[pkg-opensc-commit] [libp11] 200/239: reload the key object on fork

Eric Dorland eric at moszumanska.debian.org
Sat Oct 17 06:21:33 UTC 2015 

This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository libp11.

commit fc86004ff7026bee05cdec95336b82f5eb762adc
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date:   Fri Jul 17 09:33:03 2015 +0200

    reload the key object on fork
---
 src/libp11-int.h | 14 ++++++++++++++
 src/libp11.h     |  4 ++--
 src/p11_key.c    | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 src/p11_ops.c    | 14 +++++++-------
 4 files changed, 70 insertions(+), 10 deletions(-)

diff --git a/src/libp11-int.h b/src/libp11-int.h
index f2af5e3..0eacdb2 100644
--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -121,6 +121,17 @@ typedef struct pkcs11_slot_private {
 	UNLOCK(__spriv); \
 	}
 
+#define CHECK_KEY_FORK(key) { \
+	PKCS11_KEY_private *__priv = PRIVKEY(key); \
+	PKCS11_SLOT *__slot = TOKEN2SLOT(__priv->parent); \
+	PKCS11_SLOT_private *__spriv = PRIVSLOT(__slot); \
+	CHECK_SLOT_FORK(__slot); \
+	if (__spriv->forkid != __priv->forkid) { \
+		pkcs11_reload_keys(key); \
+		__priv->forkid = __spriv->forkid; \
+	} \
+	}
+
 typedef struct pkcs11_token_private {
 	PKCS11_SLOT *parent;
 	int nkeys, nprkeys;
@@ -144,6 +155,7 @@ typedef struct pkcs11_key_private {
 	unsigned char id[255];
 	size_t id_len;
 	PKCS11_KEY_ops *ops;
+	unsigned int forkid;
 } PKCS11_KEY_private;
 #define PRIVKEY(key)		((PKCS11_KEY_private *) key->_private)
 #define KEY2SLOT(key)		TOKEN2SLOT(KEY2TOKEN(key))
@@ -203,6 +215,8 @@ extern int pkcs11_getattr_var(PKCS11_TOKEN *, CK_OBJECT_HANDLE,
 extern int pkcs11_getattr_bn(PKCS11_TOKEN *, CK_OBJECT_HANDLE,
 			     unsigned int, BIGNUM **);
 
+extern int pkcs11_reload_keys(PKCS11_KEY * keyin);
+
 #define key_getattr(key, t, p, s) \
 	pkcs11_getattr(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (p), (s))
 
diff --git a/src/libp11.h b/src/libp11.h
index dfd278d..7664ace 100644
--- a/src/libp11.h
+++ b/src/libp11.h
@@ -366,9 +366,9 @@ extern int PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509,
 
 /* rsa private key operations */
 extern int PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
-	unsigned char *sigret, unsigned int *siglen, const PKCS11_KEY * key);
+	unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);
 extern int PKCS11_private_encrypt(int flen, const unsigned char *from,
-	unsigned char *to, const PKCS11_KEY * rsa, int padding);
+	unsigned char *to, PKCS11_KEY * rsa, int padding);
 /**
  * Decrypts data using the private key
  * 
diff --git a/src/p11_key.c b/src/p11_key.c
index d93ccfa..e7694d2 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -110,7 +110,7 @@ PKCS11_KEY *PKCS11_find_key_from_key(PKCS11_KEY * keyin)
         if (count < 2)  /* must be at least two key to have a match */
             return NULL;
         for (n = 0; n < count; n++, key++) {
-                kpriv = PRIVKEY(key);
+            kpriv = PRIVKEY(key);
             if (keyin->isPrivate != key->isPrivate
                     && kinpriv->id_len == kpriv->id_len
                     && !memcmp(kinpriv->id, kpriv->id, kinpriv->id_len))
@@ -118,6 +118,51 @@ PKCS11_KEY *PKCS11_find_key_from_key(PKCS11_KEY * keyin)
         }
         return NULL;
 }
+
+/* Reopens the object associated with the key
+ */
+int pkcs11_reload_keys(PKCS11_KEY * keyin)
+{
+        PKCS11_TOKEN_private *tpriv;
+        PKCS11_KEY_private *kinpriv;
+        PKCS11_KEY *key;
+        unsigned int n;
+        long int count;
+        CK_OBJECT_CLASS kclass = CKO_PRIVATE_KEY;;
+        CK_ATTRIBUTE attrs[2];
+        int rv;
+	PKCS11_CTX *ctx;
+	PKCS11_SLOT *slot;
+
+        kinpriv = PRIVKEY(keyin);
+        tpriv = PRIVTOKEN(KEY2TOKEN(keyin));
+        ctx = TOKEN2CTX(KEY2TOKEN(keyin));
+        slot = TOKEN2SLOT(KEY2TOKEN(keyin));
+
+        /* We want to use all the keys, the above only returns count for private */
+        count = tpriv->nkeys;
+
+        for (n = 0; n < count; n++, key++) {
+	    attrs[0].type = CKA_CLASS;
+	    attrs[0].pValue = &kclass;
+	    attrs[0].ulValueLen = sizeof(kclass);
+	    attrs[1].type = CKA_ID;
+	    attrs[1].pValue = kinpriv->id;
+	    attrs[1].ulValueLen = kinpriv->id_len;
+
+	    rv = CRYPTOKI_call(ctx, C_FindObjectsInit(PRIVSLOT(slot)->session, attrs, 2));
+	    CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_KEYS, rv);
+
+	    rv = CRYPTOKI_call(ctx, C_FindObjects(PRIVSLOT(slot)->session, &kinpriv->object, 1, &count));
+	    CRYPTOKI_checkerr(PKCS11_F_PKCS11_ENUM_KEYS, rv);
+
+	    CRYPTOKI_call(ctx, C_FindObjectsFinal(PRIVSLOT(slot)->session));
+
+	    kinpriv->forkid = _P11_get_forkid();
+        }
+        return 0;
+}
+
 /*
  * Store a private key on the token
  */
@@ -331,6 +376,7 @@ static int pkcs11_init_key(PKCS11_CTX * ctx, PKCS11_TOKEN * token,
 	if (pkcs11_getattr_var(token, obj, CKA_ID, kpriv->id, &kpriv->id_len))
 		kpriv->id_len = 0;
 	kpriv->ops = ops;
+	kpriv->forkid = _P11_get_forkid();
 
 	if (ret)
 		*ret = key;
diff --git a/src/p11_ops.c b/src/p11_ops.c
index ef92ed4..e13eedd 100644
--- a/src/p11_ops.c
+++ b/src/p11_ops.c
@@ -26,7 +26,7 @@
 
 int
 PKCS11_ecdsa_sign(const unsigned char *m, unsigned int m_len,
-		unsigned char *sigret, unsigned int *siglen, const PKCS11_KEY * key)
+		unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key)
 {
 /* signature size is the issue, will assume caller has a big buffer ! */
 /* No padding or other stuff needed, we can cal PKCS11 from here */
@@ -42,7 +42,7 @@ PKCS11_ecdsa_sign(const unsigned char *m, unsigned int m_len,
 	priv = PRIVKEY(key);
 	slot = TOKEN2SLOT(priv->parent);
 
-	CHECK_SLOT_FORK(slot);
+	CHECK_KEY_FORK(key);
 
 	session = PRIVSLOT(slot)->session;
 
@@ -70,7 +70,7 @@ PKCS11_ecdsa_sign(const unsigned char *m, unsigned int m_len,
 /* Following used for RSA */
 int
 PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
-		unsigned char *sigret, unsigned int *siglen, const PKCS11_KEY * key)
+		unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key)
 {
 	int rv, ssl = ((type == NID_md5_sha1) ? 1 : 0);
 	unsigned char *encoded = NULL;
@@ -84,7 +84,7 @@ PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
 	priv = PRIVKEY(key);
 	slot = TOKEN2SLOT(priv->parent);
 
-	CHECK_SLOT_FORK(slot);
+	CHECK_KEY_FORK(key);
 
 	sigsize = PKCS11_get_key_size(key);
 
@@ -134,7 +134,7 @@ PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
 
 int
 PKCS11_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
-		   const PKCS11_KEY * key, int padding)
+		   PKCS11_KEY * key, int padding)
 {
 	PKCS11_KEY_private *priv;
 	PKCS11_SLOT *slot;
@@ -157,7 +157,7 @@ PKCS11_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
 	priv = PRIVKEY(key);
 	slot = TOKEN2SLOT(priv->parent);
 
-	CHECK_SLOT_FORK(slot);
+	CHECK_KEY_FORK(key);
 
 	session = PRIVSLOT(slot)->session;
 
@@ -216,7 +216,7 @@ PKCS11_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
 	ctx = KEY2CTX(key);
 	priv = PRIVKEY(key);
 	slot = TOKEN2SLOT(priv->parent);
-	CHECK_SLOT_FORK(slot);
+	CHECK_KEY_FORK(key);
 
 	session = PRIVSLOT(slot)->session;
 	memset(&mechanism, 0, sizeof(mechanism));

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git

More information about the pkg-opensc-commit mailing list