pkcs11 0.2.4-x64-mingw32

data/lib/pkcs11/slot.rb

@@ -0,0 +1,102 @@
+require 'pkcs11/helper'
+
+module PKCS11
+  # Each slot corresponds to a physical reader or other device interface.
+  # It may contain a token.
+  class Slot
+    include Helper
+
+    # @private
+    def initialize(pkcs11, slot) # :nodoc:
+      @pk, @slot = pkcs11, slot
+    end
+
+    # The slot handle.
+    # @return [Integer]
+    def to_int
+      @slot
+    end
+    alias to_i to_int
+
+    # @private
+    def inspect # :nodoc:
+      "#<#{self.class} #{@slot.inspect}>"
+    end
+
+    # Obtains information about a particular slot in the system.
+    # @return [PKCS11::CK_SLOT_INFO]
+    def C_GetSlotInfo
+      @pk.C_GetSlotInfo(@slot)
+    end
+    alias info C_GetSlotInfo
+
+    # Obtains information about a particular token in the system.
+    # @return [PKCS11::CK_TOKEN_INFO]
+    def C_GetTokenInfo
+      @pk.C_GetTokenInfo(@slot)
+    end
+    alias token_info C_GetTokenInfo
+
+    # C_GetMechanismList is used to obtain a list of mechanism types supported by a token.
+    # @return [Array<PKCS11::CKM_*>]
+    def C_GetMechanismList
+      @pk.C_GetMechanismList(@slot)
+    end
+    alias mechanisms C_GetMechanismList
+
+    # Obtains information about a particular mechanism possibly
+    # supported by a token.
+    #
+    # @param [Integer, Symbol] mechanism
+    # @return [CK_MECHANISM_INFO]
+    def C_GetMechanismInfo(mechanism)
+      @pk.C_GetMechanismInfo(@slot, string_to_handle('CKM_', mechanism))
+    end
+    alias mechanism_info C_GetMechanismInfo
+
+    # Initializes a token.
+    # @param [String] pin is the SO's initial PIN
+    # @param [String] label is the label of the token (max 32-byte).
+    #
+    # The standard allows PIN
+    # values to contain any valid UTF8 character, but the token may impose subset restrictions.
+    # @return [PKCS11::Slot]
+    def C_InitToken(pin, label)
+      @pk.C_InitToken(@slot, pin, label.ljust(32, " "))
+      self
+    end
+    alias init_token C_InitToken
+
+    # Opens a Session between an application and a token in a particular slot.
+    #
+    # @param [Integer] flags  indicates the type of session. Default is read-only,
+    #         use <tt>CKF_SERIAL_SESSION | CKF_RW_SESSION</tt> for read-write session.
+    #
+    # * If called with block, yields the block with the session and closes the session
+    #   when the is finished.
+    # * If called without block, returns the session object.
+    # @return [PKCS11::Session]
+    def C_OpenSession(flags=CKF_SERIAL_SESSION)
+      nr = @pk.C_OpenSession(@slot, flags)
+      sess = Session.new @pk, nr
+      if block_given?
+        begin
+          yield sess
+        ensure
+          sess.close
+        end
+      else
+        sess
+      end
+    end
+    alias open C_OpenSession
+
+    # Closes all sessions an application has with a token.
+    # @return [PKCS11::Slot]
+    def C_CloseAllSessions
+      @pk.C_CloseAllSessions(@slot)
+      self
+    end
+    alias close_all_sessions C_CloseAllSessions
+  end
+end

data/pkcs11_protect_server/Manifest.txt

@@ -0,0 +1,14 @@
+.gemtest
+.yardopts
+Manifest.txt
+README_PROTECT_SERVER.rdoc
+Rakefile
+ext/extconf.rb
+ext/generate_constants.rb
+ext/generate_structs.rb
+ext/pk11s.c
+lib/pkcs11_protect_server.rb
+lib/pkcs11_protect_server/extensions.rb
+test/helper.rb
+test/test_pkcs11_protect_server.rb
+test/test_pkcs11_protect_server_crypt.rb

data/pkcs11_protect_server/README_PROTECT_SERVER.rdoc

@@ -0,0 +1,89 @@
+= PKCS #11/Ruby Interface for Safenet Protect Server HSM
+
+* Homepage: http://github.com/larskanis/pkcs11
+* API documentation: http://pkcs11.rubyforge.org/pkcs11/
+* Safenet[http://www.safenet-inc.com] - Protect Server HSM
+
+This ruby gem is an add-on to ruby-pkcs11[http://github.com/larskanis/pkcs11] .
+It allowes to use Protect Server specific extensions, which are beyond the PKCS#11 standard.
+That means CKA_EXPORT, CKM_DES3_DERIVE_CBC, structs like CK_DES3_CBC_PARAMS, special functions and so on.
+The module works on the Unix like operating systems and win32.
+
+== Requirements
+
+* ProtectServer PTKC-SDK to compile the module
+* pkcs11 gem installed (use: <tt>gem install pkcs11</tt> )
+
+== Installation
+
+  gem install pkcs11_protect_server -- --with-protect-server-sdk-dir=/path/to/ETcpsdk
+
+This installs the ProtectServer-PKCS#11 extension along with pkcs11-gem either by compiling (Unix)
+or by using the precompiled gem for Win32.
+
+  git clone git://github.com/larskanis/pkcs11.git
+  cd pkcs11_protect_server
+  rake gem PROTECT_SERVER_SDK_DIR=/path/to/ETcpsdk
+  gem install -l pkg/pkcs11_protect_server -- --with-protect-server-sdk-dir=/path/to/ETcpsdk
+
+Downloads and installs the gem from git source.
+
+== Usage
+
+Open the software emulation library and login to a session:
+
+  require "rubygems"
+  require "pkcs11_protect_server"
+
+  pkcs11 = PKCS11::ProtectServer::Library.new(:sw)
+  p pkcs11.info
+  session = pkcs11.active_slots.last.open
+  session.login(:USER, "1234")
+  # ... crypto operations
+  session.logout
+  session.close
+
+{PKCS11::ProtectServer::Library#initialize} tries to find the library file in
+the standard installation directory on Windows or Linux.
+
+== Cross compiling for mswin32
+
+Using rake-compiler a cross compiled pkcs11_protect_server.gem can be build on a linux host for
+the win32 platform. There are no runtime dependencies to any but the standard Windows DLLs.
+
+Install mingw32. On a debian based system this should work:
+
+  apt-get install mingw32
+
+On MacOS X, if you have MacPorts installed:
+
+  port install i386-mingw32-gcc
+
+Install the rake-compiler:
+
+  gem install rake-compiler
+
+Download and cross compile ruby for win32:
+
+  rake-compiler cross-ruby VERSION=1.8.7-p352
+  rake-compiler cross-ruby VERSION=1.9.2-p290
+
+Download and cross compile pkcs11_protect_server for win32:
+
+  rake cross native gem PROTECT_SERVER_SDK_DIR=/path/to/ETcpsdk
+
+If everything works, there should be pkcs11_protect_server-VERSION-x86-mswin32.gem in the pkg
+directory.
+
+
+== ToDo
+
+* implement ProtectServer specific function calls
+* implement possibility to use callbacks
+* add all structs and constants
+
+== Authors
+* Lars Kanis <kanis@comcard.de>
+
+== Copying
+See MIT-LICENSE included in the package.

data/test/helper.rb

@@ -0,0 +1,58 @@
+require "pkcs11"
+
+def find_softokn
+  if RUBY_PLATFORM =~ /mswin|mingw/
+    lLIBSOFTOKEN3_SO = "softokn3.dll"
+
+    # Try to find the firefox path.
+    unless so_path = ENV['SOFTOKN_PATH']
+      require 'win32/registry'
+      begin
+        firefox_path = Win32::Registry::HKEY_LOCAL_MACHINE.open('SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe'){|reg|
+          reg.read('Path')[1]
+        }
+      rescue Win32::Registry::Error
+      end
+      if firefox_path
+        ENV['Path'] = ENV['Path'] + ";" + firefox_path
+        so_path = File.join(firefox_path, lLIBSOFTOKEN3_SO)
+      end
+    end
+  else
+    lLIBSOFTOKEN3_SO = "libsoftokn3.so"
+    lLIBNSS_PATHS = %w(
+      /usr/lib64
+      /usr/lib
+      /usr/lib64/nss
+      /usr/lib/nss
+      /usr/lib/i386-linux-gnu/nss
+      /usr/lib/x86_64-linux-gnu/nss
+    )
+    unless so_path = ENV['SOFTOKN_PATH']
+      paths = lLIBNSS_PATHS.collect{|path| File.join(path, lLIBSOFTOKEN3_SO) }
+      so_path = paths.find do |path|
+        File.exist?(path) && open_softokn(path).close rescue false
+      end
+    end
+  end
+
+  raise "#{lLIBSOFTOKEN3_SO} not found - please install firefox or libnss3 or set ENV['SOFTOKN_PATH']" unless so_path
+  so_path
+end
+
+def softokn_params
+  dir = File.join(File.dirname(__FILE__), 'fixtures/softokn')
+  [
+  "configDir='#{dir}'",
+  "secmod='secmod.db'",
+  "flags='readWrite'",
+  ]
+end
+
+def softokn_params_string
+  softokn_params.join(" ")
+end
+
+def open_softokn(so_path=nil)
+  PKCS11.open(so_path || find_softokn, :flags=>0, :pReserved=>softokn_params_string)
+end

data/test/test_pkcs11.rb

@@ -0,0 +1,71 @@
+require "test/unit"
+require "pkcs11"
+require "test/helper"
+
+class TestPkcs11 < Test::Unit::TestCase
+  attr_reader :pk
+
+  def open
+    @pk = open_softokn
+  end
+
+  def close
+    @pk.close
+    @pk = nil
+    GC.start
+  end
+
+  def test_info
+    open
+    info = pk.info
+    assert info.inspect =~ /cryptokiVersion=/, 'There should be a version in the library info'
+    close
+  end
+
+  def test_slots
+    open
+    slots = pk.active_slots
+    assert slots.length>=1, 'Hope there is at least one active slot'
+    close
+  end
+
+  def test_close
+    open
+    pk.close
+    pk.unload_library
+    assert_raise(PKCS11::Error){ pk.info }
+
+    @pk = PKCS11.open
+    pk.load_library(find_softokn)
+
+    pk.C_GetFunctionList
+
+    pargs = PKCS11::CK_C_INITIALIZE_ARGS.new
+    pargs.flags = 0
+    pargs.pReserved = softokn_params.join(" ")
+    pk.C_Initialize(pargs)
+
+    pk.info
+    close
+  end
+
+  def test_C_Initialize_with_Hash
+    pk = PKCS11.open
+    pk.load_library(find_softokn)
+    pk.C_GetFunctionList
+    pk.C_Initialize(:flags=>0, :pReserved=>softokn_params_string)
+    pk.info
+    pk.close
+  end
+
+  def test_wait_for_slot_event
+    open
+    # Softokn's C_WaitForSlotEvent() currently raises PKCS11::CKR_FUNCTION_NOT_SUPPORTED.
+    # So just check, that the call goes to softokn at all.
+    begin
+      pk.wait_for_slot_event
+    rescue PKCS11::Error
+    end
+    close
+  end
+end

data/test/test_pkcs11_crypt.rb

@@ -0,0 +1,220 @@
+require "test/unit"
+require "pkcs11"
+require "test/helper"
+require "openssl"
+
+class TestPkcs11Crypt < Test::Unit::TestCase
+  include PKCS11
+
+  attr_reader :slots
+  attr_reader :slot
+  attr_reader :session
+  attr_reader :rsa_priv_key
+  attr_reader :rsa_pub_key
+  attr_reader :secret_key
+
+  def setup
+    $pkcs11 ||= open_softokn
+    @slots = pk.active_slots
+    @slot = slots.last
+    @session = slot.open
+#     session.login(:USER, "")
+
+    @rsa_pub_key = session.find_objects(:CLASS => CKO_PUBLIC_KEY,
+                        :KEY_TYPE => CKK_RSA).first
+    @rsa_priv_key = session.find_objects(:CLASS => CKO_PRIVATE_KEY,
+                        :KEY_TYPE => CKK_RSA).first
+    @secret_key = session.create_object(
+      :CLASS=>CKO_SECRET_KEY,
+      :KEY_TYPE=>CKK_DES2,
+      :ENCRYPT=>true, :WRAP=>true, :DECRYPT=>true, :UNWRAP=>true, :TOKEN=>false,
+      :VALUE=>'0123456789abcdef',
+      :LABEL=>'test_secret_key')
+  end
+
+  def teardown
+    @secret_key.destroy
+#     @session.logout
+    @session.close
+  end
+
+  def pk
+    $pkcs11
+  end
+
+  def test_endecrypt_rsa
+    plaintext1 = "secret text"
+    cryptogram = session.encrypt( :RSA_PKCS, rsa_pub_key, plaintext1)
+    assert cryptogram.length>10, 'The cryptogram should contain some data'
+    assert_not_equal cryptogram, plaintext1, 'The cryptogram should be different to plaintext'
+
+    plaintext2 = session.decrypt( :RSA_PKCS, rsa_priv_key, cryptogram)
+    assert_equal plaintext1, plaintext2, 'Decrypted plaintext should be the same'
+  end
+
+  def test_endecrypt_des
+    plaintext1 = "secret message "
+    cryptogram = session.encrypt( {:DES3_CBC_PAD=>"\0"*8}, secret_key, plaintext1)
+    assert_equal 16, cryptogram.length, 'The cryptogram should contain some data'
+    assert_not_equal cryptogram, plaintext1, 'The cryptogram should be different to plaintext'
+
+    cryptogram2 = ''
+    cryptogram2 << session.encrypt( {:DES3_CBC_PAD=>"\0"*8}, secret_key ) do |cipher|
+      cryptogram2 << cipher.update(plaintext1[0, 8])
+      cryptogram2 << cipher.update(plaintext1[8..-1])
+    end
+    assert_equal cryptogram, cryptogram2, "Encrypt with and w/o block should be lead to the same result"
+
+    plaintext2 = session.decrypt( {:DES3_CBC_PAD=>"\0"*8}, secret_key, cryptogram)
+    assert_equal plaintext1, plaintext2, 'Decrypted plaintext should be the same'
+  end
+
+  def test_sign_verify
+    plaintext = "important text"
+    signature = session.sign( :SHA1_RSA_PKCS, rsa_priv_key, plaintext)
+    assert signature.length>10, 'The signature should contain some data'
+
+    signature2 = session.sign( :SHA1_RSA_PKCS, rsa_priv_key){|c|
+      c.update(plaintext[0..3])
+      c.update(plaintext[4..-1])
+    }
+    assert_equal signature, signature2, 'results of one-step and two-step signatures should be equal'
+
+    valid = session.verify( :SHA1_RSA_PKCS, rsa_pub_key, signature, plaintext)
+    assert  valid, 'The signature should be correct'
+
+    assert_raise(CKR_SIGNATURE_INVALID, 'The signature should be invalid on different text') do
+      session.verify( :SHA1_RSA_PKCS, rsa_pub_key, signature, "modified text")
+    end
+  end
+
+  def create_openssl_cipher(pk11_key)
+    rsa = OpenSSL::PKey::RSA.new
+    rsa.n = OpenSSL::BN.new pk11_key[:MODULUS], 2
+    rsa.e = OpenSSL::BN.new pk11_key[:PUBLIC_EXPONENT], 2
+    rsa
+  end
+
+  def test_compare_sign_with_openssl
+    signature = session.sign( :SHA1_RSA_PKCS, rsa_priv_key, "important text")
+
+    osslc = create_openssl_cipher rsa_pub_key
+    valid = osslc.verify(OpenSSL::Digest::SHA1.new, signature, "important text")
+    assert valid, 'The signature should be correct'
+  end
+
+  def test_compare_endecrypt_with_openssl
+    plaintext1 = "secret text"
+    osslc = create_openssl_cipher rsa_pub_key
+    cryptogram = osslc.public_encrypt(plaintext1)
+
+    plaintext2 = session.decrypt( :RSA_PKCS, rsa_priv_key, cryptogram)
+    assert_equal plaintext1, plaintext2, 'Decrypted plaintext should be the same'
+  end
+
+  def test_digest
+    plaintext = "secret text"
+    digest1 = session.digest( :SHA_1, plaintext)
+    digest2 = OpenSSL::Digest::SHA1.new(plaintext).digest
+    assert_equal digest1, digest2, 'Digests should be equal'
+    digest3 = session.digest(:SHA_1){|c|
+      c.update(plaintext[0..3])
+      c.update(plaintext[4..-1])
+    }
+    assert_equal digest1, digest3, 'Digests should be equal'
+
+    digest3 = session.digest(:SHA256){|c|
+      c.update(plaintext)
+      c.digest_key(secret_key)
+    }
+  end
+
+  def test_wrap_key
+    wrapped_key_value = session.wrap_key(:DES3_ECB, secret_key, secret_key)
+    assert_equal 16, wrapped_key_value.length, '112 bit 3DES key should have same size wrapped'
+
+    unwrapped_key = session.unwrap_key(:DES3_ECB, secret_key, wrapped_key_value, :CLASS=>CKO_SECRET_KEY, :KEY_TYPE=>CKK_DES2, :ENCRYPT=>true, :DECRYPT=>true)
+
+    secret_key_kcv = session.encrypt( :DES3_ECB, secret_key, "\0"*8)
+    unwrapped_key_kcv = session.encrypt( :DES3_ECB, unwrapped_key, "\0"*8)
+    assert_equal secret_key_kcv, unwrapped_key_kcv, 'Key check values of original and wrapped/unwrapped key should be equal'
+  end
+
+  def test_wrap_private_key
+    wrapped_key_value = session.wrap_key({:DES3_CBC_PAD=>"\0"*8}, secret_key, rsa_priv_key)
+    assert wrapped_key_value.length>100, 'RSA private key should have bigger size wrapped'
+  end
+
+  def test_generate_secret_key
+    key = session.generate_key(:DES2_KEY_GEN,
+      {:ENCRYPT=>true, :WRAP=>true, :DECRYPT=>true, :UNWRAP=>true, :TOKEN=>false, :LOCAL=>true})
+    assert_equal true, key[:LOCAL], 'Keys created on the token should be marked as local'
+    assert_equal CKK_DES2, key[:KEY_TYPE], 'Should be a 2 key 3des key'
+
+		# other ways to use mechanisms
+    key = session.generate_key(CKM_DES2_KEY_GEN,
+      {:ENCRYPT=>true, :WRAP=>true, :DECRYPT=>true, :UNWRAP=>true, :TOKEN=>false, :LOCAL=>true})
+    assert_equal CKK_DES2, key[:KEY_TYPE], 'Should be a 2 key 3des key'
+    key = session.generate_key(CK_MECHANISM.new(CKM_DES2_KEY_GEN, nil),
+      {:ENCRYPT=>true, :WRAP=>true, :DECRYPT=>true, :UNWRAP=>true, :TOKEN=>false, :LOCAL=>true})
+    assert_equal CKK_DES2, key[:KEY_TYPE], 'Should be a 2 key 3des key'
+  end
+
+  def test_generate_key_pair
+    pub_key, priv_key = session.generate_key_pair(:RSA_PKCS_KEY_PAIR_GEN,
+      {:ENCRYPT=>true, :VERIFY=>true, :WRAP=>true, :MODULUS_BITS=>768, :PUBLIC_EXPONENT=>[3].pack("N"), :TOKEN=>false},
+      {:PRIVATE=>true, :SUBJECT=>'test', :ID=>[123].pack("n"),
+       :SENSITIVE=>true, :DECRYPT=>true, :SIGN=>true, :UNWRAP=>true, :TOKEN=>false, :LOCAL=>true})
+
+    assert_equal true, priv_key[:LOCAL], 'Private keys created on the token should be marked as local'
+    assert_equal priv_key[:CLASS], CKO_PRIVATE_KEY
+    assert_equal pub_key[:CLASS], CKO_PUBLIC_KEY
+    assert_equal true, priv_key[:SENSITIVE], 'Private key should be sensitive'
+  end
+
+  def test_derive_key
+    # Generate DH key for side 1
+    key1 = OpenSSL::PKey::DH.new(512)
+
+    # Generate key side 2 with same prime and base as side 1
+    pub_key2, priv_key2 = session.generate_key_pair(:DH_PKCS_KEY_PAIR_GEN,
+      {:PRIME=>key1.p.to_s(2), :BASE=>key1.g.to_s(2), :TOKEN=>false},
+      {:VALUE_BITS=>512, :DERIVE=>true, :TOKEN=>false})
+
+    # Derive secret DES key for side 1 with OpenSSL
+    new_key1 = key1.compute_key(OpenSSL::BN.new pub_key2[:VALUE], 2)
+
+    # Derive secret DES key for side 2 with softokn3
+    new_key2 = session.derive_key( {:DH_PKCS_DERIVE=>key1.pub_key.to_s(2)}, priv_key2,
+      :CLASS=>CKO_SECRET_KEY, :KEY_TYPE=>CKK_AES, :VALUE_LEN=>16, :ENCRYPT=>true, :DECRYPT=>true, :SENSITIVE=>false )
+
+    # Some versions of softokn3 use left- and some use rightmost bits of exchanged key
+    assert_operator [new_key1[0,16], new_key1[-16..-1]], :include?, new_key2[:VALUE], 'Exchanged session key should be equal'
+  end
+
+  def test_derive_key2
+    deriv_data = "\0"*16
+    new_key1 = session.derive_key( {CKM_XOR_BASE_AND_DATA => {:pData => deriv_data}}, secret_key,
+      :CLASS=>CKO_SECRET_KEY, :KEY_TYPE=>CKK_AES, :VALUE_LEN=>16, :ENCRYPT=>true, :DECRYPT=>true, :SENSITIVE=>false )
+
+    assert_equal secret_key[:VALUE], new_key1[:VALUE], 'Derived key should have equal key value'
+  end
+
+  def test_ssl3
+    pm_key = session.generate_key({:SSL3_PRE_MASTER_KEY_GEN => {:major=>3, :minor=>0}},
+        {:TOKEN=>false})
+    assert_equal 48, pm_key[:VALUE_LEN], "SSL3 pre master key should be 48 bytes long"
+
+    dp = CK_SSL3_MASTER_KEY_DERIVE_PARAMS.new
+    dp.RandomInfo.pServerRandom = 'srandom ' * 4
+    dp.RandomInfo.pClientRandom = 'crandom ' * 4
+    dp.pVersion = CK_VERSION.new
+    dp.pVersion.major = 3
+    dp.pVersion.minor = 1
+    ms_key = session.derive_key( {CKM_SSL3_MASTER_KEY_DERIVE => dp}, pm_key )
+
+    assert_equal 48, ms_key[:VALUE_LEN], "SSL3 master secret key should be 48 bytes long"
+    assert_equal 0, dp.pVersion.minor, 'SSL3 version number should have changed'
+  end
+
+end