pkcs11: use the same initialization code for provider
authorDaiki Ueno <ueno@gnu.org>
Tue, 16 Sep 2025 08:57:24 +0000 (17:57 +0900)
committerDaiki Ueno <ueno@gnu.org>
Fri, 19 Sep 2025 05:19:37 +0000 (14:19 +0900)
This makes the pkcs11-provider code use the thread-safe module
initialization code introduced in commit
aa5f15a872e62e54abe58624ee393e68d1faf689. As the mechanism works over
p11-kit managed modules, this switches the "path" config option to
using PKCS#11 URI, through the "url" keyword.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
doc/cha-config.texi
lib/global.c
lib/gnutls_int.h
lib/pkcs11/p11_provider.c
lib/priority.c
tests/pkcs11-provider/test-pkcs11-provider.sh

index 25ff0edaf3016d886affb9a1d22a790a1f15d6ea..8a9df42b481133b01fdfa7e1b4932cf03294834f 100644 (file)
@@ -313,10 +313,10 @@ and override the default cryptographic backend of the library with the
 cryptographic functions provided by the module.
 
 A PKCS#11 module can be configured to serve as cryptographic backend by adding
-@code{path} and @code{pin} in the @code{[provider]} section.
+@code{url} and @code{pin} in the @code{[provider]} section.
 
 @itemize
-@item @code{path}: path to the PKCS#11 module.
+@item @code{url}: URL of the PKCS#11 module.
 @item @code{pin}: PIN for logging into the PKCS#11 token.
 @end itemize
 
@@ -327,6 +327,6 @@ Note that the module has to be initialized first.
 
 @example
 [provider]
-path = /usr/lib64/pkcs11/libkryoptic_pkcs11.so
+url = pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token
 pin = 1234
 @end example
index feda32eb32fe0445c22581a78fc5bac9af2b6917..03947cf7bcfbb308abcfb86eefde2f3d6b2da3ee 100644 (file)
@@ -249,7 +249,7 @@ static int _gnutls_global_init(unsigned constructor)
        int level;
        const char *e;
 #if defined(ENABLE_PKCS11) && defined(ENABLE_FIPS140)
-       const char *p11_provider_path = NULL;
+       const char *p11_provider_url = NULL;
        const char *p11_provider_pin = NULL;
 #endif
 
@@ -411,11 +411,11 @@ static int _gnutls_global_init(unsigned constructor)
        _gnutls_prepare_to_load_system_priorities();
 
 #if defined(ENABLE_PKCS11) && defined(ENABLE_FIPS140)
-       p11_provider_path = _gnutls_config_get_p11_provider_path();
+       p11_provider_url = _gnutls_config_get_p11_provider_url();
        p11_provider_pin = _gnutls_config_get_p11_provider_pin();
 
-       if (res == 1 && p11_provider_path != NULL) {
-               ret = _p11_provider_init(p11_provider_path,
+       if (res == 1 && p11_provider_url != NULL) {
+               ret = _p11_provider_init(p11_provider_url,
                                         (const uint8_t *)p11_provider_pin,
                                         strlen(p11_provider_pin));
                if (ret < 0) {
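Review bot: The new guard `if (res == 1 && p11_provider_url != NULL)` still lets execution reach `strlen(p11_provider_pin)` two lines below when only `url` is set in the `[provider]` section; the two keys are parsed independently in lib/priority.c, so `_gnutls_config_get_p11_provider_pin()` presumably returns NULL in that case, and strlen(NULL) is undefined behaviour. Either extend the guard, `if (res == 1 && p11_provider_url != NULL && p11_provider_pin != NULL) {`, or, if a token without a PIN is meant to be usable, pass `p11_provider_pin ? strlen(p11_provider_pin) : 0` and let `_p11_provider_init` handle an empty pin. `_gnutls_global_init` begins and ends outside this hunk.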
index f3caea1170718a15303ad17f07dea4418c1ca31a..54d3c9f6726563e63d6f00f03da5d04b355eebcb 100644 (file)
@@ -1808,7 +1808,7 @@ extern unsigned int _gnutls_global_version;
 bool _gnutls_config_is_ktls_enabled(void);
 bool _gnutls_config_is_rsa_pkcs1_encrypt_allowed(void);
 int _gnutls_config_set_certificate_compression_methods(gnutls_session_t session);
-const char *_gnutls_config_get_p11_provider_path(void);
+const char *_gnutls_config_get_p11_provider_url(void);
 const char *_gnutls_config_get_p11_provider_pin(void);
 
 #endif /* GNUTLS_LIB_GNUTLS_INT_H */
index faf75d219df76f7ab502fc7441f806dcca65a0a6..c786d9fa8c1b8712aa908dea49f913bafd9d1f03 100644 (file)
 #include "p11_mac.h"
 #include "p11_provider.h"
 
-#define P11_KIT_FUTURE_UNSTABLE_API
-#include <p11-kit/iter.h>
-
 static struct {
        struct ck_function_list *module;
        ck_slot_id_t slot;
-       uint8_t *pin;
-       size_t pin_size;
+       gnutls_datum_t pin;
        bool initialized;
 } p11_provider;
 
-int _p11_provider_init(const char *module_path, const uint8_t *pin,
+int _p11_provider_init(const char *url, const uint8_t *pin_data,
                       size_t pin_size)
 {
        int ret;
-       ck_rv_t rv;
-       P11KitIter *iter = NULL;
-       struct ck_function_list *modules[2] = { 0 };
-       ck_slot_id_t slot = 0;
-       uint8_t *_pin = NULL;
+       struct p11_kit_uri *uinfo = NULL;
+       gnutls_datum_t pin = { NULL, 0 };
+       struct ck_function_list *module;
+       ck_slot_id_t slot;
 
        if (p11_provider.initialized)
                return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-       modules[0] = p11_kit_module_load(module_path, 0);
-       if (modules[0] == NULL)
-               return gnutls_assert_val(GNUTLS_E_PKCS11_LOAD_ERROR);
+       PKCS11_CHECK_INIT;
 
-       rv = p11_kit_module_initialize(modules[0]);
-       if (rv != CKR_OK) {
-               p11_kit_module_release(modules[0]);
-               return gnutls_assert_val(GNUTLS_E_PKCS11_ERROR);
-       }
+       uinfo = p11_kit_uri_new();
+       if (uinfo == NULL)
+               return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 
-       iter = p11_kit_iter_new(NULL, P11_KIT_ITER_WITH_TOKENS |
-                                             P11_KIT_ITER_WITHOUT_OBJECTS);
-       if (iter == NULL) {
-               ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-               goto error;
+       ret = p11_kit_uri_parse(url, P11_KIT_URI_FOR_TOKEN, uinfo);
+       if (ret != P11_KIT_URI_OK) {
+               ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+               goto cleanup;
        }
 
-       p11_kit_iter_begin(iter, modules);
-       rv = p11_kit_iter_next(iter);
-       if (rv != CKR_OK) {
-               ret = gnutls_assert_val(GNUTLS_E_PKCS11_ERROR);
-               goto error;
+       ret = _gnutls_set_datum(&pin, pin_data, pin_size);
+       if (ret < 0) {
+               gnutls_assert();
+               goto cleanup;
        }
 
-       slot = p11_kit_iter_get_slot(iter);
-       p11_kit_iter_free(iter);
-
-       _pin = gnutls_malloc(pin_size);
-       if (_pin == NULL) {
-               ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-               goto error;
+       ret = pkcs11_find_slot(&module, &slot, uinfo, NULL, NULL, NULL);
+       if (ret < 0) {
+               gnutls_assert();
+               goto cleanup;
        }
-       memcpy(_pin, pin, pin_size);
 
-       ret = _p11_ciphers_init(modules[0], slot);
+       ret = _p11_ciphers_init(module, slot);
        if (ret < 0) {
                gnutls_assert();
-               goto error;
+               goto cleanup;
        }
 
-       ret = _p11_macs_init(modules[0], slot);
+       ret = _p11_macs_init(module, slot);
        if (ret < 0) {
                gnutls_assert();
-               goto error;
+               goto cleanup;
        }
 
-       p11_provider.module = modules[0];
+       p11_provider.module = module;
        p11_provider.slot = slot;
-       p11_provider.pin = _pin;
-       p11_provider.pin_size = pin_size;
+       p11_provider.pin = _gnutls_steal_datum(&pin);
        p11_provider.initialized = true;
        return 0;
 
-error:
-       if (iter != NULL)
-               p11_kit_iter_free(iter);
-       gnutls_free(_pin);
-       p11_kit_module_finalize(modules[0]);
-       p11_kit_module_release(modules[0]);
-       _p11_ciphers_deinit();
-       _p11_macs_deinit();
+cleanup:
+       p11_kit_uri_free(uinfo);
+       _gnutls_free_key_datum(&pin);
        return ret;
 }
 
@@ -121,12 +100,11 @@ void _p11_provider_deinit(void)
        if (!p11_provider.initialized)
                return;
 
-       gnutls_free(p11_provider.pin);
-       p11_kit_module_finalize(p11_provider.module);
-       p11_kit_module_release(p11_provider.module);
-       memset(&p11_provider, 0, sizeof(p11_provider));
        _p11_ciphers_deinit();
        _p11_macs_deinit();
+
+       _gnutls_free_key_datum(&p11_provider.pin);
+       p11_provider.initialized = false;
 }
 
 bool _p11_provider_is_initialized(void)
@@ -145,8 +123,9 @@ ck_session_handle_t _p11_provider_open_session(void)
        if (rv != CKR_OK)
                return CK_INVALID_HANDLE;
 
-       rv = p11_provider.module->C_Login(session, CKU_USER, p11_provider.pin,
-                                         p11_provider.pin_size);
+       rv = p11_provider.module->C_Login(session, CKU_USER,
+                                         p11_provider.pin.data,
+                                         p11_provider.pin.size);
        if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
                p11_provider.module->C_CloseSession(session);
                return CK_INVALID_HANDLE;
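Review bot: In `_p11_provider_init` the `uinfo` allocated by `p11_kit_uri_new()` is freed only under the `cleanup:` label, and the success path does `return 0;` before reaching it, so every successful initialisation leaks the parsed URI. The same `cleanup:` block also drops the `_p11_ciphers_deinit()` / `_p11_macs_deinit()` calls the removed `error:` label made, so when `_p11_ciphers_init` succeeds but `_p11_macs_init` fails the cipher registrations stay in place while `initialized` remains false; the removed path called both unconditionally, so they appear to tolerate a not-yet-initialised state. Free `uinfo` on the success path as well and restore the two deinit calls on the failure path, keeping the success return separate so the stolen `pin` datum is not touched again.
```c
	/* … unchanged: URI parsing, pin copy, slot lookup, cipher and MAC init … */
	p11_provider.pin = _gnutls_steal_datum(&pin);
	p11_provider.initialized = true;
	p11_kit_uri_free(uinfo);
	return 0;

cleanup:
	/* undo whichever of the two registrations already succeeded,
	 * as the previous error path did */
	_p11_ciphers_deinit();
	_p11_macs_deinit();
	p11_kit_uri_free(uinfo);
	_gnutls_free_key_datum(&pin);
	return ret;
```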
index 25a2de95a80c5def6a6cf66c8e4c8fa40fd6d2be..e705158a7191e3e03dd5e4345ecc53899885c5ee 100644 (file)
@@ -1022,7 +1022,7 @@ struct cfg {
        gnutls_compression_method_t
                cert_comp_algs[MAX_COMPRESS_CERTIFICATE_METHODS + 1];
 
-       char *p11_provider_path;
+       char *p11_provider_url;
        char *p11_provider_pin;
 
        ext_master_secret_t force_ext_master_secret;
@@ -1042,7 +1042,7 @@ static inline void cfg_deinit(struct cfg *cfg)
        }
        gnutls_free(cfg->priority_string);
        gnutls_free(cfg->default_priority_string);
-       gnutls_free(cfg->p11_provider_path);
+       gnutls_free(cfg->p11_provider_url);
        gnutls_free(cfg->p11_provider_pin);
 }
 
@@ -1144,8 +1144,8 @@ static inline void cfg_steal(struct cfg *dst, struct cfg *src)
        dst->default_priority_string = src->default_priority_string;
        src->default_priority_string = NULL;
 
-       dst->p11_provider_path = src->p11_provider_path;
-       src->p11_provider_path = NULL;
+       dst->p11_provider_url = src->p11_provider_url;
+       src->p11_provider_url = NULL;
 
        dst->p11_provider_pin = src->p11_provider_pin;
        src->p11_provider_pin = NULL;
@@ -1620,15 +1620,15 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name,
                if (ret < 0)
                        return 0;
        } else if (c_strcasecmp(section, PROVIDER_SECTION) == 0) {
-               if (c_strcasecmp(name, "path") == 0) {
-                       gnutls_free(cfg->p11_provider_path);
-                       cfg->p11_provider_path = NULL;
+               if (c_strcasecmp(name, "url") == 0) {
+                       gnutls_free(cfg->p11_provider_url);
+                       cfg->p11_provider_url = NULL;
                        p = clear_spaces(value, str);
                        _gnutls_debug_log(
-                               "cfg: adding pkcs11 provider path %s\n", p);
+                               "cfg: adding pkcs11 provider url %s\n", p);
                        if (strlen(p) > 0) {
-                               cfg->p11_provider_path = gnutls_strdup(p);
-                               if (cfg->p11_provider_path == NULL) {
+                               cfg->p11_provider_url = gnutls_strdup(p);
+                               if (cfg->p11_provider_url == NULL) {
                                        _gnutls_debug_log(
                                                "cfg: failed setting pkcs11 provider path\n");
                                        return 0;
@@ -4095,9 +4095,9 @@ int _gnutls_config_set_certificate_compression_methods(gnutls_session_t session)
        return 0;
 }
 
-const char *_gnutls_config_get_p11_provider_path(void)
+const char *_gnutls_config_get_p11_provider_url(void)
 {
-       return system_wide_config.p11_provider_path;
+       return system_wide_config.p11_provider_url;
 }
 
 const char *_gnutls_config_get_p11_provider_pin(void)
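Review bot: The failure message `"cfg: failed setting pkcs11 provider path\n"` in the `cfg_ini_handler` hunk was left behind by the rename, while the debug line just above it now reads `"cfg: adding pkcs11 provider url %s\n"`; change it to `"cfg: failed setting pkcs11 provider url\n"` so both messages for the same config key agree. `cfg_ini_handler` begins and ends outside the hunk.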
index 3c867b68826286b8250ffdda0379c6f8d7427e60..69f4284d462023f71ee9db5bc6e4545ed67637ff 100755 (executable)
@@ -50,7 +50,7 @@ cat >"${PRIORITY_FILE}" <<_EOF_
 allow-rsa-pkcs1-encrypt = true
 
 [provider]
-path = ${MODULE}
+url = pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token
 pin = ${PIN}
 _EOF_