Merged PKCS#11 patch.

Pre-2.1_beta3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@604 e7ae566f-a301-0410-adde-c780ea21d3b5
author: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2005-10-13 08:38:41 +0000
committer: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2005-10-13 08:38:41 +0000
commit: ce98fd24bd72d479805cb121ca8e118826f1ed76 (patch)
tree: b109113870455d2c5595a0833301f234353578e3 /options.c
parent: Renamed plugin to plugins to work around (diff)
download: openvpn-ce98fd24bd72d479805cb121ca8e118826f1ed76.tar.xz
1 files changed, 184 insertions, 0 deletions
diff --git a/options.c b/options.c
index c4a1b20..eccb63e 100644
--- a/options.c
+++ b/options.c
@@ -45,6 +45,7 @@
 #include "misc.h"
 #include "socket.h"
 #include "packet_id.h"
+#include "pkcs11.h"
 #include "win32.h"
 #include "push.h"
 #include "pool.h"
@@ -406,6 +407,24 @@ static const char usage_message[] =
   "--key file      : Local private key in .pem format.\n"
   "--pkcs12 file   : PKCS#12 file containing local private key, local certificate\n"
   "                  and root CA certificate.\n"
+#ifdef ENABLE_PKCS11
+  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
+  "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n"
+  "                              auto    : Try  to determind automatically (default).\n"
+  "                              recover : Use SignRecover.\n"
+  "                              sign    : Use Sign.\n"
+  "--pkcs11-slot-type method   : Slot locate method:\n"
+  "                              id      : By slot id (numeric [prov#:]slot#).\n"
+  "                              name    : By slot name.\n"
+  "                              label   : By the card label that resides in slot.\n"
+  "--pkcs11-slot name          : The slot name.\n"
+  "--pkcs11-id-type method     : Certificate and key locate method:\n"
+  "                              id      : By the object id (hex format).\n"
+  "                              label   : By the object label (string).\n"
+  "                              subject : By certificate subject (String).\n"
+  "--pkcs11-id name            : The object name.\n"
+  "--pkcs11-protected-authentication : Use PKCS#11 protected authentication path.\n"
+#endif
 #ifdef WIN32
   "--cryptoapicert select-string : Load the certificate and private key from the\n"
   "                  Windows Certificate System Store.\n"
@@ -517,6 +536,14 @@ static const char usage_message[] =
   "--dev tunX|tapX : tun/tap device\n"
   "--dev-type dt   : Device type.  See tunnel options above for details.\n"
 #endif
+#ifdef USE_SSL
+#ifdef ENABLE_PKCS11
+  "\n"
+  "PKCS#11 specific:\n"
+  "--show-pkcs11-slots provider        : Show PKCS#11 provider available slots.\n"
+  "--show-pkcs11-objects provider slot : Show PKCS#11 token objects.\n" 
+#endif
+#endif
  ;
 
 #endif /* !ENABLE_SMALL */
@@ -601,6 +628,9 @@ init_options (struct options *o)
   o->renegotiate_seconds = 3600;
   o->handshake_window = 60;
   o->transition_window = 3600;
+#ifdef ENABLE_PKCS11
+  o->pkcs11_protected_authentication = false;
+#endif
 #endif
 #endif
 }
@@ -1114,6 +1144,23 @@ show_settings (const struct options *o)
   SHOW_STR (cert_file);
   SHOW_STR (priv_key_file);
   SHOW_STR (pkcs12_file);
+#ifdef ENABLE_PKCS11
+  {
+    int i;
+    for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++)
+      SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s");
+  }
+  {
+    int i;
+    for (i=0;i<MAX_PARMS && o->pkcs11_sign_mode[i] != NULL;i++)
+      SHOW_PARM (pkcs11_sign_mode, o->pkcs11_sign_mode[i], "%s");
+  }
+  SHOW_STR (pkcs11_slot_type);
+  SHOW_STR (pkcs11_slot);
+  SHOW_STR (pkcs11_id_type);
+  SHOW_STR (pkcs11_id);
+  SHOW_BOOL (pkcs11_protected_authentication);
+#endif
 #ifdef WIN32
   SHOW_STR (cryptoapi_cert);
 #endif
@@ -1570,6 +1617,58 @@ options_postprocess (struct options *options, bool first_time)
     }
   if (options->tls_server || options->tls_client)
     {
+#ifdef ENABLE_PKCS11
+      if (options->pkcs11_providers[0])
+       {
+        int j;
+        notnull (options->ca_file, "CA file (--ca)");
+	
+	for (j=0;j<MAX_PARMS && options->pkcs11_sign_mode[j] != NULL;j++)
+	 {
+	  if (
+	   !string_defined_equal (options->pkcs11_sign_mode[j], "auto") &&
+	   !string_defined_equal (options->pkcs11_sign_mode[j], "recover") &&
+	   !string_defined_equal (options->pkcs11_sign_mode[j], "sign")
+	  )
+	    msg(M_USAGE, "Parameter --pkcs11-sign-mode value is invalid.");
+	 }
+
+	if (
+	  !string_defined_equal (options->pkcs11_slot_type, "id") &&
+	  !string_defined_equal (options->pkcs11_slot_type, "name") &&
+	  !string_defined_equal (options->pkcs11_slot_type, "label")
+	)
+	  msg(M_USAGE, "Parameter --pkcs11-slot-type value is invalid.");
+
+	notnull (options->pkcs11_slot, "PKCS#11 slot name (--pkcs11-slot)");
+
+	if (
+	  !string_defined_equal (options->pkcs11_id_type, "id") &&
+	  !string_defined_equal (options->pkcs11_id_type, "label") &&
+	  !string_defined_equal (options->pkcs11_id_type, "subject")
+	)
+	  msg(M_USAGE, "Parameter --pkcs11-id-type value is invalid.");
+
+	notnull (options->pkcs11_id, "PKCS#11 id (--pkcs11-id)");
+
+	if (options->pkcs11_protected_authentication && options->key_pass_file != NULL)
+	  msg(M_USAGE, "Parameter --askpass cannot be used when --pkcs11-protected-authentication is also specified.");
+	if (!options->pkcs11_protected_authentication && options->key_pass_file == NULL)
+	  msg (M_USAGE, "Please specify one of --askpass or --pkcs11-protected-autentication options.");
+
+	if (options->cert_file)
+	  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
+	if (options->priv_key_file)
+	  msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
+	if (options->pkcs12_file)
+	  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
+#ifdef WIN32
+	if (options->cryptoapi_cert)
+	  msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
+#endif
+       }
+      else
+#endif
 #ifdef WIN32
       if (options->cryptoapi_cert)
 	{
@@ -1650,6 +1749,14 @@ options_postprocess (struct options *options, bool first_time)
       MUST_BE_UNDEF (crl_file);
       MUST_BE_UNDEF (key_method);
       MUST_BE_UNDEF (ns_cert_type);
+#ifdef ENABLE_PKCS11
+      MUST_BE_UNDEF (pkcs11_providers[0]);
+      MUST_BE_UNDEF (pkcs11_sign_mode[0]);
+      MUST_BE_UNDEF (pkcs11_slot_type);
+      MUST_BE_UNDEF (pkcs11_slot);
+      MUST_BE_UNDEF (pkcs11_id_type);
+      MUST_BE_UNDEF (pkcs11_id);
+#endif
 
       if (pull)
 	msg (M_USAGE, err, "--pull");
@@ -4554,6 +4661,83 @@ add_option (struct options *options,
       VERIFY_PERMISSION (OPT_P_GENERAL);
       options->cert_file = p[1];
     }
+#ifdef ENABLE_PKCS11
+  else if (streq (p[0], "show-pkcs11-slots") && p[1])
+    {
+      char *module =  p[i++];
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      show_pkcs11_slots (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, module);
+      openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+    }
+  else if (streq (p[0], "show-pkcs11-objects") && p[1] && p[2])
+    {
+      char *provider =  p[i++];
+      char *slot = p[i++];
+      struct gc_arena gc = gc_new ();
+      struct buffer pass_prompt = alloc_buf_gc (128, &gc);
+      char pin[256];
+
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+
+      buf_printf (&pass_prompt, "PIN:");
+
+      if (!get_console_input (BSTR (&pass_prompt), false, pin, sizeof (pin)))
+        msg (M_FATAL, "Cannot read password from stdin");
+      
+      gc_free (&gc);
+      
+      show_pkcs11_objects (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, provider, slot, pin);
+      openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+    }
+  else if (streq (p[0], "pkcs11-providers") && p[1])
+    {
+      int j;
+      
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+
+      for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j, ++i)
+      	options->pkcs11_providers[j-1] = p[j];
+    }
+  else if (streq (p[0], "pkcs11-sign-mode") && p[1])
+    {
+      int j;
+      
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+
+      for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j, ++i)
+      	options->pkcs11_sign_mode[j-1] = p[j];
+    }
+  else if (streq (p[0], "pkcs11-slot-type") && p[1])
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_slot_type = p[1];
+    }
+  else if (streq (p[0], "pkcs11-slot") && p[1])
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_slot = p[1];
+    }
+  else if (streq (p[0], "pkcs11-id-type") && p[1])
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_id_type = p[1];
+    }
+  else if (streq (p[0], "pkcs11-id") && p[1])
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_id = p[1];
+    }
+  else if (streq (p[0], "pkcs11-protected-authentication"))
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_protected_authentication = true;
+    }
+#endif
 #ifdef WIN32
   else if (streq (p[0], "cryptoapicert") && p[1])
     {
author	james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>	2005-10-13 08:38:41 +0000
committer	james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>	2005-10-13 08:38:41 +0000
commit	ce98fd24bd72d479805cb121ca8e118826f1ed76 (patch)
tree	b109113870455d2c5595a0833301f234353578e3 /options.c
parent	Renamed plugin to plugins to work around (diff)
download	openvpn-ce98fd24bd72d479805cb121ca8e118826f1ed76.tar.xz