pkcs11 0.1.0

data/lib/pkcs11/slot.rb

@@ -0,0 +1,90 @@
+module PKCS11
+  # Each slot corresponds to a physical reader or other device interface.
+  # It may contain a token.
+  class Slot
+    def initialize(pkcs11, slot) # :nodoc:
+      @pk, @slot = pkcs11, slot
+    end
+
+    # The slot handle.
+    def to_int
+      @slot
+    end
+    alias to_i to_int
+
+    def inspect # :nodoc:
+      "#<#{self.class} #{@slot.inspect}>"
+    end
+
+    # Obtains information about a particular slot in the system.
+    def C_GetSlotInfo
+      @pk.C_GetSlotInfo(@slot)
+    end
+    alias info C_GetSlotInfo
+    
+    # Obtains information about a particular token in the system.
+    def C_GetTokenInfo
+      @pk.C_GetTokenInfo(@slot)
+    end
+    alias token_info C_GetTokenInfo
+    
+    # Waits for a slot event, such as token insertion or token removal, to
+    # occur. flags determines whether or not the C_WaitForSlotEvent call blocks (i.e., waits
+    # for a slot event to occur);
+    def C_WaitForSlotEvent(flags)
+      @pk.C_WaitForSlotEvent(@slot, flags)
+    end
+    alias wait_for_event C_WaitForSlotEvent
+
+    # C_GetMechanismList is used to obtain a list of mechanism types supported by a token.
+    def C_GetMechanismList
+      @pk.C_GetMechanismList(@slot).map{|mech|
+        Mechanism.new MECHANISMS, mech
+      }
+    end
+    alias mechanisms C_GetMechanismList
+
+    # Obtains information about a particular mechanism possibly
+    # supported by a token.
+    def C_GetMechanismInfo(mechanism)
+      @pk.C_GetMechanismInfo(@slot, Session.hash_to_mechanism(mechanism))
+    end
+    alias mechanism_info C_GetMechanismInfo
+
+    # Initializes a token. pin is the SO’s initial PIN; label is the label of the token (max 32-byte). This standard allows PIN
+    # values to contain any valid UTF8 character, but the token may impose subset restrictions.
+    def C_InitToken(pin, label)
+      @pk.C_InitToken(@slot, pin, label.ljust(32, " "))
+    end
+    alias init_token C_InitToken
+    
+    # Opens a Session between an application and a token in a particular slot.
+    #
+    # flags:: indicates the type of session. Default is read-only,
+    #         use <tt>CKF_SERIAL_SESSION | CKF_RW_SESSION</tt> for read-write session.
+    #
+    # * If called with block, yields the block with the session and closes the session
+    # when the is finished.
+    # * If called without block, returns the session object.
+    def C_OpenSession(flags=CKF_SERIAL_SESSION)
+      nr = @pk.C_OpenSession(@slot, flags)
+      sess = Session.new @pk, nr
+      if block_given?
+        begin
+          yield sess
+        ensure
+          sess.close
+        end
+      else
+        sess
+      end
+    end
+    alias open C_OpenSession
+    
+    # Closes all sessions an application has with a token.
+    def C_CloseAllSessions
+      @pk.C_CloseAllSessions(@slot)
+    end
+    alias close_all_sessions C_CloseAllSessions
+  end
+end

data/sample/firefox_certs.rb

@@ -0,0 +1,90 @@
+require "pkcs11"
+require "openssl"
+
+LIBSOFTOKEN3_SO = "libsoftokn3.so"
+LIBNSS_PATHS = %w(
+  /usr/lib64 /usr/lib/ /usr/lib64/nss /usr/lib/nss
+)
+unless so_path = ARGV.shift
+  paths = LIBNSS_PATHS.collect{|path| File.join(path, LIBSOFTOKEN3_SO) }
+  so_path = paths.find{|path| File.exist?(path) }
+end
+
+dir = Dir.glob(File.expand_path("~/.mozilla/firefox/*.default")).first
+NSS_INIT_ARGS = [
+ "configDir='#{dir}'",
+ "secmod='secmod.db'",
+ "flags='readOnly'",
+]
+
+args = PKCS11::CK_C_INITIALIZE_ARGS.new
+args.flags = 0
+args.pReserved = NSS_INIT_ARGS.join(" ")
+
+pk11 = PKCS11.new(so_path, args)
+info = pk11.C_GetInfo
+p [
+  info.cryptokiVersion, info.manufacturerID, info.flags,
+  info.libraryDescription, info.libraryVersion
+]
+
+slots = pk11.C_GetSlotList(false)
+p slots
+
+slot = 2
+sinfo = pk11.C_GetSlotInfo(slot)
+p [
+  sinfo.slotDescription, sinfo.manufacturerID, sinfo.flags,
+  sinfo.hardwareVersion, sinfo.firmwareVersion
+]
+mechanisms = pk11.C_GetMechanismList(slot)
+mechanisms.each do |m|
+  p PKCS11::MECHANISMS[m] || m
+end
+
+flags = PKCS11::CKF_SERIAL_SESSION | PKCS11::CKF_RW_SESSION
+session = pk11.C_OpenSession(slot, flags)
+p [:session, session]
+pk11.C_Login(session, PKCS11::CKU_USER, "")
+
+find_template = [
+  PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_CLASS, PKCS11::CKO_CERTIFICATE),
+]
+p pk11.C_FindObjectsInit(session, find_template)
+objs = pk11.C_FindObjects(session, 128)
+objs.each do |handle|
+  template = [
+    PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_SUBJECT, nil),
+  ]
+  attrs = pk11.C_GetAttributeValue(session, handle, template)
+  attrs.each do |attr|
+    p OpenSSL::X509::Name.new(attr.value)
+  end
+end
+objs = pk11.C_FindObjectsFinal(session)
+
+find_template = [
+  PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_CLASS, PKCS11::CKO_PRIVATE_KEY),
+  PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_KEY_TYPE, PKCS11::CKK_RSA),
+]
+p pk11.C_FindObjectsInit(session, find_template)
+objs = pk11.C_FindObjects(session, 128)
+objs.each do |handle|
+  template = [
+    PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_CLASS, nil),
+    PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_KEY_TYPE, nil),
+    PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_ID, nil),
+    PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_SIGN, nil),
+    PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_SIGN_RECOVER, nil),
+    PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_DECRYPT, nil),
+    PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_EXTRACTABLE, nil),
+  ]
+  attrs = pk11.C_GetAttributeValue(session, handle, template)
+  attrs.each do |attr|
+    p [PKCS11::ATTRIBUTES[attr.type], attr.value]
+  end
+end
+objs = pk11.C_FindObjectsFinal(session)
+
+pk11.C_Logout(session)
+pk11.C_CloseSession(session)

data/sample/nssckbi.rb

@@ -0,0 +1,51 @@
+require "pkcs11"
+require "openssl"
+
+LIBNSSCKBI_SO = "libnssckbi.so"
+LIBNSS_PATHS = %w(
+  /usr/lib64 /usr/lib /usr/lib64/nss /usr/lib/nss
+  /usr/lib64/xulrunner /usr/lib/xulrunner
+  /usr/local/lib64/xulrunner /usr/local/lib/xulrunner
+)
+unless so_name = ARGV[0]
+  paths = LIBNSS_PATHS.collect{|path| File.join(path, LIBNSSCKBI_SO) }
+  so_name = paths.find{|path| File.exist?(path) }
+end
+
+pkcs11 = PKCS11.new(so_name)
+slot = pkcs11.C_GetSlotList(true).first
+session = pkcs11.C_OpenSession(slot, PKCS11::CKF_SERIAL_SESSION)
+
+pkcs11.C_FindObjectsInit(session, [
+  PKCS11::CK_ATTRIBUTE.new(PKCS11::CKA_CLASS, PKCS11::CKO_CERTIFICATE)
+])
+handles = pkcs11.C_FindObjects(session, 1000)
+pkcs11.C_FindObjectsFinal(session)
+
+attribute_types = [
+  PKCS11::CKA_CLASS,
+  PKCS11::CKA_TOKEN, PKCS11::CKA_PRIVATE, PKCS11::CKA_MODIFIABLE,
+  PKCS11::CKA_LABEL, PKCS11::CKA_CERTIFICATE_TYPE,
+  PKCS11::CKA_SUBJECT, PKCS11::CKA_ID, PKCS11::CKA_ISSUER,
+  PKCS11::CKA_SERIAL_NUMBER, PKCS11::CKA_VALUE,
+]
+template = attribute_types.collect{|a| PKCS11::CK_ATTRIBUTE.new(a, nil) }
+handles.each do |handle|
+  attributes = pkcs11.C_GetAttributeValue(session, handle, template)
+  attributes.each do |attribute|
+    type_name = PKCS11::ATTRIBUTES[attribute.type]
+    case attribute.type
+    when PKCS11::CKA_LABEL
+      p [type_name, attribute.value]
+    when PKCS11::CKA_SUBJECT, PKCS11::CKA_ISSUER
+      p [type_name, OpenSSL::X509::Name.new(attribute.value)]
+    when PKCS11::CKA_SERIAL_NUMBER
+      serial = OpenSSL::ASN1.decode(attribute.value).value rescue nil
+        attribute.value.unpack("w").first
+      p [type_name, serial]
+    when PKCS11::CKA_VALUE
+      cert = OpenSSL::X509::Certificate.new(attribute.value)
+      p [cert.serial, cert.not_before, cert.not_after]
+    end
+  end
+end

data/test/helper.rb

@@ -0,0 +1,43 @@
+require "openssl"
+
+def open_softokn
+  
+  if RUBY_PLATFORM =~ /win32/
+    lLIBSOFTOKEN3_SO = "softokn3.dll"
+    
+    # Try to find the firefox path.
+    unless ENV['SOFTOKN_PATH']
+      require 'win32/registry'
+      begin
+        firefox_path = Win32::Registry::HKEY_LOCAL_MACHINE.open('SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe'){|reg|
+          reg.read('Path')[1]
+        }
+      rescue Win32::Registry::Error
+      end
+      if firefox_path
+        ENV['Path'] = ENV['Path'] + ";" + firefox_path
+        so_path = File.join(firefox_path, lLIBSOFTOKEN3_SO)
+      end
+    end
+  else
+    lLIBSOFTOKEN3_SO = "libsoftokn3.so"
+    lLIBNSS_PATHS = %w(
+      /usr/lib64 /usr/lib/ /usr/lib64/nss /usr/lib/nss
+    )
+    unless so_path = ENV['SOFTOKN_PATH']
+      paths = lLIBNSS_PATHS.collect{|path| File.join(path, lLIBSOFTOKEN3_SO) }
+      so_path = paths.find{|path| File.exist?(path) }
+    end
+  end
+
+  raise "#{lLIBSOFTOKEN3_SO} not found - please install firefox or set ENV['SOFTOKN_PATH']" unless so_path
+
+  dir = File.join(File.dirname(__FILE__), 'fixtures/softokn')
+  nNSS_INIT_ARGS = [
+  "configDir='#{dir}'",
+  "secmod='secmod.db'",
+  "flags='readWrite'",
+  ]
+
+  pk11 = PKCS11.open(so_path, :flags=>0, :pReserved=>nNSS_INIT_ARGS.join(" "))
+end

data/test/test_pkcs11.rb

@@ -0,0 +1,36 @@
+require "test/unit"
+require "pkcs11"
+require "test/helper"
+
+class TestPkcs11 < Test::Unit::TestCase
+  def setup
+    @pk = open_softokn
+  end
+
+  def teardown
+    @pk.close
+    @pk = nil
+    GC.start
+  end
+
+  def pk
+    @pk
+  end
+  
+  def test_info
+    info = pk.info
+    assert info.inspect =~ /cryptokiVersion=/, 'There should be a version in the library info'
+  end
+
+  def test_slots
+    slots = pk.active_slots
+    assert slots.length>=1, 'Hope there is at least one active slot'
+  end
+
+  def test_close
+    pk.close
+    assert_raise(PKCS11::Error){ pk.info }
+    pk.close
+    assert_raise(PKCS11::Error){ pk.active_slots }
+  end
+end

data/test/test_pkcs11_crypt.rb

@@ -0,0 +1,167 @@
+require "test/unit"
+require "pkcs11"
+require "test/helper"
+require "openssl"
+
+class TestPkcs11Crypt < Test::Unit::TestCase
+  include PKCS11
+
+  attr_reader :slots
+  attr_reader :slot
+  attr_reader :session
+  attr_reader :rsa_priv_key
+  attr_reader :rsa_pub_key
+  attr_reader :secret_key
+
+  def setup
+    $pkcs11 ||= open_softokn
+    @slots = pk.active_slots
+    @slot = slots.last
+    @session = slot.open
+    session.login(:USER, "")
+    
+    @rsa_pub_key = session.find_objects(:CLASS => CKO_PUBLIC_KEY,
+                        :KEY_TYPE => CKK_RSA).first
+    @rsa_priv_key = session.find_objects(:CLASS => CKO_PRIVATE_KEY,
+                        :KEY_TYPE => CKK_RSA).first
+    @secret_key = session.create_object(
+      :CLASS=>CKO_SECRET_KEY,
+      :KEY_TYPE=>CKK_DES2,
+      :ENCRYPT=>true, :WRAP=>true, :DECRYPT=>true, :UNWRAP=>true, :TOKEN=>false,
+      :VALUE=>'0123456789abcdef',
+      :LABEL=>'test_secret_key')
+  end
+
+  def teardown
+    @secret_key.destroy
+    @session.logout
+    @session.close
+  end
+
+  def pk
+    $pkcs11
+  end
+
+  def test_endecrypt
+    plaintext1 = "secret text"
+    cryptogram = session.encrypt( :RSA_PKCS, rsa_pub_key, plaintext1)
+    assert cryptogram.length>10, 'The cryptogram should contain some data'
+    assert_not_equal cryptogram, plaintext1, 'The cryptogram should be different to plaintext'
+    
+    plaintext2 = session.decrypt( :RSA_PKCS, rsa_priv_key, cryptogram)
+    assert_equal plaintext1, plaintext2, 'Decrypted plaintext should be the same'
+  end
+
+  def test_sign_verify
+    plaintext = "important text"
+    signature = session.sign( :SHA1_RSA_PKCS, rsa_priv_key, plaintext)
+    assert signature.length>10, 'The signature should contain some data'
+
+    signature2 = session.sign( :SHA1_RSA_PKCS, rsa_priv_key){|c|
+      c.update(plaintext[0..3])
+      c.update(plaintext[4..-1])
+    }
+    assert_equal signature, signature2, 'results of one-step and two-step signatures should be equal'
+
+    valid = session.verify( :SHA1_RSA_PKCS, rsa_pub_key, signature, plaintext)
+    assert  valid, 'The signature should be correct'
+    
+    assert_raise(PKCS11::Error, 'The signature should be invalid on different text') do
+      session.verify( :SHA1_RSA_PKCS, rsa_pub_key, signature, "modified text")
+    end
+  end
+
+  def create_openssl_cipher(pk11_key)
+    rsa = OpenSSL::PKey::RSA.new
+    rsa.n = OpenSSL::BN.new pk11_key[:MODULUS], 2
+    rsa.e = OpenSSL::BN.new pk11_key[:PUBLIC_EXPONENT], 2
+    rsa
+  end
+
+  def test_compare_sign_with_openssl
+    signature = session.sign( :SHA1_RSA_PKCS, rsa_priv_key, "important text")
+
+    osslc = create_openssl_cipher rsa_pub_key
+    valid = osslc.verify(OpenSSL::Digest::SHA1.new, signature, "important text")
+    assert valid, 'The signature should be correct'
+  end
+
+  def test_compare_endecrypt_with_openssl
+    plaintext1 = "secret text"
+    osslc = create_openssl_cipher rsa_pub_key
+    cryptogram = osslc.public_encrypt(plaintext1)
+
+    plaintext2 = session.decrypt( :RSA_PKCS, rsa_priv_key, cryptogram)
+    assert_equal plaintext1, plaintext2, 'Decrypted plaintext should be the same'
+  end
+
+  def test_digest
+    plaintext = "secret text"
+    digest1 = session.digest( :SHA_1, plaintext)
+    digest2 = OpenSSL::Digest::SHA1.new(plaintext).digest
+    assert_equal digest1, digest2, 'Digests should be equal'
+    digest3 = session.digest(:SHA_1){|c|
+      c.update(plaintext[0..3])
+      c.update(plaintext[4..-1])
+    }
+    assert_equal digest1, digest3, 'Digests should be equal'
+
+    digest3 = session.digest(:SHA256){|c|
+      c.update(plaintext)
+      c.digest_key(secret_key)
+    }
+  end
+
+  def test_wrap_key
+    wrapped_key_value = session.wrap_key(:DES3_ECB, secret_key, secret_key)
+    assert_equal 16, wrapped_key_value.length, '112 bit 3DES key should have same size wrapped'
+
+    unwrapped_key = session.unwrap_key(:DES3_ECB, secret_key, wrapped_key_value, :CLASS=>CKO_SECRET_KEY, :KEY_TYPE=>CKK_DES2, :ENCRYPT=>true, :DECRYPT=>true)
+
+    secret_key_kcv = session.encrypt( :DES3_ECB, secret_key, "\0"*8)
+    unwrapped_key_kcv = session.encrypt( :DES3_ECB, unwrapped_key, "\0"*8)
+    assert_equal secret_key_kcv, unwrapped_key_kcv, 'Key check values of original and wrapped/unwrapped key should be equal'
+  end
+
+  def test_wrap_private_key
+    wrapped_key_value = session.wrap_key({:DES3_CBC_PAD=>"\0"*8}, secret_key, rsa_priv_key)
+    assert wrapped_key_value.length>100, 'RSA private key should have bigger size wrapped'
+  end
+
+  def test_generate_secret_key
+    key = session.generate_key(:DES2_KEY_GEN,
+      {:ENCRYPT=>true, :WRAP=>true, :DECRYPT=>true, :UNWRAP=>true, :TOKEN=>false, :LOCAL=>true})
+    assert_equal true, key[:LOCAL], 'Keys created on the token should be marked as local'
+  end
+
+  def test_generate_key_pair
+    pub_key, priv_key = session.generate_key_pair(:RSA_PKCS_KEY_PAIR_GEN,
+      {:ENCRYPT=>true, :VERIFY=>true, :WRAP=>true, :MODULUS_BITS=>768, :PUBLIC_EXPONENT=>[3].pack("N"), :TOKEN=>false},
+      {:PRIVATE=>true, :SUBJECT=>'test', :ID=>[123].pack("n"),
+       :SENSITIVE=>true, :DECRYPT=>true, :SIGN=>true, :UNWRAP=>true, :TOKEN=>false, :LOCAL=>true})
+    
+    assert_equal true, priv_key[:LOCAL], 'Private keys created on the token should be marked as local'
+    assert_equal priv_key[:CLASS], CKO_PRIVATE_KEY
+    assert_equal pub_key[:CLASS], CKO_PUBLIC_KEY
+    assert_equal true, priv_key[:SENSITIVE], 'Private key should be sensitive'
+  end
+
+  def test_derive_key
+    # Generate DH key for side 1
+    key1 = OpenSSL::PKey::DH.new(512)
+
+    # Generate key side 2 with same prime and base as side 1
+    pub_key2, priv_key2 = session.generate_key_pair(:DH_PKCS_KEY_PAIR_GEN,
+      {:PRIME=>key1.p.to_s(2), :BASE=>key1.g.to_s(2), :TOKEN=>false},
+      {:VALUE_BITS=>512, :DERIVE=>true, :TOKEN=>false})
+
+    # Derive secret DES key for side 1 with OpenSSL
+    new_key1 = key1.compute_key(OpenSSL::BN.new pub_key2[:VALUE], 2)
+    
+    # Derive secret DES key for side 2 with softokn3
+    new_key2 = session.derive_key( {:DH_PKCS_DERIVE=>key1.pub_key.to_s(2)}, priv_key2,
+      :CLASS=>CKO_SECRET_KEY, :KEY_TYPE=>CKK_AES, :VALUE_LEN=>16, :ENCRYPT=>true, :DECRYPT=>true, :SENSITIVE=>false )
+
+    assert_equal new_key1[0,16], new_key2[:VALUE], 'Exchanged session key should be equal'
+  end
+end