data_import.c

Linux下关于TPM的一些检测小工具

		     ( ERR_GET_REASON( ulError ) == PEM_R_NO_START_LINE ) ) {
			logInfo( TOKEN_OPENSSL_ERROR, ERR_error_string( ulError, NULL ) );
			rc = 0;
		}
		else
			logError( TOKEN_OPENSSL_ERROR, ERR_error_string( ulError, NULL ) );

		goto out;
	}

	rc = 0;

out:
	if ( a_pszFile && pFile )
		fclose( pFile );

	*a_pRsa = pRsa;

	return rc;
}

/*
 * checkRsaPubKey
 *   Use checkExistingObjects to search for RSA public key objects
 *   that match the attributes of the X509's RSA public key object
 *   to be imported.
 */
int
checkRsaPubKey( CK_SESSION_HANDLE  a_hSession ) {

	CK_OBJECT_CLASS  tPubKey  = CKO_PUBLIC_KEY;
	CK_KEY_TYPE      tRsa     = CKK_RSA;
	CK_ATTRIBUTE     tAttr[]  = {
			{ CKA_CLASS, &tPubKey, sizeof( tPubKey ) },
			{ CKA_KEY_TYPE, &tRsa, sizeof( tRsa ) },
		};
	CK_ULONG         ulAttrCount = sizeof( tAttr ) / sizeof( CK_ATTRIBUTE );

	return checkExistingObjects( a_hSession, tAttr, ulAttrCount, TOKEN_ID_RSA_PUBKEY );
}

/*
 * checkRsaKey
 *   Use checkExistingObjects to search for RSA objects
 *   that match the attributes of the RSA object to be imported.
 */
int
checkRsaKey( CK_SESSION_HANDLE  a_hSession ) {

	CK_KEY_TYPE   tRsa        = CKK_RSA;
	CK_ATTRIBUTE  tAttr[]     = {
			{ CKA_KEY_TYPE, &tRsa, sizeof( tRsa ) },
		};
	CK_ULONG      ulAttrCount = sizeof( tAttr ) / sizeof( CK_ATTRIBUTE );

	return checkExistingObjects( a_hSession, tAttr, ulAttrCount, TOKEN_ID_RSA_KEY );
}

/*
 * destroyRsaKeyObject
 *   Use destroyExistingObjects to destroy RSA objects
 *   that match the attributes of the RSA object to be imported.
 */
int
destroyRsaPubKeyObject( CK_SESSION_HANDLE  a_hSession ) {

	CK_OBJECT_CLASS  tPubKey     = CKO_PUBLIC_KEY;
	CK_KEY_TYPE      tRsa        = CKK_RSA;
	CK_ATTRIBUTE     tAttr[]     = {
			{ CKA_CLASS, &tPubKey, sizeof( tPubKey ) },
			{ CKA_KEY_TYPE, &tRsa, sizeof( tRsa ) },
		};
	CK_ULONG         ulAttrCount = sizeof( tAttr ) / sizeof( CK_ATTRIBUTE );

	return destroyExistingObjects( a_hSession, tAttr, ulAttrCount );
}

/*
 * destroyRsaKeyObject
 *   Use destroyExistingObjects to destroy RSA objects
 *   that match the attributes of the RSA object to be imported.
 */
int
destroyRsaKeyObject( CK_SESSION_HANDLE  a_hSession ) {

	CK_KEY_TYPE   tRsa        = CKK_RSA;
	CK_ATTRIBUTE  tAttr[]     = {
			{ CKA_KEY_TYPE, &tRsa, sizeof( tRsa ) },
		};
	CK_ULONG      ulAttrCount = sizeof( tAttr ) / sizeof( CK_ATTRIBUTE );

	return destroyExistingObjects( a_hSession, tAttr, ulAttrCount );
}

/*
 * createRsaPubKeyObject
 *   Create an RSA public key object.
 */
int
createRsaPubKeyObject( RSA               *a_pRsa,
                       CK_SESSION_HANDLE  a_hSession,
                       CK_OBJECT_HANDLE  *a_hObject ) {

	int  rc = -1;

	int  nLen = BN_num_bytes( a_pRsa->n );
	int  eLen = BN_num_bytes( a_pRsa->e );

	CK_RV  rv;

	CK_BBOOL  bTrue  = TRUE;
	CK_BBOOL  bFalse = FALSE;

	CK_BYTE *n = malloc( nLen );
	CK_BYTE *e = malloc( eLen );

	CK_OBJECT_CLASS  clPubClass  = CKO_PUBLIC_KEY;
	CK_KEY_TYPE      tKeyType    = CKK_RSA;
	CK_BBOOL         bPrivate    = ( !g_bPublic ) ? TRUE : FALSE;

	CK_ATTRIBUTE  tAttr[] = {
			{ CKA_CLASS, &clPubClass, sizeof( clPubClass ) },
			{ CKA_TOKEN, &bTrue, sizeof( bTrue ) },
			{ CKA_PRIVATE, &bPrivate, sizeof( bPrivate ) },
			{ CKA_MODIFIABLE, &bTrue, sizeof( bTrue ) },
			{ CKA_LABEL, g_pchName, g_ulNameLen },
			{ CKA_KEY_TYPE, &tKeyType, sizeof( tKeyType ) },
			{ CKA_ID, g_pchId, g_ulIdLen },
			{ CKA_SUBJECT, g_pchSubject, g_ulSubjectLen },
			{ CKA_ENCRYPT, &bTrue, sizeof( bTrue ) },
			{ CKA_VERIFY, &bTrue, sizeof( bTrue ) },
			{ CKA_VERIFY_RECOVER, &bFalse, sizeof( bFalse ) },
			{ CKA_WRAP, &bFalse, sizeof( bFalse ) },
			{ CKA_MODULUS, n, nLen },
			{ CKA_PUBLIC_EXPONENT, e, eLen },
		};
	CK_ULONG  ulAttrCount = sizeof( tAttr ) / sizeof( CK_ATTRIBUTE );

	*a_hObject = 0;

	if ( !n || !e ) {
		logError( TOKEN_MEMORY_ERROR );
		goto out;
	}

	// Get binary representations of the RSA key information
	BN_bn2bin( a_pRsa->n, n );
	BN_bn2bin( a_pRsa->e, e );

	// Create the RSA public key object
	rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject );
	if ( rv != CKR_OK )
		goto out;

	rc = 0;

out:
	free( n );
	free( e );

	return rc;
}

/*
 * createRsaPrivKeyObject
 *   Create an RSA private key object.
 */
int
createRsaPrivKeyObject( RSA               *a_pRsa,
                        CK_SESSION_HANDLE  a_hSession,
                        CK_OBJECT_HANDLE  *a_hObject ) {

	int  rc = -1;

	int  nLen = BN_num_bytes( a_pRsa->n );
	int  eLen = BN_num_bytes( a_pRsa->e );
	int  dLen = BN_num_bytes( a_pRsa->d );
	int  pLen = BN_num_bytes( a_pRsa->p );
	int  qLen = BN_num_bytes( a_pRsa->q );
	int  dmp1Len = BN_num_bytes( a_pRsa->dmp1 );
	int  dmq1Len = BN_num_bytes( a_pRsa->dmq1 );
	int  iqmpLen = BN_num_bytes( a_pRsa->iqmp );

	CK_RV  rv;

	CK_BBOOL  bTrue  = TRUE;
	CK_BBOOL  bFalse = FALSE;

	CK_BYTE *n = malloc( nLen );
	CK_BYTE *e = malloc( eLen );
	CK_BYTE *d = malloc( dLen );
	CK_BYTE *p = malloc( pLen );
	CK_BYTE *q = malloc( qLen );
	CK_BYTE *dmp1 = malloc( dmp1Len );
	CK_BYTE *dmq1 = malloc( dmq1Len );
	CK_BYTE *iqmp = malloc( iqmpLen );

	CK_OBJECT_CLASS  clPrivClass = CKO_PRIVATE_KEY;
	CK_KEY_TYPE      tKeyType    = CKK_RSA;
	CK_BBOOL         bPrivate    = ( !g_bPublic ) ? TRUE : FALSE;

	CK_ATTRIBUTE  tAttr[] = {
			{ CKA_CLASS, &clPrivClass, sizeof( clPrivClass ) },
			{ CKA_TOKEN, &bTrue, sizeof( bTrue ) },
			{ CKA_PRIVATE, &bPrivate, sizeof( bPrivate ) },
			{ CKA_MODIFIABLE, &bTrue, sizeof( bTrue ) },
			{ CKA_LABEL, g_pchName, g_ulNameLen },
			{ CKA_KEY_TYPE, &tKeyType, sizeof( tKeyType ) },
			{ CKA_ID, g_pchId, g_ulIdLen },
			{ CKA_SUBJECT, g_pchSubject, g_ulSubjectLen },
			{ CKA_SENSITIVE, &bTrue, sizeof( bTrue ) },
			{ CKA_DECRYPT, &bTrue, sizeof( bTrue ) },
			{ CKA_SIGN, &bTrue, sizeof( bTrue ) },
			{ CKA_SIGN_RECOVER, &bFalse, sizeof( bFalse ) },
			{ CKA_UNWRAP, &bFalse, sizeof( bFalse ) },
			{ CKA_EXTRACTABLE, &bFalse, sizeof( bFalse ) },
			{ CKA_MODULUS, n, nLen },
			{ CKA_PUBLIC_EXPONENT, e, eLen },
			{ CKA_PRIVATE_EXPONENT, d, dLen },
			{ CKA_PRIME_1, p, pLen },
			{ CKA_PRIME_2, q, qLen },
			{ CKA_EXPONENT_1, dmp1, dmp1Len },
			{ CKA_EXPONENT_2, dmq1, dmq1Len },
			{ CKA_COEFFICIENT, iqmp, iqmpLen },
		};
	CK_ULONG  ulAttrCount = sizeof( tAttr ) / sizeof( CK_ATTRIBUTE );

	*a_hObject = 0;

	if ( !n || !e || !d || !p || !q || !dmp1 || !dmq1 || !iqmp ) {
		logError( TOKEN_MEMORY_ERROR );
		goto out;
	}

	// Get binary representations of the RSA key information
	BN_bn2bin( a_pRsa->n, n );
	BN_bn2bin( a_pRsa->e, e );
	BN_bn2bin( a_pRsa->d, d );
	BN_bn2bin( a_pRsa->p, p );
	BN_bn2bin( a_pRsa->q, q );
	BN_bn2bin( a_pRsa->dmp1, dmp1 );
	BN_bn2bin( a_pRsa->dmq1, dmq1 );
	BN_bn2bin( a_pRsa->iqmp, iqmp );

	// Create the RSA private key object
	rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject );
	if ( rv != CKR_OK )
		goto out;

	rc = 0;

out:
	free( n );
	free( e );
	free( d );
	free( p );
	free( q );
	free( dmp1 );
	free( dmq1 );
	free( iqmp );

	return rc;
}

/*
 * createRsaKeyObject
 *   Create an RSA key object (both public and private).
 */
int
createRsaKeyObject( RSA               *a_pRsa,
                    CK_SESSION_HANDLE  a_hSession ) {

	int  rc = -1;

	CK_OBJECT_HANDLE  hPubObject;
	CK_OBJECT_HANDLE  hPrivObject;

	// Create the RSA public key object
	if ( createRsaPubKeyObject( a_pRsa, a_hSession, &hPubObject ) == -1 )
		goto out;

	// Create the RSA private key object
	if ( createRsaPrivKeyObject( a_pRsa, a_hSession, &hPrivObject ) == -1 ) {
		// Private key object creation failed, destroy the public
		// key object just created
		destroyObject( a_hSession, hPubObject );
		goto out;
	}

	rc = 0;

out:
	return rc;
}

/*
 * doRsaPubKey
 *   Process an RSA public key for import.
 */
int
doRsaPubKey( RSA               *a_pRsa,
             CK_SESSION_HANDLE  a_hSession ) {

	int  rc = -1;

	CK_OBJECT_HANDLE  hObject;

	if ( destroyRsaPubKeyObject( a_hSession ) == -1 )
		goto out;

	if ( createRsaPubKeyObject( a_pRsa, a_hSession, &hObject ) == -1 )
		goto out;

	rc = 0;

out:
	return rc;
}

/*
 * doRsaKey
 *   Process an RSA key for import.
 */
int
doRsaKey( RSA               *a_pRsa,
          CK_SESSION_HANDLE  a_hSession ) {

	int  rc = -1;

	if ( destroyRsaKeyObject( a_hSession ) == -1 )
		goto out;

	if ( createRsaKeyObject( a_pRsa, a_hSession ) == -1 )
		goto out;

	rc = 0;

out:
	return rc;
}

/*
 * getSubjectId
 *   Extract the subject name and key identifier from an
 *   X509 certificate for use as the SUBJECT and ID attributes.
 */
int
getSubjectId( X509 *a_pX509 ) {

	int  rc = -1;

	char *pszReply = NULL;

	X509              *pX509    = a_pX509;
	X509_NAME         *pSubject = NULL;
	ASN1_OCTET_STRING *pSkid    = NULL;

	// Use the Id input file if specified
	if ( g_pszIdFile )
		if ( readX509Cert( g_pszIdFile, FALSE, &pX509 ) == -1 )
			goto out;

	if ( !pX509 ) {
		// Prompt the user about creating without it.
		if ( !g_bYes ) {
			// Prompt for whether to import without the attributes
			pszReply = getReply( TOKEN_ID_MISSING_PROMPT, 1 );
			if ( !pszReply ||
				( strlen( pszReply ) == 0 ) ||
				( strcasecmp( pszReply, TOKEN_ID_NO ) == 0 ) ) {
				goto out;
			}
		}

		rc = 0;
		goto out;
	}

	// Get the subject name from the X509 certificate
	pSubject = X509_get_subject_name( pX509 );
	if ( !pSubject ) {
		logInfo( TOKEN_OPENSSL_ERROR,
				ERR_error_string( ERR_get_error( ), NULL ) );
		goto out;
	}

	// Get the DER encoded format of the subject name
	g_ulSubjectLen = i2d_X509_NAME( pSubject, &g_pchSubject );
	if ( !g_ulSubjectLen < 0 ) {
		logInfo( TOKEN_OPENSSL_ERROR,
				ERR_error_string( ERR_get_error( ), NULL ) );
		goto out;
	}

	// Get the subject key identifier from the X509 certficate
	pSkid = X509_get_ext_d2i( pX509, NID_subject_key_identifier, NULL, NULL );
	if ( !pSkid ) {
		logInfo( TOKEN_OPENSSL_ERROR,
				ERR_error_string( ERR_get_error( ), NULL ) );
		goto out;
	}

	// Get the ASCII string format of the subject key identifier
	g_pchId = (CK_BYTE *)i2s_ASN1_OCTET_STRING( NULL, pSkid );
	if ( !g_pchId ) {
		logInfo( TOKEN_OPENSSL_ERROR,
				ERR_error_string( ERR_get_error( ), NULL ) );
		goto out;
	}
	g_ulIdLen = strlen( (char *)g_pchId );

	g_bAttrsValid = TRUE;

	rc = 0;

out:
	// Free the structure if it was created for this function
	if ( pX509 && ( pX509 != a_pX509 ) )
		X509_free( pX509 );

	ASN1_OCTET_STRING_free( pSkid );
	free( pszReply );

	return rc;
}

int
main( int    a_iArgc,
      char **a_pszArgv ) {

	int  rc = 1;

	char *pszPin    = NULL;

	CK_RV              rv        = CKR_OK;
	CK_SESSION_HANDLE  hSession  = 0;

	X509 *pX509   = NULL;
	RSA  *pPubRsa = NULL;
	RSA  *pRsa    = NULL;

	// Set up i18n
	initIntlSys( );

	// Initialize OpenSSL
	OpenSSL_add_all_algorithms( );
	ERR_load_crypto_strings( );

	// Parse the command
	if ( parseCmd( a_iArgc, a_pszArgv ) == -1 )
		goto out;

	// Open the PKCS#11 TPM Token
	rv = openToken( g_pszToken );
	if ( rv != CKR_OK )
		goto out;

	// Make sure the token is initialized
	if ( !isTokenInitialized( ) ) {
		logMsg( TOKEN_NOT_INIT_ERROR );
		goto out;
	}

	// Create the structures based on the input
	if ( !g_pszType ) {
		if ( readX509Cert( g_pszFile, TRUE, &pX509 ) == -1 )
			goto out;
		if ( readRsaKey( g_pszFile, &pRsa ) == -1 )
			goto out;
		if ( !pX509 && !pRsa ) {
			logError( TOKEN_OBJECT_ERROR );
			goto out;
		}
	}
	else if ( strcmp( g_pszType, TOKEN_OBJECT_CERT ) == 0 ) {
		if ( readX509Cert( g_pszFile, TRUE, &pX509 ) == -1 )
			goto out;
		if ( !pX509 ) {
			logError( TOKEN_OBJECT_ERROR );
			goto out;
		}
	}
	else if ( strcmp( g_pszType, TOKEN_OBJECT_KEY ) == 0 ) {
		if ( readRsaKey( g_pszFile, &pRsa ) == -1 )
			goto out;
		if ( !pRsa ) {
			logError( TOKEN_OBJECT_ERROR );
			goto out;
		}
	}

	// Open a session
	rv = openTokenSession( CKF_RW_SESSION, &hSession );
	if ( rv != CKR_OK )
		goto out;

	// Check the scope of the request, which will determine the login
	// requirements:
	//   Public  = no password, no login
	//   Private = user password, user login (default)
	if ( !g_bPublic ) {
		pszPin = getPlainPasswd( TOKEN_USER_PIN_PROMPT, FALSE );
		if ( !pszPin )
			goto out;

		// Login to the token
		rv = loginToken( hSession, CKU_USER, pszPin );
		if ( rv != CKR_OK )
			goto out;
	}

	// Obtain the subject name and id, these are used to
	// uniquely identify the certificate/key relation
	if ( getSubjectId( pX509 ) == -1 ) {
		logError( TOKEN_ID_ERROR );
		goto out;
	}

	// Now check for existing objects that may get replaced
	// prior to processing the request(s)
	if ( pX509 ) {
		if ( checkX509Cert( hSession ) == -1 ) {
			goto out;
		}

		// If we are not importing any RSA keys, use the
		// public key from the certificate
		if ( !pRsa ) {
			if ( checkRsaPubKey( hSession ) == -1 ) {
				goto out;
			}
		}

		pPubRsa = EVP_PKEY_get1_RSA( X509_get_pubkey( pX509 ) );
	}
	if ( pRsa ) {
		if ( checkRsaKey( hSession ) == -1 ) {
			goto out;
		}
	}

	// Process the request(s)
	if ( pX509 ) {
		if ( doX509Cert( pX509, hSession ) == -1 )
			goto out;

		// If we are not importing any RSA keys, use the
		// public key from the certificate
		if ( !pRsa ) {
			if ( doRsaPubKey( pPubRsa, hSession ) == -1 )
				goto out;
		}
	}
	if ( pRsa ) {
		if ( doRsaKey( pRsa, hSession ) == -1 )
			goto out;
	}

	rc = 0;

out:
	shredPasswd( pszPin );

	if ( hSession )
		closeTokenSession( hSession );

	closeToken( );

	free( g_pszFile );
	free( g_pszIdFile );
	free( g_pszType );
	X509_free( pX509 );
	RSA_free( pRsa );
	OPENSSL_free( g_pchSubject );
	OPENSSL_free( g_pchId );
	free( g_pchName );

	EVP_cleanup( );

	if ( rc == 0 )
		logInfo( TOKEN_CMD_SUCCESS, a_pszArgv[ 0 ] );
	else
		logInfo( TOKEN_CMD_FAILED, a_pszArgv[ 0 ] );

	return rc;
}