-rw-r--r-- | SoftHSMv2/configure.ac | 1 | ||||
-rw-r--r-- | SoftHSMv2/src/bin/Makefile.am | 4 | ||||
-rw-r--r-- | SoftHSMv2/src/bin/keyconv/Makefile.am | 26 | ||||
-rw-r--r-- | SoftHSMv2/src/bin/keyconv/base64.c | 311 | ||||
-rw-r--r-- | SoftHSMv2/src/bin/keyconv/softhsm2-keyconv-botan.cpp | 227 | ||||
-rw-r--r-- | SoftHSMv2/src/bin/keyconv/softhsm2-keyconv-ossl.cpp | 261 | ||||
-rw-r--r-- | SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.1 | 63 | ||||
-rw-r--r-- | SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.cpp | 351 | ||||
-rw-r--r-- | SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.h | 134 | ||||
-rw-r--r-- | TPM2-Plugin/lib/include/hwpluginif.h | 11 | ||||
-rw-r--r-- | TPM2-Plugin/lib/include/tpm2_plugin_api.h | 3 | ||||
-rw-r--r-- | TPM2-Plugin/lib/tpm2_plugin_api.c | 69 | ||||
-rw-r--r-- | TPM2-Plugin/test/main.c | 5 |
13 files changed, 83 insertions, 1383 deletions
diff --git a/SoftHSMv2/configure.ac b/SoftHSMv2/configure.ac index eb95bdd..48a4bc2 100644 --- a/SoftHSMv2/configure.ac +++ b/SoftHSMv2/configure.ac @@ -219,7 +219,6 @@ AC_CONFIG_FILES([ src/bin/Makefile src/bin/common/Makefile src/bin/dump/Makefile - src/bin/keyconv/Makefile src/bin/migrate/Makefile src/bin/util/Makefile ]) diff --git a/SoftHSMv2/src/bin/Makefile.am b/SoftHSMv2/src/bin/Makefile.am index 06a03d9..b4a4f57 100644 --- a/SoftHSMv2/src/bin/Makefile.am +++ b/SoftHSMv2/src/bin/Makefile.am @@ -1,9 +1,9 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in -SUBDIRS = common keyconv util dump +SUBDIRS = common util dump if BUILD_MIGRATE SUBDIRS += migrate endif -#EXTRA_DIST = +#EXTRA_DIST = diff --git a/SoftHSMv2/src/bin/keyconv/Makefile.am b/SoftHSMv2/src/bin/keyconv/Makefile.am deleted file mode 100644 index b4268c2..0000000 --- a/SoftHSMv2/src/bin/keyconv/Makefile.am +++ /dev/null @@ -1,26 +0,0 @@ -MAINTAINERCLEANFILES = $(srcdir)/Makefile.in - -AM_CPPFLAGS = -I$(srcdir)/../../lib/crypto \ - @CRYPTO_INCLUDES@ - -dist_man_MANS = softhsm2-keyconv.1 - -bin_PROGRAMS = softhsm2-keyconv - -softhsm2_keyconv_SOURCES = softhsm2-keyconv.cpp \ - base64.c -softhsm2_keyconv_LDADD = @CRYPTO_LIBS@ - -# Compile with OpenSSL support -if WITH_OPENSSL -softhsm2_keyconv_SOURCES += softhsm2-keyconv-ossl.cpp \ - ../../lib/crypto/OSSLComp.cpp -endif - -# Compile with Botan support -if WITH_BOTAN -softhsm2_keyconv_SOURCES += softhsm2-keyconv-botan.cpp -endif - -EXTRA_DIST = $(srcdir)/*.h \ - $(srcdir)/*.cpp diff --git a/SoftHSMv2/src/bin/keyconv/base64.c b/SoftHSMv2/src/bin/keyconv/base64.c deleted file mode 100644 index 3eb1201..0000000 --- a/SoftHSMv2/src/bin/keyconv/base64.c +++ /dev/null 
@@ -1,311 +0,0 @@ -/* $OpenBSD: base64.c,v 1.3 2002/06/09 08:13:07 todd Exp $ */ - -/* - * Copyright (c) 1996-1999 by Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE - * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL - * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR - * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS - * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS - * SOFTWARE. - */ - -/* - * Portions Copyright (c) 1995 by International Business Machines, Inc. - * - * International Business Machines, Inc. (hereinafter called IBM) grants - * permission under its copyrights to use, copy, modify, and distribute this - * Software with or without fee, provided that the above copyright notice and - * all paragraphs of this notice appear in all copies, and that the name of IBM - * not be used in connection with the marketing of any product incorporating - * the Software or modifications thereof, without specific, written prior - * permission. - * - * To the extent it has a right to do so, IBM grants an immunity from suit - * under its patents, if any, for the use, sale or manufacture of products to - * the extent that such products are used for performing Domain Name System - * dynamic updates in TCP/IP networks by means of the Software. No immunity is - * granted for any product per se or for any other function of any product. 
- * - * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, - * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN - * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. - */ - -#if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$ISC: base64.c,v 8.6 1999/01/08 19:25:18 vixie Exp $"; -#endif /* not lint */ - -#include <sys/types.h> -#ifndef _WIN32 -#include <sys/param.h> -#include <sys/socket.h> -#endif - -#include <ctype.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#define Assert(Cond) if (!(Cond)) abort() - -static const char Base64[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; -static const char Pad64 = '='; - -/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt) - The following encoding technique is taken from RFC 1521 by Borenstein - and Freed. It is reproduced here in a slightly edited form for - convenience. - - A 65-character subset of US-ASCII is used, enabling 6 bits to be - represented per printable character. (The extra 65th character, "=", - is used to signify a special processing function.) - - The encoding process represents 24-bit groups of input bits as output - strings of 4 encoded characters. Proceeding from left to right, a - 24-bit input group is formed by concatenating 3 8-bit input groups. - These 24 bits are then treated as 4 concatenated 6-bit groups, each - of which is translated into a single digit in the base64 alphabet. - - Each 6-bit group is used as an index into an array of 64 printable - characters. The character referenced by the index is placed in the - output string. 
- - Table 1: The Base64 Alphabet - - Value Encoding Value Encoding Value Encoding Value Encoding - 0 A 17 R 34 i 51 z - 1 B 18 S 35 j 52 0 - 2 C 19 T 36 k 53 1 - 3 D 20 U 37 l 54 2 - 4 E 21 V 38 m 55 3 - 5 F 22 W 39 n 56 4 - 6 G 23 X 40 o 57 5 - 7 H 24 Y 41 p 58 6 - 8 I 25 Z 42 q 59 7 - 9 J 26 a 43 r 60 8 - 10 K 27 b 44 s 61 9 - 11 L 28 c 45 t 62 + - 12 M 29 d 46 u 63 / - 13 N 30 e 47 v - 14 O 31 f 48 w (pad) = - 15 P 32 g 49 x - 16 Q 33 h 50 y - - Special processing is performed if fewer than 24 bits are available - at the end of the data being encoded. A full encoding quantum is - always completed at the end of a quantity. When fewer than 24 input - bits are available in an input group, zero bits are added (on the - right) to form an integral number of 6-bit groups. Padding at the - end of the data is performed using the '=' character. - - Since all base64 input is an integral number of octets, only the - ------------------------------------------------- - following cases can arise: - - (1) the final quantum of encoding input is an integral - multiple of 24 bits; here, the final unit of encoded - output will be an integral multiple of 4 characters - with no "=" padding, - (2) the final quantum of encoding input is exactly 8 bits; - here, the final unit of encoded output will be two - characters followed by two "=" padding characters, or - (3) the final quantum of encoding input is exactly 16 bits; - here, the final unit of encoded output will be three - characters followed by one "=" padding character. 
- */ - -int -b64_ntop(unsigned char const *src, size_t srclength, char *target, size_t targsize) { - size_t datalength = 0; - unsigned char input[3]; - unsigned char output[4]; - size_t i; - - while (2 < srclength) { - input[0] = *src++; - input[1] = *src++; - input[2] = *src++; - srclength -= 3; - - output[0] = input[0] >> 2; - output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); - output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); - output[3] = input[2] & 0x3f; - Assert(output[0] < 64); - Assert(output[1] < 64); - Assert(output[2] < 64); - Assert(output[3] < 64); - - if (datalength + 4 > targsize) - return (-1); - target[datalength++] = Base64[output[0]]; - target[datalength++] = Base64[output[1]]; - target[datalength++] = Base64[output[2]]; - target[datalength++] = Base64[output[3]]; - } - - /* Now we worry about padding. */ - if (0 != srclength) { - /* Get what's left. */ - input[0] = input[1] = input[2] = '\0'; - for (i = 0; i < srclength; i++) - input[i] = *src++; - - output[0] = input[0] >> 2; - output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); - output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); - Assert(output[0] < 64); - Assert(output[1] < 64); - Assert(output[2] < 64); - - if (datalength + 4 > targsize) - return (-1); - target[datalength++] = Base64[output[0]]; - target[datalength++] = Base64[output[1]]; - if (srclength == 1) - target[datalength++] = Pad64; - else - target[datalength++] = Base64[output[2]]; - target[datalength++] = Pad64; - } - if (datalength >= targsize) - return (-1); - target[datalength] = '\0'; /* Returned value doesn't count \0. */ - return (datalength); -} - -/* skips all whitespace anywhere. - converts characters, four at a time, starting at (or after) - src from base - 64 numbers into three 8 bit bytes in the target area. - it returns the number of data bytes stored at the target, or -1 on error. 
- */ - -int -b64_pton(char const *src, unsigned char *target, size_t targsize) { - int tarindex, state, ch; - char *pos; - - state = 0; - tarindex = 0; - - while ((ch = *src++) != '\0') { - if (isspace(ch)) /* Skip whitespace anywhere. */ - continue; - - if (ch == Pad64) - break; - - pos = strchr(Base64, ch); - if (pos == 0) /* A non-base64 character. */ - return (-1); - - switch (state) { - case 0: - if (target) { - if ((size_t)tarindex >= targsize) - return (-1); - target[tarindex] = (pos - Base64) << 2; - } - state = 1; - break; - case 1: - if (target) { - if ((size_t)tarindex + 1 >= targsize) - return (-1); - target[tarindex] |= (pos - Base64) >> 4; - target[tarindex+1] = ((pos - Base64) & 0x0f) - << 4 ; - } - tarindex++; - state = 2; - break; - case 2: - if (target) { - if ((size_t)tarindex + 1 >= targsize) - return (-1); - target[tarindex] |= (pos - Base64) >> 2; - target[tarindex+1] = ((pos - Base64) & 0x03) - << 6; - } - tarindex++; - state = 3; - break; - case 3: - if (target) { - if ((size_t)tarindex >= targsize) - return (-1); - target[tarindex] |= (pos - Base64); - } - tarindex++; - state = 0; - break; - default: - abort(); - } - } - - /* - * We are done decoding Base-64 chars. Let's see if we ended - * on a byte boundary, and/or with erroneous trailing characters. - */ - - if (ch == Pad64) { /* We got a pad char. */ - ch = *src++; /* Skip it, get next. */ - switch (state) { - case 0: /* Invalid = in first position */ - case 1: /* Invalid = in second position */ - return (-1); - - case 2: /* Valid, means one byte of info */ - /* Skip any number of spaces. */ - for ((void)NULL; ch != '\0'; ch = *src++) - if (!isspace(ch)) - break; - /* Make sure there is another trailing = sign. */ - if (ch != Pad64) - return (-1); - ch = *src++; /* Skip the = */ - /* Fall through to "single trailing =" case. */ - /* FALLTHROUGH */ - - case 3: /* Valid, means two bytes of info */ - /* - * We know this char is an =. Is there anything but - * whitespace after it? 
- */ - for ((void)NULL; ch != '\0'; ch = *src++) - if (!isspace(ch)) - return (-1); - - /* - * Now make sure for cases 2 and 3 that the "extra" - * bits that slopped past the last full byte were - * zeros. If we don't check them, they become a - * subliminal channel. - */ - if (target && target[tarindex] != 0) - return (-1); - } - } else { - /* - * We ended by seeing the end of the string. Make sure we - * have no partial bytes lying around. - */ - if (state != 0) - return (-1); - } - - return (tarindex); -} diff --git a/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv-botan.cpp b/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv-botan.cpp deleted file mode 100644 index cb5700f..0000000 --- a/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv-botan.cpp +++ /dev/null 
@@ -1,227 +0,0 @@ -/* - * Copyright (c) 2010 .SE (The Internet Infrastructure Foundation) - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE - * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER - * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN - * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -/***************************************************************************** - softhsm2-keyconv-botan.cpp - - Code specific for Botan - *****************************************************************************/ - -#include <config.h> -#define KEYCONV_BOTAN -#include "softhsm2-keyconv.h" - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <iostream> -#include <fstream> - -#include <botan/init.h> -#include <botan/auto_rng.h> -#include <botan/pkcs8.h> -#include <botan/rsa.h> -#include <botan/dsa.h> -#include <botan/bigint.h> -#include <botan/version.h> - -// Init Botan -void crypto_init() -{ - Botan::LibraryInitializer::initialize(); -} - -// Final Botan -void crypto_final() -{ - Botan::LibraryInitializer::deinitialize(); -} - -// Save the RSA key as a PKCS#8 file -int save_rsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey) -{ - int result = 0; - Botan::Private_Key* priv_key = NULL; - Botan::AutoSeeded_RNG* rng = NULL; - Botan::BigInt bigE, bigP, bigQ, bigN, bigD; - - // See if the key material was found. 
- if - ( - pkey[TAG_MODULUS].size <= 0 || - pkey[TAG_PUBEXP].size <= 0 || - pkey[TAG_PRIVEXP].size <= 0 || - pkey[TAG_PRIME1].size <= 0 || - pkey[TAG_PRIME2].size <= 0 - ) - { - fprintf(stderr, "ERROR: Some parts of the key material is missing in the input file.\n"); - return 1; - } - - bigE = Botan::BigInt((Botan::byte*)pkey[TAG_PUBEXP].big, pkey[TAG_PUBEXP].size); - bigP = Botan::BigInt((Botan::byte*)pkey[TAG_PRIME1].big, pkey[TAG_PRIME1].size); - bigQ = Botan::BigInt((Botan::byte*)pkey[TAG_PRIME2].big, pkey[TAG_PRIME2].size); - bigN = Botan::BigInt((Botan::byte*)pkey[TAG_MODULUS].big, pkey[TAG_MODULUS].size); - bigD = Botan::BigInt((Botan::byte*)pkey[TAG_PRIVEXP].big, pkey[TAG_PRIVEXP].size); - - rng = new Botan::AutoSeeded_RNG(); - - try - { -#if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,11,34) - priv_key = new Botan::RSA_PrivateKey(bigP, bigQ, bigE, bigD, bigN); -#else - priv_key = new Botan::RSA_PrivateKey(*rng, bigP, bigQ, bigE, bigD, bigN); -#endif - } - catch(std::exception& e) - { - fprintf(stderr, "%s\n", e.what()); - fprintf(stderr, "ERROR: Could not extract the private key from the file.\n"); - delete rng; - return 1; - } - - std::ofstream priv_file(out_path); - if (!priv_file.is_open()) - { - fprintf(stderr, "ERROR: Could not open file for output.\n"); - delete rng; - delete priv_key; - return 1; - } - - try - { - if (file_pin == NULL) - { - priv_file << Botan::PKCS8::PEM_encode(*priv_key); - } - else - { -#if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,11,0) - priv_file << Botan::PKCS8::PEM_encode(*priv_key, *rng, file_pin, std::chrono::milliseconds(300), "PBE-PKCS5v15(MD5,DES/CBC)"); -#else - priv_file << Botan::PKCS8::PEM_encode(*priv_key, *rng, file_pin, "PBE-PKCS5v15(MD5,DES/CBC)"); -#endif - } - - printf("The key has been written to %s\n", out_path); - } - catch(std::exception& e) - { - fprintf(stderr, "%s\n", e.what()); - fprintf(stderr, "ERROR: Could not write to file.\n"); - result = 1; - } - - delete rng; - delete priv_key; - 
priv_file.close(); - - return result; -} - -// Save the DSA key as a PKCS#8 file -int save_dsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey) -{ - int result = 0; - Botan::Private_Key* priv_key = NULL; - Botan::AutoSeeded_RNG* rng = NULL; - Botan::BigInt bigDP, bigDQ, bigDG, bigDX; - - // See if the key material was found. - if - ( - pkey[TAG_PRIME].size <= 0 || - pkey[TAG_SUBPRIME].size <= 0 || - pkey[TAG_BASE].size <= 0 || - pkey[TAG_PRIVVAL].size <= 0 - ) - { - fprintf(stderr, "ERROR: Some parts of the key material is missing in the input file.\n"); - return 1; - } - - bigDP = Botan::BigInt((Botan::byte*)pkey[TAG_PRIME].big, pkey[TAG_PRIME].size); - bigDQ = Botan::BigInt((Botan::byte*)pkey[TAG_SUBPRIME].big, pkey[TAG_SUBPRIME].size); - bigDG = Botan::BigInt((Botan::byte*)pkey[TAG_BASE].big, pkey[TAG_BASE].size); - bigDX = Botan::BigInt((Botan::byte*)pkey[TAG_PRIVVAL].big, pkey[TAG_PRIVVAL].size); - - rng = new Botan::AutoSeeded_RNG(); - - try - { - priv_key = new Botan::DSA_PrivateKey(*rng, Botan::DL_Group(bigDP, bigDQ, bigDG), bigDX); - } - catch (std::exception& e) - { - fprintf(stderr, "%s\n", e.what()); - fprintf(stderr, "ERROR: Could not extract the private key from the file.\n"); - delete rng; - return 1; - } - - std::ofstream priv_file(out_path); - if (!priv_file.is_open()) - { - fprintf(stderr, "ERROR: Could not open file for output.\n"); - delete rng; - delete priv_key; - return 1; - } - - try - { - if (file_pin == NULL) - { - priv_file << Botan::PKCS8::PEM_encode(*priv_key); - } - else - { -#if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,11,0) - priv_file << Botan::PKCS8::PEM_encode(*priv_key, *rng, file_pin, std::chrono::milliseconds(300), "PBE-PKCS5v15(MD5,DES/CBC)"); -#else - priv_file << Botan::PKCS8::PEM_encode(*priv_key, *rng, file_pin, "PBE-PKCS5v15(MD5,DES/CBC)"); -#endif - } - - printf("The key has been written to %s\n", out_path); - } - catch (std::exception& e) - { - fprintf(stderr, "%s\n", e.what()); - fprintf(stderr, 
"ERROR: Could not write to file.\n"); - result = 1; - } - - delete rng; - delete priv_key; - priv_file.close(); - - return result; -} diff --git a/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv-ossl.cpp b/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv-ossl.cpp deleted file mode 100644 index a5cd8eb..0000000 --- a/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv-ossl.cpp +++ /dev/null 
@@ -1,261 +0,0 @@ -/* - * Copyright (c) 2010 .SE (The Internet Infrastructure Foundation) - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE - * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER - * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN - * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -/***************************************************************************** - softhsm2-keyconv-ossl.cpp - - Code specific for OpenSSL - *****************************************************************************/ - -#include <config.h> -#define KEYCONV_OSSL -#include "softhsm2-keyconv.h" -#include "OSSLComp.h" - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <iostream> -#include <fstream> - -#include <openssl/pem.h> -#include <openssl/evp.h> -#include <openssl/err.h> -#include <openssl/pkcs12.h> -#include <openssl/dsa.h> -#include <openssl/rsa.h> - -// Init OpenSSL -void crypto_init() -{ - OpenSSL_add_all_algorithms(); -#ifdef WITH_FIPS - if (!FIPS_mode_set(1)) - { - fprintf(stderr, "ERROR: can't enter into FIPS mode.\n"); - exit(0); - } -#endif -} - -// Final OpenSSL -void crypto_final() -{ - EVP_cleanup(); - CRYPTO_cleanup_all_ex_data(); -} - -// Save the RSA key as a PKCS#8 file -int save_rsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey) -{ - RSA* rsa = NULL; - EVP_PKEY* ossl_pkey = NULL; - PKCS8_PRIV_KEY_INFO* p8inf = NULL; - BIO* out = NULL; - X509_SIG* p8 = NULL; - int result = 0; - - // See if the key material was found. 
- if - ( - pkey[TAG_MODULUS].size <= 0 || - pkey[TAG_PUBEXP].size <= 0 || - pkey[TAG_PRIVEXP].size <= 0 || - pkey[TAG_PRIME1].size <= 0 || - pkey[TAG_PRIME2].size <= 0 || - pkey[TAG_EXP1].size <= 0 || - pkey[TAG_EXP2].size <= 0 || - pkey[TAG_COEFF].size <= 0 - ) - { - fprintf(stderr, "ERROR: Some parts of the key material is missing in the input file.\n"); - return 1; - } - - rsa = RSA_new(); - BIGNUM* bn_p = BN_bin2bn((unsigned char*)pkey[TAG_PRIME1].big, pkey[TAG_PRIME1].size, NULL); - BIGNUM* bn_q = BN_bin2bn((unsigned char*)pkey[TAG_PRIME2].big, pkey[TAG_PRIME2].size, NULL); - BIGNUM* bn_d = BN_bin2bn((unsigned char*)pkey[TAG_PRIVEXP].big, pkey[TAG_PRIVEXP].size, NULL); - BIGNUM* bn_n = BN_bin2bn((unsigned char*)pkey[TAG_MODULUS].big, pkey[TAG_MODULUS].size, NULL); - BIGNUM* bn_e = BN_bin2bn((unsigned char*)pkey[TAG_PUBEXP].big, pkey[TAG_PUBEXP].size, NULL); - BIGNUM* bn_dmp1 = BN_bin2bn((unsigned char*)pkey[TAG_EXP1].big, pkey[TAG_EXP1].size, NULL); - BIGNUM* bn_dmq1 = BN_bin2bn((unsigned char*)pkey[TAG_EXP2].big, pkey[TAG_EXP2].size, NULL); - BIGNUM* bn_iqmp = BN_bin2bn((unsigned char*)pkey[TAG_COEFF].big, pkey[TAG_COEFF].size, NULL); - RSA_set0_factors(rsa, bn_p, bn_q); - RSA_set0_crt_params(rsa, bn_dmp1, bn_dmq1, bn_iqmp); - RSA_set0_key(rsa, bn_n, bn_e, bn_d); - - ossl_pkey = EVP_PKEY_new(); - - // Convert RSA to EVP_PKEY - if (!EVP_PKEY_set1_RSA(ossl_pkey, rsa)) - { - fprintf(stderr, "ERROR: Could not convert RSA key to EVP_PKEY.\n"); - RSA_free(rsa); - EVP_PKEY_free(ossl_pkey); - return 1; - } - RSA_free(rsa); - - // Convert EVP_PKEY to PKCS#8 - if (!(p8inf = EVP_PKEY2PKCS8(ossl_pkey))) - { - fprintf(stderr, "ERROR: Could not convert EVP_PKEY to PKCS#8.\n"); - EVP_PKEY_free(ossl_pkey); - return 1; - } - EVP_PKEY_free(ossl_pkey); - - // Open output file - if (!(out = BIO_new_file (out_path, "wb"))) - { - fprintf(stderr, "ERROR: Could not open the output file.\n"); - PKCS8_PRIV_KEY_INFO_free(p8inf); - return 1; - } - - // Write to disk - if (file_pin == 
NULL) - { - PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf); - printf("The key has been written to %s\n", out_path); - } - else - { - // Encrypt p8 - if (!(p8 = PKCS8_encrypt(NID_pbeWithMD5AndDES_CBC, NULL, - file_pin, strlen(file_pin), NULL, - 0, PKCS12_DEFAULT_ITER, p8inf))) - { - fprintf(stderr, "ERROR: Could not encrypt the PKCS#8 file\n"); - result = 1; - } - else - { - PEM_write_bio_PKCS8(out, p8); - X509_SIG_free(p8); - printf("The key has been written to %s\n", out_path); - } - } - - PKCS8_PRIV_KEY_INFO_free(p8inf); - BIO_free_all(out); - - return result; -} - -// Save the DSA key as a PKCS#8 file -int save_dsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey) -{ - DSA* dsa = NULL; - EVP_PKEY* ossl_pkey = NULL; - PKCS8_PRIV_KEY_INFO* p8inf = NULL; - BIO* out = NULL; - X509_SIG* p8 = NULL; - int result = 0; - - // See if the key material was found. - if - ( - pkey[TAG_PRIME].size <= 0 || - pkey[TAG_SUBPRIME].size <= 0 || - pkey[TAG_BASE].size <= 0 || - pkey[TAG_PRIVVAL].size <= 0 || - pkey[TAG_PUBVAL].size <= 0 - ) - { - fprintf(stderr, "ERROR: Some parts of the key material is missing in the input file.\n"); - return 1; - } - - dsa = DSA_new(); - BIGNUM* bn_p = BN_bin2bn((unsigned char*)pkey[TAG_PRIME].big, pkey[TAG_PRIME].size, NULL); - BIGNUM* bn_q = BN_bin2bn((unsigned char*)pkey[TAG_SUBPRIME].big, pkey[TAG_SUBPRIME].size, NULL); - BIGNUM* bn_g = BN_bin2bn((unsigned char*)pkey[TAG_BASE].big, pkey[TAG_BASE].size, NULL); - BIGNUM* bn_priv_key = BN_bin2bn((unsigned char*)pkey[TAG_PRIVVAL].big, pkey[TAG_PRIVVAL].size, NULL); - BIGNUM* bn_pub_key = BN_bin2bn((unsigned char*)pkey[TAG_PUBVAL].big, pkey[TAG_PUBVAL].size, NULL); - - DSA_set0_pqg(dsa, bn_p, bn_q, bn_g); - DSA_set0_key(dsa, bn_pub_key, bn_priv_key); - - ossl_pkey = EVP_PKEY_new(); - - // Convert DSA to EVP_PKEY - if (!EVP_PKEY_set1_DSA(ossl_pkey, dsa)) - { - fprintf(stderr, "ERROR: Could not convert DSA key to EVP_PKEY.\n"); - DSA_free(dsa); - EVP_PKEY_free(ossl_pkey); - return 1; - } - 
DSA_free(dsa); - - // Convert EVP_PKEY to PKCS#8 - if (!(p8inf = EVP_PKEY2PKCS8(ossl_pkey))) - { - fprintf(stderr, "ERROR: Could not convert EVP_PKEY to PKCS#8.\n"); - EVP_PKEY_free(ossl_pkey); - return 1; - } - EVP_PKEY_free(ossl_pkey); - - // Open output file - if (!(out = BIO_new_file (out_path, "wb"))) - { - fprintf(stderr, "ERROR: Could not open the output file.\n"); - PKCS8_PRIV_KEY_INFO_free(p8inf); - return 1; - } - - // Write to disk - if (file_pin == NULL) - { - PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf); - printf("The key has been written to %s\n", out_path); - } - else - { - // Encrypt p8 - if (!(p8 = PKCS8_encrypt(NID_pbeWithMD5AndDES_CBC, NULL, - file_pin, strlen(file_pin), NULL, - 0, PKCS12_DEFAULT_ITER, p8inf))) - { - fprintf(stderr, "ERROR: Could not encrypt the PKCS#8 file\n"); - result = 1; - } - else - { - PEM_write_bio_PKCS8(out, p8); - X509_SIG_free(p8); - printf("The key has been written to %s\n", out_path); - } - } - - PKCS8_PRIV_KEY_INFO_free(p8inf); - BIO_free_all(out); - - return result; -} diff --git a/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.1 b/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.1 deleted file mode 100644 index b716bc8..0000000 --- a/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.1 +++ /dev/null 
@@ -1,63 +0,0 @@ -.TH SOFTHSM2-KEYCONV 1 "20 March 2014" "SoftHSM" -.SH NAME -softhsm2-keyconv \- converting from BIND to PKCS#8 key file format -.SH SYNOPSIS -.B softhsm2-keyconv -.B \-\-in -.I path -.B \-\-out -.I path -.RB [ \-\-pin -.IR PIN ] -.SH DESCRIPTION -.B softhsm2-keyconv -can convert BIND .private-key files to the PKCS#8 file format. -This is so that you can import the PKCS#8 file into -libsofthsm using the command -.BR softhsm2\-util . -If you have another file format, then -.B openssl -probably can help you to convert it into the PKCS#8 file format. -.SH OPTIONS -.B \-\-help\fR, \fB\-h\fR -Shows the help screen. -.TP -.B \-\-in \fIpath\fR -The -.I path -to the input file. -.TP -.B \-\-out \fIpath\fR -The -.I path -to the output file. -.TP -.B \-\-pin \fIPIN\fR -The -.I PIN -will be used to encrypt the PKCS#8 file. -If not given then the PKCS#8 file will be unencrypted. -.TP -.B \-\-version\fR, \fB\-v\fR -Show the version info. -.SH EXAMPLES -The following command can be used to convert a BIND .private-key file to a PKCS#8 file: -.LP -.RS -.nf -softhsm2-keyconv \-\-in Kexample.com.+007+05474.private \\ -.ti +0.7i -\-\-out rsa.pem -.fi -.RE -.LP -.SH AUTHORS -Written by Rickard Bellgrim, Francis Dupont, René Post, and Roland van Rijswijk. -.SH "SEE ALSO" -.IR softhsm2-migrate (1), -.IR softhsm2-util (1), -.IR softhsm2.conf (5), -.IR openssl (1), -.IR named (1), -.IR dnssec-keygen (1), -.IR dnssec-signzone (1) diff --git a/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.cpp b/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.cpp deleted file mode 100644 index aeb75c3..0000000 --- a/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.cpp +++ /dev/null 
@@ -1,351 +0,0 @@ -/* - * Copyright (c) 2010 .SE (The Internet Infrastructure Foundation) - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE - * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER - * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN - * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/************************************************************ -* -* softhsm2-keyconv -* -* This program is for converting from BIND .private-key -* format to PKCS#8 key file format. So that keys can be -* imported from BIND to SoftHSM. -* -* Some of the design/code is from keyconv.c written by -* Hakan Olsson and Jakob Schlyter in 2000 and 2001. 
-* -************************************************************/ - -#include <config.h> -#include "softhsm2-keyconv.h" - -#include <stdio.h> -#include <stdlib.h> -#include <getopt.h> -#include <string.h> -#ifndef _WIN32 -#include <unistd.h> -#else -#include <io.h> -#define S_IRUSR 0400 -#define S_IWUSR 0200 -#define open _open -#define close _close -#endif -#include <iostream> -#include <fstream> -#include <stdint.h> -#include <errno.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> - -void usage() -{ - printf("Converting from BIND .private-key format to PKCS#8 key file format.\n"); - printf("Usage: softhsm2-keyconv [OPTIONS]\n"); - printf("Options:\n"); - printf(" -h Shows this help screen.\n"); - printf(" --help Shows this help screen.\n"); - printf(" --in <path> The path to the input file.\n"); - printf(" --out <path> The path to the output file.\n"); - printf(" --pin <PIN> To encrypt PKCS#8 file. Optional.\n"); - printf(" -v Show version info.\n"); - printf(" --version Show version info.\n"); -} - -// Give a number to each option -enum { - OPT_HELP = 0x100, - OPT_IN, - OPT_OUT, - OPT_PIN, - OPT_VERSION -}; - -// Define the options -static const struct option long_options[] = { - { "help", 0, NULL, OPT_HELP }, - { "in", 1, NULL, OPT_IN }, - { "out", 1, NULL, OPT_OUT }, - { "pin", 1, NULL, OPT_PIN }, - { "version", 0, NULL, OPT_VERSION }, - { NULL, 0, NULL, 0 } -}; - -int main(int argc, char* argv[]) -{ - int option_index = 0; - int opt, result; - - char* in_path = NULL; - char* out_path = NULL; - char* file_pin = NULL; - - if (argc == 1) - { - usage(); - exit(0); - } - - while ((opt = getopt_long(argc, argv, "hv", long_options, &option_index)) != -1) - { - switch (opt) - { - case OPT_IN: - in_path = optarg; - break; - case OPT_OUT: - out_path = optarg; - break; - case OPT_PIN: - file_pin = optarg; - break; - case OPT_VERSION: - case 'v': - printf("%s\n", PACKAGE_VERSION); - exit(0); - break; - case OPT_HELP: - case 'h': - default: - usage(); 
- exit(0); - break; - } - } - - // We should convert to PKCS#8 - result = to_pkcs8(in_path, out_path, file_pin); - - return result; -} - -// Convert from BIND to PKCS#8 -int to_pkcs8(char* in_path, char* out_path, char* file_pin) -{ - FILE* file_pointer = NULL; - char line[MAX_LINE], data[MAX_LINE]; - char* value_pointer = NULL; - int lineno = 0, m, n, error = 0, found, algorithm = DNS_KEYALG_ERROR, data_length; - uint32_t bitfield = 0; - key_material_t pkey[TAG_MAX]; - - if (in_path == NULL) - { - fprintf(stderr, "ERROR: A path to the input file must be supplied. Use --in <path>\n"); - return 1; - } - - if (out_path == NULL) - { - fprintf(stderr, "ERROR: A path to the output file must be supplied. Use --out <path>\n"); - return 1; - } - - file_pointer = fopen(in_path, "r"); - if (file_pointer == NULL) - { - fprintf(stderr, "ERROR: Could not open input file %.100s for reading.\n", in_path); - return 1; - } - - // Loop over all of the lines - while (fgets(line, MAX_LINE, file_pointer) != NULL) - { - lineno++; - - // Find the current text field in the BIND file. - for (m = 0, found = -1; found == -1 && file_tags[m]; m++) - { - if (strncasecmp(line, file_tags[m], strlen(file_tags[m])) == 0) - { - found = m; - } - } - - // The text files is not recognized. - if (found == -1) - { - fprintf(stderr, "ERROR: Unrecognized input line %i\n", lineno); - fprintf(stderr, "ERROR: --> %s", line); - continue; - } - - // Point to the data for this text field. - value_pointer = line + strlen(file_tags[found]) + 1; - - // Continue if we are at the end of the string - if (*value_pointer == 0) - { - continue; - } - - // Check that we do not get duplicates. - if (bitfield & (1 << found)) - { - fprintf(stderr, "ERROR: Duplicate \"%s\" field, line %i - ignored\n", - file_tags[found], lineno); - continue; - } - bitfield |= (1 << found); - - // Handle the data for this text field. 
- switch (found) - { - case TAG_VERSION: - if (sscanf(value_pointer, "v%i.%i", &m, &n) != 2) - { - fprintf(stderr, "ERROR: Invalid/unknown version string " - "(%.100s).\n", value_pointer); - error = 1; - break; - } - if (m > FILE_MAJOR_VERSION || (m == FILE_MAJOR_VERSION && n > FILE_MINOR_VERSION)) - { - fprintf(stderr, "ERROR: Cannot parse this version of file format, " - "v%i.%i.\n", m, n); - error = 1; - } - break; - case TAG_ALGORITHM: - algorithm = strtol(value_pointer, NULL, 10); - break; - // RSA - case TAG_MODULUS: - case TAG_PUBEXP: - case TAG_PRIVEXP: - case TAG_PRIME1: - case TAG_PRIME2: - case TAG_EXP1: - case TAG_EXP2: - case TAG_COEFF: - // DSA - case TAG_PRIME: - case TAG_SUBPRIME: - case TAG_BASE: - case TAG_PRIVVAL: - case TAG_PUBVAL: - data_length = b64_pton(value_pointer, (unsigned char*)data, MAX_LINE); - if (data_length == -1) - { - error = 1; - fprintf(stderr, "ERROR: Could not parse the base64 string on line %i.\n", lineno); - } - else - { - pkey[found].big = malloc(data_length); - if (!pkey[found].big) - { - fprintf(stderr, "ERROR: Could not allocate memory.\n"); - error = 1; - break; - } - memcpy(pkey[found].big, data, data_length); - pkey[found].size = data_length; - } - break; - // Do not need these - case TAG_CREATED: - case TAG_PUBLISH: - case TAG_ACTIVATE: - default: - break; - } - } - - fclose(file_pointer); - - // Something went wrong. Clean up and quit. - if (error) - { - free_key_material(pkey); - return error; - } - - // Create and set file permissions if the file does not exist. 
- int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR); - if (fd == -1) - { - fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n", - out_path, errno); - free_key_material(pkey); - return 1; - } - ::close(fd); - - crypto_init(); - - // Save the the key to the disk - switch (algorithm) - { - case DNS_KEYALG_ERROR: - fprintf(stderr, "ERROR: The algorithm %i was not given in the file.\n", - algorithm); - error = 1; - break; - case DNS_KEYALG_RSAMD5: - case DNS_KEYALG_RSASHA1: - case DNS_KEYALG_RSASHA1_NSEC3_SHA1: - case DNS_KEYALG_RSASHA256: - case DNS_KEYALG_RSASHA512: - error = save_rsa_pkcs8(out_path, file_pin, pkey); - break; - case DNS_KEYALG_DSA: - case DNS_KEYALG_DSA_NSEC3_SHA1: - error = save_dsa_pkcs8(out_path, file_pin, pkey); - break; - case DNS_KEYALG_ECC: - case DNS_KEYALG_ECC_GOST: - default: - fprintf(stderr, "ERROR: The algorithm %i is not supported.\n", - algorithm); - error = 1; - break; - } - - crypto_final(); - free_key_material(pkey); - - return error; -} - -// Free allocated memory -void free_key_material(key_material_t* pkey) -{ - int i; - - if (!pkey) - { - return; - } - - for (i = 0; i < TAG_MAX; i++) - { - if (pkey[i].big) - { - free(pkey[i].big); - } - } -} diff --git a/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.h b/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.h deleted file mode 100644 index fdeb719..0000000 --- a/SoftHSMv2/src/bin/keyconv/softhsm2-keyconv.h +++ /dev/null 
@@ -1,134 +0,0 @@ -/* - * Copyright (c) 2010 .SE (The Internet Infrastructure Foundation) - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE - * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER - * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN - * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -#ifndef _SOFTHSM_V2_SOFTHSM2_KEYCONV_H -#define _SOFTHSM_V2_SOFTHSM2_KEYCONV_H 1 - -#include <stdlib.h> - -typedef struct key_material_t { - unsigned long size; - void* big; - key_material_t() { - size = 0; - big = NULL; - } -} key_material_t; - -// Main functions - -void usage(); -int to_pkcs8(char* in_path, char* out_path, char* file_pin); - -// Support functions - -int save_rsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey); -int save_dsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey); -void free_key_material(key_material_t* pkey); -void crypto_init(); -void crypto_final(); - -// base64.c prototypes - -#ifdef __cplusplus -extern "C" { -#endif -int b64_pton(const char* , unsigned char*, size_t); -int b64_ntop(const unsigned char*, size_t, char*, size_t); -#ifdef __cplusplus -} -#endif - -// The BIND file version number. -#define FILE_MAJOR_VERSION 1 -#define FILE_MINOR_VERSION 3 - -// Key algorithm number -#define DNS_KEYALG_ERROR -1 -#define DNS_KEYALG_RSAMD5 1 -#define DNS_KEYALG_DSA 3 -#define DNS_KEYALG_ECC 4 -#define DNS_KEYALG_RSASHA1 5 -#define DNS_KEYALG_DSA_NSEC3_SHA1 6 -#define DNS_KEYALG_RSASHA1_NSEC3_SHA1 7 -#define DNS_KEYALG_RSASHA256 8 -#define DNS_KEYALG_RSASHA512 10 -#define DNS_KEYALG_ECC_GOST 12 - -// Maximum number of lines / line length -#define MAX_LINE 4096 - -// The text fields supported -#if !defined(KEYCONV_BOTAN) && !defined(KEYCONV_OSSL) -static const char* file_tags[] = { - "Private-key-format:", - "Algorithm:", - "Modulus:", - "PublicExponent:", - "PrivateExponent:", - "Prime1:", - "Prime2:", - "Exponent1:", - "Exponent2:", - "Coefficient:", - "Prime(p):", - "Private_value(x):", - "Public_value(y):", - "Subprime(q):", - "Base(g):", - "Created:", - "Publish:", - "Activate:", - NULL -}; -#endif - -// The number of each text field. -// Must match the tags above. 
-enum FILE_TAGS { - TAG_VERSION = 0, - TAG_ALGORITHM, - TAG_MODULUS, - TAG_PUBEXP, - TAG_PRIVEXP, - TAG_PRIME1, - TAG_PRIME2, - TAG_EXP1, - TAG_EXP2, - TAG_COEFF, - TAG_PRIME, - TAG_PRIVVAL, - TAG_PUBVAL, - TAG_SUBPRIME, - TAG_BASE, - TAG_CREATED, - TAG_PUBLISH, - TAG_ACTIVATE, - // So we know how long this list is - TAG_MAX -}; - -#endif /* _SOFTHSM_V2_SOFTHSM2_KEYCONV_H */ diff --git a/TPM2-Plugin/lib/include/hwpluginif.h b/TPM2-Plugin/lib/include/hwpluginif.h index 57c5e07..d016e37 100644 --- a/TPM2-Plugin/lib/include/hwpluginif.h +++ b/TPM2-Plugin/lib/include/hwpluginif.h @@ -88,6 +88,14 @@ typedef struct sshsm_hw_plugin_activate_in_info_s { buffer_info_t *buffer_info[MAX_BUFFER_SEGMENTS]; }SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t; +typedef struct sshsm_hw_plugin_import_public_key_info_s { + unsigned long modulus_size; + unsigned char *modulus; + unsigned long exponent_size; + //unsigned char *exponent; + unsigned int *exponent; +}SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t; + typedef int (*sshsm_hw_plugin_activate)( SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *activate_in_info ); @@ -130,7 +138,8 @@ typedef int (*sshsm_hw_plugin_activate)( typedef int (*sshsm_hw_plugin_load_key)( SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info, - void **keyHandle + void **keyHandle, + SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info ); typedef int (*sshsm_hw_plugin_unload_key)( diff --git a/TPM2-Plugin/lib/include/tpm2_plugin_api.h b/TPM2-Plugin/lib/include/tpm2_plugin_api.h index 2a0ace0..f45c0bd 100644 --- a/TPM2-Plugin/lib/include/tpm2_plugin_api.h +++ b/TPM2-Plugin/lib/include/tpm2_plugin_api.h @@ -146,7 +146,8 @@ int tpm2_plugin_uninit(); int tpm2_plugin_activate(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *activate_in_info); int tpm2_plugin_load_key( SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info, - void **keyHandle + void **keyHandle, + SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info ); int tpm2_rsa_create_object( 
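Review bot: `SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t` in the `@@ -88,6 +88,14 @@` hunk carries two raw output pointers, but nothing states who allocates them or how large they must be. In addition, `exponent` is typed `unsigned int *` while `read_public` later in this commit sets `exponent_size` to a byte count. A comment above the struct should pin the contract down, for example `/* modulus/exponent: caller-allocated; *_size is capacity in bytes on entry, bytes written on return */`. The commented-out `//unsigned char *exponent;` is best dropped or replaced by a remark on the exponent's width and byte order, so consumers do not have to guess.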
diff --git a/TPM2-Plugin/lib/tpm2_plugin_api.c b/TPM2-Plugin/lib/tpm2_plugin_api.c index b9fc75b..356ce7b 100644 --- a/TPM2-Plugin/lib/tpm2_plugin_api.c +++ b/TPM2-Plugin/lib/tpm2_plugin_api.c @@ -27,6 +27,8 @@ #ifdef HAVE_TCTI_TABRMD #include <tcti/tcti-tabrmd.h> #endif +#define ARRAY_LEN(x) (sizeof(x)/sizeof(x[0])) + bool output_enabled = true; bool hexPasswd = false; TPM_HANDLE handle2048rsa; 
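Review bot: `ARRAY_LEN` leaves its argument unparenthesised in `x[0]`, and nothing stops it being applied to a pointer, where it silently yields the wrong count. `#define ARRAY_LEN(x) (sizeof(x) / sizeof((x)[0]))` fixes the first. A one-line comment that the argument must be a true array, not a decayed pointer, covers the second.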
@@ -337,10 +339,66 @@ int load_key(TSS2_SYS_CONTEXT *sapi_context, return 0; } +int read_public(TSS2_SYS_CONTEXT *sapi_context, + TPM_HANDLE handle, + SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info) +{ + + TPMS_AUTH_RESPONSE session_out_data; + TSS2_SYS_RSP_AUTHS sessions_out_data; + TPMS_AUTH_RESPONSE *session_out_data_array[1]; + + TPM2B_PUBLIC public = { + { 0, } + }; + + TPM2B_NAME name = TPM2B_TYPE_INIT(TPM2B_NAME, name); + + TPM2B_NAME qualified_name = TPM2B_TYPE_INIT(TPM2B_NAME, name); + + session_out_data_array[0] = &session_out_data; + sessions_out_data.rspAuths = &session_out_data_array[0]; + sessions_out_data.rspAuthsCount = ARRAY_LEN(session_out_data_array); + + TPM_RC rval = Tss2_Sys_ReadPublic(sapi_context, handle, 0, + &public, &name, &qualified_name, &sessions_out_data); + if (rval != TPM_RC_SUCCESS) { + printf("TPM2_ReadPublic error: rval = 0x%0x", rval); + return false; + } + + printf("\nTPM2_ReadPublic OutPut: \n"); + printf("name: \n"); + UINT16 i; + for (i = 0; i < name.t.size; i++) + printf("%02x ", name.t.name[i]); + printf("\n"); + + printf("qualified_name: \n"); + for (i = 0; i < qualified_name.t.size; i++) + printf("%02x ", qualified_name.t.name[i]); + printf("\n"); + + printf("public.t.publicArea.parameters.rsaDetail.keyBits = %d \n", public.t.publicArea.parameters.rsaDetail.keyBits); + printf("public.t.publicArea.parameters.rsaDetail.exponent = %d \n", public.t.publicArea.parameters.rsaDetail.exponent); + + importkey_info->modulus_size = public.t.publicArea.unique.rsa.t.size; + printf("importkey_info->modulus_size = %ld \n", importkey_info->modulus_size); + memcpy(importkey_info->modulus, &public.t.publicArea.unique.rsa.t.buffer, importkey_info->modulus_size); + + importkey_info->exponent_size = sizeof(public.t.publicArea.parameters.rsaDetail.exponent); + printf("importkey_info->exponent_size = %ld \n", importkey_info->exponent_size); + memcpy(importkey_info->exponent, &public.t.publicArea.parameters.rsaDetail.exponent, 
importkey_info->exponent_size); + //*importkey_info->exponent = public.t.publicArea.parameters.rsaDetail.exponent; + + return 0; +} + TPMS_CONTEXT loaded_key_context; int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info, - void **keyHandle, TSS2_SYS_CONTEXT *sapi_context) + void **keyHandle, TSS2_SYS_CONTEXT *sapi_context, + SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info) { TPMI_DH_OBJECT parentHandle; @@ -365,12 +423,14 @@ int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info, memcpy(&inPrivate, loadkey_in_info->buffer_info[1]->buffer, loadkey_in_info->buffer_info[1]->length_of_buffer); - printf("we are here now\n"); returnVal = load_key (sapi_context, parentHandle, &inPublic, &inPrivate, 0); + returnVal = read_public(sapi_context, + handle2048rsa, + importkey_info); TPM_RC rval = Tss2_Sys_ContextSave(sapi_context, handle2048rsa, &loaded_key_context); if (rval != TPM_RC_SUCCESS) { @@ -382,7 +442,8 @@ int load_key_execute(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info, } int tpm2_plugin_load_key(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info, - void **keyHandle) + void **keyHandle, + SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info) { int ret = 1; common_opts_t opts = COMMON_OPTS_INITIALIZER; @@ -400,7 +461,7 @@ int tpm2_plugin_load_key(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_inf } } - ret = load_key_execute(loadkey_in_info, keyHandle, sapi_context); + ret = load_key_execute(loadkey_in_info, keyHandle, sapi_context, importkey_info); if (ret !=0) printf("Load key API failed in TPM plugin ! \n"); diff --git a/TPM2-Plugin/test/main.c b/TPM2-Plugin/test/main.c index c9d15c8..31fa7d6 100644 --- a/TPM2-Plugin/test/main.c +++ b/TPM2-Plugin/test/main.c 
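Review bot: The two `memcpy` calls at the end of `read_public` write through `importkey_info->modulus` and `importkey_info->exponent` without checking that either pointer is set or how much room it has. The caller added in TPM2-Plugin/test/main.c in this same commit only `malloc`s the struct, so both pointers are indeterminate when they arrive here. The error path returns `false`, which is 0 and so indistinguishable from the `return 0` success case. I would have the caller pass buffer capacities in `modulus_size` and `exponent_size`, reject NULL or undersized buffers, and return non-zero on failure. Separately, the TPM 2.0 structures use an `exponent` of 0 to mean the default 65537, so copying the raw field can hand the consumer a zero exponent.

```c
int read_public(TSS2_SYS_CONTEXT *sapi_context,
                TPM_HANDLE handle,
                SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info)
{
    /* ... unchanged: session structures, public/name/qualified_name ... */

    if (importkey_info == NULL || importkey_info->modulus == NULL ||
        importkey_info->exponent == NULL) {
        printf("read_public: output buffers not provided\n");
        return 1;
    }

    /* ... unchanged: Tss2_Sys_ReadPublic call ... */
    if (rval != TPM_RC_SUCCESS) {
        printf("TPM2_ReadPublic error: rval = 0x%0x\n", rval);
        return 1;                      /* was `return false` (== 0, success) */
    }

    /* ... unchanged: name / qualified_name / keyBits output ... */

    unsigned long mod_len = public.t.publicArea.unique.rsa.t.size;
    unsigned int  exp_val = public.t.publicArea.parameters.rsaDetail.exponent;

    if (exp_val == 0)
        exp_val = 65537;               /* TPM encodes the default exponent as 0 */

    /* On entry the *_size fields hold the capacity of each caller buffer. */
    if (mod_len > importkey_info->modulus_size ||
        sizeof(exp_val) > importkey_info->exponent_size) {
        printf("read_public: output buffer too small\n");
        return 1;
    }

    memcpy(importkey_info->modulus,
           public.t.publicArea.unique.rsa.t.buffer, mod_len);
    importkey_info->modulus_size = mod_len;

    memcpy(importkey_info->exponent, &exp_val, sizeof(exp_val));
    importkey_info->exponent_size = sizeof(exp_val);

    /* ... unchanged: return 0 ... */
```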
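Review bot: In the `@@ -365,12 +423,14 @@` hunk the result of `load_key` is overwritten by the new `read_public` call before it is examined. A failed load therefore still goes on to read and context-save `handle2048rsa`, which may then refer to a stale or unset object. Check it between the two calls, e.g. `if (returnVal != 0) return returnVal;`, and test `read_public`'s result the same way before `Tss2_Sys_ContextSave`. The rest of `load_key_execute` lies outside this hunk, so whether `returnVal` is looked at later cannot be confirmed from here.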
@@ -32,6 +32,9 @@ void main(void) SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *activate_in_info; activate_in_info = malloc(sizeof(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t)); + SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t *importkey_info; + importkey_info = malloc(sizeof(SSHSM_HW_PLUGIN_IMPORT_PUBLIC_KEY_INFO_t)); + SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t *loadkey_in_info; loadkey_in_info = malloc(sizeof(SSHSM_HW_PLUGIN_ACTIVATE_LOAD_IN_INFO_t)); loadkey_in_info->num_buffers = 2; @@ -59,7 +62,7 @@ void main(void) tpm2_plugin_rsa_sign_init(keyHandle_sign, mechanism, param, len); printf("---------------------------------------------\n"); - tpm2_plugin_load_key(loadkey_in_info, keyHandle); + tpm2_plugin_load_key(loadkey_in_info, keyHandle, importkey_info); printf("---------------------------------------------\n"); tpm2_plugin_rsa_sign(keyHandle_sign, mechanism, msg, msg_len, sig, sig_len); |