Print this page
6621176 $SRC/cmd/cmd-crypto/cryptoadm/*.c seem to have syntax errors in the translation notes
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/cmd-crypto/cryptoadm/adm_metaslot.c
+++ new/usr/src/cmd/cmd-crypto/cryptoadm/adm_metaslot.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 26 /*
27 27 * Administration for metaslot
28 28 *
29 29 * All the "list" operations will call functions in libpkcs11.so
30 30 * Normally, it doesn't make sense to call functions in libpkcs11.so directly
31 31 * because libpkcs11.so depends on the configuration file (pkcs11.conf) the
32 32 * cryptoadm command is trying to administer. However, since metaslot
33 33 * is part of the framework, it is not possible to get information about
34 34 * it without actually calling functions in libpkcs11.so.
35 35 *
36 36 * So, for the listing operation, which won't modify the value of pkcs11.conf
37 37 * it is safe to call libpkcs11.so.
38 38 *
39 39 * For other operations that modifies the pkcs11.conf file, libpkcs11.so
40 40 * will not be called.
41 41 *
42 42 */
43 43
44 44 #include <cryptoutil.h>
45 45 #include <stdio.h>
46 46 #include <libintl.h>
47 47 #include <dlfcn.h>
48 48 #include <link.h>
49 49 #include <strings.h>
50 50 #include <security/cryptoki.h>
51 51 #include <cryptoutil.h>
52 52 #include "cryptoadm.h"
53 53
54 54 #define METASLOT_ID 0
55 55
56 56 int
57 57 list_metaslot_info(boolean_t show_mechs, boolean_t verbose,
58 58 mechlist_t *mechlist)
59 59 {
60 60 int rc = SUCCESS;
61 61 CK_RV rv;
62 62 CK_SLOT_INFO slot_info;
63 63 CK_TOKEN_INFO token_info;
64 64 CK_MECHANISM_TYPE_PTR pmech_list = NULL;
65 65 CK_ULONG mech_count;
66 66 int i;
67 67 CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
68 68 CK_FUNCTION_LIST_PTR funcs;
69 69 void *dldesc = NULL;
70 70 boolean_t lib_initialized = B_FALSE;
71 71 uentry_t *puent;
72 72 char buf[128];
73 73
74 74
75 75 /*
76 76 * Display the system-wide metaslot settings as specified
|
↓ open down ↓ |
76 lines elided |
↑ open up ↑ |
77 77 * in pkcs11.conf file.
78 78 */
79 79 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
80 80 cryptoerror(LOG_STDERR,
81 81 gettext("metaslot entry doesn't exist."));
82 82 return (FAILURE);
83 83 }
84 84
85 85 (void) printf(gettext("System-wide Meta Slot Configuration:\n"));
86 86 /*
87 - * TRANSLATION_NOTE:
87 + * TRANSLATION_NOTE
88 88 * Strictly for appearance's sake, this line should be as long as
89 89 * the length of the translated text above.
90 90 */
91 91 (void) printf(gettext("------------------------------------\n"));
92 92 (void) printf(gettext("Status: %s\n"), puent->flag_metaslot_enabled ?
93 93 gettext("enabled") : gettext("disabled"));
94 94 (void) printf(gettext("Sensitive Token Object Automatic Migrate: %s\n"),
95 95 puent->flag_metaslot_auto_key_migrate ? gettext("enabled") :
96 96 gettext("disabled"));
97 97
98 98 bzero(buf, sizeof (buf));
99 99 if (memcmp(puent->metaslot_ks_slot, buf, SLOT_DESCRIPTION_SIZE) != 0) {
100 100 (void) printf(gettext("Persistent object store slot: %s\n"),
101 101 puent->metaslot_ks_slot);
102 102 }
103 103
104 104 if (memcmp(puent->metaslot_ks_token, buf, TOKEN_LABEL_SIZE) != 0) {
105 105 (void) printf(gettext("Persistent object store token: %s\n"),
|
↓ open down ↓ |
8 lines elided |
↑ open up ↑ |
106 106 puent->metaslot_ks_token);
107 107 }
108 108
109 109 if ((!verbose) && (!show_mechs)) {
110 110 return (SUCCESS);
111 111 }
112 112
113 113 if (verbose) {
114 114 (void) printf(gettext("\nDetailed Meta Slot Information:\n"));
115 115 /*
116 - * TRANSLATION_NOTE:
116 + * TRANSLATION_NOTE
117 117 * Strictly for appearance's sake, this line should be as
118 118 * long as the length of the translated text above.
119 119 */
120 120 (void) printf(gettext("-------------------------------\n"));
121 121 }
122 122
123 123 /*
124 124 * Need to actually make calls to libpkcs11.so to get
125 125 * information about metaslot.
126 126 */
127 127
128 128 dldesc = dlopen(UEF_FRAME_LIB, RTLD_NOW);
129 129 if (dldesc == NULL) {
130 130 char *dl_error;
131 131 dl_error = dlerror();
132 132 cryptodebug("Cannot load PKCS#11 framework library. "
133 133 "dlerror:%s", dl_error);
134 134 return (FAILURE);
135 135 }
136 136
137 137 /* Get the pointer to library's C_GetFunctionList() */
138 138 Tmp_C_GetFunctionList = (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
139 139 if (Tmp_C_GetFunctionList == NULL) {
140 140 cryptodebug("Cannot get the address of the C_GetFunctionList "
141 141 "from framework");
142 142 rc = FAILURE;
143 143 goto finish;
144 144 }
145 145
146 146
147 147 /* Get the provider's function list */
148 148 rv = Tmp_C_GetFunctionList(&funcs);
149 149 if (rv != CKR_OK) {
150 150 cryptodebug("failed to call C_GetFunctionList in "
151 151 "framework library");
152 152 rc = FAILURE;
153 153 goto finish;
154 154 }
155 155
156 156 /* Initialize this provider */
157 157 rv = funcs->C_Initialize(NULL_PTR);
158 158 if (rv != CKR_OK) {
159 159 cryptodebug("C_Initialize failed with error code 0x%x\n", rv);
160 160 rc = FAILURE;
161 161 goto finish;
162 162 } else {
163 163 lib_initialized = B_TRUE;
164 164 }
165 165
166 166 /*
167 167 * We know for sure that metaslot is slot 0 in the framework,
168 168 * so, we will do a C_GetSlotInfo() trying to see if it works.
169 169 * If it fails with CKR_SLOT_ID_INVALID, we know that metaslot
170 170 * is not really enabled.
171 171 */
172 172 rv = funcs->C_GetSlotInfo(METASLOT_ID, &slot_info);
173 173 if (rv == CKR_SLOT_ID_INVALID) {
174 174 (void) printf(gettext("actual status: disabled.\n"));
175 175 /*
176 176 * Even if the -m and -v flag is supplied, there's nothing
177 177 * interesting to display about metaslot since it is disabled,
178 178 * so, just stop right here.
179 179 */
180 180 goto finish;
181 181 }
182 182
183 183 if (rv != CKR_OK) {
184 184 cryptodebug("C_GetSlotInfo failed with error "
185 185 "code 0x%x\n", rv);
186 186 rc = FAILURE;
187 187 goto finish;
188 188 }
189 189
190 190 if (!verbose) {
191 191 goto display_mechs;
192 192 }
193 193
194 194 (void) printf(gettext("actual status: enabled.\n"));
195 195
196 196 (void) printf(gettext("Description: %.64s\n"),
197 197 slot_info.slotDescription);
198 198
199 199 (void) printf(gettext("Token Present: %s\n"),
200 200 (slot_info.flags & CKF_TOKEN_PRESENT ?
201 201 gettext("True") : gettext("False")));
202 202
203 203 rv = funcs->C_GetTokenInfo(METASLOT_ID, &token_info);
204 204 if (rv != CKR_OK) {
205 205 cryptodebug("C_GetTokenInfo failed with error "
206 206 "code 0x%x\n", rv);
207 207 rc = FAILURE;
208 208 goto finish;
209 209 }
210 210
211 211 (void) printf(gettext("Token Label: %.32s\n"
212 212 "Manufacturer ID: %.32s\n"
213 213 "Model: %.16s\n"
214 214 "Serial Number: %.16s\n"
215 215 "Hardware Version: %d.%d\n"
216 216 "Firmware Version: %d.%d\n"
217 217 "UTC Time: %.16s\n"
218 218 "PIN Min Length: %d\n"
219 219 "PIN Max Length: %d\n"),
220 220 token_info.label,
221 221 token_info.manufacturerID,
222 222 token_info.model,
223 223 token_info.serialNumber,
224 224 token_info.hardwareVersion.major,
225 225 token_info.hardwareVersion.minor,
226 226 token_info.firmwareVersion.major,
227 227 token_info.firmwareVersion.minor,
228 228 token_info.utcTime,
229 229 token_info.ulMinPinLen,
230 230 token_info.ulMaxPinLen);
231 231
232 232 display_token_flags(token_info.flags);
233 233
234 234 if (!show_mechs) {
235 235 goto finish;
236 236 }
237 237
238 238 display_mechs:
239 239
240 240 if (mechlist == NULL) {
241 241 rv = funcs->C_GetMechanismList(METASLOT_ID, NULL_PTR,
242 242 &mech_count);
243 243 if (rv != CKR_OK) {
244 244 cryptodebug("C_GetMechanismList failed with error "
245 245 "code 0x%x\n", rv);
246 246 rc = FAILURE;
247 247 goto finish;
248 248 }
249 249
250 250 if (mech_count > 0) {
251 251 pmech_list = malloc(mech_count *
252 252 sizeof (CK_MECHANISM_TYPE));
253 253 if (pmech_list == NULL) {
254 254 cryptodebug("out of memory");
255 255 rc = FAILURE;
256 256 goto finish;
257 257 }
258 258 rv = funcs->C_GetMechanismList(METASLOT_ID, pmech_list,
259 259 &mech_count);
260 260 if (rv != CKR_OK) {
261 261 cryptodebug("C_GetMechanismList failed with "
262 262 "error code 0x%x\n", rv);
263 263 rc = FAILURE;
264 264 goto finish;
265 265 }
266 266 }
267 267 } else {
268 268 rc = convert_mechlist(&pmech_list, &mech_count, mechlist);
269 269 if (rc != SUCCESS) {
270 270 goto finish;
271 271 }
272 272 }
273 273
274 274 (void) printf(gettext("Mechanisms:\n"));
275 275 if (mech_count == 0) {
276 276 /* should never be this case */
277 277 (void) printf(gettext("No mechanisms\n"));
278 278 goto finish;
279 279 }
280 280 if (verbose) {
281 281 display_verbose_mech_header();
282 282 }
283 283
284 284 for (i = 0; i < mech_count; i++) {
285 285 CK_MECHANISM_TYPE mech = pmech_list[i];
286 286
287 287 if (mech >= CKM_VENDOR_DEFINED) {
288 288 (void) printf("%#lx", mech);
289 289 } else {
290 290 (void) printf("%-29s", pkcs11_mech2str(mech));
291 291 }
292 292
293 293 if (verbose) {
294 294 CK_MECHANISM_INFO mech_info;
295 295 rv = funcs->C_GetMechanismInfo(METASLOT_ID,
296 296 mech, &mech_info);
297 297 if (rv != CKR_OK) {
298 298 cryptodebug("C_GetMechanismInfo failed with "
299 299 "error code 0x%x\n", rv);
300 300 rc = FAILURE;
301 301 goto finish;
302 302 }
303 303 display_mech_info(&mech_info);
304 304 }
305 305 (void) printf("\n");
306 306 }
307 307
308 308 finish:
309 309
310 310 if ((rc == FAILURE) && (show_mechs)) {
311 311 (void) printf(gettext(
312 312 "metaslot: failed to retrieve the mechanism list.\n"));
313 313 }
314 314
315 315 if (lib_initialized) {
316 316 (void) funcs->C_Finalize(NULL_PTR);
317 317 }
318 318
319 319 if (dldesc != NULL) {
320 320 (void) dlclose(dldesc);
321 321 }
322 322
323 323 if (pmech_list != NULL) {
324 324 (void) free(pmech_list);
325 325 }
326 326
327 327 return (rc);
328 328 }
329 329
330 330 int
331 331 list_metaslot_policy()
332 332 {
333 333
334 334 uentry_t *puent;
335 335 int rc;
336 336
337 337 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
338 338 cryptoerror(LOG_STDERR,
339 339 gettext("metaslot entry doesn't exist."));
340 340 return (FAILURE);
341 341 }
342 342
343 343 rc = display_policy(puent);
344 344 (void) printf("\n");
345 345 free_uentry(puent);
346 346 return (rc);
347 347 }
348 348
349 349 /*
350 350 * disable metaslot and some of its configuration options
351 351 *
352 352 * If mechlist==NULL, and the other 2 flags are false, just disabled
353 353 * the metaslot feature.
354 354 *
355 355 * mechlist: list of mechanisms to disable
356 356 * allflag: if true, indicates all mechanisms should be disabled.
357 357 * auto_key_migrate_flag: if true, indicates auto key migrate should be disabled
358 358 */
359 359 int
360 360 disable_metaslot(mechlist_t *mechlist, boolean_t allflag,
361 361 boolean_t auto_key_migrate_flag)
362 362 {
363 363 uentry_t *puent;
364 364 int rc = SUCCESS;
365 365
366 366 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
367 367 cryptoerror(LOG_STDERR,
368 368 gettext("metaslot entry doesn't exist."));
369 369 return (FAILURE);
370 370 }
371 371
372 372
373 373 if ((mechlist == NULL) && (!auto_key_migrate_flag) && (!allflag)) {
374 374 /* disable metaslot */
375 375 puent->flag_metaslot_enabled = B_FALSE;
376 376 goto write_to_file;
377 377 }
378 378
379 379 if (auto_key_migrate_flag) {
380 380 /* need to disable auto_key_migrate */
381 381 puent->flag_metaslot_auto_key_migrate = B_FALSE;
382 382 }
383 383
384 384 if ((mechlist == NULL) && (!allflag)) {
385 385 goto write_to_file;
386 386 }
387 387
388 388 /* disable specified mechanisms */
389 389 if (allflag) {
390 390 free_umechlist(puent->policylist);
391 391 puent->policylist = NULL;
392 392 puent->count = 0;
393 393 puent->flag_enabledlist = B_TRUE;
394 394 rc = SUCCESS;
395 395 } else {
396 396 if (puent->flag_enabledlist == B_TRUE) {
397 397 /*
398 398 * The current default policy mode
399 399 * is "all are disabled, except ...", so if a
400 400 * specified mechanism is in the exception list
401 401 * (the policylist), delete it from the policylist.
402 402 */
403 403 rc = update_policylist(puent, mechlist, DELETE_MODE);
404 404 } else {
405 405 /*
406 406 * The current default policy mode of this library
407 407 * is "all are enabled", so if a specified mechanism
408 408 * is not in the exception list (policylist), add
409 409 * it into the policylist.
410 410 */
411 411 rc = update_policylist(puent, mechlist, ADD_MODE);
412 412 }
413 413 }
414 414
415 415 if (rc != SUCCESS) {
416 416 goto finish;
417 417 }
418 418
419 419 /* If all mechanisms are disabled, metaslot will be disabled as well */
420 420 if ((puent->flag_enabledlist) && (puent->count == 0)) {
421 421 puent->flag_metaslot_enabled = B_FALSE;
422 422 }
423 423
424 424 write_to_file:
425 425
426 426 rc = update_pkcs11conf(puent);
427 427
428 428 finish:
429 429 free_uentry(puent);
430 430 return (rc);
431 431 }
432 432
433 433 /*
434 434 * enable metaslot and some of its configuration options
435 435 *
436 436 * If mechlist==NULL, and the other flags are false, or not specified,
437 437 * just enable the metaslot feature.
438 438 *
439 439 * token: if specified, indicate label of token to be used as keystore.
440 440 * slot: if specified, indicate slot to be used as keystore.
441 441 * use_default: if true, indicate to use the default keystore. It should
442 442 * not be specified if either token or slot is specified.
443 443 * mechlist: list of mechanisms to enable
444 444 * allflag: if true, indicates all mechanisms should be enabled.
445 445 * auto_key_migrate_flag: if true, indicates auto key migrate should be enabled
446 446 */
447 447 int
448 448 enable_metaslot(char *token, char *slot, boolean_t use_default,
449 449 mechlist_t *mechlist, boolean_t allflag, boolean_t auto_key_migrate_flag)
450 450 {
451 451 uentry_t *puent;
452 452 int rc = SUCCESS;
453 453
454 454 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
455 455 cryptoerror(LOG_STDERR,
456 456 gettext("metaslot entry doesn't exist."));
457 457 return (FAILURE);
458 458 }
459 459
460 460 puent->flag_metaslot_enabled = B_TRUE;
461 461
462 462 if (auto_key_migrate_flag) {
463 463 /* need to enable auto_key_migrate */
464 464 puent->flag_metaslot_auto_key_migrate = B_TRUE;
465 465 }
466 466
467 467 if (allflag) {
468 468 /*
469 469 * If enabling all, what needs to be done are cleaning up the
470 470 * policylist and setting the "flag_enabledlist" flag to
471 471 * B_FALSE.
472 472 */
473 473 free_umechlist(puent->policylist);
474 474 puent->policylist = NULL;
475 475 puent->count = 0;
476 476 puent->flag_enabledlist = B_FALSE;
477 477 rc = SUCCESS;
478 478 } else {
479 479 if (mechlist) {
480 480 if (puent->flag_enabledlist == B_TRUE) {
481 481 /*
482 482 * The current default policy mode of this
483 483 * library is "all are disabled, except ...",
484 484 * so if a specified mechanism is not in the
485 485 * exception list (policylist), add it.
486 486 */
487 487 rc = update_policylist(puent, mechlist,
488 488 ADD_MODE);
489 489 } else {
490 490 /*
491 491 * The current default policy mode of this
492 492 * library is "all are enabled, except", so if
493 493 * a specified mechanism is in the exception
494 494 * list (policylist), delete it.
495 495 */
496 496 rc = update_policylist(puent, mechlist,
497 497 DELETE_MODE);
498 498 }
499 499 }
500 500 }
501 501
502 502 if (rc != SUCCESS) {
503 503 goto finish;
504 504 }
505 505
506 506 if (!use_default && !token && !slot) {
507 507 /* no need to change metaslot keystore */
508 508 goto write_to_file;
509 509 }
510 510
511 511 (void) bzero((char *)puent->metaslot_ks_token, TOKEN_LABEL_SIZE);
512 512 (void) bzero((char *)puent->metaslot_ks_slot, SLOT_DESCRIPTION_SIZE);
513 513
514 514 if (use_default) {
515 515 (void) strlcpy((char *)puent->metaslot_ks_token,
516 516 SOFT_TOKEN_LABEL, TOKEN_LABEL_SIZE);
517 517 (void) strlcpy((char *)puent->metaslot_ks_slot,
518 518 SOFT_SLOT_DESCRIPTION, SLOT_DESCRIPTION_SIZE);
519 519 } else {
520 520
521 521 if (token) {
522 522 (void) strlcpy((char *)puent->metaslot_ks_token, token,
523 523 TOKEN_LABEL_SIZE);
524 524 }
525 525
526 526 if (slot) {
527 527 (void) strlcpy((char *)puent->metaslot_ks_slot, slot,
528 528 SLOT_DESCRIPTION_SIZE);
529 529 }
530 530 }
531 531
532 532
533 533 write_to_file:
534 534
535 535 rc = update_pkcs11conf(puent);
536 536
537 537 finish:
538 538 free_uentry(puent);
539 539 return (rc);
540 540 }
|
↓ open down ↓ |
414 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX