22#include <winpr/library.h>
23#include <winpr/assert.h>
24#include <winpr/spec.h>
25#include <winpr/smartcard.h>
26#include <winpr/asn1.h>
32#include "pkcs11-headers/pkcs11.h"
34#define TAG WINPR_TAG("ncryptp11")
38#define MAX_KEYS_PER_SLOT 64
46 CK_FUNCTION_LIST_PTR p11;
48} NCryptP11ProviderHandle;
54 NCryptP11ProviderHandle* provider;
56 CK_BYTE keyCertId[64];
57 CK_ULONG keyCertIdLen;
65 CK_CHAR keyLabel[256];
73 CK_SLOT_ID slots[MAX_SLOTS];
75 NCryptKeyEnum keys[MAX_KEYS];
84static const piv_cert_tags_t piv_cert_tags[] = {
85 {
"X.509 Certificate for PIV Authentication", { 0x5F, 0xC1, 0x05 } },
86 {
"X.509 Certificate for Digital Signature", { 0x5F, 0xC1, 0x0A } },
87 {
"X.509 Certificate for Key Management", { 0x5F, 0xC1, 0x0B } },
88 {
"X.509 Certificate for Card Authentication", { 0x5F, 0xC1, 0x01 } },
90 {
"Certificate for PIV Authentication", { 0x5F, 0xC1, 0x05 } },
91 {
"Certificate for Digital Signature", { 0x5F, 0xC1, 0x0A } },
92 {
"Certificate for Key Management", { 0x5F, 0xC1, 0x0B } },
93 {
"Certificate for Card Authentication", { 0x5F, 0xC1, 0x01 } },
96static const BYTE APDU_PIV_SELECT_AID[] = { 0x00, 0xA4, 0x04, 0x00, 0x09, 0xA0, 0x00, 0x00,
97 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x00 };
98static const BYTE APDU_PIV_GET_CHUID[] = { 0x00, 0xCB, 0x3F, 0xFF, 0x05, 0x5C,
99 0x03, 0x5F, 0xC1, 0x02, 0x00 };
100static const BYTE APDU_PIV_GET_MSCMAP[] = { 0x00, 0xCB, 0x3F, 0xFF, 0x05, 0x5C,
101 0x03, 0x5F, 0xFF, 0x10, 0x00 };
102static const BYTE APDU_GET_RESPONSE[] = { 0x00, 0xC0, 0x00, 0x00, 0x00 };
104#define PIV_CONTAINER_NAME_LEN 36
105#define MAX_CONTAINER_NAME_LEN 39
106#define MSCMAP_RECORD_SIZE 107
107#define MSCMAP_SLOT_OFFSET 80
116static const piv_tag_to_slot_t piv_tag_to_slot[] = {
117 { { 0x5F, 0xC1, 0x05 }, 0x9A },
118 { { 0x5F, 0xC1, 0x0A }, 0x9C },
119 { { 0x5F, 0xC1, 0x0B }, 0x9D },
120 { { 0x5F, 0xC1, 0x01 }, 0x9E },
121 { { 0x5F, 0xC1, 0x0D }, 0x82 },
122 { { 0x5F, 0xC1, 0x0E }, 0x83 },
123 { { 0x5F, 0xC1, 0x0F }, 0x84 },
124 { { 0x5F, 0xC1, 0x10 }, 0x85 },
125 { { 0x5F, 0xC1, 0x11 }, 0x86 },
126 { { 0x5F, 0xC1, 0x12 }, 0x87 },
127 { { 0x5F, 0xC1, 0x13 }, 0x88 },
128 { { 0x5F, 0xC1, 0x14 }, 0x89 },
129 { { 0x5F, 0xC1, 0x15 }, 0x8A },
130 { { 0x5F, 0xC1, 0x16 }, 0x8B },
131 { { 0x5F, 0xC1, 0x17 }, 0x8C },
132 { { 0x5F, 0xC1, 0x18 }, 0x8D },
133 { { 0x5F, 0xC1, 0x19 }, 0x8E },
134 { { 0x5F, 0xC1, 0x1A }, 0x8F },
135 { { 0x5F, 0xC1, 0x1B }, 0x90 },
136 { { 0x5F, 0xC1, 0x1C }, 0x91 },
137 { { 0x5F, 0xC1, 0x1D }, 0x92 },
138 { { 0x5F, 0xC1, 0x1E }, 0x93 },
139 { { 0x5F, 0xC1, 0x1F }, 0x94 },
140 { { 0x5F, 0xC1, 0x20 }, 0x95 },
143static CK_OBJECT_CLASS object_class_public_key = CKO_PUBLIC_KEY;
144static CK_BBOOL object_verify = CK_TRUE;
146static CK_ATTRIBUTE public_key_filter[] = { { CKA_CLASS, &object_class_public_key,
147 sizeof(object_class_public_key) },
148 { CKA_VERIFY, &object_verify,
sizeof(object_verify) } };
150static const char* CK_RV_error_string(CK_RV rv);
152static SECURITY_STATUS NCryptP11StorageProvider_dtor(NCRYPT_HANDLE handle)
154 NCryptP11ProviderHandle* provider = (NCryptP11ProviderHandle*)handle;
159 if (provider->p11 && provider->p11->C_Finalize)
160 rv = provider->p11->C_Finalize(
nullptr);
162 WLog_WARN(TAG,
"C_Finalize failed with %s [0x%08lx]", CK_RV_error_string(rv), rv);
164 free(provider->modulePath);
166 if (provider->library)
167 FreeLibrary(provider->library);
170 return winpr_NCryptDefault_dtor(handle);
173static void fix_padded_string(
char* str,
size_t maxlen)
179 char* ptr = &str[maxlen - 1];
181 while ((ptr > str) && (*ptr ==
' '))
188static BOOL attributes_have_unallocated_buffers(CK_ATTRIBUTE_PTR attributes, CK_ULONG count)
190 for (CK_ULONG i = 0; i < count; i++)
192 if (!attributes[i].pValue && (attributes[i].ulValueLen != CK_UNAVAILABLE_INFORMATION))
199static BOOL attribute_allocate_attribute_array(CK_ATTRIBUTE_PTR attribute)
201 WINPR_ASSERT(attribute);
202 attribute->pValue = calloc(attribute->ulValueLen,
sizeof(
void*));
203 return !!attribute->pValue;
206static BOOL attribute_allocate_ulong_array(CK_ATTRIBUTE_PTR attribute)
208 attribute->pValue = calloc(attribute->ulValueLen,
sizeof(CK_ULONG));
209 return !!attribute->pValue;
212static BOOL attribute_allocate_buffer(CK_ATTRIBUTE_PTR attribute)
214 attribute->pValue = calloc(attribute->ulValueLen, 1);
215 return !!attribute->pValue;
218static BOOL attributes_allocate_buffers(CK_ATTRIBUTE_PTR attributes, CK_ULONG count)
222 for (CK_ULONG i = 0; i < count; i++)
224 if (attributes[i].pValue || (attributes[i].ulValueLen == CK_UNAVAILABLE_INFORMATION))
227 switch (attributes[i].type)
229 case CKA_WRAP_TEMPLATE:
230 case CKA_UNWRAP_TEMPLATE:
231 ret &= attribute_allocate_attribute_array(&attributes[i]);
234 case CKA_ALLOWED_MECHANISMS:
235 ret &= attribute_allocate_ulong_array(&attributes[i]);
239 ret &= attribute_allocate_buffer(&attributes[i]);
247static CK_RV object_load_attributes(NCryptP11ProviderHandle* provider, CK_SESSION_HANDLE session,
248 CK_OBJECT_HANDLE
object, CK_ATTRIBUTE_PTR attributes,
251 WINPR_ASSERT(provider);
252 WINPR_ASSERT(provider->p11);
253 WINPR_ASSERT(provider->p11->C_GetAttributeValue);
255 CK_RV rv = provider->p11->C_GetAttributeValue(session,
object, attributes, count);
260 if (!attributes_have_unallocated_buffers(attributes, count))
264 case CKR_ATTRIBUTE_SENSITIVE:
265 case CKR_ATTRIBUTE_TYPE_INVALID:
266 case CKR_BUFFER_TOO_SMALL:
268 if (!attributes_allocate_buffers(attributes, count))
269 return CKR_HOST_MEMORY;
271 rv = provider->p11->C_GetAttributeValue(session,
object, attributes, count);
273 WLog_WARN(TAG,
"C_GetAttributeValue failed with %s [0x%08lx]",
274 CK_RV_error_string(rv), rv);
277 WLog_WARN(TAG,
"C_GetAttributeValue failed with %s [0x%08lx]", CK_RV_error_string(rv),
284 case CKR_ATTRIBUTE_SENSITIVE:
285 case CKR_ATTRIBUTE_TYPE_INVALID:
286 case CKR_BUFFER_TOO_SMALL:
288 "C_GetAttributeValue failed with %s [0x%08lx] even after buffer allocation",
289 CK_RV_error_string(rv), rv);
297static const char* CK_RV_error_string(CK_RV rv)
299 static char generic_buffer[200];
300#define ERR_ENTRY(X) \
307 ERR_ENTRY(CKR_CANCEL);
308 ERR_ENTRY(CKR_HOST_MEMORY);
309 ERR_ENTRY(CKR_SLOT_ID_INVALID);
310 ERR_ENTRY(CKR_GENERAL_ERROR);
311 ERR_ENTRY(CKR_FUNCTION_FAILED);
312 ERR_ENTRY(CKR_ARGUMENTS_BAD);
313 ERR_ENTRY(CKR_NO_EVENT);
314 ERR_ENTRY(CKR_NEED_TO_CREATE_THREADS);
315 ERR_ENTRY(CKR_CANT_LOCK);
316 ERR_ENTRY(CKR_ATTRIBUTE_READ_ONLY);
317 ERR_ENTRY(CKR_ATTRIBUTE_SENSITIVE);
318 ERR_ENTRY(CKR_ATTRIBUTE_TYPE_INVALID);
319 ERR_ENTRY(CKR_ATTRIBUTE_VALUE_INVALID);
320 ERR_ENTRY(CKR_DATA_INVALID);
321 ERR_ENTRY(CKR_DATA_LEN_RANGE);
322 ERR_ENTRY(CKR_DEVICE_ERROR);
323 ERR_ENTRY(CKR_DEVICE_MEMORY);
324 ERR_ENTRY(CKR_DEVICE_REMOVED);
325 ERR_ENTRY(CKR_ENCRYPTED_DATA_INVALID);
326 ERR_ENTRY(CKR_ENCRYPTED_DATA_LEN_RANGE);
327 ERR_ENTRY(CKR_FUNCTION_CANCELED);
328 ERR_ENTRY(CKR_FUNCTION_NOT_PARALLEL);
329 ERR_ENTRY(CKR_FUNCTION_NOT_SUPPORTED);
330 ERR_ENTRY(CKR_KEY_HANDLE_INVALID);
331 ERR_ENTRY(CKR_KEY_SIZE_RANGE);
332 ERR_ENTRY(CKR_KEY_TYPE_INCONSISTENT);
333 ERR_ENTRY(CKR_KEY_NOT_NEEDED);
334 ERR_ENTRY(CKR_KEY_CHANGED);
335 ERR_ENTRY(CKR_KEY_NEEDED);
336 ERR_ENTRY(CKR_KEY_INDIGESTIBLE);
337 ERR_ENTRY(CKR_KEY_FUNCTION_NOT_PERMITTED);
338 ERR_ENTRY(CKR_KEY_NOT_WRAPPABLE);
339 ERR_ENTRY(CKR_KEY_UNEXTRACTABLE);
340 ERR_ENTRY(CKR_MECHANISM_INVALID);
341 ERR_ENTRY(CKR_MECHANISM_PARAM_INVALID);
342 ERR_ENTRY(CKR_OBJECT_HANDLE_INVALID);
343 ERR_ENTRY(CKR_OPERATION_ACTIVE);
344 ERR_ENTRY(CKR_OPERATION_NOT_INITIALIZED);
345 ERR_ENTRY(CKR_PIN_INCORRECT);
346 ERR_ENTRY(CKR_PIN_INVALID);
347 ERR_ENTRY(CKR_PIN_LEN_RANGE);
348 ERR_ENTRY(CKR_PIN_EXPIRED);
349 ERR_ENTRY(CKR_PIN_LOCKED);
350 ERR_ENTRY(CKR_SESSION_CLOSED);
351 ERR_ENTRY(CKR_SESSION_COUNT);
352 ERR_ENTRY(CKR_SESSION_HANDLE_INVALID);
353 ERR_ENTRY(CKR_SESSION_PARALLEL_NOT_SUPPORTED);
354 ERR_ENTRY(CKR_SESSION_READ_ONLY);
355 ERR_ENTRY(CKR_SESSION_EXISTS);
356 ERR_ENTRY(CKR_SESSION_READ_ONLY_EXISTS);
357 ERR_ENTRY(CKR_SESSION_READ_WRITE_SO_EXISTS);
358 ERR_ENTRY(CKR_SIGNATURE_INVALID);
359 ERR_ENTRY(CKR_SIGNATURE_LEN_RANGE);
360 ERR_ENTRY(CKR_TEMPLATE_INCOMPLETE);
361 ERR_ENTRY(CKR_TEMPLATE_INCONSISTENT);
362 ERR_ENTRY(CKR_TOKEN_NOT_PRESENT);
363 ERR_ENTRY(CKR_TOKEN_NOT_RECOGNIZED);
364 ERR_ENTRY(CKR_TOKEN_WRITE_PROTECTED);
365 ERR_ENTRY(CKR_UNWRAPPING_KEY_HANDLE_INVALID);
366 ERR_ENTRY(CKR_UNWRAPPING_KEY_SIZE_RANGE);
367 ERR_ENTRY(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT);
368 ERR_ENTRY(CKR_USER_ALREADY_LOGGED_IN);
369 ERR_ENTRY(CKR_USER_NOT_LOGGED_IN);
370 ERR_ENTRY(CKR_USER_PIN_NOT_INITIALIZED);
371 ERR_ENTRY(CKR_USER_TYPE_INVALID);
372 ERR_ENTRY(CKR_USER_ANOTHER_ALREADY_LOGGED_IN);
373 ERR_ENTRY(CKR_USER_TOO_MANY_TYPES);
374 ERR_ENTRY(CKR_WRAPPED_KEY_INVALID);
375 ERR_ENTRY(CKR_WRAPPED_KEY_LEN_RANGE);
376 ERR_ENTRY(CKR_WRAPPING_KEY_HANDLE_INVALID);
377 ERR_ENTRY(CKR_WRAPPING_KEY_SIZE_RANGE);
378 ERR_ENTRY(CKR_WRAPPING_KEY_TYPE_INCONSISTENT);
379 ERR_ENTRY(CKR_RANDOM_SEED_NOT_SUPPORTED);
380 ERR_ENTRY(CKR_RANDOM_NO_RNG);
381 ERR_ENTRY(CKR_DOMAIN_PARAMS_INVALID);
382 ERR_ENTRY(CKR_BUFFER_TOO_SMALL);
383 ERR_ENTRY(CKR_SAVED_STATE_INVALID);
384 ERR_ENTRY(CKR_INFORMATION_SENSITIVE);
385 ERR_ENTRY(CKR_STATE_UNSAVEABLE);
386 ERR_ENTRY(CKR_CRYPTOKI_NOT_INITIALIZED);
387 ERR_ENTRY(CKR_CRYPTOKI_ALREADY_INITIALIZED);
388 ERR_ENTRY(CKR_MUTEX_BAD);
389 ERR_ENTRY(CKR_MUTEX_NOT_LOCKED);
390 ERR_ENTRY(CKR_FUNCTION_REJECTED);
392 (void)snprintf(generic_buffer,
sizeof(generic_buffer),
"unknown 0x%lx", rv);
393 return generic_buffer;
398#define loge(tag, msg, rv, index, slot) \
399 log_((tag), (msg), (rv), (index), (slot), __FILE__, __func__, __LINE__)
400static void log_(
const char* tag,
const char* msg, CK_RV rv, CK_ULONG index, CK_SLOT_ID slot,
401 const char* file,
const char* fkt,
size_t line)
403 const DWORD log_level = WLOG_ERROR;
404 static wLog* log_cached_ptr =
nullptr;
406 log_cached_ptr = WLog_Get(tag);
407 if (!WLog_IsLevelActive(log_cached_ptr, log_level))
410 WLog_PrintTextMessage(log_cached_ptr, log_level, line, file, fkt,
411 "%s for slot #%lu(%lu), rv=%s", msg, index, slot, CK_RV_error_string(rv));
414static SECURITY_STATUS collect_keys(NCryptP11ProviderHandle* provider, P11EnumKeysState* state)
416 CK_OBJECT_HANDLE slotObjects[MAX_KEYS_PER_SLOT] = WINPR_C_ARRAY_INIT;
418 WINPR_ASSERT(provider);
420 CK_FUNCTION_LIST_PTR p11 = provider->p11;
423 WLog_DBG(TAG,
"checking %lx slots for valid keys...", state->nslots);
425 for (CK_ULONG i = 0; i < state->nslots; i++)
427 CK_SESSION_HANDLE session = 0;
431 WINPR_ASSERT(p11->C_GetSlotInfo);
432 CK_RV rv = p11->C_GetSlotInfo(state->slots[i], &slotInfo);
435 loge(TAG,
"unable to retrieve information", rv, i, state->slots[i]);
439 fix_padded_string((
char*)slotInfo.slotDescription,
sizeof(slotInfo.slotDescription));
440 WLog_DBG(TAG,
"collecting keys for slot #%lx(%lu) descr='%s' flags=0x%lx", i,
441 state->slots[i], slotInfo.slotDescription, slotInfo.flags);
445 if (!(slotInfo.flags & CKF_TOKEN_PRESENT))
447 WLog_INFO(TAG,
"token not present for slot #%lu(%lu)", i, state->slots[i]);
451 WINPR_ASSERT(p11->C_GetTokenInfo);
452 rv = p11->C_GetTokenInfo(state->slots[i], &tokenInfo);
454 loge(TAG,
"unable to retrieve token info", rv, i, state->slots[i]);
457 fix_padded_string((
char*)tokenInfo.label,
sizeof(tokenInfo.label));
458 WLog_DBG(TAG,
"token, label='%s' flags=0x%lx", tokenInfo.label, tokenInfo.flags);
461 WINPR_ASSERT(p11->C_OpenSession);
462 rv = p11->C_OpenSession(state->slots[i], CKF_SERIAL_SESSION,
nullptr,
nullptr, &session);
465 WLog_ERR(TAG,
"unable to openSession for slot #%lu(%lu), session=%p rv=%s", i,
466 state->slots[i], WINPR_CXX_COMPAT_CAST(
const void*, session),
467 CK_RV_error_string(rv));
471 WINPR_ASSERT(p11->C_FindObjectsInit);
472 rv = p11->C_FindObjectsInit(session, public_key_filter, ARRAYSIZE(public_key_filter));
476 loge(TAG,
"unable to initiate search", rv, i, state->slots[i]);
477 goto cleanup_FindObjectsInit;
481 CK_ULONG nslotObjects = 0;
482 WINPR_ASSERT(p11->C_FindObjects);
484 p11->C_FindObjects(session, &slotObjects[0], ARRAYSIZE(slotObjects), &nslotObjects);
487 loge(TAG,
"unable to findObjects", rv, i, state->slots[i]);
488 goto cleanup_FindObjects;
491 WLog_DBG(TAG,
"slot has %lu objects", nslotObjects);
492 for (CK_ULONG j = 0; j < nslotObjects; j++)
494 NCryptKeyEnum* key = &state->keys[state->nKeys];
495 CK_OBJECT_CLASS dataClass = CKO_PUBLIC_KEY;
497 { CKA_ID, &key->id,
sizeof(key->id) },
498 { CKA_CLASS, &dataClass,
sizeof(dataClass) },
499 { CKA_LABEL, &key->keyLabel,
sizeof(key->keyLabel) },
500 { CKA_KEY_TYPE, &key->keyType,
sizeof(key->keyType) }
503 rv = object_load_attributes(provider, session, slotObjects[j], key_or_certAttrs,
504 ARRAYSIZE(key_or_certAttrs));
507 WLog_ERR(TAG,
"error getting attributes, rv=%s", CK_RV_error_string(rv));
511 key->idLen = key_or_certAttrs[0].ulValueLen;
512 key->slotId = state->slots[i];
513 key->slotInfo = slotInfo;
519 WINPR_ASSERT(p11->C_FindObjectsFinal);
520 rv = p11->C_FindObjectsFinal(session);
522 loge(TAG,
"error during C_FindObjectsFinal", rv, i, state->slots[i]);
523 cleanup_FindObjectsInit:
524 WINPR_ASSERT(p11->C_CloseSession);
525 rv = p11->C_CloseSession(session);
527 loge(TAG,
"error closing session", rv, i, state->slots[i]);
530 return ERROR_SUCCESS;
533static BOOL convertKeyType(CK_KEY_TYPE k, LPWSTR dest, DWORD len, DWORD* outlen)
535 const WCHAR* r =
nullptr;
538#define ALGO_CASE(V, S) \
541 retLen = _wcsnlen((S), ARRAYSIZE((S))); \
545 ALGO_CASE(CKK_RSA, BCRYPT_RSA_ALGORITHM);
546 ALGO_CASE(CKK_DSA, BCRYPT_DSA_ALGORITHM);
547 ALGO_CASE(CKK_DH, BCRYPT_DH_ALGORITHM);
548 ALGO_CASE(CKK_EC, BCRYPT_ECDSA_ALGORITHM);
549 ALGO_CASE(CKK_RC2, BCRYPT_RC2_ALGORITHM);
550 ALGO_CASE(CKK_RC4, BCRYPT_RC4_ALGORITHM);
551 ALGO_CASE(CKK_DES, BCRYPT_DES_ALGORITHM);
552 ALGO_CASE(CKK_DES3, BCRYPT_3DES_ALGORITHM);
556 case CKK_GENERIC_SECRET:
574 if (retLen > UINT32_MAX)
578 *outlen = (UINT32)retLen;
589 if (retLen + 1 > len)
591 WLog_ERR(TAG,
"target buffer is too small for algo name");
595 memcpy(dest, r,
sizeof(WCHAR) * retLen);
602static void wprintKeyName(LPWSTR str, CK_SLOT_ID slotId, CK_BYTE*
id, CK_ULONG idLen)
604 char asciiName[128] = WINPR_C_ARRAY_INIT;
605 char* ptr = asciiName;
606 const CK_BYTE* bytePtr =
nullptr;
611 bytePtr = ((CK_BYTE*)&slotId);
612 for (CK_ULONG i = 0; i <
sizeof(slotId); i++, bytePtr++, ptr += 2)
613 (
void)snprintf(ptr, 3,
"%.2x", *bytePtr);
618 for (CK_ULONG i = 0; i < idLen; i++,
id++, ptr += 2)
619 (
void)snprintf(ptr, 3,
"%.2x", *
id);
621 (void)ConvertUtf8NToWChar(asciiName, ARRAYSIZE(asciiName), str,
622 strnlen(asciiName, ARRAYSIZE(asciiName)) + 1);
625static size_t parseHex(
const char* str,
const char* end, CK_BYTE* target)
629 for (; str != end && *str; str++, ret++, target++)
632 if (*str <=
'9' && *str >=
'0')
636 else if (*str <=
'f' && *str >=
'a')
638 v = (10 + *str -
'a');
640 else if (*str <=
'F' && *str >=
'A')
642 v |= (10 + *str -
'A');
651 if (!*str || str == end)
654 if (*str <=
'9' && *str >=
'0')
658 else if (*str <=
'f' && *str >=
'a')
660 v |= (10 + *str -
'a');
662 else if (*str <=
'F' && *str >=
'A')
664 v |= (10 + *str -
'A');
676static SECURITY_STATUS parseKeyName(LPCWSTR pszKeyName, CK_SLOT_ID* slotId, CK_BYTE*
id,
679 char asciiKeyName[128] = WINPR_C_ARRAY_INIT;
682 if (ConvertWCharToUtf8(pszKeyName, asciiKeyName, ARRAYSIZE(asciiKeyName)) < 0)
685 if (*asciiKeyName !=
'\\')
688 pos = strchr(&asciiKeyName[1],
'\\');
692 if ((
size_t)(pos - &asciiKeyName[1]) >
sizeof(CK_SLOT_ID) * 2ull)
695 *slotId = (CK_SLOT_ID)0;
696 if (parseHex(&asciiKeyName[1], pos, (CK_BYTE*)slotId) !=
sizeof(CK_SLOT_ID))
699 *idLen = parseHex(pos + 1,
nullptr,
id);
703 return ERROR_SUCCESS;
706static SECURITY_STATUS NCryptP11EnumKeys(NCRYPT_PROV_HANDLE hProvider, LPCWSTR pszScope,
708 WINPR_ATTR_UNUSED DWORD dwFlags)
710 NCryptP11ProviderHandle* provider = (NCryptP11ProviderHandle*)hProvider;
711 P11EnumKeysState* state = (P11EnumKeysState*)*ppEnumState;
712 CK_RV rv = WINPR_C_ARRAY_INIT;
713 CK_SLOT_ID currentSlot = WINPR_C_ARRAY_INIT;
714 CK_SESSION_HANDLE currentSession = 0;
715 char slotFilterBuffer[65] = WINPR_C_ARRAY_INIT;
716 char* slotFilter =
nullptr;
717 size_t slotFilterLen = 0;
719 SECURITY_STATUS ret = checkNCryptHandle((NCRYPT_HANDLE)hProvider, WINPR_NCRYPT_PROVIDER);
720 if (ret != ERROR_SUCCESS)
729 char asciiScope[128 + 6 + 1] = WINPR_C_ARRAY_INIT;
730 size_t asciiScopeLen = 0;
732 if (ConvertWCharToUtf8(pszScope, asciiScope, ARRAYSIZE(asciiScope) - 1) < 0)
734 WLog_WARN(TAG,
"Invalid scope");
735 return NTE_INVALID_PARAMETER;
738 if (strstr(asciiScope,
"\\\\.\\") != asciiScope)
740 WLog_WARN(TAG,
"Invalid scope '%s'", asciiScope);
741 return NTE_INVALID_PARAMETER;
744 asciiScopeLen = strnlen(asciiScope, ARRAYSIZE(asciiScope));
745 if ((asciiScopeLen < 1) || (asciiScope[asciiScopeLen - 1] !=
'\\'))
747 WLog_WARN(TAG,
"Invalid scope '%s'", asciiScope);
748 return NTE_INVALID_PARAMETER;
751 asciiScope[asciiScopeLen - 1] = 0;
753 strncpy(slotFilterBuffer, &asciiScope[4],
sizeof(slotFilterBuffer));
754 slotFilter = slotFilterBuffer;
755 slotFilterLen = asciiScopeLen - 5;
760 state = (P11EnumKeysState*)calloc(1,
sizeof(*state));
762 return NTE_NO_MEMORY;
764 WINPR_ASSERT(provider->p11->C_GetSlotList);
765 rv = provider->p11->C_GetSlotList(CK_TRUE,
nullptr, &state->nslots);
770 WLog_WARN(TAG,
"C_GetSlotList failed with %s [0x%08lx]", CK_RV_error_string(rv), rv);
774 if (state->nslots > MAX_SLOTS)
775 state->nslots = MAX_SLOTS;
777 rv = provider->p11->C_GetSlotList(CK_TRUE, state->slots, &state->nslots);
782 WLog_WARN(TAG,
"C_GetSlotList failed with %s [0x%08lx]", CK_RV_error_string(rv), rv);
786 ret = collect_keys(provider, state);
787 if (ret != ERROR_SUCCESS)
793 *ppEnumState = state;
796 for (; state->keyIndex < state->nKeys; state->keyIndex++)
799 NCryptKeyEnum* key = &state->keys[state->keyIndex];
800 CK_OBJECT_CLASS oclass = CKO_CERTIFICATE;
801 CK_CERTIFICATE_TYPE ctype = CKC_X_509;
802 CK_ATTRIBUTE certificateFilter[] = { { CKA_CLASS, &oclass,
sizeof(oclass) },
803 { CKA_CERTIFICATE_TYPE, &ctype,
sizeof(ctype) },
804 { CKA_ID, key->id, key->idLen } };
805 CK_ULONG ncertObjects = 0;
806 CK_OBJECT_HANDLE certObject = 0;
809 if (slotFilter && memcmp(key->slotInfo.slotDescription, slotFilter, slotFilterLen) != 0)
812 if (!currentSession || (currentSlot != key->slotId))
818 WINPR_ASSERT(provider->p11->C_CloseSession);
819 rv = provider->p11->C_CloseSession(currentSession);
821 WLog_WARN(TAG,
"C_CloseSession failed with %s [0x%08lx]",
822 CK_RV_error_string(rv), rv);
826 WINPR_ASSERT(provider->p11->C_OpenSession);
827 rv = provider->p11->C_OpenSession(key->slotId, CKF_SERIAL_SESSION,
nullptr,
nullptr,
831 WLog_ERR(TAG,
"C_OpenSession failed with %s [0x%08lx] for slot %lu",
832 CK_RV_error_string(rv), rv, key->slotId);
835 currentSlot = key->slotId;
839 WINPR_ASSERT(provider->p11->C_FindObjectsInit);
840 rv = provider->p11->C_FindObjectsInit(currentSession, certificateFilter,
841 ARRAYSIZE(certificateFilter));
844 WLog_ERR(TAG,
"C_FindObjectsInit failed with %s [0x%08lx] for slot %lu",
845 CK_RV_error_string(rv), rv, key->slotId);
849 WINPR_ASSERT(provider->p11->C_FindObjects);
850 rv = provider->p11->C_FindObjects(currentSession, &certObject, 1, &ncertObjects);
853 WLog_ERR(TAG,
"C_FindObjects failed with %s [0x%08lx] for slot %lu",
854 CK_RV_error_string(rv), rv, currentSlot);
855 goto cleanup_FindObjects;
862 size_t KEYNAME_SZ = (1ull + (
sizeof(key->slotId) * 2ull) + 1ull +
863 (key->idLen * 2ull) + 1ull) *
866 convertKeyType(key->keyType,
nullptr, 0, &algoSz);
867 KEYNAME_SZ += (1ULL + algoSz) *
sizeof(WCHAR);
869 keyName = calloc(1,
sizeof(*keyName) + KEYNAME_SZ);
872 WLog_ERR(TAG,
"unable to allocate keyName");
873 goto cleanup_FindObjects;
875 keyName->dwLegacyKeySpec = AT_KEYEXCHANGE | AT_SIGNATURE;
876 keyName->dwFlags = NCRYPT_MACHINE_KEY_FLAG;
877 keyName->pszName = (LPWSTR)(keyName + 1);
878 wprintKeyName(keyName->pszName, key->slotId, key->id, key->idLen);
880 keyName->pszAlgid = keyName->pszName + _wcslen(keyName->pszName) + 1;
881 convertKeyType(key->keyType, keyName->pszAlgid, algoSz + 1,
nullptr);
885 WINPR_ASSERT(provider->p11->C_FindObjectsFinal);
886 rv = provider->p11->C_FindObjectsFinal(currentSession);
888 WLog_ERR(TAG,
"C_FindObjectsFinal failed with %s [0x%08lx]", CK_RV_error_string(rv),
893 *ppKeyName = keyName;
895 return ERROR_SUCCESS;
899 return NTE_NO_MORE_ITEMS;
902static BOOL piv_check_sw(DWORD buf_len,
const BYTE* buf, BYTE expected_sw1)
904 return (buf_len >= 2) && (buf[buf_len - 2] == expected_sw1);
907static BOOL piv_check_sw_success(DWORD buf_len,
const BYTE* buf)
909 return (buf_len >= 2) && (buf[buf_len - 2] == 0x90) && (buf[buf_len - 1] == 0x00);
912static SECURITY_STATUS get_piv_container_name_from_mscmap(SCARDHANDLE card,
914 const BYTE* piv_tag, BYTE* output,
917 BYTE buf[258] = WINPR_C_ARRAY_INIT;
918 BYTE mscmap_buf[2148] = WINPR_C_ARRAY_INIT;
919 DWORD buf_len =
sizeof(buf);
920 DWORD mscmap_total = 0;
922 if (SCardTransmit(card, pci, APDU_PIV_GET_MSCMAP,
sizeof(APDU_PIV_GET_MSCMAP),
nullptr, buf,
923 &buf_len) != SCARD_S_SUCCESS)
924 return NTE_NOT_FOUND;
926 if (piv_check_sw_success(buf_len, buf))
928 mscmap_total = buf_len - 2;
929 if (mscmap_total >
sizeof(mscmap_buf))
930 return NTE_NOT_FOUND;
931 memcpy(mscmap_buf, buf, mscmap_total);
933 else if (piv_check_sw(buf_len, buf, 0x61))
935 mscmap_total = buf_len - 2;
936 if (mscmap_total <=
sizeof(mscmap_buf))
937 memcpy(mscmap_buf, buf, mscmap_total);
939 while (piv_check_sw(buf_len, buf, 0x61) && mscmap_total <
sizeof(mscmap_buf))
941 BYTE get_resp[5] = { 0x00, 0xC0, 0x00, 0x00, 0x00 };
942 get_resp[4] = buf[buf_len - 1];
943 buf_len =
sizeof(buf);
944 if (SCardTransmit(card, pci, get_resp,
sizeof(get_resp),
nullptr, buf, &buf_len) !=
947 DWORD chunk = piv_check_sw_success(buf_len, buf) ? (buf_len - 2)
948 : piv_check_sw(buf_len, buf, 0x61) ? (buf_len - 2)
950 if (chunk == 0 || mscmap_total + chunk >
sizeof(mscmap_buf))
952 memcpy(mscmap_buf + mscmap_total, buf, chunk);
953 mscmap_total += chunk;
955 if (!piv_check_sw_success(buf_len, buf))
956 return NTE_NOT_FOUND;
959 return NTE_NOT_FOUND;
962 const BYTE* mscmap_data = mscmap_buf;
963 DWORD mscmap_data_len = mscmap_total;
965 for (
int tlv_pass = 0; tlv_pass < 2; tlv_pass++)
967 if (mscmap_data_len < 2)
969 BYTE tlv_tag = mscmap_data[0];
970 if (tlv_tag != 0x53 && tlv_tag != 0x81)
973 if (mscmap_data[1] == 0x82 && mscmap_data_len > 4)
975 else if (mscmap_data[1] == 0x81 && mscmap_data_len > 3)
978 mscmap_data_len -= (DWORD)hdr;
982 BYTE target_slot = 0;
983 for (
size_t i = 0; i < ARRAYSIZE(piv_tag_to_slot); i++)
985 if (memcmp(piv_tag, piv_tag_to_slot[i].tag, 3) == 0)
987 target_slot = piv_tag_to_slot[i].slot;
991 if (target_slot == 0)
992 return NTE_NOT_FOUND;
995 size_t num_records = mscmap_data_len / MSCMAP_RECORD_SIZE;
996 for (
size_t i = 0; i < num_records; i++)
998 const BYTE* record = mscmap_data + (i * MSCMAP_RECORD_SIZE);
999 if (record[MSCMAP_SLOT_OFFSET] == target_slot)
1001 size_t copy_len = (MAX_CONTAINER_NAME_LEN + 1) *
sizeof(WCHAR);
1002 if (copy_len > output_len)
1003 copy_len = output_len;
1004 memcpy(output, record, copy_len);
1005 return ERROR_SUCCESS;
1008 return NTE_NOT_FOUND;
1011static SECURITY_STATUS get_piv_container_name_from_chuid(SCARDHANDLE card,
1013 const BYTE* piv_tag, BYTE* output,
1016 BYTE buf[258] = WINPR_C_ARRAY_INIT;
1017 DWORD buf_len =
sizeof(buf);
1018 char container_name[PIV_CONTAINER_NAME_LEN + 1] = WINPR_C_ARRAY_INIT;
1020 if (SCardTransmit(card, pci, APDU_PIV_GET_CHUID,
sizeof(APDU_PIV_GET_CHUID),
nullptr, buf,
1021 &buf_len) != SCARD_S_SUCCESS)
1023 if (!piv_check_sw_success(buf_len, buf) && !piv_check_sw(buf_len, buf, 0x61))
1031 WinPrAsn1Decoder_InitMem(&dec, WINPR_ASN1_BER, buf, buf_len);
1032 if (!WinPrAsn1DecReadTagAndLen(&dec, &tag, &len) || tag != 0x53)
1034 while (WinPrAsn1DecReadTagLenValue(&dec, &tag, &len, &dec2) && tag != 0x34)
1036 if (tag != 0x34 || len != 16)
1039 wStream s = WinPrAsn1DecGetStream(&dec2);
1040 BYTE* p = Stream_Buffer(&s);
1042 (void)snprintf(container_name, PIV_CONTAINER_NAME_LEN + 1,
1043 "%.2x%.2x%.2x%.2x-%.2x%.2x-%.2x%.2x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x", p[3],
1044 p[2], p[1], p[0], p[5], p[4], p[7], p[6], p[8], p[9], p[10], p[11], p[12],
1045 piv_tag[0], piv_tag[1], piv_tag[2]);
1053 if (ConvertUtf8NToWChar(container_name, ARRAYSIZE(container_name), cnv.wc,
1054 output_len /
sizeof(WCHAR)) > 0)
1055 return ERROR_SUCCESS;
1059static SECURITY_STATUS get_piv_container_name(NCryptP11KeyHandle* key,
const BYTE* piv_tag,
1060 BYTE* output,
size_t output_len)
1063 CK_FUNCTION_LIST_PTR p11 =
nullptr;
1064 WCHAR* reader =
nullptr;
1065 SCARDCONTEXT context = 0;
1066 SCARDHANDLE card = 0;
1069 BYTE buf[258] = WINPR_C_ARRAY_INIT;
1071 SECURITY_STATUS ret = NTE_BAD_KEY;
1074 WINPR_ASSERT(piv_tag);
1076 WINPR_ASSERT(key->provider);
1077 p11 = key->provider->p11;
1080 WINPR_ASSERT(p11->C_GetSlotInfo);
1081 if (p11->C_GetSlotInfo(key->slotId, &slot_info) != CKR_OK)
1084 fix_padded_string((
char*)slot_info.slotDescription,
sizeof(slot_info.slotDescription));
1085 reader = ConvertUtf8NToWCharAlloc((
char*)slot_info.slotDescription,
1086 ARRAYSIZE(slot_info.slotDescription),
nullptr);
1087 ret = NTE_NO_MEMORY;
1092 if (SCardEstablishContext(SCARD_SCOPE_USER,
nullptr,
nullptr, &context) != SCARD_S_SUCCESS)
1095 if (SCardConnectW(context, reader, SCARD_SHARE_SHARED, SCARD_PROTOCOL_Tx, &card, &proto) !=
1098 pci = (proto == SCARD_PROTOCOL_T0) ? SCARD_PCI_T0 : SCARD_PCI_T1;
1100 buf_len =
sizeof(buf);
1101 if (SCardTransmit(card, pci, APDU_PIV_SELECT_AID,
sizeof(APDU_PIV_SELECT_AID),
nullptr, buf,
1102 &buf_len) != SCARD_S_SUCCESS)
1104 if (!piv_check_sw_success(buf_len, buf) && !piv_check_sw(buf_len, buf, 0x61))
1108 ret = get_piv_container_name_from_mscmap(card, pci, piv_tag, output, output_len);
1109 if (ret != ERROR_SUCCESS)
1110 ret = get_piv_container_name_from_chuid(card, pci, piv_tag, output, output_len);
1115 SCardDisconnect(card, SCARD_LEAVE_CARD);
1117 SCardReleaseContext(context);
1121static SECURITY_STATUS check_for_piv_container_name(NCryptP11KeyHandle* key, BYTE* pbOutput,
1122 DWORD cbOutput, DWORD* pcbResult,
char* label,
1125 for (
size_t i = 0; i < ARRAYSIZE(piv_cert_tags); i++)
1127 const piv_cert_tags_t* cur = &piv_cert_tags[i];
1128 if (strncmp(label, cur->label, label_len) == 0)
1130 *pcbResult = (MAX_CONTAINER_NAME_LEN + 1) *
sizeof(WCHAR);
1132 return ERROR_SUCCESS;
1133 else if (cbOutput < (MAX_CONTAINER_NAME_LEN + 1) *
sizeof(WCHAR))
1134 return NTE_NO_MEMORY;
1136 return get_piv_container_name(key, cur->tag, pbOutput, cbOutput);
1139 return NTE_NOT_FOUND;
1142static SECURITY_STATUS NCryptP11KeyGetProperties(NCryptP11KeyHandle* keyHandle,
1143 NCryptKeyGetPropertyEnum property, PBYTE pbOutput,
1144 DWORD cbOutput, DWORD* pcbResult,
1145 WINPR_ATTR_UNUSED DWORD dwFlags)
1147 SECURITY_STATUS ret = NTE_FAIL;
1149 CK_SESSION_HANDLE session = 0;
1150 CK_OBJECT_HANDLE objectHandle = 0;
1151 CK_ULONG objectCount = 0;
1152 NCryptP11ProviderHandle* provider =
nullptr;
1153 CK_OBJECT_CLASS oclass = CKO_CERTIFICATE;
1154 CK_CERTIFICATE_TYPE ctype = CKC_X_509;
1155 CK_ATTRIBUTE certificateFilter[] = { { CKA_CLASS, &oclass,
sizeof(oclass) },
1156 { CKA_CERTIFICATE_TYPE, &ctype,
sizeof(ctype) },
1157 { CKA_ID, keyHandle->keyCertId,
1158 keyHandle->keyCertIdLen } };
1160 CK_ULONG objectFilterLen = ARRAYSIZE(certificateFilter);
1162 WINPR_ASSERT(keyHandle);
1163 provider = keyHandle->provider;
1164 WINPR_ASSERT(provider);
1169 case NCRYPT_PROPERTY_CERTIFICATE:
1170 case NCRYPT_PROPERTY_NAME:
1172 case NCRYPT_PROPERTY_READER:
1176 WINPR_ASSERT(provider->p11->C_GetSlotInfo);
1177 rv = provider->p11->C_GetSlotInfo(keyHandle->slotId, &slotInfo);
1181#define SLOT_DESC_SZ sizeof(slotInfo.slotDescription)
1182 fix_padded_string((
char*)slotInfo.slotDescription, SLOT_DESC_SZ);
1183 const size_t len = 2ULL * (strnlen((
char*)slotInfo.slotDescription, SLOT_DESC_SZ) + 1);
1184 if (len > UINT32_MAX)
1185 return NTE_BAD_DATA;
1186 *pcbResult = (UINT32)len;
1195 if (cbOutput < *pcbResult)
1196 return NTE_NO_MEMORY;
1198 if (ConvertUtf8NToWChar((
char*)slotInfo.slotDescription, SLOT_DESC_SZ, cnv.wc,
1199 cbOutput /
sizeof(WCHAR)) < 0)
1200 return NTE_NO_MEMORY;
1202 return ERROR_SUCCESS;
1204 case NCRYPT_PROPERTY_SLOTID:
1209 UINT32* ptr = (UINT32*)pbOutput;
1212 return NTE_NO_MEMORY;
1213 if (keyHandle->slotId > UINT32_MAX)
1218 *ptr = (UINT32)keyHandle->slotId;
1220 return ERROR_SUCCESS;
1222 case NCRYPT_PROPERTY_UNKNOWN:
1224 return NTE_NOT_SUPPORTED;
1227 WINPR_ASSERT(provider->p11->C_OpenSession);
1228 rv = provider->p11->C_OpenSession(keyHandle->slotId, CKF_SERIAL_SESSION,
nullptr,
nullptr,
1232 WLog_ERR(TAG,
"error opening session on slot %lu", keyHandle->slotId);
1236 WINPR_ASSERT(provider->p11->C_FindObjectsInit);
1237 rv = provider->p11->C_FindObjectsInit(session, objectFilter, objectFilterLen);
1240 WLog_ERR(TAG,
"unable to initiate search for slot %lu", keyHandle->slotId);
1244 WINPR_ASSERT(provider->p11->C_FindObjects);
1245 rv = provider->p11->C_FindObjects(session, &objectHandle, 1, &objectCount);
1248 WLog_ERR(TAG,
"unable to findObjects for slot %lu", keyHandle->slotId);
1253 ret = NTE_NOT_FOUND;
1259 case NCRYPT_PROPERTY_CERTIFICATE:
1261 CK_ATTRIBUTE certValue = { CKA_VALUE, pbOutput, cbOutput };
1263 WINPR_ASSERT(provider->p11->C_GetAttributeValue);
1264 rv = provider->p11->C_GetAttributeValue(session, objectHandle, &certValue, 1);
1270 if (certValue.ulValueLen > UINT32_MAX)
1275 *pcbResult = (UINT32)certValue.ulValueLen;
1276 ret = ERROR_SUCCESS;
1279 case NCRYPT_PROPERTY_NAME:
1282 char* label =
nullptr;
1284 WINPR_ASSERT(provider->p11->C_GetAttributeValue);
1285 rv = provider->p11->C_GetAttributeValue(session, objectHandle, &attr, 1);
1288 label = calloc(1, attr.ulValueLen);
1291 ret = NTE_NO_MEMORY;
1295 attr.pValue = label;
1296 rv = provider->p11->C_GetAttributeValue(session, objectHandle, &attr, 1);
1302 ret = check_for_piv_container_name(keyHandle, pbOutput, cbOutput, pcbResult, label,
1306 if (ret == NTE_NOT_FOUND)
1313 const size_t olen = pbOutput ? cbOutput /
sizeof(WCHAR) : 0;
1315 SSIZE_T size = ConvertUtf8NToWChar(label, attr.ulValueLen, cnv.wc, olen);
1317 ret = ERROR_CONVERT_TO_LARGE;
1319 ret = ERROR_SUCCESS;
1327 ret = NTE_NOT_SUPPORTED;
1332 WINPR_ASSERT(provider->p11->C_FindObjectsFinal);
1333 rv = provider->p11->C_FindObjectsFinal(session);
1336 WLog_ERR(TAG,
"error in C_FindObjectsFinal() for slot %lu", keyHandle->slotId);
1339 WINPR_ASSERT(provider->p11->C_CloseSession);
1340 rv = provider->p11->C_CloseSession(session);
1343 WLog_ERR(TAG,
"error in C_CloseSession() for slot %lu", keyHandle->slotId);
1348static SECURITY_STATUS NCryptP11GetProperty(NCRYPT_HANDLE hObject, NCryptKeyGetPropertyEnum prop,
1349 PBYTE pbOutput, DWORD cbOutput, DWORD* pcbResult,
1357 case WINPR_NCRYPT_PROVIDER:
1358 return ERROR_CALL_NOT_IMPLEMENTED;
1359 case WINPR_NCRYPT_KEY:
1360 return NCryptP11KeyGetProperties((NCryptP11KeyHandle*)hObject, prop, pbOutput, cbOutput,
1361 pcbResult, dwFlags);
1363 return ERROR_INVALID_HANDLE;
1365 return ERROR_SUCCESS;
1368static SECURITY_STATUS NCryptP11OpenKey(NCRYPT_PROV_HANDLE hProvider, NCRYPT_KEY_HANDLE* phKey,
1369 LPCWSTR pszKeyName, WINPR_ATTR_UNUSED DWORD dwLegacyKeySpec,
1370 WINPR_ATTR_UNUSED DWORD dwFlags)
1372 SECURITY_STATUS ret = 0;
1373 CK_SLOT_ID slotId = 0;
1374 CK_BYTE keyCertId[64] = WINPR_C_ARRAY_INIT;
1375 CK_ULONG keyCertIdLen = 0;
1376 NCryptP11KeyHandle* keyHandle =
nullptr;
1378 ret = parseKeyName(pszKeyName, &slotId, keyCertId, &keyCertIdLen);
1379 if (ret != ERROR_SUCCESS)
1382 keyHandle = (NCryptP11KeyHandle*)ncrypt_new_handle(
1383 WINPR_NCRYPT_KEY,
sizeof(*keyHandle), NCryptP11GetProperty, winpr_NCryptDefault_dtor);
1385 return NTE_NO_MEMORY;
1387 keyHandle->provider = (NCryptP11ProviderHandle*)hProvider;
1388 keyHandle->slotId = slotId;
1389 memcpy(keyHandle->keyCertId, keyCertId,
sizeof(keyCertId));
1390 keyHandle->keyCertIdLen = keyCertIdLen;
1391 *phKey = (NCRYPT_KEY_HANDLE)keyHandle;
1392 return ERROR_SUCCESS;
1395static SECURITY_STATUS initialize_pkcs11(HANDLE handle,
1396 CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR),
1397 NCRYPT_PROV_HANDLE* phProvider)
1399 SECURITY_STATUS status = ERROR_SUCCESS;
1400 NCryptP11ProviderHandle* ret =
nullptr;
1403 WINPR_ASSERT(c_get_function_list);
1404 WINPR_ASSERT(phProvider);
1406 ret = (NCryptP11ProviderHandle*)ncrypt_new_handle(
1407 WINPR_NCRYPT_PROVIDER,
sizeof(*ret), NCryptP11GetProperty, NCryptP11StorageProvider_dtor);
1409 return NTE_NO_MEMORY;
1411 ret->library = handle;
1412 ret->baseProvider.enumKeysFn = NCryptP11EnumKeys;
1413 ret->baseProvider.openKeyFn = NCryptP11OpenKey;
1415 rv = c_get_function_list(&ret->p11);
1418 status = NTE_PROVIDER_DLL_FAIL;
1422 WINPR_ASSERT(ret->p11);
1423 WINPR_ASSERT(ret->p11->C_Initialize);
1424 rv = ret->p11->C_Initialize(
nullptr);
1427 status = NTE_PROVIDER_DLL_FAIL;
1431 *phProvider = (NCRYPT_PROV_HANDLE)ret;
1434 if (status != ERROR_SUCCESS)
1435 ret->baseProvider.baseHandle.releaseFn((NCRYPT_HANDLE)ret);
1439SECURITY_STATUS NCryptOpenP11StorageProviderEx(NCRYPT_PROV_HANDLE* phProvider,
1440 WINPR_ATTR_UNUSED LPCWSTR pszProviderName,
1441 WINPR_ATTR_UNUSED DWORD dwFlags, LPCSTR* modulePaths)
1443 SECURITY_STATUS status = ERROR_INVALID_PARAMETER;
1444 LPCSTR defaultPaths[] = {
"p11-kit-proxy.so",
"opensc-pkcs11.so",
nullptr };
1447 return ERROR_INVALID_PARAMETER;
1450 modulePaths = defaultPaths;
1452 while (*modulePaths)
1454 const char* modulePath = *modulePaths++;
1455 HANDLE library = LoadLibrary(modulePath);
1456 typedef CK_RV (*c_get_function_list_t)(CK_FUNCTION_LIST_PTR_PTR);
1457 NCryptP11ProviderHandle* provider =
nullptr;
1459 WLog_DBG(TAG,
"Trying pkcs11 module '%s'", modulePath);
1462 status = NTE_PROV_DLL_NOT_FOUND;
1463 goto out_load_library;
1467 c_get_function_list_t c_get_function_list =
1468 GetProcAddressAs(library,
"C_GetFunctionList", c_get_function_list_t);
1470 if (!c_get_function_list)
1472 status = NTE_PROV_TYPE_ENTRY_BAD;
1473 goto out_load_library;
1476 status = initialize_pkcs11(library, c_get_function_list, phProvider);
1478 if (status != ERROR_SUCCESS)
1480 status = NTE_PROVIDER_DLL_FAIL;
1481 goto out_load_library;
1484 provider = (NCryptP11ProviderHandle*)*phProvider;
1485 provider->modulePath = _strdup(modulePath);
1486 if (!provider->modulePath)
1488 status = NTE_NO_MEMORY;
1489 goto out_load_library;
1492 WLog_DBG(TAG,
"module '%s' loaded", modulePath);
1493 return ERROR_SUCCESS;
1497 FreeLibrary(library);
1503const char* NCryptGetModulePath(NCRYPT_PROV_HANDLE phProvider)
1505 NCryptP11ProviderHandle* provider = (NCryptP11ProviderHandle*)phProvider;
1507 WINPR_ASSERT(provider);
1509 return provider->modulePath;
common ncrypt handle items
common ncrypt provider items
1.9.8