search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
count number of enctypes too
[heimdal.git] / lib / hx509 / softp11.c
blob38f587e0fea23badc4436f2dfd44629c32e2a182
1 /*
2 * Copyright (c) 2004 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #define CRYPTOKI_EXPORTS 1
35
36 #include "hx_locl.h"
37 #include "pkcs11.h"
38
39 #define OBJECT_ID_MASK 0xfff
40 #define HANDLE_OBJECT_ID(h) ((h) & OBJECT_ID_MASK)
41 #define OBJECT_ID(obj) HANDLE_OBJECT_ID((obj)->object_handle)
42
43 #ifndef HAVE_RANDOM
44 #define random() rand()
45 #define srandom(s) srand(s)
46 #endif
47
48 #ifdef _WIN32
49 #include <shlobj.h>
50 #endif
51
52 struct st_attr {
53 CK_ATTRIBUTE attribute;
54 int secret;
55 };
56
57 struct st_object {
58 CK_OBJECT_HANDLE object_handle;
59 struct st_attr *attrs;
60 int num_attributes;
61 hx509_cert cert;
62 };
63
64 static struct soft_token {
65 CK_VOID_PTR application;
66 CK_NOTIFY notify;
67 char *config_file;
68 hx509_certs certs;
69 struct {
70 struct st_object **objs;
71 int num_objs;
72 } object;
73 struct {
74 int hardware_slot;
75 int app_error_fatal;
76 int login_done;
77 } flags;
78 int open_sessions;
79 struct session_state {
80 CK_SESSION_HANDLE session_handle;
81
82 struct {
83 CK_ATTRIBUTE *attributes;
84 CK_ULONG num_attributes;
85 int next_object;
86 } find;
87
88 int sign_object;
89 CK_MECHANISM_PTR sign_mechanism;
90 int verify_object;
91 CK_MECHANISM_PTR verify_mechanism;
92 } state[10];
93 #define MAX_NUM_SESSION (sizeof(soft_token.state)/sizeof(soft_token.state[0]))
94 FILE *logfile;
95 } soft_token;
96
97 static hx509_context context;
98
99 static void
100 application_error(const char *fmt, ...)
101 {
102 va_list ap;
103 va_start(ap, fmt);
104 vprintf(fmt, ap);
105 va_end(ap);
106 if (soft_token.flags.app_error_fatal)
107 abort();
108 }
109
110 static void
111 st_logf(const char *fmt, ...)
112 {
113 va_list ap;
114 if (soft_token.logfile == NULL)
115 return;
116 va_start(ap, fmt);
117 vfprintf(soft_token.logfile, fmt, ap);
118 va_end(ap);
119 fflush(soft_token.logfile);
120 }
121
122 static CK_RV
123 init_context(void)
124 {
125 if (context == NULL) {
126 int ret = hx509_context_init(&context);
127 if (ret)
128 return CKR_GENERAL_ERROR;
129 }
130 return CKR_OK;
131 }
132
133 #define INIT_CONTEXT() { CK_RV icret = init_context(); if (icret) return icret; }
134
135 static void
136 snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
137 {
138 int len;
139 va_list ap;
140 va_start(ap, fmt);
141 len = vsnprintf(str, size, fmt, ap);
142 va_end(ap);
143 if (len < 0 || (size_t)len > size)
144 return;
145 while ((size_t)len < size)
146 str[len++] = fillchar;
147 }
148
149 #ifndef TEST_APP
150 #define printf error_use_st_logf
151 #endif
152
153 #define VERIFY_SESSION_HANDLE(s, state) \
154 { \
155 CK_RV xret; \
156 xret = verify_session_handle(s, state); \
157 if (xret != CKR_OK) { \
158 /* return CKR_OK */; \
159 } \
160 }
161
162 static CK_RV
163 verify_session_handle(CK_SESSION_HANDLE hSession,
164 struct session_state **state)
165 {
166 size_t i;
167
168 for (i = 0; i < MAX_NUM_SESSION; i++){
169 if (soft_token.state[i].session_handle == hSession)
170 break;
171 }
172 if (i == MAX_NUM_SESSION) {
173 application_error("use of invalid handle: 0x%08lx\n",
174 (unsigned long)hSession);
175 return CKR_SESSION_HANDLE_INVALID;
176 }
177 if (state)
178 *state = &soft_token.state[i];
179 return CKR_OK;
180 }
181
182 static CK_RV
183 object_handle_to_object(CK_OBJECT_HANDLE handle,
184 struct st_object **object)
185 {
186 int i = HANDLE_OBJECT_ID(handle);
187
188 *object = NULL;
189 if (i >= soft_token.object.num_objs)
190 return CKR_ARGUMENTS_BAD;
191 if (soft_token.object.objs[i] == NULL)
192 return CKR_ARGUMENTS_BAD;
193 if (soft_token.object.objs[i]->object_handle != handle)
194 return CKR_ARGUMENTS_BAD;
195 *object = soft_token.object.objs[i];
196 return CKR_OK;
197 }
198
199 static int
200 attributes_match(const struct st_object *obj,
201 const CK_ATTRIBUTE *attributes,
202 CK_ULONG num_attributes)
203 {
204 CK_ULONG i;
205 int j;
206
207 st_logf("attributes_match: %ld\n", (unsigned long)OBJECT_ID(obj));
208
209 for (i = 0; i < num_attributes; i++) {
210 int match = 0;
211 for (j = 0; j < obj->num_attributes; j++) {
212 if (attributes[i].type == obj->attrs[j].attribute.type &&
213 attributes[i].ulValueLen == obj->attrs[j].attribute.ulValueLen &&
214 memcmp(attributes[i].pValue, obj->attrs[j].attribute.pValue,
215 attributes[i].ulValueLen) == 0) {
216 match = 1;
217 break;
218 }
219 }
220 if (match == 0) {
221 st_logf("type %d attribute have no match\n", attributes[i].type);
222 return 0;
223 }
224 }
225 st_logf("attribute matches\n");
226 return 1;
227 }
228
229 static void
230 print_attributes(const CK_ATTRIBUTE *attributes,
231 CK_ULONG num_attributes)
232 {
233 CK_ULONG i;
234
235 st_logf("find objects: attrs: %lu\n", (unsigned long)num_attributes);
236
237 for (i = 0; i < num_attributes; i++) {
238 st_logf(" type: ");
239 switch (attributes[i].type) {
240 case CKA_TOKEN: {
241 CK_BBOOL *ck_true;
242 if (attributes[i].ulValueLen != sizeof(CK_BBOOL)) {
243 application_error("token attribute wrong length\n");
244 break;
245 }
246 ck_true = attributes[i].pValue;
247 st_logf("token: %s", *ck_true ? "TRUE" : "FALSE");
248 break;
249 }
250 case CKA_CLASS: {
251 CK_OBJECT_CLASS *class;
252 if (attributes[i].ulValueLen != sizeof(CK_ULONG)) {
253 application_error("class attribute wrong length\n");
254 break;
255 }
256 class = attributes[i].pValue;
257 st_logf("class ");
258 switch (*class) {
259 case CKO_CERTIFICATE:
260 st_logf("certificate");
261 break;
262 case CKO_PUBLIC_KEY:
263 st_logf("public key");
264 break;
265 case CKO_PRIVATE_KEY:
266 st_logf("private key");
267 break;
268 case CKO_SECRET_KEY:
269 st_logf("secret key");
270 break;
271 case CKO_DOMAIN_PARAMETERS:
272 st_logf("domain parameters");
273 break;
274 default:
275 st_logf("[class %lx]", (long unsigned)*class);
276 break;
277 }
278 break;
279 }
280 case CKA_PRIVATE:
281 st_logf("private");
282 break;
283 case CKA_LABEL:
284 st_logf("label");
285 break;
286 case CKA_APPLICATION:
287 st_logf("application");
288 break;
289 case CKA_VALUE:
290 st_logf("value");
291 break;
292 case CKA_ID:
293 st_logf("id");
294 break;
295 default:
296 st_logf("[unknown 0x%08lx]", (unsigned long)attributes[i].type);
297 break;
298 }
299 st_logf("\n");
300 }
301 }
302
303 static struct st_object *
304 add_st_object(void)
305 {
306 struct st_object *o, **objs;
307 int i;
308
309 o = calloc(1, sizeof(*o));
310 if (o == NULL)
311 return NULL;
312
313 for (i = 0; i < soft_token.object.num_objs; i++) {
314 if (soft_token.object.objs == NULL) {
315 soft_token.object.objs[i] = o;
316 break;
317 }
318 }
319 if (i == soft_token.object.num_objs) {
320 objs = realloc(soft_token.object.objs,
321 (soft_token.object.num_objs + 1) * sizeof(soft_token.object.objs[0]));
322 if (objs == NULL) {
323 free(o);
324 return NULL;
325 }
326 soft_token.object.objs = objs;
327 soft_token.object.objs[soft_token.object.num_objs++] = o;
328 }
329 soft_token.object.objs[i]->object_handle =
330 (random() & (~OBJECT_ID_MASK)) | i;
331
332 return o;
333 }
334
335 static CK_RV
336 add_object_attribute(struct st_object *o,
337 int secret,
338 CK_ATTRIBUTE_TYPE type,
339 CK_VOID_PTR pValue,
340 CK_ULONG ulValueLen)
341 {
342 struct st_attr *a;
343 int i;
344
345 i = o->num_attributes;
346 a = realloc(o->attrs, (i + 1) * sizeof(o->attrs[0]));
347 if (a == NULL)
348 return CKR_DEVICE_MEMORY;
349 o->attrs = a;
350 o->attrs[i].secret = secret;
351 o->attrs[i].attribute.type = type;
352 o->attrs[i].attribute.pValue = malloc(ulValueLen);
353 if (o->attrs[i].attribute.pValue == NULL && ulValueLen != 0)
354 return CKR_DEVICE_MEMORY;
355 memcpy(o->attrs[i].attribute.pValue, pValue, ulValueLen);
356 o->attrs[i].attribute.ulValueLen = ulValueLen;
357 o->num_attributes++;
358
359 return CKR_OK;
360 }
361
362 static CK_RV
363 add_pubkey_info(hx509_context hxctx, struct st_object *o,
364 CK_KEY_TYPE key_type, hx509_cert cert)
365 {
366 BIGNUM *num;
367 CK_BYTE *modulus = NULL;
368 size_t modulus_len = 0;
369 CK_ULONG modulus_bits = 0;
370 CK_BYTE *exponent = NULL;
371 size_t exponent_len = 0;
372
373 if (key_type != CKK_RSA)
374 return CKR_OK;
375 if (_hx509_cert_private_key(cert) == NULL)
376 return CKR_OK;
377
378 num = _hx509_private_key_get_internal(context,
379 _hx509_cert_private_key(cert),
380 "rsa-modulus");
381 if (num == NULL)
382 return CKR_GENERAL_ERROR;
383 modulus_bits = BN_num_bits(num);
384
385 modulus_len = BN_num_bytes(num);
386 modulus = malloc(modulus_len);
387 BN_bn2bin(num, modulus);
388 BN_free(num);
389
390 add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
391 add_object_attribute(o, 0, CKA_MODULUS_BITS,
392 &modulus_bits, sizeof(modulus_bits));
393
394 free(modulus);
395
396 num = _hx509_private_key_get_internal(context,
397 _hx509_cert_private_key(cert),
398 "rsa-exponent");
399 if (num == NULL)
400 return CKR_GENERAL_ERROR;
401
402 exponent_len = BN_num_bytes(num);
403 exponent = malloc(exponent_len);
404 BN_bn2bin(num, exponent);
405 BN_free(num);
406
407 add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
408 exponent, exponent_len);
409
410 free(exponent);
411
412 return CKR_OK;
413 }
414
415
416 struct foo {
417 char *label;
418 char *id;
419 };
420
421 static int
422 add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
423 {
424 static char empty[] = "";
425 struct foo *foo = (struct foo *)ctx;
426 struct st_object *o = NULL;
427 CK_OBJECT_CLASS type;
428 CK_BBOOL bool_true = CK_TRUE;
429 CK_BBOOL bool_false = CK_FALSE;
430 CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
431 CK_KEY_TYPE key_type;
432 CK_MECHANISM_TYPE mech_type;
433 CK_RV ret = CKR_GENERAL_ERROR;
434 int hret;
435 heim_octet_string cert_data, subject_data, issuer_data, serial_data;
436
437 st_logf("adding certificate\n");
438
439 serial_data.data = NULL;
440 serial_data.length = 0;
441 cert_data = subject_data = issuer_data = serial_data;
442
443 hret = hx509_cert_binary(hxctx, cert, &cert_data);
444 if (hret)
445 goto out;
446
447 {
448 hx509_name name;
449
450 hret = hx509_cert_get_issuer(cert, &name);
451 if (hret)
452 goto out;
453 hret = hx509_name_binary(name, &issuer_data);
454 hx509_name_free(&name);
455 if (hret)
456 goto out;
457
458 hret = hx509_cert_get_subject(cert, &name);
459 if (hret)
460 goto out;
461 hret = hx509_name_binary(name, &subject_data);
462 hx509_name_free(&name);
463 if (hret)
464 goto out;
465 }
466
467 {
468 AlgorithmIdentifier alg;
469
470 hret = hx509_cert_get_SPKI_AlgorithmIdentifier(context, cert, &alg);
471 if (hret) {
472 ret = CKR_DEVICE_MEMORY;
473 goto out;
474 }
475
476 key_type = CKK_RSA; /* XXX */
477
478 free_AlgorithmIdentifier(&alg);
479 }
480
481
482 type = CKO_CERTIFICATE;
483 o = add_st_object();
484 if (o == NULL) {
485 ret = CKR_DEVICE_MEMORY;
486 goto out;
487 }
488
489 o->cert = hx509_cert_ref(cert);
490
491 add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
492 add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
493 add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
494 add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
495 add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
496
497 add_object_attribute(o, 0, CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type));
498 add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
499
500 add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
501 add_object_attribute(o, 0, CKA_ISSUER, issuer_data.data, issuer_data.length);
502 add_object_attribute(o, 0, CKA_SERIAL_NUMBER, serial_data.data, serial_data.length);
503 add_object_attribute(o, 0, CKA_VALUE, cert_data.data, cert_data.length);
504 add_object_attribute(o, 0, CKA_TRUSTED, &bool_false, sizeof(bool_false));
505
506 st_logf("add cert ok: %lx\n", (unsigned long)OBJECT_ID(o));
507
508 type = CKO_PUBLIC_KEY;
509 o = add_st_object();
510 if (o == NULL) {
511 ret = CKR_DEVICE_MEMORY;
512 goto out;
513 }
514 o->cert = hx509_cert_ref(cert);
515
516 add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
517 add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
518 add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
519 add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
520 add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
521
522 add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
523 add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
524 add_object_attribute(o, 0, CKA_START_DATE, empty, 1); /* XXX */
525 add_object_attribute(o, 0, CKA_END_DATE, empty, 1); /* XXX */
526 add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
527 add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
528 mech_type = CKM_RSA_X_509;
529 add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));
530
531 add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
532 add_object_attribute(o, 0, CKA_ENCRYPT, &bool_true, sizeof(bool_true));
533 add_object_attribute(o, 0, CKA_VERIFY, &bool_true, sizeof(bool_true));
534 add_object_attribute(o, 0, CKA_VERIFY_RECOVER, &bool_false, sizeof(bool_false));
535 add_object_attribute(o, 0, CKA_WRAP, &bool_true, sizeof(bool_true));
536 add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true));
537
538 add_pubkey_info(hxctx, o, key_type, cert);
539
540 st_logf("add key ok: %lx\n", (unsigned long)OBJECT_ID(o));
541
542 if (hx509_cert_have_private_key(cert)) {
543 CK_FLAGS flags;
544
545 type = CKO_PRIVATE_KEY;
546 o = add_st_object();
547 if (o == NULL) {
548 ret = CKR_DEVICE_MEMORY;
549 goto out;
550 }
551 o->cert = hx509_cert_ref(cert);
552
553 add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
554 add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
555 add_object_attribute(o, 0, CKA_PRIVATE, &bool_true, sizeof(bool_false));
556 add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
557 add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
558
559 add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
560 add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
561 add_object_attribute(o, 0, CKA_START_DATE, empty, 1); /* XXX */
562 add_object_attribute(o, 0, CKA_END_DATE, empty, 1); /* XXX */
563 add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
564 add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
565 mech_type = CKM_RSA_X_509;
566 add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));
567
568 add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
569 add_object_attribute(o, 0, CKA_SENSITIVE, &bool_true, sizeof(bool_true));
570 add_object_attribute(o, 0, CKA_SECONDARY_AUTH, &bool_false, sizeof(bool_true));
571 flags = 0;
572 add_object_attribute(o, 0, CKA_AUTH_PIN_FLAGS, &flags, sizeof(flags));
573
574 add_object_attribute(o, 0, CKA_DECRYPT, &bool_true, sizeof(bool_true));
575 add_object_attribute(o, 0, CKA_SIGN, &bool_true, sizeof(bool_true));
576 add_object_attribute(o, 0, CKA_SIGN_RECOVER, &bool_false, sizeof(bool_false));
577 add_object_attribute(o, 0, CKA_UNWRAP, &bool_true, sizeof(bool_true));
578 add_object_attribute(o, 0, CKA_EXTRACTABLE, &bool_true, sizeof(bool_true));
579 add_object_attribute(o, 0, CKA_NEVER_EXTRACTABLE, &bool_false, sizeof(bool_false));
580
581 add_pubkey_info(hxctx, o, key_type, cert);
582 }
583
584 ret = CKR_OK;
585 out:
586 if (ret != CKR_OK) {
587 st_logf("something went wrong when adding cert!\n");
588
589 /* XXX wack o */;
590 }
591 hx509_xfree(cert_data.data);
592 hx509_xfree(serial_data.data);
593 hx509_xfree(issuer_data.data);
594 hx509_xfree(subject_data.data);
595
596 return 0;
597 }
598
599 static CK_RV
600 add_certificate(const char *cert_file,
601 const char *pin,
602 char *id,
603 char *label)
604 {
605 hx509_certs certs;
606 hx509_lock lock = NULL;
607 int ret, flags = 0;
608
609 struct foo foo;
610 foo.id = id;
611 foo.label = label;
612
613 if (pin == NULL)
614 flags |= HX509_CERTS_UNPROTECT_ALL;
615
616 if (pin) {
617 char *str;
618 asprintf(&str, "PASS:%s", pin);
619
620 hx509_lock_init(context, &lock);
621 hx509_lock_command_string(lock, str);
622
623 memset(str, 0, strlen(str));
624 free(str);
625 }
626
627 ret = hx509_certs_init(context, cert_file, flags, lock, &certs);
628 if (ret) {
629 st_logf("failed to open file %s\n", cert_file);
630 return CKR_GENERAL_ERROR;
631 }
632
633 ret = hx509_certs_iter_f(context, certs, add_cert, &foo);
634 hx509_certs_free(&certs);
635 if (ret) {
636 st_logf("failed adding certs from file %s\n", cert_file);
637 return CKR_GENERAL_ERROR;
638 }
639
640 return CKR_OK;
641 }
642
643 static void
644 find_object_final(struct session_state *state)
645 {
646 if (state->find.attributes) {
647 CK_ULONG i;
648
649 for (i = 0; i < state->find.num_attributes; i++) {
650 if (state->find.attributes[i].pValue)
651 free(state->find.attributes[i].pValue);
652 }
653 free(state->find.attributes);
654 state->find.attributes = NULL;
655 state->find.num_attributes = 0;
656 state->find.next_object = -1;
657 }
658 }
659
660 static void
661 reset_crypto_state(struct session_state *state)
662 {
663 state->sign_object = -1;
664 if (state->sign_mechanism)
665 free(state->sign_mechanism);
666 state->sign_mechanism = NULL_PTR;
667 state->verify_object = -1;
668 if (state->verify_mechanism)
669 free(state->verify_mechanism);
670 state->verify_mechanism = NULL_PTR;
671 }
672
673 static void
674 close_session(struct session_state *state)
675 {
676 if (state->find.attributes) {
677 application_error("application didn't do C_FindObjectsFinal\n");
678 find_object_final(state);
679 }
680
681 state->session_handle = CK_INVALID_HANDLE;
682 soft_token.application = NULL_PTR;
683 soft_token.notify = NULL_PTR;
684 reset_crypto_state(state);
685 }
686
687 static const char *
688 has_session(void)
689 {
690 return soft_token.open_sessions > 0 ? "yes" : "no";
691 }
692
693 static CK_RV
694 read_conf_file(const char *fn, CK_USER_TYPE userType, const char *pin)
695 {
696 char buf[1024], *type, *s, *p;
697 FILE *f;
698 CK_RV ret = CKR_OK;
699 CK_RV failed = CKR_OK;
700
701 if (fn == NULL) {
702 st_logf("Can't open configuration file. No file specified\n");
703 return CKR_GENERAL_ERROR;
704 }
705
706 f = fopen(fn, "r");
707 if (f == NULL) {
708 st_logf("can't open configuration file %s\n", fn);
709 return CKR_GENERAL_ERROR;
710 }
711 rk_cloexec_file(f);
712
713 while(fgets(buf, sizeof(buf), f) != NULL) {
714 buf[strcspn(buf, "\n")] = '\0';
715
716 st_logf("line: %s\n", buf);
717
718 p = buf;
719 while (isspace((unsigned char)*p))
720 p++;
721 if (*p == '#')
722 continue;
723 while (isspace((unsigned char)*p))
724 p++;
725
726 s = NULL;
727 type = strtok_r(p, "\t", &s);
728 if (type == NULL)
729 continue;
730
731 if (strcasecmp("certificate", type) == 0) {
732 char *cert, *id, *label;
733
734 id = strtok_r(NULL, "\t", &s);
735 if (id == NULL) {
736 st_logf("no id\n");
737 continue;
738 }
739 st_logf("id: %s\n", id);
740 label = strtok_r(NULL, "\t", &s);
741 if (label == NULL) {
742 st_logf("no label\n");
743 continue;
744 }
745 cert = strtok_r(NULL, "\t", &s);
746 if (cert == NULL) {
747 st_logf("no certfiicate store\n");
748 continue;
749 }
750
751 st_logf("adding: %s: %s in file %s\n", id, label, cert);
752
753 ret = add_certificate(cert, pin, id, label);
754 if (ret)
755 failed = ret;
756 } else if (strcasecmp("debug", type) == 0) {
757 char *name;
758
759 name = strtok_r(NULL, "\t", &s);
760 if (name == NULL) {
761 st_logf("no filename\n");
762 continue;
763 }
764
765 if (soft_token.logfile)
766 fclose(soft_token.logfile);
767
768 if (strcasecmp(name, "stdout") == 0)
769 soft_token.logfile = stdout;
770 else {
771 soft_token.logfile = fopen(name, "a");
772 if (soft_token.logfile)
773 rk_cloexec_file(soft_token.logfile);
774 }
775 if (soft_token.logfile == NULL)
776 st_logf("failed to open file: %s\n", name);
777
778 } else if (strcasecmp("app-fatal", type) == 0) {
779 char *name;
780
781 name = strtok_r(NULL, "\t", &s);
782 if (name == NULL) {
783 st_logf("argument to app-fatal\n");
784 continue;
785 }
786
787 if (strcmp(name, "true") == 0 || strcmp(name, "on") == 0)
788 soft_token.flags.app_error_fatal = 1;
789 else if (strcmp(name, "false") == 0 || strcmp(name, "off") == 0)
790 soft_token.flags.app_error_fatal = 0;
791 else
792 st_logf("unknown app-fatal: %s\n", name);
793
794 } else {
795 st_logf("unknown type: %s\n", type);
796 }
797 }
798
799 fclose(f);
800
801 return failed;
802 }
803
804 static CK_RV
805 func_not_supported(void)
806 {
807 st_logf("function not supported\n");
808 return CKR_FUNCTION_NOT_SUPPORTED;
809 }
810
811 static char *
812 get_config_file_for_user(void)
813 {
814 char *fn = NULL;
815
816 #ifndef _WIN32
817 char *home = NULL;
818
819 if (!issuid()) {
820 fn = getenv("SOFTPKCS11RC");
821 if (fn)
822 fn = strdup(fn);
823 home = getenv("HOME");
824 }
825 if (fn == NULL && home == NULL) {
826 struct passwd *pw = getpwuid(getuid());
827 if(pw != NULL)
828 home = pw->pw_dir;
829 }
830 if (fn == NULL) {
831 if (home)
832 asprintf(&fn, "%s/.soft-token.rc", home);
833 else
834 fn = strdup("/etc/soft-token.rc");
835 }
836 #else /* Windows */
837
838 char appdatafolder[MAX_PATH];
839
840 fn = getenv("SOFTPKCS11RC");
841
842 /* Retrieve the roaming AppData folder for the current user. The
843 current user is the user account represented by the current
844 thread token. */
845
846 if (fn == NULL &&
847 SUCCEEDED(SHGetFolderPath(NULL, CSIDL_APPDATA, NULL, SHGFP_TYPE_CURRENT, appdatafolder))) {
848
849 asprintf(&fn, "%s\\.soft-token.rc", appdatafolder);
850 }
851
852 #endif /* _WIN32 */
853
854 return fn;
855 }
856
857
858 CK_RV CK_SPEC
859 C_Initialize(CK_VOID_PTR a)
860 {
861 CK_C_INITIALIZE_ARGS_PTR args = a;
862 CK_RV ret;
863 size_t i;
864
865 st_logf("Initialize\n");
866
867 INIT_CONTEXT();
868
869 OpenSSL_add_all_algorithms();
870
871 srandom(getpid() ^ (int) time(NULL));
872
873 for (i = 0; i < MAX_NUM_SESSION; i++) {
874 soft_token.state[i].session_handle = CK_INVALID_HANDLE;
875 soft_token.state[i].find.attributes = NULL;
876 soft_token.state[i].find.num_attributes = 0;
877 soft_token.state[i].find.next_object = -1;
878 reset_crypto_state(&soft_token.state[i]);
879 }
880
881 soft_token.flags.hardware_slot = 1;
882 soft_token.flags.app_error_fatal = 0;
883 soft_token.flags.login_done = 0;
884
885 soft_token.object.objs = NULL;
886 soft_token.object.num_objs = 0;
887
888 soft_token.logfile = NULL;
889 #if 0
890 soft_token.logfile = stdout;
891 #endif
892 #if 0
893 soft_token.logfile = fopen("/tmp/log-pkcs11.txt", "a");
894 #endif
895
896 if (a != NULL_PTR) {
897 st_logf("\tCreateMutex:\t%p\n", args->CreateMutex);
898 st_logf("\tDestroyMutext\t%p\n", args->DestroyMutex);
899 st_logf("\tLockMutext\t%p\n", args->LockMutex);
900 st_logf("\tUnlockMutext\t%p\n", args->UnlockMutex);
901 st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);
902 }
903
904 soft_token.config_file = get_config_file_for_user();
905
906 /*
907 * This operations doesn't return CKR_OK if any of the
908 * certificates failes to be unparsed (ie password protected).
909 */
910 ret = read_conf_file(soft_token.config_file, CKU_USER, NULL);
911 if (ret == CKR_OK)
912 soft_token.flags.login_done = 1;
913
914 return CKR_OK;
915 }
916
917 CK_RV
918 C_Finalize(CK_VOID_PTR args)
919 {
920 size_t i;
921
922 INIT_CONTEXT();
923
924 st_logf("Finalize\n");
925
926 for (i = 0; i < MAX_NUM_SESSION; i++) {
927 if (soft_token.state[i].session_handle != CK_INVALID_HANDLE) {
928 application_error("application finalized without "
929 "closing session\n");
930 close_session(&soft_token.state[i]);
931 }
932 }
933
934 return CKR_OK;
935 }
936
937 CK_RV
938 C_GetInfo(CK_INFO_PTR args)
939 {
940 INIT_CONTEXT();
941
942 st_logf("GetInfo\n");
943
944 memset(args, 17, sizeof(*args));
945 args->cryptokiVersion.major = 2;
946 args->cryptokiVersion.minor = 10;
947 snprintf_fill((char *)args->manufacturerID,
948 sizeof(args->manufacturerID),
949 ' ',
950 "Heimdal hx509 SoftToken");
951 snprintf_fill((char *)args->libraryDescription,
952 sizeof(args->libraryDescription), ' ',
953 "Heimdal hx509 SoftToken");
954 args->libraryVersion.major = 2;
955 args->libraryVersion.minor = 0;
956
957 return CKR_OK;
958 }
959
960 extern CK_FUNCTION_LIST funcs;
961
962 CK_RV
963 C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList)
964 {
965 INIT_CONTEXT();
966
967 *ppFunctionList = &funcs;
968 return CKR_OK;
969 }
970
971 CK_RV
972 C_GetSlotList(CK_BBOOL tokenPresent,
973 CK_SLOT_ID_PTR pSlotList,
974 CK_ULONG_PTR pulCount)
975 {
976 INIT_CONTEXT();
977 st_logf("GetSlotList: %s\n",
978 tokenPresent ? "tokenPresent" : "token not Present");
979 if (pSlotList)
980 pSlotList[0] = 1;
981 *pulCount = 1;
982 return CKR_OK;
983 }
984
985 CK_RV
986 C_GetSlotInfo(CK_SLOT_ID slotID,
987 CK_SLOT_INFO_PTR pInfo)
988 {
989 INIT_CONTEXT();
990 st_logf("GetSlotInfo: slot: %d : %s\n", (int)slotID, has_session());
991
992 memset(pInfo, 18, sizeof(*pInfo));
993
994 if (slotID != 1)
995 return CKR_ARGUMENTS_BAD;
996
997 snprintf_fill((char *)pInfo->slotDescription,
998 sizeof(pInfo->slotDescription),
999 ' ',
1000 "Heimdal hx509 SoftToken (slot)");
1001 snprintf_fill((char *)pInfo->manufacturerID,
1002 sizeof(pInfo->manufacturerID),
1003 ' ',
1004 "Heimdal hx509 SoftToken (slot)");
1005 pInfo->flags = CKF_TOKEN_PRESENT;
1006 if (soft_token.flags.hardware_slot)
1007 pInfo->flags |= CKF_HW_SLOT;
1008 pInfo->hardwareVersion.major = 1;
1009 pInfo->hardwareVersion.minor = 0;
1010 pInfo->firmwareVersion.major = 1;
1011 pInfo->firmwareVersion.minor = 0;
1012
1013 return CKR_OK;
1014 }
1015
1016 CK_RV
1017 C_GetTokenInfo(CK_SLOT_ID slotID,
1018 CK_TOKEN_INFO_PTR pInfo)
1019 {
1020 INIT_CONTEXT();
1021 st_logf("GetTokenInfo: %s\n", has_session());
1022
1023 memset(pInfo, 19, sizeof(*pInfo));
1024
1025 snprintf_fill((char *)pInfo->label,
1026 sizeof(pInfo->label),
1027 ' ',
1028 "Heimdal hx509 SoftToken (token)");
1029 snprintf_fill((char *)pInfo->manufacturerID,
1030 sizeof(pInfo->manufacturerID),
1031 ' ',
1032 "Heimdal hx509 SoftToken (token)");
1033 snprintf_fill((char *)pInfo->model,
1034 sizeof(pInfo->model),
1035 ' ',
1036 "Heimdal hx509 SoftToken (token)");
1037 snprintf_fill((char *)pInfo->serialNumber,
1038 sizeof(pInfo->serialNumber),
1039 ' ',
1040 "4711");
1041 pInfo->flags =
1042 CKF_TOKEN_INITIALIZED |
1043 CKF_USER_PIN_INITIALIZED;
1044
1045 if (soft_token.flags.login_done == 0)
1046 pInfo->flags |= CKF_LOGIN_REQUIRED;
1047
1048 /* CFK_RNG |
1049 CKF_RESTORE_KEY_NOT_NEEDED |
1050 */
1051 pInfo->ulMaxSessionCount = MAX_NUM_SESSION;
1052 pInfo->ulSessionCount = soft_token.open_sessions;
1053 pInfo->ulMaxRwSessionCount = MAX_NUM_SESSION;
1054 pInfo->ulRwSessionCount = soft_token.open_sessions;
1055 pInfo->ulMaxPinLen = 1024;
1056 pInfo->ulMinPinLen = 0;
1057 pInfo->ulTotalPublicMemory = 4711;
1058 pInfo->ulFreePublicMemory = 4712;
1059 pInfo->ulTotalPrivateMemory = 4713;
1060 pInfo->ulFreePrivateMemory = 4714;
1061 pInfo->hardwareVersion.major = 2;
1062 pInfo->hardwareVersion.minor = 0;
1063 pInfo->firmwareVersion.major = 2;
1064 pInfo->firmwareVersion.minor = 0;
1065
1066 return CKR_OK;
1067 }
1068
1069 CK_RV
1070 C_GetMechanismList(CK_SLOT_ID slotID,
1071 CK_MECHANISM_TYPE_PTR pMechanismList,
1072 CK_ULONG_PTR pulCount)
1073 {
1074 INIT_CONTEXT();
1075 st_logf("GetMechanismList\n");
1076
1077 *pulCount = 1;
1078 if (pMechanismList == NULL_PTR)
1079 return CKR_OK;
1080 pMechanismList[1] = CKM_RSA_PKCS;
1081
1082 return CKR_OK;
1083 }
1084
1085 CK_RV
1086 C_GetMechanismInfo(CK_SLOT_ID slotID,
1087 CK_MECHANISM_TYPE type,
1088 CK_MECHANISM_INFO_PTR pInfo)
1089 {
1090 INIT_CONTEXT();
1091 st_logf("GetMechanismInfo: slot %d type: %d\n",
1092 (int)slotID, (int)type);
1093 memset(pInfo, 0, sizeof(*pInfo));
1094
1095 return CKR_OK;
1096 }
1097
1098 CK_RV
1099 C_InitToken(CK_SLOT_ID slotID,
1100 CK_UTF8CHAR_PTR pPin,
1101 CK_ULONG ulPinLen,
1102 CK_UTF8CHAR_PTR pLabel)
1103 {
1104 INIT_CONTEXT();
1105 st_logf("InitToken: slot %d\n", (int)slotID);
1106 return CKR_FUNCTION_NOT_SUPPORTED;
1107 }
1108
1109 CK_RV
1110 C_OpenSession(CK_SLOT_ID slotID,
1111 CK_FLAGS flags,
1112 CK_VOID_PTR pApplication,
1113 CK_NOTIFY Notify,
1114 CK_SESSION_HANDLE_PTR phSession)
1115 {
1116 size_t i;
1117 INIT_CONTEXT();
1118 st_logf("OpenSession: slot: %d\n", (int)slotID);
1119
1120 if (soft_token.open_sessions == MAX_NUM_SESSION)
1121 return CKR_SESSION_COUNT;
1122
1123 soft_token.application = pApplication;
1124 soft_token.notify = Notify;
1125
1126 for (i = 0; i < MAX_NUM_SESSION; i++)
1127 if (soft_token.state[i].session_handle == CK_INVALID_HANDLE)
1128 break;
1129 if (i == MAX_NUM_SESSION)
1130 abort();
1131
1132 soft_token.open_sessions++;
1133
1134 soft_token.state[i].session_handle =
1135 (CK_SESSION_HANDLE)(random() & 0xfffff);
1136 *phSession = soft_token.state[i].session_handle;
1137
1138 return CKR_OK;
1139 }
1140
1141 CK_RV
1142 C_CloseSession(CK_SESSION_HANDLE hSession)
1143 {
1144 struct session_state *state;
1145 INIT_CONTEXT();
1146 st_logf("CloseSession\n");
1147
1148 if (verify_session_handle(hSession, &state) != CKR_OK)
1149 application_error("closed session not open");
1150 else
1151 close_session(state);
1152
1153 return CKR_OK;
1154 }
1155
1156 CK_RV
1157 C_CloseAllSessions(CK_SLOT_ID slotID)
1158 {
1159 size_t i;
1160 INIT_CONTEXT();
1161
1162 st_logf("CloseAllSessions\n");
1163
1164 for (i = 0; i < MAX_NUM_SESSION; i++)
1165 if (soft_token.state[i].session_handle != CK_INVALID_HANDLE)
1166 close_session(&soft_token.state[i]);
1167
1168 return CKR_OK;
1169 }
1170
1171 CK_RV
1172 C_GetSessionInfo(CK_SESSION_HANDLE hSession,
1173 CK_SESSION_INFO_PTR pInfo)
1174 {
1175 st_logf("GetSessionInfo\n");
1176 INIT_CONTEXT();
1177
1178 VERIFY_SESSION_HANDLE(hSession, NULL);
1179
1180 memset(pInfo, 20, sizeof(*pInfo));
1181
1182 pInfo->slotID = 1;
1183 if (soft_token.flags.login_done)
1184 pInfo->state = CKS_RO_USER_FUNCTIONS;
1185 else
1186 pInfo->state = CKS_RO_PUBLIC_SESSION;
1187 pInfo->flags = CKF_SERIAL_SESSION;
1188 pInfo->ulDeviceError = 0;
1189
1190 return CKR_OK;
1191 }
1192
1193 CK_RV
1194 C_Login(CK_SESSION_HANDLE hSession,
1195 CK_USER_TYPE userType,
1196 CK_UTF8CHAR_PTR pPin,
1197 CK_ULONG ulPinLen)
1198 {
1199 char *pin = NULL;
1200 CK_RV ret;
1201 INIT_CONTEXT();
1202
1203 st_logf("Login\n");
1204
1205 VERIFY_SESSION_HANDLE(hSession, NULL);
1206
1207 if (pPin != NULL_PTR) {
1208 asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
1209 st_logf("type: %d password: %s\n", (int)userType, pin);
1210 }
1211
1212 /*
1213 * Login
1214 */
1215
1216 ret = read_conf_file(soft_token.config_file, userType, pin);
1217 if (ret == CKR_OK)
1218 soft_token.flags.login_done = 1;
1219
1220 free(pin);
1221
1222 return soft_token.flags.login_done ? CKR_OK : CKR_PIN_INCORRECT;
1223 }
1224
1225 CK_RV
1226 C_Logout(CK_SESSION_HANDLE hSession)
1227 {
1228 st_logf("Logout\n");
1229 INIT_CONTEXT();
1230
1231 VERIFY_SESSION_HANDLE(hSession, NULL);
1232 return CKR_FUNCTION_NOT_SUPPORTED;
1233 }
1234
1235 CK_RV
1236 C_GetObjectSize(CK_SESSION_HANDLE hSession,
1237 CK_OBJECT_HANDLE hObject,
1238 CK_ULONG_PTR pulSize)
1239 {
1240 st_logf("GetObjectSize\n");
1241 INIT_CONTEXT();
1242
1243 VERIFY_SESSION_HANDLE(hSession, NULL);
1244 return CKR_FUNCTION_NOT_SUPPORTED;
1245 }
1246
1247 CK_RV
1248 C_GetAttributeValue(CK_SESSION_HANDLE hSession,
1249 CK_OBJECT_HANDLE hObject,
1250 CK_ATTRIBUTE_PTR pTemplate,
1251 CK_ULONG ulCount)
1252 {
1253 struct session_state *state;
1254 struct st_object *obj;
1255 CK_ULONG i;
1256 CK_RV ret;
1257 int j;
1258
1259 INIT_CONTEXT();
1260
1261 st_logf("GetAttributeValue: %lx\n",
1262 (unsigned long)HANDLE_OBJECT_ID(hObject));
1263 VERIFY_SESSION_HANDLE(hSession, &state);
1264
1265 if ((ret = object_handle_to_object(hObject, &obj)) != CKR_OK) {
1266 st_logf("object not found: %lx\n",
1267 (unsigned long)HANDLE_OBJECT_ID(hObject));
1268 return ret;
1269 }
1270
1271 for (i = 0; i < ulCount; i++) {
1272 st_logf(" getting 0x%08lx\n", (unsigned long)pTemplate[i].type);
1273 for (j = 0; j < obj->num_attributes; j++) {
1274 if (obj->attrs[j].secret) {
1275 pTemplate[i].ulValueLen = (CK_ULONG)-1;
1276 break;
1277 }
1278 if (pTemplate[i].type == obj->attrs[j].attribute.type) {
1279 if (pTemplate[i].pValue != NULL_PTR && obj->attrs[j].secret == 0) {
1280 if (pTemplate[i].ulValueLen >= obj->attrs[j].attribute.ulValueLen)
1281 memcpy(pTemplate[i].pValue, obj->attrs[j].attribute.pValue,
1282 obj->attrs[j].attribute.ulValueLen);
1283 }
1284 pTemplate[i].ulValueLen = obj->attrs[j].attribute.ulValueLen;
1285 break;
1286 }
1287 }
1288 if (j == obj->num_attributes) {
1289 st_logf("key type: 0x%08lx not found\n", (unsigned long)pTemplate[i].type);
1290 pTemplate[i].ulValueLen = (CK_ULONG)-1;
1291 }
1292
1293 }
1294 return CKR_OK;
1295 }
1296
1297 CK_RV
1298 C_FindObjectsInit(CK_SESSION_HANDLE hSession,
1299 CK_ATTRIBUTE_PTR pTemplate,
1300 CK_ULONG ulCount)
1301 {
1302 struct session_state *state;
1303
1304 st_logf("FindObjectsInit\n");
1305
1306 INIT_CONTEXT();
1307
1308 VERIFY_SESSION_HANDLE(hSession, &state);
1309
1310 if (state->find.next_object != -1) {
1311 application_error("application didn't do C_FindObjectsFinal\n");
1312 find_object_final(state);
1313 }
1314 if (ulCount) {
1315 CK_ULONG i;
1316
1317 print_attributes(pTemplate, ulCount);
1318
1319 state->find.attributes =
1320 calloc(1, ulCount * sizeof(state->find.attributes[0]));
1321 if (state->find.attributes == NULL)
1322 return CKR_DEVICE_MEMORY;
1323 for (i = 0; i < ulCount; i++) {
1324 state->find.attributes[i].pValue =
1325 malloc(pTemplate[i].ulValueLen);
1326 if (state->find.attributes[i].pValue == NULL) {
1327 find_object_final(state);
1328 return CKR_DEVICE_MEMORY;
1329 }
1330 memcpy(state->find.attributes[i].pValue,
1331 pTemplate[i].pValue, pTemplate[i].ulValueLen);
1332 state->find.attributes[i].type = pTemplate[i].type;
1333 state->find.attributes[i].ulValueLen = pTemplate[i].ulValueLen;
1334 }
1335 state->find.num_attributes = ulCount;
1336 state->find.next_object = 0;
1337 } else {
1338 st_logf("find all objects\n");
1339 state->find.attributes = NULL;
1340 state->find.num_attributes = 0;
1341 state->find.next_object = 0;
1342 }
1343
1344 return CKR_OK;
1345 }
1346
1347 CK_RV
1348 C_FindObjects(CK_SESSION_HANDLE hSession,
1349 CK_OBJECT_HANDLE_PTR phObject,
1350 CK_ULONG ulMaxObjectCount,
1351 CK_ULONG_PTR pulObjectCount)
1352 {
1353 struct session_state *state;
1354 int i;
1355
1356 INIT_CONTEXT();
1357
1358 st_logf("FindObjects\n");
1359
1360 VERIFY_SESSION_HANDLE(hSession, &state);
1361
1362 if (state->find.next_object == -1) {
1363 application_error("application didn't do C_FindObjectsInit\n");
1364 return CKR_ARGUMENTS_BAD;
1365 }
1366 if (ulMaxObjectCount == 0) {
1367 application_error("application asked for 0 objects\n");
1368 return CKR_ARGUMENTS_BAD;
1369 }
1370 *pulObjectCount = 0;
1371 for (i = state->find.next_object; i < soft_token.object.num_objs; i++) {
1372 st_logf("FindObjects: %d\n", i);
1373 state->find.next_object = i + 1;
1374 if (attributes_match(soft_token.object.objs[i],
1375 state->find.attributes,
1376 state->find.num_attributes)) {
1377 *phObject++ = soft_token.object.objs[i]->object_handle;
1378 ulMaxObjectCount--;
1379 (*pulObjectCount)++;
1380 if (ulMaxObjectCount == 0)
1381 break;
1382 }
1383 }
1384 return CKR_OK;
1385 }
1386
1387 CK_RV
1388 C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
1389 {
1390 struct session_state *state;
1391
1392 INIT_CONTEXT();
1393
1394 st_logf("FindObjectsFinal\n");
1395 VERIFY_SESSION_HANDLE(hSession, &state);
1396 find_object_final(state);
1397 return CKR_OK;
1398 }
1399
1400 static CK_RV
1401 commonInit(CK_ATTRIBUTE *attr_match, int attr_match_len,
1402 const CK_MECHANISM_TYPE *mechs, int mechs_len,
1403 const CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey,
1404 struct st_object **o)
1405 {
1406 CK_RV ret;
1407 int i;
1408
1409 *o = NULL;
1410 if ((ret = object_handle_to_object(hKey, o)) != CKR_OK)
1411 return ret;
1412
1413 ret = attributes_match(*o, attr_match, attr_match_len);
1414 if (!ret) {
1415 application_error("called commonInit on key that doesn't "
1416 "support required attr");
1417 return CKR_ARGUMENTS_BAD;
1418 }
1419
1420 for (i = 0; i < mechs_len; i++)
1421 if (mechs[i] == pMechanism->mechanism)
1422 break;
1423 if (i == mechs_len) {
1424 application_error("called mech (%08lx) not supported\n",
1425 pMechanism->mechanism);
1426 return CKR_ARGUMENTS_BAD;
1427 }
1428 return CKR_OK;
1429 }
1430
1431
1432 static CK_RV
1433 dup_mechanism(CK_MECHANISM_PTR *dp, const CK_MECHANISM_PTR pMechanism)
1434 {
1435 CK_MECHANISM_PTR p;
1436
1437 p = malloc(sizeof(*p));
1438 if (p == NULL)
1439 return CKR_DEVICE_MEMORY;
1440
1441 if (*dp)
1442 free(*dp);
1443 *dp = p;
1444 memcpy(p, pMechanism, sizeof(*p));
1445
1446 return CKR_OK;
1447 }
1448
1449 CK_RV
1450 C_DigestInit(CK_SESSION_HANDLE hSession,
1451 CK_MECHANISM_PTR pMechanism)
1452 {
1453 st_logf("DigestInit\n");
1454 INIT_CONTEXT();
1455 VERIFY_SESSION_HANDLE(hSession, NULL);
1456 return CKR_FUNCTION_NOT_SUPPORTED;
1457 }
1458
1459 CK_RV
1460 C_SignInit(CK_SESSION_HANDLE hSession,
1461 CK_MECHANISM_PTR pMechanism,
1462 CK_OBJECT_HANDLE hKey)
1463 {
1464 struct session_state *state;
1465 CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS };
1466 CK_BBOOL bool_true = CK_TRUE;
1467 CK_ATTRIBUTE attr[] = {
1468 { CKA_SIGN, &bool_true, sizeof(bool_true) }
1469 };
1470 struct st_object *o;
1471 CK_RV ret;
1472
1473 INIT_CONTEXT();
1474 st_logf("SignInit\n");
1475 VERIFY_SESSION_HANDLE(hSession, &state);
1476
1477 ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]),
1478 mechs, sizeof(mechs)/sizeof(mechs[0]),
1479 pMechanism, hKey, &o);
1480 if (ret)
1481 return ret;
1482
1483 ret = dup_mechanism(&state->sign_mechanism, pMechanism);
1484 if (ret == CKR_OK)
1485 state->sign_object = OBJECT_ID(o);
1486
1487 return CKR_OK;
1488 }
1489
1490 CK_RV
1491 C_Sign(CK_SESSION_HANDLE hSession,
1492 CK_BYTE_PTR pData,
1493 CK_ULONG ulDataLen,
1494 CK_BYTE_PTR pSignature,
1495 CK_ULONG_PTR pulSignatureLen)
1496 {
1497 struct session_state *state;
1498 struct st_object *o;
1499 CK_RV ret;
1500 int hret;
1501 const AlgorithmIdentifier *alg;
1502 heim_octet_string sig, data;
1503
1504 INIT_CONTEXT();
1505 st_logf("Sign\n");
1506 VERIFY_SESSION_HANDLE(hSession, &state);
1507
1508 sig.data = NULL;
1509 sig.length = 0;
1510
1511 if (state->sign_object == -1)
1512 return CKR_ARGUMENTS_BAD;
1513
1514 if (pulSignatureLen == NULL) {
1515 st_logf("signature len NULL\n");
1516 ret = CKR_ARGUMENTS_BAD;
1517 goto out;
1518 }
1519
1520 if (pData == NULL_PTR) {
1521 st_logf("data NULL\n");
1522 ret = CKR_ARGUMENTS_BAD;
1523 goto out;
1524 }
1525
1526 o = soft_token.object.objs[state->sign_object];
1527
1528 if (hx509_cert_have_private_key(o->cert) == 0) {
1529 st_logf("private key NULL\n");
1530 return CKR_ARGUMENTS_BAD;
1531 }
1532
1533 switch(state->sign_mechanism->mechanism) {
1534 case CKM_RSA_PKCS:
1535 alg = hx509_signature_rsa_pkcs1_x509();
1536 break;
1537 default:
1538 ret = CKR_FUNCTION_NOT_SUPPORTED;
1539 goto out;
1540 }
1541
1542 data.data = pData;
1543 data.length = ulDataLen;
1544
1545 hret = _hx509_create_signature(context,
1546 _hx509_cert_private_key(o->cert),
1547 alg,
1548 &data,
1549 NULL,
1550 &sig);
1551 if (hret) {
1552 ret = CKR_DEVICE_ERROR;
1553 goto out;
1554 }
1555 *pulSignatureLen = sig.length;
1556
1557 if (pSignature != NULL_PTR)
1558 memcpy(pSignature, sig.data, sig.length);
1559
1560 ret = CKR_OK;
1561 out:
1562 if (sig.data) {
1563 memset(sig.data, 0, sig.length);
1564 der_free_octet_string(&sig);
1565 }
1566 return ret;
1567 }
1568
1569 CK_RV
1570 C_SignUpdate(CK_SESSION_HANDLE hSession,
1571 CK_BYTE_PTR pPart,
1572 CK_ULONG ulPartLen)
1573 {
1574 INIT_CONTEXT();
1575 st_logf("SignUpdate\n");
1576 VERIFY_SESSION_HANDLE(hSession, NULL);
1577 return CKR_FUNCTION_NOT_SUPPORTED;
1578 }
1579
1580
1581 CK_RV
1582 C_SignFinal(CK_SESSION_HANDLE hSession,
1583 CK_BYTE_PTR pSignature,
1584 CK_ULONG_PTR pulSignatureLen)
1585 {
1586 INIT_CONTEXT();
1587 st_logf("SignUpdate\n");
1588 VERIFY_SESSION_HANDLE(hSession, NULL);
1589 return CKR_FUNCTION_NOT_SUPPORTED;
1590 }
1591
1592 CK_RV
1593 C_VerifyInit(CK_SESSION_HANDLE hSession,
1594 CK_MECHANISM_PTR pMechanism,
1595 CK_OBJECT_HANDLE hKey)
1596 {
1597 struct session_state *state;
1598 CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS };
1599 CK_BBOOL bool_true = CK_TRUE;
1600 CK_ATTRIBUTE attr[] = {
1601 { CKA_VERIFY, &bool_true, sizeof(bool_true) }
1602 };
1603 struct st_object *o;
1604 CK_RV ret;
1605
1606 INIT_CONTEXT();
1607 st_logf("VerifyInit\n");
1608 VERIFY_SESSION_HANDLE(hSession, &state);
1609
1610 ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]),
1611 mechs, sizeof(mechs)/sizeof(mechs[0]),
1612 pMechanism, hKey, &o);
1613 if (ret)
1614 return ret;
1615
1616 ret = dup_mechanism(&state->verify_mechanism, pMechanism);
1617 if (ret == CKR_OK)
1618 state->verify_object = OBJECT_ID(o);
1619
1620 return ret;
1621 }
1622
1623 CK_RV
1624 C_Verify(CK_SESSION_HANDLE hSession,
1625 CK_BYTE_PTR pData,
1626 CK_ULONG ulDataLen,
1627 CK_BYTE_PTR pSignature,
1628 CK_ULONG ulSignatureLen)
1629 {
1630 struct session_state *state;
1631 struct st_object *o;
1632 const AlgorithmIdentifier *alg;
1633 CK_RV ret;
1634 int hret;
1635 heim_octet_string data, sig;
1636
1637 INIT_CONTEXT();
1638 st_logf("Verify\n");
1639 VERIFY_SESSION_HANDLE(hSession, &state);
1640
1641 if (state->verify_object == -1)
1642 return CKR_ARGUMENTS_BAD;
1643
1644 o = soft_token.object.objs[state->verify_object];
1645
1646 switch(state->verify_mechanism->mechanism) {
1647 case CKM_RSA_PKCS:
1648 alg = hx509_signature_rsa_pkcs1_x509();
1649 break;
1650 default:
1651 ret = CKR_FUNCTION_NOT_SUPPORTED;
1652 goto out;
1653 }
1654
1655 sig.data = pData;
1656 sig.length = ulDataLen;
1657 data.data = pSignature;
1658 data.length = ulSignatureLen;
1659
1660 hret = _hx509_verify_signature(context,
1661 o->cert,
1662 alg,
1663 &data,
1664 &sig);
1665 if (hret) {
1666 ret = CKR_GENERAL_ERROR;
1667 goto out;
1668 }
1669 ret = CKR_OK;
1670
1671 out:
1672 return ret;
1673 }
1674
1675
1676 CK_RV
1677 C_VerifyUpdate(CK_SESSION_HANDLE hSession,
1678 CK_BYTE_PTR pPart,
1679 CK_ULONG ulPartLen)
1680 {
1681 INIT_CONTEXT();
1682 st_logf("VerifyUpdate\n");
1683 VERIFY_SESSION_HANDLE(hSession, NULL);
1684 return CKR_FUNCTION_NOT_SUPPORTED;
1685 }
1686
1687 CK_RV
1688 C_VerifyFinal(CK_SESSION_HANDLE hSession,
1689 CK_BYTE_PTR pSignature,
1690 CK_ULONG ulSignatureLen)
1691 {
1692 INIT_CONTEXT();
1693 st_logf("VerifyFinal\n");
1694 VERIFY_SESSION_HANDLE(hSession, NULL);
1695 return CKR_FUNCTION_NOT_SUPPORTED;
1696 }
1697
1698 CK_RV
1699 C_GenerateRandom(CK_SESSION_HANDLE hSession,
1700 CK_BYTE_PTR RandomData,
1701 CK_ULONG ulRandomLen)
1702 {
1703 INIT_CONTEXT();
1704 st_logf("GenerateRandom\n");
1705 VERIFY_SESSION_HANDLE(hSession, NULL);
1706 return CKR_FUNCTION_NOT_SUPPORTED;
1707 }
1708
1709
1710 CK_FUNCTION_LIST funcs = {
1711 { 2, 11 },
1712 C_Initialize,
1713 C_Finalize,
1714 C_GetInfo,
1715 C_GetFunctionList,
1716 C_GetSlotList,
1717 C_GetSlotInfo,
1718 C_GetTokenInfo,
1719 C_GetMechanismList,
1720 C_GetMechanismInfo,
1721 C_InitToken,
1722 (void *)func_not_supported, /* C_InitPIN */
1723 (void *)func_not_supported, /* C_SetPIN */
1724 C_OpenSession,
1725 C_CloseSession,
1726 C_CloseAllSessions,
1727 C_GetSessionInfo,
1728 (void *)func_not_supported, /* C_GetOperationState */
1729 (void *)func_not_supported, /* C_SetOperationState */
1730 C_Login,
1731 C_Logout,
1732 (void *)func_not_supported, /* C_CreateObject */
1733 (void *)func_not_supported, /* C_CopyObject */
1734 (void *)func_not_supported, /* C_DestroyObject */
1735 (void *)func_not_supported, /* C_GetObjectSize */
1736 C_GetAttributeValue,
1737 (void *)func_not_supported, /* C_SetAttributeValue */
1738 C_FindObjectsInit,
1739 C_FindObjects,
1740 C_FindObjectsFinal,
1741 (void *)func_not_supported, /* C_EncryptInit, */
1742 (void *)func_not_supported, /* C_Encrypt, */
1743 (void *)func_not_supported, /* C_EncryptUpdate, */
1744 (void *)func_not_supported, /* C_EncryptFinal, */
1745 (void *)func_not_supported, /* C_DecryptInit, */
1746 (void *)func_not_supported, /* C_Decrypt, */
1747 (void *)func_not_supported, /* C_DecryptUpdate, */
1748 (void *)func_not_supported, /* C_DecryptFinal, */
1749 C_DigestInit,
1750 (void *)func_not_supported, /* C_Digest */
1751 (void *)func_not_supported, /* C_DigestUpdate */
1752 (void *)func_not_supported, /* C_DigestKey */
1753 (void *)func_not_supported, /* C_DigestFinal */
1754 C_SignInit,
1755 C_Sign,
1756 C_SignUpdate,
1757 C_SignFinal,
1758 (void *)func_not_supported, /* C_SignRecoverInit */
1759 (void *)func_not_supported, /* C_SignRecover */
1760 C_VerifyInit,
1761 C_Verify,
1762 C_VerifyUpdate,
1763 C_VerifyFinal,
1764 (void *)func_not_supported, /* C_VerifyRecoverInit */
1765 (void *)func_not_supported, /* C_VerifyRecover */
1766 (void *)func_not_supported, /* C_DigestEncryptUpdate */
1767 (void *)func_not_supported, /* C_DecryptDigestUpdate */
1768 (void *)func_not_supported, /* C_SignEncryptUpdate */
1769 (void *)func_not_supported, /* C_DecryptVerifyUpdate */
1770 (void *)func_not_supported, /* C_GenerateKey */
1771 (void *)func_not_supported, /* C_GenerateKeyPair */
1772 (void *)func_not_supported, /* C_WrapKey */
1773 (void *)func_not_supported, /* C_UnwrapKey */
1774 (void *)func_not_supported, /* C_DeriveKey */
1775 (void *)func_not_supported, /* C_SeedRandom */
1776 C_GenerateRandom,
1777 (void *)func_not_supported, /* C_GetFunctionStatus */
1778 (void *)func_not_supported, /* C_CancelFunction */
1779 (void *)func_not_supported /* C_WaitForSlotEvent */
1780 };
Heimdal