<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>PIN Callbacks: p11-kit</title>

<meta name="generator" content="DocBook XSL Stylesheets Vsnapshot">

<link rel="home" href="index.html" title="p11-kit">

<link rel="up" href="reference.html" title="API Reference">

<link rel="prev" href="p11-kit-URIs.html" title="URIs">

<link rel="next" href="p11-kit-Utilities.html" title="Utilities">

<meta name="generator" content="GTK-Doc V1.32 (XML mode)">

<link rel="stylesheet" href="style.css" type="text/css">

</head>

<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

Top  | 

                  Description

PIN Callbacks

PIN Callbacks — PIN Callbacks

Functions

P11KitPin *

p11_kit_pin_new ()

P11KitPin *

p11_kit_pin_new_for_buffer ()

P11KitPin *

p11_kit_pin_new_for_string ()

const unsigned char *

p11_kit_pin_get_value ()

size_t

p11_kit_pin_get_length ()

P11KitPin *

p11_kit_pin_ref ()

void

p11_kit_pin_unref ()

int

p11_kit_pin_register_callback ()

void

p11_kit_pin_unregister_callback ()

P11KitPin *

(*p11_kit_pin_callback) ()

P11KitPin *

p11_kit_pin_request ()

void

(*p11_kit_pin_destroy_func) ()

P11KitPin *

p11_kit_pin_file_callback ()

Types and Values

typedef

P11KitPin

enum

P11KitPinFlags

#define

P11_KIT_PIN_FALLBACK

Description

Applications can register a callback which will be called to provide a

password associated with a given pin source.

PKCS#11 URIs can contain a 'pin-source' attribute. The value of this attribute

is application dependent, but often references a file containing a PIN to

use.

Using these functions, an applications or libraries can register a

callback with p11_kit_pin_register_callback() to be called when a given

'pin-source' attribute value is requested. The application can then prompt

the user or retrieve a PIN for the given context. These registered

callbacks are only relevant and valid within the current process.

A fallback callback can be registered by passing the P11_KIT_PIN_FALLBACK

value to p11_kit_pin_register_callback(). This fallback callback will be

called for every 'pin-source' attribute request for which no callback has been

directly registered.

To request a PIN for a given 'pin-source' attribute, use the

p11_kit_pin_request() function. If this function returns NULL then either

no callbacks were registered or none of them could handle the request.

If multiple callbacks are registered for the same PIN source, then they are

called in last-registered-first-called order. They are called in turn until

one of them can handle the request. Fallback callbacks are not called if

a callback was registered specifically for a requested 'pin-source' attribute.

PINs themselves are handled inside of P11KitPin structures. These are thread

safe and allow the callback to specify how the PIN is stored in memory

and freed. A callback can use p11_kit_pin_new_for_string() or related

functions to create a PIN to be returned.

For example in order to handle the following PKCS#11 URI with a 'pin-source'

attribute

     pkcs11:id=\%69\%95\%3e\%5c\%f4\%bd\%ec\%91;pin-source=my-application

an application could register a callback like this:

        
1

2

3

4

5

6

7

8

9

10

        
static P11KitPin*

my_application_pin_callback (const char *pin_source, P11KitUri *pin_uri,

                             const char *pin_description, P11KitPinFlags pin_flags,

                             void *callback_data)

{

    return p11_kit_pin_new_from_string ("pin-value");

}

p11_kit_pin_register_callback ("my-application", my_application_pin_callback,

                               NULL, NULL);

Functions

p11_kit_pin_new ()

P11KitPin *

p11_kit_pin_new (const unsigned char *value,

                 size_t length);

Create a new P11KitPin with the given PIN value. This function is

usually used from within registered PIN callbacks.

Exactly length

 bytes from value

 are used. Null terminated strings,

or encodings are not considered. A copy of the value

 will be made.

Parameters

value

the value of the PIN

length

the length of value

Returns

 The newly allocated P11KitPin, which should be freed with

p11_kit_pin_unref() when no longer needed.

p11_kit_pin_new_for_buffer ()

P11KitPin *

p11_kit_pin_new_for_buffer (unsigned char *buffer,

                            size_t length,

                            p11_kit_pin_destroy_func destroy);

Create a new P11KitPin which will use buffer

 for the PIN value.

This function is usually used from within registered PIN callbacks.

The buffer will not be copied. String encodings and null characters

are not considered.

When the last reference to this PIN is lost, then the destroy

 callback

function will be called passing buffer

 as an argument. This allows the

caller to use a buffer as a PIN without copying it.

        
1

2

3

4

        
char *buffer = malloc (128);

P11KitPin *pin;

 ....

pin = p11_kit_pin_new_for_buffer (buffer, 128, free);

Parameters

buffer

the value of the PIN

length

the length of buffer

destroy

if not NULL, then called when PIN is destroyed.

Returns

 The newly allocated P11KitPin, which should be freed with

p11_kit_pin_unref() when no longer needed.

p11_kit_pin_new_for_string ()

P11KitPin *

p11_kit_pin_new_for_string (const char *value);

Create a new P11KitPin for the given null-terminated string, such as a

password. This function is usually used from within registered

PIN callbacks.

The PIN will consist of the string not including the null terminator.

String encoding is not considered. A copy of the value

 will be made.

Parameters

value

the value of the PIN

Returns

 The newly allocated P11KitPin, which should be freed with

p11_kit_pin_unref() when no longer needed.

p11_kit_pin_get_value ()

const unsigned char *

p11_kit_pin_get_value (P11KitPin *pin,

                       size_t *length);

Get the PIN value from a P11KitPin. length

 will be set to the

length of the value.

The value returned is owned by the P11KitPin and should not be modified.

It remains valid as long as a reference to the PIN is held. The PIN value

will not contain an extra null-terminator character.

Parameters

pin

the P11KitPin

length

a location to return the value length

Returns

 the value for the PIN.

p11_kit_pin_get_length ()

size_t

p11_kit_pin_get_length (P11KitPin *pin);

Get the length of the PIN value from a P11KitPin.

Parameters

pin

the P11KitPin

Returns

 the length of the PIN value.

p11_kit_pin_ref ()

P11KitPin *

p11_kit_pin_ref (P11KitPin *pin);

Add a reference to a P11KitPin. This should be matched with a later call

to p11_kit_pin_unref(). As long as at least one reference is held, the PIN

will remain valid and in memory.

Parameters

pin

the P11KitPin

Returns

 the pin

pointer, for convenience sake.

p11_kit_pin_unref ()

void

p11_kit_pin_unref (P11KitPin *pin);

Remove a reference from a P11KitPin. When all references have been removed

then the PIN will be freed and will no longer be in memory.

Parameters

pin

the P11KitPin

p11_kit_pin_register_callback ()

int

p11_kit_pin_register_callback (const char *pin_source,

                               p11_kit_pin_callback callback,

                               void *callback_data,

                               p11_kit_pin_destroy_func callback_destroy);

Register a callback to handle PIN requests for a given 'pin-source' attribute.

If pin_source

 is set to P11_KIT_PIN_FALLBACK then this will be a fallback

callback and will be called for requests for which no other callback has

been specifically registered.

If multiple callbacks are registered for the same pin_source

 value, then

the last registered callback will be the first to be called.

Parameters

pin_source

the 'pin-source' attribute this this callback is for

callback

the callback function

callback_data

data that will be passed to the callback

callback_destroy

a function that will be called with callback_data

when

the callback is unregistered.

Returns

 Returns negative if registering fails.

p11_kit_pin_unregister_callback ()

void

p11_kit_pin_unregister_callback (const char *pin_source,

                                 p11_kit_pin_callback callback,

                                 void *callback_data);

Unregister a callback that was previously registered with the

p11_kit_pin_register_callback() function. If more than one registered

callback matches the given arguments, then only one of those will be

removed.

Parameters

pin_source

the 'pin-source' attribute the callback was registered for

callback

the callback function that was registered

callback_data

data that was registered for the callback

p11_kit_pin_callback ()

P11KitPin *

(*p11_kit_pin_callback) (const char *pin_source,

                         P11KitUri *pin_uri,

                         const char *pin_description,

                         P11KitPinFlags pin_flags,

                         void *callback_data);

Represents a PIN callback function.

The various arguments are the same as the ones passed to

p11_kit_pin_request(). The callback_data

 argument was the one passed to

p11_kit_pin_register_callback() when registering this callback.

The function should return NULL if it could not provide a PIN, either

because of an error or a user cancellation.

If a PIN is returned, it will be unreferenced by the caller. So it should be

either newly allocated, or referenced before returning.

Parameters

pin_source

a 'pin-source' attribute string

pin_uri

a PKCS#11 URI that the PIN is for, or NULL

pin_description

a descrption of what the PIN is for

pin_flags

flags describing the PIN request

callback_data

data that was provided when registering this callback

Returns

 A PIN or NULL

p11_kit_pin_request ()

P11KitPin *

p11_kit_pin_request (const char *pin_source,

                     P11KitUri *pin_uri,

                     const char *pin_description,

                     P11KitPinFlags pin_flags);

Request a PIN for a given 'pin-source' attribute. The result depends on the

registered callbacks.

If not NULL, then the pin_uri

 attribute should point to the thing that the

PIN is being requested for. In most use cases this should be a PKCS#11 URI

pointing to a token.

The pin_description

 should always be specified. It is a string describing

what the PIN is for. For example this would be the token label, if the PIN

is for a token.

If more than one callback is registered for the pin_source

, then the latest

registered one will be called first. If that callback does not return a

PIN, then the next will be called in turn.

If no callback is registered for pin_source

, then the fallback callbacks will

be invoked in the same way. The fallback callbacks will not be called if any

callback has been registered specifically for pin_source

.

The PIN returned should be released with p11_kit_pin_unref().

Parameters

pin_source

the 'pin-source' attribute that is being requested

pin_uri

a PKCS#11 URI that the PIN is being requested for, optionally NULL.

pin_description

a description of what the PIN is for, must not be NULL.

pin_flags

various flags for this request

Returns

 the PIN which should be released with p11_kit_pin_unref(), or NULL

if no callback was registered or could proivde a PIN

p11_kit_pin_destroy_func ()

void

(*p11_kit_pin_destroy_func) (void *data);

A function called to free or cleanup data

.

Parameters

data

the data to destroy

p11_kit_pin_file_callback ()

P11KitPin *

p11_kit_pin_file_callback (const char *pin_source,

                           P11KitUri *pin_uri,

                           const char *pin_description,

                           P11KitPinFlags pin_flags,

                           void *callback_data);

This is a PIN callback function that looks up the 'pin-source' attribute in

a file with that name. This can be used to enable the normal PKCS#11 URI

behavior described in the RFC.

If pin_flags

 contains the P11_KIT_PIN_FLAGS_RETRY flag, then this

callback will always return NULL. This is to prevent endless loops

where an application is expecting to interact with a prompter, but

instead is interacting with this callback reading a file over and over.

This callback fails on files larger than 4 Kilobytes.

This callback is not registered by default. It may have security

implications depending on the source of the PKCS#11 URI and the PKCS#11

in use. To register it, use code like the following:

        
1

2

        
p11_kit_pin_register_callback (P11_KIT_PIN_FALLBACK, p11_kit_pin_file_callback,

                               NULL, NULL);

Parameters

pin_source

a 'pin-source' attribute string

pin_uri

a PKCS#11 URI that the PIN is for, or NULL

pin_description

a descrption of what the PIN is for

pin_flags

flags describing the PIN request