4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2012 Milan Jurik. All rights reserved.
25 * Copyright (c) 2018, Joyent, Inc.
30 #include <security/cryptoki.h>
31 #include <sys/crypto/common.h>
34 #include <blowfish_impl.h>
38 #include "softGlobal.h"
39 #include "softObject.h"
40 #include "softSession.h"
41 #include "softKeystore.h"
42 #include "softKeystoreUtil.h"
43 #include "softCrypt.h"
47 * This attribute table is used by the soft_lookup_attr()
48 * to validate the attributes.
50 CK_ATTRIBUTE_TYPE attr_map
[] = {
80 CKA_NEVER_EXTRACTABLE
,
94 * attributes that exists only in public key objects
95 * Note: some attributes may also exist in one or two
96 * other object classes, but they are also listed
97 * because not all object have them.
99 CK_ATTRIBUTE_TYPE PUB_KEY_ATTRS
[] =
119 * attributes that exists only in private key objects
120 * Note: some attributes may also exist in one or two
121 * other object classes, but they are also listed
122 * because not all object have them.
124 CK_ATTRIBUTE_TYPE PRIV_KEY_ATTRS
[] =
132 CKA_PRIVATE_EXPONENT
,
145 CKA_NEVER_EXTRACTABLE
,
146 CKA_ALWAYS_SENSITIVE
,
151 * attributes that exists only in secret key objects
152 * Note: some attributes may also exist in one or two
153 * other object classes, but they are also listed
154 * because not all object have them.
156 CK_ATTRIBUTE_TYPE SECRET_KEY_ATTRS
[] =
167 CKA_NEVER_EXTRACTABLE
,
172 * attributes that exists only in domain parameter objects
173 * Note: some attributes may also exist in one or two
174 * other object classes, but they are also listed
175 * because not all object have them.
177 CK_ATTRIBUTE_TYPE DOMAIN_ATTRS
[] =
188 * attributes that exists only in hardware feature objects
191 CK_ATTRIBUTE_TYPE HARDWARE_ATTRS
[] =
199 * attributes that exists only in certificate objects
201 CK_ATTRIBUTE_TYPE CERT_ATTRS
[] =
203 CKA_CERTIFICATE_TYPE
,
216 * Validate the attribute by using binary search algorithm.
219 soft_lookup_attr(CK_ATTRIBUTE_TYPE type
)
222 size_t lower
, middle
, upper
;
225 upper
= (sizeof (attr_map
) / sizeof (CK_ATTRIBUTE_TYPE
)) - 1;
227 while (lower
<= upper
) {
228 /* Always starts from middle. */
229 middle
= (lower
+ upper
) / 2;
231 if (type
> attr_map
[middle
]) {
232 /* Adjust the lower bound to upper half. */
237 if (type
== attr_map
[middle
]) {
242 if (type
< attr_map
[middle
]) {
243 /* Adjust the upper bound to lower half. */
249 /* Failed to find the matching attribute from the attribute table. */
250 return (CKR_ATTRIBUTE_TYPE_INVALID
);
255 * Validate the attribute by using the following search algorithm:
257 * 1) Search for the most frequently used attributes first.
258 * 2) If not found, search for the usage-purpose attributes - these
259 * attributes have dense set of values, therefore compiler will
260 * optimize it with a branch table and branch to the appropriate
262 * 3) If still not found, use binary search for the rest of the
263 * attributes in the attr_map[] table.
266 soft_validate_attr(CK_ATTRIBUTE_PTR
template, CK_ULONG ulAttrNum
,
267 CK_OBJECT_CLASS
*class)
273 for (i
= 0; i
< ulAttrNum
; i
++) {
274 /* First tier search */
275 switch (template[i
].type
) {
277 *class = *((CK_OBJECT_CLASS
*)template[i
].pValue
);
290 /* Second tier search */
291 switch (template[i
].type
) {
302 case CKA_SIGN_RECOVER
:
306 case CKA_VERIFY_RECOVER
:
311 /* Third tier search */
312 rv
= soft_lookup_attr(template[i
].type
);
324 cleanup_cert_attr(cert_attr_t
*attr
)
327 freezero(attr
->value
, attr
->length
);
334 copy_cert_attr(cert_attr_t
*src_attr
, cert_attr_t
**dest_attr
)
338 if (src_attr
== NULL
|| dest_attr
== NULL
)
339 return (CKR_HOST_MEMORY
);
341 if (src_attr
->value
== NULL
)
342 return (CKR_HOST_MEMORY
);
344 /* free memory if its already allocated */
345 if (*dest_attr
!= NULL
) {
346 cleanup_cert_attr(*dest_attr
);
348 *dest_attr
= malloc(sizeof (cert_attr_t
));
349 if (*dest_attr
== NULL
)
350 return (CKR_HOST_MEMORY
);
353 (*dest_attr
)->value
= NULL
;
354 (*dest_attr
)->length
= 0;
356 if (src_attr
->length
) {
357 (*dest_attr
)->value
= malloc(src_attr
->length
);
358 if ((*dest_attr
)->value
== NULL
) {
360 return (CKR_HOST_MEMORY
);
363 (void) memcpy((*dest_attr
)->value
, src_attr
->value
,
365 (*dest_attr
)->length
= src_attr
->length
;
372 soft_cleanup_cert_object(soft_object_t
*object_p
)
374 CK_CERTIFICATE_TYPE certtype
= object_p
->cert_type
;
376 if (object_p
->class != CKO_CERTIFICATE
||
377 OBJ_CERT(object_p
) == NULL
)
380 if (certtype
== CKC_X_509
) {
381 if (X509_CERT_SUBJECT(object_p
) != NULL
) {
382 cleanup_cert_attr(X509_CERT_SUBJECT(object_p
));
383 free(X509_CERT_SUBJECT(object_p
));
384 X509_CERT_SUBJECT(object_p
) = NULL
;
386 if (X509_CERT_VALUE(object_p
) != NULL
) {
387 cleanup_cert_attr(X509_CERT_VALUE(object_p
));
388 free(X509_CERT_VALUE(object_p
));
389 X509_CERT_VALUE(object_p
) = NULL
;
391 free(OBJ_CERT(object_p
));
392 } else if (certtype
== CKC_X_509_ATTR_CERT
) {
393 if (X509_ATTR_CERT_VALUE(object_p
) != NULL
) {
394 cleanup_cert_attr(X509_ATTR_CERT_VALUE(object_p
));
395 free(X509_ATTR_CERT_VALUE(object_p
));
396 X509_ATTR_CERT_VALUE(object_p
) = NULL
;
398 if (X509_ATTR_CERT_OWNER(object_p
) != NULL
) {
399 cleanup_cert_attr(X509_ATTR_CERT_OWNER(object_p
));
400 free(X509_ATTR_CERT_OWNER(object_p
));
401 X509_ATTR_CERT_OWNER(object_p
) = NULL
;
403 free(OBJ_CERT(object_p
));
408 * Clean up and release all the storage in the extra attribute list
412 soft_cleanup_extra_attr(soft_object_t
*object_p
)
415 CK_ATTRIBUTE_INFO_PTR extra_attr
;
416 CK_ATTRIBUTE_INFO_PTR tmp
;
418 extra_attr
= object_p
->extra_attrlistp
;
420 tmp
= extra_attr
->next
;
422 * All extra attributes in the extra attribute
423 * list have pValue points to the value of the
424 * attribute (with simple byte array type).
425 * Free the storage for the value of the attribute.
427 freezero(extra_attr
->attr
.pValue
,
428 extra_attr
->attr
.ulValueLen
);
430 /* Free the storage for the attribute_info struct. */
435 object_p
->extra_attrlistp
= NULL
;
440 * Create the attribute_info struct to hold the object's attribute,
441 * and add it to the extra attribute list of an object.
444 soft_add_extra_attr(CK_ATTRIBUTE_PTR
template, soft_object_t
*object_p
)
447 CK_ATTRIBUTE_INFO_PTR attrp
;
449 /* Allocate the storage for the attribute_info struct. */
450 attrp
= calloc(1, sizeof (attribute_info_t
));
452 return (CKR_HOST_MEMORY
);
455 /* Set up attribute_info struct. */
456 attrp
->attr
.type
= template->type
;
457 attrp
->attr
.ulValueLen
= template->ulValueLen
;
459 if ((template->pValue
!= NULL
) &&
460 (template->ulValueLen
> 0)) {
461 /* Allocate storage for the value of the attribute. */
462 attrp
->attr
.pValue
= malloc(template->ulValueLen
);
463 if (attrp
->attr
.pValue
== NULL
) {
465 return (CKR_HOST_MEMORY
);
468 (void) memcpy(attrp
->attr
.pValue
, template->pValue
,
469 template->ulValueLen
);
471 attrp
->attr
.pValue
= NULL
;
474 /* Insert the new attribute in front of extra attribute list. */
475 if (object_p
->extra_attrlistp
== NULL
) {
476 object_p
->extra_attrlistp
= attrp
;
479 attrp
->next
= object_p
->extra_attrlistp
;
480 object_p
->extra_attrlistp
= attrp
;
487 soft_copy_certificate(certificate_obj_t
*oldcert
, certificate_obj_t
**newcert
,
488 CK_CERTIFICATE_TYPE type
)
491 certificate_obj_t
*cert
;
493 x509_attr_cert_t x509_attr
;
495 cert
= calloc(1, sizeof (certificate_obj_t
));
497 return (CKR_HOST_MEMORY
);
500 if (type
== CKC_X_509
) {
501 x509
= oldcert
->cert_type_u
.x509
;
503 if ((rv
= copy_cert_attr(x509
.subject
,
504 &cert
->cert_type_u
.x509
.subject
)))
507 if ((rv
= copy_cert_attr(x509
.value
,
508 &cert
->cert_type_u
.x509
.value
)))
510 } else if (type
== CKC_X_509_ATTR_CERT
) {
511 x509_attr
= oldcert
->cert_type_u
.x509_attr
;
513 if ((rv
= copy_cert_attr(x509_attr
.owner
,
514 &cert
->cert_type_u
.x509_attr
.owner
)))
517 if ((rv
= copy_cert_attr(x509_attr
.value
,
518 &cert
->cert_type_u
.x509_attr
.value
)))
521 /* wrong certificate type */
522 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
530 * Copy the attribute_info struct from the old object to a new attribute_info
531 * struct, and add that new struct to the extra attribute list of the new
535 soft_copy_extra_attr(CK_ATTRIBUTE_INFO_PTR old_attrp
, soft_object_t
*object_p
)
537 CK_ATTRIBUTE_INFO_PTR attrp
;
539 /* Allocate attribute_info struct. */
540 attrp
= calloc(1, sizeof (attribute_info_t
));
542 return (CKR_HOST_MEMORY
);
545 attrp
->attr
.type
= old_attrp
->attr
.type
;
546 attrp
->attr
.ulValueLen
= old_attrp
->attr
.ulValueLen
;
548 if ((old_attrp
->attr
.pValue
!= NULL
) &&
549 (old_attrp
->attr
.ulValueLen
> 0)) {
550 attrp
->attr
.pValue
= malloc(old_attrp
->attr
.ulValueLen
);
551 if (attrp
->attr
.pValue
== NULL
) {
553 return (CKR_HOST_MEMORY
);
556 (void) memcpy(attrp
->attr
.pValue
, old_attrp
->attr
.pValue
,
557 old_attrp
->attr
.ulValueLen
);
559 attrp
->attr
.pValue
= NULL
;
562 /* Insert the new attribute in front of extra attribute list */
563 if (object_p
->extra_attrlistp
== NULL
) {
564 object_p
->extra_attrlistp
= attrp
;
567 attrp
->next
= object_p
->extra_attrlistp
;
568 object_p
->extra_attrlistp
= attrp
;
576 * Get the attribute triple from the extra attribute list in the object
577 * (if the specified attribute type is found), and copy it to a template.
578 * Note the type of the attribute to be copied is specified by the template,
579 * and the storage is pre-allocated for the atrribute value in the template
580 * for doing the copy.
583 get_extra_attr_from_object(soft_object_t
*object_p
, CK_ATTRIBUTE_PTR
template)
586 CK_ATTRIBUTE_INFO_PTR extra_attr
;
587 CK_ATTRIBUTE_TYPE type
= template->type
;
589 extra_attr
= object_p
->extra_attrlistp
;
592 if (type
== extra_attr
->attr
.type
) {
596 /* Does not match, try next one. */
597 extra_attr
= extra_attr
->next
;
601 if (extra_attr
== NULL
) {
602 /* A valid but un-initialized attribute. */
603 template->ulValueLen
= 0;
608 * We found the attribute in the extra attribute list.
610 if (template->pValue
== NULL
) {
611 template->ulValueLen
= extra_attr
->attr
.ulValueLen
;
615 if (template->ulValueLen
>= extra_attr
->attr
.ulValueLen
) {
617 * The buffer provided by the application is large
618 * enough to hold the value of the attribute.
620 (void) memcpy(template->pValue
, extra_attr
->attr
.pValue
,
621 extra_attr
->attr
.ulValueLen
);
622 template->ulValueLen
= extra_attr
->attr
.ulValueLen
;
626 * The buffer provided by the application does
627 * not have enough space to hold the value.
629 template->ulValueLen
= (CK_ULONG
)-1;
630 return (CKR_BUFFER_TOO_SMALL
);
636 * Modify the attribute triple in the extra attribute list of the object
637 * if the specified attribute type is found. Otherwise, just add it to
641 set_extra_attr_to_object(soft_object_t
*object_p
, CK_ATTRIBUTE_TYPE type
,
642 CK_ATTRIBUTE_PTR
template)
645 CK_ATTRIBUTE_INFO_PTR extra_attr
;
647 extra_attr
= object_p
->extra_attrlistp
;
650 if (type
== extra_attr
->attr
.type
) {
654 /* Does not match, try next one. */
655 extra_attr
= extra_attr
->next
;
659 if (extra_attr
== NULL
) {
661 * This attribute is a new one, go ahead adding it to
662 * the extra attribute list.
664 return (soft_add_extra_attr(template, object_p
));
667 /* We found the attribute in the extra attribute list. */
668 if ((template->pValue
!= NULL
) &&
669 (template->ulValueLen
> 0)) {
670 if (template->ulValueLen
> extra_attr
->attr
.ulValueLen
) {
671 /* The old buffer is too small to hold the new value. */
672 /* Free storage for the old attribute value. */
673 freezero(extra_attr
->attr
.pValue
,
674 extra_attr
->attr
.ulValueLen
);
676 /* Allocate storage for the new attribute value. */
677 extra_attr
->attr
.pValue
= malloc(template->ulValueLen
);
678 if (extra_attr
->attr
.pValue
== NULL
) {
679 return (CKR_HOST_MEMORY
);
683 /* Replace the attribute with new value. */
684 extra_attr
->attr
.ulValueLen
= template->ulValueLen
;
685 (void) memcpy(extra_attr
->attr
.pValue
, template->pValue
,
686 template->ulValueLen
);
688 extra_attr
->attr
.pValue
= NULL
;
696 * Copy the big integer attribute value from template to a biginteger_t struct.
699 get_bigint_attr_from_template(biginteger_t
*big
, CK_ATTRIBUTE_PTR
template)
702 if ((template->pValue
!= NULL
) &&
703 (template->ulValueLen
> 0)) {
704 /* Allocate storage for the value of the attribute. */
705 big
->big_value
= malloc(template->ulValueLen
);
706 if (big
->big_value
== NULL
) {
707 return (CKR_HOST_MEMORY
);
710 (void) memcpy(big
->big_value
, template->pValue
,
711 template->ulValueLen
);
712 big
->big_value_len
= template->ulValueLen
;
714 big
->big_value
= NULL
;
715 big
->big_value_len
= 0;
723 * Copy the big integer attribute value from a biginteger_t struct in the
724 * object to a template.
727 get_bigint_attr_from_object(biginteger_t
*big
, CK_ATTRIBUTE_PTR
template)
730 if (template->pValue
== NULL
) {
731 template->ulValueLen
= big
->big_value_len
;
735 if (big
->big_value
== NULL
) {
736 template->ulValueLen
= 0;
740 if (template->ulValueLen
>= big
->big_value_len
) {
742 * The buffer provided by the application is large
743 * enough to hold the value of the attribute.
745 (void) memcpy(template->pValue
, big
->big_value
,
747 template->ulValueLen
= big
->big_value_len
;
751 * The buffer provided by the application does
752 * not have enough space to hold the value.
754 template->ulValueLen
= (CK_ULONG
)-1;
755 return (CKR_BUFFER_TOO_SMALL
);
761 * Copy the boolean data type attribute value from an object for the
762 * specified attribute to the template.
765 get_bool_attr_from_object(soft_object_t
*object_p
, CK_ULONG bool_flag
,
766 CK_ATTRIBUTE_PTR
template)
769 if (template->pValue
== NULL
) {
770 template->ulValueLen
= sizeof (CK_BBOOL
);
774 if (template->ulValueLen
>= sizeof (CK_BBOOL
)) {
776 * The buffer provided by the application is large
777 * enough to hold the value of the attribute.
779 if (object_p
->bool_attr_mask
& bool_flag
) {
780 *((CK_BBOOL
*)template->pValue
) = B_TRUE
;
782 *((CK_BBOOL
*)template->pValue
) = B_FALSE
;
785 template->ulValueLen
= sizeof (CK_BBOOL
);
789 * The buffer provided by the application does
790 * not have enough space to hold the value.
792 template->ulValueLen
= (CK_ULONG
)-1;
793 return (CKR_BUFFER_TOO_SMALL
);
798 * Set the boolean data type attribute value in the object.
801 set_bool_attr_to_object(soft_object_t
*object_p
, CK_ULONG bool_flag
,
802 CK_ATTRIBUTE_PTR
template)
805 if (*(CK_BBOOL
*)template->pValue
)
806 object_p
->bool_attr_mask
|= bool_flag
;
808 object_p
->bool_attr_mask
&= ~bool_flag
;
815 * Copy the CK_ULONG data type attribute value from an object to the
819 get_ulong_attr_from_object(CK_ULONG value
, CK_ATTRIBUTE_PTR
template)
822 if (template->pValue
== NULL
) {
823 template->ulValueLen
= sizeof (CK_ULONG
);
827 if (template->ulValueLen
>= sizeof (CK_ULONG
)) {
829 * The buffer provided by the application is large
830 * enough to hold the value of the attribute.
831 * It is also assumed to be correctly aligned.
833 *(CK_ULONG_PTR
)template->pValue
= value
;
834 template->ulValueLen
= sizeof (CK_ULONG
);
838 * The buffer provided by the application does
839 * not have enough space to hold the value.
841 template->ulValueLen
= (CK_ULONG
)-1;
842 return (CKR_BUFFER_TOO_SMALL
);
848 * Copy the CK_ULONG data type attribute value from a template to the
852 get_ulong_attr_from_template(CK_ULONG
*value
, CK_ATTRIBUTE_PTR
template)
855 if (template->ulValueLen
< sizeof (CK_ULONG
))
856 return (CKR_ATTRIBUTE_VALUE_INVALID
);
858 if (template->pValue
!= NULL
) {
859 *value
= *(CK_ULONG_PTR
)template->pValue
;
868 * Copy the big integer attribute value from source's biginteger_t to
869 * destination's biginteger_t.
872 copy_bigint_attr(biginteger_t
*src
, biginteger_t
*dst
)
875 if ((src
->big_value
!= NULL
) &&
876 (src
->big_value_len
> 0)) {
878 * To do the copy, just have dst's big_value points
881 dst
->big_value
= src
->big_value
;
882 dst
->big_value_len
= src
->big_value_len
;
885 * After the copy, nullify the src's big_value pointer.
886 * It prevents any double freeing the value.
888 src
->big_value
= NULL
;
889 src
->big_value_len
= 0;
891 dst
->big_value
= NULL
;
892 dst
->big_value_len
= 0;
897 get_string_from_template(CK_ATTRIBUTE_PTR dest
, CK_ATTRIBUTE_PTR src
)
899 if ((src
->pValue
!= NULL
) &&
900 (src
->ulValueLen
> 0)) {
901 /* Allocate storage for the value of the attribute. */
902 dest
->pValue
= malloc(src
->ulValueLen
);
903 if (dest
->pValue
== NULL
) {
904 return (CKR_HOST_MEMORY
);
907 (void) memcpy(dest
->pValue
, src
->pValue
,
909 dest
->ulValueLen
= src
->ulValueLen
;
910 dest
->type
= src
->type
;
913 dest
->ulValueLen
= 0;
914 dest
->type
= src
->type
;
922 get_cert_attr_from_template(cert_attr_t
**dest
, CK_ATTRIBUTE_PTR src
)
924 if (src
->pValue
!= NULL
&& src
->ulValueLen
> 0) {
926 * If the attribute was already set, clear out the
927 * existing value and release the memory.
930 cleanup_cert_attr(*dest
);
932 *dest
= malloc(sizeof (cert_attr_t
));
934 return (CKR_HOST_MEMORY
);
936 (void) memset(*dest
, 0, sizeof (cert_attr_t
));
938 (*dest
)->value
= malloc(src
->ulValueLen
);
939 if ((*dest
)->value
== NULL
) {
942 return (CKR_HOST_MEMORY
);
944 (void) memcpy((*dest
)->value
, src
->pValue
, src
->ulValueLen
);
945 (*dest
)->length
= src
->ulValueLen
;
952 * Copy the certificate attribute information to the template.
953 * If the template attribute is not big enough, set the ulValueLen=-1
954 * and return CKR_BUFFER_TOO_SMALL.
957 get_cert_attr_from_object(cert_attr_t
*src
, CK_ATTRIBUTE_PTR
template)
959 if (template->pValue
== NULL
) {
960 template->ulValueLen
= src
->length
;
962 } else if (template->ulValueLen
>= src
->length
) {
964 * The buffer provided by the application is large
965 * enough to hold the value of the attribute.
967 (void) memcpy(template->pValue
, src
->value
, src
->length
);
968 template->ulValueLen
= src
->length
;
972 * The buffer provided by the application does
973 * not have enough space to hold the value.
975 template->ulValueLen
= (CK_ULONG
)-1;
976 return (CKR_BUFFER_TOO_SMALL
);
981 string_attr_cleanup(CK_ATTRIBUTE_PTR
template)
983 freezero(template->pValue
, template->ulValueLen
);
984 template->pValue
= NULL
;
985 template->ulValueLen
= 0;
989 * Release the storage allocated for object attribute with big integer
993 bigint_attr_cleanup(biginteger_t
*big
)
999 freezero(big
->big_value
, big
->big_value_len
);
1000 big
->big_value
= NULL
;
1001 big
->big_value_len
= 0;
1006 * Clean up and release all the storage allocated to hold the big integer
1007 * attributes associated with the type (i.e. class) of the object. Also,
1008 * release the storage allocated to the type of the object.
1011 soft_cleanup_object_bigint_attrs(soft_object_t
*object_p
)
1014 CK_OBJECT_CLASS
class = object_p
->class;
1015 CK_KEY_TYPE keytype
= object_p
->key_type
;
1019 case CKO_PUBLIC_KEY
:
1020 if (OBJ_PUB(object_p
)) {
1023 bigint_attr_cleanup(OBJ_PUB_RSA_MOD(
1025 bigint_attr_cleanup(OBJ_PUB_RSA_PUBEXPO(
1030 bigint_attr_cleanup(OBJ_PUB_DSA_PRIME(
1032 bigint_attr_cleanup(OBJ_PUB_DSA_SUBPRIME(
1034 bigint_attr_cleanup(OBJ_PUB_DSA_BASE(
1036 bigint_attr_cleanup(OBJ_PUB_DSA_VALUE(
1041 bigint_attr_cleanup(OBJ_PUB_DH_PRIME(
1043 bigint_attr_cleanup(OBJ_PUB_DH_BASE(
1045 bigint_attr_cleanup(OBJ_PUB_DH_VALUE(
1050 bigint_attr_cleanup(OBJ_PUB_DH942_PRIME(
1052 bigint_attr_cleanup(OBJ_PUB_DH942_BASE(
1054 bigint_attr_cleanup(OBJ_PUB_DH942_SUBPRIME(
1056 bigint_attr_cleanup(OBJ_PUB_DH942_VALUE(
1060 bigint_attr_cleanup(OBJ_PUB_EC_POINT(
1065 /* Release Public Key Object struct */
1066 free(OBJ_PUB(object_p
));
1067 OBJ_PUB(object_p
) = NULL
;
1071 case CKO_PRIVATE_KEY
:
1072 if (OBJ_PRI(object_p
)) {
1075 bigint_attr_cleanup(OBJ_PRI_RSA_MOD(
1077 bigint_attr_cleanup(OBJ_PRI_RSA_PUBEXPO(
1079 bigint_attr_cleanup(OBJ_PRI_RSA_PRIEXPO(
1081 bigint_attr_cleanup(OBJ_PRI_RSA_PRIME1(
1083 bigint_attr_cleanup(OBJ_PRI_RSA_PRIME2(
1085 bigint_attr_cleanup(OBJ_PRI_RSA_EXPO1(
1087 bigint_attr_cleanup(OBJ_PRI_RSA_EXPO2(
1089 bigint_attr_cleanup(OBJ_PRI_RSA_COEF(
1094 bigint_attr_cleanup(OBJ_PRI_DSA_PRIME(
1096 bigint_attr_cleanup(OBJ_PRI_DSA_SUBPRIME(
1098 bigint_attr_cleanup(OBJ_PRI_DSA_BASE(
1100 bigint_attr_cleanup(OBJ_PRI_DSA_VALUE(
1105 bigint_attr_cleanup(OBJ_PRI_DH_PRIME(
1107 bigint_attr_cleanup(OBJ_PRI_DH_BASE(
1109 bigint_attr_cleanup(OBJ_PRI_DH_VALUE(
1114 bigint_attr_cleanup(OBJ_PRI_DH942_PRIME(
1116 bigint_attr_cleanup(OBJ_PRI_DH942_BASE(
1118 bigint_attr_cleanup(OBJ_PRI_DH942_SUBPRIME(
1120 bigint_attr_cleanup(OBJ_PRI_DH942_VALUE(
1125 bigint_attr_cleanup(OBJ_PRI_EC_VALUE(
1130 /* Release Private Key Object struct. */
1131 free(OBJ_PRI(object_p
));
1132 OBJ_PRI(object_p
) = NULL
;
1136 case CKO_SECRET_KEY
:
1137 if (OBJ_SEC(object_p
)) {
1138 /* cleanup key data area */
1139 if (OBJ_SEC_VALUE(object_p
) != NULL
&&
1140 OBJ_SEC_VALUE_LEN(object_p
) > 0) {
1141 freezero(OBJ_SEC_VALUE(object_p
),
1142 OBJ_SEC_VALUE_LEN(object_p
));
1144 /* cleanup key schedule data area */
1145 if (OBJ_KEY_SCHED(object_p
) != NULL
&&
1146 OBJ_KEY_SCHED_LEN(object_p
) > 0) {
1147 freezero(OBJ_KEY_SCHED(object_p
),
1148 OBJ_KEY_SCHED_LEN(object_p
));
1151 /* Release Secret Key Object struct. */
1152 free(OBJ_SEC(object_p
));
1153 OBJ_SEC(object_p
) = NULL
;
1157 case CKO_DOMAIN_PARAMETERS
:
1158 if (OBJ_DOM(object_p
)) {
1161 bigint_attr_cleanup(OBJ_DOM_DSA_PRIME(
1163 bigint_attr_cleanup(OBJ_DOM_DSA_SUBPRIME(
1165 bigint_attr_cleanup(OBJ_DOM_DSA_BASE(
1170 bigint_attr_cleanup(OBJ_DOM_DH_PRIME(
1172 bigint_attr_cleanup(OBJ_DOM_DH_BASE(
1177 bigint_attr_cleanup(OBJ_DOM_DH942_PRIME(
1179 bigint_attr_cleanup(OBJ_DOM_DH942_BASE(
1181 bigint_attr_cleanup(OBJ_DOM_DH942_SUBPRIME(
1186 /* Release Domain Parameters Object struct. */
1187 free(OBJ_DOM(object_p
));
1188 OBJ_DOM(object_p
) = NULL
;
1196 * Parse the common attributes. Return to caller with appropriate return
1197 * value to indicate if the supplied template specifies a valid attribute
1198 * with a valid value.
1201 soft_parse_common_attrs(CK_ATTRIBUTE_PTR
template, uchar_t
*object_type
)
1206 switch (template->type
) {
1210 /* default boolean attributes */
1212 if ((*(CK_BBOOL
*)template->pValue
) == B_TRUE
) {
1213 if (!soft_keystore_status(KEYSTORE_INITIALIZED
))
1214 return (CKR_DEVICE_REMOVED
);
1215 *object_type
|= TOKEN_OBJECT
;
1220 if ((*(CK_BBOOL
*)template->pValue
) == B_TRUE
) {
1221 (void) pthread_mutex_lock(&soft_giant_mutex
);
1222 if (!soft_slot
.authenticated
) {
1224 * Check if this is the special case when
1225 * the PIN is never initialized in the keystore.
1226 * If true, we will let it pass here and let
1227 * it fail with CKR_PIN_EXPIRED later on.
1229 if (!soft_slot
.userpin_change_needed
) {
1230 (void) pthread_mutex_unlock(
1232 return (CKR_USER_NOT_LOGGED_IN
);
1235 (void) pthread_mutex_unlock(&soft_giant_mutex
);
1236 *object_type
|= PRIVATE_OBJECT
;
1244 rv
= CKR_TEMPLATE_INCONSISTENT
;
1252 * Build a Public Key Object.
1254 * - Parse the object's template, and when an error is detected such as
1255 * invalid attribute type, invalid attribute value, etc., return
1256 * with appropriate return value.
1257 * - Set up attribute mask field in the object for the supplied common
1258 * attributes that have boolean type.
1259 * - Build the attribute_info struct to hold the value of each supplied
1260 * attribute that has byte array type. Link attribute_info structs
1261 * together to form the extra attribute list of the object.
1262 * - Allocate storage for the Public Key object.
1263 * - Build the Public Key object according to the key type. Allocate
1264 * storage to hold the big integer value for the supplied attributes
1265 * that are required for a certain key type.
1269 soft_build_public_key_object(CK_ATTRIBUTE_PTR
template, CK_ULONG ulAttrNum
,
1270 soft_object_t
*new_object
, CK_ULONG mode
, CK_KEY_TYPE key_type
)
1274 CK_KEY_TYPE keytype
= (CK_KEY_TYPE
)~0UL;
1275 uint64_t attr_mask
= PUBLIC_KEY_DEFAULT
;
1278 /* Must set flags */
1287 /* Must not set flags */
1288 int isModulusBits
= 0;
1289 CK_ULONG modulus_bits
= 0;
1291 biginteger_t modulus
;
1292 biginteger_t pubexpo
;
1294 biginteger_t subprime
;
1298 CK_ATTRIBUTE string_tmp
;
1299 CK_ATTRIBUTE param_tmp
;
1301 public_key_obj_t
*pbk
;
1302 uchar_t object_type
= 0;
1304 CK_ATTRIBUTE defpubexpo
= { CKA_PUBLIC_EXPONENT
,
1305 (CK_BYTE_PTR
)DEFAULT_PUB_EXPO
, DEFAULT_PUB_EXPO_Len
};
1309 /* prevent bigint_attr_cleanup from freeing invalid attr value */
1310 (void) memset(&modulus
, 0x0, sizeof (biginteger_t
));
1311 (void) memset(&pubexpo
, 0x0, sizeof (biginteger_t
));
1312 (void) memset(&prime
, 0x0, sizeof (biginteger_t
));
1313 (void) memset(&subprime
, 0x0, sizeof (biginteger_t
));
1314 (void) memset(&base
, 0x0, sizeof (biginteger_t
));
1315 (void) memset(&value
, 0x0, sizeof (biginteger_t
));
1316 (void) memset(&point
, 0x0, sizeof (biginteger_t
));
1317 string_tmp
.pValue
= NULL
;
1318 param_tmp
.pValue
= NULL
;
1320 for (i
= 0; i
< ulAttrNum
; i
++) {
1322 /* Public Key Object Attributes */
1323 switch (template[i
].type
) {
1325 /* common key attributes */
1327 keytype
= *((CK_KEY_TYPE
*)template[i
].pValue
);
1331 case CKA_START_DATE
:
1334 /* common public key attribute */
1337 * Allocate storage to hold the attribute
1338 * value with byte array type, and add it to
1339 * the extra attribute list of the object.
1341 rv
= soft_add_extra_attr(&template[i
],
1349 * The following key related attribute types must
1350 * not be specified by C_CreateObject, C_GenerateKey(Pair).
1353 case CKA_KEY_GEN_MECHANISM
:
1354 rv
= CKR_TEMPLATE_INCONSISTENT
;
1357 /* Key related boolean attributes */
1359 if (*(CK_BBOOL
*)template[i
].pValue
)
1360 attr_mask
|= DERIVE_BOOL_ON
;
1364 if (*(CK_BBOOL
*)template[i
].pValue
)
1365 attr_mask
|= ENCRYPT_BOOL_ON
;
1367 attr_mask
&= ~ENCRYPT_BOOL_ON
;
1371 if (*(CK_BBOOL
*)template[i
].pValue
)
1372 attr_mask
|= VERIFY_BOOL_ON
;
1374 attr_mask
&= ~VERIFY_BOOL_ON
;
1377 case CKA_VERIFY_RECOVER
:
1378 if (*(CK_BBOOL
*)template[i
].pValue
)
1379 attr_mask
|= VERIFY_RECOVER_BOOL_ON
;
1381 attr_mask
&= ~VERIFY_RECOVER_BOOL_ON
;
1385 if (*(CK_BBOOL
*)template[i
].pValue
)
1386 attr_mask
|= WRAP_BOOL_ON
;
1388 attr_mask
&= ~WRAP_BOOL_ON
;
1392 if (*(CK_BBOOL
*)template[i
].pValue
)
1393 attr_mask
|= TRUSTED_BOOL_ON
;
1396 case CKA_MODIFIABLE
:
1397 if ((*(CK_BBOOL
*)template[i
].pValue
) == B_FALSE
)
1398 attr_mask
|= NOT_MODIFIABLE_BOOL_ON
;
1402 * The following key related attribute types must
1403 * be specified according to the key type by
1410 * Copyin big integer attribute from template
1411 * to a local variable.
1413 rv
= get_bigint_attr_from_template(&modulus
,
1419 * Modulus length needs to be between min key length and
1422 if ((modulus
.big_value_len
<
1423 MIN_RSA_KEYLENGTH_IN_BYTES
) ||
1424 (modulus
.big_value_len
>
1425 MAX_RSA_KEYLENGTH_IN_BYTES
)) {
1426 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
1431 case CKA_PUBLIC_EXPONENT
:
1433 rv
= get_bigint_attr_from_template(&pubexpo
,
1441 rv
= get_bigint_attr_from_template(&prime
,
1449 rv
= get_bigint_attr_from_template(&subprime
,
1457 rv
= get_bigint_attr_from_template(&base
,
1465 if (mode
== SOFT_CREATE_OBJ
) {
1466 if ((template[i
].ulValueLen
== 0) ||
1467 (template[i
].pValue
== NULL
)) {
1468 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
1473 rv
= get_bigint_attr_from_template(&value
,
1479 case CKA_MODULUS_BITS
:
1481 rv
= get_ulong_attr_from_template(&modulus_bits
,
1489 rv
= get_string_from_template(&string_tmp
,
1497 rv
= get_string_from_template(¶m_tmp
, &template[i
]);
1504 rv
= get_bigint_attr_from_template(&point
,
1511 rv
= soft_parse_common_attrs(&template[i
],
1519 /* Allocate storage for Public Key Object. */
1520 pbk
= calloc(1, sizeof (public_key_obj_t
));
1522 rv
= CKR_HOST_MEMORY
;
1526 new_object
->object_class_u
.public_key
= pbk
;
1527 new_object
->class = CKO_PUBLIC_KEY
;
1529 if ((mode
== SOFT_CREATE_OBJ
) && (keytype
== (CK_KEY_TYPE
)~0UL)) {
1530 rv
= CKR_TEMPLATE_INCOMPLETE
;
1534 if ((mode
== SOFT_GEN_KEY
) && (keytype
== (CK_KEY_TYPE
)~0UL)) {
1538 if ((mode
== SOFT_GEN_KEY
) && (keytype
!= key_type
)) {
1540 * The key type specified in the template does not
1541 * match the implied key type based on the mechanism.
1543 rv
= CKR_TEMPLATE_INCONSISTENT
;
1547 new_object
->key_type
= keytype
;
1549 /* Supported key types of the Public Key Object */
1553 if (mode
== SOFT_CREATE_OBJ
) {
1554 if (isModulusBits
|| isPrime
|| isSubprime
||
1555 isBase
|| isValue
) {
1556 rv
= CKR_TEMPLATE_INCONSISTENT
;
1560 if (isModulus
&& isPubExpo
) {
1562 * Derive modulus_bits attribute from modulus.
1563 * Save modulus_bits integer value to the
1564 * designated place in the public key object.
1567 if (big_init(&n
, CHARLEN2BIGNUMLEN(
1568 modulus
.big_value_len
)) != BIG_OK
) {
1569 rv
= CKR_HOST_MEMORY
;
1573 bytestring2bignum(&n
, modulus
.big_value
,
1574 modulus
.big_value_len
);
1576 modulus_bits
= big_bitlength(&n
);
1577 KEY_PUB_RSA_MOD_BITS(pbk
) = modulus_bits
;
1581 * After modulus_bits has been computed,
1582 * it is safe to move modulus and pubexpo
1583 * big integer attribute value to the
1584 * designated place in the public key object.
1586 copy_bigint_attr(&modulus
,
1587 KEY_PUB_RSA_MOD(pbk
));
1589 copy_bigint_attr(&pubexpo
,
1590 KEY_PUB_RSA_PUBEXPO(pbk
));
1592 rv
= CKR_TEMPLATE_INCOMPLETE
;
1596 /* mode is SOFT_GEN_KEY */
1598 if (isModulus
|| isPrime
|| isSubprime
||
1599 isBase
|| isValue
) {
1600 rv
= CKR_TEMPLATE_INCONSISTENT
;
1605 if (isModulusBits
) {
1607 * Copy big integer attribute value to the
1608 * designated place in the public key object.
1610 KEY_PUB_RSA_MOD_BITS(pbk
) = modulus_bits
;
1612 rv
= CKR_TEMPLATE_INCOMPLETE
;
1617 * Use PKCS#11 default 0x010001 for public exponent
1618 * if not not specified in attribute template.
1622 rv
= get_bigint_attr_from_template(&pubexpo
,
1628 * Copy big integer attribute value to the
1629 * designated place in the public key object.
1631 copy_bigint_attr(&pubexpo
, KEY_PUB_RSA_PUBEXPO(pbk
));
1637 if (mode
== SOFT_CREATE_OBJ
) {
1638 if (isModulusBits
|| isModulus
|| isPubExpo
) {
1639 rv
= CKR_TEMPLATE_INCONSISTENT
;
1643 if (isPrime
&& isSubprime
&& isBase
&& isValue
) {
1644 copy_bigint_attr(&value
,
1645 KEY_PUB_DSA_VALUE(pbk
));
1647 rv
= CKR_TEMPLATE_INCOMPLETE
;
1651 if (isModulusBits
|| isModulus
|| isPubExpo
||
1653 rv
= CKR_TEMPLATE_INCONSISTENT
;
1657 if (!(isPrime
&& isSubprime
&& isBase
)) {
1658 rv
= CKR_TEMPLATE_INCOMPLETE
;
1663 copy_bigint_attr(&prime
, KEY_PUB_DSA_PRIME(pbk
));
1665 copy_bigint_attr(&subprime
, KEY_PUB_DSA_SUBPRIME(pbk
));
1667 copy_bigint_attr(&base
, KEY_PUB_DSA_BASE(pbk
));
1672 if (mode
== SOFT_CREATE_OBJ
) {
1673 if (isModulusBits
|| isModulus
|| isPubExpo
||
1675 rv
= CKR_TEMPLATE_INCONSISTENT
;
1679 if (isPrime
&& isBase
&& isValue
) {
1680 copy_bigint_attr(&value
,
1681 KEY_PUB_DH_VALUE(pbk
));
1683 rv
= CKR_TEMPLATE_INCOMPLETE
;
1687 if (isModulusBits
|| isModulus
|| isPubExpo
||
1688 isSubprime
|| isValue
) {
1689 rv
= CKR_TEMPLATE_INCONSISTENT
;
1693 if (!(isPrime
&& isBase
)) {
1694 rv
= CKR_TEMPLATE_INCOMPLETE
;
1699 copy_bigint_attr(&prime
, KEY_PUB_DH_PRIME(pbk
));
1701 copy_bigint_attr(&base
, KEY_PUB_DH_BASE(pbk
));
1706 if (mode
== SOFT_CREATE_OBJ
) {
1707 if (isModulusBits
|| isModulus
|| isPubExpo
) {
1708 rv
= CKR_TEMPLATE_INCONSISTENT
;
1712 if (isPrime
&& isSubprime
&& isBase
&& isValue
) {
1713 copy_bigint_attr(&value
,
1714 KEY_PUB_DH942_VALUE(pbk
));
1716 rv
= CKR_TEMPLATE_INCOMPLETE
;
1720 if (isModulusBits
|| isModulus
|| isPubExpo
||
1722 rv
= CKR_TEMPLATE_INCONSISTENT
;
1726 if (!(isPrime
&& isSubprime
&& isBase
)) {
1727 rv
= CKR_TEMPLATE_INCOMPLETE
;
1732 copy_bigint_attr(&prime
, KEY_PUB_DH942_PRIME(pbk
));
1734 copy_bigint_attr(&base
, KEY_PUB_DH942_BASE(pbk
));
1736 copy_bigint_attr(&subprime
, KEY_PUB_DH942_SUBPRIME(pbk
));
1741 if (mode
== SOFT_CREATE_OBJ
) {
1742 if (isModulusBits
|| isModulus
|| isPubExpo
||
1743 isPrime
|| isSubprime
|| isBase
|| isValue
) {
1744 rv
= CKR_TEMPLATE_INCONSISTENT
;
1747 } else if (!isECParam
|| !isECPoint
) {
1748 rv
= CKR_TEMPLATE_INCOMPLETE
;
1752 if (isModulusBits
|| isModulus
|| isPubExpo
||
1753 isPrime
|| isSubprime
|| isBase
|| isValue
) {
1754 rv
= CKR_TEMPLATE_INCONSISTENT
;
1757 } else if (!isECParam
) {
1758 rv
= CKR_TEMPLATE_INCOMPLETE
;
1764 copy_bigint_attr(&point
, KEY_PUB_EC_POINT(pbk
));
1766 rv
= soft_add_extra_attr(¶m_tmp
, new_object
);
1769 string_attr_cleanup(¶m_tmp
);
1773 rv
= CKR_TEMPLATE_INCONSISTENT
;
1777 /* Set up object. */
1778 new_object
->object_type
= object_type
;
1779 new_object
->bool_attr_mask
= attr_mask
;
1781 rv
= soft_add_extra_attr(&string_tmp
, new_object
);
1784 string_attr_cleanup(&string_tmp
);
1791 * cleanup the storage allocated to the local variables.
1793 bigint_attr_cleanup(&modulus
);
1794 bigint_attr_cleanup(&pubexpo
);
1795 bigint_attr_cleanup(&prime
);
1796 bigint_attr_cleanup(&subprime
);
1797 bigint_attr_cleanup(&base
);
1798 bigint_attr_cleanup(&value
);
1799 bigint_attr_cleanup(&point
);
1800 string_attr_cleanup(&string_tmp
);
1801 string_attr_cleanup(¶m_tmp
);
1804 * cleanup the storage allocated inside the object itself.
1806 soft_cleanup_object(new_object
);
1813 * Build a Private Key Object.
1815 * - Parse the object's template, and when an error is detected such as
1816 * invalid attribute type, invalid attribute value, etc., return
1817 * with appropriate return value.
1818 * - Set up attribute mask field in the object for the supplied common
1819 * attributes that have boolean type.
1820 * - Build the attribute_info struct to hold the value of each supplied
1821 * attribute that has byte array type. Link attribute_info structs
1822 * together to form the extra attribute list of the object.
1823 * - Allocate storage for the Private Key object.
1824 * - Build the Private Key object according to the key type. Allocate
1825 * storage to hold the big integer value for the supplied attributes
1826 * that are required for a certain key type.
1830 soft_build_private_key_object(CK_ATTRIBUTE_PTR
template, CK_ULONG ulAttrNum
,
1831 soft_object_t
*new_object
, CK_ULONG mode
, CK_KEY_TYPE key_type
)
1834 CK_KEY_TYPE keytype
= (CK_KEY_TYPE
)~0UL;
1835 uint64_t attr_mask
= PRIVATE_KEY_DEFAULT
;
1839 /* Must set flags unless mode == SOFT_UNWRAP_KEY */
1845 /* Must set flags if mode == SOFT_GEN_KEY */
1847 /* Must not set flags */
1848 int isValueBits
= 0;
1849 CK_ULONG value_bits
= 0;
1851 /* Private Key RSA optional */
1859 biginteger_t modulus
;
1860 biginteger_t priexpo
;
1862 biginteger_t subprime
;
1866 biginteger_t pubexpo
;
1867 biginteger_t prime1
;
1868 biginteger_t prime2
;
1872 CK_ATTRIBUTE string_tmp
;
1873 CK_ATTRIBUTE param_tmp
;
1876 private_key_obj_t
*pvk
;
1877 uchar_t object_type
= 0;
1879 /* prevent bigint_attr_cleanup from freeing invalid attr value */
1880 (void) memset(&modulus
, 0x0, sizeof (biginteger_t
));
1881 (void) memset(&priexpo
, 0x0, sizeof (biginteger_t
));
1882 (void) memset(&prime
, 0x0, sizeof (biginteger_t
));
1883 (void) memset(&subprime
, 0x0, sizeof (biginteger_t
));
1884 (void) memset(&base
, 0x0, sizeof (biginteger_t
));
1885 (void) memset(&value
, 0x0, sizeof (biginteger_t
));
1886 (void) memset(&pubexpo
, 0x0, sizeof (biginteger_t
));
1887 (void) memset(&prime1
, 0x0, sizeof (biginteger_t
));
1888 (void) memset(&prime2
, 0x0, sizeof (biginteger_t
));
1889 (void) memset(&expo1
, 0x0, sizeof (biginteger_t
));
1890 (void) memset(&expo2
, 0x0, sizeof (biginteger_t
));
1891 (void) memset(&coef
, 0x0, sizeof (biginteger_t
));
1892 string_tmp
.pValue
= NULL
;
1893 param_tmp
.pValue
= NULL
;
1897 for (i
= 0; i
< ulAttrNum
; i
++) {
1899 /* Private Key Object Attributes */
1900 switch (template[i
].type
) {
1901 /* common key attributes */
1903 keytype
= *((CK_KEY_TYPE
*)template[i
].pValue
);
1907 case CKA_START_DATE
:
1910 /* common private key attribute */
1913 * Allocate storage to hold the attribute
1914 * value with byte array type, and add it to
1915 * the extra attribute list of the object.
1917 rv
= soft_add_extra_attr(&template[i
],
1925 * The following key related attribute types must
1926 * not be specified by C_CreateObject or C_GenerateKey(Pair).
1929 case CKA_KEY_GEN_MECHANISM
:
1930 case CKA_AUTH_PIN_FLAGS
:
1931 case CKA_ALWAYS_SENSITIVE
:
1932 case CKA_NEVER_EXTRACTABLE
:
1933 rv
= CKR_TEMPLATE_INCONSISTENT
;
1936 /* Key related boolean attributes */
1938 if (*(CK_BBOOL
*)template[i
].pValue
)
1939 attr_mask
|= DERIVE_BOOL_ON
;
1943 if (*(CK_BBOOL
*)template[i
].pValue
)
1944 attr_mask
|= SENSITIVE_BOOL_ON
;
1947 case CKA_SECONDARY_AUTH
:
1948 if (*(CK_BBOOL
*)template[i
].pValue
) {
1949 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
1955 if (*(CK_BBOOL
*)template[i
].pValue
)
1956 attr_mask
|= DECRYPT_BOOL_ON
;
1958 attr_mask
&= ~DECRYPT_BOOL_ON
;
1962 if (*(CK_BBOOL
*)template[i
].pValue
)
1963 attr_mask
|= SIGN_BOOL_ON
;
1965 attr_mask
&= ~SIGN_BOOL_ON
;
1968 case CKA_SIGN_RECOVER
:
1969 if (*(CK_BBOOL
*)template[i
].pValue
)
1970 attr_mask
|= SIGN_RECOVER_BOOL_ON
;
1972 attr_mask
&= ~SIGN_RECOVER_BOOL_ON
;
1976 if (*(CK_BBOOL
*)template[i
].pValue
)
1977 attr_mask
|= UNWRAP_BOOL_ON
;
1979 attr_mask
&= ~UNWRAP_BOOL_ON
;
1982 case CKA_EXTRACTABLE
:
1983 if (*(CK_BBOOL
*)template[i
].pValue
)
1984 attr_mask
|= EXTRACTABLE_BOOL_ON
;
1986 attr_mask
&= ~EXTRACTABLE_BOOL_ON
;
1989 case CKA_MODIFIABLE
:
1990 if ((*(CK_BBOOL
*)template[i
].pValue
) == B_FALSE
)
1991 attr_mask
|= NOT_MODIFIABLE_BOOL_ON
;
1995 * The following key related attribute types must
1996 * be specified according to the key type by
2003 * Copyin big integer attribute from template
2004 * to a local variable.
2006 rv
= get_bigint_attr_from_template(&modulus
,
2012 * Modulus length needs to be between min key length and
2015 if ((modulus
.big_value_len
<
2016 MIN_RSA_KEYLENGTH_IN_BYTES
) ||
2017 (modulus
.big_value_len
>
2018 MAX_RSA_KEYLENGTH_IN_BYTES
)) {
2019 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2024 case CKA_PUBLIC_EXPONENT
:
2027 rv
= get_bigint_attr_from_template(&pubexpo
,
2033 case CKA_PRIVATE_EXPONENT
:
2036 rv
= get_bigint_attr_from_template(&priexpo
,
2044 rv
= get_bigint_attr_from_template(&prime1
,
2052 rv
= get_bigint_attr_from_template(&prime2
,
2058 case CKA_EXPONENT_1
:
2060 rv
= get_bigint_attr_from_template(&expo1
,
2066 case CKA_EXPONENT_2
:
2068 rv
= get_bigint_attr_from_template(&expo2
,
2074 case CKA_COEFFICIENT
:
2076 rv
= get_bigint_attr_from_template(&coef
,
2084 rv
= get_bigint_attr_from_template(&prime
,
2092 rv
= get_bigint_attr_from_template(&subprime
,
2100 rv
= get_bigint_attr_from_template(&base
,
2108 if (mode
== SOFT_CREATE_OBJ
) {
2109 if ((template[i
].ulValueLen
== 0) ||
2110 (template[i
].pValue
== NULL
)) {
2111 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2116 rv
= get_bigint_attr_from_template(&value
,
2122 case CKA_VALUE_BITS
:
2124 rv
= get_ulong_attr_from_template(&value_bits
,
2132 rv
= get_string_from_template(&string_tmp
,
2140 rv
= get_string_from_template(¶m_tmp
,
2147 rv
= soft_parse_common_attrs(&template[i
],
2156 /* Allocate storage for Private Key Object. */
2157 pvk
= calloc(1, sizeof (private_key_obj_t
));
2159 rv
= CKR_HOST_MEMORY
;
2163 new_object
->object_class_u
.private_key
= pvk
;
2164 new_object
->class = CKO_PRIVATE_KEY
;
2166 if ((mode
== SOFT_CREATE_OBJ
) && (keytype
== (CK_KEY_TYPE
)~0UL)) {
2167 rv
= CKR_TEMPLATE_INCOMPLETE
;
2171 if (mode
== SOFT_GEN_KEY
) {
2173 * The key type is not specified in the application's
2174 * template, so we use the implied key type based on
2177 if (keytype
== (CK_KEY_TYPE
)~0UL) {
2181 /* If still unspecified, template is incomplete */
2182 if (keytype
== (CK_KEY_TYPE
)~0UL) {
2183 rv
= CKR_TEMPLATE_INCOMPLETE
;
2188 * The key type specified in the template does not
2189 * match the implied key type based on the mechanism.
2191 if (keytype
!= key_type
) {
2192 rv
= CKR_TEMPLATE_INCONSISTENT
;
2197 if (mode
== SOFT_UNWRAP_KEY
) {
2199 * Note that, for mode SOFT_UNWRAP_KEY, key type is not
2200 * implied by the mechanism (key_type), so if it is not
2201 * specified from the attribute template (keytype), it is
2204 if (keytype
== (CK_KEY_TYPE
)~0UL) {
2205 rv
= CKR_TEMPLATE_INCOMPLETE
;
2210 new_object
->key_type
= keytype
;
2212 /* Supported key types of the Private Key Object */
2215 if (isPrime
|| isSubprime
|| isBase
|| isValue
||
2217 rv
= CKR_TEMPLATE_INCONSISTENT
;
2221 if (mode
== SOFT_GEN_KEY
|| mode
== SOFT_UNWRAP_KEY
) {
2222 if (isModulus
|| isPubExpo
|| isPriExpo
|| isPrime1
||
2223 isPrime2
|| isExpo1
|| isExpo2
|| isCoef
) {
2224 rv
= CKR_TEMPLATE_INCONSISTENT
;
2230 if (isModulus
&& isPriExpo
) {
2232 * Copy big integer attribute value to the
2233 * designated place in the Private Key object.
2235 copy_bigint_attr(&modulus
, KEY_PRI_RSA_MOD(pvk
));
2237 copy_bigint_attr(&priexpo
, KEY_PRI_RSA_PRIEXPO(pvk
));
2239 rv
= CKR_TEMPLATE_INCOMPLETE
;
2243 /* The following attributes are optional. */
2245 copy_bigint_attr(&pubexpo
, KEY_PRI_RSA_PUBEXPO(pvk
));
2249 copy_bigint_attr(&prime1
, KEY_PRI_RSA_PRIME1(pvk
));
2253 copy_bigint_attr(&prime2
, KEY_PRI_RSA_PRIME2(pvk
));
2257 copy_bigint_attr(&expo1
, KEY_PRI_RSA_EXPO1(pvk
));
2261 copy_bigint_attr(&expo2
, KEY_PRI_RSA_EXPO2(pvk
));
2265 copy_bigint_attr(&coef
, KEY_PRI_RSA_COEF(pvk
));
2270 if (isModulus
|| isPubExpo
|| isPriExpo
|| isPrime1
||
2271 isPrime2
|| isExpo1
|| isExpo2
|| isCoef
||
2273 rv
= CKR_TEMPLATE_INCONSISTENT
;
2277 if (mode
== SOFT_GEN_KEY
|| mode
== SOFT_UNWRAP_KEY
) {
2278 if (isPrime
|| isSubprime
|| isBase
|| isValue
) {
2279 rv
= CKR_TEMPLATE_INCONSISTENT
;
2285 if (isPrime
&& isSubprime
&& isBase
&& isValue
) {
2287 * The private value x must be less than subprime q.
2288 * Size for big_init is in BIG_CHUNK_TYPE words.
2291 CHARLEN2BIGNUMLEN(value
.big_value_len
))
2293 rv
= CKR_HOST_MEMORY
;
2297 CHARLEN2BIGNUMLEN(subprime
.big_value_len
))
2299 rv
= CKR_HOST_MEMORY
;
2302 bytestring2bignum(&x
, value
.big_value
,
2303 value
.big_value_len
);
2304 bytestring2bignum(&q
, subprime
.big_value
,
2305 subprime
.big_value_len
);
2307 if (big_cmp_abs(&x
, &q
) > 0) {
2308 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2312 copy_bigint_attr(&prime
, KEY_PRI_DSA_PRIME(pvk
));
2314 copy_bigint_attr(&subprime
, KEY_PRI_DSA_SUBPRIME(pvk
));
2316 copy_bigint_attr(&base
, KEY_PRI_DSA_BASE(pvk
));
2318 copy_bigint_attr(&value
, KEY_PRI_DSA_VALUE(pvk
));
2320 rv
= CKR_TEMPLATE_INCOMPLETE
;
2326 if (isModulus
|| isPubExpo
|| isPriExpo
|| isPrime1
||
2327 isPrime2
|| isExpo1
|| isExpo2
|| isCoef
||
2329 rv
= CKR_TEMPLATE_INCONSISTENT
;
2333 /* CKA_VALUE_BITS is for key gen but not unwrap */
2334 if (mode
== SOFT_GEN_KEY
)
2335 KEY_PRI_DH_VAL_BITS(pvk
) = (isValueBits
) ?
2337 else if (mode
== SOFT_UNWRAP_KEY
) {
2339 rv
= CKR_TEMPLATE_INCONSISTENT
;
2344 if (mode
== SOFT_GEN_KEY
|| mode
== SOFT_UNWRAP_KEY
) {
2345 if (isPrime
|| isBase
|| isValue
) {
2346 rv
= CKR_TEMPLATE_INCONSISTENT
;
2353 rv
= CKR_TEMPLATE_INCONSISTENT
;
2357 if (isPrime
&& isBase
&& isValue
) {
2358 copy_bigint_attr(&prime
, KEY_PRI_DH_PRIME(pvk
));
2360 copy_bigint_attr(&base
, KEY_PRI_DH_BASE(pvk
));
2362 copy_bigint_attr(&value
, KEY_PRI_DH_VALUE(pvk
));
2364 rv
= CKR_TEMPLATE_INCOMPLETE
;
2370 if (isModulus
|| isPubExpo
|| isPriExpo
|| isPrime1
||
2371 isPrime2
|| isExpo1
|| isExpo2
|| isCoef
||
2373 rv
= CKR_TEMPLATE_INCONSISTENT
;
2377 if (mode
== SOFT_GEN_KEY
|| mode
== SOFT_UNWRAP_KEY
) {
2378 if (isPrime
|| isSubprime
|| isBase
|| isValue
) {
2379 rv
= CKR_TEMPLATE_INCONSISTENT
;
2385 if (isPrime
&& isSubprime
&& isBase
&& isValue
) {
2386 copy_bigint_attr(&prime
, KEY_PRI_DH942_PRIME(pvk
));
2388 copy_bigint_attr(&base
, KEY_PRI_DH942_BASE(pvk
));
2390 copy_bigint_attr(&subprime
,
2391 KEY_PRI_DH942_SUBPRIME(pvk
));
2393 copy_bigint_attr(&value
, KEY_PRI_DH942_VALUE(pvk
));
2395 rv
= CKR_TEMPLATE_INCOMPLETE
;
2401 if (isModulus
|| isPubExpo
|| isPrime
||
2402 isPrime1
|| isPrime2
|| isExpo1
|| isExpo2
|| isCoef
||
2403 isValueBits
|| isBase
) {
2404 rv
= CKR_TEMPLATE_INCONSISTENT
;
2407 } else if (isECParam
) {
2408 rv
= soft_add_extra_attr(¶m_tmp
, new_object
);
2411 string_attr_cleanup(¶m_tmp
);
2414 copy_bigint_attr(&value
, KEY_PRI_EC_VALUE(pvk
));
2419 rv
= CKR_TEMPLATE_INCONSISTENT
;
2423 /* Set up object. */
2424 new_object
->object_type
= object_type
;
2425 new_object
->bool_attr_mask
= attr_mask
;
2427 rv
= soft_add_extra_attr(&string_tmp
, new_object
);
2430 string_attr_cleanup(&string_tmp
);
2439 * cleanup the storage allocated to the local variables.
2441 bigint_attr_cleanup(&modulus
);
2442 bigint_attr_cleanup(&priexpo
);
2443 bigint_attr_cleanup(&prime
);
2444 bigint_attr_cleanup(&subprime
);
2445 bigint_attr_cleanup(&base
);
2446 bigint_attr_cleanup(&value
);
2447 bigint_attr_cleanup(&pubexpo
);
2448 bigint_attr_cleanup(&prime1
);
2449 bigint_attr_cleanup(&prime2
);
2450 bigint_attr_cleanup(&expo1
);
2451 bigint_attr_cleanup(&expo2
);
2452 bigint_attr_cleanup(&coef
);
2453 string_attr_cleanup(&string_tmp
);
2454 string_attr_cleanup(¶m_tmp
);
2459 * cleanup the storage allocated inside the object itself.
2461 soft_cleanup_object(new_object
);
2468 * Build a Secret Key Object.
2470 * - Parse the object's template, and when an error is detected such as
2471 * invalid attribute type, invalid attribute value, etc., return
2472 * with appropriate return value.
2473 * - Set up attribute mask field in the object for the supplied common
2474 * attributes that have boolean type.
2475 * - Build the attribute_info struct to hold the value of each supplied
2476 * attribute that has byte array type. Link attribute_info structs
2477 * together to form the extra attribute list of the object.
2478 * - Allocate storage for the Secret Key object.
2479 * - Build the Secret Key object. Allocate storage to hold the big integer
2480 * value for the attribute CKA_VALUE that is required for all the key
2481 * types supported by secret key object.
2482 * This function is called internally with mode = SOFT_CREATE_OBJ_INT.
2486 soft_build_secret_key_object(CK_ATTRIBUTE_PTR
template, CK_ULONG ulAttrNum
,
2487 soft_object_t
*new_object
, CK_ULONG mode
, CK_ULONG key_len
,
2488 CK_KEY_TYPE key_type
)
2492 CK_KEY_TYPE keytype
= (CK_KEY_TYPE
)~0UL;
2493 uint64_t attr_mask
= SECRET_KEY_DEFAULT
;
2496 /* Must set flags if mode != SOFT_UNWRAP_KEY, else must not set */
2498 /* Must not set flags if mode != SOFT_UNWRAP_KEY, else optional */
2501 CK_ATTRIBUTE string_tmp
;
2503 secret_key_obj_t
*sck
;
2504 uchar_t object_type
= 0;
2506 string_tmp
.pValue
= NULL
;
2508 /* Allocate storage for Secret Key Object. */
2509 sck
= calloc(1, sizeof (secret_key_obj_t
));
2511 rv
= CKR_HOST_MEMORY
;
2515 new_object
->object_class_u
.secret_key
= sck
;
2516 new_object
->class = CKO_SECRET_KEY
;
2518 for (i
= 0; i
< ulAttrNum
; i
++) {
2520 /* Secret Key Object Attributes */
2521 switch (template[i
].type
) {
2523 /* common key attributes */
2525 keytype
= *((CK_KEY_TYPE
*)template[i
].pValue
);
2529 case CKA_START_DATE
:
2532 * Allocate storage to hold the attribute
2533 * value with byte array type, and add it to
2534 * the extra attribute list of the object.
2536 rv
= soft_add_extra_attr(&template[i
],
2544 * The following key related attribute types must
2545 * not be specified by C_CreateObject and C_GenerateKey.
2548 case CKA_KEY_GEN_MECHANISM
:
2549 case CKA_ALWAYS_SENSITIVE
:
2550 case CKA_NEVER_EXTRACTABLE
:
2551 rv
= CKR_TEMPLATE_INCONSISTENT
;
2554 /* Key related boolean attributes */
2556 if (*(CK_BBOOL
*)template[i
].pValue
)
2557 attr_mask
|= DERIVE_BOOL_ON
;
2561 if (*(CK_BBOOL
*)template[i
].pValue
)
2562 attr_mask
|= SENSITIVE_BOOL_ON
;
2566 if (*(CK_BBOOL
*)template[i
].pValue
)
2567 attr_mask
|= ENCRYPT_BOOL_ON
;
2569 attr_mask
&= ~ENCRYPT_BOOL_ON
;
2573 if (*(CK_BBOOL
*)template[i
].pValue
)
2574 attr_mask
|= DECRYPT_BOOL_ON
;
2576 attr_mask
&= ~DECRYPT_BOOL_ON
;
2580 if (*(CK_BBOOL
*)template[i
].pValue
)
2581 attr_mask
|= SIGN_BOOL_ON
;
2583 attr_mask
&= ~SIGN_BOOL_ON
;
2587 if (*(CK_BBOOL
*)template[i
].pValue
)
2588 attr_mask
|= VERIFY_BOOL_ON
;
2590 attr_mask
&= ~VERIFY_BOOL_ON
;
2594 if (*(CK_BBOOL
*)template[i
].pValue
)
2595 attr_mask
|= WRAP_BOOL_ON
;
2597 attr_mask
&= ~WRAP_BOOL_ON
;
2601 if (*(CK_BBOOL
*)template[i
].pValue
)
2602 attr_mask
|= UNWRAP_BOOL_ON
;
2604 attr_mask
&= ~UNWRAP_BOOL_ON
;
2607 case CKA_EXTRACTABLE
:
2608 if (*(CK_BBOOL
*)template[i
].pValue
)
2609 attr_mask
|= EXTRACTABLE_BOOL_ON
;
2611 attr_mask
&= ~EXTRACTABLE_BOOL_ON
;
2614 case CKA_MODIFIABLE
:
2615 if ((*(CK_BBOOL
*)template[i
].pValue
) == B_FALSE
)
2616 attr_mask
|= NOT_MODIFIABLE_BOOL_ON
;
2621 if (mode
== SOFT_CREATE_OBJ
) {
2622 if ((template[i
].ulValueLen
== 0) ||
2623 (template[i
].pValue
== NULL
)) {
2624 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2630 * Copyin attribute from template
2631 * to a local variable.
2633 rv
= get_bigint_attr_from_template((biginteger_t
*)sck
,
2641 rv
= get_ulong_attr_from_template(&sck
->sk_value_len
,
2649 rv
= get_string_from_template(&string_tmp
,
2656 rv
= soft_parse_common_attrs(&template[i
],
2666 case SOFT_CREATE_OBJ
:
2667 case SOFT_CREATE_OBJ_INT
:
2668 case SOFT_DERIVE_KEY_DH
:
2670 * The key type must be specified in the application's
2671 * template. Otherwise, returns error.
2673 if (keytype
== (CK_KEY_TYPE
)~0UL) {
2674 rv
= CKR_TEMPLATE_INCOMPLETE
;
2680 if (keytype
== (CK_KEY_TYPE
)~0UL) {
2682 * The key type is not specified in the application's
2683 * template, so we use the implied key type based on
2688 if (keytype
!= key_type
) {
2690 * The key type specified in the template
2691 * does not match the implied key type based
2694 rv
= CKR_TEMPLATE_INCONSISTENT
;
2700 * If a key_len is passed as a parameter, it has to
2701 * match the one found in the template.
2704 if (isValueLen
&& sck
->sk_value_len
!= key_len
) {
2705 rv
= CKR_TEMPLATE_INCONSISTENT
;
2709 sck
->sk_value_len
= key_len
;
2713 case SOFT_UNWRAP_KEY
:
2715 * Note that, for mode SOFT_UNWRAP_KEY, key type is not
2716 * implied by the mechanism (key_type), so if it is not
2717 * specified from the attribute template (keytype), it is
2720 if (keytype
== (CK_KEY_TYPE
)~0UL) {
2721 rv
= CKR_TEMPLATE_INCOMPLETE
;
2726 case SOFT_DERIVE_KEY_OTHER
:
2728 * For CKM_MD5_KEY_DERIVATION & CKM_SHA1_KEY_DERIVATION, the
2729 * key type is optional.
2731 if (keytype
== (CK_KEY_TYPE
)~0UL) {
2738 case SOFT_CREATE_OBJ
:
2739 case SOFT_CREATE_OBJ_INT
:
2743 rv
= CKR_TEMPLATE_INCOMPLETE
;
2746 if ((sck
->sk_value_len
< ARCFOUR_MIN_KEY_BYTES
) ||
2747 (sck
->sk_value_len
> ARCFOUR_MAX_KEY_BYTES
)) {
2748 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2753 case CKK_GENERIC_SECRET
:
2755 rv
= CKR_TEMPLATE_INCOMPLETE
;
2762 rv
= CKR_TEMPLATE_INCOMPLETE
;
2765 if ((sck
->sk_value_len
!= AES_MIN_KEY_BYTES
) &&
2766 (sck
->sk_value_len
!= AES_192_KEY_BYTES
) &&
2767 (sck
->sk_value_len
!= AES_MAX_KEY_BYTES
)) {
2768 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2775 rv
= CKR_TEMPLATE_INCOMPLETE
;
2778 if ((sck
->sk_value_len
< BLOWFISH_MINBYTES
) ||
2779 (sck
->sk_value_len
> BLOWFISH_MAXBYTES
)) {
2780 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2788 rv
= CKR_TEMPLATE_INCOMPLETE
;
2791 if (sck
->sk_value_len
!= DES_KEYSIZE
) {
2792 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2799 rv
= CKR_TEMPLATE_INCOMPLETE
;
2802 if (sck
->sk_value_len
!= DES2_KEYSIZE
) {
2803 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2810 rv
= CKR_TEMPLATE_INCOMPLETE
;
2813 if (sck
->sk_value_len
!= DES3_KEYSIZE
) {
2814 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2820 rv
= CKR_TEMPLATE_INCONSISTENT
;
2826 * Templates for internal object creation come from
2827 * applications calls to C_DeriveKey(), for which it
2828 * is OKey to pass a CKA_VALUE_LEN attribute, as
2829 * long as it does not conflict with the length of the
2830 * CKA_VALUE attribute.
2832 if ((mode
!= SOFT_CREATE_OBJ_INT
) ||
2833 ((key_len
> 0) && sck
->sk_value_len
!= key_len
)) {
2834 rv
= CKR_TEMPLATE_INCONSISTENT
;
2841 /* CKA_VALUE must not be specified */
2843 rv
= CKR_TEMPLATE_INCONSISTENT
;
2849 * CKA_VALUE_LEN must be specified by C_GenerateKey
2850 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET.
2854 rv
= CKR_TEMPLATE_INCOMPLETE
;
2858 if ((sck
->sk_value_len
< ARCFOUR_MIN_KEY_BYTES
) ||
2859 (sck
->sk_value_len
> ARCFOUR_MAX_KEY_BYTES
)) {
2860 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2865 case CKK_GENERIC_SECRET
:
2866 /* arbitrary key length - no length checking */
2868 rv
= CKR_TEMPLATE_INCOMPLETE
;
2875 rv
= CKR_TEMPLATE_INCOMPLETE
;
2879 if ((sck
->sk_value_len
!= AES_MIN_KEY_BYTES
) &&
2880 (sck
->sk_value_len
!= AES_192_KEY_BYTES
) &&
2881 (sck
->sk_value_len
!= AES_MAX_KEY_BYTES
)) {
2882 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2890 rv
= CKR_TEMPLATE_INCOMPLETE
;
2893 if ((sck
->sk_value_len
< BLOWFISH_MINBYTES
) ||
2894 (sck
->sk_value_len
> BLOWFISH_MAXBYTES
)) {
2895 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2904 /* CKA_VALUE_LEN attribute does not apply to DES<n> */
2906 rv
= CKR_TEMPLATE_INCONSISTENT
;
2912 rv
= CKR_TEMPLATE_INCONSISTENT
;
2917 case SOFT_UNWRAP_KEY
:
2919 * According to v2.11 of PKCS#11 spec, neither CKA_VALUE nor
2920 * CKA_VALUE_LEN can be be specified; however v2.20 has this
2921 * restriction removed, perhaps because it makes it hard to
2922 * determine variable-length key sizes. This case statement
2923 * complied with v2.20.
2926 rv
= CKR_TEMPLATE_INCONSISTENT
;
2932 * CKA_VALUE_LEN is optional
2933 * if key is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET
2934 * and the unwrapping mech is *_CBC_PAD.
2936 * CKA_VALUE_LEN is required
2937 * if key is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET
2938 * and the unwrapping mech is *_ECB or *_CBC.
2940 * since mech is not known at this point, CKA_VALUE_LEN is
2941 * treated as optional and the caller needs to enforce it.
2945 if ((sck
->sk_value_len
<
2946 ARCFOUR_MIN_KEY_BYTES
) ||
2947 (sck
->sk_value_len
>
2948 ARCFOUR_MAX_KEY_BYTES
)) {
2949 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2955 case CKK_GENERIC_SECRET
:
2956 /* arbitrary key length - no length checking */
2961 if ((sck
->sk_value_len
!= AES_MIN_KEY_BYTES
) &&
2962 (sck
->sk_value_len
!= AES_192_KEY_BYTES
) &&
2963 (sck
->sk_value_len
!= AES_MAX_KEY_BYTES
)) {
2964 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2972 ((sck
->sk_value_len
< BLOWFISH_MINBYTES
) ||
2973 (sck
->sk_value_len
> BLOWFISH_MAXBYTES
))) {
2974 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
2982 /* CKA_VALUE_LEN attribute does not apply to DES<n> */
2984 rv
= CKR_TEMPLATE_INCONSISTENT
;
2990 rv
= CKR_TEMPLATE_INCONSISTENT
;
2995 case SOFT_DERIVE_KEY_DH
:
2996 /* CKA_VALUE must not be specified */
2998 rv
= CKR_TEMPLATE_INCONSISTENT
;
3004 * CKA_VALUE_LEN is optional
3005 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET.
3009 if ((sck
->sk_value_len
<
3010 ARCFOUR_MIN_KEY_BYTES
) ||
3011 (sck
->sk_value_len
>
3012 ARCFOUR_MAX_KEY_BYTES
)) {
3013 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
3019 case CKK_GENERIC_SECRET
:
3020 /* arbitrary key length - no length checking */
3025 if ((sck
->sk_value_len
!= AES_MIN_KEY_BYTES
) &&
3026 (sck
->sk_value_len
!= AES_192_KEY_BYTES
) &&
3027 (sck
->sk_value_len
!= AES_MAX_KEY_BYTES
)) {
3028 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
3037 ((sck
->sk_value_len
< BLOWFISH_MINBYTES
) ||
3038 (sck
->sk_value_len
> BLOWFISH_MAXBYTES
))) {
3039 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
3047 /* CKA_VALUE_LEN attribute does not apply to DES<n> */
3049 rv
= CKR_TEMPLATE_INCONSISTENT
;
3055 rv
= CKR_TEMPLATE_INCONSISTENT
;
3060 case SOFT_DERIVE_KEY_OTHER
:
3061 /* CKA_VALUE must not be specified */
3063 rv
= CKR_TEMPLATE_INCONSISTENT
;
3069 * CKA_VALUE_LEN is an optional attribute for
3070 * CKM_SHA1_KEY_DERIVATION and CKM_MD5_KEY_DERIVATION
3071 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET.
3074 case CKK_GENERIC_SECRET
:
3078 * No need to check key length value here, it will be
3079 * validated later in soft_key_derive_check_length().
3086 /* CKA_VALUE_LEN attribute does not apply to DES<n> */
3088 rv
= CKR_TEMPLATE_INCONSISTENT
;
3094 rv
= CKR_TEMPLATE_INCONSISTENT
;
3100 /* Set up object. */
3101 new_object
->key_type
= keytype
;
3102 new_object
->object_type
= object_type
;
3103 new_object
->bool_attr_mask
= attr_mask
;
3105 rv
= soft_add_extra_attr(&string_tmp
, new_object
);
3108 string_attr_cleanup(&string_tmp
);
3114 * cleanup the storage allocated to the local variables.
3116 bigint_attr_cleanup((biginteger_t
*)sck
);
3117 string_attr_cleanup(&string_tmp
);
3120 * cleanup the storage allocated inside the object itself.
3122 soft_cleanup_object(new_object
);
3129 * Build a Domain Parameter Object.
3131 * - Parse the object's template, and when an error is detected such as
3132 * invalid attribute type, invalid attribute value, etc., return
3133 * with appropriate return value.
3134 * - Allocate storage for the Domain Parameter object.
3135 * - Build the Domain Parameter object according to the key type. Allocate
3136 * storage to hold the big integer value for the supplied attributes
3137 * that are required for a certain key type.
3141 soft_build_domain_parameters_object(CK_ATTRIBUTE_PTR
template,
3142 CK_ULONG ulAttrNum
, soft_object_t
*new_object
)
3146 CK_KEY_TYPE keytype
= (CK_KEY_TYPE
)~0UL;
3149 /* Must set flags */
3153 /* Must not set flags */
3154 int isPrimeBits
= 0;
3155 int isSubPrimeBits
= 0;
3158 biginteger_t subprime
;
3160 CK_ATTRIBUTE string_tmp
;
3163 uchar_t object_type
= 0;
3165 /* prevent bigint_attr_cleanup from freeing invalid attr value */
3166 (void) memset(&prime
, 0x0, sizeof (biginteger_t
));
3167 (void) memset(&subprime
, 0x0, sizeof (biginteger_t
));
3168 (void) memset(&base
, 0x0, sizeof (biginteger_t
));
3169 string_tmp
.pValue
= NULL
;
3171 for (i
= 0; i
< ulAttrNum
; i
++) {
3173 /* Domain Parameters Object Attributes */
3174 switch (template[i
].type
) {
3176 /* common domain parameter attribute */
3178 keytype
= *((CK_KEY_TYPE
*)template[i
].pValue
);
3182 * The following common domain parameter attribute
3183 * must not be specified by C_CreateObject.
3186 rv
= CKR_TEMPLATE_INCONSISTENT
;
3190 * The following domain parameter attributes must be
3191 * specified according to the key type by
3197 * Copyin big integer attribute from template
3198 * to a local variable.
3200 rv
= get_bigint_attr_from_template(&prime
,
3208 rv
= get_bigint_attr_from_template(&subprime
,
3216 rv
= get_bigint_attr_from_template(&base
,
3222 case CKA_PRIME_BITS
:
3226 case CKA_SUB_PRIME_BITS
:
3232 rv
= get_string_from_template(&string_tmp
,
3239 rv
= soft_parse_common_attrs(&template[i
],
3248 /* Allocate storage for Domain Parameters Object. */
3249 dom
= calloc(1, sizeof (domain_obj_t
));
3251 rv
= CKR_HOST_MEMORY
;
3255 new_object
->object_class_u
.domain
= dom
;
3256 new_object
->class = CKO_DOMAIN_PARAMETERS
;
3258 if (keytype
== (CK_KEY_TYPE
)~0UL) {
3259 rv
= CKR_TEMPLATE_INCOMPLETE
;
3263 new_object
->key_type
= keytype
;
3265 /* Supported key types of the Domain Parameters Object */
3268 if (isPrimeBits
|| isSubPrimeBits
) {
3269 rv
= CKR_TEMPLATE_INCONSISTENT
;
3273 if (isPrime
&& isSubprime
&& isBase
) {
3275 * Copy big integer attribute value to the
3276 * designated place in the domain parameter
3279 copy_bigint_attr(&prime
, KEY_DOM_DSA_PRIME(dom
));
3281 copy_bigint_attr(&subprime
, KEY_DOM_DSA_SUBPRIME(dom
));
3283 copy_bigint_attr(&base
, KEY_DOM_DSA_BASE(dom
));
3285 rv
= CKR_TEMPLATE_INCOMPLETE
;
3291 if (isPrimeBits
|| isSubprime
|| isSubPrimeBits
) {
3292 rv
= CKR_TEMPLATE_INCONSISTENT
;
3296 if (isPrime
&& isBase
) {
3297 copy_bigint_attr(&prime
, KEY_DOM_DH_PRIME(dom
));
3299 copy_bigint_attr(&base
, KEY_DOM_DH_BASE(dom
));
3301 rv
= CKR_TEMPLATE_INCOMPLETE
;
3307 if (isPrimeBits
|| isSubPrimeBits
) {
3308 rv
= CKR_TEMPLATE_INCONSISTENT
;
3312 if (isPrime
&& isSubprime
&& isBase
) {
3313 copy_bigint_attr(&prime
, KEY_DOM_DH942_PRIME(dom
));
3315 copy_bigint_attr(&base
, KEY_DOM_DH942_BASE(dom
));
3317 copy_bigint_attr(&subprime
,
3318 KEY_DOM_DH942_SUBPRIME(dom
));
3320 rv
= CKR_TEMPLATE_INCOMPLETE
;
3326 rv
= CKR_TEMPLATE_INCONSISTENT
;
3330 new_object
->object_type
= object_type
;
3333 rv
= soft_add_extra_attr(&string_tmp
, new_object
);
3336 string_attr_cleanup(&string_tmp
);
3343 * cleanup the storage allocated to the local variables.
3345 bigint_attr_cleanup(&prime
);
3346 bigint_attr_cleanup(&subprime
);
3347 bigint_attr_cleanup(&base
);
3348 string_attr_cleanup(&string_tmp
);
3351 * cleanup the storage allocated inside the object itself.
3353 soft_cleanup_object(new_object
);
3359 * Build a Certificate Object
3361 * - Parse the object's template, and when an error is detected such as
3362 * invalid attribute type, invalid attribute value, etc., return
3363 * with appropriate return value.
3364 * - Allocate storage for the Certificate object
3367 soft_build_certificate_object(CK_ATTRIBUTE_PTR
template,
3368 CK_ULONG ulAttrNum
, soft_object_t
*new_object
,
3369 CK_CERTIFICATE_TYPE cert_type
)
3371 uint64_t attr_mask
= 0;
3376 int subject_set
= 0;
3377 certificate_obj_t
*cert
;
3378 /* certificate type defaults to the value given as a parameter */
3379 CK_CERTIFICATE_TYPE certtype
= cert_type
;
3380 CK_ATTRIBUTE string_tmp
;
3382 uchar_t object_type
= 0;
3385 * Look for the certificate type attribute and do some
3386 * sanity checking before creating the structures.
3388 for (i
= 0; i
< ulAttrNum
; i
++) {
3389 /* Certificate Object Attributes */
3390 switch (template[i
].type
) {
3391 case CKA_CERTIFICATE_TYPE
:
3393 *((CK_CERTIFICATE_TYPE
*)template[i
].pValue
);
3407 /* The certificate type MUST be specified */
3408 if (certtype
!= CKC_X_509
&& certtype
!= CKC_X_509_ATTR_CERT
)
3409 return (CKR_TEMPLATE_INCOMPLETE
);
3412 * For X.509 certs, the CKA_SUBJECT and CKA_VALUE
3413 * must be present at creation time.
3415 if (certtype
== CKC_X_509
&&
3416 (!subject_set
|| !value_set
))
3417 return (CKR_TEMPLATE_INCOMPLETE
);
3420 * For X.509 Attribute certs, the CKA_OWNER and CKA_VALUE
3421 * must be present at creation time.
3423 if (certtype
== CKC_X_509_ATTR_CERT
&&
3424 (!owner_set
|| !value_set
))
3425 return (CKR_TEMPLATE_INCOMPLETE
);
3427 string_tmp
.pValue
= NULL
;
3428 cert
= calloc(1, sizeof (certificate_obj_t
));
3430 return (CKR_HOST_MEMORY
);
3432 cert
->certificate_type
= certtype
;
3434 for (i
= 0; i
< ulAttrNum
; i
++) {
3435 /* Certificate Object Attributes */
3438 switch (template[i
].type
) {
3440 rv
= get_cert_attr_from_template(
3441 &cert
->cert_type_u
.x509
.subject
,
3445 rv
= get_cert_attr_from_template(
3446 &cert
->cert_type_u
.x509
.value
,
3451 rv
= get_string_from_template(
3459 case CKA_SERIAL_NUMBER
:
3460 rv
= soft_add_extra_attr(&template[i
],
3463 case CKA_MODIFIABLE
:
3464 if ((*(CK_BBOOL
*)template[i
].pValue
) ==
3467 NOT_MODIFIABLE_BOOL_ON
;
3469 case CKA_CERTIFICATE_TYPE
:
3472 rv
= soft_parse_common_attrs(
3473 &template[i
], &object_type
);
3478 case CKC_X_509_ATTR_CERT
:
3479 switch (template[i
].type
) {
3481 rv
= get_cert_attr_from_template(
3482 &cert
->cert_type_u
.x509_attr
.owner
,
3486 rv
= get_cert_attr_from_template(
3487 &cert
->cert_type_u
.x509_attr
.value
,
3492 rv
= get_string_from_template(
3493 &string_tmp
, &template[i
]);
3497 case CKA_SERIAL_NUMBER
:
3499 case CKA_ATTR_TYPES
:
3500 rv
= soft_add_extra_attr(&template[i
],
3504 case CKA_MODIFIABLE
:
3505 if ((*(CK_BBOOL
*)template[i
].pValue
) ==
3508 NOT_MODIFIABLE_BOOL_ON
;
3510 case CKA_CERTIFICATE_TYPE
:
3513 rv
= soft_parse_common_attrs(
3514 &template[i
], &object_type
);
3521 rv
= CKR_TEMPLATE_INCOMPLETE
;
3527 new_object
->object_class_u
.certificate
= cert
;
3528 new_object
->class = CKO_CERTIFICATE
;
3529 new_object
->object_type
= object_type
;
3530 new_object
->cert_type
= certtype
;
3531 new_object
->bool_attr_mask
= attr_mask
;
3533 rv
= soft_add_extra_attr(&string_tmp
, new_object
);
3536 string_attr_cleanup(&string_tmp
);
3542 soft_cleanup_cert_object(new_object
);
3549 * Validate the attribute types in the object's template. Then,
3550 * call the appropriate build function according to the class of
3551 * the object specified in the template.
3553 * Note: The following classes of objects are supported:
3557 * - CKO_DOMAIN_PARAMETERS
3562 soft_build_object(CK_ATTRIBUTE_PTR
template, CK_ULONG ulAttrNum
,
3563 soft_object_t
*new_object
)
3566 CK_OBJECT_CLASS
class = (CK_OBJECT_CLASS
)~0UL;
3569 if (template == NULL
) {
3570 return (CKR_ARGUMENTS_BAD
);
3573 /* Validate the attribute type in the template. */
3574 rv
= soft_validate_attr(template, ulAttrNum
, &class);
3578 * CKA_CLASS is a mandatory attribute for C_CreateObject
3580 if (class == (CK_OBJECT_CLASS
)~0UL)
3581 return (CKR_TEMPLATE_INCOMPLETE
);
3584 * Call the appropriate function based on the supported class
3588 case CKO_PUBLIC_KEY
:
3589 rv
= soft_build_public_key_object(template, ulAttrNum
,
3590 new_object
, SOFT_CREATE_OBJ
, (CK_KEY_TYPE
)~0UL);
3593 case CKO_PRIVATE_KEY
:
3594 rv
= soft_build_private_key_object(template, ulAttrNum
,
3595 new_object
, SOFT_CREATE_OBJ
, (CK_KEY_TYPE
)~0UL);
3598 case CKO_SECRET_KEY
:
3599 rv
= soft_build_secret_key_object(template, ulAttrNum
,
3600 new_object
, SOFT_CREATE_OBJ
, 0, (CK_KEY_TYPE
)~0UL);
3603 case CKO_DOMAIN_PARAMETERS
:
3604 rv
= soft_build_domain_parameters_object(template, ulAttrNum
,
3608 case CKO_CERTIFICATE
:
3609 rv
= soft_build_certificate_object(template, ulAttrNum
,
3610 new_object
, (CK_CERTIFICATE_TYPE
)~0UL);
3614 case CKO_HW_FEATURE
:
3615 case CKO_VENDOR_DEFINED
:
3617 return (CKR_ATTRIBUTE_VALUE_INVALID
);
3624 * Validate the attribute types in the object's template. Then,
3625 * call the appropriate build function according to the class of
3626 * the object specified in the template.
3630 soft_build_key(CK_ATTRIBUTE_PTR
template, CK_ULONG ulAttrNum
,
3631 soft_object_t
*new_object
, CK_OBJECT_CLASS
class, CK_KEY_TYPE key_type
,
3632 CK_ULONG key_len
, CK_ULONG mode
)
3636 CK_OBJECT_CLASS temp_class
= (CK_OBJECT_CLASS
)~0UL;
3638 /* Validate the attribute type in the template. */
3639 if ((template != NULL
) && (ulAttrNum
!= 0)) {
3640 rv
= soft_validate_attr(template, ulAttrNum
, &temp_class
);
3646 * If either the class from the parameter list ("class") or
3647 * the class from the template ("temp_class") is not specified,
3648 * try to use the other one.
3650 if (temp_class
== (CK_OBJECT_CLASS
)~0UL) {
3652 } else if (class == (CK_OBJECT_CLASS
)~0UL) {
3656 /* If object class is still not specified, template is incomplete. */
3657 if (class == (CK_OBJECT_CLASS
)~0UL)
3658 return (CKR_TEMPLATE_INCOMPLETE
);
3660 /* Class should match if specified in both parameters and template. */
3661 if (class != temp_class
)
3662 return (CKR_TEMPLATE_INCONSISTENT
);
3665 * Call the appropriate function based on the supported class
3669 case CKO_PUBLIC_KEY
:
3671 /* Unwrapping public keys is not supported. */
3672 if (mode
== SOFT_UNWRAP_KEY
) {
3673 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
3677 rv
= soft_build_public_key_object(template, ulAttrNum
,
3678 new_object
, mode
, key_type
);
3681 case CKO_PRIVATE_KEY
:
3683 rv
= soft_build_private_key_object(template, ulAttrNum
,
3684 new_object
, mode
, key_type
);
3687 case CKO_SECRET_KEY
:
3689 rv
= soft_build_secret_key_object(template, ulAttrNum
,
3690 new_object
, mode
, key_len
, key_type
);
3693 case CKO_DOMAIN_PARAMETERS
:
3695 /* Unwrapping domain parameters is not supported. */
3696 if (mode
== SOFT_UNWRAP_KEY
) {
3697 rv
= CKR_ATTRIBUTE_VALUE_INVALID
;
3701 rv
= soft_build_domain_parameters_object(template, ulAttrNum
,
3706 case CKO_CERTIFICATE
:
3707 case CKO_HW_FEATURE
:
3708 case CKO_VENDOR_DEFINED
:
3710 return (CKR_ATTRIBUTE_VALUE_INVALID
);
3718 * Get the value of a requested attribute that is common to all supported
3719 * classes (i.e. public key, private key, secret key, domain parameters,
3720 * and certificate classes).
3723 soft_get_common_attrs(soft_object_t
*object_p
, CK_ATTRIBUTE_PTR
template,
3724 uchar_t object_type
)
3729 switch (template->type
) {
3732 return (get_ulong_attr_from_object(object_p
->class,
3735 /* default boolean attributes */
3737 template->ulValueLen
= sizeof (CK_BBOOL
);
3738 if (template->pValue
== NULL
) {
3741 if (object_type
& TOKEN_OBJECT
)
3742 *((CK_BBOOL
*)template->pValue
) = B_TRUE
;
3744 *((CK_BBOOL
*)template->pValue
) = B_FALSE
;
3749 template->ulValueLen
= sizeof (CK_BBOOL
);
3750 if (template->pValue
== NULL
) {
3753 if (object_type
& PRIVATE_OBJECT
)
3754 *((CK_BBOOL
*)template->pValue
) = B_TRUE
;
3756 *((CK_BBOOL
*)template->pValue
) = B_FALSE
;
3759 case CKA_MODIFIABLE
:
3760 template->ulValueLen
= sizeof (CK_BBOOL
);
3761 if (template->pValue
== NULL
) {
3764 if ((object_p
->bool_attr_mask
) & NOT_MODIFIABLE_BOOL_ON
)
3765 *((CK_BBOOL
*)template->pValue
) = B_FALSE
;
3767 *((CK_BBOOL
*)template->pValue
) = B_TRUE
;
3771 return (get_extra_attr_from_object(object_p
,
3776 * The specified attribute for the object is invalid.
3777 * (the object does not possess such an attribute.)
3779 template->ulValueLen
= (CK_ULONG
)-1;
3780 return (CKR_ATTRIBUTE_TYPE_INVALID
);
3787 * Get the value of a requested attribute that is common to all key objects
3788 * (i.e. public key, private key and secret key).
3791 soft_get_common_key_attrs(soft_object_t
*object_p
, CK_ATTRIBUTE_PTR
template)
3794 switch (template->type
) {
3797 return (get_ulong_attr_from_object(object_p
->key_type
,
3801 case CKA_START_DATE
:
3804 * The above extra attributes have byte array type.
3806 return (get_extra_attr_from_object(object_p
,
3809 /* Key related boolean attributes */
3811 return (get_bool_attr_from_object(object_p
,
3812 LOCAL_BOOL_ON
, template));
3815 return (get_bool_attr_from_object(object_p
,
3816 DERIVE_BOOL_ON
, template));
3818 case CKA_KEY_GEN_MECHANISM
:
3819 return (get_ulong_attr_from_object(object_p
->mechanism
,
3823 return (CKR_ATTRIBUTE_TYPE_INVALID
);
3828 * Get the value of a requested attribute of a Public Key Object.
3830 * Rule: All the attributes in the public key object can be revealed.
3833 soft_get_public_key_attribute(soft_object_t
*object_p
,
3834 CK_ATTRIBUTE_PTR
template)
3838 CK_KEY_TYPE keytype
= object_p
->key_type
;
3840 switch (template->type
) {
3845 * The above extra attributes have byte array type.
3847 return (get_extra_attr_from_object(object_p
,
3850 /* Key related boolean attributes */
3852 return (get_bool_attr_from_object(object_p
,
3853 ENCRYPT_BOOL_ON
, template));
3856 return (get_bool_attr_from_object(object_p
,
3857 VERIFY_BOOL_ON
, template));
3859 case CKA_VERIFY_RECOVER
:
3860 return (get_bool_attr_from_object(object_p
,
3861 VERIFY_RECOVER_BOOL_ON
, template));
3864 return (get_bool_attr_from_object(object_p
,
3865 WRAP_BOOL_ON
, template));
3868 return (get_bool_attr_from_object(object_p
,
3869 TRUSTED_BOOL_ON
, template));
3873 * This attribute is valid only for RSA public key
3876 if (keytype
== CKK_RSA
) {
3877 return (get_bigint_attr_from_object(
3878 OBJ_PUB_RSA_MOD(object_p
), template));
3880 template->ulValueLen
= (CK_ULONG
)-1;
3881 return (CKR_ATTRIBUTE_TYPE_INVALID
);
3884 case CKA_PUBLIC_EXPONENT
:
3885 if (keytype
== CKK_RSA
) {
3886 return (get_bigint_attr_from_object(
3887 OBJ_PUB_RSA_PUBEXPO(object_p
), template));
3889 template->ulValueLen
= (CK_ULONG
)-1;
3890 return (CKR_ATTRIBUTE_TYPE_INVALID
);
3893 case CKA_MODULUS_BITS
:
3894 if (keytype
== CKK_RSA
) {
3895 return (get_ulong_attr_from_object(
3896 OBJ_PUB_RSA_MOD_BITS(object_p
), template));
3898 template->ulValueLen
= (CK_ULONG
)-1;
3899 return (CKR_ATTRIBUTE_TYPE_INVALID
);
3905 return (get_bigint_attr_from_object(
3906 OBJ_PUB_DSA_PRIME(object_p
), template));
3909 return (get_bigint_attr_from_object(
3910 OBJ_PUB_DH_PRIME(object_p
), template));
3913 return (get_bigint_attr_from_object(
3914 OBJ_PUB_DH942_PRIME(object_p
), template));
3917 template->ulValueLen
= (CK_ULONG
)-1;
3918 return (CKR_ATTRIBUTE_TYPE_INVALID
);
3924 return (get_bigint_attr_from_object(
3925 OBJ_PUB_DSA_SUBPRIME(object_p
), template));
3928 return (get_bigint_attr_from_object(
3929 OBJ_PUB_DH942_SUBPRIME(object_p
), template));
3932 template->ulValueLen
= (CK_ULONG
)-1;
3933 return (CKR_ATTRIBUTE_TYPE_INVALID
);
3939 return (get_bigint_attr_from_object(
3940 OBJ_PUB_DSA_BASE(object_p
), template));
3943 return (get_bigint_attr_from_object(
3944 OBJ_PUB_DH_BASE(object_p
), template));
3947 return (get_bigint_attr_from_object(
3948 OBJ_PUB_DH942_BASE(object_p
), template));
3951 template->ulValueLen
= (CK_ULONG
)-1;
3952 return (CKR_ATTRIBUTE_TYPE_INVALID
);
3956 return (get_bigint_attr_from_object(
3957 OBJ_PUB_EC_POINT(object_p
), template));
3962 return (get_bigint_attr_from_object(
3963 OBJ_PUB_DSA_VALUE(object_p
), template));
3966 return (get_bigint_attr_from_object(
3967 OBJ_PUB_DH_VALUE(object_p
), template));
3970 return (get_bigint_attr_from_object(
3971 OBJ_PUB_DH942_VALUE(object_p
), template));
3974 template->ulValueLen
= (CK_ULONG
)-1;
3975 return (CKR_ATTRIBUTE_TYPE_INVALID
);
3980 * First, get the value of the request attribute defined
3981 * in the list of common key attributes. If the request
3982 * attribute is not found in that list, then get the
3983 * attribute from the list of common attributes.
3985 rv
= soft_get_common_key_attrs(object_p
, template);
3986 if (rv
== CKR_ATTRIBUTE_TYPE_INVALID
) {
3987 rv
= soft_get_common_attrs(object_p
, template,
3988 object_p
->object_type
);
3998 * Get the value of a requested attribute of a Private Key Object.
4000 * Rule: All the attributes in the private key object can be revealed
4001 * except those marked with footnote number "7" when the object
4002 * has its CKA_SENSITIVE attribute set to TRUE or its
4003 * CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.).
4006 soft_get_private_key_attribute(soft_object_t
*object_p
,
4007 CK_ATTRIBUTE_PTR
template)
4011 CK_KEY_TYPE keytype
= object_p
->key_type
;
4015 * If the following specified attributes for the private key
4016 * object cannot be revealed because the object is sensitive
4017 * or unextractable, then the ulValueLen is set to -1.
4019 if ((object_p
->bool_attr_mask
& SENSITIVE_BOOL_ON
) ||
4020 !(object_p
->bool_attr_mask
& EXTRACTABLE_BOOL_ON
)) {
4022 switch (template->type
) {
4023 case CKA_PRIVATE_EXPONENT
:
4026 case CKA_EXPONENT_1
:
4027 case CKA_EXPONENT_2
:
4028 case CKA_COEFFICIENT
:
4030 template->ulValueLen
= (CK_ULONG
)-1;
4031 return (CKR_ATTRIBUTE_SENSITIVE
);
4035 switch (template->type
) {
4040 * The above extra attributes have byte array type.
4042 return (get_extra_attr_from_object(object_p
,
4045 /* Key related boolean attributes */
4047 return (get_bool_attr_from_object(object_p
,
4048 SENSITIVE_BOOL_ON
, template));
4050 case CKA_SECONDARY_AUTH
:
4051 return (get_bool_attr_from_object(object_p
,
4052 SECONDARY_AUTH_BOOL_ON
, template));
4055 return (get_bool_attr_from_object(object_p
,
4056 DECRYPT_BOOL_ON
, template));
4059 return (get_bool_attr_from_object(object_p
,
4060 SIGN_BOOL_ON
, template));
4062 case CKA_SIGN_RECOVER
:
4063 return (get_bool_attr_from_object(object_p
,
4064 SIGN_RECOVER_BOOL_ON
, template));
4067 return (get_bool_attr_from_object(object_p
,
4068 UNWRAP_BOOL_ON
, template));
4070 case CKA_EXTRACTABLE
:
4071 return (get_bool_attr_from_object(object_p
,
4072 EXTRACTABLE_BOOL_ON
, template));
4074 case CKA_ALWAYS_SENSITIVE
:
4075 return (get_bool_attr_from_object(object_p
,
4076 ALWAYS_SENSITIVE_BOOL_ON
, template));
4078 case CKA_NEVER_EXTRACTABLE
:
4079 return (get_bool_attr_from_object(object_p
,
4080 NEVER_EXTRACTABLE_BOOL_ON
, template));
4083 if (keytype
== CKK_RSA
) {
4084 return (get_bigint_attr_from_object(
4085 OBJ_PRI_RSA_MOD(object_p
), template));
4087 template->ulValueLen
= (CK_ULONG
)-1;
4088 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
4092 case CKA_PUBLIC_EXPONENT
:
4093 if (keytype
== CKK_RSA
) {
4094 return (get_bigint_attr_from_object(
4095 OBJ_PRI_RSA_PUBEXPO(object_p
), template));
4097 template->ulValueLen
= (CK_ULONG
)-1;
4098 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
4102 case CKA_PRIVATE_EXPONENT
:
4103 if (keytype
== CKK_RSA
) {
4104 return (get_bigint_attr_from_object(
4105 OBJ_PRI_RSA_PRIEXPO(object_p
), template));
4107 template->ulValueLen
= (CK_ULONG
)-1;
4108 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
4113 if (keytype
== CKK_RSA
) {
4114 return (get_bigint_attr_from_object(
4115 OBJ_PRI_RSA_PRIME1(object_p
), template));
4117 template->ulValueLen
= (CK_ULONG
)-1;
4118 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
4123 if (keytype
== CKK_RSA
) {
4124 return (get_bigint_attr_from_object(
4125 OBJ_PRI_RSA_PRIME2(object_p
), template));
4127 template->ulValueLen
= (CK_ULONG
)-1;
4128 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
4132 case CKA_EXPONENT_1
:
4133 if (keytype
== CKK_RSA
) {
4134 return (get_bigint_attr_from_object(
4135 OBJ_PRI_RSA_EXPO1(object_p
), template));
4137 template->ulValueLen
= (CK_ULONG
)-1;
4138 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
4142 case CKA_EXPONENT_2
:
4143 if (keytype
== CKK_RSA
) {
4144 return (get_bigint_attr_from_object(
4145 OBJ_PRI_RSA_EXPO2(object_p
), template));
4147 template->ulValueLen
= (CK_ULONG
)-1;
4148 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
4152 case CKA_COEFFICIENT
:
4153 if (keytype
== CKK_RSA
) {
4154 return (get_bigint_attr_from_object(
4155 OBJ_PRI_RSA_COEF(object_p
), template));
4157 template->ulValueLen
= (CK_ULONG
)-1;
4158 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
4162 case CKA_VALUE_BITS
:
4163 if (keytype
== CKK_DH
) {
4164 return (get_ulong_attr_from_object(
4165 OBJ_PRI_DH_VAL_BITS(object_p
), template));
4167 template->ulValueLen
= (CK_ULONG
)-1;
4168 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
4175 return (get_bigint_attr_from_object(
4176 OBJ_PRI_DSA_PRIME(object_p
), template));
4179 return (get_bigint_attr_from_object(
4180 OBJ_PRI_DH_PRIME(object_p
), template));
4183 return (get_bigint_attr_from_object(
4184 OBJ_PRI_DH942_PRIME(object_p
), template));
4187 template->ulValueLen
= (CK_ULONG
)-1;
4188 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4194 return (get_bigint_attr_from_object(
4195 OBJ_PRI_DSA_SUBPRIME(object_p
), template));
4198 return (get_bigint_attr_from_object(
4199 OBJ_PRI_DH942_SUBPRIME(object_p
), template));
4202 template->ulValueLen
= (CK_ULONG
)-1;
4203 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4209 return (get_bigint_attr_from_object(
4210 OBJ_PRI_DSA_BASE(object_p
), template));
4213 return (get_bigint_attr_from_object(
4214 OBJ_PRI_DH_BASE(object_p
), template));
4217 return (get_bigint_attr_from_object(
4218 OBJ_PRI_DH942_BASE(object_p
), template));
4221 template->ulValueLen
= (CK_ULONG
)-1;
4222 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4228 return (get_bigint_attr_from_object(
4229 OBJ_PRI_DSA_VALUE(object_p
), template));
4232 return (get_bigint_attr_from_object(
4233 OBJ_PRI_DH_VALUE(object_p
), template));
4236 return (get_bigint_attr_from_object(
4237 OBJ_PRI_DH942_VALUE(object_p
), template));
4240 return (get_bigint_attr_from_object(
4241 OBJ_PRI_EC_VALUE(object_p
), template));
4244 template->ulValueLen
= (CK_ULONG
)-1;
4245 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4250 * First, get the value of the request attribute defined
4251 * in the list of common key attributes. If the request
4252 * attribute is not found in that list, then get the
4253 * attribute from the list of common attributes.
4255 rv
= soft_get_common_key_attrs(object_p
, template);
4256 if (rv
== CKR_ATTRIBUTE_TYPE_INVALID
) {
4257 rv
= soft_get_common_attrs(object_p
, template,
4258 object_p
->object_type
);
4268 * Get the value of a requested attribute of a Secret Key Object.
4270 * Rule: All the attributes in the secret key object can be revealed
4271 * except those marked with footnote number "7" when the object
4272 * has its CKA_SENSITIVE attribute set to TRUE or its
4273 * CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.).
4276 soft_get_secret_key_attribute(soft_object_t
*object_p
,
4277 CK_ATTRIBUTE_PTR
template)
4281 CK_KEY_TYPE keytype
= object_p
->key_type
;
4283 switch (template->type
) {
4285 /* Key related boolean attributes */
4287 return (get_bool_attr_from_object(object_p
,
4288 SENSITIVE_BOOL_ON
, template));
4291 return (get_bool_attr_from_object(object_p
,
4292 ENCRYPT_BOOL_ON
, template));
4295 return (get_bool_attr_from_object(object_p
,
4296 DECRYPT_BOOL_ON
, template));
4299 return (get_bool_attr_from_object(object_p
,
4300 SIGN_BOOL_ON
, template));
4303 return (get_bool_attr_from_object(object_p
,
4304 VERIFY_BOOL_ON
, template));
4307 return (get_bool_attr_from_object(object_p
,
4308 WRAP_BOOL_ON
, template));
4311 return (get_bool_attr_from_object(object_p
,
4312 UNWRAP_BOOL_ON
, template));
4314 case CKA_EXTRACTABLE
:
4315 return (get_bool_attr_from_object(object_p
,
4316 EXTRACTABLE_BOOL_ON
, template));
4318 case CKA_ALWAYS_SENSITIVE
:
4319 return (get_bool_attr_from_object(object_p
,
4320 ALWAYS_SENSITIVE_BOOL_ON
, template));
4322 case CKA_NEVER_EXTRACTABLE
:
4323 return (get_bool_attr_from_object(object_p
,
4324 NEVER_EXTRACTABLE_BOOL_ON
, template));
4329 * If the specified attribute for the secret key object
4330 * cannot be revealed because the object is sensitive
4331 * or unextractable, then the ulValueLen is set to -1.
4333 if ((object_p
->bool_attr_mask
& SENSITIVE_BOOL_ON
) ||
4334 !(object_p
->bool_attr_mask
& EXTRACTABLE_BOOL_ON
)) {
4335 template->ulValueLen
= (CK_ULONG
)-1;
4336 return (CKR_ATTRIBUTE_SENSITIVE
);
4341 case CKK_GENERIC_SECRET
:
4349 if (template->type
== CKA_VALUE_LEN
) {
4350 return (get_ulong_attr_from_object(
4351 OBJ_SEC_VALUE_LEN(object_p
),
4354 return (get_bigint_attr_from_object(
4355 (biginteger_t
*)OBJ_SEC(object_p
),
4359 template->ulValueLen
= (CK_ULONG
)-1;
4360 rv
= CKR_ATTRIBUTE_TYPE_INVALID
;
4367 * First, get the value of the request attribute defined
4368 * in the list of common key attributes. If the request
4369 * attribute is not found in that list, then get the
4370 * attribute from the list of common attributes.
4372 rv
= soft_get_common_key_attrs(object_p
, template);
4373 if (rv
== CKR_ATTRIBUTE_TYPE_INVALID
) {
4374 rv
= soft_get_common_attrs(object_p
, template,
4375 object_p
->object_type
);
4385 * Get the value of a requested attribute of a Domain Parameters Object.
4387 * Rule: All the attributes in the domain parameters object can be revealed.
4390 soft_get_domain_parameters_attribute(soft_object_t
*object_p
,
4391 CK_ATTRIBUTE_PTR
template)
4395 CK_KEY_TYPE keytype
= object_p
->key_type
;
4397 switch (template->type
) {
4400 return (get_ulong_attr_from_object(keytype
,
4404 return (get_bool_attr_from_object(object_p
,
4405 LOCAL_BOOL_ON
, template));
4410 return (get_bigint_attr_from_object(
4411 OBJ_DOM_DSA_PRIME(object_p
), template));
4414 return (get_bigint_attr_from_object(
4415 OBJ_DOM_DH_PRIME(object_p
), template));
4418 return (get_bigint_attr_from_object(
4419 OBJ_DOM_DH942_PRIME(object_p
), template));
4422 template->ulValueLen
= (CK_ULONG
)-1;
4423 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4429 return (get_bigint_attr_from_object(
4430 OBJ_DOM_DSA_SUBPRIME(object_p
), template));
4433 return (get_bigint_attr_from_object(
4434 OBJ_DOM_DH942_SUBPRIME(object_p
), template));
4437 template->ulValueLen
= (CK_ULONG
)-1;
4438 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4444 return (get_bigint_attr_from_object(
4445 OBJ_DOM_DSA_BASE(object_p
), template));
4448 return (get_bigint_attr_from_object(
4449 OBJ_DOM_DH_BASE(object_p
), template));
4452 return (get_bigint_attr_from_object(
4453 OBJ_DOM_DH942_BASE(object_p
), template));
4456 template->ulValueLen
= (CK_ULONG
)-1;
4457 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4460 case CKA_PRIME_BITS
:
4463 return (get_ulong_attr_from_object(
4464 OBJ_DOM_DSA_PRIME_BITS(object_p
), template));
4467 return (get_ulong_attr_from_object(
4468 OBJ_DOM_DH_PRIME_BITS(object_p
), template));
4471 return (get_ulong_attr_from_object(
4472 OBJ_DOM_DH942_PRIME_BITS(object_p
), template));
4475 template->ulValueLen
= (CK_ULONG
)-1;
4476 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4479 case CKA_SUB_PRIME_BITS
:
4482 return (get_ulong_attr_from_object(
4483 OBJ_DOM_DH942_SUBPRIME_BITS(object_p
), template));
4486 template->ulValueLen
= (CK_ULONG
)-1;
4487 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4492 * Get the value of a common attribute.
4494 rv
= soft_get_common_attrs(object_p
, template,
4495 object_p
->object_type
);
4503 * Get certificate attributes from an object.
4504 * return CKR_ATTRIBUTE_TYPE_INVALID if the requested type
4505 * does not exist in the certificate.
4508 soft_get_certificate_attribute(soft_object_t
*object_p
,
4509 CK_ATTRIBUTE_PTR
template)
4511 CK_CERTIFICATE_TYPE certtype
= object_p
->cert_type
;
4514 switch (template->type
) {
4516 if (certtype
== CKC_X_509
) {
4517 return (get_cert_attr_from_object(
4518 X509_CERT_SUBJECT(object_p
), template));
4522 if (certtype
== CKC_X_509
) {
4523 return (get_cert_attr_from_object(
4524 X509_CERT_VALUE(object_p
), template));
4525 } else if (certtype
== CKC_X_509_ATTR_CERT
) {
4526 return (get_cert_attr_from_object(
4527 X509_ATTR_CERT_VALUE(object_p
), template));
4531 if (certtype
== CKC_X_509_ATTR_CERT
) {
4532 return (get_cert_attr_from_object(
4533 X509_ATTR_CERT_OWNER(object_p
), template));
4536 case CKA_CERTIFICATE_TYPE
:
4537 src
.value
= (CK_BYTE
*)&certtype
;
4538 src
.length
= sizeof (certtype
);
4539 return (get_cert_attr_from_object(&src
, template));
4541 return (get_bool_attr_from_object(object_p
,
4542 TRUSTED_BOOL_ON
, template));
4545 case CKA_SERIAL_NUMBER
:
4547 case CKA_ATTR_TYPES
:
4548 return (get_extra_attr_from_object(object_p
,
4551 return (soft_get_common_attrs(object_p
, template,
4552 object_p
->object_type
));
4556 * If we got this far, then the combination of certificate type
4557 * and requested attribute is invalid.
4559 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4563 soft_set_certificate_attribute(soft_object_t
*object_p
,
4564 CK_ATTRIBUTE_PTR
template, boolean_t copy
)
4566 CK_CERTIFICATE_TYPE certtype
= object_p
->cert_type
;
4568 switch (template->type
) {
4570 if (certtype
== CKC_X_509
) {
4571 /* SUBJECT attr cannot be modified. */
4572 return (CKR_ATTRIBUTE_READ_ONLY
);
4576 if (certtype
== CKC_X_509_ATTR_CERT
) {
4577 /* OWNER attr cannot be modified. */
4578 return (CKR_ATTRIBUTE_READ_ONLY
);
4582 /* VALUE attr cannot be modified. */
4583 return (CKR_ATTRIBUTE_READ_ONLY
);
4586 if (certtype
== CKC_X_509
) {
4587 return (set_extra_attr_to_object(object_p
,
4588 template->type
, template));
4592 case CKA_ATTR_TYPES
:
4593 if (certtype
== CKC_X_509_ATTR_CERT
) {
4594 return (set_extra_attr_to_object(object_p
,
4595 template->type
, template));
4598 case CKA_SERIAL_NUMBER
:
4600 return (set_extra_attr_to_object(object_p
,
4601 template->type
, template));
4603 return (soft_set_common_storage_attribute(
4604 object_p
, template, copy
));
4608 * If we got this far, then the combination of certificate type
4609 * and requested attribute is invalid.
4611 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4615 * Call the appropriate get attribute function according to the class
4618 * The caller of this function holds the lock on the object.
4621 soft_get_attribute(soft_object_t
*object_p
, CK_ATTRIBUTE_PTR
template)
4625 CK_OBJECT_CLASS
class = object_p
->class;
4628 case CKO_PUBLIC_KEY
:
4629 rv
= soft_get_public_key_attribute(object_p
, template);
4632 case CKO_PRIVATE_KEY
:
4633 rv
= soft_get_private_key_attribute(object_p
, template);
4636 case CKO_SECRET_KEY
:
4637 rv
= soft_get_secret_key_attribute(object_p
, template);
4640 case CKO_DOMAIN_PARAMETERS
:
4641 rv
= soft_get_domain_parameters_attribute(object_p
, template);
4644 case CKO_CERTIFICATE
:
4645 rv
= soft_get_certificate_attribute(object_p
, template);
4650 * If the specified attribute for the object is invalid
4651 * (the object does not possess such as attribute), then
4652 * the ulValueLen is modified to hold the value -1.
4654 template->ulValueLen
= (CK_ULONG
)-1;
4655 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4663 soft_set_common_storage_attribute(soft_object_t
*object_p
,
4664 CK_ATTRIBUTE_PTR
template, boolean_t copy
)
4669 switch (template->type
) {
4673 if ((*(CK_BBOOL
*)template->pValue
) == B_TRUE
) {
4674 if (!soft_keystore_status(KEYSTORE_INITIALIZED
))
4675 return (CKR_DEVICE_REMOVED
);
4676 object_p
->object_type
|= TOKEN_OBJECT
;
4679 rv
= CKR_ATTRIBUTE_READ_ONLY
;
4686 if ((*(CK_BBOOL
*)template->pValue
) == B_TRUE
) {
4687 (void) pthread_mutex_lock(&soft_giant_mutex
);
4688 if (!soft_slot
.authenticated
) {
4690 * Check if this is the special case
4691 * when the PIN is never initialized
4692 * in the keystore. If true, we will
4693 * let it pass here and let it fail
4694 * with CKR_PIN_EXPIRED later on.
4696 if (!soft_slot
.userpin_change_needed
) {
4697 (void) pthread_mutex_unlock(
4699 return (CKR_USER_NOT_LOGGED_IN
);
4702 (void) pthread_mutex_unlock(&soft_giant_mutex
);
4703 object_p
->object_type
|= PRIVATE_OBJECT
;
4706 rv
= CKR_ATTRIBUTE_READ_ONLY
;
4710 case CKA_MODIFIABLE
:
4712 if ((*(CK_BBOOL
*)template->pValue
) == TRUE
)
4713 object_p
->bool_attr_mask
&=
4714 ~NOT_MODIFIABLE_BOOL_ON
;
4716 object_p
->bool_attr_mask
|=
4717 NOT_MODIFIABLE_BOOL_ON
;
4719 rv
= CKR_ATTRIBUTE_READ_ONLY
;
4724 rv
= CKR_ATTRIBUTE_READ_ONLY
;
4728 rv
= CKR_TEMPLATE_INCONSISTENT
;
4735 * Set the value of an attribute that is common to all key objects
4736 * (i.e. public key, private key and secret key).
4739 soft_set_common_key_attribute(soft_object_t
*object_p
,
4740 CK_ATTRIBUTE_PTR
template, boolean_t copy
)
4743 switch (template->type
) {
4747 * Only the LABEL can be modified in the common storage
4748 * object attributes after the object is created.
4750 return (set_extra_attr_to_object(object_p
,
4751 CKA_LABEL
, template));
4754 return (set_extra_attr_to_object(object_p
,
4757 case CKA_START_DATE
:
4758 return (set_extra_attr_to_object(object_p
,
4759 CKA_START_DATE
, template));
4762 return (set_extra_attr_to_object(object_p
,
4763 CKA_END_DATE
, template));
4766 return (set_bool_attr_to_object(object_p
,
4767 DERIVE_BOOL_ON
, template));
4771 case CKA_KEY_GEN_MECHANISM
:
4772 return (CKR_ATTRIBUTE_READ_ONLY
);
4775 return (soft_set_common_storage_attribute(object_p
,
4784 * Set the value of an attribute of a Public Key Object.
4786 * Rule: The attributes marked with footnote number "8" in the PKCS11
4787 * spec may be modified (p.88 in PKCS11 spec.).
4790 soft_set_public_key_attribute(soft_object_t
*object_p
,
4791 CK_ATTRIBUTE_PTR
template, boolean_t copy
)
4793 CK_KEY_TYPE keytype
= object_p
->key_type
;
4795 switch (template->type
) {
4798 return (set_extra_attr_to_object(object_p
,
4799 CKA_SUBJECT
, template));
4802 return (set_bool_attr_to_object(object_p
,
4803 ENCRYPT_BOOL_ON
, template));
4806 return (set_bool_attr_to_object(object_p
,
4807 VERIFY_BOOL_ON
, template));
4809 case CKA_VERIFY_RECOVER
:
4810 return (set_bool_attr_to_object(object_p
,
4811 VERIFY_RECOVER_BOOL_ON
, template));
4814 return (set_bool_attr_to_object(object_p
,
4815 WRAP_BOOL_ON
, template));
4818 case CKA_MODULUS_BITS
:
4819 case CKA_PUBLIC_EXPONENT
:
4820 if (keytype
== CKK_RSA
)
4821 return (CKR_ATTRIBUTE_READ_ONLY
);
4825 if ((keytype
== CKK_DSA
) ||
4826 (keytype
== CKK_X9_42_DH
))
4827 return (CKR_ATTRIBUTE_READ_ONLY
);
4833 if ((keytype
== CKK_DSA
) ||
4834 (keytype
== CKK_DH
) ||
4835 (keytype
== CKK_X9_42_DH
))
4836 return (CKR_ATTRIBUTE_READ_ONLY
);
4841 * Set the value of a common key attribute.
4843 return (soft_set_common_key_attribute(object_p
,
4848 * If we got this far, then the combination of key type
4849 * and requested attribute is invalid.
4851 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4856 * Set the value of an attribute of a Private Key Object.
4858 * Rule: The attributes marked with footnote number "8" in the PKCS11
4859 * spec may be modified (p.88 in PKCS11 spec.).
4862 soft_set_private_key_attribute(soft_object_t
*object_p
,
4863 CK_ATTRIBUTE_PTR
template, boolean_t copy
)
4865 CK_KEY_TYPE keytype
= object_p
->key_type
;
4867 switch (template->type
) {
4870 return (set_extra_attr_to_object(object_p
,
4871 CKA_SUBJECT
, template));
4875 * Cannot set SENSITIVE to FALSE if it is already ON.
4877 if (((*(CK_BBOOL
*)template->pValue
) == B_FALSE
) &&
4878 (object_p
->bool_attr_mask
& SENSITIVE_BOOL_ON
)) {
4879 return (CKR_ATTRIBUTE_READ_ONLY
);
4882 if (*(CK_BBOOL
*)template->pValue
)
4883 object_p
->bool_attr_mask
|= SENSITIVE_BOOL_ON
;
4887 return (set_bool_attr_to_object(object_p
,
4888 DECRYPT_BOOL_ON
, template));
4891 return (set_bool_attr_to_object(object_p
,
4892 SIGN_BOOL_ON
, template));
4894 case CKA_SIGN_RECOVER
:
4895 return (set_bool_attr_to_object(object_p
,
4896 SIGN_RECOVER_BOOL_ON
, template));
4899 return (set_bool_attr_to_object(object_p
,
4900 UNWRAP_BOOL_ON
, template));
4902 case CKA_EXTRACTABLE
:
4904 * Cannot set EXTRACTABLE to TRUE if it is already OFF.
4906 if ((*(CK_BBOOL
*)template->pValue
) &&
4907 !(object_p
->bool_attr_mask
& EXTRACTABLE_BOOL_ON
)) {
4908 return (CKR_ATTRIBUTE_READ_ONLY
);
4911 if ((*(CK_BBOOL
*)template->pValue
) == B_FALSE
)
4912 object_p
->bool_attr_mask
&= ~EXTRACTABLE_BOOL_ON
;
4916 case CKA_PUBLIC_EXPONENT
:
4917 case CKA_PRIVATE_EXPONENT
:
4920 case CKA_EXPONENT_1
:
4921 case CKA_EXPONENT_2
:
4922 case CKA_COEFFICIENT
:
4923 if (keytype
== CKK_RSA
) {
4924 return (CKR_ATTRIBUTE_READ_ONLY
);
4929 if ((keytype
== CKK_DSA
) ||
4930 (keytype
== CKK_X9_42_DH
))
4931 return (CKR_ATTRIBUTE_READ_ONLY
);
4937 if ((keytype
== CKK_DSA
) ||
4938 (keytype
== CKK_DH
) ||
4939 (keytype
== CKK_X9_42_DH
))
4940 return (CKR_ATTRIBUTE_READ_ONLY
);
4943 case CKA_VALUE_BITS
:
4944 if (keytype
== CKK_DH
)
4945 return (CKR_ATTRIBUTE_READ_ONLY
);
4950 * Set the value of a common key attribute.
4952 return (soft_set_common_key_attribute(object_p
,
4957 * If we got this far, then the combination of key type
4958 * and requested attribute is invalid.
4960 return (CKR_ATTRIBUTE_TYPE_INVALID
);
4964 * Set the value of an attribute of a Secret Key Object.
4966 * Rule: The attributes marked with footnote number "8" in the PKCS11
4967 * spec may be modified (p.88 in PKCS11 spec.).
4970 soft_set_secret_key_attribute(soft_object_t
*object_p
,
4971 CK_ATTRIBUTE_PTR
template, boolean_t copy
)
4973 CK_KEY_TYPE keytype
= object_p
->key_type
;
4975 switch (template->type
) {
4979 * Cannot set SENSITIVE to FALSE if it is already ON.
4981 if (((*(CK_BBOOL
*)template->pValue
) == B_FALSE
) &&
4982 (object_p
->bool_attr_mask
& SENSITIVE_BOOL_ON
)) {
4983 return (CKR_ATTRIBUTE_READ_ONLY
);
4986 if (*(CK_BBOOL
*)template->pValue
)
4987 object_p
->bool_attr_mask
|= SENSITIVE_BOOL_ON
;
4991 return (set_bool_attr_to_object(object_p
,
4992 ENCRYPT_BOOL_ON
, template));
4995 return (set_bool_attr_to_object(object_p
,
4996 DECRYPT_BOOL_ON
, template));
4999 return (set_bool_attr_to_object(object_p
,
5000 SIGN_BOOL_ON
, template));
5003 return (set_bool_attr_to_object(object_p
,
5004 VERIFY_BOOL_ON
, template));
5007 return (set_bool_attr_to_object(object_p
,
5008 WRAP_BOOL_ON
, template));
5011 return (set_bool_attr_to_object(object_p
,
5012 UNWRAP_BOOL_ON
, template));
5014 case CKA_EXTRACTABLE
:
5016 * Cannot set EXTRACTABLE to TRUE if it is already OFF.
5018 if ((*(CK_BBOOL
*)template->pValue
) &&
5019 !(object_p
->bool_attr_mask
& EXTRACTABLE_BOOL_ON
)) {
5020 return (CKR_ATTRIBUTE_READ_ONLY
);
5023 if ((*(CK_BBOOL
*)template->pValue
) == B_FALSE
)
5024 object_p
->bool_attr_mask
&= ~EXTRACTABLE_BOOL_ON
;
5028 return (CKR_ATTRIBUTE_READ_ONLY
);
5031 if ((keytype
== CKK_RC4
) ||
5032 (keytype
== CKK_GENERIC_SECRET
) ||
5033 (keytype
== CKK_AES
) ||
5034 (keytype
== CKK_BLOWFISH
))
5035 return (CKR_ATTRIBUTE_READ_ONLY
);
5040 * Set the value of a common key attribute.
5042 return (soft_set_common_key_attribute(object_p
,
5047 * If we got this far, then the combination of key type
5048 * and requested attribute is invalid.
5050 return (CKR_ATTRIBUTE_TYPE_INVALID
);
5055 * Call the appropriate set attribute function according to the class
5058 * The caller of this function does not hold the lock on the original
5059 * object, since this function is setting the attribute on the new object
5060 * that is being modified.
5062 * Argument copy: TRUE when called by C_CopyObject,
5063 * FALSE when called by C_SetAttributeValue.
5066 soft_set_attribute(soft_object_t
*object_p
, CK_ATTRIBUTE_PTR
template,
5071 CK_OBJECT_CLASS
class = object_p
->class;
5075 case CKO_PUBLIC_KEY
:
5076 rv
= soft_set_public_key_attribute(object_p
, template, copy
);
5079 case CKO_PRIVATE_KEY
:
5080 rv
= soft_set_private_key_attribute(object_p
, template, copy
);
5083 case CKO_SECRET_KEY
:
5084 rv
= soft_set_secret_key_attribute(object_p
, template, copy
);
5087 case CKO_DOMAIN_PARAMETERS
:
5088 switch (template->type
) {
5091 * Only the LABEL can be modified in the common
5092 * storage object attributes after the object is
5095 return (set_extra_attr_to_object(object_p
,
5096 CKA_LABEL
, template));
5098 return (CKR_TEMPLATE_INCONSISTENT
);
5100 case CKO_CERTIFICATE
:
5101 rv
= soft_set_certificate_attribute(object_p
, template, copy
);
5106 * If the template specifies a value of an attribute
5107 * which is incompatible with other existing attributes
5108 * of the object, then fails with return code
5109 * CKR_TEMPLATE_INCONSISTENT.
5111 rv
= CKR_TEMPLATE_INCONSISTENT
;
5119 soft_get_public_value(soft_object_t
*key
, CK_ATTRIBUTE_TYPE type
,
5120 uchar_t
*value
, uint32_t *value_len
)
5125 /* The following attributes belong to RSA */
5128 ((biginteger_t
*)OBJ_PUB_RSA_MOD(key
))->big_value_len
;
5130 /* This attribute MUST BE set */
5131 if (len
== 0 || len
> *value_len
) {
5132 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5136 (void) memcpy(value
,
5137 ((biginteger_t
*)OBJ_PUB_RSA_MOD(key
))->big_value
,
5142 case CKA_PUBLIC_EXPONENT
:
5144 ((biginteger_t
*)OBJ_PUB_RSA_PUBEXPO(key
))->big_value_len
;
5146 /* This attribute MUST BE set */
5147 if (len
== 0 || len
> *value_len
) {
5148 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5152 (void) memcpy(value
,
5153 ((biginteger_t
*)OBJ_PUB_RSA_PUBEXPO(key
))->big_value
,
5158 /* The following attributes belong to DSA and DH */
5161 if (key
->key_type
== CKK_DSA
)
5163 ((biginteger_t
*)OBJ_PUB_DSA_PRIME(key
))->
5167 ((biginteger_t
*)OBJ_PUB_DH_PRIME(key
))->
5170 /* This attribute MUST BE set */
5171 if (len
== 0 || len
> *value_len
) {
5172 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5176 if (key
->key_type
== CKK_DSA
)
5177 (void) memcpy(value
,
5178 ((biginteger_t
*)OBJ_PUB_DSA_PRIME(key
))->big_value
,
5181 (void) memcpy(value
,
5182 ((biginteger_t
*)OBJ_PUB_DH_PRIME(key
))->big_value
,
5189 ((biginteger_t
*)OBJ_PUB_DSA_SUBPRIME(key
))->big_value_len
;
5191 /* This attribute MUST BE set */
5192 if (len
== 0 || len
> *value_len
) {
5193 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5197 (void) memcpy(value
,
5198 ((biginteger_t
*)OBJ_PUB_DSA_SUBPRIME(key
))->big_value
,
5205 if (key
->key_type
== CKK_DSA
)
5207 ((biginteger_t
*)OBJ_PUB_DSA_BASE(key
))->
5211 ((biginteger_t
*)OBJ_PUB_DH_BASE(key
))->
5214 /* This attribute MUST BE set */
5215 if (len
== 0 || len
> *value_len
) {
5216 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5220 if (key
->key_type
== CKK_DSA
)
5221 (void) memcpy(value
,
5222 ((biginteger_t
*)OBJ_PUB_DSA_BASE(key
))->big_value
,
5225 (void) memcpy(value
,
5226 ((biginteger_t
*)OBJ_PUB_DH_BASE(key
))->big_value
,
5232 if (key
->key_type
== CKK_DSA
)
5234 ((biginteger_t
*)OBJ_PUB_DSA_VALUE(key
))->
5238 ((biginteger_t
*)OBJ_PUB_DH_VALUE(key
))->
5241 /* This attribute MUST BE set */
5242 if (len
== 0 || len
> *value_len
) {
5243 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5247 if (key
->key_type
== CKK_DSA
)
5248 (void) memcpy(value
,
5249 ((biginteger_t
*)OBJ_PUB_DSA_VALUE(key
))->big_value
,
5252 (void) memcpy(value
,
5253 ((biginteger_t
*)OBJ_PUB_DH_VALUE(key
))->big_value
,
5264 soft_get_private_value(soft_object_t
*key
, CK_ATTRIBUTE_TYPE type
,
5265 uchar_t
*value
, uint32_t *value_len
)
5272 /* The following attributes belong to RSA */
5275 ((biginteger_t
*)OBJ_PRI_RSA_MOD(key
))->big_value_len
;
5277 /* This attribute MUST BE set */
5278 if (len
== 0 || len
> *value_len
) {
5279 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5283 (void) memcpy(value
,
5284 ((biginteger_t
*)OBJ_PRI_RSA_MOD(key
))->big_value
,
5289 case CKA_PRIVATE_EXPONENT
:
5291 ((biginteger_t
*)OBJ_PRI_RSA_PRIEXPO(key
))->big_value_len
;
5293 /* This attribute MUST BE set */
5294 if (len
== 0 || len
> *value_len
) {
5295 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5299 (void) memcpy(value
,
5300 ((biginteger_t
*)OBJ_PRI_RSA_PRIEXPO(key
))->big_value
,
5307 ((biginteger_t
*)OBJ_PRI_RSA_PRIME1(key
))->big_value_len
;
5309 if (len
> *value_len
) {
5310 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5314 if (*value_len
== 0) {
5318 (void) memcpy(value
,
5319 ((biginteger_t
*)OBJ_PRI_RSA_PRIME1(key
))->big_value
,
5326 ((biginteger_t
*)OBJ_PRI_RSA_PRIME2(key
))->big_value_len
;
5328 if (len
> *value_len
) {
5329 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5333 if (*value_len
== 0) {
5337 (void) memcpy(value
,
5338 ((biginteger_t
*)OBJ_PRI_RSA_PRIME2(key
))->big_value
,
5343 case CKA_EXPONENT_1
:
5345 ((biginteger_t
*)OBJ_PRI_RSA_EXPO1(key
))->big_value_len
;
5347 if (len
> *value_len
) {
5348 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5352 if (*value_len
== 0) {
5356 (void) memcpy(value
,
5357 ((biginteger_t
*)OBJ_PRI_RSA_EXPO1(key
))->big_value
,
5362 case CKA_EXPONENT_2
:
5364 ((biginteger_t
*)OBJ_PRI_RSA_EXPO2(key
))->big_value_len
;
5366 if (len
> *value_len
) {
5367 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5371 if (*value_len
== 0) {
5375 (void) memcpy(value
,
5376 ((biginteger_t
*)OBJ_PRI_RSA_EXPO2(key
))->big_value
,
5381 case CKA_COEFFICIENT
:
5383 ((biginteger_t
*)OBJ_PRI_RSA_COEF(key
))->big_value_len
;
5385 if (len
> *value_len
) {
5386 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5390 if (*value_len
== 0) {
5394 (void) memcpy(value
,
5395 ((biginteger_t
*)OBJ_PRI_RSA_COEF(key
))->big_value
,
5400 /* The following attributes belong to DSA and DH */
5403 if (key
->key_type
== CKK_DSA
)
5405 ((biginteger_t
*)OBJ_PRI_DSA_PRIME(key
))->
5409 ((biginteger_t
*)OBJ_PRI_DH_PRIME(key
))->
5412 /* This attribute MUST BE set */
5413 if (len
== 0 || len
> *value_len
) {
5414 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5418 if (key
->key_type
== CKK_DSA
)
5419 (void) memcpy(value
,
5420 ((biginteger_t
*)OBJ_PRI_DSA_PRIME(key
))->big_value
,
5423 (void) memcpy(value
,
5424 ((biginteger_t
*)OBJ_PRI_DH_PRIME(key
))->big_value
,
5431 ((biginteger_t
*)OBJ_PRI_DSA_SUBPRIME(key
))->big_value_len
;
5433 /* This attribute MUST BE set */
5434 if (len
== 0 || len
> *value_len
) {
5435 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5439 (void) memcpy(value
,
5440 ((biginteger_t
*)OBJ_PRI_DSA_SUBPRIME(key
))->big_value
,
5447 if (key
->key_type
== CKK_DSA
)
5449 ((biginteger_t
*)OBJ_PRI_DSA_BASE(key
))->
5453 ((biginteger_t
*)OBJ_PRI_DH_BASE(key
))->
5456 /* This attribute MUST BE set */
5457 if (len
== 0 || len
> *value_len
) {
5458 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5462 if (key
->key_type
== CKK_DSA
)
5463 (void) memcpy(value
,
5464 ((biginteger_t
*)OBJ_PRI_DSA_BASE(key
))->big_value
,
5467 (void) memcpy(value
,
5468 ((biginteger_t
*)OBJ_PRI_DH_BASE(key
))->big_value
,
5474 if (key
->key_type
== CKK_DSA
) {
5476 ((biginteger_t
*)OBJ_PRI_DSA_VALUE(key
))->
5478 } else if (key
->key_type
== CKK_DH
) {
5480 ((biginteger_t
*)OBJ_PRI_DH_VALUE(key
))->
5484 ((biginteger_t
*)OBJ_PRI_EC_VALUE(key
))->
5488 /* This attribute MUST BE set */
5489 if (len
== 0 || len
> *value_len
) {
5490 return (CKR_ATTRIBUTE_VALUE_INVALID
);
5494 if (key
->key_type
== CKK_DSA
) {
5495 (void) memcpy(value
,
5496 ((biginteger_t
*)OBJ_PRI_DSA_VALUE(key
))->big_value
,
5498 } else if (key
->key_type
== CKK_DH
) {
5499 (void) memcpy(value
,
5500 ((biginteger_t
*)OBJ_PRI_DH_VALUE(key
))->big_value
,
5503 (void) memcpy(value
,
5504 ((biginteger_t
*)OBJ_PRI_EC_VALUE(key
))->big_value
,
5516 copy_bigint(biginteger_t
*new_bigint
, biginteger_t
*old_bigint
)
5518 new_bigint
->big_value
=
5519 malloc((sizeof (CK_BYTE
) * new_bigint
->big_value_len
));
5521 if (new_bigint
->big_value
== NULL
) {
5522 return (CKR_HOST_MEMORY
);
5525 (void) memcpy(new_bigint
->big_value
, old_bigint
->big_value
,
5526 (sizeof (CK_BYTE
) * new_bigint
->big_value_len
));
5532 free_public_key_attr(public_key_obj_t
*pbk
, CK_KEY_TYPE key_type
)
5540 bigint_attr_cleanup(KEY_PUB_RSA_MOD(pbk
));
5541 bigint_attr_cleanup(KEY_PUB_RSA_PUBEXPO(pbk
));
5544 bigint_attr_cleanup(KEY_PUB_DSA_PRIME(pbk
));
5545 bigint_attr_cleanup(KEY_PUB_DSA_SUBPRIME(pbk
));
5546 bigint_attr_cleanup(KEY_PUB_DSA_BASE(pbk
));
5547 bigint_attr_cleanup(KEY_PUB_DSA_VALUE(pbk
));
5550 bigint_attr_cleanup(KEY_PUB_DH_PRIME(pbk
));
5551 bigint_attr_cleanup(KEY_PUB_DH_BASE(pbk
));
5552 bigint_attr_cleanup(KEY_PUB_DH_VALUE(pbk
));
5555 bigint_attr_cleanup(KEY_PUB_EC_POINT(pbk
));
5558 bigint_attr_cleanup(KEY_PUB_DH942_PRIME(pbk
));
5559 bigint_attr_cleanup(KEY_PUB_DH942_SUBPRIME(pbk
));
5560 bigint_attr_cleanup(KEY_PUB_DH942_BASE(pbk
));
5561 bigint_attr_cleanup(KEY_PUB_DH942_VALUE(pbk
));
5570 soft_copy_public_key_attr(public_key_obj_t
*old_pub_key_obj_p
,
5571 public_key_obj_t
**new_pub_key_obj_p
, CK_KEY_TYPE key_type
)
5574 public_key_obj_t
*pbk
;
5577 pbk
= calloc(1, sizeof (public_key_obj_t
));
5579 return (CKR_HOST_MEMORY
);
5584 (void) memcpy(KEY_PUB_RSA(pbk
),
5585 KEY_PUB_RSA(old_pub_key_obj_p
),
5586 sizeof (rsa_pub_key_t
));
5588 rv
= copy_bigint(KEY_PUB_RSA_MOD(pbk
),
5589 KEY_PUB_RSA_MOD(old_pub_key_obj_p
));
5591 free_public_key_attr(pbk
, key_type
);
5594 /* copy public exponent */
5595 rv
= copy_bigint(KEY_PUB_RSA_PUBEXPO(pbk
),
5596 KEY_PUB_RSA_PUBEXPO(old_pub_key_obj_p
));
5598 free_public_key_attr(pbk
, key_type
);
5603 (void) memcpy(KEY_PUB_DSA(pbk
),
5604 KEY_PUB_DSA(old_pub_key_obj_p
),
5605 sizeof (dsa_pub_key_t
));
5608 rv
= copy_bigint(KEY_PUB_DSA_PRIME(pbk
),
5609 KEY_PUB_DSA_PRIME(old_pub_key_obj_p
));
5611 free_public_key_attr(pbk
, key_type
);
5616 rv
= copy_bigint(KEY_PUB_DSA_SUBPRIME(pbk
),
5617 KEY_PUB_DSA_SUBPRIME(old_pub_key_obj_p
));
5619 free_public_key_attr(pbk
, key_type
);
5624 rv
= copy_bigint(KEY_PUB_DSA_BASE(pbk
),
5625 KEY_PUB_DSA_BASE(old_pub_key_obj_p
));
5627 free_public_key_attr(pbk
, key_type
);
5632 rv
= copy_bigint(KEY_PUB_DSA_VALUE(pbk
),
5633 KEY_PUB_DSA_VALUE(old_pub_key_obj_p
));
5635 free_public_key_attr(pbk
, key_type
);
5640 (void) memcpy(KEY_PUB_DH(pbk
),
5641 KEY_PUB_DH(old_pub_key_obj_p
),
5642 sizeof (dh_pub_key_t
));
5645 rv
= copy_bigint(KEY_PUB_DH_PRIME(pbk
),
5646 KEY_PUB_DH_PRIME(old_pub_key_obj_p
));
5648 free_public_key_attr(pbk
, key_type
);
5653 rv
= copy_bigint(KEY_PUB_DH_BASE(pbk
),
5654 KEY_PUB_DH_BASE(old_pub_key_obj_p
));
5656 free_public_key_attr(pbk
, key_type
);
5661 rv
= copy_bigint(KEY_PUB_DH_VALUE(pbk
),
5662 KEY_PUB_DH_VALUE(old_pub_key_obj_p
));
5664 free_public_key_attr(pbk
, key_type
);
5669 (void) memcpy(KEY_PUB_EC(pbk
),
5670 KEY_PUB_EC(old_pub_key_obj_p
),
5671 sizeof (ec_pub_key_t
));
5674 rv
= copy_bigint(KEY_PUB_EC_POINT(pbk
),
5675 KEY_PUB_EC_POINT(old_pub_key_obj_p
));
5677 free_public_key_attr(pbk
, key_type
);
5682 (void) memcpy(KEY_PUB_DH942(pbk
),
5683 KEY_PUB_DH942(old_pub_key_obj_p
),
5684 sizeof (dh942_pub_key_t
));
5687 rv
= copy_bigint(KEY_PUB_DH942_PRIME(pbk
),
5688 KEY_PUB_DH942_PRIME(old_pub_key_obj_p
));
5690 free_public_key_attr(pbk
, key_type
);
5695 rv
= copy_bigint(KEY_PUB_DH942_SUBPRIME(pbk
),
5696 KEY_PUB_DH942_SUBPRIME(old_pub_key_obj_p
));
5698 free_public_key_attr(pbk
, key_type
);
5703 rv
= copy_bigint(KEY_PUB_DH942_BASE(pbk
),
5704 KEY_PUB_DH942_BASE(old_pub_key_obj_p
));
5706 free_public_key_attr(pbk
, key_type
);
5711 rv
= copy_bigint(KEY_PUB_DH942_VALUE(pbk
),
5712 KEY_PUB_DH942_VALUE(old_pub_key_obj_p
));
5714 free_public_key_attr(pbk
, key_type
);
5721 *new_pub_key_obj_p
= pbk
;
5726 free_private_key_attr(private_key_obj_t
*pbk
, CK_KEY_TYPE key_type
)
5734 bigint_attr_cleanup(KEY_PRI_RSA_MOD(pbk
));
5735 bigint_attr_cleanup(KEY_PRI_RSA_PUBEXPO(pbk
));
5736 bigint_attr_cleanup(KEY_PRI_RSA_PRIEXPO(pbk
));
5737 bigint_attr_cleanup(KEY_PRI_RSA_PRIME1(pbk
));
5738 bigint_attr_cleanup(KEY_PRI_RSA_PRIME2(pbk
));
5739 bigint_attr_cleanup(KEY_PRI_RSA_EXPO1(pbk
));
5740 bigint_attr_cleanup(KEY_PRI_RSA_EXPO2(pbk
));
5741 bigint_attr_cleanup(KEY_PRI_RSA_COEF(pbk
));
5744 bigint_attr_cleanup(KEY_PRI_DSA_PRIME(pbk
));
5745 bigint_attr_cleanup(KEY_PRI_DSA_SUBPRIME(pbk
));
5746 bigint_attr_cleanup(KEY_PRI_DSA_BASE(pbk
));
5747 bigint_attr_cleanup(KEY_PRI_DSA_VALUE(pbk
));
5750 bigint_attr_cleanup(KEY_PRI_DH_PRIME(pbk
));
5751 bigint_attr_cleanup(KEY_PRI_DH_BASE(pbk
));
5752 bigint_attr_cleanup(KEY_PRI_DH_VALUE(pbk
));
5755 bigint_attr_cleanup(KEY_PRI_EC_VALUE(pbk
));
5758 bigint_attr_cleanup(KEY_PRI_DH942_PRIME(pbk
));
5759 bigint_attr_cleanup(KEY_PRI_DH942_SUBPRIME(pbk
));
5760 bigint_attr_cleanup(KEY_PRI_DH942_BASE(pbk
));
5761 bigint_attr_cleanup(KEY_PRI_DH942_VALUE(pbk
));
5770 soft_copy_private_key_attr(private_key_obj_t
*old_pri_key_obj_p
,
5771 private_key_obj_t
**new_pri_key_obj_p
, CK_KEY_TYPE key_type
)
5774 private_key_obj_t
*pbk
;
5776 pbk
= calloc(1, sizeof (private_key_obj_t
));
5778 return (CKR_HOST_MEMORY
);
5783 (void) memcpy(KEY_PRI_RSA(pbk
),
5784 KEY_PRI_RSA(old_pri_key_obj_p
),
5785 sizeof (rsa_pri_key_t
));
5787 rv
= copy_bigint(KEY_PRI_RSA_MOD(pbk
),
5788 KEY_PRI_RSA_MOD(old_pri_key_obj_p
));
5790 free_private_key_attr(pbk
, key_type
);
5793 /* copy public exponent */
5794 rv
= copy_bigint(KEY_PRI_RSA_PUBEXPO(pbk
),
5795 KEY_PRI_RSA_PUBEXPO(old_pri_key_obj_p
));
5797 free_private_key_attr(pbk
, key_type
);
5800 /* copy private exponent */
5801 rv
= copy_bigint(KEY_PRI_RSA_PRIEXPO(pbk
),
5802 KEY_PRI_RSA_PRIEXPO(old_pri_key_obj_p
));
5804 free_private_key_attr(pbk
, key_type
);
5808 rv
= copy_bigint(KEY_PRI_RSA_PRIME1(pbk
),
5809 KEY_PRI_RSA_PRIME1(old_pri_key_obj_p
));
5811 free_private_key_attr(pbk
, key_type
);
5815 rv
= copy_bigint(KEY_PRI_RSA_PRIME2(pbk
),
5816 KEY_PRI_RSA_PRIME2(old_pri_key_obj_p
));
5818 free_private_key_attr(pbk
, key_type
);
5821 /* copy exponent_1 */
5822 rv
= copy_bigint(KEY_PRI_RSA_EXPO1(pbk
),
5823 KEY_PRI_RSA_EXPO1(old_pri_key_obj_p
));
5825 free_private_key_attr(pbk
, key_type
);
5828 /* copy exponent_2 */
5829 rv
= copy_bigint(KEY_PRI_RSA_EXPO2(pbk
),
5830 KEY_PRI_RSA_EXPO2(old_pri_key_obj_p
));
5832 free_private_key_attr(pbk
, key_type
);
5835 /* copy coefficient */
5836 rv
= copy_bigint(KEY_PRI_RSA_COEF(pbk
),
5837 KEY_PRI_RSA_COEF(old_pri_key_obj_p
));
5839 free_private_key_attr(pbk
, key_type
);
5844 (void) memcpy(KEY_PRI_DSA(pbk
),
5845 KEY_PRI_DSA(old_pri_key_obj_p
),
5846 sizeof (dsa_pri_key_t
));
5849 rv
= copy_bigint(KEY_PRI_DSA_PRIME(pbk
),
5850 KEY_PRI_DSA_PRIME(old_pri_key_obj_p
));
5852 free_private_key_attr(pbk
, key_type
);
5857 rv
= copy_bigint(KEY_PRI_DSA_SUBPRIME(pbk
),
5858 KEY_PRI_DSA_SUBPRIME(old_pri_key_obj_p
));
5860 free_private_key_attr(pbk
, key_type
);
5865 rv
= copy_bigint(KEY_PRI_DSA_BASE(pbk
),
5866 KEY_PRI_DSA_BASE(old_pri_key_obj_p
));
5868 free_private_key_attr(pbk
, key_type
);
5873 rv
= copy_bigint(KEY_PRI_DSA_VALUE(pbk
),
5874 KEY_PRI_DSA_VALUE(old_pri_key_obj_p
));
5876 free_private_key_attr(pbk
, key_type
);
5881 (void) memcpy(KEY_PRI_DH(pbk
),
5882 KEY_PRI_DH(old_pri_key_obj_p
),
5883 sizeof (dh_pri_key_t
));
5886 rv
= copy_bigint(KEY_PRI_DH_PRIME(pbk
),
5887 KEY_PRI_DH_PRIME(old_pri_key_obj_p
));
5889 free_private_key_attr(pbk
, key_type
);
5894 rv
= copy_bigint(KEY_PRI_DH_BASE(pbk
),
5895 KEY_PRI_DH_BASE(old_pri_key_obj_p
));
5897 free_private_key_attr(pbk
, key_type
);
5902 rv
= copy_bigint(KEY_PRI_DH_VALUE(pbk
),
5903 KEY_PRI_DH_VALUE(old_pri_key_obj_p
));
5905 free_private_key_attr(pbk
, key_type
);
5910 (void) memcpy(KEY_PRI_EC(pbk
),
5911 KEY_PRI_EC(old_pri_key_obj_p
),
5912 sizeof (ec_pri_key_t
));
5915 rv
= copy_bigint(KEY_PRI_EC_VALUE(pbk
),
5916 KEY_PRI_EC_VALUE(old_pri_key_obj_p
));
5918 free_private_key_attr(pbk
, key_type
);
5923 (void) memcpy(KEY_PRI_DH942(pbk
),
5924 KEY_PRI_DH942(old_pri_key_obj_p
),
5925 sizeof (dh942_pri_key_t
));
5928 rv
= copy_bigint(KEY_PRI_DH942_PRIME(pbk
),
5929 KEY_PRI_DH942_PRIME(old_pri_key_obj_p
));
5931 free_private_key_attr(pbk
, key_type
);
5936 rv
= copy_bigint(KEY_PRI_DH942_SUBPRIME(pbk
),
5937 KEY_PRI_DH942_SUBPRIME(old_pri_key_obj_p
));
5939 free_private_key_attr(pbk
, key_type
);
5944 rv
= copy_bigint(KEY_PRI_DH942_BASE(pbk
),
5945 KEY_PRI_DH942_BASE(old_pri_key_obj_p
));
5947 free_private_key_attr(pbk
, key_type
);
5952 rv
= copy_bigint(KEY_PRI_DH942_VALUE(pbk
),
5953 KEY_PRI_DH942_VALUE(old_pri_key_obj_p
));
5955 free_private_key_attr(pbk
, key_type
);
5962 *new_pri_key_obj_p
= pbk
;
5967 free_domain_attr(domain_obj_t
*domain
, CK_KEY_TYPE key_type
)
5969 if (domain
== NULL
) {
5975 bigint_attr_cleanup(KEY_DOM_DSA_PRIME(domain
));
5976 bigint_attr_cleanup(KEY_DOM_DSA_SUBPRIME(domain
));
5977 bigint_attr_cleanup(KEY_DOM_DSA_BASE(domain
));
5980 bigint_attr_cleanup(KEY_DOM_DH_PRIME(domain
));
5981 bigint_attr_cleanup(KEY_DOM_DH_BASE(domain
));
5984 bigint_attr_cleanup(KEY_DOM_DH942_PRIME(domain
));
5985 bigint_attr_cleanup(KEY_DOM_DH942_SUBPRIME(domain
));
5986 bigint_attr_cleanup(KEY_DOM_DH942_BASE(domain
));
5995 soft_copy_domain_attr(domain_obj_t
*old_domain_obj_p
,
5996 domain_obj_t
**new_domain_obj_p
, CK_KEY_TYPE key_type
)
5999 domain_obj_t
*domain
;
6001 domain
= calloc(1, sizeof (domain_obj_t
));
6002 if (domain
== NULL
) {
6003 return (CKR_HOST_MEMORY
);
6008 (void) memcpy(KEY_DOM_DSA(domain
),
6009 KEY_DOM_DSA(old_domain_obj_p
),
6010 sizeof (dsa_dom_key_t
));
6013 rv
= copy_bigint(KEY_DOM_DSA_PRIME(domain
),
6014 KEY_DOM_DSA_PRIME(old_domain_obj_p
));
6016 free_domain_attr(domain
, key_type
);
6021 rv
= copy_bigint(KEY_DOM_DSA_SUBPRIME(domain
),
6022 KEY_DOM_DSA_SUBPRIME(old_domain_obj_p
));
6024 free_domain_attr(domain
, key_type
);
6029 rv
= copy_bigint(KEY_DOM_DSA_BASE(domain
),
6030 KEY_DOM_DSA_BASE(old_domain_obj_p
));
6032 free_domain_attr(domain
, key_type
);
6038 (void) memcpy(KEY_DOM_DH(domain
),
6039 KEY_DOM_DH(old_domain_obj_p
),
6040 sizeof (dh_dom_key_t
));
6043 rv
= copy_bigint(KEY_DOM_DH_PRIME(domain
),
6044 KEY_DOM_DH_PRIME(old_domain_obj_p
));
6046 free_domain_attr(domain
, key_type
);
6051 rv
= copy_bigint(KEY_DOM_DH_BASE(domain
),
6052 KEY_DOM_DH_BASE(old_domain_obj_p
));
6054 free_domain_attr(domain
, key_type
);
6060 (void) memcpy(KEY_DOM_DH942(domain
),
6061 KEY_DOM_DH942(old_domain_obj_p
),
6062 sizeof (dh942_dom_key_t
));
6065 rv
= copy_bigint(KEY_DOM_DH942_PRIME(domain
),
6066 KEY_DOM_DH942_PRIME(old_domain_obj_p
));
6068 free_domain_attr(domain
, key_type
);
6073 rv
= copy_bigint(KEY_DOM_DH942_SUBPRIME(domain
),
6074 KEY_DOM_DH942_SUBPRIME(old_domain_obj_p
));
6076 free_domain_attr(domain
, key_type
);
6081 rv
= copy_bigint(KEY_DOM_DH942_BASE(domain
),
6082 KEY_DOM_DH942_BASE(old_domain_obj_p
));
6084 free_domain_attr(domain
, key_type
);
6092 *new_domain_obj_p
= domain
;
6097 soft_copy_secret_key_attr(secret_key_obj_t
*old_secret_key_obj_p
,
6098 secret_key_obj_t
**new_secret_key_obj_p
)
6100 secret_key_obj_t
*sk
;
6102 sk
= malloc(sizeof (secret_key_obj_t
));
6104 return (CKR_HOST_MEMORY
);
6106 (void) memcpy(sk
, old_secret_key_obj_p
, sizeof (secret_key_obj_t
));
6108 /* copy the secret key value */
6109 sk
->sk_value
= malloc(sk
->sk_value_len
);
6110 if (sk
->sk_value
== NULL
) {
6112 return (CKR_HOST_MEMORY
);
6114 (void) memcpy(sk
->sk_value
, old_secret_key_obj_p
->sk_value
,
6115 (sizeof (CK_BYTE
) * sk
->sk_value_len
));
6118 * Copy the pre-expanded key schedule.
6120 if (old_secret_key_obj_p
->key_sched
!= NULL
&&
6121 old_secret_key_obj_p
->keysched_len
> 0) {
6122 sk
->key_sched
= malloc(old_secret_key_obj_p
->keysched_len
);
6123 if (sk
->key_sched
== NULL
) {
6124 freezero(sk
->sk_value
, sk
->sk_value_len
);
6126 return (CKR_HOST_MEMORY
);
6128 sk
->keysched_len
= old_secret_key_obj_p
->keysched_len
;
6129 (void) memcpy(sk
->key_sched
, old_secret_key_obj_p
->key_sched
,
6133 *new_secret_key_obj_p
= sk
;
6139 * If CKA_CLASS not given, guess CKA_CLASS using
6140 * attributes on template .
6142 * Some attributes are specific to an object class. If one or more
6143 * of these attributes are in the template, make a list of classes
6144 * that can have these attributes. This would speed up the search later,
6145 * because we can immediately skip an object if the class of that
6146 * object can not possibly contain one of the attributes.
6150 soft_process_find_attr(CK_OBJECT_CLASS
*pclasses
,
6151 CK_ULONG
*num_result_pclasses
, CK_ATTRIBUTE_PTR pTemplate
,
6156 boolean_t pub_found
= B_FALSE
,
6157 priv_found
= B_FALSE
,
6158 secret_found
= B_FALSE
,
6159 domain_found
= B_FALSE
,
6160 hardware_found
= B_FALSE
,
6161 cert_found
= B_FALSE
;
6162 int num_pub_key_attrs
, num_priv_key_attrs
,
6163 num_secret_key_attrs
, num_domain_attrs
,
6164 num_hardware_attrs
, num_cert_attrs
;
6165 int num_pclasses
= 0;
6167 for (i
= 0; i
< ulCount
; i
++) {
6168 if (pTemplate
[i
].type
== CKA_CLASS
) {
6170 * don't need to guess the class, it is specified.
6171 * Just record the class, and return.
6174 (*((CK_OBJECT_CLASS
*)pTemplate
[i
].pValue
));
6175 *num_result_pclasses
= 1;
6181 sizeof (PUB_KEY_ATTRS
) / sizeof (CK_ATTRIBUTE_TYPE
);
6182 num_priv_key_attrs
=
6183 sizeof (PRIV_KEY_ATTRS
) / sizeof (CK_ATTRIBUTE_TYPE
);
6184 num_secret_key_attrs
=
6185 sizeof (SECRET_KEY_ATTRS
) / sizeof (CK_ATTRIBUTE_TYPE
);
6187 sizeof (DOMAIN_ATTRS
) / sizeof (CK_ATTRIBUTE_TYPE
);
6188 num_hardware_attrs
=
6189 sizeof (HARDWARE_ATTRS
) / sizeof (CK_ATTRIBUTE_TYPE
);
6191 sizeof (CERT_ATTRS
) / sizeof (CK_ATTRIBUTE_TYPE
);
6194 * Get the list of objects class that might contain
6197 for (i
= 0; i
< ulCount
; i
++) {
6199 * only check if this attribute can belong to public key object
6200 * class if public key object isn't already in the list
6203 for (j
= 0; j
< num_pub_key_attrs
; j
++) {
6204 if (pTemplate
[i
].type
== PUB_KEY_ATTRS
[j
]) {
6206 pclasses
[num_pclasses
++] =
6214 for (j
= 0; j
< num_priv_key_attrs
; j
++) {
6215 if (pTemplate
[i
].type
== PRIV_KEY_ATTRS
[j
]) {
6216 priv_found
= B_TRUE
;
6217 pclasses
[num_pclasses
++] =
6224 if (!secret_found
) {
6225 for (j
= 0; j
< num_secret_key_attrs
; j
++) {
6226 if (pTemplate
[i
].type
== SECRET_KEY_ATTRS
[j
]) {
6227 secret_found
= B_TRUE
;
6228 pclasses
[num_pclasses
++] =
6235 if (!domain_found
) {
6236 for (j
= 0; j
< num_domain_attrs
; j
++) {
6237 if (pTemplate
[i
].type
== DOMAIN_ATTRS
[j
]) {
6238 domain_found
= B_TRUE
;
6239 pclasses
[num_pclasses
++] =
6240 CKO_DOMAIN_PARAMETERS
;
6246 if (!hardware_found
) {
6247 for (j
= 0; j
< num_hardware_attrs
; j
++) {
6248 if (pTemplate
[i
].type
== HARDWARE_ATTRS
[j
]) {
6249 hardware_found
= B_TRUE
;
6250 pclasses
[num_pclasses
++] =
6258 for (j
= 0; j
< num_cert_attrs
; j
++) {
6259 if (pTemplate
[i
].type
== CERT_ATTRS
[j
]) {
6260 cert_found
= B_TRUE
;
6261 pclasses
[num_pclasses
++] =
6268 *num_result_pclasses
= num_pclasses
;
6272 soft_find_match_attrs(soft_object_t
*obj
, CK_OBJECT_CLASS
*pclasses
,
6273 CK_ULONG num_pclasses
, CK_ATTRIBUTE
*template, CK_ULONG num_attr
)
6276 CK_ATTRIBUTE
*tmpl_attr
, *obj_attr
;
6277 cert_attr_t
*cert_attr
;
6279 biginteger_t
*bigint
;
6280 boolean_t compare_attr
, compare_bigint
, compare_boolean
;
6281 boolean_t compare_cert_val
, compare_cert_type
;
6284 * Check if the class of this object match with any
6285 * of object classes that can possibly contain the
6286 * requested attributes.
6288 if (num_pclasses
> 0) {
6289 for (i
= 0; i
< num_pclasses
; i
++) {
6290 if (obj
->class == pclasses
[i
]) {
6294 if (i
== num_pclasses
) {
6296 * this object can't possibly contain one or
6297 * more attributes, don't need to check this object
6303 /* need to examine everything */
6304 for (i
= 0; i
< num_attr
; i
++) {
6305 tmpl_attr
= &(template[i
]);
6306 compare_attr
= B_FALSE
;
6307 compare_bigint
= B_FALSE
;
6308 compare_boolean
= B_FALSE
;
6309 compare_cert_val
= B_FALSE
;
6310 compare_cert_type
= B_FALSE
;
6311 switch (tmpl_attr
->type
) {
6312 /* First, check the most common attributes */
6314 if (*((CK_OBJECT_CLASS
*)tmpl_attr
->pValue
) !=
6320 if (*((CK_KEY_TYPE
*)tmpl_attr
->pValue
) !=
6326 attr_mask
= (obj
->bool_attr_mask
) & ENCRYPT_BOOL_ON
;
6327 compare_boolean
= B_TRUE
;
6330 attr_mask
= (obj
->bool_attr_mask
) & DECRYPT_BOOL_ON
;
6331 compare_boolean
= B_TRUE
;
6334 attr_mask
= (obj
->bool_attr_mask
) & WRAP_BOOL_ON
;
6335 compare_boolean
= B_TRUE
;
6338 attr_mask
= (obj
->bool_attr_mask
) & UNWRAP_BOOL_ON
;
6339 compare_boolean
= B_TRUE
;
6342 attr_mask
= (obj
->bool_attr_mask
) & SIGN_BOOL_ON
;
6343 compare_boolean
= B_TRUE
;
6345 case CKA_SIGN_RECOVER
:
6346 attr_mask
= (obj
->bool_attr_mask
) &
6347 SIGN_RECOVER_BOOL_ON
;
6348 compare_boolean
= B_TRUE
;
6351 attr_mask
= (obj
->bool_attr_mask
) & VERIFY_BOOL_ON
;
6352 compare_boolean
= B_TRUE
;
6354 case CKA_VERIFY_RECOVER
:
6355 attr_mask
= (obj
->bool_attr_mask
) &
6356 VERIFY_RECOVER_BOOL_ON
;
6357 compare_boolean
= B_TRUE
;
6360 attr_mask
= (obj
->bool_attr_mask
) & DERIVE_BOOL_ON
;
6361 compare_boolean
= B_TRUE
;
6364 attr_mask
= (obj
->bool_attr_mask
) & LOCAL_BOOL_ON
;
6365 compare_boolean
= B_TRUE
;
6368 attr_mask
= (obj
->bool_attr_mask
) & SENSITIVE_BOOL_ON
;
6369 compare_boolean
= B_TRUE
;
6371 case CKA_SECONDARY_AUTH
:
6372 attr_mask
= (obj
->bool_attr_mask
) &
6373 SECONDARY_AUTH_BOOL_ON
;
6374 compare_boolean
= B_TRUE
;
6377 attr_mask
= (obj
->bool_attr_mask
) & TRUSTED_BOOL_ON
;
6378 compare_boolean
= B_TRUE
;
6380 case CKA_EXTRACTABLE
:
6381 attr_mask
= (obj
->bool_attr_mask
) &
6382 EXTRACTABLE_BOOL_ON
;
6383 compare_boolean
= B_TRUE
;
6385 case CKA_ALWAYS_SENSITIVE
:
6386 attr_mask
= (obj
->bool_attr_mask
) &
6387 ALWAYS_SENSITIVE_BOOL_ON
;
6388 compare_boolean
= B_TRUE
;
6390 case CKA_NEVER_EXTRACTABLE
:
6391 attr_mask
= (obj
->bool_attr_mask
) &
6392 NEVER_EXTRACTABLE_BOOL_ON
;
6393 compare_boolean
= B_TRUE
;
6396 attr_mask
= (obj
->object_type
) & TOKEN_OBJECT
;
6397 compare_boolean
= B_TRUE
;
6400 attr_mask
= (obj
->object_type
) & PRIVATE_OBJECT
;
6401 compare_boolean
= B_TRUE
;
6403 case CKA_MODIFIABLE
:
6406 attr_mask
= (obj
->bool_attr_mask
) &
6407 NOT_MODIFIABLE_BOOL_ON
;
6414 if (bval
!= *((CK_BBOOL
*)tmpl_attr
->pValue
)) {
6421 * For X.509 attribute certificate object, get its
6422 * CKA_OWNER attribute from the x509_attr_cert_t struct.
6424 if ((obj
->class == CKO_CERTIFICATE
) &&
6425 (obj
->cert_type
== CKC_X_509_ATTR_CERT
)) {
6426 cert_attr
= X509_ATTR_CERT_OWNER(obj
);
6427 compare_cert_val
= B_TRUE
;
6432 * For X.509 certificate object, get its CKA_SUBJECT
6433 * attribute from the x509_cert_t struct (not from
6434 * the extra_attrlistp).
6436 if ((obj
->class == CKO_CERTIFICATE
) &&
6437 (obj
->cert_type
== CKC_X_509
)) {
6438 cert_attr
= X509_CERT_SUBJECT(obj
);
6439 compare_cert_val
= B_TRUE
;
6444 case CKA_START_DATE
:
6446 case CKA_KEY_GEN_MECHANISM
:
6449 case CKA_SERIAL_NUMBER
:
6451 case CKA_ATTR_TYPES
:
6452 /* find these attributes from extra_attrlistp */
6453 obj_attr
= get_extra_attr(tmpl_attr
->type
, obj
);
6454 compare_attr
= B_TRUE
;
6456 case CKA_CERTIFICATE_TYPE
:
6457 compare_cert_type
= B_TRUE
;
6460 /* only secret key has this attribute */
6461 if (obj
->class == CKO_SECRET_KEY
) {
6462 if (*((CK_ULONG
*)tmpl_attr
->pValue
) !=
6463 OBJ_SEC_VALUE_LEN(obj
)) {
6471 switch (obj
->class) {
6472 case CKO_SECRET_KEY
:
6474 * secret_key_obj_t is the same as
6477 bigint
= (biginteger_t
*)OBJ_SEC(obj
);
6478 compare_bigint
= B_TRUE
;
6480 case CKO_PRIVATE_KEY
:
6481 if (obj
->key_type
== CKK_DSA
) {
6482 bigint
= OBJ_PRI_DSA_VALUE(obj
);
6483 } else if (obj
->key_type
== CKK_DH
) {
6484 bigint
= OBJ_PRI_DH_VALUE(obj
);
6485 } else if (obj
->key_type
== CKK_X9_42_DH
) {
6486 bigint
= OBJ_PRI_DH942_VALUE(obj
);
6490 compare_bigint
= B_TRUE
;
6492 case CKO_PUBLIC_KEY
:
6493 if (obj
->key_type
== CKK_DSA
) {
6494 bigint
= OBJ_PUB_DSA_VALUE(obj
);
6495 } else if (obj
->key_type
== CKK_DH
) {
6496 bigint
= OBJ_PUB_DH_VALUE(obj
);
6497 } else if (obj
->key_type
== CKK_X9_42_DH
) {
6498 bigint
= OBJ_PUB_DH942_VALUE(obj
);
6502 compare_bigint
= B_TRUE
;
6504 case CKO_CERTIFICATE
:
6505 if (obj
->cert_type
== CKC_X_509
) {
6506 cert_attr
= X509_CERT_VALUE(obj
);
6507 } else if (obj
->cert_type
==
6508 CKC_X_509_ATTR_CERT
) {
6509 cert_attr
= X509_ATTR_CERT_VALUE(obj
);
6511 compare_cert_val
= B_TRUE
;
6518 /* only RSA public and private key have this attr */
6519 if (obj
->key_type
== CKK_RSA
) {
6520 if (obj
->class == CKO_PUBLIC_KEY
) {
6521 bigint
= OBJ_PUB_RSA_MOD(obj
);
6522 } else if (obj
->class == CKO_PRIVATE_KEY
) {
6523 bigint
= OBJ_PRI_RSA_MOD(obj
);
6527 compare_bigint
= B_TRUE
;
6532 case CKA_MODULUS_BITS
:
6533 /* only RSA public key has this attribute */
6534 if ((obj
->key_type
== CKK_RSA
) &&
6535 (obj
->class == CKO_PUBLIC_KEY
)) {
6536 CK_ULONG mod_bits
= OBJ_PUB_RSA_MOD_BITS(obj
);
6538 *((CK_ULONG
*)tmpl_attr
->pValue
)) {
6545 case CKA_PUBLIC_EXPONENT
:
6546 /* only RSA public and private key have this attr */
6547 if (obj
->key_type
== CKK_RSA
) {
6548 if (obj
->class == CKO_PUBLIC_KEY
) {
6549 bigint
= OBJ_PUB_RSA_PUBEXPO(obj
);
6550 } else if (obj
->class == CKO_PRIVATE_KEY
) {
6551 bigint
= OBJ_PRI_RSA_PUBEXPO(obj
);
6555 compare_bigint
= B_TRUE
;
6560 case CKA_PRIVATE_EXPONENT
:
6561 /* only RSA private key has this attribute */
6562 if ((obj
->key_type
== CKK_RSA
) &&
6563 (obj
->class == CKO_PRIVATE_KEY
)) {
6564 bigint
= OBJ_PRI_RSA_PRIEXPO(obj
);
6565 compare_bigint
= B_TRUE
;
6571 /* only RSA private key has this attribute */
6572 if ((obj
->key_type
== CKK_RSA
) &&
6573 (obj
->class == CKO_PRIVATE_KEY
)) {
6574 bigint
= OBJ_PRI_RSA_PRIME1(obj
);
6575 compare_bigint
= B_TRUE
;
6581 /* only RSA private key has this attribute */
6582 if ((obj
->key_type
== CKK_RSA
) &&
6583 (obj
->class == CKO_PRIVATE_KEY
)) {
6584 bigint
= OBJ_PRI_RSA_PRIME2(obj
);
6585 compare_bigint
= B_TRUE
;
6590 case CKA_EXPONENT_1
:
6591 /* only RSA private key has this attribute */
6592 if ((obj
->key_type
== CKK_RSA
) &&
6593 (obj
->class == CKO_PRIVATE_KEY
)) {
6594 bigint
= OBJ_PRI_RSA_EXPO1(obj
);
6595 compare_bigint
= B_TRUE
;
6600 case CKA_EXPONENT_2
:
6601 /* only RSA private key has this attribute */
6602 if ((obj
->key_type
== CKK_RSA
) &&
6603 (obj
->class == CKO_PRIVATE_KEY
)) {
6604 bigint
= OBJ_PRI_RSA_EXPO2(obj
);
6605 compare_bigint
= B_TRUE
;
6610 case CKA_COEFFICIENT
:
6611 /* only RSA private key has this attribute */
6612 if ((obj
->key_type
== CKK_RSA
) &&
6613 (obj
->class == CKO_PRIVATE_KEY
)) {
6614 bigint
= OBJ_PRI_RSA_COEF(obj
);
6615 compare_bigint
= B_TRUE
;
6620 case CKA_VALUE_BITS
:
6621 /* only Diffie-Hellman private key has this attr */
6622 if ((obj
->key_type
== CKK_DH
) &&
6623 (obj
->class == CKO_PRIVATE_KEY
)) {
6624 CK_ULONG val_bits
= OBJ_PRI_DH_VAL_BITS(obj
);
6626 *((CK_ULONG
*)tmpl_attr
->pValue
)) {
6634 if (obj
->class == CKO_PUBLIC_KEY
) {
6635 switch (obj
->key_type
) {
6637 bigint
= OBJ_PUB_DSA_PRIME(obj
);
6640 bigint
= OBJ_PUB_DH_PRIME(obj
);
6643 bigint
= OBJ_PUB_DH942_PRIME(obj
);
6648 } else if (obj
->class == CKO_PRIVATE_KEY
) {
6649 switch (obj
->key_type
) {
6651 bigint
= OBJ_PRI_DSA_PRIME(obj
);
6654 bigint
= OBJ_PRI_DH_PRIME(obj
);
6657 bigint
= OBJ_PRI_DH942_PRIME(obj
);
6662 } else if (obj
->class == CKO_DOMAIN_PARAMETERS
) {
6663 switch (obj
->key_type
) {
6665 bigint
= OBJ_DOM_DSA_PRIME(obj
);
6668 bigint
= OBJ_DOM_DH_PRIME(obj
);
6671 bigint
= OBJ_DOM_DH942_PRIME(obj
);
6679 compare_bigint
= B_TRUE
;
6682 if (obj
->class == CKO_PUBLIC_KEY
) {
6683 switch (obj
->key_type
) {
6685 bigint
= OBJ_PUB_DSA_SUBPRIME(obj
);
6688 bigint
= OBJ_PUB_DH942_SUBPRIME(obj
);
6693 } else if (obj
->class == CKO_PRIVATE_KEY
) {
6694 switch (obj
->key_type
) {
6696 bigint
= OBJ_PRI_DSA_SUBPRIME(obj
);
6699 bigint
= OBJ_PRI_DH942_SUBPRIME(obj
);
6704 } else if (obj
->class == CKO_DOMAIN_PARAMETERS
) {
6705 switch (obj
->key_type
) {
6707 bigint
= OBJ_DOM_DSA_SUBPRIME(obj
);
6710 bigint
= OBJ_DOM_DH942_SUBPRIME(obj
);
6718 compare_bigint
= B_TRUE
;
6721 if (obj
->class == CKO_PUBLIC_KEY
) {
6722 switch (obj
->key_type
) {
6724 bigint
= OBJ_PUB_DSA_BASE(obj
);
6727 bigint
= OBJ_PUB_DH_BASE(obj
);
6730 bigint
= OBJ_PUB_DH942_BASE(obj
);
6735 } else if (obj
->class == CKO_PRIVATE_KEY
) {
6736 switch (obj
->key_type
) {
6738 bigint
= OBJ_PRI_DSA_BASE(obj
);
6741 bigint
= OBJ_PRI_DH_BASE(obj
);
6744 bigint
= OBJ_PRI_DH942_BASE(obj
);
6749 } else if (obj
->class == CKO_DOMAIN_PARAMETERS
) {
6750 switch (obj
->key_type
) {
6752 bigint
= OBJ_DOM_DSA_BASE(obj
);
6755 bigint
= OBJ_DOM_DH_BASE(obj
);
6758 bigint
= OBJ_DOM_DH942_BASE(obj
);
6766 compare_bigint
= B_TRUE
;
6768 case CKA_PRIME_BITS
:
6769 if (obj
->class == CKO_DOMAIN_PARAMETERS
) {
6770 CK_ULONG prime_bits
;
6771 if (obj
->key_type
== CKK_DSA
) {
6773 OBJ_DOM_DSA_PRIME_BITS(obj
);
6774 } else if (obj
->key_type
== CKK_DH
) {
6776 OBJ_DOM_DH_PRIME_BITS(obj
);
6777 } else if (obj
->key_type
== CKK_X9_42_DH
) {
6779 OBJ_DOM_DH942_PRIME_BITS(obj
);
6784 *((CK_ULONG
*)tmpl_attr
->pValue
)) {
6791 case CKA_SUBPRIME_BITS
:
6792 if ((obj
->class == CKO_DOMAIN_PARAMETERS
) &&
6793 (obj
->key_type
== CKK_X9_42_DH
)) {
6794 CK_ULONG subprime_bits
=
6795 OBJ_DOM_DH942_SUBPRIME_BITS(obj
);
6796 if (subprime_bits
!=
6797 *((CK_ULONG
*)tmpl_attr
->pValue
)) {
6806 * any other attributes are currently not supported.
6807 * so, it's not possible for them to be in the
6812 if (compare_boolean
) {
6820 if (bval
!= *((CK_BBOOL
*)tmpl_attr
->pValue
)) {
6823 } else if (compare_bigint
) {
6824 if (bigint
== NULL
) {
6827 if (tmpl_attr
->ulValueLen
!= bigint
->big_value_len
) {
6830 if (memcmp(tmpl_attr
->pValue
, bigint
->big_value
,
6831 tmpl_attr
->ulValueLen
) != 0) {
6834 } else if (compare_attr
) {
6835 if (obj_attr
== NULL
) {
6837 * The attribute type is valid, and its value
6838 * has not been initialized in the object. In
6839 * this case, it only matches the template's
6840 * attribute if the template's value length
6843 if (tmpl_attr
->ulValueLen
!= 0)
6846 if (tmpl_attr
->ulValueLen
!=
6847 obj_attr
->ulValueLen
) {
6850 if (memcmp(tmpl_attr
->pValue
, obj_attr
->pValue
,
6851 tmpl_attr
->ulValueLen
) != 0) {
6855 } else if (compare_cert_val
) {
6856 if (cert_attr
== NULL
) {
6857 /* specific attribute not found */
6860 if (tmpl_attr
->ulValueLen
!= cert_attr
->length
) {
6863 if (memcmp(tmpl_attr
->pValue
, cert_attr
->value
,
6864 tmpl_attr
->ulValueLen
) != 0) {
6867 } else if (compare_cert_type
) {
6868 if (memcmp(tmpl_attr
->pValue
, &(obj
->cert_type
),
6869 tmpl_attr
->ulValueLen
) != 0) {
6878 get_extra_attr(CK_ATTRIBUTE_TYPE type
, soft_object_t
*obj
)
6880 CK_ATTRIBUTE_INFO_PTR tmp
;
6882 tmp
= obj
->extra_attrlistp
;
6883 while (tmp
!= NULL
) {
6884 if (tmp
->attr
.type
== type
) {
6885 return (&(tmp
->attr
));
6889 /* if get there, the specified attribute is not found */