softhsm2-util: support import certificate

The softhsm2-util already support importing keys, why not also import
certificates?

Useful for test scripts that require both keys and certificates.

Add --import-type <type> parameter, depreciate the --aes parameter.

Signed-off-by: Alon Bar-Lev <[email protected]>

Author: alonbl

src/bin/util/softhsm2-util-botan.cpp

@@ -47,6 +47,8 @@
 #include <botan/bigint.h>
 #include <botan/der_enc.h>
 #include <botan/oids.h>
+#include <botan/x509cert.h>
+#include <botan/x509_dn.h>
 
 // Init Botan
 void crypto_init()
@@ -833,4 +835,50 @@ void crypto_free_eddsa(eddsa_key_material_t* keyMat)
 	if (keyMat->bigA) free(keyMat->bigA);
 	free(keyMat);
 }
+
+// Import a key pair from given path
+int crypto_import_certificate
+(
+	CK_SESSION_HANDLE hSession,
+	char* filePath,
+	char* label,
+	char* objID,
+	size_t objIDLen
+)
+{
+	Botan::X509_Certificate cert(filePath);
+	std::vector<uint8_t> blob = cert.BER_encode();
+	std::vector<uint8_t> name = cert.subject_dn().BER_encode();
+	std::vector<uint8_t> issuer = cert.issuer_dn().BER_encode();
+	std::vector<uint8_t> serial = cert.serial_number();
+
+	CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+	CK_CERTIFICATE_TYPE certType = CKC_X_509;
+	CK_BBOOL ckTrue = CK_TRUE, ckFalse = CK_FALSE, ckToken = CK_TRUE;
+	CK_ATTRIBUTE certTemplate[] = {
+		{ CKA_CLASS,            &certClass,       sizeof(certClass) },
+		{ CKA_CERTIFICATE_TYPE, &certType,        sizeof(certType) },
+		{ CKA_LABEL,            label,            strlen(label) },
+		{ CKA_ID,               objID,            objIDLen },
+		{ CKA_TOKEN,            &ckToken,         sizeof(ckToken) },
+		{ CKA_PRIVATE,          &ckFalse,         sizeof(ckTrue) },
+		{ CKA_VALUE,            &*blob.begin(),   (CK_ULONG)blob.size() },
+		{ CKA_SUBJECT,          &*name.begin(),   (CK_ULONG)name.size() },
+		{ CKA_ISSUER,           &*issuer.begin(), (CK_ULONG)issuer.size() },
+		{ CKA_SERIAL_NUMBER,    &*serial.begin(), (CK_ULONG)serial.size() }
+	};
+
+	CK_OBJECT_HANDLE hCert;
+	CK_RV rv = p11->C_CreateObject(hSession, certTemplate, 10, &hCert);
+	if (rv != CKR_OK)
+	{
+		fprintf(stderr, "ERROR: Could not save the certificate in the token.\n");
+		return 1;
+	}
+
+	printf("The certificate has been imported.\n");
+
+	return 0;
+}
+
 #endif

src/bin/util/softhsm2-util-ossl.cpp

@@ -990,4 +990,85 @@ void crypto_free_eddsa(eddsa_key_material_t* keyMat)
 	free(keyMat);
 }
 
+// Import a key pair from given path
+int crypto_import_certificate
+(
+	CK_SESSION_HANDLE hSession,
+	char* filePath,
+	char* label,
+	char* objID,
+	size_t objIDLen
+)
+{
+	BIO* in = NULL;
+
+	if (!(in = BIO_new_file(filePath, "rb")))
+	{
+		fprintf(stderr, "ERROR: Could open the PKCS#8 file: %s\n", filePath);
+		return 1;
+	}
+
+	X509* x509 = PEM_read_bio_X509(in, NULL, NULL, NULL);
+	BIO_free(in);
+
+	if (!x509)
+	{
+		fprintf(stderr, "ERROR: Could not read the certificate file.\n");
+		return 1;
+	}
+
+	int blobSize = i2d_X509(x509, NULL);
+	CK_BYTE_PTR blob = (CK_BYTE_PTR)malloc(blobSize);
+	CK_BYTE_PTR p;
+	p = blob;
+	blobSize = i2d_X509(x509, &p);
+
+	int nameSize = i2d_X509_NAME(X509_get_subject_name(x509), NULL);
+	CK_BYTE_PTR name = (CK_BYTE_PTR)malloc(nameSize);
+	p = name;
+	nameSize = i2d_X509_NAME(X509_get_subject_name(x509), &p);
+
+	int issuerSize = i2d_X509_NAME(X509_get_issuer_name(x509), NULL);
+	CK_BYTE_PTR issuer = (CK_BYTE_PTR)malloc(issuerSize);
+	p = issuer;
+	issuerSize = i2d_X509_NAME(X509_get_issuer_name(x509), &p);
+
+	int serialSize = i2d_ASN1_INTEGER(X509_get_serialNumber(x509), NULL);
+	CK_BYTE_PTR serial = (CK_BYTE_PTR)malloc(serialSize);
+	p = serial;
+	serialSize = i2d_ASN1_INTEGER(X509_get_serialNumber(x509), &p);
+
+	CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+	CK_CERTIFICATE_TYPE certType = CKC_X_509;
+	CK_BBOOL ckTrue = CK_TRUE, ckFalse = CK_FALSE, ckToken = CK_TRUE;
+	CK_ATTRIBUTE certTemplate[] = {
+		{ CKA_CLASS,            &certClass,   sizeof(certClass) },
+		{ CKA_CERTIFICATE_TYPE, &certType,    sizeof(certType) },
+		{ CKA_LABEL,            label,        strlen(label) },
+		{ CKA_ID,               objID,        objIDLen },
+		{ CKA_TOKEN,            &ckToken,     sizeof(ckToken) },
+		{ CKA_PRIVATE,          &ckFalse,     sizeof(ckTrue) },
+		{ CKA_VALUE,            blob,         (CK_ULONG)blobSize },
+		{ CKA_SUBJECT,          name,         (CK_ULONG)nameSize },
+		{ CKA_ISSUER,           issuer,       (CK_ULONG)issuerSize },
+		{ CKA_SERIAL_NUMBER,    serial,       (CK_ULONG)serialSize }
+	};
+
+	CK_OBJECT_HANDLE hCert;
+	CK_RV rv = p11->C_CreateObject(hSession, certTemplate, 10, &hCert);
+	free(issuer);
+	free(name);
+	free(blob);
+	X509_free(x509);
+	if (rv != CKR_OK)
+	{
+		fprintf(stderr, "ERROR: Could not save the certificate in the token.\n");
+		return 1;
+	}
+
+	printf("The certificate has been imported.\n");
+
+	return 0;
+}
+
 #endif

src/bin/util/softhsm2-util.1

@@ -17,27 +17,23 @@ softhsm2-util \- support tool for libsofthsm2
 .PP
 .B softhsm2-util \-\-import
 .I path
+.RB [ \-\-import-type
+.IR type ]
+\\
+.ti +0.7i
 .RB [ \-\-file-pin
 .IR PIN ]
 .B \-\-token
 .I label
+.RB [ \-\-pin
+.I PIN]
+.B [\-\-no\-public\-key]
 \\
 .ti +0.7i
-.RB [ \-\-pin
-.I PIN
-.B \-\-no\-public\-key]
 .B \-\-label
 .I text
 .B \-\-id
 .I hex
-.PP
-.B softhsm2-util \-\-import
-.I path
-.B \-\-aes
-.B \-\-token
-.I label
-\\
-.ti +0.7i
 .RB [ \-\-pin
 .I PIN]
 .B \-\-label
@@ -122,11 +118,11 @@ Any content in token will be erased.
 Show the help information.
 .TP
 .B \-\-import \fIpath\fR
-Import a key pair from the given
+Import an object from the given
 .IR path .
-The file must be in PKCS#8-format.
 .br
 Use with
+.BR \-\-import-type,
 .BR \-\-slot
 or
 .BR \-\-token
@@ -138,10 +134,6 @@ or
 .BR \-\-label ,
 and
 .BR \-\-id .
-.br
-Can also be used with
-.BR \-\-aes
-to use file as is and import it as AES.
 .TP
 .B \-\-init-token
 Initialize the token at a given slot, token label or token serial.
@@ -173,8 +165,20 @@ Display all the available slots and their current status.
 Show the version info.
 .SH OPTIONS
 .TP
+.B \-\-import-type \fItype\fR
+Import object type, \fItype\fR may be one of:
+.RS
+.IP keypair\ [default]
+The file must be in PKCS#8 PEM format.
+.IP aes
+The file must be in binary format.
+.IP cert
+The file must be in X509 PEM format.
+.RE
+.TP
 .B \-\-aes
 Used to tell import to use file as is and import it as AES.
+Deprecated, use \fI--import-type aes\fR instead.
 .TP
 .B \-\-file-pin \fIPIN\fR
 The