From 718526e0e9efbcf6f8aa5cfa411c06c21429011d Mon Sep 17 00:00:00 2001 From: james Date: Mon, 22 Oct 2007 20:06:14 +0000 Subject: Use pkcs11-helper as external library, can be downloaded from https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2418 e7ae566f-a301-0410-adde-c780ea21d3b5 --- options.c | 112 ++++++++++++-------------------------------------------------- 1 file changed, 21 insertions(+), 91 deletions(-) (limited to 'options.c') diff --git a/options.c b/options.c index 5cc7f23..8c5a268 100644 --- a/options.c +++ b/options.c @@ -75,6 +75,9 @@ const char title_string[] = #endif #ifdef USE_PTHREAD " [PTHREAD]" +#endif +#ifdef ENABLE_PKCS11 + " [PKCS11]" #endif " built on " __DATE__ ; @@ -501,25 +504,17 @@ static const char usage_message[] = "--pkcs11-providers provider ... : PKCS#11 provider to load.\n" "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n" " path. Set for each provider.\n" - "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n" - " auto : Try to determind automatically (default).\n" - " sign : Use Sign.\n" - " recover : Use SignRecover.\n" - " any : Use Sign and then SignRecover.\n" + "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n" + " 0 : Try to determind automatically (default).\n" + " 1 : Use Sign.\n" + " 2 : Use SignRecover.\n" + " 4 : Use Decrypt.\n" + " 8 : Use Unwrap.\n" "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n" " certificate can be accessed. Set for each provider.\n" "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n" " cache until token is removed.\n" - "--pkcs11-slot-type method : Slot locate method:\n" - " id : By slot id (numeric [prov:]slot#).\n" - " name : By slot name.\n" - " label : By the card label that resides in slot.\n" - "--pkcs11-slot name : The slot name.\n" - "--pkcs11-id-type method : Certificate and key locate method:\n" - " id : By the object id (hex format).\n" - " label : By the object label (string).\n" - " subject : By certificate subject (String).\n" - "--pkcs11-id name : The object name.\n" + "--pkcs11-id serialized-id : Identity to use, get using standalone --show-pkcs11-ids\n" #endif /* ENABLE_PKCS11 */ "\n" "SSL Library information:\n" @@ -600,8 +595,8 @@ static const char usage_message[] = #ifdef ENABLE_PKCS11 "\n" "PKCS#11 standalone options:\n" - "--show-pkcs11-slots provider : Show PKCS#11 provider available slots.\n" - "--show-pkcs11-objects provider slot : Show PKCS#11 token objects.\n" + "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n" + " --verb option can be added *BEFORE* this.\n" #endif /* ENABLE_PKCS11 */ ; @@ -1280,8 +1275,8 @@ show_settings (const struct options *o) } { int i; - for (i=0;ipkcs11_sign_mode[i] != NULL;i++) - SHOW_PARM (pkcs11_sign_mode, o->pkcs11_sign_mode[i], "%s"); + for (i=0;ipkcs11_private_mode[i], "%08x"); } { int i; @@ -1289,9 +1284,6 @@ show_settings (const struct options *o) SHOW_PARM (pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s"); } SHOW_INT (pkcs11_pin_cache_period); - SHOW_STR (pkcs11_slot_type); - SHOW_STR (pkcs11_slot); - SHOW_STR (pkcs11_id_type); SHOW_STR (pkcs11_id); #endif /* ENABLE_PKCS11 */ @@ -1764,35 +1756,7 @@ options_postprocess (struct options *options, bool first_time) #ifdef ENABLE_PKCS11 if (options->pkcs11_providers[0]) { - int j; notnull (options->ca_file, "CA file (--ca)"); - - for (j=0;jpkcs11_sign_mode[j] != NULL;j++) - { - if ( - !string_defined_equal (options->pkcs11_sign_mode[j], "auto") && - !string_defined_equal (options->pkcs11_sign_mode[j], "recover") && - !string_defined_equal (options->pkcs11_sign_mode[j], "sign") - ) - msg(M_USAGE, "Parameter --pkcs11-sign-mode value is invalid."); - } - - if ( - !string_defined_equal (options->pkcs11_slot_type, "id") && - !string_defined_equal (options->pkcs11_slot_type, "name") && - !string_defined_equal (options->pkcs11_slot_type, "label") - ) - msg(M_USAGE, "Parameter --pkcs11-slot-type value is invalid."); - - notnull (options->pkcs11_slot, "PKCS#11 slot name (--pkcs11-slot)"); - - if ( - !string_defined_equal (options->pkcs11_id_type, "id") && - !string_defined_equal (options->pkcs11_id_type, "label") && - !string_defined_equal (options->pkcs11_id_type, "subject") - ) - msg(M_USAGE, "Parameter --pkcs11-id-type value is invalid."); - notnull (options->pkcs11_id, "PKCS#11 id (--pkcs11-id)"); if (options->cert_file) @@ -1895,10 +1859,7 @@ options_postprocess (struct options *options, bool first_time) MUST_BE_UNDEF (remote_cert_eku); #ifdef ENABLE_PKCS11 MUST_BE_UNDEF (pkcs11_providers[0]); - MUST_BE_UNDEF (pkcs11_sign_mode[0]); - MUST_BE_UNDEF (pkcs11_slot_type); - MUST_BE_UNDEF (pkcs11_slot); - MUST_BE_UNDEF (pkcs11_id_type); + MUST_BE_UNDEF (pkcs11_private_mode); MUST_BE_UNDEF (pkcs11_id); #endif @@ -5098,31 +5059,15 @@ add_option (struct options *options, #endif /* USE_SSL */ #endif /* USE_CRYPTO */ #ifdef ENABLE_PKCS11 - else if (streq (p[0], "show-pkcs11-slots") && p[1]) - { - char *module = p[1]; - VERIFY_PERMISSION (OPT_P_GENERAL); - show_pkcs11_slots (module); - openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ - } - else if (streq (p[0], "show-pkcs11-objects") && p[1] && p[2]) + else if (streq (p[0], "show-pkcs11-ids") && p[1]) { char *provider = p[1]; - char *slot = p[2]; - struct gc_arena gc = gc_new (); - struct buffer pass_prompt = alloc_buf_gc (128, &gc); - char pin[256]; + bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 )); VERIFY_PERMISSION (OPT_P_GENERAL); - buf_printf (&pass_prompt, "PIN:"); - - if (!get_console_input (BSTR (&pass_prompt), false, pin, sizeof (pin))) - msg (M_FATAL, "Cannot read password from stdin"); - - gc_free (&gc); - - show_pkcs11_objects (provider, slot, pin); + set_debug_level (options->verbosity, SDL_CONSTRAIN); + show_pkcs11_ids (provider, cert_private); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } else if (streq (p[0], "pkcs11-providers") && p[1]) @@ -5143,14 +5088,14 @@ add_option (struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) options->pkcs11_protected_authentication[j-1] = atoi (p[j]) != 0 ? 1 : 0; } - else if (streq (p[0], "pkcs11-sign-mode") && p[1]) + else if (streq (p[0], "pkcs11-private-mode") && p[1]) { int j; VERIFY_PERMISSION (OPT_P_GENERAL); for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) - options->pkcs11_sign_mode[j-1] = p[j]; + sscanf (p[j], "%x", &(options->pkcs11_private_mode[j-1])); } else if (streq (p[0], "pkcs11-cert-private")) { @@ -5166,21 +5111,6 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_GENERAL); options->pkcs11_pin_cache_period = atoi (p[1]); } - else if (streq (p[0], "pkcs11-slot-type") && p[1]) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - options->pkcs11_slot_type = p[1]; - } - else if (streq (p[0], "pkcs11-slot") && p[1]) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - options->pkcs11_slot = p[1]; - } - else if (streq (p[0], "pkcs11-id-type") && p[1]) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - options->pkcs11_id_type = p[1]; - } else if (streq (p[0], "pkcs11-id") && p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); -- cgit