99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER START
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The contents of this file are subject to the terms of the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Common Development and Distribution License (the "License").
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You may not use this file except in compliance with the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * See the License for the specific language governing permissions
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and limitations under the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * When distributing Covered Code, include this CDDL HEADER in each
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If applicable, add the following below this CDDL HEADER, with the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * fields enclosed by brackets "[]" replaced with your own identifying
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * information: Portions Copyright [yyyy] [name of copyright owner]
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER END
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * PKCS11 token KMF Plugin
2c9a247fb01631b3eb3b85a1127e72f0b60ae108Wyllys Ingersoll * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define SET_ERROR(h, c) h->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN; \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyssearch_certs(KMF_HANDLE_T, char *, char *, char *, KMF_BIGINT *,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys boolean_t, KMF_CERT_VALIDITY, OBJLIST **, uint32_t *);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllysgetObjectLabel(KMF_HANDLE_T, CK_OBJECT_HANDLE, char **);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyskeyObj2RawKey(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_RAW_KEY_DATA **);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_ConfigureKeystore(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_StoreCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_ImportCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_DeleteCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_CreateKeypair(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_DeleteKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMFPK11_EncodePubKeyData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_DATA *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMFPK11_SignData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_FindPrikeyByCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMFPK11_DecryptData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_CreateSymKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMFPK11_GetSymKeyValue(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_RAW_SYM_KEY *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_SetTokenPin(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_ExportPK12(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys label = kmf_get_attr_ptr(KMF_TOKEN_LABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* "readonly" is optional. Default is TRUE */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_READONLY_ATTR, attrlist, numattr,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CK_SESSION_HANDLE hSession = (CK_SESSION_HANDLE)handle->pk11handle;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((ck_rv = C_Login(hSession, CKU_USER, (uchar_t *)cred->cred,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysPK11Cert2KMFCert(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE hObj,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CK_ULONG subject_len, value_len, issuer_len, serno_len, id_len;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, 0, CKA_CLASS, &class, sizeof (class));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Is this a certificate object ? */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ckrv = C_GetAttributeValue(kmfh->pk11handle, hObj, templ, 1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, 0, CKA_CERTIFICATE_TYPE, &cktype, sizeof (cktype));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_GetAttributeValue(kmfh->pk11handle, hObj, templ, 1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* What attributes are available and how big are they? */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys subject_len = issuer_len = serno_len = id_len = value_len = 0;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys SETATTR(templ, i, CKA_SERIAL_NUMBER, NULL, serno_len);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Query the object with NULL values in the pValue spot
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * so we know how much space to allocate for each field.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_GetAttributeValue(kmfh->pk11handle, hObj, templ, i);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_INTERNAL); /* TODO - Error messages ? */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * For PKCS#11 CKC_X_509 certificate objects,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the following attributes must be defined.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CKA_SUBJECT, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CKA_VALUE.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Only fetch the value field if we are saving the data */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* re-query the object with room for the value attr */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The caller should make sure that the templ->pValue is NULL since
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * it will be overwritten below.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = C_GetAttributeValue(kmfh->pk11handle, obj, templ, 1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = C_GetAttributeValue(kmfh->pk11handle, obj, templ, 1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Match a certificate with an issuer and/or subject name.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This is tricky because we cannot reliably compare DER encodings
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * because RDNs may have their AV-pairs in different orders even
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * if the values are the same. You must compare individual
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * AV pairs for the RDNs.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * RETURN: 0 for a match, non-zero for a non-match.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * delete "curr" node from the "newlist".
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* first node in the list */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * search_certs
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Because this code is shared by the FindCert and
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * DeleteCert functions, put it in a separate routine
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * to save some work and make code easier to debug and
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *label, char *issuer, char *subject, KMF_BIGINT *serial,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uint32_t num_ok_certs = 0; /* number of non-expired or expired certs */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&templ, 0, 10 * sizeof (CK_ATTRIBUTE));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&subjectDN, 0, sizeof (KMF_X509_NAME));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_TOKEN, &true, sizeof (true)); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_CLASS, &oclass, sizeof (oclass)); i++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(templ, i, CKA_CERTIFICATE_TYPE, &ctype, sizeof (ctype)); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_PRIVATE, &true, sizeof (true)); i++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = kmf_dn_parser(issuer, &issuerDN)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = kmf_dn_parser(subject, &subjectDN)) != KMF_OK)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (serial != NULL && serial->val != NULL && serial->len > 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(templ, i, CKA_SERIAL_NUMBER, serial->val, serial->len);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ckrv = C_FindObjectsInit(kmfh->pk11handle, templ, i);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ckrv = C_FindObjects(kmfh->pk11handle, &tObj, 1, &num);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * 'matchcert' returns 0 if subject/issuer match
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If no match, move on to the next one
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Now check to see if any found certificate is expired
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * or valid.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else if (rv ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * expired - remove it from list
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * valid - remove it from list
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The caller may pass a NULL value for kmf_cert below and the function will
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * just return the number of certs found (in num_certs).
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_FindCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys num_certs = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the optional returned certificate list */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_cert = kmf_get_attr_ptr(KMF_X509_DER_CERT_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get optional search criteria attributes */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certlabel = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CERT_VALIDITY_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_PRIVATE_BOOL_ATTR, attrlist, numattr,
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Start searching */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = search_certs(handle, certlabel, issuer, subject, serial, private,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (rv == KMF_OK && objlist != NULL && kmf_cert != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*ARGSUSED*/
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_FreeKMFCert(KMF_HANDLE_T handle, KMF_X509_DER_CERT *kmf_cert)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmf_cert != NULL && kmf_cert->certificate.Data != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMFPK11_EncodePubKeyData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *pKey,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_DATA Modulus, Exponent, Prime, Subprime, Base, Value;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaTemplate, 0, CKA_CLASS, &ckObjClass,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaTemplate, 1, CKA_KEY_TYPE, &ckKeyType,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaTemplate, 2, CKA_MODULUS, Modulus.Data,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaTemplate, 3, CKA_PUBLIC_EXPONENT,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get the length of the fields */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Now get the values */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This is the KEY algorithm, not the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * signature algorithm.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Encode the RSA Key Data */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(dsaTemplate, 0, CKA_CLASS, &ckObjClass,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(dsaTemplate, 1, CKA_KEY_TYPE, &ckKeyType,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(dsaTemplate, 2, CKA_PRIME, Prime.Data,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(dsaTemplate, 3, CKA_SUBPRIME, Subprime.Data,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(dsaTemplate, 4, CKA_BASE, Base.Data,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(dsaTemplate, 5, CKA_VALUE, Value.Data,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get the length of the fields */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Now get the values */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This is the KEY algorithm, not the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * signature algorithm.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Encode the DSA Algorithm Parameters */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Encode the DSA Key Value */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* The EC_PARAMS are the PubKey algorithm parameters */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll PubKeyParams = calloc(1, sizeof (BerValue));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* Get the length of the fields */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* The params are to be used as algorithm parameters */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll PubKeyParams->bv_len = ecdsaTemplate[0].ulValueLen;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * The EC_POINT is to be used as the subject pub key.
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll EncodedKey->bv_len = ecdsaTemplate[1].ulValueLen;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* Use the EC_PUBLIC_KEY OID */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll Algorithm = (KMF_OID *)&KMFOID_EC_PUBLIC_KEY;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Now, build an SPKI structure for the final encoding step */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys spki.algorithm.parameters.Length = PubKeyParams->bv_len;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys spki.subjectPublicKey.Data = (uchar_t *)EncodedKey->bv_val;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Finally, encode the entire SPKI record */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysCreateCertObject(KMF_HANDLE_T handle, char *label, KMF_DATA *pcert)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (pcert == NULL || pcert->Data == NULL || pcert->Length == 0)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The data *must* be a DER encoded X.509 certificate.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Convert it to a CSSM cert and then parse the fields so
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the PKCS#11 attributes can be filled in correctly.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = DerDecodeSignedCertificate((const KMF_DATA *)pcert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Encode fields into PKCS#11 attributes.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get the subject name */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = DerEncodeName(&signed_cert_ptr->certificate.subject, &data);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Encode the issuer */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = DerEncodeName(&signed_cert_ptr->certificate.issuer, &data);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Encode serial number */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (signed_cert_ptr->certificate.serialNumber.len > 0 &&
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys signed_cert_ptr->certificate.serialNumber.val != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys serial = signed_cert_ptr->certificate.serialNumber.val;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys serno_len = signed_cert_ptr->certificate.serialNumber.len;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * RFC3280 says to gracefully handle certs with serial numbers
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Generate an ID from the SPKI data */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = GetIDFromSPKI(&signed_cert_ptr->certificate.subjectPublicKeyInfo,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(x509templ, i, CKA_CLASS, &certClass, sizeof (certClass)); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(x509templ, i, CKA_CERTIFICATE_TYPE, &certtype,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(x509templ, i, CKA_TOKEN, &true, sizeof (true)); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(x509templ, i, CKA_SUBJECT, subject, subject_len); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(x509templ, i, CKA_ISSUER, issuer, issuer_len); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(x509templ, i, CKA_SERIAL_NUMBER, serial, serno_len); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(x509templ, i, CKA_VALUE, pcert->Data, pcert->Length); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(x509templ, i, CKA_ID, Id.Data, Id.Length); i++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(x509templ, i, CKA_LABEL, label, strlen(label)); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The cert object handle is actually "leaked" here. If the app
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * really wants to clean up the data space, it will have to call
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_DeleteCert and specify the softtoken keystore.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ckrv = C_CreateObject(kmfh->pk11handle, x509templ, i, &hCert);
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys /* Report authentication failures to the caller */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_StoreCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert = kmf_get_attr_ptr(KMF_CERT_DATA_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (cert == NULL || cert->Data == NULL || cert->Length == 0)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* label attribute is optional */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys label = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_ImportCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Get the input cert filename attribute, check if it is a valid
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * certificate and auto-detect the file format of it.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Read in the CERT file */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* The label attribute is optional */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys label = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the input certificate is in PEM format, we need to convert
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * it to DER first.
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_DeleteCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the search criteria attributes. They are all optional. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certlabel = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CERT_VALIDITY_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_PRIVATE_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Start searching for certificates that match the criteria and
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * delete them.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = search_certs(handle, certlabel, issuer, subject, serial,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ckrv = C_DestroyObject(kmfh->pk11handle, node->handle);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersollgendsa_keypair(KMF_HANDLE *kmfh, boolean_t storekey,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll CK_SESSION_HANDLE hSession = kmfh->pk11handle;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll static CK_OBJECT_CLASS priClass = CKO_PRIVATE_KEY;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll static CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll { CKA_TOKEN, &true, sizeof (true)},
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys { CKA_PRIVATE, &false, sizeof (false)},
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys { CKA_SUBPRIME, &ckDsaSubPrime, sizeof (ckDsaSubPrime)},
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys { CKA_VERIFY, &true, sizeof (true) },
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define NUMBER_DSA_PUB_TEMPLATES (sizeof (ckDsaPubKeyTemplate) / \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define MAX_DSA_PUB_TEMPLATES (sizeof (ckDsaPubKeyTemplate) / \
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll {CKA_TOKEN, &true, sizeof (true)},
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys {CKA_PRIVATE, &true, sizeof (true)},
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys {CKA_SIGN, &true, sizeof (true)},
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll#define NUMBER_DSA_PRI_TEMPLATES (sizeof (ckDsaPriKeyTemplate) / \
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll#define MAX_DSA_PRI_TEMPLATES (sizeof (ckDsaPriKeyTemplate) / \
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll CK_MECHANISM keyGenMech = {CKM_DSA_KEY_PAIR_GEN, NULL, 0};
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll (storekey ? &true : &false), sizeof (CK_BBOOL));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ckrv = C_GenerateKeyPair(hSession, &keyGenMech,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll (sizeof (ckDsaPubKeyTemplate)/sizeof (CK_ATTRIBUTE)),
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll (sizeof (ckDsaPriKeyTemplate)/sizeof (CK_ATTRIBUTE)),
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersollgenrsa_keypair(KMF_HANDLE *kmfh, CK_ULONG modulusBits,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll CK_SESSION_HANDLE hSession = kmfh->pk11handle;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll CK_MECHANISM keyGenMech = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0};
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll static CK_BYTE PubExpo[3] = {0x01, 0x00, 0x01};
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaPubKeyTemplate, numpubattr, CKA_TOKEN,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll (storekey ? &true : &false), sizeof (CK_BBOOL));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaPubKeyTemplate, numpubattr, CKA_MODULUS_BITS,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll if (rsaexp != NULL && (rsaexp->len > 0 && rsaexp->val != NULL)) {
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll CKA_PUBLIC_EXPONENT, &PubExpo, sizeof (PubExpo));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaPubKeyTemplate, numpubattr, CKA_ENCRYPT,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll &true, sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaPubKeyTemplate, numpubattr, CKA_VERIFY,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll &true, sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaPubKeyTemplate, numpubattr, CKA_WRAP,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll &true, sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaPriKeyTemplate, numpriattr, CKA_TOKEN,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll (storekey ? &true : &false), sizeof (CK_BBOOL));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaPriKeyTemplate, numpriattr, CKA_PRIVATE, &true,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaPriKeyTemplate, numpriattr, CKA_DECRYPT, &true,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaPriKeyTemplate, numpriattr, CKA_SIGN, &true,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(rsaPriKeyTemplate, numpriattr, CKA_UNWRAP, &true,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ckrv = C_GenerateKeyPair(hSession, &keyGenMech,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll CK_SESSION_HANDLE hSession = kmfh->pk11handle;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll CK_MECHANISM keyGenMech = {CKM_EC_KEY_PAIR_GEN, NULL, 0};
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll const ulong_t privateKey = CKO_PRIVATE_KEY;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(public_template, numpubattr, CKA_CLASS,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(public_template, numpubattr, CKA_KEY_TYPE,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(public_template, numpubattr, CKA_EC_PARAMS,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(public_template, numpubattr, CKA_TOKEN,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ontoken ? &true : &false, sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(public_template, numpubattr, CKA_VERIFY,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll &true, sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(public_template, numpubattr, CKA_PRIVATE,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll &false, sizeof (false));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(private_template, numpriattr, CKA_CLASS,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(private_template, numpriattr, CKA_KEY_TYPE,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(private_template, numpriattr, CKA_TOKEN,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ontoken ? &true : &false, sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(private_template, numpriattr, CKA_PRIVATE,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll &true, sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(private_template, numpriattr, CKA_SIGN,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll &true, sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(private_template, numpriattr, CKA_DERIVE,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll &true, sizeof (true));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ckrv = C_GenerateKeyPair(hSession, &keyGenMech,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll CK_SESSION_HANDLE hSession = kmfh->pk11handle;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll uint32_t modulusBits_size = sizeof (CK_ULONG);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* "storekey" is optional. Default is TRUE */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_STOREKEY_BOOL_ATTR, attlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* keytype is optional. KMF_RSA is default */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_KEYALG_ATTR, attlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys privkey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYLENGTH_ATTR, attlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Default modulusBits = 1024 */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll rsaexp = kmf_get_attr_ptr(KMF_RSAEXP_ATTR, attlist, numattr);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* Generate the RSA keypair */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ckrv = genrsa_keypair(kmfh, modulusBits, storekey,
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys SETATTR(modattr, 0, CKA_MODULUS, NULL, modulusLength);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get the Modulus field to use as input for creating the ID */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* Generate the DSA keypair */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ckrv = gendsa_keypair(kmfh, storekey, &pubKey, &priKey);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* Get the Public Value to use as input for creating the ID */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll KMF_OID *eccoid = kmf_get_attr_ptr(KMF_ECC_CURVE_OID_ATTR,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ckrv = genecc_keypair(kmfh, storekey, eccoid,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* Get the EC_POINT to use as input for creating the ID */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(valattr, 0, CKA_EC_POINT, NULL, &valueLen);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keylabel = kmf_get_attr_ptr(KMF_KEYLABEL_ATTR, attlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(labelattr, 0, CKA_LABEL, keylabel, strlen(keylabel));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Set the CKA_LABEL if one was indicated */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Now, assign a CKA_ID value so it can be searched */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* ID_Input was assigned above in the RSA or DSA keygen section */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(idattr, 0, CKA_ID, IDOutput.Data, IDOutput.Length);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* "destroy" is optional. Default is TRUE */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Report authentication failures to the caller */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (ckrv == CKR_PIN_EXPIRED || ckrv == CKR_SESSION_READ_ONLY)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMFPK11_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *keyp,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll CK_ATTRIBUTE subprime = { CKA_SUBPRIME, NULL, 0 };
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* These functions are available to the plugin from libkmf */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* Get the PKCS11 signing key type and mechtype */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll if (get_pk11_data(AlgId, &keytype, &mechtype, &hashmech, 0))
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll rv = PKCS_DigestData(handle, hSession, hashmech, tobesigned, &hashData,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll if (mechtype == CKM_DSA && hashmech == CKM_SHA256) {
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * FIPS 186-3 says that when signing with DSA
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * the hash must be truncated to the size of the
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* the mechtype from the 'get_pk11_info' refers to the signing */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ckrv = C_SignInit(hSession, &mechanism, (CK_OBJECT_HANDLE)keyp->keyp);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ckrv = C_Sign(hSession, hashData.Data, hashData.Length,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMFPK11_GetErrorString(KMF_HANDLE_T handle, char **msgstr)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (e == NULL || (*msgstr = (char *)strdup(e)) == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysgetObjectKeytype(KMF_HANDLE_T handle, CK_OBJECT_HANDLE obj,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = C_GetAttributeValue(kmfh->pk11handle, obj, &templ, 1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysgetObjectLabel(KMF_HANDLE_T handle, CK_OBJECT_HANDLE obj,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = C_GetAttributeValue(kmfh->pk11handle, obj, &templ, 1);
4ba70ed0e487727de98a6297bc6d0a827001a390wyllysgetObjectKeyclass(KMF_HANDLE_T handle, CK_OBJECT_HANDLE obj,
4ba70ed0e487727de98a6297bc6d0a827001a390wyllys rv = C_GetAttributeValue(kmfh->pk11handle, obj, &templ, 1);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_FindPrikeyByCert(KMF_HANDLE_T handle, int numattr,
2c9a247fb01631b3eb3b85a1127e72f0b60ae108Wyllys Ingersoll CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the key handle */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the optional encoded format */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Decode the signer cert so we can get the SPKI data */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert = kmf_get_attr_ptr(KMF_CERT_DATA_ATTR, attrlist, numattr);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get the public key info from the signer certificate */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys pubkey = &SignerCert->certificate.subjectPublicKeyInfo;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Generate an ID from the SPKI data */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the credential and login */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Start searching */
2c9a247fb01631b3eb3b85a1127e72f0b60ae108Wyllys Ingersoll SETATTR(templ, 0, CKA_CLASS, &objClass, sizeof (objClass));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(templ, 2, CKA_PRIVATE, &true, sizeof (true));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((ckrv = C_FindObjectsInit(kmfh->pk11handle, templ, 4)) != CKR_OK) {
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys if ((ckrv = C_FindObjects(kmfh->pk11handle, &pri_obj, 1,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ckrv = getObjectLabel(handle, (CK_OBJECT_HANDLE)key->keyp,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * The key->keyalg value is needed if we need to convert the key
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * to raw key. However, the key->keyalg value will not be set if
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * this function is not called thru the kmf_find_prikey_by_cert()
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * framework function. To be safe, we will get the keytype from
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * the key object and set key->keyalg value here.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ckrv = getObjectKeytype(handle, (CK_OBJECT_HANDLE)key->keyp,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* For asymmetric keys, we only support RSA and DSA */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMFPK11_DecryptData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CK_ULONG out_len = 0, block_len = 0, total_decrypted = 0;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Map the Algorithm ID to a PKCS#11 mechanism */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll if (get_pk11_data(AlgId, &keytype, &mechtype, NULL, 0))
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get the modulus length */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Compute the number of times to do single-part decryption */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < blocks; i++) {
73cc0e021f4115db3085cd78083c42c8be4559e3wyllysget_bigint_attr(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj,
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys /* Mask this error so the caller can continue */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysget_raw_rsa(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE obj, KMF_RAW_RSA_KEY *rawrsa)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys CK_ULONG count = sizeof (rsa_pri_attrs) / sizeof (CK_ATTRIBUTE);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* Tell the caller know why the key data cannot be retrieved. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Allocate memory for each attribute. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < count; i++) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Now that we have space, really get the attributes */
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys /* Now get the optional parameters */
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys rv = get_bigint_attr(sess, obj, CKA_PRIVATE_EXPONENT, &rawrsa->priexp);
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys rv = get_bigint_attr(sess, obj, CKA_PRIME_1, &rawrsa->prime1);
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys rv = get_bigint_attr(sess, obj, CKA_PRIME_2, &rawrsa->prime2);
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys rv = get_bigint_attr(sess, obj, CKA_EXPONENT_1, &rawrsa->exp1);
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys rv = get_bigint_attr(sess, obj, CKA_EXPONENT_2, &rawrsa->exp2);
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys rv = get_bigint_attr(sess, obj, CKA_COEFFICIENT, &rawrsa->coef);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < count; i++) {
b60f2a0b921611326383e4789e0874e9e8a2e708fr#define DSA_PRIME_BUFSIZE CHARLEN2BIGNUMLEN(1024) /* 8192 bits */
b60f2a0b921611326383e4789e0874e9e8a2e708fr#define DSA_PRIVATE_BUFSIZE BIG_CHUNKS_FOR_160BITS /* 160 bits */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * This function calculates the pubkey value from the prime,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * base and private key values of a DSA key.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys BIGNUM p, g, x, y;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((err = big_init1(&p, DSA_PRIME_BUFSIZE, NULL, 0)) != BIG_OK) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys bytestring2bignum(&p, rawdsa->prime.val, rawdsa->prime.len);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((err = big_init1(&g, DSA_PRIME_BUFSIZE, NULL, 0)) != BIG_OK) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys bytestring2bignum(&g, rawdsa->base.val, rawdsa->base.len);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((err = big_init1(&x, DSA_PRIVATE_BUFSIZE, NULL, 0)) != BIG_OK) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys bytestring2bignum(&x, rawdsa->value.val, rawdsa->value.len);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((err = big_init1(&y, DSA_PRIME_BUFSIZE, NULL, 0)) != BIG_OK) {
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersollget_raw_ec(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE obj, KMF_RAW_EC_KEY *rawec)
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll CK_ULONG count = sizeof (ec_attrs) / sizeof (CK_ATTRIBUTE);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* Tell the caller know why the key data cannot be retrieved. */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll for (i = 0; i < count; i++) {
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll if (ec_attrs[i].ulValueLen == (CK_ULONG)-1 ||
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll rawec->params.Length = ec_attrs[0].ulValueLen;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll for (i = 0; i < count; i++) {
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll (void) memset(rawec, 0, sizeof (KMF_RAW_EC_KEY));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysget_raw_dsa(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE obj, KMF_RAW_DSA_KEY *rawdsa)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CK_ULONG count = sizeof (dsa_pri_attrs) / sizeof (CK_ATTRIBUTE);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Tell the caller know why the key data cannot be retrieved. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Allocate memory for each attribute. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < count; i++) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Fill in all the temp variables. They are all required. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys attr2bigint(&(dsa_pri_attrs[i++]), &rawdsa->subprime);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Compute the public key value and store it */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < count; i++) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysget_raw_sym(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE obj, KMF_RAW_SYM_KEY *rawsym)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* find the key length first */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((ckrv = C_GetAttributeValue(sess, obj, sym_attr, 1)) != CKR_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Allocate memory for pValue */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* get the key data */
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys if ((ckrv = C_GetAttributeValue(sess, obj, sym_attr, 1)) != CKR_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyskeyObj2RawKey(KMF_HANDLE_T handle, KMF_KEY_HANDLE *inkey,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = get_raw_rsa(kmfh, (CK_OBJECT_HANDLE)inkey->keyp,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = get_raw_dsa(kmfh, (CK_OBJECT_HANDLE)inkey->keyp,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = get_raw_sym(kmfh, (CK_OBJECT_HANDLE)inkey->keyp,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If sensitive or non-extractable, mark them as such
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * but return "OK" status so the keys get counted
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * when doing FindKey operations.
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll rv = get_raw_ec(kmfh, (CK_OBJECT_HANDLE)inkey->keyp,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyskmf2pk11keytype(KMF_KEY_ALG keyalg, CK_KEY_TYPE *type)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (-1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (-1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (0);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* keyclass is optional */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_KEYCLASS_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_TOKEN_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(pTmpl, i, CKA_CLASS, &class, sizeof (class));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys findLabel = kmf_get_attr_ptr(KMF_KEYLABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(pTmpl, i, CKA_LABEL, findLabel, strlen(findLabel));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* keytype is optional */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys idstr = kmf_get_attr_ptr(KMF_IDSTR_ATTR, attrlist, numattr);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * ID String parameter is assumed to be of form:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * XX:XX:XX:XX:XX ... :XX
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * where XX is a hex number.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * We must convert this back to binary in order to
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * use it in a search.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(pTmpl, i, CKA_ID, iddata.Data, iddata.Length);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* is_private is optional */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_PRIVATE_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(pTmpl, i, CKA_PRIVATE, &true, sizeof (true));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Authenticate if the object is a token object,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * a private or secred key, or if the user passed in credentials.
d00756ccb34596a328f8a15d1965da5412d366d0wyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keys = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* it is okay to have "keys" contains NULL */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ckrv = C_FindObjectsInit(kmfh->pk11handle, pTmpl, i);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys } else if (keytype ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* "numkeys" indicates the number that were actually found */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv == KMF_OK && keys != NULL && (*numkeys) > 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Convert keys to "rawkey" format */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; i < (*numkeys); i++) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Report authentication failures to the caller */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else if ((*numkeys) == 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic char *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) strftime(newtime, sizeof (newtime), "m%d", &tms);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* memory returned must be freed by the caller */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keylabel = kmf_get_attr_ptr(KMF_KEYLABEL_ATTR, attrlist, numattr);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * If the caller did not specify a label, see if the raw key
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * came with one (possible if it came from a PKCS#12 file).
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_CLASS, &oClass, sizeof (CK_OBJECT_CLASS)); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_KEY_TYPE, &keytype, sizeof (keytype)); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_TOKEN, &cktrue, sizeof (cktrue)); i++;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_PRIVATE, &cktrue, sizeof (cktrue)); i++;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(templ, i, CKA_DECRYPT, &cktrue, sizeof (cktrue)); i++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert = kmf_get_attr_ptr(KMF_CERT_DATA_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = DerDecodeSignedCertificate((const KMF_DATA *)cert, &x509);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = DerEncodeName(&x509->certificate.subject, &subject);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(templ, i, CKA_SUBJECT, subject.Data, subject.Length);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_cert_start_date_str(handle, cert, ¬before);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_cert_end_date_str(handle, cert, ¬after);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (id.Data != NULL && id.Data != NULL && id.Length > 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * This makes some potentially dangerous assumptions:
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * 1. that the startdate in the parameter block is
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * properly formatted as YYYYMMDD
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * 2. That the CK_DATE structure is always the same.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = kmf_get_cert_ku(cert, &kuext)) != KMF_OK &&
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = KMF_OK; /* reset if we got KMF_ERR_EXTENSION_NOT_FOUND */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Only set the KeyUsage stuff if the KU extension was present.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys condition = (kuext.KeyUsageBits & KMF_keyEncipherment) ?
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(templ, i, CKA_UNWRAP, &condition, sizeof (CK_BBOOL));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys condition = (kuext.KeyUsageBits & KMF_dataEncipherment) ?
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(templ, i, CKA_DECRYPT, &condition, sizeof (CK_BBOOL));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys condition = (kuext.KeyUsageBits & KMF_digitalSignature) ?
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(templ, i, CKA_SIGN, &condition, sizeof (CK_BBOOL));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys condition = (kuext.KeyUsageBits & KMF_digitalSignature) ?
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(templ, i, CKA_LABEL, keylabel, strlen(keylabel));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(templ, i, CKA_SIGN, &cktrue, sizeof (cktrue));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll SETATTR(templ, i, CKA_DERIVE, &cktrue, sizeof (cktrue));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ckrv = C_CreateObject(kmfh->pk11handle, templ, i, &keyobj);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Report authentication failures to the caller */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys symkey = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keylabel = kmf_get_attr_ptr(KMF_KEYLABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_SENSITIVE_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_NON_EXTRACTABLE_BOOL_ATTR, attrlist, numattr,
c197cb9db36685d2808c057fdbe5700734483ab2hylee * For AES, RC4, DES and 3DES, call C_GenerateKey() to create a key.
c197cb9db36685d2808c057fdbe5700734483ab2hylee * For a generic secret key, because it may not be supported in
c197cb9db36685d2808c057fdbe5700734483ab2hylee * C_GenerateKey() for some PKCS11 providers, we will handle it
c197cb9db36685d2808c057fdbe5700734483ab2hylee * differently.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEY_DATA_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keydata = kmf_get_attr_ptr(KMF_KEY_DATA_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * This may override what the user gave on the
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * command line.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If keydata was not given, key length must be
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * provided.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYLENGTH_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* keylength is not required for DES and 3DES */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Only set CKA_VALUE_LEN if the key data was not given and
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * we are creating an RC4 or AES key.
c197cb9db36685d2808c057fdbe5700734483ab2hylee /* Other keytypes */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_CLASS, &class, sizeof (class));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_KEY_TYPE, &secKeyType, sizeof (secKeyType));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(templ, i, CKA_LABEL, keylabel, strlen(keylabel));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_SENSITIVE, &true, sizeof (true));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_SENSITIVE, &false, sizeof (false));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_EXTRACTABLE, &false, sizeof (false));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_EXTRACTABLE, &true, sizeof (true));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_PRIVATE, &true, sizeof (true));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_ENCRYPT, &true, sizeof (true));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SETATTR(templ, i, CKA_DECRYPT, &true, sizeof (true));
d00756ccb34596a328f8a15d1965da5412d366d0wyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If the key data was given, use C_CreateObject */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ckrv = C_CreateObject(hSession, templ, i, &keyhandle);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ckrv = C_GenerateKey(hSession, &keyGenMech, templ, i,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMFPK11_GetSymKeyValue(KMF_HANDLE_T handle, KMF_KEY_HANDLE *symkey,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If the key is already in "raw" format, copy the data
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * to the new record if possible.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RAW_KEY_DATA *rawkey = (KMF_RAW_KEY_DATA *)symkey->keyp;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((rkey->keydata.val = malloc(rkey->keydata.len)) == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = get_raw_sym(kmfh, (CK_OBJECT_HANDLE)symkey->keyp, rkey);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || attrlist == NULL || numattr == 0)
d00756ccb34596a328f8a15d1965da5412d366d0wyllys oldcred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
d00756ccb34596a328f8a15d1965da5412d366d0wyllys newcred = kmf_get_attr_ptr(KMF_NEWPIN_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_SLOT_ID_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If a slot wasn't given, the user must pass
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * a token label so we can find the slot here.
d00756ccb34596a328f8a15d1965da5412d366d0wyllys tokenlabel = kmf_get_attr_ptr(KMF_TOKEN_LABEL_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_pk11_token_lookup(handle, tokenlabel, &slotid);
47e946e784719ae402ace34695f67b0e6e76ae5cWyllys Ingersoll rv = kmf_get_attr(KMF_PK11_USER_TYPE_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = C_OpenSession(slotid, CKF_SERIAL_SESSION | CKF_RW_SESSION,
47e946e784719ae402ace34695f67b0e6e76ae5cWyllys Ingersoll rv = C_Login(session, user, (CK_BYTE *)oldcred->cred,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys int numattr, KMF_ATTRIBUTE *attrlist, CK_OBJECT_HANDLE *key)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keylabel = kmf_get_attr_ptr(KMF_KEYLABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_SENSITIVE_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_NON_EXTRACTABLE_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEY_DATA_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If the key data was not given, key length must
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * be provided.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYLENGTH_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Check the key size.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Generate a random number with the key size first.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys while ((random_fd = open(DEV_RANDOM, O_RDONLY)) < 0) {
c197cb9db36685d2808c057fdbe5700734483ab2hylee * Authenticate into the token and call C_CreateObject to generate
c197cb9db36685d2808c057fdbe5700734483ab2hylee * a generic secret token key.
c197cb9db36685d2808c057fdbe5700734483ab2hylee SETATTR(templ, i, CKA_KEY_TYPE, &secKeyType, sizeof (secKeyType));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(templ, i, CKA_LABEL, keylabel, strlen(keylabel));
c197cb9db36685d2808c057fdbe5700734483ab2hylee SETATTR(templ, i, CKA_SENSITIVE, &true, sizeof (true));
c197cb9db36685d2808c057fdbe5700734483ab2hylee SETATTR(templ, i, CKA_SENSITIVE, &false, sizeof (false));
c197cb9db36685d2808c057fdbe5700734483ab2hylee SETATTR(templ, i, CKA_EXTRACTABLE, &false, sizeof (false));
c197cb9db36685d2808c057fdbe5700734483ab2hylee SETATTR(templ, i, CKA_EXTRACTABLE, &true, sizeof (true));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys key = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys key = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = store_raw_key(handle, attlist, numattr, rawkey);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys } else if (key && key->kstype == KMF_KEYSTORE_PK11TOKEN) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SETATTR(tokenattr, 0, CKA_TOKEN, &btrue, sizeof (btrue));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Copy the key object to the token */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Replace the object handle with the new token-based one */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMFPK11_ExportPK12(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* First get the required attributes */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys p12cred = kmf_get_attr_ptr(KMF_PK12CRED_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys filename = kmf_get_attr_ptr(KMF_OUTPUT_FILENAME_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Find all the certificates that match the searching criteria */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certlabel = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(fc_attrlist, i, KMF_X509_DER_CERT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* For each certificate, find the matching private key */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; i < numcerts; i++) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_KEY_HANDLE_ATTR, &newkey, sizeof (KMF_KEY_HANDLE));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = KMFPK11_FindPrikeyByCert(handle, j, fk_attrlist);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* it is OK if a key is not found */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_build_pk12(handle, numcerts, certlist, numkeys, keylist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; i < numcerts; i++)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; i < numkeys; i++)