[rs-commit] r37 - in /redwax-tool/trunk: redwax-tool.c redwax-tool.h redwax_openssl.c redwax_p11kit.c
rs-commit at redwax.eu
rs-commit at redwax.eu
Thu Nov 18 14:07:29 CET 2021
Author: minfrin at redwax.eu
Date: Thu Nov 18 14:07:29 2021
New Revision: 37
Log:
Add --key-in and --no-key-in, triggering smartcard login.
Modified:
redwax-tool/trunk/redwax-tool.c
redwax-tool/trunk/redwax-tool.h
redwax-tool/trunk/redwax_openssl.c
redwax-tool/trunk/redwax_p11kit.c
Modified: redwax-tool/trunk/redwax-tool.c
==============================================================================
--- redwax-tool/trunk/redwax-tool.c (original)
+++ redwax-tool/trunk/redwax-tool.c Thu Nov 18 14:07:29 2021
@@ -143,20 +143,22 @@
#define REDWAX_TOOL_NO_TRUST_OUT 271
#define REDWAX_TOOL_CRL_OUT 272
#define REDWAX_TOOL_NO_CRL_OUT 273
-#define REDWAX_TOOL_KEY_OUT 274
-#define REDWAX_TOOL_NO_KEY_OUT 275
-#define REDWAX_TOOL_AUTO_OUT 276
-#define REDWAX_TOOL_NO_AUTO_OUT 277
-#define REDWAX_TOOL_VERIFY_PARAM 278
-#define REDWAX_TOOL_SECRET_SUFFIX_IN 279
-#define REDWAX_TOOL_SECRET_SUFFIX_OUT 280
-#define REDWAX_TOOL_LABEL_OUT 281
-#define REDWAX_TOOL_NSS_OUT 282
-#define REDWAX_TOOL_NSS_SLOT_OUT 283
-#define REDWAX_TOOL_PEM_OUT 284
-#define REDWAX_TOOL_PKCS12_OUT 285
-#define REDWAX_TOOL_PKCS11_OUT 286
-#define REDWAX_TOOL_PKCS11_MODULE_OUT 287
+#define REDWAX_TOOL_KEY_IN 274
+#define REDWAX_TOOL_NO_KEY_IN 275
+#define REDWAX_TOOL_KEY_OUT 276
+#define REDWAX_TOOL_NO_KEY_OUT 277
+#define REDWAX_TOOL_AUTO_OUT 278
+#define REDWAX_TOOL_NO_AUTO_OUT 279
+#define REDWAX_TOOL_VERIFY_PARAM 280
+#define REDWAX_TOOL_SECRET_SUFFIX_IN 281
+#define REDWAX_TOOL_SECRET_SUFFIX_OUT 282
+#define REDWAX_TOOL_LABEL_OUT 283
+#define REDWAX_TOOL_NSS_OUT 284
+#define REDWAX_TOOL_NSS_SLOT_OUT 285
+#define REDWAX_TOOL_PEM_OUT 286
+#define REDWAX_TOOL_PKCS12_OUT 287
+#define REDWAX_TOOL_PKCS11_OUT 288
+#define REDWAX_TOOL_PKCS11_MODULE_OUT 289
#define REDWAX_EXIT_OK 0
#define REDWAX_EXIT_INIT 1
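Review bot: Inserting REDWAX_TOOL_KEY_IN/NO_KEY_IN at 274/275 renumbers fourteen existing option values, which makes this hunk hard to review and would silently break anything that still holds one of the old numeric values (I cannot see other users from here, so that is a hedge rather than a finding). Appending the two new values after the last existing one, `#define REDWAX_TOOL_KEY_IN 288` and `#define REDWAX_TOOL_NO_KEY_IN 289`, gives the same getopt behaviour with a two-line diff.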
@@ -207,6 +209,10 @@
" --crl-out\t\t\tInclude certificate revocation lists in the output." },
{ "no-crl-out", REDWAX_TOOL_NO_CRL_OUT, 0,
" --no-crl-out\t\t\tExclude certificate revocation lists from the output." },
+ { "key-in", REDWAX_TOOL_KEY_IN, 0,
+ " --key-in\t\t\tRead private keys in the input. This will trigger a\n\t\t\t\tlogin attempt if needed." },
+ { "no-key-in", REDWAX_TOOL_NO_KEY_IN, 0,
+ " --no-key-in\t\t\tExclude keys from the input." },
{ "key-out", REDWAX_TOOL_KEY_OUT, 0,
" --key-out\t\t\tInclude keys in the output." },
{ "no-key-out", REDWAX_TOOL_NO_KEY_OUT, 0,
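Review bot: The `--key-in` help text does not say that reading keys is the default, yet the main() hunk of this commit sets `r.key_in = 1;` before option parsing, so a user who wants to avoid the PIN prompt on a PKCS#11 input cannot tell from the help that `--no-key-in` is required. Suggest `" --key-in\t\t\tRead private keys in the input (default). This will trigger a\n\t\t\t\tlogin attempt if needed." }` and, to mirror it, `" --no-key-in\t\t\tExclude keys from the input, suppressing any login attempt." }`.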
@@ -1656,6 +1662,20 @@
return APR_SUCCESS;
}
+static apr_status_t redwax_set_key_in(redwax_tool_t *r)
+{
+ r->key_in = 1;
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t redwax_set_no_key_in(redwax_tool_t *r)
+{
+ r->key_in = 0;
+
+ return APR_SUCCESS;
+}
+
static apr_status_t redwax_set_key_out(redwax_tool_t *r)
{
r->key_out = 1;
@@ -1858,6 +1878,14 @@
== APR_SUCCESS) {
switch (optch) {
+ case REDWAX_TOOL_KEY_IN: {
+ redwax_set_key_in(r);
+ break;
+ }
+ case REDWAX_TOOL_NO_KEY_IN: {
+ redwax_set_no_key_in(r);
+ break;
+ }
case REDWAX_TOOL_SECRET_SUFFIX_IN: {
redwax_set_secret_suffix_in(r, optarg);
break;
@@ -2400,6 +2428,8 @@
apr_file_open_stdin(&r.in, r.pool);
apr_file_open_stdout(&r.out, r.pool);
+ r.key_in = 1;
+
r.certs_in = apr_array_make(r.pool, 10, sizeof(redwax_certificate_t));
r.intermediates_in = apr_array_make(r.pool, 10, sizeof(redwax_certificate_t));
r.trusted_in = apr_array_make(r.pool, 10, sizeof(redwax_certificate_t));
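Review bot: Defaulting `r.key_in = 1;` turns private-key parsing and the PKCS#11 token login into opt-out behaviour: every run against a pkcs11 input now prompts for the user PIN even when only certificates are wanted, and the p11kit hunk of this commit still skips CKO_PRIVATE_KEY objects after a successful login, so the prompt buys nothing yet. Until something consumes the logged-in session, `r.key_in = 0;` (login only with an explicit `--key-in`) is the least-surprise default; if 1 is intended, a comment such as `/* keys are read by default; --no-key-in avoids the token login */` should say so here.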
Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h (original)
+++ redwax-tool/trunk/redwax-tool.h Thu Nov 18 14:07:29 2021
@@ -83,6 +83,7 @@
int root_out;
int trust_out;
int crl_out;
+ int key_in;
int key_out;
int auto_out;
int quiet;
Modified: redwax-tool/trunk/redwax_openssl.c
==============================================================================
--- redwax-tool/trunk/redwax_openssl.c (original)
+++ redwax-tool/trunk/redwax_openssl.c Thu Nov 18 14:07:29 2021
@@ -975,7 +975,7 @@
}
- else if (strcmp(name, PEM_STRING_RSA) == 0) {
+ else if (r->key_in && strcmp(name, PEM_STRING_RSA) == 0) {
if (!(pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &der, len)) ||
!(p8inf = EVP_PKEY2PKCS8(pkey))) {
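Review bot: With `--no-key-in` an `RSA PRIVATE KEY` block no longer matches here and falls through the rest of the else-if chain; whether it ends in an "unrecognised type" message or a silent drop depends on the final else, which is outside this hunk, and the same applies to the DSA, EC and PKCS8INF hunks at -987, -999 and -1010. A single explicit branch ahead of these four, `else if (!r->key_in && (strcmp(name, PEM_STRING_RSA) == 0 || strcmp(name, PEM_STRING_DSA) == 0 || strcmp(name, PEM_STRING_ECPRIVATEKEY) == 0 || strcmp(name, PEM_STRING_PKCS8INF) == 0)) { /* --no-key-in: key deliberately skipped */ }`, would let the key be skipped on purpose rather than reported as unknown, and would keep the four parsing branches free of the repeated `r->key_in &&` guard. Note also that `der`/`len` are already populated when this test runs, so `--no-key-in` appears to avoid parsing the key rather than reading it; a one-line comment stating that would help if it is acceptable.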
@@ -987,7 +987,7 @@
}
- else if (strcmp(name, PEM_STRING_DSA) == 0) {
+ else if (r->key_in && strcmp(name, PEM_STRING_DSA) == 0) {
if (!(pkey = d2i_PrivateKey(EVP_PKEY_DSA, NULL, &der, len)) ||
!(p8inf = EVP_PKEY2PKCS8(pkey))) {
@@ -999,7 +999,7 @@
}
- else if (strcmp(name, PEM_STRING_ECPRIVATEKEY) == 0) {
+ else if (r->key_in && strcmp(name, PEM_STRING_ECPRIVATEKEY) == 0) {
if (!(pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &der, len)) ||
!(p8inf = EVP_PKEY2PKCS8(pkey))) {
@@ -1010,7 +1010,7 @@
}
}
- else if (strcmp(name, PEM_STRING_PKCS8INF) == 0) {
+ else if (r->key_in && strcmp(name, PEM_STRING_PKCS8INF) == 0) {
BIO *kbio;
Modified: redwax-tool/trunk/redwax_p11kit.c
==============================================================================
--- redwax-tool/trunk/redwax_p11kit.c (original)
+++ redwax-tool/trunk/redwax_p11kit.c Thu Nov 18 14:07:29 2021
@@ -723,7 +723,7 @@
static apr_status_t redwax_p11kit_handle_token_login(redwax_tool_t *r,
apr_pool_t *pool, P11KitUri *parsed, CK_FUNCTION_LIST *module,
CK_TOKEN_INFO *tokenInfo, CK_SLOT_ID_PTR slot_id,
- CK_SESSION_HANDLE session)
+ CK_SESSION_HANDLE session, const char *direction)
{
redwax_pkcs11_session_t *s;
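Review bot: The new `direction` parameter carries no documentation; as the two call sites in this commit show, it is only the `pkcs11-in`/`pkcs11-out` prefix used in the error messages. A comment on the parameter, `/* direction: "pkcs11-in" or "pkcs11-out", prefix for messages */`, would save the next reader from checking the callers. The function body continues outside this hunk.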
@@ -748,8 +748,8 @@
}
else if (ret == CKR_PIN_INCORRECT) {
- redwax_print_error(r, "pkcs11-out: login to '%s' with user PIN "
- "on pinpad, try again: %s\n",
+ redwax_print_error(r, "%s: login to '%s' with user PIN "
+ "on pinpad, try again: %s\n", direction,
redwax_pstrntrim(pool, (const char*) tokenInfo->label,
sizeof(tokenInfo->label)), pkcs11_errstr(ret));
@@ -758,8 +758,8 @@
}
if (ret != CKR_OK) {
- redwax_print_error(r, "pkcs11-out: login to '%s' with user PIN "
- "on pinpad failed: %s\n",
+ redwax_print_error(r, "%s: login to '%s' with user PIN "
+ "on pinpad failed: %s\n", direction,
redwax_pstrntrim(pool, (const char*) tokenInfo->label,
sizeof(tokenInfo->label)), pkcs11_errstr(ret));
@@ -780,8 +780,8 @@
ret = module->C_Login(session, CKU_USER, userPIN, userPIN_len);
if (ret != CKR_OK) {
- redwax_print_error(r, "pkcs11-out: login to '%s' with user PIN "
- "failed, skipping: %s\n",
+ redwax_print_error(r, "%s: login to '%s' with user PIN "
+ "failed, skipping: %s\n", direction,
redwax_pstrntrim(pool, (const char*) tokenInfo->label,
sizeof(tokenInfo->label)), pkcs11_errstr(ret));
@@ -819,13 +819,13 @@
status = apr_password_get(prompt, buf, &max);
if (APR_ENAMETOOLONG == status) {
redwax_print_error(r,
- "pkcs11-out: user PIN was longer than %" APR_SSIZE_T_FMT
- ", try again.\n", max);
+ "%s: user PIN was longer than %" APR_SSIZE_T_FMT
+ ", try again.\n", direction, max);
continue;
}
if (APR_SUCCESS != status) {
redwax_print_error(r,
- "pkcs11-out: could not read user PIN: %pm\n", &status);
+ "%s: could not read user PIN: %pm\n", direction, &status);
return status;
}
@@ -833,15 +833,15 @@
if (len < min) {
redwax_print_error(r,
- "pkcs11-out: user PIN was shorter than %"
- APR_SSIZE_T_FMT " characters, try again.\n", min);
+ "%s: user PIN was shorter than %"
+ APR_SSIZE_T_FMT " characters, try again.\n", direction, min);
continue;
}
else if (len > max) {
redwax_print_error(r,
- "pkcs11-out: user PIN was longer than %"
- APR_SSIZE_T_FMT " characters, try again.\n", max);
+ "%s: user PIN was longer than %"
+ APR_SSIZE_T_FMT " characters, try again.\n", direction, max);
continue;
}
@@ -859,7 +859,8 @@
else if (ret == CKR_PIN_INCORRECT) {
redwax_print_error(r,
- "pkcs11-out: login to '%s' with user PIN failed, try again: %s\n",
+ "%s: login to '%s' with user PIN failed, try again: %s\n",
+ direction,
redwax_pstrntrim(pool, (const char*) tokenInfo->label,
sizeof(tokenInfo->label)), pkcs11_errstr(ret));
@@ -869,7 +870,8 @@
if (ret != CKR_OK) {
redwax_print_error(r,
- "pkcs11-out: login to '%s' with user PIN failed: %s\n",
+ "%s: login to '%s' with user PIN failed: %s\n",
+ direction,
redwax_pstrntrim(pool, (const char*) tokenInfo->label,
sizeof(tokenInfo->label)), pkcs11_errstr(ret));
@@ -938,7 +940,7 @@
apr_pool_cleanup_null);
status = redwax_p11kit_handle_token_login(r, pool, parsed,
- module, tokenInfo, slot_id, session);
+ module, tokenInfo, slot_id, session, "pkcs11-out");
if (status != APR_SUCCESS) {
return status;
}
@@ -1091,16 +1093,18 @@
apr_pool_cleanup_register(pool, s, cleanup_session,
apr_pool_cleanup_null);
- // fixme: warnings say pkcs11-out
-
-// status = redwax_p11kit_handle_token_login(r, pool, parsed,
-// module, tokenInfo, slot_id, session);
-// if (status != APR_SUCCESS) {
-
-// apr_pool_destroy(pool);
-
-// return status;
-// }
+ if (r->key_in) {
+ apr_status_t status;
+
+ status = redwax_p11kit_handle_token_login(r, pool, parsed,
+ module, tokenInfo, slot_id, session, "pkcs11-in");
+ if (status != APR_SUCCESS) {
+
+ apr_pool_destroy(pool);
+
+ return status;
+ }
+ }
attrs = p11_kit_uri_get_attributes (parsed, &n_attrs);
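Review bot: The login added here runs whenever `r->key_in` is set, but the private-key branch later in this function (the hunk at -1279) still prints "Private key found on '%s', skipping", so a successful PIN entry currently has no effect on what pkcs11-in produces; either the key import should land with this change or the skip message should say that the key was skipped despite the login. The block-local `apr_status_t status;` may shadow a function-level `status` (the pkcs11-out call site at -938 assigns one without a declaration, but I cannot see this function's head), which `-Wshadow` would flag. The failure path destroys `pool`, which runs the `cleanup_session` registered just above, so the session is released on error; a comment `/* destroying pool also closes the session via cleanup_session */` would make that intent visible.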
@@ -1137,8 +1141,8 @@
class_template, class_template_len);
if (ret != CKR_OK) {
- /* ignore anything we cannot read */
- continue;
+ /* ignore anything we cannot read */
+ continue;
}
clazz = *(CK_OBJECT_CLASS_PTR)class_template[0].pValue;
@@ -1146,7 +1150,7 @@
/* 4.6 Certificate objects */
if (CKO_CERTIFICATE == clazz) {
- CK_CERTIFICATE_TYPE type;
+ CK_CERTIFICATE_TYPE type;
CK_ATTRIBUTE type_template[] = {
{CKA_CERTIFICATE_TYPE, NULL_PTR, 0}
@@ -1158,8 +1162,8 @@
type_template, type_template_len);
if (ret != CKR_OK) {
- /* ignore anything we cannot read */
- continue;
+ /* ignore anything we cannot read */
+ continue;
}
type = *(CK_CERTIFICATE_TYPE *)class_template[0].pValue;
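Review bot: `type = *(CK_CERTIFICATE_TYPE *)class_template[0].pValue;` reads the object-class attribute fetched earlier, not the CKA_CERTIFICATE_TYPE value that `redwax_p11kit_read_attributes` just stored in `type_template`; the intended line is `type = *(CK_CERTIFICATE_TYPE *)type_template[0].pValue;`. This predates the commit but sits on the new side of this reindented hunk. Because CKO_CERTIFICATE is 1 and CKC_X_509_ATTR_CERT is also 1, the bug is masked in practice: every certificate object is classified as an attribute certificate and still passes the `CKC_X_509 == type || CKC_X_509_ATTR_CERT == type` test, so the WTLS and "not understood" branches can never be reached.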
@@ -1168,110 +1172,110 @@
/* 4.6.5 X.509 attribute certificate objects */
if (CKC_X_509 == type || CKC_X_509_ATTR_CERT == type) {
- CK_ATTRIBUTE cert_template[] =
- { { CKA_VALUE, NULL_PTR, 0 }, { CKA_TRUSTED, NULL_PTR, 0 } };
- int cert_template_len = 2;
-
- ret = redwax_p11kit_read_attributes(pool, module, session, object,
- cert_template, cert_template_len);
- if (ret == CKR_OK || ret == CKR_ATTRIBUTE_SENSITIVE
- || ret == CKR_ATTRIBUTE_TYPE_INVALID) {
-
- CK_BBOOL trusted = *(CK_BBOOL *)cert_template[1].pValue;
-
- redwax_certificate_t *cert = apr_pcalloc(pool,
- sizeof(redwax_certificate_t));
-
- apr_pool_create(&cert->pool, r->pool);
-
- cert->common.type = REDWAX_CERTIFICATE_X509;
-
- cert->der = apr_pmemdup(cert->pool,
- cert_template[0].pValue,
- cert_template[0].ulValueLen);
- cert->len = cert_template[0].ulValueLen;
-
- rt_run_normalise_certificate(r, cert, 1);
-
- if (REDWAX_CERTIFICATE_INTERMEDIATE
- == cert->common.category && trusted) {
- cert->common.category = REDWAX_CERTIFICATE_TRUSTED;
- }
-
- switch (cert->common.category) {
- case REDWAX_CERTIFICATE_END_ENTITY: {
-
- redwax_certificate_t *c = apr_array_push(r->certs_in);
- memcpy(c, cert, sizeof(*cert));
-
- redwax_print_error(r, "pkcs11-in: certificate: %s\n",
- cert->common.subject);
-
- break;
- }
- case REDWAX_CERTIFICATE_INTERMEDIATE: {
-
- redwax_certificate_t *c = apr_array_push(r->intermediates_in);
- memcpy(c, cert, sizeof(*cert));
-
- redwax_print_error(r, "pkcs11-in: intermediate: %s\n",
- cert->common.subject);
-
- break;
- }
- case REDWAX_CERTIFICATE_ROOT: {
-
- // fixme: root, but nowhere to put it
-
- redwax_certificate_t *c = apr_array_push(r->trusted_in);
- memcpy(c, cert, sizeof(*cert));
-
- redwax_print_error(r, "pkcs11-in: root: %s\n",
- cert->common.subject);
-
- break;
- }
- case REDWAX_CERTIFICATE_TRUSTED: {
-
- redwax_certificate_t *c = apr_array_push(r->trusted_in);
- memcpy(c, cert, sizeof(*cert));
-
- redwax_print_error(r, "pkcs11-in: trusted: %s\n",
- cert->common.subject);
-
- break;
- }
- default: {
-
- redwax_print_error(r, "pkcs11-in: unrecognised "
- "certificate, skipped: %s\n",
- cert->common.subject);
-
- break;
- }
- }
-
- }
+ CK_ATTRIBUTE cert_template[] =
+ { { CKA_VALUE, NULL_PTR, 0 }, { CKA_TRUSTED, NULL_PTR, 0 } };
+ int cert_template_len = 2;
+
+ ret = redwax_p11kit_read_attributes(pool, module, session, object,
+ cert_template, cert_template_len);
+ if (ret == CKR_OK || ret == CKR_ATTRIBUTE_SENSITIVE
+ || ret == CKR_ATTRIBUTE_TYPE_INVALID) {
+
+ CK_BBOOL trusted = *(CK_BBOOL *)cert_template[1].pValue;
+
+ redwax_certificate_t *cert = apr_pcalloc(pool,
+ sizeof(redwax_certificate_t));
+
+ apr_pool_create(&cert->pool, r->pool);
+
+ cert->common.type = REDWAX_CERTIFICATE_X509;
+
+ cert->der = apr_pmemdup(cert->pool,
+ cert_template[0].pValue,
+ cert_template[0].ulValueLen);
+ cert->len = cert_template[0].ulValueLen;
+
+ rt_run_normalise_certificate(r, cert, 1);
+
+ if (REDWAX_CERTIFICATE_INTERMEDIATE
+ == cert->common.category && trusted) {
+ cert->common.category = REDWAX_CERTIFICATE_TRUSTED;
+ }
+
+ switch (cert->common.category) {
+ case REDWAX_CERTIFICATE_END_ENTITY: {
+
+ redwax_certificate_t *c = apr_array_push(r->certs_in);
+ memcpy(c, cert, sizeof(*cert));
+
+ redwax_print_error(r, "pkcs11-in: certificate: %s\n",
+ cert->common.subject);
+
+ break;
+ }
+ case REDWAX_CERTIFICATE_INTERMEDIATE: {
+
+ redwax_certificate_t *c = apr_array_push(r->intermediates_in);
+ memcpy(c, cert, sizeof(*cert));
+
+ redwax_print_error(r, "pkcs11-in: intermediate: %s\n",
+ cert->common.subject);
+
+ break;
+ }
+ case REDWAX_CERTIFICATE_ROOT: {
+
+ // fixme: root, but nowhere to put it
+
+ redwax_certificate_t *c = apr_array_push(r->trusted_in);
+ memcpy(c, cert, sizeof(*cert));
+
+ redwax_print_error(r, "pkcs11-in: root: %s\n",
+ cert->common.subject);
+
+ break;
+ }
+ case REDWAX_CERTIFICATE_TRUSTED: {
+
+ redwax_certificate_t *c = apr_array_push(r->trusted_in);
+ memcpy(c, cert, sizeof(*cert));
+
+ redwax_print_error(r, "pkcs11-in: trusted: %s\n",
+ cert->common.subject);
+
+ break;
+ }
+ default: {
+
+ redwax_print_error(r, "pkcs11-in: unrecognised "
+ "certificate, skipped: %s\n",
+ cert->common.subject);
+
+ break;
+ }
+ }
+
+ }
}
/* 4.6.4 WTLS public key certificate objects */
else if (CKC_WTLS == type) {
- redwax_print_error(r,
- "pkcs11-in: WTLS certificate found on '%s', skipping\n",
- redwax_pstrntrim(pool, (const char*) tokenInfo->label,
- sizeof(tokenInfo->label)));
+ redwax_print_error(r,
+ "pkcs11-in: WTLS certificate found on '%s', skipping\n",
+ redwax_pstrntrim(pool, (const char*) tokenInfo->label,
+ sizeof(tokenInfo->label)));
}
/* all other certs */
else {
- redwax_print_error(r,
- "pkcs11-in: Certificate '%s' with type %d not understood, skipping\n",
- redwax_pstrntrim(pool, (const char*) tokenInfo->label,
- sizeof(tokenInfo->label)), (int)type);
+ redwax_print_error(r,
+ "pkcs11-in: Certificate '%s' with type %d not understood, skipping\n",
+ redwax_pstrntrim(pool, (const char*) tokenInfo->label,
+ sizeof(tokenInfo->label)), (int)type);
}
@@ -1279,24 +1283,24 @@
else if (CKO_PUBLIC_KEY == clazz) {
- /* we ignore public keys for now */
+ /* we ignore public keys for now */
}
else if (CKO_PRIVATE_KEY == clazz) {
- redwax_print_error(r,
- "pkcs11-in: Private key found on '%s', skipping\n",
- redwax_pstrntrim(pool, (const char*) tokenInfo->label,
- sizeof(tokenInfo->label)));
+ redwax_print_error(r,
+ "pkcs11-in: Private key found on '%s', skipping\n",
+ redwax_pstrntrim(pool, (const char*) tokenInfo->label,
+ sizeof(tokenInfo->label)));
}
else {
- redwax_print_error(r,
- "pkcs11-in: Object %d found on '%s', skipping\n",
- (int)clazz, redwax_pstrntrim(pool, (const char*) tokenInfo->label,
- sizeof(tokenInfo->label)));
+ redwax_print_error(r,
+ "pkcs11-in: Object %d found on '%s', skipping\n",
+ (int)clazz, redwax_pstrntrim(pool, (const char*) tokenInfo->label,
+ sizeof(tokenInfo->label)));
}