2 * Copyright (C) 2012 Red Hat Inc.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
8 * * Redistributions of source code must retain the above
9 * copyright notice, this list of conditions and the
10 * following disclaimer.
11 * * Redistributions in binary form must reproduce the
12 * above copyright notice, this list of conditions and
13 * the following disclaimer in the documentation and/or
14 * other materials provided with the distribution.
15 * * The names of contributors to this software may not be
16 * used to endorse or promote products derived from this
17 * software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
26 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
27 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
29 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
32 * Author: Stef Walter <stefw@redhat.com>
37 #define CRYPTOKI_EXPORTS
42 #define P11_DEBUG_FLAG P11_DEBUG_TRUST
61 #define MANUFACTURER_ID "PKCS#11 Kit "
62 #define LIBRARY_DESCRIPTION "PKCS#11 Kit Trust Module "
63 #define TOKEN_MODEL "p11-kit-trust "
64 #define TOKEN_SERIAL_NUMBER "1 "
66 /* Initial slot id: non-zero and non-one */
67 #define BASE_SLOT_ID 18UL
69 static struct _Shared {
74 } gl = { 0, NULL, NULL, NULL };
76 /* Used during FindObjects */
77 typedef struct _FindObjects {
79 CK_OBJECT_HANDLE *snapshot;
81 CK_ATTRIBUTE *public_key;
85 static CK_FUNCTION_LIST sys_function_list;
88 find_objects_free (void *data)
90 FindObjects *find = data;
91 p11_attrs_free (find->match);
92 free (find->snapshot);
93 p11_dict_free (find->extensions);
98 lookup_session (CK_SESSION_HANDLE handle,
99 p11_session **session)
104 return CKR_CRYPTOKI_NOT_INITIALIZED;
106 sess = p11_dict_get (gl.sessions, &handle);
108 return CKR_SESSION_HANDLE_INVALID;
115 static CK_ATTRIBUTE *
116 lookup_object_inlock (p11_session *session,
117 CK_OBJECT_HANDLE handle,
122 assert (session != NULL);
124 attrs = p11_index_lookup (session->index, handle);
127 *index = session->index;
131 attrs = p11_index_lookup (p11_token_index (session->token), handle);
134 *index = p11_token_index (session->token);
142 check_index_writable (p11_session *session,
145 if (index == p11_token_index (session->token)) {
146 if (!p11_token_is_writable (session->token))
147 return CKR_TOKEN_WRITE_PROTECTED;
148 else if (!session->read_write)
149 return CKR_SESSION_READ_ONLY;
156 lookup_slot_inlock (CK_SLOT_ID id,
160 * These are invalid inputs, that well behaved callers should
161 * not produce, so have them fail precondations
164 return_val_if_fail (gl.tokens != NULL,
165 CKR_CRYPTOKI_NOT_INITIALIZED);
167 return_val_if_fail (id >= BASE_SLOT_ID && id - BASE_SLOT_ID < gl.tokens->num,
168 CKR_SLOT_ID_INVALID);
171 *token = gl.tokens->elem[id - BASE_SLOT_ID];
176 check_slot (CK_SLOT_ID id)
181 ret = lookup_slot_inlock (id, NULL) == CKR_OK;
188 create_tokens_inlock (p11_array *tokens,
192 * TRANSLATORS: These label strings are used in PKCS#11 URIs and
193 * unfortunately cannot be marked translatable. If localization is
194 * desired they should be translated in GUI applications. These
195 * strings will not change arbitrarily.
203 { "~/", "User Trust", P11_TOKEN_FLAG_NONE },
204 { P11_DEFAULT_TRUST_PREFIX, "Default Trust", P11_TOKEN_FLAG_WRITE_PROTECTED },
205 { P11_SYSTEM_TRUST_PREFIX, "System Trust", P11_TOKEN_FLAG_NONE },
221 p11_debug ("using paths: %s", paths);
223 alloc = remaining = strdup (paths);
224 return_val_if_fail (remaining != NULL, false);
228 pos = strchr (remaining, P11_PATH_SEP_C);
236 if (path[0] != '\0') {
237 /* The slot for the new token */
238 slot = BASE_SLOT_ID + tokens->num;
241 flags = P11_TOKEN_FLAG_NONE;
244 /* Claim the various labels based on prefix */
245 for (i = 0; label == NULL && labels[i].prefix != NULL; i++) {
246 if (strncmp (path, labels[i].prefix, strlen (labels[i].prefix)) == 0) {
247 label = labels[i].label;
248 flags = labels[i].flags;
249 labels[i].label = NULL;
253 /* Didn't find a label above, then make one based on the path */
255 label = base = p11_path_base (path);
256 return_val_if_fail (base != NULL, false);
259 token = p11_token_new (slot, path, label, flags);
260 return_val_if_fail (token != NULL, false);
262 if (!p11_array_push (tokens, token))
263 return_val_if_reached (false);
266 assert (lookup_slot_inlock (slot, &check) == CKR_OK && check == token);
275 parse_argument (char *arg,
280 value = arg + strcspn (arg, ":=");
286 if (strcmp (arg, "paths") == 0) {
288 gl.paths = value ? strdup (value) : NULL;
290 } else if (strcmp (arg, "verbose") == 0) {
291 if (strcmp (value, "yes") == 0)
293 else if (strcmp (value, "no") == 0)
294 p11_message_quiet ();
296 p11_message ("unrecognized module argument: %s", arg);
301 sys_C_Finalize (CK_VOID_PTR reserved)
307 /* WARNING: This function must be reentrant */
310 rv = CKR_ARGUMENTS_BAD;
315 if (gl.initialized == 0) {
316 p11_debug ("trust module is not initialized");
317 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
319 } else if (gl.initialized == 1) {
320 p11_debug ("doing finalization");
325 p11_dict_free (gl.sessions);
328 p11_array_free (gl.tokens);
336 p11_debug ("trust module still initialized %d times", gl.initialized);
342 p11_debug ("out: 0x%lx", rv);
347 sys_C_Initialize (CK_VOID_PTR init_args)
349 static const CK_C_INITIALIZE_ARGS def_args =
350 { NULL, NULL, NULL, NULL, CKF_OS_LOCKING_OK, NULL, };
351 const CK_C_INITIALIZE_ARGS *args = NULL;
355 p11_library_init_once ();
357 /* WARNING: This function must be reentrant */
369 /* ALL supplied function pointers need to have the value either NULL or non-NULL. */
370 supplied_ok = (args->CreateMutex == NULL && args->DestroyMutex == NULL &&
371 args->LockMutex == NULL && args->UnlockMutex == NULL) ||
372 (args->CreateMutex != NULL && args->DestroyMutex != NULL &&
373 args->LockMutex != NULL && args->UnlockMutex != NULL);
375 p11_message ("invalid set of mutex calls supplied");
376 rv = CKR_ARGUMENTS_BAD;
380 * When the CKF_OS_LOCKING_OK flag isn't set return an error.
381 * We must be able to use our pthread functionality.
383 if (!(args->flags & CKF_OS_LOCKING_OK)) {
384 p11_message ("can't do without os locking");
388 if (rv == CKR_OK && gl.initialized != 0) {
389 p11_debug ("trust module already initialized %d times",
393 * We support setting the socket path and other arguments from from the
394 * pReserved pointer, similar to how NSS PKCS#11 components are initialized.
396 } else if (rv == CKR_OK) {
397 p11_debug ("doing initialization");
400 p11_argv_parse ((const char*)args->pReserved, parse_argument, NULL);
402 gl.sessions = p11_dict_new (p11_dict_ulongptr_hash,
403 p11_dict_ulongptr_equal,
404 NULL, p11_session_free);
406 gl.tokens = p11_array_new ((p11_destroyer)p11_token_free);
407 if (gl.tokens && !create_tokens_inlock (gl.tokens, gl.paths ? gl.paths : TRUST_PATHS))
410 if (gl.sessions == NULL || gl.tokens == NULL) {
412 rv = CKR_GENERAL_ERROR;
421 sys_C_Finalize (NULL);
423 p11_debug ("out: 0x%lx", rv);
428 sys_C_GetInfo (CK_INFO_PTR info)
432 p11_library_init_once ();
436 return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD);
441 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
446 memset (info, 0, sizeof (*info));
447 info->cryptokiVersion.major = CRYPTOKI_VERSION_MAJOR;
448 info->cryptokiVersion.minor = CRYPTOKI_VERSION_MINOR;
449 info->libraryVersion.major = PACKAGE_MAJOR;
450 info->libraryVersion.minor = PACKAGE_MINOR;
452 memcpy ((char*)info->manufacturerID, MANUFACTURER_ID, 32);
453 memcpy ((char*)info->libraryDescription, LIBRARY_DESCRIPTION, 32);
456 p11_debug ("out: 0x%lx", rv);
462 sys_C_GetFunctionList (CK_FUNCTION_LIST_PTR_PTR list)
464 /* Can be called before C_Initialize */
465 return_val_if_fail (list != NULL, CKR_ARGUMENTS_BAD);
467 *list = &sys_function_list;
472 sys_C_GetSlotList (CK_BBOOL token_present,
473 CK_SLOT_ID_PTR slot_list,
479 return_val_if_fail (count != NULL, CKR_ARGUMENTS_BAD);
486 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
493 } else if (!slot_list) {
494 *count = gl.tokens->num;
497 } else if (*count < gl.tokens->num) {
498 *count = gl.tokens->num;
499 rv = CKR_BUFFER_TOO_SMALL;
502 for (i = 0; i < gl.tokens->num; i++)
503 slot_list[i] = BASE_SLOT_ID + i;
504 *count = gl.tokens->num;
508 p11_debug ("out: 0x%lx", rv);
514 sys_C_GetSlotInfo (CK_SLOT_ID id,
515 CK_SLOT_INFO_PTR info)
522 return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD);
527 rv = lookup_slot_inlock (id, &token);
529 memset (info, 0, sizeof (*info));
530 info->firmwareVersion.major = 0;
531 info->firmwareVersion.minor = 0;
532 info->hardwareVersion.major = PACKAGE_MAJOR;
533 info->hardwareVersion.minor = PACKAGE_MINOR;
534 info->flags = CKF_TOKEN_PRESENT;
535 memcpy ((char*)info->manufacturerID, MANUFACTURER_ID, 32);
537 /* If too long, copy the first 64 characters into buffer */
538 path = p11_token_get_path (token);
539 length = strlen (path);
540 if (length > sizeof (info->slotDescription))
541 length = sizeof (info->slotDescription);
542 memset (info->slotDescription, ' ', sizeof (info->slotDescription));
543 memcpy (info->slotDescription, path, length);
547 p11_debug ("out: 0x%lx", rv);
553 sys_C_GetTokenInfo (CK_SLOT_ID id,
554 CK_TOKEN_INFO_PTR info)
561 return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD);
567 rv = lookup_slot_inlock (id, &token);
569 memset (info, 0, sizeof (*info));
570 info->firmwareVersion.major = 0;
571 info->firmwareVersion.minor = 0;
572 info->hardwareVersion.major = PACKAGE_MAJOR;
573 info->hardwareVersion.minor = PACKAGE_MINOR;
574 info->flags = CKF_TOKEN_INITIALIZED;
575 memcpy ((char*)info->manufacturerID, MANUFACTURER_ID, 32);
576 memcpy ((char*)info->model, TOKEN_MODEL, 16);
577 memcpy ((char*)info->serialNumber, TOKEN_SERIAL_NUMBER, 16);
578 info->ulMaxSessionCount = CK_EFFECTIVELY_INFINITE;
579 info->ulSessionCount = CK_UNAVAILABLE_INFORMATION;
580 info->ulMaxRwSessionCount = 0;
581 info->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION;
582 info->ulMaxPinLen = 0;
583 info->ulMinPinLen = 0;
584 info->ulTotalPublicMemory = CK_UNAVAILABLE_INFORMATION;
585 info->ulFreePublicMemory = CK_UNAVAILABLE_INFORMATION;
586 info->ulTotalPrivateMemory = CK_UNAVAILABLE_INFORMATION;
587 info->ulFreePrivateMemory = CK_UNAVAILABLE_INFORMATION;
589 /* If too long, copy the first 32 characters into buffer */
590 label = p11_token_get_label (token);
591 length = strlen (label);
592 if (length > sizeof (info->label))
593 length = sizeof (info->label);
594 memset (info->label, ' ', sizeof (info->label));
595 memcpy (info->label, label, length);
597 if (!p11_token_is_writable (token))
598 info->flags |= CKF_WRITE_PROTECTED;
602 p11_debug ("out: 0x%lx", rv);
608 sys_C_GetMechanismList (CK_SLOT_ID id,
609 CK_MECHANISM_TYPE_PTR mechanism_list,
614 return_val_if_fail (count != NULL, CKR_ARGUMENTS_BAD);
620 p11_debug ("out: 0x%lx", rv);
625 sys_C_GetMechanismInfo (CK_SLOT_ID id,
626 CK_MECHANISM_TYPE type,
627 CK_MECHANISM_INFO_PTR info)
629 return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD);
630 return_val_if_fail (check_slot (id), CKR_SLOT_ID_INVALID);
631 return_val_if_reached (CKR_MECHANISM_INVALID);
635 sys_C_InitToken (CK_SLOT_ID id,
638 CK_UTF8CHAR_PTR label)
640 p11_debug ("not supported");
641 return CKR_FUNCTION_NOT_SUPPORTED;
645 sys_C_WaitForSlotEvent (CK_FLAGS flags,
647 CK_VOID_PTR reserved)
649 p11_debug ("not supported");
650 return CKR_FUNCTION_NOT_SUPPORTED;
654 sys_C_OpenSession (CK_SLOT_ID id,
656 CK_VOID_PTR user_data,
658 CK_SESSION_HANDLE_PTR handle)
660 p11_session *session;
664 return_val_if_fail (check_slot (id), CKR_SLOT_ID_INVALID);
665 return_val_if_fail (handle != NULL, CKR_ARGUMENTS_BAD);
671 rv = lookup_slot_inlock (id, &token);
675 } else if (!(flags & CKF_SERIAL_SESSION)) {
676 rv = CKR_SESSION_PARALLEL_NOT_SUPPORTED;
678 } else if ((flags & CKF_RW_SESSION) &&
679 !p11_token_is_writable (token)) {
680 rv = CKR_TOKEN_WRITE_PROTECTED;
683 session = p11_session_new (token);
684 if (p11_dict_set (gl.sessions, &session->handle, session)) {
686 if (flags & CKF_RW_SESSION)
687 session->read_write = true;
688 *handle = session->handle;
689 p11_debug ("session: %lu", *handle);
692 rv = CKR_GENERAL_ERROR;
698 p11_debug ("out: 0x%lx", rv);
704 sys_C_CloseSession (CK_SESSION_HANDLE handle)
713 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
715 } else if (p11_dict_remove (gl.sessions, &handle)) {
719 rv = CKR_SESSION_HANDLE_INVALID;
724 p11_debug ("out: 0x%lx", rv);
730 sys_C_CloseAllSessions (CK_SLOT_ID id)
732 CK_SESSION_HANDLE *handle;
733 p11_session *session;
742 rv = lookup_slot_inlock (id, &token);
744 p11_dict_iterate (gl.sessions, &iter);
745 while (p11_dict_next (&iter, (void **)&handle, (void **)&session)) {
746 if (session->token == token)
747 p11_dict_remove (gl.sessions, handle);
753 p11_debug ("out: 0x%lx", rv);
759 sys_C_GetFunctionStatus (CK_SESSION_HANDLE handle)
761 return CKR_SESSION_PARALLEL_NOT_SUPPORTED;
765 sys_C_CancelFunction (CK_SESSION_HANDLE handle)
767 return CKR_SESSION_PARALLEL_NOT_SUPPORTED;
771 sys_C_GetSessionInfo (CK_SESSION_HANDLE handle,
772 CK_SESSION_INFO_PTR info)
774 p11_session *session;
777 return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD);
783 rv = lookup_session (handle, &session);
785 info->flags = CKF_SERIAL_SESSION;
786 info->state = CKS_RO_PUBLIC_SESSION;
787 info->slotID = p11_token_get_slot (session->token);
788 info->ulDeviceError = 0;
794 p11_debug ("out: 0x%lx", rv);
800 sys_C_InitPIN (CK_SESSION_HANDLE handle,
804 p11_debug ("not supported");
805 return CKR_FUNCTION_NOT_SUPPORTED;
809 sys_C_SetPIN (CK_SESSION_HANDLE handle,
810 CK_UTF8CHAR_PTR old_pin,
811 CK_ULONG old_pin_len,
812 CK_UTF8CHAR_PTR new_pin,
813 CK_ULONG new_pin_len)
815 p11_debug ("not supported");
816 return CKR_FUNCTION_NOT_SUPPORTED;
820 sys_C_GetOperationState (CK_SESSION_HANDLE handle,
821 CK_BYTE_PTR operation_state,
822 CK_ULONG_PTR operation_state_len)
824 p11_debug ("not supported");
825 return CKR_FUNCTION_NOT_SUPPORTED;
829 sys_C_SetOperationState (CK_SESSION_HANDLE handle,
830 CK_BYTE_PTR operation_state,
831 CK_ULONG operation_state_len,
832 CK_OBJECT_HANDLE encryption_key,
833 CK_OBJECT_HANDLE authentication_key)
835 p11_debug ("not supported");
836 return CKR_FUNCTION_NOT_SUPPORTED;
840 sys_C_Login (CK_SESSION_HANDLE handle,
841 CK_USER_TYPE user_type,
851 rv = lookup_session (handle, NULL);
852 /* Since the trust module is designed as a replacement
853 * of nssckbi, it works as a general access device as
854 * described in the table 1.1 of:
855 * <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Implement>.
857 * That means that the tokens provided by this module
858 * shall be accessed without login, and if the caller
859 * tries to login, the attempt should fail with an
860 * explicit error (otherwise, the caller cannot
861 * distinguish the user's login status, see also
862 * C_Logout below). */
864 rv = CKR_USER_TYPE_INVALID;
868 p11_debug ("out: 0x%lx", rv);
874 sys_C_Logout (CK_SESSION_HANDLE handle)
882 rv = lookup_session (handle, NULL);
884 rv = CKR_USER_NOT_LOGGED_IN;
888 p11_debug ("out: 0x%lx", rv);
894 sys_C_CreateObject (CK_SESSION_HANDLE handle,
895 CK_ATTRIBUTE_PTR template,
897 CK_OBJECT_HANDLE_PTR new_object)
899 p11_session *session;
904 return_val_if_fail (new_object != NULL, CKR_ARGUMENTS_BAD);
910 rv = lookup_session (handle, &session);
912 if (p11_attrs_findn_bool (template, count, CKA_TOKEN, &val) && val)
913 index = p11_token_index (session->token);
915 index = session->index;
916 rv = check_index_writable (session, index);
920 rv = p11_index_add (index, template, count, new_object);
924 p11_debug ("out: 0x%lx", rv);
930 sys_C_CopyObject (CK_SESSION_HANDLE handle,
931 CK_OBJECT_HANDLE object,
932 CK_ATTRIBUTE_PTR template,
934 CK_OBJECT_HANDLE_PTR new_object)
936 CK_BBOOL vfalse = CK_FALSE;
937 CK_ATTRIBUTE token = { CKA_TOKEN, &vfalse, sizeof (vfalse) };
938 p11_session *session;
939 CK_ATTRIBUTE *original;
945 return_val_if_fail (new_object != NULL, CKR_ARGUMENTS_BAD);
951 rv = lookup_session (handle, &session);
953 original = lookup_object_inlock (session, object, &index);
954 if (original == NULL)
955 rv = CKR_OBJECT_HANDLE_INVALID;
959 if (p11_attrs_findn_bool (template, count, CKA_TOKEN, &val))
960 index = val ? p11_token_index (session->token) : session->index;
961 rv = check_index_writable (session, index);
965 attrs = p11_attrs_dup (original);
966 attrs = p11_attrs_buildn (attrs, template, count);
967 attrs = p11_attrs_build (attrs, &token, NULL);
968 rv = p11_index_take (index, attrs, new_object);
973 p11_debug ("out: 0x%lx", rv);
979 sys_C_DestroyObject (CK_SESSION_HANDLE handle,
980 CK_OBJECT_HANDLE object)
982 p11_session *session;
992 rv = lookup_session (handle, &session);
994 attrs = lookup_object_inlock (session, object, &index);
996 rv = CKR_OBJECT_HANDLE_INVALID;
998 rv = check_index_writable (session, index);
1000 if (rv == CKR_OK && p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &val) && !val) {
1001 /* TODO: This should be replaced with CKR_ACTION_PROHIBITED */
1002 rv = CKR_ATTRIBUTE_READ_ONLY;
1006 rv = p11_index_remove (index, object);
1011 p11_debug ("out: 0x%lx", rv);
1017 sys_C_GetObjectSize (CK_SESSION_HANDLE handle,
1018 CK_OBJECT_HANDLE object,
1021 p11_session *session;
1024 return_val_if_fail (size != NULL, CKR_ARGUMENTS_BAD);
1030 rv = lookup_session (handle, &session);
1032 if (lookup_object_inlock (session, object, NULL)) {
1033 *size = CK_UNAVAILABLE_INFORMATION;
1036 rv = CKR_OBJECT_HANDLE_INVALID;
1042 p11_debug ("out: 0x%lx", rv);
1048 sys_C_GetAttributeValue (CK_SESSION_HANDLE handle,
1049 CK_OBJECT_HANDLE object,
1050 CK_ATTRIBUTE_PTR template,
1053 CK_ATTRIBUTE *attrs;
1054 CK_ATTRIBUTE *result;
1056 p11_session *session;
1061 p11_debug ("in: %lu, %lu", handle, object);
1065 rv = lookup_session (handle, &session);
1067 attrs = lookup_object_inlock (session, object, NULL);
1069 rv = CKR_OBJECT_HANDLE_INVALID;
1073 for (i = 0; i < count; i++) {
1074 result = template + i;
1075 attr = p11_attrs_find (attrs, result->type);
1077 result->ulValueLen = (CK_ULONG)-1;
1078 rv = CKR_ATTRIBUTE_TYPE_INVALID;
1082 if (!result->pValue) {
1083 result->ulValueLen = attr->ulValueLen;
1087 if (result->ulValueLen >= attr->ulValueLen) {
1088 memcpy (result->pValue, attr->pValue, attr->ulValueLen);
1089 result->ulValueLen = attr->ulValueLen;
1093 result->ulValueLen = (CK_ULONG)-1;
1094 rv = CKR_BUFFER_TOO_SMALL;
1100 if (p11_debugging) {
1101 string = p11_attrs_to_string (template, count);
1102 p11_debug ("out: 0x%lx %s", rv, string);
1110 sys_C_SetAttributeValue (CK_SESSION_HANDLE handle,
1111 CK_OBJECT_HANDLE object,
1112 CK_ATTRIBUTE_PTR template,
1115 p11_session *session;
1116 CK_ATTRIBUTE *attrs;
1125 rv = lookup_session (handle, &session);
1127 attrs = lookup_object_inlock (session, object, &index);
1128 if (attrs == NULL) {
1129 rv = CKR_OBJECT_HANDLE_INVALID;
1130 } else if (p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &val) && !val) {
1131 /* TODO: This should be replaced with CKR_ACTION_PROHIBITED */
1132 rv = CKR_ATTRIBUTE_READ_ONLY;
1136 rv = check_index_writable (session, index);
1138 /* Reload the item if applicable */
1139 if (rv == CKR_OK && index == p11_token_index (session->token)) {
1140 if (p11_token_reload (session->token, attrs)) {
1141 attrs = p11_index_lookup (index, object);
1142 if (p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &val) && !val) {
1143 /* TODO: This should be replaced with CKR_ACTION_PROHIBITED */
1144 rv = CKR_ATTRIBUTE_READ_ONLY;
1150 rv = p11_index_set (index, object, template, count);
1155 p11_debug ("out: 0x%lx", rv);
1161 sys_C_FindObjectsInit (CK_SESSION_HANDLE handle,
1162 CK_ATTRIBUTE_PTR template,
1165 p11_index *indices[2] = { NULL, NULL };
1166 CK_BBOOL want_token_objects;
1167 CK_BBOOL want_session_objects;
1170 p11_session *session;
1174 CK_OBJECT_CLASS klass;
1176 if (p11_debugging) {
1177 string = p11_attrs_to_string (template, count);
1178 p11_debug ("in: %lu, %s", handle, string);
1184 /* Are we searching for token objects? */
1185 if (p11_attrs_findn_bool (template, count, CKA_TOKEN, &token)) {
1186 want_token_objects = token;
1187 want_session_objects = !token;
1189 want_token_objects = CK_TRUE;
1190 want_session_objects = CK_TRUE;
1193 rv = lookup_session (handle, &session);
1195 /* Refresh from disk if this session hasn't yet */
1197 if (want_session_objects)
1198 indices[n++] = session->index;
1199 if (want_token_objects) {
1200 if (!session->loaded)
1201 p11_token_load (session->token);
1203 session->loaded = CK_TRUE;
1204 indices[n++] = p11_token_index (session->token);
1210 find = calloc (1, sizeof (FindObjects));
1211 warn_if_fail (find != NULL);
1213 /* Make a snapshot of what we're matching */
1215 find->match = p11_attrs_buildn (NULL, template, count);
1216 warn_if_fail (find->match != NULL);
1218 /* Build a session snapshot of all objects */
1220 find->snapshot = p11_index_snapshot (indices[0], indices[1], template, count);
1221 warn_if_fail (find->snapshot != NULL);
1223 if (p11_attrs_find_ulong (find->match, CKA_CLASS, &klass) &&
1224 klass == CKO_X_CERTIFICATE_EXTENSION) {
1225 find->public_key = p11_attrs_find (find->match, CKA_PUBLIC_KEY_INFO);
1226 find->extensions = p11_dict_new (p11_oid_hash,
1232 if (!find || !find->snapshot || !find->match)
1233 rv = CKR_HOST_MEMORY;
1235 p11_session_set_operation (session, find_objects_free, find);
1240 p11_debug ("out: 0x%lx", rv);
1246 match_for_broken_nss_serial_number_lookups (CK_ATTRIBUTE *attr,
1247 CK_ATTRIBUTE *match)
1249 unsigned char der[32];
1250 unsigned char *val_val;
1255 if (!match->pValue || !match->ulValueLen ||
1256 match->ulValueLen == CKA_INVALID ||
1257 attr->ulValueLen == CKA_INVALID)
1260 der_len = sizeof (der);
1261 der[0] = ASN1_TAG_INTEGER | ASN1_CLASS_UNIVERSAL;
1262 len_len = der_len - 1;
1263 asn1_length_der (match->ulValueLen, der + 1, &len_len);
1264 assert (len_len < (der_len - 1));
1265 der_len = 1 + len_len;
1267 val_val = attr->pValue;
1268 val_len = attr->ulValueLen;
1270 if (der_len + match->ulValueLen != val_len)
1273 if (memcmp (der, val_val, der_len) != 0 ||
1274 memcmp (match->pValue, val_val + der_len, match->ulValueLen) != 0)
1277 p11_debug ("worked around serial number lookup that's not DER encoded");
1282 find_objects_match (CK_ATTRIBUTE *attrs,
1285 CK_OBJECT_CLASS klass;
1286 CK_ATTRIBUTE *attr, *match = find->match;
1288 for (; !p11_attrs_terminator (match); match++) {
1289 attr = p11_attrs_find ((CK_ATTRIBUTE *)attrs, match->type);
1292 if (p11_attr_equal (attr, match))
1296 * WORKAROUND: NSS calls us asking for CKA_SERIAL_NUMBER items that are
1297 * not DER encoded. It shouldn't be doing this. We never return any certificate
1298 * serial numbers that are not DER encoded.
1300 * So work around the issue here while the NSS guys fix this issue.
1301 * This code should be removed in future versions.
1304 if (attr->type == CKA_SERIAL_NUMBER &&
1305 p11_attrs_find_ulong (attrs, CKA_CLASS, &klass) &&
1306 klass == CKO_NSS_TRUST) {
1307 if (match_for_broken_nss_serial_number_lookups (attr, match))
1315 * WORKAROUND: We keep all objects in the database, while PKIX
1316 * doesn't allow multiple extensions identified by the same
1317 * OID can be attached to a certificate. Check any duplicate
1318 * and only return the first matching object.
1320 if (find->public_key &&
1321 p11_attrs_find_ulong (attrs, CKA_CLASS, &klass) &&
1322 klass == CKO_X_CERTIFICATE_EXTENSION) {
1323 CK_ATTRIBUTE *oid = p11_attrs_find (attrs, CKA_OBJECT_ID);
1326 if (p11_oid_simple (oid->pValue, oid->ulValueLen) &&
1327 p11_dict_get (find->extensions, oid->pValue)) {
1328 p11_debug ("duplicate extension object");
1331 value = memdup (oid->pValue, oid->ulValueLen);
1332 return_val_if_fail (value != NULL, false);
1333 if (!p11_dict_set (find->extensions, value, value))
1342 sys_C_FindObjects (CK_SESSION_HANDLE handle,
1343 CK_OBJECT_HANDLE_PTR objects,
1347 CK_OBJECT_HANDLE object;
1348 CK_ATTRIBUTE *attrs;
1349 FindObjects *find = NULL;
1350 p11_session *session;
1355 return_val_if_fail (count != NULL, CKR_ARGUMENTS_BAD);
1357 p11_debug ("in: %lu, %lu", handle, max_count);
1361 rv = lookup_session (handle, &session);
1363 if (session->cleanup != find_objects_free)
1364 rv = CKR_OPERATION_NOT_INITIALIZED;
1365 find = session->operation;
1370 while (matched < max_count) {
1371 object = find->snapshot[find->iterator];
1377 attrs = lookup_object_inlock (session, object, &index);
1381 if (find_objects_match (attrs, find)) {
1382 objects[matched] = object;
1392 p11_debug ("out: 0x%lx, %lu", handle, *count);
1398 sys_C_FindObjectsFinal (CK_SESSION_HANDLE handle)
1400 p11_session *session;
1407 rv = lookup_session (handle, &session);
1409 if (session->cleanup != find_objects_free)
1410 rv = CKR_OPERATION_NOT_INITIALIZED;
1412 p11_session_set_operation (session, NULL, NULL);
1417 p11_debug ("out: 0x%lx", rv);
1423 sys_C_EncryptInit (CK_SESSION_HANDLE handle,
1424 CK_MECHANISM_PTR mechanism,
1425 CK_OBJECT_HANDLE key)
1427 return_val_if_reached (CKR_MECHANISM_INVALID);
1431 sys_C_Encrypt (CK_SESSION_HANDLE handle,
1434 CK_BYTE_PTR encrypted_data,
1435 CK_ULONG_PTR encrypted_data_len)
1437 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1441 sys_C_EncryptUpdate (CK_SESSION_HANDLE handle,
1444 CK_BYTE_PTR encrypted_part,
1445 CK_ULONG_PTR encrypted_part_len)
1447 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1451 sys_C_EncryptFinal (CK_SESSION_HANDLE handle,
1452 CK_BYTE_PTR last_part,
1453 CK_ULONG_PTR last_part_len)
1455 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1459 sys_C_DecryptInit (CK_SESSION_HANDLE handle,
1460 CK_MECHANISM_PTR mechanism,
1461 CK_OBJECT_HANDLE key)
1463 return_val_if_reached (CKR_MECHANISM_INVALID);
1467 sys_C_Decrypt (CK_SESSION_HANDLE handle,
1468 CK_BYTE_PTR enc_data,
1469 CK_ULONG enc_data_len,
1471 CK_ULONG_PTR data_len)
1473 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1477 sys_C_DecryptUpdate (CK_SESSION_HANDLE handle,
1478 CK_BYTE_PTR enc_part,
1479 CK_ULONG enc_part_len,
1481 CK_ULONG_PTR part_len)
1483 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1487 sys_C_DecryptFinal (CK_SESSION_HANDLE handle,
1488 CK_BYTE_PTR last_part,
1489 CK_ULONG_PTR last_part_len)
1491 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1495 sys_C_DigestInit (CK_SESSION_HANDLE handle,
1496 CK_MECHANISM_PTR mechanism)
1498 return_val_if_reached (CKR_MECHANISM_INVALID);
1502 sys_C_Digest (CK_SESSION_HANDLE handle,
1506 CK_ULONG_PTR digest_len)
1508 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1512 sys_C_DigestUpdate (CK_SESSION_HANDLE handle,
1516 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1520 sys_C_DigestKey (CK_SESSION_HANDLE handle,
1521 CK_OBJECT_HANDLE key)
1523 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1527 sys_C_DigestFinal (CK_SESSION_HANDLE handle,
1529 CK_ULONG_PTR digest_len)
1531 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1535 sys_C_SignInit (CK_SESSION_HANDLE handle,
1536 CK_MECHANISM_PTR mechanism,
1537 CK_OBJECT_HANDLE key)
1539 return_val_if_reached (CKR_MECHANISM_INVALID);
1543 sys_C_Sign (CK_SESSION_HANDLE handle,
1546 CK_BYTE_PTR signature,
1547 CK_ULONG_PTR signature_len)
1549 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1553 sys_C_SignUpdate (CK_SESSION_HANDLE handle,
1557 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1561 sys_C_SignFinal (CK_SESSION_HANDLE handle,
1562 CK_BYTE_PTR signature,
1563 CK_ULONG_PTR signature_len)
1565 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1569 sys_C_SignRecoverInit (CK_SESSION_HANDLE handle,
1570 CK_MECHANISM_PTR mechanism,
1571 CK_OBJECT_HANDLE key)
1573 return_val_if_reached (CKR_MECHANISM_INVALID);
1577 sys_C_SignRecover (CK_SESSION_HANDLE handle,
1580 CK_BYTE_PTR signature,
1581 CK_ULONG_PTR signature_len)
1583 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1587 sys_C_VerifyInit (CK_SESSION_HANDLE handle,
1588 CK_MECHANISM_PTR mechanism,
1589 CK_OBJECT_HANDLE key)
1591 return_val_if_reached (CKR_MECHANISM_INVALID);
1595 sys_C_Verify (CK_SESSION_HANDLE handle,
1598 CK_BYTE_PTR signature,
1599 CK_ULONG signature_len)
1601 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1605 sys_C_VerifyUpdate (CK_SESSION_HANDLE handle,
1609 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1613 sys_C_VerifyFinal (CK_SESSION_HANDLE handle,
1614 CK_BYTE_PTR signature,
1615 CK_ULONG signature_len)
1617 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1621 sys_C_VerifyRecoverInit (CK_SESSION_HANDLE handle,
1622 CK_MECHANISM_PTR mechanism,
1623 CK_OBJECT_HANDLE key)
1625 return_val_if_reached (CKR_MECHANISM_INVALID);
1629 sys_C_VerifyRecover (CK_SESSION_HANDLE handle,
1630 CK_BYTE_PTR signature,
1631 CK_ULONG signature_len,
1633 CK_ULONG_PTR data_len)
1635 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1639 sys_C_DigestEncryptUpdate (CK_SESSION_HANDLE handle,
1642 CK_BYTE_PTR enc_part,
1643 CK_ULONG_PTR enc_part_len)
1645 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1649 sys_C_DecryptDigestUpdate (CK_SESSION_HANDLE handle,
1650 CK_BYTE_PTR enc_part,
1651 CK_ULONG enc_part_len,
1653 CK_ULONG_PTR part_len)
1655 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1659 sys_C_SignEncryptUpdate (CK_SESSION_HANDLE handle,
1662 CK_BYTE_PTR enc_part,
1663 CK_ULONG_PTR enc_part_len)
1665 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1669 sys_C_DecryptVerifyUpdate (CK_SESSION_HANDLE handle,
1670 CK_BYTE_PTR enc_part,
1671 CK_ULONG enc_part_len,
1673 CK_ULONG_PTR part_len)
1675 return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED);
1679 sys_C_GenerateKey (CK_SESSION_HANDLE handle,
1680 CK_MECHANISM_PTR mechanism,
1681 CK_ATTRIBUTE_PTR template,
1683 CK_OBJECT_HANDLE_PTR key)
1685 return_val_if_reached (CKR_MECHANISM_INVALID);
1689 sys_C_GenerateKeyPair (CK_SESSION_HANDLE handle,
1690 CK_MECHANISM_PTR mechanism,
1691 CK_ATTRIBUTE_PTR pub_template,
1693 CK_ATTRIBUTE_PTR priv_template,
1694 CK_ULONG priv_count,
1695 CK_OBJECT_HANDLE_PTR pub_key,
1696 CK_OBJECT_HANDLE_PTR priv_key)
1698 return_val_if_reached (CKR_MECHANISM_INVALID);
1702 sys_C_WrapKey (CK_SESSION_HANDLE handle,
1703 CK_MECHANISM_PTR mechanism,
1704 CK_OBJECT_HANDLE wrapping_key,
1705 CK_OBJECT_HANDLE key,
1706 CK_BYTE_PTR wrapped_key,
1707 CK_ULONG_PTR wrapped_key_len)
1709 return_val_if_reached (CKR_MECHANISM_INVALID);
1713 sys_C_UnwrapKey (CK_SESSION_HANDLE handle,
1714 CK_MECHANISM_PTR mechanism,
1715 CK_OBJECT_HANDLE unwrapping_key,
1716 CK_BYTE_PTR wrapped_key,
1717 CK_ULONG wrapped_key_len,
1718 CK_ATTRIBUTE_PTR template,
1720 CK_OBJECT_HANDLE_PTR key)
1722 return_val_if_reached (CKR_MECHANISM_INVALID);
1726 sys_C_DeriveKey (CK_SESSION_HANDLE handle,
1727 CK_MECHANISM_PTR mechanism,
1728 CK_OBJECT_HANDLE base_key,
1729 CK_ATTRIBUTE_PTR template,
1731 CK_OBJECT_HANDLE_PTR key)
1733 return_val_if_reached (CKR_MECHANISM_INVALID);
1737 sys_C_SeedRandom (CK_SESSION_HANDLE handle,
1741 return_val_if_reached (CKR_RANDOM_NO_RNG);
1745 sys_C_GenerateRandom (CK_SESSION_HANDLE handle,
1746 CK_BYTE_PTR random_data,
1747 CK_ULONG random_len)
1749 return_val_if_reached (CKR_RANDOM_NO_RNG);
1752 /* --------------------------------------------------------------------
1753 * MODULE ENTRY POINT
1756 static CK_FUNCTION_LIST sys_function_list = {
1757 { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR }, /* version */
1761 sys_C_GetFunctionList,
1765 sys_C_GetMechanismList,
1766 sys_C_GetMechanismInfo,
1772 sys_C_CloseAllSessions,
1773 sys_C_GetSessionInfo,
1774 sys_C_GetOperationState,
1775 sys_C_SetOperationState,
1780 sys_C_DestroyObject,
1781 sys_C_GetObjectSize,
1782 sys_C_GetAttributeValue,
1783 sys_C_SetAttributeValue,
1784 sys_C_FindObjectsInit,
1786 sys_C_FindObjectsFinal,
1789 sys_C_EncryptUpdate,
1793 sys_C_DecryptUpdate,
1804 sys_C_SignRecoverInit,
1810 sys_C_VerifyRecoverInit,
1811 sys_C_VerifyRecover,
1812 sys_C_DigestEncryptUpdate,
1813 sys_C_DecryptDigestUpdate,
1814 sys_C_SignEncryptUpdate,
1815 sys_C_DecryptVerifyUpdate,
1817 sys_C_GenerateKeyPair,
1822 sys_C_GenerateRandom,
1823 sys_C_GetFunctionStatus,
1824 sys_C_CancelFunction,
1825 sys_C_WaitForSlotEvent
1829 __declspec(dllexport)
1833 C_GetFunctionList (CK_FUNCTION_LIST_PTR_PTR list)
1835 p11_library_init_once ();
1836 return sys_C_GetFunctionList (list);
1840 p11_module_next_id (void)
1842 static CK_ULONG unique = 0x10;