Conversation
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
b99a779 to
cb36751
Compare
daemon/c_smartcard.c
Outdated
| if (smartcard->token_type == CONTAINER_TOKEN_TYPE_PKCS11) { | ||
| if (NULL == container_get_pkcs11_module(smartcard->container)) { | ||
| ERROR("PKCS#11 module missing in container config. Abort creation of container"); | ||
| mem_free0(smartcard); |
daemon/c_smartcard.c
Outdated
| smartcard->sock = sock_unix_create_and_connect(SOCK_SEQPACKET, scd_sock_path); | ||
| if (smartcard->sock < 0) { | ||
| mem_free0(smartcard); | ||
| mem_free0(smartcard); //? potential mem_leak for usbtoken |
There was a problem hiding this comment.
yes smartcard->token_serial may be allocated here. Thus should be freed, same counts for smartcard->pkcs11_module. May instead of return NULL in error cases. We introduce a jump mark err:
and do cleanup there
scd/p11token.h
Outdated
| #include "pkcs11-lib/pkcs11.h" | ||
| #include <stddef.h> | ||
|
|
||
| // todo: move to c-file -> hide implementation details to user |
scd/p11token.h
Outdated
| #define P11TOKEN_H | ||
|
|
||
| #include <stdbool.h> | ||
| #include "pkcs11-lib/pkcs11.h" |
There was a problem hiding this comment.
I think this header is not used here, -> move this to p11token.c
There was a problem hiding this comment.
Correct, header was only needed for struct p11token which is now defined in p11token.c. Will be moved.
scd/p11token.c
Outdated
| CK_UTF8CHAR label[32]; | ||
| unsigned int wrong_unlock_attempts; | ||
| CK_FUNCTION_LIST_PTR ctx; | ||
| CK_SESSION_HANDLE_PTR sh; |
There was a problem hiding this comment.
could we use the "GNU" typedefs of pkcs11.h? would be much better to read. (in the whole p11token.c)
e.g.:
ck_function_list_t *ctx;
ck_session_handle_t *sh;
scd/scd.c
Outdated
|
|
||
| create_data.type = scd_proto_to_tokentype(msg); | ||
|
|
||
| // ? why no switch statement here |
There was a problem hiding this comment.
yes a "switch" would look nicer here for me, too :)
| new_token->reset_auth = int_reset_auth_p11; | ||
| new_token->get_atr = int_get_atr_p11; | ||
| new_token->send_apdu = int_send_apdu_p11; | ||
| break; |
There was a problem hiding this comment.
For a followup refactoring, we should consider to introduce a struct for all those functions and hide
the token specific functions in the corresponding p11token.c/usbtoken.c files (analogues to the compartment_module_t)
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
14e15bd to
20f9bb3
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
2 times, most recently
from
eb35e2b to
2c49d9f
Compare
scd/pkcs11-lib/libpkcs11.c
Outdated
| #include <stdio.h> | ||
| #include <string.h> | ||
|
|
||
| #include "libscdl.h" |
There was a problem hiding this comment.
get rid of this wrapper lib, we do not need win32 compat.
directly call dlopen, dlsym and dlclose in the following.
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
2c49d9f to
28e753e
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
2 times, most recently
from
5e8f238 to
f8c7d67
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
3 times, most recently
from
3a80617 to
da880e5
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
da880e5 to
b07efe0
Compare
scd/p11token.c
Outdated
| return -1; | ||
| } | ||
|
|
||
| // internal helper functions |
There was a problem hiding this comment.
put those functions at the beginning of the c file where you now have the prototype definitions.
remove the prototype definitions and declare those functions static.
scd/Makefile
Outdated
| -DSCD_CONTROL_SOCKET=NULL | ||
| endif | ||
| ifeq ($(PKCS11), y) | ||
| # If requested, we build sc-hsm support into trustme |
There was a problem hiding this comment.
# If requested, we build pkcs11 support into the scd
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
fdc37d7 to
8352011
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
8352011 to
691ffaf
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
691ffaf to
b8549f6
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
b8549f6 to
1d8ae17
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
6e19fc5 to
b78b1f3
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
b78b1f3 to
54b8cd2
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
54b8cd2 to
7f2da99
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
7f2da99 to
06bef70
Compare
This commit unifies the usage of the 'const' qualifier in the token API. Signed-off-by: Maximilian Peisl <maximilian.peisl@aisec.fraunhofer.de>
The scd now supports a new tokentype which is build upon PKCS#11. In order to use the new token type a path to a valid PKCS#11-Module needs to be specified In order to use the new token type a path to a valid PKCS#11-Module needs to be specified. Signed-off-by: Maximilian Peisl <maximilian.peisl@aisec.fraunhofer.de>
Add support for new tokentype offered by scd. Add new 'pkcs11_module' configuration option. Similar to usbtoken or softtoken one can now configure a container to use a specific PKCS#11 module. Signed-off-by: Maximilian Peisl <maximilian.peisl@aisec.fraunhofer.de>
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
06bef70 to
997d86b
Compare
2 participants
Support for generic PKCS#11 tokens:
TODO: integration in daemonTODO: integration testing
TODO before merging: squash commits