1
/*
2
 * Copyright (c) 2004 - 2008 Kungliga Tekniska Högskolan
3
 * (Royal Institute of Technology, Stockholm, Sweden).
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 *
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 *
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 *
17
 * 3. Neither the name of the Institute nor the names of its contributors
18
 *    may be used to endorse or promote products derived from this software
19
 *    without specific prior written permission.
20
 *
21
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31
 * SUCH DAMAGE.
32
 */
33

34
#include "hx_locl.h"
35
#ifdef HAVE_DLFCN_H
36
#include <dlfcn.h>
37
#endif
38

39
#ifdef HAVE_DLOPEN
40

41
#include "pkcs11.h"
42

43
struct p11_slot {
44
    int flags;
45
#define P11_SESSION		1
46
#define P11_SESSION_IN_USE	2
47
#define P11_LOGIN_REQ		4
48
#define P11_LOGIN_DONE		8
49
#define P11_TOKEN_PRESENT	16
50
    CK_SESSION_HANDLE session;
51
    CK_SLOT_ID id;
52
    CK_BBOOL token;
53
    char *name;
54
    hx509_certs certs;
55
    char *pin;
56
    struct {
57
	CK_MECHANISM_TYPE_PTR list;
58
	CK_ULONG num;
59
	CK_MECHANISM_INFO_PTR *infos;
60
    } mechs;
61
};
62

63
struct p11_module {
64
    void *dl_handle;
65
    CK_FUNCTION_LIST_PTR funcs;
66
    CK_ULONG num_slots;
67
    unsigned int ref;
68
    struct p11_slot *slot;
69
};
70

71
#define P11FUNC(module,f,args) (*(module)->funcs->C_##f)args
72

73
static int p11_get_session(hx509_context,
74
			   struct p11_module *,
75
			   struct p11_slot *,
76
			   hx509_lock,
77
			   CK_SESSION_HANDLE *);
78
static int p11_put_session(struct p11_module *,
79
			   struct p11_slot *,
80
			   CK_SESSION_HANDLE);
81
static void p11_release_module(struct p11_module *);
82

83
static int p11_list_keys(hx509_context,
84
			 struct p11_module *,
85
			 struct p11_slot *,
86
			 CK_SESSION_HANDLE,
87
			 hx509_lock,
88
			 hx509_certs *);
89

90
/*
91
 *
92
 */
93

94
struct p11_rsa {
95
    struct p11_module *p;
96
    struct p11_slot *slot;
97
    CK_OBJECT_HANDLE private_key;
98
    CK_OBJECT_HANDLE public_key;
99
};
100

101
static int
102
p11_rsa_public_encrypt(int flen,
103
		       const unsigned char *from,
104
		       unsigned char *to,
105
		       RSA *rsa,
106
		       int padding)
107
{
108
    return -1;
109
}
110

111
static int
112
p11_rsa_public_decrypt(int flen,
113
		       const unsigned char *from,
114
		       unsigned char *to,
115
		       RSA *rsa,
116
		       int padding)
117
{
118
    return -1;
119
}
120

121

122
static int
123
p11_rsa_private_encrypt(int flen,
124
			const unsigned char *from,
125
			unsigned char *to,
126
			RSA *rsa,
127
			int padding)
128
{
129
    struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
130
    CK_OBJECT_HANDLE key = p11rsa->private_key;
131
    CK_SESSION_HANDLE session;
132
    CK_MECHANISM mechanism;
133
    CK_ULONG ck_sigsize;
134
    int ret;
135

136
    if (padding != RSA_PKCS1_PADDING)
137
	return -1;
138

139
    memset(&mechanism, 0, sizeof(mechanism));
140
    mechanism.mechanism = CKM_RSA_PKCS;
141

142
    ck_sigsize = RSA_size(rsa);
143

144
    ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
145
    if (ret)
146
	return -1;
147

148
    ret = P11FUNC(p11rsa->p, SignInit, (session, &mechanism, key));
149
    if (ret != CKR_OK) {
150
	p11_put_session(p11rsa->p, p11rsa->slot, session);
151
	return -1;
152
    }
153

154
    ret = P11FUNC(p11rsa->p, Sign,
155
		  (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
156
    p11_put_session(p11rsa->p, p11rsa->slot, session);
157
    if (ret != CKR_OK)
158
	return -1;
159

160
    return ck_sigsize;
161
}
162

163
static int
164
p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
165
			RSA * rsa, int padding)
166
{
167
    struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
168
    CK_OBJECT_HANDLE key = p11rsa->private_key;
169
    CK_SESSION_HANDLE session;
170
    CK_MECHANISM mechanism;
171
    CK_ULONG ck_sigsize;
172
    int ret;
173

174
    if (padding != RSA_PKCS1_PADDING)
175
	return -1;
176

177
    memset(&mechanism, 0, sizeof(mechanism));
178
    mechanism.mechanism = CKM_RSA_PKCS;
179

180
    ck_sigsize = RSA_size(rsa);
181

182
    ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
183
    if (ret)
184
	return -1;
185

186
    ret = P11FUNC(p11rsa->p, DecryptInit, (session, &mechanism, key));
187
    if (ret != CKR_OK) {
188
	p11_put_session(p11rsa->p, p11rsa->slot, session);
189
	return -1;
190
    }
191

192
    ret = P11FUNC(p11rsa->p, Decrypt,
193
		  (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
194
    p11_put_session(p11rsa->p, p11rsa->slot, session);
195
    if (ret != CKR_OK)
196
	return -1;
197

198
    return ck_sigsize;
199
}
200

201
static int
202
p11_rsa_init(RSA *rsa)
203
{
204
    return 1;
205
}
206

207
static int
208
p11_rsa_finish(RSA *rsa)
209
{
210
    struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
211
    p11_release_module(p11rsa->p);
212
    free(p11rsa);
213
    return 1;
214
}
215

216
static const RSA_METHOD *
217
get_p11_rsa_pkcs1_method(void)
218
{
219
    static const RSA_METHOD *p11_rsa_pkcs1_method;
220
    RSA_METHOD *new_method;
221

222
    if (p11_rsa_pkcs1_method != NULL)
223
	return p11_rsa_pkcs1_method;
224

225
    new_method = RSA_meth_new("hx509 PKCS11 PKCS#1 RSA", 0);
226
    if (new_method == NULL)
227
	return NULL;
228

229
    if (RSA_meth_set_pub_enc(new_method, p11_rsa_public_encrypt) != 1)
230
	goto out;
231

232
    if (RSA_meth_set_pub_dec(new_method, p11_rsa_public_decrypt) != 1)
233
	goto out;
234

235
    if (RSA_meth_set_priv_enc(new_method, p11_rsa_private_encrypt) != 1)
236
	goto out;
237

238
    if (RSA_meth_set_priv_dec(new_method, p11_rsa_private_decrypt) != 1)
239
	goto out;
240

241
    if (RSA_meth_set_init(new_method, p11_rsa_init) != 1)
242
	goto out;
243

244
    if (RSA_meth_set_finish(new_method, p11_rsa_finish) != 1)
245
	goto out;
246

247
    /*
248
     * This might overwrite a previously-created method if multiple
249
     * threads invoke this concurrently which will leak memory.
250
     */
251
    p11_rsa_pkcs1_method = new_method;
252
    return p11_rsa_pkcs1_method;
253
out:
254
    RSA_meth_free(new_method);
255
    return NULL;
256
}
257

258
/*
259
 *
260
 */
261

262
static int
263
p11_mech_info(hx509_context context,
264
	      struct p11_module *p,
265
	      struct p11_slot *slot,
266
	      int num)
267
{
268
    CK_ULONG i;
269
    int ret;
270

271
    ret = P11FUNC(p, GetMechanismList, (slot->id, NULL_PTR, &i));
272
    if (ret) {
273
	hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
274
			       "Failed to get mech list count for slot %d",
275
			       num);
276
	return HX509_PKCS11_NO_MECH;
277
    }
278
    if (i == 0) {
279
	hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
280
			       "no mech supported for slot %d", num);
281
	return HX509_PKCS11_NO_MECH;
282
    }
283
    slot->mechs.list = calloc(i, sizeof(slot->mechs.list[0]));
284
    if (slot->mechs.list == NULL) {
285
	hx509_set_error_string(context, 0, ENOMEM,
286
			       "out of memory");
287
	return ENOMEM;
288
    }
289
    slot->mechs.num = i;
290
    ret = P11FUNC(p, GetMechanismList, (slot->id, slot->mechs.list, &i));
291
    if (ret) {
292
	hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
293
			       "Failed to get mech list for slot %d",
294
			       num);
295
	return HX509_PKCS11_NO_MECH;
296
    }
297
    assert(i == slot->mechs.num);
298

299
    slot->mechs.infos = calloc(i, sizeof(*slot->mechs.infos));
300
    if (slot->mechs.list == NULL) {
301
	hx509_set_error_string(context, 0, ENOMEM,
302
			       "out of memory");
303
	return ENOMEM;
304
    }
305

306
    for (i = 0; i < slot->mechs.num; i++) {
307
	slot->mechs.infos[i] = calloc(1, sizeof(*(slot->mechs.infos[0])));
308
	if (slot->mechs.infos[i] == NULL) {
309
	    hx509_set_error_string(context, 0, ENOMEM,
310
				   "out of memory");
311
	    return ENOMEM;
312
	}
313
	ret = P11FUNC(p, GetMechanismInfo, (slot->id, slot->mechs.list[i],
314
					    slot->mechs.infos[i]));
315
	if (ret) {
316
	    hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
317
				   "Failed to get mech info for slot %d",
318
				   num);
319
	    return HX509_PKCS11_NO_MECH;
320
	}
321
    }
322

323
    return 0;
324
}
325

326
static int
327
p11_init_slot(hx509_context context,
328
	      struct p11_module *p,
329
	      hx509_lock lock,
330
	      CK_SLOT_ID id,
331
	      int num,
332
	      struct p11_slot *slot)
333
{
334
    CK_SESSION_HANDLE session;
335
    CK_SLOT_INFO slot_info;
336
    CK_TOKEN_INFO token_info;
337
    size_t i;
338
    int ret;
339

340
    slot->certs = NULL;
341
    slot->id = id;
342

343
    ret = P11FUNC(p, GetSlotInfo, (slot->id, &slot_info));
344
    if (ret) {
345
	hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
346
			       "Failed to init PKCS11 slot %d",
347
			       num);
348
	return HX509_PKCS11_TOKEN_CONFUSED;
349
    }
350

351
    for (i = sizeof(slot_info.slotDescription) - 1; i > 0; i--) {
352
	char c = slot_info.slotDescription[i];
353
	if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\0')
354
	    continue;
355
	i++;
356
	break;
357
    }
358

359
    asprintf(&slot->name, "%.*s",
360
	     (int)i, slot_info.slotDescription);
361

362
    if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
363
	return 0;
364

365
    ret = P11FUNC(p, GetTokenInfo, (slot->id, &token_info));
366
    if (ret) {
367
	hx509_set_error_string(context, 0, HX509_PKCS11_NO_TOKEN,
368
			       "Failed to init PKCS11 slot %d "
369
			       "with error 0x08x",
370
			       num, ret);
371
	return HX509_PKCS11_NO_TOKEN;
372
    }
373
    slot->flags |= P11_TOKEN_PRESENT;
374

375
    if (token_info.flags & CKF_LOGIN_REQUIRED)
376
	slot->flags |= P11_LOGIN_REQ;
377

378
    ret = p11_get_session(context, p, slot, lock, &session);
379
    if (ret)
380
	return ret;
381

382
    ret = p11_mech_info(context, p, slot, num);
383
    if (ret)
384
	goto out;
385

386
    ret = p11_list_keys(context, p, slot, session, lock, &slot->certs);
387
 out:
388
    p11_put_session(p, slot, session);
389

390
    return ret;
391
}
392

393
static int
394
p11_get_session(hx509_context context,
395
		struct p11_module *p,
396
		struct p11_slot *slot,
397
		hx509_lock lock,
398
		CK_SESSION_HANDLE *psession)
399
{
400
    CK_RV ret;
401

402
    if (slot->flags & P11_SESSION_IN_USE)
403
	_hx509_abort("slot already in session");
404

405
    if (slot->flags & P11_SESSION) {
406
	slot->flags |= P11_SESSION_IN_USE;
407
	*psession = slot->session;
408
	return 0;
409
    }
410

411
    ret = P11FUNC(p, OpenSession, (slot->id,
412
				   CKF_SERIAL_SESSION,
413
				   NULL,
414
				   NULL,
415
				   &slot->session));
416
    if (ret != CKR_OK) {
417
	if (context)
418
	    hx509_set_error_string(context, 0, HX509_PKCS11_OPEN_SESSION,
419
				   "Failed to OpenSession for slot id %d "
420
				   "with error: 0x%08x",
421
				   (int)slot->id, ret);
422
	return HX509_PKCS11_OPEN_SESSION;
423
    }
424

425
    slot->flags |= P11_SESSION;
426

427
    /*
428
     * If we have have to login, and haven't tried before and have a
429
     * prompter or known to work pin code.
430
     *
431
     * This code is very conversative and only uses the prompter in
432
     * the hx509_lock, the reason is that it's bad to try many
433
     * passwords on a pkcs11 token, it might lock up and have to be
434
     * unlocked by a administrator.
435
     *
436
     * XXX try harder to not use pin several times on the same card.
437
     */
438

439
    if (   (slot->flags & P11_LOGIN_REQ)
440
	&& (slot->flags & P11_LOGIN_DONE) == 0
441
	&& (lock || slot->pin))
442
    {
443
	hx509_prompt prompt;
444
	char pin[20];
445
	char *str;
446

447
	if (slot->pin == NULL) {
448

449
	    memset(&prompt, 0, sizeof(prompt));
450

451
	    asprintf(&str, "PIN code for %s: ", slot->name);
452
	    prompt.prompt = str;
453
	    prompt.type = HX509_PROMPT_TYPE_PASSWORD;
454
	    prompt.reply.data = pin;
455
	    prompt.reply.length = sizeof(pin);
456

457
	    ret = hx509_lock_prompt(lock, &prompt);
458
	    if (ret) {
459
		free(str);
460
		if (context)
461
		    hx509_set_error_string(context, 0, ret,
462
					   "Failed to get pin code for slot "
463
					   "id %d with error: %d",
464
					   (int)slot->id, ret);
465
		return ret;
466
	    }
467
	    free(str);
468
	} else {
469
	    strlcpy(pin, slot->pin, sizeof(pin));
470
	}
471

472
	ret = P11FUNC(p, Login, (slot->session, CKU_USER,
473
				 (unsigned char*)pin, strlen(pin)));
474
	if (ret != CKR_OK) {
475
	    if (context)
476
		hx509_set_error_string(context, 0, HX509_PKCS11_LOGIN,
477
				       "Failed to login on slot id %d "
478
				       "with error: 0x%08x",
479
				       (int)slot->id, ret);
480
	    return HX509_PKCS11_LOGIN;
481
	} else
482
	    slot->flags |= P11_LOGIN_DONE;
483

484
	if (slot->pin == NULL) {
485
	    slot->pin = strdup(pin);
486
	    if (slot->pin == NULL) {
487
		if (context)
488
		    hx509_set_error_string(context, 0, ENOMEM,
489
					   "out of memory");
490
		return ENOMEM;
491
	    }
492
	}
493
    } else
494
	slot->flags |= P11_LOGIN_DONE;
495

496
    slot->flags |= P11_SESSION_IN_USE;
497

498
    *psession = slot->session;
499

500
    return 0;
501
}
502

503
static int
504
p11_put_session(struct p11_module *p,
505
		struct p11_slot *slot,
506
		CK_SESSION_HANDLE session)
507
{
508
    if ((slot->flags & P11_SESSION_IN_USE) == 0)
509
	_hx509_abort("slot not in session");
510
    slot->flags &= ~P11_SESSION_IN_USE;
511

512
    return 0;
513
}
514

515
static int
516
iterate_entries(hx509_context context,
517
		struct p11_module *p, struct p11_slot *slot,
518
		CK_SESSION_HANDLE session,
519
		CK_ATTRIBUTE *search_data, int num_search_data,
520
		CK_ATTRIBUTE *query, int num_query,
521
		int (*func)(hx509_context,
522
			    struct p11_module *, struct p11_slot *,
523
			    CK_SESSION_HANDLE session,
524
			    CK_OBJECT_HANDLE object,
525
			    void *, CK_ATTRIBUTE *, int), void *ptr)
526
{
527
    CK_OBJECT_HANDLE object;
528
    CK_ULONG object_count;
529
    int ret, ret2, i;
530

531
    ret = P11FUNC(p, FindObjectsInit, (session, search_data, num_search_data));
532
    if (ret != CKR_OK) {
533
	return -1;
534
    }
535
    while (1) {
536
	ret = P11FUNC(p, FindObjects, (session, &object, 1, &object_count));
537
	if (ret != CKR_OK) {
538
	    return -1;
539
	}
540
	if (object_count == 0)
541
	    break;
542

543
	for (i = 0; i < num_query; i++)
544
	    query[i].pValue = NULL;
545

546
	ret = P11FUNC(p, GetAttributeValue,
547
		      (session, object, query, num_query));
548
	if (ret != CKR_OK) {
549
	    return -1;
550
	}
551
	for (i = 0; i < num_query; i++) {
552
	    query[i].pValue = malloc(query[i].ulValueLen);
553
	    if (query[i].pValue == NULL) {
554
		ret = ENOMEM;
555
		goto out;
556
	    }
557
	}
558
	ret = P11FUNC(p, GetAttributeValue,
559
		      (session, object, query, num_query));
560
	if (ret != CKR_OK) {
561
	    ret = -1;
562
	    goto out;
563
	}
564

565
	ret = (*func)(context, p, slot, session, object, ptr, query, num_query);
566
	if (ret)
567
	    goto out;
568

569
	for (i = 0; i < num_query; i++) {
570
	    if (query[i].pValue)
571
		free(query[i].pValue);
572
	    query[i].pValue = NULL;
573
	}
574
    }
575
 out:
576

577
    for (i = 0; i < num_query; i++) {
578
	if (query[i].pValue)
579
	    free(query[i].pValue);
580
	query[i].pValue = NULL;
581
    }
582

583
    ret2 = P11FUNC(p, FindObjectsFinal, (session));
584
    if (ret2 != CKR_OK) {
585
	return ret2;
586
    }
587

588
    return ret;
589
}
590

591
static BIGNUM *
592
getattr_bn(struct p11_module *p,
593
	   struct p11_slot *slot,
594
	   CK_SESSION_HANDLE session,
595
	   CK_OBJECT_HANDLE object,
596
	   unsigned int type)
597
{
598
    CK_ATTRIBUTE query;
599
    BIGNUM *bn;
600
    int ret;
601

602
    query.type = type;
603
    query.pValue = NULL;
604
    query.ulValueLen = 0;
605

606
    ret = P11FUNC(p, GetAttributeValue,
607
		  (session, object, &query, 1));
608
    if (ret != CKR_OK)
609
	return NULL;
610

611
    query.pValue = malloc(query.ulValueLen);
612

613
    ret = P11FUNC(p, GetAttributeValue,
614
		  (session, object, &query, 1));
615
    if (ret != CKR_OK) {
616
	free(query.pValue);
617
	return NULL;
618
    }
619
    bn = BN_bin2bn(query.pValue, query.ulValueLen, NULL);
620
    free(query.pValue);
621

622
    return bn;
623
}
624

625
static int
626
collect_private_key(hx509_context context,
627
		    struct p11_module *p, struct p11_slot *slot,
628
		    CK_SESSION_HANDLE session,
629
		    CK_OBJECT_HANDLE object,
630
		    void *ptr, CK_ATTRIBUTE *query, int num_query)
631
{
632
    struct hx509_collector *collector = ptr;
633
    hx509_private_key key;
634
    heim_octet_string localKeyId;
635
    int ret;
636
    const RSA_METHOD *meth;
637
    BIGNUM *n, *e;
638
    RSA *rsa;
639
    struct p11_rsa *p11rsa;
640

641
    localKeyId.data = query[0].pValue;
642
    localKeyId.length = query[0].ulValueLen;
643

644
    ret = hx509_private_key_init(&key, NULL, NULL);
645
    if (ret)
646
	return ret;
647

648
    rsa = RSA_new();
649
    if (rsa == NULL)
650
	_hx509_abort("out of memory");
651

652
    /*
653
     * The exponent and modulus should always be present according to
654
     * the pkcs11 specification, but some smartcards leaves it out,
655
     * let ignore any failure to fetch it.
656
     */
657
    n = getattr_bn(p, slot, session, object, CKA_MODULUS);
658
    e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
659
    if (RSA_set0_key(rsa, n, e, NULL) != 1) {
660
	BN_free(n);
661
	BN_free(e);
662
	RSA_free(rsa);
663
	hx509_private_key_free(&key);
664
	return EINVAL;
665
    }
666

667
    p11rsa = calloc(1, sizeof(*p11rsa));
668
    if (p11rsa == NULL)
669
	_hx509_abort("out of memory");
670

671
    p11rsa->p = p;
672
    p11rsa->slot = slot;
673
    p11rsa->private_key = object;
674

675
    if (p->ref == 0)
676
	_hx509_abort("pkcs11 ref == 0 on alloc");
677
    p->ref++;
678
    if (p->ref == UINT_MAX)
679
	_hx509_abort("pkcs11 ref == UINT_MAX on alloc");
680

681
    meth = get_p11_rsa_pkcs1_method();
682
    if (meth == NULL)
683
	_hx509_abort("failed to create RSA method");
684
    RSA_set_method(rsa, meth);
685
    ret = RSA_set_app_data(rsa, p11rsa);
686
    if (ret != 1)
687
	_hx509_abort("RSA_set_app_data");
688

689
    hx509_private_key_assign_rsa(key, rsa);
690

691
    ret = _hx509_collector_private_key_add(context,
692
					   collector,
693
					   hx509_signature_rsa(),
694
					   key,
695
					   NULL,
696
					   &localKeyId);
697

698
    if (ret) {
699
	hx509_private_key_free(&key);
700
	return ret;
701
    }
702
    return 0;
703
}
704

705
static void
706
p11_cert_release(hx509_cert cert, void *ctx)
707
{
708
    struct p11_module *p = ctx;
709
    p11_release_module(p);
710
}
711

712

713
static int
714
collect_cert(hx509_context context,
715
	     struct p11_module *p, struct p11_slot *slot,
716
	     CK_SESSION_HANDLE session,
717
	     CK_OBJECT_HANDLE object,
718
	     void *ptr, CK_ATTRIBUTE *query, int num_query)
719
{
720
    struct hx509_collector *collector = ptr;
721
    hx509_cert cert;
722
    int ret;
723

724
    if ((CK_LONG)query[0].ulValueLen == -1 ||
725
	(CK_LONG)query[1].ulValueLen == -1)
726
    {
727
	return 0;
728
    }
729

730
    ret = hx509_cert_init_data(context, query[1].pValue,
731
			       query[1].ulValueLen, &cert);
732
    if (ret)
733
	return ret;
734

735
    if (p->ref == 0)
736
	_hx509_abort("pkcs11 ref == 0 on alloc");
737
    p->ref++;
738
    if (p->ref == UINT_MAX)
739
	_hx509_abort("pkcs11 ref to high");
740

741
    _hx509_cert_set_release(cert, p11_cert_release, p);
742

743
    {
744
	heim_octet_string data;
745

746
	data.data = query[0].pValue;
747
	data.length = query[0].ulValueLen;
748

749
	_hx509_set_cert_attribute(context,
750
				  cert,
751
				  &asn1_oid_id_pkcs_9_at_localKeyId,
752
				  &data);
753
    }
754

755
    if ((CK_LONG)query[2].ulValueLen != -1) {
756
	char *str;
757

758
	asprintf(&str, "%.*s",
759
		 (int)query[2].ulValueLen, (char *)query[2].pValue);
760
	if (str) {
761
	    hx509_cert_set_friendly_name(cert, str);
762
	    free(str);
763
	}
764
    }
765

766
    ret = _hx509_collector_certs_add(context, collector, cert);
767
    hx509_cert_free(cert);
768

769
    return ret;
770
}
771

772

773
static int
774
p11_list_keys(hx509_context context,
775
	      struct p11_module *p,
776
	      struct p11_slot *slot,
777
	      CK_SESSION_HANDLE session,
778
	      hx509_lock lock,
779
	      hx509_certs *certs)
780
{
781
    struct hx509_collector *collector;
782
    CK_OBJECT_CLASS key_class;
783
    CK_ATTRIBUTE search_data[] = {
784
	{CKA_CLASS, NULL, 0},
785
    };
786
    CK_ATTRIBUTE query_data[3] = {
787
	{CKA_ID, NULL, 0},
788
	{CKA_VALUE, NULL, 0},
789
	{CKA_LABEL, NULL, 0}
790
    };
791
    int ret;
792

793
    search_data[0].pValue = &key_class;
794
    search_data[0].ulValueLen = sizeof(key_class);
795

796
    if (lock == NULL)
797
	lock = _hx509_empty_lock;
798

799
    ret = _hx509_collector_alloc(context, lock, &collector);
800
    if (ret)
801
	return ret;
802

803
    key_class = CKO_PRIVATE_KEY;
804
    ret = iterate_entries(context, p, slot, session,
805
			  search_data, 1,
806
			  query_data, 1,
807
			  collect_private_key, collector);
808
    if (ret)
809
	goto out;
810

811
    key_class = CKO_CERTIFICATE;
812
    ret = iterate_entries(context, p, slot, session,
813
			  search_data, 1,
814
			  query_data, 3,
815
			  collect_cert, collector);
816
    if (ret)
817
	goto out;
818

819
    ret = _hx509_collector_collect_certs(context, collector, &slot->certs);
820

821
out:
822
    _hx509_collector_free(collector);
823

824
    return ret;
825
}
826

827

828
static int
829
p11_init(hx509_context context,
830
	 hx509_certs certs, void **data, int flags,
831
	 const char *residue, hx509_lock lock)
832
{
833
    CK_C_GetFunctionList getFuncs;
834
    struct p11_module *p;
835
    char *list, *str;
836
    int ret;
837

838
    *data = NULL;
839

840
    list = strdup(residue);
841
    if (list == NULL)
842
	return ENOMEM;
843

844
    p = calloc(1, sizeof(*p));
845
    if (p == NULL) {
846
	free(list);
847
	return ENOMEM;
848
    }
849

850
    p->ref = 1;
851

852
    str = strchr(list, ',');
853
    if (str)
854
	*str++ = '\0';
855
    while (str) {
856
	char *strnext;
857
	strnext = strchr(str, ',');
858
	if (strnext)
859
	    *strnext++ = '\0';
860
#if 0
861
	if (strncasecmp(str, "slot=", 5) == 0)
862
	    p->selected_slot = atoi(str + 5);
863
#endif
864
	str = strnext;
865
    }
866

867
    p->dl_handle = dlopen(list, RTLD_NOW);
868
    free(list);
869
    if (p->dl_handle == NULL) {
870
	ret = HX509_PKCS11_LOAD;
871
	hx509_set_error_string(context, 0, ret,
872
			       "Failed to open %s: %s", list, dlerror());
873
	goto out;
874
    }
875

876
    getFuncs = (CK_C_GetFunctionList) dlsym(p->dl_handle, "C_GetFunctionList");
877
    if (getFuncs == NULL) {
878
	ret = HX509_PKCS11_LOAD;
879
	hx509_set_error_string(context, 0, ret,
880
			       "C_GetFunctionList missing in %s: %s",
881
			       list, dlerror());
882
	goto out;
883
    }
884

885
    ret = (*getFuncs)(&p->funcs);
886
    if (ret) {
887
	ret = HX509_PKCS11_LOAD;
888
	hx509_set_error_string(context, 0, ret,
889
			       "C_GetFunctionList failed in %s", list);
890
	goto out;
891
    }
892

893
    ret = P11FUNC(p, Initialize, (NULL_PTR));
894
    if (ret != CKR_OK) {
895
	ret = HX509_PKCS11_TOKEN_CONFUSED;
896
	hx509_set_error_string(context, 0, ret,
897
			       "Failed initialize the PKCS11 module");
898
	goto out;
899
    }
900

901
    ret = P11FUNC(p, GetSlotList, (FALSE, NULL, &p->num_slots));
902
    if (ret) {
903
	ret = HX509_PKCS11_TOKEN_CONFUSED;
904
	hx509_set_error_string(context, 0, ret,
905
			       "Failed to get number of PKCS11 slots");
906
	goto out;
907
    }
908

909
   if (p->num_slots == 0) {
910
	ret = HX509_PKCS11_NO_SLOT;
911
	hx509_set_error_string(context, 0, ret,
912
			       "Selected PKCS11 module have no slots");
913
	goto out;
914
   }
915

916

917
    {
918
	CK_SLOT_ID_PTR slot_ids;
919
	int num_tokens = 0;
920
	size_t i;
921

922
	slot_ids = malloc(p->num_slots * sizeof(*slot_ids));
923
	if (slot_ids == NULL) {
924
	    hx509_clear_error_string(context);
925
	    ret = ENOMEM;
926
	    goto out;
927
	}
928

929
	ret = P11FUNC(p, GetSlotList, (FALSE, slot_ids, &p->num_slots));
930
	if (ret) {
931
	    free(slot_ids);
932
	    hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
933
				   "Failed getting slot-list from "
934
				   "PKCS11 module");
935
	    ret = HX509_PKCS11_TOKEN_CONFUSED;
936
	    goto out;
937
	}
938

939
	p->slot = calloc(p->num_slots, sizeof(p->slot[0]));
940
	if (p->slot == NULL) {
941
	    free(slot_ids);
942
	    hx509_set_error_string(context, 0, ENOMEM,
943
				   "Failed to get memory for slot-list");
944
	    ret = ENOMEM;
945
	    goto out;
946
	}
947

948
	for (i = 0; i < p->num_slots; i++) {
949
	    ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);
950
	    if (ret)
951
		break;
952
	    if (p->slot[i].flags & P11_TOKEN_PRESENT)
953
		num_tokens++;
954
	}
955
	free(slot_ids);
956
	if (ret)
957
	    goto out;
958
	if (num_tokens == 0) {
959
	    ret = HX509_PKCS11_NO_TOKEN;
960
	    goto out;
961
	}
962
    }
963

964
    *data = p;
965

966
    return 0;
967
 out:
968
    p11_release_module(p);
969
    return ret;
970
}
971

972
static void
973
p11_release_module(struct p11_module *p)
974
{
975
    size_t i;
976

977
    if (p->ref == 0)
978
	_hx509_abort("pkcs11 ref to low");
979
    if (--p->ref > 0)
980
	return;
981

982
    for (i = 0; i < p->num_slots; i++) {
983
	if (p->slot[i].flags & P11_SESSION_IN_USE)
984
	    _hx509_abort("pkcs11 module release while session in use");
985
	if (p->slot[i].flags & P11_SESSION) {
986
	    P11FUNC(p, CloseSession, (p->slot[i].session));
987
	}
988

989
	if (p->slot[i].name)
990
	    free(p->slot[i].name);
991
	if (p->slot[i].pin) {
992
	    memset(p->slot[i].pin, 0, strlen(p->slot[i].pin));
993
	    free(p->slot[i].pin);
994
	}
995
	if (p->slot[i].mechs.num) {
996
	    free(p->slot[i].mechs.list);
997

998
	    if (p->slot[i].mechs.infos) {
999
		size_t j;
1000

1001
		for (j = 0 ; j < p->slot[i].mechs.num ; j++)
1002
		    free(p->slot[i].mechs.infos[j]);
1003
		free(p->slot[i].mechs.infos);
1004
	    }
1005
	}
1006
    }
1007
    free(p->slot);
1008

1009
    if (p->funcs)
1010
	P11FUNC(p, Finalize, (NULL));
1011

1012
    if (p->dl_handle)
1013
	dlclose(p->dl_handle);
1014

1015
    memset(p, 0, sizeof(*p));
1016
    free(p);
1017
}
1018

1019
static int
1020
p11_free(hx509_certs certs, void *data)
1021
{
1022
    struct p11_module *p = data;
1023
    size_t i;
1024

1025
    for (i = 0; i < p->num_slots; i++) {
1026
	if (p->slot[i].certs)
1027
	    hx509_certs_free(&p->slot[i].certs);
1028
    }
1029
    p11_release_module(p);
1030
    return 0;
1031
}
1032

1033
struct p11_cursor {
1034
    hx509_certs certs;
1035
    void *cursor;
1036
};
1037

1038
static int
1039
p11_iter_start(hx509_context context,
1040
	       hx509_certs certs, void *data, void **cursor)
1041
{
1042
    struct p11_module *p = data;
1043
    struct p11_cursor *c;
1044
    int ret;
1045
    size_t i;
1046

1047
    c = malloc(sizeof(*c));
1048
    if (c == NULL) {
1049
	hx509_clear_error_string(context);
1050
	return ENOMEM;
1051
    }
1052
    ret = hx509_certs_init(context, "MEMORY:pkcs11-iter", 0, NULL, &c->certs);
1053
    if (ret) {
1054
	free(c);
1055
	return ret;
1056
    }
1057

1058
    for (i = 0 ; i < p->num_slots; i++) {
1059
	if (p->slot[i].certs == NULL)
1060
	    continue;
1061
	ret = hx509_certs_merge(context, c->certs, p->slot[i].certs);
1062
	if (ret) {
1063
	    hx509_certs_free(&c->certs);
1064
	    free(c);
1065
	    return ret;
1066
	}
1067
    }
1068

1069
    ret = hx509_certs_start_seq(context, c->certs, &c->cursor);
1070
    if (ret) {
1071
	hx509_certs_free(&c->certs);
1072
	free(c);
1073
	return 0;
1074
    }
1075
    *cursor = c;
1076

1077
    return 0;
1078
}
1079

1080
static int
1081
p11_iter(hx509_context context,
1082
	 hx509_certs certs, void *data, void *cursor, hx509_cert *cert)
1083
{
1084
    struct p11_cursor *c = cursor;
1085
    return hx509_certs_next_cert(context, c->certs, c->cursor, cert);
1086
}
1087

1088
static int
1089
p11_iter_end(hx509_context context,
1090
	     hx509_certs certs, void *data, void *cursor)
1091
{
1092
    struct p11_cursor *c = cursor;
1093
    int ret;
1094
    ret = hx509_certs_end_seq(context, c->certs, c->cursor);
1095
    hx509_certs_free(&c->certs);
1096
    free(c);
1097
    return ret;
1098
}
1099

1100
#define MECHFLAG(x) { "unknown-flag-" #x, x }
1101
static struct units mechflags[] = {
1102
	MECHFLAG(0x80000000),
1103
	MECHFLAG(0x40000000),
1104
	MECHFLAG(0x20000000),
1105
	MECHFLAG(0x10000000),
1106
	MECHFLAG(0x08000000),
1107
	MECHFLAG(0x04000000),
1108
	{"ec-compress",		0x2000000 },
1109
	{"ec-uncompress",	0x1000000 },
1110
	{"ec-namedcurve",	0x0800000 },
1111
	{"ec-ecparameters",	0x0400000 },
1112
	{"ec-f-2m",		0x0200000 },
1113
	{"ec-f-p",		0x0100000 },
1114
	{"derive",		0x0080000 },
1115
	{"unwrap",		0x0040000 },
1116
	{"wrap",		0x0020000 },
1117
	{"genereate-key-pair",	0x0010000 },
1118
	{"generate",		0x0008000 },
1119
	{"verify-recover",	0x0004000 },
1120
	{"verify",		0x0002000 },
1121
	{"sign-recover",	0x0001000 },
1122
	{"sign",		0x0000800 },
1123
	{"digest",		0x0000400 },
1124
	{"decrypt",		0x0000200 },
1125
	{"encrypt",		0x0000100 },
1126
	MECHFLAG(0x00080),
1127
	MECHFLAG(0x00040),
1128
	MECHFLAG(0x00020),
1129
	MECHFLAG(0x00010),
1130
	MECHFLAG(0x00008),
1131
	MECHFLAG(0x00004),
1132
	MECHFLAG(0x00002),
1133
	{"hw",			0x0000001 },
1134
	{ NULL,			0x0000000 }
1135
};
1136
#undef MECHFLAG
1137

1138
static int
1139
p11_printinfo(hx509_context context,
1140
	      hx509_certs certs,
1141
	      void *data,
1142
	      int (*func)(void *, const char *),
1143
	      void *ctx)
1144
{
1145
    struct p11_module *p = data;
1146
    size_t i, j;
1147

1148
    _hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s",
1149
		     p->num_slots, p->num_slots > 1 ? "s" : "");
1150

1151
    for (i = 0; i < p->num_slots; i++) {
1152
	struct p11_slot *s = &p->slot[i];
1153

1154
	_hx509_pi_printf(func, ctx, "slot %d: id: %d name: %s flags: %08x",
1155
			 i, (int)s->id, s->name, s->flags);
1156

1157
	_hx509_pi_printf(func, ctx, "number of supported mechanisms: %lu",
1158
			 (unsigned long)s->mechs.num);
1159
	for (j = 0; j < s->mechs.num; j++) {
1160
	    const char *mechname = "unknown";
1161
	    char flags[256], unknownname[40];
1162
#define MECHNAME(s,n) case s: mechname = n; break
1163
	    switch(s->mechs.list[j]) {
1164
		MECHNAME(CKM_RSA_PKCS_KEY_PAIR_GEN, "rsa-pkcs-key-pair-gen");
1165
		MECHNAME(CKM_RSA_PKCS, "rsa-pkcs");
1166
		MECHNAME(CKM_RSA_X_509, "rsa-x-509");
1167
		MECHNAME(CKM_MD5_RSA_PKCS, "md5-rsa-pkcs");
1168
		MECHNAME(CKM_SHA1_RSA_PKCS, "sha1-rsa-pkcs");
1169
		MECHNAME(CKM_SHA256_RSA_PKCS, "sha256-rsa-pkcs");
1170
		MECHNAME(CKM_SHA384_RSA_PKCS, "sha384-rsa-pkcs");
1171
		MECHNAME(CKM_SHA512_RSA_PKCS, "sha512-rsa-pkcs");
1172
		MECHNAME(CKM_RIPEMD160_RSA_PKCS, "ripemd160-rsa-pkcs");
1173
		MECHNAME(CKM_RSA_PKCS_OAEP, "rsa-pkcs-oaep");
1174
		MECHNAME(CKM_SHA512_HMAC, "sha512-hmac");
1175
		MECHNAME(CKM_SHA512, "sha512");
1176
		MECHNAME(CKM_SHA384_HMAC, "sha384-hmac");
1177
		MECHNAME(CKM_SHA384, "sha384");
1178
		MECHNAME(CKM_SHA256_HMAC, "sha256-hmac");
1179
		MECHNAME(CKM_SHA256, "sha256");
1180
		MECHNAME(CKM_SHA_1, "sha1");
1181
		MECHNAME(CKM_MD5, "md5");
1182
		MECHNAME(CKM_RIPEMD160, "ripemd-160");
1183
		MECHNAME(CKM_DES_ECB, "des-ecb");
1184
		MECHNAME(CKM_DES_CBC, "des-cbc");
1185
		MECHNAME(CKM_AES_ECB, "aes-ecb");
1186
		MECHNAME(CKM_AES_CBC, "aes-cbc");
1187
		MECHNAME(CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen");
1188
	    default:
1189
		snprintf(unknownname, sizeof(unknownname),
1190
			 "unknown-mech-%lu",
1191
			 (unsigned long)s->mechs.list[j]);
1192
		mechname = unknownname;
1193
		break;
1194
	    }
1195
#undef MECHNAME
1196
	    unparse_flags(s->mechs.infos[j]->flags, mechflags,
1197
			  flags, sizeof(flags));
1198

1199
	    _hx509_pi_printf(func, ctx, "  %s: %s", mechname, flags);
1200
	}
1201
    }
1202

1203
    return 0;
1204
}
1205

1206
static struct hx509_keyset_ops keyset_pkcs11 = {
1207
    "PKCS11",
1208
    0,
1209
    p11_init,
1210
    NULL,
1211
    p11_free,
1212
    NULL,
1213
    NULL,
1214
    p11_iter_start,
1215
    p11_iter,
1216
    p11_iter_end,
1217
    p11_printinfo
1218
};
1219

1220
#endif /* HAVE_DLOPEN */
1221

1222
void
1223
_hx509_ks_pkcs11_register(hx509_context context)
1224
{
1225
#ifdef HAVE_DLOPEN
1226
    _hx509_ks_register(context, &keyset_pkcs11);
1227
#endif
1228
}
1229

1230