diff --git a/src/eng_back.c b/src/eng_back.c
index 0dd697d..39a685a 100644
--- a/src/eng_back.c
+++ b/src/eng_back.c
@@ -375,10 +375,10 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
const int login)
{
PKCS11_SLOT *slot;
- PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
+ PKCS11_SLOT *found_slot = NULL;
PKCS11_TOKEN *tok, *match_tok = NULL;
PKCS11_CERT *certs, *selected_cert = NULL;
- X509 *x509 = NULL;
+ X509 *x509;
unsigned int cert_count, n, m;
unsigned char cert_id[MAX_VALUE_LEN / 2];
size_t cert_id_len = sizeof(cert_id);
@@ -387,7 +387,6 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
size_t tmp_pin_len = MAX_PIN_LENGTH;
int slot_nr = -1;
char flags[64];
- size_t matched_count = 0;
if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
return NULL;
@@ -402,9 +401,11 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
"The certificate ID is not a valid PKCS#11 URI\n"
"The PKCS#11 URI format is defined by RFC7512\n");
ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
- goto error;
+ return NULL;
}
if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
+ if (!login)
+ return NULL; /* Process on second attempt */
ctx_destroy_pin(ctx);
ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
if (ctx->pin != NULL) {
@@ -423,7 +424,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
"The legacy ENGINE_pkcs11 ID format is also "
"still accepted for now\n");
ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
- goto error;
+ return NULL;
}
}
ctx_log(ctx, 1, "Looking in slot %d for certificate: ",
@@ -439,13 +440,6 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
ctx_log(ctx, 1, "\n");
}
- matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
- sizeof(PKCS11_SLOT *));
- if (matched_slots == NULL) {
- ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
- goto error;
- }
-
for (n = 0; n < ctx->slot_count; n++) {
slot = ctx->slot_list + n;
flags[0] = '\0';
@@ -469,7 +463,6 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
found_slot = slot;
}
-
if (match_tok && slot->token &&
(match_tok->label == NULL ||
!strcmp(match_tok->label, slot->token->label)) &&
@@ -490,115 +483,75 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
slot->token->label : "no label");
}
ctx_log(ctx, 1, "\n");
+ }
- if (found_slot && found_slot->token && !found_slot->token->initialized)
- ctx_log(ctx, 0, "Found uninitialized token\n");
-
- /* Ignore slots without tokens or with uninitialized token */
- if (found_slot && found_slot->token && found_slot->token->initialized) {
- matched_slots[matched_count] = found_slot;
- matched_count++;
+ if (match_tok) {
+ OPENSSL_free(match_tok->model);
+ OPENSSL_free(match_tok->manufacturer);
+ OPENSSL_free(match_tok->serialnr);
+ OPENSSL_free(match_tok->label);
+ OPENSSL_free(match_tok);
+ }
+ if (found_slot) {
+ slot = found_slot;
+ } else if (match_tok) {
+ ctx_log(ctx, 0, "Specified object not found\n");
+ return NULL;
+ } else if (slot_nr == -1) {
+ if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
+ ctx->slot_list, ctx->slot_count))) {
+ ctx_log(ctx, 0, "No tokens found\n");
+ return NULL;
}
- found_slot = NULL;
+ } else {
+ ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
+ return NULL;
}
+ tok = slot->token;
- if (matched_count == 0) {
- if (match_tok) {
- ctx_log(ctx, 0, "Specified object not found\n");
- goto error;
- }
+ if (tok == NULL) {
+ ctx_log(ctx, 0, "Empty token found\n");
+ return NULL;
+ }
- /* If the legacy slot ID format was used */
- if (slot_nr != -1) {
- ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
- goto error;
- } else {
- found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
- ctx->slot_list, ctx->slot_count);
- /* Ignore if the the token is not initialized */
- if (found_slot && found_slot->token &&
- found_slot->token->initialized) {
- matched_slots[matched_count] = found_slot;
- matched_count++;
- } else {
- ctx_log(ctx, 0, "No tokens found\n");
- goto error;
- }
- }
+ ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
+ ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
+
+ /* In several tokens certificates are marked as private */
+ if (login && !ctx_login(ctx, slot, tok,
+ ctx->ui_method, ctx->callback_data)) {
+ ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
+ return NULL;
}
- for (n = 0; n < matched_count; n++) {
- slot = matched_slots[n];
- tok = slot->token;
- if (tok == NULL) {
- ctx_log(ctx, 0, "Empty token found\n");
- break;
- }
+ if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
+ ctx_log(ctx, 0, "Unable to enumerate certificates\n");
+ return NULL;
+ }
- ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
- ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
-
- /* In several tokens certificates are marked as private */
- if (login) {
- /* Only try to login if login is required */
- if (tok->loginRequired) {
- /* Only try to login if a single slot matched to avoiding trying
- * the PIN against all matching slots */
- if (matched_count == 1) {
- if (!ctx_login(ctx, slot, tok,
- ctx->ui_method, ctx->callback_data)) {
- ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
- goto error;
- }
- } else {
- ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
- " login\n", matched_count);
- for (m = 0; m < matched_count; m++){
- slot = matched_slots[m];
- ctx_log(ctx, 0, "[%u] %s: %s\n", m + 1,
- slot->description? slot->description:
- "(no description)",
- (slot->token && slot->token->label)?
- slot->token->label: "no label");
- }
- goto error;
- }
- }
- }
+ ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
+ (cert_count <= 1) ? "" : "s");
+ if ((s_slot_cert_id && *s_slot_cert_id) &&
+ (cert_id_len != 0 || cert_label != NULL)) {
+ for (n = 0; n < cert_count; n++) {
+ PKCS11_CERT *k = certs + n;
- if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
- ctx_log(ctx, 0, "Unable to enumerate certificates\n");
- continue;
+ if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
+ selected_cert = k;
+ if (cert_id_len != 0 && k->id_len == cert_id_len &&
+ memcmp(k->id, cert_id, cert_id_len) == 0)
+ selected_cert = k;
}
-
- ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
- (cert_count <= 1) ? "" : "s");
- if ((s_slot_cert_id && *s_slot_cert_id) &&
- (cert_id_len != 0 || cert_label != NULL)) {
- for (m = 0; m < cert_count; m++) {
- PKCS11_CERT *k = certs + m;
-
- if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
- selected_cert = k;
- if (cert_id_len != 0 && k->id_len == cert_id_len &&
- memcmp(k->id, cert_id, cert_id_len) == 0)
- selected_cert = k;
- }
- } else {
- for (m = 0; m < cert_count; m++) {
- PKCS11_CERT *k = certs + m;
- if (k->id && *(k->id)) {
- selected_cert = k; /* Use the first certificate with nonempty id */
- break;
- }
+ } else {
+ for (n = 0; n < cert_count; n++) {
+ PKCS11_CERT *k = certs + n;
+ if (k->id && *(k->id)) {
+ selected_cert = k; /* Use the first certificate with nonempty id */
+ break;
}
- if (!selected_cert)
- selected_cert = certs; /* Use the first certificate */
- }
-
- if (selected_cert) {
- break;
}
+ if (!selected_cert)
+ selected_cert = certs; /* Use the first certificate */
}
if (selected_cert != NULL) {
@@ -608,20 +561,8 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
ctx_log(ctx, 0, "Certificate not found.\n");
x509 = NULL;
}
-error:
- /* Free the searched token data */
- if (match_tok) {
- OPENSSL_free(match_tok->model);
- OPENSSL_free(match_tok->manufacturer);
- OPENSSL_free(match_tok->serialnr);
- OPENSSL_free(match_tok->label);
- OPENSSL_free(match_tok);
- }
-
if (cert_label != NULL)
OPENSSL_free(cert_label);
- if (matched_slots != NULL)
- free(matched_slots);
return x509;
}
@@ -664,7 +605,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
const int isPrivate, const int login)
{
PKCS11_SLOT *slot;
- PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
+ PKCS11_SLOT *found_slot = NULL;
PKCS11_TOKEN *tok, *match_tok = NULL;
PKCS11_KEY *keys, *selected_key = NULL;
EVP_PKEY *pk = NULL;
@@ -676,7 +617,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
char tmp_pin[MAX_PIN_LENGTH+1];
size_t tmp_pin_len = MAX_PIN_LENGTH;
char flags[64];
- size_t matched_count = 0;
if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
goto error;
@@ -697,9 +637,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
goto error;
}
if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
- /* If the searched key is public, try without login once even
- * when the PIN is provided */
- if (!login && isPrivate)
+ if (!login)
goto error; /* Process on second attempt */
ctx_destroy_pin(ctx);
ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
@@ -735,13 +673,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
ctx_log(ctx, 1, "\n");
}
- matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
- sizeof(PKCS11_SLOT *));
- if (matched_slots == NULL) {
- ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
- goto error;
- }
-
for (n = 0; n < ctx->slot_count; n++) {
slot = ctx->slot_list + n;
flags[0] = '\0';
@@ -765,7 +696,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
found_slot = slot;
}
-
if (match_tok && slot->token &&
(match_tok->label == NULL ||
!strcmp(match_tok->label, slot->token->label)) &&
@@ -786,128 +716,92 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
slot->token->label : "no label");
}
ctx_log(ctx, 1, "\n");
-
- if (found_slot && found_slot->token && !found_slot->token->initialized)
- ctx_log(ctx, 0, "Found uninitialized token\n");
-
- /* Ignore slots without tokens or with uninitialized token */
- if (found_slot && found_slot->token && found_slot->token->initialized) {
- matched_slots[matched_count] = found_slot;
- matched_count++;
- }
- found_slot = NULL;
}
- if (matched_count == 0) {
- if (match_tok) {
- ctx_log(ctx, 0, "Specified object not found\n");
+ if (match_tok) {
+ OPENSSL_free(match_tok->model);
+ OPENSSL_free(match_tok->manufacturer);
+ OPENSSL_free(match_tok->serialnr);
+ OPENSSL_free(match_tok->label);
+ OPENSSL_free(match_tok);
+ }
+ if (found_slot) {
+ slot = found_slot;
+ } else if (match_tok) {
+ ctx_log(ctx, 0, "Specified object not found\n");
+ goto error;
+ } else if (slot_nr == -1) {
+ if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
+ ctx->slot_list, ctx->slot_count))) {
+ ctx_log(ctx, 0, "No tokens found\n");
goto error;
}
+ } else {
+ ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
+ goto error;
+ }
+ tok = slot->token;
- /* If the legacy slot ID format was used */
- if (slot_nr != -1) {
- ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
- goto error;
- } else {
- found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
- ctx->slot_list, ctx->slot_count);
- /* Ignore if the the token is not initialized */
- if (found_slot && found_slot->token &&
- found_slot->token->initialized) {
- matched_slots[matched_count] = found_slot;
- matched_count++;
- } else {
- ctx_log(ctx, 0, "No tokens found\n");
- goto error;
- }
- }
+ if (tok == NULL) {
+ ctx_log(ctx, 0, "Found empty token\n");
+ goto error;
}
+ /* The following check is non-critical to ensure interoperability
+ * with some other (which ones?) PKCS#11 libraries */
+ if (!tok->initialized)
+ ctx_log(ctx, 0, "Found uninitialized token\n");
- for (n = 0; n < matched_count; n++) {
- slot = matched_slots[n];
- tok = slot->token;
- if (tok == NULL) {
- ctx_log(ctx, 0, "Found empty token\n");
- break;
- }
+ ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
+ ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
- ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
- ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
-
- /* Both private and public keys can have the CKA_PRIVATE attribute
- * set and thus require login (even to retrieve attributes!) */
- if (login) {
- /* Try to login only if login is required */
- if (tok->loginRequired) {
- /* Try to login only if a single slot matched to avoiding trying
- * the PIN against all matching slots */
- if (matched_count == 1) {
- if (!ctx_login(ctx, slot, tok, ui_method, callback_data)) {
- ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
- goto error;
- }
- } else {
- ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
- " login\n", matched_count);
- for (m = 0; m < matched_count; m++){
- slot = matched_slots[m];
- ctx_log(ctx, 1, "[%u] %s: %s\n", m + 1,
- slot->description? slot->description:
- "(no description)",
- (slot->token && slot->token->label)?
- slot->token->label: "no label");
- }
- goto error;
- }
- }
- }
+ /* Both private and public keys can have the CKA_PRIVATE attribute
+ * set and thus require login (even to retrieve attributes!) */
+ if (login && !ctx_login(ctx, slot, tok, ui_method, callback_data)) {
+ ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
+ goto error;
+ }
- if (isPrivate) {
- /* Make sure there is at least one private key on the token */
- if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
- ctx_log(ctx, 0, "Unable to enumerate private keys\n");
- continue;
- }
- } else {
- /* Make sure there is at least one public key on the token */
- if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
- ctx_log(ctx, 0, "Unable to enumerate public keys\n");
- continue;
- }
- }
- if (key_count == 0) {
- if (login) /* Only print the error on the second attempt */
- ctx_log(ctx, 0, "No %s keys found.\n",
- (char *)(isPrivate ? "private" : "public"));
- continue;
+ if (isPrivate) {
+ /* Make sure there is at least one private key on the token */
+ if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
+ ctx_log(ctx, 0, "Unable to enumerate private keys\n");
+ goto error;
}
- ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
- (char *)(isPrivate ? "private" : "public"),
- (key_count == 1) ? "" : "s");
-
- if (s_slot_key_id && *s_slot_key_id &&
- (key_id_len != 0 || key_label != NULL)) {
- for (m = 0; m < key_count; m++) {
- PKCS11_KEY *k = keys + m;
-
- ctx_log(ctx, 1, " %2u %c%c id=", m + 1,
- k->isPrivate ? 'P' : ' ',
- k->needLogin ? 'L' : ' ');
- dump_hex(ctx, 1, k->id, k->id_len);
- ctx_log(ctx, 1, " label=%s\n", k->label);
- if (key_label != NULL && strcmp(k->label, key_label) == 0)
- selected_key = k;
- if (key_id_len != 0 && k->id_len == key_id_len
- && memcmp(k->id, key_id, key_id_len) == 0)
- selected_key = k;
- }
- } else {
- selected_key = keys; /* Use the first key */
+ } else {
+ /* Make sure there is at least one public key on the token */
+ if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
+ ctx_log(ctx, 0, "Unable to enumerate public keys\n");
+ goto error;
}
-
- if (selected_key) {
- break;
+ }
+ if (key_count == 0) {
+ if (login) /* Only print the error on the second attempt */
+ ctx_log(ctx, 0, "No %s keys found.\n",
+ (char *)(isPrivate ? "private" : "public"));
+ goto error;
+ }
+ ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
+ (char *)(isPrivate ? "private" : "public"),
+ (key_count == 1) ? "" : "s");
+
+ if (s_slot_key_id && *s_slot_key_id &&
+ (key_id_len != 0 || key_label != NULL)) {
+ for (n = 0; n < key_count; n++) {
+ PKCS11_KEY *k = keys + n;
+
+ ctx_log(ctx, 1, " %2u %c%c id=", n + 1,
+ k->isPrivate ? 'P' : ' ',
+ k->needLogin ? 'L' : ' ');
+ dump_hex(ctx, 1, k->id, k->id_len);
+ ctx_log(ctx, 1, " label=%s\n", k->label);
+ if (key_label != NULL && strcmp(k->label, key_label) == 0)
+ selected_key = k;
+ if (key_id_len != 0 && k->id_len == key_id_len
+ && memcmp(k->id, key_id, key_id_len) == 0)
+ selected_key = k;
}
+ } else {
+ selected_key = keys; /* Use the first key */
}
if (selected_key != NULL) {
@@ -919,20 +813,9 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
ctx_log(ctx, 0, "Key not found.\n");
pk = NULL;
}
-
error:
- /* Free the searched token data */
- if (match_tok) {
- OPENSSL_free(match_tok->model);
- OPENSSL_free(match_tok->manufacturer);
- OPENSSL_free(match_tok->serialnr);
- OPENSSL_free(match_tok->label);
- OPENSSL_free(match_tok);
- }
if (key_label != NULL)
OPENSSL_free(key_label);
- if (matched_slots != NULL)
- free(matched_slots);
return pk;
}
diff --git a/src/p11_atfork.c b/src/p11_atfork.c
index 43c38f7..8fc8689 100644
--- a/src/p11_atfork.c
+++ b/src/p11_atfork.c
@@ -23,7 +23,6 @@
#include "libp11-int.h"
#ifndef _WIN32
-#include <unistd.h>
#ifndef __STDC_VERSION__
/* older than C90 */
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index de0277e..7eaf761 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -545,7 +545,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
ossl_sig = ECDSA_SIG_new();
if (ossl_sig == NULL)
- return -1;
+ return-1;
pkey = EVP_PKEY_CTX_get0_pkey(evp_pkey_ctx);
if (pkey == NULL)
@@ -578,6 +578,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
return -1;
if (!cpriv->sign_initialized) {
+ int padding;
CK_MECHANISM mechanism;
memset(&mechanism, 0, sizeof mechanism);
@@ -665,8 +666,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
EVP_PKEY_EC,
0
};
- EVP_PKEY_METHOD *pkey_method_rsa = NULL;
- EVP_PKEY_METHOD *pkey_method_ec = NULL;
+ static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
+ static EVP_PKEY_METHOD *pkey_method_ec = NULL;
(void)e; /* squash the unused parameter warning */
/* all PKCS#11 engines currently share the same pkey_meths */
@@ -679,14 +680,16 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
/* get the EVP_PKEY_METHOD */
switch (nid) {
case EVP_PKEY_RSA:
- pkey_method_rsa = pkcs11_pkey_method_rsa();
+ if (pkey_method_rsa == NULL)
+ pkey_method_rsa = pkcs11_pkey_method_rsa();
if (pkey_method_rsa == NULL)
return 0;
*pmeth = pkey_method_rsa;
return 1; /* success */
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC:
- pkey_method_ec = pkcs11_pkey_method_ec();
+ if (pkey_method_ec == NULL)
+ pkey_method_ec = pkcs11_pkey_method_ec();
if (pkey_method_ec == NULL)
return 0;
*pmeth = pkey_method_ec;
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index 02d15cb..e699009 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -478,7 +478,7 @@ RSA_METHOD *PKCS11_get_rsa_method(void)
if (ops == NULL)
return NULL;
RSA_meth_set1_name(ops, "libp11 RSA method");
- RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
+ RSA_meth_set_flags(ops, 0);
RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method);
RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method);
RSA_meth_set_finish(ops, pkcs11_rsa_free_method);
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 4fa22dc..e7d61ee 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -28,9 +28,7 @@ dist_check_SCRIPTS = \
rsa-pss-sign.softhsm \
rsa-oaep.softhsm \
case-insensitive.softhsm \
- ec-check-privkey.softhsm \
- pkcs11-uri-without-token.softhsm \
- search-all-matching-tokens.softhsm
+ ec-check-privkey.softhsm
dist_check_DATA = \
rsa-cert.der rsa-prvkey.der rsa-pubkey.der \
ec-cert.der ec-prvkey.der ec-pubkey.der
diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm
deleted file mode 100755
index f82e1f4..0000000
--- a/tests/pkcs11-uri-without-token.softhsm
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2015 Nikos Mavrogiannopoulos
-#
-# GnuTLS is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 3 of the License, or (at
-# your option) any later version.
-#
-# GnuTLS is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with GnuTLS; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-# This test checks if it is possible to use the keys without specifying the
-# token if there is only one initialized token available.
-
-outdir="output.$$"
-
-# Load common test functions
-. ${srcdir}/rsa-common.sh
-
-# Do the common test initialization
-common_init
-
-sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
- "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" \
- <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
-
-export OPENSSL_ENGINES="../src/.libs/"
-export OPENSSL_CONF="${outdir}/engines.cnf"
-
-# These URIs don't contain the token specification
-PRIVATE_KEY="pkcs11:object=server-key;type=private;pin-value=1234"
-PUBLIC_KEY="pkcs11:object=server-key;type=public;pin-value=1234"
-
-# Create input file
-echo "secret" >"${outdir}/in.txt"
-
-# Generate signature without specifying the token in the PKCS#11 URI
-openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
- -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
-if test $? != 0;then
- echo "Failed to generate signature using PKCS#11 URI ${PRIVATE_KEY}"
- exit 1;
-fi
-
-# Verify the signature without specifying the token in the PKCS#11 URI
-openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY}" \
- -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
-if test $? != 0;then
- echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}"
- exit 1;
-fi
-
-rm -rf "$outdir"
-
-exit 0
diff --git a/tests/rsa-common.sh b/tests/rsa-common.sh
index e6e12cb..7db5ba0 100755
--- a/tests/rsa-common.sh
+++ b/tests/rsa-common.sh
@@ -86,13 +86,13 @@ init_db () {
# Create a new device
init_card () {
- pin="$1"
- puk="$2"
- dev_label="$3"
+ PIN="$1"
+ PUK="$2"
+ DEV_LABEL="$3"
- echo -n "* Initializing smart card ${dev_label}..."
- ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${dev_label}" \
- --so-pin "${puk}" --pin "${pin}" >/dev/null
+ echo -n "* Initializing smart card... "
+ ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${DEV_LABEL}" \
+ --so-pin "${PUK}" --pin "${PIN}" >/dev/null
if test $? = 0; then
echo ok
else
@@ -103,26 +103,22 @@ init_card () {
# Import objects to the token
import_objects () {
- id=$1
- obj_label=$2
- token_label=$3
+ ID=$1
+ OBJ_LABEL=$2
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
- --token-label ${token_label} -a ${obj_label} -l -w \
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
${srcdir}/rsa-prvkey.der -y privkey >/dev/null
if test $? != 0;then
exit 1;
fi
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
- --token-label ${token_label} -a ${obj_label} -l -w \
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
${srcdir}/rsa-pubkey.der -y pubkey >/dev/null
if test $? != 0;then
exit 1;
fi
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
- --token-label ${token_label} -a ${obj_label} -l -w \
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
${srcdir}/rsa-cert.der -y cert >/dev/null
if test $? != 0;then
exit 1;
@@ -152,34 +148,8 @@ common_init () {
echo Importing
# Import the used objects (private key, public key, and certificate)
- import_objects 01020304 "server-key" "libp11-test"
+ import_objects 01020304 "server-key"
# List the imported objects
list_objects
}
-
-create_devices () {
- num_devices=$1
- pin="$2"
- puk="$3"
- common_label="$4"
- object_label="$5"
-
- i=0
- while [ $i -le ${num_devices} ]; do
- init_card ${pin} ${puk} "${common_label}-$i"
-
- echo "Importing objects to token ${common_label}-$i"
- # Import objects with different labels
- import_objects 01020304 "${object_label}-$i" "${common_label}-$i"
-
- pkcs11-tool -p ${pin} --module ${MODULE} -l -O --token-label \
- "${common_label}-$i"
- if test $? != 0;then
- echo Failed!
- exit 1;
- fi
-
- i=$(($i + 1))
- done
-}
diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
deleted file mode 100755
index 0db697e..0000000
--- a/tests/search-all-matching-tokens.softhsm
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2015 Nikos Mavrogiannopoulos
-#
-# GnuTLS is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 3 of the License, or (at
-# your option) any later version.
-#
-# GnuTLS is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with GnuTLS; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-# This test checks if the search for objects in tokens will continue past the
-# first token found.
-#
-# Generic PKCS#11 URIs are used to make the search to match more than one
-# token. The search should be able to find the objects in each device, which are
-# labeled differently per token.
-#
-# This test also contains a negative test to verify that the engine will not try
-# to login to a token if more than one token matched the search. This is why it
-# is required to have only one match to be able to use a private key.
-
-outdir="output.$$"
-
-# Load common test functions
-. ${srcdir}/rsa-common.sh
-
-PIN=1234
-PUK=1234
-
-NUM_DEVICES=5
-
-# Initialize the SoftHSM DB
-init_db
-
-# Create some devices
-create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label"
-
-sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
-
-export OPENSSL_ENGINES="../src/.libs/"
-export OPENSSL_CONF="${outdir}/engines.cnf"
-
-PRIVATE_KEY="pkcs11:token=libp11-test-3;object=label-3;type=private;pin-value=1234"
-PRIVATE_KEY_WITHOUT_TOKEN="pkcs11:object=label-3;type=private;pin-value=1234"
-PUBLIC_KEY_ANY="pkcs11:type=public"
-CERTIFICATE="pkcs11:object=label-3;type=cert;pin-value=1234"
-
-# Create input file
-echo "secret" > "${outdir}/in.txt"
-
-# Verify that it doesn't try to login if more than one token matched the search
-openssl pkeyutl -engine pkcs11 -keyform engine \
- -inkey "${PRIVATE_KEY_WITHOUT_TOKEN}" \
- -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
-if test $? = 0;then
- echo "Did not fail when the PKCS#11 URI matched multiple tokens"
- exit 1;
-fi
-
-# Generate signature specifying the token in the PKCS#11 URI
-openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
- -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
-if test $? != 0;then
- echo "Failed to sign file using PKCS#11 URI ${PRIVATE_KEY}"
- exit 1;
-fi
-
-# Verify the signature using the public key from each token
-i=0
-while [ $i -le ${NUM_DEVICES} ]; do
- pubkey="pkcs11:object=label-$i;type=public;pin-value=1234"
- openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${pubkey}" \
- -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
- if test $? != 0;then
- echo "Failed to verify the signature using the PKCS#11 URI ${pubkey}"
- exit 1;
- fi
- i=$(($i + 1))
-done
-
-# Verify the signature using a certificate without specifying the token
-openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${CERTIFICATE}" \
- -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
-if test $? != 0;then
- echo "Failed to verify the signature using the PKCS#11 URI ${CERTIFICATE}"
- exit 1;
-fi
-
-# Verify the signature using the first public key found
-openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY_ANY}" \
- -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
-if test $? != 0;then
- echo "Failed to verify the signature using the PKCS#11 URI ${PUBLIC_KEY_ANY}."
- exit 1;
-fi
-
-rm -rf "$outdir"
-
-exit 0