SHA384_RSA_PKCS:
|
||||
case CKM_SHA512_RSA_PKCS:
|
||||
// Finalize the hash add digest info
|
||||
rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid);
|
||||
op_info->op.sign.md_ctx = NULL;
|
||||
if (rv != CKR_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
case CKM_RSA_PKCS:
|
||||
// Add digest info if needed
|
||||
if (nid != NID_undef) {
|
||||
rv = do_pkcs_1_digest_info(op_info->buf, op_info->buf_len, nid, op_info->buf, &op_info->buf_len);
|
||||
if (rv != CKR_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
// Compute padding for all PKCS1 variants
|
||||
len = op_info->buf_len;
|
||||
op_info->buf_len = sizeof(op_info->buf);
|
||||
return do_pkcs_1_t1(op_info->buf, len, op_info->buf, &op_info->buf_len, op_info->op.sign.key_len);
|
||||
|
||||
case CKM_ECDSA_SHA1:
|
||||
case CKM_ECDSA_SHA256:
|
||||
// Finalize the hash
|
||||
rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid);
|
||||
op_info->op.sign.md_ctx = NULL;
|
||||
if (rv != CKR_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
case CKM_ECDSA:
|
||||
return CKR_OK;
|
||||
|
||||
default:
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
}
|
||||
|
||||
CK_RV sign_mechanism_cleanup(op_info_t *op_info) {
|
||||
|
||||
if (op_info->op.sign.md_ctx != NULL) {
|
||||
do_md_cleanup(op_info->op.sign.md_ctx);
|
||||
op_info->op.sign.md_ctx = NULL;
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV check_generation_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m) {
|
||||
|
||||
CK_ULONG i;
|
||||
CK_BBOOL supported = CK_FALSE;
|
||||
token_vendor_t token;
|
||||
CK_MECHANISM_INFO info;
|
||||
|
||||
// Check if the mechanism is supported by the module
|
||||
for (i = 0; i < sizeof(generation_mechanisms) / sizeof(CK_MECHANISM_TYPE); i++) {
|
||||
if (m->mechanism == generation_mechanisms[i]) {
|
||||
supported = CK_TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (supported == CK_FALSE)
|
||||
return CKR_MECHANISM_INVALID;
|
||||
|
||||
// Check if the mechanism is supported by the token
|
||||
token = get_token_vendor(s->slot->token->vid);
|
||||
|
||||
if (token.get_token_mechanism_info(m->mechanism, &info) != CKR_OK)
|
||||
return CKR_MECHANISM_INVALID;
|
||||
|
||||
// TODO: also check that parametes make sense if any? And key size is in [min max]
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV check_pubkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n) {
|
||||
|
||||
CK_ULONG i;
|
||||
|
||||
op_info->op.gen.rsa = is_RSA_mechanism(op_info->mechanism.mechanism);
|
||||
|
||||
for (i = 0; i < n; i++) {
|
||||
switch (templ[i].type) {
|
||||
case CKA_CLASS:
|
||||
if (*((CK_ULONG_PTR) templ[i].pValue) != CKO_PUBLIC_KEY)
|
||||
return CKR_TEMPLATE_INCONSISTENT;
|
||||
|
||||
break;
|
||||
|
||||
case CKA_KEY_TYPE:
|
||||
if ((op_info->op.gen.rsa == CK_TRUE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_RSA) ||
|
||||
(op_info->op.gen.rsa == CK_FALSE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_ECDSA))
|
||||
return CKR_TEMPLATE_INCONSISTENT;
|
||||
|
||||
break;
|
||||
|
||||
case CKA_PUBLIC_EXPONENT:
|
||||
if (op_info->op.gen.rsa == CK_FALSE)
|
||||
return CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
|
||||
// Only support F4
|
||||
if (templ[i].ulValueLen != 3 || memcmp((CK_BYTE_PTR)templ[i].pValue, F4, 3) != 0) {
|
||||
DBG("Unsupported public exponent");
|
||||
return CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
}
|
||||
|
||||
break;
|
||||
|
||||
case CKA_MODULUS_BITS:
|
||||
if (op_info->op.gen.rsa == CK_FALSE)
|
||||
return CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
|
||||
if (*((CK_ULONG_PTR) templ[i].pValue) != 1024 &&
|
||||
*((CK_ULONG_PTR) templ[i].pValue) != 2048) { // TODO: make define?
|
||||
DBG("Unsupported MODULUS_BITS (key length)");
|
||||
return CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
}
|
||||
|
||||
op_info->op.gen.key_len = *((CK_ULONG_PTR) templ[i].pValue);
|
||||
break;
|
||||
|
||||
case CKA_EC_PARAMS:
|
||||
// Only support PRIME256V1
|
||||
if (templ[i].ulValueLen != 10 || memcmp((CK_BYTE_PTR)templ[i].pValue, PRIME256V1, 10) != 0)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
op_info->op.gen.key_len = 256;
|
||||
break;
|
||||
|
||||
case CKA_ID:
|
||||
if (is_valid_key_id(*((CK_BYTE_PTR)templ[i].pValue)) == CK_FALSE)
|
||||
return CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
|
||||
op_info->op.gen.key_id = PIV_PVTK_OBJ_PIV_AUTH + *((CK_BYTE_PTR)templ[i].pValue);
|
||||
break;
|
||||
|
||||
case CKA_TOKEN:
|
||||
case CKA_ENCRYPT:
|
||||
case CKA_VERIFY:
|
||||
case CKA_WRAP:
|
||||
case CKA_DERIVE:
|
||||
case CKA_PRIVATE:
|
||||
case CKA_LABEL:
|
||||
// Ignore these attributes for now
|
||||
break;
|
||||
|
||||
default:
|
||||
DBG("Invalid attribute %lx in public key template", templ[i].type);
|
||||
return CKR_ATTRIBUTE_TYPE_INVALID;
|
||||
}
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV check_pvtkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n) {
|
||||
|
||||
CK_ULONG i;
|
||||
|
||||
op_info->op.gen.rsa = is_RSA_mechanism(op_info->mechanism.mechanism);
|
||||
op_info->op.gen.vendor_defined = 0;
|
||||
|
||||
for (i = 0; i < n; i++) {
|
||||
switch (templ[i].type) {
|
||||
case CKA_CLASS:
|
||||
if (*((CK_ULONG_PTR)templ[i].pValue) != CKO_PRIVATE_KEY)
|
||||
return CKR_TEMPLATE_INCONSISTENT;
|
||||
|
||||
break;
|
||||
|
||||
case CKA_KEY_TYPE:
|
||||
if ((op_info->op.gen.rsa == CK_TRUE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_RSA) ||
|
||||
(op_info->op.gen.rsa == CK_FALSE && (*((CK_KEY_TYPE *)templ[i].pValue)) != CKK_ECDSA))
|
||||
return CKR_TEMPLATE_INCONSISTENT;
|
||||
|
||||
break;
|
||||
|
||||
/* case CKA_MODULUS_BITS:
|
||||
if (op_info->op.gen.rsa == CK_FALSE)
|
||||
return CKR_MECHANISM_PARAM_INVALID;
|
||||
|
||||
if (*((CK_ULONG_PTR)templ[i].pValue) != 1024 &&
|
||||
*((CK_ULONG_PTR) templ[i].pValue) != 2048) // TODO: make define?
|
||||
return CKR_MECHANISM_PARAM_INVALID;
|
||||
|
||||
op_info->op.gen.key_len = *((CK_ULONG_PTR) templ[i].pValue); // TODO: check length?
|
||||
break;*/
|
||||
|
||||
case CKA_ID:
|
||||
if (is_valid_key_id(*((CK_BYTE_PTR)templ[i].pValue)) == CK_FALSE)
|
||||
return CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
|
||||
// Check if ID was already specified in the public key template
|
||||
// In that case it has to match
|
||||
if (op_info->op.gen.key_id != 0 &&
|
||||
op_info->op.gen.key_id != (*((CK_BYTE_PTR)templ[i].pValue) + PIV_PVTK_OBJ_PIV_AUTH))
|
||||
return CKR_TEMPLATE_INCONSISTENT;
|
||||
|
||||
op_info->op.gen.key_id = PIV_PVTK_OBJ_PIV_AUTH + *((CK_BYTE_PTR)templ[i].pValue);
|
||||
break;
|
||||
|
||||
case CKA_VENDOR_DEFINED:
|
||||
op_info->op.gen.vendor_defined = (*((CK_ULONG_PTR)templ[i].pValue));
|
||||
|
||||
case CKA_SENSITIVE:
|
||||
case CKA_DECRYPT:
|
||||
case CKA_UNWRAP:
|
||||
case CKA_SIGN:
|
||||
case CKA_PRIVATE:
|
||||
case CKA_TOKEN:
|
||||
case CKA_DERIVE:
|
||||
case CKA_LABEL:
|
||||
// Ignore these attributes for now
|
||||
break;
|
||||
|
||||
default:
|
||||
DBG("Invalid attribute %lx in private key template", templ[i].type);
|
||||
return CKR_ATTRIBUTE_TYPE_INVALID;
|
||||
}
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV check_hash_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m) {
|
||||
|
||||
CK_ULONG i;
|
||||
CK_BBOOL supported = CK_FALSE;
|
||||
token_vendor_t token;
|
||||
CK_MECHANISM_INFO info;
|
||||
|
||||
// Check if the mechanism is supported by the module
|
||||
for (i = 0; i < sizeof(hash_mechanisms) / sizeof(CK_MECHANISM_TYPE); i++) {
|
||||
if (m->mechanism == hash_mechanisms[i]) {
|
||||
supported = CK_TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (supported == CK_FALSE)
|
||||
return CKR_MECHANISM_INVALID;
|
||||
|
||||
// Check if the mechanism is supported by the token
|
||||
token = get_token_vendor(s->slot->token->vid);
|
||||
|
||||
if (token.get_token_mechanism_info(m->mechanism, &info) != CKR_OK)
|
||||
return CKR_MECHANISM_INVALID;
|
||||
|
||||
// TODO: also check that parametes make sense if any? And key size is in [min max]
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
@@ -1,52 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef MECHANISMS_H
|
||||
#define MECHANISMS_H
|
||||
|
||||
#include "ykcs11.h"
|
||||
|
||||
CK_RV check_sign_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m);
|
||||
CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m);
|
||||
CK_BBOOL is_PSS_mechanism(CK_MECHANISM_TYPE m);
|
||||
CK_BBOOL is_hashed_mechanism(CK_MECHANISM_TYPE m);
|
||||
|
||||
CK_RV apply_sign_mechanism_init(op_info_t *op_info);
|
||||
CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG in_len);
|
||||
CK_RV apply_sign_mechanism_finalize(op_info_t *op_info);
|
||||
CK_RV sign_mechanism_cleanup(op_info_t *op_info);
|
||||
|
||||
CK_RV check_generation_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m);
|
||||
CK_RV check_pubkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n); // TODO: Move to objects.c
|
||||
CK_RV check_pvtkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n); // TODO: Move to objects.c
|
||||
|
||||
CK_RV check_hash_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m);
|
||||
|
||||
#endif
|
||||
@@ -1,201 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef OBJ_TYPES_H
|
||||
#define OBJ_TYPES_H
|
||||
|
||||
#include "pkcs11y.h"
|
||||
|
||||
#include <openssl/x509.h>
|
||||
|
||||
// TODO: this is mostly from OpenSC, how to give credit?
|
||||
typedef enum {
|
||||
PIV_DATA_OBJ_X509_PIV_AUTH = 0, // PIV authentication
|
||||
PIV_DATA_OBJ_X509_CARD_AUTH, // Card authentication
|
||||
PIV_DATA_OBJ_X509_DS, // Digital signature
|
||||
PIV_DATA_OBJ_X509_KM, // Key management
|
||||
PIV_DATA_OBJ_X509_RETIRED1, // Retired key 1
|
||||
PIV_DATA_OBJ_X509_RETIRED2, // Retired key 2
|
||||
PIV_DATA_OBJ_X509_RETIRED3, // Retired key 3
|
||||
PIV_DATA_OBJ_X509_RETIRED4, // Retired key 4
|
||||
PIV_DATA_OBJ_X509_RETIRED5, // Retired key 5
|
||||
PIV_DATA_OBJ_X509_RETIRED6, // Retired key 6
|
||||
PIV_DATA_OBJ_X509_RETIRED7, // Retired key 7
|
||||
PIV_DATA_OBJ_X509_RETIRED8, // Retired key 8
|
||||
PIV_DATA_OBJ_X509_RETIRED9, // Retired key 9
|
||||
PIV_DATA_OBJ_X509_RETIRED10, // Retired key 10
|
||||
PIV_DATA_OBJ_X509_RETIRED11, // Retired key 11
|
||||
PIV_DATA_OBJ_X509_RETIRED12, // Retired key 12
|
||||
PIV_DATA_OBJ_X509_RETIRED13, // Retired key 13
|
||||
PIV_DATA_OBJ_X509_RETIRED14, // Retired key 14
|
||||
PIV_DATA_OBJ_X509_RETIRED15, // Retired key 15
|
||||
PIV_DATA_OBJ_X509_RETIRED16, // Retired key 16
|
||||
PIV_DATA_OBJ_X509_RETIRED17, // Retired key 17
|
||||
PIV_DATA_OBJ_X509_RETIRED18, // Retired key 18
|
||||
PIV_DATA_OBJ_X509_RETIRED19, // Retired key 19
|
||||
PIV_DATA_OBJ_X509_RETIRED20, // Retired key 20
|
||||
PIV_DATA_OBJ_CCC, // Card capability container
|
||||
PIV_DATA_OBJ_CHUI, // Cardholder unique id
|
||||
PIV_DATA_OBJ_CHF, // Cardholder fingerprints
|
||||
PIV_DATA_OBJ_SEC_OBJ, // Security object
|
||||
PIV_DATA_OBJ_CHFI, // Cardholder facial images
|
||||
PIV_DATA_OBJ_PI, // Cardholder printed information
|
||||
PIV_DATA_OBJ_DISCOVERY, // Discovery object
|
||||
PIV_DATA_OBJ_HISTORY, // History object
|
||||
PIV_DATA_OBJ_IRIS_IMAGE, // Cardholder iris images
|
||||
PIV_DATA_OBJ_BITGT, // Biometric information templates group template
|
||||
PIV_DATA_OBJ_SM_SIGNER, // Secure messaging signer
|
||||
PIV_DATA_OBJ_PC_REF_DATA, // Pairing code reference data
|
||||
PIV_DATA_OBJ_LAST,
|
||||
|
||||
PIV_CERT_OBJ_X509_PIV_AUTH, // Certificate for PIV authentication
|
||||
PIV_CERT_OBJ_X509_CARD_AUTH, // Certificate for card authentication
|
||||
PIV_CERT_OBJ_X509_DS, // Certificate for digital signature
|
||||
PIV_CERT_OBJ_X509_KM, // Certificate for key management
|
||||
PIV_CERT_OBJ_X509_RETIRED1, // Certificate for retired key 1
|
||||
PIV_CERT_OBJ_X509_RETIRED2, // Certificate for retired key 2
|
||||
PIV_CERT_OBJ_X509_RETIRED3, // Certificate for retired key 3
|
||||
PIV_CERT_OBJ_X509_RETIRED4, // Certificate for retired key 4
|
||||
PIV_CERT_OBJ_X509_RETIRED5, // Certificate for retired key 5
|
||||
PIV_CERT_OBJ_X509_RETIRED6, // Certificate for retired key 6
|
||||
PIV_CERT_OBJ_X509_RETIRED7, // Certificate for retired key 7
|
||||
PIV_CERT_OBJ_X509_RETIRED8, // Certificate for retired key 8
|
||||
PIV_CERT_OBJ_X509_RETIRED9, // Certificate for retired key 9
|
||||
PIV_CERT_OBJ_X509_RETIRED10, // Certificate for retired key 10
|
||||
PIV_CERT_OBJ_X509_RETIRED11, // Certificate for retired key 11
|
||||
PIV_CERT_OBJ_X509_RETIRED12, // Certificate for retired key 12
|
||||
PIV_CERT_OBJ_X509_RETIRED13, // Certificate for retired key 13
|
||||
PIV_CERT_OBJ_X509_RETIRED14, // Certificate for retired key 14
|
||||
PIV_CERT_OBJ_X509_RETIRED15, // Certificate for retired key 15
|
||||
PIV_CERT_OBJ_X509_RETIRED16, // Certificate for retired key 16
|
||||
PIV_CERT_OBJ_X509_RETIRED17, // Certificate for retired key 17
|
||||
PIV_CERT_OBJ_X509_RETIRED18, // Certificate for retired key 18
|
||||
PIV_CERT_OBJ_X509_RETIRED19, // Certificate for retired key 19
|
||||
PIV_CERT_OBJ_X509_RETIRED20, // Certificate for retired key 20
|
||||
PIV_CERT_OBJ_LAST,
|
||||
|
||||
PIV_PVTK_OBJ_PIV_AUTH, // Private key for PIV authentication
|
||||
PIV_PVTK_OBJ_CARD_AUTH, // Private key for card authentication
|
||||
PIV_PVTK_OBJ_DS, // Private key for digital signature
|
||||
PIV_PVTK_OBJ_KM, // Private key for key management
|
||||
PIV_PVTK_OBJ_RETIRED1, // Private key for retired key 1
|
||||
PIV_PVTK_OBJ_RETIRED2, // Private key for retired key 2
|
||||
PIV_PVTK_OBJ_RETIRED3, // Private key for retired key 3
|
||||
PIV_PVTK_OBJ_RETIRED4, // Private key for retired key 4
|
||||
PIV_PVTK_OBJ_RETIRED5, // Private key for retired key 5
|
||||
PIV_PVTK_OBJ_RETIRED6, // Private key for retired key 6
|
||||
PIV_PVTK_OBJ_RETIRED7, // Private key for retired key 7
|
||||
PIV_PVTK_OBJ_RETIRED8, // Private key for retired key 8
|
||||
PIV_PVTK_OBJ_RETIRED9, // Private key for retired key 9
|
||||
PIV_PVTK_OBJ_RETIRED10, // Private key for retired key 10
|
||||
PIV_PVTK_OBJ_RETIRED11, // Private key for retired key 11
|
||||
PIV_PVTK_OBJ_RETIRED12, // Private key for retired key 12
|
||||
PIV_PVTK_OBJ_RETIRED13, // Private key for retired key 13
|
||||
PIV_PVTK_OBJ_RETIRED14, // Private key for retired key 14
|
||||
PIV_PVTK_OBJ_RETIRED15, // Private key for retired key 15
|
||||
PIV_PVTK_OBJ_RETIRED16, // Private key for retired key 16
|
||||
PIV_PVTK_OBJ_RETIRED17, // Private key for retired key 17
|
||||
PIV_PVTK_OBJ_RETIRED18, // Private key for retired key 18
|
||||
PIV_PVTK_OBJ_RETIRED19, // Private key for retired key 19
|
||||
PIV_PVTK_OBJ_RETIRED20, // Private key for retired key 20
|
||||
PIV_PVTK_OBJ_LAST,
|
||||
|
||||
PIV_PUBK_OBJ_PIV_AUTH, // Public key for PIV authentication
|
||||
PIV_PUBK_OBJ_CARD_AUTH, // Public key for card authentication
|
||||
PIV_PUBK_OBJ_DS, // Public key for digital signature
|
||||
PIV_PUBK_OBJ_KM, // Public key for key management
|
||||
PIV_PUBK_OBJ_RETIRED1, // Public key for retired key 1
|
||||
PIV_PUBK_OBJ_RETIRED2, // Public key for retired key 2
|
||||
PIV_PUBK_OBJ_RETIRED3, // Public key for retired key 3
|
||||
PIV_PUBK_OBJ_RETIRED4, // Public key for retired key 4
|
||||
PIV_PUBK_OBJ_RETIRED5, // Public key for retired key 5
|
||||
PIV_PUBK_OBJ_RETIRED6, // Public key for retired key 6
|
||||
PIV_PUBK_OBJ_RETIRED7, // Public key for retired key 7
|
||||
PIV_PUBK_OBJ_RETIRED8, // Public key for retired key 8
|
||||
PIV_PUBK_OBJ_RETIRED9, // Public key for retired key 9
|
||||
PIV_PUBK_OBJ_RETIRED10, // Public key for retired key 10
|
||||
PIV_PUBK_OBJ_RETIRED11, // Public key for retired key 11
|
||||
PIV_PUBK_OBJ_RETIRED12, // Public key for retired key 12
|
||||
PIV_PUBK_OBJ_RETIRED13, // Public key for retired key 13
|
||||
PIV_PUBK_OBJ_RETIRED14, // Public key for retired key 14
|
||||
PIV_PUBK_OBJ_RETIRED15, // Public key for retired key 15
|
||||
PIV_PUBK_OBJ_RETIRED16, // Public key for retired key 16
|
||||
PIV_PUBK_OBJ_RETIRED17, // Public key for retired key 17
|
||||
PIV_PUBK_OBJ_RETIRED18, // Public key for retired key 18
|
||||
PIV_PUBK_OBJ_RETIRED19, // Public key for retired key 19
|
||||
PIV_PUBK_OBJ_RETIRED20, // Public key for retired key 20
|
||||
PIV_PUBK_OBJ_LAST
|
||||
|
||||
} piv_obj_id_t;
|
||||
|
||||
#define OBJECT_INVALID (PIV_PUBK_OBJ_LAST + 1)
|
||||
|
||||
typedef CK_RV (*get_attr_f)(CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR);
|
||||
|
||||
typedef struct {
|
||||
const char *oid;
|
||||
CK_BYTE tag_len;
|
||||
CK_BYTE tag_value[3]; // TODO: needed?
|
||||
CK_BYTE containerid[2]; /* will use as relative paths for simulation */ // TODO: needed?
|
||||
} piv_data_obj_t;
|
||||
|
||||
typedef struct {
|
||||
X509 *data;
|
||||
} piv_cert_obj_t;
|
||||
|
||||
typedef struct { // TODO: enough to use the public key for the parameters?
|
||||
CK_BBOOL decrypt;
|
||||
CK_BBOOL sign;
|
||||
CK_BBOOL unwrap;
|
||||
CK_BBOOL derive;
|
||||
CK_BBOOL always_auth;
|
||||
} piv_pvtk_obj_t;
|
||||
|
||||
typedef struct {
|
||||
EVP_PKEY *data; // TODO: make custom type for this and X509
|
||||
CK_BBOOL encrypt;
|
||||
CK_BBOOL verify;
|
||||
CK_BBOOL wrap;
|
||||
CK_BBOOL derive;
|
||||
} piv_pubk_obj_t;
|
||||
|
||||
typedef struct {
|
||||
piv_obj_id_t piv_id; // TODO: technically redundant
|
||||
CK_BBOOL token; // TODO: not used yet
|
||||
CK_BBOOL private;
|
||||
CK_BBOOL modifiable;
|
||||
const char *label;
|
||||
CK_BBOOL copyable; // TODO: Optional, not used so far (default TRUE)
|
||||
CK_BBOOL destroyable; // TODO: Optional, not used so far (default TRUE)
|
||||
get_attr_f get_attribute;
|
||||
CK_BYTE sub_id; // Sub-object id
|
||||
} piv_obj_t;
|
||||
|
||||
#endif
|
||||
-1574
File diff suppressed because it is too large
@@ -1,59 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef OBJECTS_H
|
||||
#define OBJECTS_H
|
||||
|
||||
#include "ykcs11.h"
|
||||
|
||||
CK_ULONG piv_2_ykpiv(piv_obj_id_t id);
|
||||
|
||||
CK_RV get_attribute(ykcs11_session_t *s, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template);
|
||||
CK_BBOOL attribute_match(ykcs11_session_t *s, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR attribute);
|
||||
CK_BBOOL is_private_object(ykcs11_session_t *s, CK_OBJECT_HANDLE obj);
|
||||
|
||||
CK_RV get_available_certificate_ids(ykcs11_session_t *s, piv_obj_id_t *cert_ids, CK_ULONG n_certs);
|
||||
CK_RV store_cert(piv_obj_id_t cert_id, CK_BYTE_PTR data, CK_ULONG len);
|
||||
CK_RV delete_cert(piv_obj_id_t cert_id);
|
||||
|
||||
CK_RV check_create_cert(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id,
|
||||
CK_BYTE_PTR *value, CK_ULONG_PTR cert_len);
|
||||
CK_RV check_create_ec_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id,
|
||||
CK_BYTE_PTR *value, CK_ULONG_PTR value_len, CK_ULONG_PTR vendor_defined);
|
||||
CK_RV check_create_rsa_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id,
|
||||
CK_BYTE_PTR *p, CK_ULONG_PTR p_len,
|
||||
CK_BYTE_PTR *q, CK_ULONG_PTR q_len,
|
||||
CK_BYTE_PTR *dp, CK_ULONG_PTR dp_len,
|
||||
CK_BYTE_PTR *dq, CK_ULONG_PTR dq_len,
|
||||
CK_BYTE_PTR *qinv, CK_ULONG_PTR qinv_len,
|
||||
CK_ULONG_PTR vendor_defined);
|
||||
CK_RV check_delete_cert(CK_OBJECT_HANDLE hObject, CK_BYTE_PTR id);
|
||||
|
||||
#endif
|
||||
@@ -1,56 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef OPENSSL_TYPES_H
|
||||
#define OPENSSL_TYPES_H
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/ec.h>
|
||||
|
||||
typedef enum {
|
||||
YKCS11_NO_HASH,
|
||||
YKCS11_SHA1,
|
||||
//YKCS11_SHA224,
|
||||
YKCS11_SHA256,
|
||||
YKCS11_SHA384,
|
||||
YKCS11_SHA512,
|
||||
//YKCS11_RIPEMD128_RSA_PKCS,
|
||||
//YKCS11_RIPEMD160
|
||||
} hash_t;
|
||||
|
||||
typedef EVP_MD_CTX ykcs11_md_ctx_t;
|
||||
//typedef EVP_PKEY ykcs11_evp_pkey_t;
|
||||
|
||||
typedef RSA ykcs11_rsa_key_t;
|
||||
|
||||
#endif
|
||||
@@ -1,709 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "openssl_utils.h"
|
||||
#include <stdbool.h>
|
||||
#include "../tool/util.h" // TODO: share this better?
|
||||
#include "../tool/openssl-compat.h" // TODO: share this better?
|
||||
#include "debug.h"
|
||||
#include <string.h>
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
# define X509_set_notBefore X509_set1_notBefore
|
||||
# define X509_set_notAfter X509_set1_notAfter
|
||||
#endif
|
||||
|
||||
CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert) {
|
||||
|
||||
const unsigned char *p = data; // Mandatory temp variable required by OpenSSL
|
||||
int cert_len;
|
||||
|
||||
if (*p == 0x70) {
|
||||
// The certificate is in "PIV" format 0x70 len 0x30 len ...
|
||||
p++;
|
||||
p += get_length(p, &cert_len);
|
||||
}
|
||||
else {
|
||||
// Raw certificate 0x30 len ...
|
||||
cert_len = 0;
|
||||
cert_len += get_length(p + 1, &cert_len) + 1;
|
||||
}
|
||||
|
||||
if ((CK_ULONG)cert_len > len)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
*cert = d2i_X509(NULL, &p, cert_len);
|
||||
if (*cert == NULL)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa,
|
||||
CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
|
||||
|
||||
X509 *cert = NULL;
|
||||
EVP_PKEY *key = NULL;
|
||||
RSA *rsa = NULL;
|
||||
BIGNUM *bignum_n = NULL;
|
||||
BIGNUM *bignum_e = NULL;
|
||||
BIGNUM *bignum_prv = NULL;
|
||||
unsigned char zeroes[512] = {0};
|
||||
EC_KEY *eck = NULL;
|
||||
EC_GROUP *ecg = NULL;
|
||||
EC_POINT *ecp = NULL;
|
||||
ASN1_TIME *tm = NULL;
|
||||
|
||||
unsigned char *data_ptr;
|
||||
unsigned char *p;
|
||||
int len;
|
||||
|
||||
CK_RV rv = CKR_FUNCTION_FAILED;
|
||||
|
||||
cert = X509_new();
|
||||
if (cert == NULL)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
key = EVP_PKEY_new();
|
||||
if (key == NULL)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
if (is_rsa) {
|
||||
// RSA
|
||||
rsa = RSA_new();
|
||||
if (rsa == NULL)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
data_ptr = in + 5;
|
||||
if (*data_ptr != 0x81)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
data_ptr++;
|
||||
data_ptr += get_length(data_ptr, &len);
|
||||
bignum_n = BN_bin2bn(data_ptr, len, NULL);
|
||||
if(bignum_n == NULL)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
data_ptr += len;
|
||||
|
||||
if(*data_ptr != 0x82)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
// OpenSSL 1.1 doesn't allow to set empty signatures
|
||||
// Use a bogus private key
|
||||
bignum_prv = BN_bin2bn(zeroes, len, NULL);
|
||||
if (bignum_prv == NULL)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
data_ptr++;
|
||||
data_ptr += get_length(data_ptr, &len);
|
||||
bignum_e = BN_bin2bn(data_ptr, len, NULL);
|
||||
if(bignum_e == NULL)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
if (RSA_set0_key(rsa, bignum_n, bignum_e, bignum_prv) == 0)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
if (EVP_PKEY_set1_RSA(key, rsa) == 0)
|
||||
goto create_empty_cert_cleanup;
|
||||
}
|
||||
else {
|
||||
// ECCP256
|
||||
data_ptr = in + 3;
|
||||
|
||||
eck = EC_KEY_new();
|
||||
if (eck == NULL)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
ecg = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
|
||||
if (ecg == NULL)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
EC_GROUP_set_asn1_flag(ecg, NID_X9_62_prime256v1);
|
||||
EC_KEY_set_group(eck, ecg);
|
||||
ecp = EC_POINT_new(ecg);
|
||||
|
||||
if(*data_ptr++ != 0x86)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
// The curve point should always be 65 bytes
|
||||
if (*data_ptr++ != 65)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
if (EC_POINT_oct2point(ecg, ecp, data_ptr, 65, NULL) == 0)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
if (EC_KEY_set_public_key(eck, ecp) == 0)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
// OpenSSL 1.1 doesn't allow to set empty signatures
|
||||
// Use a bogus private key
|
||||
bignum_prv = BN_bin2bn(zeroes, 65, NULL);
|
||||
if (bignum_prv == NULL)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
if (EC_KEY_set_private_key(eck, bignum_prv) == 0)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
if (EVP_PKEY_set1_EC_KEY(key, eck) == 0)
|
||||
goto create_empty_cert_cleanup;
|
||||
}
|
||||
|
||||
if (X509_set_pubkey(cert, key) == 0) // TODO: there is also X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
tm = ASN1_TIME_new();
|
||||
if (tm == NULL)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
ASN1_TIME_set_string(tm, "000001010000Z");
|
||||
X509_set_notBefore(cert, tm);
|
||||
X509_set_notAfter(cert, tm);
|
||||
|
||||
// Write a bogus signature to make a valid certificate
|
||||
if (X509_sign(cert, key, EVP_sha1()) == 0)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
len = i2d_X509(cert, NULL);
|
||||
if (len < 0)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
if ((CK_ULONG)len > *out_len) {
|
||||
rv = CKR_BUFFER_TOO_SMALL;
|
||||
goto create_empty_cert_cleanup;
|
||||
}
|
||||
|
||||
p = out;
|
||||
if ((*out_len = (CK_ULONG) i2d_X509(cert, &p)) == 0)
|
||||
goto create_empty_cert_cleanup;
|
||||
|
||||
/********************/
|
||||
/*BIO *STDout = BIO_new_fp(stderr, BIO_NOCLOSE);
|
||||
|
||||
X509_print_ex(STDout, cert, 0, 0);
|
||||
|
||||
BIO_free(STDout);*/
|
||||
/********************/
|
||||
|
||||
rv = CKR_OK;
|
||||
|
||||
create_empty_cert_cleanup:
|
||||
|
||||
if (tm != NULL) {
|
||||
ASN1_STRING_free(tm);
|
||||
tm = NULL;
|
||||
}
|
||||
|
||||
if (bignum_n != NULL) {
|
||||
BN_free(bignum_n);
|
||||
bignum_n = NULL;
|
||||
}
|
||||
|
||||
if (bignum_e != NULL) {
|
||||
BN_free(bignum_e);
|
||||
bignum_e = NULL;
|
||||
}
|
||||
|
||||
if (bignum_prv != NULL) {
|
||||
BN_free(bignum_prv);
|
||||
bignum_prv = NULL;
|
||||
}
|
||||
|
||||
if (ecp != NULL) {
|
||||
EC_POINT_free(ecp);
|
||||
ecp = NULL;
|
||||
}
|
||||
|
||||
if (ecg != NULL) {
|
||||
EC_GROUP_free(ecg);
|
||||
ecg = NULL;
|
||||
}
|
||||
|
||||
if (eck != NULL) {
|
||||
EC_KEY_free(eck);
|
||||
eck = NULL;
|
||||
}
|
||||
|
||||
if (key != NULL) {
|
||||
EVP_PKEY_free(key);
|
||||
key = NULL;
|
||||
}
|
||||
|
||||
if (cert != NULL) {
|
||||
X509_free(cert);
|
||||
cert = NULL;
|
||||
}
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
||||
CK_RV do_check_cert(CK_BYTE_PTR in, CK_ULONG_PTR cert_len) {
|
||||
|
||||
X509 *cert;
|
||||
const unsigned char *p = in; // Mandatory temp variable required by OpenSSL
|
||||
int len;
|
||||
|
||||
len = 0;
|
||||
len += get_length(p + 1, &len) + 1;
|
||||
|
||||
*cert_len = (CK_ULONG) len;
|
||||
|
||||
cert = d2i_X509(NULL, &p, (long) *cert_len);
|
||||
if (cert == NULL)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV do_get_raw_cert(X509 *cert, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
|
||||
|
||||
CK_BYTE_PTR p;
|
||||
int len;
|
||||
|
||||
len = i2d_X509(cert, NULL);
|
||||
|
||||
if (len < 0)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
if ((CK_ULONG)len > *out_len)
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
p = out;
|
||||
if ((*out_len = (CK_ULONG) i2d_X509(cert, &p)) == 0)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV do_delete_cert(X509 **cert) {
|
||||
|
||||
X509_free(*cert);
|
||||
cert = NULL;
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
/*CK_RV free_cert(X509 *cert) {
|
||||
|
||||
X509_free((X509 *) cert);
|
||||
|
||||
return CKR_OK;
|
||||
}*/
|
||||
|
||||
|
||||
CK_RV do_store_pubk(X509 *cert, EVP_PKEY **key) {
|
||||
|
||||
*key = X509_get_pubkey(cert);
|
||||
|
||||
if (*key == NULL)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_KEY_TYPE do_get_key_type(EVP_PKEY *key) {
|
||||
|
||||
switch (EVP_PKEY_id(key)) {
|
||||
case EVP_PKEY_RSA:
|
||||
case EVP_PKEY_RSA2:
|
||||
return CKK_RSA;
|
||||
|
||||
case EVP_PKEY_EC:
|
||||
return CKK_ECDSA;
|
||||
|
||||
default:
|
||||
return CKK_VENDOR_DEFINED; // Actually an error
|
||||
}
|
||||
}
|
||||
|
||||
CK_ULONG do_get_rsa_modulus_length(EVP_PKEY *key) {
|
||||
|
||||
CK_ULONG key_len = 0;
|
||||
RSA *rsa;
|
||||
|
||||
rsa = EVP_PKEY_get1_RSA(key);
|
||||
if (rsa == NULL)
|
||||
return 0;
|
||||
|
||||
key_len = (CK_ULONG) (RSA_size(rsa) * 8); // There is also RSA_bits but only in >= 1.1.0
|
||||
|
||||
RSA_free(rsa);
|
||||
rsa = NULL;
|
||||
|
||||
return key_len;
|
||||
|
||||
}
|
||||
|
||||
CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
|
||||
RSA *rsa;
|
||||
const BIGNUM *n;
|
||||
|
||||
rsa = EVP_PKEY_get1_RSA(key);
|
||||
if (rsa == NULL)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
RSA_get0_key(rsa, &n, NULL, NULL);
|
||||
if ((CK_ULONG)BN_num_bytes(n) > *len) {
|
||||
RSA_free(rsa);
|
||||
rsa = NULL;
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
*len = (CK_ULONG)BN_bn2bin(n, data);
|
||||
|
||||
RSA_free(rsa);
|
||||
rsa = NULL;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
|
||||
|
||||
CK_ULONG e = 0;
|
||||
RSA *rsa;
|
||||
const BIGNUM *bn_e;
|
||||
|
||||
rsa = EVP_PKEY_get1_RSA(key);
|
||||
if (rsa == NULL)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
RSA_get0_key(rsa, NULL, &bn_e, NULL);
|
||||
if ((CK_ULONG)BN_num_bytes(bn_e) > *len) {
|
||||
RSA_free(rsa);
|
||||
rsa = NULL;
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
*len = (CK_ULONG)BN_bn2bin(bn_e, data);
|
||||
|
||||
RSA_free(rsa);
|
||||
rsa = NULL;
|
||||
|
||||
return e;
|
||||
}
|
||||
|
||||
/* #include <stdio.h> */
|
||||
/* #include <openssl/err.h> */
|
||||
/* ERR_load_crypto_strings(); */
|
||||
/* //SSL_load_error_strings(); */
|
||||
/* fprintf(stderr, "ERROR %s\n", ERR_error_string(ERR_get_error(), NULL)); */
|
||||
CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
|
||||
|
||||
RSA *rsa;
|
||||
unsigned char *p;
|
||||
|
||||
EC_KEY *eck;
|
||||
const EC_GROUP *ecg; // Alternative solution is to get i2d_PUBKEY and manually offset
|
||||
const EC_POINT *ecp;
|
||||
point_conversion_form_t pcf = POINT_CONVERSION_UNCOMPRESSED;
|
||||
|
||||
switch(EVP_PKEY_id(key)) {
|
||||
case EVP_PKEY_RSA:
|
||||
case EVP_PKEY_RSA2:
|
||||
|
||||
rsa = EVP_PKEY_get1_RSA(key);
|
||||
|
||||
if ((CK_ULONG)RSA_size(rsa) > *len) {
|
||||
RSA_free(rsa);
|
||||
rsa = NULL;
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
p = data;
|
||||
|
||||
if ((*len = (CK_ULONG) i2d_RSAPublicKey(rsa, &p)) == 0) {
|
||||
RSA_free(rsa);
|
||||
rsa = NULL;
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
// TODO: this is the correct thing to do so that we strip out the exponent
|
||||
// OTOH we also need a function to get the exponent out with CKA_PUBLIC_EXPONENT
|
||||
/*BN_bn2bin(rsa->n, data);
|
||||
*len = 256;*/
|
||||
|
||||
/* fprintf(stderr, "Public key is: \n"); */
|
||||
/* dump_hex(data, *len, stderr, CK_TRUE); */
|
||||
|
||||
break;
|
||||
|
||||
case EVP_PKEY_EC:
|
||||
eck = EVP_PKEY_get1_EC_KEY(key);
|
||||
ecg = EC_KEY_get0_group(eck);
|
||||
ecp = EC_KEY_get0_public_key(eck);
|
||||
|
||||
// Add the DER structure with length after extracting the point
|
||||
data[0] = 0x04;
|
||||
|
||||
if ((*len = EC_POINT_point2oct(ecg, ecp, pcf, data + 2, *len - 2, NULL)) == 0) {
|
||||
EC_KEY_free(eck);
|
||||
eck = NULL;
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
data[1] = *len;
|
||||
|
||||
*len += 2;
|
||||
|
||||
EC_KEY_free(eck);
|
||||
eck = NULL;
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV do_encode_rsa_public_key(ykcs11_rsa_key_t **key, CK_BYTE_PTR modulus,
|
||||
CK_ULONG mlen, CK_BYTE_PTR exponent, CK_ULONG elen) {
|
||||
ykcs11_rsa_key_t *k;
|
||||
BIGNUM *k_n = NULL, *k_e = NULL;
|
||||
if (modulus == NULL || exponent == NULL)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
if ((k = RSA_new()) == NULL)
|
||||
return CKR_HOST_MEMORY;
|
||||
|
||||
if ((k_n = BN_bin2bn(modulus, mlen, NULL)) == NULL)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
if ((k_e = BN_bin2bn(exponent, elen, NULL)) == NULL)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
if (RSA_set0_key(k, k_n, k_e, NULL) == 0)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
*key = k;
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV do_free_rsa_public_key(ykcs11_rsa_key_t *key) {
|
||||
RSA_free(key);
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV do_get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
|
||||
|
||||
EC_KEY *eck;
|
||||
const EC_GROUP *ecg;
|
||||
unsigned char *p;
|
||||
|
||||
eck = EVP_PKEY_get1_EC_KEY(key);
|
||||
ecg = EC_KEY_get0_group(eck);
|
||||
|
||||
p = data;
|
||||
|
||||
if ((*len = (CK_ULONG) i2d_ECPKParameters(ecg, &p)) == 0) {
|
||||
EC_KEY_free(eck);
|
||||
eck = NULL;
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
EC_KEY_free(eck);
|
||||
eck = NULL;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV do_delete_pubk(EVP_PKEY **key) {
|
||||
|
||||
EVP_PKEY_free(*key);
|
||||
key = NULL;
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
/*CK_RV free_key(EVP_PKEY *key) {
|
||||
|
||||
EVP_PKEY_free(key);
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}*/
|
||||
|
||||
CK_RV do_pkcs_1_t1(CK_BYTE_PTR in, CK_ULONG in_len, CK_BYTE_PTR out, CK_ULONG_PTR out_len, CK_ULONG key_len) {
|
||||
unsigned char buffer[512];
|
||||
|
||||
key_len /= 8;
|
||||
DBG("Apply padding to %lu bytes and get %lu\n", in_len, key_len);
|
||||
|
||||
// TODO: rand must be seeded first (should be automatic)
|
||||
if (*out_len < key_len)
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
if (RSA_padding_add_PKCS1_type_1(buffer, key_len, in, in_len) == 0)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
memcpy(out, buffer, key_len);
|
||||
*out_len = key_len;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV do_pkcs_1_digest_info(CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
|
||||
|
||||
unsigned int len;
|
||||
CK_RV rv;
|
||||
|
||||
rv = prepare_rsa_signature(in, in_len, out, &len, nid);
|
||||
if (!rv)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
*out_len = len;
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len,
|
||||
int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
|
||||
unsigned char em[RSA_size(key)];
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OpenSSL_add_all_digests();
|
||||
#endif
|
||||
|
||||
DBG("Apply PSS padding to %lu bytes and get %d", in_len, RSA_size(key));
|
||||
|
||||
// TODO: rand must be seeded first (should be automatic)
|
||||
if (out != in)
|
||||
memcpy(out, in, in_len);
|
||||
|
||||
// In case of raw PSS (no hash) this function will fail because OpenSSL requires an MD
|
||||
if (RSA_padding_add_PKCS1_PSS(key, em, out, EVP_get_digestbynid(nid), -2) == 0) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
EVP_cleanup();
|
||||
#endif
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
memcpy(out, em, sizeof(em));
|
||||
*out_len = (CK_ULONG) sizeof(em);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
EVP_cleanup();
|
||||
#endif
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV do_md_init(hash_t hash, ykcs11_md_ctx_t **ctx) {
|
||||
|
||||
const EVP_MD *md;
|
||||
|
||||
switch (hash) {
|
||||
case YKCS11_NO_HASH:
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
case YKCS11_SHA1:
|
||||
md = EVP_sha1();
|
||||
break;
|
||||
|
||||
//case YKCS11_SHA224:
|
||||
|
||||
case YKCS11_SHA256:
|
||||
md = EVP_sha256();
|
||||
break;
|
||||
|
||||
case YKCS11_SHA384:
|
||||
md = EVP_sha384();
|
||||
break;
|
||||
|
||||
case YKCS11_SHA512:
|
||||
md = EVP_sha512();
|
||||
break;
|
||||
|
||||
//case YKCS11_RIPEMD128_RSA_PKCS_HASH:
|
||||
//case YKCS11_RIPEMD160_HASH:
|
||||
|
||||
default:
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
*ctx = EVP_MD_CTX_create();
|
||||
|
||||
// The OpenSSL function above never fail
|
||||
if (EVP_DigestInit_ex(*ctx, md, NULL) == 0) {
|
||||
EVP_MD_CTX_destroy((EVP_MD_CTX *)*ctx);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV do_md_update(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR in, CK_ULONG in_len) {
|
||||
|
||||
if (EVP_DigestUpdate(ctx, in, in_len) != 1) {
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV do_md_finalize(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR out, CK_ULONG_PTR out_len, int *nid) {
|
||||
|
||||
int rv;
|
||||
unsigned int len;
|
||||
|
||||
// Keep track of the md type if requested
|
||||
if (nid != NULL)
|
||||
*nid = EVP_MD_CTX_type(ctx);
|
||||
|
||||
// Finalize digest and store result
|
||||
rv = EVP_DigestFinal_ex(ctx, out, &len);
|
||||
|
||||
// Destroy the md context
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
|
||||
// Error if the previous call failed
|
||||
if (rv != 1)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
*out_len = len;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV do_md_cleanup(ykcs11_md_ctx_t *ctx) {
|
||||
|
||||
EVP_MD_CTX_destroy((EVP_MD_CTX *) ctx);
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
@@ -1,74 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef OPENSSL_UTIL_H
|
||||
#define OPENSSL_UTIL_H
|
||||
|
||||
/* #include <openssl/x509.h> */
|
||||
/* #include <openssl/evp.h> */
|
||||
/* #include <openssl/rsa.h> */
|
||||
/* #include <openssl/ec.h> */
|
||||
|
||||
#include "openssl_types.h"
|
||||
#include "pkcs11y.h"
|
||||
|
||||
CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert);
|
||||
CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa,
|
||||
CK_BYTE_PTR out, CK_ULONG_PTR out_len);
|
||||
CK_RV do_check_cert(CK_BYTE_PTR in, CK_ULONG_PTR cert_len);
|
||||
CK_RV do_get_raw_cert(X509 *cert, CK_BYTE_PTR out, CK_ULONG_PTR out_len);
|
||||
CK_RV do_delete_cert(X509 **cert);
|
||||
//CK_RV free_cert(X509 *cert);
|
||||
|
||||
CK_RV do_store_pubk(X509 *cert, EVP_PKEY **key);
|
||||
CK_KEY_TYPE do_get_key_type(EVP_PKEY *key);
|
||||
CK_ULONG do_get_rsa_modulus_length(EVP_PKEY *key);
|
||||
CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
|
||||
CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
|
||||
CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
|
||||
CK_RV do_get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
|
||||
CK_RV do_delete_pubk(EVP_PKEY **key);
|
||||
//CK_RV free_key(EVP_PKEY *key);
|
||||
|
||||
CK_RV do_encode_rsa_public_key(ykcs11_rsa_key_t **key, CK_BYTE_PTR modulus, CK_ULONG mlen, CK_BYTE_PTR exponent, CK_ULONG elen);
|
||||
CK_RV do_free_rsa_public_key(ykcs11_rsa_key_t *key);
|
||||
|
||||
CK_RV do_pkcs_1_t1(CK_BYTE_PTR in, CK_ULONG in_len, CK_BYTE_PTR out, CK_ULONG_PTR out_len, CK_ULONG key_len);
|
||||
CK_RV do_pkcs_1_digest_info(CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len);
|
||||
|
||||
CK_RV do_pkcs_pss(RSA *key, CK_BYTE_PTR in, CK_ULONG in_len, int nid,
|
||||
CK_BYTE_PTR out, CK_ULONG_PTR out_len);
|
||||
|
||||
CK_RV do_md_init(hash_t hash, ykcs11_md_ctx_t **ctx);
|
||||
CK_RV do_md_update(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR in, CK_ULONG in_len);
|
||||
CK_RV do_md_finalize(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR out, CK_ULONG_PTR out_len, int *nid);
|
||||
CK_RV do_md_cleanup(ykcs11_md_ctx_t *ctx);
|
||||
|
||||
#endif
|
||||
-1437
File diff suppressed because it is too large
@@ -1,46 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef PKCS11Y_H
|
||||
#define PKCS11Y_H
|
||||
|
||||
#include "pkcs11.h"
|
||||
|
||||
typedef CK_FLAGS * CK_FLAGS_PTR;
|
||||
|
||||
// YUBICO specific attributes
|
||||
#define CKA_TOUCH_PIN_DEFAULT 0x00000000U
|
||||
#define CKA_TOUCH_ALWAYS 0x00000001U
|
||||
#define CKA_PIN_ONCE 0x00000002U
|
||||
#define CKA_PIN_ALWAYS 0x00000004U
|
||||
#define CKA_PIN_NEVER 0x00000008U
|
||||
#define CKA_TOUCH_NEVER 0x00000016U
|
||||
|
||||
#endif
|
||||
@@ -1,54 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "slot_vendors.h"
|
||||
#include "yubico_slot.h"
|
||||
#include <stdlib.h>
|
||||
|
||||
slot_vendor_t get_slot_vendor(vendor_id_t vid) {
|
||||
slot_vendor_t v;
|
||||
|
||||
switch (vid) {
|
||||
case YUBICO:
|
||||
v.get_slot_manufacturer = YUBICO_get_slot_manufacturer;
|
||||
v.get_slot_flags = YUBICO_get_slot_flags;
|
||||
v.get_slot_version = YUBICO_get_slot_version;
|
||||
break;
|
||||
|
||||
case UNKNOWN:
|
||||
default:
|
||||
v.get_slot_manufacturer = NULL;
|
||||
v.get_slot_flags = NULL;
|
||||
v.get_slot_version = NULL;
|
||||
}
|
||||
|
||||
return v;
|
||||
|
||||
}
|
||||
@@ -1,50 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef SLOT_VENDORS_H
|
||||
#define SLOT_VENDORS_H
|
||||
|
||||
#include "pkcs11y.h"
|
||||
#include "vendor_ids.h"
|
||||
|
||||
typedef CK_RV (*get_s_manufacturer_f)(CK_UTF8CHAR_PTR, CK_ULONG);
|
||||
typedef CK_RV (*get_s_flags_f)(CK_FLAGS_PTR);
|
||||
typedef CK_RV (*get_s_version_f)(CK_VERSION_PTR);
|
||||
|
||||
|
||||
typedef struct {
|
||||
get_s_manufacturer_f get_slot_manufacturer;
|
||||
get_s_flags_f get_slot_flags;
|
||||
get_s_version_f get_slot_version;
|
||||
} slot_vendor_t;
|
||||
|
||||
slot_vendor_t get_slot_vendor(vendor_id_t vid);
|
||||
|
||||
#endif
|
||||
@@ -1,52 +0,0 @@
|
||||
# Copyright (c) 2015-2016 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
#TESTS_ENVIRONMENT = export VERSION=$(PACKAGE_VERSION); export EXEEXT=$(EXEEXT);
|
||||
|
||||
#LOG_COMPILER = $(VALGRIND)
|
||||
|
||||
AM_CFLAGS = $(WARN_CFLAGS) @CHECK_CFLAGS@
|
||||
AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_builddir)/lib
|
||||
AM_CPPFLAGS += -I$(top_srcdir)/ykcs11 -I$(top_builddir)/ykcs11
|
||||
AM_CPPFLAGS += $(OPENSSL_CFLAGS)
|
||||
|
||||
AM_LDFLAGS = @CHECK_LIBS@
|
||||
|
||||
if COMPILER_CLANG
|
||||
AM_LDFLAGS += -no-fast-install
|
||||
else
|
||||
AM_LDFLAGS += -no-install
|
||||
endif
|
||||
|
||||
ykcs11_tests_LDADD = ../libykcs11.la $(OPENSSL_LIBS) ../../tool/libpiv_util.la
|
||||
ykcs11_tests_SOURCES = ykcs11_tests.c
|
||||
check_PROGRAMS = ykcs11_tests
|
||||
TESTS = reset.sh $(check_PROGRAMS)
|
||||
|
||||
if ENABLE_COV
|
||||
AM_LDFLAGS += --coverage
|
||||
endif
|
||||
@@ -1,20 +0,0 @@
|
||||
BIN="../../tool/yubico-piv-tool${EXEEXT}"
|
||||
|
||||
# Verify that user has confirmed destructive hw-tests
|
||||
if [ "x$YKPIV_ENV_HWTESTS_CONFIRMED" != "x1" ]; then
|
||||
printf "\n***\n*** Hardware tests skipped. Run \"make hwcheck\".\n***\n\n" >&0
|
||||
exit 77 # exit code 77 == skipped tests
|
||||
fi
|
||||
|
||||
# Reset
|
||||
$BIN -averify-pin -P000000 || true
|
||||
$BIN -averify-pin -P000000 || true
|
||||
$BIN -averify-pin -P000000 || true
|
||||
$BIN -averify-pin -P000000 || true
|
||||
$BIN -averify-pin -P000000 || true
|
||||
$BIN -achange-puk -P000000 -N00000000 || true
|
||||
$BIN -achange-puk -P000000 -N00000000 || true
|
||||
$BIN -achange-puk -P000000 -N00000000 || true
|
||||
$BIN -achange-puk -P000000 -N00000000 || true
|
||||
$BIN -achange-puk -P000000 -N00000000 || true
|
||||
$BIN -areset
|
||||
@@ -1,721 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "../../tool/openssl-compat.h"
|
||||
#include <ykcs11.h>
|
||||
#include <ykcs11-version.h>
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/ec.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/rand.h>
|
||||
|
||||
#pragma clang diagnostic push
|
||||
#pragma clang diagnostic ignored "-Wpointer-sign"
|
||||
|
||||
#ifdef __MINGW32__
|
||||
#define dprintf(fd, ...) fprintf(stdout, __VA_ARGS__)
|
||||
#endif
|
||||
|
||||
void dump_hex(const unsigned char *buf, unsigned int len, FILE *output, int space) {
|
||||
unsigned int i;
|
||||
for (i = 0; i < len; i++) {
|
||||
fprintf(output, "%02x%s", buf[i], space == 1 ? " " : "");
|
||||
}
|
||||
fprintf(output, "\n");
|
||||
}
|
||||
|
||||
CK_FUNCTION_LIST_PTR funcs;
|
||||
|
||||
#define asrt(c, e, m) _asrt(__LINE__, c, e, m);
|
||||
|
||||
static void _asrt(int line, CK_ULONG check, CK_ULONG expected, CK_CHAR_PTR msg) {
|
||||
|
||||
if (check == expected)
|
||||
return;
|
||||
|
||||
fprintf(stderr, "<%s>:%d check failed with value %lu (0x%lx), expected %lu (0x%lx)\n",
|
||||
msg, line, check, check, expected, expected);
|
||||
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
}
|
||||
|
||||
static void get_functions(CK_FUNCTION_LIST_PTR_PTR funcs) {
|
||||
|
||||
if (C_GetFunctionList(funcs) != CKR_OK) {
|
||||
fprintf(stderr, "Get function list failed\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
static void test_lib_info() {
|
||||
|
||||
const CK_CHAR_PTR MANUFACTURER_ID = "Yubico (www.yubico.com)";
|
||||
const CK_CHAR_PTR YKCS11_DESCRIPTION = "PKCS#11 PIV Library (SP-800-73)";
|
||||
const CK_ULONG CRYPTOKI_VERSION_MAJ = 2;
|
||||
const CK_ULONG CRYPTOKI_VERSION_MIN = 40;
|
||||
|
||||
|
||||
CK_INFO info;
|
||||
|
||||
asrt(funcs->C_GetInfo(&info), CKR_OK, "GET_INFO");
|
||||
|
||||
asrt(strcmp(info.manufacturerID, MANUFACTURER_ID), 0, "MANUFACTURER");
|
||||
|
||||
asrt(info.cryptokiVersion.major, CRYPTOKI_VERSION_MAJ, "CK_MAJ");
|
||||
asrt(info.cryptokiVersion.minor, CRYPTOKI_VERSION_MIN, "CK_MIN");
|
||||
|
||||
asrt(info.libraryVersion.major, YKCS11_VERSION_MAJOR, "LIB_MAJ");
|
||||
asrt(info.libraryVersion.minor, ((YKCS11_VERSION_MINOR * 10) + YKCS11_VERSION_PATCH ), "LIB_MIN");
|
||||
|
||||
asrt(strcmp(info.libraryDescription, YKCS11_DESCRIPTION), 0, "LIB_DESC");
|
||||
}
|
||||
|
||||
#ifdef HW_TESTS
|
||||
static void test_initalize() {
|
||||
|
||||
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
|
||||
|
||||
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
|
||||
|
||||
}
|
||||
|
||||
static int test_token_info() {
|
||||
|
||||
const CK_CHAR_PTR TOKEN_LABEL = "YubiKey PIV";
|
||||
const CK_CHAR_PTR TOKEN_MODEL = "YubiKey "; // Skip last 3 characters (version dependent)
|
||||
const CK_CHAR_PTR TOKEN_MODEL_YK4 = "YubiKey YK4";
|
||||
const CK_CHAR_PTR TOKEN_SERIAL = "1234";
|
||||
const CK_FLAGS TOKEN_FLAGS = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED;
|
||||
const CK_VERSION HW = {0, 0};
|
||||
const CK_CHAR_PTR TOKEN_TIME = " ";
|
||||
CK_TOKEN_INFO info;
|
||||
|
||||
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
|
||||
|
||||
asrt(funcs->C_GetTokenInfo(0, &info), CKR_OK, "GetTokeninfo");
|
||||
asrt(strncmp(info.label, TOKEN_LABEL, strlen(TOKEN_LABEL)), 0, "TOKEN_LABEL");
|
||||
// Skip manufacturer id (not used)
|
||||
asrt(strncmp(info.model, TOKEN_MODEL, strlen(TOKEN_MODEL)), 0, "TOKEN_MODEL");
|
||||
asrt(strncmp(info.serialNumber, TOKEN_SERIAL, strlen(TOKEN_SERIAL)), 0, "SERIAL_NUMBER");
|
||||
asrt(info.flags, TOKEN_FLAGS, "TOKEN_FLAGS");
|
||||
asrt(info.ulMaxSessionCount, CK_UNAVAILABLE_INFORMATION, "MAX_SESSION_COUNT");
|
||||
asrt(info.ulSessionCount, CK_UNAVAILABLE_INFORMATION, "SESSION_COUNT");
|
||||
asrt(info.ulMaxRwSessionCount, CK_UNAVAILABLE_INFORMATION, "MAX_RW_SESSION_COUNT");
|
||||
asrt(info.ulRwSessionCount, CK_UNAVAILABLE_INFORMATION, "RW_SESSION_COUNT");
|
||||
asrt(info.ulMaxPinLen, 8, "MAX_PIN_LEN");
|
||||
asrt(info.ulMinPinLen, 6, "MIN_PIN_LEN");
|
||||
asrt(info.ulTotalPublicMemory, CK_UNAVAILABLE_INFORMATION, "TOTAL_PUB_MEM");
|
||||
asrt(info.ulFreePublicMemory, CK_UNAVAILABLE_INFORMATION, "FREE_PUB_MEM");
|
||||
asrt(info.ulTotalPrivateMemory, CK_UNAVAILABLE_INFORMATION, "TOTAL_PVT_MEM");
|
||||
asrt(info.ulFreePrivateMemory, CK_UNAVAILABLE_INFORMATION, "FREE_PVT_MEM");
|
||||
|
||||
if (strncmp(info.model, TOKEN_MODEL_YK4, strlen(TOKEN_MODEL_YK4)) != 0) {
|
||||
dprintf(0, "\n\n** WARNING: Only YK4 supported. Skipping remaining tests.\n\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
asrt(info.hardwareVersion.major, HW.major, "HW_MAJ");
|
||||
asrt(info.hardwareVersion.minor, HW.minor, "HW_MIN");
|
||||
|
||||
if (info.firmwareVersion.major != 4 && info.firmwareVersion.major != 0)
|
||||
asrt(info.firmwareVersion.major, 4, "FW_MAJ");
|
||||
|
||||
asrt(strncmp(info.utcTime, TOKEN_TIME, sizeof(info.utcTime)), 0, "TOKEN_TIME");
|
||||
|
||||
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void test_mechanism_list_and_info() {
|
||||
|
||||
CK_MECHANISM_TYPE_PTR mechs;
|
||||
CK_ULONG n_mechs;
|
||||
CK_MECHANISM_INFO info;
|
||||
CK_ULONG i;
|
||||
|
||||
static const CK_MECHANISM_TYPE token_mechanisms[] = {
|
||||
CKM_RSA_PKCS_KEY_PAIR_GEN,
|
||||
CKM_RSA_PKCS,
|
||||
CKM_RSA_PKCS_PSS,
|
||||
CKM_RSA_X_509,
|
||||
CKM_SHA1_RSA_PKCS,
|
||||
CKM_SHA256_RSA_PKCS,
|
||||
CKM_SHA384_RSA_PKCS,
|
||||
CKM_SHA512_RSA_PKCS,
|
||||
CKM_SHA1_RSA_PKCS_PSS,
|
||||
CKM_SHA256_RSA_PKCS_PSS,
|
||||
CKM_SHA384_RSA_PKCS_PSS,
|
||||
CKM_SHA512_RSA_PKCS_PSS,
|
||||
CKM_EC_KEY_PAIR_GEN,
|
||||
CKM_ECDSA,
|
||||
CKM_ECDSA_SHA1,
|
||||
CKM_ECDSA_SHA256,
|
||||
CKM_SHA_1,
|
||||
CKM_SHA256,
|
||||
CKM_SHA384,
|
||||
CKM_SHA512
|
||||
};
|
||||
|
||||
static const CK_MECHANISM_INFO token_mechanism_infos[] = { // KEEP ALIGNED WITH token_mechanisms
|
||||
{1024, 2048, CKF_HW | CKF_GENERATE_KEY_PAIR},
|
||||
{1024, 2048, CKF_HW | CKF_DECRYPT | CKF_SIGN},
|
||||
{1024, 2048, CKF_HW | CKF_SIGN},
|
||||
{1024, 2048, CKF_HW | CKF_DECRYPT | CKF_SIGN},
|
||||
{1024, 2048, CKF_HW | CKF_SIGN},
|
||||
{1024, 2048, CKF_HW | CKF_SIGN},
|
||||
{1024, 2048, CKF_HW | CKF_SIGN},
|
||||
{1024, 2048, CKF_HW | CKF_SIGN},
|
||||
{1024, 2048, CKF_HW | CKF_SIGN},
|
||||
{1024, 2048, CKF_HW | CKF_SIGN},
|
||||
{1024, 2048, CKF_HW | CKF_SIGN},
|
||||
{1024, 2048, CKF_HW | CKF_SIGN},
|
||||
{256, 384, CKF_HW | CKF_GENERATE_KEY_PAIR},
|
||||
{256, 384, CKF_HW | CKF_SIGN},
|
||||
{256, 384, CKF_HW | CKF_SIGN},
|
||||
{256, 384, CKF_HW | CKF_SIGN},
|
||||
{0, 0, CKF_DIGEST},
|
||||
{0, 0, CKF_DIGEST},
|
||||
{0, 0, CKF_DIGEST},
|
||||
{0, 0, CKF_DIGEST}
|
||||
};
|
||||
|
||||
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
|
||||
|
||||
asrt(funcs->C_GetMechanismList(0, NULL, &n_mechs), CKR_OK, "GetMechanismList");
|
||||
|
||||
mechs = malloc(n_mechs * sizeof(CK_MECHANISM_TYPE));
|
||||
asrt(funcs->C_GetMechanismList(0, mechs, &n_mechs), CKR_OK, "GetMechanismList");
|
||||
|
||||
asrt(memcmp(token_mechanisms, mechs, sizeof(token_mechanisms)), 0, "CHECK MECHS");
|
||||
|
||||
for (i = 0; i < n_mechs; i++) {
|
||||
asrt(funcs->C_GetMechanismInfo(0, mechs[i], &info), CKR_OK, "GET MECH INFO");
|
||||
asrt(memcmp(token_mechanism_infos + i, &info, sizeof(CK_MECHANISM_INFO)), 0, "CHECK MECH INFO");
|
||||
}
|
||||
|
||||
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
|
||||
}
|
||||
|
||||
static void test_session() {
|
||||
|
||||
CK_SESSION_HANDLE session;
|
||||
CK_SESSION_INFO info;
|
||||
|
||||
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
|
||||
|
||||
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1");
|
||||
asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession");
|
||||
|
||||
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession2");
|
||||
asrt(funcs->C_GetSessionInfo(session, &info), CKR_OK, "GetSessionInfo");
|
||||
asrt(info.state, CKS_RW_PUBLIC_SESSION, "CHECK STATE");
|
||||
asrt(info.flags, CKF_SERIAL_SESSION | CKF_RW_SESSION, "CHECK FLAGS");
|
||||
asrt(info.ulDeviceError, 0, "CHECK DEVICE ERROR");
|
||||
asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession");
|
||||
|
||||
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession3");
|
||||
asrt(funcs->C_CloseAllSessions(0), CKR_OK, "CloseAllSessions");
|
||||
|
||||
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
|
||||
|
||||
}
|
||||
|
||||
static void test_login() {
|
||||
|
||||
CK_SESSION_HANDLE session;
|
||||
CK_SESSION_INFO info;
|
||||
|
||||
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
|
||||
|
||||
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1");
|
||||
|
||||
asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER");
|
||||
asrt(funcs->C_Logout(session), CKR_OK, "Logout USER");
|
||||
|
||||
asrt(funcs->C_Login(session, CKU_SO, "010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO");
|
||||
asrt(funcs->C_Logout(session), CKR_OK, "Logout SO");
|
||||
|
||||
asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession");
|
||||
|
||||
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
|
||||
|
||||
}
|
||||
|
||||
#if !((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
|
||||
static int bogus_sign(int dtype, const unsigned char *m, unsigned int m_length,
|
||||
unsigned char *sigret, unsigned int *siglen, const RSA *rsa) {
|
||||
sigret = malloc(1);
|
||||
sigret = "";
|
||||
*siglen = 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void bogus_sign_cert(X509 *cert) {
|
||||
EVP_PKEY *pkey = EVP_PKEY_new();
|
||||
RSA *rsa = RSA_new();
|
||||
RSA_METHOD *meth = RSA_meth_dup(RSA_get_default_method());
|
||||
BIGNUM *e = BN_new();
|
||||
|
||||
BN_set_word(e, 65537);
|
||||
RSA_generate_key_ex(rsa, 1024, e, NULL);
|
||||
RSA_meth_set_sign(meth, bogus_sign);
|
||||
RSA_set_method(rsa, meth);
|
||||
EVP_PKEY_set1_RSA(pkey, rsa);
|
||||
X509_sign(cert, pkey, EVP_md5());
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
// Import a newly generated P256 pvt key and a certificate
|
||||
// to every slot and use the key to sign some data
|
||||
static void test_import_and_sign_all_10() {
|
||||
|
||||
EVP_PKEY *evp;
|
||||
EC_KEY *eck;
|
||||
const EC_POINT *ecp;
|
||||
const BIGNUM *bn;
|
||||
char pvt[32];
|
||||
X509 *cert;
|
||||
ASN1_TIME *tm;
|
||||
CK_BYTE i, j;
|
||||
CK_BYTE some_data[32];
|
||||
|
||||
CK_ULONG class_k = CKO_PRIVATE_KEY;
|
||||
CK_ULONG class_c = CKO_CERTIFICATE;
|
||||
CK_ULONG kt = CKK_ECDSA;
|
||||
CK_BYTE id = 0;
|
||||
CK_BYTE params[] = {0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07};
|
||||
CK_BYTE sig[64];
|
||||
CK_ULONG recv_len;
|
||||
CK_BYTE value_c[3100];
|
||||
CK_ULONG cert_len;
|
||||
CK_BYTE der_encoded[80];
|
||||
CK_BYTE_PTR der_ptr;
|
||||
CK_BYTE_PTR r_ptr;
|
||||
CK_BYTE_PTR s_ptr;
|
||||
CK_ULONG r_len;
|
||||
CK_ULONG s_len;
|
||||
|
||||
unsigned char *p;
|
||||
|
||||
CK_ATTRIBUTE privateKeyTemplate[] = {
|
||||
{CKA_CLASS, &class_k, sizeof(class_k)},
|
||||
{CKA_KEY_TYPE, &kt, sizeof(kt)},
|
||||
{CKA_ID, &id, sizeof(id)},
|
||||
{CKA_EC_PARAMS, ¶ms, sizeof(params)},
|
||||
{CKA_VALUE, pvt, sizeof(pvt)}
|
||||
};
|
||||
|
||||
CK_ATTRIBUTE publicKeyTemplate[] = {
|
||||
{CKA_CLASS, &class_c, sizeof(class_c)},
|
||||
{CKA_ID, &id, sizeof(id)},
|
||||
{CKA_VALUE, value_c, sizeof(value_c)}
|
||||
};
|
||||
|
||||
CK_OBJECT_HANDLE obj[24];
|
||||
CK_SESSION_HANDLE session;
|
||||
CK_MECHANISM mech = {CKM_ECDSA, NULL};
|
||||
|
||||
evp = EVP_PKEY_new();
|
||||
|
||||
if (evp == NULL)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
eck = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
||||
|
||||
if (eck == NULL)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
asrt(EC_KEY_generate_key(eck), 1, "GENERATE ECK");
|
||||
|
||||
bn = EC_KEY_get0_private_key(eck);
|
||||
|
||||
asrt(BN_bn2bin(bn, pvt), 32, "EXTRACT PVT");
|
||||
|
||||
if (EVP_PKEY_set1_EC_KEY(evp, eck) == 0)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
cert = X509_new();
|
||||
|
||||
if (cert == NULL)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
if (X509_set_pubkey(cert, evp) == 0)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
tm = ASN1_TIME_new();
|
||||
if (tm == NULL)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
ASN1_TIME_set_string(tm, "000001010000Z");
|
||||
X509_set_notBefore(cert, tm);
|
||||
X509_set_notAfter(cert, tm);
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
||||
cert->sig_alg->algorithm = OBJ_nid2obj(8);
|
||||
cert->cert_info->signature->algorithm = OBJ_nid2obj(8);
|
||||
|
||||
ASN1_BIT_STRING_set_bit(cert->signature, 8, 1);
|
||||
ASN1_BIT_STRING_set(cert->signature, "\x00", 1);
|
||||
#else
|
||||
bogus_sign_cert(cert);
|
||||
#endif
|
||||
|
||||
p = value_c;
|
||||
if ((cert_len = (CK_ULONG) i2d_X509(cert, &p)) == 0 || cert_len > sizeof(value_c))
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
publicKeyTemplate[2].ulValueLen = cert_len;
|
||||
|
||||
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
|
||||
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1");
|
||||
asrt(funcs->C_Login(session, CKU_SO, "010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO");
|
||||
|
||||
for (i = 0; i < 24; i++) {
|
||||
id = i;
|
||||
asrt(funcs->C_CreateObject(session, publicKeyTemplate, 3, obj + i), CKR_OK, "IMPORT CERT");
|
||||
asrt(funcs->C_CreateObject(session, privateKeyTemplate, 5, obj + i), CKR_OK, "IMPORT KEY");
|
||||
}
|
||||
|
||||
asrt(funcs->C_Logout(session), CKR_OK, "Logout SO");
|
||||
|
||||
for (i = 0; i < 24; i++) {
|
||||
for (j = 0; j < 10; j++) {
|
||||
|
||||
if(RAND_bytes(some_data, sizeof(some_data)) == -1)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER");
|
||||
asrt(funcs->C_SignInit(session, &mech, obj[i]), CKR_OK, "SignInit");
|
||||
|
||||
recv_len = sizeof(sig);
|
||||
asrt(funcs->C_Sign(session, some_data, sizeof(some_data), sig, &recv_len), CKR_OK, "Sign");
|
||||
|
||||
r_len = 32;
|
||||
s_len = 32;
|
||||
|
||||
der_ptr = der_encoded;
|
||||
*der_ptr++ = 0x30;
|
||||
*der_ptr++ = 0xff; // placeholder, fix below
|
||||
|
||||
r_ptr = sig;
|
||||
|
||||
*der_ptr++ = 0x02;
|
||||
*der_ptr++ = r_len;
|
||||
if (*r_ptr >= 0x80) {
|
||||
*(der_ptr - 1) = *(der_ptr - 1) + 1;
|
||||
*der_ptr++ = 0x00;
|
||||
}
|
||||
else if (*r_ptr == 0x00 && *(r_ptr + 1) < 0x80) {
|
||||
r_len--;
|
||||
*(der_ptr - 1) = *(der_ptr - 1) - 1;
|
||||
r_ptr++;
|
||||
}
|
||||
memcpy(der_ptr, r_ptr, r_len);
|
||||
der_ptr+= r_len;
|
||||
|
||||
s_ptr = sig + 32;
|
||||
|
||||
*der_ptr++ = 0x02;
|
||||
*der_ptr++ = s_len;
|
||||
if (*s_ptr >= 0x80) {
|
||||
*(der_ptr - 1) = *(der_ptr - 1) + 1;
|
||||
*der_ptr++ = 0x00;
|
||||
}
|
||||
else if (*s_ptr == 0x00 && *(s_ptr + 1) < 0x80) {
|
||||
s_len--;
|
||||
*(der_ptr - 1) = *(der_ptr - 1) - 1;
|
||||
s_ptr++;
|
||||
}
|
||||
memcpy(der_ptr, s_ptr, s_len);
|
||||
der_ptr+= s_len;
|
||||
|
||||
der_encoded[1] = der_ptr - der_encoded - 2;
|
||||
|
||||
dump_hex(der_encoded, der_encoded[1] + 2, stderr, 1);
|
||||
|
||||
asrt(ECDSA_verify(0, some_data, sizeof(some_data), der_encoded, der_encoded[1] + 2, eck), 1, "ECDSA VERIFICATION");
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
asrt(funcs->C_Logout(session), CKR_OK, "Logout USER");
|
||||
|
||||
asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession");
|
||||
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
|
||||
|
||||
}
|
||||
|
||||
// Import a newly generated RSA1024 pvt key and a certificate
|
||||
// to every slot and use the key to sign some data
|
||||
static void test_import_and_sign_all_10_RSA() {
|
||||
|
||||
EVP_PKEY *evp;
|
||||
RSA *rsak;
|
||||
X509 *cert;
|
||||
ASN1_TIME *tm;
|
||||
CK_BYTE i, j;
|
||||
CK_BYTE some_data[32];
|
||||
CK_BYTE e[] = {0x01, 0x00, 0x01};
|
||||
CK_BYTE p[64];
|
||||
CK_BYTE q[64];
|
||||
CK_BYTE dp[64];
|
||||
CK_BYTE dq[64];
|
||||
CK_BYTE qinv[64];
|
||||
BIGNUM *e_bn;
|
||||
CK_ULONG class_k = CKO_PRIVATE_KEY;
|
||||
CK_ULONG class_c = CKO_CERTIFICATE;
|
||||
CK_ULONG kt = CKK_RSA;
|
||||
CK_BYTE id = 0;
|
||||
CK_BYTE sig[64];
|
||||
CK_ULONG recv_len;
|
||||
CK_BYTE value_c[3100];
|
||||
CK_ULONG cert_len;
|
||||
CK_BYTE der_encoded[80];
|
||||
CK_BYTE_PTR der_ptr;
|
||||
CK_BYTE_PTR r_ptr;
|
||||
CK_BYTE_PTR s_ptr;
|
||||
CK_ULONG r_len;
|
||||
CK_ULONG s_len;
|
||||
const BIGNUM *bp, *bq, *biqmp, *bdmp1, *bdmq1;
|
||||
|
||||
unsigned char *px;
|
||||
|
||||
CK_ATTRIBUTE privateKeyTemplate[] = {
|
||||
{CKA_CLASS, &class_k, sizeof(class_k)},
|
||||
{CKA_KEY_TYPE, &kt, sizeof(kt)},
|
||||
{CKA_ID, &id, sizeof(id)},
|
||||
{CKA_PUBLIC_EXPONENT, e, sizeof(e)},
|
||||
{CKA_PRIME_1, p, sizeof(p)},
|
||||
{CKA_PRIME_2, q, sizeof(q)},
|
||||
{CKA_EXPONENT_1, dp, sizeof(dp)},
|
||||
{CKA_EXPONENT_2, dq, sizeof(dq)},
|
||||
{CKA_COEFFICIENT, qinv, sizeof(qinv)}
|
||||
};
|
||||
|
||||
CK_ATTRIBUTE publicKeyTemplate[] = {
|
||||
{CKA_CLASS, &class_c, sizeof(class_c)},
|
||||
{CKA_ID, &id, sizeof(id)},
|
||||
{CKA_VALUE, value_c, sizeof(value_c)}
|
||||
};
|
||||
|
||||
CK_OBJECT_HANDLE obj[24];
|
||||
CK_SESSION_HANDLE session;
|
||||
CK_MECHANISM mech = {CKM_RSA_PKCS, NULL};
|
||||
|
||||
evp = EVP_PKEY_new();
|
||||
|
||||
if (evp == NULL)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
rsak = RSA_new();
|
||||
|
||||
if (rsak == NULL)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
e_bn = BN_bin2bn(e, 3, NULL);
|
||||
|
||||
if (e_bn == NULL)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
asrt(RSA_generate_key_ex(rsak, 1024, e_bn, NULL), 1, "GENERATE RSAK");
|
||||
|
||||
RSA_get0_factors(rsak, &bp, &bq);
|
||||
RSA_get0_crt_params(rsak, &bdmp1, &bdmq1, &biqmp);
|
||||
asrt(BN_bn2bin(bp, p), 64, "GET P");
|
||||
asrt(BN_bn2bin(bq, q), 64, "GET Q");
|
||||
asrt(BN_bn2bin(bdmp1, dp), 64, "GET DP");
|
||||
asrt(BN_bn2bin(bdmq1, dp), 64, "GET DQ");
|
||||
asrt(BN_bn2bin(biqmp, qinv), 64, "GET QINV");
|
||||
|
||||
|
||||
|
||||
if (EVP_PKEY_set1_RSA(evp, rsak) == 0)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
cert = X509_new();
|
||||
|
||||
if (cert == NULL)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
if (X509_set_pubkey(cert, evp) == 0)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
tm = ASN1_TIME_new();
|
||||
if (tm == NULL)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
ASN1_TIME_set_string(tm, "000001010000Z");
|
||||
X509_set_notBefore(cert, tm);
|
||||
X509_set_notAfter(cert, tm);
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
||||
/* putting bogus data to signature to make some checks happy */
|
||||
cert->sig_alg->algorithm = OBJ_nid2obj(8);
|
||||
cert->cert_info->signature->algorithm = OBJ_nid2obj(8);
|
||||
|
||||
ASN1_BIT_STRING_set_bit(cert->signature, 8, 1);
|
||||
ASN1_BIT_STRING_set(cert->signature, "\x00", 1);
|
||||
#else
|
||||
bogus_sign_cert(cert);
|
||||
#endif
|
||||
|
||||
px = value_c;
|
||||
if ((cert_len = (CK_ULONG) i2d_X509(cert, &px)) == 0 || cert_len > sizeof(value_c))
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
publicKeyTemplate[2].ulValueLen = cert_len;
|
||||
|
||||
asrt(funcs->C_Initialize(NULL), CKR_OK, "INITIALIZE");
|
||||
asrt(funcs->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session), CKR_OK, "OpenSession1");
|
||||
asrt(funcs->C_Login(session, CKU_SO, "010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO");
|
||||
|
||||
for (i = 0; i < 24; i++) {
|
||||
id = i;
|
||||
asrt(funcs->C_CreateObject(session, publicKeyTemplate, 3, obj + i), CKR_OK, "IMPORT CERT");
|
||||
asrt(funcs->C_CreateObject(session, privateKeyTemplate, 9, obj + i), CKR_OK, "IMPORT KEY");
|
||||
}
|
||||
|
||||
asrt(funcs->C_Logout(session), CKR_OK, "Logout SO");
|
||||
|
||||
for (i = 0; i < 24; i++) {
|
||||
for (j = 0; j < 10; j++) {
|
||||
|
||||
if(RAND_bytes(some_data, sizeof(some_data)) == -1)
|
||||
exit(EXIT_FAILURE);
|
||||
|
||||
asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER");
|
||||
asrt(funcs->C_SignInit(session, &mech, obj[i]), CKR_OK, "SignInit");
|
||||
|
||||
recv_len = sizeof(sig);
|
||||
asrt(funcs->C_Sign(session, some_data, sizeof(some_data), sig, &recv_len), CKR_OK, "Sign");
|
||||
|
||||
/* r_len = 32; */
|
||||
/* s_len = 32; */
|
||||
|
||||
/* der_ptr = der_encoded; */
|
||||
/* *der_ptr++ = 0x30; */
|
||||
/* *der_ptr++ = 0xff; // placeholder, fix below */
|
||||
|
||||
/* r_ptr = sig; */
|
||||
|
||||
/* *der_ptr++ = 0x02; */
|
||||
/* *der_ptr++ = r_len; */
|
||||
/* if (*r_ptr >= 0x80) { */
|
||||
/* *(der_ptr - 1) = *(der_ptr - 1) + 1; */
|
||||
/* *der_ptr++ = 0x00; */
|
||||
/* } */
|
||||
/* else if (*r_ptr == 0x00 && *(r_ptr + 1) < 0x80) { */
|
||||
/* r_len--; */
|
||||
/* *(der_ptr - 1) = *(der_ptr - 1) - 1; */
|
||||
/* r_ptr++; */
|
||||
/* } */
|
||||
/* memcpy(der_ptr, r_ptr, r_len); */
|
||||
/* der_ptr+= r_len; */
|
||||
|
||||
/* s_ptr = sig + 32; */
|
||||
|
||||
/* *der_ptr++ = 0x02; */
|
||||
/* *der_ptr++ = s_len; */
|
||||
/* if (*s_ptr >= 0x80) { */
|
||||
/* *(der_ptr - 1) = *(der_ptr - 1) + 1; */
|
||||
/* *der_ptr++ = 0x00; */
|
||||
/* } */
|
||||
/* else if (*s_ptr == 0x00 && *(s_ptr + 1) < 0x80) { */
|
||||
/* s_len--; */
|
||||
/* *(der_ptr - 1) = *(der_ptr - 1) - 1; */
|
||||
/* s_ptr++; */
|
||||
/* } */
|
||||
/* memcpy(der_ptr, s_ptr, s_len); */
|
||||
/* der_ptr+= s_len; */
|
||||
|
||||
/* der_encoded[1] = der_ptr - der_encoded - 2; */
|
||||
|
||||
/* dump_hex(der_encoded, der_encoded[1] + 2, stderr, 1); */
|
||||
|
||||
/* asrt(ECDSA_verify(0, some_data, sizeof(some_data), der_encoded, der_encoded[1] + 2, eck), 1, "ECDSA VERIFICATION"); */
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
asrt(funcs->C_Logout(session), CKR_OK, "Logout USER");
|
||||
|
||||
asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession");
|
||||
asrt(funcs->C_Finalize(NULL), CKR_OK, "FINALIZE");
|
||||
|
||||
}
|
||||
#endif
|
||||
|
||||
int destruction_confirmed(void) {
|
||||
char *confirmed = getenv("YKPIV_ENV_HWTESTS_CONFIRMED");
|
||||
if (confirmed && confirmed[0] == '1')
|
||||
return 1;
|
||||
// Use dprintf() to write directly to stdout, since automake eats the standard stdout/stderr pointers.
|
||||
dprintf(0, "\n***\n*** Hardware tests skipped. Run \"make hwcheck\".\n***\n\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(void) {
|
||||
|
||||
get_functions(&funcs);
|
||||
|
||||
test_lib_info();
|
||||
|
||||
#ifdef HW_TESTS
|
||||
// Require user confirmation to continue, since this test suite will clear
|
||||
// any data stored on connected keys.
|
||||
if (!destruction_confirmed())
|
||||
exit(77); // exit code 77 == skipped tests
|
||||
|
||||
test_initalize();
|
||||
// Require YK4 to continue. Skip if different model found.
|
||||
if (test_token_info() != 0)
|
||||
exit(77);
|
||||
test_mechanism_list_and_info();
|
||||
test_session();
|
||||
test_login();
|
||||
test_import_and_sign_all_10();
|
||||
test_import_and_sign_all_10_RSA();
|
||||
#else
|
||||
fprintf(stderr, "HARDWARE TESTS DISABLED!, skipping...\n");
|
||||
#endif
|
||||
|
||||
return EXIT_SUCCESS;
|
||||
|
||||
}
|
||||
|
||||
#pragma clang diagnostic pop
|
||||
@@ -1,365 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "token_vendors.h"
|
||||
#include "yubico_token.h"
|
||||
#include "openssl_utils.h"
|
||||
#include <string.h>
|
||||
#include "debug.h"
|
||||
|
||||
#include <stdbool.h>
|
||||
#include "../tool/util.h"
|
||||
|
||||
static CK_RV COMMON_token_login(ykpiv_state *state, CK_USER_TYPE user, CK_UTF8CHAR_PTR pin, CK_ULONG pin_len) {
|
||||
|
||||
int tries = 0; // TODO: this is effectively disregarded, should we add a better value in ykpiv_verify?
|
||||
unsigned char key[24];
|
||||
size_t key_len = sizeof(key);
|
||||
unsigned char *term_pin;
|
||||
ykpiv_rc res;
|
||||
|
||||
if (user == CKU_USER) {
|
||||
// add null termination for the pin
|
||||
term_pin = malloc(pin_len + 1);
|
||||
if (term_pin == NULL) {
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
memcpy(term_pin, pin, pin_len);
|
||||
term_pin[pin_len] = 0;
|
||||
|
||||
res = ykpiv_verify(state, (char *)term_pin, &tries);
|
||||
|
||||
OPENSSL_cleanse(term_pin, pin_len);
|
||||
free(term_pin);
|
||||
|
||||
if (res != YKPIV_OK) {
|
||||
DBG("Failed to login");
|
||||
return CKR_PIN_INCORRECT;
|
||||
}
|
||||
}
|
||||
else if (user == CKU_SO) {
|
||||
if(ykpiv_hex_decode((char *)pin, pin_len, key, &key_len) != YKPIV_OK) {
|
||||
DBG("Failed decoding key");
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
if(ykpiv_authenticate(state, key) != YKPIV_OK) {
|
||||
DBG("Failed to authenticate");
|
||||
return CKR_PIN_INCORRECT;
|
||||
}
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
static CK_RV COMMON_token_generate_key(ykpiv_state *state, CK_BBOOL rsa,
|
||||
CK_BYTE key, CK_ULONG key_len, CK_ULONG vendor_defined) {
|
||||
// TODO: make a function in ykpiv for this
|
||||
unsigned char in_data[11];
|
||||
unsigned char *in_ptr = in_data;
|
||||
unsigned char data[1024];
|
||||
unsigned char templ[] = {0, YKPIV_INS_GENERATE_ASYMMETRIC, 0, 0};
|
||||
unsigned char *certptr;
|
||||
unsigned long recv_len = sizeof(data);
|
||||
int len_bytes;
|
||||
int sw;
|
||||
|
||||
CK_RV rv;
|
||||
|
||||
if(rsa) {
|
||||
char version[7];
|
||||
if(ykpiv_get_version(state, version, sizeof(version)) == YKPIV_OK) {
|
||||
int major, minor, build;
|
||||
int match = sscanf(version, "%d.%d.%d", &major, &minor, &build);
|
||||
if(match == 3 && major == 4 && (minor < 3 || (minor == 3 && build < 5))) {
|
||||
DBG("On-chip RSA key generation on this YubiKey has been blocked.\n");
|
||||
DBG("Please see https://yubi.co/ysa201701/ for details.\n");
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
} else {
|
||||
DBG("Failed to communicate.\n");
|
||||
return CKR_DEVICE_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
templ[3] = key;
|
||||
|
||||
*in_ptr++ = 0xac;
|
||||
*in_ptr++ = 3;
|
||||
*in_ptr++ = YKPIV_ALGO_TAG;
|
||||
*in_ptr++ = 1;
|
||||
|
||||
switch(key_len) {
|
||||
case 2048:
|
||||
if (rsa == CK_TRUE)
|
||||
*in_ptr++ = YKPIV_ALGO_RSA2048;
|
||||
else
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
break;
|
||||
|
||||
case 1024:
|
||||
if (rsa == CK_TRUE)
|
||||
*in_ptr++ = YKPIV_ALGO_RSA1024;
|
||||
else
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
break;
|
||||
|
||||
case 256:
|
||||
if (rsa == CK_FALSE)
|
||||
*in_ptr++ = YKPIV_ALGO_ECCP256;
|
||||
else
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
// PIN policy and touch
|
||||
if (vendor_defined != 0) {
|
||||
if (vendor_defined & CKA_PIN_ONCE) {
|
||||
in_data[1] += 3;
|
||||
*in_ptr++ = YKPIV_PINPOLICY_TAG;
|
||||
*in_ptr++ = 0x01;
|
||||
*in_ptr++ = YKPIV_PINPOLICY_ONCE;
|
||||
}
|
||||
else if (vendor_defined & CKA_PIN_ALWAYS) {
|
||||
in_data[1] += 3;
|
||||
*in_ptr++ = YKPIV_PINPOLICY_TAG;
|
||||
*in_ptr++ = 0x01;
|
||||
*in_ptr++ = YKPIV_PINPOLICY_ALWAYS;
|
||||
}
|
||||
|
||||
if (vendor_defined & CKA_TOUCH_ALWAYS) {
|
||||
in_data[1] += 3;
|
||||
*in_ptr++ = YKPIV_TOUCHPOLICY_TAG;
|
||||
*in_ptr++ = 0x01;
|
||||
*in_ptr++ = YKPIV_TOUCHPOLICY_ALWAYS;
|
||||
}
|
||||
}
|
||||
|
||||
if(ykpiv_transfer_data(state, templ, in_data, in_ptr - in_data, data, &recv_len, &sw) != YKPIV_OK ||
|
||||
sw != 0x9000)
|
||||
return CKR_DEVICE_ERROR;
|
||||
|
||||
// Create a new empty certificate for the key
|
||||
recv_len = sizeof(data);
|
||||
if ((rv = do_create_empty_cert(data, recv_len, rsa, data, &recv_len)) != CKR_OK)
|
||||
return rv;
|
||||
|
||||
if (recv_len < 0x80)
|
||||
len_bytes = 1;
|
||||
else if (recv_len < 0xff)
|
||||
len_bytes = 2;
|
||||
else
|
||||
len_bytes = 3;
|
||||
|
||||
certptr = data;
|
||||
memmove(data + len_bytes + 1, data, recv_len);
|
||||
|
||||
*certptr++ = 0x70;
|
||||
certptr += set_length(certptr, recv_len);
|
||||
certptr += recv_len;
|
||||
*certptr++ = 0x71;
|
||||
*certptr++ = 1;
|
||||
*certptr++ = 0; /* certinfo (gzip etc) */
|
||||
*certptr++ = 0xfe; /* LRC */
|
||||
*certptr++ = 0;
|
||||
|
||||
// Store the certificate into the token
|
||||
if (ykpiv_save_object(state, ykpiv_util_slot_object(key), data, (size_t)(certptr - data)) != YKPIV_OK)
|
||||
return CKR_DEVICE_ERROR;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
static CK_RV COMMON_token_import_cert(ykpiv_state *state, CK_ULONG cert_id, CK_BYTE_PTR in) {
|
||||
|
||||
unsigned char certdata[3072];
|
||||
unsigned char *certptr;
|
||||
CK_ULONG cert_len;
|
||||
|
||||
CK_RV rv;
|
||||
|
||||
// Check whether or not we have a valid cert
|
||||
if ((rv = do_check_cert(in, &cert_len)) != CKR_OK)
|
||||
return rv;
|
||||
|
||||
if (cert_len > 3072)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
certptr = certdata;
|
||||
|
||||
*certptr++ = 0x70;
|
||||
certptr += set_length(certptr, cert_len);
|
||||
memcpy(certptr, in, cert_len);
|
||||
certptr += cert_len;
|
||||
|
||||
*certptr++ = 0x71;
|
||||
*certptr++ = 1;
|
||||
*certptr++ = 0; /* certinfo (gzip etc) */
|
||||
*certptr++ = 0xfe; /* LRC */
|
||||
*certptr++ = 0;
|
||||
|
||||
// Store the certificate into the token
|
||||
if (ykpiv_save_object(state, cert_id, certdata, (size_t)(certptr - certdata)) != YKPIV_OK)
|
||||
return CKR_DEVICE_ERROR;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV COMMON_token_import_private_key(ykpiv_state *state, CK_BYTE key_id,
|
||||
CK_BYTE_PTR p, CK_ULONG p_len,
|
||||
CK_BYTE_PTR q, CK_ULONG q_len,
|
||||
CK_BYTE_PTR dp, CK_ULONG dp_len,
|
||||
CK_BYTE_PTR dq, CK_ULONG dq_len,
|
||||
CK_BYTE_PTR qinv, CK_ULONG qinv_len,
|
||||
CK_BYTE_PTR ec_data, CK_ULONG ec_data_len,
|
||||
CK_ULONG vendor_defined) {
|
||||
|
||||
CK_BYTE pin_policy;
|
||||
CK_BYTE touch_policy;
|
||||
CK_BYTE algo;
|
||||
ykpiv_rc rc;
|
||||
|
||||
if (p == NULL) {
|
||||
if (ec_data_len == 32 || ec_data_len == 31)
|
||||
algo = YKPIV_ALGO_ECCP256;
|
||||
else
|
||||
algo = YKPIV_ALGO_ECCP384;
|
||||
}
|
||||
else if (ec_data == NULL) {
|
||||
if (p_len == 64)
|
||||
algo = YKPIV_ALGO_RSA1024;
|
||||
else
|
||||
algo = YKPIV_ALGO_RSA2048;
|
||||
}
|
||||
else
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
pin_policy = YKPIV_PINPOLICY_DEFAULT;
|
||||
touch_policy = YKPIV_TOUCHPOLICY_DEFAULT;
|
||||
if (vendor_defined != 0) {
|
||||
if (vendor_defined & CKA_PIN_ONCE) {
|
||||
pin_policy = YKPIV_PINPOLICY_ONCE;
|
||||
}
|
||||
else if (vendor_defined & CKA_PIN_ALWAYS) {
|
||||
pin_policy = YKPIV_PINPOLICY_ALWAYS;
|
||||
}
|
||||
else if (vendor_defined & CKA_PIN_NEVER) {
|
||||
pin_policy = YKPIV_PINPOLICY_NEVER;
|
||||
}
|
||||
else
|
||||
return CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
|
||||
if (vendor_defined & CKA_TOUCH_ALWAYS) {
|
||||
touch_policy = YKPIV_TOUCHPOLICY_ALWAYS;
|
||||
}
|
||||
else if (vendor_defined & CKA_TOUCH_NEVER) {
|
||||
touch_policy = YKPIV_TOUCHPOLICY_NEVER;
|
||||
}
|
||||
else
|
||||
return CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
}
|
||||
|
||||
rc = ykpiv_import_private_key(state, key_id, algo,
|
||||
p, p_len,
|
||||
q, q_len,
|
||||
dp, dp_len,
|
||||
dq, dq_len,
|
||||
qinv, qinv_len,
|
||||
ec_data, ec_data_len,
|
||||
pin_policy, touch_policy);
|
||||
|
||||
if (rc != YKPIV_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV COMMON_token_delete_cert(ykpiv_state *state, CK_ULONG cert_id) {
|
||||
|
||||
if (ykpiv_save_object(state, cert_id, NULL, 0) != YKPIV_OK)
|
||||
return CKR_DEVICE_ERROR;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
token_vendor_t get_token_vendor(vendor_id_t vid) {
|
||||
token_vendor_t v;
|
||||
|
||||
switch (vid) {
|
||||
case YUBICO:
|
||||
v.get_token_label = YUBICO_get_token_label;
|
||||
v.get_token_manufacturer = YUBICO_get_token_manufacturer;
|
||||
v.get_token_model = YUBICO_get_token_model;
|
||||
v.get_token_flags = YUBICO_get_token_flags;
|
||||
v.get_token_version = YUBICO_get_token_version;
|
||||
v.get_token_serial = YUBICO_get_token_serial;
|
||||
v.get_token_mechanisms_num = YUBICO_get_token_mechanisms_num;
|
||||
v.get_token_mechanism_list = YUBICO_get_token_mechanism_list;
|
||||
v.get_token_mechanism_info = YUBICO_get_token_mechanism_info;
|
||||
v.get_token_objects_num = YUBICO_get_token_objects_num;
|
||||
v.get_token_object_list = YUBICO_get_token_object_list;
|
||||
v.get_token_raw_certificate = YUBICO_get_token_raw_certificate;
|
||||
v.token_login = COMMON_token_login;
|
||||
v.token_generate_key = COMMON_token_generate_key;
|
||||
v.token_import_cert = COMMON_token_import_cert;
|
||||
v.token_import_private_key = COMMON_token_import_private_key;
|
||||
v.token_delete_cert = COMMON_token_delete_cert;
|
||||
v.token_change_pin = YUBICO_token_change_pin;
|
||||
break;
|
||||
|
||||
case UNKNOWN:
|
||||
default:
|
||||
v.get_token_label = NULL;
|
||||
v.get_token_manufacturer = NULL;
|
||||
v.get_token_model = NULL;
|
||||
v.get_token_flags = NULL;
|
||||
v.get_token_version = NULL;
|
||||
v.get_token_serial = NULL;
|
||||
v.get_token_mechanisms_num = NULL;
|
||||
v.get_token_mechanism_list = NULL;
|
||||
v.get_token_mechanism_info = NULL;
|
||||
v.get_token_objects_num = NULL;
|
||||
v.get_token_object_list = NULL;
|
||||
v.get_token_raw_certificate = NULL;
|
||||
v.token_login = NULL;
|
||||
v.token_generate_key = NULL;
|
||||
v.token_import_cert = NULL;
|
||||
v.token_import_private_key = NULL;
|
||||
v.token_delete_cert = NULL;
|
||||
}
|
||||
|
||||
return v;
|
||||
|
||||
}
|
||||
@@ -1,92 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef TOKEN_VENDORS_H
|
||||
#define TOKEN_VENDORS_H
|
||||
|
||||
#include "pkcs11.h"
|
||||
#include "vendor_ids.h"
|
||||
#include "obj_types.h"
|
||||
#include <ykpiv.h>
|
||||
|
||||
typedef CK_RV (*get_t_label_f)(CK_UTF8CHAR_PTR, CK_ULONG);
|
||||
typedef CK_RV (*get_t_manufacturer_f)(CK_UTF8CHAR_PTR, CK_ULONG);
|
||||
typedef CK_RV (*get_t_model_f)(ykpiv_state *, CK_UTF8CHAR_PTR, CK_ULONG);
|
||||
typedef CK_RV (*get_t_flags_f)(CK_FLAGS_PTR);
|
||||
typedef CK_RV (*get_t_version_f)(ykpiv_state *, CK_VERSION_PTR);
|
||||
typedef CK_RV (*get_t_serial_f)(CK_CHAR_PTR, CK_ULONG);
|
||||
typedef CK_RV (*get_t_mechanisms_num_f)(CK_ULONG_PTR);
|
||||
typedef CK_RV (*get_t_mechanism_list_f)(CK_MECHANISM_TYPE_PTR, CK_ULONG);
|
||||
typedef CK_RV (*get_t_mechanism_info_f)(CK_MECHANISM_TYPE, CK_MECHANISM_INFO_PTR);
|
||||
typedef CK_RV (*get_t_objects_num_f)(ykpiv_state *, CK_ULONG_PTR, CK_ULONG_PTR);
|
||||
typedef CK_RV (*get_t_object_list_f)(ykpiv_state *, piv_obj_id_t *, CK_ULONG);
|
||||
typedef CK_RV (*get_t_raw_certificate_f)(ykpiv_state *, piv_obj_id_t, CK_BYTE_PTR, CK_ULONG_PTR);
|
||||
typedef CK_RV (*t_change_pin_f)(ykpiv_state *, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR, CK_ULONG);
|
||||
|
||||
// Common token functions below
|
||||
typedef CK_RV (*t_login_f)(ykpiv_state *, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG);
|
||||
typedef CK_RV (*t_generate_key_f)(ykpiv_state *, CK_BBOOL, CK_BYTE, CK_ULONG, CK_ULONG);
|
||||
typedef CK_RV (*t_import_cert_f)(ykpiv_state *, CK_ULONG, CK_BYTE_PTR);
|
||||
typedef CK_RV (*t_import_private_key_f)(ykpiv_state *, CK_BYTE,
|
||||
CK_BYTE_PTR, CK_ULONG,
|
||||
CK_BYTE_PTR, CK_ULONG,
|
||||
CK_BYTE_PTR, CK_ULONG,
|
||||
CK_BYTE_PTR, CK_ULONG,
|
||||
CK_BYTE_PTR, CK_ULONG,
|
||||
CK_BYTE_PTR, CK_ULONG,
|
||||
CK_ULONG);
|
||||
typedef CK_RV (*t_delete_cert_f)(ykpiv_state *, CK_ULONG);
|
||||
|
||||
// TODO: replace all the common calls with functions defined in .c that use libykpiv
|
||||
|
||||
typedef struct {
|
||||
get_t_label_f get_token_label;
|
||||
get_t_manufacturer_f get_token_manufacturer;
|
||||
get_t_model_f get_token_model;
|
||||
get_t_flags_f get_token_flags;
|
||||
get_t_version_f get_token_version;
|
||||
get_t_serial_f get_token_serial;
|
||||
get_t_mechanisms_num_f get_token_mechanisms_num;
|
||||
get_t_mechanism_list_f get_token_mechanism_list;
|
||||
get_t_mechanism_info_f get_token_mechanism_info;
|
||||
get_t_objects_num_f get_token_objects_num;
|
||||
get_t_object_list_f get_token_object_list;
|
||||
get_t_raw_certificate_f get_token_raw_certificate;
|
||||
t_login_f token_login;
|
||||
t_generate_key_f token_generate_key;
|
||||
t_import_cert_f token_import_cert;
|
||||
t_import_private_key_f token_import_private_key;
|
||||
t_delete_cert_f token_delete_cert;
|
||||
t_change_pin_f token_change_pin;
|
||||
} token_vendor_t;
|
||||
|
||||
token_vendor_t get_token_vendor(vendor_id_t vid);
|
||||
|
||||
#endif
|
||||
-265
@@ -1,265 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "utils.h"
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
CK_BBOOL has_token(const ykcs11_slot_t *slot) {
|
||||
|
||||
return (slot->info.flags & CKF_TOKEN_PRESENT);
|
||||
|
||||
}
|
||||
|
||||
CK_RV parse_readers(ykpiv_state *state, const CK_BYTE_PTR readers, const CK_ULONG len,
|
||||
ykcs11_slot_t *slots, CK_ULONG_PTR n_slots, CK_ULONG_PTR n_with_token) {
|
||||
|
||||
CK_BYTE i;
|
||||
CK_BYTE_PTR p;
|
||||
CK_BYTE_PTR s;
|
||||
CK_ULONG l;
|
||||
slot_vendor_t slot;
|
||||
|
||||
*n_slots = 0;
|
||||
*n_with_token = 0;
|
||||
p = readers;
|
||||
|
||||
/*
|
||||
* According to pcsc-lite, the format of a reader name is:
|
||||
* name [interface] (serial) index slot
|
||||
* https://ludovicrousseau.blogspot.se/2010/05/what-is-in-pcsc-reader-name.html
|
||||
*/
|
||||
|
||||
for (i = 0; i < len; i++)
|
||||
if (readers[i] == '\0' && i != len - 1) {
|
||||
slots[*n_slots].vid = get_vendor_id((char *)p);
|
||||
|
||||
if (slots[*n_slots].vid == UNKNOWN) { // TODO: distinguish between tokenless and unsupported?
|
||||
// Unknown slot, just save what info we have
|
||||
memset(&slots[*n_slots].info, 0, sizeof(CK_SLOT_INFO));
|
||||
memset(slots[*n_slots].info.slotDescription, ' ', sizeof(slots[*n_slots].info.slotDescription));
|
||||
if (strlen((char *)p) <= sizeof(slots[*n_slots].info.slotDescription))
|
||||
memcpy(slots[*n_slots].info.slotDescription, p, strlen((char *)p));
|
||||
else
|
||||
memcpy(slots[*n_slots].info.slotDescription, p, sizeof(slots[*n_slots].info.slotDescription));
|
||||
}
|
||||
else {
|
||||
// Supported slot
|
||||
slot = get_slot_vendor(slots[*n_slots].vid);
|
||||
|
||||
// Values must NOT be null terminated and ' ' padded
|
||||
|
||||
memset(slots[*n_slots].info.slotDescription, ' ', sizeof(slots[*n_slots].info.slotDescription));
|
||||
s = slots[*n_slots].info.slotDescription;
|
||||
l = sizeof(slots[*n_slots].info.slotDescription);
|
||||
memcpy((char *)s, (char*)p, l);
|
||||
|
||||
memset(slots[*n_slots].info.manufacturerID, ' ', sizeof(slots[*n_slots].info.manufacturerID));
|
||||
s = slots[*n_slots].info.manufacturerID;
|
||||
l = sizeof(slots[*n_slots].info.manufacturerID);
|
||||
if(slot.get_slot_manufacturer(s, l) != CKR_OK)
|
||||
goto failure;
|
||||
|
||||
if (slot.get_slot_flags(&slots[*n_slots].info.flags) != CKR_OK)
|
||||
goto failure;
|
||||
|
||||
// Treating hw and fw version the same
|
||||
if (slot.get_slot_version(&slots[*n_slots].info.hardwareVersion) != CKR_OK)
|
||||
goto failure;
|
||||
|
||||
if (slot.get_slot_version(&slots[*n_slots].info.firmwareVersion) != CKR_OK)
|
||||
goto failure;
|
||||
|
||||
if (has_token(slots + *n_slots)) {
|
||||
// Save token information
|
||||
(*n_with_token)++;
|
||||
|
||||
if (create_token(state, p, slots + *n_slots) != CKR_OK)
|
||||
goto failure;
|
||||
}
|
||||
}
|
||||
(*n_slots)++;
|
||||
p = readers + i + 1;
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
failure:
|
||||
// TODO: destroy all token objects
|
||||
for (i = 0; i < *n_slots; i++)
|
||||
if (has_token(slots + i))
|
||||
destroy_token(slots + i);
|
||||
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
CK_RV create_token(ykpiv_state *state, CK_BYTE_PTR p, ykcs11_slot_t *slot) {
|
||||
|
||||
token_vendor_t token;
|
||||
CK_TOKEN_INFO_PTR t_info;
|
||||
|
||||
slot->token = malloc(sizeof(ykcs11_token_t)); // TODO: free
|
||||
if (slot->token == NULL)
|
||||
return CKR_HOST_MEMORY;
|
||||
|
||||
slot->token->vid = YUBICO; // TODO: this must become "slot_vendor.get_token_vid()"
|
||||
token = get_token_vendor(slot->token->vid);
|
||||
|
||||
t_info = &slot->token->info;
|
||||
|
||||
memset(t_info->label, ' ', sizeof(t_info->label));
|
||||
if (token.get_token_label(t_info->label, sizeof(t_info->label)) != CKR_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
memset(t_info->manufacturerID, ' ', sizeof(t_info->manufacturerID));
|
||||
if(token.get_token_manufacturer(t_info->manufacturerID, sizeof(t_info->manufacturerID)) != CKR_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
if (ykpiv_connect(state, (char *)p) != YKPIV_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
memset(t_info->model, ' ', sizeof(t_info->model));
|
||||
if(token.get_token_model(state, t_info->model, sizeof(t_info->model)) != CKR_OK) {
|
||||
ykpiv_disconnect(state);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
memset(t_info->serialNumber, ' ', sizeof(t_info->serialNumber));
|
||||
if(token.get_token_serial(t_info->serialNumber, sizeof(t_info->serialNumber)) != CKR_OK) {
|
||||
ykpiv_disconnect(state);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
if (token.get_token_flags(&t_info->flags) != CKR_OK) {
|
||||
ykpiv_disconnect(state);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
t_info->ulMaxSessionCount = CK_UNAVAILABLE_INFORMATION;
|
||||
|
||||
t_info->ulSessionCount = CK_UNAVAILABLE_INFORMATION;
|
||||
|
||||
t_info->ulMaxRwSessionCount = CK_UNAVAILABLE_INFORMATION;
|
||||
|
||||
t_info->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION;
|
||||
|
||||
t_info->ulMaxPinLen = 8;
|
||||
|
||||
t_info->ulMinPinLen = 6;
|
||||
|
||||
t_info->ulTotalPublicMemory = CK_UNAVAILABLE_INFORMATION;
|
||||
|
||||
t_info->ulFreePublicMemory = CK_UNAVAILABLE_INFORMATION;
|
||||
|
||||
t_info->ulTotalPrivateMemory = CK_UNAVAILABLE_INFORMATION;
|
||||
|
||||
t_info->ulFreePrivateMemory = CK_UNAVAILABLE_INFORMATION;
|
||||
|
||||
memset(&t_info->hardwareVersion, 0, sizeof(t_info->hardwareVersion));
|
||||
// Ignore hardware version, report firmware version
|
||||
if (token.get_token_version(state, &t_info->firmwareVersion) != CKR_OK) {
|
||||
ykpiv_disconnect(state);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
memset(t_info->utcTime, ' ', sizeof(t_info->utcTime)); // No clock present, clear
|
||||
|
||||
slot->token->objects = NULL;
|
||||
slot->token->n_objects = 0;
|
||||
|
||||
ykpiv_disconnect(state);
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
void destroy_token(ykcs11_slot_t *slot) {
|
||||
free(slot->token);
|
||||
slot->token = NULL;
|
||||
}
|
||||
|
||||
CK_BBOOL is_valid_key_id(CK_BYTE id) {
|
||||
|
||||
// Valid ids are [0, 23] aka [0x00, 0x17]
|
||||
if (id > 23)
|
||||
return CK_FALSE;
|
||||
|
||||
return CK_TRUE;
|
||||
}
|
||||
|
||||
void strip_DER_encoding_from_ECSIG(CK_BYTE_PTR data, CK_ULONG_PTR len) {
|
||||
|
||||
CK_BYTE_PTR data_ptr;
|
||||
CK_ULONG sig_halflen;
|
||||
CK_BYTE buf[128];
|
||||
CK_BYTE_PTR buf_ptr;
|
||||
CK_BYTE elem_len;
|
||||
|
||||
// Maximum DER length for P256 is 2 + 2 + 33 + 2 + 33 = 72
|
||||
if (*len <= 72)
|
||||
sig_halflen = 32;
|
||||
else
|
||||
sig_halflen = 48;
|
||||
|
||||
memset(buf, 0, sizeof(buf));
|
||||
data_ptr = data + 3;
|
||||
buf_ptr = buf;
|
||||
|
||||
// copy r
|
||||
elem_len = *data_ptr;
|
||||
if (elem_len == (sig_halflen - 1))
|
||||
buf_ptr++; // One shorter, prepend a zero
|
||||
else if (elem_len == (sig_halflen + 1)) {
|
||||
data_ptr++; // One longer, skip a zero
|
||||
elem_len--;
|
||||
}
|
||||
|
||||
data_ptr++;
|
||||
memcpy(buf_ptr, data_ptr, elem_len);
|
||||
data_ptr += elem_len;
|
||||
buf_ptr += elem_len;
|
||||
|
||||
data_ptr++;
|
||||
|
||||
// copy s
|
||||
elem_len = *data_ptr;
|
||||
if (elem_len == (sig_halflen - 1))
|
||||
buf_ptr++; // One shorter, prepend a zero
|
||||
else if (elem_len == (sig_halflen + 1)) {
|
||||
data_ptr++; // One longer, skip a zero
|
||||
elem_len --;
|
||||
}
|
||||
|
||||
data_ptr++;
|
||||
memcpy(buf_ptr, data_ptr, elem_len);
|
||||
|
||||
*len = sig_halflen * 2;
|
||||
memcpy(data, buf, *len);
|
||||
|
||||
}
|
||||
@@ -1,46 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef UTILS_H
|
||||
#define UTILS_H
|
||||
|
||||
#include "ykcs11.h"
|
||||
|
||||
CK_BBOOL has_token(const ykcs11_slot_t *slot);
|
||||
CK_RV parse_readers(ykpiv_state *state,const CK_BYTE_PTR readers, const CK_ULONG len,
|
||||
ykcs11_slot_t *slots, CK_ULONG_PTR n_slots, CK_ULONG_PTR n_with_token);
|
||||
CK_RV create_token(ykpiv_state *state, CK_BYTE_PTR p, ykcs11_slot_t *slot);
|
||||
void destroy_token(ykcs11_slot_t *slot);
|
||||
|
||||
CK_BBOOL is_valid_key_id(CK_BYTE id);
|
||||
|
||||
void strip_DER_encoding_from_ECSIG(CK_BYTE_PTR data, CK_ULONG_PTR len);
|
||||
|
||||
#endif
|
||||
@@ -1,40 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef VENDOR_IDS_H
|
||||
#define VENDOR_IDS_H
|
||||
|
||||
typedef enum {
|
||||
UNKNOWN = 0x00,
|
||||
YUBICO = 0x01
|
||||
} vendor_id_t;
|
||||
|
||||
|
||||
#endif
|
||||
@@ -1,40 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "vendors.h"
|
||||
#include <string.h>
|
||||
|
||||
vendor_id_t get_vendor_id(char *vendor_name) {
|
||||
|
||||
if (strstr(vendor_name, "Yubico") != NULL)
|
||||
return YUBICO;
|
||||
|
||||
return UNKNOWN;
|
||||
}
|
||||
@@ -1,40 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef VENDORS_H
|
||||
#define VENDORS_H
|
||||
|
||||
#include "vendor_ids.h"
|
||||
#include "slot_vendors.h"
|
||||
#include "token_vendors.h"
|
||||
|
||||
vendor_id_t get_vendor_id(char *vendor_name);
|
||||
|
||||
#endif
|
||||
@@ -1,89 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef YKCS11_VERSION_H
|
||||
#define YKCS11_VERSION_H
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C"
|
||||
{
|
||||
#endif
|
||||
|
||||
/**
|
||||
* YKCS11_VERSION_STRING
|
||||
*
|
||||
* Pre-processor symbol with a string that describe the header file
|
||||
* version number. Used together with ykneomgr_check_version() to verify
|
||||
* header file and run-time library consistency.
|
||||
*/
|
||||
#define YKCS11_VERSION_STRING "@VERSION@"
|
||||
|
||||
/**
|
||||
* YKCS11_VERSION_NUMBER
|
||||
*
|
||||
* Pre-processor symbol with a hexadecimal value describing the header
|
||||
* file version number. For example, when the header version is 1.2.3
|
||||
* this symbol will have the value 0x01020300. The last two digits
|
||||
* are only used between public releases, and will otherwise be 00.
|
||||
*/
|
||||
#define YKCS11_VERSION_NUMBER @YKCS11_VERSION_NUMBER@
|
||||
|
||||
/**
|
||||
* YKCS11_VERSION_MAJOR
|
||||
*
|
||||
* Pre-processor symbol with a decimal value that describe the major
|
||||
* level of the header file version number. For example, when the
|
||||
* header version is 1.2.3 this symbol will be 1.
|
||||
*/
|
||||
#define YKCS11_VERSION_MAJOR @YKCS11_VERSION_MAJOR@
|
||||
|
||||
/**
|
||||
* YKCS11_VERSION_MINOR
|
||||
*
|
||||
* Pre-processor symbol with a decimal value that describe the minor
|
||||
* level of the header file version number. For example, when the
|
||||
* header version is 1.2.3 this symbol will be 2.
|
||||
*/
|
||||
#define YKCS11_VERSION_MINOR @YKCS11_VERSION_MINOR@
|
||||
|
||||
/**
|
||||
* YKCS11_VERSION_PATCH
|
||||
*
|
||||
* Pre-processor symbol with a decimal value that describe the patch
|
||||
* level of the header file version number. For example, when the
|
||||
* header version is 1.2.3 this symbol will be 3.
|
||||
*/
|
||||
#define YKCS11_VERSION_PATCH @YKCS11_VERSION_PATCH@
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
||||
-2509
File diff suppressed because it is too large
-107
@@ -1,107 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef YKCS11_H
|
||||
#define YKCS11_H
|
||||
|
||||
#include "pkcs11y.h"
|
||||
#include "obj_types.h"
|
||||
#include "openssl_types.h"
|
||||
#include "vendors.h"
|
||||
|
||||
#define YKCS11_OP_BUFSIZE 4096
|
||||
|
||||
typedef struct {
|
||||
vendor_id_t vid;
|
||||
CK_TOKEN_INFO info;
|
||||
piv_obj_id_t *objects; // List of objects in the token
|
||||
CK_ULONG n_objects; // TOTAL number of objects in the token
|
||||
CK_ULONG n_certs; // Number of certificate objects in the token (portion of n_objects)
|
||||
} ykcs11_token_t;
|
||||
|
||||
typedef struct {
|
||||
vendor_id_t vid;
|
||||
CK_SLOT_INFO info;
|
||||
ykcs11_token_t *token;
|
||||
} ykcs11_slot_t;
|
||||
|
||||
typedef struct {
|
||||
CK_SESSION_HANDLE handle;
|
||||
CK_SESSION_INFO info; /* slotid, state, flags, deviceerror */
|
||||
ykcs11_slot_t *slot;
|
||||
} ykcs11_session_t;
|
||||
|
||||
typedef enum {
|
||||
YKCS11_NOOP,
|
||||
YKCS11_GEN,
|
||||
YKCS11_SIGN,
|
||||
YKCS11_HASH,
|
||||
YKCS11_DECRYPT
|
||||
} ykcs11_op_type_t;
|
||||
|
||||
typedef struct {
|
||||
CK_BBOOL rsa; // RSA or EC key
|
||||
CK_BYTE key_id; // Key id
|
||||
CK_ULONG key_len; // Length in bits
|
||||
CK_ULONG vendor_defined; // Additional parameters (touch and PIN policy)
|
||||
} gen_info_t;
|
||||
|
||||
typedef struct {
|
||||
ykcs11_md_ctx_t *md_ctx; // Digest context
|
||||
ykcs11_rsa_key_t *key; // Raw public key (needed for PSS)
|
||||
CK_BYTE algo; // Algo for ykpiv // TODO: infer this from the key length?
|
||||
CK_ULONG key_id; // Key id for ykpiv // TODO: make this a BYTE and store the id {0, 1, 2, 3}
|
||||
CK_ULONG key_len; // Length in bits
|
||||
} sign_info_t;
|
||||
|
||||
typedef struct {
|
||||
CK_BYTE todo;
|
||||
} hash_info_t;
|
||||
|
||||
typedef struct {
|
||||
CK_BYTE todo;
|
||||
} decrypt_info_t;
|
||||
|
||||
typedef union {
|
||||
gen_info_t gen;
|
||||
sign_info_t sign;
|
||||
hash_info_t hash;
|
||||
decrypt_info_t decrypt;
|
||||
} op_t;
|
||||
|
||||
typedef struct {
|
||||
ykcs11_op_type_t type;
|
||||
CK_MECHANISM mechanism;
|
||||
op_t op;
|
||||
CK_BYTE buf[YKCS11_OP_BUFSIZE];
|
||||
CK_ULONG buf_len;
|
||||
} op_info_t;
|
||||
|
||||
#endif
|
||||
@@ -1,36 +0,0 @@
|
||||
# Copyright (c) 2015-2016 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
YKCS11_0.1.0
|
||||
{
|
||||
global:
|
||||
C_Initialize;
|
||||
C_GetFunctionList;
|
||||
# TODO: add more here
|
||||
local:
|
||||
*;
|
||||
};
|
||||
@@ -1,37 +0,0 @@
|
||||
# Copyright (c) 2015-2016 Yubico AB
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are
|
||||
# met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials provided
|
||||
# with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
prefix=@prefix@
|
||||
exec_prefix=@exec_prefix@
|
||||
libdir=@libdir@
|
||||
includedir=@includedir@
|
||||
|
||||
Name: @PACKAGE@
|
||||
Description: Yubico PIV PKCS#11 Module
|
||||
URL: https://www.yubico.com/
|
||||
Version: @VERSION@
|
||||
Libs: -L${libdir} -lykcs11
|
||||
@@ -1,63 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "yubico_slot.h"
|
||||
#include "pkcs11.h"
|
||||
#include <string.h>
|
||||
|
||||
static const CK_UTF8CHAR_PTR slot_manufacturer = (const CK_UTF8CHAR_PTR)"Yubico";
|
||||
static const CK_FLAGS slot_flags = CKF_TOKEN_PRESENT | CKF_HW_SLOT;
|
||||
static const CK_VERSION slot_version = {1, 0};
|
||||
|
||||
CK_RV YUBICO_get_slot_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len) {
|
||||
|
||||
if (strlen((const char*)slot_manufacturer) > len)
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
memcpy(str, slot_manufacturer, strlen((const char*)slot_manufacturer));
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_slot_flags(CK_FLAGS_PTR flags) {
|
||||
|
||||
*flags = slot_flags;
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_slot_version(CK_VERSION_PTR version) {
|
||||
|
||||
version->major = slot_version.major;
|
||||
version->minor = slot_version.minor;
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
@@ -1,40 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef YUBICO_SLOT_H
|
||||
#define YUBICO_SLOT_H
|
||||
|
||||
#include "pkcs11y.h"
|
||||
|
||||
CK_RV YUBICO_get_slot_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len);
|
||||
CK_RV YUBICO_get_slot_flags(CK_FLAGS_PTR flags);
|
||||
CK_RV YUBICO_get_slot_version(CK_VERSION_PTR version);
|
||||
|
||||
#endif
|
||||
@@ -1,409 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "yubico_token.h"
|
||||
#include "pkcs11.h"
|
||||
#include <string.h>
|
||||
#include "debug.h"
|
||||
#include "objects.h"
|
||||
|
||||
#define MIN_RSA_KEY_SIZE 1024
|
||||
#define MAX_RSA_KEY_SIZE 2048
|
||||
#define MIN_ECC_KEY_SIZE 256
|
||||
#define MAX_ECC_KEY_SIZE 384
|
||||
|
||||
static const char *token_label = "YubiKey PIV";
|
||||
static const char *token_manufacturer = "Yubico";
|
||||
static const char *token_model = "YubiKey XXX";
|
||||
static const CK_FLAGS token_flags = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED;
|
||||
static const char *token_serial = "1234";
|
||||
static const CK_MECHANISM_TYPE token_mechanisms[] = { // KEEP ALIGNED WITH token_mechanism_infos
|
||||
CKM_RSA_PKCS_KEY_PAIR_GEN,
|
||||
CKM_RSA_PKCS,
|
||||
CKM_RSA_PKCS_PSS,
|
||||
CKM_RSA_X_509,
|
||||
CKM_SHA1_RSA_PKCS,
|
||||
CKM_SHA256_RSA_PKCS,
|
||||
CKM_SHA384_RSA_PKCS,
|
||||
CKM_SHA512_RSA_PKCS,
|
||||
CKM_SHA1_RSA_PKCS_PSS,
|
||||
CKM_SHA256_RSA_PKCS_PSS,
|
||||
CKM_SHA384_RSA_PKCS_PSS,
|
||||
CKM_SHA512_RSA_PKCS_PSS,
|
||||
CKM_EC_KEY_PAIR_GEN,
|
||||
//CKM_ECDSA_KEY_PAIR_GEN, Same as CKM_EC_KEY_PAIR_GEN, deprecated in 2.11
|
||||
CKM_ECDSA,
|
||||
CKM_ECDSA_SHA1,
|
||||
CKM_ECDSA_SHA256,
|
||||
CKM_SHA_1,
|
||||
CKM_SHA256,
|
||||
CKM_SHA384,
|
||||
CKM_SHA512
|
||||
// SUPPORT FOR OATH?
|
||||
};
|
||||
static const CK_ULONG token_mechanisms_num = sizeof(token_mechanisms) / sizeof(CK_MECHANISM_TYPE);
|
||||
|
||||
static const CK_MECHANISM_INFO token_mechanism_infos[] = { // KEEP ALIGNED WITH token_mechanisms
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_GENERATE_KEY_PAIR}, // CKM_RSA_PKCS_KEY_PAIR_GEN
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_DECRYPT | CKF_SIGN}, // CKM_RSA_PKCS
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_RSA_PKCS_PSS
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_DECRYPT | CKF_SIGN}, // CKM_RSA_X_509
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA1_RSA_PKCS
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA256_RSA_PKCS
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA384_RSA_PKCS
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA512_RSA_PKCS
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA1_RSA_PKCS_PSS
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA256_RSA_PKCS_PSS
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA384_RSA_PKCS_PSS
|
||||
{MIN_RSA_KEY_SIZE, MAX_RSA_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_SHA512_RSA_PKCS_PSS
|
||||
{MIN_ECC_KEY_SIZE, MIN_ECC_KEY_SIZE, CKF_HW | CKF_GENERATE_KEY_PAIR}, // CKM_EC_KEY_PAIR_GEN
|
||||
//{, , }, // CKM_ECDSA_KEY_PAIR_GEN Same as CKM_EC_KEY_PAIR_GEN deprecated in 2.11
|
||||
{MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA
|
||||
{MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA_SHA1
|
||||
{MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA_SHA256
|
||||
{0, 0, CKF_DIGEST}, // CKM_SHA_1
|
||||
{0, 0, CKF_DIGEST}, // CKM_SHA256
|
||||
{0, 0, CKF_DIGEST}, // CKM_SHA384
|
||||
{0, 0, CKF_DIGEST} // CKM_SHA512
|
||||
};
|
||||
|
||||
static const piv_obj_id_t token_objects[] = { // TODO: is there a way to get this from the token?
|
||||
PIV_DATA_OBJ_X509_PIV_AUTH, // PIV authentication
|
||||
PIV_DATA_OBJ_X509_CARD_AUTH, // card authentication
|
||||
PIV_DATA_OBJ_X509_DS, // digital signature
|
||||
PIV_DATA_OBJ_X509_KM, // key management
|
||||
PIV_DATA_OBJ_X509_RETIRED1, // Retired key 1
|
||||
PIV_DATA_OBJ_X509_RETIRED2, // Retired key 2
|
||||
PIV_DATA_OBJ_X509_RETIRED3, // Retired key 3
|
||||
PIV_DATA_OBJ_X509_RETIRED4, // Retired key 4
|
||||
PIV_DATA_OBJ_X509_RETIRED5, // Retired key 5
|
||||
PIV_DATA_OBJ_X509_RETIRED6, // Retired key 6
|
||||
PIV_DATA_OBJ_X509_RETIRED7, // Retired key 7
|
||||
PIV_DATA_OBJ_X509_RETIRED8, // Retired key 8
|
||||
PIV_DATA_OBJ_X509_RETIRED9, // Retired key 9
|
||||
PIV_DATA_OBJ_X509_RETIRED10, // Retired key 10
|
||||
PIV_DATA_OBJ_X509_RETIRED11, // Retired key 11
|
||||
PIV_DATA_OBJ_X509_RETIRED12, // Retired key 12
|
||||
PIV_DATA_OBJ_X509_RETIRED13, // Retired key 13
|
||||
PIV_DATA_OBJ_X509_RETIRED14, // Retired key 14
|
||||
PIV_DATA_OBJ_X509_RETIRED15, // Retired key 15
|
||||
PIV_DATA_OBJ_X509_RETIRED16, // Retired key 16
|
||||
PIV_DATA_OBJ_X509_RETIRED17, // Retired key 17
|
||||
PIV_DATA_OBJ_X509_RETIRED18, // Retired key 18
|
||||
PIV_DATA_OBJ_X509_RETIRED19, // Retired key 19
|
||||
PIV_DATA_OBJ_X509_RETIRED20, // Retired key 20
|
||||
PIV_DATA_OBJ_CCC, // Card capability container
|
||||
PIV_DATA_OBJ_CHUI, // Cardholder unique id
|
||||
PIV_DATA_OBJ_CHF, // Cardholder fingerprints
|
||||
PIV_DATA_OBJ_SEC_OBJ, // Security object
|
||||
PIV_DATA_OBJ_CHFI, // Cardholder facial images
|
||||
//PIV_DATA_OBJ_PI, // Cardholder printed information
|
||||
//PIV_DATA_OBJ_DISCOVERY, // Discovery object
|
||||
//PIV_DATA_OBJ_HISTORY, // History object
|
||||
//PIV_DATA_OBJ_IRIS_IMAGE, // Cardholder iris images
|
||||
//PIV_DATA_OBJ_BITGT, // Biometric information templates group template
|
||||
//PIV_DATA_OBJ_SM_SIGNER, // Secure messaging signer
|
||||
//PIV_DATA_OBJ_PC_REF_DATA, // Pairing code reference data
|
||||
};
|
||||
static const CK_ULONG neo_token_objects_num = sizeof(token_objects) / sizeof(piv_obj_id_t) - 20;
|
||||
static const CK_ULONG yk4_token_objects_num = sizeof(token_objects) / sizeof(piv_obj_id_t);
|
||||
|
||||
CK_RV YUBICO_get_token_label(CK_UTF8CHAR_PTR str, CK_ULONG len) {
|
||||
|
||||
if (strlen(token_label) > len)
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
memcpy(str, token_label, strlen(token_label));
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len) {
|
||||
|
||||
if (strlen(token_manufacturer) > len)
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
memcpy(str, token_manufacturer, strlen(token_manufacturer));
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_model(ykpiv_state *state, CK_UTF8CHAR_PTR str, CK_ULONG len) {
|
||||
|
||||
char buf[16];
|
||||
|
||||
if (strlen(token_model) > len)
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
if (ykpiv_get_version(state, buf, sizeof(buf)) != YKPIV_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
memcpy(str, token_model, strlen(token_model));
|
||||
|
||||
if (buf[0] >= '4')
|
||||
memcpy(str + strlen(token_model) - 3, "YK4", 3);
|
||||
else
|
||||
memcpy(str + strlen(token_model) - 3, "NEO", 3);
|
||||
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_flags(CK_FLAGS_PTR flags) {
|
||||
|
||||
*flags = token_flags;
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_version(ykpiv_state *state, CK_VERSION_PTR version) {
|
||||
|
||||
char buf[16];
|
||||
|
||||
if (version == NULL)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
if (ykpiv_get_version(state, buf, sizeof(buf)) != YKPIV_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
version->major = (buf[0] - '0');
|
||||
version->minor = (buf[2] - '0') * 100 + (buf[4] - '0');
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_serial(CK_CHAR_PTR str, CK_ULONG len) {
|
||||
|
||||
if (strlen(token_serial) > len)
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
memcpy(str, token_serial, strlen(token_serial));
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_mechanisms_num(CK_ULONG_PTR num) {
|
||||
|
||||
*num = token_mechanisms_num;
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_mechanism_list(CK_MECHANISM_TYPE_PTR mec, CK_ULONG num) {
|
||||
|
||||
if (token_mechanisms_num > num)
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
memcpy(mec, token_mechanisms, token_mechanisms_num * sizeof(CK_MECHANISM_TYPE));
|
||||
return CKR_OK;
|
||||
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_PTR info) {
|
||||
|
||||
CK_ULONG i;
|
||||
|
||||
for (i = 0; i < token_mechanisms_num; i++)
|
||||
if (token_mechanisms[i] == mec) {
|
||||
memcpy((CK_BYTE_PTR) info, (CK_BYTE_PTR) (token_mechanism_infos + i), sizeof(CK_MECHANISM_INFO));
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
return CKR_MECHANISM_INVALID;
|
||||
|
||||
}
|
||||
|
||||
static CK_RV get_objects(ykpiv_state *state, CK_BBOOL num_only,
|
||||
piv_obj_id_t *obj, CK_ULONG_PTR len, CK_ULONG_PTR num_certs) {
|
||||
CK_BYTE buf[2048];
|
||||
CK_ULONG buf_len;
|
||||
CK_BYTE major;
|
||||
CK_ULONG i;
|
||||
|
||||
piv_obj_id_t certs[24];
|
||||
piv_obj_id_t pvtkeys[24];
|
||||
piv_obj_id_t pubkeys[24];
|
||||
CK_ULONG n_cert = 0;
|
||||
CK_ULONG token_objects_num = neo_token_objects_num;
|
||||
|
||||
if (state == NULL || len == NULL_PTR)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
if (num_only == CK_FALSE && obj == NULL)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
if (ykpiv_get_version(state, (char *) buf, sizeof(buf)) != YKPIV_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
major = buf[0] - '0';
|
||||
|
||||
buf_len = sizeof(buf);
|
||||
if (ykpiv_fetch_object(state, YKPIV_OBJ_AUTHENTICATION, buf, &buf_len) == YKPIV_OK) {
|
||||
certs[n_cert] = PIV_CERT_OBJ_X509_PIV_AUTH;
|
||||
pvtkeys[n_cert] = PIV_PVTK_OBJ_PIV_AUTH;
|
||||
pubkeys[n_cert] = PIV_PUBK_OBJ_PIV_AUTH;
|
||||
n_cert++;
|
||||
DBG("Found AUTH cert (9a)");
|
||||
}
|
||||
|
||||
buf_len = sizeof(buf);
|
||||
if (ykpiv_fetch_object(state, YKPIV_OBJ_CARD_AUTH, buf, &buf_len) == YKPIV_OK) {
|
||||
certs[n_cert] = PIV_CERT_OBJ_X509_CARD_AUTH;
|
||||
pvtkeys[n_cert] = PIV_PVTK_OBJ_CARD_AUTH;
|
||||
pubkeys[n_cert] = PIV_PUBK_OBJ_CARD_AUTH;
|
||||
n_cert++;
|
||||
DBG("Found CARD AUTH cert (9e)");
|
||||
}
|
||||
|
||||
buf_len = sizeof(buf);
|
||||
if (ykpiv_fetch_object(state, YKPIV_OBJ_SIGNATURE, buf, &buf_len) == YKPIV_OK) {
|
||||
certs[n_cert] = PIV_CERT_OBJ_X509_DS;
|
||||
pvtkeys[n_cert] = PIV_PVTK_OBJ_DS;
|
||||
pubkeys[n_cert] = PIV_PUBK_OBJ_DS;
|
||||
n_cert++;
|
||||
DBG("Found SIGNATURE cert (9c)");
|
||||
}
|
||||
|
||||
buf_len = sizeof(buf);
|
||||
if (ykpiv_fetch_object(state, YKPIV_OBJ_KEY_MANAGEMENT, buf, &buf_len) == YKPIV_OK) {
|
||||
certs[n_cert] = PIV_CERT_OBJ_X509_KM;
|
||||
pvtkeys[n_cert] = PIV_PVTK_OBJ_KM;
|
||||
pubkeys[n_cert] = PIV_PUBK_OBJ_KM;
|
||||
n_cert++;
|
||||
DBG("Found KMK cert (9d)");
|
||||
}
|
||||
|
||||
if (major >= 4) {
|
||||
for (i = 0; i < 20; i++) {
|
||||
buf_len = sizeof(buf);
|
||||
if (ykpiv_fetch_object(state, YKPIV_OBJ_RETIRED1 + i, buf, &buf_len) == YKPIV_OK) {
|
||||
certs[n_cert] = PIV_CERT_OBJ_X509_RETIRED1 + i;
|
||||
pvtkeys[n_cert] = PIV_PVTK_OBJ_RETIRED1 + i;
|
||||
pubkeys[n_cert] = PIV_PUBK_OBJ_RETIRED1 + i;
|
||||
n_cert++;
|
||||
DBG("Found RETIRED cert (%lx)", 0x82 + i);
|
||||
}
|
||||
}
|
||||
token_objects_num = yk4_token_objects_num;
|
||||
}
|
||||
|
||||
DBG("The total number of objects for this token is %lu", (n_cert * 3) + token_objects_num);
|
||||
|
||||
if (num_only == CK_TRUE) {
|
||||
// We just want the number of objects
|
||||
// Each cert object counts for 3: cert, pub key, pvt key
|
||||
*len = (n_cert * 3) + token_objects_num;
|
||||
if (num_certs != NULL)
|
||||
*num_certs = n_cert;
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
if (*len < (n_cert * 3) + token_objects_num)
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
// Copy data objects
|
||||
if (major >= 4) {
|
||||
// YK4: just copy all the objects
|
||||
memcpy(obj, token_objects, token_objects_num * sizeof(piv_obj_id_t));
|
||||
}
|
||||
else {
|
||||
// NEO: remove retired keys
|
||||
memcpy(obj, token_objects, 4 * sizeof(piv_obj_id_t));
|
||||
memcpy(obj + 4, token_objects + 24, (neo_token_objects_num - 4) * sizeof(piv_obj_id_t));
|
||||
}
|
||||
|
||||
// Copy certificates
|
||||
if (n_cert > 0) {
|
||||
memcpy(obj + token_objects_num, certs, n_cert * sizeof(piv_obj_id_t));
|
||||
memcpy(obj + token_objects_num + n_cert, pvtkeys, n_cert * sizeof(piv_obj_id_t));
|
||||
memcpy(obj + token_objects_num + (2 * n_cert), pubkeys, n_cert * sizeof(piv_obj_id_t));
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_objects_num(ykpiv_state *state, CK_ULONG_PTR num, CK_ULONG_PTR num_certs) {
|
||||
return get_objects(state, CK_TRUE, NULL, num, num_certs);
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_object_list(ykpiv_state *state, piv_obj_id_t *obj, CK_ULONG num) {
|
||||
return get_objects(state, CK_FALSE, obj, &num, NULL);
|
||||
}
|
||||
|
||||
CK_RV YUBICO_get_token_raw_certificate(ykpiv_state *state, piv_obj_id_t obj, CK_BYTE_PTR data, CK_ULONG_PTR len) {
|
||||
|
||||
if (ykpiv_fetch_object(state, piv_2_ykpiv(obj), data, len) != YKPIV_OK)
|
||||
return CKR_FUNCTION_FAILED;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV YUBICO_token_change_pin(ykpiv_state *state, CK_USER_TYPE user_type, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewLen) {
|
||||
int tries;
|
||||
ykpiv_rc res;
|
||||
|
||||
switch(user_type){
|
||||
case CKU_SO:{
|
||||
unsigned char new_key[24];
|
||||
size_t new_key_len = sizeof(new_key);
|
||||
if(ykpiv_hex_decode((const char*)pNewPin, ulNewLen, new_key, &new_key_len) != YKPIV_OK) {
|
||||
DBG("Failed to decode new pin")
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
}
|
||||
res = ykpiv_set_mgmkey(state, new_key);
|
||||
break;
|
||||
}
|
||||
case CKU_USER:
|
||||
if(ulOldLen >= 4 && strncmp((const char*)pOldPin, "puk:", 4) == 0){
|
||||
DBG("Changing PUK pin")
|
||||
res = ykpiv_change_puk(state, (const char*)pOldPin + 4, ulOldLen - 4, (const char*)pNewPin, ulNewLen, &tries);
|
||||
}else{
|
||||
DBG("Changing USER pin")
|
||||
res = ykpiv_change_pin(state, (const char*)pOldPin, ulOldLen, (const char*)pNewPin, ulNewLen, &tries);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
DBG("TODO implement other context specific pin change");
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
switch (res) {
|
||||
case YKPIV_OK:
|
||||
return CKR_OK;
|
||||
case YKPIV_SIZE_ERROR:
|
||||
return CKR_PIN_LEN_RANGE;
|
||||
case YKPIV_WRONG_PIN:
|
||||
return CKR_PIN_INCORRECT;
|
||||
case YKPIV_PIN_LOCKED:
|
||||
return CKR_PIN_LOCKED;
|
||||
default:
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
}
|
||||
@@ -1,53 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015-2016 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are
|
||||
* met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* * Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef YUBICO_TOKEN_H
|
||||
#define YUBICO_TOKEN_H
|
||||
|
||||
#include "pkcs11.h"
|
||||
#include "obj_types.h"
|
||||
#include <ykpiv.h>
|
||||
|
||||
CK_RV YUBICO_get_token_label(CK_UTF8CHAR_PTR str, CK_ULONG len);
|
||||
CK_RV YUBICO_get_token_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len);
|
||||
CK_RV YUBICO_get_token_model(ykpiv_state *state, CK_UTF8CHAR_PTR str, CK_ULONG len);
|
||||
CK_RV YUBICO_get_token_flags(CK_FLAGS_PTR flags);
|
||||
CK_RV YUBICO_get_token_serial(CK_CHAR_PTR str, CK_ULONG len);
|
||||
CK_RV YUBICO_get_token_version(ykpiv_state *state, CK_VERSION_PTR version);
|
||||
CK_RV YUBICO_get_token_mechanisms_num(CK_ULONG_PTR num);
|
||||
CK_RV YUBICO_get_token_mechanism_list(CK_MECHANISM_TYPE_PTR mec, CK_ULONG num);
|
||||
CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_PTR info);
|
||||
CK_RV YUBICO_get_token_objects_num(ykpiv_state *state, CK_ULONG_PTR num, CK_ULONG_PTR num_certs);
|
||||
CK_RV YUBICO_get_token_object_list(ykpiv_state *state, piv_obj_id_t *obj, CK_ULONG num);
|
||||
CK_RV YUBICO_get_token_raw_certificate(ykpiv_state *state, piv_obj_id_t obj, CK_BYTE_PTR data, CK_ULONG_PTR len);
|
||||
CK_RV YUBICO_token_change_pin(ykpiv_state *state, CK_USER_TYPE user_type, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldLen,
|
||||
CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewLen);
|
||||
|
||||
#endif
|
||||