summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--usr.bin/ssh/ssh-pkcs11.c126
1 files changed, 98 insertions, 28 deletions
diff --git a/usr.bin/ssh/ssh-pkcs11.c b/usr.bin/ssh/ssh-pkcs11.c
index e91895c9e3b..5b301dac5fe 100644
--- a/usr.bin/ssh/ssh-pkcs11.c
+++ b/usr.bin/ssh/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.8 2013/07/12 00:20:00 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.9 2013/11/02 20:03:54 markus Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@@ -23,6 +23,8 @@
#include <string.h>
#include <dlfcn.h>
+#include <openssl/x509.h>
+
#define CRYPTOKI_COMPAT
#include "pkcs11.h"
@@ -373,32 +375,73 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin)
* add 'wrapped' public keys to the 'keysp' array and increment nkeys.
* keysp points to an (possibly empty) array with *nkeys keys.
*/
+static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,
+ CK_ATTRIBUTE [], CK_ATTRIBUTE [3], Key ***, int *)
+ __attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE))));
+
static int
-pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp,
- int *nkeys)
+pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
+ Key ***keysp, int *nkeys)
{
- Key *key;
- RSA *rsa;
- int i;
- CK_RV rv;
- CK_OBJECT_HANDLE obj;
- CK_ULONG nfound;
- CK_SESSION_HANDLE session;
- CK_FUNCTION_LIST *f;
CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
+ CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
CK_ATTRIBUTE pubkey_filter[] = {
{ CKA_CLASS, &pubkey_class, sizeof(pubkey_class) }
};
- CK_ATTRIBUTE attribs[] = {
+ CK_ATTRIBUTE cert_filter[] = {
+ { CKA_CLASS, &cert_class, sizeof(cert_class) }
+ };
+ CK_ATTRIBUTE pubkey_attribs[] = {
{ CKA_ID, NULL, 0 },
{ CKA_MODULUS, NULL, 0 },
{ CKA_PUBLIC_EXPONENT, NULL, 0 }
};
+ CK_ATTRIBUTE cert_attribs[] = {
+ { CKA_ID, NULL, 0 },
+ { CKA_SUBJECT, NULL, 0 },
+ { CKA_VALUE, NULL, 0 }
+ };
+
+ if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs,
+ keysp, nkeys) < 0 ||
+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs,
+ keysp, nkeys) < 0)
+ return (-1);
+ return (0);
+}
+
+static int
+pkcs11_key_included(Key ***keysp, int *nkeys, Key *key)
+{
+ int i;
+
+ for (i = 0; i < *nkeys; i++)
+ if (key_equal(key, *keysp[i]))
+ return (1);
+ return (0);
+}
+
+static int
+pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
+ CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3],
+ Key ***keysp, int *nkeys)
+{
+ Key *key;
+ RSA *rsa;
+ X509 *x509;
+ EVP_PKEY *evp;
+ int i;
+ const u_char *cp;
+ CK_RV rv;
+ CK_OBJECT_HANDLE obj;
+ CK_ULONG nfound;
+ CK_SESSION_HANDLE session;
+ CK_FUNCTION_LIST *f;
f = p->function_list;
session = p->slotinfo[slotidx].session;
/* setup a filter the looks for public keys */
- if ((rv = f->C_FindObjectsInit(session, pubkey_filter, 1)) != CKR_OK) {
+ if ((rv = f->C_FindObjectsInit(session, filter, 1)) != CKR_OK) {
error("C_FindObjectsInit failed: %lu", rv);
return (-1);
}
@@ -426,32 +469,59 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp,
/* allocate buffers for attributes */
for (i = 0; i < 3; i++)
attribs[i].pValue = xmalloc(attribs[i].ulValueLen);
- /* retrieve ID, modulus and public exponent of RSA key */
+ /*
+ * retrieve ID, modulus and public exponent of RSA key,
+ * or ID, subject and value for certificates.
+ */
+ rsa = NULL;
if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3))
!= CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
- } else if ((rsa = RSA_new()) == NULL) {
- error("RSA_new failed");
+ } else if (attribs[1].type == CKA_MODULUS ) {
+ if ((rsa = RSA_new()) == NULL) {
+ error("RSA_new failed");
+ } else {
+ rsa->n = BN_bin2bn(attribs[1].pValue,
+ attribs[1].ulValueLen, NULL);
+ rsa->e = BN_bin2bn(attribs[2].pValue,
+ attribs[2].ulValueLen, NULL);
+ }
} else {
- rsa->n = BN_bin2bn(attribs[1].pValue,
- attribs[1].ulValueLen, NULL);
- rsa->e = BN_bin2bn(attribs[2].pValue,
- attribs[2].ulValueLen, NULL);
- if (rsa->n && rsa->e &&
- pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
- key = key_new(KEY_UNSPEC);
- key->rsa = rsa;
- key->type = KEY_RSA;
- key->flags |= KEY_FLAG_EXT;
+ cp = attribs[2].pValue;
+ if ((x509 = X509_new()) == NULL) {
+ error("X509_new failed");
+ } else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen)
+ == NULL) {
+ error("d2i_X509 failed");
+ } else if ((evp = X509_get_pubkey(x509)) == NULL ||
+ evp->type != EVP_PKEY_RSA ||
+ evp->pkey.rsa == NULL) {
+ debug("X509_get_pubkey failed or no rsa");
+ } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
+ == NULL) {
+ error("RSAPublicKey_dup");
+ }
+ if (x509)
+ X509_free(x509);
+ }
+ if (rsa && rsa->n && rsa->e &&
+ pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
+ key = key_new(KEY_UNSPEC);
+ key->rsa = rsa;
+ key->type = KEY_RSA;
+ key->flags |= KEY_FLAG_EXT;
+ if (pkcs11_key_included(keysp, nkeys, key)) {
+ key_free(key);
+ } else {
/* expand key array and add key */
*keysp = xrealloc(*keysp, *nkeys + 1,
sizeof(Key *));
(*keysp)[*nkeys] = key;
*nkeys = *nkeys + 1;
debug("have %d keys", *nkeys);
- } else {
- RSA_free(rsa);
}
+ } else if (rsa) {
+ RSA_free(rsa);
}
for (i = 0; i < 3; i++)
free(attribs[i].pValue);