===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-pkcs11.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- src/usr.bin/ssh/ssh-pkcs11.c	2013/07/12 00:20:00	1.8
+++ src/usr.bin/ssh/ssh-pkcs11.c	2013/11/02 20:03:54	1.9
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.8 2013/07/12 00:20:00 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.9 2013/11/02 20:03:54 markus Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  *
@@ -23,6 +23,8 @@
 #include <string.h>
 #include <dlfcn.h>
 
+#include <openssl/x509.h>
+
 #define CRYPTOKI_COMPAT
 #include "pkcs11.h"
 
@@ -373,32 +375,73 @@
  * add 'wrapped' public keys to the 'keysp' array and increment nkeys.
  * keysp points to an (possibly empty) array with *nkeys keys.
  */
+static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,
+    CK_ATTRIBUTE [], CK_ATTRIBUTE [3], Key ***, int *)
+	__attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE))));
+
 static int
-pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp,
-    int *nkeys)
+pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
+    Key ***keysp, int *nkeys)
 {
-	Key			*key;
-	RSA			*rsa;
-	int			i;
-	CK_RV			rv;
-	CK_OBJECT_HANDLE	obj;
-	CK_ULONG		nfound;
-	CK_SESSION_HANDLE	session;
-	CK_FUNCTION_LIST	*f;
 	CK_OBJECT_CLASS		pubkey_class = CKO_PUBLIC_KEY;
+	CK_OBJECT_CLASS		cert_class = CKO_CERTIFICATE;
 	CK_ATTRIBUTE		pubkey_filter[] = {
 		{ CKA_CLASS, &pubkey_class, sizeof(pubkey_class) }
 	};
-	CK_ATTRIBUTE		attribs[] = {
+	CK_ATTRIBUTE		cert_filter[] = {
+		{ CKA_CLASS, &cert_class, sizeof(cert_class) }
+	};
+	CK_ATTRIBUTE		pubkey_attribs[] = {
 		{ CKA_ID, NULL, 0 },
 		{ CKA_MODULUS, NULL, 0 },
 		{ CKA_PUBLIC_EXPONENT, NULL, 0 }
 	};
+	CK_ATTRIBUTE		cert_attribs[] = {
+		{ CKA_ID, NULL, 0 },
+		{ CKA_SUBJECT, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
 
+	if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs,
+	    keysp, nkeys) < 0 ||
+	    pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs,
+	    keysp, nkeys) < 0)
+		return (-1);
+	return (0);
+}
+
+static int
+pkcs11_key_included(Key ***keysp, int *nkeys, Key *key)
+{
+	int i;
+
+	for (i = 0; i < *nkeys; i++)
+		if (key_equal(key, *keysp[i]))
+			return (1);
+	return (0);
+}
+
+static int
+pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
+    CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3],
+    Key ***keysp, int *nkeys)
+{
+	Key			*key;
+	RSA			*rsa;
+	X509 			*x509;
+	EVP_PKEY		*evp;
+	int			i;
+	const u_char		*cp;
+	CK_RV			rv;
+	CK_OBJECT_HANDLE	obj;
+	CK_ULONG		nfound;
+	CK_SESSION_HANDLE	session;
+	CK_FUNCTION_LIST	*f;
+
 	f = p->function_list;
 	session = p->slotinfo[slotidx].session;
 	/* setup a filter the looks for public keys */
-	if ((rv = f->C_FindObjectsInit(session, pubkey_filter, 1)) != CKR_OK) {
+	if ((rv = f->C_FindObjectsInit(session, filter, 1)) != CKR_OK) {
 		error("C_FindObjectsInit failed: %lu", rv);
 		return (-1);
 	}
@@ -426,32 +469,59 @@
 		/* allocate buffers for attributes */
 		for (i = 0; i < 3; i++)
 			attribs[i].pValue = xmalloc(attribs[i].ulValueLen);
-		/* retrieve ID, modulus and public exponent of RSA key */
+		/*
+		 * retrieve ID, modulus and public exponent of RSA key,
+		 * or ID, subject and value for certificates.
+		 */
+		rsa = NULL;
 		if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3))
 		    != CKR_OK) {
 			error("C_GetAttributeValue failed: %lu", rv);
-		} else if ((rsa = RSA_new()) == NULL) {
-			error("RSA_new failed");
+		} else if (attribs[1].type == CKA_MODULUS ) {
+			if ((rsa = RSA_new()) == NULL) {
+				error("RSA_new failed");
+			} else {
+				rsa->n = BN_bin2bn(attribs[1].pValue,
+				    attribs[1].ulValueLen, NULL);
+				rsa->e = BN_bin2bn(attribs[2].pValue,
+				    attribs[2].ulValueLen, NULL);
+			}
 		} else {
-			rsa->n = BN_bin2bn(attribs[1].pValue,
-			    attribs[1].ulValueLen, NULL);
-			rsa->e = BN_bin2bn(attribs[2].pValue,
-			    attribs[2].ulValueLen, NULL);
-			if (rsa->n && rsa->e &&
-			    pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
-				key = key_new(KEY_UNSPEC);
-				key->rsa = rsa;
-				key->type = KEY_RSA;
-				key->flags |= KEY_FLAG_EXT;
+			cp = attribs[2].pValue;
+			if ((x509 = X509_new()) == NULL) {
+				error("X509_new failed");
+			} else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen)
+			    == NULL) {
+				error("d2i_X509 failed");
+			} else if ((evp = X509_get_pubkey(x509)) == NULL ||
+			    evp->type != EVP_PKEY_RSA ||
+			    evp->pkey.rsa == NULL) {
+				debug("X509_get_pubkey failed or no rsa");
+			} else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
+			    == NULL) {
+				error("RSAPublicKey_dup");
+			}
+			if (x509)
+				X509_free(x509);
+		}
+		if (rsa && rsa->n && rsa->e &&
+		    pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
+			key = key_new(KEY_UNSPEC);
+			key->rsa = rsa;
+			key->type = KEY_RSA;
+			key->flags |= KEY_FLAG_EXT;
+			if (pkcs11_key_included(keysp, nkeys, key)) {
+				key_free(key);
+			} else {
 				/* expand key array and add key */
 				*keysp = xrealloc(*keysp, *nkeys + 1,
 				    sizeof(Key *));
 				(*keysp)[*nkeys] = key;
 				*nkeys = *nkeys + 1;
 				debug("have %d keys", *nkeys);
-			} else {
-				RSA_free(rsa);
 			}
+		} else if (rsa) {
+			RSA_free(rsa);
 		}
 		for (i = 0; i < 3; i++)
 			free(attribs[i].pValue);