TclPKCS11

Check-in [dfd4dfccb3]
Overview
Comment:Better handling of singlepart signing
SHA3-256: dfd4dfccb3ab18166d627f3cc5d3aead27c8a5016c3af4628ccc8c2586063118
User & Date: rkeene on 2019-06-12 21:03:33
Context
2019-06-12
21:04
Additional cleanup check-in: 71e86b341f user: rkeene tags: trunk
21:03
Better handling of singlepart signing check-in: dfd4dfccb3 user: rkeene tags: trunk
06:22
More work on updating build system check-in: a09823afee user: rkeene tags: trunk
Changes

Modified tclpkcs11.c from [9bdc58f8f5] to [6a093d42b0].

58
59
60
61
62
63
64

65


66
67
68

69
70

71
72

73
74

75
76

77
78

79
80

81
82

83
84

85
86

87
88

89
90

91
92

93
94

95
96

97
98

99
100

101
102

103
104

105
106

107
108

109
110

111
112

113
114

115
116

117
118

119
120

121
122

123
124

125
126

127
128

129
130

131
132

133
134

135
136

137
138

139
140

141
142

143
144

145
146

147
148

149
150

151
152

153
154

155
156

157
158

159
160

161
162

163
164

165
166

167
168

169
170

171
172

173
174

175
176

177
178

179
180

181
182

183
184

185
186

187
188

189
190

191
192

193
194

195
196

197
198

199
200

201
202

203
204

205
206

207
208

209
210

211
212

213
214

215
216

217
218

219
220

221
222

223
224

225
226

227
228

229
230

231
232

233
234

235
236

237
238

239
240

241
242

243
244

245





246
247
248
249
250
251
252
	CK_SLOT_ID session_slot;
	CK_SESSION_HANDLE session;
};

/*
 * Tcl <--> PKCS11 Bridge Functions
 */ 

MODULE_SCOPE Tcl_Obj *tclpkcs11_pkcs11_error(CK_RV errorCode) {


	switch (errorCode) {
		case CKR_OK:
			return(Tcl_NewStringObj("PKCS11_OK OK", -1));

		case CKR_CANCEL:
			return(Tcl_NewStringObj("PKCS11_ERROR CANCEL", -1));

		case CKR_HOST_MEMORY:
			return(Tcl_NewStringObj("PKCS11_ERROR HOST_MEMORY", -1));

		case CKR_SLOT_ID_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR SLOT_ID_INVALID", -1));

		case CKR_GENERAL_ERROR:
			return(Tcl_NewStringObj("PKCS11_ERROR GENERAL_ERROR", -1));

		case CKR_FUNCTION_FAILED:
			return(Tcl_NewStringObj("PKCS11_ERROR FUNCTION_FAILED", -1));

		case CKR_ARGUMENTS_BAD:
			return(Tcl_NewStringObj("PKCS11_ERROR ARGUMENTS_BAD", -1));

		case CKR_NO_EVENT:
			return(Tcl_NewStringObj("PKCS11_ERROR NO_EVENT", -1));

		case CKR_NEED_TO_CREATE_THREADS:
			return(Tcl_NewStringObj("PKCS11_ERROR NEED_TO_CREATE_THREADS", -1));

		case CKR_CANT_LOCK:
			return(Tcl_NewStringObj("PKCS11_ERROR CANT_LOCK", -1));

		case CKR_ATTRIBUTE_READ_ONLY:
			return(Tcl_NewStringObj("PKCS11_ERROR ATTRIBUTE_READ_ONLY", -1));

		case CKR_ATTRIBUTE_SENSITIVE:
			return(Tcl_NewStringObj("PKCS11_ERROR ATTRIBUTE_SENSITIVE", -1));

		case CKR_ATTRIBUTE_TYPE_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR ATTRIBUTE_TYPE_INVALID", -1));

		case CKR_ATTRIBUTE_VALUE_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR ATTRIBUTE_VALUE_INVALID", -1));

		case CKR_DATA_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR DATA_INVALID", -1));

		case CKR_DATA_LEN_RANGE:
			return(Tcl_NewStringObj("PKCS11_ERROR DATA_LEN_RANGE", -1));

		case CKR_DEVICE_ERROR:
			return(Tcl_NewStringObj("PKCS11_ERROR DEVICE_ERROR", -1));

		case CKR_DEVICE_MEMORY:
			return(Tcl_NewStringObj("PKCS11_ERROR DEVICE_MEMORY", -1));

		case CKR_DEVICE_REMOVED:
			return(Tcl_NewStringObj("PKCS11_ERROR DEVICE_REMOVED", -1));

		case CKR_ENCRYPTED_DATA_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR ENCRYPTED_DATA_INVALID", -1));

		case CKR_ENCRYPTED_DATA_LEN_RANGE:
			return(Tcl_NewStringObj("PKCS11_ERROR ENCRYPTED_DATA_LEN_RANGE", -1));

		case CKR_FUNCTION_CANCELED:
			return(Tcl_NewStringObj("PKCS11_ERROR FUNCTION_CANCELED", -1));

		case CKR_FUNCTION_NOT_PARALLEL:
			return(Tcl_NewStringObj("PKCS11_ERROR FUNCTION_NOT_PARALLEL", -1));

		case CKR_FUNCTION_NOT_SUPPORTED:
			return(Tcl_NewStringObj("PKCS11_ERROR FUNCTION_NOT_SUPPORTED", -1));

		case CKR_KEY_HANDLE_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR KEY_HANDLE_INVALID", -1));

		case CKR_KEY_SIZE_RANGE:
			return(Tcl_NewStringObj("PKCS11_ERROR KEY_SIZE_RANGE", -1));

		case CKR_KEY_TYPE_INCONSISTENT:
			return(Tcl_NewStringObj("PKCS11_ERROR KEY_TYPE_INCONSISTENT", -1));

		case CKR_KEY_NOT_NEEDED:
			return(Tcl_NewStringObj("PKCS11_ERROR KEY_NOT_NEEDED", -1));

		case CKR_KEY_CHANGED:
			return(Tcl_NewStringObj("PKCS11_ERROR KEY_CHANGED", -1));

		case CKR_KEY_NEEDED:
			return(Tcl_NewStringObj("PKCS11_ERROR KEY_NEEDED", -1));

		case CKR_KEY_INDIGESTIBLE:
			return(Tcl_NewStringObj("PKCS11_ERROR KEY_INDIGESTIBLE", -1));

		case CKR_KEY_FUNCTION_NOT_PERMITTED:
			return(Tcl_NewStringObj("PKCS11_ERROR KEY_FUNCTION_NOT_PERMITTED", -1));

		case CKR_KEY_NOT_WRAPPABLE:
			return(Tcl_NewStringObj("PKCS11_ERROR KEY_NOT_WRAPPABLE", -1));

		case CKR_KEY_UNEXTRACTABLE:
			return(Tcl_NewStringObj("PKCS11_ERROR KEY_UNEXTRACTABLE", -1));

		case CKR_MECHANISM_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR MECHANISM_INVALID", -1));

		case CKR_MECHANISM_PARAM_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR MECHANISM_PARAM_INVALID", -1));

		case CKR_OBJECT_HANDLE_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR OBJECT_HANDLE_INVALID", -1));

		case CKR_OPERATION_ACTIVE:
			return(Tcl_NewStringObj("PKCS11_ERROR OPERATION_ACTIVE", -1));

		case CKR_OPERATION_NOT_INITIALIZED:
			return(Tcl_NewStringObj("PKCS11_ERROR OPERATION_NOT_INITIALIZED", -1));

		case CKR_PIN_INCORRECT:
			return(Tcl_NewStringObj("PKCS11_ERROR PIN_INCORRECT", -1));

		case CKR_PIN_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR PIN_INVALID", -1));

		case CKR_PIN_LEN_RANGE:
			return(Tcl_NewStringObj("PKCS11_ERROR PIN_LEN_RANGE", -1));

		case CKR_PIN_EXPIRED:
			return(Tcl_NewStringObj("PKCS11_ERROR PIN_EXPIRED", -1));

		case CKR_PIN_LOCKED:
			return(Tcl_NewStringObj("PKCS11_ERROR PIN_LOCKED", -1));

		case CKR_SESSION_CLOSED:
			return(Tcl_NewStringObj("PKCS11_ERROR SESSION_CLOSED", -1));

		case CKR_SESSION_COUNT:
			return(Tcl_NewStringObj("PKCS11_ERROR SESSION_COUNT", -1));

		case CKR_SESSION_HANDLE_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR SESSION_HANDLE_INVALID", -1));

		case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
			return(Tcl_NewStringObj("PKCS11_ERROR SESSION_PARALLEL_NOT_SUPPORTED", -1));

		case CKR_SESSION_READ_ONLY:
			return(Tcl_NewStringObj("PKCS11_ERROR SESSION_READ_ONLY", -1));

		case CKR_SESSION_EXISTS:
			return(Tcl_NewStringObj("PKCS11_ERROR SESSION_EXISTS", -1));

		case CKR_SESSION_READ_ONLY_EXISTS:
			return(Tcl_NewStringObj("PKCS11_ERROR SESSION_READ_ONLY_EXISTS", -1));

		case CKR_SESSION_READ_WRITE_SO_EXISTS:
			return(Tcl_NewStringObj("PKCS11_ERROR SESSION_READ_WRITE_SO_EXISTS", -1));

		case CKR_SIGNATURE_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR SIGNATURE_INVALID", -1));

		case CKR_SIGNATURE_LEN_RANGE:
			return(Tcl_NewStringObj("PKCS11_ERROR SIGNATURE_LEN_RANGE", -1));

		case CKR_TEMPLATE_INCOMPLETE:
			return(Tcl_NewStringObj("PKCS11_ERROR TEMPLATE_INCOMPLETE", -1));

		case CKR_TEMPLATE_INCONSISTENT:
			return(Tcl_NewStringObj("PKCS11_ERROR TEMPLATE_INCONSISTENT", -1));

		case CKR_TOKEN_NOT_PRESENT:
			return(Tcl_NewStringObj("PKCS11_ERROR TOKEN_NOT_PRESENT", -1));

		case CKR_TOKEN_NOT_RECOGNIZED:
			return(Tcl_NewStringObj("PKCS11_ERROR TOKEN_NOT_RECOGNIZED", -1));

		case CKR_TOKEN_WRITE_PROTECTED:
			return(Tcl_NewStringObj("PKCS11_ERROR TOKEN_WRITE_PROTECTED", -1));

		case CKR_UNWRAPPING_KEY_HANDLE_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR UNWRAPPING_KEY_HANDLE_INVALID", -1));

		case CKR_UNWRAPPING_KEY_SIZE_RANGE:
			return(Tcl_NewStringObj("PKCS11_ERROR UNWRAPPING_KEY_SIZE_RANGE", -1));

		case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT:
			return(Tcl_NewStringObj("PKCS11_ERROR UNWRAPPING_KEY_TYPE_INCONSISTENT", -1));

		case CKR_USER_ALREADY_LOGGED_IN:
			return(Tcl_NewStringObj("PKCS11_ERROR USER_ALREADY_LOGGED_IN", -1));

		case CKR_USER_NOT_LOGGED_IN:
			return(Tcl_NewStringObj("PKCS11_ERROR USER_NOT_LOGGED_IN", -1));

		case CKR_USER_PIN_NOT_INITIALIZED:
			return(Tcl_NewStringObj("PKCS11_ERROR USER_PIN_NOT_INITIALIZED", -1));

		case CKR_USER_TYPE_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR USER_TYPE_INVALID", -1));

		case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
			return(Tcl_NewStringObj("PKCS11_ERROR USER_ANOTHER_ALREADY_LOGGED_IN", -1));

		case CKR_USER_TOO_MANY_TYPES:
			return(Tcl_NewStringObj("PKCS11_ERROR USER_TOO_MANY_TYPES", -1));

		case CKR_WRAPPED_KEY_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR WRAPPED_KEY_INVALID", -1));

		case CKR_WRAPPED_KEY_LEN_RANGE:
			return(Tcl_NewStringObj("PKCS11_ERROR WRAPPED_KEY_LEN_RANGE", -1));

		case CKR_WRAPPING_KEY_HANDLE_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR WRAPPING_KEY_HANDLE_INVALID", -1));

		case CKR_WRAPPING_KEY_SIZE_RANGE:
			return(Tcl_NewStringObj("PKCS11_ERROR WRAPPING_KEY_SIZE_RANGE", -1));

		case CKR_WRAPPING_KEY_TYPE_INCONSISTENT:
			return(Tcl_NewStringObj("PKCS11_ERROR WRAPPING_KEY_TYPE_INCONSISTENT", -1));

		case CKR_RANDOM_SEED_NOT_SUPPORTED:
			return(Tcl_NewStringObj("PKCS11_ERROR RANDOM_SEED_NOT_SUPPORTED", -1));

		case CKR_RANDOM_NO_RNG:
			return(Tcl_NewStringObj("PKCS11_ERROR RANDOM_NO_RNG", -1));

		case CKR_DOMAIN_PARAMS_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR DOMAIN_PARAMS_INVALID", -1));

		case CKR_BUFFER_TOO_SMALL:
			return(Tcl_NewStringObj("PKCS11_ERROR BUFFER_TOO_SMALL", -1));

		case CKR_SAVED_STATE_INVALID:
			return(Tcl_NewStringObj("PKCS11_ERROR SAVED_STATE_INVALID", -1));

		case CKR_INFORMATION_SENSITIVE:
			return(Tcl_NewStringObj("PKCS11_ERROR INFORMATION_SENSITIVE", -1));

		case CKR_STATE_UNSAVEABLE:
			return(Tcl_NewStringObj("PKCS11_ERROR STATE_UNSAVEABLE", -1));

		case CKR_CRYPTOKI_NOT_INITIALIZED:
			return(Tcl_NewStringObj("PKCS11_ERROR CRYPTOKI_NOT_INITIALIZED", -1));

		case CKR_CRYPTOKI_ALREADY_INITIALIZED:
			return(Tcl_NewStringObj("PKCS11_ERROR CRYPTOKI_ALREADY_INITIALIZED", -1));

		case CKR_MUTEX_BAD:
			return(Tcl_NewStringObj("PKCS11_ERROR MUTEX_BAD", -1));

		case CKR_MUTEX_NOT_LOCKED:
			return(Tcl_NewStringObj("PKCS11_ERROR MUTEX_NOT_LOCKED", -1));

		case CKR_NEW_PIN_MODE:
			return(Tcl_NewStringObj("PKCS11_ERROR NEW_PIN_MODE", -1));

		case CKR_NEXT_OTP:
			return(Tcl_NewStringObj("PKCS11_ERROR NEXT_OTP", -1));

		case CKR_FUNCTION_REJECTED:
			return(Tcl_NewStringObj("PKCS11_ERROR FUNCTION_REJECTED", -1));

		case CKR_VENDOR_DEFINED:
			return(Tcl_NewStringObj("PKCS11_ERROR VENDOR_DEFINED", -1));

	}


	return(Tcl_NewStringObj("PKCS11_ERROR UNKNOWN", -1));





}

MODULE_SCOPE Tcl_Obj *tclpkcs11_bytearray_to_string(const unsigned char *data, unsigned long datalen) {
	static char alphabet[] = "0123456789abcdef";
	unsigned long idx, bufidx;
	Tcl_Obj *retval;
	char buf[1024];







>
|
>
>


|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>

|
>


>
|
>
>
>
>
>







58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
	CK_SLOT_ID session_slot;
	CK_SESSION_HANDLE session;
};

/*
 * Tcl <--> PKCS11 Bridge Functions
 */ 
#define tclpkcs11_pkcs11_error(x) INTtclpkcs11_pkcs11_error(x, __LINE__)
MODULE_SCOPE Tcl_Obj *INTtclpkcs11_pkcs11_error(CK_RV errorCode, int lineNumber) {
	Tcl_Obj *retval;

	switch (errorCode) {
		case CKR_OK:
			retval = Tcl_NewStringObj("PKCS11_OK OK", -1);
			break;
		case CKR_CANCEL:
			retval = Tcl_NewStringObj("PKCS11_ERROR CANCEL", -1);
			break;
		case CKR_HOST_MEMORY:
			retval = Tcl_NewStringObj("PKCS11_ERROR HOST_MEMORY", -1);
			break;
		case CKR_SLOT_ID_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR SLOT_ID_INVALID", -1);
			break;
		case CKR_GENERAL_ERROR:
			retval = Tcl_NewStringObj("PKCS11_ERROR GENERAL_ERROR", -1);
			break;
		case CKR_FUNCTION_FAILED:
			retval = Tcl_NewStringObj("PKCS11_ERROR FUNCTION_FAILED", -1);
			break;
		case CKR_ARGUMENTS_BAD:
			retval = Tcl_NewStringObj("PKCS11_ERROR ARGUMENTS_BAD", -1);
			break;
		case CKR_NO_EVENT:
			retval = Tcl_NewStringObj("PKCS11_ERROR NO_EVENT", -1);
			break;
		case CKR_NEED_TO_CREATE_THREADS:
			retval = Tcl_NewStringObj("PKCS11_ERROR NEED_TO_CREATE_THREADS", -1);
			break;
		case CKR_CANT_LOCK:
			retval = Tcl_NewStringObj("PKCS11_ERROR CANT_LOCK", -1);
			break;
		case CKR_ATTRIBUTE_READ_ONLY:
			retval = Tcl_NewStringObj("PKCS11_ERROR ATTRIBUTE_READ_ONLY", -1);
			break;
		case CKR_ATTRIBUTE_SENSITIVE:
			retval = Tcl_NewStringObj("PKCS11_ERROR ATTRIBUTE_SENSITIVE", -1);
			break;
		case CKR_ATTRIBUTE_TYPE_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR ATTRIBUTE_TYPE_INVALID", -1);
			break;
		case CKR_ATTRIBUTE_VALUE_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR ATTRIBUTE_VALUE_INVALID", -1);
			break;
		case CKR_DATA_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR DATA_INVALID", -1);
			break;
		case CKR_DATA_LEN_RANGE:
			retval = Tcl_NewStringObj("PKCS11_ERROR DATA_LEN_RANGE", -1);
			break;
		case CKR_DEVICE_ERROR:
			retval = Tcl_NewStringObj("PKCS11_ERROR DEVICE_ERROR", -1);
			break;
		case CKR_DEVICE_MEMORY:
			retval = Tcl_NewStringObj("PKCS11_ERROR DEVICE_MEMORY", -1);
			break;
		case CKR_DEVICE_REMOVED:
			retval = Tcl_NewStringObj("PKCS11_ERROR DEVICE_REMOVED", -1);
			break;
		case CKR_ENCRYPTED_DATA_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR ENCRYPTED_DATA_INVALID", -1);
			break;
		case CKR_ENCRYPTED_DATA_LEN_RANGE:
			retval = Tcl_NewStringObj("PKCS11_ERROR ENCRYPTED_DATA_LEN_RANGE", -1);
			break;
		case CKR_FUNCTION_CANCELED:
			retval = Tcl_NewStringObj("PKCS11_ERROR FUNCTION_CANCELED", -1);
			break;
		case CKR_FUNCTION_NOT_PARALLEL:
			retval = Tcl_NewStringObj("PKCS11_ERROR FUNCTION_NOT_PARALLEL", -1);
			break;
		case CKR_FUNCTION_NOT_SUPPORTED:
			retval = Tcl_NewStringObj("PKCS11_ERROR FUNCTION_NOT_SUPPORTED", -1);
			break;
		case CKR_KEY_HANDLE_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR KEY_HANDLE_INVALID", -1);
			break;
		case CKR_KEY_SIZE_RANGE:
			retval = Tcl_NewStringObj("PKCS11_ERROR KEY_SIZE_RANGE", -1);
			break;
		case CKR_KEY_TYPE_INCONSISTENT:
			retval = Tcl_NewStringObj("PKCS11_ERROR KEY_TYPE_INCONSISTENT", -1);
			break;
		case CKR_KEY_NOT_NEEDED:
			retval = Tcl_NewStringObj("PKCS11_ERROR KEY_NOT_NEEDED", -1);
			break;
		case CKR_KEY_CHANGED:
			retval = Tcl_NewStringObj("PKCS11_ERROR KEY_CHANGED", -1);
			break;
		case CKR_KEY_NEEDED:
			retval = Tcl_NewStringObj("PKCS11_ERROR KEY_NEEDED", -1);
			break;
		case CKR_KEY_INDIGESTIBLE:
			retval = Tcl_NewStringObj("PKCS11_ERROR KEY_INDIGESTIBLE", -1);
			break;
		case CKR_KEY_FUNCTION_NOT_PERMITTED:
			retval = Tcl_NewStringObj("PKCS11_ERROR KEY_FUNCTION_NOT_PERMITTED", -1);
			break;
		case CKR_KEY_NOT_WRAPPABLE:
			retval = Tcl_NewStringObj("PKCS11_ERROR KEY_NOT_WRAPPABLE", -1);
			break;
		case CKR_KEY_UNEXTRACTABLE:
			retval = Tcl_NewStringObj("PKCS11_ERROR KEY_UNEXTRACTABLE", -1);
			break;
		case CKR_MECHANISM_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR MECHANISM_INVALID", -1);
			break;
		case CKR_MECHANISM_PARAM_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR MECHANISM_PARAM_INVALID", -1);
			break;
		case CKR_OBJECT_HANDLE_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR OBJECT_HANDLE_INVALID", -1);
			break;
		case CKR_OPERATION_ACTIVE:
			retval = Tcl_NewStringObj("PKCS11_ERROR OPERATION_ACTIVE", -1);
			break;
		case CKR_OPERATION_NOT_INITIALIZED:
			retval = Tcl_NewStringObj("PKCS11_ERROR OPERATION_NOT_INITIALIZED", -1);
			break;
		case CKR_PIN_INCORRECT:
			retval = Tcl_NewStringObj("PKCS11_ERROR PIN_INCORRECT", -1);
			break;
		case CKR_PIN_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR PIN_INVALID", -1);
			break;
		case CKR_PIN_LEN_RANGE:
			retval = Tcl_NewStringObj("PKCS11_ERROR PIN_LEN_RANGE", -1);
			break;
		case CKR_PIN_EXPIRED:
			retval = Tcl_NewStringObj("PKCS11_ERROR PIN_EXPIRED", -1);
			break;
		case CKR_PIN_LOCKED:
			retval = Tcl_NewStringObj("PKCS11_ERROR PIN_LOCKED", -1);
			break;
		case CKR_SESSION_CLOSED:
			retval = Tcl_NewStringObj("PKCS11_ERROR SESSION_CLOSED", -1);
			break;
		case CKR_SESSION_COUNT:
			retval = Tcl_NewStringObj("PKCS11_ERROR SESSION_COUNT", -1);
			break;
		case CKR_SESSION_HANDLE_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR SESSION_HANDLE_INVALID", -1);
			break;
		case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
			retval = Tcl_NewStringObj("PKCS11_ERROR SESSION_PARALLEL_NOT_SUPPORTED", -1);
			break;
		case CKR_SESSION_READ_ONLY:
			retval = Tcl_NewStringObj("PKCS11_ERROR SESSION_READ_ONLY", -1);
			break;
		case CKR_SESSION_EXISTS:
			retval = Tcl_NewStringObj("PKCS11_ERROR SESSION_EXISTS", -1);
			break;
		case CKR_SESSION_READ_ONLY_EXISTS:
			retval = Tcl_NewStringObj("PKCS11_ERROR SESSION_READ_ONLY_EXISTS", -1);
			break;
		case CKR_SESSION_READ_WRITE_SO_EXISTS:
			retval = Tcl_NewStringObj("PKCS11_ERROR SESSION_READ_WRITE_SO_EXISTS", -1);
			break;
		case CKR_SIGNATURE_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR SIGNATURE_INVALID", -1);
			break;
		case CKR_SIGNATURE_LEN_RANGE:
			retval = Tcl_NewStringObj("PKCS11_ERROR SIGNATURE_LEN_RANGE", -1);
			break;
		case CKR_TEMPLATE_INCOMPLETE:
			retval = Tcl_NewStringObj("PKCS11_ERROR TEMPLATE_INCOMPLETE", -1);
			break;
		case CKR_TEMPLATE_INCONSISTENT:
			retval = Tcl_NewStringObj("PKCS11_ERROR TEMPLATE_INCONSISTENT", -1);
			break;
		case CKR_TOKEN_NOT_PRESENT:
			retval = Tcl_NewStringObj("PKCS11_ERROR TOKEN_NOT_PRESENT", -1);
			break;
		case CKR_TOKEN_NOT_RECOGNIZED:
			retval = Tcl_NewStringObj("PKCS11_ERROR TOKEN_NOT_RECOGNIZED", -1);
			break;
		case CKR_TOKEN_WRITE_PROTECTED:
			retval = Tcl_NewStringObj("PKCS11_ERROR TOKEN_WRITE_PROTECTED", -1);
			break;
		case CKR_UNWRAPPING_KEY_HANDLE_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR UNWRAPPING_KEY_HANDLE_INVALID", -1);
			break;
		case CKR_UNWRAPPING_KEY_SIZE_RANGE:
			retval = Tcl_NewStringObj("PKCS11_ERROR UNWRAPPING_KEY_SIZE_RANGE", -1);
			break;
		case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT:
			retval = Tcl_NewStringObj("PKCS11_ERROR UNWRAPPING_KEY_TYPE_INCONSISTENT", -1);
			break;
		case CKR_USER_ALREADY_LOGGED_IN:
			retval = Tcl_NewStringObj("PKCS11_ERROR USER_ALREADY_LOGGED_IN", -1);
			break;
		case CKR_USER_NOT_LOGGED_IN:
			retval = Tcl_NewStringObj("PKCS11_ERROR USER_NOT_LOGGED_IN", -1);
			break;
		case CKR_USER_PIN_NOT_INITIALIZED:
			retval = Tcl_NewStringObj("PKCS11_ERROR USER_PIN_NOT_INITIALIZED", -1);
			break;
		case CKR_USER_TYPE_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR USER_TYPE_INVALID", -1);
			break;
		case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
			retval = Tcl_NewStringObj("PKCS11_ERROR USER_ANOTHER_ALREADY_LOGGED_IN", -1);
			break;
		case CKR_USER_TOO_MANY_TYPES:
			retval = Tcl_NewStringObj("PKCS11_ERROR USER_TOO_MANY_TYPES", -1);
			break;
		case CKR_WRAPPED_KEY_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR WRAPPED_KEY_INVALID", -1);
			break;
		case CKR_WRAPPED_KEY_LEN_RANGE:
			retval = Tcl_NewStringObj("PKCS11_ERROR WRAPPED_KEY_LEN_RANGE", -1);
			break;
		case CKR_WRAPPING_KEY_HANDLE_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR WRAPPING_KEY_HANDLE_INVALID", -1);
			break;
		case CKR_WRAPPING_KEY_SIZE_RANGE:
			retval = Tcl_NewStringObj("PKCS11_ERROR WRAPPING_KEY_SIZE_RANGE", -1);
			break;
		case CKR_WRAPPING_KEY_TYPE_INCONSISTENT:
			retval = Tcl_NewStringObj("PKCS11_ERROR WRAPPING_KEY_TYPE_INCONSISTENT", -1);
			break;
		case CKR_RANDOM_SEED_NOT_SUPPORTED:
			retval = Tcl_NewStringObj("PKCS11_ERROR RANDOM_SEED_NOT_SUPPORTED", -1);
			break;
		case CKR_RANDOM_NO_RNG:
			retval = Tcl_NewStringObj("PKCS11_ERROR RANDOM_NO_RNG", -1);
			break;
		case CKR_DOMAIN_PARAMS_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR DOMAIN_PARAMS_INVALID", -1);
			break;
		case CKR_BUFFER_TOO_SMALL:
			retval = Tcl_NewStringObj("PKCS11_ERROR BUFFER_TOO_SMALL", -1);
			break;
		case CKR_SAVED_STATE_INVALID:
			retval = Tcl_NewStringObj("PKCS11_ERROR SAVED_STATE_INVALID", -1);
			break;
		case CKR_INFORMATION_SENSITIVE:
			retval = Tcl_NewStringObj("PKCS11_ERROR INFORMATION_SENSITIVE", -1);
			break;
		case CKR_STATE_UNSAVEABLE:
			retval = Tcl_NewStringObj("PKCS11_ERROR STATE_UNSAVEABLE", -1);
			break;
		case CKR_CRYPTOKI_NOT_INITIALIZED:
			retval = Tcl_NewStringObj("PKCS11_ERROR CRYPTOKI_NOT_INITIALIZED", -1);
			break;
		case CKR_CRYPTOKI_ALREADY_INITIALIZED:
			retval = Tcl_NewStringObj("PKCS11_ERROR CRYPTOKI_ALREADY_INITIALIZED", -1);
			break;
		case CKR_MUTEX_BAD:
			retval = Tcl_NewStringObj("PKCS11_ERROR MUTEX_BAD", -1);
			break;
		case CKR_MUTEX_NOT_LOCKED:
			retval = Tcl_NewStringObj("PKCS11_ERROR MUTEX_NOT_LOCKED", -1);
			break;
		case CKR_NEW_PIN_MODE:
			retval = Tcl_NewStringObj("PKCS11_ERROR NEW_PIN_MODE", -1);
			break;
		case CKR_NEXT_OTP:
			retval = Tcl_NewStringObj("PKCS11_ERROR NEXT_OTP", -1);
			break;
		case CKR_FUNCTION_REJECTED:
			retval = Tcl_NewStringObj("PKCS11_ERROR FUNCTION_REJECTED", -1);
			break;
		case CKR_VENDOR_DEFINED:
			retval = Tcl_NewStringObj("PKCS11_ERROR VENDOR_DEFINED", -1);
			break;
	}

	if (!retval) {
		retval = Tcl_NewStringObj("PKCS11_ERROR UNKNOWN", -1);
	}

	Tcl_AppendPrintfToObj(retval, " LINE %i", lineNumber);

	return(retval);
}

MODULE_SCOPE Tcl_Obj *tclpkcs11_bytearray_to_string(const unsigned char *data, unsigned long datalen) {
	static char alphabet[] = "0123456789abcdef";
	unsigned long idx, bufidx;
	Tcl_Obj *retval;
	char buf[1024];
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302

	return(TCL_OK);
}

MODULE_SCOPE int tclpkcs11_perform_pki(int encrypt, ClientData cd, Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]) {
	struct tclpkcs11_interpdata *interpdata;
	struct tclpkcs11_handle *handle;
	unsigned char *input, resultbuf[1024];
	unsigned long tcl_strtobytearray_rv;
	Tcl_HashEntry *tcl_handle_entry;
	Tcl_Obj *pki_real_cmd;
	Tcl_Obj *tcl_keylist, **tcl_keylist_values, *tcl_keylist_key, *tcl_keylist_val;
	Tcl_Obj *tcl_mode, *tcl_input;
	Tcl_Obj *tcl_handle = NULL, *tcl_slotid = NULL, *tcl_objid = NULL;
	Tcl_Obj *tcl_result;
	long slotid_long;
	int tcl_keylist_llength, idx;
	int input_len;
	CK_ULONG resultbuf_len;
	int sign, terminate;
	int tcl_rv;

	CK_SLOT_ID slotid;
	CK_OBJECT_HANDLE hObject;
	CK_ULONG foundObjs;
	CK_OBJECT_CLASS objectclass_pk;







|










|







1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399

	return(TCL_OK);
}

MODULE_SCOPE int tclpkcs11_perform_pki(int encrypt, ClientData cd, Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]) {
	struct tclpkcs11_interpdata *interpdata;
	struct tclpkcs11_handle *handle;
	unsigned char *input, resultbuf[1024], *dummybuf;
	unsigned long tcl_strtobytearray_rv;
	Tcl_HashEntry *tcl_handle_entry;
	Tcl_Obj *pki_real_cmd;
	Tcl_Obj *tcl_keylist, **tcl_keylist_values, *tcl_keylist_key, *tcl_keylist_val;
	Tcl_Obj *tcl_mode, *tcl_input;
	Tcl_Obj *tcl_handle = NULL, *tcl_slotid = NULL, *tcl_objid = NULL;
	Tcl_Obj *tcl_result;
	long slotid_long;
	int tcl_keylist_llength, idx;
	int input_len;
	CK_ULONG resultbuf_len, dummybuf_len;
	int sign, terminate;
	int tcl_rv;

	CK_SLOT_ID slotid;
	CK_OBJECT_HANDLE hObject;
	CK_ULONG foundObjs;
	CK_OBJECT_CLASS objectclass_pk;
1464
1465
1466
1467
1468
1469
1470

1471
1472
1473
1474
1475
1476
1477
	chk_rv = handle->pkcs11->C_FindObjectsInit(handle->session, template, sizeof(template) / sizeof(template[0]));
	if (chk_rv != CKR_OK) {
		Tcl_SetObjResult(interp, tclpkcs11_pkcs11_error(chk_rv));

		return(TCL_ERROR);
	}


	chk_rv = handle->pkcs11->C_FindObjects(handle->session, &hObject, 1, &foundObjs);
	if (chk_rv != CKR_OK) {
		Tcl_SetObjResult(interp, tclpkcs11_pkcs11_error(chk_rv));

		handle->pkcs11->C_FindObjectsFinal(handle->session);

		return(TCL_ERROR);







>







1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
	chk_rv = handle->pkcs11->C_FindObjectsInit(handle->session, template, sizeof(template) / sizeof(template[0]));
	if (chk_rv != CKR_OK) {
		Tcl_SetObjResult(interp, tclpkcs11_pkcs11_error(chk_rv));

		return(TCL_ERROR);
	}

	foundObjs = 0;
	chk_rv = handle->pkcs11->C_FindObjects(handle->session, &hObject, 1, &foundObjs);
	if (chk_rv != CKR_OK) {
		Tcl_SetObjResult(interp, tclpkcs11_pkcs11_error(chk_rv));

		handle->pkcs11->C_FindObjectsFinal(handle->session);

		return(TCL_ERROR);
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497

1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510

	/* Perform the PKI operation (encrypt/decrypt) */
	input = Tcl_GetByteArrayFromObj(tcl_input, &input_len);
	if (encrypt) {
		sign = 0;
		chk_rv = handle->pkcs11->C_EncryptInit(handle->session, &mechanism, hObject);
		if (chk_rv != CKR_OK) {
			if (chk_rv == CKR_FUNCTION_NOT_SUPPORTED) {
				sign = 1;
				chk_rv = handle->pkcs11->C_SignInit(handle->session, &mechanism, hObject);

				if (chk_rv != CKR_OK) {
					Tcl_SetObjResult(interp, tclpkcs11_pkcs11_error(chk_rv));

					return(TCL_ERROR);
				}
			}
		}

		resultbuf_len = sizeof(resultbuf);
		if (!sign) {
			chk_rv = handle->pkcs11->C_Encrypt(handle->session, input, input_len, resultbuf, &resultbuf_len);
		} else {
			/* Some PKCS#11 drivers will not accept pre-padded input, so we must unpad it here */







<
|
|
>
|
|

|
<
<







1586
1587
1588
1589
1590
1591
1592

1593
1594
1595
1596
1597
1598
1599


1600
1601
1602
1603
1604
1605
1606

	/* Perform the PKI operation (encrypt/decrypt) */
	input = Tcl_GetByteArrayFromObj(tcl_input, &input_len);
	if (encrypt) {
		sign = 0;
		chk_rv = handle->pkcs11->C_EncryptInit(handle->session, &mechanism, hObject);
		if (chk_rv != CKR_OK) {

			sign = 1;
			chk_rv = handle->pkcs11->C_SignInit(handle->session, &mechanism, hObject);
		}
		if (chk_rv != CKR_OK) {
			Tcl_SetObjResult(interp, tclpkcs11_pkcs11_error(chk_rv));

			return(TCL_ERROR);


		}

		resultbuf_len = sizeof(resultbuf);
		if (!sign) {
			chk_rv = handle->pkcs11->C_Encrypt(handle->session, input, input_len, resultbuf, &resultbuf_len);
		} else {
			/* Some PKCS#11 drivers will not accept pre-padded input, so we must unpad it here */
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541


1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
					}
				}
			}

			chk_rv = handle->pkcs11->C_Sign(handle->session, input, input_len, resultbuf, &resultbuf_len);
		}

		terminate = 0;
		if (chk_rv == CKR_OK) {
			terminate = 1;
		} else {
			if (chk_rv == CKR_BUFFER_TOO_SMALL) {
				terminate = 1;
			}
		}

		if (terminate) {


			if (!sign) {
				handle->pkcs11->C_EncryptFinal(handle->session, NULL, 0);
			} else {
				handle->pkcs11->C_SignFinal(handle->session, NULL, 0);
			}
		}

		if (chk_rv != CKR_OK) {
			Tcl_SetObjResult(interp, tclpkcs11_pkcs11_error(chk_rv));

			return(TCL_ERROR);







|
|
|
<
<
<
<



>
>

|

|







1621
1622
1623
1624
1625
1626
1627
1628
1629
1630




1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
					}
				}
			}

			chk_rv = handle->pkcs11->C_Sign(handle->session, input, input_len, resultbuf, &resultbuf_len);
		}

		terminate = 1;
		if (chk_rv == CKR_OK || chk_rv == CKR_BUFFER_TOO_SMALL) {
			terminate = 0;




		}

		if (terminate) {
			dummybuf = (unsigned char *) "";
			dummybuf_len = 0;
			if (!sign) {
				handle->pkcs11->C_EncryptFinal(handle->session, dummybuf, &dummybuf_len);
			} else {
				handle->pkcs11->C_SignFinal(handle->session, dummybuf, &dummybuf_len);
			}
		}

		if (chk_rv != CKR_OK) {
			Tcl_SetObjResult(interp, tclpkcs11_pkcs11_error(chk_rv));

			return(TCL_ERROR);
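Review bot: In the new `INTtclpkcs11_pkcs11_error`, `retval` is declared without an initializer and the switch has no `default`, so for any `CK_RV` not listed the `if (!retval)` test reads an indeterminate pointer; the `PKCS11_ERROR UNKNOWN` fallback is then not guaranteed to run, and `Tcl_AppendPrintfToObj` can be handed an invalid pointer. Declaring it as `Tcl_Obj *retval = NULL;` (or moving the fallback into a `default:` case) restores what the old trailing `return` guaranteed. This matters most for return codes outside the listed set, since the value comes from the loaded PKCS#11 module rather than from this file. Separately, in `tclpkcs11_perform_pki` (whose body runs beyond the hunks shown) the rewritten `terminate` logic no longer calls `C_EncryptFinal`/`C_SignFinal` after `CKR_BUFFER_TOO_SMALL`, yet the function still returns `TCL_ERROR` for that code; this looks like it could leave the operation active on the session and is worth confirming against the drivers the commit targets.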