17 * You should have received a copy of the Common Public License
18 * along with this program; if not, a copy can be viewed at
19 * http://www.opensource.org/licenses/cpl1.0.php.
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2012 Milan Jurik. All rights reserved.
25 */
26
27 #include <pthread.h>
28 #include <string.h>
29
30 #include <sys/types.h>
31 #include <sys/stat.h>
32 #include <uuid/uuid.h>
33 #include <fcntl.h>
34 #include <errno.h>
35 #include <pwd.h>
36 #include <syslog.h>
37
38 #include <openssl/rsa.h>
39
40 #include <tss/platform.h>
41 #include <tss/tss_defines.h>
42 #include <tss/tss_typedef.h>
43 #include <tss/tss_structs.h>
44 #include <tss/tss_error.h>
45 #include <tss/tcs_error.h>
46 #include <tss/tspi.h>
47 #include <trousers/trousers.h>
48
49 #include "tpmtok_int.h"
50 #include "tpmtok_defs.h"
51
52 #define MAX_RSA_KEYLENGTH 512
53
54 extern void stlogit(char *fmt, ...);
55
56 CK_RV token_rng(TSS_HCONTEXT, CK_BYTE *, CK_ULONG);
608 rc, Trspi_Error_String(rc));
609 return (CKR_FUNCTION_FAILED);
610 }
611
612 if ((rc = Tspi_TPM_GetRandom(hTPM, bytes, &random_bytes))) {
613 stlogit("Tspi_TPM_GetRandom: 0x%0x - %s",
614 rc, Trspi_Error_String(rc));
615 return (CKR_FUNCTION_FAILED);
616 }
617
618 (void) memcpy(output, random_bytes, bytes);
619 Tspi_Context_FreeMemory(hContext, random_bytes);
620
621 return (CKR_OK);
622 }
623
624 TSS_RESULT
625 open_tss_context(TSS_HCONTEXT *pContext)
626 {
627 TSS_RESULT result;
628
629 if ((result = Tspi_Context_Create(pContext))) {
630 stlogit("Tspi_Context_Create: 0x%0x - %s",
631 result, Trspi_Error_String(result));
632 return (CKR_FUNCTION_FAILED);
633 }
634
635 if ((result = Tspi_Context_Connect(*pContext, NULL))) {
636 stlogit("Tspi_Context_Connect: 0x%0x - %s",
637 result, Trspi_Error_String(result));
638 Tspi_Context_Close(*pContext);
639 *pContext = 0;
640 return (CKR_FUNCTION_FAILED);
641 }
642 return (result);
643 }
644
645 /*ARGSUSED*/
646 static CK_RV
647 token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber,
648 TSS_HCONTEXT *hContext)
2254 TSS_HKEY *phKey)
2255 {
2256 TSS_RESULT result;
2257 TSS_HPOLICY hPolicy = NULL_HPOLICY;
2258 TSS_HKEY hParentKey;
2259 BYTE *authData = NULL;
2260 CK_ATTRIBUTE *attr;
2261 CK_RV rc;
2262 CK_OBJECT_HANDLE handle;
2263 CK_ULONG class;
2264
2265 if (hPrivateLeafKey != NULL_HKEY) {
2266 hParentKey = hPrivateRootKey;
2267 } else {
2268 if ((result = token_load_public_root_key(hContext)))
2269 return (CKR_FUNCTION_FAILED);
2270
2271 hParentKey = hPublicRootKey;
2272 }
2273
2274 *phKey = NULL;
2275 if (template_attribute_find(key_obj->template, CKA_CLASS,
2276 &attr) == FALSE) {
2277 return (CKR_TEMPLATE_INCOMPLETE);
2278 }
2279 class = *((CK_ULONG *)attr->pValue);
2280
2281 rc = template_attribute_find(key_obj->template,
2282 CKA_IBM_OPAQUE, &attr);
2283 /*
2284 * A public key cannot use the OPAQUE data attribute so they
2285 * must be created in software. A private key may not yet
2286 * have its "opaque" data defined and needs to be created
2287 * and loaded so it can be used inside the TPM.
2288 */
2289 if (class == CKO_PUBLIC_KEY || rc == FALSE) {
2290 rc = object_mgr_find_in_map2(hContext, key_obj, &handle);
2291 if (rc != CKR_OK)
2292 return (CKR_FUNCTION_FAILED);
2293
2294 if ((rc = token_load_key(hContext,
2295 handle, hParentKey, NULL, phKey))) {
2296 return (rc);
2297 }
2298 }
2299 /*
2300 * If this is a private key, get the blob and load it in the TPM.
2301 * If it is public, the key is already loaded in software.
2302 */
2303 if (class == CKO_PRIVATE_KEY) {
2304 /* If we already have a handle, just load it */
2305 if (*phKey != NULL) {
2306 result = Tspi_Key_LoadKey(*phKey, hParentKey);
2307 if (result) {
2308 stlogit("Tspi_Context_LoadKeyByBlob: "
2309 "0x%0x - %s",
2310 result, Trspi_Error_String(result));
2311 return (CKR_FUNCTION_FAILED);
2312 }
2313 } else {
2314 /* try again to get the CKA_IBM_OPAQUE attr */
2315 if ((rc = template_attribute_find(key_obj->template,
2316 CKA_IBM_OPAQUE, &attr)) == FALSE) {
2317 return (rc);
2318 }
2319 if ((result = Tspi_Context_LoadKeyByBlob(hContext,
2320 hParentKey, attr->ulValueLen, attr->pValue,
2321 phKey))) {
2322 stlogit("Tspi_Context_LoadKeyByBlob: "
2323 "0x%0x - %s",
2324 result, Trspi_Error_String(result));
2325 return (CKR_FUNCTION_FAILED);
|
17 * You should have received a copy of the Common Public License
18 * along with this program; if not, a copy can be viewed at
19 * http://www.opensource.org/licenses/cpl1.0.php.
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2012 Milan Jurik. All rights reserved.
25 */
26
27 #include <pthread.h>
28 #include <string.h>
29
30 #include <sys/types.h>
31 #include <sys/stat.h>
32 #include <uuid/uuid.h>
33 #include <fcntl.h>
34 #include <errno.h>
35 #include <pwd.h>
36 #include <syslog.h>
37 #include <libscf.h>
38
39 #include <openssl/rsa.h>
40
41 #include <tss/platform.h>
42 #include <tss/tss_defines.h>
43 #include <tss/tss_typedef.h>
44 #include <tss/tss_structs.h>
45 #include <tss/tss_error.h>
46 #include <tss/tcs_error.h>
47 #include <tss/tspi.h>
48 #include <trousers/trousers.h>
49
50 #include "tpmtok_int.h"
51 #include "tpmtok_defs.h"
52
53 #define MAX_RSA_KEYLENGTH 512
54
55 extern void stlogit(char *fmt, ...);
56
57 CK_RV token_rng(TSS_HCONTEXT, CK_BYTE *, CK_ULONG);
609 rc, Trspi_Error_String(rc));
610 return (CKR_FUNCTION_FAILED);
611 }
612
613 if ((rc = Tspi_TPM_GetRandom(hTPM, bytes, &random_bytes))) {
614 stlogit("Tspi_TPM_GetRandom: 0x%0x - %s",
615 rc, Trspi_Error_String(rc));
616 return (CKR_FUNCTION_FAILED);
617 }
618
619 (void) memcpy(output, random_bytes, bytes);
620 Tspi_Context_FreeMemory(hContext, random_bytes);
621
622 return (CKR_OK);
623 }
624
625 TSS_RESULT
626 open_tss_context(TSS_HCONTEXT *pContext)
627 {
628 TSS_RESULT result;
629 char *smf_string;
630
631 /*
632 * The Tspi_* functions fail if we don't have tcsd running. Worse,
633 * because Tspi_* uses TCP over localhost, this can accidentally
634 * trigger anti-denial-of-service measures.
635 *
636 * Instead, use SMF to see if tcsd is fully up and running, or if it
637 * exists at all. If it's not, bail early.
638 */
639 /* XXX KEBE ASKS -> Use a hardwired FMRI string or instance here? */
640 smf_string = smf_get_state("svc:/application/security/tcsd:default");
641 if (smf_string == NULL ||
642 strcmp(smf_string, SCF_STATE_STRING_ONLINE) != 0) {
643 free(smf_string);
644 return (CKR_FUNCTION_FAILED);
645 }
646 free(smf_string);
647
648 if ((result = Tspi_Context_Create(pContext))) {
649 stlogit("Tspi_Context_Create: 0x%0x - %s",
650 result, Trspi_Error_String(result));
651 return (CKR_FUNCTION_FAILED);
652 }
653
654 if ((result = Tspi_Context_Connect(*pContext, NULL))) {
655 stlogit("Tspi_Context_Connect: 0x%0x - %s",
656 result, Trspi_Error_String(result));
657 Tspi_Context_Close(*pContext);
658 *pContext = 0;
659 return (CKR_FUNCTION_FAILED);
660 }
661 return (result);
662 }
663
664 /*ARGSUSED*/
665 static CK_RV
666 token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber,
667 TSS_HCONTEXT *hContext)
2273 TSS_HKEY *phKey)
2274 {
2275 TSS_RESULT result;
2276 TSS_HPOLICY hPolicy = NULL_HPOLICY;
2277 TSS_HKEY hParentKey;
2278 BYTE *authData = NULL;
2279 CK_ATTRIBUTE *attr;
2280 CK_RV rc;
2281 CK_OBJECT_HANDLE handle;
2282 CK_ULONG class;
2283
2284 if (hPrivateLeafKey != NULL_HKEY) {
2285 hParentKey = hPrivateRootKey;
2286 } else {
2287 if ((result = token_load_public_root_key(hContext)))
2288 return (CKR_FUNCTION_FAILED);
2289
2290 hParentKey = hPublicRootKey;
2291 }
2292
2293 *phKey = (TSS_HKEY)(uintptr_t)NULL;
2294 if (template_attribute_find(key_obj->template, CKA_CLASS,
2295 &attr) == FALSE) {
2296 return (CKR_TEMPLATE_INCOMPLETE);
2297 }
2298 class = *((CK_ULONG *)attr->pValue);
2299
2300 rc = template_attribute_find(key_obj->template,
2301 CKA_IBM_OPAQUE, &attr);
2302 /*
2303 * A public key cannot use the OPAQUE data attribute so they
2304 * must be created in software. A private key may not yet
2305 * have its "opaque" data defined and needs to be created
2306 * and loaded so it can be used inside the TPM.
2307 */
2308 if (class == CKO_PUBLIC_KEY || rc == FALSE) {
2309 rc = object_mgr_find_in_map2(hContext, key_obj, &handle);
2310 if (rc != CKR_OK)
2311 return (CKR_FUNCTION_FAILED);
2312
2313 if ((rc = token_load_key(hContext,
2314 handle, hParentKey, NULL, phKey))) {
2315 return (rc);
2316 }
2317 }
2318 /*
2319 * If this is a private key, get the blob and load it in the TPM.
2320 * If it is public, the key is already loaded in software.
2321 */
2322 if (class == CKO_PRIVATE_KEY) {
2323 /* If we already have a handle, just load it */
2324 if (*phKey != (TSS_HKEY)(uintptr_t)NULL) {
2325 result = Tspi_Key_LoadKey(*phKey, hParentKey);
2326 if (result) {
2327 stlogit("Tspi_Context_LoadKeyByBlob: "
2328 "0x%0x - %s",
2329 result, Trspi_Error_String(result));
2330 return (CKR_FUNCTION_FAILED);
2331 }
2332 } else {
2333 /* try again to get the CKA_IBM_OPAQUE attr */
2334 if ((rc = template_attribute_find(key_obj->template,
2335 CKA_IBM_OPAQUE, &attr)) == FALSE) {
2336 return (rc);
2337 }
2338 if ((result = Tspi_Context_LoadKeyByBlob(hContext,
2339 hParentKey, attr->ulValueLen, attr->pValue,
2340 phKey))) {
2341 stlogit("Tspi_Context_LoadKeyByBlob: "
2342 "0x%0x - %s",
2343 result, Trspi_Error_String(result));
2344 return (CKR_FUNCTION_FAILED);
|