Merge branch 'softhsm:develop' into develop2

Author: larssilven

m4/acx_crypto_backend.m4

@@ -49,6 +49,16 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 		AC_MSG_RESULT(no)
 	fi
 
+	# Option to disable usage engines
+
+	AC_ARG_ENABLE(openssl-engines,
+		AS_HELP_STRING([--disable-openssl-engines],
+			[Disable OpenSSL engines usage]
+		),
+		[enable_openssl_engines="${enableval}"],
+		[enable_openssl_engines="yes"]
+	)
+
 	# Then check what crypto library we want to use
 
 	AC_ARG_WITH(crypto-backend,
@@ -105,6 +115,22 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 			ACX_OPENSSL_EVPAESWRAP
 		fi
 
+		AC_MSG_CHECKING(for OpenSSL engines support)
+		if test "x${enable_openssl_engines}" = "xyes"; then
+			ACX_OPENSSL_ENGINES
+			if test "x${have_lib_openssl_engines_support}" = "xyes"; then
+				AC_MSG_RESULT([yes])
+			else
+				AC_MSG_RESULT([no])
+				AC_DEFINE_UNQUOTED([WITHOUT_OPENSSL_ENGINES], [1],
+					[Compile without OpenSSL engines support as it is unavailable])
+			fi
+		else
+			AC_MSG_RESULT([disabled])
+			AC_DEFINE([WITHOUT_OPENSSL_ENGINES], [1],
+				[Compile without OpenSSL engines support as it is disabled])
+		fi
+
 		AC_DEFINE_UNQUOTED(
 			[WITH_RAW_PSS],
 			[1],

m4/acx_openssl_engines.m4

@@ -0,0 +1,35 @@
+AC_DEFUN([ACX_OPENSSL_ENGINES], [
+
+    tmp_CPPFLAGS=$CPPFLAGS
+    tmp_LIBS=$LIBS
+
+    CPPFLAGS="$CPPFLAGS $CRYPTO_INCLUDES"
+    LIBS="$CRYPTO_LIBS $LIBS"
+
+    AC_LANG_PUSH([C])
+    AC_CACHE_VAL([acx_cv_lib_openssl_engines_support], [
+        acx_cv_lib_openssl_engines_support=no
+        AC_COMPILE_IFELSE([
+            AC_LANG_SOURCE([[
+                #include <openssl/engine.h>
+                #ifdef OPENSSL_NO_ENGINE
+                #error "Engines are disabled"
+                #endif
+                int main() {
+                    ENGINE_load_builtin_engines();
+                    return 0;
+                }
+            ]])
+        ], [
+            acx_cv_lib_openssl_engines_support=yes
+        ], [
+            acx_cv_lib_openssl_engines_support=no
+        ])
+    ])
+    AC_LANG_POP([C])
+
+    CPPFLAGS=$tmp_CPPFLAGS
+    LIBS=$tmp_LIBS
+
+    have_lib_openssl_engines_support="${acx_cv_lib_openssl_engines_support}"
+])

src/bin/util/softhsm2-util-botan.cpp

@@ -47,6 +47,9 @@
 #include <botan/bigint.h>
 #include <botan/der_enc.h>
 #include <botan/oids.h>
+#include <botan/der_enc.h>
+#include <botan/x509cert.h>
+#include <botan/x509_dn.h>
 
 // Init Botan
 void crypto_init()
@@ -209,6 +212,64 @@ int crypto_import_key_pair
 	return result;
 }
 
+int crypto_import_certificate
+(
+	CK_SESSION_HANDLE hSession,
+	char* filePath,
+	char* label,
+	char* objID,
+	size_t objIDLen
+)
+{
+	auto _vector_ptr = [](std::vector<uint8_t> &v) {
+		return v.size() == 0 ? NULL : &v.front();
+	};
+
+	Botan::X509_Certificate cert(filePath);
+	std::vector<uint8_t> blob;
+	std::vector<uint8_t> subject;
+	std::vector<uint8_t> issuer;
+	std::vector<uint8_t> serial;
+
+	Botan::DER_Encoder blob_encoder(blob);
+	Botan::DER_Encoder subject_encoder(subject);
+	Botan::DER_Encoder issuer_encoder(issuer);
+	Botan::DER_Encoder serial_encoder(serial);
+
+	cert.encode_into(blob_encoder);
+	cert.subject_dn().encode_into(subject_encoder);
+	cert.issuer_dn().encode_into(issuer_encoder);
+	serial_encoder.encode(Botan::BigInt::decode(cert.serial_number()));
+
+	CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+	CK_CERTIFICATE_TYPE certType = CKC_X_509;
+	CK_BBOOL ckFalse = CK_FALSE, ckTrue = CK_TRUE;
+	CK_ATTRIBUTE certTemplate[] = {
+		{ CKA_CLASS,            &certClass,          	sizeof(certClass) },
+		{ CKA_CERTIFICATE_TYPE, &certType,           	sizeof(certType) },
+		{ CKA_LABEL,            label,               	strlen(label) },
+		{ CKA_ID,               objID,               	objIDLen },
+		{ CKA_TOKEN,            &ckTrue,            	sizeof(ckTrue) },
+		{ CKA_PRIVATE,		&ckFalse,		sizeof(ckFalse) },
+		{ CKA_VALUE,            _vector_ptr(blob),    	(CK_ULONG)blob.size() },
+		{ CKA_SUBJECT,          _vector_ptr(subject), 	(CK_ULONG)subject.size() },
+		{ CKA_ISSUER,           _vector_ptr(issuer),  	(CK_ULONG)issuer.size() },
+		{ CKA_SERIAL_NUMBER,    _vector_ptr(serial),  	(CK_ULONG)serial.size() }
+	};
+
+	CK_OBJECT_HANDLE hCert;
+	CK_RV rv = p11->C_CreateObject(hSession, certTemplate, 10, &hCert);
+	if (rv != CKR_OK)
+	{
+		fprintf(stderr, "ERROR: Could not save the certificate in the token.\n");
+		return 1;
+	}
+
+	printf("The certificate has been imported.\n");
+
+	return 0;
+}
+
 // Read the key from file
 Botan::Private_Key* crypto_read_file(char* filePath, char* filePIN)
 {

src/bin/util/softhsm2-util-ossl.cpp

@@ -218,6 +218,151 @@ int crypto_import_key_pair
 	return result;
 }
 
+int crypto_import_certificate
+(
+	CK_SESSION_HANDLE hSession,
+	char* filePath,
+	char* label,
+	char* objID,
+	size_t objIDLen
+)
+{
+	BIO* in = NULL;
+	X509* x509 = NULL;
+	CK_BYTE_PTR blob = NULL;
+	CK_BYTE_PTR subject = NULL;
+	CK_BYTE_PTR issuer = NULL;
+	CK_BYTE_PTR serial = NULL;
+	CK_BYTE_PTR p;
+	int blobSize;
+	int subjectSize;
+	int issuerSize;
+	int serialSize;
+	int ret = 1;
+
+	if (!(in = BIO_new_file(filePath, "rb")))
+	{
+		fprintf(stderr, "ERROR: Could open the PKCS#8 file: %s\n", filePath);
+		goto cleanup;
+	}
+
+	if ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL)
+	{
+		fprintf(stderr, "ERROR: Could not read the certificate file: %s\n", filePath);
+		goto cleanup;
+	}
+
+	blobSize = i2d_X509(x509, NULL);
+	subjectSize = i2d_X509_NAME(X509_get_subject_name(x509), NULL);
+	issuerSize = i2d_X509_NAME(X509_get_issuer_name(x509), NULL);
+	serialSize = i2d_ASN1_INTEGER(X509_get_serialNumber(x509), NULL);
+
+	if
+	(
+		blobSize < 0 ||
+		subjectSize < 0 ||
+		issuerSize < 0 ||
+		serialSize < 0
+	)
+	{
+		fprintf(stderr, "ERROR: Could not convert certificate to DER.\n");
+		goto cleanup;
+	}
+
+	if (blobSize > 0)
+	{
+		if ((blob = (CK_BYTE_PTR)malloc(blobSize)) == NULL)
+		{
+			fprintf(stderr, "ERROR: Could not allocate memory.\n");
+			goto cleanup;
+		}
+		p = blob;
+		blobSize = i2d_X509(x509, &p);
+	}
+	if (subjectSize > 0) {
+		if ((subject = (CK_BYTE_PTR)malloc(subjectSize)) == NULL)
+		{
+			fprintf(stderr, "ERROR: Could not allocate memory.\n");
+			goto cleanup;
+		}
+		p = subject;
+		subjectSize = i2d_X509_NAME(X509_get_subject_name(x509), &p);
+	}
+	if (issuerSize > 0)
+	{
+		if ((issuer = (CK_BYTE_PTR)malloc(issuerSize)) == NULL)
+		{
+			fprintf(stderr, "ERROR: Could not allocate memory.\n");
+			goto cleanup;
+		}
+		p = issuer;
+		issuerSize = i2d_X509_NAME(X509_get_issuer_name(x509), &p);
+	}
+	if (serialSize > 0)
+	{
+		if ((serial = (CK_BYTE_PTR)malloc(serialSize)) == NULL)
+		{
+			fprintf(stderr, "ERROR: Could not allocate memory.\n");
+			goto cleanup;
+		}
+		p = serial;
+		serialSize = i2d_ASN1_INTEGER(X509_get_serialNumber(x509), &p);
+	}
+
+	if
+	(
+		blobSize < 0 ||
+		subjectSize < 0 ||
+		issuerSize < 0 ||
+		serialSize < 0
+	)
+	{
+		fprintf(stderr, "ERROR: Could not convert certificate to DER.\n");
+		goto cleanup;
+	}
+
+	{
+		CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+		CK_CERTIFICATE_TYPE certType = CKC_X_509;
+		CK_BBOOL ckFalse = CK_FALSE, ckTrue = CK_TRUE;
+		CK_ATTRIBUTE certTemplate[] = {
+			{ CKA_CLASS,            &certClass,   sizeof(certClass) },
+			{ CKA_CERTIFICATE_TYPE, &certType,    sizeof(certType) },
+			{ CKA_LABEL,            label,        strlen(label) },
+			{ CKA_ID,               objID,        objIDLen },
+			{ CKA_TOKEN,            &ckTrue,      sizeof(ckTrue) },
+			{ CKA_PRIVATE,          &ckFalse,     sizeof(ckFalse) },
+			{ CKA_VALUE,            blob,         (CK_ULONG)blobSize },
+			{ CKA_SUBJECT,          subject,      (CK_ULONG)subjectSize },
+			{ CKA_ISSUER,           issuer,       (CK_ULONG)issuerSize },
+			{ CKA_SERIAL_NUMBER,    serial,       (CK_ULONG)serialSize }
+		};
+
+		CK_OBJECT_HANDLE hCert;
+		CK_RV rv = p11->C_CreateObject(hSession, certTemplate, 10, &hCert);
+		if (rv != CKR_OK)
+		{
+			fprintf(stderr, "ERROR: Could not save the certificate in the token.\n");
+			goto cleanup;
+		}
+	}
+
+	printf("The certificate has been imported.\n");
+
+	ret = 0;
+
+cleanup:
+
+	free(blob);
+	free(subject);
+	free(issuer);
+	free(serial);
+	X509_free(x509);
+	BIO_free(in);
+
+	return ret;
+}
+
 // Read the key from file
 EVP_PKEY* crypto_read_file(char* filePath, char* filePIN)
 {

src/bin/util/softhsm2-util.1

@@ -20,27 +20,23 @@ softhsm2-util \- support tool for libsofthsm2
 .PP
 .B softhsm2-util \-\-import
 .I path
+.RB [ \-\-import-type
+.IR type ]
+\\
+.ti +0.7i
 .RB [ \-\-file-pin
 .IR PIN ]
 .B \-\-token
 .I label
+.RB [ \-\-pin
+.I PIN]
+.B [\-\-no\-public\-key]
 \\
 .ti +0.7i
-.RB [ \-\-pin
-.I PIN
-.B \-\-no\-public\-key]
 .B \-\-label
 .I text
 .B \-\-id
 .I hex
-.PP
-.B softhsm2-util \-\-import
-.I path
-.B \-\-aes
-.B \-\-token
-.I label
-\\
-.ti +0.7i
 .RB [ \-\-pin
 .I PIN]
 .B \-\-label
@@ -125,11 +121,11 @@ Any content in token will be erased.
 Show the help information.
 .TP
 .B \-\-import \fIpath\fR
-Import a key pair from the given
+Import an object from the given
 .IR path .
-The file must be in PKCS#8-format.
 .br
 Use with
+.BR \-\-import-type,
 .BR \-\-slot
 or
 .BR \-\-token
@@ -141,10 +137,6 @@ or
 .BR \-\-label ,
 and
 .BR \-\-id .
-.br
-Can also be used with
-.BR \-\-aes
-to use file as is and import it as AES.
 .TP
 .B \-\-init-token
 Initialize the token at a given slot, token label or token serial.
@@ -183,8 +175,20 @@ print the default PKCS#11 library.
 Show the version info.
 .SH OPTIONS
 .TP
+.B \-\-import-type \fItype\fR
+Import object type, \fItype\fR may be one of:
+.RS
+.IP keypair\ [default]
+The file must be in PKCS#8 PEM format.
+.IP aes
+The file must be in binary format.
+.IP cert
+The file must be in X509 PEM format.
+.RE
+.TP
 .B \-\-aes
 Used to tell import to use file as is and import it as AES.
+Deprecated, use \fI--import-type aes\fR instead.
 .TP
 .B \-\-file-pin \fIPIN\fR
 The