From e25451b66ce773eed69ada005818ee3b40d0b555 Mon Sep 17 00:00:00 2001 From: Francis Dupont Date: Wed, 23 Sep 2009 10:54:46 +0000 Subject: [PATCH] pkcs11 tools were moved (20067) --- bin/pkcs11/OLD-PKCS11-NOTES | 94 ++++++++ contrib/pkcs11-keygen/README | 1 + contrib/pkcs11-keygen/destroyobj.c | 178 --------------- contrib/pkcs11-keygen/genkey.c | 201 ---------------- contrib/pkcs11-keygen/genkey.sh | 55 ----- contrib/pkcs11-keygen/keyconv.pl | 61 ----- contrib/pkcs11-keygen/keydump.pl | 26 --- contrib/pkcs11-keygen/listobjs.c | 192 ---------------- contrib/pkcs11-keygen/readkey.c | 225 ------------------ contrib/pkcs11-keygen/set_key_id.c | 154 ------------- contrib/pkcs11-keygen/writekey.c | 355 ----------------------------- contrib/pkcs11-keygen/writekey.sh | 73 ------ 12 files changed, 95 insertions(+), 1520 deletions(-) create mode 100644 bin/pkcs11/OLD-PKCS11-NOTES create mode 100644 contrib/pkcs11-keygen/README delete mode 100644 contrib/pkcs11-keygen/destroyobj.c delete mode 100644 contrib/pkcs11-keygen/genkey.c delete mode 100755 contrib/pkcs11-keygen/genkey.sh delete mode 100755 contrib/pkcs11-keygen/keyconv.pl delete mode 100755 contrib/pkcs11-keygen/keydump.pl delete mode 100644 contrib/pkcs11-keygen/listobjs.c delete mode 100644 contrib/pkcs11-keygen/readkey.c delete mode 100644 contrib/pkcs11-keygen/set_key_id.c delete mode 100644 contrib/pkcs11-keygen/writekey.c delete mode 100755 contrib/pkcs11-keygen/writekey.sh diff --git a/bin/pkcs11/OLD-PKCS11-NOTES b/bin/pkcs11/OLD-PKCS11-NOTES new file mode 100644 index 0000000000..2d07e9f2b5 --- /dev/null +++ b/bin/pkcs11/OLD-PKCS11-NOTES 
@@ -0,0 +1,94 @@ + + BIND-9 PKCS#11 support + +Prerequisite + +The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one, +released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference +and some improvements, including user friendly PIN management. You may also +use the original engine code. + +Compilation + +"configure --with-pkcs11 ..." + +PKCS#11 Libraries + +Tested with Solaris one with a SCA board and with openCryptoki with the +software token. Known to work on Linux and Windows 2003 server so +should work on most operating systems. For AEP Keyper or any device used +only for its protected key store, please switch to the sign-only engine. + +OpenSSL Engines + +With PKCS#11 support the PKCS#11 engine is statically loaded but at its +initialization it dynamically loads the PKCS#11 objects. +Even the pre commands are therefore unused they are defined with: + SO_PATH: + define: PKCS11_SO_PATH + default: /usr/local/lib/engines/engine_pkcs11.so + MODULE_PATH: + define: PKCS11_MODULE_PATH + default: /usr/lib/libpkcs11.so +Without PKCS#11 support, a specific OpenSSL engine can be still used +by defining ENGINE_ID at compile time. + +PKCS#11 tools + +The contrib/pkcs11-keygen directory contains a set of experimental tools +to handle keys stored in a Hardware Security Module at the benefit of BIND. + +The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11 +for the way to use it (these are the original notes so with the original +path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on +a operating system which is not Solaris.) + +Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel +are functional. + +PIN management + +With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered +each time it is required. With the improved engine, the PIN should be +entered the first time it is required or can be configured in the +OpenSSL configuration file (aka. 
openssl.cnf) by adding in it: + - at the beginning: + openssl_conf = openssl_def + - at any place these sections: + [ openssl_def ] + engines = engine_section + [ engine_section ] + pkcs11 = pkcs11_section + [ pkcs11_section ] + PIN = put__your__pin__value__here + +Slot management + +The engine tries to use the first best slot but it is recommended +to simply use the slot 0 (usual default, meta-slot on Solaris). + +Sign-only engine + +openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain +a stripped down version of hw_pk11.c and hw_pk11_pub.c files which +has only the useful functions (i.e., signature with a RSA private +key in the device protected key store and key loading). + +This engine should be used with a device which provides mainly +a protected store and no acceleration. AEP Keyper is an example +of such a device (BTW with the fully capable engine, key export +must be enabled on this device and this configuration is not yet +supported). + +Original engine + +If you are using the original engine and getpassphrase() is not defined, add: +#define getpassphrase(x) getpass(x) +in openssl.../crypto/engine/hw_pk11_pub.c + +Notes + +Some names here are registered trademarks, at least Solaris is a trademark +of Sun Microsystems Inc... +Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3. +The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support. diff --git a/contrib/pkcs11-keygen/README b/contrib/pkcs11-keygen/README new file mode 100644 index 0000000000..caac9824d0 --- /dev/null +++ b/contrib/pkcs11-keygen/README @@ -0,0 +1 @@ +Moved to ${top}/bin/pkcs11 diff --git a/contrib/pkcs11-keygen/destroyobj.c b/contrib/pkcs11-keygen/destroyobj.c deleted file mode 100644 index e7068e4d62..0000000000 --- a/contrib/pkcs11-keygen/destroyobj.c +++ /dev/null 
@@ -1,178 +0,0 @@ -/* destroyobj [-s $slot] [-i $id | -l $label] [-p $pin] */ - -#include -#include -#include -#include -#include -#include -#include -#include - -int -main(int argc, char *argv[]) -{ - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_UTF8CHAR *pin = NULL; - CK_BYTE attr_id[2]; - CK_OBJECT_HANDLE akey[50]; - char *label = NULL; - int error = 0; - int id = 0, i = 0; - int c, errflg = 0; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { - {CKA_ID, &attr_id, sizeof(attr_id)} - }; - extern char *optarg; - extern int optopt; - - while ((c = getopt(argc, argv, ":s:i:l:p:")) != -1) { - switch (c) { - case 's': - slot = atoi(optarg); - break; - case 'i': - id = atoi(optarg); - id &= 0xffff; - break; - case 'l': - label = optarg; - break; - case 'p': - pin = (CK_UTF8CHAR *)optarg; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", optopt); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", optopt); - errflg++; - } - } - if (errflg || ((!id) && (!label))) { - fprintf(stderr, - "usage: destroykey [-s slot] [-i id | -l label] [-p pin]\n"); - exit(1); - } - if (id) { - printf("id %i\n", id); - attr_id[0] = (id >> 8) & 0xff; - attr_id[1] = id & 0xff; - } else if (label) { - printf("label %s\n", label); - search_template[0].type = CKA_LABEL; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - } - - /* Initialize the CRYPTOKI library */ - rv = C_Initialize(NULL_PTR); - if (rv != CKR_OK) { - fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv); - exit(1); - } - - /* Open a session on the slot found */ - rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION, - NULL_PTR, NULL_PTR, &hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv); - error = 1; - goto exit_program; - } - - /* Login to the Token (Keystore) */ - if (!pin) -#ifndef HAVE_GETPASS - pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: 
"); -#else - pin = (CK_UTF8CHAR *)getpass("Enter Pin: "); -#endif - rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); - memset(pin, 0, strlen((char *)pin)); - if (rv != CKR_OK) { - fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - rv = C_FindObjectsInit(hSession, search_template, - ((id != 0) || (label != NULL)) ? 1 : 0); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - rv = C_FindObjects(hSession, akey, 50, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } - - for (i = 0; i < ulObjectCount; i++) { - CK_OBJECT_CLASS oclass = 0; - CK_BYTE labelbuf[64 + 1]; - CK_BYTE idbuf[64]; - CK_ATTRIBUTE attr_template[] = { - {CKA_CLASS, &oclass, sizeof(oclass)}, - {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1}, - {CKA_ID, idbuf, sizeof(idbuf)} - }; - int j, len; - - memset(labelbuf, 0, sizeof(labelbuf)); - memset(idbuf, 0, sizeof(idbuf)); - - rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3); - if (rv != CKR_OK) { - fprintf(stderr, "C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv); - error = 1; - goto exit_search; - } - len = attr_template[2].ulValueLen; - printf("object[%d]: class %d label '%s' id[%u] ", - i, oclass, labelbuf, attr_template[2].ulValueLen); - if (len > 4) - len = 4; - for (j = 0; j < len; j++) - printf("%02x", idbuf[j]); - if (attr_template[2].ulValueLen > len) - printf("...\n"); - else - printf("\n"); - } - - /* give a chance to kill this */ - printf("sleeping 5 seconds...\n"); - sleep(5); - - for (i = 0; i < ulObjectCount; i++) { - rv = C_DestroyObject(hSession, akey[i]); - if (rv != CKR_OK) { - fprintf(stderr, "C_DestroyObject[%d]: rv = 0x%.8X\n", i, rv); - error = 1; - } - } - - exit_search: - rv = C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv); - error = 1; - } - - 
exit_session: - (void) C_CloseSession(hSession); - - exit_program: - (void) C_Finalize(NULL_PTR); - - exit(error); -} diff --git a/contrib/pkcs11-keygen/genkey.c b/contrib/pkcs11-keygen/genkey.c deleted file mode 100644 index 45a9e3cd68..0000000000 --- a/contrib/pkcs11-keygen/genkey.c +++ /dev/null 
@@ -1,201 +0,0 @@ -/* genkey - pkcs11 rsa key generator - * - * create RSASHA1 key in the keystore of an SCA6000 - * The calculation of key tag is left to the script - * that converts the key into a DNSKEY RR and inserts - * it into a zone file. - * - * usage: - * genkey [-P] [-s slot] -b keysize -l label [-p pin] - * - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -/* Define static key template values */ -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -int -main(int argc, char *argv[]) -{ - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_MECHANISM genmech; - CK_SESSION_HANDLE hSession; - CK_UTF8CHAR *pin = NULL; - CK_ULONG modulusbits = 0; - CK_CHAR *label = NULL; - CK_OBJECT_HANDLE privatekey, publickey; - CK_BYTE public_exponent[3]; - int error = 0; - int i = 0; - int c, errflg = 0; - int hide = 1; - CK_ULONG ulObjectCount; - /* Set search template */ - CK_ATTRIBUTE search_template[] = { - {CKA_LABEL, NULL_PTR, 0} - }; - CK_ATTRIBUTE publickey_template[] = { - {CKA_LABEL, NULL_PTR, 0}, - {CKA_VERIFY, &truevalue, sizeof (truevalue)}, - {CKA_TOKEN, &truevalue, sizeof (truevalue)}, - {CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)}, - {CKA_PUBLIC_EXPONENT, &public_exponent, sizeof (public_exponent)} - }; - CK_ATTRIBUTE privatekey_template[] = { - {CKA_LABEL, NULL_PTR, 0}, - {CKA_SIGN, &truevalue, sizeof (truevalue)}, - {CKA_TOKEN, &truevalue, sizeof (truevalue)}, - {CKA_PRIVATE, &truevalue, sizeof (truevalue)}, - {CKA_SENSITIVE, &truevalue, sizeof (truevalue)}, - {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)} - }; - extern char *optarg; - extern int optopt; - - while ((c = getopt(argc, argv, ":Ps:b:i:l:p:")) != -1) { - switch (c) { - case 'P': - hide = 0; - break; - case 's': - slot = atoi(optarg); - break; - case 'b': - modulusbits = atoi(optarg); - break; - case 'l': - label = (CK_CHAR *)optarg; - break; - case 'p': - pin = (CK_UTF8CHAR *)optarg; - break; - case ':': - fprintf(stderr, "Option -%c 
requires an operand\n", optopt); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", optopt); - errflg++; - } - } - if ((errflg) || (!modulusbits) || (!label)) { - fprintf(stderr, - "usage: genkey [-P] [-s slot] -b keysize -l label [-p pin]\n"); - exit(2); - } - - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen((char *)label); - publickey_template[0].pValue = label; - publickey_template[0].ulValueLen = strlen((char *)label); - privatekey_template[0].pValue = label; - privatekey_template[0].ulValueLen = strlen((char *)label); - - /* Set public exponent to 65537 */ - public_exponent[0] = 0x01; - public_exponent[1] = 0x00; - public_exponent[2] = 0x01; - - /* Set up mechanism for generating key pair */ - genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; - genmech.pParameter = NULL_PTR; - genmech.ulParameterLen = 0; - - /* Initialize the CRYPTOKI library */ - rv = C_Initialize(NULL_PTR); - - if (rv != CKR_OK) { - fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv); - exit(1); - } - - /* Open a session on the slot found */ - rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION, - NULL_PTR, NULL_PTR, &hSession); - - if (rv != CKR_OK) { - fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv); - error = 1; - goto exit_program; - } - - /* Login to the Token (Keystore) */ - if (!pin) -#ifndef HAVE_GETPASS - pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); -#else - pin = (CK_UTF8CHAR *)getpass("Enter Pin: "); -#endif - rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); - memset(pin, 0, strlen((char *)pin)); - if (rv != CKR_OK) { - fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - /* check if a key with the same id already exists */ - rv = C_FindObjectsInit(hSession, search_template, 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - rv = C_FindObjects(hSession, &privatekey, 1, 
&ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } - if (ulObjectCount != 0) { - fprintf(stderr, "Key already exists.\n"); - error = 1; - goto exit_search; - } - - /* Set attributes if the key is not to be hidden */ - if (!hide) { - privatekey_template[4].pValue = &falsevalue; - privatekey_template[5].pValue = &truevalue; - } - - /* Generate Key pair for signing/verifying */ - rv = C_GenerateKeyPair(hSession, &genmech, publickey_template, - (sizeof (publickey_template) / - sizeof (CK_ATTRIBUTE)), - privatekey_template, - (sizeof (privatekey_template) / - sizeof (CK_ATTRIBUTE)), - &publickey, &privatekey); - - if (rv != CKR_OK) { - fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8X\n", rv); - error = 1; - } - - exit_search: - rv = C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv); - error = 1; - } - - exit_session: - (void) C_CloseSession(hSession); - - exit_program: - (void) C_Finalize(NULL_PTR); - - exit(error); -} diff --git a/contrib/pkcs11-keygen/genkey.sh b/contrib/pkcs11-keygen/genkey.sh deleted file mode 100755 index f5bf146899..0000000000 --- a/contrib/pkcs11-keygen/genkey.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/usr/bin/bash - -usage="Usage: $0 -z zone -x ext -p pin -b bits -e engine [-f] -k key_path" -tmp_file=/tmp/cur_key.$$ -while getopts ":z:x:p:t:k:b:e:f" opt; do - case $opt in - z ) zone=$OPTARG ;; - x ) ext=$OPTARG ;; - p ) pin=$OPTARG ;; - t ) id=$OPTARG ;; - f ) flag="ksk" ;; - e ) engine=$OPTARG ;; - b ) bits=$OPTARG ;; - k ) key_path=$OPTARG ;; - \? ) echo $usage - exit 1 ;; - esac -done -shift $(($OPTIND -1)) - -if [ ! "$zone" -o ! "$ext" -o ! "$pin" -o ! "$engine" -o ! "$bits" -o ! "$key_path" ] ; then - echo $usage - exit 1 -fi - -if [ "$flag" ] ; then - label="$zone,$flag,$ext" -else - label="$zone,zsk,$ext" -fi - -# for testing -mypath=. - -echo "Generating key" -$mypath/genkey -b $bits -l $label -p $pin -if [ $? -ne 0 ] ; then exit 1 ; fi - -echo "Exporting public key" -$mypath/PEM_write_pubkey -e $engine -p $pin -k pkcs11:$label -f $tmp_file -if [ $? -ne 0 ] ; then exit 1 ; fi - -echo "Generating DNSKEY RR" -if [ "$flag" ] ; then - keytag=`$mypath/keyconv.pl -a 5 -k -e $engine -l $label -p $key_path -i $tmp_file $zone` -else - keytag=`$mypath/keyconv.pl -a 5 -e $engine -l $label -p $key_path -i $tmp_file $zone` -fi - -if [ ! $keytag ] ; then rm $tmp_file; exit 1 ; fi - -echo "Set key id" -$mypath/set_key_id -l $label -n $keytag -p $pin - -rm $tmp_file diff --git a/contrib/pkcs11-keygen/keyconv.pl b/contrib/pkcs11-keygen/keyconv.pl deleted file mode 100755 index c68124c81b..0000000000 --- a/contrib/pkcs11-keygen/keyconv.pl +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/usr/bin/perl -w - -use strict; -use Crypt::OpenSSL::RSA; -use Getopt::Std; -use MIME::Base64; -use Net::DNS; -use Net::DNS::SEC; - -my %option; -getopts('a:e:i:l:p:hk',\%option); - -die "usage: keyconv.pl [-a alg] [-k (to indicate KSK)] -e engine -l label [-p (path to store key)] -i filename domainname\n" if $option{h} || (not defined $option{i}) || (not defined $option{e}) || (not defined $option{l}); - -# The default path is local. -$option{p} || ($option{p}="./"); - -# The default algorithm is 5. -$option{a} || ($option{a}=5); - -$option{k} || ($option{k}=0); - -# The algorithm is either 5 or 133. -$option{a}==5 || $option{a}==133 || die "algorithm must be 5 or 133\n"; - -# standard flags (value is 256) plus optionally the KSK flag. -my $flags=(256 + $option{k}); - -open(PFILE, $option{i}); - my @fc = ; -close(PFILE); - -my $rsa = Crypt::OpenSSL::RSA->new_public_key(join "", @fc); - -my ($m,$e)= $rsa->get_key_parameters; - -(my $l=pack("Cn",0,length($e->to_bin))) =~ s/^\000{2}//; - -my $rrkey=$l.$e->to_bin.$m->to_bin; -my $keystr = $ARGV[0]. ". IN DNSKEY $flags 3 $option{a} ".encode_base64($rrkey,""); -my $keyrr = Net::DNS::RR->new($keystr); - -open(PFILE, "> $option{p}/K".$ARGV[0].".+".sprintf("%03d",$option{a})."+".$keyrr->keytag.".key"); -print PFILE $ARGV[0], ". 
IN DNSKEY $flags 3 $option{a} ",encode_base64($rrkey,"")."\n"; -close(PFILE); - -open(PFILE, "> $option{p}/K".$ARGV[0].".+".sprintf("%03d",$option{a})."+".$keyrr->keytag.".private"); -print PFILE "Private-key-format: v1.2\n"; -print PFILE "Algorithm: ", $option{a}, " (RSASHA1)\n"; -print PFILE "Modulus: ".encode_base64($m->to_bin,"")."\n"; -print PFILE "PublicExponent: ".encode_base64($e->to_bin,"")."\n"; -my $engine=""; -$engine=encode_base64($option{e}."\0",""); -print PFILE "Engine: ", $engine, "\n"; -my $label=""; -$option{k}==0 && ($label=encode_base64($option{e}.":".$option{l}."\0","")); -$option{k}!=0 && ($label=encode_base64($option{e}.":".$option{l}."\0","")); -print PFILE "Label: ", $label, "\n"; -close(PFILE); - -print $keyrr->keytag; diff --git a/contrib/pkcs11-keygen/keydump.pl b/contrib/pkcs11-keygen/keydump.pl deleted file mode 100755 index acbb00c36d..0000000000 --- a/contrib/pkcs11-keygen/keydump.pl +++ /dev/null @@ -1,26 +0,0 @@ -#!/usr/bin/perl -w - -use strict; -use Getopt::Std; -use Crypt::OpenSSL::RSA; -use Net::DNS::SEC; - -my %option; -getopts('k:p:o:h',\%option); - -$option{h} || (not defined $option{k}) || (not defined $option{p}) || (not defined $option{o}) && die "usage: keydump.pl -k Kxxx.key -p Kxxx.priv -o pem\n"; - -my $rsa = Net::DNS::SEC::Private->new($option{p}); - -open(PFILE, "> $option{o}"); -print PFILE $rsa->dump_rsa_private_der; -close(PFILE); - -open(KFILE, "< $option{k}"); -my @fc = ; -close(KFILE); - -my $keyrr = Net::DNS::RR->new(join "", @fc); - -print $keyrr->flags; - diff --git a/contrib/pkcs11-keygen/listobjs.c b/contrib/pkcs11-keygen/listobjs.c deleted file mode 100644 index 3fb6eaa80f..0000000000 --- a/contrib/pkcs11-keygen/listobjs.c +++ /dev/null 
@@ -1,192 +0,0 @@ -/* listobjs [-P] [-s slot] [-i $id | -l $label] [-p $pin] */ - -#include -#include -#include -#include -#include -#include -#include -#include - -int -main(int argc, char *argv[]) -{ - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_UTF8CHAR *pin = NULL; - CK_BYTE attr_id[2]; - CK_OBJECT_HANDLE akey[50]; - char *label = NULL; - int error = 0, public = 0, all = 0; - int i = 0, id = 0; - int c, errflg = 0; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { - {CKA_ID, &attr_id, sizeof(attr_id)} - }; - extern char *optarg; - extern int optopt; - - while ((c = getopt(argc, argv, ":s:i:l:p:P")) != -1) { - switch (c) { - case 'P': - public = 1; - break; - case 's': - slot = atoi(optarg); - break; - case 'i': - id = atoi(optarg); - id &= 0xffff; - break; - case 'l': - label = optarg; - break; - case 'p': - pin = (CK_UTF8CHAR *)optarg; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", optopt); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", optopt); - errflg++; - } - } - if (errflg) { - fprintf(stderr, - "usage: listobjs [-P] [-s slot] [-p pin] -i id | $label\n"); - exit(1); - } - if ((!id) && (!label)) - all = 1; - if (slot) - printf("slot %d\n", slot); - if (id) { - printf("id %i\n", id); - attr_id[0] = (id >> 8) & 0xff; - attr_id[1] = id & 0xff; - } else if (label) { - printf("label %s\n", label); - search_template[0].type = CKA_LABEL; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - } - - /* Initialize the CRYPTOKI library */ - rv = C_Initialize(NULL_PTR); - if (rv != CKR_OK) { - fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv); - exit(1); - } - - /* Open a session on the slot found */ - rv = C_OpenSession(slot, CKF_SERIAL_SESSION, - NULL_PTR, NULL_PTR, &hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv); - error = 1; - goto exit_program; - } - - /* Login to the Token 
(Keystore) */ - if (!public) { - if (!pin) -#ifndef HAVE_GETPASS - pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); -#else - pin = (CK_UTF8CHAR *)getpass("Enter Pin: "); -#endif - rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); - memset(pin, 0, strlen((char *)pin)); - if (rv != CKR_OK) { - fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - } - - rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - ulObjectCount = 1; - while (ulObjectCount) { - rv = C_FindObjects(hSession, akey, 50, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } - - for (i = 0; i < ulObjectCount; i++) { - CK_OBJECT_CLASS oclass = 0; - CK_BYTE labelbuf[64 + 1]; - CK_BYTE idbuf[64]; - CK_ATTRIBUTE attr_template[] = { - {CKA_CLASS, &oclass, sizeof(oclass)}, - {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1}, - {CKA_ID, idbuf, sizeof(idbuf)} - }; - int j, len; - - memset(labelbuf, 0, sizeof(labelbuf)); - memset(idbuf, 0, sizeof(idbuf)); - - rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3); - if (rv != CKR_OK) { - fprintf(stderr, - "C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv); - if (rv = CKR_BUFFER_TOO_SMALL) - fprintf(stderr, "%d too small: %u %u %u\n", i, - attr_template[0].ulValueLen, - attr_template[1].ulValueLen, - attr_template[2].ulValueLen); - error = 1; - continue; - } - - len = attr_template[2].ulValueLen; - printf("object[%d]: handle %u class %d label[%u] '%s' id[%u] ", - i, akey[i], oclass, - attr_template[1].ulValueLen, labelbuf, - attr_template[2].ulValueLen); - if (len == 2) { - id = (idbuf[0] << 8) & 0xff00; - id |= idbuf[1] & 0xff; - printf("%i\n", id); - } else { - if (len > 8) - len = 8; - for (j = 0; j < len; j++) - printf("%02x", idbuf[j]); - if (attr_template[2].ulValueLen > len) - printf("...\n"); 
- else - printf("\n"); - } - } - } - - exit_search: - rv = C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv); - error = 1; - } - - exit_session: - (void) C_CloseSession(hSession); - - exit_program: - (void) C_Finalize(NULL_PTR); - - exit(error); -} diff --git a/contrib/pkcs11-keygen/readkey.c b/contrib/pkcs11-keygen/readkey.c deleted file mode 100644 index ced0fa9c0a..0000000000 --- a/contrib/pkcs11-keygen/readkey.c +++ /dev/null 
@@ -1,225 +0,0 @@ -/* readkey [-s $slot] -l $label [-p $pin] -f $filename */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -static CK_BBOOL truevalue = TRUE; - -int -main(int argc, char *argv[]) -{ - RSA *rsa = NULL; - FILE *fp; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_UTF8CHAR *pin = NULL; - char *label; - CK_OBJECT_HANDLE key = CK_INVALID_HANDLE; - CK_OBJECT_CLASS kclass = CKO_PRIVATE_KEY; - char *filename; - int error = 0; - int i = 0; - int c, errflg = 0; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { - {CKA_LABEL, NULL, 0}, - {CKA_TOKEN, &truevalue, sizeof (truevalue)}, - {CKA_CLASS, &kclass, sizeof (kclass)} - }; - CK_BYTE id[32]; - CK_BYTE data[8][1024]; - CK_ATTRIBUTE attr_template[] = { - {CKA_ID, &id, sizeof (id)}, - {CKA_MODULUS, (void *)data[0], 1024}, /* n */ - {CKA_PUBLIC_EXPONENT, (void *)data[1], 1024}, /* e */ - {CKA_PRIVATE_EXPONENT, (void *)data[2], 1024}, /* d */ - {CKA_PRIME_1, (void *)data[3], 1024}, /* p */ - {CKA_PRIME_2, (void *)data[4], 1024}, /* q */ - {CKA_EXPONENT_1, (void *)data[5], 1024}, /* dmp1 */ - {CKA_EXPONENT_2, (void *)data[6], 1024}, /* dmq1 */ - {CKA_COEFFICIENT, (void *)data[7], 1024} /* iqmp */ - }; - extern char *optarg; - extern int optopt; - - while ((c = getopt(argc, argv, ":s:l:p:f:")) != -1) { - switch (c) { - case 's': - slot = atoi(optarg); - break; - case 'l': - label = optarg; - break; - case 'p': - pin = (CK_UTF8CHAR *)optarg; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", optopt); - errflg++; - break; - case 'f': - filename = optarg; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", optopt); - errflg++; - } - } - if ((errflg) || (!label) || (!filename)) { - fprintf(stderr, - "usage: readkey [-s slot] -l label [-p pin] -f filename\n"); - exit(1); - } - if (slot) - printf("slot %d\n", slot); - - /* Initialize OpenSSL library */ - 
OPENSSL_config(NULL); - rsa = RSA_new(); - if (!rsa) { - fprintf(stderr, "RSA_new failed\n"); - ERR_print_errors_fp(stderr); - exit(1); - } - - /* Initialize the CRYPTOKI library */ - rv = C_Initialize(NULL_PTR); - if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) { - fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv); - exit(1); - } - - /* Open a session on the slot found */ - rv = C_OpenSession(slot, CKF_SERIAL_SESSION, - NULL_PTR, NULL_PTR, &hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv); - error = 1; - goto exit_program; - } - - /* Login to the Token (Keystore) */ - if (!pin) -#ifndef HAVE_GETPASS - pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); -#else - pin = (CK_UTF8CHAR *)getpass("Enter Pin: "); -#endif - rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); - memset(pin, 0, strlen((char *)pin)); - if (rv != CKR_OK) { - fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - /* Set search template. 
*/ - if (strstr(label, "pkcs11:") == label) - label = strstr(label, ":") + 1; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - - rv = C_FindObjectsInit(hSession, search_template, 3); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - rv = C_FindObjects(hSession, &key, 1, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } - if (ulObjectCount == 0) { - fprintf(stderr, "C_FindObjects: can't find the key\n"); - error = 1; - goto exit_search; - } - - rv = C_GetAttributeValue(hSession, key, attr_template, 9); - if (rv != CKR_OK) { - fprintf(stderr, "C_GetAttributeValue: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } - - printf("ID[%u]=", attr_template[0].ulValueLen); - for (i = 0; i < attr_template[0].ulValueLen; i++) - printf("%02x", id[i]); - printf("\n"); - - if (attr_template[1].ulValueLen > 0) - rsa->n = BN_bin2bn(data[0], attr_template[1].ulValueLen, NULL); - if (attr_template[2].ulValueLen > 0) - rsa->e = BN_bin2bn(data[1], attr_template[2].ulValueLen, NULL); - if (attr_template[3].ulValueLen > 0) - rsa->d = BN_bin2bn(data[2], attr_template[3].ulValueLen, NULL); - if (attr_template[4].ulValueLen > 0) - rsa->p = BN_bin2bn(data[3], attr_template[4].ulValueLen, NULL); - if (attr_template[5].ulValueLen > 0) - rsa->q = BN_bin2bn(data[4], attr_template[5].ulValueLen, NULL); - if (attr_template[6].ulValueLen > 0) - rsa->dmp1 = BN_bin2bn(data[5], attr_template[6].ulValueLen, NULL); - if (attr_template[7].ulValueLen > 0) - rsa->dmq1 = BN_bin2bn(data[6], attr_template[7].ulValueLen, NULL); - if (attr_template[8].ulValueLen > 0) - rsa->iqmp = BN_bin2bn(data[7], attr_template[8].ulValueLen, NULL); - - rv = C_FindObjects(hSession, &key, 1, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - 
} - if (ulObjectCount != 0) { - fprintf(stderr, "C_FindObjects: found extra keys?\n"); - error = 1; - goto exit_search; - } - - printf("RSA="); - RSA_print_fp(stdout, rsa, 4); - - fp = fopen(filename, "w"); - if (fp == NULL) { - printf("Error opening output file.\n"); - error = 1; - goto exit_search; - } - - if (!PEM_write_RSAPrivateKey(fp, rsa, NULL, NULL, 0, NULL, NULL)) { - printf("Error writing output file.\n"); - ERR_print_errors_fp(stderr); - error = 1; - goto exit_search; - } - - exit_search: - rv = C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv); - error = 1; - } - - exit_session: - (void) C_CloseSession(hSession); - - exit_program: - (void) C_Finalize(NULL_PTR); - - exit(error); -} diff --git a/contrib/pkcs11-keygen/set_key_id.c b/contrib/pkcs11-keygen/set_key_id.c deleted file mode 100644 index 3cb1cd3a04..0000000000 --- a/contrib/pkcs11-keygen/set_key_id.c +++ /dev/null 
@@ -1,154 +0,0 @@ -/* set_key_id [-s slot] [-p $pin] -n $keytag {-i $id | -l $label} */ - -#include -#include -#include -#include -#include -#include -#include -#include - -int -main(int argc, char *argv[]) -{ - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_UTF8CHAR *pin = NULL; - CK_BYTE old_id[2], new_id[2]; - CK_OBJECT_HANDLE akey; - int error = 0; - int i = 0; - int c, errflg = 0; - char *label = NULL; - CK_ULONG ulObjectCount; - int oid = 0, nid = 0; - CK_ATTRIBUTE search_template[] = { - {CKA_ID, &old_id, sizeof(old_id)} - }; - extern char *optarg; - extern int optopt; - - while ((c = getopt(argc, argv, ":s:i:n:l:p:")) != -1) { - switch (c) { - case 's': - slot = atoi(optarg); - break; - case 'i': - oid = atoi(optarg); - oid &= 0xffff; - old_id[0] = (oid >> 8) & 0xff; - old_id[1] = oid & 0xff; - break; - case 'n': - nid = atoi(optarg); - nid &= 0xffff; - new_id[0] = (nid >> 8) & 0xff; - new_id[1] = nid & 0xff; - break; - case 'l': - label = optarg; - break; - case 'p': - pin = (CK_UTF8CHAR *)optarg; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", optopt); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", optopt); - errflg++; - } - } - if ((errflg) || (!nid) || ((!oid) && (!label))) { - fprintf(stderr, - "usage: set_key_id [-s slot] [-p pin] -n new_id " - "{ -i old_id | -l label }\n"); - exit(1); - } - if (!label) - printf("old %i new %i\n", oid, nid); - else { - printf("label %s new %i\n", label, nid); - search_template[0].type = CKA_LABEL; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - } - - /* Initialize the CRYPTOKI library */ - rv = C_Initialize(NULL_PTR); - if (rv != CKR_OK) { - fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv); - exit(1); - } - - /* Open a session on the slot found */ - rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION, - NULL_PTR, NULL_PTR, &hSession); - if (rv != CKR_OK) { - fprintf(stderr, 
"C_OpenSession: Error = 0x%.8X\n", rv); - error = 1; - goto exit_program; - } - - /* Login to the Token (Keystore) */ - if (!pin) -#ifndef HAVE_GETPASS - pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); -#else - pin = (CK_UTF8CHAR *)getpass("Enter Pin: "); -#endif - rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); - memset(pin, 0, strlen((char *)pin)); - if (rv != CKR_OK) { - fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - rv = C_FindObjectsInit(hSession, search_template, 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - ulObjectCount = 1; - while(ulObjectCount) { - rv = C_FindObjects(hSession, &akey, 1, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } else if (ulObjectCount) { - /* Set update template. */ - CK_ATTRIBUTE new_template[] = { - {CKA_ID, &new_id, sizeof(new_id)} - }; - - rv = C_SetAttributeValue(hSession, akey, new_template, 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_SetAttributeValue: rv = 0x%.8X\n", rv); - error = 1; - } - } - } - - exit_search: - rv = C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv); - error = 1; - } - - exit_session: - (void) C_CloseSession(hSession); - - exit_program: - (void) C_Finalize(NULL_PTR); - - exit(error); -} diff --git a/contrib/pkcs11-keygen/writekey.c b/contrib/pkcs11-keygen/writekey.c deleted file mode 100644 index b532963d4a..0000000000 --- a/contrib/pkcs11-keygen/writekey.c +++ /dev/null 
@@ -1,355 +0,0 @@
-/* writekey [-s $slot] [-p $pin] -l $label -i $id -f $filename */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-/* Define static key template values */
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-int
-main(int argc, char *argv[])
-{
- ENGINE *e;
- RSA *rsa = NULL;
- FILE *fp;
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- CK_BYTE new_id[2];
- CK_OBJECT_HANDLE key = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS kclass;
- CK_KEY_TYPE ktype = CKK_RSA;
- CK_ATTRIBUTE template[50];
- CK_ULONG template_size;
- CK_BYTE data[8][1024];
- CK_ULONG ulObjectCount;
- char *label = NULL, *filename = NULL;
- int id = 0;
- int error = 0;
- int c, errflg = 0;
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":s:l:i:p:f:")) != -1) {
- switch (c) {
- case 's':
- slot = atoi(optarg);
- break;
- case 'l':
- label = optarg;
- break;
- case 'i':
- id = atoi(optarg);
- id &= 0xffff;
- break;
- case 'p':
- pin = (CK_UTF8CHAR *)optarg;
- break;
- case 'f':
- filename = optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if ((errflg) || (!label) || (!id) || (!filename)) {
- fprintf(stderr,
- "usage: writekey [-s slot] [-p pin] -l label -i id "
- "-f filename\n");
- exit(2);
- }
-
- /* Load the config file */
- OPENSSL_config(NULL);
-
- /* Register engine */
- e = ENGINE_by_id("pkcs11");
- if (!e) {
- /* the engine isn't available */
- printf("The engine isn't available\n");
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
- if (!ENGINE_init(e)) {
- /* the engine couldn't initialise, release 'e' */
- printf("The engine couldn't initialise\n");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- /* Read the key */
- fp = fopen(filename, "r");
- if (fp == NULL) {
- printf("Error opening input file.\n");
- ENGINE_free(e);
- exit(1);
- }
-
- rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
- (void) fclose(fp);
- if (rsa == NULL) {
- printf("Error reading input file.\n");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- /* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
- if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
- fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
- ENGINE_free(e);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_program;
- }
-
- /* Login to the Token (Keystore) */
- if (!pin)
-#ifndef HAVE_GETPASS
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
- pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- /* fill the search template */
- if (strstr(label, "pkcs11:") == label)
- label = strstr(label, ":") + 1;
- kclass = CKO_PRIVATE_KEY;
- template[0].type = CKA_TOKEN;
- template[0].pValue = &truevalue;
- template[0].ulValueLen = sizeof (truevalue);
- template[1].type = CKA_CLASS;
- template[1].pValue = &kclass;
- template[1].ulValueLen = sizeof (kclass);
- template[2].type = CKA_LABEL;
- template[2].pValue = label;
- template[2].ulValueLen = strlen(label);
-
- /* check if a key with the same label already exists */
- rv = C_FindObjectsInit(hSession, template, 3);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
- rv = C_FindObjects(hSession, &key, 1, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
- if (ulObjectCount != 0) {
- fprintf(stderr, "Key already exists.\n");
- error = 1;
- goto exit_search;
- }
-
- /* fill attributes for the public key */
- new_id[0] = (id >> 8) & 0xff;
- new_id[1] = id & 0xff;
- kclass = CKO_PUBLIC_KEY;
- if (BN_num_bytes(rsa->n) > 1024) {
- fprintf(stderr, "RSA modulus too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->n, data[0]);
- if (BN_num_bytes(rsa->e) > 1024) {
- fprintf(stderr, "RSA public exponent too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->e, data[1]);
- if (BN_num_bytes(rsa->d) > 1024) {
- fprintf(stderr, "RSA private exponent too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->d, data[2]);
- if (BN_num_bytes(rsa->p) > 1024) {
- fprintf(stderr, "RSA prime 1 too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->p, data[3]);
- if (BN_num_bytes(rsa->q) > 1024) {
- fprintf(stderr, "RSA prime 2 too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->q, data[4]);
- if (BN_num_bytes(rsa->dmp1) > 1024) {
- fprintf(stderr, "RSA exponent 1 too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->dmp1, data[5]);
- if (BN_num_bytes(rsa->dmq1) > 1024) {
- fprintf(stderr, "RSA exponent 2 too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->dmq1, data[6]);
- if (BN_num_bytes(rsa->iqmp) > 1024) {
- fprintf(stderr, "RSA coefficient too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->iqmp, data[7]);
-
- template[0].type = CKA_TOKEN;
- template[0].pValue = &truevalue;
- template[0].ulValueLen = sizeof (truevalue);
- template[1].type = CKA_CLASS;
- template[1].pValue = &kclass;
- template[1].ulValueLen = sizeof (kclass);
- template[2].type = CKA_LABEL;
- template[2].pValue = label;
- template[2].ulValueLen = strlen(label);
- template[3].type = CKA_ID;
- template[3].pValue = new_id;
- template[3].ulValueLen = sizeof (new_id);
- template[4].type = CKA_KEY_TYPE;
- template[4].pValue = &ktype;
- template[4].ulValueLen = sizeof (ktype);
- template[5].type = CKA_ENCRYPT;
- template[5].pValue = &truevalue;
- template[5].ulValueLen = sizeof (truevalue);
- template[6].type = CKA_VERIFY;
- template[6].pValue = &truevalue;
- template[6].ulValueLen = sizeof (truevalue);
- template[7].type = CKA_VERIFY_RECOVER;
- template[7].pValue = &truevalue;
- template[7].ulValueLen = sizeof (truevalue);
- template[8].type = CKA_MODULUS;
- template[8].pValue = data[0];
- template[8].ulValueLen = BN_num_bytes(rsa->n);
- template[9].type = CKA_PUBLIC_EXPONENT;
- template[9].pValue = data[1];
- template[9].ulValueLen = BN_num_bytes(rsa->e);
-
- rv = C_CreateObject(hSession, template, 10, &key);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_CreateObject (pub): Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
-
- /* fill attributes for the private key */
- kclass = CKO_PRIVATE_KEY;
- template[0].type = CKA_TOKEN;
- template[0].pValue = &truevalue;
- template[0].ulValueLen = sizeof (truevalue);
- template[1].type = CKA_CLASS;
- template[1].pValue = &kclass;
- template[1].ulValueLen = sizeof (kclass);
- template[2].type = CKA_LABEL;
- template[2].pValue = label;
- template[2].ulValueLen = strlen(label);
- template[3].type = CKA_ID;
- template[3].pValue = new_id;
- template[3].ulValueLen = sizeof (new_id);
- template[4].type = CKA_KEY_TYPE;
- template[4].pValue = &ktype;
- template[4].ulValueLen = sizeof (ktype);
- template[5].type = CKA_SENSITIVE;
- template[5].pValue = &falsevalue;
- template[5].ulValueLen = sizeof (falsevalue);
- template[6].type = CKA_EXTRACTABLE;
- template[6].pValue = &truevalue;
- template[6].ulValueLen = sizeof (truevalue);
- template[7].type = CKA_DECRYPT;
- template[7].pValue = &truevalue;
- template[7].ulValueLen = sizeof (truevalue);
- template[8].type = CKA_SIGN;
- template[8].pValue = &truevalue;
- template[8].ulValueLen = sizeof (truevalue);
- template[9].type = CKA_SIGN_RECOVER;
- template[9].pValue = &truevalue;
- template[9].ulValueLen = sizeof (truevalue);
- template[10].type = CKA_MODULUS;
- template[10].pValue = data[0];
- template[10].ulValueLen = BN_num_bytes(rsa->n);
- template[11].type = CKA_PUBLIC_EXPONENT;
- template[11].pValue = data[1];
- template[11].ulValueLen = BN_num_bytes(rsa->e);
- template[12].type = CKA_PRIVATE_EXPONENT;
- template[12].pValue = data[2];
- template[12].ulValueLen = BN_num_bytes(rsa->d);
- template[13].type = CKA_PRIME_1;
- template[13].pValue = data[3];
- template[13].ulValueLen = BN_num_bytes(rsa->p);
- template[14].type = CKA_PRIME_2;
- template[14].pValue = data[4];
- template[14].ulValueLen = BN_num_bytes(rsa->q);
- template[15].type = CKA_EXPONENT_1;
- template[15].pValue = data[5];
- template[15].ulValueLen = BN_num_bytes(rsa->dmp1);
- template[16].type = CKA_EXPONENT_2;
- template[16].pValue = data[6];
- template[16].ulValueLen = BN_num_bytes(rsa->dmq1);
- template[17].type = CKA_COEFFICIENT;
- template[17].pValue = data[7];
- template[17].ulValueLen = BN_num_bytes(rsa->iqmp);
-
- rv = C_CreateObject(hSession, template, 18, &key);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_CreateObject (priv): Error = 0x%.8X\n", rv);
- (void) C_DestroyObject(hSession, key);
- error = 1;
- goto exit_search;
- }
-
- exit_search:
- rv = C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_session:
- (void) C_CloseSession(hSession);
-
- exit_program:
- (void) C_Finalize(NULL_PTR);
- ENGINE_free(e);
- ENGINE_cleanup();
-
- exit(error);
-}
diff --git a/contrib/pkcs11-keygen/writekey.sh b/contrib/pkcs11-keygen/writekey.sh
deleted file mode 100755
index 9b235d090a..0000000000
--- a/contrib/pkcs11-keygen/writekey.sh
+++ /dev/null
@@ -1,73 +0,0 @@ -#!/bin/bash --debug - -usage="Usage: $0 -x ext -p pin -f keyrootname" -tmp_file=/tmp/cur_pem.$$ -while getopts ":x:p:f:" opt; do - case $opt in - x ) ext=$OPTARG ;; - p ) pin=$OPTARG ;; - f ) root=$OPTARG ;; - \? ) echo $usage - exit 1 ;; - esac -done -shift $(($OPTIND -1)) - -if [ ! "$ext" -o ! "$pin" -o ! "$root" ] ; then - echo $usage - exit 1 -fi - -keyfile=${root}.key -privfile=${root}.private -file=`basename $root | sed 's/^K//'` -zone=`echo $file | awk -F+ '{ print $1 }' | sed 's/\.$//'` -algo=`echo $file | awk -F+ '{ print $2 }'` -tag=`echo $file | awk -F+ '{ print $3 }'` - -# debug -echo 'zone: ' $zone -echo 'algo: ' $algo -echo 'tag: ' $tag - -if [ ! -r "$keyfile" ] ; then - echo "can't read " $keyfile - exit 1 -fi -if [ ! -r "$privfile" ] ; then - echo "can't read " $privfile - exit 1 -fi - -if [ "$algo" != "005" ] ; then - echo 'algorithm must be 005' - exit 1 -fi - -# for testing -mypath=. - -echo 'Reading key files' -flag=`$mypath/keydump.pl -k $keyfile -p $privfile -o $tmp_file` - -if [ "$flag" = "256" ] ; then - label=$zone,zsk,$ext -elif [ "$flag" = "257" ] ; then - label=$zone,ksk,$ext -else - echo 'flag must be 256 or 257' - rm $tmp_file - exit 1 -fi - -echo "Label will be '"$label"'" -$mypath/writekey -p $pin -l $label -i $tag -f $tmp_file - -rm $tmp_file - -echo 'Now you can add at the end of ' $privfile -/usr/bin/perl <