From w.bergsten at sirrix.com Mon Aug 4 15:39:04 2014 From: w.bergsten at sirrix.com (Wolfgang Meyer zu Bergsten) Date: Mon, 4 Aug 2014 15:39:04 +0200 Subject: [gnutls-devel] [PATCH] improve compatibility in pkcs11 key generation Message-ID: <53DF8CF8.70605@sirrix.com> Hello, find attached a patch for improving the compatibilty of key generation with the "CardOS API 5.1" PKCS#11 library. regards Wolfgang -------------- next part -------------- >From 85380b62e121456b188995836ced4b68b888ad20 Mon Sep 17 00:00:00 2001 From: Wolfgang Meyer zu Bergsten Date: Mon, 4 Aug 2014 15:32:53 +0200 Subject: [PATCH] improve compatibility in pkcs11 key generation * add key wrap/unwrap key usage * explicitly set public exponent in template --- devel/openssl | 1 - lib/pkcs11_privkey.c | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) delete mode 160000 devel/openssl diff --git a/devel/openssl b/devel/openssl deleted file mode 160000 index e09ea62..0000000 --- a/devel/openssl +++ /dev/null @@ -1 +0,0 @@ -Subproject commit e09ea622bba106e13ab85173c205f354b0f1d481 diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index aba9f9d..686a85e 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -684,6 +684,8 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk, mech.parameter_len = 0; mech.mechanism = pk_to_genmech(pk, &key_type); + char pubEx[3] = { 1,0,1 }; // 65537 = 0x10001 + switch (pk) { case GNUTLS_PK_RSA: p[p_val].type = CKA_DECRYPT; @@ -696,6 +698,11 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk, p[p_val].value_len = sizeof(tval); p_val++; + p[p_val].type = CKA_UNWRAP; + p[p_val].value = (void*)&tval; + p[p_val].value_len = sizeof(tval); + p_val++; + a[a_val].type = CKA_ENCRYPT; a[a_val].value = (void *) &tval; a[a_val].value_len = sizeof(tval); 
@@ -706,10 +713,21 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk, a[a_val].value_len = sizeof(tval); a_val++; + a[a_val].type = CKA_WRAP; + a[a_val].value = (void*)&tval; + a[a_val].value_len = sizeof(tval); + a_val++; + a[a_val].type = CKA_MODULUS_BITS; a[a_val].value = &_bits; a[a_val].value_len = sizeof(_bits); a_val++; + + a[a_val].type = CKA_PUBLIC_EXPONENT; + a[a_val].value = pubEx; + a[a_val].value_len = sizeof(pubEx); + a_val++; + break; case GNUTLS_PK_DSA: p[p_val].type = CKA_SIGN; -- 1.9.3 From w.bergsten at sirrix.com Mon Aug 4 15:25:14 2014 From: w.bergsten at sirrix.com (Wolfgang Meyer zu Bergsten) Date: Mon, 4 Aug 2014 15:25:14 +0200 Subject: [gnutls-devel] [PATCH] add pubkey export from private key in pkcs11 subsystem Message-ID: <53DF89BA.8070708@sirrix.com> Hello, there are cases where we need to export the public key of private key at a later time. Previously, the public key was only available immediately after creation of a key pair. This patch allows to retrieve the public key of a private key at any time after creation. regards Wolfgang Meyer zu Bergsten -------------- next part -------------- >From 7f74419681967435fecb4bc1ee965ca4ed8cea0f Mon Sep 17 00:00:00 2001 From: Wolfgang Meyer zu Bergsten Date: Mon, 4 Aug 2014 15:09:05 +0200 Subject: [PATCH] add pubkey export from private key in pkcs11 subsystem There are cases where we need to export the public key of private key at a later time. Previously, the public key was only available immediately after creation of a key pair. This patch allows to retrieve the public key of a private key at any time after creation. --- lib/includes/gnutls/pkcs11.h | 6 +++ lib/libgnutls.map | 1 + lib/pkcs11_privkey.c | 117 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 124 insertions(+) diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h index 87a54f2..e7445b8 100644 --- a/lib/includes/gnutls/pkcs11.h +++ b/lib/includes/gnutls/pkcs11.h 
@@ -349,6 +349,12 @@ gnutls_pkcs11_privkey_generate2(const char *url, unsigned int flags); int +gnutls_pkcs11_privkey_get_pubkey (const char* url, gnutls_pk_algorithm_t pk, + gnutls_x509_crt_fmt_t fmt, + gnutls_datum_t * pubkey, + unsigned int flags); + +int gnutls_pkcs11_token_get_random(const char *token_url, void *data, size_t len); diff --git a/lib/libgnutls.map b/lib/libgnutls.map index 263ad0e..9a47be7 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -856,6 +856,7 @@ GNUTLS_3_1_0 { gnutls_ocsp_status_request_is_checked; gnutls_sign_is_secure; gnutls_pkcs11_privkey_generate2; + gnutls_pkcs11_privkey_get_pubkey; gnutls_x509_crt_get_policy; gnutls_x509_policy_release; gnutls_x509_crt_set_policy; diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index a9c473e..aba9f9d 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c 
@@ -864,6 +864,123 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk, return ret; } +/* + * gnutls_pkcs11_privkey_get_pubkey + * @url: a private key url + * @pk: the public key algorithm + * @fmt: the format of output params. PEM or DER. + * @pubkey: will hold the public key + * @flags: should be zero + * + * This function will extract the public key (modulus and public + * exponent) from the private key specified by the @url private key. + * This public key will be stored in @pubkey in the format specified + * by @fmt. @pubkey should be deinitialized using gnutls_free(). + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a + * negative error value. + **/ +int +gnutls_pkcs11_privkey_get_pubkey (const char* url, gnutls_pk_algorithm_t pk, + gnutls_x509_crt_fmt_t fmt, + gnutls_datum_t * pubkey, + unsigned int flags) +{ + ck_object_handle_t priv = NULL; + struct pkcs11_session_info sinfo; + struct p11_kit_uri *info = NULL; + struct ck_mechanism mech; + gnutls_pubkey_t pkey = NULL; + gnutls_pkcs11_obj_t obj = NULL; + gnutls_pkcs11_privkey_t privkey = NULL; + int ret; + + memset(&sinfo, 0, sizeof(sinfo)); + + if (!pubkey) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } + + /* extract the public key */ + ret = gnutls_pkcs11_privkey_init(&privkey); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + ret = gnutls_pkcs11_privkey_import_url(privkey, url, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + priv = privkey->obj; + + ret = gnutls_pubkey_init(&pkey); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = gnutls_pkcs11_obj_init(&obj); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + if (privkey->sinfo.init) { + memcpy(&sinfo, &privkey->sinfo, sizeof(sinfo)); + } else { + ret = pkcs11_url_to_info(url, &info); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = pkcs11_open_session(&sinfo, NULL, info, + pkcs11_obj_flags_to_int(flags)); + 
p11_kit_uri_free(info); + + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + } + + obj->pk_algorithm = pk; + obj->type = GNUTLS_PKCS11_OBJ_PUBKEY; + mech.mechanism = pk_to_genmech(pk); + ret = pkcs11_read_pubkey(sinfo.module, sinfo.pks, priv, mech.mechanism, obj->pubkey); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = gnutls_pubkey_import_pkcs11(pkey, obj, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = gnutls_pubkey_export2(pkey, fmt, pubkey); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + + cleanup: + if (obj != NULL) + gnutls_pkcs11_obj_deinit(obj); + if (pkey != NULL) + gnutls_pubkey_deinit(pkey); + if (privkey != NULL) + gnutls_privkey_deinit(privkey); + if (sinfo.pks != 0) + pkcs11_close_session(&sinfo); + + return ret; +} + /** * gnutls_pkcs11_privkey_set_pin_function: * @key: The private key -- 1.9.3 From nmav at gnutls.org Tue Aug 5 13:41:17 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 5 Aug 2014 13:41:17 +0200 Subject: [gnutls-devel] [PATCH] improve compatibility in pkcs11 key generation In-Reply-To: <53DF8CF8.70605@sirrix.com> References: <53DF8CF8.70605@sirrix.com> Message-ID: On Mon, Aug 4, 2014 at 3:39 PM, Wolfgang Meyer zu Bergsten wrote: > Hello, > find attached a patch for improving the compatibilty of key generation > with the "CardOS API 5.1" PKCS#11 library. Hello, Wouldn't that be better if both unwrap and fixed exponent be set using special flags? That is create the flags, e.g., GNUTLS_PKCS11_GEN_RSA_EXP_65537, GNUTLS_PKCS11_GEN_KEY_UNWRAP, GNUTLS_PKCS11_GEN_KEY_WRAP, which will enable that specific functionality for the key. regards, Nikos From nmav at gnutls.org Tue Aug 5 13:52:49 2014 
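Review bot: The first "improve compatibility in pkcs11 key generation" patch also deletes the devel/openssl submodule entry ("delete mode 160000 devel/openssl"), which the commit message does not mention; drop that file from the commit unless the removal is intended. In lib/pkcs11_privkey.c the CKA_UNWRAP and CKA_WRAP attributes are added unconditionally in the GNUTLS_PK_RSA case, so every RSA key generated by existing callers gains wrap/unwrap usage; making this opt-in keeps key usage as narrow as it was. The declaration "char pubEx[3] = { 1,0,1 };" sits after the "mech.mechanism = ..." statement and uses a // comment; move it up with the other locals and, since it is a read-only byte string, consider "static const unsigned char".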
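Review bot: In the first version of gnutls_pkcs11_privkey_get_pubkey(), "mech.mechanism = pk_to_genmech(pk);" passes one argument, while the call visible in the key generation patch is "pk_to_genmech(pk, &key_type)"; add the key_type argument so the two calls agree. In the cleanup block, privkey is a gnutls_pkcs11_privkey_t created with gnutls_pkcs11_privkey_init() but is released with "gnutls_privkey_deinit(privkey)"; use the matching gnutls_pkcs11_privkey_deinit().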
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 5 Aug 2014 13:52:49 +0200
Subject: [gnutls-devel] [PATCH] add pubkey export from private key in pkcs11 subsystem
In-Reply-To: <53DF89BA.8070708@sirrix.com>
References: <53DF89BA.8070708@sirrix.com>
Message-ID:

On Mon, Aug 4, 2014 at 3:25 PM, Wolfgang Meyer zu Bergsten wrote:
> Hello,
> there are cases where we need to export the public key of private
> key at a later time. Previously, the public key was only available
> immediately after creation of a key pair. This patch allows to
> retrieve the public key of a private key at any time after
> creation.

Hello,
That's a nice functionality and it would allow _gnutls_privkey_get_mpis() work for pkcs11 private keys as well.

> int
> gnutls_pkcs11_privkey_get_pubkey (const char* url, gnutls_pk_algorithm_t pk,
> gnutls_x509_crt_fmt_t fmt,
> gnutls_datum_t * pubkey,
> unsigned int flags)

The pk parameter looks a bit awkward. Wouldn't it be straightforward to omit it, and use gnutls_pkcs11_privkey_get_pk_algorithm() to obtain it on demand?

regards,
Nikos

From w.bergsten at sirrix.com Tue Aug 5 14:10:36 2014
From: w.bergsten at sirrix.com (Wolfgang Meyer zu Bergsten)
Date: Tue, 5 Aug 2014 14:10:36 +0200
Subject: [gnutls-devel] [PATCH] improve compatibility in pkcs11 key generation
In-Reply-To:
References: <53DF8CF8.70605@sirrix.com>
Message-ID: <53E0C9BC.4080106@sirrix.com>

Hello.

On 05.08.2014 13:41, Nikos Mavrogiannopoulos wrote:
> On Mon, Aug 4, 2014 at 3:39 PM, Wolfgang Meyer zu Bergsten
> wrote:
>> Hello,
>> find attached a patch for improving the compatibility of key generation
>> with the "CardOS API 5.1" PKCS#11 library.
>
> Hello,
> Wouldn't that be better if both unwrap and fixed exponent be set
> using special flags? That is create the flags, e.g.,
> GNUTLS_PKCS11_GEN_RSA_EXP_65537, GNUTLS_PKCS11_GEN_KEY_UNWRAP,
> GNUTLS_PKCS11_GEN_KEY_WRAP, which will enable that specific
> functionality for the key.

Regarding the exponent, 0x10001 is the standard exponent that is used by PKCS#11 libraries if no CKA_PUBLIC_EXPONENT is provided. So stating it explicitly only improves compatibility with some PKCS#11 providers. (see http://www.cryptsoft.com/pkcs11doc/v230/group__SEC__11__1__4__PKCS____1__RSA__KEY__PAIR__GENERATION.html)
Thus the library behaviour does not change and the flag should not be necessary. Do you still want the change?

Regarding the KEY_UNWRAP and KEY_WRAP flags: I will change it according to your proposal.

regards
Wolfgang

From nmav at gnutls.org Tue Aug 5 14:15:12 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 5 Aug 2014 14:15:12 +0200
Subject: [gnutls-devel] [PATCH] improve compatibility in pkcs11 key generation
In-Reply-To: <53E0C9BC.4080106@sirrix.com>
References: <53DF8CF8.70605@sirrix.com> <53E0C9BC.4080106@sirrix.com>
Message-ID:

On Tue, Aug 5, 2014 at 2:10 PM, Wolfgang Meyer zu Bergsten wrote:
>> Wouldn't that be better if both unwrap and fixed exponent be set
>> using special flags? That is create the flags, e.g.,
>> GNUTLS_PKCS11_GEN_RSA_EXP_65537, GNUTLS_PKCS11_GEN_KEY_UNWRAP,
>> GNUTLS_PKCS11_GEN_KEY_WRAP, which will enable that specific
>> functionality for the key.
> Regarding the exponent, 0x10001 is the standard exponent that is used by
> PKCS#11 libraries if no CKA_PUBLIC_EXPONENT is provided. So stating it
> explicitly only improves compatibility with some PKCS#11 providers.
> (see
> http://www.cryptsoft.com/pkcs11doc/v230/group__SEC__11__1__4__PKCS____1__RSA__KEY__PAIR__GENERATION.html)
> Thus the library behaviour does not change and the flag should not be
> necessary. Do you still want the change?
> Regarding the KEY_UNWRAP and KEY_WRAP flags: I will change it according
> to your proposal.

That makes sense. I.e., only the wrap and unwrap flags are needed.

regards,
Nikos

From m at mqas.net Wed Aug 6 11:06:53 2014
From: m at mqas.net (m)
Date: Wed, 06 Aug 2014 19:06:53 +1000
Subject: [gnutls-devel] query server with ECDSA server cert
Message-ID: <53E1F02D.1090903@mqas.net>

i don't seem to get all expected results when querying my server

$ gnutls-cli-debug -p 443 mqas.net
Resolving 'mqas.net'...
Connecting to '58.96.67.63:443'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... no
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.2 support... no
Checking whether we need to disable TLS 1.2... yes
Checking whether we need to disable TLS 1.1... yes
Checking whether we need to disable TLS 1.0... N/A
Checking for Safe renegotiation support... no
Checking for Safe renegotiation support (SCSV)... no
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... yes
Checking for version rollback bug in Client Hello... yes
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... no
Checking whether the server can accept HeartBeat Extension... no
Checking whether the server can accept small records (512 bytes)... no
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... no
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... no
Checking whether the server supports session resumption... no
Checking for anonymous authentication support... no
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... no
Checking ephemeral Diffie-Hellman group info... N/A
Checking for ephemeral EC Diffie-Hellman support... no
Checking ephemeral EC Diffie-Hellman group info... N/A
Checking for AES-GCM cipher support... yes
Checking for AES-CBC cipher support... yes
Checking for CAMELLIA-GCM cipher support... no
Checking for CAMELLIA-CBC cipher support... no
Checking for 3DES-CBC cipher support... no
Checking for ARCFOUR 128 cipher support... no
Checking for MD5 MAC support... no
Checking for SHA1 MAC support... yes
Checking for SHA256 MAC support... yes
Checking for ZLIB compression support... no
Checking for max record size... no
Checking for OpenPGP authentication support... no

?

From nmav at gnutls.org Wed Aug 6 13:44:26 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 6 Aug 2014 13:44:26 +0200
Subject: [gnutls-devel] query server with ECDSA server cert
In-Reply-To: <53E1F02D.1090903@mqas.net>
References: <53E1F02D.1090903@mqas.net>
Message-ID:

On Wed, Aug 6, 2014 at 11:06 AM, m wrote:
> i don't seem to get all expected results when querying my server
> Checking for ephemeral EC Diffie-Hellman support... no
> Checking ephemeral EC Diffie-Hellman group info... N/A

Is it the ones above you're referring to? It seems the list of default ciphers was made long time ago and that caused gnutls-cli-debug to misbehave on servers that have only AES. It's now fixed at:
https://www.gitorious.org/gnutls/gnutls/commit/a2e717a31212aa2f09f19e533cba7e7163e1a0e9

regards,
Nikos

From w.bergsten at sirrix.com Wed Aug 6 14:34:44 2014
From: w.bergsten at sirrix.com (Wolfgang Meyer zu Bergsten) Date: Wed, 6 Aug 2014 14:34:44 +0200 Subject: [gnutls-devel] [PATCH] improve compatibility in pkcs11 key generation In-Reply-To: References: <53DF8CF8.70605@sirrix.com> <53E0C9BC.4080106@sirrix.com> Message-ID: <53E220E4.8020105@sirrix.com> Hello Am 05.08.2014 14:15, schrieb Nikos Mavrogiannopoulos: > On Tue, Aug 5, 2014 at 2:10 PM, Wolfgang Meyer zu Bergsten > wrote: > >>> Wouldn't that be better if both unwrap and fixed exponent be set >>> using special flags? That is create the flags, e.g., >>> GNUTLS_PKCS11_GEN_RSA_EXP_65537, GNUTLS_PKCS11_GEN_KEY_UNWRAP, >>> GNUTLS_PKCS11_GEN_KEY_WRAP, which will enable that specific >>> functionality for the key. >> Regarding the exponent, 0x10001 is the standard exponent that is used by >> PKCS#11 libraries if no CKA_PUBLIC_EXPONENT is provided. So stating it >> explicitly only improves compatibility with some PKCS#11 providers. >> (see >> http://www.cryptsoft.com/pkcs11doc/v230/group__SEC__11__1__4__PKCS____1__RSA__KEY__PAIR__GENERATION.html) >> Thus the library behaviour does not change and the flag should not be >> necessary. Do you still want the change? >> Regarding the KEY_UNWRAP and KEY_WRAP flags: I will change it according >> to your proposal. > > That makes sense. I.e., only the wrap and unwrap flags are needed. I added just one flag GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP because: * KEY_WRAP without KEY_UNWRAP are corresponding to the public vs. private part of the key and I cannot think of uses that require just one parameter to be set. Therefore only one flag. * the parameter gets passed into the function like the other _OBJ_ flags. Therefore the name. If you have any objections, I will change things accordingly. regards Wolfgang -------------- next part -------------- >From 286a153debe07482e6a6b1d3ffdbea3ec3e965fe Mon Sep 17 00:00:00 2001 
From: Wolfgang Meyer zu Bergsten Date: Mon, 4 Aug 2014 15:32:53 +0200 Subject: [PATCH 1/3] improve compatibility in pkcs11 key generation * add key wrap/unwrap key usage * explicitly set public exponent in template Signed-off-by: Wolfgang Meyer zu Bergsten --- lib/includes/gnutls/pkcs11.h | 1 + lib/pkcs11_privkey.c | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h index 87a54f2..8f2d2d7 100644 --- a/lib/includes/gnutls/pkcs11.h +++ b/lib/includes/gnutls/pkcs11.h @@ -104,6 +104,7 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj, #define GNUTLS_PKCS11_OBJ_FLAG_COMPARE (1<<9) /* The object must be fully compared */ #define GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE (1<<10) /* The object must be present in a marked as trusted module */ #define GNUTLS_PKCS11_OBJ_FLAG_MARK_CA (1<<11) /* object marked as CA */ +#define GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP (1<<12) /* generated keypair shall support key wrap/unwrap */ /** * gnutls_pkcs11_url_type_t: diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index a9c473e..5575efc 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -655,6 +655,7 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk, gnutls_pkcs11_obj_t obj = NULL; gnutls_datum_t der = {NULL, 0}; ck_key_type_t key_type; + char pubEx[3] = { 1,0,1 }; // 65537 = 0x10001 PKCS11_CHECK_INIT; @@ -710,6 +711,12 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk, a[a_val].value = &_bits; a[a_val].value_len = sizeof(_bits); a_val++; + + a[a_val].type = CKA_PUBLIC_EXPONENT; + a[a_val].value = pubEx; + a[a_val].value_len = sizeof(pubEx); + a_val++; + break; case GNUTLS_PK_DSA: p[p_val].type = CKA_SIGN; 
@@ -760,6 +767,20 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk, goto cleanup; } + /* + * on request, add the CKA_WRAP/CKA_UNWRAP key attribute + */ + if (flags & GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP) { + p[p_val].type = CKA_UNWRAP; + p[p_val].value = (void*)&tval; + p[p_val].value_len = sizeof(tval); + p_val++; + a[a_val].type = CKA_WRAP; + a[a_val].value = (void*)&tval; + a[a_val].value_len = sizeof(tval); + a_val++; + } + /* a private key is set always as private unless * requested otherwise */ -- 1.9.3 From w.bergsten at sirrix.com Wed Aug 6 14:34:57 2014 From: w.bergsten at sirrix.com (Wolfgang Meyer zu Bergsten) Date: Wed, 6 Aug 2014 14:34:57 +0200 Subject: [gnutls-devel] [PATCH] add pubkey export from private key in pkcs11 subsystem In-Reply-To: References: <53DF89BA.8070708@sirrix.com> Message-ID: <53E220F1.6060000@sirrix.com> Hello Am 05.08.2014 13:52, schrieb Nikos Mavrogiannopoulos: > On Mon, Aug 4, 2014 at 3:25 PM, Wolfgang Meyer zu Bergsten > wrote: >> Hello, >> there are cases where we need to export the public key of private >> key at a later time. Previously, the public key was only available >> immediately after creation of a key pair. This patch allows to >> retrieve the public key of a private key at any time after >> creation. > > Hello, > That's a nice functionality and it would allow > _gnutls_privkey_get_mpis() work for pkcs11 private keys as well. > >> int >> gnutls_pkcs11_privkey_get_pubkey (const char* url, gnutls_pk_algorithm_t pk, >> gnutls_x509_crt_fmt_t fmt, >> gnutls_datum_t * pubkey, >> unsigned int flags) > > The pk parameter looks a bit awkward. Wouldn't it be straightforward > to omit it, and use gnutls_pkcs11_privkey_get_pk_algorithm() to obtain > it on demand? I changed it accordingly. Furthermore, I added the functionality to p11tool. See the attached patches. regards Wolfgang -------------- next part -------------- >From 6faa2029c7d093592f34ddad21f4a34bd6aa2b46 Mon Sep 17 00:00:00 2001 
From: Wolfgang Meyer zu Bergsten Date: Mon, 4 Aug 2014 15:09:05 +0200 Subject: [PATCH 2/3] add pubkey export from private key in pkcs11 subsystem There are cases where we need to export the public key of private key at a later time. Previously, the public key was only available immediately after creation of a key pair. This patch allows to retrieve the public key of a private key at any time after creation. Signed-off-by: Wolfgang Meyer zu Bergsten --- lib/includes/gnutls/pkcs11.h | 6 +++ lib/libgnutls.map | 1 + lib/pkcs11_privkey.c | 117 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 124 insertions(+) diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h index 8f2d2d7..75a16c4 100644 --- a/lib/includes/gnutls/pkcs11.h +++ b/lib/includes/gnutls/pkcs11.h @@ -350,6 +350,12 @@ gnutls_pkcs11_privkey_generate2(const char *url, unsigned int flags); int +gnutls_pkcs11_privkey_get_pubkey (const char* url, + gnutls_x509_crt_fmt_t fmt, + gnutls_datum_t * pubkey, + unsigned int flags); + +int gnutls_pkcs11_token_get_random(const char *token_url, void *data, size_t len); diff --git a/lib/libgnutls.map b/lib/libgnutls.map index bc5837d..2989e74 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -856,6 +856,7 @@ GNUTLS_3_1_0 { gnutls_ocsp_status_request_is_checked; gnutls_sign_is_secure; gnutls_pkcs11_privkey_generate2; + gnutls_pkcs11_privkey_get_pubkey; gnutls_x509_crt_get_policy; gnutls_x509_policy_release; gnutls_x509_crt_set_policy; diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index 5575efc..b67e482 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c 
@@ -885,6 +885,123 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk, return ret; } +/* + * gnutls_pkcs11_privkey_get_pubkey + * @url: a private key url + * @fmt: the format of output params. PEM or DER. + * @pubkey: will hold the public key + * @flags: should be zero + * + * This function will extract the public key (modulus and public + * exponent) from the private key specified by the @url private key. + * This public key will be stored in @pubkey in the format specified + * by @fmt. @pubkey should be deinitialized using gnutls_free(). + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a + * negative error value. + **/ +int +gnutls_pkcs11_privkey_get_pubkey (const char* url, + gnutls_x509_crt_fmt_t fmt, + gnutls_datum_t * pubkey, + unsigned int flags) +{ + ck_object_handle_t priv; + struct pkcs11_session_info sinfo; + struct p11_kit_uri *info = NULL; + struct ck_mechanism mech; + gnutls_pubkey_t pkey = NULL; + gnutls_pkcs11_obj_t obj = NULL; + gnutls_pkcs11_privkey_t privkey = NULL; + ck_key_type_t key_type; + int ret; + + memset(&sinfo, 0, sizeof(sinfo)); + + if (!pubkey) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } + + /* extract the public key */ + ret = gnutls_pkcs11_privkey_init(&privkey); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + ret = gnutls_pkcs11_privkey_import_url(privkey, url, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + priv = privkey->obj; + + ret = gnutls_pubkey_init(&pkey); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = gnutls_pkcs11_obj_init(&obj); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + if (privkey->sinfo.init) { + memcpy(&sinfo, &privkey->sinfo, sizeof(sinfo)); + } else { + ret = pkcs11_url_to_info(url, &info); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = pkcs11_open_session(&sinfo, NULL, info, + pkcs11_obj_flags_to_int(flags)); + p11_kit_uri_free(info); + + if (ret < 0) { + 
gnutls_assert(); + goto cleanup; + } + } + + obj->pk_algorithm = gnutls_pkcs11_privkey_get_pk_algorithm(privkey, 0); + obj->type = GNUTLS_PKCS11_OBJ_PUBKEY; + mech.mechanism = pk_to_genmech(obj->pk_algorithm, &key_type); + ret = pkcs11_read_pubkey(sinfo.module, sinfo.pks, priv, mech.mechanism, obj->pubkey); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = gnutls_pubkey_import_pkcs11(pkey, obj, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = gnutls_pubkey_export2(pkey, fmt, pubkey); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + + cleanup: + if (obj != NULL) + gnutls_pkcs11_obj_deinit(obj); + if (pkey != NULL) + gnutls_pubkey_deinit(pkey); + if (privkey != NULL) + gnutls_pkcs11_privkey_deinit(privkey); + if (sinfo.pks != 0) + pkcs11_close_session(&sinfo); + + return ret; +} + /** * gnutls_pkcs11_privkey_set_pin_function: * @key: The private key -- 1.9.3 -------------- next part -------------- >From e93fe75937679ad4b95c396e1e4bdfec68d75977 Mon Sep 17 00:00:00 2001 From: Wolfgang Meyer zu Bergsten Date: Wed, 6 Aug 2014 13:20:24 +0200 Subject: [PATCH 3/3] add public key export to p11tool Signed-off-by: Wolfgang Meyer zu Bergsten --- src/p11tool-args.def | 7 +++++++ src/p11tool.c | 2 ++ src/p11tool.h | 2 ++ src/pkcs11.c | 35 +++++++++++++++++++++++++++++++++++ 4 files changed, 46 insertions(+) diff --git a/src/p11tool-args.def b/src/p11tool-args.def index a20d2ef..807be43 100644 --- a/src/p11tool-args.def +++ b/src/p11tool-args.def @@ -122,6 +122,13 @@ flag = { doc = "Generates an RSA private-public key pair on the specified token."; }; + +flag = { + name = export-pubkey; + descrip = "Export the public key for a private key"; + doc = "Exports the public key for the specified private key"; +}; + flag = { name = label; arg-type = string; diff --git a/src/p11tool.c b/src/p11tool.c index e2d30ed..afd4413 100644 --- a/src/p11tool.c +++ b/src/p11tool.c 
@@ -269,6 +269,8 @@ static void cmd_parser(int argc, char **argv) get_bits(key_type, bits, sec_param, 0), label, ENABLED_OPT(PRIVATE), detailed_url, login, &cinfo); + } else if (HAVE_OPT(EXPORT_PUBKEY)) { + pkcs11_export_pubkey(outfile, url, detailed_url, login, &cinfo); } else { USAGE(1); } diff --git a/src/p11tool.h b/src/p11tool.h index ba2ef1b..24dd060 100644 --- a/src/p11tool.h +++ b/src/p11tool.h @@ -52,6 +52,8 @@ void pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t type, unsigned int bits, const char *label, int private, int detailed, unsigned int login, common_info_st * info); +void pkcs11_export_pubkey(FILE * outfile, const char *url, int detailed, + unsigned int login, common_info_st * info); #define PKCS11_TYPE_CRT_ALL 1 #define PKCS11_TYPE_TRUSTED 2 diff --git a/src/pkcs11.c b/src/pkcs11.c index de91f43..47bfaac 100644 --- a/src/pkcs11.c +++ b/src/pkcs11.c @@ -577,6 +577,41 @@ pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk, } void +pkcs11_export_pubkey(FILE * outfile, const char *url, int detailed, unsigned int login_flags, common_info_st * info) +{ + int ret; + unsigned int flags = 0; + gnutls_datum_t pubkey; + + if (login_flags) flags = login_flags; + + pkcs11_common(info); + + FIX(url, outfile, detailed, info); + CHECK_LOGIN_FLAG(login_flags); + + if (outfile == stderr || outfile == stdout) { + fprintf(stderr, "warning: no --outfile was specified and the public key will be printed on screen.\n"); + sleep(3); + } + + ret = + gnutls_pkcs11_privkey_get_pubkey(url, + GNUTLS_X509_FMT_PEM, &pubkey, + flags); + if (ret < 0) { + fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, + gnutls_strerror(ret)); + exit(1); + } + + fwrite(pubkey.data, 1, pubkey.size, outfile); + gnutls_free(pubkey.data); + + return; +} + +void pkcs11_init(FILE * outfile, const char *url, const char *label, common_info_st * info) { -- 1.9.3 From nmav at gnutls.org Wed Aug 6 14:50:06 2014 
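Review bot: In [PATCH 1/3], the CKA_UNWRAP/CKA_WRAP block added at line 760 of lib/pkcs11_privkey.c lies outside the GNUTLS_PK_RSA case shown in the preceding hunk, so GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP adds wrap attributes whatever pk is, including the GNUTLS_PK_DSA case that begins with CKA_SIGN. Reject the flag (or ignore it with a documented note) for algorithms that cannot wrap, and mention the new flag in the documentation of gnutls_pkcs11_privkey_generate2(). The "char pubEx[3]" local would also read better as a const unsigned char array with a /* */ comment.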
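Review bot: In [PATCH 2/3], the documentation of gnutls_pkcs11_privkey_get_pubkey() says "@flags: should be zero", but the body passes flags to "pkcs11_obj_flags_to_int(flags)" when it opens a session and patch 3/3 hands in the login flags; document which flags are accepted. The comment opens with "/*" although it closes with "**/" and the neighbouring gnutls_pkcs11_privkey_set_pin_function block opens with "/**". "@pubkey should be deinitialized using gnutls_free()" should name pubkey->data, which is what p11tool frees. In cleanup, when privkey->sinfo.init is set, sinfo is a memcpy of privkey->sinfo and "pkcs11_close_session(&sinfo)" runs after "gnutls_pkcs11_privkey_deinit(privkey)"; please confirm the same session cannot be closed twice on that path.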
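Review bot: In [PATCH 3/3], pkcs11_export_pubkey() in src/pkcs11.c warns that "the public key will be printed on screen" and then calls "sleep(3)" whenever outfile is stdout or stderr; a public key is not secret, so the warning and the three second delay only slow down piping the output and can be dropped. "if (login_flags) flags = login_flags;" is equivalent to assigning flags = login_flags directly, and "gnutls_datum_t pubkey;" would be safer initialized to { NULL, 0 }.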
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 6 Aug 2014 14:50:06 +0200
Subject: [gnutls-devel] [PATCH] improve compatibility in pkcs11 key generation
In-Reply-To: <53E220E4.8020105@sirrix.com>
References: <53DF8CF8.70605@sirrix.com> <53E0C9BC.4080106@sirrix.com> <53E220E4.8020105@sirrix.com>
Message-ID:

On Wed, Aug 6, 2014 at 2:34 PM, Wolfgang Meyer zu Bergsten wrote:
> Hello
>>>> Wouldn't that be better if both unwrap and fixed exponent be set
>>>> using special flags? That is create the flags, e.g.,
>>>> GNUTLS_PKCS11_GEN_RSA_EXP_65537, GNUTLS_PKCS11_GEN_KEY_UNWRAP,
>>>> GNUTLS_PKCS11_GEN_KEY_WRAP, which will enable that specific
>>>> functionality for the key.
>>> Regarding the exponent, 0x10001 is the standard exponent that is used by
>>> PKCS#11 libraries if no CKA_PUBLIC_EXPONENT is provided. So stating it
>>> explicitly only improves compatibility with some PKCS#11 providers.
>>> (see
>>> http://www.cryptsoft.com/pkcs11doc/v230/group__SEC__11__1__4__PKCS____1__RSA__KEY__PAIR__GENERATION.html)
>>> Thus the library behaviour does not change and the flag should not be
>>> necessary. Do you still want the change?
>>> Regarding the KEY_UNWRAP and KEY_WRAP flags: I will change it according
>>> to your proposal.
>> That makes sense. I.e., only the wrap and unwrap flags are needed.
> I added just one flag GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP because:
> * KEY_WRAP without KEY_UNWRAP are corresponding to the public vs.
> private part of the key and I cannot think of uses that require just
> one parameter to be set. Therefore only one flag.
> * the parameter gets passed into the function like the other _OBJ_
> flags. Therefore the name.
> If you have any objections, I will change things accordingly.

Applied, thank you.

From nmav at gnutls.org Wed Aug 6 15:18:51 2014
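The template layout discussed in this thread, as an added example (not GnuTLS code and not part of any message): the exponent 65537 encoded as the big-endian byte string that CKA_PUBLIC_EXPONENT carries, and CKA_WRAP/CKA_UNWRAP added to the public and private templates only when the caller opts in. struct attr, the helper functions and GEN_FLAG_KEY_WRAP are hypothetical stand-ins, and the base usage attributes are assumed; the CKA_* numbers are the PKCS#11 attribute type values.

```c
/* Added example: stand-alone sketch, not GnuTLS code. struct attr, the
 * helpers and GEN_FLAG_KEY_WRAP are hypothetical; only the CKA_* numbers
 * are the attribute type values from the PKCS#11 specification. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CKA_ENCRYPT         0x104UL
#define CKA_DECRYPT         0x105UL
#define CKA_WRAP            0x106UL
#define CKA_UNWRAP          0x107UL
#define CKA_SIGN            0x108UL
#define CKA_VERIFY          0x10AUL
#define CKA_MODULUS_BITS    0x121UL
#define CKA_PUBLIC_EXPONENT 0x122UL

#define GEN_FLAG_KEY_WRAP (1u << 12) /* hypothetical opt-in flag */
#define MAX_ATTRS 8

struct attr {                 /* simplified stand-in for a PKCS#11 attribute */
	unsigned long type;
	const void *value;
	unsigned long value_len;
};

/* Both templates plus the storage their value pointers refer to; do not
 * copy the struct after building it, the pointers would go stale. */
struct rsa_templates {
	struct attr pub[MAX_ATTRS], priv[MAX_ATTRS];
	size_t n_pub, n_priv;
	unsigned char exp_be[sizeof(uint64_t)];
	unsigned long bits;
	unsigned char tval;
};

/* Minimal big-endian encoding of an RSA public exponent. Returns the byte
 * count, or 0 for exponents that are even or smaller than 3. */
static size_t encode_exponent_be(uint64_t e, unsigned char out[sizeof(uint64_t)])
{
	size_t len = 0, i;
	uint64_t t;

	if (e < 3 || (e & 1) == 0)
		return 0;
	for (t = e; t != 0; t >>= 8)
		len++;
	for (i = 0; i < len; i++)
		out[i] = (unsigned char)(e >> (8 * (len - 1 - i)));
	return len;
}

static int add_attr(struct attr *set, size_t *n, unsigned long type,
		    const void *value, unsigned long len)
{
	if (*n >= MAX_ATTRS)
		return -1;
	set[*n].type = type;
	set[*n].value = value;
	set[*n].value_len = len;
	(*n)++;
	return 0;
}

static const struct attr *find_attr(const struct attr *set, size_t n,
				    unsigned long type)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (set[i].type == type)
			return &set[i];
	return NULL;
}

/* Build the public and private templates for RSA key pair generation.
 * Wrap/unwrap usage is added only on request. Returns 0, or -1 on error. */
static int build_rsa_templates(struct rsa_templates *t, unsigned long bits,
			       uint64_t exponent, unsigned int flags)
{
	size_t exp_len;
	int rc = 0;

	memset(t, 0, sizeof(*t));
	t->bits = bits;
	t->tval = 1; /* CK_TRUE */
	exp_len = encode_exponent_be(exponent, t->exp_be);
	if (exp_len == 0)
		return -1;

	rc |= add_attr(t->priv, &t->n_priv, CKA_DECRYPT, &t->tval, sizeof(t->tval));
	rc |= add_attr(t->priv, &t->n_priv, CKA_SIGN, &t->tval, sizeof(t->tval));
	rc |= add_attr(t->pub, &t->n_pub, CKA_ENCRYPT, &t->tval, sizeof(t->tval));
	rc |= add_attr(t->pub, &t->n_pub, CKA_VERIFY, &t->tval, sizeof(t->tval));
	rc |= add_attr(t->pub, &t->n_pub, CKA_MODULUS_BITS, &t->bits, sizeof(t->bits));
	/* Stated explicitly for providers that do not apply a default. */
	rc |= add_attr(t->pub, &t->n_pub, CKA_PUBLIC_EXPONENT, t->exp_be, exp_len);
	if (flags & GEN_FLAG_KEY_WRAP) {
		/* Unwrap belongs to the private half, wrap to the public half. */
		rc |= add_attr(t->priv, &t->n_priv, CKA_UNWRAP, &t->tval, sizeof(t->tval));
		rc |= add_attr(t->pub, &t->n_pub, CKA_WRAP, &t->tval, sizeof(t->tval));
	}
	return rc ? -1 : 0;
}

int main(void)
{
	struct rsa_templates t;
	const struct attr *e;
	size_t i;

	if (build_rsa_templates(&t, 2048, 65537, GEN_FLAG_KEY_WRAP) != 0)
		return 1;
	e = find_attr(t.pub, t.n_pub, CKA_PUBLIC_EXPONENT);
	printf("CKA_PUBLIC_EXPONENT (%lu bytes):", e->value_len);
	for (i = 0; i < e->value_len; i++)
		printf(" %02x", ((const unsigned char *)e->value)[i]);
	printf("\npublic attrs: %zu, private attrs: %zu\n", t.n_pub, t.n_priv);
	return 0;
}
```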
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 6 Aug 2014 15:18:51 +0200
Subject: [gnutls-devel] [PATCH] add pubkey export from private key in pkcs11 subsystem
In-Reply-To: <53E220F1.6060000@sirrix.com>
References: <53DF89BA.8070708@sirrix.com> <53E220F1.6060000@sirrix.com>
Message-ID:

Thank you. Applied.

On Wed, Aug 6, 2014 at 2:34 PM, Wolfgang Meyer zu Bergsten wrote:
> Hello
>
> On 05.08.2014 13:52, Nikos Mavrogiannopoulos wrote:
>> On Mon, Aug 4, 2014 at 3:25 PM, Wolfgang Meyer zu Bergsten
>> wrote:
>>> Hello,
>>> there are cases where we need to export the public key of private
>>> key at a later time. Previously, the public key was only available
>>> immediately after creation of a key pair. This patch allows to
>>> retrieve the public key of a private key at any time after
>>> creation.
>>
>> Hello,
>> That's a nice functionality and it would allow
>> _gnutls_privkey_get_mpis() work for pkcs11 private keys as well.
>>
>>> int
>>> gnutls_pkcs11_privkey_get_pubkey (const char* url, gnutls_pk_algorithm_t pk,
>>> gnutls_x509_crt_fmt_t fmt,
>>> gnutls_datum_t * pubkey,
>>> unsigned int flags)
>>
>> The pk parameter looks a bit awkward. Wouldn't it be straightforward
>> to omit it, and use gnutls_pkcs11_privkey_get_pk_algorithm() to obtain
>> it on demand?
>
> I changed it accordingly. Furthermore, I added the functionality to
> p11tool. See the attached patches.
>
> regards
> Wolfgang

From nmav at gnutls.org Wed Aug 6 15:59:18 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 6 Aug 2014 15:59:18 +0200
Subject: [gnutls-devel] [PATCH] add pubkey export from private key in pkcs11 subsystem
In-Reply-To:
References: <53DF89BA.8070708@sirrix.com> <53E220F1.6060000@sirrix.com>
Message-ID:

>>>> gnutls_pkcs11_privkey_get_pubkey (const char* url, gnutls_pk_algorithm_t pk,
>>>> gnutls_x509_crt_fmt_t fmt,
>>>> gnutls_datum_t * pubkey,
>>>> unsigned int flags)
>>> The pk parameter looks a bit awkward. Wouldn't it be straightforward
>>> to omit it, and use gnutls_pkcs11_privkey_get_pk_algorithm() to obtain
>>> it on demand?
>> I changed it accordingly. Furthermore, I added the functionality to
>> p11tool. See the attached patches.

After some consideration I modified the prototype to accept a
gnutls_pkcs11_privkey_t instead of directly the URL. That would ease
usage when a private key is already imported, at a small inconvenience
otherwise. The new prototype being (renamed to export for consistency):

int gnutls_pkcs11_privkey_export_pubkey (gnutls_pkcs11_privkey_t pkey,
                                         gnutls_x509_crt_fmt_t fmt,
                                         gnutls_datum_t * pubkey,
                                         unsigned int flags);

regards,
Nikos

From INVALID.NOREPLY at gnu.org Mon Aug 18 18:47:44 2014
From: INVALID.NOREPLY at gnu.org (Armin Burgmeier)
Date: Mon, 18 Aug 2014 16:47:44 +0000
Subject: [gnutls-devel] [sr #108634] Getter functions for gnutls_certificate_credentials_t
Message-ID: <20140818-164743.sv96363.52612@savannah.gnu.org>

URL:

Summary: Getter functions for gnutls_certificate_credentials_t
Project: GnuTLS
Submitted by: aburgm
Submitted on: Mon 18 Aug 2014 04:47:43 PM GMT
Category: Core library
Priority: 5 - Normal
Severity: 1 - Wish
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None

_______________________________________________________

Details:

There are setter functions to set certificate verification flags, trusted CA certificates, and other properties of a gnutls_certificate_credentials_t structure, but there are no corresponding getter functions. Is there a particular reason for this?

I find myself often in the situation where I would like to access some of the fields that I have previously set in the gnutls_certificate_credentials_t structure. For example, I want to verify a certificate, and if the certificate is invalid because the issuer is not found (this I can do with gnutls_certificate_verify_peers), I want to re-validate it with different flags to see whether there are other issues with the certificate (for example, expired). Or after I set the trusted certificates with gnutls_certificate_set_x509_system_trust(), I want to present a list of these certificates in a user interface, so it would be good if I could obtain the list of trusted CAs from the gnutls_certificate_credentials_t structure.

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From nmav at gnutls.org Sun Aug 24 10:04:38 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 24 Aug 2014 10:04:38 +0200
Subject: [gnutls-devel] gnutls 3.3.7
Message-ID: <1408867478.1937.3.camel@nomad.lan>

Hello,
I've just released gnutls 3.3.7. This is a bug-fix release on the next-stable branch.

* Version 3.3.7 (released 2014-08-24)

** libgnutls: Added function to export the public key of a PKCS #11 private key. Contributed by Wolfgang Meyer zu Bergsten.

** libgnutls: Explicitly set the exponent in PKCS #11 key generation. That improves compatibility with certain PKCS #11 modules. Contributed by Wolfgang Meyer zu Bergsten.

** libgnutls: When generating a PKCS #11 private key allow setting the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten.

** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session to the key.

** libgnutls: bundle replacements of inet_pton and inet_aton if not available.

** libgnutls: initialize parameters variable on PKCS #8 decryption.

** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 algorithms.

** libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125 requirement of checking the Common Name (CN) part of DN only if there is a single CN present in the certificate.

** libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used to force the FIPS mode, when set to 1.

** libgnutls: In DTLS ignore only errors that relate to unexpected packets and decryption failures.

** p11tool: Added --info parameter.

** certtool: Added --mark-wrap parameter.

** danetool: --check will attempt to retrieve the server's certificate chain and verify against it.

** danetool/gnutls-cli-debug: Added --app-proto parameters which can be used to enforce starttls (currently only SMTP and IMAP) on the connection.

** danetool: Added openssl linking exception, to allow linking with libunbound.

** API and ABI modifications:
GNUTLS_PKCS11_OBJ_ATTR_MATCH: Added
gnutls_pkcs11_privkey_export_pubkey: Added
gnutls_pkcs11_obj_flags_get_str: Added
gnutls_pkcs11_obj_get_flags: Added

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ and LZIP compressed sources:

ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.7.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.7.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.7.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.7.tar.lz.sig

Note that it has been signed with my openpgp key:

pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From nmav at gnutls.org Sun Aug 24 10:01:58 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 24 Aug 2014 10:01:58 +0200
Subject: [gnutls-devel] gnutls 3.1.26
Message-ID: <1408867318.1937.1.camel@nomad.lan>

Hello,
I've just released gnutls 3.1.26. This is a bug-fix release on the previous stable branch.

* Version 3.1.26 (released 2014-08-24)

** libgnutls: Do not call the post client hello callback twice when resuming using session tickets.

** libgnutls: When the decoding of a printable DN element fails, then treat it as unknown and print its hex value rather than failing. That works around an issue in a TURKTRST root certificate which improperly encodes the X520countryName element.

** libgnutls: initialize parameters variable on PKCS #8 decryption.

** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 algorithms.

** libgnutls: when checking the hostname of a certificate with multiple CNs ensure that the "most specific" CN is being used.

** libgnutls: In DTLS ignore only errors that relate to unexpected packets and decryption failures.

** p11tool: will not implicitly enable so-login for certain types of objects. That avoids issues with tokens that require different login types.

** p11tool: Added --so-login option to force login as security officer (admin).

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ and LZIP compressed sources:

ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.26.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.26.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.26.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.26.tar.lz.sig

Note that it has been signed with my openpgp key:

pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From nmav at gnutls.org Sun Aug 24 10:03:07 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 24 Aug 2014 10:03:07 +0200
Subject: [gnutls-devel] gnutls 3.2.17
Message-ID: <1408867387.1937.2.camel@nomad.lan>

Hello,
I've just released gnutls 3.2.17. This is a bugfix release on the current stable branch.

* Version 3.2.17 (released 2014-08-24)

** libgnutls: initialize parameters variable on PKCS #8 decryption.

** libgnutls: Explicitly set the exponent in PKCS #11 key generation. That improves compatibility with certain PKCS #11 modules. Contributed by Wolfgang Meyer zu Bergsten.

** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 algorithms.

** libgnutls: when checking the hostname of a certificate with multiple CNs ensure that the "most specific" CN is being used.

** libgnutls: In DTLS ignore only errors that relate to unexpected packets and decryption failures.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ and LZIP compressed sources:

ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.17.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.17.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.17.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.17.tar.lz.sig

Note that it has been signed with my openpgp key:

pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From alon.barlev at gmail.com Sun Aug 24 20:57:50 2014
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 24 Aug 2014 21:57:50 +0300 Subject: [gnutls-devel] [PATCH] build: tests: x509cert-tl: support separate builddir Message-ID: <1408906670-11981-1-git-send-email-alon.barlev@gmail.com> Signed-off-by: Alon Bar-Lev --- tests/Makefile.am | 1 + tests/x509cert-tl.c | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/Makefile.am b/tests/Makefile.am index 6638fce..6081358 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -128,6 +128,7 @@ TESTS_ENVIRONMENT = \ PKCS12FILE_2=$(srcdir)/pkcs12-decode/pkcs12_2certs.p12 \ PKCS12PASSWORD_2="" \ PKCS12PATH=$(srcdir)/pkcs12-decode/ \ + X509CERTDIR=$(srcdir)/x509cert-dir/ \ EXEEXT=$(EXEEXT) \ top_builddir="$(top_builddir)" \ srcdir="$(srcdir)" diff --git a/tests/x509cert-tl.c b/tests/x509cert-tl.c index dad7860..5ecc03e 100644 --- a/tests/x509cert-tl.c +++ b/tests/x509cert-tl.c @@ -189,6 +189,7 @@ static time_t mytime(time_t * t) void doit(void) { int ret; + const char *path; gnutls_datum_t data; gnutls_x509_crt_t server_crt, ca_crt2; gnutls_x509_trust_list_t tl; @@ -209,7 +210,10 @@ void doit(void) gnutls_x509_crt_init(&server_crt); gnutls_x509_crt_init(&ca_crt2); - ret = gnutls_x509_trust_list_add_trust_dir(tl, "./x509cert-dir", NULL, GNUTLS_X509_FMT_PEM, 0, 0); + path = getenv("X509CERTDIR"); + if (!path) + path = "./x509cert-dir"; + ret = gnutls_x509_trust_list_add_trust_dir(tl, path, NULL, GNUTLS_X509_FMT_PEM, 0, 0); if (ret != 1) fail("gnutls_x509_trust_list_add_trust_dir: %d\n", ret); -- 1.8.5.5 From alon.barlev at gmail.com Sun Aug 24 20:26:19 2014 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 24 Aug 2014 21:26:19 +0300 Subject: [gnutls-devel] [PATCH] build: condition pkcs11 block Message-ID: <1408904779-4216-1-git-send-email-alon.barlev@gmail.com> Signed-off-by: Alon Bar-Lev --- lib/gnutls_privkey.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c index 24ed6f2..647777e 100644 
--- a/lib/gnutls_privkey.c +++ b/lib/gnutls_privkey.c @@ -198,6 +198,7 @@ _gnutls_privkey_get_mpis(gnutls_privkey_t key, gnutls_pk_params_st * params) case GNUTLS_PRIVKEY_X509: ret = _gnutls_pk_params_copy(params, &key->key.x509->params); break; +#ifdef ENABLE_PKCS11 case GNUTLS_PRIVKEY_PKCS11: { gnutls_pubkey_t pubkey; @@ -210,6 +211,7 @@ _gnutls_privkey_get_mpis(gnutls_privkey_t key, gnutls_pk_params_st * params) break; } +#endif default: gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; -- 1.8.5.5 From lists at schamschula.com Mon Aug 25 01:24:01 2014 
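Review bot: In the second tests/x509cert-tl.c hunk, the fallback `if (!path) path = "./x509cert-dir";` only covers an unset X509CERTDIR; a variable that is set but empty is passed to gnutls_x509_trust_list_add_trust_dir() as "", and any result other than 1 goes to fail() with nothing pointing at the environment. Testing `!path || !*path` keeps the default in that case. The tests/Makefile.am hunk also passes $(srcdir)/x509cert-dir/ with a trailing slash while the fallback string has none; making the two spellings match would avoid a difference between in-tree and separate-builddir runs.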
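Review bot: In lib/gnutls_privkey.c the `#endif` added in the second hunk closes an `#ifdef ENABLE_PKCS11` that opens in the first hunk, several lines away inside the switch of _gnutls_privkey_get_mpis(), so write it as `#endif /* ENABLE_PKCS11 */`. The commit message carries only the Signed-off-by line; it should say what fails to build without ENABLE_PKCS11 and note that a GNUTLS_PRIVKEY_PKCS11 key now reaches the default branch and returns GNUTLS_E_INVALID_REQUEST in such builds.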
From: lists at schamschula.com (Marius Schamschula)
Date: Sun, 24 Aug 2014 18:24:01 -0500
Subject: [gnutls-devel] Build failure for GnuTLS 3.3.7
Message-ID:

Hello,

I'm the maintainer of the MacPorts port of GnuTLS. I updated the Portfile to the current version this afternoon. The build went smoothly on my OS X 10.9.4 system, but the buildbots failed to build GnuTLS 3.3.7:

The problem seems to be a missing stdnoreturn.h header file in src/libopts/autoopts.h:

Making all in libopts
make[4]: Entering directory `/opt/local/var/macports/build/_opt_mports_dports_devel_gnutls/gnutls/work/gnutls-3.3.7/src/libopts'
/bin/sh ../../libtool --tag=CC --mode=compile /usr/bin/clang -DHAVE_CONFIG_H -I. -I../.. -I../.. -I/opt/local/include -pipe -Os -arch x86_64 -MT libopts_la-libopts.lo -MD -MP -MF .deps/libopts_la-libopts.Tpo -c -o libopts_la-libopts.lo `test -f 'libopts.c' || echo './'`libopts.c
libtool: compile: /usr/bin/clang -DHAVE_CONFIG_H -I. -I../.. -I../.. -I/opt/local/include -pipe -Os -arch x86_64 -MT libopts_la-libopts.lo -MD -MP -MF .deps/libopts_la-libopts.Tpo -c libopts.c -fno-common -DPIC -o .libs/libopts_la-libopts.o
In file included from libopts.c:12:
./autoopts.h:35:10: fatal error: 'stdnoreturn.h' file not found
#include
^
1 error generated.
make[4]: *** [libopts_la-libopts.lo] Error 1

The file seems to be part of libopts, the problem seems to have been introduced in version 3.3.7. stdnoreturn.h is part of the next C standard, and seems to be unavailable on older systems.

Upstream commit that added the change was

commit 3d1a66d4f2716c72b146c6ec1feb2d886e2ef3b3
Author: Nikos Mavrogiannopoulos
Date: Tue Jul 29 22:21:36 2014 +0200

updated to lib opts 5.18.3

Is there a workaround for older systems?

Marius

--
Marius Schamschula

From nmav at gnutls.org Mon Aug 25 19:26:10 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 25 Aug 2014 19:26:10 +0200
Subject: [gnutls-devel] [PATCH] build: condition pkcs11 block
In-Reply-To: <1408904779-4216-1-git-send-email-alon.barlev@gmail.com>
References: <1408904779-4216-1-git-send-email-alon.barlev@gmail.com>
Message-ID: <1408987570.2484.1.camel@nomad.lan>

On Sun, 2014-08-24 at 21:26 +0300, Alon Bar-Lev wrote:
> Signed-off-by: Alon Bar-Lev

Thank you. Both applied. I couldn't find your DCO to the archives. If
you haven't sent already could you send the DCO [0] to the list?

regards,
Nikos

[0]. http://www.gnutls.org/devel.html

From alon.barlev at gmail.com Mon Aug 25 19:29:40 2014
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Mon, 25 Aug 2014 20:29:40 +0300
Subject: [gnutls-devel] [PATCH] build: condition pkcs11 block
In-Reply-To: <1408987570.2484.1.camel@nomad.lan>
References: <1408904779-4216-1-git-send-email-alon.barlev@gmail.com> <1408987570.2484.1.camel@nomad.lan>
Message-ID:

On Mon, Aug 25, 2014 at 8:26 PM, Nikos Mavrogiannopoulos wrote:
>
> On Sun, 2014-08-24 at 21:26 +0300, Alon Bar-Lev wrote:
> > Signed-off-by: Alon Bar-Lev
>
> Thank you. Both applied. I couldn't find your DCO to the archives. If
> you haven't sent already could you send the DCO [0] to the list?

Sent, thanks.

>
> regards,
> Nikos
>
> [0]. http://www.gnutls.org/devel.html
>
>

From INVALID.NOREPLY at gnu.org Mon Aug 25 19:34:39 2014
From: INVALID.NOREPLY at gnu.org (Nikos Mavrogiannopoulos)
Date: Mon, 25 Aug 2014 17:34:39 +0000
Subject: [gnutls-devel] [sr #108634] Getter functions for gnutls_certificate_credentials_t
In-Reply-To: <20140818-164743.sv96363.52612@savannah.gnu.org>
References: <20140818-164743.sv96363.52612@savannah.gnu.org>
Message-ID: <20140825-203439.sv707.32318@savannah.gnu.org>

Follow-up Comment #1, sr #108634 (project gnutls):

Indeed it would be convenient to have these functions. The reason they are not there is because they are supposed to be shared between sessions, so it was assumed that all sessions could somehow get access it (e.g. by gnutls_session_set_ptr/get_ptr). I should reconsider though as it would reduce the code required in several cases.

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

From nmav at gnutls.org Mon Aug 25 19:31:37 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 25 Aug 2014 19:31:37 +0200
Subject: [gnutls-devel] Build failure for GnuTLS 3.3.7
In-Reply-To:
References:
Message-ID: <1408987897.2484.3.camel@nomad.lan>

On Sun, 2014-08-24 at 18:24 -0500, Marius Schamschula wrote:
> Hello,
>
> I'm the maintainer of the MacPorts port of GnuTLS. I updated the Portfile to the current version this afternoon. The build went smoothly on my OS X 10.9.4 system, but the buildbots failed to build GnuTLS 3.3.7:
>
> The problem seems to be a missing stdnoreturn.h header file in src/libopts/autoopts.h:

Thank you for reporting it. I've applied a local fix at the link below,
but I'd appreciate if you could report that in autogen upstream, so we
could avoid a future breakage.

https://gitorious.org/gnutls/gnutls/commit/7df42875d1a77189374ca0a9195720cef200c601

regards,
Nikos

From lists at schamschula.com Mon Aug 25 20:37:42 2014
From: lists at schamschula.com (Marius Schamschula)
Date: Mon, 25 Aug 2014 13:37:42 -0500
Subject: [gnutls-devel] Build failure for GnuTLS 3.3.7
In-Reply-To: <1408987897.2484.3.camel@nomad.lan>
References: <1408987897.2484.3.camel@nomad.lan>
Message-ID: <863AA65B-DBAF-432E-8555-2D91B843A334@schamschula.com>

Thanks Nikos,

This did the trick.

Marius

On Aug 25, 2014, at 12:31 PM, Nikos Mavrogiannopoulos wrote:

> On Sun, 2014-08-24 at 18:24 -0500, Marius Schamschula wrote:
>> Hello,
>>
>> I'm the maintainer of the MacPorts port of GnuTLS. I updated the Portfile to the current version this afternoon. The build went smoothly on my OS X 10.9.4 system, but the buildbots failed to build GnuTLS 3.3.7:
>>
>> The problem seems to be a missing stdnoreturn.h header file in src/libopts/autoopts.h:
>
> Thank you for reporting it. I've applied a local fix at the link below,
> but I'd appreciate if you could report that in autogen upstream, so we
> could avoid a future breakage.
>
> https://gitorious.org/gnutls/gnutls/commit/7df42875d1a77189374ca0a9195720cef200c601
>
> regards,
> Nikos
>
>

--
Marius Schamschula

From jacknagel at gmail.com Tue Aug 26 00:03:21 2014
From: jacknagel at gmail.com (Jack Nagel)
Date: Mon, 25 Aug 2014 22:03:21 +0000 (UTC)
Subject: [gnutls-devel] Build failure for GnuTLS 3.3.7
References: <1408987897.2484.3.camel@nomad.lan>
Message-ID:

Nikos Mavrogiannopoulos gnutls.org> writes:

> Thank you for reporting it. I've applied a local fix at the link below,
> but I'd appreciate if you could report that in autogen upstream, so we
> could avoid a future breakage.
>
> https://gitorious.org/gnutls/gnutls/commit/7df42875d1a77189374

I've run into the same issue in 3.2.17, so if this fix could be applied to that
branch as well it would be appreciated.

Thanks,
Jack

From nmav at gnutls.org Tue Aug 26 08:52:03 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 26 Aug 2014 08:52:03 +0200
Subject: [gnutls-devel] Build failure for GnuTLS 3.3.7
In-Reply-To:
References: <1408987897.2484.3.camel@nomad.lan>
Message-ID:

On Tue, Aug 26, 2014 at 12:03 AM, Jack Nagel wrote:
>> Thank you for reporting it. I've applied a local fix at the link below,
>> but I'd appreciate if you could report that in autogen upstream, so we
>> could avoid a future breakage.
>> https://gitorious.org/gnutls/gnutls/commit/7df42875d1a77189374
> I've run into the same issue in 3.2.17, so if this fix could be applied to that
> branch as well it would be appreciated.

I've applied it.

regards,
Nikos

From le.businessman at gmail.com Fri Aug 29 19:42:09 2014
From: le.businessman at gmail.com (Tristan Matthews)
Date: Fri, 29 Aug 2014 13:42:09 -0400
Subject: [gnutls-devel] [PATCH] alpn: fix version documentation
Message-ID: <1409334129-23119-1-git-send-email-le.businessman@gmail.com>

--- lib/ext/alpn.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c index b2f0f11..8ddaa97 100644 --- a/lib/ext/alpn.c +++ b/lib/ext/alpn.c @@ -206,7 +206,7 @@ _gnutls_alpn_send_params(gnutls_session_t session, * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, * otherwise a negative error code is returned. * - * Since 3.1.11 + * Since 3.2.0 **/ int gnutls_alpn_get_selected_protocol(gnutls_session_t session, @@ -253,7 +253,7 @@ gnutls_alpn_get_selected_protocol(gnutls_session_t session, * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, * otherwise a negative error code is returned. * - * Since 3.1.11 + * Since 3.2.0 **/ int gnutls_alpn_set_protocols(gnutls_session_t session, -- 1.9.3
From nmav at gnutls.org Sat Aug 30 11:35:43 2014
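Review bot: Both replaced lines in lib/ext/alpn.c read "Since 3.2.0" with no colon, unlike the "Returns:" tag just above them in the same comment blocks; if the documentation generator only recognises "Since:", the corrected version never reaches the rendered API reference. As these two lines are being touched anyway, write them as "Since: 3.2.0" in both hunks.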
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 30 Aug 2014 11:35:43 +0200
Subject: [gnutls-devel] [PATCH] alpn: fix version documentation
In-Reply-To: <1409334129-23119-1-git-send-email-le.businessman@gmail.com>
References: <1409334129-23119-1-git-send-email-le.businessman@gmail.com>
Message-ID: <1409391343.2511.0.camel@nomad.lan>

On Fri, 2014-08-29 at 13:42 -0400, Tristan Matthews wrote:
> ---
> lib/ext/alpn.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)

Thank you both. Patch applied.

regards,
Nikos

From remi at remlab.net Sat Aug 30 11:14:04 2014
From: remi at remlab.net (Rémi Denis-Courmont)
Date: Sat, 30 Aug 2014 12:14:04 +0300
Subject: [gnutls-devel] [PATCH] alpn: correct documented minimum supported version
Message-ID: <1409390044-5708-1-git-send-email-remi@remlab.net>

--- lib/ext/alpn.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c index 4f19f07..6007f2e 100644 --- a/lib/ext/alpn.c +++ b/lib/ext/alpn.c @@ -189,7 +189,7 @@ _gnutls_alpn_send_params (gnutls_session_t session, * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, * otherwise a negative error code is returned. * - * Since 3.1.11 + * Since 3.2.0 **/ int gnutls_alpn_get_selected_protocol (gnutls_session_t session, @@ -231,7 +231,7 @@ gnutls_alpn_get_selected_protocol (gnutls_session_t session, * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, * otherwise a negative error code is returned. * - * Since 3.1.11 + * Since 3.2.0 **/ int gnutls_alpn_set_protocols (gnutls_session_t session, -- 2.1.0
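Review bot: The commit message has no body, and the hunks at @@ -189 and @@ -231 carry different offsets and a different index line (4f19f07..6007f2e) from the other ALPN patch posted to the list, so this appears to be the same correction against another branch; the message should name the branch it targets. It should also say why 3.2.0 rather than 3.1.11 is the first release that has gnutls_alpn_get_selected_protocol() and gnutls_alpn_set_protocols(), since the diff alone gives a reader no way to check the new number.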