--- /dev/null
+
+ BIND-9 PKCS#11 support
+
+Prerequisite
+
+The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
+released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
+and some improvements, including user friendly PIN management. You may also
+use the original engine code.
+
+Compilation
+
+"configure --with-pkcs11 ..."
+
+PKCS#11 Libraries
+
+Tested with Solaris one with a SCA board and with openCryptoki with the
+software token. Known to work on Linux and Windows 2003 server so
+should work on most operating systems. For AEP Keyper or any device used
+only for its protected key store, please switch to the sign-only engine.
+
+OpenSSL Engines
+
+With PKCS#11 support the PKCS#11 engine is statically loaded but at its
+initialization it dynamically loads the PKCS#11 objects.
+Even the pre commands are therefore unused they are defined with:
+ SO_PATH:
+ define: PKCS11_SO_PATH
+ default: /usr/local/lib/engines/engine_pkcs11.so
+ MODULE_PATH:
+ define: PKCS11_MODULE_PATH
+ default: /usr/lib/libpkcs11.so
+Without PKCS#11 support, a specific OpenSSL engine can be still used
+by defining ENGINE_ID at compile time.
+
+PKCS#11 tools
+
+The contrib/pkcs11-keygen directory contains a set of experimental tools
+to handle keys stored in a Hardware Security Module at the benefit of BIND.
+
+The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
+for the way to use it (these are the original notes so with the original
+path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
+a operating system which is not Solaris.)
+
+Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
+are functional.
+
+PIN management
+
+With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
+each time it is required. With the improved engine, the PIN should be
+entered the first time it is required or can be configured in the
+OpenSSL configuration file (aka. openssl.cnf) by adding in it:
+ - at the beginning:
+ openssl_conf = openssl_def
+ - at any place these sections:
+ [ openssl_def ]
+ engines = engine_section
+ [ engine_section ]
+ pkcs11 = pkcs11_section
+ [ pkcs11_section ]
+ PIN = put__your__pin__value__here
+
+Slot management
+
+The engine tries to use the first best slot but it is recommended
+to simply use the slot 0 (usual default, meta-slot on Solaris).
+
+Sign-only engine
+
+openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
+a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
+has only the useful functions (i.e., signature with a RSA private
+key in the device protected key store and key loading).
+
+This engine should be used with a device which provides mainly
+a protected store and no acceleration. AEP Keyper is an example
+of such a device (BTW with the fully capable engine, key export
+must be enabled on this device and this configuration is not yet
+supported).
+
+Original engine
+
+If you are using the original engine and getpassphrase() is not defined, add:
+#define getpassphrase(x) getpass(x)
+in openssl.../crypto/engine/hw_pk11_pub.c
+
+Notes
+
+Some names here are registered trademarks, at least Solaris is a trademark
+of Sun Microsystems Inc...
+Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
+The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
--- /dev/null
+Moved to ${top}/bin/pkcs11
+++ /dev/null
-/* destroyobj [-s $slot] [-i $id | -l $label] [-p $pin] */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-#include <opencryptoki/pkcs11.h>
-
-int
-main(int argc, char *argv[])
-{
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- CK_BYTE attr_id[2];
- CK_OBJECT_HANDLE akey[50];
- char *label = NULL;
- int error = 0;
- int id = 0, i = 0;
- int c, errflg = 0;
- CK_ULONG ulObjectCount;
- CK_ATTRIBUTE search_template[] = {
- {CKA_ID, &attr_id, sizeof(attr_id)}
- };
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":s:i:l:p:")) != -1) {
- switch (c) {
- case 's':
- slot = atoi(optarg);
- break;
- case 'i':
- id = atoi(optarg);
- id &= 0xffff;
- break;
- case 'l':
- label = optarg;
- break;
- case 'p':
- pin = (CK_UTF8CHAR *)optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if (errflg || ((!id) && (!label))) {
- fprintf(stderr,
- "usage: destroykey [-s slot] [-i id | -l label] [-p pin]\n");
- exit(1);
- }
- if (id) {
- printf("id %i\n", id);
- attr_id[0] = (id >> 8) & 0xff;
- attr_id[1] = id & 0xff;
- } else if (label) {
- printf("label %s\n", label);
- search_template[0].type = CKA_LABEL;
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen(label);
- }
-
- /* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_program;
- }
-
- /* Login to the Token (Keystore) */
- if (!pin)
-#ifndef HAVE_GETPASS
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
- pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- rv = C_FindObjectsInit(hSession, search_template,
- ((id != 0) || (label != NULL)) ? 1 : 0);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
-
- for (i = 0; i < ulObjectCount; i++) {
- CK_OBJECT_CLASS oclass = 0;
- CK_BYTE labelbuf[64 + 1];
- CK_BYTE idbuf[64];
- CK_ATTRIBUTE attr_template[] = {
- {CKA_CLASS, &oclass, sizeof(oclass)},
- {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
- {CKA_ID, idbuf, sizeof(idbuf)}
- };
- int j, len;
-
- memset(labelbuf, 0, sizeof(labelbuf));
- memset(idbuf, 0, sizeof(idbuf));
-
- rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
- error = 1;
- goto exit_search;
- }
- len = attr_template[2].ulValueLen;
- printf("object[%d]: class %d label '%s' id[%u] ",
- i, oclass, labelbuf, attr_template[2].ulValueLen);
- if (len > 4)
- len = 4;
- for (j = 0; j < len; j++)
- printf("%02x", idbuf[j]);
- if (attr_template[2].ulValueLen > len)
- printf("...\n");
- else
- printf("\n");
- }
-
- /* give a chance to kill this */
- printf("sleeping 5 seconds...\n");
- sleep(5);
-
- for (i = 0; i < ulObjectCount; i++) {
- rv = C_DestroyObject(hSession, akey[i]);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_DestroyObject[%d]: rv = 0x%.8X\n", i, rv);
- error = 1;
- }
- }
-
- exit_search:
- rv = C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_session:
- (void) C_CloseSession(hSession);
-
- exit_program:
- (void) C_Finalize(NULL_PTR);
-
- exit(error);
-}
+++ /dev/null
-/* genkey - pkcs11 rsa key generator
- *
- * create RSASHA1 key in the keystore of an SCA6000
- * The calculation of key tag is left to the script
- * that converts the key into a DNSKEY RR and inserts
- * it into a zone file.
- *
- * usage:
- * genkey [-P] [-s slot] -b keysize -l label [-p pin]
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-#include <opencryptoki/pkcs11.h>
-
-/* Define static key template values */
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-int
-main(int argc, char *argv[])
-{
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_MECHANISM genmech;
- CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- CK_ULONG modulusbits = 0;
- CK_CHAR *label = NULL;
- CK_OBJECT_HANDLE privatekey, publickey;
- CK_BYTE public_exponent[3];
- int error = 0;
- int i = 0;
- int c, errflg = 0;
- int hide = 1;
- CK_ULONG ulObjectCount;
- /* Set search template */
- CK_ATTRIBUTE search_template[] = {
- {CKA_LABEL, NULL_PTR, 0}
- };
- CK_ATTRIBUTE publickey_template[] = {
- {CKA_LABEL, NULL_PTR, 0},
- {CKA_VERIFY, &truevalue, sizeof (truevalue)},
- {CKA_TOKEN, &truevalue, sizeof (truevalue)},
- {CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)},
- {CKA_PUBLIC_EXPONENT, &public_exponent, sizeof (public_exponent)}
- };
- CK_ATTRIBUTE privatekey_template[] = {
- {CKA_LABEL, NULL_PTR, 0},
- {CKA_SIGN, &truevalue, sizeof (truevalue)},
- {CKA_TOKEN, &truevalue, sizeof (truevalue)},
- {CKA_PRIVATE, &truevalue, sizeof (truevalue)},
- {CKA_SENSITIVE, &truevalue, sizeof (truevalue)},
- {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)}
- };
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":Ps:b:i:l:p:")) != -1) {
- switch (c) {
- case 'P':
- hide = 0;
- break;
- case 's':
- slot = atoi(optarg);
- break;
- case 'b':
- modulusbits = atoi(optarg);
- break;
- case 'l':
- label = (CK_CHAR *)optarg;
- break;
- case 'p':
- pin = (CK_UTF8CHAR *)optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if ((errflg) || (!modulusbits) || (!label)) {
- fprintf(stderr,
- "usage: genkey [-P] [-s slot] -b keysize -l label [-p pin]\n");
- exit(2);
- }
-
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen((char *)label);
- publickey_template[0].pValue = label;
- publickey_template[0].ulValueLen = strlen((char *)label);
- privatekey_template[0].pValue = label;
- privatekey_template[0].ulValueLen = strlen((char *)label);
-
- /* Set public exponent to 65537 */
- public_exponent[0] = 0x01;
- public_exponent[1] = 0x00;
- public_exponent[2] = 0x01;
-
- /* Set up mechanism for generating key pair */
- genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
- genmech.pParameter = NULL_PTR;
- genmech.ulParameterLen = 0;
-
- /* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
-
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
-
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_program;
- }
-
- /* Login to the Token (Keystore) */
- if (!pin)
-#ifndef HAVE_GETPASS
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
- pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- /* check if a key with the same id already exists */
- rv = C_FindObjectsInit(hSession, search_template, 1);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
- rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
- if (ulObjectCount != 0) {
- fprintf(stderr, "Key already exists.\n");
- error = 1;
- goto exit_search;
- }
-
- /* Set attributes if the key is not to be hidden */
- if (!hide) {
- privatekey_template[4].pValue = &falsevalue;
- privatekey_template[5].pValue = &truevalue;
- }
-
- /* Generate Key pair for signing/verifying */
- rv = C_GenerateKeyPair(hSession, &genmech, publickey_template,
- (sizeof (publickey_template) /
- sizeof (CK_ATTRIBUTE)),
- privatekey_template,
- (sizeof (privatekey_template) /
- sizeof (CK_ATTRIBUTE)),
- &publickey, &privatekey);
-
- if (rv != CKR_OK) {
- fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_search:
- rv = C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_session:
- (void) C_CloseSession(hSession);
-
- exit_program:
- (void) C_Finalize(NULL_PTR);
-
- exit(error);
-}
+++ /dev/null
-#!/usr/bin/bash
-
-usage="Usage: $0 -z zone -x ext -p pin -b bits -e engine [-f] -k key_path"
-tmp_file=/tmp/cur_key.$$
-while getopts ":z:x:p:t:k:b:e:f" opt; do
- case $opt in
- z ) zone=$OPTARG ;;
- x ) ext=$OPTARG ;;
- p ) pin=$OPTARG ;;
- t ) id=$OPTARG ;;
- f ) flag="ksk" ;;
- e ) engine=$OPTARG ;;
- b ) bits=$OPTARG ;;
- k ) key_path=$OPTARG ;;
- \? ) echo $usage
- exit 1 ;;
- esac
-done
-shift $(($OPTIND -1))
-
-if [ ! "$zone" -o ! "$ext" -o ! "$pin" -o ! "$engine" -o ! "$bits" -o ! "$key_path" ] ; then
- echo $usage
- exit 1
-fi
-
-if [ "$flag" ] ; then
- label="$zone,$flag,$ext"
-else
- label="$zone,zsk,$ext"
-fi
-
-# for testing
-mypath=.
-
-echo "Generating key"
-$mypath/genkey -b $bits -l $label -p $pin
-if [ $? -ne 0 ] ; then exit 1 ; fi
-
-echo "Exporting public key"
-$mypath/PEM_write_pubkey -e $engine -p $pin -k pkcs11:$label -f $tmp_file
-if [ $? -ne 0 ] ; then exit 1 ; fi
-
-echo "Generating DNSKEY RR"
-if [ "$flag" ] ; then
- keytag=`$mypath/keyconv.pl -a 5 -k -e $engine -l $label -p $key_path -i $tmp_file $zone`
-else
- keytag=`$mypath/keyconv.pl -a 5 -e $engine -l $label -p $key_path -i $tmp_file $zone`
-fi
-
-if [ ! $keytag ] ; then rm $tmp_file; exit 1 ; fi
-
-echo "Set key id"
-$mypath/set_key_id -l $label -n $keytag -p $pin
-
-rm $tmp_file
+++ /dev/null
-#!/usr/bin/perl -w
-
-use strict;
-use Crypt::OpenSSL::RSA;
-use Getopt::Std;
-use MIME::Base64;
-use Net::DNS;
-use Net::DNS::SEC;
-
-my %option;
-getopts('a:e:i:l:p:hk',\%option);
-
-die "usage: keyconv.pl [-a alg] [-k (to indicate KSK)] -e engine -l label [-p (path to store key)] -i filename domainname\n" if $option{h} || (not defined $option{i}) || (not defined $option{e}) || (not defined $option{l});
-
-# The default path is local.
-$option{p} || ($option{p}="./");
-
-# The default algorithm is 5.
-$option{a} || ($option{a}=5);
-
-$option{k} || ($option{k}=0);
-
-# The algorithm is either 5 or 133.
-$option{a}==5 || $option{a}==133 || die "algorithm must be 5 or 133\n";
-
-# standard flags (value is 256) plus optionally the KSK flag.
-my $flags=(256 + $option{k});
-
-open(PFILE, $option{i});
- my @fc = <PFILE>;
-close(PFILE);
-
-my $rsa = Crypt::OpenSSL::RSA->new_public_key(join "", @fc);
-
-my ($m,$e)= $rsa->get_key_parameters;
-
-(my $l=pack("Cn",0,length($e->to_bin))) =~ s/^\000{2}//;
-
-my $rrkey=$l.$e->to_bin.$m->to_bin;
-my $keystr = $ARGV[0]. ". IN DNSKEY $flags 3 $option{a} ".encode_base64($rrkey,"");
-my $keyrr = Net::DNS::RR->new($keystr);
-
-open(PFILE, "> $option{p}/K".$ARGV[0].".+".sprintf("%03d",$option{a})."+".$keyrr->keytag.".key");
-print PFILE $ARGV[0], ". IN DNSKEY $flags 3 $option{a} ",encode_base64($rrkey,"")."\n";
-close(PFILE);
-
-open(PFILE, "> $option{p}/K".$ARGV[0].".+".sprintf("%03d",$option{a})."+".$keyrr->keytag.".private");
-print PFILE "Private-key-format: v1.2\n";
-print PFILE "Algorithm: ", $option{a}, " (RSASHA1)\n";
-print PFILE "Modulus: ".encode_base64($m->to_bin,"")."\n";
-print PFILE "PublicExponent: ".encode_base64($e->to_bin,"")."\n";
-my $engine="";
-$engine=encode_base64($option{e}."\0","");
-print PFILE "Engine: ", $engine, "\n";
-my $label="";
-$option{k}==0 && ($label=encode_base64($option{e}.":".$option{l}."\0",""));
-$option{k}!=0 && ($label=encode_base64($option{e}.":".$option{l}."\0",""));
-print PFILE "Label: ", $label, "\n";
-close(PFILE);
-
-print $keyrr->keytag;
+++ /dev/null
-#!/usr/bin/perl -w
-
-use strict;
-use Getopt::Std;
-use Crypt::OpenSSL::RSA;
-use Net::DNS::SEC;
-
-my %option;
-getopts('k:p:o:h',\%option);
-
-$option{h} || (not defined $option{k}) || (not defined $option{p}) || (not defined $option{o}) && die "usage: keydump.pl -k Kxxx.key -p Kxxx.priv -o pem\n";
-
-my $rsa = Net::DNS::SEC::Private->new($option{p});
-
-open(PFILE, "> $option{o}");
-print PFILE $rsa->dump_rsa_private_der;
-close(PFILE);
-
-open(KFILE, "< $option{k}");
-my @fc = <KFILE>;
-close(KFILE);
-
-my $keyrr = Net::DNS::RR->new(join "", @fc);
-
-print $keyrr->flags;
-
+++ /dev/null
-/* listobjs [-P] [-s slot] [-i $id | -l $label] [-p $pin] */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-#include <opencryptoki/pkcs11.h>
-
-int
-main(int argc, char *argv[])
-{
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- CK_BYTE attr_id[2];
- CK_OBJECT_HANDLE akey[50];
- char *label = NULL;
- int error = 0, public = 0, all = 0;
- int i = 0, id = 0;
- int c, errflg = 0;
- CK_ULONG ulObjectCount;
- CK_ATTRIBUTE search_template[] = {
- {CKA_ID, &attr_id, sizeof(attr_id)}
- };
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":s:i:l:p:P")) != -1) {
- switch (c) {
- case 'P':
- public = 1;
- break;
- case 's':
- slot = atoi(optarg);
- break;
- case 'i':
- id = atoi(optarg);
- id &= 0xffff;
- break;
- case 'l':
- label = optarg;
- break;
- case 'p':
- pin = (CK_UTF8CHAR *)optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if (errflg) {
- fprintf(stderr,
- "usage: listobjs [-P] [-s slot] [-p pin] -i id | $label\n");
- exit(1);
- }
- if ((!id) && (!label))
- all = 1;
- if (slot)
- printf("slot %d\n", slot);
- if (id) {
- printf("id %i\n", id);
- attr_id[0] = (id >> 8) & 0xff;
- attr_id[1] = id & 0xff;
- } else if (label) {
- printf("label %s\n", label);
- search_template[0].type = CKA_LABEL;
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen(label);
- }
-
- /* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_program;
- }
-
- /* Login to the Token (Keystore) */
- if (!public) {
- if (!pin)
-#ifndef HAVE_GETPASS
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
- pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
- }
-
- rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- ulObjectCount = 1;
- while (ulObjectCount) {
- rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
-
- for (i = 0; i < ulObjectCount; i++) {
- CK_OBJECT_CLASS oclass = 0;
- CK_BYTE labelbuf[64 + 1];
- CK_BYTE idbuf[64];
- CK_ATTRIBUTE attr_template[] = {
- {CKA_CLASS, &oclass, sizeof(oclass)},
- {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
- {CKA_ID, idbuf, sizeof(idbuf)}
- };
- int j, len;
-
- memset(labelbuf, 0, sizeof(labelbuf));
- memset(idbuf, 0, sizeof(idbuf));
-
- rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
- if (rv = CKR_BUFFER_TOO_SMALL)
- fprintf(stderr, "%d too small: %u %u %u\n", i,
- attr_template[0].ulValueLen,
- attr_template[1].ulValueLen,
- attr_template[2].ulValueLen);
- error = 1;
- continue;
- }
-
- len = attr_template[2].ulValueLen;
- printf("object[%d]: handle %u class %d label[%u] '%s' id[%u] ",
- i, akey[i], oclass,
- attr_template[1].ulValueLen, labelbuf,
- attr_template[2].ulValueLen);
- if (len == 2) {
- id = (idbuf[0] << 8) & 0xff00;
- id |= idbuf[1] & 0xff;
- printf("%i\n", id);
- } else {
- if (len > 8)
- len = 8;
- for (j = 0; j < len; j++)
- printf("%02x", idbuf[j]);
- if (attr_template[2].ulValueLen > len)
- printf("...\n");
- else
- printf("\n");
- }
- }
- }
-
- exit_search:
- rv = C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_session:
- (void) C_CloseSession(hSession);
-
- exit_program:
- (void) C_Finalize(NULL_PTR);
-
- exit(error);
-}
+++ /dev/null
-/* readkey [-s $slot] -l $label [-p $pin] -f $filename */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-#include <opencryptoki/pkcs11.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-#include <openssl/pem.h>
-
-static CK_BBOOL truevalue = TRUE;
-
-int
-main(int argc, char *argv[])
-{
- RSA *rsa = NULL;
- FILE *fp;
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- char *label;
- CK_OBJECT_HANDLE key = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS kclass = CKO_PRIVATE_KEY;
- char *filename;
- int error = 0;
- int i = 0;
- int c, errflg = 0;
- CK_ULONG ulObjectCount;
- CK_ATTRIBUTE search_template[] = {
- {CKA_LABEL, NULL, 0},
- {CKA_TOKEN, &truevalue, sizeof (truevalue)},
- {CKA_CLASS, &kclass, sizeof (kclass)}
- };
- CK_BYTE id[32];
- CK_BYTE data[8][1024];
- CK_ATTRIBUTE attr_template[] = {
- {CKA_ID, &id, sizeof (id)},
- {CKA_MODULUS, (void *)data[0], 1024}, /* n */
- {CKA_PUBLIC_EXPONENT, (void *)data[1], 1024}, /* e */
- {CKA_PRIVATE_EXPONENT, (void *)data[2], 1024}, /* d */
- {CKA_PRIME_1, (void *)data[3], 1024}, /* p */
- {CKA_PRIME_2, (void *)data[4], 1024}, /* q */
- {CKA_EXPONENT_1, (void *)data[5], 1024}, /* dmp1 */
- {CKA_EXPONENT_2, (void *)data[6], 1024}, /* dmq1 */
- {CKA_COEFFICIENT, (void *)data[7], 1024} /* iqmp */
- };
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":s:l:p:f:")) != -1) {
- switch (c) {
- case 's':
- slot = atoi(optarg);
- break;
- case 'l':
- label = optarg;
- break;
- case 'p':
- pin = (CK_UTF8CHAR *)optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case 'f':
- filename = optarg;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if ((errflg) || (!label) || (!filename)) {
- fprintf(stderr,
- "usage: readkey [-s slot] -l label [-p pin] -f filename\n");
- exit(1);
- }
- if (slot)
- printf("slot %d\n", slot);
-
- /* Initialize OpenSSL library */
- OPENSSL_config(NULL);
- rsa = RSA_new();
- if (!rsa) {
- fprintf(stderr, "RSA_new failed\n");
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
- /* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
- if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
- fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_program;
- }
-
- /* Login to the Token (Keystore) */
- if (!pin)
-#ifndef HAVE_GETPASS
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
- pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- /* Set search template. */
- if (strstr(label, "pkcs11:") == label)
- label = strstr(label, ":") + 1;
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen(label);
-
- rv = C_FindObjectsInit(hSession, search_template, 3);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- rv = C_FindObjects(hSession, &key, 1, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
- if (ulObjectCount == 0) {
- fprintf(stderr, "C_FindObjects: can't find the key\n");
- error = 1;
- goto exit_search;
- }
-
- rv = C_GetAttributeValue(hSession, key, attr_template, 9);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_GetAttributeValue: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
-
- printf("ID[%u]=", attr_template[0].ulValueLen);
- for (i = 0; i < attr_template[0].ulValueLen; i++)
- printf("%02x", id[i]);
- printf("\n");
-
- if (attr_template[1].ulValueLen > 0)
- rsa->n = BN_bin2bn(data[0], attr_template[1].ulValueLen, NULL);
- if (attr_template[2].ulValueLen > 0)
- rsa->e = BN_bin2bn(data[1], attr_template[2].ulValueLen, NULL);
- if (attr_template[3].ulValueLen > 0)
- rsa->d = BN_bin2bn(data[2], attr_template[3].ulValueLen, NULL);
- if (attr_template[4].ulValueLen > 0)
- rsa->p = BN_bin2bn(data[3], attr_template[4].ulValueLen, NULL);
- if (attr_template[5].ulValueLen > 0)
- rsa->q = BN_bin2bn(data[4], attr_template[5].ulValueLen, NULL);
- if (attr_template[6].ulValueLen > 0)
- rsa->dmp1 = BN_bin2bn(data[5], attr_template[6].ulValueLen, NULL);
- if (attr_template[7].ulValueLen > 0)
- rsa->dmq1 = BN_bin2bn(data[6], attr_template[7].ulValueLen, NULL);
- if (attr_template[8].ulValueLen > 0)
- rsa->iqmp = BN_bin2bn(data[7], attr_template[8].ulValueLen, NULL);
-
- rv = C_FindObjects(hSession, &key, 1, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
- if (ulObjectCount != 0) {
- fprintf(stderr, "C_FindObjects: found extra keys?\n");
- error = 1;
- goto exit_search;
- }
-
- printf("RSA=");
- RSA_print_fp(stdout, rsa, 4);
-
- fp = fopen(filename, "w");
- if (fp == NULL) {
- printf("Error opening output file.\n");
- error = 1;
- goto exit_search;
- }
-
- if (!PEM_write_RSAPrivateKey(fp, rsa, NULL, NULL, 0, NULL, NULL)) {
- printf("Error writing output file.\n");
- ERR_print_errors_fp(stderr);
- error = 1;
- goto exit_search;
- }
-
- exit_search:
- rv = C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_session:
- (void) C_CloseSession(hSession);
-
- exit_program:
- (void) C_Finalize(NULL_PTR);
-
- exit(error);
-}
+++ /dev/null
-/* set_key_id [-s slot] [-p $pin] -n $keytag {-i $id | -l $label} */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-#include <opencryptoki/pkcs11.h>
-
-int
-main(int argc, char *argv[])
-{
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- CK_BYTE old_id[2], new_id[2];
- CK_OBJECT_HANDLE akey;
- int error = 0;
- int i = 0;
- int c, errflg = 0;
- char *label = NULL;
- CK_ULONG ulObjectCount;
- int oid = 0, nid = 0;
- CK_ATTRIBUTE search_template[] = {
- {CKA_ID, &old_id, sizeof(old_id)}
- };
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":s:i:n:l:p:")) != -1) {
- switch (c) {
- case 's':
- slot = atoi(optarg);
- break;
- case 'i':
- oid = atoi(optarg);
- oid &= 0xffff;
- old_id[0] = (oid >> 8) & 0xff;
- old_id[1] = oid & 0xff;
- break;
- case 'n':
- nid = atoi(optarg);
- nid &= 0xffff;
- new_id[0] = (nid >> 8) & 0xff;
- new_id[1] = nid & 0xff;
- break;
- case 'l':
- label = optarg;
- break;
- case 'p':
- pin = (CK_UTF8CHAR *)optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if ((errflg) || (!nid) || ((!oid) && (!label))) {
- fprintf(stderr,
- "usage: set_key_id [-s slot] [-p pin] -n new_id "
- "{ -i old_id | -l label }\n");
- exit(1);
- }
- if (!label)
- printf("old %i new %i\n", oid, nid);
- else {
- printf("label %s new %i\n", label, nid);
- search_template[0].type = CKA_LABEL;
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen(label);
- }
-
- /* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_program;
- }
-
- /* Login to the Token (Keystore) */
- if (!pin)
-#ifndef HAVE_GETPASS
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
- pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- rv = C_FindObjectsInit(hSession, search_template, 1);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- ulObjectCount = 1;
- while(ulObjectCount) {
- rv = C_FindObjects(hSession, &akey, 1, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- } else if (ulObjectCount) {
- /* Set update template. */
- CK_ATTRIBUTE new_template[] = {
- {CKA_ID, &new_id, sizeof(new_id)}
- };
-
- rv = C_SetAttributeValue(hSession, akey, new_template, 1);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_SetAttributeValue: rv = 0x%.8X\n", rv);
- error = 1;
- }
- }
- }
-
- exit_search:
- rv = C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_session:
- (void) C_CloseSession(hSession);
-
- exit_program:
- (void) C_Finalize(NULL_PTR);
-
- exit(error);
-}
+++ /dev/null
-/* writekey [-s $slot] [-p $pin] -l $label -i $id -f $filename */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-#include <opencryptoki/pkcs11.h>
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-#include <openssl/pem.h>
-
-/* Define static key template values */
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-int
-main(int argc, char *argv[])
-{
- ENGINE *e;
- RSA *rsa = NULL;
- FILE *fp;
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- CK_BYTE new_id[2];
- CK_OBJECT_HANDLE key = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS kclass;
- CK_KEY_TYPE ktype = CKK_RSA;
- CK_ATTRIBUTE template[50];
- CK_ULONG template_size;
- CK_BYTE data[8][1024];
- CK_ULONG ulObjectCount;
- char *label = NULL, *filename = NULL;
- int id = 0;
- int error = 0;
- int c, errflg = 0;
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":s:l:i:p:f:")) != -1) {
- switch (c) {
- case 's':
- slot = atoi(optarg);
- break;
- case 'l':
- label = optarg;
- break;
- case 'i':
- id = atoi(optarg);
- id &= 0xffff;
- break;
- case 'p':
- pin = (CK_UTF8CHAR *)optarg;
- break;
- case 'f':
- filename = optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if ((errflg) || (!label) || (!id) || (!filename)) {
- fprintf(stderr,
- "usage: writekey [-s slot] [-p pin] -l label -i id "
- "-f filename\n");
- exit(2);
- }
-
- /* Load the config file */
- OPENSSL_config(NULL);
-
- /* Register engine */
- e = ENGINE_by_id("pkcs11");
- if (!e) {
- /* the engine isn't available */
- printf("The engine isn't available\n");
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
- if (!ENGINE_init(e)) {
- /* the engine couldn't initialise, release 'e' */
- printf("The engine couldn't initialise\n");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- /* Read the key */
- fp = fopen(filename, "r");
- if (fp == NULL) {
- printf("Error opening input file.\n");
- ENGINE_free(e);
- exit(1);
- }
-
- rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
- (void) fclose(fp);
- if (rsa == NULL) {
- printf("Error reading input file.\n");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- /* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
- if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
- fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
- ENGINE_free(e);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_program;
- }
-
- /* Login to the Token (Keystore) */
- if (!pin)
-#ifndef HAVE_GETPASS
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
- pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- /* fill the search template */
- if (strstr(label, "pkcs11:") == label)
- label = strstr(label, ":") + 1;
- kclass = CKO_PRIVATE_KEY;
- template[0].type = CKA_TOKEN;
- template[0].pValue = &truevalue;
- template[0].ulValueLen = sizeof (truevalue);
- template[1].type = CKA_CLASS;
- template[1].pValue = &kclass;
- template[1].ulValueLen = sizeof (kclass);
- template[2].type = CKA_LABEL;
- template[2].pValue = label;
- template[2].ulValueLen = strlen(label);
-
- /* check if a key with the same label already exists */
- rv = C_FindObjectsInit(hSession, template, 3);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
- rv = C_FindObjects(hSession, &key, 1, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
- if (ulObjectCount != 0) {
- fprintf(stderr, "Key already exists.\n");
- error = 1;
- goto exit_search;
- }
-
- /* fill attributes for the public key */
- new_id[0] = (id >> 8) & 0xff;
- new_id[1] = id & 0xff;
- kclass = CKO_PUBLIC_KEY;
- if (BN_num_bytes(rsa->n) > 1024) {
- fprintf(stderr, "RSA modulus too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->n, data[0]);
- if (BN_num_bytes(rsa->e) > 1024) {
- fprintf(stderr, "RSA public exponent too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->e, data[1]);
- if (BN_num_bytes(rsa->d) > 1024) {
- fprintf(stderr, "RSA private exponent too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->d, data[2]);
- if (BN_num_bytes(rsa->p) > 1024) {
- fprintf(stderr, "RSA prime 1 too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->p, data[3]);
- if (BN_num_bytes(rsa->q) > 1024) {
- fprintf(stderr, "RSA prime 2 too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->q, data[4]);
- if (BN_num_bytes(rsa->dmp1) > 1024) {
- fprintf(stderr, "RSA exponent 1 too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->dmp1, data[5]);
- if (BN_num_bytes(rsa->dmq1) > 1024) {
- fprintf(stderr, "RSA exponent 2 too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->dmq1, data[6]);
- if (BN_num_bytes(rsa->iqmp) > 1024) {
- fprintf(stderr, "RSA coefficient too large\n");
- error = 1;
- goto exit_search;
- }
- BN_bn2bin(rsa->iqmp, data[7]);
-
- template[0].type = CKA_TOKEN;
- template[0].pValue = &truevalue;
- template[0].ulValueLen = sizeof (truevalue);
- template[1].type = CKA_CLASS;
- template[1].pValue = &kclass;
- template[1].ulValueLen = sizeof (kclass);
- template[2].type = CKA_LABEL;
- template[2].pValue = label;
- template[2].ulValueLen = strlen(label);
- template[3].type = CKA_ID;
- template[3].pValue = new_id;
- template[3].ulValueLen = sizeof (new_id);
- template[4].type = CKA_KEY_TYPE;
- template[4].pValue = &ktype;
- template[4].ulValueLen = sizeof (ktype);
- template[5].type = CKA_ENCRYPT;
- template[5].pValue = &truevalue;
- template[5].ulValueLen = sizeof (truevalue);
- template[6].type = CKA_VERIFY;
- template[6].pValue = &truevalue;
- template[6].ulValueLen = sizeof (truevalue);
- template[7].type = CKA_VERIFY_RECOVER;
- template[7].pValue = &truevalue;
- template[7].ulValueLen = sizeof (truevalue);
- template[8].type = CKA_MODULUS;
- template[8].pValue = data[0];
- template[8].ulValueLen = BN_num_bytes(rsa->n);
- template[9].type = CKA_PUBLIC_EXPONENT;
- template[9].pValue = data[1];
- template[9].ulValueLen = BN_num_bytes(rsa->e);
-
- rv = C_CreateObject(hSession, template, 10, &key);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_CreateObject (pub): Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
-
- /* fill attributes for the private key */
- kclass = CKO_PRIVATE_KEY;
- template[0].type = CKA_TOKEN;
- template[0].pValue = &truevalue;
- template[0].ulValueLen = sizeof (truevalue);
- template[1].type = CKA_CLASS;
- template[1].pValue = &kclass;
- template[1].ulValueLen = sizeof (kclass);
- template[2].type = CKA_LABEL;
- template[2].pValue = label;
- template[2].ulValueLen = strlen(label);
- template[3].type = CKA_ID;
- template[3].pValue = new_id;
- template[3].ulValueLen = sizeof (new_id);
- template[4].type = CKA_KEY_TYPE;
- template[4].pValue = &ktype;
- template[4].ulValueLen = sizeof (ktype);
- template[5].type = CKA_SENSITIVE;
- template[5].pValue = &falsevalue;
- template[5].ulValueLen = sizeof (falsevalue);
- template[6].type = CKA_EXTRACTABLE;
- template[6].pValue = &truevalue;
- template[6].ulValueLen = sizeof (truevalue);
- template[7].type = CKA_DECRYPT;
- template[7].pValue = &truevalue;
- template[7].ulValueLen = sizeof (truevalue);
- template[8].type = CKA_SIGN;
- template[8].pValue = &truevalue;
- template[8].ulValueLen = sizeof (truevalue);
- template[9].type = CKA_SIGN_RECOVER;
- template[9].pValue = &truevalue;
- template[9].ulValueLen = sizeof (truevalue);
- template[10].type = CKA_MODULUS;
- template[10].pValue = data[0];
- template[10].ulValueLen = BN_num_bytes(rsa->n);
- template[11].type = CKA_PUBLIC_EXPONENT;
- template[11].pValue = data[1];
- template[11].ulValueLen = BN_num_bytes(rsa->e);
- template[12].type = CKA_PRIVATE_EXPONENT;
- template[12].pValue = data[2];
- template[12].ulValueLen = BN_num_bytes(rsa->d);
- template[13].type = CKA_PRIME_1;
- template[13].pValue = data[3];
- template[13].ulValueLen = BN_num_bytes(rsa->p);
- template[14].type = CKA_PRIME_2;
- template[14].pValue = data[4];
- template[14].ulValueLen = BN_num_bytes(rsa->q);
- template[15].type = CKA_EXPONENT_1;
- template[15].pValue = data[5];
- template[15].ulValueLen = BN_num_bytes(rsa->dmp1);
- template[16].type = CKA_EXPONENT_2;
- template[16].pValue = data[6];
- template[16].ulValueLen = BN_num_bytes(rsa->dmq1);
- template[17].type = CKA_COEFFICIENT;
- template[17].pValue = data[7];
- template[17].ulValueLen = BN_num_bytes(rsa->iqmp);
-
- rv = C_CreateObject(hSession, template, 18, &key);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_CreateObject (priv): Error = 0x%.8X\n", rv);
- (void) C_DestroyObject(hSession, key);
- error = 1;
- goto exit_search;
- }
-
- exit_search:
- rv = C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_session:
- (void) C_CloseSession(hSession);
-
- exit_program:
- (void) C_Finalize(NULL_PTR);
- ENGINE_free(e);
- ENGINE_cleanup();
-
- exit(error);
-}
+++ /dev/null
-#!/bin/bash --debug
-
-usage="Usage: $0 -x ext -p pin -f keyrootname"
-tmp_file=/tmp/cur_pem.$$
-while getopts ":x:p:f:" opt; do
- case $opt in
- x ) ext=$OPTARG ;;
- p ) pin=$OPTARG ;;
- f ) root=$OPTARG ;;
- \? ) echo $usage
- exit 1 ;;
- esac
-done
-shift $(($OPTIND -1))
-
-if [ ! "$ext" -o ! "$pin" -o ! "$root" ] ; then
- echo $usage
- exit 1
-fi
-
-keyfile=${root}.key
-privfile=${root}.private
-file=`basename $root | sed 's/^K//'`
-zone=`echo $file | awk -F+ '{ print $1 }' | sed 's/\.$//'`
-algo=`echo $file | awk -F+ '{ print $2 }'`
-tag=`echo $file | awk -F+ '{ print $3 }'`
-
-# debug
-echo 'zone: ' $zone
-echo 'algo: ' $algo
-echo 'tag: ' $tag
-
-if [ ! -r "$keyfile" ] ; then
- echo "can't read " $keyfile
- exit 1
-fi
-if [ ! -r "$privfile" ] ; then
- echo "can't read " $privfile
- exit 1
-fi
-
-if [ "$algo" != "005" ] ; then
- echo 'algorithm must be 005'
- exit 1
-fi
-
-# for testing
-mypath=.
-
-echo 'Reading key files'
-flag=`$mypath/keydump.pl -k $keyfile -p $privfile -o $tmp_file`
-
-if [ "$flag" = "256" ] ; then
- label=$zone,zsk,$ext
-elif [ "$flag" = "257" ] ; then
- label=$zone,ksk,$ext
-else
- echo 'flag must be 256 or 257'
- rm $tmp_file
- exit 1
-fi
-
-echo "Label will be '"$label"'"
-$mypath/writekey -p $pin -l $label -i $tag -f $tmp_file
-
-rm $tmp_file
-
-echo 'Now you can add at the end of ' $privfile
-/usr/bin/perl <<EOF
-use MIME::Base64;
-print "Engine: ", encode_base64("pkcs11\0",""), "\n";
-print "Label: ", encode_base64("pkcs11:"."$label"."\0",""), "\n";
-EOF
projects / thirdparty / bind9.git / commitdiff
