2 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
3 * Author: Nikos Mavrogiannopoulos
5 * This file is part of GnuTLS.
7 * GnuTLS is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuTLS is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include <gnutls/gnutls.h>
25 #include <gnutls/pkcs11.h>
26 #include <gnutls/abstract.h>
30 #include "certtool-cfg.h"
31 #include "certtool-common.h"
38 # define sleep(x) Sleep(x*1000)
42 char *get_single_token_url(common_info_st * info);
44 #define FIX(url, out, det, info) \
46 url = get_single_token_url(info); \
48 fprintf(stderr, "warning: no token URL was provided for this operation; the available tokens are:\n\n"); \
49 pkcs11_token_list(out, det, info, 1); \
54 #define CHECK_LOGIN_FLAG(flag) \
57 "warning: --login was not specified and it may be required for this operation.\n")
60 pkcs11_delete(FILE * outfile, const char *url,
61 unsigned int login_flags, common_info_st * info)
64 unsigned int obj_flags = 0;
66 if (login_flags) obj_flags = login_flags;
68 if (info->batch == 0) {
69 pkcs11_list(outfile, url, PKCS11_TYPE_ALL, login_flags,
70 GNUTLS_PKCS11_URL_LIB, info);
73 ("Are you sure you want to delete those objects? (y/N): ",
80 ret = gnutls_pkcs11_delete_url(url, obj_flags);
82 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
83 gnutls_strerror(ret));
87 fprintf(outfile, "\n%d objects deleted\n", ret);
92 /* lists certificates from a token
95 pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,
96 unsigned int detailed, common_info_st * info)
98 gnutls_pkcs11_obj_t *crt_list;
99 unsigned int crt_list_size = 0, i, j;
102 int attrs, print_exts = 0;
103 gnutls_x509_ext_st *exts;
105 unsigned int obj_flags = flags;
109 FIX(url, outfile, detailed, info);
111 gnutls_pkcs11_token_get_flags(url, &flags);
112 if (flags & GNUTLS_PKCS11_TOKEN_TRUSTED)
115 if (type == PKCS11_TYPE_TRUSTED) {
116 attrs = GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED;
117 } else if (type == PKCS11_TYPE_PK) {
118 attrs = GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY;
119 } else if (type == PKCS11_TYPE_CRT_ALL) {
120 attrs = GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL;
121 if (print_exts != 0) print_exts++;
122 } else if (type == PKCS11_TYPE_PRIVKEY) {
123 attrs = GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY;
124 } else if (type == PKCS11_TYPE_INFO) {
125 attrs = GNUTLS_PKCS11_OBJ_ATTR_MATCH;
127 attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL;
130 /* give some initial value to avoid asking for the pkcs11 pin twice.
133 gnutls_pkcs11_obj_list_import_url2(&crt_list, &crt_list_size,
134 url, attrs, obj_flags);
136 fprintf(stderr, "Error in crt_list_import (1): %s\n",
137 gnutls_strerror(ret));
141 if (crt_list_size == 0) {
142 fprintf(stderr, "No matching objects found\n");
146 for (i = 0; i < crt_list_size; i++) {
152 gnutls_pkcs11_obj_export_url(crt_list[i], detailed,
155 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
156 __LINE__, gnutls_strerror(ret));
160 if (info->only_urls) {
161 fprintf(outfile, "%s\n", output);
165 fprintf(outfile, "Object %d:\n\tURL: %s\n", i, output);
169 otype = gnutls_pkcs11_obj_get_type(crt_list[i]);
170 fprintf(outfile, "\tType: %s\n",
171 gnutls_pkcs11_type_get_name(otype));
175 gnutls_pkcs11_obj_get_info(crt_list[i],
176 GNUTLS_PKCS11_OBJ_LABEL,
179 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
180 __LINE__, gnutls_strerror(ret));
183 fprintf(outfile, "\tLabel: %s\n", buf);
186 ret = gnutls_pkcs11_obj_get_flags(crt_list[i], &oflags);
188 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
189 __LINE__, gnutls_strerror(ret));
192 str = gnutls_pkcs11_obj_flags_get_str(oflags);
194 fprintf(outfile, "\tFlags: %s\n", str);
200 gnutls_pkcs11_obj_get_info(crt_list[i],
201 GNUTLS_PKCS11_OBJ_ID_HEX,
204 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
205 __LINE__, gnutls_strerror(ret));
208 fprintf(outfile, "\tID: %s\n", buf);
210 if (otype == GNUTLS_PKCS11_OBJ_X509_CRT && print_exts > 0) {
211 ret = gnutls_pkcs11_obj_get_exts(crt_list[i], &exts, &exts_size, 0);
212 if (ret >= 0 && exts_size > 0) {
215 if (print_exts > 1) {
216 fprintf(outfile, "\tAttached extensions:\n");
217 ret = gnutls_x509_ext_print(exts, exts_size, 0, &txt);
219 fprintf(outfile, "%s", (char*)txt.data);
220 gnutls_free(txt.data);
223 fprintf(outfile, "\tAttached extensions:");
224 for (j=0;j<exts_size;j++) {
225 fprintf(outfile, "%s%s", exts[j].oid, (j!=exts_size-1)?",":" ");
228 for (j=0;j<exts_size;j++) {
229 gnutls_x509_ext_deinit(&exts[j]);
232 fprintf(outfile, "\n");
236 fprintf(outfile, "\n");
242 #define TEST_DATA "Test data to sign"
245 pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,
246 common_info_st * info)
248 gnutls_privkey_t privkey;
249 gnutls_pubkey_t pubkey;
251 gnutls_datum_t data, sig = {NULL, 0};
256 FIX(url, outfile, 0, info);
258 data.data = (void*)TEST_DATA;
259 data.size = sizeof(TEST_DATA)-1;
261 ret = gnutls_privkey_init(&privkey);
263 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
264 __LINE__, gnutls_strerror(ret));
268 ret = gnutls_pubkey_init(&pubkey);
270 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
271 __LINE__, gnutls_strerror(ret));
275 ret = gnutls_privkey_import_url(privkey, url, flags);
277 fprintf(stderr, "Cannot import private key: %s\n",
278 gnutls_strerror(ret));
282 ret = gnutls_pubkey_import_privkey(pubkey, privkey, GNUTLS_KEY_DIGITAL_SIGNATURE, flags);
284 fprintf(stderr, "Cannot import public key: %s\n",
285 gnutls_strerror(ret));
289 ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &data, &sig);
291 fprintf(stderr, "Cannot sign data: %s\n",
292 gnutls_strerror(ret));
296 pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL);
298 fprintf(stderr, "Verifying against private key parameters... ");
299 ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA1),
302 fprintf(stderr, "Cannot verify signed data: %s\n",
303 gnutls_strerror(ret));
307 fprintf(stderr, "ok\n");
309 /* now try to verify against a public key within the token */
310 gnutls_pubkey_deinit(pubkey);
311 ret = gnutls_pubkey_init(&pubkey);
313 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
314 __LINE__, gnutls_strerror(ret));
318 ret = gnutls_pubkey_import_url(pubkey, url, flags);
320 fprintf(stderr, "Cannot find a corresponding public key object in token: %s\n",
321 gnutls_strerror(ret));
322 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
327 fprintf(stderr, "Verifying against public key in the token... ");
328 ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA1),
331 fprintf(stderr, "Cannot verify signed data: %s\n",
332 gnutls_strerror(ret));
336 fprintf(stderr, "ok\n");
338 gnutls_free(sig.data);
339 gnutls_pubkey_deinit(pubkey);
340 gnutls_privkey_deinit(privkey);
344 pkcs11_export(FILE * outfile, const char *url, unsigned int flags,
345 common_info_st * info)
347 gnutls_pkcs11_obj_t obj;
350 unsigned int obj_flags = flags;
354 FIX(url, outfile, 0, info);
356 ret = gnutls_pkcs11_obj_init(&obj);
358 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
359 gnutls_strerror(ret));
363 ret = gnutls_pkcs11_obj_import_url(obj, url, obj_flags);
365 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
366 gnutls_strerror(ret));
370 ret = gnutls_pkcs11_obj_export3(obj, info->outcert_format, &t);
372 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
373 __LINE__, gnutls_strerror(ret));
377 fwrite(t.data, 1, t.size, outfile);
380 if (info->outcert_format == GNUTLS_X509_FMT_PEM)
381 fputs("\n\n", outfile);
383 gnutls_pkcs11_obj_deinit(obj);
389 pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,
390 common_info_st * info)
392 gnutls_pkcs11_obj_t obj;
393 gnutls_x509_crt_t xcrt;
396 unsigned int obj_flags = flags;
400 FIX(url, outfile, 0, info);
402 ret = gnutls_pkcs11_obj_init(&obj);
404 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
405 gnutls_strerror(ret));
409 ret = gnutls_pkcs11_obj_import_url(obj, url, obj_flags);
411 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
412 gnutls_strerror(ret));
417 ret = gnutls_x509_crt_init(&xcrt);
419 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
420 gnutls_strerror(ret));
424 ret = gnutls_x509_crt_import_pkcs11(xcrt, obj);
426 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
427 __LINE__, gnutls_strerror(ret));
431 ret = gnutls_pkcs11_obj_export3(obj, GNUTLS_X509_FMT_PEM, &t);
433 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
434 __LINE__, gnutls_strerror(ret));
437 fwrite(t.data, 1, t.size, outfile);
438 fputs("\n\n", outfile);
441 gnutls_pkcs11_obj_deinit(obj);
444 ret = gnutls_pkcs11_get_raw_issuer(url, xcrt, &t, GNUTLS_X509_FMT_PEM, 0);
445 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
448 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
449 __LINE__, gnutls_strerror(ret));
453 fwrite(t.data, 1, t.size, outfile);
454 fputs("\n\n", outfile);
456 gnutls_x509_crt_deinit(xcrt);
458 ret = gnutls_x509_crt_init(&xcrt);
460 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
461 __LINE__, gnutls_strerror(ret));
465 ret = gnutls_x509_crt_import(xcrt, &t, GNUTLS_X509_FMT_PEM);
467 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
468 __LINE__, gnutls_strerror(ret));
474 ret = gnutls_x509_crt_check_issuer(xcrt, xcrt);
485 /* If there is a single token only present, return its URL.
488 char *get_single_token_url(common_info_st * info)
491 char *url = NULL, *t = NULL;
495 ret = gnutls_pkcs11_token_get_url(0, 0, &url);
499 ret = gnutls_pkcs11_token_get_url(1, 0, &t);
500 if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
510 void print_type(FILE *outfile, unsigned flags)
514 fputs("\tType: ", outfile);
515 if (flags & GNUTLS_PKCS11_TOKEN_HW) {
516 fputs("Hardware token", outfile);
520 if (flags & GNUTLS_PKCS11_TOKEN_TRUSTED) {
522 fputs(", ", outfile);
523 fputs("Trust module", outfile);
528 fputs("Generic token", outfile);
529 fputc('\n', outfile);
533 pkcs11_token_list(FILE * outfile, unsigned int detailed,
534 common_info_st * info, unsigned brief)
546 ret = gnutls_pkcs11_token_get_url(i, detailed, &url);
547 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
551 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
552 __LINE__, gnutls_strerror(ret));
557 fprintf(outfile, "%s\n", url);
560 fprintf(outfile, "Token %d:\n\tURL: %s\n", i, url);
565 gnutls_pkcs11_token_get_info(url,
566 GNUTLS_PKCS11_TOKEN_LABEL,
569 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
570 __LINE__, gnutls_strerror(ret));
574 fprintf(outfile, "\tLabel: %s\n", buf);
576 ret = gnutls_pkcs11_token_get_flags(url, &flags);
578 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
579 __LINE__, gnutls_strerror(ret));
581 print_type(outfile, flags);
586 gnutls_pkcs11_token_get_info(url,
587 GNUTLS_PKCS11_TOKEN_MANUFACTURER,
590 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
591 __LINE__, gnutls_strerror(ret));
595 fprintf(outfile, "\tManufacturer: %s\n", buf);
599 gnutls_pkcs11_token_get_info(url,
600 GNUTLS_PKCS11_TOKEN_MODEL,
603 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
604 __LINE__, gnutls_strerror(ret));
608 fprintf(outfile, "\tModel: %s\n", buf);
612 gnutls_pkcs11_token_get_info(url,
613 GNUTLS_PKCS11_TOKEN_SERIAL,
616 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
617 __LINE__, gnutls_strerror(ret));
621 fprintf(outfile, "\tSerial: %s\n", buf);
625 gnutls_pkcs11_token_get_info(url,
626 GNUTLS_PKCS11_TOKEN_MODNAME,
629 fprintf(outfile, "\tModule: %s\n", buf);
631 fprintf(outfile, "\n\n");
641 pkcs11_write(FILE * outfile, const char *url, const char *label,
642 const char *id, unsigned flags, common_info_st * info)
644 gnutls_x509_crt_t xcrt;
645 gnutls_x509_privkey_t xkey;
646 gnutls_pubkey_t xpubkey;
648 gnutls_datum_t *secret_key;
649 unsigned key_usage = 0;
650 unsigned char raw_id[128];
652 gnutls_datum_t cid = {NULL, 0};
656 FIX(url, outfile, 0, info);
657 CHECK_LOGIN_FLAG(flags);
659 if (label == NULL && info->batch == 0) {
660 label = read_str("warning: The object's label was not specified.\nLabel: ");
664 raw_id_size = sizeof(raw_id);
665 ret = gnutls_hex2bin(id, strlen(id), raw_id, &raw_id_size);
667 fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
671 cid.size = raw_id_size;
674 secret_key = load_secret_key(0, info);
675 if (secret_key != NULL) {
677 gnutls_pkcs11_copy_secret_key(url, secret_key, label,
680 GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
682 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
683 __LINE__, gnutls_strerror(ret));
688 xcrt = load_cert(0, info);
690 ret = gnutls_pkcs11_copy_x509_crt2(url, xcrt, label, &cid, flags);
692 fprintf(stderr, "Error writing certificate: %s\n", gnutls_strerror(ret));
693 if (((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) ||
694 (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)) &&
695 (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO) == 0)
696 fprintf(stderr, "note: some tokens may require security officer login for this operation\n");
700 gnutls_x509_crt_get_key_usage(xcrt, &key_usage, NULL);
703 xkey = load_x509_private_key(0, info);
706 gnutls_pkcs11_copy_x509_privkey2(url, xkey, label,
707 &cid, key_usage|info->key_usage,
709 GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
711 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
712 __LINE__, gnutls_strerror(ret));
717 xpubkey = load_pubkey(0, info);
718 if (xpubkey != NULL) {
720 gnutls_pkcs11_copy_pubkey(url, xpubkey, label,
724 fprintf(stderr, "Error in %s:%d: %s\n", __func__,
725 __LINE__, gnutls_strerror(ret));
730 if (xkey == NULL && xcrt == NULL && secret_key == NULL && xpubkey == NULL) {
732 "You must use --load-privkey, --load-certificate, --load-pubkey or --secret-key to load the file to be copied\n");
740 pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
742 const char *label, const char *id, int detailed,
743 unsigned int flags, common_info_st * info)
746 gnutls_datum_t pubkey;
747 gnutls_datum_t cid = {NULL, 0};
748 unsigned char raw_id[128];
753 FIX(url, outfile, detailed, info);
754 CHECK_LOGIN_FLAG(flags);
757 raw_id_size = sizeof(raw_id);
758 ret = gnutls_hex2bin(id, strlen(id), raw_id, &raw_id_size);
760 fprintf(stderr, "Error converting hex: %s\n", gnutls_strerror(ret));
764 cid.size = raw_id_size;
767 if (outfile == stderr || outfile == stdout) {
768 fprintf(stderr, "warning: no --outfile was specified and the generated public key will be printed on screen.\n");
771 if (label == NULL && info->batch == 0) {
772 label = read_str("warning: Label was not specified.\nLabel: ");
776 gnutls_pkcs11_privkey_generate3(url, pk, bits, label, &cid,
777 GNUTLS_X509_FMT_PEM, &pubkey,
781 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
782 gnutls_strerror(ret));
783 if (bits != 1024 && pk == GNUTLS_PK_RSA)
785 "note: several smart cards do not support arbitrary size keys; try --bits 1024 or 2048.\n");
789 fwrite(pubkey.data, 1, pubkey.size, outfile);
790 gnutls_free(pubkey.data);
796 pkcs11_export_pubkey(FILE * outfile, const char *url, int detailed, unsigned int flags, common_info_st * info)
799 gnutls_datum_t pubkey;
800 gnutls_pkcs11_privkey_t pkey;
804 FIX(url, outfile, detailed, info);
805 CHECK_LOGIN_FLAG(flags);
807 if (outfile == stderr || outfile == stdout) {
808 fprintf(stderr, "warning: no --outfile was specified and the public key will be printed on screen.\n");
812 ret = gnutls_pkcs11_privkey_init(&pkey);
814 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
815 gnutls_strerror(ret));
819 ret = gnutls_pkcs11_privkey_import_url(pkey, url, 0);
821 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
822 gnutls_strerror(ret));
827 gnutls_pkcs11_privkey_export_pubkey(pkey,
828 GNUTLS_X509_FMT_PEM, &pubkey,
831 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
832 gnutls_strerror(ret));
835 gnutls_pkcs11_privkey_deinit(pkey);
837 fwrite(pubkey.data, 1, pubkey.size, outfile);
838 gnutls_free(pubkey.data);
844 pkcs11_init(FILE * outfile, const char *url, const char *label,
845 common_info_st * info)
854 fprintf(stderr, "error: no token URL given to initialize!\n");
858 if (info->so_pin != NULL)
861 pin = getenv("GNUTLS_SO_PIN");
862 if (pin == NULL && info->batch == 0)
863 pin = getpass("Enter Security Officer's PIN: ");
868 if (strlen(pin) >= sizeof(so_pin) || pin[0] == '\n')
873 if (info->so_pin != NULL) {
876 pin = getenv("GNUTLS_PIN");
877 if (pin == NULL && info->batch == 0)
878 pin = getpass("Enter new User's PIN: ");
886 ret = gnutls_pkcs11_token_init(url, so_pin, label);
888 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
889 gnutls_strerror(ret));
893 ret = gnutls_pkcs11_token_set_pin(url, NULL, pin, GNUTLS_PIN_USER);
895 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
896 gnutls_strerror(ret));
903 const char *mech_list[] = {
904 [0] = "CKM_RSA_PKCS_KEY_PAIR_GEN",
905 [1] = "CKM_RSA_PKCS",
906 [2] = "CKM_RSA_9796",
907 [3] = "CKM_RSA_X_509",
908 [4] = "CKM_MD2_RSA_PKCS",
909 [5] = "CKM_MD5_RSA_PKCS",
910 [6] = "CKM_SHA1_RSA_PKCS",
911 [7] = "CKM_RIPEMD128_RSA_PKCS",
912 [8] = "CKM_RIPEMD160_RSA_PKCS",
913 [9] = "CKM_RSA_PKCS_OAEP",
914 [0xa] = "CKM_RSA_X9_31_KEY_PAIR_GEN",
915 [0xb] = "CKM_RSA_X9_31",
916 [0xc] = "CKM_SHA1_RSA_X9_31",
917 [0xd] = "CKM_RSA_PKCS_PSS",
918 [0xe] = "CKM_SHA1_RSA_PKCS_PSS",
919 [0x10] = "CKM_DSA_KEY_PAIR_GEN",
921 [0x12] = "CKM_DSA_SHA1",
922 [0x20] = "CKM_DH_PKCS_KEY_PAIR_GEN",
923 [0x21] = "CKM_DH_PKCS_DERIVE",
924 [0x30] = "CKM_X9_42_DH_KEY_PAIR_GEN",
925 [0x31] = "CKM_X9_42_DH_DERIVE",
926 [0x32] = "CKM_X9_42_DH_HYBRID_DERIVE",
927 [0x33] = "CKM_X9_42_MQV_DERIVE",
928 [0x40] = "CKM_SHA256_RSA_PKCS",
929 [0x41] = "CKM_SHA384_RSA_PKCS",
930 [0x42] = "CKM_SHA512_RSA_PKCS",
931 [0x43] = "CKM_SHA256_RSA_PKCS_PSS",
932 [0x44] = "CKM_SHA384_RSA_PKCS_PSS",
933 [0x45] = "CKM_SHA512_RSA_PKCS_PSS",
934 [0x100] = "CKM_RC2_KEY_GEN",
935 [0x101] = "CKM_RC2_ECB",
936 [0x102] = "CKM_RC2_CBC",
937 [0x103] = "CKM_RC2_MAC",
938 [0x104] = "CKM_RC2_MAC_GENERAL",
939 [0x105] = "CKM_RC2_CBC_PAD",
940 [0x110] = "CKM_RC4_KEY_GEN",
942 [0x120] = "CKM_DES_KEY_GEN",
943 [0x121] = "CKM_DES_ECB",
944 [0x122] = "CKM_DES_CBC",
945 [0x123] = "CKM_DES_MAC",
946 [0x124] = "CKM_DES_MAC_GENERAL",
947 [0x125] = "CKM_DES_CBC_PAD",
948 [0x130] = "CKM_DES2_KEY_GEN",
949 [0x131] = "CKM_DES3_KEY_GEN",
950 [0x132] = "CKM_DES3_ECB",
951 [0x133] = "CKM_DES3_CBC",
952 [0x134] = "CKM_DES3_MAC",
953 [0x135] = "CKM_DES3_MAC_GENERAL",
954 [0x136] = "CKM_DES3_CBC_PAD",
955 [0x140] = "CKM_CDMF_KEY_GEN",
956 [0x141] = "CKM_CDMF_ECB",
957 [0x142] = "CKM_CDMF_CBC",
958 [0x143] = "CKM_CDMF_MAC",
959 [0x144] = "CKM_CDMF_MAC_GENERAL",
960 [0x145] = "CKM_CDMF_CBC_PAD",
962 [0x201] = "CKM_MD2_HMAC",
963 [0x202] = "CKM_MD2_HMAC_GENERAL",
965 [0x211] = "CKM_MD5_HMAC",
966 [0x212] = "CKM_MD5_HMAC_GENERAL",
967 [0x220] = "CKM_SHA_1",
968 [0x221] = "CKM_SHA_1_HMAC",
969 [0x222] = "CKM_SHA_1_HMAC_GENERAL",
970 [0x230] = "CKM_RIPEMD128",
971 [0x231] = "CKM_RIPEMD128_HMAC",
972 [0x232] = "CKM_RIPEMD128_HMAC_GENERAL",
973 [0x240] = "CKM_RIPEMD160",
974 [0x241] = "CKM_RIPEMD160_HMAC",
975 [0x242] = "CKM_RIPEMD160_HMAC_GENERAL",
976 [0x250] = "CKM_SHA256",
977 [0x251] = "CKM_SHA256_HMAC",
978 [0x252] = "CKM_SHA256_HMAC_GENERAL",
979 [0x260] = "CKM_SHA384",
980 [0x261] = "CKM_SHA384_HMAC",
981 [0x262] = "CKM_SHA384_HMAC_GENERAL",
982 [0x270] = "CKM_SHA512",
983 [0x271] = "CKM_SHA512_HMAC",
984 [0x272] = "CKM_SHA512_HMAC_GENERAL",
985 [0x300] = "CKM_CAST_KEY_GEN",
986 [0x301] = "CKM_CAST_ECB",
987 [0x302] = "CKM_CAST_CBC",
988 [0x303] = "CKM_CAST_MAC",
989 [0x304] = "CKM_CAST_MAC_GENERAL",
990 [0x305] = "CKM_CAST_CBC_PAD",
991 [0x310] = "CKM_CAST3_KEY_GEN",
992 [0x311] = "CKM_CAST3_ECB",
993 [0x312] = "CKM_CAST3_CBC",
994 [0x313] = "CKM_CAST3_MAC",
995 [0x314] = "CKM_CAST3_MAC_GENERAL",
996 [0x315] = "CKM_CAST3_CBC_PAD",
997 [0x320] = "CKM_CAST128_KEY_GEN",
998 [0x321] = "CKM_CAST128_ECB",
999 [0x322] = "CKM_CAST128_CBC",
1000 [0x323] = "CKM_CAST128_MAC",
1001 [0x324] = "CKM_CAST128_MAC_GENERAL",
1002 [0x325] = "CKM_CAST128_CBC_PAD",
1003 [0x330] = "CKM_RC5_KEY_GEN",
1004 [0x331] = "CKM_RC5_ECB",
1005 [0x332] = "CKM_RC5_CBC",
1006 [0x333] = "CKM_RC5_MAC",
1007 [0x334] = "CKM_RC5_MAC_GENERAL",
1008 [0x335] = "CKM_RC5_CBC_PAD",
1009 [0x340] = "CKM_IDEA_KEY_GEN",
1010 [0x341] = "CKM_IDEA_ECB",
1011 [0x342] = "CKM_IDEA_CBC",
1012 [0x343] = "CKM_IDEA_MAC",
1013 [0x344] = "CKM_IDEA_MAC_GENERAL",
1014 [0x345] = "CKM_IDEA_CBC_PAD",
1015 [0x350] = "CKM_GENERIC_SECRET_KEY_GEN",
1016 [0x360] = "CKM_CONCATENATE_BASE_AND_KEY",
1017 [0x362] = "CKM_CONCATENATE_BASE_AND_DATA",
1018 [0x363] = "CKM_CONCATENATE_DATA_AND_BASE",
1019 [0x364] = "CKM_XOR_BASE_AND_DATA",
1020 [0x365] = "CKM_EXTRACT_KEY_FROM_KEY",
1021 [0x370] = "CKM_SSL3_PRE_MASTER_KEY_GEN",
1022 [0x371] = "CKM_SSL3_MASTER_KEY_DERIVE",
1023 [0x372] = "CKM_SSL3_KEY_AND_MAC_DERIVE",
1024 [0x373] = "CKM_SSL3_MASTER_KEY_DERIVE_DH",
1025 [0x374] = "CKM_TLS_PRE_MASTER_KEY_GEN",
1026 [0x375] = "CKM_TLS_MASTER_KEY_DERIVE",
1027 [0x376] = "CKM_TLS_KEY_AND_MAC_DERIVE",
1028 [0x377] = "CKM_TLS_MASTER_KEY_DERIVE_DH",
1029 [0x380] = "CKM_SSL3_MD5_MAC",
1030 [0x381] = "CKM_SSL3_SHA1_MAC",
1031 [0x390] = "CKM_MD5_KEY_DERIVATION",
1032 [0x391] = "CKM_MD2_KEY_DERIVATION",
1033 [0x392] = "CKM_SHA1_KEY_DERIVATION",
1034 [0x3a0] = "CKM_PBE_MD2_DES_CBC",
1035 [0x3a1] = "CKM_PBE_MD5_DES_CBC",
1036 [0x3a2] = "CKM_PBE_MD5_CAST_CBC",
1037 [0x3a3] = "CKM_PBE_MD5_CAST3_CBC",
1038 [0x3a4] = "CKM_PBE_MD5_CAST128_CBC",
1039 [0x3a5] = "CKM_PBE_SHA1_CAST128_CBC",
1040 [0x3a6] = "CKM_PBE_SHA1_RC4_128",
1041 [0x3a7] = "CKM_PBE_SHA1_RC4_40",
1042 [0x3a8] = "CKM_PBE_SHA1_DES3_EDE_CBC",
1043 [0x3a9] = "CKM_PBE_SHA1_DES2_EDE_CBC",
1044 [0x3aa] = "CKM_PBE_SHA1_RC2_128_CBC",
1045 [0x3ab] = "CKM_PBE_SHA1_RC2_40_CBC",
1046 [0x3b0] = "CKM_PKCS5_PBKD2",
1047 [0x3c0] = "CKM_PBA_SHA1_WITH_SHA1_HMAC",
1048 [0x400] = "CKM_KEY_WRAP_LYNKS",
1049 [0x401] = "CKM_KEY_WRAP_SET_OAEP",
1050 [0x1000] = "CKM_SKIPJACK_KEY_GEN",
1051 [0x1001] = "CKM_SKIPJACK_ECB64",
1052 [0x1002] = "CKM_SKIPJACK_CBC64",
1053 [0x1003] = "CKM_SKIPJACK_OFB64",
1054 [0x1004] = "CKM_SKIPJACK_CFB64",
1055 [0x1005] = "CKM_SKIPJACK_CFB32",
1056 [0x1006] = "CKM_SKIPJACK_CFB16",
1057 [0x1007] = "CKM_SKIPJACK_CFB8",
1058 [0x1008] = "CKM_SKIPJACK_WRAP",
1059 [0x1009] = "CKM_SKIPJACK_PRIVATE_WRAP",
1060 [0x100a] = "CKM_SKIPJACK_RELAYX",
1061 [0x1010] = "CKM_KEA_KEY_PAIR_GEN",
1062 [0x1011] = "CKM_KEA_KEY_DERIVE",
1063 [0x1020] = "CKM_FORTEZZA_TIMESTAMP",
1064 [0x1030] = "CKM_BATON_KEY_GEN",
1065 [0x1031] = "CKM_BATON_ECB128",
1066 [0x1032] = "CKM_BATON_ECB96",
1067 [0x1033] = "CKM_BATON_CBC128",
1068 [0x1034] = "CKM_BATON_COUNTER",
1069 [0x1035] = "CKM_BATON_SHUFFLE",
1070 [0x1036] = "CKM_BATON_WRAP",
1071 [0x1040] = "CKM_ECDSA_KEY_PAIR_GEN",
1072 [0x1041] = "CKM_ECDSA",
1073 [0x1042] = "CKM_ECDSA_SHA1",
1074 [0x1050] = "CKM_ECDH1_DERIVE",
1075 [0x1051] = "CKM_ECDH1_COFACTOR_DERIVE",
1076 [0x1052] = "CKM_ECMQV_DERIVE",
1077 [0x1060] = "CKM_JUNIPER_KEY_GEN",
1078 [0x1061] = "CKM_JUNIPER_ECB128",
1079 [0x1062] = "CKM_JUNIPER_CBC128",
1080 [0x1063] = "CKM_JUNIPER_COUNTER",
1081 [0x1064] = "CKM_JUNIPER_SHUFFLE",
1082 [0x1065] = "CKM_JUNIPER_WRAP",
1083 [0x1070] = "CKM_FASTHASH",
1084 [0x1080] = "CKM_AES_KEY_GEN",
1085 [0x1081] = "CKM_AES_ECB",
1086 [0x1082] = "CKM_AES_CBC",
1087 [0x1083] = "CKM_AES_MAC",
1088 [0x1084] = "CKM_AES_MAC_GENERAL",
1089 [0x1085] = "CKM_AES_CBC_PAD",
1090 [0x2000] = "CKM_DSA_PARAMETER_GEN",
1091 [0x2001] = "CKM_DH_PKCS_PARAMETER_GEN",
1092 [0x2002] = "CKM_X9_42_DH_PARAMETER_GEN",
1093 [0x1200] = "CKM_GOSTR3410_KEY_PAIR_GEN",
1094 [0x1201] = "CKM_GOSTR3410",
1095 [0x1202] = "CKM_GOSTR3410_WITH_GOSTR3411",
1096 [0x1203] = "CKM_GOSTR3410_KEY_WRAP",
1097 [0x1204] = "CKM_GOSTR3410_DERIVE",
1098 [0x1210] = "CKM_GOSTR3411",
1099 [0x1211] = "CKM_GOSTR3411_HMAC",
1100 [0x255] = "CKM_SHA224",
1101 [0x256] = "CKM_SHA224_HMAC",
1102 [0x257] = "CKM_SHA224_HMAC_GENERAL",
1103 [0x46] = "CKM_SHA224_RSA_PKCS",
1104 [0x47] = "CKM_SHA224_RSA_PKCS_PSS",
1105 [0x396] = "CKM_SHA224_KEY_DERIVATION",
1106 [0x550] = "CKM_CAMELLIA_KEY_GEN",
1107 [0x551] = "CKM_CAMELLIA_ECB",
1108 [0x552] = "CKM_CAMELLIA_CBC",
1109 [0x553] = "CKM_CAMELLIA_MAC",
1110 [0x554] = "CKM_CAMELLIA_MAC_GENERAL",
1111 [0x555] = "CKM_CAMELLIA_CBC_PAD",
1112 [0x556] = "CKM_CAMELLIA_ECB_ENCRYPT_DATA",
1113 [0x557] = "CKM_CAMELLIA_CBC_ENCRYPT_DATA"
1117 pkcs11_mechanism_list(FILE * outfile, const char *url, unsigned int flags,
1118 common_info_st * info)
1122 unsigned long mechanism;
1125 pkcs11_common(info);
1127 FIX(url, outfile, 0, info);
1132 gnutls_pkcs11_token_get_mechanism(url, idx++,
1137 sizeof(mech_list) / sizeof(mech_list[0]))
1138 str = mech_list[mechanism];
1142 fprintf(outfile, "[0x%.4lx] %s\n", mechanism, str);
1152 pkcs11_get_random(FILE * outfile, const char *url, unsigned bytes,
1153 common_info_st * info)
1158 pkcs11_common(info);
1160 FIX(url, outfile, 0, info);
1162 output = malloc(bytes);
1163 if (output == NULL) {
1164 fprintf(stderr, "Memory error\n");
1168 ret = gnutls_pkcs11_token_get_random(url, output, bytes);
1170 fprintf(stderr, "gnutls_pkcs11_token_get_random: %s\n",
1171 gnutls_strerror(ret));
1175 fwrite(output, 1, bytes, outfile);
1181 void pkcs11_set_val(FILE * outfile, const char *url, int detailed,
1182 unsigned int flags, common_info_st * info,
1183 gnutls_pkcs11_obj_info_t val_type, const char *val)
1186 gnutls_pkcs11_obj_t obj;
1188 pkcs11_common(info);
1190 FIX(url, outfile, detailed, info);
1191 CHECK_LOGIN_FLAG(flags);
1193 ret = gnutls_pkcs11_obj_init(&obj);
1195 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
1196 gnutls_strerror(ret));
1200 ret = gnutls_pkcs11_obj_import_url(obj, url, flags);
1202 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
1203 gnutls_strerror(ret));
1208 gnutls_pkcs11_obj_set_info(obj, val_type, val, strlen(val), flags);
1210 fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
1211 gnutls_strerror(ret));
1214 gnutls_pkcs11_obj_deinit(obj);
1219 void pkcs11_set_id(FILE * outfile, const char *url, int detailed,
1220 unsigned int flags, common_info_st * info,
1223 return pkcs11_set_val(outfile, url, detailed, flags, info, GNUTLS_PKCS11_OBJ_ID_HEX, id);
1226 void pkcs11_set_label(FILE * outfile, const char *url, int detailed,
1227 unsigned int flags, common_info_st * info,
1230 return pkcs11_set_val(outfile, url, detailed, flags, info, GNUTLS_PKCS11_OBJ_LABEL, label);