1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  *
  21  * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
  22  */
  23 /*
  24  * Copyright 2010 Nexenta Systems, Inc.  All rights reserved.
  25  */
  26 
  27 #ifndef _CRYPTOUTIL_H
  28 #define _CRYPTOUTIL_H
  29 
  30 #ifdef __cplusplus
  31 extern "C" {
  32 #endif
  33 
  34 #include <sys/types.h>
  35 #include <syslog.h>
  36 #include <security/cryptoki.h>
  37 #include <sys/param.h>
  38 
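/*
 * Status codes and logging selector shared by the library's users.
 *
 * LOG_STDERR is negative, whereas the syslog priorities from <syslog.h>
 * are non-negative, so the two cannot be confused. It is presumably the
 * value given to cryptoerror() as "priority" to request output on stderr
 * rather than through syslog -- confirm against the implementation.
 * The expansion is parenthesized so the negative literal stays a single
 * operand wherever the macro is used inside a larger expression.
 */
#define LOG_STDERR      (-1)
#define SUCCESS         0
#define FAILURE         1
/*
 * Size of a midstr_t buffer: length of a mechanism id in hex form.
 * NOTE(review): 11 presumably covers "0x", eight hex digits and the
 * terminating NUL -- confirm before relying on it for bounds checks.
 */
#define MECH_ID_HEX_LEN 11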
  43 
/*
 * Absolute paths of the two framework configuration files and of a lock
 * file.
 * NOTE(review): entries parsed from pkcs11.conf appear to carry library
 * path names (uentry_t.name is a MAXPATHLEN buffer of type libname_t), so
 * write access to these files presumably decides which provider code is
 * loaded and which mechanisms are allowed -- confirm that they are
 * installed writable by root only.
 */
#define _PATH_PKCS11_CONF       "/etc/crypto/pkcs11.conf"
#define _PATH_KCF_CONF          "/etc/crypto/kcf.conf"
#define _PATH_KCFD_LOCK         "/var/run/kcfd.lock"
  47 
/*
 * $ISA substitution for parsing pkcs11.conf data.
 *
 * PKCS11_ISA is the literal token searched for in a configured path;
 * PKCS11_ISA_DIR is the build-dependent text associated with it: "/64/"
 * when compiled for an LP64 data model, "/" otherwise. Presumably the
 * token is replaced by PKCS11_ISA_DIR so that the same configuration
 * line resolves to the library matching the caller's word size --
 * confirm in the parser.
 */
#define PKCS11_ISA      "/$ISA/"
#if defined(_LP64)
#define PKCS11_ISA_DIR  "/64/"
#else   /* !_LP64 */
#define PKCS11_ISA_DIR  "/"
#endif
  55 
/*
 * Keywords and delimiters for parsing configuration files.
 *
 * The strings are compared against file content, so every character,
 * including the trailing '=' of the "name=" keywords, is significant.
 */
#define SEP_COLON       ":"
#define SEP_SEMICOLON   ";"
#define SEP_EQUAL       "="
#define SEP_COMMA       ","
#define METASLOT_KEYWORD        "metaslot"
#define FIPS_KEYWORD    "fips-140"
#define EF_DISABLED     "disabledlist="
#define EF_ENABLED      "enabledlist="
#define EF_NORANDOM     "NO_RANDOM"
#define METASLOT_TOKEN  "metaslot_token="
#define METASLOT_SLOT   "metaslot_slot="
#define METASLOT_STATUS "metaslot_status="
#define EF_FIPS_STATUS  "fips_status="
#define METASLOT_AUTO_KEY_MIGRATE       "metaslot_auto_key_migrate="
#define ENABLED_KEYWORD         "enabled"
#define DISABLED_KEYWORD        "disabled"
/*
 * Widths, in bytes, of the fixed-size text fields. They equal the
 * PKCS#11 field widths of slotDescription (64), label (32),
 * manufacturerID (32) and serialNumber (16); those fields are padded with
 * spaces and carry no terminating NUL, which is why uentry_t sizes its
 * own buffers as SIZE + 1.
 */
#define SLOT_DESCRIPTION_SIZE   64
#define TOKEN_LABEL_SIZE        32
#define TOKEN_MANUFACTURER_SIZE 32
#define TOKEN_SERIAL_SIZE       16
/* Values of the FIPS mode setting: 0 is disabled, 1 is enabled. */
#define CRYPTO_FIPS_MODE_DISABLED       0
#define CRYPTO_FIPS_MODE_ENABLED        1
  79 
/*
 * Define the following softtoken values that are used by the softtoken
 * library and by the cryptoadm and pktool commands.
 *
 * The description, label, serial and manufacturer strings are already
 * padded with spaces to the fixed widths above (64, 32, 16 and 32
 * characters), so they can be compared against the space-padded PKCS#11
 * fields over exactly that many bytes. Do not trim the padding.
 */
#define SOFT_SLOT_DESCRIPTION   \
                        "Sun Crypto Softtoken            " \
                        "                                "
#define SOFT_TOKEN_LABEL        "Sun Software PKCS#11 softtoken  "
#define SOFT_TOKEN_SERIAL       "                "
#define SOFT_MANUFACTURER_ID    "Sun Microsystems, Inc.          "
/*
 * PIN of a softtoken that has not been personalised yet.
 * NOTE(review): this value is public, so a keystore still protected by
 * it is effectively unprotected. Presumably the softtoken refuses
 * private-object operations until the PIN has been changed -- confirm,
 * and make sure provisioning sets a real PIN before keys are stored.
 */
#define SOFT_DEFAULT_PIN        "changeme"
  91 
/*
 * Fixed-size string buffers: libname_t holds MAXPATHLEN bytes and
 * midstr_t holds MECH_ID_HEX_LEN bytes. Both are arrays, not pointers,
 * so sizeof gives the capacity; anything copied in from a configuration
 * file has to be bounded to that size and NUL-terminated by the code
 * doing the copy.
 */
typedef char libname_t[MAXPATHLEN];
typedef char midstr_t[MECH_ID_HEX_LEN];
  94 
/*
 * Node of a singly linked list of mechanisms, each identified by its id
 * in hex-string form. free_umechlist() is declared below for releasing
 * such a list.
 */
typedef struct umechlist {
        midstr_t                name;   /* mechanism name in hex form */
        struct umechlist        *next;  /* following node; presumably NULL at the end */
} umechlist_t;
  99 
/*
 * One parsed configuration entry.
 *
 * A single policy list is stored; flag_enabledlist tells whether it is to
 * be read as an enabledlist or as a disabledlist, so a consumer has to
 * check the flag before interpreting policylist.
 */
typedef struct uentry {
        libname_t       name;   /* entry name; NOTE(review): presumably the provider library path -- confirm */
        boolean_t       flag_norandom; /* TRUE if random is disabled */
        boolean_t       flag_enabledlist; /* TRUE if an enabledlist */
        umechlist_t     *policylist; /* disabledlist or enabledlist */
        boolean_t       flag_metaslot_enabled; /* TRUE if metaslot's enabled */
        boolean_t       flag_metaslot_auto_key_migrate;
        /* Sized one byte beyond the fixed PKCS#11 widths, presumably for a NUL. */
        CK_UTF8CHAR     metaslot_ks_slot[SLOT_DESCRIPTION_SIZE + 1];
        CK_UTF8CHAR     metaslot_ks_token[TOKEN_LABEL_SIZE + 1];
        int             count;  /* NOTE(review): presumably the number of policylist nodes -- confirm */
        boolean_t       flag_fips_enabled;
} uentry_t;
 112 
/*
 * Node of a singly linked list of configuration entries, the type handed
 * back through get_pkcs11conf_info() and accepted by free_uentrylist().
 */
typedef struct uentrylist {
        uentry_t        *puent; /* entry carried by this node */
        struct uentrylist       *next;  /* following node; presumably NULL at the end */
} uentrylist_t;
 117 
/*
 * Return codes for pkcs11_parse_uri().
 *
 * Only PK11_URI_OK (0) signals success. The remaining meanings are read
 * from the names and should be confirmed against the parser:
 * PK11_URI_INVALID for a malformed URI, PK11_MALLOC_ERROR for an
 * allocation failure, PK11_URI_VALUE_OVERFLOW for an attribute value
 * longer than the limits in this header, PK11_NOT_PKCS11_URI for a string
 * that is not a PKCS#11 URI at all. Callers should treat every non-zero
 * value as "do not use the pkcs11_uri_t contents".
 */
#define PK11_URI_OK             0
#define PK11_URI_INVALID        1
#define PK11_MALLOC_ERROR       2
#define PK11_URI_VALUE_OVERFLOW 3
#define PK11_NOT_PKCS11_URI     4
 124 
/*
 * The specification puts no limit on the attribute length. 256 bytes
 * should be enough for the object name.
 * NOTE(review): this is a local cap on URI input, presumably enforced by
 * pkcs11_parse_uri() and reported as PK11_URI_VALUE_OVERFLOW -- confirm.
 */
#define PK11_MAX_OBJECT_LEN             256
/*
 * CKA_ID is of type "byte array", which can be of arbitrary length. 256
 * bytes should be sufficient though.
 */
#define PK11_MAX_ID_LEN                 256
 135 
/*
 * Structure for the PKCS#11 URI.
 *
 * Filled in by pkcs11_parse_uri(); pkcs11_free_uri() is declared below
 * for releasing it. The pointer members are allocated by the parser, so
 * a caller should not point them at its own storage.
 */
typedef struct pkcs11_uri_t {
        /* CKA_LABEL attribute to the C_FindObjectsInit function. */
        CK_UTF8CHAR_PTR object;
        /*
         * CKA_CLASS attribute to the C_FindObjectsInit function. The
         * "objecttype" URI attribute takes one of the values "private",
         * "public", "cert", "secretkey" and "data"; the objecttype field
         * then holds the corresponding CKO_PRIVATE_KEY, CKO_PUBLIC_KEY,
         * CKO_CERTIFICATE, CKO_SECRET_KEY or CKO_DATA. This attribute
         * cannot be empty in the URI.
         */
        CK_ULONG        objecttype;
        /*
         * CKO_DATA is 0, so the value of objecttype alone cannot tell
         * "data" from "attribute absent"; this flag records presence. It
         * is not part of the URI itself.
         */
        boolean_t       objecttype_present;
        /*
         * Token, manufacturer, serial and model are of fixed length in
         * the specification. We allocate memory on the fly to distinguish
         * between an attribute that is not present and an empty value
         * (presumably a NULL pointer means "not present" -- confirm). We
         * check for overflows. We always terminate the string with '\0'
         * even though that is not done in PKCS#11's CK_TOKEN_INFO
         * structure, whose fields are padded with spaces; a comparison
         * against CK_TOKEN_INFO therefore has to account for the padding.
         */
        /* Token label from CK_TOKEN_INFO. */
        CK_UTF8CHAR_PTR token;
        /* ManufacturerID from CK_TOKEN_INFO. */
        CK_UTF8CHAR_PTR manuf;
        /* SerialNumber from CK_TOKEN_INFO. */
        CK_CHAR_PTR     serial;
        /* Model from CK_TOKEN_INFO. */
        CK_UTF8CHAR_PTR model;
        /*
         * This is a byte array and may contain zero bytes, so its length
         * is carried separately in id_len; never measure it with strlen().
         */
        CK_BYTE_PTR     id;
        int             id_len;
        /*
         * Location of the file with a token PIN. An application can
         * overload this, e.g. "/bin/askpass|" may mean to read the PIN
         * from a command. However, the pkcs11_parse_uri() function does
         * not interpret this field in any way.
         * NOTE(review): because the parser passes the value through
         * unchecked, an application that opens or executes it must treat
         * it as untrusted whenever the URI comes from outside its trust
         * boundary, and should only enable the command form for URIs it
         * built itself.
         */
        char            *pinfile;
} pkcs11_uri_t;
 178 
/*
 * Logging entry points.
 *
 * cryptodebug() and cryptoerror() are variadic and take a format string
 * (presumably printf-style -- confirm). Text that originates outside the
 * program, such as configuration content, token labels or URIs, belongs
 * in the argument list behind a "%s", never in fmt itself.
 * cryptoerror() takes a priority; this header includes <syslog.h> and
 * defines LOG_STDERR, so the value is presumably either a syslog
 * priority or LOG_STDERR.
 * NOTE(review): cryptoerror_off() and cryptoerror_on() are declared with
 * an empty parameter list, which in C is not a prototype; "(void)" would
 * let the compiler reject stray arguments.
 */
extern void cryptodebug(const char *fmt, ...);
extern void cryptoerror(int priority, const char *fmt, ...);
extern void cryptodebug_init(const char *prefix);
extern void cryptoerror_off();
extern void cryptoerror_on();
 184 
/*
 * Conversions between a PKCS#11 mechanism number and its string form.
 * pkcs11_mech2str() returns a const string that the caller must not
 * modify or free; NOTE(review): whether it can return NULL for an unknown
 * mechanism is not visible here -- check before printing the result.
 * pkcs11_str2mech() stores the result through mech and reports success
 * or failure as a CK_RV.
 */
extern const char *pkcs11_mech2str(CK_MECHANISM_TYPE mech);
extern CK_RV pkcs11_str2mech(char *mech_str, CK_MECHANISM_TYPE_PTR mech);
 187 
/*
 * Access to the parsed configuration entries.
 *
 * get_pkcs11conf_info() hands a uentrylist_t list back through its
 * argument and returns an int status (presumably SUCCESS or FAILURE --
 * confirm). create_umech() and getent_uef() return pointers that need a
 * NULL check. The free_*() functions are the matching release routines;
 * NOTE(review): which objects each one owns, for example whether
 * free_uentry() also releases policylist, is not visible in this header.
 */
extern int get_pkcs11conf_info(uentrylist_t **);
extern umechlist_t *create_umech(char *);
extern void free_umechlist(umechlist_t *);
extern void free_uentrylist(uentrylist_t *);
extern void free_uentry(uentry_t *);
extern uentry_t *getent_uef(char *);
 194 
/*
 * Hex conversion and mechanism lookup helpers.
 *
 * tohexstr() writes the hex form of bytes[0..blen) into hexstr and
 * returns nothing, so it cannot report truncation. NOTE(review): hexlen
 * is presumably the capacity of hexstr; callers should pass a buffer of
 * at least 2 * blen + 1 bytes -- confirm how a short buffer is handled.
 * hexstr_to_bytes() returns the decoded data through bytes and blen;
 * NOTE(review): *bytes is presumably allocated by the callee and freed
 * by the caller, which should zero it first when it holds key material.
 * pkcs11_mech2keytype() and pkcs11_mech2keygen() map a mechanism to a key
 * type and to a key generation mechanism, reporting the outcome as CK_RV.
 * pkcs11_strerror() turns a CK_RV into text; the returned pointer is not
 * const, but nothing here suggests the caller may modify or free it.
 */
extern void tohexstr(uchar_t *bytes, size_t blen, char *hexstr, size_t hexlen);
extern int hexstr_to_bytes(char *hexstr, size_t hexlen, uchar_t **bytes,
    size_t *blen);
extern CK_RV pkcs11_mech2keytype(CK_MECHANISM_TYPE mech_type,
    CK_KEY_TYPE *ktype);
extern CK_RV pkcs11_mech2keygen(CK_MECHANISM_TYPE mech_type,
    CK_MECHANISM_TYPE *gen_mech);
extern char *pkcs11_strerror(CK_RV rv);
 203 
/*
 * Reports the metaslot settings through four output parameters: the
 * enabled state, the automatic key migration state, and two strings
 * describing the object store slot and token.
 * NOTE(review): the two char ** outputs are presumably allocated by the
 * callee and owned by the caller afterwards -- confirm, and check the int
 * return value before reading any of the outputs.
 */
extern int
get_metaslot_info(boolean_t  *status_enabled, boolean_t *migrate_enabled,
    char **objectstore_slot_info, char **objectstore_token_info);
 207 
/*
 * get_fullpath() builds a path from a directory and a file path and
 * returns it as a char pointer. NOTE(review): presumably a new allocation
 * that the caller frees, and NULL on failure -- confirm. When either part
 * comes from configuration or user input, the caller is responsible for
 * deciding whether the resulting location is acceptable.
 * str2lifetime() parses a lifetime string into *ltime and returns an int
 * status; the accepted syntax and unit are not visible in this header.
 */
extern char *get_fullpath(char *dir, char *filepath);
extern int str2lifetime(char *ltimestr, uint32_t *ltime);
 210 
/*
 * pkcs11_default_token() returns the name of the default token.
 * pkcs11_get_pass() obtains a passphrase for token_name and returns it
 * through pdata with its size in psize; min_psize is the minimum accepted
 * size and with_confirmation asks for the passphrase to be confirmed.
 * NOTE(review): *pdata is presumably heap memory owned by the caller
 * after a successful return. It holds a secret, so it should be zeroed
 * with a call the compiler cannot optimise away before it is freed, and
 * it should never be passed to the logging functions -- confirm the
 * ownership rule in the implementation.
 */
extern char *pkcs11_default_token(void);
extern int pkcs11_get_pass(char *token_name, char **pdata, size_t *psize,
    size_t min_psize, boolean_t with_confirmation);
 214 
/*
 * Random number helpers and a file reader.
 *
 * The get functions fill dbuf with dlen bytes and return an int status.
 * The output buffer is only meaningful after a successful return, so a
 * caller that ignores the result may go on to use an unfilled or
 * partially filled buffer as key or nonce material.
 * NOTE(review): from the names, pkcs11_get_random() and
 * pkcs11_get_urandom() presumably read the blocking and the non-blocking
 * system random devices, pkcs11_get_nzero_urandom() presumably returns
 * bytes that are all non-zero, and the close functions release cached
 * descriptors -- confirm each of these in the implementation.
 * pkcs11_read_data() returns the content of filename through dbuf and
 * dlen; the buffer is presumably allocated by the callee and should be
 * zeroed before release when the file held a PIN or key.
 */
extern int pkcs11_seed_urandom(void *sbuf, size_t slen);
extern int pkcs11_get_random(void *dbuf, size_t dlen);
extern int pkcs11_get_urandom(void *dbuf, size_t dlen);
extern int pkcs11_get_nzero_urandom(void *dbuf, size_t dlen);
extern void pkcs11_close_random(void);
extern void pkcs11_close_urandom(void);
extern void pkcs11_close_urandom_seed(void);
extern int pkcs11_read_data(char *filename, void **dbuf, size_t *dlen);
 223 
/*
 * I/O wrappers and a configuration file updater.
 *
 * NOTE(review): the "_nointr" suffix suggests that these restart the
 * underlying call when it is interrupted by a signal, and the "n" in
 * readn/writen that they loop until dlen bytes are transferred -- confirm.
 * Both transfer functions return ssize_t, so callers have to compare the
 * result with dlen rather than only test for a negative value.
 * open_nointr() forwards oflag and the optional mode; protections such as
 * refusing to follow symbolic links or setting close-on-exec are the
 * caller's choice through oflag.
 * update_conf() writes entry into conf_file and returns an int status.
 */
extern int open_nointr(const char *path, int oflag, ...);
extern ssize_t readn_nointr(int fd, void *dbuf, size_t dlen);
extern ssize_t writen_nointr(int fd, void *dbuf, size_t dlen);
extern int update_conf(char *conf_file, char *entry);
 228 
/*
 * pkcs11_parse_uri() parses str into *uri and returns one of the PK11_*
 * codes defined above; only PK11_URI_OK means that *uri is usable.
 * pkcs11_free_uri() releases what the parser stored in *uri.
 * NOTE(review): whether *uri is left in a state that is safe to pass to
 * pkcs11_free_uri() after a failed parse is not visible here -- confirm
 * before freeing on the error path. The pinfile member is returned
 * uninterpreted, so validating it is left to the caller.
 */
extern int pkcs11_parse_uri(const char *str, pkcs11_uri_t *uri);
extern void pkcs11_free_uri(pkcs11_uri_t *uri);
 231 
 232 #ifdef __cplusplus
 233 }
 234 #endif
 235 
 236 #endif /* _CRYPTOUTIL_H */