release 2.2.0

.gitmodules

@@ -1,6 +1,6 @@
 [submodule ".gnulib"]
 	path = .gnulib
-	url = https://git.savannah.gnu.org/git/gnulib.git
+	url = https://github.com/coreutils/gnulib.git
 [submodule "include/oasis-pkcs11"]
 	path = include/oasis-pkcs11
 	url = https://github.com/oasis-tcs/pkcs11.git

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+=======
+# [2.2.0]
+### Added
+- p11kcv will compute a Key Check Value on `CK_GENERIC_SECRET` keys as well. These are mapped to HMAC-SHA256.
+- p11slotinfo now prints library version
+- support for FreeBSD ports and packaging
+- for Edwards curve based keys, allow providing curve name instead of OID when generating a key
+
 # [2.1.3] - 2021-03-25
 ### Fixed
 - ensure that openssl 1.1.1e or above is used, issue #27

bootstrap.sh

@@ -1,12 +1,65 @@
-#!/usr/bin/env sh
+#!/bin/sh
 
-# pull submodule stuff
-git submodule update --init .gnulib
-git submodule update --init include/oasis-pkcs11
+# Copyright (c) 2021 Mastercard
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#   http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+########################################################################
+# bootstrap.sh: used to bootstrap project once cloned from git
+#               or during FreeBSD package build
+########################################################################
+
+# no tolerance to errors
+set -e
+
+cleanup() {
+    if [ -n ${oldpath} ]; then
+	cd ${oldpath}
+    fi
+}
+
+trap cleanup EXIT
+
+oldpath=$PWD
+cd ${oldpath}
+
+# detect if we are in a git repo
+if [ -d .git ]; then
+    # pull submodule stuff
+    git submodule update --init
+    #    git submodule update --init .gnulib
+    #    git submodule update --init include/oasis-pkcs11
+else
+    # if not a git repo, then two possibilities:
+    # 1) we are building a FreeBSD port, in which case
+    #    BUILD_PORT is set
+    # 2) we are not, in which case we choke and die
+    #
+    if [ -z ${BUILD_PORT} ]; then
+	echo "***Error: $0 is not invoked from a git repository."
+	exit 1
+    fi
+fi
 
 # invoke gnulib
 .gnulib/gnulib-tool --import --dir=. --lib=libgnu --source-base=gl --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=. --no-conditional-dependencies --no-libtool --macro-prefix=gl byteswap gethostname getline getopt-gnu malloc-gnu calloc-gnu realloc-gnu regex strcase termios time sysexits
 
 # create configure scripts
 autoreconf -vfi
 
+cat <<EOF
+========================================================================
+Bootstrap complete. 
+Execute './configure' and 'make' to build the project.
+
+EOF

configure.ac

@@ -14,7 +14,7 @@ dnl limitations under the License.
 
 
 AC_PREREQ([2.64])
-AC_INIT([pkcs11-tools], [2.1.3], [https://github.com/Mastercard/pkcs11-tools/issues], [pkcs11-tools], [https://github.com/Mastercard/pkcs11-tools])
+AC_INIT([pkcs11-tools], [2.2.0], [https://github.com/Mastercard/pkcs11-tools/issues], [pkcs11-tools], [https://github.com/Mastercard/pkcs11-tools])
 AC_CONFIG_MACRO_DIR([m4])
 
 dnl adding AM_MAINTAINER_MODE to address autotools issues with git

include/pkcs11lib.h

@@ -103,6 +103,7 @@ typedef struct s_p11_ctx {
     CK_SLOT_ID slot;
     int slotindex;
     CK_SESSION_HANDLE Session;
+    CK_BBOOL initialized;
     CK_BBOOL logged_in;
 
     /* in support to rfc3394: */
@@ -675,6 +676,7 @@ CK_OBJECT_HANDLE pkcs11_import_component_final(KeyImportCtx *kctx);
 const char *get_mechanism_name(CK_MECHANISM_TYPE mech); /* pkcs11_mechanism.c */
 CK_ATTRIBUTE_TYPE get_attribute_type_from_name(char *name); /* pkcs11_attrdesc.c */
 
+func_rc pkcs11_info_library(pkcs11Context *p11Context);
 func_rc pkcs11_info_slot(pkcs11Context *p11Context);
 func_rc pkcs11_info_ecsupport(pkcs11Context *p11Context);
 

lib/Makefile.am

@@ -58,6 +58,7 @@ libp11_la_SOURCES += pkcs11_attr.c \
 	pkcs11_kcv.c \
 	pkcs11_keycomp.c \
 	pkcs11_keygen.c \
+	pkcs11_libinfo.c \
 	pkcs11_ls.c \
 	pkcs11_masq.c \
 	pkcs11_mechanism.c \

lib/pkcs11_context.c

@@ -128,7 +128,8 @@ func_rc pkcs11_initialize( pkcs11Context * p11Context )
 
     pC_Initialize = pFunctionList->C_Initialize;
 
-    if ( ( rv = pC_Initialize( &InitArgs ) ) != CKR_OK )
+    rv = pC_Initialize( &InitArgs );
+    if ( rv!=CKR_OK && rv!=CKR_CRYPTOKI_ALREADY_INITIALIZED )
     {
 	if(p11Context->nssinitparams==NULL) {
 	    /* if we don't have NSS parameters, */
@@ -138,28 +139,24 @@ func_rc pkcs11_initialize( pkcs11Context * p11Context )
 	    goto err;
 	}
 
-	else if ( rv == CKR_CRYPTOKI_ALREADY_INITIALIZED ) {
-	    rc = rc_ok;
-	}
-
 	else if ( rv == CKR_ARGUMENTS_BAD )
 	{
 	    rv = pC_Initialize( &NSS_InitArgs );
-
 	    if ( rv == CKR_ARGUMENTS_BAD )
 	    {
 		pkcs11_error( rv, "C_Initialize" );
 
 		rv = pC_Initialize( NULL_PTR );
-
 		if ( rv == CKR_ARGUMENTS_BAD ) {
 		    pkcs11_error( rv, "C_Initialize" );
 		    rc = rc_error_pkcs11_api;
+		    goto err;
 		}
 	    }
 	}
     }
 
+    p11Context->initialized = CK_TRUE;
 err:
     return rc;
 }
@@ -169,14 +166,16 @@ func_rc pkcs11_finalize( pkcs11Context * p11Context )
     func_rc rc = rc_ok;
     CK_RV retCode;
 
-    if(p11Context) {
+    if(p11Context && p11Context->initialized) {
 	if( p11Context->FunctionList.C_Finalize ) {
 	    if ( ( retCode = p11Context->FunctionList.C_Finalize( NULL_PTR ) ) != CKR_OK ) {
 		pkcs11_error( retCode, "C_Finalize" );
 		rc = rc_error_pkcs11_api;
 	    }
 	}
 
+	p11Context->initialized = CK_FALSE;
+
 	if(p11Context->libhandle) {
 	    pkcs11_ll_dynlib_close(p11Context->libhandle);
 	    p11Context->libhandle=NULL;

lib/pkcs11_ec.c

@@ -29,6 +29,9 @@
 #include <openssl/objects.h>
 #include <openssl/err.h>
 
+static const uint8_t id_edwards25519[] = { 0x13, 0x0C, 'e', 'd', 'w', 'a', 'r', 'd', 's', '2', '5', '5', '1', '9' };
+static const uint8_t id_edwards448[] = { 0x13, 0x0A, 'e', 'd', 'w', 'a', 'r', 'd', 's', '4', '4', '8' };
+
 bool pkcs11_ex_curvename2oid(char *name, CK_BYTE **where, CK_ULONG *len, key_type_t keytype)
 {
     bool rc = false;
@@ -70,13 +73,11 @@ bool pkcs11_ex_curvename2oid(char *name, CK_BYTE **where, CK_ULONG *len, key_typ
 	OBJ_obj2txt(repr, sizeof repr - 1, obj, 1);
 
 	/* TODO do a better job at doing this */
-	if( ( keytype == ec && ( strncmp(ANSI_X9_62_CURVES, repr, strlen(ANSI_X9_62_CURVES)) == 0
-				 ||
-				 strncmp(CERTICOM_CURVES, repr, strlen(CERTICOM_CURVES)) == 0
-				 ||
-				 strncmp(WAP_WSG_CURVES, repr, strlen(WAP_WSG_CURVES)) == 0 ) )
-	    || ( keytype == ed && ( strncmp(ED25519, repr, strlen(ED25519)) == 0
-				    || strncmp(ED448, repr, strlen(ED448)) == 0 ) ) ) {
+	if( keytype == ec && ( strncmp(ANSI_X9_62_CURVES, repr, strlen(ANSI_X9_62_CURVES)) == 0
+			       ||
+			       strncmp(CERTICOM_CURVES, repr, strlen(CERTICOM_CURVES)) == 0
+			       ||
+			       strncmp(WAP_WSG_CURVES, repr, strlen(WAP_WSG_CURVES)) == 0 ) ) {
 
 	    /* if it is EC, we allocate the DER space onto target pointer */
 	    i2dlen = i2d_ASN1_OBJECT(obj, NULL);
@@ -104,6 +105,36 @@ bool pkcs11_ex_curvename2oid(char *name, CK_BYTE **where, CK_ULONG *len, key_typ
 		rc = true;
 	    }
 	}
+	/* although we could use the OID for key generation,                       */
+	/* it seems like HSM implementtions prefer using the curve strings instead */
+	/* note that PKCS#11 3.0 requires to support both ways.                    */
+	if ( keytype == ed ) {
+	    size_t wanted_len;
+
+	    if (strncmp(ED25519, repr, strlen(ED25519)) == 0) {
+		wanted_len = sizeof id_edwards25519;
+		pp = (uint8_t *)id_edwards25519;
+	    }
+	    else if (strncmp(ED448, repr, strlen(ED448)) == 0 ) {
+		wanted_len = sizeof id_edwards448;
+		pp = (uint8_t *)id_edwards448;
+	    }
+	    else {
+		fprintf(stderr, "Error: unsupported edwards curve");
+		goto err;
+	    }
+
+	    *where = OPENSSL_malloc(wanted_len);
+
+	    if(*where==NULL) {
+		P_ERR();
+		goto err;
+	    }
+	    memcpy(*where,pp,wanted_len);
+
+	    *len = wanted_len;
+	    rc = true;
+	}
     }
 
 err:
@@ -179,9 +210,6 @@ static char * pkcs11_ex_oid2curvename(CK_BYTE *param, CK_ULONG param_len, char *
 	       13 0a 65 64 77 61 72 64 73 34 34 38              ..edwards448
 	     */
 	{
-	    static const uint8_t id_edwards25519[] = { 0x13, 0x0C, 'e', 'd', 'w', 'a', 'r', 'd', 's', '2', '5', '5', '1', '9' };
-	    static const uint8_t id_edwards448[] = { 0x13, 0x0A, 'e', 'd', 'w', 'a', 'r', 'd', 's', '4', '4', '8' };
-
 	    if( ( obj = d2i_ASN1_OBJECT(NULL, &pp, param_len) ) != NULL) { /* case 1: OID - from public key */
 		if( OBJ_obj2txt(where, maxlen, obj, 0) == 0 ) {
 		    P_ERR();

lib/pkcs11_kcv.c

@@ -168,6 +168,7 @@ void pkcs11_display_kcv( pkcs11Context *p11Context, char *label )
 			    break;
 
 			case CKK_SHA256_HMAC:
+			case CKK_GENERIC_SECRET:
 			    mechanism = &sha256_hmac;
 			    cleartext_len = 0L;
 			    encrypted_len = 32L;

lib/pkcs11_libinfo.c

@@ -0,0 +1,73 @@
+/* -*- mode: c; c-file-style:"stroustrup"; -*- */
+
+/*
+ * Copyright (c) 2018 Mastercard
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+#include <config.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <ctype.h>
+#include <openssl/objects.h>
+#include <openssl/ec.h>
+#include "pkcs11lib.h"
+
+
+#define HAS_FLAG(a,fl,t,f) ( (a & fl) ? t : f )
+#define IS_VENDOR_DEFINED(m,t,f) ( (m & CKM_VENDOR_DEFINED) == CKM_VENDOR_DEFINED ? t : f )
+
+/* high-level search functions */
+
+func_rc pkcs11_info_library(pkcs11Context *p11Context)
+{
+    func_rc rc=rc_error_library;
+
+    if(p11Context && p11Context->initialized==CK_TRUE) {
+	CK_INFO libinfo;
+	CK_RV rv;
+
+	if((rv = p11Context->FunctionList.C_GetInfo(&libinfo)) != CKR_OK ) {
+	    pkcs11_error( rv, "C_GetInfo" );
+	    rc = rc_error_pkcs11_api;
+	    goto error;
+	}
+
+	fprintf( stdout, 		     
+		 "PKCS#11 Library\n" 
+		 "---------------\n"
+		 "Name        : %s\n"
+		 "Lib version : %d.%d\n"
+		 "API version : %d.%d\n"
+		 "Description : %.*s\n"
+		 "Manufacturer: %.*s\n"
+		 "\n",
+		 p11Context->library,
+		 libinfo.libraryVersion.major, libinfo.libraryVersion.minor,
+		 libinfo.cryptokiVersion.major, libinfo.cryptokiVersion.minor,
+		 (int)sizeof(libinfo.libraryDescription), libinfo.libraryDescription,
+		 (int)sizeof(libinfo.manufacturerID), libinfo.manufacturerID
+	    );
+
+	rc = rc_ok;
+    }
+
+error:
+    return rc;
+}
+
+/* EOF */

src/p11slotinfo.c

@@ -176,17 +176,21 @@ int main( int argc, char ** argv )
     }
 
     {
-
-	retcode = pkcs11_open_session( p11Context, slot, tokenlabel, password, so, interactive);
-
+	retcode = pkcs11_info_library(p11Context);
+
 	if( retcode == rc_ok ) {
-	    pkcs11_info_slot(p11Context);
 
-	    if(ec_support==1) {
-		pkcs11_info_ecsupport(p11Context);
-	    }
+	    retcode = pkcs11_open_session( p11Context, slot, tokenlabel, password, so, interactive);
+
+	    if( retcode == rc_ok ) {
+		pkcs11_info_slot(p11Context);
 
-	    pkcs11_close_session( p11Context );
+		if(ec_support==1) {
+		    pkcs11_info_ecsupport(p11Context);
+		}
+
+		pkcs11_close_session( p11Context );
+	    }
 	}
     }