Commit 7f0a56f7 authored by Pascal J. Bourguignon's avatar Pascal J. Bourguignon

Moved in clext/pkcs11/. Sorry, but neither git filter-brancha or git subtree...

Moved in clext/pkcs11/.  Sorry, but neither git filter-brancha or git subtree seem to keep the history at all.
parent a94c0d52
all:ulong test-find-objects
ulong:ulong.c
gcc $(DEBUG_FLAGS) -I. -L. -o $@ $<
run::ulong
@ ./ulong && echo status = $$?
clean::
-rm -f ulong test-find-objects
-rm -f core
-rm -f *.lx64fsl *.dx64fsl *.o
DEBUG_FLAGS = -O0 -g3 -ggdb3 -g -ggdb -gdwarf
INCLUDES = -I$(HOME)/opt/include -I/usr/local/include -I. -I/usr/include/pkcs11-helper-1.0
LIBDIRS = -L$(HOME)/opt/lib -L/usr/local/lib -L.
LIBRARIES = -ldl
LDFLAGS += $(DEBUG_FLAGS) $(LIBDIRS)
CFLAGS += $(DEBUG_FLAGS) $(INCLUDES)
test-find-objects.o:test-find-objects.c
gcc $(DEBUG_FLAGS) $(CFLAGS) -c -o test-find-objects.o test-find-objects.c
test-find-objects:test-find-objects.o
gcc $(DEBUG_FLAGS) $(LDFLAGS) -o test-find-objects test-find-objects.o $(LIBRARIES)
run::test-find-objects
gdb test-find-objects
TEST_CERT_DIR=%TEST_CERT_DIR%
TESTCERT=test-cert
TESTKEY=test-key
certificate:
openssl req -config $(TESTCERT).options -new \
-x509 -sha256 -newkey rsa:2048 -nodes \
-keyout $(TESTKEY).pem -out $(TESTCERT).pem -days 3650
openssl x509 -in $(TESTCERT).pem -text -noout
@echo '# to install certificate use:'
@echo cp "$(TESTCERT).pem" "$(TEST_CERT_DIR)/Test_x509_cert_info.pem"
@echo cp Certificat-d-authentification1.pem "$(TEST_CERT_DIR)/Test_x509_cert_info.pem"
[req]
distinguished_name = subject
x509_extensions = v3_logon_cert
prompt = no
[req_distinguished_name]
C = US
ST = OR
L = Portland
O = MyCompany
OU = MyDivision
CN = www.mycompany.com
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.mycompany.com
DNS.2 = mycompany.com
DNS.3 = mycompany.net
[v3_logon_cert]
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
#authorityInfoAccess = @customerca_aia
subjectAltName = otherName:msUPN;UTF8:testjean.testmartin.9999999@mintest.fr, email:testjean.testmartin@test.gouv.fr
certificatePolicies=ia5org
#certificatePolicies=ia5org,@rootca_polsect
[rootca_polsect]
[customerca_aia]
[subject]
C = FR
O = MINISTERE DES TESTS
OU = 0002 110014016
OU = PERSONNES
UID = 9999999
GN = TESTJEAN
SN = TESTMARTIN
CN = TESTJEAN TESTMARTIN 9999999
[issuer]
C = FR
O = MINISTERE DES TESTS
OU = 0002 110014016
CN = ADMINISTRATION CENTRALE DES TESTS
(defpackage "COM.INFORMATIMAGO.CLEXT.PKCS11.CFFI-DEBUG"
(:use "COMMON-LISP" "CFFI")
(:shadow "FOREIGN-ALLOC" "FOREIGN-FREE")
(:export "FOREIGN-ALLOC" "FOREIGN-FREE"
"*TRACE*"))
(in-package "COM.INFORMATIMAGO.CLEXT.PKCS11.CFFI-DEBUG")
(defparameter *allocated* (make-hash-table))
(defparameter *freed* (make-hash-table))
(defvar *trace* nil)
(defun foreign-alloc (type
&rest keyargs
&key (initial-element nil) (initial-contents nil)
(count 1) null-terminated-p)
(declare (ignorable initial-element initial-contents null-terminated-p))
(let ((ptr (apply (function cffi:foreign-alloc) type keyargs))
(size (* (foreign-type-size type) count)))
(setf (gethash (pointer-address ptr) *allocated*) size)
(when *trace*
(format *trace-output* "~&(foreign-alloc ~S ~{~S~^ ~}) -> ~S~%"
type keyargs ptr))
ptr))
(defun foreign-free (ptr)
(when *trace* (format *trace-output* "~&(foreign-free ~S)~%" ptr))
(let* ((address (pointer-address ptr))
(size (gethash address *allocated*)))
(if size
(progn
(setf (gethash address *freed*) size)
(remhash address *allocated*)
(cffi:foreign-free ptr))
(let ((size (gethash address *freed*)))
(if size
(warn "Double free of ~S (size = ~S)" ptr size)
(progn
(warn "Freeing unallocated pointer ~S" ptr)
(cffi:foreign-free ptr)))))))
;;;; THE END ;;;;
;;;; -*- mode:lisp;coding:utf-8 -*-
;;;;**************************************************************************
;;;;FILE: cffi-utils.lisp
;;;;LANGUAGE: Common-Lisp
;;;;SYSTEM: Common-Lisp
;;;;USER-INTERFACE: NONE
;;;;DESCRIPTION
;;;;
;;;; Small CFFI tools.
;;;;
;;;;AUTHORS
;;;; <PJB> Pascal J. Bourguignon <pjb@informatimago.com>
;;;;MODIFICATIONS
;;;; 2018-04-25 <PJB> Created.
;;;;BUGS
;;;;LEGAL
;;;; AGPL3
;;;;
;;;; Copyright Pascal J. Bourguignon 2018 - 2018
;;;;
;;;; This program is free software: you can redistribute it and/or modify
;;;; it under the terms of the GNU Affero General Public License as published by
;;;; the Free Software Foundation, either version 3 of the License, or
;;;; (at your option) any later version.
;;;;
;;;; This program is distributed in the hope that it will be useful,
;;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;;; GNU Affero General Public License for more details.
;;;;
;;;; You should have received a copy of the GNU Affero General Public License
;;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
;;;;**************************************************************************
(defpackage "COM.INFORMATIMAGO.CLEXT.PKCS11.CFFI-UTILS"
(:use "COMMON-LISP" "CFFI")
(:export "*DUMP-PREFIX*" "DUMP"
"FOREIGN-VECTOR" "FOREIGN-VECTOR-COPY-FROM" "FOREIGN-VECTOR-COPY-TO"
"MEMCPY"))
(in-package "COM.INFORMATIMAGO.CLEXT.PKCS11.CFFI-UTILS")
(defun memcpy (destination source byte-count)
(loop
:repeat byte-count
:do (setf (mem-ref destination :uchar) (mem-ref source :uchar))
(incf-pointer destination)
(incf-pointer source)
:finally (return destination)))
(defun foreign-vector-copy-from (pointer ctype size lisp-vector
&key (convert (function identity))
(startf 0) (startl 0) (endl (length lisp-vector)))
"Copies SIZE elements from the lisp subsequence: VECTOR STARTL ENDL, to
the foreign vector of CTYPE at POINTER offset by STARTF, each
element being transformed by the CONVERT function.
Returns POINTER."
"Copies SIZE elements from the lisp VECTOR to the foreign vector of CTYPE at POINTER.
Returns the destination POINTER."
(loop
:repeat size
:for i :from startf
:for j :from startl :below endl
:do (setf (mem-aref pointer ctype i) (funcall convert (elt lisp-vector j)))
:finally (return pointer)))
(defun foreign-vector-copy-to (pointer ctype size lisp-vector
&key (convert (function identity))
(startf 0) (startl 0) (endl (length lisp-vector)))
"Copies SIZE elements from the foreign vector of CTYPE at POINTER
offset by STARTF, to the lisp subsequence: LISP-VECTOR STARTL ENDL,
each element being transformed by the CONVERT function.
Returns the destination LISP-VECTOR."
(loop
:repeat size
:for i :from startf
:for j :from startl :below endl
:do (setf (elt lisp-vector j) (funcall convert (mem-aref pointer ctype i)))
:finally (return lisp-vector)))
(defun foreign-vector (pointer ctype ltype size)
(foreign-vector-copy-to pointer ctype size (make-array size :element-type ltype)))
(defun foreign-null-terminated-vector-length (pointer ctype)
(loop
:for i :from 0
:until (zerop (mem-aref pointer ctype i))
:finally (return i)))
(defun foreign-null-terminated-vector (pointer ctype ltype size &key (convert (function identity)))
(let ((len (foreign-null-terminated-vector-length pointer ctype)))
(foreign-vector-copy-to pointer ctype len (make-array len :element-type ltype) :convert convert)))
(defvar *dump-prefix* "")
(defun dump (pointer size &key print-characters)
(let ((*print-circle* nil))
(loop
:for i :from 0 :by 16
:while (< i size)
:do (format t "~&~A~16,'0X: " *dump-prefix* (+ i (cffi:pointer-address pointer)))
(loop
:repeat 16
:for j :from i
:if (< j size)
:do (format t "~2,'0X " (cffi:mem-aref pointer :uint8 j))
:else
:do (write-string " "))
(when print-characters
(loop
:repeat 16
:for j :from i
:if (< j size)
:do (format t "~C" (let ((code (cffi:mem-aref pointer :uint8 j)))
(if (<= 32 code 126)
(code-char code)
#\.)))
:else
:do (write-string " "))))
:finally (terpri)))
;;;; THE END ;;;;
;;;; -*- mode:lisp;coding:utf-8 -*-
;;;;**************************************************************************
;;;;FILE: com.informatimago.clext.pkcs11.asd
;;;;LANGUAGE: Common-Lisp
;;;;SYSTEM: Common-Lisp
;;;;USER-INTERFACE: NONE
;;;;DESCRIPTION
;;;;
;;;; Lispy interface over Cryptoki pkcs11 version 2.02
;;;;
;;;;AUTHORS
;;;; <PJB> Pascal J. Bourguignon <pjb@informatimago.com>
;;;;MODIFICATIONS
;;;; 2018-09-23 <PJB> Created.
;;;;BUGS
;;;;LEGAL
;;;; AGPL3
;;;;
;;;; Copyright Pascal J. Bourguignon 2018 - 2018
;;;;
;;;; This program is free software: you can redistribute it and/or modify
;;;; it under the terms of the GNU Affero General Public License as published by
;;;; the Free Software Foundation, either version 3 of the License, or
;;;; (at your option) any later version.
;;;;
;;;; This program is distributed in the hope that it will be useful,
;;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;;; GNU Affero General Public License for more details.
;;;;
;;;; You should have received a copy of the GNU Affero General Public License
;;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
;;;;**************************************************************************
(asdf:defsystem "com.informatimago.clext.pkcs11"
:description "PKCS11 wrapper."
:author "Pascal J. Bourguignon"
:version "0.0.0"
:license "AGPL3"
:depends-on ("cffi" "babel" "asinine")
:components ((:file "pkcs11-cffi" :depends-on ())
(:file "cffi-utils" :depends-on ())
(:file "cffi-debug" :depends-on ())
(:file "pkcs11" :depends-on ("pkcs11-cffi" "cffi-utils" "cffi-debug")))
#+adsf3 :in-order-to #+adsf3 ((asdf:test-op (asdf:test-op "com.informatimago.clext.pkcs11.tests"))))
;;;; THE END ;;;;
;;;; -*- mode:lisp;coding:utf-8 -*-
;;;;**************************************************************************
;;;;FILE: com.informatimago.clext.pkcs11.tests.asd
;;;;LANGUAGE: Common-Lisp
;;;;SYSTEM: Common-Lisp
;;;;USER-INTERFACE: NONE
;;;;DESCRIPTION
;;;;
;;;; System to test the com.informatimago.clext.pkcs11 package.
;;;;
;;;;AUTHORS
;;;; <PJB> Pascal J. Bourguignon <pjb@informatimago.com>
;;;;MODIFICATIONS
;;;; 2018-09-23 <PJB> Created.
;;;;BUGS
;;;;LEGAL
;;;; AGPL3
;;;;
;;;; Copyright Pascal J. Bourguignon 2018 - 2018
;;;;
;;;; This program is free software: you can redistribute it and/or modify
;;;; it under the terms of the GNU Affero General Public License as published by
;;;; the Free Software Foundation, either version 3 of the License, or
;;;; (at your option) any later version.
;;;;
;;;; This program is distributed in the hope that it will be useful,
;;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;;; GNU Affero General Public License for more details.
;;;;
;;;; You should have received a copy of the GNU Affero General Public License
;;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
;;;;**************************************************************************
;;;;
(asdf:defsystem "com.informatimago.clext.pkcs11.tests"
:description "PKCS11 wrapper tests."
:author "Pascal J. Bourguignon"
:version "0.0.0"
:license "AGPL3"
:depends-on ("com.informatimago.clext.pkcs11"
"com.informatimago.common-lisp.interactive")
:components ((:file "tests" :depends-on ("pkcs11"))
(:file "debug" :depends-on ("pkcs11"))))
;;;; THE END ;;;;
# -*- mode:shell-script -*-
pkcs11_module=/usr/local/lib/libiaspkcs11.so
pkcs11_module=/usr/local/lib/opensc-pkcs11.so
pkcs11-tool --module "${pkcs11_module}" --list-objects > objects.txt
pkcs11-tool --module "${pkcs11_module}" --list-slots > slots.txt
pkcs11-tool --module "${pkcs11_module}" --list-mechanisms > mechanisms.txt
pkcs11-tool --module "${pkcs11_module}" --read-object --type pubkey --id e828bd080fd2500000104d494f4300010101 > 'Clé d'\''authentification1.public.der'
pkcs11-tool --module "${pkcs11_module}" --read-object --type pubkey --id e828bd080fd2500000104d494f4300010103 > 'Clé de signature1.public.der'
pkcs11-tool --module "${pkcs11_module}" --read-object --type cert --id e828bd080fd2500000104d494f4300010101 > 'Clé d'\''authentification1.cert.der'
pkcs11-tool --module "${pkcs11_module}" --read-object --type cert --id e828bd080fd2500000104d494f4300010103 > 'Clé de signature1.cert.der'
for f in *.cert.der ; do openssl x509 -in "${f}" -inform DER -out "${f/.der/.pem}" ; done
pkcs11_module="/usr/local/lib/opensc-pkcs11.so"
pkcs11_module="/usr/local/lib/libiaspkcs11.so"
encr_key="e828bd080fd2500000104d494f4300010101"
sign_key="e828bd080fd2500000104d494f4300010103"
sign_mec="SHA1-RSA-PKCS"
sign_mec="RSA-PKCS"
echo "data to sign (max 100 bytes)" > "data"
# prepare data with padding
( echo -ne "\x00\x01" && for i in `seq 224`; do echo -ne "\xff"; done && echo -ne "\00" && cat "data") > "data_pad"
# sign data
pkcs11-tool --id "${sign_key}" --sign --pin "${pin}" --mechanism RSA-X-509 --module "${pkcs11_module}" < "data_pad" > "data_pad.sig"
pkcs11-tool --id "${sign_key}" --sign --mechanism RSA-X-509 --module "${pkcs11_module}" < "data_pad" > "data_pad.sig"
# verify signature
openssl rsautl -verify -inkey "${sign_key}.pub" -in "data_pad.sig" -pubin -raw
echo "data to encrpyt should be longer, better, faster and whatever we need to hide in front of nasty eyes of the ones that should not see them. " > "data"
# Get certificate
pkcs11-tool -r -p "${pin}" --id "${encr_key}" --type cert --module "${pkcs11_module}" > "${encr_key}.cert"
pkcs11-tool -r --id "${encr_key}" --type cert --module "${pkcs11_module}" > "${encr_key}.cert"
# convert certificate to pem:
openssl x509 -inform DER -in "${encr_key}.cert" -pubkey > "${encr_key}.pub"
# Sign/Verify using private key/certificate
# Create a "data" to sign
echo "data to sign (max 100 bytes)" > "data"
# Get the certificate from the card:
pkcs11-tool -r -p "${pin}" --id "${sign_key}" --type cert --module "${pkcs11_module}" > "${sign_key}.cert"
# Convert it to the public key (PEM format)
openssl x509 -inform DER -in "${sign_key}.cert" -pubkey > "${sign_key}.pub"
# or
# Get the public key from the card:
pkcs11-tool -r -p "${pin}" --id "${sign_key}" --type pubkey --module "${pkcs11_module}" > "${sign_key}.der"
# Convert it to PEM format:
openssl rsa -inform DER -outform PEM -in "${sign_key}.der" -pubin > "${sign_key}.pub"
## RSA-PKCS
# Sign the "data" on the smartcard using private key:
cat "data" | pkcs11-tool --id "${sign_key}" -s -p "${pin}" -m RSA-PKCS --module "${pkcs11_module}" > "data.sig"
#Verify
openssl rsautl -verify -inkey "${sign_key}.pub" -in "data.sig" -pubin
## SHA1-RSA-PKCS
# Sign the "data" on the smartcard using private key:
cat "data" | pkcs11-tool --id "${sign_key}" -s -p "${pin}" -m SHA1-RSA-PKCS --module "${pkcs11_module}" > "data.sig"
# Verify and parse the returned ASN1 structure:
openssl rsautl -verify -inkey "${sign_key}.pub" -in "data.sig" -pubin | openssl asn1parse -inform DER
# Compare the result with the sha1 sum of the input file:
sha1sum "data"
# Similarily can be tested the SHA256, SHA384 and SHA512, just by replacing SHA1 with these hashes in above commands.
## SHA1-RSA-PKCS-PSS
# Sign the "data" on the smartcard using private key:
cat "data" | pkcs11-tool --id "${sign_key}" -s -p "${pin}" -m SHA1-RSA-PKCS-PSS --module "${pkcs11_module}" > "data.sig"
# Verify
openssl dgst -keyform DER -verify "${sign_key}.pub" -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature "data.sig" "data"
# For other parameters, replace the hash algorithsm, add a `--salt-len` parameter for the `pkcs11-tool` and adjust `rsa_pss_saltlen` argument of `openssl`.
## RSA-X-509
# Prepare "data" with padding:
(echo -ne "\x00\x01" && for i in `seq 224`; do echo -ne "\xff"; done && echo -ne "\00" && cat "data") > "data_pad"
# Sign the "data" on the smartcard using private key:
pkcs11-tool --id "${sign_key}" -s -p "${pin}" -m RSA-X-509 --module "${pkcs11_module}" < "data_pad" > "data_pad.sig"
# Verify
openssl rsautl -verify -inkey "${sign_key}.pub" -in "data_pad.sig" -pubin -raw
# Encrypt/Decrypt using private key/certificate
# Create a "data" to encrypt
echo "data to encrpyt should be longer, better, faster and whatever we need to hide in front of nasty eyes of the ones that should not see them. " > "data"
# Get the certificate from the card:
pkcs11-tool -r -p "${pin}" --id "${encr_key} "--type cert --module "${pkcs11_module}" > "${encr_key}.cert"
# Convert it to the public key (PEM format)
openssl x509 -inform DER -in "${encr_key}.cert" -pubkey > "${encr_key}.pub"
## RSA-PKCS
# Encrypt the "data" locally
openssl rsautl -encrypt -inkey "${encr_key}.pub" -in "data" -pubin -out "data.crypt"
# Decrypt the "data" on the card
pkcs11-tool --id "${encr_key} "--decrypt -p "${pin}" -m RSA-PKCS --module "${pkcs11_module}" < "data.crypt"
## RSA-X-509
# Prepare "data" with padding:
(echo -ne "\x00\x02" && for i in `seq 113`; do echo -ne "\xff"; done && echo -ne "\00" && cat "data") > "data_pad"
# Encrypt the "data" locally
openssl rsautl -encrypt -inkey "${encr_key}.pub" -in "data_pad" -pubin -out "data_pad.crypt" -raw
# Decrypt the "data" on the card
pkcs11-tool --id "${encr_key} "--decrypt -p "${pin}" -m RSA-X-509 --module "${pkcs11_module}" < "data_pad.crypt"
## RSA-PKCS-OAEP
# Encrypt the "data" locally
openssl rsautl -encrypt -inkey "${encr_key}.pub" -in "data" -pubin -out "data.crypt" -oaep
# or
openssl pkeyutl -encrypt -inkey "${encr_key}.pub" -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in "data" -out "data.sha256.crypt"
# Decrypt the "data" on the card
pkcs11-tool --id "${encr_key} "--decrypt -p "${pin}" -m RSA-PKCS-OAEP --module "${pkcs11_module}" < "data.crypt"
# or
pkcs11-tool --id "${encr_key} "--decrypt -p "${pin}" -m RSA-PKCS-OAEP --hash-algorithm=sha256 --module "${pkcs11_module}" < "data.sha256.crypt"
(in-package "COM.INFORMATIMAGO.CLEXT.PKCS11")
(defvar *dump-prefix* "")
(defun dump-vector (vector &key print-characters)
(let ((*print-circle* nil)
(size (length vector)))
(loop
:for i :from 0 :by 16
:while (< i size)
:do (format t "~&~A~16,'0X: " *dump-prefix* i)
(loop
:repeat 16
:for j :from i
:if (< j size)
:do (format t "~2,'0X " (aref vector j))
:else
:do (write-string " "))
(when print-characters
(loop
:repeat 16
:for j :from i
:if (< j size)
:do (format t "~C" (let ((code (aref vector j)))
(if (<= 32 code 126)
(code-char code)
#\.)))
:else
:do (write-string " "))))
:finally (terpri)))
;; (print (list :ok) *trace-output*) (finish-output *trace-output*)
;; (let ((*template* template))
;; (declare (special *template*))
;; (proclaim '(special *template*))
;; (com.informatimago.common-lisp.interactive.interactive:repl))
;; (print '(:attribute-sensitive :attribute-type-invalid :buffer-too-small) *trace-output*)
;; (print (list 'get-attribute-value (list 'template-decode template)) *trace-output*)
;; (finish-output *trace-output*)
;; (let ((*template* template)
;; (*error* err))
;; (declare (special *template* *error*))
;; (proclaim '(special *template* *error*))
;; (com.informatimago.common-lisp.interactive.interactive:repl))
(defun resume ()
(com.informatimago.common-lisp.interactive.interactive:repl-exit))
(defun pause (bindings message &rest arguments)
(format t "~&~?~%" message arguments)
(format t "Type (resume) to resume.~%")
(progv
(mapcar (function first) bindings)
(mapcar (function second) bindings)
(com.informatimago.common-lisp.interactive.interactive:repl)))
;;;; THE END ;;;;
;; (push #P"~/src/public/test/pkcs11/" asdf:*central-registry*)
(ql:quickload :com.informatimago.clext.pkcs11)
(com.informatimago.clext.pkcs11:load-library)
This diff is collapsed.
This diff is collapsed.
This source diff could not be displayed because it is too large. You can view the blob instead.
This diff is collapsed.
This diff is collapsed.
#include <stdio.h>
#include <limits.h>
int main()
{
unsigned long x = ~0;
unsigned long y = (unsigned long) -1;
printf("%lu\n", x);
printf("%lu\n", y);
printf("%lu\n", ULONG_MAX);
printf("%lu bytes\n", sizeof(x));
printf("%lu bits\n", sizeof(x) * CHAR_BIT);
return 0;
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment