pax_global_header00006660000000000000000000000064126521537410014520gustar00rootroot0000000000000052 comment=454abffab662bbf592648fb24daeaf745766241d engine_pkcs11-engine_pkcs11-0.2.1/000077500000000000000000000000001265215374100165745ustar00rootroot00000000000000engine_pkcs11-engine_pkcs11-0.2.1/.gitignore000066400000000000000000000010301265215374100205560ustar00rootroot00000000000000Makefile Makefile.in core archive acinclude.m4 aclocal.m4 autom4te.cache compile confdefs.h config.* configure conftest conftest.c depcomp install-sh libtool libtool.m4 ltmain.sh missing mkinstalldirs so_locations stamp-h* test-driver *.trs *.log .deps .libs .#*# .*.bak .*.orig .*.rej .*~ #*# *.bak *.d *.def *.dll *.exe *.la *.lib *.lo *.o *.orig *.pdb *.rej *.u *.res *.pc *~ *.gz *.bz2 *.[0-9] *.out m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 m4/lt~obsolete.m4 test-driver tests/evp-sign tests/*.log tests/*.trs tests/output.* engine_pkcs11-engine_pkcs11-0.2.1/.travis.sh000077500000000000000000000036441265215374100205300ustar00rootroot00000000000000#!/bin/sh set -e # # Copyright (c) 2016 Michał Trojnara # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. install_from_github() { echo "Installing $2" git clone https://github.com/$1/$2.git cd $2 autoreconf -fvi ./configure make sudo -E make install cd .. echo "$2 installed" sudo ldconfig } # ppa:pkg-opendnssec provides a less-obsolete softhsm sudo apt-add-repository -y ppa:pkg-opendnssec/ppa sudo apt-get update -qq # libpcsclite-dev is required for OpenSC # softhsm is required for "make check" sudo apt-get install -y libpcsclite-dev softhsm export CC=`which $CC` mkdir prerequisites cd prerequisites install_from_github OpenSC OpenSC install_from_github OpenSC libp11 cd .. rm -rf prerequisites engine_pkcs11-engine_pkcs11-0.2.1/.travis.yml000066400000000000000000000002701265215374100207040ustar00rootroot00000000000000sudo: true language: c compiler: - clang - gcc before_script: - ./.travis.sh - touch config.rpath && autoreconf -fvi && ./configure script: make && make check && make dist engine_pkcs11-engine_pkcs11-0.2.1/Makefile.am000066400000000000000000000014041265215374100206270ustar00rootroot00000000000000 AUTOMAKE_OPTIONS = foreign 1.10 ACLOCAL_AMFLAGS = -I m4 MAINTAINERCLEANFILES = \ config.log config.status \ $(srcdir)/Makefile.in \ $(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \ $(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \ $(srcdir)/depcomp $(srcdir)/aclocal.m4 \ $(srcdir)/config.guess $(srcdir)/config.sub \ $(srcdir)/m4/ltsugar.m4 $(srcdir)/m4/libtool.m4 \ $(srcdir)/m4/ltversion.m4 $(srcdir)/m4/lt~obsolete.m4 \ $(srcdir)/m4/ltoptions.m4 \ $(srcdir)/packaged # Prerequisites must be first on the list SUBDIRS = src tests dist_noinst_SCRIPTS = bootstrap dist_doc_DATA = NEWS README.md # Allow detection of packaged tarball dist-hook: $(MKDIR_P) "$(distdir)/m4" echo > "$(distdir)/packaged" # vim: set noexpandtab: engine_pkcs11-engine_pkcs11-0.2.1/Makefile.mak000066400000000000000000000002131265215374100207770ustar00rootroot00000000000000 SUBDIRS = src all:: all depend install clean:: @for %i in ( $(SUBDIRS) ) do \ @cmd /c "cd %i && $(MAKE) /nologo /f Makefile.mak $@" engine_pkcs11-engine_pkcs11-0.2.1/NEWS000066400000000000000000000043141265215374100172750ustar00rootroot00000000000000NEWS for Engine PKCS#11 -- History of user visible changes New in 0.2.1; 2016-01-27; Michał Trojnara * Fixed PIN-less access to public keys (Mouse) * Added OpenSSL engines directory autodetection (Michał Trojnara) * Added "--with-pkcs11-module" configure option; addresses #36 (Michał Trojnara) * Windows library name updated to "pkcs11.dll" to match other OpenSSL engines (Michał Trojnara) * Require the new libp11 0.3.1 library (Michał Trojnara) New in 0.2.0; 2015-10-09; Nikos Mavrogiannopoulos * Added support for ECDSA when compiled with libp11 0.3.0 (Douglas E. Engert) * Updated engine name to match other openssl engines * Added support for PKCS #11 URLs -RFC7512- when loading keys or certificates (David Woodhouse) * Added support for id_ legacy object identifier (Petr Písař) * When no module is set default to p11-kit-proxy.so, allowing to access any available PKCS #11 object in the system (David Woodhouse) New in 0.1.8; 2010-01-07; Andreas Jellinghaus * Fix problem causing slot_n parsing returning not certs or keys by Camille Moncelier * Fix missing declaration of set_init_args symbol by Arfrever Frehtes Taifersar Arahesis New in 0.1.7; 2009-10-20; Andreas Jellinghaus * Buffer overrun fixed by David Smith New in 0.1.6; 2009-06-15; Andreas Jellinghaus * Fixed set_pin (strdup causes segfault in OPENSSL_CLEANSE later) * Require new libp11 0.2.5 with new function to get the slot id. * Revert changes to slot parsing code - seems partial bogus and original author doesn't respond to questions. * print slot id in verbose mode (Douglas E. Engert). New in 0.1.5; 2008-07-31; Andreas Jellinghaus * Build system rewritten (NOTICE: configure options was modified). The build system can produce outputs for *NIX, cygwin and native windows (using mingw). * cleanup pin code, always use MAX_PIN_LENGTH, proper cleanup. * new use PKCS11_CTX_init_args (David Smith) * fix segfault in init_args code. * needs new version of libp11 (0.2.4 or later). New in 0.1.4; 2007-07-11; Andreas Jellinghaus * update wiki export script. * new urls. * disabled some dead code. * new max length for pin: 32 bytes. * make internal variables and code static. * parse slot as hex too. * support selecting slot by label. engine_pkcs11-engine_pkcs11-0.2.1/README.md000066400000000000000000000151461265215374100200620ustar00rootroot00000000000000# Build state [![Build Status](https://travis-ci.org/OpenSC/engine_pkcs11.png)](https://travis-ci.org/OpenSC/engine_pkcs11) [![Build status](https://ci.appveyor.com/api/projects/status/v1dd09ax199m0ev3?svg=true)](https://ci.appveyor.com/project/LudovicRousseau/engine-pkcs11) # engine_pkcs11: an OpenSSL engine for PKCS#11 modules engine_pkcs11 is an engine plug-in for the OpenSSL library allowing to access PKCS #11 modules in a semi-transparent way. ## PKCS#11 The PKCS#11 API is an abstract API to access operations on cryptographic objects such as private keys, without requiring access to the objects themselves. That is, it provides a logical separation of the keys from the operations. The PKCS #11 API is mainly used to access objects in smart cards and Hardware or Software Security Modules (HSMs). That is because in these modules the cryptographic keys are isolated in hardware or software and are not made available to the applications using them. PKCS#11 API is an OASIS standard and it is supported by various hardware and software vendors. Usually, hardware vendors provide a PKCS#11 module to access their devices. A prominent example is the OpenSC PKCS #11 module which provides access to a variety of smart cards. Other libraries like NSS or GnuTLS already take advantage of PKCS #11 to access cryptographic objects. ## OpenSSL engines OpenSSL implements various cipher, digest, and signing features and it can consume and produce keys. However plenty of people think that these features should be implemented in a separate hardware, like USB tokens, smart cards or hardware security modules. Therefore OpenSSL has an abstraction layer called engine which can delegate some of these features to different piece of software or hardware. engine_pkcs11 tries to fit the PKCS #11 API within the engine API of OpenSSL. That is, it provides a gateway between PKCS#11 modules and the OpenSSL engine API. One has to register the engine into the OpenSSL and one has to provide path to a PKCS#11 module which should be gatewayed to. This can be done by editing the OpenSSL configuration file (not recommended), by engine specific controls, or by using the p11-kit proxy module. The p11-kit proxy module provides access to any configured PKCS #11 module in the system. See [the p11-kit web pages](http://p11-glue.freedesktop.org/p11-kit.html) for more information. # PKCS #11 module configuration ## Copying the engine shared object to the proper location OpenSSL has a location where engine shared objects can be placed and they will be automatically loaded when requested. It is recommended to copy engine_pkcs11 at that location as libpkcs11.so to ease usage. This is handle by 'make install' of engine_pkcs11. ## Using in systems with p11-kit In systems with p11-kit-proxy engine_pkcs11 has access to all the configured PKCS #11 modules and requires no further configuration. ## Using in systems without p11-kit In systems without p11-kit-proxy you need to configure OpenSSL to know about the engine and to use OpenSC PKCS#11 module by the engine_pkcs11. For that you add something like the following into your global OpenSSL configuration file (often in ``/etc/ssl/openssl.cnf``). ``` [engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id = pkcs11 dynamic_path = libpkcs11.so MODULE_PATH = /usr/lib/opensc-pkcs11.so init = 0 ``` The dynamic_path value is the engine_pkcs11 plug-in, the MODULE_PATH value is the OpenSC PKCS#11 plug-in. The engine_id value is an arbitrary identifier for OpenSSL applications to select the engine by the identifier. In systems with p11-kit-proxy installed and configured, you do not need to modify the OpenSSL configuration file; the configuration of p11-kit will be used. ## Testing the engine operation To verify that the engine is properly operating you can use the following example. ``` $ openssl engine pkcs11 -t (pkcs11) pkcs11 engine [ available ] ``` ## Using the engine from the command line tool This section demonstrates how to use the command line tool to create a self signed certificate for "Andreas Jellinghaus". The key of the certificate will be generated in the token and will not exportable. For the examples that follow, we need to generate a private key in the token and obtain its private key URL. The following commands utilize p11tool for that. ``` $ p11tool --provider /usr/lib/opensc-pkcs11.so --login --generate-rsa --bits 1024 --label test-key $ p11tool --provider /usr/lib/opensc-pkcs11.so --list-privkeys --login ``` Note the PKCS #11 URL shown above and use it in the commands below. To generate a certificate with its key in the PKCS #11 module, the following commands commands can be used. The first command creates a self signed Certificate for "Andreas Jellinghaus". The signing is done using the key specified by the URL. The second command creates a self-signed certificate for the request, the private key used to sign the certificate is the same private key used to create the request. Note that in a PKCS #11 URL you can specify the PIN using the "pin-value" attribute. ``` $ openssl OpenSSL> req -engine pkcs11 -new -key "pkcs11:object=test-key;type=private;pin-value=XXXX" \ -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus" OpenSSL> x509 -engine pkcs11 -signkey "pkcs11:object=test-key;type=private;pin-value=XXXX" \ -keyform engine -in req.pem -out cert.pem ``` For the above commands to operate in systems without p11-kit you will need to provide the engine configuration explicitly. The following line loads engine_pkcs11 with the PKCS#11 module opensc-pkcs11.so. ``` OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/libpkcs11.so \ -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \ -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so ``` ## Engine controls The supported engine controls are the following. * **SO_PATH**: Specifies the path to the 'pkcs11-engine' shared library * **MODULE_PATH**: Specifies the path to the pkcs11 module shared library * **PIN**: Specifies the pin code * **VERBOSE**: Print additional details * **QUIET**: Do not print additional details * **LOAD_CERT_CTRL**: Load a certificate from token An example code snippet setting specific module is shown below. ``` ENGINE_ctrl_cmd(engine, "MODULE_PATH", 0, "/path/to/pkcs11module.so", NULL, 1); ``` In systems with p11-kit, if this engine control is not called engine_pkcs11 defaults to loading the p11-kit proxy module. # Developer information ## Submitting pull requests For adding new features or extending functionality in addition to the code, please submit a test program which verifies the correctness of operation. See tests/ for the existing test suite. engine_pkcs11-engine_pkcs11-0.2.1/appveyor.yml000066400000000000000000000043721265215374100211720ustar00rootroot00000000000000version: 0.2.1.{build} platform: - x86 - x64 configuration: - Release - Debug environment: matrix: - VSVER: 12 # - VSVER: 10 install: - ps: if ($env:APPVEYOR_PULL_REQUEST_NUMBER -and $env:APPVEYOR_BUILD_NUMBER -ne ((Invoke-RestMethod ` https://ci.appveyor.com/api/projects/$env:APPVEYOR_ACCOUNT_NAME/$env:APPVEYOR_PROJECT_SLUG/history?recordsNumber=50).builds | ` Where-Object pullRequestId -eq $env:APPVEYOR_PULL_REQUEST_NUMBER)[0].buildNumber) { ` throw "There are newer queued builds for this pull request, failing early." } - date /T & time /T - set OPENSSL_VER=1_0_2e - ps: >- If ($env:Platform -Match "x86") { $env:VCVARS_PLATFORM="x86" $env:ENV_PLATFORM="x86" $env:NMAKE_ARCH="" $env:OPENSSL_PF="Win32" } Else { $env:VCVARS_PLATFORM="amd64" $env:ENV_PLATFORM="x64" $env:NMAKE_ARCH="BUILD_ON=WIN64 BUILD_FOR=WIN64" $env:OPENSSL_PF="Win64" } - ps: >- If (!(Test-Path -Path "C:\OpenSSL-${env:OPENSSL_PF}" )) { Start-FileDownload https://slproweb.com/download/${env:OPENSSL_PF}OpenSSL-${env:OPENSSL_VER}.exe -FileName C:\WinOpenSSL.exe C:\WinOpenSSL.exe /SILENT /VERYSILENT /SP- /SUPPRESSMSGBOXES /NORESTART } - ps: >- If ($env:Configuration -Like "*Debug*") { $env:NMAKE_EXTRA="DEBUG=yes ${env:NMAKE_EXTRA}" } - ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS")) - echo "Using Visual Studio %VSVER%.0 at %VSCOMNTOOLS%" - call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM% build_script: - git clone -q https://github.com/OpenSC/libp11.git C:\projects\libp11 - cd C:\projects\libp11 - nmake /f Makefile.mak %NMAKE_ARCH% %NMAKE_EXTRA% - appveyor PushArtifact src\libp11.dll - appveyor PushArtifact src\libp11.lib - ps: >- If ($env:Configuration -Like "*Debug*") { Push-AppveyorArtifact src\libp11.pdb } - cd C:\projects\engine-pkcs11 - nmake /f Makefile.mak %NMAKE_ARCH% %NMAKE_EXTRA% - appveyor PushArtifact src\pkcs11.dll - appveyor PushArtifact src\pkcs11.lib - ps: >- If ($env:Configuration -Like "*Debug*") { Push-AppveyorArtifact src\pkcs11.pdb } cache: - C:\OpenSSL-Win32 - C:\OpenSSL-Win64 engine_pkcs11-engine_pkcs11-0.2.1/bootstrap000077500000000000000000000000611265215374100205340ustar00rootroot00000000000000#!/bin/sh autoreconf --verbose --install --force engine_pkcs11-engine_pkcs11-0.2.1/configure.ac000066400000000000000000000125111265215374100210620ustar00rootroot00000000000000 AC_PREREQ(2.60) define([PACKAGE_VERSION_MAJOR], [0]) define([PACKAGE_VERSION_MINOR], [2]) define([PACKAGE_VERSION_FIX], [1]) define([PACKAGE_SUFFIX], []) AC_INIT([engine_pkcs11],[PACKAGE_VERSION_MAJOR.PACKAGE_VERSION_MINOR.PACKAGE_VERSION_FIX[]PACKAGE_SUFFIX]) AC_CONFIG_AUX_DIR([.]) AC_CONFIG_HEADERS([src/config.h]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE ENGINE_PKCS11_VERSION_MAJOR="PACKAGE_VERSION_MAJOR" ENGINE_PKCS11_VERSION_MINOR="PACKAGE_VERSION_MINOR" ENGINE_PKCS11_VERSION_FIX="PACKAGE_VERSION_FIX" AC_CONFIG_SRCDIR([src/engine_pkcs11.c]) # silent build by default ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) AC_CANONICAL_HOST AC_PROG_CC PKG_PROG_PKG_CONFIG AC_C_BIGENDIAN AC_ARG_WITH( [cygwin-native], [AS_HELP_STRING([--with-cygwin-native],[compile native win32])], , [with_cygwin_native="no"] ) dnl Check for some target-specific stuff test -z "${WIN32}" && WIN32="no" test -z "${CYGWIN}" && CYGWIN="no" case "${host}" in *-mingw*|*-winnt*) WIN32="yes" CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN" WIN_LIBPREFIX="lib" ;; *-cygwin*) AC_MSG_CHECKING([cygwin mode to use]) CYGWIN="yes" if test "${with_cygwin_native}" = "yes"; then AC_MSG_RESULT([Using native win32]) CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN" CFLAGS="${CFLAGS} -mno-cygwin" WIN32="yes" else AC_MSG_RESULT([Using cygwin]) CPPFLAGS="${CPPFLAGS} -DCRYPTOKI_FORCE_WIN32" WIN_LIBPREFIX="cyg" AC_DEFINE([USE_CYGWIN], [1], [Define if you are on Cygwin.]) fi ;; esac AC_ARG_ENABLE( [strict], [AS_HELP_STRING([--enable-strict],[enable strict compile mode @<:@disabled@:>@])], , [enable_strict="no"] ) AC_ARG_ENABLE( [pedantic], [AS_HELP_STRING([--enable-pedantic],[enable pedantic compile mode @<:@disabled@:>@])], , [enable_pedantic="no"] ) AC_ARG_WITH( [enginesdir], [AS_HELP_STRING([--with-enginesdir], [OpenSSL engines directory])], [enginesdir="${withval}"], [ libcryptodir="`$PKG_CONFIG --variable=libdir --silence-errors libcrypto || \ $PKG_CONFIG --variable=libdir openssl`" case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \ $PKG_CONFIG --modversion openssl`" in 1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x debian_ssl_prefix="openssl-1.1.0";; 1.0.*) # Engines directory prefix for OpenSSL 1.0.x debian_ssl_prefix="openssl-1.0.0";; *) # Engines directory prefix for OpenSSL 0.9.x debian_ssl_prefix="ssl";; esac if test -d "$libcryptodir/$debian_ssl_prefix/engines"; then # Debian-based OpenSSL package (for example Ubuntu) enginesdir="$libcryptodir/$debian_ssl_prefix/engines" else # Default OpenSSL engines directory enginesdir="$libcryptodir/engines" fi if test "${prefix}" != "NONE" -o "${exec_prefix}" != "NONE"; then # Override the autodetected value with the default enginesdir="${libdir}" fi ] ) AC_ARG_WITH( [pkcs11-module], [AS_HELP_STRING([--with-pkcs11-module], [default PKCS11 module])], [pkcs11_module="${withval}"], [pkcs11_module="`$PKG_CONFIG --variable=proxy_module --silence-errors p11-kit-1`"]) dnl Checks for programs. AC_PROG_CPP AC_PROG_INSTALL AC_PROG_LN_S AC_PROG_MKDIR_P AC_PROG_SED AC_PROG_MAKE_SET dnl Add libtool support. ifdef( [LT_INIT], [ LT_INIT([win32-dll]) LT_LANG([Windows Resource]) ], [ AC_LIBTOOL_WIN32_DLL AC_LIBTOOL_RC AC_PROG_LIBTOOL ] ) dnl Checks for header files. AC_HEADER_STDC AC_HEADER_SYS_WAIT AC_CHECK_HEADERS([ \ errno.h fcntl.h malloc.h stdlib.h inttypes.h \ string.h strings.h sys/time.h unistd.h \ locale.h getopt.h dlfcn.h utmp.h \ ]) PKG_CHECK_MODULES( [LIBP11], [libp11 >= 0.3.1], , [AC_MSG_ERROR([libp11 >= 0.3.1 is required])]) saved_LIBS=$LIBS LIBS="$LIBP11_LIBS" AC_CHECK_LIB( [p11], [PKCS11_ecdsa_method_free], , [AC_DEFINE([OPENSSL_NO_ECDSA], [1], [ECDSA support was not detected in libp11.])]) LIBS=$saved_LIBS # The "libcrypto" module is not defined in OpenSSL 0.9.7 # TODO: Deprecate OpenSSL 0.9.7 and stop checking for the "openssl" module PKG_CHECK_MODULES( [OPENSSL], [libcrypto >= 0.9.7], , [PKG_CHECK_MODULES( [OPENSSL], [openssl >= 0.9.7], , [AC_MSG_ERROR([libcrypto >= 0.9.7 is required])] )] ) if test -n "${pkcs11_module}"; then AC_DEFINE_UNQUOTED( [DEFAULT_PKCS11_MODULE], "${pkcs11_module}", [Default PKCS#11 module.]) fi AC_SUBST([enginesdir]) AC_SUBST([ENGINE_PKCS11_VERSION_MAJOR]) AC_SUBST([ENGINE_PKCS11_VERSION_MINOR]) AC_SUBST([ENGINE_PKCS11_VERSION_FIX]) AC_SUBST([WIN_LIBPREFIX]) AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"]) AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"]) if test "${enable_pedantic}" = "yes"; then enable_strict="yes"; CFLAGS="${CFLAGS} -pedantic" fi if test "${enable_strict}" = "yes"; then CFLAGS="${CFLAGS} -Wall -Wextra" fi AC_CONFIG_FILES([ Makefile src/Makefile src/versioninfo.rc tests/Makefile ]) AC_OUTPUT cat < # set -e verbose=0 verbose_msg () { if [ $verbose -ne 0 ]; then echo "libtool-bundle: $@" fi } error_msg () { echo 1>&2 "libtool-bundle: $@" } usage () { error_msg "Usage: $0 [-e extra XML data] [Mach-O bundle file] [destination directory] " exit 1 } case $1 in -e) shift; if [ "$1" ]; then extradata=$1; shift; else usage; fi; ;; esac [ $# -le 1 -o $# -ge 4 ] && usage sofile=$1 [ ! -f $sofile ] && error_msg "Not a file or file not found: $sofile" && exit 1 case "$sofile" in *.so*) # Assume it's ok ;; *) error_msg "Invalid bundle: $sofile" exit 1 ;; esac destdir=$2 [ ! -d $destdir -o ! -w $destdir ] && error_msg "Not a directory or no write access: $destdir" && exit 1 name="$sofile" [ $# -eq 3 ] && name=$3 name=`echo $name | sed -e "s@.*/@@" -e "s@\.so.*@@"` root="$destdir/${name}.bundle" verbose_msg "sofile: $sofile" verbose_msg "destdir: $destdir" verbose_msg "name: $name" verbose_msg "root: $root" arch=`uname` [ x$arch = xDarwin ] && arch=MacOS type="BNDL" creator="????" # Overwrite existing bundle [ -d "$root" ] && rm -rf "$root" mkdir -p "$root"/Contents/$arch cp "$sofile" "$root"/Contents/$arch/"$name" echo "$type$creator" > "$root"/Contents/PkgInfo create_info_plist () { echo "" echo "" echo "" echo "" echo " CFBundleDevelopmentRegion" echo " English" echo " CFBundleExecutable" echo " $name" echo " CFBundleInfoDictionaryVersion" echo " 6.0" echo " CFBundleName" echo " $name" echo " CFBundlePackageType" echo " $type" echo " CFBundleSignature" echo " $creator" echo " CFBundleVersion" echo " 0.0.1d1" if [ "$extradata" ]; then echo "" [ -f "$extradata" ]; cat $extradata fi echo "" echo "" } create_info_plist > "$root"/Contents/Info.plist echo "Installed $sofile as $root" engine_pkcs11-engine_pkcs11-0.2.1/m4/000077500000000000000000000000001265215374100171145ustar00rootroot00000000000000engine_pkcs11-engine_pkcs11-0.2.1/m4/.keep000066400000000000000000000000001265215374100200270ustar00rootroot00000000000000engine_pkcs11-engine_pkcs11-0.2.1/make.rules.mak000066400000000000000000000022541265215374100213370ustar00rootroot00000000000000#define OPENSSL_STATIC if you have visual studio compatible with OpenSSL's static binaries #OPENSSL_STATIC_DIR = static !IF "$(LIBP11_DIR)" == "" LIBP11_DIR = C:\projects\libp11 !ENDIF !IF "$(DEBUG)" != "" DEBUG_SUFFIX = d DEBUG_COMPILE = /DDEBUG /Zi /Od DEBUG_LINK = /DEBUG !ENDIF !IF "$(BUILD_FOR)" == "WIN64" MACHINE = /MACHINE:X64 !IF "$(OPENSSL_DIR)" == "" OPENSSL_DIR = C:\OpenSSL-Win64 !ENDIF !ELSE MACHINE = /MACHINE:X86 !IF "$(OPENSSL_DIR)" == "" OPENSSL_DIR = C:\OpenSSL-Win32 !ENDIF !ENDIF !IF "$(OPENSSL_INC)" == "" OPENSSL_INC = /I$(OPENSSL_DIR)\include !ENDIF !IF "$(OPENSSL_STATIC_DIR)" == "" OPENSSL_LIB = $(OPENSSL_DIR)\lib\libeay32.lib !ELSE OPENSSL_LIB = $(OPENSSL_DIR)\lib\VC\static\libeay32MT$(DEBUG_SUFFIX).lib !ENDIF !IF "$(LIBP11_INC)" == "" LIBP11_INC = /I$(LIBP11_DIR)\src !ENDIF !IF "$(LIBP11_LIB)" == "" LIBP11_LIB = $(LIBP11_DIR)\src\libp11.lib !ENDIF CLFLAGS = /nologo /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MT$(DEBUG_SUFFIX) $(OPENSSL_INC) $(LIBP11_INC) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(DEBUG_COMPILE) LINKFLAGS = /NOLOGO /INCREMENTAL:NO $(MACHINE) /MANIFEST:NO /NXCOMPAT /DYNAMICBASE $(DEBUG_LINK) engine_pkcs11-engine_pkcs11-0.2.1/src/000077500000000000000000000000001265215374100173635ustar00rootroot00000000000000engine_pkcs11-engine_pkcs11-0.2.1/src/Makefile.am000066400000000000000000000021051265215374100214150ustar00rootroot00000000000000MAINTAINERCLEANFILES = $(srcdir)/Makefile.in EXTRA_DIST = Makefile.mak versioninfo.rc.in # ifeq ($(enginesdir),'') # enginesdir = INSTALL_DIR # endif engines_LTLIBRARIES = libpkcs11.la OPENSSL_EXTRA_CFLAGS = \ -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H \ -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -DENGINE_DYNAMIC_SUPPORT \ -DSHA1_ASM -DMD5_ASM -DRMD160_ASM libpkcs11_la_SOURCES = \ hw_pkcs11.c engine_pkcs11.c engine_pkcs11.h pkcs11.exports if WIN32 libpkcs11_la_SOURCES += versioninfo.rc else dist_noinst_DATA = versioninfo.rc endif libpkcs11_la_CFLAGS = $(AM_CFLAGS) $(OPENSSL_EXTRA_CFLAGS) $(OPENSSL_CFLAGS) \ $(LIBP11_CFLAGS) libpkcs11_la_LIBADD = $(OPENSSL_LIBS) $(LIBP11_LIBS) libpkcs11_la_LDFLAGS = $(AM_LDFLAGS) \ -module -shared -avoid-version \ -export-symbols "$(srcdir)/pkcs11.exports" \ -no-undefined RCCOMPILE = $(RC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ $(AM_CPPFLAGS) $(CPPFLAGS) LTRCCOMPILE = $(LIBTOOL) --mode=compile --tag=RC $(RCCOMPILE) .rc.lo: $(LTRCCOMPILE) -i "$<" -o "$@" .rc.o: $(RCCOMPILE) -i "$<" -o "$@" # vim: set noexpandtab: engine_pkcs11-engine_pkcs11-0.2.1/src/Makefile.mak000066400000000000000000000012221265215374100215670ustar00rootroot00000000000000TOPDIR = .. # see ..\make.rules.mak to edit openssl or libp11 path !INCLUDE $(TOPDIR)\make.rules.mak TARGET = pkcs11.dll OBJECTS = engine_pkcs11.obj hw_pkcs11.obj all: $(TARGET) versioninfo.res RSC_PROJ=/l 0x809 /r /fo"versioninfo.res" versioninfo.res: versioninfo.rc rc $(RSC_PROJ) versioninfo.rc .c.obj:: cl $(CLFLAGS) /c $< $(TARGET): $(OBJECTS) versioninfo.res echo LIBRARY $* > $*.def echo EXPORTS >> $*.def type $*.exports >> $*.def link $(LINKFLAGS) /dll /def:$*.def /implib:$*.lib /out:$(TARGET) \ $(OBJECTS) $(OPENSSL_LIB) $(LIBP11_LIB) versioninfo.res if EXIST $*.dll.manifest mt -manifest $*.dll.manifest -outputresource:$*.dll;2 engine_pkcs11-engine_pkcs11-0.2.1/src/engine_pkcs11.c000066400000000000000000000665571265215374100222010ustar00rootroot00000000000000/* * Copyright (c) 2002 Juha Yrjölä. All rights reserved. * Copyright (c) 2001 Markus Friedl. * Copyright (c) 2002 Olaf Kirch * Copyright (c) 2003 Kevin Stefanik * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "engine_pkcs11.h" #include #include #include #include #include #include #ifdef _WIN32 #define strncasecmp strnicmp #endif /** The maximum length of an internally-allocated PIN */ #define MAX_PIN_LENGTH 32 static PKCS11_CTX *ctx; /** * The PIN used for login. Cache for the get_pin function. * The memory for this PIN is always owned internally, * and may be freed as necessary. Before freeing, the PIN * must be whitened, to prevent security holes. */ static char *pin = NULL; static int pin_length = 0; static int verbose = 0; static char *module = NULL; static char *init_args = NULL; int set_module(const char *modulename) { free (module); module = modulename ? strdup(modulename) : NULL; return 1; } /* Free PIN storage in secure way. */ static void zero_pin(void) { if (pin != NULL) { OPENSSL_cleanse(pin, pin_length); free(pin); pin = NULL; pin_length = 0; } } /** * Set the PIN used for login. A copy of the PIN shall be made. * * If the PIN cannot be assigned, the value 0 shall be returned * and errno shall be set as follows: * * EINVAL - a NULL PIN was supplied * ENOMEM - insufficient memory to copy the PIN * * @param _pin the pin to use for login. Must not be NULL. * * @return 1 on success, 0 on failure. */ int set_pin(const char *_pin) { /* Pre-condition check */ if (_pin == NULL) { errno = EINVAL; return 0; } /* Copy the PIN. If the string cannot be copied, NULL * shall be returned and errno shall be set. */ zero_pin(); pin = strdup(_pin); if (pin != NULL) pin_length = strlen(pin); return (pin != NULL); } int inc_verbose(void) { verbose++; return 1; } /* Get the PIN via asking user interface. The supplied call-back data are * passed to the user interface implemented by an application. Only the * application knows how to interpret the call-back data. * A (strdup'ed) copy of the PIN code will be stored in the pin variable. */ static int get_pin(UI_METHOD * ui_method, void *callback_data) { UI *ui; /* call ui to ask for a pin */ ui = UI_new(); if (ui == NULL) { fprintf(stderr, "UI_new failed\n"); return 0; } if (ui_method != NULL) UI_set_method(ui, ui_method); if (callback_data != NULL) UI_add_user_data(ui, callback_data); zero_pin(); pin = (char *)calloc(MAX_PIN_LENGTH, sizeof(char)); if (pin == NULL) return 0; pin_length = MAX_PIN_LENGTH; if (!UI_add_input_string(ui, "PKCS#11 token PIN: ", UI_INPUT_FLAG_DEFAULT_PWD, pin, 1, MAX_PIN_LENGTH)) { fprintf(stderr, "UI_add_input_string failed\n"); UI_free(ui); return 0; } if (UI_process(ui)) { fprintf(stderr, "UI_process failed\n"); UI_free(ui); return 0; } UI_free(ui); return 1; } int set_init_args(const char *init_args_orig) { free(init_args); init_args = init_args_orig ? strdup(init_args_orig) : NULL; return 1; } int pkcs11_finish(ENGINE * engine) { /* * TODO: Retrieve the libp11 context with: * ctx = ENGINE_get_ex_data(e, pkcs11_idx); * , free it, and set to NULL with: * ENGINE_set_ex_data(e, pkcs11_idx, NULL); * instead of using a global context */ (void)engine; if (ctx) { PKCS11_CTX_unload(ctx); PKCS11_CTX_free(ctx); ctx = NULL; } zero_pin(); return 1; } int pkcs11_init(ENGINE * engine) { char *mod = module; /* * TODO: Save the libp11 context with: * ENGINE_set_ex_data(e, pkcs11_idx, ctx); * instead of using a global context */ (void)engine; #ifdef DEFAULT_PKCS11_MODULE if (mod == NULL) mod = DEFAULT_PKCS11_MODULE; #endif if (verbose) { fprintf(stderr, "Initializing engine\n"); } ctx = PKCS11_CTX_new(); PKCS11_CTX_init_args(ctx, init_args); if (PKCS11_CTX_load(ctx, mod) < 0) { fprintf(stderr, "Unable to load module %s\n", mod); return 0; } return 1; } static int hex_to_bin(const char *in, unsigned char *out, size_t * outlen) { size_t left, count = 0; if (in == NULL || *in == '\0') { *outlen = 0; return 1; } left = *outlen; while (*in != '\0') { int byte = 0, nybbles = 2; while (nybbles-- && *in && *in != ':') { char c; byte <<= 4; c = *in++; if ('0' <= c && c <= '9') c -= '0'; else if ('a' <= c && c <= 'f') c = c - 'a' + 10; else if ('A' <= c && c <= 'F') c = c - 'A' + 10; else { fprintf(stderr, "hex_to_bin(): invalid char '%c' in hex string\n", c); *outlen = 0; return 0; } byte |= c; } if (*in == ':') in++; if (left <= 0) { fprintf(stderr, "hex_to_bin(): hex string too long\n"); *outlen = 0; return 0; } out[count++] = (unsigned char)byte; left--; } *outlen = count; return 1; } /* parse string containing slot and id information */ static int parse_slot_id_string(const char *slot_id, int *slot, unsigned char *id, size_t * id_len, char **label) { int n, i; if (slot_id == NULL) return 0; /* support for several formats */ #define HEXDIGITS "01234567890ABCDEFabcdef" #define DIGITS "0123456789" /* first: pure hex number (id, slot is undefined) */ if (strspn(slot_id, HEXDIGITS) == strlen(slot_id)) { /* ah, easiest case: only hex. */ if ((strlen(slot_id) + 1) / 2 > *id_len) { fprintf(stderr, "ID string too long!\n"); return 0; } *slot = -1; return hex_to_bin(slot_id, id, id_len); } /* second: slot:id. slot is an digital int. */ if (sscanf(slot_id, "%d", &n) == 1) { i = strspn(slot_id, DIGITS); if (slot_id[i] != ':') { fprintf(stderr, "Could not parse string!\n"); return 0; } i++; if (slot_id[i] == 0) { *slot = n; *id_len = 0; return 1; } if (strspn(slot_id + i, HEXDIGITS) + i != strlen(slot_id)) { fprintf(stderr, "Could not parse string!\n"); return 0; } /* ah, rest is hex */ if ((strlen(slot_id) - i + 1) / 2 > *id_len) { fprintf(stderr, "ID string too long!\n"); return 0; } *slot = n; return hex_to_bin(slot_id + i, id, id_len); } /* third: id_, slot is undefined */ if (strncmp(slot_id, "id_", 3) == 0) { if (strspn(slot_id + 3, HEXDIGITS) + 3 != strlen(slot_id)) { fprintf(stderr, "Could not parse string!\n"); return 0; } /* ah, rest is hex */ if ((strlen(slot_id) - 3 + 1) / 2 > *id_len) { fprintf(stderr, "ID string too long!\n"); return 0; } *slot = -1; return hex_to_bin(slot_id + 3, id, id_len); } /* label_