/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END * * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. */ /* * Copyright 2010 Nexenta Systems, Inc. All rights reserved. * Copyright 2014, OmniTI Computer Consulting, Inc. All rights reserved. * Copyright 2018, Joyent, Inc. */ #ifndef _CRYPTOUTIL_H #define _CRYPTOUTIL_H #ifdef __cplusplus extern "C" { #endif #include #include #include #include #define LOG_STDERR -1 #define SUCCESS 0 #define FAILURE 1 #define MECH_ID_HEX_LEN 11 /* length of mechanism id in hex form */ #define _PATH_PKCS11_CONF "/etc/crypto/pkcs11.conf" #define _PATH_KCF_CONF "/etc/crypto/kcf.conf" #define _PATH_KCFD_LOCK "/var/run/kcfd.lock" /* $ISA substitution for parsing pkcs11.conf data */ #define PKCS11_ISA "/$ISA/" #if defined(_LP64) #define PKCS11_ISA_DIR "/64/" #else /* !_LP64 */ #define PKCS11_ISA_DIR "/" #endif /* keywords and delimiters for parsing configuration files */ #define SEP_COLON ":" #define SEP_SEMICOLON ";" #define SEP_EQUAL "=" #define SEP_COMMA "," #define METASLOT_KEYWORD "metaslot" #define FIPS_KEYWORD "fips-140" #define EF_DISABLED "disabledlist=" #define EF_ENABLED "enabledlist=" #define EF_NORANDOM "NO_RANDOM" #define METASLOT_TOKEN "metaslot_token=" #define METASLOT_SLOT "metaslot_slot=" #define METASLOT_STATUS "metaslot_status=" #define EF_FIPS_STATUS "fips_status=" #define METASLOT_AUTO_KEY_MIGRATE "metaslot_auto_key_migrate=" #define ENABLED_KEYWORD "enabled" #define DISABLED_KEYWORD "disabled" #define SLOT_DESCRIPTION_SIZE 64 #define TOKEN_LABEL_SIZE 32 #define TOKEN_MANUFACTURER_SIZE 32 #define TOKEN_SERIAL_SIZE 16 #define CRYPTO_FIPS_MODE_DISABLED 0 #define CRYPTO_FIPS_MODE_ENABLED 1 /* * Define the following softtoken values that are used by softtoken * library, cryptoadm and pktool command. */ #define SOFT_SLOT_DESCRIPTION \ "Sun Crypto Softtoken " \ " " #define SOFT_TOKEN_LABEL "Sun Software PKCS#11 softtoken " #define SOFT_TOKEN_SERIAL " " #define SOFT_MANUFACTURER_ID "Sun Microsystems, Inc. " #define SOFT_DEFAULT_PIN "changeme" typedef char libname_t[MAXPATHLEN]; typedef char midstr_t[MECH_ID_HEX_LEN]; typedef struct umechlist { midstr_t name; /* mechanism name in hex form */ struct umechlist *next; } umechlist_t; typedef struct uentry { libname_t name; boolean_t flag_norandom; /* TRUE if random is disabled */ boolean_t flag_enabledlist; /* TRUE if an enabledlist */ umechlist_t *policylist; /* disabledlist or enabledlist */ boolean_t flag_metaslot_enabled; /* TRUE if metaslot's enabled */ boolean_t flag_metaslot_auto_key_migrate; CK_UTF8CHAR metaslot_ks_slot[SLOT_DESCRIPTION_SIZE + 1]; CK_UTF8CHAR metaslot_ks_token[TOKEN_LABEL_SIZE + 1]; int count; boolean_t flag_fips_enabled; } uentry_t; typedef struct uentrylist { uentry_t *puent; struct uentrylist *next; } uentrylist_t; /* Return codes for pkcs11_parse_uri() */ #define PK11_URI_OK 0 #define PK11_URI_INVALID 1 #define PK11_MALLOC_ERROR 2 #define PK11_URI_VALUE_OVERFLOW 3 #define PK11_NOT_PKCS11_URI 4 /* * There is no limit for the attribute length in the spec. 256 bytes should be * enough for the object name. */ #define PK11_MAX_OBJECT_LEN 256 /* * CKA_ID is of type "byte array" which can be of arbitrary length. 256 bytes * should be sufficient though. */ #define PK11_MAX_ID_LEN 256 /* Structure for the PKCS#11 URI. */ typedef struct pkcs11_uri_t { /* CKA_LABEL attribute to the C_FindObjectsInit function. */ CK_UTF8CHAR_PTR object; /* * CKA_CLASS attribute to the C_FindObjectsInit function. The * "objecttype" URI attribute can have a value one of "private", * "public", "cert", "secretkey", and "data". The "objecttype" field can * have a value of CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_CERTIFICATE, * CKO_SECRET_KEY, and CKO_DATA. This attribute cannot be empty in the * URI. */ CK_ULONG objecttype; /* CKO_DATA is 0 so we need this flag. Not part of the URI itself. */ boolean_t objecttype_present; /* * Token, manufufacturer, serial and model are of fixed size length in * the specification. We allocate memory on the fly to distinguish * between an attribute not present and an empty value. We check for * overflows. We always terminate the string with '\0' even when that is * not used in the PKCS#11's CK_TOKEN_INFO structure (fields are padded * with spaces). */ /* Token label from CK_TOKEN_INFO. */ CK_UTF8CHAR_PTR token; /* ManufacturerID from CK_TOKEN_INFO. */ CK_UTF8CHAR_PTR manuf; /* SerialNumber from CK_TOKEN_INFO. */ CK_CHAR_PTR serial; /* Model from CK_TOKEN_INFO. */ CK_UTF8CHAR_PTR model; /* This is a byte array, we need a length parameter as well. */ CK_BYTE_PTR id; int id_len; /* * Location of the file with a token PIN. Application can overload this, * eg. "/bin/askpass|" may mean to read the PIN from a command. However, * the pkcs11_parse_uri() function does not interpret this field in any * way. */ char *pinfile; } pkcs11_uri_t; extern void cryptodebug(const char *fmt, ...); extern void cryptoerror(int priority, const char *fmt, ...); extern void cryptodebug_init(const char *prefix); extern void cryptoerror_off(); extern void cryptoerror_on(); extern const char *pkcs11_mech2str(CK_MECHANISM_TYPE mech); extern CK_RV pkcs11_str2mech(char *mech_str, CK_MECHANISM_TYPE_PTR mech); extern int get_pkcs11conf_info(uentrylist_t **); extern umechlist_t *create_umech(char *); extern void free_umechlist(umechlist_t *); extern void free_uentrylist(uentrylist_t *); extern void free_uentry(uentry_t *); extern uentry_t *getent_uef(char *); extern void tohexstr(uchar_t *bytes, size_t blen, char *hexstr, size_t hexlen); extern int hexstr_to_bytes(char *hexstr, size_t hexlen, uchar_t **bytes, size_t *blen); extern CK_RV pkcs11_mech2keytype(CK_MECHANISM_TYPE mech_type, CK_KEY_TYPE *ktype); extern CK_RV pkcs11_mech2keygen(CK_MECHANISM_TYPE mech_type, CK_MECHANISM_TYPE *gen_mech); extern char *pkcs11_strerror(CK_RV rv); extern int get_metaslot_info(boolean_t *status_enabled, boolean_t *migrate_enabled, char **objectstore_slot_info, char **objectstore_token_info); extern char *get_fullpath(char *dir, char *filepath); extern int str2lifetime(char *ltimestr, uint32_t *ltime); extern char *pkcs11_default_token(void); extern int pkcs11_get_pass(char *token_name, char **pdata, size_t *psize, size_t min_psize, boolean_t with_confirmation); extern int pkcs11_seed_urandom(void *sbuf, size_t slen); extern int pkcs11_get_random(void *dbuf, size_t dlen); extern int pkcs11_get_urandom(void *dbuf, size_t dlen); extern int pkcs11_get_nzero_urandom(void *dbuf, size_t dlen); extern int pkcs11_read_data(char *filename, void **dbuf, size_t *dlen); extern int open_nointr(const char *path, int oflag, ...); extern ssize_t readn_nointr(int fd, void *dbuf, size_t dlen); extern ssize_t writen_nointr(int fd, void *dbuf, size_t dlen); extern int update_conf(char *conf_file, char *entry); extern int pkcs11_parse_uri(const char *str, pkcs11_uri_t *uri); extern void pkcs11_free_uri(pkcs11_uri_t *uri); extern CK_RV crypto2pkcs11_error_number(uint_t); #ifdef __cplusplus } #endif #endif /* _CRYPTOUTIL_H */