Add URI field of PKCS#11 objects pkcs11-tool output

Resolves: RHEL-53115
2024-10-10 14:01:40 +02:00 · 2024-10-10 14:01:40 +02:00 · a7c1d8d550
commit a7c1d8d550
parent 646507bcfa
2 changed files with 450 additions and 0 deletions
--- a/opensc-0.23.0-pkcs11-uri.patch
+++ b/opensc-0.23.0-pkcs11-uri.patch
@ -0,0 +1,446 @@
+From 700b6e767391fdec3e9ed3865780f6bf7828ac85 Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi <sarroutb@redhat.com>
+Date: Fri, 19 Apr 2024 16:02:13 +0200
+Subject: [PATCH 1/2] Include uri in pkcs11-tool -L option
+
+Fixes: #3123
+
+Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
+---
+ src/tools/pkcs11-tool.c | 66 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 66 insertions(+)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 5b2abf590c..c165945872 100644
+--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
+@@ -621,6 +621,7 @@ static void		generate_random(CK_SESSION_HANDLE session);
+ static CK_RV		find_object_with_attributes(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *out,
+ 				CK_ATTRIBUTE *attrs, CK_ULONG attrsLen, CK_ULONG obj_index);
+ static CK_ULONG		get_private_key_length(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE prkey);
+static const char *percent_encode(CK_UTF8CHAR *, size_t);
+ 
+ /* win32 needs this in open(2) */
+ #ifndef O_BINARY
+@@ -1681,6 +1682,15 @@ static void show_token(CK_SLOT_ID slot)
+ 	printf("  serial num         : %s\n", p11_utf8_to_local(info.serialNumber,
+ 			sizeof(info.serialNumber)));
+ 	printf("  pin min/max        : %lu/%lu\n", info.ulMinPinLen, info.ulMaxPinLen);
+	printf("  uri                : pkcs11:model=");
+	printf("%s", percent_encode(info.model, sizeof(info.model)));
+	printf(";manufacturer=");
+	printf("%s", percent_encode(info.manufacturerID, sizeof(info.manufacturerID)));
+	printf(";serial=");
+	printf("%s", percent_encode(info.serialNumber, sizeof(info.serialNumber)));
+	printf(";token=");
+	printf("%s", percent_encode(info.label, sizeof(info.label)));
+	printf("\n");
+ }
+ 
+ static void list_mechs(CK_SLOT_ID slot)
+@@ -8293,6 +8303,62 @@ static const char *p11_utf8_to_local(CK_UTF8CHAR *string, size_t len)
+ 	return buffer;
+ }
+ 
+static CK_BBOOL
+p11_is_percent_format_reserved_char(CK_UTF8CHAR c)
+{
+	switch (c) {
+	case ' ':
+	case '!':
+	case '"':
+	case '#':
+	case '$':
+	case '%':
+	case '&':
+	case '\'':
+	case '(':
+	case ')':
+	case '*':
+	case '+':
+	case ',':
+	case '/':
+	case ':':
+	case ';':
+	case '=':
+	case '?':
+	case '@':
+	case '[':
+	case ']':
+		return CK_TRUE;
+	}
+	return CK_FALSE;
+}
+
+static const char *
+percent_encode(CK_UTF8CHAR *string, size_t len)
+{
+	static char buffer[1024];
+	size_t output_index, input_index;
+
+	while (len && string[len - 1] == ' ')
+		len--;
+
+	for (output_index = input_index = 0; output_index < sizeof(buffer) - 3;
+			output_index++) {
+		if (input_index >= len) {
+			break;
+		}
+		if (p11_is_percent_format_reserved_char(string[input_index])) {
+			snprintf(&buffer[output_index], 4, "%%%x", string[input_index]);
+			output_index += 2;
+		} else {
+			buffer[output_index] = string[input_index];
+		}
+		input_index++;
+	}
+	buffer[output_index] = '\0';
+	return buffer;
+}
+
+ static void p11_fatal(const char *func, CK_RV rv)
+ {
+ 	if (p11)
+
+From d9119d0695ea207dca50d651f78ec5fd0a9023ba Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi <sarroutb@redhat.com>
+Date: Thu, 25 Apr 2024 13:42:14 +0200
+Subject: [PATCH 2/2] Update src/tools/pkcs11-tool.c
+
+Co-authored-by: Jakub Jelen <jakuje@gmail.com>
+---
+ src/tools/pkcs11-tool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index c165945872..46f8b735e5 100644
+--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
+@@ -1682,8 +1682,8 @@ static void show_token(CK_SLOT_ID slot)
+ 	printf("  serial num         : %s\n", p11_utf8_to_local(info.serialNumber,
+ 			sizeof(info.serialNumber)));
+ 	printf("  pin min/max        : %lu/%lu\n", info.ulMinPinLen, info.ulMaxPinLen);
+-	printf("  uri                : pkcs11:model=");
+-	printf("%s", percent_encode(info.model, sizeof(info.model)));
+	printf("  uri                : pkcs11:");
+	printf("model=%s", percent_encode(info.model, sizeof(info.model)));
+ 	printf(";manufacturer=");
+ 	printf("%s", percent_encode(info.manufacturerID, sizeof(info.manufacturerID)));
+ 	printf(";serial=");
+
+From 5289269d4a57563bdcd604ec091e6eda0f0547fd Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi <sarroutb@redhat.com>
+Date: Tue, 30 Apr 2024 18:30:16 +0200
+Subject: [PATCH] Include URIs for PKCS#11 objects
+
+Fixes: #3129
+
+Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
+---
+ src/tests/fuzzing/fuzz_pkcs15init.c |   7 +-
+ src/tools/pkcs11-tool.c             | 119 ++++++++++++++++++++++------
+ tests/test-pkcs11-tool-test.sh      |  20 ++++-
+ 3 files changed, 116 insertions(+), 30 deletions(-)
+
+diff --git a/src/tests/fuzzing/fuzz_pkcs15init.c b/src/tests/fuzzing/fuzz_pkcs15init.c
+index e44e3aae35..85810ded77 100644
+--- a/src/tests/fuzzing/fuzz_pkcs15init.c
+++ b/src/tests/fuzzing/fuzz_pkcs15init.c
+@@ -109,7 +109,7 @@ int fuzz_get_reader_data(const uint8_t *from, size_t from_size, const uint8_t **
+     size_t i = 0;
+     while(i < from_size - 1 && from[i] != '\0')
+         i++;
+-        
+
+     if (from[i] != '\0')
+         return 0;
+ 
+@@ -126,6 +126,7 @@ void do_init_app(struct sc_profile *profile, struct sc_pkcs15_card *p15card, sc_
+     int                           so_puk_disabled = 0;
+ 
+     memset(&init_args, 0, sizeof(init_args));
+    memset(&info, 0, sizeof(info));
+     sc_pkcs15init_get_pin_info(profile, SC_PKCS15INIT_SO_PIN, &info);
+     if ((info.attrs.pin.flags & SC_PKCS15_PIN_FLAG_UNBLOCK_DISABLED) &&
+         (info.attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN))
+@@ -150,7 +151,7 @@ void do_store_pin(struct sc_profile *profile, struct sc_pkcs15_card *p15card, sc
+     struct sc_pkcs15init_pinargs pin_args;
+     char   pin_id[SC_PKCS15_MAX_ID_SIZE] = "1\0";
+     sc_pkcs15init_set_p15card(profile, p15card);
+-    
+
+     memcpy(pin, "1234555678\0", 11); /* Set new pin */
+     memset(&pin_args, 0, sizeof(pin_args));
+ 
+@@ -363,6 +364,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+     if (card)
+ 	    sc_disconnect_card(card);
+     sc_release_context(ctx);
+-        
+
+     return 0;
+ }
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 46f8b735e5..4e1668290f 100644
+--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
+@@ -1648,6 +1648,43 @@ static void list_slots(int tokens, int refresh, int print)
+ 	}
+ }
+ 
+static const char *
+copy_key_value_to_uri(const char *key, const char *value, CK_BBOOL last)
+{
+	static char URI[1024];
+	static size_t shift = 0;
+	if (key && (shift + strlen(key) < sizeof(URI))) {
+		strcpy(&URI[shift], key);
+		shift += strlen(key);
+	}
+	if (value && (shift + strlen(value) < sizeof(URI))) {
+		strcpy(&URI[shift], value);
+		shift += strlen(value);
+	}
+	if (key && value && !last && shift < sizeof(URI)) {
+		URI[shift++] = ';';
+	}
+	if (last && shift < sizeof(URI)) {
+		URI[shift] = '\0';
+		shift = 0;
+	}
+	return URI;
+}
+
+static const char *
+get_uri(CK_TOKEN_INFO_PTR info)
+{
+	copy_key_value_to_uri("pkcs11:", NULL, CK_FALSE);
+	const char *model = percent_encode(info->model, sizeof(info->model));
+	copy_key_value_to_uri("model=", model, CK_FALSE);
+	const char *manufacturer = percent_encode(info->manufacturerID, sizeof(info->manufacturerID));
+	copy_key_value_to_uri("manufacturer=", manufacturer, CK_FALSE);
+	const char *serial = percent_encode(info->serialNumber, sizeof(info->serialNumber));
+	copy_key_value_to_uri("serial=", serial, CK_FALSE);
+	const char *token = percent_encode(info->label, sizeof(info->label));
+	return copy_key_value_to_uri("token=", token, CK_TRUE);
+}
+
+ static void show_token(CK_SLOT_ID slot)
+ {
+ 	CK_TOKEN_INFO	info;
+@@ -1682,14 +1719,7 @@ static void show_token(CK_SLOT_ID slot)
+ 	printf("  serial num         : %s\n", p11_utf8_to_local(info.serialNumber,
+ 			sizeof(info.serialNumber)));
+ 	printf("  pin min/max        : %lu/%lu\n", info.ulMinPinLen, info.ulMaxPinLen);
+-	printf("  uri                : pkcs11:");
+-	printf("model=%s", percent_encode(info.model, sizeof(info.model)));
+-	printf(";manufacturer=");
+-	printf("%s", percent_encode(info.manufacturerID, sizeof(info.manufacturerID)));
+-	printf(";serial=");
+-	printf("%s", percent_encode(info.serialNumber, sizeof(info.serialNumber)));
+-	printf(";token=");
+-	printf("%s", percent_encode(info.label, sizeof(info.label)));
+	printf("  uri                : %s", get_uri(&info));
+ 	printf("\n");
+ }
+ 
+@@ -5045,13 +5075,14 @@ show_key(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ {
+ 	CK_MECHANISM_TYPE_PTR mechs = NULL;
+ 	CK_KEY_TYPE	key_type = getKEY_TYPE(sess, obj);
+-	CK_ULONG	size = 0;
+	CK_ULONG size, idsize = 0;
+ 	unsigned char	*id, *oid, *value;
+ 	const char      *sepa;
+ 	char		*label;
+ 	char		*unique_id;
+ 	int		pub = 1;
+ 	int		sec = 0;
+	CK_TOKEN_INFO info;
+ 
+ 	switch(getCLASS(sess, obj)) {
+ 		case CKO_PRIVATE_KEY:
+@@ -5243,17 +5274,15 @@ show_key(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ 
+ 	if ((label = getLABEL(sess, obj, NULL)) != NULL) {
+ 		printf("  label:      %s\n", label);
+-		free(label);
+ 	}
+ 
+-	if ((id = getID(sess, obj, &size)) != NULL && size) {
+	if ((id = getID(sess, obj, &idsize)) != NULL && idsize) {
+ 		unsigned int	n;
+ 
+ 		printf("  ID:         ");
+-		for (n = 0; n < size; n++)
+		for (n = 0; n < idsize; n++)
+ 			printf("%02x", id[n]);
+ 		printf("\n");
+-		free(id);
+ 	}
+ 
+ 	printf("  Usage:      ");
+@@ -5355,7 +5384,26 @@ show_key(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ 		printf("  Unique ID:  %s\n", unique_id);
+ 		free(unique_id);
+ 	}
+-
+	get_token_info(opt_slot, &info);
+	printf("  uri:        %s", get_uri(&info));
+	if (id != NULL && idsize) {
+		printf(";id=%%");
+		for (unsigned int n = 0; n < idsize; n++)
+			printf("%02x", id[n]);
+		free(id);
+	}
+	if (label != NULL) {
+		const char *pelabel = percent_encode((unsigned char *)label, strlen(label));
+		printf(";object=%s", pelabel);
+		free(label);
+	}
+	if (sec) {
+		printf(";type=secret-key\n");
+	} else if (pub) {
+		printf(";type=public\n");
+	} else {
+		printf(";type=private\n");
+	}
+ 	suppress_warn = 0;
+ }
+ 
+@@ -5363,6 +5411,7 @@ static void show_cert(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ {
+ 	CK_CERTIFICATE_TYPE	cert_type = getCERTIFICATE_TYPE(sess, obj);
+ 	CK_ULONG	size;
+	CK_TOKEN_INFO info;
+ 	unsigned char	*id;
+ 	char		*label;
+ 	char		*unique_id;
+@@ -5389,7 +5438,6 @@ static void show_cert(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ 
+ 	if ((label = getLABEL(sess, obj, NULL)) != NULL) {
+ 		printf("  label:      %s\n", label);
+-		free(label);
+ 	}
+ 
+ #if defined(ENABLE_OPENSSL)
+@@ -5433,37 +5481,49 @@ static void show_cert(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ 		for (n = 0; n < size; n++)
+ 			printf("%02x", id[n]);
+ 		printf("\n");
+-		free(id);
+ 	}
+ 	if ((unique_id = getUNIQUE_ID(sess, obj, NULL)) != NULL) {
+ 		printf("  Unique ID:  %s\n", unique_id);
+ 		free(unique_id);
+ 	}
+	get_token_info(opt_slot, &info);
+	printf("  uri:        %s", get_uri(&info));
+	if (id != NULL && size) {
+		printf(";id=%%");
+		for (unsigned int n = 0; n < size; n++)
+			printf("%02x", id[n]);
+		free(id);
+	}
+	if (label != NULL) {
+		const char *pelabel = percent_encode((unsigned char *)label, strlen(label));
+		printf(";object=%s", pelabel);
+		free(label);
+	}
+	printf(";type=cert\n");
+ }
+ 
+ static void show_dobj(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ {
+ 	unsigned char *oid_buf;
+ 	char *label;
+	char *application;
+ 	CK_ULONG    size = 0;
+	CK_TOKEN_INFO info;
+ 
+ 	suppress_warn = 1;
+ 	printf("Data object %u\n", (unsigned int) obj);
+ 	printf("  label:          ");
+ 	if ((label = getLABEL(sess, obj, NULL)) != NULL) {
+ 		printf("'%s'\n", label);
+-		free(label);
+-	}
+-	else   {
+	} else {
+ 		printf("<empty>\n");
+ 	}
+ 
+ 	printf("  application:    ");
+-	if ((label = getAPPLICATION(sess, obj, NULL)) != NULL) {
+-		printf("'%s'\n", label);
+-		free(label);
+-	}
+-	else   {
+	if ((application = getAPPLICATION(sess, obj, NULL)) != NULL) {
+		printf("'%s'\n", application);
+		free(application);
+	} else {
+ 		printf("<empty>\n");
+ 	}
+ 
+@@ -5494,8 +5554,16 @@ static void show_dobj(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ 		printf(" private");
+ 	if (!getMODIFIABLE(sess, obj) && !getPRIVATE(sess, obj))
+ 		printf("<empty>");
+	printf("\n");
+ 
+-	printf ("\n");
+	get_token_info(opt_slot, &info);
+	printf("  uri:            %s", get_uri(&info));
+	if (label != NULL) {
+		const char *pelabel = percent_encode((unsigned char *)label, strlen(label));
+		printf(";object=%s", pelabel);
+		free(label);
+	}
+	printf(";type=data\n");
+ 	suppress_warn = 0;
+ }
+ 
+@@ -8337,6 +8405,7 @@ static const char *
+ percent_encode(CK_UTF8CHAR *string, size_t len)
+ {
+ 	static char buffer[1024];
+	memset(buffer, 0, 1024);
+ 	size_t output_index, input_index;
+ 
+ 	while (len && string[len - 1] == ' ')
+diff --git a/tests/test-pkcs11-tool-test.sh b/tests/test-pkcs11-tool-test.sh
+index 2a1f43b8bc..1a96cbd754 100755
+--- a/tests/test-pkcs11-tool-test.sh
+++ b/tests/test-pkcs11-tool-test.sh
+@@ -20,12 +20,28 @@ assert $? "Failed to set up card"
+ echo "======================================================="
+ echo "Test"
+ echo "======================================================="
+-$PKCS11_TOOL --test -p $PIN --module $P11LIB
+$PKCS11_TOOL --test -p "${PIN}" --module "${P11LIB}"
+ assert $? "Failed running tests"
+ 
+echo "======================================================="
+echo "Test objects URI"
+echo "======================================================="
+$PKCS11_TOOL -O 2>/dev/null | grep 'uri:' 2>/dev/null >/dev/null
+assert $? "Failed running objects URI tests"
+$PKCS11_TOOL -O 2>/dev/null | grep 'uri:' | awk -F 'uri:' '{print $2}' | tr -d ' ' | grep ^"pkcs11:" 2>/dev/null >/dev/null
+assert $? "Failed running objects URI tests"
+
+echo "======================================================="
+echo "Test slots URI"
+echo "======================================================="
+$PKCS11_TOOL -L 2>/dev/null | grep 'uri' 2>/dev/null >/dev/null
+assert $? "Failed running slots URI tests"
+$PKCS11_TOOL -O 2>/dev/null | grep 'uri' | awk -F 'uri*:' '{print $2}' | tr -d ' '  | grep ^"pkcs11:" 2>/dev/null >/dev/null
+assert $? "Failed running slots URI tests"
+
+ echo "======================================================="
+ echo "Cleanup"
+ echo "======================================================="
+ card_cleanup
+ 
+-exit $ERRORS
+exit "${ERRORS}"
--- a/opensc.spec
+++ b/opensc.spec
@ -56,6 +56,9 @@ Patch16:        %{name}-0.23.0-myeid-sym.patch
 # https://github.com/OpenSC/OpenSC/pull/2948
 # https://github.com/OpenSC/OpenSC/pull/3016
 Patch17:        %{name}-0.23.0-constant-time-pkcs1.5.patch
+# https://github.com/OpenSC/OpenSC/pull/3125
+# https://github.com/OpenSC/OpenSC/pull/3130
+Patch18:        %{name}-0.23.0-pkcs11-uri.patch

 BuildRequires:  make
 BuildRequires:  pcsc-lite-devel
@ -104,6 +107,7 @@ every software/card that does so, too.
 %patch15 -p1 -b .pkcs15init
 %patch16 -p1 -b .myeid-sym
 %patch17 -p1 -b .constant-time-pkcs1
+%patch18 -p1 -b .pkcs11-uri

 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .