Update Notary vendor to 0.6.0 release

We were on a slightly earlier random commit.

We should try to stay on releases where possible...

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This commit is contained in:
Justin Cormack 2018-03-01 10:47:01 +00:00
parent c26f37c0cc
commit 9da428da2e
No known key found for this signature in database
GPG Key ID: 609102888A2EE3F9
15 changed files with 1637 additions and 1319 deletions

View File

@ -44,7 +44,7 @@ github.com/json-iterator/go 6240e1e7983a85228f7fd9c3e1b6932d46ec58e2
github.com/mailru/easyjson d5b7844b561a7bc640052f1b935f7b800330d7e0
github.com/mattn/go-shellwords v1.0.3
github.com/Microsoft/go-winio v0.4.6
github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f
github.com/miekg/pkcs11 5f6e0d0dad6f472df908c8e968a98ef00c9224bb
github.com/mitchellh/mapstructure f3009df150dadf309fdee4a54ed65c124afad715
github.com/moby/buildkit aaff9d591ef128560018433fe61beb802e149de8
github.com/Nvveen/Gotty a8b993ba6abdb0e0c12b0125c603323a71c7790c https://github.com/ijc25/Gotty
@ -62,7 +62,7 @@ github.com/sirupsen/logrus v1.0.3
github.com/spf13/cobra 34ceca591bcf34a17a8b7bad5b3ce5f9c165bee5
github.com/spf13/pflag 97afa5e7ca8a08a383cb259e06636b5e2cc7897f
github.com/stretchr/testify 4d4bfba8f1d1027c4fdbe371823030df51419987
github.com/theupdateframework/notary 05985dc5d1c71ee6c387e9cd276a00b9d424af53
github.com/theupdateframework/notary v0.6.0
github.com/tonistiigi/fsutil dea3a0da73aee887fc02142d995be764106ac5e2
github.com/xeipuuv/gojsonpointer e0fe6f68307607d540ed8eac07a342c33fa1b54a
github.com/xeipuuv/gojsonreference e02fc20de94c78484cd5ffb007f8af96be030a45

View File

@ -1,4 +1,4 @@
# PKCS#11 [![Build Status](https://travis-ci.org/miekg/pkcs11.png?branch=master)](https://travis-ci.org/miekg/pkcs11)
# PKCS#11 [![Build Status](https://travis-ci.org/miekg/pkcs11.png?branch=master)](https://travis-ci.org/miekg/pkcs11) [![GoDoc](https://img.shields.io/badge/godoc-reference-blue.svg)](http://godoc.org/github.com/miekg/pkcs11)
This is a Go implementation of the PKCS#11 API. It wraps the library closely, but uses Go idiom
were it makes sense. It has been tested with SoftHSM.
@ -58,6 +58,10 @@ A skeleton program would look somewhat like this (yes, pkcs#11 is verbose):
Further examples are included in the tests.
To expose PKCS#11 keys using the
[crypto.Signer interface](https://golang.org/pkg/crypto/#Signer),
please see [github.com/thalesignite/crypto11](https://github.com/thalesignite/crypto11).
# TODO
* Fix/double check endian stuff, see types.go NewAttribute()

View File

@ -23,7 +23,19 @@ const (
CKO_VENDOR_DEFINED uint = 0x80000000
)
// Generated with: awk '/#define CK[AFKMRC]/{ print $2 "=" $3 }' pkcs11t.h
const (
CKG_MGF1_SHA1 uint = 0x00000001
CKG_MGF1_SHA224 uint = 0x00000005
CKG_MGF1_SHA256 uint = 0x00000002
CKG_MGF1_SHA384 uint = 0x00000003
CKG_MGF1_SHA512 uint = 0x00000004
)
const (
CKZ_DATA_SPECIFIED uint = 0x00000001
)
// Generated with: awk '/#define CK[AFKMRC]/{ print $2 " = " $3 }' pkcs11t.h | sed -e 's/UL$//g' -e 's/UL)$/)/g'
// All the flag (CKF_), attribute (CKA_), error code (CKR_), key type (CKK_), certificate type (CKC_) and
// mechanism (CKM_) constants as defined in PKCS#11.
@ -49,6 +61,7 @@ const (
CKF_SO_PIN_FINAL_TRY = 0x00200000
CKF_SO_PIN_LOCKED = 0x00400000
CKF_SO_PIN_TO_BE_CHANGED = 0x00800000
CKF_ERROR_STATE = 0x01000000
CKF_RW_SESSION = 0x00000002
CKF_SERIAL_SESSION = 0x00000004
CKK_RSA = 0x00000000
@ -82,6 +95,18 @@ const (
CKK_ACTI = 0x00000024
CKK_CAMELLIA = 0x00000025
CKK_ARIA = 0x00000026
CKK_SHA512_224_HMAC = 0x00000027
CKK_SHA512_256_HMAC = 0x00000028
CKK_SHA512_T_HMAC = 0x00000029
CKK_SHA_1_HMAC = 0x00000028
CKK_SHA224_HMAC = 0x0000002E
CKK_SHA256_HMAC = 0x0000002B
CKK_SHA384_HMAC = 0x0000002C
CKK_SHA512_HMAC = 0x0000002D
CKK_SEED = 0x00000050
CKK_GOSTR3410 = 0x00000060
CKK_GOSTR3411 = 0x00000061
CKK_GOST28147 = 0x00000062
CKK_VENDOR_DEFINED = 0x80000000
CKC_X_509 = 0x00000000
CKC_X_509_ATTR_CERT = 0x00000001
@ -107,6 +132,7 @@ const (
CKA_URL = 0x00000089
CKA_HASH_OF_SUBJECT_PUBLIC_KEY = 0x0000008A
CKA_HASH_OF_ISSUER_PUBLIC_KEY = 0x0000008B
CKA_NAME_HASH_ALGORITHM = 0x0000008C
CKA_CHECK_VALUE = 0x00000090
CKA_KEY_TYPE = 0x00000100
CKA_SUBJECT = 0x00000101
@ -132,6 +158,7 @@ const (
CKA_EXPONENT_1 = 0x00000126
CKA_EXPONENT_2 = 0x00000127
CKA_COEFFICIENT = 0x00000128
CKA_PUBLIC_KEY_INFO = 0x00000129
CKA_PRIME = 0x00000130
CKA_SUBPRIME = 0x00000131
CKA_BASE = 0x00000132
@ -146,6 +173,8 @@ const (
CKA_ALWAYS_SENSITIVE = 0x00000165
CKA_KEY_GEN_MECHANISM = 0x00000166
CKA_MODIFIABLE = 0x00000170
CKA_COPYABLE = 0x00000171
CKA_DESTROYABLE = 0x00000172
CKA_ECDSA_PARAMS = 0x00000180
CKA_EC_PARAMS = 0x00000180
CKA_EC_POINT = 0x00000181
@ -169,6 +198,9 @@ const (
CKA_OTP_SERVICE_IDENTIFIER = 0x0000022B
CKA_OTP_SERVICE_LOGO = 0x0000022C
CKA_OTP_SERVICE_LOGO_TYPE = 0x0000022D
CKA_GOSTR3410_PARAMS = 0x00000250
CKA_GOSTR3411_PARAMS = 0x00000251
CKA_GOST28147_PARAMS = 0x00000252
CKA_HW_FEATURE_TYPE = 0x00000300
CKA_RESET_ON_INIT = 0x00000301
CKA_HAS_RESET = 0x00000302
@ -206,6 +238,11 @@ const (
CKM_DSA_KEY_PAIR_GEN = 0x00000010
CKM_DSA = 0x00000011
CKM_DSA_SHA1 = 0x00000012
CKM_DSA_FIPS_G_GEN = 0x00000013
CKM_DSA_SHA224 = 0x00000014
CKM_DSA_SHA256 = 0x00000015
CKM_DSA_SHA384 = 0x00000016
CKM_DSA_SHA512 = 0x00000017
CKM_DH_PKCS_KEY_PAIR_GEN = 0x00000020
CKM_DH_PKCS_DERIVE = 0x00000021
CKM_X9_42_DH_KEY_PAIR_GEN = 0x00000030
@ -220,6 +257,18 @@ const (
CKM_SHA512_RSA_PKCS_PSS = 0x00000045
CKM_SHA224_RSA_PKCS = 0x00000046
CKM_SHA224_RSA_PKCS_PSS = 0x00000047
CKM_SHA512_224 = 0x00000048
CKM_SHA512_224_HMAC = 0x00000049
CKM_SHA512_224_HMAC_GENERAL = 0x0000004A
CKM_SHA512_224_KEY_DERIVATION = 0x0000004B
CKM_SHA512_256 = 0x0000004C
CKM_SHA512_256_HMAC = 0x0000004D
CKM_SHA512_256_HMAC_GENERAL = 0x0000004E
CKM_SHA512_256_KEY_DERIVATION = 0x0000004F
CKM_SHA512_T = 0x00000050
CKM_SHA512_T_HMAC = 0x00000051
CKM_SHA512_T_HMAC_GENERAL = 0x00000052
CKM_SHA512_T_KEY_DERIVATION = 0x00000053
CKM_RC2_KEY_GEN = 0x00000100
CKM_RC2_ECB = 0x00000101
CKM_RC2_CBC = 0x00000102
@ -241,6 +290,8 @@ const (
CKM_DES3_MAC = 0x00000134
CKM_DES3_MAC_GENERAL = 0x00000135
CKM_DES3_CBC_PAD = 0x00000136
CKM_DES3_CMAC_GENERAL = 0x00000137
CKM_DES3_CMAC = 0x00000138
CKM_CDMF_KEY_GEN = 0x00000140
CKM_CDMF_ECB = 0x00000141
CKM_CDMF_CBC = 0x00000142
@ -366,6 +417,16 @@ const (
CKM_WTLS_PRF = 0x000003D3
CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE = 0x000003D4
CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE = 0x000003D5
CKM_TLS10_MAC_SERVER = 0x000003D6
CKM_TLS10_MAC_CLIENT = 0x000003D7
CKM_TLS12_MAC = 0x000003D8
CKM_TLS12_KDF = 0x000003D9
CKM_TLS12_MASTER_KEY_DERIVE = 0x000003E0
CKM_TLS12_KEY_AND_MAC_DERIVE = 0x000003E1
CKM_TLS12_MASTER_KEY_DERIVE_DH = 0x000003E2
CKM_TLS12_KEY_SAFE_DERIVE = 0x000003E3
CKM_TLS_MAC = 0x000003E4
CKM_TLS_KDF = 0x000003E5
CKM_KEY_WRAP_LYNKS = 0x00000400
CKM_KEY_WRAP_SET_OAEP = 0x00000401
CKM_CMS_SIG = 0x00000500
@ -389,6 +450,14 @@ const (
CKM_ARIA_CBC_PAD = 0x00000565
CKM_ARIA_ECB_ENCRYPT_DATA = 0x00000566
CKM_ARIA_CBC_ENCRYPT_DATA = 0x00000567
CKM_SEED_KEY_GEN = 0x00000650
CKM_SEED_ECB = 0x00000651
CKM_SEED_CBC = 0x00000652
CKM_SEED_MAC = 0x00000653
CKM_SEED_MAC_GENERAL = 0x00000654
CKM_SEED_CBC_PAD = 0x00000655
CKM_SEED_ECB_ENCRYPT_DATA = 0x00000656
CKM_SEED_CBC_ENCRYPT_DATA = 0x00000657
CKM_SKIPJACK_KEY_GEN = 0x00001000
CKM_SKIPJACK_ECB64 = 0x00001001
CKM_SKIPJACK_CBC64 = 0x00001002
@ -402,6 +471,7 @@ const (
CKM_SKIPJACK_RELAYX = 0x0000100a
CKM_KEA_KEY_PAIR_GEN = 0x00001010
CKM_KEA_KEY_DERIVE = 0x00001011
CKM_KEA_DERIVE = 0x00001012
CKM_FORTEZZA_TIMESTAMP = 0x00001020
CKM_BATON_KEY_GEN = 0x00001030
CKM_BATON_ECB128 = 0x00001031
@ -414,9 +484,15 @@ const (
CKM_EC_KEY_PAIR_GEN = 0x00001040
CKM_ECDSA = 0x00001041
CKM_ECDSA_SHA1 = 0x00001042
CKM_ECDSA_SHA224 = 0x00001043
CKM_ECDSA_SHA256 = 0x00001044
CKM_ECDSA_SHA384 = 0x00001045
CKM_ECDSA_SHA512 = 0x00001046
CKM_ECDH1_DERIVE = 0x00001050
CKM_ECDH1_COFACTOR_DERIVE = 0x00001051
CKM_ECMQV_DERIVE = 0x00001052
CKM_ECDH_AES_KEY_WRAP = 0x00001053
CKM_RSA_AES_KEY_WRAP = 0x00001054
CKM_JUNIPER_KEY_GEN = 0x00001060
CKM_JUNIPER_ECB128 = 0x00001061
CKM_JUNIPER_CBC128 = 0x00001062
@ -431,19 +507,52 @@ const (
CKM_AES_MAC_GENERAL = 0x00001084
CKM_AES_CBC_PAD = 0x00001085
CKM_AES_CTR = 0x00001086
CKM_AES_GCM = 0x00001087
CKM_AES_CCM = 0x00001088
CKM_AES_CMAC_GENERAL = 0x00001089
CKM_AES_CMAC = 0x0000108A
CKM_AES_CTS = 0x0000108B
CKM_AES_XCBC_MAC = 0x0000108C
CKM_AES_XCBC_MAC_96 = 0x0000108D
CKM_AES_GMAC = 0x0000108E
CKM_BLOWFISH_KEY_GEN = 0x00001090
CKM_BLOWFISH_CBC = 0x00001091
CKM_TWOFISH_KEY_GEN = 0x00001092
CKM_TWOFISH_CBC = 0x00001093
CKM_BLOWFISH_CBC_PAD = 0x00001094
CKM_TWOFISH_CBC_PAD = 0x00001095
CKM_DES_ECB_ENCRYPT_DATA = 0x00001100
CKM_DES_CBC_ENCRYPT_DATA = 0x00001101
CKM_DES3_ECB_ENCRYPT_DATA = 0x00001102
CKM_DES3_CBC_ENCRYPT_DATA = 0x00001103
CKM_AES_ECB_ENCRYPT_DATA = 0x00001104
CKM_AES_CBC_ENCRYPT_DATA = 0x00001105
CKM_GOSTR3410_KEY_PAIR_GEN = 0x00001200
CKM_GOSTR3410 = 0x00001201
CKM_GOSTR3410_WITH_GOSTR3411 = 0x00001202
CKM_GOSTR3410_KEY_WRAP = 0x00001203
CKM_GOSTR3410_DERIVE = 0x00001204
CKM_GOSTR3411 = 0x00001210
CKM_GOSTR3411_HMAC = 0x00001211
CKM_GOST28147_KEY_GEN = 0x00001220
CKM_GOST28147_ECB = 0x00001221
CKM_GOST28147 = 0x00001222
CKM_GOST28147_MAC = 0x00001223
CKM_GOST28147_KEY_WRAP = 0x00001224
CKM_DSA_PARAMETER_GEN = 0x00002000
CKM_DH_PKCS_PARAMETER_GEN = 0x00002001
CKM_X9_42_DH_PARAMETER_GEN = 0x00002002
CKM_DSA_PROBABLISTIC_PARAMETER_GEN = 0x00002003
CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN = 0x00002004
CKM_AES_OFB = 0x00002104
CKM_AES_CFB64 = 0x00002105
CKM_AES_CFB8 = 0x00002106
CKM_AES_CFB128 = 0x00002107
CKM_AES_CFB1 = 0x00002108
CKM_AES_KEY_WRAP = 0x00002109
CKM_AES_KEY_WRAP_PAD = 0x0000210A
CKM_RSA_PKCS_TPM_1_1 = 0x00004001
CKM_RSA_PKCS_OAEP_TPM_1_1 = 0x00004002
CKM_VENDOR_DEFINED = 0x80000000
CKF_HW = 0x00000001
CKF_ENCRYPT = 0x00000100
@ -479,6 +588,7 @@ const (
CKR_ATTRIBUTE_SENSITIVE = 0x00000011
CKR_ATTRIBUTE_TYPE_INVALID = 0x00000012
CKR_ATTRIBUTE_VALUE_INVALID = 0x00000013
CKR_ACTION_PROHIBITED = 0x0000001B
CKR_DATA_INVALID = 0x00000020
CKR_DATA_LEN_RANGE = 0x00000021
CKR_DEVICE_ERROR = 0x00000030
@ -541,6 +651,7 @@ const (
CKR_RANDOM_SEED_NOT_SUPPORTED = 0x00000120
CKR_RANDOM_NO_RNG = 0x00000121
CKR_DOMAIN_PARAMS_INVALID = 0x00000130
CKR_CURVE_NOT_SUPPORTED = 0x00000140
CKR_BUFFER_TOO_SMALL = 0x00000150
CKR_SAVED_STATE_INVALID = 0x00000160
CKR_INFORMATION_SENSITIVE = 0x00000170
@ -551,6 +662,11 @@ const (
CKR_MUTEX_NOT_LOCKED = 0x000001A1
CKR_NEW_PIN_MODE = 0x000001B0
CKR_NEXT_OTP = 0x000001B1
CKR_EXCEEDED_MAX_ITERATIONS = 0x000001C0
CKR_FIPS_SELF_TEST_FAILED = 0x000001C1
CKR_LIBRARY_LOAD_FAILED = 0x000001C2
CKR_PIN_TOO_WEAK = 0x000001C3
CKR_PUBLIC_KEY_INVALID = 0x000001C4
CKR_FUNCTION_REJECTED = 0x00000200
CKR_VENDOR_DEFINED = 0x80000000
CKF_LIBRARY_CANT_CREATE_OS_THREADS = 0x00000001

View File

@ -11,21 +11,21 @@ package pkcs11
// * CK_ULONG never overflows an Go int
/*
#cgo windows CFLAGS: -DREPACK_STRUCTURES
#cgo windows LDFLAGS: -lltdl
#cgo linux LDFLAGS: -lltdl -ldl
#cgo darwin CFLAGS: -I/usr/local/share/libtool
#cgo darwin LDFLAGS: -lltdl -L/usr/local/lib/
#cgo openbsd CFLAGS: -I/usr/local/include/
#cgo openbsd LDFLAGS: -lltdl -L/usr/local/lib/
#cgo LDFLAGS: -lltdl
#define CK_PTR *
#ifndef NULL_PTR
#define NULL_PTR 0
#endif
#define CK_DEFINE_FUNCTION(returnType, name) returnType name
#define CK_DECLARE_FUNCTION(returnType, name) returnType name
#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ltdl.h>
#include <unistd.h>
#include "pkcs11.h"
#include "pkcs11go.h"
struct ctx {
lt_dlhandle handle;
@ -70,9 +70,12 @@ void Destroy(struct ctx *c)
free(c);
}
CK_RV Initialize(struct ctx * c, CK_VOID_PTR initArgs)
CK_RV Initialize(struct ctx * c)
{
return c->sym->C_Initialize(initArgs);
CK_C_INITIALIZE_ARGS args;
memset(&args, 0, sizeof(args));
args.flags = CKF_OS_LOCKING_OK;
return c->sym->C_Initialize(&args);
}
CK_RV Finalize(struct ctx * c)
@ -80,9 +83,19 @@ CK_RV Finalize(struct ctx * c)
return c->sym->C_Finalize(NULL);
}
CK_RV GetInfo(struct ctx * c, CK_INFO_PTR info)
CK_RV GetInfo(struct ctx * c, ckInfoPtr info)
{
return c->sym->C_GetInfo(info);
CK_INFO p;
CK_RV e = c->sym->C_GetInfo(&p);
if (e != CKR_OK) {
return e;
}
info->cryptokiVersion = p.cryptokiVersion;
memcpy(info->manufacturerID, p.manufacturerID, sizeof(p.manufacturerID));
info->flags = p.flags;
memcpy(info->libraryDescription, p.libraryDescription, sizeof(p.libraryDescription));
info->libraryVersion = p.libraryVersion;
return e;
}
CK_RV GetSlotList(struct ctx * c, CK_BBOOL tokenPresent,
@ -114,7 +127,8 @@ CK_RV GetMechanismList(struct ctx * c, CK_ULONG slotID,
{
CK_RV e =
c->sym->C_GetMechanismList((CK_SLOT_ID) slotID, NULL, mechlen);
if (e != CKR_OK) {
// Gemaltos PKCS11 implementation returns CKR_BUFFER_TOO_SMALL on a NULL ptr instad of CKR_OK as the spec states.
if (e != CKR_OK && e != CKR_BUFFER_TOO_SMALL) {
return e;
}
*mech = calloc(*mechlen, sizeof(CK_MECHANISM_TYPE));
@ -222,18 +236,22 @@ CK_RV Logout(struct ctx * c, CK_SESSION_HANDLE session)
}
CK_RV CreateObject(struct ctx * c, CK_SESSION_HANDLE session,
CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount,
ckAttrPtr temp, CK_ULONG tempCount,
CK_OBJECT_HANDLE_PTR obj)
{
CK_RV e = c->sym->C_CreateObject(session, temp, tempCount, obj);
ATTR_TO_C(tempc, temp, tempCount, NULL);
CK_RV e = c->sym->C_CreateObject(session, tempc, tempCount, obj);
ATTR_FREE(tempc);
return e;
}
CK_RV CopyObject(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE o,
CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount,
ckAttrPtr temp, CK_ULONG tempCount,
CK_OBJECT_HANDLE_PTR obj)
{
CK_RV e = c->sym->C_CopyObject(session, o, temp, tempCount, obj);
ATTR_TO_C(tempc, temp, tempCount, NULL);
CK_RV e = c->sym->C_CopyObject(session, o, tempc, tempCount, obj);
ATTR_FREE(tempc);
return e;
}
@ -252,39 +270,47 @@ CK_RV GetObjectSize(struct ctx * c, CK_SESSION_HANDLE session,
}
CK_RV GetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session,
CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp,
CK_OBJECT_HANDLE object, ckAttrPtr temp,
CK_ULONG templen)
{
ATTR_TO_C(tempc, temp, templen, NULL);
// Call for the first time, check the returned ulValue in the attributes, then
// allocate enough space and try again.
CK_RV e = c->sym->C_GetAttributeValue(session, object, temp, templen);
CK_RV e = c->sym->C_GetAttributeValue(session, object, tempc, templen);
if (e != CKR_OK) {
ATTR_FREE(tempc);
return e;
}
CK_ULONG i;
for (i = 0; i < templen; i++) {
if ((CK_LONG) temp[i].ulValueLen == -1) {
if ((CK_LONG) tempc[i].ulValueLen == -1) {
// either access denied or no such object
continue;
}
temp[i].pValue = calloc(temp[i].ulValueLen, sizeof(CK_BYTE));
tempc[i].pValue = calloc(tempc[i].ulValueLen, sizeof(CK_BYTE));
}
e = c->sym->C_GetAttributeValue(session, object, temp, templen);
e = c->sym->C_GetAttributeValue(session, object, tempc, templen);
ATTR_FROM_C(temp, tempc, templen);
ATTR_FREE(tempc);
return e;
}
CK_RV SetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session,
CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp,
CK_OBJECT_HANDLE object, ckAttrPtr temp,
CK_ULONG templen)
{
CK_RV e = c->sym->C_SetAttributeValue(session, object, temp, templen);
ATTR_TO_C(tempc, temp, templen, NULL);
CK_RV e = c->sym->C_SetAttributeValue(session, object, tempc, templen);
ATTR_FREE(tempc);
return e;
}
CK_RV FindObjectsInit(struct ctx * c, CK_SESSION_HANDLE session,
CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount)
ckAttrPtr temp, CK_ULONG tempCount)
{
CK_RV e = c->sym->C_FindObjectsInit(session, temp, tempCount);
ATTR_TO_C(tempc, temp, tempCount, NULL);
CK_RV e = c->sym->C_FindObjectsInit(session, tempc, tempCount);
ATTR_FREE(tempc);
return e;
}
@ -304,9 +330,10 @@ CK_RV FindObjectsFinal(struct ctx * c, CK_SESSION_HANDLE session)
}
CK_RV EncryptInit(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
ckMechPtr mechanism, CK_OBJECT_HANDLE key)
{
CK_RV e = c->sym->C_EncryptInit(session, mechanism, key);
MECH_TO_C(m, mechanism);
CK_RV e = c->sym->C_EncryptInit(session, m, key);
return e;
}
@ -359,9 +386,10 @@ CK_RV EncryptFinal(struct ctx * c, CK_SESSION_HANDLE session,
}
CK_RV DecryptInit(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
ckMechPtr mechanism, CK_OBJECT_HANDLE key)
{
CK_RV e = c->sym->C_DecryptInit(session, mechanism, key);
MECH_TO_C(m, mechanism);
CK_RV e = c->sym->C_DecryptInit(session, m, key);
return e;
}
@ -414,9 +442,10 @@ CK_RV DecryptFinal(struct ctx * c, CK_SESSION_HANDLE session,
}
CK_RV DigestInit(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mechanism)
ckMechPtr mechanism)
{
CK_RV e = c->sym->C_DigestInit(session, mechanism);
MECH_TO_C(m, mechanism);
CK_RV e = c->sym->C_DigestInit(session, m);
return e;
}
@ -464,9 +493,10 @@ CK_RV DigestFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * hash,
}
CK_RV SignInit(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
ckMechPtr mechanism, CK_OBJECT_HANDLE key)
{
CK_RV e = c->sym->C_SignInit(session, mechanism, key);
MECH_TO_C(m, mechanism);
CK_RV e = c->sym->C_SignInit(session, m, key);
return e;
}
@ -508,9 +538,10 @@ CK_RV SignFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * sig,
}
CK_RV SignRecoverInit(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mech, CK_OBJECT_HANDLE key)
ckMechPtr mech, CK_OBJECT_HANDLE key)
{
CK_RV rv = c->sym->C_SignRecoverInit(session, mech, key);
MECH_TO_C(m, mech);
CK_RV rv = c->sym->C_SignRecoverInit(session, m, key);
return rv;
}
@ -530,9 +561,10 @@ CK_RV SignRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR data,
}
CK_RV VerifyInit(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mech, CK_OBJECT_HANDLE key)
ckMechPtr mech, CK_OBJECT_HANDLE key)
{
CK_RV rv = c->sym->C_VerifyInit(session, mech, key);
MECH_TO_C(m, mech);
CK_RV rv = c->sym->C_VerifyInit(session, m, key);
return rv;
}
@ -558,9 +590,10 @@ CK_RV VerifyFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig,
}
CK_RV VerifyRecoverInit(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mech, CK_OBJECT_HANDLE key)
ckMechPtr mech, CK_OBJECT_HANDLE key)
{
CK_RV rv = c->sym->C_VerifyRecoverInit(session, mech, key);
MECH_TO_C(m, mech);
CK_RV rv = c->sym->C_VerifyRecoverInit(session, m, key);
return rv;
}
@ -653,33 +686,39 @@ CK_RV DecryptVerifyUpdate(struct ctx * c, CK_SESSION_HANDLE session,
}
CK_RV GenerateKey(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR temp,
ckMechPtr mechanism, ckAttrPtr temp,
CK_ULONG tempCount, CK_OBJECT_HANDLE_PTR key)
{
CK_RV e =
c->sym->C_GenerateKey(session, mechanism, temp, tempCount, key);
MECH_TO_C(m, mechanism);
ATTR_TO_C(tempc, temp, tempCount, NULL);
CK_RV e = c->sym->C_GenerateKey(session, m, tempc, tempCount, key);
ATTR_FREE(tempc);
return e;
}
CK_RV GenerateKeyPair(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR pub,
CK_ULONG pubCount, CK_ATTRIBUTE_PTR priv,
ckMechPtr mechanism, ckAttrPtr pub,
CK_ULONG pubCount, ckAttrPtr priv,
CK_ULONG privCount, CK_OBJECT_HANDLE_PTR pubkey,
CK_OBJECT_HANDLE_PTR privkey)
{
CK_RV e =
c->sym->C_GenerateKeyPair(session, mechanism, pub, pubCount, priv,
privCount,
pubkey, privkey);
MECH_TO_C(m, mechanism);
ATTR_TO_C(pubc, pub, pubCount, NULL);
ATTR_TO_C(privc, priv, privCount, pubc);
CK_RV e = c->sym->C_GenerateKeyPair(session, m, pubc, pubCount,
privc, privCount, pubkey, privkey);
ATTR_FREE(pubc);
ATTR_FREE(privc);
return e;
}
CK_RV WrapKey(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE wrappingkey,
ckMechPtr mechanism, CK_OBJECT_HANDLE wrappingkey,
CK_OBJECT_HANDLE key, CK_BYTE_PTR * wrapped,
CK_ULONG_PTR wrappedlen)
{
CK_RV rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, NULL,
MECH_TO_C(m, mechanism);
CK_RV rv = c->sym->C_WrapKey(session, m, wrappingkey, key, NULL,
wrappedlen);
if (rv != CKR_OK) {
return rv;
@ -688,26 +727,32 @@ CK_RV WrapKey(struct ctx * c, CK_SESSION_HANDLE session,
if (*wrapped == NULL) {
return CKR_HOST_MEMORY;
}
rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, *wrapped,
rv = c->sym->C_WrapKey(session, m, wrappingkey, key, *wrapped,
wrappedlen);
return rv;
}
CK_RV DeriveKey(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mech, CK_OBJECT_HANDLE basekey,
CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
ckMechPtr mech, CK_OBJECT_HANDLE basekey,
ckAttrPtr a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
{
CK_RV e = c->sym->C_DeriveKey(session, mech, basekey, a, alen, key);
MECH_TO_C(m, mech);
ATTR_TO_C(tempc, a, alen, NULL);
CK_RV e = c->sym->C_DeriveKey(session, m, basekey, tempc, alen, key);
ATTR_FREE(tempc);
return e;
}
CK_RV UnwrapKey(struct ctx * c, CK_SESSION_HANDLE session,
CK_MECHANISM_PTR mech, CK_OBJECT_HANDLE unwrappingkey,
ckMechPtr mech, CK_OBJECT_HANDLE unwrappingkey,
CK_BYTE_PTR wrappedkey, CK_ULONG wrappedkeylen,
CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
ckAttrPtr a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
{
CK_RV e = c->sym->C_UnwrapKey(session, mech, unwrappingkey, wrappedkey,
wrappedkeylen, a, alen, key);
MECH_TO_C(m, mech);
ATTR_TO_C(tempc, a, alen, NULL);
CK_RV e = c->sym->C_UnwrapKey(session, m, unwrappingkey, wrappedkey,
wrappedkeylen, tempc, alen, key);
ATTR_FREE(tempc);
return e;
}
@ -735,6 +780,38 @@ CK_RV WaitForSlotEvent(struct ctx * c, CK_FLAGS flags, CK_ULONG_PTR slot)
c->sym->C_WaitForSlotEvent(flags, (CK_SLOT_ID_PTR) slot, NULL);
return e;
}
#ifdef REPACK_STRUCTURES
CK_RV attrsToC(CK_ATTRIBUTE_PTR *attrOut, ckAttrPtr attrIn, CK_ULONG count) {
CK_ATTRIBUTE_PTR attr = calloc(count, sizeof(CK_ATTRIBUTE));
if (attr == NULL) {
return CKR_HOST_MEMORY;
}
for (int i = 0; i < count; i++) {
attr[i].type = attrIn[i].type;
attr[i].pValue = attrIn[i].pValue;
attr[i].ulValueLen = attrIn[i].ulValueLen;
}
*attrOut = attr;
return CKR_OK;
}
void attrsFromC(ckAttrPtr attrOut, CK_ATTRIBUTE_PTR attrIn, CK_ULONG count) {
for (int i = 0; i < count; i++) {
attrOut[i].type = attrIn[i].type;
attrOut[i].pValue = attrIn[i].pValue;
attrOut[i].ulValueLen = attrIn[i].ulValueLen;
}
}
void mechToC(CK_MECHANISM_PTR mechOut, ckMechPtr mechIn) {
mechOut->mechanism = mechIn->mechanism;
mechOut->pParameter = mechIn->pParameter;
mechOut->ulParameterLen = mechIn->ulParameterLen;
}
#endif
*/
import "C"
import "strings"
@ -748,6 +825,11 @@ type Ctx struct {
// New creates a new context and initializes the module/library for use.
func New(module string) *Ctx {
// libtool-ltdl will return an assertion error if passed an empty string, so
// we check for it explicitly.
if module == "" {
return nil
}
c := new(Ctx)
mod := C.CString(module)
defer C.free(unsafe.Pointer(mod))
@ -769,8 +851,7 @@ func (c *Ctx) Destroy() {
/* Initialize initializes the Cryptoki library. */
func (c *Ctx) Initialize() error {
args := &C.CK_C_INITIALIZE_ARGS{nil, nil, nil, nil, C.CKF_OS_LOCKING_OK, nil}
e := C.Initialize(c.ctx, C.CK_VOID_PTR(args))
e := C.Initialize(c.ctx)
return toError(e)
}
@ -785,8 +866,8 @@ func (c *Ctx) Finalize() error {
/* GetInfo returns general information about Cryptoki. */
func (c *Ctx) GetInfo() (Info, error) {
var p C.CK_INFO
e := C.GetInfo(c.ctx, C.CK_INFO_PTR(&p))
var p C.ckInfo
e := C.GetInfo(c.ctx, &p)
i := Info{
CryptokiVersion: toVersion(p.cryptokiVersion),
ManufacturerID: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&p.manufacturerID[0]), 32)), " "),
@ -1041,11 +1122,11 @@ func (c *Ctx) GetObjectSize(sh SessionHandle, oh ObjectHandle) (uint, error) {
func (c *Ctx) GetAttributeValue(sh SessionHandle, o ObjectHandle, a []*Attribute) ([]*Attribute, error) {
// copy the attribute list and make all the values nil, so that
// the C function can (allocate) fill them in
pa := make([]C.CK_ATTRIBUTE, len(a))
pa := make([]C.ckAttr, len(a))
for i := 0; i < len(a); i++ {
pa[i]._type = C.CK_ATTRIBUTE_TYPE(a[i].Type)
}
e := C.GetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), C.CK_ATTRIBUTE_PTR(&pa[0]), C.CK_ULONG(len(a)))
e := C.GetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), C.ckAttrPtr(&pa[0]), C.CK_ULONG(len(a)))
if toError(e) != nil {
return nil, toError(e)
}
@ -1529,7 +1610,7 @@ func (c *Ctx) UnwrapKey(sh SessionHandle, m []*Mechanism, unwrappingkey ObjectHa
return ObjectHandle(key), toError(e)
}
// DeriveKey derives a key from a base key, creating a new key object. */
// DeriveKey derives a key from a base key, creating a new key object.
func (c *Ctx) DeriveKey(sh SessionHandle, m []*Mechanism, basekey ObjectHandle, a []*Attribute) (ObjectHandle, error) {
var key C.CK_OBJECT_HANDLE
attrarena, ac, aclen := cAttributeList(a)

View File

@ -1,19 +1,12 @@
/* pkcs11.h include file for PKCS #11. */
/* $Revision: 1.2 $ */
/* Copyright (c) OASIS Open 2016. All Rights Reserved./
* /Distributed under the terms of the OASIS IPR Policy,
* [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
* IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
* PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
*/
/* License to copy and use this software is granted provided that it is
* identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
* (Cryptoki)" in all material mentioning or referencing this software.
* License is also granted to make and use derivative works provided that
* such works are identified as "derived from the RSA Security Inc. PKCS #11
* Cryptographic Token Interface (Cryptoki)" in all material mentioning or
* referencing the derived work.
* RSA Security Inc. makes no representations concerning either the
* merchantability of this software or the suitability of this software for
* any particular purpose. It is provided "as is" without express or implied
* warranty of any kind.
/* Latest version of the specification:
* http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
*/
#ifndef _PKCS11_H_
@ -24,14 +17,14 @@ extern "C" {
#endif
/* Before including this file (pkcs11.h) (or pkcs11t.h by
* itself), 6 platform-specific macros must be defined. These
* itself), 5 platform-specific macros must be defined. These
* macros are described below, and typical definitions for them
* are also given. Be advised that these definitions can depend
* on both the platform and the compiler used (and possibly also
* on whether a Cryptoki library is linked statically or
* dynamically).
*
* In addition to defining these 6 macros, the packing convention
* In addition to defining these 5 macros, the packing convention
* for Cryptoki structures should be set. The Cryptoki
* convention on packing is that structures should be 1-byte
* aligned.
@ -81,39 +74,7 @@ extern "C" {
* #define CK_PTR *
*
*
* 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
* an exportable Cryptoki library function definition out of a
* return type and a function name. It should be used in the
* following fashion to define the exposed Cryptoki functions in
* a Cryptoki library:
*
* CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
* CK_VOID_PTR pReserved
* )
* {
* ...
* }
*
* If you're using Microsoft Developer Studio 5.0 to define a
* function in a Win32 Cryptoki .dll, it might be defined by:
*
* #define CK_DEFINE_FUNCTION(returnType, name) \
* returnType __declspec(dllexport) name
*
* If you're using an earlier version of Microsoft Developer
* Studio to define a function in a Win16 Cryptoki .dll, it
* might be defined by:
*
* #define CK_DEFINE_FUNCTION(returnType, name) \
* returnType __export _far _pascal name
*
* In a UNIX environment, it might be defined by:
*
* #define CK_DEFINE_FUNCTION(returnType, name) \
* returnType name
*
*
* 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
* 2. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
* an importable Cryptoki library function declaration out of a
* return type and a function name. It should be used in the
* following fashion:
@ -141,7 +102,7 @@ extern "C" {
* returnType name
*
*
* 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
* 3. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
* which makes a Cryptoki API function pointer declaration or
* function pointer type declaration out of a return type and a
* function name. It should be used in the following fashion:
@ -178,7 +139,7 @@ extern "C" {
* returnType (* name)
*
*
* 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
* 4. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
* a function pointer type for an application callback out of
* a return type for the callback and a name for the callback.
* It should be used in the following fashion:
@ -210,7 +171,7 @@ extern "C" {
* returnType (* name)
*
*
* 6. NULL_PTR: This macro is the value of a NULL pointer.
* 5. NULL_PTR: This macro is the value of a NULL pointer.
*
* In any ANSI/ISO C environment (and in many others as well),
* this should best be defined by
@ -222,7 +183,8 @@ extern "C" {
/* All the various Cryptoki types and #define'd values are in the
* file pkcs11t.h. */
* file pkcs11t.h.
*/
#include "pkcs11t.h"
#define __PASTE(x,y) x##y
@ -238,7 +200,8 @@ extern "C" {
extern CK_DECLARE_FUNCTION(CK_RV, name)
/* pkcs11f.h has all the information about the Cryptoki
* function prototypes. */
* function prototypes.
*/
#include "pkcs11f.h"
#undef CK_NEED_ARG_LIST
@ -257,7 +220,8 @@ extern "C" {
typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
/* pkcs11f.h has all the information about the Cryptoki
* function prototypes. */
* function prototypes.
*/
#include "pkcs11f.h"
#undef CK_NEED_ARG_LIST
@ -282,7 +246,8 @@ struct CK_FUNCTION_LIST {
/* Pile all the function pointers into the CK_FUNCTION_LIST. */
/* pkcs11f.h has all the information about the Cryptoki
* function prototypes. */
* function prototypes.
*/
#include "pkcs11f.h"
};
@ -296,4 +261,5 @@ struct CK_FUNCTION_LIST {
}
#endif
#endif
#endif /* _PKCS11_H_ */

View File

@ -1,26 +1,20 @@
/* pkcs11f.h include file for PKCS #11. */
/* $Revision: 1.2 $ */
/* License to copy and use this software is granted provided that it is
* identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
* (Cryptoki)" in all material mentioning or referencing this software.
* License is also granted to make and use derivative works provided that
* such works are identified as "derived from the RSA Security Inc. PKCS #11
* Cryptographic Token Interface (Cryptoki)" in all material mentioning or
* referencing the derived work.
* RSA Security Inc. makes no representations concerning either the
* merchantability of this software or the suitability of this software for
* any particular purpose. It is provided "as is" without express or implied
* warranty of any kind.
/* Copyright (c) OASIS Open 2016. All Rights Reserved./
* /Distributed under the terms of the OASIS IPR Policy,
* [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
* IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
* PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
*/
/* This header file contains pretty much everything about all the */
/* Cryptoki function prototypes. Because this information is */
/* used for more than just declaring function prototypes, the */
/* order of the functions appearing herein is important, and */
/* should not be altered. */
/* Latest version of the specification:
* http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
*/
/* This header file contains pretty much everything about all the
* Cryptoki function prototypes. Because this information is
* used for more than just declaring function prototypes, the
* order of the functions appearing herein is important, and
* should not be altered.
*/
/* General-purpose */
@ -30,13 +24,15 @@ CK_PKCS11_FUNCTION_INFO(C_Initialize)
(
CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
* cast to CK_C_INITIALIZE_ARGS_PTR
* and dereferenced */
* and dereferenced
*/
);
#endif
/* C_Finalize indicates that an application is done with the
* Cryptoki library. */
* Cryptoki library.
*/
CK_PKCS11_FUNCTION_INFO(C_Finalize)
#ifdef CK_NEED_ARG_LIST
(
@ -59,7 +55,8 @@ CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
#ifdef CK_NEED_ARG_LIST
(
CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
* function list */
* function list
*/
);
#endif
@ -71,7 +68,7 @@ CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
#ifdef CK_NEED_ARG_LIST
(
CK_BBOOL tokenPresent, /* only slots with tokens? */
CK_BBOOL tokenPresent, /* only slots with tokens */
CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
CK_ULONG_PTR pulCount /* receives number of slots */
);
@ -79,7 +76,8 @@ CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
/* C_GetSlotInfo obtains information about a particular slot in
* the system. */
* the system.
*/
CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
#ifdef CK_NEED_ARG_LIST
(
@ -90,7 +88,8 @@ CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
/* C_GetTokenInfo obtains information about a particular token
* in the system. */
* in the system.
*/
CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
#ifdef CK_NEED_ARG_LIST
(
@ -101,7 +100,8 @@ CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
/* C_GetMechanismList obtains a list of mechanism types
* supported by a token. */
* supported by a token.
*/
CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
#ifdef CK_NEED_ARG_LIST
(
@ -113,7 +113,8 @@ CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
/* C_GetMechanismInfo obtains information about a particular
* mechanism possibly supported by a token. */
* mechanism possibly supported by a token.
*/
CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
#ifdef CK_NEED_ARG_LIST
(
@ -127,7 +128,6 @@ CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
/* C_InitToken initializes a token. */
CK_PKCS11_FUNCTION_INFO(C_InitToken)
#ifdef CK_NEED_ARG_LIST
/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
(
CK_SLOT_ID slotID, /* ID of the token's slot */
CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */
@ -165,7 +165,8 @@ CK_PKCS11_FUNCTION_INFO(C_SetPIN)
/* Session management */
/* C_OpenSession opens a session between an application and a
* token. */
* token.
*/
CK_PKCS11_FUNCTION_INFO(C_OpenSession)
#ifdef CK_NEED_ARG_LIST
(
@ -179,7 +180,8 @@ CK_PKCS11_FUNCTION_INFO(C_OpenSession)
/* C_CloseSession closes a session between an application and a
* token. */
* token.
*/
CK_PKCS11_FUNCTION_INFO(C_CloseSession)
#ifdef CK_NEED_ARG_LIST
(
@ -187,6 +189,7 @@ CK_PKCS11_FUNCTION_INFO(C_CloseSession)
);
#endif
/* C_CloseAllSessions closes all sessions with a token. */
CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
#ifdef CK_NEED_ARG_LIST
@ -207,7 +210,8 @@ CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
/* C_GetOperationState obtains the state of the cryptographic operation
* in a session. */
* in a session.
*/
CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
#ifdef CK_NEED_ARG_LIST
(
@ -219,7 +223,8 @@ CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
/* C_SetOperationState restores the state of the cryptographic
* operation in a session. */
* operation in a session.
*/
CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
#ifdef CK_NEED_ARG_LIST
(
@ -267,8 +272,10 @@ CK_PKCS11_FUNCTION_INFO(C_CreateObject)
);
#endif
/* C_CopyObject copies an object, creating a new object for the
* copy. */
* copy.
*/
CK_PKCS11_FUNCTION_INFO(C_CopyObject)
#ifdef CK_NEED_ARG_LIST
(
@ -303,7 +310,8 @@ CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
/* C_GetAttributeValue obtains the value of one or more object
* attributes. */
* attributes.
*/
CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
#ifdef CK_NEED_ARG_LIST
(
@ -316,7 +324,8 @@ CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
/* C_SetAttributeValue modifies the value of one or more object
* attributes */
* attributes.
*/
CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
#ifdef CK_NEED_ARG_LIST
(
@ -329,7 +338,8 @@ CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
/* C_FindObjectsInit initializes a search for token and session
* objects that match a template. */
* objects that match a template.
*/
CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
#ifdef CK_NEED_ARG_LIST
(
@ -342,7 +352,8 @@ CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
/* C_FindObjects continues a search for token and session
* objects that match a template, obtaining additional object
* handles. */
* handles.
*/
CK_PKCS11_FUNCTION_INFO(C_FindObjects)
#ifdef CK_NEED_ARG_LIST
(
@ -355,7 +366,8 @@ CK_PKCS11_FUNCTION_INFO(C_FindObjects)
/* C_FindObjectsFinal finishes a search for token and session
* objects. */
* objects.
*/
CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
#ifdef CK_NEED_ARG_LIST
(
@ -392,7 +404,8 @@ CK_PKCS11_FUNCTION_INFO(C_Encrypt)
/* C_EncryptUpdate continues a multiple-part encryption
* operation. */
* operation.
*/
CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
@ -406,7 +419,8 @@ CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
/* C_EncryptFinal finishes a multiple-part encryption
* operation. */
* operation.
*/
CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
#ifdef CK_NEED_ARG_LIST
(
@ -442,7 +456,8 @@ CK_PKCS11_FUNCTION_INFO(C_Decrypt)
/* C_DecryptUpdate continues a multiple-part decryption
* operation. */
* operation.
*/
CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
@ -456,7 +471,8 @@ CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
/* C_DecryptFinal finishes a multiple-part decryption
* operation. */
* operation.
*/
CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
#ifdef CK_NEED_ARG_LIST
(
@ -494,7 +510,8 @@ CK_PKCS11_FUNCTION_INFO(C_Digest)
/* C_DigestUpdate continues a multiple-part message-digesting
* operation. */
* operation.
*/
CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
#ifdef CK_NEED_ARG_LIST
(
@ -507,7 +524,8 @@ CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
/* C_DigestKey continues a multi-part message-digesting
* operation, by digesting the value of a secret key as part of
* the data already digested. */
* the data already digested.
*/
CK_PKCS11_FUNCTION_INFO(C_DigestKey)
#ifdef CK_NEED_ARG_LIST
(
@ -518,7 +536,8 @@ CK_PKCS11_FUNCTION_INFO(C_DigestKey)
/* C_DigestFinal finishes a multiple-part message-digesting
* operation. */
* operation.
*/
CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
#ifdef CK_NEED_ARG_LIST
(
@ -535,7 +554,8 @@ CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
/* C_SignInit initializes a signature (private key encryption)
* operation, where the signature is (will be) an appendix to
* the data, and plaintext cannot be recovered from the
*signature. */
* signature.
*/
CK_PKCS11_FUNCTION_INFO(C_SignInit)
#ifdef CK_NEED_ARG_LIST
(
@ -548,7 +568,8 @@ CK_PKCS11_FUNCTION_INFO(C_SignInit)
/* C_Sign signs (encrypts with private key) data in a single
* part, where the signature is (will be) an appendix to the
* data, and plaintext cannot be recovered from the signature. */
* data, and plaintext cannot be recovered from the signature.
*/
CK_PKCS11_FUNCTION_INFO(C_Sign)
#ifdef CK_NEED_ARG_LIST
(
@ -563,7 +584,8 @@ CK_PKCS11_FUNCTION_INFO(C_Sign)
/* C_SignUpdate continues a multiple-part signature operation,
* where the signature is (will be) an appendix to the data,
* and plaintext cannot be recovered from the signature. */
* and plaintext cannot be recovered from the signature.
*/
CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
#ifdef CK_NEED_ARG_LIST
(
@ -575,7 +597,8 @@ CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
/* C_SignFinal finishes a multiple-part signature operation,
* returning the signature. */
* returning the signature.
*/
CK_PKCS11_FUNCTION_INFO(C_SignFinal)
#ifdef CK_NEED_ARG_LIST
(
@ -587,7 +610,8 @@ CK_PKCS11_FUNCTION_INFO(C_SignFinal)
/* C_SignRecoverInit initializes a signature operation, where
* the data can be recovered from the signature. */
* the data can be recovered from the signature.
*/
CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
#ifdef CK_NEED_ARG_LIST
(
@ -599,7 +623,8 @@ CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
/* C_SignRecover signs data in a single operation, where the
* data can be recovered from the signature. */
* data can be recovered from the signature.
*/
CK_PKCS11_FUNCTION_INFO(C_SignRecover)
#ifdef CK_NEED_ARG_LIST
(
@ -617,7 +642,8 @@ CK_PKCS11_FUNCTION_INFO(C_SignRecover)
/* C_VerifyInit initializes a verification operation, where the
* signature is an appendix to the data, and plaintext cannot
* cannot be recovered from the signature (e.g. DSA). */
* cannot be recovered from the signature (e.g. DSA).
*/
CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
#ifdef CK_NEED_ARG_LIST
(
@ -630,7 +656,8 @@ CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
/* C_Verify verifies a signature in a single-part operation,
* where the signature is an appendix to the data, and plaintext
* cannot be recovered from the signature. */
* cannot be recovered from the signature.
*/
CK_PKCS11_FUNCTION_INFO(C_Verify)
#ifdef CK_NEED_ARG_LIST
(
@ -645,7 +672,8 @@ CK_PKCS11_FUNCTION_INFO(C_Verify)
/* C_VerifyUpdate continues a multiple-part verification
* operation, where the signature is an appendix to the data,
* and plaintext cannot be recovered from the signature. */
* and plaintext cannot be recovered from the signature.
*/
CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
#ifdef CK_NEED_ARG_LIST
(
@ -657,7 +685,8 @@ CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
/* C_VerifyFinal finishes a multiple-part verification
* operation, checking the signature. */
* operation, checking the signature.
*/
CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
#ifdef CK_NEED_ARG_LIST
(
@ -669,7 +698,8 @@ CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
/* C_VerifyRecoverInit initializes a signature verification
* operation, where the data is recovered from the signature. */
* operation, where the data is recovered from the signature.
*/
CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
#ifdef CK_NEED_ARG_LIST
(
@ -681,7 +711,8 @@ CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
/* C_VerifyRecover verifies a signature in a single-part
* operation, where the data is recovered from the signature. */
* operation, where the data is recovered from the signature.
*/
CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
#ifdef CK_NEED_ARG_LIST
(
@ -698,7 +729,8 @@ CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
/* Dual-function cryptographic operations */
/* C_DigestEncryptUpdate continues a multiple-part digesting
* and encryption operation. */
* and encryption operation.
*/
CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
@ -712,7 +744,8 @@ CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
/* C_DecryptDigestUpdate continues a multiple-part decryption and
* digesting operation. */
* digesting operation.
*/
CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
#ifdef CK_NEED_ARG_LIST
(
@ -726,7 +759,8 @@ CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
/* C_SignEncryptUpdate continues a multiple-part signing and
* encryption operation. */
* encryption operation.
*/
CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
#ifdef CK_NEED_ARG_LIST
(
@ -740,7 +774,8 @@ CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
/* C_DecryptVerifyUpdate continues a multiple-part decryption and
* verify operation. */
* verify operation.
*/
CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
#ifdef CK_NEED_ARG_LIST
(
@ -757,7 +792,8 @@ CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
/* Key management */
/* C_GenerateKey generates a secret key, creating a new key
* object. */
* object.
*/
CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
#ifdef CK_NEED_ARG_LIST
(
@ -771,30 +807,19 @@ CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
/* C_GenerateKeyPair generates a public-key/private-key pair,
* creating new key objects. */
* creating new key objects.
*/
CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
#ifdef CK_NEED_ARG_LIST
(
CK_SESSION_HANDLE hSession, /* session
* handle */
CK_MECHANISM_PTR pMechanism, /* key-gen
* mech. */
CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template
* for pub.
* key */
CK_ULONG ulPublicKeyAttributeCount, /* # pub.
* attrs. */
CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template
* for priv.
* key */
CK_ULONG ulPrivateKeyAttributeCount, /* # priv.
* attrs. */
CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub.
* key
* handle */
CK_OBJECT_HANDLE_PTR phPrivateKey /* gets
* priv. key
* handle */
CK_SESSION_HANDLE hSession, /* session handle */
CK_MECHANISM_PTR pMechanism, /* key-gen mech. */
CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template for pub. key */
CK_ULONG ulPublicKeyAttributeCount, /* # pub. attrs. */
CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template for priv. key */
CK_ULONG ulPrivateKeyAttributeCount, /* # priv. attrs. */
CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. key handle */
CK_OBJECT_HANDLE_PTR phPrivateKey /* gets priv. key handle */
);
#endif
@ -814,7 +839,8 @@ CK_PKCS11_FUNCTION_INFO(C_WrapKey)
/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
* key object. */
* key object.
*/
CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
#ifdef CK_NEED_ARG_LIST
(
@ -831,7 +857,8 @@ CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
/* C_DeriveKey derives a key from a base key, creating a new key
* object. */
* object.
*/
CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
#ifdef CK_NEED_ARG_LIST
(
@ -849,7 +876,8 @@ CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
/* Random number generation */
/* C_SeedRandom mixes additional seed material into the token's
* random number generator. */
* random number generator.
*/
CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
#ifdef CK_NEED_ARG_LIST
(
@ -876,7 +904,8 @@ CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
/* C_GetFunctionStatus is a legacy function; it obtains an
* updated status of a function running in parallel with an
* application. */
* application.
*/
CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
#ifdef CK_NEED_ARG_LIST
(
@ -886,7 +915,8 @@ CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
/* C_CancelFunction is a legacy function; it cancels a function
* running in parallel. */
* running in parallel.
*/
CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
#ifdef CK_NEED_ARG_LIST
(
@ -895,11 +925,9 @@ CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
#endif
/* Functions added in for Cryptoki Version 2.01 or later */
/* C_WaitForSlotEvent waits for a slot event (token insertion,
* removal, etc.) to occur. */
* removal, etc.) to occur.
*/
CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
#ifdef CK_NEED_ARG_LIST
(
@ -908,3 +936,4 @@ CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
);
#endif

83
vendor/github.com/miekg/pkcs11/pkcs11go.h generated vendored Normal file
View File

@ -0,0 +1,83 @@
//
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//
#define CK_PTR *
#ifndef NULL_PTR
#define NULL_PTR 0
#endif
#define CK_DEFINE_FUNCTION(returnType, name) returnType name
#define CK_DECLARE_FUNCTION(returnType, name) returnType name
#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
#include <unistd.h>
#ifdef REPACK_STRUCTURES
# pragma pack(push, 1)
# include "pkcs11.h"
# pragma pack(pop)
#else
# include "pkcs11.h"
#endif
#ifdef REPACK_STRUCTURES
// Go doesn't support structures with non-default packing, but PKCS#11 requires
// pack(1) on Windows. Use structures with the same members as the CK_ ones but
// default packing, and copy data between the two.
typedef struct ckInfo {
CK_VERSION cryptokiVersion;
CK_UTF8CHAR manufacturerID[32];
CK_FLAGS flags;
CK_UTF8CHAR libraryDescription[32];
CK_VERSION libraryVersion;
} ckInfo, *ckInfoPtr;
typedef struct ckAttr {
CK_ATTRIBUTE_TYPE type;
CK_VOID_PTR pValue;
CK_ULONG ulValueLen;
} ckAttr, *ckAttrPtr;
typedef struct ckMech {
CK_MECHANISM_TYPE mechanism;
CK_VOID_PTR pParameter;
CK_ULONG ulParameterLen;
} ckMech, *ckMechPtr;
CK_RV attrsToC(CK_ATTRIBUTE_PTR *attrOut, ckAttrPtr attrIn, CK_ULONG count);
void attrsFromC(ckAttrPtr attrOut, CK_ATTRIBUTE_PTR attrIn, CK_ULONG count);
void mechToC(CK_MECHANISM_PTR mechOut, ckMechPtr mechIn);
#define ATTR_TO_C(aout, ain, count, other) \
CK_ATTRIBUTE_PTR aout; \
{ \
CK_RV e = attrsToC(&aout, ain, count); \
if (e != CKR_OK ) { \
if (other != NULL) free(other); \
return e; \
} \
}
#define ATTR_FREE(aout) free(aout)
#define ATTR_FROM_C(aout, ain, count) attrsFromC(aout, ain, count)
#define MECH_TO_C(mout, min) \
CK_MECHANISM mval, *mout = &mval; \
if (min != NULL) { mechToC(mout, min); \
} else { mout = NULL; }
#else // REPACK_STRUCTURES
// Dummy types and macros to avoid any unnecessary copying on UNIX
typedef CK_INFO ckInfo, *ckInfoPtr;
typedef CK_ATTRIBUTE ckAttr, *ckAttrPtr;
typedef CK_MECHANISM ckMech, *ckMechPtr;
#define ATTR_TO_C(aout, ain, count, other) CK_ATTRIBUTE_PTR aout = ain
#define ATTR_FREE(aout)
#define ATTR_FROM_C(aout, ain, count)
#define MECH_TO_C(mout, min) CK_MECHANISM_PTR mout = min
#endif // REPACK_STRUCTURES

File diff suppressed because it is too large Load Diff

View File

@ -5,18 +5,9 @@
package pkcs11
/*
#define CK_PTR *
#ifndef NULL_PTR
#define NULL_PTR 0
#endif
#define CK_DEFINE_FUNCTION(returnType, name) returnType name
#define CK_DECLARE_FUNCTION(returnType, name) returnType name
#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
#include <stdlib.h>
#include <string.h>
#include "pkcs11.h"
#include "pkcs11go.h"
CK_ULONG Index(CK_ULONG_PTR array, CK_ULONG i)
{
@ -196,20 +187,22 @@ func NewAttribute(typ uint, x interface{}) *Attribute {
}
// cAttribute returns the start address and the length of an attribute list.
func cAttributeList(a []*Attribute) (arena, C.CK_ATTRIBUTE_PTR, C.CK_ULONG) {
func cAttributeList(a []*Attribute) (arena, C.ckAttrPtr, C.CK_ULONG) {
var arena arena
if len(a) == 0 {
return nil, nil, 0
}
pa := make([]C.CK_ATTRIBUTE, len(a))
pa := make([]C.ckAttr, len(a))
for i := 0; i < len(a); i++ {
pa[i]._type = C.CK_ATTRIBUTE_TYPE(a[i].Type)
if a[i].Value == nil {
//skip attribute if length is 0 to prevent panic in arena.Allocate
if a[i].Value == nil || len(a[i].Value) == 0 {
continue
}
pa[i].pValue, pa[i].ulValueLen = arena.Allocate(a[i].Value)
}
return arena, C.CK_ATTRIBUTE_PTR(&pa[0]), C.CK_ULONG(len(a))
return arena, C.ckAttrPtr(&pa[0]), C.CK_ULONG(len(a))
}
func cDate(t time.Time) []byte {
@ -243,20 +236,22 @@ func NewMechanism(mech uint, x interface{}) *Mechanism {
return m
}
func cMechanismList(m []*Mechanism) (arena, C.CK_MECHANISM_PTR, C.CK_ULONG) {
func cMechanismList(m []*Mechanism) (arena, C.ckMechPtr, C.CK_ULONG) {
var arena arena
if len(m) == 0 {
return nil, nil, 0
}
pm := make([]C.CK_MECHANISM, len(m))
pm := make([]C.ckMech, len(m))
for i := 0; i < len(m); i++ {
pm[i].mechanism = C.CK_MECHANISM_TYPE(m[i].Mechanism)
if m[i].Parameter == nil {
//skip parameter if length is 0 to prevent panic in arena.Allocate
if m[i].Parameter == nil || len(m[i].Parameter) == 0 {
continue
}
pm[i].pParameter, pm[i].ulParameterLen = arena.Allocate(m[i].Parameter)
}
return arena, C.CK_MECHANISM_PTR(&pm[0]), C.CK_ULONG(len(m))
return arena, C.ckMechPtr(&pm[0]), C.CK_ULONG(len(m))
}
// MechanismInfo provides information about a particular mechanism.

View File

@ -1,6 +1,8 @@
<img src="docs/images/notary-blk.svg" alt="Notary" width="400px"/>
[![GoDoc](https://godoc.org/github.com/theupdateframework/notary?status.svg)](https://godoc.org/github.com/theupdateframework/notary)
[![Circle CI](https://circleci.com/gh/theupdateframework/notary/tree/master.svg?style=shield)](https://circleci.com/gh/theupdateframework/notary/tree/master) [![CodeCov](https://codecov.io/github/theupdateframework/notary/coverage.svg?branch=master)](https://codecov.io/github/theupdateframework/notary) [![GoReportCard](https://goreportcard.com/badge/theupdateframework/notary)](https://goreportcard.com/report/github.com/theupdateframework/notary)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_shield)
# Notice
@ -14,7 +16,7 @@ location via GitHub's redirect.
# Overview
The Notary project comprises a [server](cmd/notary-server) and a [client](cmd/notary) for running and interacting
with trusted collections. Please see the [service architecture](docs/service_architecture.md) documentation
with trusted collections. See the [service architecture](docs/service_architecture.md) documentation
for more information.
Notary aims to make the internet more secure by making it easy for people to
@ -44,26 +46,26 @@ Notary is based on [The Update Framework](https://www.theupdateframework.com/),
## Security
Please see our [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.
See Notary's [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.
Our last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)).
Notary's last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)).
Any security vulnerabilities can be reported to security@docker.com.
# Getting started with the Notary CLI
Please get the Notary Client CLI binary from [the official releases page](https://github.com/theupdateframework/notary/releases) or you can [build one yourself](#building-notary).
Get the Notary Client CLI binary from [the official releases page](https://github.com/theupdateframework/notary/releases) or you can [build one yourself](#building-notary).
The version of Notary server and signer should be greater than or equal to Notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags.
To use the Notary CLI with Docker hub images, please have a look at our
To use the Notary CLI with Docker hub images, have a look at Notary's
[getting started docs](docs/getting_started.md).
For more advanced usage, please see the
For more advanced usage, see the
[advanced usage docs](docs/advanced_usage.md).
To use the CLI against a local Notary server rather than against Docker Hub:
1. Please ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed.
1. Ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed.
1. `git clone https://github.com/theupdateframework/notary.git` and from the cloned repository path,
start up a local Notary server and signer and copy the config file and testing certs to your
local notary config directory:
@ -89,28 +91,31 @@ to use `notary` with Docker images.
## Building Notary
Note that our [latest stable release](https://github.com/theupdateframework/notary/releases) is at the head of the
Note that Notary's [latest stable release](https://github.com/theupdateframework/notary/releases) is at the head of the
[releases branch](https://github.com/theupdateframework/notary/tree/releases). The master branch is the development
branch and contains features for the next release.
Prerequisites:
- Go >= 1.7.1
- [godep](https://github.com/tools/godep) installed
- Fedora: `dnf install golang`
- libtool development headers installed
- Ubuntu: `apt-get install libltdl-dev`
- CentOS/RedHat: `yum install libtool-ltdl-devel`
- Fedora: `dnf install libtool-ltdl-devel`
- Mac OS ([Homebrew](http://brew.sh/)): `brew install libtool`
Run `make client`, which creates the Notary Client CLI binary at `bin/notary`.
Note that `make client` assumes a standard Go directory structure, in which
Notary is checked out to the `src` directory in your `GOPATH`. For example:
```
$GOPATH/
src/
github.com/
docker/
notary/
Set [```GOPATH```](https://golang.org/doc/code.html#GOPATH). Then, run:
```bash
$ go get github.com/theupdateframework/notary
# build with pcks11 support by default to support yubikey
$ go install -tags pkcs11 github.com/theupdateframework/notary/cmd/notary
$ notary
```
To build the server and signer, please run `docker-compose build`.
To build the server and signer, run `docker-compose build`.
## License
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_large)

View File

@ -1,88 +1,4 @@
/*
Package client implements everything required for interacting with a Notary repository.
Usage
Use this package by creating a new repository object and calling methods on it.
package main
import (
"encoding/hex"
"fmt"
"net/http"
"os"
"time"
"github.com/docker/distribution/registry/client/auth"
"github.com/docker/distribution/registry/client/auth/challenge"
"github.com/docker/distribution/registry/client/transport"
notary "github.com/theupdateframework/notary/client"
"github.com/theupdateframework/notary/trustpinning"
"github.com/theupdateframework/notary/tuf/data"
)
func main() {
rootDir := ".trust"
if err := os.MkdirAll(rootDir, 0700); err != nil {
panic(err)
}
server := "https://notary.docker.io"
image := "docker.io/library/alpine"
repo, err := notary.NewFileCachedNotaryRepository(
rootDir,
data.GUN(image),
server,
makeHubTransport(server, image),
nil,
trustpinning.TrustPinConfig{},
)
targets, err := repo.ListTargets()
if err != nil {
panic(err)
}
for _, tgt := range targets {
fmt.Printf("%s\t%s\n", tgt.Name, hex.EncodeToString(tgt.Hashes["sha256"]))
}
}
func makeHubTransport(server, image string) http.RoundTripper {
base := http.DefaultTransport
modifiers := []transport.RequestModifier{
transport.NewHeaderRequestModifier(http.Header{
"User-Agent": []string{"my-client"},
}),
}
authTransport := transport.NewTransport(base, modifiers...)
pingClient := &http.Client{
Transport: authTransport,
Timeout: 5 * time.Second,
}
req, err := http.NewRequest("GET", server+"/v2/", nil)
if err != nil {
panic(err)
}
challengeManager := challenge.NewSimpleManager()
resp, err := pingClient.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
if err := challengeManager.AddResponse(resp); err != nil {
panic(err)
}
tokenHandler := auth.NewTokenHandler(base, nil, image, "pull")
modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, auth.NewBasicHandler(nil)))
return transport.NewTransport(base, modifiers...)
}
*/
//Package client implements everything required for interacting with a Notary repository.
package client
import (

View File

@ -3,6 +3,7 @@ package trustmanager
import (
"encoding/pem"
"errors"
"fmt"
"io"
"io/ioutil"
"path/filepath"
@ -102,6 +103,7 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN
var (
writeTo string
toWrite []byte
errBlocks []string
)
for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
handleLegacyPath(block)
@ -110,6 +112,7 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN
loc, err := checkValidity(block)
if err != nil {
// already logged in checkValidity
errBlocks = append(errBlocks, err.Error())
continue
}
@ -157,6 +160,9 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN
if toWrite != nil { // close out final iteration if there's data left
return importToStores(to, writeTo, toWrite)
}
if len(errBlocks) > 0 {
return fmt.Errorf("failed to import all keys: %s", strings.Join(errBlocks, ", "))
}
return nil
}

View File

@ -4,7 +4,9 @@ package yubikey
var possiblePkcs11Libs = []string{
"/usr/lib/libykcs11.so",
"/usr/lib/libykcs11.so.1", // yubico-piv-tool on Fedora installs here
"/usr/lib64/libykcs11.so",
"/usr/lib64/libykcs11.so.1", // yubico-piv-tool on Fedora installs here
"/usr/lib/x86_64-linux-gnu/libykcs11.so",
"/usr/local/lib/libykcs11.so",
}

View File

@ -248,18 +248,15 @@ func (tr *Repo) GetDelegationRole(name data.RoleName) (data.DelegationRole, erro
}
// Check all public key certificates in the role for expiry
// Currently we do not reject expired delegation keys but warn if they might expire soon or have already
for keyID, pubKey := range delgRole.Keys {
for _, pubKey := range delgRole.Keys {
certFromKey, err := utils.LoadCertFromPEM(pubKey.Public())
if err != nil {
continue
}
if err := utils.ValidateCertificate(certFromKey, true); err != nil {
if _, ok := err.(data.ErrCertExpired); !ok {
// do not allow other invalid cert errors
//Don't check the delegation certificate expiry once added, use the TUF role expiry instead
if err := utils.ValidateCertificate(certFromKey, false); err != nil {
return err
}
logrus.Warnf("error with delegation %s key ID %d: %s", delgRole.Name, keyID, err)
}
}
foundRole = &delgRole
return StopWalk{}

View File

@ -6,7 +6,7 @@ github.com/bugsnag/panicwrap e2c28503fcd0675329da73bf48b33404db873782
github.com/bugsnag/osext 0dd3f918b21bec95ace9dc86c7e70266cfc5c702
github.com/docker/distribution edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c
github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
github.com/docker/go-connections 7395e3f8aa162843a74ed6d48e79627d9792ac55
github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06
github.com/dvsekhvalnov/jose2go 6387d3c1f5abd8443b223577d5a7e0f4e0e5731f # v1.2
github.com/go-sql-driver/mysql a0583e0143b1624142adab07e0e97fe106d99561 # v1.3
@ -15,22 +15,22 @@ github.com/jinzhu/gorm 5409931a1bb87e484d68d649af9367c207713ea2
github.com/jinzhu/inflection 1c35d901db3da928c72a72d8458480cc9ade058f
github.com/lib/pq 0dad96c0b94f8dee039aa40467f767467392a0af
github.com/mattn/go-sqlite3 b4142c444a8941d0d92b0b7103a24df9cd815e42 # v1.0.0
github.com/miekg/pkcs11 ba39b9c6300b7e0be41b115330145ef8afdff7d6
github.com/miekg/pkcs11 5f6e0d0dad6f472df908c8e968a98ef00c9224bb
github.com/mitchellh/go-homedir df55a15e5ce646808815381b3db47a8c66ea62f4
github.com/prometheus/client_golang 449ccefff16c8e2b7229f6be1921ba22f62461fe
github.com/prometheus/client_model fa8ad6fec33561be4280a8f0514318c79d7f6cb6 # model-0.0.2-12-gfa8ad6f
github.com/prometheus/procfs b1afdc266f54247f5dc725544f5d351a8661f502
github.com/prometheus/common 4fdc91a58c9d3696b982e8a680f4997403132d44
github.com/golang/protobuf c3cefd437628a0b7d31b34fe44b3a7a540e98527
github.com/spf13/cobra f368244301305f414206f889b1735a54cfc8bde8
github.com/spf13/cobra 7b2c5ac9fc04fc5efafb60700713d4fa609b777b # v0.0.1
github.com/spf13/viper be5ff3e4840cf692388bde7a057595a474ef379e
golang.org/x/crypto 76eec36fa14229c4b25bb894c2d0e591527af429
golang.org/x/net 6a513affb38dc9788b449d59ffed099b8de18fa0
golang.org/x/sys 739734461d1c916b6c72a63d7efda2b27edb369f
golang.org/x/sys 314a259e304ff91bd6985da2a7149bbf91237993
google.golang.org/grpc 708a7f9f3283aa2d4f6132d287d78683babe55c8 # v1.0.5
github.com/pkg/errors 839d9e913e063e28dfd0e6c7b7512793e0a48be9
github.com/spf13/pflag cb88ea77998c3f024757528e3305022ab50b43be
github.com/spf13/pflag e57e3eeb33f795204c1ca35f56c44f83227c6e66 # v1.0.0
github.com/spf13/cast 4d07383ffe94b5e5a6fa3af9211374a4507a0184
gopkg.in/yaml.v2 bef53efd0c76e49e6de55ead051f886bea7e9420
gopkg.in/fatih/pool.v2 cba550ebf9bce999a02e963296d4bc7a486cb715