
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_4-11-g076b53b


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_4-11-g076b53b
Date: Mon, 12 Nov 2012 17:25:04 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=076b53bbbedb8c6bd792ac9a80411242cad27f67

The branch, master has been updated
       via  076b53bbbedb8c6bd792ac9a80411242cad27f67 (commit)
       via  ec025698630fbadbfd545b67d143a06cdbdbf41c (commit)
       via  53cab3bdb4e7ecd78d7f090382aedfdf3c81aa8f (commit)
       via  3ad3a70d4d2a3e4504890456d8bbd8bd79395e57 (commit)
       via  b1b8baac9929fec7f3c196865fa25d3ec0362cf7 (commit)
       via  6efe5ad21ab9d01c40a224b8a2f01b6567999d97 (commit)
       via  62609a1917b586d24f2004ebb8258c83874864ba (commit)
      from  3d98785df958a2061dd9056bb38cc318be202b33 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 076b53bbbedb8c6bd792ac9a80411242cad27f67
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 12 18:24:50 2012 +0100

    doc update

commit ec025698630fbadbfd545b67d143a06cdbdbf41c
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 12 18:24:33 2012 +0100

    optimizations in list import

commit 53cab3bdb4e7ecd78d7f090382aedfdf3c81aa8f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 12 18:24:04 2012 +0100

    When listing all objects of a type, restrict their class to the specified.

commit 3ad3a70d4d2a3e4504890456d8bbd8bd79395e57
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 12 18:03:17 2012 +0100

    Added some help on failure.

commit b1b8baac9929fec7f3c196865fa25d3ec0362cf7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 12 17:58:09 2012 +0100

    pkcs11_find_object made static.

commit 6efe5ad21ab9d01c40a224b8a2f01b6567999d97
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 12 17:40:41 2012 +0100

    get_bits() does not always warn.

commit 62609a1917b586d24f2004ebb8258c83874864ba
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Nov 12 01:31:08 2012 +0100

    when generating a PKCS #11 private key print the public key.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                         |    5 ++-
 lib/includes/gnutls/pkcs11.h |    7 +++
 lib/libgnutls.map            |    1 +
 lib/pkcs11.c                 |   60 ++++----------------
 lib/pkcs11_int.h             |   10 ++--
 lib/pkcs11_privkey.c         |  124 +++++++++++++++++++++++++++++++++++++++++-
 src/certtool-common.c        |    4 +-
 src/certtool-common.h        |    3 +-
 src/certtool.c               |    2 +-
 src/dh.c                     |    2 +-
 src/p11tool.c                |    6 +-
 src/pkcs11.c                 |   43 ++++-----------
 src/tpmtool.c                |    2 +-
 13 files changed, 173 insertions(+), 96 deletions(-)

diff --git a/NEWS b/NEWS
index f5c11ae..382bfa0 100644
--- a/NEWS
+++ b/NEWS
@@ -8,8 +8,11 @@ See the end for copying conditions.
 --load-privkey in order to print the corresponding public key of a private 
 key.
 
+** Added PKCS #11 key generation function that returns the public key
+on generation.
+
 ** API and ABI modifications:
-No changes since last version.
+gnutls_pkcs11_privkey_generate2: Added
 
 
 * Version 3.1.4 (released 2012-11-10)
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 0e486ce..34a2a93 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -308,6 +308,13 @@ int gnutls_pkcs11_privkey_generate (const char* url,
                                    unsigned int bits,
                                    const char* label, unsigned int flags);
 
+int
+gnutls_pkcs11_privkey_generate2 (const char* url, gnutls_pk_algorithm_t pk, 
+                                unsigned int bits, const char* label, 
+                                gnutls_x509_crt_fmt_t fmt, 
+                                gnutls_datum_t * pubkey,
+                                unsigned int flags);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index a8c1c08..fb77313 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -870,6 +870,7 @@ GNUTLS_3_1_0 {
        gnutls_srtp_set_mki;
        gnutls_ocsp_status_request_is_checked;
        gnutls_sign_is_secure;
+       gnutls_pkcs11_privkey_generate2;
 } GNUTLS_3_0_0;
 
 GNUTLS_PRIVATE {
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 0357c7a..a4b7728 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -865,51 +865,6 @@ gnutls_pkcs11_obj_export2 (gnutls_pkcs11_obj_t obj,
 }
 
 int
-pkcs11_find_object (struct pkcs11_session_info* sinfo,
-                    struct pin_info_st * pin_info,
-                    ck_object_handle_t * _obj,
-                    struct p11_kit_uri *info, unsigned int flags)
-{
-  int ret;
-  ck_object_handle_t obj;
-  struct ck_attribute *attrs;
-  unsigned long attr_count;
-  unsigned long count;
-  ck_rv_t rv;
-
-  ret = pkcs11_open_session (sinfo, pin_info, info, flags & SESSION_LOGIN);
-  if (ret < 0)
-    {
-      gnutls_assert ();
-      return ret;
-    }
-
-  attrs = p11_kit_uri_get_attributes (info, &attr_count);
-  rv = pkcs11_find_objects_init (sinfo->module, sinfo->pks, attrs, attr_count);
-  if (rv != CKR_OK)
-    {
-      gnutls_assert ();
-      _gnutls_debug_log ("pk11: FindObjectsInit failed.\n");
-      ret = pkcs11_rv_to_err (rv);
-      goto fail;
-    }
-
-  if (pkcs11_find_objects (sinfo->module, sinfo->pks, &obj, 1, &count) == 
CKR_OK && count == 1)
-    {
-      *_obj = obj;
-      pkcs11_find_objects_final (sinfo);
-      return 0;
-    }
-
-  ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
-  pkcs11_find_objects_final (sinfo);
-fail:
-  pkcs11_close_session (sinfo);
-
-  return ret;
-}
-
-int
 pkcs11_find_slot (struct ck_function_list ** module, ck_slot_id_t * slot,
                   struct p11_kit_uri *info, struct token_info *_tinfo)
 {
@@ -1193,7 +1148,7 @@ pkcs11_obj_import (ck_object_class_t class, 
gnutls_pkcs11_obj_t obj,
   return 0;
 }
 
-static int read_pkcs11_pubkey(struct ck_function_list *module,
+int pkcs11_read_pubkey(struct ck_function_list *module,
                               ck_session_handle_t pks, ck_object_handle_t obj,
                               ck_key_type_t key_type, gnutls_datum_t * pubkey)
 {
@@ -1369,7 +1324,7 @@ pkcs11_obj_import_pubkey (struct ck_function_list *module,
     {
       crt->pk_algorithm = mech_to_pk(key_type);
 
-      ret = read_pkcs11_pubkey(module, pks, obj, key_type, crt->pubkey);
+      ret = pkcs11_read_pubkey(module, pks, obj, key_type, crt->pubkey);
       if (ret < 0)
         return gnutls_assert_val(ret);
     }
@@ -1536,7 +1491,6 @@ find_obj_url (struct pkcs11_session_info *sinfo,
 
   while (pkcs11_find_objects (sinfo->module, sinfo->pks, &obj, 1, &count) == 
CKR_OK && count == 1)
     {
-
       a[0].type = CKA_VALUE;
       a[0].value = cert_data;
       a[0].value_len = MAX_CERT_SIZE;
@@ -2307,6 +2261,16 @@ find_objs (struct pkcs11_session_info* sinfo,
         }
     }
 
+  /* Find objects with given class and type */
+  attr = p11_kit_uri_get_attribute (find_data->info, CKA_CLASS);
+  if (attr)
+    {
+      if(attr->value && attr->value_len == sizeof (ck_object_class_t))
+        class = *((ck_object_class_t*)attr->value);
+      if (class == CKO_CERTIFICATE)
+        type = CKC_X_509;
+    }
+
   cert_data = gnutls_malloc (MAX_CERT_SIZE);
   if (cert_data == NULL)
     {
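Review bot: The new CKA_CLASS lookup in find_objs reads the attribute with `class = *((ck_object_class_t*)attr->value);`, which assumes the buffer returned by p11_kit_uri_get_attribute is suitably aligned for ck_object_class_t. Copying it out with `memcpy (&class, attr->value, sizeof (class));` removes that assumption. When the attribute is present but the length check fails, `class` keeps whatever value it had before this block and `if (class == CKO_CERTIFICATE)` still runs on it. The declarations and initial values of `class` and `type` are outside the hunk, so confirm they start from a sentinel that cannot equal a real object class. find_objs begins and ends outside the hunk.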
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index d5b0370..e7f266f 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -78,6 +78,10 @@ int
 pkcs11_find_slot (struct ck_function_list ** module, ck_slot_id_t * slot,
                   struct p11_kit_uri *info, struct token_info *_tinfo);
 
+int pkcs11_read_pubkey(struct ck_function_list *module,
+                              ck_session_handle_t pks, ck_object_handle_t obj,
+                              ck_key_type_t key_type, gnutls_datum_t * pubkey);
+
 int pkcs11_get_info (struct p11_kit_uri *info,
                      gnutls_pkcs11_obj_info_t itype, void *output,
                      size_t * output_size);
@@ -109,12 +113,6 @@ int pkcs11_token_matches_info (struct p11_kit_uri *info,
                                struct ck_token_info *tinfo,
                                struct ck_info *lib_info);
 
-/* flags are SESSION_* */
-int pkcs11_find_object (struct pkcs11_session_info* sinfo,
-                        struct pin_info_st* pin_info,
-                        ck_object_handle_t * _obj,
-                        struct p11_kit_uri *info, unsigned int flags);
-
 unsigned int pkcs11_obj_flags_to_int (unsigned int flags);
 
 int
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 4e90657..a4ace84 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -128,12 +128,56 @@ gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t 
pkey,
   return pkcs11_get_info (pkey->info, itype, output, output_size);
 }
 
+static int
+find_object (struct pkcs11_session_info* sinfo,
+                    struct pin_info_st * pin_info,
+                    ck_object_handle_t * _obj,
+                    struct p11_kit_uri *info, unsigned int flags)
+{
+  int ret;
+  ck_object_handle_t obj;
+  struct ck_attribute *attrs;
+  unsigned long attr_count;
+  unsigned long count;
+  ck_rv_t rv;
+
+  ret = pkcs11_open_session (sinfo, pin_info, info, flags & SESSION_LOGIN);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  attrs = p11_kit_uri_get_attributes (info, &attr_count);
+  rv = pkcs11_find_objects_init (sinfo->module, sinfo->pks, attrs, attr_count);
+  if (rv != CKR_OK)
+    {
+      gnutls_assert ();
+      _gnutls_debug_log ("pk11: FindObjectsInit failed.\n");
+      ret = pkcs11_rv_to_err (rv);
+      goto fail;
+    }
+
+  if (pkcs11_find_objects (sinfo->module, sinfo->pks, &obj, 1, &count) == 
CKR_OK && count == 1)
+    {
+      *_obj = obj;
+      pkcs11_find_objects_final (sinfo);
+      return 0;
+    }
+
+  ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+  pkcs11_find_objects_final (sinfo);
+fail:
+  pkcs11_close_session (sinfo);
+
+  return ret;
+}
 
 #define FIND_OBJECT(sinfo, pin_info, obj, key) \
        do { \
                int retries = 0; \
                int rret; \
-               ret = pkcs11_find_object (sinfo, pin_info, &obj, key->info, \
+               ret = find_object (sinfo, pin_info, &obj, key->info, \
                                          SESSION_LOGIN); \
                if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { \
                        if (_gnutls_token_func) \
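Review bot: find_object has no comment saying who owns the session, and its exits differ: the success path returns 0 after pkcs11_find_objects_final without calling pkcs11_close_session, while every failure after the session was opened closes it. I would add a header comment such as `/* flags are SESSION_*; on success the session in sinfo is left open and the caller must close it */` (the prototype removed from lib/pkcs11_int.h carried only the first half). The function also requests a single handle and accepts the first one returned, so a URI that matches several objects resolves to whichever the token lists first; that belongs in the same comment. The FIND_OBJECT macro that calls it continues past the end of the hunk.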
@@ -501,6 +545,37 @@ gnutls_pkcs11_privkey_generate (const char* url, 
gnutls_pk_algorithm_t pk,
                                 unsigned int bits, const char* label, 
                                 unsigned int flags)
 {
+  return gnutls_pkcs11_privkey_generate2( url, pk, bits, label, 0, NULL, 
flags);
+}
+
+/**
+ * gnutls_pkcs11_privkey_generate2:
+ * @url: a token URL
+ * @pk: the public key algorithm
+ * @bits: the security bits
+ * @label: a label
+ * @fmt: the format of output params. PEM or DER.
+ * @pubkey: will hold the public key (may be %NULL)
+ * @flags: should be zero
+ *
+ * This function will generate a private key in the specified
+ * by the @url token. The private key will be generate within
+ * the token and will not be exportable. This function will
+ * store the DER-encoded public key in the SubjectPublicKeyInfo format 
+ * in @pubkey. The @pubkey should be deinitialized using gnutls_free().
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value.
+ *
+ * Since: 3.1
+ **/
+int
+gnutls_pkcs11_privkey_generate2 (const char* url, gnutls_pk_algorithm_t pk, 
+                                unsigned int bits, const char* label, 
+                                gnutls_x509_crt_fmt_t fmt, 
+                                gnutls_datum_t * pubkey,
+                                unsigned int flags)
+{
   int ret;
   const ck_bool_t tval = 1;
   const ck_bool_t fval = 0;
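Review bot: The documentation block for gnutls_pkcs11_privkey_generate2 contradicts itself and its caller. `@fmt` is described as "PEM or DER" while the body says the function stores "the DER-encoded public key", and `@flags: should be zero` does not match src/pkcs11.c in this same push, which passes GNUTLS_PKCS11_OBJ_FLAG_LOGIN and GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE. I would say the key is exported in the encoding selected by @fmt, describe @flags as zero or GNUTLS_PKCS11_OBJ_FLAG_* values, and state that it is `pubkey->data` the caller releases with gnutls_free(). The sentence "in the specified by the @url token ... will be generate" also needs a wording fix. The function body continues outside the hunk.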
@@ -512,6 +587,8 @@ gnutls_pkcs11_privkey_generate (const char* url, 
gnutls_pk_algorithm_t pk,
   unsigned long _bits = bits;
   int a_val, p_val;
   struct ck_mechanism mech;
+  gnutls_pubkey_t pkey = NULL;
+  gnutls_pkcs11_obj_t obj = NULL;
 
   memset(&sinfo, 0, sizeof(sinfo));
 
@@ -664,9 +741,54 @@ gnutls_pkcs11_privkey_generate (const char* url, 
gnutls_pk_algorithm_t pk,
       ret = pkcs11_rv_to_err (rv);
       goto cleanup;
     }
+  
+  /* extract the public key */
+  if (pubkey)
+    {
+      ret = gnutls_pubkey_init(&pkey);
+      if (ret < 0)
+        {
+          gnutls_assert ();
+          goto cleanup;
+        }
+
+      ret = gnutls_pkcs11_obj_init(&obj);
+      if (ret < 0)
+        {
+          gnutls_assert ();
+          goto cleanup;
+        }
+
+      obj->pk_algorithm = pk;
+      obj->type = GNUTLS_PKCS11_OBJ_PUBKEY;
+      ret = pkcs11_read_pubkey(sinfo.module, sinfo.pks, pub, mech.mechanism, 
obj->pubkey);
+      if (ret < 0)
+        {
+          gnutls_assert ();
+          goto cleanup;
+        }
+      
+      ret = gnutls_pubkey_import_pkcs11 (pkey, obj, 0);
+      if (ret < 0)
+        {
+          gnutls_assert ();
+          goto cleanup;
+        }
+
+      ret = gnutls_pubkey_export2 (pkey, fmt, pubkey);
+      if (ret < 0)
+        {
+          gnutls_assert ();
+          goto cleanup;
+        }
+    }
     
 
 cleanup:
+  if (obj != NULL)
+    gnutls_pkcs11_obj_deinit(obj);
+  if (pkey != NULL)
+    gnutls_pubkey_deinit(pkey);
   if (sinfo.pks != 0)
     pkcs11_close_session (&sinfo);
 
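Review bot: The call `pkcs11_read_pubkey(sinfo.module, sinfo.pks, pub, mech.mechanism, obj->pubkey)` passes a mechanism identifier where the prototype added to lib/pkcs11_int.h declares `ck_key_type_t key_type`. Mechanism and key-type values are separate PKCS #11 enumerations, and both the body of pkcs11_read_pubkey and the assignment of mech.mechanism are outside the hunk. Unless that function accepts generation mechanisms, the lookup can take the wrong branch for some algorithms, so passing the CKK_* key type that corresponds to `pk` would match the prototype. Separately, each `goto cleanup` in this block presumably runs after the key pair already exists on the token, so a failed export returns a negative value while the new key stays in place. The function documentation should state that, so a caller does not retry and create a second key. The function starts outside the hunk.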
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 8935038..518367d 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -551,7 +551,7 @@ int ret;
 }
 
 int
-get_bits (gnutls_pk_algorithm_t key_type, int info_bits, const char* 
info_sec_param)
+get_bits (gnutls_pk_algorithm_t key_type, int info_bits, const char* 
info_sec_param, int warn)
 {
   int bits;
 
@@ -559,7 +559,7 @@ get_bits (gnutls_pk_algorithm_t key_type, int info_bits, 
const char* info_sec_pa
     {
       static int warned = 0;
 
-      if (warned == 0)
+      if (warned == 0 && warn != 0)
         {
           warned = 1;
           fprintf (stderr,
diff --git a/src/certtool-common.h b/src/certtool-common.h
index c1c07ff..dcaed44 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -68,7 +68,8 @@ gnutls_datum_t *load_secret_key (int mand, common_info_st * 
info);
 gnutls_pubkey_t load_pubkey (int mand, common_info_st * info);
 gnutls_x509_crt_t *load_cert_list (int mand, size_t * size,
                                    common_info_st * info);
-int get_bits (gnutls_pk_algorithm_t key_type, int info_bits, const char* 
info_sec_param);
+int get_bits (gnutls_pk_algorithm_t key_type, int info_bits, const char* 
info_sec_param, int warn);
+
 gnutls_sec_param_t str_to_sec_param (const char *str);
 
 /* prime.c */
diff --git a/src/certtool.c b/src/certtool.c
index 7ec33a9..2f2eca7 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -113,7 +113,7 @@ generate_private_key_int (common_info_st * cinfo)
   if (ret < 0)
     error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
 
-  bits = get_bits (key_type, cinfo->bits, cinfo->sec_param);
+  bits = get_bits (key_type, cinfo->bits, cinfo->sec_param, 1);
 
   fprintf (stderr, "Generating a %d bit %s private key...\n",
            bits, gnutls_pk_algorithm_get_name (key_type));
diff --git a/src/dh.c b/src/dh.c
index 88845bf..2050d4f 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -137,7 +137,7 @@ generate_prime (int how, common_info_st * info)
   int ret;
   gnutls_dh_params_t dh_params;
   gnutls_datum_t p, g;
-  int bits = get_bits (GNUTLS_PK_DH, info->bits, info->sec_param);
+  int bits = get_bits (GNUTLS_PK_DH, info->bits, info->sec_param, 1);
   unsigned int q_bits = 0;
 
   gnutls_dh_params_init (&dh_params);
diff --git a/src/p11tool.c b/src/p11tool.c
index 1ee3edf..6b58444 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -241,21 +241,21 @@ cmd_parser (int argc, char **argv)
   else if (HAVE_OPT(GENERATE_ECC))
     {
       key_type = GNUTLS_PK_EC;
-      pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, 
sec_param), 
+      pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, 
sec_param, 0), 
                        label, ENABLED_OPT(PRIVATE), detailed_url, login, 
                        &cinfo);
     }
   else if (HAVE_OPT(GENERATE_RSA))
     {
       key_type = GNUTLS_PK_RSA;
-      pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, 
sec_param), 
+      pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, 
sec_param, 0), 
                        label, ENABLED_OPT(PRIVATE), detailed_url, login, 
                        &cinfo);
     }
   else if (HAVE_OPT(GENERATE_DSA))
     {
       key_type = GNUTLS_PK_DSA;
-      pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, 
sec_param), 
+      pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, 
sec_param, 0), 
                        label, ENABLED_OPT(PRIVATE), detailed_url, login, 
                        &cinfo);
     }
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 203dafa..a8fc41f 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -113,17 +113,9 @@ pkcs11_list (FILE * outfile, const char *url, int type, 
unsigned int login,
 
   /* give some initial value to avoid asking for the pkcs11 pin twice.
    */
-  crt_list_size = 128;
-  crt_list = malloc (sizeof (*crt_list) * crt_list_size);
-  if (crt_list == NULL)
-    {
-      fprintf (stderr, "Memory error\n");
-      exit (1);
-    }
-
-  ret = gnutls_pkcs11_obj_list_import_url (crt_list, &crt_list_size, url,
+  ret = gnutls_pkcs11_obj_list_import_url2 (&crt_list, &crt_list_size, url,
                                            attrs, obj_flags);
-  if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
+  if (ret < 0)
     {
       fprintf (stderr, "Error in crt_list_import (1): %s\n",
                gnutls_strerror (ret));
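Review bot: The comment kept above the call, `give some initial value to avoid asking for the pkcs11 pin twice`, described the 128-entry preallocation that this hunk removes and no longer matches the code. I would replace it with `/* crt_list is allocated by gnutls_pkcs11_obj_list_import_url2 */` and note there who releases it. Ownership of the array has moved from the tool's own malloc to the library, and whether the list is freed on the normal path cannot be seen here. pkcs11_list begins before and continues after the hunk.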
@@ -136,26 +128,6 @@ pkcs11_list (FILE * outfile, const char *url, int type, 
unsigned int login,
       exit (0);
     }
 
-  if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
-    {
-      crt_list = realloc (crt_list, sizeof (*crt_list) * crt_list_size);
-      if (crt_list == NULL)
-        {
-          fprintf (stderr, "Memory error\n");
-          exit (1);
-        }
-
-      ret =
-        gnutls_pkcs11_obj_list_import_url (crt_list, &crt_list_size, url,
-                                           attrs, obj_flags);
-      if (ret < 0)
-        {
-          fprintf (stderr, "Error in crt_list_import: %s\n",
-                   gnutls_strerror (ret));
-          exit (1);
-        }
-    }
-
   for (i = 0; i < crt_list_size; i++)
     {
       char buf[128];
@@ -552,6 +524,7 @@ pkcs11_generate (FILE * outfile, const char *url, 
gnutls_pk_algorithm_t pk,
 {
   int ret;
   unsigned int flags = 0;
+  gnutls_datum_t pubkey;
 
   if (login)
     flags = GNUTLS_PKCS11_OBJ_FLAG_LOGIN;
@@ -566,13 +539,21 @@ pkcs11_generate (FILE * outfile, const char *url, 
gnutls_pk_algorithm_t pk,
   else if (private == 0)
     flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
 
-  ret = gnutls_pkcs11_privkey_generate(url, pk, bits, label, flags);
+  ret = gnutls_pkcs11_privkey_generate2(url, pk, bits, label, 
GNUTLS_X509_FMT_PEM,
+                                        &pubkey, flags);
   if (ret < 0)
     {
       fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
                gnutls_strerror (ret));
+      if (login == 0)
+        fprintf(stderr, "Note that --login was not specified and it may be 
required for generation.\n");
+      else if (bits != 1024)
+        fprintf (stderr, "Note that several smart cards do not support 
arbitrary size keys.\nTry --bits 1024 or 2048.\n");
       exit(1);
     }
+  
+  fwrite (pubkey.data, 1, pubkey.size, outfile);
+  gnutls_free(pubkey.data);
 
   return;
 }
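Review bot: `fwrite (pubkey.data, 1, pubkey.size, outfile);` ignores its return value, so a short or failed write leaves a key on the token and a truncated or empty public-key file while pkcs11_generate returns as if it had succeeded. Compare the result with pubkey.size and report the failure, e.g. `if (fwrite (pubkey.data, 1, pubkey.size, outfile) != pubkey.size) { fprintf (stderr, "Error writing public key\n"); exit (1); }`. In the error hints, `else if (bits != 1024)` also fires for 2048, the other size the message recommends, and both hints are printed whatever error code `ret` holds. `pubkey` is declared in the previous hunk without an initializer; it is read only on the success path, which is safe as written but fragile if a later edit frees it on failure.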
diff --git a/src/tpmtool.c b/src/tpmtool.c
index 7af4f63..9f21d06 100644
--- a/src/tpmtool.c
+++ b/src/tpmtool.c
@@ -162,7 +162,7 @@ cmd_parser (int argc, char **argv)
   if (HAVE_OPT(GENERATE_RSA))
     {
       key_type = GNUTLS_PK_RSA;
-      bits = get_bits (key_type, bits, sec_param);
+      bits = get_bits (key_type, bits, sec_param, 0);
       tpm_generate (outfile, key_type, bits, genflags);
     }
   else if (HAVE_OPT(PUBKEY))


hooks/post-receive
-- 
GNU gnutls


