增加获取HSM私钥句柄

安装包增加libcertex库
增加HSM配置文件rcsp.con

program/include/cert_conf.h

@@ -86,6 +86,9 @@ struct cert_store_policy{
     uint16_t store_port;
     char store_ip[46];
 
+    char password[128];
+    char label[128];
+
     char ca_path[128];
     char uninsec_path[128];
 };

program/src/cert_session.cpp

@@ -785,6 +785,7 @@ int pkcs11_signature_algotonid(unsigned long algo)
     	case CKM_SHA1_RSA_PKCS:
 			return NID_sha1WithRSAEncryption;
 		case CKM_RSA_PKCS:
+		case CKM_CERTEX_GOSTR3410_2001:
     	case CKM_SHA256_RSA_PKCS:
 			return NID_sha256WithRSAEncryption;
 		default:
@@ -792,40 +793,85 @@ int pkcs11_signature_algotonid(unsigned long algo)
     }
 	return 0;
 }
-
-int X509_pkcs11_sign(X509* x509, unsigned long pkcs11_signing_algo, CK_SESSION_HANDLE pkcs11_session)
+int x509_find_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hObject)
 {
-	int rv =0;
-	CK_OBJECT_HANDLE pkcs11_key_handle = 0;
+	int xret=0;
+	CK_ULONG objcount;
+	CK_OBJECT_CLASS sec_class =  CKO_PRIVATE_KEY;
+	CK_BBOOL xtrue = 1;
 
-    // set signature algorithm in the certificate
+	CK_ATTRIBUTE  key_attr[] =
+	{
+		{CKA_CLASS,   &sec_class, sizeof(sec_class) },
+		{CKA_PRIVATE, &xtrue,    sizeof (xtrue)   },
+		{CKA_LABEL,   g_certstore_policy->label, strlen((const char *)g_certstore_policy->label)}
+	};
+
+	xret = FC_FindObjectsInit( session, key_attr, sizeof(key_attr)/sizeof(CK_ATTRIBUTE) );
+	if (xret != CKR_OK)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Object failed to initialize");
+		goto finish;
+
+	}
+	xret = FC_FindObjects(session, hObject, 1,&objcount);
+	if (xret != CKR_OK || objcount == 0)
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to get private key handle");
+		goto finish;
+	}
+	return 0;
+finish:
+	*hObject = CK_INVALID_HANDLE;
+	return -1;
+}
+
+int X509_hsm_sign(X509* x509, unsigned long mech, CK_SESSION_HANDLE session)
+{
+	int xret =1;
+	CK_OBJECT_HANDLE hObject = 0;
+
+	xret = x509_find_object(session, &hObject);
+	if(xret != 0 || hObject == CK_INVALID_HANDLE)
+	{
+		return 0;
+	}
+
+	CK_MECHANISM  sign_mechanism;
+	memset (&sign_mechanism, 0, sizeof (sign_mechanism));
+	sign_mechanism.mechanism = mech;
+	xret = FC_SignInit (session, &sign_mechanism, hObject);
+	if (xret != CKR_OK )
+	{
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "There was an error initializing the sign function");
+		return 0;
+	}
+	 // set signature algorithm in the certificate
 	const X509_ALGOR *tsig_alg_org = X509_get0_tbs_sigalg(x509);
 	X509_ALGOR *tsig_alg=const_cast<X509_ALGOR *>(tsig_alg_org);
 	if (tsig_alg)
     {
-        const int signingAlgoNid = pkcs11_signature_algotonid(pkcs11_signing_algo);
+        const int signingAlgoNid = pkcs11_signature_algotonid(mech);
         X509_ALGOR_set0(tsig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
     }
-
 	const X509_ALGOR *sig_alg_org;
 	X509_get0_signature(NULL, &sig_alg_org, x509);
 	X509_ALGOR *sig_alg=const_cast<X509_ALGOR *>(sig_alg_org);
     if (sig_alg)
     {
-        const int signingAlgoNid = pkcs11_signature_algotonid(pkcs11_signing_algo);
+        const int signingAlgoNid = pkcs11_signature_algotonid(mech);
         X509_ALGOR_set0(sig_alg, OBJ_nid2obj(signingAlgoNid), V_ASN1_NULL, NULL);
     }
 
-    // DER-encode certificate
-    unsigned char *x509_der_buf;
+	// DER-encode certificate
+    unsigned char *x509_der_buf;CK_ULONG signature_size = 0;
 	const size_t x509_der_len = i2d_re_X509_tbs(x509, &x509_der_buf);
+	xret = FC_Sign (session, x509_der_buf, x509_der_len, NULL, &signature_size);
+	if (xret != CKR_OK)
+	{
+		return 0;
+	}
 
-    CK_MECHANISM mechanism = { pkcs11_signing_algo, NULL_PTR, 0 };
-    rv = funcs->C_SignInit(pkcs11_session, &mechanism, pkcs11_key_handle);
-
-    // determine signature size
-    CK_ULONG signature_size = 0;
-    rv= funcs->C_Sign(pkcs11_session, x509_der_buf, x509_der_len, NULL, &signature_size);
     // sign
 	const ASN1_BIT_STRING *psig_org;
 	X509_get0_signature(&psig_org, NULL, x509);
@@ -834,13 +880,14 @@ int X509_pkcs11_sign(X509* x509, unsigned long pkcs11_signing_algo, CK_SESSION_H
         OPENSSL_free(psig->data);
     psig->data = (unsigned char*)OPENSSL_malloc(signature_size);
     psig->length = signature_size;
-    rv = funcs->C_Sign(pkcs11_session, x509_der_buf, x509_der_len, psig->data, &signature_size);
-
+    xret = FC_Sign(session, x509_der_buf, x509_der_len, psig->data, &signature_size);
     psig->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
     psig->flags|=ASN1_STRING_FLAG_BITS_LEFT;
-    OPENSSL_free(x509_der_buf);
 
-	return rv;
+	OPENSSL_free(x509_der_buf);
+	FC_FindObjectsFinal(session);
+
+	return xret;
 }
 
 X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, int *expire_time, char *crlurl, char *public_algo, CK_SESSION_HANDLE session)
@@ -947,7 +994,7 @@ X509 *ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, char *pkey, in
 	}
 	else
 	{
-		if(!X509_pkcs11_sign(crt, CKM_RSA_PKCS, session))
+		if(!X509_hsm_sign(crt, CKM_CERTEX_GOSTR3410_2001, session))
 			goto errout;
 	}
 
@@ -1115,6 +1162,11 @@ long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
 		if (pxy_obj->stack_ca)
 			sk_X509_pop_free(pxy_obj->stack_ca, X509_free);
 
+		if(pxy_obj->session)
+		{
+			 FC_Logout(pxy_obj->session);
+			 FC_CloseSession(pxy_obj->session);
+		}
         free(pxy_obj);
         pxy_obj = NULL;
         *ad=NULL;
@@ -2256,6 +2308,7 @@ static int field_stat_init(struct cert_store_policy *certstore_policy, const cha
     return 0;
 }
 
+#if 0
 static struct pxy_profile_hsm* get_profile_by_id(int profile_id)
 {
 	struct pxy_profile_hsm* ply_profile=NULL;
@@ -2267,6 +2320,7 @@ static struct pxy_profile_hsm* get_profile_by_id(int profile_id)
 	ply_profile = (struct pxy_profile_hsm*)Maat_plugin_get_EX_data(g_certstore_policy->feather, table_id, (const char*)cfg_id_str);
 	return ply_profile;
 }
+#endif
 
 CK_SESSION_HANDLE keyring_pkcs11_login(int slot_id)
 {
@@ -2274,30 +2328,26 @@ CK_SESSION_HANDLE keyring_pkcs11_login(int slot_id)
 	CK_FLAGS flags;
 	CK_SESSION_HANDLE session=0;
 
-	struct pxy_profile_hsm* ply_profile = get_profile_by_id(0);
-	if(ply_profile == NULL || funcs->C_OpenSession==NULL)
-	{
-		goto error;
-	}
-
+	//struct pxy_profile_hsm* ply_profile = get_profile_by_id(0);
 	flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
-	ret = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &session);
-	if(ret)
+	ret = FC_OpenSession(slot_id, flags, NULL, NULL, &session);
+	if(ret != CKR_OK)
 	{
-		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "hsm_sdk open session faild, error : %d", ret);
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Hsm open session faild, error : %d", ret);
 		goto error;
 	}
-	ret = funcs->C_Login(session, CKU_USER, (CK_UTF8CHAR_PTR)ply_profile->passwd, strlen(ply_profile->passwd));
-	if(ret)
+	ret = FC_Login(session, CKU_USER, (CK_UTF8CHAR_PTR)g_certstore_policy->password, strlen(g_certstore_policy->password));
+	if(ret != CKR_OK)
 	{
-		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "hsm_sdk login faild, error : %d", ret);
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Hsm login faild, error : %d", ret);
 		goto error;
 	}
 	return session;
 error:
 	if(session)
 	{
-		funcs->C_CloseSession(session);
+		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Init FC_OpenSession faild, error : %d", ret);
+		FC_CloseSession(session);
 	}
 	return 0;
 }
@@ -2558,12 +2608,14 @@ int maat_feather_init(struct cert_store_policy *certstore_policy, const char *ma
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore register table PXY_PROFILE_KEYRING failed");
     }
 
+#if 0
 	table_id = maat_table_ex_init("PXY_PROFILE_HSM", POLICY_PROFILE_TABLE_HSM, hsm_profile_table_start_cb, hsm_profile_table_free_cb, hsm_profile_table_dup_cb);
     if(table_id<0)
     {
         mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Register table PXY_PROFILE_HSM failed");
 		return 0;
     }
+#endif
 
 	field_stat_init(certstore_policy, main_profile);
 
@@ -2583,6 +2635,8 @@ int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *m
 
 	MESA_load_profile_uint_nodef(main_profile, "certex_hsm", "enable", &(certstore_policy->enable));
 	MESA_load_profile_string_def(main_profile, "certex_hsm", "library_path", library_path, sizeof(library_path), "");
+	MESA_load_profile_string_def(main_profile, "certex_hsm", "password", g_certstore_policy->password, sizeof(g_certstore_policy->password), "987654321");
+	MESA_load_profile_string_def(main_profile, "certex_hsm", "label", g_certstore_policy->label, sizeof(g_certstore_policy->label), "TEST");
 
 	if(certstore_policy->enable == 0)
 	{
@@ -2595,17 +2649,20 @@ int pkcs11_module_init(struct cert_store_policy *certstore_policy, const char *m
 		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Load %s failed", library_path);
 		goto finish;
 	}
+#if 0
 	xret = do_user_GetFunctionList();
 	if(xret!=0 || funcs->C_Initialize==NULL)
 	{
 		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Get function list failed, errro = %d",xret);
 		goto finish;
 	}
+#endif
 	memset(&cinit_args, 0x0, sizeof(cinit_args));
 	cinit_args.flags = CKF_OS_LOCKING_OK;
-	xret = funcs->C_Initialize(&cinit_args);
+	xret = FC_Initialize(&cinit_args);
 	if(xret!=0)
 	{
+		//FreePkcsLib();
 		mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Function Initialize failed");
 	}
 finish:
@@ -2614,10 +2671,10 @@ finish:
 
 int cert_store_session_init(struct cert_store_policy *certstore_policy, const char *main_profile)
 {
-    maat_feather_init(certstore_policy, main_profile);
-
 	pkcs11_module_init(certstore_policy, main_profile);
 
+    maat_feather_init(certstore_policy, main_profile);
+
     keyring_server_init(certstore_policy);
 
     return 0;