search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove debug printf
[heimdal.git] / lib / hx509 / softp11.c
blobf18b98a3dc797aa81d67a7eb0e23c810432efef6
1 /*
2 * Copyright (c) 2004 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35 #include "pkcs11.h"
36
37 #define OBJECT_ID_MASK 0xfff
38 #define HANDLE_OBJECT_ID(h) ((h) & OBJECT_ID_MASK)
39 #define OBJECT_ID(obj) HANDLE_OBJECT_ID((obj)->object_handle)
40
41
42 struct st_attr {
43 CK_ATTRIBUTE attribute;
44 int secret;
45 };
46
47 struct st_object {
48 CK_OBJECT_HANDLE object_handle;
49 struct st_attr *attrs;
50 int num_attributes;
51 hx509_cert cert;
52 };
53
54 static struct soft_token {
55 CK_VOID_PTR application;
56 CK_NOTIFY notify;
57 char *config_file;
58 hx509_certs certs;
59 struct {
60 struct st_object **objs;
61 int num_objs;
62 } object;
63 struct {
64 int hardware_slot;
65 int app_error_fatal;
66 int login_done;
67 } flags;
68 int open_sessions;
69 struct session_state {
70 CK_SESSION_HANDLE session_handle;
71
72 struct {
73 CK_ATTRIBUTE *attributes;
74 CK_ULONG num_attributes;
75 int next_object;
76 } find;
77
78 int sign_object;
79 CK_MECHANISM_PTR sign_mechanism;
80 int verify_object;
81 CK_MECHANISM_PTR verify_mechanism;
82 } state[10];
83 #define MAX_NUM_SESSION (sizeof(soft_token.state)/sizeof(soft_token.state[0]))
84 FILE *logfile;
85 } soft_token;
86
87 static hx509_context context;
88
89 static void
90 application_error(const char *fmt, ...)
91 {
92 va_list ap;
93 va_start(ap, fmt);
94 vprintf(fmt, ap);
95 va_end(ap);
96 if (soft_token.flags.app_error_fatal)
97 abort();
98 }
99
100 static void
101 st_logf(const char *fmt, ...)
102 {
103 va_list ap;
104 if (soft_token.logfile == NULL)
105 return;
106 va_start(ap, fmt);
107 vfprintf(soft_token.logfile, fmt, ap);
108 va_end(ap);
109 fflush(soft_token.logfile);
110 }
111
112 static CK_RV
113 init_context(void)
114 {
115 if (context == NULL) {
116 int ret = hx509_context_init(&context);
117 if (ret)
118 return CKR_GENERAL_ERROR;
119 }
120 return CKR_OK;
121 }
122
123 #define INIT_CONTEXT() { CK_RV icret = init_context(); if (icret) return icret; }
124
125 static void
126 snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
127 {
128 int len;
129 va_list ap;
130 va_start(ap, fmt);
131 len = vsnprintf(str, size, fmt, ap);
132 va_end(ap);
133 if (len < 0 || len > size)
134 return;
135 while(len < size)
136 str[len++] = fillchar;
137 }
138
139 #ifndef TEST_APP
140 #define printf error_use_st_logf
141 #endif
142
143 #define VERIFY_SESSION_HANDLE(s, state) \
144 { \
145 CK_RV ret; \
146 ret = verify_session_handle(s, state); \
147 if (ret != CKR_OK) { \
148 /* return CKR_OK */; \
149 } \
150 }
151
152 static CK_RV
153 verify_session_handle(CK_SESSION_HANDLE hSession,
154 struct session_state **state)
155 {
156 int i;
157
158 for (i = 0; i < MAX_NUM_SESSION; i++){
159 if (soft_token.state[i].session_handle == hSession)
160 break;
161 }
162 if (i == MAX_NUM_SESSION) {
163 application_error("use of invalid handle: 0x%08lx\n",
164 (unsigned long)hSession);
165 return CKR_SESSION_HANDLE_INVALID;
166 }
167 if (state)
168 *state = &soft_token.state[i];
169 return CKR_OK;
170 }
171
172 static CK_RV
173 object_handle_to_object(CK_OBJECT_HANDLE handle,
174 struct st_object **object)
175 {
176 int i = HANDLE_OBJECT_ID(handle);
177
178 *object = NULL;
179 if (i >= soft_token.object.num_objs)
180 return CKR_ARGUMENTS_BAD;
181 if (soft_token.object.objs[i] == NULL)
182 return CKR_ARGUMENTS_BAD;
183 if (soft_token.object.objs[i]->object_handle != handle)
184 return CKR_ARGUMENTS_BAD;
185 *object = soft_token.object.objs[i];
186 return CKR_OK;
187 }
188
189 static int
190 attributes_match(const struct st_object *obj,
191 const CK_ATTRIBUTE *attributes,
192 CK_ULONG num_attributes)
193 {
194 CK_ULONG i;
195 int j;
196
197 st_logf("attributes_match: %ld\n", (unsigned long)OBJECT_ID(obj));
198
199 for (i = 0; i < num_attributes; i++) {
200 int match = 0;
201 for (j = 0; j < obj->num_attributes; j++) {
202 if (attributes[i].type == obj->attrs[j].attribute.type &&
203 attributes[i].ulValueLen == obj->attrs[j].attribute.ulValueLen &&
204 memcmp(attributes[i].pValue, obj->attrs[j].attribute.pValue,
205 attributes[i].ulValueLen) == 0) {
206 match = 1;
207 break;
208 }
209 }
210 if (match == 0) {
211 st_logf("type %d attribute have no match\n", attributes[i].type);
212 return 0;
213 }
214 }
215 st_logf("attribute matches\n");
216 return 1;
217 }
218
219 static void
220 print_attributes(const CK_ATTRIBUTE *attributes,
221 CK_ULONG num_attributes)
222 {
223 CK_ULONG i;
224
225 st_logf("find objects: attrs: %lu\n", (unsigned long)num_attributes);
226
227 for (i = 0; i < num_attributes; i++) {
228 st_logf(" type: ");
229 switch (attributes[i].type) {
230 case CKA_TOKEN: {
231 CK_BBOOL *ck_true;
232 if (attributes[i].ulValueLen != sizeof(CK_BBOOL)) {
233 application_error("token attribute wrong length\n");
234 break;
235 }
236 ck_true = attributes[i].pValue;
237 st_logf("token: %s", *ck_true ? "TRUE" : "FALSE");
238 break;
239 }
240 case CKA_CLASS: {
241 CK_OBJECT_CLASS *class;
242 if (attributes[i].ulValueLen != sizeof(CK_ULONG)) {
243 application_error("class attribute wrong length\n");
244 break;
245 }
246 class = attributes[i].pValue;
247 st_logf("class ");
248 switch (*class) {
249 case CKO_CERTIFICATE:
250 st_logf("certificate");
251 break;
252 case CKO_PUBLIC_KEY:
253 st_logf("public key");
254 break;
255 case CKO_PRIVATE_KEY:
256 st_logf("private key");
257 break;
258 case CKO_SECRET_KEY:
259 st_logf("secret key");
260 break;
261 case CKO_DOMAIN_PARAMETERS:
262 st_logf("domain parameters");
263 break;
264 default:
265 st_logf("[class %lx]", (long unsigned)*class);
266 break;
267 }
268 break;
269 }
270 case CKA_PRIVATE:
271 st_logf("private");
272 break;
273 case CKA_LABEL:
274 st_logf("label");
275 break;
276 case CKA_APPLICATION:
277 st_logf("application");
278 break;
279 case CKA_VALUE:
280 st_logf("value");
281 break;
282 case CKA_ID:
283 st_logf("id");
284 break;
285 default:
286 st_logf("[unknown 0x%08lx]", (unsigned long)attributes[i].type);
287 break;
288 }
289 st_logf("\n");
290 }
291 }
292
293 static struct st_object *
294 add_st_object(void)
295 {
296 struct st_object *o, **objs;
297 int i;
298
299 o = calloc(1, sizeof(*o));
300 if (o == NULL)
301 return NULL;
302
303 for (i = 0; i < soft_token.object.num_objs; i++) {
304 if (soft_token.object.objs == NULL) {
305 soft_token.object.objs[i] = o;
306 break;
307 }
308 }
309 if (i == soft_token.object.num_objs) {
310 objs = realloc(soft_token.object.objs,
311 (soft_token.object.num_objs + 1) * sizeof(soft_token.object.objs[0]));
312 if (objs == NULL) {
313 free(o);
314 return NULL;
315 }
316 soft_token.object.objs = objs;
317 soft_token.object.objs[soft_token.object.num_objs++] = o;
318 }
319 soft_token.object.objs[i]->object_handle =
320 (random() & (~OBJECT_ID_MASK)) | i;
321
322 return o;
323 }
324
325 static CK_RV
326 add_object_attribute(struct st_object *o,
327 int secret,
328 CK_ATTRIBUTE_TYPE type,
329 CK_VOID_PTR pValue,
330 CK_ULONG ulValueLen)
331 {
332 struct st_attr *a;
333 int i;
334
335 i = o->num_attributes;
336 a = realloc(o->attrs, (i + 1) * sizeof(o->attrs[0]));
337 if (a == NULL)
338 return CKR_DEVICE_MEMORY;
339 o->attrs = a;
340 o->attrs[i].secret = secret;
341 o->attrs[i].attribute.type = type;
342 o->attrs[i].attribute.pValue = malloc(ulValueLen);
343 if (o->attrs[i].attribute.pValue == NULL && ulValueLen != 0)
344 return CKR_DEVICE_MEMORY;
345 memcpy(o->attrs[i].attribute.pValue, pValue, ulValueLen);
346 o->attrs[i].attribute.ulValueLen = ulValueLen;
347 o->num_attributes++;
348
349 return CKR_OK;
350 }
351
352 static CK_RV
353 add_pubkey_info(hx509_context hxctx, struct st_object *o,
354 CK_KEY_TYPE key_type, hx509_cert cert)
355 {
356 BIGNUM *num;
357 CK_BYTE *modulus = NULL;
358 size_t modulus_len = 0;
359 CK_ULONG modulus_bits = 0;
360 CK_BYTE *exponent = NULL;
361 size_t exponent_len = 0;
362
363 if (key_type != CKK_RSA)
364 return CKR_OK;
365 if (_hx509_cert_private_key(cert) == NULL)
366 return CKR_OK;
367
368 num = _hx509_private_key_get_internal(context,
369 _hx509_cert_private_key(cert),
370 "rsa-modulus");
371 if (num == NULL)
372 return CKR_GENERAL_ERROR;
373 modulus_bits = BN_num_bits(num);
374
375 modulus_len = BN_num_bytes(num);
376 modulus = malloc(modulus_len);
377 BN_bn2bin(num, modulus);
378 BN_free(num);
379
380 add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
381 add_object_attribute(o, 0, CKA_MODULUS_BITS,
382 &modulus_bits, sizeof(modulus_bits));
383
384 free(modulus);
385
386 num = _hx509_private_key_get_internal(context,
387 _hx509_cert_private_key(cert),
388 "rsa-exponent");
389 if (num == NULL)
390 return CKR_GENERAL_ERROR;
391
392 exponent_len = BN_num_bytes(num);
393 exponent = malloc(exponent_len);
394 BN_bn2bin(num, exponent);
395 BN_free(num);
396
397 add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
398 exponent, exponent_len);
399
400 free(exponent);
401
402 return CKR_OK;
403 }
404
405
406 struct foo {
407 char *label;
408 char *id;
409 };
410
411 static int
412 add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
413 {
414 struct foo *foo = (struct foo *)ctx;
415 struct st_object *o = NULL;
416 CK_OBJECT_CLASS type;
417 CK_BBOOL bool_true = CK_TRUE;
418 CK_BBOOL bool_false = CK_FALSE;
419 CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
420 CK_KEY_TYPE key_type;
421 CK_MECHANISM_TYPE mech_type;
422 CK_RV ret = CKR_GENERAL_ERROR;
423 int hret;
424 heim_octet_string cert_data, subject_data, issuer_data, serial_data;
425
426 st_logf("adding certificate\n");
427
428 serial_data.data = NULL;
429 serial_data.length = 0;
430 cert_data = subject_data = issuer_data = serial_data;
431
432 hret = hx509_cert_binary(hxctx, cert, &cert_data);
433 if (hret)
434 goto out;
435
436 {
437 hx509_name name;
438
439 hret = hx509_cert_get_issuer(cert, &name);
440 if (hret)
441 goto out;
442 hret = hx509_name_binary(name, &issuer_data);
443 hx509_name_free(&name);
444 if (hret)
445 goto out;
446
447 hret = hx509_cert_get_subject(cert, &name);
448 if (hret)
449 goto out;
450 hret = hx509_name_binary(name, &subject_data);
451 hx509_name_free(&name);
452 if (hret)
453 goto out;
454 }
455
456 {
457 AlgorithmIdentifier alg;
458
459 hret = hx509_cert_get_SPKI_AlgorithmIdentifier(context, cert, &alg);
460 if (hret) {
461 ret = CKR_DEVICE_MEMORY;
462 goto out;
463 }
464
465 key_type = CKK_RSA; /* XXX */
466
467 free_AlgorithmIdentifier(&alg);
468 }
469
470
471 type = CKO_CERTIFICATE;
472 o = add_st_object();
473 if (o == NULL) {
474 ret = CKR_DEVICE_MEMORY;
475 goto out;
476 }
477
478 o->cert = hx509_cert_ref(cert);
479
480 add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
481 add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
482 add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
483 add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
484 add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
485
486 add_object_attribute(o, 0, CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type));
487 add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
488
489 add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
490 add_object_attribute(o, 0, CKA_ISSUER, issuer_data.data, issuer_data.length);
491 add_object_attribute(o, 0, CKA_SERIAL_NUMBER, serial_data.data, serial_data.length);
492 add_object_attribute(o, 0, CKA_VALUE, cert_data.data, cert_data.length);
493 add_object_attribute(o, 0, CKA_TRUSTED, &bool_false, sizeof(bool_false));
494
495 st_logf("add cert ok: %lx\n", (unsigned long)OBJECT_ID(o));
496
497 type = CKO_PUBLIC_KEY;
498 o = add_st_object();
499 if (o == NULL) {
500 ret = CKR_DEVICE_MEMORY;
501 goto out;
502 }
503 o->cert = hx509_cert_ref(cert);
504
505 add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
506 add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
507 add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
508 add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
509 add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
510
511 add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
512 add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
513 add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */
514 add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */
515 add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
516 add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
517 mech_type = CKM_RSA_X_509;
518 add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));
519
520 add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
521 add_object_attribute(o, 0, CKA_ENCRYPT, &bool_true, sizeof(bool_true));
522 add_object_attribute(o, 0, CKA_VERIFY, &bool_true, sizeof(bool_true));
523 add_object_attribute(o, 0, CKA_VERIFY_RECOVER, &bool_false, sizeof(bool_false));
524 add_object_attribute(o, 0, CKA_WRAP, &bool_true, sizeof(bool_true));
525 add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true));
526
527 add_pubkey_info(hxctx, o, key_type, cert);
528
529 st_logf("add key ok: %lx\n", (unsigned long)OBJECT_ID(o));
530
531 if (hx509_cert_have_private_key(cert)) {
532 CK_FLAGS flags;
533
534 type = CKO_PRIVATE_KEY;
535 o = add_st_object();
536 if (o == NULL) {
537 ret = CKR_DEVICE_MEMORY;
538 goto out;
539 }
540 o->cert = hx509_cert_ref(cert);
541
542 add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
543 add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
544 add_object_attribute(o, 0, CKA_PRIVATE, &bool_true, sizeof(bool_false));
545 add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
546 add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
547
548 add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
549 add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
550 add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */
551 add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */
552 add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
553 add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
554 mech_type = CKM_RSA_X_509;
555 add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));
556
557 add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
558 add_object_attribute(o, 0, CKA_SENSITIVE, &bool_true, sizeof(bool_true));
559 add_object_attribute(o, 0, CKA_SECONDARY_AUTH, &bool_false, sizeof(bool_true));
560 flags = 0;
561 add_object_attribute(o, 0, CKA_AUTH_PIN_FLAGS, &flags, sizeof(flags));
562
563 add_object_attribute(o, 0, CKA_DECRYPT, &bool_true, sizeof(bool_true));
564 add_object_attribute(o, 0, CKA_SIGN, &bool_true, sizeof(bool_true));
565 add_object_attribute(o, 0, CKA_SIGN_RECOVER, &bool_false, sizeof(bool_false));
566 add_object_attribute(o, 0, CKA_UNWRAP, &bool_true, sizeof(bool_true));
567 add_object_attribute(o, 0, CKA_EXTRACTABLE, &bool_true, sizeof(bool_true));
568 add_object_attribute(o, 0, CKA_NEVER_EXTRACTABLE, &bool_false, sizeof(bool_false));
569
570 add_pubkey_info(hxctx, o, key_type, cert);
571 }
572
573 ret = CKR_OK;
574 out:
575 if (ret != CKR_OK) {
576 st_logf("something went wrong when adding cert!\n");
577
578 /* XXX wack o */;
579 }
580 hx509_xfree(cert_data.data);
581 hx509_xfree(serial_data.data);
582 hx509_xfree(issuer_data.data);
583 hx509_xfree(subject_data.data);
584
585 return 0;
586 }
587
588 static CK_RV
589 add_certificate(const char *cert_file,
590 const char *pin,
591 char *id,
592 char *label)
593 {
594 hx509_certs certs;
595 hx509_lock lock = NULL;
596 int ret, flags = 0;
597
598 struct foo foo;
599 foo.id = id;
600 foo.label = label;
601
602 if (pin == NULL)
603 flags |= HX509_CERTS_UNPROTECT_ALL;
604
605 if (pin) {
606 char *str;
607 asprintf(&str, "PASS:%s", pin);
608
609 hx509_lock_init(context, &lock);
610 hx509_lock_command_string(lock, str);
611
612 memset(str, 0, strlen(str));
613 free(str);
614 }
615
616 ret = hx509_certs_init(context, cert_file, flags, lock, &certs);
617 if (ret) {
618 st_logf("failed to open file %s\n", cert_file);
619 return CKR_GENERAL_ERROR;
620 }
621
622 ret = hx509_certs_iter(context, certs, add_cert, &foo);
623 hx509_certs_free(&certs);
624 if (ret) {
625 st_logf("failed adding certs from file %s\n", cert_file);
626 return CKR_GENERAL_ERROR;
627 }
628
629 return CKR_OK;
630 }
631
632 static void
633 find_object_final(struct session_state *state)
634 {
635 if (state->find.attributes) {
636 CK_ULONG i;
637
638 for (i = 0; i < state->find.num_attributes; i++) {
639 if (state->find.attributes[i].pValue)
640 free(state->find.attributes[i].pValue);
641 }
642 free(state->find.attributes);
643 state->find.attributes = NULL;
644 state->find.num_attributes = 0;
645 state->find.next_object = -1;
646 }
647 }
648
649 static void
650 reset_crypto_state(struct session_state *state)
651 {
652 state->sign_object = -1;
653 if (state->sign_mechanism)
654 free(state->sign_mechanism);
655 state->sign_mechanism = NULL_PTR;
656 state->verify_object = -1;
657 if (state->verify_mechanism)
658 free(state->verify_mechanism);
659 state->verify_mechanism = NULL_PTR;
660 }
661
662 static void
663 close_session(struct session_state *state)
664 {
665 if (state->find.attributes) {
666 application_error("application didn't do C_FindObjectsFinal\n");
667 find_object_final(state);
668 }
669
670 state->session_handle = CK_INVALID_HANDLE;
671 soft_token.application = NULL_PTR;
672 soft_token.notify = NULL_PTR;
673 reset_crypto_state(state);
674 }
675
676 static const char *
677 has_session(void)
678 {
679 return soft_token.open_sessions > 0 ? "yes" : "no";
680 }
681
682 static CK_RV
683 read_conf_file(const char *fn, CK_USER_TYPE userType, const char *pin)
684 {
685 char buf[1024], *type, *s, *p;
686 FILE *f;
687 CK_RV ret = CKR_OK;
688 CK_RV failed = CKR_OK;
689
690 f = fopen(fn, "r");
691 if (f == NULL) {
692 st_logf("can't open configuration file %s\n", fn);
693 return CKR_GENERAL_ERROR;
694 }
695 rk_cloexec_file(f);
696
697 while(fgets(buf, sizeof(buf), f) != NULL) {
698 buf[strcspn(buf, "\n")] = '\0';
699
700 st_logf("line: %s\n", buf);
701
702 p = buf;
703 while (isspace((unsigned char)*p))
704 p++;
705 if (*p == '#')
706 continue;
707 while (isspace((unsigned char)*p))
708 p++;
709
710 s = NULL;
711 type = strtok_r(p, "\t", &s);
712 if (type == NULL)
713 continue;
714
715 if (strcasecmp("certificate", type) == 0) {
716 char *cert, *id, *label;
717
718 id = strtok_r(NULL, "\t", &s);
719 if (id == NULL) {
720 st_logf("no id\n");
721 continue;
722 }
723 st_logf("id: %s\n", id);
724 label = strtok_r(NULL, "\t", &s);
725 if (label == NULL) {
726 st_logf("no label\n");
727 continue;
728 }
729 cert = strtok_r(NULL, "\t", &s);
730 if (cert == NULL) {
731 st_logf("no certfiicate store\n");
732 continue;
733 }
734
735 st_logf("adding: %s: %s in file %s\n", id, label, cert);
736
737 ret = add_certificate(cert, pin, id, label);
738 if (ret)
739 failed = ret;
740 } else if (strcasecmp("debug", type) == 0) {
741 char *name;
742
743 name = strtok_r(NULL, "\t", &s);
744 if (name == NULL) {
745 st_logf("no filename\n");
746 continue;
747 }
748
749 if (soft_token.logfile)
750 fclose(soft_token.logfile);
751
752 if (strcasecmp(name, "stdout") == 0)
753 soft_token.logfile = stdout;
754 else {
755 soft_token.logfile = fopen(name, "a");
756 if (soft_token.logfile)
757 rk_cloexec_file(soft_token.logfile);
758 }
759 if (soft_token.logfile == NULL)
760 st_logf("failed to open file: %s\n", name);
761
762 } else if (strcasecmp("app-fatal", type) == 0) {
763 char *name;
764
765 name = strtok_r(NULL, "\t", &s);
766 if (name == NULL) {
767 st_logf("argument to app-fatal\n");
768 continue;
769 }
770
771 if (strcmp(name, "true") == 0 || strcmp(name, "on") == 0)
772 soft_token.flags.app_error_fatal = 1;
773 else if (strcmp(name, "false") == 0 || strcmp(name, "off") == 0)
774 soft_token.flags.app_error_fatal = 0;
775 else
776 st_logf("unknown app-fatal: %s\n", name);
777
778 } else {
779 st_logf("unknown type: %s\n", type);
780 }
781 }
782
783 fclose(f);
784
785 return failed;
786 }
787
788 static CK_RV
789 func_not_supported(void)
790 {
791 st_logf("function not supported\n");
792 return CKR_FUNCTION_NOT_SUPPORTED;
793 }
794
795 CK_RV
796 C_Initialize(CK_VOID_PTR a)
797 {
798 CK_C_INITIALIZE_ARGS_PTR args = a;
799 CK_RV ret;
800 int i;
801
802 st_logf("Initialize\n");
803
804 INIT_CONTEXT();
805
806 OpenSSL_add_all_algorithms();
807
808 srandom(getpid() ^ time(NULL));
809
810 for (i = 0; i < MAX_NUM_SESSION; i++) {
811 soft_token.state[i].session_handle = CK_INVALID_HANDLE;
812 soft_token.state[i].find.attributes = NULL;
813 soft_token.state[i].find.num_attributes = 0;
814 soft_token.state[i].find.next_object = -1;
815 reset_crypto_state(&soft_token.state[i]);
816 }
817
818 soft_token.flags.hardware_slot = 1;
819 soft_token.flags.app_error_fatal = 0;
820 soft_token.flags.login_done = 0;
821
822 soft_token.object.objs = NULL;
823 soft_token.object.num_objs = 0;
824
825 soft_token.logfile = NULL;
826 #if 0
827 soft_token.logfile = stdout;
828 #endif
829 #if 0
830 soft_token.logfile = fopen("/tmp/log-pkcs11.txt", "a");
831 #endif
832
833 if (a != NULL_PTR) {
834 st_logf("\tCreateMutex:\t%p\n", args->CreateMutex);
835 st_logf("\tDestroyMutext\t%p\n", args->DestroyMutex);
836 st_logf("\tLockMutext\t%p\n", args->LockMutex);
837 st_logf("\tUnlockMutext\t%p\n", args->UnlockMutex);
838 st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);
839 }
840
841 {
842 char *fn = NULL, *home = NULL;
843
844 if (getuid() == geteuid()) {
845 fn = getenv("SOFTPKCS11RC");
846 if (fn)
847 fn = strdup(fn);
848 home = getenv("HOME");
849 }
850 if (fn == NULL && home == NULL) {
851 struct passwd *pw = getpwuid(getuid());
852 if(pw != NULL)
853 home = pw->pw_dir;
854 }
855 if (fn == NULL) {
856 if (home)
857 asprintf(&fn, "%s/.soft-token.rc", home);
858 else
859 fn = strdup("/etc/soft-token.rc");
860 }
861
862 soft_token.config_file = fn;
863 }
864
865 /*
866 * This operations doesn't return CKR_OK if any of the
867 * certificates failes to be unparsed (ie password protected).
868 */
869 ret = read_conf_file(soft_token.config_file, CKU_USER, NULL);
870 if (ret == CKR_OK)
871 soft_token.flags.login_done = 1;
872
873 return CKR_OK;
874 }
875
876 CK_RV
877 C_Finalize(CK_VOID_PTR args)
878 {
879 int i;
880
881 INIT_CONTEXT();
882
883 st_logf("Finalize\n");
884
885 for (i = 0; i < MAX_NUM_SESSION; i++) {
886 if (soft_token.state[i].session_handle != CK_INVALID_HANDLE) {
887 application_error("application finalized without "
888 "closing session\n");
889 close_session(&soft_token.state[i]);
890 }
891 }
892
893 return CKR_OK;
894 }
895
896 CK_RV
897 C_GetInfo(CK_INFO_PTR args)
898 {
899 INIT_CONTEXT();
900
901 st_logf("GetInfo\n");
902
903 memset(args, 17, sizeof(*args));
904 args->cryptokiVersion.major = 2;
905 args->cryptokiVersion.minor = 10;
906 snprintf_fill((char *)args->manufacturerID,
907 sizeof(args->manufacturerID),
908 ' ',
909 "Heimdal hx509 SoftToken");
910 snprintf_fill((char *)args->libraryDescription,
911 sizeof(args->libraryDescription), ' ',
912 "Heimdal hx509 SoftToken");
913 args->libraryVersion.major = 2;
914 args->libraryVersion.minor = 0;
915
916 return CKR_OK;
917 }
918
919 extern CK_FUNCTION_LIST funcs;
920
921 CK_RV
922 C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList)
923 {
924 INIT_CONTEXT();
925
926 *ppFunctionList = &funcs;
927 return CKR_OK;
928 }
929
930 CK_RV
931 C_GetSlotList(CK_BBOOL tokenPresent,
932 CK_SLOT_ID_PTR pSlotList,
933 CK_ULONG_PTR pulCount)
934 {
935 INIT_CONTEXT();
936 st_logf("GetSlotList: %s\n",
937 tokenPresent ? "tokenPresent" : "token not Present");
938 if (pSlotList)
939 pSlotList[0] = 1;
940 *pulCount = 1;
941 return CKR_OK;
942 }
943
944 CK_RV
945 C_GetSlotInfo(CK_SLOT_ID slotID,
946 CK_SLOT_INFO_PTR pInfo)
947 {
948 INIT_CONTEXT();
949 st_logf("GetSlotInfo: slot: %d : %s\n", (int)slotID, has_session());
950
951 memset(pInfo, 18, sizeof(*pInfo));
952
953 if (slotID != 1)
954 return CKR_ARGUMENTS_BAD;
955
956 snprintf_fill((char *)pInfo->slotDescription,
957 sizeof(pInfo->slotDescription),
958 ' ',
959 "Heimdal hx509 SoftToken (slot)");
960 snprintf_fill((char *)pInfo->manufacturerID,
961 sizeof(pInfo->manufacturerID),
962 ' ',
963 "Heimdal hx509 SoftToken (slot)");
964 pInfo->flags = CKF_TOKEN_PRESENT;
965 if (soft_token.flags.hardware_slot)
966 pInfo->flags |= CKF_HW_SLOT;
967 pInfo->hardwareVersion.major = 1;
968 pInfo->hardwareVersion.minor = 0;
969 pInfo->firmwareVersion.major = 1;
970 pInfo->firmwareVersion.minor = 0;
971
972 return CKR_OK;
973 }
974
975 CK_RV
976 C_GetTokenInfo(CK_SLOT_ID slotID,
977 CK_TOKEN_INFO_PTR pInfo)
978 {
979 INIT_CONTEXT();
980 st_logf("GetTokenInfo: %s\n", has_session());
981
982 memset(pInfo, 19, sizeof(*pInfo));
983
984 snprintf_fill((char *)pInfo->label,
985 sizeof(pInfo->label),
986 ' ',
987 "Heimdal hx509 SoftToken (token)");
988 snprintf_fill((char *)pInfo->manufacturerID,
989 sizeof(pInfo->manufacturerID),
990 ' ',
991 "Heimdal hx509 SoftToken (token)");
992 snprintf_fill((char *)pInfo->model,
993 sizeof(pInfo->model),
994 ' ',
995 "Heimdal hx509 SoftToken (token)");
996 snprintf_fill((char *)pInfo->serialNumber,
997 sizeof(pInfo->serialNumber),
998 ' ',
999 "4711");
1000 pInfo->flags =
1001 CKF_TOKEN_INITIALIZED |
1002 CKF_USER_PIN_INITIALIZED;
1003
1004 if (soft_token.flags.login_done == 0)
1005 pInfo->flags |= CKF_LOGIN_REQUIRED;
1006
1007 /* CFK_RNG |
1008 CKF_RESTORE_KEY_NOT_NEEDED |
1009 */
1010 pInfo->ulMaxSessionCount = MAX_NUM_SESSION;
1011 pInfo->ulSessionCount = soft_token.open_sessions;
1012 pInfo->ulMaxRwSessionCount = MAX_NUM_SESSION;
1013 pInfo->ulRwSessionCount = soft_token.open_sessions;
1014 pInfo->ulMaxPinLen = 1024;
1015 pInfo->ulMinPinLen = 0;
1016 pInfo->ulTotalPublicMemory = 4711;
1017 pInfo->ulFreePublicMemory = 4712;
1018 pInfo->ulTotalPrivateMemory = 4713;
1019 pInfo->ulFreePrivateMemory = 4714;
1020 pInfo->hardwareVersion.major = 2;
1021 pInfo->hardwareVersion.minor = 0;
1022 pInfo->firmwareVersion.major = 2;
1023 pInfo->firmwareVersion.minor = 0;
1024
1025 return CKR_OK;
1026 }
1027
1028 CK_RV
1029 C_GetMechanismList(CK_SLOT_ID slotID,
1030 CK_MECHANISM_TYPE_PTR pMechanismList,
1031 CK_ULONG_PTR pulCount)
1032 {
1033 INIT_CONTEXT();
1034 st_logf("GetMechanismList\n");
1035
1036 *pulCount = 1;
1037 if (pMechanismList == NULL_PTR)
1038 return CKR_OK;
1039 pMechanismList[1] = CKM_RSA_PKCS;
1040
1041 return CKR_OK;
1042 }
1043
1044 CK_RV
1045 C_GetMechanismInfo(CK_SLOT_ID slotID,
1046 CK_MECHANISM_TYPE type,
1047 CK_MECHANISM_INFO_PTR pInfo)
1048 {
1049 INIT_CONTEXT();
1050 st_logf("GetMechanismInfo: slot %d type: %d\n",
1051 (int)slotID, (int)type);
1052 memset(pInfo, 0, sizeof(*pInfo));
1053
1054 return CKR_OK;
1055 }
1056
1057 CK_RV
1058 C_InitToken(CK_SLOT_ID slotID,
1059 CK_UTF8CHAR_PTR pPin,
1060 CK_ULONG ulPinLen,
1061 CK_UTF8CHAR_PTR pLabel)
1062 {
1063 INIT_CONTEXT();
1064 st_logf("InitToken: slot %d\n", (int)slotID);
1065 return CKR_FUNCTION_NOT_SUPPORTED;
1066 }
1067
1068 CK_RV
1069 C_OpenSession(CK_SLOT_ID slotID,
1070 CK_FLAGS flags,
1071 CK_VOID_PTR pApplication,
1072 CK_NOTIFY Notify,
1073 CK_SESSION_HANDLE_PTR phSession)
1074 {
1075 int i;
1076 INIT_CONTEXT();
1077 st_logf("OpenSession: slot: %d\n", (int)slotID);
1078
1079 if (soft_token.open_sessions == MAX_NUM_SESSION)
1080 return CKR_SESSION_COUNT;
1081
1082 soft_token.application = pApplication;
1083 soft_token.notify = Notify;
1084
1085 for (i = 0; i < MAX_NUM_SESSION; i++)
1086 if (soft_token.state[i].session_handle == CK_INVALID_HANDLE)
1087 break;
1088 if (i == MAX_NUM_SESSION)
1089 abort();
1090
1091 soft_token.open_sessions++;
1092
1093 soft_token.state[i].session_handle =
1094 (CK_SESSION_HANDLE)(random() & 0xfffff);
1095 *phSession = soft_token.state[i].session_handle;
1096
1097 return CKR_OK;
1098 }
1099
1100 CK_RV
1101 C_CloseSession(CK_SESSION_HANDLE hSession)
1102 {
1103 struct session_state *state;
1104 INIT_CONTEXT();
1105 st_logf("CloseSession\n");
1106
1107 if (verify_session_handle(hSession, &state) != CKR_OK)
1108 application_error("closed session not open");
1109 else
1110 close_session(state);
1111
1112 return CKR_OK;
1113 }
1114
1115 CK_RV
1116 C_CloseAllSessions(CK_SLOT_ID slotID)
1117 {
1118 int i;
1119 INIT_CONTEXT();
1120
1121 st_logf("CloseAllSessions\n");
1122
1123 for (i = 0; i < MAX_NUM_SESSION; i++)
1124 if (soft_token.state[i].session_handle != CK_INVALID_HANDLE)
1125 close_session(&soft_token.state[i]);
1126
1127 return CKR_OK;
1128 }
1129
1130 CK_RV
1131 C_GetSessionInfo(CK_SESSION_HANDLE hSession,
1132 CK_SESSION_INFO_PTR pInfo)
1133 {
1134 st_logf("GetSessionInfo\n");
1135 INIT_CONTEXT();
1136
1137 VERIFY_SESSION_HANDLE(hSession, NULL);
1138
1139 memset(pInfo, 20, sizeof(*pInfo));
1140
1141 pInfo->slotID = 1;
1142 if (soft_token.flags.login_done)
1143 pInfo->state = CKS_RO_USER_FUNCTIONS;
1144 else
1145 pInfo->state = CKS_RO_PUBLIC_SESSION;
1146 pInfo->flags = CKF_SERIAL_SESSION;
1147 pInfo->ulDeviceError = 0;
1148
1149 return CKR_OK;
1150 }
1151
1152 CK_RV
1153 C_Login(CK_SESSION_HANDLE hSession,
1154 CK_USER_TYPE userType,
1155 CK_UTF8CHAR_PTR pPin,
1156 CK_ULONG ulPinLen)
1157 {
1158 char *pin = NULL;
1159 CK_RV ret;
1160 INIT_CONTEXT();
1161
1162 st_logf("Login\n");
1163
1164 VERIFY_SESSION_HANDLE(hSession, NULL);
1165
1166 if (pPin != NULL_PTR) {
1167 asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
1168 st_logf("type: %d password: %s\n", (int)userType, pin);
1169 }
1170
1171 /*
1172 * Login
1173 */
1174
1175 ret = read_conf_file(soft_token.config_file, userType, pin);
1176 if (ret == CKR_OK)
1177 soft_token.flags.login_done = 1;
1178
1179 free(pin);
1180
1181 return soft_token.flags.login_done ? CKR_OK : CKR_PIN_INCORRECT;
1182 }
1183
1184 CK_RV
1185 C_Logout(CK_SESSION_HANDLE hSession)
1186 {
1187 st_logf("Logout\n");
1188 INIT_CONTEXT();
1189
1190 VERIFY_SESSION_HANDLE(hSession, NULL);
1191 return CKR_FUNCTION_NOT_SUPPORTED;
1192 }
1193
1194 CK_RV
1195 C_GetObjectSize(CK_SESSION_HANDLE hSession,
1196 CK_OBJECT_HANDLE hObject,
1197 CK_ULONG_PTR pulSize)
1198 {
1199 st_logf("GetObjectSize\n");
1200 INIT_CONTEXT();
1201
1202 VERIFY_SESSION_HANDLE(hSession, NULL);
1203 return CKR_FUNCTION_NOT_SUPPORTED;
1204 }
1205
1206 CK_RV
1207 C_GetAttributeValue(CK_SESSION_HANDLE hSession,
1208 CK_OBJECT_HANDLE hObject,
1209 CK_ATTRIBUTE_PTR pTemplate,
1210 CK_ULONG ulCount)
1211 {
1212 struct session_state *state;
1213 struct st_object *obj;
1214 CK_ULONG i;
1215 CK_RV ret;
1216 int j;
1217
1218 INIT_CONTEXT();
1219
1220 st_logf("GetAttributeValue: %lx\n",
1221 (unsigned long)HANDLE_OBJECT_ID(hObject));
1222 VERIFY_SESSION_HANDLE(hSession, &state);
1223
1224 if ((ret = object_handle_to_object(hObject, &obj)) != CKR_OK) {
1225 st_logf("object not found: %lx\n",
1226 (unsigned long)HANDLE_OBJECT_ID(hObject));
1227 return ret;
1228 }
1229
1230 for (i = 0; i < ulCount; i++) {
1231 st_logf(" getting 0x%08lx\n", (unsigned long)pTemplate[i].type);
1232 for (j = 0; j < obj->num_attributes; j++) {
1233 if (obj->attrs[j].secret) {
1234 pTemplate[i].ulValueLen = (CK_ULONG)-1;
1235 break;
1236 }
1237 if (pTemplate[i].type == obj->attrs[j].attribute.type) {
1238 if (pTemplate[i].pValue != NULL_PTR && obj->attrs[j].secret == 0) {
1239 if (pTemplate[i].ulValueLen >= obj->attrs[j].attribute.ulValueLen)
1240 memcpy(pTemplate[i].pValue, obj->attrs[j].attribute.pValue,
1241 obj->attrs[j].attribute.ulValueLen);
1242 }
1243 pTemplate[i].ulValueLen = obj->attrs[j].attribute.ulValueLen;
1244 break;
1245 }
1246 }
1247 if (j == obj->num_attributes) {
1248 st_logf("key type: 0x%08lx not found\n", (unsigned long)pTemplate[i].type);
1249 pTemplate[i].ulValueLen = (CK_ULONG)-1;
1250 }
1251
1252 }
1253 return CKR_OK;
1254 }
1255
1256 CK_RV
1257 C_FindObjectsInit(CK_SESSION_HANDLE hSession,
1258 CK_ATTRIBUTE_PTR pTemplate,
1259 CK_ULONG ulCount)
1260 {
1261 struct session_state *state;
1262
1263 st_logf("FindObjectsInit\n");
1264
1265 INIT_CONTEXT();
1266
1267 VERIFY_SESSION_HANDLE(hSession, &state);
1268
1269 if (state->find.next_object != -1) {
1270 application_error("application didn't do C_FindObjectsFinal\n");
1271 find_object_final(state);
1272 }
1273 if (ulCount) {
1274 CK_ULONG i;
1275
1276 print_attributes(pTemplate, ulCount);
1277
1278 state->find.attributes =
1279 calloc(1, ulCount * sizeof(state->find.attributes[0]));
1280 if (state->find.attributes == NULL)
1281 return CKR_DEVICE_MEMORY;
1282 for (i = 0; i < ulCount; i++) {
1283 state->find.attributes[i].pValue =
1284 malloc(pTemplate[i].ulValueLen);
1285 if (state->find.attributes[i].pValue == NULL) {
1286 find_object_final(state);
1287 return CKR_DEVICE_MEMORY;
1288 }
1289 memcpy(state->find.attributes[i].pValue,
1290 pTemplate[i].pValue, pTemplate[i].ulValueLen);
1291 state->find.attributes[i].type = pTemplate[i].type;
1292 state->find.attributes[i].ulValueLen = pTemplate[i].ulValueLen;
1293 }
1294 state->find.num_attributes = ulCount;
1295 state->find.next_object = 0;
1296 } else {
1297 st_logf("find all objects\n");
1298 state->find.attributes = NULL;
1299 state->find.num_attributes = 0;
1300 state->find.next_object = 0;
1301 }
1302
1303 return CKR_OK;
1304 }
1305
1306 CK_RV
1307 C_FindObjects(CK_SESSION_HANDLE hSession,
1308 CK_OBJECT_HANDLE_PTR phObject,
1309 CK_ULONG ulMaxObjectCount,
1310 CK_ULONG_PTR pulObjectCount)
1311 {
1312 struct session_state *state;
1313 int i;
1314
1315 INIT_CONTEXT();
1316
1317 st_logf("FindObjects\n");
1318
1319 VERIFY_SESSION_HANDLE(hSession, &state);
1320
1321 if (state->find.next_object == -1) {
1322 application_error("application didn't do C_FindObjectsInit\n");
1323 return CKR_ARGUMENTS_BAD;
1324 }
1325 if (ulMaxObjectCount == 0) {
1326 application_error("application asked for 0 objects\n");
1327 return CKR_ARGUMENTS_BAD;
1328 }
1329 *pulObjectCount = 0;
1330 for (i = state->find.next_object; i < soft_token.object.num_objs; i++) {
1331 st_logf("FindObjects: %d\n", i);
1332 state->find.next_object = i + 1;
1333 if (attributes_match(soft_token.object.objs[i],
1334 state->find.attributes,
1335 state->find.num_attributes)) {
1336 *phObject++ = soft_token.object.objs[i]->object_handle;
1337 ulMaxObjectCount--;
1338 (*pulObjectCount)++;
1339 if (ulMaxObjectCount == 0)
1340 break;
1341 }
1342 }
1343 return CKR_OK;
1344 }
1345
1346 CK_RV
1347 C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
1348 {
1349 struct session_state *state;
1350
1351 INIT_CONTEXT();
1352
1353 st_logf("FindObjectsFinal\n");
1354 VERIFY_SESSION_HANDLE(hSession, &state);
1355 find_object_final(state);
1356 return CKR_OK;
1357 }
1358
1359 static CK_RV
1360 commonInit(CK_ATTRIBUTE *attr_match, int attr_match_len,
1361 const CK_MECHANISM_TYPE *mechs, int mechs_len,
1362 const CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey,
1363 struct st_object **o)
1364 {
1365 CK_RV ret;
1366 int i;
1367
1368 *o = NULL;
1369 if ((ret = object_handle_to_object(hKey, o)) != CKR_OK)
1370 return ret;
1371
1372 ret = attributes_match(*o, attr_match, attr_match_len);
1373 if (!ret) {
1374 application_error("called commonInit on key that doesn't "
1375 "support required attr");
1376 return CKR_ARGUMENTS_BAD;
1377 }
1378
1379 for (i = 0; i < mechs_len; i++)
1380 if (mechs[i] == pMechanism->mechanism)
1381 break;
1382 if (i == mechs_len) {
1383 application_error("called mech (%08lx) not supported\n",
1384 pMechanism->mechanism);
1385 return CKR_ARGUMENTS_BAD;
1386 }
1387 return CKR_OK;
1388 }
1389
1390
1391 static CK_RV
1392 dup_mechanism(CK_MECHANISM_PTR *dup, const CK_MECHANISM_PTR pMechanism)
1393 {
1394 CK_MECHANISM_PTR p;
1395
1396 p = malloc(sizeof(*p));
1397 if (p == NULL)
1398 return CKR_DEVICE_MEMORY;
1399
1400 if (*dup)
1401 free(*dup);
1402 *dup = p;
1403 memcpy(p, pMechanism, sizeof(*p));
1404
1405 return CKR_OK;
1406 }
1407
1408 CK_RV
1409 C_DigestInit(CK_SESSION_HANDLE hSession,
1410 CK_MECHANISM_PTR pMechanism)
1411 {
1412 st_logf("DigestInit\n");
1413 INIT_CONTEXT();
1414 VERIFY_SESSION_HANDLE(hSession, NULL);
1415 return CKR_FUNCTION_NOT_SUPPORTED;
1416 }
1417
1418 CK_RV
1419 C_SignInit(CK_SESSION_HANDLE hSession,
1420 CK_MECHANISM_PTR pMechanism,
1421 CK_OBJECT_HANDLE hKey)
1422 {
1423 struct session_state *state;
1424 CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS };
1425 CK_BBOOL bool_true = CK_TRUE;
1426 CK_ATTRIBUTE attr[] = {
1427 { CKA_SIGN, &bool_true, sizeof(bool_true) }
1428 };
1429 struct st_object *o;
1430 CK_RV ret;
1431
1432 INIT_CONTEXT();
1433 st_logf("SignInit\n");
1434 VERIFY_SESSION_HANDLE(hSession, &state);
1435
1436 ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]),
1437 mechs, sizeof(mechs)/sizeof(mechs[0]),
1438 pMechanism, hKey, &o);
1439 if (ret)
1440 return ret;
1441
1442 ret = dup_mechanism(&state->sign_mechanism, pMechanism);
1443 if (ret == CKR_OK)
1444 state->sign_object = OBJECT_ID(o);
1445
1446 return CKR_OK;
1447 }
1448
1449 CK_RV
1450 C_Sign(CK_SESSION_HANDLE hSession,
1451 CK_BYTE_PTR pData,
1452 CK_ULONG ulDataLen,
1453 CK_BYTE_PTR pSignature,
1454 CK_ULONG_PTR pulSignatureLen)
1455 {
1456 struct session_state *state;
1457 struct st_object *o;
1458 CK_RV ret;
1459 uint hret;
1460 const AlgorithmIdentifier *alg;
1461 heim_octet_string sig, data;
1462
1463 INIT_CONTEXT();
1464 st_logf("Sign\n");
1465 VERIFY_SESSION_HANDLE(hSession, &state);
1466
1467 sig.data = NULL;
1468 sig.length = 0;
1469
1470 if (state->sign_object == -1)
1471 return CKR_ARGUMENTS_BAD;
1472
1473 if (pulSignatureLen == NULL) {
1474 st_logf("signature len NULL\n");
1475 ret = CKR_ARGUMENTS_BAD;
1476 goto out;
1477 }
1478
1479 if (pData == NULL_PTR) {
1480 st_logf("data NULL\n");
1481 ret = CKR_ARGUMENTS_BAD;
1482 goto out;
1483 }
1484
1485 o = soft_token.object.objs[state->sign_object];
1486
1487 if (hx509_cert_have_private_key(o->cert) == 0) {
1488 st_logf("private key NULL\n");
1489 return CKR_ARGUMENTS_BAD;
1490 }
1491
1492 switch(state->sign_mechanism->mechanism) {
1493 case CKM_RSA_PKCS:
1494 alg = hx509_signature_rsa_pkcs1_x509();
1495 break;
1496 default:
1497 ret = CKR_FUNCTION_NOT_SUPPORTED;
1498 goto out;
1499 }
1500
1501 data.data = pData;
1502 data.length = ulDataLen;
1503
1504 hret = _hx509_create_signature(context,
1505 _hx509_cert_private_key(o->cert),
1506 alg,
1507 &data,
1508 NULL,
1509 &sig);
1510 if (hret) {
1511 ret = CKR_DEVICE_ERROR;
1512 goto out;
1513 }
1514 *pulSignatureLen = sig.length;
1515
1516 if (pSignature != NULL_PTR)
1517 memcpy(pSignature, sig.data, sig.length);
1518
1519 ret = CKR_OK;
1520 out:
1521 if (sig.data) {
1522 memset(sig.data, 0, sig.length);
1523 der_free_octet_string(&sig);
1524 }
1525 return ret;
1526 }
1527
1528 CK_RV
1529 C_SignUpdate(CK_SESSION_HANDLE hSession,
1530 CK_BYTE_PTR pPart,
1531 CK_ULONG ulPartLen)
1532 {
1533 INIT_CONTEXT();
1534 st_logf("SignUpdate\n");
1535 VERIFY_SESSION_HANDLE(hSession, NULL);
1536 return CKR_FUNCTION_NOT_SUPPORTED;
1537 }
1538
1539
1540 CK_RV
1541 C_SignFinal(CK_SESSION_HANDLE hSession,
1542 CK_BYTE_PTR pSignature,
1543 CK_ULONG_PTR pulSignatureLen)
1544 {
1545 INIT_CONTEXT();
1546 st_logf("SignUpdate\n");
1547 VERIFY_SESSION_HANDLE(hSession, NULL);
1548 return CKR_FUNCTION_NOT_SUPPORTED;
1549 }
1550
1551 CK_RV
1552 C_VerifyInit(CK_SESSION_HANDLE hSession,
1553 CK_MECHANISM_PTR pMechanism,
1554 CK_OBJECT_HANDLE hKey)
1555 {
1556 struct session_state *state;
1557 CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS };
1558 CK_BBOOL bool_true = CK_TRUE;
1559 CK_ATTRIBUTE attr[] = {
1560 { CKA_VERIFY, &bool_true, sizeof(bool_true) }
1561 };
1562 struct st_object *o;
1563 CK_RV ret;
1564
1565 INIT_CONTEXT();
1566 st_logf("VerifyInit\n");
1567 VERIFY_SESSION_HANDLE(hSession, &state);
1568
1569 ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]),
1570 mechs, sizeof(mechs)/sizeof(mechs[0]),
1571 pMechanism, hKey, &o);
1572 if (ret)
1573 return ret;
1574
1575 ret = dup_mechanism(&state->verify_mechanism, pMechanism);
1576 if (ret == CKR_OK)
1577 state->verify_object = OBJECT_ID(o);
1578
1579 return ret;
1580 }
1581
1582 CK_RV
1583 C_Verify(CK_SESSION_HANDLE hSession,
1584 CK_BYTE_PTR pData,
1585 CK_ULONG ulDataLen,
1586 CK_BYTE_PTR pSignature,
1587 CK_ULONG ulSignatureLen)
1588 {
1589 struct session_state *state;
1590 struct st_object *o;
1591 const AlgorithmIdentifier *alg;
1592 CK_RV ret;
1593 int hret;
1594 heim_octet_string data, sig;
1595
1596 INIT_CONTEXT();
1597 st_logf("Verify\n");
1598 VERIFY_SESSION_HANDLE(hSession, &state);
1599
1600 if (state->verify_object == -1)
1601 return CKR_ARGUMENTS_BAD;
1602
1603 o = soft_token.object.objs[state->verify_object];
1604
1605 switch(state->verify_mechanism->mechanism) {
1606 case CKM_RSA_PKCS:
1607 alg = hx509_signature_rsa_pkcs1_x509();
1608 break;
1609 default:
1610 ret = CKR_FUNCTION_NOT_SUPPORTED;
1611 goto out;
1612 }
1613
1614 sig.data = pData;
1615 sig.length = ulDataLen;
1616 data.data = pSignature;
1617 data.length = ulSignatureLen;
1618
1619 hret = _hx509_verify_signature(context,
1620 o->cert,
1621 alg,
1622 &data,
1623 &sig);
1624 if (hret) {
1625 ret = CKR_GENERAL_ERROR;
1626 goto out;
1627 }
1628 ret = CKR_OK;
1629
1630 out:
1631 return ret;
1632 }
1633
1634
1635 CK_RV
1636 C_VerifyUpdate(CK_SESSION_HANDLE hSession,
1637 CK_BYTE_PTR pPart,
1638 CK_ULONG ulPartLen)
1639 {
1640 INIT_CONTEXT();
1641 st_logf("VerifyUpdate\n");
1642 VERIFY_SESSION_HANDLE(hSession, NULL);
1643 return CKR_FUNCTION_NOT_SUPPORTED;
1644 }
1645
1646 CK_RV
1647 C_VerifyFinal(CK_SESSION_HANDLE hSession,
1648 CK_BYTE_PTR pSignature,
1649 CK_ULONG ulSignatureLen)
1650 {
1651 INIT_CONTEXT();
1652 st_logf("VerifyFinal\n");
1653 VERIFY_SESSION_HANDLE(hSession, NULL);
1654 return CKR_FUNCTION_NOT_SUPPORTED;
1655 }
1656
1657 CK_RV
1658 C_GenerateRandom(CK_SESSION_HANDLE hSession,
1659 CK_BYTE_PTR RandomData,
1660 CK_ULONG ulRandomLen)
1661 {
1662 INIT_CONTEXT();
1663 st_logf("GenerateRandom\n");
1664 VERIFY_SESSION_HANDLE(hSession, NULL);
1665 return CKR_FUNCTION_NOT_SUPPORTED;
1666 }
1667
1668
1669 CK_FUNCTION_LIST funcs = {
1670 { 2, 11 },
1671 C_Initialize,
1672 C_Finalize,
1673 C_GetInfo,
1674 C_GetFunctionList,
1675 C_GetSlotList,
1676 C_GetSlotInfo,
1677 C_GetTokenInfo,
1678 C_GetMechanismList,
1679 C_GetMechanismInfo,
1680 C_InitToken,
1681 (void *)func_not_supported, /* C_InitPIN */
1682 (void *)func_not_supported, /* C_SetPIN */
1683 C_OpenSession,
1684 C_CloseSession,
1685 C_CloseAllSessions,
1686 C_GetSessionInfo,
1687 (void *)func_not_supported, /* C_GetOperationState */
1688 (void *)func_not_supported, /* C_SetOperationState */
1689 C_Login,
1690 C_Logout,
1691 (void *)func_not_supported, /* C_CreateObject */
1692 (void *)func_not_supported, /* C_CopyObject */
1693 (void *)func_not_supported, /* C_DestroyObject */
1694 (void *)func_not_supported, /* C_GetObjectSize */
1695 C_GetAttributeValue,
1696 (void *)func_not_supported, /* C_SetAttributeValue */
1697 C_FindObjectsInit,
1698 C_FindObjects,
1699 C_FindObjectsFinal,
1700 (void *)func_not_supported, /* C_EncryptInit, */
1701 (void *)func_not_supported, /* C_Encrypt, */
1702 (void *)func_not_supported, /* C_EncryptUpdate, */
1703 (void *)func_not_supported, /* C_EncryptFinal, */
1704 (void *)func_not_supported, /* C_DecryptInit, */
1705 (void *)func_not_supported, /* C_Decrypt, */
1706 (void *)func_not_supported, /* C_DecryptUpdate, */
1707 (void *)func_not_supported, /* C_DecryptFinal, */
1708 C_DigestInit,
1709 (void *)func_not_supported, /* C_Digest */
1710 (void *)func_not_supported, /* C_DigestUpdate */
1711 (void *)func_not_supported, /* C_DigestKey */
1712 (void *)func_not_supported, /* C_DigestFinal */
1713 C_SignInit,
1714 C_Sign,
1715 C_SignUpdate,
1716 C_SignFinal,
1717 (void *)func_not_supported, /* C_SignRecoverInit */
1718 (void *)func_not_supported, /* C_SignRecover */
1719 C_VerifyInit,
1720 C_Verify,
1721 C_VerifyUpdate,
1722 C_VerifyFinal,
1723 (void *)func_not_supported, /* C_VerifyRecoverInit */
1724 (void *)func_not_supported, /* C_VerifyRecover */
1725 (void *)func_not_supported, /* C_DigestEncryptUpdate */
1726 (void *)func_not_supported, /* C_DecryptDigestUpdate */
1727 (void *)func_not_supported, /* C_SignEncryptUpdate */
1728 (void *)func_not_supported, /* C_DecryptVerifyUpdate */
1729 (void *)func_not_supported, /* C_GenerateKey */
1730 (void *)func_not_supported, /* C_GenerateKeyPair */
1731 (void *)func_not_supported, /* C_WrapKey */
1732 (void *)func_not_supported, /* C_UnwrapKey */
1733 (void *)func_not_supported, /* C_DeriveKey */
1734 (void *)func_not_supported, /* C_SeedRandom */
1735 C_GenerateRandom,
1736 (void *)func_not_supported, /* C_GetFunctionStatus */
1737 (void *)func_not_supported, /* C_CancelFunction */
1738 (void *)func_not_supported /* C_WaitForSlotEvent */
1739 };
Heimdal