#include <credentials/certificates/x509.h>
#include <credentials/certificates/crl.h>
#include <credentials/certificates/ac.h>
+#include <credentials/sets/mem_cred.h>
#include <utils/linked_list.h>
#include <utils/lexparser.h>
#include <threading/rwlock.h>
private_key_t *key = NULL;
u_int slot;
chunk_t chunk;
+ shared_key_t *shared;
+ identification_t *id;
+ mem_cred_t *mem;
+ callback_set_t *cb;
enum {
SC_FORMAT_SLOT_MODULE_KEYID,
SC_FORMAT_SLOT_KEYID,
DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
return FALSE;
}
-
- chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
-
if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
{
if (prompt)
{
passphrase_cb_data_t data = {
.prompt = prompt,
- .file = smartcard,
+ .file = path,
};
- switch (format)
- {
- case SC_FORMAT_SLOT_MODULE_KEYID:
- key = lib->creds->create(lib->creds,
- CRED_PRIVATE_KEY, KEY_ANY,
- BUILD_PKCS11_SLOT, slot,
- BUILD_PKCS11_MODULE, module,
- BUILD_PKCS11_KEYID, chunk,
- BUILD_PASSPHRASE_CALLBACK,
- smartcard_cb, &data, BUILD_END);
- break;
- case SC_FORMAT_SLOT_KEYID:
- key = lib->creds->create(lib->creds,
- CRED_PRIVATE_KEY, KEY_ANY,
- BUILD_PKCS11_SLOT, slot,
- BUILD_PKCS11_KEYID, chunk,
- BUILD_PASSPHRASE_CALLBACK,
- smartcard_cb, &data, BUILD_END);
- break;
- case SC_FORMAT_KEYID:
- key = lib->creds->create(lib->creds,
- CRED_PRIVATE_KEY, KEY_ANY,
- BUILD_PKCS11_KEYID, chunk,
- BUILD_PASSPHRASE_CALLBACK,
- smartcard_cb, &data, BUILD_END);
- break;
- }
- }
- }
- else
- {
- switch (format)
- {
- case SC_FORMAT_SLOT_MODULE_KEYID:
- key = lib->creds->create(lib->creds,
- CRED_PRIVATE_KEY, KEY_ANY,
- BUILD_PKCS11_SLOT, slot,
- BUILD_PKCS11_MODULE, module,
- BUILD_PKCS11_KEYID, chunk,
- BUILD_PASSPHRASE, secret, BUILD_END);
- break;
- case SC_FORMAT_SLOT_KEYID:
- key = lib->creds->create(lib->creds,
- CRED_PRIVATE_KEY, KEY_ANY,
- BUILD_PKCS11_SLOT, slot,
- BUILD_PKCS11_KEYID, chunk,
- BUILD_PASSPHRASE, secret, BUILD_END);
- break;
- case SC_FORMAT_KEYID:
- key = lib->creds->create(lib->creds,
- CRED_PRIVATE_KEY, KEY_ANY,
- BUILD_PKCS11_KEYID, chunk,
- BUILD_PASSPHRASE, secret, BUILD_END);
- break;
- }
+ /* provide our pin in a temporary credential set */
+ shared = shared_key_create(SHARED_PIN, secret);
+ chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+ id = identification_create_from_encoding(ID_KEY_ID, chunk);
+ set = mem_cred_create();
+ set->add_shared(set, shared, id, NULL);
+ lib->credmgr->add_local_set(lib->credmgr, &set->set);
+ /* unlock: smartcard needs the pin and potentially calls public set */
+ this->lock->unlock(this->lock);
+ switch (format)
+ {
+ case SC_FORMAT_SLOT_MODULE_KEYID:
+ key = lib->creds->create(lib->creds,
+ CRED_PRIVATE_KEY, KEY_ANY,
+ BUILD_PKCS11_SLOT, slot,
+ BUILD_PKCS11_MODULE, module,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ break;
+ case SC_FORMAT_SLOT_KEYID:
+ key = lib->creds->create(lib->creds,
+ CRED_PRIVATE_KEY, KEY_ANY,
+ BUILD_PKCS11_SLOT, slot,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ break;
+ case SC_FORMAT_KEYID:
+ key = lib->creds->create(lib->creds,
+ CRED_PRIVATE_KEY, KEY_ANY,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ break;
}
- free(chunk.ptr);
+ this->lock->write_lock(this->lock);
+ lib->credmgr->remove_local_set(lib->credmgr, &set->set);
+ set->destroy(set);
+
if (key)
{
DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr);
this->private->insert_last(this->private, key);
}
- chunk_clear(&secret);
return TRUE;
}
credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
credentials/cert_validator.h \
database/database.h database/database_factory.h database/database_factory.c \
credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
credentials/cert_validator.h \
database/database.h database/database_factory.h database/database_factory.c \
--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "callback_cred.h"
+
+typedef struct private_callback_cred_t private_callback_cred_t;
+
+/**
+ * Private data of an callback_cred_t object.
+ */
+struct private_callback_cred_t {
+
+ /**
+ * Public callback_cred_t interface.
+ */
+ callback_cred_t public;
+
+ /**
+ * Callback of this set, for all types, and generic
+ */
+ union {
+ void *generic;
+ callback_cred_shared_cb_t shared;
+ } cb;
+
+ /**
+ * Data to pass to callback
+ */
+ void *data;
+};
+
+/**
+ * Shared key enumerator on callbacks
+ */
+typedef struct {
+ /* implements enumerator_t */
+ enumerator_t public;
+ /* backref to this */
+ private_callback_cred_t *this;
+ /* own identity to match */
+ identification_t *me;
+ /* other identity to match */
+ identification_t *other;
+ /* current shared key */
+ shared_key_t *current;
+} shared_enumerator_t;
+
+METHOD(enumerator_t, shared_enumerate, bool,
+ shared_enumerator_t *this, shared_key_t **out,
+ id_match_t *match_me, id_match_t *match_other)
+{
+ DESTROY_IF(this->current);
+ this->current = this->this->cb.shared(this->this->data,
+ this->me, this->other, match_me, match_other);
+ if (this->current)
+ {
+ *out = this->current;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(enumerator_t, shared_destroy, void,
+ shared_enumerator_t *this)
+{
+ DESTROY_IF(this->current);
+ free(this);
+}
+
+METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
+ private_callback_cred_t *this, shared_key_type_t type,
+ identification_t *me, identification_t *other)
+{
+ shared_enumerator_t *enumerator;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = (void*)_shared_enumerate,
+ .destroy = _shared_destroy,
+ },
+ .this = this,
+ .me = me,
+ .other = other,
+ );
+ return &enumerator->public;
+}
+
+METHOD(callback_cred_t, destroy, void,
+ private_callback_cred_t *this)
+{
+ free(this);
+}
+
+/**
+ * Create a generic callback credential set
+ */
+static private_callback_cred_t* create_generic(void *cb, void *data)
+{
+ private_callback_cred_t *this;
+
+ INIT(this,
+ .public = {
+ .set = {
+ .create_shared_enumerator = (void*)return_null,
+ .create_private_enumerator = (void*)return_null,
+ .create_cert_enumerator = (void*)return_null,
+ .create_cdp_enumerator = (void*)return_null,
+ .cache_cert = (void*)nop,
+ },
+ .destroy = _destroy,
+ },
+ .cb.generic = cb,
+ .data = data,
+ );
+ return this;
+}
+
+/**
+ * See header
+ */
+callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb,
+ void *data)
+{
+ private_callback_cred_t *this = create_generic(cb, data);
+
+ this->public.set.create_shared_enumerator = _create_shared_enumerator;
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup callback_cred callback_cred
+ * @{ @ingroup sets
+ */
+
+#ifndef CALLBACK_CRED_H_
+#define CALLBACK_CRED_H_
+
+typedef struct callback_cred_t callback_cred_t;
+
+#include <credentials/credential_set.h>
+
+/**
+ * Callback function to get shared keys.
+ *
+ * @param me own identity
+ * @param other other identity
+ * @param match_me match result of own identity
+ * @param match_other match result of other identity
+ */
+typedef shared_key_t* (*callback_cred_shared_cb_t)(void *data,
+ identification_t *me, identification_t *other,
+ id_match_t *match_me, id_match_t *match_other);
+
+/**
+ * Generic callbcack using user specified callback functions.
+ */
+struct callback_cred_t {
+
+ /**
+ * Implements credential_set_t.
+ */
+ credential_set_t set;
+
+ /**
+ * Destroy a callback_cred_t.
+ */
+ void (*destroy)(callback_cred_t *this);
+};
+
+/**
+ * Create a callback_cred instance, for a shared key.
+ *
+ * @param cb callback function
+ * @param data data to pass to callback
+ */
+callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb,
+ void *data);
+
+#endif /** CALLBACK_CRED_H_ @}*/
}
/**
- * Try a login to the session
+ * Find a PIN and try to log in
*/
-static bool login(private_pkcs11_private_key_t *this, chunk_t pin, int slot)
+static bool login(private_pkcs11_private_key_t *this, chunk_t keyid, int slot)
{
+ identification_t *id;
+ shared_key_t *shared;
+ chunk_t pin;
CK_RV rv;
+ id = identification_create_from_encoding(ID_KEY_ID, keyid);
+ shared = lib->credmgr->get_shared(lib->credmgr, SHARED_PIN, id, NULL);
+ id->destroy(id);
+ if (!shared)
+ {
+ DBG1(DBG_CFG, "no PIN found for PKCS#11 key %#B", keyid);
+ return FALSE;
+ }
+ pin = shared->get_key(shared);
rv = this->lib->f->C_Login(this->session, CKU_USER, pin.ptr, pin.len);
+ shared->destroy(shared);
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "login to '%s':%d failed: %N",
pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
{
private_pkcs11_private_key_t *this;
- chunk_t (*cb)(void *data, int try) = NULL;
- void *cb_data = NULL;
char *module = NULL;
- chunk_t keyid, pin;
- int slot = -1, try = 0;
+ chunk_t keyid = chunk_empty;
+ int slot = -1;
CK_RV rv;
- keyid = pin = chunk_empty;
while (TRUE)
{
switch (va_arg(args, builder_part_t))
case BUILD_PKCS11_KEYID:
keyid = va_arg(args, chunk_t);
continue;
- case BUILD_PASSPHRASE:
- pin = va_arg(args, chunk_t);
- continue;
- case BUILD_PASSPHRASE_CALLBACK:
- cb = va_arg(args, void*);
- cb_data = va_arg(args, void*);
- continue;
case BUILD_PKCS11_SLOT:
slot = va_arg(args, int);
continue;
}
break;
}
- if (!keyid.len || (!pin.len && !cb))
+ if (!keyid.len)
{
return NULL;
}
this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
- if (pin.ptr)
- {
- if (!login(this, pin, slot))
- {
- destroy(this);
- return NULL;
- }
- }
- else
+ if (!login(this, keyid, slot))
{
- while (TRUE)
- {
- pin = cb(cb_data, ++try);
- if (!pin.len)
- {
- destroy(this);
- return NULL;
- }
- if (login(this, pin, slot))
- {
- break;
- }
- }
+ destroy(this);
+ return NULL;
}
if (!find_key(this, keyid))
projects / thirdparty / strongswan.git / commitdiff
