libelfsign/common/libelfsign.h

	libelfsign.h revision 735564919188238196dbd0d320770dda59b38369
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef _LIBELFSIGN_H
#define _LIBELFSIGN_H

#ifdef __cplusplus
extern "C" {
#endif

/*
 * libelfsign Private Interfaces
 * This Header file should not be shipped as part of Solaris binary or
 * source products.
 */

#include <sys/crypto/elfsign.h>
#include <libelf.h>
#include <fcntl.h>
#include <md5.h>
#include <sha1.h>
#include <kmfapi.h>

/*
 * Certificate-related definitions
 */
#define ELFSIGN_CRYPTO      "Solaris Cryptographic Framework"
#define USAGELIMITED        "OU=UsageLimited"
#define ESA         ".esa"
#define ESA_LEN         sizeof (".esa")

typedef enum ELFCert_VStatus_e {
    E_UNCHECKED,
    E_OK,
    E_IS_TA,
    E_FAILED
} ELFCert_VStatus_t;

typedef struct ELFCert_s {
    ELFCert_VStatus_t   c_verified;
    char            *c_subject;
    char            *c_issuer;
    KMF_X509_DER_CERT   c_cert;
    KMF_KEY_HANDLE      c_privatekey;
}   *ELFCert_t;

#define CRYPTO_CERTS_DIR    "/etc/crypto/certs"
#define ETC_CERTS_DIR       "/etc/certs"

/*
 * libelfsign actions
 */
enum ES_ACTION {
    ES_GET,
    ES_GET_CRYPTO,
    ES_GET_FIPS140,
    ES_UPDATE,
    ES_UPDATE_RSA_MD5_SHA1,
    ES_UPDATE_RSA_SHA1
};
#define ES_ACTISUPDATE(a)   ((a) >= ES_UPDATE)

/*
 * Context for elfsign operation
 */
struct ELFsign_s {
    Elf *es_elf;
    char    *es_pathname;
    char    *es_certpath;
    int es_fd;
    size_t  es_shstrndx;
    enum ES_ACTION  es_action;
    KMF_KEY_HANDLE      es_privatekey;
    filesig_vers_t  es_version;
    boolean_t   es_same_endian;
    boolean_t   es_has_phdr;
    char        es_ei_class;
    struct flock    es_flock;
    KMF_HANDLE_T    es_kmfhandle;
    void        *es_callbackctx;
    void        (*es_sigvercallback)(void *, void *, size_t, ELFCert_t);
    void        (*es_certCAcallback)(void *, ELFCert_t, char *);
    void        (*es_certvercallback)(void *, ELFCert_t, ELFCert_t);
};

#define ES_FMT_RSA_MD5_SHA1 "rsa_md5_sha1"
#define ES_FMT_RSA_SHA1     "rsa_sha1"

/*
 * ELF signature handling
 */
typedef struct ELFsign_s *ELFsign_t;
struct ELFsign_sig_info {
    char    *esi_format;
    char    *esi_signer;
    time_t  esi_time;
};

extern struct filesignatures *elfsign_insert_dso(ELFsign_t ess,
    struct filesignatures *fsp, const char *dn, int dn_len,
    const uchar_t *sig, int sig_len, const char *oid, int oid_len);
extern filesig_vers_t elfsign_extract_sig(ELFsign_t ess,
    struct filesignatures *fsp, uchar_t *sig, size_t *sig_len);
extern ELFsign_status_t elfsign_begin(const char *,
    enum ES_ACTION, ELFsign_t *);
extern void elfsign_end(ELFsign_t ess);
extern ELFsign_status_t elfsign_setcertpath(ELFsign_t ess, const char *path);
extern ELFsign_status_t elfsign_verify_signature(ELFsign_t ess,
    struct ELFsign_sig_info **esipp);
extern ELFsign_status_t elfsign_hash(ELFsign_t ess, uchar_t *hash,
    size_t *hash_len);
extern ELFsign_status_t elfsign_hash_mem_resident(ELFsign_t ess,
    uchar_t *hash, size_t *hash_len);
extern ELFsign_status_t elfsign_hash_esa(ELFsign_t ess,
    uchar_t *esa_buf, size_t esa_buf_len, uchar_t **hash, size_t *hash_len);
extern void elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp,
    enum ES_ACTION action);

extern void elfsign_setcallbackctx(ELFsign_t ess, void *ctx);
extern void elfsign_setsigvercallback(ELFsign_t ess,
    void (*cb)(void *, void *, size_t, ELFCert_t));
extern ELFsign_status_t elfsign_signatures(ELFsign_t ess,
    struct filesignatures **fspp, size_t *fs_len, enum ES_ACTION action);

extern char const *elfsign_strerror(ELFsign_status_t);
extern boolean_t elfsign_sig_info(struct filesignatures *fssp,
    struct ELFsign_sig_info **esipp);
extern void elfsign_sig_info_free(struct ELFsign_sig_info *);

/*
 * ELF "Certificate Library"
 */

extern const char _PATH_ELFSIGN_CERTS[];

#define ELFCERT_MAX_DN_LEN  255

extern boolean_t elfcertlib_init(ELFsign_t);
extern void elfcertlib_fini(ELFsign_t);
extern boolean_t elfcertlib_settoken(ELFsign_t, char *);
extern void elfcertlib_setcertCAcallback(ELFsign_t ess,
    void (*cb)(void *, ELFCert_t, char *));
extern void elfcertlib_setcertvercallback(ELFsign_t ess,
    void (*cb)(void *, ELFCert_t, ELFCert_t));

extern boolean_t elfcertlib_getcert(ELFsign_t ess, char *cert_pathname,
    char *signer_DN, ELFCert_t *certp, enum ES_ACTION action);
extern void elfcertlib_releasecert(ELFsign_t, ELFCert_t);
extern char *elfcertlib_getdn(ELFCert_t cert);
extern char *elfcertlib_getissuer(ELFCert_t cert);

extern boolean_t elfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert,
    const char *path);
extern boolean_t elfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert,
    const char *token_id, const char *pin);

extern boolean_t elfcertlib_sign(ELFsign_t ess, ELFCert_t cert,
    const uchar_t *data, size_t data_len, uchar_t *sig,
    size_t *sig_len);

extern boolean_t elfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert);
extern boolean_t elfcertlib_verifysig(ELFsign_t ess, ELFCert_t cert,
    const uchar_t *sig, size_t sig_len,
    const uchar_t *data, size_t data_len);

#ifdef __cplusplus
}
#endif

#endif /* _LIBELFSIGN_H */