--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_creds.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+
+typedef struct private_pkcs11_creds_t private_pkcs11_creds_t;
+
+/**
+ * Private data of an pkcs11_creds_t object.
+ */
+struct private_pkcs11_creds_t {
+
+ /**
+ * Public pkcs11_creds_t interface.
+ */
+ pkcs11_creds_t public;
+
+ /**
+ * PKCS# library
+ */
+ pkcs11_library_t *lib;
+
+ /**
+ * Token slot
+ */
+ CK_SLOT_ID slot;
+
+ /**
+ * List of trusted certificates
+ */
+ linked_list_t *trusted;
+
+ /**
+ * List of untrusted certificates
+ */
+ linked_list_t *untrusted;
+};
+
+/**
+ * Handle a certificate object, optionally trusted
+ */
+static void handle_certificate(private_pkcs11_creds_t *this,
+ CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object,
+ CK_BBOOL trusted)
+{
+ CK_ATTRIBUTE attrs[] = {
+ {CKA_VALUE, NULL, 0},
+ {CKA_LABEL, NULL, 0},
+ };
+ CK_RV rv;
+ certificate_t *cert;
+
+ rv = this->lib->f->C_GetAttributeValue(session, object,
+ attrs, countof(attrs));
+ if (rv != CKR_OK)
+ {
+ DBG1(DBG_CFG, "C_GetAttributeValue(NULL) error: %N", ck_rv_names, rv);
+ return;
+ }
+ if (attrs[0].ulValueLen)
+ {
+ attrs[0].pValue = malloc(attrs[0].ulValueLen);
+ }
+ if (attrs[1].ulValueLen)
+ {
+ attrs[1].pValue = malloc(attrs[1].ulValueLen);
+ }
+ rv = this->lib->f->C_GetAttributeValue(session, object,
+ attrs, countof(attrs));
+ if (rv == CKR_OK)
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER,
+ chunk_create(attrs[0].pValue, attrs[0].ulValueLen),
+ BUILD_END);
+ if (cert)
+ {
+ DBG1(DBG_CFG, " loaded %strusted cert '%.*s'",
+ trusted ? "" : "un", attrs[1].ulValueLen, attrs[1].pValue);
+ /* trusted certificates are also returned as untrusted */
+ this->untrusted->insert_last(this->untrusted, cert);
+ if (trusted)
+ {
+ this->trusted->insert_last(this->trusted, cert->get_ref(cert));
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading cert '%.*s' failed",
+ attrs[1].ulValueLen, attrs[1].pValue);
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, "C_GetAttributeValue() error: %N", ck_rv_names, rv);
+ }
+ free(attrs[0].pValue);
+ free(attrs[1].pValue);
+}
+
+/**
+ * Find certificates, optionally trusted
+ */
+static void find_certificates(private_pkcs11_creds_t *this,
+ CK_SESSION_HANDLE session, CK_BBOOL trusted)
+{
+ CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+ CK_CERTIFICATE_TYPE type = CKC_X_509;
+ CK_ATTRIBUTE template[] = {
+ {CKA_CLASS, &class, sizeof(class)},
+ {CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+ {CKA_TRUSTED, &trusted, sizeof(trusted)},
+ };
+ CK_OBJECT_HANDLE object;
+ CK_ULONG found;
+ CK_RV rv;
+
+ rv = this->lib->f->C_FindObjectsInit(session, template, countof(template));
+ if (rv == CKR_OK)
+ {
+ while (TRUE)
+ {
+ rv = this->lib->f->C_FindObjects(session, &object, 1, &found);
+ if (rv == CKR_OK)
+ {
+ if (found == 1)
+ {
+ handle_certificate(this, session, object, trusted);
+ }
+ else
+ {
+ break;
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, "C_FindObjects() error: %N", ck_rv_names, rv);
+ break;
+ }
+ }
+ }
+ this->lib->f->C_FindObjectsFinal(session);
+}
+
+/**
+ * Load in the certificates from the token
+ */
+static bool load_certificates(private_pkcs11_creds_t *this)
+{
+ CK_SESSION_HANDLE session;
+ CK_RV rv;
+
+ rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION,
+ NULL, NULL, &session);
+ if (rv != CKR_OK)
+ {
+ DBG1(DBG_CFG, "opening session failed: %N", ck_rv_names, rv);
+ return FALSE;
+ }
+
+ find_certificates(this, session, CK_TRUE);
+ find_certificates(this, session, CK_FALSE);
+
+ this->lib->f->C_CloseSession(session);
+ return TRUE;
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool certs_filter(identification_t *id,
+ certificate_t **in, certificate_t **out)
+{
+ public_key_t *public;
+ certificate_t *cert = *in;
+
+ if (id == NULL || cert->has_subject(cert, id))
+ {
+ *out = *in;
+ return TRUE;
+ }
+ public = cert->get_public_key(cert);
+ if (public)
+ {
+ if (public->has_fingerprint(public, id->get_encoding(id)))
+ {
+ public->destroy(public);
+ *out = *in;
+ return TRUE;
+ }
+ public->destroy(public);
+ }
+ return FALSE;
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+ private_pkcs11_creds_t *this, certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted)
+{
+ enumerator_t *inner;
+
+ if (cert != CERT_X509 && cert != CERT_ANY)
+ {
+ return NULL;
+ }
+ if (trusted)
+ {
+ inner = this->trusted->create_enumerator(this->trusted);
+ }
+ else
+ {
+ inner = this->untrusted->create_enumerator(this->untrusted);
+ }
+ return enumerator_create_filter(inner, (void*)certs_filter, id, NULL);
+}
+
+METHOD(pkcs11_creds_t, get_library, pkcs11_library_t*,
+ private_pkcs11_creds_t *this)
+{
+ return this->lib;
+}
+
+METHOD(pkcs11_creds_t, get_slot, CK_SLOT_ID,
+ private_pkcs11_creds_t *this)
+{
+ return this->slot;
+}
+
+METHOD(pkcs11_creds_t, destroy, void,
+ private_pkcs11_creds_t *this)
+{
+ this->trusted->destroy_offset(this->trusted,
+ offsetof(certificate_t, destroy));
+ this->untrusted->destroy_offset(this->untrusted,
+ offsetof(certificate_t, destroy));
+ free(this);
+}
+
+/**
+ * See header
+ */
+pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot)
+{
+ private_pkcs11_creds_t *this;
+
+ INIT(this,
+ .public = {
+ .set = {
+ .create_shared_enumerator = (void*)enumerator_create_empty,
+ .create_private_enumerator = (void*)enumerator_create_empty,
+ .create_cert_enumerator = _create_cert_enumerator,
+ .create_cdp_enumerator = (void*)enumerator_create_empty,
+ .cache_cert = (void*)nop,
+ },
+ .get_library = _get_library,
+ .get_slot = _get_slot,
+ .destroy = _destroy,
+ },
+ .lib = p11,
+ .slot = slot,
+ .trusted = linked_list_create(),
+ .untrusted = linked_list_create(),
+ );
+
+ if (!load_certificates(this))
+ {
+ free(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
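Review bot: When `load_certificates` fails, `pkcs11_creds_create` calls `free(this)` directly, but the two lists allocated by `linked_list_create()` in the INIT block are leaked; both lists are still empty at that point (the only failing path is `C_OpenSession`, before any certificate is inserted), so replacing `free(this);` with `destroy(this);` releases them through the existing destructor. In `handle_certificate`, both `%.*s` conversions pass `attrs[1].ulValueLen` as the precision, yet `%.*s` expects an `int` while `CK_ULONG` is `unsigned long`, so the argument should be cast, e.g. `(int)attrs[1].ulValueLen`; note also that when the label length is zero `attrs[1].pValue` stays NULL and is still handed to the format, which the logging path should tolerate or skip. `find_certificates` invokes `C_FindObjectsFinal` even when `C_FindObjectsInit` failed and never logs that failure; moving the final call inside the `if (rv == CKR_OK)` branch and adding an `else` with `DBG1(DBG_CFG, "C_FindObjectsInit() error: %N", ck_rv_names, rv);` would match the other error paths in this file.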
--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_creds pkcs11_creds
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_CREDS_H_
+#define PKCS11_CREDS_H_
+
+typedef struct pkcs11_creds_t pkcs11_creds_t;
+
+#include "pkcs11_library.h"
+
+#include <credentials/credential_manager.h>
+
+/**
+ * Credential set on top on a PKCS#11 token.
+ */
+struct pkcs11_creds_t {
+
+ /**
+ * Implements credential_set_t.
+ */
+ credential_set_t set;
+
+ /**
+ * Get the PKCS#11 library this set uses.
+ *
+ * @return library
+ */
+ pkcs11_library_t* (*get_library)(pkcs11_creds_t *this);
+
+ /**
+ * Get the slot of the token this set uses.
+ *
+ * @return slot
+ */
+ CK_SLOT_ID (*get_slot)(pkcs11_creds_t *this);
+
+ /**
+ * Destroy a pkcs11_creds_t.
+ */
+ void (*destroy)(pkcs11_creds_t *this);
+};
+
+/**
+ * Create a pkcs11_creds instance.
+ *
+ * @param p11 loaded PKCS#11 library
+ * @param slot slot of the token we hand out credentials
+ */
+pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot);
+
+#endif /** PKCS11_CREDS_H_ @}*/
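Review bot: The comment on `pkcs11_creds_create` documents both parameters but has no `@return`, although the implementation hands back NULL when the token session cannot be opened; add `@return credential set, NULL on failure` to the block. Since the caller owns the returned object and releases it through the `destroy` method, the struct comment could state that ownership as well.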
#include <library.h>
#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/mutex.h>
#include "pkcs11_manager.h"
+#include "pkcs11_creds.h"
typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t;
* PKCS#11 library/slot manager
*/
pkcs11_manager_t *manager;
+
+ /**
+ * List of credential sets, pkcs11_creds_t
+ */
+ linked_list_t *creds;
+
+ /**
+ * mutex to lock list
+ */
+ mutex_t *mutex;
};
/**
static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
CK_SLOT_ID slot, bool add)
{
+ enumerator_t *enumerator;
+ pkcs11_creds_t *creds, *found = NULL;;
+
+ if (add)
+ {
+ creds = pkcs11_creds_create(p11, slot);
+ if (creds)
+ {
+ this->mutex->lock(this->mutex);
+ this->creds->insert_last(this->creds, creds);
+ this->mutex->unlock(this->mutex);
+ lib->credmgr->add_set(lib->credmgr, &creds->set);
+ }
+ }
+ else
+ {
+ this->mutex->lock(this->mutex);
+ enumerator = this->creds->create_enumerator(this->creds);
+ while (enumerator->enumerate(enumerator, &creds))
+ {
+ if (creds->get_library(creds) == p11 &&
+ creds->get_slot(creds) == slot)
+ {
+ found = creds;
+ this->creds->remove_at(this->creds, enumerator);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+
+ if (found)
+ {
+ lib->credmgr->remove_set(lib->credmgr, &found->set);
+ found->destroy(found);
+ /* flush the cache after a token is gone */
+ lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
+ }
+ }
}
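Review bot: The declaration `pkcs11_creds_t *creds, *found = NULL;;` in token_event_cb carries a stray second semicolon; drop it. In the add path the new set is inserted into the list and the mutex released before `add_set` registers it, so a remove event for the same library and slot arriving in between would unlink and destroy the set while `add_set` is about to use it; presumably token events are delivered serially, but a short comment stating that assumption (or holding the mutex across `add_set`) would make the intent explicit.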
METHOD(plugin_t, destroy, void,
private_pkcs11_plugin_t *this)
{
+ pkcs11_creds_t *creds;
+
+ while (this->creds->remove_last(this->creds, (void**)&creds) == SUCCESS)
+ {
+ lib->credmgr->remove_set(lib->credmgr, &creds->set);
+ creds->destroy(creds);
+ }
+ this->creds->destroy(this->creds);
this->manager->destroy(this->manager);
+ this->mutex->destroy(this->mutex);
free(this);
}
INIT(this,
.public.plugin.destroy = _destroy,
+ .creds = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
);
this->manager = pkcs11_manager_create((void*)token_event_cb, this);