17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 52321aa36Sda * Common Development and Distribution License (the "License"). 62321aa36Sda * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* 222321aa36Sda * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 237c478bd9Sstevel@tonic-gate * Use is subject to license terms. 
247c478bd9Sstevel@tonic-gate */ 257c478bd9Sstevel@tonic-gate 267c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 277c478bd9Sstevel@tonic-gate 287c478bd9Sstevel@tonic-gate /* 297c478bd9Sstevel@tonic-gate * Administration for metaslot 307c478bd9Sstevel@tonic-gate * 317c478bd9Sstevel@tonic-gate * All the "list" operations will call functions in libpkcs11.so 327c478bd9Sstevel@tonic-gate * Normally, it doesn't make sense to call functions in libpkcs11.so directly 337c478bd9Sstevel@tonic-gate * because libpkcs11.so depends on the configuration file (pkcs11.conf) the 347c478bd9Sstevel@tonic-gate * cryptoadm command is trying to administer. However, since metaslot 357c478bd9Sstevel@tonic-gate * is part of the framework, it is not possible to get information about 367c478bd9Sstevel@tonic-gate * it without actually calling functions in libpkcs11.so. 377c478bd9Sstevel@tonic-gate * 387c478bd9Sstevel@tonic-gate * So, for the listing operation, which won't modify the value of pkcs11.conf 397c478bd9Sstevel@tonic-gate * it is safe to call libpkcs11.so. 407c478bd9Sstevel@tonic-gate * 417c478bd9Sstevel@tonic-gate * For other operations that modifies the pkcs11.conf file, libpkcs11.so 427c478bd9Sstevel@tonic-gate * will not be called. 
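*/

#include <cryptoutil.h>
#include <stdio.h>
#include <stdlib.h>
#include <libintl.h>
#include <dlfcn.h>
#include <link.h>
#include <strings.h>
#include <security/cryptoki.h>
#include <cryptoutil.h>
#include "cryptoadm.h"

/* Slot id metaslot occupies in the framework whenever it is enabled. */
#define	METASLOT_ID	0

/*
 * Print the metaslot configuration and, optionally, live information
 * about it.
 *
 * The "System-wide Meta Slot Configuration" section is taken from the
 * metaslot entry of pkcs11.conf (getent_uef()) and never touches the
 * framework.  Only when show_mechs or verbose is set is libpkcs11.so
 * dlopen()ed and queried through the normal PKCS#11 entry points, so the
 * "actual status" line reports what the framework really exposes for slot
 * METASLOT_ID -- which may disagree with the file (e.g. the file says
 * "enabled" but C_GetSlotInfo() says CKR_SLOT_ID_INVALID).
 *
 * show_mechs: list the mechanisms metaslot offers (or, when mechlist is
 *             non-NULL, only those named in mechlist).
 * verbose:    also print slot/token details and per-mechanism info.
 * mechlist:   optional caller-supplied list of mechanisms to display.
 *
 * Returns SUCCESS or FAILURE.  On FAILURE a diagnostic has already been
 * emitted (cryptoerror() for a missing entry, cryptodebug() otherwise).
 */
int
list_metaslot_info(boolean_t show_mechs, boolean_t verbose,
    mechlist_t *mechlist)
{
	int rc = SUCCESS;
	CK_RV rv;
	CK_SLOT_INFO slot_info;
	CK_TOKEN_INFO token_info;
	CK_MECHANISM_TYPE_PTR pmech_list = NULL;
	CK_ULONG mech_count = 0;
	CK_ULONG i;
	CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
	CK_FUNCTION_LIST_PTR funcs = NULL;
	void *dldesc = NULL;
	boolean_t lib_initialized = B_FALSE;
	uentry_t *puent;
	/*
	 * All-zero reference for "keystore not configured".  Must be at
	 * least as large as both SLOT_DESCRIPTION_SIZE and TOKEN_LABEL_SIZE
	 * (64 and 32 bytes in PKCS#11).
	 */
	char buf[128];

	/*
	 * Part 1: the configured state, straight from pkcs11.conf.
	 */
	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	(void) printf(gettext("System-wide Meta Slot Configuration:\n"));
	/*
	 * TRANSLATION_NOTE:
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("------------------------------------\n"));
	(void) printf(gettext("Status: %s\n"), puent->flag_metaslot_enabled ?
	    gettext("enabled") : gettext("disabled"));
	(void) printf(gettext("Sensitive Token Object Automatic Migrate: %s\n"),
	    puent->flag_metaslot_auto_key_migrate ?
	    gettext("enabled") : gettext("disabled"));

	/*
	 * The keystore fields stay all-zero when no keystore has been
	 * configured, so only print them when something is set.
	 * NOTE(review): "%s" relies on these fields being NUL-terminated;
	 * enable_metaslot() guarantees that via strlcpy() with the field
	 * size, the pkcs11.conf parser is assumed to do the same -- confirm.
	 */
	bzero(buf, sizeof (buf));
	if (memcmp(puent->metaslot_ks_slot, buf, SLOT_DESCRIPTION_SIZE) != 0) {
		(void) printf(gettext("Persistent object store slot: %s\n"),
		    puent->metaslot_ks_slot);
	}
	if (memcmp(puent->metaslot_ks_token, buf, TOKEN_LABEL_SIZE) != 0) {
		(void) printf(gettext("Persistent object store token: %s\n"),
		    puent->metaslot_ks_token);
	}

	/*
	 * Nothing below reads the entry; release it here so that none of
	 * the many exit paths that follow can leak it (the sibling
	 * functions in this file all free_uentry() their entry).
	 */
	free_uentry(puent);
	puent = NULL;

	if (!verbose && !show_mechs) {
		return (SUCCESS);
	}

	if (verbose) {
		(void) printf(gettext("\nDetailed Meta Slot Information:\n"));
		/*
		 * TRANSLATION_NOTE:
		 * Strictly for appearance's sake, this line should be as
		 * long as the length of the translated text above.
		 */
		(void) printf(gettext("-------------------------------\n"));
	}

	/*
	 * Part 2: the live state.  Load the framework library and go
	 * through C_GetFunctionList() like any other PKCS#11 consumer.
	 * RTLD_NOW resolves every symbol up front, so a broken library
	 * fails here rather than on the first C_* call.
	 */
	dldesc = dlopen(UEF_FRAME_LIB, RTLD_NOW);
	if (dldesc == NULL) {
		char *dl_error = dlerror();

		/* dlerror() may legitimately return NULL; never %s a NULL. */
		cryptodebug("Cannot load PKCS#11 framework library. "
		    "dlerror:%s", dl_error != NULL ? dl_error : "(none)");
		return (FAILURE);
	}

	Tmp_C_GetFunctionList = (CK_RV(*)(CK_FUNCTION_LIST_PTR_PTR))
	    dlsym(dldesc, "C_GetFunctionList");
	if (Tmp_C_GetFunctionList == NULL) {
		cryptodebug("Cannot get the address of the C_GetFunctionList "
		    "from framework");
		rc = FAILURE;
		goto finish;
	}

	rv = Tmp_C_GetFunctionList(&funcs);
	if (rv != CKR_OK || funcs == NULL) {
		cryptodebug("failed to call C_GetFunctionList in "
		    "framework library");
		rc = FAILURE;
		goto finish;
	}

	/* CK_RV is a CK_ULONG: print it with a long conversion. */
	rv = funcs->C_Initialize(NULL_PTR);
	if (rv != CKR_OK) {
		cryptodebug("C_Initialize failed with error code 0x%lx\n",
		    (unsigned long)rv);
		rc = FAILURE;
		goto finish;
	}
	lib_initialized = B_TRUE;

	/*
	 * Metaslot, when enabled, is always slot METASLOT_ID in the
	 * framework, so C_GetSlotInfo() on that id is the authoritative
	 * enabled/disabled test: CKR_SLOT_ID_INVALID means the framework
	 * did not create it, whatever pkcs11.conf says.
	 */
	rv = funcs->C_GetSlotInfo(METASLOT_ID, &slot_info);
	if (rv == CKR_SLOT_ID_INVALID) {
		(void) printf(gettext("actual status: disabled.\n"));
		/*
		 * Even with -m / -v there is nothing interesting to show
		 * for a disabled metaslot; stop here.
		 */
		goto finish;
	}
	if (rv != CKR_OK) {
		cryptodebug("C_GetSlotInfo failed with error "
		    "code 0x%lx\n", (unsigned long)rv);
		rc = FAILURE;
		goto finish;
	}

	if (verbose) {
		(void) printf(gettext("actual status: enabled.\n"));

		/*
		 * PKCS#11 character fields are blank-padded, not
		 * NUL-terminated, hence the explicit precisions below.
		 */
		(void) printf(gettext("Description: %.64s\n"),
		    slot_info.slotDescription);
		(void) printf(gettext("Token Present: %s\n"),
		    (slot_info.flags & CKF_TOKEN_PRESENT ?
		    gettext("True") : gettext("False")));

		rv = funcs->C_GetTokenInfo(METASLOT_ID, &token_info);
		if (rv != CKR_OK) {
			cryptodebug("C_GetTokenInfo failed with error "
			    "code 0x%lx\n", (unsigned long)rv);
			rc = FAILURE;
			goto finish;
		}

		/*
		 * ulMinPinLen/ulMaxPinLen are CK_ULONG; cast rather than
		 * change the format so the translated msgid stays intact.
		 */
		(void) printf(gettext("Token Label: %.32s\n"
		    "Manufacturer ID: %.32s\n"
		    "Model: %.16s\n"
		    "Serial Number: %.16s\n"
		    "Hardware Version: %d.%d\n"
		    "Firmware Version: %d.%d\n"
		    "UTC Time: %.16s\n"
		    "PIN Length: %d-%d\n"),
		    token_info.label,
		    token_info.manufacturerID,
		    token_info.model,
		    token_info.serialNumber,
		    token_info.hardwareVersion.major,
		    token_info.hardwareVersion.minor,
		    token_info.firmwareVersion.major,
		    token_info.firmwareVersion.minor,
		    token_info.utcTime,
		    (int)token_info.ulMinPinLen,
		    (int)token_info.ulMaxPinLen);

		display_token_flags(token_info.flags);

		if (!show_mechs) {
			goto finish;
		}
	}

	/*
	 * Part 3: mechanisms.  Either the caller named them (mechlist), or
	 * we ask the framework with the usual size-then-fill protocol.
	 */
	if (mechlist != NULL) {
		rc = convert_mechlist(&pmech_list, &mech_count, mechlist);
		if (rc != SUCCESS) {
			goto finish;
		}
	} else {
		rv = funcs->C_GetMechanismList(METASLOT_ID, NULL_PTR,
		    &mech_count);
		if (rv != CKR_OK) {
			cryptodebug("C_GetMechanismList failed with error "
			    "code 0x%lx\n", (unsigned long)rv);
			rc = FAILURE;
			goto finish;
		}

		if (mech_count > 0) {
			/* calloc() also guards the count * size product. */
			pmech_list = calloc(mech_count,
			    sizeof (CK_MECHANISM_TYPE));
			if (pmech_list == NULL) {
				cryptodebug("out of memory");
				rc = FAILURE;
				goto finish;
			}
			rv = funcs->C_GetMechanismList(METASLOT_ID, pmech_list,
			    &mech_count);
			if (rv != CKR_OK) {
				cryptodebug("C_GetMechanismList failed with "
				    "error code 0x%lx\n", (unsigned long)rv);
				rc = FAILURE;
				goto finish;
			}
		}
	}

	(void) printf(gettext("Mechanisms:\n"));
	if (mech_count == 0) {
		/* should never be this case */
		(void) printf(gettext("No mechanisms\n"));
		goto finish;
	}
	if (verbose) {
		display_verbose_mech_header();
	}

	for (i = 0; i < mech_count; i++) {
		CK_MECHANISM_TYPE mech = pmech_list[i];

		/*
		 * Vendor-defined mechanism numbers are printed raw; only
		 * standard ones are mapped to a name.
		 */
		if (mech >= CKM_VENDOR_DEFINED) {
			(void) printf("%#lx", mech);
		} else {
			(void) printf("%-29s", pkcs11_mech2str(mech));
		}

		if (verbose) {
			CK_MECHANISM_INFO mech_info;

			rv = funcs->C_GetMechanismInfo(METASLOT_ID, mech,
			    &mech_info);
			if (rv != CKR_OK) {
				cryptodebug("C_GetMechanismInfo failed with "
				    "error code 0x%lx\n", (unsigned long)rv);
				rc = FAILURE;
				goto finish;
			}
			display_mech_info(&mech_info);
		}
		(void) printf("\n");
	}

finish:
	if (rc == FAILURE && show_mechs) {
		(void) printf(gettext(
		    "metaslot: failed to retrieve the mechanism list.\n"));
	}

	/* Tear down in reverse order: finalize before unloading. */
	if (lib_initialized) {
		(void) funcs->C_Finalize(NULL_PTR);
	}
	if (dldesc != NULL) {
		(void) dlclose(dldesc);
	}
	free(pmech_list);

	return (rc);
}

/*
 * Print the mechanism policy recorded for metaslot in pkcs11.conf.
 * Reads the entry via getent_uef() only; libpkcs11.so is not loaded.
 *
 * Returns FAILURE when the metaslot entry is missing, otherwise the
 * result of display_policy().
 */
int
list_metaslot_policy(void)
{
	uentry_t *puent;
	int rc;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	rc = display_policy(puent);
	(void) printf("\n");
	free_uentry(puent);
	return (rc);
}

/*
 * disable metaslot and some of its configuration options
 *
 * If mechlist==NULL, and the other 2 flags are false, just disable
 * the metaslot feature.
 *
 * mechlist: list of mechanisms to disable
 * allflag: if true, indicates all mechanisms should be disabled.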
* auto_key_migrate_flag: if true, indicates auto key migrate should be disabled
*
* Returns SUCCESS, or FAILURE / the update_policylist() status when the
* entry cannot be read or the policy list could not be changed.  On
* failure pkcs11.conf is left untouched.
*/
int
disable_metaslot(mechlist_t *mechlist, boolean_t allflag,
    boolean_t auto_key_migrate_flag)
{
	uentry_t *puent;
	int rc = SUCCESS;
	boolean_t policy_change;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	/* No option at all means "turn metaslot itself off". */
	if (mechlist == NULL && !allflag && !auto_key_migrate_flag) {
		puent->flag_metaslot_enabled = B_FALSE;
		rc = update_pkcs11conf(puent);
		free_uentry(puent);
		return (rc);
	}

	if (auto_key_migrate_flag) {
		puent->flag_metaslot_auto_key_migrate = B_FALSE;
	}

	policy_change = (allflag || mechlist != NULL);
	if (policy_change) {
		if (allflag) {
			/*
			 * "Everything disabled" is an empty exception list
			 * in enabled-list mode: nothing is on the list of
			 * enabled mechanisms.
			 */
			free_umechlist(puent->policylist);
			puent->policylist = NULL;
			puent->count = 0;
			puent->flag_enabledlist = B_TRUE;
		} else if (puent->flag_enabledlist == B_TRUE) {
			/*
			 * Policy is "all disabled except the list", so a
			 * mechanism is disabled by dropping it from the list.
			 */
			rc = update_policylist(puent, mechlist, DELETE_MODE);
		} else {
			/*
			 * Policy is "all enabled except the list", so a
			 * mechanism is disabled by adding it to the list.
			 */
			rc = update_policylist(puent, mechlist, ADD_MODE);
		}

		if (rc != SUCCESS) {
			free_uentry(puent);
			return (rc);
		}

		/* Nothing left enabled: metaslot as a whole goes off too. */
		if (puent->flag_enabledlist && puent->count == 0) {
			puent->flag_metaslot_enabled = B_FALSE;
		}
	}

	rc = update_pkcs11conf(puent);
	free_uentry(puent);
	return (rc);
}
/*
 * enable metaslot and some of its configuration options
 *
 * If mechlist==NULL, and the other flags are false, or not specified,
 * just enable the metaslot feature.
 *
 * token: if specified, indicate label of token to be used as keystore.
 * slot: if specified, indicate slot to be used as keystore.
 * use_default: if true, indicate to use the default keystore. It should
 * not be specified if either token or slot is specified.  When it is
 * anyway, use_default wins and token/slot are ignored.
 * mechlist: list of mechanisms to enable
 * allflag: if true, indicates all mechanisms should be enabled.
 * auto_key_migrate_flag: if true, indicates auto key migrate should be enabled
 *
 * Returns SUCCESS, or FAILURE / the update_policylist() status when the
 * entry cannot be read or the policy list could not be changed.  On
 * failure pkcs11.conf is left untouched.
 */
int
enable_metaslot(char *token, char *slot, boolean_t use_default,
    mechlist_t *mechlist, boolean_t allflag, boolean_t auto_key_migrate_flag)
{
	uentry_t *puent;
	int rc = SUCCESS;
	boolean_t keystore_change;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	/* Every variant of this command turns the feature itself on. */
	puent->flag_metaslot_enabled = B_TRUE;

	if (auto_key_migrate_flag) {
		puent->flag_metaslot_auto_key_migrate = B_TRUE;
	}

	if (allflag) {
		/*
		 * "Everything enabled" is an empty exception list in
		 * disabled-list mode: nothing is on the list of disabled
		 * mechanisms.
		 */
		free_umechlist(puent->policylist);
		puent->policylist = NULL;
		puent->count = 0;
		puent->flag_enabledlist = B_FALSE;
	} else if (mechlist != NULL) {
		if (puent->flag_enabledlist == B_TRUE) {
			/*
			 * Policy is "all disabled except the list", so a
			 * mechanism is enabled by adding it to the list.
			 */
			rc = update_policylist(puent, mechlist, ADD_MODE);
		} else {
			/*
			 * Policy is "all enabled except the list", so a
			 * mechanism is enabled by dropping it from the list.
			 */
			rc = update_policylist(puent, mechlist, DELETE_MODE);
		}
	}

	if (rc != SUCCESS) {
		free_uentry(puent);
		return (rc);
	}

	keystore_change = (use_default || token != NULL || slot != NULL);
	if (keystore_change) {
		/*
		 * The keystore selection is replaced wholesale: a field the
		 * caller did not name is cleared, not inherited from the
		 * previous setting.
		 */
		(void) bzero((char *)puent->metaslot_ks_token,
		    TOKEN_LABEL_SIZE);
		(void) bzero((char *)puent->metaslot_ks_slot,
		    SLOT_DESCRIPTION_SIZE);

		if (use_default) {
			(void) strlcpy((char *)puent->metaslot_ks_token,
			    SOFT_TOKEN_LABEL, TOKEN_LABEL_SIZE);
			(void) strlcpy((char *)puent->metaslot_ks_slot,
			    SOFT_SLOT_DESCRIPTION, SLOT_DESCRIPTION_SIZE);
		} else {
			/*
			 * NOTE(review): strlcpy() silently truncates a label
			 * or description longer than the field, and the
			 * truncated value is what metaslot will later try to
			 * match against real tokens.  Consider checking the
			 * strlcpy() return value and reporting truncation to
			 * the administrator.
			 */
			if (token != NULL) {
				(void) strlcpy((char *)puent->metaslot_ks_token,
				    token, TOKEN_LABEL_SIZE);
			}
			if (slot != NULL) {
				(void) strlcpy((char *)puent->metaslot_ks_slot,
				    slot, SLOT_DESCRIPTION_SIZE);
			}
		}
	}

	rc = update_pkcs11conf(puent);
	free_uentry(puent);
	return (rc);
}