30 #if defined(ENABLE_PKCS11)
32 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
/* Time-source adapter for pkcs11-helper's system engine (installed through
 * s_pkcs11h_sys_engine further down); forwards to gettimeofday() with no
 * timezone argument. The return type is outside this excerpt. */
53 __mygettimeofday(
struct timeval *tv)
55 return gettimeofday(tv, NULL);
/* Sleep adapter for the helper's system engine (microsecond argument);
 * the body and return type are outside this excerpt. */
61 __mysleep(
const unsigned long usec)
/* File-scope engine descriptor handed to pkcs11h_engine_setSystem() in
 * pkcs11_initialize(); its field initializers are not shown here. */
71 static pkcs11h_engine_system_t s_pkcs11h_sys_engine = {
/* Translate a pkcs11-helper log level into OpenVPN msg() flags.
 * The target flags of each case are outside this excerpt. */
85 _pkcs11_msg_pkcs112openvpn(
89 unsigned openvpn_flags;
93 case PKCS11H_LOG_DEBUG2:
97 case PKCS11H_LOG_DEBUG1:
101 case PKCS11H_LOG_INFO:
105 case PKCS11H_LOG_WARN:
109 case PKCS11H_LOG_ERROR:
/* Build-time debugging switch; presumably overrides the mapped flags
 * (the overriding value is not shown here). */
118 #if defined(ENABLE_PKCS11_FORCE_DEBUG)
122 return openvpn_flags;
/* Inverse of _pkcs11_msg_pkcs112openvpn(): map OpenVPN msg() flags to a
 * pkcs11-helper log level, tested from most to least verbose. */
127 _pkcs11_msg_openvpn2pkcs11(
131 unsigned pkcs11_flags;
/* The conditions guarding the two debug-level assignments are outside
 * this excerpt. */
135 pkcs11_flags = PKCS11H_LOG_DEBUG2;
139 pkcs11_flags = PKCS11H_LOG_DEBUG1;
141 else if ((flags &
M_INFO) != 0)
143 pkcs11_flags = PKCS11H_LOG_INFO;
145 else if ((flags &
M_WARN) != 0)
147 pkcs11_flags = PKCS11H_LOG_WARN;
149 else if ((flags &
M_FATAL) != 0)
151 pkcs11_flags = PKCS11H_LOG_ERROR;
/* Presumably the trailing else: anything not matched above is reported
 * at error level rather than dropped. */
155 pkcs11_flags = PKCS11H_LOG_ERROR;
/* With ENABLE_PKCS11_FORCE_DEBUG the mapping above is overridden and every
 * message goes out at the most verbose helper level. */
158 #if defined(ENABLE_PKCS11_FORCE_DEBUG)
159 pkcs11_flags = PKCS11H_LOG_DEBUG2;
/* Log hook registered with pkcs11h_setLogHook(): renders the helper's
 * message into a bounded stack buffer and forwards it to msg(). The
 * function name and the 'flags'/'args' parameters are outside this excerpt. */
168 void *
const global_data,
170 const char *
const szFormat,
/* 10 KiB on the stack. vsnprintf() is bounded by sizeof(Buffer) and already
 * NUL-terminates; the explicit terminator below is belt-and-braces. */
174 char Buffer[10*1024];
178 vsnprintf(Buffer,
sizeof(Buffer), szFormat, args);
179 Buffer[
sizeof(Buffer)-1] = 0;
/* The rendered text is passed as a "%s" argument, never as the format
 * string, so '%' sequences in the helper's output are not interpreted by
 * msg(). */
181 msg(_pkcs11_msg_pkcs112openvpn(flags),
"%s", Buffer);
/* Token-insertion prompt hook (registered via pkcs11h_setTokenPromptHook()).
 * Asks the user, through the username/password prompt machinery, to insert
 * the named token and treats the reply "ok" as confirmation. The return
 * type and the 'token_resp' local are outside this excerpt. */
186 _pkcs11_openvpn_token_prompt(
187 void *
const global_data,
188 void *
const user_data,
189 const pkcs11h_token_id_t token,
/* Fresh response: nothing pre-filled; nocache presumably asks that the
 * reply not be retained for reuse. */
202 token_resp.defined =
false;
203 token_resp.nocache =
true;
/* Prompt text is written into the username field, bounded by its size. */
206 sizeof(token_resp.username),
207 "Please insert %s token",
/* Prompt type tag handed to the prompting layer. */
215 "token-insertion-request",
/* Success only when the user typed exactly "ok". */
224 return strcmp(token_resp.password,
"ok") == 0;
/* PIN prompt hook (registered via pkcs11h_setPINPromptHook()). Builds a
 * "<label> token" prompt, collects the PIN through the user/pass prompt
 * machinery and copies it into the helper-provided buffer. The return type
 * and the 'pin', 'pin_max', 'prompt' and 'token_pass' names are declared
 * outside this excerpt. */
230 _pkcs11_openvpn_pin_prompt(
231 void *
const global_data,
232 void *
const user_data,
233 const pkcs11h_token_id_t token,
234 const unsigned retry,
/* token->label is token-supplied text; it is only ever a %s argument and
 * the write is bounded by sizeof(prompt). */
249 snprintf(prompt,
sizeof(prompt),
"%s token", token->label);
251 token_pass.defined =
false;
252 token_pass.nocache =
true;
/* Bounded copy into the helper's buffer; strncpynt is OpenVPN's variant
 * that always NUL-terminates. NOTE(review): token_pass still holds the PIN
 * after this copy - confirm it is purged before return (not visible here). */
267 strncpynt(pin, token_pass.password, pin_max);
/* An empty PIN is presumably treated as a failed prompt (the body of the
 * if is not shown). */
270 if (strlen(pin) == 0)
/* pkcs11_initialize(): one-time setup of pkcs11-helper. Installs the system
 * engine and the log/token/PIN hooks, then applies the protected
 * authentication and PIN-cache settings. Every failure is M_FATAL, so the
 * function only returns after the whole sequence succeeded. The return
 * type, name and opening brace are outside this excerpt. */
283 const bool protected_auth,
284 const int nPINCachePeriod
/* Pessimistic default; overwritten by the first helper call. NOTE(review):
 * CK_RV is an unsigned long in PKCS#11, so %lu would be the matching
 * conversion for the messages below (%ld is used throughout this file). */
287 CK_RV rv = CKR_FUNCTION_FAILED;
291 "PKCS#11: pkcs11_initialize - entered"
294 if ((rv = pkcs11h_engine_setSystem(&s_pkcs11h_sys_engine)) != CKR_OK)
296 msg(
M_FATAL,
"PKCS#11: Cannot initialize system engine %ld-'%s'", rv, pkcs11h_getMessage(rv));
300 if ((rv = pkcs11h_initialize()) != CKR_OK)
302 msg(
M_FATAL,
"PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* NOTE(review): this and the two hook registrations further down share the
 * text "Cannot set hooks"; naming the hook in each message would make the
 * fatal log line unambiguous. */
306 if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK)
308 msg(
M_FATAL,
"PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* Helper fork handling is switched off; the reason is not documented in
 * this excerpt. */
314 if ((rv = pkcs11h_setForkMode(FALSE)) != CKR_OK)
316 msg(
M_FATAL,
"PKCS#11: Cannot set fork mode %ld-'%s'", rv, pkcs11h_getMessage(rv));
320 if ((rv = pkcs11h_setTokenPromptHook(_pkcs11_openvpn_token_prompt, NULL)) != CKR_OK)
322 msg(
M_FATAL,
"PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
326 if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
328 msg(
M_FATAL,
"PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* Caller-chosen policy: whether the PKCS#11 protected authentication path
 * (PIN entered on the reader rather than via the prompt hook) may be used,
 * and how long the helper may cache a PIN. */
332 if ((rv = pkcs11h_setProtectedAuthentication(protected_auth)) != CKR_OK)
334 msg(
M_FATAL,
"PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* "Pcache" in the message below reads like a typo for "PIN cache". */
338 if ((rv = pkcs11h_setPINCachePeriod(nPINCachePeriod)) != CKR_OK)
340 msg(
M_FATAL,
"PKCS#11: Cannot set Pcache period %ld-'%s'", rv, pkcs11h_getMessage(rv));
349 "PKCS#11: pkcs11_initialize - return %ld-'%s'",
351 pkcs11h_getMessage(rv)
/* Tear down pkcs11-helper state. The call that actually terminates the
 * helper presumably sits between the two trace messages; it is not shown. */
358 pkcs11_terminate(
void)
362 "PKCS#11: pkcs11_terminate - entered"
369 "PKCS#11: pkcs11_terminate - return"
/* pkcs11_addProvider(): load one PKCS#11 module ('provider' is the library
 * path) into pkcs11-helper. With helper >= 1.28 the provider is registered
 * first and configured through properties; older helpers use the
 * single-call pkcs11h_addProvider(). The return type, name, opening brace
 * and the 'rv' local are outside this excerpt. */
375 const char *
const provider,
376 const bool protected_auth,
377 const unsigned private_mode,
378 const bool cert_private
387 "PKCS#11: pkcs11_addProvider - entered - provider='%s', private_mode=%08x",
394 "PKCS#11: Adding PKCS#11 provider '%s'",
/* Version packed as (major<<16 | minor<<8 | patch); the register/setProperty
 * API below is only used from 1.28.0 on. */
398 #if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0))
399 if ((rv = pkcs11h_registerProvider(provider)) != CKR_OK)
401 msg(
M_WARN,
"PKCS#11: Cannot register provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
/* Widen the bools to the helper's PKCS11H_BOOL so the property size passed
 * below matches the helper's expectation. */
405 PKCS11H_BOOL allow_protected_auth = protected_auth;
406 PKCS11H_BOOL cert_is_private = cert_private;
/* LOCATION receives the path including its terminating NUL. The lines
 * between the property calls are not shown; presumably each call is
 * guarded on the previous rv. */
408 rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOCATION, provider, strlen(provider) + 1);
412 rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_ALLOW_PROTECTED_AUTH, &allow_protected_auth,
sizeof(allow_protected_auth));
416 rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_MASK_PRIVATE_MODE, &private_mode,
sizeof(private_mode));
420 rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_CERT_IS_PRIVATE, &cert_is_private,
sizeof(cert_is_private));
/* DLL search-path hardening on Windows: the module's dependencies are
 * resolved only from the default application/system directories and the
 * module's own directory, which keeps the current working directory out of
 * the search order. */
422 #if defined(WIN32) && defined(PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS)
425 unsigned loader_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR;
426 rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS, &loader_flags,
sizeof(loader_flags));
/* A property failure or a failed initialize leaves no half-registered
 * provider behind: it is removed again before returning. */
430 if (rv != CKR_OK || (rv = pkcs11h_initializeProvider(provider)) != CKR_OK)
432 msg(
M_WARN,
"PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
433 pkcs11h_removeProvider(provider);
/* Pre-1.28 helper: single-call registration with automatic slot-event
 * method selection (remaining arguments not shown). */
438 (rv = pkcs11h_addProvider(
443 PKCS11H_SLOTEVENT_METHOD_AUTO,
449 msg(
M_WARN,
"PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
455 "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'",
457 pkcs11h_getMessage(rv)
/* Log out of the helper's token sessions; true only when the helper
 * reports CKR_OK. */
466 return pkcs11h_logout() == CKR_OK;
/* Number of certificate ids the helper enumerates with the CACHE_EXIST
 * method, for the management interface. The enumeration failure path and
 * the 'count'/'rv' locals are outside this excerpt. */
470 pkcs11_management_id_count(
void)
472 pkcs11h_certificate_id_list_t id_list = NULL;
473 pkcs11h_certificate_id_list_t t = NULL;
479 "PKCS#11: pkcs11_management_id_count - entered"
483 (rv = pkcs11h_certificate_enumCertificateIds(
484 PKCS11H_ENUM_METHOD_CACHE_EXIST,
486 PKCS11H_PROMPT_MASK_ALLOW_ALL,
492 msg(
M_WARN,
"PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* Plain walk of the singly linked id list. */
496 for (count = 0, t = id_list; t != NULL; t = t->next)
/* The list is helper-owned memory and is released with the helper's own
 * free routine. */
503 pkcs11h_certificate_freeCertificateIdList(id_list);
508 "PKCS#11: pkcs11_management_id_count - return count=%d",
/* pkcs11_management_id_get(): for the 'index'-th enumerated certificate,
 * return its serialized id and the base64 form of its DER blob through out
 * parameters. Allocation failures are M_FATAL; helper failures log M_WARN
 * and presumably fall through to the cleanup path with success == false.
 * The parameters and the 'id'/'base64'/'count'/'max'/'rv' names are
 * declared outside this excerpt. */
516 pkcs11_management_id_get(
522 pkcs11h_certificate_id_list_t id_list = NULL;
523 pkcs11h_certificate_id_list_t entry = NULL;
525 pkcs11h_certificate_id_t certificate_id = NULL;
527 pkcs11h_certificate_t certificate = NULL;
529 unsigned char *certificate_blob = NULL;
530 size_t certificate_blob_size = 0;
532 char *internal_id = NULL;
533 char *internal_base64 = NULL;
535 bool success =
false;
542 "PKCS#11: pkcs11_management_id_get - entered index=%d",
550 (rv = pkcs11h_certificate_enumCertificateIds(
551 PKCS11H_ENUM_METHOD_CACHE_EXIST,
553 PKCS11H_PROMPT_MASK_ALLOW_ALL,
559 msg(
M_WARN,
"PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* Walk to the requested position; the loop body is not shown. */
565 while (entry != NULL && count != index)
575 "PKCS#11: pkcs11_management_id_get - no certificate at index=%d",
/* Two-pass serialization: the first call sizes the id, the second fills
 * the buffer allocated in between. */
582 (rv = pkcs11h_certificate_serializeCertificateId(
585 entry->certificate_id
589 msg(
M_WARN,
"PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* The cast on malloc() is unnecessary in C; harmless here. */
593 if ((internal_id = (
char *)malloc(max)) == NULL)
595 msg(
M_FATAL,
"PKCS#11: Cannot allocate memory");
600 (rv = pkcs11h_certificate_serializeCertificateId(
603 entry->certificate_id
607 msg(
M_WARN,
"PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* Certificate handle created with unrestricted prompting and an infinite
 * helper-side PIN cache. */
612 (rv = pkcs11h_certificate_create(
613 entry->certificate_id,
615 PKCS11H_PROMPT_MASK_ALLOW_ALL,
616 PKCS11H_PIN_CACHE_INFINITE,
621 msg(
M_WARN,
"PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* Same size-then-fill pattern for the DER blob. */
626 (rv = pkcs11h_certificate_getCertificateBlob(
629 &certificate_blob_size
633 msg(
M_WARN,
"PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage(rv));
637 if ((certificate_blob = (
unsigned char *)malloc(certificate_blob_size)) == NULL)
639 msg(
M_FATAL,
"PKCS#11: Cannot allocate memory");
644 (rv = pkcs11h_certificate_getCertificateBlob(
647 &certificate_blob_size
651 msg(
M_WARN,
"PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* Base64 encoding of the blob failed (the encoding call is not shown). */
657 msg(
M_WARN,
"PKCS#11: Cannot encode certificate");
/* Ownership of the base64 string passes to the caller; clearing the local
 * keeps the cleanup below from freeing it. */
663 *base64 = internal_base64;
664 internal_base64 = NULL;
/* Cleanup: helper-owned list via the helper's free routine, then whatever
 * temporaries are still held. */
669 pkcs11h_certificate_freeCertificateIdList(id_list);
675 free(internal_base64);
676 internal_base64 = NULL;
678 free(certificate_blob);
679 certificate_blob = NULL;
683 "PKCS#11: pkcs11_management_id_get - return success=%d, id='%s'",
/* tls_ctx_use_pkcs11(): select the PKCS#11 certificate/key for the TLS
 * context. The id comes either from the 'pkcs11_id' argument or, in
 * management mode, from a "Please specify PKCS#11 id to use" prompt. The
 * return type, the other parameters and the 'id_resp'/'ok'/'rv' locals are
 * outside this excerpt. */
695 const char *
const pkcs11_id
698 pkcs11h_certificate_id_t certificate_id = NULL;
699 pkcs11h_certificate_t certificate = NULL;
/* NOTE(review): this trace line prints the ssl_ctx address; confirm it is
 * only emitted at a debug verbosity (the level argument is not shown). */
709 "PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=%p, pkcs11_id_management=%d, pkcs11_id='%s'",
/* Management-interface prompt for the id, same user/pass plumbing as the
 * token and PIN hooks: nothing pre-filled, reply not cached. */
721 id_resp.defined =
false;
722 id_resp.nocache =
true;
725 sizeof(id_resp.username),
726 "Please specify PKCS#11 id to use"
/* Two deserialize sites; presumably one for the management-supplied id and
 * one for the configured pkcs11_id (the arguments are not shown). */
742 (rv = pkcs11h_certificate_deserializeCertificateId(
748 msg(
M_WARN,
"PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv));
755 (rv = pkcs11h_certificate_deserializeCertificateId(
761 msg(
M_WARN,
"PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv));
767 (rv = pkcs11h_certificate_create(
770 PKCS11H_PROMPT_MASK_ALLOW_ALL,
771 PKCS11H_PIN_CACHE_INFINITE,
776 msg(
M_WARN,
"PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* Hands the certificate to the TLS backend (arguments not shown). */
781 (pkcs11_init_tls_session(
/* Cleanup: both helper objects are released; certificate_id is also nulled
 * afterwards, certificate is not. */
797 if (certificate != NULL)
799 pkcs11h_certificate_freeCertificate(certificate);
803 if (certificate_id != NULL)
805 pkcs11h_certificate_freeCertificateId(certificate_id);
806 certificate_id = NULL;
811 "PKCS#11: tls_ctx_use_pkcs11 - return ok=%d, rv=%ld",
/* Console PIN prompt installed by the --show-pkcs11-ids path (see the
 * pkcs11h_setPINPromptHook() call there). Reads the PIN into the bounded
 * 'pin' buffer; the literal "cancel" aborts. The return type and the
 * 'pin'/'pin_max'/'pass_prompt' names are declared outside this excerpt. */
821 _pkcs11_openvpn_show_pkcs11_ids_pin_prompt(
822 void *
const global_data,
823 void *
const user_data,
824 const pkcs11h_token_id_t token,
825 const unsigned retry,
/* token->display is token-supplied text and only ever a %s argument. */
839 buf_printf(&pass_prompt,
"Please enter '%s' token PIN or 'cancel': ", token->display);
/* Read into pin bounded by pin_max; the trailing false presumably disables
 * echo (the reading function's name is outside this excerpt). */
841 pin, pin_max,
false))
/* "cancel" is reserved as an abort signal and can never be a valid PIN
 * on this path. */
848 if (!strcmp(pin,
"cancel"))
/* show_pkcs11_ids(): standalone listing of the certificates on 'provider'
 * for the --show-pkcs11-ids option. Initialises the helper directly (not
 * through pkcs11_initialize()) with the console PIN hook, prints DN, serial
 * and serialized id per certificate, then shuts the helper down. Every
 * failure is M_FATAL. The return type, name, the 'cert_private' parameter
 * and the 'ser'/'ser_len'/'dn' locals are outside this excerpt. */
860 const char *
const provider,
865 pkcs11h_certificate_id_list_t user_certificates = NULL;
866 pkcs11h_certificate_id_list_t current = NULL;
867 CK_RV rv = CKR_FUNCTION_FAILED;
869 if ((rv = pkcs11h_initialize()) != CKR_OK)
871 msg(
M_FATAL,
"PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage(rv));
875 if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK)
877 msg(
M_FATAL,
"PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* Protected authentication is allowed unconditionally here, unlike
 * pkcs11_initialize() which takes the setting from its caller. */
883 if ((rv = pkcs11h_setProtectedAuthentication(TRUE)) != CKR_OK)
885 msg(
M_FATAL,
"PKCS#11: Cannot set protected authentication %ld-'%s'", rv, pkcs11h_getMessage(rv));
889 if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_show_pkcs11_ids_pin_prompt, NULL)) != CKR_OK)
891 msg(
M_FATAL,
"PKCS#11: Cannot set PIN hook %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* protected_auth=TRUE, private_mode=0. NOTE(review): the message below is
 * missing the closing quote after %s ("provider '%s" should end in '). */
895 if (!pkcs11_addProvider(provider, TRUE, 0, cert_private ? TRUE : FALSE))
897 msg(
M_FATAL,
"Failed to add PKCS#11 provider '%s", provider);
902 (rv = pkcs11h_certificate_enumCertificateIds(
903 PKCS11H_ENUM_METHOD_CACHE_EXIST,
905 PKCS11H_PROMPT_MASK_ALLOW_ALL,
911 msg(
M_FATAL,
"PKCS#11: Cannot enumerate certificates %ld-'%s'", rv, pkcs11h_getMessage(rv));
919 "The following objects are available for use.\n"
920 "Each object shown below may be used as parameter to\n"
921 "--pkcs11-id option please remember to use single quote mark.\n"
924 for (current = user_certificates; current != NULL; current = current->next)
926 pkcs11h_certificate_t certificate = NULL;
/* Zero-initialised so a partially filled serial still prints as a
 * terminated string. */
928 char serial[1024] = {0};
/* Size-then-fill serialization, as in pkcs11_management_id_get(). */
933 (rv = pkcs11h_certificate_serializeCertificateId(
936 current->certificate_id
940 msg(
M_FATAL,
"PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* The cast on malloc() is unnecessary in C. */
946 && (ser = (
char *)malloc(ser_len)) == NULL
949 msg(
M_FATAL,
"PKCS#11: Cannot allocate memory");
954 (rv = pkcs11h_certificate_serializeCertificateId(
957 current->certificate_id
961 msg(
M_FATAL,
"PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
966 (rv = pkcs11h_certificate_create(
967 current->certificate_id,
969 PKCS11H_PROMPT_MASK_ALLOW_ALL,
970 PKCS11H_PIN_CACHE_INFINITE,
975 msg(
M_FATAL,
"PKCS#11: Cannot create certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
/* DN and serial come from the TLS-backend helpers (arguments not shown). */
980 (dn = pkcs11_certificate_dn(
990 (pkcs11_certificate_serial(
1007 " Serialized id: %s\n"
1016 if (certificate != NULL)
1018 pkcs11h_certificate_freeCertificate(certificate);
/* Helper-owned list released with the helper's free routine. */
1027 pkcs11h_certificate_freeCertificateIdList(user_certificates);
1028 user_certificates = NULL;
/* Direct helper shutdown, mirroring the direct pkcs11h_initialize() above. */
1030 pkcs11h_terminate();