-/* $OpenBSD: ssh-pkcs11-helper.c,v 1.21 2019/09/06 05:23:55 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11-helper.c,v 1.22 2020/01/25 00:03:36 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
struct pkcs11_keyinfo {
struct sshkey *key;
- char *providername;
+ char *providername, *label;
TAILQ_ENTRY(pkcs11_keyinfo) next;
};
struct sshbuf *oqueue;
static void
-add_key(struct sshkey *k, char *name)
+add_key(struct sshkey *k, char *name, char *label)
{
struct pkcs11_keyinfo *ki;
ki = xcalloc(1, sizeof(*ki));
ki->providername = xstrdup(name);
ki->key = k;
+ ki->label = xstrdup(label);
TAILQ_INSERT_TAIL(&pkcs11_keylist, ki, next);
}
if (!strcmp(ki->providername, name)) {
TAILQ_REMOVE(&pkcs11_keylist, ki, next);
free(ki->providername);
+ free(ki->label);
sshkey_free(ki->key);
free(ki);
}
struct pkcs11_keyinfo *ki;
TAILQ_FOREACH(ki, &pkcs11_keylist, next) {
- debug("check %p %s", ki, ki->providername);
+ debug("check %p %s %s", ki, ki->providername, ki->label);
if (sshkey_equal(k, ki->key))
return (ki->key);
}
u_char *blob;
size_t blen;
struct sshbuf *msg;
+ char **labels = NULL;
if ((msg = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = sshbuf_get_cstring(iqueue, &pin, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if ((nkeys = pkcs11_add_provider(name, pin, &keys)) > 0) {
+ if ((nkeys = pkcs11_add_provider(name, pin, &keys, &labels)) > 0) {
if ((r = sshbuf_put_u8(msg,
SSH2_AGENT_IDENTITIES_ANSWER)) != 0 ||
(r = sshbuf_put_u32(msg, nkeys)) != 0)
continue;
}
if ((r = sshbuf_put_string(msg, blob, blen)) != 0 ||
- (r = sshbuf_put_cstring(msg, name)) != 0)
+ (r = sshbuf_put_cstring(msg, labels[i])) != 0)
fatal("%s: buffer error: %s",
__func__, ssh_err(r));
free(blob);
- add_key(keys[i], name);
+ add_key(keys[i], name, labels[i]);
+ free(labels[i]);
}
} else {
if ((r = sshbuf_put_u8(msg, SSH_AGENT_FAILURE)) != 0)
if ((r = sshbuf_put_u32(msg, -nkeys)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
}
- free(keys);
+ free(labels);
+ free(keys); /* keys themselves are transferred to pkcs11_keylist */
free(pin);
free(name);
send_msg(msg);
-/* $OpenBSD: ssh-pkcs11.c,v 1.46 2019/10/01 10:22:53 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.47 2020/01/25 00:03:36 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
* Copyright (c) 2014 Pedro Martelletto. All rights reserved.
return (key);
}
-static struct sshkey *
+static int
pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
- CK_OBJECT_HANDLE *obj)
+ CK_OBJECT_HANDLE *obj, struct sshkey **keyp, char **labelp)
{
CK_ATTRIBUTE cert_attr[3];
CK_SESSION_HANDLE session;
CK_FUNCTION_LIST *f = NULL;
CK_RV rv;
X509 *x509 = NULL;
+ X509_NAME *x509_name = NULL;
EVP_PKEY *evp;
RSA *rsa = NULL;
#ifdef OPENSSL_HAS_ECC
#ifdef HAVE_EC_KEY_METHOD_NEW
int nid;
#endif
- const u_char *cp;
+ const u_char *cp;
+ char *subject = NULL;
+
+ *keyp = NULL;
+ *labelp = NULL;
memset(&cert_attr, 0, sizeof(cert_attr));
cert_attr[0].type = CKA_ID;
rv = f->C_GetAttributeValue(session, *obj, cert_attr, 3);
if (rv != CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
- return (NULL);
+ return -1;
}
/*
if (cert_attr[1].ulValueLen == 0 ||
cert_attr[2].ulValueLen == 0) {
error("invalid attribute length");
- return (NULL);
+ return -1;
}
/* allocate buffers for attributes */
rv = f->C_GetAttributeValue(session, *obj, cert_attr, 3);
if (rv != CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
- goto fail;
+ goto out;
}
- x509 = X509_new();
- if (x509 == NULL) {
- error("x509_new failed");
- goto fail;
- }
+ /* Decode DER-encoded cert subject */
+ cp = cert_attr[2].pValue;
+ if ((x509_name = d2i_X509_NAME(NULL, &cp,
+ cert_attr[1].ulValueLen)) == NULL ||
+ (subject = X509_NAME_oneline(x509_name, NULL, 0)) == NULL)
+ subject = xstrdup("invalid subject");
+ X509_NAME_free(x509_name);
cp = cert_attr[2].pValue;
- if (d2i_X509(&x509, &cp, cert_attr[2].ulValueLen) == NULL) {
+ if ((x509 = d2i_X509(NULL, &cp, cert_attr[2].ulValueLen)) == NULL) {
error("d2i_x509 failed");
- goto fail;
+ goto out;
}
- evp = X509_get_pubkey(x509);
- if (evp == NULL) {
+ if ((evp = X509_get_pubkey(x509)) == NULL) {
error("X509_get_pubkey failed");
- goto fail;
+ goto out;
}
if (EVP_PKEY_base_id(evp) == EVP_PKEY_RSA) {
if (EVP_PKEY_get0_RSA(evp) == NULL) {
error("invalid x509; no rsa key");
- goto fail;
+ goto out;
}
if ((rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(evp))) == NULL) {
error("RSAPublicKey_dup failed");
- goto fail;
+ goto out;
}
if (pkcs11_rsa_wrap(p, slotidx, &cert_attr[0], rsa))
- goto fail;
+ goto out;
key = sshkey_new(KEY_UNSPEC);
if (key == NULL) {
error("sshkey_new failed");
- goto fail;
+ goto out;
}
key->rsa = rsa;
} else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
error("invalid x509; no ec key");
- goto fail;
+ goto out;
}
if ((ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(evp))) == NULL) {
error("EC_KEY_dup failed");
- goto fail;
+ goto out;
}
nid = sshkey_ecdsa_key_to_nid(ec);
if (nid < 0) {
error("couldn't get curve nid");
- goto fail;
+ goto out;
}
if (pkcs11_ecdsa_wrap(p, slotidx, &cert_attr[0], ec))
- goto fail;
+ goto out;
key = sshkey_new(KEY_UNSPEC);
if (key == NULL) {
error("sshkey_new failed");
- goto fail;
+ goto out;
}
key->ecdsa = ec;
key->flags |= SSHKEY_FLAG_EXT;
ec = NULL; /* now owned by key */
#endif /* HAVE_EC_KEY_METHOD_NEW */
- } else
+ } else {
error("unknown certificate key type");
-
-fail:
+ goto out;
+ }
+ out:
for (i = 0; i < 3; i++)
free(cert_attr[i].pValue);
X509_free(x509);
#ifdef OPENSSL_HAS_ECC
EC_KEY_free(ec);
#endif
-
- return (key);
+ if (key == NULL) {
+ free(subject);
+ return -1;
+ }
+ /* success */
+ *keyp = key;
+ *labelp = subject;
+ return 0;
}
#if 0
*/
static int
pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx,
- struct sshkey ***keysp, int *nkeys)
+ struct sshkey ***keysp, char ***labelsp, int *nkeys)
{
struct sshkey *key = NULL;
CK_OBJECT_CLASS key_class;
CK_OBJECT_HANDLE obj;
CK_ULONG n = 0;
int ret = -1;
+ char *label;
memset(&key_attr, 0, sizeof(key_attr));
memset(&obj, 0, sizeof(obj));
goto fail;
}
+ key = NULL;
+ label = NULL;
switch (ck_cert_type) {
case CKC_X_509:
- key = pkcs11_fetch_x509_pubkey(p, slotidx, &obj);
+ if (pkcs11_fetch_x509_pubkey(p, slotidx, &obj,
+ &key, &label) != 0) {
+ error("failed to fetch key");
+ continue;
+ }
break;
default:
- /* XXX print key type? */
- key = NULL;
- error("skipping unsupported certificate type");
- }
-
- if (key == NULL) {
- error("failed to fetch key");
+ error("skipping unsupported certificate type %lu",
+ ck_cert_type);
continue;
}
*keysp = xrecallocarray(*keysp, *nkeys,
*nkeys + 1, sizeof(struct sshkey *));
(*keysp)[*nkeys] = key;
+ if (labelsp != NULL) {
+ *labelsp = xrecallocarray(*labelsp, *nkeys,
+ *nkeys + 1, sizeof(char *));
+ (*labelsp)[*nkeys] = xstrdup((char *)label);
+ }
*nkeys = *nkeys + 1;
debug("have %d keys", *nkeys);
}
*/
static int
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
- struct sshkey ***keysp, int *nkeys)
+ struct sshkey ***keysp, char ***labelsp, int *nkeys)
{
struct sshkey *key = NULL;
CK_OBJECT_CLASS key_class;
- CK_ATTRIBUTE key_attr[1];
+ CK_ATTRIBUTE key_attr[2];
CK_SESSION_HANDLE session;
CK_FUNCTION_LIST *f = NULL;
CK_RV rv;
while (1) {
CK_KEY_TYPE ck_key_type;
+ CK_UTF8CHAR label[256];
rv = f->C_FindObjects(session, &obj, 1, &n);
if (rv != CKR_OK) {
key_attr[0].type = CKA_KEY_TYPE;
key_attr[0].pValue = &ck_key_type;
key_attr[0].ulValueLen = sizeof(ck_key_type);
+ key_attr[1].type = CKA_LABEL;
+ key_attr[1].pValue = &label;
+ key_attr[1].ulValueLen = sizeof(label) - 1;
- rv = f->C_GetAttributeValue(session, obj, key_attr, 1);
+ rv = f->C_GetAttributeValue(session, obj, key_attr, 2);
if (rv != CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
goto fail;
}
+ label[key_attr[1].ulValueLen] = '\0';
+
switch (ck_key_type) {
case CKK_RSA:
key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
*keysp = xrecallocarray(*keysp, *nkeys,
*nkeys + 1, sizeof(struct sshkey *));
(*keysp)[*nkeys] = key;
+ if (labelsp != NULL) {
+ *labelsp = xrecallocarray(*labelsp, *nkeys,
+ *nkeys + 1, sizeof(char *));
+ (*labelsp)[*nkeys] = xstrdup((char *)label);
+ }
*nkeys = *nkeys + 1;
debug("have %d keys", *nkeys);
}
* keyp is provided, fetch keys.
*/
static int
-pkcs11_register_provider(char *provider_id, char *pin, struct sshkey ***keyp,
+pkcs11_register_provider(char *provider_id, char *pin,
+ struct sshkey ***keyp, char ***labelsp,
struct pkcs11_provider **providerp, CK_ULONG user)
{
int nkeys, need_finalize = 0;
if (keyp != NULL)
*keyp = NULL;
+ if (labelsp != NULL)
+ *labelsp = NULL;
if (pkcs11_provider_lookup(provider_id) != NULL) {
debug("%s: provider already registered: %s",
if ((ret = pkcs11_open_session(p, i, pin, user)) != 0 ||
keyp == NULL)
continue;
- pkcs11_fetch_keys(p, i, keyp, &nkeys);
- pkcs11_fetch_certs(p, i, keyp, &nkeys);
+ pkcs11_fetch_keys(p, i, keyp, labelsp, &nkeys);
+ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys);
if (nkeys == 0 && !p->slotinfo[i].logged_in &&
pkcs11_interactive) {
/*
error("login failed");
continue;
}
- pkcs11_fetch_keys(p, i, keyp, &nkeys);
- pkcs11_fetch_certs(p, i, keyp, &nkeys);
+ pkcs11_fetch_keys(p, i, keyp, labelsp, &nkeys);
+ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys);
}
}
* fails if provider already exists
*/
int
-pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp)
+pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp,
+ char ***labelsp)
{
struct pkcs11_provider *p = NULL;
int nkeys;
- nkeys = pkcs11_register_provider(provider_id, pin, keyp, &p, CKU_USER);
+ nkeys = pkcs11_register_provider(provider_id, pin, keyp, labelsp,
+ &p, CKU_USER);
/* no keys found or some other error, de-register provider */
if (nkeys <= 0 && p != NULL) {
if ((p = pkcs11_provider_lookup(provider_id)) != NULL)
debug("%s: provider \"%s\" available", __func__, provider_id);
- else if ((ret = pkcs11_register_provider(provider_id, pin, NULL, &p,
- CKU_SO)) < 0) {
+ else if ((ret = pkcs11_register_provider(provider_id, pin, NULL, NULL,
+ &p, CKU_SO)) < 0) {
debug("%s: could not register provider %s", __func__,
provider_id);
goto out;
if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
debug("%s: using provider \"%s\"", __func__, provider_id);
- } else if (pkcs11_register_provider(provider_id, pin, NULL, &p,
+ } else if (pkcs11_register_provider(provider_id, pin, NULL, NULL, &p,
CKU_SO) < 0) {
debug("%s: could not register provider %s", __func__,
provider_id);
projects / thirdparty / openssh-portable.git / commitdiff
