Add option to specify CKA_ID in generate-keypair and import-object

Signed-off-by: Zoltan Fridrich <[email protected]>
p11-glue · Jan 9, 2024 · 6a37821 · 6a37821
1 parent 304db35
commit 6a37821
Show file tree

Hide file tree

Showing 9 changed files with 321 additions and 21 deletions.
diff --git a/common/Makefile.am b/common/Makefile.am
@@ -76,6 +76,7 @@ c_tests += \
 	test-hash \
 	test-dict \
 	test-array \
+	test-hex \
 	test-constants \
 	test-attrs \
 	test-buffer \
@@ -93,6 +94,9 @@ test_argv_LDADD = $(common_LIBS)
 test_array_SOURCES = common/test-array.c
 test_array_LDADD = $(common_LIBS)
 
+test_hex_SOURCES = common/test-hex.c
+test_hex_LDADD = $(common_LIBS)
+
 test_attrs_SOURCES = common/test-attrs.c
 test_attrs_LDADD = $(common_LIBS)
 

diff --git a/common/hex.c b/common/hex.c
@@ -34,9 +34,12 @@
  */
 
 #include "config.h"
+
+#include "debug.h"
 #include "hex.h"
-#include <stdint.h>
+
 #include <stdlib.h>
+#include <string.h>
 
 static const char HEXC_LOWER[] = "0123456789abcdef";
 
@@ -48,6 +51,8 @@ hex_encode (const unsigned char *data,
 	size_t i;
 	size_t o;
 
+	return_val_if_fail (data != NULL, NULL);
+
 	if ((SIZE_MAX - 1) / 3 < n_data)
 		return NULL;
 	result = malloc (n_data * 3 + 1);
@@ -64,3 +69,57 @@ hex_encode (const unsigned char *data,
 	result[o] = 0;
 	return result;
 }
+
+unsigned char *
+hex_decode (const char *hex,
+            size_t *bin_len)
+{
+	int i, j;
+	size_t bin_len_, hex_len;
+	unsigned char *bin, c;
+	bool with_separator;
+
+	return_val_if_fail (hex != NULL, NULL);
+	return_val_if_fail (bin_len != NULL, NULL);
+
+	hex_len = strlen (hex);
+	if (hex_len == 0)
+		return NULL;
+
+	with_separator = hex_len > 2 && hex[2] == ':';
+	if (with_separator)
+		for (i = 5; i < hex_len; i += 3)
+			if (hex[i] != ':')
+				return NULL;
+
+	if (SIZE_MAX - 1 < hex_len ||
+	    (with_separator && (hex_len + 1) % 3 != 0) ||
+	    (!with_separator && hex_len % 2 != 0))
+		return NULL;
+
+	bin_len_ = with_separator ? (hex_len + 1) / 3 : hex_len / 2;
+	bin = calloc (bin_len_, 1);
+	if (bin == NULL)
+		return NULL;
+
+	for (i = 0; i < bin_len_; ++i) {
+		for (j = 0; j < 2; ++j) {
+			c = with_separator ? hex[i * 3 + j] : hex[i * 2 + j];
+			if ('0' <= c && c <= '9')
+				bin[i] |= c - '0';
+			else if ('a' <= c && c <= 'f')
+				bin[i] |= c - 'a' + 10;
+			else if ('A' <= c && c <= 'F')
+				bin[i] |= c - 'A' + 10;
+			else {
+				free (bin);
+				return NULL;
+			}
+			if (j == 0)
+				bin[i] <<= 4;
+		}
+	}
+
+	*bin_len = bin_len_;
+	return bin;
+}
diff --git a/common/hex.h b/common/hex.h
@@ -38,7 +38,12 @@
 
 #include <stddef.h>
 
-char *hex_encode (const unsigned char *data,
-		  size_t n_data);
+char *
+hex_encode (const unsigned char *data,
+	    size_t n_data);
+
+unsigned char *
+hex_decode (const char *hex,
+	    size_t *bin_len);
 
 #endif /* P11_HEX_H */
diff --git a/common/meson.build b/common/meson.build
@@ -150,6 +150,7 @@ if get_option('test')
     'test-hash',
     'test-dict',
     'test-array',
+    'test-hex',
     'test-constants',
     'test-attrs',
     'test-buffer',

diff --git a/common/test-hex.c b/common/test-hex.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2024, Red Hat Inc.
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Zoltan Fridrich <[email protected]>
+ */
+
+#include "config.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "hex.h"
+#include "test.h"
+
+#define assert_mem_eq(a1, a2, n) \
+	do { const char *__s1 = (a1); \
+	     const char *__s2 = (a2); \
+	     if (__s1 && __s2 && memcmp (__s1, __s2, n) == 0) ; else \
+	         p11_test_fail (__FILE__, __LINE__, __FUNCTION__, "assertion failed"); \
+	} while (0)
+
+static void
+assert_encode_eq (const char *out,
+		  const char *in,
+		  size_t in_len)
+{
+	char *hex = hex_encode ((const unsigned char *)in, in_len);
+	assert_str_eq (out, hex);
+	free (hex);
+}
+
+static void
+assert_decode_eq (const char *out,
+		  size_t out_len,
+		  const char *in)
+{
+	size_t bin_len = 0;
+	char *bin = (char *)hex_decode (in, &bin_len);
+	assert_num_eq (out_len, bin_len);
+	assert_mem_eq (out, bin, bin_len);
+	free (bin);
+}
+
+static void
+assert_decode_fail (const char *in)
+{
+	size_t i;
+	assert_ptr_eq (NULL, hex_decode (in, &i));
+}
+
+static void
+test_encode (void)
+{
+	assert_encode_eq ("", "", 0);
+	assert_encode_eq ("3a", "\x3a", 1);
+	assert_encode_eq ("3a:bc:f6:9a", "\x3a\xbc\xf6\x9a", 4);
+}
+
+static void
+test_decode (void)
+{
+	assert_decode_eq ("\x3a", 1, "3a");
+	assert_decode_eq ("\x3a\xbc\xf6\x9a", 4, "3abcf69a");
+	assert_decode_eq ("\x3a\xbc\xf6\x9a", 4, "3AbCf69a");
+	assert_decode_eq ("\x3a\xbc\xf6\x9a", 4, "3ABCF69A");
+	assert_decode_eq ("\x3a\xbc\xf6\x9a", 4, "3a:bc:f6:9a");
+	assert_decode_eq ("\x3a\xbc\xf6\x9a", 4, "3a:Bc:F6:9A");
+	assert_decode_eq ("\x3a\xbc\xf6\x9a", 4, "3a:bc:f6:9a");
+	assert_decode_fail ("");
+	assert_decode_fail ("3");
+	assert_decode_fail (":a");
+	assert_decode_fail ("a:");
+	assert_decode_fail ("3ab");
+	assert_decode_fail ("3a:");
+	assert_decode_fail (":3a");
+	assert_decode_fail ("3a:b");
+	assert_decode_fail ("3:ab");
+	assert_decode_fail ("3a:bc:f6::9a");
+	assert_decode_fail ("3a:bc:f69a");
+	assert_decode_fail ("3a:bc:f6::9");
+	assert_decode_fail ("3a:bc:f69aa");
+	assert_decode_fail ("3a$bc:f6:9a");
+	assert_decode_fail ("3a:bc:f6$9a");
+}
+
+int
+main (int argc,
+      char *argv[])
+{
+	p11_test (test_encode, "/hex/encode");
+	p11_test (test_decode, "/hex/decode");
+	return p11_test_run (argc, argv);
+}
diff --git a/doc/manual/p11-kit.xml b/doc/manual/p11-kit.xml
@@ -176,7 +176,7 @@ $ <command>pkg-config p11-kit-1 --variable p11_module_path</command>
 	<para>Import object into PKCS#11 token.</para>
 
 <programlisting>
-$ p11-kit import-object --file=file.pem &lsqb;--label=label&rsqb; pkcs11:token
+$ p11-kit import-object --file=file.pem &lsqb;--label=label&rsqb; &lsqb;--id=object_id&rsqb; pkcs11:token
 </programlisting>
 
 	<para>Takes either an X.509 certificate or a public key in the form of a PEM file
@@ -199,6 +199,10 @@ $ p11-kit import-object --file=file.pem &lsqb;--label=label&rsqb; pkcs11:token
 			<term><option>--label=&lt;label&gt;</option></term>
 			<listitem><para>Assigns label to the imported object.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--id=&lt;object_id&gt;</option></term>
+			<listitem><para>Assigns ID to the imported object. The ID should be specified in hexadecimal format without '0x' prefix.</para></listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>--login</option></term>
 			<listitem><para>Authenticate to the token before enumerating objects. The PIN value is read from either the <literal>pin-value</literal> attribute in the URI or from the terminal.</para></listitem>
@@ -276,7 +280,7 @@ $ <command>pkg-config p11-kit-1 --variable p11_module_path</command>
 	<para>Generate key-pair on a PKCS#11 token.</para>
 
 <programlisting>
-$ p11-kit generate-keypair --type=algorithm &lcub;--bits=n|--curve=name&rcub; &lsqb;--label=label&rsqb; pkcs11:token
+$ p11-kit generate-keypair --type=algorithm &lcub;--bits=n|--curve=name&rcub; &lsqb;--label=label&rsqb; &lsqb;--id=object_id&rsqb; pkcs11:token
 </programlisting>
 
 	<para>Generate private-public key-pair of given type on the first
@@ -311,6 +315,10 @@ $ p11-kit generate-keypair --type=algorithm &lcub;--bits=n|--curve=name&rcub; &l
 			<term><option>--label=&lt;label&gt;</option></term>
 			<listitem><para>Assigns label to the generated key-pair objects.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--id=&lt;object_id&gt;</option></term>
+			<listitem><para>Assigns ID to the generated key-pair objects. The ID should be specified in hexadecimal format without '0x' prefix.</para></listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>--login</option></term>
 			<listitem><para>Authenticate to the token before enumerating objects. The PIN value is read from either the <literal>pin-value</literal> attribute in the URI or from the terminal.</para></listitem>