diff --git a/program/src/cert_session.cpp b/program/src/cert_session.cpp
index 5f614cc..dfcf803 100644
--- a/program/src/cert_session.cpp
+++ b/program/src/cert_session.cpp
@@ -570,7 +570,7 @@ int ssl_x509_v3ext_add(X509V3_CTX * ctx, X509 * crt, const char *k, const char *
 {
 X509_EXTENSION * ext;
- if (!(ext = X509V3_EXT_conf(NULL, ctx, k, v)))
+ if (!(ext = X509V3_EXT_conf(NULL, ctx, (char *)k, (char *)v)))
 {
 return -1;
 }
@@ -826,17 +826,68 @@ finish: return -1; } +static int soft_find_object(CK_SESSION_HANDLE sess, CK_OBJECT_CLASS cls, CK_OBJECT_HANDLE_PTR ret) +{ + CK_ATTRIBUTE attrs[2]; + unsigned int nattrs = 0; + CK_ULONG count; + CK_RV rv; + + attrs[0].type = CKA_CLASS; + attrs[0].pValue = &cls; + attrs[0].ulValueLen = sizeof(cls); + nattrs++; + + rv = FC_FindObjectsInit(sess, attrs, nattrs); + if (rv != CKR_OK) + { + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_FindObjectsInit(%lu)\n", rv); + } + rv = FC_FindObjects(sess, ret, 1, &count); + if (rv != CKR_OK) + { + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_FindObjects(%lu)\n", rv); + } + if (count == 0) + *ret = CK_INVALID_HANDLE; + + FC_FindObjectsFinal(sess); + + return 0; +} + int X509_hsm_sign(X509* x509, unsigned long mech, CK_SESSION_HANDLE session) { int xret =1; CK_OBJECT_HANDLE hObject = 0; +#ifdef SOHT_HSM_ENABLE + mech = CKM_CERTEX_GOSTR3410_2001; + xret = soft_find_object(session, CKO_PRIVATE_KEY, &hObject); +#else xret = x509_find_object(session, &hObject); +#endif if(xret != 0 || hObject == CK_INVALID_HANDLE) { return 0; } + // set signature algorithm in the certificate + if (x509->cert_info->signature) + { + const int signingAlgoNid = pkcs11_signature_algotonid(mech); + X509_ALGOR_set0(x509->cert_info->signature, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL); + } + if (x509->sig_alg) + { + const int signingAlgoNid = pkcs11_signature_algotonid(mech); + X509_ALGOR_set0(x509->sig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL); + } + + // DER-encode certificate + unsigned char *certDerBuf = NULL; + const size_t certDerLen = ASN1_item_i2d((ASN1_VALUE*)x509->cert_info, &certDerBuf, ASN1_ITEM_rptr(X509_CINF)); + CK_MECHANISM sign_mechanism; memset (&sign_mechanism, 0, sizeof (sign_mechanism)); sign_mechanism.mechanism = mech; 
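Review bot: soft_find_object never reports failure: when FC_FindObjectsInit or FC_FindObjects returns an error it only logs and carries on, `count` is then read uninitialised (declared `CK_ULONG count;` and only written by a successful FC_FindObjects), and the function returns 0 unconditionally, so the `xret != 0` guard in X509_hsm_sign can never fire and signing proceeds with whatever handle is left in `hObject`. The search template also filters on CKA_CLASS only, so the first private key the token enumerates is used; the `label` loaded in hsm_module_init is not applied here, which matters on any token holding more than one key. Two further unchecked results in the same hunk: `ASN1_item_i2d` returns a negative int on encoding failure, which the `const size_t certDerLen` silently converts to a huge length handed to FC_Sign, and with `mech` forced to CKM_CERTEX_GOSTR3410_2001 the explicit `V_ASN1_NULL` parameter is presumably wrong for GOST signature AlgorithmIdentifiers (RFC 4491 §2.2.2 requires the parameters field to be omitted) — verify against what pkcs11_signature_algotonid maps it to. X509_hsm_sign continues past the end of this hunk.
```c
    CK_ULONG count = 0;                 /* FC_FindObjects may leave it unset on error */
    /* … unchanged: attrs[0] = CKA_CLASS template … */
    rv = FC_FindObjectsInit(sess, attrs, nattrs);
    if (rv != CKR_OK)
    {
        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_FindObjectsInit(%lu)\n", rv);
        *ret = CK_INVALID_HANDLE;
        return -1;
    }
    rv = FC_FindObjects(sess, ret, 1, &count);
    FC_FindObjectsFinal(sess);
    if (rv != CKR_OK)
    {
        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_FindObjects(%lu)\n", rv);
        *ret = CK_INVALID_HANDLE;
        return -1;
    }
    if (count == 0)
        *ret = CK_INVALID_HANDLE;
    return 0;
```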
@@ -846,48 +897,36 @@ int X509_hsm_sign(X509* x509, unsigned long mech, CK_SESSION_HANDLE session) mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "There was an error initializing the sign function"); return 0; } - // set signature algorithm in the certificate - const X509_ALGOR *tsig_alg_org = X509_get0_tbs_sigalg(x509); - X509_ALGOR *tsig_alg=const_cast(tsig_alg_org); - if (tsig_alg) - { - const int signingAlgoNid = pkcs11_signature_algotonid(mech); - X509_ALGOR_set0(tsig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL); - } - const X509_ALGOR *sig_alg_org; - X509_get0_signature(NULL, &sig_alg_org, x509); - X509_ALGOR *sig_alg=const_cast(sig_alg_org); - if (sig_alg) - { - const int signingAlgoNid = pkcs11_signature_algotonid(mech); - X509_ALGOR_set0(sig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL); - } - // DER-encode certificate - unsigned char *x509_der_buf;CK_ULONG signature_size = 0; - const size_t x509_der_len = i2d_re_X509_tbs(x509, &x509_der_buf); - xret = FC_Sign (session, x509_der_buf, x509_der_len, NULL, &signature_size); + // determine signature size + CK_ULONG signatureSize = 0; + xret = FC_Sign(session, certDerBuf, certDerLen, NULL, &signatureSize); if (xret != CKR_OK) { + OPENSSL_free(certDerBuf); + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "The length of the certificate failed"); return 0; } // sign - const ASN1_BIT_STRING *psig_org; - X509_get0_signature(&psig_org, NULL, x509); - ASN1_BIT_STRING *psig=const_cast(psig_org); - if (psig->data) - OPENSSL_free(psig->data); - psig->data = (unsigned char*)OPENSSL_malloc(signature_size); - psig->length = signature_size; - xret = FC_Sign(session, x509_der_buf, x509_der_len, psig->data, &signature_size); - psig->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); - psig->flags|=ASN1_STRING_FLAG_BITS_LEFT; + if (x509->signature->data) + OPENSSL_free(x509->signature->data); + x509->signature->data = (unsigned char*)OPENSSL_malloc(signatureSize); + x509->signature->length = signatureSize; + xret = 
FC_Sign(session, certDerBuf, certDerLen, x509->signature->data, &signatureSize); + if (xret != CKR_OK) + { + OPENSSL_free(certDerBuf); + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "HSM failed to issue the certificate"); + return 0; + } - OPENSSL_free(x509_der_buf); - FC_FindObjectsFinal(session); + x509->signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); + x509->signature->flags|=ASN1_STRING_FLAG_BITS_LEFT; - return xret; + OPENSSL_free(certDerBuf); + + return 1; } X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo, CK_SESSION_HANDLE session) @@ -981,14 +1020,13 @@ X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, in #ifdef DEBUG_CERTIFICATE ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL); #endif /* DEBUG_CERTIFICATE */ - - if (ssl_x509_set_md(md, cakey, origcrt)==NULL) - { - goto errout; - } - if(session==0) { + if (ssl_x509_set_md(md, cakey, origcrt)==NULL) + { + goto errout; + } + if (!X509_sign(crt, cakey, md)) goto errout; } @@ -1001,7 +1039,8 @@ X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, in return crt; errout: X509_free(crt); - EVP_PKEY_free(key); + if(key) + EVP_PKEY_free(key); err: return NULL; } @@ -1303,8 +1342,8 @@ static int x509_online_append(struct x509_object_ctx *def, struct tfe_http_reque cakey = (is_valid == 1) ? def->key : def->insec_key; expire_time = g_certstore_policy->expire_after; mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Warning: HSM is not connected, use local keypair, sign cert!!!"); + goto modify; } - goto modify; } if (!STRCMP(pxy_obj->keyring_type, "end-entity")) { 
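Review bot: `x509->signature->length = signatureSize;` is assigned before the second FC_Sign, but in PKCS#11 the NULL-buffer call only returns an upper bound and the real byte count is written back into `signatureSize` by the call that produces the signature, so for any mechanism whose output is shorter than the bound the certificate's BIT STRING will carry trailing bytes of uninitialised heap from `OPENSSL_malloc(signatureSize)` — an invalid signature and a small heap-content leak into a certificate that is handed to peers. Move the assignment after the success check: `x509->signature->length = signatureSize;` following the `if (xret != CKR_OK)` block. The `OPENSSL_malloc` result is also never checked before being passed to FC_Sign. The removed `FC_FindObjectsFinal(session)` is now done inside soft_find_object only on the SOHT_HSM_ENABLE path; confirm x509_find_object finalises its own search, otherwise the non-SOHT build leaks an active find operation on the session. X509_hsm_sign's body begins in the previous hunk.
```c
    x509->signature->data = (unsigned char*)OPENSSL_malloc(signatureSize);
    if (x509->signature->data == NULL)
    {
        OPENSSL_free(certDerBuf);
        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "OPENSSL_malloc failed for signature");
        return 0;
    }
    xret = FC_Sign(session, certDerBuf, certDerLen, x509->signature->data, &signatureSize);
    /* … unchanged: CKR_OK check, free certDerBuf, return 0 on failure … */
    x509->signature->length = signatureSize;   /* actual length, after the real sign call */
```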
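Review bot: Moving `goto modify;` inside the "HSM is not connected" branch leaves the local-keypair fallback as the path this block takes into `modify` when the HSM is down, and that fallback picks `def->insec_key` whenever `is_valid != 1` with nothing but a log line marking the event. Failing open from an HSM-held key to a local one is a policy decision and should be gated, e.g. `if (!g_certstore_policy->allow_local_fallback) return -1;` before the key selection, or at least rejected for the `insec_key` case. The effect on the other exit of the outer `if` cannot be judged here because x509_online_append starts and ends outside the hunk.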
@@ -2308,26 +2347,57 @@ static int field_stat_init(struct cert_store_policy *certstore_policy, const cha return 0; } -#if 0 -static struct pxy_profile_hsm* get_profile_by_id(int profile_id) +static int gert_present_slot(int tokens) { - struct pxy_profile_hsm* ply_profile=NULL; + CK_RV xret; + CK_ULONG p11_num_slots = 0; + CK_SLOT_ID_PTR p11_slots = NULL; + CK_SLOT_ID opt_slot = 0; - char cfg_id_str[16] = {0}; - snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", profile_id); - int table_id = g_certstore_policy->plolicy_table_id[POLICY_PROFILE_TABLE_HSM]; + xret = FC_GetSlotList(tokens, NULL, &p11_num_slots); + if (xret != CKR_OK) + { + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_GetSlotList(%lu)", xret); + } + free(p11_slots); + p11_slots = (CK_SLOT_ID_PTR )calloc(p11_num_slots, sizeof(CK_SLOT_ID)); + if (p11_slots == NULL) + { + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "calloc failed"); + exit(1); + } - ply_profile = (struct pxy_profile_hsm*)Maat_plugin_get_EX_data(g_certstore_policy->feather, table_id, (const char*)cfg_id_str); - return ply_profile; + xret = FC_GetSlotList(tokens, p11_slots, &p11_num_slots); + if (xret != CKR_OK) + { + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_GetSlotList(%lu)", xret); + } + unsigned int i; + for (i = 0; i < p11_num_slots; i++) { + CK_SLOT_INFO info; + xret = FC_GetSlotInfo(p11_slots[i], &info); + if (xret != CKR_OK) + { + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_GetSlotInfo(%lu)", xret); + } + if (info.flags & CKF_TOKEN_PRESENT) { + opt_slot = p11_slots[i]; + mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Using slot %u with a present token (0x%lx)\n", i, opt_slot); + break; + } + } + return opt_slot; } -#endif -CK_SESSION_HANDLE keyring_pkcs11_login(int slot_id) +CK_SESSION_HANDLE keyring_hsm_login(int slot_id) { int ret=0; CK_FLAGS flags; CK_SESSION_HANDLE session=0; +#ifdef SOHT_HSM_ENABLE + slot_id = gert_present_slot(0); +#endif //struct pxy_profile_hsm* ply_profile = get_profile_by_id(0); flags = 
CKF_SERIAL_SESSION | CKF_RW_SESSION; ret = FC_OpenSession(slot_id, flags, NULL, NULL, &session); @@ -2381,7 +2451,8 @@ void keyring_table_new_cb(int table_id, const char* key, const char* table_line, pxy_obj->op_time = time(NULL); /*Load PUBLICKEY***/ - if ((pxy_obj->issuer = x509_get_root_ca(public_file, include_root, pxy_obj->keyring_type, &pxy_obj->stack_ca)) == NULL ){ + if ((pxy_obj->issuer = x509_get_root_ca(public_file, include_root, pxy_obj->keyring_type, &pxy_obj->stack_ca)) == NULL ) + { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 publickey failed, the keyring id is %d", pxy_obj->keyring_id); goto finish; @@ -2398,7 +2469,7 @@ void keyring_table_new_cb(int table_id, const char* key, const char* table_line, } else { - pxy_obj->session = keyring_pkcs11_login(slot_id); + pxy_obj->session = keyring_hsm_login(slot_id); } mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d", 
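Review bot: gert_present_slot reads `info.flags` even when FC_GetSlotInfo failed (the error is logged and `info` stays uninitialised), returns 0 when no slot has a token, and never frees `p11_slots` after the loop (the `free(p11_slots)` before `calloc` frees NULL), so every keyring_hsm_login call leaks the slot array. Under SOHT_HSM_ENABLE the result overwrites the configured `slot_id` unconditionally, so a missing token turns into FC_OpenSession on slot 0 and, on a host with several tokens, the first present one wins regardless of configuration; consider passing CK_TRUE as `tokenPresent` and returning -1 when nothing is found so keyring_hsm_login can bail out. `exit(1)` on calloc failure inside a login routine also takes the whole proxy down. keyring_hsm_login continues past the end of this hunk, so the caller-side check is not visible here.
```c
    int found = 0;
    /* … unchanged: FC_GetSlotList size query and calloc … */
    for (i = 0; i < p11_num_slots; i++) {
        CK_SLOT_INFO info;
        xret = FC_GetSlotInfo(p11_slots[i], &info);
        if (xret != CKR_OK)
        {
            mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "C_GetSlotInfo(%lu)", xret);
            continue;   /* info is not valid on failure */
        }
        if (info.flags & CKF_TOKEN_PRESENT) {
            opt_slot = p11_slots[i];
            found = 1;
            mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Using slot %u with a present token (0x%lx)\n", i, opt_slot);
            break;
        }
    }
    free(p11_slots);
    if (!found)
    {
        mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "no slot with a present token");
        return -1;
    }
    return (int)opt_slot;
```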
@@ -2524,73 +2595,6 @@ error_out: return NULL; } -void hsm_profile_table_start_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp) -{ - int ret=0, profile_id=0, is_valid=0; - char server_type[128]={0}; - char ip[46]={0}, passwd[128] = {0}; - char effective_range[256] = {0}; - - ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d", &profile_id, server_type, ip, passwd, effective_range, &is_valid); - if(ret!=6) - { - mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy table parse config failed: %s", table_line); - return; - } - - /*Whether to take effect**/ - - struct pxy_profile_hsm* ply_profile = (struct pxy_profile_hsm*)kmalloc(sizeof(struct pxy_profile_hsm), MPF_CLR, -1); - - ply_profile->profile_id=profile_id; - ply_profile->ref_cnt=1; - pthread_mutex_init(&(ply_profile->lock), NULL); - ply_profile->server_ip=strdup(ip); - ply_profile->passwd=strdup(passwd); - - mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Policy table add success %d", profile_id); - *ad = ply_profile; - return; -} - -void hsm_profile_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp) -{ - struct pxy_profile_hsm* ply_obj=(struct pxy_profile_hsm*)(*from); - pthread_mutex_lock(&(ply_obj->lock)); - ply_obj->ref_cnt++; - pthread_mutex_unlock(&(ply_obj->lock)); - *to=ply_obj; -} - -void hsm_profile_table_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp) -{ - if(*ad==NULL) - { - return; - } - struct pxy_profile_hsm* ply_obj=(struct pxy_profile_hsm*)(*ad); - if(ply_obj==NULL) - { - return; - } - - pthread_mutex_lock(&(ply_obj->lock)); - ply_obj->ref_cnt--; - if(ply_obj->ref_cnt>0) - { - pthread_mutex_unlock(&(ply_obj->lock)); - return; - } - pthread_mutex_unlock(&(ply_obj->lock)); - pthread_mutex_destroy(&(ply_obj->lock)); - - kfree(&ply_obj->server_ip); - kfree(&ply_obj->passwd); - kfree(&ply_obj); - *ad=NULL; - return; -} - int maat_feather_init(struct cert_store_policy 
*certstore_policy, const char *main_profile) { int table_id = 0; @@ -2608,26 +2612,12 @@ int maat_feather_init(struct cert_store_policy *certstore_policy, const char *ma mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore register table PXY_PROFILE_KEYRING failed"); } -#if 0 - table_id = maat_table_ex_init("PXY_PROFILE_HSM", POLICY_PROFILE_TABLE_HSM, hsm_profile_table_start_cb, hsm_profile_table_free_cb, hsm_profile_table_dup_cb); - if(table_id<0) - { - mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Register table PXY_PROFILE_HSM failed"); - return 0; - } -#endif - field_stat_init(certstore_policy, main_profile); return 0; } -int do_user_GetFunctionList(void) -{ - return FC_GetFunctionList(&funcs); -} - -int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *main_profile) +int hsm_module_init(struct cert_store_policy *certstore_policy, const char *main_profile) { int xret=0; char library_path[256]={0}; @@ -2635,7 +2625,7 @@ int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *m MESA_load_profile_uint_nodef(main_profile, "certex_hsm", "enable", &(certstore_policy->enable)); MESA_load_profile_string_def(main_profile, "certex_hsm", "library_path", library_path, sizeof(library_path), ""); - MESA_load_profile_string_def(main_profile, "certex_hsm", "password", g_certstore_policy->password, sizeof(g_certstore_policy->password), "987654321"); + MESA_load_profile_string_def(main_profile, "certex_hsm", "password", g_certstore_policy->password, sizeof(g_certstore_policy->password), ""); MESA_load_profile_string_def(main_profile, "certex_hsm", "label", g_certstore_policy->label, sizeof(g_certstore_policy->label), "TEST"); if(certstore_policy->enable == 0) 
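Review bot: Dropping the hard-coded default PIN "987654321" is the right call, but nothing in this hunk rejects the new empty default when `certex_hsm.enable` is set, so a profile that omits `password` presumably proceeds to C_Login with an empty PIN and fails later with a less actionable error (the login path is outside this hunk). Add a guard right after the loads: `if (certstore_policy->enable && g_certstore_policy->password[0] == '\0') { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certex_hsm.password is required"); certstore_policy->enable = 0; }`. The PIN is also held in the process-lifetime global `g_certstore_policy->password`; once the session is open it should be wiped with explicit_bzero rather than kept around. The `label` default "TEST" is a similar placeholder and, per the soft_find_object hunk, is not used to select the key at all.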
@@ -2649,20 +2639,11 @@ int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *m mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Load %s failed", library_path); goto finish; } -#if 0 - xret = do_user_GetFunctionList(); - if(xret!=0 || funcs->C_Initialize==NULL) - { - mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Get function list failed, errro = %d",xret); - goto finish; - } -#endif memset(&cinit_args, 0x0, sizeof(cinit_args)); cinit_args.flags = CKF_OS_LOCKING_OK; xret = FC_Initialize(&cinit_args); if(xret!=0) { - //FreePkcsLib(); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Function Initialize failed"); } finish: @@ -2671,7 +2652,7 @@ finish: int cert_store_session_init(struct cert_store_policy *certstore_policy, const char *main_profile) { - pkcs11_module_init(certstore_policy, main_profile); + hsm_module_init(certstore_policy, main_profile); maat_feather_init(certstore_policy, main_profile); diff --git a/vendor/CMakeLists.txt b/vendor/CMakeLists.txt index b9fd592..50a1751 100644 --- a/vendor/CMakeLists.txt +++ b/vendor/CMakeLists.txt @@ -4,8 +4,8 @@ include(ExternalProject) ### OpenSSL 1.1.1 ExternalProject_Add(OpenSSL PREFIX openssl - URL ${CMAKE_CURRENT_SOURCE_DIR}/openssl-1.1.1.tar.gz - URL_MD5 d65944e4aa4de6ad9858e02c82d85183 + URL ${CMAKE_CURRENT_SOURCE_DIR}/openssl-1.0.2k.tar.gz + URL_MD5 1867fcc743aeefb16c99d915fc7440c8 CONFIGURE_COMMAND ./Configure enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers linux-x86_64 --prefix= --openssldir=/lib/ssl enable-ec_nistp_64_gcc_128 no-shared BUILD_COMMAND ${MAKE_COMMAND} diff --git a/vendor/openssl-1.0.2k.tar.gz b/vendor/openssl-1.0.2k.tar.gz new file mode 100644 index 0000000..c05ad1a Binary files /dev/null and b/vendor/openssl-1.0.2k.tar.gz differ diff --git a/vendor/openssl-1.1.1.tar.gz b/vendor/openssl-1.1.1.tar.gz deleted file mode 100644 index ceeca12..0000000 Binary files a/vendor/openssl-1.1.1.tar.gz and /dev/null differ
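Review bot: When FC_Initialize fails the code only logs "Function Initialize failed" and falls through to `finish:` with `certstore_policy->enable` still set, so later keyring_hsm_login / FC_OpenSession calls run against an uninitialised PKCS#11 library; the removed `//FreePkcsLib()` comment suggests the loaded library is not unloaded either. Add `certstore_policy->enable = 0;` (and `goto finish;`) inside that failure branch so the module is disabled on initialisation error, and log the actual `xret` value since CKR_* codes are the only diagnostic the HSM gives. The `finish:` label and whatever runs after it are outside this hunk.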
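Review bot: Replacing OpenSSL 1.1.1 with 1.0.2k pins the build to a January 2017 release of a branch that reached end-of-life in December 2019 and has no further security fixes, while keeping `enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers` in the Configure line — for a TLS-intercepting proxy that is a large regression in exposure. If the motivation is the direct `x509->cert_info` / `x509->sig_alg` / `x509->signature` access introduced in X509_hsm_sign, the removed code already shows the 1.1.1-safe form (`i2d_re_X509_tbs`, `X509_get0_tbs_sigalg`, `X509_get0_signature`), so the downgrade appears avoidable. If 1.0.2 must stay, take at least the last release of that branch and verify the tarball with `URL_HASH SHA256=…` rather than `URL_MD5`.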