├── .env ├── .github ├── build-pkg-git.sh ├── build-pkg.sh └── workflows │ ├── debian-packaging.yml │ └── main.yml ├── .travis.yml ├── CHANGELOG.md ├── Dockerfile.debian ├── Dockerfile.debian-pkg ├── Dockerfile.ubuntu-trusty ├── ISSUES.md ├── LICENSE.txt ├── Makefile.Unix.in ├── Makefile.Win32.in ├── README.md ├── autoclean.sh ├── autogen.sh ├── config.guess ├── configure-win32.ac ├── configure.ac ├── doc ├── DEPS.md ├── FILTER.md ├── INDEX.md ├── PRE-BUILD.md ├── SERVER-CONF.md └── WIN32.md ├── docker-compose-unix.yml ├── docker-compose.yml ├── m4 └── ax_compare_version.m4 ├── scripts └── pkcs11proxyd.in └── src ├── bindings-pkcs11 ├── Makefile.in ├── Makefile.standalone.in ├── PRESENT_tables.h ├── helpers_pkcs11.h ├── original_pkcs11.h ├── pkcs11.cocci.new ├── pkcs11.cocci.old ├── pkcs11.h ├── pkcs11.idl ├── pkcs11.ml ├── pkcs11.mli ├── pkcs11_aliasing.h ├── pkcs11_functions.c ├── pkcs11_functions.h ├── pkcs11_stubs.c └── pkcs11_stubs.cocci ├── client-lib ├── Makefile.Win32 ├── Makefile.Win32.mingw ├── Makefile.in ├── client.ml ├── modwrap.c ├── modwrap.h ├── modwrap_camlrpc.c ├── modwrap_crpc.c ├── modwrap_crpc_ssl.c ├── pkcs11_rpc.h └── pkcs11_rpc_xdr.cocci ├── filter ├── Makefile.in ├── backend │ ├── Makefile.in │ └── backend.ml ├── filter │ ├── Makefile.in │ ├── filter.ml │ ├── filter_actions.ml │ ├── filter_actions_helpers │ │ └── helpers_patch.ml │ ├── filter_common.ml │ ├── filter_configuration.ml │ └── p11fix_patches │ │ ├── cmac.ml │ │ ├── conflicting_attributes_patch.ml │ │ ├── existing_sensitive_keys_patch.ml │ │ ├── non_local_objects_patch.ml │ │ ├── sanitize_creation_templates_patch.ml │ │ ├── secure_templates_patch.ml │ │ ├── sensitive_leak_patch.ml │ │ ├── sticky_attributes_patch.ml │ │ └── wrapping_format_patch.ml └── frontend │ ├── Makefile.in │ └── frontend.ml ├── pkcs11proxyd ├── Makefile.in ├── filter.conf ├── pkcs11proxyd.conf ├── server.ml └── server_ssl.ml ├── rpc-pkcs11 ├── Makefile.in ├── pkcs11_rpc.x ├── rpc_helpers.ml └── test_pkcs11.ml └── tests ├── Makefile.in ├── c-based ├── Makefile.in └── main-shared.c ├── integration ├── Dockerfile.debian-integration ├── Dockerfile.debian-integration-tls ├── Dockerfile.debian-integration-unix ├── Dockerfile.debian-integration-unix-tls ├── certs │ ├── ca-config.json │ ├── ca-key.pem │ ├── ca.csr │ ├── ca.json │ ├── ca.pem │ ├── client-key.pem │ ├── client.csr │ ├── client.json │ ├── client.pem │ ├── server-key.pem │ ├── server.csr │ ├── server.json │ ├── server.pem │ └── ssl-init.sh ├── filter.conf ├── pkcs11proxyd-tcp-tls.conf ├── pkcs11proxyd-tcp.conf ├── pkcs11proxyd-unix-tls.conf ├── pkcs11proxyd-unix.conf ├── run-tests.sh └── wait-for-it.sh └── ocaml ├── HOW_TO_PERFORM_TESTS.md ├── Makefile.in ├── create_object_1.ml ├── create_object_2.ml ├── destroy.ml ├── digest_test.ml ├── double_unwrap.ml ├── encdec_test.ml ├── encrypt_and_unwrap.ml ├── extractable_is_sticky.ml ├── generic_scenario.ml ├── get_sensitive_key.ml ├── misc_scenario.ml ├── p11_common.ml ├── p11_for_generic.ml ├── pkcs11.conf ├── sensitive_is_sticky.ml ├── test_pkcs11.ml ├── wrap_and_decrypt_1.ml ├── wrap_and_decrypt_2.ml ├── wrap_and_decrypt_3.ml ├── wrap_and_decrypt_4.ml └── wrap_unwrap.ml /.env: -------------------------------------------------------------------------------- 1 | DIST=debian 2 | FLAVOR=sid -------------------------------------------------------------------------------- /.github/build-pkg-git.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #set parameters needed for gbp import 4 | git config --global user.email "calderon.thomas@gmail" 5 | git config --global user.name "Thomas Calderon" 6 | 7 | echo Generating package for $BRANCH_NAME, will output in $DEB_OUTPUT_CONTAINER 8 | 9 | COMMIT_SHORT=1.0.x-$(git rev-parse --short HEAD) 10 | git archive --format=tar.gz --prefix=caml-crush-$COMMIT_SHORT/ HEAD > ../caml-crush-$COMMIT_SHORT.tar.gz 11 | 12 | #Track needed branches 13 | git checkout --track origin/upstream 14 | git checkout --track origin/debian 15 | 16 | gbp import-orig --debian-branch=debian -u $COMMIT_SHORT ../caml-crush-$COMMIT_SHORT.tar.gz 17 | 18 | COMMIT_TS=$(git show -s --pretty=format:%ct HEAD) 19 | COMMIT_DATE=$(date --date="@${COMMIT_TS}" +%Y%m%d%H%M) 20 | GBP_SINCE_PARAM="--auto" 21 | export DEBEMAIL="calderon.thomas@gmail.com" 22 | export DEBFULLNAME="Thomas Calderon" 23 | gbp dch $GBP_SINCE_PARAM --snapshot --snapshot-number="${COMMIT_DATE}" --no-multimaint --ignore-branch 24 | 25 | gbp buildpackage -uc -us --git-no-sign-tags --git-debian-branch=debian --git-ignore-new 26 | 27 | #copy all artefacts in output directory 28 | mv ../caml-crush* $DEB_OUTPUT_CONTAINER/ -------------------------------------------------------------------------------- /.github/build-pkg.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | OUTPUT=/tmp/output 4 | 5 | git checkout debian 6 | gbp buildpackage -uc -us -S --git-no-sign-tags --git-debian-branch=debian --git-ignore-new --git-export-dir=$OUTPUT 7 | 8 | # Build AMD64 package 9 | #docker run --rm -it -e DEB_BUILD_OPTIONS='parallel=1' -v ${OUTPUT}:/tmp/output caml-crush-pkgsid gbp buildpackage -uc -us --git-no-sign-tags --git-debian-branch=debian --git-ignore-new --git-export-dir=/tmp/output -------------------------------------------------------------------------------- /.github/workflows/debian-packaging.yml: -------------------------------------------------------------------------------- 1 | name: Debian 2 | on: push 3 | env: 4 | CHANGELOG_AUTHOR_NAME: "Thomas Calderon" 5 | CHANGELOG_AUTHOR_EMAIL: "calderon.thomas@gmail.com" 6 | DEB_OUTPUT: "/tmp/cc-output" 7 | DEB_OUTPUT_CONTAINER: "/tmp/output" 8 | 9 | jobs: 10 | build-debian-package: 11 | runs-on: ubuntu-latest 12 | strategy: 13 | matrix: 14 | include: 15 | - dist: "debian" 16 | flavor: "sid" 17 | # - dist: "debian" 18 | # flavor: "testing" 19 | # - dist: "debian" 20 | # flavor: "bullseye" 21 | # - dist: "debian" 22 | # flavor: "buster" 23 | # # Ubuntu Focal does not have coccinelle package, skip for now 24 | # # - dist: "ubuntu" 25 | # # flavor: "focal" 26 | # - dist: "ubuntu" 27 | # flavor: "bionic" 28 | # - dist: "ubuntu" 29 | # flavor: "xenial" 30 | steps: 31 | - name: Checkout code 32 | uses: actions/checkout@v2 33 | with: 34 | fetch-depth: 0 35 | - name: Get branch name (merge) 36 | if: github.event_name != 'pull_request' 37 | shell: bash 38 | run: echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | tr / -)" >> $GITHUB_ENV 39 | 40 | - name: Get branch name (pull request) 41 | if: github.event_name == 'pull_request' 42 | shell: bash 43 | run: echo "BRANCH_NAME=$(echo ${GITHUB_HEAD_REF} | tr / -)" >> $GITHUB_ENV 44 | - name: Show branch detail 45 | shell: bash 46 | run: echo "echo ${BRANCH_NAME}" 47 | - name: build docker container to build 48 | env: 49 | DIST: ${{ matrix.dist }} 50 | FLAVOR: ${{ matrix.flavor }} 51 | run: | 52 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - 53 | sudo add-apt-repository \ 54 | "deb https://download.docker.com/linux/ubuntu \ 55 | $(lsb_release -cs) \ 56 | stable" 57 | sudo apt-get update 58 | sudo apt-get install -y --no-install-recommends docker-ce 59 | docker build -t caml-crush-pkg-${FLAVOR} \ 60 | --build-arg flavor=${DIST} \ 61 | --build-arg flavor=${FLAVOR} \ 62 | -f Dockerfile.debian-pkg . 63 | # - name: Setup tmate session 64 | # uses: mxschmitt/action-tmate@v3 65 | - name: build package in container 66 | env: 67 | DIST: ${{ matrix.dist }} 68 | FLAVOR: ${{ matrix.flavor }} 69 | BRANCH_NAME: ${{ env.BRANCH_NAME }} 70 | DEB_OUTPUT: ${{ env.DEB_OUTPUT }} 71 | DEB_OUTPUT_CONTAINER: ${{ env.DEB_OUTPUT_CONTAINER }} 72 | run: | 73 | mkdir -p ${DEB_OUTPUT} 74 | docker run --rm \ 75 | -e BRANCH_NAME=${BRANCH_NAME} \ 76 | -e DEB_OUTPUT_CONTAINER=${DEB_OUTPUT_CONTAINER} \ 77 | -v ${DEB_OUTPUT}:${DEB_OUTPUT_CONTAINER} \ 78 | caml-crush-pkg-${FLAVOR} \ 79 | bash -x .github/build-pkg-git.sh 80 | - name: Upload artifacts 81 | uses: actions/upload-artifact@v2 82 | with: 83 | name: deb 84 | path: ${{env.DEB_OUTPUT}}/ 85 | if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` 86 | -------------------------------------------------------------------------------- /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | on: push 3 | 4 | jobs: 5 | build: 6 | runs-on: ubuntu-latest 7 | strategy: 8 | matrix: 9 | include: 10 | - dist: "debian" 11 | flavor: "sid" 12 | - dist: "debian" 13 | flavor: "testing" 14 | - dist: "debian" 15 | flavor: "bullseye" 16 | - dist: "debian" 17 | flavor: "buster" 18 | - dist: "ubuntu" 19 | flavor: "jammy" 20 | # Ubuntu Focal does not have coccinelle package, skip for now 21 | # - dist: "ubuntu" 22 | # flavor: "focal" 23 | - dist: "ubuntu" 24 | flavor: "bionic" 25 | - dist: "ubuntu" 26 | flavor: "xenial" 27 | steps: 28 | - name: Checkout code 29 | uses: actions/checkout@v2 30 | - name: docker-build 31 | env: 32 | DIST: ${{ matrix.dist }} 33 | FLAVOR: ${{ matrix.flavor }} 34 | run: | 35 | apt-get update && apt-get install -y --no-install-recommends docker docker-compose 36 | docker-compose build 37 | docker-compose -f docker-compose-unix.yml build 38 | - name: run integration tests 39 | env: 40 | DIST: ${{ matrix.dist }} 41 | FLAVOR: ${{ matrix.flavor }} 42 | run: | 43 | # important to use -p so that different compose-project name are used to avoid collision between CI-runs 44 | docker-compose -p cc-test-${FLAVOR} up --force-recreate --exit-code-from client client 45 | docker-compose -p cc-test-${FLAVOR} up --force-recreate --exit-code-from client-tls client-tls 46 | docker-compose -p cc-test-${FLAVOR} -f docker-compose-unix.yml up --exit-code-from client-unix client-unix 47 | docker-compose -p cc-test-${FLAVOR} -f docker-compose-unix.yml up --exit-code-from client-unix-tls client-unix-tls 48 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: c 2 | 3 | compiler: gcc 4 | services: docker 5 | 6 | dist: bionic 7 | 8 | jobs: 9 | include: 10 | - stage: Debian builds 11 | name: Stretch 12 | script: docker build -t caml-crush-stretch --build-arg flavor=stretch -f Dockerfile.debian . 13 | - 14 | name: Jessie 15 | script: docker build -t caml-crush-jessie --build-arg flavor=jessie -f Dockerfile.debian . 16 | - 17 | name: Buster 18 | script: docker build -t caml-crush-buster --build-arg flavor=buster -f Dockerfile.debian . 19 | - 20 | name: Sid 21 | script: docker build -t caml-crush-sid --build-arg flavor=sid -f Dockerfile.debian . 22 | - stage: Ubuntu builds 23 | name: Trusty 24 | script: docker build -t caml-crush-trusty -f Dockerfile.ubuntu-trusty . 25 | - 26 | name: Jammy 27 | script: docker build -t caml-crush-jammy --build-arg dist=ubuntu --build-arg flavor=jammy -f Dockerfile.debian . 28 | - 29 | name: Xenial 30 | script: docker build -t caml-crush-xenial --build-arg dist=ubuntu --build-arg flavor=xenial -f Dockerfile.debian . 31 | - 32 | name: Bionic 33 | script: docker build -t caml-crush-bionic --build-arg dist=ubuntu --build-arg flavor=bionic -f Dockerfile.debian . 34 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # ChangeLog 2 | 3 | ## [Unreleased][unreleased] 4 | 5 | ## [1.0.12] - 2021-11-25 6 | * Build fixes 7 | ## [1.0.11] - 2021-11-19 8 | * TIRPC support 9 | * Ocaml > 4.10 support 10 | * Better integration tests 11 | ## [1.0.10] - 2020-09-22 12 | * Sequential compilation 13 | * GCC-10 fixes 14 | * Travis-CI fixes 15 | 16 | ## [1.0.9] - 2020-05-22 17 | * Fix compilation for recent coccinelle versions 18 | * MinGW fixes 19 | * Travis-CI is now used 20 | * Docker can be used to compile recent/older targets 21 | 22 | ## [1.0.8] - 2016-07-05 23 | * OpenSSL 1.1.0 support (#23) 24 | * Fix some Win32 compilation issues 25 | * Improved support for TLS mutual auth when using Ocamlnet 4.x 26 | 27 | ## [1.0.7] - 2015-11-23 28 | * Merge support for OCamlnet 4.x (#13) 29 | * Fix uninstall target (#18), credits to louis@louisroche.net 30 | 31 | ## [1.0.6] - 2015-05-28 32 | * Switch to MIT license for the project. 33 | 34 | ## [1.0.5] - 2015-04-17 35 | 36 | ### Security 37 | * Ability to configure your own wrapping format key. 38 | 39 | ### Added 40 | * Add key escrow filter to the engine. 41 | * pkcs11proxyd can use PFS ciphersuites (#12). 42 | * OCaml PKCS#11 bindings can be compiled separately with `--without-caml-crush`. 43 | * Documentation of PKCS#11 patchsets. 44 | 45 | ### Changed 46 | * Modify erroneous LICENSE.txt file to CeCILL-B. 47 | * Switch back to GPLv2 pkcs11.h file. 48 | * Remove dependency on des.h file, use CeCILL-B feature instead. 49 | * TLS is now restricted to TLS1.2. 50 | * ocaml-ssl 0.4.7 is required for TLS support. 51 | 52 | ### Fixed 53 | * Various fixup to configure script. 54 | * More robust slot aliasing. 55 | * Do not exit when pkcs11proxyd cannot be reached (#4, contrib from Nikos Mavrogiannopoulos). 56 | 57 | ## [1.0.4] - 2014-12-02 58 | ### Changed 59 | * Move debian directory to dedicated branch. 60 | 61 | ### Fixed 62 | * Support installing client library in dedicated directory. 63 | 64 | ## [1.0.3] - 2014-11-20 65 | ### Added 66 | * Various documentation improvements. 67 | * Initial Debian package support. 68 | * Improved Win32 support. 69 | * Client library can fetch module alias from file. 70 | * Add support for PKCS#11 v2.20 amendment 3. 71 | * Add support for white listing of SSL clients on the server-side. 72 | * Add support for setting multiple SSL server certificates on the client-side. 73 | * Add support for using a custom RPC timeout value. 74 | 75 | ### Fixed 76 | * Fix potential overflow in C to OCaml functions. 77 | * correct conflicting attribute patch regarding. 78 | * GnuTLS ressource deallocation issue. 79 | 80 | [unreleased]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.12...HEAD 81 | [1.0.12]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.11...v1.0.12 82 | [1.0.11]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.10...v1.0.11 83 | [1.0.10]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.9...v1.0.10 84 | [1.0.9]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.8...v1.0.9 85 | [1.0.8]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.7...v1.0.8 86 | [1.0.7]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.6...v1.0.7 87 | [1.0.6]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.5...v1.0.6 88 | [1.0.5]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.4...v1.0.5 89 | [1.0.4]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.3...v1.0.4 90 | [1.0.3]: https://github.com/caml-pkcs11/caml-crush/compare/v1.0.2...v1.0.3 91 | -------------------------------------------------------------------------------- /Dockerfile.debian: -------------------------------------------------------------------------------- 1 | # Override with --build-arg dist=ubuntu --build-arg flavor=bionic 2 | ARG dist=debian 3 | ARG flavor=sid 4 | 5 | FROM ${dist}:${flavor} as builder 6 | 7 | 8 | RUN apt-get update 9 | RUN apt-get install -y --no-install-recommends autoconf make gcc \ 10 | automake autotools-dev \ 11 | ocaml-nox camlidl coccinelle \ 12 | libocamlnet-ocaml-dev libocamlnet-ocaml-bin \ 13 | libocamlnet-ssl-ocaml libocamlnet-ssl-ocaml-dev \ 14 | libssl-dev gnutls-dev \ 15 | libconfig-file-ocaml-dev camlp4 16 | 17 | FROM builder 18 | COPY . /build 19 | 20 | WORKDIR /build 21 | 22 | RUN ./autogen.sh 23 | RUN ./configure --with-idlgen --with-rpcgen --with-libnames=foo --with-ssl --with-ssl-clientfiles='env' 24 | RUN make -------------------------------------------------------------------------------- /Dockerfile.debian-pkg: -------------------------------------------------------------------------------- 1 | # Override with --build-arg dist=ubuntu --build-arg flavor=bionic 2 | ARG dist=debian 3 | ARG flavor=sid 4 | 5 | FROM ${dist}:${flavor} as builder 6 | 7 | ENV DEBIAN_FRONTEND=noninteractive 8 | 9 | RUN apt-get update 10 | RUN apt-get -y upgrade 11 | RUN apt-get install -y --no-install-recommends autoconf make gcc \ 12 | automake autotools-dev \ 13 | ocaml-nox camlidl coccinelle \ 14 | libocamlnet-ocaml-dev libocamlnet-ocaml-bin \ 15 | libocamlnet-ssl-ocaml libocamlnet-ssl-ocaml-dev \ 16 | libssl-dev gnutls-dev \ 17 | libconfig-file-ocaml-dev camlp4 \ 18 | git-buildpackage debhelper \ 19 | dh-exec dh-autoreconf build-essential 20 | 21 | RUN apt-get install -y --no-install-recommends ca-certificates fakeroot debhelper 22 | 23 | FROM builder 24 | 25 | WORKDIR /build/git 26 | COPY . . 27 | 28 | RUN mkdir /tmp/output 29 | -------------------------------------------------------------------------------- /Dockerfile.ubuntu-trusty: -------------------------------------------------------------------------------- 1 | FROM ubuntu:trusty as builder 2 | 3 | 4 | RUN apt-get update 5 | RUN apt-get install -y --no-install-recommends autoconf make gcc \ 6 | automake autotools-dev \ 7 | ocaml-nox camlidl coccinelle libocamlnet-ocaml-dev \ 8 | libocamlnet-ssl-ocaml libocamlnet-ssl-ocaml-dev \ 9 | libocamlnet-ocaml-bin libconfig-file-ocaml-dev camlp4 \ 10 | libssl-dev libgnutls-dev ca-certificates pkg-config \ 11 | ocaml-findlib wget 12 | 13 | FROM builder 14 | COPY . /build 15 | 16 | WORKDIR /build 17 | 18 | # install findlib 19 | RUN wget http://download.camlcity.org/download/findlib-1.5.6.tar.gz -O /tmp/findlib-1.5.6.tar.gz 20 | RUN cd /tmp && tar xzf findlib-1.5.6.tar.gz && cd findlib-1.5.6 && \ 21 | ./configure -config /etc/ocamlfind.conf -bindir /usr/bin/ \ 22 | -sitelib /usr/lib/ocaml -with-toolbox && \ 23 | make all && make opt && sudo make install 24 | 25 | # install ocaml-ssl 26 | RUN wget https://github.com/savonet/ocaml-ssl/releases/download/0.5.5/ocaml-ssl-0.5.5.tar.gz -O /tmp/ocaml-ssl-0.5.5.tar.gz 27 | RUN cd /tmp && tar xzf /tmp/ocaml-ssl-0.5.5.tar.gz && cd ocaml-ssl-0.5.5 && ./configure && make && sudo make install 28 | 29 | RUN cd /build 30 | 31 | RUN ./autogen.sh 32 | RUN ./configure --with-idlgen --with-rpcgen --with-libnames=foo 33 | RUN make -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright ANSSI (2013-2016) 4 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 5 | Thomas CALDERON [calderon.thomas@gmail.com] 6 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 7 | 8 | Permission is hereby granted, free of charge, to any person obtaining a copy 9 | of this software and associated documentation files (the "Software"), to deal 10 | in the Software without restriction, including without limitation the rights 11 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 12 | copies of the Software, and to permit persons to whom the Software is 13 | furnished to do so, subject to the following conditions: 14 | 15 | The above copyright notice and this permission notice shall be included in 16 | all copies or substantial portions of the Software. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 24 | THE SOFTWARE. 25 | 26 | Except as contained in this notice, the name(s) of the above copyright holders 27 | shall not be used in advertising or otherwise to promote the sale, use or other 28 | dealings in this Software without prior written authorization. 29 | -------------------------------------------------------------------------------- /Makefile.Unix.in: -------------------------------------------------------------------------------- 1 | bindings_dir = src/bindings-pkcs11 2 | rpc_dir = src/rpc-pkcs11 3 | server_dir = src/pkcs11proxyd 4 | client_dir = src/client-lib 5 | filter_dir = src/filter 6 | tests_dir = src/tests 7 | 8 | .PHONY: all bindings rpc server client filter install uninstall tests 9 | .NOTPARALLEL: all bindings rpc server client filter install uninstall tests 10 | 11 | all: @with_bindings@ @with_rpc@ @with_filter@ @with_server@ @with_client@ 12 | 13 | bindings: 14 | @MAKEPROG@ @debug_mode@ -C $(bindings_dir) 15 | rpc: 16 | @MAKEPROG@ -C $(rpc_dir) 17 | server: 18 | @MAKEPROG@ -C $(server_dir) 19 | client: 20 | @MAKEPROG@ @debug_mode@ -C $(client_dir) 21 | filter: 22 | @MAKEPROG@ -C $(filter_dir) 23 | tests: 24 | @MAKEPROG@ -C $(tests_dir) 25 | 26 | install: 27 | @MAKEPROG@ install -C $(server_dir) 28 | @MAKEPROG@ install -C $(client_dir) 29 | 30 | uninstall: 31 | @MAKEPROG@ uninstall -C $(server_dir) 32 | @MAKEPROG@ uninstall -C $(client_dir) 33 | 34 | 35 | clean: @with_bindings_clean@ @with_rpc_clean@ @with_server_clean@ @with_client_clean@ @with_filter_clean@ tests_clean 36 | 37 | bindings_clean: 38 | @MAKEPROG@ clean -C $(bindings_dir) 39 | 40 | rpc_clean: 41 | @MAKEPROG@ clean -C $(rpc_dir) 42 | 43 | server_clean: 44 | @MAKEPROG@ clean -C $(server_dir) 45 | 46 | client_clean: 47 | @MAKEPROG@ clean -C $(client_dir) 48 | 49 | filter_clean: 50 | @MAKEPROG@ clean -C $(filter_dir) 51 | 52 | tests_clean: 53 | @MAKEPROG@ clean -C $(tests_dir) 54 | -------------------------------------------------------------------------------- /Makefile.Win32.in: -------------------------------------------------------------------------------- 1 | bindings_dir = src/bindings-pkcs11 2 | rpc_dir = src/rpc-pkcs11 3 | server_dir = src/pkcs11proxyd 4 | client_dir = src/client-lib 5 | filter_dir = src/filter 6 | tests_dir = src/tests 7 | 8 | .PHONY: all bindings rpc server client filter install uninstall tests 9 | .NOTPARALLEL: all bindings rpc server client filter install uninstall tests 10 | 11 | #all: bindings rpc @with_filter@ server client 12 | all: bindings client 13 | 14 | bindings: 15 | @MAKEPROG@ @debug_mode@ -C $(bindings_dir) 16 | rpc: 17 | @MAKEPROG@ -C $(rpc_dir) 18 | server: 19 | @MAKEPROG@ -C $(server_dir) 20 | client: 21 | @MAKEPROG@ @debug_mode@ -C $(client_dir) 22 | filter: 23 | @MAKEPROG@ -C $(filter_dir) 24 | tests: 25 | @MAKEPROG@ -C $(tests_dir) 26 | 27 | install: 28 | @MAKEPROG@ install -C $(server_dir) 29 | @MAKEPROG@ install -C $(client_dir) 30 | 31 | uninstall: 32 | @MAKEPROG@ uninstall -C $(server_dir) 33 | @MAKEPROG@ uninstall -C $(client_dir) 34 | 35 | 36 | #clean: bindings_clean rpc_clean server_clean client_clean @with_filter_clean@ tests_clean 37 | clean: bindings_clean client_clean 38 | 39 | bindings_clean: 40 | @MAKEPROG@ clean -C $(bindings_dir) 41 | 42 | rpc_clean: 43 | @MAKEPROG@ clean -C $(rpc_dir) 44 | 45 | server_clean: 46 | @MAKEPROG@ clean -C $(server_dir) 47 | 48 | client_clean: 49 | @MAKEPROG@ clean -C $(client_dir) 50 | 51 | filter_clean: 52 | @MAKEPROG@ clean -C $(filter_dir) 53 | 54 | tests_clean: 55 | @MAKEPROG@ clean -C $(tests_dir) 56 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Caml Crush: an OCaml PKCS#11 filtering proxy 2 | [![Build Status](https://travis-ci.com/caml-pkcs11/caml-crush.svg?branch=master)](https://travis-ci.com/caml-pkcs11/caml-crush) 3 | 4 | This software is a computer program whose purpose is to implement 5 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 6 | in mind. 7 | 8 | ## Introduction 9 | 10 | The following projects aim to offer a PKCS#11 proxy with filtering capabilities. 11 | 12 | The project is divided in submodules which are detailed below. 13 | 14 | >1] OCaml/C PKCS#11 bindings (using OCaml IDL). 15 | 16 | >2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 17 | 18 | >3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 19 | 20 | >4] A PKCS#11 filtering module used as a backend to the RPC server. 21 | 22 | >5] A PKCS#11 client module that comes as a dynamic library offering 23 | the PKCS#11 API to the software. 24 | 25 | There is one "optional" part: 26 | 27 | >6] Tests in C and OCaml to be used with client module 5] or with the 28 | bindings 1] 29 | 30 | Here is a big picture of how the PKCS#11 proxy works: 31 | 32 | 33 | ---------------------- -------- socket (TCP or Unix) -------------------- 34 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 35 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 36 | | -------- | |2] RPC | PKCS#11 | 37 | ---------------------- | | Layer |functions| 38 | | 4] PKCS#11 filter | | -------- | 39 | ---------------------- -------------------- 40 | | | 41 | ---------------------- | 42 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 43 | | bindings | | 44 | ---------------------- APPLICATION 45 | | 46 | | 47 | { PKCS#11 INTERFACE } 48 | | 49 | REAL PKCS#11 MIDDLEWARE 50 | (shared library) 51 | 52 | ## Authors 53 | 54 | * Ryad Benadjila () 55 | * Thomas Calderon () 56 | * Marion Daubignard () 57 | 58 | ## Quickstart 59 | 60 | ### Dependencies - Debian/Ubuntu 61 | 62 | sudo apt-get install autoconf make gcc ocaml-nox camlidl coccinelle \ 63 | libocamlnet-ocaml-dev libocamlnet-ocaml-bin \ 64 | libconfig-file-ocaml-dev camlp4 65 | 66 | ### Build 67 | 68 | ./autogen.sh 69 | 70 | ./configure --with-idlgen --with-rpcgen --with-libnames=foo 71 | 72 | make 73 | 74 | sudo make install 75 | 76 | 77 | ### Configure the middleware to use 78 | 79 | Edit **/usr/local/etc/pkcs11proxyd/filter.conf**, uncomment the **modules** parameter to 80 | have it point to the PKCS#11 middleware you want to use. 81 | 82 | Example using the OpenSC middleware: 83 | 84 | ```ocaml 85 | ... 86 | modules = [("foo", "/usr/lib/opensc-pkcs11.so")] 87 | ... 88 | ``` 89 | 90 | 91 | ### Run the proxy server 92 | 93 | /usr/local/bin/pkcs11proxyd -fg -conf /usr/local/etc/pkcs11proxyd/pkcs11proxyd.conf 94 | 95 | 96 | ### Test it 97 | 98 | You can test that everything is working with a PKCS#11 application, 99 | **pkcs11-tool** from the OpenSC suite for example. The following command will 100 | list the available slots. 101 | 102 | 103 | pkcs11-tool --module /usr/local/lib/libp11clientfoo.so -L 104 | 105 | [Dedicated tests](src/tests/ocaml/HOW_TO_PERFORM_TESTS.md) are also implemented. 106 | 107 | ## Documentation 108 | 109 | * More detailed documentation can be found [here](doc/INDEX.md). 110 | * Detailed documentation on the filter can be found [here](doc/FILTER.md). 111 | * Explanation on current issues and/or limitations can be found [here](ISSUES.md). 112 | * Explanations on how to run some tests to ensure that issues are addressed can be found [here](src/tests/ocaml/HOW_TO_PERFORM_TESTS.md). 113 | -------------------------------------------------------------------------------- /autoclean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | main_dir="./" 4 | bindings_dir="src/bindings-pkcs11" 5 | rpc_dir="src/rpc-pkcs11" 6 | server_dir="src/pkcs11proxyd" 7 | client_dir="src/client-lib" 8 | filter_dir="src/filter" 9 | filter_filter_dir="src/filter/filter" 10 | filter_backend_dir="src/filter/backend" 11 | filter_frontend_dir="src/filter/frontend" 12 | tests_dir="src/tests" 13 | ocaml_tests_dir="src/tests/ocaml" 14 | c_tests_dir="src/tests/c-based" 15 | scripts_dir="scripts" 16 | 17 | clean_dirs=($main_dir $bindings_dir $rpc_dir $server_dir $client_dir $filter_dir $filter_filter_dir $filter_backend_dir $filter_frontend_dir $tests_dir $ocaml_tests_dir $c_tests_dir) 18 | 19 | echo "Cleaning the project ..." 20 | make clean &> /dev/null 21 | echo "Cleaning AUTOCONF files ..." 22 | rm -rf aclocal.m4 autom4te.cache config.log config.status configure summary 23 | echo "Cleaning Makefiles ..." 24 | for (( i = 0 ; i < ${#clean_dirs[*]} ; i++ )) 25 | do 26 | rm -f ${clean_dirs[i]}/Makefile 27 | done 28 | rm -f ${bindings_dir}/Makefile.standalone 29 | #Cleaning Makefile.in which will be cp depending on platform 30 | rm -f ${main_dir}/Makefile.in 31 | echo "Cleaning initrc file ..." 32 | rm -rf ${scripts_dir}/pkcs11proxyd 33 | echo "Cleaning the SSL related files ..." 34 | rm -f create_ssl_files.c create_ssl_files src/client-lib/cert_file.h src/client-lib/ca_file.h src/client-lib/private_key_file.h src/rpc-pkcs11/ca_file.inc src/rpc-pkcs11/cert_file.inc src/rpc-pkcs11/private_key_file.inc server_certs.crt 35 | -------------------------------------------------------------------------------- /autogen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | echo "[Generating configure file ...]" 4 | aclocal 5 | if [ "${OS}" = "Windows_NT" ] 6 | then 7 | echo " |-> Using Cygwin environment" 8 | cp Makefile.Win32.in Makefile.in 9 | autoconf configure-win32.ac > configure 10 | else 11 | cp Makefile.Unix.in Makefile.in 12 | autoupdate 13 | autoconf configure.ac > configure 14 | fi 15 | echo " |-> Run ./configure with the desired options, and then make" 16 | chmod +x ./configure 17 | -------------------------------------------------------------------------------- /doc/DEPS.md: -------------------------------------------------------------------------------- 1 | # Caml Crush: an OCaml PKCS#11 filtering proxy 2 | 3 | ## Detailed project dependencies 4 | 5 | 0] The projects has the following generic dependencies: 6 | 7 | * autoconf 8 | * make 9 | * sed 10 | * C compiler (tested with GCC and Clang) 11 | 12 | 1] The bindings have the following dependencies: 13 | 14 | * [ocaml][] (`>`= 3.12) 15 | * [camlidl][] (`>`= 1.05) 16 | * [coccinelle][] (`>`= 1.0rc10) 17 | 18 | [ocaml]: http://caml.inria.fr/ocaml/index.fr.html 19 | [coccinelle]: http://coccinelle.lip6.fr/ 20 | [camlidl]: http://caml.inria.fr/pub/old_caml_site/camlidl/ 21 | 22 | 2] The XDR RPC generators (to be used with ocamlrpcgen for the server and the OCaml client, 23 | and/or rpcgen for the C client). 24 | 25 | * ocamlrpcgen (libocamlnet-ocaml-bin) shipped with [ocamlnet][] 26 | * rpcgen (shipped with libc) 27 | 28 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 29 | 30 | * [ocamlnet][] (`>`= 3.5.1, libocamlnet-ocaml-dev) 31 | * with ocamlnet-ssl if build with SSL 32 | (libocamlnet-ssl-ocaml libocamlnet-ssl-ocaml-dev) 33 | 34 | [ocamlnet]: http://projects.camlcity.org/projects/ocamlnet.html 35 | 36 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 37 | 38 | * [config-file][], simple OCaml configuration parser (libconfig-file-ocaml-dev) 39 | 40 | [config-file]: http://config-file.forge.ocamlcore.org/ 41 | 5] The client library has the following dependencies: 42 | 43 | * RPC client code 44 | * C client (default and recommended) 45 | * built-in "rpcgen" binary (shipped with libc) 46 | * [OpenSSL][]/[GnuTLS][] if SSL/TLS support is enabled 47 | 48 | [OpenSSL]: http://www.openssl.org/ 49 | [GnuTLS]: http://www.gnutls.org/ 50 | 51 | * OCaml client (given as an alternative) 52 | * ocamlnet 53 | * ocamlnet-ssl if SSL/TLS support is enabled 54 | * OCaml static libasmrun.a compiled with -fPIC 55 | * We noticed that OCaml is not built with -fPIC by default, you will 56 | need to recompile OCaml and all the other libraries to get this working. 57 | 58 | -------------------------------------------------------------------------------- /doc/PRE-BUILD.md: -------------------------------------------------------------------------------- 1 | # Caml Crush: an OCaml PKCS#11 filtering proxy 2 | 3 | ## Pre-build checklist 4 | 5 | ### IDL and RPC code generation 6 | 7 | Some portions of code are generated with tools. 8 | The code in the source tree was generated on a *64-bit* machine. 9 | If you want to compile on an 32-bit architecture, you have to trigger the generation of those files. 10 | This is done at configure time with the flags described below. 11 | 12 | To re-generate the OCaml/C stubbing code, use: 13 | 14 | * --with-idlgen 15 | 16 | To re-generate the RPC client/server code as well: 17 | 18 | * --with-rpcgen 19 | 20 | ### Client type selection 21 | We support two types of client libraries, an OCaml/C hybrid version and a full C version. 22 | The two implementations have the same feature set, the main difference being that the hybrid one relies on 23 | ocamlnet for the transport layer. The compiled library embeds the OCaml runtime which is rather big (~3MB). 24 | The C version has a lighter memory footprint, it is the default at compile-time. 25 | 26 | To compile the client library with native C RPC code (this is the DEFAULT): 27 | 28 | * --with-cclient 29 | 30 | To compile the hybrid OCaml/C client library: 31 | 32 | * --with-ocamlclient 33 | 34 | ### PKCS#11 multi-module support 35 | When the client connects to the proxy server it asks for a specific PKCS#11 module to be loaded. This allows the proxy server to support 36 | multiple PKCS#11 libraries (so called "middlewares"). 37 | The server looks up in its configuration file for a matching module name (ex: "opensc") with a library path to load (ex: /usr/lib/opensc-pkcs11.so). 38 | By default, the client library will read the module name from the **.camlcrushlibname** file located in the current user's directory. In this case, a single client library is compiled `libp11client.so` 39 | 40 | The --with-libname-file flag enables the behavior previously described (this is the DEFAULT). 41 | 42 | This behavior can be modified to compile as many client libraries as supported modules. 43 | The generated client libraries have the following syntax `libp11client.so` 44 | 45 | The --with-libnames can be used to compile multiple client libraries with different module names. 46 | 47 | * --with-libnames="opensc,mysuperhsm" 48 | * (libp11clientopensc.so and libp11clientmysuperhsm.so are generated) 49 | 50 | In the two cases described above, an environment variable can be used to change the module name that will be sent to the proxy server. 51 | This behavior is controlled using the `PKCS11PROXY_LIBNAME` variable. 52 | 53 | ### Client socket configuration 54 | The client library socket is defined at compile time. 55 | Use --with-client-socket to configure the client socket. 56 | 57 | * --with-client-socket=unix,/run/pkcs11-socket 58 | * (client will connect to UNIX domain socket located at /run/pkcs11-socket) 59 | * --with-client-socket=tcp,127.0.0.1:4444 60 | * (client will establish a TCP socket with remote peer 127.0.0.1 and port 4444) 61 | 62 | However, an environment variable can be used to change the socket parameters. 63 | This behavior is controlled using the `PKCS11PROXY_SOCKET_PATH` variable. 64 | Please note that you cannot change the socket type, only UNIX path or TCP parameters. 65 | 66 | ### Enable SSL/TLS support 67 | The link between the client and the server can be secured using TLS mutual 68 | authentication via certificates. 69 | To enable SSL use one of the following flag: 70 | 71 | * --with-ssl 72 | * --with-gnutls 73 | 74 | OpenSSL or GnuTLS stacks can be used by the client library, the OCaml stack only uses bindings to OpenSSL. 75 | 76 | #### Client SSL/TLS support 77 | Use --with-ssl-clientfiles to provide CA chain and client certificate and private key. 78 | 79 | The client can be compiled to use three modes, file lookup, environment variables (default) or embedding the credentials inside the code. 80 | 81 | * --with-ssl-clientfiles='path;ca=path-to-ca,cert=path-to-cert,privkey=path-to-key' 82 | * (client will load files with given path at runtime) 83 | 84 | * --with-ssl-clientfiles='env' 85 | * (client will lookup the following environment variables `PKCS11PROXY_CA_FILE`, `PKCS11PROXY_CERT_FILE` and `PKCS11PROXY_PRIVKEY_FILE`) 86 | 87 | * --with-ssl-clientfiles='embed;ca=path-to-ca,cert=path-to-cert,privkey=path-to-key' 88 | * (the files will be parsed and embedded within the compiled code through C headers) 89 | 90 | #### Server SSL/TLS support 91 | The server uses its configuration file to enable SSL/TLS and to configure its private key and the path to certificates. 92 | 93 | ### Disable filtering capabilities 94 | You can compile the proxy server without filtering capabilities with the --without-filter switch. 95 | In this case, the server will directly send PKCS#11 requests to the PKCS#11 library. 96 | This is NOT recommended and should not be used in production. 97 | -------------------------------------------------------------------------------- /doc/SERVER-CONF.md: -------------------------------------------------------------------------------- 1 | # Caml Crush: an OCaml PKCS#11 filtering proxy 2 | 3 | ## Detailed Server configuration 4 | The server process is based on the Netplex library from ocamlnet. 5 | It uses a configuration file to setup the basic netplex features ([netplex documentation][]). 6 | 7 | Several items were added in order to feed the proxy with some parameters, they are detailed 8 | below. 9 | 10 | [netplex documentation]: http://projects.camlcity.org/projects/ocamlnet.html 11 | 12 | ### Server socket configuration 13 | Netplex has the following syntax for the socket configuration. 14 | 15 | To configure a UNIX domain: 16 | 17 | ```ocaml 18 | ... 19 | protocol{ 20 | ... 21 | type = "local"; 22 | path = "/run/pkcs11-socket"; 23 | ... 24 | } 25 | ... 26 | ``` 27 | 28 | To configure a TCP socket listening on 127.0.0.1 and port 4444: 29 | 30 | ```ocaml 31 | ... 32 | protocol{ 33 | ... 34 | type = "internet"; 35 | bind = "127.0.0.1:4444"; 36 | ... 37 | } 38 | ... 39 | ``` 40 | 41 | ### Server SSL/TLS configuration for versions > 1.0.6 42 | The SSL/TLS support can be turned on with the following configuration directives: 43 | 44 | ```ocaml 45 | ... 46 | processor { 47 | ... 48 | tls { 49 | (* Ciphersuites, GnuTLS syntax *) 50 | (* TLS 1.2, PFS-only suites, no DSS, no CAMELLIA *) 51 | algorithms = "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"; 52 | 53 | (* Uncomment to enable DHE parameters, used for PFS *) 54 | (* 55 | dh_params { 56 | (* Pre-computed DH parameters *) 57 | pkcs3_file = "/etc/pkcs11proxyd/dhparams.pem"; 58 | (* Run-time DH parameters, warning: this takes a long time *) 59 | (*bits = 2048;*) 60 | }; 61 | *) 62 | x509 { 63 | key { 64 | crt_file = "server.pem"; 65 | key_file = "server.key"; 66 | }; 67 | trust { 68 | crt_file = "cacert.pem"; 69 | }; 70 | } 71 | }; 72 | ... 73 | }; 74 | ... 75 | ``` 76 | 77 | Please note that the current implementation expects PEM files and that 78 | the private key has to be un-encrypted. 79 | 80 | The algorithm parameter accepts GnuTLS cipher list, the default only allows TLS 1.2 and modern PFS-enabled suites. 81 | The dh\_params can be configured to enable DHE suites. Also, parameters can be generated at startup but note that it will slow down startup. 82 | 83 | ### Server SSL/TLS configuration for older releases 84 | The SSL/TLS support can be turned on with the following configuration directives: 85 | 86 | ```ocaml 87 | ... 88 | processor { 89 | ... 90 | use_ssl = true; 91 | (* Provide full certificate chain in cafile *) 92 | cafile = "/etc/pkcs11proxy/certs/ca.crt"; 93 | certfile = "/etc/pkcs11proxy/certs/server.crt"; 94 | certkey = "/etc/pkcs11proxy/certs/server.key"; 95 | (* OpenSSL cipher syntax, one or many suites can be configured, or alias such as HIGH *) 96 | cipher_suite = "AES256-SHA256"; 97 | (* Optional, allows to use DHE cipher suites, generate custom DH paramerters *) 98 | dh_params = "/usr/local/etc/tests/certs/dhparams.pem"; 99 | (* Optional, allows to use ECDHE cipher suites *) 100 | ec_curve_name = "prime256v1"; 101 | (* Optional, allows to use a custom certificate verification depth *) 102 | verify_depth = 4; 103 | ... 104 | }; 105 | ... 106 | ``` 107 | 108 | Please note that the current implementation expects PEM files and that 109 | the private key has to be un-encrypted. 110 | 111 | The cipher\_suite parameter accepts the classic OpenSSL "colon" separated cipher list. 112 | Please note that the following ciphers are explicitely turned off: 113 | 114 | !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4 115 | 116 | 117 | **WARNING**: Since Caml Crush 1.0.5, we require ocaml-ssl 0.4.7. This allows to enable PFS support and force TLS 1.2. Hence, if you want to link against older ocaml-ssl, you must manually modify the source code or use an older release. 118 | 119 | ### Server PKCS#11 module support configuration (when filtering is DISABLED) 120 | As mentionned previously, the client asks for a specific module name. 121 | If you disabled the filtering engine during compilation, you have to configure the module path of the different libraries in the server configuration. 122 | 123 | The "libnames" parameter binds module "names" and the path to the corresponding PKCS#11 library. 124 | 125 | ```ocaml 126 | ... 127 | processor { 128 | ... 129 | libnames="opensc:/usr/lib/opensc-pkcs11.so;mysuperhsm:/usr/local/lib/libmysuperhsm.so;"; 130 | ... 131 | }; 132 | ... 133 | ``` 134 | 135 | This parameter is ignored when the project is compiled with filtering capabilities. 136 | 137 | ### Server PKCS#11 filter configuration path 138 | 139 | When filtering is enabled, the PKCS#11 server fetches the filtering rules from a file whose path must 140 | be provided in the main server configuration file, in the `processor` section. 141 | 142 | ```ocaml 143 | ... 144 | processor { 145 | ... 146 | filter_config="PATH/filter.conf"; 147 | ... 148 | }; 149 | ... 150 | ``` 151 | -------------------------------------------------------------------------------- /doc/WIN32.md: -------------------------------------------------------------------------------- 1 | # Caml Crush: an OCaml PKCS#11 filtering proxy 2 | 3 | ## Windows support 4 | 5 | This page explains how to build on Microsoft Windows. 6 | Please note that this support is experimental and incomplete. 7 | 8 | ## Client library 9 | Because of the lack of proper tool on Windows, you will have to 10 | download and prepare the source on a "Linux" environment (it can be 11 | done in Cygwin). 12 | 13 | Download the source code and prepare it with the following commands: 14 | 15 | cd src/client-lib 16 | #Copy file in order to get correct include path in file generated 17 | cp ../rpc-pkcs11/pkcs11_rpc.x ./ 18 | #Generate header for Win32 compatibility (i.e. without MT support) 19 | rpcgen -h -N pkcs11_rpc.x > pkcs11_rpc.h 20 | #Generate xdr helpers 21 | rpcgen -c -N pkcs11_rpc.x > pkcs11_rpc_xdr.c 22 | #Generate client stubs 23 | rpcgen -l -N pkcs11_rpc.x > pkcs11_rpc_clnt.c 24 | #Remove local copy of XDR file 25 | rm pkcs11_rpc.x 26 | #Patch generated xdr implementation (optional: remove unused buffer) 27 | spatch --no-show-diff --sp-file ./pkcs11_rpc_xdr.cocci ./pkcs11_rpc_xdr.c --in-place 28 | 29 | 30 | ### Dependencies 31 | There is not native support of ONC RPC for Microsoft Windows. However some porting efforts have been made 32 | in the past. The open source oncrpc-win32 has been modified and is used in order to provide the 33 | RPC layer in the client library. 34 | 35 | There is no upstream, so you will have to use our modified version of [oncrpc-win32][]. 36 | You can use the projects file with Visual Studio to build the "librpc" target. 37 | 38 | [oncrpc-win32]: https://github.com/tc-anssi/oncrpc-win32 39 | 40 | The build has been tested on Visual Studio 2012. 41 | 42 | Please note that you will have to select the "right" target depending on your need. 43 | We have tried both static and DLL approach. 44 | The Makefile.Win32 that we provide will expect a static library "oncrpc.lib" to link against. 45 | (Modify the solution properties to your need (arch, DLL/Static, C-Runtime). 46 | 47 | ### Configuring Windows build environment 48 | Please refer to Makefile.Win32 and adapt the include paths. 49 | 50 | Note that you will have to adapt the makefile to configure the 51 | client to reach the proxy server. 52 | 53 | ### Build 54 | Once the oncrpc library and the client source code is prepared, copy the code on the Windows build environment 55 | and compile with the following commands. 56 | 57 | cd src\client-lib 58 | nmake /f Makefile.Win32 nodebug=1 59 | 60 | This should start the compilation, you will end up with a DLL matching the libname you 61 | provided in the Makefile (libclientp11.dll). 62 | 63 | To build the debug target, remove the "nodebug=1" parameter. However note that you have to 64 | link against a coherent (Debug/Release) version of oncrpc.lib 65 | 66 | ### Test it 67 | 68 | You can test that everything is working with a PKCS#11 application, 69 | **pkcs11-tool** from the OpenSC suite for example. The following command will 70 | list the available slots. 71 | 72 | 73 | pkcs11-tool --module \libp11client.dll 74 | -------------------------------------------------------------------------------- /docker-compose-unix.yml: -------------------------------------------------------------------------------- 1 | version: '3.6' 2 | services: 3 | pkcs11proxyd-unix: 4 | image: "pkcs11proxyd-unix:${FLAVOR}" 5 | build: 6 | context: . 7 | dockerfile: src/tests/integration/Dockerfile.debian-integration-unix 8 | args: 9 | dist: "${DIST}" 10 | flavor: "${FLAVOR}" 11 | volumes: 12 | - ./src/tests/integration/filter.conf:/build/src/tests/integration/filter.conf:ro 13 | - ./src/tests/integration/pkcs11proxyd-unix.conf:/build/src/tests/integration/pkcs11proxyd.conf:ro 14 | - vol-pkcs11proxyd-unix:/var/run/ 15 | entrypoint: '/usr/local/bin/pkcs11proxyd -fg -conf /build/src/tests/integration/pkcs11proxyd.conf' 16 | pkcs11proxydtls-unix: 17 | image: "pkcs11proxydtls-unix:${FLAVOR}" 18 | build: 19 | context: . 20 | dockerfile: src/tests/integration/Dockerfile.debian-integration-unix-tls 21 | args: 22 | dist: "${DIST}" 23 | flavor: "${FLAVOR}" 24 | volumes: 25 | - ./src/tests/integration/filter.conf:/build/src/tests/integration/filter.conf:ro 26 | - ./src/tests/integration/pkcs11proxyd-unix-tls.conf:/build/src/tests/integration/pkcs11proxyd.conf:ro 27 | - ./src/tests/integration/certs/ca.pem:/build/src/tests/integration/ca.pem:ro 28 | - ./src/tests/integration/certs/server.pem:/build/src/tests/integration/server.pem:ro 29 | - ./src/tests/integration/certs/server-key.pem:/build/src/tests/integration/server-key.pem:ro 30 | - vol-pkcs11proxydtls-unix:/var/run/ 31 | entrypoint: '/usr/local/bin/pkcs11proxyd -fg -conf /build/src/tests/integration/pkcs11proxyd.conf' 32 | client-unix: 33 | image: "pkcs11proxyd-unix:${FLAVOR}" 34 | depends_on: 35 | - "pkcs11proxyd-unix" 36 | volumes: 37 | - vol-pkcs11proxyd-unix:/var/run/ 38 | environment: 39 | - PKCS11PROXY_LIBNAME=softhsm 40 | entrypoint: /build/src/tests/integration/run-tests.sh 41 | client-unix-tls: 42 | image: "pkcs11proxydtls-unix:${FLAVOR}" 43 | depends_on: 44 | - "pkcs11proxydtls-unix" 45 | environment: 46 | - PKCS11PROXY_LIBNAME=softhsm 47 | - PKCS11PROXY_CA_FILE=/tmp/ca.pem 48 | - PKCS11PROXY_CERT_FILE=/tmp/client.pem 49 | - PKCS11PROXY_PRIVKEY_FILE=/tmp/client-key.pem 50 | volumes: 51 | - vol-pkcs11proxydtls-unix:/var/run/ 52 | - ./src/tests/integration/certs/ca.pem:/tmp/ca.pem:ro 53 | - ./src/tests/integration/certs/client.pem:/tmp/client.pem:ro 54 | - ./src/tests/integration/certs/client-key.pem:/tmp/client-key.pem:ro 55 | entrypoint: /build/src/tests/integration/run-tests.sh 56 | volumes: 57 | vol-pkcs11proxyd-unix: 58 | vol-pkcs11proxydtls-unix: -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.6' 2 | services: 3 | pkcs11proxyd: 4 | image: "pkcs11proxyd:${FLAVOR}" 5 | build: 6 | context: . 7 | dockerfile: src/tests/integration/Dockerfile.debian-integration 8 | args: 9 | dist: "${DIST}" 10 | flavor: "${FLAVOR}" 11 | # ports: 12 | # - '4444:4444' 13 | volumes: 14 | - ./src/tests/integration/filter.conf:/build/src/tests/integration/filter.conf:ro 15 | - ./src/tests/integration/pkcs11proxyd-tcp.conf:/build/src/tests/integration/pkcs11proxyd.conf:ro 16 | entrypoint: '/usr/local/bin/pkcs11proxyd -fg -conf /build/src/tests/integration/pkcs11proxyd.conf' 17 | pkcs11proxydtls: 18 | image: "pkcs11proxydtls:${FLAVOR}" 19 | build: 20 | context: . 21 | dockerfile: src/tests/integration/Dockerfile.debian-integration-tls 22 | args: 23 | dist: "${DIST}" 24 | flavor: "${FLAVOR}" 25 | volumes: 26 | - ./src/tests/integration/filter.conf:/build/src/tests/integration/filter.conf:ro 27 | - ./src/tests/integration/pkcs11proxyd-tcp-tls.conf:/build/src/tests/integration/pkcs11proxyd.conf:ro 28 | - ./src/tests/integration/certs/ca.pem:/build/src/tests/integration/ca.pem:ro 29 | - ./src/tests/integration/certs/server.pem:/build/src/tests/integration/server.pem:ro 30 | - ./src/tests/integration/certs/server-key.pem:/build/src/tests/integration/server-key.pem:ro 31 | entrypoint: '/usr/local/bin/pkcs11proxyd -fg -conf /build/src/tests/integration/pkcs11proxyd.conf' 32 | client: 33 | image: "pkcs11proxyd:${FLAVOR}" 34 | depends_on: 35 | - "pkcs11proxyd" 36 | environment: 37 | - PKCS11PROXY_LIBNAME=softhsm 38 | - PKCS11PROXY_SOCKET_PATH=pkcs11proxyd:4444 39 | entrypoint: "/build/src/tests/integration/wait-for-it.sh pkcs11proxyd:4444 -- /build/src/tests/integration/run-tests.sh" 40 | client-tls: 41 | image: "pkcs11proxydtls:${FLAVOR}" 42 | depends_on: 43 | - "pkcs11proxydtls" 44 | environment: 45 | - PKCS11PROXY_LIBNAME=softhsm 46 | - PKCS11PROXY_SOCKET_PATH=pkcs11proxydtls:4444 47 | - PKCS11PROXY_CA_FILE=/tmp/ca.pem 48 | - PKCS11PROXY_CERT_FILE=/tmp/client.pem 49 | - PKCS11PROXY_PRIVKEY_FILE=/tmp/client-key.pem 50 | volumes: 51 | - ./src/tests/integration/certs/ca.pem:/tmp/ca.pem:ro 52 | - ./src/tests/integration/certs/client.pem:/tmp/client.pem:ro 53 | - ./src/tests/integration/certs/client-key.pem:/tmp/client-key.pem:ro 54 | entrypoint: "/build/src/tests/integration/wait-for-it.sh pkcs11proxydtls:4444 -- /build/src/tests/integration/run-tests.sh" 55 | -------------------------------------------------------------------------------- /m4/ax_compare_version.m4: -------------------------------------------------------------------------------- 1 | # =========================================================================== 2 | # http://www.gnu.org/software/autoconf-archive/ax_compare_version.html 3 | # =========================================================================== 4 | # 5 | # SYNOPSIS 6 | # 7 | # AX_COMPARE_VERSION(VERSION_A, OP, VERSION_B, [ACTION-IF-TRUE], [ACTION-IF-FALSE]) 8 | # 9 | # DESCRIPTION 10 | # 11 | # This macro compares two version strings. Due to the various number of 12 | # minor-version numbers that can exist, and the fact that string 13 | # comparisons are not compatible with numeric comparisons, this is not 14 | # necessarily trivial to do in a autoconf script. This macro makes doing 15 | # these comparisons easy. 16 | # 17 | # The six basic comparisons are available, as well as checking equality 18 | # limited to a certain number of minor-version levels. 19 | # 20 | # The operator OP determines what type of comparison to do, and can be one 21 | # of: 22 | # 23 | # eq - equal (test A == B) 24 | # ne - not equal (test A != B) 25 | # le - less than or equal (test A <= B) 26 | # ge - greater than or equal (test A >= B) 27 | # lt - less than (test A < B) 28 | # gt - greater than (test A > B) 29 | # 30 | # Additionally, the eq and ne operator can have a number after it to limit 31 | # the test to that number of minor versions. 32 | # 33 | # eq0 - equal up to the length of the shorter version 34 | # ne0 - not equal up to the length of the shorter version 35 | # eqN - equal up to N sub-version levels 36 | # neN - not equal up to N sub-version levels 37 | # 38 | # When the condition is true, shell commands ACTION-IF-TRUE are run, 39 | # otherwise shell commands ACTION-IF-FALSE are run. The environment 40 | # variable 'ax_compare_version' is always set to either 'true' or 'false' 41 | # as well. 42 | # 43 | # Examples: 44 | # 45 | # AX_COMPARE_VERSION([3.15.7],[lt],[3.15.8]) 46 | # AX_COMPARE_VERSION([3.15],[lt],[3.15.8]) 47 | # 48 | # would both be true. 49 | # 50 | # AX_COMPARE_VERSION([3.15.7],[eq],[3.15.8]) 51 | # AX_COMPARE_VERSION([3.15],[gt],[3.15.8]) 52 | # 53 | # would both be false. 54 | # 55 | # AX_COMPARE_VERSION([3.15.7],[eq2],[3.15.8]) 56 | # 57 | # would be true because it is only comparing two minor versions. 58 | # 59 | # AX_COMPARE_VERSION([3.15.7],[eq0],[3.15]) 60 | # 61 | # would be true because it is only comparing the lesser number of minor 62 | # versions of the two values. 63 | # 64 | # Note: The characters that separate the version numbers do not matter. An 65 | # empty string is the same as version 0. OP is evaluated by autoconf, not 66 | # configure, so must be a string, not a variable. 67 | # 68 | # The author would like to acknowledge Guido Draheim whose advice about 69 | # the m4_case and m4_ifvaln functions make this macro only include the 70 | # portions necessary to perform the specific comparison specified by the 71 | # OP argument in the final configure script. 72 | # 73 | # LICENSE 74 | # 75 | # Copyright (c) 2008 Tim Toolan 76 | # 77 | # Copying and distribution of this file, with or without modification, are 78 | # permitted in any medium without royalty provided the copyright notice 79 | # and this notice are preserved. This file is offered as-is, without any 80 | # warranty. 81 | 82 | #serial 11 83 | 84 | dnl ######################################################################### 85 | AC_DEFUN([AX_COMPARE_VERSION], [ 86 | AC_REQUIRE([AC_PROG_AWK]) 87 | 88 | # Used to indicate true or false condition 89 | ax_compare_version=false 90 | 91 | # Convert the two version strings to be compared into a format that 92 | # allows a simple string comparison. The end result is that a version 93 | # string of the form 1.12.5-r617 will be converted to the form 94 | # 0001001200050617. In other words, each number is zero padded to four 95 | # digits, and non digits are removed. 96 | AS_VAR_PUSHDEF([A],[ax_compare_version_A]) 97 | A=`echo "$1" | sed -e 's/\([[0-9]]*\)/Z\1Z/g' \ 98 | -e 's/Z\([[0-9]]\)Z/Z0\1Z/g' \ 99 | -e 's/Z\([[0-9]][[0-9]]\)Z/Z0\1Z/g' \ 100 | -e 's/Z\([[0-9]][[0-9]][[0-9]]\)Z/Z0\1Z/g' \ 101 | -e 's/[[^0-9]]//g'` 102 | 103 | AS_VAR_PUSHDEF([B],[ax_compare_version_B]) 104 | B=`echo "$3" | sed -e 's/\([[0-9]]*\)/Z\1Z/g' \ 105 | -e 's/Z\([[0-9]]\)Z/Z0\1Z/g' \ 106 | -e 's/Z\([[0-9]][[0-9]]\)Z/Z0\1Z/g' \ 107 | -e 's/Z\([[0-9]][[0-9]][[0-9]]\)Z/Z0\1Z/g' \ 108 | -e 's/[[^0-9]]//g'` 109 | 110 | dnl # In the case of le, ge, lt, and gt, the strings are sorted as necessary 111 | dnl # then the first line is used to determine if the condition is true. 112 | dnl # The sed right after the echo is to remove any indented white space. 113 | m4_case(m4_tolower($2), 114 | [lt],[ 115 | ax_compare_version=`echo "x$A 116 | x$B" | sed 's/^ *//' | sort -r | sed "s/x${A}/false/;s/x${B}/true/;1q"` 117 | ], 118 | [gt],[ 119 | ax_compare_version=`echo "x$A 120 | x$B" | sed 's/^ *//' | sort | sed "s/x${A}/false/;s/x${B}/true/;1q"` 121 | ], 122 | [le],[ 123 | ax_compare_version=`echo "x$A 124 | x$B" | sed 's/^ *//' | sort | sed "s/x${A}/true/;s/x${B}/false/;1q"` 125 | ], 126 | [ge],[ 127 | ax_compare_version=`echo "x$A 128 | x$B" | sed 's/^ *//' | sort -r | sed "s/x${A}/true/;s/x${B}/false/;1q"` 129 | ],[ 130 | dnl Split the operator from the subversion count if present. 131 | m4_bmatch(m4_substr($2,2), 132 | [0],[ 133 | # A count of zero means use the length of the shorter version. 134 | # Determine the number of characters in A and B. 135 | ax_compare_version_len_A=`echo "$A" | $AWK '{print(length)}'` 136 | ax_compare_version_len_B=`echo "$B" | $AWK '{print(length)}'` 137 | 138 | # Set A to no more than B's length and B to no more than A's length. 139 | A=`echo "$A" | sed "s/\(.\{$ax_compare_version_len_B\}\).*/\1/"` 140 | B=`echo "$B" | sed "s/\(.\{$ax_compare_version_len_A\}\).*/\1/"` 141 | ], 142 | [[0-9]+],[ 143 | # A count greater than zero means use only that many subversions 144 | A=`echo "$A" | sed "s/\(\([[0-9]]\{4\}\)\{m4_substr($2,2)\}\).*/\1/"` 145 | B=`echo "$B" | sed "s/\(\([[0-9]]\{4\}\)\{m4_substr($2,2)\}\).*/\1/"` 146 | ], 147 | [.+],[ 148 | AC_WARNING( 149 | [illegal OP numeric parameter: $2]) 150 | ],[]) 151 | 152 | # Pad zeros at end of numbers to make same length. 153 | ax_compare_version_tmp_A="$A`echo $B | sed 's/./0/g'`" 154 | B="$B`echo $A | sed 's/./0/g'`" 155 | A="$ax_compare_version_tmp_A" 156 | 157 | # Check for equality or inequality as necessary. 158 | m4_case(m4_tolower(m4_substr($2,0,2)), 159 | [eq],[ 160 | test "x$A" = "x$B" && ax_compare_version=true 161 | ], 162 | [ne],[ 163 | test "x$A" != "x$B" && ax_compare_version=true 164 | ],[ 165 | AC_WARNING([illegal OP parameter: $2]) 166 | ]) 167 | ]) 168 | 169 | AS_VAR_POPDEF([A])dnl 170 | AS_VAR_POPDEF([B])dnl 171 | 172 | dnl # Execute ACTION-IF-TRUE / ACTION-IF-FALSE. 173 | if test "$ax_compare_version" = "true" ; then 174 | m4_ifvaln([$4],[$4],[:])dnl 175 | m4_ifvaln([$5],[else $5])dnl 176 | fi 177 | ]) dnl AX_COMPARE_VERSION 178 | -------------------------------------------------------------------------------- /scripts/pkcs11proxyd.in: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | ### BEGIN INIT INFO 3 | # Provides: pkcs11proxyd 4 | # Required-Start: $syslog 5 | # Required-Stop: $syslog 6 | # Default-Start: 2 3 4 5 7 | # Default-Stop: 0 1 6 8 | # Short-Description: OCaml filtering PKCS#11 proxy daemon 9 | # Description: This init script is used to launch the pkcs11proxyd 10 | # service. 11 | ### END INIT INFO 12 | 13 | # Author: Thomas Calderon 14 | # 15 | 16 | # Do NOT "set -e" 17 | 18 | # PATH should only include /usr/* if it runs after the mountnfs.sh script 19 | PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/local/lib 20 | DESC="OCaml filtering PKCS#11 proxy daemon" 21 | NAME=pkcs11proxyd 22 | DAEMON=@prefix@/bin/$NAME 23 | DAEMON_ARGS="-conf @sysconfdir@/pkcs11proxyd/pkcs11proxyd.conf" 24 | PIDFILE=/var/run/$NAME.pid 25 | SCRIPTNAME=/etc/init.d/$NAME 26 | 27 | # Exit if the package is not installed 28 | [ -x "$DAEMON" ] || exit 0 29 | 30 | # Read configuration variable file if it is present 31 | [ -r /etc/default/$NAME ] && . /etc/default/$NAME 32 | 33 | # Load the VERBOSE setting and other rcS variables 34 | . /lib/init/vars.sh 35 | 36 | # Define LSB log_* functions. 37 | # Depend on lsb-base (>= 3.2-14) to ensure that this file is present 38 | # and status_of_proc is working. 39 | . /lib/lsb/init-functions 40 | 41 | # 42 | # Function that starts the daemon/service 43 | # 44 | do_start() 45 | { 46 | # Return 47 | # 0 if daemon has been started 48 | # 1 if daemon was already running 49 | # 2 if daemon could not be started 50 | start-stop-daemon --start --quiet --exec $DAEMON --test > /dev/null \ 51 | || return 1 52 | start-stop-daemon --start --quiet $PIDFILE --exec $DAEMON -- \ 53 | $DAEMON_ARGS \ 54 | || return 2 55 | # Add code here, if necessary, that waits for the process to be ready 56 | # to handle requests from services started subsequently which depend 57 | # on this one. As a last resort, sleep for some time. 58 | } 59 | 60 | # 61 | # Function that stops the daemon/service 62 | # 63 | do_stop() 64 | { 65 | # Return 66 | # 0 if daemon has been stopped 67 | # 1 if daemon was already stopped 68 | # 2 if daemon could not be stopped 69 | # other if a failure occurred 70 | start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --name $NAME 71 | RETVAL="$?" 72 | [ "$RETVAL" = 2 ] && return 2 73 | # Wait for children to finish too if this is a daemon that forks 74 | # and if the daemon is only ever run from this initscript. 75 | # If the above conditions are not satisfied then add some other code 76 | # that waits for the process to drop all resources that could be 77 | # needed by services started subsequently. A last resort is to 78 | # sleep for some time. 79 | start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON 80 | [ "$?" = 2 ] && return 2 81 | # Many daemons don't delete their pidfiles when they exit. 82 | rm -f $PIDFILE 83 | return "$RETVAL" 84 | } 85 | 86 | # 87 | # Function that sends a SIGHUP to the daemon/service 88 | # 89 | do_reload() { 90 | # 91 | # If the daemon can reload its configuration without 92 | # restarting (for example, when it is sent a SIGHUP), 93 | # then implement that here. 94 | # 95 | start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME 96 | return 0 97 | } 98 | 99 | case "$1" in 100 | start) 101 | [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" 102 | do_start 103 | case "$?" in 104 | 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 105 | 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; 106 | esac 107 | ;; 108 | stop) 109 | [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" 110 | do_stop 111 | case "$?" in 112 | 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 113 | 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; 114 | esac 115 | ;; 116 | status) 117 | status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? 118 | ;; 119 | #reload|force-reload) 120 | # 121 | # If do_reload() is not implemented then leave this commented out 122 | # and leave 'force-reload' as an alias for 'restart'. 123 | # 124 | #log_daemon_msg "Reloading $DESC" "$NAME" 125 | #do_reload 126 | #log_end_msg $? 127 | #;; 128 | restart|force-reload) 129 | # 130 | # If the "reload" option is implemented then remove the 131 | # 'force-reload' alias 132 | # 133 | log_daemon_msg "Restarting $DESC" "$NAME" 134 | do_stop 135 | case "$?" in 136 | 0|1) 137 | do_start 138 | case "$?" in 139 | 0) log_end_msg 0 ;; 140 | 1) log_end_msg 1 ;; # Old process is still running 141 | *) log_end_msg 1 ;; # Failed to start 142 | esac 143 | ;; 144 | *) 145 | # Failed to stop 146 | log_end_msg 1 147 | ;; 148 | esac 149 | ;; 150 | *) 151 | #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 152 | echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 153 | exit 3 154 | ;; 155 | esac 156 | 157 | : 158 | -------------------------------------------------------------------------------- /src/bindings-pkcs11/Makefile.in: -------------------------------------------------------------------------------- 1 | CC=@CC@ 2 | CFLAGS_OPT = -Wall -Wextra -pedantic -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wuninitialized -fcommon 3 | CFLAGS_OPT += ${CPPFLAGS} 4 | CFLAGS = -O2 -fPIC $(CFLAGS_OPT) -I@OCAMLLIB@ 5 | CFLAGS_DBG = -g -fPIC -I@OCAMLLIB@ $(CFLAGS_OPT) 6 | caml_link_dirs = @OCAMLLIB@ 7 | LDFLAGS = -cclib -L$(caml_link_dirs) -cclib -lcamlidl 8 | 9 | all: @idl_gen@ 10 | $(CC) @srcdir@/pkcs11_stubs.c -DSERVER_ROLE -c $(CFLAGS) 11 | $(CC) @srcdir@/pkcs11_functions.c @aliasing_def@ -DSERVER_ROLE -c $(CFLAGS) 12 | ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@" -o pkcs11 -c @srcdir@/pkcs11.mli 13 | ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@" -o pkcs11 -c @srcdir@/pkcs11.ml 14 | ocamlmklib -o pkcs11 pkcs11.cmx pkcs11_functions.o pkcs11_stubs.o $(LDFLAGS) 15 | 16 | debug: @idl_gen@ 17 | $(CC) @srcdir@/pkcs11_stubs.c -DSERVER_ROLE -DDEBUG -g -c $(CFLAGS_DBG) 18 | $(CC) @srcdir@/pkcs11_functions.c @aliasing_def@ -DSERVER_ROLE -g -DDEBUG -c $(CFLAGS_DBG) 19 | ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@" -g -o pkcs11 -c @srcdir@/pkcs11.mli 20 | ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@" -g -o pkcs11 -c @srcdir@/pkcs11.ml 21 | ocamlmklib -o pkcs11 pkcs11.cmx pkcs11_functions.o pkcs11_stubs.o $(LDFLAGS) 22 | 23 | idl: 24 | @rm -f @idl_clean@ 25 | camlidl @idl_ocaml_bytes_module_define@ -header @srcdir@/pkcs11.idl 26 | cat @srcdir@/pkcs11_stubs.c | sed -e 's/Begin_roots_block(\(.*\)).*/Begin_roots_block(\1);/g' | sed -e 's/Begin_root(\(.*\)).*/Begin_root(\1);/g' | sed -e 's/End_roots(\(.*\)).*/End_roots(\1);/g' > ./tmp 27 | mv ./tmp @srcdir@/pkcs11_stubs.c 28 | #Sed to patch (GetSlotList/GetMechList/FindObjects/GetObjectSize) 29 | sed -i "s/* int/\* nativeint/g" @srcdir@/pkcs11.mli 30 | sed -i "s/* int/\* nativeint/g" @srcdir@/pkcs11.ml 31 | #Handle recent IDL (as they rename some functions and cocci patches will not be applied otherwise) 32 | sed -i "s/caml_modify/modify/g" @srcdir@/pkcs11_stubs.c 33 | sed -i "s/caml_copy_nativeint/custom_copy_int/g" @srcdir@/pkcs11_stubs.c 34 | sed -i "s/caml_invalid_argument/invalid_argument/g" @srcdir@/pkcs11_stubs.c 35 | # Patch the stubs with cocci 36 | spatch --no-show-diff --in-place --sp-file @srcdir@/pkcs11_stubs.cocci @srcdir@/pkcs11_stubs.c 37 | #Sed because spatch is not able to preprocess 38 | sed -i 's/^_CAMLIDL_EXTERN_C/extern/g' @srcdir@/pkcs11.h 39 | #Sed to change the structure packing pragma in WIN32 mode: CamlIDL fixes it to 8 while 40 | #PKCS11 header fixes it to 1 => this can create binary interoperability issues 41 | sed -i 's/push,8/push,1\/* Replaced for PKCS11 compatibiliy *\//g' @srcdir@/pkcs11.h 42 | spatch --no-show-diff --in-place --sp-file @srcdir@/@pkcs11_cocci_patch@ @srcdir@/pkcs11.h 43 | #Sed to force the produced idl variable context and some values to be tagged 'unused' 44 | sed -i 's/\(.*\), camlidl_ctx _ctx)$$/#ifdef __GNUC__\n\1, __attribute__((unused)) camlidl_ctx _ctx)\n#else\n\1, camlidl_ctx _ctx)\n#endif/g' @srcdir@/pkcs11_stubs.c 45 | sed -i 's/\(.*\)value _unit)$$/#ifdef __GNUC__\n\1__attribute__((unused))value _unit)\n#else\n\1value _unit)\n#endif/g' @srcdir@/pkcs11_stubs.c 46 | #Sed to disable the warnings on shadowing caml__roots_block 47 | sed -i 's/\(.*\)Begin_root(\(.*\)/\/* We add this because of possible shadow warning *\/\n\/* (this is not our code: these are camlidl macros)*\/\n#if GCC_VERSION > 40600\n#pragma GCC diagnostic push\n#pragma GCC diagnostic ignored \"-Wshadow\"\n#endif\n\1Begin_root(\2\n#if GCC_VERSION > 40600\n#pragma GCC diagnostic pop\n#endif/g' @srcdir@/pkcs11_stubs.c 48 | sed -i 's/\(.*\)Begin_roots_block(\(.*\)/\/* We add this because of possible shadow warning *\/\n\/* (this is not our code: these are camlidl macros)*\/\n#if GCC_VERSION > 40600\n#pragma GCC diagnostic push\n#pragma GCC diagnostic ignored \"-Wshadow\"\n#endif\n\1Begin_roots_block(\2\n#if GCC_VERSION > 40600\n#pragma GCC diagnostic pop\n#endif/g' @srcdir@/pkcs11_stubs.c 49 | 50 | clean_idl: 51 | @rm -f @srcdir@/pkcs11.h @srcdir@/pkcs11_stubs.c @srcdir@/pkcs11.mli @srcdir@/pkcs11.ml 52 | clean: 53 | @rm -f @srcdir@/*.cmi @srcdir@/*.cmx @srcdir@/*.o @srcdir@/*.cmo @srcdir@/*~ @srcdir@/*.opt @srcdir@/*.cmxa @srcdir@/*.a @srcdir@/*.cma @srcdir@/*.so 54 | -------------------------------------------------------------------------------- /src/bindings-pkcs11/Makefile.standalone.in: -------------------------------------------------------------------------------- 1 | CC=@CC@ 2 | CFLAGS_OPT = -Wall -Wextra -pedantic -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wuninitialized 3 | CFLAGS_OPT += ${CPPFLAGS} 4 | CFLAGS = -O2 -fPIC $(CFLAGS_OPT) -I@OCAMLLIB@ 5 | CFLAGS_DBG = -g -fPIC -I@OCAMLLIB@ $(CFLAGS_OPT) 6 | caml_link_dirs = @OCAMLLIB@ 7 | LDFLAGS = -cclib -L$(caml_link_dirs) -cclib -lcamlidl 8 | 9 | all: @idl_gen@ 10 | $(CC) @srcdir@/pkcs11_stubs.c -c $(CFLAGS) 11 | $(CC) @srcdir@/pkcs11_functions.c @aliasing_def@ -c $(CFLAGS) 12 | ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@" -o pkcs11 -c @srcdir@/pkcs11.mli 13 | ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@" -o pkcs11 -c @srcdir@/pkcs11.ml 14 | ocamlmklib -o pkcs11_standalone pkcs11.cmx pkcs11_functions.o pkcs11_stubs.o $(LDFLAGS) 15 | 16 | debug: @idl_gen@ 17 | $(CC) @srcdir@/pkcs11_stubs.c -DSERVER_ROLE -DDEBUG -g -c $(CFLAGS_DBG) 18 | $(CC) @srcdir@/pkcs11_functions.c @aliasing_def@ -DSERVER_ROLE -g -DDEBUG -c $(CFLAGS_DBG) 19 | ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@" -g -o pkcs11 -c @srcdir@/pkcs11.mli 20 | ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@" -g -o pkcs11 -c @srcdir@/pkcs11.ml 21 | ocamlmklib -o pkcs11_standalone pkcs11.cmx pkcs11_functions.o pkcs11_stubs.o $(LDFLAGS) 22 | 23 | idl: 24 | @rm -f @idl_clean@ 25 | camlidl @idl_ocaml_bytes_module_define@ -header @srcdir@/pkcs11.idl 26 | cat @srcdir@/pkcs11_stubs.c | sed -e 's/Begin_roots_block(\(.*\)).*/Begin_roots_block(\1);/g' | sed -e 's/Begin_root(\(.*\)).*/Begin_root(\1);/g' | sed -e 's/End_roots(\(.*\)).*/End_roots(\1);/g' > ./tmp 27 | mv ./tmp @srcdir@/pkcs11_stubs.c 28 | #Sed to patch (GetSlotList/GetMechList/FindObjects/GetObjectSize) 29 | sed -i "s/* int/\* nativeint/g" @srcdir@/pkcs11.mli 30 | sed -i "s/* int/\* nativeint/g" @srcdir@/pkcs11.ml 31 | #Handle recent IDL (as they rename some functions and cocci patches will not be applied otherwise) 32 | sed -i "s/caml_modify/modify/g" @srcdir@/pkcs11_stubs.c 33 | sed -i "s/caml_copy_nativeint/custom_copy_int/g" @srcdir@/pkcs11_stubs.c 34 | sed -i "s/caml_invalid_argument/invalid_argument/g" @srcdir@/pkcs11_stubs.c 35 | # Patch the stubs with cocci 36 | spatch --no-show-diff --in-place --sp-file @srcdir@/pkcs11_stubs.cocci @srcdir@/pkcs11_stubs.c 37 | #Sed because spatch is not able to preprocess 38 | sed -i 's/^_CAMLIDL_EXTERN_C/extern/g' @srcdir@/pkcs11.h 39 | #Sed to change the structure packing pragma in WIN32 mode: CamlIDL fixes it to 8 while 40 | #PKCS11 header fixes it to 1 => this can create binary interoperability issues 41 | sed -i 's/push,8/push,1\/* Replaced for PKCS11 compatibiliy *\//g' @srcdir@/pkcs11.h 42 | spatch --no-show-diff --in-place --sp-file @srcdir@/@pkcs11_cocci_patch@ @srcdir@/pkcs11.h 43 | #Sed to force the produced idl variable context and some values to be tagged 'unused' 44 | sed -i 's/\(.*\), camlidl_ctx _ctx)$$/#ifdef __GNUC__\n\1, __attribute__((unused)) camlidl_ctx _ctx)\n#else\n\1, camlidl_ctx _ctx)\n#endif/g' @srcdir@/pkcs11_stubs.c 45 | sed -i 's/\(.*\)value _unit)$$/#ifdef __GNUC__\n\1__attribute__((unused))value _unit)\n#else\n\1value _unit)\n#endif/g' @srcdir@/pkcs11_stubs.c 46 | #Sed to disable the warnings on shadowing caml__roots_block 47 | sed -i 's/\(.*\)Begin_root(\(.*\)/\/* We add this because of possible shadow warning *\/\n\/* (this is not our code: these are camlidl macros)*\/\n#if GCC_VERSION > 40600\n#pragma GCC diagnostic push\n#pragma GCC diagnostic ignored \"-Wshadow\"\n#endif\n\1Begin_root(\2\n#if GCC_VERSION > 40600\n#pragma GCC diagnostic pop\n#endif/g' @srcdir@/pkcs11_stubs.c 48 | sed -i 's/\(.*\)Begin_roots_block(\(.*\)/\/* We add this because of possible shadow warning *\/\n\/* (this is not our code: these are camlidl macros)*\/\n#if GCC_VERSION > 40600\n#pragma GCC diagnostic push\n#pragma GCC diagnostic ignored \"-Wshadow\"\n#endif\n\1Begin_roots_block(\2\n#if GCC_VERSION > 40600\n#pragma GCC diagnostic pop\n#endif/g' @srcdir@/pkcs11_stubs.c 49 | 50 | clean_idl: 51 | @rm -f @srcdir@/pkcs11.h @srcdir@/pkcs11_stubs.c @srcdir@/pkcs11.mli @srcdir@/pkcs11.ml 52 | clean: 53 | @rm -f @srcdir@/*.cmi @srcdir@/*.cmx @srcdir@/*.o @srcdir@/*.cmo @srcdir@/*~ @srcdir@/*.opt @srcdir@/*.cmxa @srcdir@/*.a @srcdir@/*.cma @srcdir@/*.so 54 | -------------------------------------------------------------------------------- /src/bindings-pkcs11/pkcs11.cocci.new: -------------------------------------------------------------------------------- 1 | @@ 2 | typedef ck_rv_t; 3 | typedef ck_session_handle_t; 4 | @@ 5 | - ck_rv_t ML_CK_C_Encrypt(/*in*/ ck_session_handle_t session, /*in*/ unsigned char *data, /*in*/ unsigned long data_len, /*out*/ unsigned char *encrypted, /*in*/ unsigned long *encrypted_len); 6 | + ck_rv_t ML_CK_C_Encrypt(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char **encrypted, unsigned long *encrypted_len); 7 | 8 | @@ 9 | typedef ck_rv_t; 10 | typedef ck_session_handle_t; 11 | @@ 12 | - ck_rv_t ML_CK_C_EncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char *encrypted, unsigned long *encrypted_len); 13 | + ck_rv_t ML_CK_C_EncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char **encrypted, unsigned long *encrypted_len); 14 | 15 | @@ 16 | typedef ck_rv_t; 17 | typedef ck_session_handle_t; 18 | @@ 19 | - ck_rv_t ML_CK_C_DigestEncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char *encrypted, unsigned long *encrypted_len); 20 | + ck_rv_t ML_CK_C_DigestEncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char **encrypted, unsigned long *encrypted_len); 21 | 22 | @@ 23 | typedef ck_rv_t; 24 | typedef ck_session_handle_t; 25 | @@ 26 | - ck_rv_t ML_CK_C_SignEncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char *encrypted, unsigned long *encrypted_len); 27 | + ck_rv_t ML_CK_C_SignEncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char **encrypted, unsigned long *encrypted_len); 28 | 29 | @@ 30 | typedef ck_rv_t; 31 | typedef ck_session_handle_t; 32 | @@ 33 | - ck_rv_t ML_CK_C_EncryptFinal(ck_session_handle_t session, unsigned char *encrypted, unsigned long *encrypted_len); 34 | + ck_rv_t ML_CK_C_EncryptFinal(ck_session_handle_t session, unsigned char **encrypted, unsigned long *encrypted_len); 35 | 36 | @@ 37 | typedef ck_rv_t; 38 | typedef ck_session_handle_t; 39 | @@ 40 | - ck_rv_t ML_CK_C_Decrypt(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char *decrypted, unsigned long *decrypted_len); 41 | + ck_rv_t ML_CK_C_Decrypt(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char **decrypted, unsigned long *decrypted_len); 42 | 43 | @@ 44 | typedef ck_rv_t; 45 | typedef ck_session_handle_t; 46 | @@ 47 | - ck_rv_t ML_CK_C_VerifyRecover(ck_session_handle_t session, unsigned char *signature, unsigned long signature_len, unsigned char *data, unsigned long *data_len); 48 | + ck_rv_t ML_CK_C_VerifyRecover(ck_session_handle_t session, unsigned char *signature, unsigned long signature_len, unsigned char **data, unsigned long *data_len); 49 | 50 | @@ 51 | typedef ck_rv_t; 52 | typedef ck_session_handle_t; 53 | @@ 54 | - ck_rv_t ML_CK_C_DecryptUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char *data, unsigned long *data_len); 55 | + ck_rv_t ML_CK_C_DecryptUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char **data, unsigned long *data_len); 56 | 57 | @@ 58 | typedef ck_rv_t; 59 | typedef ck_session_handle_t; 60 | @@ 61 | - ck_rv_t ML_CK_C_DecryptDigestUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char *data, unsigned long *data_len); 62 | + ck_rv_t ML_CK_C_DecryptDigestUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char **data, unsigned long *data_len); 63 | 64 | @@ 65 | typedef ck_rv_t; 66 | typedef ck_session_handle_t; 67 | @@ 68 | - ck_rv_t ML_CK_C_DecryptVerifyUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char *data, unsigned long *data_len); 69 | + ck_rv_t ML_CK_C_DecryptVerifyUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char **data, unsigned long *data_len); 70 | 71 | @@ 72 | typedef ck_rv_t; 73 | typedef ck_session_handle_t; 74 | @@ 75 | - ck_rv_t ML_CK_C_DecryptFinal(ck_session_handle_t session, unsigned char *decrypted, unsigned long *decrypted_len); 76 | + ck_rv_t ML_CK_C_DecryptFinal(ck_session_handle_t session, unsigned char **decrypted, unsigned long *decrypted_len); 77 | 78 | @@ 79 | typedef ck_rv_t; 80 | typedef ck_session_handle_t; 81 | @@ 82 | - ck_rv_t ML_CK_C_GetOperationState(ck_session_handle_t session, unsigned char *data, unsigned long *data_len); 83 | + ck_rv_t ML_CK_C_GetOperationState(ck_session_handle_t session, unsigned char **data, unsigned long *data_len); 84 | 85 | @@ 86 | @@ 87 | - void char_array_to_ulong(/*in*/ unsigned char *data, /*out*/ unsigned long output); 88 | + void char_array_to_ulong(/*in*/ unsigned char *data, /*in*/ size_t data_size, /*out*/ unsigned long *output); 89 | 90 | @@ 91 | symbol in, out, out_len; 92 | @@ 93 | - void hton_char_array(/*in*/ unsigned char *in, /*out*/ unsigned char *out, /*in*/ unsigned long *out_len); 94 | + void hton_char_array(/*in*/ unsigned char *in, unsigned long in_len, /*out*/ unsigned char *out, /*in*/ unsigned long *out_len); 95 | 96 | @@ 97 | symbol in, out, out_len; 98 | @@ 99 | - void ntoh_char_array(/*in*/ unsigned char *in, /*out*/ unsigned char *out, /*in*/ unsigned long *out_len); 100 | + void ntoh_char_array(/*in*/ unsigned char *in, unsigned long in_len, /*out*/ unsigned char *out, /*in*/ unsigned long *out_len); 101 | 102 | -------------------------------------------------------------------------------- /src/bindings-pkcs11/pkcs11.cocci.old: -------------------------------------------------------------------------------- 1 | @@ 2 | typedef ck_rv_t; 3 | typedef ck_session_handle_t; 4 | identifier session, encrypted, encrypted_len, data, data_len; 5 | @@ 6 | - ck_rv_t ML_CK_C_Encrypt(/*in*/ ck_session_handle_t session, /*in*/ unsigned char *data, /*in*/ unsigned long data_len, /*out*/ unsigned char *encrypted, /*in*/ unsigned long *encrypted_len); 7 | + ck_rv_t ML_CK_C_Encrypt(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char **encrypted, unsigned long *encrypted_len); 8 | 9 | @@ 10 | identifier session, encrypted, encrypted_len, data, data_len; 11 | @@ 12 | - ck_rv_t ML_CK_C_EncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char *encrypted, unsigned long *encrypted_len); 13 | + ck_rv_t ML_CK_C_EncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char **encrypted, unsigned long *encrypted_len); 14 | 15 | @@ 16 | identifier session, encrypted, encrypted_len, data, data_len; 17 | @@ 18 | - ck_rv_t ML_CK_C_DigestEncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char *encrypted, unsigned long *encrypted_len); 19 | + ck_rv_t ML_CK_C_DigestEncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char **encrypted, unsigned long *encrypted_len); 20 | 21 | @@ 22 | identifier session, encrypted, encrypted_len, data, data_len; 23 | @@ 24 | - ck_rv_t ML_CK_C_SignEncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char *encrypted, unsigned long *encrypted_len); 25 | + ck_rv_t ML_CK_C_SignEncryptUpdate(ck_session_handle_t session, unsigned char *data, unsigned long data_len, unsigned char **encrypted, unsigned long *encrypted_len); 26 | 27 | @@ 28 | identifier session, encrypted, encrypted_len; 29 | @@ 30 | - ck_rv_t ML_CK_C_EncryptFinal(ck_session_handle_t session, unsigned char *encrypted, unsigned long *encrypted_len); 31 | + ck_rv_t ML_CK_C_EncryptFinal(ck_session_handle_t session, unsigned char **encrypted, unsigned long *encrypted_len); 32 | 33 | @@ 34 | identifier session, encrypted, encrypted_len, decrypted, decrypted_len; 35 | @@ 36 | - ck_rv_t ML_CK_C_Decrypt(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char *decrypted, unsigned long *decrypted_len); 37 | + ck_rv_t ML_CK_C_Decrypt(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char **decrypted, unsigned long *decrypted_len); 38 | 39 | @@ 40 | identifier session, signature, signature_len, data, data_len; 41 | @@ 42 | - ck_rv_t ML_CK_C_VerifyRecover(ck_session_handle_t session, unsigned char *signature, unsigned long signature_len, unsigned char *data, unsigned long *data_len); 43 | + ck_rv_t ML_CK_C_VerifyRecover(ck_session_handle_t session, unsigned char *signature, unsigned long signature_len, unsigned char **data, unsigned long *data_len); 44 | 45 | @@ 46 | identifier session, encrypted, encrypted_len, data, data_len; 47 | @@ 48 | - ck_rv_t ML_CK_C_DecryptUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char *data, unsigned long *data_len); 49 | + ck_rv_t ML_CK_C_DecryptUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char **data, unsigned long *data_len); 50 | 51 | @@ 52 | identifier session, encrypted, encrypted_len, data, data_len; 53 | @@ 54 | - ck_rv_t ML_CK_C_DecryptDigestUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char *data, unsigned long *data_len); 55 | + ck_rv_t ML_CK_C_DecryptDigestUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char **data, unsigned long *data_len); 56 | 57 | @@ 58 | identifier session, encrypted, encrypted_len, data, data_len; 59 | @@ 60 | - ck_rv_t ML_CK_C_DecryptVerifyUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char *data, unsigned long *data_len); 61 | + ck_rv_t ML_CK_C_DecryptVerifyUpdate(ck_session_handle_t session, unsigned char *encrypted, unsigned long encrypted_len, unsigned char **data, unsigned long *data_len); 62 | 63 | @@ 64 | identifier session, decrypted, decrypted_len; 65 | @@ 66 | - ck_rv_t ML_CK_C_DecryptFinal(ck_session_handle_t session, unsigned char *decrypted, unsigned long *decrypted_len); 67 | + ck_rv_t ML_CK_C_DecryptFinal(ck_session_handle_t session, unsigned char **decrypted, unsigned long *decrypted_len); 68 | 69 | @@ 70 | identifier session, data, data_len; 71 | @@ 72 | - ck_rv_t ML_CK_C_GetOperationState(ck_session_handle_t session, unsigned char *data, unsigned long *data_len); 73 | + ck_rv_t ML_CK_C_GetOperationState(ck_session_handle_t session, unsigned char **data, unsigned long *data_len); 74 | 75 | @@ 76 | identifier data, output; 77 | @@ 78 | - void char_array_to_ulong(/*in*/ unsigned char *data, /*out*/ unsigned long output); 79 | + void char_array_to_ulong(/*in*/ unsigned char *data, /*in*/ size_t data_size, /*out*/ unsigned long *output); 80 | 81 | @@ 82 | identifier in, out, out_len; 83 | @@ 84 | - void hton_char_array(/*in*/ unsigned char *in, /*out*/ unsigned char *out, /*in*/ unsigned long *out_len); 85 | + void hton_char_array(/*in*/ unsigned char *in, unsigned long in_len, /*out*/ unsigned char *out, /*in*/ unsigned long *out_len); 86 | 87 | @@ 88 | identifier in, out, out_len; 89 | @@ 90 | - void ntoh_char_array(/*in*/ unsigned char *in, /*out*/ unsigned char *out, /*in*/ unsigned long *out_len); 91 | + void ntoh_char_array(/*in*/ unsigned char *in, unsigned long in_len, /*out*/ unsigned char *out, /*in*/ unsigned long *out_len); 92 | 93 | -------------------------------------------------------------------------------- /src/client-lib/Makefile.Win32: -------------------------------------------------------------------------------- 1 | #Define target systems 2 | APPVER = 6.1 3 | TARGETOS = WINNT 4 | #For now force AMD64, comment it if you need x86 5 | CPU=AMD64 6 | 7 | #You need to add the include directory to win32.mak 8 | # for instance (set include=%include%;C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Include) 9 | 10 | #To compile the Debug version: nmake /f Makefile.Win32 11 | #To compile the Release version: nmake /f Makefile.Win32 nodebug=1 12 | #We have to include Windows specific helpers (cvarsmt, cdebug, etc) 13 | !include 14 | 15 | #Path to ONC-RPC library and generated STATIC lib file. 16 | #WARNING: your oncrpc.lib have to match your build configuration (Debug/Release), otherwise it will fail 17 | #Please download and compile your own () 18 | RPC_INC=C:\Users\dev\Desktop\oncrpc-win32\win32\include 19 | RPC_LIB=C:\Users\dev\Desktop\oncrpc-win32\win32\bin\oncrpc.lib 20 | 21 | #Local include directory 22 | BINDING_INC=..\bindings-pkcs11 23 | 24 | # Libname to compile 25 | LIBNAME="softhsm" 26 | 27 | # Output LIB 28 | CLIENTLIB=libp11client 29 | 30 | #__STDC__ is needed to avoid issue with "lazy" prototypes 31 | #We need to define ONCRPC_STATIC to get the correct function declaration 32 | #Modify SOCKET_PATH LIBNAME to your convenience 33 | LCFLAGS=-I$(RPC_INC) -I$(BINDING_INC) -I. \ 34 | -D__STDC__ \ 35 | -DONCRPC_STATIC\ 36 | -DCRPC \ 37 | -DTCP_SOCKET -DSOCKET_PATH=192.168.39.30:4444\ 38 | -DLIBNAME=$(LIBNAME) 39 | 40 | LINK_FLAGS=$(RPC_LIB) 41 | 42 | CC=cl 43 | 44 | TARGETS=prepare $(CLIENTLIB).dll restore 45 | TRASH=*.pdb *.lib *.exp *.idb *.manifest 46 | 47 | CLIENT_OBJ = \ 48 | pkcs11_rpc_xdr.obj \ 49 | pkcs11_rpc_clnt.obj \ 50 | modwrap.obj \ 51 | modwrap_crpc.obj \ 52 | modwrap_crpc_ssl.obj \ 53 | $(NULL) 54 | 55 | .SUFFIXES: .c .obj .OBJ .rc .res .Obj .dll 56 | 57 | #The $(cvarsmt) indicates to link with the local C Runtime, we 58 | # do not use $(cvarsdll) to avoid linking to MSVCRT (shipping redistribuable DLL). 59 | .c.obj: 60 | $(CC) $(LCFLAGS) $(cdebug) $(cflags) $(cvarsmt) $< 61 | 62 | .rc.res: 63 | rc $(DEFINES) $< 64 | 65 | all: $(TARGETS) 66 | 67 | clean: 68 | del $(TARGETS) $(CLIENT_OBJ) $(TRASH) 69 | 70 | #Compile and link 71 | $(CLIENTLIB).dll: $(CLIENT_OBJ) $(LINK_FLAGS) 72 | link /OUT:$*.dll $(CLIENT_OBJ) $(ldebug) $(dlllflags) $(conlibsdll) $(LINK_FLAGS) 73 | if EXIST $*.dll.manifest mt -manifest $*.dll.manifest -outputresource:$*.dll;2 74 | !IF "$(_NMAKE_VER)" >= "8.00" 75 | mt.exe -manifest $(CLIENTLIB).dll.manifest -outputresource:"$(CLIENTLIB).dll;2" 76 | !ENDIF 77 | -------------------------------------------------------------------------------- /src/client-lib/Makefile.Win32.mingw: -------------------------------------------------------------------------------- 1 | #Path to ONC-RPC library and generated STATIC lib file. 2 | #WARNING: your oncrpc.lib have to match your build configuration (Debug/Release), otherwise it will fail 3 | #Please download and compile your own () 4 | RPC_INC=../../../oncrpc-win32/win32/include 5 | RPC_LIB32=../../../oncrpc-win32/win32/bin32/oncrpc.lib 6 | RPC_LIB64=../../../oncrpc-win32/win32/bin64/oncrpc.lib 7 | SSL_INC=../../../openssl-1.1.0f/include 8 | SSL_LIB32=../../../openssl-1.1.0f/win32/libssl.a 9 | CRYPTO_LIB32=../../../openssl-1.1.0f/win32/libcrypto.a 10 | SSL_LIB64=../../../openssl-1.1.0f/win64/libssl.a 11 | CRYPTO_LIB64=../../../openssl-1.1.0f/win64/libcrypto.a 12 | 13 | #Local include directory 14 | BINDING_INC=../bindings-pkcs11 15 | 16 | # Libname to compile 17 | LIBNAME="softhsm" 18 | 19 | # Output LIB 20 | CLIENTLIB=libp11client 21 | 22 | #Modify SOCKET_PATH LIBNAME to your convenience 23 | LCFLAGS=-g -I$(RPC_INC) -I$(BINDING_INC) -I.\ 24 | -DONCRPC_STATIC\ 25 | -DCRPC \ 26 | -fno-builtin-bcopy -fno-builtin-bcmp -fno-builtin-bzero \ 27 | -DTCP_SOCKET -DSOCKET_PATH=127.0.0.1:4444\ 28 | -DLIBNAME=$(LIBNAME)\ 29 | 30 | LINK_FLAGS32=$(RPC_LIB32) 31 | LINK_FLAGS64=$(RPC_LIB64) 32 | 33 | #Modify SOCKET_PATH LIBNAME to your convenience 34 | LCFLAGS_SSL=-g -I$(RPC_INC) -I$(BINDING_INC) -I. -I$(SSL_INC)\ 35 | -DONCRPC_STATIC\ 36 | -DCRPC \ 37 | -fno-builtin-bcopy -fno-builtin-bcmp -fno-builtin-bzero \ 38 | -DTCP_SOCKET -DSOCKET_PATH=127.0.0.1:4444\ 39 | -DLIBNAME=$(LIBNAME)\ 40 | -DWITH_SSL -DSSL_FILES_ENV 41 | 42 | LINK_FLAGS32_SSL=$(RPC_LIB32) $(SSL_LIB32) $(CRYPTO_LIB32) -static-libgcc 43 | LINK_FLAGS64_SSL=$(RPC_LIB64) $(SSL_LIB64) $(CRYPTO_LIB64) -static-libgcc 44 | 45 | 46 | # Change to 64-bit mingw if you want 64-bit binaries 47 | MINGW32=i686-w64-mingw32 48 | MINGW64=x86_64-w64-mingw32 49 | CC32=$(MINGW32)-gcc 50 | CC64=$(MINGW64)-gcc 51 | 52 | TARGETS32=$(CLIENTLIB)_32.dll 53 | TARGETS64=$(CLIENTLIB)_64.dll 54 | TARGETS32_SSL=$(CLIENTLIB)_32_ssl.dll 55 | TARGETS64_SSL=$(CLIENTLIB)_64_ssl.dll 56 | TRASH=*.pdb *.lib *.exp *.idb *.manifest 57 | 58 | CLIENT_SRC = \ 59 | pkcs11_rpc_xdr.c \ 60 | pkcs11_rpc_clnt.c \ 61 | modwrap.c \ 62 | modwrap_crpc.c \ 63 | modwrap_crpc_ssl.c \ 64 | 65 | CLIENT_OBJ = $(patsubst %.c, %.o, $(CLIENT_SRC)) 66 | 67 | all: winrpc objs32 clientlib32 objs64 clientlib64 objs32ssl clientlib32ssl objs64ssl clientlib64ssl 68 | 69 | clean: 70 | rm -f $(TARGETS32) $(TARGETS64) $(TARGETS32_SSL) $(TARGETS64_SSL) $(CLIENT_OBJ) $(TRASH) 71 | 72 | # Copy the xdr files and generate the headers properly for 73 | # the Win32 target 74 | winrpc: 75 | #Copy file in order to get correct include path in file generated 76 | cp ../rpc-pkcs11/pkcs11_rpc.x ./ 77 | #Generate header for Win32 compatibility (i.e. without MT support) 78 | rpcgen -h -N pkcs11_rpc.x > pkcs11_rpc.h 79 | #Generate xdr helpers 80 | rpcgen -c -N pkcs11_rpc.x > pkcs11_rpc_xdr.c 81 | #Generate client stubs 82 | rpcgen -l -N pkcs11_rpc.x > pkcs11_rpc_clnt.c 83 | #Remove local copy of XDR file 84 | rm pkcs11_rpc.x 85 | #Patch generated xdr implementation (optional: remove unused buffer) 86 | spatch --no-show-diff --sp-file ./pkcs11_rpc_xdr.cocci ./pkcs11_rpc_xdr.c --in-place 87 | 88 | 89 | #Compile and link 32-bit 90 | objs32: 91 | $(CC32) $(LCFLAGS) -c $(CLIENT_SRC) 92 | 93 | clientlib32: $(CLIENT_OBJ) 94 | $(CC32) -shared -o $(TARGETS32) $(CLIENT_OBJ) $(LINK_FLAGS32) -lwsock32 95 | 96 | objs32ssl: 97 | $(CC32) $(LCFLAGS_SSL) -c $(CLIENT_SRC) 98 | 99 | clientlib32ssl: $(CLIENT_OBJ) 100 | $(CC32) -shared -o $(TARGETS32_SSL) $(CLIENT_OBJ) $(LINK_FLAGS32_SSL) -lwsock32 -lgdi32 -lws2_32 101 | 102 | #Compile and link 64-bit 103 | objs64: 104 | $(CC64) $(LCFLAGS) -c $(CLIENT_SRC) 105 | 106 | clientlib64: $(CLIENT_OBJ) 107 | $(CC64) -shared -o $(TARGETS64) $(CLIENT_OBJ) $(LINK_FLAGS64) -lwsock32 108 | 109 | objs64ssl: 110 | $(CC64) $(LCFLAGS_SSL) -c $(CLIENT_SRC) 111 | 112 | clientlib64ssl: $(CLIENT_OBJ) 113 | $(CC64) -shared -o $(TARGETS64_SSL) $(CLIENT_OBJ) $(LINK_FLAGS64_SSL) -lwsock32 -lgdi32 -lws2_32 114 | -------------------------------------------------------------------------------- /src/client-lib/Makefile.in: -------------------------------------------------------------------------------- 1 | CC = @CC@ 2 | CFLAGS_OPT = -O2 -Wall -fPIC -Wextra -pedantic -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wuninitialized -fstack-protector-all -fcommon 3 | CFLAGS_OPT += ${CPPFLAGS} @RPC_CPPFLAGS@ 4 | LD_FLAGS = -lpthread @c_ssl_package@ @RPC_LDFLAGS@ @LDFLAGS@ 5 | mem_prot_opt_caml=-ccopt -Wl,-z,relro,-z,now -ccopt -fstack-protector 6 | mem_prot_opt=-Wl,-z,relro,-z,now 7 | 8 | c_include_dirs = -I@srcdir@ -I$(bindings_dir) -I@OCAMLLIB@ 9 | include_dirs = -I $(build_bindings_dir) -I $(build_rpc_dir) 10 | caml_link_flags = -cclib -lcamlidl -cclib -L@OCAMLLIB@ 11 | bindings_dir = @top_srcdir@/src/bindings-pkcs11 12 | rpc_dir = @top_srcdir@/src/rpc-pkcs11 13 | build_bindings_dir = ../bindings-pkcs11 14 | build_rpc_dir = ../rpc-pkcs11 15 | libdir = @libdir@ 16 | prefix = ${DESTDIR}@prefix@ 17 | 18 | 19 | CLIENTLIBS = @lib_names@ 20 | 21 | ifeq ($(CUSTOM_SONAME),"") 22 | CUSTOM_SONAME=libp11client.so.0 23 | endif 24 | 25 | camlrpccompileclient = ocamlfind ocamlopt @ocaml_options@ -verbose -pp "camlp4o pa_macro.cmo @caml_client_ssl_define@ -D@socket_type@ -DSOCKET_PATH=\\\"@socket_path@\\\" @caml_client_ssl_files@ @caml_client_ssl_ca_file@ @caml_client_ssl_cert_file@ @caml_client_ssl_privkey_file@ @caml_client_ssl_server@" -package "str,rpc" @caml_client_ssl_package@ $(include_dirs) -o client -c @srcdir@/client.ml 26 | camlrpccompilestubs = cp @srcdir@/modwrap.c modwrap_$(1).c && $(CC) $(2) -D@socket_type@ -DCAMLRPC -DLIBNAME=$(1) @libname_file@ -c modwrap_$(1).c @srcdir@/modwrap_camlrpc.c $(bindings_dir)/pkcs11_stubs.c $(c_include_dirs) $(CFLAGS_OPT) && rm modwrap_$(1).c 27 | camlrpccompilelib = ocamlfind ocamlopt @ocaml_options@ -verbose $(2) $(mem_prot_opt_caml) -package "str,rpc" @caml_client_ssl_package@ -linkpkg -output-obj -o libp11client$(1).so pkcs11_stubs.o $(build_bindings_dir)/pkcs11_functions.o modwrap_$(1).o modwrap_camlrpc.o $(build_bindings_dir)/pkcs11.cmx $(build_rpc_dir)/pkcs11_rpclib.cmxa client.cmx $(caml_link_flags) 28 | 29 | crpccompilestubs = cp @srcdir@/modwrap.c modwrap_$(1).c && $(CC) $(2) @rpc_mt_define@ @c_ssl_define@ @c_gnutls_define@ -D@socket_type@ -DSOCKET_PATH=@socket_path@ -DLIBNAME=$(1) @libname_file@ @c_client_ssl_files@ @c_client_ssl_ca_file@ @c_client_ssl_cert_file@ @c_client_ssl_privkey_file@ @c_client_ssl_server@ -DCRPC -c @srcdir@/pkcs11_rpc_xdr.c @srcdir@/pkcs11_rpc_clnt.c modwrap_$(1).c @srcdir@/modwrap_crpc.c @srcdir@/modwrap_crpc_ssl.c $(c_include_dirs) $(CFLAGS_OPT) && rm modwrap_$(1).c 30 | crpccompilelib = $(CC) $(2) $(mem_prot_opt) -shared -Wl,-soname,$(CUSTOM_SONAME) -fPIC -o libp11client$(1).so pkcs11_rpc_xdr.o pkcs11_rpc_clnt.o modwrap_$(1).o modwrap_crpc.o modwrap_crpc_ssl.o $(LD_FLAGS) 31 | 32 | all : @c_rpc_gen@ @linux_c_rpc_patch@ @client_to_compile@ 33 | 34 | client: 35 | $(call camlrpccompileclient) 36 | 37 | crpc: 38 | $(foreach lib,$(CLIENTLIBS),$(call crpccompilestubs,$(lib));) 39 | $(foreach lib,$(CLIENTLIBS),$(call crpccompilelib,$(lib));) 40 | 41 | camlrpc: client 42 | @$(foreach lib,$(CLIENTLIBS),$(call camlrpccompilestubs,$(lib));) 43 | @$(foreach lib,$(CLIENTLIBS),$(call camlrpccompilelib,$(lib));) 44 | 45 | crpc_debug: 46 | @$(foreach lib,$(CLIENTLIBS),$(call crpccompilestubs,$(lib),-DDEBUG -g);) 47 | @$(foreach lib,$(CLIENTLIBS),$(call crpccompilelib,$(lib));) 48 | 49 | camlrpc_debug: client 50 | $(foreach lib,$(CLIENTLIBS),$(call camlrpccompilestubs,$(lib),-DDEBUG -g);) 51 | $(foreach lib,$(CLIENTLIBS),$(call camlrpccompilelib,$(lib),-ccopt -DDEBUG -ccopt -g);) 52 | 53 | rpc: 54 | cp $(rpc_dir)/pkcs11_rpc.x ./ 55 | #Generate header 56 | rpcgen -h -N -M pkcs11_rpc.x > @srcdir@/pkcs11_rpc.h 57 | #Generate xdr helpers 58 | rpcgen -c -N -M pkcs11_rpc.x > @srcdir@/pkcs11_rpc_xdr.c 59 | #Generate client stubs 60 | rpcgen -l -N -M pkcs11_rpc.x > @srcdir@/pkcs11_rpc_clnt.c 61 | @rm pkcs11_rpc.x 62 | 63 | linux_c_rpc_patch: 64 | #Patch generated pkcs_rpc_xrc.c to remove useless buf (Linux specific) 65 | spatch --no-show-diff --sp-file @srcdir@/pkcs11_rpc_xdr.cocci @srcdir@/pkcs11_rpc_xdr.c --in-place 66 | 67 | debug: @c_rpc_gen@ @linux_c_rpc_patch@ @client_to_compile_debug@ 68 | 69 | install_lib = echo "Installing libp11client$(1).so to $(DESTDIR)$(libdir)/libp11client$(1).so" && install -D libp11client$(1).so $(DESTDIR)$(libdir)/libp11client$(1).so 70 | uninstall_lib = echo "Uninstalling $(DESTDIR)$(libdir)/libp11client$(1).so" && rm $(DESTDIR)$(libdir)/libp11client$(1).so 71 | 72 | install: 73 | @$(foreach lib,$(CLIENTLIBS),$(call install_lib,$(lib));) 74 | 75 | uninstall: 76 | @$(foreach lib,$(CLIENTLIBS),$(call uninstall_lib,$(lib));) 77 | 78 | clean_rpc: 79 | # Remove rpc generated files 80 | @rm -f @c_rpc_clean@ 81 | 82 | clean: 83 | @rm -f *.cmi *.cmx *.o *.cmo *.cmxa *.cma *.so *.a *~ 84 | -------------------------------------------------------------------------------- /src/client-lib/pkcs11_rpc_xdr.cocci: -------------------------------------------------------------------------------- 1 | @remove_useless_buf@ 2 | identifier func; 3 | typedef int32_t; 4 | identifier buf; 5 | @@ 6 | func(...){ 7 | <... 8 | - register int32_t *buf; 9 | ...> 10 | } 11 | -------------------------------------------------------------------------------- /src/filter/Makefile.in: -------------------------------------------------------------------------------- 1 | backend_dir = backend 2 | filter_dir = filter 3 | frontend_dir = frontend 4 | 5 | all: 6 | @MAKEPROG@ -C $(backend_dir) 7 | @MAKEPROG@ -C $(filter_dir) 8 | @MAKEPROG@ -C $(frontend_dir) 9 | 10 | 11 | clean: 12 | @MAKEPROG@ clean -C $(backend_dir) 13 | @MAKEPROG@ clean -C $(filter_dir) 14 | @MAKEPROG@ clean -C $(frontend_dir) 15 | @rm -f @srcdir@/*.cmi @srcdir@/*.cmx @srcdir@/*.o @srcdir@/*.cmo @srcdir@/*~ @srcdir@/*.opt 16 | 17 | 18 | -------------------------------------------------------------------------------- /src/filter/backend/Makefile.in: -------------------------------------------------------------------------------- 1 | bindings_dir = ../../bindings-pkcs11/ 2 | 3 | all: 4 | ocamlopt @ocaml_options@ -I $(bindings_dir) -o backend -c @srcdir@/backend.ml 5 | clean: 6 | @rm -f @srcdir@/*.cmi @srcdir@/*.cmx @srcdir@/*.o @srcdir@/*.cmo @srcdir@/*~ @srcdir@/*.opt 7 | -------------------------------------------------------------------------------- /src/filter/filter/Makefile.in: -------------------------------------------------------------------------------- 1 | all: 2 | ocamlfind ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@ -I @srcdir@ " -package "str,config-file,netplex" -I ../../bindings-pkcs11 -I ../backend -o filter_common -c @srcdir@/filter_common.ml 3 | ocamlfind ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@ -I @srcdir@ " -package "str,config-file,netplex" -I ../../bindings-pkcs11 -I ../backend -o filter_actions -c @srcdir@/filter_actions.ml 4 | ocamlfind ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@ -I @srcdir@ " -package "str,config-file,netplex" -I ../../bindings-pkcs11 -I ../backend -o filter_configuration -c @srcdir@/filter_configuration.ml 5 | ocamlfind ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@ -I @srcdir@ " -package "str,config-file,netplex" -I ../../bindings-pkcs11 -I ../backend -o filter -c @srcdir@/filter.ml 6 | clean: 7 | @rm -f *.cmi *.cmx *.o *.cmo *~ *.opt 8 | -------------------------------------------------------------------------------- /src/filter/frontend/Makefile.in: -------------------------------------------------------------------------------- 1 | filter_dir = ../filter 2 | 3 | all: 4 | ocamlopt @ocaml_options@ -I $(filter_dir) -o frontend -c @srcdir@/frontend.ml 5 | clean: 6 | @rm -f @srcdir@/*.cmi @srcdir@/*.cmx @srcdir@/*.o @srcdir@/*.cmo @srcdir@/*~ @srcdir@/*.opt 7 | -------------------------------------------------------------------------------- /src/pkcs11proxyd/Makefile.in: -------------------------------------------------------------------------------- 1 | filter_filter_dir = ../filter/filter 2 | filter_backend_dir = ../filter/backend 3 | filter_frontend_dir = ../filter/frontend 4 | caml_link_dirs = -cclib -lpthread -cclib -lcamlidl -cclib -L$(bindings_dir) 5 | bindings_dir = ../bindings-pkcs11 6 | rpc-pkcs11_dir = ../rpc-pkcs11 7 | mem_prot_opt_caml=-ccopt -O2 -ccopt -fPIC -ccopt -fPIE -ccopt -Wl,-z,relro,-z,now -ccopt -fstack-protector -ccopt -DFORTIFY_SOURCE=2 8 | server_name = pkcs11proxyd 9 | prefix=${DESTDIR}@prefix@ 10 | sysconf=${DESTDIR}@sysconfdir@ 11 | 12 | all: 13 | #Compile Server 14 | ocamlfind ocamlopt @ocaml_options@ -pp "camlp4o pa_macro.cmo @ocaml_bytes_module_define@ -I @srcdir@ @caml_server_daemonize_define@ @caml_server_ssl_define@ @filter_define@" -package "netplex" @filter_include@ @caml_server_ssl_package@ -I $(bindings_dir) -I $(rpc-pkcs11_dir) -o server -c @srcdir@/server.ml 15 | ocamlfind ocamlopt @ocaml_options@ @filter_include@ -package "str,netplex,config-file" @caml_server_ssl_package@ -linkpkg $(bindings_dir)/pkcs11.cmxa @filter_files@ $(rpc-pkcs11_dir)/pkcs11_rpclib.cmxa server.cmx $(caml_link_dirs) $(mem_prot_opt_caml) -o $(server_name) 16 | 17 | install: 18 | echo "Installing $(server_name) to ${prefix}/bin/$(server_name)" 19 | install -D $(server_name) ${prefix}/bin/$(server_name) 20 | echo "Installing @srcdir@/$(server_name).conf to ${sysconf}/$(server_name)/$(server_name).conf" 21 | install -m 640 -D @srcdir@/$(server_name).conf ${sysconf}/$(server_name)/$(server_name).conf 22 | install -m 640 -D @srcdir@/filter.conf ${sysconf}/$(server_name)/filter.conf 23 | 24 | uninstall: 25 | echo "Removing $(server_name) from ${prefix}/bin/$(server_name)" 26 | rm ${prefix}/bin/$(server_name) 27 | echo "Removing $(server_name).conf from ${sysconf}/$(server_name)/$(server_name).conf" 28 | rm ${sysconf}/$(server_name)/$(server_name).conf 29 | rm ${sysconf}/$(server_name)/filter.conf 30 | 31 | clean: 32 | @rm -f @srcdir@/*.cmi @srcdir@/*.cmo @srcdir@/*.cma @srcdir@/*.cmx @srcdir@/*.o @srcdir@/*.a @srcdir@/*.cmxa @srcdir@/dll* @srcdir@/packlist-* @srcdir@/ocamldoc.dump @srcdir@/META @srcdir@/depend @srcdir@/$(server_name) @srcdir@/*.astamp @srcdir@/*.cstamp @srcdir@/*.s2stamp 33 | -------------------------------------------------------------------------------- /src/pkcs11proxyd/pkcs11proxyd.conf: -------------------------------------------------------------------------------- 1 | netplex { 2 | controller { 3 | max_level = "debug"; (* Log level *) 4 | 5 | (* configure "admin" socket directory, default "/tmp/.netplex" *) 6 | (* 7 | socket_directory = "/home/pkcs11proxyd/.netplex"; 8 | *) 9 | 10 | logging { 11 | (* type can either be "stderr", "syslog", "file", "multi_file" 12 | * see http://projects.camlcity.org/projects/dl/ocamlnet-3.6/doc/html-main/Netplex_admin.html 13 | *) 14 | type = "stderr"; (* Log to stderr *) 15 | }; 16 | }; 17 | service { 18 | name = "PKCS#11 Filtering Proxy"; 19 | (* These parameters can be used to change UID/GID of worker processes *) 20 | (* 21 | user = "pkcs11proxyd"; 22 | group = "pkcs11proxyd"; 23 | *) 24 | 25 | (* Do NOT change conn_limit, this would be a serious SECURITY ISSUE *) 26 | conn_limit = 1; 27 | 28 | protocol { 29 | (* This section creates the socket *) 30 | name = "rpc_pkcs11"; 31 | 32 | (* OCamlnet 4 support the following to set Unix socket permissions:*) 33 | (* 34 | local_chmod = "0o777"; 35 | *) 36 | 37 | (* This section creates the socket *) 38 | (* Socket can either be TCP or UNIX *) 39 | address { 40 | (* Default here is TCP localhost on port 4444 *) 41 | type = "internet"; 42 | bind = "127.0.0.1:4444"; 43 | 44 | (* For Unix 45 | WARNING: For OCamlnet < 4 it is not possible to set the socket permission, 46 | you will have to manually fix it to allow multi-user 47 | access (e.g. chmod 777 , or umask prior launching). 48 | *) 49 | (* 50 | type = "local"; 51 | path = "/var/run/pkcs11proxyd.socket"; 52 | *) 53 | }; 54 | }; 55 | processor { 56 | (* This section specifies how to process data of the socket *) 57 | type = "rpc_pkcs11"; 58 | 59 | (* libnames param is used when the proxy is compiled WITHOUT filtering support *) 60 | (* syntax is: libnames=":;<...>:<...>;"; *) 61 | (* 62 | libnames="softhsm:/usr/local/lib/softhsm/libsofthsm.so;opencryptoki:/usr/lib/libopencryptoki.so;"; 63 | *) 64 | 65 | (* filter_config is used to supply the filtering configuration when compiled in *) 66 | filter_config="/usr/local/etc/pkcs11proxyd/filter.conf"; 67 | 68 | (*************** TLS support begin ***********************) 69 | (* use_ssl = false to disable SSL support on server side *) 70 | (* use_ssl = true to enable SSL support on server side *) 71 | use_ssl = false; 72 | 73 | (* TLS support for Caml Crush compiled with OCamlnet 4.x *) 74 | (* Uncomment to enable TLS when using OCamlnet 4.x *) 75 | (* 76 | tls { 77 | (* Ciphersuites, GnuTLS syntax *) 78 | (* TLS 1.2, PFS-only suites, no DSS, no CAMELLIA *) 79 | algorithms = "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"; 80 | 81 | (* Force peer client authentication *) 82 | peer_auth = "required"; 83 | 84 | (* Uncomment to enable DHE parameters, used for PFS *) 85 | (* 86 | dh_params { 87 | (* Pre-computed DH parameters *) 88 | pkcs3_file = "/etc/pkcs11proxyd/dhparams.pem"; 89 | (* Run-time created DH parameters, warning: this takes a long time *) 90 | (*bits = 2048;*) 91 | }; 92 | *) 93 | x509 { 94 | key { 95 | crt_file = "server.pem"; 96 | key_file = "server.key"; 97 | }; 98 | trust { 99 | crt_file = "cacert.pem"; 100 | }; 101 | } 102 | }; 103 | *) 104 | 105 | (* LEGACY SSL support for Caml Crush <= 1.0.6 or OCamlnet 3.x *) 106 | (* OpenSSL cipher syntax, one or many suites can be configured, or alias such as HIGH *) 107 | cipher_suite="DHE-RSA-AES128-SHA"; 108 | (* Provide full certificate chain in cafile *) 109 | cafile = "/usr/local/etc/tests/certs/ca.crt"; 110 | certfile = "/usr/local/etc/tests/certs/server.crt"; 111 | certkey = "/usr/local/etc/tests/certs/server.key"; 112 | (* Optional, allows to use DHE cipher suites, generate custom DH paramerters *) 113 | dh_params = "/usr/local/etc/tests/certs/dhparams.pem"; 114 | (* Optional, allows to use ECDHE cipher suites *) 115 | ec_curve_name = "prime256v1"; 116 | (* Optional, allows to use a custom certificate verification depth *) 117 | verify_depth = 4; 118 | 119 | (***************TLS support end *************************) 120 | 121 | }; 122 | workload_manager { 123 | type = "dynamic"; 124 | max_jobs_per_thread = 1; (* Everything else is senseless *) 125 | min_free_jobs_capacity = 1; 126 | max_free_jobs_capacity = 1; 127 | max_threads = 100; 128 | }; 129 | } 130 | } 131 | -------------------------------------------------------------------------------- /src/rpc-pkcs11/Makefile.in: -------------------------------------------------------------------------------- 1 | filter_filter_dir = @top_srcdir@/src/filter/filter 2 | filter_backend_dir = @top_srcdir@/src/filter/backend 3 | filter_frontend_dir = @top_srcdir@/src/filter/frontend 4 | caml_link_dirs = -cclib -lcamlidl -cclib -L$(bindings_dir) 5 | bindings_dir = ../bindings-pkcs11 6 | mem_prot_opt_caml=-ccopt -fPIC -ccopt -fPIE -ccopt -Wl,-z,relro,-z,now -ccopt -fstack-protector 7 | 8 | all: @caml_rpc_gen@ 9 | #Compile RPC files 10 | ocamlfind ocamlopt @ocaml_options@ -package "rpc" -o pkcs11_rpc_aux -c @srcdir@/pkcs11_rpc_aux.mli 11 | ocamlfind ocamlopt @ocaml_options@ -package "rpc" -o pkcs11_rpc_aux -c @srcdir@/pkcs11_rpc_aux.ml 12 | ocamlfind ocamlopt @ocaml_options@ -package "rpc" -o pkcs11_rpc_clnt -c @srcdir@/pkcs11_rpc_clnt.mli 13 | ocamlfind ocamlopt @ocaml_options@ -package "rpc" -o pkcs11_rpc_clnt -c @srcdir@/pkcs11_rpc_clnt.ml 14 | ocamlfind ocamlopt @ocaml_options@ -package "rpc" -o pkcs11_rpc_srv -c @srcdir@/pkcs11_rpc_srv.mli 15 | ocamlfind ocamlopt @ocaml_options@ -package "rpc" -o pkcs11_rpc_srv -c @srcdir@/pkcs11_rpc_srv.ml 16 | #Build RPC helpers 17 | ocamlopt @ocaml_options@ -I $(bindings_dir) -o rpc_helpers -c @srcdir@/rpc_helpers.ml 18 | #Build a library from RPC files 19 | ocamlopt @ocaml_options@ -o pkcs11_rpclib.cmxa -a pkcs11_rpc_aux.cmx pkcs11_rpc_clnt.cmx pkcs11_rpc_srv.cmx rpc_helpers.cmx 20 | 21 | rpc: 22 | #Ocaml RPC Generation 23 | ocamlrpcgen -aux -int unboxed -hyper int64 @srcdir@/pkcs11_rpc.x 24 | ocamlrpcgen -clnt -int unboxed -hyper int64 @srcdir@/pkcs11_rpc.x 25 | ocamlrpcgen -srv2 -int unboxed -hyper int64 @srcdir@/pkcs11_rpc.x 26 | 27 | #test: 28 | # #Compile Test file 29 | # ocamlopt $(include_dirs) -c test_pkcs11.ml 30 | # ocamlfind ocamlopt -package "rpc" -linkpkg $(bindings_dir)/pkcs11.cmxa pkcs11_rpclib.cmxa client.cmx test_pkcs11.cmx $(caml_link_dirs) -o test_pkcs11_rpc 31 | 32 | clean_rpc: 33 | # Rmove old RPC generated files 34 | @rm -f @caml_rpc_clean@ 35 | 36 | clean: 37 | @rm -f @srcdir@/*.cmi @srcdir@/*.cmo @srcdir@/*.cma @srcdir@/*.cmx @srcdir@/*.o @srcdir@/*.a @srcdir@/*.cmxa @srcdir@/dll* @srcdir@/packlist-* @srcdir@/ocamldoc.dump @srcdir@/META @srcdir@/*.astamp @srcdir@/*.cstamp @srcdir@/*.s2stamp @srcdir@/test_pkcs11_rpc 38 | -------------------------------------------------------------------------------- /src/tests/Makefile.in: -------------------------------------------------------------------------------- 1 | ocaml_tests = ./ocaml 2 | #c_tests = ./c-based 3 | 4 | all: 5 | @MAKEPROG@ -C $(ocaml_tests) 6 | #@MAKEPROG@ -C $(c_tests) 7 | 8 | clean: 9 | @MAKEPROG@ clean -C $(ocaml_tests) 10 | #@MAKEPROG@ clean -C $(c_tests) 11 | -------------------------------------------------------------------------------- /src/tests/c-based/Makefile.in: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | #CFLAGS_OPT = -Wall -Wextra -pedantic -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wuninitialized 3 | CFLAGS_OPT = -g -Wall 4 | 5 | c_include_dirs = -I$(bindings_dir) 6 | bindings_dir = ../../bindings-pkcs11 7 | rpc_dir = ../rpc-pkcs11 8 | 9 | 10 | all : mainshared 11 | 12 | mainshared: 13 | $(CC) -g -o main-shared.opt main-shared.c -ldl $(c_include_dirs) 14 | 15 | clean: 16 | @rm -f *.o *~ *.opt 17 | -------------------------------------------------------------------------------- /src/tests/integration/Dockerfile.debian-integration: -------------------------------------------------------------------------------- 1 | # Override with --build-arg dist=ubuntu --build-arg flavor=bionic 2 | ARG dist=debian 3 | ARG flavor=sid 4 | 5 | FROM ${dist}:${flavor} as builder 6 | 7 | 8 | RUN apt-get update && apt-get install -y --no-install-recommends autoconf make gcc \ 9 | automake autotools-dev \ 10 | ocaml-nox camlidl coccinelle \ 11 | libocamlnet-ocaml-dev libocamlnet-ocaml-bin \ 12 | libocamlnet-ssl-ocaml libocamlnet-ssl-ocaml-dev \ 13 | libssl-dev gnutls-dev \ 14 | libconfig-file-ocaml-dev camlp4 \ 15 | opensc libtool pkg-config unzip g++ wget 16 | 17 | WORKDIR /softhsm 18 | RUN wget --no-check-certificate https://github.com/opendnssec/SoftHSMv2/archive/refs/tags/2.6.1.zip && unzip 2.6.1.zip 19 | 20 | WORKDIR /softhsm/SoftHSMv2-2.6.1 21 | RUN ./autogen.sh && ./configure && make && make install 22 | 23 | FROM builder 24 | COPY . /build 25 | 26 | WORKDIR /build 27 | 28 | RUN ./autogen.sh 29 | RUN ./configure --with-idlgen --with-rpcgen --with-libnames=foo 30 | RUN make 31 | RUN make install 32 | 33 | RUN softhsm2-util --init-token --slot 0 --label caml-crush-int-tests --pin 1234 --so-pin 123456 34 | 35 | ENTRYPOINT [ "/build/src/tests/integration/run-tests.sh" ] -------------------------------------------------------------------------------- /src/tests/integration/Dockerfile.debian-integration-tls: -------------------------------------------------------------------------------- 1 | # Override with --build-arg dist=ubuntu --build-arg flavor=bionic 2 | ARG dist=debian 3 | ARG flavor=sid 4 | 5 | FROM ${dist}:${flavor} as builder 6 | 7 | 8 | RUN apt-get update && apt-get install -y --no-install-recommends autoconf make gcc \ 9 | automake autotools-dev \ 10 | ocaml-nox camlidl coccinelle \ 11 | libocamlnet-ocaml-dev libocamlnet-ocaml-bin \ 12 | libocamlnet-ssl-ocaml libocamlnet-ssl-ocaml-dev \ 13 | libssl-dev gnutls-dev \ 14 | libconfig-file-ocaml-dev camlp4 \ 15 | opensc libtool pkg-config unzip g++ wget 16 | 17 | WORKDIR /softhsm 18 | RUN wget --no-check-certificate https://github.com/opendnssec/SoftHSMv2/archive/refs/tags/2.6.1.zip && unzip 2.6.1.zip 19 | 20 | WORKDIR /softhsm/SoftHSMv2-2.6.1 21 | RUN ./autogen.sh && ./configure && make && make install 22 | 23 | FROM builder 24 | COPY . /build 25 | 26 | WORKDIR /build 27 | 28 | RUN ./autogen.sh 29 | RUN ./configure --with-idlgen --with-rpcgen --with-ssl --with-ssl-clientfiles='env' --with-libnames=foo 30 | RUN make 31 | RUN make install 32 | 33 | RUN softhsm2-util --init-token --slot 0 --label caml-crush-int-tests --pin 1234 --so-pin 123456 34 | 35 | ENTRYPOINT [ "/build/src/tests/integration/run-tests.sh" ] -------------------------------------------------------------------------------- /src/tests/integration/Dockerfile.debian-integration-unix: -------------------------------------------------------------------------------- 1 | # Override with --build-arg dist=ubuntu --build-arg flavor=bionic 2 | ARG dist=debian 3 | ARG flavor=sid 4 | 5 | FROM ${dist}:${flavor} as builder 6 | 7 | 8 | RUN apt-get update && apt-get install -y --no-install-recommends autoconf make gcc \ 9 | automake autotools-dev \ 10 | ocaml-nox camlidl coccinelle \ 11 | libocamlnet-ocaml-dev libocamlnet-ocaml-bin \ 12 | libocamlnet-ssl-ocaml libocamlnet-ssl-ocaml-dev \ 13 | libssl-dev gnutls-dev \ 14 | libconfig-file-ocaml-dev camlp4 \ 15 | opensc libtool pkg-config unzip g++ wget 16 | 17 | WORKDIR /softhsm 18 | RUN wget --no-check-certificate https://github.com/opendnssec/SoftHSMv2/archive/refs/tags/2.6.1.zip && unzip 2.6.1.zip 19 | 20 | WORKDIR /softhsm/SoftHSMv2-2.6.1 21 | RUN ./autogen.sh && ./configure && make && make install 22 | 23 | FROM builder 24 | COPY . /build 25 | 26 | WORKDIR /build 27 | 28 | RUN ./autogen.sh 29 | RUN ./configure --with-idlgen --with-rpcgen --with-libnames=foo --with-client-socket=unix,/var/run/pkcs11proxyd.socket 30 | RUN make 31 | RUN make install 32 | 33 | RUN softhsm2-util --init-token --slot 0 --label caml-crush-int-tests --pin 1234 --so-pin 123456 34 | 35 | ENTRYPOINT [ "/build/src/tests/integration/run-tests.sh" ] -------------------------------------------------------------------------------- /src/tests/integration/Dockerfile.debian-integration-unix-tls: -------------------------------------------------------------------------------- 1 | # Override with --build-arg dist=ubuntu --build-arg flavor=bionic 2 | ARG dist=debian 3 | ARG flavor=sid 4 | 5 | FROM ${dist}:${flavor} as builder 6 | 7 | 8 | RUN apt-get update && apt-get install -y --no-install-recommends autoconf make gcc \ 9 | automake autotools-dev \ 10 | ocaml-nox camlidl coccinelle \ 11 | libocamlnet-ocaml-dev libocamlnet-ocaml-bin \ 12 | libocamlnet-ssl-ocaml libocamlnet-ssl-ocaml-dev \ 13 | libssl-dev gnutls-dev \ 14 | libconfig-file-ocaml-dev camlp4 \ 15 | opensc libtool pkg-config unzip g++ wget 16 | 17 | WORKDIR /softhsm 18 | RUN wget --no-check-certificate https://github.com/opendnssec/SoftHSMv2/archive/refs/tags/2.6.1.zip && unzip 2.6.1.zip 19 | 20 | WORKDIR /softhsm/SoftHSMv2-2.6.1 21 | RUN ./autogen.sh && ./configure && make && make install 22 | 23 | FROM builder 24 | COPY . /build 25 | 26 | WORKDIR /build 27 | 28 | RUN ./autogen.sh 29 | RUN ./configure --with-idlgen --with-rpcgen --with-ssl --with-ssl-clientfiles='env' --with-libnames=foo --with-client-socket=unix,/var/run/pkcs11proxyd.socket 30 | RUN make 31 | RUN make install 32 | 33 | RUN softhsm2-util --init-token --slot 0 --label caml-crush-int-tests --pin 1234 --so-pin 123456 34 | 35 | ENTRYPOINT [ "/build/src/tests/integration/run-tests.sh" ] -------------------------------------------------------------------------------- /src/tests/integration/certs/ca-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "signing": { 3 | "default": { 4 | "expiry": "168h" 5 | }, 6 | "profiles": { 7 | "server": { 8 | "expiry": "8760h", 9 | "usages": [ 10 | "signing", 11 | "key encipherment", 12 | "server auth" 13 | ] 14 | }, 15 | "client": { 16 | "expiry": "8760h", 17 | "usages": [ 18 | "signing", 19 | "key encipherment", 20 | "client auth" 21 | ] 22 | } 23 | } 24 | } 25 | } 26 | 27 | -------------------------------------------------------------------------------- /src/tests/integration/certs/ca-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpQIBAAKCAQEA1oxLTdpPOGLneo52GEDuTe0fz2sKNrXYaMQ3HfqgjKuZ4QK+ 3 | LbT+muULrm8MeYlhcXiUQBTMkk9GoLCkomtwMk/6j3EydZeCntOBVStab/zfZALE 4 | 8ekmMcT5m0LvYdO64fZXVpptF//0aLsGTAYyoPrlvS/+WcfMLUcdzrbypnLCIt3M 5 | UM5gFVrmK/KV/2G0tdX/yc3dSJBH3M9aOZ3gRLnRK+vCVpwESNIVUKUren4nKYra 6 | Q57W8LT0Ns/x28ilHh1JdV6iLspxgKbMosmNNTwtzY3Cac8A+/qrul+tnnXkrLNf 7 | KwdUx3R1Vgge4woAIS1fUYFGausvthHxgg8XZQIDAQABAoIBAQCPtWVzfnl18XnP 8 | s8ESudtlwyF9k9tBjkio1FV+9TO5RfBKscWlZAjuw+ExNB0NA6KLmRLkYYotroBG 9 | fkuop4J9kOjqUA5Wiefqbw3AeMuZG66elORKjbsRtzjicNFbm7EgThtuXP4aB041 10 | IKE1JymefrCIKq+af6QZ5/rlTdH2/sknG3zaIpn24vp92OWZgWpX0bmOCa3/kjAJ 11 | H/4J3fZpYdi/GQZqPoBkAXiaXKs0+lfXrVSq+m8rvd1rKz17ar5bNAkgK0oymrxS 12 | 6gHlZR8L7jcu2ZcbPKtJeSLXw/W5HfcIijLO85VpVFtpY3D0K66zeZsicnx5imPo 13 | j1yo+O55AoGBAOETkT8PlxhgeYxj6miaA/QdgRs28PvgHUeOf72bMVOQLIDFdeKV 14 | 8rxvID4Zh74Vy7B6VIoJNSHPwJ9d+gwo6/qtG4VLASTvebKUIM7VHsvKrakTmNz1 15 | 0Xh33tj0L1gewOqJXQQ31A3CcXBe+QGnNb/Qhb7PIqH+rtURuqgfRijDAoGBAPQG 16 | a2DdtPzXmMLmF5OEsyoPWzHbVP1whOshEYhKVLVARy5oVu8SJel9kPg8QEezBP0y 17 | xLuxZYIBy6GNGeoXigUu2YyHpYspkcOLb3D7o2G2Pq0NXmdX8+5lINM5Sky4wSQi 18 | j3OQkoHJP/fPa/zksyU50+XQGMjn39rXLKBhmPy3AoGACrDsQEuUSMMkYufIFanj 19 | MDBKlqlYbw5pNaHuLWp2wFpj0sYOYHHw8sRwiqKZ0Qyl/T8CTwA69t0wcCF9pCA5 20 | fVHFseIrLr71T+c7W7fB27pH33Uf2LcQeSFwg2ut6Ail7z4RHgcs2m53Bvhr6Ykw 21 | w2i7QaIDKiC320UZUa0SnxMCgYEA7iv5z/B0frd6/PcQmcXSDMIyMwYs/LQ+tzNu 22 | ZkSOSt2y2+OwveRLpooM3YwI/TIIM4zCoaLyPSK9ei861NUmvApPAS8/7wSipWXJ 23 | Xk/s1ijHIaZDtsAMcGi50g8/qoRE1pz4wEWiCRTA34DOmGUrSLEZVVt3ZVeTkIel 24 | od/ALx8CgYEAyCErlcx/CnxuW1j18W63aFhtNItJtPVMiT4IApJFTUhkSSeucYG6 25 | yU+zyX+Z7LDIRj0GsIPcJ2/WOCm4M7KmVfvVHkpo9tXfC9zf+4N9BTntEUBxxuTz 26 | oxgW32dNf2VzKp98bR8D8ob9aKMWyWZQlB5y7DPKe68kJjwPU4nguG8= 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /src/tests/integration/certs/ca.csr: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE REQUEST----- 2 | MIICmTCCAYECAQAwVDELMAkGA1UEBhMCR0IxDzANBgNVBAgTBkxvbmRvbjEXMBUG 3 | A1UEChMOQ2FtbCBDcnVzaCBPcmcxGzAZBgNVBAMTEkNhbWwgQ3J1c2ggVGVzdCBD 4 | QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANaMS03aTzhi53qOdhhA 5 | 7k3tH89rCja12GjENx36oIyrmeECvi20/prlC65vDHmJYXF4lEAUzJJPRqCwpKJr 6 | cDJP+o9xMnWXgp7TgVUrWm/832QCxPHpJjHE+ZtC72HTuuH2V1aabRf/9Gi7BkwG 7 | MqD65b0v/lnHzC1HHc628qZywiLdzFDOYBVa5ivylf9htLXV/8nN3UiQR9zPWjmd 8 | 4ES50SvrwlacBEjSFVClK3p+JymK2kOe1vC09DbP8dvIpR4dSXVeoi7KcYCmzKLJ 9 | jTU8Lc2NwmnPAPv6q7pfrZ515KyzXysHVMd0dVYIHuMKACEtX1GBRmrrL7YR8YIP 10 | F2UCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCm7Va0OXlAs3bBqeuOdk2QPPRW 11 | Wk7EyGSgYizRDUK3fcnPqITeEUYoRJvbKpzTYFZxeXoqSbyVXNklY05uQgVQkgKK 12 | wERJpNTXRaCwifJoV3REElBU9Oj6Pmaj/dJB3fcWKT2sWb9UiBFdbu/Jyeiy8WzX 13 | BY4GUr3TzUekboyc0YDFUtArBHQnbthypov2M1K9k8+4eDOqqyFT21Ui7DJeUlVu 14 | IDNFjAHcnHIi/zkbdnHYcDV3nPZ+8QK1eVZ/C60tAf4JQZuATvIrbceVG7gK5h82 15 | l+RWOO162M1mwj4KvOLSkDpi7Xfvli85wqVkRnWPaBZyQsYzL3QtWMbzWZFI 16 | -----END CERTIFICATE REQUEST----- 17 | -------------------------------------------------------------------------------- /src/tests/integration/certs/ca.json: -------------------------------------------------------------------------------- 1 | { 2 | "CN": "Caml Crush Test CA", 3 | "key": { 4 | "algo": "rsa", 5 | "size": 2048 6 | }, 7 | "names": [ 8 | { 9 | "C": "GB", 10 | "O": "Caml Crush Org", 11 | "ST": "London" 12 | } 13 | ] 14 | } -------------------------------------------------------------------------------- /src/tests/integration/certs/ca.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDeDCCAmCgAwIBAgIUYltQ6kD1bMXQ7wR0Zmqm8TLQtEkwDQYJKoZIhvcNAQEL 3 | BQAwVDELMAkGA1UEBhMCR0IxDzANBgNVBAgTBkxvbmRvbjEXMBUGA1UEChMOQ2Ft 4 | bCBDcnVzaCBPcmcxGzAZBgNVBAMTEkNhbWwgQ3J1c2ggVGVzdCBDQTAeFw0yMTA4 5 | MjYxMDQ4MDBaFw0yNjA4MjUxMDQ4MDBaMFQxCzAJBgNVBAYTAkdCMQ8wDQYDVQQI 6 | EwZMb25kb24xFzAVBgNVBAoTDkNhbWwgQ3J1c2ggT3JnMRswGQYDVQQDExJDYW1s 7 | IENydXNoIFRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDW 8 | jEtN2k84Yud6jnYYQO5N7R/Pawo2tdhoxDcd+qCMq5nhAr4ttP6a5Quubwx5iWFx 9 | eJRAFMyST0agsKSia3AyT/qPcTJ1l4Ke04FVK1pv/N9kAsTx6SYxxPmbQu9h07rh 10 | 9ldWmm0X//RouwZMBjKg+uW9L/5Zx8wtRx3OtvKmcsIi3cxQzmAVWuYr8pX/YbS1 11 | 1f/Jzd1IkEfcz1o5neBEudEr68JWnARI0hVQpSt6ficpitpDntbwtPQ2z/HbyKUe 12 | HUl1XqIuynGApsyiyY01PC3NjcJpzwD7+qu6X62edeSss18rB1THdHVWCB7jCgAh 13 | LV9RgUZq6y+2EfGCDxdlAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB 14 | Af8EBTADAQH/MB0GA1UdDgQWBBQK8Z4LQF692R6SsqqOnMUhR5JMwDANBgkqhkiG 15 | 9w0BAQsFAAOCAQEAedy4hBpBXq/Ka/ax4Iacb2aOamjBb00HV/CbkgAf8v7whh9C 16 | ABLrGXqI0xmXlKInAO6INlqik3hwH1qhcVwB+gN1IXFIqiOKa5uSCEeqqPuthCod 17 | yBOSPmRUxzAVG3djaeBTABOaUqUjzxH7qg2YlYmidY3KHsWMI6oLaArnpAlBcBrZ 18 | ZZaQwP+G/ymR4tYFzsgvuJdXE+FDM10e3NF7qxknTRIzTPzXlXzHsIQ92aAdnsBc 19 | liT9oo+HKQxZrFOP6i1L0ChX/brqfr3VtrAi94oMxf5T1uq6LmRrho9op3yEY20y 20 | CBg3C9Tdu5AxSbAPbS0ACLc00GytpDcSgp/P1A== 21 | -----END CERTIFICATE----- 22 | -------------------------------------------------------------------------------- /src/tests/integration/certs/client-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEA1d8oGGMOX7YkK5pXXgWQ8BYKoipsue+3339jFQ81u986lefK 3 | K07sd5cnWzNraCN1bnbwSeMjXLeCcKzuiuzPsGJ9elrV5WNlzq7T5HGN9BIZfbke 4 | 9Q+EfUQer5pdqt39e+W2pJpFicpbbZXAsELHHOmU3B4NLMRUu9RTgxl7lwskfRS/ 5 | /xsjSkqjMmDaN9i/Xba/9aWrLmr1ThCQ+2DfnnjK4y8ZpaVF4mnZs9iIoBCM9Ww+ 6 | yGXADwOQapCPWoCSgTf1HIxH+KWY7EFhT7o0QFxwDq/xEF3TMwxuPctS+6u8ZIdT 7 | sh33eFJVU0n0FQ0xoodNENnD+HkvKDVWUVkA4QIDAQABAoIBAQCLne2P1gKJKt97 8 | 83q7b0jJ4qm4aZem3j4b0g49rjs21ShqufE5yoEGJQ/VMsEYL6W2okCFC5mHKmkl 9 | 406qNKP0kqc1W90srXHFtk2vYQ35WmN3toTmF+Y23GRn4I7rP5X97t0HoYppxEdh 10 | R5SNvFo9nqLF+3xAUD68i4SlHdqXo8XW2CA+7ArsKAJ7Cb34OgFIhFmtrjK628ub 11 | sw6l/d1r3U/bskfYSZDW+RNzXGHDEXwtg5SpNGrNrYnAcMMeaiIVm468boT/tCvp 12 | /xu2EF21NwFT6NYfCHIhpz1Wz5w561sfnUE8iUoNtgrlWgP2XGMRwe4hj0DAgsuv 13 | UXrhgk1BAoGBAOJXiUfnIRHwsALQS93HIrw/Tfevfc76Gr2DnLatLJ1MV3d1lKoq 14 | BMuF1nft+uCUMopoxR+WFMmwjGYq/1BflJwwjJ3n51zpPj8QBgrhiHVIlvjKhg75 15 | XmjbyaGZ4MK8Edl9m6gEA+3U7mPxR2JoHnPg9MF/PSHUYqv99ET6ZW3pAoGBAPHl 16 | UO4gpsUTJYKPZqzhop864cJhQzWKWYB3OLOyzgT0KfremrUeHgt7ECa0kWldU+AH 17 | kK0PHSAro1WCruv3qkOpalyb5avLF8tSaNC8Zo8wzbbRylwDoZD4j5gSxTN8drO3 18 | Acf/AoxT8cbLa047LLYxIFRLaLFvyk2QAXjQykg5AoGBALduKZtT/MEFRh+Bn3pE 19 | gCn/Q7iPSG4M0s7zcnW5Mobn75qod6rQEsK93GmlO8P1VmBFODu47W/m3GGQRwlj 20 | 7JQH5G20GxR5EjEZU0xOKsCh63gE6VAJWDGyrV2Bz10B/ZU87oDjgCumfOwSBcAC 21 | kWtny/Nkoq5f6PdqACRGqRzBAoGAen0maA68pBq36c73rR9sm7jTTPy3bcsq2zSD 22 | z+sBC90fzNsf+ArSJ/ofCZpx76rEqDLsfdWjaADw6oIMVYzJ+Q02wMJooH9tAxYt 23 | 4VUlkeiioqrFD6b/D0vuWpFWrmWeLg7DpiRpg+mWCpZDNhAc6f0iY8zzrLXw+Sms 24 | tSL063ECgYAQTbI+Zxo08B9gHpOga85iyFBH4S/nhR+5h9DSS3S31QwryMnW46qq 25 | a0581muYJaRxxOqDHlrY0KepLJIFbFGHk1m56ejBJvsR588h6coywqT74TfH0eaP 26 | tdefcYqdXRTLzZk5IzGFAgfP8Nsi7G45TVHmq+rAtkngUU4ZejsncQ== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /src/tests/integration/certs/client.csr: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE REQUEST----- 2 | MIICfzCCAWcCAQAwOjELMAkGA1UEBhMCR0IxDzANBgNVBAcTBkxvbmRvbjEaMBgG 3 | A1UEAxMRY2FtbC1jcnVzaC1jbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw 4 | ggEKAoIBAQDV3ygYYw5ftiQrmldeBZDwFgqiKmy577fff2MVDzW73zqV58orTux3 5 | lydbM2toI3VudvBJ4yNct4JwrO6K7M+wYn16WtXlY2XOrtPkcY30Ehl9uR71D4R9 6 | RB6vml2q3f175bakmkWJylttlcCwQscc6ZTcHg0sxFS71FODGXuXCyR9FL//GyNK 7 | SqMyYNo32L9dtr/1pasuavVOEJD7YN+eeMrjLxmlpUXiadmz2IigEIz1bD7IZcAP 8 | A5BqkI9agJKBN/UcjEf4pZjsQWFPujRAXHAOr/EQXdMzDG49y1L7q7xkh1OyHfd4 9 | UlVTSfQVDTGih00Q2cP4eS8oNVZRWQDhAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC 10 | AQEAM4IT+ayzj+npnkKNg5WUk2l0usLutPIMvtn3OelaB0oExS8dfWTfE/bJJKWr 11 | lqFTY/pl3qm/OTBOufYVuL6lkWZ+xVMGxVt7cyX/hy1c2dptirsnKQjSEcjUEP93 12 | tKngeIVawhX8D1FdPQlOtEFqcsZbPl4sCedF44VLolKJpdwZjSD7NYN8p6Q2uRVB 13 | k4IxR3iGKoLUQCB9v2kkBmGFScft8WprenKgYJdQ4P5R3PLRnxNz8s6Jq0W6vlnn 14 | 5eanrfiJQX9FliSUbBKUC/Sd8hmQGJrUOoi/zt74L6VBGyp05LupJ8BfLhfcJ4MB 15 | 5SpmoaJ+bB8sd27z7nIfoCIWoQ== 16 | -----END CERTIFICATE REQUEST----- 17 | -------------------------------------------------------------------------------- /src/tests/integration/certs/client.json: -------------------------------------------------------------------------------- 1 | { 2 | "CN": "caml-crush-client", 3 | "key": { 4 | "algo": "rsa", 5 | "size": 2048 6 | }, 7 | "names": [ 8 | { 9 | "C": "GB", 10 | "L": "London" 11 | } 12 | ] 13 | } 14 | 15 | -------------------------------------------------------------------------------- /src/tests/integration/certs/client.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDkTCCAnmgAwIBAgIUMhl+AVO4/je3OZs1IV8UsSgJnjswDQYJKoZIhvcNAQEL 3 | BQAwVDELMAkGA1UEBhMCR0IxDzANBgNVBAgTBkxvbmRvbjEXMBUGA1UEChMOQ2Ft 4 | bCBDcnVzaCBPcmcxGzAZBgNVBAMTEkNhbWwgQ3J1c2ggVGVzdCBDQTAeFw0yMTA4 5 | MjYxMDQ4MDBaFw0yMjA4MjYxMDQ4MDBaMDoxCzAJBgNVBAYTAkdCMQ8wDQYDVQQH 6 | EwZMb25kb24xGjAYBgNVBAMTEWNhbWwtY3J1c2gtY2xpZW50MIIBIjANBgkqhkiG 7 | 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1d8oGGMOX7YkK5pXXgWQ8BYKoipsue+3339j 8 | FQ81u986lefKK07sd5cnWzNraCN1bnbwSeMjXLeCcKzuiuzPsGJ9elrV5WNlzq7T 9 | 5HGN9BIZfbke9Q+EfUQer5pdqt39e+W2pJpFicpbbZXAsELHHOmU3B4NLMRUu9RT 10 | gxl7lwskfRS//xsjSkqjMmDaN9i/Xba/9aWrLmr1ThCQ+2DfnnjK4y8ZpaVF4mnZ 11 | s9iIoBCM9Ww+yGXADwOQapCPWoCSgTf1HIxH+KWY7EFhT7o0QFxwDq/xEF3TMwxu 12 | PctS+6u8ZIdTsh33eFJVU0n0FQ0xoodNENnD+HkvKDVWUVkA4QIDAQABo3UwczAO 13 | BgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw 14 | ADAdBgNVHQ4EFgQU5167zMemHtIkweQ4wKLtrIz4CYMwHwYDVR0jBBgwFoAUCvGe 15 | C0BevdkekrKqjpzFIUeSTMAwDQYJKoZIhvcNAQELBQADggEBAH2W/GhNtIlSZTw+ 16 | pS1t6c1TK2T8mBoeIxF3TyKmwznCO+ERjBiqF3UxVJyG87fea4betCVAHmm3RvZX 17 | cvr8adfLnUVGxSeDmcxStlMOSjbvbzu17yK6Bc8zB43i21fEwD7FCJ8yIfRaGSG4 18 | s18CUSKwR9HTcc7NtW1LzJUds3Ahn5chtNHmdIHjRacKkWw72sJIVuice9O/mBXo 19 | AG+5bra/igSfYrVPcUCgzn4RpSMO8snOxRXTg1oAqPNgZbDcOJyOt4tdMPZqZwSa 20 | 4dp4YA5RSPJQMNMq9A4pWCTLavCbKDxtd9GMZopxeJReM29kntdKWlli7HC0r9Ze 21 | iM3e61s= 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /src/tests/integration/certs/server-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEowIBAAKCAQEAxIyJ3squHS+FlQesJ58peuxtcE+/9YKDa/QSdoQLUdQSuvqI 3 | t0lAiZ1CHW0SHogyuBSx3VsRtcfDUfe/bOQVlfrOLNx3U1XS7rwvksPR0MVAuen4 4 | WHmK2onMRcrvi7rblU53+DhwXkB9DQOWTAywS/4R6j0/Bt4PYUI65h0aSVxbK9g4 5 | cgxMo7wwHbsNyBCRSEWpm9fnwzZG6kJOJzBHV+zwQmWn1yzxfaHuYVvx9QU4LYpC 6 | khicEkWuk/tPelinc8S4a9+Os9TA0UoqGR7UIZ+VQqBRZt1g8fig6zRJwRYwcwce 7 | hQqNdK4NPrxZ6/GIshvICb1fQtlDKA+mn7H0fQIDAQABAoIBAC7HfDDocFRF8Tct 8 | Ik4z1X2KM+ndMUTPkVPqPVKzzrXlEagq5Msqxg96vDegtAVMSTYCxup2OFrZdqVV 9 | n9vc1T5i+Rs4RbYx4QgtBe2aaZ+UsvkMtKzqEKA+171stWK+UHDSwj7zv9rO4nRs 10 | fCMRigwsJjtn5E5QH7z4NGh8WLtIsybeGt2gpjvpaRuU6X9wjBQz5Lhl4J6DdQUQ 11 | DO+iHUrmjOmkwo7icTbaup2WlItSmQ/r0gDgZEQpcfsqFKnDScA0FIY5JKDSalfk 12 | Siq2WEUSsAvbmKc/Za63/mf9VZUEOvH1985cetGmGP6RqNOKNgQxPiAIivpUvPVh 13 | ujJKywECgYEA5IrysHB3/W+KXo6euh37Vf+3+GmJWI762qa51qFSF14abICDgvhO 14 | 16skuzF9owZonjw4d0QMFM5vprdu1W2cIW+VPxWA6c/muPFCwUeGZPGP7DE8lqaQ 15 | SA85yOe0YdmoNnm+Omv5Eff8ZFzmCh9IMJxDztuPml3PN3DGeu1aTWECgYEA3CmX 16 | SBFop5/dktj3SGZU/C6W7wAseHuf6DOQDKacGJaHtc/W2VjDHgkLcCuMeWBD1kQW 17 | xsvkdqWG9B+1BKNnFrdQDpYe6tck1DQ2xkl+6dSYhWlMzzhOuSJVEGgk/QmSBMUc 18 | e6TuAyZIxi8HuQx0qu2lQQNEEsX94SPspQyggJ0CgYBngEXIgibVL96KVCyuPUXF 19 | /LlkVudMo/QXccpX2VdEHen5mXn1pl6ObYOFAzTSz+QxRTSNTtPp2FPYPNqE7c73 20 | lYERwLtRKEZlG14QCkRjEsMLRIEb+PL+r2aMBeM7LUdw5FGyQ5PY/2XeTfQgQWqA 21 | GUTcObMfRbzCbuB0a2mqAQKBgQCBeEPqsbIlwTGABe+FuAgKNSu1aRi90ZV767au 22 | edwZ6YvtM0hZkIVNyGvdjv6Q8jdybaAnUAgObdErBupgy+b3yN1fdpC/8b1KvVno 23 | yZfE0qzO59mvkqFY5gO4HkaCN3qTK4dQfvEpEP6C7W1ROS3yxsYDsXP6xkxCdenY 24 | NdC9UQKBgHRl3kVRaGUFQpSeLkCaTRIoATbDzd49rcRcuTg1fzIlWNcUsHPJZzd8 25 | XBzE9+iv8nWkXZjgxu8/Ewh4hJF8p5sUyt7zjox1N61G6wwKyOR9PxB6Pb1kxtKJ 26 | cuWrPOYqOd+89SSFrHGQJSHJehyyw1BJV7+n/S1ZJHkL8mtDYmaj 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /src/tests/integration/certs/server.csr: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE REQUEST----- 2 | MIICqDCCAZACAQAwNzELMAkGA1UEBhMCR0IxDzANBgNVBAcTBkxvbmRvbjEXMBUG 3 | A1UEAxMOcGtjMTFwcm94eWR0bHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK 4 | AoIBAQDEjIneyq4dL4WVB6wnnyl67G1wT7/1goNr9BJ2hAtR1BK6+oi3SUCJnUId 5 | bRIeiDK4FLHdWxG1x8NR979s5BWV+s4s3HdTVdLuvC+Sw9HQxUC56fhYeYraicxF 6 | yu+LutuVTnf4OHBeQH0NA5ZMDLBL/hHqPT8G3g9hQjrmHRpJXFsr2DhyDEyjvDAd 7 | uw3IEJFIRamb1+fDNkbqQk4nMEdX7PBCZafXLPF9oe5hW/H1BTgtikKSGJwSRa6T 8 | +096WKdzxLhr346z1MDRSioZHtQhn5VCoFFm3WDx+KDrNEnBFjBzBx6FCo10rg0+ 9 | vFnr8YiyG8gJvV9C2UMoD6afsfR9AgMBAAGgLDAqBgkqhkiG9w0BCQ4xHTAbMBkG 10 | A1UdEQQSMBCCDnBrYzExcHJveHlkdGxzMA0GCSqGSIb3DQEBCwUAA4IBAQABhU4T 11 | lTPiOc4Bvq7rMDu3I6aCL2Wo7GnKWxx8SxorUoBt5ugi414K2lNwA6czL3IP7iJ8 12 | qqiTm2RkbO093ikdrkCVCD6Mxr/kWzaK7EY9PuavFkTQwtteHWjbTbjdQbOKzk9v 13 | +hPzFWj/mJ7icGWi/LuuwmT9/rufGYaJz8CjiM1syy3/sMNutELMXHvmMvlhLq69 14 | m8LAajHCzRUyGaAet4G0tIHXMvemHlCt+Zmx/bpVkiN2xZeakx8jmX5wtLlQBUpd 15 | zTKG9Zf61QfnUcfPezXpY931zR9jIrb0L28FlHWcAuPCeBK+cpO/AY4Bj4nGm/Dk 16 | Cp68Ukydael0XkzK 17 | -----END CERTIFICATE REQUEST----- 18 | -------------------------------------------------------------------------------- /src/tests/integration/certs/server.json: -------------------------------------------------------------------------------- 1 | { 2 | "CN": "pkc11proxydtls", 3 | "hosts": [ 4 | "pkc11proxydtls" 5 | ], 6 | "key": { 7 | "algo": "rsa", 8 | "size": 2048 9 | }, 10 | "names": [ 11 | { 12 | "C": "GB", 13 | "L": "London" 14 | } 15 | ] 16 | } 17 | 18 | -------------------------------------------------------------------------------- /src/tests/integration/certs/server.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDqzCCApOgAwIBAgIUAnpmr19LEylmSLJmemnbngf22bcwDQYJKoZIhvcNAQEL 3 | BQAwVDELMAkGA1UEBhMCR0IxDzANBgNVBAgTBkxvbmRvbjEXMBUGA1UEChMOQ2Ft 4 | bCBDcnVzaCBPcmcxGzAZBgNVBAMTEkNhbWwgQ3J1c2ggVGVzdCBDQTAeFw0yMTA4 5 | MjYxMDQ4MDBaFw0yMjA4MjYxMDQ4MDBaMDcxCzAJBgNVBAYTAkdCMQ8wDQYDVQQH 6 | EwZMb25kb24xFzAVBgNVBAMTDnBrYzExcHJveHlkdGxzMIIBIjANBgkqhkiG9w0B 7 | AQEFAAOCAQ8AMIIBCgKCAQEAxIyJ3squHS+FlQesJ58peuxtcE+/9YKDa/QSdoQL 8 | UdQSuvqIt0lAiZ1CHW0SHogyuBSx3VsRtcfDUfe/bOQVlfrOLNx3U1XS7rwvksPR 9 | 0MVAuen4WHmK2onMRcrvi7rblU53+DhwXkB9DQOWTAywS/4R6j0/Bt4PYUI65h0a 10 | SVxbK9g4cgxMo7wwHbsNyBCRSEWpm9fnwzZG6kJOJzBHV+zwQmWn1yzxfaHuYVvx 11 | 9QU4LYpCkhicEkWuk/tPelinc8S4a9+Os9TA0UoqGR7UIZ+VQqBRZt1g8fig6zRJ 12 | wRYwcwcehQqNdK4NPrxZ6/GIshvICb1fQtlDKA+mn7H0fQIDAQABo4GRMIGOMA4G 13 | A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA 14 | MB0GA1UdDgQWBBQwlFpNmFxhYU5THk4dMtwxkD9JqzAfBgNVHSMEGDAWgBQK8Z4L 15 | QF692R6SsqqOnMUhR5JMwDAZBgNVHREEEjAQgg5wa2MxMXByb3h5ZHRsczANBgkq 16 | hkiG9w0BAQsFAAOCAQEAFv84RjZJ/WJ3yC10eK8MqaAb/5B9ncr9DUxVdjbHXfp/ 17 | SER4SXw7BX02GFlzkC14/c0Ffph7CHfab5vnOStmMKd/s4LvmjFxPPsimbl/Boro 18 | 5OEOxZml1VKu6Wt27A2ExD1lsDTI4R84DV/0tWeSt/h8buT5c3K5zEarPhFdvQpe 19 | yTxQgv7XXCsdkrz2XVDrMCwwrki6sS2IdSCnXddMiReTMhptYDQSuEmGuIbwAQgD 20 | GHGBjeEzTUXmu6xDfnj16SzHswZWJd3UrBhTWcM8k9LKvZsBdpCzA5TNT/X9do3o 21 | 5GBgzN2GP9pBUwMjOuqcLp9YojNrV1XTcZqE+k7dzw== 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /src/tests/integration/certs/ssl-init.sh: -------------------------------------------------------------------------------- 1 | #No need to run but those were the commends to setup certificates 2 | cfssl genkey -initca ca.json | cfssljson -bare ca 3 | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server 4 | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client -------------------------------------------------------------------------------- /src/tests/integration/pkcs11proxyd-tcp-tls.conf: -------------------------------------------------------------------------------- 1 | netplex { 2 | controller { 3 | max_level = "debug"; (* Log level *) 4 | 5 | (* configure "admin" socket directory, default "/tmp/.netplex" *) 6 | (* 7 | socket_directory = "/tmp/.netplex"; 8 | *) 9 | 10 | logging { 11 | (* type can either be "stderr", "syslog", "file", "multi_file" 12 | * see http://projects.camlcity.org/projects/dl/ocamlnet-3.6/doc/html-main/Netplex_admin.html 13 | *) 14 | type = "stderr"; (* Log to stderr *) 15 | }; 16 | }; 17 | service { 18 | name = "PKCS#11 Filtering Proxy"; 19 | (* These parameters can be used to change UID/GID of worker processes *) 20 | (* 21 | user = "root"; 22 | group = "root"; 23 | *) 24 | 25 | (* Do NOT change conn_limit, this would be a serious SECURITY ISSUE *) 26 | conn_limit = 1; 27 | 28 | protocol { 29 | (* This section creates the socket *) 30 | name = "rpc_pkcs11"; 31 | 32 | (* OCamlnet 4 support the following to set Unix socket permissions:*) 33 | (* 34 | local_chmod = "0o777"; 35 | *) 36 | 37 | (* This section creates the socket *) 38 | (* Socket can either be TCP or UNIX *) 39 | address { 40 | (* Default here is TCP localhost on port 4444 *) 41 | type = "internet"; 42 | bind = "0.0.0.0:4444"; 43 | 44 | (* For Unix 45 | WARNING: For OCamlnet < 4 it is not possible to set the socket permission, 46 | you will have to manually fix it to allow multi-user 47 | access (e.g. chmod 777 , or umask prior launching). 48 | *) 49 | (* 50 | type = "local"; 51 | path = "/var/run/pkcs11proxyd.socket"; 52 | *) 53 | }; 54 | }; 55 | processor { 56 | (* This section specifies how to process data of the socket *) 57 | type = "rpc_pkcs11"; 58 | 59 | (* libnames param is used when the proxy is compiled WITHOUT filtering support *) 60 | (* syntax is: libnames=":;<...>:<...>;"; *) 61 | (* 62 | libnames="softhsm:/usr/lib/softhsm/libsofthsm2.so;"; 63 | *) 64 | 65 | (* filter_config is used to supply the filtering configuration when compiled in *) 66 | filter_config="/build/src/tests/integration/filter.conf"; 67 | 68 | (*************** TLS support begin ***********************) 69 | (* use_ssl = false to disable SSL support on server side *) 70 | (* use_ssl = true to enable SSL support on server side *) 71 | use_ssl = true; 72 | 73 | (* TLS support for Caml Crush compiled with OCamlnet 4.x *) 74 | (* Uncomment to enable TLS when using OCamlnet 4.x *) 75 | 76 | tls { 77 | (* Ciphersuites, GnuTLS syntax *) 78 | (* TLS 1.2, PFS-only suites, no DSS, no CAMELLIA *) 79 | algorithms = "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"; 80 | 81 | (* Force peer client authentication *) 82 | peer_auth = "required"; 83 | 84 | (* Uncomment to enable DHE parameters, used for PFS *) 85 | (* 86 | dh_params { 87 | (* Pre-computed DH parameters *) 88 | pkcs3_file = "/etc/pkcs11proxyd/dhparams.pem"; 89 | (* Run-time created DH parameters, warning: this takes a long time *) 90 | (*bits = 2048;*) 91 | }; 92 | *) 93 | x509 { 94 | key { 95 | crt_file = "server.pem"; 96 | key_file = "server-key.pem"; 97 | }; 98 | trust { 99 | crt_file = "ca.pem"; 100 | }; 101 | } 102 | }; 103 | 104 | (***************TLS support end *************************) 105 | 106 | }; 107 | workload_manager { 108 | type = "dynamic"; 109 | max_jobs_per_thread = 1; (* Everything else is senseless *) 110 | min_free_jobs_capacity = 1; 111 | max_free_jobs_capacity = 1; 112 | max_threads = 100; 113 | }; 114 | } 115 | } 116 | -------------------------------------------------------------------------------- /src/tests/integration/pkcs11proxyd-tcp.conf: -------------------------------------------------------------------------------- 1 | netplex { 2 | controller { 3 | max_level = "debug"; (* Log level *) 4 | 5 | (* configure "admin" socket directory, default "/tmp/.netplex" *) 6 | (* 7 | socket_directory = "/tmp/.netplex"; 8 | *) 9 | 10 | logging { 11 | (* type can either be "stderr", "syslog", "file", "multi_file" 12 | * see http://projects.camlcity.org/projects/dl/ocamlnet-3.6/doc/html-main/Netplex_admin.html 13 | *) 14 | type = "stderr"; (* Log to stderr *) 15 | }; 16 | }; 17 | service { 18 | name = "PKCS#11 Filtering Proxy"; 19 | (* These parameters can be used to change UID/GID of worker processes *) 20 | (* 21 | user = "root"; 22 | group = "root"; 23 | *) 24 | 25 | (* Do NOT change conn_limit, this would be a serious SECURITY ISSUE *) 26 | conn_limit = 1; 27 | 28 | protocol { 29 | (* This section creates the socket *) 30 | name = "rpc_pkcs11"; 31 | 32 | (* OCamlnet 4 support the following to set Unix socket permissions:*) 33 | (* 34 | local_chmod = "0o777"; 35 | *) 36 | 37 | (* This section creates the socket *) 38 | (* Socket can either be TCP or UNIX *) 39 | address { 40 | (* Default here is TCP localhost on port 4444 *) 41 | type = "internet"; 42 | bind = "0.0.0.0:4444"; 43 | 44 | (* For Unix 45 | WARNING: For OCamlnet < 4 it is not possible to set the socket permission, 46 | you will have to manually fix it to allow multi-user 47 | access (e.g. chmod 777 , or umask prior launching). 48 | *) 49 | (* 50 | type = "local"; 51 | path = "/var/run/pkcs11proxyd.socket"; 52 | *) 53 | }; 54 | }; 55 | processor { 56 | (* This section specifies how to process data of the socket *) 57 | type = "rpc_pkcs11"; 58 | 59 | (* libnames param is used when the proxy is compiled WITHOUT filtering support *) 60 | (* syntax is: libnames=":;<...>:<...>;"; *) 61 | (* 62 | libnames="softhsm:/usr/lib/softhsm/libsofthsm2.so;"; 63 | *) 64 | 65 | (* filter_config is used to supply the filtering configuration when compiled in *) 66 | filter_config="/build/src/tests/integration/filter.conf"; 67 | 68 | (*************** TLS support begin ***********************) 69 | (* use_ssl = false to disable SSL support on server side *) 70 | (* use_ssl = true to enable SSL support on server side *) 71 | use_ssl = false; 72 | 73 | (* TLS support for Caml Crush compiled with OCamlnet 4.x *) 74 | (* Uncomment to enable TLS when using OCamlnet 4.x *) 75 | (* 76 | tls { 77 | (* Ciphersuites, GnuTLS syntax *) 78 | (* TLS 1.2, PFS-only suites, no DSS, no CAMELLIA *) 79 | algorithms = "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"; 80 | 81 | (* Force peer client authentication *) 82 | peer_auth = "required"; 83 | 84 | (* Uncomment to enable DHE parameters, used for PFS *) 85 | (* 86 | dh_params { 87 | (* Pre-computed DH parameters *) 88 | pkcs3_file = "/etc/pkcs11proxyd/dhparams.pem"; 89 | (* Run-time created DH parameters, warning: this takes a long time *) 90 | (*bits = 2048;*) 91 | }; 92 | *) 93 | x509 { 94 | key { 95 | crt_file = "server.pem"; 96 | key_file = "server.key"; 97 | }; 98 | trust { 99 | crt_file = "cacert.pem"; 100 | }; 101 | } 102 | }; 103 | *) 104 | 105 | (* LEGACY SSL support for Caml Crush <= 1.0.6 or OCamlnet 3.x *) 106 | (* OpenSSL cipher syntax, one or many suites can be configured, or alias such as HIGH *) 107 | cipher_suite="DHE-RSA-AES128-SHA"; 108 | (* Provide full certificate chain in cafile *) 109 | cafile = "/usr/local/etc/tests/certs/ca.crt"; 110 | certfile = "/usr/local/etc/tests/certs/server.crt"; 111 | certkey = "/usr/local/etc/tests/certs/server.key"; 112 | (* Optional, allows to use DHE cipher suites, generate custom DH paramerters *) 113 | dh_params = "/usr/local/etc/tests/certs/dhparams.pem"; 114 | (* Optional, allows to use ECDHE cipher suites *) 115 | ec_curve_name = "prime256v1"; 116 | (* Optional, allows to use a custom certificate verification depth *) 117 | verify_depth = 4; 118 | 119 | (***************TLS support end *************************) 120 | 121 | }; 122 | workload_manager { 123 | type = "dynamic"; 124 | max_jobs_per_thread = 1; (* Everything else is senseless *) 125 | min_free_jobs_capacity = 1; 126 | max_free_jobs_capacity = 1; 127 | max_threads = 100; 128 | }; 129 | } 130 | } 131 | -------------------------------------------------------------------------------- /src/tests/integration/pkcs11proxyd-unix-tls.conf: -------------------------------------------------------------------------------- 1 | netplex { 2 | controller { 3 | max_level = "debug"; (* Log level *) 4 | 5 | (* configure "admin" socket directory, default "/tmp/.netplex" *) 6 | (* 7 | socket_directory = "/tmp/.netplex"; 8 | *) 9 | 10 | logging { 11 | (* type can either be "stderr", "syslog", "file", "multi_file" 12 | * see http://projects.camlcity.org/projects/dl/ocamlnet-3.6/doc/html-main/Netplex_admin.html 13 | *) 14 | type = "stderr"; (* Log to stderr *) 15 | }; 16 | }; 17 | service { 18 | name = "PKCS#11 Filtering Proxy"; 19 | (* These parameters can be used to change UID/GID of worker processes *) 20 | (* 21 | user = "root"; 22 | group = "root"; 23 | *) 24 | 25 | (* Do NOT change conn_limit, this would be a serious SECURITY ISSUE *) 26 | conn_limit = 1; 27 | 28 | protocol { 29 | (* This section creates the socket *) 30 | name = "rpc_pkcs11"; 31 | 32 | (* OCamlnet 4 support the following to set Unix socket permissions:*) 33 | (* 34 | local_chmod = "0o777"; 35 | *) 36 | 37 | (* This section creates the socket *) 38 | (* Socket can either be TCP or UNIX *) 39 | address { 40 | type = "local"; 41 | path = "/var/run/pkcs11proxyd.socket"; 42 | 43 | }; 44 | }; 45 | processor { 46 | (* This section specifies how to process data of the socket *) 47 | type = "rpc_pkcs11"; 48 | 49 | (* libnames param is used when the proxy is compiled WITHOUT filtering support *) 50 | (* syntax is: libnames=":;<...>:<...>;"; *) 51 | (* 52 | libnames="softhsm:/usr/lib/softhsm/libsofthsm2.so;"; 53 | *) 54 | 55 | (* filter_config is used to supply the filtering configuration when compiled in *) 56 | filter_config="/build/src/tests/integration/filter.conf"; 57 | 58 | (*************** TLS support begin ***********************) 59 | (* use_ssl = false to disable SSL support on server side *) 60 | (* use_ssl = true to enable SSL support on server side *) 61 | use_ssl = true; 62 | 63 | (* TLS support for Caml Crush compiled with OCamlnet 4.x *) 64 | (* Uncomment to enable TLS when using OCamlnet 4.x *) 65 | 66 | tls { 67 | (* Ciphersuites, GnuTLS syntax *) 68 | (* TLS 1.2, PFS-only suites, no DSS, no CAMELLIA *) 69 | algorithms = "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"; 70 | 71 | (* Force peer client authentication *) 72 | peer_auth = "required"; 73 | 74 | (* Uncomment to enable DHE parameters, used for PFS *) 75 | (* 76 | dh_params { 77 | (* Pre-computed DH parameters *) 78 | pkcs3_file = "/etc/pkcs11proxyd/dhparams.pem"; 79 | (* Run-time created DH parameters, warning: this takes a long time *) 80 | (*bits = 2048;*) 81 | }; 82 | *) 83 | x509 { 84 | key { 85 | crt_file = "server.pem"; 86 | key_file = "server-key.pem"; 87 | }; 88 | trust { 89 | crt_file = "ca.pem"; 90 | }; 91 | } 92 | }; 93 | 94 | (***************TLS support end *************************) 95 | 96 | }; 97 | workload_manager { 98 | type = "dynamic"; 99 | max_jobs_per_thread = 1; (* Everything else is senseless *) 100 | min_free_jobs_capacity = 1; 101 | max_free_jobs_capacity = 1; 102 | max_threads = 100; 103 | }; 104 | } 105 | } 106 | -------------------------------------------------------------------------------- /src/tests/integration/pkcs11proxyd-unix.conf: -------------------------------------------------------------------------------- 1 | netplex { 2 | controller { 3 | max_level = "debug"; (* Log level *) 4 | 5 | (* configure "admin" socket directory, default "/tmp/.netplex" *) 6 | (* 7 | socket_directory = "/tmp/.netplex"; 8 | *) 9 | 10 | logging { 11 | (* type can either be "stderr", "syslog", "file", "multi_file" 12 | * see http://projects.camlcity.org/projects/dl/ocamlnet-3.6/doc/html-main/Netplex_admin.html 13 | *) 14 | type = "stderr"; (* Log to stderr *) 15 | }; 16 | }; 17 | service { 18 | name = "PKCS#11 Filtering Proxy"; 19 | (* These parameters can be used to change UID/GID of worker processes *) 20 | (* 21 | user = "root"; 22 | group = "root"; 23 | *) 24 | 25 | (* Do NOT change conn_limit, this would be a serious SECURITY ISSUE *) 26 | conn_limit = 1; 27 | 28 | protocol { 29 | (* This section creates the socket *) 30 | name = "rpc_pkcs11"; 31 | 32 | (* OCamlnet 4 support the following to set Unix socket permissions:*) 33 | (* 34 | local_chmod = "0o777"; 35 | *) 36 | 37 | (* This section creates the socket *) 38 | (* Socket can either be TCP or UNIX *) 39 | address { 40 | type = "local"; 41 | path = "/var/run/pkcs11proxyd.socket"; 42 | }; 43 | }; 44 | processor { 45 | (* This section specifies how to process data of the socket *) 46 | type = "rpc_pkcs11"; 47 | 48 | (* libnames param is used when the proxy is compiled WITHOUT filtering support *) 49 | (* syntax is: libnames=":;<...>:<...>;"; *) 50 | (* 51 | libnames="softhsm:/usr/lib/softhsm/libsofthsm2.so;"; 52 | *) 53 | 54 | (* filter_config is used to supply the filtering configuration when compiled in *) 55 | filter_config="/build/src/tests/integration/filter.conf"; 56 | 57 | (*************** TLS support begin ***********************) 58 | (* use_ssl = false to disable SSL support on server side *) 59 | (* use_ssl = true to enable SSL support on server side *) 60 | use_ssl = false; 61 | 62 | (* TLS support for Caml Crush compiled with OCamlnet 4.x *) 63 | (* Uncomment to enable TLS when using OCamlnet 4.x *) 64 | (* 65 | tls { 66 | (* Ciphersuites, GnuTLS syntax *) 67 | (* TLS 1.2, PFS-only suites, no DSS, no CAMELLIA *) 68 | algorithms = "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"; 69 | 70 | (* Force peer client authentication *) 71 | peer_auth = "required"; 72 | 73 | (* Uncomment to enable DHE parameters, used for PFS *) 74 | (* 75 | dh_params { 76 | (* Pre-computed DH parameters *) 77 | pkcs3_file = "/etc/pkcs11proxyd/dhparams.pem"; 78 | (* Run-time created DH parameters, warning: this takes a long time *) 79 | (*bits = 2048;*) 80 | }; 81 | *) 82 | x509 { 83 | key { 84 | crt_file = "server.pem"; 85 | key_file = "server.key"; 86 | }; 87 | trust { 88 | crt_file = "cacert.pem"; 89 | }; 90 | } 91 | }; 92 | *) 93 | 94 | (* LEGACY SSL support for Caml Crush <= 1.0.6 or OCamlnet 3.x *) 95 | (* OpenSSL cipher syntax, one or many suites can be configured, or alias such as HIGH *) 96 | cipher_suite="DHE-RSA-AES128-SHA"; 97 | (* Provide full certificate chain in cafile *) 98 | cafile = "/usr/local/etc/tests/certs/ca.crt"; 99 | certfile = "/usr/local/etc/tests/certs/server.crt"; 100 | certkey = "/usr/local/etc/tests/certs/server.key"; 101 | (* Optional, allows to use DHE cipher suites, generate custom DH paramerters *) 102 | dh_params = "/usr/local/etc/tests/certs/dhparams.pem"; 103 | (* Optional, allows to use ECDHE cipher suites *) 104 | ec_curve_name = "prime256v1"; 105 | (* Optional, allows to use a custom certificate verification depth *) 106 | verify_depth = 4; 107 | 108 | (***************TLS support end *************************) 109 | 110 | }; 111 | workload_manager { 112 | type = "dynamic"; 113 | max_jobs_per_thread = 1; (* Everything else is senseless *) 114 | min_free_jobs_capacity = 1; 115 | max_free_jobs_capacity = 1; 116 | max_threads = 100; 117 | }; 118 | } 119 | } 120 | -------------------------------------------------------------------------------- /src/tests/integration/run-tests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | pkcs11-tool --module /usr/local/lib/caml-crush/libp11clientfoo.so -t --pin 1234 -------------------------------------------------------------------------------- /src/tests/integration/wait-for-it.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Use this script to test if a given TCP host/port are available 3 | 4 | WAITFORIT_cmdname=${0##*/} 5 | 6 | echoerr() { if [[ $WAITFORIT_QUIET -ne 1 ]]; then echo "$@" 1>&2; fi } 7 | 8 | usage() 9 | { 10 | cat << USAGE >&2 11 | Usage: 12 | $WAITFORIT_cmdname host:port [-s] [-t timeout] [-- command args] 13 | -h HOST | --host=HOST Host or IP under test 14 | -p PORT | --port=PORT TCP port under test 15 | Alternatively, you specify the host and port as host:port 16 | -s | --strict Only execute subcommand if the test succeeds 17 | -q | --quiet Don't output any status messages 18 | -t TIMEOUT | --timeout=TIMEOUT 19 | Timeout in seconds, zero for no timeout 20 | -- COMMAND ARGS Execute command with args after the test finishes 21 | USAGE 22 | exit 1 23 | } 24 | 25 | wait_for() 26 | { 27 | if [[ $WAITFORIT_TIMEOUT -gt 0 ]]; then 28 | echoerr "$WAITFORIT_cmdname: waiting $WAITFORIT_TIMEOUT seconds for $WAITFORIT_HOST:$WAITFORIT_PORT" 29 | else 30 | echoerr "$WAITFORIT_cmdname: waiting for $WAITFORIT_HOST:$WAITFORIT_PORT without a timeout" 31 | fi 32 | WAITFORIT_start_ts=$(date +%s) 33 | while : 34 | do 35 | if [[ $WAITFORIT_ISBUSY -eq 1 ]]; then 36 | nc -z $WAITFORIT_HOST $WAITFORIT_PORT 37 | WAITFORIT_result=$? 38 | else 39 | (echo -n > /dev/tcp/$WAITFORIT_HOST/$WAITFORIT_PORT) >/dev/null 2>&1 40 | WAITFORIT_result=$? 41 | fi 42 | if [[ $WAITFORIT_result -eq 0 ]]; then 43 | WAITFORIT_end_ts=$(date +%s) 44 | echoerr "$WAITFORIT_cmdname: $WAITFORIT_HOST:$WAITFORIT_PORT is available after $((WAITFORIT_end_ts - WAITFORIT_start_ts)) seconds" 45 | break 46 | fi 47 | sleep 1 48 | done 49 | return $WAITFORIT_result 50 | } 51 | 52 | wait_for_wrapper() 53 | { 54 | # In order to support SIGINT during timeout: http://unix.stackexchange.com/a/57692 55 | if [[ $WAITFORIT_QUIET -eq 1 ]]; then 56 | timeout $WAITFORIT_BUSYTIMEFLAG $WAITFORIT_TIMEOUT $0 --quiet --child --host=$WAITFORIT_HOST --port=$WAITFORIT_PORT --timeout=$WAITFORIT_TIMEOUT & 57 | else 58 | timeout $WAITFORIT_BUSYTIMEFLAG $WAITFORIT_TIMEOUT $0 --child --host=$WAITFORIT_HOST --port=$WAITFORIT_PORT --timeout=$WAITFORIT_TIMEOUT & 59 | fi 60 | WAITFORIT_PID=$! 61 | trap "kill -INT -$WAITFORIT_PID" INT 62 | wait $WAITFORIT_PID 63 | WAITFORIT_RESULT=$? 64 | if [[ $WAITFORIT_RESULT -ne 0 ]]; then 65 | echoerr "$WAITFORIT_cmdname: timeout occurred after waiting $WAITFORIT_TIMEOUT seconds for $WAITFORIT_HOST:$WAITFORIT_PORT" 66 | fi 67 | return $WAITFORIT_RESULT 68 | } 69 | 70 | # process arguments 71 | while [[ $# -gt 0 ]] 72 | do 73 | case "$1" in 74 | *:* ) 75 | WAITFORIT_hostport=(${1//:/ }) 76 | WAITFORIT_HOST=${WAITFORIT_hostport[0]} 77 | WAITFORIT_PORT=${WAITFORIT_hostport[1]} 78 | shift 1 79 | ;; 80 | --child) 81 | WAITFORIT_CHILD=1 82 | shift 1 83 | ;; 84 | -q | --quiet) 85 | WAITFORIT_QUIET=1 86 | shift 1 87 | ;; 88 | -s | --strict) 89 | WAITFORIT_STRICT=1 90 | shift 1 91 | ;; 92 | -h) 93 | WAITFORIT_HOST="$2" 94 | if [[ $WAITFORIT_HOST == "" ]]; then break; fi 95 | shift 2 96 | ;; 97 | --host=*) 98 | WAITFORIT_HOST="${1#*=}" 99 | shift 1 100 | ;; 101 | -p) 102 | WAITFORIT_PORT="$2" 103 | if [[ $WAITFORIT_PORT == "" ]]; then break; fi 104 | shift 2 105 | ;; 106 | --port=*) 107 | WAITFORIT_PORT="${1#*=}" 108 | shift 1 109 | ;; 110 | -t) 111 | WAITFORIT_TIMEOUT="$2" 112 | if [[ $WAITFORIT_TIMEOUT == "" ]]; then break; fi 113 | shift 2 114 | ;; 115 | --timeout=*) 116 | WAITFORIT_TIMEOUT="${1#*=}" 117 | shift 1 118 | ;; 119 | --) 120 | shift 121 | WAITFORIT_CLI=("$@") 122 | break 123 | ;; 124 | --help) 125 | usage 126 | ;; 127 | *) 128 | echoerr "Unknown argument: $1" 129 | usage 130 | ;; 131 | esac 132 | done 133 | 134 | if [[ "$WAITFORIT_HOST" == "" || "$WAITFORIT_PORT" == "" ]]; then 135 | echoerr "Error: you need to provide a host and port to test." 136 | usage 137 | fi 138 | 139 | WAITFORIT_TIMEOUT=${WAITFORIT_TIMEOUT:-15} 140 | WAITFORIT_STRICT=${WAITFORIT_STRICT:-0} 141 | WAITFORIT_CHILD=${WAITFORIT_CHILD:-0} 142 | WAITFORIT_QUIET=${WAITFORIT_QUIET:-0} 143 | 144 | # Check to see if timeout is from busybox? 145 | WAITFORIT_TIMEOUT_PATH=$(type -p timeout) 146 | WAITFORIT_TIMEOUT_PATH=$(realpath $WAITFORIT_TIMEOUT_PATH 2>/dev/null || readlink -f $WAITFORIT_TIMEOUT_PATH) 147 | 148 | WAITFORIT_BUSYTIMEFLAG="" 149 | if [[ $WAITFORIT_TIMEOUT_PATH =~ "busybox" ]]; then 150 | WAITFORIT_ISBUSY=1 151 | # Check if busybox timeout uses -t flag 152 | # (recent Alpine versions don't support -t anymore) 153 | if timeout &>/dev/stdout | grep -q -e '-t '; then 154 | WAITFORIT_BUSYTIMEFLAG="-t" 155 | fi 156 | else 157 | WAITFORIT_ISBUSY=0 158 | fi 159 | 160 | if [[ $WAITFORIT_CHILD -gt 0 ]]; then 161 | wait_for 162 | WAITFORIT_RESULT=$? 163 | exit $WAITFORIT_RESULT 164 | else 165 | if [[ $WAITFORIT_TIMEOUT -gt 0 ]]; then 166 | wait_for_wrapper 167 | WAITFORIT_RESULT=$? 168 | else 169 | wait_for 170 | WAITFORIT_RESULT=$? 171 | fi 172 | fi 173 | 174 | if [[ $WAITFORIT_CLI != "" ]]; then 175 | if [[ $WAITFORIT_RESULT -ne 0 && $WAITFORIT_STRICT -eq 1 ]]; then 176 | echoerr "$WAITFORIT_cmdname: strict mode, refusing to execute subprocess" 177 | exit $WAITFORIT_RESULT 178 | fi 179 | exec "${WAITFORIT_CLI[@]}" 180 | else 181 | exit $WAITFORIT_RESULT 182 | fi 183 | -------------------------------------------------------------------------------- /src/tests/ocaml/Makefile.in: -------------------------------------------------------------------------------- 1 | bindings_dir = ../../bindings-pkcs11 2 | CFLAGS = -I $(bindings_dir) 3 | LDFLAGS = -cclib -lcamlidl -cclib -L$(bindings_dir) 4 | 5 | all: build_bindings_standalone p11_common p11_for_generic complete_test digest_test encdec_test wrap_unwrap_test destroy_objects generic_scenario 6 | 7 | build_bindings_standalone: 8 | cd $(bindings_dir) && make -f Makefile.standalone && cd - 9 | 10 | p11_common: 11 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c p11_common.ml 12 | 13 | p11_for_generic: 14 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c p11_for_generic.ml 15 | 16 | complete_test: 17 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c test_pkcs11.ml 18 | ocamlfind ocamlopt -package "config-file" -linkpkg $(bindings_dir)/pkcs11_standalone.cmxa p11_common.cmx test_pkcs11.cmx $(LDFLAGS) -o pkcs11.opt 19 | 20 | destroy_objects: 21 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c destroy.ml 22 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" -linkpkg $(bindings_dir)/pkcs11_standalone.cmxa p11_common.cmx destroy.cmx $(LDFLAGS) -o destroy_objects.opt 23 | 24 | digest_test: 25 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c digest_test.ml 26 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" -linkpkg $(bindings_dir)/pkcs11_standalone.cmxa p11_common.cmx digest_test.cmx $(LDFLAGS) -o digest_test.opt 27 | 28 | encdec_test: 29 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c encdec_test.ml 30 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" -linkpkg $(bindings_dir)/pkcs11_standalone.cmxa p11_common.cmx encdec_test.cmx $(LDFLAGS) -o encdec_test.opt 31 | 32 | wrap_unwrap_test: 33 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c wrap_unwrap.ml 34 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" -linkpkg $(bindings_dir)/pkcs11_standalone.cmxa p11_common.cmx wrap_unwrap.cmx $(LDFLAGS) -o wrap_unwrap_test.opt 35 | 36 | generic_scenario: build_bindings_standalone p11_common p11_for_generic 37 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c get_sensitive_key.ml 38 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c sensitive_is_sticky.ml 39 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c extractable_is_sticky.ml 40 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c encrypt_and_unwrap.ml 41 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c misc_scenario.ml 42 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c double_unwrap.ml 43 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c wrap_and_decrypt_1.ml 44 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c wrap_and_decrypt_2.ml 45 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c wrap_and_decrypt_3.ml 46 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c wrap_and_decrypt_4.ml 47 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c create_object_1.ml 48 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c create_object_2.ml 49 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" $(CFLAGS) -c generic_scenario.ml 50 | ocamlfind ocamlopt @ocaml_options@ -package "config-file" -linkpkg $(bindings_dir)/pkcs11_standalone.cmxa p11_common.cmx p11_for_generic.cmx get_sensitive_key.cmx sensitive_is_sticky.cmx extractable_is_sticky.cmx encrypt_and_unwrap.cmx misc_scenario.cmx double_unwrap.cmx wrap_and_decrypt_1.cmx wrap_and_decrypt_2.cmx wrap_and_decrypt_3.cmx wrap_and_decrypt_4.cmx create_object_1.cmx create_object_2.cmx generic_scenario.cmx $(LDFLAGS) -o generic_scenario.opt 51 | 52 | 53 | clean: 54 | @rm -f *.cmi *.cmx *.o *.cmo *~ *.opt *.cmxa *.a *.cma *.so 55 | -------------------------------------------------------------------------------- /src/tests/ocaml/create_object_1.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/create_object_1.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_common 71 | open P11_for_generic 72 | 73 | 74 | let this_scenario = 75 | let template_wrap = [| attr_wrap |] in 76 | let empty = ( [||] : Pkcs11.ck_attribute array ) in 77 | [ ( ("empty", empty ), C( [| attr_wrap |] ) ) ; (("empty", empty), W) ] 78 | 79 | (* we try here the creation of an object (worth a string of zeroes 80 | of the adequate length), and then we try to use it to wrap 81 | the key to leak. This would be bad since the result of the 82 | unwrapping can be decrypted using zeroes as a key value. *) 83 | -------------------------------------------------------------------------------- /src/tests/ocaml/create_object_2.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/create_object_2.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_common 71 | open P11_for_generic 72 | 73 | 74 | let this_scenario = 75 | let template_w = [| attr_wrap |] in 76 | let empty = ( [||] : Pkcs11.ck_attribute array ) in 77 | [ (("empty", empty), C([||])) ; ( ("empty", empty), F ); (("template_w", template_w), W)] 78 | 79 | (* we try here the creation of an object (worth a string of zeroes 80 | of the adequate length), try to set the wrap attribute to true, 81 | and then we try to use it to wrap 82 | the key to leak. This would be bad since the result of the 83 | unwrapping can be decrypted using zeroes as a key value. *) 84 | -------------------------------------------------------------------------------- /src/tests/ocaml/destroy.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/destroy.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open Printf 71 | open P11_common 72 | 73 | let destroy_all session obj = 74 | let ret_value = Pkcs11.mL_CK_C_DestroyObject session obj in 75 | printf "C_DestroyObject ret: %s for object %s\n" (Pkcs11.match_cKR_value ret_value) (Nativeint.to_string obj) 76 | 77 | let _ = 78 | let _ = init_module in 79 | let conf_user_pin = fetch_pin in 80 | let ret_value = Pkcs11.mL_CK_C_Initialize () in 81 | printf "C_Initialize ret: %s\n" (Pkcs11.match_cKR_value ret_value); 82 | (* GetSlotList *) 83 | let (ret_value, slot_list_, count) = Pkcs11.mL_CK_C_GetSlotList 0n 0n in 84 | printf "C_GetSlotList ret: %s, Count = %s, slot_list =" (Nativeint.to_string ret_value) (Nativeint.to_string count); 85 | Pkcs11.print_int_array slot_list_; 86 | 87 | let (ret_value, slot_list_, count) = Pkcs11.mL_CK_C_GetSlotList 0n count in 88 | printf "C_GetSlotList ret: %s, Count = %s, slot_list =" (Nativeint.to_string ret_value) (Nativeint.to_string count); 89 | Pkcs11.print_int_array slot_list_; 90 | 91 | (* Print SlotInfo and TokenInfo *) 92 | Array.iter print_slots slot_list_; 93 | 94 | (* hardcoded take first available slot *) 95 | let slot_id = slot_list_.(0) in 96 | 97 | let (_, session) = Pkcs11.mL_CK_C_OpenSession slot_id (Nativeint.logor Pkcs11.cKF_SERIAL_SESSION Pkcs11.cKF_RW_SESSION) in 98 | let pin = Pkcs11.string_to_char_array conf_user_pin in 99 | let ret_value = Pkcs11.mL_CK_C_Login session Pkcs11.cKU_USER pin in 100 | printf "C_Login ret: %s\n" (Pkcs11.match_cKR_value ret_value); 101 | 102 | let ret_value = Pkcs11.mL_CK_C_FindObjectsInit session [||] in 103 | printf "C_FindObjectsInit ret: %s\n" (Pkcs11.match_cKR_value ret_value); 104 | let (ret_value, found_, number_) = Pkcs11.mL_CK_C_FindObjects session 100n in 105 | printf "C_FindObjects ret: %s\n" (Pkcs11.match_cKR_value ret_value); 106 | let ret_value = Pkcs11.mL_CK_C_FindObjectsFinal session in 107 | printf "C_FindObjectsFinal ret %s Found %s objects\n" (Pkcs11.match_cKR_value ret_value) (Nativeint.to_string number_); 108 | 109 | Array.iter (destroy_all session) found_; 110 | 111 | let ret_value = Pkcs11.mL_CK_C_Logout session in 112 | printf "C_Logout ret: %s\n" (Pkcs11.match_cKR_value ret_value); 113 | let ret_value = Pkcs11.mL_CK_C_CloseSession session in 114 | printf "C_CloseSession ret: %s\n" (Pkcs11.match_cKR_value ret_value); 115 | let ret_value = Pkcs11.mL_CK_C_Finalize () in 116 | printf "C_Finalize ret: %s\n" (Pkcs11.match_cKR_value ret_value) 117 | -------------------------------------------------------------------------------- /src/tests/ocaml/digest_test.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/digest_test.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open Printf 71 | open P11_common 72 | 73 | let digest_some_data_with_mech_type session string_to_digest mech = 74 | let digest_mech = { Pkcs11.mechanism = mech ; Pkcs11.parameter = [| |] } in 75 | 76 | printf "--------------\n"; 77 | printf "%s digest\n" (Pkcs11.match_cKM_value mech); 78 | let digest_ = digest_some_data session digest_mech string_to_digest in 79 | printf "\tthrough Digest single call is:\n"; 80 | Pkcs11.print_hex_array digest_ 81 | 82 | 83 | let _ = 84 | let _ = init_module in 85 | (* Initialize module OUTSIDE LOOP *) 86 | let ret_value = Pkcs11.mL_CK_C_Initialize () in 87 | let _ = check_ret ret_value C_InitializeError false in 88 | printf "C_Initialize ret: %s\n" (Pkcs11.match_cKR_value ret_value); 89 | 90 | while true do 91 | begin 92 | 93 | (* Fetch slot count by passing 0n (present) 0n (count) *) 94 | let (ret_value, slot_list_, count) = Pkcs11.mL_CK_C_GetSlotList 0n 0n in 95 | let _ = check_ret ret_value C_GetSlotListError false in 96 | printf "C_GetSlotList ret: %s, Count = %s, slot_list =" (Nativeint.to_string ret_value) (Nativeint.to_string count); 97 | 98 | Pkcs11.print_int_array slot_list_; 99 | 100 | (* Fetch slot list by passing 0n count *) 101 | let (ret_value, slot_list_, count) = Pkcs11.mL_CK_C_GetSlotList 0n count in 102 | let _ = check_ret ret_value C_GetSlotListError false in 103 | printf "C_GetSlotList ret: %s, Count = %s, slot_list =" (Nativeint.to_string ret_value) (Nativeint.to_string count); 104 | Pkcs11.print_int_array slot_list_; 105 | 106 | Array.iter print_slots slot_list_; 107 | 108 | (* hardcoded take first available slot *) 109 | let slot_id = slot_list_.(0) in 110 | 111 | (* GetMechList *) 112 | let mechanism_list_ = get_mechanism_list_for_slot slot_id in 113 | 114 | let mechanisms = Array.map Pkcs11.match_cKM_value mechanism_list_ in 115 | Pkcs11.print_string_array mechanisms; 116 | 117 | let (ret_value, session) = Pkcs11.mL_CK_C_OpenSession slot_id (Nativeint.logor Pkcs11.cKF_SERIAL_SESSION Pkcs11.cKF_RW_SESSION) in 118 | let _ = check_ret ret_value C_OpenSessionError false in 119 | printf "C_OpenSession ret: %s\n" (Pkcs11.match_cKR_value ret_value); 120 | 121 | (* Digest *) 122 | let digest_to_test = ["CKM_MD5"; "CKM_SHA_1"; "CKM_SHA256"; "CKM_SHA384"; "CKM_SHA512" ] in 123 | 124 | let digest_to_test = List.map Pkcs11.string_to_cKM_value digest_to_test in 125 | let token_supports = Array.to_list (mechanism_list_) in 126 | let mech_intersect = intersect digest_to_test token_supports in 127 | 128 | (* GenerateRandom to get a random string to digest *) 129 | (* 130 | let string_to_digest = "the brown fox jumps over the lazy dog" in 131 | *) 132 | let (ret_value, rand_) = Pkcs11.mL_CK_C_GenerateRandom session 32n in 133 | let _ = check_ret ret_value C_GenerateRandomError false in 134 | let string_to_digest = Pkcs11.char_array_to_string rand_ in 135 | List.iter (digest_some_data_with_mech_type session string_to_digest) mech_intersect; 136 | 137 | (* CloseAllSessions and finalize *) 138 | 139 | let ret_value = Pkcs11.mL_CK_C_CloseSession session in 140 | let _ = check_ret ret_value C_CloseSessionError false in 141 | printf "C_CloseSession ret: %s\n" (Pkcs11.match_cKR_value ret_value); 142 | 143 | let ret_value = Pkcs11.mL_CK_C_CloseAllSessions slot_id in 144 | let _ = check_ret ret_value C_CloseAllSessionsError false in 145 | printf "C_CloseAllSessions ret: %s\n" (Pkcs11.match_cKR_value ret_value); 146 | 147 | flush stdout; 148 | Gc.full_major() 149 | end 150 | done; 151 | let ret_value = Pkcs11.mL_CK_C_Finalize () in 152 | let _ = check_ret ret_value C_FinalizeError false in 153 | printf "C_Finalize ret: %s\n" (Pkcs11.match_cKR_value ret_value) 154 | -------------------------------------------------------------------------------- /src/tests/ocaml/double_unwrap.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/double_unwrap.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_common 71 | open P11_for_generic 72 | 73 | let this_scenario = 74 | let template_w = [| attr_wrap |] in 75 | let template_d = [| attr_decrypt |] in 76 | let template_e = [| attr_extractable|] in 77 | [(("token_wd", template_w), C(template_e)); (("empty", [||] ), WW); (("empty", [||] ), DoubleU(template_w, template_d))] 78 | 79 | (* in this test 80 | - we create a key that can wrap (which is done using the named 81 | template), and then create another key to be wrapped (with the create 82 | opcode), 83 | - then we wrap the 84 | - then we try to have this wrapped key unwrapped with twice with different 85 | attribute values, namely, so that one instance of the key can 86 | be used to decrypt and the other to wrap. 87 | We could then continue with the wrap and decrypt scenario. 88 | *) 89 | -------------------------------------------------------------------------------- /src/tests/ocaml/encdec_test.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/encdec_test.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open Printf 71 | open P11_common 72 | 73 | let encrypt_decrypt_some_data_with_mech_type session pubkey_ privkey_ data mech_type = 74 | let enc_mech = { Pkcs11.mechanism = mech_type ; Pkcs11.parameter = [| |] } in 75 | printf "--------------\n"; 76 | printf "%s encrypt/decrypt\n" (Pkcs11.match_cKM_value mech_type); 77 | let enc_data_ = encrypt_some_data session enc_mech pubkey_ data in 78 | printf "\tthrough Encrypt single call is:\n"; 79 | Pkcs11.print_hex_array enc_data_; 80 | let dec_data_ = decrypt_some_data session enc_mech privkey_ enc_data_ in 81 | printf "\tthrough Decrypt single call is:\n"; 82 | Printf.printf "'%s'\n" (Pkcs11.char_array_to_string dec_data_) 83 | 84 | let _ = 85 | let _ = init_module in 86 | let conf_user_pin = fetch_pin in 87 | (* Initialize module *) 88 | let ret_value = Pkcs11.mL_CK_C_Initialize () in 89 | let _ = check_ret ret_value C_InitializeError false in 90 | printf "C_Initialize ret: %s\n" (Pkcs11.match_cKR_value ret_value); 91 | 92 | (* Fetch slot count by passing 0n (present) 0n (count) *) 93 | let (ret_value, slot_list_, count) = Pkcs11.mL_CK_C_GetSlotList 0n 0n in 94 | let _ = check_ret ret_value C_GetSlotListError false in 95 | printf "C_GetSlotList ret: %s, Count = %s, slot_list =" (Nativeint.to_string ret_value) (Nativeint.to_string count); 96 | 97 | Pkcs11.print_int_array slot_list_; 98 | 99 | (* Fetch slot list by passing 0n count *) 100 | let (ret_value, slot_list_, count) = Pkcs11.mL_CK_C_GetSlotList 0n count in 101 | let _ = check_ret ret_value C_GetSlotListError false in 102 | printf "C_GetSlotList ret: %s, Count = %s, slot_list =" (Nativeint.to_string ret_value) (Nativeint.to_string count); 103 | Pkcs11.print_int_array slot_list_; 104 | 105 | Array.iter print_slots slot_list_; 106 | 107 | (* hardcoded take first available slot *) 108 | let slot_id = slot_list_.(0) in 109 | 110 | (* GetMechList *) 111 | let mechanism_list_ = get_mechanism_list_for_slot slot_id in 112 | 113 | let mechanisms = Array.map Pkcs11.match_cKM_value mechanism_list_ in 114 | Pkcs11.print_string_array mechanisms; 115 | 116 | (* OpenSession and Login *) 117 | let (ret_value, session) = Pkcs11.mL_CK_C_OpenSession slot_id (Nativeint.logor Pkcs11.cKF_SERIAL_SESSION Pkcs11.cKF_RW_SESSION) in 118 | let _ = check_ret ret_value C_OpenSessionError false in 119 | printf "C_OpenSession ret: %s\n" (Pkcs11.match_cKR_value ret_value); 120 | let user_pin = Pkcs11.string_to_char_array conf_user_pin in 121 | let ret_value = Pkcs11.mL_CK_C_Login session Pkcs11.cKU_USER user_pin in 122 | let _ = check_ret ret_value C_LoginError false in 123 | printf "C_Login ret: %s\n" (Pkcs11.match_cKR_value ret_value); 124 | 125 | while true do 126 | 127 | begin 128 | (* Use higher level function to generate RSA template and create keypair *) 129 | let (pub_template_, priv_template_) = generate_rsa_template 1024n (Some "mytest") (Some "1234") in 130 | let (pubkey_, privkey_) = generate_rsa_key_pair session 1024n pub_template_ priv_template_ in 131 | 132 | let enc_to_test = ["CKM_RSA_PKCS" ] in 133 | 134 | let enc_to_test = List.map Pkcs11.string_to_cKM_value enc_to_test in 135 | let mech_intersect = intersect enc_to_test (Array.to_list mechanism_list_) in 136 | 137 | let _ = List.map (encrypt_decrypt_some_data_with_mech_type session pubkey_ privkey_ "mysecretdata") mech_intersect in 138 | 139 | (* Destroy All objects *) 140 | let _ = List.map (destroy_some_object session) [privkey_; pubkey_] in 141 | 142 | flush stdout; 143 | Gc.full_major() 144 | end 145 | done; 146 | (* Logout and finalize *) 147 | let ret_value = Pkcs11.mL_CK_C_Logout session in 148 | printf "C_Logout ret: %s\n" (Pkcs11.match_cKR_value ret_value); 149 | let _ = check_ret ret_value C_LogoutError false in 150 | let ret_value = Pkcs11.mL_CK_C_CloseSession session in 151 | let _ = check_ret ret_value C_CloseSessionError false in 152 | printf "C_CloseSession ret: %s\n" (Pkcs11.match_cKR_value ret_value); 153 | 154 | let ret_value = Pkcs11.mL_CK_C_Finalize () in 155 | let _ = check_ret ret_value C_FinalizeError false in 156 | printf "C_Finalize ret: %s\n" (Pkcs11.match_cKR_value ret_value) 157 | -------------------------------------------------------------------------------- /src/tests/ocaml/encrypt_and_unwrap.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/encrypt_and_unwrap.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_common 71 | open P11_for_generic 72 | 73 | let this_scenario = 74 | let template_w = [| attr_wrap |] in 75 | [(("token_ue", template_token_ue), E); 76 | (("empty", [||] ), U(template_w)); (("empty", [||] ), W) ] 77 | 78 | (* in this test we try to create a key that can unwrap and encrypt, 79 | then we encrypt zeroes with it 80 | then try to unwrap this zero string to import a key that can wrap, 81 | and then we try to wrap the key_to_leak with it. 82 | If it works, this is bad because we can decrypt the wrapping result (it is encrypted with zeroes...). *) 83 | -------------------------------------------------------------------------------- /src/tests/ocaml/extractable_is_sticky.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/extractable_is_sticky.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_common 71 | open P11_for_generic 72 | 73 | let this_scenario = 74 | let template_e = [| attr_extractable |] in 75 | let template_ef = [| attr_extractablef |] in 76 | [(("extractable", template_e), S); (("extractable", template_ef), G)] 77 | 78 | (* creating an extractable key and then trying to set extractable to false and get the key value *) 79 | -------------------------------------------------------------------------------- /src/tests/ocaml/get_sensitive_key.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/get_sensitive_key.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_for_generic 71 | 72 | let this_scenario = [(("empty", [||]), GKTL)] 73 | (* trying to get the value of a sensitive key (key_to_leak, directly) *) 74 | -------------------------------------------------------------------------------- /src/tests/ocaml/misc_scenario.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/misc_scenario.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_common 71 | open P11_for_generic 72 | 73 | let this_scenario = 74 | let template_wd = [| attr_wrap ; attr_decrypt |] in 75 | let template_w = [| attr_wrap |] in 76 | [(("token_ue", template_token_ue), E); 77 | (("empty", [||] ), U(template_w)); (("empty", [||]), G); (("empty", [||] ), W) ; (("empty", [||] ), D);(("empty", [||]), GKTL)] 78 | (* in this test we try to create a key that can unwrap and encrypt, 79 | then we encrypt zeroes with it 80 | then try to unwrap this zero string to import a key that can wrap and decrypt, 81 | then we try to get its value (it is not sensitive so it should work and there should be zeroes) 82 | and then we try to wrap the key_to_leak with it, 83 | If it works, this is bad because we can decrypt the wrapping result (it is encrypted with zeroes...). 84 | We then try to use the token to perform the decryption for us, 85 | and try to get the key_to_leak to compare values. 86 | This test combines many possible flaws in the underlying implementation ! *) 87 | -------------------------------------------------------------------------------- /src/tests/ocaml/pkcs11.conf: -------------------------------------------------------------------------------- 1 | (* Path to PKCS#11 Library to use *) 2 | (* Libname should point to the library to be tested *) 3 | Libname = "/usr/local/lib/softhsm/libsofthsm.so" 4 | (* Libname = "../../client-lib/libp11clientfoo.so" *) 5 | (* PIN for the token under test *) 6 | Pin = "mytestPIN" 7 | -------------------------------------------------------------------------------- /src/tests/ocaml/sensitive_is_sticky.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/sensitive_is_sticky.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_common 71 | open P11_for_generic 72 | 73 | let this_scenario = 74 | let template_s = [| attr_sensitive |] in 75 | let template_sf = [| attr_sensitivef |] in 76 | [(("sensitive", template_s), S); (("non_sensitive", template_sf), G)] 77 | 78 | (* creating a sensitive key and then trying to set sensitive to false and get the key value *) 79 | 80 | -------------------------------------------------------------------------------- /src/tests/ocaml/wrap_and_decrypt_1.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/wrap_and_decrypt_1.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | 71 | open P11_common 72 | open P11_for_generic 73 | 74 | 75 | let this_scenario = 76 | let template_wd = [| attr_wrap ; attr_decrypt |] in 77 | [ ( ("template_wd", template_wd), W) ; ( ("empty", [||]), D ) ] 78 | 79 | (* this test creates a key with attributes wrap and decrypt set to true 80 | and uses this key to wrap key_to_leak before decrypting the 81 | result of the wrap, which should yield the value of key_to_leak. *) 82 | -------------------------------------------------------------------------------- /src/tests/ocaml/wrap_and_decrypt_2.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/wrap_and_decrypt_2.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_common 71 | open P11_for_generic 72 | 73 | 74 | let this_scenario = 75 | let template_w = [| attr_wrap |] in 76 | let template_d = [| attr_decrypt |] in 77 | [ ( ("template_w", template_w), W) ; ( ("template_d", template_d), D ) ] 78 | 79 | (* this test creates a key with attribute wrap set to true 80 | and uses this key to wrap key_to_leak before setting the decrypt 81 | attribute to true and trying to decrypt the 82 | result of the wrap, which should yield the value of key_to_leak. *) 83 | -------------------------------------------------------------------------------- /src/tests/ocaml/wrap_and_decrypt_3.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/wrap_and_decrypt_3.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_common 71 | open P11_for_generic 72 | 73 | 74 | let this_scenario = 75 | let template_w = [| attr_wrap |] in 76 | let template_wfd = [| attr_wrapf; attr_decrypt |] in 77 | [ ( ("template_w", template_w), W) ; ( ("template_wfd", template_wfd), D ) ] 78 | 79 | (* this test creates a key with attribute wrap set to true 80 | and uses this key to wrap key_to_leak before setting the wrap attribute 81 | to false and decrypt 82 | attribute to true and trying to decrypt the 83 | result of the wrap, which should yield the value of key_to_leak. *) 84 | 85 | -------------------------------------------------------------------------------- /src/tests/ocaml/wrap_and_decrypt_4.ml: -------------------------------------------------------------------------------- 1 | (************************* MIT License HEADER ************************************ 2 | Copyright ANSSI (2013-2015) 3 | Contributors : Ryad BENADJILA [ryadbenadjila@gmail.com], 4 | Thomas CALDERON [calderon.thomas@gmail.com] 5 | Marion DAUBIGNARD [marion.daubignard@ssi.gouv.fr] 6 | 7 | This software is a computer program whose purpose is to implement 8 | a PKCS#11 proxy as well as a PKCS#11 filter with security features 9 | in mind. The project source tree is subdivided in six parts. 10 | There are five main parts: 11 | 1] OCaml/C PKCS#11 bindings (using OCaml IDL). 12 | 2] XDR RPC generators (to be used with ocamlrpcgen and/or rpcgen). 13 | 3] A PKCS#11 RPC server (daemon) in OCaml using a Netplex RPC basis. 14 | 4] A PKCS#11 filtering module used as a backend to the RPC server. 15 | 5] A PKCS#11 client module that comes as a dynamic library offering 16 | the PKCS#11 API to the software. 17 | There is one "optional" part: 18 | 6] Tests in C and OCaml to be used with client module 5] or with the 19 | bindings 1] 20 | 21 | Here is a big picture of how the PKCS#11 proxy works: 22 | 23 | ---------------------- -------- socket (TCP or Unix) -------------------- 24 | | 3] PKCS#11 RPC server|-|2] RPC |<+++++++++++++++++++> | 5] Client library | 25 | ---------------------- | Layer | [SSL/TLS optional] | -------- | 26 | | -------- | |2] RPC | PKCS#11 | 27 | ---------------------- | | Layer |functions| 28 | | 4] PKCS#11 filter | | -------- | 29 | ---------------------- -------------------- 30 | | | 31 | ---------------------- | 32 | | 1] PKCS#11 OCaml | { PKCS#11 INTERFACE } 33 | | bindings | | 34 | ---------------------- APPLICATION 35 | | 36 | | 37 | { PKCS#11 INTERFACE } 38 | | 39 | REAL PKCS#11 MIDDLEWARE 40 | (shared library) 41 | 42 | Permission is hereby granted, free of charge, to any person obtaining a copy 43 | of this software and associated documentation files (the "Software"), to deal 44 | in the Software without restriction, including without limitation the rights 45 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 46 | copies of the Software, and to permit persons to whom the Software is 47 | furnished to do so, subject to the following conditions: 48 | 49 | The above copyright notice and this permission notice shall be included in 50 | all copies or substantial portions of the Software. 51 | 52 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 53 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 54 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 55 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 56 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 57 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 58 | THE SOFTWARE. 59 | 60 | Except as contained in this notice, the name(s) of the above copyright holders 61 | shall not be used in advertising or otherwise to promote the sale, use or other 62 | dealings in this Software without prior written authorization. 63 | 64 | The current source code is part of the tests 6] source tree. 65 | 66 | Project: PKCS#11 Filtering Proxy 67 | File: src/tests/ocaml/wrap_and_decrypt_4.ml 68 | 69 | ************************** MIT License HEADER ***********************************) 70 | open P11_common 71 | open P11_for_generic 72 | 73 | 74 | let this_scenario = 75 | let template_w = [| attr_wrap |] in 76 | let template_d = [| attr_decrypt |] in 77 | let template_wf = [| attr_wrapf |] in 78 | [ ( ("template_w", template_w), W) ; ( ("template_wf", template_wf), S ) ; ( ("template_d", template_d), D ) ] 79 | (* this test creates a key with attribute wrap set to true 80 | and uses this key to wrap key_to_leak before setting the wrap attribute 81 | to false, and then setting the decrypt 82 | attribute to true and trying to decrypt the 83 | result of the wrap, which should yield the value of key_to_leak. *) 84 | 85 | --------------------------------------------------------------------------------