authorMartin Willi <martin@revosec.ch>2010-07-16 10:48:29 +0200
committerMartin Willi <martin@revosec.ch>2010-08-04 09:26:20 +0200
commit0b8b66405682ef1bb1217384aa19e87f97b22b34 (patch)
tree937932e61da47cae4607e11ee1056ba53348a640
parent353d10d5902e5ead75ebfa701b903a8ff20660da (diff)
downloadstrongswan-0b8b66405682ef1bb1217384aa19e87f97b22b34.tar.bz2
strongswan-0b8b66405682ef1bb1217384aa19e87f97b22b34.tar.xz
Pass the PKCS11 keyid as chunk, not as string
-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.c9
-rw-r--r--src/libstrongswan/credentials/builder.h2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c21
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c14
4 files changed, 25 insertions, 21 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index d683afa8a..6f59dbee6 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -932,6 +932,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
char smartcard[64], keyid[64], module[64], *pos;
private_key_t *key;
u_int slot;
+ chunk_t chunk;
enum {
SC_FORMAT_SLOT_MODULE_KEYID,
SC_FORMAT_SLOT_KEYID,
@@ -998,6 +999,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
goto error;
}
+ chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
switch (format)
{
case SC_FORMAT_SLOT_MODULE_KEYID:
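Review bot: `chunk_from_hex` is applied to the raw `keyid` text without first checking that it is hexadecimal; as far as I recall strongSwan's implementation maps non-hex characters to zero nibbles instead of rejecting them, so a typo in the secrets file yields a silently different key ID and a later "key not found" rather than a parse error pointing at the offending line. I would validate before converting, e.g. `if (strspn(keyid, "0123456789abcdefABCDEF:") != strlen(keyid)) { DBG1(DBG_CFG, "invalid keyid '%s'", keyid); goto error; }`, which reuses the `error` path already taken a few lines above and runs before any buffer is allocated. A short comment that `chunk` owns a heap buffer from this line until it is released after the `switch` would also help, since the free is some twenty lines away. load_secrets starts and ends well outside this hunk.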
@@ -1005,23 +1007,24 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
CRED_PRIVATE_KEY, KEY_ANY,
BUILD_PKCS11_SLOT, slot,
BUILD_PKCS11_MODULE, module,
- BUILD_PKCS11_KEYID, keyid,
+ BUILD_PKCS11_KEYID, chunk,
BUILD_PASSPHRASE, secret, BUILD_END);
break;
case SC_FORMAT_SLOT_KEYID:
key = lib->creds->create(lib->creds,
CRED_PRIVATE_KEY, KEY_ANY,
BUILD_PKCS11_SLOT, slot,
- BUILD_PKCS11_KEYID, keyid,
+ BUILD_PKCS11_KEYID, chunk,
BUILD_PASSPHRASE, secret, BUILD_END);
break;
case SC_FORMAT_KEYID:
key = lib->creds->create(lib->creds,
CRED_PRIVATE_KEY, KEY_ANY,
- BUILD_PKCS11_KEYID, keyid,
+ BUILD_PKCS11_KEYID, chunk,
BUILD_PASSPHRASE, secret, BUILD_END);
break;
}
+ free(chunk.ptr);
if (key)
{
DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr);
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 891c178e0..24d8ce870 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -107,7 +107,7 @@ enum builder_part_t {
BUILD_PKCS11_MODULE,
/** slot specifier for a token in a PKCS#11 module, int */
BUILD_PKCS11_SLOT,
- /** key ID of a key on a token, null terminated char* */
+ /** key ID of a key on a token, chunk_t */
BUILD_PKCS11_KEYID,
/** modulus (n) of a RSA key, chunk_t */
BUILD_RSA_MODULUS,
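Review bot: The new comment `key ID of a key on a token, chunk_t` should state the ownership rule, because the only caller in this commit (stroke_cred.c) frees the chunk's buffer as soon as `lib->creds->create()` returns, so a builder that wanted to keep the ID past the build would have to clone it. Suggested text: `/** key ID of a key on a token, chunk_t (not retained by the builder; the caller may free it after the build) */`. Both builders touched by this commit appear to use the ID only while building, but that is not visible from the header, which is where the next builder author will look.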
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index d596fcf6b..3bca34244 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -451,9 +451,9 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
{
#ifndef OPENSSL_NO_ENGINE
private_openssl_rsa_private_key_t *this;
- char *keyid = NULL, *engine_id = NULL;
+ char *engine_id = NULL;
char keyname[64], pin[32];;
- chunk_t secret = chunk_empty;
+ chunk_t secret = chunk_empty, keyid = chunk_empty;;
EVP_PKEY *key;
ENGINE *engine;
int slot = -1;
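Review bot: The new declaration `chunk_t secret = chunk_empty, keyid = chunk_empty;;` ends with a doubled semicolon, an empty statement copied from the pre-existing `char keyname[64], pin[32];;` line just above it; both should end with a single `;`. It is harmless to the compiler but reads as a typo in a function that goes on to do buffer-size arithmetic by hand, where sloppiness is not reassuring. openssl_rsa_private_key_connect's body continues past this hunk.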
@@ -463,7 +463,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
switch (va_arg(args, builder_part_t))
{
case BUILD_PKCS11_KEYID:
- keyid = va_arg(args, char*);
+ keyid = va_arg(args, chunk_t);
continue;
case BUILD_PASSPHRASE:
secret = va_arg(args, chunk_t);
@@ -481,19 +481,22 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
}
break;
}
- if (!keyid || !secret.len || !secret.ptr)
+ if (!keyid.len || keyid.len > 40 || !secret.len)
{
return NULL;
}
- if (slot == -1)
+ memset(keyname, 0, sizeof(keyname));
+ if (slot != -1)
{
- snprintf(keyname, sizeof(keyname), "%s", keyid);
+ snprintf(keyname, sizeof(keyname), "%d:", slot);
}
- else
+ if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1)
{
- snprintf(keyname, sizeof(keyname), "%d:%s", slot, keyid);
+ return NULL;
}
+ chunk_to_hex(keyid, keyname + strlen(keyname), FALSE);
+
snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
if (!engine_id)
@@ -504,7 +507,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
engine = ENGINE_by_id(engine_id);
if (!engine)
{
- DBG1(DBG_LIB, "engine '%s' is not available", engine_id);
+ DBG2(DBG_LIB, "engine '%s' is not available", engine_id);
return NULL;
}
if (!ENGINE_init(engine))
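Review bot: Downgrading `engine '%s' is not available` from DBG1 to DBG2 hides an engine lookup failure at the default log level; presumably this is intended because the same build request is also offered to the pkcs11 builder in this commit and the openssl path failing is then expected noise, but an administrator who explicitly relies on the OpenSSL engine route now gets no hint why the key did not load. If that is the intent, a comment such as `/* quiet: the pkcs11 plugin usually serves this request instead */` would record it, and the caller should still report at DBG1 when no builder at all produced a key. The enclosing function continues past the hunk.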
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index cce6afbf1..0084fb400 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -276,17 +276,18 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
{
private_pkcs11_private_key_t *this;
- char *keyid = NULL, *module = NULL;
+ char *module = NULL;
+ chunk_t keyid, pin;
int slot = -1;
CK_RV rv;
- chunk_t chunk, pin = chunk_empty;
+ keyid = pin = chunk_empty;
while (TRUE)
{
switch (va_arg(args, builder_part_t))
{
case BUILD_PKCS11_KEYID:
- keyid = va_arg(args, char*);
+ keyid = va_arg(args, chunk_t);
continue;
case BUILD_PASSPHRASE:
pin = va_arg(args, chunk_t);
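Review bot: `chunk_t keyid, pin;` leaves both uninitialized until the separate `keyid = pin = chunk_empty;` statement placed after `CK_RV rv;`, whereas the openssl builder in this same commit initializes at the declaration (`chunk_t secret = chunk_empty, keyid = chunk_empty;`). Writing `chunk_t keyid = chunk_empty, pin = chunk_empty;` here removes the window in which an early `return` added later would read garbage and keeps the two builders consistent. pkcs11_private_key_connect continues beyond this hunk.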
@@ -304,7 +305,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
}
break;
}
- if (!keyid || !pin.ptr || !pin.len || !module || slot == -1)
+ if (!keyid.len || !pin.len || !module || slot == -1)
{ /* we currently require all parameters, TODO: search for pubkeys */
return NULL;
}
@@ -356,14 +357,11 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
return NULL;
}
- chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
- if (!find_key(this, chunk))
+ if (!find_key(this, keyid))
{
- free(chunk.ptr);
destroy(this);
return NULL;
}
- free(chunk.ptr);
return &this->public;
}
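Review bot: `find_key(this, keyid)` now receives the caller's buffer instead of a private copy, and stroke_cred.c frees that buffer as soon as `create()` returns; since the old code freed its own copy right here after the lookup, `find_key` could never have retained the ID safely, but that is now a contract with a caller in another plugin rather than a local fact. If `find_key` (its body is outside this hunk) only matches the ID against CKA_ID during the lookup, a one-line comment such as `/* keyid is only used to locate the object; the builder does not retain it */` would pin that down; if it does keep it in `this`, it must `chunk_clone` it.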