2 * Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 RCSID("$Id: ks_p11.c 20920 2007-06-05 05:47:06Z lha $");
47 #define P11_SESSION_IN_USE 2
48 #define P11_LOGIN_REQ 4
49 #define P11_LOGIN_DONE 8
50 #define P11_TOKEN_PRESENT 16
51 CK_SESSION_HANDLE session;
58 CK_MECHANISM_TYPE_PTR list;
60 CK_MECHANISM_INFO_PTR *infos;
66 CK_FUNCTION_LIST_PTR funcs;
68 unsigned int refcount;
69 struct p11_slot *slot;
72 #define P11FUNC(module,f,args) (*(module)->funcs->C_##f)args
74 static int p11_get_session(hx509_context,
79 static int p11_put_session(struct p11_module *,
82 static void p11_release_module(struct p11_module *);
84 static int p11_list_keys(hx509_context,
97 struct p11_slot *slot;
98 CK_OBJECT_HANDLE private_key;
99 CK_OBJECT_HANDLE public_key;
103 p11_rsa_public_encrypt(int flen,
104 const unsigned char *from,
113 p11_rsa_public_decrypt(int flen,
114 const unsigned char *from,
124 p11_rsa_private_encrypt(int flen,
125 const unsigned char *from,
130 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
131 CK_OBJECT_HANDLE key = p11rsa->private_key;
132 CK_SESSION_HANDLE session;
133 CK_MECHANISM mechanism;
137 if (padding != RSA_PKCS1_PADDING)
140 memset(&mechanism, 0, sizeof(mechanism));
141 mechanism.mechanism = CKM_RSA_PKCS;
143 ck_sigsize = RSA_size(rsa);
145 ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
149 ret = P11FUNC(p11rsa->p, SignInit, (session, &mechanism, key));
151 p11_put_session(p11rsa->p, p11rsa->slot, session);
155 ret = P11FUNC(p11rsa->p, Sign,
156 (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
157 p11_put_session(p11rsa->p, p11rsa->slot, session);
165 p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
166 RSA * rsa, int padding)
168 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
169 CK_OBJECT_HANDLE key = p11rsa->private_key;
170 CK_SESSION_HANDLE session;
171 CK_MECHANISM mechanism;
175 if (padding != RSA_PKCS1_PADDING)
178 memset(&mechanism, 0, sizeof(mechanism));
179 mechanism.mechanism = CKM_RSA_PKCS;
181 ck_sigsize = RSA_size(rsa);
183 ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
187 ret = P11FUNC(p11rsa->p, DecryptInit, (session, &mechanism, key));
189 p11_put_session(p11rsa->p, p11rsa->slot, session);
193 ret = P11FUNC(p11rsa->p, Decrypt,
194 (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
195 p11_put_session(p11rsa->p, p11rsa->slot, session);
203 p11_rsa_init(RSA *rsa)
209 p11_rsa_finish(RSA *rsa)
211 struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
212 p11_release_module(p11rsa->p);
217 static const RSA_METHOD p11_rsa_pkcs1_method = {
218 "hx509 PKCS11 PKCS#1 RSA",
219 p11_rsa_public_encrypt,
220 p11_rsa_public_decrypt,
221 p11_rsa_private_encrypt,
222 p11_rsa_private_decrypt,
238 p11_mech_info(hx509_context context,
239 struct p11_module *p,
240 struct p11_slot *slot,
246 ret = P11FUNC(p, GetMechanismList, (slot->id, NULL_PTR, &i));
248 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
249 "Failed to get mech list count for slot %d",
251 return HX509_PKCS11_NO_MECH;
254 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
255 "no mech supported for slot %d", num);
256 return HX509_PKCS11_NO_MECH;
258 slot->mechs.list = calloc(i, sizeof(slot->mechs.list[0]));
259 if (slot->mechs.list == NULL) {
260 hx509_set_error_string(context, 0, ENOMEM,
265 ret = P11FUNC(p, GetMechanismList, (slot->id, slot->mechs.list, &i));
267 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
268 "Failed to get mech list for slot %d",
270 return HX509_PKCS11_NO_MECH;
272 assert(i == slot->mechs.num);
274 slot->mechs.infos = calloc(i, sizeof(*slot->mechs.infos));
275 if (slot->mechs.list == NULL) {
276 hx509_set_error_string(context, 0, ENOMEM,
281 for (i = 0; i < slot->mechs.num; i++) {
282 slot->mechs.infos[i] = calloc(1, sizeof(*(slot->mechs.infos[0])));
283 if (slot->mechs.infos[i] == NULL) {
284 hx509_set_error_string(context, 0, ENOMEM,
288 ret = P11FUNC(p, GetMechanismInfo, (slot->id, slot->mechs.list[i],
289 slot->mechs.infos[i]));
291 hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
292 "Failed to get mech info for slot %d",
294 return HX509_PKCS11_NO_MECH;
302 p11_init_slot(hx509_context context,
303 struct p11_module *p,
307 struct p11_slot *slot)
309 CK_SESSION_HANDLE session;
310 CK_SLOT_INFO slot_info;
311 CK_TOKEN_INFO token_info;
317 ret = P11FUNC(p, GetSlotInfo, (slot->id, &slot_info));
319 hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
320 "Failed to init PKCS11 slot %d",
322 return HX509_PKCS11_TOKEN_CONFUSED;
325 for (i = sizeof(slot_info.slotDescription) - 1; i > 0; i--) {
326 char c = slot_info.slotDescription[i];
327 if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\0')
333 asprintf(&slot->name, "%.*s",
334 i, slot_info.slotDescription);
336 if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
339 ret = P11FUNC(p, GetTokenInfo, (slot->id, &token_info));
341 hx509_set_error_string(context, 0, HX509_PKCS11_NO_TOKEN,
342 "Failed to init PKCS11 slot %d "
345 return HX509_PKCS11_NO_TOKEN;
347 slot->flags |= P11_TOKEN_PRESENT;
349 if (token_info.flags & CKF_LOGIN_REQUIRED)
350 slot->flags |= P11_LOGIN_REQ;
352 ret = p11_get_session(context, p, slot, lock, &session);
356 ret = p11_mech_info(context, p, slot, num);
360 ret = p11_list_keys(context, p, slot, session, lock, &slot->certs);
362 p11_put_session(p, slot, session);
368 p11_get_session(hx509_context context,
369 struct p11_module *p,
370 struct p11_slot *slot,
372 CK_SESSION_HANDLE *psession)
376 if (slot->flags & P11_SESSION_IN_USE)
377 _hx509_abort("slot already in session");
379 if (slot->flags & P11_SESSION) {
380 slot->flags |= P11_SESSION_IN_USE;
381 *psession = slot->session;
385 ret = P11FUNC(p, OpenSession, (slot->id,
392 hx509_set_error_string(context, 0, HX509_PKCS11_OPEN_SESSION,
393 "Failed to OpenSession for slot id %d "
394 "with error: 0x%08x",
396 return HX509_PKCS11_OPEN_SESSION;
399 slot->flags |= P11_SESSION;
402 * If we have have to login, and haven't tried before and have a
403 * prompter or known to work pin code.
405 * This code is very conversative and only uses the prompter in
406 * the hx509_lock, the reason is that its bad to try many
407 * passwords on a pkcs11 token, it might lock up and have to be
408 * unlocked by a administrator.
410 * XXX try harder to not use pin several times on the same card.
413 if ( (slot->flags & P11_LOGIN_REQ)
414 && (slot->flags & P11_LOGIN_DONE) == 0
415 && (lock || slot->pin))
421 slot->flags |= P11_LOGIN_DONE;
423 if (slot->pin == NULL) {
425 memset(&prompt, 0, sizeof(prompt));
427 asprintf(&str, "PIN code for %s: ", slot->name);
429 prompt.type = HX509_PROMPT_TYPE_PASSWORD;
430 prompt.reply.data = pin;
431 prompt.reply.length = sizeof(pin);
433 ret = hx509_lock_prompt(lock, &prompt);
437 hx509_set_error_string(context, 0, ret,
438 "Failed to get pin code for slot "
439 "id %d with error: %d",
445 strlcpy(pin, slot->pin, sizeof(pin));
448 ret = P11FUNC(p, Login, (slot->session, CKU_USER,
449 (unsigned char*)pin, strlen(pin)));
452 hx509_set_error_string(context, 0, HX509_PKCS11_LOGIN,
453 "Failed to login on slot id %d "
454 "with error: 0x%08x",
456 p11_put_session(p, slot, slot->session);
457 return HX509_PKCS11_LOGIN;
459 if (slot->pin == NULL) {
460 slot->pin = strdup(pin);
461 if (slot->pin == NULL) {
463 hx509_set_error_string(context, 0, ENOMEM,
465 p11_put_session(p, slot, slot->session);
470 slot->flags |= P11_LOGIN_DONE;
472 slot->flags |= P11_SESSION_IN_USE;
474 *psession = slot->session;
480 p11_put_session(struct p11_module *p,
481 struct p11_slot *slot,
482 CK_SESSION_HANDLE session)
484 if ((slot->flags & P11_SESSION_IN_USE) == 0)
485 _hx509_abort("slot not in session");
486 slot->flags &= ~P11_SESSION_IN_USE;
492 iterate_entries(hx509_context context,
493 struct p11_module *p, struct p11_slot *slot,
494 CK_SESSION_HANDLE session,
495 CK_ATTRIBUTE *search_data, int num_search_data,
496 CK_ATTRIBUTE *query, int num_query,
497 int (*func)(hx509_context,
498 struct p11_module *, struct p11_slot *,
499 CK_SESSION_HANDLE session,
500 CK_OBJECT_HANDLE object,
501 void *, CK_ATTRIBUTE *, int), void *ptr)
503 CK_OBJECT_HANDLE object;
504 CK_ULONG object_count;
507 ret = P11FUNC(p, FindObjectsInit, (session, search_data, num_search_data));
512 ret = P11FUNC(p, FindObjects, (session, &object, 1, &object_count));
516 if (object_count == 0)
519 for (i = 0; i < num_query; i++)
520 query[i].pValue = NULL;
522 ret = P11FUNC(p, GetAttributeValue,
523 (session, object, query, num_query));
527 for (i = 0; i < num_query; i++) {
528 query[i].pValue = malloc(query[i].ulValueLen);
529 if (query[i].pValue == NULL) {
534 ret = P11FUNC(p, GetAttributeValue,
535 (session, object, query, num_query));
541 ret = (*func)(context, p, slot, session, object, ptr, query, num_query);
545 for (i = 0; i < num_query; i++) {
547 free(query[i].pValue);
548 query[i].pValue = NULL;
553 for (i = 0; i < num_query; i++) {
555 free(query[i].pValue);
556 query[i].pValue = NULL;
559 ret = P11FUNC(p, FindObjectsFinal, (session));
569 getattr_bn(struct p11_module *p,
570 struct p11_slot *slot,
571 CK_SESSION_HANDLE session,
572 CK_OBJECT_HANDLE object,
581 query.ulValueLen = 0;
583 ret = P11FUNC(p, GetAttributeValue,
584 (session, object, &query, 1));
588 query.pValue = malloc(query.ulValueLen);
590 ret = P11FUNC(p, GetAttributeValue,
591 (session, object, &query, 1));
596 bn = BN_bin2bn(query.pValue, query.ulValueLen, NULL);
603 collect_private_key(hx509_context context,
604 struct p11_module *p, struct p11_slot *slot,
605 CK_SESSION_HANDLE session,
606 CK_OBJECT_HANDLE object,
607 void *ptr, CK_ATTRIBUTE *query, int num_query)
609 struct hx509_collector *collector = ptr;
610 hx509_private_key key;
611 heim_octet_string localKeyId;
614 struct p11_rsa *p11rsa;
616 localKeyId.data = query[0].pValue;
617 localKeyId.length = query[0].ulValueLen;
619 ret = _hx509_private_key_init(&key, NULL, NULL);
625 _hx509_abort("out of memory");
628 * The exponent and modulus should always be present according to
629 * the pkcs11 specification, but some smartcards leaves it out,
630 * let ignore any failure to fetch it.
632 rsa->n = getattr_bn(p, slot, session, object, CKA_MODULUS);
633 rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
635 p11rsa = calloc(1, sizeof(*p11rsa));
637 _hx509_abort("out of memory");
641 p11rsa->private_key = object;
644 if (p->refcount == 0)
645 _hx509_abort("pkcs11 refcount to high");
647 RSA_set_method(rsa, &p11_rsa_pkcs1_method);
648 ret = RSA_set_app_data(rsa, p11rsa);
650 _hx509_abort("RSA_set_app_data");
652 _hx509_private_key_assign_rsa(key, rsa);
654 ret = _hx509_collector_private_key_add(context,
656 hx509_signature_rsa(),
662 _hx509_private_key_free(&key);
669 p11_cert_release(hx509_cert cert, void *ctx)
671 struct p11_module *p = ctx;
672 p11_release_module(p);
677 collect_cert(hx509_context context,
678 struct p11_module *p, struct p11_slot *slot,
679 CK_SESSION_HANDLE session,
680 CK_OBJECT_HANDLE object,
681 void *ptr, CK_ATTRIBUTE *query, int num_query)
683 struct hx509_collector *collector = ptr;
688 if ((CK_LONG)query[0].ulValueLen == -1 ||
689 (CK_LONG)query[1].ulValueLen == -1)
695 ret = decode_Certificate(query[1].pValue, query[1].ulValueLen,
698 hx509_clear_error_string(context);
702 ret = hx509_cert_init(context, &t, &cert);
703 free_Certificate(&t);
708 if (p->refcount == 0)
709 _hx509_abort("pkcs11 refcount to high");
711 _hx509_cert_set_release(cert, p11_cert_release, p);
714 heim_octet_string data;
716 data.data = query[0].pValue;
717 data.length = query[0].ulValueLen;
719 _hx509_set_cert_attribute(context,
721 oid_id_pkcs_9_at_localKeyId(),
725 if ((CK_LONG)query[2].ulValueLen != -1) {
728 asprintf(&str, "%.*s",
729 (int)query[2].ulValueLen, (char *)query[2].pValue);
731 hx509_cert_set_friendly_name(cert, str);
736 ret = _hx509_collector_certs_add(context, collector, cert);
737 hx509_cert_free(cert);
744 p11_list_keys(hx509_context context,
745 struct p11_module *p,
746 struct p11_slot *slot,
747 CK_SESSION_HANDLE session,
751 struct hx509_collector *collector;
752 CK_OBJECT_CLASS key_class;
753 CK_ATTRIBUTE search_data[] = {
754 {CKA_CLASS, NULL, 0},
756 CK_ATTRIBUTE query_data[3] = {
758 {CKA_VALUE, NULL, 0},
763 search_data[0].pValue = &key_class;
764 search_data[0].ulValueLen = sizeof(key_class);
767 lock = _hx509_empty_lock;
769 ret = _hx509_collector_alloc(context, lock, &collector);
773 key_class = CKO_PRIVATE_KEY;
774 ret = iterate_entries(context, p, slot, session,
777 collect_private_key, collector);
781 key_class = CKO_CERTIFICATE;
782 ret = iterate_entries(context, p, slot, session,
785 collect_cert, collector);
789 ret = _hx509_collector_collect_certs(context, collector, &slot->certs);
792 _hx509_collector_free(collector);
799 p11_init(hx509_context context,
800 hx509_certs certs, void **data, int flags,
801 const char *residue, hx509_lock lock)
803 CK_C_GetFunctionList getFuncs;
804 struct p11_module *p;
810 list = strdup(residue);
814 p = calloc(1, sizeof(*p));
822 str = strchr(list, ',');
827 strnext = strchr(str, ',');
831 if (strncasecmp(str, "slot=", 5) == 0)
832 p->selected_slot = atoi(str + 5);
837 p->dl_handle = dlopen(list, RTLD_NOW);
839 if (p->dl_handle == NULL) {
840 ret = HX509_PKCS11_LOAD;
841 hx509_set_error_string(context, 0, ret,
842 "Failed to open %s: %s", list, dlerror());
846 getFuncs = dlsym(p->dl_handle, "C_GetFunctionList");
847 if (getFuncs == NULL) {
848 ret = HX509_PKCS11_LOAD;
849 hx509_set_error_string(context, 0, ret,
850 "C_GetFunctionList missing in %s: %s",
855 ret = (*getFuncs)(&p->funcs);
857 ret = HX509_PKCS11_LOAD;
858 hx509_set_error_string(context, 0, ret,
859 "C_GetFunctionList failed in %s", list);
863 ret = P11FUNC(p, Initialize, (NULL_PTR));
865 ret = HX509_PKCS11_TOKEN_CONFUSED;
866 hx509_set_error_string(context, 0, ret,
867 "Failed initialize the PKCS11 module");
871 ret = P11FUNC(p, GetSlotList, (FALSE, NULL, &p->num_slots));
873 ret = HX509_PKCS11_TOKEN_CONFUSED;
874 hx509_set_error_string(context, 0, ret,
875 "Failed to get number of PKCS11 slots");
879 if (p->num_slots == 0) {
880 ret = HX509_PKCS11_NO_SLOT;
881 hx509_set_error_string(context, 0, ret,
882 "Selected PKCS11 module have no slots");
888 CK_SLOT_ID_PTR slot_ids;
889 int i, num_tokens = 0;
891 slot_ids = malloc(p->num_slots * sizeof(*slot_ids));
892 if (slot_ids == NULL) {
893 hx509_clear_error_string(context);
898 ret = P11FUNC(p, GetSlotList, (FALSE, slot_ids, &p->num_slots));
901 hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
902 "Failed getting slot-list from "
904 ret = HX509_PKCS11_TOKEN_CONFUSED;
908 p->slot = calloc(p->num_slots, sizeof(p->slot[0]));
909 if (p->slot == NULL) {
911 hx509_set_error_string(context, 0, ENOMEM,
912 "Failed to get memory for slot-list");
917 for (i = 0; i < p->num_slots; i++) {
918 ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);
921 if (p->slot[i].flags & P11_TOKEN_PRESENT)
927 if (num_tokens == 0) {
928 ret = HX509_PKCS11_NO_TOKEN;
937 p11_release_module(p);
942 p11_release_module(struct p11_module *p)
946 if (p->refcount == 0)
947 _hx509_abort("pkcs11 refcount to low");
948 if (--p->refcount > 0)
951 for (i = 0; i < p->num_slots; i++) {
952 if (p->slot[i].flags & P11_SESSION_IN_USE)
953 _hx509_abort("pkcs11 module release while session in use");
954 if (p->slot[i].flags & P11_SESSION) {
957 ret = P11FUNC(p, CloseSession, (p->slot[i].session));
963 free(p->slot[i].name);
964 if (p->slot[i].pin) {
965 memset(p->slot[i].pin, 0, strlen(p->slot[i].pin));
966 free(p->slot[i].pin);
968 if (p->slot[i].mechs.num) {
969 free(p->slot[i].mechs.list);
971 if (p->slot[i].mechs.infos) {
974 for (j = 0 ; j < p->slot[i].mechs.num ; j++)
975 free(p->slot[i].mechs.infos[j]);
976 free(p->slot[i].mechs.infos);
983 P11FUNC(p, Finalize, (NULL));
986 dlclose(p->dl_handle);
988 memset(p, 0, sizeof(*p));
993 p11_free(hx509_certs certs, void *data)
995 struct p11_module *p = data;
998 for (i = 0; i < p->num_slots; i++) {
999 if (p->slot[i].certs)
1000 hx509_certs_free(&p->slot[i].certs);
1002 p11_release_module(p);
1012 p11_iter_start(hx509_context context,
1013 hx509_certs certs, void *data, void **cursor)
1015 struct p11_module *p = data;
1016 struct p11_cursor *c;
1019 c = malloc(sizeof(*c));
1021 hx509_clear_error_string(context);
1024 ret = hx509_certs_init(context, "MEMORY:pkcs11-iter", 0, NULL, &c->certs);
1030 for (i = 0 ; i < p->num_slots; i++) {
1031 if (p->slot[i].certs == NULL)
1033 ret = hx509_certs_merge(context, c->certs, p->slot[i].certs);
1035 hx509_certs_free(&c->certs);
1041 ret = hx509_certs_start_seq(context, c->certs, &c->cursor);
1043 hx509_certs_free(&c->certs);
1053 p11_iter(hx509_context context,
1054 hx509_certs certs, void *data, void *cursor, hx509_cert *cert)
1056 struct p11_cursor *c = cursor;
1057 return hx509_certs_next_cert(context, c->certs, c->cursor, cert);
1061 p11_iter_end(hx509_context context,
1062 hx509_certs certs, void *data, void *cursor)
1064 struct p11_cursor *c = cursor;
1066 ret = hx509_certs_end_seq(context, c->certs, c->cursor);
1067 hx509_certs_free(&c->certs);
1072 #define MECHFLAG(x) { "unknown-flag-" #x, x }
1073 static struct units mechflags[] = {
1074 MECHFLAG(0x80000000),
1075 MECHFLAG(0x40000000),
1076 MECHFLAG(0x20000000),
1077 MECHFLAG(0x10000000),
1078 MECHFLAG(0x08000000),
1079 MECHFLAG(0x04000000),
1080 {"ec-compress", 0x2000000 },
1081 {"ec-uncompress", 0x1000000 },
1082 {"ec-namedcurve", 0x0800000 },
1083 {"ec-ecparameters", 0x0400000 },
1084 {"ec-f-2m", 0x0200000 },
1085 {"ec-f-p", 0x0100000 },
1086 {"derive", 0x0080000 },
1087 {"unwrap", 0x0040000 },
1088 {"wrap", 0x0020000 },
1089 {"genereate-key-pair", 0x0010000 },
1090 {"generate", 0x0008000 },
1091 {"verify-recover", 0x0004000 },
1092 {"verify", 0x0002000 },
1093 {"sign-recover", 0x0001000 },
1094 {"sign", 0x0000800 },
1095 {"digest", 0x0000400 },
1096 {"decrypt", 0x0000200 },
1097 {"encrypt", 0x0000100 },
1111 p11_printinfo(hx509_context context,
1114 int (*func)(void *, const char *),
1117 struct p11_module *p = data;
1120 _hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s",
1121 p->num_slots, p->num_slots > 1 ? "s" : "");
1123 for (i = 0; i < p->num_slots; i++) {
1124 struct p11_slot *s = &p->slot[i];
1126 _hx509_pi_printf(func, ctx, "slot %d: id: %d name: %s flags: %08x",
1127 i, (int)s->id, s->name, s->flags);
1129 _hx509_pi_printf(func, ctx, "number of supported mechanisms: %lu",
1130 (unsigned long)s->mechs.num);
1131 for (j = 0; j < s->mechs.num; j++) {
1132 const char *mechname = "unknown";
1133 char flags[256], unknownname[40];
1134 #define MECHNAME(s,n) case s: mechname = n; break
1135 switch(s->mechs.list[j]) {
1136 MECHNAME(CKM_RSA_PKCS_KEY_PAIR_GEN, "rsa-pkcs-key-pair-gen");
1137 MECHNAME(CKM_RSA_PKCS, "rsa-pkcs");
1138 MECHNAME(CKM_RSA_X_509, "rsa-x-509");
1139 MECHNAME(CKM_MD5_RSA_PKCS, "md5-rsa-pkcs");
1140 MECHNAME(CKM_SHA1_RSA_PKCS, "sha1-rsa-pkcs");
1141 MECHNAME(CKM_RIPEMD160_RSA_PKCS, "ripemd160-rsa-pkcs");
1142 MECHNAME(CKM_RSA_PKCS_OAEP, "rsa-pkcs-oaep");
1143 MECHNAME(CKM_SHA_1, "sha1");
1144 MECHNAME(CKM_MD5, "md5");
1145 MECHNAME(CKM_MD2, "md2");
1146 MECHNAME(CKM_RIPEMD160, "ripemd-160");
1147 MECHNAME(CKM_DES_ECB, "des-ecb");
1148 MECHNAME(CKM_DES_CBC, "des-cbc");
1149 MECHNAME(CKM_AES_ECB, "aes-ecb");
1150 MECHNAME(CKM_AES_CBC, "aes-cbc");
1151 MECHNAME(CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen");
1153 snprintf(unknownname, sizeof(unknownname),
1155 (unsigned long)s->mechs.list[j]);
1156 mechname = unknownname;
1160 unparse_flags(s->mechs.infos[j]->flags, mechflags,
1161 flags, sizeof(flags));
1163 _hx509_pi_printf(func, ctx, " %s: %s", mechname, flags);
1170 static struct hx509_keyset_ops keyset_pkcs11 = {
1184 #endif /* HAVE_DLOPEN */
1187 _hx509_ks_pkcs11_register(hx509_context context)
1190 _hx509_ks_register(context, &keyset_pkcs11);