Hello,
I am using Mozilla applications for a long time I enjoy it,
but the PKCS#11 implementation always worried me.
1. It prompts for PIN every time the token is accessed (Does
not use the public objects if exists).
2. It does not prompt for token insert if the token is
unavailable. For example, you started SSL session using a
certificate on a token, then remove it, at next negotiation
you should be prompted to insert your token.
3. Every key negotiation there is a PIN prompt without reuse
of last credentials.
4. Every key negotiation all objects are re-read from token.
Lately, I spent time in introducing PKCS#11 to open source
projects, started with OpenVPN (merged), then OpenSSH (not
yet), lately I've finished integrating PKCS#11 into QCA (Qt
Cryptographic Architecture, merged) so that KDE 4 will be
able to use smartcards.
Now I think I am ready to help you.
If you like, I am willing to help you make the PKCS#11
implementation better. I guess this cannot be done without
making some changes in the NSS interface.
I've implemented a pkcs11-helper module that abstracts the
use of PKCS#11. It handles multiple providers, works on
Linux and Windows, supports session caching, object
serialization, PIN prompt, token prompt, PIN cache period,
protected authentication and more.
Attached is my header file so you might get an idea of what
can be done.
Best Regards,
Alon Bar-Lev.
/*
* Copyright (c) 2005-2006 Alon Bar-Lev <[EMAIL PROTECTED]>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modifi-
* cation, are permitted provided that the following conditions are met:
*
* o Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* o Redistributions in binary form must reproduce the above copyright no-
* tice, this list of conditions and the following disclaimer in the do-
* cumentation and/or other materials provided with the distribution.
*
* o The names of the contributors may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LI-
* ABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUEN-
* TIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEV-
* ER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABI-
* LITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
* THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* The routines in this file deal with providing private key cryptography
* using RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
*
*/
#ifndef __PKCS11H_HELPER_H
#define __PKCS11H_HELPER_H
#if defined(__cplusplus)
extern "C" {
#endif
#include "pkcs11-helper-config.h"
#if defined(ENABLE_PKCS11H_SLOTEVENT) && !defined(ENABLE_PKCS11H_THREADING)
#error PKCS#11: ENABLE_PKCS11H_SLOTEVENT requires ENABLE_PKCS11H_THREADING
#endif
#if defined(ENABLE_PKCS11H_OPENSSL) && !defined(ENABLE_PKCS11H_CERTIFICATE)
#error PKCS#11: ENABLE_PKCS11H_OPENSSL requires ENABLE_PKCS11H_CERTIFICATE
#endif
#define PKCS11H_LOG_DEBUG2 5
#define PKCS11H_LOG_DEBUG1 4
#define PKCS11H_LOG_INFO 3
#define PKCS11H_LOG_WARN 2
#define PKCS11H_LOG_ERROR 1
#define PKCS11H_LOG_QUITE 0
#define PKCS11H_PIN_CACHE_INFINITE -1
#define PKCS11H_SIGNMODE_MASK_SIGN (1<<0)
#define PKCS11H_SIGNMODE_MASK_RECOVER (1<<1)
#define PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT (1<<0)
#define PKCS11H_PROMPT_MAST_ALLOW_CARD_PROMPT (1<<1)
#define PKCS11H_SLOTEVENT_METHOD_AUTO 0
#define PKCS11H_SLOTEVENT_METHOD_TRIGGER 1
#define PKCS11H_SLOTEVENT_METHOD_POLL 2
#define PKCS11H_ENUM_METHOD_CACHE 0
#define PKCS11H_ENUM_METHOD_CACHE_EXIST 1
#define PKCS11H_ENUM_METHOD_RELOAD 2
typedef void (*pkcs11h_output_print_t)(
IN const void *pData,
IN const char * const szFormat,
IN ...
)
#ifdef __GNUC__
__attribute__ ((format (printf, 2, 3)))
#endif
;
struct pkcs11h_token_id_s;
typedef struct pkcs11h_token_id_s *pkcs11h_token_id_t;
#if defined(ENABLE_PKCS11H_CERTIFICATE)
struct pkcs11h_certificate_id_s;
struct pkcs11h_certificate_s;
typedef struct pkcs11h_certificate_id_s *pkcs11h_certificate_id_t;
typedef struct pkcs11h_certificate_s *pkcs11h_certificate_t;
#endif /* ENABLE_PKCS11H_CERTIFICATE */
#if defined(ENABLE_PKCS11H_ENUM)
struct pkcs11h_token_id_list_s;
typedef struct pkcs11h_token_id_list_s *pkcs11h_token_id_list_t;
#if defined(ENABLE_PKCS11H_DATA)
struct pkcs11h_data_id_list_s;
typedef struct pkcs11h_data_id_list_s *pkcs11h_data_id_list_t;
#endif /* ENABLE_PKCS11H_DATA */
#if defined(ENABLE_PKCS11H_CERTIFICATE)
struct pkcs11h_certificate_id_list_s;
typedef struct pkcs11h_certificate_id_list_s *pkcs11h_certificate_id_list_t;
#endif /* ENABLE_PKCS11H_CERTIFICATE */
#endif /* ENABLE_PKCS11H_ENUM */
typedef void (*pkcs11h_hook_log_t)(
IN const void *pData,
IN const unsigned flags,
IN const char * const szFormat,
IN va_list args
);
typedef void (*pkcs11h_hook_slotevent_t)(
IN const void *pData
);
typedef PKCS11H_BOOL (*pkcs11h_hook_token_prompt_t)(
IN const void *pData,
IN const pkcs11h_token_id_t token
);
typedef PKCS11H_BOOL (*pkcs11h_hook_pin_prompt_t)(
IN const void *pData,
IN const pkcs11h_token_id_t token,
OUT char * const szPIN,
IN const size_t nMaxPIN
);
struct pkcs11h_token_id_s {
char label[1024];
char manufacturerID[sizeof (((CK_TOKEN_INFO *)NULL)->manufacturerID)+1];
char model[sizeof (((CK_TOKEN_INFO *)NULL)->model)+1];
char serialNumber[sizeof (((CK_TOKEN_INFO *)NULL)->serialNumber)+1];
};
#if defined(ENABLE_PKCS11H_CERTIFICATE)
struct pkcs11h_certificate_id_s {
pkcs11h_token_id_t token_id;
char displayName[1024];
CK_BYTE_PTR attrCKA_ID;
size_t attrCKA_ID_size;
unsigned char *certificate_blob;
size_t certificate_blob_size;
};
#endif
#if defined(ENABLE_PKCS11H_ENUM)
struct pkcs11h_token_id_list_s {
pkcs11h_token_id_list_t next;
pkcs11h_token_id_t token_id;
};
#if defined(ENABLE_PKCS11H_DATA)
struct pkcs11h_data_id_list_s {
pkcs11h_data_id_list_t next;
char *application;
char *label;
};
#endif /* ENABLE_PKCS11H_DATA */
#if defined(ENABLE_PKCS11H_CERTIFICATE)
struct pkcs11h_certificate_id_list_s {
pkcs11h_certificate_id_list_t next;
pkcs11h_certificate_id_t certificate_id;
};
#endif /* ENABLE_PKCS11H_CERTIFICATE */
#endif /* ENABLE_PKCS11H_CERTIFICATE */
#if defined(ENABLE_PKCS11H_OPENSSL)
struct pkcs11h_openssl_session_s;
typedef struct pkcs11h_openssl_session_s *pkcs11h_openssl_session_t;
#endif /* ENABLE_PKCS11H_OPENSSL */
/*
* pkcs11h_getMessage - Get message by return value.
*
* Parameters:
* rv - Return value.
*/
char *
pkcs11h_getMessage (
IN const int rv
);
/*
* pkcs11h_initialize - Inititalize helper interface.
*
* Must be called once, from main thread.
* Defaults:
* Protected authentication enabled.
* PIN cached is infinite.
*/
CK_RV
pkcs11h_initialize ();
/*
* pkcs11h_terminate - Terminate helper interface.
*
* Must be called once, from main thread, after all
* related resources freed.
*/
CK_RV
pkcs11h_terminate ();
/*
* pkcs11h_setLogLevel - Set current log level of the helper.
*
* Parameters:
* flags - current log level.
*
* The log level can be set to maximum, but setting it to lower
* level will improve performance.
*/
void
pkcs11h_setLogLevel (
IN const unsigned flags
);
/*
* pkcs11h_getLogLevel - Get current log level.
*/
unsigned
pkcs11h_getLogLevel ();
/*
* pkcs11h_setLogHook - Set a log callback.
*
* Parameters:
* hook - Callback.
* pData - Data to send to callback.
*/
CK_RV
pkcs11h_setLogHook (
IN const pkcs11h_hook_log_t hook,
IN void * const pData
);
/*
* pkcs11h_setSlotEventHook - Set a slot event callback.
*
* Parameters:
* hook - Callback.
* pData - Data to send to callback.
*
* Calling this function initialize slot event notifications, these
* notifications can be started, but never terminate due to PKCS#11 limitation.
*
* In order to use slot events you must have threading enabled.
*/
CK_RV
pkcs11h_setSlotEventHook (
IN const pkcs11h_hook_slotevent_t hook,
IN void * const pData
);
/*
* pkcs11h_setTokenPromptHook - Set a token prompt callback.
*
* Parameters:
* hook - Callback.
* pData - Data to send to callback.
*/
CK_RV
pkcs11h_setTokenPromptHook (
IN const pkcs11h_hook_token_prompt_t hook,
IN void * const pData
);
/*
* pkcs11h_setPINPromptHook - Set a pin prompt callback.
*
* Parameters:
* hook - Callback.
* pData - Data to send to callback.
*/
CK_RV
pkcs11h_setPINPromptHook (
IN const pkcs11h_hook_pin_prompt_t hook,
IN void * const pData
);
/*
* pkcs11h_setProtectedAuthentication - Set global protected authentication mode.
*
* Parameters:
* fProtectedAuthentication - Allow protected authentication if enabled by token.
*/
CK_RV
pkcs11h_setProtectedAuthentication (
IN const PKCS11H_BOOL fProtectedAuthentication
);
/*
* pkcs11h_setPINCachePeriod - Set global PIN cache timeout.
*
* Parameters:
* nPINCachePeriod - Cache period in seconds, or PKCS11H_PIN_CACHE_INFINITE.
*/
CK_RV
pkcs11h_setPINCachePeriod (
IN const int nPINCachePeriod
);
/*
* pkcs11h_setMaxLoginRetries - Set global login retries attempts.
*
* Parameters:
* nMaxLoginRetries - Login retries handled by the helper.
*/
CK_RV
pkcs11h_setMaxLoginRetries (
IN const int nMaxLoginRetries
);
/*
* pkcs11h_addProvider - Add a PKCS#11 provider.
*
* Parameters:
* szReferenceName - Reference name for this provider.
* szProvider - Provider library location.
* fProtectedAuthentication - Allow this provider to use protected authentication.
* maskSignMode - Provider signmode override.
* nSlotEventMethod - Provider slot event method.
* nSlotEventPollInterval - Slot event poll interval (If in polling mode).
* fCertIsPrivate - Provider's certificate access should be done after login.
*
* This function must be called from the main thread.
*
* The global fProtectedAuthentication must be enabled in order to allow provider specific.
* The maskSignMode can be 0 in order to automatically detect key sign mode.
*/
CK_RV
pkcs11h_addProvider (
IN const char * const szReferenceName,
IN const char * const szProvider,
IN const PKCS11H_BOOL fProtectedAuthentication,
IN const unsigned maskSignMode,
IN const int nSlotEventMethod,
IN const int nSlotEventPollInterval,
IN const PKCS11H_BOOL fCertIsPrivate
);
/*
* pkcs11h_delProvider - Delete a PKCS#11 provider.
*
* Parameters:
* szReferenceName - Reference name for this provider.
*
* This function must be called from the main thread.
*/
CK_RV
pkcs11h_removeProvider (
IN const char * const szReferenceName
);
/*
* pkcs11h_forkFixup - Handle special case of Unix fork()
*
* This function should be called after fork is called. This is required
* due to a limitation of the PKCS#11 standard.
*
* This function must be called from the main thread.
*
* The helper library handles fork automatically if ENABLE_PKCS11H_THREADING
* is set on configuration file, by use of pthread_atfork.
*/
CK_RV
pkcs11h_forkFixup ();
/*
* pkcs11h_plugAndPlay - Handle slot rescan.
*
* This function must be called from the main thread.
*
* PKCS#11 providers do not allow plug&play, plug&play can be established by
* finalizing all providers and initializing them again.
*
* The cost of this process is invalidating all sessions, and require user
* login at the next access.
*/
CK_RV
pkcs11h_plugAndPlay ();
/*
* pkcs11h_freeTokenId - Free token_id object.
*/
CK_RV
pkcs11h_freeTokenId (
IN pkcs11h_token_id_t certificate_id
);
/*
* pkcs11h_duplicateTokenId - Duplicate token_id object.
*/
CK_RV
pkcs11h_duplicateTokenId (
OUT pkcs11h_token_id_t * const to,
IN const pkcs11h_token_id_t from
);
/*
* pkcs11h_sameTokenId - Returns TRUE if same token id
*/
PKCS11H_BOOL
pkcs11h_sameTokenId (
IN const pkcs11h_token_id_t a,
IN const pkcs11h_token_id_t b
);
#if defined(ENABLE_PKCS11H_TOKEN)
/*
* pkcs11h_token_ensureAccess - Ensure token is accessible.
*
* Parameters:
* token_id - Token id object.
* maskPrompt - Allow prompt.
*/
CK_RV
pkcs11h_token_ensureAccess (
IN const pkcs11h_token_id_t token_id,
IN const unsigned maskPrompt
);
#endif /* ENABLE_PKCS11H_TOKEN */
#if defined(ENABLE_PKCS11H_DATA)
CK_RV
pkcs11h_data_get (
IN const pkcs11h_token_id_t token_id,
IN const PKCS11H_BOOL fPublic,
IN const char * const szApplication,
IN const char * const szLabel,
OUT char * const blob,
IN OUT size_t * const p_blob_size
);
CK_RV
pkcs11h_data_put (
IN const pkcs11h_token_id_t token_id,
IN const PKCS11H_BOOL fPublic,
IN const char * const szApplication,
IN const char * const szLabel,
OUT char * const blob,
IN const size_t blob_size
);
CK_RV
pkcs11h_data_del (
IN const pkcs11h_token_id_t token_id,
IN const PKCS11H_BOOL fPublic,
IN const char * const szApplication,
IN const char * const szLabel
);
#endif /* ENABLE_PKCS11H_DATA */
#if defined(ENABLE_PKCS11H_CERTIFICATE)
/*======================================================================*
* CERTIFICATE INTERFACE
*======================================================================*/
/*
* pkcs11h_freeCertificateId - Free certificate_id object.
*/
CK_RV
pkcs11h_freeCertificateId (
IN pkcs11h_certificate_id_t certificate_id
);
/*
* pkcs11h_duplicateCertificateId - Duplicate certificate_id object.
*/
CK_RV
pkcs11h_duplicateCertificateId (
OUT pkcs11h_certificate_id_t * const to,
IN const pkcs11h_certificate_id_t from
);
/*
* pkcs11h_freeCertificate - Free certificate object.
*/
CK_RV
pkcs11h_freeCertificate (
IN pkcs11h_certificate_t certificate
);
/*
* pkcs11h_certificate_create - Create a certificate object out of certificate_id.
*
* Parameters:
* certificate_id - Certificate id object to be based on.
* nPINCachePeriod - Session specific cache period.
* p_certificate - Receives certificate object.
*
* The certificate id object may not specify the full certificate.
* The certificate object must be freed by caller.
*/
CK_RV
pkcs11h_certificate_create (
IN const pkcs11h_certificate_id_t certificate_id,
IN const int nPINCachePeriod,
OUT pkcs11h_certificate_t * const p_certificate
);
/*
* pkcs11h_certificate_getCertificateId - Get certifiate id object out of a certifiate
*
* Parameters:
* certificate - Certificate object.
* p_certificate_id - Certificate id object pointer.
*
* The certificate id must be freed by caller.
*/
CK_RV
pkcs11h_certificate_getCertificateId (
IN const pkcs11h_certificate_t certificate,
OUT pkcs11h_certificate_id_t * const p_certificate_id
);
/*
* pkcs11h_certificate_getCertificateBlob - Get the certificate blob out of the certificate object.
*
* ParametersL
* certificate - Certificate object.
* certificate_blob - Buffer.
* certificate_blob_size - Buffer size.
*
* Buffer may be NULL in order to get size.
*/
CK_RV
pkcs11h_certificate_getCertificateBlob (
IN const pkcs11h_certificate_t certificate,
OUT unsigned char * const certificate_blob,
IN OUT size_t * const p_certificate_blob_size
);
/*
* pkcs11h_certificate_ensureCertificateAccess - Ensure certificate is accessible.
*
* Parameters:
* certificate - Certificate object.
* maskPrompt - Allow prompt.
*/
CK_RV
pkcs11h_certificate_ensureCertificateAccess (
IN const pkcs11h_certificate_t certificate,
IN const unsigned maskPrompt
);
/*
* pkcs11h_certificate_ensureKeyAccess - Ensure key is accessible.
*
* Parameters:
* certificate - Certificate object.
* maskPrompt - Allow prompt.
*/
CK_RV
pkcs11h_certificate_ensureKeyAccess (
IN const pkcs11h_certificate_t certificate,
IN const unsigned maskPrompt
);
/*
* pkcs11h_certificate_sign - Sign data.
*
* Parameters:
* certificate - Certificate object.
* mech_type - PKCS#11 mechanism.
* source - Buffer to sign.
* source_size - Buffer size.
* target - Target buffer, can be NULL to get size.
* target_size - Target buffer size.
*/
CK_RV
pkcs11h_certificate_sign (
IN const pkcs11h_certificate_t certificate,
IN const CK_MECHANISM_TYPE mech_type,
IN const unsigned char * const source,
IN const size_t source_size,
OUT unsigned char * const target,
IN OUT size_t * const p_target_size
);
/*
* pkcs11h_certificate_signRecover - Sign data.
*
* Parameters:
* certificate - Certificate object.
* mech_type - PKCS#11 mechanism.
* source - Buffer to sign.
* source_size - Buffer size.
* target - Target buffer, can be NULL to get size.
* target_size - Target buffer size.
*/
CK_RV
pkcs11h_certificate_signRecover (
IN const pkcs11h_certificate_t certificate,
IN const CK_MECHANISM_TYPE mech_type,
IN const unsigned char * const source,
IN const size_t source_size,
OUT unsigned char * const target,
IN OUT size_t * const p_target_size
);
/*
* pkcs11h_certificate_signAny - Sign data mechanism determined by key attributes.
*
* Parameters:
* certificate - Certificate object.
* mech_type - PKCS#11 mechanism.
* source - Buffer to sign.
* source_size - Buffer size.
* target - Target buffer, can be NULL to get size.
* target_size - Target buffer size.
*/
CK_RV
pkcs11h_certificate_signAny (
IN const pkcs11h_certificate_t certificate,
IN const CK_MECHANISM_TYPE mech_type,
IN const unsigned char * const source,
IN const size_t source_size,
OUT unsigned char * const target,
IN OUT size_t * const p_target_size
);
/*
* pkcs11h_certificate_decrypt - Decrypt data.
*
* Parameters:
* certificate - Certificate object.
* mech_type - PKCS#11 mechanism.
* source - Buffer to sign.
* source_size - Buffer size.
* target - Target buffer, can be NULL to get size.
* target_size - Target buffer size.
*/
CK_RV
pkcs11h_certificate_decrypt (
IN const pkcs11h_certificate_t certificate,
IN const CK_MECHANISM_TYPE mech_type,
IN const unsigned char * const source,
IN const size_t source_size,
OUT unsigned char * const target,
IN OUT size_t * const p_target_size
);
#endif /* ENABLE_PKCS11H_CERTIFICATE */
#if defined(ENABLE_PKCS11H_LOCATE)
/*======================================================================*
* LOCATE INTERFACE
*======================================================================*/
#if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE)
/*
* pkcs11h_locate_token - Locate token based on atributes.
*
* Parameters:
* szSlotType - How to locate slot.
* szSlot - Slot name.
* p_token_id - Token object.
*
* Slot:
* id - Slot number.
* name - Slot name.
* label - Available token label.
*
* Caller must free token id.
*/
CK_RV
pkcs11h_locate_token (
IN const char * const szSlotType,
IN const char * const szSlot,
OUT pkcs11h_token_id_t * const p_token_id
);
#endif /* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */
#if defined(ENABLE_PKCS11H_CERTIFICATE)
/*
* pkcs11h_locate_certificate - Locate certificate based on atributes.
*
* Parameters:
* szSlotType - How to locate slot.
* szSlot - Slot name.
* szIdType - How to locate object.
* szId - Object name.
* p_certificate_id - Certificate object.
*
* Slot:
* Same as pkcs11h_locate_token.
*
* Object:
* id - Certificate CKA_ID (hex string) (Fastest).
* label - Certificate CKA_LABEL (string).
* subject - Certificate subject (OpenSSL DN).
*
* Caller must free certificate id.
*/
CK_RV
pkcs11h_locate_certificate (
IN const char * const szSlotType,
IN const char * const szSlot,
IN const char * const szIdType,
IN const char * const szId,
OUT pkcs11h_certificate_id_t * const p_certificate_id
);
#endif /* ENABLE_PKCS11H_CERTIFICATE */
#endif /* ENABLE_PKCS11H_LOCATE */
#if defined(ENABLE_PKCS11H_ENUM)
/*======================================================================*
* ENUM INTERFACE
*======================================================================*/
#if defined(ENABLE_PKCS11H_TOKEN)
/*
* pkcs11h_freeCertificateIdList - Free certificate_id list.
*/
CK_RV
pkcs11h_freeTokenIdList (
IN const pkcs11h_token_id_list_t token_id_list
);
/*
* pkcs11h_enum_getTokenIds - Enumerate available tokens
*
* Parameters:
* p_token_id_list - A list of token ids.
*
* Caller must free the list.
*/
CK_RV
pkcs11h_enum_getTokenIds (
IN const int method,
OUT pkcs11h_token_id_list_t * const p_token_id_list
);
#endif /* ENABLE_PKCS11H_TOKEN */
#if defined(ENABLE_PKCS11H_DATA)
CK_RV
pkcs11h_freeDataIdList (
IN const pkcs11h_data_id_list_t data_id_list
);
CK_RV
pkcs11h_enumDataObjects (
IN const pkcs11h_token_id_t token_id,
IN const PKCS11H_BOOL fPublic,
OUT pkcs11h_data_id_list_t * const p_data_id_list
);
#endif /* ENABLE_PKCS11H_DATA */
#if defined(ENABLE_PKCS11H_CERTIFICATE)
/*
* pkcs11h_freeCertificateIdList - Free certificate_id list.
*/
CK_RV
pkcs11h_freeCertificateIdList (
IN const pkcs11h_certificate_id_list_t cert_id_list
);
/*
* pkcs11h_enum_getTokenCertificateIds - Enumerate available certificates on specific token
*
* Parameters:
* token_id - Token id to enum.
* method - How to fetch certificates.
* p_cert_id_issuers_list - Receives issues list, can be NULL.
* p_cert_id_end_list - Receives end certificates list.
*
* This function will likely take long time.
*
* Method can be one of the following:
* PKCS11H_ENUM_METHOD_CACHE
* Return available certificates, even if token was once detected and
* was removed.
* PKCS11H_ENUM_METHOD_CACHE_EXIST
* Return available certificates for available tokens only, don't
* read the contents of the token if already read, even if this token
* removed and inserted.
* PKCS11H_ENUM_METHOD_RELOAD
* Clear all caches and then enum.
*
* Caller must free the lists.
*/
CK_RV
pkcs11h_enum_getTokenCertificateIds (
IN const pkcs11h_token_id_t token_id,
IN const int method,
OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
);
/*
* pkcs11h_enum_getCertificateIds - Enumerate available certificates.
*
* Parameters:
* method - How to fetch certificates.
* p_cert_id_issuers_list - Receives issues list, can be NULL.
* p_cert_id_end_list - Receives end certificates list.
*
* This function will likely take long time.
*
* Method can be one of the following:
* PKCS11H_ENUM_METHOD_CACHE
* Return available certificates, even if token was once detected and
* was removed.
* PKCS11H_ENUM_METHOD_CACHE_EXIST
* Return available certificates for available tokens only, don't
* read the contents of the token if already read, even if this token
* removed and inserted.
* PKCS11H_ENUM_METHOD_RELOAD
* Clear all caches and then enum.
*
* Caller must free lists.
*/
CK_RV
pkcs11h_enum_getCertificateIds (
IN const int method,
OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
);
#endif /* ENABLE_PKCS11H_CERTIFICATE */
#endif /* ENABLE_PKCS11H_ENUM */
#if defined(ENABLE_PKCS11H_OPENSSL)
/*======================================================================*
* OPENSSL INTERFACE
*======================================================================*/
/*
* pkcs11h_openssl_createSession - Create OpenSSL session based on a certificate object.
*
* Parameters:
* certificate - Certificate object.
*
* The certificate object will be freed by the OpenSSL interface on session end.
*/
pkcs11h_openssl_session_t
pkcs11h_openssl_createSession (
IN const pkcs11h_certificate_t certificate
);
/*
* pkcs11h_openssl_freeSession - Free OpenSSL session.
*
* Parameters:
* openssl_session - Session to free.
*
* The openssl_session object has a reference count just like other OpenSSL objects.
*/
void
pkcs11h_openssl_freeSession (
IN const pkcs11h_openssl_session_t openssl_session
);
/*
* pkcs11h_openssl_getRSA - Returns an RSA object out of the openssl_session object.
*
* Parameters:
* openssl_session - Session.
*/
RSA *
pkcs11h_openssl_getRSA (
IN const pkcs11h_openssl_session_t openssl_session
);
/*
* pkcs11h_openssl_getX509 - Returns an X509 object out of the openssl_session object.
*
* Parameters:
* openssl_session - Session.
*/
X509 *
pkcs11h_openssl_getX509 (
IN const pkcs11h_openssl_session_t openssl_session
);
#endif /* ENABLE_PKCS11H_OPENSSL */
#if defined(ENABLE_PKCS11H_STANDALONE)
/*======================================================================*
* STANDALONE INTERFACE
*======================================================================*/
void
pkcs11h_standalone_dump_slots (
IN const pkcs11h_output_print_t my_output,
IN const void *pData,
IN const char * const provider
);
void
pkcs11h_standalone_dump_objects (
IN const pkcs11h_output_print_t my_output,
IN const void *pData,
IN const char * const provider,
IN const char * const slot,
IN const char * const pin
);
#endif /* ENABLE_PKCS11H_STANDALONE */
#ifdef __cplusplus
}
#endif
#endif /* __PKCS11H_HELPER_H */
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
