Print this page
5031131 perf: pkcs11_kernel can benefit from a more efficient pkcs11_mech2str()
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/cmd-crypto/cryptoadm/adm_metaslot.c
+++ new/usr/src/cmd/cmd-crypto/cryptoadm/adm_metaslot.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 - * Common Development and Distribution License, Version 1.0 only
6 - * (the "License"). You may not use this file except in compliance
7 - * with the License.
5 + * Common Development and Distribution License (the "License").
6 + * You may not use this file except in compliance with the License.
8 7 *
9 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 9 * or http://www.opensolaris.org/os/licensing.
11 10 * See the License for the specific language governing permissions
12 11 * and limitations under the License.
13 12 *
14 13 * When distributing Covered Code, include this CDDL HEADER in each
15 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 15 * If applicable, add the following below this CDDL HEADER, with the
17 16 * fields enclosed by brackets "[]" replaced with your own identifying
18 17 * information: Portions Copyright [yyyy] [name of copyright owner]
19 18 *
20 19 * CDDL HEADER END
21 20 */
22 21 /*
23 - * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
22 + * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
24 23 * Use is subject to license terms.
25 24 */
26 25
27 -#pragma ident "@(#)adm_metaslot.c 1.3 05/06/08 SMI"
26 +#pragma ident "@(#)adm_metaslot.c 1.4 08/06/27 SMI"
28 27
29 28 /*
30 29 * Administration for metaslot
31 30 *
32 31 * All the "list" operations will call functions in libpkcs11.so
33 32 * Normally, it doesn't make sense to call functions in libpkcs11.so directly
34 33 * because libpkcs11.so depends on the configuration file (pkcs11.conf) the
35 34 * cryptoadm command is trying to administer. However, since metaslot
36 35 * is part of the framework, it is not possible to get information about
37 36 * it without actually calling functions in libpkcs11.so.
38 37 *
39 38 * So, for the listing operation, which won't modify the value of pkcs11.conf
40 39 * it is safe to call libpkcs11.so.
41 40 *
42 41 * For other operations that modifies the pkcs11.conf file, libpkcs11.so
43 42 * will not be called.
44 43 *
45 44 */
46 45
47 46 #include <cryptoutil.h>
48 47 #include <stdio.h>
49 48 #include <libintl.h>
50 49 #include <dlfcn.h>
51 50 #include <link.h>
52 51 #include <strings.h>
53 52 #include <security/cryptoki.h>
54 53 #include <cryptoutil.h>
55 54 #include "cryptoadm.h"
56 55
57 56 #define METASLOT_ID 0
58 57
59 58 int
60 59 list_metaslot_info(boolean_t show_mechs, boolean_t verbose,
61 60 mechlist_t *mechlist)
62 61 {
63 62 int rc = SUCCESS;
64 63 CK_RV rv;
65 64 CK_SLOT_INFO slot_info;
66 65 CK_TOKEN_INFO token_info;
67 66 CK_MECHANISM_TYPE_PTR pmech_list = NULL;
68 67 CK_ULONG mech_count;
69 68 int i;
70 69 CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
71 70 CK_FUNCTION_LIST_PTR funcs;
72 71 void *dldesc = NULL;
73 72 boolean_t lib_initialized = B_FALSE;
74 73 uentry_t *puent;
75 74 char buf[128];
76 75
77 76
78 77 /*
79 78 * Display the system-wide metaslot settings as specified
80 79 * in pkcs11.conf file.
81 80 */
82 81 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
83 82 cryptoerror(LOG_STDERR,
84 83 gettext("metaslot entry doesn't exist."));
85 84 return (FAILURE);
86 85 }
87 86
88 87 (void) printf(gettext("System-wide Meta Slot Configuration:\n"));
89 88 /*
90 89 * TRANSLATION_NOTE:
91 90 * Strictly for appearance's sake, this line should be as long as
92 91 * the length of the translated text above.
93 92 */
94 93 (void) printf(gettext("------------------------------------\n"));
95 94 (void) printf(gettext("Status: %s\n"), puent->flag_metaslot_enabled ?
96 95 gettext("enabled") : gettext("disabled"));
97 96 (void) printf(gettext("Sensitive Token Object Automatic Migrate: %s\n"),
98 97 puent->flag_metaslot_auto_key_migrate ? gettext("enabled") :
99 98 gettext("disabled"));
100 99
101 100 bzero(buf, sizeof (buf));
102 101 if (memcmp(puent->metaslot_ks_slot, buf, SLOT_DESCRIPTION_SIZE) != 0) {
103 102 (void) printf(gettext("Persistent object store slot: %s\n"),
104 103 puent->metaslot_ks_slot);
105 104 }
106 105
107 106 if (memcmp(puent->metaslot_ks_token, buf, TOKEN_LABEL_SIZE) != 0) {
108 107 (void) printf(gettext("Persistent object store token: %s\n"),
109 108 puent->metaslot_ks_token);
110 109 }
111 110
112 111 if ((!verbose) && (!show_mechs)) {
113 112 return (SUCCESS);
114 113 }
115 114
116 115 if (verbose) {
117 116 (void) printf(gettext("\nDetailed Meta Slot Information:\n"));
118 117 /*
119 118 * TRANSLATION_NOTE:
120 119 * Strictly for appearance's sake, this line should be as
121 120 * long as the length of the translated text above.
122 121 */
123 122 (void) printf(gettext("-------------------------------\n"));
124 123 }
125 124
126 125 /*
127 126 * Need to actually make calls to libpkcs11.so to get
128 127 * information about metaslot.
129 128 */
130 129
131 130 dldesc = dlopen(UEF_FRAME_LIB, RTLD_NOW);
132 131 if (dldesc == NULL) {
133 132 char *dl_error;
134 133 dl_error = dlerror();
135 134 cryptodebug("Cannot load PKCS#11 framework library. "
136 135 "dlerror:%s", dl_error);
137 136 return (FAILURE);
138 137 }
139 138
140 139 /* Get the pointer to library's C_GetFunctionList() */
141 140 Tmp_C_GetFunctionList = (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
142 141 if (Tmp_C_GetFunctionList == NULL) {
143 142 cryptodebug("Cannot get the address of the C_GetFunctionList "
144 143 "from framework");
145 144 rc = FAILURE;
146 145 goto finish;
147 146 }
148 147
149 148
150 149 /* Get the provider's function list */
151 150 rv = Tmp_C_GetFunctionList(&funcs);
152 151 if (rv != CKR_OK) {
153 152 cryptodebug("failed to call C_GetFunctionList in "
154 153 "framework library");
155 154 rc = FAILURE;
156 155 goto finish;
157 156 }
158 157
159 158 /* Initialize this provider */
160 159 rv = funcs->C_Initialize(NULL_PTR);
161 160 if (rv != CKR_OK) {
|
↓ open down ↓ |
124 lines elided |
↑ open up ↑ |
162 161 cryptodebug("C_Initialize failed with error code 0x%x\n", rv);
163 162 rc = FAILURE;
164 163 goto finish;
165 164 } else {
166 165 lib_initialized = B_TRUE;
167 166 }
168 167
169 168 /*
170 169 * We know for sure that metaslot is slot 0 in the framework,
171 170 * so, we will do a C_GetSlotInfo() trying to see if it works.
172 - * If it failes with CKR_SLOT_ID_INVALID, we know that metaslot
171 + * If it fails with CKR_SLOT_ID_INVALID, we know that metaslot
173 172 * is not really enabled.
174 173 */
175 174 rv = funcs->C_GetSlotInfo(METASLOT_ID, &slot_info);
176 175 if (rv == CKR_SLOT_ID_INVALID) {
177 176 (void) printf(gettext("actual status: disabled.\n"));
178 177 /*
179 178 * Even if the -m and -v flag is supplied, there's nothing
180 179 * interesting to display about metaslot since it is disabled,
181 180 * so, just stop right here.
182 181 */
183 182 goto finish;
184 183 }
185 184
186 185 if (rv != CKR_OK) {
187 186 cryptodebug("C_GetSlotInfo failed with error "
188 187 "code 0x%x\n", rv);
189 188 rc = FAILURE;
190 189 goto finish;
191 190 }
192 191
193 192 if (!verbose) {
194 193 goto display_mechs;
195 194 }
196 195
197 196 (void) printf(gettext("actual status: enabled.\n"));
198 197
199 198 (void) printf(gettext("Description: %.64s\n"),
200 199 slot_info.slotDescription);
201 200
202 201 (void) printf(gettext("Token Present: %s\n"),
203 202 (slot_info.flags & CKF_TOKEN_PRESENT ?
204 203 gettext("True") : gettext("False")));
205 204
206 205 rv = funcs->C_GetTokenInfo(METASLOT_ID, &token_info);
207 206 if (rv != CKR_OK) {
208 207 cryptodebug("C_GetTokenInfo failed with error "
209 208 "code 0x%x\n", rv);
210 209 rc = FAILURE;
211 210 goto finish;
212 211 }
213 212
214 213 (void) printf(gettext("Token Label: %.32s\n"
215 214 "Manufacturer ID: %.32s\n"
216 215 "Model: %.16s\n"
217 216 "Serial Number: %.16s\n"
218 217 "Hardware Version: %d.%d\n"
219 218 "Firmware Version: %d.%d\n"
220 219 "UTC Time: %.16s\n"
221 220 "PIN Length: %d-%d\n"),
222 221 token_info.label,
223 222 token_info.manufacturerID,
224 223 token_info.model,
225 224 token_info.serialNumber,
226 225 token_info.hardwareVersion.major,
227 226 token_info.hardwareVersion.minor,
228 227 token_info.firmwareVersion.major,
229 228 token_info.firmwareVersion.minor,
230 229 token_info.utcTime,
231 230 token_info.ulMinPinLen,
232 231 token_info.ulMaxPinLen);
233 232
234 233 display_token_flags(token_info.flags);
235 234
236 235 if (!show_mechs) {
237 236 goto finish;
238 237 }
239 238
240 239 display_mechs:
241 240
242 241 if (mechlist == NULL) {
243 242 rv = funcs->C_GetMechanismList(METASLOT_ID, NULL_PTR,
244 243 &mech_count);
245 244 if (rv != CKR_OK) {
246 245 cryptodebug("C_GetMechanismList failed with error "
247 246 "code 0x%x\n", rv);
248 247 rc = FAILURE;
249 248 goto finish;
250 249 }
251 250
252 251 if (mech_count > 0) {
253 252 pmech_list = malloc(mech_count *
254 253 sizeof (CK_MECHANISM_TYPE));
255 254 if (pmech_list == NULL) {
256 255 cryptodebug("out of memory");
257 256 rc = FAILURE;
258 257 goto finish;
259 258 }
260 259 rv = funcs->C_GetMechanismList(METASLOT_ID, pmech_list,
261 260 &mech_count);
262 261 if (rv != CKR_OK) {
263 262 cryptodebug("C_GetMechanismList failed with "
264 263 "error code 0x%x\n", rv);
265 264 rc = FAILURE;
266 265 goto finish;
267 266 }
268 267 }
269 268 } else {
270 269 rc = convert_mechlist(&pmech_list, &mech_count, mechlist);
271 270 if (rc != SUCCESS) {
272 271 goto finish;
273 272 }
274 273 }
275 274
276 275 (void) printf(gettext("Mechanisms:\n"));
|
↓ open down ↓ |
94 lines elided |
↑ open up ↑ |
277 276 if (mech_count == 0) {
278 277 /* should never be this case */
279 278 (void) printf(gettext("No mechanisms\n"));
280 279 goto finish;
281 280 }
282 281 if (verbose) {
283 282 display_verbose_mech_header();
284 283 }
285 284
286 285 for (i = 0; i < mech_count; i++) {
287 - (void) printf("%-29s", pkcs11_mech2str(pmech_list[i]));
286 + CK_MECHANISM_TYPE mech = pmech_list[i];
287 +
288 + if (mech > CKM_VENDOR_DEFINED) {
289 + (void) printf("%#lx", mech);
290 + } else {
291 + (void) printf("%-29s", pkcs11_mech2str(mech));
292 + }
293 +
288 294 if (verbose) {
289 295 CK_MECHANISM_INFO mech_info;
290 296 rv = funcs->C_GetMechanismInfo(METASLOT_ID,
291 - pmech_list[i], &mech_info);
297 + mech, &mech_info);
292 298 if (rv != CKR_OK) {
293 299 cryptodebug("C_GetMechanismInfo failed with "
294 300 "error code 0x%x\n", rv);
295 301 rc = FAILURE;
296 302 goto finish;
297 303 }
298 304 display_mech_info(&mech_info);
299 305 }
300 306 (void) printf("\n");
301 307 }
302 308
303 309 finish:
304 310
305 311 if ((rc == FAILURE) && (show_mechs)) {
306 312 (void) printf(gettext(
307 313 "metaslot: failed to retrieve the mechanism list.\n"));
308 314 }
309 315
310 316 if (lib_initialized) {
311 317 (void) funcs->C_Finalize(NULL_PTR);
312 318 }
313 319
314 320 if (dldesc != NULL) {
315 321 (void) dlclose(dldesc);
316 322 }
317 323
318 324 if (pmech_list != NULL) {
319 325 (void) free(pmech_list);
320 326 }
321 327
322 328 return (rc);
323 329 }
324 330
325 331 int
326 332 list_metaslot_policy()
327 333 {
328 334
329 335 uentry_t *puent;
330 336 int rc;
331 337
332 338 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
333 339 cryptoerror(LOG_STDERR,
334 340 gettext("metaslot entry doesn't exist."));
335 341 return (FAILURE);
336 342 }
337 343
338 344 rc = display_policy(puent);
339 345 (void) printf("\n");
340 346 free_uentry(puent);
341 347 return (rc);
342 348 }
343 349
344 350 /*
345 351 * disable metaslot and some of its configuration options
346 352 *
347 353 * If mechlist==NULL, and the other 2 flags are false, just disabled
348 354 * the metaslot feature.
349 355 *
350 356 * mechlist: list of mechanisms to disable
351 357 * allflag: if true, indicates all mechanisms should be disabled.
352 358 * auto_key_migrate_flag: if true, indicates auto key migrate should be disabled
353 359 */
354 360 int
355 361 disable_metaslot(mechlist_t *mechlist, boolean_t allflag,
356 362 boolean_t auto_key_migrate_flag)
357 363 {
358 364 uentry_t *puent;
359 365 int rc = SUCCESS;
360 366
361 367 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
362 368 cryptoerror(LOG_STDERR,
363 369 gettext("metaslot entry doesn't exist."));
364 370 return (FAILURE);
365 371 }
366 372
367 373
368 374 if ((mechlist == NULL) && (!auto_key_migrate_flag) && (!allflag)) {
369 375 /* disable metaslot */
370 376 puent->flag_metaslot_enabled = B_FALSE;
371 377 goto write_to_file;
372 378 }
373 379
374 380 if (auto_key_migrate_flag) {
375 381 /* need to disable auto_key_migrate */
376 382 puent->flag_metaslot_auto_key_migrate = B_FALSE;
377 383 }
378 384
379 385 if ((mechlist == NULL) && (!allflag)) {
380 386 goto write_to_file;
381 387 }
382 388
383 389 /* disable specified mechanisms */
384 390 if (allflag) {
385 391 free_umechlist(puent->policylist);
386 392 puent->policylist = NULL;
387 393 puent->count = 0;
388 394 puent->flag_enabledlist = B_TRUE;
389 395 rc = SUCCESS;
390 396 } else {
391 397 if (puent->flag_enabledlist == B_TRUE) {
392 398 /*
393 399 * The current default policy mode
394 400 * is "all are disabled, except ...", so if a
395 401 * specified mechanism is in the exception list
396 402 * (the policylist), delete it from the policylist.
397 403 */
398 404 rc = update_policylist(puent, mechlist, DELETE_MODE);
399 405 } else {
400 406 /*
401 407 * The current default policy mode of this library
402 408 * is "all are enabled", so if a specified mechanism
403 409 * is not in the exception list (policylist), add
404 410 * it into the policylist.
405 411 */
406 412 rc = update_policylist(puent, mechlist, ADD_MODE);
407 413 }
408 414 }
409 415
410 416 if (rc != SUCCESS) {
411 417 goto finish;
412 418 }
413 419
414 420 /* If all mechanisms are disabled, metaslot will be disabled as well */
415 421 if ((puent->flag_enabledlist) && (puent->count == 0)) {
416 422 puent->flag_metaslot_enabled = B_FALSE;
417 423 }
418 424
419 425 write_to_file:
420 426
421 427 rc = update_pkcs11conf(puent);
422 428
423 429 finish:
424 430 free_uentry(puent);
425 431 return (rc);
426 432 }
427 433
428 434 /*
429 435 * enable metaslot and some of its configuration options
430 436 *
431 437 * If mechlist==NULL, and the other flags are false, or not specified,
432 438 * just enable the metaslot feature.
433 439 *
434 440 * token: if specified, indicate label of token to be used as keystore.
435 441 * slot: if specified, indicate slot to be used as keystore.
436 442 * use_default: if true, indicate to use the default keystore. It should
437 443 * not be specified if either token or slot is specified.
438 444 * mechlist: list of mechanisms to enable
439 445 * allflag: if true, indicates all mechanisms should be enabled.
440 446 * auto_key_migrate_flag: if true, indicates auto key migrate should be enabled
441 447 */
442 448 int
443 449 enable_metaslot(char *token, char *slot, boolean_t use_default,
444 450 mechlist_t *mechlist, boolean_t allflag, boolean_t auto_key_migrate_flag)
445 451 {
446 452 uentry_t *puent;
447 453 int rc = SUCCESS;
448 454
449 455 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
450 456 cryptoerror(LOG_STDERR,
451 457 gettext("metaslot entry doesn't exist."));
452 458 return (FAILURE);
453 459 }
454 460
455 461 puent->flag_metaslot_enabled = B_TRUE;
456 462
457 463 if (auto_key_migrate_flag) {
458 464 /* need to enable auto_key_migrate */
459 465 puent->flag_metaslot_auto_key_migrate = B_TRUE;
460 466 }
461 467
462 468 if (allflag) {
463 469 /*
464 470 * If enabling all, what needs to be done are cleaning up the
465 471 * policylist and setting the "flag_enabledlist" flag to
466 472 * B_FALSE.
467 473 */
468 474 free_umechlist(puent->policylist);
469 475 puent->policylist = NULL;
470 476 puent->count = 0;
471 477 puent->flag_enabledlist = B_FALSE;
472 478 rc = SUCCESS;
473 479 } else {
474 480 if (mechlist) {
475 481 if (puent->flag_enabledlist == B_TRUE) {
476 482 /*
477 483 * The current default policy mode of this
478 484 * library is "all are disabled, except ...",
479 485 * so if a specified mechanism is not in the
480 486 * exception list (policylist), add it.
481 487 */
482 488 rc = update_policylist(puent, mechlist,
483 489 ADD_MODE);
484 490 } else {
485 491 /*
486 492 * The current default policy mode of this
487 493 * library is "all are enabled, except", so if
488 494 * a specified mechanism is in the exception
489 495 * list (policylist), delete it.
490 496 */
491 497 rc = update_policylist(puent, mechlist,
492 498 DELETE_MODE);
493 499 }
494 500 }
495 501 }
496 502
497 503 if (rc != SUCCESS) {
498 504 goto finish;
499 505 }
500 506
501 507 if (!use_default && !token && !slot) {
502 508 /* no need to change metaslot keystore */
503 509 goto write_to_file;
504 510 }
505 511
506 512 (void) bzero((char *)puent->metaslot_ks_token, TOKEN_LABEL_SIZE);
507 513 (void) bzero((char *)puent->metaslot_ks_slot, SLOT_DESCRIPTION_SIZE);
508 514
509 515 if (use_default) {
510 516 (void) strlcpy((char *)puent->metaslot_ks_token,
511 517 SOFT_TOKEN_LABEL, TOKEN_LABEL_SIZE);
512 518 (void) strlcpy((char *)puent->metaslot_ks_slot,
513 519 SOFT_SLOT_DESCRIPTION, SLOT_DESCRIPTION_SIZE);
514 520 } else {
515 521
516 522 if (token) {
517 523 (void) strlcpy((char *)puent->metaslot_ks_token, token,
518 524 TOKEN_LABEL_SIZE);
519 525 }
520 526
521 527 if (slot) {
522 528 (void) strlcpy((char *)puent->metaslot_ks_slot, slot,
523 529 SLOT_DESCRIPTION_SIZE);
524 530 }
525 531 }
526 532
527 533
528 534 write_to_file:
529 535
530 536 rc = update_pkcs11conf(puent);
531 537
532 538 finish:
533 539 free_uentry(puent);
534 540 return (rc);
535 541 }
|
↓ open down ↓ |
234 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX