/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

/*
 * Administration for metaslot
 *
 * All the "list" operations call functions in libpkcs11.so.
 * Normally, it doesn't make sense to call functions in libpkcs11.so directly
 * because libpkcs11.so depends on the configuration file (pkcs11.conf) the
 * cryptoadm command is trying to administer.  However, since metaslot
 * is part of the framework, it is not possible to get information about
 * it without actually calling functions in libpkcs11.so.
 *
 * So, for the listing operation, which won't modify the value of pkcs11.conf,
 * it is safe to call libpkcs11.so.
 *
 * For the other operations, which modify the pkcs11.conf file, libpkcs11.so
 * will not be called.
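 *
 */

#include <cryptoutil.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <libintl.h>
#include <dlfcn.h>
#include <link.h>
#include <strings.h>
#include <security/cryptoki.h>
#include <cryptoutil.h>
#include "cryptoadm.h"

/* Slot number the framework assigns to metaslot (see list_metaslot_info). */
#define	METASLOT_ID	0

/*
 * Return B_TRUE when the first "len" bytes at "p" are all zero.
 *
 * The keystore slot/token fields of the pkcs11.conf metaslot entry are
 * fixed-size arrays; an all-zero field means "not configured".
 */
static boolean_t
is_all_zero(const void *p, size_t len)
{
	const unsigned char *bytes = p;
	size_t idx;

	for (idx = 0; idx < len; idx++) {
		if (bytes[idx] != 0) {
			return (B_FALSE);
		}
	}
	return (B_TRUE);
}

/*
 * Display the metaslot settings recorded in pkcs11.conf and, on request,
 * what the PKCS#11 framework (libpkcs11.so) actually reports for metaslot.
 *
 * show_mechs: if true, list the mechanisms metaslot supports.
 * verbose: if true, also print slot and token details and, together with
 *     show_mechs, the per-mechanism information.
 * mechlist: optional list restricting which mechanisms are shown; when NULL
 *     the framework is asked for its complete mechanism list.
 *
 * Returns SUCCESS or FAILURE.  When show_mechs is set and the call fails,
 * a "failed to retrieve the mechanism list" message is printed as well.
 *
 * Listing is the only metaslot operation that loads libpkcs11.so; the
 * library is finalized and closed, and every allocation released, on all
 * exit paths.
 */
int
list_metaslot_info(boolean_t show_mechs, boolean_t verbose,
    mechlist_t *mechlist)
{
	int rc = SUCCESS;
	CK_RV rv;
	CK_SLOT_INFO slot_info;
	CK_TOKEN_INFO token_info;
	CK_MECHANISM_TYPE_PTR pmech_list = NULL;
	CK_ULONG mech_count = 0;
	CK_ULONG i;
	CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
	CK_FUNCTION_LIST_PTR funcs = NULL;
	void *dldesc = NULL;
	boolean_t lib_initialized = B_FALSE;
	uentry_t *puent;

	/*
	 * Display the system-wide metaslot settings as specified
	 * in the pkcs11.conf file.
	 */
	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	(void) printf(gettext("System-wide Meta Slot Configuration:\n"));
	/*
	 * TRANSLATION_NOTE:
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("------------------------------------\n"));
	(void) printf(gettext("Status: %s\n"), puent->flag_metaslot_enabled ?
	    gettext("enabled") : gettext("disabled"));
	(void) printf(gettext("Sensitive Token Object Automatic Migrate: %s\n"),
	    puent->flag_metaslot_auto_key_migrate ? gettext("enabled") :
	    gettext("disabled"));

	/* A blank (all-zero) keystore field means none was configured. */
	if (!is_all_zero(puent->metaslot_ks_slot, SLOT_DESCRIPTION_SIZE)) {
		(void) printf(gettext("Persistent object store slot: %s\n"),
		    puent->metaslot_ks_slot);
	}

	if (!is_all_zero(puent->metaslot_ks_token, TOKEN_LABEL_SIZE)) {
		(void) printf(gettext("Persistent object store token: %s\n"),
		    puent->metaslot_ks_token);
	}

	/*
	 * The pkcs11.conf entry is not needed past this point.  Release it
	 * here so no exit path below leaks it (the other functions in this
	 * file free their entry as well).
	 */
	free_uentry(puent);
	puent = NULL;

	if ((!verbose) && (!show_mechs)) {
		return (SUCCESS);
	}

	if (verbose) {
		(void) printf(gettext("\nDetailed Meta Slot Information:\n"));
		/*
		 * TRANSLATION_NOTE:
		 * Strictly for appearance's sake, this line should be as
		 * long as the length of the translated text above.
		 */
		(void) printf(gettext("-------------------------------\n"));
	}

	/*
	 * Need to actually make calls to libpkcs11.so to get
	 * information about metaslot.
	 */
	dldesc = dlopen(UEF_FRAME_LIB, RTLD_NOW);
	if (dldesc == NULL) {
		char *dl_error = dlerror();

		/* dlerror() may return NULL; don't hand that to %s. */
		cryptodebug("Cannot load PKCS#11 framework library. "
		    "dlerror:%s", dl_error != NULL ? dl_error : "unknown");
		return (FAILURE);
	}

	/* Get the pointer to library's C_GetFunctionList() */
	Tmp_C_GetFunctionList = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))
	    dlsym(dldesc, "C_GetFunctionList");
	if (Tmp_C_GetFunctionList == NULL) {
		cryptodebug("Cannot get the address of the C_GetFunctionList "
		    "from framework");
		rc = FAILURE;
		goto finish;
	}

	/* Get the provider's function list */
	rv = Tmp_C_GetFunctionList(&funcs);
	if (rv != CKR_OK) {
		cryptodebug("failed to call C_GetFunctionList in "
		    "framework library");
		rc = FAILURE;
		goto finish;
	}

	/*
	 * Initialize this provider.  CK_RV is an unsigned long, so the
	 * error code is widened explicitly to match the format.
	 */
	rv = funcs->C_Initialize(NULL_PTR);
	if (rv != CKR_OK) {
		cryptodebug("C_Initialize failed with error code 0x%lx\n",
		    (unsigned long)rv);
		rc = FAILURE;
		goto finish;
	}
	lib_initialized = B_TRUE;

	/*
	 * We know for sure that metaslot is slot 0 in the framework,
	 * so, we will do a C_GetSlotInfo() trying to see if it works.
	 * If it fails with CKR_SLOT_ID_INVALID, we know that metaslot
	 * is not really enabled.
	 */
	rv = funcs->C_GetSlotInfo(METASLOT_ID, &slot_info);
	if (rv == CKR_SLOT_ID_INVALID) {
		(void) printf(gettext("actual status: disabled.\n"));
		/*
		 * Even if the -m and -v flag is supplied, there's nothing
		 * interesting to display about metaslot since it is disabled,
		 * so, just stop right here.
		 */
		goto finish;
	}

	if (rv != CKR_OK) {
		cryptodebug("C_GetSlotInfo failed with error "
		    "code 0x%lx\n", (unsigned long)rv);
		rc = FAILURE;
		goto finish;
	}

	if (verbose) {
		(void) printf(gettext("actual status: enabled.\n"));

		/*
		 * The fixed-size PKCS#11 text fields are not necessarily
		 * NUL-terminated, hence the explicit precisions below.
		 */
		(void) printf(gettext("Description: %.64s\n"),
		    slot_info.slotDescription);

		(void) printf(gettext("Token Present: %s\n"),
		    (slot_info.flags & CKF_TOKEN_PRESENT ?
		    gettext("True") : gettext("False")));

		rv = funcs->C_GetTokenInfo(METASLOT_ID, &token_info);
		if (rv != CKR_OK) {
			cryptodebug("C_GetTokenInfo failed with error "
			    "code 0x%lx\n", (unsigned long)rv);
			rc = FAILURE;
			goto finish;
		}

		(void) printf(gettext("Token Label: %.32s\n"
		    "Manufacturer ID: %.32s\n"
		    "Model: %.16s\n"
		    "Serial Number: %.16s\n"
		    "Hardware Version: %d.%d\n"
		    "Firmware Version: %d.%d\n"
		    "UTC Time: %.16s\n"
		    "PIN Length: %lu-%lu\n"),
		    token_info.label,
		    token_info.manufacturerID,
		    token_info.model,
		    token_info.serialNumber,
		    token_info.hardwareVersion.major,
		    token_info.hardwareVersion.minor,
		    token_info.firmwareVersion.major,
		    token_info.firmwareVersion.minor,
		    token_info.utcTime,
		    (unsigned long)token_info.ulMinPinLen,
		    (unsigned long)token_info.ulMaxPinLen);

		display_token_flags(token_info.flags);
	}

	/* Getting here with !verbose implies show_mechs (checked above). */
	if (!show_mechs) {
		goto finish;
	}

	if (mechlist == NULL) {
		/* Size query first, then the list itself. */
		rv = funcs->C_GetMechanismList(METASLOT_ID, NULL_PTR,
		    &mech_count);
		if (rv != CKR_OK) {
			cryptodebug("C_GetMechanismList failed with error "
			    "code 0x%lx\n", (unsigned long)rv);
			rc = FAILURE;
			goto finish;
		}

		if (mech_count > 0) {
			/* calloc() checks count * size for overflow. */
			pmech_list = calloc(mech_count, sizeof (*pmech_list));
			if (pmech_list == NULL) {
				cryptodebug("out of memory");
				rc = FAILURE;
				goto finish;
			}
			rv = funcs->C_GetMechanismList(METASLOT_ID, pmech_list,
			    &mech_count);
			if (rv != CKR_OK) {
				cryptodebug("C_GetMechanismList failed with "
				    "error code 0x%lx\n", (unsigned long)rv);
				rc = FAILURE;
				goto finish;
			}
		}
	} else {
		/*
		 * convert_mechlist() fills in pmech_list; it is released at
		 * finish just like the framework-provided list.
		 */
		rc = convert_mechlist(&pmech_list, &mech_count, mechlist);
		if (rc != SUCCESS) {
			goto finish;
		}
	}

	(void) printf(gettext("Mechanisms:\n"));
	if (mech_count == 0) {
		/* should never be this case */
		(void) printf(gettext("No mechanisms\n"));
		goto finish;
	}
	if (verbose) {
		display_verbose_mech_header();
	}

	for (i = 0; i < mech_count; i++) {
		const char *mech_name = pkcs11_mech2str(pmech_list[i]);

		/* Fall back to the raw type if there is no name for it. */
		if (mech_name != NULL) {
			(void) printf("%-29s", mech_name);
		} else {
			(void) printf("%-29lx", (unsigned long)pmech_list[i]);
		}
		if (verbose) {
			CK_MECHANISM_INFO mech_info;

			rv = funcs->C_GetMechanismInfo(METASLOT_ID,
			    pmech_list[i], &mech_info);
			if (rv != CKR_OK) {
				cryptodebug("C_GetMechanismInfo failed with "
				    "error code 0x%lx\n", (unsigned long)rv);
				rc = FAILURE;
				goto finish;
			}
			display_mech_info(&mech_info);
		}
		(void) printf("\n");
	}

finish:
	if ((rc == FAILURE) && (show_mechs)) {
		(void) printf(gettext(
		    "metaslot: failed to retrieve the mechanism list.\n"));
	}

	/* Only finalize what was initialized; funcs is valid iff this is set. */
	if (lib_initialized) {
		(void) funcs->C_Finalize(NULL_PTR);
	}

	if (dldesc != NULL) {
		(void) dlclose(dldesc);
	}

	free(pmech_list);

	return (rc);
}

/*
 * Display the mechanism policy recorded for metaslot in pkcs11.conf.
 *
 * Returns FAILURE when there is no metaslot entry, otherwise the result of
 * display_policy().  The entry is freed before returning.
 */
int
list_metaslot_policy(void)
{
	uentry_t *puent;
	int rc;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	rc = display_policy(puent);
	(void) printf("\n");
	free_uentry(puent);
	return (rc);
}

/*
 * disable metaslot and some of its configuration options
 *
 * If mechlist == NULL and the other two flags are false, just disable
 * the metaslot feature.
 *
 * mechlist: list of mechanisms to disable
 * allflag: if true, indicates all mechanisms should be disabled.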
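* auto_key_migrate_flag: if true, indicates auto key migrate should be disabled
 *
 * Returns SUCCESS or FAILURE.  The updated entry is written back with
 * update_pkcs11conf(); libpkcs11.so is never loaded by this function.
 */
int
disable_metaslot(mechlist_t *mechlist, boolean_t allflag,
    boolean_t auto_key_migrate_flag)
{
	uentry_t *puent;
	int rc = SUCCESS;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	/*
	 * No mechanism list and no other flag: the request is simply
	 * "turn metaslot off"; the policy list is left as it is.
	 */
	if ((mechlist == NULL) && (!auto_key_migrate_flag) && (!allflag)) {
		puent->flag_metaslot_enabled = B_FALSE;
		goto write_to_file;
	}

	if (auto_key_migrate_flag) {
		/* need to disable auto_key_migrate */
		puent->flag_metaslot_auto_key_migrate = B_FALSE;
	}

	/* Only the auto-key-migrate option was requested. */
	if ((mechlist == NULL) && (!allflag)) {
		goto write_to_file;
	}

	/* disable specified mechanisms */
	if (allflag) {
		/*
		 * "All disabled" is expressed as an empty enabled-list:
		 * flag_enabledlist set with no exceptions in policylist.
		 */
		free_umechlist(puent->policylist);
		puent->policylist = NULL;
		puent->count = 0;
		puent->flag_enabledlist = B_TRUE;
	} else if (puent->flag_enabledlist == B_TRUE) {
		/*
		 * The current default policy mode is "all are disabled,
		 * except ...", so if a specified mechanism is in the
		 * exception list (the policylist), delete it from there.
		 */
		rc = update_policylist(puent, mechlist, DELETE_MODE);
	} else {
		/*
		 * The current default policy mode is "all are enabled",
		 * so if a specified mechanism is not in the exception
		 * list (policylist), add it there.
		 */
		rc = update_policylist(puent, mechlist, ADD_MODE);
	}

	if (rc != SUCCESS) {
		goto finish;
	}

	/* If all mechanisms are disabled, metaslot will be disabled as well */
	if ((puent->flag_enabledlist) && (puent->count == 0)) {
		puent->flag_metaslot_enabled = B_FALSE;
	}

write_to_file:
	rc = update_pkcs11conf(puent);

finish:
	free_uentry(puent);
	return (rc);
}

/*
 * enable metaslot and some of its configuration options
 *
 * If mechlist==NULL, and the other flags are false, or not specified,
 * just enable the metaslot feature.
 *
 * token: if specified, indicate label of token to be used as keystore.
 * slot: if specified, indicate slot to be used as keystore.
 * use_default: if true, indicate to use the default keystore. It should
 *     not be specified if either token or slot is specified.
 * mechlist: list of mechanisms to enable
 * allflag: if true, indicates all mechanisms should be enabled.
 * auto_key_migrate_flag: if true, indicates auto key migrate should be enabled
 *
 * Returns SUCCESS or FAILURE.  A token label or slot description that does
 * not fit its fixed-size field is rejected with an error rather than
 * silently truncated, since a truncated value would name a different
 * keystore than the one the administrator asked for.
 */
int
enable_metaslot(char *token, char *slot, boolean_t use_default,
    mechlist_t *mechlist, boolean_t allflag, boolean_t auto_key_migrate_flag)
{
	uentry_t *puent;
	int rc = SUCCESS;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	puent->flag_metaslot_enabled = B_TRUE;

	if (auto_key_migrate_flag) {
		/* need to enable auto_key_migrate */
		puent->flag_metaslot_auto_key_migrate = B_TRUE;
	}

	if (allflag) {
		/*
		 * If enabling all, what needs to be done are cleaning up the
		 * policylist and setting the "flag_enabledlist" flag to
		 * B_FALSE ("all enabled, no exceptions").
		 */
		free_umechlist(puent->policylist);
		puent->policylist = NULL;
		puent->count = 0;
		puent->flag_enabledlist = B_FALSE;
	} else if (mechlist != NULL) {
		if (puent->flag_enabledlist == B_TRUE) {
			/*
			 * The current default policy mode of this
			 * library is "all are disabled, except ...",
			 * so if a specified mechanism is not in the
			 * exception list (policylist), add it.
			 */
			rc = update_policylist(puent, mechlist, ADD_MODE);
		} else {
			/*
			 * The current default policy mode of this
			 * library is "all are enabled, except", so if
			 * a specified mechanism is in the exception
			 * list (policylist), delete it.
			 */
			rc = update_policylist(puent, mechlist, DELETE_MODE);
		}
	}

	if (rc != SUCCESS) {
		goto finish;
	}

	if (!use_default && token == NULL && slot == NULL) {
		/* no need to change metaslot keystore */
		goto write_to_file;
	}

	/* Both keystore fields are replaced together so no stale half remains. */
	(void) bzero((char *)puent->metaslot_ks_token, TOKEN_LABEL_SIZE);
	(void) bzero((char *)puent->metaslot_ks_slot, SLOT_DESCRIPTION_SIZE);

	if (use_default) {
		(void) strlcpy((char *)puent->metaslot_ks_token,
		    SOFT_TOKEN_LABEL, TOKEN_LABEL_SIZE);
		(void) strlcpy((char *)puent->metaslot_ks_slot,
		    SOFT_SLOT_DESCRIPTION, SLOT_DESCRIPTION_SIZE);
	} else {
		/*
		 * strlcpy() returns the length it tried to copy; a value at
		 * or beyond the field size means the input was truncated.
		 */
		if (token != NULL &&
		    strlcpy((char *)puent->metaslot_ks_token, token,
		    TOKEN_LABEL_SIZE) >= TOKEN_LABEL_SIZE) {
			cryptoerror(LOG_STDERR, gettext(
			    "token label is too long (%lu characters maximum)."),
			    (unsigned long)(TOKEN_LABEL_SIZE - 1));
			rc = FAILURE;
			goto finish;
		}

		if (slot != NULL &&
		    strlcpy((char *)puent->metaslot_ks_slot, slot,
		    SLOT_DESCRIPTION_SIZE) >= SLOT_DESCRIPTION_SIZE) {
			cryptoerror(LOG_STDERR, gettext(
			    "slot description is too long "
			    "(%lu characters maximum)."),
			    (unsigned long)(SLOT_DESCRIPTION_SIZE - 1));
			rc = FAILURE;
			goto finish;
		}
	}

write_to_file:
	rc = update_pkcs11conf(puent);

finish:
	free_uentry(puent);
	return (rc);
}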