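/*	$NetBSD: pk11.h,v 1.6 2022/09/23 12:15:33 christos Exp $	*/

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

#ifndef PK11_PK11_H
#define PK11_PK11_H 1

/*! \file pk11/pk11.h */

#include <stdbool.h>
#include <unistd.h>

#include <isc/lang.h>
#include <isc/magic.h>
#include <isc/types.h>

/*%
 * Call a Cryptoki function and treat any result other than CKR_OK as fatal.
 *
 * func: the function to call; its name is stringified for the report.
 * args: the complete, parenthesized argument list, e.g. (session, &obj).
 *
 * The macro assigns to a variable named 'rv' that must already be declared
 * in the calling scope; it does not declare one itself.  On failure it calls
 * pk11_error_fatalcheck(), which is declared no-return below, so code after
 * a PK11_FATALCHECK() only runs when the call returned CKR_OK.  Use it only
 * where stopping is the intended reaction to a provider error.
 */
#define PK11_FATALCHECK(func, args)                      \
	((void)(((rv = (func)args) == CKR_OK) ||         \
		((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0)))

#include <pk11/site.h>
#include <pkcs11/pkcs11.h>

ISC_LANG_BEGINDECLS

/*%
 * Magic tags ('PKSS' and 'PKTK') and the matching validity checks built on
 * ISC_MAGIC_VALID.  The structures carrying these tags are not declared in
 * this header.
 */
#define SES_MAGIC ISC_MAGIC('P', 'K', 'S', 'S')
#define TOK_MAGIC ISC_MAGIC('P', 'K', 'T', 'K')

#define VALID_SES(x) ISC_MAGIC_VALID(x, SES_MAGIC)
#define VALID_TOK(x) ISC_MAGIC_VALID(x, TOK_MAGIC)

typedef struct pk11_context pk11_context_t;

/*%
 * Description of a Cryptoki object: its handle, the slot it belongs to, two
 * boolean flags, and an attribute array.
 *
 * NOTE(review): 'attrcnt' is presumably the number of entries in 'repr';
 * it is a CK_BYTE, so the count is limited to that type's range -- confirm
 * that code filling 'repr' checks the bound.
 */
struct pk11_object {
	CK_OBJECT_HANDLE object;
	CK_SLOT_ID	 slot;
	CK_BBOOL	 ontoken;
	CK_BBOOL	 reqlogon;
	CK_BYTE		 attrcnt;
	CK_ATTRIBUTE	*repr;
};

/*%
 * Per-use context passed to pk11_get_session() and pk11_return_session().
 *
 * NOTE(review): 'handle' is an opaque pointer whose target type is not
 * visible in this header.
 */
struct pk11_context {
	void		 *handle;
	CK_SESSION_HANDLE session;
	CK_BBOOL	  ontoken;
	CK_OBJECT_HANDLE  object;
};

typedef struct pk11_object pk11_object_t;

/*%
 * Operation types accepted by pk11_get_session() and pk11_parse_uri().
 * The value 2 is not assigned in this header.
 */
typedef enum {
	OP_ANY = 0,
	OP_RSA = 1,
	OP_DH = 3,
	OP_ECDSA = 4,
	OP_EDDSA = 5,
	OP_MAX = 6
} pk11_optype_t;

/*%
 * Global flag to make choose_slots() verbose
 */
LIBISC_EXTERNAL_DATA extern bool pk11_verbose_init;

/*%
 * Function prototypes
 */

void
pk11_set_lib_name(const char *lib_name);
/*%<
 * Set the PKCS#11 provider (aka library) path/name.
 *
 * NOTE(review): the provider is a library that gets loaded (see
 * PK11_R_NOPROVIDER under pk11_initialize()), so this value should come
 * from trusted configuration only.
 */

isc_result_t
pk11_initialize(isc_mem_t *mctx, const char *engine);
/*%<
 * Initialize PKCS#11 device
 *
 * mctx:   memory context to attach to pk11_mctx.
 * engine: PKCS#11 provider (aka library) path/name.
 *
 * returns:
 *	 ISC_R_SUCCESS
 *	 PK11_R_NOPROVIDER: can't load the provider
 *	 PK11_R_INITFAILED: C_Initialize() failed
 *	 PK11_R_NORANDOMSERVICE: can't find required random service
 *	 PK11_R_NODIGESTSERVICE: can't find required digest service
 *	 PK11_R_NOAESSERVICE: can't find required AES service
 */

isc_result_t
pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, bool need_services,
		 bool rw, bool logon, const char *pin, CK_SLOT_ID slot);
/*%<
 * Initialize PKCS#11 device and acquire a session.
 *
 * need_services:
 *	  if true, this session requires full PKCS#11 API
 *	  support including random and digest services, and
 *	  the lack of these services will cause the session not
 *	  to be initialized.  If false, the function will return
 *	  an error code indicating the missing service, but the
 *	  session will be usable for other purposes.
 * rw:    if true, session will be read/write (useful for
 *	  generating or destroying keys); otherwise read-only.
 * logon: indicates whether to log in to the device
 * pin:   optional PIN, overriding any PIN currently associated
 *	  with the device.  (NOTE(review): this sentence was cut off in
 *	  the original comment; "device" is a guess -- confirm.)
 * slot:  device slot ID
 *
 * NOTE(review): 'pin' is passed as a plain C string.  This header does not
 * say whether it is copied or who clears it afterwards; confirm in the
 * implementation and keep the caller's copy short-lived.
 */

void
pk11_return_session(pk11_context_t *ctx);
/*%<
 * Release an active PKCS#11 session for reuse.
 */

isc_result_t
pk11_finalize(void);
/*%<
 * Shut down PKCS#11 device and free all sessions.
 */

isc_result_t
pk11_parse_uri(pk11_object_t *obj, const char *label, isc_mem_t *mctx,
	       pk11_optype_t optype);
/*%<
 * NOTE(review): undocumented in the original.  Judging by the name and
 * parameters it presumably parses a PKCS#11 URI given in 'label' into
 * 'obj', allocating from 'mctx' -- confirm.  If 'label' can come from key
 * files or configuration, treat it as untrusted input and check the result.
 */

ISC_PLATFORM_NORETURN_PRE void
pk11_error_fatalcheck(const char *file, int line, const char *funcname,
		      CK_RV rv) ISC_PLATFORM_NORETURN_POST;
/*%<
 * Failure handler used by PK11_FATALCHECK().  It receives the source
 * location, the name of the function that failed and its CK_RV result, and
 * is declared as not returning.
 */

void
pk11_dump_tokens(void);
/*%<
 * NOTE(review): undocumented in the original; presumably prints the known
 * tokens for diagnostics -- confirm what it prints before wiring it to any
 * output that is exposed outside the host.
 */

CK_RV
pkcs_C_Initialize(CK_VOID_PTR pReserved);

char *
pk11_get_load_error_message(void);
/*%<
 * NOTE(review): undocumented in the original; presumably returns the text
 * of the last provider load failure.  Ownership and lifetime of the
 * returned string are not specified here -- confirm before freeing or
 * storing it.
 */

/*%
 * pkcs_C_*: prototypes named after the Cryptoki C_* entry points, with a
 * pkcs_ prefix (pkcs_C_Initialize() above belongs to the same group).
 * Their definitions are not part of this header.
 *
 * Every one of them returns a CK_RV that the caller has to compare with
 * CKR_OK; use PK11_FATALCHECK() where a failure should stop the program.
 * The CK_ULONG_PTR length parameters follow the Cryptoki convention of
 * carrying the buffer size in and the produced length out, so set them to
 * the real buffer size before each call.
 */

CK_RV
pkcs_C_Finalize(CK_VOID_PTR pReserved);

CK_RV
pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
		   CK_ULONG_PTR pulCount);

CK_RV
pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);

CK_RV
pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
			CK_MECHANISM_INFO_PTR pInfo);

CK_RV
pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication,
		   CK_RV (*Notify)(CK_SESSION_HANDLE hSession,
				   CK_NOTIFICATION   event,
				   CK_VOID_PTR	     pApplication),
		   CK_SESSION_HANDLE_PTR phSession);

CK_RV
pkcs_C_CloseSession(CK_SESSION_HANDLE hSession);

/* The PIN is passed as a byte pointer plus an explicit length. */
CK_RV
pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
	     CK_CHAR_PTR pPin, CK_ULONG usPinLen);

CK_RV
pkcs_C_Logout(CK_SESSION_HANDLE hSession);

CK_RV
pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
		    CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject);

CK_RV
pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);

CK_RV
pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);

CK_RV
pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);

CK_RV
pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
		       CK_ULONG usCount);

CK_RV
pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
		   CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount);

CK_RV
pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession);

CK_RV
pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
		   CK_OBJECT_HANDLE hKey);

CK_RV
pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
	       CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
	       CK_ULONG_PTR pulEncryptedDataLen);

CK_RV
pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism);

CK_RV
pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
		    CK_ULONG ulPartLen);

CK_RV
pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
		   CK_ULONG_PTR pulDigestLen);

CK_RV
pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
		CK_OBJECT_HANDLE hKey);

CK_RV
pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
	    CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen);

CK_RV
pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
		  CK_ULONG ulPartLen);

CK_RV
pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
		 CK_ULONG_PTR pulSignatureLen);

CK_RV
pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
		  CK_OBJECT_HANDLE hKey);

/*
 * For the three verify calls the CK_RV is the verification verdict: only
 * CKR_OK means the signature was accepted.
 */
CK_RV
pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
	      CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen);

CK_RV
pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
		    CK_ULONG ulPartLen);

CK_RV
pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
		   CK_ULONG ulSignatureLen);

CK_RV
pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
		   CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
		   CK_OBJECT_HANDLE_PTR phKey);

/*
 * NOTE(review): the last two parameters are named phPrivateKey, phPublicKey
 * here, while the Cryptoki C_GenerateKeyPair signature puts the public-key
 * handle first and the private-key handle second.  Parameter names in a
 * prototype do not change how a call binds its arguments, so confirm in the
 * implementation which handle each position receives before relying on
 * these names.
 */
CK_RV
pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
		       CK_ATTRIBUTE_PTR	    pPublicKeyTemplate,
		       CK_ULONG		    usPublicKeyAttributeCount,
		       CK_ATTRIBUTE_PTR	    pPrivateKeyTemplate,
		       CK_ULONG		    usPrivateKeyAttributeCount,
		       CK_OBJECT_HANDLE_PTR phPrivateKey,
		       CK_OBJECT_HANDLE_PTR phPublicKey);

CK_RV
pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
		 CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
		 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey);

CK_RV
pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
		  CK_ULONG ulSeedLen);

/*
 * Check the CK_RV before using RandomData: on failure the buffer contents
 * are not specified by this header.
 */
CK_RV
pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
		      CK_ULONG ulRandomLen);

ISC_LANG_ENDDECLS

#endif /* PK11_PK11_H */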