[pkg-opensc-commit] [pkcs11-helper] 205/253: PolarSSL crypto engine by Adriaan de Jong

Eric Dorland eric at moszumanska.debian.org
Fri Jan 6 23:39:20 UTC 2017


This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository pkcs11-helper.

commit 1a7935a704fb3692e6c5cf9375e84bb35b6a8fef
Author: Alon Bar-Lev <alon.barlev at gmail.com>
Date:   Mon Oct 24 14:41:39 2011 +0000

    PolarSSL crypto engine by Adriaan de Jong
---
 ChangeLog                                   |   4 +
 THANKS                                      |   3 +
 configure.ac                                |  38 ++++++
 include/pkcs11-helper-1.0/pkcs11h-core.h    |   2 +
 include/pkcs11-helper-1.0/pkcs11h-engines.h |   2 +
 lib/pkcs11h-core.c                          |   3 +
 lib/pkcs11h-crypto.c                        | 189 ++++++++++++++++++++++++++--
 7 files changed, 232 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 7884193..571eb23 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@ Copyright (c) 2005-2011 Alon Bar-Lev <alon.barlev at gmail.com>
 
 $Id$
 
+????-??-?? - Version 1.10
+
+ * PolarSSL crypto engine by Adriaan de Jong
+
 2011-08-16 - Version 1.09
 
  * Do not retry if CKR_BUFFER_TOO_SMALL and none NULL target.
diff --git a/THANKS b/THANKS
index 03fc5ef..074bb98 100644
--- a/THANKS
+++ b/THANKS
@@ -26,6 +26,9 @@ Eddy Nigg
 Sandro Wefel
  - For maintaining Debian packaging.
 
+PolarSSL crypto engine by Adriaan de Jong
+ - For PolarSSL support.
+
 Apologies to anyone I have missed.
 
 Alon Bar-Lev <alon.barlev at gmail.com>
diff --git a/configure.ac b/configure.ac
index e6047e6..bd212ec 100644
--- a/configure.ac
+++ b/configure.ac
@@ -201,6 +201,13 @@ AC_ARG_ENABLE(
 )
 
 AC_ARG_ENABLE(
+	[crypto-engine-polarssl],
+	[AS_HELP_STRING([--disable-crypto-engine-polarssl],[disable PolarSSL crypto engine])],
+	,
+	[enable_crypto_engine_polarssl="yes"]
+)
+
+AC_ARG_ENABLE(
 	[crypto-engine-win32],
 	[AS_HELP_STRING([--disable-crypto-engine-win32],[disable win32 native crypto engine on win32 systems])],
 	,
@@ -289,6 +296,22 @@ fi
 PKG_CHECK_MODULES([GNUTLS], [gnutls >= 1.4], [have_gnutls="yes"], [have_gnutls="no"])
 PKG_CHECK_MODULES([NSS], [nss >= 3.11], [have_nss="yes"], [have_nss="no"])
 
+AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for PolarSSL])
+AC_ARG_VAR([POLARSSL_LIBS], [linker flags for PolarSSL])
+if test -z "${POLARSSL_LIBS}"; then
+	AC_CHECK_LIB(
+		[polarssl],
+		[x509parse_crt],
+		[
+			POLARSSL_LIBS="-lpolarssl"
+			have_polarssl="yes"
+		],
+		[have_polarssl="no"]
+	)
+else
+	have_polarssl="yes"
+fi
+
 # Checks for header files.
 AC_HEADER_STDC
 AX_CPP_VARARG_MACRO_ISO
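Review bot: The probe only checks that `x509parse_crt` links, but `lib/pkcs11h-crypto.c` also includes `<polarssl/x509.h>` and `<polarssl/version.h>` and keys its `x509parse_verify` call on `POLARSSL_VERSION_MAJOR`, so a host with the shared library but no development headers gets `have_polarssl="yes"` and then fails at compile time. A header check after the library probe closes the gap: `AC_CHECK_HEADERS([polarssl/x509.h polarssl/version.h], [], [have_polarssl="no"])`. The user-supplied `POLARSSL_LIBS` branch skips all probing, which is the usual convention for explicit overrides, so that part is fine as written.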
@@ -388,6 +411,20 @@ else
 	AC_MSG_RESULT([no])
 fi
 
+AC_MSG_CHECKING([PolarSSL crypto engine])
+if test "${enable_crypto_engine_polarssl}" = "yes"; then
+	if test "${have_polarssl}" = "yes"; then
+		AC_MSG_RESULT([yes])
+		AC_DEFINE([ENABLE_PKCS11H_ENGINE_POLARSSL], [1], [Enable PolarSSL crypto engine])
+		CFLAGS="${CFLAGS} ${POLARSSL_CFLAGS}"
+		LIBS="${LIBS} ${POLARSSL_LIBS}"
+	else
+		AC_MSG_RESULT([no])
+	fi
+else
+	AC_MSG_RESULT([no])
+fi
+
 if test "${enable_pedantic}" = "yes"; then
 	enable_strict="yes"
 	CFLAGS="${CFLAGS} -ansi -pedantic -D__STRICT_ANSI__ -D_ISOC99_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE"
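Review bot: When the engine is requested but PolarSSL is not found, the inner `else` only prints "no" and leaves `enable_crypto_engine_polarssl` at "yes", so the later test that appends `engine_crypto` to `PKCS11H_FEATURES` still counts PolarSSL as an available engine. Setting `enable_crypto_engine_polarssl="no"` in that branch keeps the reported feature list consistent with what actually got compiled. The preceding engine check visible at the top of the hunk appears to have the same shape, so this may be a pre-existing pattern rather than something this commit introduced.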
@@ -437,6 +474,7 @@ if test \
 	"${enable_crypto_engine_openssl}" = "yes" -o \
 	"${enable_crypto_engine_gnutls}" = "yes" -o \
 	"${enable_crypto_engine_nss}" = "yes" -o \
+	"${enable_crypto_engine_polarssl}" = "yes" -o \
 	"${enable_crypto_engine_win32}" = "yes"; then
 	PKCS11H_FEATURES="${PKCS11H_FEATURES} engine_crypto"
 fi
diff --git a/include/pkcs11-helper-1.0/pkcs11h-core.h b/include/pkcs11-helper-1.0/pkcs11h-core.h
index 2988d1e..28f0f2f 100644
--- a/include/pkcs11-helper-1.0/pkcs11h-core.h
+++ b/include/pkcs11-helper-1.0/pkcs11h-core.h
@@ -104,6 +104,8 @@ extern "C" {
 #define PKCS11H_FEATURE_MASK_SLOTEVENT			(1<< 8)
 /** OpenSSL interface is enabled. */
 #define PKCS11H_FEATURE_MASK_OPENSSL			(1<< 9)
+/** Engine PolarSSL is enabled. */
+#define PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_POLARSSL	(1<< 10)
 /** @} */
 
 /**
diff --git a/include/pkcs11-helper-1.0/pkcs11h-engines.h b/include/pkcs11-helper-1.0/pkcs11h-engines.h
index 13d43bc..bd9ba66 100644
--- a/include/pkcs11-helper-1.0/pkcs11h-engines.h
+++ b/include/pkcs11-helper-1.0/pkcs11h-engines.h
@@ -208,6 +208,8 @@ typedef struct pkcs11h_crypto_engine_s {
 #define PKCS11H_ENGINE_CRYPTO_WIN32	((pkcs11h_engine_crypto_t *)3)
 /** Select NSS. */
 #define PKCS11H_ENGINE_CRYPTO_NSS	((pkcs11h_engine_crypto_t *)4)
+/** Select PolarSSL. */
+#define PKCS11H_ENGINE_CRYPTO_POLARSSL	((pkcs11h_engine_crypto_t *)5)
 /** Auto select GPL enigne. */
 #define PKCS11H_ENGINE_CRYPTO_GPL	((pkcs11h_engine_crypto_t *)10)
 /** @} */
diff --git a/lib/pkcs11h-core.c b/lib/pkcs11h-core.c
index a2e6093..b139307 100644
--- a/lib/pkcs11h-core.c
+++ b/lib/pkcs11h-core.c
@@ -243,6 +243,9 @@ pkcs11h_getFeatures (void) {
 #if defined(ENABLE_PKCS11H_ENGINE_WIN32)
 		PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_WIN32 |
 #endif
+#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
+		PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_POLARSSL |
+#endif
 #if defined(ENABLE_PKCS11H_DEBUG)
 		PKCS11H_FEATURE_MASK_DEBUG |
 #endif
diff --git a/lib/pkcs11h-crypto.c b/lib/pkcs11h-crypto.c
index 8493614..66dd223 100644
--- a/lib/pkcs11h-crypto.c
+++ b/lib/pkcs11h-crypto.c
@@ -70,6 +70,11 @@
 #include <cert.h>
 #endif
 
+#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
+#include <polarssl/x509.h>
+#include <polarssl/version.h>
+#endif
+
 #if defined(ENABLE_PKCS11H_ENGINE_WIN32)
 #include <wincrypt.h>
 #if !defined(CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT)
@@ -1112,6 +1117,169 @@ static const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_win32 = {
 
 #endif				/* ENABLE_PKCS11H_ENGINE_WIN32 */
 
+#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
+
+static
+int
+__pkcs11h_crypto_polarssl_initialize (
+	IN void * const global_data
+) {
+	(void)global_data;
+
+	return TRUE;
+}
+
+static
+int
+__pkcs11h_crypto_polarssl_uninitialize (
+	IN void * const global_data
+) {
+	(void)global_data;
+
+	return TRUE;
+}
+
+static
+int
+__pkcs11h_crypto_polarssl_certificate_get_expiration (
+	IN void * const global_data,
+	IN const unsigned char * const blob,
+	IN const size_t blob_size,
+	OUT time_t * const expiration
+) {
+	x509_cert x509;
+
+	(void)global_data;
+
+	/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+	_PKCS11H_ASSERT (blob!=NULL);
+	_PKCS11H_ASSERT (expiration!=NULL);
+
+	*expiration = (time_t)0;
+
+	memset(&x509, 0, sizeof(x509));
+	if (0 != x509parse_crt (&x509, blob, blob_size)) {
+		goto cleanup;
+	}
+
+	if (0 == x509parse_time_expired(&x509.valid_to)) {
+		struct tm tm1;
+
+		memset (&tm1, 0, sizeof (tm1));
+		tm1.tm_year = x509.valid_to.year - 1900;
+		tm1.tm_mon  = x509.valid_to.mon  - 1;
+		tm1.tm_mday = x509.valid_to.day;
+		tm1.tm_hour = x509.valid_to.hour - 1;
+		tm1.tm_min  = x509.valid_to.min  - 1;
+		tm1.tm_sec  = x509.valid_to.sec  - 1;
+
+		*expiration = mktime (&tm1);
+		*expiration += (int)(mktime (localtime (expiration)) - mktime (gmtime (expiration)));
+	}
+
+cleanup:
+
+	x509_free(&x509);
+
+	return *expiration != (time_t)0;
+}
+
+static
+int
+__pkcs11h_crypto_polarssl_certificate_get_dn (
+	IN void * const global_data,
+	IN const unsigned char * const blob,
+	IN const size_t blob_size,
+	OUT char * const dn,
+	IN const size_t dn_max
+) {
+	x509_cert x509;
+	int ret = FALSE;
+
+	(void)global_data;
+
+	/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+	_PKCS11H_ASSERT (blob!=NULL);
+	_PKCS11H_ASSERT (dn!=NULL);
+	_PKCS11H_ASSERT (dn_max>0);
+
+	dn[0] = '\x0';
+
+	memset(&x509, 0, sizeof(x509));
+	if (0 != x509parse_crt (&x509, blob, blob_size)) {
+		goto cleanup;
+	}
+
+	if (-1 == x509parse_dn_gets(dn, dn_max, &x509.subject)) {
+		goto cleanup;
+	}
+
+	ret = TRUE;
+
+cleanup:
+
+	x509_free(&x509);
+
+	return ret;
+}
+
+static
+int
+__pkcs11h_crypto_polarssl_certificate_is_issuer (
+	IN void * const global_data,
+	IN const unsigned char * const issuer_blob,
+	IN const size_t issuer_blob_size,
+	IN const unsigned char * const cert_blob,
+	IN const size_t cert_blob_size
+) {
+	x509_cert x509_issuer;
+	x509_cert x509_cert;
+	int verify_flags = 0;
+
+	PKCS11H_BOOL is_issuer = FALSE;
+
+	(void)global_data;
+
+	/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+	_PKCS11H_ASSERT (issuer_blob!=NULL);
+	_PKCS11H_ASSERT (cert_blob!=NULL);
+
+	memset(&x509_issuer, 0, sizeof(x509_issuer));
+	if (0 != x509parse_crt (&x509_issuer, issuer_blob, issuer_blob_size)) {
+		goto cleanup;
+	}
+
+	memset(&x509_cert, 0, sizeof(x509_cert));
+	if (0 != x509parse_crt (&x509_cert, cert_blob, cert_blob_size)) {
+		goto cleanup;
+	}
+
+#if (POLARSSL_VERSION_MAJOR == 0)
+	if ( 0 == x509parse_verify(&x509_cert, &x509_issuer, NULL, NULL,
+		&verify_flags ))
+#else
+	if ( 0 == x509parse_verify(&x509_cert, &x509_issuer, NULL, NULL,
+		&verify_flags, NULL, NULL ))
+#endif
+
+cleanup:
+	x509_free(&x509_cert);
+	x509_free(&x509_issuer);
+
+	return is_issuer;
+}
+
+static const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_polarssl = {
+	NULL,
+	__pkcs11h_crypto_polarssl_initialize,
+	__pkcs11h_crypto_polarssl_uninitialize,
+	__pkcs11h_crypto_polarssl_certificate_get_expiration,
+	__pkcs11h_crypto_polarssl_certificate_get_dn,
+	__pkcs11h_crypto_polarssl_certificate_is_issuer
+};
+
+#endif				/* ENABLE_PKCS11H_ENGINE_POLARSSL */
+
 pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine = {
 	NULL,
 	NULL,
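Review bot: The `if` around the `x509parse_verify` call in `__pkcs11h_crypto_polarssl_certificate_is_issuer` has no body, so its controlled statement is the labelled `x509_free(&x509_cert);` after `cleanup:` — `is_issuer` is never set to `TRUE`, the function always reports that the candidate is not the issuer, and when verification fails `x509_cert` is not freed at all. In `__pkcs11h_crypto_polarssl_certificate_get_expiration` the `- 1` applied to `tm_hour`, `tm_min` and `tm_sec` is wrong: only `tm_mon` is zero-based in `struct tm`, so the computed expiration is shifted by one hour, one minute and one second. Two smaller points: `x509parse_dn_gets` appears to return a negative error code rather than exactly -1 in later PolarSSL releases, so `if (0 > x509parse_dn_gets(...))` is the safer test, and the local `x509_cert x509_cert;` shadows the typedef for the rest of that scope. Also, an already-expired certificate leaves `*expiration` at 0 and the function reports failure instead of the past date — confirm that matches what the other engines return. The `_g_pkcs11h_crypto_engine` initializer at the end of the hunk continues outside it.
```c
		/* … unchanged: tm1 zeroing, tm_year and tm_mon … */
		tm1.tm_mday = x509.valid_to.day;
		tm1.tm_hour = x509.valid_to.hour;	/* only tm_mon is zero-based */
		tm1.tm_min  = x509.valid_to.min;
		tm1.tm_sec  = x509.valid_to.sec;
		/* … unchanged: mktime and local/UTC correction … */

/* … unchanged: __pkcs11h_crypto_polarssl_certificate_is_issuer up to the two x509parse_crt calls … */
#if (POLARSSL_VERSION_MAJOR == 0)
	if (0 == x509parse_verify(&x509_cert, &x509_issuer, NULL, NULL,
		&verify_flags)) {
#else
	if (0 == x509parse_verify(&x509_cert, &x509_issuer, NULL, NULL,
		&verify_flags, NULL, NULL)) {
#endif
		is_issuer = TRUE;
	}

cleanup:
	/* … unchanged: x509_free calls and return is_issuer … */
```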
@@ -1137,6 +1305,8 @@ pkcs11h_engine_setCrypto (
 		_engine = &_g_pkcs11h_crypto_engine_openssl;
 #elif defined(ENABLE_PKCS11H_ENGINE_NSS)
 		_engine = &_g_pkcs11h_crypto_engine_nss;
+#elif defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
+		_engine = &_g_pkcs11h_crypto_engine_polarssl;
 #elif defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
 		_engine = &_g_pkcs11h_crypto_engine_gnutls;
 #else
@@ -1145,23 +1315,16 @@ pkcs11h_engine_setCrypto (
 #endif
 	}
 	else if (engine ==  PKCS11H_ENGINE_CRYPTO_GPL) {
-#if defined(_WIN32)
 #if defined(ENABLE_PKCS11H_ENGINE_WIN32)
 		_engine = &_g_pkcs11h_crypto_engine_win32;
+#elif defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
+		_engine = &_g_pkcs11h_crypto_engine_polarssl;
 #elif defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
 		_engine = &_g_pkcs11h_crypto_engine_gnutls;
 #else
 		rv = CKR_ATTRIBUTE_VALUE_INVALID;
 		goto cleanup;
 #endif
-#else
-#if defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
-		_engine = &_g_pkcs11h_crypto_engine_gnutls;
-#else
-		rv = CKR_ATTRIBUTE_VALUE_INVALID;
-		goto cleanup;
-#endif
-#endif
 	}
 	else if (engine == PKCS11H_ENGINE_CRYPTO_WIN32) {
 #if defined(ENABLE_PKCS11H_ENGINE_WIN32)
@@ -1195,6 +1358,14 @@ pkcs11h_engine_setCrypto (
 		goto cleanup;
 #endif
 	}
+	else if (engine == PKCS11H_ENGINE_CRYPTO_POLARSSL) {
+#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
+		_engine = &_g_pkcs11h_crypto_engine_polarssl;
+#else
+		rv = CKR_ATTRIBUTE_VALUE_INVALID;
+		goto cleanup;
+#endif
+	}
 	else {
 		_engine = engine;
 	}
