2N/A/*
2N/A * CDDL HEADER START
2N/A *
2N/A * The contents of this file are subject to the terms of the
2N/A * Common Development and Distribution License (the "License").
2N/A * You may not use this file except in compliance with the License.
2N/A *
2N/A * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2N/A * or http://www.opensolaris.org/os/licensing.
2N/A * See the License for the specific language governing permissions
2N/A * and limitations under the License.
2N/A *
2N/A * When distributing Covered Code, include this CDDL HEADER in each
2N/A * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2N/A * If applicable, add the following below this CDDL HEADER, with the
2N/A * fields enclosed by brackets "[]" replaced with your own identifying
2N/A * information: Portions Copyright [yyyy] [name of copyright owner]
2N/A *
2N/A * CDDL HEADER END
2N/A */
2N/A
2N/A/*
2N/A * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
2N/A */
2N/A
2N/A#ifndef _CRYPTOUTIL_H
2N/A#define _CRYPTOUTIL_H
2N/A
2N/A#ifdef __cplusplus
2N/Aextern "C" {
2N/A#endif
2N/A
2N/A#include <sys/types.h>
2N/A#include <syslog.h>
2N/A#include <security/cryptoki.h>
2N/A#include <sys/param.h>
2N/A#include <sys/paths.h>
2N/A
2N/A#define LOG_STDERR -1 /* cryptoerror() log to stderr, not syslog */
2N/A#define SUCCESS 0
2N/A#define FAILURE 1
2N/A#define MECH_ID_HEX_LEN 11 /* length of mechanism id in hex form */
2N/A
2N/A#define _PATH_PKCS11_CONF "/etc/crypto/pkcs11.conf"
2N/A#define _PATH_KCF_CONF "/etc/crypto/kcf.conf"
2N/A#define _PATH_KCFD_LOCK _PATH_SYSVOL "/kcfd.lock"
2N/A
2N/A/* $ISA substitution for parsing pkcs11.conf data */
2N/A#define PKCS11_ISA "/$ISA/"
2N/A#if defined(_LP64)
2N/A#if defined(__sparcv9)
2N/A#define PKCS11_ISA_DIR "/sparcv9/"
2N/A#elif defined(__amd64)
2N/A#define PKCS11_ISA_DIR "/amd64/"
2N/A#else
2N/A#define PKCS11_ISA_DIR "/64/"
2N/A#endif
2N/A#else /* 32-bit */
2N/A#define PKCS11_ISA_DIR "/"
2N/A#endif /* _LP64 */
2N/A
2N/A/* keywords and delimiters for parsing configuration files */
2N/A#define SEP_COLON ":"
2N/A#define SEP_SEMICOLON ";"
2N/A#define SEP_EQUAL "="
2N/A#define SEP_COMMA ","
2N/A#define METASLOT_KEYWORD "metaslot"
2N/A#define FIPS_KEYWORD "fips-140"
2N/A#define EF_DISABLED "disabledlist="
2N/A#define EF_ENABLED "enabledlist="
2N/A#define EF_NORANDOM "NO_RANDOM"
2N/A#define METASLOT_TOKEN "metaslot_token="
2N/A#define METASLOT_SLOT "metaslot_slot="
2N/A#define METASLOT_STATUS "metaslot_status="
2N/A#define EF_FIPS_STATUS "fips_status="
2N/A#define METASLOT_AUTO_KEY_MIGRATE "metaslot_auto_key_migrate="
2N/A#define ENABLED_KEYWORD "enabled"
2N/A#define DISABLED_KEYWORD "disabled"
2N/A#define SLOT_DESCRIPTION_SIZE 64
2N/A#define TOKEN_LABEL_SIZE 32
2N/A#define TOKEN_MANUFACTURER_SIZE 32
2N/A#define TOKEN_SERIAL_SIZE 16
2N/A#define CRYPTO_FIPS_MODE_DISABLED 0
2N/A#define CRYPTO_FIPS_MODE_ENABLED 1
2N/A
2N/A/*
2N/A * Define the following softtoken values that are used by softtoken
2N/A * library, cryptoadm and pktool command.
2N/A */
2N/A#define SOFT_SLOT_DESCRIPTION \
2N/A "Sun Crypto Softtoken " \
2N/A " "
2N/A#define SOFT_TOKEN_LABEL "Sun Software PKCS#11 softtoken "
2N/A#define SOFT_TOKEN_SERIAL " "
2N/A#define SOFT_MANUFACTURER_ID "Oracle Corporation "
2N/A#define SOFT_DEFAULT_PIN "changeme"
2N/A
2N/A#define METASLOT_TOKEN_LABEL "Sun Metaslot "
2N/A
2N/Atypedef char libname_t[MAXPATHLEN];
2N/Atypedef char midstr_t[MECH_ID_HEX_LEN];
2N/A
2N/Atypedef struct umechlist {
2N/A midstr_t name; /* mechanism name in hex form */
2N/A struct umechlist *next;
2N/A} umechlist_t;
2N/A
2N/Atypedef struct uentry {
2N/A libname_t name;
2N/A boolean_t flag_norandom; /* TRUE if random is disabled */
2N/A boolean_t flag_enabledlist; /* TRUE if an enabledlist */
2N/A umechlist_t *policylist; /* disabledlist or enabledlist */
2N/A boolean_t flag_metaslot_enabled; /* TRUE if metaslot's enabled */
2N/A boolean_t flag_metaslot_auto_key_migrate;
2N/A CK_UTF8CHAR metaslot_ks_slot[SLOT_DESCRIPTION_SIZE + 1];
2N/A CK_UTF8CHAR metaslot_ks_token[TOKEN_LABEL_SIZE + 1];
2N/A int count;
2N/A boolean_t flag_fips_enabled;
2N/A} uentry_t;
2N/A
2N/Atypedef struct uentrylist {
2N/A uentry_t *puent;
2N/A struct uentrylist *next;
2N/A} uentrylist_t;
2N/A
2N/A/* Return codes for pkcs11_parse_uri() */
2N/A#define PK11_URI_OK 0
2N/A#define PK11_URI_INVALID 1
2N/A#define PK11_MALLOC_ERROR 2
2N/A#define PK11_URI_VALUE_OVERFLOW 3
2N/A#define PK11_NOT_PKCS11_URI 4
2N/A
2N/A/*
2N/A * There is no limit for the attribute length in the spec. 256 bytes should be
2N/A * enough for the object name.
2N/A */
2N/A#define PK11_MAX_OBJECT_LEN 256
2N/A/*
2N/A * CKA_ID is of type "byte array" which can be of arbitrary length. 256 bytes
2N/A * should be sufficient though.
2N/A */
2N/A#define PK11_MAX_ID_LEN 256
2N/A
2N/A/* Maximum /etc/crypto/ configuration file line length */
2N/A#define CONFLINE_MAX_LEN 4096
2N/A
2N/A/* Structure for the PKCS#11 URI. */
2N/Atypedef struct pkcs11_uri_t {
2N/A /* CKA_LABEL attribute to the C_FindObjectsInit function. */
2N/A CK_UTF8CHAR_PTR object;
2N/A /*
2N/A * CKA_CLASS attribute to the C_FindObjectsInit function. The
2N/A * "objecttype" URI attribute can have a value one of "private",
2N/A * "public", "cert", "secretkey", and "data". The "objecttype" field can
2N/A * have a value of CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_CERTIFICATE,
2N/A * CKO_SECRET_KEY, and CKO_DATA. This attribute cannot be empty in the
2N/A * URI.
2N/A */
2N/A CK_ULONG objecttype;
2N/A /* CKO_DATA is 0 so we need this flag. Not part of the URI itself. */
2N/A boolean_t objecttype_present;
2N/A /*
2N/A * Token, manufacturer, serial and model are of fixed size length in
2N/A * the specification. We allocate memory on the fly to distinguish
2N/A * between an attribute not present and an empty value. We check for
2N/A * overflows. We always terminate the string with '\0' even when that is
2N/A * not used in the PKCS#11's CK_TOKEN_INFO structure (fields are padded
2N/A * with spaces).
2N/A */
2N/A /* Token label from CK_TOKEN_INFO. */
2N/A CK_UTF8CHAR_PTR token;
2N/A /* ManufacturerID from CK_TOKEN_INFO. */
2N/A CK_UTF8CHAR_PTR manuf;
2N/A /* SerialNumber from CK_TOKEN_INFO. */
2N/A CK_CHAR_PTR serial;
2N/A /* Model from CK_TOKEN_INFO. */
2N/A CK_UTF8CHAR_PTR model;
2N/A /* This is a byte array, we need a length parameter as well. */
2N/A CK_BYTE_PTR id;
2N/A int id_len;
2N/A /*
2N/A * Location of the file with a token PIN. Application can overload this,
2N/A * eg. "/bin/askpass|" may mean to read the PIN from a command. However,
2N/A * the pkcs11_parse_uri() function does not interpret this field in any
2N/A * way.
2N/A */
2N/A char *pinfile;
2N/A} pkcs11_uri_t;
2N/A
2N/Aextern void cryptodebug(const char *fmt, ...);
2N/Aextern void cryptoerror(int priority, const char *fmt, ...);
2N/Aextern void cryptodebug_init(const char *prefix);
2N/Aextern void cryptoerror_off(void);
2N/Aextern void cryptoerror_on(void);
2N/A
2N/Aextern const char *pkcs11_mech2str(CK_MECHANISM_TYPE mech);
2N/Aextern CK_RV pkcs11_str2mech(char *mech_str, CK_MECHANISM_TYPE_PTR mech);
2N/A
2N/Aextern int get_pkcs11conf_info(uentrylist_t **ppliblist);
2N/Aextern umechlist_t *create_umech(char *name);
2N/Aextern void free_umechlist(umechlist_t *plist);
2N/Aextern void free_uentrylist(uentrylist_t *entrylist);
2N/Aextern void free_uentry(uentry_t *pent);
2N/Aextern uentry_t *getent_uef(char *libname);
2N/A
2N/Aextern void tohexstr(uchar_t *bytes, size_t blen, char *hexstr, size_t hexlen);
2N/Aextern int hexstr_to_bytes(char *hexstr, size_t hexlen, uchar_t **bytes,
2N/A size_t *blen);
2N/Aextern CK_RV pkcs11_mech2keytype(CK_MECHANISM_TYPE mech_type,
2N/A CK_KEY_TYPE *ktype);
2N/Aextern CK_RV pkcs11_mech2keygen(CK_MECHANISM_TYPE mech_type,
2N/A CK_MECHANISM_TYPE *gen_mech);
2N/Aextern char *pkcs11_strerror(CK_RV rv);
2N/A
2N/Aextern int
2N/Aget_metaslot_info(boolean_t *status_enabled, boolean_t *migrate_enabled,
2N/A char **objectstore_slot_info, char **objectstore_token_info);
2N/A
2N/Aextern char *get_fullpath(char *dir, char *filepath);
2N/Aextern int str2lifetime(char *ltimestr, uint32_t *ltime);
2N/A
2N/Aextern char *pkcs11_default_token(void);
2N/Aextern int pkcs11_get_pass(char *token_name, char **pdata, size_t *psize,
2N/A size_t min_psize, boolean_t with_confirmation);
2N/A
2N/Aextern int pkcs11_seed_random(void *sbuf, size_t slen);
2N/Aextern int pkcs11_seed_urandom(void *sbuf, size_t slen);
2N/Aextern int pkcs11_get_random(void *dbuf, size_t dlen);
2N/Aextern int pkcs11_get_urandom(void *dbuf, size_t dlen);
2N/Aextern int pkcs11_get_nzero_random(void *dbuf, size_t dlen);
2N/Aextern int pkcs11_get_nzero_urandom(void *dbuf, size_t dlen);
2N/Aextern void pkcs11_close_random(void);
2N/Aextern void pkcs11_close_urandom(void);
2N/Aextern void pkcs11_close_random_seed(void);
2N/Aextern void pkcs11_close_urandom_seed(void);
2N/Aextern int pkcs11_read_data(char *filename, void **dbuf, size_t *dlen);
2N/A
2N/Aextern int open_nointr(const char *path, int oflag, ...);
2N/Aextern ssize_t readn_nointr(int fd, void *dbuf, size_t dlen);
2N/Aextern ssize_t writen_nointr(int fd, void *dbuf, size_t dlen);
2N/A
2N/Aextern int update_conf(char *conf_file, char *entry);
2N/A
2N/Aextern CK_RV get_fips_mode(int *mode);
2N/A
2N/Aextern int pkcs11_parse_uri(const char *str, pkcs11_uri_t *uri);
2N/Aextern void pkcs11_free_uri(pkcs11_uri_t *uri);
2N/A
2N/Aextern int memcmp_pad_max(void *d1, uint_t d1_len, void *d2,
2N/A uint_t d2_len, uint_t max_sz);
2N/A
2N/A#ifdef __cplusplus
2N/A}
2N/A#endif
2N/A
2N/A#endif /* _CRYPTOUTIL_H */