├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── custom.md │ └── feature_request.md └── workflows │ ├── codeql.yml │ └── github-build-ubuntu-latest.yml ├── .gitignore ├── .gitmodules ├── .travis.yml ├── CHANGELOG.md ├── COPYING ├── LICENSE.md ├── Makefile.am ├── README.md ├── bootstrap.sh ├── configure.ac ├── dist ├── redhat │ ├── .gitignore │ └── pkcs11-tools.spec.in └── solaris │ ├── .gitignore │ ├── checkinstall.in │ ├── pkginfo.in │ └── pkgproto.in ├── docs ├── CONTRIBUTING.md ├── INSTALL.md ├── MANUAL.md └── TPLICENSES.md ├── include ├── .gitignore ├── cryptoki │ ├── awscloudhsm.h │ ├── cryptoki.h │ ├── nss.h │ └── pkcs11extra.h └── pkcs11lib.h ├── lib ├── .gitignore ├── Makefile.am ├── attribctx_helper.c ├── attribctx_helper.h ├── attribctx_lexer.c ├── attribctx_lexer.h ├── attribctx_lexer.l ├── attribctx_parser.c ├── attribctx_parser.h ├── attribctx_parser.y ├── gen_attrinfo_h.pl ├── gen_mechinfo_h.pl ├── pkcs11_attr.c ├── pkcs11_attrdesc.c ├── pkcs11_attribctx.c ├── pkcs11_cat.c ├── pkcs11_cert.c ├── pkcs11_cert_common.c ├── pkcs11_chattr.c ├── pkcs11_context.c ├── pkcs11_cp.c ├── pkcs11_data.c ├── pkcs11_dh.c ├── pkcs11_dsa.c ├── pkcs11_ec.c ├── pkcs11_error.c ├── pkcs11_kcv.c ├── pkcs11_keycomp.c ├── pkcs11_keygen.c ├── pkcs11_libinfo.c ├── pkcs11_ll_unix.c ├── pkcs11_ll_win.c ├── pkcs11_ls.c ├── pkcs11_masq.c ├── pkcs11_mechanism.c ├── pkcs11_more.c ├── pkcs11_mv.c ├── pkcs11_od.c ├── pkcs11_openssl.c ├── pkcs11_ossl.h ├── pkcs11_ossl_dsa_meth.c ├── pkcs11_ossl_ecdsa_meth.c ├── pkcs11_ossl_eddsa_meth.c ├── pkcs11_ossl_fake_sign.c ├── pkcs11_ossl_rsa_meth.c ├── pkcs11_peekpoke.c ├── pkcs11_pubk.c ├── pkcs11_random.c ├── pkcs11_req.c ├── pkcs11_rm.c ├── pkcs11_search.c ├── pkcs11_session.c ├── pkcs11_slotinfo.c ├── pkcs11_template.c ├── pkcs11_unwrap.c ├── pkcs11_utils.c ├── pkcs11_wctx.c ├── pkcs11_wrap.c ├── pkcs11_wrapoutput.c ├── pkcs11_x509.c ├── wrappedkey_helper.c ├── wrappedkey_helper.h ├── wrappedkey_lexer.c ├── 
wrappedkey_lexer.h ├── wrappedkey_lexer.l ├── wrappedkey_parser.c ├── wrappedkey_parser.h └── wrappedkey_parser.y ├── m4 ├── ax_create_target_h.m4 ├── ax_lib_socket_nsl.m4 └── ax_with_dmalloc.m4 ├── repoTagData.json ├── src ├── .gitignore ├── Makefile.am ├── masqreq.c ├── p11cat.c ├── p11cp.c ├── p11importcert.c ├── p11importdata.c ├── p11importpubk.c ├── p11kcv.c ├── p11keycomp.c ├── p11keygen.c ├── p11ls.c ├── p11mkcert.c ├── p11more.c ├── p11mv.c ├── p11od.c ├── p11req.c ├── p11rewrap.c ├── p11rm.c ├── p11setattr.c ├── p11slotinfo.c ├── p11unwrap.c ├── p11wrap.c ├── version.c └── win_applink.c ├── test ├── bigbigsan1000.sh ├── bigbigsan150.sh ├── bigsan.sh ├── littlesan.sh ├── reqtestcases.sh ├── san100.sh ├── san100gdb.sh ├── san125.sh ├── san138.sh ├── san144.sh ├── san150.sh ├── san50.sh ├── test.py └── with_nss ├── with_aws ├── with_beid ├── with_luna ├── with_nfast ├── with_nss ├── with_softhsm └── with_utimaco /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto 2 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Operating System (please complete the following information):** 27 | - OS: [e.g. linux] 28 | - Version [e.g. 
kernel version] 29 | 30 | **Additional context** 31 | Add any other context about the problem here. 32 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/custom.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Custom issue template 3 | about: Describe this issue template's purpose here. 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | 11 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/workflows/codeql.yml: -------------------------------------------------------------------------------- 1 | # For most projects, this workflow file will not need changing; you simply need 2 | # to commit it to your repository. 3 | # 4 | # You may wish to alter this file to override the set of languages analyzed, 5 | # or to provide custom queries or build logic. 6 | # 7 | # ******** NOTE ******** 8 | # We have attempted to detect the languages in your repository. 
Please check 9 | # the `language` matrix defined below to confirm you have the correct set of 10 | # supported CodeQL languages. 11 | # 12 | name: "CodeQL" 13 | 14 | on: 15 | push: 16 | branches: [ "master", "devel" ] 17 | pull_request: 18 | # The branches below must be a subset of the branches above 19 | branches: [ "master" ] 20 | schedule: 21 | - cron: '25 9 * * 6' 22 | 23 | jobs: 24 | analyze: 25 | name: Analyze 26 | # Runner size impacts CodeQL analysis time. To learn more, please see: 27 | # - https://gh.io/recommended-hardware-resources-for-running-codeql 28 | # - https://gh.io/supported-runners-and-hardware-resources 29 | # - https://gh.io/using-larger-runners 30 | # Consider using larger runners for possible analysis time improvements. 31 | runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} 32 | timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} 33 | permissions: 34 | actions: read 35 | contents: read 36 | security-events: write 37 | 38 | strategy: 39 | fail-fast: false 40 | matrix: 41 | language: [ 'cpp' ] 42 | # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] 43 | # Use only 'java' to analyze code written in Java, Kotlin or both 44 | # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both 45 | # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support 46 | 47 | steps: 48 | - name: Checkout repository 49 | uses: actions/checkout@v4 50 | 51 | # Initializes the CodeQL tools for scanning. 52 | - name: Initialize CodeQL 53 | uses: github/codeql-action/init@v3 54 | with: 55 | languages: ${{ matrix.language }} 56 | # If you wish to specify custom queries, you can do so here or in a config file. 57 | # By default, queries listed here will override any specified in a config file. 58 | # Prefix the list here with "+" to use these queries and those in the config file. 
59 | 60 | # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs 61 | # queries: security-extended,security-and-quality 62 | 63 | # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). 64 | # If this step fails, then you should remove it and run the build manually (see below) 65 | # - name: Autobuild 66 | # uses: github/codeql-action/autobuild@v3 67 | 68 | # ℹ️ Command-line programs to run using the OS shell. 69 | # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun 70 | 71 | # If the Autobuild fails above, remove it and uncomment the following three lines. 72 | # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 73 | 74 | # - run: | 75 | # echo "Run, Build Application using script" 76 | # ./location_of_script_within_repo/buildscript.sh 77 | 78 | - name: install build dependencies 79 | run: NEEDRESTART_MODE=l sudo apt -y install libssl-dev git clang autoconf libtool autoconf-archive bison flex make pkg-config perl 80 | 81 | - name: make bootstrap.sh executable 82 | run: chmod +x bootstrap.sh 83 | - name: run bootstrap.sh 84 | run: ./bootstrap.sh --shallow-clone # shallow-clone is used to speed up submodule cloning 85 | - name: run configure script 86 | run: ./configure 87 | - name: make 88 | run: make -j$(nproc) 89 | 90 | - name: Perform CodeQL Analysis 91 | uses: github/codeql-action/analyze@v3 92 | with: 93 | category: "/language:${{matrix.language}}" 94 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Compilation artefacts 2 | *.bak 3 | *.o 4 | *.a 5 | *.lo 6 | *.la 7 | *.sed 8 | .deps/ 9 | .libs/ 10 | 11 | ## 
development tools 12 | .gdb_history 13 | .python_version 14 | *.patch 15 | .idea 16 | 17 | ## autotools 18 | /aclocal.m4 19 | /ar-lib 20 | /autom4te.cache/ 21 | /compile 22 | Makefile 23 | Makefile.in 24 | /config.log 25 | /config.status 26 | /config.cache 27 | /config.guess 28 | /config.sub 29 | /configure 30 | /depcomp 31 | /gl/ 32 | /include/config.h.in 33 | /include/stamp-h1 34 | /install-sh 35 | /libtool 36 | /ltmain.sh 37 | .dirstamp 38 | /missing 39 | /ylwrap 40 | /m4 41 | !m4/ax_create_target_h.m4 42 | !m4/ax_lib_socket_nsl.m4 43 | !m4/ax_with_dmalloc.m4 44 | 45 | # Ignoring generated /bin directory 46 | /bin/ 47 | 48 | # Directories ending with .ign will be ignored 49 | *.ign/ 50 | 51 | # Tarballs 52 | *.tar.gz 53 | *.tar 54 | *.tgz 55 | 56 | # Solaris distribution files 57 | *.pkg 58 | /pkg/ 59 | 60 | # emacs files 61 | *~ 62 | /TAGS 63 | 64 | # key files 65 | *.pubk 66 | *.prvk 67 | *.crt 68 | *.pem 69 | *.wrap 70 | 71 | # pkcs11 wrapper script files 72 | .pkcs11rc 73 | 74 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule ".gnulib"] 2 | path = .gnulib 3 | url = https://github.com/coreutils/gnulib.git 4 | [submodule "include/oasis-pkcs11"] 5 | path = include/oasis-pkcs11 6 | url = https://github.com/oasis-tcs/pkcs11.git 7 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Mastercard 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ######################################################################## 16 | # Travis build file 17 | # As pkcs11-tools does not contain yet any testing, 18 | # This consists of ensuring that the package can be built properly. 19 | 20 | language: c 21 | os: linux 22 | dist: xenial 23 | 24 | compiler: clang 25 | 26 | script: 27 | - ./configure --prefix=$PWD 28 | - make install 29 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | Copyright (c) 2018 Mastercard 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
14 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | # Terms of use 2 | Unless specifically stated inside the source file, the following license terms apply: 3 | 4 | ``` 5 | Copyright (c) 2018 Mastercard 6 | 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 9 | You may obtain a copy of the License at 10 | 11 | http://www.apache.org/licenses/LICENSE-2.0 12 | 13 | Unless required by applicable law or agreed to in writing, software 14 | distributed under the License is distributed on an "AS IS" BASIS, 15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | See the License for the specific language governing permissions and 17 | limitations under the License. 18 | ``` 19 | 20 | 21 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Mastercard 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | EXTRA_DIST = \ 16 | m4/ax_create_target_h.m4 \ 17 | m4/ax_lib_socket_nsl.m4 \ 18 | m4/ax_with_dmalloc.m4 \ 19 | include/cryptoki \ 20 | include/pkcs11lib.h \ 21 | include/oasis-pkcs11/working/3-00-current \ 22 | with_beid \ 23 | with_luna \ 24 | with_nfast \ 25 | with_nss \ 26 | with_softhsm \ 27 | with_utimaco \ 28 | with_aws \ 29 | docs/INSTALL.md \ 30 | docs/CONTRIBUTING.md \ 31 | docs/MANUAL.md \ 32 | docs/TPLICENSES.md \ 33 | README.md \ 34 | LICENSE.md \ 35 | CHANGELOG.md \ 36 | COPYING 37 | 38 | 39 | SUBDIRS = gl lib src 40 | 41 | ACLOCAL_AMFLAGS = -I m4 42 | 43 | 44 | install-exec-hook: 45 | $(INSTALL) \ 46 | $(srcdir)/with_beid \ 47 | $(srcdir)/with_luna \ 48 | $(srcdir)/with_nfast \ 49 | $(srcdir)/with_nss \ 50 | $(srcdir)/with_softhsm \ 51 | $(srcdir)/with_utimaco \ 52 | $(srcdir)/with_aws \ 53 | $(DESTDIR)$(bindir) 54 | 55 | dist-hook: 56 | -rm -rf $$(find $(distdir)/include -type d -name .svn) 57 | 58 | dist-solaris: install 59 | -$(MKDIR_P) pkg 60 | cp COPYING README.md CHANGELOG.md LICENSE.md docs 61 | pkgmk -o -f dist/solaris/pkgproto -p @pkginfo_timestamp@ -r . -d pkg 62 | @echo 63 | pkgtrans pkg ../$(distdir).pkg @pkginfo_pkgname@ 64 | rm docs/COPYING docs/README.md docs/CHANGELOG.md docs/LICENSE.md docs/TPLICENSES.md 65 | @echo "----------------------------------" 66 | @echo "package saved under $(distdir).pkg" 67 | @echo 68 | 69 | 70 | dist-bin: 71 | @$(TAR) -cvf @PACKAGE_TARNAME@-bin-$(target_triplet)-@PACKAGE_VERSION@.tar bin 72 | -------------------------------------------------------------------------------- /bootstrap.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Copyright (c) 2021 Mastercard 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
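# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

########################################################################
# bootstrap.sh: used to bootstrap project once cloned from git
# or during FreeBSD package build
#
# Steps: (1) fetch the git submodules (.gnulib, include/oasis-pkcs11),
# (2) import the gnulib modules into gl/ and m4/ with gnulib-tool,
# (3) run autoreconf.  The first failing command ends the script
# (set -e below); the EXIT trap then restores the start directory.
########################################################################

# no tolerance to errors
set -e

# Return to the directory the script was started from, whatever
# directory a failing command left us in.  Runs on every exit path
# via the EXIT trap.
# ${oldpath} is quoted on purpose: with an unquoted empty value the
# test collapses to `[ -n ]` (true) and the bare `cd` would move to
# $HOME instead of doing nothing; a path containing spaces would be
# word-split into several arguments.
cleanup() {
    if [ -n "${oldpath}" ]; then
        cd "${oldpath}"
    fi
}

trap cleanup EXIT

oldpath="$PWD"
cd "${oldpath}"

# detect if we are in a git repo
if [ -d .git ]; then
    # pull submodule stuff: the URLs come from .gitmodules, the commit
    # checked out is the one recorded in this repository
    git submodule update --init
    # git submodule update --init .gnulib
    # git submodule update --init include/oasis-pkcs11

    # if running automake 1.13, checkout specific (older) commit
    # (pattern quoted so grep sees the escaped dot as a literal dot,
    # which is what the backslash was meant to do)
    if (automake --version | head -1 | grep -q '1\.13'); then
        echo "Automake 1.13 detected, using an older, compatible version of gnulib"
        cd .gnulib
        git checkout 34e1754363b105180e7a85d319c2e1f464b93fb2
        cd ..
    fi
else
    # if not a git repo, then two possibilities:
    # 1) we are building a FreeBSD port, in which case
    #    BUILD_PORT is set
    # 2) we are not, in which case we choke and die
    #
    # quoted for the same reason as ${oldpath} above
    if [ -z "${BUILD_PORT}" ]; then
        echo "***Error: $0 is not invoked from a git repository."
        exit 1
    fi
fi

# invoke gnulib (the module list continues on the following line)
.gnulib/gnulib-tool --import --dir=. --lib=libgnu --source-base=gl --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=. \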
--no-conditional-dependencies --no-libtool --macro-prefix=gl byteswap gethostname getline getopt-gnu malloc-gnu calloc-gnu realloc-gnu regex strcase strsep termios time sysexits minmax 64 | 65 | # create configure scripts 66 | autoreconf -vfi 67 | 68 | # make sure configure script is executable 69 | chmod +x ./configure 70 | 71 | cat < 27 | 28 | %description 29 | The PKCS#11 toolkit provides with a set of commands that allow managing 30 | PKCS#11 cryptographic tokens in a UNIXish fashion. It leverages the 31 | OpenSSL library to export and import cryptographic material in convenient, 32 | widely supported formats. 33 | 34 | Supported platforms include Linux, MacOS, AIX, Solaris and Windows 35 | 36 | %bcond_with awscloudhsm 37 | 38 | %prep 39 | %setup -q 40 | 41 | %build 42 | %configure \ 43 | %{?_with_awscloudhsm} 44 | 45 | make %{?_smp_mflags} 46 | 47 | %install 48 | rm -rf $RPM_BUILD_ROOT 49 | make install DESTDIR=$RPM_BUILD_ROOT 50 | 51 | %clean 52 | rm -rf $RPM_BUILD_ROOT 53 | 54 | %files 55 | %defattr(-,root,root,-) 56 | %doc *.md COPYING docs/*.md 57 | %{_bindir}/* 58 | 59 | %changelog 60 | -------------------------------------------------------------------------------- /dist/solaris/.gitignore: -------------------------------------------------------------------------------- 1 | /checkinstall 2 | /pkginfo 3 | /pkgproto 4 | 5 | -------------------------------------------------------------------------------- /dist/solaris/checkinstall.in: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Copyright (c) 2018 Mastercard 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
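# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SVR4 package "checkinstall" script (listed as `i checkinstall` in
# pkgproto.in): refuses to install the package on a machine whose
# processor type (uname -p) differs from the one the package was built
# for.  @target_cpu@ is substituted when configure generates this file.
# Exit status 0 lets the installation proceed, 1 aborts it.
#
#expected_release="5.10"
expected_platform="@target_cpu@"
#
release=`uname -r`
platform=`uname -p`
#
# Both operands are quoted: an empty or multi-word value would otherwise
# make `[` fail with a syntax error rather than a clean platform check.
if [ "${platform}" != "${expected_platform}" ]; then
    echo "\n\n\n\tThis package must be installed on a ${expected_platform} architecture\n"
    echo "\tAborting installation.\n\n\n"
    exit 1
fi
# The release check stays disabled; ${release} is only referenced here.
#if [ "${release}" != "${expected_release}" ]; then
#    echo "\n\n\n\tThis package must be installed on a ${expected_release} machine\n"
#    echo "\tAborting installation.\n\n\n"
#    exit 1
#fi

exit 0
--------------------------------------------------------------------------------
/dist/solaris/pkginfo.in:
--------------------------------------------------------------------------------
PKG="@pkginfo_pkgname@"
NAME="@PACKAGE_STRING@ a utility for managing PKCS#11 cryptographic tokens"
VERSION="@PACKAGE_VERSION@"
ARCH="@target_cpu@"
CLASSES="commands docs"
CATEGORY="utility"
BASEDIR="@pkginfo_prefix@"
PSTAMP="@pkginfo_timestamp@"
--------------------------------------------------------------------------------
/dist/solaris/pkgproto.in:
--------------------------------------------------------------------------------
# Copyright (c) 2018 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.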
5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # 15 | # pkginfo for pkcs11-tools 16 | # 17 | i pkginfo 18 | i checkinstall 19 | !default 755 root bin 20 | d commands bin 21 | f commands bin/masqreq 22 | f commands bin/p11cat 23 | f commands bin/p11cp 24 | f commands bin/p11importcert 25 | f commands bin/p11importdata 26 | f commands bin/p11importpubk 27 | f commands bin/p11kcv 28 | f commands bin/p11keycomp 29 | f commands bin/p11keygen 30 | f commands bin/p11ls 31 | f commands bin/p11mkcert 32 | f commands bin/p11more 33 | f commands bin/p11mv 34 | f commands bin/p11od 35 | f commands bin/p11req 36 | f commands bin/p11rewrap 37 | f commands bin/p11rm 38 | f commands bin/p11setattr 39 | f commands bin/p11slotinfo 40 | f commands bin/p11unwrap 41 | f commands bin/p11wrap 42 | f commands bin/with_beid 43 | f commands bin/with_luna 44 | f commands bin/with_nfast 45 | f commands bin/with_nss 46 | f commands bin/with_softhsm 47 | f commands bin/with_utimaco 48 | f docs CHANGELOG.md 49 | f docs LICENSE.md 50 | f docs README.md 51 | f docs COPYING 52 | f docs docs/CONTRIBUTING.md 53 | f docs docs/INSTALL.md 54 | f docs docs/MANUAL.md 55 | f docs docs/TPLICENSES.md 56 | -------------------------------------------------------------------------------- /docs/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | When contributing to this repository, please first discuss the change you wish to make via issue, 4 | or any other method with the owners of this repository before making a change. 
5 | 6 | If you create additional source files, add them to the Makefile.am in the respective source folder. 7 | 8 | ## Pull Request Process 9 | 10 | 1. Pull requests should be made against master branch, which is also our latest stable version. 11 | 2. Ensure any install or build dependencies are removed before the end of the layer when doing a 12 | build. 13 | 3. Update the documentation with details of changes, this includes new environment variables, and useful 14 | file locations. 15 | 4. Increase the version numbers in any examples files and the README.md to the new version that this 16 | Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/). 17 | 5. You may merge the Pull Request in once you have the sign-off of the project maintainer. 18 | 19 | 20 | -------------------------------------------------------------------------------- /docs/TPLICENSES.md: -------------------------------------------------------------------------------- 1 | # Third-party licensing terms 2 | 3 | ## AWS CloudHSM 4 | 5 | AWS CloudHSM support requires using derived work from header files found at [github.com/aws-samples](https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples/blob/9026b84691435e59759ffee1bcf7323605920994/include/pkcs11/v2.40/cloudhsm_pkcs11_vendor_defs.h). 6 | 7 | ### licensing terms 8 | 9 | ``` 10 | Copyright (c) 2017, Cavium, Inc. All rights reserved. 11 | 12 | Redistribution and use in source and binary forms, with or without 13 | modification, are permitted provided that the following conditions are met: 14 | 1. Redistributions of source code must retain the above copyright 15 | notice, this list of conditions and the following disclaimer. 16 | 2. Redistributions in binary form must reproduce the above copyright 17 | notice, this list of conditions and the following disclaimer in the 18 | documentation and/or other materials provided with the distribution. 19 | 3. Neither the name of the Cavium, Inc. 
nor the 20 | names of its contributors may be used to endorse or promote products 21 | derived from this software without specific prior written permission. 22 | 23 | THIS SOFTWARE IS PROVIDED BY CAVIUM INC. ''AS IS'' AND ANY 24 | EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 25 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 26 | DISCLAIMED. IN NO EVENT SHALL CAVIUM, INC. BE LIABLE FOR ANY 27 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 28 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 29 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 30 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 32 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 | ``` 34 | -------------------------------------------------------------------------------- /include/.gitignore: -------------------------------------------------------------------------------- 1 | /config.h 2 | /target.h 3 | -------------------------------------------------------------------------------- /include/cryptoki/awscloudhsm.h: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2023 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 17 | */ 18 | 19 | 20 | /* This source code was built up from aws-cloudhsm-pkcs11-vendor-defs.h */ 21 | /* https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples/blob/9026b84691435e59759ffee1bcf7323605920994/include/pkcs11/v2.40/cloudhsm_pkcs11_vendor_defs.h */ 22 | /* It has been modified to fit the need of the PKCS#11 toolkit */ 23 | /* The original license is stated here below. */ 24 | 25 | /* 26 | * Copyright (c) 2017, Cavium, Inc. All rights reserved. 27 | * 28 | * Redistribution and use in source and binary forms, with or without 29 | * modification, are permitted provided that the following conditions are met: 30 | * 1. Redistributions of source code must retain the above copyright 31 | * notice, this list of conditions and the following disclaimer. 32 | * 2. Redistributions in binary form must reproduce the above copyright 33 | * notice, this list of conditions and the following disclaimer in the 34 | * documentation and/or other materials provided with the distribution. 35 | * 3. Neither the name of the Cavium, Inc. nor the 36 | * names of its contributors may be used to endorse or promote products 37 | * derived from this software without specific prior written permission. 38 | * 39 | * THIS SOFTWARE IS PROVIDED BY CAVIUM INC. ''AS IS'' AND ANY 40 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 41 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 42 | * DISCLAIMED. IN NO EVENT SHALL CAVIUM, INC. 
BE LIABLE FOR ANY 43 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 44 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 46 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 47 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 48 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 49 | * 50 | */ 51 | 52 | #if !defined(_AWS_CLOUDHSM_H_) 53 | #define _AWS_CLOUDHSM_H_ 54 | 55 | /* HMAC KDF Mechanism, defined by PKCS#11 3.00 */ 56 | #define CKM_CLOUDHSM_SP800_108_COUNTER_KDF 0x80000001UL /* original name is CKM_SP800_108_COUNTER_KDF */ 57 | 58 | #define CKM_CLOUDHSM_AES_GCM 0x80001087UL 59 | 60 | // More information can be found at https://docs.aws.amazon.com/cloudhsm/latest/userguide/manage-aes-key-wrapping.html 61 | #define CKM_CLOUDHSM_AES_KEY_WRAP_NO_PAD 0x80002109UL 62 | #define CKM_CLOUDHSM_AES_KEY_WRAP_PKCS5_PAD 0x8000210AUL 63 | #define CKM_CLOUDHSM_AES_KEY_WRAP_ZERO_PAD 0x8000216FUL 64 | 65 | #define CKM_CLOUDHSM_DES3_NIST_WRAP 0x80008000UL 66 | 67 | 68 | #endif /* _AWS_CLOUDHSM_H_ */ 69 | -------------------------------------------------------------------------------- /include/cryptoki/cryptoki.h: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2018 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 
8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 17 | */ 18 | 19 | /* this file is derived from the RSA Security Inc. PKCS #11 20 | * Cryptographic Token Interface (Cryptoki) 21 | * original license follows */ 22 | 23 | /* cryptoki.h include file for PKCS #11. */ 24 | /* $Revision: 1.4 $ */ 25 | 26 | /* License to copy and use this software is granted provided that it is 27 | * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface 28 | * (Cryptoki)" in all material mentioning or referencing this software. 29 | 30 | * License is also granted to make and use derivative works provided that 31 | * such works are identified as "derived from the RSA Security Inc. PKCS #11 32 | * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 33 | * referencing the derived work. 34 | 35 | * RSA Security Inc. makes no representations concerning either the 36 | * merchantability of this software or the suitability of this software for 37 | * any particular purpose. It is provided "as is" without express or implied 38 | * warranty of any kind. 39 | */ 40 | 41 | /* This is a sample file containing the top level include directives 42 | * for building Win32 Cryptoki libraries and applications. 
43 | */ 44 | 45 | #ifndef CRYPTOKI_H 46 | #define CRYPTOKI_H 47 | 48 | 49 | #ifdef _MSC_VER 50 | #if defined(_WIN32) /* win32 */ 51 | #define CK_PTR * 52 | 53 | #ifdef _DLL /* Win32, DLL build */ 54 | #define CK_DEFINE_FUNCTION(returnType, name) \ 55 | returnType __declspec(dllexport) name 56 | #define CK_DECLARE_FUNCTION(returnType, name) \ 57 | returnType __declspec(dllimport) name 58 | #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ 59 | returnType __declspec(dllimport) (* name) 60 | #else 61 | /* Win32, not DLL build */ 62 | #define CK_DEFINE_FUNCTION(returnType, name) \ 63 | returnType name 64 | #define CK_DECLARE_FUNCTION(returnType, name) \ 65 | returnType name 66 | #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ 67 | returnType (* name) 68 | #endif 69 | 70 | #define CK_CALLBACK_FUNCTION(returnType, name) \ 71 | returnType (* name) 72 | 73 | #else 74 | #error "Unsupported platform" 75 | #endif 76 | 77 | #else /* not windows */ 78 | 79 | #define CK_PTR * 80 | #define CK_DEFINE_FUNCTION(returnType, name) \ 81 | returnType name 82 | #define CK_DECLARE_FUNCTION(returnType, name) \ 83 | returnType name 84 | #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ 85 | returnType (* name) 86 | #define CK_CALLBACK_FUNCTION(returnType, name) \ 87 | returnType (* name) 88 | #endif 89 | 90 | #ifndef NULL_PTR 91 | #define NULL_PTR 0 92 | #endif 93 | 94 | #if defined(_WIN32) 95 | #pragma pack(push, cryptoki, 1) 96 | #endif 97 | 98 | /* The standard RSA supplied header */ 99 | #include "pkcs11.h" 100 | 101 | /* Non-standard API entry points, vendor defined constants */ 102 | #include "pkcs11extra.h" 103 | 104 | #if defined(_WIN32) 105 | #pragma pack(pop, cryptoki) 106 | #endif 107 | 108 | #endif /* CRYPTOKI_H */ 109 | -------------------------------------------------------------------------------- /include/cryptoki/pkcs11extra.h: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; 
-*- */ 2 | 3 | /* 4 | * Copyright (c) 2018 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 17 | */ 18 | 19 | #ifndef PKCS11_EXTRA_H 20 | #define PKCS11_EXTRA_H 21 | 22 | #include "nss.h" /* Nescape Security Services */ 23 | 24 | #if defined(HAVE_NCIPHER) 25 | #include "ncipher.h" 26 | #endif 27 | 28 | #if defined(HAVE_LUNA) 29 | #include "luna.h" 30 | #endif 31 | 32 | #endif /* PKCS11_EXTRA_H */ 33 | -------------------------------------------------------------------------------- /lib/.gitignore: -------------------------------------------------------------------------------- 1 | # git- specific ignore files (those are generated) 2 | _attrinfo.h 3 | _mechinfo.h 4 | -------------------------------------------------------------------------------- /lib/Makefile.am: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Mastercard 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | 16 | SUFFIXES = .c .h .y .l 17 | 18 | ACLOCAL_AMFLAGS= -I m4 19 | 20 | AM_YFLAGS= -d 21 | 22 | AM_CPPFLAGS = \ 23 | -I$(top_builddir)/gl \ 24 | -I$(top_srcdir)/gl \ 25 | -I$(top_srcdir)/include \ 26 | -I$(top_srcdir)/include/oasis-pkcs11/working/3-00-current \ 27 | -I$(top_srcdir)/include/cryptoki 28 | 29 | noinst_LTLIBRARIES = libp11.la 30 | libp11_la_CFLAGS = $(LIBCRYPTO_CFLAGS) $(PTHREAD_CFLAGS) 31 | libp11_la_LIBADD = $(LIBCRYPTO_LIBS) $(PTHREAD_LIBS) 32 | 33 | # pick appropriate low-level routines file 34 | 35 | if TARGET_OS_MINGW32 36 | libp11_la_SOURCES = pkcs11_ll_win.c 37 | else 38 | libp11_la_SOURCES = pkcs11_ll_unix.c 39 | endif 40 | 41 | libp11_la_SOURCES += pkcs11_attr.c \ 42 | attribctx_lexer.l \ 43 | attribctx_parser.y \ 44 | attribctx_helper.c attribctx_helper.h \ 45 | wrappedkey_lexer.l \ 46 | wrappedkey_parser.y \ 47 | wrappedkey_helper.c wrappedkey_helper.h \ 48 | pkcs11_attribctx.c \ 49 | pkcs11_wctx.c \ 50 | pkcs11_wrapoutput.c \ 51 | pkcs11_peekpoke.c \ 52 | pkcs11_wrap.c \ 53 | pkcs11_unwrap.c \ 54 | pkcs11_random.c \ 55 | pkcs11_chattr.c \ 56 | pkcs11_od.c \ 57 | pkcs11_cat.c \ 58 | pkcs11_more.c \ 59 | pkcs11_cp.c \ 60 | pkcs11_error.c \ 61 | pkcs11_context.c \ 62 | pkcs11_session.c \ 63 | pkcs11_template.c \ 64 | pkcs11_kcv.c \ 65 | pkcs11_keycomp.c \ 66 | pkcs11_keygen.c \ 67 | pkcs11_libinfo.c \ 68 | pkcs11_ls.c \ 69 | pkcs11_masq.c \ 70 | pkcs11_mechanism.c \ 71 | pkcs11_attrdesc.c \ 72 | pkcs11_mv.c \ 73 | pkcs11_req.c \ 74 | pkcs11_cert.c \ 75 | pkcs11_cert_common.c \ 76 | pkcs11_rm.c \ 77 | pkcs11_search.c \ 78 | pkcs11_slotinfo.c \ 79 | pkcs11_utils.c \ 80 | pkcs11_x509.c \ 81 | pkcs11_pubk.c \ 82 | pkcs11_data.c \ 83 | pkcs11_ec.c \ 84 | pkcs11_openssl.c \ 85 | pkcs11_dsa.c \ 86 | pkcs11_dh.c \ 87 | pkcs11_ossl_rsa_meth.c \ 88 | pkcs11_ossl_dsa_meth.c \ 89 | pkcs11_ossl_ecdsa_meth.c \ 90 | 
pkcs11_ossl_eddsa_meth.c \ 91 | pkcs11_ossl_fake_sign.c 92 | 93 | 94 | dist_libp11_la_SOURCES = \ 95 | gen_attrinfo_h.pl gen_mechinfo_h.pl pkcs11_ossl.h \ 96 | wrappedkey_parser.h wrappedkey_parser.c \ 97 | wrappedkey_lexer.h wrappedkey_lexer.c \ 98 | attribctx_parser.h attribctx_parser.c \ 99 | attribctx_lexer.h attribctx_lexer.c 100 | 101 | CLEANFILES = _mechinfo.h _attrinfo.h 102 | BUILT_SOURCES = _mechinfo.h _attrinfo.h 103 | 104 | # The following files depends upon lexer and parser source files 105 | wrappedkey_lexer.c wrappedkey_lexer.h: wrappedkey_lexer.l 106 | wrappedkey_parser.c wrappedkey_parser.h: wrappedkey_parser.y 107 | 108 | wrappedkey_helper.c pkcs11_wrap.c pkcs11_unwrap.c pkcs11_wctx.c: \ 109 | wrappedkey_helper.h \ 110 | wrappedkey_lexer.c wrappedkey_lexer.h \ 111 | wrappedkey_parser.c wrappedkey_parser.h 112 | 113 | # The following files depends upon lexer and parser source files 114 | # note: _lexermech.h is actually needed by attribctx_lexer.l, 115 | # but this dependency is not set directly, as it would lead 116 | # to systematically invoke flex. We put it on the produced files instead. 
117 | attribctx_lexer.c attribctx_lexer.h: attribctx_lexer.l 118 | attribctx_parser.c attribctx_parser.h: attribctx_parser.y 119 | 120 | attribctx_helper.c pkcs11_attribctx.c: \ 121 | attribctx_helper.h attribctx_lexer.l attribctx_parser.y 122 | 123 | pkcs11_mechanism.$(OBJEXT): _mechinfo.h 124 | 125 | _mechinfo.h: Makefile gen_mechinfo_h.pl 126 | $(AM_V_GEN) $(PERL) $(srcdir)/gen_mechinfo_h.pl \ 127 | $(top_srcdir)/include/cryptoki/*.h \ 128 | $(top_srcdir)/include/oasis-pkcs11/working/3-00-current/*.h \ 129 | >$@ 130 | 131 | pkcs11_attrdesc.$(OBJEXT): _attrinfo.h 132 | 133 | _attrinfo.h: Makefile gen_attrinfo_h.pl 134 | $(AM_V_GEN) $(PERL) $(srcdir)/gen_attrinfo_h.pl \ 135 | $(top_srcdir)/include/cryptoki/*.h \ 136 | $(top_srcdir)/include/oasis-pkcs11/working/3-00-current/*.h \ 137 | >$@ 138 | 139 | 140 | 141 | -------------------------------------------------------------------------------- /lib/attribctx_helper.c: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2021 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 
17 | */ 18 | 19 | /* attribctx_helper.c: contains routines used during parsing of wrap files or strings */ 20 | /* see attribctx_lexer.l and cmdline_parser.y for calling methods */ 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | 28 | #include 29 | #include 30 | #include 31 | 32 | 33 | #include "pkcs11lib.h" 34 | #include "attribctx_helper.h" 35 | 36 | 37 | /* comparison function for attributes */ 38 | static int compare_CKA( const void *a, const void *b) 39 | { 40 | return ((CK_ATTRIBUTE_PTR)a)->type == ((CK_ATTRIBUTE_PTR)b)->type ? 0 : -1; 41 | } 42 | 43 | /* append an attribute to the attribute context */ 44 | /* when the attribute is a template, the buffer is simply transmitted (as it remains within the attribctx structure) */ 45 | /* when the attribute is CKM_ALLOWED_MECHANISMS, the buffer is stolen (note that the caller must free it) */ 46 | /* when the attribute is not a template attribute, the buffer is copied */ 47 | 48 | func_rc _attribctx_parser_append_attr(attribCtx *clctx, CK_ATTRIBUTE_TYPE attrtyp, void *buffer, size_t len) 49 | { 50 | func_rc rc = rc_ok; 51 | CK_ATTRIBUTE stuffing; 52 | CK_ATTRIBUTE_PTR match=NULL; 53 | 54 | CK_ATTRIBUTE **attrlist=NULL; 55 | size_t *attrnum; 56 | 57 | /* point to the right (current) attribute list */ 58 | attrlist = &clctx->attrs[clctx->current_idx].attrlist; 59 | attrnum = &clctx->attrs[clctx->current_idx].attrnum; 60 | 61 | /* we need to create the buffer and stuff it with what is passed as parameter */ 62 | stuffing.type = attrtyp; 63 | 64 | if(pkcs11_attr_is_template(attrtyp) || pkcs11_attr_is_allowed_mechanisms(attrtyp)) { 65 | stuffing.pValue = buffer; /* we pass the pointer, we don't allocate */ 66 | } else { 67 | stuffing.pValue = malloc(len); 68 | 69 | if(stuffing.pValue == NULL) { 70 | fprintf(stderr, "Memory error\n"); 71 | rc = rc_error_memory; 72 | goto error; 73 | } 74 | 75 | memcpy(stuffing.pValue, buffer, len); /* copy the value */ 76 | } 77 | stuffing.ulValueLen = len; 
78 | 79 | if(*attrnum==PARSING_MAX_ATTRS-1) { 80 | fprintf(stderr, "reached maximum number of attributes in parsing\n"); 81 | rc = rc_error_memory; 82 | goto error; 83 | } 84 | 85 | size_t argnum = *attrnum; /* trick to adapt on 32 bits architecture, as size(CK_ULONG)!=sizeof int */ 86 | 87 | match = (CK_ATTRIBUTE_PTR ) lsearch ( &stuffing, 88 | *attrlist, 89 | &argnum, 90 | sizeof(CK_ATTRIBUTE), 91 | compare_CKA ); 92 | 93 | *attrnum = argnum; /* trick to adapt on 32 bits architecture, as size(CK_ULONG)!=sizeof int */ 94 | 95 | if(match == &stuffing) { /* match, we may need to adjust the content */ 96 | if(match->pValue != NULL && !pkcs11_attr_is_template(match->type)) { 97 | free(match->pValue); /* just in case */ 98 | } 99 | 100 | match->ulValueLen = stuffing.ulValueLen; 101 | match->pValue = stuffing.pValue; /* we steal the pointer */ 102 | stuffing.pValue = NULL; /* forget it in stuffing */ 103 | } else { 104 | /* have the value inserted */ 105 | /* lsearch is stealing the whole "stuffing" object */ 106 | /* forget it */ 107 | stuffing.pValue = NULL; 108 | } 109 | 110 | error: 111 | /* clean up */ 112 | if(stuffing.pValue != NULL 113 | && !pkcs11_attr_is_template(stuffing.type) 114 | && !pkcs11_attr_is_allowed_mechanisms(stuffing.type)) { 115 | free(stuffing.pValue); 116 | } 117 | 118 | return rc; 119 | } 120 | 121 | func_rc _attribctx_parser_assign_list_to_template(attribCtx *clctx, CK_ATTRIBUTE_TYPE attrtyp) 122 | { 123 | func_rc rc = rc_ok; 124 | 125 | switch(attrtyp) { 126 | case CKA_WRAP_TEMPLATE: 127 | if(clctx->has_wrap_template==true) { 128 | fprintf(stderr, "***Error: a wrap template can only be specified once\n"); 129 | rc = rc_error_parsing; 130 | goto error; 131 | } 132 | // clctx->wraptemplate_idx = clctx->saved_idx; /* saved_idx is set by lexer */ 133 | clctx->has_wrap_template = true; 134 | break; 135 | 136 | case CKA_UNWRAP_TEMPLATE: 137 | if(clctx->has_unwrap_template==true) { 138 | fprintf(stderr, "***Error: an unwrap template can only be 
specified once\n"); 139 | rc = rc_error_parsing; 140 | goto error; 141 | } 142 | // clctx->unwraptemplate_idx = clctx->saved_idx; /* saved_idx is set by lexer */ 143 | clctx->has_unwrap_template = true; 144 | break; 145 | 146 | case CKA_DERIVE_TEMPLATE: 147 | if(clctx->has_derive_template==true) { 148 | fprintf(stderr, "***Error: a derive template can only be specified once\n"); 149 | rc = rc_error_parsing; 150 | goto error; 151 | } 152 | // clctx->derivetemplate_idx = clctx->saved_idx; /* saved_idx is set by lexer */ 153 | clctx->has_derive_template = true; 154 | break; 155 | 156 | default: 157 | fprintf(stderr, "***Error: invalid template type - internal error\n"); 158 | rc = rc_error_oops; 159 | goto error; 160 | } 161 | 162 | /* now we need to add a template attribute to the main list */ 163 | rc = _attribctx_parser_append_attr(clctx, 164 | attrtyp, 165 | clctx->attrs[clctx->saved_idx].attrlist, 166 | clctx->attrs[clctx->saved_idx].attrnum * sizeof(CK_ATTRIBUTE) ); 167 | error: 168 | return rc; 169 | } 170 | 171 | 172 | 173 | /* EOF */ 174 | -------------------------------------------------------------------------------- /lib/attribctx_helper.h: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2021 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 
17 | */ 18 | 19 | /* attribctx_helper.h: header files for wrappedkey_helper.c */ 20 | 21 | #ifndef ATTRIBCTX_HELPER_H 22 | #define ATTRIBCTX_HELPER_H 23 | 24 | #include "pkcs11lib.h" 25 | 26 | /* internal functions used by parser */ 27 | func_rc _attribctx_parser_append_attr(attribCtx *ctx, CK_ATTRIBUTE_TYPE attrtyp, void *buffer, size_t len ); 28 | func_rc _attribctx_parser_assign_list_to_template(attribCtx *clctx, CK_ATTRIBUTE_TYPE attrtyp ); 29 | 30 | #endif /* ATTRIBCTX_HELPER_H */ 31 | -------------------------------------------------------------------------------- /lib/attribctx_parser.h: -------------------------------------------------------------------------------- 1 | /* A Bison parser, made by GNU Bison 3.8.2. */ 2 | 3 | /* Bison interface for Yacc-like parsers in C 4 | 5 | Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation, 6 | Inc. 7 | 8 | This program is free software: you can redistribute it and/or modify 9 | it under the terms of the GNU General Public License as published by 10 | the Free Software Foundation, either version 3 of the License, or 11 | (at your option) any later version. 12 | 13 | This program is distributed in the hope that it will be useful, 14 | but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | GNU General Public License for more details. 17 | 18 | You should have received a copy of the GNU General Public License 19 | along with this program. If not, see . */ 20 | 21 | /* As a special exception, you may create a larger work that contains 22 | part or all of the Bison parser skeleton and distribute that work 23 | under terms of your choice, so long as that work isn't itself a 24 | parser generator using the skeleton or a modified version thereof 25 | as a parser skeleton. 
Alternatively, if you modify or redistribute 26 | the parser skeleton itself, you may (at your option) remove this 27 | special exception, which will cause the skeleton and the resulting 28 | Bison output files to be licensed under the GNU General Public 29 | License without this special exception. 30 | 31 | This special exception was added by the Free Software Foundation in 32 | version 2.2 of Bison. */ 33 | 34 | /* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual, 35 | especially those whose name start with YY_ or yy_. They are 36 | private implementation details that can be changed or removed. */ 37 | 38 | #ifndef YY_CL_ATTRIBCTX_PARSER_H_INCLUDED 39 | # define YY_CL_ATTRIBCTX_PARSER_H_INCLUDED 40 | /* Debug traces. */ 41 | #ifndef CLDEBUG 42 | # if defined YYDEBUG 43 | #if YYDEBUG 44 | # define CLDEBUG 1 45 | # else 46 | # define CLDEBUG 0 47 | # endif 48 | # else /* ! defined YYDEBUG */ 49 | # define CLDEBUG 1 50 | # endif /* ! defined YYDEBUG */ 51 | #endif /* ! defined CLDEBUG */ 52 | #if CLDEBUG 53 | extern int cldebug; 54 | #endif 55 | /* "%code requires" blocks. */ 56 | #line 31 "attribctx_parser.y" 57 | 58 | #include "pkcs11lib.h" 59 | #include "attribctx_helper.h" 60 | 61 | #line 62 "attribctx_parser.h" 62 | 63 | /* Token kinds. 
*/ 64 | #ifndef CLTOKENTYPE 65 | # define CLTOKENTYPE 66 | enum cltokentype 67 | { 68 | CLEMPTY = -2, 69 | CLEOF = 0, /* "end of file" */ 70 | CLerror = 256, /* error */ 71 | CLUNDEF = 257, /* "invalid token" */ 72 | STRING = 258, /* STRING */ 73 | CKATTR_BOOL = 259, /* CKATTR_BOOL */ 74 | CKATTR_STR = 260, /* CKATTR_STR */ 75 | CKATTR_DATE = 261, /* CKATTR_DATE */ 76 | CKATTR_KEY = 262, /* CKATTR_KEY */ 77 | CKATTR_CLASS = 263, /* CKATTR_CLASS */ 78 | CKATTR_TEMPLATE = 264, /* CKATTR_TEMPLATE */ 79 | CKATTR_ALLOWEDMECH = 265, /* CKATTR_ALLOWEDMECH */ 80 | CKMECH = 266, /* CKMECH */ 81 | TOK_BOOLEAN = 267, /* TOK_BOOLEAN */ 82 | TOK_DATE = 268, /* TOK_DATE */ 83 | KEYTYPE = 269, /* KEYTYPE */ 84 | OCLASS = 270, /* OCLASS */ 85 | NO = 271, /* NO */ 86 | ASSIGN = 272, /* ASSIGN */ 87 | CURLY_OPEN = 273, /* CURLY_OPEN */ 88 | CURLY_CLOSE = 274 /* CURLY_CLOSE */ 89 | }; 90 | typedef enum cltokentype cltoken_kind_t; 91 | #endif 92 | 93 | /* Value type. */ 94 | #if ! defined CLSTYPE && ! defined CLSTYPE_IS_DECLARED 95 | union CLSTYPE 96 | { 97 | #line 47 "attribctx_parser.y" 98 | 99 | CK_ATTRIBUTE_TYPE ckattr; 100 | CK_KEY_TYPE val_key; 101 | CK_OBJECT_CLASS val_cls; 102 | CK_BBOOL val_bool; 103 | CK_MECHANISM_TYPE val_mech; 104 | 105 | struct { /* HEX encoded - or real string */ 106 | char *val; 107 | size_t len; 108 | } val_str; 109 | 110 | union { 111 | struct { 112 | char year[4]; 113 | char month[2]; 114 | char day[2]; 115 | } as_ck_date; 116 | char as_buffer[8]; 117 | } val_date; 118 | 119 | #line 120 "attribctx_parser.h" 120 | 121 | }; 122 | typedef union CLSTYPE CLSTYPE; 123 | # define CLSTYPE_IS_TRIVIAL 1 124 | # define CLSTYPE_IS_DECLARED 1 125 | #endif 126 | 127 | 128 | extern CLSTYPE cllval; 129 | 130 | 131 | int clparse (attribCtx *ctx); 132 | 133 | /* "%code provides" blocks. 
*/ 134 | #line 36 "attribctx_parser.y" 135 | 136 | #define YY_DECL int yylex(attribCtx* ctx) 137 | 138 | YY_DECL; 139 | extern void clerror(attribCtx *ctx, const char *s, ...); 140 | 141 | 142 | #line 143 "attribctx_parser.h" 143 | 144 | #endif /* !YY_CL_ATTRIBCTX_PARSER_H_INCLUDED */ 145 | -------------------------------------------------------------------------------- /lib/gen_attrinfo_h.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env perl 2 | 3 | # Copyright (c) 2018 Mastercard 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | 17 | use warnings; 18 | use Data::Dumper; 19 | 20 | 21 | my @lines; 22 | 23 | for $file(@ARGV) { 24 | open (FILE, $file) or die; 25 | while() { 26 | chomp; 27 | if( /^#define[[:space:]]+(CKA_[[:word:]]+)[[:space:]]+(.+)/ ) { 28 | # $1 contains the attribute name, 29 | # $2 contains the definition 30 | push @lines, [${1}, ${2}, $_, $file ] 31 | } 32 | } 33 | close FILE; 34 | } 35 | 36 | # uniquify array 37 | 38 | my %seen; 39 | my @uniq; 40 | 41 | foreach $item (@lines) { 42 | push(@uniq, $item) unless $seen{$item->[1] }++; 43 | } 44 | 45 | #print Dumper(@uniq); 46 | 47 | 48 | my @sorted = sort { $a->[0] cmp $b->[0] } @uniq; 49 | 50 | #print Dumper(@sorted); 51 | 52 | for $line(@sorted) { 53 | print "#if !defined($line->[0])\n"; 54 | print " $line->[2]\n"; 55 | print " /* from $line->[3] */\n"; 56 | print "#endif /* $line->[0] */\n"; 57 | print "\n"; 58 | } 59 | 60 | for $line(@sorted) { 61 | print "{ $line->[0], \"$line->[0]\" }, /* from $line->[3] */\n"; 62 | } 63 | 64 | 65 | -------------------------------------------------------------------------------- /lib/gen_mechinfo_h.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env perl 2 | 3 | # Copyright (c) 2018 Mastercard 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | 17 | use warnings; 18 | 19 | my @lines; 20 | 21 | for $file(@ARGV) { 22 | open (FILE, $file) or die; 23 | while() { 24 | chomp; 25 | if( /^#define CKM_([[:word:]]+)[[:space:]]+(0x[[:xdigit:]]+)/ ) { 26 | # $1 contains the attribute name, 27 | # $2 contains the hex code 28 | # $3 contains the original line 29 | # $4 contains the originating file name 30 | push @lines, [${1}, ${2}, $_, $file ] 31 | } 32 | } 33 | close FILE; 34 | } 35 | 36 | # uniquify array 37 | 38 | my %seen; 39 | my @uniq; 40 | 41 | foreach $item (@lines) { 42 | push(@uniq, $item) unless $seen{$item->[1] }++; 43 | } 44 | 45 | # sort. The key for CKM is the hex code. 46 | 47 | my @sorted = sort { $a->[1] cmp $b->[1] } @uniq; 48 | 49 | #print Dumper(@sorted); 50 | 51 | for $line(@sorted) { 52 | print "#if !defined(CKM_$line->[0])\n"; 53 | print " $line->[2]\n"; 54 | print " /* from $line->[3] */\n"; 55 | print "#endif /* CKM_$line->[0] */\n"; 56 | print "\n"; 57 | } 58 | 59 | for $line(@sorted) { 60 | print "{ CKM_$line->[0], \"CKM_$line->[0]\" }, /* from $line->[3] */\n"; 61 | } 62 | 63 | 64 | -------------------------------------------------------------------------------- /lib/pkcs11_attrdesc.c: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2018 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 
17 | */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include "pkcs11lib.h" 24 | 25 | 26 | 27 | typedef struct s_attr_desc { 28 | CK_ATTRIBUTE_TYPE type; 29 | const char *desc; 30 | } AttributeDesc; 31 | 32 | 33 | /* ordered by name */ 34 | static AttributeDesc _a[] = { 35 | 36 | #include "_attrinfo.h" 37 | 38 | }; 39 | 40 | /* ordered by type */ 41 | static AttributeDesc _b[] = { 42 | 43 | #include "_attrinfo.h" 44 | 45 | }; 46 | static bool _b_sorted = false; 47 | 48 | 49 | static int compare_CKA_desc( const void *a, const void *b) 50 | { 51 | return strcasecmp(((AttributeDesc *)a)->desc, ((AttributeDesc *)b)->desc); 52 | } 53 | 54 | static int compare_CKA_type( const void *a, const void *b) 55 | { 56 | /* because we are making a comparison between unsigned long, int might not reflect well */ 57 | /* we need to use an intermediary value and divide it by itself (as absolute value) */ 58 | 59 | long long item = ((AttributeDesc *)a)->type - ((AttributeDesc *)b)->type; 60 | 61 | return item ? 
item/llabs(item) : 0; 62 | } 63 | 64 | 65 | CK_ATTRIBUTE_TYPE pkcs11_get_attribute_type_from_name(char *name) 66 | { 67 | 68 | CK_ATTRIBUTE_TYPE retval = 0xFFFFFFFF; 69 | 70 | size_t array_size = sizeof(_a)/sizeof(AttributeDesc); 71 | AttributeDesc candidate = { 0xFFFFFFFF, name }; 72 | AttributeDesc *match = bsearch( &candidate, _a, array_size, sizeof(AttributeDesc), compare_CKA_desc); 73 | 74 | if(match) { retval = ((AttributeDesc *)match)->type; } 75 | 76 | return retval; 77 | } 78 | 79 | 80 | const char *pkcs11_get_attribute_name_from_type(CK_ATTRIBUTE_TYPE attrtyp) 81 | { 82 | 83 | static char * attr_unknown = "CKA_UNKNOWN_ATTRIBUTE"; 84 | size_t array_size = sizeof(_b)/sizeof(AttributeDesc); 85 | AttributeDesc candidate = { attrtyp, NULL }; 86 | 87 | if(_b_sorted == false) { /* sort the table using type member*/ 88 | qsort( _b, array_size, sizeof(AttributeDesc), compare_CKA_type); 89 | _b_sorted = true; 90 | } 91 | 92 | AttributeDesc *match = bsearch( &candidate, _b, array_size, sizeof(AttributeDesc), compare_CKA_type); 93 | 94 | return match ? ((AttributeDesc *)match)->desc : attr_unknown; 95 | } 96 | 97 | /* EOF */ 98 | -------------------------------------------------------------------------------- /lib/pkcs11_chattr.c: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2018 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 17 | */ 18 | 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include "pkcs11lib.h" 26 | 27 | 28 | func_rc pkcs11_change_object_attributes(pkcs11Context *p11Context, char *label, CK_ATTRIBUTE *p_attr, size_t cnt, int interactive) 29 | { 30 | 31 | func_rc rv=rc_ok; 32 | pkcs11Search *search=NULL; 33 | pkcs11IdTemplate *idtmpl=NULL; 34 | 35 | idtmpl = pkcs11_create_id(label); 36 | 37 | if(idtmpl && pkcs11_sizeof_idtemplate(idtmpl)>0) { 38 | 39 | search = pkcs11_new_search_from_idtemplate( p11Context, idtmpl ); 40 | 41 | if(search) { /* we just need one hit */ 42 | 43 | CK_OBJECT_HANDLE hndl=0; 44 | 45 | while( (hndl = pkcs11_fetch_next(search))!=0 ) { 46 | /* set the attributes */ 47 | 48 | CK_RV rc; 49 | int ok_to_move=1; 50 | char choice; 51 | 52 | if(interactive) { 53 | pkcs11AttrList *attrs; 54 | char *prefixptr; 55 | ok_to_move=0; 56 | 57 | attrs = pkcs11_new_attrlist(p11Context, 58 | _ATTR(CKA_CLASS), 59 | _ATTR(CKA_LABEL), 60 | _ATTR(CKA_ID), 61 | _ATTR_END ); 62 | 63 | if( pkcs11_read_attr_from_handle (attrs, hndl) == true) { 64 | char buffer[81]; 65 | int buffer_len = sizeof buffer; 66 | 67 | CK_ATTRIBUTE_PTR oclass = pkcs11_get_attr_in_attrlist(attrs, CKA_CLASS); 68 | CK_ATTRIBUTE_PTR olabel = pkcs11_get_attr_in_attrlist(attrs, CKA_LABEL); 69 | CK_ATTRIBUTE_PTR oid = pkcs11_get_attr_in_attrlist(attrs, CKA_LABEL); 70 | 71 | 72 | if(oclass) { 73 | switch(*(CK_OBJECT_CLASS *)(oclass->pValue)) { 74 | case CKO_PRIVATE_KEY: 75 | prefixptr = "prvk/"; 76 | break; 77 | 78 | case CKO_PUBLIC_KEY: 79 | prefixptr = "pubk/"; 80 | break; 81 | 82 | case CKO_SECRET_KEY: 83 | prefixptr = "seck/"; 84 | break; 85 | 86 | case CKO_CERTIFICATE: 87 | prefixptr = "cert/"; 88 | break; 89 | 90 | case CKO_DATA: 91 | prefixptr = "data/"; 92 | break; 93 | 94 | default: 95 | prefixptr = "othr/"; 96 | break; 97 | } 98 | 99 | label_or_id(olabel, 
oid, buffer, buffer_len); 100 | 101 | fflush(stdin); 102 | fprintf(stderr, "set attributes on %s%s ? (y/N)", prefixptr, buffer ); 103 | fflush(stderr); 104 | 105 | choice = getchar(); 106 | /* eat rest of the line + carriage return */ 107 | { int c; while( (c = getchar()) != EOF && c!= '\n'); } 108 | 109 | if ( tolower(choice) == 'y') { 110 | ok_to_move = 1; 111 | } 112 | } 113 | } 114 | pkcs11_delete_attrlist(attrs); 115 | } 116 | 117 | 118 | if(ok_to_move) { 119 | 120 | rc = p11Context->FunctionList.C_SetAttributeValue( p11Context->Session, hndl, p_attr, cnt ); 121 | 122 | if ( rc != CKR_OK ) { 123 | pkcs11_error( rc, "C_SetAttributeValue" ); 124 | rc = rc_error_pkcs11_api; 125 | /* we carry on anyway to cycle through all objects */ 126 | } 127 | } 128 | } 129 | pkcs11_delete_search(search); 130 | } 131 | pkcs11_delete_idtemplate(idtmpl); 132 | } 133 | 134 | return rv; 135 | } 136 | -------------------------------------------------------------------------------- /lib/pkcs11_context.c: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2018 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 
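*/


#include
#include
#include
#include
/* #include */
#include
#include "pkcs11lib.h"

/*
 * pkcs11_newContext: allocate a library context.
 *
 * libraryname  path to the PKCS#11 shared library. Only its existence is
 *              checked here; loading is done by pkcs11_initialize(). The
 *              pointer is kept as-is (not copied), so it must outlive the
 *              context.
 * nssconfigdir optional NSS configuration directory. When non-NULL, an NSS
 *              initialisation string "configDir='<dir>'" is built and owned
 *              by the context (released by pkcs11_freeContext()).
 *
 * Returns the zero-filled context, or NULL when the library file is missing
 * or memory cannot be allocated. Errors are reported on stderr.
 */
pkcs11Context * pkcs11_newContext( char *libraryname, char *nssconfigdir )
{
    pkcs11Context * p11Context = NULL;
    char *nssinitparams = NULL;
    size_t nssinitparams_len = 0;

    if ( ( access( libraryname, F_OK ) ) != 0 )
    {
	fprintf( stderr, "Error: PKCS#11 Library [ %s ] does not exist!\n", libraryname );
	goto err;
    }

    if(nssconfigdir!=NULL) {
	/* "configDir=''" is 12 characters, plus the terminating NUL */
	nssinitparams_len = strlen(nssconfigdir) + 13;
	nssinitparams = malloc( nssinitparams_len );

	if(!nssinitparams) {
	    fprintf(stderr, "Error: Cannot allocate memory\n");
	    goto err;
	}
    }

    p11Context = calloc(1,sizeof(pkcs11Context)); /* we want it be cleared */

    if(p11Context==NULL) {
	fprintf(stderr, "Error: Cannot allocate memory\n");
	goto err;
    }

    p11Context->library = libraryname;
    if(nssconfigdir!=NULL) {
	/* bounded write; the buffer was sized from the same string above */
	snprintf(nssinitparams, nssinitparams_len, "configDir='%s'", nssconfigdir);
    }

    p11Context->nssinitparams = nssinitparams;
    nssinitparams = NULL;	/* ownership transferred to the context */
#ifdef HAVE_DUPLICATES_ENABLED
    p11Context->can_duplicate = false;
#endif

err:
    /* still non-NULL only when calloc() of the context failed above */
    if(nssinitparams) free(nssinitparams);

    return p11Context;
}


/*
 * pkcs11_freeContext: release a context created by pkcs11_newContext().
 * Frees the NSS init string owned by the context, then the context itself.
 * Safe on NULL. The library handle is not touched here (see pkcs11_finalize()).
 */
void pkcs11_freeContext( pkcs11Context *p11Context )
{
    if(p11Context==NULL) {
	return;
    }

    free(p11Context->nssinitparams);	/* free(NULL) is a no-op */
    p11Context->nssinitparams = NULL;
    free(p11Context);
}

/*
 * pkcs11_initialize: load the PKCS#11 library and call C_Initialize().
 *
 * Resolves C_GetFunctionList, copies the function list into the context and
 * initialises the library with OS locking enabled. When an NSS init string is
 * present and the library rejects the standard arguments with
 * CKR_ARGUMENTS_BAD, the NSS-specific structure is tried, then no arguments.
 *
 * Returns rc_ok (also when the library reports
 * CKR_CRYPTOKI_ALREADY_INITIALIZED), or rc_dlopen_error / rc_dlsym_error /
 * rc_dlfunc_error / rc_error_pkcs11_api. On failure the library handle is
 * closed again and p11Context->initialized is left unset.
 */
func_rc pkcs11_initialize( pkcs11Context * p11Context )
{
    func_rc rc = rc_ok;
    CK_RV rv;
    CK_FUNCTION_LIST_PTR pFunctionList;
    CK_C_GetFunctionList pC_GetFunctionList = NULL;
    CK_C_Initialize pC_Initialize;
    CK_C_INITIALIZE_ARGS InitArgs;
    CK_NSS_C_INITIALIZE_ARGS NSS_InitArgs;

    if ( ( p11Context->libhandle = pkcs11_ll_dynlib_open((const char *) p11Context->library) ) == NULL )
    {
	rc = rc_dlopen_error;
	goto err;
    }

    if ( ( pC_GetFunctionList = ( CK_C_GetFunctionList ) pkcs11_ll_dynlib_getfunc( p11Context->libhandle, "C_GetFunctionList" ) ) == NULL )
    {
	rc = rc_dlsym_error;
	goto err;
    }

    if ( ( rv = pC_GetFunctionList( &pFunctionList ) ) != CKR_OK )
    {
	pkcs11_error( rv, "C_GetFunctionList" );
	rc = rc_dlfunc_error;
	goto err;
    }

    p11Context->FunctionList = *pFunctionList;

    /* no mutex callbacks: CKF_OS_LOCKING_OK lets the library use native OS
       locking. This tool is single-threaded, but some libraries insist on
       seeing the flag. */
    InitArgs.CreateMutex = NULL_PTR;
    InitArgs.DestroyMutex = NULL_PTR;
    InitArgs.LockMutex = NULL_PTR;
    InitArgs.UnlockMutex = NULL_PTR;
    InitArgs.flags = CKF_OS_LOCKING_OK;
    InitArgs.pReserved = NULL_PTR;

    /* NSS variant of the structure, carrying the "configDir=..." string */
    NSS_InitArgs.CreateMutex = NULL_PTR;
    NSS_InitArgs.DestroyMutex = NULL_PTR;
    NSS_InitArgs.LockMutex = NULL_PTR;
    NSS_InitArgs.UnlockMutex = NULL_PTR;
    NSS_InitArgs.flags = CKF_OS_LOCKING_OK;
    NSS_InitArgs.LibraryParameters = (CK_CHAR_PTR *) p11Context->nssinitparams;
    NSS_InitArgs.pReserved = NULL_PTR;

    pC_Initialize = pFunctionList->C_Initialize;

    rv = pC_Initialize( &InitArgs );

    /* NSS rejects the standard arguments with CKR_ARGUMENTS_BAD when it
       expects its own structure: retry with it, then without arguments */
    if ( rv == CKR_ARGUMENTS_BAD && p11Context->nssinitparams!=NULL )
    {
	rv = pC_Initialize( &NSS_InitArgs );
	if ( rv == CKR_ARGUMENTS_BAD )
	{
	    pkcs11_error( rv, "C_Initialize" );
	    rv = pC_Initialize( NULL_PTR );
	}
    }

    /* the outcome of the last attempt is checked whatever path was taken.
       Previously, with an NSS init string present, any error other than
       CKR_ARGUMENTS_BAD was ignored and the context marked initialized. */
    if ( rv!=CKR_OK && rv!=CKR_CRYPTOKI_ALREADY_INITIALIZED )
    {
	pkcs11_error( rv, "C_Initialize" );
	rc = rc_error_pkcs11_api;
	goto err;
    }

    p11Context->initialized = CK_TRUE;
    return rc;

err:
    /* failed before the library became usable: do not leak the handle */
    if(p11Context->libhandle) {
	pkcs11_ll_dynlib_close(p11Context->libhandle);
	p11Context->libhandle = NULL;
    }
    return rc;
}

/*
 * pkcs11_finalize: call C_Finalize() on an initialised context and unload the
 * library. No-op when the context is NULL or was never initialised.
 * Returns rc_ok, or rc_error_pkcs11_api when C_Finalize() failed (the library
 * is unloaded regardless).
 */
func_rc pkcs11_finalize( pkcs11Context * p11Context )
{
    func_rc rc = rc_ok;

    if(p11Context==NULL || !p11Context->initialized) {
	return rc;
    }

    if( p11Context->FunctionList.C_Finalize ) {
	CK_RV retCode = p11Context->FunctionList.C_Finalize( NULL_PTR );
	if ( retCode != CKR_OK ) {
	    pkcs11_error( retCode, "C_Finalize" );
	    rc = rc_error_pkcs11_api;
	}
    }

    p11Context->initialized = CK_FALSE;

    if(p11Context->libhandle) {
	pkcs11_ll_dynlib_close(p11Context->libhandle);
	p11Context->libhandle=NULL;
    }

    return rc;
}


/*
 * pkcs11_exit: unload the library (if loaded) and terminate the process with
 * the given status. C_Finalize() is NOT called here.
 */
void pkcs11_exit(pkcs11Context *p11Context, int status)
{
    if(p11Context!=NULL && p11Context->libhandle!=NULL) {
	pkcs11_ll_dynlib_close(p11Context->libhandle);
    }
    exit(status);
}

/*
 *--------------------------------------------------------------------------------
 * $Log$
 *--------------------------------------------------------------------------------
 */
-------------------------------------------------------------------------------- /lib/pkcs11_data.c: --------------------------------------------------------------------------------
/* -*- mode: c; c-file-style:"stroustrup"; -*- */

/*
 * Copyright (c) 2018 Mastercard
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.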
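* See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include
#include
#include
#include

#include "pkcs11lib.h"


/* a byte buffer loaded from disk, together with its length */
typedef struct {
    CK_BYTE_PTR d;
    CK_ULONG l;
} DATA;

/*
 * new_DATA_from_file: load the whole content of a file into memory.
 *
 * filename  path of the file, opened in binary mode.
 *
 * Returns a DATA holding the file content, or NULL when the file cannot be
 * opened, its size cannot be determined, memory is short, or the read is
 * incomplete. An empty file also yields NULL (a zero length doubles as the
 * failure marker). Errors are reported on stderr.
 */
static DATA * new_DATA_from_file(char *filename)
{
    DATA * rv = NULL;
    FILE *fp = NULL;
    long filesize;

    fp = fopen(filename,"rb");	/* open in binary mode */

    if(fp==NULL) {
	perror("***File error");
	goto cleanup;
    }

    if(fseek(fp, 0L, SEEK_END)<0) {
	perror("***File error");
	goto cleanup;
    }

    /* ftell() returns -1 on error (e.g. a non-seekable stream); it used to be
       stored unchecked into the unsigned length, producing a huge malloc() */
    filesize = ftell(fp);
    if(filesize<0) {
	perror("***File error");
	goto cleanup;
    }

    /* allocate structure */
    rv = calloc(1, sizeof (DATA));

    if(rv==NULL) {
	fprintf(stderr, "***malloc error");
	goto cleanup;
    }

    rv->l = (CK_ULONG)filesize;	/* data len */
    rv->d = malloc(rv->l);	/* and allocate */
    if(rv->d==NULL) {
	fprintf(stderr, "***malloc error");
	rv->l = 0;		/* so cleanup frees rv instead of returning d==NULL */
	goto cleanup;
    }

    rewind(fp);
    /* a short read invalidates the buffer: mark it for cleanup */
    if(fread(rv->d, 1, rv->l, fp) != rv->l) {
	if(ferror(fp)) {
	    perror("***file error");
	} else {
	    fprintf(stderr, "***file error: short read\n");
	}
	rv->l = 0;
    }

cleanup:

    /* if rv not null but rv->l==0, operation did not complete */
    if(rv && rv->l==0) {
	/* empty file, or failure at the malloc()/fread() step */
	if(rv->d!=NULL) { free(rv->d); }
	free(rv);
	rv=NULL;
    }

    /* close file */
    if (fp!=NULL) { fclose(fp); fp=NULL; }

    return rv;
}



/* free_DATA: release a DATA and its buffer; safe on NULL */
static void free_DATA(DATA *data)
{
    if(data==NULL) {
	return;
    }
    if(data->l>0 && data->d) {
	free(data->d);
	data->d=NULL;
	data->l=0;
    }
    free(data);
}


/*
 * pkcs11_importdata: create a CKO_DATA token object from a file.
 *
 * filename  file whose whole content becomes CKA_VALUE.
 * label     CKA_LABEL of the new object; must not be NULL.
 *
 * The object is created as a private, modifiable token object.
 * Returns the new object handle, or 0 (CK_INVALID_HANDLE) when the label is
 * missing, the file cannot be read, or C_CreateObject fails (the PKCS#11
 * error is reported by pkcs11_error()).
 */
CK_OBJECT_HANDLE pkcs11_importdata( pkcs11Context * p11Context, char *filename, char *label)
{
    /* 0 is CK_INVALID_HANDLE; NULL_PTR is a pointer constant, not a handle */
    CK_OBJECT_HANDLE hDATA = 0;
    CK_RV retCode;
    CK_OBJECT_CLASS objClass = CKO_DATA;
    CK_BBOOL ck_true = CK_TRUE;
    size_t label_len = (label!=NULL) ? strlen(label) : 0;
    DATA * data;

    CK_ATTRIBUTE dataTemplate[] = {
	{CKA_CLASS, &objClass, sizeof objClass},	/* 0 */
	{CKA_LABEL, label, label_len },			/* 1 */
	{CKA_TOKEN, &ck_true, sizeof ck_true },		/* 2 */
	{CKA_PRIVATE, &ck_true, sizeof ck_true },	/* 3 */
	{CKA_MODIFIABLE, &ck_true, sizeof ck_true },	/* 4 */
	{CKA_VALUE, NULL, 0 },				/* 5 */
    };

    if(label==NULL) {	/* strlen(label) used to be evaluated unconditionally */
	fprintf(stderr, "***Error: a label is required to import data\n");
	return hDATA;
    }

    data = new_DATA_from_file(filename);

    if(data) {
	/* point to buffer */
	dataTemplate[5].pValue = data->d;
	dataTemplate[5].ulValueLen = data->l;

	retCode = p11Context->FunctionList.C_CreateObject(p11Context->Session,
							  dataTemplate,
							  sizeof(dataTemplate) / sizeof(CK_ATTRIBUTE),
							  &hDATA);

	if(retCode != CKR_OK) {
	    pkcs11_error( retCode, "CreateObject" );
	}

	free_DATA(data);
    }
    return hDATA;
}
-------------------------------------------------------------------------------- /lib/pkcs11_libinfo.c: --------------------------------------------------------------------------------
/* -*- mode: c; c-file-style:"stroustrup"; -*- */

/*
 * Copyright (c) 2018 Mastercard
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.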
*/


#include
#include
#include
#include
#include
#include
#include
#include
#include "pkcs11lib.h"


#define HAS_FLAG(a,fl,t,f) ( (a & fl) ? t : f )
#define IS_VENDOR_DEFINED(m,t,f) ( (m & CKM_VENDOR_DEFINED) == CKM_VENDOR_DEFINED ? t : f )

/* high-level search functions */

/*
 * pkcs11_info_library: print the library path, library and Cryptoki versions,
 * description and manufacturer (as returned by C_GetInfo) on stdout.
 *
 * Returns rc_ok, rc_error_library when the context is NULL or not yet
 * initialised, or rc_error_pkcs11_api when C_GetInfo fails.
 */
func_rc pkcs11_info_library(pkcs11Context *p11Context)
{
    CK_INFO libinfo;
    CK_RV rv;

    if(p11Context==NULL || p11Context->initialized!=CK_TRUE) {
	return rc_error_library;
    }

    rv = p11Context->FunctionList.C_GetInfo(&libinfo);
    if(rv != CKR_OK ) {
	pkcs11_error( rv, "C_GetInfo" );
	return rc_error_pkcs11_api;
    }

    /* libraryDescription and manufacturerID are fixed-size fields that need
       not be NUL-terminated, hence the explicit "%.*s" lengths */
    fprintf( stdout,
	     "PKCS#11 Library\n"
	     "---------------\n"
	     "Name        : %s\n"
	     "Lib version : %d.%d\n"
	     "API version : %d.%d\n"
	     "Description : %.*s\n"
	     "Manufacturer: %.*s\n"
	     "\n",
	     p11Context->library,
	     libinfo.libraryVersion.major, libinfo.libraryVersion.minor,
	     libinfo.cryptokiVersion.major, libinfo.cryptokiVersion.minor,
	     (int)sizeof(libinfo.libraryDescription), libinfo.libraryDescription,
	     (int)sizeof(libinfo.manufacturerID), libinfo.manufacturerID
	);

    return rc_ok;
}

/* EOF */
-------------------------------------------------------------------------------- /lib/pkcs11_ll_unix.c: --------------------------------------------------------------------------------
/* -*- mode: c; c-file-style:"stroustrup"; -*- */

/*
 * Copyright (c) 2018 Mastercard
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 17 | */ 18 | 19 | /* -*- mode: cc; c-file-style:stroustrup; -*- */ 20 | 21 | /* pkcs11_ll_unix: low-level UNIX services */ 22 | 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include "pkcs11lib.h" 33 | 34 | 35 | 36 | void * pkcs11_ll_dynlib_open( const char *libname) { 37 | void * handle = NULL; 38 | 39 | if(libname) { 40 | if(( handle = dlopen( ( const char * ) libname, RTLD_LAZY|RTLD_GLOBAL ) ) == NULL ) 41 | { 42 | fprintf( stderr, "Error: dlopen() call failed: %s\n", dlerror() ); 43 | } 44 | } 45 | return handle; 46 | } 47 | 48 | 49 | void pkcs11_ll_dynlib_close( void * handle ) { 50 | 51 | if(handle) { 52 | if(dlclose(handle)!=0) 53 | { 54 | fprintf( stderr, "Warning: dlclose() call failed: %s\n", dlerror() ); 55 | } 56 | } 57 | } 58 | 59 | 60 | void * pkcs11_ll_dynlib_getfunc(void *handle, const char *funcname) { 61 | void * funcptr = NULL; 62 | 63 | if(handle && funcname) { 64 | if ((funcptr = dlsym( handle, funcname ) ) == NULL ) 65 | { 66 | fprintf( stderr, "Error: dlsym() call failed: %s\n", dlerror() ); 67 | } 68 | } 69 | 70 | return funcptr; 71 | } 72 | 73 | 74 | void pkcs11_ll_echo_off(void) 75 | { 76 | struct termios flags; 77 | 78 | if(tcgetattr(fileno(stdin), &flags) !=0 ) { 79 | perror("Issue with getting terminal attribute"); 80 | exit( RC_ERROR_READ_INPUT ); 81 | } 82 | 83 | flags.c_lflag &= ~ECHO; /* shut down ECHO */ 84 | flags.c_lflag |= ECHONL | ICANON; /* set canonical mode and echoes new line character */ 85 | 86 | 
if(tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) { 87 | perror("Oops cannot set terminal mode"); 88 | exit( RC_ERROR_READ_INPUT ); 89 | } 90 | } 91 | 92 | 93 | void pkcs11_ll_echo_on(void) 94 | { 95 | struct termios flags; 96 | 97 | if(tcgetattr(fileno(stdin), &flags) !=0 ) { 98 | perror("Issue with getting terminal attribute"); 99 | exit( RC_ERROR_READ_INPUT ); 100 | } 101 | 102 | flags.c_lflag |= ECHO; /* enable ECHO */ 103 | flags.c_lflag |= ECHONL | ICANON; /* set canonical mode and echoes new line character */ 104 | 105 | if(tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) { 106 | perror("Oops cannot set terminal mode"); 107 | exit( RC_ERROR_READ_INPUT ); 108 | } 109 | } 110 | 111 | void pkcs11_ll_clear_screen(void) 112 | { 113 | /* we clear the console using ANSI codes */ 114 | printf("\033c\033[2J\033[H"); 115 | 116 | } 117 | 118 | 119 | char *pkcs11_ll_basename(char *path) 120 | { 121 | char *base = strrchr(path, '/'); 122 | return base ? base+1 : path; 123 | } 124 | 125 | 126 | void pkcs11_ll_set_binary(FILE *fp) 127 | { 128 | // do nothing. On unix, makes no difference. 129 | } 130 | 131 | 132 | /* we leverage on gnulib to define bswap_32 appropriately */ 133 | /* whatever the UNIX platform. */ 134 | /* if there is an error a compile time, please check m4/local_fix_bswap.m4 */ 135 | /* add add according support */ 136 | 137 | inline unsigned long pkcs11_ll_bigendian_ul(unsigned long argul) 138 | { 139 | #if defined(WORDS_BIGENDIAN) /* we are in Big Endian */ 140 | return argul; 141 | #else /* we are in little Endian */ 142 | 143 | #if SIZEOF_UNSIGNED_LONG_INT==4 144 | return bswap_32(argul); 145 | #elif SIZEOF_UNSIGNED_LONG_INT==8 146 | return bswap_64(argul); 147 | #else 148 | #error "Error: unsupported unsigned long size." 
149 | #endif 150 | #endif 151 | } 152 | -------------------------------------------------------------------------------- /lib/pkcs11_ll_win.c: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2018 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 17 | */ 18 | 19 | 20 | /* pkcs11_ll_win: low-level Windows services */ 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | 29 | #include 30 | #include 31 | 32 | #include "pkcs11lib.h" 33 | 34 | 35 | 36 | void * pkcs11_ll_dynlib_open( const char *libname) { 37 | void * handle = NULL; 38 | 39 | if(libname) { 40 | if(( handle = LoadLibrary( ( const char * ) libname ) ) == NULL ) 41 | { 42 | fprintf( stderr, "Error: LoadLibrary() returned %08.8lx\n", GetLastError() ); 43 | } 44 | } 45 | return handle; 46 | } 47 | 48 | 49 | void pkcs11_ll_dynlib_close( void * handle ) { 50 | 51 | if(handle) { 52 | if(FreeLibrary(handle)!=TRUE) 53 | { 54 | fprintf( stderr, "Warning: FreeLibrary() returned %08.8lx\n", GetLastError() ); 55 | } 56 | } 57 | } 58 | 59 | 60 | void * pkcs11_ll_dynlib_getfunc(void *handle, const char *funcname) { 61 | void * funcptr = NULL; 62 | 63 | if(handle && funcname) { 64 | if ((funcptr = GetProcAddress( handle, funcname ) ) == NULL ) 65 | { 66 | fprintf( stderr, "Error: GetProcAddress() returned %08.8lx\n", 
GetLastError() ); 67 | } 68 | } 69 | 70 | return funcptr; 71 | } 72 | 73 | 74 | void pkcs11_ll_init_screen(void) {} 75 | 76 | void pkcs11_ll_release_screen(void) {} 77 | 78 | 79 | void pkcs11_ll_echo_off(void) 80 | { 81 | DWORD con_mode; 82 | HANDLE hIn=GetStdHandle(STD_INPUT_HANDLE); 83 | 84 | GetConsoleMode( hIn, &con_mode ); 85 | SetConsoleMode( hIn, con_mode & ~(ENABLE_ECHO_INPUT) ); 86 | } 87 | 88 | void pkcs11_ll_echo_on(void) 89 | { 90 | DWORD con_mode; 91 | HANDLE hIn=GetStdHandle(STD_INPUT_HANDLE); 92 | 93 | GetConsoleMode( hIn, &con_mode ); 94 | SetConsoleMode( hIn, con_mode | ENABLE_ECHO_INPUT ); 95 | } 96 | 97 | 98 | 99 | void pkcs11_ll_clear_screen(void) 100 | { 101 | /* the code below has been taken from http://support.microsoft.com/kb/99261 */ 102 | 103 | /* Standard error macro for reporting API errors */ 104 | #define PERR(bSuccess, api){if(!(bSuccess)) printf("%s:Error %d from %s on line %d\n", __FILE__, GetLastError(), api, __LINE__);} 105 | 106 | COORD coordScreen = { 0, 0 }; /* here's where we'll home the 107 | cursor */ 108 | BOOL bSuccess; 109 | DWORD cCharsWritten; 110 | CONSOLE_SCREEN_BUFFER_INFO csbi; /* to get buffer info */ 111 | DWORD dwConSize; /* number of character cells in 112 | the current buffer */ 113 | HANDLE hConsole; 114 | 115 | /* get the number of character cells in the current buffer */ 116 | hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 117 | 118 | bSuccess = GetConsoleScreenBufferInfo( hConsole, &csbi ); 119 | PERR( bSuccess, "GetConsoleScreenBufferInfo" ); 120 | dwConSize = csbi.dwSize.X * csbi.dwSize.Y; 121 | 122 | /* fill the entire screen with blanks */ 123 | 124 | bSuccess = FillConsoleOutputCharacter( hConsole, (TCHAR) ' ', dwConSize, coordScreen, &cCharsWritten ); 125 | PERR( bSuccess, "FillConsoleOutputCharacter" ); 126 | 127 | /* get the current text attribute */ 128 | 129 | bSuccess = GetConsoleScreenBufferInfo( hConsole, &csbi ); 130 | PERR( bSuccess, "ConsoleScreenBufferInfo" ); 131 | 132 | /* now set the 
buffer's attributes accordingly */ 133 | 134 | bSuccess = FillConsoleOutputAttribute( hConsole, csbi.wAttributes, dwConSize, coordScreen, &cCharsWritten ); 135 | PERR( bSuccess, "FillConsoleOutputAttribute" ); 136 | 137 | /* put the cursor at (0, 0) */ 138 | 139 | bSuccess = SetConsoleCursorPosition( hConsole, coordScreen ); 140 | PERR( bSuccess, "SetConsoleCursorPosition" ); 141 | } 142 | 143 | 144 | char *pkcs11_ll_basename(char *path) 145 | { 146 | char *base = strrchr(path, '\\'); 147 | return base ? base+1 : path; 148 | } 149 | 150 | 151 | void pkcs11_ll_set_binary(FILE *fp) 152 | { 153 | int result; 154 | 155 | result = _setmode ( _fileno (fp), _O_BINARY ); 156 | if(result== -1) { 157 | perror("Cannot set binary mode on file"); 158 | } 159 | } 160 | 161 | /* we leverage on gnulib to define bswap_32 appropriately */ 162 | /* whatever the UNIX platform. */ 163 | /* if there is an error a compile time, please check m4/local_fix_bswap.m4 */ 164 | /* add add according support */ 165 | 166 | inline unsigned long pkcs11_ll_bigendian_ul(unsigned long argul) 167 | { 168 | #if defined(WORDS_BIGENDIAN) /* we are in Big Endian */ 169 | return argul; /* very unlikely, but you never know... */ 170 | #else /* we are in little Endian */ 171 | #if SIZEOF_UNSIGNED_LONG_INT==4 172 | return _byteswap_ulong(argul); 173 | #elif SIZEOF_UNSIGNED_LONG_INT==8 174 | return _byteswap_uint64(argul); 175 | #else 176 | #error "Error: unsupported unsigned long size." 177 | #endif 178 | #endif 179 | } 180 | -------------------------------------------------------------------------------- /lib/pkcs11_mechanism.c: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2018 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 
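* You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */


#include
#include
#include
#include
#include "pkcs11lib.h"



/* one (CKM_* value, "CKM_*" name) pair; both tables below are built from it */
typedef struct s_mechanism_desc {
    CK_MECHANISM_TYPE type;
    const char *desc;
} MechanismDesc;

/* ordered by type - the default in _mechinfo.h */
static MechanismDesc _m[] = {

#include "_mechinfo.h"

};

/* ordered by name - we must sort before first use */
static MechanismDesc _n[] = {

#include "_mechinfo.h"

};

static bool _n_sorted = false;

/* qsort()/bsearch() comparator on the name, case-insensitive */
static int compare_CKM_desc( const void *a, const void *b)
{
    const MechanismDesc *mech_a = a;
    const MechanismDesc *mech_b = b;
    return strcasecmp(mech_a->desc, mech_b->desc);
}


/*
 * bsearch() comparator on the mechanism type.
 * CK_MECHANISM_TYPE is an unsigned long: subtracting and narrowing to int
 * would not order correctly, so compare explicitly and return -1, 0 or 1.
 * qsort()/bsearch() never pass NULL, so the former NULL check (which called
 * exit() from inside a comparator) is gone.
 */
static int compare_CKM_type( const void *a, const void *b)
{
    CK_MECHANISM_TYPE ta = ((const MechanismDesc *)a)->type;
    CK_MECHANISM_TYPE tb = ((const MechanismDesc *)b)->type;
    return (ta > tb) - (ta < tb);
}

/*
 * pkcs11_get_mechanism_type_from_name: map a "CKM_..." name to its value.
 * The lookup is case-insensitive. Returns 0xFFFFFFFF when the name is NULL
 * or unknown. The name-ordered table is sorted on first use (not thread-safe).
 */
CK_MECHANISM_TYPE pkcs11_get_mechanism_type_from_name(char *name)
{
    CK_MECHANISM_TYPE retval = 0xFFFFFFFF;
    size_t array_size = sizeof(_n)/sizeof(MechanismDesc);
    MechanismDesc candidate = { 0xFFFFFFFF, name };
    MechanismDesc *match;

    if(name==NULL) {	/* strcasecmp() would dereference it */
	return retval;
    }

    if(_n_sorted == false) { /* sort the table on the desc member */
	qsort( _n, array_size, sizeof(MechanismDesc), compare_CKM_desc);
	_n_sorted = true;
    }

    match = bsearch( &candidate, _n, array_size, sizeof(MechanismDesc), compare_CKM_desc);

    if(match) { retval = match->type; }

    return retval;
}

/*
 * pkcs11_get_mechanism_name_from_type: map a mechanism value to its name.
 * Relies on _m being in ascending type order, as generated in _mechinfo.h.
 * Returns "CKM_VENDOR_DEFINED" for an unknown value with the vendor bit set,
 * "CKM_UNKNOWN_MECHANISM" for any other unknown value.
 */
const char *pkcs11_get_mechanism_name_from_type(CK_MECHANISM_TYPE mech)
{
    size_t array_size = sizeof(_m)/sizeof(MechanismDesc);
    MechanismDesc candidate = { mech, "" };
    MechanismDesc *match = bsearch( &candidate, _m, array_size, sizeof(MechanismDesc), compare_CKM_type);

    if(match) {
	return match->desc;
    }
    if(mech & CKM_VENDOR_DEFINED) {
	return "CKM_VENDOR_DEFINED";
    }
    return "CKM_UNKNOWN_MECHANISM";
}


-------------------------------------------------------------------------------- /lib/pkcs11_openssl.c: --------------------------------------------------------------------------------
/* -*- mode: c; c-file-style:"stroustrup"; -*- */

/*
 * Copyright (c) 2018 Mastercard
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.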
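* See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include "pkcs11lib.h"

/* OpenSSL version tag */

/* pkcs11_openssl_version: the version string of the linked OpenSSL library */
inline const char * pkcs11_openssl_version(void)
{
    return SSLeay_version(SSLEAY_VERSION);
}


/* OpenSSL error management */

/*
 * pkcs11_openssl_error: pop the oldest OpenSSL error and report it on stderr,
 * together with the caller's file:line (normally supplied by the P_ERR()
 * macro). Error strings are loaded on first use. Silent when the OpenSSL
 * error queue is empty.
 */
void pkcs11_openssl_error(char *file, int line)
{
    static int strings_loaded=0;
    int err_line = 0;
    const char *err_file = NULL;
    unsigned long err;

    if(!strings_loaded) {
	ERR_load_crypto_strings();
	strings_loaded=1;
    }

    err = ERR_get_error_line(&err_file, &err_line);
    if(err==0) {
	return;
    }
    fprintf(stderr, "*** OpenSSL ERROR at %s:%d '%s' - (from %s:%d)\n", file, line, ERR_error_string(err,NULL), err_file, err_line );
}


/* SHA-1 goodies, namely used for generating SHA-1 over public key components */
/* to setup ID */

/*
 * pkcs11_openssl_alloc_and_sha1: SHA-1 digest of a byte buffer.
 *
 * data, datalen  input to hash; datalen must be > 0.
 * buf            out-parameter; *buf must be NULL on entry. On success it
 *                receives an OPENSSL_malloc()'ed SHA_DIGEST_LENGTH buffer to
 *                be released with pkcs11_openssl_free().
 *
 * Returns the digest length, or 0 on bad arguments or OpenSSL failure. On
 * failure *buf is left NULL: previously a partially-written buffer was handed
 * back with a 0 length, which callers would leak or misuse.
 */
CK_ULONG pkcs11_openssl_alloc_and_sha1(CK_BYTE_PTR data, CK_ULONG datalen, CK_VOID_PTR_PTR buf)
{
    CK_ULONG rv=0;

    if(data!=NULL && datalen>0 && buf!=NULL && *buf==NULL) {
	EVP_MD_CTX *mdctx = NULL;
	const EVP_MD *md = NULL;
	unsigned int md_len = 0;

	if( (*buf = OPENSSL_malloc(SHA_DIGEST_LENGTH)) == NULL ) {
	    P_ERR();
	    goto error;
	}

	md = EVP_sha1();
	if ((mdctx = EVP_MD_CTX_create()) == NULL ) {
	    P_ERR();
	    goto error;
	}

	if(EVP_DigestInit_ex(mdctx, md, NULL) == 0 ){
	    P_ERR();
	    goto error;
	}

	if(EVP_DigestUpdate(mdctx, data, datalen) == 0) {
	    P_ERR();
	    goto error;
	}

	if(EVP_DigestFinal_ex(mdctx, *buf, &md_len) == 0) {
	    P_ERR();
	    goto error;
	}

	rv = md_len;

    error:

	if(mdctx) { EVP_MD_CTX_destroy(mdctx); mdctx=NULL; }

	/* do not return a half-written digest buffer on failure */
	if(rv==0 && *buf) { OPENSSL_free(*buf); *buf=NULL; }
    }
    return rv;
}

/* pkcs11_openssl_free: release a buffer from pkcs11_openssl_alloc_and_sha1();
   resets *buf to NULL. Safe on NULL / already-freed. */
inline void pkcs11_openssl_free(CK_VOID_PTR_PTR buf)
{
    if(buf==NULL || *buf==NULL) {
	return;
    }
    OPENSSL_free(*buf);
    *buf=NULL;
}
-------------------------------------------------------------------------------- /lib/pkcs11_ossl.h: --------------------------------------------------------------------------------
/* -*- mode: c; c-file-style:"stroustrup"; -*- */

/*
 * Copyright (c) 2020 Mastercard
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef __PKCS11_OSSL_H__
#define __PKCS11_OSSL_H__

void fake_sign(unsigned char *sig, size_t siglen);


#endif /* __PKCS11_OSSL_H__ */
-------------------------------------------------------------------------------- /lib/pkcs11_ossl_fake_sign.c: --------------------------------------------------------------------------------
/* -*- mode: c; c-file-style:"stroustrup"; -*- */

/*
 * Copyright (c) 2020 Mastercard
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.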
8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 17 | */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include "pkcs11lib.h" 23 | 24 | void fake_sign(unsigned char *sig, size_t siglen) 25 | { 26 | /* we expect to get *siglen properly sized */ 27 | int i; 28 | 29 | /* the following sequence will let appear "++FAKE++" once encoded in base64 */ 30 | /* the same sesuence is repeated 3 times, but each time with a shift of 2 bits */ 31 | /* in order to cover all encoding possibilities */ 32 | 33 | unsigned char repeat[] = { 34 | 0xfb, 0xe1, 0x40, 0x28, 0x4f, 0xbe, 0x3e, 0xf8, 35 | 0x50, 0x0a, 0x13, 0xef, 0x8f, 0xbe, 0x14, 0x02, 36 | 0x84, 0xfb, 0xe0, 37 | }; 38 | 39 | for(i=0; i 21 | #include 22 | #include 23 | #include 24 | #include "pkcs11lib.h" 25 | 26 | func_rc pkcs11_getrandombytes(pkcs11Context *p11Context, CK_BYTE_PTR buffer, CK_ULONG desired_length) 27 | { 28 | func_rc rc=rc_ok; 29 | CK_RV rv; 30 | 31 | if(buffer==NULL) { 32 | fprintf(stderr, "input buffer not preallocated.\n"); 33 | rc = rc_error_invalid_parameter_for_method; 34 | goto error; 35 | } 36 | 37 | rv = p11Context->FunctionList.C_GenerateRandom(p11Context->Session, buffer, desired_length); 38 | 39 | if(rv!=CKR_OK) { 40 | pkcs11_error(rv, "C_GenerateRandom"); 41 | rc = rc_error_pkcs11_api; 42 | goto error; 43 | } 44 | 45 | 46 | error: 47 | 48 | return rc; 49 | } 50 | 51 | -------------------------------------------------------------------------------- /lib/pkcs11_rm.c: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 
2 | 3 | /* 4 | * Copyright (c) 2018 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 17 | */ 18 | 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include "pkcs11lib.h" 27 | 28 | 29 | 30 | /* high-level search functions */ 31 | 32 | int pkcs11_rm_objects_with_label(pkcs11Context *p11Context, char *label, int interactive, int verbose) 33 | { 34 | 35 | int rv=0; 36 | pkcs11Search *search=NULL; 37 | 38 | 39 | pkcs11IdTemplate *idtmpl=NULL; 40 | 41 | idtmpl = pkcs11_create_id(label); 42 | 43 | if(idtmpl && pkcs11_sizeof_idtemplate(idtmpl)>0) { 44 | 45 | search = pkcs11_new_search_from_idtemplate( p11Context, idtmpl ); 46 | 47 | if(search) { /* we just need one hit */ 48 | 49 | CK_OBJECT_HANDLE hndl=0; 50 | int ok_to_delete=1; 51 | 52 | while( (hndl = pkcs11_fetch_next(search))!=0 ) { 53 | 54 | if(interactive) { 55 | pkcs11AttrList *attrs; 56 | char * prefixptr; 57 | ok_to_delete=0; 58 | char choice; 59 | 60 | attrs = pkcs11_new_attrlist(p11Context, 61 | _ATTR(CKA_CLASS), 62 | _ATTR(CKA_LABEL), 63 | _ATTR(CKA_ID), 64 | _ATTR_END ); 65 | 66 | if( pkcs11_read_attr_from_handle (attrs, hndl) == true) { 67 | CK_ATTRIBUTE_PTR oclass = pkcs11_get_attr_in_attrlist(attrs, CKA_CLASS); 68 | CK_ATTRIBUTE_PTR olabel = pkcs11_get_attr_in_attrlist(attrs, CKA_LABEL); 69 | CK_ATTRIBUTE_PTR oid = pkcs11_get_attr_in_attrlist(attrs, CKA_ID); 70 | char labelorid[256]; 71 | 72 | if(oclass) { 73 | 
switch(*(CK_OBJECT_CLASS *)(oclass->pValue)) { 74 | case CKO_PRIVATE_KEY: 75 | prefixptr = "prvk/"; 76 | break; 77 | 78 | case CKO_PUBLIC_KEY: 79 | prefixptr = "pubk/"; 80 | break; 81 | 82 | case CKO_SECRET_KEY: 83 | prefixptr = "seck/"; 84 | break; 85 | 86 | case CKO_CERTIFICATE: 87 | prefixptr = "cert/"; 88 | break; 89 | 90 | case CKO_DATA: 91 | prefixptr = "data/"; 92 | break; 93 | 94 | default: 95 | prefixptr = "othr/"; 96 | break; 97 | } 98 | 99 | fprintf(stderr, 100 | "delete %s%s ? (y/N)", 101 | prefixptr, 102 | label_or_id( olabel, oid, labelorid, 256) 103 | ); 104 | 105 | fflush(stderr); 106 | 107 | choice = getchar(); 108 | /* eat rest of the line + carriage return */ 109 | { int c; while( (c = getchar()) != EOF && c!= '\n'); } 110 | 111 | if ( tolower(choice) == 'y') { 112 | ok_to_delete = 1; 113 | } 114 | } 115 | } 116 | pkcs11_delete_attrlist(attrs); 117 | } 118 | 119 | 120 | if(ok_to_delete) { 121 | CK_RV rc = p11Context->FunctionList.C_DestroyObject(p11Context->Session, hndl); 122 | if(rc != CKR_OK) { 123 | pkcs11_error( rc, "C_DestroyObject" ); 124 | } 125 | } 126 | 127 | } 128 | pkcs11_delete_search(search); 129 | } 130 | pkcs11_delete_idtemplate(idtmpl); 131 | } 132 | return rv; 133 | } 134 | 135 | /* EOF */ 136 | -------------------------------------------------------------------------------- /lib/pkcs11_wctx.c: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2018 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 
8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 17 | */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include 27 | #include 28 | #include 29 | 30 | #include "pkcs11lib.h" 31 | #include "wrappedkey_lexer.h" 32 | #include "wrappedkey_parser.h" 33 | 34 | 35 | /* wrappedKeyContext will hold information about wrapping/unwrapping keys 36 | 37 | several wrapping methods are supported: 38 | - the regular wrapping methods ( PKCS#1, OAEP, CBC_PAD, AES_KEY_WRAP, AES_KEY_WRAP_PAD ) 39 | - envelope wrapping, where a private key (RSA) wraps a symmetric key, that in turn wraps any kind of key 40 | 41 | to support both models, the structure contains a small array where actual wrapped key info is maintained. 42 | 43 | ... 44 | struct { 45 | CK_BYTE_PTR wrapped_key_buffer; 46 | CK_ULONG wrapped_key_len; 47 | enum wrappingmethod wrapping_meth; 48 | } key[2]; 49 | ... 50 | 51 | the first element is always for the outer key, which is used only for envelope wrapping. 52 | the second element is either used as the inner key in envelope mode, or as the lone key for other wrapping algorithms. 
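/*
 * Allocate and initialise a wrappedKeyCtx bound to p11Context.
 *
 * Returns the new context, or NULL when p11Context is NULL or when any
 * allocation fails (a message is printed on stderr in the latter case).
 *
 * On failure the partially built context is released through
 * pkcs11_free_wrappedkeycontext(), which owns the cleanup of oaep_params,
 * wrpkattribs and pubkattribs. The previous error path additionally freed
 * wrpkattribs/pubkattribs itself before calling that function, so a failed
 * pubkattribs allocation double-freed wrpkattribs.
 */
wrappedKeyCtx *pkcs11_new_wrappedkeycontext(pkcs11Context *p11Context)
{
    wrappedKeyCtx *ctx = NULL;

    if (p11Context) {
        ctx = calloc(1, sizeof(wrappedKeyCtx));

        if (ctx == NULL) {
            fprintf(stderr, "Error: not enough memory when allocating memory for wrappedKeyCtx\n");
            goto error;
        }

        ctx->p11Context = p11Context;

        ctx->oaep_params = calloc(1, sizeof(CK_RSA_PKCS_OAEP_PARAMS));
        if (ctx->oaep_params == NULL) {
            fprintf(stderr, "Error: not enough memory when allocating memory for CK_RSA_PKCS_OAEP_PARAMS of wrappedKeyCtx\n");
            goto error;
        }

        ctx->is_envelope = CK_FALSE;

        ctx->wrpkattribs = pkcs11_new_attribcontext();
        if (ctx->wrpkattribs == NULL) {
            fprintf(stderr, "Error: not enough memory when allocating memory for wrpkattribs member\n");
            goto error;
        }

        ctx->pubkattribs = pkcs11_new_attribcontext();
        if (ctx->pubkattribs == NULL) {
            fprintf(stderr, "Error: not enough memory when allocating memory for pubkattribs member\n");
            goto error;
        }
    }

    return ctx;

error:
    /* single owner of the cleanup: every member is NULL-checked there,
     * and calloc() guarantees untouched members are NULL */
    if (ctx) {
        pkcs11_free_wrappedkeycontext(ctx);
    }
    return NULL;
}

/* Release the allowed-mechanisms array owned by wctx and reset its length. */
inline void pkcs11_wctx_free_mechanisms(wrappedKeyCtx *wctx)
{
    if (wctx && wctx->allowedmechs) {
        free(wctx->allowedmechs);
        wctx->allowedmechs = NULL;
        wctx->allowedmechs_len = 0;
    }
}

/* to use only for transfer of ownership: the array is NOT freed, the
 * context merely stops pointing at it, so the new owner must free it */
inline void pkcs11_wctx_forget_mechanisms(wrappedKeyCtx *wctx)
{
    if (wctx && wctx->allowedmechs) {
        wctx->allowedmechs = NULL;
        wctx->allowedmechs_len = 0;
    }
}

/* Borrowed pointer to the allowed-mechanisms array (NULL when ctx is NULL). */
inline CK_MECHANISM_TYPE_PTR pkcs11_wctx_get_allowed_mechanisms(wrappedKeyCtx *ctx)
{
    return ctx ? ctx->allowedmechs : NULL;
}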
/* Number of entries in the allowed-mechanisms array, 0 when ctx is NULL. */
inline size_t pkcs11_wctx_get_allowed_mechanisms_len(wrappedKeyCtx *ctx)
{
    if (ctx == NULL) {
        return 0;
    }
    return ctx->allowedmechs_len;
}

/* free a heap member and clear the owning slot, no-op when already NULL */
#define WCTX_RELEASE(p) do { if ((p)) { free((p)); (p) = NULL; } } while (0)

/*
 * Release a wrappedKeyCtx and every buffer it owns.
 * Safe to call with NULL. Members are cleared as they are freed so a
 * dangling pointer is never left behind inside the structure.
 */
void pkcs11_free_wrappedkeycontext(wrappedKeyCtx *wctx)
{
    int slot;

    if (wctx == NULL) {
        return;
    }

    /* owned strings: wrapping key label, wrapped key label, file name */
    WCTX_RELEASE(wctx->wrappingkeylabel);
    WCTX_RELEASE(wctx->wrappedkeylabel);
    WCTX_RELEASE(wctx->filename);

    /* allowed mechanisms array */
    pkcs11_wctx_free_mechanisms(wctx);

    /* wrapped key buffers: slot 0 is the outer key, slot 1 the inner/lone key */
    for (slot = 0; slot < 2; ++slot) {
        if (wctx->key[slot].wrapped_key_buffer != NULL) {
            free(wctx->key[slot].wrapped_key_buffer);
            wctx->key[slot].wrapped_key_buffer = NULL;
            wctx->key[slot].wrapped_key_len = 0;
        }
    }

    /* OAEP parameters, including the optional source data they point to */
    if (wctx->oaep_params != NULL) {
        if (wctx->oaep_params->pSourceData != NULL) {
            free(wctx->oaep_params->pSourceData);
            wctx->oaep_params->pSourceData = NULL;
            wctx->oaep_params->ulSourceDataLen = 0L;
        }
        free(wctx->oaep_params);
        wctx->oaep_params = NULL;
    }

    /* AES IV */
    if (wctx->aes_params.iv != NULL) {
        free(wctx->aes_params.iv);
        wctx->aes_params.iv = NULL;
        wctx->aes_params.iv_len = 0L;
    }

    /* public key buffer */
    if (wctx->pubk_buffer != NULL) {
        free(wctx->pubk_buffer);
        wctx->pubk_buffer = NULL;
        wctx->pubk_len = 0;
    }

    /* attribute contexts for the wrapped key and the public key */
    if (wctx->wrpkattribs != NULL) {
        pkcs11_free_attribcontext(wctx->wrpkattribs);
        wctx->wrpkattribs = NULL;
    }

    if (wctx->pubkattribs != NULL) {
        pkcs11_free_attribcontext(wctx->pubkattribs);
        wctx->pubkattribs = NULL;
    }

    /* eventually free up context mem */
    free(wctx);
}

#undef WCTX_RELEASE
17 | */ 18 | 19 | /* wrappedkey_helper.h: header files for wrappedkey_helper.c */ 20 | 21 | #ifndef WRAPPEDKEY_HELPER_H 22 | #define WRAPPEDKEY_HELPER_H 23 | 24 | #include "pkcs11lib.h" 25 | 26 | /* internal functions used by parser */ 27 | func_rc _wrappedkey_parser_wkey_append_attr(wrappedKeyCtx *ctx, CK_ATTRIBUTE_TYPE attrtyp, void *buffer, size_t len ); 28 | func_rc _wrappedkey_parser_wkey_append_cryptogram(wrappedKeyCtx *ctx, unsigned char *b64buffer, int keyindex); 29 | func_rc _wrappedkey_parser_wkey_set_wrapping_key(wrappedKeyCtx *ctx, void *buffer, size_t len); 30 | func_rc _wrappedkey_parser_wkey_set_wrapping_alg(wrappedKeyCtx *ctx, enum wrappingmethod meth, int keyindex ); 31 | func_rc _wrappedkey_parser_wkey_set_wrapping_param_hash(wrappedKeyCtx *ctx, CK_MECHANISM_TYPE hash); 32 | func_rc _wrappedkey_parser_wkey_set_wrapping_param_mgf(wrappedKeyCtx *ctx, CK_MECHANISM_TYPE mgf); 33 | func_rc _wrappedkey_parser_wkey_set_wrapping_param_label(wrappedKeyCtx *ctx, void *buffer, size_t len); 34 | func_rc _wrappedkey_parser_wkey_set_wrapping_param_iv(wrappedKeyCtx *ctx, void *buffer, size_t len); 35 | func_rc _wrappedkey_parser_wkey_set_wrapping_param_flavour(wrappedKeyCtx *wctx, CK_MECHANISM_TYPE wrapalg); 36 | 37 | func_rc _wrappedkey_parser_pubk_append_attr(wrappedKeyCtx *ctx, CK_ATTRIBUTE_TYPE attrtyp, void *buffer, size_t len ); 38 | func_rc _wrappedkey_parser_pubk_append_pem(wrappedKeyCtx *wctx, unsigned char *pem); 39 | 40 | func_rc _wrappedkey_parser_wkey_set_filename(wrappedKeyCtx *wctx, char *filename); 41 | 42 | func_rc _wrappedkey_parser_wkey_assign_list_to_template(wrappedKeyCtx *wctx, CK_ATTRIBUTE_TYPE attrtyp); 43 | func_rc _wrappedkey_parser_pubk_assign_list_to_template(wrappedKeyCtx *wctx, CK_ATTRIBUTE_TYPE attrtyp); 44 | func_rc _wrappedkey_parser_add_mechanism(wrappedKeyCtx *wctx, CK_MECHANISM_TYPE attrtype); 45 | 46 | #endif 47 | -------------------------------------------------------------------------------- /lib/wrappedkey_parser.h: 
-------------------------------------------------------------------------------- 1 | /* A Bison parser, made by GNU Bison 3.0.4. */ 2 | 3 | /* Bison interface for Yacc-like parsers in C 4 | 5 | Copyright (C) 1984, 1989-1990, 2000-2015 Free Software Foundation, Inc. 6 | 7 | This program is free software: you can redistribute it and/or modify 8 | it under the terms of the GNU General Public License as published by 9 | the Free Software Foundation, either version 3 of the License, or 10 | (at your option) any later version. 11 | 12 | This program is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | GNU General Public License for more details. 16 | 17 | You should have received a copy of the GNU General Public License 18 | along with this program. If not, see . */ 19 | 20 | /* As a special exception, you may create a larger work that contains 21 | part or all of the Bison parser skeleton and distribute that work 22 | under terms of your choice, so long as that work isn't itself a 23 | parser generator using the skeleton or a modified version thereof 24 | as a parser skeleton. Alternatively, if you modify or redistribute 25 | the parser skeleton itself, you may (at your option) remove this 26 | special exception, which will cause the skeleton and the resulting 27 | Bison output files to be licensed under the GNU General Public 28 | License without this special exception. 29 | 30 | This special exception was added by the Free Software Foundation in 31 | version 2.2 of Bison. */ 32 | 33 | #ifndef YY_YY_WRAPPEDKEY_PARSER_H_INCLUDED 34 | # define YY_YY_WRAPPEDKEY_PARSER_H_INCLUDED 35 | /* Debug traces. */ 36 | #ifndef YYDEBUG 37 | # define YYDEBUG 0 38 | #endif 39 | #if YYDEBUG 40 | extern int yydebug; 41 | #endif 42 | /* "%code requires" blocks. 
*/ 43 | #line 40 "wrappedkey_parser.y" /* yacc.c:1909 */ 44 | 45 | 46 | #include "pkcs11lib.h" 47 | #include "wrappedkey_helper.h" 48 | 49 | extern void yyerror(wrappedKeyCtx *ctx, const char *s, ...); 50 | extern int yylex(void); 51 | 52 | 53 | #line 54 "wrappedkey_parser.h" /* yacc.c:1909 */ 54 | 55 | /* Token type. */ 56 | #ifndef YYTOKENTYPE 57 | # define YYTOKENTYPE 58 | enum yytokentype 59 | { 60 | OUTER = 258, 61 | INNER = 259, 62 | PUBK = 260, 63 | STRING = 261, 64 | CTYPE = 262, 65 | GRAMMAR_VERSION = 263, 66 | CTYPE_VAL = 264, 67 | WRAPPING_ALG = 265, 68 | WRAPPING_KEY = 266, 69 | PKCS1ALGO = 267, 70 | OAEPALGO = 268, 71 | CBCPADALGO = 269, 72 | RFC3394ALGO = 270, 73 | RFC5649ALGO = 271, 74 | ENVELOPEALGO = 272, 75 | PARAMHASH = 273, 76 | PARAMMGF = 274, 77 | MGFTYPE = 275, 78 | PARAMLABEL = 276, 79 | PARAMIV = 277, 80 | PARAMFLAVOUR = 278, 81 | PARAMOUTER = 279, 82 | PARAMINNER = 280, 83 | CKATTR_BOOL = 281, 84 | CKATTR_STR = 282, 85 | CKATTR_DATE = 283, 86 | CKATTR_KEY = 284, 87 | CKATTR_CLASS = 285, 88 | CKATTR_TEMPLATE = 286, 89 | CKATTR_ALLOWEDMECH = 287, 90 | TOK_BOOLEAN = 288, 91 | TOK_DATE = 289, 92 | KEYTYPE = 290, 93 | OCLASS = 291, 94 | CKMECH = 292, 95 | DOTTEDNUMBER = 293, 96 | WRAPPINGJOBHEADER = 294, 97 | P_WRAPPINGKEY = 295, 98 | P_FILENAME = 296, 99 | P_ALGORITHM = 297 100 | }; 101 | #endif 102 | 103 | /* Value type. */ 104 | #if ! defined YYSTYPE && ! 
defined YYSTYPE_IS_DECLARED 105 | 106 | union YYSTYPE 107 | { 108 | #line 53 "wrappedkey_parser.y" /* yacc.c:1909 */ 109 | 110 | CK_ATTRIBUTE_TYPE ckattr; 111 | CK_KEY_TYPE val_key; 112 | CK_OBJECT_CLASS val_cls; 113 | CK_BBOOL val_bool; 114 | CK_MECHANISM_TYPE val_mech; 115 | CK_RSA_PKCS_MGF_TYPE val_mgf; 116 | 117 | enum contenttype val_contenttype; 118 | enum wrappingmethod val_wrappingmethod; 119 | CK_MECHANISM_TYPE val_wrapalg; 120 | 121 | struct { /* HEX encoded - or real string */ 122 | char *val; 123 | size_t len; 124 | } val_str; 125 | 126 | union { 127 | struct { 128 | char year[4]; 129 | char month[2]; 130 | char day[2]; 131 | } as_ck_date; 132 | char as_buffer[8]; 133 | } val_date; 134 | 135 | unsigned char *val_pem; /* used to hold PEM-encoded blocks */ 136 | char *val_dottednumber; 137 | 138 | #line 139 "wrappedkey_parser.h" /* yacc.c:1909 */ 139 | }; 140 | 141 | typedef union YYSTYPE YYSTYPE; 142 | # define YYSTYPE_IS_TRIVIAL 1 143 | # define YYSTYPE_IS_DECLARED 1 144 | #endif 145 | 146 | 147 | extern YYSTYPE yylval; 148 | 149 | int yyparse (wrappedKeyCtx *ctx); 150 | 151 | #endif /* !YY_YY_WRAPPEDKEY_PARSER_H_INCLUDED */ 152 | -------------------------------------------------------------------------------- /m4/ax_lib_socket_nsl.m4: -------------------------------------------------------------------------------- 1 | # =========================================================================== 2 | # https://www.gnu.org/software/autoconf-archive/ax_lib_socket_nsl.html 3 | # =========================================================================== 4 | # 5 | # SYNOPSIS 6 | # 7 | # AX_LIB_SOCKET_NSL 8 | # 9 | # DESCRIPTION 10 | # 11 | # This macro figures out what libraries are required on this platform to 12 | # link sockets programs. 13 | # 14 | # The common cases are not to need any extra libraries, or to need 15 | # -lsocket and -lnsl. 
We need to avoid linking with libnsl unless we need 16 | # it, though, since on some OSes where it isn't necessary it will totally 17 | # break networking. Unisys also includes gethostbyname() in libsocket but 18 | # needs libnsl for socket(). 19 | # 20 | # LICENSE 21 | # 22 | # Copyright (c) 2008 Russ Allbery 23 | # Copyright (c) 2008 Stepan Kasal 24 | # Copyright (c) 2008 Warren Young 25 | # 26 | # Copying and distribution of this file, with or without modification, are 27 | # permitted in any medium without royalty provided the copyright notice 28 | # and this notice are preserved. This file is offered as-is, without any 29 | # warranty. 30 | 31 | #serial 7 32 | 33 | AU_ALIAS([LIB_SOCKET_NSL], [AX_LIB_SOCKET_NSL]) 34 | AC_DEFUN([AX_LIB_SOCKET_NSL], 35 | [ 36 | AC_SEARCH_LIBS([gethostbyname], [nsl]) 37 | AC_SEARCH_LIBS([socket], [socket], [], [ 38 | AC_CHECK_LIB([socket], [socket], [LIBS="-lsocket -lnsl $LIBS"], 39 | [], [-lnsl])]) 40 | ]) 41 | -------------------------------------------------------------------------------- /m4/ax_with_dmalloc.m4: -------------------------------------------------------------------------------- 1 | # =========================================================================== 2 | # https://www.gnu.org/software/autoconf-archive/ax_with_dmalloc.html 3 | # =========================================================================== 4 | # 5 | # SYNOPSIS 6 | # 7 | # AX_WITH_DMALLOC 8 | # 9 | # DESCRIPTION 10 | # 11 | # Let the user enable/disable support for the dmalloc library available 12 | # from . 13 | # 14 | # The macro adds the command-line flag "--with-dmalloc". Furthermore, 15 | # "-IPREFIX/include" will be added to "$CPPFLAGS", "-LPREFIX/lib" to 16 | # "$LDFLAGS", and "-DDEBUG_DMALLOC" and "-DDMALLOC_FUNC_CHECK" to 17 | # "$CPPFLAGS". 
18 | # 19 | # To enable dmalloc support in your code, add the following snippet to 20 | # your header files: 21 | # 22 | # #ifdef DEBUG_DMALLOC 23 | # # include 24 | # #endif 25 | # 26 | # LICENSE 27 | # 28 | # Copyright (c) 2008 Peter Simons 29 | # 30 | # Copying and distribution of this file, with or without modification, are 31 | # permitted in any medium without royalty provided the copyright notice 32 | # and this notice are preserved. This file is offered as-is, without any 33 | # warranty. 34 | 35 | #serial 8 36 | 37 | AC_DEFUN([AX_WITH_DMALLOC], [ 38 | AC_MSG_CHECKING(whether to use the dmalloc library) 39 | AC_ARG_WITH(dmalloc, 40 | [ --with-dmalloc[=PREFIX] Compile with dmalloc library], 41 | if test "$withval" = "" -o "$withval" = "yes"; then 42 | ac_cv_dmalloc="/usr/local" 43 | else 44 | ac_cv_dmalloc="$withval" 45 | fi 46 | AC_MSG_RESULT(yes) 47 | CPPFLAGS="$CPPFLAGS -DDEBUG_DMALLOC -DDMALLOC_FUNC_CHECK -I$ac_cv_dmalloc/include" 48 | LDFLAGS="$LDFLAGS -L$ac_cv_dmalloc/lib" 49 | LIBS="$LIBS -ldmalloc" 50 | ,AC_MSG_RESULT(no)) 51 | ])dnl 52 | -------------------------------------------------------------------------------- /repoTagData.json: -------------------------------------------------------------------------------- 1 | { 2 | "componentOf" : [ 3 | { 4 | "uuid": "0bff98e8-93bb-48db-bc8f-ef0d5ec9cc88", 5 | "type": "Technical Asset" 6 | } 7 | ] 8 | } 9 | -------------------------------------------------------------------------------- /src/.gitignore: -------------------------------------------------------------------------------- 1 | # ignoring generated files 2 | masqreq 3 | p11cat 4 | p11cp 5 | p11importcert 6 | p11importdata 7 | p11importpubk 8 | p11kcv 9 | p11keycomp 10 | p11keygen 11 | p11ls 12 | p11mkcert 13 | p11more 14 | p11mv 15 | p11od 16 | p11req 17 | p11rm 18 | p11setattr 19 | p11slotinfo 20 | p11unwrap 21 | p11wrap 22 | p11rewrap 23 | -------------------------------------------------------------------------------- /src/Makefile.am: 
-------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Mastercard 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | AM_CPPFLAGS = \ 16 | -I$(top_builddir)/gl \ 17 | -I$(top_srcdir)/gl \ 18 | -I$(top_srcdir)/include \ 19 | -I$(top_srcdir)/include/oasis-pkcs11/working/3-00-current \ 20 | -I$(top_srcdir)/include/cryptoki 21 | 22 | AM_CFLAGS = $(LIBCRYPTO_CFLAGS) $(PTHREAD_CFLAGS) 23 | AM_LIBS = $(PTHREAD_LIBS) 24 | 25 | if HAS_LIBCRYPTO_RPATH 26 | AM_LDFLAGS = -rpath $(LIBCRYPTO_RPATH) 27 | endif 28 | 29 | ################################################################################ 30 | # libcommon 31 | 32 | # libcommon contain code common to all executables. 33 | # it is statically linked. 
34 | 35 | noinst_LTLIBRARIES = libcommon.la 36 | libcommon_la_SOURCES = version.c 37 | 38 | libcommon_la_CFLAGS = $(LIBCRYPTO_CFLAGS) 39 | libcommon_la_LDFLAGS = -static 40 | 41 | ################################################################################ 42 | # p11 toolkit 43 | 44 | # the actual list of programs being compiled 45 | bin_PROGRAMS = p11mkcert p11rewrap p11wrap p11unwrap p11cp p11ls p11cat p11more p11od p11rm p11mv p11slotinfo p11req p11importcert p11importpubk p11importdata p11keycomp p11setattr masqreq p11keygen p11kcv 46 | 47 | 48 | SOURCES = $(bin_PROGRAMS:%=%.c) 49 | 50 | LDADD = libcommon.la $(top_builddir)/lib/libp11.la $(top_builddir)/gl/libgnu.a $(LIBCRYPTO_LIBS) $(GETHOSTNAME_LIB) $(LIBSOCKET) $(LIBINTL) $(LIBTHREAD) 51 | 52 | $(SOURCES): $(top_srcdir)/include/pkcs11lib.h 53 | 54 | -------------------------------------------------------------------------------- /src/masqreq.c: -------------------------------------------------------------------------------- 1 | /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 | 3 | /* 4 | * Copyright (c) 2018 Mastercard 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 8 | * You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, software 13 | * distributed under the License is distributed on an "AS IS" BASIS, 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | * See the License for the specific language governing permissions and 16 | * limitations under the License. 
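#include "pkcs11lib.h"

#define COMMAND_SUMMARY \
"Masquerade PKCS#10 request - adapt subjet and extensions, without resigning.\n\n"

/* upper bound of the san[] array below; WARN_SAN only triggers a warning */
#define MAX_SAN 1000
#define WARN_SAN 25


/* prototypes */
void print_version_info(char *progname);
void print_usage(char *);
int main( int argc, char **argv);


/*
 * Print the command usage on stderr and exit with rc_error_usage.
 * NOTE(review): the text lists a -H option, but the getopt string in main()
 * ("c:o:d:re:XvhV") does not accept it — confirm whether it is meant to exist.
 */
void print_usage(char *progname)
{
    fprintf( stderr,
             "USAGE: %s ARGUMENTS\n"
             "\n"
             COMMAND_SUMMARY
             "* -c : input file with PKCS#10 request, to extract public key from\n"
             " -o : output file for PKCS#10 request (stdout if not specified)\n"
             " -H sha1|sha256|sha384|sha512: Hashing algorithm (default is sha1)\n"
             "* -d : subject DN, OpenSSL formatted, e.g. /CN=mysite.net/O=My Org/C=BE\n"
             " -r reverse order of subject DN (for compatibility with previous versions)\n"
             "+ -e : subject alternative Name field, OpenSSL formatted.\n"
             " possible values are: \n"
             " - DNS:[host name]\n"
             " - email:[rfc822 compatible mail address]\n"
             " - IP:[IPv4 address]\n"
             " -X : add Subject Key Identifier X509v3 to request (value is SHA1 of key modulus)\n"
             " -v be verbose, output content of generated PKCS#10 request to standard output\n"
             " -h : print usage information\n"
             " -V : print version information\n"
             "\n"
             "|\n"
             "+-> arguments marked with an asterix(*) are mandatory\n"
             "+-> arguments marked with a plus sign(+) can be repeated\n"
             "\n"
             , pkcs11_ll_basename(progname) );
    exit(rc_error_usage);
}

/*
 * Entry point: parse the command line, load the PKCS#10 request from -c,
 * rewrite its subject / SAN / SKI according to the options, and write it
 * to -o (or stdout). Returns a func_rc value as process exit code.
 */
int main( int argc, char ** argv )
{
    extern char *optarg;
    extern int optind, optopt;
    int argnum = 0;
    int errflag = 0;
    char *csrfilename = NULL;
    char * filename = NULL;
    char *dn = NULL;
    char *san[MAX_SAN];
    size_t san_cnt=0;
    bool ski=false; /* add Subject Key Identifier */
    bool verbose = false;
    bool reverse = false;
    x509_req_handle_t *req = NULL;

    func_rc retcode = rc_ok;

    /* get the command-line arguments */
    while ( ( argnum = getopt( argc, argv, "c:o:d:re:XvhV" ) ) != -1 )
    {
        switch ( argnum )
        {
        case 'c':
            csrfilename = optarg;
            break;

        case 'o':
            filename = optarg;
            break;

        case 'd':
            if(!pkcs11_X509_check_DN(optarg)) {
                fprintf( stderr , "Error: invalid DN field\n");
                errflag++;
            } else {
                dn = optarg;
            }
            break;

        case 'r':
            reverse=true;
            break;

        case 'e':
            /* san[] holds MAX_SAN entries, valid indices 0..MAX_SAN-1:
             * the previous test (san_cnt > MAX_SAN) let the MAX_SAN-th
             * write land one past the end of the array */
            if(san_cnt>=MAX_SAN) {
                fprintf( stderr , "Error: too many SAN fields (max %d)\n", MAX_SAN);
                errflag++;
            } else {

                if(san_cnt==WARN_SAN) {
                    fprintf( stderr , "Warning: many SAN fields (>=%d). You may encounter SSL/TLS performance issues.\n", WARN_SAN);
                }

                san[san_cnt++] = optarg;
            }
            break;

        case 'X':
            ski = true; /* we want a subject key identifier */
            break;

        case 'v':
            verbose = true;
            break;

        case 'h':
            print_usage(argv[0]);   /* does not return */
            break;

        case 'V':
            print_version_info(argv[0]);
            break;

        default:
            errflag++;
            break;

        }
    }


    if ( errflag ) {
        fprintf(stderr, "Try `%s -h' for more information.\n", argv[0]);
        retcode = rc_error_usage;
        goto err;
    }


    /* -d and -c are mandatory */
    if ( dn == NULL || csrfilename == NULL ) {
        fprintf( stderr, "At least one required option or argument is wrong or missing.\n"
                 "Try `%s -h' for more information.\n", argv[0]);
        retcode = rc_error_usage;
        goto err;
    }

    req = pkcs11_get_X509_REQ_from_file(csrfilename);

    if(!req) {
        fprintf(stderr, "Error: could not load PKCS#10 file <%s>\n", csrfilename);
        retcode = rc_error_object_not_found;
        goto err;
    }


    if(!pkcs11_masq_X509_REQ(req, dn, reverse, san, san_cnt, ski)) {
        fprintf(stderr, "Error: could not masquerade PKCS#10 file <%s>\n", csrfilename);
        retcode = rc_error_other_error;
        goto err;
    }

    write_X509_REQ(req, filename, verbose);

    retcode = rc_ok;
err:

    if(req) { x509_req_handle_t_free(req); }
    return retcode;
}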
#include "pkcs11lib.h"

#define COMMAND_SUMMARY \
"Display in human-readable format non-sensitive content of PKCS#11 token object(s).\n\n"


/* prototypes */
void print_version_info(char *progname);
void print_usage(char *);
int main( int argc, char **argv);


/*
 * Print usage on stderr and terminate with RC_ERROR_USAGE.
 * Only the first line carries a conversion (%s, the program basename);
 * the remainder of the text is written verbatim.
 */
void print_usage(char *progname)
{
    static const char usage_body[] =
        "\n"
        COMMAND_SUMMARY
        "OPTIONS:\n"
        "* -l : path to PKCS#11 library\n"
        " -m ( e.g. '.' or 'sql:.' ) : NSS db directory \n"
        " -s \n"
        " -t : if present, -s option is ignored\n"
        " -p | :::exec: | :::nologin\n"
        " -S : login with SO privilege\n"
        " -h : print usage information\n"
        " -V : print version information\n"
        "|\n"
        "+-> arguments marked with an asterix(*) are mandatory\n"
        "| (except if environment variable sets the value)\n"
        "+-> arguments marked with a plus sign(+) can be repeated\n"
        "\n"
        "FILTERS:\n"
        " FILTER [FILTER ...]: object filter to match, of the form:\n"
        " - TYPE\n"
        " - [TYPE/[ATTRIBUTE/]]VALUE\n"
        "\n"
        " TYPE can be 'cert', 'pubk', 'prvk', 'seck', 'data'\n"
        " when omitted, all objects are listed\n"
        "\n"
        " ATTRIBUTE is either:\n"
        " - 'id', 'label' or 'sn'\n"
        " - an actual PKCS#11 attribute name (e.g. CKA_ENCRYPT)\n"
        " when omitted, default is 'label'\n"
        "\n"
        " VALUE is either:\n"
        " - ASCII string\n"
        " - {hexadecimal values} between curly braces\n"
        "\n"
        " ENVIRONMENT VARIABLES:\n"
        " PKCS11LIB : path to PKCS#11 library,\n"
        " overriden by option -l\n"
        " PKCS11NSSDIR : NSS configuration directory directive,\n"
        " overriden by option -m\n"
        " PKCS11SLOT : token slot (integer)\n"
        " overriden by PKCS11TOKENLABEL,\n"
        " options -t or -s\n"
        " PKCS11TOKENLABEL : token label\n"
        " overriden by options -t or -s\n"
        " PKCS11PASSWORD : password\n"
        " overriden by option -p\n"
        "\n";

    fprintf(stderr, "USAGE: %s OPTIONS FILTERS\n", pkcs11_ll_basename(progname));
    fputs(usage_body, stderr);

    exit( RC_ERROR_USAGE );
}
#include "pkcs11lib.h"

#define COMMAND_SUMMARY \
"Delete object(s) from PKCS#11 token.\n\n"


/* prototypes */
void print_version_info(char *progname);
void print_usage(char *);
int main( int argc, char **argv);


/*
 * Print usage on stderr and terminate with RC_ERROR_USAGE.
 * The program basename is the only formatted field; the rest of the
 * text is constant and written verbatim.
 */
void print_usage(char *progname)
{
    static const char usage_body[] =
        "\n"
        COMMAND_SUMMARY
        "OPTIONS:\n"
        "* -l : path to PKCS#11 library\n"
        " -m ( e.g. '.' or 'sql:.' ) : NSS db directory \n"
        " -s \n"
        " -t : if present, -s option is ignored\n"
        " -p | :::exec: | :::nologin\n"
        " -S : login with SO privilege\n"
        " -y : force positive answer (non-interactive)\n"
        " -v : verbose\n"
        " -h : print usage information\n"
        " -V : print version information\n"
        "|\n"
        "+-> arguments marked with an asterix(*) are mandatory\n"
        "| (except if environment variable sets the value)\n"
        "+-> arguments marked with a plus sign(+) can be repeated\n"
        "\n"
        "ARGUMENTS:\n"
        " LABEL [LABEL ...]: object label(s) to erase\n"
        " can be prefixed with cert/, prvk/, pubk/ or seck/)\n"
        " if no prefix, objects from all classes sharing the\n"
        " same label are deleted\n"
        "\n"
        " ENVIRONMENT VARIABLES:\n"
        " PKCS11LIB : path to PKCS#11 library,\n"
        " overriden by option -l\n"
        " PKCS11NSSDIR : NSS configuration directory directive,\n"
        " overriden by option -m\n"
        " PKCS11SLOT : token slot (integer)\n"
        " overriden by PKCS11TOKENLABEL,\n"
        " options -t or -s\n"
        " PKCS11TOKENLABEL : token label\n"
        " overriden by options -t or -s\n"
        " PKCS11PASSWORD : password\n"
        " overriden by option -p\n"
        "\n";

    fprintf(stderr, "USAGE: %s OPTIONS ARGUMENTS\n", pkcs11_ll_basename(progname));
    fputs(usage_body, stderr);

    exit( RC_ERROR_USAGE );
}
getenv("PKCS11SLOT"); 110 | if (slotenv!=NULL) { 111 | slot=atoi(slotenv); 112 | } 113 | } 114 | password = getenv("PKCS11PASSWORD"); 115 | 116 | /* if a slot or a token is given, interactive is null */ 117 | if(slotenv!=NULL || tokenlabel!=NULL) { 118 | interactive=0; 119 | } 120 | 121 | /* get the command-line arguments */ 122 | while ( ( argnum = getopt( argc, argv, "l:m:p:s:t:yvShV" ) ) != -1 ) 123 | { 124 | switch ( argnum ) 125 | { 126 | case 'l' : 127 | library = optarg; 128 | break; 129 | 130 | case 'm': 131 | nsscfgdir = optarg; 132 | break; 133 | 134 | case 'p' : 135 | password = optarg; 136 | break; 137 | 138 | case 's': 139 | slot = atoi(optarg); 140 | tokenlabel = NULL; 141 | interactive=0; 142 | break; 143 | 144 | case 't': 145 | tokenlabel = optarg; 146 | slot = -1; 147 | interactive = 0; 148 | break; 149 | 150 | case 'y': 151 | ask_confirm = 0; 152 | break; 153 | 154 | case 'v': 155 | verbose = 1; 156 | break; 157 | 158 | case 'S': 159 | so=1; 160 | break; 161 | 162 | case 'h': 163 | print_usage(argv[0]); 164 | break; 165 | 166 | case 'V': 167 | print_version_info(argv[0]); 168 | break; 169 | 170 | default: 171 | errflag++; 172 | break; 173 | } 174 | } 175 | 176 | if ( errflag ) { 177 | fprintf(stderr, "Try `%s -h' for more information.\n", argv[0]); 178 | goto err; 179 | } 180 | 181 | 182 | if ( library == NULL || optind==argc ) { 183 | fprintf( stderr, "At least one required option or argument is wrong or missing.\n" 184 | "Try `%s -h' for more information.\n", argv[0]); 185 | goto err; 186 | } 187 | 188 | if((p11Context = pkcs11_newContext( library, nsscfgdir ))==NULL) { 189 | goto err; 190 | } 191 | 192 | /* validate the given provider library exists and can be opened */ 193 | if (( retcode = pkcs11_initialize( p11Context ) ) != CKR_OK ) { 194 | goto err; 195 | } 196 | 197 | retcode = pkcs11_open_session( p11Context, slot, tokenlabel, password, so, interactive); 198 | 199 | if ( retcode == rc_ok ) 200 | { 201 | while(optind 20 | #include 21 | 
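#include <stdio.h>      /* fprintf, stderr */
#include <stdlib.h>     /* getenv, atoi, exit */
/* NOTE(review): the header names of the system includes on these lines were
   lost in extraction; stdio.h/stdlib.h are reconstructed from what the file
   uses (getopt's unistd.h may have been among the lines just above). */
#include "pkcs11lib.h"

#ifdef _WIN32
#include /* <windows-only header, name lost in extraction> */
#endif

/* one-line description shown at the top of the usage text */
#define COMMAND_SUMMARY \
    "Print slot information/available methods of a PKCS#11 slot or token.\n\n"

/* prototypes */
void print_version_info(char *progname);
void print_usage(char *);
int main( int argc, char **argv);


/*
 * Print the usage text of p11slotinfo on stderr and terminate the process
 * with RC_ERROR_USAGE. Never returns.
 *
 * progname: argv[0]; only its basename is printed.
 */
void print_usage(char *progname)
{
    fprintf( stderr,
	     "USAGE: %s OPTIONS\n"
	     "\n"
	     COMMAND_SUMMARY
	     "OPTIONS:\n"
	     "* -l : path to PKCS#11 library\n"
	     " -m ( e.g. '.' or 'sql:.' ) : NSS db directory\n"
	     " -s \n"
	     " -t : if present, -s option is ignored\n"
	     " -S : login with SO privilege\n"
	     " -e : list also named elliptic curves supported by the token\n"
	     " -h : print usage information\n"
	     " -V : print version information\n"
	     "|\n"
	     "+-> arguments marked with an asterix(*) are mandatory\n"
	     "| (except if environment variable sets the value)\n"
	     "+-> arguments marked with a plus sign(+) can be repeated\n"
	     "\n"
	     " ENVIRONMENT VARIABLES:\n"
	     " PKCS11LIB : path to PKCS#11 library,\n"
	     " overriden by option -l\n"
	     " PKCS11NSSDIR : NSS configuration directory directive,\n"
	     " overriden by option -m\n"
	     " PKCS11SLOT : token slot (integer)\n"
	     " overriden by PKCS11TOKENLABEL,\n"
	     " options -t or -s\n"
	     " PKCS11TOKENLABEL : token label\n"
	     " overriden by options -t or -s\n"
	     "\n"
	     , pkcs11_ll_basename(progname) );

    exit( RC_ERROR_USAGE );
}

/*
 * Entry point of p11slotinfo.
 *
 * Resolves the PKCS#11 library, the NSS directory and the slot/token
 * selection from the environment (PKCS11LIB, PKCS11NSSDIR, PKCS11SLOT,
 * PKCS11TOKENLABEL), lets command-line options override them, then prints
 * library information, slot information and, with -e, the named elliptic
 * curves the token supports.
 *
 * Returns the first func_rc error met (usage, context creation, initialize,
 * library info, session opening); when every step succeeded, the result of
 * pkcs11_finalize().
 */
int main( int argc, char ** argv )
{
    extern char *optarg;
    extern int optind, optopt;
    int argnum = 0;
    int errflag = 0;
    char * library = NULL;
    char * nsscfgdir = NULL;
    /* this tool never logs in with a user PIN: the password is pinned to the
       ":::nologin" form and PKCS11PASSWORD is deliberately not consulted */
    char * password = ":::nologin";
    char * slotenv = NULL;
    int slot = -1;              /* -1: no slot selected */
    int interactive = 1;        /* cleared as soon as a slot or a token label is known */
    char * tokenlabel = NULL;
    int ec_support = 0;         /* -e: also list the named curves the token supports */
    int so=0;                   /* -S: open the session with SO privilege */

    pkcs11Context * p11Context = NULL;
    func_rc retcode = rc_error_usage;
    func_rc finalrc;            /* result of pkcs11_finalize(), kept apart from retcode */

    library = getenv("PKCS11LIB");
    nsscfgdir = getenv("PKCS11NSSDIR");
    tokenlabel = getenv("PKCS11TOKENLABEL");
    if(tokenlabel==NULL) {
	slotenv = getenv("PKCS11SLOT");
	if (slotenv!=NULL) {
	    /* NOTE(review): atoi() yields 0 on non-numeric input, so a mistyped
	       PKCS11SLOT silently selects slot 0 instead of being rejected */
	    slot=atoi(slotenv);
	}
    }
    /* we ignore password value */

    /* if a slot or a token is given, interactive is null */
    if(slotenv!=NULL || tokenlabel!=NULL) {
	interactive=0;
    }

    /* get the command-line arguments */
    while ( ( argnum = getopt( argc, argv, "l:m:s:t:eShV" ) ) != -1 ) {
	switch ( argnum ) {
	case 'l' :
	    library = optarg;
	    break;

	case 'm':
	    nsscfgdir = optarg;
	    break;

	case 's':
	    slot = atoi(optarg);    /* same atoi() caveat as for PKCS11SLOT */
	    /* -s and -t reset each other, so the later of the two wins.
	       NOTE(review): the usage text says -t always overrides -s, which
	       is not what happens when -s follows -t. */
	    tokenlabel = NULL;
	    interactive = 0;
	    break;

	case 't':
	    tokenlabel = optarg;
	    slot = -1;
	    interactive = 0;
	    break;

	case 'e':
	    ec_support = 1;
	    break;

	case 'S':
	    so=1;
	    break;

	case 'h':
	    print_usage(argv[0]);           /* exits, does not return */
	    break;

	case 'V':
	    print_version_info(argv[0]);    /* exits, does not return */
	    break;

	default:
	    errflag++;
	    break;
	}
    }

    if ( errflag ) {
	fprintf(stderr, "Try `%s -h' for more information.\n", argv[0]);
	goto err;
    }

    if ( library == NULL ) {
	fprintf( stderr, "At least one required option or argument is wrong or missing.\n"
		 "Try `%s -h' for more information.\n", argv[0]);
	goto err;
    }

    if((p11Context = pkcs11_newContext( library, nsscfgdir ))==NULL) {
	goto err;
    }

    /* validate the given provider library exists and can be opened */
    if (( retcode = pkcs11_initialize( p11Context ) ) != CKR_OK ) {
	goto err;
    }

    retcode = pkcs11_info_library(p11Context);

    if( retcode == rc_ok ) {
	retcode = pkcs11_open_session( p11Context, slot, tokenlabel, password, so, interactive);

	if( retcode == rc_ok ) {
	    pkcs11_info_slot(p11Context);

	    if(ec_support==1) {
		pkcs11_info_ecsupport(p11Context);
	    }

	    pkcs11_close_session( p11Context );
	}
    }

    /* Finalize in every case, but never let the finalize result overwrite an
       earlier failure: the exit status must report the first error (a refused
       session or a failed library query would otherwise be reported with the
       finalize result instead). */
    finalrc = pkcs11_finalize( p11Context );
    if( retcode == rc_ok ) {
	retcode = finalrc;
    }

    /* free allocated memory */
err:
    pkcs11_freeContext(p11Context);

    return ( retcode );
}
--------------------------------------------------------------------------------
/src/version.c:
--------------------------------------------------------------------------------
/* -*- mode: c; c-file-style:"stroustrup"; -*- */

/*
 * Copyright (c) 2018 Mastercard
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.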
*/

#include "config.h"
#include "target.h"
#include <stdio.h>      /* fprintf, fputs, stderr */
#include <stdlib.h>     /* exit */
/* NOTE(review): two further system #include lines stood here; their header
   names were lost in extraction and cannot be recovered from this page. */
#include "pkcs11lib.h"

/*
 * Report, on stderr, which package and version this tool belongs to (with
 * the build date), the target arch/CPU/OS triple, the OpenSSL library in use
 * and the vendor extensions compiled in, then terminate with RC_ERROR_USAGE.
 * Never returns: like print_usage(), -V is a terminating option.
 *
 * progname: argv[0]; only its basename is printed.
 */
void print_version_info(char *progname)
{
    static const char banner[] =
	"%s belongs to " PACKAGE_NAME " v" PACKAGE_VERSION " (" __DATE__ ")\n";

    fprintf( stderr, banner, pkcs11_ll_basename(progname) );
    fprintf( stderr, "arch/CPU/OS: %s/%s/%s\n",
	     TARGET_ARCH_TYPE, TARGET_CPU_TYPE, TARGET_OS_TYPE );
    fprintf( stderr, "using openssl library: %s\n", pkcs11_openssl_version() );

    /* build-time feature flags, one line each, in this fixed order */
#ifdef HAVE_DUPLICATES_ENABLED
    fputs( "compiled with enable duplicate extentions\n", stderr );
#endif
#if defined(HAVE_NCIPHER)
    fputs( "compiled with nCipher extensions\n", stderr );
#endif
#if defined(HAVE_LUNA)
    fputs( "compiled with Gemalto Safenet Luna extensions\n", stderr );
#endif
#if defined(HAVE_AWSCLOUDHSM)
    fputs( "compiled with AWS CloudHSM extensions\n", stderr );
#endif

    exit( RC_ERROR_USAGE );
}
--------------------------------------------------------------------------------
/src/win_applink.c:
--------------------------------------------------------------------------------
/* -*- mode: c; c-file-style:"stroustrup"; -*- */

/*
 * Copyright (c) 2018 Mastercard
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
17 | */ 18 | 19 | /* This glue code is needed under Windows, */ 20 | /* please refer to https://www.openssl.org/support/faq.html#PROG2 */ 21 | /* for more information */ 22 | 23 | 24 | #include 25 | #include 26 | 27 | 28 | /* EOF */ 29 | -------------------------------------------------------------------------------- /test/bigsan.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (c) 2018 Mastercard 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | ./p11req -l /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so -m sql:. 
-i testsan2 -k 2048 -h sha1 -d '/CN=mysantest150' \ 18 | -e DNS:sanentry-csr-1 \ 19 | -e DNS:sanentry-csr-2 \ 20 | -e DNS:sanentry-csr-3 \ 21 | -e DNS:sanentry-csr-4 \ 22 | -e DNS:sanentry-csr-5 \ 23 | -e DNS:sanentry-csr-6 \ 24 | -e DNS:sanentry-csr-7 \ 25 | -e DNS:sanentry-csr-8 \ 26 | -e DNS:sanentry-csr-9 \ 27 | -e DNS:sanentry-csr-10 \ 28 | -e DNS:sanentry-csr-11 \ 29 | -e DNS:sanentry-csr-12 \ 30 | -e DNS:sanentry-csr-13 \ 31 | -e DNS:sanentry-csr-14 \ 32 | -e DNS:sanentry-csr-15 \ 33 | -e DNS:sanentry-csr-16 \ 34 | -e DNS:sanentry-csr-17 \ 35 | -e DNS:sanentry-csr-18 \ 36 | -e DNS:sanentry-csr-19 \ 37 | -e DNS:sanentry-csr-20 \ 38 | -e DNS:sanentry-csr-21 \ 39 | -e DNS:sanentry-csr-22 \ 40 | -e DNS:sanentry-csr-23 \ 41 | -e DNS:sanentry-csr-24 \ 42 | -e DNS:sanentry-csr-25 \ 43 | -e DNS:sanentry-csr-26 \ 44 | -e DNS:sanentry-csr-27 \ 45 | -e DNS:sanentry-csr-28 \ 46 | -e DNS:sanentry-csr-29 \ 47 | -e DNS:sanentry-csr-30 \ 48 | -e DNS:sanentry-csr-31 \ 49 | -e DNS:sanentry-csr-32 \ 50 | -e DNS:sanentry-csr-33 \ 51 | -e DNS:sanentry-csr-34 \ 52 | -e DNS:sanentry-csr-35 \ 53 | -e DNS:sanentry-csr-36 \ 54 | -e DNS:sanentry-csr-37 \ 55 | -e DNS:sanentry-csr-38 \ 56 | -e DNS:sanentry-csr-39 \ 57 | -e DNS:sanentry-csr-40 \ 58 | -e DNS:sanentry-csr-41 \ 59 | -e DNS:sanentry-csr-42 \ 60 | -e DNS:sanentry-csr-43 \ 61 | -e DNS:sanentry-csr-44 \ 62 | -e DNS:sanentry-csr-45 \ 63 | -e DNS:sanentry-csr-46 \ 64 | -e DNS:sanentry-csr-47 \ 65 | -e DNS:sanentry-csr-48 \ 66 | -e DNS:sanentry-csr-49 \ 67 | -e DNS:sanentry-csr-50 \ 68 | -e DNS:sanentry-csr-51 \ 69 | -e DNS:sanentry-csr-52 \ 70 | -e DNS:sanentry-csr-53 \ 71 | -e DNS:sanentry-csr-54 \ 72 | -e DNS:sanentry-csr-55 \ 73 | -e DNS:sanentry-csr-56 \ 74 | -e DNS:sanentry-csr-57 \ 75 | -e DNS:sanentry-csr-58 \ 76 | -e DNS:sanentry-csr-59 \ 77 | -e DNS:sanentry-csr-60 \ 78 | -e DNS:sanentry-csr-61 \ 79 | -e DNS:sanentry-csr-62 \ 80 | -e DNS:sanentry-csr-63 \ 81 | -e DNS:sanentry-csr-64 \ 82 | -e DNS:sanentry-csr-65 \ 83 | 
-e DNS:sanentry-csr-66 \ 84 | -e DNS:sanentry-csr-67 \ 85 | -e DNS:sanentry-csr-68 \ 86 | -e DNS:sanentry-csr-69 \ 87 | -e DNS:sanentry-csr-70 \ 88 | -e DNS:sanentry-csr-71 \ 89 | -e DNS:sanentry-csr-72 \ 90 | -e DNS:sanentry-csr-73 \ 91 | -e DNS:sanentry-csr-74 \ 92 | -e DNS:sanentry-csr-75 \ 93 | -e DNS:sanentry-csr-76 \ 94 | -e DNS:sanentry-csr-77 \ 95 | -e DNS:sanentry-csr-78 \ 96 | -e DNS:sanentry-csr-79 \ 97 | -e DNS:sanentry-csr-80 \ 98 | -e DNS:sanentry-csr-81 \ 99 | -e DNS:sanentry-csr-82 \ 100 | -e DNS:sanentry-csr-83 \ 101 | -e DNS:sanentry-csr-84 \ 102 | -e DNS:sanentry-csr-85 \ 103 | -e DNS:sanentry-csr-86 \ 104 | -e DNS:sanentry-csr-87 \ 105 | -e DNS:sanentry-csr-88 \ 106 | -e DNS:sanentry-csr-89 \ 107 | -e DNS:sanentry-csr-90 \ 108 | -e DNS:sanentry-csr-91 \ 109 | -e DNS:sanentry-csr-92 \ 110 | -e DNS:sanentry-csr-93 \ 111 | -e DNS:sanentry-csr-94 \ 112 | -e DNS:sanentry-csr-95 \ 113 | -e DNS:sanentry-csr-96 \ 114 | -e DNS:sanentry-csr-97 \ 115 | -e DNS:sanentry-csr-98 \ 116 | -e DNS:sanentry-csr-99 \ 117 | -e DNS:sanentry-csr-100 \ 118 | -e DNS:sanentry-csr-101 \ 119 | -e DNS:sanentry-csr-102 \ 120 | -e DNS:sanentry-csr-103 \ 121 | -e DNS:sanentry-csr-104 \ 122 | -e DNS:sanentry-csr-105 \ 123 | -e DNS:sanentry-csr-106 \ 124 | -e DNS:sanentry-csr-107 \ 125 | -e DNS:sanentry-csr-108 \ 126 | -e DNS:sanentry-csr-109 \ 127 | -e DNS:sanentry-csr-110 \ 128 | -e DNS:sanentry-csr-111 \ 129 | -e DNS:sanentry-csr-112 \ 130 | -e DNS:sanentry-csr-113 \ 131 | -e DNS:sanentry-csr-114 \ 132 | -e DNS:sanentry-csr-115 \ 133 | -e DNS:sanentry-csr-116 \ 134 | -e DNS:sanentry-csr-117 \ 135 | -e DNS:sanentry-csr-118 \ 136 | -e DNS:sanentry-csr-119 \ 137 | -e DNS:sanentry-csr-120 \ 138 | -e DNS:sanentry-csr-121 \ 139 | -e DNS:sanentry-csr-122 \ 140 | -e DNS:sanentry-csr-123 \ 141 | -e DNS:sanentry-csr-124 \ 142 | -e DNS:sanentry-csr-125 \ 143 | -e DNS:sanentry-csr-126 \ 144 | -e DNS:sanentry-csr-127 \ 145 | -e DNS:sanentry-csr-128 \ 146 | -e DNS:sanentry-csr-129 \ 147 | 
-e DNS:sanentry-csr-130 \ 148 | -e DNS:sanentry-csr-131 \ 149 | -e DNS:sanentry-csr-132 \ 150 | -e DNS:sanentry-csr-133 \ 151 | -e DNS:sanentry-csr-134 \ 152 | -e DNS:sanentry-csr-135 \ 153 | -e DNS:sanentry-csr-136 \ 154 | -e DNS:sanentry-csr-137 \ 155 | -e DNS:sanentry-csr-138 \ 156 | -e DNS:sanentry-csr-139 \ 157 | -e DNS:sanentry-csr-140 \ 158 | -e DNS:sanentry-csr-141 \ 159 | -e DNS:sanentry-csr-142 \ 160 | -e DNS:sanentry-csr-143 \ 161 | -e DNS:sanentry-csr-144 \ 162 | -e DNS:sanentry-csr-145 \ 163 | -e DNS:sanentry-csr-146 \ 164 | -e DNS:sanentry-csr-147 \ 165 | -e DNS:sanentry-csr-148 \ 166 | -e DNS:sanentry-csr-149 \ 167 | -e DNS:sanentry-csr-150 168 | -------------------------------------------------------------------------------- /test/littlesan.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (c) 2018 Mastercard 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | ./p11req -l /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so -m sql:. 
-i testsan2 -k 2048 -h sha1 -d '/CN=mysantest' \ 18 | -e DNS:sanentry-csr1 \ 19 | -e DNS:sanentry-csr2 \ 20 | -e DNS:sanentry-csr3 21 | 22 | -------------------------------------------------------------------------------- /test/reqtestcases.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (c) 2018 Mastercard 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | ./with_nss ../bin/p11req -i t001-rsa-2048 -d /CN=toto 18 | ./with_nss ../bin/p11req -i t001-rsa-2048 -d /CN=toto -X 19 | ./with_nss ../bin/p11req -i t001-rsa-2048 -d /CN=toto -e email:toto@toto.com 20 | ./with_nss ../bin/p11req -i t001-rsa-2048 -d /CN=toto -X -e email:toto@toto.com 21 | ./with_nss ../bin/p11req -i test-ecsda-prime256v1 -d /CN=toto 22 | ./with_nss ../bin/p11req -i test-ecsda-prime256v1 -d /CN=toto -X 23 | ./with_nss ../bin/p11req -i test-ecsda-prime256v1 -d /CN=toto -e email:toto@toto.com 24 | ./with_nss ../bin/p11req -i test-ecsda-prime256v1 -d /CN=toto -X -e email:toto@toto.com 25 | ./with_nss ../bin/p11req -i t002-dsa-1024 -d /CN=toto 26 | ./with_nss ../bin/p11req -i t002-dsa-1024 -d /CN=toto -X 27 | ./with_nss ../bin/p11req -i t002-dsa-1024 -d /CN=toto -e email:toto@toto.com 28 | ./with_nss ../bin/p11req -i t002-dsa-1024 -d /CN=toto -X -e email:toto@toto.com 29 | ./with_nss ../bin/p11req -i t003-dsa-2048 -d /CN=toto 30 | ./with_nss ../bin/p11req -i t003-dsa-2048 -d /CN=toto -X 31 | 
./with_nss ../bin/p11req -i t003-dsa-2048 -d /CN=toto -e email:toto@toto.com 32 | ./with_nss ../bin/p11req -i t003-dsa-2048 -d /CN=toto -X -e email:toto@toto.com 33 | -------------------------------------------------------------------------------- /test/san100.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (c) 2018 Mastercard 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | ./p11req -l /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so -m sql:. 
-i testsan2 -k 2048 -h sha1 -d '/CN=mysantest-125/OU=KMS TS/O=MasterCard Worldwide/C=BE' \ 18 | -e DNS:sanentry-csr-1 \ 19 | -e DNS:sanentry-csr-2 \ 20 | -e DNS:sanentry-csr-3 \ 21 | -e DNS:sanentry-csr-4 \ 22 | -e DNS:sanentry-csr-5 \ 23 | -e DNS:sanentry-csr-6 \ 24 | -e DNS:sanentry-csr-7 \ 25 | -e DNS:sanentry-csr-8 \ 26 | -e DNS:sanentry-csr-9 \ 27 | -e DNS:sanentry-csr-10 \ 28 | -e DNS:sanentry-csr-11 \ 29 | -e DNS:sanentry-csr-12 \ 30 | -e DNS:sanentry-csr-13 \ 31 | -e DNS:sanentry-csr-14 \ 32 | -e DNS:sanentry-csr-15 \ 33 | -e DNS:sanentry-csr-16 \ 34 | -e DNS:sanentry-csr-17 \ 35 | -e DNS:sanentry-csr-18 \ 36 | -e DNS:sanentry-csr-19 \ 37 | -e DNS:sanentry-csr-20 \ 38 | -e DNS:sanentry-csr-21 \ 39 | -e DNS:sanentry-csr-22 \ 40 | -e DNS:sanentry-csr-23 \ 41 | -e DNS:sanentry-csr-24 \ 42 | -e DNS:sanentry-csr-25 \ 43 | -e DNS:sanentry-csr-26 \ 44 | -e DNS:sanentry-csr-27 \ 45 | -e DNS:sanentry-csr-28 \ 46 | -e DNS:sanentry-csr-29 \ 47 | -e DNS:sanentry-csr-30 \ 48 | -e DNS:sanentry-csr-31 \ 49 | -e DNS:sanentry-csr-32 \ 50 | -e DNS:sanentry-csr-33 \ 51 | -e DNS:sanentry-csr-34 \ 52 | -e DNS:sanentry-csr-35 \ 53 | -e DNS:sanentry-csr-36 \ 54 | -e DNS:sanentry-csr-37 \ 55 | -e DNS:sanentry-csr-38 \ 56 | -e DNS:sanentry-csr-39 \ 57 | -e DNS:sanentry-csr-40 \ 58 | -e DNS:sanentry-csr-41 \ 59 | -e DNS:sanentry-csr-42 \ 60 | -e DNS:sanentry-csr-43 \ 61 | -e DNS:sanentry-csr-44 \ 62 | -e DNS:sanentry-csr-45 \ 63 | -e DNS:sanentry-csr-46 \ 64 | -e DNS:sanentry-csr-47 \ 65 | -e DNS:sanentry-csr-48 \ 66 | -e DNS:sanentry-csr-49 \ 67 | -e DNS:sanentry-csr-50 \ 68 | -e DNS:sanentry-csr-51 \ 69 | -e DNS:sanentry-csr-52 \ 70 | -e DNS:sanentry-csr-53 \ 71 | -e DNS:sanentry-csr-54 \ 72 | -e DNS:sanentry-csr-55 \ 73 | -e DNS:sanentry-csr-56 \ 74 | -e DNS:sanentry-csr-57 \ 75 | -e DNS:sanentry-csr-58 \ 76 | -e DNS:sanentry-csr-59 \ 77 | -e DNS:sanentry-csr-60 \ 78 | -e DNS:sanentry-csr-61 \ 79 | -e DNS:sanentry-csr-62 \ 80 | -e DNS:sanentry-csr-63 \ 81 | -e DNS:sanentry-csr-64 
\ 82 | -e DNS:sanentry-csr-65 \ 83 | -e DNS:sanentry-csr-66 \ 84 | -e DNS:sanentry-csr-67 \ 85 | -e DNS:sanentry-csr-68 \ 86 | -e DNS:sanentry-csr-69 \ 87 | -e DNS:sanentry-csr-70 \ 88 | -e DNS:sanentry-csr-71 \ 89 | -e DNS:sanentry-csr-72 \ 90 | -e DNS:sanentry-csr-73 \ 91 | -e DNS:sanentry-csr-74 \ 92 | -e DNS:sanentry-csr-75 \ 93 | -e DNS:sanentry-csr-76 \ 94 | -e DNS:sanentry-csr-77 \ 95 | -e DNS:sanentry-csr-78 \ 96 | -e DNS:sanentry-csr-79 \ 97 | -e DNS:sanentry-csr-80 \ 98 | -e DNS:sanentry-csr-81 \ 99 | -e DNS:sanentry-csr-82 \ 100 | -e DNS:sanentry-csr-83 \ 101 | -e DNS:sanentry-csr-84 \ 102 | -e DNS:sanentry-csr-85 \ 103 | -e DNS:sanentry-csr-86 \ 104 | -e DNS:sanentry-csr-87 \ 105 | -e DNS:sanentry-csr-88 \ 106 | -e DNS:sanentry-csr-89 \ 107 | -e DNS:sanentry-csr-90 \ 108 | -e DNS:sanentry-csr-91 \ 109 | -e DNS:sanentry-csr-92 \ 110 | -e DNS:sanentry-csr-93 \ 111 | -e DNS:sanentry-csr-94 \ 112 | -e DNS:sanentry-csr-95 \ 113 | -e DNS:sanentry-csr-96 \ 114 | -e DNS:sanentry-csr-97 \ 115 | -e DNS:sanentry-csr-98 \ 116 | -e DNS:sanentry-csr-99 \ 117 | -e DNS:sanentry-csr-100 \ 118 | -e DNS:sanentry-csr-101 \ 119 | -e DNS:sanentry-csr-102 \ 120 | -e DNS:sanentry-csr-103 \ 121 | -e DNS:sanentry-csr-104 \ 122 | -e DNS:sanentry-csr-105 \ 123 | -e DNS:sanentry-csr-106 \ 124 | -e DNS:sanentry-csr-107 \ 125 | -e DNS:sanentry-csr-108 \ 126 | -e DNS:sanentry-csr-109 \ 127 | -e DNS:sanentry-csr-110 \ 128 | -e DNS:sanentry-csr-111 \ 129 | -e DNS:sanentry-csr-112 \ 130 | -e DNS:sanentry-csr-113 \ 131 | -e DNS:sanentry-csr-114 \ 132 | -e DNS:sanentry-csr-115 \ 133 | -e DNS:sanentry-csr-116 \ 134 | -e DNS:sanentry-csr-117 \ 135 | -e DNS:sanentry-csr-118 \ 136 | -e DNS:sanentry-csr-119 \ 137 | -e DNS:sanentry-csr-120 \ 138 | -e DNS:sanentry-csr-121 \ 139 | -e DNS:sanentry-csr-122 \ 140 | -e DNS:sanentry-csr-123 \ 141 | -e DNS:sanentry-csr-124 \ 142 | -e DNS:sanentry-csr-125 143 | 144 | -------------------------------------------------------------------------------- 
/test/san100gdb.sh:
--------------------------------------------------------------------------------
# Debug harness: runs the 100-entry SAN request under gdb with libpthread
# preloaded. There is no shebang, so only POSIX sh constructs are used below
# (positional parameters stand in for an array) to keep the behaviour the
# same whichever shell executes this file.
n=1
while [ "$n" -le 100 ]; do
    set -- "$@" -e "DNS:sanentry-csr-$n"
    n=$((n+1))
done
LD_PRELOAD=/lib/x86_64-linux-gnu/libpthread.so.0 gdb --args ./p11req -l /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so -m sql:. -i testsan2 -k 2048 -h sha1 -d '/CN=mysantest-100/OU=KMS TS/O=MasterCard Worldwide/C=BE' "$@"
--------------------------------------------------------------------------------
/test/san125.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Copyright (c) 2018 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# One CSR carrying 125 DNS SAN entries; argv is identical to listing every
# "-e DNS:sanentry-csr-N" pair explicitly.
san_entries=()
for n in {1..125}; do
    san_entries+=( -e "DNS:sanentry-csr-$n" )
done

./p11req -l /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so -m sql:. -i testsan2 -k 2048 -h sha1 -d '/CN=mysantest-125/OU=KMS TS/O=MasterCard Worldwide/C=BE' \
    "${san_entries[@]}"

--------------------------------------------------------------------------------
/test/san138.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Copyright (c) 2018 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


# One CSR carrying 138 DNS SAN entries, against slot 1 with an explicit PIN.
# NOTE(review): the PIN is passed with -p on the command line, so it shows
# up in process listings and shell history; the tools also take it from the
# PKCS11PASSWORD environment variable (see the -p description in the sibling
# tools' usage text), which keeps it out of argv.
san_entries=()
for n in {1..138}; do
    san_entries+=( -e "DNS:sanentry-csr-$n" )
done

./p11req -l /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so -m sql:. -i testsan138 -k 2048 -h sha1 -d '/CN=mysantest-138/OU=KMS TS/O=MasterCard Worldwide/C=BE' \
    "${san_entries[@]}" \
    -s 1 -p changeit


--------------------------------------------------------------------------------
/test/san144.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Copyright (c) 2018 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

./p11req -l /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so -m sql:. 
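-i testsan144 -k 2048 -h sha1 -d '/CN=mysantest-144/OU=KMS TS/O=MasterCard Worldwide/C=BE' \
    $(for i in $(seq 1 144); do printf -- '-e DNS:sanentry-csr-%d ' "$i"; done) \
    -s 1 -p changeit


-------------------------------------------------------------------------------- /test/san150.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Test case: CSR with 150 DNS subjectAltName entries.
# A shebang is added: the file had none, so which shell interpreted it depended
# on the caller. seq(1) rather than {1..N} keeps the generated option list
# portable regardless.
# Caveats as for the other san*.sh cases: the softoken test PIN is passed with
# -p and is therefore visible in `ps`, and '-h sha1' is kept only because the
# test targets SAN sizing (some CAs / SHA-1-disabled crypto policies may refuse
# to verify a SHA-1 request signature).
./p11req -l "${PKCS11LIB:-/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so}" -m "${PKCS11NSSDIR:-sql:.}" -i testsan150 -k 2048 -h sha1 -d '/CN=mysantest-150/OU=KMS TS/O=MasterCard Worldwide/C=BE' \
    $(for i in $(seq 1 36); do printf -- '-e DNS:sanentry-csr-%d ' "$i"; done) \
    -e \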
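DNS:sanentry-csr-37 \
    $(for i in $(seq 38 102); do printf -- '-e DNS:sanentry-csr-%d ' "$i"; done) \
    -e \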
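DNS:sanentry-csr-103 \
    $(for i in $(seq 104 150); do printf -- '-e DNS:sanentry-csr-%d ' "$i"; done) \
    -s 1 -p changeit


-------------------------------------------------------------------------------- /test/san50.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Copyright (c) 2018 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Test case: CSR with 50 DNS subjectAltName entries. Unlike the larger cases
# this one passes no -s/-p, so slot and PIN presumably come from p11req's own
# handling (prompt, or PKCS11SLOT/PKCS11PASSWORD as exported by test/with_nss).
# NOTE(review): the key label is 'testsan3' while the CN says 50 -- looks like
# a copy/paste leftover; kept as-is so the existing object label is unchanged.
# '-h sha1' is kept for the same sizing-test reason as the other san*.sh files.
./p11req -l "${PKCS11LIB:-/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so}" -m "${PKCS11NSSDIR:-sql:.}" -i testsan3 -k 2048 -h sha1 -d '/CN=mysantest50' \
    $(for i in $(seq 1 47); do printf -- '-e DNS:sanentry-csr-%d ' "$i"; done) \
    -e \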
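DNS:sanentry-csr-48 \
    -e DNS:sanentry-csr-49 \
    -e DNS:sanentry-csr-50

-------------------------------------------------------------------------------- /test/test.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Copyright (c) 2018 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Runs every command line listed in reqtestcases.txt (one per line), pipes the
# CSR it writes on stdout through `openssl req -verify -noout`, and checks that
# OpenSSL accepts the request's self-signature.

import shlex
import unittest
from subprocess import PIPE, Popen

#
# trick from http://stackoverflow.com/questions/2798956/python-unittest-generate-multiple-tests-programmatically
#
def create_test_req(commandline):
    """Return a test method that runs `commandline` and verifies the CSR it emits.

    commandline: a shell-style command line. It is parsed with shlex so that a
    quoted argument such as -d '/CN=x/O=Some Org' stays one argument; the
    former str.split() would have broken it into several and kept the quotes.
    """
    def do_test_req(self):
        p1 = Popen(shlex.split(commandline), stdout=PIPE)
        p2 = Popen("openssl req -verify -noout".split(), stdin=p1.stdout, stdout=PIPE)
        p1.stdout.close()  # Allow p1 to receive a SIGPIPE if p2 exits.
        output, _ = p2.communicate()
        # p2 has consumed p1's stdout to EOF, so p1 is done (or exiting): reap it
        # and report its status instead of only seeing openssl reject empty input.
        p1.wait()
        self.assertEqual(p1.returncode, 0,
                         "request generation failed (%d): %s" % (p1.returncode, commandline.strip()))
        self.assertEqual(p2.returncode, 0,
                         "openssl req -verify rejected the CSR produced by: %s" % commandline.strip())
    return do_test_req


class TestReq(unittest.TestCase):
    """Holder for the test_req_N methods generated in __main__ below."""
    pass


if __name__ == '__main__':

    # One test method per command line in reqtestcases.txt (read relative to the
    # current directory, as before). Blank and '#' lines are skipped: the former
    # would otherwise reach Popen as an empty argv and error out before any test.
    k = 0
    with open('reqtestcases.txt') as testcases:
        for testcase in testcases:
            if not testcase.strip() or testcase.lstrip().startswith('#'):
                continue
            k += 1
            test_method = create_test_req(testcase)
            test_method.__name__ = 'test_req_%d' % k
            setattr(TestReq, test_method.__name__, test_method)

    unittest.main()

-------------------------------------------------------------------------------- /test/with_nss: --------------------------------------------------------------------------------
#!/bin/bash
# Preset environment for the NSS softoken test database and run "$@" with it.
# Defaults point at the Debian/Ubuntu softoken and at the repository root (this
# script lives in test/), replacing the previous hard-coded developer home
# directory; each value can still be overridden from the caller's environment.
# PKCS11PASSWORD is the softoken *test* PIN and is exported into the child's
# environment (readable by other processes of the same user): do not reuse this
# wrapper as a template for a real token.

PKCS11LIB=${PKCS11LIB:-/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so}
PKCS11NSSDIR=${PKCS11NSSDIR:-sql:$(cd "$(dirname "$0")/.." && pwd)}
PKCS11SLOT=${PKCS11SLOT:-1}
PKCS11PASSWORD=${PKCS11PASSWORD:-changeit}

PKCS11LIB=$PKCS11LIB PKCS11NSSDIR=$PKCS11NSSDIR PKCS11SLOT=$PKCS11SLOT PKCS11PASSWORD=$PKCS11PASSWORD "$@"

-------------------------------------------------------------------------------- /with_aws: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Copyright (c) 2020-2023 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#
# Usage: with_xxxx p11command args... ==> execute the command using presets for the token
#
# each platform has its defaults.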
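#
# if not otherwise specified:
#  - default slot is set to 0 (define PKCS11SLOT or PKCS11TOKENLABEL to override)
#  - default password is generally set to 'changeit' (define PKCS11PASSWORD to override)
#
# You can set all the PKCS11XXXX variables in a configuration file (sourced by this script).
# Two possibilities:
#  - $PWD/.pkcs11rc for a setup bound to a directory
#  - $HOME/.pkcs11rc for a user-wide setup
#
# Security notes:
#  - .pkcs11rc is *executed* by this shell ('source'), so a .pkcs11rc planted in a
#    directory you cd into would run with your privileges. The per-directory file is
#    therefore only honoured when the invoking user owns it; NORC=1 skips both files.
#  - SHIM / SPY traces are verbose dumps of the PKCS#11 calls; they may include the
#    PIN handed to C_Login and key material crossing the API. Write them to a private
#    file, never to a shared location.
#  - PKCS11PASSWORD is exported into the command's environment, where other processes
#    of the same user can read it. On shared hosts prefer leaving it unset and letting
#    the tool prompt.
#
# alternate invocations:
#
# SHIM=/dev/stdout with_xxxx p11command args... ==> to interface with libpkcs11shim.so (github.com/Mastercard/libpkcs11shim) and print to stdout
# SHIM=p11.log with_xxxx p11command args...     ==> to interface with libpkcs11shim.so (github.com/Mastercard/libpkcs11shim) and write logs to p11.log
# SPY=/dev/stdout with_xxxx p11command args...  ==> to interface with pkcs11-spy.so (from OpenSC) and print to stdout
# SPY=p11.log with_xxxx p11command args...      ==> to interface with pkcs11-spy.so (from OpenSC) and write logs to p11.log
# NOSLOT=1 with_xxxx p11command args...         ==> unset slot and token variables, useful to force interactive mode
#                                                   (the script tests NOSLOT for non-emptiness, so it needs a value)
# PKCS11TOKENLABEL="abc" with_xxxx p11command args... ==> you can set all PKCS11 variables you like,
#                                                         including those that are vendor-specific
#
# Note that SPY mode does not support NSS.

PKCS11PASSWORD=${PKCS11PASSWORD:-user:changeit}

#specific to vendor
PKCS11_LIBNAME=libcloudhsm_pkcs11.so
PKCS11_LIBPATHS=( /opt/cloudhsm/lib /usr/local/lib )
LIB_ENVVARS=()

########################################################################

# find_in_paths NAME DIR... : print the first DIR/NAME that exists and return 0;
# otherwise print the sentinel NOT_FOUND and return 1 (callers test the string).
# Everything is 'local' so a lookup cannot leak lib/paths/path into the script,
# and paths are quoted so a directory containing spaces does not break the test.
function find_in_paths()
{
    local name=$1 dir
    shift
    for dir in "$@"; do
        if [ -e "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done

    echo "NOT_FOUND"
    return 1
}

# find_p11_lib: locate the vendor PKCS#11 library in PKCS11_LIBPATHS.
function find_p11_lib()
{
    find_in_paths "${PKCS11_LIBNAME}" "${PKCS11_LIBPATHS[@]}"
}

# find_cfg_file FILE DIR... : locate a configuration file.
# Fixed: the previous body tested "$path/$lib" instead of "$path/$file", i.e. with
# 'lib' unset it matched the first existing directory rather than the file.
function find_cfg_file()
{
    local file=$1
    shift
    find_in_paths "$file" "$@"
}

# find_shim_lib: find libpkcs11shim.so
function find_shim_lib()
{
    find_in_paths libpkcs11shim.so /usr/local/lib /usr/lib
}

# find_spy_lib: find pkcs11-spy.so from OpenSC
function find_spy_lib()
{
    find_in_paths pkcs11-spy.so \
        "/usr/lib/$(uname -m)-linux-gnu/pkcs11" /usr/lib64 /usr/local/lib /usr/local/opt/opensc/lib
}


# source .pkcs11rc from local directory, and if not, from $HOME directory.
# The per-directory file runs with the caller's privileges, so it is only used
# when the caller owns it (-O); otherwise we warn and fall back to $HOME/.pkcs11rc.
# Keep these files 0600: they typically hold PKCS11PASSWORD.
rcfile=
if [ -z "$NORC" ]; then
    if [ -e ./.pkcs11rc ]; then
        if [ -O ./.pkcs11rc ]; then
            rcfile=./.pkcs11rc
        else
            echo "***Warning: ./.pkcs11rc is not owned by you and is ignored (NORC=1 silences this)." >&2
        fi
    fi
    if [ -z "$rcfile" ] && [ -e "$HOME/.pkcs11rc" ]; then
        rcfile=$HOME/.pkcs11rc
    fi
    if [ -n "$rcfile" ]; then
        source "$rcfile"
    fi
fi

################################################################################

# library
PKCS11LIB=${PKCS11LIB:-$(find_p11_lib)}

if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
    echo "***Error: PKCS#11 Library not found, please set PKCS11LIB accordingly." >&2
    exit 1
fi

# if SHIM is set, we want to use the libpkcs11shim
# (diagnostics go to stderr so they never pollute a command's piped stdout,
#  e.g. a CSR being redirected to a file)
if [ -n "$SHIM" ]; then
    echo "SHIM set, trying to hook libpkcs11shim.so, output goes to $SHIM" >&2
    PKCS11SHIM=$PKCS11LIB
    PKCS11SHIM_OUTPUT=$SHIM
    PKCS11LIB=$(find_shim_lib)
    if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
        echo "***Error: libpkcs11shim.so Library not found, can't use SHIM option" >&2
        exit 1
    fi
elif [ -n "$SPY" ]; then
    echo "SPY set, trying to hook pkcs11-spy.so, output goes to $SPY" >&2
    PKCS11SPY=$PKCS11LIB
    PKCS11SPY_OUTPUT=$SPY
    PKCS11LIB=$(find_spy_lib)
    if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
        echo "***Error: pkcs11-spy.so Library not found, can't use SPY option" >&2
        exit 1
    fi
fi


#if NOSLOT is defined, or if PKCS11TOKENLABEL is defined we skip PKCS11SLOT
#(useful for p11slotinfo invocation)
if [ -z "$NOSLOT" ] && [ -z "$PKCS11TOKENLABEL" ]; then
    PKCS11SLOT=${PKCS11SLOT:-0}
fi

# also, if NOSLOT is defined, we unset PKCS11TOKENLABEL and PKCS11SLOT
if [ -n "$NOSLOT" ]; then
    unset PKCS11TOKENLABEL PKCS11SLOT
fi

# Note: there is no default value for PKCS11TOKENLABEL

################################################################################
if [ $# -eq 0 ]; then
    echo "Usage: $(basename "$0") p11command [args...]" >&2
    exit 2
fi

variables=(PKCS11LIB PKCS11NSSDIR PKCS11SLOT PKCS11TOKENLABEL PKCS11PASSWORD \
           PKCS11SHIM PKCS11SHIM_OUTPUT PKCS11SPY PKCS11SPY_OUTPUT)

# Collect NAME=VALUE for every variable that is set, as array elements. The
# values are handed to env(1) verbatim: a password or path containing spaces,
# quotes, ';' or '$' is passed through unchanged. (The previous
# 'eval ${environment[@]} ${quoted[@]}' re-parsed the unquoted values, which
# both mangled such values and let a crafted .pkcs11rc value run arbitrary
# shell commands.)
environment=()
for v in "${variables[@]}" "${LIB_ENVVARS[@]}"; do
    if [ -n "${!v}" ]; then
        environment+=("$v=${!v}")
    fi
done

env "${environment[@]}" "$@"
exit $?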
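
-------------------------------------------------------------------------------- /with_beid: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Copyright (c) 2020 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#
# Usage: with_xxxx p11command args... ==> execute the command using presets for the token
#
# each platform has its defaults.
#
# if not otherwise specified:
#  - default slot is set to 0 (define PKCS11SLOT or PKCS11TOKENLABEL to override)
#  - default password is generally set to 'changeit' (define PKCS11PASSWORD to override);
#    no password is preset for this token
#
# You can set all the PKCS11XXXX variables in a configuration file (sourced by this script).
# Two possibilities:
#  - $PWD/.pkcs11rc for a setup bound to a directory
#  - $HOME/.pkcs11rc for a user-wide setup
#
# Security notes:
#  - .pkcs11rc is *executed* by this shell ('source'), so a .pkcs11rc planted in a
#    directory you cd into would run with your privileges. The per-directory file is
#    therefore only honoured when the invoking user owns it; NORC=1 skips both files.
#  - SHIM / SPY traces are verbose dumps of the PKCS#11 calls; they may include the
#    PIN handed to C_Login. Write them to a private file, never to a shared location.
#  - PKCS11PASSWORD, when set, is exported into the command's environment, where other
#    processes of the same user can read it.
#
# alternate invocations:
#
# SHIM=/dev/stdout with_xxxx p11command args... ==> to interface with libpkcs11shim.so (github.com/Mastercard/libpkcs11shim) and print to stdout
# SHIM=p11.log with_xxxx p11command args...     ==> to interface with libpkcs11shim.so (github.com/Mastercard/libpkcs11shim) and write logs to p11.log
# SPY=/dev/stdout with_xxxx p11command args...  ==> to interface with pkcs11-spy.so (from OpenSC) and print to stdout
# SPY=p11.log with_xxxx p11command args...      ==> to interface with pkcs11-spy.so (from OpenSC) and write logs to p11.log
# NOSLOT=1 with_xxxx p11command args...         ==> unset slot and token variables, useful to force interactive mode
#                                                   (the script tests NOSLOT for non-emptiness, so it needs a value)
# PKCS11TOKENLABEL="abc" with_xxxx p11command args... ==> you can set all PKCS11 variables you like,
#                                                         including those that are vendor-specific
#
# Note that SPY mode does not support NSS.

# Slot preset. Fixed: the unconditional 'PKCS11SLOT=0' silently overrode a slot
# exported by the caller ('PKCS11SLOT=2 with_beid ...' ended up on slot 0).
PKCS11SLOT=${PKCS11SLOT:-0}
# no PKCS11PASSWORD set

#specific to vendor
case $(uname -s) in
    Darwin)
        PKCS11_LIBNAME=libbeidpkcs11.dylib
        ;;
    *)
        PKCS11_LIBNAME=libbeidpkcs11.so
        ;;
esac
PKCS11_LIBPATHS=( /usr/lib "/usr/lib/$(uname -m)-linux-gnu" /usr/local/lib /usr/local/lib/pkcs11 )

LIB_ENVVARS=()

########################################################################

# find_in_paths NAME DIR... : print the first DIR/NAME that exists and return 0;
# otherwise print the sentinel NOT_FOUND and return 1 (callers test the string).
# Everything is 'local' so a lookup cannot leak lib/paths/path into the script,
# and paths are quoted so a directory containing spaces does not break the test.
function find_in_paths()
{
    local name=$1 dir
    shift
    for dir in "$@"; do
        if [ -e "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done

    echo "NOT_FOUND"
    return 1
}

# find_p11_lib: locate the vendor PKCS#11 library in PKCS11_LIBPATHS.
function find_p11_lib()
{
    find_in_paths "${PKCS11_LIBNAME}" "${PKCS11_LIBPATHS[@]}"
}

# find_cfg_file FILE DIR... : locate a configuration file.
# Fixed: the previous body tested "$path/$lib" instead of "$path/$file", i.e. with
# 'lib' unset it matched the first existing directory rather than the file.
function find_cfg_file()
{
    local file=$1
    shift
    find_in_paths "$file" "$@"
}

# find_shim_lib: find libpkcs11shim.so
function find_shim_lib()
{
    find_in_paths libpkcs11shim.so /usr/local/lib /usr/lib
}

# find_spy_lib: find pkcs11-spy.so from OpenSC
function find_spy_lib()
{
    find_in_paths pkcs11-spy.so \
        "/usr/lib/$(uname -m)-linux-gnu/pkcs11" /usr/lib64 /usr/local/lib /usr/local/opt/opensc/lib
}


# source .pkcs11rc from local directory, and if not, from $HOME directory.
# The per-directory file runs with the caller's privileges, so it is only used
# when the caller owns it (-O); otherwise we warn and fall back to $HOME/.pkcs11rc.
# Keep these files 0600: they may hold PKCS11PASSWORD.
rcfile=
if [ -z "$NORC" ]; then
    if [ -e ./.pkcs11rc ]; then
        if [ -O ./.pkcs11rc ]; then
            rcfile=./.pkcs11rc
        else
            echo "***Warning: ./.pkcs11rc is not owned by you and is ignored (NORC=1 silences this)." >&2
        fi
    fi
    if [ -z "$rcfile" ] && [ -e "$HOME/.pkcs11rc" ]; then
        rcfile=$HOME/.pkcs11rc
    fi
    if [ -n "$rcfile" ]; then
        source "$rcfile"
    fi
fi

################################################################################

# library
PKCS11LIB=${PKCS11LIB:-$(find_p11_lib)}

if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
    echo "***Error: PKCS#11 Library not found, please set PKCS11LIB accordingly." >&2
    exit 1
fi

# if SHIM is set, we want to use the libpkcs11shim
# (diagnostics go to stderr so they never pollute a command's piped stdout)
if [ -n "$SHIM" ]; then
    echo "SHIM set, trying to hook libpkcs11shim.so, output goes to $SHIM" >&2
    PKCS11SHIM=$PKCS11LIB
    PKCS11SHIM_OUTPUT=$SHIM
    PKCS11LIB=$(find_shim_lib)
    if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
        echo "***Error: libpkcs11shim.so Library not found, can't use SHIM option" >&2
        exit 1
    fi
elif [ -n "$SPY" ]; then
    echo "SPY set, trying to hook pkcs11-spy.so, output goes to $SPY" >&2
    PKCS11SPY=$PKCS11LIB
    PKCS11SPY_OUTPUT=$SPY
    PKCS11LIB=$(find_spy_lib)
    if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
        echo "***Error: pkcs11-spy.so Library not found, can't use SPY option" >&2
        exit 1
    fi
fi


#if NOSLOT is defined, or if PKCS11TOKENLABEL is defined we skip PKCS11SLOT
#(useful for p11slotinfo invocation)
if [ -z "$NOSLOT" ] && [ -z "$PKCS11TOKENLABEL" ]; then
    PKCS11SLOT=${PKCS11SLOT:-0}
fi

# also, if NOSLOT is defined, we unset PKCS11TOKENLABEL and PKCS11SLOT
if [ -n "$NOSLOT" ]; then
    unset PKCS11TOKENLABEL PKCS11SLOT
fi

# Note: there is no default value for PKCS11TOKENLABEL

################################################################################
if [ $# -eq 0 ]; then
    echo "Usage: $(basename "$0") p11command [args...]" >&2
    exit 2
fi

variables=(PKCS11LIB PKCS11NSSDIR PKCS11SLOT PKCS11TOKENLABEL PKCS11PASSWORD \
           PKCS11SHIM PKCS11SHIM_OUTPUT PKCS11SPY PKCS11SPY_OUTPUT)

# Collect NAME=VALUE for every variable that is set, as array elements. The
# values are handed to env(1) verbatim: a password or path containing spaces,
# quotes, ';' or '$' is passed through unchanged. (The previous
# 'eval ${environment[@]} ${quoted[@]}' re-parsed the unquoted values, which
# both mangled such values and let a crafted .pkcs11rc value run arbitrary
# shell commands.)
environment=()
for v in "${variables[@]}" "${LIB_ENVVARS[@]}"; do
    if [ -n "${!v}" ]; then
        environment+=("$v=${!v}")
    fi
done

env "${environment[@]}" "$@"
exit $?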


-------------------------------------------------------------------------------- /with_luna: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Copyright (c) 2020 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#
# Usage: with_xxxx p11command args... ==> execute the command using presets for the token
#
# each platform has its defaults.
#
# if not otherwise specified:
#  - default slot is set to 0 (define PKCS11SLOT or PKCS11TOKENLABEL to override)
#  - default password is generally set to 'changeit' (define PKCS11PASSWORD to override)
#
# You can set all the PKCS11XXXX variables in a configuration file (sourced by this script).
# Two possibilities:
#  - $PWD/.pkcs11rc for a setup bound to a directory
#  - $HOME/.pkcs11rc for a user-wide setup
#   (the file is sourced, i.e. executed with your privileges: keep it owned by you and 0600)
#
# alternate invocations:
#
# SPY=/dev/stdout with_xxxx p11command args... ==> to interface with pkcs11-spy.so (from OpenSC) and print to stdout
# SPY=p11.log with_xxxx p11command args... ==> to interface with pkcs11-spy.so (from OpenSC) and write logs to p11.log
#   (the trace may contain the PIN passed to C_Login: do not write it to a shared location)
# NOSLOT=1 with_xxxx p11command args... ==> unset slot and token variables, useful to force interactive mode
#   (the script tests NOSLOT for non-emptiness, so it must be given a value)
# PKCS11TOKENLABEL="abc" with_xxxx p11command args...
==> you can set all PKCS11 variables you like, 36 | # including those that are vendor-specific 37 | # 38 | # Note that SPY mode does not support NSS. 39 | 40 | PKCS11PASSWORD=${PKCS11PASSWORD:-changeit} 41 | 42 | #specific to vendor 43 | PKCS11_LIBNAME=libCryptoki2_64.so 44 | PKCS11_LIBPATHS=(/usr/lib /usr/safenet/lunaclient/lib /opt/safenet/lunaclient/lib) 45 | LIB_ENVVARS=() 46 | 47 | ######################################################################## 48 | 49 | # find_p11_lib: a trivial function to find a library. 50 | function find_p11_lib() 51 | { 52 | lib=${PKCS11_LIBNAME} 53 | paths=${PKCS11_LIBPATHS[@]} 54 | 55 | for path in ${paths[@]}; do 56 | if [ -e $path/$lib ]; then 57 | echo $path/$lib 58 | return 0 59 | fi 60 | done 61 | 62 | echo "NOT_FOUND" 63 | return 1 64 | } 65 | 66 | # find a configuration file, provided a file name and paths 67 | function find_cfg_file() 68 | { 69 | file=$1 # file name in $1 70 | paths=${@:2} # paths is an array ($2, $3, ...) 71 | 72 | for path in ${paths[@]}; do 73 | if [ -e $path/$lib ]; then 74 | echo $path/$lib 75 | return 0 76 | fi 77 | done 78 | 79 | echo "NOT_FOUND" 80 | return 1 81 | } 82 | 83 | # find_shim_lib: find libpkcs11shim.so 84 | function find_shim_lib() 85 | { 86 | lib=libpkcs11shim.so 87 | case "$(uname -s)" in 88 | *) 89 | paths=( /usr/local/lib /usr/lib ) 90 | ;; 91 | esac 92 | 93 | for path in ${paths[@]}; do 94 | if [ -e $path/$lib ]; then 95 | echo $path/$lib 96 | return 0 97 | fi 98 | done 99 | 100 | echo "NOT_FOUND" 101 | return 1 102 | } 103 | 104 | # find_spy_lib: find pkcs11-spy.so from OpenSC 105 | function find_spy_lib() 106 | { 107 | lib=pkcs11-spy.so 108 | paths=( /usr/lib/$(uname -m)-linux-gnu/pkcs11 /usr/lib64 /usr/local/lib /usr/local/opt/opensc/lib ) 109 | 110 | for path in ${paths[@]}; do 111 | if [ -e $path/$lib ]; then 112 | echo $path/$lib 113 | return 0 114 | fi 115 | done 116 | 117 | echo "NOT_FOUND" 118 | return 1 119 | } 120 | function find_spy_lib() 121 | { 122 | 
lib=pkcs11-spy.so 123 | paths=( /usr/lib/$(uname -m)-linux-gnu/pkcs11 /usr/lib64 /usr/local/lib /usr/local/opt/opensc/lib ) 124 | 125 | for path in ${paths[@]}; do 126 | if [ -e $path/$lib ]; then 127 | echo $path/$lib 128 | return 0 129 | fi 130 | done 131 | 132 | echo "NOT_FOUND" 133 | return 1 134 | } 135 | 136 | 137 | # source .pkcs11rc from local directory, and if not, from $HOME directory 138 | if [ -z "$NORC" ]; then 139 | if [ -e ./.pkcs11rc ]; then 140 | source ./.pkcs11rc 141 | elif [ -e $HOME/.pkcs11rc ]; then 142 | source $HOME/.pkcs11rc 143 | fi 144 | fi 145 | 146 | ################################################################################ 147 | 148 | # library 149 | PKCS11LIB=${PKCS11LIB:-$(find_p11_lib)} 150 | 151 | if [ "$PKCS11LIB" == "NOT_FOUND" ]; then 152 | echo "***Error: PKCS#11 Library not found, please set PKCS11LIB accordingly." 153 | exit 1 154 | fi 155 | 156 | # if SHIM is set, we want to use the libpkcs11shim 157 | # 158 | if [ -n "$SHIM" ]; then 159 | echo "SHIM set, trying to hook libpkcs11shim.so, output goes to $SHIM" 160 | PKCS11SHIM=$PKCS11LIB 161 | PKCS11SHIM_OUTPUT=$SHIM 162 | PKCS11LIB=$(find_shim_lib) 163 | if [ "$PKCS11LIB" == "NOT_FOUND" ]; then 164 | echo "***Error: libpkcs11shim.so Library not found, can't use SHIM option" 165 | exit 1 166 | fi 167 | elif [ -n "$SPY" ]; then 168 | echo "SPY set, trying to hook pkcs11-spy.so, output goes to $SPY" 169 | PKCS11SPY=$PKCS11LIB 170 | PKCS11SPY_OUTPUT=$SPY 171 | PKCS11LIB=$(find_spy_lib) 172 | if [ "$PKCS11LIB" == "NOT_FOUND" ]; then 173 | echo "***Error: pkcs11-spy.so Library not found, can't use SPY option" 174 | exit 1 175 | fi 176 | fi 177 | 178 | 179 | #if NOSLOT is defined, or if PKCS11TOKENLABEL is defined we skip PKCS11SLOT 180 | #(useful for p11slotinfo invocation) 181 | if [ -z "$NOSLOT" -a -z "$PKCS11TOKENLABEL" ]; then 182 | PKCS11SLOT=${PKCS11SLOT:-0} 183 | fi 184 | 185 | # also, if NOSLOT is defined, we unset PKCS11TOKENLABEL and PKCS11SLOT 186 | if [ -n 
"$NOSLOT" ]; then 187 | unset PKCS11TOKENLABEL PKCS11SLOT 188 | fi 189 | 190 | # Note: there is no default value for PKCS11TOKENLABEL 191 | 192 | ################################################################################ 193 | variables=(PKCS11LIB PKCS11NSSDIR PKCS11SLOT PKCS11TOKENLABEL PKCS11PASSWORD \ 194 | PKCS11SHIM PKCS11SHIM_OUTPUT PKCS11SPY PKCS11SPY_OUTPUT) 195 | 196 | environment= 197 | for v in ${variables[@]}; do 198 | if [ -n "${!v}" ]; then 199 | environment+=("$v=${!v}") 200 | fi 201 | done 202 | 203 | for v in ${LIB_ENVVARS[@]}; do 204 | if [ -n "${!v}" ]; then 205 | environment+=("$v=${!v}") 206 | fi 207 | done 208 | 209 | quoted= 210 | for item in "$@"; do 211 | quoted+=($(printf "%q" "$item")) 212 | done 213 | 214 | eval ${environment[@]} ${quoted[@]} 215 | exit $? 216 | -------------------------------------------------------------------------------- /with_nfast: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Copyright (c) 2020 Mastercard 3 | 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # 17 | # Usage: with_xxxx p11command args... ==> execute the command using presets for the token 18 | # 19 | # each platform has its defaults. 
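#
# if not otherwise specified:
# - default slot is set to 0 unless the vendor section below says otherwise
#   (define PKCS11SLOT or PKCS11TOKENLABEL to override)
# - default password is generally set to 'changeit' (define PKCS11PASSWORD to override)
#
# You can set all the PKCS11XXXX variables in a configuration file (sourced by this script).
# Two possibilities:
# - $PWD/.pkcs11rc for a setup bound to a directory
# - $HOME/.pkcs11rc for a user-wide setup
#
# alternate invocations:
#
# SPY=/dev/stdout with_xxxx p11command args... ==> to interface with pkcs11-spy.so (from OpenSC) and print to stdout
# SPY=p11.log with_xxxx p11command args... ==> to interface with pkcs11-spy.so (from OpenSC) and write logs to p11.log
# NOSLOT=1 with_xxxx p11command args... ==> unset slot and token variables, useful to force interactive mode
#                                           (the script tests that NOSLOT is non-empty, so it must be assigned a value)
# PKCS11TOKENLABEL="abc" with_xxxx p11command args... ==> you can set all PKCS11 variables you like,
# including those that are vendor-specific
#
# Note that SPY mode does not support NSS.

# OCS is the second slot, after the accelerator slot. Only a default: an
# explicit PKCS11SLOT from the environment is kept, as the header promises
# (an unconditional assignment used to discard it).
PKCS11SLOT=${PKCS11SLOT:-1}
PKCS11PASSWORD=${PKCS11PASSWORD:-changeit}

#specific to vendor
PKCS11_LIBNAME=libcknfast.so
PKCS11_LIBPATHS=( /opt/nfast/toolkits/pkcs11 )
LIB_ENVVARS=(CKNFAST_LOADSHARING CKNFAST_FAKE_ACCELERATOR_LOGIN CKNFAST_DEBUG CKNFAST_DEBUGDIR CKNFAST_OVERRIDE_SECURITY_ASSURANCES)

# vendor defaults; the header allows vendor-specific variables to be preset by
# the caller, so these are defaults rather than overrides as well.
CKNFAST_LOADSHARING=${CKNFAST_LOADSHARING:-1}
CKNFAST_FAKE_ACCELERATOR_LOGIN=${CKNFAST_FAKE_ACCELERATOR_LOGIN:-1}
# CKNFAST_DEBUG=9
# CKNFAST_DEBUGDIR=/var/tmp
# CKNFAST_OVERRIDE_SECURITY_ASSURANCES=all

########################################################################

# find_p11_lib: a trivial function to find a library.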
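function find_p11_lib()
{
    # locate the vendor PKCS#11 library (PKCS11_LIBNAME) in PKCS11_LIBPATHS
    _find_in_paths "${PKCS11_LIBNAME}" "${PKCS11_LIBPATHS[@]}"
}

# find_cfg_file FILE DIR...: locate a configuration file in the given directories.
# (previously the loop tested $lib instead of $file, so FILE could never be found)
function find_cfg_file()
{
    _find_in_paths "$1" "${@:2}"
}

# find_shim_lib: find libpkcs11shim.so (same candidate directories on every platform for now)
function find_shim_lib()
{
    _find_in_paths libpkcs11shim.so /usr/local/lib /usr/lib
}

# find_spy_lib: find pkcs11-spy.so from OpenSC
function find_spy_lib()
{
    _find_in_paths pkcs11-spy.so \
        "/usr/lib/$(uname -m)-linux-gnu/pkcs11" /usr/lib64 /usr/local/lib /usr/local/opt/opensc/lib
}

# _find_in_paths NAME DIR...: shared lookup used by the finders above.
# Prints DIR/NAME for the first DIR where it exists and returns 0; otherwise
# prints NOT_FOUND and returns 1. Callers compare the printed value against
# "NOT_FOUND", so that sentinel is part of the contract.
function _find_in_paths()
{
    local name=$1
    local dir
    for dir in "${@:2}"; do
        if [ -e "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done

    echo "NOT_FOUND"
    return 1
}


# source .pkcs11rc from local directory, and if not, from $HOME directory.
# Whatever that file contains runs with this user's rights, so only invoke the
# wrapper from directories whose .pkcs11rc you trust (or set NORC to skip it).
if [ -z "$NORC" ]; then
    if [ -e ./.pkcs11rc ]; then
        source ./.pkcs11rc
    elif [ -e "$HOME/.pkcs11rc" ]; then
        source "$HOME/.pkcs11rc"
    fi
fi

################################################################################

# a command to wrap is mandatory; without one the eval at the bottom would only
# evaluate the variable assignments and exit 0 silently.
if [ $# -eq 0 ]; then
    echo "Usage: $0 p11command args..." >&2
    exit 2
fi

# library
PKCS11LIB=${PKCS11LIB:-$(find_p11_lib)}

if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
    echo "***Error: PKCS#11 Library not found, please set PKCS11LIB accordingly." >&2
    exit 1
fi

# if SHIM is set, we want to use the libpkcs11shim
# (diagnostics go to stderr so they never mix with the wrapped command's output)
if [ -n "$SHIM" ]; then
    echo "SHIM set, trying to hook libpkcs11shim.so, output goes to $SHIM" >&2
    PKCS11SHIM=$PKCS11LIB
    PKCS11SHIM_OUTPUT=$SHIM
    PKCS11LIB=$(find_shim_lib)
    if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
        echo "***Error: libpkcs11shim.so Library not found, can't use SHIM option" >&2
        exit 1
    fi
elif [ -n "$SPY" ]; then
    echo "SPY set, trying to hook pkcs11-spy.so, output goes to $SPY" >&2
    PKCS11SPY=$PKCS11LIB
    PKCS11SPY_OUTPUT=$SPY
    PKCS11LIB=$(find_spy_lib)
    if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
        echo "***Error: pkcs11-spy.so Library not found, can't use SPY option" >&2
        exit 1
    fi
fi

# if NOSLOT is defined, or if PKCS11TOKENLABEL is defined, we skip PKCS11SLOT
# (useful for p11slotinfo invocation)
if [ -z "$NOSLOT" ] && [ -z "$PKCS11TOKENLABEL" ]; then
    PKCS11SLOT=${PKCS11SLOT:-0}
fi

# also, if NOSLOT is defined, we unset PKCS11TOKENLABEL and PKCS11SLOT
if [ -n "$NOSLOT" ]; then
    unset PKCS11TOKENLABEL PKCS11SLOT
fi

# Note: there is no default value for PKCS11TOKENLABEL

################################################################################
variables=(PKCS11LIB PKCS11NSSDIR PKCS11SLOT PKCS11TOKENLABEL PKCS11PASSWORD \
           PKCS11SHIM PKCS11SHIM_OUTPUT PKCS11SPY PKCS11SPY_OUTPUT)

# Build NAME=VALUE prefixes for every variable that is set (generic ones first,
# then the vendor-specific LIB_ENVVARS). Each value is shell-quoted with
# printf %q: the eval below re-parses the words, so an unquoted value holding
# a space or a $ would otherwise be split into extra words or expanded.
environment=()
for v in "${variables[@]}" "${LIB_ENVVARS[@]}"; do
    if [ -n "${!v}" ]; then
        environment+=("$v=$(printf '%q' "${!v}")")
    fi
done

# Same treatment for the wrapped command line, so each argument stays one word.
quoted=()
for item in "$@"; do
    quoted+=("$(printf '%q' "$item")")
done

# eval is required here: NAME=VALUE words produced by an expansion are not
# treated as assignment prefixes by bash. Everything passed to it is %q-quoted.
eval "${environment[@]}" "${quoted[@]}"
exit $?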
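
--------------------------------------------------------------------------------
/with_nss:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Copyright (c) 2020 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#
# Usage: with_xxxx p11command args... ==> execute the command using presets for the token
#
# each platform has its defaults.
#
# if not otherwise specified:
# - default slot is set to 0 unless the vendor section below says otherwise
#   (define PKCS11SLOT or PKCS11TOKENLABEL to override)
# - default password is generally set to 'changeit' (define PKCS11PASSWORD to override)
#
# You can set all the PKCS11XXXX variables in a configuration file (sourced by this script).
# Two possibilities:
# - $PWD/.pkcs11rc for a setup bound to a directory
# - $HOME/.pkcs11rc for a user-wide setup
#
# alternate invocations:
#
# SPY=/dev/stdout with_xxxx p11command args... ==> to interface with pkcs11-spy.so (from OpenSC) and print to stdout
# SPY=p11.log with_xxxx p11command args... ==> to interface with pkcs11-spy.so (from OpenSC) and write logs to p11.log
# NOSLOT=1 with_xxxx p11command args... ==> unset slot and token variables, useful to force interactive mode
#                                           (the script tests that NOSLOT is non-empty, so it must be assigned a value)
# PKCS11TOKENLABEL="abc" with_xxxx p11command args... ==> you can set all PKCS11 variables you like,
# including those that are vendor-specific
#
# Note that SPY mode does not support NSS.

# defaults only: values already present in the environment are kept, as the
# header promises (unconditional assignments used to discard them)
PKCS11SLOT=${PKCS11SLOT:-1}
PKCS11PASSWORD=${PKCS11PASSWORD:-changeit}
# by default, we are looking for an NSS db inside the current directory
PKCS11NSSDIR=${PKCS11NSSDIR:-sql:.}

# to create your NSS token:
# $ modutil -dbdir sql:. -create
# $ modutil -dbdir sql:. -changepw "NSS Certificate DB"

#specific to vendor
case $(uname -s) in
    Darwin)
        PKCS11_LIBNAME=libsoftokn3.dylib
        ;;
    *)
        PKCS11_LIBNAME=libsoftokn3.so
        ;;
esac
PKCS11_LIBPATHS=( /usr/lib "/usr/lib/$(uname -m)-linux-gnu/nss" /usr/lib64 /usr/local/lib /usr/local/opt/nss/lib )

LIB_ENVVARS=()

########################################################################

# find_p11_lib: locate the vendor PKCS#11 library (PKCS11_LIBNAME) in PKCS11_LIBPATHS.
function find_p11_lib()
{
    _find_in_paths "${PKCS11_LIBNAME}" "${PKCS11_LIBPATHS[@]}"
}

# find_cfg_file FILE DIR...: locate a configuration file in the given directories.
# (previously the loop tested $lib instead of $file, so FILE could never be found)
function find_cfg_file()
{
    _find_in_paths "$1" "${@:2}"
}

# find_shim_lib: find libpkcs11shim.so (same candidate directories on every platform for now)
function find_shim_lib()
{
    _find_in_paths libpkcs11shim.so /usr/local/lib /usr/lib
}

# find_spy_lib: find pkcs11-spy.so from OpenSC
function find_spy_lib()
{
    _find_in_paths pkcs11-spy.so \
        "/usr/lib/$(uname -m)-linux-gnu/pkcs11" /usr/lib64 /usr/local/lib /usr/local/opt/opensc/lib
}

# _find_in_paths NAME DIR...: shared lookup used by the finders above.
# Prints DIR/NAME for the first DIR where it exists and returns 0; otherwise
# prints NOT_FOUND and returns 1. Callers compare the printed value against
# "NOT_FOUND", so that sentinel is part of the contract.
function _find_in_paths()
{
    local name=$1
    local dir
    for dir in "${@:2}"; do
        if [ -e "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done

    echo "NOT_FOUND"
    return 1
}


# source .pkcs11rc from local directory, and if not, from $HOME directory.
# Whatever that file contains runs with this user's rights, so only invoke the
# wrapper from directories whose .pkcs11rc you trust (or set NORC to skip it).
if [ -z "$NORC" ]; then
    if [ -e ./.pkcs11rc ]; then
        source ./.pkcs11rc
    elif [ -e "$HOME/.pkcs11rc" ]; then
        source "$HOME/.pkcs11rc"
    fi
fi

################################################################################

# a command to wrap is mandatory; without one the eval at the bottom would only
# evaluate the variable assignments and exit 0 silently.
if [ $# -eq 0 ]; then
    echo "Usage: $0 p11command args..." >&2
    exit 2
fi

# library
PKCS11LIB=${PKCS11LIB:-$(find_p11_lib)}

if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
    echo "***Error: PKCS#11 Library not found, please set PKCS11LIB accordingly." >&2
    exit 1
fi

# if SHIM is set, we want to use the libpkcs11shim
# (diagnostics go to stderr so they never mix with the wrapped command's output)
if [ -n "$SHIM" ]; then
    echo "SHIM set, trying to hook libpkcs11shim.so, output goes to $SHIM" >&2
    PKCS11SHIM=$PKCS11LIB
    PKCS11SHIM_OUTPUT=$SHIM
    PKCS11LIB=$(find_shim_lib)
    if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
        echo "***Error: libpkcs11shim.so Library not found, can't use SHIM option" >&2
        exit 1
    fi
elif [ -n "$SPY" ]; then
    echo "SPY set, trying to hook pkcs11-spy.so, output goes to $SPY" >&2
    PKCS11SPY=$PKCS11LIB
    PKCS11SPY_OUTPUT=$SPY
    PKCS11LIB=$(find_spy_lib)
    if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
        echo "***Error: pkcs11-spy.so Library not found, can't use SPY option" >&2
        exit 1
    fi
fi

# if NOSLOT is defined, or if PKCS11TOKENLABEL is defined, we skip PKCS11SLOT
# (useful for p11slotinfo invocation)
if [ -z "$NOSLOT" ] && [ -z "$PKCS11TOKENLABEL" ]; then
    PKCS11SLOT=${PKCS11SLOT:-0}
fi

# also, if NOSLOT is defined, we unset PKCS11TOKENLABEL and PKCS11SLOT
if [ -n "$NOSLOT" ]; then
    unset PKCS11TOKENLABEL PKCS11SLOT
fi

# Note: there is no default value for PKCS11TOKENLABEL

################################################################################
variables=(PKCS11LIB PKCS11NSSDIR PKCS11SLOT PKCS11TOKENLABEL PKCS11PASSWORD \
           PKCS11SHIM PKCS11SHIM_OUTPUT PKCS11SPY PKCS11SPY_OUTPUT)

# Build NAME=VALUE prefixes for every variable that is set (generic ones first,
# then the vendor-specific LIB_ENVVARS). Each value is shell-quoted with
# printf %q: the eval below re-parses the words, so an unquoted value holding
# a space or a $ would otherwise be split into extra words or expanded.
environment=()
for v in "${variables[@]}" "${LIB_ENVVARS[@]}"; do
    if [ -n "${!v}" ]; then
        environment+=("$v=$(printf '%q' "${!v}")")
    fi
done

# Same treatment for the wrapped command line, so each argument stays one word.
quoted=()
for item in "$@"; do
    quoted+=("$(printf '%q' "$item")")
done

# eval is required here: NAME=VALUE words produced by an expansion are not
# treated as assignment prefixes by bash. Everything passed to it is %q-quoted.
eval "${environment[@]}" "${quoted[@]}"
exit $?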
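
--------------------------------------------------------------------------------
/with_softhsm:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Copyright (c) 2020 Mastercard

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#
# Usage: with_xxxx p11command args... ==> execute the command using presets for the token
#
# each platform has its defaults.
#
# if not otherwise specified:
# - default slot is set to 0 (define PKCS11SLOT or PKCS11TOKENLABEL to override)
# - default password is generally set to 'changeit' (define PKCS11PASSWORD to override)
#
# You can set all the PKCS11XXXX variables in a configuration file (sourced by this script).
# Two possibilities:
# - $PWD/.pkcs11rc for a setup bound to a directory
# - $HOME/.pkcs11rc for a user-wide setup
#
# alternate invocations:
#
# SPY=/dev/stdout with_xxxx p11command args... ==> to interface with pkcs11-spy.so (from OpenSC) and print to stdout
# SPY=p11.log with_xxxx p11command args... ==> to interface with pkcs11-spy.so (from OpenSC) and write logs to p11.log
# NOSLOT=1 with_xxxx p11command args... ==> unset slot and token variables, useful to force interactive mode
#                                           (the script tests that NOSLOT is non-empty, so it must be assigned a value)
# PKCS11TOKENLABEL="abc" with_xxxx p11command args... ==> you can set all PKCS11 variables you like,
# including those that are vendor-specific
#
# Note that SPY mode does not support NSS.

PKCS11PASSWORD=${PKCS11PASSWORD:-changeit}

#specific to vendor
PKCS11_LIBNAME=libsofthsm2.so
PKCS11_LIBPATHS=( /usr/local/lib/softhsm /usr/lib/softhsm /usr/lib /usr/lib64 /usr/local/opt/softhsm/lib/softhsm )
LIB_ENVVARS=(SOFTHSM2_CONF)

########################################################################

# find_p11_lib: locate the vendor PKCS#11 library (PKCS11_LIBNAME) in PKCS11_LIBPATHS.
function find_p11_lib()
{
    _find_in_paths "${PKCS11_LIBNAME}" "${PKCS11_LIBPATHS[@]}"
}

# find_cfg_file FILE DIR...: locate a configuration file in the given directories.
# (previously the loop tested $lib instead of $file, so FILE could never be found)
function find_cfg_file()
{
    _find_in_paths "$1" "${@:2}"
}

# find_shim_lib: find libpkcs11shim.so (same candidate directories on every platform for now)
function find_shim_lib()
{
    _find_in_paths libpkcs11shim.so /usr/local/lib /usr/lib
}

# find_spy_lib: find pkcs11-spy.so from OpenSC
function find_spy_lib()
{
    _find_in_paths pkcs11-spy.so \
        "/usr/lib/$(uname -m)-linux-gnu/pkcs11" /usr/lib64 /usr/local/lib /usr/local/opt/opensc/lib
}

# _find_in_paths NAME DIR...: shared lookup used by the finders above.
# Prints DIR/NAME for the first DIR where it exists and returns 0; otherwise
# prints NOT_FOUND and returns 1. Callers compare the printed value against
# "NOT_FOUND", so that sentinel is part of the contract.
function _find_in_paths()
{
    local name=$1
    local dir
    for dir in "${@:2}"; do
        if [ -e "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done

    echo "NOT_FOUND"
    return 1
}


# source .pkcs11rc from local directory, and if not, from $HOME directory.
# Whatever that file contains runs with this user's rights, so only invoke the
# wrapper from directories whose .pkcs11rc you trust (or set NORC to skip it).
if [ -z "$NORC" ]; then
    if [ -e ./.pkcs11rc ]; then
        source ./.pkcs11rc
    elif [ -e "$HOME/.pkcs11rc" ]; then
        source "$HOME/.pkcs11rc"
    fi
fi

################################################################################

# a command to wrap is mandatory; without one the eval at the bottom would only
# evaluate the variable assignments and exit 0 silently.
if [ $# -eq 0 ]; then
    echo "Usage: $0 p11command args..." >&2
    exit 2
fi

# library
PKCS11LIB=${PKCS11LIB:-$(find_p11_lib)}

if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
    echo "***Error: PKCS#11 Library not found, please set PKCS11LIB accordingly." >&2
    exit 1
fi

# if SHIM is set, we want to use the libpkcs11shim
# (diagnostics go to stderr so they never mix with the wrapped command's output)
if [ -n "$SHIM" ]; then
    echo "SHIM set, trying to hook libpkcs11shim.so, output goes to $SHIM" >&2
    PKCS11SHIM=$PKCS11LIB
    PKCS11SHIM_OUTPUT=$SHIM
    PKCS11LIB=$(find_shim_lib)
    if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
        echo "***Error: libpkcs11shim.so Library not found, can't use SHIM option" >&2
        exit 1
    fi
elif [ -n "$SPY" ]; then
    echo "SPY set, trying to hook pkcs11-spy.so, output goes to $SPY" >&2
    PKCS11SPY=$PKCS11LIB
    PKCS11SPY_OUTPUT=$SPY
    PKCS11LIB=$(find_spy_lib)
    if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
        echo "***Error: pkcs11-spy.so Library not found, can't use SPY option" >&2
        exit 1
    fi
fi

# if NOSLOT is defined, or if PKCS11TOKENLABEL is defined, we skip PKCS11SLOT
# (useful for p11slotinfo invocation)
if [ -z "$NOSLOT" ] && [ -z "$PKCS11TOKENLABEL" ]; then
    PKCS11SLOT=${PKCS11SLOT:-0}
fi

# also, if NOSLOT is defined, we unset PKCS11TOKENLABEL and PKCS11SLOT
if [ -n "$NOSLOT" ]; then
    unset PKCS11TOKENLABEL PKCS11SLOT
fi

# Note: there is no default value for PKCS11TOKENLABEL

################################################################################
variables=(PKCS11LIB PKCS11NSSDIR PKCS11SLOT PKCS11TOKENLABEL PKCS11PASSWORD \
           PKCS11SHIM PKCS11SHIM_OUTPUT PKCS11SPY PKCS11SPY_OUTPUT)

# Build NAME=VALUE prefixes for every variable that is set (generic ones first,
# then the vendor-specific LIB_ENVVARS). Each value is shell-quoted with
# printf %q: the eval below re-parses the words, so an unquoted value holding
# a space or a $ would otherwise be split into extra words or expanded.
environment=()
for v in "${variables[@]}" "${LIB_ENVVARS[@]}"; do
    if [ -n "${!v}" ]; then
        environment+=("$v=$(printf '%q' "${!v}")")
    fi
done

# Same treatment for the wrapped command line, so each argument stays one word.
quoted=()
for item in "$@"; do
    quoted+=("$(printf '%q' "$item")")
done

# eval is required here: NAME=VALUE words produced by an expansion are not
# treated as assignment prefixes by bash. Everything passed to it is %q-quoted.
eval "${environment[@]}" "${quoted[@]}"
exit $?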
201 | --------------------------------------------------------------------------------