aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-05-19More access control cleanup.Rob Austein
2017-05-19Start cleaning up info functions.Rob Austein
2017-05-19Consolidate session-state-based access control.Rob Austein
2017-05-18Translate more PKCS #11 attributes into HAL_KEY_FLAG_* settings.Rob Austein
2017-05-18Clean up a few gratuitous obscurities.Rob Austein
2017-05-10Clean up default location of PKCS #11 library.Rob Austein
2017-05-09Update README.md.Rob Austein
2017-05-04Regression tests for today's C_FindObjects() bugfixes.Rob Austein
2017-05-04Doh, C_FindObjects() works better if we preserve its state across calls.Rob Austein
2017-05-04Support using C_GetFunctionList() instead of library symbols.Rob Austein
The Python ctypes library allows us direct access to the public symbols of a shared library, so we never bothered to implement support for using the dispatch vector returned by C_GetFunctionList(). Well, it turns out that there are useful debugging tools like pkcs11-spy which require the dispatch vector support, so refactor to add it.
2017-04-14Python interface API will need to be cryptech.py11 for installation.Rob Austein
2017-04-11Track API changes on sw/libhal pkcs8 branch.Rob Austein
2017-04-08Track API changes in sw/libhal pkcs8 branch.Rob Austein
2017-03-08Check for cryptech_muxd when setting LIBHAL_TARGET.Rob Austein
2017-03-03Clean up time-signature script.Rob Austein
2017-03-01Flip default connection method from "serial" to "daemon".Rob Austein
2017-03-01Test all key types by default.Rob Austein
2017-03-01Timing test script.Rob Austein
2017-01-31Be more careful with handle cleanup, to support parallel testing.Rob Austein
2016-11-22Remove SQLite3 from build, no longer needed.Rob Austein
2016-11-22Doh, C_GetAttributeValue() lost descriptor lookup during conversion from SQL.Rob Austein
Track change from hal_rpc_pkey_attribute_t to hal_pkey_attribute_t.
2016-11-21Start shaking bugs out of new pkcs11.c code. Still pretty broken.Rob Austein
2016-11-20Compiles without SQLite3. Does not run (yet).Rob Austein
2016-11-19New branch for PKCS #11 without SQLite3. Checkpoint, doesn't compile yet.Rob Austein
We're going to want this in a separate branch from ksng at least for a little while, so that we can flip back and forth easily to run the same tests. Current code doesn't even compile yet, but is far enough along to be worth backing up off-machine.
2016-11-14hal_rpc_pkey_find() -> hal_rpc_pkey_open().Rob Austein
2016-10-25Remove unused column from schema.Rob Austein
2016-10-25Track libhal HAL_DIGEST_ALGORITHM_ change.Rob Austein
2016-10-16Clean Python compiled byte code too.Rob Austein
2016-10-07Track changes to libhal RPC pkey API.Rob Austein
2016-09-09Track removal of `type` argument from hal_rpc_pkey_find().Rob Austein
2016-09-03Hack PKCS #11 to work with revised libhal pkey API.Rob Austein
2016-08-16More pkcs11test fixes: nuanced read-only, error code proliferation.Rob Austein
PKCS #11's notion of a "read-only" session is odd: read-only sessions can still create/modify/destroy objects, just not "token" objects. C_SeedRandom() has its own special "nope, didn't implement that" error code, apparently the one everything else uses wasn't good enough. C_Login() has different error codes for "you're already logged in" and "you're already logged in as somebody else".
2016-08-14First round of fixes for bugs found by Google pkcs11test.Rob Austein
Testing against https://github.com/google/pkcs11test.git found various bugs, some trivial, some more interesting, some arguably places where the specification is looser than pkcs11test. I'm still digging through the test results, but this commit fixes several of the most obvious issues.
2016-08-10Shared library symbol versioning support from Ondrej Sury (thanks!).Rob Austein
Apparently this is how the cool kids handle hiding library-internal symbols now, using objcopy is old hat. Ondrey tells us that this should work on GNU/Linux and on *BSD, which, at the moment, just leaves OSX, which we already handle with an OSX-specific kludge.
2016-08-10Allow environment (eg, Debian build) to augment CFLAGS.Rob Austein
2016-08-10Add regression test for borked or missing PKCS #1.5 DigestInfo.Rob Austein
Oleg found a cute bug where C_SignUpdate() and C_SignFinal() would generate an incorrect signature which C_VerifyUpdate() and C_VerifyFinal() would think was fine because the verification code had essentially the same bug as the signature code. None of this applied to the (much) more commonly used C_Sign() and C_Verify() functions, which is why nobody noticed until now. Bug fixed in sw/libhal commit 36dfaf0adbddbb9f1f7852911228b3ab24ba01aa but we need a regression test to make sure we don't reintroduce the bug. So we add a test which computes the signature both ways, then verifies it with PyCrypto as well as both ways with our own code. We should probably be doing more comparisons of RSA results with PyCrypto. For ECDSA with non-deterministic signatures it's a bit harder, but more checking against the Python ecdsa library would still be a good idea.
2016-07-13Add "cryptech" to public "pkcs11" names.Rob Austein
Database location environment variable is now CRYPTECH_PKCS11_DATABASE. Installed library is now libcryptech-pkcs11.{so,dylib}.
2016-07-12Light the "user PIN initialized" bit, for OpenSSL's pkcs11 engine.Rob Austein
Like several other recent commits, this just nails up some value which really should be coming from the HSM via some as-yet-unwritten RPC call, but that can wait until after the upcoming workshop.
2016-07-12Whoops, CKR_BUFFER_TOO_SMALL doesn't terminate a sign or digest operation.Rob Austein
2016-07-12Add a few missing informational functions that pkcs11-tool wanted.Rob Austein
opensc's pkcs11-tool wants to use C_GetInfo(), C_GetSlotInfo(), and C_GetMechanismList(). All are trivial functions, but we hadn't implemented any of them. As with most of the informational functions, some of the returned values are nonsense: in the long run, fixing this just means adding one or more new informational queries to the RPC protocol, but I'm not going to do that while we're in, well, not code freeze, but at least code jello. Adding C_GetMechanismList() exposed that we had never added all the SHA-224 variants to pkcs11.c: since these are just a pass-through to libhal, adding them now seems low-risk (famous last words). Closes #40.
2016-07-07Disable RPC daemon on all platforms for now.Rob Austein
2016-07-07Clean up test code that made sense on the Novena but not on the Alpha.Rob Austein
2016-06-30libhal's RPC MUX daemon doesn't work with Apple's lame sockets implementation.Rob Austein
Apple, for reasons unknown, chose not to implement SOCK_SEQPACKET. This works on Linux and *BSD, and libhal's MUX daemon uses it to avoid having to add its own framing protocol on top of SOCK_STREAM. So, at least for now, Mac OS X will not support the multiplex daemon, only direct connection to the HSM by a single client.
2016-06-28Move hal_pkey_* columns from the object table intoRob Austein
{session,token}_object tables to preserve the mapping from pkcs11 token objects to libhal pkey objects.
2016-06-27Apparently sw/pkcs11 somehow missed the great ${foo_LIB} => ${foo_SRC}, ↵Rob Austein
${foo_BLD} Makefile cleanup.
2016-06-26libtfm assembly code has portability issues under pbuilder, and we don't ↵Rob Austein
really need it for libpkcs11.
2016-06-26More GNUmakefile cleanup.Rob Austein
2016-06-25Rename GNUmakefile to Makefile for consistency.Paul Selkirk
2016-06-24VPATH build for libpkcs11.so, and first cut at libpkcs11.dylib for Mac OS X.Rob Austein
The Mac OS X build compiles, but is otherwise completely untested, and won't even be testable until cryptech_rpcd support configuring high-speed UARTs on Mac OS X (OS-specific voodoo).
2016-06-23Reorder ld arguments to get search order right.Rob Austein