pkcs11 tools were moved (20067)

This commit is contained in:
Francis Dupont 2009-09-23 10:54:46 +00:00
parent 2946e44c86
commit e25451b66c
12 changed files with 95 additions and 1520 deletions


@ -0,0 +1,94 @@
BIND-9 PKCS#11 support
Prerequisite
The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
and some improvements, including user friendly PIN management. You may also
use the original engine code.
Compilation
"configure --with-pkcs11 ..."
PKCS#11 Libraries
Tested with Solaris one with a SCA board and with openCryptoki with the
software token. Known to work on Linux and Windows 2003 server so
should work on most operating systems. For AEP Keyper or any device used
only for its protected key store, please switch to the sign-only engine.
OpenSSL Engines
With PKCS#11 support the PKCS#11 engine is statically loaded but at its
initialization it dynamically loads the PKCS#11 objects.
Even the pre commands are therefore unused they are defined with:
SO_PATH:
define: PKCS11_SO_PATH
default: /usr/local/lib/engines/engine_pkcs11.so
MODULE_PATH:
define: PKCS11_MODULE_PATH
default: /usr/lib/libpkcs11.so
Without PKCS#11 support, a specific OpenSSL engine can be still used
by defining ENGINE_ID at compile time.
PKCS#11 tools
The contrib/pkcs11-keygen directory contains a set of experimental tools
to handle keys stored in a Hardware Security Module at the benefit of BIND.
The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
for the way to use it (these are the original notes so with the original
path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
a operating system which is not Solaris.)
Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
are functional.
PIN management
With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
each time it is required. With the improved engine, the PIN should be
entered the first time it is required or can be configured in the
OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- at the beginning:
openssl_conf = openssl_def
- at any place these sections:
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = put__your__pin__value__here
Slot management
The engine tries to use the first best slot but it is recommended
to simply use the slot 0 (usual default, meta-slot on Solaris).
Sign-only engine
openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
has only the useful functions (i.e., signature with a RSA private
key in the device protected key store and key loading).
This engine should be used with a device which provides mainly
a protected store and no acceleration. AEP Keyper is an example
of such a device (BTW with the fully capable engine, key export
must be enabled on this device and this configuration is not yet
supported).
Original engine
If you are using the original engine and getpassphrase() is not defined, add:
#define getpassphrase(x) getpass(x)
in openssl.../crypto/engine/hw_pk11_pub.c
Notes
Some names here are registered trademarks, at least Solaris is a trademark
of Sun Microsystems Inc...
Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.


@ -0,0 +1 @@
Moved to ${top}/bin/pkcs11


@ -1,178 +0,0 @@
/* destroyobj [-s $slot] [-i $id | -l $label] [-p $pin] */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <opencryptoki/pkcs11.h>
int
main(int argc, char *argv[])
{
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
CK_UTF8CHAR *pin = NULL;
CK_BYTE attr_id[2];
CK_OBJECT_HANDLE akey[50];
char *label = NULL;
int error = 0;
int id = 0, i = 0;
int c, errflg = 0;
CK_ULONG ulObjectCount;
CK_ATTRIBUTE search_template[] = {
{CKA_ID, &attr_id, sizeof(attr_id)}
};
extern char *optarg;
extern int optopt;
while ((c = getopt(argc, argv, ":s:i:l:p:")) != -1) {
switch (c) {
case 's':
slot = atoi(optarg);
break;
case 'i':
id = atoi(optarg);
id &= 0xffff;
break;
case 'l':
label = optarg;
break;
case 'p':
pin = (CK_UTF8CHAR *)optarg;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n", optopt);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n", optopt);
errflg++;
}
}
if (errflg || ((!id) && (!label))) {
fprintf(stderr,
"usage: destroykey [-s slot] [-i id | -l label] [-p pin]\n");
exit(1);
}
if (id) {
printf("id %i\n", id);
attr_id[0] = (id >> 8) & 0xff;
attr_id[1] = id & 0xff;
} else if (label) {
printf("label %s\n", label);
search_template[0].type = CKA_LABEL;
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen(label);
}
/* Initialize the CRYPTOKI library */
rv = C_Initialize(NULL_PTR);
if (rv != CKR_OK) {
fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
exit(1);
}
/* Open a session on the slot found */
rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
NULL_PTR, NULL_PTR, &hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
error = 1;
goto exit_program;
}
/* Login to the Token (Keystore) */
if (!pin)
#ifndef HAVE_GETPASS
pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
#else
pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
#endif
rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
memset(pin, 0, strlen((char *)pin));
if (rv != CKR_OK) {
fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
rv = C_FindObjectsInit(hSession, search_template,
((id != 0) || (label != NULL)) ? 1 : 0);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
error = 1;
goto exit_search;
}
for (i = 0; i < ulObjectCount; i++) {
CK_OBJECT_CLASS oclass = 0;
CK_BYTE labelbuf[64 + 1];
CK_BYTE idbuf[64];
CK_ATTRIBUTE attr_template[] = {
{CKA_CLASS, &oclass, sizeof(oclass)},
{CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
{CKA_ID, idbuf, sizeof(idbuf)}
};
int j, len;
memset(labelbuf, 0, sizeof(labelbuf));
memset(idbuf, 0, sizeof(idbuf));
rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
if (rv != CKR_OK) {
fprintf(stderr, "C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
error = 1;
goto exit_search;
}
len = attr_template[2].ulValueLen;
printf("object[%d]: class %d label '%s' id[%u] ",
i, oclass, labelbuf, attr_template[2].ulValueLen);
if (len > 4)
len = 4;
for (j = 0; j < len; j++)
printf("%02x", idbuf[j]);
if (attr_template[2].ulValueLen > len)
printf("...\n");
else
printf("\n");
}
/* give a chance to kill this */
printf("sleeping 5 seconds...\n");
sleep(5);
for (i = 0; i < ulObjectCount; i++) {
rv = C_DestroyObject(hSession, akey[i]);
if (rv != CKR_OK) {
fprintf(stderr, "C_DestroyObject[%d]: rv = 0x%.8X\n", i, rv);
error = 1;
}
}
exit_search:
rv = C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
error = 1;
}
exit_session:
(void) C_CloseSession(hSession);
exit_program:
(void) C_Finalize(NULL_PTR);
exit(error);
}


@ -1,201 +0,0 @@
/* genkey - pkcs11 rsa key generator
*
* create RSASHA1 key in the keystore of an SCA6000
* The calculation of key tag is left to the script
* that converts the key into a DNSKEY RR and inserts
* it into a zone file.
*
* usage:
* genkey [-P] [-s slot] -b keysize -l label [-p pin]
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <opencryptoki/pkcs11.h>
/* Define static key template values */
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
int
main(int argc, char *argv[])
{
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_MECHANISM genmech;
CK_SESSION_HANDLE hSession;
CK_UTF8CHAR *pin = NULL;
CK_ULONG modulusbits = 0;
CK_CHAR *label = NULL;
CK_OBJECT_HANDLE privatekey, publickey;
CK_BYTE public_exponent[3];
int error = 0;
int i = 0;
int c, errflg = 0;
int hide = 1;
CK_ULONG ulObjectCount;
/* Set search template */
CK_ATTRIBUTE search_template[] = {
{CKA_LABEL, NULL_PTR, 0}
};
CK_ATTRIBUTE publickey_template[] = {
{CKA_LABEL, NULL_PTR, 0},
{CKA_VERIFY, &truevalue, sizeof (truevalue)},
{CKA_TOKEN, &truevalue, sizeof (truevalue)},
{CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)},
{CKA_PUBLIC_EXPONENT, &public_exponent, sizeof (public_exponent)}
};
CK_ATTRIBUTE privatekey_template[] = {
{CKA_LABEL, NULL_PTR, 0},
{CKA_SIGN, &truevalue, sizeof (truevalue)},
{CKA_TOKEN, &truevalue, sizeof (truevalue)},
{CKA_PRIVATE, &truevalue, sizeof (truevalue)},
{CKA_SENSITIVE, &truevalue, sizeof (truevalue)},
{CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)}
};
extern char *optarg;
extern int optopt;
while ((c = getopt(argc, argv, ":Ps:b:i:l:p:")) != -1) {
switch (c) {
case 'P':
hide = 0;
break;
case 's':
slot = atoi(optarg);
break;
case 'b':
modulusbits = atoi(optarg);
break;
case 'l':
label = (CK_CHAR *)optarg;
break;
case 'p':
pin = (CK_UTF8CHAR *)optarg;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n", optopt);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n", optopt);
errflg++;
}
}
if ((errflg) || (!modulusbits) || (!label)) {
fprintf(stderr,
"usage: genkey [-P] [-s slot] -b keysize -l label [-p pin]\n");
exit(2);
}
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen((char *)label);
publickey_template[0].pValue = label;
publickey_template[0].ulValueLen = strlen((char *)label);
privatekey_template[0].pValue = label;
privatekey_template[0].ulValueLen = strlen((char *)label);
/* Set public exponent to 65537 */
public_exponent[0] = 0x01;
public_exponent[1] = 0x00;
public_exponent[2] = 0x01;
/* Set up mechanism for generating key pair */
genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
genmech.pParameter = NULL_PTR;
genmech.ulParameterLen = 0;
/* Initialize the CRYPTOKI library */
rv = C_Initialize(NULL_PTR);
if (rv != CKR_OK) {
fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
exit(1);
}
/* Open a session on the slot found */
rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
NULL_PTR, NULL_PTR, &hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
error = 1;
goto exit_program;
}
/* Login to the Token (Keystore) */
if (!pin)
#ifndef HAVE_GETPASS
pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
#else
pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
#endif
rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
memset(pin, 0, strlen((char *)pin));
if (rv != CKR_OK) {
fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
/* check if a key with the same id already exists */
rv = C_FindObjectsInit(hSession, search_template, 1);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
error = 1;
goto exit_search;
}
if (ulObjectCount != 0) {
fprintf(stderr, "Key already exists.\n");
error = 1;
goto exit_search;
}
/* Set attributes if the key is not to be hidden */
if (!hide) {
privatekey_template[4].pValue = &falsevalue;
privatekey_template[5].pValue = &truevalue;
}
/* Generate Key pair for signing/verifying */
rv = C_GenerateKeyPair(hSession, &genmech, publickey_template,
(sizeof (publickey_template) /
sizeof (CK_ATTRIBUTE)),
privatekey_template,
(sizeof (privatekey_template) /
sizeof (CK_ATTRIBUTE)),
&publickey, &privatekey);
if (rv != CKR_OK) {
fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8X\n", rv);
error = 1;
}
exit_search:
rv = C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
error = 1;
}
exit_session:
(void) C_CloseSession(hSession);
exit_program:
(void) C_Finalize(NULL_PTR);
exit(error);
}


@ -1,55 +0,0 @@
#!/usr/bin/bash
usage="Usage: $0 -z zone -x ext -p pin -b bits -e engine [-f] -k key_path"
tmp_file=/tmp/cur_key.$$
while getopts ":z:x:p:t:k:b:e:f" opt; do
case $opt in
z ) zone=$OPTARG ;;
x ) ext=$OPTARG ;;
p ) pin=$OPTARG ;;
t ) id=$OPTARG ;;
f ) flag="ksk" ;;
e ) engine=$OPTARG ;;
b ) bits=$OPTARG ;;
k ) key_path=$OPTARG ;;
\? ) echo $usage
exit 1 ;;
esac
done
shift $(($OPTIND -1))
if [ ! "$zone" -o ! "$ext" -o ! "$pin" -o ! "$engine" -o ! "$bits" -o ! "$key_path" ] ; then
echo $usage
exit 1
fi
if [ "$flag" ] ; then
label="$zone,$flag,$ext"
else
label="$zone,zsk,$ext"
fi
# for testing
mypath=.
echo "Generating key"
$mypath/genkey -b $bits -l $label -p $pin
if [ $? -ne 0 ] ; then exit 1 ; fi
echo "Exporting public key"
$mypath/PEM_write_pubkey -e $engine -p $pin -k pkcs11:$label -f $tmp_file
if [ $? -ne 0 ] ; then exit 1 ; fi
echo "Generating DNSKEY RR"
if [ "$flag" ] ; then
keytag=`$mypath/keyconv.pl -a 5 -k -e $engine -l $label -p $key_path -i $tmp_file $zone`
else
keytag=`$mypath/keyconv.pl -a 5 -e $engine -l $label -p $key_path -i $tmp_file $zone`
fi
if [ ! $keytag ] ; then rm $tmp_file; exit 1 ; fi
echo "Set key id"
$mypath/set_key_id -l $label -n $keytag -p $pin
rm $tmp_file


@ -1,61 +0,0 @@
#!/usr/bin/perl -w
use strict;
use Crypt::OpenSSL::RSA;
use Getopt::Std;
use MIME::Base64;
use Net::DNS;
use Net::DNS::SEC;
my %option;
getopts('a:e:i:l:p:hk',\%option);
die "usage: keyconv.pl [-a alg] [-k (to indicate KSK)] -e engine -l label [-p (path to store key)] -i filename domainname\n" if $option{h} || (not defined $option{i}) || (not defined $option{e}) || (not defined $option{l});
# The default path is local.
$option{p} || ($option{p}="./");
# The default algorithm is 5.
$option{a} || ($option{a}=5);
$option{k} || ($option{k}=0);
# The algorithm is either 5 or 133.
$option{a}==5 || $option{a}==133 || die "algorithm must be 5 or 133\n";
# standard flags (value is 256) plus optionally the KSK flag.
my $flags=(256 + $option{k});
open(PFILE, $option{i});
my @fc = <PFILE>;
close(PFILE);
my $rsa = Crypt::OpenSSL::RSA->new_public_key(join "", @fc);
my ($m,$e)= $rsa->get_key_parameters;
(my $l=pack("Cn",0,length($e->to_bin))) =~ s/^\000{2}//;
my $rrkey=$l.$e->to_bin.$m->to_bin;
my $keystr = $ARGV[0]. ". IN DNSKEY $flags 3 $option{a} ".encode_base64($rrkey,"");
my $keyrr = Net::DNS::RR->new($keystr);
open(PFILE, "> $option{p}/K".$ARGV[0].".+".sprintf("%03d",$option{a})."+".$keyrr->keytag.".key");
print PFILE $ARGV[0], ". IN DNSKEY $flags 3 $option{a} ",encode_base64($rrkey,"")."\n";
close(PFILE);
open(PFILE, "> $option{p}/K".$ARGV[0].".+".sprintf("%03d",$option{a})."+".$keyrr->keytag.".private");
print PFILE "Private-key-format: v1.2\n";
print PFILE "Algorithm: ", $option{a}, " (RSASHA1)\n";
print PFILE "Modulus: ".encode_base64($m->to_bin,"")."\n";
print PFILE "PublicExponent: ".encode_base64($e->to_bin,"")."\n";
my $engine="";
$engine=encode_base64($option{e}."\0","");
print PFILE "Engine: ", $engine, "\n";
my $label="";
$option{k}==0 && ($label=encode_base64($option{e}.":".$option{l}."\0",""));
$option{k}!=0 && ($label=encode_base64($option{e}.":".$option{l}."\0",""));
print PFILE "Label: ", $label, "\n";
close(PFILE);
print $keyrr->keytag;


@ -1,26 +0,0 @@
#!/usr/bin/perl -w
use strict;
use Getopt::Std;
use Crypt::OpenSSL::RSA;
use Net::DNS::SEC;
my %option;
getopts('k:p:o:h',\%option);
$option{h} || (not defined $option{k}) || (not defined $option{p}) || (not defined $option{o}) && die "usage: keydump.pl -k Kxxx.key -p Kxxx.priv -o pem\n";
my $rsa = Net::DNS::SEC::Private->new($option{p});
open(PFILE, "> $option{o}");
print PFILE $rsa->dump_rsa_private_der;
close(PFILE);
open(KFILE, "< $option{k}");
my @fc = <KFILE>;
close(KFILE);
my $keyrr = Net::DNS::RR->new(join "", @fc);
print $keyrr->flags;


@ -1,192 +0,0 @@
/* listobjs [-P] [-s slot] [-i $id | -l $label] [-p $pin] */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <opencryptoki/pkcs11.h>
int
main(int argc, char *argv[])
{
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
CK_UTF8CHAR *pin = NULL;
CK_BYTE attr_id[2];
CK_OBJECT_HANDLE akey[50];
char *label = NULL;
int error = 0, public = 0, all = 0;
int i = 0, id = 0;
int c, errflg = 0;
CK_ULONG ulObjectCount;
CK_ATTRIBUTE search_template[] = {
{CKA_ID, &attr_id, sizeof(attr_id)}
};
extern char *optarg;
extern int optopt;
while ((c = getopt(argc, argv, ":s:i:l:p:P")) != -1) {
switch (c) {
case 'P':
public = 1;
break;
case 's':
slot = atoi(optarg);
break;
case 'i':
id = atoi(optarg);
id &= 0xffff;
break;
case 'l':
label = optarg;
break;
case 'p':
pin = (CK_UTF8CHAR *)optarg;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n", optopt);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n", optopt);
errflg++;
}
}
if (errflg) {
fprintf(stderr,
"usage: listobjs [-P] [-s slot] [-p pin] -i id | $label\n");
exit(1);
}
if ((!id) && (!label))
all = 1;
if (slot)
printf("slot %d\n", slot);
if (id) {
printf("id %i\n", id);
attr_id[0] = (id >> 8) & 0xff;
attr_id[1] = id & 0xff;
} else if (label) {
printf("label %s\n", label);
search_template[0].type = CKA_LABEL;
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen(label);
}
/* Initialize the CRYPTOKI library */
rv = C_Initialize(NULL_PTR);
if (rv != CKR_OK) {
fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
exit(1);
}
/* Open a session on the slot found */
rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
NULL_PTR, NULL_PTR, &hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
error = 1;
goto exit_program;
}
/* Login to the Token (Keystore) */
if (!public) {
if (!pin)
#ifndef HAVE_GETPASS
pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
#else
pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
#endif
rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
memset(pin, 0, strlen((char *)pin));
if (rv != CKR_OK) {
fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
}
rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
ulObjectCount = 1;
while (ulObjectCount) {
rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
error = 1;
goto exit_search;
}
for (i = 0; i < ulObjectCount; i++) {
CK_OBJECT_CLASS oclass = 0;
CK_BYTE labelbuf[64 + 1];
CK_BYTE idbuf[64];
CK_ATTRIBUTE attr_template[] = {
{CKA_CLASS, &oclass, sizeof(oclass)},
{CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
{CKA_ID, idbuf, sizeof(idbuf)}
};
int j, len;
memset(labelbuf, 0, sizeof(labelbuf));
memset(idbuf, 0, sizeof(idbuf));
rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
if (rv != CKR_OK) {
fprintf(stderr,
"C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
if (rv = CKR_BUFFER_TOO_SMALL)
fprintf(stderr, "%d too small: %u %u %u\n", i,
attr_template[0].ulValueLen,
attr_template[1].ulValueLen,
attr_template[2].ulValueLen);
error = 1;
continue;
}
len = attr_template[2].ulValueLen;
printf("object[%d]: handle %u class %d label[%u] '%s' id[%u] ",
i, akey[i], oclass,
attr_template[1].ulValueLen, labelbuf,
attr_template[2].ulValueLen);
if (len == 2) {
id = (idbuf[0] << 8) & 0xff00;
id |= idbuf[1] & 0xff;
printf("%i\n", id);
} else {
if (len > 8)
len = 8;
for (j = 0; j < len; j++)
printf("%02x", idbuf[j]);
if (attr_template[2].ulValueLen > len)
printf("...\n");
else
printf("\n");
}
}
}
exit_search:
rv = C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
error = 1;
}
exit_session:
(void) C_CloseSession(hSession);
exit_program:
(void) C_Finalize(NULL_PTR);
exit(error);
}


@ -1,225 +0,0 @@
/* readkey [-s $slot] -l $label [-p $pin] -f $filename */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <opencryptoki/pkcs11.h>
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>
static CK_BBOOL truevalue = TRUE;
int
main(int argc, char *argv[])
{
RSA *rsa = NULL;
FILE *fp;
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
CK_UTF8CHAR *pin = NULL;
char *label;
CK_OBJECT_HANDLE key = CK_INVALID_HANDLE;
CK_OBJECT_CLASS kclass = CKO_PRIVATE_KEY;
char *filename;
int error = 0;
int i = 0;
int c, errflg = 0;
CK_ULONG ulObjectCount;
CK_ATTRIBUTE search_template[] = {
{CKA_LABEL, NULL, 0},
{CKA_TOKEN, &truevalue, sizeof (truevalue)},
{CKA_CLASS, &kclass, sizeof (kclass)}
};
CK_BYTE id[32];
CK_BYTE data[8][1024];
CK_ATTRIBUTE attr_template[] = {
{CKA_ID, &id, sizeof (id)},
{CKA_MODULUS, (void *)data[0], 1024}, /* n */
{CKA_PUBLIC_EXPONENT, (void *)data[1], 1024}, /* e */
{CKA_PRIVATE_EXPONENT, (void *)data[2], 1024}, /* d */
{CKA_PRIME_1, (void *)data[3], 1024}, /* p */
{CKA_PRIME_2, (void *)data[4], 1024}, /* q */
{CKA_EXPONENT_1, (void *)data[5], 1024}, /* dmp1 */
{CKA_EXPONENT_2, (void *)data[6], 1024}, /* dmq1 */
{CKA_COEFFICIENT, (void *)data[7], 1024} /* iqmp */
};
extern char *optarg;
extern int optopt;
while ((c = getopt(argc, argv, ":s:l:p:f:")) != -1) {
switch (c) {
case 's':
slot = atoi(optarg);
break;
case 'l':
label = optarg;
break;
case 'p':
pin = (CK_UTF8CHAR *)optarg;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n", optopt);
errflg++;
break;
case 'f':
filename = optarg;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n", optopt);
errflg++;
}
}
if ((errflg) || (!label) || (!filename)) {
fprintf(stderr,
"usage: readkey [-s slot] -l label [-p pin] -f filename\n");
exit(1);
}
if (slot)
printf("slot %d\n", slot);
/* Initialize OpenSSL library */
OPENSSL_config(NULL);
rsa = RSA_new();
if (!rsa) {
fprintf(stderr, "RSA_new failed\n");
ERR_print_errors_fp(stderr);
exit(1);
}
/* Initialize the CRYPTOKI library */
rv = C_Initialize(NULL_PTR);
if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
exit(1);
}
/* Open a session on the slot found */
rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
NULL_PTR, NULL_PTR, &hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
error = 1;
goto exit_program;
}
/* Login to the Token (Keystore) */
if (!pin)
#ifndef HAVE_GETPASS
pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
#else
pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
#endif
rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
memset(pin, 0, strlen((char *)pin));
if (rv != CKR_OK) {
fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
/* Set search template. */
if (strstr(label, "pkcs11:") == label)
label = strstr(label, ":") + 1;
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen(label);
rv = C_FindObjectsInit(hSession, search_template, 3);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
rv = C_FindObjects(hSession, &key, 1, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
error = 1;
goto exit_search;
}
if (ulObjectCount == 0) {
fprintf(stderr, "C_FindObjects: can't find the key\n");
error = 1;
goto exit_search;
}
rv = C_GetAttributeValue(hSession, key, attr_template, 9);
if (rv != CKR_OK) {
fprintf(stderr, "C_GetAttributeValue: Error = 0x%.8X\n", rv);
error = 1;
goto exit_search;
}
printf("ID[%u]=", attr_template[0].ulValueLen);
for (i = 0; i < attr_template[0].ulValueLen; i++)
printf("%02x", id[i]);
printf("\n");
if (attr_template[1].ulValueLen > 0)
rsa->n = BN_bin2bn(data[0], attr_template[1].ulValueLen, NULL);
if (attr_template[2].ulValueLen > 0)
rsa->e = BN_bin2bn(data[1], attr_template[2].ulValueLen, NULL);
if (attr_template[3].ulValueLen > 0)
rsa->d = BN_bin2bn(data[2], attr_template[3].ulValueLen, NULL);
if (attr_template[4].ulValueLen > 0)
rsa->p = BN_bin2bn(data[3], attr_template[4].ulValueLen, NULL);
if (attr_template[5].ulValueLen > 0)
rsa->q = BN_bin2bn(data[4], attr_template[5].ulValueLen, NULL);
if (attr_template[6].ulValueLen > 0)
rsa->dmp1 = BN_bin2bn(data[5], attr_template[6].ulValueLen, NULL);
if (attr_template[7].ulValueLen > 0)
rsa->dmq1 = BN_bin2bn(data[6], attr_template[7].ulValueLen, NULL);
if (attr_template[8].ulValueLen > 0)
rsa->iqmp = BN_bin2bn(data[7], attr_template[8].ulValueLen, NULL);
rv = C_FindObjects(hSession, &key, 1, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
error = 1;
goto exit_search;
}
if (ulObjectCount != 0) {
fprintf(stderr, "C_FindObjects: found extra keys?\n");
error = 1;
goto exit_search;
}
printf("RSA=");
RSA_print_fp(stdout, rsa, 4);
fp = fopen(filename, "w");
if (fp == NULL) {
printf("Error opening output file.\n");
error = 1;
goto exit_search;
}
if (!PEM_write_RSAPrivateKey(fp, rsa, NULL, NULL, 0, NULL, NULL)) {
printf("Error writing output file.\n");
ERR_print_errors_fp(stderr);
error = 1;
goto exit_search;
}
exit_search:
rv = C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
error = 1;
}
exit_session:
(void) C_CloseSession(hSession);
exit_program:
(void) C_Finalize(NULL_PTR);
exit(error);
}


@ -1,154 +0,0 @@
/* set_key_id [-s slot] [-p $pin] -n $keytag {-i $id | -l $label} */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <opencryptoki/pkcs11.h>
int
main(int argc, char *argv[])
{
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
CK_UTF8CHAR *pin = NULL;
CK_BYTE old_id[2], new_id[2];
CK_OBJECT_HANDLE akey;
int error = 0;
int i = 0;
int c, errflg = 0;
char *label = NULL;
CK_ULONG ulObjectCount;
int oid = 0, nid = 0;
CK_ATTRIBUTE search_template[] = {
{CKA_ID, &old_id, sizeof(old_id)}
};
extern char *optarg;
extern int optopt;
while ((c = getopt(argc, argv, ":s:i:n:l:p:")) != -1) {
switch (c) {
case 's':
slot = atoi(optarg);
break;
case 'i':
oid = atoi(optarg);
oid &= 0xffff;
old_id[0] = (oid >> 8) & 0xff;
old_id[1] = oid & 0xff;
break;
case 'n':
nid = atoi(optarg);
nid &= 0xffff;
new_id[0] = (nid >> 8) & 0xff;
new_id[1] = nid & 0xff;
break;
case 'l':
label = optarg;
break;
case 'p':
pin = (CK_UTF8CHAR *)optarg;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n", optopt);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n", optopt);
errflg++;
}
}
if ((errflg) || (!nid) || ((!oid) && (!label))) {
fprintf(stderr,
"usage: set_key_id [-s slot] [-p pin] -n new_id "
"{ -i old_id | -l label }\n");
exit(1);
}
if (!label)
printf("old %i new %i\n", oid, nid);
else {
printf("label %s new %i\n", label, nid);
search_template[0].type = CKA_LABEL;
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen(label);
}
/* Initialize the CRYPTOKI library */
rv = C_Initialize(NULL_PTR);
if (rv != CKR_OK) {
fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
exit(1);
}
/* Open a session on the slot found */
rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
NULL_PTR, NULL_PTR, &hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
error = 1;
goto exit_program;
}
/* Login to the Token (Keystore) */
if (!pin)
#ifndef HAVE_GETPASS
pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
#else
pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
#endif
rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
memset(pin, 0, strlen((char *)pin));
if (rv != CKR_OK) {
fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
rv = C_FindObjectsInit(hSession, search_template, 1);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
ulObjectCount = 1;
while(ulObjectCount) {
rv = C_FindObjects(hSession, &akey, 1, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
error = 1;
goto exit_search;
} else if (ulObjectCount) {
/* Set update template. */
CK_ATTRIBUTE new_template[] = {
{CKA_ID, &new_id, sizeof(new_id)}
};
rv = C_SetAttributeValue(hSession, akey, new_template, 1);
if (rv != CKR_OK) {
fprintf(stderr, "C_SetAttributeValue: rv = 0x%.8X\n", rv);
error = 1;
}
}
}
exit_search:
rv = C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
error = 1;
}
exit_session:
(void) C_CloseSession(hSession);
exit_program:
(void) C_Finalize(NULL_PTR);
exit(error);
}


@ -1,355 +0,0 @@
/* writekey [-s $slot] [-p $pin] -l $label -i $id -f $filename */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <opencryptoki/pkcs11.h>
#include <openssl/conf.h>
#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>
/* Define static key template values */
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
int
main(int argc, char *argv[])
{
ENGINE *e;
RSA *rsa = NULL;
FILE *fp;
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
CK_UTF8CHAR *pin = NULL;
CK_BYTE new_id[2];
CK_OBJECT_HANDLE key = CK_INVALID_HANDLE;
CK_OBJECT_CLASS kclass;
CK_KEY_TYPE ktype = CKK_RSA;
CK_ATTRIBUTE template[50];
CK_ULONG template_size;
CK_BYTE data[8][1024];
CK_ULONG ulObjectCount;
char *label = NULL, *filename = NULL;
int id = 0;
int error = 0;
int c, errflg = 0;
extern char *optarg;
extern int optopt;
while ((c = getopt(argc, argv, ":s:l:i:p:f:")) != -1) {
switch (c) {
case 's':
slot = atoi(optarg);
break;
case 'l':
label = optarg;
break;
case 'i':
id = atoi(optarg);
id &= 0xffff;
break;
case 'p':
pin = (CK_UTF8CHAR *)optarg;
break;
case 'f':
filename = optarg;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n", optopt);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n", optopt);
errflg++;
}
}
if ((errflg) || (!label) || (!id) || (!filename)) {
fprintf(stderr,
"usage: writekey [-s slot] [-p pin] -l label -i id "
"-f filename\n");
exit(2);
}
/* Load the config file */
OPENSSL_config(NULL);
/* Register engine */
e = ENGINE_by_id("pkcs11");
if (!e) {
/* the engine isn't available */
printf("The engine isn't available\n");
ERR_print_errors_fp(stderr);
exit(1);
}
if (!ENGINE_init(e)) {
/* the engine couldn't initialise, release 'e' */
printf("The engine couldn't initialise\n");
ERR_print_errors_fp(stderr);
ENGINE_free(e);
exit(1);
}
/* Read the key */
fp = fopen(filename, "r");
if (fp == NULL) {
printf("Error opening input file.\n");
ENGINE_free(e);
exit(1);
}
rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
(void) fclose(fp);
if (rsa == NULL) {
printf("Error reading input file.\n");
ERR_print_errors_fp(stderr);
ENGINE_free(e);
exit(1);
}
/* Initialize the CRYPTOKI library */
rv = C_Initialize(NULL_PTR);
if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
ENGINE_free(e);
exit(1);
}
/* Open a session on the slot found */
rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
NULL_PTR, NULL_PTR, &hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
error = 1;
goto exit_program;
}
/* Login to the Token (Keystore) */
if (!pin)
#ifndef HAVE_GETPASS
pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
#else
pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
#endif
rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
memset(pin, 0, strlen((char *)pin));
if (rv != CKR_OK) {
fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
/* fill the search template */
if (strstr(label, "pkcs11:") == label)
label = strstr(label, ":") + 1;
kclass = CKO_PRIVATE_KEY;
template[0].type = CKA_TOKEN;
template[0].pValue = &truevalue;
template[0].ulValueLen = sizeof (truevalue);
template[1].type = CKA_CLASS;
template[1].pValue = &kclass;
template[1].ulValueLen = sizeof (kclass);
template[2].type = CKA_LABEL;
template[2].pValue = label;
template[2].ulValueLen = strlen(label);
/* check if a key with the same label already exists */
rv = C_FindObjectsInit(hSession, template, 3);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
error = 1;
goto exit_session;
}
rv = C_FindObjects(hSession, &key, 1, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
error = 1;
goto exit_search;
}
if (ulObjectCount != 0) {
fprintf(stderr, "Key already exists.\n");
error = 1;
goto exit_search;
}
/* fill attributes for the public key */
new_id[0] = (id >> 8) & 0xff;
new_id[1] = id & 0xff;
kclass = CKO_PUBLIC_KEY;
if (BN_num_bytes(rsa->n) > 1024) {
fprintf(stderr, "RSA modulus too large\n");
error = 1;
goto exit_search;
}
BN_bn2bin(rsa->n, data[0]);
if (BN_num_bytes(rsa->e) > 1024) {
fprintf(stderr, "RSA public exponent too large\n");
error = 1;
goto exit_search;
}
BN_bn2bin(rsa->e, data[1]);
if (BN_num_bytes(rsa->d) > 1024) {
fprintf(stderr, "RSA private exponent too large\n");
error = 1;
goto exit_search;
}
BN_bn2bin(rsa->d, data[2]);
if (BN_num_bytes(rsa->p) > 1024) {
fprintf(stderr, "RSA prime 1 too large\n");
error = 1;
goto exit_search;
}
BN_bn2bin(rsa->p, data[3]);
if (BN_num_bytes(rsa->q) > 1024) {
fprintf(stderr, "RSA prime 2 too large\n");
error = 1;
goto exit_search;
}
BN_bn2bin(rsa->q, data[4]);
if (BN_num_bytes(rsa->dmp1) > 1024) {
fprintf(stderr, "RSA exponent 1 too large\n");
error = 1;
goto exit_search;
}
BN_bn2bin(rsa->dmp1, data[5]);
if (BN_num_bytes(rsa->dmq1) > 1024) {
fprintf(stderr, "RSA exponent 2 too large\n");
error = 1;
goto exit_search;
}
BN_bn2bin(rsa->dmq1, data[6]);
if (BN_num_bytes(rsa->iqmp) > 1024) {
fprintf(stderr, "RSA coefficient too large\n");
error = 1;
goto exit_search;
}
BN_bn2bin(rsa->iqmp, data[7]);
template[0].type = CKA_TOKEN;
template[0].pValue = &truevalue;
template[0].ulValueLen = sizeof (truevalue);
template[1].type = CKA_CLASS;
template[1].pValue = &kclass;
template[1].ulValueLen = sizeof (kclass);
template[2].type = CKA_LABEL;
template[2].pValue = label;
template[2].ulValueLen = strlen(label);
template[3].type = CKA_ID;
template[3].pValue = new_id;
template[3].ulValueLen = sizeof (new_id);
template[4].type = CKA_KEY_TYPE;
template[4].pValue = &ktype;
template[4].ulValueLen = sizeof (ktype);
template[5].type = CKA_ENCRYPT;
template[5].pValue = &truevalue;
template[5].ulValueLen = sizeof (truevalue);
template[6].type = CKA_VERIFY;
template[6].pValue = &truevalue;
template[6].ulValueLen = sizeof (truevalue);
template[7].type = CKA_VERIFY_RECOVER;
template[7].pValue = &truevalue;
template[7].ulValueLen = sizeof (truevalue);
template[8].type = CKA_MODULUS;
template[8].pValue = data[0];
template[8].ulValueLen = BN_num_bytes(rsa->n);
template[9].type = CKA_PUBLIC_EXPONENT;
template[9].pValue = data[1];
template[9].ulValueLen = BN_num_bytes(rsa->e);
rv = C_CreateObject(hSession, template, 10, &key);
if (rv != CKR_OK) {
fprintf(stderr, "C_CreateObject (pub): Error = 0x%.8X\n", rv);
error = 1;
goto exit_search;
}
/* fill attributes for the private key */
kclass = CKO_PRIVATE_KEY;
template[0].type = CKA_TOKEN;
template[0].pValue = &truevalue;
template[0].ulValueLen = sizeof (truevalue);
template[1].type = CKA_CLASS;
template[1].pValue = &kclass;
template[1].ulValueLen = sizeof (kclass);
template[2].type = CKA_LABEL;
template[2].pValue = label;
template[2].ulValueLen = strlen(label);
template[3].type = CKA_ID;
template[3].pValue = new_id;
template[3].ulValueLen = sizeof (new_id);
template[4].type = CKA_KEY_TYPE;
template[4].pValue = &ktype;
template[4].ulValueLen = sizeof (ktype);
template[5].type = CKA_SENSITIVE;
template[5].pValue = &falsevalue;
template[5].ulValueLen = sizeof (falsevalue);
template[6].type = CKA_EXTRACTABLE;
template[6].pValue = &truevalue;
template[6].ulValueLen = sizeof (truevalue);
template[7].type = CKA_DECRYPT;
template[7].pValue = &truevalue;
template[7].ulValueLen = sizeof (truevalue);
template[8].type = CKA_SIGN;
template[8].pValue = &truevalue;
template[8].ulValueLen = sizeof (truevalue);
template[9].type = CKA_SIGN_RECOVER;
template[9].pValue = &truevalue;
template[9].ulValueLen = sizeof (truevalue);
template[10].type = CKA_MODULUS;
template[10].pValue = data[0];
template[10].ulValueLen = BN_num_bytes(rsa->n);
template[11].type = CKA_PUBLIC_EXPONENT;
template[11].pValue = data[1];
template[11].ulValueLen = BN_num_bytes(rsa->e);
template[12].type = CKA_PRIVATE_EXPONENT;
template[12].pValue = data[2];
template[12].ulValueLen = BN_num_bytes(rsa->d);
template[13].type = CKA_PRIME_1;
template[13].pValue = data[3];
template[13].ulValueLen = BN_num_bytes(rsa->p);
template[14].type = CKA_PRIME_2;
template[14].pValue = data[4];
template[14].ulValueLen = BN_num_bytes(rsa->q);
template[15].type = CKA_EXPONENT_1;
template[15].pValue = data[5];
template[15].ulValueLen = BN_num_bytes(rsa->dmp1);
template[16].type = CKA_EXPONENT_2;
template[16].pValue = data[6];
template[16].ulValueLen = BN_num_bytes(rsa->dmq1);
template[17].type = CKA_COEFFICIENT;
template[17].pValue = data[7];
template[17].ulValueLen = BN_num_bytes(rsa->iqmp);
rv = C_CreateObject(hSession, template, 18, &key);
if (rv != CKR_OK) {
fprintf(stderr, "C_CreateObject (priv): Error = 0x%.8X\n", rv);
(void) C_DestroyObject(hSession, key);
error = 1;
goto exit_search;
}
exit_search:
rv = C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
error = 1;
}
exit_session:
(void) C_CloseSession(hSession);
exit_program:
(void) C_Finalize(NULL_PTR);
ENGINE_free(e);
ENGINE_cleanup();
exit(error);
}


@ -1,73 +0,0 @@
#!/bin/bash --debug
usage="Usage: $0 -x ext -p pin -f keyrootname"
tmp_file=/tmp/cur_pem.$$
while getopts ":x:p:f:" opt; do
case $opt in
x ) ext=$OPTARG ;;
p ) pin=$OPTARG ;;
f ) root=$OPTARG ;;
\? ) echo $usage
exit 1 ;;
esac
done
shift $(($OPTIND -1))
if [ ! "$ext" -o ! "$pin" -o ! "$root" ] ; then
echo $usage
exit 1
fi
keyfile=${root}.key
privfile=${root}.private
file=`basename $root | sed 's/^K//'`
zone=`echo $file | awk -F+ '{ print $1 }' | sed 's/\.$//'`
algo=`echo $file | awk -F+ '{ print $2 }'`
tag=`echo $file | awk -F+ '{ print $3 }'`
# debug
echo 'zone: ' $zone
echo 'algo: ' $algo
echo 'tag: ' $tag
if [ ! -r "$keyfile" ] ; then
echo "can't read " $keyfile
exit 1
fi
if [ ! -r "$privfile" ] ; then
echo "can't read " $privfile
exit 1
fi
if [ "$algo" != "005" ] ; then
echo 'algorithm must be 005'
exit 1
fi
# for testing
mypath=.
echo 'Reading key files'
flag=`$mypath/keydump.pl -k $keyfile -p $privfile -o $tmp_file`
if [ "$flag" = "256" ] ; then
label=$zone,zsk,$ext
elif [ "$flag" = "257" ] ; then
label=$zone,ksk,$ext
else
echo 'flag must be 256 or 257'
rm $tmp_file
exit 1
fi
echo "Label will be '"$label"'"
$mypath/writekey -p $pin -l $label -i $tag -f $tmp_file
rm $tmp_file
echo 'Now you can add at the end of ' $privfile
/usr/bin/perl <<EOF
use MIME::Base64;
print "Engine: ", encode_base64("pkcs11\0",""), "\n";
print "Label: ", encode_base64("pkcs11:"."$label"."\0",""), "\n";
EOF