[pkg-opensc-commit] [libp11] 200/239: reload the key object on fork
Eric Dorland
eric at moszumanska.debian.org
Sat Oct 17 06:21:33 UTC 2015
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository libp11.
commit fc86004ff7026bee05cdec95336b82f5eb762adc
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Fri Jul 17 09:33:03 2015 +0200
reload the key object on fork
---
src/libp11-int.h | 14 ++++++++++++++
src/libp11.h | 4 ++--
src/p11_key.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
src/p11_ops.c | 14 +++++++-------
4 files changed, 70 insertions(+), 10 deletions(-)
diff --git a/src/libp11-int.h b/src/libp11-int.h
index f2af5e3..0eacdb2 100644
--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -121,6 +121,17 @@ typedef struct pkcs11_slot_private {
UNLOCK(__spriv); \
}
+#define CHECK_KEY_FORK(key) { \
+ PKCS11_KEY_private *__priv = PRIVKEY(key); \
+ PKCS11_SLOT *__slot = TOKEN2SLOT(__priv->parent); \
+ PKCS11_SLOT_private *__spriv = PRIVSLOT(__slot); \
+ CHECK_SLOT_FORK(__slot); \
+ if (__spriv->forkid != __priv->forkid) { \
+ pkcs11_reload_keys(key); \
+ __priv->forkid = __spriv->forkid; \
+ } \
+ }
+
typedef struct pkcs11_token_private {
PKCS11_SLOT *parent;
int nkeys, nprkeys;
@@ -144,6 +155,7 @@ typedef struct pkcs11_key_private {
unsigned char id[255];
size_t id_len;
PKCS11_KEY_ops *ops;
+ unsigned int forkid;
} PKCS11_KEY_private;
#define PRIVKEY(key) ((PKCS11_KEY_private *) key->_private)
#define KEY2SLOT(key) TOKEN2SLOT(KEY2TOKEN(key))
@@ -203,6 +215,8 @@ extern int pkcs11_getattr_var(PKCS11_TOKEN *, CK_OBJECT_HANDLE,
extern int pkcs11_getattr_bn(PKCS11_TOKEN *, CK_OBJECT_HANDLE,
unsigned int, BIGNUM **);
+extern int pkcs11_reload_keys(PKCS11_KEY * keyin);
+
#define key_getattr(key, t, p, s) \
pkcs11_getattr(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (p), (s))
diff --git a/src/libp11.h b/src/libp11.h
index dfd278d..7664ace 100644
--- a/src/libp11.h
+++ b/src/libp11.h
@@ -366,9 +366,9 @@ extern int PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509,
/* rsa private key operations */
extern int PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, const PKCS11_KEY * key);
+ unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);
extern int PKCS11_private_encrypt(int flen, const unsigned char *from,
- unsigned char *to, const PKCS11_KEY * rsa, int padding);
+ unsigned char *to, PKCS11_KEY * rsa, int padding);
/**
* Decrypts data using the private key
*
diff --git a/src/p11_key.c b/src/p11_key.c
index d93ccfa..e7694d2 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -110,7 +110,7 @@ PKCS11_KEY *PKCS11_find_key_from_key(PKCS11_KEY * keyin)
if (count < 2) /* must be at least two key to have a match */
return NULL;
for (n = 0; n < count; n++, key++) {
- kpriv = PRIVKEY(key);
+ kpriv = PRIVKEY(key);
if (keyin->isPrivate != key->isPrivate
&& kinpriv->id_len == kpriv->id_len
&& !memcmp(kinpriv->id, kpriv->id, kinpriv->id_len))
@@ -118,6 +118,51 @@ PKCS11_KEY *PKCS11_find_key_from_key(PKCS11_KEY * keyin)
}
return NULL;
}
+
+/* Reopens the object associated with the key
+ */
+int pkcs11_reload_keys(PKCS11_KEY * keyin)
+{
+ PKCS11_TOKEN_private *tpriv;
+ PKCS11_KEY_private *kinpriv;
+ PKCS11_KEY *key;
+ unsigned int n;
+ long int count;
+ CK_OBJECT_CLASS kclass = CKO_PRIVATE_KEY;;
+ CK_ATTRIBUTE attrs[2];
+ int rv;
+ PKCS11_CTX *ctx;
+ PKCS11_SLOT *slot;
+
+ kinpriv = PRIVKEY(keyin);
+ tpriv = PRIVTOKEN(KEY2TOKEN(keyin));
+ ctx = TOKEN2CTX(KEY2TOKEN(keyin));
+ slot = TOKEN2SLOT(KEY2TOKEN(keyin));
+
+ /* We want to use all the keys, the above only returns count for private */
+ count = tpriv->nkeys;
+
+ for (n = 0; n < count; n++, key++) {
+ attrs[0].type = CKA_CLASS;
+ attrs[0].pValue = &kclass;
+ attrs[0].ulValueLen = sizeof(kclass);
+ attrs[1].type = CKA_ID;
+ attrs[1].pValue = kinpriv->id;
+ attrs[1].ulValueLen = kinpriv->id_len;
+
+ rv = CRYPTOKI_call(ctx, C_FindObjectsInit(PRIVSLOT(slot)->session, attrs, 2));
+ CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_KEYS, rv);
+
+ rv = CRYPTOKI_call(ctx, C_FindObjects(PRIVSLOT(slot)->session, &kinpriv->object, 1, &count));
+ CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_KEYS, rv);
+
+ CRYPTOKI_call(ctx, C_FindObjectsFinal(PRIVSLOT(slot)->session));
+
+ kinpriv->forkid = _P11_get_forkid();
+ }
+ return 0;
+}
+
/*
* Store a private key on the token
*/
@@ -331,6 +376,7 @@ static int pkcs11_init_key(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
if (pkcs11_getattr_var(token, obj, CKA_ID, kpriv->id, &kpriv->id_len))
kpriv->id_len = 0;
kpriv->ops = ops;
+ kpriv->forkid = _P11_get_forkid();
if (ret)
*ret = key;
diff --git a/src/p11_ops.c b/src/p11_ops.c
index ef92ed4..e13eedd 100644
--- a/src/p11_ops.c
+++ b/src/p11_ops.c
@@ -26,7 +26,7 @@
int
PKCS11_ecdsa_sign(const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, const PKCS11_KEY * key)
+ unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key)
{
/* signature size is the issue, will assume caller has a big buffer ! */
/* No padding or other stuff needed, we can cal PKCS11 from here */
@@ -42,7 +42,7 @@ PKCS11_ecdsa_sign(const unsigned char *m, unsigned int m_len,
priv = PRIVKEY(key);
slot = TOKEN2SLOT(priv->parent);
- CHECK_SLOT_FORK(slot);
+ CHECK_KEY_FORK(key);
session = PRIVSLOT(slot)->session;
@@ -70,7 +70,7 @@ PKCS11_ecdsa_sign(const unsigned char *m, unsigned int m_len,
/* Following used for RSA */
int
PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, const PKCS11_KEY * key)
+ unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key)
{
int rv, ssl = ((type == NID_md5_sha1) ? 1 : 0);
unsigned char *encoded = NULL;
@@ -84,7 +84,7 @@ PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
priv = PRIVKEY(key);
slot = TOKEN2SLOT(priv->parent);
- CHECK_SLOT_FORK(slot);
+ CHECK_KEY_FORK(key);
sigsize = PKCS11_get_key_size(key);
@@ -134,7 +134,7 @@ PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
int
PKCS11_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
- const PKCS11_KEY * key, int padding)
+ PKCS11_KEY * key, int padding)
{
PKCS11_KEY_private *priv;
PKCS11_SLOT *slot;
@@ -157,7 +157,7 @@ PKCS11_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
priv = PRIVKEY(key);
slot = TOKEN2SLOT(priv->parent);
- CHECK_SLOT_FORK(slot);
+ CHECK_KEY_FORK(key);
session = PRIVSLOT(slot)->session;
@@ -216,7 +216,7 @@ PKCS11_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
ctx = KEY2CTX(key);
priv = PRIVKEY(key);
slot = TOKEN2SLOT(priv->parent);
- CHECK_SLOT_FORK(slot);
+ CHECK_KEY_FORK(key);
session = PRIVSLOT(slot)->session;
memset(&mechanism, 0, sizeof(mechanism));
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git
More information about the pkg-opensc-commit
mailing list