From bd144cc6211df63b72b7a4bb44df019d1ebe3ee5 Mon Sep 17 00:00:00 2001 From: Alessio Di Mauro Date: Tue, 28 Jul 2015 17:57:38 +0200 Subject: [PATCH] Yet another refactor of objects. --- ykcs11/Makefile.am | 1 + ykcs11/mechanisms.c | 70 +++- ykcs11/mechanisms.h | 6 +- ykcs11/obj_types.h | 181 +++++----- ykcs11/objects.c | 796 ++++++++++++++++++++++++++++++++--------- ykcs11/objects.h | 6 +- ykcs11/token_vendors.h | 2 +- ykcs11/utils.c | 2 +- ykcs11/utils.h | 1 + ykcs11/ykcs11.c | 81 +++-- ykcs11/ykcs11.h | 1 + ykcs11/yubico_token.c | 63 ++-- 12 files changed, 884 insertions(+), 326 deletions(-) diff --git a/ykcs11/Makefile.am b/ykcs11/Makefile.am index 339bcaa..d93c75c 100644 --- a/ykcs11/Makefile.am +++ b/ykcs11/Makefile.am @@ -37,6 +37,7 @@ libykcs11_la_SOURCES = ykcs11.c version.c ykcs11.pc.in ykcs11.map libykcs11_la_SOURCES += vendors.c vendor.h vendor_ids.h libykcs11_la_SOURCES += slot_vendors.c slot_vendor.h libykcs11_la_SOURCES += token_vendors.c token_vendor.h +libykcs11_la_SOURCES += mechanisms.c mechanisms.h libykcs11_la_SOURCES += yubico_slot.c yubico_slot.h yubico_token.c yubico_token.h libykcs11_la_SOURCES += utils.h utils.c libykcs11_la_SOURCES += obj_types.h objects.h objects.c diff --git a/ykcs11/mechanisms.c b/ykcs11/mechanisms.c index b232d9d..b63ea59 100644 --- a/ykcs11/mechanisms.c +++ b/ykcs11/mechanisms.c @@ -1,7 +1,7 @@ #include "mechanisms.h" // Supported mechanisms for signature -static const CK_MECHANISM_TYPE sign[] = { +static const CK_MECHANISM_TYPE sign_mechanisms[] = { CKM_RSA_PKCS, CKM_RSA_PKCS_PSS, CKM_RSA_X_509, 
@@ -17,14 +17,16 @@ static const CK_MECHANISM_TYPE sign[] = { CKM_ECDSA_SHA1 }; -CK_RV check_sign_mechanism(const ykcs11_session_t *s, const CK_MECHANISM_PTR m, const CK_OBJECT_HANDLE k) { +CK_RV check_sign_mechanism(const ykcs11_session_t *s, const CK_MECHANISM_PTR m) { - CK_ULONG i; - CK_BBOOL supported = CK_FALSE; + CK_ULONG i; + CK_BBOOL supported = CK_FALSE; + token_vendor_t token; + CK_MECHANISM_INFO info; - /* Check if mechanism is supported by the module */ - for (i = 0; i < sizeof(sign) / sizeof(CK_MECHANISM_TYPE); i++) { - if (m->mechanism == sign[i]) { + // Check if the mechanism is supported by the module + for (i = 0; i < sizeof(sign_mechanisms) / sizeof(CK_MECHANISM_TYPE); i++) { + if (m->mechanism == sign_mechanisms[i]) { supported = CK_TRUE; break; } 
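Review bot: `m->mechanism` is dereferenced in the new loop without `m` ever being checked, and `m` is the application-supplied mechanism pointer that PKCS#11 allows to be NULL; unless the caller in C_SignInit already rejects that case (not visible here), add `if (m == NULL_PTR) return CKR_ARGUMENTS_BAD;` before the loop. check_sign_mechanism's body continues past this hunk.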
@@ -32,9 +34,53 @@ CK_RV check_sign_mechanism(const ykcs11_session_t *s, const CK_MECHANISM_PTR m, if (supported == CK_FALSE) return CKR_MECHANISM_INVALID; - /* Check if mechanism is supported by the token */ - - - CK_OK; - + // Check if the mechanism is supported by the token + token = get_token_vendor(s->slot->token->vid); + + if (token.get_token_mechanism_info(m->mechanism, &info) != CKR_OK) + return CKR_MECHANISM_INVALID; + + // TODO: also check that parametes make sens if any? + + CKR_OK; + +} + +CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m) { + + switch (m) { + case CKM_RSA_PKCS_KEY_PAIR_GEN: + case CKM_RSA_PKCS: + case CKM_RSA_9796: + case CKM_RSA_X_509: + case CKM_MD2_RSA_PKCS: + case CKM_MD5_RSA_PKCS: + case CKM_SHA1_RSA_PKCS: +// case CKM_SHA224_RSA_PKCS: + case CKM_SHA256_RSA_PKCS: + case CKM_SHA384_RSA_PKCS: + case CKM_SHA512_RSA_PKCS: +// case CKM_RIPEMD128_RSA_PKCS: +// case CKM_RIPEMD160_RSA_PKCS: +// case CKM_RSA_PKCS_OAEP: +// case CKM_RSA_X9_31_KEY_PAIR_GEN: +// case CKM_RSA_X9_31: +// case CKM_SHA1_RSA_X9_31: + case CKM_RSA_PKCS_PSS: + case CKM_SHA1_RSA_PKCS_PSS: +// case CKM_SHA224_RSA_PKCS_PSS: + case CKM_SHA256_RSA_PKCS_PSS: + case CKM_SHA512_RSA_PKCS_PSS: + case CKM_SHA384_RSA_PKCS_PSS: +// case CKM_RSA_PKCS_TPM_1_1: +// case CKM_RSA_PKCS_OAEP_TPM_1_1: +// case CKM_RSA_AES_KEY_WRAP: + return CK_TRUE; + + default: + return CK_FALSE; + } + + // Not reached + return CK_FALSE; } diff --git a/ykcs11/mechanisms.h b/ykcs11/mechanisms.h index 5c5e02f..f95565e 100644 --- a/ykcs11/mechanisms.h +++ b/ykcs11/mechanisms.h @@ -1,10 +1,10 @@ #ifndef MECHANISMS_H #define MECHANISMS_H -#include "pkcs11t.h" +#include "ykcs11.h" -CK_RV check_sign_mechanism(const CK_MECHANISM_PTR m, const CK_OBJECT_HANDLE k); - +CK_RV check_sign_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m); +CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m); #endif diff --git a/ykcs11/obj_types.h b/ykcs11/obj_types.h index 5e8aa4b..5d02a62 100644 --- a/ykcs11/obj_types.h 
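Review bot: check_sign_mechanism falls off the end without returning a value: the statement after the TODO is the bare expression `CKR_OK;` (the removed code had the same problem with `CK_OK;`), so the CK_RV the caller receives is indeterminate and a mechanism that passed both checks can be reported as invalid, or an unsupported one accepted, depending on what happens to be in the return register. It should read `return CKR_OK;`. The `token.get_token_mechanism_info(...)` call also assumes `s`, `s->slot` and `s->slot->token` are non-null, which only holds if every caller validates the session first; a one-line comment stating that precondition would help. In is_RSA_mechanism the trailing `return CK_FALSE;` after the switch is unreachable because every path returns, so either drop it or drop the `default:` label, and the TODO should read `// TODO: also check that parameters make sense, if any?`.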
+++ b/ykcs11/obj_types.h 
@@ -5,88 +5,96 @@ // TODO: this is mostly from OpenSC, how to give credit? typedef enum { - PIV_DATA_OBJ_CCC = 0, // Card capability container - PIV_DATA_OBJ_CHUI, // Cardholder unique id - /* PIV_DATA_OBJ_UCHUI is not in new with 800-73-2 */ - PIV_DATA_OBJ_X509_PIV_AUTH, // PIV authentication - PIV_DATA_OBJ_CHF, // Cardholder fingerprints - PIV_DATA_OBJ_SEC_OBJ, // Security object - PIV_DATA_OBJ_CHFI, // Cardholder facial images - PIV_DATA_OBJ_X509_CARD_AUTH, // Certificate for card authentication - PIV_DATA_OBJ_X509_DS, // Certificate for digital signature - PIV_DATA_OBJ_X509_KM, // Certificate for key management - PIV_DATA_OBJ_PI, // Cardholder printed information - PIV_DATA_OBJ_DISCOVERY, // Discovery object - PIV_DATA_OBJ_HISTORY, // History object - PIV_DATA_OBJ_RETIRED_X509_1, // Retired certificate for KM 1 - PIV_DATA_OBJ_RETIRED_X509_2, // Retired certificate for KM 2 - PIV_DATA_OBJ_RETIRED_X509_3, // Retired certificate for KM 3 - PIV_DATA_OBJ_RETIRED_X509_4, // Retired certificate for KM 4 - PIV_DATA_OBJ_RETIRED_X509_5, // Retired certificate for KM 5 - PIV_DATA_OBJ_RETIRED_X509_6, // Retired certificate for KM 6 - PIV_DATA_OBJ_RETIRED_X509_7, // Retired certificate for KM 7 - PIV_DATA_OBJ_RETIRED_X509_8, // Retired certificate for KM 8 - PIV_DATA_OBJ_RETIRED_X509_9, // Retired certificate for KM 9 - PIV_DATA_OBJ_RETIRED_X509_10, // Retired certificate for KM 10 - PIV_DATA_OBJ_RETIRED_X509_11, // Retired certificate for KM 11 - PIV_DATA_OBJ_RETIRED_X509_12, // Retired certificate for KM 12 - PIV_DATA_OBJ_RETIRED_X509_13, // Retired certificate for KM 13 - PIV_DATA_OBJ_RETIRED_X509_14, // Retired certificate for KM 14 - PIV_DATA_OBJ_RETIRED_X509_15, // Retired certificate for KM 15 - PIV_DATA_OBJ_RETIRED_X509_16, // Retired certificate for KM 16 - PIV_DATA_OBJ_RETIRED_X509_17, // Retired certificate for KM 17 - PIV_DATA_OBJ_RETIRED_X509_18, // Retired certificate for KM 18 - PIV_DATA_OBJ_RETIRED_X509_19, // Retired certificate for KM 19 - 
PIV_DATA_OBJ_RETIRED_X509_20, // Retired certificate for KM 20 - PIV_DATA_OBJ_IRIS_IMAGE, // Cardholder iris images - PIV_DATA_OBJ_BITGT, // Biometric information templates group template - PIV_DATA_OBJ_SM_SIGNER, // Secure messaging signer - PIV_DATA_OBJ_PC_REF_DATA, // Pairing code reference data + PIV_DATA_OBJ_X509_PIV_AUTH = 0, // PIV authentication + PIV_DATA_OBJ_X509_CARD_AUTH, // Certificate for card authentication + PIV_DATA_OBJ_X509_DS, // Certificate for digital signature + PIV_DATA_OBJ_X509_KM, // Certificate for key management + PIV_DATA_OBJ_CCC, // Card capability container + PIV_DATA_OBJ_CHUI, // Cardholder unique id + PIV_DATA_OBJ_CHF, // Cardholder fingerprints + PIV_DATA_OBJ_SEC_OBJ, // Security object + PIV_DATA_OBJ_CHFI, // Cardholder facial images + PIV_DATA_OBJ_PI, // Cardholder printed information + PIV_DATA_OBJ_DISCOVERY, // Discovery object + PIV_DATA_OBJ_HISTORY, // History object + PIV_DATA_OBJ_RETIRED_X509_1, // Retired certificate for KM 1 + PIV_DATA_OBJ_RETIRED_X509_2, // Retired certificate for KM 2 + PIV_DATA_OBJ_RETIRED_X509_3, // Retired certificate for KM 3 + PIV_DATA_OBJ_RETIRED_X509_4, // Retired certificate for KM 4 + PIV_DATA_OBJ_RETIRED_X509_5, // Retired certificate for KM 5 + PIV_DATA_OBJ_RETIRED_X509_6, // Retired certificate for KM 6 + PIV_DATA_OBJ_RETIRED_X509_7, // Retired certificate for KM 7 + PIV_DATA_OBJ_RETIRED_X509_8, // Retired certificate for KM 8 + PIV_DATA_OBJ_RETIRED_X509_9, // Retired certificate for KM 9 + PIV_DATA_OBJ_RETIRED_X509_10, // Retired certificate for KM 10 + PIV_DATA_OBJ_RETIRED_X509_11, // Retired certificate for KM 11 + PIV_DATA_OBJ_RETIRED_X509_12, // Retired certificate for KM 12 + PIV_DATA_OBJ_RETIRED_X509_13, // Retired certificate for KM 13 + PIV_DATA_OBJ_RETIRED_X509_14, // Retired certificate for KM 14 + PIV_DATA_OBJ_RETIRED_X509_15, // Retired certificate for KM 15 + PIV_DATA_OBJ_RETIRED_X509_16, // Retired certificate for KM 16 + PIV_DATA_OBJ_RETIRED_X509_17, // Retired certificate for 
KM 17 + PIV_DATA_OBJ_RETIRED_X509_18, // Retired certificate for KM 18 + PIV_DATA_OBJ_RETIRED_X509_19, // Retired certificate for KM 19 + PIV_DATA_OBJ_RETIRED_X509_20, // Retired certificate for KM 20 + PIV_DATA_OBJ_IRIS_IMAGE, // Cardholder iris images + PIV_DATA_OBJ_BITGT, // Biometric information templates group template + PIV_DATA_OBJ_SM_SIGNER, // Secure messaging signer + PIV_DATA_OBJ_PC_REF_DATA, // Pairing code reference data /* PIV_DATA_OBJ_9B03, // NON-STANDARD TODO: remove? - PIV_DATA_OBJ_9A06, // NON-STANDARD - PIV_DATA_OBJ_9C06, // NON-STANDARD - PIV_DATA_OBJ_9D06, // NON-STANDARD - PIV_DATA_OBJ_9E06, // NON-STANDARD - PIV_DATA_OBJ_8206, // NON-STANDARD - PIV_DATA_OBJ_8306, // NON-STANDARD - PIV_DATA_OBJ_8406, // NON-STANDARD - PIV_DATA_OBJ_8506, // NON-STANDARD - PIV_DATA_OBJ_8606, // NON-STANDARD - PIV_DATA_OBJ_8706, // NON-STANDARD - PIV_DATA_OBJ_8806, // NON-STANDARD - PIV_DATA_OBJ_8906, // NON-STANDARD - PIV_DATA_OBJ_8A06, // NON-STANDARD - PIV_DATA_OBJ_8B06, // NON-STANDARD - PIV_DATA_OBJ_8C06, // NON-STANDARD - PIV_DATA_OBJ_8D06, // NON-STANDARD - PIV_DATA_OBJ_8E06, // NON-STANDARD - PIV_DATA_OBJ_8F06, // NON-STANDARD - PIV_DATA_OBJ_9006, // NON-STANDARD - PIV_DATA_OBJ_9106, // NON-STANDARD - PIV_DATA_OBJ_9206, // NON-STANDARD - PIV_DATA_OBJ_9306, // NON-STANDARD - PIV_DATA_OBJ_9406, // NON-STANDARD - PIV_DATA_OBJ_9506, // NON-STANDARD*/ + PIV_DATA_OBJ_9A06, // NON-STANDARD + PIV_DATA_OBJ_9C06, // NON-STANDARD + PIV_DATA_OBJ_9D06, // NON-STANDARD + PIV_DATA_OBJ_9E06, // NON-STANDARD + PIV_DATA_OBJ_8206, // NON-STANDARD + PIV_DATA_OBJ_8306, // NON-STANDARD + PIV_DATA_OBJ_8406, // NON-STANDARD + PIV_DATA_OBJ_8506, // NON-STANDARD + PIV_DATA_OBJ_8606, // NON-STANDARD + PIV_DATA_OBJ_8706, // NON-STANDARD + PIV_DATA_OBJ_8806, // NON-STANDARD + PIV_DATA_OBJ_8906, // NON-STANDARD + PIV_DATA_OBJ_8A06, // NON-STANDARD + PIV_DATA_OBJ_8B06, // NON-STANDARD + PIV_DATA_OBJ_8C06, // NON-STANDARD + PIV_DATA_OBJ_8D06, // NON-STANDARD + PIV_DATA_OBJ_8E06, // 
NON-STANDARD + PIV_DATA_OBJ_8F06, // NON-STANDARD + PIV_DATA_OBJ_9006, // NON-STANDARD + PIV_DATA_OBJ_9106, // NON-STANDARD + PIV_DATA_OBJ_9206, // NON-STANDARD + PIV_DATA_OBJ_9306, // NON-STANDARD + PIV_DATA_OBJ_9406, // NON-STANDARD + PIV_DATA_OBJ_9506, // NON-STANDARD*/ PIV_DATA_OBJ_LAST, - PIV_CERT_OBJ_X509_PIV_AUTH, // PIV authentication - PIV_CERT_OBJ_X509_CARD_AUTH, // Certificate for card authentication - PIV_CERT_OBJ_X509_DS, // Certificate for digital signature - PIV_CERT_OBJ_X509_KM, // Certificate for key management - PIV_CERT_OBJ_LAST - // TODO: private keys? + PIV_CERT_OBJ_X509_PIV_AUTH, // PIV authentication + PIV_CERT_OBJ_X509_CARD_AUTH, // Certificate for card authentication + PIV_CERT_OBJ_X509_DS, // Certificate for digital signature + PIV_CERT_OBJ_X509_KM, // Certificate for key management + PIV_CERT_OBJ_LAST, + + PIV_PVTK_OBJ_PIV_AUTH, // Private key for PIV authentication + PIV_PVTK_OBJ_CARD_AUTH, // Private Key for card authentication + PIV_PVTK_OBJ_DS, // Private Key for digital signature + PIV_PVTK_OBJ_KM, // Private Key for key management + PIV_PVTK_OBJ_LAST, + + PIV_PUBK_OBJ_PIV_AUTH, // Public key for PIV authentication + PIV_PUBK_OBJ_CARD_AUTH, // Public Key for card authentication + PIV_PUBK_OBJ_DS, // Public Key for digital signature + PIV_PUBK_OBJ_KM, // Public Key for key management + PIV_PUBK_OBJ_LAST + } piv_obj_id_t; - -/*#define PIV_OBJECT_TYPE_CERT 1 // TODO: redundant now? -#define PIV_OBJECT_TYPE_PUBKEY 2 -#define PIV_OBJECT_NOT_PRESENT 4*/ +typedef CK_RV (*get_attr_f)(CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR); typedef struct { const char *oid; - CK_BYTE tag_len; // TODO: or ulong? - CK_BYTE tag_value[3]; // TODO: needed? - CK_BYTE containerid[2]; /* will use as relative paths for simulation */ // TODO: needed? + CK_BYTE tag_len; + CK_BYTE tag_value[3]; // TODO: needed? + CK_BYTE containerid[2]; /* will use as relative paths for simulation */ // TODO: needed? } piv_data_obj_t; typedef struct { 
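Review bot: The new `get_attr_f` typedef is the hook every row of the object table dispatches through, but it carries no contract: nothing says what the handle argument is, what the callee must write into the template, or which CK_RV values it may return. A comment above it along the lines of `/* Per-class attribute getter: fills template->ulValueLen (and pValue when non-NULL) for handle obj, an index into the object table; returns CKR_OK, CKR_BUFFER_TOO_SMALL, CKR_ATTRIBUTE_TYPE_INVALID for attributes the class lacks, or CKR_FUNCTION_FAILED for ones not yet implemented */` matches what get_doa and get_coa do in objects.c. The enum now also has four `_LAST` sentinels that are valid integers sitting between the object ranges, and objects.c keeps a table row for each of them, so a handle equal to a sentinel passes a plain index bound check and any handle validation must reject them explicitly. The large `/* PIV_DATA_OBJ_9B03 … PIV_DATA_OBJ_9506 */` block is still carried as commented-out code; it lives in history and should just be removed.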
@@ -94,14 +102,23 @@ typedef struct { } piv_cert_obj_t; typedef struct { - piv_obj_id_t type; // TODO: technically redundant - CK_BBOOL token; // TODO: not used yet - CK_BBOOL private; - CK_BBOOL modifiable; - const char *label; - CK_BBOOL copyable; - CK_BBOOL destroyable; -CK_ULONG sub_id; + CK_BBOOL todo; +} piv_pvtk_obj_t; + +typedef struct { + CK_BBOOL todo; +} piv_pubk_obj_t; + +typedef struct { + piv_obj_id_t piv_id; // TODO: technically redundant + CK_BBOOL token; // TODO: not used yet + CK_BBOOL private; + CK_BBOOL modifiable; + char *label; + CK_BBOOL copyable; // TODO: Optional, not used so far (default TRUE) + CK_BBOOL destroyable; // TODO: Optional, not used so far (default TRUE) + get_attr_f get_attribute; + CK_ULONG sub_id; // Sub-object id } piv_obj_t; #endif diff --git a/ykcs11/objects.c b/ykcs11/objects.c index 5845d53..cbc008e 100644 --- a/ykcs11/objects.c +++ b/ykcs11/objects.c 
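Review bot: `label` loses its `const` (`const char *label` became `char *label`) while every initializer in objects.c is a string literal, so the new type invites a write through the pointer that would be undefined behaviour; keep `const char *label;` and cast at the single consumer instead, `data = (CK_BYTE_PTR)piv_objects[obj].label;`. The `get_attribute` member is left undocumented although objects.c leaves it NULL on three of the four `_LAST` sentinel rows; a comment such as `// Class-specific attribute getter; NULL on sentinel rows, which must not be dispatched` records that. `piv_pvtk_obj_t` and `piv_pubk_obj_t` are `CK_BBOOL todo` placeholders, so a `// TODO:` on each naming the attributes they are meant to hold would make the intent clear to the next reader.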
@@ -1,91 +1,84 @@ +#include "obj_types.h" #include "objects.h" #include #include #include +CK_RV get_doa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); // TODO: static? +CK_RV get_coa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); +CK_RV get_proa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); +CK_RV get_puoa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); + //TODO: this is mostly a snippet from OpenSC how to give credit? Less and less so now /* Must be in order, and one per enumerated PIV_OBJ */ -static piv_obj_t objects[] = { - {PIV_DATA_OBJ_CCC, 0, 0, 0, "Card Capability Container", 0, 0, 0}, - {PIV_DATA_OBJ_CHUI, 0, 0, 0, "Card Holder Unique Identifier", 0, 0, 1}, - // PIV_DATA_OBJ_UCHUI - {PIV_DATA_OBJ_X509_PIV_AUTH, 0, 0, 0, "X.509 Certificate for PIV Authentication", 0, 0, 2}, - {PIV_DATA_OBJ_CHF, 0, 0, 0, "Card Holder Fingerprints", 0, 0, 3}, - {PIV_DATA_OBJ_SEC_OBJ, 0, 0, 0, "Security Object", 0, 0, 4}, - {PIV_DATA_OBJ_CHFI, 0, 0, 0, "Cardholder Facial Images", 0, 0, 5}, - {PIV_DATA_OBJ_X509_CARD_AUTH, 0, 0, 0, "X.509 Certificate for Card Authentication", 0, 0, 6}, - {PIV_DATA_OBJ_X509_DS, 0, 0, 0, "X.509 Certificate for Digital Signature", 0, 0, 7}, - {PIV_DATA_OBJ_X509_KM, 0, 0, 0, "X.509 Certificate for Key Management", 0, 0, 8}, - {PIV_DATA_OBJ_PI, 0, 0, 0, "Printed Information", 0, 0, 9}, - {PIV_DATA_OBJ_DISCOVERY, 0, 0, 0, "Discovery Object", 0, 0, 10}, - {PIV_DATA_OBJ_HISTORY, 0, 0, 0, "Key History Object", 0, 0, 11}, - {PIV_DATA_OBJ_RETIRED_X509_1, 0, 0, 0, "Retired X.509 Certificate for Key Management 1", 0, 0, 12}, - {PIV_DATA_OBJ_RETIRED_X509_2, 0, 0, 0, "Retired X.509 Certificate for Key Management 2", 0, 0, 13}, - {PIV_DATA_OBJ_RETIRED_X509_3, 0, 0, 0, "Retired X.509 Certificate for Key Management 3", 0, 0, 14}, - {PIV_DATA_OBJ_RETIRED_X509_4, 0, 0, 0, "Retired X.509 Certificate for Key Management 4", 0, 0, 15}, - {PIV_DATA_OBJ_RETIRED_X509_5, 0, 0, 0, "Retired X.509 Certificate for Key Management 5", 0, 0, 16}, - 
{PIV_DATA_OBJ_RETIRED_X509_6, 0, 0, 0, "Retired X.509 Certificate for Key Management 6", 0, 0, 17}, - {PIV_DATA_OBJ_RETIRED_X509_7, 0, 0, 0, "Retired X.509 Certificate for Key Management 7", 0, 0, 18}, - {PIV_DATA_OBJ_RETIRED_X509_8, 0, 0, 0, "Retired X.509 Certificate for Key Management 8", 0, 0, 19}, - {PIV_DATA_OBJ_RETIRED_X509_9, 0, 0, 0, "Retired X.509 Certificate for Key Management 9", 0, 0, 20}, - {PIV_DATA_OBJ_RETIRED_X509_10, 0, 0, 0, "Retired X.509 Certificate for Key Management 10", 0, 0, 21}, - {PIV_DATA_OBJ_RETIRED_X509_11, 0, 0, 0, "Retired X.509 Certificate for Key Management 11", 0, 0, 22}, - {PIV_DATA_OBJ_RETIRED_X509_12, 0, 0, 0, "Retired X.509 Certificate for Key Management 12", 0, 0, 23}, - {PIV_DATA_OBJ_RETIRED_X509_13, 0, 0, 0, "Retired X.509 Certificate for Key Management 13", 0, 0, 24}, - {PIV_DATA_OBJ_RETIRED_X509_14, 0, 0, 0, "Retired X.509 Certificate for Key Management 14", 0, 0, 25}, - {PIV_DATA_OBJ_RETIRED_X509_15, 0, 0, 0, "Retired X.509 Certificate for Key Management 15", 0, 0, 26}, - {PIV_DATA_OBJ_RETIRED_X509_16, 0, 0, 0, "Retired X.509 Certificate for Key Management 16", 0, 0, 27}, - {PIV_DATA_OBJ_RETIRED_X509_17, 0, 0, 0, "Retired X.509 Certificate for Key Management 17", 0, 0, 28}, - {PIV_DATA_OBJ_RETIRED_X509_18, 0, 0, 0, "Retired X.509 Certificate for Key Management 18", 0, 0, 29}, - {PIV_DATA_OBJ_RETIRED_X509_19, 0, 0, 0, "Retired X.509 Certificate for Key Management 19", 0, 0, 30}, - {PIV_DATA_OBJ_RETIRED_X509_20, 0, 0, 0, "Retired X.509 Certificate for Key Management 20", 0, 0, 31}, - {PIV_DATA_OBJ_IRIS_IMAGE, 0, 0, 0, "Cardholder Iris Images", 0, 0, 32}, - {PIV_DATA_OBJ_BITGT, 0, 0, 0, "Biometric Information Templates Group Template", 0, 0, 33}, - {PIV_DATA_OBJ_SM_SIGNER, 0, 0, 0, "Secure Messaging Certificate Signer", 0, 0, 34}, - {PIV_DATA_OBJ_PC_REF_DATA, 0, 0, 0, "Pairing Code Reference Data Container", 0, 0, 35}, -/* {PIV_DATA_OBJ_9B03, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_9A06, 0, 0, 0, "", 0, 0, }, - 
{PIV_DATA_OBJ_9C06, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_9D06, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_9E06, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8206, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8306, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8406, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8506, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8606, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8706, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8806, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8906, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8A06, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8B06, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8C06, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8D06, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8E06, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_8F06, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_9006, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_9106, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_9206, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_9306, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_9406, 0, 0, 0, "", 0, 0, }, - {PIV_DATA_OBJ_9506, 0, 0, 0, "", 0, 0, },*/ - {PIV_DATA_OBJ_LAST, 0, 0, 0, "", 0, 0, 36}, - {PIV_CERT_OBJ_X509_PIV_AUTH, 0, 0, 0, "X.509 Certificate for PIV Authentication", 0, 0, 0}, - {PIV_CERT_OBJ_X509_CARD_AUTH, 0, 0, 0, "X.509 Certificate for Card Authentication", 0, 0, 1}, - {PIV_CERT_OBJ_X509_DS, 0, 0, 0, "X.509 Certificate for Digital Signature", 0, 0, 2}, - {PIV_CERT_OBJ_X509_KM, 0, 0, 0, "X.509 Certificate for Key Management", 0, 0, 3}, - {PIV_CERT_OBJ_LAST, 0, 0, 0, "", 0, 41} +static piv_obj_t piv_objects[] = { + {PIV_DATA_OBJ_X509_PIV_AUTH, 1, 0, 0, "X.509 Certificate for PIV Authentication", 0, 0, get_doa, 0}, + {PIV_DATA_OBJ_X509_CARD_AUTH, 1, 0, 0, "X.509 Certificate for Card Authentication", 0, 0, get_doa, 1}, + {PIV_DATA_OBJ_X509_DS, 1, 0, 0, "X.509 Certificate for Digital Signature", 0, 0, get_doa, 2}, + {PIV_DATA_OBJ_X509_KM, 1, 0, 0, "X.509 Certificate for Key Management", 0, 0, get_doa, 3}, + {PIV_DATA_OBJ_CCC, 1, 0, 0, "Card Capability Container", 0, 0, get_doa, 4}, + {PIV_DATA_OBJ_CHUI, 1, 0, 
0, "Card Holder Unique Identifier", 0, 0, get_doa, 5}, + {PIV_DATA_OBJ_CHF, 1, 1, 0, "Card Holder Fingerprints", 0, 0, get_doa, 6}, + {PIV_DATA_OBJ_SEC_OBJ, 1, 0, 0, "Security Object", 0, 0, get_doa, 7}, + {PIV_DATA_OBJ_CHFI, 1, 1, 0, "Cardholder Facial Images", 0, 0, get_doa, 8}, + {PIV_DATA_OBJ_PI, 1, 1, 0, "Printed Information", 0, 0, get_doa, 9}, + {PIV_DATA_OBJ_DISCOVERY, 1, 0, 0, "Discovery Object", 0, 0, get_doa, 10}, + {PIV_DATA_OBJ_HISTORY, 1, 0, 0, "Key History Object", 0, 0, get_doa, 11}, + {PIV_DATA_OBJ_RETIRED_X509_1, 1, 0, 0, "Retired X.509 Certificate for Key Management 1", 0, 0, get_doa, 12}, + {PIV_DATA_OBJ_RETIRED_X509_2, 1, 0, 0, "Retired X.509 Certificate for Key Management 2", 0, 0, get_doa, 13}, + {PIV_DATA_OBJ_RETIRED_X509_3, 1, 0, 0, "Retired X.509 Certificate for Key Management 3", 0, 0, get_doa, 14}, + {PIV_DATA_OBJ_RETIRED_X509_4, 1, 0, 0, "Retired X.509 Certificate for Key Management 4", 0, 0, get_doa, 15}, + {PIV_DATA_OBJ_RETIRED_X509_5, 1, 0, 0, "Retired X.509 Certificate for Key Management 5", 0, 0, get_doa, 16}, + {PIV_DATA_OBJ_RETIRED_X509_6, 1, 0, 0, "Retired X.509 Certificate for Key Management 6", 0, 0, get_doa, 17}, + {PIV_DATA_OBJ_RETIRED_X509_7, 1, 0, 0, "Retired X.509 Certificate for Key Management 7", 0, 0, get_doa, 18}, + {PIV_DATA_OBJ_RETIRED_X509_8, 1, 0, 0, "Retired X.509 Certificate for Key Management 8", 0, 0, get_doa, 19}, + {PIV_DATA_OBJ_RETIRED_X509_9, 1, 0, 0, "Retired X.509 Certificate for Key Management 9", 0, 0, get_doa, 20}, + {PIV_DATA_OBJ_RETIRED_X509_10, 1, 0, 0, "Retired X.509 Certificate for Key Management 10", 0, 0, get_doa, 21}, + {PIV_DATA_OBJ_RETIRED_X509_11, 1, 0, 0, "Retired X.509 Certificate for Key Management 11", 0, 0, get_doa, 22}, + {PIV_DATA_OBJ_RETIRED_X509_12, 1, 0, 0, "Retired X.509 Certificate for Key Management 12", 0, 0, get_doa, 23}, + {PIV_DATA_OBJ_RETIRED_X509_13, 1, 0, 0, "Retired X.509 Certificate for Key Management 13", 0, 0, get_doa, 24}, + {PIV_DATA_OBJ_RETIRED_X509_14, 1, 0, 0, 
"Retired X.509 Certificate for Key Management 14", 0, 0, get_doa, 25}, + {PIV_DATA_OBJ_RETIRED_X509_15, 1, 0, 0, "Retired X.509 Certificate for Key Management 15", 0, 0, get_doa, 26}, + {PIV_DATA_OBJ_RETIRED_X509_16, 1, 0, 0, "Retired X.509 Certificate for Key Management 16", 0, 0, get_doa, 27}, + {PIV_DATA_OBJ_RETIRED_X509_17, 1, 0, 0, "Retired X.509 Certificate for Key Management 17", 0, 0, get_doa, 28}, + {PIV_DATA_OBJ_RETIRED_X509_18, 1, 0, 0, "Retired X.509 Certificate for Key Management 18", 0, 0, get_doa, 29}, + {PIV_DATA_OBJ_RETIRED_X509_19, 1, 0, 0, "Retired X.509 Certificate for Key Management 19", 0, 0, get_doa, 30}, + {PIV_DATA_OBJ_RETIRED_X509_20, 1, 0, 0, "Retired X.509 Certificate for Key Management 20", 0, 0, get_doa, 31}, + {PIV_DATA_OBJ_IRIS_IMAGE, 1, 1, 0, "Cardholder Iris Images", 0, 0, get_doa, 32}, + {PIV_DATA_OBJ_BITGT, 1, 0, 0, "Biometric Information Templates Group Template", 0, 0, get_doa, 33}, + {PIV_DATA_OBJ_SM_SIGNER, 1, 0, 0, "Secure Messaging Certificate Signer", 0, 0, get_doa, 34}, + {PIV_DATA_OBJ_PC_REF_DATA, 1, 1, 0, "Pairing Code Reference Data Container", 0, 0, get_doa, 35}, + {PIV_DATA_OBJ_LAST, 1, 0, 0, "", 0, 0, NULL, 36}, + + {PIV_CERT_OBJ_X509_PIV_AUTH, 1, 0, 0, "X.509 Certificate for PIV Authentication", 0, 0, get_coa, 0}, + {PIV_CERT_OBJ_X509_CARD_AUTH, 1, 0, 0, "X.509 Certificate for Card Authentication", 0, 0, get_coa, 1}, + {PIV_CERT_OBJ_X509_DS, 1, 0, 0, "X.509 Certificate for Digital Signature", 0, 0, get_coa, 2}, + {PIV_CERT_OBJ_X509_KM, 1, 0, 0, "X.509 Certificate for Key Management", 0, 0, get_coa, 3}, + {PIV_CERT_OBJ_LAST, 1, 0, 0, "", 0, 0, get_coa, 4}, + + {PIV_PVTK_OBJ_PIV_AUTH, 1, 0, 0, "Pivate key for PIV Authentication", 0, 0, get_proa, 0}, + {PIV_PVTK_OBJ_CARD_AUTH, 1, 0, 0, "Pivate key for Card Authentication", 0, 0, get_proa, 1}, + {PIV_PVTK_OBJ_DS, 1, 0, 0, "Pivate key for Digital Signature", 0, 0, get_proa, 2}, + {PIV_PVTK_OBJ_KM, 1, 0, 0, "Private key for Key Management", 0, 0, get_proa, 3}, + 
{PIV_PVTK_OBJ_LAST, 1, 0, 0, "", 0, 0, NULL, 4}, + + {PIV_PUBK_OBJ_PIV_AUTH, 1, 0, 0, "Public key for PIV Authentication", 0, 0, get_proa, 0}, + {PIV_PUBK_OBJ_CARD_AUTH, 1, 0, 0, "Public key for Card Authentication", 0, 0, get_proa, 1}, + {PIV_PUBK_OBJ_DS, 1, 0, 0, "Public key for Digital Signature", 0, 0, get_proa, 2}, + {PIV_PUBK_OBJ_KM, 1, 0, 0, "Public key for Key Management", 0, 0, get_proa, 3}, + {PIV_PUBK_OBJ_LAST, 1, 0, 0, "", 0, 0, NULL, 4} }; static piv_data_obj_t data_objects[] = { - {"2.16.840.1.101.3.7.1.219.0", 3, "\x5F\xC1\x07", "\xDB\x00"}, - {"2.16.840.1.101.3.7.2.48.0", 3, "\x5F\xC1\x02", "\x30\x00"}, {"2.16.840.1.101.3.7.2.1.1", 3, "\x5F\xC1\x05", "\x01\x01"}, - {"2.16.840.1.101.3.7.2.96.16", 3, "\x5F\xC1\x03", "\x60\x10"}, - {"2.16.840.1.101.3.7.2.144.0", 3, "\x5F\xC1\x06", "\x90\x00"}, - {"2.16.840.1.101.3.7.2.96.48", 3, "\x5F\xC1\x08", "\x60\x30"}, {"2.16.840.1.101.3.7.2.5.0", 3, "\x5F\xC1\x01", "\x05\x00"}, {"2.16.840.1.101.3.7.2.1.0", 3, "\x5F\xC1\x0A", "\x01\x00"}, {"2.16.840.1.101.3.7.2.1.2", 3, "\x5F\xC1\x0B", "\x01\x02"}, + {"2.16.840.1.101.3.7.1.219.0", 3, "\x5F\xC1\x07", "\xDB\x00"}, + {"2.16.840.1.101.3.7.2.48.0", 3, "\x5F\xC1\x02", "\x30\x00"}, + {"2.16.840.1.101.3.7.2.96.16", 3, "\x5F\xC1\x03", "\x60\x10"}, + {"2.16.840.1.101.3.7.2.144.0", 3, "\x5F\xC1\x06", "\x90\x00"}, + {"2.16.840.1.101.3.7.2.96.48", 3, "\x5F\xC1\x08", "\x60\x30"}, {"2.16.840.1.101.3.7.2.48.1", 3, "\x5F\xC1\x09", "\x30\x01"}, {"2.16.840.1.101.3.7.2.96.80", 1, "\x7E", "\x60\x50"}, {"2.16.840.1.101.3.7.2.96.96", 3, "\x5F\xC1\x0C", "\x60\x60"}, 
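Review bot: The four `PIV_PUBK_OBJ_*` rows are wired to `get_proa`, the private-key attribute getter, although `get_puoa` is declared for exactly this purpose at the top of the hunk; they should read e.g. `{PIV_PUBK_OBJ_PIV_AUTH, 1, 0, 0, "Public key for PIV Authentication", 0, 0, get_puoa, 0},` and likewise for CARD_AUTH, DS and KM. Three of the four private-key labels are spelled `"Pivate key for …"` while the KM row says `"Private key for …"`; these strings are handed to applications through CKA_LABEL, so fix the spelling. The private-key rows also leave the `private` column (CKA_PRIVATE) at 0 whereas the biometric data objects set it to 1; CKA_PRIVATE false tells an application the object is reachable without a login, so if the token in fact requires the PIN for these keys the column should presumably be 1 — confirm and set it deliberately. `PIV_CERT_OBJ_LAST` is the only sentinel row that keeps a real getter (`get_coa`) while the other three are NULL; pick one rule so the dispatcher can rely on it.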
@@ -114,64 +107,6 @@ static piv_data_obj_t data_objects[] = { {"2.16.840.1.101.3.7.2.16.22", 2, "\x7F\x61", "\x10\x16"}, {"2.16.840.1.101.3.7.2.16.23", 3, "\x5F\xC1\x22", "\x10\x17"}, {"2.16.840.1.101.3.7.2.16.24", 3, "\x5F\xC1\x23", "\x10\x18"}, - -/* following not standard , to be used by piv-tool only for testing */ -/* {PIV_DATA_OBJ_9B03, "3DES-ECB ADM", - "2.16.840.1.101.3.7.2.9999.3", 2, "\x9B\x03", "\x9B\x03", 0},*/ - /* Only used when signing a cert req, usually from engine - * after piv-tool generated the key and saved the pub key - * to a file. Note RSA key can be 1024, 2048 or 3072 - * but still use the "9x06" name. - */ -/* {PIV_DATA_OBJ_9A06, "RSA 9A Pub key from last genkey", - "2.16.840.1.101.3.7.2.9999.20", 2, "\x9A\x06", "\x9A\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_9C06, "Pub 9C key from last genkey", - "2.16.840.1.101.3.7.2.9999.21", 2, "\x9C\x06", "\x9C\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_9D06, "Pub 9D key from last genkey", - "2.16.840.1.101.3.7.2.9999.22", 2, "\x9D\x06", "\x9D\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_9E06, "Pub 9E key from last genkey", - "2.16.840.1.101.3.7.2.9999.23", 2, "\x9E\x06", "\x9E\x06", PIV_OBJECT_TYPE_PUBKEY}, - - {PIV_DATA_OBJ_8206, "Pub 82 key ", - "2.16.840.1.101.3.7.2.9999.101", 2, "\x82\x06", "\x82\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8306, "Pub 83 key ", - "2.16.840.1.101.3.7.2.9999.102", 2, "\x83\x06", "\x83\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8406, "Pub 84 key ", - "2.16.840.1.101.3.7.2.9999.103", 2, "\x84\x06", "\x84\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8506, "Pub 85 key ", - "2.16.840.1.101.3.7.2.9999.104", 2, "\x85\x06", "\x85\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8606, "Pub 86 key ", - "2.16.840.1.101.3.7.2.9999.105", 2, "\x86\x06", "\x86\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8706, "Pub 87 key ", - "2.16.840.1.101.3.7.2.9999.106", 2, "\x87\x06", "\x87\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8806, "Pub 88 key ", - 
"2.16.840.1.101.3.7.2.9999.107", 2, "\x88\x06", "\x88\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8906, "Pub 89 key ", - "2.16.840.1.101.3.7.2.9999.108", 2, "\x89\x06", "\x89\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8A06, "Pub 8A key ", - "2.16.840.1.101.3.7.2.9999.109", 2, "\x8A\x06", "\x8A\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8B06, "Pub 8B key ", - "2.16.840.1.101.3.7.2.9999.110", 2, "\x8B\x06", "\x8B\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8C06, "Pub 8C key ", - "2.16.840.1.101.3.7.2.9999.111", 2, "\x8C\x06", "\x8C\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8D06, "Pub 8D key ", - "2.16.840.1.101.3.7.2.9999.112", 2, "\x8D\x06", "\x8D\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8E06, "Pub 8E key ", - "2.16.840.1.101.3.7.2.9999.113", 2, "\x8E\x06", "\x8E\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_8F06, "Pub 8F key ", - "2.16.840.1.101.3.7.2.9999.114", 2, "\x8F\x06", "\x8F\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_9006, "Pub 90 key ", - "2.16.840.1.101.3.7.2.9999.115", 2, "\x90\x06", "\x90\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_9106, "Pub 91 key ", - "2.16.840.1.101.3.7.2.9999.116", 2, "\x91\x06", "\x91\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_9206, "Pub 92 key ", - "2.16.840.1.101.3.7.2.9999.117", 2, "\x92\x06", "\x92\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_9306, "Pub 93 key ", - "2.16.840.1.101.3.7.2.9999.118", 2, "\x93\x06", "\x93\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_9406, "Pub 94 key ", - "2.16.840.1.101.3.7.2.9999.119", 2, "\x94\x06", "\x94\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_DATA_OBJ_9506, "Pub 95 key ", - "2.16.840.1.101.3.7.2.9999.120", 2, "\x95\x06", "\x95\x06", PIV_OBJECT_TYPE_PUBKEY},*/ {"", 0, "", ""} }; 
@@ -183,17 +118,31 @@ static piv_cert_obj_t cert_objects[] = { {0} }; +static piv_pvtk_obj_t pvtkey_objects[] = { + {0}, + {0}, + {0}, + {0}, + {0} +}; -//static const CK_ULONG n_objects = sizeof(objects) / sizeof(piv_obj_t); +static piv_pubk_obj_t pubkey_objects[] = { + {0}, + {0}, + {0}, + {0}, + {0} +}; -static void get_object_class(CK_OBJECT_HANDLE obj, CK_OBJECT_CLASS_PTR class) { + +/*static void get_object_class(CK_OBJECT_HANDLE obj, CK_OBJECT_CLASS_PTR class) { if (obj >= 0 && obj < PIV_DATA_OBJ_LAST) *class = CKO_DATA; else if (obj > PIV_DATA_OBJ_LAST && obj < PIV_CERT_OBJ_LAST) *class = CKO_CERTIFICATE; else *class = CKO_VENDOR_DEFINED | CKO_DATA; // Invalid value -} + }*/ /*static void get_object_label(CK_OBJECT_HANDLE obj, CK_UTF8CHAR_PTR label) { strcpy((char *)label, objects[obj].name); 
@@ -286,67 +235,79 @@ static void get_object_key_id(CK_OBJECT_HANDLE obj, CK_UTF8CHAR_PTR key_id) { } */ -CK_RV get_attribute(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { +/* Get data object attribute */ +CK_RV get_doa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { CK_BYTE_PTR data; CK_BYTE tmp[64]; CK_ULONG len = 0; - fprintf(stderr, "FOR OBJECT %lu, I WANT ", obj); + fprintf(stderr, "FOR DATA OBJECT %lu, I WANT ", obj); switch (template->type) { case CKA_CLASS: fprintf(stderr, "CLASS\n"); len = 1; - get_object_class(obj, (CK_OBJECT_CLASS_PTR)tmp); + tmp[0] = CKO_DATA; + data = tmp; + break; + + case CKA_TOKEN: + // Technically all these objects are token objects + fprintf(stderr, "TOKEN\n"); + len = 1; + tmp[0] = piv_objects[obj].token; data = tmp; break; -// case CKA_TOKEN: case CKA_PRIVATE: - fprintf(stderr, "PRIVATE\n"); // TODO: check more - template->ulValueLen = CK_UNAVAILABLE_INFORMATION; - return CKR_OK; + fprintf(stderr, "PRIVATE\n"); + len = 1; + tmp[0] = piv_objects[obj].private; + data = tmp; + break; case CKA_LABEL: fprintf(stderr, "LABEL\n"); - len = strlen(objects[obj].label) + 1; - data = objects[obj].label; + len = strlen(piv_objects[obj].label) + 1; + data = piv_objects[obj].label; break; case CKA_APPLICATION: fprintf(stderr, "APPLICATION\n"); - len = strlen(objects[obj].label) + 1; - data = objects[obj].label; + len = strlen(piv_objects[obj].label) + 1; + data = piv_objects[obj].label; break; -// case CKA_VALUE: // TODO: this can be done with -r and -d|-a + case CKA_VALUE: // TODO: this can be done with -r and -d|-a + fprintf(stderr, "VALUE TODO!!!\n"); + return CKR_FUNCTION_FAILED; + case CKA_OBJECT_ID: // TODO: how about just storing the OID in DER ? 
// This only makes sense for data objects fprintf(stderr, "OID\n"); - strcpy((char *)tmp, data_objects[objects[obj].sub_id].oid); + strcpy((char *)tmp, data_objects[piv_objects[obj].sub_id].oid); asn1_encode_oid(tmp, tmp, &len); data = tmp; break; - case CKA_CERTIFICATE_TYPE: - fprintf(stderr, "CERTIFICATE TYPE\n"); - len = 1; - tmp[0] = CKC_X_509; // Support only X.509 certs - data = tmp; - break; + /* case CKA_CERTIFICATE_TYPE: */ + /* fprintf(stderr, "CERTIFICATE TYPE\n"); */ + /* len = 1; */ + /* tmp[0] = CKC_X_509; // Support only X.509 certs */ + /* data = tmp; */ + /* break; */ // case CKA_ISSUER: // case CKA_SERIAL_NUMBER: - case CKA_KEY_TYPE: - fprintf(stderr, "Return the key type TODO!!!\n"); - return CKR_OK; + /* case CKA_KEY_TYPE: */ + /* fprintf(stderr, "Return the key type TODO!!!\n"); */ + /* return CKR_OK; */ /* case CKA_SUBJECT: */ - case CKA_ID: - // This only makes sense for data objects - fprintf(stderr, "ID\n"); - len = data_objects[objects[obj].sub_id].tag_len; - data = data_objects[objects[obj].sub_id].tag_value; - break; + /* case CKA_ID: */ + /* fprintf(stderr, "ID\n"); */ + /* len = data_objects[objects[obj].sub_id].tag_len; */ + /* data = data_objects[objects[obj].sub_id].tag_value; */ + /* break; */ /* case CKA_SENSITIVE: */ /* case CKA_ENCRYPT: */ 
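Review bot: In the `CKA_CLASS` case `len = 1; tmp[0] = CKO_DATA;` reports a one-byte attribute, but CK_OBJECT_CLASS is a CK_ULONG and applications compare `ulValueLen` with `sizeof(CK_OBJECT_CLASS)` and read the full value, so they see a wrong length and read bytes of `tmp` that were never written; the removed code had the same mismatch (len 1 with a full CK_OBJECT_CLASS stored) and get_coa in the following hunk repeats it with `CKO_CERTIFICATE`. Write a properly sized value: `CK_OBJECT_CLASS cls = CKO_DATA; memcpy(tmp, &cls, sizeof cls); len = sizeof cls;`. The handle `obj` indexes `piv_objects[]` and `data_objects[]` directly with no bound check; if the range check lives in the dispatcher that reads `piv_objects[obj].get_attribute`, say so at the top of get_doa (`/* obj has been range-checked by the caller */`), otherwise add it here. `strcpy((char *)tmp, data_objects[...].oid)` into the 64-byte `tmp` relies on every OID in the table staying short; `snprintf((char *)tmp, sizeof tmp, "%s", ...)` bounds it at no cost. get_doa's switch continues into the next hunk and the function ends there.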
@@ -381,28 +342,511 @@ CK_RV get_attribute(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { case CKA_MODIFIABLE: fprintf(stderr, "MODIFIABLE\n"); len = 1; - tmp[0] = CK_FALSE; + tmp[0] = piv_objects[obj].modifiable; data = tmp; break; - case CKA_VENDOR_DEFINED: + /* case CKA_VENDOR_DEFINED: */ default: fprintf(stderr, "UNKNOWN ATTRIBUTE!!!!! %lx\n", template[0].type); template->ulValueLen = CK_UNAVAILABLE_INFORMATION; return CKR_ATTRIBUTE_TYPE_INVALID; } - if (template->pValue == NULL_PTR) { - template->ulValueLen = len; // TODO: define? - return CKR_OK; - } - - if (template->ulValueLen < len) - return CKR_BUFFER_TOO_SMALL; - - template->ulValueLen = len; - memcpy(template->pValue, data, len); - + /* Just get the length */ + if (template->pValue == NULL_PTR) { + template->ulValueLen = len; // TODO: define? return CKR_OK; + } + + /* Actually get the attribute */ + if (template->ulValueLen < len) + return CKR_BUFFER_TOO_SMALL; + + template->ulValueLen = len; + memcpy(template->pValue, data, len); + + return CKR_OK; } + +/* Get certificate object attribute */ +CK_RV get_coa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { + CK_BYTE_PTR data; + CK_BYTE tmp[64]; + CK_ULONG len = 0; + fprintf(stderr, "FOR CERTIFICATE OBJECT %lu, I WANT ", obj); + + switch (template->type) { // TODO: is this needed here? or is it enough ot have one a "level" above? 
+ case CKA_CLASS: + fprintf(stderr, "CLASS\n"); + len = 1; + tmp[0] = CKO_CERTIFICATE; + data = tmp; + break; + + case CKA_TOKEN: + // Technically all these objects are token objects + fprintf(stderr, "TOKEN\n"); + len = 1; + tmp[0] = piv_objects[obj].token; + data = tmp; + break; + + case CKA_PRIVATE: + fprintf(stderr, "PRIVATE\n"); + len = 1; + tmp[0] = piv_objects[obj].private; + data = tmp; + break; + + case CKA_LABEL: + fprintf(stderr, "LABEL\n"); + len = strlen(piv_objects[obj].label) + 1; + data = piv_objects[obj].label; + break; + + /* case CKA_APPLICATION: */ + /* fprintf(stderr, "APPLICATION\n"); */ + /* len = strlen(objects[obj].label) + 1; */ + /* data = objects[obj].label; */ + /* break; */ + + case CKA_VALUE: + fprintf(stderr, "VALUE TODO\n"); + return CKR_FUNCTION_FAILED; + + /* case CKA_OBJECT_ID: // TODO: how about just storing the OID in DER ? */ + /* // This only makes sense for data objects */ + /* fprintf(stderr, "OID\n"); */ + /* strcpy((char *)tmp, certificate_objects[objects[obj].sub_id].oid); */ + /* asn1_encode_oid(tmp, tmp, &len); */ + /* data = tmp; */ + /* break; */ + + case CKA_CERTIFICATE_TYPE: + fprintf(stderr, "CERTIFICATE TYPE\n"); + len = 1; + tmp[0] = CKC_X_509; // Support only X.509 certs + data = tmp; + break; + + case CKA_ISSUER: + fprintf(stderr, "ISSUER TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + case CKA_SERIAL_NUMBER: + fprintf(stderr, "SERIAL NUMBER TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + /* case CKA_KEY_TYPE: */ + /* fprintf(stderr, "Return the key type TODO!!!\n"); */ + /* return CKR_OK; */ + + case CKA_SUBJECT: + fprintf(stderr, "SUBJECT TODO\n"); // Required + return CKR_FUNCTION_FAILED; + + case CKA_ID: + fprintf(stderr, "ID\n"); + len = 1; + tmp[0] = piv_objects[obj].sub_id; + data = tmp; + break; + + /* case CKA_SENSITIVE: */ + /* case CKA_ENCRYPT: */ + /* case CKA_DECRYPT: */ + /* case CKA_WRAP: */ + /* case CKA_UNWRAP: */ + /* case CKA_SIGN: */ + /* case CKA_SIGN_RECOVER: */ 
+ /* case CKA_VERIFY: */ + /* case CKA_VERIFY_RECOVER: */ + /* case CKA_DERIVE: */ + case CKA_START_DATE: + fprintf(stderr, "START DATE TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + case CKA_END_DATE: + fprintf(stderr, "END DATE TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + /* case CKA_MODULUS: */ + /* case CKA_MODULUS_BITS: */ + /* case CKA_PUBLIC_EXPONENT: */ + /* case CKA_PRIVATE_EXPONENT: */ + /* case CKA_PRIME_1: */ + /* case CKA_PRIME_2: */ + /* case CKA_EXPONENT_1: */ + /* case CKA_EXPONENT_2: */ + /* case CKA_COEFFICIENT: */ + /* case CKA_PRIME: */ + /* case CKA_SUBPRIME: */ + /* case CKA_BASE: */ + /* case CKA_VALUE_BITS: */ + /* case CKA_VALUE_LEN: */ + /* case CKA_EXTRACTABLE: */ + /* case CKA_LOCAL: */ + /* case CKA_NEVER_EXTRACTABLE: */ + /* case CKA_ALWAYS_SENSITIVE: */ + case CKA_MODIFIABLE: + fprintf(stderr, "MODIFIABLE\n"); + len = 1; + tmp[0] = piv_objects[obj].modifiable; + data = tmp; + break; + + /* case CKA_VENDOR_DEFINED: */ + default: // TODO: there are other attributes for a (x509) certificate + fprintf(stderr, "UNKNOWN ATTRIBUTE!!!!! %lx\n", template[0].type); + template->ulValueLen = CK_UNAVAILABLE_INFORMATION; + return CKR_ATTRIBUTE_TYPE_INVALID; + } + + /* Just get the length */ + if (template->pValue == NULL_PTR) { + template->ulValueLen = len; // TODO: define? 
+ return CKR_OK; + } + + /* Actually get the attribute */ + if (template->ulValueLen < len) + return CKR_BUFFER_TOO_SMALL; + + template->ulValueLen = len; + memcpy(template->pValue, data, len); + + return CKR_OK; + +} + +/* Get private key object attribute */ +CK_RV get_proa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { + CK_BYTE_PTR data; + CK_BYTE tmp[64]; + CK_ULONG len = 0; + fprintf(stderr, "FOR PRIVATE KEY OBJECT %lu, I WANT ", obj); + + switch (template->type) { + case CKA_CLASS: + fprintf(stderr, "CLASS\n"); + len = 1; + tmp[0] = CKO_PRIVATE_KEY; + data = tmp; + break; + + case CKA_TOKEN: + // Technically all these objects are token objects + fprintf(stderr, "TOKEN\n"); + len = 1; + tmp[0] = piv_objects[obj].token; + data = tmp; + break; + + case CKA_PRIVATE: + fprintf(stderr, "PRIVATE\n"); + len = 1; + tmp[0] = piv_objects[obj].private; + data = tmp; + break; + + case CKA_LABEL: + fprintf(stderr, "LABEL\n"); + len = strlen(piv_objects[obj].label) + 1; + data = piv_objects[obj].label; + break; + + /* case CKA_APPLICATION: */ + /* fprintf(stderr, "APPLICATION\n"); */ + /* len = strlen(objects[obj].label) + 1; */ + /* data = objects[obj].label; */ + /* break; */ + +// case CKA_VALUE: // TODO: this can be done with -r and -d|-a + /* case CKA_OBJECT_ID: // TODO: how about just storing the OID in DER ? 
*/ + /* // This only makes sense for data objects */ + /* fprintf(stderr, "OID\n"); */ + /* strcpy((char *)tmp, pvtkey_objects[objects[obj].sub_id].oid); */ + /* asn1_encode_oid(tmp, tmp, &len); */ + /* data = tmp; */ + /* break; */ + + /* case CKA_CERTIFICATE_TYPE: */ + /* fprintf(stderr, "CERTIFICATE TYPE\n"); */ + /* len = 1; */ + /* tmp[0] = CKC_X_509; // Support only X.509 certs */ + /* data = tmp; */ + /* break; */ + +// case CKA_ISSUER: +// case CKA_SERIAL_NUMBER: + case CKA_KEY_TYPE: + fprintf(stderr, "KEY TYPE TODO\n"); + return CKR_FUNCTION_FAILED; + + case CKA_SUBJECT: + fprintf(stderr, "SUBJECT TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + case CKA_ID: + fprintf(stderr, "ID\n"); + len = 1; + tmp[0] = piv_objects[obj].sub_id; + data = tmp; + break; + + case CKA_SENSITIVE: + fprintf(stderr, "SENSITIVE TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + /* case CKA_ENCRYPT: */ + case CKA_DECRYPT: + fprintf(stderr, "DECRYPT TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + /* case CKA_WRAP: */ + case CKA_UNWRAP: + fprintf(stderr, "UNWRAP TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + case CKA_SIGN: + fprintf(stderr, "SIGN TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + case CKA_SIGN_RECOVER: + fprintf(stderr, "SIGN RECOVER TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + /* case CKA_VERIFY: */ + /* case CKA_VERIFY_RECOVER: */ + case CKA_DERIVE: + fprintf(stderr, "DERIVE TODO\n"); // Default false + return CKR_FUNCTION_FAILED; + + case CKA_START_DATE: + fprintf(stderr, "START DATE TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + case CKA_END_DATE: + fprintf(stderr, "END DATE TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + /* case CKA_MODULUS: */ + /* case CKA_MODULUS_BITS: */ + /* case CKA_PUBLIC_EXPONENT: */ + /* case CKA_PRIVATE_EXPONENT: */ + /* case CKA_PRIME_1: */ + /* case CKA_PRIME_2: */ + /* case CKA_EXPONENT_1: */ + /* case CKA_EXPONENT_2: */ + /* case 
CKA_COEFFICIENT: */ + /* case CKA_PRIME: */ + /* case CKA_SUBPRIME: */ + /* case CKA_BASE: */ + /* case CKA_VALUE_BITS: */ + /* case CKA_VALUE_LEN: */ + /* case CKA_EXTRACTABLE: */ + case CKA_LOCAL: + fprintf(stderr, "LOCAL TODO\n"); // Required + return CKR_FUNCTION_FAILED; + + /* case CKA_NEVER_EXTRACTABLE: */ + /* case CKA_ALWAYS_SENSITIVE: */ + case CKA_MODIFIABLE: + fprintf(stderr, "MODIFIABLE\n"); + len = 1; + tmp[0] = piv_objects[obj].modifiable; + data = tmp; + break; + + /*case CKA_VENDOR_DEFINED:*/ + default: + fprintf(stderr, "UNKNOWN ATTRIBUTE!!!!! %lx\n", template[0].type); // TODO: there are other parameters for public keys, plus there is more if the key is RSA + template->ulValueLen = CK_UNAVAILABLE_INFORMATION; + return CKR_ATTRIBUTE_TYPE_INVALID; + } + + /* Just get the length */ + if (template->pValue == NULL_PTR) { + template->ulValueLen = len; // TODO: define? + return CKR_OK; + } + + /* Actually get the attribute */ + if (template->ulValueLen < len) + return CKR_BUFFER_TOO_SMALL; + + template->ulValueLen = len; + memcpy(template->pValue, data, len); + + return CKR_OK; + +} + +/* Get public key object attribute */ +CK_RV get_puoa(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { + CK_BYTE_PTR data; + CK_BYTE tmp[64]; + CK_ULONG len = 0; + fprintf(stderr, "FOR PUBLIC KEY OBJECT %lu, I WANT ", obj); + + switch (template->type) { + case CKA_CLASS: + fprintf(stderr, "CLASS\n"); + len = 1; + tmp[0] = CKO_PUBLIC_KEY; + data = tmp; + break; + + case CKA_TOKEN: + // Technically all these objects are token objects + fprintf(stderr, "TOKEN\n"); + len = 1; + tmp[0] = piv_objects[obj].token; + data = tmp; + break; + + case CKA_PRIVATE: + fprintf(stderr, "PRIVATE\n"); + len = 1; + tmp[0] = piv_objects[obj].private; + data = tmp; + break; + + case CKA_LABEL: + fprintf(stderr, "LABEL\n"); + len = strlen(piv_objects[obj].label) + 1; + data = piv_objects[obj].label; + break; + + /* case CKA_APPLICATION: */ + /* fprintf(stderr, "APPLICATION\n"); */ + /* len = 
strlen(objects[obj].label) + 1; */ + /* data = objects[obj].label; */ + /* break; */ + +// case CKA_VALUE: // TODO: this can be done with -r and -d|-a + /* case CKA_OBJECT_ID: // TODO: how about just storing the OID in DER ? */ + /* // This only makes sense for data objects */ + /* fprintf(stderr, "OID\n"); */ + /* strcpy((char *)tmp, pubkey_objects[objects[obj].sub_id].oid); */ + /* asn1_encode_oid(tmp, tmp, &len); */ + /* data = tmp; */ + /* break; */ + + /* case CKA_CERTIFICATE_TYPE: */ + /* fprintf(stderr, "CERTIFICATE TYPE\n"); */ + /* len = 1; */ + /* tmp[0] = CKC_X_509; // Support only X.509 certs */ + /* data = tmp; */ + /* break; */ + +// case CKA_ISSUER: +// case CKA_SERIAL_NUMBER: + case CKA_KEY_TYPE: + fprintf(stderr, "KEY TYPE TODO\n"); + return CKR_FUNCTION_FAILED; + + case CKA_SUBJECT: + fprintf(stderr, "SUBJECT TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + case CKA_ID: + fprintf(stderr, "ID\n"); + len = 1; + tmp[0] = piv_objects[obj].sub_id; + data = tmp; + break; + + /* case CKA_SENSITIVE: */ + case CKA_ENCRYPT: + fprintf(stderr, "ENCRYPT TODO\n"); // Required + return CKR_FUNCTION_FAILED; + + case CKA_DECRYPT: + fprintf(stderr, "DECRYPT TODO\n"); // Required + return CKR_FUNCTION_FAILED; + + case CKA_WRAP: + fprintf(stderr, "WRAP TODO\n"); // Required + return CKR_FUNCTION_FAILED; + + /* case CKA_UNWRAP: */ + /* case CKA_SIGN: */ + /* case CKA_SIGN_RECOVER: */ + /* case CKA_VERIFY: */ + /* case CKA_VERIFY_RECOVER: */ + case CKA_DERIVE: + fprintf(stderr, "DERIVE TODO\n"); // Defaul false + return CKR_FUNCTION_FAILED; + + case CKA_START_DATE: + fprintf(stderr, "START DATE TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + + case CKA_END_DATE: + fprintf(stderr, "END DATE TODO\n"); // Default empty + return CKR_FUNCTION_FAILED; + /* case CKA_MODULUS: */ + /* case CKA_MODULUS_BITS: */ + /* case CKA_PUBLIC_EXPONENT: */ + /* case CKA_PRIVATE_EXPONENT: */ + /* case CKA_PRIME_1: */ + /* case CKA_PRIME_2: */ + /* case CKA_EXPONENT_1: 
*/ + /* case CKA_EXPONENT_2: */ + /* case CKA_COEFFICIENT: */ + /* case CKA_PRIME: */ + /* case CKA_SUBPRIME: */ + /* case CKA_BASE: */ + /* case CKA_VALUE_BITS: */ + /* case CKA_VALUE_LEN: */ + /* case CKA_EXTRACTABLE: */ + case CKA_LOCAL: + fprintf(stderr, "LOCAL TODO\n"); // Required + return CKR_FUNCTION_FAILED; + + /* case CKA_NEVER_EXTRACTABLE: */ + /* case CKA_ALWAYS_SENSITIVE: */ + case CKA_MODIFIABLE: + fprintf(stderr, "MODIFIABLE\n"); + len = 1; + tmp[0] = piv_objects[obj].modifiable; + data = tmp; + break; + + /* case CKA_VENDOR_DEFINED: */ + default: + fprintf(stderr, "UNKNOWN ATTRIBUTE!!!!! %lx\n", template[0].type); // TODO: there are other parameters for public keys + template->ulValueLen = CK_UNAVAILABLE_INFORMATION; + return CKR_ATTRIBUTE_TYPE_INVALID; + } + + /* Just get the length */ + if (template->pValue == NULL_PTR) { + template->ulValueLen = len; // TODO: define? + return CKR_OK; + } + + /* Actually get the attribute */ + if (template->ulValueLen < len) + return CKR_BUFFER_TOO_SMALL; + + template->ulValueLen = len; + memcpy(template->pValue, data, len); + + return CKR_OK; + +} + +CK_RV get_attribute(ykcs11_session_t *s, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { + CK_ULONG i; + + for (i = 0; i < s->slot->token->n_objects; i++) + if (s->slot->token->objects[i] == obj) { + return piv_objects[obj].get_attribute(obj, template); + } + + + return CKR_OBJECT_HANDLE_INVALID; +} diff --git a/ykcs11/objects.h b/ykcs11/objects.h index e7539ea..439361e 100644 --- a/ykcs11/objects.h +++ b/ykcs11/objects.h @@ -1,12 +1,10 @@ #ifndef OBJECTS_H #define OBJECTS_H -#include "pkcs11t.h" -#include "obj_types.h" +#include "ykcs11.h" #include // TODO: delete -CK_RV get_attribute(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); -//CK_RV get_object_class(CK_OBJECT_HANDLE obj, CK_OBJECT_CLASS_PTR class); +CK_RV get_attribute(ykcs11_session_t *s, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template); #endif 
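Review bot: In get_proa, CKA_SENSITIVE answers CKR_FUNCTION_FAILED and CKA_EXTRACTABLE/CKA_ALWAYS_SENSITIVE/CKA_NEVER_EXTRACTABLE fall through to the `default:` CKR_ATTRIBUTE_TYPE_INVALID, so an application cannot learn that these keys never leave the device and may treat them as exportable. Presumably the PIV applet offers no private-key export, in which case CKA_SENSITIVE and CKA_NEVER_EXTRACTABLE can be answered as constants (`tmp[0] = CK_TRUE;`) the same way CKA_MODIFIABLE is, and CKA_EXTRACTABLE as `CK_FALSE` — confirm against the token's key-import policy before hard-coding CKA_ALWAYS_SENSITIVE, which is only true for keys generated on the card. The length-query/copy tail is repeated verbatim in get_doa, get_coa, get_proa and get_puoa; a single `static CK_RV copy_attribute(CK_ATTRIBUTE_PTR template, const CK_BYTE *data, CK_ULONG len)` would keep the CKR_BUFFER_TOO_SMALL handling in one place. In the new get_attribute dispatcher, `s`, `s->slot` and `s->slot->token` are dereferenced with no NULL check; a guard returning CKR_SESSION_HANDLE_INVALID would make it safe to call from anywhere other than the static-session callers in ykcs11.c.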
diff --git a/ykcs11/token_vendors.h b/ykcs11/token_vendors.h
index 16b070e..a57a6cd 100644
--- a/ykcs11/token_vendors.h
+++ b/ykcs11/token_vendors.h
@@ -3,7 +3,7 @@
 #include "pkcs11.h"
 #include "vendor_ids.h"
-#include "objects.h"
+#include "obj_types.h"
 #include
 typedef CK_RV (*get_t_label_f)(CK_UTF8CHAR_PTR, CK_ULONG);
diff --git a/ykcs11/utils.c b/ykcs11/utils.c
index 13ee44e..09fdc55 100644
--- a/ykcs11/utils.c
+++ b/ykcs11/utils.c
@@ -90,7 +90,7 @@ failure:
 return CKR_FUNCTION_FAILED;
 }
-
+#include // TODO: Delete
 CK_RV create_token(CK_BYTE_PTR p, ykcs11_slot_t *slot) {
 token_vendor_t token;
diff --git a/ykcs11/utils.h b/ykcs11/utils.h
index 6190913..5bcb8db 100644
--- a/ykcs11/utils.h
+++ b/ykcs11/utils.h
@@ -8,4 +8,5 @@ CK_RV parse_readers(const CK_BYTE_PTR readers, const CK_ULONG len, ykcs11_slot_t *slots, CK_ULONG_PTR n_slots, CK_ULONG_PTR n_with_token);
 CK_RV create_token(CK_BYTE_PTR p, ykcs11_slot_t *slot);
 void destroy_token(ykcs11_slot_t *slot);
+
 #endif
diff --git a/ykcs11/ykcs11.c b/ykcs11/ykcs11.c
index 40a237d..46faef9 100644
--- a/ykcs11/ykcs11.c
+++ b/ykcs11/ykcs11.c
@@ -1,11 +1,12 @@
 #include "ykcs11.h"
-#include "pkcs11.h"
+//#include "pkcs11.h"
 #include
 #include
 #include
 #include
-//#include "vendors.h"
+#include "obj_types.h"
 #include "utils.h"
+#include "mechanisms.h"
 #define D(x) do { \
 printf ("debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \
@@ -14,7 +15,7 @@
 } while (0)
 #define YKCS11_DBG 1 // General debug, must be either 1 or 0
-#define YKCS11_DINOUT 1 // Function in/out debug, must be either 1 or 0
+#define YKCS11_DINOUT 0 // Function in/out debug, must be either 1 or 0
 #define YKCS11_MANUFACTURER "Yubico (www.yubico.com)"
 #define YKCS11_LIBDESC "PKCS#11 PIV Library (SP-800-73)"
@@ -218,8 +219,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetSlotInfo)(
 {
 DIN;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (slotID >= n_slots)
 return CKR_ARGUMENTS_BAD;
@@ -240,8 +243,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetTokenInfo)(
 token_vendor_t token;
 CK_BYTE buf[64];
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (slotID >= n_slots)
 return CKR_ARGUMENTS_BAD;
@@ -429,8 +434,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_OpenSession)(
 token_vendor_t token;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (slotID >= n_slots || phSession == NULL)
 return CKR_ARGUMENTS_BAD;
@@ -514,8 +521,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_CloseSession)(
 {
 DIN;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (session.handle == CK_INVALID_HANDLE) {
 DBG(("There is no existing session"));
@@ -544,8 +553,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_CloseAllSessions)(
 DIN;
 CK_RV rv;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (session.slot != slots + slotID)
 return CKR_SLOT_ID_INVALID;
@@ -563,8 +574,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetSessionInfo)(
 {
 DIN;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (pInfo == NULL)
 return CKR_ARGUMENTS_BAD;
@@ -614,8 +627,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_Login)(
 DIN;
 CK_ULONG tries;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (userType != CKU_USER &&
 userType != CKU_SO &&
@@ -736,9 +751,12 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValue)(
 )
 {
 DIN;
+ CK_RV rv;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (session.handle != YKCS11_SESSION_ID)
 return CKR_SESSION_CLOSED;
@@ -754,14 +772,19 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValue)(
 if (pTemplate[0].pValue == NULL_PTR) {
 DBG(("Just get size"));
- get_attribute(hObject, pTemplate); // TODO: get attribute size
+ rv = get_attribute(&session, hObject, pTemplate);
+
+ if (rv != CKR_OK) {
+ DBG(("Unable to get size for attribute %lu of object %lu", pTemplate->type, hObject));
+ }
 DOUT;
 return CKR_OK;
 }
- DBG(("Trying to get %lu attributes for object %lx", ulCount, hObject));
+ DBG(("Trying to get %lu attribute(s) for object %lu", ulCount, hObject));
 DBG(("Type: 0x%lx Value: %lu Len: %lu", pTemplate[0].type, *((CK_ULONG_PTR)pTemplate[0].pValue), pTemplate[0].ulValueLen));
- // TODO: here for i in ulCount
- return get_attribute(hObject, pTemplate);
+ // TODO: here for i in ulCount (get all the attributes)
+
+ return get_attribute(&session, hObject, pTemplate);
 DOUT;
 return CKR_OK;
@@ -788,10 +811,11 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)(
 {
 DIN;
 CK_ULONG i;
- //token_vendor_t token;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (session.handle != YKCS11_SESSION_ID)
 return CKR_SESSION_CLOSED;
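Review bot: In the size-only path of C_GetAttributeValue, `rv` from get_attribute is only logged and the function still falls through to `return CKR_OK;`, so a length query for an attribute the getter rejects is reported as success with whatever `ulValueLen` holds; change that tail to `DOUT; return rv;`. Further down, `DOUT; return CKR_OK;` after `return get_attribute(&session, hObject, pTemplate);` is unreachable, so DOUT is never emitted on that path — assign to `rv` first, then `DOUT; return rv;`. The context-line DBG that prints `*((CK_ULONG_PTR)pTemplate[0].pValue)` reads a CK_ULONG from the caller's buffer before the getter has filled it and regardless of `ulValueLen`, which over-reads for the one-byte CK_BBOOL attributes (CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE) the getters serve; print only `type` and `ulValueLen` there. Only `pTemplate[0]` is processed, as the `// TODO: here for i in ulCount` comment already records.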
@@ -833,8 +857,9 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)(
 }
 // TODO: do it properly here, jsut a test now
+ //find_obj.objects = session.slot->token->objects + 3;
+ memmove(find_obj.objects, find_obj.objects + 3, sizeof(piv_obj_id_t) * (find_obj.num - 3));
 find_obj.num = 1;
- find_obj.objects = session.slot->token->objects + 3;
 DOUT;
 return CKR_OK;
@@ -849,8 +874,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjects)(
 {
 DIN;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (session.handle != YKCS11_SESSION_ID)
 return CKR_SESSION_CLOSED;
@@ -889,8 +916,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsFinal)(
 {
 DIN;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (session.handle != YKCS11_SESSION_ID)
 return CKR_SESSION_CLOSED;
@@ -1082,8 +1111,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit)(
 {
 DIN;
- if (piv_state == NULL)
+ if (piv_state == NULL) {
+ DBG(("libykpiv is not initialized or already finalized"));
 return CKR_CRYPTOKI_NOT_INITIALIZED;
+ }
 if (session.handle != YKCS11_SESSION_ID)
 return CKR_SESSION_CLOSED;
@@ -1095,11 +1126,15 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit)(
 hKey == NULL_PTR)
 return CKR_ARGUMENTS_BAD;
- DBG(("Trying to sign some data with mechanism %lu and key %lu more", pMechanism->mechanism, hKey));
+ DBG(("Trying to sign some data with mechanism %lu and key %lu", pMechanism->mechanism, hKey));
- if (check_sign_mechanism(pMechanism, hKey) == CK_FALSE) // TODO: do we need session here?
+ if (check_sign_mechanism(&session, pMechanism) != CKR_OK) {
+ DBG(("Mechanism %lu is not supported either by the token or the slot", pMechanism->mechanism));
 return CKR_MECHANISM_INVALID;
+ }
+
+ sign_info.active = CK_TRUE;
 memcpy(&sign_info.mechanism, pMechanism, sizeof(CK_MECHANISM));
 sign_info.key = hKey;
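Review bot: The new `memmove(find_obj.objects, find_obj.objects + 3, sizeof(piv_obj_id_t) * (find_obj.num - 3));` in C_FindObjectsInit has no check that `find_obj.num >= 3`; `num` is used as an unsigned count, so a token exposing fewer than three objects wraps the size to a huge value and the memmove writes far past the buffer. If `find_obj.objects` still points at `session.slot->token->objects`, as the removed assignment did, the memmove also rewrites the token's own object table in place, which every later handle lookup that scans `token->objects` then sees. Guard it with `if (find_obj.num < 3) return CKR_FUNCTION_FAILED;` and copy the selected ids into a find-specific buffer rather than shifting the shared table; the `// TODO: do it properly` comment already marks this as temporary. The function begins before this hunk.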
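Review bot: In C_SignInit, `sign_info.key = hKey;` stores the handle after only the `hKey == NULL_PTR` check, and since the key argument was dropped from the check_sign_mechanism call in this hunk, nothing here confirms that hKey names an object of this session's token, that it is a private key, or that its key type fits the chosen mechanism (an RSA mechanism against an EC key). A lookup through the same `session.slot->token->objects` list get_attribute scans, returning CKR_KEY_HANDLE_INVALID when absent and CKR_KEY_TYPE_INCONSISTENT on a mismatch, would close that before the operation is armed. `sign_info.active = CK_TRUE;` is set before the remaining initialisation, so any later failure in this function (its body continues past the hunk) leaves a half-initialised operation marked active; set it last, on the success path.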
diff --git a/ykcs11/ykcs11.h b/ykcs11/ykcs11.h
index 0814875..2c9f644 100644
--- a/ykcs11/ykcs11.h
+++ b/ykcs11/ykcs11.h
@@ -2,6 +2,7 @@
 #define YKCS11_H
 #include "pkcs11t.h"
+#include "obj_types.h"
 #include "vendors.h"
 typedef struct {
diff --git a/ykcs11/yubico_token.c b/ykcs11/yubico_token.c
index d86dc17..3f0be65 100644
--- a/ykcs11/yubico_token.c
+++ b/ykcs11/yubico_token.c
@@ -63,15 +63,15 @@ static const CK_MECHANISM_INFO token_mechanism_infos[] = { // KEEP ALIGNED WITH
 };
 static const piv_obj_id_t token_objects[] = { // TODO: is there a way to get this from the token?
- PIV_DATA_OBJ_CCC, // Card capability container
- PIV_DATA_OBJ_CHUI, // Cardholder unique id
 PIV_DATA_OBJ_X509_PIV_AUTH, // PIV authentication
- PIV_DATA_OBJ_CHF, // Cardholder fingerprints
- PIV_DATA_OBJ_SEC_OBJ, // Security object
- PIV_DATA_OBJ_CHFI, // Cardholder facial images
 PIV_DATA_OBJ_X509_CARD_AUTH, // Certificate for card authentication
 PIV_DATA_OBJ_X509_DS, // Certificate for digital signature
 PIV_DATA_OBJ_X509_KM, // Certificate for key management
+ PIV_DATA_OBJ_CCC, // Card capability container
+ PIV_DATA_OBJ_CHUI, // Cardholder unique id
+ PIV_DATA_OBJ_CHF, // Cardholder fingerprints
+ PIV_DATA_OBJ_SEC_OBJ, // Security object
+ PIV_DATA_OBJ_CHFI, // Cardholder facial images
 //PIV_DATA_OBJ_PI, // Cardholder printed information
 //PIV_DATA_OBJ_DISCOVERY, // Discovery object
 //PIV_DATA_OBJ_HISTORY, // History object
@@ -193,7 +193,7 @@ CK_RV YUBICO_get_token_mechanism_list(CK_MECHANISM_TYPE_PTR mec, CK_ULONG num) {
 memcpy(mec, token_mechanisms, token_mechanisms_num * sizeof(CK_MECHANISM_TYPE));
 return CKR_OK;
-
+
 }
 CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_PTR info) {
@@ -205,9 +205,9 @@ CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_P
 memcpy((CK_BYTE_PTR) info, (CK_BYTE_PTR) (token_mechanism_infos + i), sizeof(CK_MECHANISM_INFO));
 return CKR_OK;
 }
-
+
 return CKR_MECHANISM_INVALID;
-
+
 }
 #include // TODO: delete
 static CK_RV get_objects(ykpiv_state *state, CK_BBOOL num_only, piv_obj_id_t *obj, CK_ULONG_PTR len) {
@@ -215,6 +215,8 @@ static CK_RV get_objects(ykpiv_state *state, CK_BBOOL num_only, piv_obj_id_t *ob
 CK_ULONG buf_len;
 piv_obj_id_t certs[4];
+ piv_obj_id_t pvtkeys[4];
+ piv_obj_id_t pubkeys[4];
 CK_ULONG n_cert = 0;
 if (state == NULL || len == NULL_PTR)
@@ -222,51 +224,64 @@ static CK_RV get_objects(ykpiv_state *state, CK_BBOOL num_only, piv_obj_id_t *ob
 if (num_only == CK_FALSE && obj == NULL)
 return CKR_ARGUMENTS_BAD;
-
+
 buf_len = sizeof(buf);
 if (ykpiv_fetch_object(state, YKPIV_OBJ_AUTHENTICATION, buf, &buf_len) == YKPIV_OK) {
+ certs[n_cert] = PIV_CERT_OBJ_X509_PIV_AUTH;
+ pvtkeys[n_cert] = PIV_PVTK_OBJ_PIV_AUTH;
+ pubkeys[n_cert] = PIV_PUBK_OBJ_PIV_AUTH;
 n_cert++;
- certs[0] = PIV_CERT_OBJ_X509_PIV_AUTH;
 fprintf(stderr, "Found AUTH cert (9a)\n");
 }
 buf_len = sizeof(buf);
- if (ykpiv_fetch_object(state, YKPIV_OBJ_SIGNATURE, buf, &buf_len) == YKPIV_OK) {
+ if (ykpiv_fetch_object(state, YKPIV_OBJ_CARD_AUTH, buf, &buf_len) == YKPIV_OK) {
+ certs[n_cert] = PIV_CERT_OBJ_X509_CARD_AUTH;
+ pvtkeys[n_cert] = PIV_PVTK_OBJ_CARD_AUTH;
+ pubkeys[n_cert] = PIV_PUBK_OBJ_CARD_AUTH;
+ n_cert++;
+ fprintf(stderr, "Found CARD AUTH cert (9e)\n");
+ }
+
+ buf_len = sizeof(buf);
+ if (ykpiv_fetch_object(state, YKPIV_OBJ_SIGNATURE, buf, &buf_len) == YKPIV_OK) {
+ certs[n_cert] = PIV_CERT_OBJ_X509_DS;
+ pvtkeys[n_cert] = PIV_PVTK_OBJ_DS;
+ pubkeys[n_cert] = PIV_PUBK_OBJ_DS;
 n_cert++;
- certs[1] = PIV_CERT_OBJ_X509_DS;
 fprintf(stderr, "Found SIGNATURE cert (9c)\n");
 }
 buf_len = sizeof(buf);
 if (ykpiv_fetch_object(state, YKPIV_OBJ_KEY_MANAGEMENT, buf, &buf_len) == YKPIV_OK) {
+ certs[n_cert] = PIV_CERT_OBJ_X509_KM;
+ pvtkeys[n_cert] = PIV_PVTK_OBJ_KM;
+ pubkeys[n_cert] = PIV_PUBK_OBJ_KM;
 n_cert++;
- certs[2] = PIV_CERT_OBJ_X509_KM;
 fprintf(stderr, "Found KMK cert (9d)\n");
 }
- buf_len = sizeof(buf);
- if (ykpiv_fetch_object(state, YKPIV_OBJ_CARD_AUTH, buf, &buf_len) == YKPIV_OK) {
- n_cert++;
- certs[3] = PIV_CERT_OBJ_X509_CARD_AUTH;
- fprintf(stderr, "Found CARD AUTH cert (9e)\n");
- }
+ fprintf(stderr, "The total number of objects for this token is %lu\n", (n_cert * 3) + token_objects_num);
- fprintf(stderr, "The total number of objects for this token is %lu\n", n_cert + token_objects_num);
-
 if (num_only == CK_TRUE) { // We just want the number of objects
- *len = n_cert + token_objects_num;
+ // Each cert object counts for 3: cert, pub key, pvt key
+ *len = (n_cert * 3) + token_objects_num;
 return CKR_OK;
 }
- if (*len < n_cert + token_objects_num)
+ if (*len < (n_cert * 3) + token_objects_num)
 return CKR_BUFFER_TOO_SMALL;
 // Copy mandatory data objects
 memcpy(obj, token_objects, token_objects_num * sizeof(piv_obj_id_t));
 // Copy certificates
- memcpy(obj + token_objects_num, certs, n_cert * sizeof(piv_obj_id_t));
+ if (n_cert > 0) {
+ memcpy(obj + token_objects_num, certs, n_cert * sizeof(piv_obj_id_t));
+ memcpy(obj + token_objects_num + n_cert, pvtkeys, n_cert * sizeof(piv_obj_id_t));
+ memcpy(obj + token_objects_num + (2 * n_cert), pubkeys, n_cert * sizeof(piv_obj_id_t));
+ }
 return CKR_OK;
 }
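Review bot: Each of the four `if (ykpiv_fetch_object(...) == YKPIV_OK)` blocks treats every non-OK result as "this slot has no certificate", so a transport or applet error in the middle of enumeration silently yields a token with fewer objects instead of an error the caller can see; if libykpiv distinguishes an absent object from a communication failure, only the former should be skipped and the latter should return CKR_DEVICE_ERROR. The private- and public-key objects are added purely because the slot's certificate object was fetched; that inference (cert present ⇒ key pair present) is presumably what the PIV applet allows you to observe, and deserves a comment such as `// A slot's certificate is the only evidence of its key pair; no key-enumeration API is used`. The four blocks differ only in constants, so a table-driven loop keeps the per-slot bookkeeping (`certs`/`pvtkeys`/`pubkeys` all indexed by `n_cert`, bounded by the four rows) in one place; a sketch follows. The fetched `buf` is never inspected here, which is fine for presence detection.

```c
  /* One row per PIV key slot. A slot's certificate object is taken as the
   * evidence that its key pair exists; no key-enumeration API is used here. */
  static const struct {
    int ykpiv_obj;                       /* id passed to ykpiv_fetch_object */
    piv_obj_id_t cert, pvtkey, pubkey;   /* objects exposed when the cert is present */
    const char *desc;                    /* debug label only */
  } slot_table[] = {
    { YKPIV_OBJ_AUTHENTICATION, PIV_CERT_OBJ_X509_PIV_AUTH,  PIV_PVTK_OBJ_PIV_AUTH,  PIV_PUBK_OBJ_PIV_AUTH,  "AUTH cert (9a)" },
    { YKPIV_OBJ_CARD_AUTH,      PIV_CERT_OBJ_X509_CARD_AUTH, PIV_PVTK_OBJ_CARD_AUTH, PIV_PUBK_OBJ_CARD_AUTH, "CARD AUTH cert (9e)" },
    { YKPIV_OBJ_SIGNATURE,      PIV_CERT_OBJ_X509_DS,        PIV_PVTK_OBJ_DS,        PIV_PUBK_OBJ_DS,        "SIGNATURE cert (9c)" },
    { YKPIV_OBJ_KEY_MANAGEMENT, PIV_CERT_OBJ_X509_KM,        PIV_PVTK_OBJ_KM,        PIV_PUBK_OBJ_KM,        "KMK cert (9d)" },
  };
  CK_ULONG i;

  for (i = 0; i < sizeof(slot_table) / sizeof(slot_table[0]); i++) {
    buf_len = sizeof(buf);
    if (ykpiv_fetch_object(state, slot_table[i].ykpiv_obj, buf, &buf_len) != YKPIV_OK)
      continue;   /* TODO: distinguish "object absent" from a transport error */
    certs[n_cert]   = slot_table[i].cert;
    pvtkeys[n_cert] = slot_table[i].pvtkey;
    pubkeys[n_cert] = slot_table[i].pubkey;
    n_cert++;
    fprintf(stderr, "Found %s\n", slot_table[i].desc);
  }

  /* … unchanged: total count, num_only path, buffer-size check, the three memcpy calls … */
```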