/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
* Copyright 2012 Milan Jurik. All rights reserved.
*/
#include <stdlib.h>
#include <string.h>
#include <security/cryptoki.h>
#include <sys/crypto/common.h>
#include <aes_impl.h>
#include <blowfish_impl.h>
#include <arcfour.h>
#include <des_impl.h>
#include "kernelGlobal.h"
#include "kernelObject.h"
#include "kernelSession.h"
#include "kernelSlot.h"
/*
* This attribute table is used by the kernel_lookup_attr()
* to validate the attributes.
*/
CK_ATTRIBUTE_TYPE attr_map[] = {
CKA_PRIVATE,
CKA_LABEL,
CKA_APPLICATION,
CKA_OBJECT_ID,
CKA_CERTIFICATE_TYPE,
CKA_ISSUER,
CKA_SERIAL_NUMBER,
CKA_AC_ISSUER,
CKA_OWNER,
CKA_ATTR_TYPES,
CKA_SUBJECT,
CKA_ID,
CKA_SENSITIVE,
CKA_START_DATE,
CKA_END_DATE,
CKA_MODULUS,
CKA_MODULUS_BITS,
CKA_PUBLIC_EXPONENT,
CKA_PRIVATE_EXPONENT,
CKA_PRIME_1,
CKA_PRIME_2,
CKA_EXPONENT_1,
CKA_EXPONENT_2,
CKA_COEFFICIENT,
CKA_PRIME,
CKA_SUBPRIME,
CKA_BASE,
CKA_EXTRACTABLE,
CKA_LOCAL,
CKA_NEVER_EXTRACTABLE,
CKA_ALWAYS_SENSITIVE,
CKA_MODIFIABLE,
CKA_ECDSA_PARAMS,
CKA_EC_POINT,
CKA_SECONDARY_AUTH,
CKA_AUTH_PIN_FLAGS,
CKA_HW_FEATURE_TYPE,
CKA_RESET_ON_INIT,
CKA_HAS_RESET
};
/*
* attributes that exists only in public key objects
* Note: some attributes may also exist in one or two
* other object classes, but they are also listed
* because not all object have them.
*/
CK_ATTRIBUTE_TYPE PUB_KEY_ATTRS[] =
{
CKA_SUBJECT,
CKA_ENCRYPT,
CKA_WRAP,
CKA_VERIFY,
CKA_VERIFY_RECOVER,
CKA_MODULUS,
CKA_MODULUS_BITS,
CKA_PUBLIC_EXPONENT,
CKA_PRIME,
CKA_SUBPRIME,
CKA_BASE,
CKA_TRUSTED,
CKA_ECDSA_PARAMS,
CKA_EC_PARAMS,
CKA_EC_POINT
};
/*
* attributes that exists only in private key objects
* Note: some attributes may also exist in one or two
* other object classes, but they are also listed
* because not all object have them.
*/
CK_ATTRIBUTE_TYPE PRIV_KEY_ATTRS[] =
{
CKA_DECRYPT,
CKA_UNWRAP,
CKA_SIGN,
CKA_SIGN_RECOVER,
CKA_MODULUS,
CKA_PUBLIC_EXPONENT,
CKA_PRIVATE_EXPONENT,
CKA_PRIME,
CKA_SUBPRIME,
CKA_BASE,
CKA_PRIME_1,
CKA_PRIME_2,
CKA_EXPONENT_1,
CKA_EXPONENT_2,
CKA_COEFFICIENT,
CKA_VALUE_BITS,
CKA_SUBJECT,
CKA_SENSITIVE,
CKA_EXTRACTABLE,
CKA_NEVER_EXTRACTABLE,
CKA_ALWAYS_SENSITIVE,
CKA_ECDSA_PARAMS,
CKA_EC_PARAMS
};
/*
* attributes that exists only in secret key objects
* Note: some attributes may also exist in one or two
* other object classes, but they are also listed
* because not all object have them.
*/
CK_ATTRIBUTE_TYPE SECRET_KEY_ATTRS[] =
{
CKA_VALUE_LEN,
CKA_ENCRYPT,
CKA_DECRYPT,
CKA_WRAP,
CKA_UNWRAP,
CKA_SIGN,
CKA_VERIFY,
CKA_SENSITIVE,
CKA_EXTRACTABLE,
CKA_NEVER_EXTRACTABLE,
CKA_ALWAYS_SENSITIVE
};
/*
* attributes that exists only in domain parameter objects
* Note: some attributes may also exist in one or two
* other object classes, but they are also listed
* because not all object have them.
*/
CK_ATTRIBUTE_TYPE DOMAIN_ATTRS[] =
{
CKA_PRIME,
CKA_SUBPRIME,
CKA_BASE,
CKA_PRIME_BITS,
CKA_SUBPRIME_BITS,
CKA_SUB_PRIME_BITS
};
/*
* attributes that exists only in hardware feature objects
*/
CK_ATTRIBUTE_TYPE HARDWARE_ATTRS[] =
{
CKA_HW_FEATURE_TYPE,
CKA_RESET_ON_INIT,
CKA_HAS_RESET
};
/*
* attributes that exists only in certificate objects
*/
CK_ATTRIBUTE_TYPE CERT_ATTRS[] =
{
CKA_CERTIFICATE_TYPE,
CKA_SUBJECT,
CKA_ID,
CKA_ISSUER,
CKA_AC_ISSUER,
CKA_SERIAL_NUMBER,
CKA_OWNER,
CKA_ATTR_TYPES
};
/*
* Validate the attribute by using binary search algorithm.
*/
CK_RV
kernel_lookup_attr(CK_ATTRIBUTE_TYPE type)
{
size_t lower, middle, upper;
lower = 0;
upper = (sizeof (attr_map) / sizeof (CK_ATTRIBUTE_TYPE)) - 1;
while (lower <= upper) {
/* Always starts from middle. */
middle = (lower + upper) / 2;
if (type > attr_map[middle]) {
/* Adjust the lower bound to upper half. */
lower = middle + 1;
continue;
}
if (type == attr_map[middle]) {
/* Found it. */
return (CKR_OK);
}
if (type < attr_map[middle]) {
/* Adjust the upper bound to lower half. */
upper = middle - 1;
continue;
}
}
/* Failed to find the matching attribute from the attribute table. */
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
/*
* Validate the attribute by using the following search algorithm:
*
* 1) Search for the most frequently used attributes first.
* 2) If not found, search for the usage-purpose attributes - these
* attributes have dense set of values, therefore compiler will
* optimize it with a branch table and branch to the appropriate
* case.
* 3) If still not found, use binary search for the rest of the
* attributes in the attr_map[] table.
*/
CK_RV
kernel_validate_attr(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
CK_OBJECT_CLASS *class)
{
CK_ULONG i;
CK_RV rv = CKR_OK;
for (i = 0; i < ulAttrNum; i++) {
/* First tier search */
switch (template[i].type) {
case CKA_CLASS:
*class = *((CK_OBJECT_CLASS*)template[i].pValue);
break;
case CKA_TOKEN:
break;
case CKA_KEY_TYPE:
break;
case CKA_VALUE:
break;
case CKA_VALUE_LEN:
break;
case CKA_VALUE_BITS:
break;
default:
/* Second tier search */
switch (template[i].type) {
case CKA_ENCRYPT:
break;
case CKA_DECRYPT:
break;
case CKA_WRAP:
break;
case CKA_UNWRAP:
break;
case CKA_SIGN:
break;
case CKA_SIGN_RECOVER:
break;
case CKA_VERIFY:
break;
case CKA_VERIFY_RECOVER:
break;
case CKA_DERIVE:
break;
default:
/* Third tier search */
rv = kernel_lookup_attr(template[i].type);
if (rv != CKR_OK)
return (rv);
break;
}
break;
}
}
return (rv);
}
/*
* Clean up and release all the storage in the extra attribute list
* of an object.
*/
void
kernel_cleanup_extra_attr(kernel_object_t *object_p)
{
CK_ATTRIBUTE_INFO_PTR extra_attr;
CK_ATTRIBUTE_INFO_PTR tmp;
extra_attr = object_p->extra_attrlistp;
while (extra_attr) {
tmp = extra_attr->next;
if (extra_attr->attr.pValue)
/*
* All extra attributes in the extra attribute
* list have pValue points to the value of the
* attribute (with simple byte array type).
* Free the storage for the value of the attribute.
*/
free(extra_attr->attr.pValue);
/* Free the storage for the attribute_info struct. */
free(extra_attr);
extra_attr = tmp;
}
object_p->extra_attrlistp = NULL;
}
/*
* Create the attribute_info struct to hold the object's attribute,
* and add it to the extra attribute list of an object.
*/
CK_RV
kernel_add_extra_attr(CK_ATTRIBUTE_PTR template, kernel_object_t *object_p)
{
CK_ATTRIBUTE_INFO_PTR attrp;
/* Allocate the storage for the attribute_info struct. */
attrp = calloc(1, sizeof (attribute_info_t));
if (attrp == NULL) {
return (CKR_HOST_MEMORY);
}
/* Set up attribute_info struct. */
attrp->attr.type = template->type;
attrp->attr.ulValueLen = template->ulValueLen;
if ((template->pValue != NULL) &&
(template->ulValueLen > 0)) {
/* Allocate storage for the value of the attribute. */
attrp->attr.pValue = malloc(template->ulValueLen);
if (attrp->attr.pValue == NULL) {
free(attrp);
return (CKR_HOST_MEMORY);
}
(void) memcpy(attrp->attr.pValue, template->pValue,
template->ulValueLen);
} else {
attrp->attr.pValue = NULL;
}
/* Insert the new attribute in front of extra attribute list. */
if (object_p->extra_attrlistp == NULL) {
object_p->extra_attrlistp = attrp;
attrp->next = NULL;
} else {
attrp->next = object_p->extra_attrlistp;
object_p->extra_attrlistp = attrp;
}
return (CKR_OK);
}
/*
* Copy the attribute_info struct from the old object to a new attribute_info
* struct, and add that new struct to the extra attribute list of the new
* object.
*/
CK_RV
kernel_copy_extra_attr(CK_ATTRIBUTE_INFO_PTR old_attrp,
kernel_object_t *object_p)
{
CK_ATTRIBUTE_INFO_PTR attrp;
/* Allocate attribute_info struct. */
attrp = calloc(1, sizeof (attribute_info_t));
if (attrp == NULL) {
return (CKR_HOST_MEMORY);
}
attrp->attr.type = old_attrp->attr.type;
attrp->attr.ulValueLen = old_attrp->attr.ulValueLen;
if ((old_attrp->attr.pValue != NULL) &&
(old_attrp->attr.ulValueLen > 0)) {
attrp->attr.pValue = malloc(old_attrp->attr.ulValueLen);
if (attrp->attr.pValue == NULL) {
free(attrp);
return (CKR_HOST_MEMORY);
}
(void) memcpy(attrp->attr.pValue, old_attrp->attr.pValue,
old_attrp->attr.ulValueLen);
} else {
attrp->attr.pValue = NULL;
}
/* Insert the new attribute in front of extra attribute list */
if (object_p->extra_attrlistp == NULL) {
object_p->extra_attrlistp = attrp;
attrp->next = NULL;
} else {
attrp->next = object_p->extra_attrlistp;
object_p->extra_attrlistp = attrp;
}
return (CKR_OK);
}
/*
* Get the attribute triple from the extra attribute list in the object
* (if the specified attribute type is found), and copy it to a template.
* Note the type of the attribute to be copied is specified by the template,
* and the storage is pre-allocated for the atrribute value in the template
* for doing the copy.
*/
CK_RV
get_extra_attr_from_object(kernel_object_t *object_p, CK_ATTRIBUTE_PTR template)
{
CK_ATTRIBUTE_INFO_PTR extra_attr;
CK_ATTRIBUTE_TYPE type = template->type;
extra_attr = object_p->extra_attrlistp;
while (extra_attr) {
if (type == extra_attr->attr.type) {
/* Found it. */
break;
} else {
/* Does not match, try next one. */
extra_attr = extra_attr->next;
}
}
if (extra_attr == NULL) {
/* A valid but un-initialized attribute. */
template->ulValueLen = 0;
return (CKR_OK);
}
/*
* We found the attribute in the extra attribute list.
*/
if (template->pValue == NULL) {
template->ulValueLen = extra_attr->attr.ulValueLen;
return (CKR_OK);
}
if (template->ulValueLen >= extra_attr->attr.ulValueLen) {
/*
* The buffer provided by the application is large
* enough to hold the value of the attribute.
*/
(void) memcpy(template->pValue, extra_attr->attr.pValue,
extra_attr->attr.ulValueLen);
template->ulValueLen = extra_attr->attr.ulValueLen;
return (CKR_OK);
} else {
/*
* The buffer provided by the application does
* not have enough space to hold the value.
*/
template->ulValueLen = (CK_ULONG)-1;
return (CKR_BUFFER_TOO_SMALL);
}
}
/*
* Modify the attribute triple in the extra attribute list of the object
* if the specified attribute type is found. Otherwise, just add it to
* list.
*/
CK_RV
set_extra_attr_to_object(kernel_object_t *object_p, CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE_PTR template)
{
CK_ATTRIBUTE_INFO_PTR extra_attr;
extra_attr = object_p->extra_attrlistp;
while (extra_attr) {
if (type == extra_attr->attr.type) {
/* Found it. */
break;
} else {
/* Does not match, try next one. */
extra_attr = extra_attr->next;
}
}
if (extra_attr == NULL) {
/*
* This attribute is a new one, go ahead adding it to
* the extra attribute list.
*/
return (kernel_add_extra_attr(template, object_p));
}
/* We found the attribute in the extra attribute list. */
if ((template->pValue != NULL) &&
(template->ulValueLen > 0)) {
if (template->ulValueLen > extra_attr->attr.ulValueLen) {
/* The old buffer is too small to hold the new value. */
if (extra_attr->attr.pValue != NULL)
/* Free storage for the old attribute value. */
free(extra_attr->attr.pValue);
/* Allocate storage for the new attribute value. */
extra_attr->attr.pValue = malloc(template->ulValueLen);
if (extra_attr->attr.pValue == NULL) {
return (CKR_HOST_MEMORY);
}
}
/* Replace the attribute with new value. */
extra_attr->attr.ulValueLen = template->ulValueLen;
(void) memcpy(extra_attr->attr.pValue, template->pValue,
template->ulValueLen);
} else {
extra_attr->attr.pValue = NULL;
}
return (CKR_OK);
}
/*
* Copy the big integer attribute value from template to a biginteger_t struct.
*/
CK_RV
get_bigint_attr_from_template(biginteger_t *big, CK_ATTRIBUTE_PTR template)
{
if ((template->pValue != NULL) &&
(template->ulValueLen > 0)) {
/* Allocate storage for the value of the attribute. */
big->big_value = malloc(template->ulValueLen);
if (big->big_value == NULL) {
return (CKR_HOST_MEMORY);
}
(void) memcpy(big->big_value, template->pValue,
template->ulValueLen);
big->big_value_len = template->ulValueLen;
} else {
big->big_value = NULL;
big->big_value_len = 0;
}
return (CKR_OK);
}
/*
* Copy the big integer attribute value from a biginteger_t struct in the
* object to a template.
*/
CK_RV
get_bigint_attr_from_object(biginteger_t *big, CK_ATTRIBUTE_PTR template)
{
if (template->pValue == NULL) {
template->ulValueLen = big->big_value_len;
return (CKR_OK);
}
if (big->big_value == NULL) {
template->ulValueLen = 0;
return (CKR_OK);
}
if (template->ulValueLen >= big->big_value_len) {
/*
* The buffer provided by the application is large
* enough to hold the value of the attribute.
*/
(void) memcpy(template->pValue, big->big_value,
big->big_value_len);
template->ulValueLen = big->big_value_len;
return (CKR_OK);
} else {
/*
* The buffer provided by the application does
* not have enough space to hold the value.
*/
template->ulValueLen = (CK_ULONG)-1;
return (CKR_BUFFER_TOO_SMALL);
}
}
/*
* Copy the boolean data type attribute value from an object for the
* specified attribute to the template.
*/
CK_RV
get_bool_attr_from_object(kernel_object_t *object_p, CK_ULONG bool_flag,
CK_ATTRIBUTE_PTR template)
{
if (template->pValue == NULL) {
template->ulValueLen = sizeof (CK_BBOOL);
return (CKR_OK);
}
if (template->ulValueLen >= sizeof (CK_BBOOL)) {
/*
* The buffer provided by the application is large
* enough to hold the value of the attribute.
*/
if (object_p->bool_attr_mask & bool_flag) {
*((CK_BBOOL *)template->pValue) = B_TRUE;
} else {
*((CK_BBOOL *)template->pValue) = B_FALSE;
}
template->ulValueLen = sizeof (CK_BBOOL);
return (CKR_OK);
} else {
/*
* The buffer provided by the application does
* not have enough space to hold the value.
*/
template->ulValueLen = (CK_ULONG)-1;
return (CKR_BUFFER_TOO_SMALL);
}
}
/*
* Set the boolean data type attribute value in the object.
*/
CK_RV
set_bool_attr_to_object(kernel_object_t *object_p, CK_ULONG bool_flag,
CK_ATTRIBUTE_PTR template)
{
if (*(CK_BBOOL *)template->pValue)
object_p->bool_attr_mask |= bool_flag;
else
object_p->bool_attr_mask &= ~bool_flag;
return (CKR_OK);
}
/*
* Copy the CK_ULONG data type attribute value from an object to the
* template.
*/
CK_RV
get_ulong_attr_from_object(CK_ULONG value, CK_ATTRIBUTE_PTR template)
{
if (template->pValue == NULL) {
template->ulValueLen = sizeof (CK_ULONG);
return (CKR_OK);
}
if (template->ulValueLen >= sizeof (CK_ULONG)) {
/*
* The buffer provided by the application is large
* enough to hold the value of the attribute.
*/
*(CK_ULONG_PTR)template->pValue = value;
template->ulValueLen = sizeof (CK_ULONG);
return (CKR_OK);
} else {
/*
* The buffer provided by the application does
* not have enough space to hold the value.
*/
template->ulValueLen = (CK_ULONG)-1;
return (CKR_BUFFER_TOO_SMALL);
}
}
/*
* Copy the CK_ULONG data type attribute value from a template to the
* object.
*/
void
get_ulong_attr_from_template(CK_ULONG *value, CK_ATTRIBUTE_PTR template)
{
if (template->pValue != NULL) {
*value = *(CK_ULONG_PTR)template->pValue;
} else {
*value = 0;
}
}
/*
* Copy the big integer attribute value from source's biginteger_t to
* destination's biginteger_t.
*/
void
copy_bigint_attr(biginteger_t *src, biginteger_t *dst)
{
if ((src->big_value != NULL) &&
(src->big_value_len > 0)) {
/*
* To do the copy, just have dst's big_value points
* to src's.
*/
dst->big_value = src->big_value;
dst->big_value_len = src->big_value_len;
/*
* After the copy, nullify the src's big_value pointer.
* It prevents any double freeing the value.
*/
src->big_value = NULL;
src->big_value_len = 0;
} else {
dst->big_value = NULL;
dst->big_value_len = 0;
}
}
CK_RV
get_string_from_template(CK_ATTRIBUTE_PTR dest, CK_ATTRIBUTE_PTR src)
{
if ((src->pValue != NULL) &&
(src->ulValueLen > 0)) {
/* Allocate storage for the value of the attribute. */
dest->pValue = malloc(src->ulValueLen);
if (dest->pValue == NULL) {
return (CKR_HOST_MEMORY);
}
(void) memcpy(dest->pValue, src->pValue,
src->ulValueLen);
dest->ulValueLen = src->ulValueLen;
dest->type = src->type;
} else {
dest->pValue = NULL;
dest->ulValueLen = 0;
dest->type = src->type;
}
return (CKR_OK);
}
void
string_attr_cleanup(CK_ATTRIBUTE_PTR template)
{
if (template->pValue) {
free(template->pValue);
template->pValue = NULL;
template->ulValueLen = 0;
}
}
/*
* Release the storage allocated for object attribute with big integer
* value.
*/
void
bigint_attr_cleanup(biginteger_t *big)
{
if (big == NULL)
return;
if (big->big_value) {
(void) memset(big->big_value, 0, big->big_value_len);
free(big->big_value);
big->big_value = NULL;
big->big_value_len = 0;
}
}
/*
* Clean up and release all the storage allocated to hold the big integer
* attributes associated with the type (i.e. class) of the object. Also,
* release the storage allocated to the type of the object.
*/
void
kernel_cleanup_object_bigint_attrs(kernel_object_t *object_p)
{
CK_OBJECT_CLASS class = object_p->class;
CK_KEY_TYPE keytype = object_p->key_type;
switch (class) {
case CKO_PUBLIC_KEY:
if (OBJ_PUB(object_p)) {
switch (keytype) {
case CKK_RSA:
bigint_attr_cleanup(OBJ_PUB_RSA_MOD(
object_p));
bigint_attr_cleanup(OBJ_PUB_RSA_PUBEXPO(
object_p));
break;
case CKK_DSA:
bigint_attr_cleanup(OBJ_PUB_DSA_PRIME(
object_p));
bigint_attr_cleanup(OBJ_PUB_DSA_SUBPRIME(
object_p));
bigint_attr_cleanup(OBJ_PUB_DSA_BASE(
object_p));
bigint_attr_cleanup(OBJ_PUB_DSA_VALUE(
object_p));
break;
case CKK_DH:
bigint_attr_cleanup(OBJ_PUB_DH_PRIME(object_p));
bigint_attr_cleanup(OBJ_PUB_DH_BASE(object_p));
bigint_attr_cleanup(OBJ_PUB_DH_VALUE(object_p));
break;
case CKK_EC:
bigint_attr_cleanup(OBJ_PUB_EC_POINT(object_p));
break;
}
/* Release Public Key Object struct */
free(OBJ_PUB(object_p));
OBJ_PUB(object_p) = NULL;
}
break;
case CKO_PRIVATE_KEY:
if (OBJ_PRI(object_p)) {
switch (keytype) {
case CKK_RSA:
bigint_attr_cleanup(OBJ_PRI_RSA_MOD(
object_p));
bigint_attr_cleanup(OBJ_PRI_RSA_PUBEXPO(
object_p));
bigint_attr_cleanup(OBJ_PRI_RSA_PRIEXPO(
object_p));
bigint_attr_cleanup(OBJ_PRI_RSA_PRIME1(
object_p));
bigint_attr_cleanup(OBJ_PRI_RSA_PRIME2(
object_p));
bigint_attr_cleanup(OBJ_PRI_RSA_EXPO1(
object_p));
bigint_attr_cleanup(OBJ_PRI_RSA_EXPO2(
object_p));
bigint_attr_cleanup(OBJ_PRI_RSA_COEF(
object_p));
break;
case CKK_DSA:
bigint_attr_cleanup(OBJ_PRI_DSA_PRIME(
object_p));
bigint_attr_cleanup(OBJ_PRI_DSA_SUBPRIME(
object_p));
bigint_attr_cleanup(OBJ_PRI_DSA_BASE(
object_p));
bigint_attr_cleanup(OBJ_PRI_DSA_VALUE(
object_p));
break;
case CKK_DH:
bigint_attr_cleanup(OBJ_PRI_DH_PRIME(object_p));
bigint_attr_cleanup(OBJ_PRI_DH_BASE(object_p));
bigint_attr_cleanup(OBJ_PRI_DH_VALUE(object_p));
break;
case CKK_EC:
bigint_attr_cleanup(OBJ_PRI_EC_VALUE(object_p));
break;
}
/* Release Private Key Object struct. */
free(OBJ_PRI(object_p));
OBJ_PRI(object_p) = NULL;
}
break;
}
}
/*
* Parse the common attributes. Return to caller with appropriate return
* value to indicate if the supplied template specifies a valid attribute
* with a valid value.
*/
CK_RV
kernel_parse_common_attrs(CK_ATTRIBUTE_PTR template, kernel_session_t *sp,
uint64_t *attr_mask_p)
{
CK_RV rv = CKR_OK;
kernel_slot_t *pslot = slot_table[sp->ses_slotid];
switch (template->type) {
case CKA_CLASS:
break;
/* default boolean attributes */
case CKA_TOKEN:
if ((*(CK_BBOOL *)template->pValue) == TRUE) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
}
break;
case CKA_PRIVATE:
if ((*(CK_BBOOL *)template->pValue) == TRUE) {
/*
* Cannot create a private object if the token
* has a keystore and the user isn't logged in.
*/
if (pslot->sl_func_list.fl_object_create &&
pslot->sl_state != CKU_USER) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
} else {
*attr_mask_p |= PRIVATE_BOOL_ON;
}
}
break;
case CKA_MODIFIABLE:
if ((*(CK_BBOOL *)template->pValue) == FALSE) {
*attr_mask_p &= ~MODIFIABLE_BOOL_ON;
}
break;
case CKA_LABEL:
break;
default:
rv = CKR_TEMPLATE_INCONSISTENT;
}
return (rv);
}
/*
* Build a Public Key Object.
*
* - Parse the object's template, and when an error is detected such as
* invalid attribute type, invalid attribute value, etc., return
* with appropriate return value.
* - Set up attribute mask field in the object for the supplied common
* attributes that have boolean type.
* - Build the attribute_info struct to hold the value of each supplied
* attribute that has byte array type. Link attribute_info structs
* together to form the extra attribute list of the object.
* - Allocate storage for the Public Key object.
* - Build the Public Key object according to the key type. Allocate
* storage to hold the big integer value for the supplied attributes
* that are required for a certain key type.
*
*/
CK_RV
kernel_build_public_key_object(CK_ATTRIBUTE_PTR template,
CK_ULONG ulAttrNum, kernel_object_t *new_object, kernel_session_t *sp,
uint_t mode)
{
int i;
CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL;
uint64_t attr_mask = PUBLIC_KEY_DEFAULT;
CK_RV rv = CKR_OK;
int isLabel = 0;
/* Must set flags */
int isModulus = 0;
int isPubExpo = 0;
int isPrime = 0;
int isSubprime = 0;
int isBase = 0;
int isValue = 0;
int isPoint = 0;
int isParams = 0;
/* Must not set flags */
int isModulusBits = 0;
CK_ULONG modulus_bits = 0;
biginteger_t modulus;
biginteger_t pubexpo;
biginteger_t prime;
biginteger_t subprime;
biginteger_t base;
biginteger_t value;
biginteger_t point;
CK_ATTRIBUTE string_tmp;
CK_ATTRIBUTE param_tmp;
public_key_obj_t *pbk;
/* prevent bigint_attr_cleanup from freeing invalid attr value */
(void) memset(&modulus, 0x0, sizeof (biginteger_t));
(void) memset(&pubexpo, 0x0, sizeof (biginteger_t));
(void) memset(&prime, 0x0, sizeof (biginteger_t));
(void) memset(&subprime, 0x0, sizeof (biginteger_t));
(void) memset(&base, 0x0, sizeof (biginteger_t));
(void) memset(&value, 0x0, sizeof (biginteger_t));
(void) memset(&point, 0x0, sizeof (biginteger_t));
string_tmp.pValue = NULL;
param_tmp.pValue = NULL;
for (i = 0; i < ulAttrNum; i++) {
/* Public Key Object Attributes */
switch (template[i].type) {
/* common key attributes */
case CKA_KEY_TYPE:
keytype = *((CK_KEY_TYPE*)template[i].pValue);
break;
case CKA_ID:
case CKA_START_DATE:
case CKA_END_DATE:
/* common public key attribute */
case CKA_SUBJECT:
/*
* Allocate storage to hold the attribute
* value with byte array type, and add it to
* the extra attribute list of the object.
*/
rv = kernel_add_extra_attr(&template[i],
new_object);
if (rv != CKR_OK) {
goto fail_cleanup;
}
break;
/*
* The following key related attribute types must
* not be specified by C_CreateObject.
*/
case CKA_LOCAL:
case CKA_KEY_GEN_MECHANISM:
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
/* Key related boolean attributes */
case CKA_DERIVE:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= DERIVE_BOOL_ON;
break;
case CKA_ENCRYPT:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= ENCRYPT_BOOL_ON;
else
attr_mask &= ~ENCRYPT_BOOL_ON;
break;
case CKA_VERIFY:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= VERIFY_BOOL_ON;
else
attr_mask &= ~VERIFY_BOOL_ON;
break;
case CKA_VERIFY_RECOVER:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= VERIFY_RECOVER_BOOL_ON;
else
attr_mask &= ~VERIFY_RECOVER_BOOL_ON;
break;
case CKA_WRAP:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= WRAP_BOOL_ON;
break;
case CKA_TRUSTED:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= TRUSTED_BOOL_ON;
break;
/*
* The following key related attribute types must
* be specified according to the key type by
* C_CreateObject.
*/
case CKA_MODULUS:
isModulus = 1;
/*
* Copyin big integer attribute from template
* to a local variable.
*/
rv = get_bigint_attr_from_template(&modulus,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_PUBLIC_EXPONENT:
isPubExpo = 1;
rv = get_bigint_attr_from_template(&pubexpo,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_PRIME:
isPrime = 1;
rv = get_bigint_attr_from_template(&prime,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_SUBPRIME:
isSubprime = 1;
rv = get_bigint_attr_from_template(&subprime,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_BASE:
isBase = 1;
rv = get_bigint_attr_from_template(&base,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_VALUE:
isValue = 1;
rv = get_bigint_attr_from_template(&value,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_MODULUS_BITS:
isModulusBits = 1;
get_ulong_attr_from_template(&modulus_bits,
&template[i]);
break;
case CKA_LABEL:
isLabel = 1;
rv = get_string_from_template(&string_tmp,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_EC_POINT:
isPoint = 1;
rv = get_bigint_attr_from_template(&point,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_EC_PARAMS:
isParams = 1;
rv = get_string_from_template(&param_tmp,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
default:
rv = kernel_parse_common_attrs(&template[i], sp,
&attr_mask);
if (rv != CKR_OK)
goto fail_cleanup;
break;
}
} /* For */
/* Allocate storage for Public Key Object. */
pbk = calloc(1, sizeof (public_key_obj_t));
if (pbk == NULL) {
rv = CKR_HOST_MEMORY;
goto fail_cleanup;
}
new_object->object_class_u.public_key = pbk;
new_object->class = CKO_PUBLIC_KEY;
if (keytype == (CK_KEY_TYPE)~0UL) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
new_object->key_type = keytype;
/* Supported key types of the Public Key Object */
switch (keytype) {
case CKK_RSA:
if (mode == KERNEL_CREATE_OBJ) {
if (isModulusBits || isPrime || isSubprime ||
isBase|| isValue) {
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
}
}
if (isModulus && isPubExpo) {
/*
* Copy big integer attribute value to the
* designated place in the public key object.
*/
copy_bigint_attr(&modulus,
KEY_PUB_RSA_MOD(pbk));
copy_bigint_attr(&pubexpo,
KEY_PUB_RSA_PUBEXPO(pbk));
} else {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
/* must be generating a RSA key pair by value */
if (isModulusBits) {
KEY_PUB_RSA_MOD_BITS(pbk) = modulus_bits;
}
break;
case CKK_DSA:
if (isModulusBits || isModulus || isPubExpo) {
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
}
if (!(isPrime && isSubprime && isBase && isValue)) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
copy_bigint_attr(&prime, KEY_PUB_DSA_PRIME(pbk));
copy_bigint_attr(&subprime, KEY_PUB_DSA_SUBPRIME(pbk));
copy_bigint_attr(&base, KEY_PUB_DSA_BASE(pbk));
copy_bigint_attr(&value, KEY_PUB_DSA_VALUE(pbk));
break;
case CKK_DH:
if (!(isPrime && isBase && isValue)) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
copy_bigint_attr(&prime, KEY_PUB_DH_PRIME(pbk));
copy_bigint_attr(&base, KEY_PUB_DH_BASE(pbk));
copy_bigint_attr(&value, KEY_PUB_DH_VALUE(pbk));
break;
case CKK_EC:
if (!isPoint || !isParams) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
copy_bigint_attr(&point, KEY_PUB_EC_POINT(pbk));
rv = kernel_add_extra_attr(&param_tmp, new_object);
if (rv != CKR_OK)
goto fail_cleanup;
string_attr_cleanup(&param_tmp);
break;
default:
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
}
/* Set up object. */
new_object->bool_attr_mask = attr_mask;
if (isLabel) {
rv = kernel_add_extra_attr(&string_tmp, new_object);
if (rv != CKR_OK)
goto fail_cleanup;
string_attr_cleanup(&string_tmp);
}
return (rv);
fail_cleanup:
/*
* cleanup the storage allocated to the local variables.
*/
bigint_attr_cleanup(&modulus);
bigint_attr_cleanup(&pubexpo);
bigint_attr_cleanup(&prime);
bigint_attr_cleanup(&subprime);
bigint_attr_cleanup(&base);
bigint_attr_cleanup(&value);
bigint_attr_cleanup(&point);
string_attr_cleanup(&string_tmp);
string_attr_cleanup(&param_tmp);
/*
* cleanup the storage allocated inside the object itself.
*/
kernel_cleanup_object(new_object);
return (rv);
}
/*
* Build a Private Key Object.
*
* - Parse the object's template, and when an error is detected such as
* invalid attribute type, invalid attribute value, etc., return
* with appropriate return value.
* - Set up attribute mask field in the object for the supplied common
* attributes that have boolean type.
* - Build the attribute_info struct to hold the value of each supplied
* attribute that has byte array type. Link attribute_info structs
* together to form the extra attribute list of the object.
* - Allocate storage for the Private Key object.
* - Build the Private Key object according to the key type. Allocate
* storage to hold the big integer value for the supplied attributes
* that are required for a certain key type.
*
*/
CK_RV
kernel_build_private_key_object(CK_ATTRIBUTE_PTR template,
CK_ULONG ulAttrNum, kernel_object_t *new_object, kernel_session_t *sp,
uint_t mode)
{
ulong_t i;
CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL;
uint64_t attr_mask = PRIVATE_KEY_DEFAULT;
CK_RV rv = CKR_OK;
int isLabel = 0;
/* Must set flags */
int isModulus = 0;
int isPriExpo = 0;
int isPrime = 0;
int isSubprime = 0;
int isBase = 0;
int isValue = 0;
int isParams = 0;
/* Must not set flags */
int isValueBits = 0;
CK_ULONG value_bits = 0;
/* Private Key RSA optional */
int isPubExpo = 0;
int isPrime1 = 0;
int isPrime2 = 0;
int isExpo1 = 0;
int isExpo2 = 0;
int isCoef = 0;
biginteger_t modulus;
biginteger_t priexpo;
biginteger_t prime;
biginteger_t subprime;
biginteger_t base;
biginteger_t value;
biginteger_t pubexpo;
biginteger_t prime1;
biginteger_t prime2;
biginteger_t expo1;
biginteger_t expo2;
biginteger_t coef;
CK_ATTRIBUTE string_tmp;
CK_ATTRIBUTE param_tmp;
private_key_obj_t *pvk;
/* prevent bigint_attr_cleanup from freeing invalid attr value */
(void) memset(&modulus, 0x0, sizeof (biginteger_t));
(void) memset(&priexpo, 0x0, sizeof (biginteger_t));
(void) memset(&prime, 0x0, sizeof (biginteger_t));
(void) memset(&subprime, 0x0, sizeof (biginteger_t));
(void) memset(&base, 0x0, sizeof (biginteger_t));
(void) memset(&value, 0x0, sizeof (biginteger_t));
(void) memset(&pubexpo, 0x0, sizeof (biginteger_t));
(void) memset(&prime1, 0x0, sizeof (biginteger_t));
(void) memset(&prime2, 0x0, sizeof (biginteger_t));
(void) memset(&expo1, 0x0, sizeof (biginteger_t));
(void) memset(&expo2, 0x0, sizeof (biginteger_t));
(void) memset(&coef, 0x0, sizeof (biginteger_t));
string_tmp.pValue = NULL;
param_tmp.pValue = NULL;
for (i = 0; i < ulAttrNum; i++) {
/* Private Key Object Attributes */
switch (template[i].type) {
/* common key attributes */
case CKA_KEY_TYPE:
keytype = *((CK_KEY_TYPE*)template[i].pValue);
break;
case CKA_ID:
case CKA_START_DATE:
case CKA_END_DATE:
/* common private key attribute */
case CKA_SUBJECT:
/*
* Allocate storage to hold the attribute
* value with byte array type, and add it to
* the extra attribute list of the object.
*/
rv = kernel_add_extra_attr(&template[i],
new_object);
if (rv != CKR_OK) {
goto fail_cleanup;
}
break;
/*
* The following key related attribute types must
* not be specified by C_CreateObject.
*/
case CKA_LOCAL:
case CKA_KEY_GEN_MECHANISM:
case CKA_AUTH_PIN_FLAGS:
case CKA_ALWAYS_SENSITIVE:
case CKA_NEVER_EXTRACTABLE:
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
/* Key related boolean attributes */
case CKA_DERIVE:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= DERIVE_BOOL_ON;
break;
case CKA_SENSITIVE:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= SENSITIVE_BOOL_ON;
break;
case CKA_SECONDARY_AUTH:
if (*(CK_BBOOL *)template[i].pValue) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto fail_cleanup;
}
break;
case CKA_DECRYPT:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= DECRYPT_BOOL_ON;
else
attr_mask &= ~DECRYPT_BOOL_ON;
break;
case CKA_SIGN:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= SIGN_BOOL_ON;
else
attr_mask &= ~SIGN_BOOL_ON;
break;
case CKA_SIGN_RECOVER:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= SIGN_RECOVER_BOOL_ON;
else
attr_mask &= ~SIGN_RECOVER_BOOL_ON;
break;
case CKA_UNWRAP:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= UNWRAP_BOOL_ON;
break;
case CKA_EXTRACTABLE:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= EXTRACTABLE_BOOL_ON;
else
attr_mask &= ~EXTRACTABLE_BOOL_ON;
break;
/*
* The following key related attribute types must
* be specified according to the key type by
* C_CreateObject.
*/
case CKA_MODULUS:
isModulus = 1;
/*
* Copyin big integer attribute from template
* to a local variable.
*/
rv = get_bigint_attr_from_template(&modulus,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_PUBLIC_EXPONENT:
isPubExpo = 1;
rv = get_bigint_attr_from_template(&pubexpo,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_PRIVATE_EXPONENT:
isPriExpo = 1;
rv = get_bigint_attr_from_template(&priexpo,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_PRIME_1:
isPrime1 = 1;
rv = get_bigint_attr_from_template(&prime1,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_PRIME_2:
isPrime2 = 1;
rv = get_bigint_attr_from_template(&prime2,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_EXPONENT_1:
isExpo1 = 1;
rv = get_bigint_attr_from_template(&expo1,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_EXPONENT_2:
isExpo2 = 1;
rv = get_bigint_attr_from_template(&expo2,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_COEFFICIENT:
isCoef = 1;
rv = get_bigint_attr_from_template(&coef,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_PRIME:
isPrime = 1;
rv = get_bigint_attr_from_template(&prime,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_SUBPRIME:
isSubprime = 1;
rv = get_bigint_attr_from_template(&subprime,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_BASE:
isBase = 1;
rv = get_bigint_attr_from_template(&base,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_VALUE:
isValue = 1;
rv = get_bigint_attr_from_template(&value,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_VALUE_BITS:
isValueBits = 1;
get_ulong_attr_from_template(&value_bits,
&template[i]);
break;
case CKA_LABEL:
isLabel = 1;
rv = get_string_from_template(&string_tmp,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
case CKA_EC_PARAMS:
isParams = 1;
rv = get_string_from_template(&param_tmp,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
default:
rv = kernel_parse_common_attrs(&template[i], sp,
&attr_mask);
if (rv != CKR_OK)
goto fail_cleanup;
break;
}
} /* For */
/* Allocate storage for Private Key Object. */
pvk = calloc(1, sizeof (private_key_obj_t));
if (pvk == NULL) {
rv = CKR_HOST_MEMORY;
goto fail_cleanup;
}
new_object->object_class_u.private_key = pvk;
new_object->class = CKO_PRIVATE_KEY;
if (keytype == (CK_KEY_TYPE)~0UL) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
new_object->key_type = keytype;
/* Supported key types of the Private Key Object */
switch (keytype) {
case CKK_RSA:
if (isPrime || isSubprime || isBase || isValue ||
isValueBits) {
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
}
if (isModulus && isPriExpo) {
/*
* Copy big integer attribute value to the
* designated place in the Private Key object.
*/
copy_bigint_attr(&modulus, KEY_PRI_RSA_MOD(pvk));
copy_bigint_attr(&priexpo, KEY_PRI_RSA_PRIEXPO(pvk));
} else {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
/* The following attributes are optional. */
if (isPubExpo) {
copy_bigint_attr(&pubexpo, KEY_PRI_RSA_PUBEXPO(pvk));
}
if (isPrime1) {
copy_bigint_attr(&prime1, KEY_PRI_RSA_PRIME1(pvk));
}
if (isPrime2) {
copy_bigint_attr(&prime2, KEY_PRI_RSA_PRIME2(pvk));
}
if (isExpo1) {
copy_bigint_attr(&expo1, KEY_PRI_RSA_EXPO1(pvk));
}
if (isExpo2) {
copy_bigint_attr(&expo2, KEY_PRI_RSA_EXPO2(pvk));
}
if (isCoef) {
copy_bigint_attr(&coef, KEY_PRI_RSA_COEF(pvk));
}
break;
case CKK_DSA:
if (isModulus || isPubExpo || isPriExpo || isPrime1 ||
isPrime2 || isExpo1 || isExpo2 || isCoef ||
isValueBits) {
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
}
if (!(isPrime && isSubprime && isBase && isValue)) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
copy_bigint_attr(&prime, KEY_PRI_DSA_PRIME(pvk));
copy_bigint_attr(&subprime, KEY_PRI_DSA_SUBPRIME(pvk));
copy_bigint_attr(&base, KEY_PRI_DSA_BASE(pvk));
copy_bigint_attr(&value, KEY_PRI_DSA_VALUE(pvk));
break;
case CKK_DH:
if (mode == KERNEL_CREATE_OBJ && isValueBits) {
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
}
if (!(isPrime && isBase && isValue)) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
copy_bigint_attr(&prime, KEY_PRI_DH_PRIME(pvk));
copy_bigint_attr(&base, KEY_PRI_DH_BASE(pvk));
copy_bigint_attr(&value, KEY_PRI_DH_VALUE(pvk));
KEY_PRI_DH_VAL_BITS(pvk) = (isValueBits) ? value_bits : 0;
break;
case CKK_EC:
if (!isValue || !isParams) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
copy_bigint_attr(&value, KEY_PRI_EC_VALUE(pvk));
rv = kernel_add_extra_attr(&param_tmp, new_object);
if (rv != CKR_OK)
goto fail_cleanup;
string_attr_cleanup(&param_tmp);
break;
default:
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
}
/* Set up object. */
new_object->bool_attr_mask = attr_mask;
if (isLabel) {
rv = kernel_add_extra_attr(&string_tmp, new_object);
if (rv != CKR_OK)
goto fail_cleanup;
string_attr_cleanup(&string_tmp);
}
return (rv);
fail_cleanup:
/*
* cleanup the storage allocated to the local variables.
*/
bigint_attr_cleanup(&modulus);
bigint_attr_cleanup(&priexpo);
bigint_attr_cleanup(&prime);
bigint_attr_cleanup(&subprime);
bigint_attr_cleanup(&base);
bigint_attr_cleanup(&value);
bigint_attr_cleanup(&pubexpo);
bigint_attr_cleanup(&prime1);
bigint_attr_cleanup(&prime2);
bigint_attr_cleanup(&expo1);
bigint_attr_cleanup(&expo2);
bigint_attr_cleanup(&coef);
string_attr_cleanup(&string_tmp);
string_attr_cleanup(&param_tmp);
/*
* cleanup the storage allocated inside the object itself.
*/
kernel_cleanup_object(new_object);
return (rv);
}
/*
* Build a Secret Key Object.
*
* - Parse the object's template, and when an error is detected such as
* invalid attribute type, invalid attribute value, etc., return
* with appropriate return value.
* - Set up attribute mask field in the object for the supplied common
* attributes that have boolean type.
* - Build the attribute_info struct to hold the value of each supplied
* attribute that has byte array type. Link attribute_info structs
* together to form the extra attribute list of the object.
* - Allocate storage for the Secret Key object.
* - Build the Secret Key object. Allocate storage to hold the big integer
* value for the attribute CKA_VALUE that is required for all the key
* types supported by secret key object.
*
*/
CK_RV
kernel_build_secret_key_object(CK_ATTRIBUTE_PTR template,
CK_ULONG ulAttrNum, kernel_object_t *new_object, kernel_session_t *sp)
{
int i;
CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL;
uint64_t attr_mask = SECRET_KEY_DEFAULT;
CK_RV rv = CKR_OK;
int isLabel = 0;
/* Must set flags */
int isValue = 0;
/* Must not set flags */
int isValueLen = 0;
CK_ATTRIBUTE string_tmp;
secret_key_obj_t *sck;
string_tmp.pValue = NULL;
/* Allocate storage for Secret Key Object. */
sck = calloc(1, sizeof (secret_key_obj_t));
if (sck == NULL) {
rv = CKR_HOST_MEMORY;
goto fail_cleanup;
}
new_object->object_class_u.secret_key = sck;
new_object->class = CKO_SECRET_KEY;
for (i = 0; i < ulAttrNum; i++) {
/* Secret Key Object Attributes */
switch (template[i].type) {
/* common key attributes */
case CKA_KEY_TYPE:
keytype = *((CK_KEY_TYPE*)template[i].pValue);
break;
case CKA_ID:
case CKA_START_DATE:
case CKA_END_DATE:
/*
* Allocate storage to hold the attribute
* value with byte array type, and add it to
* the extra attribute list of the object.
*/
rv = kernel_add_extra_attr(&template[i],
new_object);
if (rv != CKR_OK) {
goto fail_cleanup;
}
break;
/*
* The following key related attribute types must
* not be specified by C_CreateObject.
*/
case CKA_LOCAL:
case CKA_KEY_GEN_MECHANISM:
case CKA_ALWAYS_SENSITIVE:
case CKA_NEVER_EXTRACTABLE:
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
/* Key related boolean attributes */
case CKA_DERIVE:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= DERIVE_BOOL_ON;
break;
case CKA_SENSITIVE:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= SENSITIVE_BOOL_ON;
break;
case CKA_ENCRYPT:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= ENCRYPT_BOOL_ON;
else
attr_mask &= ~ENCRYPT_BOOL_ON;
break;
case CKA_DECRYPT:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= DECRYPT_BOOL_ON;
else
attr_mask &= ~DECRYPT_BOOL_ON;
break;
case CKA_SIGN:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= SIGN_BOOL_ON;
else
attr_mask &= ~SIGN_BOOL_ON;
break;
case CKA_VERIFY:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= VERIFY_BOOL_ON;
else
attr_mask &= ~VERIFY_BOOL_ON;
break;
case CKA_WRAP:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= WRAP_BOOL_ON;
break;
case CKA_UNWRAP:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= UNWRAP_BOOL_ON;
break;
case CKA_EXTRACTABLE:
if (*(CK_BBOOL *)template[i].pValue)
attr_mask |= EXTRACTABLE_BOOL_ON;
else
attr_mask &= ~EXTRACTABLE_BOOL_ON;
break;
case CKA_VALUE:
isValue = 1;
if ((template[i].ulValueLen == 0) ||
(template[i].pValue == NULL)) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto fail_cleanup;
}
/*
* Copyin attribute from template
* to a local variable.
*/
sck->sk_value = malloc(template[i].ulValueLen);
if (sck->sk_value == NULL) {
rv = CKR_HOST_MEMORY;
goto fail_cleanup;
}
(void) memcpy(sck->sk_value, template[i].pValue,
template[i].ulValueLen);
sck->sk_value_len = template[i].ulValueLen;
break;
case CKA_VALUE_LEN:
isValueLen = 1;
break;
case CKA_LABEL:
isLabel = 1;
rv = get_string_from_template(&string_tmp,
&template[i]);
if (rv != CKR_OK)
goto fail_cleanup;
break;
default:
rv = kernel_parse_common_attrs(&template[i], sp,
&attr_mask);
if (rv != CKR_OK)
goto fail_cleanup;
break;
}
} /* For */
if (keytype == (CK_KEY_TYPE)~0UL) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
new_object->key_type = keytype;
/* Supported key types of the Secret Key Object */
switch (keytype) {
case CKK_RC4:
if (!isValue) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
if ((sck->sk_value_len < ARCFOUR_MIN_KEY_BYTES) ||
(sck->sk_value_len > ARCFOUR_MAX_KEY_BYTES)) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto fail_cleanup;
}
break;
case CKK_GENERIC_SECRET:
if (!isValue) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
break;
case CKK_AES:
if (!isValue) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
if (sck->sk_value_len < AES_MIN_KEY_BYTES) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto fail_cleanup;
}
break;
case CKK_BLOWFISH:
if (!isValue) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
if (sck->sk_value_len < BLOWFISH_MINBYTES) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto fail_cleanup;
}
break;
case CKK_DES:
if (!isValue) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
if (sck->sk_value_len != DES_KEYSIZE) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto fail_cleanup;
}
break;
case CKK_DES2:
if (!isValue) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
if (sck->sk_value_len != DES2_KEYSIZE) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto fail_cleanup;
}
break;
case CKK_DES3:
if (!isValue) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto fail_cleanup;
}
if (sck->sk_value_len != DES3_KEYSIZE) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto fail_cleanup;
}
break;
default:
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
}
if (isValueLen) {
rv = CKR_TEMPLATE_INCONSISTENT;
goto fail_cleanup;
}
/* Set up object. */
new_object->bool_attr_mask = attr_mask;
if (isLabel) {
rv = kernel_add_extra_attr(&string_tmp, new_object);
if (rv != CKR_OK)
goto fail_cleanup;
string_attr_cleanup(&string_tmp);
}
return (rv);
fail_cleanup:
/*
* cleanup the storage allocated to the local variables.
*/
string_attr_cleanup(&string_tmp);
/*
* cleanup the storage allocated inside the object itself.
*/
kernel_cleanup_object(new_object);
return (rv);
}
/*
* Validate the attribute types in the object's template. Then,
* call the appropriate build function according to the class of
* the object specified in the template.
*
* Note: The following classes of objects are supported:
* - CKO_SECRET_KEY
* - CKO_PUBLIC_KEY
* - CKO_PRIVATE_KEY
*/
CK_RV
kernel_build_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
kernel_object_t *new_object, kernel_session_t *sp, uint_t mode)
{
CK_OBJECT_CLASS class = (CK_OBJECT_CLASS)~0UL;
CK_RV rv = CKR_OK;
if (template == NULL) {
return (CKR_ARGUMENTS_BAD);
}
/* Validate the attribute type in the template. */
rv = kernel_validate_attr(template, ulAttrNum, &class);
if (rv != CKR_OK)
return (rv);
if (class == (CK_OBJECT_CLASS)~0UL)
return (CKR_TEMPLATE_INCOMPLETE);
/*
* Call the appropriate function based on the supported class
* of the object.
*/
switch (class) {
case CKO_PUBLIC_KEY:
rv = kernel_build_public_key_object(template, ulAttrNum,
new_object, sp, mode);
break;
case CKO_PRIVATE_KEY:
rv = kernel_build_private_key_object(template, ulAttrNum,
new_object, sp, mode);
break;
case CKO_SECRET_KEY:
rv = kernel_build_secret_key_object(template, ulAttrNum,
new_object, sp);
break;
case CKO_DOMAIN_PARAMETERS:
case CKO_DATA:
case CKO_CERTIFICATE:
case CKO_HW_FEATURE:
case CKO_VENDOR_DEFINED:
default:
return (CKR_ATTRIBUTE_VALUE_INVALID);
}
return (rv);
}
/*
* Get the value of a requested attribute that is common to all supported
* classes (i.e. public key, private key, secret key classes).
*/
CK_RV
kernel_get_common_attrs(kernel_object_t *object_p, CK_ATTRIBUTE_PTR template)
{
CK_RV rv = CKR_OK;
switch (template->type) {
case CKA_CLASS:
return (get_ulong_attr_from_object(object_p->class,
template));
/* default boolean attributes */
case CKA_TOKEN:
template->ulValueLen = sizeof (CK_BBOOL);
if (template->pValue == NULL) {
return (CKR_OK);
}
/*
* A token object will not be created in the library, so we
* return FALSE.
*/
*((CK_BBOOL *)template->pValue) = B_FALSE;
break;
case CKA_PRIVATE:
template->ulValueLen = sizeof (CK_BBOOL);
if (template->pValue == NULL) {
return (CKR_OK);
}
if (object_p->bool_attr_mask & PRIVATE_BOOL_ON) {
*((CK_BBOOL *)template->pValue) = B_TRUE;
} else {
*((CK_BBOOL *)template->pValue) = B_FALSE;
}
break;
case CKA_MODIFIABLE:
template->ulValueLen = sizeof (CK_BBOOL);
if (template->pValue == NULL) {
return (CKR_OK);
}
if ((object_p->bool_attr_mask) & MODIFIABLE_BOOL_ON)
*((CK_BBOOL *)template->pValue) = B_TRUE;
else
*((CK_BBOOL *)template->pValue) = B_FALSE;
break;
case CKA_LABEL:
return (get_extra_attr_from_object(object_p,
template));
default:
/*
* The specified attribute for the object is invalid.
* (the object does not possess such an attribute.)
*/
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
return (rv);
}
/*
* Get the value of a requested attribute that is common to all key objects
* (i.e. public key, private key and secret key).
*/
CK_RV
kernel_get_common_key_attrs(kernel_object_t *object_p,
CK_ATTRIBUTE_PTR template)
{
switch (template->type) {
case CKA_KEY_TYPE:
return (get_ulong_attr_from_object(object_p->key_type,
template));
case CKA_ID:
case CKA_START_DATE:
case CKA_END_DATE:
/*
* The above extra attributes have byte array type.
*/
return (get_extra_attr_from_object(object_p,
template));
/* Key related boolean attributes */
case CKA_LOCAL:
return (get_bool_attr_from_object(object_p,
LOCAL_BOOL_ON, template));
case CKA_DERIVE:
return (get_bool_attr_from_object(object_p,
DERIVE_BOOL_ON, template));
case CKA_KEY_GEN_MECHANISM:
return (get_ulong_attr_from_object(object_p->mechanism,
template));
default:
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
}
/*
* Get the value of a requested attribute of a Public Key Object.
*
* Rule: All the attributes in the public key object can be revealed.
*/
CK_RV
kernel_get_public_key_attribute(kernel_object_t *object_p,
CK_ATTRIBUTE_PTR template)
{
CK_RV rv = CKR_OK;
CK_KEY_TYPE keytype = object_p->key_type;
switch (template->type) {
case CKA_SUBJECT:
case CKA_EC_PARAMS:
/*
* The above extra attributes have byte array type.
*/
return (get_extra_attr_from_object(object_p,
template));
/* Key related boolean attributes */
case CKA_ENCRYPT:
return (get_bool_attr_from_object(object_p,
ENCRYPT_BOOL_ON, template));
case CKA_VERIFY:
return (get_bool_attr_from_object(object_p,
VERIFY_BOOL_ON, template));
case CKA_VERIFY_RECOVER:
return (get_bool_attr_from_object(object_p,
VERIFY_RECOVER_BOOL_ON, template));
case CKA_WRAP:
return (get_bool_attr_from_object(object_p,
WRAP_BOOL_ON, template));
case CKA_TRUSTED:
return (get_bool_attr_from_object(object_p,
TRUSTED_BOOL_ON, template));
case CKA_MODULUS:
/*
* This attribute is valid only for RSA public key
* object.
*/
if (keytype == CKK_RSA) {
return (get_bigint_attr_from_object(
OBJ_PUB_RSA_MOD(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
case CKA_PUBLIC_EXPONENT:
if (keytype == CKK_RSA) {
return (get_bigint_attr_from_object(
OBJ_PUB_RSA_PUBEXPO(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
case CKA_MODULUS_BITS:
if (keytype == CKK_RSA) {
return (get_ulong_attr_from_object(
OBJ_PUB_RSA_MOD_BITS(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
case CKA_PRIME:
switch (keytype) {
case CKK_DSA:
return (get_bigint_attr_from_object(
OBJ_PUB_DSA_PRIME(object_p), template));
case CKK_DH:
return (get_bigint_attr_from_object(
OBJ_PUB_DH_PRIME(object_p), template));
default:
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
case CKA_SUBPRIME:
switch (keytype) {
case CKK_DSA:
return (get_bigint_attr_from_object(
OBJ_PUB_DSA_SUBPRIME(object_p), template));
default:
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
case CKA_BASE:
switch (keytype) {
case CKK_DSA:
return (get_bigint_attr_from_object(
OBJ_PUB_DSA_BASE(object_p), template));
case CKK_DH:
return (get_bigint_attr_from_object(
OBJ_PUB_DH_BASE(object_p), template));
default:
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
case CKA_VALUE:
switch (keytype) {
case CKK_DSA:
return (get_bigint_attr_from_object(
OBJ_PUB_DSA_VALUE(object_p), template));
case CKK_DH:
return (get_bigint_attr_from_object(
OBJ_PUB_DH_VALUE(object_p), template));
default:
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
case CKA_EC_POINT:
switch (keytype) {
case CKK_EC:
return (get_bigint_attr_from_object(
OBJ_PUB_EC_POINT(object_p), template));
default:
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
default:
/*
* First, get the value of the request attribute defined
* in the list of common key attributes. If the request
* attribute is not found in that list, then get the
* attribute from the list of common attributes.
*/
rv = kernel_get_common_key_attrs(object_p, template);
if (rv == CKR_ATTRIBUTE_TYPE_INVALID) {
rv = kernel_get_common_attrs(object_p, template);
}
break;
}
return (rv);
}
/*
* Get the value of a requested attribute of a Private Key Object.
*
* Rule: All the attributes in the private key object can be revealed
* except those marked with footnote number "7" when the object
* has its CKA_SENSITIVE attribute set to TRUE or its
* CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.).
*/
CK_RV
kernel_get_private_key_attribute(kernel_object_t *object_p,
CK_ATTRIBUTE_PTR template)
{
CK_RV rv = CKR_OK;
CK_KEY_TYPE keytype = object_p->key_type;
/*
* If the following specified attributes for the private key
* object cannot be revealed because the object is sensitive
* or unextractable, then the ulValueLen is set to -1.
*/
if ((object_p->bool_attr_mask & SENSITIVE_BOOL_ON) ||
!(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
switch (template->type) {
case CKA_PRIVATE_EXPONENT:
case CKA_PRIME_1:
case CKA_PRIME_2:
case CKA_EXPONENT_1:
case CKA_EXPONENT_2:
case CKA_COEFFICIENT:
case CKA_VALUE:
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_SENSITIVE);
}
}
switch (template->type) {
case CKA_SUBJECT:
case CKA_EC_PARAMS:
/*
* The above extra attributes have byte array type.
*/
return (get_extra_attr_from_object(object_p,
template));
/* Key related boolean attributes */
case CKA_SENSITIVE:
return (get_bool_attr_from_object(object_p,
SENSITIVE_BOOL_ON, template));
case CKA_SECONDARY_AUTH:
return (get_bool_attr_from_object(object_p,
SECONDARY_AUTH_BOOL_ON, template));
case CKA_DECRYPT:
return (get_bool_attr_from_object(object_p,
DECRYPT_BOOL_ON, template));
case CKA_SIGN:
return (get_bool_attr_from_object(object_p,
SIGN_BOOL_ON, template));
case CKA_SIGN_RECOVER:
return (get_bool_attr_from_object(object_p,
SIGN_RECOVER_BOOL_ON, template));
case CKA_UNWRAP:
return (get_bool_attr_from_object(object_p,
UNWRAP_BOOL_ON, template));
case CKA_EXTRACTABLE:
return (get_bool_attr_from_object(object_p,
EXTRACTABLE_BOOL_ON, template));
case CKA_ALWAYS_SENSITIVE:
return (get_bool_attr_from_object(object_p,
ALWAYS_SENSITIVE_BOOL_ON, template));
case CKA_NEVER_EXTRACTABLE:
return (get_bool_attr_from_object(object_p,
NEVER_EXTRACTABLE_BOOL_ON, template));
case CKA_MODULUS:
if (keytype == CKK_RSA) {
return (get_bigint_attr_from_object(
OBJ_PRI_RSA_MOD(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
case CKA_PUBLIC_EXPONENT:
if (keytype == CKK_RSA) {
return (get_bigint_attr_from_object(
OBJ_PRI_RSA_PUBEXPO(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
case CKA_PRIVATE_EXPONENT:
if (keytype == CKK_RSA) {
return (get_bigint_attr_from_object(
OBJ_PRI_RSA_PRIEXPO(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
case CKA_PRIME_1:
if (keytype == CKK_RSA) {
return (get_bigint_attr_from_object(
OBJ_PRI_RSA_PRIME1(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
case CKA_PRIME_2:
if (keytype == CKK_RSA) {
return (get_bigint_attr_from_object(
OBJ_PRI_RSA_PRIME2(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
case CKA_EXPONENT_1:
if (keytype == CKK_RSA) {
return (get_bigint_attr_from_object(
OBJ_PRI_RSA_EXPO1(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
case CKA_EXPONENT_2:
if (keytype == CKK_RSA) {
return (get_bigint_attr_from_object(
OBJ_PRI_RSA_EXPO2(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
case CKA_COEFFICIENT:
if (keytype == CKK_RSA) {
return (get_bigint_attr_from_object(
OBJ_PRI_RSA_COEF(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
case CKA_VALUE_BITS:
if (keytype == CKK_DH) {
return (get_ulong_attr_from_object(
OBJ_PRI_DH_VAL_BITS(object_p), template));
} else {
template->ulValueLen = (CK_ULONG)-1;
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
case CKA_PRIME:
switch (keytype) {
case CKK_DSA:
return (get_bigint_attr_from_object(
OBJ_PRI_DSA_PRIME(object_p), template));
case CKK_DH:
return (get_bigint_attr_from_object(
OBJ_PRI_DH_PRIME(object_p), template));
default:
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
case CKA_SUBPRIME:
switch (keytype) {
case CKK_DSA:
return (get_bigint_attr_from_object(
OBJ_PRI_DSA_SUBPRIME(object_p), template));
default:
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
case CKA_BASE:
switch (keytype) {
case CKK_DSA:
return (get_bigint_attr_from_object(
OBJ_PRI_DSA_BASE(object_p), template));
case CKK_DH:
return (get_bigint_attr_from_object(
OBJ_PRI_DH_BASE(object_p), template));
default:
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
case CKA_VALUE:
switch (keytype) {
case CKK_DSA:
return (get_bigint_attr_from_object(
OBJ_PRI_DSA_VALUE(object_p), template));
case CKK_DH:
return (get_bigint_attr_from_object(
OBJ_PRI_DH_VALUE(object_p), template));
case CKK_EC:
return (get_bigint_attr_from_object(
OBJ_PRI_EC_VALUE(object_p), template));
default:
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
default:
/*
* First, get the value of the request attribute defined
* in the list of common key attributes. If the request
* attribute is not found in that list, then get the
* attribute from the list of common attributes.
*/
rv = kernel_get_common_key_attrs(object_p, template);
if (rv == CKR_ATTRIBUTE_TYPE_INVALID) {
rv = kernel_get_common_attrs(object_p, template);
}
break;
}
return (rv);
}
/*
* Get the value of a requested attribute of a Secret Key Object.
*
* Rule: All the attributes in the secret key object can be revealed
* except those marked with footnote number "7" when the object
* has its CKA_SENSITIVE attribute set to TRUE or its
* CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.).
*/
CK_RV
kernel_get_secret_key_attribute(kernel_object_t *object_p,
CK_ATTRIBUTE_PTR template)
{
CK_RV rv = CKR_OK;
CK_KEY_TYPE keytype = object_p->key_type;
switch (template->type) {
/* Key related boolean attributes */
case CKA_SENSITIVE:
return (get_bool_attr_from_object(object_p,
SENSITIVE_BOOL_ON, template));
case CKA_ENCRYPT:
return (get_bool_attr_from_object(object_p,
ENCRYPT_BOOL_ON, template));
case CKA_DECRYPT:
return (get_bool_attr_from_object(object_p,
DECRYPT_BOOL_ON, template));
case CKA_SIGN:
return (get_bool_attr_from_object(object_p,
SIGN_BOOL_ON, template));
case CKA_VERIFY:
return (get_bool_attr_from_object(object_p,
VERIFY_BOOL_ON, template));
case CKA_WRAP:
return (get_bool_attr_from_object(object_p,
WRAP_BOOL_ON, template));
case CKA_UNWRAP:
return (get_bool_attr_from_object(object_p,
UNWRAP_BOOL_ON, template));
case CKA_EXTRACTABLE:
return (get_bool_attr_from_object(object_p,
EXTRACTABLE_BOOL_ON, template));
case CKA_ALWAYS_SENSITIVE:
return (get_bool_attr_from_object(object_p,
ALWAYS_SENSITIVE_BOOL_ON, template));
case CKA_NEVER_EXTRACTABLE:
return (get_bool_attr_from_object(object_p,
NEVER_EXTRACTABLE_BOOL_ON, template));
case CKA_VALUE:
/*
* If the specified attribute for the secret key object
* cannot be revealed because the object is sensitive
* or unextractable, then the ulValueLen is set to -1.
*/
if ((object_p->bool_attr_mask & SENSITIVE_BOOL_ON) ||
!(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_SENSITIVE);
}
switch (keytype) {
case CKK_RC4:
case CKK_GENERIC_SECRET:
case CKK_RC5:
case CKK_DES:
case CKK_DES2:
case CKK_DES3:
case CKK_CDMF:
case CKK_AES:
case CKK_BLOWFISH:
/*
* Copy secret key object attributes to template.
*/
if (template->pValue == NULL) {
template->ulValueLen =
OBJ_SEC_VALUE_LEN(object_p);
return (CKR_OK);
}
if (OBJ_SEC_VALUE(object_p) == NULL) {
template->ulValueLen = 0;
return (CKR_OK);
}
if (template->ulValueLen >=
OBJ_SEC_VALUE_LEN(object_p)) {
(void) memcpy(template->pValue,
OBJ_SEC_VALUE(object_p),
OBJ_SEC_VALUE_LEN(object_p));
template->ulValueLen =
OBJ_SEC_VALUE_LEN(object_p);
return (CKR_OK);
} else {
template->ulValueLen = (CK_ULONG)-1;
return (CKR_BUFFER_TOO_SMALL);
}
default:
template->ulValueLen = (CK_ULONG)-1;
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
break;
case CKA_VALUE_LEN:
return (get_ulong_attr_from_object(OBJ_SEC_VALUE_LEN(object_p),
template));
default:
/*
* First, get the value of the request attribute defined
* in the list of common key attributes. If the request
* attribute is not found in that list, then get the
* attribute from the list of common attributes.
*/
rv = kernel_get_common_key_attrs(object_p, template);
if (rv == CKR_ATTRIBUTE_TYPE_INVALID) {
rv = kernel_get_common_attrs(object_p, template);
}
break;
}
return (rv);
}
/*
* Call the appropriate get attribute function according to the class
* of object.
*
* The caller of this function holds the lock on the object.
*/
CK_RV
kernel_get_attribute(kernel_object_t *object_p, CK_ATTRIBUTE_PTR template)
{
CK_RV rv = CKR_OK;
CK_OBJECT_CLASS class = object_p->class;
switch (class) {
case CKO_PUBLIC_KEY:
rv = kernel_get_public_key_attribute(object_p, template);
break;
case CKO_PRIVATE_KEY:
rv = kernel_get_private_key_attribute(object_p, template);
break;
case CKO_SECRET_KEY:
rv = kernel_get_secret_key_attribute(object_p, template);
break;
default:
/*
* If the specified attribute for the object is invalid
* (the object does not possess such as attribute), then
* the ulValueLen is modified to hold the value -1.
*/
template->ulValueLen = (CK_ULONG)-1;
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
return (rv);
}
/*
* Set the value of an attribute that is common to all key objects
* (i.e. public key, private key and secret key).
*/
CK_RV
kernel_set_common_key_attribute(kernel_object_t *object_p,
CK_ATTRIBUTE_PTR template, boolean_t copy, kernel_session_t *sp)
{
kernel_slot_t *pslot = slot_table[sp->ses_slotid];
CK_RV rv = CKR_OK;
switch (template->type) {
case CKA_LABEL:
/*
* Only the LABEL can be modified in the common storage
* object attributes after the object is created.
*/
return (set_extra_attr_to_object(object_p,
CKA_LABEL, template));
case CKA_ID:
return (set_extra_attr_to_object(object_p,
CKA_ID, template));
case CKA_START_DATE:
return (set_extra_attr_to_object(object_p,
CKA_START_DATE, template));
case CKA_END_DATE:
return (set_extra_attr_to_object(object_p,
CKA_END_DATE, template));
case CKA_DERIVE:
return (set_bool_attr_to_object(object_p,
DERIVE_BOOL_ON, template));
case CKA_CLASS:
case CKA_KEY_TYPE:
case CKA_LOCAL:
return (CKR_ATTRIBUTE_READ_ONLY);
case CKA_PRIVATE:
if (!copy) {
/* called from C_SetAttributeValue() */
return (CKR_ATTRIBUTE_READ_ONLY);
}
/* called from C_CopyObject() */
if ((*(CK_BBOOL *)template->pValue) != B_TRUE) {
return (CKR_OK);
}
(void) pthread_mutex_lock(&pslot->sl_mutex);
/*
* Cannot create a private object if the token
* has a keystore and the user isn't logged in.
*/
if (pslot->sl_func_list.fl_object_create &&
pslot->sl_state != CKU_USER) {
rv = CKR_USER_NOT_LOGGED_IN;
} else {
rv = set_bool_attr_to_object(object_p,
PRIVATE_BOOL_ON, template);
}
(void) pthread_mutex_unlock(&pslot->sl_mutex);
return (rv);
case CKA_MODIFIABLE:
if (copy) {
rv = set_bool_attr_to_object(object_p,
MODIFIABLE_BOOL_ON, template);
} else {
rv = CKR_ATTRIBUTE_READ_ONLY;
}
return (rv);
default:
return (CKR_TEMPLATE_INCONSISTENT);
}
}
/*
* Set the value of an attribute of a Public Key Object.
*
* Rule: The attributes marked with footnote number "8" in the PKCS11
* spec may be modified (p.88 in PKCS11 spec.).
*/
CK_RV
kernel_set_public_key_attribute(kernel_object_t *object_p,
CK_ATTRIBUTE_PTR template, boolean_t copy, kernel_session_t *sp)
{
CK_KEY_TYPE keytype = object_p->key_type;
switch (template->type) {
case CKA_SUBJECT:
return (set_extra_attr_to_object(object_p,
CKA_SUBJECT, template));
case CKA_ENCRYPT:
return (set_bool_attr_to_object(object_p,
ENCRYPT_BOOL_ON, template));
case CKA_VERIFY:
return (set_bool_attr_to_object(object_p,
VERIFY_BOOL_ON, template));
case CKA_VERIFY_RECOVER:
return (set_bool_attr_to_object(object_p,
VERIFY_RECOVER_BOOL_ON, template));
case CKA_WRAP:
return (set_bool_attr_to_object(object_p,
WRAP_BOOL_ON, template));
case CKA_MODULUS:
case CKA_MODULUS_BITS:
case CKA_PUBLIC_EXPONENT:
if (keytype == CKK_RSA)
return (CKR_ATTRIBUTE_READ_ONLY);
break;
case CKA_SUBPRIME:
case CKA_PRIME:
case CKA_BASE:
case CKA_VALUE:
if (keytype == CKK_DSA)
return (CKR_ATTRIBUTE_READ_ONLY);
break;
default:
/*
* Set the value of a common key attribute.
*/
return (kernel_set_common_key_attribute(object_p,
template, copy, sp));
}
/*
* If we got this far, then the combination of key type
* and requested attribute is invalid.
*/
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
/*
* Set the value of an attribute of a Private Key Object.
*
* Rule: The attributes marked with footnote number "8" in the PKCS11
* spec may be modified (p.88 in PKCS11 spec.).
*/
CK_RV
kernel_set_private_key_attribute(kernel_object_t *object_p,
CK_ATTRIBUTE_PTR template, boolean_t copy, kernel_session_t *sp)
{
CK_KEY_TYPE keytype = object_p->key_type;
switch (template->type) {
case CKA_SUBJECT:
return (set_extra_attr_to_object(object_p,
CKA_SUBJECT, template));
case CKA_SENSITIVE:
/*
* Cannot set SENSITIVE to FALSE if it is already ON.
*/
if (((*(CK_BBOOL *)template->pValue) == B_FALSE) &&
(object_p->bool_attr_mask & SENSITIVE_BOOL_ON)) {
return (CKR_ATTRIBUTE_READ_ONLY);
}
if (*(CK_BBOOL *)template->pValue)
object_p->bool_attr_mask |= SENSITIVE_BOOL_ON;
return (CKR_OK);
case CKA_DECRYPT:
return (set_bool_attr_to_object(object_p,
DECRYPT_BOOL_ON, template));
case CKA_SIGN:
return (set_bool_attr_to_object(object_p,
SIGN_BOOL_ON, template));
case CKA_SIGN_RECOVER:
return (set_bool_attr_to_object(object_p,
SIGN_RECOVER_BOOL_ON, template));
case CKA_UNWRAP:
return (set_bool_attr_to_object(object_p,
UNWRAP_BOOL_ON, template));
case CKA_EXTRACTABLE:
/*
* Cannot set EXTRACTABLE to TRUE if it is already OFF.
*/
if ((*(CK_BBOOL *)template->pValue) &&
!(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
return (CKR_ATTRIBUTE_READ_ONLY);
}
if ((*(CK_BBOOL *)template->pValue) == B_FALSE)
object_p->bool_attr_mask &= ~EXTRACTABLE_BOOL_ON;
return (CKR_OK);
case CKA_MODULUS:
case CKA_PUBLIC_EXPONENT:
case CKA_PRIVATE_EXPONENT:
case CKA_PRIME_1:
case CKA_PRIME_2:
case CKA_EXPONENT_1:
case CKA_EXPONENT_2:
case CKA_COEFFICIENT:
if (keytype == CKK_RSA) {
return (CKR_ATTRIBUTE_READ_ONLY);
}
break;
case CKA_SUBPRIME:
case CKA_PRIME:
case CKA_BASE:
case CKA_VALUE:
if (keytype == CKK_DSA)
return (CKR_ATTRIBUTE_READ_ONLY);
break;
default:
/*
* Set the value of a common key attribute.
*/
return (kernel_set_common_key_attribute(object_p,
template, copy, sp));
}
/*
* If we got this far, then the combination of key type
* and requested attribute is invalid.
*/
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
/*
* Set the value of an attribute of a Secret Key Object.
*
* Rule: The attributes marked with footnote number "8" in the PKCS11
* spec may be modified (p.88 in PKCS11 spec.).
*/
CK_RV
kernel_set_secret_key_attribute(kernel_object_t *object_p,
CK_ATTRIBUTE_PTR template, boolean_t copy, kernel_session_t *sp)
{
CK_KEY_TYPE keytype = object_p->key_type;
switch (template->type) {
case CKA_SENSITIVE:
/*
* Cannot set SENSITIVE to FALSE if it is already ON.
*/
if (((*(CK_BBOOL *)template->pValue) == B_FALSE) &&
(object_p->bool_attr_mask & SENSITIVE_BOOL_ON)) {
return (CKR_ATTRIBUTE_READ_ONLY);
}
if (*(CK_BBOOL *)template->pValue)
object_p->bool_attr_mask |= SENSITIVE_BOOL_ON;
return (CKR_OK);
case CKA_ENCRYPT:
return (set_bool_attr_to_object(object_p,
ENCRYPT_BOOL_ON, template));
case CKA_DECRYPT:
return (set_bool_attr_to_object(object_p,
DECRYPT_BOOL_ON, template));
case CKA_SIGN:
return (set_bool_attr_to_object(object_p,
SIGN_BOOL_ON, template));
case CKA_VERIFY:
return (set_bool_attr_to_object(object_p,
VERIFY_BOOL_ON, template));
case CKA_WRAP:
return (set_bool_attr_to_object(object_p,
WRAP_BOOL_ON, template));
case CKA_UNWRAP:
return (set_bool_attr_to_object(object_p,
UNWRAP_BOOL_ON, template));
case CKA_EXTRACTABLE:
/*
* Cannot set EXTRACTABLE to TRUE if it is already OFF.
*/
if ((*(CK_BBOOL *)template->pValue) &&
!(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
return (CKR_ATTRIBUTE_READ_ONLY);
}
if ((*(CK_BBOOL *)template->pValue) == B_FALSE)
object_p->bool_attr_mask &= ~EXTRACTABLE_BOOL_ON;
return (CKR_OK);
case CKA_VALUE:
return (CKR_ATTRIBUTE_READ_ONLY);
case CKA_VALUE_LEN:
if ((keytype == CKK_RC4) ||
(keytype == CKK_GENERIC_SECRET) ||
(keytype == CKK_AES) ||
(keytype == CKK_BLOWFISH))
return (CKR_ATTRIBUTE_READ_ONLY);
break;
default:
/*
* Set the value of a common key attribute.
*/
return (kernel_set_common_key_attribute(object_p,
template, copy, sp));
}
/*
* If we got this far, then the combination of key type
* and requested attribute is invalid.
*/
return (CKR_ATTRIBUTE_TYPE_INVALID);
}
/*
* Call the appropriate set attribute function according to the class
* of object.
*
* The caller of this function does not hold the lock on the original
* object, since this function is setting the attribute on the new object
* that is being modified.
*
*/
CK_RV
kernel_set_attribute(kernel_object_t *object_p, CK_ATTRIBUTE_PTR template,
boolean_t copy, kernel_session_t *sp)
{
CK_RV rv = CKR_OK;
CK_OBJECT_CLASS class = object_p->class;
switch (class) {
case CKO_PUBLIC_KEY:
rv = kernel_set_public_key_attribute(object_p, template,
copy, sp);
break;
case CKO_PRIVATE_KEY:
rv = kernel_set_private_key_attribute(object_p, template,
copy, sp);
break;
case CKO_SECRET_KEY:
rv = kernel_set_secret_key_attribute(object_p, template,
copy, sp);
break;
default:
/*
* If the template specifies a value of an attribute
* which is incompatible with other existing attributes
* of the object, then fails with return code
* CKR_TEMPLATE_INCONSISTENT.
*/
rv = CKR_TEMPLATE_INCONSISTENT;
break;
}
return (rv);
}
static CK_RV
copy_bigint(biginteger_t *new_bigint, biginteger_t *old_bigint)
{
new_bigint->big_value =
malloc((sizeof (CK_BYTE) * new_bigint->big_value_len));
if (new_bigint->big_value == NULL) {
return (CKR_HOST_MEMORY);
}
(void) memcpy(new_bigint->big_value, old_bigint->big_value,
(sizeof (CK_BYTE) * new_bigint->big_value_len));
return (CKR_OK);
}
static void
free_public_key_attr(public_key_obj_t *pbk, CK_KEY_TYPE key_type)
{
if (pbk == NULL) {
return;
}
switch (key_type) {
case CKK_RSA:
bigint_attr_cleanup(KEY_PUB_RSA_MOD(pbk));
bigint_attr_cleanup(KEY_PUB_RSA_PUBEXPO(pbk));
break;
case CKK_DSA:
bigint_attr_cleanup(KEY_PUB_DSA_PRIME(pbk));
bigint_attr_cleanup(KEY_PUB_DSA_SUBPRIME(pbk));
bigint_attr_cleanup(KEY_PUB_DSA_BASE(pbk));
bigint_attr_cleanup(KEY_PUB_DSA_VALUE(pbk));
break;
default:
break;
}
free(pbk);
}
CK_RV
kernel_copy_public_key_attr(public_key_obj_t *old_pub_key_obj_p,
public_key_obj_t **new_pub_key_obj_p, CK_KEY_TYPE key_type)
{
public_key_obj_t *pbk;
CK_RV rv = CKR_OK;
pbk = calloc(1, sizeof (public_key_obj_t));
if (pbk == NULL) {
return (CKR_HOST_MEMORY);
}
switch (key_type) {
case CKK_RSA:
(void) memcpy(KEY_PUB_RSA(pbk),
KEY_PUB_RSA(old_pub_key_obj_p),
sizeof (rsa_pub_key_t));
/* copy modulus */
rv = copy_bigint(KEY_PUB_RSA_MOD(pbk),
KEY_PUB_RSA_MOD(old_pub_key_obj_p));
if (rv != CKR_OK) {
free_public_key_attr(pbk, key_type);
return (rv);
}
/* copy public exponent */
rv = copy_bigint(KEY_PUB_RSA_PUBEXPO(pbk),
KEY_PUB_RSA_PUBEXPO(old_pub_key_obj_p));
if (rv != CKR_OK) {
free_public_key_attr(pbk, key_type);
return (rv);
}
break;
case CKK_DSA:
(void) memcpy(KEY_PUB_DSA(pbk),
KEY_PUB_DSA(old_pub_key_obj_p),
sizeof (dsa_pub_key_t));
/* copy prime */
rv = copy_bigint(KEY_PUB_DSA_PRIME(pbk),
KEY_PUB_DSA_PRIME(old_pub_key_obj_p));
if (rv != CKR_OK) {
free_public_key_attr(pbk, key_type);
return (rv);
}
/* copy subprime */
rv = copy_bigint(KEY_PUB_DSA_SUBPRIME(pbk),
KEY_PUB_DSA_SUBPRIME(old_pub_key_obj_p));
if (rv != CKR_OK) {
free_public_key_attr(pbk, key_type);
return (rv);
}
/* copy base */
rv = copy_bigint(KEY_PUB_DSA_BASE(pbk),
KEY_PUB_DSA_BASE(old_pub_key_obj_p));
if (rv != CKR_OK) {
free_public_key_attr(pbk, key_type);
return (rv);
}
/* copy value */
rv = copy_bigint(KEY_PUB_DSA_VALUE(pbk),
KEY_PUB_DSA_VALUE(old_pub_key_obj_p));
if (rv != CKR_OK) {
free_public_key_attr(pbk, key_type);
return (rv);
}
break;
default:
break;
}
*new_pub_key_obj_p = pbk;
return (rv);
}
static void
free_private_key_attr(private_key_obj_t *pbk, CK_KEY_TYPE key_type)
{
if (pbk == NULL) {
return;
}
switch (key_type) {
case CKK_RSA:
bigint_attr_cleanup(KEY_PRI_RSA_MOD(pbk));
bigint_attr_cleanup(KEY_PRI_RSA_PUBEXPO(pbk));
bigint_attr_cleanup(KEY_PRI_RSA_PRIEXPO(pbk));
bigint_attr_cleanup(KEY_PRI_RSA_PRIME1(pbk));
bigint_attr_cleanup(KEY_PRI_RSA_PRIME2(pbk));
bigint_attr_cleanup(KEY_PRI_RSA_EXPO1(pbk));
bigint_attr_cleanup(KEY_PRI_RSA_EXPO2(pbk));
bigint_attr_cleanup(KEY_PRI_RSA_COEF(pbk));
break;
case CKK_DSA:
bigint_attr_cleanup(KEY_PRI_DSA_PRIME(pbk));
bigint_attr_cleanup(KEY_PRI_DSA_SUBPRIME(pbk));
bigint_attr_cleanup(KEY_PRI_DSA_BASE(pbk));
bigint_attr_cleanup(KEY_PRI_DSA_VALUE(pbk));
break;
default:
break;
}
free(pbk);
}
CK_RV
kernel_copy_private_key_attr(private_key_obj_t *old_pri_key_obj_p,
private_key_obj_t **new_pri_key_obj_p, CK_KEY_TYPE key_type)
{
CK_RV rv = CKR_OK;
private_key_obj_t *pbk;
pbk = calloc(1, sizeof (private_key_obj_t));
if (pbk == NULL) {
return (CKR_HOST_MEMORY);
}
switch (key_type) {
case CKK_RSA:
(void) memcpy(KEY_PRI_RSA(pbk),
KEY_PRI_RSA(old_pri_key_obj_p),
sizeof (rsa_pri_key_t));
/* copy modulus */
rv = copy_bigint(KEY_PRI_RSA_MOD(pbk),
KEY_PRI_RSA_MOD(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
/* copy public exponent */
rv = copy_bigint(KEY_PRI_RSA_PUBEXPO(pbk),
KEY_PRI_RSA_PUBEXPO(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
/* copy private exponent */
rv = copy_bigint(KEY_PRI_RSA_PRIEXPO(pbk),
KEY_PRI_RSA_PRIEXPO(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
/* copy prime_1 */
rv = copy_bigint(KEY_PRI_RSA_PRIME1(pbk),
KEY_PRI_RSA_PRIME1(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
/* copy prime_2 */
rv = copy_bigint(KEY_PRI_RSA_PRIME2(pbk),
KEY_PRI_RSA_PRIME2(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
/* copy exponent_1 */
rv = copy_bigint(KEY_PRI_RSA_EXPO1(pbk),
KEY_PRI_RSA_EXPO1(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
/* copy exponent_2 */
rv = copy_bigint(KEY_PRI_RSA_EXPO2(pbk),
KEY_PRI_RSA_EXPO2(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
/* copy coefficient */
rv = copy_bigint(KEY_PRI_RSA_COEF(pbk),
KEY_PRI_RSA_COEF(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
break;
case CKK_DSA:
(void) memcpy(KEY_PRI_DSA(pbk),
KEY_PRI_DSA(old_pri_key_obj_p),
sizeof (dsa_pri_key_t));
/* copy prime */
rv = copy_bigint(KEY_PRI_DSA_PRIME(pbk),
KEY_PRI_DSA_PRIME(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
/* copy subprime */
rv = copy_bigint(KEY_PRI_DSA_SUBPRIME(pbk),
KEY_PRI_DSA_SUBPRIME(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
/* copy base */
rv = copy_bigint(KEY_PRI_DSA_BASE(pbk),
KEY_PRI_DSA_BASE(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
/* copy value */
rv = copy_bigint(KEY_PRI_DSA_VALUE(pbk),
KEY_PRI_DSA_VALUE(old_pri_key_obj_p));
if (rv != CKR_OK) {
free_private_key_attr(pbk, key_type);
return (rv);
}
break;
default:
break;
}
*new_pri_key_obj_p = pbk;
return (rv);
}
CK_RV
kernel_copy_secret_key_attr(secret_key_obj_t *old_secret_key_obj_p,
secret_key_obj_t **new_secret_key_obj_p)
{
secret_key_obj_t *sk;
sk = malloc(sizeof (secret_key_obj_t));
if (sk == NULL) {
return (CKR_HOST_MEMORY);
}
(void) memcpy(sk, old_secret_key_obj_p, sizeof (secret_key_obj_t));
/* copy the secret key value */
sk->sk_value = malloc((sizeof (CK_BYTE) * sk->sk_value_len));
if (sk->sk_value == NULL) {
free(sk);
return (CKR_HOST_MEMORY);
}
(void) memcpy(sk->sk_value, old_secret_key_obj_p->sk_value,
(sizeof (CK_BYTE) * sk->sk_value_len));
*new_secret_key_obj_p = sk;
return (CKR_OK);
}
/*
* If CKA_CLASS not given, guess CKA_CLASS using
* attributes on template .
*
* Some attributes are specific to an object class. If one or more
* of these attributes are in the template, make a list of classes
* that can have these attributes. This would speed up the search later,
* because we can immediately skip an object if the class of that
* object can not possibly contain one of the attributes.
*
*/
void
kernel_process_find_attr(CK_OBJECT_CLASS *pclasses,
CK_ULONG *num_result_pclasses, CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount)
{
ulong_t i;
int j;
boolean_t pub_found = B_FALSE,
priv_found = B_FALSE,
secret_found = B_FALSE,
domain_found = B_FALSE,
hardware_found = B_FALSE,
cert_found = B_FALSE;
int num_pub_key_attrs, num_priv_key_attrs,
num_secret_key_attrs, num_domain_attrs,
num_hardware_attrs, num_cert_attrs;
int num_pclasses = 0;
for (i = 0; i < ulCount; i++) {
if (pTemplate[i].type == CKA_CLASS) {
/*
* don't need to guess the class, it is specified.
* Just record the class, and return.
*/
pclasses[0] =
(*((CK_OBJECT_CLASS *)pTemplate[i].pValue));
*num_result_pclasses = 1;
return;
}
}
num_pub_key_attrs =
sizeof (PUB_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
num_priv_key_attrs =
sizeof (PRIV_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
num_secret_key_attrs =
sizeof (SECRET_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
num_domain_attrs =
sizeof (DOMAIN_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
num_hardware_attrs =
sizeof (HARDWARE_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
num_cert_attrs =
sizeof (CERT_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
/*
* Get the list of objects class that might contain
* some attributes.
*/
for (i = 0; i < ulCount; i++) {
/*
* only check if this attribute can belong to public key object
* class if public key object isn't already in the list
*/
if (!pub_found) {
for (j = 0; j < num_pub_key_attrs; j++) {
if (pTemplate[i].type == PUB_KEY_ATTRS[j]) {
pub_found = B_TRUE;
pclasses[num_pclasses++] =
CKO_PUBLIC_KEY;
break;
}
}
}
if (!priv_found) {
for (j = 0; j < num_priv_key_attrs; j++) {
if (pTemplate[i].type == PRIV_KEY_ATTRS[j]) {
priv_found = B_TRUE;
pclasses[num_pclasses++] =
CKO_PRIVATE_KEY;
break;
}
}
}
if (!secret_found) {
for (j = 0; j < num_secret_key_attrs; j++) {
if (pTemplate[i].type == SECRET_KEY_ATTRS[j]) {
secret_found = B_TRUE;
pclasses[num_pclasses++] =
CKO_SECRET_KEY;
break;
}
}
}
if (!domain_found) {
for (j = 0; j < num_domain_attrs; j++) {
if (pTemplate[i].type == DOMAIN_ATTRS[j]) {
domain_found = B_TRUE;
pclasses[num_pclasses++] =
CKO_DOMAIN_PARAMETERS;
break;
}
}
}
if (!hardware_found) {
for (j = 0; j < num_hardware_attrs; j++) {
if (pTemplate[i].type == HARDWARE_ATTRS[j]) {
hardware_found = B_TRUE;
pclasses[num_pclasses++] =
CKO_HW_FEATURE;
break;
}
}
}
if (!cert_found) {
for (j = 0; j < num_cert_attrs; j++) {
if (pTemplate[i].type == CERT_ATTRS[j]) {
cert_found = B_TRUE;
pclasses[num_pclasses++] =
CKO_CERTIFICATE;
break;
}
}
}
}
*num_result_pclasses = num_pclasses;
}
boolean_t
kernel_find_match_attrs(kernel_object_t *obj, CK_OBJECT_CLASS *pclasses,
CK_ULONG num_pclasses, CK_ATTRIBUTE *template, CK_ULONG num_attr)
{
ulong_t i;
CK_ATTRIBUTE *tmpl_attr, *obj_attr;
uint64_t attr_mask;
biginteger_t *bigint;
boolean_t compare_attr, compare_bigint, compare_boolean;
/*
* Check if the class of this object match with any
* of object classes that can possibly contain the
* requested attributes.
*/
if (num_pclasses > 0) {
for (i = 0; i < num_pclasses; i++) {
if (obj->class == pclasses[i]) {
break;
}
}
if (i == num_pclasses) {
/*
* this object can't possibly contain one or
* more attributes, don't need to check this object
*/
return (B_FALSE);
}
}
/* need to examine everything */
for (i = 0; i < num_attr; i++) {
tmpl_attr = &(template[i]);
compare_attr = B_FALSE;
compare_bigint = B_FALSE;
compare_boolean = B_FALSE;
switch (tmpl_attr->type) {
/* First, check the most common attributes */
case CKA_CLASS:
if (*((CK_OBJECT_CLASS *)tmpl_attr->pValue) !=
obj->class) {
return (B_FALSE);
}
break;
case CKA_KEY_TYPE:
if (*((CK_KEY_TYPE *)tmpl_attr->pValue) !=
obj->key_type) {
return (B_FALSE);
}
break;
case CKA_ENCRYPT:
attr_mask = (obj->bool_attr_mask) & ENCRYPT_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_DECRYPT:
attr_mask = (obj->bool_attr_mask) & DECRYPT_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_WRAP:
attr_mask = (obj->bool_attr_mask) & WRAP_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_UNWRAP:
attr_mask = (obj->bool_attr_mask) & UNWRAP_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_SIGN:
attr_mask = (obj->bool_attr_mask) & SIGN_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_SIGN_RECOVER:
attr_mask = (obj->bool_attr_mask) &
SIGN_RECOVER_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_VERIFY:
attr_mask = (obj->bool_attr_mask) & VERIFY_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_VERIFY_RECOVER:
attr_mask = (obj->bool_attr_mask) &
VERIFY_RECOVER_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_DERIVE:
attr_mask = (obj->bool_attr_mask) & DERIVE_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_LOCAL:
attr_mask = (obj->bool_attr_mask) & LOCAL_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_SENSITIVE:
attr_mask = (obj->bool_attr_mask) & SENSITIVE_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_SECONDARY_AUTH:
attr_mask = (obj->bool_attr_mask) &
SECONDARY_AUTH_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_TRUSTED:
attr_mask = (obj->bool_attr_mask) & TRUSTED_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_EXTRACTABLE:
attr_mask = (obj->bool_attr_mask) &
EXTRACTABLE_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_ALWAYS_SENSITIVE:
attr_mask = (obj->bool_attr_mask) &
ALWAYS_SENSITIVE_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_NEVER_EXTRACTABLE:
attr_mask = (obj->bool_attr_mask) &
NEVER_EXTRACTABLE_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_TOKEN:
/*
* CKA_TOKEN value is not applicable to an object
* created in the library, it should only contain
* the default value FALSE
*/
attr_mask = 0;
compare_boolean = B_TRUE;
break;
case CKA_PRIVATE:
attr_mask = (obj->bool_attr_mask) & PRIVATE_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_MODIFIABLE:
attr_mask = (obj->bool_attr_mask) & MODIFIABLE_BOOL_ON;
compare_boolean = B_TRUE;
break;
case CKA_SUBJECT:
case CKA_ID:
case CKA_START_DATE:
case CKA_END_DATE:
case CKA_KEY_GEN_MECHANISM:
case CKA_LABEL:
/* find these attributes from extra_attrlistp */
obj_attr = get_extra_attr(tmpl_attr->type, obj);
compare_attr = B_TRUE;
break;
case CKA_VALUE_LEN:
/* only secret key has this attribute */
if (obj->class == CKO_SECRET_KEY) {
if (*((CK_ULONG *)tmpl_attr->pValue) !=
OBJ_SEC_VALUE_LEN(obj)) {
return (B_FALSE);
}
} else {
return (B_FALSE);
}
break;
case CKA_VALUE:
switch (obj->class) {
case CKO_SECRET_KEY:
/*
* secret_key_obj_t is the same as
* biginteger_t
*/
bigint = (biginteger_t *)OBJ_SEC(obj);
break;
case CKO_PRIVATE_KEY:
if (obj->key_type == CKK_DSA) {
bigint = OBJ_PRI_DSA_VALUE(obj);
} else {
return (B_FALSE);
}
break;
case CKO_PUBLIC_KEY:
if (obj->key_type == CKK_DSA) {
bigint = OBJ_PUB_DSA_VALUE(obj);
} else {
return (B_FALSE);
}
break;
default:
return (B_FALSE);
}
compare_bigint = B_TRUE;
break;
case CKA_MODULUS:
/* only RSA public and private key have this attr */
if (obj->key_type == CKK_RSA) {
if (obj->class == CKO_PUBLIC_KEY) {
bigint = OBJ_PUB_RSA_MOD(obj);
} else if (obj->class == CKO_PRIVATE_KEY) {
bigint = OBJ_PRI_RSA_MOD(obj);
} else {
return (B_FALSE);
}
compare_bigint = B_TRUE;
} else {
return (B_FALSE);
}
break;
case CKA_MODULUS_BITS:
/* only RSA public key has this attribute */
if ((obj->key_type == CKK_RSA) &&
(obj->class == CKO_PUBLIC_KEY)) {
CK_ULONG mod_bits = OBJ_PUB_RSA_MOD_BITS(obj);
if (mod_bits !=
*((CK_ULONG *)tmpl_attr->pValue)) {
return (B_FALSE);
}
} else {
return (B_FALSE);
}
break;
case CKA_PUBLIC_EXPONENT:
/* only RSA public and private key have this attr */
if (obj->key_type == CKK_RSA) {
if (obj->class == CKO_PUBLIC_KEY) {
bigint = OBJ_PUB_RSA_PUBEXPO(obj);
} else if (obj->class == CKO_PRIVATE_KEY) {
bigint = OBJ_PRI_RSA_PUBEXPO(obj);
} else {
return (B_FALSE);
}
compare_bigint = B_TRUE;
} else {
return (B_FALSE);
}
break;
case CKA_PRIVATE_EXPONENT:
/* only RSA private key has this attribute */
if ((obj->key_type == CKK_RSA) &&
(obj->class == CKO_PRIVATE_KEY)) {
bigint = OBJ_PRI_RSA_PRIEXPO(obj);
compare_bigint = B_TRUE;
} else {
return (B_FALSE);
}
break;
case CKA_PRIME_1:
/* only RSA private key has this attribute */
if ((obj->key_type == CKK_RSA) &&
(obj->class == CKO_PRIVATE_KEY)) {
bigint = OBJ_PRI_RSA_PRIME1(obj);
compare_bigint = B_TRUE;
} else {
return (B_FALSE);
}
break;
case CKA_PRIME_2:
/* only RSA private key has this attribute */
if ((obj->key_type == CKK_RSA) &&
(obj->class == CKO_PRIVATE_KEY)) {
bigint = OBJ_PRI_RSA_PRIME2(obj);
compare_bigint = B_TRUE;
} else {
return (B_FALSE);
}
break;
case CKA_EXPONENT_1:
/* only RSA private key has this attribute */
if ((obj->key_type == CKK_RSA) &&
(obj->class == CKO_PRIVATE_KEY)) {
bigint = OBJ_PRI_RSA_EXPO1(obj);
compare_bigint = B_TRUE;
} else {
return (B_FALSE);
}
break;
case CKA_EXPONENT_2:
/* only RSA private key has this attribute */
if ((obj->key_type == CKK_RSA) &&
(obj->class == CKO_PRIVATE_KEY)) {
bigint = OBJ_PRI_RSA_EXPO2(obj);
compare_bigint = B_TRUE;
} else {
return (B_FALSE);
}
break;
case CKA_COEFFICIENT:
/* only RSA private key has this attribute */
if ((obj->key_type == CKK_RSA) &&
(obj->class == CKO_PRIVATE_KEY)) {
bigint = OBJ_PRI_RSA_COEF(obj);
compare_bigint = B_TRUE;
} else {
return (B_FALSE);
}
break;
case CKA_VALUE_BITS:
return (B_FALSE);
case CKA_PRIME:
if (obj->class == CKO_PUBLIC_KEY) {
switch (obj->key_type) {
case CKK_DSA:
bigint = OBJ_PUB_DSA_PRIME(obj);
break;
default:
return (B_FALSE);
}
} else if (obj->class == CKO_PRIVATE_KEY) {
switch (obj->key_type) {
case CKK_DSA:
bigint = OBJ_PRI_DSA_PRIME(obj);
break;
default:
return (B_FALSE);
}
} else {
return (B_FALSE);
}
compare_bigint = B_TRUE;
break;
case CKA_SUBPRIME:
if (obj->class == CKO_PUBLIC_KEY) {
switch (obj->key_type) {
case CKK_DSA:
bigint = OBJ_PUB_DSA_SUBPRIME(obj);
break;
default:
return (B_FALSE);
}
} else if (obj->class == CKO_PRIVATE_KEY) {
switch (obj->key_type) {
case CKK_DSA:
bigint = OBJ_PRI_DSA_SUBPRIME(obj);
break;
default:
return (B_FALSE);
}
} else {
return (B_FALSE);
}
compare_bigint = B_TRUE;
break;
case CKA_BASE:
if (obj->class == CKO_PUBLIC_KEY) {
switch (obj->key_type) {
case CKK_DSA:
bigint = OBJ_PUB_DSA_BASE(obj);
break;
default:
return (B_FALSE);
}
} else if (obj->class == CKO_PRIVATE_KEY) {
switch (obj->key_type) {
case CKK_DSA:
bigint = OBJ_PRI_DSA_BASE(obj);
break;
default:
return (B_FALSE);
}
} else {
return (B_FALSE);
}
compare_bigint = B_TRUE;
break;
case CKA_PRIME_BITS:
return (B_FALSE);
case CKA_SUBPRIME_BITS:
return (B_FALSE);
default:
/*
* any other attributes are currently not supported.
* so, it's not possible for them to be in the
* object
*/
return (B_FALSE);
}
if (compare_boolean) {
CK_BBOOL bval;
if (attr_mask) {
bval = TRUE;
} else {
bval = FALSE;
}
if (bval != *((CK_BBOOL *)tmpl_attr->pValue)) {
return (B_FALSE);
}
} else if (compare_bigint) {
if (bigint == NULL) {
return (B_FALSE);
}
if (tmpl_attr->ulValueLen != bigint->big_value_len) {
return (B_FALSE);
}
if (memcmp(tmpl_attr->pValue, bigint->big_value,
tmpl_attr->ulValueLen) != 0) {
return (B_FALSE);
}
} else if (compare_attr) {
if (obj_attr == NULL) {
/*
* The attribute type is valid, and its value
* has not been initialized in the object. In
* this case, it only matches the template's
* attribute if the template's value length
* is 0.
*/
if (tmpl_attr->ulValueLen != 0)
return (B_FALSE);
} else {
if (tmpl_attr->ulValueLen !=
obj_attr->ulValueLen) {
return (B_FALSE);
}
if (memcmp(tmpl_attr->pValue, obj_attr->pValue,
tmpl_attr->ulValueLen) != 0) {
return (B_FALSE);
}
}
}
}
return (B_TRUE);
}
CK_ATTRIBUTE_PTR
get_extra_attr(CK_ATTRIBUTE_TYPE type, kernel_object_t *obj)
{
CK_ATTRIBUTE_INFO_PTR tmp;
tmp = obj->extra_attrlistp;
while (tmp != NULL) {
if (tmp->attr.type == type) {
return (&(tmp->attr));
}
tmp = tmp->next;
}
/* if get there, the specified attribute is not found */
return (NULL);
}