From 45d6379135504814ab723b57f0eb8be23393a51d Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 09:24:22 +0200 Subject: Adding upstream version 1:9.16.44. 
Signed-off-by: Daniel Baumann --- bin/pkcs11/Makefile.in | 82 ++++ bin/pkcs11/pkcs11-destroy.c | 268 +++++++++++++ bin/pkcs11/pkcs11-destroy.rst | 61 +++ bin/pkcs11/pkcs11-keygen.c | 476 ++++++++++++++++++++++++ bin/pkcs11/pkcs11-keygen.rst | 80 ++++ bin/pkcs11/pkcs11-list.c | 277 ++++++++++++++ bin/pkcs11/pkcs11-list.rst | 56 +++ bin/pkcs11/pkcs11-tokens.c | 103 +++++ bin/pkcs11/pkcs11-tokens.rst | 43 +++ bin/pkcs11/win32/pk11destroy.vcxproj.filters.in | 22 ++ bin/pkcs11/win32/pk11destroy.vcxproj.in | 121 ++++++ bin/pkcs11/win32/pk11destroy.vcxproj.user | 3 + bin/pkcs11/win32/pk11keygen.vcxproj.filters.in | 22 ++ bin/pkcs11/win32/pk11keygen.vcxproj.in | 121 ++++++ bin/pkcs11/win32/pk11keygen.vcxproj.user | 3 + bin/pkcs11/win32/pk11list.vcxproj.filters.in | 22 ++ bin/pkcs11/win32/pk11list.vcxproj.in | 121 ++++++ bin/pkcs11/win32/pk11list.vcxproj.user | 3 + bin/pkcs11/win32/pk11tokens.vcxproj.filters.in | 22 ++ bin/pkcs11/win32/pk11tokens.vcxproj.in | 121 ++++++ bin/pkcs11/win32/pk11tokens.vcxproj.user | 3 + 21 files changed, 2030 insertions(+) create mode 100644 bin/pkcs11/Makefile.in create mode 100644 bin/pkcs11/pkcs11-destroy.c create mode 100644 bin/pkcs11/pkcs11-destroy.rst create mode 100644 bin/pkcs11/pkcs11-keygen.c create mode 100644 bin/pkcs11/pkcs11-keygen.rst create mode 100644 bin/pkcs11/pkcs11-list.c create mode 100644 bin/pkcs11/pkcs11-list.rst create mode 100644 bin/pkcs11/pkcs11-tokens.c create mode 100644 bin/pkcs11/pkcs11-tokens.rst create mode 100644 bin/pkcs11/win32/pk11destroy.vcxproj.filters.in create mode 100644 bin/pkcs11/win32/pk11destroy.vcxproj.in create mode 100644 bin/pkcs11/win32/pk11destroy.vcxproj.user create mode 100644 bin/pkcs11/win32/pk11keygen.vcxproj.filters.in create mode 100644 bin/pkcs11/win32/pk11keygen.vcxproj.in create mode 100644 bin/pkcs11/win32/pk11keygen.vcxproj.user create mode 100644 bin/pkcs11/win32/pk11list.vcxproj.filters.in create mode 100644 bin/pkcs11/win32/pk11list.vcxproj.in create mode 100644 
bin/pkcs11/win32/pk11list.vcxproj.user create mode 100644 bin/pkcs11/win32/pk11tokens.vcxproj.filters.in create mode 100644 bin/pkcs11/win32/pk11tokens.vcxproj.in create mode 100644 bin/pkcs11/win32/pk11tokens.vcxproj.user (limited to 'bin/pkcs11') diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in new file mode 100644 index 0000000..ad0da42 --- /dev/null +++ b/bin/pkcs11/Makefile.in 
@@ -0,0 +1,82 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = ${ISC_INCLUDES} + +CDEFINES = + +ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + +ISCDEPLIBS = ../../lib/isc/libisc.@A@ + +DEPLIBS = ${ISCDEPLIBS} + +# if FORCE_STATIC_PROVIDER: LIBS += ${PROVIDER} +LIBS = ${ISCLIBS} @LIBS@ + +SUBDIRS = benchmarks + +TARGETS = pkcs11-list@EXEEXT@ pkcs11-destroy@EXEEXT@ \ + pkcs11-keygen@EXEEXT@ pkcs11-tokens@EXEEXT@ +SRCS = pkcs11-list.c pkcs11-destroy.c \ + pkcs11-keygen.c pkcs11-tokens.c +OBJS = pkcs11-list.@O@ pkcs11-destroy.@O@ \ + pkcs11-keygen.@O@ pkcs11-tokens.@O@ + +@BIND9_MAKE_RULES@ + +pkcs11-list@EXEEXT@: pkcs11-list.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@ pkcs11-list.@O@ ${LIBS} + +pkcs11-destroy@EXEEXT@: pkcs11-destroy.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@ pkcs11-destroy.@O@ ${LIBS} + +pkcs11-keygen@EXEEXT@: pkcs11-keygen.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@ pkcs11-keygen.@O@ ${LIBS} + +pkcs11-tokens@EXEEXT@: pkcs11-tokens.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@ pkcs11-tokens.@O@ ${LIBS} + +installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + +install:: ${TARGETS} installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \ + ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \ + ${DESTDIR}${sbindir} + 
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ \ + ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \ + ${DESTDIR}${sbindir} + +uninstall:: + ${LIBTOOL_MODE_UNINSTALL} rm -f / + ${DESTDIR}${sbindir}/pkcs11-tokens@EXEEXT@ + ${LIBTOOL_MODE_UNINSTALL} rm -f / + ${DESTDIR}${sbindir}/pkcs11-keygen@EXEEXT@ + ${LIBTOOL_MODE_UNINSTALL} rm -f / + ${DESTDIR}${sbindir}/pkcs11-destroy@EXEEXT@ + ${LIBTOOL_MODE_UNINSTALL} rm -f / + ${DESTDIR}${sbindir}/pkcs11-list@EXEEXT@ + +clean distclean:: + rm -f ${OBJS} ${TARGETS} diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c new file mode 100644 index 0000000..04f9682 --- /dev/null +++ b/bin/pkcs11/pkcs11-destroy.c 
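Review bot: In the `uninstall::` rule each `${LIBTOOL_MODE_UNINSTALL} rm -f /` line ends in a forward slash rather than the `\` continuation that the link rules above use, at least as this hunk renders; if the file really contains `/`, the recipe line becomes `rm -f /` and the path on the following line (`${DESTDIR}${sbindir}/pkcs11-tokens@EXEEXT@` and the three others) is run as a separate command instead of being removed. The four lines should end in `\` so that each path is the argument of its own `rm`. The page may have lost the backslash in rendering, so this is worth confirming against the file as committed.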
@@ -0,0 +1,268 @@ +/* + * Copyright (C) 2009, 2015 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Portions copyright (c) 2008 Nominet UK. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] + * [-p $pin] [ -w $wait ] + */ + +/*! 
\file */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include +#include + +#ifdef WIN32 +#define sleep(x) Sleep(x) +#endif /* ifdef WIN32 */ + +int +main(int argc, char *argv[]) { + isc_result_t result; + CK_RV rv; + CK_SLOT_ID slot = 0; + CK_SESSION_HANDLE hSession; + CK_BYTE attr_id[2]; + CK_OBJECT_HANDLE akey[50]; + pk11_context_t pctx; + char *lib_name = NULL; + char *label = NULL; + char *pin = NULL; + int error = 0; + unsigned int id = 0, i = 0, wait = 5; + int c, errflg = 0; + CK_ULONG ulObjectCount; + CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id, + sizeof(attr_id) } }; + unsigned int j, len; + + while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:w:")) != -1) { + switch (c) { + case 'm': + lib_name = isc_commandline_argument; + break; + case 's': + slot = atoi(isc_commandline_argument); + break; + case 'i': + id = atoi(isc_commandline_argument); + id &= 0xffff; + break; + case 'l': + label = isc_commandline_argument; + break; + case 'p': + pin = isc_commandline_argument; + break; + case 'w': + wait = atoi(isc_commandline_argument); + break; + case ':': + fprintf(stderr, "Option -%c requires an operand\n", + isc_commandline_option); + errflg++; + break; + case '?': + default: + fprintf(stderr, "Unrecognised option: -%c\n", + isc_commandline_option); + errflg++; + } + } + + if (errflg || (id && (label != NULL))) { + fprintf(stderr, "Usage:\n"); + fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] " + "{-i id | -l label} [-p pin] [-w waittime]\n"); + exit(1); + } + + if (id) { + attr_id[0] = (id >> 8) & 0xff; + attr_id[1] = id & 0xff; + } else if (label) { + search_template[0].type = CKA_LABEL; + search_template[0].pValue = label; + search_template[0].ulValueLen = strlen(label); + } + + pk11_result_register(); + + /* Initialize the CRYPTOKI library */ + if (lib_name != NULL) { + pk11_set_lib_name(lib_name); + } + + if (pin == NULL) { + pin = getpass("Enter Pin: "); + } + + 
result = pk11_get_session(&pctx, OP_ANY, false, true, true, + (const char *)pin, slot); + if (result == PK11_R_NORANDOMSERVICE || + result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) + { + fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); + fprintf(stderr, "This HSM will not work with BIND 9 " + "using native PKCS#11.\n"); + } else if (result != ISC_R_SUCCESS) { + fprintf(stderr, + "Unrecoverable error initializing " + "PKCS#11: %s\n", + isc_result_totext(result)); + exit(1); + } + + memset(pin, 0, strlen(pin)); + + hSession = pctx.session; + + rv = pkcs_C_FindObjectsInit(hSession, search_template, + ((id != 0) || (label != NULL)) ? 1 : 0); + + if (rv != CKR_OK) { + fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); + error = 1; + goto exit_session; + } + + rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount); + if (rv != CKR_OK) { + fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); + error = 1; + goto exit_search; + } + + if (ulObjectCount == 0) { + printf("No matching key objects found.\n"); + goto exit_search; + } else { + printf("Key object%s found:\n", ulObjectCount > 1 ? 
"s" : ""); + } + + for (i = 0; i < ulObjectCount; i++) { + CK_OBJECT_CLASS oclass = 0; + CK_BYTE labelbuf[64 + 1]; + CK_BYTE idbuf[64]; + CK_ATTRIBUTE attr_template[] = { + { CKA_CLASS, &oclass, sizeof(oclass) }, + { CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 }, + { CKA_ID, idbuf, sizeof(idbuf) } + }; + + memset(labelbuf, 0, sizeof(labelbuf)); + memset(idbuf, 0, sizeof(idbuf)); + + rv = pkcs_C_GetAttributeValue(hSession, akey[i], attr_template, + 3); + if (rv != CKR_OK) { + fprintf(stderr, + "C_GetAttributeValue[%u]: rv = 0x%.8lX\n", i, + rv); + error = 1; + goto exit_search; + } + len = attr_template[2].ulValueLen; + printf(" object[%u]: class %lu, label '%s', id[%lu] ", i, + oclass, labelbuf, attr_template[2].ulValueLen); + if (len > 4) { + len = 4; + } + if (len > 0) { + printf("0x"); + } + for (j = 0; j < len; j++) { + printf("%02x", idbuf[j]); + } + if (attr_template[2].ulValueLen > len) { + printf("...\n"); + } else { + printf("\n"); + } + } + + if (wait != 0) { + printf("WARNING: This action is irreversible! " + "Destroying key objects in %u seconds\n ", + wait); + for (i = 0; i < wait; i++) { + printf("."); + fflush(stdout); + sleep(1); + } + printf("\n"); + } + + for (i = 0; i < ulObjectCount; i++) { + rv = pkcs_C_DestroyObject(hSession, akey[i]); + if (rv != CKR_OK) { + fprintf(stderr, + "C_DestroyObject[%u] failed: rv = 0x%.8lX\n", i, + rv); + error = 1; + } + } + + if (error == 0) { + printf("Destruction complete.\n"); + } + +exit_search: + rv = pkcs_C_FindObjectsFinal(hSession); + if (rv != CKR_OK) { + fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); + error = 1; + } + +exit_session: + pk11_return_session(&pctx); + (void)pk11_finalize(); + + exit(error); +} diff --git a/bin/pkcs11/pkcs11-destroy.rst b/bin/pkcs11/pkcs11-destroy.rst new file mode 100644 index 0000000..bad150c --- /dev/null +++ b/bin/pkcs11/pkcs11-destroy.rst 
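Review bot: A run with neither `-i` nor `-l` is not rejected by the usage check, yet `pkcs_C_FindObjectsInit` is then called with a zero-length template, which matches every object visible to the session, so the tool lists and destroys up to 50 arbitrary objects even though the usage text and pkcs11-destroy.rst present `{-i id | -l label}` as required; the guard should read `if (errflg || (id && (label != NULL)) || (!id && label == NULL)) {`. The 50-entry `akey` array also silently caps the search, so a token with more matches is only partially processed without any message; a note when `ulObjectCount == 50` would make that visible. On WIN32 `sleep(x)` is mapped to `Sleep(x)`, which takes milliseconds, so the `-w` safety countdown lasts about 5 ms instead of 5 s; `#define sleep(x) Sleep((x) * 1000)` keeps the intended delay. Finally, `memset(pin, 0, strlen(pin))` is a dead store the compiler may drop; `isc_safe_memwipe(pin, strlen(pin))` from libisc is the wipe that survives optimization.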
@@ -0,0 +1,61 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. highlight: console + +.. _man_pkcs11-destroy: + +pkcs11-destroy - destroy PKCS#11 objects + +Synopsis +~~~~~~~~ + +:program:`pkcs11-destroy` [**-m** module] [**-s** slot] [**-i** ID] [**-l** label] [**-p** PIN] [**-w** seconds] + +Description +~~~~~~~~~~~ + +``pkcs11-destroy`` destroys keys stored in a PKCS#11 device, identified +by their ``ID`` or ``label``. + +Matching keys are displayed before being destroyed. By default, there is +a five-second delay to allow the user to interrupt the process before +the destruction takes place. + +Options +~~~~~~~ + +``-m module`` + This option specifies the PKCS#11 provider module. This must be the full path to a + shared library object implementing the PKCS#11 API for the device. + +``-s slot`` + This option opens the session with the given PKCS#11 slot. The default is slot 0. + +``-i ID`` + This option destroys keys with the given object ID. + +``-l label`` + This option destroys keys with the given label. + +``-p PIN`` + This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command + line, ``pkcs11-destroy`` prompts for it. + +``-w seconds`` + This option specifies how long, in seconds, to pause before carrying out key destruction. The + default is 5 seconds. If set to ``0``, destruction is + immediate. + +See Also +~~~~~~~~ + +:manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)` diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c new file mode 100644 index 0000000..e1859b2 --- /dev/null 
+++ b/bin/pkcs11/pkcs11-keygen.c 
@@ -0,0 +1,476 @@ +/* + * Copyright (C) 2009, 2012, 2015 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Portions copyright (c) 2008 Nominet UK. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* pkcs11-keygen - PKCS#11 key generator + * + * Create a key in the keystore of an HSM + * + * The calculation of key tag is left to the script + * that converts the key into a DNSKEY RR and inserts + * it into a zone file. + * + * usage: + * pkcs11-keygen [-P] [-m module] [-s slot] [-e] [-b keysize] + * [-i id] [-p pin] -l label + * + */ + +/*! \file */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include +#include +#include + +/* Define static key template values */ +static CK_BBOOL truevalue = TRUE; +static CK_BBOOL falsevalue = FALSE; + +/* Static arrays of data used for key template initialization */ +static CK_BYTE pk11_ecc_prime256v1[] = PK11_ECC_PRIME256V1; +static CK_BYTE pk11_ecc_secp384r1[] = PK11_ECC_SECP384R1; +static CK_BYTE pk11_ecx_ed25519[] = PK11_ECX_ED25519; +static CK_BYTE pk11_ecx_ed448[] = PK11_ECX_ED448; + +/* Key class: RSA, ECC, ECX, or unknown */ +typedef enum { key_unknown, key_rsa, key_ecc, key_ecx } key_class_t; + +/* + * Private key template + */ +#define PRIVATE_LABEL 0 +#define PRIVATE_SIGN 1 +#define PRIVATE_TOKEN 2 +#define PRIVATE_PRIVATE 3 +#define PRIVATE_SENSITIVE 4 +#define PRIVATE_EXTRACTABLE 5 +#define PRIVATE_ID 6 +#define PRIVATE_ATTRS 7 +static CK_ATTRIBUTE private_template[] = { + { CKA_LABEL, NULL_PTR, 0 }, + { CKA_SIGN, &truevalue, sizeof(truevalue) }, + { CKA_TOKEN, &truevalue, sizeof(truevalue) }, + { CKA_PRIVATE, &truevalue, sizeof(truevalue) }, + { CKA_SENSITIVE, &truevalue, sizeof(truevalue) }, + { CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue) }, + { CKA_ID, NULL_PTR, 0 } +}; + +/* + * Public key template for RSA keys + */ +#define RSA_LABEL 0 +#define RSA_VERIFY 1 +#define RSA_TOKEN 2 +#define RSA_PRIVATE 3 +#define RSA_MODULUS_BITS 4 +#define RSA_PUBLIC_EXPONENT 5 +#define RSA_ID 6 +#define RSA_ATTRS 7 +static CK_ATTRIBUTE rsa_template[] = { + { CKA_LABEL, NULL_PTR, 0 }, + { CKA_VERIFY, &truevalue, sizeof(truevalue) }, + { 
CKA_TOKEN, &truevalue, sizeof(truevalue) }, + { CKA_PRIVATE, &falsevalue, sizeof(falsevalue) }, + { CKA_MODULUS_BITS, NULL_PTR, 0 }, + { CKA_PUBLIC_EXPONENT, NULL_PTR, 0 }, + { CKA_ID, NULL_PTR, 0 } +}; + +/* + * Public key template for ECC/ECX keys + */ +#define ECC_LABEL 0 +#define ECC_VERIFY 1 +#define ECC_TOKEN 2 +#define ECC_PRIVATE 3 +#define ECC_PARAMS 4 +#define ECC_ID 5 +#define ECC_ATTRS 6 +static CK_ATTRIBUTE ecc_template[] = { + { CKA_LABEL, NULL_PTR, 0 }, + { CKA_VERIFY, &truevalue, sizeof(truevalue) }, + { CKA_TOKEN, &truevalue, sizeof(truevalue) }, + { CKA_PRIVATE, &falsevalue, sizeof(falsevalue) }, + { CKA_EC_PARAMS, NULL_PTR, 0 }, + { CKA_ID, NULL_PTR, 0 } +}; + +/* + * Convert from text to key class. Accepts the names of DNSSEC + * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and + * NSEC3RSASHA1 maps to RSA. + */ +static key_class_t +keyclass_fromtext(const char *name) { + if (name == NULL) { + return (key_unknown); + } + + if (strncasecmp(name, "rsa", 3) == 0 || + strncasecmp(name, "nsec3rsa", 8) == 0) + { + return (key_rsa); + } else if (strncasecmp(name, "ecc", 3) == 0 || + strncasecmp(name, "ecdsa", 5) == 0) + { + return (key_ecc); + } else if (strncasecmp(name, "ecx", 3) == 0 || + strncasecmp(name, "ed", 2) == 0) + { + return (key_ecx); + } else { + return (key_unknown); + } +} + +static void +usage(void) { + fprintf(stderr, "Usage:\n" + "\tpkcs11-keygen -a algorithm -b keysize -l label\n" + "\t [-P] [-m module] " + "[-s slot] [-e] [-S] [-i id] [-p PIN]\n"); + exit(2); +} + +int +main(int argc, char *argv[]) { + isc_result_t result; + CK_RV rv; + CK_SLOT_ID slot = 0; + CK_MECHANISM mech; + CK_SESSION_HANDLE hSession; + char *lib_name = NULL; + char *pin = NULL; + CK_ULONG bits = 0; + CK_CHAR *label = NULL; + CK_OBJECT_HANDLE privatekey, publickey; + CK_BYTE exponent[5]; + CK_ULONG expsize = 0; + pk11_context_t pctx; + int error = 0; + int c, errflg = 0; + int hide = 1, quiet = 0; + int idlen = 0, id_offset = 0; + unsigned long id 
= 0; + CK_BYTE idbuf[4]; + CK_ULONG ulObjectCount; + CK_ATTRIBUTE search_template[] = { { CKA_LABEL, NULL_PTR, 0 } }; + CK_ATTRIBUTE *public_template = NULL; + CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS; + key_class_t keyclass = key_rsa; + pk11_optype_t op_type = OP_ANY; + +#define OPTIONS ":a:b:ei:l:m:Pp:qSs:" + while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) { + switch (c) { + case 'a': + keyclass = keyclass_fromtext(isc_commandline_argument); + break; + case 'P': + hide = 0; + break; + case 'm': + lib_name = isc_commandline_argument; + break; + case 's': + slot = atoi(isc_commandline_argument); + break; + case 'e': + expsize = 5; + break; + case 'b': + bits = atoi(isc_commandline_argument); + break; + case 'l': + /* -l option is retained for backward compatibility * */ + label = (CK_CHAR *)isc_commandline_argument; + break; + case 'i': + id = strtoul(isc_commandline_argument, NULL, 0); + idlen = 4; + break; + case 'p': + pin = isc_commandline_argument; + break; + case 'q': + quiet = 1; + break; + case ':': + fprintf(stderr, "Option -%c requires an operand\n", + isc_commandline_option); + errflg++; + break; + case '?': + default: + fprintf(stderr, "Unrecognised option: -%c\n", + isc_commandline_option); + errflg++; + } + } + + if (label == NULL && isc_commandline_index < argc) { + label = (CK_CHAR *)argv[isc_commandline_index]; + } + + if (errflg || (label == NULL)) { + usage(); + } + + if (expsize != 0 && keyclass != key_rsa) { + fprintf(stderr, "The -e option is only compatible " + "with RSA key generation\n"); + exit(2); + } + + switch (keyclass) { + case key_rsa: + op_type = OP_RSA; + if (expsize == 0) { + expsize = 3; + } + if (bits == 0) { + usage(); + } + + mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; + mech.pParameter = NULL; + mech.ulParameterLen = 0; + + public_template = rsa_template; + public_attrcnt = RSA_ATTRS; + id_offset = RSA_ID; + + /* Set public exponent to F4 or F5 */ + exponent[0] = 0x01; + exponent[1] = 0x00; 
+ if (expsize == 3) { + exponent[2] = 0x01; + } else { + exponent[2] = 0x00; + exponent[3] = 0x00; + exponent[4] = 0x01; + } + + public_template[RSA_MODULUS_BITS].pValue = &bits; + public_template[RSA_MODULUS_BITS].ulValueLen = sizeof(bits); + public_template[RSA_PUBLIC_EXPONENT].pValue = &exponent; + public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize; + break; + case key_ecc: + op_type = OP_ECDSA; + if (bits == 0) { + bits = 256; + } else if (bits != 256 && bits != 384) { + fprintf(stderr, "ECC keys only support bit sizes of " + "256 and 384\n"); + exit(2); + } + + mech.mechanism = CKM_EC_KEY_PAIR_GEN; + mech.pParameter = NULL; + mech.ulParameterLen = 0; + + public_template = ecc_template; + public_attrcnt = ECC_ATTRS; + id_offset = ECC_ID; + + if (bits == 256) { + public_template[4].pValue = pk11_ecc_prime256v1; + public_template[4].ulValueLen = + sizeof(pk11_ecc_prime256v1); + } else { + public_template[4].pValue = pk11_ecc_secp384r1; + public_template[4].ulValueLen = + sizeof(pk11_ecc_secp384r1); + } + + break; + case key_ecx: + op_type = OP_EDDSA; + if (bits == 0) { + bits = 256; + } else if (bits != 256 && bits != 456) { + fprintf(stderr, "ECX keys only support bit sizes of " + "256 and 456\n"); + exit(2); + } + + mech.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN; + mech.pParameter = NULL; + mech.ulParameterLen = 0; + + public_template = ecc_template; + public_attrcnt = ECC_ATTRS; + id_offset = ECC_ID; + + if (bits == 256) { + public_template[4].pValue = pk11_ecx_ed25519; + public_template[4].ulValueLen = + sizeof(pk11_ecx_ed25519); + } else { + public_template[4].pValue = pk11_ecx_ed448; + public_template[4].ulValueLen = sizeof(pk11_ecx_ed448); + } + + break; + case key_unknown: + usage(); + } + + search_template[0].pValue = label; + search_template[0].ulValueLen = strlen((char *)label); + public_template[0].pValue = label; + public_template[0].ulValueLen = strlen((char *)label); + private_template[0].pValue = label; + private_template[0].ulValueLen = 
strlen((char *)label); + + if (idlen == 0) { + public_attrcnt--; + private_attrcnt--; + } else { + if (id <= 0xffff) { + idlen = 2; + idbuf[0] = (CK_BYTE)(id >> 8); + idbuf[1] = (CK_BYTE)id; + } else { + idbuf[0] = (CK_BYTE)(id >> 24); + idbuf[1] = (CK_BYTE)(id >> 16); + idbuf[2] = (CK_BYTE)(id >> 8); + idbuf[3] = (CK_BYTE)id; + } + + public_template[id_offset].pValue = idbuf; + public_template[id_offset].ulValueLen = idlen; + private_template[PRIVATE_ID].pValue = idbuf; + private_template[PRIVATE_ID].ulValueLen = idlen; + } + + pk11_result_register(); + + /* Initialize the CRYPTOKI library */ + if (lib_name != NULL) { + pk11_set_lib_name(lib_name); + } + + if (pin == NULL) { + pin = getpass("Enter Pin: "); + } + + result = pk11_get_session(&pctx, op_type, false, true, true, + (const char *)pin, slot); + if (result == PK11_R_NORANDOMSERVICE || + result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) + { + fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); + fprintf(stderr, "This HSM will not work with BIND 9 " + "using native PKCS#11.\n"); + } else if (result != ISC_R_SUCCESS) { + fprintf(stderr, + "Unrecoverable error initializing " + "PKCS#11: %s\n", + isc_result_totext(result)); + exit(1); + } + + memset(pin, 0, strlen(pin)); + + hSession = pctx.session; + + /* check if a key with the same id already exists */ + rv = pkcs_C_FindObjectsInit(hSession, search_template, 1); + if (rv != CKR_OK) { + fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); + error = 1; + goto exit_session; + } + rv = pkcs_C_FindObjects(hSession, &privatekey, 1, &ulObjectCount); + if (rv != CKR_OK) { + fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); + error = 1; + goto exit_search; + } + if (ulObjectCount != 0) { + fprintf(stderr, "Key already exists.\n"); + error = 1; + goto exit_search; + } + + /* Set attributes if the key is not to be hidden */ + if (!hide) { + private_template[4].pValue = &falsevalue; + private_template[5].pValue = &truevalue; + } 
+ + /* Generate Key pair for signing/verifying */ + rv = pkcs_C_GenerateKeyPair(hSession, &mech, public_template, + public_attrcnt, private_template, + private_attrcnt, &publickey, &privatekey); + + if (rv != CKR_OK) { + fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv); + error = 1; + } else if (!quiet) { + printf("Key pair generation complete.\n"); + } + +exit_search: + rv = pkcs_C_FindObjectsFinal(hSession); + if (rv != CKR_OK) { + fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); + error = 1; + } + +exit_session: + pk11_return_session(&pctx); + (void)pk11_finalize(); + + exit(error); +} diff --git a/bin/pkcs11/pkcs11-keygen.rst b/bin/pkcs11/pkcs11-keygen.rst new file mode 100644 index 0000000..9ce2fba --- /dev/null +++ b/bin/pkcs11/pkcs11-keygen.rst 
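Review bot: `-S` is listed in the `OPTIONS` string and in `usage()`, but the switch has no `case 'S'`, so the option is accepted by `isc_commandline_parse` and then reported as `Unrecognised option: -S` by the `default:` branch; either add a handler or drop it from both the option string and the usage text (pkcs11-keygen.rst also documents it, together with DSA and DH classes that `keyclass_fromtext` does not map). The comment `/* check if a key with the same id already exists */` does not match the code: `search_template` matches on `CKA_LABEL`, so the duplicate check is by label only and a colliding `-i` id is not detected; the comment should say `/* refuse to create a key if one with this label already exists */`. The `-P` branch writes `private_template[4]` and `private_template[5]`, and the ECC/ECX branches write `public_template[4]`, while the file defines `PRIVATE_SENSITIVE`, `PRIVATE_EXTRACTABLE` and `ECC_PARAMS` for exactly those slots; using the names keeps the template layout and the indices from drifting apart. As in pkcs11-destroy.c, `memset(pin, 0, strlen(pin))` can be elided as a dead store; `isc_safe_memwipe` is the wipe intended for this.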
@@ -0,0 +1,80 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. highlight: console + +.. _man_pkcs11-keygen: + +pkcs11-keygen - generate keys on a PKCS#11 device +------------------------------------------------- + +Synopsis +~~~~~~~~ + +:program:`pkcs11-keygen` [**-a** algorithm] [**-b** keysize] [**-e**] [**-i** id] [**-m** module] [**-P**] [**-p** PIN] [**-q**] [**-S**] [**-s** slot] label + +Description +~~~~~~~~~~~ + +``pkcs11-keygen`` causes a PKCS#11 device to generate a new key pair +with the given ``label`` (which must be unique) and with ``keysize`` +bits of prime. + +Options +~~~~~~~ + +``-a algorithm`` + This option specifies the key algorithm class: supported classes are RSA, DSA, DH, + ECC, and ECX. In addition to these strings, the ``algorithm`` can be + specified as a DNSSEC signing algorithm to be used with this + key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to + ECC, and ED25519 to ECX. The default class is ``RSA``. + +``-b keysize`` + This option creates the key pair with ``keysize`` bits of prime. For ECC keys, the + only valid values are 256 and 384, and the default is 256. For ECX + keys, the only valid values are 256 and 456, and the default is 256. + +``-e`` + For RSA keys only, this option specifies use of a large exponent. + +``-i id`` + This option creates key objects with ``id``. The ID is either an unsigned short 2-byte + or an unsigned long 4-byte number. + +``-m module`` + This option specifies the PKCS#11 provider module. This must be the full path to a + shared library object implementing the PKCS#11 API for the device. 
+ +``-P`` + This option sets the new private key to be non-sensitive and extractable, and + allows the private key data to be read from the PKCS#11 device. The + default is for private keys to be sensitive and non-extractable. + +``-p PIN`` + This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command + line, ``pkcs11-keygen`` prompts for it. + +``-q`` + This option sets quiet mode, which suppresses unnecessary output. + +``-S`` + For Diffie-Hellman (DH) keys only, this option specifies use of a special prime of 768-, 1024-, + or 1536-bit size and base (AKA generator) 2. If not specified, bit + size defaults to 1024. + +``-s slot`` + This option opens the session with the given PKCS#11 slot. The default is slot 0. + +See Also +~~~~~~~~ + +:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`, :manpage:`dnssec-keyfromlabel(8)` diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c new file mode 100644 index 0000000..1fdd8a8 --- /dev/null +++ b/bin/pkcs11/pkcs11-list.c 
@@ -0,0 +1,277 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Portions copyright (c) 2008 Nominet UK. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* pkcs11-list [-P] [-m module] [-s slot] [-i $id | -l $label] [-p $pin] */ + +/*! 
\file */ + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include +#include + +int +main(int argc, char *argv[]) { + isc_result_t result; + CK_RV rv; + CK_SLOT_ID slot = 0; + CK_SESSION_HANDLE hSession; + CK_BYTE attr_id[2]; + CK_OBJECT_HANDLE akey[50]; + pk11_context_t pctx; + char *lib_name = NULL; + char *label = NULL; + char *pin = NULL; + bool error = false, logon = true, all = false; + unsigned int i = 0, id = 0; + int c, errflg = 0; + CK_ULONG ulObjectCount; + CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id, + sizeof(attr_id) } }; + + while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:P")) != -1) { + switch (c) { + case 'P': + logon = false; + break; + case 'm': + lib_name = isc_commandline_argument; + break; + case 's': + slot = atoi(isc_commandline_argument); + break; + case 'i': + id = atoi(isc_commandline_argument); + id &= 0xffff; + break; + case 'l': + label = isc_commandline_argument; + break; + case 'p': + pin = isc_commandline_argument; + break; + case ':': + fprintf(stderr, "Option -%c requires an operand\n", + isc_commandline_option); + errflg++; + break; + case '?': + default: + fprintf(stderr, "Unrecognised option: -%c\n", + isc_commandline_option); + errflg++; + } + } + + if (errflg) { + fprintf(stderr, "Usage:\n"); + fprintf(stderr, "\tpkcs11-list [-P] [-m module] [-s slot] " + "[-i id | -l label] [-p pin]\n"); + exit(1); + } + + if (!id && (label == NULL)) { + all = true; + } + + if (slot) { + printf("slot %lu\n", slot); + } + + if (id) { + printf("id %u\n", id); + attr_id[0] = (id >> 8) & 0xff; + attr_id[1] = id & 0xff; + } else if (label != NULL) { + printf("label %s\n", label); + search_template[0].type = CKA_LABEL; + search_template[0].pValue = label; + search_template[0].ulValueLen = strlen(label); + } + + pk11_result_register(); + + /* Initialize the CRYPTOKI library */ + if (lib_name != NULL) { + pk11_set_lib_name(lib_name); + } + + if (logon && pin == 
NULL) { + pin = getpass("Enter Pin: "); + } + + result = pk11_get_session(&pctx, OP_ANY, false, false, logon, pin, + slot); + if (result == PK11_R_NORANDOMSERVICE || + result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) + { + fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); + fprintf(stderr, "This HSM will not work with BIND 9 " + "using native PKCS#11.\n"); + } else if (result != ISC_R_SUCCESS) { + fprintf(stderr, + "Unrecoverable error initializing " + "PKCS#11: %s\n", + isc_result_totext(result)); + fprintf(stderr, + "Unrecoverable error initializing " + "PKCS#11: %s\n", + isc_result_totext(result)); + exit(1); + } + + if (pin != NULL) { + memset(pin, 0, strlen(pin)); + } + + hSession = pctx.session; + + rv = pkcs_C_FindObjectsInit(hSession, search_template, all ? 0 : 1); + if (rv != CKR_OK) { + fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); + error = 1; + goto exit_session; + } + + ulObjectCount = 1; + while (ulObjectCount) { + rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount); + if (rv != CKR_OK) { + fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); + error = 1; + goto exit_search; + } + for (i = 0; i < ulObjectCount; i++) { + unsigned int j, len; + + CK_OBJECT_CLASS oclass = 0; + CK_BYTE labelbuf[64 + 1]; + CK_BYTE idbuf[64]; + CK_BBOOL extract = TRUE; + CK_BBOOL never = FALSE; + CK_ATTRIBUTE template[] = { + { CKA_CLASS, &oclass, sizeof(oclass) }, + { CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 }, + { CKA_ID, idbuf, sizeof(idbuf) } + }; + CK_ATTRIBUTE priv_template[] = { + { CKA_EXTRACTABLE, &extract, sizeof(extract) }, + { CKA_NEVER_EXTRACTABLE, &never, sizeof(never) } + }; + + memset(labelbuf, 0, sizeof(labelbuf)); + memset(idbuf, 0, sizeof(idbuf)); + + rv = pkcs_C_GetAttributeValue(hSession, akey[i], + template, 3); + if (rv != CKR_OK) { + fprintf(stderr, + "C_GetAttributeValue[%u]: " + "rv = 0x%.8lX\n", + i, rv); + if (rv == CKR_BUFFER_TOO_SMALL) { + fprintf(stderr, + "%u too small: %lu %lu %lu\n", 
+ i, template[0].ulValueLen, + template[1].ulValueLen, + template[2].ulValueLen); + } + error = 1; + continue; + } + + len = template[2].ulValueLen; + printf("object[%u]: handle %lu class %lu " + "label[%lu] '%s' id[%lu] ", + i, akey[i], oclass, template[1].ulValueLen, + labelbuf, template[2].ulValueLen); + if (len == 2) { + id = (idbuf[0] << 8) & 0xff00; + id |= idbuf[1] & 0xff; + printf("%u", id); + } else { + if (len > 8) { + len = 8; + } + if (len > 0) { + printf("0x"); + } + for (j = 0; j < len; j++) { + printf("%02x", idbuf[j]); + } + if (template[2].ulValueLen > len) { + printf("..."); + } + } + if ((oclass == CKO_PRIVATE_KEY || + oclass == CKO_SECRET_KEY) && + pkcs_C_GetAttributeValue(hSession, akey[i], + priv_template, + 2) == CKR_OK) + { + printf(" E:%s", + extract ? "true" + : (never ? "never" : "false")); + } + printf("\n"); + } + } + +exit_search: + rv = pkcs_C_FindObjectsFinal(hSession); + if (rv != CKR_OK) { + fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); + error = 1; + } + +exit_session: + pk11_return_session(&pctx); + (void)pk11_finalize(); + + exit(error); +} diff --git a/bin/pkcs11/pkcs11-list.rst b/bin/pkcs11/pkcs11-list.rst new file mode 100644 index 0000000..5cfe2da --- /dev/null +++ b/bin/pkcs11/pkcs11-list.rst 
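Review bot: The PIN scrub `memset(pin, 0, strlen(pin));` right after `pk11_get_session()` is the last access to `pin` in the function, so a compiler is free to drop it as a dead store; it should be `isc_safe_memwipe(pin, strlen(pin));` (the `#include` lines are not legible in this rendering, so confirm `isc/safe.h` is pulled in). A PIN passed with `-p` has also already been exposed in the process's argv for the whole of session setup, so even a reliable wipe only narrows the window — the `getpass()` prompt path is the safe one and the man page could say so. Separately, the unrecoverable-error branch prints the same `"Unrecoverable error initializing PKCS#11: %s\n"` message twice; the second `fprintf` looks like a copy/paste duplicate and should be removed. Also `-i` masks the id with `id &= 0xffff` and searches a two-byte `attr_id`, while the pkcs11-keygen man page in this same patch says IDs may be 2-byte or 4-byte, so objects created with a 4-byte id cannot be found by id here — either widen the search template or document the limitation.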
@@ -0,0 +1,56 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. highlight: console + +.. _man_pkcs11-list: + +pkcs11-list - list PKCS#11 objects +---------------------------------- + +:program:`pkcs11-list` [**-P**] [**-m** module] [**-s** slot] [**-i** ID **] [-l** label] [**-p** PIN] + +Description +~~~~~~~~~~~ + +``pkcs11-list`` lists the PKCS#11 objects with ``ID`` or ``label`` or, by +default, all objects. The object class, label, and ID are displayed for +all keys. For private or secret keys, the extractability attribute is +also displayed, as either ``true``, ``false``, or ``never``. + +Options +~~~~~~~ + +``-P`` + This option lists only the public objects. (Note that on some PKCS#11 devices, all + objects are private.) + +``-m module`` + This option specifies the PKCS#11 provider module. This must be the full path to a + shared library object implementing the PKCS#11 API for the device. + +``-s slot`` + This option opens the session with the given PKCS#11 slot. The default is slot 0. + +``-i ID`` + This option lists only key objects with the given object ID. + +``-l label`` + This option lists only key objects with the given label. + +``-p PIN`` + This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command + line, ``pkcs11-list`` prompts for it. + +See Also +~~~~~~~~ + +:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-tokens(8)` diff --git a/bin/pkcs11/pkcs11-tokens.c b/bin/pkcs11/pkcs11-tokens.c new file mode 100644 index 0000000..e95fa4c --- /dev/null +++ b/bin/pkcs11/pkcs11-tokens.c 
@@ -0,0 +1,103 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* pkcs11-tokens [-m module] */ + +/*! \file */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include +#include + +int +main(int argc, char *argv[]) { + isc_result_t result; + char *lib_name = NULL; + int c, errflg = 0; + isc_mem_t *mctx = NULL; + pk11_context_t pctx; + + while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) { + switch (c) { + case 'm': + lib_name = isc_commandline_argument; + break; + case 'v': + pk11_verbose_init = true; + break; + case ':': + fprintf(stderr, "Option -%c requires an operand\n", + isc_commandline_option); + errflg++; + break; + case '?': + default: + fprintf(stderr, "Unrecognised option: -%c\n", + isc_commandline_option); + errflg++; + } + } + + if (errflg) { + fprintf(stderr, "Usage:\n"); + fprintf(stderr, "\tpkcs11-tokens [-v] [-m module]\n"); + exit(1); + } + + isc_mem_create(&mctx); + + pk11_result_register(); + + /* Initialize the CRYPTOKI library */ + if (lib_name != NULL) { + pk11_set_lib_name(lib_name); + } + + result = pk11_get_session(&pctx, OP_ANY, true, false, false, NULL, 0); + if (result == PK11_R_NORANDOMSERVICE || + result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) + { + fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); + fprintf(stderr, "This HSM will not work with BIND 9 " + "using native PKCS#11.\n\n"); + } else if ((result != ISC_R_SUCCESS) && (result != ISC_R_NOTFOUND)) { + fprintf(stderr, + "Unrecoverable error initializing " + "PKCS#11: %s\n", + 
isc_result_totext(result)); + exit(1); + } + + pk11_dump_tokens(); + + if (pctx.handle != NULL) { + pk11_return_session(&pctx); + } + (void)pk11_finalize(); + + isc_mem_destroy(&mctx); + + exit(0); +} diff --git a/bin/pkcs11/pkcs11-tokens.rst b/bin/pkcs11/pkcs11-tokens.rst new file mode 100644 index 0000000..3612105 --- /dev/null +++ b/bin/pkcs11/pkcs11-tokens.rst @@ -0,0 +1,43 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. highlight: console + +.. _man_pkcs11-tokens: + +pkcs11-tokens - list PKCS#11 available tokens +--------------------------------------------- + +Synopsis +~~~~~~~~ + +:program:`pkcs11-tokens` [**-m** module] [**-v**] + +Description +~~~~~~~~~~~ + +``pkcs11-tokens`` lists the PKCS#11 available tokens with defaults from +the slot/token scan performed at application initialization. + +Options +~~~~~~~ + +``-m module`` + This option specifies the PKCS#11 provider module. This must be the full path to a + shared library object implementing the PKCS#11 API for the device. + +``-v`` + This option makes the PKCS#11 libisc initialization verbose. + +See Also +~~~~~~~~ + +:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)` diff --git a/bin/pkcs11/win32/pk11destroy.vcxproj.filters.in b/bin/pkcs11/win32/pk11destroy.vcxproj.filters.in new file mode 100644 index 0000000..bdcc431 --- /dev/null +++ b/bin/pkcs11/win32/pk11destroy.vcxproj.filters.in 
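Review bot: The file-header usage comment `/* pkcs11-tokens [-m module] */` is stale: the option string passed to `isc_commandline_parse` is `":m:v"` and the usage message already reads `pkcs11-tokens [-v] [-m module]`, so the comment should be `/* pkcs11-tokens [-v] [-m module] */`. On the unrecoverable-error branch the program calls `exit(1)` without the `pk11_finalize()` / `isc_mem_destroy(&mctx)` teardown that the success path performs; harmless at process exit, but the asymmetry deserves a comment or a shared cleanup label. As far as this file shows, `mctx` is created and destroyed but never used for an allocation and is not passed to `pk11_dump_tokens()`, so it may be droppable — confirm nothing in the pk11 helpers depends on a memory context having been created.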
@@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/bin/pkcs11/win32/pk11destroy.vcxproj.in b/bin/pkcs11/win32/pk11destroy.vcxproj.in new file mode 100644 index 0000000..4e006d5 --- /dev/null +++ b/bin/pkcs11/win32/pk11destroy.vcxproj.in 
@@ -0,0 +1,121 @@ + + + + + Debug + @PLATFORM@ + + + Release + @PLATFORM@ + + + + {5B3137E5-7E1F-49AA-8810-A09AA417D326} + Win32Proj + pk11destroy + @WINDOWS_TARGET_PLATFORM_VERSION@ + + + + Application + true + MultiByte + @PLATFORM_TOOLSET@ + + + Application + false + true + MultiByte + @PLATFORM_TOOLSET@ + + + + + + + + + + + + + true + ..\..\..\Build\$(Configuration)\ + .\$(Configuration)\ + None + pkcs11-destroy + + + false + ..\..\..\Build\$(Configuration)\ + .\$(Configuration)\ + None + pkcs11-destroy + + + + + + Level4 + false + Disabled + WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + .\$(Configuration)\$(ProjectName).pch + .\$(Configuration)\ + .\$(Configuration)\ + $(OutDir)$(TargetName).pdb + true + ..\..\..\config.h + .\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories) + CompileAsC + + + Console + true + ..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt) + $(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories) + @OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies) + + + + + Level1 + true + + + MaxSpeed + true + @INTRINSIC@ + WIN32;@PK11_LIB_LOCATION@NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + OnlyExplicitInline + false + true + .\$(Configuration)\$(ProjectName).pch + .\$(Configuration)\ + .\$(Configuration)\ + $(OutDir)$(TargetName).pdb + ..\..\..\config.h + .\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories) + CompileAsC + + + Console + false + true + true + ..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt) + Default + $(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories) + @OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies) + + + + + + + + + diff --git a/bin/pkcs11/win32/pk11destroy.vcxproj.user b/bin/pkcs11/win32/pk11destroy.vcxproj.user new file mode 100644 index 0000000..ace9a86 --- /dev/null 
+++ b/bin/pkcs11/win32/pk11destroy.vcxproj.user @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/bin/pkcs11/win32/pk11keygen.vcxproj.filters.in b/bin/pkcs11/win32/pk11keygen.vcxproj.filters.in new file mode 100644 index 0000000..412ff86 --- /dev/null +++ b/bin/pkcs11/win32/pk11keygen.vcxproj.filters.in @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/bin/pkcs11/win32/pk11keygen.vcxproj.in b/bin/pkcs11/win32/pk11keygen.vcxproj.in new file mode 100644 index 0000000..137d251 --- /dev/null +++ b/bin/pkcs11/win32/pk11keygen.vcxproj.in 
@@ -0,0 +1,121 @@ + + + + + Debug + @PLATFORM@ + + + Release + @PLATFORM@ + + + + {5042D371-0402-4FA3-A52A-769708694422} + Win32Proj + pk11keygen + @WINDOWS_TARGET_PLATFORM_VERSION@ + + + + Application + true + MultiByte + @PLATFORM_TOOLSET@ + + + Application + false + true + MultiByte + @PLATFORM_TOOLSET@ + + + + + + + + + + + + + true + ..\..\..\Build\$(Configuration)\ + .\$(Configuration)\ + None + pkcs11-keygen + + + false + ..\..\..\Build\$(Configuration)\ + .\$(Configuration)\ + None + pkcs11-keygen + + + + + + Level4 + false + Disabled + WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + .\$(Configuration)\$(ProjectName).pch + .\$(Configuration)\ + .\$(Configuration)\ + $(OutDir)$(TargetName).pdb + true + ..\..\..\config.h + .\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories) + CompileAsC + + + Console + true + ..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt) + $(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories) + @OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies) + + + + + Level1 + true + + + MaxSpeed + true + @INTRINSIC@ + WIN32;@PK11_LIB_LOCATION@NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + OnlyExplicitInline + false + true + .\$(Configuration)\$(ProjectName).pch + .\$(Configuration)\ + .\$(Configuration)\ + $(OutDir)$(TargetName).pdb + ..\..\..\config.h + .\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories) + CompileAsC + + + Console + false + true + true + ..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt) + Default + $(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories) + @OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies) + + + + + + + + + diff --git a/bin/pkcs11/win32/pk11keygen.vcxproj.user b/bin/pkcs11/win32/pk11keygen.vcxproj.user new file mode 100644 index 0000000..ace9a86 --- /dev/null 
+++ b/bin/pkcs11/win32/pk11keygen.vcxproj.user @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/bin/pkcs11/win32/pk11list.vcxproj.filters.in b/bin/pkcs11/win32/pk11list.vcxproj.filters.in new file mode 100644 index 0000000..6944afd --- /dev/null +++ b/bin/pkcs11/win32/pk11list.vcxproj.filters.in @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/bin/pkcs11/win32/pk11list.vcxproj.in b/bin/pkcs11/win32/pk11list.vcxproj.in new file mode 100644 index 0000000..52c6f02 --- /dev/null +++ b/bin/pkcs11/win32/pk11list.vcxproj.in 
@@ -0,0 +1,121 @@ + + + + + Debug + @PLATFORM@ + + + Release + @PLATFORM@ + + + + {C663B088-F7BC-4C8C-8D06-A76636EED651} + Win32Proj + pk11list + @WINDOWS_TARGET_PLATFORM_VERSION@ + + + + Application + true + MultiByte + @PLATFORM_TOOLSET@ + + + Application + false + true + MultiByte + @PLATFORM_TOOLSET@ + + + + + + + + + + + + + true + ..\..\..\Build\$(Configuration)\ + .\$(Configuration)\ + None + pkcs11-list + + + false + ..\..\..\Build\$(Configuration)\ + .\$(Configuration)\ + None + pkcs11-list + + + + + + Level4 + false + Disabled + WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + .\$(Configuration)\$(ProjectName).pch + .\$(Configuration)\ + .\$(Configuration)\ + $(OutDir)$(TargetName).pdb + true + ..\..\..\config.h + .\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories) + CompileAsC + + + Console + true + ..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt) + $(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories) + @OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies) + + + + + Level1 + true + + + MaxSpeed + true + @INTRINSIC@ + WIN32;@PK11_LIB_LOCATION@NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + OnlyExplicitInline + false + true + .\$(Configuration)\$(ProjectName).pch + .\$(Configuration)\ + .\$(Configuration)\ + $(OutDir)$(TargetName).pdb + ..\..\..\config.h + .\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories) + CompileAsC + + + Console + false + true + true + ..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt) + Default + $(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories) + @OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies) + + + + + + + + + diff --git a/bin/pkcs11/win32/pk11list.vcxproj.user b/bin/pkcs11/win32/pk11list.vcxproj.user new file mode 100644 index 0000000..ace9a86 --- /dev/null 
+++ b/bin/pkcs11/win32/pk11list.vcxproj.user @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/bin/pkcs11/win32/pk11tokens.vcxproj.filters.in b/bin/pkcs11/win32/pk11tokens.vcxproj.filters.in new file mode 100644 index 0000000..7c3b8ed --- /dev/null +++ b/bin/pkcs11/win32/pk11tokens.vcxproj.filters.in @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/bin/pkcs11/win32/pk11tokens.vcxproj.in b/bin/pkcs11/win32/pk11tokens.vcxproj.in new file mode 100644 index 0000000..7bb41cb --- /dev/null +++ b/bin/pkcs11/win32/pk11tokens.vcxproj.in 
@@ -0,0 +1,121 @@ + + + + + Debug + @PLATFORM@ + + + Release + @PLATFORM@ + + + + {403FD4B1-A4F9-4159-9013-5860E3A4417D} + Win32Proj + pk11tokens + @WINDOWS_TARGET_PLATFORM_VERSION@ + + + + Application + true + MultiByte + @PLATFORM_TOOLSET@ + + + Application + false + true + MultiByte + @PLATFORM_TOOLSET@ + + + + + + + + + + + + + true + ..\..\..\Build\$(Configuration)\ + .\$(Configuration)\ + None + pkcs11-tokens + + + false + ..\..\..\Build\$(Configuration)\ + .\$(Configuration)\ + None + pkcs11-tokens + + + + + + Level4 + false + Disabled + WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + .\$(Configuration)\$(ProjectName).pch + .\$(Configuration)\ + .\$(Configuration)\ + $(OutDir)$(TargetName).pdb + true + ..\..\..\config.h + .\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories) + CompileAsC + + + Console + true + ..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt) + $(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories) + @OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies) + + + + + Level1 + true + + + MaxSpeed + true + @INTRINSIC@ + WIN32;@PK11_LIB_LOCATION@NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + OnlyExplicitInline + false + true + .\$(Configuration)\$(ProjectName).pch + .\$(Configuration)\ + .\$(Configuration)\ + $(OutDir)$(TargetName).pdb + ..\..\..\config.h + .\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories) + CompileAsC + + + Console + false + true + true + ..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt) + Default + $(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories) + @OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies) + + + + + + + + + diff --git a/bin/pkcs11/win32/pk11tokens.vcxproj.user b/bin/pkcs11/win32/pk11tokens.vcxproj.user new file mode 100644 index 0000000..ace9a86 
--- /dev/null +++ b/bin/pkcs11/win32/pk11tokens.vcxproj.user @@ -0,0 +1,3 @@ + + + \ No newline at end of file -- cgit v1.2.3