/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/* Include guard; the matching #endif is the last line of this file. */
#ifndef _LIBELFSIGN_H
#define _LIBELFSIGN_H

#ifdef __cplusplus
extern "C" {
#endif

/*
 * libelfsign Private Interfaces
 *
 * This header file is internal to libelfsign and should not be shipped
 * as part of Solaris binary or source products.
 */

/*
 * filesignatures, filesig_vers_t and ELFsign_status_t are used below but
 * not defined in this header; presumably they come from
 * <sys/crypto/elfsign.h>.  The KMF_* types come from <kmfapi.h>.
 */
#include <sys/crypto/elfsign.h>
#include <libelf.h>
#include <fcntl.h>		/* struct flock, used in struct ELFsign_s */
#include <md5.h>		/* legacy digest; see ES_FMT_RSA_MD5_SHA1 below */
#include <sha1.h>
#include <kmfapi.h>

/*
 * Certificate-related definitions
 */
/* Name string of the Solaris Cryptographic Framework; how it is matched is up to the implementation. */
#define	ELFSIGN_CRYPTO	"Solaris Cryptographic Framework"
/* DN component; presumably matched against a certificate subject to flag usage-limited certs — confirm. */
#define	USAGELIMITED	"OU=UsageLimited"

/*
 * Verification state of a certificate (ELFCert_s.c_verified).
 * E_UNCHECKED is the first enumerator (value 0), so a zero-initialized
 * cert reads as "not yet verified" rather than as verified.
 */
typedef enum ELFCert_VStatus_e {
	E_UNCHECKED,	/* no verification attempted yet */
	E_OK,		/* verification succeeded */
	E_IS_TA,	/* presumably "is a trust anchor" (trusted without a chain) — confirm */
	E_FAILED	/* verification attempted and failed */
} ELFCert_VStatus_t;

/*
 * A certificate (and, once loaded, its private key) as handled by the
 * elfcertlib_* routines declared below.  Note that ELFCert_t is a
 * pointer to this struct, not the struct itself.
 */
typedef struct ELFCert_s {
	ELFCert_VStatus_t c_verified;	/* see ELFCert_VStatus_t; presumably set by elfcertlib_verifycert() */
	char *c_subject;		/* subject DN string; presumably what elfcertlib_getdn() returns — confirm */
	char *c_issuer;			/* issuer DN string; presumably what elfcertlib_getissuer() returns — confirm */
	KMF_X509_DER_CERT c_cert;	/* DER-encoded certificate (KMF type) */
	KMF_KEY_HANDLE c_privatekey;	/* private key handle; presumably valid only after elfcertlib_loadprivatekey()/loadtokenkey() */
} *ELFCert_t;

/* Certificate directories on the host (see also _PATH_ELFSIGN_CERTS below). */
#define	CRYPTO_CERTS_DIR	"/etc/crypto/certs"
#define	ETC_CERTS_DIR		"/etc/certs"

/*
 * libelfsign actions
 *
 * The ES_GET* values presumably read/verify and the ES_UPDATE* values
 * write a signature.  ES_ACTISUPDATE() relies on every write action
 * being declared at or after ES_UPDATE, so any new read-only action
 * must be added above ES_UPDATE and any new write action below it.
 */
enum ES_ACTION {
	ES_GET,
	ES_GET_CRYPTO,
	ES_GET_FIPS140,
	ES_UPDATE,
	ES_UPDATE_RSA_MD5_SHA1,	/* MD5 and SHA-1 are no longer collision-resistant; treat both RSA_* formats as legacy */
	ES_UPDATE_RSA_SHA1
};
/* True for any action that modifies the file; depends on the enumerator order above. */
#define	ES_ACTISUPDATE(a)	((a) >= ES_UPDATE)

/*
 * Context for elfsign operation
 *
 * One instance per ELF object being signed or verified; presumably
 * created by elfsign_begin() and released by elfsign_end() (both
 * declared below).
 */
struct ELFsign_s {
	Elf		*es_elf;		/* libelf descriptor for the open object */
	char		*es_pathname;		/* path of the ELF object */
	char		*es_certpath;		/* certificate path; presumably set by elfsign_setcertpath() — confirm */
	int		es_fd;			/* open file descriptor, presumably of es_pathname */
	size_t		es_shstrndx;		/* presumably the section-header string table index — confirm */
	enum ES_ACTION	es_action;		/* what this context is doing (see ES_ACTION) */
	KMF_KEY_HANDLE	es_privatekey;		/* signing key handle (KMF) */
	filesig_vers_t	es_version;		/* signature format version */
	boolean_t	es_same_endian;		/* presumably: object byte order matches the host's */
	boolean_t	es_has_phdr;		/* presumably: object has a program header table */
	char		es_ei_class;		/* presumably the EI_CLASS ident byte (32- vs 64-bit) */
	struct flock	es_flock;		/* advisory lock record (struct flock, <fcntl.h>) */
	KMF_HANDLE_T	es_kmfhandle;		/* KMF library handle */
	void		*es_callbackctx;	/* opaque caller context; presumably passed as the first argument of the callbacks below — confirm */
	/* Callback hooks; installed via the elfsign_set*callback()/elfcertlib_set*callback() routines below. */
	void		(*es_sigvercallback)(void *, void *, size_t, ELFCert_t);
	void		(*es_certCAcallback)(void *, ELFCert_t, char *);
	void		(*es_certvercallback)(void *, ELFCert_t, ELFCert_t);
};

/*
 * Signature format identifier strings; presumably the values reported in
 * ELFsign_sig_info.esi_format — confirm.  MD5 and SHA-1 are no longer
 * collision-resistant, so a verifier should treat both formats as legacy
 * rather than as a current security boundary.
 */
#define	ES_FMT_RSA_MD5_SHA1	"rsa_md5_sha1"
#define	ES_FMT_RSA_SHA1		"rsa_sha1"

/*
 * ELF signature handling
 */
/* Handle type used by the API below; a pointer to struct ELFsign_s. */
typedef struct ELFsign_s *ELFsign_t;

/*
 * Description of an existing signature.  Filled in through the esipp
 * out-parameter of elfsign_verify_signature() / elfsign_sig_info() and
 * released with elfsign_sig_info_free() (all declared below).
 */
struct ELFsign_sig_info {
	char	*esi_format;	/* signature format; presumably one of the ES_FMT_* strings — confirm */
	char	*esi_signer;	/* signer identity; presumably a DN string */
	time_t	esi_time;	/* signing time */
};

/*
 * Insert a signature record (dn/sig/oid) into the filesignatures block fsp.
 * NOTE(review): lengths here are int while elfsign_extract_sig() below
 * uses size_t; callers converting from size_t should make sure the values
 * are non-negative.  Return value is presumably the (possibly reallocated)
 * block, or NULL on failure — confirm against the implementation.
 */
extern struct filesignatures *elfsign_insert_dso(ELFsign_t ess,
    struct filesignatures *fsp, const char *dn, int dn_len,
    const uchar_t *sig, int sig_len, const char *oid, int oid_len);
/*
 * Extract the signature bytes from fsp into sig and its length into
 * *sig_len; returns the signature format version.  Whether *sig_len is
 * read as the buffer capacity on entry is not defined here — confirm.
 */
extern filesig_vers_t elfsign_extract_sig(ELFsign_t ess,
    struct filesignatures *fsp, uchar_t *sig, size_t *sig_len);
/* Open a context for the given path and action; the handle is returned through the out-parameter. */
extern ELFsign_status_t elfsign_begin(const char *,
    enum ES_ACTION, ELFsign_t *);
/* Release a context obtained from elfsign_begin(). */
extern void elfsign_end(ELFsign_t ess);
/* Set the certificate path for this context. */
extern ELFsign_status_t elfsign_setcertpath(ELFsign_t ess, const char *path);
/* Verify the object's signature; *esipp presumably receives a description to free with elfsign_sig_info_free(). */
extern ELFsign_status_t elfsign_verify_signature(ELFsign_t ess,
    struct ELFsign_sig_info **esipp);
/* Compute the object's hash into hash/*hash_len; whether *hash_len is in/out is not defined here — confirm. */
extern ELFsign_status_t elfsign_hash(ELFsign_t ess, uchar_t *hash,
    size_t *hash_len);
/* As elfsign_hash(), but over the memory-resident image (per the name; confirm against the implementation). */
extern ELFsign_status_t elfsign_hash_mem_resident(ELFsign_t ess,
    uchar_t *hash, size_t *hash_len);
/* Purpose of ip/cp is not determinable from this header — see the implementation. */
extern void elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp,
    enum ES_ACTION action);

/* Store an opaque context pointer for the callbacks. */
extern void elfsign_setcallbackctx(ELFsign_t ess, void *ctx);
/* Install the signature-verification callback (see es_sigvercallback). */
extern void elfsign_setsigvercallback(ELFsign_t ess,
    void (*cb)(void *, void *, size_t, ELFCert_t));
/* Get or update the object's filesignatures block, depending on action. */
extern ELFsign_status_t elfsign_signatures(ELFsign_t ess,
    struct filesignatures **fspp, size_t *fs_len, enum ES_ACTION action);

/* Human-readable message for a status code. */
extern char const *elfsign_strerror(ELFsign_status_t);
/* Describe the signature in fssp through *esipp; release the result with elfsign_sig_info_free(). */
extern boolean_t elfsign_sig_info(struct filesignatures *fssp,
    struct ELFsign_sig_info **esipp);
extern void elfsign_sig_info_free(struct ELFsign_sig_info *);

/*
 * ELF "Certificate Library"
 */

/* Default certificate search path; defined in the implementation (compare CRYPTO_CERTS_DIR/ETC_CERTS_DIR above). */
extern const char _PATH_ELFSIGN_CERTS[];

/*
 * Maximum DN length; presumably bounds the signer_DN argument of
 * elfcertlib_getcert().  Whether the limit includes the terminating NUL
 * is not defined here — check the implementation before sizing a fixed
 * buffer from this value.
 */
#define	ELFCERT_MAX_DN_LEN	255

/* Initialize / tear down the certificate-library state held in the context. */
extern boolean_t elfcertlib_init(ELFsign_t);
extern void elfcertlib_fini(ELFsign_t);
/* Select a token by name for later key operations (presumably; confirm). */
extern boolean_t elfcertlib_settoken(ELFsign_t, char *);
/* Install the certificate/CA and certificate-verification callbacks (see struct ELFsign_s). */
extern void elfcertlib_setcertCAcallback(ELFsign_t ess,
    void (*cb)(void *, ELFCert_t, char *));
extern void elfcertlib_setcertvercallback(ELFsign_t ess,
    void (*cb)(void *, ELFCert_t, ELFCert_t));

/*
 * Load a certificate for signer_DN (from cert_pathname when given) into
 * *certp; release it with elfcertlib_releasecert().
 */
extern boolean_t elfcertlib_getcert(ELFsign_t ess, char *cert_pathname,
    char *signer_DN, ELFCert_t *certp, enum ES_ACTION action);
extern void elfcertlib_releasecert(ELFsign_t, ELFCert_t);
/* Subject and issuer DN strings of cert; ownership of the returned string is not defined here — confirm. */
extern char *elfcertlib_getdn(ELFCert_t cert);
extern char *elfcertlib_getissuer(ELFCert_t cert);

/* Load the private key matching cert from a file path ... */
extern boolean_t elfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert,
    const char *path);
/*
 * ... or from a token.  NOTE(review): pin is a plain NUL-terminated
 * string owned by the caller; the caller should clear that buffer once
 * the key is loaded, and the implementation should be confirmed not to
 * retain a reference to it.
 */
extern boolean_t elfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert,
    const char *token_id, const char *pin);

/* Sign data with cert's private key; *sig_len presumably is the buffer size on entry and the signature length on return — confirm. */
extern boolean_t elfcertlib_sign(ELFsign_t ess, ELFCert_t cert,
    const uchar_t *data, size_t data_len, uchar_t *sig,
    size_t *sig_len);

/* Verify cert itself (chain/trust), and verify sig over data with cert's public key. */
extern boolean_t elfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert);
extern boolean_t elfcertlib_verifysig(ELFsign_t ess, ELFCert_t cert,
    const uchar_t *sig, size_t sig_len,
    const uchar_t *data, size_t data_len);

#ifdef __cplusplus
}	/* end extern "C" */
#endif

#endif /* _LIBELFSIGN_H */