CA认证

开发平台：

WINDOWS

fortpk11.c：源码内容

/*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the
* terms of the GNU General Public License Version 2 or later (the
* "GPL"), in which case the provisions of the GPL are applicable
* instead of those above. If you wish to allow use of your
* version of this file only under the terms of the GPL and not to
* allow others to use your version of this file under the MPL,
* indicate your decision by deleting the provisions above and
* replace them with the notice and other provisions required by
* the GPL. If you do not delete the provisions above, a recipient
* may use your version of this file under either the MPL or the
* GPL.
*
* This file implements PKCS 11 for FORTEZZA using MACI
* drivers. Except for the Mac. They only have CI libraries, so
* that's what we use there.
*
* For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
*
* This implementations queries the MACI to figure out how
* many slots exist on a given system. There is an artificial boundary
* of 32 slots, because allocating slots dynamically caused memory
* problems in the client when first this module was first developed.
* Some how the heap was being corrupted and we couldn't find out where.
* Subsequent attempts to allocate dynamic memory caused no problem.
*
* In this implementation, session objects are only visible to the session
* that created or generated them.
*/
#include "fpkmem.h"
#include "seccomon.h"
#include "fpkcs11.h"
#include "fpkcs11i.h"
#include "cryptint.h"
#include "pk11func.h"
#include "fortsock.h"
#include "fmutex.h"
#ifdef notdef
#include <ctype.h>
#include <stdio.h>
#endif
#ifdef XP_MAC
#ifndef __POWERPC__
#include <A4Stuff.h>
#endif
/* This is not a 4.0 project, so I can't depend on
* 4.0 defines, so instead I depend on CodeWarrior
* defines. I define XP_MAC in fpkmem.h
*/
#if __POWERPC__
#elif __CFM68K__
#else
/* These include are taken fromn npmac.cpp which are used
* by the plugin group to properly set-up a plug-in for
* dynamic loading on 68K.
*/
#include <Quickdraw.h>
/*
** The Mixed Mode procInfos defined in npupp.h assume Think C-
** style calling conventions. These conventions are used by
** Metrowerks with the exception of pointer return types, which
** in Metrowerks 68K are returned in A0, instead of the standard
** D0. Thus, since NPN_MemAlloc and NPN_UserAgent return pointers,
** Mixed Mode will return the values to a 68K plugin in D0, but
** a 68K plugin compiled by Metrowerks will expect the result in
** A0. The following pragma forces Metrowerks to use D0 instead.
*/
#ifdef __MWERKS__
#ifndef powerc
#pragma pointers_in_D0
#endif
#endif
#ifdef __MWERKS__
#ifndef powerc
#pragma pointers_in_A0
#endif
#endif
/* The following fix for static initializers fixes a previous
** incompatibility with some parts of PowerPlant.
*/
#ifdef __MWERKS__
#ifdef __cplusplus
extern "C" {
#endif
#ifndef powerc
extern void __InitCode__(void);
#else
extern void __sinit(void);
#endif
extern void __destroy_global_chain(void);
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif /* __MWERKS__ */
#endif
#endif
typedef struct {
unsigned char *data;
int len;
} CertItem;
/*
* ******************** Static data *******************************
*/
/* The next three strings must be exactly 32 characters long */
static char *manufacturerID = "Netscape Communications Corp ";
static char *libraryDescription = "Communicator Fortezza Crypto Svc";
typedef enum {DSA_KEY, KEA_KEY, V1_KEY, INVALID_KEY } PrivKeyType;
static PK11Slot fort11_slot[NUM_SLOTS];
static FortezzaSocket fortezzaSockets[NUM_SLOTS];
static PRBool init = PR_FALSE;
static CK_ULONG kNumSockets = 0;
#define __PASTE(x,y) x##y
#undef CK_FUNC
#undef CK_EXTERN
#undef CK_NEED_ARG_LIST
#undef _CK_RV
#define fort11_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
#define fort11_SlotFromSession pk11_SlotFromSession
#define fort11_isToken pk11_isToken
static CK_FUNCTION_LIST fort11_funcList = {
{ 2, 1 },
#undef CK_FUNC
#undef CK_EXTERN
#undef CK_NEED_ARG_LIST
#undef _CK_RV
#define CK_EXTERN
#define CK_FUNC(name) name,
#define _CK_RV
#include "fpkcs11f.h"
};
#undef CK_FUNC
#undef CK_EXTERN
#undef _CK_RV
#undef __PASTE
#undef pk11_SlotFromSessionHandle
#undef pk11_SlotFromID
#define MAJOR_VERSION_MASK 0xFF00
#define MINOR_VERSION_MASK 0x00FF
/* Mechanisms */
struct mechanismList {
CK_MECHANISM_TYPE type;
CK_MECHANISM_INFO domestic;
PRBool privkey;
};
static struct mechanismList mechanisms[] = {
{CKM_DSA, {512,1024,CKF_SIGN}, PR_TRUE},
{CKM_SKIPJACK_KEY_GEN, {92, 92, CKF_GENERATE}, PR_TRUE},
{CKM_SKIPJACK_CBC64, {92, 92, CKF_ENCRYPT | CKF_DECRYPT}, PR_TRUE},
{CKM_SKIPJACK_WRAP, {92, 92, CKF_WRAP}, PR_TRUE},
{CKM_KEA_KEY_DERIVE, {128, 128, CKF_DERIVE}, PR_TRUE},
};
static CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]);
/*************Static function prototypes********************************/
static PRBool fort11_isTrue(PK11Object *object,CK_ATTRIBUTE_TYPE type);
static void fort11_FreeAttribute(PK11Attribute *attribute);
static void fort11_DestroyAttribute(PK11Attribute *attribute);
static PK11Object* fort11_NewObject(PK11Slot *slot);
static PK11FreeStatus fort11_FreeObject(PK11Object *object);
static CK_RV fort11_AddAttributeType(PK11Object *object,
CK_ATTRIBUTE_TYPE type,
void *valPtr,
CK_ULONG length);
static void fort11_AddSlotObject(PK11Slot *slot, PK11Object *object);
static PK11Attribute* fort11_FindAttribute(PK11Object *object,
CK_ATTRIBUTE_TYPE type);
static PK11Attribute* fort11_NewAttribute(CK_ATTRIBUTE_TYPE type,
CK_VOID_PTR value, CK_ULONG len);
static void fort11_DeleteAttributeType(PK11Object *object,
CK_ATTRIBUTE_TYPE type);
static void fort11_AddAttribute(PK11Object *object,
PK11Attribute *attribute);
static void fort11_AddObject(PK11Session *session,
PK11Object *object);
static PK11Object * fort11_ObjectFromHandle(CK_OBJECT_HANDLE handle,
PK11Session *session);
static void fort11_DeleteObject(PK11Session *session,PK11Object *object);
static CK_RV fort11_DestroyObject(PK11Object *object);
void fort11_FreeSession(PK11Session *session);
#define FIRST_SLOT_SESS_ID 0x00000100L
#define ADD_NEXT_SESS_ID 0x00000100L
#define SLOT_MASK 0x000000FFL
#define FAILED CKR_FUNCTION_FAILED
static void
fort11_FreeFortezzaKey (void *inFortezzaKey) {
RemoveKey ((FortezzaKey*) inFortezzaKey);
}
static void
fort11_DestroySlotObjects (PK11Slot *slot, PK11Session *session) {
PK11Object *currObject, *nextObject, *oldObject;
int i;
for (i=0; i<HASH_SIZE; i++) {
currObject = slot->tokObjects[i];
slot->tokObjects[i] = NULL;
do {
FMUTEX_Lock(slot->sessionLock);
if (currObject) {
nextObject = currObject->next;
FMUTEX_Lock(currObject->refLock);
currObject->refCount++;
FMUTEX_Unlock(currObject->refLock);
fort11_DeleteObject(session, currObject);
}
FMUTEX_Unlock(slot->sessionLock);
if (currObject) {
oldObject = currObject;
currObject = nextObject;
fort11_FreeObject(oldObject);
}
} while (currObject != NULL);
}
}
static void
fort11_TokenRemoved(PK11Slot *slot, PK11Session *session) {
FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
LogoutFromSocket (socket);
slot->isLoggedIn = PR_FALSE;
if (session && session->notify) {
/*If no session pointer exists, lots of leaked memory*/
session->notify (session->handle, CKN_SURRENDER,
session->appData);
fort11_FreeSession(session); /* Release the reference held
* by the slot with the session
*/
}
fort11_DestroySlotObjects(slot, session);
fort11_FreeSession(session); /* Release the reference held
* by the slot with the session
*/
/* All keys will have been freed at this point so we can
* NULL out this pointer
*/
socket->keys = NULL;
}
PRBool
fort11_FortezzaIsUserCert(unsigned char * label) {
if ( (!PORT_Memcmp(label, "KEAK", 4)) || /* v3 user certs */
(!PORT_Memcmp(label, "DSA1", 4)) ||
(!PORT_Memcmp(label, "DSAI", 4)) ||
(!PORT_Memcmp(label, "DSAO", 4)) ||
(!PORT_Memcmp(label, "INKS", 4)) || /* v1 user certs */
(!PORT_Memcmp(label, "INKX", 4)) ||
(!PORT_Memcmp(label, "ONKS", 4)) ||
(!PORT_Memcmp(label, "ONKX", 4)) ||
(!PORT_Memcmp(label, "3IXS", 4)) || /* old v3 user certs */
(!PORT_Memcmp(label, "3OXS", 4)) ||
(!PORT_Memcmp(label, "3IKX", 4)) ) {
return PR_TRUE;
} else { return PR_FALSE; }
}
static PRBool
fort11_FortezzaIsACert(unsigned char * label) {
if (label == NULL) return PR_FALSE;
if ( (!PORT_Memcmp(label, "DSA1", 4)) || /* v3 certs */
(!PORT_Memcmp(label, "DSAI", 4)) ||
(!PORT_Memcmp(label, "DSAO", 4)) ||
(!PORT_Memcmp(label, "DSAX", 4)) ||
(!PORT_Memcmp(label, "KEAK", 4)) ||
(!PORT_Memcmp(label, "KEAX", 4)) ||
(!PORT_Memcmp(label, "CAX1", 4)) ||
(!PORT_Memcmp(label, "PCA1", 4)) ||
(!PORT_Memcmp(label, "PAA1", 4)) ||
(!PORT_Memcmp(label, "ICA1", 4)) ||
(!PORT_Memcmp(label, "3IXS", 4)) || /* old v3 certs */
(!PORT_Memcmp(label, "3OXS", 4)) ||
(!PORT_Memcmp(label, "3CAX", 4)) ||
(!PORT_Memcmp(label, "3IKX", 4)) ||
(!PORT_Memcmp(label, "3PCA", 4)) ||
(!PORT_Memcmp(label, "3PAA", 4)) ||
(!PORT_Memcmp(label, "3ICA", 4)) ||
(!PORT_Memcmp(label, "INKS", 4)) || /* v1 certs */
(!PORT_Memcmp(label, "INKX", 4)) ||
(!PORT_Memcmp(label, "ONKS", 4)) ||
(!PORT_Memcmp(label, "ONKX", 4)) ||
(!PORT_Memcmp(label, "RRXX", 4)) ||
(!PORT_Memcmp(label, "RTXX", 4)) ||
(!PORT_Memcmp(label, "LAXX", 4)) ) {
return PR_TRUE;
}
return PR_FALSE;
}
static
int fort11_cert_length(unsigned char *buf, int length) {
unsigned char tag;
int used_length= 0;
int data_length;
tag = buf[used_length++];
/* blow out when we come to the end */
if (tag == 0) {
return 0;
}
data_length = buf[used_length++];
if (data_length&0x80) {
int len_count = data_length & 0x7f;
data_length = 0;
while (len_count-- > 0) {
data_length = (data_length << 8) | buf[used_length++];
}
}
if (data_length > (length-used_length) ) {
return length;
}
return (data_length + used_length);
}
unsigned char *fort11_data_start(unsigned char *buf, int length,
int *data_length, PRBool includeTag) {
unsigned char tag;
int used_length= 0;
tag = buf[used_length++];
/* blow out when we come to the end */
if (tag == 0) {
return NULL;
}
*data_length = buf[used_length++];
if (*data_length&0x80) {
int len_count = *data_length & 0x7f;
*data_length = 0;
while (len_count-- > 0) {
*data_length = (*data_length << 8) | buf[used_length++];
}
}
if (*data_length > (length-used_length) ) {
*data_length = length-used_length;
return NULL;
}
if (includeTag) *data_length += used_length;
return (buf + (includeTag ? 0 : used_length));
}
int
fort11_GetCertFields(unsigned char *cert,int cert_length,CertItem *issuer,
CertItem *serial,CertItem *subject)
{
unsigned char *buf;
int buf_length;
unsigned char *date;
int datelen;
/* get past the signature wrap */
buf = fort11_data_start(cert,cert_length,&buf_length,PR_FALSE);
if (buf == NULL) return FAILED;
/* get into the raw cert data */
buf = fort11_data_start(buf,buf_length,&buf_length,PR_FALSE);
if (buf == NULL) return FAILED;
/* skip past any optional version number */
if ((buf[0] & 0xa0) == 0xa0) {
date = fort11_data_start(buf,buf_length,&datelen,PR_FALSE);
if (date == NULL) return FAILED;
buf_length -= (date-buf) + datelen;
buf = date + datelen;
}
/* serial number */
serial->data = fort11_data_start(buf,buf_length,&serial->len,PR_FALSE);
if (serial->data == NULL) return FAILED;
buf_length -= (serial->data-buf) + serial->len;
buf = serial->data + serial->len;
/* skip the OID */
date = fort11_data_start(buf,buf_length,&datelen,PR_FALSE);
if (date == NULL) return FAILED;
buf_length -= (date-buf) + datelen;
buf = date + datelen;
/* issuer */
issuer->data = fort11_data_start(buf,buf_length,&issuer->len,PR_TRUE);
if (issuer->data == NULL) return FAILED;
buf_length -= (issuer->data-buf) + issuer->len;
buf = issuer->data + issuer->len;
/* skip the date */
date = fort11_data_start(buf,buf_length,&datelen,PR_FALSE);
if (date == NULL) return FAILED;
buf_length -= (date-buf) + datelen;
buf = date + datelen;
/*subject */
subject->data=fort11_data_start(buf,buf_length,&subject->len,PR_TRUE);
if (subject->data == NULL) return FAILED;
buf_length -= (subject->data-buf) + subject->len;
buf = subject->data +subject->len;
/*subject */
return CKR_OK;
}
/* quick tohex function to get rid of scanf */
static
int fort11_tohex(char *s) {
int val = 0;
for(;*s;s++) {
if ((*s >= '0') && (*s <= '9')) {
val = (val << 4) + (*s - '0');
continue;
} else if ((*s >= 'a') && (*s <= 'f')) {
val = (val << 4) + (*s - 'a') + 10;
continue;
} else if ((*s >= 'A') && (*s <= 'F')) {
val = (val << 4) + (*s - 'A') + 10;
continue;
}
break;
}
return val;
}
/* only should be called for V3 KEA cert labels. */
static int
fort11_GetSibling(CI_CERT_STR label) {
int value = 0;
char s[3];
label +=4;
strcpy(s,"00");
memcpy(s, label, 2);
value = fort11_tohex(s);
/* sibling of 255 means no sibling */
if (value == 255) {
value = -1;
}
return value;
}
static PrivKeyType
fort11_GetKeyType(CI_CERT_STR label) {
if (label == NULL) return INVALID_KEY;
if ( (!PORT_Memcmp(label, "DSA1", 4)) || /* v3 certs */
(!PORT_Memcmp(label, "DSAI", 4)) ||
(!PORT_Memcmp(label, "DSAO", 4)) ||
(!PORT_Memcmp(label, "3IXS", 4)) || /* old v3 certs */
(!PORT_Memcmp(label, "3OXS", 4)) ) {
return DSA_KEY;
}
if ( (!PORT_Memcmp(label, "KEAK", 4)) ||
(!PORT_Memcmp(label, "3IKX", 4)) ) {
return KEA_KEY;
}
if ( (!PORT_Memcmp(label, "INKS", 4)) || /* V1 Certs*/
(!PORT_Memcmp(label, "INKX", 4)) ||
(!PORT_Memcmp(label, "ONKS", 4)) ||
(!PORT_Memcmp(label, "ONKX", 4)) ||
(!PORT_Memcmp(label, "RRXX", 4)) ||
(!PORT_Memcmp(label, "RTXX", 4)) ||
(!PORT_Memcmp(label, "LAXX", 4)) ) {
return V1_KEY;
}
return INVALID_KEY;
}
static CK_RV
fort11_ConvertToDSAKey(PK11Object *privateKey, PK11Slot *slot) {
CK_KEY_TYPE key_type = CKK_DSA;
CK_BBOOL cktrue = TRUE;
CK_BBOOL ckfalse = FALSE;
CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
CK_CHAR label[] = "A DSA Private Key";
/* Fill in the common Default values */
if (fort11_AddAttributeType(privateKey,CKA_START_DATE, NULL, 0) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey,CKA_END_DATE, NULL, 0) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey,CKA_SUBJECT, NULL, 0) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_CLASS, &privClass,
sizeof (CK_OBJECT_CLASS)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_KEY_TYPE, &key_type,
sizeof(CK_KEY_TYPE)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType (privateKey, CKA_TOKEN, &cktrue,
sizeof (CK_BBOOL)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType (privateKey, CKA_LABEL, label,
PORT_Strlen((char*)label)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_SENSITIVE, &cktrue,
sizeof (CK_BBOOL)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_SIGN, &cktrue,
sizeof (CK_BBOOL)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_DERIVE, &cktrue,
sizeof(cktrue)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_LOCAL, &ckfalse,
sizeof(ckfalse)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_DECRYPT, &ckfalse,
sizeof(ckfalse)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_SIGN_RECOVER, &ckfalse,
sizeof(ckfalse)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_UNWRAP, &ckfalse,
sizeof(ckfalse)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_EXTRACTABLE, &ckfalse,
sizeof(ckfalse)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_ALWAYS_SENSITIVE, &cktrue,
sizeof(cktrue)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_NEVER_EXTRACTABLE, &cktrue,
sizeof(ckfalse)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_PRIME, NULL, 0) != CKR_OK){
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_SUBPRIME, NULL, 0) != CKR_OK){
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_BASE, NULL, 0) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_VALUE, NULL, 0) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_PRIVATE, &cktrue,
sizeof(cktrue)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_MODIFIABLE,&ckfalse,
sizeof(ckfalse)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
FMUTEX_Lock(slot->objectLock);
privateKey->handle = slot->tokenIDCount++;
privateKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
FMUTEX_Unlock(slot->objectLock);
privateKey->objclass = privClass;
privateKey->slot = slot;
privateKey->inDB = PR_TRUE;
return CKR_OK;
}
static int
fort11_LoadRootPAAKey(PK11Slot *slot, PK11Session *session) {
CK_OBJECT_CLASS theClass = CKO_SECRET_KEY;
int id = 0;
CK_BBOOL True = TRUE;
CK_BBOOL False = FALSE;
CK_CHAR label[] = "Trusted Root PAA Key";
PK11Object *rootKey;
FortezzaKey *newKey;
FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
/*Don't know the key type. Does is matter?*/
rootKey = fort11_NewObject(slot);
if (rootKey == NULL) {
return CKR_HOST_MEMORY;
}
if (fort11_AddAttributeType(rootKey, CKA_CLASS, &theClass,
sizeof(theClass)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(rootKey, CKA_TOKEN, &True,
sizeof(True)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(rootKey, CKA_LABEL, label,
sizeof(label)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(rootKey, CKA_PRIVATE, &True,
sizeof (True)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(rootKey,CKA_MODIFIABLE, &False,
sizeof(False)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(rootKey, CKA_ID, &id,
sizeof(int)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(rootKey, CKA_DERIVE, &True,
sizeof(True)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(rootKey, CKA_SENSITIVE, &True,
sizeof(True)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
FMUTEX_Lock(slot->objectLock);
rootKey->handle = slot->tokenIDCount++;
rootKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
FMUTEX_Unlock(slot->objectLock);
rootKey->objclass = theClass;
rootKey->slot = slot;
rootKey->inDB = PR_TRUE;
newKey = NewFortezzaKey(socket, Ks, NULL, 0);
if (newKey == NULL) {
fort11_FreeObject(rootKey);
return CKR_HOST_MEMORY;
}
rootKey->objectInfo = (void*)newKey;
rootKey->infoFree = fort11_FreeFortezzaKey;
fort11_AddObject(session, rootKey);
return CKR_OK;
}
static CK_RV
fort11_ConvertToKEAKey (PK11Object *privateKey, PK11Slot *slot) {
CK_OBJECT_CLASS theClass = CKO_PRIVATE_KEY;
CK_KEY_TYPE keyType = CKK_KEA;
CK_CHAR label[] = "A KEA private key Object";
CK_BBOOL True = TRUE;
CK_BBOOL False = FALSE;
if (fort11_AddAttributeType(privateKey, CKA_CLASS, &theClass,
sizeof (CK_OBJECT_CLASS)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_KEY_TYPE, &keyType,
sizeof (CK_KEY_TYPE)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_TOKEN, &True,
sizeof(CK_BBOOL)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType (privateKey, CKA_LABEL, label,
PORT_Strlen((char*)label)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType (privateKey, CKA_SENSITIVE,
&True, sizeof(CK_BBOOL)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType (privateKey, CKA_DERIVE,
&True, sizeof(CK_BBOOL)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_PRIVATE, &True,
sizeof(True)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_START_DATE, NULL, 0) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_END_DATE, NULL, 0) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
if (fort11_AddAttributeType(privateKey, CKA_LOCAL, &False,
sizeof(False)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
FMUTEX_Lock(slot->objectLock);
privateKey->handle = slot->tokenIDCount++;
privateKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
FMUTEX_Unlock(slot->objectLock);
privateKey->objclass = theClass;
privateKey->slot = slot;
privateKey->inDB = PR_TRUE;
return CKR_OK;
}
static CK_RV
fort11_ConvertToV1Key (PK11Object* privateKey, PK11Slot *slot) {
CK_RV rv;
CK_BBOOL True = TRUE;
rv = fort11_ConvertToDSAKey(privateKey, slot);
if (rv != CKR_OK) {
return rv;
}
if (fort11_AddAttributeType(privateKey, CKA_DERIVE, &True,
sizeof (CK_BBOOL)) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
return CKR_OK;
}
static CK_RV
fort11_NewPrivateKey(PK11Object *privKeyObject, PK11Slot *slot,CI_PERSON currPerson) {
PrivKeyType keyType = fort11_GetKeyType(currPerson.CertLabel);
CK_RV rv;
switch (keyType) {
case DSA_KEY:
rv = fort11_ConvertToDSAKey(privKeyObject, slot);
break;
case KEA_KEY:
rv = fort11_ConvertToKEAKey(privKeyObject, slot);
break;
case V1_KEY:
rv = fort11_ConvertToV1Key(privKeyObject, slot);
break;
default:
rv = CKR_GENERAL_ERROR;
break;
}
return rv;
}
PRBool
fort11_LoadCertObjectForSearch(CI_PERSON currPerson, PK11Slot *slot,
PK11Session *session, CI_PERSON *pers_array) {
PK11Object *certObject, *privKeyObject;
PK11Attribute *attribute, *newAttribute;
int ci_rv;
CI_CERTIFICATE cert;
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE certType = CKC_X_509;
CK_BBOOL cktrue = TRUE;
CK_BBOOL ckfalse = FALSE;
CertItem issuer, serial, subject;
int certSize;
char nickname[50];
char *cursor;
PrivKeyType priv_key;
int sibling;
certObject = fort11_NewObject(slot);
if (certObject == NULL)
return PR_FALSE;
ci_rv = MACI_GetCertificate (fortezzaSockets[slot->slotID-1].maciSession,
currPerson.CertificateIndex, cert);
if (ci_rv != CI_OK){
fort11_FreeObject(certObject);
return PR_FALSE;
}
ci_rv = fort11_GetCertFields(cert,CI_CERT_SIZE,&issuer,&serial,&subject);
if (ci_rv != CKR_OK) {
fort11_FreeObject(certObject);
return PR_FALSE;
}
if (fort11_AddAttributeType(certObject, CKA_CLASS, &certClass,
sizeof (CK_OBJECT_CLASS)) != CKR_OK) {
fort11_FreeObject (certObject);
return PR_FALSE;
}
if (fort11_AddAttributeType(certObject, CKA_TOKEN, &cktrue,
sizeof (CK_BBOOL)) != CKR_OK) {
fort11_FreeObject(certObject);
return PR_FALSE;
}
if (fort11_AddAttributeType(certObject, CKA_PRIVATE, &ckfalse,
sizeof (CK_BBOOL)) != CKR_OK) {
fort11_FreeObject(certObject);
return PR_FALSE;
}
/* check if the label represents a KEA key. if so, the
nickname should be made the same as the corresponding DSA
sibling cert. */
priv_key = fort11_GetKeyType(currPerson.CertLabel);
if (priv_key == KEA_KEY) {
sibling = fort11_GetSibling(currPerson.CertLabel);
/* check for failure of fort11_GetSibling. also check that
the sibling is not zero. */
if (sibling > 0) {
/* assign the KEA cert label to be the same as the
sibling DSA label */
sprintf (nickname, "%s", &pers_array[sibling-1].CertLabel[8] );
} else {
sprintf (nickname, "%s", &currPerson.CertLabel[8]);
}
} else {
sprintf (nickname, "%s", &currPerson.CertLabel[8]);
}
cursor = nickname+PORT_Strlen(nickname)-1;
while ((*cursor) == ' ') {
cursor--;
}
cursor[1] = '';
if (fort11_AddAttributeType(certObject, CKA_LABEL, nickname,
PORT_Strlen(nickname)) != CKR_OK) {
fort11_FreeObject(certObject);
return PR_FALSE;
}
if (fort11_AddAttributeType(certObject, CKA_CERTIFICATE_TYPE, &certType,
sizeof(CK_CERTIFICATE_TYPE)) != CKR_OK) {
fort11_FreeObject(certObject);
return PR_FALSE;
}
certSize = fort11_cert_length(cert,CI_CERT_SIZE);
if (fort11_AddAttributeType (certObject, CKA_VALUE, cert, certSize)
!= CI_OK) {
fort11_FreeObject(certObject);
return PR_FALSE;
}
if (fort11_AddAttributeType(certObject, CKA_ISSUER, issuer.data,
issuer.len) != CKR_OK) {
fort11_FreeObject (certObject);
return PR_FALSE;
}
if (fort11_AddAttributeType(certObject, CKA_SUBJECT, subject.data,
subject.len) != CKR_OK) {
fort11_FreeObject (certObject);
return PR_FALSE;
}
if (fort11_AddAttributeType(certObject, CKA_SERIAL_NUMBER,
serial.data, serial.len) != CKR_OK) {
fort11_FreeObject(certObject);
return PR_FALSE;
}
/*Change this to a byte array later*/
if (fort11_AddAttributeType(certObject, CKA_ID,
&currPerson.CertificateIndex,
sizeof(int)) != CKR_OK) {
fort11_FreeObject(certObject);
return PR_FALSE;
}
certObject->objectInfo = NULL;
certObject->infoFree = NULL;
certObject->objclass = certClass;
certObject->slot = slot;
certObject->inDB = PR_TRUE;
FMUTEX_Lock(slot->objectLock);
certObject->handle = slot->tokenIDCount++;
certObject->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_CERT);
FMUTEX_Unlock(slot->objectLock);
if (fort11_FortezzaIsUserCert (currPerson.CertLabel)) {
privKeyObject = fort11_NewObject(slot);
if (fort11_NewPrivateKey(privKeyObject, slot, currPerson) != CKR_OK) {
fort11_FreeObject(privKeyObject);
fort11_FreeObject(certObject);
return PR_FALSE;
}
if(fort11_AddAttributeType(privKeyObject,CKA_ID,
&currPerson.CertificateIndex,
sizeof(int)) != CKR_OK) {
fort11_FreeObject(privKeyObject);
fort11_FreeObject(certObject);
return PR_FALSE;
}
attribute = fort11_FindAttribute(certObject,CKA_SUBJECT);
newAttribute=
fort11_NewAttribute(pk11_attr_expand(&attribute->attrib));
fort11_FreeAttribute(attribute);
if (newAttribute != NULL) {
fort11_DeleteAttributeType(privKeyObject,
CKA_SUBJECT);
fort11_AddAttribute(privKeyObject,
newAttribute);
}
fort11_AddObject (session, privKeyObject);
}
fort11_AddObject (session, certObject);
return PR_TRUE;
}
#define TRUSTED_PAA "00000000Trusted Root PAA"
static int
fort11_BuildCertObjects(FortezzaSocket *currSocket, PK11Slot *slot,
PK11Session *session) {
int i;
CI_PERSON rootPAA;
PORT_Memcpy (rootPAA.CertLabel, TRUSTED_PAA, 1+PORT_Strlen (TRUSTED_PAA));
rootPAA.CertificateIndex = 0;
if (!fort11_LoadCertObjectForSearch(rootPAA, slot, session,
currSocket->personalityList)) {
return CKR_GENERAL_ERROR;
}
if (fort11_LoadRootPAAKey(slot, session) != CKR_OK) {
return CKR_GENERAL_ERROR;
}
for (i=0 ; i < currSocket->numPersonalities; i++) {
if (fort11_FortezzaIsACert (currSocket->personalityList[i].CertLabel)){
if (!fort11_LoadCertObjectForSearch(currSocket->personalityList[i],
slot, session,
currSocket->personalityList)){
return CKR_GENERAL_ERROR;
}
}
}
return CKR_OK;
}
PK11Slot*
fort11_SlotFromSessionHandle(CK_SESSION_HANDLE inHandle) {
CK_SESSION_HANDLE whichSlot = inHandle & SLOT_MASK;
if (whichSlot >= kNumSockets) return NULL_PTR;
return &fort11_slot[whichSlot];
}
PK11Slot*
fort11_SlotFromID (CK_SLOT_ID inSlotID) {
if (inSlotID == 0 || inSlotID > kNumSockets)
return NULL;
return &fort11_slot[inSlotID-1];
}
CK_ULONG fort11_firstSessionID (int inSlotNum) {
return (CK_ULONG)(inSlotNum);
}
/*
* Utility to convert passed in PIN to a CI_PIN
*/
void fort11_convertToCIPin (CI_PIN ciPin,CK_CHAR_PTR pPin, CK_ULONG ulLen) {
unsigned long i;
for (i=0; i<ulLen; i++) {
ciPin[i] = pPin[i];
}
ciPin[ulLen] = '';
}
/*
* return true if object has attribute
*/
static PRBool
fort11_hasAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
PK11Attribute *attribute;
FMUTEX_Lock(object->attributeLock);
pk11queue_find(attribute,type,object->head,HASH_SIZE);
FMUTEX_Unlock(object->attributeLock);
return (PRBool)(attribute != NULL);
}
/*
* create a new attribute with type, value, and length. Space is allocated
* to hold value.
*/
static PK11Attribute *
fort11_NewAttribute(CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value, CK_ULONG len) {
PK11Attribute *attribute;
CK_RV mrv;
attribute = (PK11Attribute*)PORT_Alloc(sizeof(PK11Attribute));
if (attribute == NULL) return NULL;
attribute->attrib.type = type;
if (value) {
attribute->attrib.pValue = (CK_VOID_PTR)PORT_Alloc(len);
if (attribute->attrib.pValue == NULL) {
PORT_Free(attribute);
return NULL;
}
PORT_Memcpy(attribute->attrib.pValue,value,len);
attribute->attrib.ulValueLen = len;
} else {
attribute->attrib.pValue = NULL;
attribute->attrib.ulValueLen = 0;
}
attribute->handle = type;
attribute->next = attribute->prev = NULL;
attribute->refCount = 1;
if (FMUTEX_MutexEnabled()) {
mrv = FMUTEX_Create (&attribute->refLock);
if (mrv != CKR_OK) {
if (attribute->attrib.pValue) PORT_Free(attribute->attrib.pValue);
PORT_Free(attribute);
return NULL;
}
} else {
attribute->refLock = NULL;
}
return attribute;
}
/*
* add an attribute to an object
*/
static
void fort11_AddAttribute(PK11Object *object,PK11Attribute *attribute) {
FMUTEX_Lock (object->attributeLock);
pk11queue_add(attribute,attribute->handle,object->head,HASH_SIZE);
FMUTEX_Unlock(object->attributeLock);
}
static CK_RV
fort11_AddAttributeType(PK11Object *object,CK_ATTRIBUTE_TYPE type,void *valPtr,
CK_ULONG length) {
PK11Attribute *attribute;
attribute = fort11_NewAttribute(type,valPtr,length);
if (attribute == NULL) { return CKR_HOST_MEMORY; }
fort11_AddAttribute(object,attribute);
return CKR_OK;
}
/* Make sure a given attribute exists. If it doesn't, initialize it to
* value and len
*/
static CK_RV
fort11_forceAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type,void *value,
unsigned int len) {
if ( !fort11_hasAttribute(object, type)) {
return fort11_AddAttributeType(object,type,value,len);
}
return CKR_OK;
}
/*
* look up and attribute structure from a type and Object structure.
* The returned attribute is referenced and needs to be freed when
* it is no longer needed.
*/
static PK11Attribute *
fort11_FindAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
PK11Attribute *attribute;
FMUTEX_Lock(object->attributeLock);
pk11queue_find(attribute,type,object->head,HASH_SIZE);
if (attribute) {
/* atomic increment would be nice here */
FMUTEX_Lock(attribute->refLock);
attribute->refCount++;
FMUTEX_Unlock(attribute->refLock);
}
FMUTEX_Unlock(object->attributeLock);
return(attribute);
}
/*
* this is only valid for CK_BBOOL type attributes. Return the state
* of that attribute.
*/
static PRBool
fort11_isTrue(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
PK11Attribute *attribute;
PRBool tok = PR_FALSE;
attribute=fort11_FindAttribute(object,type);
if (attribute == NULL) { return PR_FALSE; }
tok = (PRBool)(*(CK_BBOOL *)attribute->attrib.pValue);
fort11_FreeAttribute(attribute);
return tok;
}
/*
* add an object to a slot and session queue
*/
static
void fort11_AddSlotObject(PK11Slot *slot, PK11Object *object) {
FMUTEX_Lock(slot->objectLock);
pk11queue_add(object,object->handle,slot->tokObjects,HASH_SIZE);
FMUTEX_Unlock(slot->objectLock);
}
static
void fort11_AddObject(PK11Session *session, PK11Object *object) {
PK11Slot *slot = fort11_SlotFromSession(session);
if (!fort11_isToken(object->handle)) {
FMUTEX_Lock(session->objectLock);
pk11queue_add(&object->sessionList,0,session->objects,0);
FMUTEX_Unlock(session->objectLock);
}
fort11_AddSlotObject(slot,object);
}
/*
* free all the data associated with an object. Object reference count must
* be 'zero'.
*/
static CK_RV
fort11_DestroyObject(PK11Object *object) {
int i;
CK_RV crv = CKR_OK;
/* PORT_Assert(object->refCount == 0);*/
if (object->label) PORT_Free(object->label);
/* clean out the attributes */
/* since no one is referencing us, it's safe to walk the chain
* without a lock */
for (i=0; i < HASH_SIZE; i++) {
PK11Attribute *ap,*next;
for (ap = object->head[i]; ap != NULL; ap = next) {
next = ap->next;
/* paranoia */
ap->next = ap->prev = NULL;
fort11_FreeAttribute(ap);
}
object->head[i] = NULL;
}
FMUTEX_Destroy(object->attributeLock);
FMUTEX_Destroy(object->refLock);
if (object->objectInfo) {
(*object->infoFree)(object->objectInfo);
}
PORT_Free(object);
return crv;
}
/*
* release a reference to an attribute structure
*/
static void
fort11_FreeAttribute(PK11Attribute *attribute) {
PRBool destroy = PR_FALSE;
FMUTEX_Lock(attribute->refLock);
if (attribute->refCount == 1) destroy = PR_TRUE;
attribute->refCount--;
FMUTEX_Unlock(attribute->refLock);
if (destroy) fort11_DestroyAttribute(attribute);
}
/*
* release a reference to an object handle
*/
static PK11FreeStatus
fort11_FreeObject(PK11Object *object) {
PRBool destroy = PR_FALSE;
CK_RV crv;
FMUTEX_Lock(object->refLock);
if (object->refCount == 1) destroy = PR_TRUE;
object->refCount--;
FMUTEX_Unlock(object->refLock);
if (destroy) {
crv = fort11_DestroyObject(object);
if (crv != CKR_OK) {
return PK11_DestroyFailure;
}
return PK11_Destroyed;
}
return PK11_Busy;
}
static void
fort11_update_state(PK11Slot *slot,PK11Session *session) {
if (slot->isLoggedIn) {
if (slot->ssoLoggedIn) {
session->info.state = CKS_RW_SO_FUNCTIONS;
} else if (session->info.flags & CKF_RW_SESSION) {
session->info.state = CKS_RW_USER_FUNCTIONS;
} else {
session->info.state = CKS_RO_USER_FUNCTIONS;
}
} else {
if (session->info.flags & CKF_RW_SESSION) {
session->info.state = CKS_RW_PUBLIC_SESSION;
} else {
session->info.state = CKS_RO_PUBLIC_SESSION;
}
}
}
/* update the state of all the sessions on a slot */
static void
fort11_update_all_states(PK11Slot *slot) {
int i;
PK11Session *session;
for (i=0; i < SESSION_HASH_SIZE; i++) {
FMUTEX_Lock(slot->sessionLock);
for (session = slot->head[i]; session; session = session->next) {
fort11_update_state(slot,session);
}
FMUTEX_Unlock(slot->sessionLock);
}
}
/*
* Create a new object
*/
static PK11Object *
fort11_NewObject(PK11Slot *slot) {
PK11Object *object;
CK_RV mrv;
int i;
object = (PK11Object*)PORT_Alloc(sizeof(PK11Object));
if (object == NULL) return NULL;
object->handle = 0;
object->next = object->prev = NULL;
object->sessionList.next = NULL;
object->sessionList.prev = NULL;
object->sessionList.parent = object;
object->inDB = PR_FALSE;
object->label = NULL;
object->refCount = 1;
object->session = NULL;
object->slot = slot;
object->objclass = 0xffff;
if (FMUTEX_MutexEnabled()) {
mrv = FMUTEX_Create(&object->refLock);
if (mrv != CKR_OK) {
PORT_Free(object);
return NULL;
}
mrv = FMUTEX_Create(&object->attributeLock);
if (mrv != CKR_OK) {
FMUTEX_Destroy(object->refLock);
PORT_Free(object);
return NULL;
}
} else {
object->attributeLock = NULL;
object->refLock = NULL;
}
for (i=0; i < HASH_SIZE; i++) {
object->head[i] = NULL;
}
object->objectInfo = NULL;
object->infoFree = NULL;
return object;
}
/*
* look up and object structure from a handle. OBJECT_Handles only make
* sense in terms of a given session. make a reference to that object
* structure returned.
*/
static PK11Object * fort11_ObjectFromHandle(CK_OBJECT_HANDLE handle,
PK11Session *session) {
PK11Object **head;
void *lock;
PK11Slot *slot = fort11_SlotFromSession(session);
PK11Object *object;
/*
* Token objects are stored in the slot. Session objects are stored
* with the session.
*/
head = slot->tokObjects;
lock = slot->objectLock;
FMUTEX_Lock(lock);
pk11queue_find(object,handle,head,HASH_SIZE);
if (object) {
FMUTEX_Lock(object->refLock);
object->refCount++;
FMUTEX_Unlock(object->refLock);
}
FMUTEX_Unlock(lock);
return(object);
}
/*
* add an object to a slot andsession queue
*/
static
void fort11_DeleteObject(PK11Session *session, PK11Object *object) {
PK11Slot *slot;
if (session == NULL)
return;
slot = fort11_SlotFromSession(session);
if (!fort11_isToken(object->handle)) {
FMUTEX_Lock(session->objectLock);
pk11queue_delete(&object->sessionList,0,session->objects,0);
FMUTEX_Unlock(session->objectLock);
}
FMUTEX_Lock(slot->objectLock);
pk11queue_delete(object,object->handle,slot->tokObjects,HASH_SIZE);
FMUTEX_Unlock(slot->objectLock);
fort11_FreeObject(object);
}
/*
* ******************** Search Utilities *******************************
*/
/* add an object to a search list */
CK_RV
fort11_AddToList(PK11ObjectListElement **list,PK11Object *object) {
PK11ObjectListElement *newelem =
(PK11ObjectListElement *)PORT_Alloc(sizeof(PK11ObjectListElement));
if (newelem == NULL) return CKR_HOST_MEMORY;
newelem->next = *list;
newelem->object = object;
FMUTEX_Lock(object->refLock);
object->refCount++;
FMUTEX_Unlock(object->refLock);
*list = newelem;
return CKR_OK;
}
/*
* free a single list element. Return the Next object in the list.
*/
PK11ObjectListElement *
fort11_FreeObjectListElement(PK11ObjectListElement *objectList) {
PK11ObjectListElement *ol = objectList->next;
fort11_FreeObject(objectList->object);
PORT_Free(objectList);
return ol;
}
/* free an entire object list */
void
fort11_FreeObjectList(PK11ObjectListElement *objectList) {
PK11ObjectListElement *ol;
for (ol= objectList; ol != NULL; ol = fort11_FreeObjectListElement(ol)) {}
}
/*
* free a search structure
*/
void
fort11_FreeSearch(PK11SearchResults *search) {
if (search->handles) {
PORT_Free(search->handles);
}
PORT_Free(search);
}
/*
* Free up all the memory associated with an attribute. Reference count
* must be zero to call this.
*/
static void
fort11_DestroyAttribute(PK11Attribute *attribute) {
/*PORT_Assert(attribute->refCount == 0);*/
FMUTEX_Destroy(attribute->refLock);
if (attribute->attrib.pValue) {
/* clear out the data in the attribute value... it may have been
* sensitive data */
PORT_Memset(attribute->attrib.pValue,0,attribute->attrib.ulValueLen);
PORT_Free(attribute->attrib.pValue);
}
PORT_Free(attribute);
}
/*
* delete an attribute from an object
*/
static void
fort11_DeleteAttribute(PK11Object *object, PK11Attribute *attribute) {
FMUTEX_Lock(object->attributeLock);
if (attribute->next || attribute->prev) {
pk11queue_delete(attribute,attribute->handle,
object->head,HASH_SIZE);
}
FMUTEX_Unlock(object->attributeLock);
fort11_FreeAttribute(attribute);
}
/*
* decode when a particular attribute may be modified
* PK11_NEVER: This attribute must be set at object creation time and
* can never be modified.
* PK11_ONCOPY: This attribute may be modified only when you copy the
* object.
* PK11_SENSITIVE: The CKA_SENSITIVE attribute can only be changed from
* FALSE to TRUE.
* PK11_ALWAYS: This attribute can always be modified.
* Some attributes vary their modification type based on the class of the
* object.
*/
PK11ModifyType
fort11_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass) {
/* if we don't know about it, user user defined, always allow modify */
PK11ModifyType mtype = PK11_ALWAYS;
switch(type) {
/* NEVER */
case CKA_CLASS:
case CKA_CERTIFICATE_TYPE:
case CKA_KEY_TYPE:
case CKA_MODULUS:
case CKA_MODULUS_BITS:
case CKA_PUBLIC_EXPONENT:
case CKA_PRIVATE_EXPONENT:
case CKA_PRIME:
case CKA_SUBPRIME:
case CKA_BASE:
case CKA_PRIME_1:
case CKA_PRIME_2:
case CKA_EXPONENT_1:
case CKA_EXPONENT_2:
case CKA_COEFFICIENT:
case CKA_VALUE_LEN:
mtype = PK11_NEVER;
break;
/* ONCOPY */
case CKA_TOKEN:
case CKA_PRIVATE:
mtype = PK11_ONCOPY;
break;
/* SENSITIVE */
case CKA_SENSITIVE:
mtype = PK11_SENSITIVE;
break;
/* ALWAYS */
case CKA_LABEL:
case CKA_APPLICATION:
case CKA_ID:
case CKA_SERIAL_NUMBER:
case CKA_START_DATE:
case CKA_END_DATE:
case CKA_DERIVE:
case CKA_ENCRYPT:
case CKA_DECRYPT:
case CKA_SIGN:
case CKA_VERIFY:
case CKA_SIGN_RECOVER:
case CKA_VERIFY_RECOVER:
case CKA_WRAP:
case CKA_UNWRAP:
mtype = PK11_ALWAYS;
break;
/* DEPENDS ON CLASS */
case CKA_VALUE:
mtype = (inClass == CKO_DATA) ? PK11_ALWAYS : PK11_NEVER;
break;
case CKA_SUBJECT:
mtype = (inClass == CKO_CERTIFICATE) ? PK11_NEVER : PK11_ALWAYS;
break;
default:
break;
}
return mtype;
}
/* decode if a particular attribute is sensitive (cannot be read
* back to the user of if the object is set to SENSITIVE) */
PRBool
fort11_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass) {
switch(type) {
/* ALWAYS */
case CKA_PRIVATE_EXPONENT:
case CKA_PRIME_1:
case CKA_PRIME_2:
case CKA_EXPONENT_1:
case CKA_EXPONENT_2:
case CKA_COEFFICIENT:
return PR_TRUE;
/* DEPENDS ON CLASS */
case CKA_VALUE:
/* PRIVATE and SECRET KEYS have SENSITIVE values */
return (PRBool)((inClass == CKO_PRIVATE_KEY) ||
(inClass == CKO_SECRET_KEY));
default:
break;
}
return PR_FALSE;
}
static void
fort11_DeleteAttributeType(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
PK11Attribute *attribute;
attribute = fort11_FindAttribute(object, type);
if (attribute == NULL) return ;
fort11_DeleteAttribute(object,attribute);
}
/*
* create a new nession. NOTE: The session handle is not set, and the
* session is not added to the slot's session queue.
*/
static PK11Session *
fort11_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
CK_VOID_PTR pApplication,
CK_FLAGS flags) {
PK11Session *session;
PK11Slot *slot = &fort11_slot[slotID-1];
CK_RV mrv;
if (slot == NULL) return NULL;
session = (PK11Session*)PORT_Alloc(sizeof(PK11Session));
if (session == NULL) return NULL;
session->next = session->prev = NULL;
session->refCount = 1;
session->context = NULL;
session->search = NULL;
session->objectIDCount = 1;
session->fortezzaContext.fortezzaKey = NULL;
session->fortezzaContext.fortezzaSocket = NULL;
if (FMUTEX_MutexEnabled()) {
mrv = FMUTEX_Create(&session->refLock);
if (mrv != CKR_OK) {
PORT_Free(session);
return NULL;
}
mrv = FMUTEX_Create(&session->objectLock);
if (mrv != CKR_OK) {
FMUTEX_Destroy(session->refLock);
PORT_Free(session);
return NULL;
}
} else {
session->refLock = NULL;
session->objectLock = NULL;
}
session->objects[0] = NULL;
session->slot = slot;
session->notify = notify;
session->appData = pApplication;
session->info.flags = flags;
session->info.slotID = slotID;
fort11_update_state(slot,session);
return session;
}
/*
* look up a session structure from a session handle
* generate a reference to it.
*/
PK11Session *
fort11_SessionFromHandle(CK_SESSION_HANDLE handle, PRBool isCloseSession) {
PK11Slot *slot = fort11_SlotFromSessionHandle(handle);
PK11Session *session;
if (!isCloseSession &&
!SocketStateUnchanged(&fortezzaSockets[slot->slotID-1]))
return NULL;
FMUTEX_Lock(slot->sessionLock);
pk11queue_find(session,handle,slot->head,SESSION_HASH_SIZE);
if (session) session->refCount++;
FMUTEX_Unlock(slot->sessionLock);
return (session);
}
/* free all the data associated with a session. */
static void
fort11_DestroySession(PK11Session *session)
{
PK11ObjectList *op,*next;
/* PORT_Assert(session->refCount == 0);*/
/* clean out the attributes */
FMUTEX_Lock(session->objectLock);
for (op = session->objects[0]; op != NULL; op = next) {
next = op->next;
/* paranoia */
op->next = op->prev = NULL;
fort11_DeleteObject(session,op->parent);
}
FMUTEX_Unlock(session->objectLock);
FMUTEX_Destroy(session->objectLock);
FMUTEX_Destroy(session->refLock);
if (session->search) {
fort11_FreeSearch(session->search);
}
pk11queue_delete(session, session->handle, session->slot->head,
SESSION_HASH_SIZE);
PORT_Free(session);
}
/*
* release a reference to a session handle
*/
void
fort11_FreeSession(PK11Session *session) {
PRBool destroy = PR_FALSE;
PK11Slot *slot = NULL;
if (!session) return; /*Quick fix to elminate crash*/
/*Fix in later version */
if (FMUTEX_MutexEnabled()) {
slot = fort11_SlotFromSession(session);
FMUTEX_Lock(slot->sessionLock);
}
if (session->refCount == 1) destroy = PR_TRUE;
session->refCount--;
if (FMUTEX_MutexEnabled()) {
FMUTEX_Unlock(slot->sessionLock);
}
if (destroy) {
fort11_DestroySession(session);
}
}
/* return true if the object matches the template */
PRBool
fort11_objectMatch(PK11Object *object,CK_ATTRIBUTE_PTR theTemplate,int count) {
int i;
for (i=0; i < count; i++) {
PK11Attribute *attribute =
fort11_FindAttribute(object,theTemplate[i].type);
if (attribute == NULL) {
return PR_FALSE;
}
if (attribute->attrib.ulValueLen == theTemplate[i].ulValueLen) {
if (PORT_Memcmp(attribute->attrib.pValue,theTemplate[i].pValue,
theTemplate[i].ulValueLen) == 0) {
fort11_FreeAttribute(attribute);
continue;
}
}
fort11_FreeAttribute(attribute);
return PR_FALSE;
}
return PR_TRUE;
}
/* search through all the objects in the queue and return the template matches
* in the object list.
*/
CK_RV
fort11_searchObjectList(PK11ObjectListElement **objectList,PK11Object **head,
void *lock, CK_ATTRIBUTE_PTR theTemplate, int count) {
int i;
PK11Object *object;
CK_RV rv;
for(i=0; i < HASH_SIZE; i++) {
/* We need to hold the lock to copy a consistant version of
* the linked list. */
FMUTEX_Lock(lock);
for (object = head[i]; object != NULL; object= object->next) {
if (fort11_objectMatch(object,theTemplate,count)) {
rv = fort11_AddToList(objectList,object);
if (rv != CKR_OK) {
return rv;
}
}
}
FMUTEX_Unlock(lock);
}
return CKR_OK;
}
static PRBool
fort11_NotAllFuncsNULL (CK_C_INITIALIZE_ARGS_PTR pArgs) {
return (PRBool)(pArgs && pArgs->CreateMutex && pArgs->DestroyMutex &&
pArgs->LockMutex && pArgs->UnlockMutex);
}
static PRBool
fort11_InArgCheck(CK_C_INITIALIZE_ARGS_PTR pArgs) {
PRBool rv;
/* The only check for now, is to make sure that all of the
* function pointers are either all NULL or all Non-NULL.
* We also need to make sure the pReserved field in pArgs is
* set to NULL.
*/
if (pArgs == NULL) {
return PR_TRUE; /* If the argument is NULL, no
* inconsistencies can exist.
*/
}
if (pArgs->pReserved != NULL) {
return PR_FALSE;
}
if (pArgs->CreateMutex != NULL) {
rv = (PRBool) (pArgs->DestroyMutex != NULL &&
pArgs->LockMutex != NULL &&
pArgs->UnlockMutex != NULL);
} else { /*pArgs->CreateMutex == NULL*/
rv = (PRBool) (pArgs->DestroyMutex == NULL &&
pArgs->LockMutex == NULL &&
pArgs->UnlockMutex == NULL);
}
return rv;
}
/**********************************************************************
*
* Start of PKCS 11 functions
*
**********************************************************************/
/**********************************************************************
*
* In order to get this to work on 68K, we have to do some special tricks,
* First trick is that we need to make the module a Code Resource, and
* all Code Resources on 68K have to have a main function. So we
* define main to be a wrapper for C_GetFunctionList which will be the
* first funnction called by any software that uses the PKCS11 module.
*
* The second trick is that whenever you access a global variable from
* the Code Resource, it does funny things to the stack on 68K, so we
* need to call some macros that handle the stack for us. First thing
* you do is call EnterCodeResource() first thing in a function that
* accesses a global, right before you leave that function, you call
* ExitCodeResource. This will take care of stack management.
*
* Third trick is to call __InitCode__() when we first enter the module
* so that all of the global variables get initialized properly.
*
**********************************************************************/
#if defined(XP_MAC) && !defined(__POWERPC__)
#define FORT11_RETURN(exp) {ExitCodeResource(); return (exp);}
#define FORT11_ENTER() EnterCodeResource();
#else /*XP_MAC*/
#define FORT11_RETURN(exp) return (exp);
#define FORT11_ENTER()
#endif /*XP_MAC*/
#define CARD_OK(rv) if ((rv) != CI_OK) FORT11_RETURN (CKR_DEVICE_ERROR);
#define SLOT_OK(slot) if ((slot) > kNumSockets) FORT11_RETURN (CKR_SLOT_ID_INVALID);
#ifdef XP_MAC
/* This is not a 4.0 project, so I can't depend on
* 4.0 defines, so instead I depend on CodeWarrior
* defines.
*/
#if __POWERPC__
#elif __CFM68K__
#else
/* To get this to work on 68K, we need to have
* the symbol main. So we just make it a wrapper for C_GetFunctionList.
*/
PR_PUBLIC_API(CK_RV) main(CK_FUNCTION_LIST_PTR *pFunctionList) {
FORT11_ENTER()
CK_RV rv;
__InitCode__();
rv = C_GetFunctionList(pFunctionList);
FORT11_RETURN (rv);
}
#endif
#endif /*XP_MAC*/
/* Return the function list */
PR_PUBLIC_API(CK_RV) C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) {
/* No need to do a FORT11_RETURN as this function will never be directly
* called in the case where we need to do stack management.
* The main function will call this after taking care of stack stuff.
*/
*pFunctionList = &fort11_funcList;
return CKR_OK;
}
/* C_Initialize initializes the Cryptoki library. */
PR_PUBLIC_API(CK_RV) C_Initialize(CK_VOID_PTR pReserved) {
FORT11_ENTER()
int i,j, tempNumSockets;
int rv = 1;
CK_C_INITIALIZE_ARGS_PTR pArgs = (CK_C_INITIALIZE_ARGS_PTR)pReserved;
CK_RV mrv;
/* intialize all the slots */
if (!init) {
init = PR_TRUE;
/* need to initialize locks before MACI_Initialize is called in
* software fortezza. */
if (pArgs) {
if (!fort11_InArgCheck(pArgs)) {
FORT11_RETURN (CKR_ARGUMENTS_BAD);
}
if (pArgs->flags & CKF_OS_LOCKING_OK){
if (!fort11_NotAllFuncsNULL(pArgs)) {
FORT11_RETURN (CKR_CANT_LOCK);
}
}
if (fort11_NotAllFuncsNULL(pArgs)) {
mrv = FMUTEX_Init(pArgs);
if (mrv != CKR_OK) {
return CKR_GENERAL_ERROR;
}
}
}
rv = MACI_Initialize (&tempNumSockets);
kNumSockets = (CK_ULONG)tempNumSockets;
CARD_OK (rv);
for (i=0; i < (int) kNumSockets; i++) {
if (FMUTEX_MutexEnabled()) {
mrv = FMUTEX_Create(&fort11_slot[i].sessionLock);
if (mrv != CKR_OK) {
FORT11_RETURN (CKR_GENERAL_ERROR);
}
mrv = FMUTEX_Create(&fort11_slot[i].objectLock);
if (mrv != CKR_OK) {
FMUTEX_Destroy(fort11_slot[i].sessionLock);
FORT11_RETURN (CKR_GENERAL_ERROR);
}
} else {
fort11_slot[i].sessionLock = NULL;
fort11_slot[i].objectLock = NULL;
}
for(j=0; j < SESSION_HASH_SIZE; j++) {
fort11_slot[i].head[j] = NULL;
}
for(j=0; j < HASH_SIZE; j++) {
fort11_slot[i].tokObjects[j] = NULL;
}
fort11_slot[i].password = NULL;
fort11_slot[i].hasTokens = PR_FALSE;
fort11_slot[i].sessionIDCount = fort11_firstSessionID (i);
fort11_slot[i].sessionCount = 0;
fort11_slot[i].rwSessionCount = 0;
fort11_slot[i].tokenIDCount = 1;
fort11_slot[i].needLogin = PR_TRUE;
fort11_slot[i].isLoggedIn = PR_FALSE;
fort11_slot[i].ssoLoggedIn = PR_FALSE;
fort11_slot[i].DB_loaded = PR_FALSE;
fort11_slot[i].slotID= i+1;
InitSocket(&fortezzaSockets[i], i+1);
}
}
FORT11_RETURN (CKR_OK);
}
/*C_Finalize indicates that an application is done with the Cryptoki library.*/
PR_PUBLIC_API(CK_RV) C_Finalize (CK_VOID_PTR pReserved) {
FORT11_ENTER()
int i;
for (i=0; i< (int) kNumSockets; i++) {
FreeSocket(&fortezzaSockets[i]);
}
MACI_Terminate(fortezzaSockets[0].maciSession);
init = PR_FALSE;
FORT11_RETURN (CKR_OK);
}
/* C_GetInfo returns general information about Cryptoki. */
PR_PUBLIC_API(CK_RV) C_GetInfo(CK_INFO_PTR pInfo) {
FORT11_ENTER()
pInfo->cryptokiVersion = fort11_funcList.version;
PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
pInfo->libraryVersion.major = 1;
pInfo->libraryVersion.minor = 7;
PORT_Memcpy(pInfo->libraryDescription,libraryDescription,32);
pInfo->flags = 0;
FORT11_RETURN (CKR_OK);
}
/* C_GetSlotList obtains a list of slots in the system. */
PR_PUBLIC_API(CK_RV) C_GetSlotList(CK_BBOOL tokenPresent,
CK_SLOT_ID_PTR pSlotList,
CK_ULONG_PTR pulCount) {
FORT11_ENTER()
int i;
if (pSlotList != NULL) {
if (*pulCount >= kNumSockets) {
for (i=0; i < (int) kNumSockets; i++) {
pSlotList[i] = i+1;
}
} else {
FORT11_RETURN (CKR_BUFFER_TOO_SMALL);
}
} else {
*pulCount = kNumSockets;
}
FORT11_RETURN (CKR_OK);
}
/* C_GetSlotInfo obtains information about a particular slot in the system. */
PR_PUBLIC_API(CK_RV) C_GetSlotInfo(CK_SLOT_ID slotID,
CK_SLOT_INFO_PTR pInfo) {
FORT11_ENTER()
int rv;
CI_CONFIG ciConfig;
CI_STATE ciState;
HSESSION maciSession;
char slotDescription[65];
FortezzaSocket *socket;
SLOT_OK(slotID);
socket = &fortezzaSockets[slotID-1];
if (!socket->isOpen) {
InitSocket(socket, slotID);
}
maciSession = socket->maciSession;
rv = MACI_Select(maciSession, slotID);
CARD_OK (rv)
rv = MACI_GetConfiguration (maciSession, &ciConfig);
pInfo->firmwareVersion.major = 0;
pInfo->firmwareVersion.minor = 0;
#ifdef SWFORT
PORT_Memcpy (pInfo->manufacturerID,"Netscape Communications Corp ",32);
PORT_Memcpy (slotDescription,"Netscape Software Slot # ",32);
#define _local_BASE 24
#else
PORT_Memcpy (pInfo->manufacturerID,"LITRONIC ",32);
PORT_Memcpy (slotDescription,"Litronic MACI Slot # ",32);
#define _local_BASE 20
#endif
slotDescription[_local_BASE] = (char )((slotID < 10) ? slotID :
slotID/10) + '0';
if (slotID >= 10) slotDescription[_local_BASE+1] =
(char)(slotID % 10) + '0';
PORT_Memcpy (&slotDescription[32]," ",32);
PORT_Memcpy (pInfo->slotDescription, slotDescription , 64);
if (rv == CI_OK) {
pInfo->hardwareVersion.major =
(ciConfig.ManufacturerVersion & MAJOR_VERSION_MASK) >> 8;
pInfo->hardwareVersion.minor =
ciConfig.ManufacturerVersion & MINOR_VERSION_MASK;
pInfo->flags = CKF_TOKEN_PRESENT;
} else {
pInfo->hardwareVersion.major = 0;
pInfo->hardwareVersion.minor = 0;
pInfo->flags = 0;
}
#ifdef SWFORT
/* do we need to make it a removable device as well?? */
pInfo->flags |= CKF_REMOVABLE_DEVICE;
#else
pInfo->flags |= (CKF_REMOVABLE_DEVICE | CKF_HW_SLOT);
#endif
rv = MACI_GetState(maciSession, &ciState);
if (rv == CI_OK) {
switch (ciState) {
case CI_ZEROIZE:
case CI_INTERNAL_FAILURE:
pInfo->flags &= (~CKF_TOKEN_PRESENT);
default:
break;
}
} else {
pInfo->flags &= (~CKF_TOKEN_PRESENT);
}
FORT11_RETURN (CKR_OK);
}
#define CKF_THREAD_SAFE 0x8000
/* C_GetTokenInfo obtains information about a particular token
in the system. */
PR_PUBLIC_API(CK_RV) C_GetTokenInfo(CK_SLOT_ID slotID,
CK_TOKEN_INFO_PTR pInfo) {
FORT11_ENTER()
CI_STATUS cardStatus;
CI_CONFIG ciConfig;
PK11Slot *slot;
int rv, i;
char tmp[33];
FortezzaSocket *socket;
SLOT_OK (slotID);
slot = &fort11_slot[slotID-1];
socket = &fortezzaSockets[slotID-1];
if (!socket->isOpen) {
InitSocket(socket, slotID);
}
rv = MACI_Select (socket->maciSession, slotID);
rv = MACI_GetStatus (socket->maciSession, &cardStatus);
if (rv != CI_OK) {
FORT11_RETURN (CKR_DEVICE_ERROR);
}
#ifdef SWFORT
sprintf (tmp, "Software FORTEZZA Slot #%d", slotID);
#else
sprintf (tmp, "FORTEZZA Slot #%d", slotID);
#endif
PORT_Memcpy (pInfo->label, tmp, PORT_Strlen(tmp)+1);
for (i=0; i<8; i++) {
int serNum;
serNum = (int)cardStatus.SerialNumber[i];
sprintf ((char*)&pInfo->serialNumber[2*i], "%.2x", serNum);
}
rv = MACI_GetTime (fortezzaSockets[slotID-1].maciSession, pInfo->utcTime);
if (rv == CI_OK) {
pInfo->flags = CKF_CLOCK_ON_TOKEN;
} else {
switch (rv) {
case CI_LIB_NOT_INIT:
case CI_INV_POINTER:
case CI_NO_CARD:
case CI_NO_SOCKET:
FORT11_RETURN (CKR_DEVICE_ERROR);
default:
pInfo->flags = 0;
break;
}
}
rv = MACI_GetConfiguration (fortezzaSockets[slotID-1].maciSession,
&ciConfig);
if (rv == CI_OK) {
PORT_Memcpy(pInfo->manufacturerID,ciConfig.ManufacturerName,
PORT_Strlen(ciConfig.ManufacturerName));
for (i=PORT_Strlen(ciConfig.ManufacturerName); i<32; i++) {
pInfo->manufacturerID[i] = ' ';
}
PORT_Memcpy(pInfo->model,ciConfig.ProcessorType,16);
}
pInfo->ulMaxPinLen = CI_PIN_SIZE;
pInfo->ulMinPinLen = 0;
pInfo->ulTotalPublicMemory = 0;
pInfo->ulFreePublicMemory = 0;
pInfo->flags |= CKF_RNG | CKF_LOGIN_REQUIRED| CKF_USER_PIN_INITIALIZED |
CKF_THREAD_SAFE | CKF_WRITE_PROTECTED;
pInfo->ulMaxSessionCount = 0;
pInfo->ulSessionCount = slot->sessionCount;
pInfo->ulMaxRwSessionCount = 0;
pInfo->ulRwSessionCount = slot->rwSessionCount;
if (rv == CI_OK) {
pInfo->firmwareVersion.major =
(ciConfig.ManufacturerSWVer & MAJOR_VERSION_MASK) >> 8;
pInfo->firmwareVersion.minor =
ciConfig.ManufacturerSWVer & MINOR_VERSION_MASK;
pInfo->hardwareVersion.major =
(ciConfig.ManufacturerVersion & MAJOR_VERSION_MASK) >> 8;
pInfo->hardwareVersion.minor =
ciConfig.ManufacturerVersion & MINOR_VERSION_MASK;
}
FORT11_RETURN (CKR_OK);
}
/* C_GetMechanismList obtains a list of mechanism types supported by a
token. */
PR_PUBLIC_API(CK_RV) C_GetMechanismList(CK_SLOT_ID slotID,
CK_MECHANISM_TYPE_PTR pMechanismList,
CK_ULONG_PTR pulCount) {
FORT11_ENTER()
CK_RV rv = CKR_OK;
int i;
SLOT_OK (slotID);
if (pMechanismList == NULL) {
*pulCount = mechanismCount;
} else {
if (*pulCount >= mechanismCount) {
*pulCount = mechanismCount;
for (i=0; i< (int)mechanismCount; i++) {
pMechanismList[i] = mechanisms[i].type;
}
} else {
rv = CKR_BUFFER_TOO_SMALL;
}
}
FORT11_RETURN (rv);
}
/* C_GetMechanismInfo obtains information about a particular mechanism
* possibly supported by a token. */
PR_PUBLIC_API(CK_RV) C_GetMechanismInfo(CK_SLOT_ID slotID,
CK_MECHANISM_TYPE type,
CK_MECHANISM_INFO_PTR pInfo) {
int i;
FORT11_ENTER()
SLOT_OK (slotID);
for (i=0; i< (int)mechanismCount; i++) {
if (type == mechanisms[i].type) {