aboutsummaryrefslogtreecommitdiff
path: root/options.c
diff options
context:
space:
mode:
Diffstat (limited to 'options.c')
-rw-r--r--options.c112
1 files changed, 21 insertions, 91 deletions
diff --git a/options.c b/options.c
index 5cc7f23..8c5a268 100644
--- a/options.c
+++ b/options.c
@@ -76,6 +76,9 @@ const char title_string[] =
#ifdef USE_PTHREAD
" [PTHREAD]"
#endif
+#ifdef ENABLE_PKCS11
+ " [PKCS11]"
+#endif
" built on " __DATE__
;
@@ -501,25 +504,17 @@ static const char usage_message[] =
"--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
"--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
" path. Set for each provider.\n"
- "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n"
- " auto : Try to determind automatically (default).\n"
- " sign : Use Sign.\n"
- " recover : Use SignRecover.\n"
- " any : Use Sign and then SignRecover.\n"
+ "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
+ " 0 : Try to determind automatically (default).\n"
+ " 1 : Use Sign.\n"
+ " 2 : Use SignRecover.\n"
+ " 4 : Use Decrypt.\n"
+ " 8 : Use Unwrap.\n"
"--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
" certificate can be accessed. Set for each provider.\n"
"--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
" cache until token is removed.\n"
- "--pkcs11-slot-type method : Slot locate method:\n"
- " id : By slot id (numeric [prov:]slot#).\n"
- " name : By slot name.\n"
- " label : By the card label that resides in slot.\n"
- "--pkcs11-slot name : The slot name.\n"
- "--pkcs11-id-type method : Certificate and key locate method:\n"
- " id : By the object id (hex format).\n"
- " label : By the object label (string).\n"
- " subject : By certificate subject (String).\n"
- "--pkcs11-id name : The object name.\n"
+ "--pkcs11-id serialized-id : Identity to use, get using standalone --show-pkcs11-ids\n"
#endif /* ENABLE_PKCS11 */
"\n"
"SSL Library information:\n"
@@ -600,8 +595,8 @@ static const char usage_message[] =
#ifdef ENABLE_PKCS11
"\n"
"PKCS#11 standalone options:\n"
- "--show-pkcs11-slots provider : Show PKCS#11 provider available slots.\n"
- "--show-pkcs11-objects provider slot : Show PKCS#11 token objects.\n"
+ "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
+ " --verb option can be added *BEFORE* this.\n"
#endif /* ENABLE_PKCS11 */
;
@@ -1280,8 +1275,8 @@ show_settings (const struct options *o)
}
{
int i;
- for (i=0;i<MAX_PARMS && o->pkcs11_sign_mode[i] != NULL;i++)
- SHOW_PARM (pkcs11_sign_mode, o->pkcs11_sign_mode[i], "%s");
+ for (i=0;i<MAX_PARMS;i++)
+ SHOW_PARM (pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
}
{
int i;
@@ -1289,9 +1284,6 @@ show_settings (const struct options *o)
SHOW_PARM (pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
}
SHOW_INT (pkcs11_pin_cache_period);
- SHOW_STR (pkcs11_slot_type);
- SHOW_STR (pkcs11_slot);
- SHOW_STR (pkcs11_id_type);
SHOW_STR (pkcs11_id);
#endif /* ENABLE_PKCS11 */
@@ -1764,35 +1756,7 @@ options_postprocess (struct options *options, bool first_time)
#ifdef ENABLE_PKCS11
if (options->pkcs11_providers[0])
{
- int j;
notnull (options->ca_file, "CA file (--ca)");
-
- for (j=0;j<MAX_PARMS && options->pkcs11_sign_mode[j] != NULL;j++)
- {
- if (
- !string_defined_equal (options->pkcs11_sign_mode[j], "auto") &&
- !string_defined_equal (options->pkcs11_sign_mode[j], "recover") &&
- !string_defined_equal (options->pkcs11_sign_mode[j], "sign")
- )
- msg(M_USAGE, "Parameter --pkcs11-sign-mode value is invalid.");
- }
-
- if (
- !string_defined_equal (options->pkcs11_slot_type, "id") &&
- !string_defined_equal (options->pkcs11_slot_type, "name") &&
- !string_defined_equal (options->pkcs11_slot_type, "label")
- )
- msg(M_USAGE, "Parameter --pkcs11-slot-type value is invalid.");
-
- notnull (options->pkcs11_slot, "PKCS#11 slot name (--pkcs11-slot)");
-
- if (
- !string_defined_equal (options->pkcs11_id_type, "id") &&
- !string_defined_equal (options->pkcs11_id_type, "label") &&
- !string_defined_equal (options->pkcs11_id_type, "subject")
- )
- msg(M_USAGE, "Parameter --pkcs11-id-type value is invalid.");
-
notnull (options->pkcs11_id, "PKCS#11 id (--pkcs11-id)");
if (options->cert_file)
@@ -1895,10 +1859,7 @@ options_postprocess (struct options *options, bool first_time)
MUST_BE_UNDEF (remote_cert_eku);
#ifdef ENABLE_PKCS11
MUST_BE_UNDEF (pkcs11_providers[0]);
- MUST_BE_UNDEF (pkcs11_sign_mode[0]);
- MUST_BE_UNDEF (pkcs11_slot_type);
- MUST_BE_UNDEF (pkcs11_slot);
- MUST_BE_UNDEF (pkcs11_id_type);
+ MUST_BE_UNDEF (pkcs11_private_mode);
MUST_BE_UNDEF (pkcs11_id);
#endif
@@ -5098,31 +5059,15 @@ add_option (struct options *options,
#endif /* USE_SSL */
#endif /* USE_CRYPTO */
#ifdef ENABLE_PKCS11
- else if (streq (p[0], "show-pkcs11-slots") && p[1])
- {
- char *module = p[1];
- VERIFY_PERMISSION (OPT_P_GENERAL);
- show_pkcs11_slots (module);
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
- }
- else if (streq (p[0], "show-pkcs11-objects") && p[1] && p[2])
+ else if (streq (p[0], "show-pkcs11-ids") && p[1])
{
char *provider = p[1];
- char *slot = p[2];
- struct gc_arena gc = gc_new ();
- struct buffer pass_prompt = alloc_buf_gc (128, &gc);
- char pin[256];
+ bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 ));
VERIFY_PERMISSION (OPT_P_GENERAL);
- buf_printf (&pass_prompt, "PIN:");
-
- if (!get_console_input (BSTR (&pass_prompt), false, pin, sizeof (pin)))
- msg (M_FATAL, "Cannot read password from stdin");
-
- gc_free (&gc);
-
- show_pkcs11_objects (provider, slot, pin);
+ set_debug_level (options->verbosity, SDL_CONSTRAIN);
+ show_pkcs11_ids (provider, cert_private);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
else if (streq (p[0], "pkcs11-providers") && p[1])
@@ -5143,14 +5088,14 @@ add_option (struct options *options,
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
options->pkcs11_protected_authentication[j-1] = atoi (p[j]) != 0 ? 1 : 0;
}
- else if (streq (p[0], "pkcs11-sign-mode") && p[1])
+ else if (streq (p[0], "pkcs11-private-mode") && p[1])
{
int j;
VERIFY_PERMISSION (OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- options->pkcs11_sign_mode[j-1] = p[j];
+ sscanf (p[j], "%x", &(options->pkcs11_private_mode[j-1]));
}
else if (streq (p[0], "pkcs11-cert-private"))
{
@@ -5166,21 +5111,6 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs11_pin_cache_period = atoi (p[1]);
}
- else if (streq (p[0], "pkcs11-slot-type") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pkcs11_slot_type = p[1];
- }
- else if (streq (p[0], "pkcs11-slot") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pkcs11_slot = p[1];
- }
- else if (streq (p[0], "pkcs11-id-type") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pkcs11_id_type = p[1];
- }
else if (streq (p[0], "pkcs11-id") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);