2 * Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 RCSID("$Id: ks_p11.c 22071 2007-11-14 20:04:50Z lha $");
47 #define P11_SESSION_IN_USE 2
48 #define P11_LOGIN_REQ 4
49 #define P11_LOGIN_DONE 8
50 #define P11_TOKEN_PRESENT 16
51 CK_SESSION_HANDLE session;
58 CK_MECHANISM_TYPE_PTR list;
60 CK_MECHANISM_INFO_PTR *infos;
66 CK_FUNCTION_LIST_PTR funcs;
68 unsigned int refcount;
69 struct p11_slot *slot;
72 #define P11FUNC(module,f,args) (*(module)->funcs->C_##f)args
74 static int p11_get_session(hx509_context,
79 static int p11_put_session(struct p11_module *,
82 static void p11_release_module(struct p11_module *);
84 static int p11_list_keys(hx509_context,
97 struct p11_slot *slot;
98 CK_OBJECT_HANDLE private_key;
99 CK_OBJECT_HANDLE public_key;
103 p11_rsa_public_encrypt(int flen,
104 const unsigned char *from,
113 p11_rsa_public_decrypt(int flen,
114 const unsigned char *from,
124 p11_rsa_private_encrypt(int flen,
125 const unsigned char *from,
130 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
131 CK_OBJECT_HANDLE key = p11rsa->private_key;
132 CK_SESSION_HANDLE session;
133 CK_MECHANISM mechanism;
137 if (padding != RSA_PKCS1_PADDING)
140 memset(&mechanism, 0, sizeof(mechanism));
141 mechanism.mechanism = CKM_RSA_PKCS;
143 ck_sigsize = RSA_size(rsa);
145 ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
149 ret = P11FUNC(p11rsa->p, SignInit, (session, &mechanism, key));
151 p11_put_session(p11rsa->p, p11rsa->slot, session);
155 ret = P11FUNC(p11rsa->p, Sign,
156 (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
157 p11_put_session(p11rsa->p, p11rsa->slot, session);
165 p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
166 RSA * rsa, int padding)
168 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
169 CK_OBJECT_HANDLE key = p11rsa->private_key;
170 CK_SESSION_HANDLE session;
171 CK_MECHANISM mechanism;
175 if (padding != RSA_PKCS1_PADDING)
178 memset(&mechanism, 0, sizeof(mechanism));
179 mechanism.mechanism = CKM_RSA_PKCS;
181 ck_sigsize = RSA_size(rsa);
183 ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
187 ret = P11FUNC(p11rsa->p, DecryptInit, (session, &mechanism, key));
189 p11_put_session(p11rsa->p, p11rsa->slot, session);
193 ret = P11FUNC(p11rsa->p, Decrypt,
194 (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
195 p11_put_session(p11rsa->p, p11rsa->slot, session);
203 p11_rsa_init(RSA *rsa)
209 p11_rsa_finish(RSA *rsa)
211 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
212 p11_release_module(p11rsa->p);
217 static const RSA_METHOD p11_rsa_pkcs1_method = {
218 "hx509 PKCS11 PKCS#1 RSA",
219 p11_rsa_public_encrypt,
220 p11_rsa_public_decrypt,
221 p11_rsa_private_encrypt,
222 p11_rsa_private_decrypt,
238 p11_mech_info(hx509_context context,
239 struct p11_module *p,
240 struct p11_slot *slot,
246 ret = P11FUNC(p, GetMechanismList, (slot->id, NULL_PTR, &i));
248 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
249 "Failed to get mech list count for slot %d",
251 return HX509_PKCS11_NO_MECH;
254 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
255 "no mech supported for slot %d", num);
256 return HX509_PKCS11_NO_MECH;
258 slot->mechs.list = calloc(i, sizeof(slot->mechs.list[0]));
259 if (slot->mechs.list == NULL) {
260 hx509_set_error_string(context, 0, ENOMEM,
265 ret = P11FUNC(p, GetMechanismList, (slot->id, slot->mechs.list, &i));
267 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
268 "Failed to get mech list for slot %d",
270 return HX509_PKCS11_NO_MECH;
272 assert(i == slot->mechs.num);
274 slot->mechs.infos = calloc(i, sizeof(*slot->mechs.infos));
275 if (slot->mechs.list == NULL) {
276 hx509_set_error_string(context, 0, ENOMEM,
281 for (i = 0; i < slot->mechs.num; i++) {
282 slot->mechs.infos[i] = calloc(1, sizeof(*(slot->mechs.infos[0])));
283 if (slot->mechs.infos[i] == NULL) {
284 hx509_set_error_string(context, 0, ENOMEM,
288 ret = P11FUNC(p, GetMechanismInfo, (slot->id, slot->mechs.list[i],
289 slot->mechs.infos[i]));
291 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
292 "Failed to get mech info for slot %d",
294 return HX509_PKCS11_NO_MECH;
302 p11_init_slot(hx509_context context,
303 struct p11_module *p,
307 struct p11_slot *slot)
309 CK_SESSION_HANDLE session;
310 CK_SLOT_INFO slot_info;
311 CK_TOKEN_INFO token_info;
317 ret = P11FUNC(p, GetSlotInfo, (slot->id, &slot_info));
319 hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
320 "Failed to init PKCS11 slot %d",
322 return HX509_PKCS11_TOKEN_CONFUSED;
325 for (i = sizeof(slot_info.slotDescription) - 1; i > 0; i--) {
326 char c = slot_info.slotDescription[i];
327 if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\0')
333 asprintf(&slot->name, "%.*s",
334 i, slot_info.slotDescription);
336 if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
339 ret = P11FUNC(p, GetTokenInfo, (slot->id, &token_info));
341 hx509_set_error_string(context, 0, HX509_PKCS11_NO_TOKEN,
342 "Failed to init PKCS11 slot %d "
345 return HX509_PKCS11_NO_TOKEN;
347 slot->flags |= P11_TOKEN_PRESENT;
349 if (token_info.flags & CKF_LOGIN_REQUIRED)
350 slot->flags |= P11_LOGIN_REQ;
352 ret = p11_get_session(context, p, slot, lock, &session);
356 ret = p11_mech_info(context, p, slot, num);
360 ret = p11_list_keys(context, p, slot, session, lock, &slot->certs);
362 p11_put_session(p, slot, session);
368 p11_get_session(hx509_context context,
369 struct p11_module *p,
370 struct p11_slot *slot,
372 CK_SESSION_HANDLE *psession)
376 if (slot->flags & P11_SESSION_IN_USE)
377 _hx509_abort("slot already in session");
379 if (slot->flags & P11_SESSION) {
380 slot->flags |= P11_SESSION_IN_USE;
381 *psession = slot->session;
385 ret = P11FUNC(p, OpenSession, (slot->id,
392 hx509_set_error_string(context, 0, HX509_PKCS11_OPEN_SESSION,
393 "Failed to OpenSession for slot id %d "
394 "with error: 0x%08x",
396 return HX509_PKCS11_OPEN_SESSION;
399 slot->flags |= P11_SESSION;
402 * If we have have to login, and haven't tried before and have a
403 * prompter or known to work pin code.
405 * This code is very conversative and only uses the prompter in
406 * the hx509_lock, the reason is that it's bad to try many
407 * passwords on a pkcs11 token, it might lock up and have to be
408 * unlocked by a administrator.
410 * XXX try harder to not use pin several times on the same card.
413 if ( (slot->flags & P11_LOGIN_REQ)
414 && (slot->flags & P11_LOGIN_DONE) == 0
415 && (lock || slot->pin))
421 slot->flags |= P11_LOGIN_DONE;
423 if (slot->pin == NULL) {
425 memset(&prompt, 0, sizeof(prompt));
427 asprintf(&str, "PIN code for %s: ", slot->name);
429 prompt.type = HX509_PROMPT_TYPE_PASSWORD;
430 prompt.reply.data = pin;
431 prompt.reply.length = sizeof(pin);
433 ret = hx509_lock_prompt(lock, &prompt);
437 hx509_set_error_string(context, 0, ret,
438 "Failed to get pin code for slot "
439 "id %d with error: %d",
445 strlcpy(pin, slot->pin, sizeof(pin));
448 ret = P11FUNC(p, Login, (slot->session, CKU_USER,
449 (unsigned char*)pin, strlen(pin)));
452 hx509_set_error_string(context, 0, HX509_PKCS11_LOGIN,
453 "Failed to login on slot id %d "
454 "with error: 0x%08x",
456 p11_put_session(p, slot, slot->session);
457 return HX509_PKCS11_LOGIN;
459 if (slot->pin == NULL) {
460 slot->pin = strdup(pin);
461 if (slot->pin == NULL) {
463 hx509_set_error_string(context, 0, ENOMEM,
465 p11_put_session(p, slot, slot->session);
470 slot->flags |= P11_LOGIN_DONE;
472 slot->flags |= P11_SESSION_IN_USE;
474 *psession = slot->session;
480 p11_put_session(struct p11_module *p,
481 struct p11_slot *slot,
482 CK_SESSION_HANDLE session)
484 if ((slot->flags & P11_SESSION_IN_USE) == 0)
485 _hx509_abort("slot not in session");
486 slot->flags &= ~P11_SESSION_IN_USE;
492 iterate_entries(hx509_context context,
493 struct p11_module *p, struct p11_slot *slot,
494 CK_SESSION_HANDLE session,
495 CK_ATTRIBUTE *search_data, int num_search_data,
496 CK_ATTRIBUTE *query, int num_query,
497 int (*func)(hx509_context,
498 struct p11_module *, struct p11_slot *,
499 CK_SESSION_HANDLE session,
500 CK_OBJECT_HANDLE object,
501 void *, CK_ATTRIBUTE *, int), void *ptr)
503 CK_OBJECT_HANDLE object;
504 CK_ULONG object_count;
507 ret = P11FUNC(p, FindObjectsInit, (session, search_data, num_search_data));
512 ret = P11FUNC(p, FindObjects, (session, &object, 1, &object_count));
516 if (object_count == 0)
519 for (i = 0; i < num_query; i++)
520 query[i].pValue = NULL;
522 ret = P11FUNC(p, GetAttributeValue,
523 (session, object, query, num_query));
527 for (i = 0; i < num_query; i++) {
528 query[i].pValue = malloc(query[i].ulValueLen);
529 if (query[i].pValue == NULL) {
534 ret = P11FUNC(p, GetAttributeValue,
535 (session, object, query, num_query));
541 ret = (*func)(context, p, slot, session, object, ptr, query, num_query);
545 for (i = 0; i < num_query; i++) {
547 free(query[i].pValue);
548 query[i].pValue = NULL;
553 for (i = 0; i < num_query; i++) {
555 free(query[i].pValue);
556 query[i].pValue = NULL;
559 ret = P11FUNC(p, FindObjectsFinal, (session));
569 getattr_bn(struct p11_module *p,
570 struct p11_slot *slot,
571 CK_SESSION_HANDLE session,
572 CK_OBJECT_HANDLE object,
581 query.ulValueLen = 0;
583 ret = P11FUNC(p, GetAttributeValue,
584 (session, object, &query, 1));
588 query.pValue = malloc(query.ulValueLen);
590 ret = P11FUNC(p, GetAttributeValue,
591 (session, object, &query, 1));
596 bn = BN_bin2bn(query.pValue, query.ulValueLen, NULL);
603 collect_private_key(hx509_context context,
604 struct p11_module *p, struct p11_slot *slot,
605 CK_SESSION_HANDLE session,
606 CK_OBJECT_HANDLE object,
607 void *ptr, CK_ATTRIBUTE *query, int num_query)
609 struct hx509_collector *collector = ptr;
610 hx509_private_key key;
611 heim_octet_string localKeyId;
614 struct p11_rsa *p11rsa;
616 localKeyId.data = query[0].pValue;
617 localKeyId.length = query[0].ulValueLen;
619 ret = _hx509_private_key_init(&key, NULL, NULL);
625 _hx509_abort("out of memory");
628 * The exponent and modulus should always be present according to
629 * the pkcs11 specification, but some smartcards leaves it out,
630 * let ignore any failure to fetch it.
632 rsa->n = getattr_bn(p, slot, session, object, CKA_MODULUS);
633 rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
635 p11rsa = calloc(1, sizeof(*p11rsa));
637 _hx509_abort("out of memory");
641 p11rsa->private_key = object;
644 if (p->refcount == 0)
645 _hx509_abort("pkcs11 refcount to high");
647 RSA_set_method(rsa, &p11_rsa_pkcs1_method);
648 ret = RSA_set_app_data(rsa, p11rsa);
650 _hx509_abort("RSA_set_app_data");
652 _hx509_private_key_assign_rsa(key, rsa);
654 ret = _hx509_collector_private_key_add(context,
656 hx509_signature_rsa(),
662 _hx509_private_key_free(&key);
669 p11_cert_release(hx509_cert cert, void *ctx)
671 struct p11_module *p = ctx;
672 p11_release_module(p);
677 collect_cert(hx509_context context,
678 struct p11_module *p, struct p11_slot *slot,
679 CK_SESSION_HANDLE session,
680 CK_OBJECT_HANDLE object,
681 void *ptr, CK_ATTRIBUTE *query, int num_query)
683 struct hx509_collector *collector = ptr;
687 if ((CK_LONG)query[0].ulValueLen == -1 ||
688 (CK_LONG)query[1].ulValueLen == -1)
693 ret = hx509_cert_init_data(context, query[1].pValue,
694 query[1].ulValueLen, &cert);
699 if (p->refcount == 0)
700 _hx509_abort("pkcs11 refcount to high");
702 _hx509_cert_set_release(cert, p11_cert_release, p);
705 heim_octet_string data;
707 data.data = query[0].pValue;
708 data.length = query[0].ulValueLen;
710 _hx509_set_cert_attribute(context,
712 oid_id_pkcs_9_at_localKeyId(),
716 if ((CK_LONG)query[2].ulValueLen != -1) {
719 asprintf(&str, "%.*s",
720 (int)query[2].ulValueLen, (char *)query[2].pValue);
722 hx509_cert_set_friendly_name(cert, str);
727 ret = _hx509_collector_certs_add(context, collector, cert);
728 hx509_cert_free(cert);
735 p11_list_keys(hx509_context context,
736 struct p11_module *p,
737 struct p11_slot *slot,
738 CK_SESSION_HANDLE session,
742 struct hx509_collector *collector;
743 CK_OBJECT_CLASS key_class;
744 CK_ATTRIBUTE search_data[] = {
745 {CKA_CLASS, NULL, 0},
747 CK_ATTRIBUTE query_data[3] = {
749 {CKA_VALUE, NULL, 0},
754 search_data[0].pValue = &key_class;
755 search_data[0].ulValueLen = sizeof(key_class);
758 lock = _hx509_empty_lock;
760 ret = _hx509_collector_alloc(context, lock, &collector);
764 key_class = CKO_PRIVATE_KEY;
765 ret = iterate_entries(context, p, slot, session,
768 collect_private_key, collector);
772 key_class = CKO_CERTIFICATE;
773 ret = iterate_entries(context, p, slot, session,
776 collect_cert, collector);
780 ret = _hx509_collector_collect_certs(context, collector, &slot->certs);
783 _hx509_collector_free(collector);
790 p11_init(hx509_context context,
791 hx509_certs certs, void **data, int flags,
792 const char *residue, hx509_lock lock)
794 CK_C_GetFunctionList getFuncs;
795 struct p11_module *p;
801 list = strdup(residue);
805 p = calloc(1, sizeof(*p));
813 str = strchr(list, ',');
818 strnext = strchr(str, ',');
822 if (strncasecmp(str, "slot=", 5) == 0)
823 p->selected_slot = atoi(str + 5);
828 p->dl_handle = dlopen(list, RTLD_NOW);
830 if (p->dl_handle == NULL) {
831 ret = HX509_PKCS11_LOAD;
832 hx509_set_error_string(context, 0, ret,
833 "Failed to open %s: %s", list, dlerror());
837 getFuncs = dlsym(p->dl_handle, "C_GetFunctionList");
838 if (getFuncs == NULL) {
839 ret = HX509_PKCS11_LOAD;
840 hx509_set_error_string(context, 0, ret,
841 "C_GetFunctionList missing in %s: %s",
846 ret = (*getFuncs)(&p->funcs);
848 ret = HX509_PKCS11_LOAD;
849 hx509_set_error_string(context, 0, ret,
850 "C_GetFunctionList failed in %s", list);
854 ret = P11FUNC(p, Initialize, (NULL_PTR));
856 ret = HX509_PKCS11_TOKEN_CONFUSED;
857 hx509_set_error_string(context, 0, ret,
858 "Failed initialize the PKCS11 module");
862 ret = P11FUNC(p, GetSlotList, (FALSE, NULL, &p->num_slots));
864 ret = HX509_PKCS11_TOKEN_CONFUSED;
865 hx509_set_error_string(context, 0, ret,
866 "Failed to get number of PKCS11 slots");
870 if (p->num_slots == 0) {
871 ret = HX509_PKCS11_NO_SLOT;
872 hx509_set_error_string(context, 0, ret,
873 "Selected PKCS11 module have no slots");
879 CK_SLOT_ID_PTR slot_ids;
880 int i, num_tokens = 0;
882 slot_ids = malloc(p->num_slots * sizeof(*slot_ids));
883 if (slot_ids == NULL) {
884 hx509_clear_error_string(context);
889 ret = P11FUNC(p, GetSlotList, (FALSE, slot_ids, &p->num_slots));
892 hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
893 "Failed getting slot-list from "
895 ret = HX509_PKCS11_TOKEN_CONFUSED;
899 p->slot = calloc(p->num_slots, sizeof(p->slot[0]));
900 if (p->slot == NULL) {
902 hx509_set_error_string(context, 0, ENOMEM,
903 "Failed to get memory for slot-list");
908 for (i = 0; i < p->num_slots; i++) {
909 ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);
912 if (p->slot[i].flags & P11_TOKEN_PRESENT)
918 if (num_tokens == 0) {
919 ret = HX509_PKCS11_NO_TOKEN;
928 p11_release_module(p);
933 p11_release_module(struct p11_module *p)
937 if (p->refcount == 0)
938 _hx509_abort("pkcs11 refcount to low");
939 if (--p->refcount > 0)
942 for (i = 0; i < p->num_slots; i++) {
943 if (p->slot[i].flags & P11_SESSION_IN_USE)
944 _hx509_abort("pkcs11 module release while session in use");
945 if (p->slot[i].flags & P11_SESSION) {
948 ret = P11FUNC(p, CloseSession, (p->slot[i].session));
954 free(p->slot[i].name);
955 if (p->slot[i].pin) {
956 memset(p->slot[i].pin, 0, strlen(p->slot[i].pin));
957 free(p->slot[i].pin);
959 if (p->slot[i].mechs.num) {
960 free(p->slot[i].mechs.list);
962 if (p->slot[i].mechs.infos) {
965 for (j = 0 ; j < p->slot[i].mechs.num ; j++)
966 free(p->slot[i].mechs.infos[j]);
967 free(p->slot[i].mechs.infos);
974 P11FUNC(p, Finalize, (NULL));
977 dlclose(p->dl_handle);
979 memset(p, 0, sizeof(*p));
984 p11_free(hx509_certs certs, void *data)
986 struct p11_module *p = data;
989 for (i = 0; i < p->num_slots; i++) {
990 if (p->slot[i].certs)
991 hx509_certs_free(&p->slot[i].certs);
993 p11_release_module(p);
1003 p11_iter_start(hx509_context context,
1004 hx509_certs certs, void *data, void **cursor)
1006 struct p11_module *p = data;
1007 struct p11_cursor *c;
1010 c = malloc(sizeof(*c));
1012 hx509_clear_error_string(context);
1015 ret = hx509_certs_init(context, "MEMORY:pkcs11-iter", 0, NULL, &c->certs);
1021 for (i = 0 ; i < p->num_slots; i++) {
1022 if (p->slot[i].certs == NULL)
1024 ret = hx509_certs_merge(context, c->certs, p->slot[i].certs);
1026 hx509_certs_free(&c->certs);
1032 ret = hx509_certs_start_seq(context, c->certs, &c->cursor);
1034 hx509_certs_free(&c->certs);
1044 p11_iter(hx509_context context,
1045 hx509_certs certs, void *data, void *cursor, hx509_cert *cert)
1047 struct p11_cursor *c = cursor;
1048 return hx509_certs_next_cert(context, c->certs, c->cursor, cert);
1052 p11_iter_end(hx509_context context,
1053 hx509_certs certs, void *data, void *cursor)
1055 struct p11_cursor *c = cursor;
1057 ret = hx509_certs_end_seq(context, c->certs, c->cursor);
1058 hx509_certs_free(&c->certs);
1063 #define MECHFLAG(x) { "unknown-flag-" #x, x }
1064 static struct units mechflags[] = {
1065 MECHFLAG(0x80000000),
1066 MECHFLAG(0x40000000),
1067 MECHFLAG(0x20000000),
1068 MECHFLAG(0x10000000),
1069 MECHFLAG(0x08000000),
1070 MECHFLAG(0x04000000),
1071 {"ec-compress", 0x2000000 },
1072 {"ec-uncompress", 0x1000000 },
1073 {"ec-namedcurve", 0x0800000 },
1074 {"ec-ecparameters", 0x0400000 },
1075 {"ec-f-2m", 0x0200000 },
1076 {"ec-f-p", 0x0100000 },
1077 {"derive", 0x0080000 },
1078 {"unwrap", 0x0040000 },
1079 {"wrap", 0x0020000 },
1080 {"genereate-key-pair", 0x0010000 },
1081 {"generate", 0x0008000 },
1082 {"verify-recover", 0x0004000 },
1083 {"verify", 0x0002000 },
1084 {"sign-recover", 0x0001000 },
1085 {"sign", 0x0000800 },
1086 {"digest", 0x0000400 },
1087 {"decrypt", 0x0000200 },
1088 {"encrypt", 0x0000100 },
1102 p11_printinfo(hx509_context context,
1105 int (*func)(void *, const char *),
1108 struct p11_module *p = data;
1111 _hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s",
1112 p->num_slots, p->num_slots > 1 ? "s" : "");
1114 for (i = 0; i < p->num_slots; i++) {
1115 struct p11_slot *s = &p->slot[i];
1117 _hx509_pi_printf(func, ctx, "slot %d: id: %d name: %s flags: %08x",
1118 i, (int)s->id, s->name, s->flags);
1120 _hx509_pi_printf(func, ctx, "number of supported mechanisms: %lu",
1121 (unsigned long)s->mechs.num);
1122 for (j = 0; j < s->mechs.num; j++) {
1123 const char *mechname = "unknown";
1124 char flags[256], unknownname[40];
1125 #define MECHNAME(s,n) case s: mechname = n; break
1126 switch(s->mechs.list[j]) {
1127 MECHNAME(CKM_RSA_PKCS_KEY_PAIR_GEN, "rsa-pkcs-key-pair-gen");
1128 MECHNAME(CKM_RSA_PKCS, "rsa-pkcs");
1129 MECHNAME(CKM_RSA_X_509, "rsa-x-509");
1130 MECHNAME(CKM_MD5_RSA_PKCS, "md5-rsa-pkcs");
1131 MECHNAME(CKM_SHA1_RSA_PKCS, "sha1-rsa-pkcs");
1132 MECHNAME(CKM_SHA256_RSA_PKCS, "sha256-rsa-pkcs");
1133 MECHNAME(CKM_SHA384_RSA_PKCS, "sha384-rsa-pkcs");
1134 MECHNAME(CKM_SHA512_RSA_PKCS, "sha512-rsa-pkcs");
1135 MECHNAME(CKM_RIPEMD160_RSA_PKCS, "ripemd160-rsa-pkcs");
1136 MECHNAME(CKM_RSA_PKCS_OAEP, "rsa-pkcs-oaep");
1137 MECHNAME(CKM_SHA512_HMAC, "sha512-hmac");
1138 MECHNAME(CKM_SHA512, "sha512");
1139 MECHNAME(CKM_SHA384_HMAC, "sha384-hmac");
1140 MECHNAME(CKM_SHA384, "sha384");
1141 MECHNAME(CKM_SHA256_HMAC, "sha256-hmac");
1142 MECHNAME(CKM_SHA256, "sha256");
1143 MECHNAME(CKM_SHA_1, "sha1");
1144 MECHNAME(CKM_MD5, "md5");
1145 MECHNAME(CKM_MD2, "md2");
1146 MECHNAME(CKM_RIPEMD160, "ripemd-160");
1147 MECHNAME(CKM_DES_ECB, "des-ecb");
1148 MECHNAME(CKM_DES_CBC, "des-cbc");
1149 MECHNAME(CKM_AES_ECB, "aes-ecb");
1150 MECHNAME(CKM_AES_CBC, "aes-cbc");
1151 MECHNAME(CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen");
1153 snprintf(unknownname, sizeof(unknownname),
1155 (unsigned long)s->mechs.list[j]);
1156 mechname = unknownname;
1160 unparse_flags(s->mechs.infos[j]->flags, mechflags,
1161 flags, sizeof(flags));
1163 _hx509_pi_printf(func, ctx, " %s: %s", mechname, flags);
1170 static struct hx509_keyset_ops keyset_pkcs11 = {
1184 #endif /* HAVE_DLOPEN */
1187 _hx509_ks_pkcs11_register(hx509_context context)
1190 _hx509_ks_register(context, &keyset_pkcs11);