Pass the PKCS11 keyid as chunk, not as string
authorMartin Willi <martin@revosec.ch>
Fri, 16 Jul 2010 08:48:29 +0000 (10:48 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 4 Aug 2010 07:26:20 +0000 (09:26 +0200)
src/libcharon/plugins/stroke/stroke_cred.c
src/libstrongswan/credentials/builder.h
src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c

index d683afa..6f59dbe 100644 (file)
@@ -932,6 +932,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                        char smartcard[64], keyid[64], module[64], *pos;
                        private_key_t *key;
                        u_int slot;
+                       chunk_t chunk;
                        enum {
                                SC_FORMAT_SLOT_MODULE_KEYID,
                                SC_FORMAT_SLOT_KEYID,
@@ -998,6 +999,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                                goto error;
                        }
 
+                       chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
                        switch (format)
                        {
                                case SC_FORMAT_SLOT_MODULE_KEYID:
@@ -1005,23 +1007,24 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                                                                        CRED_PRIVATE_KEY, KEY_ANY,
                                                                        BUILD_PKCS11_SLOT, slot,
                                                                        BUILD_PKCS11_MODULE, module,
-                                                                       BUILD_PKCS11_KEYID, keyid,
+                                                                       BUILD_PKCS11_KEYID, chunk,
                                                                        BUILD_PASSPHRASE, secret, BUILD_END);
                                        break;
                                case SC_FORMAT_SLOT_KEYID:
                                        key = lib->creds->create(lib->creds,
                                                                        CRED_PRIVATE_KEY, KEY_ANY,
                                                                        BUILD_PKCS11_SLOT, slot,
-                                                                       BUILD_PKCS11_KEYID, keyid,
+                                                                       BUILD_PKCS11_KEYID, chunk,
                                                                        BUILD_PASSPHRASE, secret, BUILD_END);
                                        break;
                                case SC_FORMAT_KEYID:
                                        key = lib->creds->create(lib->creds,
                                                                        CRED_PRIVATE_KEY, KEY_ANY,
-                                                                       BUILD_PKCS11_KEYID, keyid,
+                                                                       BUILD_PKCS11_KEYID, chunk,
                                                                        BUILD_PASSPHRASE, secret, BUILD_END);
                                        break;
                        }
+                       free(chunk.ptr);
                        if (key)
                        {
                                DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
index 891c178..24d8ce8 100644 (file)
@@ -107,7 +107,7 @@ enum builder_part_t {
        BUILD_PKCS11_MODULE,
        /** slot specifier for a token in a PKCS#11 module, int */
        BUILD_PKCS11_SLOT,
-       /** key ID of a key on a token, null terminated char* */
+       /** key ID of a key on a token, chunk_t */
        BUILD_PKCS11_KEYID,
        /** modulus (n) of a RSA key, chunk_t */
        BUILD_RSA_MODULUS,
index d596fcf..3bca342 100644 (file)
@@ -451,9 +451,9 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 {
 #ifndef OPENSSL_NO_ENGINE
        private_openssl_rsa_private_key_t *this;
-       char *keyid = NULL, *engine_id = NULL;
+       char *engine_id = NULL;
        char keyname[64], pin[32];;
-       chunk_t secret = chunk_empty;
+       chunk_t secret = chunk_empty, keyid = chunk_empty;;
        EVP_PKEY *key;
        ENGINE *engine;
        int slot = -1;
@@ -463,7 +463,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
                switch (va_arg(args, builder_part_t))
                {
                        case BUILD_PKCS11_KEYID:
-                               keyid = va_arg(args, char*);
+                               keyid = va_arg(args, chunk_t);
                                continue;
                        case BUILD_PASSPHRASE:
                                secret = va_arg(args, chunk_t);
@@ -481,19 +481,22 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
                }
                break;
        }
-       if (!keyid || !secret.len || !secret.ptr)
+       if (!keyid.len || keyid.len > 40 || !secret.len)
        {
                return NULL;
        }
 
-       if (slot == -1)
+       memset(keyname, 0, sizeof(keyname));
+       if (slot != -1)
        {
-               snprintf(keyname, sizeof(keyname), "%s", keyid);
+               snprintf(keyname, sizeof(keyname), "%d:", slot);
        }
-       else
+       if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1)
        {
-               snprintf(keyname, sizeof(keyname), "%d:%s", slot, keyid);
+               return NULL;
        }
+       chunk_to_hex(keyid, keyname + strlen(keyname), FALSE);
+
        snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
 
        if (!engine_id)
@@ -504,7 +507,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
        engine = ENGINE_by_id(engine_id);
        if (!engine)
        {
-               DBG1(DBG_LIB, "engine '%s' is not available", engine_id);
+               DBG2(DBG_LIB, "engine '%s' is not available", engine_id);
                return NULL;
        }
        if (!ENGINE_init(engine))
index cce6afb..0084fb4 100644 (file)
@@ -276,17 +276,18 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
 pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 {
        private_pkcs11_private_key_t *this;
-       char *keyid = NULL, *module = NULL;
+       char *module = NULL;
+       chunk_t keyid, pin;
        int slot = -1;
        CK_RV rv;
-       chunk_t chunk, pin = chunk_empty;
 
+       keyid = pin = chunk_empty;
        while (TRUE)
        {
                switch (va_arg(args, builder_part_t))
                {
                        case BUILD_PKCS11_KEYID:
-                               keyid = va_arg(args, char*);
+                               keyid = va_arg(args, chunk_t);
                                continue;
                        case BUILD_PASSPHRASE:
                                pin = va_arg(args, chunk_t);
@@ -304,7 +305,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
                }
                break;
        }
-       if (!keyid || !pin.ptr || !pin.len || !module || slot == -1)
+       if (!keyid.len || !pin.len || !module || slot == -1)
        {       /* we currently require all parameters, TODO: search for pubkeys */
                return NULL;
        }
@@ -356,14 +357,11 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
                return NULL;
        }
 
-       chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
-       if (!find_key(this, chunk))
+       if (!find_key(this, keyid))
        {
-               free(chunk.ptr);
                destroy(this);
                return NULL;
        }
-       free(chunk.ptr);
 
        return &this->public;
 }