1 /* -*- mode: c; c-file-style:"stroustrup"; -*- */ 2 3 /* 4 * Copyright (c) 2018 Mastercard 5 * 6 * Licensed under the Apache License, Version 2.0 (the "License"); 7 * you may not use this file except in compliance with the License. 8 * You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, software 13 * distributed under the License is distributed on an "AS IS" BASIS, 14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 * See the License for the specific language governing permissions and 16 * limitations under the License. 17 */ 18 19 #ifndef __PKCS11LIB_H__ 20 #define __PKCS11LIB_H__ 21 22 #include "config.h" 23 24 #include <stddef.h> /* needed for size_t */ 25 #include <stdio.h> /* needed for FILE */ 26 #include <stdbool.h> /* needed for bool type */ 27 #include <openssl/bio.h> /* needed for BIO */ 28 29 /* add support for dmalloc */ 30 #ifdef DEBUG_DMALLOC 31 # include <dmalloc.h> 32 #endif 33 34 35 #include "cryptoki.h" 36 37 /* grammar version, for wrapped keys */ 38 #define SUPPORTED_GRAMMAR_VERSION "2.2" 39 #define TOOLKIT_VERSION_SUPPORTING_GRAMMAR "2.5.0" 40 41 /* Program Error Codes */ 42 #define RC_OK 0x00 43 #define RC_DLOPEN_ERROR 0x01 44 #define RC_DLSYM_ERROR 0x02 45 #define RC_DLFUNC_ERROR 0x03 46 #define RC_ERROR_MEMORY 0x04 47 #define RC_ERROR_LIBRARY 0x05 48 #define RC_ERROR_GETOPT 0x06 49 #define RC_ERROR_READ_INPUT 0x07 50 #define RC_ERROR_USAGE 0x08 51 #define RC_ERROR_INVALID_HANDLE 0x09 52 #define RC_ERROR_OBJECT_EXISTS 0x0a 53 #define RC_ERROR_PKCS11_API 0x0b 54 #define RC_ERROR_KEYGEN_FAILED 0x0c 55 #define RC_ERROR_OBJECT_NOT_FOUND 0x0d 56 57 typedef enum e_func_rc { 58 rc_ok, 59 rc_dlopen_error, 60 rc_dlsym_error, 61 rc_dlfunc_error, 62 rc_error_memory, 63 rc_error_invalid_slot_or_token, 64 rc_error_library, 65 rc_error_getopt, 66 rc_error_read_input, 67 rc_error_usage, 68 rc_error_prompt, 69 rc_error_invalid_handle, 70 rc_error_object_exists, 71 rc_error_pkcs11_api, 72 rc_error_object_not_found, 73 rc_error_keygen_failed, 74 rc_error_invalid_label, 75 rc_error_wrapping_key_too_short, 76 rc_error_openssl_api, 77 rc_error_regex_compile, 78 rc_error_regex_nomatch, 79 rc_error_unknown_wrapping_alg, 80 rc_error_not_yet_implemented, 81 rc_error_invalid_parameter_for_method, 82 rc_error_invalid_argument, 83 rc_error_unsupported, 84 rc_error_parsing, /* issue when parsing a file */ 85 rc_error_oops, /* "assertion" like error. */ 86 rc_error_wrong_key_type, /* if the key type wanted doesn't match */ 87 rc_error_wrong_object_class, 88 rc_warning_not_entirely_completed, /* when a command has only partially succeeded */ 89 rc_error_other_error, 90 rc_error_insecure, 91 rc_error_dsa_missing_public_key, 92 rc_error_ec_or_ed_missing_public_key, 93 rc_error_lexer, 94 } func_rc; 95 96 #define AES_WRAP_MECH_SIZE_MAX 8 /* for both rfc3394 and rfc5496, remember the compatible */ 97 /* mechanisms. We don't anticipate that list to be large */ 98 99 typedef struct s_p11_ctx { 100 char *library; 101 char *nssinitparams; /* NSS configDir */ 102 void *libhandle; /* library handle pointer */ 103 CK_FUNCTION_LIST FunctionList; 104 CK_SLOT_ID slot; 105 int slotindex; 106 CK_SESSION_HANDLE Session; 107 CK_BBOOL initialized; 108 CK_BBOOL logged_in; 109 110 /* in support to rfc3394: */ 111 /* the following table will contain a list of AES wrapping mechanisms */ 112 /* supported by the selected token. On PKCS#11 v2.40, the standard is */ 113 /* called CKM_AES_KEY_WRAP, but many vendors have their own vendor- */ 114 /* specific implementation. These will be tried. */ 115 CK_MECHANISM_TYPE rfc3394_mech[AES_WRAP_MECH_SIZE_MAX]; 116 size_t rfc3394_mech_size; 117 /* in support to rfc5649: */ 118 /* the following table will contain a list of AES wrapping mechanisms */ 119 /* supported by the selected token. On PKCS#11 v2.40, the standard is */ 120 /* called CKM_AES_KEY_WRAP_PAD, but many vendors have their own */ 121 /* vendor-specific implementation. */ 122 CK_MECHANISM_TYPE rfc5649_mech[AES_WRAP_MECH_SIZE_MAX]; 123 size_t rfc5649_mech_size; 124 } pkcs11Context; 125 126 typedef struct CK_NSS_C_INITIALIZE_ARGS { 127 CK_CREATEMUTEX CreateMutex; 128 CK_DESTROYMUTEX DestroyMutex; 129 CK_LOCKMUTEX LockMutex; 130 CK_UNLOCKMUTEX UnlockMutex; 131 CK_FLAGS flags; 132 CK_CHAR_PTR *LibraryParameters; 133 CK_VOID_PTR pReserved; 134 } CK_NSS_C_INITIALIZE_ARGS; 135 136 /* pkcs11_idtemplate */ 137 #define IDTMPL_RESOURCE_POS 0 138 #define IDTMPL_OBJECT_CLASS_POS 1 139 140 141 typedef struct s_p11_idtmpl { 142 CK_ATTRIBUTE template[2]; 143 CK_ULONG template_len; 144 CK_OBJECT_CLASS oclass; 145 CK_BBOOL has_resource; /* resource is one of CKA_ID, CKA_LABEL, CKA_SERIAL_NUMBER */ 146 CK_BBOOL has_class; 147 } pkcs11IdTemplate; 148 149 /* pkcs11_search */ 150 typedef struct s_p11_srch { 151 pkcs11Context *p11Context; 152 CK_C_FindObjectsInit FindObjectsInit; 153 CK_C_FindObjects FindObjects; 154 CK_C_FindObjectsFinal FindObjectsFinal; 155 156 CK_OBJECT_HANDLE *handle_array; 157 CK_ULONG allocated; 158 CK_ULONG count; 159 CK_ULONG index; 160 161 } pkcs11Search; 162 163 /* pkcs11_keycomp */ 164 165 typedef void * KeyImportCtx; 166 167 typedef struct s_p11_attrlist { 168 pkcs11Context *p11Context; 169 CK_C_GetAttributeValue GetAttributeValue; 170 CK_C_SetAttributeValue SetAttributeValue; 171 172 CK_ATTRIBUTE *attr_array; 173 CK_ULONG allocated; 174 bool cast; /* this flag is to know how was the object created */ 175 bool has_template; /* this flag to remember if we have template attributes */ 176 } pkcs11AttrList; 177 178 179 /* supported key types */ 180 typedef enum { 181 unknown, 182 aes, 183 des, 184 des2, /* des3 double length */ 185 des3, /* des3 triple length */ 186 rsa, 187 ec, /* Regular EC */ 188 ed, /* Edwards EC */ 189 dsa, 190 dh, 191 generic, 192 #if defined(HAVE_NCIPHER) 193 hmacsha1, 194 hmacsha224, 195 hmacsha256, 196 hmacsha384, 197 hmacsha512 198 #endif 199 } key_type_t; 200 201 /* supported wrapping methods */ 202 enum wrappingmethod { w_unknown, /* unidentified alg */ 203 w_pkcs1_15, /* PKCS#1 v1.5, uses an RSA key for un/wrapping */ 204 w_pkcs1_oaep, /* PKCS#1 OAEP, uses an RSA key for un/wrapping */ 205 w_cbcpad, /* wraps private key (PKCS#8), padding according to PKCS#7, then symmetric key in CBC mode */ 206 w_rfc3394, /* wraps keys according to RFC3394 */ 207 w_rfc5649, /* wraps keys according to RFC5649 */ 208 w_envelope, /* envelope wrapping ( Private Key -> Symmetric Key -> Any Key) */ 209 }; 210 211 /* supported hashing algorithms */ 212 typedef enum { 213 sha1, 214 sha224, 215 sha256, 216 sha384, 217 sha512 218 } hash_alg_t ; 219 220 221 /* attribCtx contains a context that can hold parameters parsed from command line 222 that contains attributes. 223 It currently supports these grammars: 224 - CKA_DERIVE=true CKA_LABEL="label" CKA_UNWRAP_TEMPLATE={ CKA_EXTRACTABLE=false ... } 225 - the attributes can be shortened by removing the "CKA_" prefix 226 - boolean attributes can be true/false, CK_TRUE/CK_FALSE, yes/no, on/off 227 - boolean attributes without a value are set to CK_TRUE 228 - boolean attributes prefixed with "no" are set to CK_FALSE 229 - other attributes follow the same value syntax as for wrappedKeyCtx 230 */ 231 232 typedef struct s_p11_attribctx { 233 size_t current_idx; /* the current index */ 234 size_t mainlist_idx; /* the index of the main list */ 235 size_t wraptemplate_idx; /* the index of the wrap template list */ 236 size_t unwraptemplate_idx; /* the index of the unwrap template list */ 237 size_t derivetemplate_idx; /* the index of the derive template list */ 238 bool has_wrap_template; /* whether or not we have a wrap template */ 239 bool has_unwrap_template; /* whether or not we have an unwrap template */ 240 bool has_derive_template; /* whether or not we have a derive template */ 241 int level; /* used by parser to prevent mutli-level templates */ 242 size_t saved_idx; /* used by lexer to temporary store the index used for the template */ 243 244 struct { 245 CK_ATTRIBUTE *attrlist; 246 size_t attrnum; 247 } attrs[4]; 248 249 /* the following two members keep track of allowed mechanisms, when specified */ 250 CK_MECHANISM_TYPE_PTR allowedmechs; 251 size_t allowedmechs_len; 252 } attribCtx; 253 254 /* pkcs11_unwrap / pkcs11_wrap / pkcs11_wctx */ 255 256 typedef struct s_p11_wrappedkeyctx { 257 pkcs11Context *p11Context; 258 259 char *wrappingkeylabel; 260 char *wrappedkeylabel; /* inner key only - outer key will have random name and ID */ 261 262 char *filename; /* filename used to write wrapping file */ 263 264 /* the following two members keep track of allowed mechanisms, when specified */ 265 CK_MECHANISM_TYPE_PTR allowedmechs; 266 size_t allowedmechs_len; 267 268 struct { /* inner or outer but never both (by design) */ 269 CK_MECHANISM_TYPE aes_wrapping_mech; /* used when wrapping_meth is w_rfc3394 or w_rfc5649 */ 270 CK_BYTE_PTR iv; /* used for CKM_XXX_CBC_PAD and CKM_AES_KEY_WRAP_PAD */ 271 CK_ULONG iv_len; /* used for CBC_XXX_CBC_PAD and CKM_AES_KEY_WRAP_PAD */ 272 } aes_params; 273 CK_RSA_PKCS_OAEP_PARAMS_PTR oaep_params; /* inner or outer but never both (by design) */ 274 275 CK_BBOOL is_envelope; /* in case of envelope encryption, remember it here */ 276 /* outer key is stored in [0], inner key is stored in [1] */ 277 struct { 278 CK_OBJECT_HANDLE wrappingkeyhandle; 279 CK_OBJECT_HANDLE wrappedkeyhandle; 280 CK_OBJECT_CLASS wrappedkeyobjclass; 281 CK_BYTE_PTR wrapped_key_buffer; 282 CK_ULONG wrapped_key_len; 283 enum wrappingmethod wrapping_meth; 284 } key[2]; /* [0] is outer, [1] is inner */ 285 286 /* in case there is a public key, the following attributes are used */ 287 CK_BYTE_PTR pubk_buffer; 288 CK_ULONG pubk_len; 289 CK_OBJECT_HANDLE pubkhandle; 290 291 attribCtx *wrpkattribs; /* structure to hold wrappedkey attributes */ 292 attribCtx *pubkattribs; /* structure to hold public key attributes */ 293 294 } wrappedKeyCtx; 295 296 /* key index, see pkcs11_wctx.c for a comment explaining how this works */ 297 #define WRAPPEDKEYCTX_OUTER_KEY_INDEX 0 /* when w_envelope */ 298 #define WRAPPEDKEYCTX_INNER_KEY_INDEX 1 /* when w_envelope */ 299 #define WRAPPEDKEYCTX_LONE_KEY_INDEX 1 /* for all other wrapping methods */ 300 #define WRAPPEDKEYCTX_INNER_OR_LONE_KEY_INDEX 1 301 #define WRAPPEDKEYCTX_NO_INDEX -1 /* when no index is needed */ 302 303 /* supported content types in .wrap files */ 304 enum contenttype { ct_unknown, /* unidentified app */ 305 ct_appl_p11, /* application/pkcs11-tools */ 306 }; 307 308 309 /* /\* Supplementary flags for NSS *\/ */ 310 /* #define NSSCK_VENDOR_NSS 0x4E534350 /\* NSCP *\/ */ 311 /* #define CKA_NSS (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NSS) */ 312 /* #define CKA_TRUST (CKA_NSS + 0x2000) */ 313 314 /* /\* "Purpose" trust information *\/ */ 315 /* #define CKA_TRUST_SERVER_AUTH (CKA_TRUST + 8) */ 316 /* #define CKA_TRUST_CLIENT_AUTH (CKA_TRUST + 9) */ 317 /* #define CKA_TRUST_CODE_SIGNING (CKA_TRUST + 10) */ 318 /* #define CKA_TRUST_EMAIL_PROTECTION (CKA_TRUST + 11) */ 319 320 321 322 #define PASSWORD_NOLOGIN ":::nologin" 323 #define PASSWORD_EXEC ":::exec:" 324 325 326 /* macros used by internal lib */ 327 328 /* Endianness : counts for class-based search strings */ 329 330 #ifdef WORDS_BIGENDIAN 331 #define CLASS_CERT "CKA_CLASS/{00 00 00 00 00 00 00 01}" 332 #define CLASS_PUBK "CKA_CLASS/{00 00 00 00 00 00 00 02}" 333 #define CLASS_PRVK "CKA_CLASS/{00 00 00 00 00 00 00 03}" 334 #define CLASS_SECK "CKA_CLASS/{00 00 00 00 00 00 00 04}" 335 #define CLASS_DATA "CKA_CLASS/{00 00 00 00 00 00 00 00}" 336 #else 337 #define CLASS_CERT "CKA_CLASS/{01 00 00 00 00 00 00 00}" 338 #define CLASS_PUBK "CKA_CLASS/{02 00 00 00 00 00 00 00}" 339 #define CLASS_PRVK "CKA_CLASS/{03 00 00 00 00 00 00 00}" 340 #define CLASS_SECK "CKA_CLASS/{04 00 00 00 00 00 00 00}" 341 #define CLASS_DATA "CKA_CLASS/{00 00 00 00 00 00 00 00}" 342 #endif 343 344 /* prototypes */ 345 346 /* pkcs11_utils.c */ 347 348 char * pkcs11_prompt( char *, CK_BBOOL ); 349 void pkcs11_prompt_free_buffer(char *arg); 350 char * pkcs11_pipe_password( char * passwordexec ); 351 func_rc prompt_for_hex(char *message, char *prompt, char *target, int len); 352 353 char * print_keyClass( CK_ULONG ); 354 char * print_keyType( CK_ULONG ); 355 CK_ULONG get_object_class(char *); 356 CK_ATTRIBUTE_TYPE get_attribute_type(char *arg); 357 358 void release_attribute( CK_ATTRIBUTE_PTR arg ); 359 void release_attributes(CK_ATTRIBUTE attrs[], size_t cnt); 360 361 char * hex2bin_new(char *label, size_t size, size_t *outsize); 362 void hex2bin_free(char *ptr); 363 364 CK_ATTRIBUTE_PTR get_attribute_for_type_and_value(CK_ATTRIBUTE_TYPE argattrtype, char *arg ); 365 int get_attributes_from_argv( CK_ATTRIBUTE *attrs[] , int pos, int argc, char **argv); 366 char * label_or_id(CK_ATTRIBUTE_PTR label, CK_ATTRIBUTE_PTR id, char *buffer, int buffer_len); 367 368 /* pkcs11_error.c */ 369 func_rc pkcs11_error( CK_RV, char * const ); 370 func_rc pkcs11_warning( CK_RV, char * const ); 371 372 /* pkcs11_ll_[PLATFORM].c */ 373 /* platform-specific low-level routines */ 374 375 void * pkcs11_ll_dynlib_open( const char *libname); 376 void pkcs11_ll_dynlib_close( void * handle ); 377 void * pkcs11_ll_dynlib_getfunc(void *handle, const char *funcname); 378 void pkcs11_ll_clear_screen(void); 379 void pkcs11_ll_echo_on(void); 380 void pkcs11_ll_echo_off(void); 381 void pkcs11_ll_clear_screen(void); 382 void pkcs11_ll_release_screen(void); 383 char *pkcs11_ll_basename(char *path); 384 void pkcs11_ll_set_binary(FILE *fp); 385 unsigned long pkcs11_ll_bigendian_ul(unsigned long argul); 386 387 /* pkcs11_context.c */ 388 pkcs11Context * pkcs11_newContext( char *libraryname, char * nssconfigdir ); 389 void pkcs11_freeContext( pkcs11Context *p11Context ); 390 func_rc pkcs11_initialize( pkcs11Context * ); 391 func_rc pkcs11_finalize( pkcs11Context * ); 392 393 /* pkcs11_GetSession.c */ 394 func_rc pkcs11_open_session( pkcs11Context * p11Context, int slot, char *tokenlabel, char * password, int so, int interactive ); 395 func_rc pkcs11_close_session( pkcs11Context * p11Context ); 396 397 int setKeyLabel( pkcs11Context *, CK_OBJECT_HANDLE, char * ); 398 int showKey( pkcs11Context *, CK_OBJECT_HANDLE ); 399 400 /* pkcs11_idtemplate.c */ 401 pkcs11IdTemplate * pkcs11_make_idtemplate(char *labelorid); 402 void pkcs11_delete_idtemplate(pkcs11IdTemplate * idtmpl) ; 403 int pkcs11_sizeof_idtemplate(pkcs11IdTemplate *idtmpl); 404 405 /* pkcs11_random.c */ 406 func_rc pkcs11_getrandombytes(pkcs11Context *p11Context, CK_BYTE_PTR buffer, CK_ULONG desired_length); 407 408 /* pkcs11_peekpoke.c */ 409 CK_OBJECT_HANDLE pkcs11_getObjectHandle( pkcs11Context * p11Context, CK_OBJECT_CLASS oclass, CK_ATTRIBUTE_TYPE idorlabel, CK_BYTE_PTR byteArrayPtr, CK_ULONG byteArrayLen ); 410 CK_OBJECT_HANDLE pkcs11_findPrivateKeyByLabel( pkcs11Context * p11Context, char *label ); 411 CK_OBJECT_HANDLE pkcs11_findPublicKeyByLabel( pkcs11Context * p11Context, char *label ); 412 CK_BBOOL pkcs11_is_mech_supported(pkcs11Context *p11ctx, CK_MECHANISM_TYPE m); 413 414 415 CK_RV pkcs11_setObjectAttribute( pkcs11Context * p11Context, CK_OBJECT_HANDLE objectHandle, CK_ATTRIBUTE_PTR attr); 416 CK_RV pkcs11_setObjectAttributes( pkcs11Context * p11Context, CK_OBJECT_HANDLE objectHandle, CK_ATTRIBUTE attrs[], size_t cnt ); 417 418 int pkcs11_getObjectAttributes( pkcs11Context * p11Context, CK_OBJECT_HANDLE objectHandle, CK_ATTRIBUTE attr[], int attrlen ); 419 void pkcs11_freeObjectAttributesValues( CK_ATTRIBUTE attr[], int attrlen); 420 421 func_rc pkcs11_adjust_keypair_id(pkcs11Context * p11Context, CK_OBJECT_HANDLE hPublicKey, CK_OBJECT_HANDLE hPrivateKey); 422 CK_ULONG pkcs11_get_object_size(pkcs11Context *p11ctx, CK_OBJECT_HANDLE obj); 423 void pkcs11_adjust_des_key_parity(CK_BYTE* pucKey, int nKeyLen); 424 int pkcs11_get_rsa_modulus_bits(pkcs11Context *p11Context, CK_OBJECT_HANDLE obj); 425 int pkcs11_get_dsa_pubkey_bits(pkcs11Context *p11Context, CK_OBJECT_HANDLE hndl); 426 CK_OBJECT_CLASS pkcs11_get_object_class(pkcs11Context *p11Context, CK_OBJECT_HANDLE hndl); 427 key_type_t pkcs11_get_key_type(pkcs11Context *p11Context, CK_OBJECT_HANDLE hndl); 428 char *pkcs11_alloclabelforhandle(pkcs11Context *p11Context, CK_OBJECT_HANDLE hndl); 429 430 /* pkcs11_x509.c */ 431 432 CK_OBJECT_HANDLE pkcs11_importcert( pkcs11Context * p11Context, 433 char *filename, 434 void *x509, 435 char *label, 436 int trusted); 437 438 /* pkcs11_pubk.c */ 439 CK_ULONG pkcs11_new_SKI_value_from_pubk(EVP_PKEY *pubkey, CK_BYTE_PTR *buf); 440 441 CK_OBJECT_HANDLE pkcs11_importpubk( pkcs11Context * p11Context, 442 char *filename, 443 char *label, 444 CK_ATTRIBUTE attrs[], 445 CK_ULONG numattrs ); 446 447 CK_OBJECT_HANDLE pkcs11_importpubk_from_buffer( pkcs11Context * p11Context, 448 unsigned char *buffer, 449 size_t len, 450 char *label, 451 CK_ATTRIBUTE attrs[], 452 CK_ULONG numattrs ); 453 454 455 /* pkcs11_data.c */ 456 CK_OBJECT_HANDLE pkcs11_importdata( pkcs11Context * p11Context, 457 char *filename, 458 char *label); 459 460 /* pkcs11_ec.c */ 461 462 bool pkcs11_is_ed_param_named_25519(const uint8_t *ecparam, size_t ecparamlen); 463 bool pkcs11_is_ed_param_named_448(const uint8_t *ecparam, size_t ecparamlen); 464 465 bool pkcs11_ex_curvename2oid(char *name, CK_BYTE **where, CK_ULONG *len, key_type_t keytype); 466 467 bool pkcs11_ec_curvename2oid(char *name, CK_BYTE **where, CK_ULONG *len); 468 char * pkcs11_ec_oid2curvename(CK_BYTE *param, CK_ULONG param_len, char *where, size_t maxlen); 469 void pkcs11_ec_freeoid(CK_BYTE_PTR buf); 470 471 bool pkcs11_ed_curvename2oid(char *name, CK_BYTE **where, CK_ULONG *len); 472 char * pkcs11_ed_oid2curvename(CK_BYTE *param, CK_ULONG param_len, char *where, size_t maxlen); 473 void pkcs11_ed_freeoid(CK_BYTE_PTR buf); 474 475 /* pkcs11_keygen.c */ 476 typedef enum { 477 kg_token, /* token key */ 478 kg_session_for_wrapping, /* session key, that will be wrapped */ 479 kg_token_for_wrapping /* create session key, wrap, then copy locally as token key */ 480 } key_generation_t; 481 482 func_rc pkcs11_genAES( pkcs11Context * p11Context, 483 char *label, 484 CK_ULONG bits, 485 CK_ATTRIBUTE attrs[], 486 CK_ULONG numattrs, 487 CK_OBJECT_HANDLE_PTR hSecretKey, 488 key_generation_t gentype); 489 490 func_rc pkcs11_genDESX( pkcs11Context * p11Context, 491 char *label, 492 CK_ULONG bits, 493 CK_ATTRIBUTE attrs[], 494 CK_ULONG numattrs, 495 CK_OBJECT_HANDLE_PTR hSecretKey, 496 key_generation_t gentype); 497 498 /* HMAC keys */ 499 func_rc pkcs11_genGeneric( pkcs11Context * p11Context, 500 char *label, 501 key_type_t kt, 502 CK_ULONG bits, 503 CK_ATTRIBUTE attrs[], 504 CK_ULONG numattrs, 505 CK_OBJECT_HANDLE_PTR hSecretKey, 506 key_generation_t gentype); 507 508 func_rc pkcs11_genRSA( pkcs11Context * p11Context, 509 char *label, 510 CK_ULONG bits, 511 CK_ATTRIBUTE attrs[], 512 CK_ULONG numattrs, 513 CK_OBJECT_HANDLE_PTR hPublicKey, 514 CK_OBJECT_HANDLE_PTR hPrivateKey, 515 key_generation_t gentype); 516 517 func_rc pkcs11_genEC( pkcs11Context * p11Context, 518 char *label, 519 char *param, 520 CK_ATTRIBUTE attrs[], 521 CK_ULONG numattrs, 522 CK_OBJECT_HANDLE_PTR hPublicKey, 523 CK_OBJECT_HANDLE_PTR hPrivateKey, 524 key_generation_t gentype); 525 526 func_rc pkcs11_genED( pkcs11Context * p11Context, 527 char *label, 528 char *param, 529 CK_ATTRIBUTE attrs[], 530 CK_ULONG numattrs, 531 CK_OBJECT_HANDLE_PTR hPublicKey, 532 CK_OBJECT_HANDLE_PTR hPrivateKey, 533 key_generation_t gentype); 534 535 int pkcs11_testgenEC_support( pkcs11Context * p11Context, const char *param ); 536 537 func_rc pkcs11_genDSA(pkcs11Context * p11Context, 538 char *label, 539 char *param, 540 CK_ATTRIBUTE attrs[], 541 CK_ULONG numattrs, 542 CK_OBJECT_HANDLE_PTR hPublicKey, 543 CK_OBJECT_HANDLE_PTR hPrivateKey, 544 key_generation_t gentype); 545 546 func_rc pkcs11_genDH(pkcs11Context * p11Context, 547 char *label, 548 char *param, 549 CK_ATTRIBUTE attrs[], 550 CK_ULONG numattrs, 551 CK_OBJECT_HANDLE_PTR hPublicKey, 552 CK_OBJECT_HANDLE_PTR hPrivateKey, 553 key_generation_t gentype); 554 555 /* pkcs11_cert_common.c */ 556 X509_NAME *pkcs11_DN_new_from_string(char *subject, long chtype, bool multirdn, bool reverse); 557 bool pkcs11_X509_check_DN(char *subject); 558 const EVP_MD *pkcs11_get_EVP_MD(key_type_t key_type, hash_alg_t hash_alg); 559 EVP_PKEY *pkcs11_SPKI_from_RSA(pkcs11AttrList *attrlist ); 560 EVP_PKEY *pkcs11_SPKI_from_DSA(pkcs11AttrList *attrlist ); 561 EVP_PKEY *pkcs11_SPKI_from_EC(pkcs11AttrList *attrlist ); 562 EVP_PKEY *pkcs11_SPKI_from_ED(pkcs11AttrList *attrlist ); 563 564 565 /* pkcs11_req.c */ 566 CK_VOID_PTR pkcs11_create_X509_REQ(pkcs11Context *p11Context, 567 char *dn, 568 bool reverse, 569 bool fake, 570 char *san[], 571 int sancnt, 572 bool ext_ski, 573 key_type_t key_type, 574 hash_alg_t hash_alg, 575 CK_OBJECT_HANDLE hprivkey, 576 pkcs11AttrList *attrlist) ; 577 578 void write_X509_REQ(CK_VOID_PTR req, char *filename, bool verbose); 579 580 /* pkcs11_cert.c */ 581 CK_VOID_PTR pkcs11_create_X509_CERT(pkcs11Context *p11Context, 582 char *dn, 583 bool reverse, 584 int days, 585 char *san[], 586 int sancnt, 587 bool ext_ski, 588 key_type_t key_type, 589 hash_alg_t hash_alg, 590 CK_OBJECT_HANDLE hprivkey, 591 pkcs11AttrList *attrlist); 592 593 void write_X509_CERT(CK_VOID_PTR req, char *filename, bool verbose); 594 595 596 CK_ULONG pkcs11_allocate_and_hash_sha1(CK_BYTE_PTR data, CK_ULONG datalen, CK_VOID_PTR_PTR buf); 597 598 /* pkcs11_masq.c */ 599 600 typedef struct x509_req_handle_struct_t x509_req_handle_t; 601 602 x509_req_handle_t *pkcs11_get_X509_REQ_from_file(char *csrfilename); 603 void x509_req_handle_t_free(x509_req_handle_t *hndl); 604 bool pkcs11_masq_X509_REQ(x509_req_handle_t *req, 605 char *dn, 606 bool reverse, 607 char *san[], 608 int sancnt, 609 bool ext_ski); 610 611 612 /* pkcs11_search.c */ 613 pkcs11Search *pkcs11_new_search(pkcs11Context *p11Context, CK_ATTRIBUTE_PTR template, CK_ULONG length); 614 pkcs11Search *pkcs11_new_search_from_idtemplate( pkcs11Context *p11Context, pkcs11IdTemplate *idtmpl); 615 616 CK_OBJECT_HANDLE pkcs11_fetch_next(pkcs11Search *p11s); 617 void pkcs11_delete_search(pkcs11Search *p11s); 618 int pkcs11_label_exists(pkcs11Context *p11Context, char *label); 619 int pkcs11_privatekey_exists(pkcs11Context *p11Context, char *label); 620 int pkcs11_publickey_exists(pkcs11Context *p11Context, char *label); 621 int pkcs11_secretkey_exists(pkcs11Context *p11Context, char *label); 622 int pkcs11_certificate_exists(pkcs11Context *p11Context, char *label); 623 int pkcs11_data_exists(pkcs11Context *p11Context, char *label); 624 int pkcs11_findkeypair(pkcs11Context *p11Context, char *label, CK_OBJECT_HANDLE_PTR hPublicKey, CK_OBJECT_HANDLE_PTR hPrivateKey); 625 int pkcs11_findpublickey(pkcs11Context *p11Context, char *label, CK_OBJECT_HANDLE_PTR hPublicKey); 626 int pkcs11_findprivatekey(pkcs11Context *p11Context, char *label, CK_OBJECT_HANDLE_PTR hPublicKey); 627 int pkcs11_findsecretkey(pkcs11Context *p11Context, char *label, CK_OBJECT_HANDLE_PTR hSecretKey); 628 int pkcs11_findprivateorsecretkey(pkcs11Context *p11Context, char *label, CK_OBJECT_HANDLE_PTR hKey, CK_OBJECT_CLASS *oclass); 629 630 631 /* pkcs11_attr.c */ 632 633 #define _ATTR(attr) (CK_ATTRIBUTE_TYPE)(attr) 634 #define _ATTR_END _ATTR(0xFFFFFFFFL) 635 636 pkcs11AttrList *pkcs11_new_attrlist(pkcs11Context *p11Context, ...); 637 pkcs11AttrList *pkcs11_new_attrlist_from_array(pkcs11Context *p11Context, CK_ATTRIBUTE_PTR attrs, CK_ULONG attrlen); 638 pkcs11AttrList *pkcs11_cast_to_attrlist(pkcs11Context *p11Context, CK_ATTRIBUTE_PTR attrs, CK_ULONG numattrs); 639 640 void pkcs11_attrlist_assign_context(pkcs11AttrList *attrlist, pkcs11Context *p11Context); 641 642 bool pkcs11_set_attr_in_attrlist ( pkcs11AttrList *attrlist, 643 CK_ATTRIBUTE_TYPE attrib, 644 CK_VOID_PTR pvalue, 645 CK_ULONG len ); 646 647 bool pkcs11_attrlist_has_attribute(const pkcs11AttrList *attrlist, CK_ATTRIBUTE_TYPE attr); 648 CK_ATTRIBUTE_PTR pkcs11_get_attr_in_attrlist ( pkcs11AttrList *attrlist, 649 CK_ATTRIBUTE_TYPE attrib ); 650 651 CK_ATTRIBUTE_PTR pkcs11_get_attr_in_array ( CK_ATTRIBUTE_PTR array, 652 size_t arraysize, /* in bytes */ 653 CK_ATTRIBUTE_TYPE attrib ); 654 655 bool pkcs11_read_attr_from_handle ( pkcs11AttrList *attrlist, CK_OBJECT_HANDLE handle); 656 bool pkcs11_read_attr_from_handle_ext ( pkcs11AttrList *attrlist, CK_OBJECT_HANDLE handle, ... ); 657 bool pkcs11_attr_is_template(CK_ATTRIBUTE_TYPE attrtype); 658 bool pkcs11_attr_is_allowed_mechanisms(CK_ATTRIBUTE_TYPE attrtype); 659 660 pkcs11AttrList *pkcs11_attrlist_extend(pkcs11AttrList *attrlist, CK_ATTRIBUTE_PTR attrs, CK_ULONG numattrs); 661 662 void pkcs11_delete_attrlist(pkcs11AttrList *attrlist); 663 664 CK_ATTRIBUTE * const pkcs11_attrlist_get_attributes_array(pkcs11AttrList *attrlist); 665 CK_ULONG const pkcs11_attrlist_get_attributes_len(pkcs11AttrList *attrlist); 666 667 /* pkcs11_openssl.c */ 668 const char * pkcs11_openssl_version(void); 669 void pkcs11_openssl_error(char * file, int line); 670 #define P_ERR() pkcs11_openssl_error(__FILE__,__LINE__) 671 672 CK_ULONG pkcs11_openssl_alloc_and_sha1(CK_BYTE_PTR data, CK_ULONG datalen, CK_VOID_PTR_PTR buf); 673 void pkcs11_openssl_free(CK_VOID_PTR_PTR buf); 674 675 /* pkcs11_ossl_rsa_meth.c */ 676 void pkcs11_rsa_method_setup(); 677 void pkcs11_rsa_method_pkcs11_context(pkcs11Context * p11Context, CK_OBJECT_HANDLE hPrivateKey, bool fake); 678 679 /* pkcs11_ossl_dsa_meth.c */ 680 void pkcs11_dsa_method_setup(); 681 void pkcs11_dsa_method_pkcs11_context(pkcs11Context * p11Context, CK_OBJECT_HANDLE hPrivateKey, bool fake); 682 683 /* pkcs11_ossl_ecdsa_meth.c */ 684 void pkcs11_ecdsa_method_setup(); 685 void pkcs11_ecdsa_method_pkcs11_context(pkcs11Context * p11Context, CK_OBJECT_HANDLE hPrivateKey, bool fake); 686 687 /* pkcs11_ossl_eddsa_meth.c */ 688 void pkcs11_eddsa_method_setup(); 689 void pkcs11_eddsa_method_pkcs11_context(pkcs11Context * p11Context, CK_OBJECT_HANDLE hPrivateKey, bool fake); 690 691 692 /* list functions */ 693 int pkcs11_ls_certs(pkcs11Context *p11Context); 694 int pkcs11_ls_pubk(pkcs11Context *p11Context); 695 int pkcs11_ls_privk(pkcs11Context *p11Context); 696 int pkcs11_ls_secrk(pkcs11Context *p11Context); 697 int pkcs11_ls_data(pkcs11Context *p11Context); 698 func_rc pkcs11_ls( pkcs11Context *p11Context, char *pattern); 699 700 701 /* rm functions */ 702 int pkcs11_rm_objects_with_label(pkcs11Context *p11Context, char *label, int interactive, int verbose); 703 704 /* mv functions */ 705 int pkcs11_mv_objects(pkcs11Context *p11Context, char *source, char *dest, int interactive, int verbose); 706 707 /* cp functions */ 708 int pkcs11_cp_objects(pkcs11Context *p11Context, char *source, char *dest, int interactive, int verbose); 709 710 /* cat functions */ 711 func_rc pkcs11_cat_object_with_label(pkcs11Context *p11Context, char *label, int openssl_native, BIO *sink); 712 func_rc pkcs11_cat_object_with_handle(pkcs11Context *p11Context, CK_OBJECT_HANDLE hndl, int openssl_native, BIO *sink); 713 714 /* more functions */ 715 func_rc pkcs11_more_object_with_label(pkcs11Context *p11Context, char *label); 716 717 /* od functions */ 718 func_rc pkcs11_dump_object_with_label(pkcs11Context *p11Context, char *label); 719 720 /* keycomp functions */ 721 KeyImportCtx * pkcs11_import_component_init(pkcs11Context *p11Context, char *unwrappinglabel, char *targetlabel); 722 func_rc pkcs11_import_component(KeyImportCtx *kctx, unsigned char * comp, size_t len); 723 CK_OBJECT_HANDLE pkcs11_import_component_final(KeyImportCtx *kctx); 724 725 726 /* info functions */ 727 CK_MECHANISM_TYPE pkcs11_get_mechanism_type_from_name(char *name); /* pkcs11_mechanism.c */ 728 const char *pkcs11_get_mechanism_name_from_type(CK_MECHANISM_TYPE mech); /* pkcs11_mechanism.c */ 729 CK_ATTRIBUTE_TYPE pkcs11_get_attribute_type_from_name(char *name); /* pkcs11_attrdesc.c */ 730 const char *pkcs11_get_attribute_name_from_type(CK_ATTRIBUTE_TYPE attrtyp); /* pkcs11_attrdesc.c */ 731 732 func_rc pkcs11_info_library(pkcs11Context *p11Context); 733 func_rc pkcs11_info_slot(pkcs11Context *p11Context); 734 func_rc pkcs11_info_ecsupport(pkcs11Context *p11Context); 735 736 /* chattr function */ 737 func_rc pkcs11_change_object_attributes(pkcs11Context *p11Context, char *label, CK_ATTRIBUTE *attr, size_t cnt, int interactive ); 738 739 /* kcv functions */ 740 #define MAX_KCV_CLEARTEXT_SIZE 256 741 void pkcs11_display_kcv( pkcs11Context *p11Context, char *label, unsigned hmacdatasize ); 742 743 /* wrap/unwrap functions */ 744 func_rc pkcs11_prepare_wrappingctx(wrappedKeyCtx *wctx, char *wrappingjob); 745 func_rc pkcs11_wrap_from_label(wrappedKeyCtx *wctx, char *wrappedkeylabel); 746 func_rc pkcs11_wrap_from_handle(wrappedKeyCtx *wctx, CK_OBJECT_HANDLE wrappedkeyhandle, CK_OBJECT_HANDLE pubkhandle); 747 func_rc pkcs11_output_wrapped_key( wrappedKeyCtx *wctx); 748 749 wrappedKeyCtx *pkcs11_new_wrapped_key_from_file(pkcs11Context *p11Context, char *filename); 750 func_rc pkcs11_unwrap(pkcs11Context *p11Context, wrappedKeyCtx *ctx, char *wrappingkeylabel, char *wrappedkeylabel, CK_ATTRIBUTE attrs[], CK_ULONG numattrs, key_generation_t keygentype ); 751 const CK_OBJECT_HANDLE pkcs11_get_wrappedkeyhandle(wrappedKeyCtx *ctx); 752 const CK_OBJECT_HANDLE pkcs11_get_publickeyhandle(wrappedKeyCtx *ctx); 753 754 wrappedKeyCtx *pkcs11_new_wrappedkeycontext(pkcs11Context *p11Context); 755 void pkcs11_free_wrappedkeycontext(wrappedKeyCtx *wctx); 756 CK_MECHANISM_TYPE_PTR pkcs11_wctx_get_allowed_mechanisms(wrappedKeyCtx *ctx); 757 size_t pkcs11_wctx_get_allowed_mechanisms_len(wrappedKeyCtx *ctx); 758 void pkcs11_wctx_free_mechanisms(wrappedKeyCtx *wctx); /* to free allowed mechanisms */ 759 void pkcs11_wctx_forget_mechanisms(wrappedKeyCtx *wctx); /* for transfer of ownership */ 760 761 /* pkcs11_attribctx */ 762 attribCtx *pkcs11_new_attribcontext(); 763 void pkcs11_free_attribcontext(attribCtx *ctx); 764 func_rc pkcs11_parse_attribs_from_argv(attribCtx *ctx , int pos, int argc, char **argv, const char *additional); 765 CK_ATTRIBUTE_PTR pkcs11_get_attrlist_from_attribctx(attribCtx *ctx); 766 size_t pkcs11_get_attrnum_from_attribctx(attribCtx *ctx); 767 void pkcs11_adjust_attrnum_on_attribctx(attribCtx *ctx, size_t value); 768 769 func_rc pkcs11_attribctx_add_mechanism(attribCtx *ctx, CK_MECHANISM_TYPE attrtype); 770 func_rc pkcs11_attribctx_free_mechanisms(attribCtx *ctx); 771 void pkcs11_attribctx_forget_mechanisms(attribCtx *ctx); 772 CK_MECHANISM_TYPE_PTR pkcs11_attribctx_get_allowed_mechanisms(attribCtx *ctx); 773 size_t pkcs11_attribctx_get_allowed_mechanisms_len(attribCtx *ctx); 774 775 776 /* End - Function Prototypes */ 777 778 /* Callback Prompt Strings */ 779 #define SLOT_PROMPT_STRING "Enter slot index: " 780 #define PASS_PROMPT_STRING "Enter passphrase for token: " 781 #define TOKEN_PASS_PROMPT_STRING "Enter passphrase for token '%s': " 782 783 #define MAXBUFSIZE 1024 784 #define MAXKEYS 2000 785 #define MAX_KEY_LABEL_SIZE 32 786 #define MAX_BYTE_ARRAY_SIZE 20 787 788 #define PARSING_MAX_ATTRS 32 /* max number of attributes inside a wrap file */ 789 #define CMDLINE_MAX_ATTRS 32 /* max number of attributes for cmdline parsing */ 790 791 #endif 792 793 /* 794 *-------------------------------------------------------------------------------- 795 * $Log$ 796 *-------------------------------------------------------------------------------- 797 */ 798