To use OpenSSL, you must have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix
using `--with-openssl=<PREFIX>` on the configure command line. To use a
-PKCS#11 hardware service module for cryptographic operations, specify the
-path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
-configure BIND with `--enable-native-pkcs11`.
+PKCS#11 hardware service module for cryptographic operations, it will
+be necessary to compile and use engine_pkcs11 from the OpenSC project.
To support DNS over HTTPS, the server must be linked with `libnghttp2`.
SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins
-
-if HAVE_PKCS11
-SUBDIRS += pkcs11
-endif
#include <isc/result.h>
#include <isc/string.h>
-#include <pk11/site.h>
-
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <isc/time.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <isc/time.h>
#include <isc/util.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dns/result.h>
int len = 0;
int ch;
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
result = isc_file_progname(*argv, program, sizeof(program));
#include <isc/task.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/byaddr.h>
#include <dns/dns64.h>
#include <dns/fixedname.h>
#include <isc/types.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/byaddr.h>
#include <dns/fixedname.h>
#include <dns/log.h>
#include "dighost.h"
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#define systemlocale(l) (void)setlocale(l, "")
#define resetlocale(l) (void)setlocale(l, "C")
debug("setup_libs()");
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
result = isc_net_probeipv4();
#include <dst/dst.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#include "dnssectool.h"
const char *program = "dnssec-cds";
isc_mem_create(&mctx);
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;
#include <dst/dst.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#include "dnssectool.h"
const char *program = "dnssec-dsfromkey";
isc_mem_create(&mctx);
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;
#include <dst/dst.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#include "dnssectool.h"
const char *program = "dnssec-importkey";
isc_mem_create(&mctx);
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dst/dst.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#include "dnssectool.h"
#define MAX_RSA 4096 /* should be long enough... */
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
fprintf(stderr, " -E <engine>:\n");
-#if USE_PKCS11
- fprintf(stderr,
- " path to PKCS#11 provider library "
- "(default is %s)\n",
- PK11_LIB_LOCATION);
-#else /* if USE_PKCS11 */
fprintf(stderr, " name of an OpenSSL engine to use\n");
-#endif /* if USE_PKCS11 */
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
isc_mem_create(&mctx);
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
- ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass,
-#if USE_PKCS11
- "pkcs11",
-#else /* if USE_PKCS11 */
- engine,
-#endif /* if USE_PKCS11 */
+ ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine,
label, NULL, mctx, &key);
if (ret != ISC_R_SUCCESS) {
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``). When BIND is
- built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
- defaults to the path of the PKCS#11 provider library specified via
- ``--with-pkcs11``.
+ hardware service module (usually ``pkcs11``).
``-l label``
This option specifies the label for a key pair in the crypto hardware.
preceded by an optional OpenSSL engine name, followed by a colon, as
in ``pkcs11:keylabel``.
- When BIND 9 is built with native PKCS#11 support, the label is a
- PKCS#11 URI string in the format
- ``pkcs11:keyword\ =value[;\ keyword\ =value;...]``. Keywords
- include ``token``, which identifies the HSM; ``object``, which identifies
- the key; and ``pin-source``, which identifies a file from which the
- HSM's PIN code can be obtained. The label is stored in the
- on-disk ``private`` file.
-
- If the label contains a ``pin-source`` field, tools using the
- generated key files are able to use the HSM for signing and other
- operations without any need for an operator to manually enter a PIN.
- Note: Making the HSM's PIN accessible in this manner may reduce the
- security advantage of using an HSM; use caution
- with this feature.
-
``-n nametype``
This option specifies the owner type of the key. The value of ``nametype`` must
either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/kasp.h>
#include <isccfg/kaspconf.h>
#include <isccfg/namedconf.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#include "dnssectool.h"
#define MAX_RSA 4096 /* should be long enough... */
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
fprintf(stderr, " -E <engine>:\n");
-#if USE_PKCS11
- fprintf(stderr,
- " path to PKCS#11 provider library "
- "(default is %s)\n",
- PK11_LIB_LOCATION);
-#else /* if USE_PKCS11 */
fprintf(stderr, " name of an OpenSSL engine to use\n");
-#endif /* if USE_PKCS11 */
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
fprintf(stderr, " -g <generator>: use specified generator "
"(DH only)\n");
usage();
}
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``). When BIND is
- built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
- defaults to the path of the PKCS#11 provider library specified via
- ``--with-pkcs11``.
+ hardware service module (usually ``pkcs11``).
``-f flag``
This option sets the specified flag in the flag field of the KEY/DNSKEY record.
#include <dst/dst.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#include "dnssectool.h"
const char *program = "dnssec-revoke";
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
-#if USE_PKCS11
- fprintf(stderr,
- " -E engine: specify PKCS#11 provider "
- "(default: %s)\n",
- PK11_LIB_LOCATION);
-#else /* if USE_PKCS11 */
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
-#endif /* if USE_PKCS11 */
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, " -K directory: use directory for key files\n");
isc_mem_create(&mctx);
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``). When BIND is
- built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
- defaults to the path of the PKCS#11 provider library specified via
- ``--with-pkcs11``.
+ hardware service module (usually ``pkcs11``).
``-f``
This option indicates a forced overwrite and causes ``dnssec-revoke`` to write the new key pair,
#include <dst/dst.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#include "dnssectool.h"
const char *program = "dnssec-settime";
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "General options:\n");
-#if USE_PKCS11
- fprintf(stderr,
- " -E engine: specify PKCS#11 provider "
- "(default: %s)\n",
- PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
- fprintf(stderr, " -E engine: specify OpenSSL engine "
- "(default \"pkcs11\")\n");
-#else /* if USE_PKCS11 */
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
-#endif /* if USE_PKCS11 */
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
setup_logging(mctx, &log);
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``). When BIND is
- built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
- defaults to the path of the PKCS#11 provider library specified via
- ``--with-pkcs11``.
+ hardware service module (usually ``pkcs11``).
Timing Options
~~~~~~~~~~~~~~
#include <dst/dst.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#include "dnssectool.h"
const char *program = "dnssec-signzone";
fprintf(stderr, "verify generated signatures\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
-#if USE_PKCS11
- fprintf(stderr,
- "\t\tpath to PKCS#11 provider library "
- "(default is %s)\n",
- PK11_LIB_LOCATION);
-#else /* if USE_PKCS11 */
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
-#endif /* if USE_PKCS11 */
fprintf(stderr, "\t-P:\t");
fprintf(stderr, "disable post-sign verification\n");
fprintf(stderr, "\t-Q:\t");
isc_mem_create(&mctx);
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``). When BIND is
- built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
- defaults to the path of the PKCS#11 provider library specified via
- ``--with-pkcs11``.
+ hardware service module (usually ``pkcs11``).
``-g``
This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``
#include <dst/dst.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
-
#include "dnssectool.h"
const char *program = "dnssec-verify";
fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
-#if USE_PKCS11
- fprintf(stderr,
- "\t\tpath to PKCS#11 provider library "
- "(default is %s)\n",
- PK11_LIB_LOCATION);
-#else /* if USE_PKCS11 */
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
-#endif /* if USE_PKCS11 */
fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
"not ZSKs\n");
fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
isc_mem_create(&mctx);
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``). When BIND is
- built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
- defaults to the path of the PKCS#11 provider library specified via
- ``--with-pkcs11``.
+ hardware service module (usually ``pkcs11``).
``-I input-format``
This option sets the format of the input zone file. Possible formats are ``text``
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dst/result.h>
#include <isccc/result.h>
-#if USE_PKCS11
-#include <pk11/result.h>
-#endif /* if USE_PKCS11 */
#include <dlz/dlz_dlopen_driver.h>
dns_result_register();
dst_result_register();
isccc_result_register();
-#if USE_PKCS11
- pk11_result_register();
-#endif /* if USE_PKCS11 */
parse_command_line(argc, argv);
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``). When BIND is
- built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
- defaults to the path of the PKCS#11 provider library specified via
- ``--with-pkcs11``.
+ hardware service module (usually ``pkcs11``).
``-f``
This option runs the server in the foreground (i.e., do not daemonize).
#include <isc/types.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/callbacks.h>
#include <dns/dispatch.h>
#include <dns/dnssec.h>
+++ /dev/null
-pkcs11-destroy
-pkcs11-keygen
-pkcs11-list
-pkcs11-tokens
+++ /dev/null
-include $(top_srcdir)/Makefile.top
-
-AM_CPPFLAGS += \
- $(LIBISC_CFLAGS)
-
-LDADD += \
- $(LIBISC_LIBS)
-
-bin_PROGRAMS = \
- pkcs11-list \
- pkcs11-destroy \
- pkcs11-keygen \
- pkcs11-tokens
+++ /dev/null
-/*
- * Copyright (C) 2009, 2015 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Portions copyright (c) 2008 Nominet UK. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label]
- * [-p $pin] [ -w $wait ]
- */
-
-/*! \file */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-
-#include <isc/commandline.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/types.h>
-
-#include <pk11/pk11.h>
-#include <pk11/result.h>
-
-int
-main(int argc, char *argv[]) {
- isc_result_t result;
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_BYTE attr_id[2];
- CK_OBJECT_HANDLE akey[50];
- pk11_context_t pctx;
- char *lib_name = NULL;
- char *label = NULL;
- char *pin = NULL;
- int error = 0;
- unsigned int id = 0, i = 0, wait = 5;
- int c, errflg = 0;
- CK_ULONG ulObjectCount;
- CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id,
- sizeof(attr_id) } };
- unsigned int j, len;
-
- while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:w:")) != -1) {
- switch (c) {
- case 'm':
- lib_name = isc_commandline_argument;
- break;
- case 's':
- slot = atoi(isc_commandline_argument);
- break;
- case 'i':
- id = atoi(isc_commandline_argument);
- id &= 0xffff;
- break;
- case 'l':
- label = isc_commandline_argument;
- break;
- case 'p':
- pin = isc_commandline_argument;
- break;
- case 'w':
- wait = atoi(isc_commandline_argument);
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n",
- isc_commandline_option);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n",
- isc_commandline_option);
- errflg++;
- }
- }
-
- if (errflg || (id && (label != NULL))) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] "
- "{-i id | -l label} [-p pin] [-w waittime]\n");
- exit(1);
- }
-
- if (id) {
- attr_id[0] = (id >> 8) & 0xff;
- attr_id[1] = id & 0xff;
- } else if (label) {
- search_template[0].type = CKA_LABEL;
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen(label);
- }
-
- pk11_result_register();
-
- /* Initialize the CRYPTOKI library */
- if (lib_name != NULL) {
- pk11_set_lib_name(lib_name);
- }
-
- if (pin == NULL) {
- pin = getpass("Enter Pin: ");
- }
-
- result = pk11_get_session(&pctx, OP_ANY, false, true, true,
- (const char *)pin, slot);
- if (result == PK11_R_NORANDOMSERVICE ||
- result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
- {
- fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
- fprintf(stderr, "This HSM will not work with BIND 9 "
- "using native PKCS#11.\n");
- } else if (result != ISC_R_SUCCESS) {
- fprintf(stderr,
- "Unrecoverable error initializing "
- "PKCS#11: %s\n",
- isc_result_totext(result));
- exit(1);
- }
-
- memset(pin, 0, strlen(pin));
-
- hSession = pctx.session;
-
- rv = pkcs_C_FindObjectsInit(hSession, search_template,
- ((id != 0) || (label != NULL)) ? 1 : 0);
-
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_session;
- }
-
- rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_search;
- }
-
- if (ulObjectCount == 0) {
- printf("No matching key objects found.\n");
- goto exit_search;
- } else {
- printf("Key object%s found:\n", ulObjectCount > 1 ? "s" : "");
- }
-
- for (i = 0; i < ulObjectCount; i++) {
- CK_OBJECT_CLASS oclass = 0;
- CK_BYTE labelbuf[64 + 1];
- CK_BYTE idbuf[64];
- CK_ATTRIBUTE attr_template[] = {
- { CKA_CLASS, &oclass, sizeof(oclass) },
- { CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 },
- { CKA_ID, idbuf, sizeof(idbuf) }
- };
-
- memset(labelbuf, 0, sizeof(labelbuf));
- memset(idbuf, 0, sizeof(idbuf));
-
- rv = pkcs_C_GetAttributeValue(hSession, akey[i], attr_template,
- 3);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_GetAttributeValue[%u]: rv = 0x%.8lX\n", i,
- rv);
- error = 1;
- goto exit_search;
- }
- len = attr_template[2].ulValueLen;
- printf(" object[%u]: class %lu, label '%s', id[%lu] ", i,
- oclass, labelbuf, attr_template[2].ulValueLen);
- if (len > 4) {
- len = 4;
- }
- if (len > 0) {
- printf("0x");
- }
- for (j = 0; j < len; j++)
- printf("%02x", idbuf[j]);
- if (attr_template[2].ulValueLen > len) {
- printf("...\n");
- } else {
- printf("\n");
- }
- }
-
- if (wait != 0) {
- printf("WARNING: This action is irreversible! "
- "Destroying key objects in %u seconds\n ",
- wait);
- for (i = 0; i < wait; i++) {
- printf(".");
- fflush(stdout);
- sleep(1);
- }
- printf("\n");
- }
-
- for (i = 0; i < ulObjectCount; i++) {
- rv = pkcs_C_DestroyObject(hSession, akey[i]);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_DestroyObject[%u] failed: rv = 0x%.8lX\n", i,
- rv);
- error = 1;
- }
- }
-
- if (error == 0) {
- printf("Destruction complete.\n");
- }
-
-exit_search:
- rv = pkcs_C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
- error = 1;
- }
-
-exit_session:
- pk11_return_session(&pctx);
- (void)pk11_finalize();
-
- exit(error);
-}
+++ /dev/null
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_pkcs11-destroy:
-
-pkcs11-destroy - destroy PKCS#11 objects
-
-Synopsis
-~~~~~~~~
-
-:program:`pkcs11-destroy` [**-m** module] [**-s** slot] [**-i** ID] [**-l** label] [**-p** PIN] [**-w** seconds]
-
-Description
-~~~~~~~~~~~
-
-``pkcs11-destroy`` destroys keys stored in a PKCS#11 device, identified
-by their ``ID`` or ``label``.
-
-Matching keys are displayed before being destroyed. By default, there is
-a five-second delay to allow the user to interrupt the process before
-the destruction takes place.
-
-Options
-~~~~~~~
-
-``-m module``
- This option specifies the PKCS#11 provider module. This must be the full path to a
- shared library object implementing the PKCS#11 API for the device.
-
-``-s slot``
- This option opens the session with the given PKCS#11 slot. The default is slot 0.
-
-``-i ID``
- This option destroys keys with the given object ID.
-
-``-l label``
- This option destroys keys with the given label.
-
-``-p PIN``
- This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command
- line, ``pkcs11-destroy`` prompts for it.
-
-``-w seconds``
- This option specifies how long, in seconds, to pause before carrying out key destruction. The
- default is 5 seconds. If set to ``0``, destruction is
- immediate.
-
-See Also
-~~~~~~~~
-
-:manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`
+++ /dev/null
-/*
- * Copyright (C) 2009, 2012, 2015 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Portions copyright (c) 2008 Nominet UK. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* pkcs11-keygen - PKCS#11 key generator
- *
- * Create a key in the keystore of an HSM
- *
- * The calculation of key tag is left to the script
- * that converts the key into a DNSKEY RR and inserts
- * it into a zone file.
- *
- * usage:
- * pkcs11-keygen [-P] [-m module] [-s slot] [-e] [-b keysize]
- * [-i id] [-p pin] -l label
- *
- */
-
-/*! \file */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-
-#include <isc/commandline.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <pk11/constants.h>
-#include <pk11/pk11.h>
-#include <pk11/result.h>
-
-/* Define static key template values */
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-/* Static arrays of data used for key template initialization */
-static CK_BYTE pk11_ecc_prime256v1[] = PK11_ECC_PRIME256V1;
-static CK_BYTE pk11_ecc_secp384r1[] = PK11_ECC_SECP384R1;
-static CK_BYTE pk11_ecx_ed25519[] = PK11_ECX_ED25519;
-static CK_BYTE pk11_ecx_ed448[] = PK11_ECX_ED448;
-
-/* Key class: RSA, ECC, ECX, or unknown */
-typedef enum { key_unknown, key_rsa, key_ecc, key_ecx } key_class_t;
-
-/*
- * Private key template
- */
-#define PRIVATE_LABEL 0
-#define PRIVATE_SIGN 1
-#define PRIVATE_TOKEN 2
-#define PRIVATE_PRIVATE 3
-#define PRIVATE_SENSITIVE 4
-#define PRIVATE_EXTRACTABLE 5
-#define PRIVATE_ID 6
-#define PRIVATE_ATTRS 7
-static CK_ATTRIBUTE private_template[] = {
- { CKA_LABEL, NULL_PTR, 0 },
- { CKA_SIGN, &truevalue, sizeof(truevalue) },
- { CKA_TOKEN, &truevalue, sizeof(truevalue) },
- { CKA_PRIVATE, &truevalue, sizeof(truevalue) },
- { CKA_SENSITIVE, &truevalue, sizeof(truevalue) },
- { CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue) },
- { CKA_ID, NULL_PTR, 0 }
-};
-
-/*
- * Public key template for RSA keys
- */
-#define RSA_LABEL 0
-#define RSA_VERIFY 1
-#define RSA_TOKEN 2
-#define RSA_PRIVATE 3
-#define RSA_MODULUS_BITS 4
-#define RSA_PUBLIC_EXPONENT 5
-#define RSA_ID 6
-#define RSA_ATTRS 7
-static CK_ATTRIBUTE rsa_template[] = {
- { CKA_LABEL, NULL_PTR, 0 },
- { CKA_VERIFY, &truevalue, sizeof(truevalue) },
- { CKA_TOKEN, &truevalue, sizeof(truevalue) },
- { CKA_PRIVATE, &falsevalue, sizeof(falsevalue) },
- { CKA_MODULUS_BITS, NULL_PTR, 0 },
- { CKA_PUBLIC_EXPONENT, NULL_PTR, 0 },
- { CKA_ID, NULL_PTR, 0 }
-};
-
-/*
- * Public key template for ECC/ECX keys
- */
-#define ECC_LABEL 0
-#define ECC_VERIFY 1
-#define ECC_TOKEN 2
-#define ECC_PRIVATE 3
-#define ECC_PARAMS 4
-#define ECC_ID 5
-#define ECC_ATTRS 6
-static CK_ATTRIBUTE ecc_template[] = {
- { CKA_LABEL, NULL_PTR, 0 },
- { CKA_VERIFY, &truevalue, sizeof(truevalue) },
- { CKA_TOKEN, &truevalue, sizeof(truevalue) },
- { CKA_PRIVATE, &falsevalue, sizeof(falsevalue) },
- { CKA_EC_PARAMS, NULL_PTR, 0 },
- { CKA_ID, NULL_PTR, 0 }
-};
-
-/*
- * Convert from text to key class. Accepts the names of DNSSEC
- * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
- * NSEC3RSASHA1 maps to RSA.
- */
-static key_class_t
-keyclass_fromtext(const char *name) {
- if (name == NULL) {
- return (key_unknown);
- }
-
- if (strncasecmp(name, "rsa", 3) == 0 ||
- strncasecmp(name, "nsec3rsa", 8) == 0) {
- return (key_rsa);
- } else if (strncasecmp(name, "ecc", 3) == 0 ||
- strncasecmp(name, "ecdsa", 5) == 0)
- {
- return (key_ecc);
- } else if (strncasecmp(name, "ecx", 3) == 0 ||
- strncasecmp(name, "ed", 2) == 0) {
- return (key_ecx);
- } else {
- return (key_unknown);
- }
-}
-
-static void
-usage(void) {
- fprintf(stderr, "Usage:\n"
- "\tpkcs11-keygen -a algorithm -b keysize -l label\n"
- "\t [-P] [-m module] "
- "[-s slot] [-e] [-S] [-i id] [-p PIN]\n");
- exit(2);
-}
-
-int
-main(int argc, char *argv[]) {
- isc_result_t result;
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_MECHANISM mech;
- CK_SESSION_HANDLE hSession;
- char *lib_name = NULL;
- char *pin = NULL;
- CK_ULONG bits = 0;
- CK_CHAR *label = NULL;
- CK_OBJECT_HANDLE privatekey, publickey;
- CK_BYTE exponent[5];
- CK_ULONG expsize = 0;
- pk11_context_t pctx;
- int error = 0;
- int c, errflg = 0;
- int hide = 1, quiet = 0;
- int idlen = 0, id_offset = 0;
- unsigned long id = 0;
- CK_BYTE idbuf[4];
- CK_ULONG ulObjectCount;
- CK_ATTRIBUTE search_template[] = { { CKA_LABEL, NULL_PTR, 0 } };
- CK_ATTRIBUTE *public_template = NULL;
- CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS;
- key_class_t keyclass = key_rsa;
- pk11_optype_t op_type = OP_ANY;
-
-#define OPTIONS ":a:b:ei:l:m:Pp:qSs:"
- while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
- switch (c) {
- case 'a':
- keyclass = keyclass_fromtext(isc_commandline_argument);
- break;
- case 'P':
- hide = 0;
- break;
- case 'm':
- lib_name = isc_commandline_argument;
- break;
- case 's':
- slot = atoi(isc_commandline_argument);
- break;
- case 'e':
- expsize = 5;
- break;
- case 'b':
- bits = atoi(isc_commandline_argument);
- break;
- case 'l':
- /* -l option is retained for backward compatibility * */
- label = (CK_CHAR *)isc_commandline_argument;
- break;
- case 'i':
- id = strtoul(isc_commandline_argument, NULL, 0);
- idlen = 4;
- break;
- case 'p':
- pin = isc_commandline_argument;
- break;
- case 'q':
- quiet = 1;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n",
- isc_commandline_option);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n",
- isc_commandline_option);
- errflg++;
- }
- }
-
- if (label == NULL && isc_commandline_index < argc) {
- label = (CK_CHAR *)argv[isc_commandline_index];
- }
-
- if (errflg || (label == NULL)) {
- usage();
- }
-
- if (expsize != 0 && keyclass != key_rsa) {
- fprintf(stderr, "The -e option is only compatible "
- "with RSA key generation\n");
- exit(2);
- }
-
- switch (keyclass) {
- case key_rsa:
- op_type = OP_RSA;
- if (expsize == 0) {
- expsize = 3;
- }
- if (bits == 0) {
- usage();
- }
-
- mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
- mech.pParameter = NULL;
- mech.ulParameterLen = 0;
-
- public_template = rsa_template;
- public_attrcnt = RSA_ATTRS;
- id_offset = RSA_ID;
-
- /* Set public exponent to F4 or F5 */
- exponent[0] = 0x01;
- exponent[1] = 0x00;
- if (expsize == 3) {
- exponent[2] = 0x01;
- } else {
- exponent[2] = 0x00;
- exponent[3] = 0x00;
- exponent[4] = 0x01;
- }
-
- public_template[RSA_MODULUS_BITS].pValue = &bits;
- public_template[RSA_MODULUS_BITS].ulValueLen = sizeof(bits);
- public_template[RSA_PUBLIC_EXPONENT].pValue = &exponent;
- public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
- break;
- case key_ecc:
- op_type = OP_ECDSA;
- if (bits == 0) {
- bits = 256;
- } else if (bits != 256 && bits != 384) {
- fprintf(stderr, "ECC keys only support bit sizes of "
- "256 and 384\n");
- exit(2);
- }
-
- mech.mechanism = CKM_EC_KEY_PAIR_GEN;
- mech.pParameter = NULL;
- mech.ulParameterLen = 0;
-
- public_template = ecc_template;
- public_attrcnt = ECC_ATTRS;
- id_offset = ECC_ID;
-
- if (bits == 256) {
- public_template[4].pValue = pk11_ecc_prime256v1;
- public_template[4].ulValueLen =
- sizeof(pk11_ecc_prime256v1);
- } else {
- public_template[4].pValue = pk11_ecc_secp384r1;
- public_template[4].ulValueLen =
- sizeof(pk11_ecc_secp384r1);
- }
-
- break;
- case key_ecx:
- op_type = OP_EDDSA;
- if (bits == 0) {
- bits = 256;
- } else if (bits != 256 && bits != 456) {
- fprintf(stderr, "ECX keys only support bit sizes of "
- "256 and 456\n");
- exit(2);
- }
-
- mech.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN;
- mech.pParameter = NULL;
- mech.ulParameterLen = 0;
-
- public_template = ecc_template;
- public_attrcnt = ECC_ATTRS;
- id_offset = ECC_ID;
-
- if (bits == 256) {
- public_template[4].pValue = pk11_ecx_ed25519;
- public_template[4].ulValueLen =
- sizeof(pk11_ecx_ed25519);
- } else {
- public_template[4].pValue = pk11_ecx_ed448;
- public_template[4].ulValueLen = sizeof(pk11_ecx_ed448);
- }
-
- break;
- case key_unknown:
- usage();
- }
-
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen((char *)label);
- public_template[0].pValue = label;
- public_template[0].ulValueLen = strlen((char *)label);
- private_template[0].pValue = label;
- private_template[0].ulValueLen = strlen((char *)label);
-
- if (idlen == 0) {
- public_attrcnt--;
- private_attrcnt--;
- } else {
- if (id <= 0xffff) {
- idlen = 2;
- idbuf[0] = (CK_BYTE)(id >> 8);
- idbuf[1] = (CK_BYTE)id;
- } else {
- idbuf[0] = (CK_BYTE)(id >> 24);
- idbuf[1] = (CK_BYTE)(id >> 16);
- idbuf[2] = (CK_BYTE)(id >> 8);
- idbuf[3] = (CK_BYTE)id;
- }
-
- public_template[id_offset].pValue = idbuf;
- public_template[id_offset].ulValueLen = idlen;
- private_template[PRIVATE_ID].pValue = idbuf;
- private_template[PRIVATE_ID].ulValueLen = idlen;
- }
-
- pk11_result_register();
-
- /* Initialize the CRYPTOKI library */
- if (lib_name != NULL) {
- pk11_set_lib_name(lib_name);
- }
-
- if (pin == NULL) {
- pin = getpass("Enter Pin: ");
- }
-
- result = pk11_get_session(&pctx, op_type, false, true, true,
- (const char *)pin, slot);
- if (result == PK11_R_NORANDOMSERVICE ||
- result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
- {
- fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
- fprintf(stderr, "This HSM will not work with BIND 9 "
- "using native PKCS#11.\n");
- } else if (result != ISC_R_SUCCESS) {
- fprintf(stderr,
- "Unrecoverable error initializing "
- "PKCS#11: %s\n",
- isc_result_totext(result));
- exit(1);
- }
-
- memset(pin, 0, strlen(pin));
-
- hSession = pctx.session;
-
- /* check if a key with the same id already exists */
- rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_session;
- }
- rv = pkcs_C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_search;
- }
- if (ulObjectCount != 0) {
- fprintf(stderr, "Key already exists.\n");
- error = 1;
- goto exit_search;
- }
-
- /* Set attributes if the key is not to be hidden */
- if (!hide) {
- private_template[4].pValue = &falsevalue;
- private_template[5].pValue = &truevalue;
- }
-
- /* Generate Key pair for signing/verifying */
- rv = pkcs_C_GenerateKeyPair(hSession, &mech, public_template,
- public_attrcnt, private_template,
- private_attrcnt, &publickey, &privatekey);
-
- if (rv != CKR_OK) {
- fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
- error = 1;
- } else if (!quiet) {
- printf("Key pair generation complete.\n");
- }
-
-exit_search:
- rv = pkcs_C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
- error = 1;
- }
-
-exit_session:
- pk11_return_session(&pctx);
- (void)pk11_finalize();
-
- exit(error);
-}
+++ /dev/null
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_pkcs11-keygen:
-
-pkcs11-keygen - generate keys on a PKCS#11 device
--------------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`pkcs11-keygen` [**-a** algorithm] [**-b** keysize] [**-e**] [**-i** id] [**-m** module] [**-P**] [**-p** PIN] [**-q**] [**-S**] [**-s** slot] label
-
-Description
-~~~~~~~~~~~
-
-``pkcs11-keygen`` causes a PKCS#11 device to generate a new key pair
-with the given ``label`` (which must be unique) and with ``keysize``
-bits of prime.
-
-Options
-~~~~~~~
-
-``-a algorithm``
- This option specifies the key algorithm class: supported classes are RSA, DSA, DH,
- ECC, and ECX. In addition to these strings, the ``algorithm`` can be
- specified as a DNSSEC signing algorithm to be used with this
- key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to
- ECC, and ED25519 to ECX. The default class is ``RSA``.
-
-``-b keysize``
- This option creates the key pair with ``keysize`` bits of prime. For ECC keys, the
- only valid values are 256 and 384, and the default is 256. For ECX
- keys, the only valid values are 256 and 456, and the default is 256.
-
-``-e``
- For RSA keys only, this option specifies use of a large exponent.
-
-``-i id``
- This option creates key objects with ``id``. The ID is either an unsigned short 2-byte
- or an unsigned long 4-byte number.
-
-``-m module``
- This option specifies the PKCS#11 provider module. This must be the full path to a
- shared library object implementing the PKCS#11 API for the device.
-
-``-P``
- This option sets the new private key to be non-sensitive and extractable, and
- allows the private key data to be read from the PKCS#11 device. The
- default is for private keys to be sensitive and non-extractable.
-
-``-p PIN``
- This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command
- line, ``pkcs11-keygen`` prompts for it.
-
-``-q``
- This option sets quiet mode, which suppresses unnecessary output.
-
-``-S``
- For Diffie-Hellman (DH) keys only, this option specifies use of a special prime of 768-, 1024-,
- or 1536-bit size and base (AKA generator) 2. If not specified, bit
- size defaults to 1024.
-
-``-s slot``
- This option opens the session with the given PKCS#11 slot. The default is slot 0.
-
-See Also
-~~~~~~~~
-
-:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`, :manpage:`dnssec-keyfromlabel(8)`
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*
- * Portions copyright (c) 2008 Nominet UK. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* pkcs11-list [-P] [-m module] [-s slot] [-i $id | -l $label] [-p $pin] */
-
-/*! \file */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-
-#include <isc/commandline.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/types.h>
-
-#include <pk11/pk11.h>
-#include <pk11/result.h>
-
-int
-main(int argc, char *argv[]) {
- isc_result_t result;
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_BYTE attr_id[2];
- CK_OBJECT_HANDLE akey[50];
- pk11_context_t pctx;
- char *lib_name = NULL;
- char *label = NULL;
- char *pin = NULL;
- bool error = false, logon = true, all = false;
- unsigned int i = 0, id = 0;
- int c, errflg = 0;
- CK_ULONG ulObjectCount;
- CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id,
- sizeof(attr_id) } };
-
- while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:P")) != -1) {
- switch (c) {
- case 'P':
- logon = false;
- break;
- case 'm':
- lib_name = isc_commandline_argument;
- break;
- case 's':
- slot = atoi(isc_commandline_argument);
- break;
- case 'i':
- id = atoi(isc_commandline_argument);
- id &= 0xffff;
- break;
- case 'l':
- label = isc_commandline_argument;
- break;
- case 'p':
- pin = isc_commandline_argument;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n",
- isc_commandline_option);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n",
- isc_commandline_option);
- errflg++;
- }
- }
-
- if (errflg) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr, "\tpkcs11-list [-P] [-m module] [-s slot] "
- "[-i id | -l label] [-p pin]\n");
- exit(1);
- }
-
- if (!id && (label == NULL)) {
- all = true;
- }
-
- if (slot) {
- printf("slot %lu\n", slot);
- }
-
- if (id) {
- printf("id %u\n", id);
- attr_id[0] = (id >> 8) & 0xff;
- attr_id[1] = id & 0xff;
- } else if (label != NULL) {
- printf("label %s\n", label);
- search_template[0].type = CKA_LABEL;
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen(label);
- }
-
- pk11_result_register();
-
- /* Initialize the CRYPTOKI library */
- if (lib_name != NULL) {
- pk11_set_lib_name(lib_name);
- }
-
- if (logon && pin == NULL) {
- pin = getpass("Enter Pin: ");
- }
-
- result = pk11_get_session(&pctx, OP_ANY, false, false, logon, pin,
- slot);
- if (result == PK11_R_NORANDOMSERVICE ||
- result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
- {
- fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
- fprintf(stderr, "This HSM will not work with BIND 9 "
- "using native PKCS#11.\n");
- } else if (result != ISC_R_SUCCESS) {
- fprintf(stderr,
- "Unrecoverable error initializing "
- "PKCS#11: %s\n",
- isc_result_totext(result));
- fprintf(stderr,
- "Unrecoverable error initializing "
- "PKCS#11: %s\n",
- isc_result_totext(result));
- exit(1);
- }
-
- if (pin != NULL) {
- memset(pin, 0, strlen(pin));
- }
-
- hSession = pctx.session;
-
- rv = pkcs_C_FindObjectsInit(hSession, search_template, all ? 0 : 1);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_session;
- }
-
- ulObjectCount = 1;
- while (ulObjectCount) {
- rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_search;
- }
- for (i = 0; i < ulObjectCount; i++) {
- unsigned int j, len;
-
- CK_OBJECT_CLASS oclass = 0;
- CK_BYTE labelbuf[64 + 1];
- CK_BYTE idbuf[64];
- CK_BBOOL extract = TRUE;
- CK_BBOOL never = FALSE;
- CK_ATTRIBUTE template[] = {
- { CKA_CLASS, &oclass, sizeof(oclass) },
- { CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 },
- { CKA_ID, idbuf, sizeof(idbuf) }
- };
- CK_ATTRIBUTE priv_template[] = {
- { CKA_EXTRACTABLE, &extract, sizeof(extract) },
- { CKA_NEVER_EXTRACTABLE, &never, sizeof(never) }
- };
-
- memset(labelbuf, 0, sizeof(labelbuf));
- memset(idbuf, 0, sizeof(idbuf));
-
- rv = pkcs_C_GetAttributeValue(hSession, akey[i],
- template, 3);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_GetAttributeValue[%u]: "
- "rv = 0x%.8lX\n",
- i, rv);
- if (rv == CKR_BUFFER_TOO_SMALL) {
- fprintf(stderr,
- "%u too small: %lu %lu %lu\n",
- i, template[0].ulValueLen,
- template[1].ulValueLen,
- template[2].ulValueLen);
- }
- error = 1;
- continue;
- }
-
- len = template[2].ulValueLen;
- printf("object[%u]: handle %lu class %lu "
- "label[%lu] '%s' id[%lu] ",
- i, akey[i], oclass, template[1].ulValueLen,
- labelbuf, template[2].ulValueLen);
- if (len == 2) {
- id = (idbuf[0] << 8) & 0xff00;
- id |= idbuf[1] & 0xff;
- printf("%u", id);
- } else {
- if (len > 8) {
- len = 8;
- }
- if (len > 0) {
- printf("0x");
- }
- for (j = 0; j < len; j++)
- printf("%02x", idbuf[j]);
- if (template[2].ulValueLen > len) {
- printf("...");
- }
- }
- if ((oclass == CKO_PRIVATE_KEY ||
- oclass == CKO_SECRET_KEY) &&
- pkcs_C_GetAttributeValue(hSession, akey[i],
- priv_template,
- 2) == CKR_OK)
- {
- printf(" E:%s",
- extract ? "true"
- : (never ? "never" : "false"));
- }
- printf("\n");
- }
- }
-
-exit_search:
- rv = pkcs_C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
- error = 1;
- }
-
-exit_session:
- pk11_return_session(&pctx);
- (void)pk11_finalize();
-
- exit(error);
-}
+++ /dev/null
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_pkcs11-list:
-
-pkcs11-list - list PKCS#11 objects
-----------------------------------
-
-:program:`pkcs11-list` [**-P**] [**-m** module] [**-s** slot] [**-i** ID **] [-l** label] [**-p** PIN]
-
-Description
-~~~~~~~~~~~
-
-``pkcs11-list`` lists the PKCS#11 objects with ``ID`` or ``label`` or, by
-default, all objects. The object class, label, and ID are displayed for
-all keys. For private or secret keys, the extractability attribute is
-also displayed, as either ``true``, ``false``, or ``never``.
-
-Options
-~~~~~~~
-
-``-P``
- This option lists only the public objects. (Note that on some PKCS#11 devices, all
- objects are private.)
-
-``-m module``
- This option specifies the PKCS#11 provider module. This must be the full path to a
- shared library object implementing the PKCS#11 API for the device.
-
-``-s slot``
- This option opens the session with the given PKCS#11 slot. The default is slot 0.
-
-``-i ID``
- This option lists only key objects with the given object ID.
-
-``-l label``
- This option lists only key objects with the given label.
-
-``-p PIN``
- This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command
- line, ``pkcs11-list`` prompts for it.
-
-See Also
-~~~~~~~~
-
-:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-tokens(8)`
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/* pkcs11-tokens [-m module] */
-
-/*! \file */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-
-#include <isc/commandline.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/types.h>
-
-#include <pk11/pk11.h>
-#include <pk11/result.h>
-
-int
-main(int argc, char *argv[]) {
- isc_result_t result;
- char *lib_name = NULL;
- int c, errflg = 0;
- isc_mem_t *mctx = NULL;
- pk11_context_t pctx;
-
- while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) {
- switch (c) {
- case 'm':
- lib_name = isc_commandline_argument;
- break;
- case 'v':
- pk11_verbose_init = true;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n",
- isc_commandline_option);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n",
- isc_commandline_option);
- errflg++;
- }
- }
-
- if (errflg) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr, "\tpkcs11-tokens [-v] [-m module]\n");
- exit(1);
- }
-
- isc_mem_create(&mctx);
-
- pk11_result_register();
-
- /* Initialize the CRYPTOKI library */
- if (lib_name != NULL) {
- pk11_set_lib_name(lib_name);
- }
-
- result = pk11_get_session(&pctx, OP_ANY, true, false, false, NULL, 0);
- if (result == PK11_R_NORANDOMSERVICE ||
- result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
- {
- fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
- fprintf(stderr, "This HSM will not work with BIND 9 "
- "using native PKCS#11.\n\n");
- } else if ((result != ISC_R_SUCCESS) && (result != ISC_R_NOTFOUND)) {
- fprintf(stderr,
- "Unrecoverable error initializing "
- "PKCS#11: %s\n",
- isc_result_totext(result));
- exit(1);
- }
-
- pk11_dump_tokens();
-
- if (pctx.handle != NULL) {
- pk11_return_session(&pctx);
- }
- (void)pk11_finalize();
-
- isc_mem_destroy(&mctx);
-
- exit(0);
-}
+++ /dev/null
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-
-.. highlight: console
-
-.. _man_pkcs11-tokens:
-
-pkcs11-tokens - list PKCS#11 available tokens
----------------------------------------------
-
-Synopsis
-~~~~~~~~
-
-:program:`pkcs11-tokens` [**-m** module] [**-v**]
-
-Description
-~~~~~~~~~~~
-
-``pkcs11-tokens`` lists the PKCS#11 available tokens with defaults from
-the slot/token scan performed at application initialization.
-
-Options
-~~~~~~~
-
-``-m module``
- This option specifies the PKCS#11 provider module. This must be the full path to a
- shared library object implementing the PKCS#11 API for the device.
-
-``-v``
- This option makes the PKCS#11 libisc initialization verbose.
-
-See Also
-~~~~~~~~
-
-:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`
#include <isc/thread.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/name.h>
#include <isccc/alist.h>
endif HAVE_PYTHON
-if HAVE_PKCS11
-TESTS += pkcs11
-endif
-
else !HAVE_PERL
check:
echo Perl is not available, no tests were ran
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ./conf.sh
-
-[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] && $PK11DEL -w0 > /dev/null 2>&1
export NZD2NZF
export PERL
export PIPEQUERIES
-export PK11DEL
-export PK11GEN
-export PK11LIST
export PSSUSPEND
export PYTHON
export RESOLVE
NSLOOKUP=$TOP_BUILDDIR/bin/dig/nslookup
NSUPDATE=$TOP_BUILDDIR/bin/nsupdate/nsupdate
NZD2NZF=$TOP_BUILDDIR/bin/tools/named-nzd2nzf
-PK11DEL="$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
-PK11GEN="$TOP_BUILDDIR/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
-PK11LIST="$TOP_BUILDDIR/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
RESOLVE=$TOP_BUILDDIR/bin/tests/system/resolve
REVOKE=$TOP_BUILDDIR/bin/dnssec/dnssec-revoke
RNDC=$TOP_BUILDDIR/bin/rndc/rndc
#
# Construct the lists of tests to run
#
-SEQUENTIAL_UNIX="@PKCS11_TEST@"
+SEQUENTIAL_UNIX=""
SEQUENTIALDIRS="$SEQUENTIAL_COMMON $SEQUENTIAL_UNIX"
PARALLEL_UNIX="@DNSTAP@
;;
15|16)
key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true)
- # Soft-fail in case HSM doesn't support Edwards curves
- if grep "not found" "keygen-$alg.err" > /dev/null && [ "$CRYPTO" = "pkcs11" ]; then
- echo_i "Algorithm $alg not supported by HSM: skipping"
- alg=$((alg+1))
- continue
- fi
;;
*)
key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true)
+++ /dev/null
-edda 2800 0001 0000 0001 0000 0972 7361
-7368 6132 3536 0765 7861 6d70 6c65 0000
-0600 01c0 0c00 3000 0100 0001 2c01 0801
-0003 0803 0100 0100 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 00
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
-rm -f dig.out* pin upd.log* upd.cmd* pkcs11-list.out*
-rm -f ns1/*.ksk ns1/*.zsk ns1/named.memstats
-rm -f supported
-rm -f ns*/named.run ns*/named.lock ns*/named.conf
-rm -f ns*/managed-keys.bind*
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300 ; 5 minutes
-@ IN SOA ns root (
- 2000082401 ; serial
- 1800 ; refresh (30 minutes)
- 1800 ; retry (30 minutes)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
- NS ns
-ns A 10.53.0.1
-
-txt TXT "recursed"
-
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-controls { /* empty */ };
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- dnssec-validation no;
- notify no;
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
-
-controls {
- inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -eu
-
-# shellcheck source=conf.sh
-. ../conf.sh
-
-echo_i "Generating keys for Native PKCS#11" >&2
-
-infile=ns1/example.db.in
-
-printf '%s' "${HSMPIN:-1234}" > pin
-PWD=$(pwd)
-
-copy_setports ns1/named.conf.in ns1/named.conf
-
-get_random() {
- dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An
-}
-
-genpkcs() (
- alg="$1"
- bits="$2"
- label="$3"
- id="$(get_random)"
-
- $PK11DEL -l "$label" -w0 >/dev/null || true
- $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null
-)
-
-keyfrlab() (
- alg="$1"
- bits="$2"
- label="$3"
- zone="$4"
- shift 4
-
- $KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone"
-)
-
-genzsk() (
- genpkcs "$@"
- keyfrlab "$@"
-)
-
-genksk() (
- genpkcs "$@"
- keyfrlab "$@" -f ksk
-)
-
-algs=
-for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do
- alg=$(echo "$algbits" | cut -f 1 -d :)
- bits=$(echo "$algbits" | cut -f 2 -d :)
- zone="$alg.example"
- zonefile="ns1/$alg.example.db"
- if $SHELL ../testcrypto.sh "$alg"; then
- echo "$alg" >> supported
- algs="$algs$alg "
-
- zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone")
- zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone")
- ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone")
- ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone")
-
- cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile"
- $SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null
- cp "$zsk2.key" "ns1/$alg.zsk"
- cp "$ksk2.key" "ns1/$alg.ksk"
- mv "K$alg"* ns1/
-
- cat >> ns1/named.conf <<EOF
-zone "$alg.example." {
- type primary;
- file "$alg.example.db.signed";
- allow-update { any; };
-};
-
-EOF
- fi
-done
-echo_i "Generated keys for Native PKCS#11: $algs"
+++ /dev/null
-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-# shellcheck source=conf.sh
-. ../conf.sh
-
-count_rrsigs() (
- grep -c "IN[[:space:]]*RRSIG" "$@" || true
-)
-
-dig_with_opts() (
- $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
-)
-
-dig_for_rr() (
- alg=$1
- rrtype=$2
- count0=$3
- dig_with_opts "$alg.example." @10.53.0.1 "$rrtype" > "dig.out.$rrtype.$alg" &&
- count=$(count_rrsigs "dig.out.$rrtype.$alg") &&
- test "$count" -gt "$count0"
-)
-
-test_done() {
- if [ $ret -ne 0 ]; then echo_i "failed"; fi
- status=$((status+ret))
- ret=0
-}
-
-status=0
-ret=0
-
-n=0
-while read -r alg; do
- zonefile=ns1/$alg.example.db
- echo_i "testing PKCS#11 key generation ($alg)"
- count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true)
- [ "$count" -eq 4 ] || ret=1
- test_done
-
- echo_i "testing offline signing with PKCS#11 keys ($alg)"
-
- count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed")
- [ "$count" -eq 9 ] || ret=1
- test_done
-
- echo_i "testing inline signing with new PKCS#11 ZSK ($alg)"
-
- dig_with_opts "$alg.example." @10.53.0.1 "SOA" > "dig.out.SOA.$alg.0" || ret=1
- countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0")
- new_zsk=$(grep -v ';' "ns1/$alg.zsk")
-
- cat > "upd.cmd.ZSK.$alg" <<EOF
-server 10.53.0.1 $PORT
-ttl 300
-zone $alg.example.
-update add $new_zsk
-send
-EOF
-
- $NSUPDATE -v > "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1
-
- retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1
- test_done
-
- echo_i "testing inline signing with new PKCS#11 KSK ($alg)"
-
- dig_with_opts "$alg.example." @10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1
- countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0")
- new_ksk=$(grep -v ';' "ns1/$alg.ksk")
-
- cat > "upd.cmd.KSK.$alg" <<EOF
-server 10.53.0.1 $PORT
-ttl 300
-zone $alg.example.
-update add $new_ksk
-send
-EOF
-
- $NSUPDATE -v > "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1
-
- retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1
- test_done
-
- echo_i "testing PKCS#11 key destroy ($alg)"
-
- # Lookup all existing keys
- echo_i "looking up all existing keys ($alg)"
- $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1
- test_done
-
- echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)"
- $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1
- test_done
-
- echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)"
- $PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1
- test_done
-
- id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
- echo_i "destroying key with $id id ($alg)"
- if [ -n "$id" ]; then
- $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
- else
- ret=1
- fi
- test_done
-
- id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
- echo_i "destroying key with $id id ($alg)"
- if [ -n "$id" ]; then
- $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
- else
- ret=1
- fi
- test_done
-
- echo_i "checking if all keys have been destroyed ($alg)"
- $PK11LIST > "pkcs11-list.out.$alg" || ret=1
- count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true)
- [ "$count" -eq 0 ] || ret=1
- test_done
- n=$((n+1))
-done < supported
-
-echo_i "Checking if all supported algorithms were tested"
-[ "$n" -eq "$(wc -l < supported)" ] || ret=1
-test_done
-
-echo_i "Checking for assertion failure in pk11_numbits()"
-$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
-dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
-test_done
-
-echo_i "exit status: $status"
-[ "$status" -eq 0 ] || exit 1
+++ /dev/null
-This test relies on PKCS#11!
UNUSED(argc);
UNUSED(argv);
-#if !USE_PKCS11
-
rsa = RSA_new();
e = BN_new();
pkey = EVP_PKEY_new();
dst_lib_destroy();
isc_mem_destroy(&mctx);
return (0);
-#else /* !USE_PKCS11 */
- return (1);
-#endif /* !USE_PKC11 */
}
/*! \file */
exit 77
fi
-# Check for PKCS#11 support
-if
- test ! -f "$systest/usepkcs11" || $SHELL cleanpkcs11.sh
-then
- : pkcs11 ok
-else
- echowarn "I:$systest:Need PKCS#11, skipping test."
- echowarn "R:$systest:PKCS11ONLY"
- echoend "E:$systest:$(date_with_args)"
- exit 0
-fi
-
# Clean up files left from any potential previous runs except when
# started with the --restart option.
if ! $restart; then
else
if test $quiet -eq 0; then
echo_i "This test requires support for $msg" >&2
- echo_i "configure with --with-openssl, or --enable-native-pkcs11" \
- "--with-pkcs11" >&2
fi
exit 255
fi
#include <isc/timer.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/dispatch.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <isc/timer.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/dispatch.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
AC_SUBST([OPENSSL_CFLAGS])
AC_SUBST([OPENSSL_LIBS])
-#
-# was --enable-native-pkcs11 specified?
-#
-# [pairwise: --enable-native-pkcs11, --disable-native-pkcs11]
-AC_ARG_ENABLE([native-pkcs11],
- AS_HELP_STRING([--enable-native-pkcs11],
- [use native PKCS11 for public-key crypto [default=no]]),
- [:], [enable_native_pkcs11="no"])
-
-AC_MSG_CHECKING([for PKCS11 for Public-Key Cryptography])
-AS_CASE([$enable_native_pkcs11],
- [no],[AC_MSG_RESULT([no])],
- [yes],[CRYPTO=pkcs11
- AC_MSG_RESULT([yes])
- AC_CHECK_FUNCS([getpassphrase])
- ])
-AM_CONDITIONAL([HAVE_PKCS11], [test "$CRYPTO" = "pkcs11"])
-
-AC_SUBST([CRYPTO])
-AS_CASE([$CRYPTO],
- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
-
-#
-# was --with-pkcs11 specified?
-#
-# [pairwise: skip]
-AC_ARG_WITH([pkcs11],
- [AS_HELP_STRING([--with-pkcs11[=PATH]],
- [Build with PKCS11 support [no|path] (PATH is for the PKCS11 provider)])],
- [:], [with_pkcs11="undefined"])
-
-AS_CASE([$with_pkcs11],
- [yes|auto],[AC_MSG_ERROR([--with-pkcs11 needs explicit path to the PKCS11 library])],
- [no|undefined],[with_pkcs11="undefined"])
-AC_DEFINE_UNQUOTED([PK11_LIB_LOCATION], ["$with_pkcs11"], [define the default PKCS11 library path])
-
AC_CHECK_FUNCS([clock_gettime])
# [pairwise: --with-gssapi=yes, --with-gssapi=auto, --without-gssapi]
bin/nsupdate/Makefile
bin/check/Makefile
bin/confgen/Makefile
- bin/pkcs11/Makefile
bin/plugins/Makefile])
# Libraries
test "auto" = "$validation_default" && echo " DNSSEC validation active by default (--enable-auto-validation)"
- test "$CRYPTO" = "pkcs11" && (
- echo " Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
- echo " PKCS#11 module (--with-pkcs11): $with_pkcs11"
- )
-
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$with_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
test "yes" = "$validation_default" && echo " DNSSEC validation requires configuration (--enable-auto-validation)"
- test "$CRYPTO" = "pkcs11" || (
- echo " Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
- )
-
test "yes" = "$enable_querytrace" || \
echo " Very verbose query trace logging (--enable-querytrace)"
test "yes" = "$enable_singletrace" || \
.. include:: ../../bin/tools/nsec3hash.rst
.. include:: ../../bin/dig/nslookup.rst
.. include:: ../../bin/nsupdate/nsupdate.rst
-.. include:: ../../bin/pkcs11/pkcs11-destroy.rst
-.. include:: ../../bin/pkcs11/pkcs11-keygen.rst
-.. include:: ../../bin/pkcs11/pkcs11-list.rst
-.. include:: ../../bin/pkcs11/pkcs11-tokens.rst
.. include:: ../../bin/confgen/rndc-confgen.rst
.. include:: ../../bin/rndc/rndc.conf.rst
.. include:: ../../bin/rndc/rndc.rst
platform-independent API for the control of hardware security modules
(HSMs) and other cryptographic support devices.
-BIND 9 is known to work with three HSMs: the AEP Keyper, which has been
-tested with Debian Linux, Solaris x86, and Windows Server 2003; the
-Thales nShield, tested with Debian Linux; and the Sun SCA 6000
-cryptographic acceleration board, tested with Solaris x86. In addition,
-BIND can be used with all current versions of SoftHSM, a software-based
-HSM simulator library produced by the OpenDNSSEC project.
-
PKCS#11 uses a "provider library": a dynamically loadable
library which provides a low-level PKCS#11 interface to drive the HSM
hardware. The PKCS#11 provider library comes from the HSM vendor, and it
is specific to the HSM to be controlled.
-There are two available mechanisms for PKCS#11 support in BIND 9:
-OpenSSL-based PKCS#11 and native PKCS#11. With OpenSSL-based PKCS#11,
-BIND uses a modified version of OpenSSL, which loads the
-provider library and operates the HSM indirectly; any cryptographic
-operations not supported by the HSM can be carried out by OpenSSL
-instead. Native PKCS#11 enables BIND to bypass OpenSSL completely;
-BIND loads the provider library itself, and uses the PKCS#11 API to
-drive the HSM directly.
+BIND 9 uses OpenSSL engine_pkcs11 from the OpenSC project. The engine is
+dynamically loaded into OpenSSL and the HSM is operated indirectly; any
+cryptographic operations not supported by the HSM can be carried out by OpenSSL
+instead.
Prerequisites
~~~~~~~~~~~~~
See the documentation provided by the HSM vendor for information about
installing, initializing, testing, and troubleshooting the HSM.
-Native PKCS#11
-~~~~~~~~~~~~~~
-
-Native PKCS#11 mode only works with an HSM capable of carrying out
-*every* cryptographic operation BIND 9 may need. The HSM's provider
-library must have a complete implementation of the PKCS#11 API, so that
-all these functions are accessible. As of this writing, only the Thales
-nShield HSM and SoftHSMv2 can be used in this fashion. For other HSMs,
-including the AEP Keyper, Sun SCA 6000, and older versions of SoftHSM,
-use OpenSSL-based PKCS#11. (Note: Eventually, when more HSMs become
-capable of supporting native PKCS#11, it is expected that OpenSSL-based
-PKCS#11 will be deprecated.)
-
-To build BIND with native PKCS#11, configure it as follows:
-
-::
-
- $ cd bind9
- $ ./configure --enable-native-pkcs11 \
- --with-pkcs11=provider-library-path
-
-
-This causes all BIND tools, including ``named`` and the ``dnssec-*``
-and ``pkcs11-*`` tools, to use the PKCS#11 provider library specified in
-provider-library-path for cryptography. (The provider library path can
-be overridden using the ``-E`` argument in ``named`` and the ``dnssec-*`` tools,
-or the ``-m`` argument in the ``pkcs11-*`` tools.)
-
Building SoftHSMv2
^^^^^^^^^^^^^^^^^^
$ make install
$ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2
-
OpenSSL-based PKCS#11
~~~~~~~~~~~~~~~~~~~~~
OpenSSL-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project.
-For more information, see https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
+engine_pkcs11 tries to fit the PKCS#11 API within the engine API of OpenSSL.
+That is, it provides a gateway between PKCS#11 modules and the OpenSSL engine
+API. One has to register the engine with OpenSSL and one has to provide the
+path to the PKCS#11 module which should be gatewayed to. This can be done by
+editing the OpenSSL configuration file, by engine specific controls, or by using
+the p11-kit proxy module.
-PKCS#11 Tools
-~~~~~~~~~~~~~
+It is recommended, that libp11 >= 0.4.12 is used.
-BIND 9 includes a minimal set of tools to operate the HSM, including
-``pkcs11-keygen`` to generate a new key pair within the HSM,
-``pkcs11-list`` to list objects currently available, ``pkcs11-destroy``
-to remove objects, and ``pkcs11-tokens`` to list available tokens.
+For more detailed howto including the examples, we recommend reading:
-In UNIX/Linux builds, these tools are built only if BIND 9 is configured
-with the ``--with-pkcs11`` option. (Note: If ``--with-pkcs11`` is set to ``yes``,
-rather than to the path of the PKCS#11 provider, the tools are
-built but the provider is left undefined. Use the ``-m`` option or the
-``PKCS11_PROVIDER`` environment variable to specify the path to the
-provider.)
+https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
Using the HSM
~~~~~~~~~~~~~
-For OpenSSL-based PKCS#11, the runtime environment must first be set up
-so the OpenSSL and PKCS#11 libraries can be loaded:
+The canonical documentation for configuring engine_pkcs11 is in the
+`libp11/README.md`_, but here's copy of working configuration for
+your convenience:
-::
+.. _`libp11/README.md`: https://github.com/OpenSC/libp11/blob/master/README.md#pkcs-11-module-configuration
- $ export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}
+We are going to use our own custom copy of OpenSSL configuration, again it's
+driven by an environment variable, this time called OPENSSL_CONF. We are
+going to copy the global OpenSSL configuration (often found in
+``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11.
-This causes ``named`` and other binaries to load the OpenSSL library
-from ``/opt/pkcs11/usr/lib``, rather than from the default location. This
-step is not necessary when using native PKCS#11.
+::
+ cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf
-Some HSMs require other environment variables to be set. For example,
-when operating an AEP Keyper, the location of
-the "machine" file, which stores information about the Keyper for use by
-the provider library, must be specified. If the machine file is in
-``/opt/Keyper/PKCS11Provider/machine``, use:
+and export the environment variable:
::
+ export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf
- $ export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider
+Now add following line at the top of file, before any sections (in square
+brackets) are defined:
-Such environment variables must be set when running any tool that
-uses the HSM, including ``pkcs11-keygen``, ``pkcs11-list``,
-``pkcs11-destroy``, ``dnssec-keyfromlabel``, ``dnssec-signzone``,
-``dnssec-keygen``, and ``named``.
+::
+ openssl_conf = openssl_init
-HSM keys can now be created and used. In this case, we will create
-a 2048-bit key and give it the label "sample-ksk":
+And add following lines at the bottom of the file:
::
+ [openssl_init]
+ engines=engine_section
- $ pkcs11-keygen -b 2048 -l sample-ksk
+ [engine_section]
+ pkcs11 = pkcs11_section
-To confirm that the key exists:
+ [pkcs11_section]
+ engine_id = pkcs11
+ dynamic_path = <PATHTO>/pkcs11.so
+ MODULE_PATH = <FULL_PATH_TO_HSM_MODULE>
+ init = 0
-::
+Key Generation
+~~~~~~~~~~~~~~
+
+HSM keys can now be created and used. We are going to assume that you already
+have a BIND 9 installed, either from a package, or from the sources, and the
+tools are readily available in the ``$PATH``.
- $ pkcs11-list
- Enter PIN:
- object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
- object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
+For generating the keys, we are going to use ``pkcs11-tool`` available from the
+OpenSC suite. On both DEB-based and RPM-based distributions, the package is
+called opensc.
-Before using this key to sign a zone, we must create a pair of BIND 9
-key files. The ``dnssec-keyfromlabel`` utility does this. In this case, we
-are using the HSM key "sample-ksk" as the key-signing key for
-"example.net":
+We need to generate at least two RSA keys:
::
- $ dnssec-keyfromlabel -l sample-ksk -f KSK example.net
+ pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type rsa:2048 --label example.net-ksk --pin <PIN>
+ pkcs11-tool --module <FULL_PATH_TO_HSM_MODULE> -l -k --key-type rsa:2048 --label example.net-ksk --pin <PIN>
-The resulting K*.key and K*.private files can now be used to sign the
-zone. Unlike normal K\* files, which contain both public and private key
-data, these files contain only the public key data, plus an
-identifier for the private key which remains stored within the HSM.
-Signing with the private key takes place inside the HSM.
+Remember that each key should have unique label and we are going to use that
+label to reference the private key.
-To generate a second key in the HSM for use as a
-zone-signing key, follow the same procedure above, using a different
-keylabel, a smaller key size, and omitting ``-f KSK`` from the
-``dnssec-keyfromlabel`` arguments:
+Convert the RSA keys stored in the HSM into a format that BIND 9 understands.
+The ``dnssec-keyfromlabel`` tool from BIND 9 can link the raw keys stored in the
+HSM with the ``K<zone>+<alg>+<id>`` files. You'll need to provide the OpenSSL
+engine name (``pkcs11``), the algorithm (``RSASHA256``) and the PKCS#11 label
+that specify the token (we asume that it has been initialized as bind9), the
+name of the PKCS#11 object (called label when generating the keys using
+``pkcs11-tool``) and the HSM PIN.
+
+Convert the KSK:
::
+ dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net
+
+and ZSK:
- $ pkcs11-keygen -b 1024 -l sample-zsk
- $ dnssec-keyfromlabel -l sample-zsk example.net
+::
+ dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-zsk;pin-value=0000" example.net
-Alternatively, a conventional on-disk key can be generated
-using ``dnssec-keygen``:
+NOTE: you can use PIN stored on disk, by specifying ``pin-source=<path_to>/<file>``, f.e.:
::
+ (umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt)
- $ dnssec-keygen example.net
+and then use in the label specification:
-This provides less security than an HSM key, but since HSMs can be slow
-or cumbersome to use for security reasons, it may be more efficient to
-reserve HSM keys for use in the less frequent key-signing operation. The
-zone-signing key can be rolled more frequently, if desired, to
-compensate for a reduction in key security. (Note: When using native
-PKCS#11, there is no speed advantage to using on-disk keys, as
-cryptographic operations are done by the HSM.)
+::
+ pin-source=/opt/bind9/etc/pin.txt
-Now the zone can be signed. Please note that, if the -S option is not used for
-``dnssec-signzone``, the contents of both
-``K*.key`` files must be added to the zone master file before signing it.
+Confirm that you have one KSK and one ZSK present in the current directory:
::
+ ls -l K*
+
+The output should look like this (the second number will be different):
+
+::
+ Kexample.net.+008+31729.key
+ Kexample.net.+008+31729.private
+ Kexample.net.+008+42231.key
+ Kexample.net.+008+42231.private
- $ dnssec-signzone -S example.net
- Enter PIN:
- Verifying the zone using the following algorithms:
- NSEC3RSASHA1.
- Zone signing complete:
- Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
- example.net.signed
Specifying the Engine on the Command Line
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can
-be specified in ``named`` and all of the BIND ``dnssec-*`` tools by
-using the ``-E <engine>`` command line option. If BIND 9 is built with the
-``--with-pkcs11`` option, this option defaults to "pkcs11". Specifying the
-engine is generally not necessary unless
-a different OpenSSL engine is used.
+When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can be
+specified in ``named`` and all of the BIND ``dnssec-*`` tools by using the ``-E
+<engine>`` command line option. Specifying the engine is generally not necessary
+unless a different OpenSSL engine is used.
-To disable use of the "pkcs11" engine - for
-troubleshooting purposes, or because the HSM is unavailable - set
-the engine to the empty string. For example:
+The zone signing commences as usual, with only one small difference. We need to
+provide the name of the OpenSSL engine using the -E command line option.
::
+ dnssec-signzone -E pkcs11 -S -o example.net example.net
- $ dnssec-signzone -E '' -S example.net
+Running ``named`` With Automatic Zone Re-signing
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-This causes ``dnssec-signzone`` to run as if it were compiled without
-the ``--with-pkcs11`` option.
+The zone can also be signed automatically by named. Again, we need to provide
+the name of the OpenSSL engine using the -E command line option.
-When built with native PKCS#11 mode, the "engine" option has a different
-meaning: it specifies the path to the PKCS#11 provider library. This may
-be useful when testing a new provider library.
+::
+ named -E pkcs11 -c named.conf
-Running ``named`` With Automatic Zone Re-signing
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+and the logs should have lines like:
+
+::
+ Fetching example.net/RSASHA256/31729 (KSK) from key repository.
+ DNSKEY example.net/RSASHA256/31729 (KSK) is now published
+ DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active
+ Fetching example.net/RSASHA256/42231 (ZSK) from key repository.
+ DNSKEY example.net/RSASHA256/42231 (ZSK) is now published
+ DNSKEY example.net/RSA256SHA256/42231 (ZSK) is now active
For ``named`` to dynamically re-sign zones using HSM keys,
and/or to sign new records inserted via nsupdate, ``named`` must
This also allows the ``dnssec-\*`` tools to access the HSM without PIN
entry. (The ``pkcs11-\*`` tools access the HSM directly, not via OpenSSL, so
a PIN is still required to use them.)
-
-In native PKCS#11 mode, the PIN can be provided in a file specified as
-an attribute of the key's label. For example, if a key had the label
-``pkcs11:object=local-zsk;pin-source=/etc/hsmpin``, then the PIN would
-be read from the file ``/etc/hsmpin``.
-
-.. warning::
-
- Placing the HSM's PIN in a text file in this manner may reduce the
- security advantage of using an HSM. Use caution
- when configuring the system in this way.
nsec3hash.rst \
nslookup.rst \
nsupdate.rst \
- pkcs11-destroy.rst \
- pkcs11-keygen.rst \
- pkcs11-list.rst \
- pkcs11-tokens.rst \
rndc-confgen.rst \
rndc.conf.rst \
rndc.rst \
../../bin/dnssec/dnssec-verify.rst \
../../bin/named/named.rst \
../../bin/nsupdate/nsupdate.rst \
- ../../bin/pkcs11/pkcs11-destroy.rst \
- ../../bin/pkcs11/pkcs11-keygen.rst \
- ../../bin/pkcs11/pkcs11-list.rst \
- ../../bin/pkcs11/pkcs11-tokens.rst \
../../bin/plugins/filter-aaaa.rst \
../../bin/plugins/filter-a.rst \
../../bin/rndc/rndc.conf.rst \
named-nzd2nzf.1
endif HAVE_LMDB
-if HAVE_PKCS11
-man_MANS += \
- pkcs11-destroy.1 \
- pkcs11-keygen.1 \
- pkcs11-list.1 \
- pkcs11-tokens.1
-endif HAVE_PKCS11
-
MANPAGES_IN = \
$(man_MANS:=in) \
dnstap-read.1in \
- named-nzd2nzf.1in \
- pkcs11-destroy.1in \
- pkcs11-keygen.1in \
- pkcs11-list.1in \
- pkcs11-tokens.1in
+ named-nzd2nzf.1in
EXTRA_DIST = \
conf.py \
('nsec3hash', 'nsec3hash', 'generate NSEC3 hash', author, 1),
('nslookup', 'nslookup', 'query Internet name servers interactively', author, 1),
('nsupdate', 'nsupdate', 'dynamic DNS update utility', author, 1),
- ('pkcs11-destroy', 'pkcs11-destroy', 'destroy PKCS#11 objects', author, 1),
- ('pkcs11-keygen', 'pkcs11-keygen', 'generate keys on a PKCS#11 device', author, 1),
- ('pkcs11-list', 'pkcs11-list', 'list PKCS#11 objects', author, 1),
- ('pkcs11-tokens', 'pkcs11-tokens', 'list PKCS#11 available tokens', author, 1),
('rndc-confgen', 'rndc-confgen', 'rndc key generation tool', author, 8),
('rndc.conf', 'rndc.conf', 'rndc configuration file', author, 5),
('rndc', 'rndc', 'name server control utility', author, 8),
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
-hardware service module (usually \fBpkcs11\fP). When BIND is
-built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
-defaults to the path of the PKCS#11 provider library specified via
-\fB\-\-with\-pkcs11\fP\&.
+hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-l label\fP
This option specifies the label for a key pair in the crypto hardware.
an arbitrary string that identifies a particular key. It may be
preceded by an optional OpenSSL engine name, followed by a colon, as
in \fBpkcs11:keylabel\fP\&.
-.sp
-When BIND 9 is built with native PKCS#11 support, the label is a
-PKCS#11 URI string in the format
-\fBpkcs11:keyword\e =value[;\e keyword\e =value;...]\fP\&. Keywords
-include \fBtoken\fP, which identifies the HSM; \fBobject\fP, which identifies
-the key; and \fBpin\-source\fP, which identifies a file from which the
-HSM\(aqs PIN code can be obtained. The label is stored in the
-on\-disk \fBprivate\fP file.
-.sp
-If the label contains a \fBpin\-source\fP field, tools using the
-generated key files are able to use the HSM for signing and other
-operations without any need for an operator to manually enter a PIN.
-Note: Making the HSM\(aqs PIN accessible in this manner may reduce the
-security advantage of using an HSM; use caution
-with this feature.
.TP
.B \fB\-n nametype\fP
This option specifies the owner type of the key. The value of \fBnametype\fP must
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
-hardware service module (usually \fBpkcs11\fP). When BIND is
-built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
-defaults to the path of the PKCS#11 provider library specified via
-\fB\-\-with\-pkcs11\fP\&.
+hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-f flag\fP
This option sets the specified flag in the flag field of the KEY/DNSKEY record.
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
-hardware service module (usually \fBpkcs11\fP). When BIND is
-built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
-defaults to the path of the PKCS#11 provider library specified via
-\fB\-\-with\-pkcs11\fP\&.
+hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-f\fP
This option indicates a forced overwrite and causes \fBdnssec\-revoke\fP to write the new key pair,
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
-hardware service module (usually \fBpkcs11\fP). When BIND is
-built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
-defaults to the path of the PKCS#11 provider library specified via
-\fB\-\-with\-pkcs11\fP\&.
+hardware service module (usually \fBpkcs11\fP).
.UNINDENT
.SH TIMING OPTIONS
.sp
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
-hardware service module (usually \fBpkcs11\fP). When BIND is
-built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
-defaults to the path of the PKCS#11 provider library specified via
-\fB\-\-with\-pkcs11\fP\&.
+hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-g\fP
This option indicates that DS records for child zones should be generated from a \fBdsset\-\fP or \fBkeyset\-\fP
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
-hardware service module (usually \fBpkcs11\fP). When BIND is
-built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
-defaults to the path of the PKCS#11 provider library specified via
-\fB\-\-with\-pkcs11\fP\&.
+hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-I input\-format\fP
This option sets the format of the input zone file. Possible formats are \fBtext\fP
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
-hardware service module (usually \fBpkcs11\fP). When BIND is
-built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
-defaults to the path of the PKCS#11 provider library specified via
-\fB\-\-with\-pkcs11\fP\&.
+hardware service module (usually \fBpkcs11\fP).
.TP
.B \fB\-f\fP
This option runs the server in the foreground (i.e., do not daemonize).
+++ /dev/null
-.\" Man page generated from reStructuredText.
-.
-.TH "PKCS11-DESTROY" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
-.SH NAME
-pkcs11-destroy \- destroy PKCS#11 objects
-.
-.nr rst2man-indent-level 0
-.
-.de1 rstReportMargin
-\\$1 \\n[an-margin]
-level \\n[rst2man-indent-level]
-level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
--
-\\n[rst2man-indent0]
-\\n[rst2man-indent1]
-\\n[rst2man-indent2]
-..
-.de1 INDENT
-.\" .rstReportMargin pre:
-. RS \\$1
-. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
-. nr rst2man-indent-level +1
-.\" .rstReportMargin post:
-..
-.de UNINDENT
-. RE
-.\" indent \\n[an-margin]
-.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
-.nr rst2man-indent-level -1
-.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
-.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
-..
-pkcs11\-destroy \- destroy PKCS#11 objects
-.sp
-\fBpkcs11\-destroy\fP [\fB\-m\fP module] [\fB\-s\fP slot] [\fB\-i\fP ID] [\fB\-l\fP label] [\fB\-p\fP PIN] [\fB\-w\fP seconds]
-.sp
-\fBpkcs11\-destroy\fP destroys keys stored in a PKCS#11 device, identified
-by their \fBID\fP or \fBlabel\fP\&.
-.sp
-Matching keys are displayed before being destroyed. By default, there is
-a five\-second delay to allow the user to interrupt the process before
-the destruction takes place.
-.INDENT 0.0
-.TP
-.B \fB\-m module\fP
-This option specifies the PKCS#11 provider module. This must be the full path to a
-shared library object implementing the PKCS#11 API for the device.
-.TP
-.B \fB\-s slot\fP
-This option opens the session with the given PKCS#11 slot. The default is slot 0.
-.TP
-.B \fB\-i ID\fP
-This option destroys keys with the given object ID.
-.TP
-.B \fB\-l label\fP
-This option destroys keys with the given label.
-.TP
-.B \fB\-p PIN\fP
-This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command
-line, \fBpkcs11\-destroy\fP prompts for it.
-.TP
-.B \fB\-w seconds\fP
-This option specifies how long, in seconds, to pause before carrying out key destruction. The
-default is 5 seconds. If set to \fB0\fP, destruction is
-immediate.
-.UNINDENT
-.sp
-\fBpkcs11\-keygen(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP
-.SH AUTHOR
-Internet Systems Consortium
-.SH COPYRIGHT
-2021, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+++ /dev/null
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-:orphan:
-
-.. include:: ../../bin/pkcs11/pkcs11-destroy.rst
\ No newline at end of file
+++ /dev/null
-.\" Man page generated from reStructuredText.
-.
-.TH "PKCS11-KEYGEN" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
-.SH NAME
-pkcs11-keygen \- generate keys on a PKCS#11 device
-.
-.nr rst2man-indent-level 0
-.
-.de1 rstReportMargin
-\\$1 \\n[an-margin]
-level \\n[rst2man-indent-level]
-level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
--
-\\n[rst2man-indent0]
-\\n[rst2man-indent1]
-\\n[rst2man-indent2]
-..
-.de1 INDENT
-.\" .rstReportMargin pre:
-. RS \\$1
-. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
-. nr rst2man-indent-level +1
-.\" .rstReportMargin post:
-..
-.de UNINDENT
-. RE
-.\" indent \\n[an-margin]
-.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
-.nr rst2man-indent-level -1
-.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
-.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
-..
-.SH SYNOPSIS
-.sp
-\fBpkcs11\-keygen\fP [\fB\-a\fP algorithm] [\fB\-b\fP keysize] [\fB\-e\fP] [\fB\-i\fP id] [\fB\-m\fP module] [\fB\-P\fP] [\fB\-p\fP PIN] [\fB\-q\fP] [\fB\-S\fP] [\fB\-s\fP slot] label
-.SH DESCRIPTION
-.sp
-\fBpkcs11\-keygen\fP causes a PKCS#11 device to generate a new key pair
-with the given \fBlabel\fP (which must be unique) and with \fBkeysize\fP
-bits of prime.
-.SH OPTIONS
-.INDENT 0.0
-.TP
-.B \fB\-a algorithm\fP
-This option specifies the key algorithm class: supported classes are RSA, DSA, DH,
-ECC, and ECX. In addition to these strings, the \fBalgorithm\fP can be
-specified as a DNSSEC signing algorithm to be used with this
-key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to
-ECC, and ED25519 to ECX. The default class is \fBRSA\fP\&.
-.TP
-.B \fB\-b keysize\fP
-This option creates the key pair with \fBkeysize\fP bits of prime. For ECC keys, the
-only valid values are 256 and 384, and the default is 256. For ECX
-keys, the only valid values are 256 and 456, and the default is 256.
-.TP
-.B \fB\-e\fP
-For RSA keys only, this option specifies use of a large exponent.
-.TP
-.B \fB\-i id\fP
-This option creates key objects with \fBid\fP\&. The ID is either an unsigned short 2\-byte
-or an unsigned long 4\-byte number.
-.TP
-.B \fB\-m module\fP
-This option specifies the PKCS#11 provider module. This must be the full path to a
-shared library object implementing the PKCS#11 API for the device.
-.TP
-.B \fB\-P\fP
-This option sets the new private key to be non\-sensitive and extractable, and
-allows the private key data to be read from the PKCS#11 device. The
-default is for private keys to be sensitive and non\-extractable.
-.TP
-.B \fB\-p PIN\fP
-This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command
-line, \fBpkcs11\-keygen\fP prompts for it.
-.TP
-.B \fB\-q\fP
-This option sets quiet mode, which suppresses unnecessary output.
-.TP
-.B \fB\-S\fP
-For Diffie\-Hellman (DH) keys only, this option specifies use of a special prime of 768\-, 1024\-,
-or 1536\-bit size and base (AKA generator) 2. If not specified, bit
-size defaults to 1024.
-.TP
-.B \fB\-s slot\fP
-This option opens the session with the given PKCS#11 slot. The default is slot 0.
-.UNINDENT
-.SH SEE ALSO
-.sp
-\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP, \fBdnssec\-keyfromlabel(8)\fP
-.SH AUTHOR
-Internet Systems Consortium
-.SH COPYRIGHT
-2021, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+++ /dev/null
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-:orphan:
-
-.. include:: ../../bin/pkcs11/pkcs11-keygen.rst
\ No newline at end of file
+++ /dev/null
-.\" Man page generated from reStructuredText.
-.
-.TH "PKCS11-LIST" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
-.SH NAME
-pkcs11-list \- list PKCS#11 objects
-.
-.nr rst2man-indent-level 0
-.
-.de1 rstReportMargin
-\\$1 \\n[an-margin]
-level \\n[rst2man-indent-level]
-level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
--
-\\n[rst2man-indent0]
-\\n[rst2man-indent1]
-\\n[rst2man-indent2]
-..
-.de1 INDENT
-.\" .rstReportMargin pre:
-. RS \\$1
-. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
-. nr rst2man-indent-level +1
-.\" .rstReportMargin post:
-..
-.de UNINDENT
-. RE
-.\" indent \\n[an-margin]
-.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
-.nr rst2man-indent-level -1
-.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
-.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
-..
-.sp
-\fBpkcs11\-list\fP [\fB\-P\fP] [\fB\-m\fP module] [\fB\-s\fP slot] [\fB\-i\fP ID \fB] [\-l\fP label] [\fB\-p\fP PIN]
-.SH DESCRIPTION
-.sp
-\fBpkcs11\-list\fP lists the PKCS#11 objects with \fBID\fP or \fBlabel\fP or, by
-default, all objects. The object class, label, and ID are displayed for
-all keys. For private or secret keys, the extractability attribute is
-also displayed, as either \fBtrue\fP, \fBfalse\fP, or \fBnever\fP\&.
-.SH OPTIONS
-.INDENT 0.0
-.TP
-.B \fB\-P\fP
-This option lists only the public objects. (Note that on some PKCS#11 devices, all
-objects are private.)
-.TP
-.B \fB\-m module\fP
-This option specifies the PKCS#11 provider module. This must be the full path to a
-shared library object implementing the PKCS#11 API for the device.
-.TP
-.B \fB\-s slot\fP
-This option opens the session with the given PKCS#11 slot. The default is slot 0.
-.TP
-.B \fB\-i ID\fP
-This option lists only key objects with the given object ID.
-.TP
-.B \fB\-l label\fP
-This option lists only key objects with the given label.
-.TP
-.B \fB\-p PIN\fP
-This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command
-line, \fBpkcs11\-list\fP prompts for it.
-.UNINDENT
-.SH SEE ALSO
-.sp
-\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-keygen(8)\fP, \fBpkcs11\-tokens(8)\fP
-.SH AUTHOR
-Internet Systems Consortium
-.SH COPYRIGHT
-2021, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+++ /dev/null
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-:orphan:
-
-.. include:: ../../bin/pkcs11/pkcs11-list.rst
\ No newline at end of file
+++ /dev/null
-.\" Man page generated from reStructuredText.
-.
-.TH "PKCS11-TOKENS" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
-.SH NAME
-pkcs11-tokens \- list PKCS#11 available tokens
-.
-.nr rst2man-indent-level 0
-.
-.de1 rstReportMargin
-\\$1 \\n[an-margin]
-level \\n[rst2man-indent-level]
-level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
--
-\\n[rst2man-indent0]
-\\n[rst2man-indent1]
-\\n[rst2man-indent2]
-..
-.de1 INDENT
-.\" .rstReportMargin pre:
-. RS \\$1
-. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
-. nr rst2man-indent-level +1
-.\" .rstReportMargin post:
-..
-.de UNINDENT
-. RE
-.\" indent \\n[an-margin]
-.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
-.nr rst2man-indent-level -1
-.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
-.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
-..
-.SH SYNOPSIS
-.sp
-\fBpkcs11\-tokens\fP [\fB\-m\fP module] [\fB\-v\fP]
-.SH DESCRIPTION
-.sp
-\fBpkcs11\-tokens\fP lists the PKCS#11 available tokens with defaults from
-the slot/token scan performed at application initialization.
-.SH OPTIONS
-.INDENT 0.0
-.TP
-.B \fB\-m module\fP
-This option specifies the PKCS#11 provider module. This must be the full path to a
-shared library object implementing the PKCS#11 API for the device.
-.TP
-.B \fB\-v\fP
-This option makes the PKCS#11 libisc initialization verbose.
-.UNINDENT
-.SH SEE ALSO
-.sp
-\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-keygen(8)\fP, \fBpkcs11\-list(8)\fP
-.SH AUTHOR
-Internet Systems Consortium
-.SH COPYRIGHT
-2021, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+++ /dev/null
-..
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-
-:orphan:
-
-.. include:: ../../bin/pkcs11/pkcs11-tokens.rst
\ No newline at end of file
#include <isc/symtab.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/acl.h>
#include <dns/dnstap.h>
#include <dns/fixedname.h>
dst_openssl.h \
dst_parse.c \
dst_parse.h \
- dst_pkcs11.h \
dst_result.c \
dyndb.c \
ecs.c \
nta.c \
openssl_link.c \
openssldh_link.c \
+ opensslecdsa_link.c \
+ openssleddsa_link.c \
+ opensslrsa_link.c \
order.c \
peer.c \
private.c \
gssapi_link.c
endif
-if HAVE_PKCS11
-libdns_la_SOURCES += \
- pkcs11.c \
- pkcs11ecdsa_link.c \
- pkcs11eddsa_link.c \
- pkcs11rsa_link.c
-else !HAVE_PKCS11
-libdns_la_SOURCES += \
- opensslecdsa_link.c \
- openssleddsa_link.c \
- opensslrsa_link.c
-endif
-
if HAVE_GEOIP2
libdns_la_SOURCES += \
geoip2.c
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/db.h>
#include <dns/diff.h>
#include <dns/dnssec.h>
#include <isc/time.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#define DST_KEY_INTERNAL
#include <dns/fixedname.h>
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
RETERR(dst__openssl_init(engine));
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
-#if USE_OPENSSL
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
DST_ALG_RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
#ifdef HAVE_OPENSSL_ED448
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif /* ifdef HAVE_OPENSSL_ED448 */
-#endif /* USE_OPENSSL */
-
-#if USE_PKCS11
- RETERR(dst__pkcs11_init(mctx, engine));
- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
- RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
- RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
- RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519]));
- RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
-#endif /* USE_PKCS11 */
+
#if HAVE_GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
#endif /* HAVE_GSSAPI */
}
}
dst__openssl_destroy();
-#if USE_PKCS11
- (void)dst__pkcs11_destroy();
-#endif /* USE_PKCS11 */
}
bool
#include <inttypes.h>
#include <stdbool.h>
+#include <openssl/dh.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+
#include <isc/buffer.h>
#include <isc/hmac.h>
#include <isc/lang.h>
#include <isc/stdtime.h>
#include <isc/types.h>
-#if USE_PKCS11
-#include <pk11/pk11.h>
-#include <pk11/site.h>
-#endif /* USE_PKCS11 */
-
-#include <openssl/dh.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-
#include <dns/time.h>
#include <dst/dst.h>
void *generic;
dns_gss_ctx_id_t gssctx;
DH *dh;
-#if USE_OPENSSL
EVP_PKEY *pkey;
-#endif /* if USE_OPENSSL */
-#if USE_PKCS11
- pk11_object_t *pkey;
-#endif /* if USE_PKCS11 */
dst_hmac_key_t *hmac_key;
} keydata; /*%< pointer to key in crypto pkg fmt */
dst_gssapi_signverifyctx_t *gssctx;
isc_hmac_t *hmac_ctx;
EVP_MD_CTX *evp_md_ctx;
-#if USE_PKCS11
- pk11_context_t *pk11_ctx;
-#endif /* if USE_PKCS11 */
} ctxdata;
};
*/
isc_result_t
dst__openssl_init(const char *engine);
-#define dst__pkcs11_init pk11_initialize
isc_result_t
dst__hmacmd5_init(struct dst_func **funcp);
dst__hmacsha512_init(struct dst_func **funcp);
isc_result_t
dst__openssldh_init(struct dst_func **funcp);
-#if USE_OPENSSL
isc_result_t
dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
isc_result_t
isc_result_t
dst__openssleddsa_init(struct dst_func **funcp);
#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
-#endif /* USE_OPENSSL */
-#if USE_PKCS11
-isc_result_t
-dst__pkcs11rsa_init(struct dst_func **funcp);
-isc_result_t
-dst__pkcs11dsa_init(struct dst_func **funcp);
-isc_result_t
-dst__pkcs11ecdsa_init(struct dst_func **funcp);
-isc_result_t
-dst__pkcs11eddsa_init(struct dst_func **funcp);
-#endif /* USE_PKCS11 */
#if HAVE_GSSAPI
isc_result_t
dst__gssapi_init(struct dst_func **funcp);
*/
void
dst__openssl_destroy(void);
-#define dst__pkcs11_destroy pk11_finalize
/*%
* Memory allocators using the DST memory pool.
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/log.h>
#include <dns/time.h>
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#ifndef DST_PKCS11_H
-#define DST_PKCS11_H 1
-
-#include <isc/lang.h>
-#include <isc/log.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dst__pkcs11_toresult(const char *funcname, const char *file, int line,
- isc_result_t fallback, CK_RV rv);
-
-#define PK11_CALL(func, args, fallback) \
- ((void)(((rv = (func)args) == CKR_OK) || \
- ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
- fallback, rv)), \
- 0)))
-
-#define PK11_RET(func, args, fallback) \
- ((void)(((rv = (func)args) == CKR_OK) || \
- ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
- fallback, rv)), \
- 0))); \
- if (rv != CKR_OK) \
- goto err;
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_PKCS11_H */
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dst/result.h>
#include "dst_internal.h"
#include <dns/types.h>
#include <dst/dst.h>
-#include <pk11/site.h>
/*
* Algorithms.
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dst/result.h>
#include "dst_internal.h"
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dst/result.h>
#include "dst_internal.h"
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include <isc/util.h>
-
-#include <pk11/internal.h>
-#include <pk11/pk11.h>
-
-#include <dns/log.h>
-#include <dns/result.h>
-
-#include "dst_internal.h"
-#include "dst_pkcs11.h"
-
-isc_result_t
-dst__pkcs11_toresult(const char *funcname, const char *file, int line,
- isc_result_t fallback, CK_RV rv) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_CRYPTO,
- ISC_LOG_WARNING, "%s:%d: %s: Error = 0x%.8lX\n", file,
- line, funcname, rv);
- if (rv == CKR_HOST_MEMORY) {
- return (ISC_R_NOMEMORY);
- }
- return (fallback);
-}
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <stdbool.h>
-
-#include <isc/mem.h>
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <pk11/constants.h>
-#include <pk11/internal.h>
-#include <pk11/pk11.h>
-#include <pkcs11/pkcs11.h>
-
-#include <dns/keyvalues.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-#include "dst_pkcs11.h"
-
-/*
- * FIPS 186-3 ECDSA keys:
- * mechanisms:
- * CKM_ECDSA,
- * CKM_EC_KEY_PAIR_GEN
- * domain parameters:
- * CKA_EC_PARAMS (choice with OID namedCurve)
- * public keys:
- * object class CKO_PUBLIC_KEY
- * key type CKK_EC
- * attribute CKA_EC_PARAMS (choice with OID namedCurve)
- * attribute CKA_EC_POINT (point Q)
- * private keys:
- * object class CKO_PRIVATE_KEY
- * key type CKK_EC
- * attribute CKA_EC_PARAMS (choice with OID namedCurve)
- * attribute CKA_VALUE (big int d)
- * point format: 0x04 (octet-string) <2*size+1> 0x4 (uncompressed) <x> <y>
- */
-
-#define TAG_OCTECT_STRING 0x04
-#define UNCOMPRESSED 0x04
-
-#define DST_RET(a) \
- { \
- ret = a; \
- goto err; \
- }
-
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-static void
-pkcs11ecdsa_destroy(dst_key_t *key);
-
-static isc_result_t
-pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
- CK_RV rv;
- CK_MECHANISM mech = { 0, NULL, 0 };
- CK_SLOT_ID slotid;
- pk11_context_t *pk11_ctx;
- pk11_object_t *ec = key->keydata.pkey;
- isc_result_t ret;
-
- REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
- dctx->key->key_alg == DST_ALG_ECDSA384);
- REQUIRE(ec != NULL);
-
- if (dctx->key->key_alg == DST_ALG_ECDSA256) {
- mech.mechanism = CKM_SHA256;
- } else {
- mech.mechanism = CKM_SHA384;
- }
-
- pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- if (ec->ontoken && (dctx->use == DO_SIGN)) {
- slotid = ec->slot;
- } else {
- slotid = pk11_get_best_token(OP_ECDSA);
- }
- ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, ec->reqlogon,
- NULL, slotid);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE);
- dctx->ctxdata.pk11_ctx = pk11_ctx;
- return (ISC_R_SUCCESS);
-
-err:
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static void
-pkcs11ecdsa_destroyctx(dst_context_t *dctx) {
- CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
-
- REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
- dctx->key->key_alg == DST_ALG_ECDSA384);
-
- if (pk11_ctx != NULL) {
- (void)pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
- memset(garbage, 0, sizeof(garbage));
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- dctx->ctxdata.pk11_ctx = NULL;
- }
-}
-
-static isc_result_t
-pkcs11ecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- CK_RV rv;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
- dctx->key->key_alg == DST_ALG_ECDSA384);
-
- PK11_CALL(pkcs_C_DigestUpdate,
- (pk11_ctx->session, (CK_BYTE_PTR)data->base,
- (CK_ULONG)data->length),
- ISC_R_FAILURE);
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 };
- CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_EC;
- CK_ATTRIBUTE keyTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_EC_PARAMS, NULL, 0 },
- { CKA_VALUE, NULL, 0 }
- };
- CK_ATTRIBUTE *attr;
- CK_BYTE digest[ISC_SHA384_DIGESTLENGTH];
- CK_ULONG dgstlen;
- CK_ULONG siglen;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- dst_key_t *key = dctx->key;
- pk11_object_t *ec = key->keydata.pkey;
- isc_region_t r;
- isc_result_t ret = ISC_R_SUCCESS;
- unsigned int i;
-
- REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
- key->key_alg == DST_ALG_ECDSA384);
- REQUIRE(ec != NULL);
-
- switch (key->key_alg) {
- case DST_ALG_ECDSA256:
- dgstlen = ISC_SHA256_DIGESTLENGTH;
- siglen = DNS_SIG_ECDSA256SIZE;
- break;
- case DST_ALG_ECDSA384:
- siglen = DNS_SIG_ECDSA384SIZE;
- dgstlen = ISC_SHA384_DIGESTLENGTH;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen),
- ISC_R_FAILURE);
-
- isc_buffer_availableregion(sig, &r);
- if (r.length < siglen) {
- DST_RET(ISC_R_NOSPACE);
- }
-
- if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) {
- pk11_ctx->ontoken = ec->ontoken;
- pk11_ctx->object = ec->object;
- goto token_key;
- }
-
- for (attr = pk11_attribute_first(ec); attr != NULL;
- attr = pk11_attribute_next(ec, attr))
- switch (attr->type) {
- case CKA_EC_PARAMS:
- INSIST(keyTemplate[5].type == attr->type);
- keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[5].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[5].ulValueLen = attr->ulValueLen;
- break;
- case CKA_VALUE:
- INSIST(keyTemplate[6].type == attr->type);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = false;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
- ISC_R_FAILURE);
-
-token_key:
-
- PK11_RET(pkcs_C_SignInit,
- (pk11_ctx->session, &mech,
- pk11_ctx->ontoken ? pk11_ctx->object : hKey),
- ISC_R_FAILURE);
-
- PK11_RET(pkcs_C_Sign,
- (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)r.base,
- &siglen),
- DST_R_SIGNFAILURE);
-
- isc_buffer_add(sig, (unsigned int)siglen);
-
-err:
-
- if (hKey != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
- }
- for (i = 5; i <= 6; i++) {
- if (keyTemplate[i].pValue != NULL) {
- {
- memset(keyTemplate[i].pValue, 0,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- }
- }
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- dctx->ctxdata.pk11_ctx = NULL;
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 };
- CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_EC;
- CK_ATTRIBUTE keyTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_EC_PARAMS, NULL, 0 },
- { CKA_EC_POINT, NULL, 0 }
- };
- CK_ATTRIBUTE *attr;
- CK_BYTE digest[ISC_SHA384_DIGESTLENGTH];
- CK_ULONG dgstlen;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- dst_key_t *key = dctx->key;
- pk11_object_t *ec = key->keydata.pkey;
- isc_result_t ret = ISC_R_SUCCESS;
- unsigned int i;
-
- REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
- key->key_alg == DST_ALG_ECDSA384);
- REQUIRE(ec != NULL);
-
- switch (key->key_alg) {
- case DST_ALG_ECDSA256:
- dgstlen = ISC_SHA256_DIGESTLENGTH;
- break;
- case DST_ALG_ECDSA384:
- dgstlen = ISC_SHA384_DIGESTLENGTH;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen),
- ISC_R_FAILURE);
-
- for (attr = pk11_attribute_first(ec); attr != NULL;
- attr = pk11_attribute_next(ec, attr))
- switch (attr->type) {
- case CKA_EC_PARAMS:
- INSIST(keyTemplate[5].type == attr->type);
- keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[5].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[5].ulValueLen = attr->ulValueLen;
- break;
- case CKA_EC_POINT:
- INSIST(keyTemplate[6].type == attr->type);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = false;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
- ISC_R_FAILURE);
-
- PK11_RET(pkcs_C_VerifyInit, (pk11_ctx->session, &mech, hKey),
- ISC_R_FAILURE);
-
- PK11_RET(pkcs_C_Verify,
- (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)sig->base,
- (CK_ULONG)sig->length),
- DST_R_VERIFYFAILURE);
-
-err:
-
- if (hKey != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
- }
- for (i = 5; i <= 6; i++) {
- if (keyTemplate[i].pValue != NULL) {
- {
- memset(keyTemplate[i].pValue, 0,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- }
- }
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- dctx->ctxdata.pk11_ctx = NULL;
-
- return (ret);
-}
-
-static bool
-pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- pk11_object_t *ec1, *ec2;
- CK_ATTRIBUTE *attr1, *attr2;
-
- ec1 = key1->keydata.pkey;
- ec2 = key2->keydata.pkey;
-
- if ((ec1 == NULL) && (ec2 == NULL)) {
- return (true);
- } else if ((ec1 == NULL) || (ec2 == NULL)) {
- return (false);
- }
-
- attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS);
- attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS);
- if ((attr1 == NULL) && (attr2 == NULL)) {
- return (true);
- } else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- {
- return (false);
- }
-
- attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT);
- attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT);
- if ((attr1 == NULL) && (attr2 == NULL)) {
- return (true);
- } else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- {
- return (false);
- }
-
- attr1 = pk11_attribute_bytype(ec1, CKA_VALUE);
- attr2 = pk11_attribute_bytype(ec2, CKA_VALUE);
- if (((attr1 != NULL) || (attr2 != NULL)) &&
- ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen)))
- {
- return (false);
- }
-
- if (!ec1->ontoken && !ec2->ontoken) {
- return (true);
- } else if (ec1->ontoken || ec2->ontoken || (ec1->object != ec2->object))
- {
- return (false);
- }
-
- return (true);
-}
-
-#define SETCURVE() \
- switch (key->key_alg) { \
- case DST_ALG_ECDSA256: \
- attr->pValue = isc_mem_get(key->mctx, \
- sizeof(PK11_ECC_PRIME256V1)); \
- memmove(attr->pValue, PK11_ECC_PRIME256V1, \
- sizeof(PK11_ECC_PRIME256V1)); \
- attr->ulValueLen = sizeof(PK11_ECC_PRIME256V1); \
- break; \
- case DST_ALG_ECDSA384: \
- attr->pValue = isc_mem_get(key->mctx, \
- sizeof(PK11_ECC_SECP384R1)); \
- memmove(attr->pValue, PK11_ECC_SECP384R1, \
- sizeof(PK11_ECC_SECP384R1)); \
- attr->ulValueLen = sizeof(PK11_ECC_SECP384R1); \
- break; \
- default: \
- INSIST(0); \
- ISC_UNREACHABLE(); \
- }
-
-#define FREECURVE() \
- if (attr->pValue != NULL) { \
- memset(attr->pValue, 0, attr->ulValueLen); \
- isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \
- attr->pValue = NULL; \
- }
-
-static isc_result_t
-pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_EC_KEY_PAIR_GEN, NULL, 0 };
- CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_EC;
- CK_ATTRIBUTE pubTemplate[] = {
- { CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_EC_PARAMS, NULL, 0 }
- };
- CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
- CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
- CK_ATTRIBUTE privTemplate[] = {
- { CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_EXTRACTABLE, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) }
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *ec;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
-
- REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
- key->key_alg == DST_ALG_ECDSA384);
- UNUSED(unused);
- UNUSED(callback);
-
- pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
- ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, false, NULL,
- pk11_get_best_token(OP_ECDSA));
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- ec = isc_mem_get(key->mctx, sizeof(*ec));
- memset(ec, 0, sizeof(*ec));
- key->keydata.pkey = ec;
- ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3);
- memset(ec->repr, 0, sizeof(*attr) * 3);
- ec->attrcnt = 3;
-
- attr = ec->repr;
- attr[0].type = CKA_EC_PARAMS;
- attr[1].type = CKA_EC_POINT;
- attr[2].type = CKA_VALUE;
-
- attr = &pubTemplate[5];
- SETCURVE();
-
- PK11_RET(pkcs_C_GenerateKeyPair,
- (pk11_ctx->session, &mech, pubTemplate, (CK_ULONG)6,
- privTemplate, (CK_ULONG)7, &pub, &priv),
- DST_R_CRYPTOFAILURE);
-
- attr = &pubTemplate[5];
- FREECURVE();
-
- attr = ec->repr;
- SETCURVE();
-
- attr++;
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
- memset(attr->pValue, 0, attr->ulValueLen);
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1),
- DST_R_CRYPTOFAILURE);
-
- attr++;
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
- memset(attr->pValue, 0, attr->ulValueLen);
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1),
- DST_R_CRYPTOFAILURE);
-
- (void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
- (void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- switch (key->key_alg) {
- case DST_ALG_ECDSA256:
- key->key_size = DNS_KEY_ECDSA256SIZE * 4;
- break;
- case DST_ALG_ECDSA384:
- key->key_size = DNS_KEY_ECDSA384SIZE * 4;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- return (ISC_R_SUCCESS);
-
-err:
- pkcs11ecdsa_destroy(key);
- if (priv != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
- }
- if (pub != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
- }
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static bool
-pkcs11ecdsa_isprivate(const dst_key_t *key) {
- pk11_object_t *ec = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (ec == NULL) {
- return (false);
- }
- attr = pk11_attribute_bytype(ec, CKA_VALUE);
- return (attr != NULL || ec->ontoken);
-}
-
-static void
-pkcs11ecdsa_destroy(dst_key_t *key) {
- pk11_object_t *ec = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (ec == NULL) {
- return;
- }
-
- INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken);
-
- for (attr = pk11_attribute_first(ec); attr != NULL;
- attr = pk11_attribute_next(ec, attr))
- switch (attr->type) {
- case CKA_LABEL:
- case CKA_ID:
- case CKA_EC_PARAMS:
- case CKA_EC_POINT:
- case CKA_VALUE:
- FREECURVE();
- break;
- }
- if (ec->repr != NULL) {
- memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
- isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr));
- }
- memset(ec, 0, sizeof(*ec));
- isc_mem_put(key->mctx, ec, sizeof(*ec));
- key->keydata.pkey = NULL;
-}
-
-static isc_result_t
-pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *ec;
- isc_region_t r;
- unsigned int len;
- CK_ATTRIBUTE *attr;
-
- REQUIRE(key->keydata.pkey != NULL);
-
- switch (key->key_alg) {
- case DST_ALG_ECDSA256:
- len = DNS_KEY_ECDSA256SIZE;
- break;
- case DST_ALG_ECDSA384:
- len = DNS_KEY_ECDSA384SIZE;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- ec = key->keydata.pkey;
- attr = pk11_attribute_bytype(ec, CKA_EC_POINT);
- if ((attr == NULL) || (attr->ulValueLen != len + 3) ||
- (((CK_BYTE_PTR)attr->pValue)[0] != TAG_OCTECT_STRING) ||
- (((CK_BYTE_PTR)attr->pValue)[1] != len + 1) ||
- (((CK_BYTE_PTR)attr->pValue)[2] != UNCOMPRESSED))
- {
- return (ISC_R_FAILURE);
- }
-
- isc_buffer_availableregion(data, &r);
- if (r.length < len) {
- return (ISC_R_NOSPACE);
- }
- memmove(r.base, (CK_BYTE_PTR)attr->pValue + 3, len);
- isc_buffer_add(data, len);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *ec;
- isc_region_t r;
- unsigned int len;
- CK_ATTRIBUTE *attr;
-
- REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
- key->key_alg == DST_ALG_ECDSA384);
-
- switch (key->key_alg) {
- case DST_ALG_ECDSA256:
- len = DNS_KEY_ECDSA256SIZE;
- break;
- case DST_ALG_ECDSA384:
- len = DNS_KEY_ECDSA384SIZE;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0) {
- return (ISC_R_SUCCESS);
- }
- if (r.length != len) {
- return (DST_R_INVALIDPUBLICKEY);
- }
-
- ec = isc_mem_get(key->mctx, sizeof(*ec));
- memset(ec, 0, sizeof(*ec));
- ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
- ec->attrcnt = 2;
-
- attr = ec->repr;
- attr->type = CKA_EC_PARAMS;
- SETCURVE();
-
- attr++;
- attr->type = CKA_EC_POINT;
- attr->pValue = isc_mem_get(key->mctx, len + 3);
- ((CK_BYTE_PTR)attr->pValue)[0] = TAG_OCTECT_STRING;
- ((CK_BYTE_PTR)attr->pValue)[1] = len + 1;
- ((CK_BYTE_PTR)attr->pValue)[2] = UNCOMPRESSED;
- memmove((CK_BYTE_PTR)attr->pValue + 3, r.base, len);
- attr->ulValueLen = len + 3;
-
- isc_buffer_forward(data, len);
- key->keydata.pkey = ec;
- key->key_size = len * 4;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-pkcs11ecdsa_tofile(const dst_key_t *key, const char *directory) {
- isc_result_t ret;
- pk11_object_t *ec;
- dst_private_t priv;
- unsigned char *buf = NULL;
- unsigned int i = 0;
- CK_ATTRIBUTE *attr;
-
- if (key->keydata.pkey == NULL) {
- return (DST_R_NULLKEY);
- }
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- ec = key->keydata.pkey;
- attr = pk11_attribute_bytype(ec, CKA_VALUE);
- if (attr != NULL) {
- buf = isc_mem_get(key->mctx, attr->ulValueLen);
- priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
- priv.elements[i].length = (unsigned short)attr->ulValueLen;
- memmove(buf, attr->pValue, attr->ulValueLen);
- priv.elements[i].data = buf;
- i++;
- }
-
- if (key->engine != NULL) {
- priv.elements[i].tag = TAG_ECDSA_ENGINE;
- priv.elements[i].length = strlen(key->engine) + 1;
- priv.elements[i].data = (unsigned char *)key->engine;
- i++;
- }
-
- if (key->label != NULL) {
- priv.elements[i].tag = TAG_ECDSA_LABEL;
- priv.elements[i].length = strlen(key->label) + 1;
- priv.elements[i].data = (unsigned char *)key->label;
- i++;
- }
-
- priv.nelements = i;
- ret = dst__privstruct_writefile(key, &priv, directory);
-
- if (buf != NULL) {
- memset(buf, 0, attr->ulValueLen);
- isc_mem_put(key->mctx, buf, attr->ulValueLen);
- }
- return (ret);
-}
-
-static isc_result_t
-pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
- dst_key_t *pub) {
- CK_RV rv;
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_EC;
- CK_ATTRIBUTE searchTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_LABEL, NULL, 0 }
- };
- CK_ULONG cnt;
- CK_ATTRIBUTE *attr;
- CK_ATTRIBUTE *pubattr;
- pk11_object_t *ec;
- pk11_object_t *pubec;
- pk11_context_t *pk11_ctx = NULL;
- isc_result_t ret;
-
- if (label == NULL) {
- return (DST_R_NOENGINE);
- }
-
- ec = key->keydata.pkey;
- pubec = pub->keydata.pkey;
-
- ec->object = CK_INVALID_HANDLE;
- ec->ontoken = true;
- ec->reqlogon = true;
- ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
- memset(ec->repr, 0, sizeof(*attr) * 2);
- ec->attrcnt = 2;
- attr = ec->repr;
-
- attr->type = CKA_EC_PARAMS;
- pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS);
- INSIST(pubattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
- memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
- attr->ulValueLen = pubattr->ulValueLen;
- attr++;
-
- attr->type = CKA_EC_POINT;
- pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT);
- INSIST(pubattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
- memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
- attr->ulValueLen = pubattr->ulValueLen;
-
- ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
- ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, ec->reqlogon,
- NULL, ec->slot);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- attr = pk11_attribute_bytype(ec, CKA_LABEL);
- if (attr == NULL) {
- attr = pk11_attribute_bytype(ec, CKA_ID);
- INSIST(attr != NULL);
- searchTemplate[3].type = CKA_ID;
- }
- searchTemplate[3].pValue = attr->pValue;
- searchTemplate[3].ulValueLen = attr->ulValueLen;
-
- PK11_RET(pkcs_C_FindObjectsInit,
- (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
- DST_R_CRYPTOFAILURE);
- PK11_RET(pkcs_C_FindObjects,
- (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt),
- DST_R_CRYPTOFAILURE);
- (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
- if (cnt == 0) {
- DST_RET(ISC_R_NOTFOUND);
- }
- if (cnt > 1) {
- DST_RET(ISC_R_EXISTS);
- }
-
- if (engine != NULL) {
- key->engine = isc_mem_strdup(key->mctx, engine);
- }
-
- key->label = isc_mem_strdup(key->mctx, label);
-
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
- return (ISC_R_SUCCESS);
-
-err:
- if (pk11_ctx != NULL) {
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
- }
- return (ret);
-}
-
-static isc_result_t
-pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dst_private_t priv;
- isc_result_t ret;
- pk11_object_t *ec = NULL;
- CK_ATTRIBUTE *attr, *pattr;
- isc_mem_t *mctx = key->mctx;
- unsigned int i;
- const char *engine = NULL, *label = NULL;
-
- REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
- key->key_alg == DST_ALG_ECDSA384);
-
- if ((pub == NULL) || (pub->keydata.pkey == NULL)) {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS) {
- return (ret);
- }
-
- if (key->external) {
- if (priv.nelements != 0) {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
-
- key->keydata.pkey = pub->keydata.pkey;
- pub->keydata.pkey = NULL;
- key->key_size = pub->key_size;
-
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
-
- return (ISC_R_SUCCESS);
- }
-
- for (i = 0; i < priv.nelements; i++) {
- switch (priv.elements[i].tag) {
- case TAG_ECDSA_ENGINE:
- engine = (char *)priv.elements[i].data;
- break;
- case TAG_ECDSA_LABEL:
- label = (char *)priv.elements[i].data;
- break;
- default:
- break;
- }
- }
- ec = isc_mem_get(key->mctx, sizeof(*ec));
- memset(ec, 0, sizeof(*ec));
- key->keydata.pkey = ec;
-
- /* Is this key is stored in a HSM? See if we can fetch it. */
- if ((label != NULL) || (engine != NULL)) {
- ret = pkcs11ecdsa_fetch(key, engine, label, pub);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (ret);
- }
-
- ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3);
- memset(ec->repr, 0, sizeof(*attr) * 3);
- ec->attrcnt = 3;
-
- attr = ec->repr;
- attr->type = CKA_EC_PARAMS;
- pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS);
- INSIST(pattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
- memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
- attr->ulValueLen = pattr->ulValueLen;
-
- attr++;
- attr->type = CKA_EC_POINT;
- pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT);
- INSIST(pattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
- memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
- attr->ulValueLen = pattr->ulValueLen;
-
- attr++;
- attr->type = CKA_VALUE;
- attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
- memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
- attr->ulValueLen = priv.elements[0].length;
-
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- switch (key->key_alg) {
- case DST_ALG_ECDSA256:
- key->key_size = DNS_KEY_ECDSA256SIZE * 4;
- break;
- case DST_ALG_ECDSA384:
- key->key_size = DNS_KEY_ECDSA384SIZE * 4;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- return (ISC_R_SUCCESS);
-
-err:
- pkcs11ecdsa_destroy(key);
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (ret);
-}
-
-static isc_result_t
-pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- const char *pin) {
- CK_RV rv;
- CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_EC;
- CK_ATTRIBUTE searchTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_LABEL, NULL, 0 }
- };
- CK_ULONG cnt;
- CK_ATTRIBUTE *attr;
- pk11_object_t *ec;
- pk11_context_t *pk11_ctx = NULL;
- isc_result_t ret;
- unsigned int i;
-
- UNUSED(pin);
-
- ec = isc_mem_get(key->mctx, sizeof(*ec));
- memset(ec, 0, sizeof(*ec));
- ec->object = CK_INVALID_HANDLE;
- ec->ontoken = true;
- ec->reqlogon = true;
- key->keydata.pkey = ec;
-
- ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
- memset(ec->repr, 0, sizeof(*attr) * 2);
- ec->attrcnt = 2;
- attr = ec->repr;
- attr[0].type = CKA_EC_PARAMS;
- attr[1].type = CKA_EC_POINT;
-
- ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
- ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, ec->reqlogon,
- NULL, ec->slot);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- attr = pk11_attribute_bytype(ec, CKA_LABEL);
- if (attr == NULL) {
- attr = pk11_attribute_bytype(ec, CKA_ID);
- INSIST(attr != NULL);
- searchTemplate[3].type = CKA_ID;
- }
- searchTemplate[3].pValue = attr->pValue;
- searchTemplate[3].ulValueLen = attr->ulValueLen;
-
- PK11_RET(pkcs_C_FindObjectsInit,
- (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
- DST_R_CRYPTOFAILURE);
- PK11_RET(pkcs_C_FindObjects,
- (pk11_ctx->session, &hKey, (CK_ULONG)1, &cnt),
- DST_R_CRYPTOFAILURE);
- (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
- if (cnt == 0) {
- DST_RET(ISC_R_NOTFOUND);
- }
- if (cnt > 1) {
- DST_RET(ISC_R_EXISTS);
- }
-
- attr = ec->repr;
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
- DST_R_CRYPTOFAILURE);
- for (i = 0; i <= 1; i++) {
- attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
- memset(attr[i].pValue, 0, attr[i].ulValueLen);
- }
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
- DST_R_CRYPTOFAILURE);
-
- keyClass = CKO_PRIVATE_KEY;
- PK11_RET(pkcs_C_FindObjectsInit,
- (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
- DST_R_CRYPTOFAILURE);
- PK11_RET(pkcs_C_FindObjects,
- (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt),
- DST_R_CRYPTOFAILURE);
- (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
- if (cnt == 0) {
- DST_RET(ISC_R_NOTFOUND);
- }
- if (cnt > 1) {
- DST_RET(ISC_R_EXISTS);
- }
-
- if (engine != NULL) {
- key->engine = isc_mem_strdup(key->mctx, engine);
- }
-
- key->label = isc_mem_strdup(key->mctx, label);
- switch (key->key_alg) {
- case DST_ALG_ECDSA256:
- key->key_size = DNS_KEY_ECDSA256SIZE * 4;
- break;
- case DST_ALG_ECDSA384:
- key->key_size = DNS_KEY_ECDSA384SIZE * 4;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
- return (ISC_R_SUCCESS);
-
-err:
- pkcs11ecdsa_destroy(key);
- if (pk11_ctx != NULL) {
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
- }
- return (ret);
-}
-
-static dst_func_t pkcs11ecdsa_functions = {
- pkcs11ecdsa_createctx,
- NULL, /*%< createctx2 */
- pkcs11ecdsa_destroyctx,
- pkcs11ecdsa_adddata,
- pkcs11ecdsa_sign,
- pkcs11ecdsa_verify,
- NULL, /*%< verify2 */
- NULL, /*%< computesecret */
- pkcs11ecdsa_compare,
- NULL, /*%< paramcompare */
- pkcs11ecdsa_generate,
- pkcs11ecdsa_isprivate,
- pkcs11ecdsa_destroy,
- pkcs11ecdsa_todns,
- pkcs11ecdsa_fromdns,
- pkcs11ecdsa_tofile,
- pkcs11ecdsa_parse,
- NULL, /*%< cleanup */
- pkcs11ecdsa_fromlabel,
- NULL, /*%< dump */
- NULL, /*%< restore */
-};
-
-isc_result_t
-dst__pkcs11ecdsa_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL) {
- *funcp = &pkcs11ecdsa_functions;
- }
- return (ISC_R_SUCCESS);
-}
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <stdbool.h>
-
-#include <isc/mem.h>
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <pk11/constants.h>
-#include <pk11/internal.h>
-#include <pk11/pk11.h>
-#include <pkcs11/pkcs11.h>
-
-#include <dns/keyvalues.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-#include "dst_pkcs11.h"
-
-/*
- * FIPS 186-3 EDDSA keys:
- * mechanisms:
- * CKM_EDDSA,
- * CKM_EC_EDWARDS_KEY_PAIR_GEN
- * domain parameters:
- * CKA_EC_PARAMS (choice with OID namedCurve)
- * public keys:
- * object class CKO_PUBLIC_KEY
- * key type CKK_EC_EDWARDS
- * attribute CKA_EC_PARAMS (choice with OID namedCurve)
- * attribute CKA_EC_POINT (big int A)
- * private keys:
- * object class CKO_PRIVATE_KEY
- * key type CKK_EC_EDWARDS
- * attribute CKA_EC_PARAMS (choice with OID namedCurve)
- * attribute CKA_VALUE (big int k)
- * point format: 0x04 (octet-string) <size> <A>
- */
-
-#define TAG_OCTECT_STRING 0x04
-
-#define DST_RET(a) \
- { \
- ret = a; \
- goto err; \
- }
-
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-static void
-pkcs11eddsa_destroy(dst_key_t *key);
-
-static isc_result_t
-pkcs11eddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
- isc_buffer_t *buf = NULL;
-
- UNUSED(key);
- REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
- dctx->key->key_alg == DST_ALG_ED448);
-
- isc_buffer_allocate(dctx->mctx, &buf, 16);
- isc_buffer_setautorealloc(buf, true);
- dctx->ctxdata.generic = buf;
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-pkcs11eddsa_destroyctx(dst_context_t *dctx) {
- isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
-
- REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
- dctx->key->key_alg == DST_ALG_ED448);
- if (buf != NULL) {
- isc_buffer_free(&buf);
- }
- dctx->ctxdata.generic = NULL;
-}
-
-static isc_result_t
-pkcs11eddsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
- isc_result_t result;
-
- REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
- dctx->key->key_alg == DST_ALG_ED448);
-
- result = isc_buffer_copyregion(buf, data);
- INSIST(result == ISC_R_SUCCESS);
-
- return (result);
-}
-
-static isc_result_t
-pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
- CK_RV rv;
- CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 };
- CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
- CK_ATTRIBUTE keyTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_EC_PARAMS, NULL, 0 },
- { CKA_VALUE, NULL, 0 }
- };
- CK_ATTRIBUTE *attr;
- CK_ULONG siglen;
- CK_SLOT_ID slotid;
- pk11_context_t *pk11_ctx;
- dst_key_t *key = dctx->key;
- pk11_object_t *ec = key->keydata.pkey;
- isc_region_t t;
- isc_region_t r;
- isc_result_t ret = ISC_R_SUCCESS;
- unsigned int i;
-
- REQUIRE(key->key_alg == DST_ALG_ED25519 ||
- key->key_alg == DST_ALG_ED448);
- REQUIRE(ec != NULL);
-
- switch (key->key_alg) {
- case DST_ALG_ED25519:
- siglen = DNS_SIG_ED25519SIZE;
- break;
- case DST_ALG_ED448:
- siglen = DNS_SIG_ED448SIZE;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- if (ec->ontoken && (dctx->use == DO_SIGN)) {
- slotid = ec->slot;
- } else {
- slotid = pk11_get_best_token(OP_EDDSA);
- }
- ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
- NULL, slotid);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- isc_buffer_availableregion(sig, &r);
- if (r.length < siglen) {
- DST_RET(ISC_R_NOSPACE);
- }
-
- if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) {
- pk11_ctx->ontoken = ec->ontoken;
- pk11_ctx->object = ec->object;
- goto token_key;
- }
-
- for (attr = pk11_attribute_first(ec); attr != NULL;
- attr = pk11_attribute_next(ec, attr))
- switch (attr->type) {
- case CKA_EC_PARAMS:
- INSIST(keyTemplate[5].type == attr->type);
- keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[5].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[5].ulValueLen = attr->ulValueLen;
- break;
- case CKA_VALUE:
- INSIST(keyTemplate[6].type == attr->type);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = false;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
- ISC_R_FAILURE);
-
-token_key:
-
- PK11_RET(pkcs_C_SignInit,
- (pk11_ctx->session, &mech,
- pk11_ctx->ontoken ? pk11_ctx->object : hKey),
- ISC_R_FAILURE);
-
- isc_buffer_usedregion(buf, &t);
-
- PK11_RET(pkcs_C_Sign,
- (pk11_ctx->session, (CK_BYTE_PTR)t.base, (CK_ULONG)t.length,
- (CK_BYTE_PTR)r.base, &siglen),
- DST_R_SIGNFAILURE);
-
- isc_buffer_add(sig, (unsigned int)siglen);
-
-err:
-
- if (hKey != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
- }
- for (i = 5; i <= 6; i++) {
- if (keyTemplate[i].pValue != NULL) {
- {
- memset(keyTemplate[i].pValue, 0,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- }
- }
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- isc_buffer_free(&buf);
- dctx->ctxdata.generic = NULL;
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
- CK_RV rv;
- CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 };
- CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
- CK_ATTRIBUTE keyTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_EC_PARAMS, NULL, 0 },
- { CKA_EC_POINT, NULL, 0 }
- };
- CK_ATTRIBUTE *attr;
- CK_SLOT_ID slotid;
- pk11_context_t *pk11_ctx;
- dst_key_t *key = dctx->key;
- pk11_object_t *ec = key->keydata.pkey;
- isc_region_t t;
- isc_result_t ret = ISC_R_SUCCESS;
- unsigned int i;
-
- REQUIRE(key->key_alg == DST_ALG_ED25519 ||
- key->key_alg == DST_ALG_ED448);
- REQUIRE(ec != NULL);
-
- pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- if (ec->ontoken && (dctx->use == DO_SIGN)) {
- slotid = ec->slot;
- } else {
- slotid = pk11_get_best_token(OP_EDDSA);
- }
- ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
- NULL, slotid);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- for (attr = pk11_attribute_first(ec); attr != NULL;
- attr = pk11_attribute_next(ec, attr))
- switch (attr->type) {
- case CKA_EC_PARAMS:
- INSIST(keyTemplate[5].type == attr->type);
- keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[5].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[5].ulValueLen = attr->ulValueLen;
- break;
- case CKA_EC_POINT:
- INSIST(keyTemplate[6].type == attr->type);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = false;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
- ISC_R_FAILURE);
-
- PK11_RET(pkcs_C_VerifyInit, (pk11_ctx->session, &mech, hKey),
- ISC_R_FAILURE);
-
- isc_buffer_usedregion(buf, &t);
-
- PK11_RET(pkcs_C_Verify,
- (pk11_ctx->session, (CK_BYTE_PTR)t.base, (CK_ULONG)t.length,
- (CK_BYTE_PTR)sig->base, (CK_ULONG)sig->length),
- DST_R_VERIFYFAILURE);
-
-err:
-
- if (hKey != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
- }
- for (i = 5; i <= 6; i++) {
- if (keyTemplate[i].pValue != NULL) {
- {
- memset(keyTemplate[i].pValue, 0,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- }
- }
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- isc_buffer_free(&buf);
- dctx->ctxdata.generic = NULL;
-
- return (ret);
-}
-
-static bool
-pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- pk11_object_t *ec1, *ec2;
- CK_ATTRIBUTE *attr1, *attr2;
-
- ec1 = key1->keydata.pkey;
- ec2 = key2->keydata.pkey;
-
- if ((ec1 == NULL) && (ec2 == NULL)) {
- return (true);
- } else if ((ec1 == NULL) || (ec2 == NULL)) {
- return (false);
- }
-
- attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS);
- attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS);
- if ((attr1 == NULL) && (attr2 == NULL)) {
- return (true);
- } else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- {
- return (false);
- }
-
- attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT);
- attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT);
- if ((attr1 == NULL) && (attr2 == NULL)) {
- return (true);
- } else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- {
- return (false);
- }
-
- attr1 = pk11_attribute_bytype(ec1, CKA_VALUE);
- attr2 = pk11_attribute_bytype(ec2, CKA_VALUE);
- if (((attr1 != NULL) || (attr2 != NULL)) &&
- ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen)))
- {
- return (false);
- }
-
- if (!ec1->ontoken && !ec2->ontoken) {
- return (true);
- } else if (ec1->ontoken || ec2->ontoken || (ec1->object != ec2->object))
- {
- return (false);
- }
-
- return (true);
-}
-
-#define SETCURVE() \
- switch (key->key_alg) { \
- case DST_ALG_ED25519: \
- attr->pValue = isc_mem_get(key->mctx, \
- sizeof(PK11_ECX_ED25519)); \
- memmove(attr->pValue, PK11_ECX_ED25519, \
- sizeof(PK11_ECX_ED25519)); \
- attr->ulValueLen = sizeof(PK11_ECX_ED25519); \
- break; \
- case DST_ALG_ED448: \
- attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED448)); \
- memmove(attr->pValue, PK11_ECX_ED448, sizeof(PK11_ECX_ED448)); \
- attr->ulValueLen = sizeof(PK11_ECX_ED448); \
- break; \
- default: \
- INSIST(0); \
- ISC_UNREACHABLE(); \
- }
-
-#define FREECURVE() \
- if (attr->pValue != NULL) { \
- memset(attr->pValue, 0, attr->ulValueLen); \
- isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \
- attr->pValue = NULL; \
- }
-
-static isc_result_t
-pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_EC_EDWARDS_KEY_PAIR_GEN, NULL, 0 };
- CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
- CK_ATTRIBUTE pubTemplate[] = {
- { CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_EC_PARAMS, NULL, 0 }
- };
- CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
- CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
- CK_ATTRIBUTE privTemplate[] = {
- { CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_EXTRACTABLE, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) }
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *ec;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
-
- REQUIRE(key->key_alg == DST_ALG_ED25519 ||
- key->key_alg == DST_ALG_ED448);
- UNUSED(unused);
- UNUSED(callback);
-
- pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
- ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, false, NULL,
- pk11_get_best_token(OP_EDDSA));
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- ec = isc_mem_get(key->mctx, sizeof(*ec));
- memset(ec, 0, sizeof(*ec));
- key->keydata.pkey = ec;
- ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3);
- memset(ec->repr, 0, sizeof(*attr) * 3);
- ec->attrcnt = 3;
-
- attr = ec->repr;
- attr[0].type = CKA_EC_PARAMS;
- attr[1].type = CKA_EC_POINT;
- attr[2].type = CKA_VALUE;
-
- attr = &pubTemplate[5];
- SETCURVE();
-
- PK11_RET(pkcs_C_GenerateKeyPair,
- (pk11_ctx->session, &mech, pubTemplate, (CK_ULONG)6,
- privTemplate, (CK_ULONG)7, &pub, &priv),
- DST_R_CRYPTOFAILURE);
-
- attr = &pubTemplate[5];
- FREECURVE();
-
- attr = ec->repr;
- SETCURVE();
-
- attr++;
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
- memset(attr->pValue, 0, attr->ulValueLen);
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1),
- DST_R_CRYPTOFAILURE);
-
- attr++;
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
- memset(attr->pValue, 0, attr->ulValueLen);
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1),
- DST_R_CRYPTOFAILURE);
-
- (void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
- (void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- switch (key->key_alg) {
- case DST_ALG_ED25519:
- key->key_size = DNS_KEY_ED25519SIZE * 8;
- break;
- case DST_ALG_ED448:
- key->key_size = DNS_KEY_ED448SIZE * 8;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- return (ISC_R_SUCCESS);
-
-err:
- pkcs11eddsa_destroy(key);
- if (priv != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
- }
- if (pub != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
- }
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static bool
-pkcs11eddsa_isprivate(const dst_key_t *key) {
- pk11_object_t *ec = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (ec == NULL) {
- return (false);
- }
- attr = pk11_attribute_bytype(ec, CKA_VALUE);
- return (attr != NULL || ec->ontoken);
-}
-
-static void
-pkcs11eddsa_destroy(dst_key_t *key) {
- pk11_object_t *ec = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (ec == NULL) {
- return;
- }
-
- INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken);
-
- for (attr = pk11_attribute_first(ec); attr != NULL;
- attr = pk11_attribute_next(ec, attr))
- switch (attr->type) {
- case CKA_LABEL:
- case CKA_ID:
- case CKA_EC_PARAMS:
- case CKA_EC_POINT:
- case CKA_VALUE:
- FREECURVE();
- break;
- }
- if (ec->repr != NULL) {
- memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
- isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr));
- }
- memset(ec, 0, sizeof(*ec));
- isc_mem_put(key->mctx, ec, sizeof(*ec));
- key->keydata.pkey = NULL;
-}
-
-static isc_result_t
-pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *ec;
- isc_region_t r;
- unsigned int len;
- CK_ATTRIBUTE *attr;
-
- REQUIRE(key->keydata.pkey != NULL);
-
- switch (key->key_alg) {
- case DST_ALG_ED25519:
- len = DNS_KEY_ED25519SIZE;
- break;
- case DST_ALG_ED448:
- len = DNS_KEY_ED448SIZE;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- ec = key->keydata.pkey;
- attr = pk11_attribute_bytype(ec, CKA_EC_POINT);
- if ((attr == NULL) || (attr->ulValueLen != len + 2) ||
- (((CK_BYTE_PTR)attr->pValue)[0] != TAG_OCTECT_STRING) ||
- (((CK_BYTE_PTR)attr->pValue)[1] != len))
- {
- return (ISC_R_FAILURE);
- }
-
- isc_buffer_availableregion(data, &r);
- if (r.length < len) {
- return (ISC_R_NOSPACE);
- }
- memmove(r.base, (CK_BYTE_PTR)attr->pValue + 2, len);
- isc_buffer_add(data, len);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *ec;
- isc_region_t r;
- unsigned int len;
- CK_ATTRIBUTE *attr;
-
- REQUIRE(key->key_alg == DST_ALG_ED25519 ||
- key->key_alg == DST_ALG_ED448);
-
- switch (key->key_alg) {
- case DST_ALG_ED25519:
- len = DNS_KEY_ED25519SIZE;
- break;
- case DST_ALG_ED448:
- len = DNS_KEY_ED448SIZE;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0) {
- return (ISC_R_SUCCESS);
- }
- if (r.length != len) {
- return (DST_R_INVALIDPUBLICKEY);
- }
-
- ec = isc_mem_get(key->mctx, sizeof(*ec));
- memset(ec, 0, sizeof(*ec));
- ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
- ec->attrcnt = 2;
-
- attr = ec->repr;
- attr->type = CKA_EC_PARAMS;
- SETCURVE();
-
- attr++;
- attr->type = CKA_EC_POINT;
- attr->pValue = isc_mem_get(key->mctx, len + 2);
- ((CK_BYTE_PTR)attr->pValue)[0] = TAG_OCTECT_STRING;
- ((CK_BYTE_PTR)attr->pValue)[1] = len;
- memmove((CK_BYTE_PTR)attr->pValue + 2, r.base, len);
- attr->ulValueLen = len + 2;
-
- isc_buffer_forward(data, len);
- key->keydata.pkey = ec;
- key->key_size = len * 8;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-pkcs11eddsa_tofile(const dst_key_t *key, const char *directory) {
- isc_result_t ret;
- pk11_object_t *ec;
- dst_private_t priv;
- unsigned char *buf = NULL;
- unsigned int i = 0;
- CK_ATTRIBUTE *attr;
-
- if (key->keydata.pkey == NULL) {
- return (DST_R_NULLKEY);
- }
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- ec = key->keydata.pkey;
- attr = pk11_attribute_bytype(ec, CKA_VALUE);
- if (attr != NULL) {
- buf = isc_mem_get(key->mctx, attr->ulValueLen);
- priv.elements[i].tag = TAG_EDDSA_PRIVATEKEY;
- priv.elements[i].length = (unsigned short)attr->ulValueLen;
- memmove(buf, attr->pValue, attr->ulValueLen);
- priv.elements[i].data = buf;
- i++;
- }
-
- if (key->engine != NULL) {
- priv.elements[i].tag = TAG_EDDSA_ENGINE;
- priv.elements[i].length = strlen(key->engine) + 1;
- priv.elements[i].data = (unsigned char *)key->engine;
- i++;
- }
-
- if (key->label != NULL) {
- priv.elements[i].tag = TAG_EDDSA_LABEL;
- priv.elements[i].length = strlen(key->label) + 1;
- priv.elements[i].data = (unsigned char *)key->label;
- i++;
- }
-
- priv.nelements = i;
- ret = dst__privstruct_writefile(key, &priv, directory);
-
- if (buf != NULL) {
- memset(buf, 0, attr->ulValueLen);
- isc_mem_put(key->mctx, buf, attr->ulValueLen);
- }
- return (ret);
-}
-
-static isc_result_t
-pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label,
- dst_key_t *pub) {
- CK_RV rv;
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
- CK_ATTRIBUTE searchTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_LABEL, NULL, 0 }
- };
- CK_ULONG cnt;
- CK_ATTRIBUTE *attr;
- CK_ATTRIBUTE *pubattr;
- pk11_object_t *ec;
- pk11_object_t *pubec;
- pk11_context_t *pk11_ctx = NULL;
- isc_result_t ret;
-
- if (label == NULL) {
- return (DST_R_NOENGINE);
- }
-
- ec = key->keydata.pkey;
- pubec = pub->keydata.pkey;
-
- ec->object = CK_INVALID_HANDLE;
- ec->ontoken = true;
- ec->reqlogon = true;
- ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
- memset(ec->repr, 0, sizeof(*attr) * 2);
- ec->attrcnt = 2;
- attr = ec->repr;
-
- attr->type = CKA_EC_PARAMS;
- pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS);
- INSIST(pubattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
- memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
- attr->ulValueLen = pubattr->ulValueLen;
- attr++;
-
- attr->type = CKA_EC_POINT;
- pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT);
- INSIST(pubattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
- memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
- attr->ulValueLen = pubattr->ulValueLen;
-
- ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
- ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
- NULL, ec->slot);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- attr = pk11_attribute_bytype(ec, CKA_LABEL);
- if (attr == NULL) {
- attr = pk11_attribute_bytype(ec, CKA_ID);
- INSIST(attr != NULL);
- searchTemplate[3].type = CKA_ID;
- }
- searchTemplate[3].pValue = attr->pValue;
- searchTemplate[3].ulValueLen = attr->ulValueLen;
-
- PK11_RET(pkcs_C_FindObjectsInit,
- (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
- DST_R_CRYPTOFAILURE);
- PK11_RET(pkcs_C_FindObjects,
- (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt),
- DST_R_CRYPTOFAILURE);
- (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
- if (cnt == 0) {
- DST_RET(ISC_R_NOTFOUND);
- }
- if (cnt > 1) {
- DST_RET(ISC_R_EXISTS);
- }
-
- if (engine != NULL) {
- key->engine = isc_mem_strdup(key->mctx, engine);
- }
-
- key->label = isc_mem_strdup(key->mctx, label);
-
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
- return (ISC_R_SUCCESS);
-
-err:
- if (pk11_ctx != NULL) {
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
- }
- return (ret);
-}
-
-static isc_result_t
-pkcs11eddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dst_private_t priv;
- isc_result_t ret;
- pk11_object_t *ec = NULL;
- CK_ATTRIBUTE *attr, *pattr;
- isc_mem_t *mctx = key->mctx;
- unsigned int i;
- const char *engine = NULL, *label = NULL;
-
- REQUIRE(key->key_alg == DST_ALG_ED25519 ||
- key->key_alg == DST_ALG_ED448);
-
- if ((pub == NULL) || (pub->keydata.pkey == NULL)) {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS) {
- return (ret);
- }
-
- if (key->external) {
- if (priv.nelements != 0) {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
-
- key->keydata.pkey = pub->keydata.pkey;
- pub->keydata.pkey = NULL;
- key->key_size = pub->key_size;
-
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
-
- return (ISC_R_SUCCESS);
- }
-
- for (i = 0; i < priv.nelements; i++) {
- switch (priv.elements[i].tag) {
- case TAG_EDDSA_ENGINE:
- engine = (char *)priv.elements[i].data;
- break;
- case TAG_EDDSA_LABEL:
- label = (char *)priv.elements[i].data;
- break;
- default:
- break;
- }
- }
- ec = isc_mem_get(key->mctx, sizeof(*ec));
- memset(ec, 0, sizeof(*ec));
- key->keydata.pkey = ec;
-
- /* Is this key is stored in a HSM? See if we can fetch it. */
- if ((label != NULL) || (engine != NULL)) {
- ret = pkcs11eddsa_fetch(key, engine, label, pub);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (ret);
- }
-
- ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3);
- memset(ec->repr, 0, sizeof(*attr) * 3);
- ec->attrcnt = 3;
-
- attr = ec->repr;
- attr->type = CKA_EC_PARAMS;
- pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS);
- INSIST(pattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
- memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
- attr->ulValueLen = pattr->ulValueLen;
-
- attr++;
- attr->type = CKA_EC_POINT;
- pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT);
- INSIST(pattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
- memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
- attr->ulValueLen = pattr->ulValueLen;
-
- attr++;
- attr->type = CKA_VALUE;
- attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
- memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
- attr->ulValueLen = priv.elements[0].length;
-
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- switch (key->key_alg) {
- case DST_ALG_ED25519:
- key->key_size = DNS_KEY_ED25519SIZE * 8;
- break;
- case DST_ALG_ED448:
- key->key_size = DNS_KEY_ED448SIZE * 8;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- return (ISC_R_SUCCESS);
-
-err:
- pkcs11eddsa_destroy(key);
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (ret);
-}
-
-static isc_result_t
-pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- const char *pin) {
- CK_RV rv;
- CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
- CK_ATTRIBUTE searchTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_LABEL, NULL, 0 }
- };
- CK_ULONG cnt;
- CK_ATTRIBUTE *attr;
- pk11_object_t *ec;
- pk11_context_t *pk11_ctx = NULL;
- isc_result_t ret;
- unsigned int i;
-
- UNUSED(pin);
-
- ec = isc_mem_get(key->mctx, sizeof(*ec));
- memset(ec, 0, sizeof(*ec));
- ec->object = CK_INVALID_HANDLE;
- ec->ontoken = true;
- ec->reqlogon = true;
- key->keydata.pkey = ec;
-
- ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
- memset(ec->repr, 0, sizeof(*attr) * 2);
- ec->attrcnt = 2;
- attr = ec->repr;
- attr[0].type = CKA_EC_PARAMS;
- attr[1].type = CKA_EC_POINT;
-
- ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
- ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
- NULL, ec->slot);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- attr = pk11_attribute_bytype(ec, CKA_LABEL);
- if (attr == NULL) {
- attr = pk11_attribute_bytype(ec, CKA_ID);
- INSIST(attr != NULL);
- searchTemplate[3].type = CKA_ID;
- }
- searchTemplate[3].pValue = attr->pValue;
- searchTemplate[3].ulValueLen = attr->ulValueLen;
-
- PK11_RET(pkcs_C_FindObjectsInit,
- (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
- DST_R_CRYPTOFAILURE);
- PK11_RET(pkcs_C_FindObjects,
- (pk11_ctx->session, &hKey, (CK_ULONG)1, &cnt),
- DST_R_CRYPTOFAILURE);
- (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
- if (cnt == 0) {
- DST_RET(ISC_R_NOTFOUND);
- }
- if (cnt > 1) {
- DST_RET(ISC_R_EXISTS);
- }
-
- attr = ec->repr;
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
- DST_R_CRYPTOFAILURE);
- for (i = 0; i <= 1; i++) {
- attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
- memset(attr[i].pValue, 0, attr[i].ulValueLen);
- }
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
- DST_R_CRYPTOFAILURE);
-
- keyClass = CKO_PRIVATE_KEY;
- PK11_RET(pkcs_C_FindObjectsInit,
- (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
- DST_R_CRYPTOFAILURE);
- PK11_RET(pkcs_C_FindObjects,
- (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt),
- DST_R_CRYPTOFAILURE);
- (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
- if (cnt == 0) {
- DST_RET(ISC_R_NOTFOUND);
- }
- if (cnt > 1) {
- DST_RET(ISC_R_EXISTS);
- }
-
- if (engine != NULL) {
- key->engine = isc_mem_strdup(key->mctx, engine);
- }
-
- key->label = isc_mem_strdup(key->mctx, label);
- switch (key->key_alg) {
- case DST_ALG_ED25519:
- key->key_size = DNS_KEY_ED25519SIZE * 8;
- break;
- case DST_ALG_ED448:
- key->key_size = DNS_KEY_ED448SIZE * 8;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
- return (ISC_R_SUCCESS);
-
-err:
- pkcs11eddsa_destroy(key);
- if (pk11_ctx != NULL) {
- pk11_return_session(pk11_ctx);
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
- }
- return (ret);
-}
-
-static dst_func_t pkcs11eddsa_functions = {
- pkcs11eddsa_createctx,
- NULL, /*%< createctx2 */
- pkcs11eddsa_destroyctx,
- pkcs11eddsa_adddata,
- pkcs11eddsa_sign,
- pkcs11eddsa_verify,
- NULL, /*%< verify2 */
- NULL, /*%< computesecret */
- pkcs11eddsa_compare,
- NULL, /*%< paramcompare */
- pkcs11eddsa_generate,
- pkcs11eddsa_isprivate,
- pkcs11eddsa_destroy,
- pkcs11eddsa_todns,
- pkcs11eddsa_fromdns,
- pkcs11eddsa_tofile,
- pkcs11eddsa_parse,
- NULL, /*%< cleanup */
- pkcs11eddsa_fromlabel,
- NULL, /*%< dump */
- NULL, /*%< restore */
-};
-
-isc_result_t
-dst__pkcs11eddsa_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL) {
- *funcp = &pkcs11eddsa_functions;
- }
- return (ISC_R_SUCCESS);
-}
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <inttypes.h>
-#include <stdbool.h>
-
-#include <isc/mem.h>
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <pk11/internal.h>
-#include <pk11/site.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-#include "dst_pkcs11.h"
-
-/*
- * Limit the size of public exponents.
- */
-#ifndef RSA_MAX_PUBEXP_BITS
-#define RSA_MAX_PUBEXP_BITS 35
-#endif /* ifndef RSA_MAX_PUBEXP_BITS */
-
-#define DST_RET(a) \
- { \
- ret = a; \
- goto err; \
- }
-
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-static void
-pkcs11rsa_destroy(dst_key_t *key);
-
-#ifndef PK11_RSA_PKCS_REPLACE
-
-static isc_result_t
-pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
- CK_RV rv;
- CK_MECHANISM mech = { 0, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_RSA;
- CK_ATTRIBUTE keyTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_MODULUS, NULL, 0 },
- { CKA_PUBLIC_EXPONENT, NULL, 0 },
- { CKA_PRIVATE_EXPONENT, NULL, 0 },
- { CKA_PRIME_1, NULL, 0 },
- { CKA_PRIME_2, NULL, 0 },
- { CKA_EXPONENT_1, NULL, 0 },
- { CKA_EXPONENT_2, NULL, 0 },
- { CKA_COEFFICIENT, NULL, 0 }
- };
- CK_ATTRIBUTE *attr;
- CK_SLOT_ID slotid;
- pk11_object_t *rsa;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
- unsigned int i;
-
- REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
- key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- key->key_alg == DST_ALG_RSASHA256 ||
- key->key_alg == DST_ALG_RSASHA512);
-
- /*
- * Reject incorrect RSA key lengths.
- */
- switch (dctx->key->key_alg) {
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- /* From RFC 3110 */
- if (dctx->key->key_size > 4096) {
- return (ISC_R_FAILURE);
- }
- break;
- case DST_ALG_RSASHA256:
- /* From RFC 5702 */
- if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
- {
- return (ISC_R_FAILURE);
- }
- break;
- case DST_ALG_RSASHA512:
- /* From RFC 5702 */
- if ((dctx->key->key_size < 1024) ||
- (dctx->key->key_size > 4096)) {
- return (ISC_R_FAILURE);
- }
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- rsa = key->keydata.pkey;
-
- pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- if (rsa->ontoken) {
- slotid = rsa->slot;
- } else {
- slotid = pk11_get_best_token(OP_RSA);
- }
- ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
- NULL, slotid);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
- pk11_ctx->ontoken = rsa->ontoken;
- pk11_ctx->object = rsa->object;
- goto token_key;
- }
-
- for (attr = pk11_attribute_first(rsa); attr != NULL;
- attr = pk11_attribute_next(rsa, attr))
- switch (attr->type) {
- case CKA_MODULUS:
- INSIST(keyTemplate[6].type == attr->type);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- break;
- case CKA_PUBLIC_EXPONENT:
- INSIST(keyTemplate[7].type == attr->type);
- keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[7].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[7].ulValueLen = attr->ulValueLen;
- break;
- case CKA_PRIVATE_EXPONENT:
- INSIST(keyTemplate[8].type == attr->type);
- keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[8].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[8].ulValueLen = attr->ulValueLen;
- break;
- case CKA_PRIME_1:
- INSIST(keyTemplate[9].type == attr->type);
- keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[9].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[9].ulValueLen = attr->ulValueLen;
- break;
- case CKA_PRIME_2:
- INSIST(keyTemplate[10].type == attr->type);
- keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[10].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[10].ulValueLen = attr->ulValueLen;
- break;
- case CKA_EXPONENT_1:
- INSIST(keyTemplate[11].type == attr->type);
- keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[11].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[11].ulValueLen = attr->ulValueLen;
- break;
- case CKA_EXPONENT_2:
- INSIST(keyTemplate[12].type == attr->type);
- keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[12].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[12].ulValueLen = attr->ulValueLen;
- break;
- case CKA_COEFFICIENT:
- INSIST(keyTemplate[13].type == attr->type);
- keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[13].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[13].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = false;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session, keyTemplate, (CK_ULONG)14,
- &pk11_ctx->object),
- ISC_R_FAILURE);
-
-token_key:
-
- switch (dctx->key->key_alg) {
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- mech.mechanism = CKM_SHA1_RSA_PKCS;
- break;
- case DST_ALG_RSASHA256:
- mech.mechanism = CKM_SHA256_RSA_PKCS;
- break;
- case DST_ALG_RSASHA512:
- mech.mechanism = CKM_SHA512_RSA_PKCS;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- PK11_RET(pkcs_C_SignInit, (pk11_ctx->session, &mech, pk11_ctx->object),
- ISC_R_FAILURE);
-
- dctx->ctxdata.pk11_ctx = pk11_ctx;
-
- for (i = 6; i <= 13; i++) {
- if (keyTemplate[i].pValue != NULL) {
- {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- }
- }
-
- return (ISC_R_SUCCESS);
-
-err:
- if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
- }
- for (i = 6; i <= 13; i++) {
- if (keyTemplate[i].pValue != NULL) {
- {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- }
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
- dst_context_t *dctx) {
- CK_RV rv;
- CK_MECHANISM mech = { 0, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_RSA;
- CK_ATTRIBUTE keyTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_MODULUS, NULL, 0 },
- { CKA_PUBLIC_EXPONENT, NULL, 0 },
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *rsa;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
- unsigned int i;
-
- REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
- key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- key->key_alg == DST_ALG_RSASHA256 ||
- key->key_alg == DST_ALG_RSASHA512);
- REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
-
- /*
- * Reject incorrect RSA key lengths.
- */
- switch (dctx->key->key_alg) {
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- /* From RFC 3110 */
- if (dctx->key->key_size > 4096) {
- return (ISC_R_FAILURE);
- }
- break;
- case DST_ALG_RSASHA256:
- /* From RFC 5702 */
- if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
- {
- return (ISC_R_FAILURE);
- }
- break;
- case DST_ALG_RSASHA512:
- /* From RFC 5702 */
- if ((dctx->key->key_size < 1024) ||
- (dctx->key->key_size > 4096)) {
- return (ISC_R_FAILURE);
- }
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- rsa = key->keydata.pkey;
-
- pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
- ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
- NULL, pk11_get_best_token(OP_RSA));
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- for (attr = pk11_attribute_first(rsa); attr != NULL;
- attr = pk11_attribute_next(rsa, attr))
- {
- unsigned int bits;
-
- switch (attr->type) {
- case CKA_MODULUS:
- INSIST(keyTemplate[5].type == attr->type);
- keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[5].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[5].ulValueLen = attr->ulValueLen;
- break;
- case CKA_PUBLIC_EXPONENT:
- INSIST(keyTemplate[6].type == attr->type);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- ret = pk11_numbits(attr->pValue, attr->ulValueLen,
- &bits);
- if (ret != ISC_R_SUCCESS ||
- (bits > maxbits && maxbits != 0)) {
- DST_RET(DST_R_VERIFYFAILURE);
- }
- break;
- }
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = false;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session, keyTemplate, (CK_ULONG)7,
- &pk11_ctx->object),
- ISC_R_FAILURE);
-
- switch (dctx->key->key_alg) {
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- mech.mechanism = CKM_SHA1_RSA_PKCS;
- break;
- case DST_ALG_RSASHA256:
- mech.mechanism = CKM_SHA256_RSA_PKCS;
- break;
- case DST_ALG_RSASHA512:
- mech.mechanism = CKM_SHA512_RSA_PKCS;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- PK11_RET(pkcs_C_VerifyInit,
- (pk11_ctx->session, &mech, pk11_ctx->object), ISC_R_FAILURE);
-
- dctx->ctxdata.pk11_ctx = pk11_ctx;
-
- for (i = 5; i <= 6; i++) {
- if (keyTemplate[i].pValue != NULL) {
- {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- }
- }
-
- return (ISC_R_SUCCESS);
-
-err:
- if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
- }
- for (i = 5; i <= 6; i++) {
- if (keyTemplate[i].pValue != NULL) {
- {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- }
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
- if (dctx->use == DO_SIGN) {
- return (pkcs11rsa_createctx_sign(key, dctx));
- } else {
- return (pkcs11rsa_createctx_verify(key, 0U, dctx));
- }
-}
-
-static isc_result_t
-pkcs11rsa_createctx2(dst_key_t *key, int maxbits, dst_context_t *dctx) {
- if (dctx->use == DO_SIGN) {
- return (pkcs11rsa_createctx_sign(key, dctx));
- } else {
- return (pkcs11rsa_createctx_verify(key, (unsigned)maxbits,
- dctx));
- }
-}
-
-static void
-pkcs11rsa_destroyctx(dst_context_t *dctx) {
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
-
- if (pk11_ctx != NULL) {
- if (!pk11_ctx->ontoken &&
- (pk11_ctx->object != CK_INVALID_HANDLE)) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session,
- pk11_ctx->object);
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- dctx->ctxdata.pk11_ctx = NULL;
- }
-}
-
-static isc_result_t
-pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- CK_RV rv;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- if (dctx->use == DO_SIGN) {
- PK11_CALL(pkcs_C_SignUpdate,
- (pk11_ctx->session, (CK_BYTE_PTR)data->base,
- (CK_ULONG)data->length),
- ISC_R_FAILURE);
- } else {
- PK11_CALL(pkcs_C_VerifyUpdate,
- (pk11_ctx->session, (CK_BYTE_PTR)data->base,
- (CK_ULONG)data->length),
- ISC_R_FAILURE);
- }
- return (ret);
-}
-
-static isc_result_t
-pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- CK_RV rv;
- CK_ULONG siglen = 0;
- isc_region_t r;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- PK11_RET(pkcs_C_SignFinal, (pk11_ctx->session, NULL, &siglen),
- DST_R_SIGNFAILURE);
-
- isc_buffer_availableregion(sig, &r);
-
- if (r.length < (unsigned int)siglen) {
- return (ISC_R_NOSPACE);
- }
-
- PK11_RET(pkcs_C_SignFinal,
- (pk11_ctx->session, (CK_BYTE_PTR)r.base, &siglen),
- DST_R_SIGNFAILURE);
-
- isc_buffer_add(sig, (unsigned int)siglen);
-
-err:
- return (ret);
-}
-
-static isc_result_t
-pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- CK_RV rv;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- PK11_CALL(pkcs_C_VerifyFinal,
- (pk11_ctx->session, (CK_BYTE_PTR)sig->base,
- (CK_ULONG)sig->length),
- DST_R_VERIFYFAILURE);
- return (ret);
-}
-
-#else /* ifndef PK11_RSA_PKCS_REPLACE */
-
-/*
- * CKM_<hash>_RSA_PKCS mechanisms are not available so fall back
- * to CKM_RSA_PKCS and do the EMSA-PKCS#1-v1.5 encapsulation by hand.
- */
-
-CK_BYTE md5_der[] = { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48,
- 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
-CK_BYTE sha1_der[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
- 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
-CK_BYTE sha256_der[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
- 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
- 0x01, 0x05, 0x00, 0x04, 0x20 };
-CK_BYTE sha512_der[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
- 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
- 0x03, 0x05, 0x00, 0x04, 0x40 };
-#define MAX_DER_SIZE 19
-#define MIN_PKCS1_PADLEN 11
-
-static isc_result_t
-pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
- CK_RV rv;
- CK_MECHANISM mech = { 0, NULL, 0 };
- CK_SLOT_ID slotid;
- pk11_object_t *rsa = key->keydata.pkey;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
-
- REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
- key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- key->key_alg == DST_ALG_RSASHA256 ||
- key->key_alg == DST_ALG_RSASHA512);
- REQUIRE(rsa != NULL);
-
- /*
- * Reject incorrect RSA key lengths.
- */
- switch (dctx->key->key_alg) {
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- /* From RFC 3110 */
- if (dctx->key->key_size > 4096) {
- return (ISC_R_FAILURE);
- }
- break;
- case DST_ALG_RSASHA256:
- /* From RFC 5702 */
- if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
- {
- return (ISC_R_FAILURE);
- }
- break;
- case DST_ALG_RSASHA512:
- /* From RFC 5702 */
- if ((dctx->key->key_size < 1024) ||
- (dctx->key->key_size > 4096)) {
- return (ISC_R_FAILURE);
- }
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- switch (key->key_alg) {
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- mech.mechanism = CKM_SHA_1;
- break;
- case DST_ALG_RSASHA256:
- mech.mechanism = CKM_SHA256;
- break;
- case DST_ALG_RSASHA512:
- mech.mechanism = CKM_SHA512;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
- memset(pk11_ctx, 0, sizeof(*pk11_ctx));
- if (rsa->ontoken) {
- slotid = rsa->slot;
- } else {
- slotid = pk11_get_best_token(OP_RSA);
- }
- ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
- NULL, slotid);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE);
- dctx->ctxdata.pk11_ctx = pk11_ctx;
- return (ISC_R_SUCCESS);
-
-err:
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static void
-pkcs11rsa_destroyctx(dst_context_t *dctx) {
- CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
-
- if (pk11_ctx != NULL) {
- (void)pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- dctx->ctxdata.pk11_ctx = NULL;
- }
-}
-
-static isc_result_t
-pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- CK_RV rv;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- PK11_CALL(pkcs_C_DigestUpdate,
- (pk11_ctx->session, (CK_BYTE_PTR)data->base,
- (CK_ULONG)data->length),
- ISC_R_FAILURE);
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 };
- CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_RSA;
- CK_ATTRIBUTE keyTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_MODULUS, NULL, 0 },
- { CKA_PUBLIC_EXPONENT, NULL, 0 },
- { CKA_PRIVATE_EXPONENT, NULL, 0 },
- { CKA_PRIME_1, NULL, 0 },
- { CKA_PRIME_2, NULL, 0 },
- { CKA_EXPONENT_1, NULL, 0 },
- { CKA_EXPONENT_2, NULL, 0 },
- { CKA_COEFFICIENT, NULL, 0 }
- };
- CK_ATTRIBUTE *attr;
- CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH];
- CK_BYTE *der;
- CK_ULONG derlen;
- CK_ULONG hashlen;
- CK_ULONG dgstlen;
- CK_ULONG siglen = 0;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- dst_key_t *key = dctx->key;
- pk11_object_t *rsa = key->keydata.pkey;
- isc_region_t r;
- isc_result_t ret = ISC_R_SUCCESS;
- unsigned int i;
-
- REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
- key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- key->key_alg == DST_ALG_RSASHA256 ||
- key->key_alg == DST_ALG_RSASHA512);
- REQUIRE(rsa != NULL);
-
- /*
- * Reject incorrect RSA key lengths.
- */
- switch (dctx->key->key_alg) {
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- /* From RFC 3110 */
- if (dctx->key->key_size > 4096) {
- return (ISC_R_FAILURE);
- }
- break;
- case DST_ALG_RSASHA256:
- /* From RFC 5702 */
- if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
- {
- return (ISC_R_FAILURE);
- }
- break;
- case DST_ALG_RSASHA512:
- /* From RFC 5702 */
- if ((dctx->key->key_size < 1024) ||
- (dctx->key->key_size > 4096)) {
- return (ISC_R_FAILURE);
- }
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- switch (key->key_alg) {
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- der = sha1_der;
- derlen = sizeof(sha1_der);
- hashlen = ISC_SHA1_DIGESTLENGTH;
- break;
- case DST_ALG_RSASHA256:
- der = sha256_der;
- derlen = sizeof(sha256_der);
- hashlen = ISC_SHA256_DIGESTLENGTH;
- break;
- case DST_ALG_RSASHA512:
- der = sha512_der;
- derlen = sizeof(sha512_der);
- hashlen = ISC_SHA512_DIGESTLENGTH;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
- dgstlen = derlen + hashlen;
- INSIST(dgstlen <= sizeof(digest));
- memmove(digest, der, derlen);
-
- PK11_RET(pkcs_C_DigestFinal,
- (pk11_ctx->session, digest + derlen, &hashlen),
- DST_R_SIGNFAILURE);
-
- isc_buffer_availableregion(sig, &r);
- if (r.length < (unsigned int)dgstlen + MIN_PKCS1_PADLEN) {
- return (ISC_R_NOSPACE);
- }
-
- if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
- pk11_ctx->ontoken = rsa->ontoken;
- pk11_ctx->object = rsa->object;
- goto token_key;
- }
-
- for (attr = pk11_attribute_first(rsa); attr != NULL;
- attr = pk11_attribute_next(rsa, attr))
- switch (attr->type) {
- case CKA_MODULUS:
- INSIST(keyTemplate[6].type == attr->type);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- break;
- case CKA_PUBLIC_EXPONENT:
- INSIST(keyTemplate[7].type == attr->type);
- keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[7].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[7].ulValueLen = attr->ulValueLen;
- break;
- case CKA_PRIVATE_EXPONENT:
- INSIST(keyTemplate[8].type == attr->type);
- keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[8].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[8].ulValueLen = attr->ulValueLen;
- break;
- case CKA_PRIME_1:
- INSIST(keyTemplate[9].type == attr->type);
- keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[9].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[9].ulValueLen = attr->ulValueLen;
- break;
- case CKA_PRIME_2:
- INSIST(keyTemplate[10].type == attr->type);
- keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[10].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[10].ulValueLen = attr->ulValueLen;
- break;
- case CKA_EXPONENT_1:
- INSIST(keyTemplate[11].type == attr->type);
- keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[11].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[11].ulValueLen = attr->ulValueLen;
- break;
- case CKA_EXPONENT_2:
- INSIST(keyTemplate[12].type == attr->type);
- keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[12].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[12].ulValueLen = attr->ulValueLen;
- break;
- case CKA_COEFFICIENT:
- INSIST(keyTemplate[13].type == attr->type);
- keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[13].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[13].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = false;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session, keyTemplate, (CK_ULONG)14, &hKey),
- ISC_R_FAILURE);
-
-token_key:
-
- PK11_RET(pkcs_C_SignInit,
- (pk11_ctx->session, &mech,
- pk11_ctx->ontoken ? pk11_ctx->object : hKey),
- ISC_R_FAILURE);
-
- PK11_RET(pkcs_C_Sign,
- (pk11_ctx->session, digest, dgstlen, NULL, &siglen),
- DST_R_SIGNFAILURE);
-
- if (r.length < (unsigned int)siglen) {
- return (ISC_R_NOSPACE);
- }
-
- PK11_RET(pkcs_C_Sign,
- (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)r.base,
- &siglen),
- DST_R_SIGNFAILURE);
-
- isc_buffer_add(sig, (unsigned int)siglen);
-
-err:
- if (hKey != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
- }
- for (i = 6; i <= 13; i++) {
- if (keyTemplate[i].pValue != NULL) {
- {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- }
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- dctx->ctxdata.pk11_ctx = NULL;
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 };
- CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_RSA;
- CK_ATTRIBUTE keyTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_MODULUS, NULL, 0 },
- { CKA_PUBLIC_EXPONENT, NULL, 0 },
- };
- CK_ATTRIBUTE *attr;
- CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH];
- CK_BYTE *der;
- CK_ULONG derlen;
- CK_ULONG hashlen;
- CK_ULONG dgstlen;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- dst_key_t *key = dctx->key;
- pk11_object_t *rsa = key->keydata.pkey;
- isc_result_t ret = ISC_R_SUCCESS;
- unsigned int i;
-
- REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
- key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- key->key_alg == DST_ALG_RSASHA256 ||
- key->key_alg == DST_ALG_RSASHA512);
- REQUIRE(rsa != NULL);
-
- switch (key->key_alg) {
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- der = sha1_der;
- derlen = sizeof(sha1_der);
- hashlen = ISC_SHA1_DIGESTLENGTH;
- break;
- case DST_ALG_RSASHA256:
- der = sha256_der;
- derlen = sizeof(sha256_der);
- hashlen = ISC_SHA256_DIGESTLENGTH;
- break;
- case DST_ALG_RSASHA512:
- der = sha512_der;
- derlen = sizeof(sha512_der);
- hashlen = ISC_SHA512_DIGESTLENGTH;
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
- dgstlen = derlen + hashlen;
- INSIST(dgstlen <= sizeof(digest));
- memmove(digest, der, derlen);
-
- PK11_RET(pkcs_C_DigestFinal,
- (pk11_ctx->session, digest + derlen, &hashlen),
- DST_R_SIGNFAILURE);
-
- for (attr = pk11_attribute_first(rsa); attr != NULL;
- attr = pk11_attribute_next(rsa, attr))
- {
- unsigned int bits;
-
- switch (attr->type) {
- case CKA_MODULUS:
- INSIST(keyTemplate[5].type == attr->type);
- keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[5].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[5].ulValueLen = attr->ulValueLen;
- break;
- case CKA_PUBLIC_EXPONENT:
- INSIST(keyTemplate[6].type == attr->type);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- ret = pk11_numbits(attr->pValue, attr->ulValueLen,
- &bits);
- if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
- {
- DST_RET(DST_R_VERIFYFAILURE);
- }
- break;
- }
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = false;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
- ISC_R_FAILURE);
-
- PK11_RET(pkcs_C_VerifyInit, (pk11_ctx->session, &mech, hKey),
- ISC_R_FAILURE);
-
- PK11_RET(pkcs_C_Verify,
- (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)sig->base,
- (CK_ULONG)sig->length),
- DST_R_VERIFYFAILURE);
-
-err:
- if (hKey != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
- }
- for (i = 5; i <= 6; i++) {
- if (keyTemplate[i].pValue != NULL) {
- {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- }
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- dctx->ctxdata.pk11_ctx = NULL;
-
- return (ret);
-}
-#endif /* ifndef PK11_RSA_PKCS_REPLACE */
-
-static bool
-pkcs11rsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- pk11_object_t *rsa1, *rsa2;
- CK_ATTRIBUTE *attr1, *attr2;
-
- rsa1 = key1->keydata.pkey;
- rsa2 = key2->keydata.pkey;
-
- if ((rsa1 == NULL) && (rsa2 == NULL)) {
- return (true);
- } else if ((rsa1 == NULL) || (rsa2 == NULL)) {
- return (false);
- }
-
- attr1 = pk11_attribute_bytype(rsa1, CKA_MODULUS);
- attr2 = pk11_attribute_bytype(rsa2, CKA_MODULUS);
- if ((attr1 == NULL) && (attr2 == NULL)) {
- return (true);
- } else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- {
- return (false);
- }
-
- attr1 = pk11_attribute_bytype(rsa1, CKA_PUBLIC_EXPONENT);
- attr2 = pk11_attribute_bytype(rsa2, CKA_PUBLIC_EXPONENT);
- if ((attr1 == NULL) && (attr2 == NULL)) {
- return (true);
- } else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- {
- return (false);
- }
-
- attr1 = pk11_attribute_bytype(rsa1, CKA_PRIVATE_EXPONENT);
- attr2 = pk11_attribute_bytype(rsa2, CKA_PRIVATE_EXPONENT);
- if (((attr1 != NULL) || (attr2 != NULL)) &&
- ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen)))
- {
- return (false);
- }
-
- if (!rsa1->ontoken && !rsa2->ontoken) {
- return (true);
- } else if (rsa1->ontoken || rsa2->ontoken ||
- (rsa1->object != rsa2->object)) {
- return (false);
- }
-
- return (true);
-}
-
-static isc_result_t
-pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
- CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
- CK_ULONG bits = 0;
- CK_BYTE pubexp[5];
- CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_RSA;
- CK_ATTRIBUTE pubTemplate[] = {
- { CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_MODULUS_BITS, &bits, (CK_ULONG)sizeof(bits) },
- { CKA_PUBLIC_EXPONENT, &pubexp, (CK_ULONG)sizeof(pubexp) }
- };
- CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
- CK_ATTRIBUTE privTemplate[] = {
- { CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
- { CKA_EXTRACTABLE, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *rsa;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
- unsigned int i;
-
- UNUSED(callback);
-
- /*
- * Reject incorrect RSA key lengths.
- */
- switch (key->key_alg) {
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- /* From RFC 3110 */
- if (key->key_size > 4096) {
- return (ISC_R_FAILURE);
- }
- break;
- case DST_ALG_RSASHA256:
- /* From RFC 5702 */
- if ((key->key_size < 512) || (key->key_size > 4096)) {
- return (ISC_R_FAILURE);
- }
- break;
- case DST_ALG_RSASHA512:
- /* From RFC 5702 */
- if ((key->key_size < 1024) || (key->key_size > 4096)) {
- return (ISC_R_FAILURE);
- }
- break;
- default:
- INSIST(0);
- ISC_UNREACHABLE();
- }
-
- pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
- ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, false, NULL,
- pk11_get_best_token(OP_RSA));
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- bits = key->key_size;
- if (exp == 0) {
- /* RSA_F4 0x10001 */
- pubexp[0] = 1;
- pubexp[1] = 0;
- pubexp[2] = 1;
- pubTemplate[6].ulValueLen = 3;
- } else {
- /* F5 0x100000001 */
- pubexp[0] = 1;
- pubexp[1] = 0;
- pubexp[2] = 0;
- pubexp[3] = 0;
- pubexp[4] = 1;
- pubTemplate[6].ulValueLen = 5;
- }
-
- PK11_RET(pkcs_C_GenerateKeyPair,
- (pk11_ctx->session, &mech, pubTemplate, (CK_ULONG)7,
- privTemplate, (CK_ULONG)7, &pub, &priv),
- DST_R_CRYPTOFAILURE);
-
- rsa = isc_mem_get(key->mctx, sizeof(*rsa));
- memset(rsa, 0, sizeof(*rsa));
- key->keydata.pkey = rsa;
- rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 8);
- memset(rsa->repr, 0, sizeof(*attr) * 8);
- rsa->attrcnt = 8;
-
- attr = rsa->repr;
- attr[0].type = CKA_MODULUS;
- attr[1].type = CKA_PUBLIC_EXPONENT;
- attr[2].type = CKA_PRIVATE_EXPONENT;
- attr[3].type = CKA_PRIME_1;
- attr[4].type = CKA_PRIME_2;
- attr[5].type = CKA_EXPONENT_1;
- attr[6].type = CKA_EXPONENT_2;
- attr[7].type = CKA_COEFFICIENT;
-
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 2),
- DST_R_CRYPTOFAILURE);
- for (i = 0; i <= 1; i++) {
- attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
- memset(attr[i].pValue, 0, attr[i].ulValueLen);
- }
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 2),
- DST_R_CRYPTOFAILURE);
-
- attr += 2;
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 6),
- DST_R_CRYPTOFAILURE);
- for (i = 0; i <= 5; i++) {
- attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
- memset(attr[i].pValue, 0, attr[i].ulValueLen);
- }
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 6),
- DST_R_CRYPTOFAILURE);
-
- (void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
- (void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ISC_R_SUCCESS);
-
-err:
- pkcs11rsa_destroy(key);
- if (priv != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
- }
- if (pub != CK_INVALID_HANDLE) {
- (void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static bool
-pkcs11rsa_isprivate(const dst_key_t *key) {
- pk11_object_t *rsa = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (rsa == NULL) {
- return (false);
- }
- attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT);
- return (attr != NULL || rsa->ontoken);
-}
-
-static void
-pkcs11rsa_destroy(dst_key_t *key) {
- pk11_object_t *rsa = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (rsa == NULL) {
- return;
- }
-
- INSIST((rsa->object == CK_INVALID_HANDLE) || rsa->ontoken);
-
- for (attr = pk11_attribute_first(rsa); attr != NULL;
- attr = pk11_attribute_next(rsa, attr))
- switch (attr->type) {
- case CKA_LABEL:
- case CKA_ID:
- case CKA_MODULUS:
- case CKA_PUBLIC_EXPONENT:
- case CKA_PRIVATE_EXPONENT:
- case CKA_PRIME_1:
- case CKA_PRIME_2:
- case CKA_EXPONENT_1:
- case CKA_EXPONENT_2:
- case CKA_COEFFICIENT:
- if (attr->pValue != NULL) {
- isc_safe_memwipe(attr->pValue,
- attr->ulValueLen);
- isc_mem_put(key->mctx, attr->pValue,
- attr->ulValueLen);
- }
- break;
- }
- if (rsa->repr != NULL) {
- isc_safe_memwipe(rsa->repr, rsa->attrcnt * sizeof(*attr));
- isc_mem_put(key->mctx, rsa->repr, rsa->attrcnt * sizeof(*attr));
- }
- isc_safe_memwipe(rsa, sizeof(*rsa));
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- key->keydata.pkey = NULL;
-}
-
-static isc_result_t
-pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *rsa;
- CK_ATTRIBUTE *attr;
- isc_region_t r;
- unsigned int e_bytes = 0, mod_bytes = 0;
- CK_BYTE *exponent = NULL, *modulus = NULL;
-
- REQUIRE(key->keydata.pkey != NULL);
-
- rsa = key->keydata.pkey;
-
- for (attr = pk11_attribute_first(rsa); attr != NULL;
- attr = pk11_attribute_next(rsa, attr))
- switch (attr->type) {
- case CKA_PUBLIC_EXPONENT:
- exponent = (CK_BYTE *)attr->pValue;
- e_bytes = (unsigned int)attr->ulValueLen;
- break;
- case CKA_MODULUS:
- modulus = (CK_BYTE *)attr->pValue;
- mod_bytes = (unsigned int)attr->ulValueLen;
- break;
- }
- REQUIRE((exponent != NULL) && (modulus != NULL));
-
- isc_buffer_availableregion(data, &r);
-
- if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
- if (r.length < 1) {
- return (ISC_R_NOSPACE);
- }
- isc_buffer_putuint8(data, (uint8_t)e_bytes);
- isc_region_consume(&r, 1);
- } else {
- if (r.length < 3) {
- return (ISC_R_NOSPACE);
- }
- isc_buffer_putuint8(data, 0);
- isc_buffer_putuint16(data, (uint16_t)e_bytes);
- isc_region_consume(&r, 3);
- }
-
- if (r.length < e_bytes + mod_bytes) {
- return (ISC_R_NOSPACE);
- }
-
- memmove(r.base, exponent, e_bytes);
- isc_region_consume(&r, e_bytes);
- memmove(r.base, modulus, mod_bytes);
-
- isc_buffer_add(data, e_bytes + mod_bytes);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *rsa;
- isc_region_t r;
- unsigned int e_bytes, mod_bytes;
- CK_BYTE *exponent = NULL, *modulus = NULL;
- CK_ATTRIBUTE *attr;
- unsigned int length;
- unsigned int bits;
- isc_result_t ret = ISC_R_SUCCESS;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0) {
- return (ISC_R_SUCCESS);
- }
- length = r.length;
-
- rsa = isc_mem_get(key->mctx, sizeof(*rsa));
-
- memset(rsa, 0, sizeof(*rsa));
-
- e_bytes = *r.base;
- isc_region_consume(&r, 1);
-
- if (e_bytes == 0) {
- if (r.length < 2) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- e_bytes = (*r.base) << 8;
- isc_region_consume(&r, 1);
- e_bytes += *r.base;
- isc_region_consume(&r, 1);
- }
-
- if (r.length < e_bytes) {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- exponent = r.base;
- isc_region_consume(&r, e_bytes);
- modulus = r.base;
- mod_bytes = r.length;
-
- ret = pk11_numbits(modulus, mod_bytes, &bits);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- key->key_size = bits;
-
- isc_buffer_forward(data, length);
-
- rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
- memset(rsa->repr, 0, sizeof(*attr) * 2);
- rsa->attrcnt = 2;
- attr = rsa->repr;
- attr[0].type = CKA_MODULUS;
- attr[0].pValue = isc_mem_get(key->mctx, mod_bytes);
- memmove(attr[0].pValue, modulus, mod_bytes);
- attr[0].ulValueLen = (CK_ULONG)mod_bytes;
- attr[1].type = CKA_PUBLIC_EXPONENT;
- attr[1].pValue = isc_mem_get(key->mctx, e_bytes);
- memmove(attr[1].pValue, exponent, e_bytes);
- attr[1].ulValueLen = (CK_ULONG)e_bytes;
-
- key->keydata.pkey = rsa;
-
- return (ISC_R_SUCCESS);
-err:
- isc_safe_memwipe(rsa, sizeof(*rsa));
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (ret);
-}
-
-static isc_result_t
-pkcs11rsa_tofile(const dst_key_t *key, const char *directory) {
- int i;
- pk11_object_t *rsa;
- CK_ATTRIBUTE *attr;
- CK_ATTRIBUTE *modulus = NULL, *exponent = NULL;
- CK_ATTRIBUTE *d = NULL, *p = NULL, *q = NULL;
- CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
- dst_private_t priv;
- unsigned char *bufs[10];
- isc_result_t result;
-
- if (key->keydata.pkey == NULL) {
- return (DST_R_NULLKEY);
- }
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- rsa = key->keydata.pkey;
-
- for (attr = pk11_attribute_first(rsa); attr != NULL;
- attr = pk11_attribute_next(rsa, attr))
- switch (attr->type) {
- case CKA_MODULUS:
- modulus = attr;
- break;
- case CKA_PUBLIC_EXPONENT:
- exponent = attr;
- break;
- case CKA_PRIVATE_EXPONENT:
- d = attr;
- break;
- case CKA_PRIME_1:
- p = attr;
- break;
- case CKA_PRIME_2:
- q = attr;
- break;
- case CKA_EXPONENT_1:
- dmp1 = attr;
- break;
- case CKA_EXPONENT_2:
- dmq1 = attr;
- break;
- case CKA_COEFFICIENT:
- iqmp = attr;
- break;
- }
- if ((modulus == NULL) || (exponent == NULL)) {
- return (DST_R_NULLKEY);
- }
-
- memset(bufs, 0, sizeof(bufs));
-
- for (i = 0; i < 10; i++) {
- bufs[i] = isc_mem_get(key->mctx, modulus->ulValueLen);
- memset(bufs[i], 0, modulus->ulValueLen);
- }
-
- i = 0;
-
- priv.elements[i].tag = TAG_RSA_MODULUS;
- priv.elements[i].length = (unsigned short)modulus->ulValueLen;
- memmove(bufs[i], modulus->pValue, modulus->ulValueLen);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
- priv.elements[i].length = (unsigned short)exponent->ulValueLen;
- memmove(bufs[i], exponent->pValue, exponent->ulValueLen);
- priv.elements[i].data = bufs[i];
- i++;
-
- if (d != NULL) {
- priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
- priv.elements[i].length = (unsigned short)d->ulValueLen;
- memmove(bufs[i], d->pValue, d->ulValueLen);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
- if (p != NULL) {
- priv.elements[i].tag = TAG_RSA_PRIME1;
- priv.elements[i].length = (unsigned short)p->ulValueLen;
- memmove(bufs[i], p->pValue, p->ulValueLen);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
- if (q != NULL) {
- priv.elements[i].tag = TAG_RSA_PRIME2;
- priv.elements[i].length = (unsigned short)q->ulValueLen;
- memmove(bufs[i], q->pValue, q->ulValueLen);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
- if (dmp1 != NULL) {
- priv.elements[i].tag = TAG_RSA_EXPONENT1;
- priv.elements[i].length = (unsigned short)dmp1->ulValueLen;
- memmove(bufs[i], dmp1->pValue, dmp1->ulValueLen);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
- if (dmq1 != NULL) {
- priv.elements[i].tag = TAG_RSA_EXPONENT2;
- priv.elements[i].length = (unsigned short)dmq1->ulValueLen;
- memmove(bufs[i], dmq1->pValue, dmq1->ulValueLen);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
- if (iqmp != NULL) {
- priv.elements[i].tag = TAG_RSA_COEFFICIENT;
- priv.elements[i].length = (unsigned short)iqmp->ulValueLen;
- memmove(bufs[i], iqmp->pValue, iqmp->ulValueLen);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
- if (key->engine != NULL) {
- priv.elements[i].tag = TAG_RSA_ENGINE;
- priv.elements[i].length = (unsigned short)strlen(key->engine) +
- 1;
- priv.elements[i].data = (unsigned char *)key->engine;
- i++;
- }
-
- if (key->label != NULL) {
- priv.elements[i].tag = TAG_RSA_LABEL;
- priv.elements[i].length = (unsigned short)strlen(key->label) +
- 1;
- priv.elements[i].data = (unsigned char *)key->label;
- i++;
- }
-
- priv.nelements = i;
- result = dst__privstruct_writefile(key, &priv, directory);
- for (i = 0; i < 10; i++) {
- if (bufs[i] == NULL) {
- break;
- }
- isc_safe_memwipe(bufs[i], modulus->ulValueLen);
- isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen);
- }
- return (result);
-}
-
-static isc_result_t
-pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
- dst_key_t *pub) {
- CK_RV rv;
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_RSA;
- CK_ATTRIBUTE searchTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_LABEL, NULL, 0 }
- };
- CK_ULONG cnt;
- CK_ATTRIBUTE *attr;
- CK_ATTRIBUTE *pubattr;
- pk11_object_t *rsa;
- pk11_object_t *pubrsa;
- pk11_context_t *pk11_ctx = NULL;
- isc_result_t ret;
- unsigned int bits;
-
- if (label == NULL) {
- return (DST_R_NOENGINE);
- }
-
- rsa = key->keydata.pkey;
- pubrsa = pub->keydata.pkey;
-
- rsa->object = CK_INVALID_HANDLE;
- rsa->ontoken = true;
- rsa->reqlogon = true;
- rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
- memset(rsa->repr, 0, sizeof(*attr) * 2);
- rsa->attrcnt = 2;
- attr = rsa->repr;
-
- attr->type = CKA_MODULUS;
- pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
- INSIST(pubattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
- memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
- attr->ulValueLen = pubattr->ulValueLen;
- attr++;
-
- attr->type = CKA_PUBLIC_EXPONENT;
- pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
- INSIST(pubattr != NULL);
- attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
- memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
- attr->ulValueLen = pubattr->ulValueLen;
-
- ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
- ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
- NULL, rsa->slot);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- attr = pk11_attribute_bytype(rsa, CKA_LABEL);
- if (attr == NULL) {
- attr = pk11_attribute_bytype(rsa, CKA_ID);
- INSIST(attr != NULL);
- searchTemplate[3].type = CKA_ID;
- }
- searchTemplate[3].pValue = attr->pValue;
- searchTemplate[3].ulValueLen = attr->ulValueLen;
-
- PK11_RET(pkcs_C_FindObjectsInit,
- (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
- DST_R_CRYPTOFAILURE);
- PK11_RET(pkcs_C_FindObjects,
- (pk11_ctx->session, &rsa->object, (CK_ULONG)1, &cnt),
- DST_R_CRYPTOFAILURE);
- (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
- if (cnt == 0) {
- DST_RET(ISC_R_NOTFOUND);
- }
- if (cnt > 1) {
- DST_RET(ISC_R_EXISTS);
- }
-
- if (engine != NULL) {
- key->engine = isc_mem_strdup(key->mctx, engine);
- }
-
- key->label = isc_mem_strdup(key->mctx, label);
-
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
- INSIST(attr != NULL);
- ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- key->key_size = bits;
-
- return (ISC_R_SUCCESS);
-
-err:
- if (pk11_ctx != NULL) {
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
- }
-
- return (ret);
-}
-
-static isc_result_t
-rsa_check(pk11_object_t *rsa, pk11_object_t *pubrsa) {
- CK_ATTRIBUTE *pubattr, *privattr;
- CK_BYTE *priv_exp = NULL, *priv_mod = NULL;
- CK_BYTE *pub_exp = NULL, *pub_mod = NULL;
- unsigned int priv_explen = 0, priv_modlen = 0;
- unsigned int pub_explen = 0, pub_modlen = 0;
-
- REQUIRE(rsa != NULL && pubrsa != NULL);
-
- privattr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
- INSIST(privattr != NULL);
- priv_exp = privattr->pValue;
- priv_explen = privattr->ulValueLen;
-
- pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
- INSIST(pubattr != NULL);
- pub_exp = pubattr->pValue;
- pub_explen = pubattr->ulValueLen;
-
- if (priv_exp != NULL) {
- if (priv_explen != pub_explen) {
- return (DST_R_INVALIDPRIVATEKEY);
- }
- if (!isc_safe_memequal(priv_exp, pub_exp, pub_explen)) {
- return (DST_R_INVALIDPRIVATEKEY);
- }
- } else {
- privattr->pValue = pub_exp;
- privattr->ulValueLen = pub_explen;
- pubattr->pValue = NULL;
- pubattr->ulValueLen = 0;
- }
-
- if (privattr->pValue == NULL) {
- return (DST_R_INVALIDPRIVATEKEY);
- }
-
- privattr = pk11_attribute_bytype(rsa, CKA_MODULUS);
- INSIST(privattr != NULL);
- priv_mod = privattr->pValue;
- priv_modlen = privattr->ulValueLen;
-
- pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
- INSIST(pubattr != NULL);
- pub_mod = pubattr->pValue;
- pub_modlen = pubattr->ulValueLen;
-
- if (priv_mod != NULL) {
- if (priv_modlen != pub_modlen) {
- return (DST_R_INVALIDPRIVATEKEY);
- }
- if (!isc_safe_memequal(priv_mod, pub_mod, pub_modlen)) {
- return (DST_R_INVALIDPRIVATEKEY);
- }
- } else {
- privattr->pValue = pub_mod;
- privattr->ulValueLen = pub_modlen;
- pubattr->pValue = NULL;
- pubattr->ulValueLen = 0;
- }
-
- if (privattr->pValue == NULL) {
- return (DST_R_INVALIDPRIVATEKEY);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dst_private_t priv;
- isc_result_t ret;
- int i;
- pk11_object_t *rsa;
- CK_ATTRIBUTE *attr;
- isc_mem_t *mctx = key->mctx;
- const char *engine = NULL, *label = NULL;
- unsigned int bits;
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS) {
- return (ret);
- }
-
- if (key->external) {
- if (priv.nelements != 0) {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
- if (pub == NULL) {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
-
- key->keydata.pkey = pub->keydata.pkey;
- pub->keydata.pkey = NULL;
- key->key_size = pub->key_size;
-
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
-
- return (ISC_R_SUCCESS);
- }
-
- for (i = 0; i < priv.nelements; i++) {
- switch (priv.elements[i].tag) {
- case TAG_RSA_ENGINE:
- engine = (char *)priv.elements[i].data;
- break;
- case TAG_RSA_LABEL:
- label = (char *)priv.elements[i].data;
- break;
- default:
- break;
- }
- }
- rsa = isc_mem_get(key->mctx, sizeof(*rsa));
- memset(rsa, 0, sizeof(*rsa));
- key->keydata.pkey = rsa;
-
- /* Is this key is stored in a HSM? See if we can fetch it. */
- if ((label != NULL) || (engine != NULL)) {
- ret = pkcs11rsa_fetch(key, engine, label, pub);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- return (ret);
- }
-
- rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 8);
- memset(rsa->repr, 0, sizeof(*attr) * 8);
- rsa->attrcnt = 8;
- attr = rsa->repr;
- attr[0].type = CKA_MODULUS;
- attr[1].type = CKA_PUBLIC_EXPONENT;
- attr[2].type = CKA_PRIVATE_EXPONENT;
- attr[3].type = CKA_PRIME_1;
- attr[4].type = CKA_PRIME_2;
- attr[5].type = CKA_EXPONENT_1;
- attr[6].type = CKA_EXPONENT_2;
- attr[7].type = CKA_COEFFICIENT;
-
- for (i = 0; i < priv.nelements; i++) {
- CK_BYTE *bn;
-
- switch (priv.elements[i].tag) {
- case TAG_RSA_ENGINE:
- continue;
- case TAG_RSA_LABEL:
- continue;
- default:
- bn = isc_mem_get(key->mctx, priv.elements[i].length);
- memmove(bn, priv.elements[i].data,
- priv.elements[i].length);
- }
-
- switch (priv.elements[i].tag) {
- case TAG_RSA_MODULUS:
- attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_RSA_PUBLICEXPONENT:
- attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_RSA_PRIVATEEXPONENT:
- attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_RSA_PRIME1:
- attr = pk11_attribute_bytype(rsa, CKA_PRIME_1);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_RSA_PRIME2:
- attr = pk11_attribute_bytype(rsa, CKA_PRIME_2);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_RSA_EXPONENT1:
- attr = pk11_attribute_bytype(rsa, CKA_EXPONENT_1);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_RSA_EXPONENT2:
- attr = pk11_attribute_bytype(rsa, CKA_EXPONENT_2);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_RSA_COEFFICIENT:
- attr = pk11_attribute_bytype(rsa, CKA_COEFFICIENT);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- }
- }
-
- if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS) {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
-
- attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
- INSIST(attr != NULL);
- ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- key->key_size = bits;
-
- attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
- INSIST(attr != NULL);
-
- ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- if (bits > RSA_MAX_PUBEXP_BITS) {
- DST_RET(ISC_R_RANGE);
- }
-
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
-
- return (ISC_R_SUCCESS);
-
-err:
- pkcs11rsa_destroy(key);
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- return (ret);
-}
-
-static isc_result_t
-pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- const char *pin) {
- CK_RV rv;
- CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_RSA;
- CK_ATTRIBUTE searchTemplate[] = {
- { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
- { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
- { CKA_LABEL, NULL, 0 }
- };
- CK_ULONG cnt;
- CK_ATTRIBUTE *attr;
- pk11_object_t *rsa;
- pk11_context_t *pk11_ctx = NULL;
- isc_result_t ret;
- unsigned int i;
- unsigned int bits;
-
- UNUSED(pin);
-
- rsa = isc_mem_get(key->mctx, sizeof(*rsa));
- memset(rsa, 0, sizeof(*rsa));
- rsa->object = CK_INVALID_HANDLE;
- rsa->ontoken = true;
- rsa->reqlogon = true;
- key->keydata.pkey = rsa;
-
- rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
- memset(rsa->repr, 0, sizeof(*attr) * 2);
- rsa->attrcnt = 2;
- attr = rsa->repr;
- attr[0].type = CKA_MODULUS;
- attr[1].type = CKA_PUBLIC_EXPONENT;
-
- ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
- ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
- NULL, rsa->slot);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
-
- attr = pk11_attribute_bytype(rsa, CKA_LABEL);
- if (attr == NULL) {
- attr = pk11_attribute_bytype(rsa, CKA_ID);
- INSIST(attr != NULL);
- searchTemplate[3].type = CKA_ID;
- }
- searchTemplate[3].pValue = attr->pValue;
- searchTemplate[3].ulValueLen = attr->ulValueLen;
-
- PK11_RET(pkcs_C_FindObjectsInit,
- (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
- DST_R_CRYPTOFAILURE);
- PK11_RET(pkcs_C_FindObjects,
- (pk11_ctx->session, &hKey, (CK_ULONG)1, &cnt),
- DST_R_CRYPTOFAILURE);
- (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
- if (cnt == 0) {
- DST_RET(ISC_R_NOTFOUND);
- }
- if (cnt > 1) {
- DST_RET(ISC_R_EXISTS);
- }
-
- attr = rsa->repr;
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
- DST_R_CRYPTOFAILURE);
- for (i = 0; i <= 1; i++) {
- attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
- memset(attr[i].pValue, 0, attr[i].ulValueLen);
- }
- PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
- DST_R_CRYPTOFAILURE);
-
- keyClass = CKO_PRIVATE_KEY;
- PK11_RET(pkcs_C_FindObjectsInit,
- (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
- DST_R_CRYPTOFAILURE);
- PK11_RET(pkcs_C_FindObjects,
- (pk11_ctx->session, &rsa->object, (CK_ULONG)1, &cnt),
- DST_R_CRYPTOFAILURE);
- (void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
- if (cnt == 0) {
- DST_RET(ISC_R_NOTFOUND);
- }
- if (cnt > 1) {
- DST_RET(ISC_R_EXISTS);
- }
-
- if (engine != NULL) {
- key->engine = isc_mem_strdup(key->mctx, engine);
- }
-
- key->label = isc_mem_strdup(key->mctx, label);
-
- attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
- INSIST(attr != NULL);
-
- ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- if (bits > RSA_MAX_PUBEXP_BITS) {
- DST_RET(ISC_R_RANGE);
- }
-
- attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
- INSIST(attr != NULL);
- ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- key->key_size = bits;
-
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ISC_R_SUCCESS);
-
-err:
- pkcs11rsa_destroy(key);
- if (pk11_ctx != NULL) {
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
- }
-
- return (ret);
-}
-
-static dst_func_t pkcs11rsa_functions = {
- pkcs11rsa_createctx,
-#ifndef PK11_RSA_PKCS_REPLACE
- pkcs11rsa_createctx2,
-#else /* ifndef PK11_RSA_PKCS_REPLACE */
- NULL, /*%< createctx2 */
-#endif /* ifndef PK11_RSA_PKCS_REPLACE */
- pkcs11rsa_destroyctx,
- pkcs11rsa_adddata,
- pkcs11rsa_sign,
- pkcs11rsa_verify,
- NULL, /*%< verify2 */
- NULL, /*%< computesecret */
- pkcs11rsa_compare,
- NULL, /*%< paramcompare */
- pkcs11rsa_generate,
- pkcs11rsa_isprivate,
- pkcs11rsa_destroy,
- pkcs11rsa_todns,
- pkcs11rsa_fromdns,
- pkcs11rsa_tofile,
- pkcs11rsa_parse,
- NULL, /*%< cleanup */
- pkcs11rsa_fromlabel,
- NULL, /*%< dump */
- NULL, /*%< restore */
-};
-
-isc_result_t
-dst__pkcs11rsa_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
-
- if (*funcp == NULL) {
- *funcp = &pkcs11rsa_functions;
- }
- return (ISC_R_SUCCESS);
-}
#include <isc/types.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/cert.h>
#include <dns/ds.h>
#include <dns/dsdigest.h>
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/name.h>
#include <dst/result.h>
#include <isc/print.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include "../dst_internal.h"
#include "dnstest.h"
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#define TEMP_BUFFER_SZ 8192
#define TKEY_RANDOM_AMOUNT 16
-#if USE_PKCS11
-#include <pk11/pk11.h>
-#endif /* if USE_PKCS11 */
-
#define RETERR(x) \
do { \
result = (x); \
#include <isc/mem.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/result.h>
#include <dns/tsec.h>
#include <dns/tsig.h>
#include <isc/time.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
include/isc/utf8.h \
include/isc/util.h
-pk11dir = $(includedir)/pk11
-pk11_HEADERS = \
- include/pk11/constants.h \
- include/pk11/internal.h \
- include/pk11/pk11.h \
- include/pk11/result.h \
- include/pk11/site.h
-
-pkcs11dir = $(includedir)/pkcs11
-pkcs11_HEADERS = \
- include/pkcs11/pkcs11.h
-
libisc_la_SOURCES = \
$(libisc_la_HEADERS) \
- $(pk11_HEADERS) \
- $(pkcs11_HEADERS) \
netmgr/netmgr-int.h \
netmgr/netmgr.c \
netmgr/tcp.c \
openssl_shim.h \
os.c \
parseint.c \
- pk11.c \
- pk11_api.c \
- pk11_result.c \
pool.c \
portset.c \
queue.c \
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-#include <inttypes.h>
-
-/*! \file pk11/constants.h */
-
-/*%
- * Static arrays of data used for key template initialization
- */
-#define PK11_ECC_PRIME256V1 \
- (uint8_t[]) { \
- 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 \
- }
-#define PK11_ECC_SECP384R1 \
- (uint8_t[]) { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 }
-#define PK11_ECX_ED25519 \
- (uint8_t[]) { \
- 0x13, 0xc, 'e', 'd', 'w', 'a', 'r', 'd', 's', '2', '5', '5', \
- '1', '9' \
- }
-#define PK11_ECX_ED448 \
- (uint8_t[]) { \
- 0x13, 0xa, 'e', 'd', 'w', 'a', 'r', 'd', 's', '4', '4', '8' \
- }
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#ifndef PK11_INTERNAL_H
-#define PK11_INTERNAL_H 1
-
-/*! \file pk11/internal.h */
-
-#include <pk11/pk11.h>
-
-ISC_LANG_BEGINDECLS
-
-const char *
-pk11_get_lib_name(void);
-
-void *
-pk11_mem_get(size_t size);
-
-void
-pk11_mem_put(void *ptr, size_t size);
-
-CK_SLOT_ID
-pk11_get_best_token(pk11_optype_t optype);
-
-isc_result_t
-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
-
-CK_ATTRIBUTE *
-pk11_attribute_first(const pk11_object_t *obj);
-
-CK_ATTRIBUTE *
-pk11_attribute_next(const pk11_object_t *obj, CK_ATTRIBUTE *attr);
-
-CK_ATTRIBUTE *
-pk11_attribute_bytype(const pk11_object_t *obj, CK_ATTRIBUTE_TYPE type);
-
-ISC_LANG_ENDDECLS
-
-#endif /* PK11_INTERNAL_H */
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*! \file pk11/pk11.h */
-
-#include <stdbool.h>
-#include <unistd.h>
-
-#include <isc/attributes.h>
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/types.h>
-
-#define PK11_FATALCHECK(func, args) \
- ((void)(((rv = (func)args) == CKR_OK) || \
- ((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0)))
-
-#include <pk11/site.h>
-#include <pkcs11/pkcs11.h>
-
-ISC_LANG_BEGINDECLS
-
-#define SES_MAGIC ISC_MAGIC('P', 'K', 'S', 'S')
-#define TOK_MAGIC ISC_MAGIC('P', 'K', 'T', 'K')
-
-#define VALID_SES(x) ISC_MAGIC_VALID(x, SES_MAGIC)
-#define VALID_TOK(x) ISC_MAGIC_VALID(x, TOK_MAGIC)
-
-typedef struct pk11_context pk11_context_t;
-
-struct pk11_object {
- CK_OBJECT_HANDLE object;
- CK_SLOT_ID slot;
- CK_BBOOL ontoken;
- CK_BBOOL reqlogon;
- CK_BYTE attrcnt;
- CK_ATTRIBUTE * repr;
-};
-
-struct pk11_context {
- void * handle;
- CK_SESSION_HANDLE session;
- CK_BBOOL ontoken;
- CK_OBJECT_HANDLE object;
-};
-
-typedef struct pk11_object pk11_object_t;
-
-typedef enum {
- OP_ANY = 0,
- OP_RSA = 1,
- OP_DH = 3,
- OP_ECDSA = 4,
- OP_EDDSA = 5,
- OP_MAX = 6
-} pk11_optype_t;
-
-/*%
- * Global flag to make choose_slots() verbose
- */
-extern bool pk11_verbose_init;
-
-/*%
- * Function prototypes
- */
-
-void
-pk11_set_lib_name(const char *lib_name);
-/*%<
- * Set the PKCS#11 provider (aka library) path/name.
- */
-
-isc_result_t
-pk11_initialize(isc_mem_t *mctx, const char *engine);
-/*%<
- * Initialize PKCS#11 device
- *
- * mctx: memory context to attach to pk11_mctx.
- * engine: PKCS#11 provider (aka library) path/name.
- *
- * returns:
- * ISC_R_SUCCESS
- * PK11_R_NOPROVIDER: can't load the provider
- * PK11_R_INITFAILED: C_Initialize() failed
- * PK11_R_NORANDOMSERVICE: can't find required random service
- * PK11_R_NODIGESTSERVICE: can't find required digest service
- * PK11_R_NOAESSERVICE: can't find required AES service
- */
-
-isc_result_t
-pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, bool need_services,
- bool rw, bool logon, const char *pin, CK_SLOT_ID slot);
-/*%<
- * Initialize PKCS#11 device and acquire a session.
- *
- * need_services:
- * if true, this session requires full PKCS#11 API
- * support including random and digest services, and
- * the lack of these services will cause the session not
- * to be initialized. If false, the function will return
- * an error code indicating the missing service, but the
- * session will be usable for other purposes.
- * rw: if true, session will be read/write (useful for
- * generating or destroying keys); otherwise read-only.
- * login: indicates whether to log in to the device
- * pin: optional PIN, overriding any PIN currently associated
- * with the
- * slot: device slot ID
- */
-
-void
-pk11_return_session(pk11_context_t *ctx);
-/*%<
- * Release an active PKCS#11 session for reuse.
- */
-
-isc_result_t
-pk11_finalize(void);
-/*%<
- * Shut down PKCS#11 device and free all sessions.
- */
-
-isc_result_t
-pk11_parse_uri(pk11_object_t *obj, const char *label, isc_mem_t *mctx,
- pk11_optype_t optype);
-
-ISC_NORETURN void
-pk11_error_fatalcheck(const char *file, int line, const char *funcname,
- CK_RV rv);
-
-void
-pk11_dump_tokens(void);
-
-CK_RV
-pkcs_C_Initialize(CK_VOID_PTR pReserved);
-
-char *
-pk11_get_load_error_message(void);
-
-CK_RV
-pkcs_C_Finalize(CK_VOID_PTR pReserved);
-
-CK_RV
-pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
- CK_ULONG_PTR pulCount);
-
-CK_RV
-pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);
-
-CK_RV
-pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
- CK_MECHANISM_INFO_PTR pInfo);
-
-CK_RV
-pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication,
- CK_RV (*Notify)(CK_SESSION_HANDLE hSession,
- CK_NOTIFICATION event,
- CK_VOID_PTR pApplication),
- CK_SESSION_HANDLE_PTR phSession);
-
-CK_RV
-pkcs_C_CloseSession(CK_SESSION_HANDLE hSession);
-
-CK_RV
-pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
- CK_CHAR_PTR pPin, CK_ULONG usPinLen);
-
-CK_RV
-pkcs_C_Logout(CK_SESSION_HANDLE hSession);
-
-CK_RV
-pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject);
-
-CK_RV
-pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
-
-CK_RV
-pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
-
-CK_RV
-pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
-
-CK_RV
-pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount);
-
-CK_RV
-pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
- CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount);
-
-CK_RV
-pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession);
-
-CK_RV
-pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey);
-
-CK_RV
-pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
- CK_ULONG_PTR pulEncryptedDataLen);
-
-CK_RV
-pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism);
-
-CK_RV
-pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen);
-
-CK_RV
-pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pulDigestLen);
-
-CK_RV
-pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey);
-
-CK_RV
-pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen);
-
-CK_RV
-pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen);
-
-CK_RV
-pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen);
-
-CK_RV
-pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey);
-
-CK_RV
-pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen);
-
-CK_RV
-pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen);
-
-CK_RV
-pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen);
-
-CK_RV
-pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phKey);
-
-CK_RV
-pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG usPublicKeyAttributeCount,
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG usPrivateKeyAttributeCount,
- CK_OBJECT_HANDLE_PTR phPrivateKey,
- CK_OBJECT_HANDLE_PTR phPublicKey);
-
-CK_RV
-pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
-
-CK_RV
-pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
- CK_ULONG ulSeedLen);
-
-CK_RV
-pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
- CK_ULONG ulRandomLen);
-
-ISC_LANG_ENDDECLS
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#ifndef PK11_RESULT_H
-#define PK11_RESULT_H 1
-
-/*! \file pk11/result.h */
-
-#include <isc/lang.h>
-#include <isc/resultclass.h>
-#include <isc/types.h>
-
-/*
- * Nothing in this file truly depends on <isc/result.h>, but the
- * PK11 result codes are considered to be publicly derived from
- * the ISC result codes, so including this file buys you the ISC_R_
- * namespace too.
- */
-#include <isc/result.h> /* Contractual promise. */
-
-#define PK11_R_INITFAILED (ISC_RESULTCLASS_PK11 + 0)
-#define PK11_R_NOPROVIDER (ISC_RESULTCLASS_PK11 + 1)
-#define PK11_R_NORANDOMSERVICE (ISC_RESULTCLASS_PK11 + 2)
-#define PK11_R_NODIGESTSERVICE (ISC_RESULTCLASS_PK11 + 3)
-#define PK11_R_NOAESSERVICE (ISC_RESULTCLASS_PK11 + 4)
-
-#define PK11_R_NRESULTS 5 /* Number of results */
-
-ISC_LANG_BEGINDECLS
-
-const char *pk11_result_totext(isc_result_t);
-
-void
-pk11_result_register(void);
-
-ISC_LANG_ENDDECLS
-
-#endif /* PK11_RESULT_H */
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*! \file pk11/site.h */
+++ /dev/null
-/* pkcs11.h
- * Copyright 2006, 2007 g10 Code GmbH
- * Copyright 2006 Andreas Jellinghaus
- * Copyright 2017 Red Hat, Inc.
- *
- * This file is free software; as a special exception the author gives
- * unlimited permission to copy and/or distribute it, with or without
- * modifications, as long as this notice is preserved.
- *
- * This file is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- * the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- * PURPOSE. */
-
-/* Please submit any changes back to the p11-kit project at
- * https://github.com/p11-glue/p11-kit/, so that
- * they can be picked up by other projects from there as well. */
-
-/* This file is a modified implementation of the PKCS #11 standard by
- * OASIS group. It is mostly a drop-in replacement, with the
- * following change:
- *
- * This header file does not require any macro definitions by the user
- * (like CK_DEFINE_FUNCTION etc). In fact, it defines those macros
- * for you (if useful, some are missing, let me know if you need
- * more).
- *
- * There is an additional API available that does comply better to the
- * GNU coding standard. It can be switched on by defining
- * CRYPTOKI_GNU before including this header file. For this, the
- * following changes are made to the specification:
- *
- * All structure types are changed to a "struct ck_foo" where CK_FOO
- * is the type name in PKCS #11.
- *
- * All non-structure types are changed to ck_foo_t where CK_FOO is the
- * lowercase version of the type name in PKCS #11. The basic types
- * (CK_ULONG et al.) are removed without substitute.
- *
- * All members of structures are modified in the following way: Type
- * indication prefixes are removed, and underscore characters are
- * inserted before words. Then the result is lowercased.
- *
- * Note that function names are still in the original case, as they
- * need for ABI compatibility.
- *
- * CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute. Use
- * <stdbool.h>.
- *
- * If CRYPTOKI_COMPAT is defined before including this header file,
- * then none of the API changes above take place, and the API is the
- * one defined by the PKCS #11 standard. */
-
-#ifndef PKCS11_H
-#define PKCS11_H 1
-
-#if defined(__cplusplus)
-extern "C" {
-#endif /* if defined(__cplusplus) */
-
-/* The version of cryptoki we implement. The revision is changed with
- * each modification of this file. */
-#define CRYPTOKI_VERSION_MAJOR 2
-#define CRYPTOKI_VERSION_MINOR 40
-#define P11_KIT_CRYPTOKI_VERSION_REVISION 0
-
-/* Compatibility interface is default, unless CRYPTOKI_GNU is
- * given. */
-#ifndef CRYPTOKI_GNU
-#ifndef CRYPTOKI_COMPAT
-#define CRYPTOKI_COMPAT 1
-#endif /* ifndef CRYPTOKI_COMPAT */
-#endif /* ifndef CRYPTOKI_GNU */
-
-/* System dependencies. */
-
-#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
-
-/* There is a matching pop below. */
-#pragma pack(push, cryptoki, 1)
-
-#ifdef CRYPTOKI_EXPORTS
-#define CK_SPEC __declspec(dllexport)
-#else /* ifdef CRYPTOKI_EXPORTS */
-#define CK_SPEC __declspec(dllimport)
-#endif /* ifdef CRYPTOKI_EXPORTS */
-
-#else /* if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) */
-
-#define CK_SPEC
-
-#endif /* if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) */
-
-#ifdef CRYPTOKI_COMPAT
-/* If we are in compatibility mode, switch all exposed names to the
- * PKCS #11 variant. There are corresponding #undefs below. */
-
-#define ck_flags_t CK_FLAGS
-#define ck_version _CK_VERSION
-
-#define ck_info _CK_INFO
-#define cryptoki_version cryptokiVersion
-#define manufacturer_id manufacturerID
-#define library_description libraryDescription
-#define library_version libraryVersion
-
-#define ck_notification_t CK_NOTIFICATION
-#define ck_slot_id_t CK_SLOT_ID
-
-#define ck_slot_info _CK_SLOT_INFO
-#define slot_description slotDescription
-#define hardware_version hardwareVersion
-#define firmware_version firmwareVersion
-
-#define ck_token_info _CK_TOKEN_INFO
-#define serial_number serialNumber
-#define max_session_count ulMaxSessionCount
-#define session_count ulSessionCount
-#define max_rw_session_count ulMaxRwSessionCount
-#define rw_session_count ulRwSessionCount
-#define max_pin_len ulMaxPinLen
-#define min_pin_len ulMinPinLen
-#define total_public_memory ulTotalPublicMemory
-#define free_public_memory ulFreePublicMemory
-#define total_private_memory ulTotalPrivateMemory
-#define free_private_memory ulFreePrivateMemory
-#define utc_time utcTime
-
-#define ck_session_handle_t CK_SESSION_HANDLE
-#define ck_user_type_t CK_USER_TYPE
-#define ck_state_t CK_STATE
-
-#define ck_session_info _CK_SESSION_INFO
-#define slot_id slotID
-#define device_error ulDeviceError
-
-#define ck_object_handle_t CK_OBJECT_HANDLE
-#define ck_object_class_t CK_OBJECT_CLASS
-#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
-#define ck_key_type_t CK_KEY_TYPE
-#define ck_certificate_type_t CK_CERTIFICATE_TYPE
-#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
-
-#define ck_attribute _CK_ATTRIBUTE
-#define value pValue
-#define value_len ulValueLen
-
-#define count ulCount
-
-#define ck_date _CK_DATE
-
-#define ck_mechanism_type_t CK_MECHANISM_TYPE
-
-#define ck_mechanism _CK_MECHANISM
-#define parameter pParameter
-#define parameter_len ulParameterLen
-
-#define params pParams
-
-#define ck_mechanism_info _CK_MECHANISM_INFO
-#define min_key_size ulMinKeySize
-#define max_key_size ulMaxKeySize
-
-#define ck_param_type CK_PARAM_TYPE
-#define ck_otp_param CK_OTP_PARAM
-#define ck_otp_params CK_OTP_PARAMS
-#define ck_otp_signature_info CK_OTP_SIGNATURE_INFO
-
-#define ck_rv_t CK_RV
-#define ck_notify_t CK_NOTIFY
-
-#define ck_function_list _CK_FUNCTION_LIST
-
-#define ck_createmutex_t CK_CREATEMUTEX
-#define ck_destroymutex_t CK_DESTROYMUTEX
-#define ck_lockmutex_t CK_LOCKMUTEX
-#define ck_unlockmutex_t CK_UNLOCKMUTEX
-
-#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
-#define create_mutex CreateMutex
-#define destroy_mutex DestroyMutex
-#define lock_mutex LockMutex
-#define unlock_mutex UnlockMutex
-#define reserved pReserved
-
-#define ck_rsa_pkcs_mgf_type_t CK_RSA_PKCS_MGF_TYPE
-#define ck_rsa_pkcs_oaep_source_type_t CK_RSA_PKCS_OAEP_SOURCE_TYPE
-#define hash_alg hashAlg
-#define s_len sLen
-#define source_data pSourceData
-#define source_data_len ulSourceDataLen
-
-#define counter_bits ulCounterBits
-#define iv_ptr pIv
-#define iv_len ulIvLen
-#define iv_bits ulIvBits
-#define aad_ptr pAAD
-#define aad_len ulAADLen
-#define tag_bits ulTagBits
-#define shared_data_len ulSharedDataLen
-#define shared_data pSharedData
-#define public_data_len ulPublicDataLen
-#define public_data pPublicData
-#define string_data pData
-#define string_data_len ulLen
-#define data_params pData
-#endif /* CRYPTOKI_COMPAT */
-
-typedef unsigned long ck_flags_t;
-
-struct ck_version {
- unsigned char major;
- unsigned char minor;
-};
-
-struct ck_info {
- struct ck_version cryptoki_version;
- unsigned char manufacturer_id[32];
- ck_flags_t flags;
- unsigned char library_description[32];
- struct ck_version library_version;
-};
-
-typedef unsigned long ck_notification_t;
-
-#define CKN_SURRENDER (0UL)
-
-typedef unsigned long ck_slot_id_t;
-
-struct ck_slot_info {
- unsigned char slot_description[64];
- unsigned char manufacturer_id[32];
- ck_flags_t flags;
- struct ck_version hardware_version;
- struct ck_version firmware_version;
-};
-
-#define CKF_TOKEN_PRESENT (1UL << 0)
-#define CKF_REMOVABLE_DEVICE (1UL << 1)
-#define CKF_HW_SLOT (1UL << 2)
-#define CKF_ARRAY_ATTRIBUTE (1UL << 30)
-
-struct ck_token_info {
- unsigned char label[32];
- unsigned char manufacturer_id[32];
- unsigned char model[16];
- unsigned char serial_number[16];
- ck_flags_t flags;
- unsigned long max_session_count;
- unsigned long session_count;
- unsigned long max_rw_session_count;
- unsigned long rw_session_count;
- unsigned long max_pin_len;
- unsigned long min_pin_len;
- unsigned long total_public_memory;
- unsigned long free_public_memory;
- unsigned long total_private_memory;
- unsigned long free_private_memory;
- struct ck_version hardware_version;
- struct ck_version firmware_version;
- unsigned char utc_time[16];
-};
-
-#define CKF_RNG (1UL << 0)
-#define CKF_WRITE_PROTECTED (1UL << 1)
-#define CKF_LOGIN_REQUIRED (1UL << 2)
-#define CKF_USER_PIN_INITIALIZED (1UL << 3)
-#define CKF_RESTORE_KEY_NOT_NEEDED (1UL << 5)
-#define CKF_CLOCK_ON_TOKEN (1UL << 6)
-#define CKF_PROTECTED_AUTHENTICATION_PATH (1UL << 8)
-#define CKF_DUAL_CRYPTO_OPERATIONS (1UL << 9)
-#define CKF_TOKEN_INITIALIZED (1UL << 10)
-#define CKF_SECONDARY_AUTHENTICATION (1UL << 11)
-#define CKF_USER_PIN_COUNT_LOW (1UL << 16)
-#define CKF_USER_PIN_FINAL_TRY (1UL << 17)
-#define CKF_USER_PIN_LOCKED (1UL << 18)
-#define CKF_USER_PIN_TO_BE_CHANGED (1UL << 19)
-#define CKF_SO_PIN_COUNT_LOW (1UL << 20)
-#define CKF_SO_PIN_FINAL_TRY (1UL << 21)
-#define CKF_SO_PIN_LOCKED (1UL << 22)
-#define CKF_SO_PIN_TO_BE_CHANGED (1UL << 23)
-
-#define CK_UNAVAILABLE_INFORMATION ((unsigned long)-1L)
-#define CK_EFFECTIVELY_INFINITE (0UL)
-
-typedef unsigned long ck_session_handle_t;
-
-#define CK_INVALID_HANDLE (0UL)
-
-typedef unsigned long ck_user_type_t;
-
-#define CKU_SO (0UL)
-#define CKU_USER (1UL)
-#define CKU_CONTEXT_SPECIFIC (2UL)
-
-typedef unsigned long ck_state_t;
-
-#define CKS_RO_PUBLIC_SESSION (0UL)
-#define CKS_RO_USER_FUNCTIONS (1UL)
-#define CKS_RW_PUBLIC_SESSION (2UL)
-#define CKS_RW_USER_FUNCTIONS (3UL)
-#define CKS_RW_SO_FUNCTIONS (4UL)
-
-struct ck_session_info {
- ck_slot_id_t slot_id;
- ck_state_t state;
- ck_flags_t flags;
- unsigned long device_error;
-};
-
-#define CKF_RW_SESSION (1UL << 1)
-#define CKF_SERIAL_SESSION (1UL << 2)
-
-typedef unsigned long ck_object_handle_t;
-
-typedef unsigned long ck_object_class_t;
-
-#define CKO_DATA (0UL)
-#define CKO_CERTIFICATE (1UL)
-#define CKO_PUBLIC_KEY (2UL)
-#define CKO_PRIVATE_KEY (3UL)
-#define CKO_SECRET_KEY (4UL)
-#define CKO_HW_FEATURE (5UL)
-#define CKO_DOMAIN_PARAMETERS (6UL)
-#define CKO_MECHANISM (7UL)
-#define CKO_OTP_KEY (8UL)
-#define CKO_VENDOR_DEFINED ((unsigned long)(1UL << 31))
-
-typedef unsigned long ck_hw_feature_type_t;
-
-#define CKH_MONOTONIC_COUNTER (1UL)
-#define CKH_CLOCK (2UL)
-#define CKH_USER_INTERFACE (3UL)
-#define CKH_VENDOR_DEFINED ((unsigned long)(1UL << 31))
-
-typedef unsigned long ck_key_type_t;
-
-#define CKK_RSA (0UL)
-#define CKK_DSA (1UL)
-#define CKK_DH (2UL)
-#define CKK_ECDSA (3UL)
-#define CKK_EC (3UL)
-#define CKK_X9_42_DH (4UL)
-#define CKK_KEA (5UL)
-#define CKK_GENERIC_SECRET (0x10UL)
-#define CKK_RC2 (0x11UL)
-#define CKK_RC4 (0x12UL)
-#define CKK_DES (0x13UL)
-#define CKK_DES2 (0x14UL)
-#define CKK_DES3 (0x15UL)
-#define CKK_CAST (0x16UL)
-#define CKK_CAST3 (0x17UL)
-#define CKK_CAST128 (0x18UL)
-#define CKK_RC5 (0x19UL)
-#define CKK_IDEA (0x1aUL)
-#define CKK_SKIPJACK (0x1bUL)
-#define CKK_BATON (0x1cUL)
-#define CKK_JUNIPER (0x1dUL)
-#define CKK_CDMF (0x1eUL)
-#define CKK_AES (0x1fUL)
-#define CKK_BLOWFISH (0x20UL)
-#define CKK_TWOFISH (0x21UL)
-#define CKK_SECURID (0x22UL)
-#define CKK_HOTP (0x23UL)
-#define CKK_ACTI (0x24UL)
-#define CKK_CAMELLIA (0x25UL)
-#define CKK_ARIA (0x26UL)
-#define CKK_MD5_HMAC (0x27UL)
-#define CKK_SHA_1_HMAC (0x28UL)
-#define CKK_RIPEMD128_HMAC (0x29UL)
-#define CKK_RIPEMD160_HMAC (0x2aUL)
-#define CKK_SHA256_HMAC (0x2bUL)
-#define CKK_SHA384_HMAC (0x2cUL)
-#define CKK_SHA512_HMAC (0x2dUL)
-#define CKK_SHA224_HMAC (0x2eUL)
-#define CKK_SEED (0x2fUL)
-#define CKK_GOSTR3410 (0x30UL)
-#define CKK_GOSTR3411 (0x31UL)
-#define CKK_GOST28147 (0x32UL)
-#define CKK_EC_EDWARDS (0x40UL)
-#define CKK_VENDOR_DEFINED ((unsigned long)(1UL << 31))
-
-typedef unsigned long ck_certificate_type_t;
-
-#define CKC_X_509 (0UL)
-#define CKC_X_509_ATTR_CERT (1UL)
-#define CKC_WTLS (2UL)
-#define CKC_VENDOR_DEFINED ((unsigned long)(1UL << 31))
-
-#define CKC_OPENPGP (CKC_VENDOR_DEFINED | 0x504750UL)
-
-typedef unsigned long ck_attribute_type_t;
-
-#define CKA_CLASS (0UL)
-#define CKA_TOKEN (1UL)
-#define CKA_PRIVATE (2UL)
-#define CKA_LABEL (3UL)
-#define CKA_APPLICATION (0x10UL)
-#define CKA_VALUE (0x11UL)
-#define CKA_OBJECT_ID (0x12UL)
-#define CKA_CERTIFICATE_TYPE (0x80UL)
-#define CKA_ISSUER (0x81UL)
-#define CKA_SERIAL_NUMBER (0x82UL)
-#define CKA_AC_ISSUER (0x83UL)
-#define CKA_OWNER (0x84UL)
-#define CKA_ATTR_TYPES (0x85UL)
-#define CKA_TRUSTED (0x86UL)
-#define CKA_CERTIFICATE_CATEGORY (0x87UL)
-#define CKA_JAVA_MIDP_SECURITY_DOMAIN (0x88UL)
-#define CKA_URL (0x89UL)
-#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8aUL)
-#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8bUL)
-#define CKA_NAME_HASH_ALGORITHM (0x8cUL)
-#define CKA_CHECK_VALUE (0x90UL)
-#define CKA_KEY_TYPE (0x100UL)
-#define CKA_SUBJECT (0x101UL)
-#define CKA_ID (0x102UL)
-#define CKA_SENSITIVE (0x103UL)
-#define CKA_ENCRYPT (0x104UL)
-#define CKA_DECRYPT (0x105UL)
-#define CKA_WRAP (0x106UL)
-#define CKA_UNWRAP (0x107UL)
-#define CKA_SIGN (0x108UL)
-#define CKA_SIGN_RECOVER (0x109UL)
-#define CKA_VERIFY (0x10aUL)
-#define CKA_VERIFY_RECOVER (0x10bUL)
-#define CKA_DERIVE (0x10cUL)
-#define CKA_START_DATE (0x110UL)
-#define CKA_END_DATE (0x111UL)
-#define CKA_MODULUS (0x120UL)
-#define CKA_MODULUS_BITS (0x121UL)
-#define CKA_PUBLIC_EXPONENT (0x122UL)
-#define CKA_PRIVATE_EXPONENT (0x123UL)
-#define CKA_PRIME_1 (0x124UL)
-#define CKA_PRIME_2 (0x125UL)
-#define CKA_EXPONENT_1 (0x126UL)
-#define CKA_EXPONENT_2 (0x127UL)
-#define CKA_COEFFICIENT (0x128UL)
-#define CKA_PUBLIC_KEY_INFO (0x129UL)
-#define CKA_PRIME (0x130UL)
-#define CKA_SUBPRIME (0x131UL)
-#define CKA_BASE (0x132UL)
-#define CKA_PRIME_BITS (0x133UL)
-#define CKA_SUB_PRIME_BITS (0x134UL)
-#define CKA_VALUE_BITS (0x160UL)
-#define CKA_VALUE_LEN (0x161UL)
-#define CKA_EXTRACTABLE (0x162UL)
-#define CKA_LOCAL (0x163UL)
-#define CKA_NEVER_EXTRACTABLE (0x164UL)
-#define CKA_ALWAYS_SENSITIVE (0x165UL)
-#define CKA_KEY_GEN_MECHANISM (0x166UL)
-#define CKA_MODIFIABLE (0x170UL)
-#define CKA_COPYABLE (0x171UL)
-#define CKA_DESTROYABLE (0x172UL)
-#define CKA_ECDSA_PARAMS (0x180UL)
-#define CKA_EC_PARAMS (0x180UL)
-#define CKA_EC_POINT (0x181UL)
-#define CKA_SECONDARY_AUTH (0x200UL)
-#define CKA_AUTH_PIN_FLAGS (0x201UL)
-#define CKA_ALWAYS_AUTHENTICATE (0x202UL)
-#define CKA_WRAP_WITH_TRUSTED (0x210UL)
-#define CKA_OTP_FORMAT (0x220UL)
-#define CKA_OTP_LENGTH (0x221UL)
-#define CKA_OTP_TIME_INTERVAL (0x222UL)
-#define CKA_OTP_USER_FRIENDLY_MODE (0x223UL)
-#define CKA_OTP_CHALLENGE_REQUIREMENT (0x224UL)
-#define CKA_OTP_TIME_REQUIREMENT (0x225UL)
-#define CKA_OTP_COUNTER_REQUIREMENT (0x226UL)
-#define CKA_OTP_PIN_REQUIREMENT (0x227UL)
-#define CKA_OTP_USER_IDENTIFIER (0x22AUL)
-#define CKA_OTP_SERVICE_IDENTIFIER (0x22BUL)
-#define CKA_OTP_SERVICE_LOGO (0x22CUL)
-#define CKA_OTP_SERVICE_LOGO_TYPE (0x22DUL)
-#define CKA_OTP_COUNTER (0x22EUL)
-#define CKA_OTP_TIME (0x22FUL)
-#define CKA_GOSTR3410_PARAMS (0x250UL)
-#define CKA_GOSTR3411_PARAMS (0x251UL)
-#define CKA_GOST28147_PARAMS (0x252UL)
-#define CKA_HW_FEATURE_TYPE (0x300UL)
-#define CKA_RESET_ON_INIT (0x301UL)
-#define CKA_HAS_RESET (0x302UL)
-#define CKA_PIXEL_X (0x400UL)
-#define CKA_PIXEL_Y (0x401UL)
-#define CKA_RESOLUTION (0x402UL)
-#define CKA_CHAR_ROWS (0x403UL)
-#define CKA_CHAR_COLUMNS (0x404UL)
-#define CKA_COLOR (0x405UL)
-#define CKA_BITS_PER_PIXEL (0x406UL)
-#define CKA_CHAR_SETS (0x480UL)
-#define CKA_ENCODING_METHODS (0x481UL)
-#define CKA_MIME_TYPES (0x482UL)
-#define CKA_MECHANISM_TYPE (0x500UL)
-#define CKA_REQUIRED_CMS_ATTRIBUTES (0x501UL)
-#define CKA_DEFAULT_CMS_ATTRIBUTES (0x502UL)
-#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503UL)
-#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211UL)
-#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212UL)
-#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x213UL)
-#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600UL)
-#define CKA_VENDOR_DEFINED ((unsigned long)(1UL << 31))
-
-struct ck_attribute {
- ck_attribute_type_t type;
- void * value;
- unsigned long value_len;
-};
-
-struct ck_date {
- unsigned char year[4];
- unsigned char month[2];
- unsigned char day[2];
-};
-
-typedef unsigned long ck_mechanism_type_t;
-
-#define CKM_RSA_PKCS_KEY_PAIR_GEN (0UL)
-#define CKM_RSA_PKCS (1UL)
-#define CKM_RSA_9796 (2UL)
-#define CKM_RSA_X_509 (3UL)
-#define CKM_MD2_RSA_PKCS (4UL)
-#define CKM_MD5_RSA_PKCS (5UL)
-#define CKM_SHA1_RSA_PKCS (6UL)
-#define CKM_RIPEMD128_RSA_PKCS (7UL)
-#define CKM_RIPEMD160_RSA_PKCS (8UL)
-#define CKM_RSA_PKCS_OAEP (9UL)
-#define CKM_RSA_X9_31_KEY_PAIR_GEN (0xaUL)
-#define CKM_RSA_X9_31 (0xbUL)
-#define CKM_SHA1_RSA_X9_31 (0xcUL)
-#define CKM_RSA_PKCS_PSS (0xdUL)
-#define CKM_SHA1_RSA_PKCS_PSS (0xeUL)
-#define CKM_DSA_KEY_PAIR_GEN (0x10UL)
-#define CKM_DSA (0x11UL)
-#define CKM_DSA_SHA1 (0x12UL)
-#define CKM_DSA_SHA224 (0x13UL)
-#define CKM_DSA_SHA256 (0x14UL)
-#define CKM_DSA_SHA384 (0x15UL)
-#define CKM_DSA_SHA512 (0x16UL)
-#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20UL)
-#define CKM_DH_PKCS_DERIVE (0x21UL)
-#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30UL)
-#define CKM_X9_42_DH_DERIVE (0x31UL)
-#define CKM_X9_42_DH_HYBRID_DERIVE (0x32UL)
-#define CKM_X9_42_MQV_DERIVE (0x33UL)
-#define CKM_SHA256_RSA_PKCS (0x40UL)
-#define CKM_SHA384_RSA_PKCS (0x41UL)
-#define CKM_SHA512_RSA_PKCS (0x42UL)
-#define CKM_SHA256_RSA_PKCS_PSS (0x43UL)
-#define CKM_SHA384_RSA_PKCS_PSS (0x44UL)
-#define CKM_SHA512_RSA_PKCS_PSS (0x45UL)
-#define CKM_SHA512_224 (0x48UL)
-#define CKM_SHA512_224_HMAC (0x49UL)
-#define CKM_SHA512_224_HMAC_GENERAL (0x4aUL)
-#define CKM_SHA512_224_KEY_DERIVATION (0x4bUL)
-#define CKM_SHA512_256 (0x4cUL)
-#define CKM_SHA512_256_HMAC (0x4dUL)
-#define CKM_SHA512_256_HMAC_GENERAL (0x4eUL)
-#define CKM_SHA512_256_KEY_DERIVATION (0x4fUL)
-#define CKM_SHA512_T (0x50UL)
-#define CKM_SHA512_T_HMAC (0x51UL)
-#define CKM_SHA512_T_HMAC_GENERAL (0x52UL)
-#define CKM_SHA512_T_KEY_DERIVATION (0x53UL)
-#define CKM_RC2_KEY_GEN (0x100UL)
-#define CKM_RC2_ECB (0x101UL)
-#define CKM_RC2_CBC (0x102UL)
-#define CKM_RC2_MAC (0x103UL)
-#define CKM_RC2_MAC_GENERAL (0x104UL)
-#define CKM_RC2_CBC_PAD (0x105UL)
-#define CKM_RC4_KEY_GEN (0x110UL)
-#define CKM_RC4 (0x111UL)
-#define CKM_DES_KEY_GEN (0x120UL)
-#define CKM_DES_ECB (0x121UL)
-#define CKM_DES_CBC (0x122UL)
-#define CKM_DES_MAC (0x123UL)
-#define CKM_DES_MAC_GENERAL (0x124UL)
-#define CKM_DES_CBC_PAD (0x125UL)
-#define CKM_DES2_KEY_GEN (0x130UL)
-#define CKM_DES3_KEY_GEN (0x131UL)
-#define CKM_DES3_ECB (0x132UL)
-#define CKM_DES3_CBC (0x133UL)
-#define CKM_DES3_MAC (0x134UL)
-#define CKM_DES3_MAC_GENERAL (0x135UL)
-#define CKM_DES3_CBC_PAD (0x136UL)
-#define CKM_DES3_CMAC_GENERAL (0x137UL)
-#define CKM_DES3_CMAC (0x138UL)
-#define CKM_CDMF_KEY_GEN (0x140UL)
-#define CKM_CDMF_ECB (0x141UL)
-#define CKM_CDMF_CBC (0x142UL)
-#define CKM_CDMF_MAC (0x143UL)
-#define CKM_CDMF_MAC_GENERAL (0x144UL)
-#define CKM_CDMF_CBC_PAD (0x145UL)
-#define CKM_DES_OFB64 (0x150UL)
-#define CKM_DES_OFB8 (0x151UL)
-#define CKM_DES_CFB64 (0x152UL)
-#define CKM_DES_CFB8 (0x153UL)
-#define CKM_MD2 (0x200UL)
-#define CKM_MD2_HMAC (0x201UL)
-#define CKM_MD2_HMAC_GENERAL (0x202UL)
-#define CKM_MD5 (0x210UL)
-#define CKM_MD5_HMAC (0x211UL)
-#define CKM_MD5_HMAC_GENERAL (0x212UL)
-#define CKM_SHA_1 (0x220UL)
-#define CKM_SHA_1_HMAC (0x221UL)
-#define CKM_SHA_1_HMAC_GENERAL (0x222UL)
-#define CKM_RIPEMD128 (0x230UL)
-#define CKM_RIPEMD128_HMAC (0x231UL)
-#define CKM_RIPEMD128_HMAC_GENERAL (0x232UL)
-#define CKM_RIPEMD160 (0x240UL)
-#define CKM_RIPEMD160_HMAC (0x241UL)
-#define CKM_RIPEMD160_HMAC_GENERAL (0x242UL)
-#define CKM_SHA256 (0x250UL)
-#define CKM_SHA256_HMAC (0x251UL)
-#define CKM_SHA256_HMAC_GENERAL (0x252UL)
-#define CKM_SHA384 (0x260UL)
-#define CKM_SHA384_HMAC (0x261UL)
-#define CKM_SHA384_HMAC_GENERAL (0x262UL)
-#define CKM_SHA512 (0x270UL)
-#define CKM_SHA512_HMAC (0x271UL)
-#define CKM_SHA512_HMAC_GENERAL (0x272UL)
-#define CKM_SECURID_KEY_GEN (0x280UL)
-#define CKM_SECURID (0x282UL)
-#define CKM_HOTP_KEY_GEN (0x290UL)
-#define CKM_HOTP (0x291UL)
-#define CKM_ACTI (0x2a0UL)
-#define CKM_ACTI_KEY_GEN (0x2a1UL)
-#define CKM_CAST_KEY_GEN (0x300UL)
-#define CKM_CAST_ECB (0x301UL)
-#define CKM_CAST_CBC (0x302UL)
-#define CKM_CAST_MAC (0x303UL)
-#define CKM_CAST_MAC_GENERAL (0x304UL)
-#define CKM_CAST_CBC_PAD (0x305UL)
-#define CKM_CAST3_KEY_GEN (0x310UL)
-#define CKM_CAST3_ECB (0x311UL)
-#define CKM_CAST3_CBC (0x312UL)
-#define CKM_CAST3_MAC (0x313UL)
-#define CKM_CAST3_MAC_GENERAL (0x314UL)
-#define CKM_CAST3_CBC_PAD (0x315UL)
-#define CKM_CAST5_KEY_GEN (0x320UL)
-#define CKM_CAST128_KEY_GEN (0x320UL)
-#define CKM_CAST5_ECB (0x321UL)
-#define CKM_CAST128_ECB (0x321UL)
-#define CKM_CAST5_CBC (0x322UL)
-#define CKM_CAST128_CBC (0x322UL)
-#define CKM_CAST5_MAC (0x323UL)
-#define CKM_CAST128_MAC (0x323UL)
-#define CKM_CAST5_MAC_GENERAL (0x324UL)
-#define CKM_CAST128_MAC_GENERAL (0x324UL)
-#define CKM_CAST5_CBC_PAD (0x325UL)
-#define CKM_CAST128_CBC_PAD (0x325UL)
-#define CKM_RC5_KEY_GEN (0x330UL)
-#define CKM_RC5_ECB (0x331UL)
-#define CKM_RC5_CBC (0x332UL)
-#define CKM_RC5_MAC (0x333UL)
-#define CKM_RC5_MAC_GENERAL (0x334UL)
-#define CKM_RC5_CBC_PAD (0x335UL)
-#define CKM_IDEA_KEY_GEN (0x340UL)
-#define CKM_IDEA_ECB (0x341UL)
-#define CKM_IDEA_CBC (0x342UL)
-#define CKM_IDEA_MAC (0x343UL)
-#define CKM_IDEA_MAC_GENERAL (0x344UL)
-#define CKM_IDEA_CBC_PAD (0x345UL)
-#define CKM_GENERIC_SECRET_KEY_GEN (0x350UL)
-#define CKM_CONCATENATE_BASE_AND_KEY (0x360UL)
-#define CKM_CONCATENATE_BASE_AND_DATA (0x362UL)
-#define CKM_CONCATENATE_DATA_AND_BASE (0x363UL)
-#define CKM_XOR_BASE_AND_DATA (0x364UL)
-#define CKM_EXTRACT_KEY_FROM_KEY (0x365UL)
-#define CKM_SSL3_PRE_MASTER_KEY_GEN (0x370UL)
-#define CKM_SSL3_MASTER_KEY_DERIVE (0x371UL)
-#define CKM_SSL3_KEY_AND_MAC_DERIVE (0x372UL)
-#define CKM_SSL3_MASTER_KEY_DERIVE_DH (0x373UL)
-#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374UL)
-#define CKM_TLS_MASTER_KEY_DERIVE (0x375UL)
-#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376UL)
-#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377UL)
-#define CKM_TLS_PRF (0x378UL)
-#define CKM_SSL3_MD5_MAC (0x380UL)
-#define CKM_SSL3_SHA1_MAC (0x381UL)
-#define CKM_MD5_KEY_DERIVATION (0x390UL)
-#define CKM_MD2_KEY_DERIVATION (0x391UL)
-#define CKM_SHA1_KEY_DERIVATION (0x392UL)
-#define CKM_SHA256_KEY_DERIVATION (0x393UL)
-#define CKM_SHA384_KEY_DERIVATION (0x394UL)
-#define CKM_SHA512_KEY_DERIVATION (0x395UL)
-#define CKM_PBE_MD2_DES_CBC (0x3a0UL)
-#define CKM_PBE_MD5_DES_CBC (0x3a1UL)
-#define CKM_PBE_MD5_CAST_CBC (0x3a2UL)
-#define CKM_PBE_MD5_CAST3_CBC (0x3a3UL)
-#define CKM_PBE_MD5_CAST5_CBC (0x3a4UL)
-#define CKM_PBE_MD5_CAST128_CBC (0x3a4UL)
-#define CKM_PBE_SHA1_CAST5_CBC (0x3a5UL)
-#define CKM_PBE_SHA1_CAST128_CBC (0x3a5UL)
-#define CKM_PBE_SHA1_RC4_128 (0x3a6UL)
-#define CKM_PBE_SHA1_RC4_40 (0x3a7UL)
-#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8UL)
-#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9UL)
-#define CKM_PBE_SHA1_RC2_128_CBC (0x3aaUL)
-#define CKM_PBE_SHA1_RC2_40_CBC (0x3abUL)
-#define CKM_PKCS5_PBKD2 (0x3b0UL)
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0UL)
-#define CKM_WTLS_PRE_MASTER_KEY_GEN (0x3d0UL)
-#define CKM_WTLS_MASTER_KEY_DERIVE (0x3d1UL)
-#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC (0x3d2UL)
-#define CKM_WTLS_PRF (0x3d3UL)
-#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE (0x3d4UL)
-#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE (0x3d5UL)
-#define CKM_TLS10_MAC_SERVER (0x3d6UL)
-#define CKM_TLS10_MAC_CLIENT (0x3d7UL)
-#define CKM_TLS12_MAC (0x3d8UL)
-#define CKM_TLS12_KDF (0x3d9UL)
-#define CKM_TLS12_MASTER_KEY_DERIVE (0x3e0UL)
-#define CKM_TLS12_KEY_AND_MAC_DERIVE (0x3e1UL)
-#define CKM_TLS12_MASTER_KEY_DERIVE_DH (0x3e2UL)
-#define CKM_TLS12_KEY_SAFE_DERIVE (0x3e3UL)
-#define CKM_TLS_MAC (0x3e4UL)
-#define CKM_TLS_KDF (0x3e5UL)
-#define CKM_KEY_WRAP_LYNKS (0x400UL)
-#define CKM_KEY_WRAP_SET_OAEP (0x401UL)
-#define CKM_CMS_SIG (0x500UL)
-#define CKM_KIP_DERIVE (0x510UL)
-#define CKM_KIP_WRAP (0x511UL)
-#define CKM_KIP_MAC (0x512UL)
-#define CKM_ARIA_KEY_GEN (0x560UL)
-#define CKM_ARIA_ECB (0x561UL)
-#define CKM_ARIA_CBC (0x562UL)
-#define CKM_ARIA_MAC (0x563UL)
-#define CKM_ARIA_MAC_GENERAL (0x564UL)
-#define CKM_ARIA_CBC_PAD (0x565UL)
-#define CKM_ARIA_ECB_ENCRYPT_DATA (0x566UL)
-#define CKM_ARIA_CBC_ENCRYPT_DATA (0x567UL)
-#define CKM_SEED_KEY_GEN (0x650UL)
-#define CKM_SEED_ECB (0x651UL)
-#define CKM_SEED_CBC (0x652UL)
-#define CKM_SEED_MAC (0x653UL)
-#define CKM_SEED_MAC_GENERAL (0x654UL)
-#define CKM_SEED_CBC_PAD (0x655UL)
-#define CKM_SEED_ECB_ENCRYPT_DATA (0x656UL)
-#define CKM_SEED_CBC_ENCRYPT_DATA (0x657UL)
-#define CKM_SKIPJACK_KEY_GEN (0x1000UL)
-#define CKM_SKIPJACK_ECB64 (0x1001UL)
-#define CKM_SKIPJACK_CBC64 (0x1002UL)
-#define CKM_SKIPJACK_OFB64 (0x1003UL)
-#define CKM_SKIPJACK_CFB64 (0x1004UL)
-#define CKM_SKIPJACK_CFB32 (0x1005UL)
-#define CKM_SKIPJACK_CFB16 (0x1006UL)
-#define CKM_SKIPJACK_CFB8 (0x1007UL)
-#define CKM_SKIPJACK_WRAP (0x1008UL)
-#define CKM_SKIPJACK_PRIVATE_WRAP (0x1009UL)
-#define CKM_SKIPJACK_RELAYX (0x100aUL)
-#define CKM_KEA_KEY_PAIR_GEN (0x1010UL)
-#define CKM_KEA_KEY_DERIVE (0x1011UL)
-#define CKM_FORTEZZA_TIMESTAMP (0x1020UL)
-#define CKM_BATON_KEY_GEN (0x1030UL)
-#define CKM_BATON_ECB128 (0x1031UL)
-#define CKM_BATON_ECB96 (0x1032UL)
-#define CKM_BATON_CBC128 (0x1033UL)
-#define CKM_BATON_COUNTER (0x1034UL)
-#define CKM_BATON_SHUFFLE (0x1035UL)
-#define CKM_BATON_WRAP (0x1036UL)
-#define CKM_ECDSA_KEY_PAIR_GEN (0x1040UL)
-#define CKM_EC_KEY_PAIR_GEN (0x1040UL)
-#define CKM_ECDSA (0x1041UL)
-#define CKM_ECDSA_SHA1 (0x1042UL)
-#define CKM_ECDSA_SHA224 (0x1043UL)
-#define CKM_ECDSA_SHA256 (0x1044UL)
-#define CKM_ECDSA_SHA384 (0x1045UL)
-#define CKM_ECDSA_SHA512 (0x1046UL)
-#define CKM_ECDH1_DERIVE (0x1050UL)
-#define CKM_ECDH1_COFACTOR_DERIVE (0x1051UL)
-#define CKM_ECMQV_DERIVE (0x1052UL)
-#define CKM_ECDH_AES_KEY_WRAP (0x1053UL)
-#define CKM_RSA_AES_KEY_WRAP (0x1054UL)
-#define CKM_JUNIPER_KEY_GEN (0x1060UL)
-#define CKM_JUNIPER_ECB128 (0x1061UL)
-#define CKM_JUNIPER_CBC128 (0x1062UL)
-#define CKM_JUNIPER_COUNTER (0x1063UL)
-#define CKM_JUNIPER_SHUFFLE (0x1064UL)
-#define CKM_JUNIPER_WRAP (0x1065UL)
-#define CKM_FASTHASH (0x1070UL)
-#define CKM_AES_KEY_GEN (0x1080UL)
-#define CKM_AES_ECB (0x1081UL)
-#define CKM_AES_CBC (0x1082UL)
-#define CKM_AES_MAC (0x1083UL)
-#define CKM_AES_MAC_GENERAL (0x1084UL)
-#define CKM_AES_CBC_PAD (0x1085UL)
-#define CKM_AES_CTR (0x1086UL)
-#define CKM_AES_GCM (0x1087UL)
-#define CKM_AES_CCM (0x1088UL)
-#define CKM_AES_CTS (0x1089UL)
-#define CKM_AES_CMAC (0x108aUL)
-#define CKM_AES_CMAC_GENERAL (0x108bUL)
-#define CKM_AES_XCBC_MAC (0x108cUL)
-#define CKM_AES_XCBC_MAC_96 (0x108dUL)
-#define CKM_AES_GMAC (0x108eUL)
-#define CKM_BLOWFISH_KEY_GEN (0x1090UL)
-#define CKM_BLOWFISH_CBC (0x1091UL)
-#define CKM_TWOFISH_KEY_GEN (0x1092UL)
-#define CKM_TWOFISH_CBC (0x1093UL)
-#define CKM_BLOWFISH_CBC_PAD (0x1094UL)
-#define CKM_TWOFISH_CBC_PAD (0x1095UL)
-#define CKM_DES_ECB_ENCRYPT_DATA (0x1100UL)
-#define CKM_DES_CBC_ENCRYPT_DATA (0x1101UL)
-#define CKM_DES3_ECB_ENCRYPT_DATA (0x1102UL)
-#define CKM_DES3_CBC_ENCRYPT_DATA (0x1103UL)
-#define CKM_AES_ECB_ENCRYPT_DATA (0x1104UL)
-#define CKM_AES_CBC_ENCRYPT_DATA (0x1105UL)
-#define CKM_GOSTR3410_KEY_PAIR_GEN (0x1200UL)
-#define CKM_GOSTR3410 (0x1201UL)
-#define CKM_GOSTR3410_WITH_GOSTR3411 (0x1202UL)
-#define CKM_GOSTR3410_KEY_WRAP (0x1203UL)
-#define CKM_GOSTR3410_DERIVE (0x1204UL)
-#define CKM_GOSTR3411 (0x1210UL)
-#define CKM_GOSTR3411_HMAC (0x1211UL)
-#define CKM_GOST28147_KEY_GEN (0x1220UL)
-#define CKM_GOST28147_ECB (0x1221UL)
-#define CKM_GOST28147 (0x1222UL)
-#define CKM_GOST28147_MAC (0x1223UL)
-#define CKM_GOST28147_KEY_WRAP (0x1224UL)
-#define CKM_DSA_PARAMETER_GEN (0x2000UL)
-#define CKM_DH_PKCS_PARAMETER_GEN (0x2001UL)
-#define CKM_X9_42_DH_PARAMETER_GEN (0x2002UL)
-#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN (0x2003UL)
-#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN (0x2004UL)
-#define CKM_AES_OFB (0x2104UL)
-#define CKM_AES_CFB64 (0x2105UL)
-#define CKM_AES_CFB8 (0x2106UL)
-#define CKM_AES_CFB128 (0x2107UL)
-#define CKM_AES_CFB1 (0x2108UL)
-
-#define CKM_VENDOR_DEFINED ((unsigned long)(1UL << 31))
-
-/* Amendments */
-#define CKM_SHA224 (0x255UL)
-#define CKM_SHA224_HMAC (0x256UL)
-#define CKM_SHA224_HMAC_GENERAL (0x257UL)
-#define CKM_SHA224_RSA_PKCS (0x46UL)
-#define CKM_SHA224_RSA_PKCS_PSS (0x47UL)
-#define CKM_SHA224_KEY_DERIVATION (0x396UL)
-
-#define CKM_CAMELLIA_KEY_GEN (0x550UL)
-#define CKM_CAMELLIA_ECB (0x551UL)
-#define CKM_CAMELLIA_CBC (0x552UL)
-#define CKM_CAMELLIA_MAC (0x553UL)
-#define CKM_CAMELLIA_MAC_GENERAL (0x554UL)
-#define CKM_CAMELLIA_CBC_PAD (0x555UL)
-#define CKM_CAMELLIA_ECB_ENCRYPT_DATA (0x556UL)
-#define CKM_CAMELLIA_CBC_ENCRYPT_DATA (0x557UL)
-#define CKM_CAMELLIA_CTR (0x558UL)
-
-#define CKM_AES_KEY_WRAP (0x2109UL)
-#define CKM_AES_KEY_WRAP_PAD (0x210aUL)
-
-#define CKM_RSA_PKCS_TPM_1_1 (0x4001UL)
-#define CKM_RSA_PKCS_OAEP_TPM_1_1 (0x4002UL)
-
-/* From version 3.0 */
-#define CKM_EC_EDWARDS_KEY_PAIR_GEN (0x1055UL)
-#define CKM_EDDSA (0x1057UL)
-
-/* Attribute and other constants related to OTP */
-#define CK_OTP_FORMAT_DECIMAL (0UL)
-#define CK_OTP_FORMAT_HEXADECIMAL (1UL)
-#define CK_OTP_FORMAT_ALPHANUMERIC (2UL)
-#define CK_OTP_FORMAT_BINARY (3UL)
-#define CK_OTP_PARAM_IGNORED (0UL)
-#define CK_OTP_PARAM_OPTIONAL (1UL)
-#define CK_OTP_PARAM_MANDATORY (2UL)
-
-#define CK_OTP_VALUE (0UL)
-#define CK_OTP_PIN (1UL)
-#define CK_OTP_CHALLENGE (2UL)
-#define CK_OTP_TIME (3UL)
-#define CK_OTP_COUNTER (4UL)
-#define CK_OTP_FLAGS (5UL)
-#define CK_OTP_OUTPUT_LENGTH (6UL)
-#define CK_OTP_FORMAT (7UL)
-
-/* OTP mechanism flags */
-#define CKF_NEXT_OTP (0x01UL)
-#define CKF_EXCLUDE_TIME (0x02UL)
-#define CKF_EXCLUDE_COUNTER (0x04UL)
-#define CKF_EXCLUDE_CHALLENGE (0x08UL)
-#define CKF_EXCLUDE_PIN (0x10UL)
-#define CKF_USER_FRIENDLY_OTP (0x20UL)
-
-#define CKN_OTP_CHANGED (0x01UL)
-
-struct ck_mechanism {
- ck_mechanism_type_t mechanism;
- void * parameter;
- unsigned long parameter_len;
-};
-
-struct ck_mechanism_info {
- unsigned long min_key_size;
- unsigned long max_key_size;
- ck_flags_t flags;
-};
-
-typedef unsigned long ck_param_type;
-
-typedef struct ck_otp_param {
- ck_param_type type;
- void * value;
- unsigned long value_len;
-} ck_otp_param;
-
-typedef struct ck_otp_params {
- struct ck_otp_param *params;
- unsigned long count;
-} ck_otp_params;
-
-typedef struct ck_otp_signature_info {
- struct ck_otp_param *params;
- unsigned long count;
-} ck_otp_signature_info;
-
-#define CKG_MGF1_SHA1 0x00000001UL
-#define CKG_MGF1_SHA224 0x00000005UL
-#define CKG_MGF1_SHA256 0x00000002UL
-#define CKG_MGF1_SHA384 0x00000003UL
-#define CKG_MGF1_SHA512 0x00000004UL
-
-typedef unsigned long ck_rsa_pkcs_mgf_type_t;
-
-struct ck_rsa_pkcs_pss_params {
- ck_mechanism_type_t hash_alg;
- ck_rsa_pkcs_mgf_type_t mgf;
- unsigned long s_len;
-};
-
-typedef unsigned long ck_rsa_pkcs_oaep_source_type_t;
-
-struct ck_rsa_pkcs_oaep_params {
- ck_mechanism_type_t hash_alg;
- ck_rsa_pkcs_mgf_type_t mgf;
- ck_rsa_pkcs_oaep_source_type_t source;
- void * source_data;
- unsigned long source_data_len;
-};
-
-struct ck_aes_ctr_params {
- unsigned long counter_bits;
- unsigned char cb[16];
-};
-
-struct ck_gcm_params {
- unsigned char *iv_ptr;
- unsigned long iv_len;
- unsigned long iv_bits;
- unsigned char *aad_ptr;
- unsigned long aad_len;
- unsigned long tag_bits;
-};
-
-/* The following EC Key Derivation Functions are defined */
-#define CKD_NULL (0x01UL)
-#define CKD_SHA1_KDF (0x02UL)
-
-/* The following X9.42 DH key derivation functions are defined */
-#define CKD_SHA1_KDF_ASN1 (0x03UL)
-#define CKD_SHA1_KDF_CONCATENATE (0x04UL)
-#define CKD_SHA224_KDF (0x05UL)
-#define CKD_SHA256_KDF (0x06UL)
-#define CKD_SHA384_KDF (0x07UL)
-#define CKD_SHA512_KDF (0x08UL)
-#define CKD_CPDIVERSIFY_KDF (0x09UL)
-
-typedef unsigned long ck_ec_kdf_t;
-
-struct ck_ecdh1_derive_params {
- ck_ec_kdf_t kdf;
- unsigned long shared_data_len;
- unsigned char *shared_data;
- unsigned long public_data_len;
- unsigned char *public_data;
-};
-
-struct ck_key_derivation_string_data {
- unsigned char *string_data;
- unsigned long string_data_len;
-};
-
-struct ck_des_cbc_encrypt_data_params {
- unsigned char iv[8];
- unsigned char *data_params;
- unsigned long length;
-};
-
-struct ck_aes_cbc_encrypt_data_params {
- unsigned char iv[16];
- unsigned char *data_params;
- unsigned long length;
-};
-
-#define CKF_HW (1UL << 0)
-#define CKF_ENCRYPT (1UL << 8)
-#define CKF_DECRYPT (1UL << 9)
-#define CKF_DIGEST (1UL << 10)
-#define CKF_SIGN (1UL << 11)
-#define CKF_SIGN_RECOVER (1UL << 12)
-#define CKF_VERIFY (1UL << 13)
-#define CKF_VERIFY_RECOVER (1UL << 14)
-#define CKF_GENERATE (1UL << 15)
-#define CKF_GENERATE_KEY_PAIR (1UL << 16)
-#define CKF_WRAP (1UL << 17)
-#define CKF_UNWRAP (1UL << 18)
-#define CKF_DERIVE (1UL << 19)
-#define CKF_EXTENSION ((unsigned long)(1UL << 31))
-
-#define CKF_EC_F_P (1UL << 20)
-#define CKF_EC_NAMEDCURVE (1UL << 23)
-#define CKF_EC_UNCOMPRESS (1UL << 24)
-#define CKF_EC_COMPRESS (1UL << 25)
-
-/* Flags for C_WaitForSlotEvent. */
-#define CKF_DONT_BLOCK (1UL)
-
-typedef unsigned long ck_rv_t;
-
-typedef ck_rv_t (*ck_notify_t)(ck_session_handle_t session,
- ck_notification_t event, void *application);
-
-/* Forward reference. */
-struct ck_function_list;
-
-#define _CK_DECLARE_FUNCTION(name, args) \
- typedef ck_rv_t(*CK_##name) args; \
- ck_rv_t CK_SPEC name args
-
-_CK_DECLARE_FUNCTION(C_Initialize, (void *init_args));
-_CK_DECLARE_FUNCTION(C_Finalize, (void *reserved));
-_CK_DECLARE_FUNCTION(C_GetInfo, (struct ck_info * info));
-_CK_DECLARE_FUNCTION(C_GetFunctionList,
- (struct ck_function_list * *function_list));
-
-_CK_DECLARE_FUNCTION(C_GetSlotList,
- (unsigned char token_present, ck_slot_id_t *slot_list,
- unsigned long *count));
-_CK_DECLARE_FUNCTION(C_GetSlotInfo,
- (ck_slot_id_t slot_id, struct ck_slot_info *info));
-_CK_DECLARE_FUNCTION(C_GetTokenInfo,
- (ck_slot_id_t slot_id, struct ck_token_info *info));
-_CK_DECLARE_FUNCTION(C_WaitForSlotEvent,
- (ck_flags_t flags, ck_slot_id_t *slot, void *reserved));
-_CK_DECLARE_FUNCTION(C_GetMechanismList,
- (ck_slot_id_t slot_id, ck_mechanism_type_t *mechanism_list,
- unsigned long *count));
-_CK_DECLARE_FUNCTION(C_GetMechanismInfo,
- (ck_slot_id_t slot_id, ck_mechanism_type_t type,
- struct ck_mechanism_info *info));
-_CK_DECLARE_FUNCTION(C_InitToken,
- (ck_slot_id_t slot_id, unsigned char *pin,
- unsigned long pin_len, unsigned char *label));
-_CK_DECLARE_FUNCTION(C_InitPIN, (ck_session_handle_t session,
- unsigned char *pin, unsigned long pin_len));
-_CK_DECLARE_FUNCTION(C_SetPIN, (ck_session_handle_t session,
- unsigned char *old_pin, unsigned long old_len,
- unsigned char *new_pin, unsigned long new_len));
-
-_CK_DECLARE_FUNCTION(C_OpenSession,
- (ck_slot_id_t slot_id, ck_flags_t flags, void *application,
- ck_notify_t notify, ck_session_handle_t *session));
-_CK_DECLARE_FUNCTION(C_CloseSession, (ck_session_handle_t session));
-_CK_DECLARE_FUNCTION(C_CloseAllSessions, (ck_slot_id_t slot_id));
-_CK_DECLARE_FUNCTION(C_GetSessionInfo, (ck_session_handle_t session,
- struct ck_session_info *info));
-_CK_DECLARE_FUNCTION(C_GetOperationState, (ck_session_handle_t session,
- unsigned char * operation_state,
- unsigned long *operation_state_len));
-_CK_DECLARE_FUNCTION(C_SetOperationState,
- (ck_session_handle_t session,
- unsigned char * operation_state,
- unsigned long operation_state_len,
- ck_object_handle_t encryption_key,
- ck_object_handle_t authentiation_key));
-_CK_DECLARE_FUNCTION(C_Login,
- (ck_session_handle_t session, ck_user_type_t user_type,
- unsigned char *pin, unsigned long pin_len));
-_CK_DECLARE_FUNCTION(C_Logout, (ck_session_handle_t session));
-
-_CK_DECLARE_FUNCTION(C_CreateObject,
- (ck_session_handle_t session, struct ck_attribute *templ,
- unsigned long count, ck_object_handle_t *object));
-_CK_DECLARE_FUNCTION(C_CopyObject,
- (ck_session_handle_t session, ck_object_handle_t object,
- struct ck_attribute *templ, unsigned long count,
- ck_object_handle_t *new_object));
-_CK_DECLARE_FUNCTION(C_DestroyObject,
- (ck_session_handle_t session, ck_object_handle_t object));
-_CK_DECLARE_FUNCTION(C_GetObjectSize,
- (ck_session_handle_t session, ck_object_handle_t object,
- unsigned long *size));
-_CK_DECLARE_FUNCTION(C_GetAttributeValue,
- (ck_session_handle_t session, ck_object_handle_t object,
- struct ck_attribute *templ, unsigned long count));
-_CK_DECLARE_FUNCTION(C_SetAttributeValue,
- (ck_session_handle_t session, ck_object_handle_t object,
- struct ck_attribute *templ, unsigned long count));
-_CK_DECLARE_FUNCTION(C_FindObjectsInit,
- (ck_session_handle_t session, struct ck_attribute *templ,
- unsigned long count));
-_CK_DECLARE_FUNCTION(C_FindObjects,
- (ck_session_handle_t session, ck_object_handle_t *object,
- unsigned long max_object_count,
- unsigned long *object_count));
-_CK_DECLARE_FUNCTION(C_FindObjectsFinal, (ck_session_handle_t session));
-
-_CK_DECLARE_FUNCTION(C_EncryptInit,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism, ck_object_handle_t key));
-_CK_DECLARE_FUNCTION(C_Encrypt,
- (ck_session_handle_t session, unsigned char *data,
- unsigned long data_len, unsigned char *encrypted_data,
- unsigned long *encrypted_data_len));
-_CK_DECLARE_FUNCTION(C_EncryptUpdate,
- (ck_session_handle_t session, unsigned char *part,
- unsigned long part_len, unsigned char *encrypted_part,
- unsigned long *encrypted_part_len));
-_CK_DECLARE_FUNCTION(C_EncryptFinal, (ck_session_handle_t session,
- unsigned char * last_encrypted_part,
- unsigned long *last_encrypted_part_len));
-
-_CK_DECLARE_FUNCTION(C_DecryptInit,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism, ck_object_handle_t key));
-_CK_DECLARE_FUNCTION(C_Decrypt, (ck_session_handle_t session,
- unsigned char * encrypted_data,
- unsigned long encrypted_data_len,
- unsigned char *data, unsigned long *data_len));
-_CK_DECLARE_FUNCTION(C_DecryptUpdate,
- (ck_session_handle_t session,
- unsigned char * encrypted_part,
- unsigned long encrypted_part_len, unsigned char *part,
- unsigned long *part_len));
-_CK_DECLARE_FUNCTION(C_DecryptFinal,
- (ck_session_handle_t session, unsigned char *last_part,
- unsigned long *last_part_len));
-
-_CK_DECLARE_FUNCTION(C_DigestInit, (ck_session_handle_t session,
- struct ck_mechanism *mechanism));
-_CK_DECLARE_FUNCTION(C_Digest,
- (ck_session_handle_t session, unsigned char *data,
- unsigned long data_len, unsigned char *digest,
- unsigned long *digest_len));
-_CK_DECLARE_FUNCTION(C_DigestUpdate,
- (ck_session_handle_t session, unsigned char *part,
- unsigned long part_len));
-_CK_DECLARE_FUNCTION(C_DigestKey,
- (ck_session_handle_t session, ck_object_handle_t key));
-_CK_DECLARE_FUNCTION(C_DigestFinal,
- (ck_session_handle_t session, unsigned char *digest,
- unsigned long *digest_len));
-
-_CK_DECLARE_FUNCTION(C_SignInit,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism, ck_object_handle_t key));
-_CK_DECLARE_FUNCTION(C_Sign, (ck_session_handle_t session, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long *signature_len));
-_CK_DECLARE_FUNCTION(C_SignUpdate,
- (ck_session_handle_t session, unsigned char *part,
- unsigned long part_len));
-_CK_DECLARE_FUNCTION(C_SignFinal,
- (ck_session_handle_t session, unsigned char *signature,
- unsigned long *signature_len));
-_CK_DECLARE_FUNCTION(C_SignRecoverInit,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism, ck_object_handle_t key));
-_CK_DECLARE_FUNCTION(C_SignRecover,
- (ck_session_handle_t session, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long *signature_len));
-
-_CK_DECLARE_FUNCTION(C_VerifyInit,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism, ck_object_handle_t key));
-_CK_DECLARE_FUNCTION(C_Verify,
- (ck_session_handle_t session, unsigned char *data,
- unsigned long data_len, unsigned char *signature,
- unsigned long signature_len));
-_CK_DECLARE_FUNCTION(C_VerifyUpdate,
- (ck_session_handle_t session, unsigned char *part,
- unsigned long part_len));
-_CK_DECLARE_FUNCTION(C_VerifyFinal,
- (ck_session_handle_t session, unsigned char *signature,
- unsigned long signature_len));
-_CK_DECLARE_FUNCTION(C_VerifyRecoverInit,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism, ck_object_handle_t key));
-_CK_DECLARE_FUNCTION(C_VerifyRecover,
- (ck_session_handle_t session, unsigned char *signature,
- unsigned long signature_len, unsigned char *data,
- unsigned long *data_len));
-
-_CK_DECLARE_FUNCTION(C_DigestEncryptUpdate,
- (ck_session_handle_t session, unsigned char *part,
- unsigned long part_len, unsigned char *encrypted_part,
- unsigned long *encrypted_part_len));
-_CK_DECLARE_FUNCTION(C_DecryptDigestUpdate,
- (ck_session_handle_t session,
- unsigned char * encrypted_part,
- unsigned long encrypted_part_len, unsigned char *part,
- unsigned long *part_len));
-_CK_DECLARE_FUNCTION(C_SignEncryptUpdate,
- (ck_session_handle_t session, unsigned char *part,
- unsigned long part_len, unsigned char *encrypted_part,
- unsigned long *encrypted_part_len));
-_CK_DECLARE_FUNCTION(C_DecryptVerifyUpdate,
- (ck_session_handle_t session,
- unsigned char * encrypted_part,
- unsigned long encrypted_part_len, unsigned char *part,
- unsigned long *part_len));
-
-_CK_DECLARE_FUNCTION(C_GenerateKey,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism,
- struct ck_attribute *templ, unsigned long count,
- ck_object_handle_t *key));
-_CK_DECLARE_FUNCTION(C_GenerateKeyPair,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism,
- struct ck_attribute *public_key_template,
- unsigned long public_key_attribute_count,
- struct ck_attribute *private_key_template,
- unsigned long private_key_attribute_count,
- ck_object_handle_t * public_key,
- ck_object_handle_t * private_key));
-_CK_DECLARE_FUNCTION(C_WrapKey,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t wrapping_key, ck_object_handle_t key,
- unsigned char *wrapped_key,
- unsigned long *wrapped_key_len));
-_CK_DECLARE_FUNCTION(C_UnwrapKey,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t unwrapping_key,
- unsigned char *wrapped_key, unsigned long wrapped_key_len,
- struct ck_attribute *templ, unsigned long attribute_count,
- ck_object_handle_t *key));
-_CK_DECLARE_FUNCTION(C_DeriveKey,
- (ck_session_handle_t session,
- struct ck_mechanism *mechanism,
- ck_object_handle_t base_key, struct ck_attribute *templ,
- unsigned long attribute_count, ck_object_handle_t *key));
-
-_CK_DECLARE_FUNCTION(C_SeedRandom,
- (ck_session_handle_t session, unsigned char *seed,
- unsigned long seed_len));
-_CK_DECLARE_FUNCTION(C_GenerateRandom,
- (ck_session_handle_t session, unsigned char *random_data,
- unsigned long random_len));
-
-_CK_DECLARE_FUNCTION(C_GetFunctionStatus, (ck_session_handle_t session));
-_CK_DECLARE_FUNCTION(C_CancelFunction, (ck_session_handle_t session));
-
-struct ck_function_list {
- struct ck_version version;
- CK_C_Initialize C_Initialize;
- CK_C_Finalize C_Finalize;
- CK_C_GetInfo C_GetInfo;
- CK_C_GetFunctionList C_GetFunctionList;
- CK_C_GetSlotList C_GetSlotList;
- CK_C_GetSlotInfo C_GetSlotInfo;
- CK_C_GetTokenInfo C_GetTokenInfo;
- CK_C_GetMechanismList C_GetMechanismList;
- CK_C_GetMechanismInfo C_GetMechanismInfo;
- CK_C_InitToken C_InitToken;
- CK_C_InitPIN C_InitPIN;
- CK_C_SetPIN C_SetPIN;
- CK_C_OpenSession C_OpenSession;
- CK_C_CloseSession C_CloseSession;
- CK_C_CloseAllSessions C_CloseAllSessions;
- CK_C_GetSessionInfo C_GetSessionInfo;
- CK_C_GetOperationState C_GetOperationState;
- CK_C_SetOperationState C_SetOperationState;
- CK_C_Login C_Login;
- CK_C_Logout C_Logout;
- CK_C_CreateObject C_CreateObject;
- CK_C_CopyObject C_CopyObject;
- CK_C_DestroyObject C_DestroyObject;
- CK_C_GetObjectSize C_GetObjectSize;
- CK_C_GetAttributeValue C_GetAttributeValue;
- CK_C_SetAttributeValue C_SetAttributeValue;
- CK_C_FindObjectsInit C_FindObjectsInit;
- CK_C_FindObjects C_FindObjects;
- CK_C_FindObjectsFinal C_FindObjectsFinal;
- CK_C_EncryptInit C_EncryptInit;
- CK_C_Encrypt C_Encrypt;
- CK_C_EncryptUpdate C_EncryptUpdate;
- CK_C_EncryptFinal C_EncryptFinal;
- CK_C_DecryptInit C_DecryptInit;
- CK_C_Decrypt C_Decrypt;
- CK_C_DecryptUpdate C_DecryptUpdate;
- CK_C_DecryptFinal C_DecryptFinal;
- CK_C_DigestInit C_DigestInit;
- CK_C_Digest C_Digest;
- CK_C_DigestUpdate C_DigestUpdate;
- CK_C_DigestKey C_DigestKey;
- CK_C_DigestFinal C_DigestFinal;
- CK_C_SignInit C_SignInit;
- CK_C_Sign C_Sign;
- CK_C_SignUpdate C_SignUpdate;
- CK_C_SignFinal C_SignFinal;
- CK_C_SignRecoverInit C_SignRecoverInit;
- CK_C_SignRecover C_SignRecover;
- CK_C_VerifyInit C_VerifyInit;
- CK_C_Verify C_Verify;
- CK_C_VerifyUpdate C_VerifyUpdate;
- CK_C_VerifyFinal C_VerifyFinal;
- CK_C_VerifyRecoverInit C_VerifyRecoverInit;
- CK_C_VerifyRecover C_VerifyRecover;
- CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
- CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
- CK_C_SignEncryptUpdate C_SignEncryptUpdate;
- CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
- CK_C_GenerateKey C_GenerateKey;
- CK_C_GenerateKeyPair C_GenerateKeyPair;
- CK_C_WrapKey C_WrapKey;
- CK_C_UnwrapKey C_UnwrapKey;
- CK_C_DeriveKey C_DeriveKey;
- CK_C_SeedRandom C_SeedRandom;
- CK_C_GenerateRandom C_GenerateRandom;
- CK_C_GetFunctionStatus C_GetFunctionStatus;
- CK_C_CancelFunction C_CancelFunction;
- CK_C_WaitForSlotEvent C_WaitForSlotEvent;
-};
-
-typedef ck_rv_t (*ck_createmutex_t)(void **mutex);
-typedef ck_rv_t (*ck_destroymutex_t)(void *mutex);
-typedef ck_rv_t (*ck_lockmutex_t)(void *mutex);
-typedef ck_rv_t (*ck_unlockmutex_t)(void *mutex);
-
-struct ck_c_initialize_args {
- ck_createmutex_t create_mutex;
- ck_destroymutex_t destroy_mutex;
- ck_lockmutex_t lock_mutex;
- ck_unlockmutex_t unlock_mutex;
- ck_flags_t flags;
- void * reserved;
-};
-
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1UL << 0)
-#define CKF_OS_LOCKING_OK (1UL << 1)
-
-#define CKR_OK (0UL)
-#define CKR_CANCEL (1UL)
-#define CKR_HOST_MEMORY (2UL)
-#define CKR_SLOT_ID_INVALID (3UL)
-#define CKR_GENERAL_ERROR (5UL)
-#define CKR_FUNCTION_FAILED (6UL)
-#define CKR_ARGUMENTS_BAD (7UL)
-#define CKR_NO_EVENT (8UL)
-#define CKR_NEED_TO_CREATE_THREADS (9UL)
-#define CKR_CANT_LOCK (0xaUL)
-#define CKR_ATTRIBUTE_READ_ONLY (0x10UL)
-#define CKR_ATTRIBUTE_SENSITIVE (0x11UL)
-#define CKR_ATTRIBUTE_TYPE_INVALID (0x12UL)
-#define CKR_ATTRIBUTE_VALUE_INVALID (0x13UL)
-#define CKR_ACTION_PROHIBITED (0x1BUL)
-#define CKR_DATA_INVALID (0x20UL)
-#define CKR_DATA_LEN_RANGE (0x21UL)
-#define CKR_DEVICE_ERROR (0x30UL)
-#define CKR_DEVICE_MEMORY (0x31UL)
-#define CKR_DEVICE_REMOVED (0x32UL)
-#define CKR_ENCRYPTED_DATA_INVALID (0x40UL)
-#define CKR_ENCRYPTED_DATA_LEN_RANGE (0x41UL)
-#define CKR_FUNCTION_CANCELED (0x50UL)
-#define CKR_FUNCTION_NOT_PARALLEL (0x51UL)
-#define CKR_FUNCTION_NOT_SUPPORTED (0x54UL)
-#define CKR_KEY_HANDLE_INVALID (0x60UL)
-#define CKR_KEY_SIZE_RANGE (0x62UL)
-#define CKR_KEY_TYPE_INCONSISTENT (0x63UL)
-#define CKR_KEY_NOT_NEEDED (0x64UL)
-#define CKR_KEY_CHANGED (0x65UL)
-#define CKR_KEY_NEEDED (0x66UL)
-#define CKR_KEY_INDIGESTIBLE (0x67UL)
-#define CKR_KEY_FUNCTION_NOT_PERMITTED (0x68UL)
-#define CKR_KEY_NOT_WRAPPABLE (0x69UL)
-#define CKR_KEY_UNEXTRACTABLE (0x6aUL)
-#define CKR_MECHANISM_INVALID (0x70UL)
-#define CKR_MECHANISM_PARAM_INVALID (0x71UL)
-#define CKR_OBJECT_HANDLE_INVALID (0x82UL)
-#define CKR_OPERATION_ACTIVE (0x90UL)
-#define CKR_OPERATION_NOT_INITIALIZED (0x91UL)
-#define CKR_PIN_INCORRECT (0xa0UL)
-#define CKR_PIN_INVALID (0xa1UL)
-#define CKR_PIN_LEN_RANGE (0xa2UL)
-#define CKR_PIN_EXPIRED (0xa3UL)
-#define CKR_PIN_LOCKED (0xa4UL)
-#define CKR_SESSION_CLOSED (0xb0UL)
-#define CKR_SESSION_COUNT (0xb1UL)
-#define CKR_SESSION_HANDLE_INVALID (0xb3UL)
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED (0xb4UL)
-#define CKR_SESSION_READ_ONLY (0xb5UL)
-#define CKR_SESSION_EXISTS (0xb6UL)
-#define CKR_SESSION_READ_ONLY_EXISTS (0xb7UL)
-#define CKR_SESSION_READ_WRITE_SO_EXISTS (0xb8UL)
-#define CKR_SIGNATURE_INVALID (0xc0UL)
-#define CKR_SIGNATURE_LEN_RANGE (0xc1UL)
-#define CKR_TEMPLATE_INCOMPLETE (0xd0UL)
-#define CKR_TEMPLATE_INCONSISTENT (0xd1UL)
-#define CKR_TOKEN_NOT_PRESENT (0xe0UL)
-#define CKR_TOKEN_NOT_RECOGNIZED (0xe1UL)
-#define CKR_TOKEN_WRITE_PROTECTED (0xe2UL)
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID (0xf0UL)
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE (0xf1UL)
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2UL)
-#define CKR_USER_ALREADY_LOGGED_IN (0x100UL)
-#define CKR_USER_NOT_LOGGED_IN (0x101UL)
-#define CKR_USER_PIN_NOT_INITIALIZED (0x102UL)
-#define CKR_USER_TYPE_INVALID (0x103UL)
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN (0x104UL)
-#define CKR_USER_TOO_MANY_TYPES (0x105UL)
-#define CKR_WRAPPED_KEY_INVALID (0x110UL)
-#define CKR_WRAPPED_KEY_LEN_RANGE (0x112UL)
-#define CKR_WRAPPING_KEY_HANDLE_INVALID (0x113UL)
-#define CKR_WRAPPING_KEY_SIZE_RANGE (0x114UL)
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT (0x115UL)
-#define CKR_RANDOM_SEED_NOT_SUPPORTED (0x120UL)
-#define CKR_RANDOM_NO_RNG (0x121UL)
-#define CKR_DOMAIN_PARAMS_INVALID (0x130UL)
-#define CKR_BUFFER_TOO_SMALL (0x150UL)
-#define CKR_SAVED_STATE_INVALID (0x160UL)
-#define CKR_INFORMATION_SENSITIVE (0x170UL)
-#define CKR_STATE_UNSAVEABLE (0x180UL)
-#define CKR_CRYPTOKI_NOT_INITIALIZED (0x190UL)
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191UL)
-#define CKR_MUTEX_BAD (0x1a0UL)
-#define CKR_MUTEX_NOT_LOCKED (0x1a1UL)
-#define CKR_NEW_PIN_MODE (0x1b0UL)
-#define CKR_NEXT_OTP (0x1b1UL)
-#define CKR_EXCEEDED_MAX_ITERATIONS (0x1c0UL)
-#define CKR_FIPS_SELF_TEST_FAILED (0x1c1UL)
-#define CKR_LIBRARY_LOAD_FAILED (0x1c2UL)
-#define CKR_PIN_TOO_WEAK (0x1c3UL)
-#define CKR_PUBLIC_KEY_INVALID (0x1c4UL)
-#define CKR_FUNCTION_REJECTED (0x200UL)
-#define CKR_VENDOR_DEFINED ((unsigned long)(1UL << 31))
-
-#define CKZ_DATA_SPECIFIED (0x01UL)
-
-/* Compatibility layer. */
-
-#ifdef CRYPTOKI_COMPAT
-
-#undef CK_DEFINE_FUNCTION
-#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
-
-/* For NULL. */
-#include <stddef.h>
-
-typedef unsigned char CK_BYTE;
-typedef unsigned char CK_CHAR;
-typedef unsigned char CK_UTF8CHAR;
-typedef unsigned char CK_BBOOL;
-typedef unsigned long int CK_ULONG;
-typedef long int CK_LONG;
-typedef CK_BYTE * CK_BYTE_PTR;
-typedef CK_CHAR * CK_CHAR_PTR;
-typedef CK_UTF8CHAR * CK_UTF8CHAR_PTR;
-typedef CK_ULONG * CK_ULONG_PTR;
-typedef void * CK_VOID_PTR;
-typedef void ** CK_VOID_PTR_PTR;
-#define CK_FALSE 0
-#define CK_TRUE 1
-#ifndef CK_DISABLE_TRUE_FALSE
-#ifndef FALSE
-#define FALSE 0
-#endif /* ifndef FALSE */
-#ifndef TRUE
-#define TRUE 1
-#endif /* ifndef TRUE */
-#endif /* ifndef CK_DISABLE_TRUE_FALSE */
-
-typedef struct ck_version CK_VERSION;
-typedef struct ck_version *CK_VERSION_PTR;
-
-typedef struct ck_info CK_INFO;
-typedef struct ck_info *CK_INFO_PTR;
-
-typedef ck_slot_id_t *CK_SLOT_ID_PTR;
-
-typedef struct ck_slot_info CK_SLOT_INFO;
-typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
-
-typedef struct ck_token_info CK_TOKEN_INFO;
-typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
-
-typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
-
-typedef struct ck_session_info CK_SESSION_INFO;
-typedef struct ck_session_info *CK_SESSION_INFO_PTR;
-
-typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
-
-typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
-
-typedef struct ck_attribute CK_ATTRIBUTE;
-typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
-
-typedef struct ck_date CK_DATE;
-typedef struct ck_date *CK_DATE_PTR;
-
-typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
-
-typedef struct ck_mechanism CK_MECHANISM;
-typedef struct ck_mechanism *CK_MECHANISM_PTR;
-
-typedef struct ck_mechanism_info CK_MECHANISM_INFO;
-typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
-
-typedef struct ck_otp_mechanism_info CK_OTP_MECHANISM_INFO;
-typedef struct ck_otp_mechanism_info *CK_OTP_MECHANISM_INFO_PTR;
-
-typedef struct ck_function_list CK_FUNCTION_LIST;
-typedef struct ck_function_list * CK_FUNCTION_LIST_PTR;
-typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
-
-typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
-typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
-
-typedef struct ck_rsa_pkcs_pss_params CK_RSA_PKCS_PSS_PARAMS;
-typedef struct ck_rsa_pkcs_pss_params *CK_RSA_PKCS_PSS_PARAMS_PTR;
-
-typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
-typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
-
-typedef struct ck_aes_ctr_params CK_AES_CTR_PARAMS;
-typedef struct ck_aes_ctr_params *CK_AES_CTR_PARAMS_PTR;
-
-typedef struct ck_gcm_params CK_GCM_PARAMS;
-typedef struct ck_gcm_params *CK_GCM_PARAMS_PTR;
-
-typedef struct ck_ecdh1_derive_params CK_ECDH1_DERIVE_PARAMS;
-typedef struct ck_ecdh1_derive_params *CK_ECDH1_DERIVE_PARAMS_PTR;
-
-typedef struct ck_key_derivation_string_data CK_KEY_DERIVATION_STRING_DATA;
-typedef struct ck_key_derivation_string_data *CK_KEY_DERIVATION_STRING_DATA_PTR;
-
-typedef struct ck_des_cbc_encrypt_data_params CK_DES_CBC_ENCRYPT_DATA_PARAMS;
-typedef struct ck_des_cbc_encrypt_data_params
- *CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-typedef struct ck_aes_cbc_encrypt_data_params CK_AES_CBC_ENCRYPT_DATA_PARAMS;
-typedef struct ck_aes_cbc_encrypt_data_params
- *CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-#ifndef NULL_PTR
-#define NULL_PTR NULL
-#endif /* ifndef NULL_PTR */
-
-/* Delete the helper macros defined at the top of the file. */
-#undef ck_flags_t
-#undef ck_version
-
-#undef ck_info
-#undef cryptoki_version
-#undef manufacturer_id
-#undef library_description
-#undef library_version
-
-#undef ck_notification_t
-#undef ck_slot_id_t
-
-#undef ck_slot_info
-#undef slot_description
-#undef hardware_version
-#undef firmware_version
-
-#undef ck_token_info
-#undef serial_number
-#undef max_session_count
-#undef session_count
-#undef max_rw_session_count
-#undef rw_session_count
-#undef max_pin_len
-#undef min_pin_len
-#undef total_public_memory
-#undef free_public_memory
-#undef total_private_memory
-#undef free_private_memory
-#undef utc_time
-
-#undef ck_session_handle_t
-#undef ck_user_type_t
-#undef ck_state_t
-
-#undef ck_session_info
-#undef slot_id
-#undef device_error
-
-#undef ck_object_handle_t
-#undef ck_object_class_t
-#undef ck_hw_feature_type_t
-#undef ck_key_type_t
-#undef ck_certificate_type_t
-#undef ck_attribute_type_t
-
-#undef ck_attribute
-#undef value
-#undef value_len
-
-#undef params
-#undef count
-
-#undef ck_date
-
-#undef ck_mechanism_type_t
-
-#undef ck_mechanism
-#undef parameter
-#undef parameter_len
-
-#undef ck_mechanism_info
-
-#undef ck_param_type
-#undef ck_otp_param
-#undef ck_otp_params
-#undef ck_otp_signature_info
-
-#undef min_key_size
-#undef max_key_size
-
-#undef ck_rv_t
-#undef ck_notify_t
-
-#undef ck_function_list
-
-#undef ck_createmutex_t
-#undef ck_destroymutex_t
-#undef ck_lockmutex_t
-#undef ck_unlockmutex_t
-
-#undef ck_c_initialize_args
-#undef create_mutex
-#undef destroy_mutex
-#undef lock_mutex
-#undef unlock_mutex
-#undef reserved
-
-#endif /* CRYPTOKI_COMPAT */
-
-/* System dependencies. */
-#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
-#pragma pack(pop, cryptoki)
-#endif /* if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) */
-
-#if defined(__cplusplus)
-}
-#endif /* if defined(__cplusplus) */
-
-#endif /* PKCS11_H */
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include <errno.h>
-#include <inttypes.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/stdio.h>
-#include <isc/strerr.h>
-#include <isc/string.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#include <pk11/internal.h>
-#include <pk11/pk11.h>
-#include <pk11/result.h>
-#include <pk11/site.h>
-#include <pkcs11/pkcs11.h>
-
-/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */
-#ifndef PINLEN
-#define PINLEN 256
-#endif /* ifndef PINLEN */
-
-#ifndef PK11_NO_LOGERR
-#define PK11_NO_LOGERR 1
-#endif /* ifndef PK11_NO_LOGERR */
-
-bool pk11_verbose_init = false;
-
-static isc_once_t once = ISC_ONCE_INIT;
-static isc_mem_t *pk11_mctx = NULL;
-static int32_t allocsize = 0;
-static bool initialized = false;
-
-typedef struct pk11_session pk11_session_t;
-typedef struct pk11_token pk11_token_t;
-typedef ISC_LIST(pk11_session_t) pk11_sessionlist_t;
-
-struct pk11_session {
- unsigned int magic;
- CK_SESSION_HANDLE session;
- ISC_LINK(pk11_session_t) link;
- pk11_token_t *token;
-};
-
-struct pk11_token {
- unsigned int magic;
- unsigned int operations;
- ISC_LINK(pk11_token_t) link;
- CK_SLOT_ID slotid;
- pk11_sessionlist_t sessions;
- bool logged;
- char name[32];
- char manuf[32];
- char model[16];
- char serial[16];
- char pin[PINLEN + 1];
-};
-static ISC_LIST(pk11_token_t) tokens;
-
-static pk11_token_t *best_rsa_token;
-static pk11_token_t *best_ecdsa_token;
-static pk11_token_t *best_eddsa_token;
-
-static isc_result_t
-free_all_sessions(void);
-static isc_result_t
-free_session_list(pk11_sessionlist_t *slist);
-static isc_result_t
-setup_session(pk11_session_t *sp, pk11_token_t *token, bool rw);
-static void
-scan_slots(void);
-static isc_result_t
-token_login(pk11_session_t *sp);
-static char *
-percent_decode(char *x, size_t *len);
-static bool
-pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny);
-static CK_ATTRIBUTE *
-push_attribute(pk11_object_t *obj, isc_mem_t *mctx, size_t len);
-
-static isc_mutex_t alloclock;
-static isc_mutex_t sessionlock;
-
-static pk11_sessionlist_t actives;
-
-static CK_C_INITIALIZE_ARGS pk11_init_args = {
- NULL_PTR, /* CreateMutex */
- NULL_PTR, /* DestroyMutex */
- NULL_PTR, /* LockMutex */
- NULL_PTR, /* UnlockMutex */
- CKF_OS_LOCKING_OK, /* flags */
- NULL_PTR, /* pReserved */
-};
-
-#ifndef PK11_LIB_LOCATION
-#define PK11_LIB_LOCATION "unknown_provider"
-#endif /* ifndef PK11_LIB_LOCATION */
-
-static const char *lib_name = PK11_LIB_LOCATION;
-
-void
-pk11_set_lib_name(const char *name) {
- lib_name = name;
-}
-
-const char *
-pk11_get_lib_name(void) {
- return (lib_name);
-}
-
-static void
-initialize(void) {
- char *pk11_provider;
-
- isc_mutex_init(&alloclock);
- isc_mutex_init(&sessionlock);
-
- pk11_provider = getenv("PKCS11_PROVIDER");
- if (pk11_provider != NULL) {
- lib_name = pk11_provider;
- }
-}
-
-void *
-pk11_mem_get(size_t size) {
- void *ptr;
-
- LOCK(&alloclock);
- if (pk11_mctx != NULL) {
- ptr = isc_mem_get(pk11_mctx, size);
- } else {
- ptr = malloc(size);
- if (ptr == NULL && size != 0) {
- char strbuf[ISC_STRERRORSIZE];
- strerror_r(errno, strbuf, sizeof(strbuf));
- isc_error_fatal(__FILE__, __LINE__, "malloc failed: %s",
- strbuf);
- }
- }
- UNLOCK(&alloclock);
-
- if (ptr != NULL) {
- memset(ptr, 0, size);
- }
- return (ptr);
-}
-
-void
-pk11_mem_put(void *ptr, size_t size) {
- if (ptr != NULL) {
- memset(ptr, 0, size);
- }
- LOCK(&alloclock);
- if (pk11_mctx != NULL) {
- isc_mem_put(pk11_mctx, ptr, size);
- } else {
- if (ptr != NULL) {
- allocsize -= (int)size;
- }
- free(ptr);
- }
- UNLOCK(&alloclock);
-}
-
-isc_result_t
-pk11_initialize(isc_mem_t *mctx, const char *engine) {
- isc_result_t result = ISC_R_SUCCESS;
- CK_RV rv;
-
- RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
- LOCK(&sessionlock);
- LOCK(&alloclock);
- if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) {
- isc_mem_attach(mctx, &pk11_mctx);
- }
- UNLOCK(&alloclock);
- if (initialized) {
- goto unlock;
- } else {
- initialized = true;
- }
-
- ISC_LIST_INIT(tokens);
- ISC_LIST_INIT(actives);
-
- if (engine != NULL) {
- lib_name = engine;
- }
-
- /* Initialize the CRYPTOKI library */
- rv = pkcs_C_Initialize((CK_VOID_PTR)&pk11_init_args);
-
- if (rv == 0xfe) {
- result = PK11_R_NOPROVIDER;
- fprintf(stderr, "Can't load PKCS#11 provider: %s\n",
- pk11_get_load_error_message());
- goto unlock;
- }
- if (rv != CKR_OK) {
- result = PK11_R_INITFAILED;
- goto unlock;
- }
-
- scan_slots();
-unlock:
- UNLOCK(&sessionlock);
- return (result);
-}
-
-isc_result_t
-pk11_finalize(void) {
- pk11_token_t *token, *next;
- isc_result_t ret;
-
- ret = free_all_sessions();
- (void)pkcs_C_Finalize(NULL_PTR);
- token = ISC_LIST_HEAD(tokens);
- while (token != NULL) {
- next = ISC_LIST_NEXT(token, link);
- ISC_LIST_UNLINK(tokens, token, link);
- if (token == best_rsa_token) {
- best_rsa_token = NULL;
- }
- if (token == best_ecdsa_token) {
- best_ecdsa_token = NULL;
- }
- if (token == best_eddsa_token) {
- best_eddsa_token = NULL;
- }
- pk11_mem_put(token, sizeof(*token));
- token = next;
- }
- if (pk11_mctx != NULL) {
- isc_mem_detach(&pk11_mctx);
- }
- initialized = false;
- return (ret);
-}
-
-isc_result_t
-pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, bool need_services,
- bool rw, bool logon, const char *pin, CK_SLOT_ID slot) {
- pk11_token_t *token = NULL;
- pk11_sessionlist_t *freelist;
- pk11_session_t *sp;
- isc_result_t ret;
- UNUSED(need_services);
-
- memset(ctx, 0, sizeof(pk11_context_t));
- ctx->handle = NULL;
- ctx->session = CK_INVALID_HANDLE;
-
- ret = pk11_initialize(NULL, NULL);
- if (ret != ISC_R_SUCCESS) {
- return (ret);
- }
-
- LOCK(&sessionlock);
- /* wait for initialization to finish */
- UNLOCK(&sessionlock);
-
- switch (optype) {
- case OP_ANY:
- for (token = ISC_LIST_HEAD(tokens); token != NULL;
- token = ISC_LIST_NEXT(token, link))
- {
- if (token->slotid == slot) {
- break;
- }
- }
- break;
- default:
- for (token = ISC_LIST_HEAD(tokens); token != NULL;
- token = ISC_LIST_NEXT(token, link))
- {
- if (token->slotid == slot) {
- break;
- }
- }
- break;
- }
- if (token == NULL) {
- return (ISC_R_NOTFOUND);
- }
-
- /* Override the token's PIN */
- if (logon && pin != NULL && *pin != '\0') {
- if (strlen(pin) > PINLEN) {
- return (ISC_R_RANGE);
- }
- /*
- * We want to zero out the old pin before
- * overwriting with a new one.
- */
- memset(token->pin, 0, sizeof(token->pin));
- strlcpy(token->pin, pin, sizeof(token->pin));
- }
-
- freelist = &token->sessions;
-
- LOCK(&sessionlock);
- sp = ISC_LIST_HEAD(*freelist);
- if (sp != NULL) {
- ISC_LIST_UNLINK(*freelist, sp, link);
- ISC_LIST_APPEND(actives, sp, link);
- UNLOCK(&sessionlock);
- if (logon) {
- ret = token_login(sp);
- }
- ctx->handle = sp;
- ctx->session = sp->session;
- return (ret);
- }
- UNLOCK(&sessionlock);
-
- sp = pk11_mem_get(sizeof(*sp));
- sp->magic = SES_MAGIC;
- sp->token = token;
- sp->session = CK_INVALID_HANDLE;
- ISC_LINK_INIT(sp, link);
- ret = setup_session(sp, token, rw);
- if ((ret == ISC_R_SUCCESS) && logon) {
- ret = token_login(sp);
- }
- LOCK(&sessionlock);
- ISC_LIST_APPEND(actives, sp, link);
- UNLOCK(&sessionlock);
- ctx->handle = sp;
- ctx->session = sp->session;
- return (ret);
-}
-
-void
-pk11_return_session(pk11_context_t *ctx) {
- pk11_session_t *sp = (pk11_session_t *)ctx->handle;
-
- if (sp == NULL) {
- return;
- }
- ctx->handle = NULL;
- ctx->session = CK_INVALID_HANDLE;
-
- LOCK(&sessionlock);
- ISC_LIST_UNLINK(actives, sp, link);
- UNLOCK(&sessionlock);
- if (sp->session == CK_INVALID_HANDLE) {
- pk11_mem_put(sp, sizeof(*sp));
- return;
- }
-
- LOCK(&sessionlock);
- ISC_LIST_APPEND(sp->token->sessions, sp, link);
- UNLOCK(&sessionlock);
-}
-
-static isc_result_t
-free_all_sessions(void) {
- pk11_token_t *token;
- isc_result_t ret = ISC_R_SUCCESS;
- isc_result_t oret;
-
- for (token = ISC_LIST_HEAD(tokens); token != NULL;
- token = ISC_LIST_NEXT(token, link))
- {
- oret = free_session_list(&token->sessions);
- if (oret != ISC_R_SUCCESS) {
- ret = oret;
- }
- }
- if (!ISC_LIST_EMPTY(actives)) {
- ret = ISC_R_ADDRINUSE;
- oret = free_session_list(&actives);
- if (oret != ISC_R_SUCCESS) {
- ret = oret;
- }
- }
- return (ret);
-}
-
-static isc_result_t
-free_session_list(pk11_sessionlist_t *slist) {
- pk11_session_t *sp;
- CK_RV rv;
- isc_result_t ret;
-
- ret = ISC_R_SUCCESS;
- LOCK(&sessionlock);
- while (!ISC_LIST_EMPTY(*slist)) {
- sp = ISC_LIST_HEAD(*slist);
- ISC_LIST_UNLINK(*slist, sp, link);
- UNLOCK(&sessionlock);
- if (sp->session != CK_INVALID_HANDLE) {
- rv = pkcs_C_CloseSession(sp->session);
- if (rv != CKR_OK) {
- ret = ISC_R_CRYPTOFAILURE;
- }
- }
- LOCK(&sessionlock);
- pk11_mem_put(sp, sizeof(*sp));
- }
- UNLOCK(&sessionlock);
-
- return (ret);
-}
-
-static isc_result_t
-setup_session(pk11_session_t *sp, pk11_token_t *token, bool rw) {
- CK_RV rv;
- CK_FLAGS flags = CKF_SERIAL_SESSION;
-
- if (rw) {
- flags += CKF_RW_SESSION;
- }
-
- rv = pkcs_C_OpenSession(token->slotid, flags, NULL_PTR, NULL_PTR,
- &sp->session);
- if (rv != CKR_OK) {
- return (ISC_R_CRYPTOFAILURE);
- }
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-token_login(pk11_session_t *sp) {
- CK_RV rv;
- pk11_token_t *token = sp->token;
- isc_result_t ret = ISC_R_SUCCESS;
-
- LOCK(&sessionlock);
- if (!token->logged) {
- rv = pkcs_C_Login(sp->session, CKU_USER,
- (CK_UTF8CHAR_PTR)token->pin,
- (CK_ULONG)strlen(token->pin));
- if (rv != CKR_OK) {
-#if PK11_NO_LOGERR
- pk11_error_fatalcheck(__FILE__, __LINE__,
- "pkcs_C_Login", rv);
-#else /* if PK11_NO_LOGERR */
- ret = ISC_R_NOPERM;
-#endif /* if PK11_NO_LOGERR */
- } else {
- token->logged = true;
- }
- }
- UNLOCK(&sessionlock);
- return (ret);
-}
-
-#define PK11_TRACE(fmt) \
- if (pk11_verbose_init) \
- fprintf(stderr, fmt)
-#define PK11_TRACE1(fmt, arg) \
- if (pk11_verbose_init) \
- fprintf(stderr, fmt, arg)
-#define PK11_TRACE2(fmt, arg1, arg2) \
- if (pk11_verbose_init) \
- fprintf(stderr, fmt, arg1, arg2)
-#define PK11_TRACEM(mech) \
- if (pk11_verbose_init) \
- fprintf(stderr, #mech ": 0x%lx\n", rv)
-
-static void
-scan_slots(void) {
- CK_MECHANISM_INFO mechInfo;
- CK_TOKEN_INFO tokenInfo;
- CK_RV rv;
- CK_SLOT_ID slot;
- CK_SLOT_ID_PTR slotList;
- CK_ULONG slotCount;
- pk11_token_t *token;
- unsigned int i;
- bool bad;
-
- slotCount = 0;
- PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount));
- PK11_TRACE1("slotCount=%lu\n", slotCount);
- /* it's not an error if we didn't find any providers */
- if (slotCount == 0) {
- return;
- }
- slotList = pk11_mem_get(sizeof(CK_SLOT_ID) * slotCount);
- PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount));
-
- for (i = 0; i < slotCount; i++) {
- slot = slotList[i];
- PK11_TRACE2("slot#%u=0x%lx\n", i, slot);
-
- rv = pkcs_C_GetTokenInfo(slot, &tokenInfo);
- if (rv != CKR_OK) {
- continue;
- }
- token = pk11_mem_get(sizeof(*token));
- token->magic = TOK_MAGIC;
- token->slotid = slot;
- ISC_LINK_INIT(token, link);
- ISC_LIST_INIT(token->sessions);
- memmove(token->name, tokenInfo.label, 32);
- memmove(token->manuf, tokenInfo.manufacturerID, 32);
- memmove(token->model, tokenInfo.model, 16);
- memmove(token->serial, tokenInfo.serialNumber, 16);
- ISC_LIST_APPEND(tokens, token, link);
-
- /* Check for RSA support */
- bad = false;
- rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
- &mechInfo);
- if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
- bad = true;
- PK11_TRACEM(CKM_RSA_PKCS_KEY_PAIR_GEN);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
- {
- bad = true;
- PK11_TRACEM(CKM_MD5_RSA_PKCS);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
- &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
- {
- bad = true;
- PK11_TRACEM(CKM_SHA1_RSA_PKCS);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS,
- &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
- {
- bad = true;
- PK11_TRACEM(CKM_SHA256_RSA_PKCS);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS,
- &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
- {
- bad = true;
- PK11_TRACEM(CKM_SHA512_RSA_PKCS);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
- {
- bad = true;
- PK11_TRACEM(CKM_RSA_PKCS);
- }
- if (!bad) {
- token->operations |= 1 << OP_RSA;
- if (best_rsa_token == NULL) {
- best_rsa_token = token;
- }
- }
-
- /* Check for ECDSA support */
- bad = false;
- rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
- &mechInfo);
- if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
- bad = true;
- PK11_TRACEM(CKM_EC_KEY_PAIR_GEN);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_ECDSA, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
- {
- bad = true;
- PK11_TRACEM(CKM_ECDSA);
- }
- if (!bad) {
- token->operations |= 1 << OP_ECDSA;
- if (best_ecdsa_token == NULL) {
- best_ecdsa_token = token;
- }
- }
-
- /* Check for EDDSA support */
- bad = false;
- rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_EDWARDS_KEY_PAIR_GEN,
- &mechInfo);
- if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
- bad = true;
- PK11_TRACEM(CKM_EC_EDWARDS_KEY_PAIR_GEN);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
- {
- bad = true;
- PK11_TRACEM(CKM_EDDSA);
- }
- if (!bad) {
- token->operations |= 1 << OP_EDDSA;
- if (best_eddsa_token == NULL) {
- best_eddsa_token = token;
- }
- }
- }
-
- if (slotList != NULL) {
- pk11_mem_put(slotList, sizeof(CK_SLOT_ID) * slotCount);
- }
-}
-
-CK_SLOT_ID
-pk11_get_best_token(pk11_optype_t optype) {
- pk11_token_t *token = NULL;
-
- switch (optype) {
- case OP_RSA:
- token = best_rsa_token;
- break;
- case OP_ECDSA:
- token = best_ecdsa_token;
- break;
- case OP_EDDSA:
- token = best_eddsa_token;
- break;
- default:
- break;
- }
- if (token == NULL) {
- return (0);
- }
- return (token->slotid);
-}
-
-isc_result_t
-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
- unsigned int bitcnt, i;
- CK_BYTE top;
-
- if (bytecnt == 0) {
- *bits = 0;
- return (ISC_R_SUCCESS);
- }
- bitcnt = bytecnt * 8;
- for (i = 0; i < bytecnt; i++) {
- top = data[i];
- if (top == 0) {
- bitcnt -= 8;
- continue;
- }
- if (top & 0x80) {
- *bits = bitcnt;
- return (ISC_R_SUCCESS);
- }
- if (top & 0x40) {
- *bits = bitcnt - 1;
- return (ISC_R_SUCCESS);
- }
- if (top & 0x20) {
- *bits = bitcnt - 2;
- return (ISC_R_SUCCESS);
- }
- if (top & 0x10) {
- *bits = bitcnt - 3;
- return (ISC_R_SUCCESS);
- }
- if (top & 0x08) {
- *bits = bitcnt - 4;
- return (ISC_R_SUCCESS);
- }
- if (top & 0x04) {
- *bits = bitcnt - 5;
- return (ISC_R_SUCCESS);
- }
- if (top & 0x02) {
- *bits = bitcnt - 6;
- return (ISC_R_SUCCESS);
- }
- if (top & 0x01) {
- *bits = bitcnt - 7;
- return (ISC_R_SUCCESS);
- }
- break;
- }
- return (ISC_R_RANGE);
-}
-
-CK_ATTRIBUTE *
-pk11_attribute_first(const pk11_object_t *obj) {
- return (obj->repr);
-}
-
-CK_ATTRIBUTE *
-pk11_attribute_next(const pk11_object_t *obj, CK_ATTRIBUTE *attr) {
- CK_ATTRIBUTE *next;
-
- next = attr + 1;
- if ((next - obj->repr) >= obj->attrcnt) {
- return (NULL);
- }
- return (next);
-}
-
-CK_ATTRIBUTE *
-pk11_attribute_bytype(const pk11_object_t *obj, CK_ATTRIBUTE_TYPE type) {
- CK_ATTRIBUTE *attr;
-
- for (attr = pk11_attribute_first(obj); attr != NULL;
- attr = pk11_attribute_next(obj, attr))
- {
- if (attr->type == type) {
- return (attr);
- }
- }
- return (NULL);
-}
-
-static char *
-percent_decode(char *x, size_t *len) {
- char *p, *c;
- unsigned char v = 0;
-
- INSIST(len != NULL);
-
- for (p = c = x; p[0] != '\0'; p++, c++) {
- switch (p[0]) {
- case '%':
- switch (p[1]) {
- case '0':
- case '1':
- case '2':
- case '3':
- case '4':
- case '5':
- case '6':
- case '7':
- case '8':
- case '9':
- v = (p[1] - '0') << 4;
- break;
- case 'A':
- case 'B':
- case 'C':
- case 'D':
- case 'E':
- case 'F':
- v = (p[1] - 'A' + 10) << 4;
- break;
- case 'a':
- case 'b':
- case 'c':
- case 'd':
- case 'e':
- case 'f':
- v = (p[1] - 'a' + 10) << 4;
- break;
- default:
- return (NULL);
- }
- switch (p[2]) {
- case '0':
- case '1':
- case '2':
- case '3':
- case '4':
- case '5':
- case '6':
- case '7':
- case '8':
- case '9':
- v |= (p[2] - '0') & 0x0f;
- break;
- case 'A':
- case 'B':
- case 'C':
- case 'D':
- case 'E':
- case 'F':
- v = (p[2] - 'A' + 10) & 0x0f;
- break;
- case 'a':
- case 'b':
- case 'c':
- case 'd':
- case 'e':
- case 'f':
- v = (p[2] - 'a' + 10) & 0x0f;
- break;
- default:
- return (NULL);
- }
- p += 2;
- *c = (char)v;
- (*len)++;
- break;
- default:
- *c = *p;
- (*len)++;
- }
- }
- return (x);
-}
-
-static bool
-pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny) {
- char buf[32];
-
- INSIST((leny == 32) || (leny == 16));
-
- memset(buf, ' ', 32);
- if (lenx > leny) {
- lenx = leny;
- }
- memmove(buf, x, lenx);
- return (memcmp(buf, y, leny) == 0);
-}
-
-static CK_ATTRIBUTE *
-push_attribute(pk11_object_t *obj, isc_mem_t *mctx, size_t len) {
- CK_ATTRIBUTE *old = obj->repr;
- CK_ATTRIBUTE *attr;
- CK_BYTE cnt = obj->attrcnt;
-
- REQUIRE(old != NULL || cnt == 0);
-
- obj->repr = isc_mem_get(mctx, (cnt + 1) * sizeof(*attr));
- memset(obj->repr, 0, (cnt + 1) * sizeof(*attr));
- if (old != NULL) {
- memmove(obj->repr, old, cnt * sizeof(*attr));
- }
- attr = obj->repr + cnt;
- attr->ulValueLen = (CK_ULONG)len;
- attr->pValue = isc_mem_get(mctx, len);
- memset(attr->pValue, 0, len);
- if (old != NULL) {
- memset(old, 0, cnt * sizeof(*attr));
- isc_mem_put(mctx, old, cnt * sizeof(*attr));
- }
- obj->attrcnt++;
- return (attr);
-}
-
-#define DST_RET(a) \
- { \
- ret = a; \
- goto err; \
- }
-
-isc_result_t
-pk11_parse_uri(pk11_object_t *obj, const char *label, isc_mem_t *mctx,
- pk11_optype_t optype) {
- CK_ATTRIBUTE *attr;
- pk11_token_t *token = NULL;
- char *uri, *p, *a, *na, *v;
- size_t len, l;
- FILE *stream = NULL;
- char pin[PINLEN + 1];
- bool gotpin = false;
- isc_result_t ret;
-
- /* get values to work on */
- len = strlen(label) + 1;
- uri = isc_mem_get(mctx, len);
- memmove(uri, label, len);
-
- /* get the URI scheme */
- p = strchr(uri, ':');
- if (p == NULL) {
- DST_RET(PK11_R_NOPROVIDER);
- }
- *p++ = '\0';
- if (strcmp(uri, "pkcs11") != 0) {
- DST_RET(PK11_R_NOPROVIDER);
- }
-
- /* get attributes */
- for (na = p; na != NULL;) {
- a = na;
- p = strchr(a, ';');
- if (p == NULL) {
- /* last attribute */
- na = NULL;
- } else {
- *p++ = '\0';
- na = p;
- }
- p = strchr(a, '=');
- if (p != NULL) {
- *p++ = '\0';
- v = p;
- } else {
- v = a;
- }
- l = 0;
- v = percent_decode(v, &l);
- if (v == NULL) {
- DST_RET(PK11_R_NOPROVIDER);
- }
- if ((a == v) || (strcmp(a, "object") == 0)) {
- /* object: CKA_LABEL */
- attr = pk11_attribute_bytype(obj, CKA_LABEL);
- if (attr != NULL) {
- DST_RET(PK11_R_NOPROVIDER);
- }
- attr = push_attribute(obj, mctx, l);
- if (attr == NULL) {
- DST_RET(ISC_R_NOMEMORY);
- }
- attr->type = CKA_LABEL;
- memmove(attr->pValue, v, l);
- } else if (strcmp(a, "token") == 0) {
- /* token: CK_TOKEN_INFO label */
- if (token == NULL) {
- for (token = ISC_LIST_HEAD(tokens);
- token != NULL;
- token = ISC_LIST_NEXT(token, link))
- {
- if (pk11strcmp(v, l, token->name, 32)) {
- break;
- }
- }
- }
- } else if (strcmp(a, "manufacturer") == 0) {
- /* manufacturer: CK_TOKEN_INFO manufacturerID */
- if (token == NULL) {
- for (token = ISC_LIST_HEAD(tokens);
- token != NULL;
- token = ISC_LIST_NEXT(token, link))
- {
- if (pk11strcmp(v, l, token->manuf, 32))
- {
- break;
- }
- }
- }
- } else if (strcmp(a, "serial") == 0) {
- /* serial: CK_TOKEN_INFO serialNumber */
- if (token == NULL) {
- for (token = ISC_LIST_HEAD(tokens);
- token != NULL;
- token = ISC_LIST_NEXT(token, link))
- {
- if (pk11strcmp(v, l, token->serial, 16))
- {
- break;
- }
- }
- }
- } else if (strcmp(a, "model") == 0) {
- /* model: CK_TOKEN_INFO model */
- if (token == NULL) {
- for (token = ISC_LIST_HEAD(tokens);
- token != NULL;
- token = ISC_LIST_NEXT(token, link))
- {
- if (pk11strcmp(v, l, token->model, 16))
- {
- break;
- }
- }
- }
- } else if (strcmp(a, "library-manufacturer") == 0) {
- /* ignored */
- } else if (strcmp(a, "library-description") == 0) {
- /* ignored */
- } else if (strcmp(a, "library-version") == 0) {
- /* ignored */
- } else if (strcmp(a, "object-type") == 0) {
- /* object-type: CKA_CLASS */
- /* only private makes sense */
- if (strcmp(v, "private") != 0) {
- DST_RET(PK11_R_NOPROVIDER);
- }
- } else if (strcmp(a, "id") == 0) {
- /* id: CKA_ID */
- attr = pk11_attribute_bytype(obj, CKA_ID);
- if (attr != NULL) {
- DST_RET(PK11_R_NOPROVIDER);
- }
- attr = push_attribute(obj, mctx, l);
- if (attr == NULL) {
- DST_RET(ISC_R_NOMEMORY);
- }
- attr->type = CKA_ID;
- memmove(attr->pValue, v, l);
- } else if (strcmp(a, "pin-source") == 0) {
- /* pin-source: PIN */
- ret = isc_stdio_open(v, "r", &stream);
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- memset(pin, 0, PINLEN + 1);
- ret = isc_stdio_read(pin, 1, PINLEN + 1, stream, &l);
- if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) {
- goto err;
- }
- if (l > PINLEN) {
- DST_RET(ISC_R_RANGE);
- }
- ret = isc_stdio_close(stream);
- stream = NULL;
- if (ret != ISC_R_SUCCESS) {
- goto err;
- }
- gotpin = true;
- } else {
- DST_RET(PK11_R_NOPROVIDER);
- }
- }
-
- if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) &&
- (pk11_attribute_bytype(obj, CKA_ID) == NULL))
- {
- DST_RET(ISC_R_NOTFOUND);
- }
-
- if (token == NULL) {
- if (optype == OP_RSA) {
- token = best_rsa_token;
- } else if (optype == OP_ECDSA) {
- token = best_ecdsa_token;
- } else if (optype == OP_EDDSA) {
- token = best_eddsa_token;
- }
- }
- if (token == NULL) {
- DST_RET(ISC_R_NOTFOUND);
- }
- obj->slot = token->slotid;
- if (gotpin) {
- memmove(token->pin, pin, PINLEN + 1);
- obj->reqlogon = true;
- }
-
- ret = ISC_R_SUCCESS;
-
-err:
- if (stream != NULL) {
- (void)isc_stdio_close(stream);
- }
- isc_mem_put(mctx, uri, len);
- return (ret);
-}
-
-void
-pk11_error_fatalcheck(const char *file, int line, const char *funcname,
- CK_RV rv) {
- isc_error_fatal(file, line, "%s: Error = 0x%.8lX\n", funcname, rv);
-}
-
-void
-pk11_dump_tokens(void) {
- pk11_token_t *token;
- bool first;
-
- printf("DEFAULTS\n");
- printf("\tbest_rsa_token=%p\n", best_rsa_token);
- printf("\tbest_ecdsa_token=%p\n", best_ecdsa_token);
- printf("\tbest_eddsa_token=%p\n", best_eddsa_token);
-
- for (token = ISC_LIST_HEAD(tokens); token != NULL;
- token = ISC_LIST_NEXT(token, link))
- {
- printf("\nTOKEN\n");
- printf("\taddress=%p\n", token);
- printf("\tslotID=%lu\n", token->slotid);
- printf("\tlabel=%.32s\n", token->name);
- printf("\tmanufacturerID=%.32s\n", token->manuf);
- printf("\tmodel=%.16s\n", token->model);
- printf("\tserialNumber=%.16s\n", token->serial);
- printf("\tsupported operations=0x%x (", token->operations);
- first = true;
- if (token->operations & (1 << OP_RSA)) {
- first = false;
- printf("RSA");
- }
- if (token->operations & (1 << OP_ECDSA)) {
- if (!first) {
- printf(",");
- }
- printf("EC");
- }
- printf(")\n");
- }
-}
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <dlfcn.h>
-#include <string.h>
-
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/stdio.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#include <pkcs11/pkcs11.h>
-
-#define KEEP_PKCS11_NAMES
-#include <pk11/internal.h>
-#include <pk11/pk11.h>
-
-static void *hPK11 = NULL;
-static char loaderrmsg[1024];
-
-CK_RV
-pkcs_C_Initialize(CK_VOID_PTR pReserved) {
- CK_C_Initialize sym;
-
- if (hPK11 != NULL) {
- return (CKR_CRYPTOKI_ALREADY_INITIALIZED);
- }
-
- hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
-
- if (hPK11 == NULL) {
- snprintf(loaderrmsg, sizeof(loaderrmsg),
- "dlopen(\"%s\") failed: %s\n", pk11_get_lib_name(),
- dlerror());
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize");
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(pReserved));
-}
-
-char *
-pk11_get_load_error_message(void) {
- return (loaderrmsg);
-}
-
-CK_RV
-pkcs_C_Finalize(CK_VOID_PTR pReserved) {
- CK_C_Finalize sym;
- CK_RV rv;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize");
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- rv = (*sym)(pReserved);
- if ((rv == CKR_OK) && (dlclose(hPK11) != 0)) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- hPK11 = NULL;
- return (rv);
-}
-
-CK_RV
-pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
- CK_ULONG_PTR pulCount) {
- static CK_C_GetSlotList sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_GetSlotList)dlsym(hPK11, "C_GetSlotList");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(tokenPresent, pSlotList, pulCount));
-}
-
-CK_RV
-pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
- static CK_C_GetTokenInfo sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_GetTokenInfo)dlsym(hPK11, "C_GetTokenInfo");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(slotID, pInfo));
-}
-
-CK_RV
-pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
- CK_MECHANISM_INFO_PTR pInfo) {
- static CK_C_GetMechanismInfo sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_GetMechanismInfo)dlsym(hPK11, "C_GetMechanismInfo");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(slotID, type, pInfo));
-}
-
-CK_RV
-pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication,
- CK_RV (*Notify)(CK_SESSION_HANDLE hSession,
- CK_NOTIFICATION event,
- CK_VOID_PTR pApplication),
- CK_SESSION_HANDLE_PTR phSession) {
- static CK_C_OpenSession sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
- }
- if (hPK11 == NULL) {
- snprintf(loaderrmsg, sizeof(loaderrmsg),
- "dlopen(\"%s\") failed: %s\n", pk11_get_lib_name(),
- dlerror());
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(slotID, flags, pApplication, Notify, phSession));
-}
-
-CK_RV
-pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) {
- static CK_C_CloseSession sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession));
-}
-
-CK_RV
-pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
- CK_CHAR_PTR pPin, CK_ULONG usPinLen) {
- static CK_C_Login sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_Login)dlsym(hPK11, "C_Login");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, userType, pPin, usPinLen));
-}
-
-CK_RV
-pkcs_C_Logout(CK_SESSION_HANDLE hSession) {
- static CK_C_Logout sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_Logout)dlsym(hPK11, "C_Logout");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession));
-}
-
-CK_RV
-pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject) {
- static CK_C_CreateObject sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pTemplate, usCount, phObject));
-}
-
-CK_RV
-pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
- static CK_C_DestroyObject sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, hObject));
-}
-
-CK_RV
-pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) {
- static CK_C_GetAttributeValue sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_GetAttributeValue)dlsym(hPK11, "C_"
- "GetAttributeValue");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, hObject, pTemplate, usCount));
-}
-
-CK_RV
-pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) {
- static CK_C_SetAttributeValue sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_SetAttributeValue)dlsym(hPK11, "C_"
- "SetAttributeValue");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, hObject, pTemplate, usCount));
-}
-
-CK_RV
-pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount) {
- static CK_C_FindObjectsInit sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pTemplate, usCount));
-}
-
-CK_RV
-pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
- CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount) {
- static CK_C_FindObjects sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount));
-}
-
-CK_RV
-pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
- static CK_C_FindObjectsFinal sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_FindObjectsFinal)dlsym(hPK11, "C_FindObjectsFinal");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession));
-}
-
-CK_RV
-pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey) {
- static CK_C_EncryptInit sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_EncryptInit)dlsym(hPK11, "C_EncryptInit");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pMechanism, hKey));
-}
-
-CK_RV
-pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
- CK_ULONG_PTR pulEncryptedDataLen) {
- static CK_C_Encrypt sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_Encrypt)dlsym(hPK11, "C_Encrypt");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pData, ulDataLen, pEncryptedData,
- pulEncryptedDataLen));
-}
-
-CK_RV
-pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) {
- static CK_C_DigestInit sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_DigestInit)dlsym(hPK11, "C_DigestInit");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pMechanism));
-}
-
-CK_RV
-pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen) {
- static CK_C_DigestUpdate sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_DigestUpdate)dlsym(hPK11, "C_DigestUpdate");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pPart, ulPartLen));
-}
-
-CK_RV
-pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pulDigestLen) {
- static CK_C_DigestFinal sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_DigestFinal)dlsym(hPK11, "C_DigestFinal");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pDigest, pulDigestLen));
-}
-
-CK_RV
-pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey) {
- static CK_C_SignInit sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_SignInit)dlsym(hPK11, "C_SignInit");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pMechanism, hKey));
-}
-
-CK_RV
-pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) {
- static CK_C_Sign sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_Sign)dlsym(hPK11, "C_Sign");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pData, ulDataLen, pSignature,
- pulSignatureLen));
-}
-
-CK_RV
-pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen) {
- static CK_C_SignUpdate sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_SignUpdate)dlsym(hPK11, "C_SignUpdate");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pPart, ulPartLen));
-}
-
-CK_RV
-pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pulSignatureLen) {
- static CK_C_SignFinal sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_SignFinal)dlsym(hPK11, "C_SignFinal");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pSignature, pulSignatureLen));
-}
-
-CK_RV
-pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey) {
- static CK_C_VerifyInit sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_VerifyInit)dlsym(hPK11, "C_VerifyInit");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pMechanism, hKey));
-}
-
-CK_RV
-pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
- CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) {
- static CK_C_Verify sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_Verify)dlsym(hPK11, "C_Verify");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen));
-}
-
-CK_RV
-pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen) {
- static CK_C_VerifyUpdate sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_VerifyUpdate)dlsym(hPK11, "C_VerifyUpdate");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pPart, ulPartLen));
-}
-
-CK_RV
-pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
- CK_ULONG ulSignatureLen) {
- static CK_C_VerifyFinal sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_VerifyFinal)dlsym(hPK11, "C_VerifyFinal");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pSignature, ulSignatureLen));
-}
-
-CK_RV
-pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
- CK_OBJECT_HANDLE_PTR phKey) {
- static CK_C_GenerateKey sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_GenerateKey)dlsym(hPK11, "C_GenerateKey");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pMechanism, pTemplate, ulCount, phKey));
-}
-
-CK_RV
-pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG usPublicKeyAttributeCount,
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG usPrivateKeyAttributeCount,
- CK_OBJECT_HANDLE_PTR phPrivateKey,
- CK_OBJECT_HANDLE_PTR phPublicKey) {
- static CK_C_GenerateKeyPair sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pMechanism, pPublicKeyTemplate,
- usPublicKeyAttributeCount, pPrivateKeyTemplate,
- usPrivateKeyAttributeCount, phPrivateKey, phPublicKey));
-}
-
-CK_RV
-pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) {
- static CK_C_DeriveKey sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_DeriveKey)dlsym(hPK11, "C_DeriveKey");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pMechanism, hBaseKey, pTemplate,
- ulAttributeCount, phKey));
-}
-
-CK_RV
-pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
- CK_ULONG ulSeedLen) {
- static CK_C_SeedRandom sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_SeedRandom)dlsym(hPK11, "C_SeedRandom");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, pSeed, ulSeedLen));
-}
-
-CK_RV
-pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
- CK_ULONG ulRandomLen) {
- static CK_C_GenerateRandom sym = NULL;
- static void *pPK11 = NULL;
-
- if (hPK11 == NULL) {
- return (CKR_LIBRARY_LOAD_FAILED);
- }
- if ((sym == NULL) || (hPK11 != pPK11)) {
- pPK11 = hPK11;
- sym = (CK_C_GenerateRandom)dlsym(hPK11, "C_GenerateRandom");
- }
- if (sym == NULL) {
- return (CKR_FUNCTION_NOT_SUPPORTED);
- }
- return ((*sym)(hSession, RandomData, ulRandomLen));
-}
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#include <stddef.h>
-
-#include <isc/once.h>
-#include <isc/util.h>
-
-#include <pk11/result.h>
-
-static const char *text[PK11_R_NRESULTS] = {
- "PKCS#11 initialization failed", /*%< 0 */
- "no PKCS#11 provider", /*%< 1 */
- "PKCS#11 no random service", /*%< 2 */
- "PKCS#11 no digist service", /*%< 3 */
- "PKCS#11 no AES service", /*%< 4 */
-};
-
-static const char *ids[PK11_R_NRESULTS] = {
- "PK11_R_INITFAILED", "PK11_R_NOPROVIDER",
- "PK11_R_NORANDOMSERVICE", "PK11_R_NODIGESTSERVICE",
- "PK11_R_NOAESSERVICE",
-};
-
-#define PK11_RESULT_RESULTSET 2
-
-static isc_once_t once = ISC_ONCE_INIT;
-
-static void
-initialize_action(void) {
- isc_result_t result;
-
- result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS,
- text, PK11_RESULT_RESULTSET);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_result_register() failed: %u", result);
- }
-
- result = isc_result_registerids(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS,
- ids, PK11_RESULT_RESULTSET);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_result_registerids() failed: %u", result);
- }
-}
-
-static void
-initialize(void) {
- RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-const char *
-pk11_result_totext(isc_result_t result) {
- initialize();
-
- return (isc_result_totext(result));
-}
-
-void
-pk11_result_register(void) {
- initialize();
-}
#include <isc/string.h>
#include <isc/util.h>
-#include <pk11/site.h>
-
#define TEST_INPUT(x) (x), sizeof(x) - 1
/*Hash function test */
#include <isc/result.h>
#include <isc/util.h>
-#include <pk11/result.h>
-
/* convert result to identifier string */
static void
isc_result_toid_test(void **state) {
UNUSED(state);
- pk11_result_register();
-
for (result = 0; result < ISC_R_NRESULTS; result++) {
str = isc_result_toid(result);
assert_non_null(str);
str = isc_result_totext(result);
assert_non_null(str);
assert_string_equal(str, "(result code text not available)");
-
- for (result = ISC_RESULTCLASS_PK11;
- result < (ISC_RESULTCLASS_PK11 + PK11_R_NRESULTS); result++)
- {
- str = isc_result_toid(result);
- assert_non_null(str);
- assert_string_not_equal(str, "(result code text not "
- "available)");
-
- str = isc_result_totext(result);
- assert_non_null(str);
- assert_string_not_equal(str, "(result code text not "
- "available)");
- }
-
- str = isc_result_toid(result);
- assert_non_null(str);
- assert_string_equal(str, "(result code text not available)");
-
- str = isc_result_totext(result);
- assert_non_null(str);
- assert_string_equal(str, "(result code text not available)");
}
int
#include <isc/print.h>
#include <isc/safe.h>
-#include <pk11/site.h>
-
#include <isccc/alist.h>
#include <isccc/base64.h>
#include <isccc/cc.h>
./bin/named/zoneconf.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
./bin/nsupdate/nsupdate.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
./bin/nsupdate/nsupdate.rst RST 2020,2021
-./bin/pkcs11/pkcs11-destroy.c X 2009,2010,2014,2015,2018,2019,2020,2021
-./bin/pkcs11/pkcs11-destroy.rst RST 2020,2021
-./bin/pkcs11/pkcs11-keygen.c X 2009,2014,2015,2017,2018,2019,2020,2021
-./bin/pkcs11/pkcs11-keygen.rst RST 2020,2021
-./bin/pkcs11/pkcs11-list.c C 2009,2014,2015,2016,2018,2019,2020,2021
-./bin/pkcs11/pkcs11-list.rst RST 2020,2021
-./bin/pkcs11/pkcs11-tokens.c C 2014,2015,2016,2018,2019,2020,2021
-./bin/pkcs11/pkcs11-tokens.rst RST 2020,2021
./bin/plugins/filter-a.c C 2018,2019,2020,2021
./bin/plugins/filter-a.rst RST 2020,2021
./bin/plugins/filter-aaaa.c C 2018,2019,2020,2021
./bin/tests/system/checkzone/zones/bad-badclass.raw X 2015,2018,2019,2020,2021
./bin/tests/system/ckdnsrps.sh SH 2017,2018,2019,2020,2021
./bin/tests/system/cleanall.sh SH 2000,2001,2004,2007,2012,2014,2015,2016,2017,2018,2019,2020,2021
-./bin/tests/system/cleanpkcs11.sh SH 2010,2012,2014,2016,2018,2019,2020,2021
./bin/tests/system/common/rndc.key X 2011,2013,2016,2018,2019,2020,2021
./bin/tests/system/conf.sh.common SH 2018,2019,2020,2021
./bin/tests/system/conf.sh.in SH 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
./bin/tests/system/pipelined/refb X 2014,2015,2018,2019,2020,2021
./bin/tests/system/pipelined/setup.sh SH 2014,2015,2016,2017,2018,2019,2020,2021
./bin/tests/system/pipelined/tests.sh SH 2014,2015,2016,2017,2018,2019,2020,2021
-./bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt X 2020,2021
-./bin/tests/system/pkcs11/clean.sh SH 2010,2012,2014,2016,2017,2018,2019,2020,2021
-./bin/tests/system/pkcs11/setup.sh SH 2010,2012,2013,2014,2016,2017,2018,2019,2020,2021
-./bin/tests/system/pkcs11/tests.sh SH 2010,2012,2014,2016,2017,2018,2019,2020,2021
-./bin/tests/system/pkcs11/usepkcs11 X 2010,2018,2019,2020,2021
./bin/tests/system/qmin/ans2/ans.py PYTHON 2018,2019,2020,2021
./bin/tests/system/qmin/ans3/ans.py PYTHON 2018,2019,2020,2021
./bin/tests/system/qmin/ans4/ans.py PYTHON 2018,2019,2020,2021
./doc/man/nsec3hash.rst RST 2020,2021
./doc/man/nslookup.rst RST 2020,2021
./doc/man/nsupdate.rst RST 2020,2021
-./doc/man/pkcs11-destroy.rst RST 2020,2021
-./doc/man/pkcs11-keygen.rst RST 2020,2021
-./doc/man/pkcs11-list.rst RST 2020,2021
-./doc/man/pkcs11-tokens.rst RST 2020,2021
./doc/man/rndc-confgen.rst RST 2020,2021
./doc/man/rndc.conf.rst RST 2020,2021
./doc/man/rndc.rst RST 2020,2021
./lib/dns/dst_openssl.h C 2002,2004,2005,2007,2008,2009,2011,2012,2015,2016,2018,2019,2020,2021
./lib/dns/dst_parse.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
./lib/dns/dst_parse.h C.NAI 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2012,2014,2016,2017,2018,2019,2020,2021
-./lib/dns/dst_pkcs11.h C 2014,2016,2018,2019,2020,2021
./lib/dns/dst_result.c C 1999,2000,2001,2004,2005,2007,2008,2012,2013,2014,2015,2016,2018,2019,2020,2021
./lib/dns/dyndb.c C 2015,2016,2017,2018,2019,2020,2021
./lib/dns/ecs.c C 2017,2018,2019,2020,2021
./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
./lib/dns/order.c C 2002,2004,2005,2007,2015,2016,2017,2018,2019,2020,2021
./lib/dns/peer.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
-./lib/dns/pkcs11.c C 2014,2016,2017,2018,2019,2020,2021
-./lib/dns/pkcs11ecdsa_link.c C 2014,2015,2016,2017,2018,2019,2020,2021
-./lib/dns/pkcs11eddsa_link.c C 2017,2018,2019,2020,2021
-./lib/dns/pkcs11rsa_link.c C 2014,2015,2016,2017,2018,2019,2020,2021
./lib/dns/private.c C 2009,2011,2012,2015,2016,2017,2018,2019,2020,2021
./lib/dns/rbt.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
./lib/dns/rbtdb.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021
./lib/isc/include/isc/url.h C 2021
./lib/isc/include/isc/utf8.h C 2020,2021
./lib/isc/include/isc/util.h C 1998,1999,2000,2001,2004,2005,2006,2007,2010,2011,2012,2015,2016,2017,2018,2019,2020,2021
-./lib/isc/include/pk11/constants.h C 2014,2016,2017,2018,2019,2020,2021
-./lib/isc/include/pk11/internal.h C 2014,2016,2018,2019,2020,2021
-./lib/isc/include/pk11/pk11.h C 2014,2016,2018,2019,2020,2021
-./lib/isc/include/pk11/result.h C 2014,2016,2018,2019,2020,2021
-./lib/isc/include/pk11/site.h C 2016,2017,2018,2019,2020,2021
-./lib/isc/include/pkcs11/pkcs11.h X 2019,2020,2021
./lib/isc/interfaceiter.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2014,2016,2017,2018,2019,2020,2021
./lib/isc/iterated_hash.c C 2006,2008,2009,2016,2018,2019,2020,2021
./lib/isc/jemalloc_shim.h C 2021
./lib/isc/openssl_shim.h C 2020,2021
./lib/isc/os.c C 2000,2001,2004,2005,2007,2016,2018,2019,2020,2021
./lib/isc/parseint.c C 2001,2002,2003,2004,2005,2007,2012,2016,2018,2019,2020,2021
-./lib/isc/pk11.c C 2014,2015,2016,2017,2018,2019,2020,2021
-./lib/isc/pk11_api.c C 2014,2016,2018,2019,2020,2021
-./lib/isc/pk11_result.c C 2014,2015,2016,2018,2019,2020,2021
./lib/isc/pool.c C 2013,2015,2016,2018,2019,2020,2021
./lib/isc/portset.c C 2008,2016,2017,2018,2019,2020,2021
./lib/isc/queue.c C 2019,2020,2021