From 9757296765624140ce25c0303b820c04f34a5b29 Mon Sep 17 00:00:00 2001 From: Packit Service Date: Dec 10 2020 00:18:12 +0000 Subject: Prepare for a new update Reverting patches so we can apply the latest update and changes can be seen in the spec file and sources. --- diff --git a/src/eng_back.c b/src/eng_back.c index 0dd697d..39a685a 100644 --- a/src/eng_back.c +++ b/src/eng_back.c @@ -375,10 +375,10 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, const int login) { PKCS11_SLOT *slot; - PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL; + PKCS11_SLOT *found_slot = NULL; PKCS11_TOKEN *tok, *match_tok = NULL; PKCS11_CERT *certs, *selected_cert = NULL; - X509 *x509 = NULL; + X509 *x509; unsigned int cert_count, n, m; unsigned char cert_id[MAX_VALUE_LEN / 2]; size_t cert_id_len = sizeof(cert_id); @@ -387,7 +387,6 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, size_t tmp_pin_len = MAX_PIN_LENGTH; int slot_nr = -1; char flags[64]; - size_t matched_count = 0; if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */ return NULL; @@ -402,9 +401,11 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, "The certificate ID is not a valid PKCS#11 URI\n" "The PKCS#11 URI format is defined by RFC7512\n"); ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID); - goto error; + return NULL; } if (tmp_pin_len > 0 && tmp_pin[0] != 0) { + if (!login) + return NULL; /* Process on second attempt */ ctx_destroy_pin(ctx); ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1); if (ctx->pin != NULL) { @@ -423,7 +424,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, "The legacy ENGINE_pkcs11 ID format is also " "still accepted for now\n"); ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID); - goto error; + return NULL; } } ctx_log(ctx, 1, "Looking in slot %d for certificate: ", @@ -439,13 +440,6 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, ctx_log(ctx, 1, "\n"); } - matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count, - sizeof(PKCS11_SLOT *)); - if (matched_slots == NULL) { - ctx_log(ctx, 0, "Could not allocate memory for matched slots\n"); - goto error; - } - for (n = 0; n < ctx->slot_count; n++) { slot = ctx->slot_list + n; flags[0] = '\0'; @@ -469,7 +463,6 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) { found_slot = slot; } - if (match_tok && slot->token && (match_tok->label == NULL || !strcmp(match_tok->label, slot->token->label)) && @@ -490,115 +483,75 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, slot->token->label : "no label"); } ctx_log(ctx, 1, "\n"); + } - if (found_slot && found_slot->token && !found_slot->token->initialized) - ctx_log(ctx, 0, "Found uninitialized token\n"); - - /* Ignore slots without tokens or with uninitialized token */ - if (found_slot && found_slot->token && found_slot->token->initialized) { - matched_slots[matched_count] = found_slot; - matched_count++; + if (match_tok) { + OPENSSL_free(match_tok->model); + OPENSSL_free(match_tok->manufacturer); + OPENSSL_free(match_tok->serialnr); + OPENSSL_free(match_tok->label); + OPENSSL_free(match_tok); + } + if (found_slot) { + slot = found_slot; + } else if (match_tok) { + ctx_log(ctx, 0, "Specified object not found\n"); + return NULL; + } else if (slot_nr == -1) { + if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx, + ctx->slot_list, ctx->slot_count))) { + ctx_log(ctx, 0, "No tokens found\n"); + return NULL; } - found_slot = NULL; + } else { + ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr); + return NULL; } + tok = slot->token; - if (matched_count == 0) { - if (match_tok) { - ctx_log(ctx, 0, "Specified object not found\n"); - goto error; - } + if (tok == NULL) { + ctx_log(ctx, 0, "Empty token found\n"); + return NULL; + } - /* If the legacy slot ID format was used */ - if (slot_nr != -1) { - ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr); - goto error; - } else { - found_slot = PKCS11_find_token(ctx->pkcs11_ctx, - ctx->slot_list, ctx->slot_count); - /* Ignore if the the token is not initialized */ - if (found_slot && found_slot->token && - found_slot->token->initialized) { - matched_slots[matched_count] = found_slot; - matched_count++; - } else { - ctx_log(ctx, 0, "No tokens found\n"); - goto error; - } - } + ctx_log(ctx, 1, "Found slot: %s\n", slot->description); + ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); + + /* In several tokens certificates are marked as private */ + if (login && !ctx_login(ctx, slot, tok, + ctx->ui_method, ctx->callback_data)) { + ctx_log(ctx, 0, "Login to token failed, returning NULL...\n"); + return NULL; } - for (n = 0; n < matched_count; n++) { - slot = matched_slots[n]; - tok = slot->token; - if (tok == NULL) { - ctx_log(ctx, 0, "Empty token found\n"); - break; - } + if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) { + ctx_log(ctx, 0, "Unable to enumerate certificates\n"); + return NULL; + } - ctx_log(ctx, 1, "Found slot: %s\n", slot->description); - ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); - - /* In several tokens certificates are marked as private */ - if (login) { - /* Only try to login if login is required */ - if (tok->loginRequired) { - /* Only try to login if a single slot matched to avoiding trying - * the PIN against all matching slots */ - if (matched_count == 1) { - if (!ctx_login(ctx, slot, tok, - ctx->ui_method, ctx->callback_data)) { - ctx_log(ctx, 0, "Login to token failed, returning NULL...\n"); - goto error; - } - } else { - ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to" - " login\n", matched_count); - for (m = 0; m < matched_count; m++){ - slot = matched_slots[m]; - ctx_log(ctx, 0, "[%u] %s: %s\n", m + 1, - slot->description? slot->description: - "(no description)", - (slot->token && slot->token->label)? - slot->token->label: "no label"); - } - goto error; - } - } - } + ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count, + (cert_count <= 1) ? "" : "s"); + if ((s_slot_cert_id && *s_slot_cert_id) && + (cert_id_len != 0 || cert_label != NULL)) { + for (n = 0; n < cert_count; n++) { + PKCS11_CERT *k = certs + n; - if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) { - ctx_log(ctx, 0, "Unable to enumerate certificates\n"); - continue; + if (cert_label != NULL && strcmp(k->label, cert_label) == 0) + selected_cert = k; + if (cert_id_len != 0 && k->id_len == cert_id_len && + memcmp(k->id, cert_id, cert_id_len) == 0) + selected_cert = k; } - - ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count, - (cert_count <= 1) ? "" : "s"); - if ((s_slot_cert_id && *s_slot_cert_id) && - (cert_id_len != 0 || cert_label != NULL)) { - for (m = 0; m < cert_count; m++) { - PKCS11_CERT *k = certs + m; - - if (cert_label != NULL && strcmp(k->label, cert_label) == 0) - selected_cert = k; - if (cert_id_len != 0 && k->id_len == cert_id_len && - memcmp(k->id, cert_id, cert_id_len) == 0) - selected_cert = k; - } - } else { - for (m = 0; m < cert_count; m++) { - PKCS11_CERT *k = certs + m; - if (k->id && *(k->id)) { - selected_cert = k; /* Use the first certificate with nonempty id */ - break; - } + } else { + for (n = 0; n < cert_count; n++) { + PKCS11_CERT *k = certs + n; + if (k->id && *(k->id)) { + selected_cert = k; /* Use the first certificate with nonempty id */ + break; } - if (!selected_cert) - selected_cert = certs; /* Use the first certificate */ - } - - if (selected_cert) { - break; } + if (!selected_cert) + selected_cert = certs; /* Use the first certificate */ } if (selected_cert != NULL) { @@ -608,20 +561,8 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, ctx_log(ctx, 0, "Certificate not found.\n"); x509 = NULL; } -error: - /* Free the searched token data */ - if (match_tok) { - OPENSSL_free(match_tok->model); - OPENSSL_free(match_tok->manufacturer); - OPENSSL_free(match_tok->serialnr); - OPENSSL_free(match_tok->label); - OPENSSL_free(match_tok); - } - if (cert_label != NULL) OPENSSL_free(cert_label); - if (matched_slots != NULL) - free(matched_slots); return x509; } @@ -664,7 +605,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, const int isPrivate, const int login) { PKCS11_SLOT *slot; - PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL; + PKCS11_SLOT *found_slot = NULL; PKCS11_TOKEN *tok, *match_tok = NULL; PKCS11_KEY *keys, *selected_key = NULL; EVP_PKEY *pk = NULL; @@ -676,7 +617,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, char tmp_pin[MAX_PIN_LENGTH+1]; size_t tmp_pin_len = MAX_PIN_LENGTH; char flags[64]; - size_t matched_count = 0; if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */ goto error; @@ -697,9 +637,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, goto error; } if (tmp_pin_len > 0 && tmp_pin[0] != 0) { - /* If the searched key is public, try without login once even - * when the PIN is provided */ - if (!login && isPrivate) + if (!login) goto error; /* Process on second attempt */ ctx_destroy_pin(ctx); ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1); @@ -735,13 +673,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, ctx_log(ctx, 1, "\n"); } - matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count, - sizeof(PKCS11_SLOT *)); - if (matched_slots == NULL) { - ctx_log(ctx, 0, "Could not allocate memory for matched slots\n"); - goto error; - } - for (n = 0; n < ctx->slot_count; n++) { slot = ctx->slot_list + n; flags[0] = '\0'; @@ -765,7 +696,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) { found_slot = slot; } - if (match_tok && slot->token && (match_tok->label == NULL || !strcmp(match_tok->label, slot->token->label)) && @@ -786,128 +716,92 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, slot->token->label : "no label"); } ctx_log(ctx, 1, "\n"); - - if (found_slot && found_slot->token && !found_slot->token->initialized) - ctx_log(ctx, 0, "Found uninitialized token\n"); - - /* Ignore slots without tokens or with uninitialized token */ - if (found_slot && found_slot->token && found_slot->token->initialized) { - matched_slots[matched_count] = found_slot; - matched_count++; - } - found_slot = NULL; } - if (matched_count == 0) { - if (match_tok) { - ctx_log(ctx, 0, "Specified object not found\n"); + if (match_tok) { + OPENSSL_free(match_tok->model); + OPENSSL_free(match_tok->manufacturer); + OPENSSL_free(match_tok->serialnr); + OPENSSL_free(match_tok->label); + OPENSSL_free(match_tok); + } + if (found_slot) { + slot = found_slot; + } else if (match_tok) { + ctx_log(ctx, 0, "Specified object not found\n"); + goto error; + } else if (slot_nr == -1) { + if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx, + ctx->slot_list, ctx->slot_count))) { + ctx_log(ctx, 0, "No tokens found\n"); goto error; } + } else { + ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr); + goto error; + } + tok = slot->token; - /* If the legacy slot ID format was used */ - if (slot_nr != -1) { - ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr); - goto error; - } else { - found_slot = PKCS11_find_token(ctx->pkcs11_ctx, - ctx->slot_list, ctx->slot_count); - /* Ignore if the the token is not initialized */ - if (found_slot && found_slot->token && - found_slot->token->initialized) { - matched_slots[matched_count] = found_slot; - matched_count++; - } else { - ctx_log(ctx, 0, "No tokens found\n"); - goto error; - } - } + if (tok == NULL) { + ctx_log(ctx, 0, "Found empty token\n"); + goto error; } + /* The following check is non-critical to ensure interoperability + * with some other (which ones?) PKCS#11 libraries */ + if (!tok->initialized) + ctx_log(ctx, 0, "Found uninitialized token\n"); - for (n = 0; n < matched_count; n++) { - slot = matched_slots[n]; - tok = slot->token; - if (tok == NULL) { - ctx_log(ctx, 0, "Found empty token\n"); - break; - } + ctx_log(ctx, 1, "Found slot: %s\n", slot->description); + ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); - ctx_log(ctx, 1, "Found slot: %s\n", slot->description); - ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); - - /* Both private and public keys can have the CKA_PRIVATE attribute - * set and thus require login (even to retrieve attributes!) */ - if (login) { - /* Try to login only if login is required */ - if (tok->loginRequired) { - /* Try to login only if a single slot matched to avoiding trying - * the PIN against all matching slots */ - if (matched_count == 1) { - if (!ctx_login(ctx, slot, tok, ui_method, callback_data)) { - ctx_log(ctx, 0, "Login to token failed, returning NULL...\n"); - goto error; - } - } else { - ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to" - " login\n", matched_count); - for (m = 0; m < matched_count; m++){ - slot = matched_slots[m]; - ctx_log(ctx, 1, "[%u] %s: %s\n", m + 1, - slot->description? slot->description: - "(no description)", - (slot->token && slot->token->label)? - slot->token->label: "no label"); - } - goto error; - } - } - } + /* Both private and public keys can have the CKA_PRIVATE attribute + * set and thus require login (even to retrieve attributes!) */ + if (login && !ctx_login(ctx, slot, tok, ui_method, callback_data)) { + ctx_log(ctx, 0, "Login to token failed, returning NULL...\n"); + goto error; + } - if (isPrivate) { - /* Make sure there is at least one private key on the token */ - if (PKCS11_enumerate_keys(tok, &keys, &key_count)) { - ctx_log(ctx, 0, "Unable to enumerate private keys\n"); - continue; - } - } else { - /* Make sure there is at least one public key on the token */ - if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) { - ctx_log(ctx, 0, "Unable to enumerate public keys\n"); - continue; - } - } - if (key_count == 0) { - if (login) /* Only print the error on the second attempt */ - ctx_log(ctx, 0, "No %s keys found.\n", - (char *)(isPrivate ? "private" : "public")); - continue; + if (isPrivate) { + /* Make sure there is at least one private key on the token */ + if (PKCS11_enumerate_keys(tok, &keys, &key_count)) { + ctx_log(ctx, 0, "Unable to enumerate private keys\n"); + goto error; } - ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count, - (char *)(isPrivate ? "private" : "public"), - (key_count == 1) ? "" : "s"); - - if (s_slot_key_id && *s_slot_key_id && - (key_id_len != 0 || key_label != NULL)) { - for (m = 0; m < key_count; m++) { - PKCS11_KEY *k = keys + m; - - ctx_log(ctx, 1, " %2u %c%c id=", m + 1, - k->isPrivate ? 'P' : ' ', - k->needLogin ? 'L' : ' '); - dump_hex(ctx, 1, k->id, k->id_len); - ctx_log(ctx, 1, " label=%s\n", k->label); - if (key_label != NULL && strcmp(k->label, key_label) == 0) - selected_key = k; - if (key_id_len != 0 && k->id_len == key_id_len - && memcmp(k->id, key_id, key_id_len) == 0) - selected_key = k; - } - } else { - selected_key = keys; /* Use the first key */ + } else { + /* Make sure there is at least one public key on the token */ + if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) { + ctx_log(ctx, 0, "Unable to enumerate public keys\n"); + goto error; } - - if (selected_key) { - break; + } + if (key_count == 0) { + if (login) /* Only print the error on the second attempt */ + ctx_log(ctx, 0, "No %s keys found.\n", + (char *)(isPrivate ? "private" : "public")); + goto error; + } + ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count, + (char *)(isPrivate ? "private" : "public"), + (key_count == 1) ? "" : "s"); + + if (s_slot_key_id && *s_slot_key_id && + (key_id_len != 0 || key_label != NULL)) { + for (n = 0; n < key_count; n++) { + PKCS11_KEY *k = keys + n; + + ctx_log(ctx, 1, " %2u %c%c id=", n + 1, + k->isPrivate ? 'P' : ' ', + k->needLogin ? 'L' : ' '); + dump_hex(ctx, 1, k->id, k->id_len); + ctx_log(ctx, 1, " label=%s\n", k->label); + if (key_label != NULL && strcmp(k->label, key_label) == 0) + selected_key = k; + if (key_id_len != 0 && k->id_len == key_id_len + && memcmp(k->id, key_id, key_id_len) == 0) + selected_key = k; } + } else { + selected_key = keys; /* Use the first key */ } if (selected_key != NULL) { @@ -919,20 +813,9 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, ctx_log(ctx, 0, "Key not found.\n"); pk = NULL; } - error: - /* Free the searched token data */ - if (match_tok) { - OPENSSL_free(match_tok->model); - OPENSSL_free(match_tok->manufacturer); - OPENSSL_free(match_tok->serialnr); - OPENSSL_free(match_tok->label); - OPENSSL_free(match_tok); - } if (key_label != NULL) OPENSSL_free(key_label); - if (matched_slots != NULL) - free(matched_slots); return pk; } diff --git a/src/p11_atfork.c b/src/p11_atfork.c index 43c38f7..8fc8689 100644 --- a/src/p11_atfork.c +++ b/src/p11_atfork.c @@ -23,7 +23,6 @@ #include "libp11-int.h" #ifndef _WIN32 -#include #ifndef __STDC_VERSION__ /* older than C90 */ diff --git a/src/p11_pkey.c b/src/p11_pkey.c index de0277e..7eaf761 100644 --- a/src/p11_pkey.c +++ b/src/p11_pkey.c @@ -545,7 +545,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx, ossl_sig = ECDSA_SIG_new(); if (ossl_sig == NULL) - return -1; + return-1; pkey = EVP_PKEY_CTX_get0_pkey(evp_pkey_ctx); if (pkey == NULL) @@ -578,6 +578,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx, return -1; if (!cpriv->sign_initialized) { + int padding; CK_MECHANISM mechanism; memset(&mechanism, 0, sizeof mechanism); @@ -665,8 +666,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth, EVP_PKEY_EC, 0 }; - EVP_PKEY_METHOD *pkey_method_rsa = NULL; - EVP_PKEY_METHOD *pkey_method_ec = NULL; + static EVP_PKEY_METHOD *pkey_method_rsa = NULL; + static EVP_PKEY_METHOD *pkey_method_ec = NULL; (void)e; /* squash the unused parameter warning */ /* all PKCS#11 engines currently share the same pkey_meths */ @@ -679,14 +680,16 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth, /* get the EVP_PKEY_METHOD */ switch (nid) { case EVP_PKEY_RSA: - pkey_method_rsa = pkcs11_pkey_method_rsa(); + if (pkey_method_rsa == NULL) + pkey_method_rsa = pkcs11_pkey_method_rsa(); if (pkey_method_rsa == NULL) return 0; *pmeth = pkey_method_rsa; return 1; /* success */ #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: - pkey_method_ec = pkcs11_pkey_method_ec(); + if (pkey_method_ec == NULL) + pkey_method_ec = pkcs11_pkey_method_ec(); if (pkey_method_ec == NULL) return 0; *pmeth = pkey_method_ec; diff --git a/src/p11_rsa.c b/src/p11_rsa.c index 02d15cb..e699009 100644 --- a/src/p11_rsa.c +++ b/src/p11_rsa.c @@ -478,7 +478,7 @@ RSA_METHOD *PKCS11_get_rsa_method(void) if (ops == NULL) return NULL; RSA_meth_set1_name(ops, "libp11 RSA method"); - RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD); + RSA_meth_set_flags(ops, 0); RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method); RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method); RSA_meth_set_finish(ops, pkcs11_rsa_free_method); diff --git a/tests/Makefile.am b/tests/Makefile.am index 4fa22dc..e7d61ee 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -28,9 +28,7 @@ dist_check_SCRIPTS = \ rsa-pss-sign.softhsm \ rsa-oaep.softhsm \ case-insensitive.softhsm \ - ec-check-privkey.softhsm \ - pkcs11-uri-without-token.softhsm \ - search-all-matching-tokens.softhsm + ec-check-privkey.softhsm dist_check_DATA = \ rsa-cert.der rsa-prvkey.der rsa-pubkey.der \ ec-cert.der ec-prvkey.der ec-pubkey.der diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm deleted file mode 100755 index f82e1f4..0000000 --- a/tests/pkcs11-uri-without-token.softhsm +++ /dev/null @@ -1,62 +0,0 @@ -#!/bin/sh - -# Copyright (C) 2015 Nikos Mavrogiannopoulos -# -# GnuTLS is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 3 of the License, or (at -# your option) any later version. -# -# GnuTLS is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with GnuTLS; if not, write to the Free Software Foundation, -# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - -# This test checks if it is possible to use the keys without specifying the -# token if there is only one initialized token available. - -outdir="output.$$" - -# Load common test functions -. ${srcdir}/rsa-common.sh - -# Do the common test initialization -common_init - -sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \ - "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" \ - <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf" - -export OPENSSL_ENGINES="../src/.libs/" -export OPENSSL_CONF="${outdir}/engines.cnf" - -# These URIs don't contain the token specification -PRIVATE_KEY="pkcs11:object=server-key;type=private;pin-value=1234" -PUBLIC_KEY="pkcs11:object=server-key;type=public;pin-value=1234" - -# Create input file -echo "secret" >"${outdir}/in.txt" - -# Generate signature without specifying the token in the PKCS#11 URI -openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \ - -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt" -if test $? != 0;then - echo "Failed to generate signature using PKCS#11 URI ${PRIVATE_KEY}" - exit 1; -fi - -# Verify the signature without specifying the token in the PKCS#11 URI -openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY}" \ - -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" -if test $? != 0;then - echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}" - exit 1; -fi - -rm -rf "$outdir" - -exit 0 diff --git a/tests/rsa-common.sh b/tests/rsa-common.sh index e6e12cb..7db5ba0 100755 --- a/tests/rsa-common.sh +++ b/tests/rsa-common.sh @@ -86,13 +86,13 @@ init_db () { # Create a new device init_card () { - pin="$1" - puk="$2" - dev_label="$3" + PIN="$1" + PUK="$2" + DEV_LABEL="$3" - echo -n "* Initializing smart card ${dev_label}..." - ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${dev_label}" \ - --so-pin "${puk}" --pin "${pin}" >/dev/null + echo -n "* Initializing smart card... " + ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${DEV_LABEL}" \ + --so-pin "${PUK}" --pin "${PIN}" >/dev/null if test $? = 0; then echo ok else @@ -103,26 +103,22 @@ init_card () { # Import objects to the token import_objects () { - id=$1 - obj_label=$2 - token_label=$3 + ID=$1 + OBJ_LABEL=$2 - pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \ - --token-label ${token_label} -a ${obj_label} -l -w \ + pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \ ${srcdir}/rsa-prvkey.der -y privkey >/dev/null if test $? != 0;then exit 1; fi - pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \ - --token-label ${token_label} -a ${obj_label} -l -w \ + pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \ ${srcdir}/rsa-pubkey.der -y pubkey >/dev/null if test $? != 0;then exit 1; fi - pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \ - --token-label ${token_label} -a ${obj_label} -l -w \ + pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \ ${srcdir}/rsa-cert.der -y cert >/dev/null if test $? != 0;then exit 1; @@ -152,34 +148,8 @@ common_init () { echo Importing # Import the used objects (private key, public key, and certificate) - import_objects 01020304 "server-key" "libp11-test" + import_objects 01020304 "server-key" # List the imported objects list_objects } - -create_devices () { - num_devices=$1 - pin="$2" - puk="$3" - common_label="$4" - object_label="$5" - - i=0 - while [ $i -le ${num_devices} ]; do - init_card ${pin} ${puk} "${common_label}-$i" - - echo "Importing objects to token ${common_label}-$i" - # Import objects with different labels - import_objects 01020304 "${object_label}-$i" "${common_label}-$i" - - pkcs11-tool -p ${pin} --module ${MODULE} -l -O --token-label \ - "${common_label}-$i" - if test $? != 0;then - echo Failed! - exit 1; - fi - - i=$(($i + 1)) - done -} diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm deleted file mode 100755 index 0db697e..0000000 --- a/tests/search-all-matching-tokens.softhsm +++ /dev/null @@ -1,107 +0,0 @@ -#!/bin/sh - -# Copyright (C) 2015 Nikos Mavrogiannopoulos -# -# GnuTLS is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 3 of the License, or (at -# your option) any later version. -# -# GnuTLS is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with GnuTLS; if not, write to the Free Software Foundation, -# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - -# This test checks if the search for objects in tokens will continue past the -# first token found. -# -# Generic PKCS#11 URIs are used to make the search to match more than one -# token. The search should be able to find the objects in each device, which are -# labeled differently per token. -# -# This test also contains a negative test to verify that the engine will not try -# to login to a token if more than one token matched the search. This is why it -# is required to have only one match to be able to use a private key. - -outdir="output.$$" - -# Load common test functions -. ${srcdir}/rsa-common.sh - -PIN=1234 -PUK=1234 - -NUM_DEVICES=5 - -# Initialize the SoftHSM DB -init_db - -# Create some devices -create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label" - -sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf" - -export OPENSSL_ENGINES="../src/.libs/" -export OPENSSL_CONF="${outdir}/engines.cnf" - -PRIVATE_KEY="pkcs11:token=libp11-test-3;object=label-3;type=private;pin-value=1234" -PRIVATE_KEY_WITHOUT_TOKEN="pkcs11:object=label-3;type=private;pin-value=1234" -PUBLIC_KEY_ANY="pkcs11:type=public" -CERTIFICATE="pkcs11:object=label-3;type=cert;pin-value=1234" - -# Create input file -echo "secret" > "${outdir}/in.txt" - -# Verify that it doesn't try to login if more than one token matched the search -openssl pkeyutl -engine pkcs11 -keyform engine \ - -inkey "${PRIVATE_KEY_WITHOUT_TOKEN}" \ - -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt" -if test $? = 0;then - echo "Did not fail when the PKCS#11 URI matched multiple tokens" - exit 1; -fi - -# Generate signature specifying the token in the PKCS#11 URI -openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \ - -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt" -if test $? != 0;then - echo "Failed to sign file using PKCS#11 URI ${PRIVATE_KEY}" - exit 1; -fi - -# Verify the signature using the public key from each token -i=0 -while [ $i -le ${NUM_DEVICES} ]; do - pubkey="pkcs11:object=label-$i;type=public;pin-value=1234" - openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${pubkey}" \ - -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" - if test $? != 0;then - echo "Failed to verify the signature using the PKCS#11 URI ${pubkey}" - exit 1; - fi - i=$(($i + 1)) -done - -# Verify the signature using a certificate without specifying the token -openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${CERTIFICATE}" \ - -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" -if test $? != 0;then - echo "Failed to verify the signature using the PKCS#11 URI ${CERTIFICATE}" - exit 1; -fi - -# Verify the signature using the first public key found -openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY_ANY}" \ - -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" -if test $? != 0;then - echo "Failed to verify the signature using the PKCS#11 URI ${PUBLIC_KEY_ANY}." - exit 1; -fi - -rm -rf "$outdir" - -exit 0