Print this page
6723237 libcryptoutil should allow mechanism number "0x80000000" (the value of marker CKM_VENDOR_DEFINED)
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/cmd-crypto/cryptoadm/adm_metaslot.c
+++ new/usr/src/cmd/cmd-crypto/cryptoadm/adm_metaslot.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
|
↓ open down ↓ |
15 lines elided |
↑ open up ↑ |
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 -#pragma ident "@(#)adm_metaslot.c 1.4 08/06/27 SMI"
26 +#pragma ident "@(#)adm_metaslot.c 1.5 08/07/07 SMI"
27 27
28 28 /*
29 29 * Administration for metaslot
30 30 *
31 31 * All the "list" operations will call functions in libpkcs11.so
32 32 * Normally, it doesn't make sense to call functions in libpkcs11.so directly
33 33 * because libpkcs11.so depends on the configuration file (pkcs11.conf) the
34 34 * cryptoadm command is trying to administer. However, since metaslot
35 35 * is part of the framework, it is not possible to get information about
36 36 * it without actually calling functions in libpkcs11.so.
37 37 *
38 38 * So, for the listing operation, which won't modify the value of pkcs11.conf
39 39 * it is safe to call libpkcs11.so.
40 40 *
41 41 * For other operations that modifies the pkcs11.conf file, libpkcs11.so
42 42 * will not be called.
43 43 *
44 44 */
45 45
46 46 #include <cryptoutil.h>
47 47 #include <stdio.h>
48 48 #include <libintl.h>
49 49 #include <dlfcn.h>
50 50 #include <link.h>
51 51 #include <strings.h>
52 52 #include <security/cryptoki.h>
53 53 #include <cryptoutil.h>
54 54 #include "cryptoadm.h"
55 55
56 56 #define METASLOT_ID 0
57 57
58 58 int
59 59 list_metaslot_info(boolean_t show_mechs, boolean_t verbose,
60 60 mechlist_t *mechlist)
61 61 {
62 62 int rc = SUCCESS;
63 63 CK_RV rv;
64 64 CK_SLOT_INFO slot_info;
65 65 CK_TOKEN_INFO token_info;
66 66 CK_MECHANISM_TYPE_PTR pmech_list = NULL;
67 67 CK_ULONG mech_count;
68 68 int i;
69 69 CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
70 70 CK_FUNCTION_LIST_PTR funcs;
71 71 void *dldesc = NULL;
72 72 boolean_t lib_initialized = B_FALSE;
73 73 uentry_t *puent;
74 74 char buf[128];
75 75
76 76
77 77 /*
78 78 * Display the system-wide metaslot settings as specified
79 79 * in pkcs11.conf file.
80 80 */
81 81 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
82 82 cryptoerror(LOG_STDERR,
83 83 gettext("metaslot entry doesn't exist."));
84 84 return (FAILURE);
85 85 }
86 86
87 87 (void) printf(gettext("System-wide Meta Slot Configuration:\n"));
88 88 /*
89 89 * TRANSLATION_NOTE:
90 90 * Strictly for appearance's sake, this line should be as long as
91 91 * the length of the translated text above.
92 92 */
93 93 (void) printf(gettext("------------------------------------\n"));
94 94 (void) printf(gettext("Status: %s\n"), puent->flag_metaslot_enabled ?
95 95 gettext("enabled") : gettext("disabled"));
96 96 (void) printf(gettext("Sensitive Token Object Automatic Migrate: %s\n"),
97 97 puent->flag_metaslot_auto_key_migrate ? gettext("enabled") :
98 98 gettext("disabled"));
99 99
100 100 bzero(buf, sizeof (buf));
101 101 if (memcmp(puent->metaslot_ks_slot, buf, SLOT_DESCRIPTION_SIZE) != 0) {
102 102 (void) printf(gettext("Persistent object store slot: %s\n"),
103 103 puent->metaslot_ks_slot);
104 104 }
105 105
106 106 if (memcmp(puent->metaslot_ks_token, buf, TOKEN_LABEL_SIZE) != 0) {
107 107 (void) printf(gettext("Persistent object store token: %s\n"),
108 108 puent->metaslot_ks_token);
109 109 }
110 110
111 111 if ((!verbose) && (!show_mechs)) {
112 112 return (SUCCESS);
113 113 }
114 114
115 115 if (verbose) {
116 116 (void) printf(gettext("\nDetailed Meta Slot Information:\n"));
117 117 /*
118 118 * TRANSLATION_NOTE:
119 119 * Strictly for appearance's sake, this line should be as
120 120 * long as the length of the translated text above.
121 121 */
122 122 (void) printf(gettext("-------------------------------\n"));
123 123 }
124 124
125 125 /*
126 126 * Need to actually make calls to libpkcs11.so to get
127 127 * information about metaslot.
128 128 */
129 129
130 130 dldesc = dlopen(UEF_FRAME_LIB, RTLD_NOW);
131 131 if (dldesc == NULL) {
132 132 char *dl_error;
133 133 dl_error = dlerror();
134 134 cryptodebug("Cannot load PKCS#11 framework library. "
135 135 "dlerror:%s", dl_error);
136 136 return (FAILURE);
137 137 }
138 138
139 139 /* Get the pointer to library's C_GetFunctionList() */
140 140 Tmp_C_GetFunctionList = (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
141 141 if (Tmp_C_GetFunctionList == NULL) {
142 142 cryptodebug("Cannot get the address of the C_GetFunctionList "
143 143 "from framework");
144 144 rc = FAILURE;
145 145 goto finish;
146 146 }
147 147
148 148
149 149 /* Get the provider's function list */
150 150 rv = Tmp_C_GetFunctionList(&funcs);
151 151 if (rv != CKR_OK) {
152 152 cryptodebug("failed to call C_GetFunctionList in "
153 153 "framework library");
154 154 rc = FAILURE;
155 155 goto finish;
156 156 }
157 157
158 158 /* Initialize this provider */
159 159 rv = funcs->C_Initialize(NULL_PTR);
160 160 if (rv != CKR_OK) {
161 161 cryptodebug("C_Initialize failed with error code 0x%x\n", rv);
162 162 rc = FAILURE;
163 163 goto finish;
164 164 } else {
165 165 lib_initialized = B_TRUE;
166 166 }
167 167
168 168 /*
169 169 * We know for sure that metaslot is slot 0 in the framework,
170 170 * so, we will do a C_GetSlotInfo() trying to see if it works.
171 171 * If it fails with CKR_SLOT_ID_INVALID, we know that metaslot
172 172 * is not really enabled.
173 173 */
174 174 rv = funcs->C_GetSlotInfo(METASLOT_ID, &slot_info);
175 175 if (rv == CKR_SLOT_ID_INVALID) {
176 176 (void) printf(gettext("actual status: disabled.\n"));
177 177 /*
178 178 * Even if the -m and -v flag is supplied, there's nothing
179 179 * interesting to display about metaslot since it is disabled,
180 180 * so, just stop right here.
181 181 */
182 182 goto finish;
183 183 }
184 184
185 185 if (rv != CKR_OK) {
186 186 cryptodebug("C_GetSlotInfo failed with error "
187 187 "code 0x%x\n", rv);
188 188 rc = FAILURE;
189 189 goto finish;
190 190 }
191 191
192 192 if (!verbose) {
193 193 goto display_mechs;
194 194 }
195 195
196 196 (void) printf(gettext("actual status: enabled.\n"));
197 197
198 198 (void) printf(gettext("Description: %.64s\n"),
199 199 slot_info.slotDescription);
200 200
201 201 (void) printf(gettext("Token Present: %s\n"),
202 202 (slot_info.flags & CKF_TOKEN_PRESENT ?
203 203 gettext("True") : gettext("False")));
204 204
205 205 rv = funcs->C_GetTokenInfo(METASLOT_ID, &token_info);
206 206 if (rv != CKR_OK) {
207 207 cryptodebug("C_GetTokenInfo failed with error "
208 208 "code 0x%x\n", rv);
209 209 rc = FAILURE;
210 210 goto finish;
211 211 }
212 212
213 213 (void) printf(gettext("Token Label: %.32s\n"
214 214 "Manufacturer ID: %.32s\n"
215 215 "Model: %.16s\n"
216 216 "Serial Number: %.16s\n"
217 217 "Hardware Version: %d.%d\n"
218 218 "Firmware Version: %d.%d\n"
219 219 "UTC Time: %.16s\n"
220 220 "PIN Length: %d-%d\n"),
221 221 token_info.label,
222 222 token_info.manufacturerID,
223 223 token_info.model,
224 224 token_info.serialNumber,
225 225 token_info.hardwareVersion.major,
226 226 token_info.hardwareVersion.minor,
227 227 token_info.firmwareVersion.major,
228 228 token_info.firmwareVersion.minor,
229 229 token_info.utcTime,
230 230 token_info.ulMinPinLen,
231 231 token_info.ulMaxPinLen);
232 232
233 233 display_token_flags(token_info.flags);
234 234
235 235 if (!show_mechs) {
236 236 goto finish;
237 237 }
238 238
239 239 display_mechs:
240 240
241 241 if (mechlist == NULL) {
242 242 rv = funcs->C_GetMechanismList(METASLOT_ID, NULL_PTR,
243 243 &mech_count);
244 244 if (rv != CKR_OK) {
245 245 cryptodebug("C_GetMechanismList failed with error "
246 246 "code 0x%x\n", rv);
247 247 rc = FAILURE;
248 248 goto finish;
249 249 }
250 250
251 251 if (mech_count > 0) {
252 252 pmech_list = malloc(mech_count *
253 253 sizeof (CK_MECHANISM_TYPE));
254 254 if (pmech_list == NULL) {
255 255 cryptodebug("out of memory");
256 256 rc = FAILURE;
257 257 goto finish;
258 258 }
259 259 rv = funcs->C_GetMechanismList(METASLOT_ID, pmech_list,
260 260 &mech_count);
261 261 if (rv != CKR_OK) {
262 262 cryptodebug("C_GetMechanismList failed with "
263 263 "error code 0x%x\n", rv);
264 264 rc = FAILURE;
265 265 goto finish;
266 266 }
267 267 }
268 268 } else {
269 269 rc = convert_mechlist(&pmech_list, &mech_count, mechlist);
270 270 if (rc != SUCCESS) {
271 271 goto finish;
272 272 }
273 273 }
274 274
275 275 (void) printf(gettext("Mechanisms:\n"));
276 276 if (mech_count == 0) {
277 277 /* should never be this case */
|
↓ open down ↓ |
241 lines elided |
↑ open up ↑ |
278 278 (void) printf(gettext("No mechanisms\n"));
279 279 goto finish;
280 280 }
281 281 if (verbose) {
282 282 display_verbose_mech_header();
283 283 }
284 284
285 285 for (i = 0; i < mech_count; i++) {
286 286 CK_MECHANISM_TYPE mech = pmech_list[i];
287 287
288 - if (mech > CKM_VENDOR_DEFINED) {
288 + if (mech >= CKM_VENDOR_DEFINED) {
289 289 (void) printf("%#lx", mech);
290 290 } else {
291 291 (void) printf("%-29s", pkcs11_mech2str(mech));
292 292 }
293 293
294 294 if (verbose) {
295 295 CK_MECHANISM_INFO mech_info;
296 296 rv = funcs->C_GetMechanismInfo(METASLOT_ID,
297 297 mech, &mech_info);
298 298 if (rv != CKR_OK) {
299 299 cryptodebug("C_GetMechanismInfo failed with "
300 300 "error code 0x%x\n", rv);
301 301 rc = FAILURE;
302 302 goto finish;
303 303 }
304 304 display_mech_info(&mech_info);
305 305 }
306 306 (void) printf("\n");
307 307 }
308 308
309 309 finish:
310 310
311 311 if ((rc == FAILURE) && (show_mechs)) {
312 312 (void) printf(gettext(
313 313 "metaslot: failed to retrieve the mechanism list.\n"));
314 314 }
315 315
316 316 if (lib_initialized) {
317 317 (void) funcs->C_Finalize(NULL_PTR);
318 318 }
319 319
320 320 if (dldesc != NULL) {
321 321 (void) dlclose(dldesc);
322 322 }
323 323
324 324 if (pmech_list != NULL) {
325 325 (void) free(pmech_list);
326 326 }
327 327
328 328 return (rc);
329 329 }
330 330
331 331 int
332 332 list_metaslot_policy()
333 333 {
334 334
335 335 uentry_t *puent;
336 336 int rc;
337 337
338 338 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
339 339 cryptoerror(LOG_STDERR,
340 340 gettext("metaslot entry doesn't exist."));
341 341 return (FAILURE);
342 342 }
343 343
344 344 rc = display_policy(puent);
345 345 (void) printf("\n");
346 346 free_uentry(puent);
347 347 return (rc);
348 348 }
349 349
350 350 /*
351 351 * disable metaslot and some of its configuration options
352 352 *
353 353 * If mechlist==NULL, and the other 2 flags are false, just disabled
354 354 * the metaslot feature.
355 355 *
356 356 * mechlist: list of mechanisms to disable
357 357 * allflag: if true, indicates all mechanisms should be disabled.
358 358 * auto_key_migrate_flag: if true, indicates auto key migrate should be disabled
359 359 */
360 360 int
361 361 disable_metaslot(mechlist_t *mechlist, boolean_t allflag,
362 362 boolean_t auto_key_migrate_flag)
363 363 {
364 364 uentry_t *puent;
365 365 int rc = SUCCESS;
366 366
367 367 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
368 368 cryptoerror(LOG_STDERR,
369 369 gettext("metaslot entry doesn't exist."));
370 370 return (FAILURE);
371 371 }
372 372
373 373
374 374 if ((mechlist == NULL) && (!auto_key_migrate_flag) && (!allflag)) {
375 375 /* disable metaslot */
376 376 puent->flag_metaslot_enabled = B_FALSE;
377 377 goto write_to_file;
378 378 }
379 379
380 380 if (auto_key_migrate_flag) {
381 381 /* need to disable auto_key_migrate */
382 382 puent->flag_metaslot_auto_key_migrate = B_FALSE;
383 383 }
384 384
385 385 if ((mechlist == NULL) && (!allflag)) {
386 386 goto write_to_file;
387 387 }
388 388
389 389 /* disable specified mechanisms */
390 390 if (allflag) {
391 391 free_umechlist(puent->policylist);
392 392 puent->policylist = NULL;
393 393 puent->count = 0;
394 394 puent->flag_enabledlist = B_TRUE;
395 395 rc = SUCCESS;
396 396 } else {
397 397 if (puent->flag_enabledlist == B_TRUE) {
398 398 /*
399 399 * The current default policy mode
400 400 * is "all are disabled, except ...", so if a
401 401 * specified mechanism is in the exception list
402 402 * (the policylist), delete it from the policylist.
403 403 */
404 404 rc = update_policylist(puent, mechlist, DELETE_MODE);
405 405 } else {
406 406 /*
407 407 * The current default policy mode of this library
408 408 * is "all are enabled", so if a specified mechanism
409 409 * is not in the exception list (policylist), add
410 410 * it into the policylist.
411 411 */
412 412 rc = update_policylist(puent, mechlist, ADD_MODE);
413 413 }
414 414 }
415 415
416 416 if (rc != SUCCESS) {
417 417 goto finish;
418 418 }
419 419
420 420 /* If all mechanisms are disabled, metaslot will be disabled as well */
421 421 if ((puent->flag_enabledlist) && (puent->count == 0)) {
422 422 puent->flag_metaslot_enabled = B_FALSE;
423 423 }
424 424
425 425 write_to_file:
426 426
427 427 rc = update_pkcs11conf(puent);
428 428
429 429 finish:
430 430 free_uentry(puent);
431 431 return (rc);
432 432 }
433 433
434 434 /*
435 435 * enable metaslot and some of its configuration options
436 436 *
437 437 * If mechlist==NULL, and the other flags are false, or not specified,
438 438 * just enable the metaslot feature.
439 439 *
440 440 * token: if specified, indicate label of token to be used as keystore.
441 441 * slot: if specified, indicate slot to be used as keystore.
442 442 * use_default: if true, indicate to use the default keystore. It should
443 443 * not be specified if either token or slot is specified.
444 444 * mechlist: list of mechanisms to enable
445 445 * allflag: if true, indicates all mechanisms should be enabled.
446 446 * auto_key_migrate_flag: if true, indicates auto key migrate should be enabled
447 447 */
448 448 int
449 449 enable_metaslot(char *token, char *slot, boolean_t use_default,
450 450 mechlist_t *mechlist, boolean_t allflag, boolean_t auto_key_migrate_flag)
451 451 {
452 452 uentry_t *puent;
453 453 int rc = SUCCESS;
454 454
455 455 if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
456 456 cryptoerror(LOG_STDERR,
457 457 gettext("metaslot entry doesn't exist."));
458 458 return (FAILURE);
459 459 }
460 460
461 461 puent->flag_metaslot_enabled = B_TRUE;
462 462
463 463 if (auto_key_migrate_flag) {
464 464 /* need to enable auto_key_migrate */
465 465 puent->flag_metaslot_auto_key_migrate = B_TRUE;
466 466 }
467 467
468 468 if (allflag) {
469 469 /*
470 470 * If enabling all, what needs to be done are cleaning up the
471 471 * policylist and setting the "flag_enabledlist" flag to
472 472 * B_FALSE.
473 473 */
474 474 free_umechlist(puent->policylist);
475 475 puent->policylist = NULL;
476 476 puent->count = 0;
477 477 puent->flag_enabledlist = B_FALSE;
478 478 rc = SUCCESS;
479 479 } else {
480 480 if (mechlist) {
481 481 if (puent->flag_enabledlist == B_TRUE) {
482 482 /*
483 483 * The current default policy mode of this
484 484 * library is "all are disabled, except ...",
485 485 * so if a specified mechanism is not in the
486 486 * exception list (policylist), add it.
487 487 */
488 488 rc = update_policylist(puent, mechlist,
489 489 ADD_MODE);
490 490 } else {
491 491 /*
492 492 * The current default policy mode of this
493 493 * library is "all are enabled, except", so if
494 494 * a specified mechanism is in the exception
495 495 * list (policylist), delete it.
496 496 */
497 497 rc = update_policylist(puent, mechlist,
498 498 DELETE_MODE);
499 499 }
500 500 }
501 501 }
502 502
503 503 if (rc != SUCCESS) {
504 504 goto finish;
505 505 }
506 506
507 507 if (!use_default && !token && !slot) {
508 508 /* no need to change metaslot keystore */
509 509 goto write_to_file;
510 510 }
511 511
512 512 (void) bzero((char *)puent->metaslot_ks_token, TOKEN_LABEL_SIZE);
513 513 (void) bzero((char *)puent->metaslot_ks_slot, SLOT_DESCRIPTION_SIZE);
514 514
515 515 if (use_default) {
516 516 (void) strlcpy((char *)puent->metaslot_ks_token,
517 517 SOFT_TOKEN_LABEL, TOKEN_LABEL_SIZE);
518 518 (void) strlcpy((char *)puent->metaslot_ks_slot,
519 519 SOFT_SLOT_DESCRIPTION, SLOT_DESCRIPTION_SIZE);
520 520 } else {
521 521
522 522 if (token) {
523 523 (void) strlcpy((char *)puent->metaslot_ks_token, token,
524 524 TOKEN_LABEL_SIZE);
525 525 }
526 526
527 527 if (slot) {
528 528 (void) strlcpy((char *)puent->metaslot_ks_slot, slot,
529 529 SLOT_DESCRIPTION_SIZE);
530 530 }
531 531 }
532 532
533 533
534 534 write_to_file:
535 535
536 536 rc = update_pkcs11conf(puent);
537 537
538 538 finish:
539 539 free_uentry(puent);
540 540 return (rc);
541 541 }
|
↓ open down ↓ |
243 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX