From 8cb2ba5dd37822ab86dc49b6c5b9e0435f3987c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Thu, 20 May 2021 16:26:53 +0200 Subject: [PATCH 1/3] Remove native PKCS#11 support The native PKCS#11 support has been removed in favour of better maintained, more performance and easier to use OpenSSL PKCS#11 engine from the OpenSC project. --- README.md | 5 +- bin/Makefile.am | 4 - bin/confgen/keygen.c | 2 - bin/confgen/rndc-confgen.c | 2 - bin/confgen/tsig-keygen.c | 7 - bin/dig/dig.c | 2 - bin/dig/dighost.c | 9 - bin/dnssec/dnssec-cds.c | 7 - bin/dnssec/dnssec-dsfromkey.c | 7 - bin/dnssec/dnssec-importkey.c | 7 - bin/dnssec/dnssec-keyfromlabel.c | 23 +- bin/dnssec/dnssec-keyfromlabel.rst | 20 +- bin/dnssec/dnssec-keygen.c | 16 - bin/dnssec/dnssec-keygen.rst | 5 +- bin/dnssec/dnssec-revoke.c | 14 - bin/dnssec/dnssec-revoke.rst | 5 +- bin/dnssec/dnssec-settime.c | 17 - bin/dnssec/dnssec-settime.rst | 5 +- bin/dnssec/dnssec-signzone.c | 14 - bin/dnssec/dnssec-signzone.rst | 5 +- bin/dnssec/dnssec-verify.c | 14 - bin/dnssec/dnssec-verify.rst | 5 +- bin/named/config.c | 2 - bin/named/main.c | 6 - bin/named/named.rst | 5 +- bin/nsupdate/nsupdate.c | 2 - bin/pkcs11/.gitignore | 4 - bin/pkcs11/Makefile.am | 13 - bin/pkcs11/pkcs11-destroy.c | 265 --- bin/pkcs11/pkcs11-destroy.rst | 71 - bin/pkcs11/pkcs11-keygen.c | 476 ---- bin/pkcs11/pkcs11-keygen.rst | 90 - bin/pkcs11/pkcs11-list.c | 274 --- bin/pkcs11/pkcs11-list.rst | 66 - bin/pkcs11/pkcs11-tokens.c | 101 - bin/pkcs11/pkcs11-tokens.rst | 53 - bin/rndc/rndc.c | 2 - bin/tests/system/Makefile.am | 4 - bin/tests/system/cleanpkcs11.sh | 14 - bin/tests/system/conf.sh.common | 3 - bin/tests/system/conf.sh.in | 5 +- bin/tests/system/dnssec/tests.sh | 6 - .../pkcs11/2037-pk11_numbits-crash-test.pkt | 20 - bin/tests/system/pkcs11/clean.sh | 19 - bin/tests/system/pkcs11/ns1/example.db.in | 22 - bin/tests/system/pkcs11/ns1/named.conf.in | 34 - bin/tests/system/pkcs11/setup.sh | 91 - bin/tests/system/pkcs11/tests.sh | 146 -- bin/tests/system/pkcs11/usepkcs11 | 1 - bin/tests/system/rsabigexponent/bigkey.c | 5 - bin/tests/system/run.sh.in | 12 - bin/tests/system/testcrypto.sh | 2 - bin/tests/system/tkey/keycreate.c | 2 - bin/tests/system/tkey/keydelete.c | 2 - configure.ac | 47 - doc/arm/manpages.rst | 4 - doc/arm/pkcs11.rst | 273 +-- doc/man/Makefile.am | 22 +- doc/man/conf.py | 4 - doc/man/dnssec-keyfromlabel.1in | 20 +- doc/man/dnssec-keygen.1in | 5 +- doc/man/dnssec-revoke.1in | 5 +- doc/man/dnssec-settime.1in | 5 +- doc/man/dnssec-signzone.1in | 5 +- doc/man/dnssec-verify.1in | 5 +- doc/man/named.8in | 5 +- doc/man/pkcs11-destroy.1in | 74 - doc/man/pkcs11-destroy.rst | 13 - doc/man/pkcs11-keygen.1in | 95 - doc/man/pkcs11-keygen.rst | 13 - doc/man/pkcs11-list.1in | 73 - doc/man/pkcs11-list.rst | 13 - doc/man/pkcs11-tokens.1in | 58 - doc/man/pkcs11-tokens.rst | 13 - lib/bind9/check.c | 2 - lib/dns/Makefile.am | 17 +- lib/dns/dnssec.c | 2 - lib/dns/dst_api.c | 18 - lib/dns/dst_internal.h | 39 +- lib/dns/dst_parse.c | 2 - lib/dns/dst_pkcs11.h | 41 - lib/dns/hmac_link.c | 2 - lib/dns/include/dns/tsig.h | 1 - lib/dns/openssldh_link.c | 2 - lib/dns/opensslrsa_link.c | 2 - lib/dns/pkcs11.c | 33 - lib/dns/pkcs11ecdsa_link.c | 1149 --------- lib/dns/pkcs11eddsa_link.c | 1119 --------- lib/dns/pkcs11rsa_link.c | 2102 ----------------- lib/dns/rcode.c | 2 - lib/dns/tests/dh_test.c | 2 - lib/dns/tests/rsa_test.c | 2 - lib/dns/tkey.c | 6 - lib/dns/tsec.c | 2 - lib/dns/tsig.c | 2 - lib/isc/Makefile.am | 17 - lib/isc/include/pk11/constants.h | 35 - lib/isc/include/pk11/internal.h | 47 - lib/isc/include/pk11/pk11.h | 286 --- lib/isc/include/pk11/result.h | 46 - lib/isc/include/pk11/site.h | 14 - lib/isc/include/pkcs11/pkcs11.h | 1653 ------------- lib/isc/pk11.c | 1100 --------- lib/isc/pk11_api.c | 706 ------ lib/isc/pk11_result.c | 71 - lib/isc/tests/hash_test.c | 2 - lib/isc/tests/result_test.c | 26 - lib/isccc/cc.c | 2 - util/copyrights | 32 - 109 files changed, 143 insertions(+), 11206 deletions(-) delete mode 100644 bin/pkcs11/.gitignore delete mode 100644 bin/pkcs11/Makefile.am delete mode 100644 bin/pkcs11/pkcs11-destroy.c delete mode 100644 bin/pkcs11/pkcs11-destroy.rst delete mode 100644 bin/pkcs11/pkcs11-keygen.c delete mode 100644 bin/pkcs11/pkcs11-keygen.rst delete mode 100644 bin/pkcs11/pkcs11-list.c delete mode 100644 bin/pkcs11/pkcs11-list.rst delete mode 100644 bin/pkcs11/pkcs11-tokens.c delete mode 100644 bin/pkcs11/pkcs11-tokens.rst delete mode 100644 bin/tests/system/cleanpkcs11.sh delete mode 100644 bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt delete mode 100644 bin/tests/system/pkcs11/clean.sh delete mode 100644 bin/tests/system/pkcs11/ns1/example.db.in delete mode 100644 bin/tests/system/pkcs11/ns1/named.conf.in delete mode 100644 bin/tests/system/pkcs11/setup.sh delete mode 100644 bin/tests/system/pkcs11/tests.sh delete mode 100644 bin/tests/system/pkcs11/usepkcs11 delete mode 100644 doc/man/pkcs11-destroy.1in delete mode 100644 doc/man/pkcs11-destroy.rst delete mode 100644 doc/man/pkcs11-keygen.1in delete mode 100644 doc/man/pkcs11-keygen.rst delete mode 100644 doc/man/pkcs11-list.1in delete mode 100644 doc/man/pkcs11-list.rst delete mode 100644 doc/man/pkcs11-tokens.1in delete mode 100644 doc/man/pkcs11-tokens.rst delete mode 100644 lib/dns/dst_pkcs11.h delete mode 100644 lib/dns/pkcs11.c delete mode 100644 lib/dns/pkcs11ecdsa_link.c delete mode 100644 lib/dns/pkcs11eddsa_link.c delete mode 100644 lib/dns/pkcs11rsa_link.c delete mode 100644 lib/isc/include/pk11/constants.h delete mode 100644 lib/isc/include/pk11/internal.h delete mode 100644 lib/isc/include/pk11/pk11.h delete mode 100644 lib/isc/include/pk11/result.h delete mode 100644 lib/isc/include/pk11/site.h delete mode 100644 lib/isc/include/pkcs11/pkcs11.h delete mode 100644 lib/isc/pk11.c delete mode 100644 lib/isc/pk11_api.c delete mode 100644 lib/isc/pk11_result.c diff --git a/README.md b/README.md index f85910ddbb..1c09d7b076 100644 --- a/README.md +++ b/README.md @@ -191,9 +191,8 @@ For the server to support DNSSEC, you need to build it with crypto support. To use OpenSSL, you must have OpenSSL 1.0.2e or newer installed. If the OpenSSL library is installed in a nonstandard location, specify the prefix using `--with-openssl=` on the configure command line. To use a -PKCS#11 hardware service module for cryptographic operations, specify the -path to the PKCS#11 provider library using `--with-pkcs11=`, and -configure BIND with `--enable-native-pkcs11`. +PKCS#11 hardware service module for cryptographic operations, it will +be necessary to compile and use engine_pkcs11 from the OpenSC project. To support DNS over HTTPS, the server must be linked with `libnghttp2`. diff --git a/bin/Makefile.am b/bin/Makefile.am index 296a0220f7..ba7658e1a7 100644 --- a/bin/Makefile.am +++ b/bin/Makefile.am @@ -1,5 +1 @@ SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins - -if HAVE_PKCS11 -SUBDIRS += pkcs11 -endif diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index a0840834d8..caaba14585 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -23,8 +23,6 @@ #include #include -#include - #include #include diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c index d53093dfb3..a511421b32 100644 --- a/bin/confgen/rndc-confgen.c +++ b/bin/confgen/rndc-confgen.c @@ -38,8 +38,6 @@ #include #include -#include - #include #include diff --git a/bin/confgen/tsig-keygen.c b/bin/confgen/tsig-keygen.c index 11f65e0426..54d84595d5 100644 --- a/bin/confgen/tsig-keygen.c +++ b/bin/confgen/tsig-keygen.c @@ -34,10 +34,6 @@ #include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include #include #include @@ -101,9 +97,6 @@ main(int argc, char **argv) { int len = 0; int ch; -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); result = isc_file_progname(*argv, program, sizeof(program)); diff --git a/bin/dig/dig.c b/bin/dig/dig.c index c88e5edecb..7b1e649d1c 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -27,8 +27,6 @@ #include #include -#include - #include #include #include diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 0b27baefe6..ead78f5bcb 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -55,8 +55,6 @@ #include #include -#include - #include #include #include @@ -84,10 +82,6 @@ #include "dighost.h" -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #define systemlocale(l) (void)setlocale(l, "") #define resetlocale(l) (void)setlocale(l, "C") @@ -1338,9 +1332,6 @@ setup_libs(void) { debug("setup_libs()"); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); result = isc_net_probeipv4(); diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c index 093b47ec55..aebd9e9786 100644 --- a/bin/dnssec/dnssec-cds.c +++ b/bin/dnssec/dnssec-cds.c @@ -55,10 +55,6 @@ #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-cds"; @@ -1061,9 +1057,6 @@ main(int argc, char *argv[]) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 3d60729983..07371acc4a 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -43,10 +43,6 @@ #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-dsfromkey"; @@ -377,9 +373,6 @@ main(int argc, char **argv) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c index 77ef407717..7f7fd2dc64 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -41,10 +41,6 @@ #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-importkey"; @@ -316,9 +312,6 @@ main(int argc, char **argv) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index bb94c98a18..aca17aea1d 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -25,8 +25,6 @@ #include #include -#include - #include #include #include @@ -38,10 +36,6 @@ #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" #define MAX_RSA 4096 /* should be long enough... */ @@ -69,14 +63,7 @@ usage(void) { fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -c class (default: IN)\n"); fprintf(stderr, " -E :\n"); -#if USE_PKCS11 - fprintf(stderr, - " path to PKCS#11 provider library " - "(default is %s)\n", - PK11_LIB_LOCATION); -#else /* if USE_PKCS11 */ fprintf(stderr, " name of an OpenSSL engine to use\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, " -f keyflag: KSK | REVOKE\n"); fprintf(stderr, " -K directory: directory in which to place " "key files\n"); @@ -170,9 +157,6 @@ main(int argc, char **argv) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; @@ -622,12 +606,7 @@ main(int argc, char **argv) { isc_buffer_init(&buf, filename, sizeof(filename) - 1); /* associate the key */ - ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, -#if USE_PKCS11 - "pkcs11", -#else /* if USE_PKCS11 */ - engine, -#endif /* if USE_PKCS11 */ + ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine, label, NULL, mctx, &key); if (ret != ISC_R_SUCCESS) { diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst index 86f03750ae..484fe3ee80 100644 --- a/bin/dnssec/dnssec-keyfromlabel.rst +++ b/bin/dnssec/dnssec-keyfromlabel.rst @@ -78,10 +78,7 @@ Options When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). ``-l label`` This option specifies the label for a key pair in the crypto hardware. @@ -91,21 +88,6 @@ Options preceded by an optional OpenSSL engine name, followed by a colon, as in ``pkcs11:keylabel``. - When BIND 9 is built with native PKCS#11 support, the label is a - PKCS#11 URI string in the format - ``pkcs11:keyword\ =value[;\ keyword\ =value;...]``. Keywords - include ``token``, which identifies the HSM; ``object``, which identifies - the key; and ``pin-source``, which identifies a file from which the - HSM's PIN code can be obtained. The label is stored in the - on-disk ``private`` file. - - If the label contains a ``pin-source`` field, tools using the - generated key files are able to use the HSM for signing and other - operations without any need for an operator to manually enter a PIN. - Note: Making the HSM's PIN accessible in this manner may reduce the - security advantage of using an HSM; use caution - with this feature. - ``-n nametype`` This option specifies the owner type of the key. The value of ``nametype`` must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index c9bf49f4fe..a3f0b4f168 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -40,8 +40,6 @@ #include #include -#include - #include #include #include @@ -59,10 +57,6 @@ #include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" #define MAX_RSA 4096 /* should be long enough... */ @@ -168,14 +162,7 @@ usage(void) { fprintf(stderr, " -c : (default: IN)\n"); fprintf(stderr, " -d (0 => max, default)\n"); fprintf(stderr, " -E :\n"); -#if USE_PKCS11 - fprintf(stderr, - " path to PKCS#11 provider library " - "(default is %s)\n", - PK11_LIB_LOCATION); -#else /* if USE_PKCS11 */ fprintf(stderr, " name of an OpenSSL engine to use\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, " -f : KSK | REVOKE\n"); fprintf(stderr, " -g : use specified generator " "(DH only)\n"); @@ -881,9 +868,6 @@ main(int argc, char **argv) { usage(); } -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index 31c7b5ae51..4e0cfcbd49 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst @@ -105,10 +105,7 @@ Options When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). ``-f flag`` This option sets the specified flag in the flag field of the KEY/DNSKEY record. diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index cf611851f3..f21bb5e72c 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -31,10 +31,6 @@ #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-revoke"; @@ -49,14 +45,7 @@ usage(void) { fprintf(stderr, "Usage:\n"); fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); -#if USE_PKCS11 - fprintf(stderr, - " -E engine: specify PKCS#11 provider " - "(default: %s)\n", - PK11_LIB_LOCATION); -#else /* if USE_PKCS11 */ fprintf(stderr, " -E engine: specify OpenSSL engine\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, " -f: force overwrite\n"); fprintf(stderr, " -h: help\n"); fprintf(stderr, " -K directory: use directory for key files\n"); @@ -94,9 +83,6 @@ main(int argc, char **argv) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; diff --git a/bin/dnssec/dnssec-revoke.rst b/bin/dnssec/dnssec-revoke.rst index 31da670cc2..24c62b8cd4 100644 --- a/bin/dnssec/dnssec-revoke.rst +++ b/bin/dnssec/dnssec-revoke.rst @@ -61,10 +61,7 @@ Options When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). ``-f`` This option indicates a forced overwrite and causes ``dnssec-revoke`` to write the new key pair, diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index ef497b112b..c6a1c40376 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -35,10 +35,6 @@ #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-settime"; @@ -54,17 +50,7 @@ usage(void) { fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); fprintf(stderr, "General options:\n"); -#if USE_PKCS11 - fprintf(stderr, - " -E engine: specify PKCS#11 provider " - "(default: %s)\n", - PK11_LIB_LOCATION); -#elif defined(USE_PKCS11) - fprintf(stderr, " -E engine: specify OpenSSL engine " - "(default \"pkcs11\")\n"); -#else /* if USE_PKCS11 */ fprintf(stderr, " -E engine: specify OpenSSL engine\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, " -f: force update of old-style " "keys\n"); fprintf(stderr, " -K directory: set key file location\n"); @@ -262,9 +248,6 @@ main(int argc, char **argv) { setup_logging(mctx, &log); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; diff --git a/bin/dnssec/dnssec-settime.rst b/bin/dnssec/dnssec-settime.rst index 731e35ff8b..79f3a429f6 100644 --- a/bin/dnssec/dnssec-settime.rst +++ b/bin/dnssec/dnssec-settime.rst @@ -104,10 +104,7 @@ Options When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). Timing Options ~~~~~~~~~~~~~~ diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index b42d30ac22..fdc985bf97 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -84,10 +84,6 @@ #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-signzone"; @@ -3254,14 +3250,7 @@ usage(void) { fprintf(stderr, "verify generated signatures\n"); fprintf(stderr, "\t-c class (IN)\n"); fprintf(stderr, "\t-E engine:\n"); -#if USE_PKCS11 - fprintf(stderr, - "\t\tpath to PKCS#11 provider library " - "(default is %s)\n", - PK11_LIB_LOCATION); -#else /* if USE_PKCS11 */ fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, "\t-P:\t"); fprintf(stderr, "disable post-sign verification\n"); fprintf(stderr, "\t-Q:\t"); @@ -3401,9 +3390,6 @@ main(int argc, char *argv[]) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index a43d76954a..e85163864a 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -71,10 +71,7 @@ Options When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). ``-g`` This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-`` diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index a5ed08742f..11d020b6bf 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -61,10 +61,6 @@ #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #include "dnssectool.h" const char *program = "dnssec-verify"; @@ -163,14 +159,7 @@ usage(void) { fprintf(stderr, "\t\tfile format of input zonefile (text)\n"); fprintf(stderr, "\t-c class (IN)\n"); fprintf(stderr, "\t-E engine:\n"); -#if USE_PKCS11 - fprintf(stderr, - "\t\tpath to PKCS#11 provider library " - "(default is %s)\n", - PK11_LIB_LOCATION); -#else /* if USE_PKCS11 */ fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); -#endif /* if USE_PKCS11 */ fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, " "not ZSKs\n"); fprintf(stderr, "\t-z:\tAll records signed with KSKs\n"); @@ -219,9 +208,6 @@ main(int argc, char *argv[]) { isc_mem_create(&mctx); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; diff --git a/bin/dnssec/dnssec-verify.rst b/bin/dnssec/dnssec-verify.rst index 7f2ba531bb..49c2a8397a 100644 --- a/bin/dnssec/dnssec-verify.rst +++ b/bin/dnssec/dnssec-verify.rst @@ -49,10 +49,7 @@ Options When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). ``-I input-format`` This option sets the format of the input zone file. Possible formats are ``text`` diff --git a/bin/named/config.c b/bin/named/config.c index fd07732dd8..fa5cfbc2aa 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -25,8 +25,6 @@ #include #include -#include - #include #include #include diff --git a/bin/named/main.c b/bin/named/main.c index acc2e1310e..bc43aa1bbc 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -53,9 +53,6 @@ #include #include -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ #include @@ -1463,9 +1460,6 @@ main(int argc, char *argv[]) { dns_result_register(); dst_result_register(); isccc_result_register(); -#if USE_PKCS11 - pk11_result_register(); -#endif /* if USE_PKCS11 */ parse_command_line(argc, argv); diff --git a/bin/named/named.rst b/bin/named/named.rst index 60eb3fb751..813551a371 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst @@ -74,10 +74,7 @@ Options When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). When BIND is - built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it - defaults to the path of the PKCS#11 provider library specified via - ``--with-pkcs11``. + hardware service module (usually ``pkcs11``). ``-f`` This option runs the server in the foreground (i.e., do not daemonize). diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 67fea4ed73..fc1c70b0a7 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -46,8 +46,6 @@ #include #include -#include - #include #include #include diff --git a/bin/pkcs11/.gitignore b/bin/pkcs11/.gitignore deleted file mode 100644 index d6c6dce33b..0000000000 --- a/bin/pkcs11/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -pkcs11-destroy -pkcs11-keygen -pkcs11-list -pkcs11-tokens diff --git a/bin/pkcs11/Makefile.am b/bin/pkcs11/Makefile.am deleted file mode 100644 index b80c1c74fb..0000000000 --- a/bin/pkcs11/Makefile.am +++ /dev/null @@ -1,13 +0,0 @@ -include $(top_srcdir)/Makefile.top - -AM_CPPFLAGS += \ - $(LIBISC_CFLAGS) - -LDADD += \ - $(LIBISC_LIBS) - -bin_PROGRAMS = \ - pkcs11-list \ - pkcs11-destroy \ - pkcs11-keygen \ - pkcs11-tokens diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c deleted file mode 100644 index 4e1f4b0cd3..0000000000 --- a/bin/pkcs11/pkcs11-destroy.c +++ /dev/null @@ -1,265 +0,0 @@ -/* - * Copyright (C) 2009, 2015 Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * Portions copyright (c) 2008 Nominet UK. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] - * [-p $pin] [ -w $wait ] - */ - -/*! \file */ - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#include -#include - -int -main(int argc, char *argv[]) { - isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_BYTE attr_id[2]; - CK_OBJECT_HANDLE akey[50]; - pk11_context_t pctx; - char *lib_name = NULL; - char *label = NULL; - char *pin = NULL; - int error = 0; - unsigned int id = 0, i = 0, wait = 5; - int c, errflg = 0; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id, - sizeof(attr_id) } }; - unsigned int j, len; - - while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:w:")) != -1) { - switch (c) { - case 'm': - lib_name = isc_commandline_argument; - break; - case 's': - slot = atoi(isc_commandline_argument); - break; - case 'i': - id = atoi(isc_commandline_argument); - id &= 0xffff; - break; - case 'l': - label = isc_commandline_argument; - break; - case 'p': - pin = isc_commandline_argument; - break; - case 'w': - wait = atoi(isc_commandline_argument); - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (errflg || (id && (label != NULL))) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] " - "{-i id | -l label} [-p pin] [-w waittime]\n"); - exit(1); - } - - if (id) { - attr_id[0] = (id >> 8) & 0xff; - attr_id[1] = id & 0xff; - } else if (label) { - search_template[0].type = CKA_LABEL; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - } - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) { - pk11_set_lib_name(lib_name); - } - - if (pin == NULL) { - pin = getpass("Enter Pin: "); - } - - result = pk11_get_session(&pctx, OP_ANY, false, true, true, - (const char *)pin, slot); - if (result == PK11_R_NORANDOMSERVICE || - result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) - { - fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); - fprintf(stderr, "This HSM will not work with BIND 9 " - "using native PKCS#11.\n"); - } else if (result != ISC_R_SUCCESS) { - fprintf(stderr, - "Unrecoverable error initializing " - "PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - - memset(pin, 0, strlen(pin)); - - hSession = pctx.session; - - rv = pkcs_C_FindObjectsInit(hSession, search_template, - ((id != 0) || (label != NULL)) ? 1 : 0); - - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_session; - } - - rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_search; - } - - if (ulObjectCount == 0) { - printf("No matching key objects found.\n"); - goto exit_search; - } else { - printf("Key object%s found:\n", ulObjectCount > 1 ? "s" : ""); - } - - for (i = 0; i < ulObjectCount; i++) { - CK_OBJECT_CLASS oclass = 0; - CK_BYTE labelbuf[64 + 1]; - CK_BYTE idbuf[64]; - CK_ATTRIBUTE attr_template[] = { - { CKA_CLASS, &oclass, sizeof(oclass) }, - { CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 }, - { CKA_ID, idbuf, sizeof(idbuf) } - }; - - memset(labelbuf, 0, sizeof(labelbuf)); - memset(idbuf, 0, sizeof(idbuf)); - - rv = pkcs_C_GetAttributeValue(hSession, akey[i], attr_template, - 3); - if (rv != CKR_OK) { - fprintf(stderr, - "C_GetAttributeValue[%u]: rv = 0x%.8lX\n", i, - rv); - error = 1; - goto exit_search; - } - len = attr_template[2].ulValueLen; - printf(" object[%u]: class %lu, label '%s', id[%lu] ", i, - oclass, labelbuf, attr_template[2].ulValueLen); - if (len > 4) { - len = 4; - } - if (len > 0) { - printf("0x"); - } - for (j = 0; j < len; j++) - printf("%02x", idbuf[j]); - if (attr_template[2].ulValueLen > len) { - printf("...\n"); - } else { - printf("\n"); - } - } - - if (wait != 0) { - printf("WARNING: This action is irreversible! " - "Destroying key objects in %u seconds\n ", - wait); - for (i = 0; i < wait; i++) { - printf("."); - fflush(stdout); - sleep(1); - } - printf("\n"); - } - - for (i = 0; i < ulObjectCount; i++) { - rv = pkcs_C_DestroyObject(hSession, akey[i]); - if (rv != CKR_OK) { - fprintf(stderr, - "C_DestroyObject[%u] failed: rv = 0x%.8lX\n", i, - rv); - error = 1; - } - } - - if (error == 0) { - printf("Destruction complete.\n"); - } - -exit_search: - rv = pkcs_C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); - error = 1; - } - -exit_session: - pk11_return_session(&pctx); - (void)pk11_finalize(); - - exit(error); -} diff --git a/bin/pkcs11/pkcs11-destroy.rst b/bin/pkcs11/pkcs11-destroy.rst deleted file mode 100644 index af43f61748..0000000000 --- a/bin/pkcs11/pkcs11-destroy.rst +++ /dev/null @@ -1,71 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - - -.. highlight: console - -.. _man_pkcs11-destroy: - -pkcs11-destroy - destroy PKCS#11 objects - -Synopsis -~~~~~~~~ - -:program:`pkcs11-destroy` [**-m** module] [**-s** slot] [**-i** ID] [**-l** label] [**-p** PIN] [**-w** seconds] - -Description -~~~~~~~~~~~ - -``pkcs11-destroy`` destroys keys stored in a PKCS#11 device, identified -by their ``ID`` or ``label``. - -Matching keys are displayed before being destroyed. By default, there is -a five-second delay to allow the user to interrupt the process before -the destruction takes place. - -Options -~~~~~~~ - -``-m module`` - This option specifies the PKCS#11 provider module. This must be the full path to a - shared library object implementing the PKCS#11 API for the device. - -``-s slot`` - This option opens the session with the given PKCS#11 slot. The default is slot 0. - -``-i ID`` - This option destroys keys with the given object ID. - -``-l label`` - This option destroys keys with the given label. - -``-p PIN`` - This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command - line, ``pkcs11-destroy`` prompts for it. - -``-w seconds`` - This option specifies how long, in seconds, to pause before carrying out key destruction. The - default is 5 seconds. If set to ``0``, destruction is - immediate. - -See Also -~~~~~~~~ - -:manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)` diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c deleted file mode 100644 index ba004e1594..0000000000 --- a/bin/pkcs11/pkcs11-keygen.c +++ /dev/null @@ -1,476 +0,0 @@ -/* - * Copyright (C) 2009, 2012, 2015 Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * Portions copyright (c) 2008 Nominet UK. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* pkcs11-keygen - PKCS#11 key generator - * - * Create a key in the keystore of an HSM - * - * The calculation of key tag is left to the script - * that converts the key into a DNSKEY RR and inserts - * it into a zone file. - * - * usage: - * pkcs11-keygen [-P] [-m module] [-s slot] [-e] [-b keysize] - * [-i id] [-p pin] -l label - * - */ - -/*! \file */ - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#include -#include -#include - -/* Define static key template values */ -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -/* Static arrays of data used for key template initialization */ -static CK_BYTE pk11_ecc_prime256v1[] = PK11_ECC_PRIME256V1; -static CK_BYTE pk11_ecc_secp384r1[] = PK11_ECC_SECP384R1; -static CK_BYTE pk11_ecx_ed25519[] = PK11_ECX_ED25519; -static CK_BYTE pk11_ecx_ed448[] = PK11_ECX_ED448; - -/* Key class: RSA, ECC, ECX, or unknown */ -typedef enum { key_unknown, key_rsa, key_ecc, key_ecx } key_class_t; - -/* - * Private key template - */ -#define PRIVATE_LABEL 0 -#define PRIVATE_SIGN 1 -#define PRIVATE_TOKEN 2 -#define PRIVATE_PRIVATE 3 -#define PRIVATE_SENSITIVE 4 -#define PRIVATE_EXTRACTABLE 5 -#define PRIVATE_ID 6 -#define PRIVATE_ATTRS 7 -static CK_ATTRIBUTE private_template[] = { - { CKA_LABEL, NULL_PTR, 0 }, - { CKA_SIGN, &truevalue, sizeof(truevalue) }, - { CKA_TOKEN, &truevalue, sizeof(truevalue) }, - { CKA_PRIVATE, &truevalue, sizeof(truevalue) }, - { CKA_SENSITIVE, &truevalue, sizeof(truevalue) }, - { CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue) }, - { CKA_ID, NULL_PTR, 0 } -}; - -/* - * Public key template for RSA keys - */ -#define RSA_LABEL 0 -#define RSA_VERIFY 1 -#define RSA_TOKEN 2 -#define RSA_PRIVATE 3 -#define RSA_MODULUS_BITS 4 -#define RSA_PUBLIC_EXPONENT 5 -#define RSA_ID 6 -#define RSA_ATTRS 7 -static CK_ATTRIBUTE rsa_template[] = { - { CKA_LABEL, NULL_PTR, 0 }, - { CKA_VERIFY, &truevalue, sizeof(truevalue) }, - { CKA_TOKEN, &truevalue, sizeof(truevalue) }, - { CKA_PRIVATE, &falsevalue, sizeof(falsevalue) }, - { CKA_MODULUS_BITS, NULL_PTR, 0 }, - { CKA_PUBLIC_EXPONENT, NULL_PTR, 0 }, - { CKA_ID, NULL_PTR, 0 } -}; - -/* - * Public key template for ECC/ECX keys - */ -#define ECC_LABEL 0 -#define ECC_VERIFY 1 -#define ECC_TOKEN 2 -#define ECC_PRIVATE 3 -#define ECC_PARAMS 4 -#define ECC_ID 5 -#define ECC_ATTRS 6 -static CK_ATTRIBUTE ecc_template[] = { - { CKA_LABEL, NULL_PTR, 0 }, - { CKA_VERIFY, &truevalue, sizeof(truevalue) }, - { CKA_TOKEN, &truevalue, sizeof(truevalue) }, - { CKA_PRIVATE, &falsevalue, sizeof(falsevalue) }, - { CKA_EC_PARAMS, NULL_PTR, 0 }, - { CKA_ID, NULL_PTR, 0 } -}; - -/* - * Convert from text to key class. Accepts the names of DNSSEC - * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and - * NSEC3RSASHA1 maps to RSA. - */ -static key_class_t -keyclass_fromtext(const char *name) { - if (name == NULL) { - return (key_unknown); - } - - if (strncasecmp(name, "rsa", 3) == 0 || - strncasecmp(name, "nsec3rsa", 8) == 0) { - return (key_rsa); - } else if (strncasecmp(name, "ecc", 3) == 0 || - strncasecmp(name, "ecdsa", 5) == 0) - { - return (key_ecc); - } else if (strncasecmp(name, "ecx", 3) == 0 || - strncasecmp(name, "ed", 2) == 0) { - return (key_ecx); - } else { - return (key_unknown); - } -} - -static void -usage(void) { - fprintf(stderr, "Usage:\n" - "\tpkcs11-keygen -a algorithm -b keysize -l label\n" - "\t [-P] [-m module] " - "[-s slot] [-e] [-S] [-i id] [-p PIN]\n"); - exit(2); -} - -int -main(int argc, char *argv[]) { - isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_MECHANISM mech; - CK_SESSION_HANDLE hSession; - char *lib_name = NULL; - char *pin = NULL; - CK_ULONG bits = 0; - CK_CHAR *label = NULL; - CK_OBJECT_HANDLE privatekey, publickey; - CK_BYTE exponent[5]; - CK_ULONG expsize = 0; - pk11_context_t pctx; - int error = 0; - int c, errflg = 0; - int hide = 1, quiet = 0; - int idlen = 0, id_offset = 0; - unsigned long id = 0; - CK_BYTE idbuf[4]; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { { CKA_LABEL, NULL_PTR, 0 } }; - CK_ATTRIBUTE *public_template = NULL; - CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS; - key_class_t keyclass = key_rsa; - pk11_optype_t op_type = OP_ANY; - -#define OPTIONS ":a:b:ei:l:m:Pp:qSs:" - while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) { - switch (c) { - case 'a': - keyclass = keyclass_fromtext(isc_commandline_argument); - break; - case 'P': - hide = 0; - break; - case 'm': - lib_name = isc_commandline_argument; - break; - case 's': - slot = atoi(isc_commandline_argument); - break; - case 'e': - expsize = 5; - break; - case 'b': - bits = atoi(isc_commandline_argument); - break; - case 'l': - /* -l option is retained for backward compatibility * */ - label = (CK_CHAR *)isc_commandline_argument; - break; - case 'i': - id = strtoul(isc_commandline_argument, NULL, 0); - idlen = 4; - break; - case 'p': - pin = isc_commandline_argument; - break; - case 'q': - quiet = 1; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (label == NULL && isc_commandline_index < argc) { - label = (CK_CHAR *)argv[isc_commandline_index]; - } - - if (errflg || (label == NULL)) { - usage(); - } - - if (expsize != 0 && keyclass != key_rsa) { - fprintf(stderr, "The -e option is only compatible " - "with RSA key generation\n"); - exit(2); - } - - switch (keyclass) { - case key_rsa: - op_type = OP_RSA; - if (expsize == 0) { - expsize = 3; - } - if (bits == 0) { - usage(); - } - - mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; - mech.pParameter = NULL; - mech.ulParameterLen = 0; - - public_template = rsa_template; - public_attrcnt = RSA_ATTRS; - id_offset = RSA_ID; - - /* Set public exponent to F4 or F5 */ - exponent[0] = 0x01; - exponent[1] = 0x00; - if (expsize == 3) { - exponent[2] = 0x01; - } else { - exponent[2] = 0x00; - exponent[3] = 0x00; - exponent[4] = 0x01; - } - - public_template[RSA_MODULUS_BITS].pValue = &bits; - public_template[RSA_MODULUS_BITS].ulValueLen = sizeof(bits); - public_template[RSA_PUBLIC_EXPONENT].pValue = &exponent; - public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize; - break; - case key_ecc: - op_type = OP_ECDSA; - if (bits == 0) { - bits = 256; - } else if (bits != 256 && bits != 384) { - fprintf(stderr, "ECC keys only support bit sizes of " - "256 and 384\n"); - exit(2); - } - - mech.mechanism = CKM_EC_KEY_PAIR_GEN; - mech.pParameter = NULL; - mech.ulParameterLen = 0; - - public_template = ecc_template; - public_attrcnt = ECC_ATTRS; - id_offset = ECC_ID; - - if (bits == 256) { - public_template[4].pValue = pk11_ecc_prime256v1; - public_template[4].ulValueLen = - sizeof(pk11_ecc_prime256v1); - } else { - public_template[4].pValue = pk11_ecc_secp384r1; - public_template[4].ulValueLen = - sizeof(pk11_ecc_secp384r1); - } - - break; - case key_ecx: - op_type = OP_EDDSA; - if (bits == 0) { - bits = 256; - } else if (bits != 256 && bits != 456) { - fprintf(stderr, "ECX keys only support bit sizes of " - "256 and 456\n"); - exit(2); - } - - mech.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN; - mech.pParameter = NULL; - mech.ulParameterLen = 0; - - public_template = ecc_template; - public_attrcnt = ECC_ATTRS; - id_offset = ECC_ID; - - if (bits == 256) { - public_template[4].pValue = pk11_ecx_ed25519; - public_template[4].ulValueLen = - sizeof(pk11_ecx_ed25519); - } else { - public_template[4].pValue = pk11_ecx_ed448; - public_template[4].ulValueLen = sizeof(pk11_ecx_ed448); - } - - break; - case key_unknown: - usage(); - } - - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen((char *)label); - public_template[0].pValue = label; - public_template[0].ulValueLen = strlen((char *)label); - private_template[0].pValue = label; - private_template[0].ulValueLen = strlen((char *)label); - - if (idlen == 0) { - public_attrcnt--; - private_attrcnt--; - } else { - if (id <= 0xffff) { - idlen = 2; - idbuf[0] = (CK_BYTE)(id >> 8); - idbuf[1] = (CK_BYTE)id; - } else { - idbuf[0] = (CK_BYTE)(id >> 24); - idbuf[1] = (CK_BYTE)(id >> 16); - idbuf[2] = (CK_BYTE)(id >> 8); - idbuf[3] = (CK_BYTE)id; - } - - public_template[id_offset].pValue = idbuf; - public_template[id_offset].ulValueLen = idlen; - private_template[PRIVATE_ID].pValue = idbuf; - private_template[PRIVATE_ID].ulValueLen = idlen; - } - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) { - pk11_set_lib_name(lib_name); - } - - if (pin == NULL) { - pin = getpass("Enter Pin: "); - } - - result = pk11_get_session(&pctx, op_type, false, true, true, - (const char *)pin, slot); - if (result == PK11_R_NORANDOMSERVICE || - result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) - { - fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); - fprintf(stderr, "This HSM will not work with BIND 9 " - "using native PKCS#11.\n"); - } else if (result != ISC_R_SUCCESS) { - fprintf(stderr, - "Unrecoverable error initializing " - "PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - - memset(pin, 0, strlen(pin)); - - hSession = pctx.session; - - /* check if a key with the same id already exists */ - rv = pkcs_C_FindObjectsInit(hSession, search_template, 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_session; - } - rv = pkcs_C_FindObjects(hSession, &privatekey, 1, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_search; - } - if (ulObjectCount != 0) { - fprintf(stderr, "Key already exists.\n"); - error = 1; - goto exit_search; - } - - /* Set attributes if the key is not to be hidden */ - if (!hide) { - private_template[4].pValue = &falsevalue; - private_template[5].pValue = &truevalue; - } - - /* Generate Key pair for signing/verifying */ - rv = pkcs_C_GenerateKeyPair(hSession, &mech, public_template, - public_attrcnt, private_template, - private_attrcnt, &publickey, &privatekey); - - if (rv != CKR_OK) { - fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv); - error = 1; - } else if (!quiet) { - printf("Key pair generation complete.\n"); - } - -exit_search: - rv = pkcs_C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); - error = 1; - } - -exit_session: - pk11_return_session(&pctx); - (void)pk11_finalize(); - - exit(error); -} diff --git a/bin/pkcs11/pkcs11-keygen.rst b/bin/pkcs11/pkcs11-keygen.rst deleted file mode 100644 index 4eb1523f61..0000000000 --- a/bin/pkcs11/pkcs11-keygen.rst +++ /dev/null @@ -1,90 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - - -.. highlight: console - -.. _man_pkcs11-keygen: - -pkcs11-keygen - generate keys on a PKCS#11 device -------------------------------------------------- - -Synopsis -~~~~~~~~ - -:program:`pkcs11-keygen` [**-a** algorithm] [**-b** keysize] [**-e**] [**-i** id] [**-m** module] [**-P**] [**-p** PIN] [**-q**] [**-S**] [**-s** slot] label - -Description -~~~~~~~~~~~ - -``pkcs11-keygen`` causes a PKCS#11 device to generate a new key pair -with the given ``label`` (which must be unique) and with ``keysize`` -bits of prime. - -Options -~~~~~~~ - -``-a algorithm`` - This option specifies the key algorithm class: supported classes are RSA, DSA, DH, - ECC, and ECX. In addition to these strings, the ``algorithm`` can be - specified as a DNSSEC signing algorithm to be used with this - key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to - ECC, and ED25519 to ECX. The default class is ``RSA``. - -``-b keysize`` - This option creates the key pair with ``keysize`` bits of prime. For ECC keys, the - only valid values are 256 and 384, and the default is 256. For ECX - keys, the only valid values are 256 and 456, and the default is 256. - -``-e`` - For RSA keys only, this option specifies use of a large exponent. - -``-i id`` - This option creates key objects with ``id``. The ID is either an unsigned short 2-byte - or an unsigned long 4-byte number. - -``-m module`` - This option specifies the PKCS#11 provider module. This must be the full path to a - shared library object implementing the PKCS#11 API for the device. - -``-P`` - This option sets the new private key to be non-sensitive and extractable, and - allows the private key data to be read from the PKCS#11 device. The - default is for private keys to be sensitive and non-extractable. - -``-p PIN`` - This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command - line, ``pkcs11-keygen`` prompts for it. - -``-q`` - This option sets quiet mode, which suppresses unnecessary output. - -``-S`` - For Diffie-Hellman (DH) keys only, this option specifies use of a special prime of 768-, 1024-, - or 1536-bit size and base (AKA generator) 2. If not specified, bit - size defaults to 1024. - -``-s slot`` - This option opens the session with the given PKCS#11 slot. The default is slot 0. - -See Also -~~~~~~~~ - -:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`, :manpage:`dnssec-keyfromlabel(8)` diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c deleted file mode 100644 index c103a44abc..0000000000 --- a/bin/pkcs11/pkcs11-list.c +++ /dev/null @@ -1,274 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * Portions copyright (c) 2008 Nominet UK. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* pkcs11-list [-P] [-m module] [-s slot] [-i $id | -l $label] [-p $pin] */ - -/*! \file */ - -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#include -#include - -int -main(int argc, char *argv[]) { - isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_BYTE attr_id[2]; - CK_OBJECT_HANDLE akey[50]; - pk11_context_t pctx; - char *lib_name = NULL; - char *label = NULL; - char *pin = NULL; - bool error = false, logon = true, all = false; - unsigned int i = 0, id = 0; - int c, errflg = 0; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id, - sizeof(attr_id) } }; - - while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:P")) != -1) { - switch (c) { - case 'P': - logon = false; - break; - case 'm': - lib_name = isc_commandline_argument; - break; - case 's': - slot = atoi(isc_commandline_argument); - break; - case 'i': - id = atoi(isc_commandline_argument); - id &= 0xffff; - break; - case 'l': - label = isc_commandline_argument; - break; - case 'p': - pin = isc_commandline_argument; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (errflg) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, "\tpkcs11-list [-P] [-m module] [-s slot] " - "[-i id | -l label] [-p pin]\n"); - exit(1); - } - - if (!id && (label == NULL)) { - all = true; - } - - if (slot) { - printf("slot %lu\n", slot); - } - - if (id) { - printf("id %u\n", id); - attr_id[0] = (id >> 8) & 0xff; - attr_id[1] = id & 0xff; - } else if (label != NULL) { - printf("label %s\n", label); - search_template[0].type = CKA_LABEL; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - } - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) { - pk11_set_lib_name(lib_name); - } - - if (logon && pin == NULL) { - pin = getpass("Enter Pin: "); - } - - result = pk11_get_session(&pctx, OP_ANY, false, false, logon, pin, - slot); - if (result == PK11_R_NORANDOMSERVICE || - result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) - { - fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); - fprintf(stderr, "This HSM will not work with BIND 9 " - "using native PKCS#11.\n"); - } else if (result != ISC_R_SUCCESS) { - fprintf(stderr, - "Unrecoverable error initializing " - "PKCS#11: %s\n", - isc_result_totext(result)); - fprintf(stderr, - "Unrecoverable error initializing " - "PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - - if (pin != NULL) { - memset(pin, 0, strlen(pin)); - } - - hSession = pctx.session; - - rv = pkcs_C_FindObjectsInit(hSession, search_template, all ? 0 : 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_session; - } - - ulObjectCount = 1; - while (ulObjectCount) { - rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_search; - } - for (i = 0; i < ulObjectCount; i++) { - unsigned int j, len; - - CK_OBJECT_CLASS oclass = 0; - CK_BYTE labelbuf[64 + 1]; - CK_BYTE idbuf[64]; - CK_BBOOL extract = TRUE; - CK_BBOOL never = FALSE; - CK_ATTRIBUTE template[] = { - { CKA_CLASS, &oclass, sizeof(oclass) }, - { CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 }, - { CKA_ID, idbuf, sizeof(idbuf) } - }; - CK_ATTRIBUTE priv_template[] = { - { CKA_EXTRACTABLE, &extract, sizeof(extract) }, - { CKA_NEVER_EXTRACTABLE, &never, sizeof(never) } - }; - - memset(labelbuf, 0, sizeof(labelbuf)); - memset(idbuf, 0, sizeof(idbuf)); - - rv = pkcs_C_GetAttributeValue(hSession, akey[i], - template, 3); - if (rv != CKR_OK) { - fprintf(stderr, - "C_GetAttributeValue[%u]: " - "rv = 0x%.8lX\n", - i, rv); - if (rv == CKR_BUFFER_TOO_SMALL) { - fprintf(stderr, - "%u too small: %lu %lu %lu\n", - i, template[0].ulValueLen, - template[1].ulValueLen, - template[2].ulValueLen); - } - error = 1; - continue; - } - - len = template[2].ulValueLen; - printf("object[%u]: handle %lu class %lu " - "label[%lu] '%s' id[%lu] ", - i, akey[i], oclass, template[1].ulValueLen, - labelbuf, template[2].ulValueLen); - if (len == 2) { - id = (idbuf[0] << 8) & 0xff00; - id |= idbuf[1] & 0xff; - printf("%u", id); - } else { - if (len > 8) { - len = 8; - } - if (len > 0) { - printf("0x"); - } - for (j = 0; j < len; j++) - printf("%02x", idbuf[j]); - if (template[2].ulValueLen > len) { - printf("..."); - } - } - if ((oclass == CKO_PRIVATE_KEY || - oclass == CKO_SECRET_KEY) && - pkcs_C_GetAttributeValue(hSession, akey[i], - priv_template, - 2) == CKR_OK) - { - printf(" E:%s", - extract ? "true" - : (never ? "never" : "false")); - } - printf("\n"); - } - } - -exit_search: - rv = pkcs_C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); - error = 1; - } - -exit_session: - pk11_return_session(&pctx); - (void)pk11_finalize(); - - exit(error); -} diff --git a/bin/pkcs11/pkcs11-list.rst b/bin/pkcs11/pkcs11-list.rst deleted file mode 100644 index e010d7ecfd..0000000000 --- a/bin/pkcs11/pkcs11-list.rst +++ /dev/null @@ -1,66 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - - -.. highlight: console - -.. _man_pkcs11-list: - -pkcs11-list - list PKCS#11 objects ----------------------------------- - -:program:`pkcs11-list` [**-P**] [**-m** module] [**-s** slot] [**-i** ID **] [-l** label] [**-p** PIN] - -Description -~~~~~~~~~~~ - -``pkcs11-list`` lists the PKCS#11 objects with ``ID`` or ``label`` or, by -default, all objects. The object class, label, and ID are displayed for -all keys. For private or secret keys, the extractability attribute is -also displayed, as either ``true``, ``false``, or ``never``. - -Options -~~~~~~~ - -``-P`` - This option lists only the public objects. (Note that on some PKCS#11 devices, all - objects are private.) - -``-m module`` - This option specifies the PKCS#11 provider module. This must be the full path to a - shared library object implementing the PKCS#11 API for the device. - -``-s slot`` - This option opens the session with the given PKCS#11 slot. The default is slot 0. - -``-i ID`` - This option lists only key objects with the given object ID. - -``-l label`` - This option lists only key objects with the given label. - -``-p PIN`` - This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command - line, ``pkcs11-list`` prompts for it. - -See Also -~~~~~~~~ - -:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-tokens(8)` diff --git a/bin/pkcs11/pkcs11-tokens.c b/bin/pkcs11/pkcs11-tokens.c deleted file mode 100644 index 0db601d31a..0000000000 --- a/bin/pkcs11/pkcs11-tokens.c +++ /dev/null @@ -1,101 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* pkcs11-tokens [-m module] */ - -/*! \file */ - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#include -#include - -int -main(int argc, char *argv[]) { - isc_result_t result; - char *lib_name = NULL; - int c, errflg = 0; - isc_mem_t *mctx = NULL; - pk11_context_t pctx; - - while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) { - switch (c) { - case 'm': - lib_name = isc_commandline_argument; - break; - case 'v': - pk11_verbose_init = true; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (errflg) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, "\tpkcs11-tokens [-v] [-m module]\n"); - exit(1); - } - - isc_mem_create(&mctx); - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) { - pk11_set_lib_name(lib_name); - } - - result = pk11_get_session(&pctx, OP_ANY, true, false, false, NULL, 0); - if (result == PK11_R_NORANDOMSERVICE || - result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE) - { - fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); - fprintf(stderr, "This HSM will not work with BIND 9 " - "using native PKCS#11.\n\n"); - } else if ((result != ISC_R_SUCCESS) && (result != ISC_R_NOTFOUND)) { - fprintf(stderr, - "Unrecoverable error initializing " - "PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - - pk11_dump_tokens(); - - if (pctx.handle != NULL) { - pk11_return_session(&pctx); - } - (void)pk11_finalize(); - - isc_mem_destroy(&mctx); - - exit(0); -} diff --git a/bin/pkcs11/pkcs11-tokens.rst b/bin/pkcs11/pkcs11-tokens.rst deleted file mode 100644 index 4cb89a5395..0000000000 --- a/bin/pkcs11/pkcs11-tokens.rst +++ /dev/null @@ -1,53 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - - -.. highlight: console - -.. _man_pkcs11-tokens: - -pkcs11-tokens - list PKCS#11 available tokens ---------------------------------------------- - -Synopsis -~~~~~~~~ - -:program:`pkcs11-tokens` [**-m** module] [**-v**] - -Description -~~~~~~~~~~~ - -``pkcs11-tokens`` lists the PKCS#11 available tokens with defaults from -the slot/token scan performed at application initialization. - -Options -~~~~~~~ - -``-m module`` - This option specifies the PKCS#11 provider module. This must be the full path to a - shared library object implementing the PKCS#11 API for the device. - -``-v`` - This option makes the PKCS#11 libisc initialization verbose. - -See Also -~~~~~~~~ - -:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)` diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index 97b182999f..620af62a36 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -36,8 +36,6 @@ #include #include -#include - #include #include diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index 2b32330dac..9a88662e0c 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -230,10 +230,6 @@ endif HAVE_PYMOD_DNS endif HAVE_PYTHON -if HAVE_PKCS11 -TESTS += pkcs11 -endif - else !HAVE_PERL check: echo Perl is not available, no tests were ran diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh deleted file mode 100644 index bbd98c45c2..0000000000 --- a/bin/tests/system/cleanpkcs11.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ./conf.sh - -[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] && $PK11DEL -w0 > /dev/null 2>&1 diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index f307da1eb6..4671e12172 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common @@ -731,9 +731,6 @@ export NSUPDATE export NZD2NZF export PERL export PIPEQUERIES -export PK11DEL -export PK11GEN -export PK11LIST export PSSUSPEND export PYTHON export RESOLVE diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index d6773c174d..06aaad39c2 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -48,9 +48,6 @@ NSEC3HASH=$TOP_BUILDDIR/bin/tools/nsec3hash NSLOOKUP=$TOP_BUILDDIR/bin/dig/nslookup NSUPDATE=$TOP_BUILDDIR/bin/nsupdate/nsupdate NZD2NZF=$TOP_BUILDDIR/bin/tools/named-nzd2nzf -PK11DEL="$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0" -PK11GEN="$TOP_BUILDDIR/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}" -PK11LIST="$TOP_BUILDDIR/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}" RESOLVE=$TOP_BUILDDIR/bin/tests/system/resolve REVOKE=$TOP_BUILDDIR/bin/dnssec/dnssec-revoke RNDC=$TOP_BUILDDIR/bin/rndc/rndc @@ -77,7 +74,7 @@ KRB5_KTNAME=dns.keytab # # Construct the lists of tests to run # -SEQUENTIAL_UNIX="@PKCS11_TEST@" +SEQUENTIAL_UNIX="" SEQUENTIALDIRS="$SEQUENTIAL_COMMON $SEQUENTIAL_UNIX" PARALLEL_UNIX="@DNSTAP@ diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index e41fe685ca..edb6bf7bb9 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3366,12 +3366,6 @@ do ;; 15|16) key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true) - # Soft-fail in case HSM doesn't support Edwards curves - if grep "not found" "keygen-$alg.err" > /dev/null && [ "$CRYPTO" = "pkcs11" ]; then - echo_i "Algorithm $alg not supported by HSM: skipping" - alg=$((alg+1)) - continue - fi ;; *) key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true) diff --git a/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt b/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt deleted file mode 100644 index 09b06f0739..0000000000 --- a/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt +++ /dev/null @@ -1,20 +0,0 @@ -edda 2800 0001 0000 0001 0000 0972 7361 -7368 6132 3536 0765 7861 6d70 6c65 0000 -0600 01c0 0c00 3000 0100 0001 2c01 0801 -0003 0803 0100 0100 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 0000 0000 0000 0000 0000 -0000 0000 0000 00 diff --git a/bin/tests/system/pkcs11/clean.sh b/bin/tests/system/pkcs11/clean.sh deleted file mode 100644 index 23c5a6f857..0000000000 --- a/bin/tests/system/pkcs11/clean.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -e - -rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl -rm -f dig.out* pin upd.log* upd.cmd* pkcs11-list.out* -rm -f ns1/*.ksk ns1/*.zsk ns1/named.memstats -rm -f supported -rm -f ns*/named.run ns*/named.lock ns*/named.conf -rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/pkcs11/ns1/example.db.in b/bin/tests/system/pkcs11/ns1/example.db.in deleted file mode 100644 index 95d2a63a54..0000000000 --- a/bin/tests/system/pkcs11/ns1/example.db.in +++ /dev/null @@ -1,22 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA ns root ( - 2000082401 ; serial - 1800 ; refresh (30 minutes) - 1800 ; retry (30 minutes) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.1 - -txt TXT "recursed" - diff --git a/bin/tests/system/pkcs11/ns1/named.conf.in b/bin/tests/system/pkcs11/ns1/named.conf.in deleted file mode 100644 index a4a51b357c..0000000000 --- a/bin/tests/system/pkcs11/ns1/named.conf.in +++ /dev/null @@ -1,34 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -controls { /* empty */ }; - -options { - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - recursion no; - dnssec-validation no; - notify no; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh deleted file mode 100644 index ce364d9636..0000000000 --- a/bin/tests/system/pkcs11/setup.sh +++ /dev/null @@ -1,91 +0,0 @@ -#!/bin/sh -# -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -set -eu - -# shellcheck source=conf.sh -. ../conf.sh - -echo_i "Generating keys for Native PKCS#11" >&2 - -infile=ns1/example.db.in - -printf '%s' "${HSMPIN:-1234}" > pin -PWD=$(pwd) - -copy_setports ns1/named.conf.in ns1/named.conf - -get_random() { - dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An -} - -genpkcs() ( - alg="$1" - bits="$2" - label="$3" - id="$(get_random)" - - $PK11DEL -l "$label" -w0 >/dev/null || true - $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null -) - -keyfrlab() ( - alg="$1" - bits="$2" - label="$3" - zone="$4" - shift 4 - - $KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone" -) - -genzsk() ( - genpkcs "$@" - keyfrlab "$@" -) - -genksk() ( - genpkcs "$@" - keyfrlab "$@" -f ksk -) - -algs= -for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do - alg=$(echo "$algbits" | cut -f 1 -d :) - bits=$(echo "$algbits" | cut -f 2 -d :) - zone="$alg.example" - zonefile="ns1/$alg.example.db" - if $SHELL ../testcrypto.sh "$alg"; then - echo "$alg" >> supported - algs="$algs$alg " - - zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone") - zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone") - ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone") - ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone") - - cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile" - $SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null - cp "$zsk2.key" "ns1/$alg.zsk" - cp "$ksk2.key" "ns1/$alg.ksk" - mv "K$alg"* ns1/ - - cat >> ns1/named.conf < "dig.out.$rrtype.$alg" && - count=$(count_rrsigs "dig.out.$rrtype.$alg") && - test "$count" -gt "$count0" -) - -test_done() { - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - ret=0 -} - -status=0 -ret=0 - -n=0 -while read -r alg; do - zonefile=ns1/$alg.example.db - echo_i "testing PKCS#11 key generation ($alg)" - count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true) - [ "$count" -eq 4 ] || ret=1 - test_done - - echo_i "testing offline signing with PKCS#11 keys ($alg)" - - count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed") - [ "$count" -eq 9 ] || ret=1 - test_done - - echo_i "testing inline signing with new PKCS#11 ZSK ($alg)" - - dig_with_opts "$alg.example." @10.53.0.1 "SOA" > "dig.out.SOA.$alg.0" || ret=1 - countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0") - new_zsk=$(grep -v ';' "ns1/$alg.zsk") - - cat > "upd.cmd.ZSK.$alg" < "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1 - - retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1 - test_done - - echo_i "testing inline signing with new PKCS#11 KSK ($alg)" - - dig_with_opts "$alg.example." @10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1 - countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0") - new_ksk=$(grep -v ';' "ns1/$alg.ksk") - - cat > "upd.cmd.KSK.$alg" < "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1 - - retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1 - test_done - - echo_i "testing PKCS#11 key destroy ($alg)" - - # Lookup all existing keys - echo_i "looking up all existing keys ($alg)" - $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1 - test_done - - echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)" - $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1 - test_done - - echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)" - $PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1 - test_done - - id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg") - echo_i "destroying key with $id id ($alg)" - if [ -n "$id" ]; then - $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1 - else - ret=1 - fi - test_done - - id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg") - echo_i "destroying key with $id id ($alg)" - if [ -n "$id" ]; then - $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1 - else - ret=1 - fi - test_done - - echo_i "checking if all keys have been destroyed ($alg)" - $PK11LIST > "pkcs11-list.out.$alg" || ret=1 - count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true) - [ "$count" -eq 0 ] || ret=1 - test_done - n=$((n+1)) -done < supported - -echo_i "Checking if all supported algorithms were tested" -[ "$n" -eq "$(wc -l < supported)" ] || ret=1 -test_done - -echo_i "Checking for assertion failure in pk11_numbits()" -$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt -dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1 -test_done - -echo_i "exit status: $status" -[ "$status" -eq 0 ] || exit 1 diff --git a/bin/tests/system/pkcs11/usepkcs11 b/bin/tests/system/pkcs11/usepkcs11 deleted file mode 100644 index ef4641287c..0000000000 --- a/bin/tests/system/pkcs11/usepkcs11 +++ /dev/null @@ -1 +0,0 @@ -This test relies on PKCS#11! diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c index 09ec9c75d3..00928ada6a 100644 --- a/bin/tests/system/rsabigexponent/bigkey.c +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -74,8 +74,6 @@ main(int argc, char **argv) { UNUSED(argc); UNUSED(argv); -#if !USE_PKCS11 - rsa = RSA_new(); e = BN_new(); pkey = EVP_PKEY_new(); @@ -151,9 +149,6 @@ main(int argc, char **argv) { dst_lib_destroy(); isc_mem_destroy(&mctx); return (0); -#else /* !USE_PKCS11 */ - return (1); -#endif /* !USE_PKC11 */ } /*! \file */ diff --git a/bin/tests/system/run.sh.in b/bin/tests/system/run.sh.in index bd4c38e843..c940ba22f7 100644 --- a/bin/tests/system/run.sh.in +++ b/bin/tests/system/run.sh.in @@ -161,18 +161,6 @@ else exit 77 fi -# Check for PKCS#11 support -if - test ! -f "$systest/usepkcs11" || $SHELL cleanpkcs11.sh -then - : pkcs11 ok -else - echowarn "I:$systest:Need PKCS#11, skipping test." - echowarn "R:$systest:PKCS11ONLY" - echoend "E:$systest:$(date_with_args)" - exit 0 -fi - # Clean up files left from any potential previous runs except when # started with the --restart option. if ! $restart; then diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh index 137de4ee8e..2e48cae888 100644 --- a/bin/tests/system/testcrypto.sh +++ b/bin/tests/system/testcrypto.sh @@ -66,8 +66,6 @@ then else if test $quiet -eq 0; then echo_i "This test requires support for $msg" >&2 - echo_i "configure with --with-openssl, or --enable-native-pkcs11" \ - "--with-pkcs11" >&2 fi exit 255 fi diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c index 291c861867..13da1f6117 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -27,8 +27,6 @@ #include #include -#include - #include #include #include diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c index 5871e12032..92f37fb1c1 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -27,8 +27,6 @@ #include #include -#include - #include #include #include diff --git a/configure.ac b/configure.ac index 39168fc072..3a70a3c515 100644 --- a/configure.ac +++ b/configure.ac @@ -747,43 +747,6 @@ AX_RESTORE_FLAGS([openssl]) AC_SUBST([OPENSSL_CFLAGS]) AC_SUBST([OPENSSL_LIBS]) -# -# was --enable-native-pkcs11 specified? -# -# [pairwise: --enable-native-pkcs11, --disable-native-pkcs11] -AC_ARG_ENABLE([native-pkcs11], - AS_HELP_STRING([--enable-native-pkcs11], - [use native PKCS11 for public-key crypto [default=no]]), - [:], [enable_native_pkcs11="no"]) - -AC_MSG_CHECKING([for PKCS11 for Public-Key Cryptography]) -AS_CASE([$enable_native_pkcs11], - [no],[AC_MSG_RESULT([no])], - [yes],[CRYPTO=pkcs11 - AC_MSG_RESULT([yes]) - AC_CHECK_FUNCS([getpassphrase]) - ]) -AM_CONDITIONAL([HAVE_PKCS11], [test "$CRYPTO" = "pkcs11"]) - -AC_SUBST([CRYPTO]) -AS_CASE([$CRYPTO], - [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])], - [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])]) - -# -# was --with-pkcs11 specified? -# -# [pairwise: skip] -AC_ARG_WITH([pkcs11], - [AS_HELP_STRING([--with-pkcs11[=PATH]], - [Build with PKCS11 support [no|path] (PATH is for the PKCS11 provider)])], - [:], [with_pkcs11="undefined"]) - -AS_CASE([$with_pkcs11], - [yes|auto],[AC_MSG_ERROR([--with-pkcs11 needs explicit path to the PKCS11 library])], - [no|undefined],[with_pkcs11="undefined"]) -AC_DEFINE_UNQUOTED([PK11_LIB_LOCATION], ["$with_pkcs11"], [define the default PKCS11 library path]) - AC_CHECK_FUNCS([clock_gettime]) # [pairwise: --with-gssapi=yes, --with-gssapi=auto, --without-gssapi] @@ -1634,7 +1597,6 @@ AC_CONFIG_FILES([bin/Makefile bin/nsupdate/Makefile bin/check/Makefile bin/confgen/Makefile - bin/pkcs11/Makefile bin/plugins/Makefile]) # Libraries @@ -1742,11 +1704,6 @@ report() { test "auto" = "$validation_default" && echo " DNSSEC validation active by default (--enable-auto-validation)" - test "$CRYPTO" = "pkcs11" && ( - echo " Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)" - echo " PKCS#11 module (--with-pkcs11): $with_pkcs11" - ) - echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$with_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" @@ -1798,10 +1755,6 @@ report() { test "yes" = "$validation_default" && echo " DNSSEC validation requires configuration (--enable-auto-validation)" - test "$CRYPTO" = "pkcs11" || ( - echo " Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)" - ) - test "yes" = "$enable_querytrace" || \ echo " Very verbose query trace logging (--enable-querytrace)" test "yes" = "$enable_singletrace" || \ diff --git a/doc/arm/manpages.rst b/doc/arm/manpages.rst index 1c913f52a5..56c55c7462 100644 --- a/doc/arm/manpages.rst +++ b/doc/arm/manpages.rst @@ -40,10 +40,6 @@ Manual Pages .. include:: ../../bin/tools/nsec3hash.rst .. include:: ../../bin/dig/nslookup.rst .. include:: ../../bin/nsupdate/nsupdate.rst -.. include:: ../../bin/pkcs11/pkcs11-destroy.rst -.. include:: ../../bin/pkcs11/pkcs11-keygen.rst -.. include:: ../../bin/pkcs11/pkcs11-list.rst -.. include:: ../../bin/pkcs11/pkcs11-tokens.rst .. include:: ../../bin/confgen/rndc-confgen.rst .. include:: ../../bin/rndc/rndc.conf.rst .. include:: ../../bin/rndc/rndc.rst diff --git a/doc/arm/pkcs11.rst b/doc/arm/pkcs11.rst index 8fcba0ea42..bae55d536d 100644 --- a/doc/arm/pkcs11.rst +++ b/doc/arm/pkcs11.rst @@ -17,26 +17,15 @@ Public Key Cryptography Standard #11 (PKCS#11) defines a platform-independent API for the control of hardware security modules (HSMs) and other cryptographic support devices. -BIND 9 is known to work with three HSMs: the AEP Keyper, which has been -tested with Debian Linux, Solaris x86, and Windows Server 2003; the -Thales nShield, tested with Debian Linux; and the Sun SCA 6000 -cryptographic acceleration board, tested with Solaris x86. In addition, -BIND can be used with all current versions of SoftHSM, a software-based -HSM simulator library produced by the OpenDNSSEC project. - PKCS#11 uses a "provider library": a dynamically loadable library which provides a low-level PKCS#11 interface to drive the HSM hardware. The PKCS#11 provider library comes from the HSM vendor, and it is specific to the HSM to be controlled. -There are two available mechanisms for PKCS#11 support in BIND 9: -OpenSSL-based PKCS#11 and native PKCS#11. With OpenSSL-based PKCS#11, -BIND uses a modified version of OpenSSL, which loads the -provider library and operates the HSM indirectly; any cryptographic -operations not supported by the HSM can be carried out by OpenSSL -instead. Native PKCS#11 enables BIND to bypass OpenSSL completely; -BIND loads the provider library itself, and uses the PKCS#11 API to -drive the HSM directly. +BIND 9 uses OpenSSL engine_pkcs11 from the OpenSC project. The engine is +dynamically loaded into OpenSSL and the HSM is operated indirectly; any +cryptographic operations not supported by the HSM can be carried out by OpenSSL +instead. Prerequisites ~~~~~~~~~~~~~ @@ -44,34 +33,6 @@ Prerequisites See the documentation provided by the HSM vendor for information about installing, initializing, testing, and troubleshooting the HSM. -Native PKCS#11 -~~~~~~~~~~~~~~ - -Native PKCS#11 mode only works with an HSM capable of carrying out -*every* cryptographic operation BIND 9 may need. The HSM's provider -library must have a complete implementation of the PKCS#11 API, so that -all these functions are accessible. As of this writing, only the Thales -nShield HSM and SoftHSMv2 can be used in this fashion. For other HSMs, -including the AEP Keyper, Sun SCA 6000, and older versions of SoftHSM, -use OpenSSL-based PKCS#11. (Note: Eventually, when more HSMs become -capable of supporting native PKCS#11, it is expected that OpenSSL-based -PKCS#11 will be deprecated.) - -To build BIND with native PKCS#11, configure it as follows: - -:: - - $ cd bind9 - $ ./configure --enable-native-pkcs11 \ - --with-pkcs11=provider-library-path - - -This causes all BIND tools, including ``named`` and the ``dnssec-*`` -and ``pkcs11-*`` tools, to use the PKCS#11 provider library specified in -provider-library-path for cryptography. (The provider library path can -be overridden using the ``-E`` argument in ``named`` and the ``dnssec-*`` tools, -or the ``-m`` argument in the ``pkcs11-*`` tools.) - Building SoftHSMv2 ^^^^^^^^^^^^^^^^^^ @@ -99,156 +60,163 @@ with BIND. $ make install $ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 - OpenSSL-based PKCS#11 ~~~~~~~~~~~~~~~~~~~~~ OpenSSL-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project. -For more information, see https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11 +engine_pkcs11 tries to fit the PKCS#11 API within the engine API of OpenSSL. +That is, it provides a gateway between PKCS#11 modules and the OpenSSL engine +API. One has to register the engine with OpenSSL and one has to provide the +path to the PKCS#11 module which should be gatewayed to. This can be done by +editing the OpenSSL configuration file, by engine specific controls, or by using +the p11-kit proxy module. -PKCS#11 Tools -~~~~~~~~~~~~~ +It is recommended, that libp11 >= 0.4.12 is used. -BIND 9 includes a minimal set of tools to operate the HSM, including -``pkcs11-keygen`` to generate a new key pair within the HSM, -``pkcs11-list`` to list objects currently available, ``pkcs11-destroy`` -to remove objects, and ``pkcs11-tokens`` to list available tokens. +For more detailed howto including the examples, we recommend reading: -In UNIX/Linux builds, these tools are built only if BIND 9 is configured -with the ``--with-pkcs11`` option. (Note: If ``--with-pkcs11`` is set to ``yes``, -rather than to the path of the PKCS#11 provider, the tools are -built but the provider is left undefined. Use the ``-m`` option or the -``PKCS11_PROVIDER`` environment variable to specify the path to the -provider.) +https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11 Using the HSM ~~~~~~~~~~~~~ -For OpenSSL-based PKCS#11, the runtime environment must first be set up -so the OpenSSL and PKCS#11 libraries can be loaded: +The canonical documentation for configuring engine_pkcs11 is in the +`libp11/README.md`_, but here's copy of working configuration for +your convenience: + +.. _`libp11/README.md`: https://github.com/OpenSC/libp11/blob/master/README.md#pkcs-11-module-configuration + +We are going to use our own custom copy of OpenSSL configuration, again it's +driven by an environment variable, this time called OPENSSL_CONF. We are +going to copy the global OpenSSL configuration (often found in +``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11. + +:: + cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf + +and export the environment variable: + +:: + export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf + +Now add following line at the top of file, before any sections (in square +brackets) are defined: + +:: + openssl_conf = openssl_init + +And add following lines at the bottom of the file: + +:: + [openssl_init] + engines=engine_section + + [engine_section] + pkcs11 = pkcs11_section + + [pkcs11_section] + engine_id = pkcs11 + dynamic_path = /pkcs11.so + MODULE_PATH = + init = 0 + +Key Generation +~~~~~~~~~~~~~~ + +HSM keys can now be created and used. We are going to assume that you already +have a BIND 9 installed, either from a package, or from the sources, and the +tools are readily available in the ``$PATH``. + +For generating the keys, we are going to use ``pkcs11-tool`` available from the +OpenSC suite. On both DEB-based and RPM-based distributions, the package is +called opensc. + +We need to generate at least two RSA keys: :: - $ export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH} + pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-ksk --pin + pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-ksk --pin -This causes ``named`` and other binaries to load the OpenSSL library -from ``/opt/pkcs11/usr/lib``, rather than from the default location. This -step is not necessary when using native PKCS#11. +Remember that each key should have unique label and we are going to use that +label to reference the private key. -Some HSMs require other environment variables to be set. For example, -when operating an AEP Keyper, the location of -the "machine" file, which stores information about the Keyper for use by -the provider library, must be specified. If the machine file is in -``/opt/Keyper/PKCS11Provider/machine``, use: +Convert the RSA keys stored in the HSM into a format that BIND 9 understands. +The ``dnssec-keyfromlabel`` tool from BIND 9 can link the raw keys stored in the +HSM with the ``K++`` files. You'll need to provide the OpenSSL +engine name (``pkcs11``), the algorithm (``RSASHA256``) and the PKCS#11 label +that specify the token (we asume that it has been initialized as bind9), the +name of the PKCS#11 object (called label when generating the keys using +``pkcs11-tool``) and the HSM PIN. + +Convert the KSK: :: + dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net - $ export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider - -Such environment variables must be set when running any tool that -uses the HSM, including ``pkcs11-keygen``, ``pkcs11-list``, -``pkcs11-destroy``, ``dnssec-keyfromlabel``, ``dnssec-signzone``, -``dnssec-keygen``, and ``named``. - -HSM keys can now be created and used. In this case, we will create -a 2048-bit key and give it the label "sample-ksk": +and ZSK: :: + dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-zsk;pin-value=0000" example.net - $ pkcs11-keygen -b 2048 -l sample-ksk - -To confirm that the key exists: +NOTE: you can use PIN stored on disk, by specifying ``pin-source=/``, f.e.: :: + (umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt) - $ pkcs11-list - Enter PIN: - object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0] - object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0] - -Before using this key to sign a zone, we must create a pair of BIND 9 -key files. The ``dnssec-keyfromlabel`` utility does this. In this case, we -are using the HSM key "sample-ksk" as the key-signing key for -"example.net": +and then use in the label specification: :: + pin-source=/opt/bind9/etc/pin.txt - $ dnssec-keyfromlabel -l sample-ksk -f KSK example.net - -The resulting K*.key and K*.private files can now be used to sign the -zone. Unlike normal K\* files, which contain both public and private key -data, these files contain only the public key data, plus an -identifier for the private key which remains stored within the HSM. -Signing with the private key takes place inside the HSM. - -To generate a second key in the HSM for use as a -zone-signing key, follow the same procedure above, using a different -keylabel, a smaller key size, and omitting ``-f KSK`` from the -``dnssec-keyfromlabel`` arguments: +Confirm that you have one KSK and one ZSK present in the current directory: :: + ls -l K* - $ pkcs11-keygen -b 1024 -l sample-zsk - $ dnssec-keyfromlabel -l sample-zsk example.net - -Alternatively, a conventional on-disk key can be generated -using ``dnssec-keygen``: +The output should look like this (the second number will be different): :: + Kexample.net.+008+31729.key + Kexample.net.+008+31729.private + Kexample.net.+008+42231.key + Kexample.net.+008+42231.private - $ dnssec-keygen example.net - -This provides less security than an HSM key, but since HSMs can be slow -or cumbersome to use for security reasons, it may be more efficient to -reserve HSM keys for use in the less frequent key-signing operation. The -zone-signing key can be rolled more frequently, if desired, to -compensate for a reduction in key security. (Note: When using native -PKCS#11, there is no speed advantage to using on-disk keys, as -cryptographic operations are done by the HSM.) - -Now the zone can be signed. Please note that, if the -S option is not used for -``dnssec-signzone``, the contents of both -``K*.key`` files must be added to the zone master file before signing it. - -:: - - $ dnssec-signzone -S example.net - Enter PIN: - Verifying the zone using the following algorithms: - NSEC3RSASHA1. - Zone signing complete: - Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by - example.net.signed Specifying the Engine on the Command Line ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can -be specified in ``named`` and all of the BIND ``dnssec-*`` tools by -using the ``-E `` command line option. If BIND 9 is built with the -``--with-pkcs11`` option, this option defaults to "pkcs11". Specifying the -engine is generally not necessary unless -a different OpenSSL engine is used. +When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can be +specified in ``named`` and all of the BIND ``dnssec-*`` tools by using the ``-E +`` command line option. Specifying the engine is generally not necessary +unless a different OpenSSL engine is used. -To disable use of the "pkcs11" engine - for -troubleshooting purposes, or because the HSM is unavailable - set -the engine to the empty string. For example: +The zone signing commences as usual, with only one small difference. We need to +provide the name of the OpenSSL engine using the -E command line option. :: - - $ dnssec-signzone -E '' -S example.net - -This causes ``dnssec-signzone`` to run as if it were compiled without -the ``--with-pkcs11`` option. - -When built with native PKCS#11 mode, the "engine" option has a different -meaning: it specifies the path to the PKCS#11 provider library. This may -be useful when testing a new provider library. + dnssec-signzone -E pkcs11 -S -o example.net example.net Running ``named`` With Automatic Zone Re-signing ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +The zone can also be signed automatically by named. Again, we need to provide +the name of the OpenSSL engine using the -E command line option. + +:: + named -E pkcs11 -c named.conf + +and the logs should have lines like: + +:: + Fetching example.net/RSASHA256/31729 (KSK) from key repository. + DNSKEY example.net/RSASHA256/31729 (KSK) is now published + DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active + Fetching example.net/RSASHA256/42231 (ZSK) from key repository. + DNSKEY example.net/RSASHA256/42231 (ZSK) is now published + DNSKEY example.net/RSA256SHA256/42231 (ZSK) is now active + For ``named`` to dynamically re-sign zones using HSM keys, and/or to sign new records inserted via nsupdate, ``named`` must have access to the HSM PIN. In OpenSSL-based PKCS#11, this is @@ -273,14 +241,3 @@ Here is a sample ``openssl.cnf``: This also allows the ``dnssec-\*`` tools to access the HSM without PIN entry. (The ``pkcs11-\*`` tools access the HSM directly, not via OpenSSL, so a PIN is still required to use them.) - -In native PKCS#11 mode, the PIN can be provided in a file specified as -an attribute of the key's label. For example, if a key had the label -``pkcs11:object=local-zsk;pin-source=/etc/hsmpin``, then the PIN would -be read from the file ``/etc/hsmpin``. - -.. warning:: - - Placing the HSM's PIN in a text file in this manner may reduce the - security advantage of using an HSM. Use caution - when configuring the system in this way. diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index 2e73e2c853..1ca74c140a 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am @@ -32,10 +32,6 @@ MANPAGES_RST = \ nsec3hash.rst \ nslookup.rst \ nsupdate.rst \ - pkcs11-destroy.rst \ - pkcs11-keygen.rst \ - pkcs11-list.rst \ - pkcs11-tokens.rst \ rndc-confgen.rst \ rndc.conf.rst \ rndc.rst \ @@ -59,10 +55,6 @@ MANPAGES_RST = \ ../../bin/dnssec/dnssec-verify.rst \ ../../bin/named/named.rst \ ../../bin/nsupdate/nsupdate.rst \ - ../../bin/pkcs11/pkcs11-destroy.rst \ - ../../bin/pkcs11/pkcs11-keygen.rst \ - ../../bin/pkcs11/pkcs11-list.rst \ - ../../bin/pkcs11/pkcs11-tokens.rst \ ../../bin/plugins/filter-aaaa.rst \ ../../bin/plugins/filter-a.rst \ ../../bin/rndc/rndc.conf.rst \ @@ -119,22 +111,10 @@ man_MANS += \ named-nzd2nzf.1 endif HAVE_LMDB -if HAVE_PKCS11 -man_MANS += \ - pkcs11-destroy.1 \ - pkcs11-keygen.1 \ - pkcs11-list.1 \ - pkcs11-tokens.1 -endif HAVE_PKCS11 - MANPAGES_IN = \ $(man_MANS:=in) \ dnstap-read.1in \ - named-nzd2nzf.1in \ - pkcs11-destroy.1in \ - pkcs11-keygen.1in \ - pkcs11-list.1in \ - pkcs11-tokens.1in + named-nzd2nzf.1in EXTRA_DIST = \ conf.py \ diff --git a/doc/man/conf.py b/doc/man/conf.py index 04dd6d86e9..8b4e37c777 100644 --- a/doc/man/conf.py +++ b/doc/man/conf.py @@ -95,10 +95,6 @@ man_pages = [ ('nsec3hash', 'nsec3hash', 'generate NSEC3 hash', author, 1), ('nslookup', 'nslookup', 'query Internet name servers interactively', author, 1), ('nsupdate', 'nsupdate', 'dynamic DNS update utility', author, 1), - ('pkcs11-destroy', 'pkcs11-destroy', 'destroy PKCS#11 objects', author, 1), - ('pkcs11-keygen', 'pkcs11-keygen', 'generate keys on a PKCS#11 device', author, 1), - ('pkcs11-list', 'pkcs11-list', 'list PKCS#11 objects', author, 1), - ('pkcs11-tokens', 'pkcs11-tokens', 'list PKCS#11 available tokens', author, 1), ('rndc-confgen', 'rndc-confgen', 'rndc key generation tool', author, 8), ('rndc.conf', 'rndc.conf', 'rndc configuration file', author, 5), ('rndc', 'rndc', 'name server control utility', author, 8), diff --git a/doc/man/dnssec-keyfromlabel.1in b/doc/man/dnssec-keyfromlabel.1in index 56d5dc19ef..fac4b27c25 100644 --- a/doc/man/dnssec-keyfromlabel.1in +++ b/doc/man/dnssec-keyfromlabel.1in @@ -78,10 +78,7 @@ This option specifies the cryptographic hardware to use. .sp When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or -hardware service module (usually \fBpkcs11\fP). When BIND is -built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it -defaults to the path of the PKCS#11 provider library specified via -\fB\-\-with\-pkcs11\fP\&. +hardware service module (usually \fBpkcs11\fP). .TP .B \fB\-l label\fP This option specifies the label for a key pair in the crypto hardware. @@ -90,21 +87,6 @@ When BIND 9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key. It may be preceded by an optional OpenSSL engine name, followed by a colon, as in \fBpkcs11:keylabel\fP\&. -.sp -When BIND 9 is built with native PKCS#11 support, the label is a -PKCS#11 URI string in the format -\fBpkcs11:keyword\e =value[;\e keyword\e =value;...]\fP\&. Keywords -include \fBtoken\fP, which identifies the HSM; \fBobject\fP, which identifies -the key; and \fBpin\-source\fP, which identifies a file from which the -HSM\(aqs PIN code can be obtained. The label is stored in the -on\-disk \fBprivate\fP file. -.sp -If the label contains a \fBpin\-source\fP field, tools using the -generated key files are able to use the HSM for signing and other -operations without any need for an operator to manually enter a PIN. -Note: Making the HSM\(aqs PIN accessible in this manner may reduce the -security advantage of using an HSM; use caution -with this feature. .TP .B \fB\-n nametype\fP This option specifies the owner type of the key. The value of \fBnametype\fP must diff --git a/doc/man/dnssec-keygen.1in b/doc/man/dnssec-keygen.1in index 057ff3d37f..0c098c9945 100644 --- a/doc/man/dnssec-keygen.1in +++ b/doc/man/dnssec-keygen.1in @@ -105,10 +105,7 @@ This option specifies the cryptographic hardware to use, when applicable. .sp When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or -hardware service module (usually \fBpkcs11\fP). When BIND is -built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it -defaults to the path of the PKCS#11 provider library specified via -\fB\-\-with\-pkcs11\fP\&. +hardware service module (usually \fBpkcs11\fP). .TP .B \fB\-f flag\fP This option sets the specified flag in the flag field of the KEY/DNSKEY record. diff --git a/doc/man/dnssec-revoke.1in b/doc/man/dnssec-revoke.1in index 11c65032e5..416c1a160b 100644 --- a/doc/man/dnssec-revoke.1in +++ b/doc/man/dnssec-revoke.1in @@ -61,10 +61,7 @@ This option specifies the cryptographic hardware to use, when applicable. .sp When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or -hardware service module (usually \fBpkcs11\fP). When BIND is -built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it -defaults to the path of the PKCS#11 provider library specified via -\fB\-\-with\-pkcs11\fP\&. +hardware service module (usually \fBpkcs11\fP). .TP .B \fB\-f\fP This option indicates a forced overwrite and causes \fBdnssec\-revoke\fP to write the new key pair, diff --git a/doc/man/dnssec-settime.1in b/doc/man/dnssec-settime.1in index 32ae197b54..9df4116777 100644 --- a/doc/man/dnssec-settime.1in +++ b/doc/man/dnssec-settime.1in @@ -104,10 +104,7 @@ This option specifies the cryptographic hardware to use, when applicable. .sp When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or -hardware service module (usually \fBpkcs11\fP). When BIND is -built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it -defaults to the path of the PKCS#11 provider library specified via -\fB\-\-with\-pkcs11\fP\&. +hardware service module (usually \fBpkcs11\fP). .UNINDENT .SH TIMING OPTIONS .sp diff --git a/doc/man/dnssec-signzone.1in b/doc/man/dnssec-signzone.1in index e999d2d1fc..750da47ceb 100644 --- a/doc/man/dnssec-signzone.1in +++ b/doc/man/dnssec-signzone.1in @@ -71,10 +71,7 @@ operations, such as a secure key store used for signing, when applicable. .sp When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or -hardware service module (usually \fBpkcs11\fP). When BIND is -built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it -defaults to the path of the PKCS#11 provider library specified via -\fB\-\-with\-pkcs11\fP\&. +hardware service module (usually \fBpkcs11\fP). .TP .B \fB\-g\fP This option indicates that DS records for child zones should be generated from a \fBdsset\-\fP or \fBkeyset\-\fP diff --git a/doc/man/dnssec-verify.1in b/doc/man/dnssec-verify.1in index 8d61ef690b..11e84a3555 100644 --- a/doc/man/dnssec-verify.1in +++ b/doc/man/dnssec-verify.1in @@ -49,10 +49,7 @@ This option specifies the cryptographic hardware to use, when applicable. .sp When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or -hardware service module (usually \fBpkcs11\fP). When BIND is -built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it -defaults to the path of the PKCS#11 provider library specified via -\fB\-\-with\-pkcs11\fP\&. +hardware service module (usually \fBpkcs11\fP). .TP .B \fB\-I input\-format\fP This option sets the format of the input zone file. Possible formats are \fBtext\fP diff --git a/doc/man/named.8in b/doc/man/named.8in index 3644de685c..ae9dfa0640 100644 --- a/doc/man/named.8in +++ b/doc/man/named.8in @@ -74,10 +74,7 @@ operations, such as a secure key store used for signing. .sp When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or -hardware service module (usually \fBpkcs11\fP). When BIND is -built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it -defaults to the path of the PKCS#11 provider library specified via -\fB\-\-with\-pkcs11\fP\&. +hardware service module (usually \fBpkcs11\fP). .TP .B \fB\-f\fP This option runs the server in the foreground (i.e., do not daemonize). diff --git a/doc/man/pkcs11-destroy.1in b/doc/man/pkcs11-destroy.1in deleted file mode 100644 index 5e9d2f50e2..0000000000 --- a/doc/man/pkcs11-destroy.1in +++ /dev/null @@ -1,74 +0,0 @@ -.\" Man page generated from reStructuredText. -. -.TH "PKCS11-DESTROY" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9" -.SH NAME -pkcs11-destroy \- destroy PKCS#11 objects -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -pkcs11\-destroy \- destroy PKCS#11 objects -.sp -\fBpkcs11\-destroy\fP [\fB\-m\fP module] [\fB\-s\fP slot] [\fB\-i\fP ID] [\fB\-l\fP label] [\fB\-p\fP PIN] [\fB\-w\fP seconds] -.sp -\fBpkcs11\-destroy\fP destroys keys stored in a PKCS#11 device, identified -by their \fBID\fP or \fBlabel\fP\&. -.sp -Matching keys are displayed before being destroyed. By default, there is -a five\-second delay to allow the user to interrupt the process before -the destruction takes place. -.INDENT 0.0 -.TP -.B \fB\-m module\fP -This option specifies the PKCS#11 provider module. This must be the full path to a -shared library object implementing the PKCS#11 API for the device. -.TP -.B \fB\-s slot\fP -This option opens the session with the given PKCS#11 slot. The default is slot 0. -.TP -.B \fB\-i ID\fP -This option destroys keys with the given object ID. -.TP -.B \fB\-l label\fP -This option destroys keys with the given label. -.TP -.B \fB\-p PIN\fP -This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command -line, \fBpkcs11\-destroy\fP prompts for it. -.TP -.B \fB\-w seconds\fP -This option specifies how long, in seconds, to pause before carrying out key destruction. The -default is 5 seconds. If set to \fB0\fP, destruction is -immediate. -.UNINDENT -.sp -\fBpkcs11\-keygen(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP -.SH AUTHOR -Internet Systems Consortium -.SH COPYRIGHT -2021, Internet Systems Consortium -.\" Generated by docutils manpage writer. -. diff --git a/doc/man/pkcs11-destroy.rst b/doc/man/pkcs11-destroy.rst deleted file mode 100644 index 7833562501..0000000000 --- a/doc/man/pkcs11-destroy.rst +++ /dev/null @@ -1,13 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -:orphan: - -.. include:: ../../bin/pkcs11/pkcs11-destroy.rst \ No newline at end of file diff --git a/doc/man/pkcs11-keygen.1in b/doc/man/pkcs11-keygen.1in deleted file mode 100644 index aa9177ab81..0000000000 --- a/doc/man/pkcs11-keygen.1in +++ /dev/null @@ -1,95 +0,0 @@ -.\" Man page generated from reStructuredText. -. -.TH "PKCS11-KEYGEN" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9" -.SH NAME -pkcs11-keygen \- generate keys on a PKCS#11 device -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.SH SYNOPSIS -.sp -\fBpkcs11\-keygen\fP [\fB\-a\fP algorithm] [\fB\-b\fP keysize] [\fB\-e\fP] [\fB\-i\fP id] [\fB\-m\fP module] [\fB\-P\fP] [\fB\-p\fP PIN] [\fB\-q\fP] [\fB\-S\fP] [\fB\-s\fP slot] label -.SH DESCRIPTION -.sp -\fBpkcs11\-keygen\fP causes a PKCS#11 device to generate a new key pair -with the given \fBlabel\fP (which must be unique) and with \fBkeysize\fP -bits of prime. -.SH OPTIONS -.INDENT 0.0 -.TP -.B \fB\-a algorithm\fP -This option specifies the key algorithm class: supported classes are RSA, DSA, DH, -ECC, and ECX. In addition to these strings, the \fBalgorithm\fP can be -specified as a DNSSEC signing algorithm to be used with this -key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to -ECC, and ED25519 to ECX. The default class is \fBRSA\fP\&. -.TP -.B \fB\-b keysize\fP -This option creates the key pair with \fBkeysize\fP bits of prime. For ECC keys, the -only valid values are 256 and 384, and the default is 256. For ECX -keys, the only valid values are 256 and 456, and the default is 256. -.TP -.B \fB\-e\fP -For RSA keys only, this option specifies use of a large exponent. -.TP -.B \fB\-i id\fP -This option creates key objects with \fBid\fP\&. The ID is either an unsigned short 2\-byte -or an unsigned long 4\-byte number. -.TP -.B \fB\-m module\fP -This option specifies the PKCS#11 provider module. This must be the full path to a -shared library object implementing the PKCS#11 API for the device. -.TP -.B \fB\-P\fP -This option sets the new private key to be non\-sensitive and extractable, and -allows the private key data to be read from the PKCS#11 device. The -default is for private keys to be sensitive and non\-extractable. -.TP -.B \fB\-p PIN\fP -This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command -line, \fBpkcs11\-keygen\fP prompts for it. -.TP -.B \fB\-q\fP -This option sets quiet mode, which suppresses unnecessary output. -.TP -.B \fB\-S\fP -For Diffie\-Hellman (DH) keys only, this option specifies use of a special prime of 768\-, 1024\-, -or 1536\-bit size and base (AKA generator) 2. If not specified, bit -size defaults to 1024. -.TP -.B \fB\-s slot\fP -This option opens the session with the given PKCS#11 slot. The default is slot 0. -.UNINDENT -.SH SEE ALSO -.sp -\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP, \fBdnssec\-keyfromlabel(8)\fP -.SH AUTHOR -Internet Systems Consortium -.SH COPYRIGHT -2021, Internet Systems Consortium -.\" Generated by docutils manpage writer. -. diff --git a/doc/man/pkcs11-keygen.rst b/doc/man/pkcs11-keygen.rst deleted file mode 100644 index accea9f782..0000000000 --- a/doc/man/pkcs11-keygen.rst +++ /dev/null @@ -1,13 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -:orphan: - -.. include:: ../../bin/pkcs11/pkcs11-keygen.rst \ No newline at end of file diff --git a/doc/man/pkcs11-list.1in b/doc/man/pkcs11-list.1in deleted file mode 100644 index 19e12f3f85..0000000000 --- a/doc/man/pkcs11-list.1in +++ /dev/null @@ -1,73 +0,0 @@ -.\" Man page generated from reStructuredText. -. -.TH "PKCS11-LIST" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9" -.SH NAME -pkcs11-list \- list PKCS#11 objects -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.sp -\fBpkcs11\-list\fP [\fB\-P\fP] [\fB\-m\fP module] [\fB\-s\fP slot] [\fB\-i\fP ID \fB] [\-l\fP label] [\fB\-p\fP PIN] -.SH DESCRIPTION -.sp -\fBpkcs11\-list\fP lists the PKCS#11 objects with \fBID\fP or \fBlabel\fP or, by -default, all objects. The object class, label, and ID are displayed for -all keys. For private or secret keys, the extractability attribute is -also displayed, as either \fBtrue\fP, \fBfalse\fP, or \fBnever\fP\&. -.SH OPTIONS -.INDENT 0.0 -.TP -.B \fB\-P\fP -This option lists only the public objects. (Note that on some PKCS#11 devices, all -objects are private.) -.TP -.B \fB\-m module\fP -This option specifies the PKCS#11 provider module. This must be the full path to a -shared library object implementing the PKCS#11 API for the device. -.TP -.B \fB\-s slot\fP -This option opens the session with the given PKCS#11 slot. The default is slot 0. -.TP -.B \fB\-i ID\fP -This option lists only key objects with the given object ID. -.TP -.B \fB\-l label\fP -This option lists only key objects with the given label. -.TP -.B \fB\-p PIN\fP -This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command -line, \fBpkcs11\-list\fP prompts for it. -.UNINDENT -.SH SEE ALSO -.sp -\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-keygen(8)\fP, \fBpkcs11\-tokens(8)\fP -.SH AUTHOR -Internet Systems Consortium -.SH COPYRIGHT -2021, Internet Systems Consortium -.\" Generated by docutils manpage writer. -. diff --git a/doc/man/pkcs11-list.rst b/doc/man/pkcs11-list.rst deleted file mode 100644 index ceaca278f3..0000000000 --- a/doc/man/pkcs11-list.rst +++ /dev/null @@ -1,13 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -:orphan: - -.. include:: ../../bin/pkcs11/pkcs11-list.rst \ No newline at end of file diff --git a/doc/man/pkcs11-tokens.1in b/doc/man/pkcs11-tokens.1in deleted file mode 100644 index a83c7bfa59..0000000000 --- a/doc/man/pkcs11-tokens.1in +++ /dev/null @@ -1,58 +0,0 @@ -.\" Man page generated from reStructuredText. -. -.TH "PKCS11-TOKENS" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9" -.SH NAME -pkcs11-tokens \- list PKCS#11 available tokens -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.SH SYNOPSIS -.sp -\fBpkcs11\-tokens\fP [\fB\-m\fP module] [\fB\-v\fP] -.SH DESCRIPTION -.sp -\fBpkcs11\-tokens\fP lists the PKCS#11 available tokens with defaults from -the slot/token scan performed at application initialization. -.SH OPTIONS -.INDENT 0.0 -.TP -.B \fB\-m module\fP -This option specifies the PKCS#11 provider module. This must be the full path to a -shared library object implementing the PKCS#11 API for the device. -.TP -.B \fB\-v\fP -This option makes the PKCS#11 libisc initialization verbose. -.UNINDENT -.SH SEE ALSO -.sp -\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-keygen(8)\fP, \fBpkcs11\-list(8)\fP -.SH AUTHOR -Internet Systems Consortium -.SH COPYRIGHT -2021, Internet Systems Consortium -.\" Generated by docutils manpage writer. -. diff --git a/doc/man/pkcs11-tokens.rst b/doc/man/pkcs11-tokens.rst deleted file mode 100644 index a473ac040d..0000000000 --- a/doc/man/pkcs11-tokens.rst +++ /dev/null @@ -1,13 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -:orphan: - -.. include:: ../../bin/pkcs11/pkcs11-tokens.rst \ No newline at end of file diff --git a/lib/bind9/check.c b/lib/bind9/check.c index cf67cba406..927615f79e 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -40,8 +40,6 @@ #include #include -#include - #include #include #include diff --git a/lib/dns/Makefile.am b/lib/dns/Makefile.am index 7bf84d2f2a..2bf55ecaf0 100644 --- a/lib/dns/Makefile.am +++ b/lib/dns/Makefile.am @@ -176,7 +176,6 @@ libdns_la_SOURCES = \ dst_openssl.h \ dst_parse.c \ dst_parse.h \ - dst_pkcs11.h \ dst_result.c \ dyndb.c \ ecs.c \ @@ -205,6 +204,9 @@ libdns_la_SOURCES = \ nta.c \ openssl_link.c \ openssldh_link.c \ + opensslecdsa_link.c \ + openssleddsa_link.c \ + opensslrsa_link.c \ order.c \ peer.c \ private.c \ @@ -256,19 +258,6 @@ libdns_la_SOURCES += \ gssapi_link.c endif -if HAVE_PKCS11 -libdns_la_SOURCES += \ - pkcs11.c \ - pkcs11ecdsa_link.c \ - pkcs11eddsa_link.c \ - pkcs11rsa_link.c -else !HAVE_PKCS11 -libdns_la_SOURCES += \ - opensslecdsa_link.c \ - openssleddsa_link.c \ - opensslrsa_link.c -endif - if HAVE_GEOIP2 libdns_la_SOURCES += \ geoip2.c diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 91fa60564c..af94681df2 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -24,8 +24,6 @@ #include #include -#include - #include #include #include diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index b0d5162cc6..f530371668 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -45,8 +45,6 @@ #include #include -#include - #define DST_KEY_INTERNAL #include @@ -203,7 +201,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); RETERR(dst__openssl_init(engine)); RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); -#if USE_OPENSSL RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1], DST_ALG_RSASHA1)); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1], @@ -220,19 +217,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { #ifdef HAVE_OPENSSL_ED448 RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448])); #endif /* ifdef HAVE_OPENSSL_ED448 */ -#endif /* USE_OPENSSL */ -#if USE_PKCS11 - RETERR(dst__pkcs11_init(mctx, engine)); - RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1])); - RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); - RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256])); - RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); - RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); - RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); - RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519])); - RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448])); -#endif /* USE_PKCS11 */ #if HAVE_GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); #endif /* HAVE_GSSAPI */ @@ -259,9 +244,6 @@ dst_lib_destroy(void) { } } dst__openssl_destroy(); -#if USE_PKCS11 - (void)dst__pkcs11_destroy(); -#endif /* USE_PKCS11 */ } bool diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index 5955072ef3..841edcd73c 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -28,6 +28,12 @@ #include #include +#include +#include +#include +#include +#include + #include #include #include @@ -38,17 +44,6 @@ #include #include -#if USE_PKCS11 -#include -#include -#endif /* USE_PKCS11 */ - -#include -#include -#include -#include -#include - #include #include @@ -99,12 +94,7 @@ struct dst_key { void *generic; dns_gss_ctx_id_t gssctx; DH *dh; -#if USE_OPENSSL EVP_PKEY *pkey; -#endif /* if USE_OPENSSL */ -#if USE_PKCS11 - pk11_object_t *pkey; -#endif /* if USE_PKCS11 */ dst_hmac_key_t *hmac_key; } keydata; /*%< pointer to key in crypto pkg fmt */ @@ -149,9 +139,6 @@ struct dst_context { dst_gssapi_signverifyctx_t *gssctx; isc_hmac_t *hmac_ctx; EVP_MD_CTX *evp_md_ctx; -#if USE_PKCS11 - pk11_context_t *pk11_ctx; -#endif /* if USE_PKCS11 */ } ctxdata; }; @@ -203,7 +190,6 @@ struct dst_func { */ isc_result_t dst__openssl_init(const char *engine); -#define dst__pkcs11_init pk11_initialize isc_result_t dst__hmacmd5_init(struct dst_func **funcp); @@ -219,7 +205,6 @@ isc_result_t dst__hmacsha512_init(struct dst_func **funcp); isc_result_t dst__openssldh_init(struct dst_func **funcp); -#if USE_OPENSSL isc_result_t dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); isc_result_t @@ -228,17 +213,6 @@ dst__opensslecdsa_init(struct dst_func **funcp); isc_result_t dst__openssleddsa_init(struct dst_func **funcp); #endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */ -#endif /* USE_OPENSSL */ -#if USE_PKCS11 -isc_result_t -dst__pkcs11rsa_init(struct dst_func **funcp); -isc_result_t -dst__pkcs11dsa_init(struct dst_func **funcp); -isc_result_t -dst__pkcs11ecdsa_init(struct dst_func **funcp); -isc_result_t -dst__pkcs11eddsa_init(struct dst_func **funcp); -#endif /* USE_PKCS11 */ #if HAVE_GSSAPI isc_result_t dst__gssapi_init(struct dst_func **funcp); @@ -249,7 +223,6 @@ dst__gssapi_init(struct dst_func **funcp); */ void dst__openssl_destroy(void); -#define dst__pkcs11_destroy pk11_finalize /*% * Memory allocators using the DST memory pool. diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c index 74dbd85303..e4bc9778ef 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c @@ -38,8 +38,6 @@ #include #include -#include - #include #include diff --git a/lib/dns/dst_pkcs11.h b/lib/dns/dst_pkcs11.h deleted file mode 100644 index 3d8159c528..0000000000 --- a/lib/dns/dst_pkcs11.h +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#ifndef DST_PKCS11_H -#define DST_PKCS11_H 1 - -#include -#include -#include - -ISC_LANG_BEGINDECLS - -isc_result_t -dst__pkcs11_toresult(const char *funcname, const char *file, int line, - isc_result_t fallback, CK_RV rv); - -#define PK11_CALL(func, args, fallback) \ - ((void)(((rv = (func)args) == CKR_OK) || \ - ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \ - fallback, rv)), \ - 0))) - -#define PK11_RET(func, args, fallback) \ - ((void)(((rv = (func)args) == CKR_OK) || \ - ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \ - fallback, rv)), \ - 0))); \ - if (rv != CKR_OK) \ - goto err; - -ISC_LANG_ENDDECLS - -#endif /* DST_PKCS11_H */ diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c index ee4c67bd73..881a9d1193 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c @@ -36,8 +36,6 @@ #include #include -#include - #include #include "dst_internal.h" diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h index 5ee75cf15a..a79cd5e707 100644 --- a/lib/dns/include/dns/tsig.h +++ b/lib/dns/include/dns/tsig.h @@ -26,7 +26,6 @@ #include #include -#include /* * Algorithms. diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index 72b8209366..b49f26fe56 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -36,8 +36,6 @@ #include #include -#include - #include #include "dst_internal.h" diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index e088d5e57e..c0c2eccc0f 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -24,8 +24,6 @@ #include #include -#include - #include #include "dst_internal.h" diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c deleted file mode 100644 index 462b3e9d13..0000000000 --- a/lib/dns/pkcs11.c +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include - -#include -#include - -#include -#include - -#include "dst_internal.h" -#include "dst_pkcs11.h" - -isc_result_t -dst__pkcs11_toresult(const char *funcname, const char *file, int line, - isc_result_t fallback, CK_RV rv) { - isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_CRYPTO, - ISC_LOG_WARNING, "%s:%d: %s: Error = 0x%.8lX\n", file, - line, funcname, rv); - if (rv == CKR_HOST_MEMORY) { - return (ISC_R_NOMEMORY); - } - return (fallback); -} diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c deleted file mode 100644 index e5da3d5007..0000000000 --- a/lib/dns/pkcs11ecdsa_link.c +++ /dev/null @@ -1,1149 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/*! \file */ - -#include - -#include -#include -#include -#include - -#include -#include -#include -#include - -#include - -#include - -#include "dst_internal.h" -#include "dst_parse.h" -#include "dst_pkcs11.h" - -/* - * FIPS 186-3 ECDSA keys: - * mechanisms: - * CKM_ECDSA, - * CKM_EC_KEY_PAIR_GEN - * domain parameters: - * CKA_EC_PARAMS (choice with OID namedCurve) - * public keys: - * object class CKO_PUBLIC_KEY - * key type CKK_EC - * attribute CKA_EC_PARAMS (choice with OID namedCurve) - * attribute CKA_EC_POINT (point Q) - * private keys: - * object class CKO_PRIVATE_KEY - * key type CKK_EC - * attribute CKA_EC_PARAMS (choice with OID namedCurve) - * attribute CKA_VALUE (big int d) - * point format: 0x04 (octet-string) <2*size+1> 0x4 (uncompressed) - */ - -#define TAG_OCTECT_STRING 0x04 -#define UNCOMPRESSED 0x04 - -#define DST_RET(a) \ - { \ - ret = a; \ - goto err; \ - } - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -static void -pkcs11ecdsa_destroy(dst_key_t *key); - -static isc_result_t -pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { 0, NULL, 0 }; - CK_SLOT_ID slotid; - pk11_context_t *pk11_ctx; - pk11_object_t *ec = key->keydata.pkey; - isc_result_t ret; - - REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || - dctx->key->key_alg == DST_ALG_ECDSA384); - REQUIRE(ec != NULL); - - if (dctx->key->key_alg == DST_ALG_ECDSA256) { - mech.mechanism = CKM_SHA256; - } else { - mech.mechanism = CKM_SHA384; - } - - pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - if (ec->ontoken && (dctx->use == DO_SIGN)) { - slotid = ec->slot; - } else { - slotid = pk11_get_best_token(OP_ECDSA); - } - ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, ec->reqlogon, - NULL, slotid); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE); - dctx->ctxdata.pk11_ctx = pk11_ctx; - return (ISC_R_SUCCESS); - -err: - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static void -pkcs11ecdsa_destroyctx(dst_context_t *dctx) { - CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA384_DIGESTLENGTH; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - - REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || - dctx->key->key_alg == DST_ALG_ECDSA384); - - if (pk11_ctx != NULL) { - (void)pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len); - memset(garbage, 0, sizeof(garbage)); - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - } -} - -static isc_result_t -pkcs11ecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || - dctx->key->key_alg == DST_ALG_ECDSA384); - - PK11_CALL(pkcs_C_DigestUpdate, - (pk11_ctx->session, (CK_BYTE_PTR)data->base, - (CK_ULONG)data->length), - ISC_R_FAILURE); - - return (ret); -} - -static isc_result_t -pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - CK_RV rv; - CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EC; - CK_ATTRIBUTE keyTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 }, - { CKA_VALUE, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_BYTE digest[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG dgstlen; - CK_ULONG siglen; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *ec = key->keydata.pkey; - isc_region_t r; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - REQUIRE(ec != NULL); - - switch (key->key_alg) { - case DST_ALG_ECDSA256: - dgstlen = ISC_SHA256_DIGESTLENGTH; - siglen = DNS_SIG_ECDSA256SIZE; - break; - case DST_ALG_ECDSA384: - siglen = DNS_SIG_ECDSA384SIZE; - dgstlen = ISC_SHA384_DIGESTLENGTH; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen), - ISC_R_FAILURE); - - isc_buffer_availableregion(sig, &r); - if (r.length < siglen) { - DST_RET(ISC_R_NOSPACE); - } - - if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = ec->ontoken; - pk11_ctx->object = ec->object; - goto token_key; - } - - for (attr = pk11_attribute_first(ec); attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_VALUE: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = false; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey), - ISC_R_FAILURE); - -token_key: - - PK11_RET(pkcs_C_SignInit, - (pk11_ctx->session, &mech, - pk11_ctx->ontoken ? pk11_ctx->object : hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_Sign, - (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)r.base, - &siglen), - DST_R_SIGNFAILURE); - - isc_buffer_add(sig, (unsigned int)siglen); - -err: - - if (hKey != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey); - } - for (i = 5; i <= 6; i++) { - if (keyTemplate[i].pValue != NULL) { - { - memset(keyTemplate[i].pValue, 0, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - } - } - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - - return (ret); -} - -static isc_result_t -pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - CK_RV rv; - CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EC; - CK_ATTRIBUTE keyTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 }, - { CKA_EC_POINT, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_BYTE digest[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG dgstlen; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *ec = key->keydata.pkey; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - REQUIRE(ec != NULL); - - switch (key->key_alg) { - case DST_ALG_ECDSA256: - dgstlen = ISC_SHA256_DIGESTLENGTH; - break; - case DST_ALG_ECDSA384: - dgstlen = ISC_SHA384_DIGESTLENGTH; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen), - ISC_R_FAILURE); - - for (attr = pk11_attribute_first(ec); attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_EC_POINT: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = false; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_VerifyInit, (pk11_ctx->session, &mech, hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_Verify, - (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)sig->base, - (CK_ULONG)sig->length), - DST_R_VERIFYFAILURE); - -err: - - if (hKey != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey); - } - for (i = 5; i <= 6; i++) { - if (keyTemplate[i].pValue != NULL) { - { - memset(keyTemplate[i].pValue, 0, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - } - } - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - - return (ret); -} - -static bool -pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - pk11_object_t *ec1, *ec2; - CK_ATTRIBUTE *attr1, *attr2; - - ec1 = key1->keydata.pkey; - ec2 = key2->keydata.pkey; - - if ((ec1 == NULL) && (ec2 == NULL)) { - return (true); - } else if ((ec1 == NULL) || (ec2 == NULL)) { - return (false); - } - - attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS); - attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS); - if ((attr1 == NULL) && (attr2 == NULL)) { - return (true); - } else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - { - return (false); - } - - attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT); - attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT); - if ((attr1 == NULL) && (attr2 == NULL)) { - return (true); - } else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - { - return (false); - } - - attr1 = pk11_attribute_bytype(ec1, CKA_VALUE); - attr2 = pk11_attribute_bytype(ec2, CKA_VALUE); - if (((attr1 != NULL) || (attr2 != NULL)) && - ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen))) - { - return (false); - } - - if (!ec1->ontoken && !ec2->ontoken) { - return (true); - } else if (ec1->ontoken || ec2->ontoken || (ec1->object != ec2->object)) - { - return (false); - } - - return (true); -} - -#define SETCURVE() \ - switch (key->key_alg) { \ - case DST_ALG_ECDSA256: \ - attr->pValue = isc_mem_get(key->mctx, \ - sizeof(PK11_ECC_PRIME256V1)); \ - memmove(attr->pValue, PK11_ECC_PRIME256V1, \ - sizeof(PK11_ECC_PRIME256V1)); \ - attr->ulValueLen = sizeof(PK11_ECC_PRIME256V1); \ - break; \ - case DST_ALG_ECDSA384: \ - attr->pValue = isc_mem_get(key->mctx, \ - sizeof(PK11_ECC_SECP384R1)); \ - memmove(attr->pValue, PK11_ECC_SECP384R1, \ - sizeof(PK11_ECC_SECP384R1)); \ - attr->ulValueLen = sizeof(PK11_ECC_SECP384R1); \ - break; \ - default: \ - INSIST(0); \ - ISC_UNREACHABLE(); \ - } - -#define FREECURVE() \ - if (attr->pValue != NULL) { \ - memset(attr->pValue, 0, attr->ulValueLen); \ - isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \ - attr->pValue = NULL; \ - } - -static isc_result_t -pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - CK_RV rv; - CK_MECHANISM mech = { CKM_EC_KEY_PAIR_GEN, NULL, 0 }; - CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; - CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EC; - CK_ATTRIBUTE pubTemplate[] = { - { CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 } - }; - CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; - CK_ATTRIBUTE privTemplate[] = { - { CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_EXTRACTABLE, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) } - }; - CK_ATTRIBUTE *attr; - pk11_object_t *ec; - pk11_context_t *pk11_ctx; - isc_result_t ret; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - UNUSED(unused); - UNUSED(callback); - - pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, false, NULL, - pk11_get_best_token(OP_ECDSA)); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - ec = isc_mem_get(key->mctx, sizeof(*ec)); - memset(ec, 0, sizeof(*ec)); - key->keydata.pkey = ec; - ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3); - memset(ec->repr, 0, sizeof(*attr) * 3); - ec->attrcnt = 3; - - attr = ec->repr; - attr[0].type = CKA_EC_PARAMS; - attr[1].type = CKA_EC_POINT; - attr[2].type = CKA_VALUE; - - attr = &pubTemplate[5]; - SETCURVE(); - - PK11_RET(pkcs_C_GenerateKeyPair, - (pk11_ctx->session, &mech, pubTemplate, (CK_ULONG)6, - privTemplate, (CK_ULONG)7, &pub, &priv), - DST_R_CRYPTOFAILURE); - - attr = &pubTemplate[5]; - FREECURVE(); - - attr = ec->repr; - SETCURVE(); - - attr++; - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - - attr++; - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - - (void)pkcs_C_DestroyObject(pk11_ctx->session, priv); - (void)pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - switch (key->key_alg) { - case DST_ALG_ECDSA256: - key->key_size = DNS_KEY_ECDSA256SIZE * 4; - break; - case DST_ALG_ECDSA384: - key->key_size = DNS_KEY_ECDSA384SIZE * 4; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - return (ISC_R_SUCCESS); - -err: - pkcs11ecdsa_destroy(key); - if (priv != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, priv); - } - if (pub != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, pub); - } - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static bool -pkcs11ecdsa_isprivate(const dst_key_t *key) { - pk11_object_t *ec = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (ec == NULL) { - return (false); - } - attr = pk11_attribute_bytype(ec, CKA_VALUE); - return (attr != NULL || ec->ontoken); -} - -static void -pkcs11ecdsa_destroy(dst_key_t *key) { - pk11_object_t *ec = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (ec == NULL) { - return; - } - - INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken); - - for (attr = pk11_attribute_first(ec); attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_LABEL: - case CKA_ID: - case CKA_EC_PARAMS: - case CKA_EC_POINT: - case CKA_VALUE: - FREECURVE(); - break; - } - if (ec->repr != NULL) { - memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr)); - } - memset(ec, 0, sizeof(*ec)); - isc_mem_put(key->mctx, ec, sizeof(*ec)); - key->keydata.pkey = NULL; -} - -static isc_result_t -pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *ec; - isc_region_t r; - unsigned int len; - CK_ATTRIBUTE *attr; - - REQUIRE(key->keydata.pkey != NULL); - - switch (key->key_alg) { - case DST_ALG_ECDSA256: - len = DNS_KEY_ECDSA256SIZE; - break; - case DST_ALG_ECDSA384: - len = DNS_KEY_ECDSA384SIZE; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - ec = key->keydata.pkey; - attr = pk11_attribute_bytype(ec, CKA_EC_POINT); - if ((attr == NULL) || (attr->ulValueLen != len + 3) || - (((CK_BYTE_PTR)attr->pValue)[0] != TAG_OCTECT_STRING) || - (((CK_BYTE_PTR)attr->pValue)[1] != len + 1) || - (((CK_BYTE_PTR)attr->pValue)[2] != UNCOMPRESSED)) - { - return (ISC_R_FAILURE); - } - - isc_buffer_availableregion(data, &r); - if (r.length < len) { - return (ISC_R_NOSPACE); - } - memmove(r.base, (CK_BYTE_PTR)attr->pValue + 3, len); - isc_buffer_add(data, len); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *ec; - isc_region_t r; - unsigned int len; - CK_ATTRIBUTE *attr; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - - switch (key->key_alg) { - case DST_ALG_ECDSA256: - len = DNS_KEY_ECDSA256SIZE; - break; - case DST_ALG_ECDSA384: - len = DNS_KEY_ECDSA384SIZE; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) { - return (ISC_R_SUCCESS); - } - if (r.length != len) { - return (DST_R_INVALIDPUBLICKEY); - } - - ec = isc_mem_get(key->mctx, sizeof(*ec)); - memset(ec, 0, sizeof(*ec)); - ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2); - ec->attrcnt = 2; - - attr = ec->repr; - attr->type = CKA_EC_PARAMS; - SETCURVE(); - - attr++; - attr->type = CKA_EC_POINT; - attr->pValue = isc_mem_get(key->mctx, len + 3); - ((CK_BYTE_PTR)attr->pValue)[0] = TAG_OCTECT_STRING; - ((CK_BYTE_PTR)attr->pValue)[1] = len + 1; - ((CK_BYTE_PTR)attr->pValue)[2] = UNCOMPRESSED; - memmove((CK_BYTE_PTR)attr->pValue + 3, r.base, len); - attr->ulValueLen = len + 3; - - isc_buffer_forward(data, len); - key->keydata.pkey = ec; - key->key_size = len * 4; - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11ecdsa_tofile(const dst_key_t *key, const char *directory) { - isc_result_t ret; - pk11_object_t *ec; - dst_private_t priv; - unsigned char *buf = NULL; - unsigned int i = 0; - CK_ATTRIBUTE *attr; - - if (key->keydata.pkey == NULL) { - return (DST_R_NULLKEY); - } - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - ec = key->keydata.pkey; - attr = pk11_attribute_bytype(ec, CKA_VALUE); - if (attr != NULL) { - buf = isc_mem_get(key->mctx, attr->ulValueLen); - priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY; - priv.elements[i].length = (unsigned short)attr->ulValueLen; - memmove(buf, attr->pValue, attr->ulValueLen); - priv.elements[i].data = buf; - i++; - } - - if (key->engine != NULL) { - priv.elements[i].tag = TAG_ECDSA_ENGINE; - priv.elements[i].length = strlen(key->engine) + 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } - - if (key->label != NULL) { - priv.elements[i].tag = TAG_ECDSA_LABEL; - priv.elements[i].length = strlen(key->label) + 1; - priv.elements[i].data = (unsigned char *)key->label; - i++; - } - - priv.nelements = i; - ret = dst__privstruct_writefile(key, &priv, directory); - - if (buf != NULL) { - memset(buf, 0, attr->ulValueLen); - isc_mem_put(key->mctx, buf, attr->ulValueLen); - } - return (ret); -} - -static isc_result_t -pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub) { - CK_RV rv; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EC; - CK_ATTRIBUTE searchTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - CK_ATTRIBUTE *pubattr; - pk11_object_t *ec; - pk11_object_t *pubec; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - - if (label == NULL) { - return (DST_R_NOENGINE); - } - - ec = key->keydata.pkey; - pubec = pub->keydata.pkey; - - ec->object = CK_INVALID_HANDLE; - ec->ontoken = true; - ec->reqlogon = true; - ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2); - memset(ec->repr, 0, sizeof(*attr) * 2); - ec->attrcnt = 2; - attr = ec->repr; - - attr->type = CKA_EC_PARAMS; - pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS); - INSIST(pubattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - attr++; - - attr->type = CKA_EC_POINT; - pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT); - INSIST(pubattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - - ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, ec->reqlogon, - NULL, ec->slot); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - attr = pk11_attribute_bytype(ec, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(ec, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG)4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt), - DST_R_CRYPTOFAILURE); - (void)pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) { - DST_RET(ISC_R_NOTFOUND); - } - if (cnt > 1) { - DST_RET(ISC_R_EXISTS); - } - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } - - key->label = isc_mem_strdup(key->mctx, label); - - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - return (ISC_R_SUCCESS); - -err: - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - return (ret); -} - -static isc_result_t -pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - pk11_object_t *ec = NULL; - CK_ATTRIBUTE *attr, *pattr; - isc_mem_t *mctx = key->mctx; - unsigned int i; - const char *engine = NULL, *label = NULL; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - - if ((pub == NULL) || (pub->keydata.pkey == NULL)) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) { - return (ret); - } - - if (key->external) { - if (priv.nelements != 0) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } - - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; - key->key_size = pub->key_size; - - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - - return (ISC_R_SUCCESS); - } - - for (i = 0; i < priv.nelements; i++) { - switch (priv.elements[i].tag) { - case TAG_ECDSA_ENGINE: - engine = (char *)priv.elements[i].data; - break; - case TAG_ECDSA_LABEL: - label = (char *)priv.elements[i].data; - break; - default: - break; - } - } - ec = isc_mem_get(key->mctx, sizeof(*ec)); - memset(ec, 0, sizeof(*ec)); - key->keydata.pkey = ec; - - /* Is this key is stored in a HSM? See if we can fetch it. */ - if ((label != NULL) || (engine != NULL)) { - ret = pkcs11ecdsa_fetch(key, engine, label, pub); - if (ret != ISC_R_SUCCESS) { - goto err; - } - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - return (ret); - } - - ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3); - memset(ec->repr, 0, sizeof(*attr) * 3); - ec->attrcnt = 3; - - attr = ec->repr; - attr->type = CKA_EC_PARAMS; - pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS); - INSIST(pattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); - memmove(attr->pValue, pattr->pValue, pattr->ulValueLen); - attr->ulValueLen = pattr->ulValueLen; - - attr++; - attr->type = CKA_EC_POINT; - pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT); - INSIST(pattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); - memmove(attr->pValue, pattr->pValue, pattr->ulValueLen); - attr->ulValueLen = pattr->ulValueLen; - - attr++; - attr->type = CKA_VALUE; - attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length); - memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length); - attr->ulValueLen = priv.elements[0].length; - - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - switch (key->key_alg) { - case DST_ALG_ECDSA256: - key->key_size = DNS_KEY_ECDSA256SIZE * 4; - break; - case DST_ALG_ECDSA384: - key->key_size = DNS_KEY_ECDSA384SIZE * 4; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - return (ISC_R_SUCCESS); - -err: - pkcs11ecdsa_destroy(key); - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - return (ret); -} - -static isc_result_t -pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) { - CK_RV rv; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EC; - CK_ATTRIBUTE searchTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - pk11_object_t *ec; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - unsigned int i; - - UNUSED(pin); - - ec = isc_mem_get(key->mctx, sizeof(*ec)); - memset(ec, 0, sizeof(*ec)); - ec->object = CK_INVALID_HANDLE; - ec->ontoken = true; - ec->reqlogon = true; - key->keydata.pkey = ec; - - ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2); - memset(ec->repr, 0, sizeof(*attr) * 2); - ec->attrcnt = 2; - attr = ec->repr; - attr[0].type = CKA_EC_PARAMS; - attr[1].type = CKA_EC_POINT; - - ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, ec->reqlogon, - NULL, ec->slot); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - attr = pk11_attribute_bytype(ec, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(ec, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG)4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &hKey, (CK_ULONG)1, &cnt), - DST_R_CRYPTOFAILURE); - (void)pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) { - DST_RET(ISC_R_NOTFOUND); - } - if (cnt > 1) { - DST_RET(ISC_R_EXISTS); - } - - attr = ec->repr; - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - for (i = 0; i <= 1; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - - keyClass = CKO_PRIVATE_KEY; - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG)4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt), - DST_R_CRYPTOFAILURE); - (void)pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) { - DST_RET(ISC_R_NOTFOUND); - } - if (cnt > 1) { - DST_RET(ISC_R_EXISTS); - } - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } - - key->label = isc_mem_strdup(key->mctx, label); - switch (key->key_alg) { - case DST_ALG_ECDSA256: - key->key_size = DNS_KEY_ECDSA256SIZE * 4; - break; - case DST_ALG_ECDSA384: - key->key_size = DNS_KEY_ECDSA384SIZE * 4; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - return (ISC_R_SUCCESS); - -err: - pkcs11ecdsa_destroy(key); - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - return (ret); -} - -static dst_func_t pkcs11ecdsa_functions = { - pkcs11ecdsa_createctx, - NULL, /*%< createctx2 */ - pkcs11ecdsa_destroyctx, - pkcs11ecdsa_adddata, - pkcs11ecdsa_sign, - pkcs11ecdsa_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - pkcs11ecdsa_compare, - NULL, /*%< paramcompare */ - pkcs11ecdsa_generate, - pkcs11ecdsa_isprivate, - pkcs11ecdsa_destroy, - pkcs11ecdsa_todns, - pkcs11ecdsa_fromdns, - pkcs11ecdsa_tofile, - pkcs11ecdsa_parse, - NULL, /*%< cleanup */ - pkcs11ecdsa_fromlabel, - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__pkcs11ecdsa_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) { - *funcp = &pkcs11ecdsa_functions; - } - return (ISC_R_SUCCESS); -} diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c deleted file mode 100644 index 471648f768..0000000000 --- a/lib/dns/pkcs11eddsa_link.c +++ /dev/null @@ -1,1119 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/*! \file */ - -#include - -#include -#include -#include -#include - -#include -#include -#include -#include - -#include - -#include - -#include "dst_internal.h" -#include "dst_parse.h" -#include "dst_pkcs11.h" - -/* - * FIPS 186-3 EDDSA keys: - * mechanisms: - * CKM_EDDSA, - * CKM_EC_EDWARDS_KEY_PAIR_GEN - * domain parameters: - * CKA_EC_PARAMS (choice with OID namedCurve) - * public keys: - * object class CKO_PUBLIC_KEY - * key type CKK_EC_EDWARDS - * attribute CKA_EC_PARAMS (choice with OID namedCurve) - * attribute CKA_EC_POINT (big int A) - * private keys: - * object class CKO_PRIVATE_KEY - * key type CKK_EC_EDWARDS - * attribute CKA_EC_PARAMS (choice with OID namedCurve) - * attribute CKA_VALUE (big int k) - * point format: 0x04 (octet-string) - */ - -#define TAG_OCTECT_STRING 0x04 - -#define DST_RET(a) \ - { \ - ret = a; \ - goto err; \ - } - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -static void -pkcs11eddsa_destroy(dst_key_t *key); - -static isc_result_t -pkcs11eddsa_createctx(dst_key_t *key, dst_context_t *dctx) { - isc_buffer_t *buf = NULL; - - UNUSED(key); - REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 || - dctx->key->key_alg == DST_ALG_ED448); - - isc_buffer_allocate(dctx->mctx, &buf, 16); - isc_buffer_setautorealloc(buf, true); - dctx->ctxdata.generic = buf; - - return (ISC_R_SUCCESS); -} - -static void -pkcs11eddsa_destroyctx(dst_context_t *dctx) { - isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic; - - REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 || - dctx->key->key_alg == DST_ALG_ED448); - if (buf != NULL) { - isc_buffer_free(&buf); - } - dctx->ctxdata.generic = NULL; -} - -static isc_result_t -pkcs11eddsa_adddata(dst_context_t *dctx, const isc_region_t *data) { - isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic; - isc_result_t result; - - REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 || - dctx->key->key_alg == DST_ALG_ED448); - - result = isc_buffer_copyregion(buf, data); - INSIST(result == ISC_R_SUCCESS); - - return (result); -} - -static isc_result_t -pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic; - CK_RV rv; - CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EC_EDWARDS; - CK_ATTRIBUTE keyTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 }, - { CKA_VALUE, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_ULONG siglen; - CK_SLOT_ID slotid; - pk11_context_t *pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *ec = key->keydata.pkey; - isc_region_t t; - isc_region_t r; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_ED25519 || - key->key_alg == DST_ALG_ED448); - REQUIRE(ec != NULL); - - switch (key->key_alg) { - case DST_ALG_ED25519: - siglen = DNS_SIG_ED25519SIZE; - break; - case DST_ALG_ED448: - siglen = DNS_SIG_ED448SIZE; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - if (ec->ontoken && (dctx->use == DO_SIGN)) { - slotid = ec->slot; - } else { - slotid = pk11_get_best_token(OP_EDDSA); - } - ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, - NULL, slotid); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - isc_buffer_availableregion(sig, &r); - if (r.length < siglen) { - DST_RET(ISC_R_NOSPACE); - } - - if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = ec->ontoken; - pk11_ctx->object = ec->object; - goto token_key; - } - - for (attr = pk11_attribute_first(ec); attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_VALUE: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = false; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey), - ISC_R_FAILURE); - -token_key: - - PK11_RET(pkcs_C_SignInit, - (pk11_ctx->session, &mech, - pk11_ctx->ontoken ? pk11_ctx->object : hKey), - ISC_R_FAILURE); - - isc_buffer_usedregion(buf, &t); - - PK11_RET(pkcs_C_Sign, - (pk11_ctx->session, (CK_BYTE_PTR)t.base, (CK_ULONG)t.length, - (CK_BYTE_PTR)r.base, &siglen), - DST_R_SIGNFAILURE); - - isc_buffer_add(sig, (unsigned int)siglen); - -err: - - if (hKey != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey); - } - for (i = 5; i <= 6; i++) { - if (keyTemplate[i].pValue != NULL) { - { - memset(keyTemplate[i].pValue, 0, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - } - } - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - isc_buffer_free(&buf); - dctx->ctxdata.generic = NULL; - - return (ret); -} - -static isc_result_t -pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic; - CK_RV rv; - CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EC_EDWARDS; - CK_ATTRIBUTE keyTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 }, - { CKA_EC_POINT, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_SLOT_ID slotid; - pk11_context_t *pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *ec = key->keydata.pkey; - isc_region_t t; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_ED25519 || - key->key_alg == DST_ALG_ED448); - REQUIRE(ec != NULL); - - pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - if (ec->ontoken && (dctx->use == DO_SIGN)) { - slotid = ec->slot; - } else { - slotid = pk11_get_best_token(OP_EDDSA); - } - ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, - NULL, slotid); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - for (attr = pk11_attribute_first(ec); attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_EC_POINT: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = false; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_VerifyInit, (pk11_ctx->session, &mech, hKey), - ISC_R_FAILURE); - - isc_buffer_usedregion(buf, &t); - - PK11_RET(pkcs_C_Verify, - (pk11_ctx->session, (CK_BYTE_PTR)t.base, (CK_ULONG)t.length, - (CK_BYTE_PTR)sig->base, (CK_ULONG)sig->length), - DST_R_VERIFYFAILURE); - -err: - - if (hKey != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey); - } - for (i = 5; i <= 6; i++) { - if (keyTemplate[i].pValue != NULL) { - { - memset(keyTemplate[i].pValue, 0, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - } - } - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - isc_buffer_free(&buf); - dctx->ctxdata.generic = NULL; - - return (ret); -} - -static bool -pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - pk11_object_t *ec1, *ec2; - CK_ATTRIBUTE *attr1, *attr2; - - ec1 = key1->keydata.pkey; - ec2 = key2->keydata.pkey; - - if ((ec1 == NULL) && (ec2 == NULL)) { - return (true); - } else if ((ec1 == NULL) || (ec2 == NULL)) { - return (false); - } - - attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS); - attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS); - if ((attr1 == NULL) && (attr2 == NULL)) { - return (true); - } else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - { - return (false); - } - - attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT); - attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT); - if ((attr1 == NULL) && (attr2 == NULL)) { - return (true); - } else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - { - return (false); - } - - attr1 = pk11_attribute_bytype(ec1, CKA_VALUE); - attr2 = pk11_attribute_bytype(ec2, CKA_VALUE); - if (((attr1 != NULL) || (attr2 != NULL)) && - ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen))) - { - return (false); - } - - if (!ec1->ontoken && !ec2->ontoken) { - return (true); - } else if (ec1->ontoken || ec2->ontoken || (ec1->object != ec2->object)) - { - return (false); - } - - return (true); -} - -#define SETCURVE() \ - switch (key->key_alg) { \ - case DST_ALG_ED25519: \ - attr->pValue = isc_mem_get(key->mctx, \ - sizeof(PK11_ECX_ED25519)); \ - memmove(attr->pValue, PK11_ECX_ED25519, \ - sizeof(PK11_ECX_ED25519)); \ - attr->ulValueLen = sizeof(PK11_ECX_ED25519); \ - break; \ - case DST_ALG_ED448: \ - attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED448)); \ - memmove(attr->pValue, PK11_ECX_ED448, sizeof(PK11_ECX_ED448)); \ - attr->ulValueLen = sizeof(PK11_ECX_ED448); \ - break; \ - default: \ - INSIST(0); \ - ISC_UNREACHABLE(); \ - } - -#define FREECURVE() \ - if (attr->pValue != NULL) { \ - memset(attr->pValue, 0, attr->ulValueLen); \ - isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \ - attr->pValue = NULL; \ - } - -static isc_result_t -pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - CK_RV rv; - CK_MECHANISM mech = { CKM_EC_EDWARDS_KEY_PAIR_GEN, NULL, 0 }; - CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; - CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EC_EDWARDS; - CK_ATTRIBUTE pubTemplate[] = { - { CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 } - }; - CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; - CK_ATTRIBUTE privTemplate[] = { - { CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_EXTRACTABLE, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) } - }; - CK_ATTRIBUTE *attr; - pk11_object_t *ec; - pk11_context_t *pk11_ctx; - isc_result_t ret; - - REQUIRE(key->key_alg == DST_ALG_ED25519 || - key->key_alg == DST_ALG_ED448); - UNUSED(unused); - UNUSED(callback); - - pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, false, NULL, - pk11_get_best_token(OP_EDDSA)); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - ec = isc_mem_get(key->mctx, sizeof(*ec)); - memset(ec, 0, sizeof(*ec)); - key->keydata.pkey = ec; - ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3); - memset(ec->repr, 0, sizeof(*attr) * 3); - ec->attrcnt = 3; - - attr = ec->repr; - attr[0].type = CKA_EC_PARAMS; - attr[1].type = CKA_EC_POINT; - attr[2].type = CKA_VALUE; - - attr = &pubTemplate[5]; - SETCURVE(); - - PK11_RET(pkcs_C_GenerateKeyPair, - (pk11_ctx->session, &mech, pubTemplate, (CK_ULONG)6, - privTemplate, (CK_ULONG)7, &pub, &priv), - DST_R_CRYPTOFAILURE); - - attr = &pubTemplate[5]; - FREECURVE(); - - attr = ec->repr; - SETCURVE(); - - attr++; - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - - attr++; - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - - (void)pkcs_C_DestroyObject(pk11_ctx->session, priv); - (void)pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - switch (key->key_alg) { - case DST_ALG_ED25519: - key->key_size = DNS_KEY_ED25519SIZE * 8; - break; - case DST_ALG_ED448: - key->key_size = DNS_KEY_ED448SIZE * 8; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - return (ISC_R_SUCCESS); - -err: - pkcs11eddsa_destroy(key); - if (priv != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, priv); - } - if (pub != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, pub); - } - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static bool -pkcs11eddsa_isprivate(const dst_key_t *key) { - pk11_object_t *ec = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (ec == NULL) { - return (false); - } - attr = pk11_attribute_bytype(ec, CKA_VALUE); - return (attr != NULL || ec->ontoken); -} - -static void -pkcs11eddsa_destroy(dst_key_t *key) { - pk11_object_t *ec = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (ec == NULL) { - return; - } - - INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken); - - for (attr = pk11_attribute_first(ec); attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_LABEL: - case CKA_ID: - case CKA_EC_PARAMS: - case CKA_EC_POINT: - case CKA_VALUE: - FREECURVE(); - break; - } - if (ec->repr != NULL) { - memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr)); - } - memset(ec, 0, sizeof(*ec)); - isc_mem_put(key->mctx, ec, sizeof(*ec)); - key->keydata.pkey = NULL; -} - -static isc_result_t -pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *ec; - isc_region_t r; - unsigned int len; - CK_ATTRIBUTE *attr; - - REQUIRE(key->keydata.pkey != NULL); - - switch (key->key_alg) { - case DST_ALG_ED25519: - len = DNS_KEY_ED25519SIZE; - break; - case DST_ALG_ED448: - len = DNS_KEY_ED448SIZE; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - ec = key->keydata.pkey; - attr = pk11_attribute_bytype(ec, CKA_EC_POINT); - if ((attr == NULL) || (attr->ulValueLen != len + 2) || - (((CK_BYTE_PTR)attr->pValue)[0] != TAG_OCTECT_STRING) || - (((CK_BYTE_PTR)attr->pValue)[1] != len)) - { - return (ISC_R_FAILURE); - } - - isc_buffer_availableregion(data, &r); - if (r.length < len) { - return (ISC_R_NOSPACE); - } - memmove(r.base, (CK_BYTE_PTR)attr->pValue + 2, len); - isc_buffer_add(data, len); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *ec; - isc_region_t r; - unsigned int len; - CK_ATTRIBUTE *attr; - - REQUIRE(key->key_alg == DST_ALG_ED25519 || - key->key_alg == DST_ALG_ED448); - - switch (key->key_alg) { - case DST_ALG_ED25519: - len = DNS_KEY_ED25519SIZE; - break; - case DST_ALG_ED448: - len = DNS_KEY_ED448SIZE; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) { - return (ISC_R_SUCCESS); - } - if (r.length != len) { - return (DST_R_INVALIDPUBLICKEY); - } - - ec = isc_mem_get(key->mctx, sizeof(*ec)); - memset(ec, 0, sizeof(*ec)); - ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2); - ec->attrcnt = 2; - - attr = ec->repr; - attr->type = CKA_EC_PARAMS; - SETCURVE(); - - attr++; - attr->type = CKA_EC_POINT; - attr->pValue = isc_mem_get(key->mctx, len + 2); - ((CK_BYTE_PTR)attr->pValue)[0] = TAG_OCTECT_STRING; - ((CK_BYTE_PTR)attr->pValue)[1] = len; - memmove((CK_BYTE_PTR)attr->pValue + 2, r.base, len); - attr->ulValueLen = len + 2; - - isc_buffer_forward(data, len); - key->keydata.pkey = ec; - key->key_size = len * 8; - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11eddsa_tofile(const dst_key_t *key, const char *directory) { - isc_result_t ret; - pk11_object_t *ec; - dst_private_t priv; - unsigned char *buf = NULL; - unsigned int i = 0; - CK_ATTRIBUTE *attr; - - if (key->keydata.pkey == NULL) { - return (DST_R_NULLKEY); - } - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - ec = key->keydata.pkey; - attr = pk11_attribute_bytype(ec, CKA_VALUE); - if (attr != NULL) { - buf = isc_mem_get(key->mctx, attr->ulValueLen); - priv.elements[i].tag = TAG_EDDSA_PRIVATEKEY; - priv.elements[i].length = (unsigned short)attr->ulValueLen; - memmove(buf, attr->pValue, attr->ulValueLen); - priv.elements[i].data = buf; - i++; - } - - if (key->engine != NULL) { - priv.elements[i].tag = TAG_EDDSA_ENGINE; - priv.elements[i].length = strlen(key->engine) + 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } - - if (key->label != NULL) { - priv.elements[i].tag = TAG_EDDSA_LABEL; - priv.elements[i].length = strlen(key->label) + 1; - priv.elements[i].data = (unsigned char *)key->label; - i++; - } - - priv.nelements = i; - ret = dst__privstruct_writefile(key, &priv, directory); - - if (buf != NULL) { - memset(buf, 0, attr->ulValueLen); - isc_mem_put(key->mctx, buf, attr->ulValueLen); - } - return (ret); -} - -static isc_result_t -pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub) { - CK_RV rv; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EC_EDWARDS; - CK_ATTRIBUTE searchTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - CK_ATTRIBUTE *pubattr; - pk11_object_t *ec; - pk11_object_t *pubec; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - - if (label == NULL) { - return (DST_R_NOENGINE); - } - - ec = key->keydata.pkey; - pubec = pub->keydata.pkey; - - ec->object = CK_INVALID_HANDLE; - ec->ontoken = true; - ec->reqlogon = true; - ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2); - memset(ec->repr, 0, sizeof(*attr) * 2); - ec->attrcnt = 2; - attr = ec->repr; - - attr->type = CKA_EC_PARAMS; - pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS); - INSIST(pubattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - attr++; - - attr->type = CKA_EC_POINT; - pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT); - INSIST(pubattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - - ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, - NULL, ec->slot); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - attr = pk11_attribute_bytype(ec, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(ec, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG)4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt), - DST_R_CRYPTOFAILURE); - (void)pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) { - DST_RET(ISC_R_NOTFOUND); - } - if (cnt > 1) { - DST_RET(ISC_R_EXISTS); - } - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } - - key->label = isc_mem_strdup(key->mctx, label); - - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - return (ISC_R_SUCCESS); - -err: - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - return (ret); -} - -static isc_result_t -pkcs11eddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - pk11_object_t *ec = NULL; - CK_ATTRIBUTE *attr, *pattr; - isc_mem_t *mctx = key->mctx; - unsigned int i; - const char *engine = NULL, *label = NULL; - - REQUIRE(key->key_alg == DST_ALG_ED25519 || - key->key_alg == DST_ALG_ED448); - - if ((pub == NULL) || (pub->keydata.pkey == NULL)) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) { - return (ret); - } - - if (key->external) { - if (priv.nelements != 0) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } - - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; - key->key_size = pub->key_size; - - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - - return (ISC_R_SUCCESS); - } - - for (i = 0; i < priv.nelements; i++) { - switch (priv.elements[i].tag) { - case TAG_EDDSA_ENGINE: - engine = (char *)priv.elements[i].data; - break; - case TAG_EDDSA_LABEL: - label = (char *)priv.elements[i].data; - break; - default: - break; - } - } - ec = isc_mem_get(key->mctx, sizeof(*ec)); - memset(ec, 0, sizeof(*ec)); - key->keydata.pkey = ec; - - /* Is this key is stored in a HSM? See if we can fetch it. */ - if ((label != NULL) || (engine != NULL)) { - ret = pkcs11eddsa_fetch(key, engine, label, pub); - if (ret != ISC_R_SUCCESS) { - goto err; - } - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - return (ret); - } - - ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3); - memset(ec->repr, 0, sizeof(*attr) * 3); - ec->attrcnt = 3; - - attr = ec->repr; - attr->type = CKA_EC_PARAMS; - pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS); - INSIST(pattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); - memmove(attr->pValue, pattr->pValue, pattr->ulValueLen); - attr->ulValueLen = pattr->ulValueLen; - - attr++; - attr->type = CKA_EC_POINT; - pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT); - INSIST(pattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); - memmove(attr->pValue, pattr->pValue, pattr->ulValueLen); - attr->ulValueLen = pattr->ulValueLen; - - attr++; - attr->type = CKA_VALUE; - attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length); - memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length); - attr->ulValueLen = priv.elements[0].length; - - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - switch (key->key_alg) { - case DST_ALG_ED25519: - key->key_size = DNS_KEY_ED25519SIZE * 8; - break; - case DST_ALG_ED448: - key->key_size = DNS_KEY_ED448SIZE * 8; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - return (ISC_R_SUCCESS); - -err: - pkcs11eddsa_destroy(key); - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - return (ret); -} - -static isc_result_t -pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) { - CK_RV rv; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EC_EDWARDS; - CK_ATTRIBUTE searchTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - pk11_object_t *ec; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - unsigned int i; - - UNUSED(pin); - - ec = isc_mem_get(key->mctx, sizeof(*ec)); - memset(ec, 0, sizeof(*ec)); - ec->object = CK_INVALID_HANDLE; - ec->ontoken = true; - ec->reqlogon = true; - key->keydata.pkey = ec; - - ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2); - memset(ec->repr, 0, sizeof(*attr) * 2); - ec->attrcnt = 2; - attr = ec->repr; - attr[0].type = CKA_EC_PARAMS; - attr[1].type = CKA_EC_POINT; - - ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, - NULL, ec->slot); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - attr = pk11_attribute_bytype(ec, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(ec, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG)4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &hKey, (CK_ULONG)1, &cnt), - DST_R_CRYPTOFAILURE); - (void)pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) { - DST_RET(ISC_R_NOTFOUND); - } - if (cnt > 1) { - DST_RET(ISC_R_EXISTS); - } - - attr = ec->repr; - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - for (i = 0; i <= 1; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - - keyClass = CKO_PRIVATE_KEY; - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG)4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt), - DST_R_CRYPTOFAILURE); - (void)pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) { - DST_RET(ISC_R_NOTFOUND); - } - if (cnt > 1) { - DST_RET(ISC_R_EXISTS); - } - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } - - key->label = isc_mem_strdup(key->mctx, label); - switch (key->key_alg) { - case DST_ALG_ED25519: - key->key_size = DNS_KEY_ED25519SIZE * 8; - break; - case DST_ALG_ED448: - key->key_size = DNS_KEY_ED448SIZE * 8; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - return (ISC_R_SUCCESS); - -err: - pkcs11eddsa_destroy(key); - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - return (ret); -} - -static dst_func_t pkcs11eddsa_functions = { - pkcs11eddsa_createctx, - NULL, /*%< createctx2 */ - pkcs11eddsa_destroyctx, - pkcs11eddsa_adddata, - pkcs11eddsa_sign, - pkcs11eddsa_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - pkcs11eddsa_compare, - NULL, /*%< paramcompare */ - pkcs11eddsa_generate, - pkcs11eddsa_isprivate, - pkcs11eddsa_destroy, - pkcs11eddsa_todns, - pkcs11eddsa_fromdns, - pkcs11eddsa_tofile, - pkcs11eddsa_parse, - NULL, /*%< cleanup */ - pkcs11eddsa_fromlabel, - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__pkcs11eddsa_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) { - *funcp = &pkcs11eddsa_functions; - } - return (ISC_R_SUCCESS); -} diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c deleted file mode 100644 index 6e78941622..0000000000 --- a/lib/dns/pkcs11rsa_link.c +++ /dev/null @@ -1,2102 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/*! \file */ - -#include -#include - -#include -#include -#include -#include - -#include -#include - -#include - -#include "dst_internal.h" -#include "dst_parse.h" -#include "dst_pkcs11.h" - -/* - * Limit the size of public exponents. - */ -#ifndef RSA_MAX_PUBEXP_BITS -#define RSA_MAX_PUBEXP_BITS 35 -#endif /* ifndef RSA_MAX_PUBEXP_BITS */ - -#define DST_RET(a) \ - { \ - ret = a; \ - goto err; \ - } - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -static void -pkcs11rsa_destroy(dst_key_t *key); - -#ifndef PK11_RSA_PKCS_REPLACE - -static isc_result_t -pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { 0, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE keyTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_MODULUS, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - { CKA_PRIVATE_EXPONENT, NULL, 0 }, - { CKA_PRIME_1, NULL, 0 }, - { CKA_PRIME_2, NULL, 0 }, - { CKA_EXPONENT_1, NULL, 0 }, - { CKA_EXPONENT_2, NULL, 0 }, - { CKA_COEFFICIENT, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_SLOT_ID slotid; - pk11_object_t *rsa; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); - - /* - * Reject incorrect RSA key lengths. - */ - switch (dctx->key->key_alg) { - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ - if (dctx->key->key_size > 4096) { - return (ISC_R_FAILURE); - } - break; - case DST_ALG_RSASHA256: - /* From RFC 5702 */ - if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096)) - { - return (ISC_R_FAILURE); - } - break; - case DST_ALG_RSASHA512: - /* From RFC 5702 */ - if ((dctx->key->key_size < 1024) || - (dctx->key->key_size > 4096)) { - return (ISC_R_FAILURE); - } - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - rsa = key->keydata.pkey; - - pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - if (rsa->ontoken) { - slotid = rsa->slot; - } else { - slotid = pk11_get_best_token(OP_RSA); - } - ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon, - NULL, slotid); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = rsa->ontoken; - pk11_ctx->object = rsa->object; - goto token_key; - } - - for (attr = pk11_attribute_first(rsa); attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_MODULUS: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - case CKA_PUBLIC_EXPONENT: - INSIST(keyTemplate[7].type == attr->type); - keyTemplate[7].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[7].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[7].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIVATE_EXPONENT: - INSIST(keyTemplate[8].type == attr->type); - keyTemplate[8].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[8].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[8].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIME_1: - INSIST(keyTemplate[9].type == attr->type); - keyTemplate[9].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[9].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[9].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIME_2: - INSIST(keyTemplate[10].type == attr->type); - keyTemplate[10].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[10].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[10].ulValueLen = attr->ulValueLen; - break; - case CKA_EXPONENT_1: - INSIST(keyTemplate[11].type == attr->type); - keyTemplate[11].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[11].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[11].ulValueLen = attr->ulValueLen; - break; - case CKA_EXPONENT_2: - INSIST(keyTemplate[12].type == attr->type); - keyTemplate[12].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[12].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[12].ulValueLen = attr->ulValueLen; - break; - case CKA_COEFFICIENT: - INSIST(keyTemplate[13].type == attr->type); - keyTemplate[13].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[13].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[13].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = false; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, keyTemplate, (CK_ULONG)14, - &pk11_ctx->object), - ISC_R_FAILURE); - -token_key: - - switch (dctx->key->key_alg) { - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - mech.mechanism = CKM_SHA1_RSA_PKCS; - break; - case DST_ALG_RSASHA256: - mech.mechanism = CKM_SHA256_RSA_PKCS; - break; - case DST_ALG_RSASHA512: - mech.mechanism = CKM_SHA512_RSA_PKCS; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - PK11_RET(pkcs_C_SignInit, (pk11_ctx->session, &mech, pk11_ctx->object), - ISC_R_FAILURE); - - dctx->ctxdata.pk11_ctx = pk11_ctx; - - for (i = 6; i <= 13; i++) { - if (keyTemplate[i].pValue != NULL) { - { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - } - } - - return (ISC_R_SUCCESS); - -err: - if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object); - } - for (i = 6; i <= 13; i++) { - if (keyTemplate[i].pValue != NULL) { - { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - } - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_result_t -pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, - dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { 0, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE keyTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_MODULUS, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - }; - CK_ATTRIBUTE *attr; - pk11_object_t *rsa; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); - REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS); - - /* - * Reject incorrect RSA key lengths. - */ - switch (dctx->key->key_alg) { - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ - if (dctx->key->key_size > 4096) { - return (ISC_R_FAILURE); - } - break; - case DST_ALG_RSASHA256: - /* From RFC 5702 */ - if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096)) - { - return (ISC_R_FAILURE); - } - break; - case DST_ALG_RSASHA512: - /* From RFC 5702 */ - if ((dctx->key->key_size < 1024) || - (dctx->key->key_size > 4096)) { - return (ISC_R_FAILURE); - } - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - rsa = key->keydata.pkey; - - pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon, - NULL, pk11_get_best_token(OP_RSA)); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - for (attr = pk11_attribute_first(rsa); attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - { - unsigned int bits; - - switch (attr->type) { - case CKA_MODULUS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_PUBLIC_EXPONENT: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - ret = pk11_numbits(attr->pValue, attr->ulValueLen, - &bits); - if (ret != ISC_R_SUCCESS || - (bits > maxbits && maxbits != 0)) { - DST_RET(DST_R_VERIFYFAILURE); - } - break; - } - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = false; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, keyTemplate, (CK_ULONG)7, - &pk11_ctx->object), - ISC_R_FAILURE); - - switch (dctx->key->key_alg) { - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - mech.mechanism = CKM_SHA1_RSA_PKCS; - break; - case DST_ALG_RSASHA256: - mech.mechanism = CKM_SHA256_RSA_PKCS; - break; - case DST_ALG_RSASHA512: - mech.mechanism = CKM_SHA512_RSA_PKCS; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - PK11_RET(pkcs_C_VerifyInit, - (pk11_ctx->session, &mech, pk11_ctx->object), ISC_R_FAILURE); - - dctx->ctxdata.pk11_ctx = pk11_ctx; - - for (i = 5; i <= 6; i++) { - if (keyTemplate[i].pValue != NULL) { - { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - } - } - - return (ISC_R_SUCCESS); - -err: - if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object); - } - for (i = 5; i <= 6; i++) { - if (keyTemplate[i].pValue != NULL) { - { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - } - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_result_t -pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { - if (dctx->use == DO_SIGN) { - return (pkcs11rsa_createctx_sign(key, dctx)); - } else { - return (pkcs11rsa_createctx_verify(key, 0U, dctx)); - } -} - -static isc_result_t -pkcs11rsa_createctx2(dst_key_t *key, int maxbits, dst_context_t *dctx) { - if (dctx->use == DO_SIGN) { - return (pkcs11rsa_createctx_sign(key, dctx)); - } else { - return (pkcs11rsa_createctx_verify(key, (unsigned)maxbits, - dctx)); - } -} - -static void -pkcs11rsa_destroyctx(dst_context_t *dctx) { - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - - if (pk11_ctx != NULL) { - if (!pk11_ctx->ontoken && - (pk11_ctx->object != CK_INVALID_HANDLE)) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, - pk11_ctx->object); - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - } -} - -static isc_result_t -pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - if (dctx->use == DO_SIGN) { - PK11_CALL(pkcs_C_SignUpdate, - (pk11_ctx->session, (CK_BYTE_PTR)data->base, - (CK_ULONG)data->length), - ISC_R_FAILURE); - } else { - PK11_CALL(pkcs_C_VerifyUpdate, - (pk11_ctx->session, (CK_BYTE_PTR)data->base, - (CK_ULONG)data->length), - ISC_R_FAILURE); - } - return (ret); -} - -static isc_result_t -pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - CK_RV rv; - CK_ULONG siglen = 0; - isc_region_t r; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - PK11_RET(pkcs_C_SignFinal, (pk11_ctx->session, NULL, &siglen), - DST_R_SIGNFAILURE); - - isc_buffer_availableregion(sig, &r); - - if (r.length < (unsigned int)siglen) { - return (ISC_R_NOSPACE); - } - - PK11_RET(pkcs_C_SignFinal, - (pk11_ctx->session, (CK_BYTE_PTR)r.base, &siglen), - DST_R_SIGNFAILURE); - - isc_buffer_add(sig, (unsigned int)siglen); - -err: - return (ret); -} - -static isc_result_t -pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - PK11_CALL(pkcs_C_VerifyFinal, - (pk11_ctx->session, (CK_BYTE_PTR)sig->base, - (CK_ULONG)sig->length), - DST_R_VERIFYFAILURE); - return (ret); -} - -#else /* ifndef PK11_RSA_PKCS_REPLACE */ - -/* - * CKM__RSA_PKCS mechanisms are not available so fall back - * to CKM_RSA_PKCS and do the EMSA-PKCS#1-v1.5 encapsulation by hand. - */ - -CK_BYTE md5_der[] = { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10 }; -CK_BYTE sha1_der[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, - 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 }; -CK_BYTE sha256_der[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, - 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, - 0x01, 0x05, 0x00, 0x04, 0x20 }; -CK_BYTE sha512_der[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, - 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, - 0x03, 0x05, 0x00, 0x04, 0x40 }; -#define MAX_DER_SIZE 19 -#define MIN_PKCS1_PADLEN 11 - -static isc_result_t -pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { 0, NULL, 0 }; - CK_SLOT_ID slotid; - pk11_object_t *rsa = key->keydata.pkey; - pk11_context_t *pk11_ctx; - isc_result_t ret; - - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); - REQUIRE(rsa != NULL); - - /* - * Reject incorrect RSA key lengths. - */ - switch (dctx->key->key_alg) { - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ - if (dctx->key->key_size > 4096) { - return (ISC_R_FAILURE); - } - break; - case DST_ALG_RSASHA256: - /* From RFC 5702 */ - if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096)) - { - return (ISC_R_FAILURE); - } - break; - case DST_ALG_RSASHA512: - /* From RFC 5702 */ - if ((dctx->key->key_size < 1024) || - (dctx->key->key_size > 4096)) { - return (ISC_R_FAILURE); - } - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - switch (key->key_alg) { - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - mech.mechanism = CKM_SHA_1; - break; - case DST_ALG_RSASHA256: - mech.mechanism = CKM_SHA256; - break; - case DST_ALG_RSASHA512: - mech.mechanism = CKM_SHA512; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - if (rsa->ontoken) { - slotid = rsa->slot; - } else { - slotid = pk11_get_best_token(OP_RSA); - } - ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon, - NULL, slotid); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE); - dctx->ctxdata.pk11_ctx = pk11_ctx; - return (ISC_R_SUCCESS); - -err: - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static void -pkcs11rsa_destroyctx(dst_context_t *dctx) { - CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA512_DIGESTLENGTH; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - - if (pk11_ctx != NULL) { - (void)pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - } -} - -static isc_result_t -pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - PK11_CALL(pkcs_C_DigestUpdate, - (pk11_ctx->session, (CK_BYTE_PTR)data->base, - (CK_ULONG)data->length), - ISC_R_FAILURE); - - return (ret); -} - -static isc_result_t -pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - CK_RV rv; - CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE keyTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_MODULUS, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - { CKA_PRIVATE_EXPONENT, NULL, 0 }, - { CKA_PRIME_1, NULL, 0 }, - { CKA_PRIME_2, NULL, 0 }, - { CKA_EXPONENT_1, NULL, 0 }, - { CKA_EXPONENT_2, NULL, 0 }, - { CKA_COEFFICIENT, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH]; - CK_BYTE *der; - CK_ULONG derlen; - CK_ULONG hashlen; - CK_ULONG dgstlen; - CK_ULONG siglen = 0; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *rsa = key->keydata.pkey; - isc_region_t r; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); - REQUIRE(rsa != NULL); - - /* - * Reject incorrect RSA key lengths. - */ - switch (dctx->key->key_alg) { - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ - if (dctx->key->key_size > 4096) { - return (ISC_R_FAILURE); - } - break; - case DST_ALG_RSASHA256: - /* From RFC 5702 */ - if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096)) - { - return (ISC_R_FAILURE); - } - break; - case DST_ALG_RSASHA512: - /* From RFC 5702 */ - if ((dctx->key->key_size < 1024) || - (dctx->key->key_size > 4096)) { - return (ISC_R_FAILURE); - } - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - switch (key->key_alg) { - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - der = sha1_der; - derlen = sizeof(sha1_der); - hashlen = ISC_SHA1_DIGESTLENGTH; - break; - case DST_ALG_RSASHA256: - der = sha256_der; - derlen = sizeof(sha256_der); - hashlen = ISC_SHA256_DIGESTLENGTH; - break; - case DST_ALG_RSASHA512: - der = sha512_der; - derlen = sizeof(sha512_der); - hashlen = ISC_SHA512_DIGESTLENGTH; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - dgstlen = derlen + hashlen; - INSIST(dgstlen <= sizeof(digest)); - memmove(digest, der, derlen); - - PK11_RET(pkcs_C_DigestFinal, - (pk11_ctx->session, digest + derlen, &hashlen), - DST_R_SIGNFAILURE); - - isc_buffer_availableregion(sig, &r); - if (r.length < (unsigned int)dgstlen + MIN_PKCS1_PADLEN) { - return (ISC_R_NOSPACE); - } - - if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = rsa->ontoken; - pk11_ctx->object = rsa->object; - goto token_key; - } - - for (attr = pk11_attribute_first(rsa); attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_MODULUS: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - case CKA_PUBLIC_EXPONENT: - INSIST(keyTemplate[7].type == attr->type); - keyTemplate[7].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[7].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[7].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIVATE_EXPONENT: - INSIST(keyTemplate[8].type == attr->type); - keyTemplate[8].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[8].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[8].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIME_1: - INSIST(keyTemplate[9].type == attr->type); - keyTemplate[9].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[9].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[9].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIME_2: - INSIST(keyTemplate[10].type == attr->type); - keyTemplate[10].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[10].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[10].ulValueLen = attr->ulValueLen; - break; - case CKA_EXPONENT_1: - INSIST(keyTemplate[11].type == attr->type); - keyTemplate[11].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[11].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[11].ulValueLen = attr->ulValueLen; - break; - case CKA_EXPONENT_2: - INSIST(keyTemplate[12].type == attr->type); - keyTemplate[12].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[12].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[12].ulValueLen = attr->ulValueLen; - break; - case CKA_COEFFICIENT: - INSIST(keyTemplate[13].type == attr->type); - keyTemplate[13].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[13].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[13].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = false; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, keyTemplate, (CK_ULONG)14, &hKey), - ISC_R_FAILURE); - -token_key: - - PK11_RET(pkcs_C_SignInit, - (pk11_ctx->session, &mech, - pk11_ctx->ontoken ? pk11_ctx->object : hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_Sign, - (pk11_ctx->session, digest, dgstlen, NULL, &siglen), - DST_R_SIGNFAILURE); - - if (r.length < (unsigned int)siglen) { - return (ISC_R_NOSPACE); - } - - PK11_RET(pkcs_C_Sign, - (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)r.base, - &siglen), - DST_R_SIGNFAILURE); - - isc_buffer_add(sig, (unsigned int)siglen); - -err: - if (hKey != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey); - } - for (i = 6; i <= 13; i++) { - if (keyTemplate[i].pValue != NULL) { - { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - } - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - - return (ret); -} - -static isc_result_t -pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - CK_RV rv; - CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE keyTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_MODULUS, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - }; - CK_ATTRIBUTE *attr; - CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH]; - CK_BYTE *der; - CK_ULONG derlen; - CK_ULONG hashlen; - CK_ULONG dgstlen; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *rsa = key->keydata.pkey; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); - REQUIRE(rsa != NULL); - - switch (key->key_alg) { - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - der = sha1_der; - derlen = sizeof(sha1_der); - hashlen = ISC_SHA1_DIGESTLENGTH; - break; - case DST_ALG_RSASHA256: - der = sha256_der; - derlen = sizeof(sha256_der); - hashlen = ISC_SHA256_DIGESTLENGTH; - break; - case DST_ALG_RSASHA512: - der = sha512_der; - derlen = sizeof(sha512_der); - hashlen = ISC_SHA512_DIGESTLENGTH; - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - dgstlen = derlen + hashlen; - INSIST(dgstlen <= sizeof(digest)); - memmove(digest, der, derlen); - - PK11_RET(pkcs_C_DigestFinal, - (pk11_ctx->session, digest + derlen, &hashlen), - DST_R_SIGNFAILURE); - - for (attr = pk11_attribute_first(rsa); attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - { - unsigned int bits; - - switch (attr->type) { - case CKA_MODULUS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_PUBLIC_EXPONENT: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - ret = pk11_numbits(attr->pValue, attr->ulValueLen, - &bits); - if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS) - { - DST_RET(DST_R_VERIFYFAILURE); - } - break; - } - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = false; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_VerifyInit, (pk11_ctx->session, &mech, hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_Verify, - (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)sig->base, - (CK_ULONG)sig->length), - DST_R_VERIFYFAILURE); - -err: - if (hKey != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, hKey); - } - for (i = 5; i <= 6; i++) { - if (keyTemplate[i].pValue != NULL) { - { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - } - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - - return (ret); -} -#endif /* ifndef PK11_RSA_PKCS_REPLACE */ - -static bool -pkcs11rsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - pk11_object_t *rsa1, *rsa2; - CK_ATTRIBUTE *attr1, *attr2; - - rsa1 = key1->keydata.pkey; - rsa2 = key2->keydata.pkey; - - if ((rsa1 == NULL) && (rsa2 == NULL)) { - return (true); - } else if ((rsa1 == NULL) || (rsa2 == NULL)) { - return (false); - } - - attr1 = pk11_attribute_bytype(rsa1, CKA_MODULUS); - attr2 = pk11_attribute_bytype(rsa2, CKA_MODULUS); - if ((attr1 == NULL) && (attr2 == NULL)) { - return (true); - } else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - { - return (false); - } - - attr1 = pk11_attribute_bytype(rsa1, CKA_PUBLIC_EXPONENT); - attr2 = pk11_attribute_bytype(rsa2, CKA_PUBLIC_EXPONENT); - if ((attr1 == NULL) && (attr2 == NULL)) { - return (true); - } else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - { - return (false); - } - - attr1 = pk11_attribute_bytype(rsa1, CKA_PRIVATE_EXPONENT); - attr2 = pk11_attribute_bytype(rsa2, CKA_PRIVATE_EXPONENT); - if (((attr1 != NULL) || (attr2 != NULL)) && - ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen))) - { - return (false); - } - - if (!rsa1->ontoken && !rsa2->ontoken) { - return (true); - } else if (rsa1->ontoken || rsa2->ontoken || - (rsa1->object != rsa2->object)) { - return (false); - } - - return (true); -} - -static isc_result_t -pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - CK_RV rv; - CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 }; - CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; - CK_ULONG bits = 0; - CK_BYTE pubexp[5]; - CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE pubTemplate[] = { - { CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_MODULUS_BITS, &bits, (CK_ULONG)sizeof(bits) }, - { CKA_PUBLIC_EXPONENT, &pubexp, (CK_ULONG)sizeof(pubexp) } - }; - CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; - CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY; - CK_ATTRIBUTE privTemplate[] = { - { CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) }, - { CKA_EXTRACTABLE, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - }; - CK_ATTRIBUTE *attr; - pk11_object_t *rsa; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - - UNUSED(callback); - - /* - * Reject incorrect RSA key lengths. - */ - switch (key->key_alg) { - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ - if (key->key_size > 4096) { - return (ISC_R_FAILURE); - } - break; - case DST_ALG_RSASHA256: - /* From RFC 5702 */ - if ((key->key_size < 512) || (key->key_size > 4096)) { - return (ISC_R_FAILURE); - } - break; - case DST_ALG_RSASHA512: - /* From RFC 5702 */ - if ((key->key_size < 1024) || (key->key_size > 4096)) { - return (ISC_R_FAILURE); - } - break; - default: - INSIST(0); - ISC_UNREACHABLE(); - } - - pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, false, NULL, - pk11_get_best_token(OP_RSA)); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - bits = key->key_size; - if (exp == 0) { - /* RSA_F4 0x10001 */ - pubexp[0] = 1; - pubexp[1] = 0; - pubexp[2] = 1; - pubTemplate[6].ulValueLen = 3; - } else { - /* F5 0x100000001 */ - pubexp[0] = 1; - pubexp[1] = 0; - pubexp[2] = 0; - pubexp[3] = 0; - pubexp[4] = 1; - pubTemplate[6].ulValueLen = 5; - } - - PK11_RET(pkcs_C_GenerateKeyPair, - (pk11_ctx->session, &mech, pubTemplate, (CK_ULONG)7, - privTemplate, (CK_ULONG)7, &pub, &priv), - DST_R_CRYPTOFAILURE); - - rsa = isc_mem_get(key->mctx, sizeof(*rsa)); - memset(rsa, 0, sizeof(*rsa)); - key->keydata.pkey = rsa; - rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 8); - memset(rsa->repr, 0, sizeof(*attr) * 8); - rsa->attrcnt = 8; - - attr = rsa->repr; - attr[0].type = CKA_MODULUS; - attr[1].type = CKA_PUBLIC_EXPONENT; - attr[2].type = CKA_PRIVATE_EXPONENT; - attr[3].type = CKA_PRIME_1; - attr[4].type = CKA_PRIME_2; - attr[5].type = CKA_EXPONENT_1; - attr[6].type = CKA_EXPONENT_2; - attr[7].type = CKA_COEFFICIENT; - - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 2), - DST_R_CRYPTOFAILURE); - for (i = 0; i <= 1; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 2), - DST_R_CRYPTOFAILURE); - - attr += 2; - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 6), - DST_R_CRYPTOFAILURE); - for (i = 0; i <= 5; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 6), - DST_R_CRYPTOFAILURE); - - (void)pkcs_C_DestroyObject(pk11_ctx->session, priv); - (void)pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ISC_R_SUCCESS); - -err: - pkcs11rsa_destroy(key); - if (priv != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, priv); - } - if (pub != CK_INVALID_HANDLE) { - (void)pkcs_C_DestroyObject(pk11_ctx->session, pub); - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static bool -pkcs11rsa_isprivate(const dst_key_t *key) { - pk11_object_t *rsa = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (rsa == NULL) { - return (false); - } - attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT); - return (attr != NULL || rsa->ontoken); -} - -static void -pkcs11rsa_destroy(dst_key_t *key) { - pk11_object_t *rsa = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (rsa == NULL) { - return; - } - - INSIST((rsa->object == CK_INVALID_HANDLE) || rsa->ontoken); - - for (attr = pk11_attribute_first(rsa); attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_LABEL: - case CKA_ID: - case CKA_MODULUS: - case CKA_PUBLIC_EXPONENT: - case CKA_PRIVATE_EXPONENT: - case CKA_PRIME_1: - case CKA_PRIME_2: - case CKA_EXPONENT_1: - case CKA_EXPONENT_2: - case CKA_COEFFICIENT: - if (attr->pValue != NULL) { - isc_safe_memwipe(attr->pValue, - attr->ulValueLen); - isc_mem_put(key->mctx, attr->pValue, - attr->ulValueLen); - } - break; - } - if (rsa->repr != NULL) { - isc_safe_memwipe(rsa->repr, rsa->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, rsa->repr, rsa->attrcnt * sizeof(*attr)); - } - isc_safe_memwipe(rsa, sizeof(*rsa)); - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); - key->keydata.pkey = NULL; -} - -static isc_result_t -pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *rsa; - CK_ATTRIBUTE *attr; - isc_region_t r; - unsigned int e_bytes = 0, mod_bytes = 0; - CK_BYTE *exponent = NULL, *modulus = NULL; - - REQUIRE(key->keydata.pkey != NULL); - - rsa = key->keydata.pkey; - - for (attr = pk11_attribute_first(rsa); attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_PUBLIC_EXPONENT: - exponent = (CK_BYTE *)attr->pValue; - e_bytes = (unsigned int)attr->ulValueLen; - break; - case CKA_MODULUS: - modulus = (CK_BYTE *)attr->pValue; - mod_bytes = (unsigned int)attr->ulValueLen; - break; - } - REQUIRE((exponent != NULL) && (modulus != NULL)); - - isc_buffer_availableregion(data, &r); - - if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */ - if (r.length < 1) { - return (ISC_R_NOSPACE); - } - isc_buffer_putuint8(data, (uint8_t)e_bytes); - isc_region_consume(&r, 1); - } else { - if (r.length < 3) { - return (ISC_R_NOSPACE); - } - isc_buffer_putuint8(data, 0); - isc_buffer_putuint16(data, (uint16_t)e_bytes); - isc_region_consume(&r, 3); - } - - if (r.length < e_bytes + mod_bytes) { - return (ISC_R_NOSPACE); - } - - memmove(r.base, exponent, e_bytes); - isc_region_consume(&r, e_bytes); - memmove(r.base, modulus, mod_bytes); - - isc_buffer_add(data, e_bytes + mod_bytes); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *rsa; - isc_region_t r; - unsigned int e_bytes, mod_bytes; - CK_BYTE *exponent = NULL, *modulus = NULL; - CK_ATTRIBUTE *attr; - unsigned int length; - unsigned int bits; - isc_result_t ret = ISC_R_SUCCESS; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) { - return (ISC_R_SUCCESS); - } - length = r.length; - - rsa = isc_mem_get(key->mctx, sizeof(*rsa)); - - memset(rsa, 0, sizeof(*rsa)); - - e_bytes = *r.base; - isc_region_consume(&r, 1); - - if (e_bytes == 0) { - if (r.length < 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - e_bytes = (*r.base) << 8; - isc_region_consume(&r, 1); - e_bytes += *r.base; - isc_region_consume(&r, 1); - } - - if (r.length < e_bytes) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - exponent = r.base; - isc_region_consume(&r, e_bytes); - modulus = r.base; - mod_bytes = r.length; - - ret = pk11_numbits(modulus, mod_bytes, &bits); - if (ret != ISC_R_SUCCESS) { - goto err; - } - key->key_size = bits; - - isc_buffer_forward(data, length); - - rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2); - memset(rsa->repr, 0, sizeof(*attr) * 2); - rsa->attrcnt = 2; - attr = rsa->repr; - attr[0].type = CKA_MODULUS; - attr[0].pValue = isc_mem_get(key->mctx, mod_bytes); - memmove(attr[0].pValue, modulus, mod_bytes); - attr[0].ulValueLen = (CK_ULONG)mod_bytes; - attr[1].type = CKA_PUBLIC_EXPONENT; - attr[1].pValue = isc_mem_get(key->mctx, e_bytes); - memmove(attr[1].pValue, exponent, e_bytes); - attr[1].ulValueLen = (CK_ULONG)e_bytes; - - key->keydata.pkey = rsa; - - return (ISC_R_SUCCESS); -err: - isc_safe_memwipe(rsa, sizeof(*rsa)); - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); - return (ret); -} - -static isc_result_t -pkcs11rsa_tofile(const dst_key_t *key, const char *directory) { - int i; - pk11_object_t *rsa; - CK_ATTRIBUTE *attr; - CK_ATTRIBUTE *modulus = NULL, *exponent = NULL; - CK_ATTRIBUTE *d = NULL, *p = NULL, *q = NULL; - CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; - dst_private_t priv; - unsigned char *bufs[10]; - isc_result_t result; - - if (key->keydata.pkey == NULL) { - return (DST_R_NULLKEY); - } - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - rsa = key->keydata.pkey; - - for (attr = pk11_attribute_first(rsa); attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_MODULUS: - modulus = attr; - break; - case CKA_PUBLIC_EXPONENT: - exponent = attr; - break; - case CKA_PRIVATE_EXPONENT: - d = attr; - break; - case CKA_PRIME_1: - p = attr; - break; - case CKA_PRIME_2: - q = attr; - break; - case CKA_EXPONENT_1: - dmp1 = attr; - break; - case CKA_EXPONENT_2: - dmq1 = attr; - break; - case CKA_COEFFICIENT: - iqmp = attr; - break; - } - if ((modulus == NULL) || (exponent == NULL)) { - return (DST_R_NULLKEY); - } - - memset(bufs, 0, sizeof(bufs)); - - for (i = 0; i < 10; i++) { - bufs[i] = isc_mem_get(key->mctx, modulus->ulValueLen); - memset(bufs[i], 0, modulus->ulValueLen); - } - - i = 0; - - priv.elements[i].tag = TAG_RSA_MODULUS; - priv.elements[i].length = (unsigned short)modulus->ulValueLen; - memmove(bufs[i], modulus->pValue, modulus->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT; - priv.elements[i].length = (unsigned short)exponent->ulValueLen; - memmove(bufs[i], exponent->pValue, exponent->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - - if (d != NULL) { - priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT; - priv.elements[i].length = (unsigned short)d->ulValueLen; - memmove(bufs[i], d->pValue, d->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (p != NULL) { - priv.elements[i].tag = TAG_RSA_PRIME1; - priv.elements[i].length = (unsigned short)p->ulValueLen; - memmove(bufs[i], p->pValue, p->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (q != NULL) { - priv.elements[i].tag = TAG_RSA_PRIME2; - priv.elements[i].length = (unsigned short)q->ulValueLen; - memmove(bufs[i], q->pValue, q->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (dmp1 != NULL) { - priv.elements[i].tag = TAG_RSA_EXPONENT1; - priv.elements[i].length = (unsigned short)dmp1->ulValueLen; - memmove(bufs[i], dmp1->pValue, dmp1->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (dmq1 != NULL) { - priv.elements[i].tag = TAG_RSA_EXPONENT2; - priv.elements[i].length = (unsigned short)dmq1->ulValueLen; - memmove(bufs[i], dmq1->pValue, dmq1->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (iqmp != NULL) { - priv.elements[i].tag = TAG_RSA_COEFFICIENT; - priv.elements[i].length = (unsigned short)iqmp->ulValueLen; - memmove(bufs[i], iqmp->pValue, iqmp->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (key->engine != NULL) { - priv.elements[i].tag = TAG_RSA_ENGINE; - priv.elements[i].length = (unsigned short)strlen(key->engine) + - 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } - - if (key->label != NULL) { - priv.elements[i].tag = TAG_RSA_LABEL; - priv.elements[i].length = (unsigned short)strlen(key->label) + - 1; - priv.elements[i].data = (unsigned char *)key->label; - i++; - } - - priv.nelements = i; - result = dst__privstruct_writefile(key, &priv, directory); - for (i = 0; i < 10; i++) { - if (bufs[i] == NULL) { - break; - } - isc_safe_memwipe(bufs[i], modulus->ulValueLen); - isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen); - } - return (result); -} - -static isc_result_t -pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub) { - CK_RV rv; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE searchTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - CK_ATTRIBUTE *pubattr; - pk11_object_t *rsa; - pk11_object_t *pubrsa; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - unsigned int bits; - - if (label == NULL) { - return (DST_R_NOENGINE); - } - - rsa = key->keydata.pkey; - pubrsa = pub->keydata.pkey; - - rsa->object = CK_INVALID_HANDLE; - rsa->ontoken = true; - rsa->reqlogon = true; - rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2); - memset(rsa->repr, 0, sizeof(*attr) * 2); - rsa->attrcnt = 2; - attr = rsa->repr; - - attr->type = CKA_MODULUS; - pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS); - INSIST(pubattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - attr++; - - attr->type = CKA_PUBLIC_EXPONENT; - pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT); - INSIST(pubattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - - ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon, - NULL, rsa->slot); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - attr = pk11_attribute_bytype(rsa, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(rsa, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG)4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &rsa->object, (CK_ULONG)1, &cnt), - DST_R_CRYPTOFAILURE); - (void)pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) { - DST_RET(ISC_R_NOTFOUND); - } - if (cnt > 1) { - DST_RET(ISC_R_EXISTS); - } - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } - - key->label = isc_mem_strdup(key->mctx, label); - - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); - ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); - if (ret != ISC_R_SUCCESS) { - goto err; - } - key->key_size = bits; - - return (ISC_R_SUCCESS); - -err: - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - - return (ret); -} - -static isc_result_t -rsa_check(pk11_object_t *rsa, pk11_object_t *pubrsa) { - CK_ATTRIBUTE *pubattr, *privattr; - CK_BYTE *priv_exp = NULL, *priv_mod = NULL; - CK_BYTE *pub_exp = NULL, *pub_mod = NULL; - unsigned int priv_explen = 0, priv_modlen = 0; - unsigned int pub_explen = 0, pub_modlen = 0; - - REQUIRE(rsa != NULL && pubrsa != NULL); - - privattr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); - INSIST(privattr != NULL); - priv_exp = privattr->pValue; - priv_explen = privattr->ulValueLen; - - pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT); - INSIST(pubattr != NULL); - pub_exp = pubattr->pValue; - pub_explen = pubattr->ulValueLen; - - if (priv_exp != NULL) { - if (priv_explen != pub_explen) { - return (DST_R_INVALIDPRIVATEKEY); - } - if (!isc_safe_memequal(priv_exp, pub_exp, pub_explen)) { - return (DST_R_INVALIDPRIVATEKEY); - } - } else { - privattr->pValue = pub_exp; - privattr->ulValueLen = pub_explen; - pubattr->pValue = NULL; - pubattr->ulValueLen = 0; - } - - if (privattr->pValue == NULL) { - return (DST_R_INVALIDPRIVATEKEY); - } - - privattr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(privattr != NULL); - priv_mod = privattr->pValue; - priv_modlen = privattr->ulValueLen; - - pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS); - INSIST(pubattr != NULL); - pub_mod = pubattr->pValue; - pub_modlen = pubattr->ulValueLen; - - if (priv_mod != NULL) { - if (priv_modlen != pub_modlen) { - return (DST_R_INVALIDPRIVATEKEY); - } - if (!isc_safe_memequal(priv_mod, pub_mod, pub_modlen)) { - return (DST_R_INVALIDPRIVATEKEY); - } - } else { - privattr->pValue = pub_mod; - privattr->ulValueLen = pub_modlen; - pubattr->pValue = NULL; - pubattr->ulValueLen = 0; - } - - if (privattr->pValue == NULL) { - return (DST_R_INVALIDPRIVATEKEY); - } - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; - pk11_object_t *rsa; - CK_ATTRIBUTE *attr; - isc_mem_t *mctx = key->mctx; - const char *engine = NULL, *label = NULL; - unsigned int bits; - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) { - return (ret); - } - - if (key->external) { - if (priv.nelements != 0) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } - if (pub == NULL) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } - - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; - key->key_size = pub->key_size; - - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - - return (ISC_R_SUCCESS); - } - - for (i = 0; i < priv.nelements; i++) { - switch (priv.elements[i].tag) { - case TAG_RSA_ENGINE: - engine = (char *)priv.elements[i].data; - break; - case TAG_RSA_LABEL: - label = (char *)priv.elements[i].data; - break; - default: - break; - } - } - rsa = isc_mem_get(key->mctx, sizeof(*rsa)); - memset(rsa, 0, sizeof(*rsa)); - key->keydata.pkey = rsa; - - /* Is this key is stored in a HSM? See if we can fetch it. */ - if ((label != NULL) || (engine != NULL)) { - ret = pkcs11rsa_fetch(key, engine, label, pub); - if (ret != ISC_R_SUCCESS) { - goto err; - } - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ret); - } - - rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 8); - memset(rsa->repr, 0, sizeof(*attr) * 8); - rsa->attrcnt = 8; - attr = rsa->repr; - attr[0].type = CKA_MODULUS; - attr[1].type = CKA_PUBLIC_EXPONENT; - attr[2].type = CKA_PRIVATE_EXPONENT; - attr[3].type = CKA_PRIME_1; - attr[4].type = CKA_PRIME_2; - attr[5].type = CKA_EXPONENT_1; - attr[6].type = CKA_EXPONENT_2; - attr[7].type = CKA_COEFFICIENT; - - for (i = 0; i < priv.nelements; i++) { - CK_BYTE *bn; - - switch (priv.elements[i].tag) { - case TAG_RSA_ENGINE: - continue; - case TAG_RSA_LABEL: - continue; - default: - bn = isc_mem_get(key->mctx, priv.elements[i].length); - memmove(bn, priv.elements[i].data, - priv.elements[i].length); - } - - switch (priv.elements[i].tag) { - case TAG_RSA_MODULUS: - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_PUBLICEXPONENT: - attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_PRIVATEEXPONENT: - attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_PRIME1: - attr = pk11_attribute_bytype(rsa, CKA_PRIME_1); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_PRIME2: - attr = pk11_attribute_bytype(rsa, CKA_PRIME_2); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_EXPONENT1: - attr = pk11_attribute_bytype(rsa, CKA_EXPONENT_1); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_EXPONENT2: - attr = pk11_attribute_bytype(rsa, CKA_EXPONENT_2); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_COEFFICIENT: - attr = pk11_attribute_bytype(rsa, CKA_COEFFICIENT); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - } - } - - if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } - - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); - ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); - if (ret != ISC_R_SUCCESS) { - goto err; - } - key->key_size = bits; - - attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); - INSIST(attr != NULL); - - ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); - if (ret != ISC_R_SUCCESS) { - goto err; - } - if (bits > RSA_MAX_PUBEXP_BITS) { - DST_RET(ISC_R_RANGE); - } - - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - - return (ISC_R_SUCCESS); - -err: - pkcs11rsa_destroy(key); - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ret); -} - -static isc_result_t -pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) { - CK_RV rv; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE searchTemplate[] = { - { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - pk11_object_t *rsa; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - unsigned int i; - unsigned int bits; - - UNUSED(pin); - - rsa = isc_mem_get(key->mctx, sizeof(*rsa)); - memset(rsa, 0, sizeof(*rsa)); - rsa->object = CK_INVALID_HANDLE; - rsa->ontoken = true; - rsa->reqlogon = true; - key->keydata.pkey = rsa; - - rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2); - memset(rsa->repr, 0, sizeof(*attr) * 2); - rsa->attrcnt = 2; - attr = rsa->repr; - attr[0].type = CKA_MODULUS; - attr[1].type = CKA_PUBLIC_EXPONENT; - - ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon, - NULL, rsa->slot); - if (ret != ISC_R_SUCCESS) { - goto err; - } - - attr = pk11_attribute_bytype(rsa, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(rsa, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG)4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &hKey, (CK_ULONG)1, &cnt), - DST_R_CRYPTOFAILURE); - (void)pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) { - DST_RET(ISC_R_NOTFOUND); - } - if (cnt > 1) { - DST_RET(ISC_R_EXISTS); - } - - attr = rsa->repr; - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - for (i = 0; i <= 1; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - - keyClass = CKO_PRIVATE_KEY; - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG)4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &rsa->object, (CK_ULONG)1, &cnt), - DST_R_CRYPTOFAILURE); - (void)pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) { - DST_RET(ISC_R_NOTFOUND); - } - if (cnt > 1) { - DST_RET(ISC_R_EXISTS); - } - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } - - key->label = isc_mem_strdup(key->mctx, label); - - attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); - INSIST(attr != NULL); - - ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); - if (ret != ISC_R_SUCCESS) { - goto err; - } - if (bits > RSA_MAX_PUBEXP_BITS) { - DST_RET(ISC_R_RANGE); - } - - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); - ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); - if (ret != ISC_R_SUCCESS) { - goto err; - } - key->key_size = bits; - - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ISC_R_SUCCESS); - -err: - pkcs11rsa_destroy(key); - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - - return (ret); -} - -static dst_func_t pkcs11rsa_functions = { - pkcs11rsa_createctx, -#ifndef PK11_RSA_PKCS_REPLACE - pkcs11rsa_createctx2, -#else /* ifndef PK11_RSA_PKCS_REPLACE */ - NULL, /*%< createctx2 */ -#endif /* ifndef PK11_RSA_PKCS_REPLACE */ - pkcs11rsa_destroyctx, - pkcs11rsa_adddata, - pkcs11rsa_sign, - pkcs11rsa_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - pkcs11rsa_compare, - NULL, /*%< paramcompare */ - pkcs11rsa_generate, - pkcs11rsa_isprivate, - pkcs11rsa_destroy, - pkcs11rsa_todns, - pkcs11rsa_fromdns, - pkcs11rsa_tofile, - pkcs11rsa_parse, - NULL, /*%< cleanup */ - pkcs11rsa_fromlabel, - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__pkcs11rsa_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - - if (*funcp == NULL) { - *funcp = &pkcs11rsa_functions; - } - return (ISC_R_SUCCESS); -} diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c index ef046b3322..b1a62f1e5f 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c @@ -24,8 +24,6 @@ #include #include -#include - #include #include #include diff --git a/lib/dns/tests/dh_test.c b/lib/dns/tests/dh_test.c index 1f82fa5747..2adc8f4b82 100644 --- a/lib/dns/tests/dh_test.c +++ b/lib/dns/tests/dh_test.c @@ -25,8 +25,6 @@ #include #include -#include - #include #include diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c index 74b7bf5961..51aab9f999 100644 --- a/lib/dns/tests/rsa_test.c +++ b/lib/dns/tests/rsa_test.c @@ -26,8 +26,6 @@ #include #include -#include - #include "../dst_internal.h" #include "dnstest.h" diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c index f0489d4834..29ac687b5a 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c @@ -29,8 +29,6 @@ #include #include -#include - #include #include #include @@ -53,10 +51,6 @@ #define TEMP_BUFFER_SZ 8192 #define TKEY_RANDOM_AMOUNT 16 -#if USE_PKCS11 -#include -#endif /* if USE_PKCS11 */ - #define RETERR(x) \ do { \ result = (x); \ diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c index 4501801dfd..2cd18b6e30 100644 --- a/lib/dns/tsec.c +++ b/lib/dns/tsec.c @@ -12,8 +12,6 @@ #include #include -#include - #include #include #include diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 9d466c7779..772cd7028c 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -24,8 +24,6 @@ #include #include -#include - #include #include #include diff --git a/lib/isc/Makefile.am b/lib/isc/Makefile.am index b6bd2a4dfd..73a8245e34 100644 --- a/lib/isc/Makefile.am +++ b/lib/isc/Makefile.am @@ -106,22 +106,8 @@ libisc_la_HEADERS = \ include/isc/utf8.h \ include/isc/util.h -pk11dir = $(includedir)/pk11 -pk11_HEADERS = \ - include/pk11/constants.h \ - include/pk11/internal.h \ - include/pk11/pk11.h \ - include/pk11/result.h \ - include/pk11/site.h - -pkcs11dir = $(includedir)/pkcs11 -pkcs11_HEADERS = \ - include/pkcs11/pkcs11.h - libisc_la_SOURCES = \ $(libisc_la_HEADERS) \ - $(pk11_HEADERS) \ - $(pkcs11_HEADERS) \ netmgr/netmgr-int.h \ netmgr/netmgr.c \ netmgr/tcp.c \ @@ -186,9 +172,6 @@ libisc_la_SOURCES = \ openssl_shim.h \ os.c \ parseint.c \ - pk11.c \ - pk11_api.c \ - pk11_result.c \ pool.c \ portset.c \ queue.c \ diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h deleted file mode 100644 index 48e9a6f56c..0000000000 --- a/lib/isc/include/pk11/constants.h +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#pragma once - -#include - -/*! \file pk11/constants.h */ - -/*% - * Static arrays of data used for key template initialization - */ -#define PK11_ECC_PRIME256V1 \ - (uint8_t[]) { \ - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 \ - } -#define PK11_ECC_SECP384R1 \ - (uint8_t[]) { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 } -#define PK11_ECX_ED25519 \ - (uint8_t[]) { \ - 0x13, 0xc, 'e', 'd', 'w', 'a', 'r', 'd', 's', '2', '5', '5', \ - '1', '9' \ - } -#define PK11_ECX_ED448 \ - (uint8_t[]) { \ - 0x13, 0xa, 'e', 'd', 'w', 'a', 'r', 'd', 's', '4', '4', '8' \ - } diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h deleted file mode 100644 index 9c067c5610..0000000000 --- a/lib/isc/include/pk11/internal.h +++ /dev/null @@ -1,47 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#ifndef PK11_INTERNAL_H -#define PK11_INTERNAL_H 1 - -/*! \file pk11/internal.h */ - -#include - -ISC_LANG_BEGINDECLS - -const char * -pk11_get_lib_name(void); - -void * -pk11_mem_get(size_t size); - -void -pk11_mem_put(void *ptr, size_t size); - -CK_SLOT_ID -pk11_get_best_token(pk11_optype_t optype); - -isc_result_t -pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits); - -CK_ATTRIBUTE * -pk11_attribute_first(const pk11_object_t *obj); - -CK_ATTRIBUTE * -pk11_attribute_next(const pk11_object_t *obj, CK_ATTRIBUTE *attr); - -CK_ATTRIBUTE * -pk11_attribute_bytype(const pk11_object_t *obj, CK_ATTRIBUTE_TYPE type); - -ISC_LANG_ENDDECLS - -#endif /* PK11_INTERNAL_H */ diff --git a/lib/isc/include/pk11/pk11.h b/lib/isc/include/pk11/pk11.h deleted file mode 100644 index 3a2b6ac2a3..0000000000 --- a/lib/isc/include/pk11/pk11.h +++ /dev/null @@ -1,286 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#pragma once - -/*! \file pk11/pk11.h */ - -#include -#include - -#include -#include -#include -#include - -#define PK11_FATALCHECK(func, args) \ - ((void)(((rv = (func)args) == CKR_OK) || \ - ((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0))) - -#include -#include - -ISC_LANG_BEGINDECLS - -#define SES_MAGIC ISC_MAGIC('P', 'K', 'S', 'S') -#define TOK_MAGIC ISC_MAGIC('P', 'K', 'T', 'K') - -#define VALID_SES(x) ISC_MAGIC_VALID(x, SES_MAGIC) -#define VALID_TOK(x) ISC_MAGIC_VALID(x, TOK_MAGIC) - -typedef struct pk11_context pk11_context_t; - -struct pk11_object { - CK_OBJECT_HANDLE object; - CK_SLOT_ID slot; - CK_BBOOL ontoken; - CK_BBOOL reqlogon; - CK_BYTE attrcnt; - CK_ATTRIBUTE * repr; -}; - -struct pk11_context { - void * handle; - CK_SESSION_HANDLE session; - CK_BBOOL ontoken; - CK_OBJECT_HANDLE object; -}; - -typedef struct pk11_object pk11_object_t; - -typedef enum { - OP_ANY = 0, - OP_RSA = 1, - OP_DH = 3, - OP_ECDSA = 4, - OP_EDDSA = 5, - OP_MAX = 6 -} pk11_optype_t; - -/*% - * Global flag to make choose_slots() verbose - */ -extern bool pk11_verbose_init; - -/*% - * Function prototypes - */ - -void -pk11_set_lib_name(const char *lib_name); -/*%< - * Set the PKCS#11 provider (aka library) path/name. - */ - -isc_result_t -pk11_initialize(isc_mem_t *mctx, const char *engine); -/*%< - * Initialize PKCS#11 device - * - * mctx: memory context to attach to pk11_mctx. - * engine: PKCS#11 provider (aka library) path/name. - * - * returns: - * ISC_R_SUCCESS - * PK11_R_NOPROVIDER: can't load the provider - * PK11_R_INITFAILED: C_Initialize() failed - * PK11_R_NORANDOMSERVICE: can't find required random service - * PK11_R_NODIGESTSERVICE: can't find required digest service - * PK11_R_NOAESSERVICE: can't find required AES service - */ - -isc_result_t -pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, bool need_services, - bool rw, bool logon, const char *pin, CK_SLOT_ID slot); -/*%< - * Initialize PKCS#11 device and acquire a session. - * - * need_services: - * if true, this session requires full PKCS#11 API - * support including random and digest services, and - * the lack of these services will cause the session not - * to be initialized. If false, the function will return - * an error code indicating the missing service, but the - * session will be usable for other purposes. - * rw: if true, session will be read/write (useful for - * generating or destroying keys); otherwise read-only. - * login: indicates whether to log in to the device - * pin: optional PIN, overriding any PIN currently associated - * with the - * slot: device slot ID - */ - -void -pk11_return_session(pk11_context_t *ctx); -/*%< - * Release an active PKCS#11 session for reuse. - */ - -isc_result_t -pk11_finalize(void); -/*%< - * Shut down PKCS#11 device and free all sessions. - */ - -isc_result_t -pk11_parse_uri(pk11_object_t *obj, const char *label, isc_mem_t *mctx, - pk11_optype_t optype); - -ISC_NORETURN void -pk11_error_fatalcheck(const char *file, int line, const char *funcname, - CK_RV rv); - -void -pk11_dump_tokens(void); - -CK_RV -pkcs_C_Initialize(CK_VOID_PTR pReserved); - -char * -pk11_get_load_error_message(void); - -CK_RV -pkcs_C_Finalize(CK_VOID_PTR pReserved); - -CK_RV -pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, - CK_ULONG_PTR pulCount); - -CK_RV -pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo); - -CK_RV -pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, - CK_MECHANISM_INFO_PTR pInfo); - -CK_RV -pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, - CK_RV (*Notify)(CK_SESSION_HANDLE hSession, - CK_NOTIFICATION event, - CK_VOID_PTR pApplication), - CK_SESSION_HANDLE_PTR phSession); - -CK_RV -pkcs_C_CloseSession(CK_SESSION_HANDLE hSession); - -CK_RV -pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, - CK_CHAR_PTR pPin, CK_ULONG usPinLen); - -CK_RV -pkcs_C_Logout(CK_SESSION_HANDLE hSession); - -CK_RV -pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject); - -CK_RV -pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject); - -CK_RV -pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount); - -CK_RV -pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount); - -CK_RV -pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG usCount); - -CK_RV -pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, - CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount); - -CK_RV -pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession); - -CK_RV -pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey); - -CK_RV -pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, - CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, - CK_ULONG_PTR pulEncryptedDataLen); - -CK_RV -pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism); - -CK_RV -pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen); - -CK_RV -pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, - CK_ULONG_PTR pulDigestLen); - -CK_RV -pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey); - -CK_RV -pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, - CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen); - -CK_RV -pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen); - -CK_RV -pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen); - -CK_RV -pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey); - -CK_RV -pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, - CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen); - -CK_RV -pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen); - -CK_RV -pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen); - -CK_RV -pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, - CK_OBJECT_HANDLE_PTR phKey); - -CK_RV -pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pPublicKeyTemplate, - CK_ULONG usPublicKeyAttributeCount, - CK_ATTRIBUTE_PTR pPrivateKeyTemplate, - CK_ULONG usPrivateKeyAttributeCount, - CK_OBJECT_HANDLE_PTR phPrivateKey, - CK_OBJECT_HANDLE_PTR phPublicKey); - -CK_RV -pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey); - -CK_RV -pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, - CK_ULONG ulSeedLen); - -CK_RV -pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData, - CK_ULONG ulRandomLen); - -ISC_LANG_ENDDECLS diff --git a/lib/isc/include/pk11/result.h b/lib/isc/include/pk11/result.h deleted file mode 100644 index 6b16ae6d50..0000000000 --- a/lib/isc/include/pk11/result.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#ifndef PK11_RESULT_H -#define PK11_RESULT_H 1 - -/*! \file pk11/result.h */ - -#include -#include -#include - -/* - * Nothing in this file truly depends on , but the - * PK11 result codes are considered to be publicly derived from - * the ISC result codes, so including this file buys you the ISC_R_ - * namespace too. - */ -#include /* Contractual promise. */ - -#define PK11_R_INITFAILED (ISC_RESULTCLASS_PK11 + 0) -#define PK11_R_NOPROVIDER (ISC_RESULTCLASS_PK11 + 1) -#define PK11_R_NORANDOMSERVICE (ISC_RESULTCLASS_PK11 + 2) -#define PK11_R_NODIGESTSERVICE (ISC_RESULTCLASS_PK11 + 3) -#define PK11_R_NOAESSERVICE (ISC_RESULTCLASS_PK11 + 4) - -#define PK11_R_NRESULTS 5 /* Number of results */ - -ISC_LANG_BEGINDECLS - -const char *pk11_result_totext(isc_result_t); - -void -pk11_result_register(void); - -ISC_LANG_ENDDECLS - -#endif /* PK11_RESULT_H */ diff --git a/lib/isc/include/pk11/site.h b/lib/isc/include/pk11/site.h deleted file mode 100644 index 95f7e9d1a1..0000000000 --- a/lib/isc/include/pk11/site.h +++ /dev/null @@ -1,14 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#pragma once - -/*! \file pk11/site.h */ diff --git a/lib/isc/include/pkcs11/pkcs11.h b/lib/isc/include/pkcs11/pkcs11.h deleted file mode 100644 index cd565ee64f..0000000000 --- a/lib/isc/include/pkcs11/pkcs11.h +++ /dev/null @@ -1,1653 +0,0 @@ -/* pkcs11.h - * Copyright 2006, 2007 g10 Code GmbH - * Copyright 2006 Andreas Jellinghaus - * Copyright 2017 Red Hat, Inc. - * - * This file is free software; as a special exception the author gives - * unlimited permission to copy and/or distribute it, with or without - * modifications, as long as this notice is preserved. - * - * This file is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY, to the extent permitted by law; without even - * the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - * PURPOSE. */ - -/* Please submit any changes back to the p11-kit project at - * https://github.com/p11-glue/p11-kit/, so that - * they can be picked up by other projects from there as well. */ - -/* This file is a modified implementation of the PKCS #11 standard by - * OASIS group. It is mostly a drop-in replacement, with the - * following change: - * - * This header file does not require any macro definitions by the user - * (like CK_DEFINE_FUNCTION etc). In fact, it defines those macros - * for you (if useful, some are missing, let me know if you need - * more). - * - * There is an additional API available that does comply better to the - * GNU coding standard. It can be switched on by defining - * CRYPTOKI_GNU before including this header file. For this, the - * following changes are made to the specification: - * - * All structure types are changed to a "struct ck_foo" where CK_FOO - * is the type name in PKCS #11. - * - * All non-structure types are changed to ck_foo_t where CK_FOO is the - * lowercase version of the type name in PKCS #11. The basic types - * (CK_ULONG et al.) are removed without substitute. - * - * All members of structures are modified in the following way: Type - * indication prefixes are removed, and underscore characters are - * inserted before words. Then the result is lowercased. - * - * Note that function names are still in the original case, as they - * need for ABI compatibility. - * - * CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute. Use - * . - * - * If CRYPTOKI_COMPAT is defined before including this header file, - * then none of the API changes above take place, and the API is the - * one defined by the PKCS #11 standard. */ - -#ifndef PKCS11_H -#define PKCS11_H 1 - -#if defined(__cplusplus) -extern "C" { -#endif /* if defined(__cplusplus) */ - -/* The version of cryptoki we implement. The revision is changed with - * each modification of this file. */ -#define CRYPTOKI_VERSION_MAJOR 2 -#define CRYPTOKI_VERSION_MINOR 40 -#define P11_KIT_CRYPTOKI_VERSION_REVISION 0 - -/* Compatibility interface is default, unless CRYPTOKI_GNU is - * given. */ -#ifndef CRYPTOKI_GNU -#ifndef CRYPTOKI_COMPAT -#define CRYPTOKI_COMPAT 1 -#endif /* ifndef CRYPTOKI_COMPAT */ -#endif /* ifndef CRYPTOKI_GNU */ - -/* System dependencies. */ - -#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) - -/* There is a matching pop below. */ -#pragma pack(push, cryptoki, 1) - -#ifdef CRYPTOKI_EXPORTS -#define CK_SPEC __declspec(dllexport) -#else /* ifdef CRYPTOKI_EXPORTS */ -#define CK_SPEC __declspec(dllimport) -#endif /* ifdef CRYPTOKI_EXPORTS */ - -#else /* if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) */ - -#define CK_SPEC - -#endif /* if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) */ - -#ifdef CRYPTOKI_COMPAT -/* If we are in compatibility mode, switch all exposed names to the - * PKCS #11 variant. There are corresponding #undefs below. */ - -#define ck_flags_t CK_FLAGS -#define ck_version _CK_VERSION - -#define ck_info _CK_INFO -#define cryptoki_version cryptokiVersion -#define manufacturer_id manufacturerID -#define library_description libraryDescription -#define library_version libraryVersion - -#define ck_notification_t CK_NOTIFICATION -#define ck_slot_id_t CK_SLOT_ID - -#define ck_slot_info _CK_SLOT_INFO -#define slot_description slotDescription -#define hardware_version hardwareVersion -#define firmware_version firmwareVersion - -#define ck_token_info _CK_TOKEN_INFO -#define serial_number serialNumber -#define max_session_count ulMaxSessionCount -#define session_count ulSessionCount -#define max_rw_session_count ulMaxRwSessionCount -#define rw_session_count ulRwSessionCount -#define max_pin_len ulMaxPinLen -#define min_pin_len ulMinPinLen -#define total_public_memory ulTotalPublicMemory -#define free_public_memory ulFreePublicMemory -#define total_private_memory ulTotalPrivateMemory -#define free_private_memory ulFreePrivateMemory -#define utc_time utcTime - -#define ck_session_handle_t CK_SESSION_HANDLE -#define ck_user_type_t CK_USER_TYPE -#define ck_state_t CK_STATE - -#define ck_session_info _CK_SESSION_INFO -#define slot_id slotID -#define device_error ulDeviceError - -#define ck_object_handle_t CK_OBJECT_HANDLE -#define ck_object_class_t CK_OBJECT_CLASS -#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE -#define ck_key_type_t CK_KEY_TYPE -#define ck_certificate_type_t CK_CERTIFICATE_TYPE -#define ck_attribute_type_t CK_ATTRIBUTE_TYPE - -#define ck_attribute _CK_ATTRIBUTE -#define value pValue -#define value_len ulValueLen - -#define count ulCount - -#define ck_date _CK_DATE - -#define ck_mechanism_type_t CK_MECHANISM_TYPE - -#define ck_mechanism _CK_MECHANISM -#define parameter pParameter -#define parameter_len ulParameterLen - -#define params pParams - -#define ck_mechanism_info _CK_MECHANISM_INFO -#define min_key_size ulMinKeySize -#define max_key_size ulMaxKeySize - -#define ck_param_type CK_PARAM_TYPE -#define ck_otp_param CK_OTP_PARAM -#define ck_otp_params CK_OTP_PARAMS -#define ck_otp_signature_info CK_OTP_SIGNATURE_INFO - -#define ck_rv_t CK_RV -#define ck_notify_t CK_NOTIFY - -#define ck_function_list _CK_FUNCTION_LIST - -#define ck_createmutex_t CK_CREATEMUTEX -#define ck_destroymutex_t CK_DESTROYMUTEX -#define ck_lockmutex_t CK_LOCKMUTEX -#define ck_unlockmutex_t CK_UNLOCKMUTEX - -#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS -#define create_mutex CreateMutex -#define destroy_mutex DestroyMutex -#define lock_mutex LockMutex -#define unlock_mutex UnlockMutex -#define reserved pReserved - -#define ck_rsa_pkcs_mgf_type_t CK_RSA_PKCS_MGF_TYPE -#define ck_rsa_pkcs_oaep_source_type_t CK_RSA_PKCS_OAEP_SOURCE_TYPE -#define hash_alg hashAlg -#define s_len sLen -#define source_data pSourceData -#define source_data_len ulSourceDataLen - -#define counter_bits ulCounterBits -#define iv_ptr pIv -#define iv_len ulIvLen -#define iv_bits ulIvBits -#define aad_ptr pAAD -#define aad_len ulAADLen -#define tag_bits ulTagBits -#define shared_data_len ulSharedDataLen -#define shared_data pSharedData -#define public_data_len ulPublicDataLen -#define public_data pPublicData -#define string_data pData -#define string_data_len ulLen -#define data_params pData -#endif /* CRYPTOKI_COMPAT */ - -typedef unsigned long ck_flags_t; - -struct ck_version { - unsigned char major; - unsigned char minor; -}; - -struct ck_info { - struct ck_version cryptoki_version; - unsigned char manufacturer_id[32]; - ck_flags_t flags; - unsigned char library_description[32]; - struct ck_version library_version; -}; - -typedef unsigned long ck_notification_t; - -#define CKN_SURRENDER (0UL) - -typedef unsigned long ck_slot_id_t; - -struct ck_slot_info { - unsigned char slot_description[64]; - unsigned char manufacturer_id[32]; - ck_flags_t flags; - struct ck_version hardware_version; - struct ck_version firmware_version; -}; - -#define CKF_TOKEN_PRESENT (1UL << 0) -#define CKF_REMOVABLE_DEVICE (1UL << 1) -#define CKF_HW_SLOT (1UL << 2) -#define CKF_ARRAY_ATTRIBUTE (1UL << 30) - -struct ck_token_info { - unsigned char label[32]; - unsigned char manufacturer_id[32]; - unsigned char model[16]; - unsigned char serial_number[16]; - ck_flags_t flags; - unsigned long max_session_count; - unsigned long session_count; - unsigned long max_rw_session_count; - unsigned long rw_session_count; - unsigned long max_pin_len; - unsigned long min_pin_len; - unsigned long total_public_memory; - unsigned long free_public_memory; - unsigned long total_private_memory; - unsigned long free_private_memory; - struct ck_version hardware_version; - struct ck_version firmware_version; - unsigned char utc_time[16]; -}; - -#define CKF_RNG (1UL << 0) -#define CKF_WRITE_PROTECTED (1UL << 1) -#define CKF_LOGIN_REQUIRED (1UL << 2) -#define CKF_USER_PIN_INITIALIZED (1UL << 3) -#define CKF_RESTORE_KEY_NOT_NEEDED (1UL << 5) -#define CKF_CLOCK_ON_TOKEN (1UL << 6) -#define CKF_PROTECTED_AUTHENTICATION_PATH (1UL << 8) -#define CKF_DUAL_CRYPTO_OPERATIONS (1UL << 9) -#define CKF_TOKEN_INITIALIZED (1UL << 10) -#define CKF_SECONDARY_AUTHENTICATION (1UL << 11) -#define CKF_USER_PIN_COUNT_LOW (1UL << 16) -#define CKF_USER_PIN_FINAL_TRY (1UL << 17) -#define CKF_USER_PIN_LOCKED (1UL << 18) -#define CKF_USER_PIN_TO_BE_CHANGED (1UL << 19) -#define CKF_SO_PIN_COUNT_LOW (1UL << 20) -#define CKF_SO_PIN_FINAL_TRY (1UL << 21) -#define CKF_SO_PIN_LOCKED (1UL << 22) -#define CKF_SO_PIN_TO_BE_CHANGED (1UL << 23) - -#define CK_UNAVAILABLE_INFORMATION ((unsigned long)-1L) -#define CK_EFFECTIVELY_INFINITE (0UL) - -typedef unsigned long ck_session_handle_t; - -#define CK_INVALID_HANDLE (0UL) - -typedef unsigned long ck_user_type_t; - -#define CKU_SO (0UL) -#define CKU_USER (1UL) -#define CKU_CONTEXT_SPECIFIC (2UL) - -typedef unsigned long ck_state_t; - -#define CKS_RO_PUBLIC_SESSION (0UL) -#define CKS_RO_USER_FUNCTIONS (1UL) -#define CKS_RW_PUBLIC_SESSION (2UL) -#define CKS_RW_USER_FUNCTIONS (3UL) -#define CKS_RW_SO_FUNCTIONS (4UL) - -struct ck_session_info { - ck_slot_id_t slot_id; - ck_state_t state; - ck_flags_t flags; - unsigned long device_error; -}; - -#define CKF_RW_SESSION (1UL << 1) -#define CKF_SERIAL_SESSION (1UL << 2) - -typedef unsigned long ck_object_handle_t; - -typedef unsigned long ck_object_class_t; - -#define CKO_DATA (0UL) -#define CKO_CERTIFICATE (1UL) -#define CKO_PUBLIC_KEY (2UL) -#define CKO_PRIVATE_KEY (3UL) -#define CKO_SECRET_KEY (4UL) -#define CKO_HW_FEATURE (5UL) -#define CKO_DOMAIN_PARAMETERS (6UL) -#define CKO_MECHANISM (7UL) -#define CKO_OTP_KEY (8UL) -#define CKO_VENDOR_DEFINED ((unsigned long)(1UL << 31)) - -typedef unsigned long ck_hw_feature_type_t; - -#define CKH_MONOTONIC_COUNTER (1UL) -#define CKH_CLOCK (2UL) -#define CKH_USER_INTERFACE (3UL) -#define CKH_VENDOR_DEFINED ((unsigned long)(1UL << 31)) - -typedef unsigned long ck_key_type_t; - -#define CKK_RSA (0UL) -#define CKK_DSA (1UL) -#define CKK_DH (2UL) -#define CKK_ECDSA (3UL) -#define CKK_EC (3UL) -#define CKK_X9_42_DH (4UL) -#define CKK_KEA (5UL) -#define CKK_GENERIC_SECRET (0x10UL) -#define CKK_RC2 (0x11UL) -#define CKK_RC4 (0x12UL) -#define CKK_DES (0x13UL) -#define CKK_DES2 (0x14UL) -#define CKK_DES3 (0x15UL) -#define CKK_CAST (0x16UL) -#define CKK_CAST3 (0x17UL) -#define CKK_CAST128 (0x18UL) -#define CKK_RC5 (0x19UL) -#define CKK_IDEA (0x1aUL) -#define CKK_SKIPJACK (0x1bUL) -#define CKK_BATON (0x1cUL) -#define CKK_JUNIPER (0x1dUL) -#define CKK_CDMF (0x1eUL) -#define CKK_AES (0x1fUL) -#define CKK_BLOWFISH (0x20UL) -#define CKK_TWOFISH (0x21UL) -#define CKK_SECURID (0x22UL) -#define CKK_HOTP (0x23UL) -#define CKK_ACTI (0x24UL) -#define CKK_CAMELLIA (0x25UL) -#define CKK_ARIA (0x26UL) -#define CKK_MD5_HMAC (0x27UL) -#define CKK_SHA_1_HMAC (0x28UL) -#define CKK_RIPEMD128_HMAC (0x29UL) -#define CKK_RIPEMD160_HMAC (0x2aUL) -#define CKK_SHA256_HMAC (0x2bUL) -#define CKK_SHA384_HMAC (0x2cUL) -#define CKK_SHA512_HMAC (0x2dUL) -#define CKK_SHA224_HMAC (0x2eUL) -#define CKK_SEED (0x2fUL) -#define CKK_GOSTR3410 (0x30UL) -#define CKK_GOSTR3411 (0x31UL) -#define CKK_GOST28147 (0x32UL) -#define CKK_EC_EDWARDS (0x40UL) -#define CKK_VENDOR_DEFINED ((unsigned long)(1UL << 31)) - -typedef unsigned long ck_certificate_type_t; - -#define CKC_X_509 (0UL) -#define CKC_X_509_ATTR_CERT (1UL) -#define CKC_WTLS (2UL) -#define CKC_VENDOR_DEFINED ((unsigned long)(1UL << 31)) - -#define CKC_OPENPGP (CKC_VENDOR_DEFINED | 0x504750UL) - -typedef unsigned long ck_attribute_type_t; - -#define CKA_CLASS (0UL) -#define CKA_TOKEN (1UL) -#define CKA_PRIVATE (2UL) -#define CKA_LABEL (3UL) -#define CKA_APPLICATION (0x10UL) -#define CKA_VALUE (0x11UL) -#define CKA_OBJECT_ID (0x12UL) -#define CKA_CERTIFICATE_TYPE (0x80UL) -#define CKA_ISSUER (0x81UL) -#define CKA_SERIAL_NUMBER (0x82UL) -#define CKA_AC_ISSUER (0x83UL) -#define CKA_OWNER (0x84UL) -#define CKA_ATTR_TYPES (0x85UL) -#define CKA_TRUSTED (0x86UL) -#define CKA_CERTIFICATE_CATEGORY (0x87UL) -#define CKA_JAVA_MIDP_SECURITY_DOMAIN (0x88UL) -#define CKA_URL (0x89UL) -#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8aUL) -#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8bUL) -#define CKA_NAME_HASH_ALGORITHM (0x8cUL) -#define CKA_CHECK_VALUE (0x90UL) -#define CKA_KEY_TYPE (0x100UL) -#define CKA_SUBJECT (0x101UL) -#define CKA_ID (0x102UL) -#define CKA_SENSITIVE (0x103UL) -#define CKA_ENCRYPT (0x104UL) -#define CKA_DECRYPT (0x105UL) -#define CKA_WRAP (0x106UL) -#define CKA_UNWRAP (0x107UL) -#define CKA_SIGN (0x108UL) -#define CKA_SIGN_RECOVER (0x109UL) -#define CKA_VERIFY (0x10aUL) -#define CKA_VERIFY_RECOVER (0x10bUL) -#define CKA_DERIVE (0x10cUL) -#define CKA_START_DATE (0x110UL) -#define CKA_END_DATE (0x111UL) -#define CKA_MODULUS (0x120UL) -#define CKA_MODULUS_BITS (0x121UL) -#define CKA_PUBLIC_EXPONENT (0x122UL) -#define CKA_PRIVATE_EXPONENT (0x123UL) -#define CKA_PRIME_1 (0x124UL) -#define CKA_PRIME_2 (0x125UL) -#define CKA_EXPONENT_1 (0x126UL) -#define CKA_EXPONENT_2 (0x127UL) -#define CKA_COEFFICIENT (0x128UL) -#define CKA_PUBLIC_KEY_INFO (0x129UL) -#define CKA_PRIME (0x130UL) -#define CKA_SUBPRIME (0x131UL) -#define CKA_BASE (0x132UL) -#define CKA_PRIME_BITS (0x133UL) -#define CKA_SUB_PRIME_BITS (0x134UL) -#define CKA_VALUE_BITS (0x160UL) -#define CKA_VALUE_LEN (0x161UL) -#define CKA_EXTRACTABLE (0x162UL) -#define CKA_LOCAL (0x163UL) -#define CKA_NEVER_EXTRACTABLE (0x164UL) -#define CKA_ALWAYS_SENSITIVE (0x165UL) -#define CKA_KEY_GEN_MECHANISM (0x166UL) -#define CKA_MODIFIABLE (0x170UL) -#define CKA_COPYABLE (0x171UL) -#define CKA_DESTROYABLE (0x172UL) -#define CKA_ECDSA_PARAMS (0x180UL) -#define CKA_EC_PARAMS (0x180UL) -#define CKA_EC_POINT (0x181UL) -#define CKA_SECONDARY_AUTH (0x200UL) -#define CKA_AUTH_PIN_FLAGS (0x201UL) -#define CKA_ALWAYS_AUTHENTICATE (0x202UL) -#define CKA_WRAP_WITH_TRUSTED (0x210UL) -#define CKA_OTP_FORMAT (0x220UL) -#define CKA_OTP_LENGTH (0x221UL) -#define CKA_OTP_TIME_INTERVAL (0x222UL) -#define CKA_OTP_USER_FRIENDLY_MODE (0x223UL) -#define CKA_OTP_CHALLENGE_REQUIREMENT (0x224UL) -#define CKA_OTP_TIME_REQUIREMENT (0x225UL) -#define CKA_OTP_COUNTER_REQUIREMENT (0x226UL) -#define CKA_OTP_PIN_REQUIREMENT (0x227UL) -#define CKA_OTP_USER_IDENTIFIER (0x22AUL) -#define CKA_OTP_SERVICE_IDENTIFIER (0x22BUL) -#define CKA_OTP_SERVICE_LOGO (0x22CUL) -#define CKA_OTP_SERVICE_LOGO_TYPE (0x22DUL) -#define CKA_OTP_COUNTER (0x22EUL) -#define CKA_OTP_TIME (0x22FUL) -#define CKA_GOSTR3410_PARAMS (0x250UL) -#define CKA_GOSTR3411_PARAMS (0x251UL) -#define CKA_GOST28147_PARAMS (0x252UL) -#define CKA_HW_FEATURE_TYPE (0x300UL) -#define CKA_RESET_ON_INIT (0x301UL) -#define CKA_HAS_RESET (0x302UL) -#define CKA_PIXEL_X (0x400UL) -#define CKA_PIXEL_Y (0x401UL) -#define CKA_RESOLUTION (0x402UL) -#define CKA_CHAR_ROWS (0x403UL) -#define CKA_CHAR_COLUMNS (0x404UL) -#define CKA_COLOR (0x405UL) -#define CKA_BITS_PER_PIXEL (0x406UL) -#define CKA_CHAR_SETS (0x480UL) -#define CKA_ENCODING_METHODS (0x481UL) -#define CKA_MIME_TYPES (0x482UL) -#define CKA_MECHANISM_TYPE (0x500UL) -#define CKA_REQUIRED_CMS_ATTRIBUTES (0x501UL) -#define CKA_DEFAULT_CMS_ATTRIBUTES (0x502UL) -#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503UL) -#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211UL) -#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212UL) -#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x213UL) -#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600UL) -#define CKA_VENDOR_DEFINED ((unsigned long)(1UL << 31)) - -struct ck_attribute { - ck_attribute_type_t type; - void * value; - unsigned long value_len; -}; - -struct ck_date { - unsigned char year[4]; - unsigned char month[2]; - unsigned char day[2]; -}; - -typedef unsigned long ck_mechanism_type_t; - -#define CKM_RSA_PKCS_KEY_PAIR_GEN (0UL) -#define CKM_RSA_PKCS (1UL) -#define CKM_RSA_9796 (2UL) -#define CKM_RSA_X_509 (3UL) -#define CKM_MD2_RSA_PKCS (4UL) -#define CKM_MD5_RSA_PKCS (5UL) -#define CKM_SHA1_RSA_PKCS (6UL) -#define CKM_RIPEMD128_RSA_PKCS (7UL) -#define CKM_RIPEMD160_RSA_PKCS (8UL) -#define CKM_RSA_PKCS_OAEP (9UL) -#define CKM_RSA_X9_31_KEY_PAIR_GEN (0xaUL) -#define CKM_RSA_X9_31 (0xbUL) -#define CKM_SHA1_RSA_X9_31 (0xcUL) -#define CKM_RSA_PKCS_PSS (0xdUL) -#define CKM_SHA1_RSA_PKCS_PSS (0xeUL) -#define CKM_DSA_KEY_PAIR_GEN (0x10UL) -#define CKM_DSA (0x11UL) -#define CKM_DSA_SHA1 (0x12UL) -#define CKM_DSA_SHA224 (0x13UL) -#define CKM_DSA_SHA256 (0x14UL) -#define CKM_DSA_SHA384 (0x15UL) -#define CKM_DSA_SHA512 (0x16UL) -#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20UL) -#define CKM_DH_PKCS_DERIVE (0x21UL) -#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30UL) -#define CKM_X9_42_DH_DERIVE (0x31UL) -#define CKM_X9_42_DH_HYBRID_DERIVE (0x32UL) -#define CKM_X9_42_MQV_DERIVE (0x33UL) -#define CKM_SHA256_RSA_PKCS (0x40UL) -#define CKM_SHA384_RSA_PKCS (0x41UL) -#define CKM_SHA512_RSA_PKCS (0x42UL) -#define CKM_SHA256_RSA_PKCS_PSS (0x43UL) -#define CKM_SHA384_RSA_PKCS_PSS (0x44UL) -#define CKM_SHA512_RSA_PKCS_PSS (0x45UL) -#define CKM_SHA512_224 (0x48UL) -#define CKM_SHA512_224_HMAC (0x49UL) -#define CKM_SHA512_224_HMAC_GENERAL (0x4aUL) -#define CKM_SHA512_224_KEY_DERIVATION (0x4bUL) -#define CKM_SHA512_256 (0x4cUL) -#define CKM_SHA512_256_HMAC (0x4dUL) -#define CKM_SHA512_256_HMAC_GENERAL (0x4eUL) -#define CKM_SHA512_256_KEY_DERIVATION (0x4fUL) -#define CKM_SHA512_T (0x50UL) -#define CKM_SHA512_T_HMAC (0x51UL) -#define CKM_SHA512_T_HMAC_GENERAL (0x52UL) -#define CKM_SHA512_T_KEY_DERIVATION (0x53UL) -#define CKM_RC2_KEY_GEN (0x100UL) -#define CKM_RC2_ECB (0x101UL) -#define CKM_RC2_CBC (0x102UL) -#define CKM_RC2_MAC (0x103UL) -#define CKM_RC2_MAC_GENERAL (0x104UL) -#define CKM_RC2_CBC_PAD (0x105UL) -#define CKM_RC4_KEY_GEN (0x110UL) -#define CKM_RC4 (0x111UL) -#define CKM_DES_KEY_GEN (0x120UL) -#define CKM_DES_ECB (0x121UL) -#define CKM_DES_CBC (0x122UL) -#define CKM_DES_MAC (0x123UL) -#define CKM_DES_MAC_GENERAL (0x124UL) -#define CKM_DES_CBC_PAD (0x125UL) -#define CKM_DES2_KEY_GEN (0x130UL) -#define CKM_DES3_KEY_GEN (0x131UL) -#define CKM_DES3_ECB (0x132UL) -#define CKM_DES3_CBC (0x133UL) -#define CKM_DES3_MAC (0x134UL) -#define CKM_DES3_MAC_GENERAL (0x135UL) -#define CKM_DES3_CBC_PAD (0x136UL) -#define CKM_DES3_CMAC_GENERAL (0x137UL) -#define CKM_DES3_CMAC (0x138UL) -#define CKM_CDMF_KEY_GEN (0x140UL) -#define CKM_CDMF_ECB (0x141UL) -#define CKM_CDMF_CBC (0x142UL) -#define CKM_CDMF_MAC (0x143UL) -#define CKM_CDMF_MAC_GENERAL (0x144UL) -#define CKM_CDMF_CBC_PAD (0x145UL) -#define CKM_DES_OFB64 (0x150UL) -#define CKM_DES_OFB8 (0x151UL) -#define CKM_DES_CFB64 (0x152UL) -#define CKM_DES_CFB8 (0x153UL) -#define CKM_MD2 (0x200UL) -#define CKM_MD2_HMAC (0x201UL) -#define CKM_MD2_HMAC_GENERAL (0x202UL) -#define CKM_MD5 (0x210UL) -#define CKM_MD5_HMAC (0x211UL) -#define CKM_MD5_HMAC_GENERAL (0x212UL) -#define CKM_SHA_1 (0x220UL) -#define CKM_SHA_1_HMAC (0x221UL) -#define CKM_SHA_1_HMAC_GENERAL (0x222UL) -#define CKM_RIPEMD128 (0x230UL) -#define CKM_RIPEMD128_HMAC (0x231UL) -#define CKM_RIPEMD128_HMAC_GENERAL (0x232UL) -#define CKM_RIPEMD160 (0x240UL) -#define CKM_RIPEMD160_HMAC (0x241UL) -#define CKM_RIPEMD160_HMAC_GENERAL (0x242UL) -#define CKM_SHA256 (0x250UL) -#define CKM_SHA256_HMAC (0x251UL) -#define CKM_SHA256_HMAC_GENERAL (0x252UL) -#define CKM_SHA384 (0x260UL) -#define CKM_SHA384_HMAC (0x261UL) -#define CKM_SHA384_HMAC_GENERAL (0x262UL) -#define CKM_SHA512 (0x270UL) -#define CKM_SHA512_HMAC (0x271UL) -#define CKM_SHA512_HMAC_GENERAL (0x272UL) -#define CKM_SECURID_KEY_GEN (0x280UL) -#define CKM_SECURID (0x282UL) -#define CKM_HOTP_KEY_GEN (0x290UL) -#define CKM_HOTP (0x291UL) -#define CKM_ACTI (0x2a0UL) -#define CKM_ACTI_KEY_GEN (0x2a1UL) -#define CKM_CAST_KEY_GEN (0x300UL) -#define CKM_CAST_ECB (0x301UL) -#define CKM_CAST_CBC (0x302UL) -#define CKM_CAST_MAC (0x303UL) -#define CKM_CAST_MAC_GENERAL (0x304UL) -#define CKM_CAST_CBC_PAD (0x305UL) -#define CKM_CAST3_KEY_GEN (0x310UL) -#define CKM_CAST3_ECB (0x311UL) -#define CKM_CAST3_CBC (0x312UL) -#define CKM_CAST3_MAC (0x313UL) -#define CKM_CAST3_MAC_GENERAL (0x314UL) -#define CKM_CAST3_CBC_PAD (0x315UL) -#define CKM_CAST5_KEY_GEN (0x320UL) -#define CKM_CAST128_KEY_GEN (0x320UL) -#define CKM_CAST5_ECB (0x321UL) -#define CKM_CAST128_ECB (0x321UL) -#define CKM_CAST5_CBC (0x322UL) -#define CKM_CAST128_CBC (0x322UL) -#define CKM_CAST5_MAC (0x323UL) -#define CKM_CAST128_MAC (0x323UL) -#define CKM_CAST5_MAC_GENERAL (0x324UL) -#define CKM_CAST128_MAC_GENERAL (0x324UL) -#define CKM_CAST5_CBC_PAD (0x325UL) -#define CKM_CAST128_CBC_PAD (0x325UL) -#define CKM_RC5_KEY_GEN (0x330UL) -#define CKM_RC5_ECB (0x331UL) -#define CKM_RC5_CBC (0x332UL) -#define CKM_RC5_MAC (0x333UL) -#define CKM_RC5_MAC_GENERAL (0x334UL) -#define CKM_RC5_CBC_PAD (0x335UL) -#define CKM_IDEA_KEY_GEN (0x340UL) -#define CKM_IDEA_ECB (0x341UL) -#define CKM_IDEA_CBC (0x342UL) -#define CKM_IDEA_MAC (0x343UL) -#define CKM_IDEA_MAC_GENERAL (0x344UL) -#define CKM_IDEA_CBC_PAD (0x345UL) -#define CKM_GENERIC_SECRET_KEY_GEN (0x350UL) -#define CKM_CONCATENATE_BASE_AND_KEY (0x360UL) -#define CKM_CONCATENATE_BASE_AND_DATA (0x362UL) -#define CKM_CONCATENATE_DATA_AND_BASE (0x363UL) -#define CKM_XOR_BASE_AND_DATA (0x364UL) -#define CKM_EXTRACT_KEY_FROM_KEY (0x365UL) -#define CKM_SSL3_PRE_MASTER_KEY_GEN (0x370UL) -#define CKM_SSL3_MASTER_KEY_DERIVE (0x371UL) -#define CKM_SSL3_KEY_AND_MAC_DERIVE (0x372UL) -#define CKM_SSL3_MASTER_KEY_DERIVE_DH (0x373UL) -#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374UL) -#define CKM_TLS_MASTER_KEY_DERIVE (0x375UL) -#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376UL) -#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377UL) -#define CKM_TLS_PRF (0x378UL) -#define CKM_SSL3_MD5_MAC (0x380UL) -#define CKM_SSL3_SHA1_MAC (0x381UL) -#define CKM_MD5_KEY_DERIVATION (0x390UL) -#define CKM_MD2_KEY_DERIVATION (0x391UL) -#define CKM_SHA1_KEY_DERIVATION (0x392UL) -#define CKM_SHA256_KEY_DERIVATION (0x393UL) -#define CKM_SHA384_KEY_DERIVATION (0x394UL) -#define CKM_SHA512_KEY_DERIVATION (0x395UL) -#define CKM_PBE_MD2_DES_CBC (0x3a0UL) -#define CKM_PBE_MD5_DES_CBC (0x3a1UL) -#define CKM_PBE_MD5_CAST_CBC (0x3a2UL) -#define CKM_PBE_MD5_CAST3_CBC (0x3a3UL) -#define CKM_PBE_MD5_CAST5_CBC (0x3a4UL) -#define CKM_PBE_MD5_CAST128_CBC (0x3a4UL) -#define CKM_PBE_SHA1_CAST5_CBC (0x3a5UL) -#define CKM_PBE_SHA1_CAST128_CBC (0x3a5UL) -#define CKM_PBE_SHA1_RC4_128 (0x3a6UL) -#define CKM_PBE_SHA1_RC4_40 (0x3a7UL) -#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8UL) -#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9UL) -#define CKM_PBE_SHA1_RC2_128_CBC (0x3aaUL) -#define CKM_PBE_SHA1_RC2_40_CBC (0x3abUL) -#define CKM_PKCS5_PBKD2 (0x3b0UL) -#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0UL) -#define CKM_WTLS_PRE_MASTER_KEY_GEN (0x3d0UL) -#define CKM_WTLS_MASTER_KEY_DERIVE (0x3d1UL) -#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC (0x3d2UL) -#define CKM_WTLS_PRF (0x3d3UL) -#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE (0x3d4UL) -#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE (0x3d5UL) -#define CKM_TLS10_MAC_SERVER (0x3d6UL) -#define CKM_TLS10_MAC_CLIENT (0x3d7UL) -#define CKM_TLS12_MAC (0x3d8UL) -#define CKM_TLS12_KDF (0x3d9UL) -#define CKM_TLS12_MASTER_KEY_DERIVE (0x3e0UL) -#define CKM_TLS12_KEY_AND_MAC_DERIVE (0x3e1UL) -#define CKM_TLS12_MASTER_KEY_DERIVE_DH (0x3e2UL) -#define CKM_TLS12_KEY_SAFE_DERIVE (0x3e3UL) -#define CKM_TLS_MAC (0x3e4UL) -#define CKM_TLS_KDF (0x3e5UL) -#define CKM_KEY_WRAP_LYNKS (0x400UL) -#define CKM_KEY_WRAP_SET_OAEP (0x401UL) -#define CKM_CMS_SIG (0x500UL) -#define CKM_KIP_DERIVE (0x510UL) -#define CKM_KIP_WRAP (0x511UL) -#define CKM_KIP_MAC (0x512UL) -#define CKM_ARIA_KEY_GEN (0x560UL) -#define CKM_ARIA_ECB (0x561UL) -#define CKM_ARIA_CBC (0x562UL) -#define CKM_ARIA_MAC (0x563UL) -#define CKM_ARIA_MAC_GENERAL (0x564UL) -#define CKM_ARIA_CBC_PAD (0x565UL) -#define CKM_ARIA_ECB_ENCRYPT_DATA (0x566UL) -#define CKM_ARIA_CBC_ENCRYPT_DATA (0x567UL) -#define CKM_SEED_KEY_GEN (0x650UL) -#define CKM_SEED_ECB (0x651UL) -#define CKM_SEED_CBC (0x652UL) -#define CKM_SEED_MAC (0x653UL) -#define CKM_SEED_MAC_GENERAL (0x654UL) -#define CKM_SEED_CBC_PAD (0x655UL) -#define CKM_SEED_ECB_ENCRYPT_DATA (0x656UL) -#define CKM_SEED_CBC_ENCRYPT_DATA (0x657UL) -#define CKM_SKIPJACK_KEY_GEN (0x1000UL) -#define CKM_SKIPJACK_ECB64 (0x1001UL) -#define CKM_SKIPJACK_CBC64 (0x1002UL) -#define CKM_SKIPJACK_OFB64 (0x1003UL) -#define CKM_SKIPJACK_CFB64 (0x1004UL) -#define CKM_SKIPJACK_CFB32 (0x1005UL) -#define CKM_SKIPJACK_CFB16 (0x1006UL) -#define CKM_SKIPJACK_CFB8 (0x1007UL) -#define CKM_SKIPJACK_WRAP (0x1008UL) -#define CKM_SKIPJACK_PRIVATE_WRAP (0x1009UL) -#define CKM_SKIPJACK_RELAYX (0x100aUL) -#define CKM_KEA_KEY_PAIR_GEN (0x1010UL) -#define CKM_KEA_KEY_DERIVE (0x1011UL) -#define CKM_FORTEZZA_TIMESTAMP (0x1020UL) -#define CKM_BATON_KEY_GEN (0x1030UL) -#define CKM_BATON_ECB128 (0x1031UL) -#define CKM_BATON_ECB96 (0x1032UL) -#define CKM_BATON_CBC128 (0x1033UL) -#define CKM_BATON_COUNTER (0x1034UL) -#define CKM_BATON_SHUFFLE (0x1035UL) -#define CKM_BATON_WRAP (0x1036UL) -#define CKM_ECDSA_KEY_PAIR_GEN (0x1040UL) -#define CKM_EC_KEY_PAIR_GEN (0x1040UL) -#define CKM_ECDSA (0x1041UL) -#define CKM_ECDSA_SHA1 (0x1042UL) -#define CKM_ECDSA_SHA224 (0x1043UL) -#define CKM_ECDSA_SHA256 (0x1044UL) -#define CKM_ECDSA_SHA384 (0x1045UL) -#define CKM_ECDSA_SHA512 (0x1046UL) -#define CKM_ECDH1_DERIVE (0x1050UL) -#define CKM_ECDH1_COFACTOR_DERIVE (0x1051UL) -#define CKM_ECMQV_DERIVE (0x1052UL) -#define CKM_ECDH_AES_KEY_WRAP (0x1053UL) -#define CKM_RSA_AES_KEY_WRAP (0x1054UL) -#define CKM_JUNIPER_KEY_GEN (0x1060UL) -#define CKM_JUNIPER_ECB128 (0x1061UL) -#define CKM_JUNIPER_CBC128 (0x1062UL) -#define CKM_JUNIPER_COUNTER (0x1063UL) -#define CKM_JUNIPER_SHUFFLE (0x1064UL) -#define CKM_JUNIPER_WRAP (0x1065UL) -#define CKM_FASTHASH (0x1070UL) -#define CKM_AES_KEY_GEN (0x1080UL) -#define CKM_AES_ECB (0x1081UL) -#define CKM_AES_CBC (0x1082UL) -#define CKM_AES_MAC (0x1083UL) -#define CKM_AES_MAC_GENERAL (0x1084UL) -#define CKM_AES_CBC_PAD (0x1085UL) -#define CKM_AES_CTR (0x1086UL) -#define CKM_AES_GCM (0x1087UL) -#define CKM_AES_CCM (0x1088UL) -#define CKM_AES_CTS (0x1089UL) -#define CKM_AES_CMAC (0x108aUL) -#define CKM_AES_CMAC_GENERAL (0x108bUL) -#define CKM_AES_XCBC_MAC (0x108cUL) -#define CKM_AES_XCBC_MAC_96 (0x108dUL) -#define CKM_AES_GMAC (0x108eUL) -#define CKM_BLOWFISH_KEY_GEN (0x1090UL) -#define CKM_BLOWFISH_CBC (0x1091UL) -#define CKM_TWOFISH_KEY_GEN (0x1092UL) -#define CKM_TWOFISH_CBC (0x1093UL) -#define CKM_BLOWFISH_CBC_PAD (0x1094UL) -#define CKM_TWOFISH_CBC_PAD (0x1095UL) -#define CKM_DES_ECB_ENCRYPT_DATA (0x1100UL) -#define CKM_DES_CBC_ENCRYPT_DATA (0x1101UL) -#define CKM_DES3_ECB_ENCRYPT_DATA (0x1102UL) -#define CKM_DES3_CBC_ENCRYPT_DATA (0x1103UL) -#define CKM_AES_ECB_ENCRYPT_DATA (0x1104UL) -#define CKM_AES_CBC_ENCRYPT_DATA (0x1105UL) -#define CKM_GOSTR3410_KEY_PAIR_GEN (0x1200UL) -#define CKM_GOSTR3410 (0x1201UL) -#define CKM_GOSTR3410_WITH_GOSTR3411 (0x1202UL) -#define CKM_GOSTR3410_KEY_WRAP (0x1203UL) -#define CKM_GOSTR3410_DERIVE (0x1204UL) -#define CKM_GOSTR3411 (0x1210UL) -#define CKM_GOSTR3411_HMAC (0x1211UL) -#define CKM_GOST28147_KEY_GEN (0x1220UL) -#define CKM_GOST28147_ECB (0x1221UL) -#define CKM_GOST28147 (0x1222UL) -#define CKM_GOST28147_MAC (0x1223UL) -#define CKM_GOST28147_KEY_WRAP (0x1224UL) -#define CKM_DSA_PARAMETER_GEN (0x2000UL) -#define CKM_DH_PKCS_PARAMETER_GEN (0x2001UL) -#define CKM_X9_42_DH_PARAMETER_GEN (0x2002UL) -#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN (0x2003UL) -#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN (0x2004UL) -#define CKM_AES_OFB (0x2104UL) -#define CKM_AES_CFB64 (0x2105UL) -#define CKM_AES_CFB8 (0x2106UL) -#define CKM_AES_CFB128 (0x2107UL) -#define CKM_AES_CFB1 (0x2108UL) - -#define CKM_VENDOR_DEFINED ((unsigned long)(1UL << 31)) - -/* Amendments */ -#define CKM_SHA224 (0x255UL) -#define CKM_SHA224_HMAC (0x256UL) -#define CKM_SHA224_HMAC_GENERAL (0x257UL) -#define CKM_SHA224_RSA_PKCS (0x46UL) -#define CKM_SHA224_RSA_PKCS_PSS (0x47UL) -#define CKM_SHA224_KEY_DERIVATION (0x396UL) - -#define CKM_CAMELLIA_KEY_GEN (0x550UL) -#define CKM_CAMELLIA_ECB (0x551UL) -#define CKM_CAMELLIA_CBC (0x552UL) -#define CKM_CAMELLIA_MAC (0x553UL) -#define CKM_CAMELLIA_MAC_GENERAL (0x554UL) -#define CKM_CAMELLIA_CBC_PAD (0x555UL) -#define CKM_CAMELLIA_ECB_ENCRYPT_DATA (0x556UL) -#define CKM_CAMELLIA_CBC_ENCRYPT_DATA (0x557UL) -#define CKM_CAMELLIA_CTR (0x558UL) - -#define CKM_AES_KEY_WRAP (0x2109UL) -#define CKM_AES_KEY_WRAP_PAD (0x210aUL) - -#define CKM_RSA_PKCS_TPM_1_1 (0x4001UL) -#define CKM_RSA_PKCS_OAEP_TPM_1_1 (0x4002UL) - -/* From version 3.0 */ -#define CKM_EC_EDWARDS_KEY_PAIR_GEN (0x1055UL) -#define CKM_EDDSA (0x1057UL) - -/* Attribute and other constants related to OTP */ -#define CK_OTP_FORMAT_DECIMAL (0UL) -#define CK_OTP_FORMAT_HEXADECIMAL (1UL) -#define CK_OTP_FORMAT_ALPHANUMERIC (2UL) -#define CK_OTP_FORMAT_BINARY (3UL) -#define CK_OTP_PARAM_IGNORED (0UL) -#define CK_OTP_PARAM_OPTIONAL (1UL) -#define CK_OTP_PARAM_MANDATORY (2UL) - -#define CK_OTP_VALUE (0UL) -#define CK_OTP_PIN (1UL) -#define CK_OTP_CHALLENGE (2UL) -#define CK_OTP_TIME (3UL) -#define CK_OTP_COUNTER (4UL) -#define CK_OTP_FLAGS (5UL) -#define CK_OTP_OUTPUT_LENGTH (6UL) -#define CK_OTP_FORMAT (7UL) - -/* OTP mechanism flags */ -#define CKF_NEXT_OTP (0x01UL) -#define CKF_EXCLUDE_TIME (0x02UL) -#define CKF_EXCLUDE_COUNTER (0x04UL) -#define CKF_EXCLUDE_CHALLENGE (0x08UL) -#define CKF_EXCLUDE_PIN (0x10UL) -#define CKF_USER_FRIENDLY_OTP (0x20UL) - -#define CKN_OTP_CHANGED (0x01UL) - -struct ck_mechanism { - ck_mechanism_type_t mechanism; - void * parameter; - unsigned long parameter_len; -}; - -struct ck_mechanism_info { - unsigned long min_key_size; - unsigned long max_key_size; - ck_flags_t flags; -}; - -typedef unsigned long ck_param_type; - -typedef struct ck_otp_param { - ck_param_type type; - void * value; - unsigned long value_len; -} ck_otp_param; - -typedef struct ck_otp_params { - struct ck_otp_param *params; - unsigned long count; -} ck_otp_params; - -typedef struct ck_otp_signature_info { - struct ck_otp_param *params; - unsigned long count; -} ck_otp_signature_info; - -#define CKG_MGF1_SHA1 0x00000001UL -#define CKG_MGF1_SHA224 0x00000005UL -#define CKG_MGF1_SHA256 0x00000002UL -#define CKG_MGF1_SHA384 0x00000003UL -#define CKG_MGF1_SHA512 0x00000004UL - -typedef unsigned long ck_rsa_pkcs_mgf_type_t; - -struct ck_rsa_pkcs_pss_params { - ck_mechanism_type_t hash_alg; - ck_rsa_pkcs_mgf_type_t mgf; - unsigned long s_len; -}; - -typedef unsigned long ck_rsa_pkcs_oaep_source_type_t; - -struct ck_rsa_pkcs_oaep_params { - ck_mechanism_type_t hash_alg; - ck_rsa_pkcs_mgf_type_t mgf; - ck_rsa_pkcs_oaep_source_type_t source; - void * source_data; - unsigned long source_data_len; -}; - -struct ck_aes_ctr_params { - unsigned long counter_bits; - unsigned char cb[16]; -}; - -struct ck_gcm_params { - unsigned char *iv_ptr; - unsigned long iv_len; - unsigned long iv_bits; - unsigned char *aad_ptr; - unsigned long aad_len; - unsigned long tag_bits; -}; - -/* The following EC Key Derivation Functions are defined */ -#define CKD_NULL (0x01UL) -#define CKD_SHA1_KDF (0x02UL) - -/* The following X9.42 DH key derivation functions are defined */ -#define CKD_SHA1_KDF_ASN1 (0x03UL) -#define CKD_SHA1_KDF_CONCATENATE (0x04UL) -#define CKD_SHA224_KDF (0x05UL) -#define CKD_SHA256_KDF (0x06UL) -#define CKD_SHA384_KDF (0x07UL) -#define CKD_SHA512_KDF (0x08UL) -#define CKD_CPDIVERSIFY_KDF (0x09UL) - -typedef unsigned long ck_ec_kdf_t; - -struct ck_ecdh1_derive_params { - ck_ec_kdf_t kdf; - unsigned long shared_data_len; - unsigned char *shared_data; - unsigned long public_data_len; - unsigned char *public_data; -}; - -struct ck_key_derivation_string_data { - unsigned char *string_data; - unsigned long string_data_len; -}; - -struct ck_des_cbc_encrypt_data_params { - unsigned char iv[8]; - unsigned char *data_params; - unsigned long length; -}; - -struct ck_aes_cbc_encrypt_data_params { - unsigned char iv[16]; - unsigned char *data_params; - unsigned long length; -}; - -#define CKF_HW (1UL << 0) -#define CKF_ENCRYPT (1UL << 8) -#define CKF_DECRYPT (1UL << 9) -#define CKF_DIGEST (1UL << 10) -#define CKF_SIGN (1UL << 11) -#define CKF_SIGN_RECOVER (1UL << 12) -#define CKF_VERIFY (1UL << 13) -#define CKF_VERIFY_RECOVER (1UL << 14) -#define CKF_GENERATE (1UL << 15) -#define CKF_GENERATE_KEY_PAIR (1UL << 16) -#define CKF_WRAP (1UL << 17) -#define CKF_UNWRAP (1UL << 18) -#define CKF_DERIVE (1UL << 19) -#define CKF_EXTENSION ((unsigned long)(1UL << 31)) - -#define CKF_EC_F_P (1UL << 20) -#define CKF_EC_NAMEDCURVE (1UL << 23) -#define CKF_EC_UNCOMPRESS (1UL << 24) -#define CKF_EC_COMPRESS (1UL << 25) - -/* Flags for C_WaitForSlotEvent. */ -#define CKF_DONT_BLOCK (1UL) - -typedef unsigned long ck_rv_t; - -typedef ck_rv_t (*ck_notify_t)(ck_session_handle_t session, - ck_notification_t event, void *application); - -/* Forward reference. */ -struct ck_function_list; - -#define _CK_DECLARE_FUNCTION(name, args) \ - typedef ck_rv_t(*CK_##name) args; \ - ck_rv_t CK_SPEC name args - -_CK_DECLARE_FUNCTION(C_Initialize, (void *init_args)); -_CK_DECLARE_FUNCTION(C_Finalize, (void *reserved)); -_CK_DECLARE_FUNCTION(C_GetInfo, (struct ck_info * info)); -_CK_DECLARE_FUNCTION(C_GetFunctionList, - (struct ck_function_list * *function_list)); - -_CK_DECLARE_FUNCTION(C_GetSlotList, - (unsigned char token_present, ck_slot_id_t *slot_list, - unsigned long *count)); -_CK_DECLARE_FUNCTION(C_GetSlotInfo, - (ck_slot_id_t slot_id, struct ck_slot_info *info)); -_CK_DECLARE_FUNCTION(C_GetTokenInfo, - (ck_slot_id_t slot_id, struct ck_token_info *info)); -_CK_DECLARE_FUNCTION(C_WaitForSlotEvent, - (ck_flags_t flags, ck_slot_id_t *slot, void *reserved)); -_CK_DECLARE_FUNCTION(C_GetMechanismList, - (ck_slot_id_t slot_id, ck_mechanism_type_t *mechanism_list, - unsigned long *count)); -_CK_DECLARE_FUNCTION(C_GetMechanismInfo, - (ck_slot_id_t slot_id, ck_mechanism_type_t type, - struct ck_mechanism_info *info)); -_CK_DECLARE_FUNCTION(C_InitToken, - (ck_slot_id_t slot_id, unsigned char *pin, - unsigned long pin_len, unsigned char *label)); -_CK_DECLARE_FUNCTION(C_InitPIN, (ck_session_handle_t session, - unsigned char *pin, unsigned long pin_len)); -_CK_DECLARE_FUNCTION(C_SetPIN, (ck_session_handle_t session, - unsigned char *old_pin, unsigned long old_len, - unsigned char *new_pin, unsigned long new_len)); - -_CK_DECLARE_FUNCTION(C_OpenSession, - (ck_slot_id_t slot_id, ck_flags_t flags, void *application, - ck_notify_t notify, ck_session_handle_t *session)); -_CK_DECLARE_FUNCTION(C_CloseSession, (ck_session_handle_t session)); -_CK_DECLARE_FUNCTION(C_CloseAllSessions, (ck_slot_id_t slot_id)); -_CK_DECLARE_FUNCTION(C_GetSessionInfo, (ck_session_handle_t session, - struct ck_session_info *info)); -_CK_DECLARE_FUNCTION(C_GetOperationState, (ck_session_handle_t session, - unsigned char * operation_state, - unsigned long *operation_state_len)); -_CK_DECLARE_FUNCTION(C_SetOperationState, - (ck_session_handle_t session, - unsigned char * operation_state, - unsigned long operation_state_len, - ck_object_handle_t encryption_key, - ck_object_handle_t authentiation_key)); -_CK_DECLARE_FUNCTION(C_Login, - (ck_session_handle_t session, ck_user_type_t user_type, - unsigned char *pin, unsigned long pin_len)); -_CK_DECLARE_FUNCTION(C_Logout, (ck_session_handle_t session)); - -_CK_DECLARE_FUNCTION(C_CreateObject, - (ck_session_handle_t session, struct ck_attribute *templ, - unsigned long count, ck_object_handle_t *object)); -_CK_DECLARE_FUNCTION(C_CopyObject, - (ck_session_handle_t session, ck_object_handle_t object, - struct ck_attribute *templ, unsigned long count, - ck_object_handle_t *new_object)); -_CK_DECLARE_FUNCTION(C_DestroyObject, - (ck_session_handle_t session, ck_object_handle_t object)); -_CK_DECLARE_FUNCTION(C_GetObjectSize, - (ck_session_handle_t session, ck_object_handle_t object, - unsigned long *size)); -_CK_DECLARE_FUNCTION(C_GetAttributeValue, - (ck_session_handle_t session, ck_object_handle_t object, - struct ck_attribute *templ, unsigned long count)); -_CK_DECLARE_FUNCTION(C_SetAttributeValue, - (ck_session_handle_t session, ck_object_handle_t object, - struct ck_attribute *templ, unsigned long count)); -_CK_DECLARE_FUNCTION(C_FindObjectsInit, - (ck_session_handle_t session, struct ck_attribute *templ, - unsigned long count)); -_CK_DECLARE_FUNCTION(C_FindObjects, - (ck_session_handle_t session, ck_object_handle_t *object, - unsigned long max_object_count, - unsigned long *object_count)); -_CK_DECLARE_FUNCTION(C_FindObjectsFinal, (ck_session_handle_t session)); - -_CK_DECLARE_FUNCTION(C_EncryptInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_Encrypt, - (ck_session_handle_t session, unsigned char *data, - unsigned long data_len, unsigned char *encrypted_data, - unsigned long *encrypted_data_len)); -_CK_DECLARE_FUNCTION(C_EncryptUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len, unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); -_CK_DECLARE_FUNCTION(C_EncryptFinal, (ck_session_handle_t session, - unsigned char * last_encrypted_part, - unsigned long *last_encrypted_part_len)); - -_CK_DECLARE_FUNCTION(C_DecryptInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_Decrypt, (ck_session_handle_t session, - unsigned char * encrypted_data, - unsigned long encrypted_data_len, - unsigned char *data, unsigned long *data_len)); -_CK_DECLARE_FUNCTION(C_DecryptUpdate, - (ck_session_handle_t session, - unsigned char * encrypted_part, - unsigned long encrypted_part_len, unsigned char *part, - unsigned long *part_len)); -_CK_DECLARE_FUNCTION(C_DecryptFinal, - (ck_session_handle_t session, unsigned char *last_part, - unsigned long *last_part_len)); - -_CK_DECLARE_FUNCTION(C_DigestInit, (ck_session_handle_t session, - struct ck_mechanism *mechanism)); -_CK_DECLARE_FUNCTION(C_Digest, - (ck_session_handle_t session, unsigned char *data, - unsigned long data_len, unsigned char *digest, - unsigned long *digest_len)); -_CK_DECLARE_FUNCTION(C_DigestUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len)); -_CK_DECLARE_FUNCTION(C_DigestKey, - (ck_session_handle_t session, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_DigestFinal, - (ck_session_handle_t session, unsigned char *digest, - unsigned long *digest_len)); - -_CK_DECLARE_FUNCTION(C_SignInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_Sign, (ck_session_handle_t session, unsigned char *data, - unsigned long data_len, unsigned char *signature, - unsigned long *signature_len)); -_CK_DECLARE_FUNCTION(C_SignUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len)); -_CK_DECLARE_FUNCTION(C_SignFinal, - (ck_session_handle_t session, unsigned char *signature, - unsigned long *signature_len)); -_CK_DECLARE_FUNCTION(C_SignRecoverInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_SignRecover, - (ck_session_handle_t session, unsigned char *data, - unsigned long data_len, unsigned char *signature, - unsigned long *signature_len)); - -_CK_DECLARE_FUNCTION(C_VerifyInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_Verify, - (ck_session_handle_t session, unsigned char *data, - unsigned long data_len, unsigned char *signature, - unsigned long signature_len)); -_CK_DECLARE_FUNCTION(C_VerifyUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len)); -_CK_DECLARE_FUNCTION(C_VerifyFinal, - (ck_session_handle_t session, unsigned char *signature, - unsigned long signature_len)); -_CK_DECLARE_FUNCTION(C_VerifyRecoverInit, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, ck_object_handle_t key)); -_CK_DECLARE_FUNCTION(C_VerifyRecover, - (ck_session_handle_t session, unsigned char *signature, - unsigned long signature_len, unsigned char *data, - unsigned long *data_len)); - -_CK_DECLARE_FUNCTION(C_DigestEncryptUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len, unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); -_CK_DECLARE_FUNCTION(C_DecryptDigestUpdate, - (ck_session_handle_t session, - unsigned char * encrypted_part, - unsigned long encrypted_part_len, unsigned char *part, - unsigned long *part_len)); -_CK_DECLARE_FUNCTION(C_SignEncryptUpdate, - (ck_session_handle_t session, unsigned char *part, - unsigned long part_len, unsigned char *encrypted_part, - unsigned long *encrypted_part_len)); -_CK_DECLARE_FUNCTION(C_DecryptVerifyUpdate, - (ck_session_handle_t session, - unsigned char * encrypted_part, - unsigned long encrypted_part_len, unsigned char *part, - unsigned long *part_len)); - -_CK_DECLARE_FUNCTION(C_GenerateKey, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - struct ck_attribute *templ, unsigned long count, - ck_object_handle_t *key)); -_CK_DECLARE_FUNCTION(C_GenerateKeyPair, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - struct ck_attribute *public_key_template, - unsigned long public_key_attribute_count, - struct ck_attribute *private_key_template, - unsigned long private_key_attribute_count, - ck_object_handle_t * public_key, - ck_object_handle_t * private_key)); -_CK_DECLARE_FUNCTION(C_WrapKey, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t wrapping_key, ck_object_handle_t key, - unsigned char *wrapped_key, - unsigned long *wrapped_key_len)); -_CK_DECLARE_FUNCTION(C_UnwrapKey, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t unwrapping_key, - unsigned char *wrapped_key, unsigned long wrapped_key_len, - struct ck_attribute *templ, unsigned long attribute_count, - ck_object_handle_t *key)); -_CK_DECLARE_FUNCTION(C_DeriveKey, - (ck_session_handle_t session, - struct ck_mechanism *mechanism, - ck_object_handle_t base_key, struct ck_attribute *templ, - unsigned long attribute_count, ck_object_handle_t *key)); - -_CK_DECLARE_FUNCTION(C_SeedRandom, - (ck_session_handle_t session, unsigned char *seed, - unsigned long seed_len)); -_CK_DECLARE_FUNCTION(C_GenerateRandom, - (ck_session_handle_t session, unsigned char *random_data, - unsigned long random_len)); - -_CK_DECLARE_FUNCTION(C_GetFunctionStatus, (ck_session_handle_t session)); -_CK_DECLARE_FUNCTION(C_CancelFunction, (ck_session_handle_t session)); - -struct ck_function_list { - struct ck_version version; - CK_C_Initialize C_Initialize; - CK_C_Finalize C_Finalize; - CK_C_GetInfo C_GetInfo; - CK_C_GetFunctionList C_GetFunctionList; - CK_C_GetSlotList C_GetSlotList; - CK_C_GetSlotInfo C_GetSlotInfo; - CK_C_GetTokenInfo C_GetTokenInfo; - CK_C_GetMechanismList C_GetMechanismList; - CK_C_GetMechanismInfo C_GetMechanismInfo; - CK_C_InitToken C_InitToken; - CK_C_InitPIN C_InitPIN; - CK_C_SetPIN C_SetPIN; - CK_C_OpenSession C_OpenSession; - CK_C_CloseSession C_CloseSession; - CK_C_CloseAllSessions C_CloseAllSessions; - CK_C_GetSessionInfo C_GetSessionInfo; - CK_C_GetOperationState C_GetOperationState; - CK_C_SetOperationState C_SetOperationState; - CK_C_Login C_Login; - CK_C_Logout C_Logout; - CK_C_CreateObject C_CreateObject; - CK_C_CopyObject C_CopyObject; - CK_C_DestroyObject C_DestroyObject; - CK_C_GetObjectSize C_GetObjectSize; - CK_C_GetAttributeValue C_GetAttributeValue; - CK_C_SetAttributeValue C_SetAttributeValue; - CK_C_FindObjectsInit C_FindObjectsInit; - CK_C_FindObjects C_FindObjects; - CK_C_FindObjectsFinal C_FindObjectsFinal; - CK_C_EncryptInit C_EncryptInit; - CK_C_Encrypt C_Encrypt; - CK_C_EncryptUpdate C_EncryptUpdate; - CK_C_EncryptFinal C_EncryptFinal; - CK_C_DecryptInit C_DecryptInit; - CK_C_Decrypt C_Decrypt; - CK_C_DecryptUpdate C_DecryptUpdate; - CK_C_DecryptFinal C_DecryptFinal; - CK_C_DigestInit C_DigestInit; - CK_C_Digest C_Digest; - CK_C_DigestUpdate C_DigestUpdate; - CK_C_DigestKey C_DigestKey; - CK_C_DigestFinal C_DigestFinal; - CK_C_SignInit C_SignInit; - CK_C_Sign C_Sign; - CK_C_SignUpdate C_SignUpdate; - CK_C_SignFinal C_SignFinal; - CK_C_SignRecoverInit C_SignRecoverInit; - CK_C_SignRecover C_SignRecover; - CK_C_VerifyInit C_VerifyInit; - CK_C_Verify C_Verify; - CK_C_VerifyUpdate C_VerifyUpdate; - CK_C_VerifyFinal C_VerifyFinal; - CK_C_VerifyRecoverInit C_VerifyRecoverInit; - CK_C_VerifyRecover C_VerifyRecover; - CK_C_DigestEncryptUpdate C_DigestEncryptUpdate; - CK_C_DecryptDigestUpdate C_DecryptDigestUpdate; - CK_C_SignEncryptUpdate C_SignEncryptUpdate; - CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate; - CK_C_GenerateKey C_GenerateKey; - CK_C_GenerateKeyPair C_GenerateKeyPair; - CK_C_WrapKey C_WrapKey; - CK_C_UnwrapKey C_UnwrapKey; - CK_C_DeriveKey C_DeriveKey; - CK_C_SeedRandom C_SeedRandom; - CK_C_GenerateRandom C_GenerateRandom; - CK_C_GetFunctionStatus C_GetFunctionStatus; - CK_C_CancelFunction C_CancelFunction; - CK_C_WaitForSlotEvent C_WaitForSlotEvent; -}; - -typedef ck_rv_t (*ck_createmutex_t)(void **mutex); -typedef ck_rv_t (*ck_destroymutex_t)(void *mutex); -typedef ck_rv_t (*ck_lockmutex_t)(void *mutex); -typedef ck_rv_t (*ck_unlockmutex_t)(void *mutex); - -struct ck_c_initialize_args { - ck_createmutex_t create_mutex; - ck_destroymutex_t destroy_mutex; - ck_lockmutex_t lock_mutex; - ck_unlockmutex_t unlock_mutex; - ck_flags_t flags; - void * reserved; -}; - -#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1UL << 0) -#define CKF_OS_LOCKING_OK (1UL << 1) - -#define CKR_OK (0UL) -#define CKR_CANCEL (1UL) -#define CKR_HOST_MEMORY (2UL) -#define CKR_SLOT_ID_INVALID (3UL) -#define CKR_GENERAL_ERROR (5UL) -#define CKR_FUNCTION_FAILED (6UL) -#define CKR_ARGUMENTS_BAD (7UL) -#define CKR_NO_EVENT (8UL) -#define CKR_NEED_TO_CREATE_THREADS (9UL) -#define CKR_CANT_LOCK (0xaUL) -#define CKR_ATTRIBUTE_READ_ONLY (0x10UL) -#define CKR_ATTRIBUTE_SENSITIVE (0x11UL) -#define CKR_ATTRIBUTE_TYPE_INVALID (0x12UL) -#define CKR_ATTRIBUTE_VALUE_INVALID (0x13UL) -#define CKR_ACTION_PROHIBITED (0x1BUL) -#define CKR_DATA_INVALID (0x20UL) -#define CKR_DATA_LEN_RANGE (0x21UL) -#define CKR_DEVICE_ERROR (0x30UL) -#define CKR_DEVICE_MEMORY (0x31UL) -#define CKR_DEVICE_REMOVED (0x32UL) -#define CKR_ENCRYPTED_DATA_INVALID (0x40UL) -#define CKR_ENCRYPTED_DATA_LEN_RANGE (0x41UL) -#define CKR_FUNCTION_CANCELED (0x50UL) -#define CKR_FUNCTION_NOT_PARALLEL (0x51UL) -#define CKR_FUNCTION_NOT_SUPPORTED (0x54UL) -#define CKR_KEY_HANDLE_INVALID (0x60UL) -#define CKR_KEY_SIZE_RANGE (0x62UL) -#define CKR_KEY_TYPE_INCONSISTENT (0x63UL) -#define CKR_KEY_NOT_NEEDED (0x64UL) -#define CKR_KEY_CHANGED (0x65UL) -#define CKR_KEY_NEEDED (0x66UL) -#define CKR_KEY_INDIGESTIBLE (0x67UL) -#define CKR_KEY_FUNCTION_NOT_PERMITTED (0x68UL) -#define CKR_KEY_NOT_WRAPPABLE (0x69UL) -#define CKR_KEY_UNEXTRACTABLE (0x6aUL) -#define CKR_MECHANISM_INVALID (0x70UL) -#define CKR_MECHANISM_PARAM_INVALID (0x71UL) -#define CKR_OBJECT_HANDLE_INVALID (0x82UL) -#define CKR_OPERATION_ACTIVE (0x90UL) -#define CKR_OPERATION_NOT_INITIALIZED (0x91UL) -#define CKR_PIN_INCORRECT (0xa0UL) -#define CKR_PIN_INVALID (0xa1UL) -#define CKR_PIN_LEN_RANGE (0xa2UL) -#define CKR_PIN_EXPIRED (0xa3UL) -#define CKR_PIN_LOCKED (0xa4UL) -#define CKR_SESSION_CLOSED (0xb0UL) -#define CKR_SESSION_COUNT (0xb1UL) -#define CKR_SESSION_HANDLE_INVALID (0xb3UL) -#define CKR_SESSION_PARALLEL_NOT_SUPPORTED (0xb4UL) -#define CKR_SESSION_READ_ONLY (0xb5UL) -#define CKR_SESSION_EXISTS (0xb6UL) -#define CKR_SESSION_READ_ONLY_EXISTS (0xb7UL) -#define CKR_SESSION_READ_WRITE_SO_EXISTS (0xb8UL) -#define CKR_SIGNATURE_INVALID (0xc0UL) -#define CKR_SIGNATURE_LEN_RANGE (0xc1UL) -#define CKR_TEMPLATE_INCOMPLETE (0xd0UL) -#define CKR_TEMPLATE_INCONSISTENT (0xd1UL) -#define CKR_TOKEN_NOT_PRESENT (0xe0UL) -#define CKR_TOKEN_NOT_RECOGNIZED (0xe1UL) -#define CKR_TOKEN_WRITE_PROTECTED (0xe2UL) -#define CKR_UNWRAPPING_KEY_HANDLE_INVALID (0xf0UL) -#define CKR_UNWRAPPING_KEY_SIZE_RANGE (0xf1UL) -#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2UL) -#define CKR_USER_ALREADY_LOGGED_IN (0x100UL) -#define CKR_USER_NOT_LOGGED_IN (0x101UL) -#define CKR_USER_PIN_NOT_INITIALIZED (0x102UL) -#define CKR_USER_TYPE_INVALID (0x103UL) -#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN (0x104UL) -#define CKR_USER_TOO_MANY_TYPES (0x105UL) -#define CKR_WRAPPED_KEY_INVALID (0x110UL) -#define CKR_WRAPPED_KEY_LEN_RANGE (0x112UL) -#define CKR_WRAPPING_KEY_HANDLE_INVALID (0x113UL) -#define CKR_WRAPPING_KEY_SIZE_RANGE (0x114UL) -#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT (0x115UL) -#define CKR_RANDOM_SEED_NOT_SUPPORTED (0x120UL) -#define CKR_RANDOM_NO_RNG (0x121UL) -#define CKR_DOMAIN_PARAMS_INVALID (0x130UL) -#define CKR_BUFFER_TOO_SMALL (0x150UL) -#define CKR_SAVED_STATE_INVALID (0x160UL) -#define CKR_INFORMATION_SENSITIVE (0x170UL) -#define CKR_STATE_UNSAVEABLE (0x180UL) -#define CKR_CRYPTOKI_NOT_INITIALIZED (0x190UL) -#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191UL) -#define CKR_MUTEX_BAD (0x1a0UL) -#define CKR_MUTEX_NOT_LOCKED (0x1a1UL) -#define CKR_NEW_PIN_MODE (0x1b0UL) -#define CKR_NEXT_OTP (0x1b1UL) -#define CKR_EXCEEDED_MAX_ITERATIONS (0x1c0UL) -#define CKR_FIPS_SELF_TEST_FAILED (0x1c1UL) -#define CKR_LIBRARY_LOAD_FAILED (0x1c2UL) -#define CKR_PIN_TOO_WEAK (0x1c3UL) -#define CKR_PUBLIC_KEY_INVALID (0x1c4UL) -#define CKR_FUNCTION_REJECTED (0x200UL) -#define CKR_VENDOR_DEFINED ((unsigned long)(1UL << 31)) - -#define CKZ_DATA_SPECIFIED (0x01UL) - -/* Compatibility layer. */ - -#ifdef CRYPTOKI_COMPAT - -#undef CK_DEFINE_FUNCTION -#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name - -/* For NULL. */ -#include - -typedef unsigned char CK_BYTE; -typedef unsigned char CK_CHAR; -typedef unsigned char CK_UTF8CHAR; -typedef unsigned char CK_BBOOL; -typedef unsigned long int CK_ULONG; -typedef long int CK_LONG; -typedef CK_BYTE * CK_BYTE_PTR; -typedef CK_CHAR * CK_CHAR_PTR; -typedef CK_UTF8CHAR * CK_UTF8CHAR_PTR; -typedef CK_ULONG * CK_ULONG_PTR; -typedef void * CK_VOID_PTR; -typedef void ** CK_VOID_PTR_PTR; -#define CK_FALSE 0 -#define CK_TRUE 1 -#ifndef CK_DISABLE_TRUE_FALSE -#ifndef FALSE -#define FALSE 0 -#endif /* ifndef FALSE */ -#ifndef TRUE -#define TRUE 1 -#endif /* ifndef TRUE */ -#endif /* ifndef CK_DISABLE_TRUE_FALSE */ - -typedef struct ck_version CK_VERSION; -typedef struct ck_version *CK_VERSION_PTR; - -typedef struct ck_info CK_INFO; -typedef struct ck_info *CK_INFO_PTR; - -typedef ck_slot_id_t *CK_SLOT_ID_PTR; - -typedef struct ck_slot_info CK_SLOT_INFO; -typedef struct ck_slot_info *CK_SLOT_INFO_PTR; - -typedef struct ck_token_info CK_TOKEN_INFO; -typedef struct ck_token_info *CK_TOKEN_INFO_PTR; - -typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR; - -typedef struct ck_session_info CK_SESSION_INFO; -typedef struct ck_session_info *CK_SESSION_INFO_PTR; - -typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR; - -typedef ck_object_class_t *CK_OBJECT_CLASS_PTR; - -typedef struct ck_attribute CK_ATTRIBUTE; -typedef struct ck_attribute *CK_ATTRIBUTE_PTR; - -typedef struct ck_date CK_DATE; -typedef struct ck_date *CK_DATE_PTR; - -typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR; - -typedef struct ck_mechanism CK_MECHANISM; -typedef struct ck_mechanism *CK_MECHANISM_PTR; - -typedef struct ck_mechanism_info CK_MECHANISM_INFO; -typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR; - -typedef struct ck_otp_mechanism_info CK_OTP_MECHANISM_INFO; -typedef struct ck_otp_mechanism_info *CK_OTP_MECHANISM_INFO_PTR; - -typedef struct ck_function_list CK_FUNCTION_LIST; -typedef struct ck_function_list * CK_FUNCTION_LIST_PTR; -typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR; - -typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS; -typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR; - -typedef struct ck_rsa_pkcs_pss_params CK_RSA_PKCS_PSS_PARAMS; -typedef struct ck_rsa_pkcs_pss_params *CK_RSA_PKCS_PSS_PARAMS_PTR; - -typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS; -typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR; - -typedef struct ck_aes_ctr_params CK_AES_CTR_PARAMS; -typedef struct ck_aes_ctr_params *CK_AES_CTR_PARAMS_PTR; - -typedef struct ck_gcm_params CK_GCM_PARAMS; -typedef struct ck_gcm_params *CK_GCM_PARAMS_PTR; - -typedef struct ck_ecdh1_derive_params CK_ECDH1_DERIVE_PARAMS; -typedef struct ck_ecdh1_derive_params *CK_ECDH1_DERIVE_PARAMS_PTR; - -typedef struct ck_key_derivation_string_data CK_KEY_DERIVATION_STRING_DATA; -typedef struct ck_key_derivation_string_data *CK_KEY_DERIVATION_STRING_DATA_PTR; - -typedef struct ck_des_cbc_encrypt_data_params CK_DES_CBC_ENCRYPT_DATA_PARAMS; -typedef struct ck_des_cbc_encrypt_data_params - *CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR; - -typedef struct ck_aes_cbc_encrypt_data_params CK_AES_CBC_ENCRYPT_DATA_PARAMS; -typedef struct ck_aes_cbc_encrypt_data_params - *CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR; - -#ifndef NULL_PTR -#define NULL_PTR NULL -#endif /* ifndef NULL_PTR */ - -/* Delete the helper macros defined at the top of the file. */ -#undef ck_flags_t -#undef ck_version - -#undef ck_info -#undef cryptoki_version -#undef manufacturer_id -#undef library_description -#undef library_version - -#undef ck_notification_t -#undef ck_slot_id_t - -#undef ck_slot_info -#undef slot_description -#undef hardware_version -#undef firmware_version - -#undef ck_token_info -#undef serial_number -#undef max_session_count -#undef session_count -#undef max_rw_session_count -#undef rw_session_count -#undef max_pin_len -#undef min_pin_len -#undef total_public_memory -#undef free_public_memory -#undef total_private_memory -#undef free_private_memory -#undef utc_time - -#undef ck_session_handle_t -#undef ck_user_type_t -#undef ck_state_t - -#undef ck_session_info -#undef slot_id -#undef device_error - -#undef ck_object_handle_t -#undef ck_object_class_t -#undef ck_hw_feature_type_t -#undef ck_key_type_t -#undef ck_certificate_type_t -#undef ck_attribute_type_t - -#undef ck_attribute -#undef value -#undef value_len - -#undef params -#undef count - -#undef ck_date - -#undef ck_mechanism_type_t - -#undef ck_mechanism -#undef parameter -#undef parameter_len - -#undef ck_mechanism_info - -#undef ck_param_type -#undef ck_otp_param -#undef ck_otp_params -#undef ck_otp_signature_info - -#undef min_key_size -#undef max_key_size - -#undef ck_rv_t -#undef ck_notify_t - -#undef ck_function_list - -#undef ck_createmutex_t -#undef ck_destroymutex_t -#undef ck_lockmutex_t -#undef ck_unlockmutex_t - -#undef ck_c_initialize_args -#undef create_mutex -#undef destroy_mutex -#undef lock_mutex -#undef unlock_mutex -#undef reserved - -#endif /* CRYPTOKI_COMPAT */ - -/* System dependencies. */ -#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) -#pragma pack(pop, cryptoki) -#endif /* if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) */ - -#if defined(__cplusplus) -} -#endif /* if defined(__cplusplus) */ - -#endif /* PKCS11_H */ diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c deleted file mode 100644 index 5052406a6d..0000000000 --- a/lib/isc/pk11.c +++ /dev/null @@ -1,1100 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */ -#ifndef PINLEN -#define PINLEN 256 -#endif /* ifndef PINLEN */ - -#ifndef PK11_NO_LOGERR -#define PK11_NO_LOGERR 1 -#endif /* ifndef PK11_NO_LOGERR */ - -bool pk11_verbose_init = false; - -static isc_once_t once = ISC_ONCE_INIT; -static isc_mem_t *pk11_mctx = NULL; -static int32_t allocsize = 0; -static bool initialized = false; - -typedef struct pk11_session pk11_session_t; -typedef struct pk11_token pk11_token_t; -typedef ISC_LIST(pk11_session_t) pk11_sessionlist_t; - -struct pk11_session { - unsigned int magic; - CK_SESSION_HANDLE session; - ISC_LINK(pk11_session_t) link; - pk11_token_t *token; -}; - -struct pk11_token { - unsigned int magic; - unsigned int operations; - ISC_LINK(pk11_token_t) link; - CK_SLOT_ID slotid; - pk11_sessionlist_t sessions; - bool logged; - char name[32]; - char manuf[32]; - char model[16]; - char serial[16]; - char pin[PINLEN + 1]; -}; -static ISC_LIST(pk11_token_t) tokens; - -static pk11_token_t *best_rsa_token; -static pk11_token_t *best_ecdsa_token; -static pk11_token_t *best_eddsa_token; - -static isc_result_t -free_all_sessions(void); -static isc_result_t -free_session_list(pk11_sessionlist_t *slist); -static isc_result_t -setup_session(pk11_session_t *sp, pk11_token_t *token, bool rw); -static void -scan_slots(void); -static isc_result_t -token_login(pk11_session_t *sp); -static char * -percent_decode(char *x, size_t *len); -static bool -pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny); -static CK_ATTRIBUTE * -push_attribute(pk11_object_t *obj, isc_mem_t *mctx, size_t len); - -static isc_mutex_t alloclock; -static isc_mutex_t sessionlock; - -static pk11_sessionlist_t actives; - -static CK_C_INITIALIZE_ARGS pk11_init_args = { - NULL_PTR, /* CreateMutex */ - NULL_PTR, /* DestroyMutex */ - NULL_PTR, /* LockMutex */ - NULL_PTR, /* UnlockMutex */ - CKF_OS_LOCKING_OK, /* flags */ - NULL_PTR, /* pReserved */ -}; - -#ifndef PK11_LIB_LOCATION -#define PK11_LIB_LOCATION "unknown_provider" -#endif /* ifndef PK11_LIB_LOCATION */ - -static const char *lib_name = PK11_LIB_LOCATION; - -void -pk11_set_lib_name(const char *name) { - lib_name = name; -} - -const char * -pk11_get_lib_name(void) { - return (lib_name); -} - -static void -initialize(void) { - char *pk11_provider; - - isc_mutex_init(&alloclock); - isc_mutex_init(&sessionlock); - - pk11_provider = getenv("PKCS11_PROVIDER"); - if (pk11_provider != NULL) { - lib_name = pk11_provider; - } -} - -void * -pk11_mem_get(size_t size) { - void *ptr; - - LOCK(&alloclock); - if (pk11_mctx != NULL) { - ptr = isc_mem_get(pk11_mctx, size); - } else { - ptr = malloc(size); - if (ptr == NULL && size != 0) { - char strbuf[ISC_STRERRORSIZE]; - strerror_r(errno, strbuf, sizeof(strbuf)); - isc_error_fatal(__FILE__, __LINE__, "malloc failed: %s", - strbuf); - } - } - UNLOCK(&alloclock); - - if (ptr != NULL) { - memset(ptr, 0, size); - } - return (ptr); -} - -void -pk11_mem_put(void *ptr, size_t size) { - if (ptr != NULL) { - memset(ptr, 0, size); - } - LOCK(&alloclock); - if (pk11_mctx != NULL) { - isc_mem_put(pk11_mctx, ptr, size); - } else { - if (ptr != NULL) { - allocsize -= (int)size; - } - free(ptr); - } - UNLOCK(&alloclock); -} - -isc_result_t -pk11_initialize(isc_mem_t *mctx, const char *engine) { - isc_result_t result = ISC_R_SUCCESS; - CK_RV rv; - - RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS); - - LOCK(&sessionlock); - LOCK(&alloclock); - if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) { - isc_mem_attach(mctx, &pk11_mctx); - } - UNLOCK(&alloclock); - if (initialized) { - goto unlock; - } else { - initialized = true; - } - - ISC_LIST_INIT(tokens); - ISC_LIST_INIT(actives); - - if (engine != NULL) { - lib_name = engine; - } - - /* Initialize the CRYPTOKI library */ - rv = pkcs_C_Initialize((CK_VOID_PTR)&pk11_init_args); - - if (rv == 0xfe) { - result = PK11_R_NOPROVIDER; - fprintf(stderr, "Can't load PKCS#11 provider: %s\n", - pk11_get_load_error_message()); - goto unlock; - } - if (rv != CKR_OK) { - result = PK11_R_INITFAILED; - goto unlock; - } - - scan_slots(); -unlock: - UNLOCK(&sessionlock); - return (result); -} - -isc_result_t -pk11_finalize(void) { - pk11_token_t *token, *next; - isc_result_t ret; - - ret = free_all_sessions(); - (void)pkcs_C_Finalize(NULL_PTR); - token = ISC_LIST_HEAD(tokens); - while (token != NULL) { - next = ISC_LIST_NEXT(token, link); - ISC_LIST_UNLINK(tokens, token, link); - if (token == best_rsa_token) { - best_rsa_token = NULL; - } - if (token == best_ecdsa_token) { - best_ecdsa_token = NULL; - } - if (token == best_eddsa_token) { - best_eddsa_token = NULL; - } - pk11_mem_put(token, sizeof(*token)); - token = next; - } - if (pk11_mctx != NULL) { - isc_mem_detach(&pk11_mctx); - } - initialized = false; - return (ret); -} - -isc_result_t -pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, bool need_services, - bool rw, bool logon, const char *pin, CK_SLOT_ID slot) { - pk11_token_t *token = NULL; - pk11_sessionlist_t *freelist; - pk11_session_t *sp; - isc_result_t ret; - UNUSED(need_services); - - memset(ctx, 0, sizeof(pk11_context_t)); - ctx->handle = NULL; - ctx->session = CK_INVALID_HANDLE; - - ret = pk11_initialize(NULL, NULL); - if (ret != ISC_R_SUCCESS) { - return (ret); - } - - LOCK(&sessionlock); - /* wait for initialization to finish */ - UNLOCK(&sessionlock); - - switch (optype) { - case OP_ANY: - for (token = ISC_LIST_HEAD(tokens); token != NULL; - token = ISC_LIST_NEXT(token, link)) - { - if (token->slotid == slot) { - break; - } - } - break; - default: - for (token = ISC_LIST_HEAD(tokens); token != NULL; - token = ISC_LIST_NEXT(token, link)) - { - if (token->slotid == slot) { - break; - } - } - break; - } - if (token == NULL) { - return (ISC_R_NOTFOUND); - } - - /* Override the token's PIN */ - if (logon && pin != NULL && *pin != '\0') { - if (strlen(pin) > PINLEN) { - return (ISC_R_RANGE); - } - /* - * We want to zero out the old pin before - * overwriting with a new one. - */ - memset(token->pin, 0, sizeof(token->pin)); - strlcpy(token->pin, pin, sizeof(token->pin)); - } - - freelist = &token->sessions; - - LOCK(&sessionlock); - sp = ISC_LIST_HEAD(*freelist); - if (sp != NULL) { - ISC_LIST_UNLINK(*freelist, sp, link); - ISC_LIST_APPEND(actives, sp, link); - UNLOCK(&sessionlock); - if (logon) { - ret = token_login(sp); - } - ctx->handle = sp; - ctx->session = sp->session; - return (ret); - } - UNLOCK(&sessionlock); - - sp = pk11_mem_get(sizeof(*sp)); - sp->magic = SES_MAGIC; - sp->token = token; - sp->session = CK_INVALID_HANDLE; - ISC_LINK_INIT(sp, link); - ret = setup_session(sp, token, rw); - if ((ret == ISC_R_SUCCESS) && logon) { - ret = token_login(sp); - } - LOCK(&sessionlock); - ISC_LIST_APPEND(actives, sp, link); - UNLOCK(&sessionlock); - ctx->handle = sp; - ctx->session = sp->session; - return (ret); -} - -void -pk11_return_session(pk11_context_t *ctx) { - pk11_session_t *sp = (pk11_session_t *)ctx->handle; - - if (sp == NULL) { - return; - } - ctx->handle = NULL; - ctx->session = CK_INVALID_HANDLE; - - LOCK(&sessionlock); - ISC_LIST_UNLINK(actives, sp, link); - UNLOCK(&sessionlock); - if (sp->session == CK_INVALID_HANDLE) { - pk11_mem_put(sp, sizeof(*sp)); - return; - } - - LOCK(&sessionlock); - ISC_LIST_APPEND(sp->token->sessions, sp, link); - UNLOCK(&sessionlock); -} - -static isc_result_t -free_all_sessions(void) { - pk11_token_t *token; - isc_result_t ret = ISC_R_SUCCESS; - isc_result_t oret; - - for (token = ISC_LIST_HEAD(tokens); token != NULL; - token = ISC_LIST_NEXT(token, link)) - { - oret = free_session_list(&token->sessions); - if (oret != ISC_R_SUCCESS) { - ret = oret; - } - } - if (!ISC_LIST_EMPTY(actives)) { - ret = ISC_R_ADDRINUSE; - oret = free_session_list(&actives); - if (oret != ISC_R_SUCCESS) { - ret = oret; - } - } - return (ret); -} - -static isc_result_t -free_session_list(pk11_sessionlist_t *slist) { - pk11_session_t *sp; - CK_RV rv; - isc_result_t ret; - - ret = ISC_R_SUCCESS; - LOCK(&sessionlock); - while (!ISC_LIST_EMPTY(*slist)) { - sp = ISC_LIST_HEAD(*slist); - ISC_LIST_UNLINK(*slist, sp, link); - UNLOCK(&sessionlock); - if (sp->session != CK_INVALID_HANDLE) { - rv = pkcs_C_CloseSession(sp->session); - if (rv != CKR_OK) { - ret = ISC_R_CRYPTOFAILURE; - } - } - LOCK(&sessionlock); - pk11_mem_put(sp, sizeof(*sp)); - } - UNLOCK(&sessionlock); - - return (ret); -} - -static isc_result_t -setup_session(pk11_session_t *sp, pk11_token_t *token, bool rw) { - CK_RV rv; - CK_FLAGS flags = CKF_SERIAL_SESSION; - - if (rw) { - flags += CKF_RW_SESSION; - } - - rv = pkcs_C_OpenSession(token->slotid, flags, NULL_PTR, NULL_PTR, - &sp->session); - if (rv != CKR_OK) { - return (ISC_R_CRYPTOFAILURE); - } - return (ISC_R_SUCCESS); -} - -static isc_result_t -token_login(pk11_session_t *sp) { - CK_RV rv; - pk11_token_t *token = sp->token; - isc_result_t ret = ISC_R_SUCCESS; - - LOCK(&sessionlock); - if (!token->logged) { - rv = pkcs_C_Login(sp->session, CKU_USER, - (CK_UTF8CHAR_PTR)token->pin, - (CK_ULONG)strlen(token->pin)); - if (rv != CKR_OK) { -#if PK11_NO_LOGERR - pk11_error_fatalcheck(__FILE__, __LINE__, - "pkcs_C_Login", rv); -#else /* if PK11_NO_LOGERR */ - ret = ISC_R_NOPERM; -#endif /* if PK11_NO_LOGERR */ - } else { - token->logged = true; - } - } - UNLOCK(&sessionlock); - return (ret); -} - -#define PK11_TRACE(fmt) \ - if (pk11_verbose_init) \ - fprintf(stderr, fmt) -#define PK11_TRACE1(fmt, arg) \ - if (pk11_verbose_init) \ - fprintf(stderr, fmt, arg) -#define PK11_TRACE2(fmt, arg1, arg2) \ - if (pk11_verbose_init) \ - fprintf(stderr, fmt, arg1, arg2) -#define PK11_TRACEM(mech) \ - if (pk11_verbose_init) \ - fprintf(stderr, #mech ": 0x%lx\n", rv) - -static void -scan_slots(void) { - CK_MECHANISM_INFO mechInfo; - CK_TOKEN_INFO tokenInfo; - CK_RV rv; - CK_SLOT_ID slot; - CK_SLOT_ID_PTR slotList; - CK_ULONG slotCount; - pk11_token_t *token; - unsigned int i; - bool bad; - - slotCount = 0; - PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount)); - PK11_TRACE1("slotCount=%lu\n", slotCount); - /* it's not an error if we didn't find any providers */ - if (slotCount == 0) { - return; - } - slotList = pk11_mem_get(sizeof(CK_SLOT_ID) * slotCount); - PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount)); - - for (i = 0; i < slotCount; i++) { - slot = slotList[i]; - PK11_TRACE2("slot#%u=0x%lx\n", i, slot); - - rv = pkcs_C_GetTokenInfo(slot, &tokenInfo); - if (rv != CKR_OK) { - continue; - } - token = pk11_mem_get(sizeof(*token)); - token->magic = TOK_MAGIC; - token->slotid = slot; - ISC_LINK_INIT(token, link); - ISC_LIST_INIT(token->sessions); - memmove(token->name, tokenInfo.label, 32); - memmove(token->manuf, tokenInfo.manufacturerID, 32); - memmove(token->model, tokenInfo.model, 16); - memmove(token->serial, tokenInfo.serialNumber, 16); - ISC_LIST_APPEND(tokens, token, link); - - /* Check for RSA support */ - bad = false; - rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { - bad = true; - PK11_TRACEM(CKM_RSA_PKCS_KEY_PAIR_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) - { - bad = true; - PK11_TRACEM(CKM_MD5_RSA_PKCS); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, - &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) - { - bad = true; - PK11_TRACEM(CKM_SHA1_RSA_PKCS); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS, - &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) - { - bad = true; - PK11_TRACEM(CKM_SHA256_RSA_PKCS); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS, - &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) - { - bad = true; - PK11_TRACEM(CKM_SHA512_RSA_PKCS); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) - { - bad = true; - PK11_TRACEM(CKM_RSA_PKCS); - } - if (!bad) { - token->operations |= 1 << OP_RSA; - if (best_rsa_token == NULL) { - best_rsa_token = token; - } - } - - /* Check for ECDSA support */ - bad = false; - rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { - bad = true; - PK11_TRACEM(CKM_EC_KEY_PAIR_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_ECDSA, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) - { - bad = true; - PK11_TRACEM(CKM_ECDSA); - } - if (!bad) { - token->operations |= 1 << OP_ECDSA; - if (best_ecdsa_token == NULL) { - best_ecdsa_token = token; - } - } - - /* Check for EDDSA support */ - bad = false; - rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_EDWARDS_KEY_PAIR_GEN, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { - bad = true; - PK11_TRACEM(CKM_EC_EDWARDS_KEY_PAIR_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) - { - bad = true; - PK11_TRACEM(CKM_EDDSA); - } - if (!bad) { - token->operations |= 1 << OP_EDDSA; - if (best_eddsa_token == NULL) { - best_eddsa_token = token; - } - } - } - - if (slotList != NULL) { - pk11_mem_put(slotList, sizeof(CK_SLOT_ID) * slotCount); - } -} - -CK_SLOT_ID -pk11_get_best_token(pk11_optype_t optype) { - pk11_token_t *token = NULL; - - switch (optype) { - case OP_RSA: - token = best_rsa_token; - break; - case OP_ECDSA: - token = best_ecdsa_token; - break; - case OP_EDDSA: - token = best_eddsa_token; - break; - default: - break; - } - if (token == NULL) { - return (0); - } - return (token->slotid); -} - -isc_result_t -pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) { - unsigned int bitcnt, i; - CK_BYTE top; - - if (bytecnt == 0) { - *bits = 0; - return (ISC_R_SUCCESS); - } - bitcnt = bytecnt * 8; - for (i = 0; i < bytecnt; i++) { - top = data[i]; - if (top == 0) { - bitcnt -= 8; - continue; - } - if (top & 0x80) { - *bits = bitcnt; - return (ISC_R_SUCCESS); - } - if (top & 0x40) { - *bits = bitcnt - 1; - return (ISC_R_SUCCESS); - } - if (top & 0x20) { - *bits = bitcnt - 2; - return (ISC_R_SUCCESS); - } - if (top & 0x10) { - *bits = bitcnt - 3; - return (ISC_R_SUCCESS); - } - if (top & 0x08) { - *bits = bitcnt - 4; - return (ISC_R_SUCCESS); - } - if (top & 0x04) { - *bits = bitcnt - 5; - return (ISC_R_SUCCESS); - } - if (top & 0x02) { - *bits = bitcnt - 6; - return (ISC_R_SUCCESS); - } - if (top & 0x01) { - *bits = bitcnt - 7; - return (ISC_R_SUCCESS); - } - break; - } - return (ISC_R_RANGE); -} - -CK_ATTRIBUTE * -pk11_attribute_first(const pk11_object_t *obj) { - return (obj->repr); -} - -CK_ATTRIBUTE * -pk11_attribute_next(const pk11_object_t *obj, CK_ATTRIBUTE *attr) { - CK_ATTRIBUTE *next; - - next = attr + 1; - if ((next - obj->repr) >= obj->attrcnt) { - return (NULL); - } - return (next); -} - -CK_ATTRIBUTE * -pk11_attribute_bytype(const pk11_object_t *obj, CK_ATTRIBUTE_TYPE type) { - CK_ATTRIBUTE *attr; - - for (attr = pk11_attribute_first(obj); attr != NULL; - attr = pk11_attribute_next(obj, attr)) - { - if (attr->type == type) { - return (attr); - } - } - return (NULL); -} - -static char * -percent_decode(char *x, size_t *len) { - char *p, *c; - unsigned char v = 0; - - INSIST(len != NULL); - - for (p = c = x; p[0] != '\0'; p++, c++) { - switch (p[0]) { - case '%': - switch (p[1]) { - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': - v = (p[1] - '0') << 4; - break; - case 'A': - case 'B': - case 'C': - case 'D': - case 'E': - case 'F': - v = (p[1] - 'A' + 10) << 4; - break; - case 'a': - case 'b': - case 'c': - case 'd': - case 'e': - case 'f': - v = (p[1] - 'a' + 10) << 4; - break; - default: - return (NULL); - } - switch (p[2]) { - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': - v |= (p[2] - '0') & 0x0f; - break; - case 'A': - case 'B': - case 'C': - case 'D': - case 'E': - case 'F': - v = (p[2] - 'A' + 10) & 0x0f; - break; - case 'a': - case 'b': - case 'c': - case 'd': - case 'e': - case 'f': - v = (p[2] - 'a' + 10) & 0x0f; - break; - default: - return (NULL); - } - p += 2; - *c = (char)v; - (*len)++; - break; - default: - *c = *p; - (*len)++; - } - } - return (x); -} - -static bool -pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny) { - char buf[32]; - - INSIST((leny == 32) || (leny == 16)); - - memset(buf, ' ', 32); - if (lenx > leny) { - lenx = leny; - } - memmove(buf, x, lenx); - return (memcmp(buf, y, leny) == 0); -} - -static CK_ATTRIBUTE * -push_attribute(pk11_object_t *obj, isc_mem_t *mctx, size_t len) { - CK_ATTRIBUTE *old = obj->repr; - CK_ATTRIBUTE *attr; - CK_BYTE cnt = obj->attrcnt; - - REQUIRE(old != NULL || cnt == 0); - - obj->repr = isc_mem_get(mctx, (cnt + 1) * sizeof(*attr)); - memset(obj->repr, 0, (cnt + 1) * sizeof(*attr)); - if (old != NULL) { - memmove(obj->repr, old, cnt * sizeof(*attr)); - } - attr = obj->repr + cnt; - attr->ulValueLen = (CK_ULONG)len; - attr->pValue = isc_mem_get(mctx, len); - memset(attr->pValue, 0, len); - if (old != NULL) { - memset(old, 0, cnt * sizeof(*attr)); - isc_mem_put(mctx, old, cnt * sizeof(*attr)); - } - obj->attrcnt++; - return (attr); -} - -#define DST_RET(a) \ - { \ - ret = a; \ - goto err; \ - } - -isc_result_t -pk11_parse_uri(pk11_object_t *obj, const char *label, isc_mem_t *mctx, - pk11_optype_t optype) { - CK_ATTRIBUTE *attr; - pk11_token_t *token = NULL; - char *uri, *p, *a, *na, *v; - size_t len, l; - FILE *stream = NULL; - char pin[PINLEN + 1]; - bool gotpin = false; - isc_result_t ret; - - /* get values to work on */ - len = strlen(label) + 1; - uri = isc_mem_get(mctx, len); - memmove(uri, label, len); - - /* get the URI scheme */ - p = strchr(uri, ':'); - if (p == NULL) { - DST_RET(PK11_R_NOPROVIDER); - } - *p++ = '\0'; - if (strcmp(uri, "pkcs11") != 0) { - DST_RET(PK11_R_NOPROVIDER); - } - - /* get attributes */ - for (na = p; na != NULL;) { - a = na; - p = strchr(a, ';'); - if (p == NULL) { - /* last attribute */ - na = NULL; - } else { - *p++ = '\0'; - na = p; - } - p = strchr(a, '='); - if (p != NULL) { - *p++ = '\0'; - v = p; - } else { - v = a; - } - l = 0; - v = percent_decode(v, &l); - if (v == NULL) { - DST_RET(PK11_R_NOPROVIDER); - } - if ((a == v) || (strcmp(a, "object") == 0)) { - /* object: CKA_LABEL */ - attr = pk11_attribute_bytype(obj, CKA_LABEL); - if (attr != NULL) { - DST_RET(PK11_R_NOPROVIDER); - } - attr = push_attribute(obj, mctx, l); - if (attr == NULL) { - DST_RET(ISC_R_NOMEMORY); - } - attr->type = CKA_LABEL; - memmove(attr->pValue, v, l); - } else if (strcmp(a, "token") == 0) { - /* token: CK_TOKEN_INFO label */ - if (token == NULL) { - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) - { - if (pk11strcmp(v, l, token->name, 32)) { - break; - } - } - } - } else if (strcmp(a, "manufacturer") == 0) { - /* manufacturer: CK_TOKEN_INFO manufacturerID */ - if (token == NULL) { - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) - { - if (pk11strcmp(v, l, token->manuf, 32)) - { - break; - } - } - } - } else if (strcmp(a, "serial") == 0) { - /* serial: CK_TOKEN_INFO serialNumber */ - if (token == NULL) { - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) - { - if (pk11strcmp(v, l, token->serial, 16)) - { - break; - } - } - } - } else if (strcmp(a, "model") == 0) { - /* model: CK_TOKEN_INFO model */ - if (token == NULL) { - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) - { - if (pk11strcmp(v, l, token->model, 16)) - { - break; - } - } - } - } else if (strcmp(a, "library-manufacturer") == 0) { - /* ignored */ - } else if (strcmp(a, "library-description") == 0) { - /* ignored */ - } else if (strcmp(a, "library-version") == 0) { - /* ignored */ - } else if (strcmp(a, "object-type") == 0) { - /* object-type: CKA_CLASS */ - /* only private makes sense */ - if (strcmp(v, "private") != 0) { - DST_RET(PK11_R_NOPROVIDER); - } - } else if (strcmp(a, "id") == 0) { - /* id: CKA_ID */ - attr = pk11_attribute_bytype(obj, CKA_ID); - if (attr != NULL) { - DST_RET(PK11_R_NOPROVIDER); - } - attr = push_attribute(obj, mctx, l); - if (attr == NULL) { - DST_RET(ISC_R_NOMEMORY); - } - attr->type = CKA_ID; - memmove(attr->pValue, v, l); - } else if (strcmp(a, "pin-source") == 0) { - /* pin-source: PIN */ - ret = isc_stdio_open(v, "r", &stream); - if (ret != ISC_R_SUCCESS) { - goto err; - } - memset(pin, 0, PINLEN + 1); - ret = isc_stdio_read(pin, 1, PINLEN + 1, stream, &l); - if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) { - goto err; - } - if (l > PINLEN) { - DST_RET(ISC_R_RANGE); - } - ret = isc_stdio_close(stream); - stream = NULL; - if (ret != ISC_R_SUCCESS) { - goto err; - } - gotpin = true; - } else { - DST_RET(PK11_R_NOPROVIDER); - } - } - - if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) && - (pk11_attribute_bytype(obj, CKA_ID) == NULL)) - { - DST_RET(ISC_R_NOTFOUND); - } - - if (token == NULL) { - if (optype == OP_RSA) { - token = best_rsa_token; - } else if (optype == OP_ECDSA) { - token = best_ecdsa_token; - } else if (optype == OP_EDDSA) { - token = best_eddsa_token; - } - } - if (token == NULL) { - DST_RET(ISC_R_NOTFOUND); - } - obj->slot = token->slotid; - if (gotpin) { - memmove(token->pin, pin, PINLEN + 1); - obj->reqlogon = true; - } - - ret = ISC_R_SUCCESS; - -err: - if (stream != NULL) { - (void)isc_stdio_close(stream); - } - isc_mem_put(mctx, uri, len); - return (ret); -} - -void -pk11_error_fatalcheck(const char *file, int line, const char *funcname, - CK_RV rv) { - isc_error_fatal(file, line, "%s: Error = 0x%.8lX\n", funcname, rv); -} - -void -pk11_dump_tokens(void) { - pk11_token_t *token; - bool first; - - printf("DEFAULTS\n"); - printf("\tbest_rsa_token=%p\n", best_rsa_token); - printf("\tbest_ecdsa_token=%p\n", best_ecdsa_token); - printf("\tbest_eddsa_token=%p\n", best_eddsa_token); - - for (token = ISC_LIST_HEAD(tokens); token != NULL; - token = ISC_LIST_NEXT(token, link)) - { - printf("\nTOKEN\n"); - printf("\taddress=%p\n", token); - printf("\tslotID=%lu\n", token->slotid); - printf("\tlabel=%.32s\n", token->name); - printf("\tmanufacturerID=%.32s\n", token->manuf); - printf("\tmodel=%.16s\n", token->model); - printf("\tserialNumber=%.16s\n", token->serial); - printf("\tsupported operations=0x%x (", token->operations); - first = true; - if (token->operations & (1 << OP_RSA)) { - first = false; - printf("RSA"); - } - if (token->operations & (1 << OP_ECDSA)) { - if (!first) { - printf(","); - } - printf("EC"); - } - printf(")\n"); - } -} diff --git a/lib/isc/pk11_api.c b/lib/isc/pk11_api.c deleted file mode 100644 index 400e0e5c97..0000000000 --- a/lib/isc/pk11_api.c +++ /dev/null @@ -1,706 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/*! \file */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -#include - -#define KEEP_PKCS11_NAMES -#include -#include - -static void *hPK11 = NULL; -static char loaderrmsg[1024]; - -CK_RV -pkcs_C_Initialize(CK_VOID_PTR pReserved) { - CK_C_Initialize sym; - - if (hPK11 != NULL) { - return (CKR_CRYPTOKI_ALREADY_INITIALIZED); - } - - hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW); - - if (hPK11 == NULL) { - snprintf(loaderrmsg, sizeof(loaderrmsg), - "dlopen(\"%s\") failed: %s\n", pk11_get_lib_name(), - dlerror()); - return (CKR_LIBRARY_LOAD_FAILED); - } - sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize"); - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(pReserved)); -} - -char * -pk11_get_load_error_message(void) { - return (loaderrmsg); -} - -CK_RV -pkcs_C_Finalize(CK_VOID_PTR pReserved) { - CK_C_Finalize sym; - CK_RV rv; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize"); - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - rv = (*sym)(pReserved); - if ((rv == CKR_OK) && (dlclose(hPK11) != 0)) { - return (CKR_LIBRARY_LOAD_FAILED); - } - hPK11 = NULL; - return (rv); -} - -CK_RV -pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, - CK_ULONG_PTR pulCount) { - static CK_C_GetSlotList sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GetSlotList)dlsym(hPK11, "C_GetSlotList"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(tokenPresent, pSlotList, pulCount)); -} - -CK_RV -pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) { - static CK_C_GetTokenInfo sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GetTokenInfo)dlsym(hPK11, "C_GetTokenInfo"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(slotID, pInfo)); -} - -CK_RV -pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, - CK_MECHANISM_INFO_PTR pInfo) { - static CK_C_GetMechanismInfo sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GetMechanismInfo)dlsym(hPK11, "C_GetMechanismInfo"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(slotID, type, pInfo)); -} - -CK_RV -pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, - CK_RV (*Notify)(CK_SESSION_HANDLE hSession, - CK_NOTIFICATION event, - CK_VOID_PTR pApplication), - CK_SESSION_HANDLE_PTR phSession) { - static CK_C_OpenSession sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW); - } - if (hPK11 == NULL) { - snprintf(loaderrmsg, sizeof(loaderrmsg), - "dlopen(\"%s\") failed: %s\n", pk11_get_lib_name(), - dlerror()); - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(slotID, flags, pApplication, Notify, phSession)); -} - -CK_RV -pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) { - static CK_C_CloseSession sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession)); -} - -CK_RV -pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, - CK_CHAR_PTR pPin, CK_ULONG usPinLen) { - static CK_C_Login sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_Login)dlsym(hPK11, "C_Login"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, userType, pPin, usPinLen)); -} - -CK_RV -pkcs_C_Logout(CK_SESSION_HANDLE hSession) { - static CK_C_Logout sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_Logout)dlsym(hPK11, "C_Logout"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession)); -} - -CK_RV -pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject) { - static CK_C_CreateObject sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pTemplate, usCount, phObject)); -} - -CK_RV -pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) { - static CK_C_DestroyObject sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, hObject)); -} - -CK_RV -pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) { - static CK_C_GetAttributeValue sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GetAttributeValue)dlsym(hPK11, "C_" - "GetAttributeValue"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, hObject, pTemplate, usCount)); -} - -CK_RV -pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) { - static CK_C_SetAttributeValue sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_SetAttributeValue)dlsym(hPK11, "C_" - "SetAttributeValue"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, hObject, pTemplate, usCount)); -} - -CK_RV -pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG usCount) { - static CK_C_FindObjectsInit sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pTemplate, usCount)); -} - -CK_RV -pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, - CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount) { - static CK_C_FindObjects sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount)); -} - -CK_RV -pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) { - static CK_C_FindObjectsFinal sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_FindObjectsFinal)dlsym(hPK11, "C_FindObjectsFinal"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession)); -} - -CK_RV -pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey) { - static CK_C_EncryptInit sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_EncryptInit)dlsym(hPK11, "C_EncryptInit"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pMechanism, hKey)); -} - -CK_RV -pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, - CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, - CK_ULONG_PTR pulEncryptedDataLen) { - static CK_C_Encrypt sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_Encrypt)dlsym(hPK11, "C_Encrypt"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pData, ulDataLen, pEncryptedData, - pulEncryptedDataLen)); -} - -CK_RV -pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) { - static CK_C_DigestInit sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_DigestInit)dlsym(hPK11, "C_DigestInit"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pMechanism)); -} - -CK_RV -pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen) { - static CK_C_DigestUpdate sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_DigestUpdate)dlsym(hPK11, "C_DigestUpdate"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pPart, ulPartLen)); -} - -CK_RV -pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, - CK_ULONG_PTR pulDigestLen) { - static CK_C_DigestFinal sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_DigestFinal)dlsym(hPK11, "C_DigestFinal"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pDigest, pulDigestLen)); -} - -CK_RV -pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey) { - static CK_C_SignInit sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_SignInit)dlsym(hPK11, "C_SignInit"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pMechanism, hKey)); -} - -CK_RV -pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, - CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) { - static CK_C_Sign sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_Sign)dlsym(hPK11, "C_Sign"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pData, ulDataLen, pSignature, - pulSignatureLen)); -} - -CK_RV -pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen) { - static CK_C_SignUpdate sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_SignUpdate)dlsym(hPK11, "C_SignUpdate"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pPart, ulPartLen)); -} - -CK_RV -pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen) { - static CK_C_SignFinal sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_SignFinal)dlsym(hPK11, "C_SignFinal"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pSignature, pulSignatureLen)); -} - -CK_RV -pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey) { - static CK_C_VerifyInit sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_VerifyInit)dlsym(hPK11, "C_VerifyInit"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pMechanism, hKey)); -} - -CK_RV -pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, - CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) { - static CK_C_Verify sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_Verify)dlsym(hPK11, "C_Verify"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen)); -} - -CK_RV -pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen) { - static CK_C_VerifyUpdate sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_VerifyUpdate)dlsym(hPK11, "C_VerifyUpdate"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pPart, ulPartLen)); -} - -CK_RV -pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen) { - static CK_C_VerifyFinal sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_VerifyFinal)dlsym(hPK11, "C_VerifyFinal"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pSignature, ulSignatureLen)); -} - -CK_RV -pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, - CK_OBJECT_HANDLE_PTR phKey) { - static CK_C_GenerateKey sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GenerateKey)dlsym(hPK11, "C_GenerateKey"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pMechanism, pTemplate, ulCount, phKey)); -} - -CK_RV -pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pPublicKeyTemplate, - CK_ULONG usPublicKeyAttributeCount, - CK_ATTRIBUTE_PTR pPrivateKeyTemplate, - CK_ULONG usPrivateKeyAttributeCount, - CK_OBJECT_HANDLE_PTR phPrivateKey, - CK_OBJECT_HANDLE_PTR phPublicKey) { - static CK_C_GenerateKeyPair sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pMechanism, pPublicKeyTemplate, - usPublicKeyAttributeCount, pPrivateKeyTemplate, - usPrivateKeyAttributeCount, phPrivateKey, phPublicKey)); -} - -CK_RV -pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) { - static CK_C_DeriveKey sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_DeriveKey)dlsym(hPK11, "C_DeriveKey"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pMechanism, hBaseKey, pTemplate, - ulAttributeCount, phKey)); -} - -CK_RV -pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, - CK_ULONG ulSeedLen) { - static CK_C_SeedRandom sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_SeedRandom)dlsym(hPK11, "C_SeedRandom"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, pSeed, ulSeedLen)); -} - -CK_RV -pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData, - CK_ULONG ulRandomLen) { - static CK_C_GenerateRandom sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) { - return (CKR_LIBRARY_LOAD_FAILED); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GenerateRandom)dlsym(hPK11, "C_GenerateRandom"); - } - if (sym == NULL) { - return (CKR_FUNCTION_NOT_SUPPORTED); - } - return ((*sym)(hSession, RandomData, ulRandomLen)); -} diff --git a/lib/isc/pk11_result.c b/lib/isc/pk11_result.c deleted file mode 100644 index a8afed6abf..0000000000 --- a/lib/isc/pk11_result.c +++ /dev/null @@ -1,71 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include - -#include -#include - -#include - -static const char *text[PK11_R_NRESULTS] = { - "PKCS#11 initialization failed", /*%< 0 */ - "no PKCS#11 provider", /*%< 1 */ - "PKCS#11 no random service", /*%< 2 */ - "PKCS#11 no digist service", /*%< 3 */ - "PKCS#11 no AES service", /*%< 4 */ -}; - -static const char *ids[PK11_R_NRESULTS] = { - "PK11_R_INITFAILED", "PK11_R_NOPROVIDER", - "PK11_R_NORANDOMSERVICE", "PK11_R_NODIGESTSERVICE", - "PK11_R_NOAESSERVICE", -}; - -#define PK11_RESULT_RESULTSET 2 - -static isc_once_t once = ISC_ONCE_INIT; - -static void -initialize_action(void) { - isc_result_t result; - - result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS, - text, PK11_RESULT_RESULTSET); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_result_register() failed: %u", result); - } - - result = isc_result_registerids(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS, - ids, PK11_RESULT_RESULTSET); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_result_registerids() failed: %u", result); - } -} - -static void -initialize(void) { - RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS); -} - -const char * -pk11_result_totext(isc_result_t result) { - initialize(); - - return (isc_result_totext(result)); -} - -void -pk11_result_register(void) { - initialize(); -} diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c index 6d4918b218..5988c97d32 100644 --- a/lib/isc/tests/hash_test.c +++ b/lib/isc/tests/hash_test.c @@ -31,8 +31,6 @@ #include #include -#include - #define TEST_INPUT(x) (x), sizeof(x) - 1 /*Hash function test */ diff --git a/lib/isc/tests/result_test.c b/lib/isc/tests/result_test.c index ff20f160b7..2977905c61 100644 --- a/lib/isc/tests/result_test.c +++ b/lib/isc/tests/result_test.c @@ -24,8 +24,6 @@ #include #include -#include - /* convert result to identifier string */ static void isc_result_toid_test(void **state) { @@ -62,8 +60,6 @@ tables(void **state) { UNUSED(state); - pk11_result_register(); - for (result = 0; result < ISC_R_NRESULTS; result++) { str = isc_result_toid(result); assert_non_null(str); @@ -84,28 +80,6 @@ tables(void **state) { str = isc_result_totext(result); assert_non_null(str); assert_string_equal(str, "(result code text not available)"); - - for (result = ISC_RESULTCLASS_PK11; - result < (ISC_RESULTCLASS_PK11 + PK11_R_NRESULTS); result++) - { - str = isc_result_toid(result); - assert_non_null(str); - assert_string_not_equal(str, "(result code text not " - "available)"); - - str = isc_result_totext(result); - assert_non_null(str); - assert_string_not_equal(str, "(result code text not " - "available)"); - } - - str = isc_result_toid(result); - assert_non_null(str); - assert_string_equal(str, "(result code text not available)"); - - str = isc_result_totext(result); - assert_non_null(str); - assert_string_equal(str, "(result code text not available)"); } int diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c index 0be28b9057..581682cfc9 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c @@ -37,8 +37,6 @@ #include #include -#include - #include #include #include diff --git a/util/copyrights b/util/copyrights index 25f5077bc5..e00f0f6371 100644 --- a/util/copyrights +++ b/util/copyrights @@ -96,14 +96,6 @@ ./bin/named/zoneconf.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021 ./bin/nsupdate/nsupdate.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021 ./bin/nsupdate/nsupdate.rst RST 2020,2021 -./bin/pkcs11/pkcs11-destroy.c X 2009,2010,2014,2015,2018,2019,2020,2021 -./bin/pkcs11/pkcs11-destroy.rst RST 2020,2021 -./bin/pkcs11/pkcs11-keygen.c X 2009,2014,2015,2017,2018,2019,2020,2021 -./bin/pkcs11/pkcs11-keygen.rst RST 2020,2021 -./bin/pkcs11/pkcs11-list.c C 2009,2014,2015,2016,2018,2019,2020,2021 -./bin/pkcs11/pkcs11-list.rst RST 2020,2021 -./bin/pkcs11/pkcs11-tokens.c C 2014,2015,2016,2018,2019,2020,2021 -./bin/pkcs11/pkcs11-tokens.rst RST 2020,2021 ./bin/plugins/filter-a.c C 2018,2019,2020,2021 ./bin/plugins/filter-a.rst RST 2020,2021 ./bin/plugins/filter-aaaa.c C 2018,2019,2020,2021 @@ -205,7 +197,6 @@ ./bin/tests/system/checkzone/zones/bad-badclass.raw X 2015,2018,2019,2020,2021 ./bin/tests/system/ckdnsrps.sh SH 2017,2018,2019,2020,2021 ./bin/tests/system/cleanall.sh SH 2000,2001,2004,2007,2012,2014,2015,2016,2017,2018,2019,2020,2021 -./bin/tests/system/cleanpkcs11.sh SH 2010,2012,2014,2016,2018,2019,2020,2021 ./bin/tests/system/common/rndc.key X 2011,2013,2016,2018,2019,2020,2021 ./bin/tests/system/conf.sh.common SH 2018,2019,2020,2021 ./bin/tests/system/conf.sh.in SH 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020 @@ -612,11 +603,6 @@ ./bin/tests/system/pipelined/refb X 2014,2015,2018,2019,2020,2021 ./bin/tests/system/pipelined/setup.sh SH 2014,2015,2016,2017,2018,2019,2020,2021 ./bin/tests/system/pipelined/tests.sh SH 2014,2015,2016,2017,2018,2019,2020,2021 -./bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt X 2020,2021 -./bin/tests/system/pkcs11/clean.sh SH 2010,2012,2014,2016,2017,2018,2019,2020,2021 -./bin/tests/system/pkcs11/setup.sh SH 2010,2012,2013,2014,2016,2017,2018,2019,2020,2021 -./bin/tests/system/pkcs11/tests.sh SH 2010,2012,2014,2016,2017,2018,2019,2020,2021 -./bin/tests/system/pkcs11/usepkcs11 X 2010,2018,2019,2020,2021 ./bin/tests/system/qmin/ans2/ans.py PYTHON 2018,2019,2020,2021 ./bin/tests/system/qmin/ans3/ans.py PYTHON 2018,2019,2020,2021 ./bin/tests/system/qmin/ans4/ans.py PYTHON 2018,2019,2020,2021 @@ -1128,10 +1114,6 @@ ./doc/man/nsec3hash.rst RST 2020,2021 ./doc/man/nslookup.rst RST 2020,2021 ./doc/man/nsupdate.rst RST 2020,2021 -./doc/man/pkcs11-destroy.rst RST 2020,2021 -./doc/man/pkcs11-keygen.rst RST 2020,2021 -./doc/man/pkcs11-list.rst RST 2020,2021 -./doc/man/pkcs11-tokens.rst RST 2020,2021 ./doc/man/rndc-confgen.rst RST 2020,2021 ./doc/man/rndc.conf.rst RST 2020,2021 ./doc/man/rndc.rst RST 2020,2021 @@ -1200,7 +1182,6 @@ ./lib/dns/dst_openssl.h C 2002,2004,2005,2007,2008,2009,2011,2012,2015,2016,2018,2019,2020,2021 ./lib/dns/dst_parse.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021 ./lib/dns/dst_parse.h C.NAI 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2012,2014,2016,2017,2018,2019,2020,2021 -./lib/dns/dst_pkcs11.h C 2014,2016,2018,2019,2020,2021 ./lib/dns/dst_result.c C 1999,2000,2001,2004,2005,2007,2008,2012,2013,2014,2015,2016,2018,2019,2020,2021 ./lib/dns/dyndb.c C 2015,2016,2017,2018,2019,2020,2021 ./lib/dns/ecs.c C 2017,2018,2019,2020,2021 @@ -1337,10 +1318,6 @@ ./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021 ./lib/dns/order.c C 2002,2004,2005,2007,2015,2016,2017,2018,2019,2020,2021 ./lib/dns/peer.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021 -./lib/dns/pkcs11.c C 2014,2016,2017,2018,2019,2020,2021 -./lib/dns/pkcs11ecdsa_link.c C 2014,2015,2016,2017,2018,2019,2020,2021 -./lib/dns/pkcs11eddsa_link.c C 2017,2018,2019,2020,2021 -./lib/dns/pkcs11rsa_link.c C 2014,2015,2016,2017,2018,2019,2020,2021 ./lib/dns/private.c C 2009,2011,2012,2015,2016,2017,2018,2019,2020,2021 ./lib/dns/rbt.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021 ./lib/dns/rbtdb.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021 @@ -1783,12 +1760,6 @@ ./lib/isc/include/isc/url.h C 2021 ./lib/isc/include/isc/utf8.h C 2020,2021 ./lib/isc/include/isc/util.h C 1998,1999,2000,2001,2004,2005,2006,2007,2010,2011,2012,2015,2016,2017,2018,2019,2020,2021 -./lib/isc/include/pk11/constants.h C 2014,2016,2017,2018,2019,2020,2021 -./lib/isc/include/pk11/internal.h C 2014,2016,2018,2019,2020,2021 -./lib/isc/include/pk11/pk11.h C 2014,2016,2018,2019,2020,2021 -./lib/isc/include/pk11/result.h C 2014,2016,2018,2019,2020,2021 -./lib/isc/include/pk11/site.h C 2016,2017,2018,2019,2020,2021 -./lib/isc/include/pkcs11/pkcs11.h X 2019,2020,2021 ./lib/isc/interfaceiter.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2014,2016,2017,2018,2019,2020,2021 ./lib/isc/iterated_hash.c C 2006,2008,2009,2016,2018,2019,2020,2021 ./lib/isc/jemalloc_shim.h C 2021 @@ -1822,9 +1793,6 @@ ./lib/isc/openssl_shim.h C 2020,2021 ./lib/isc/os.c C 2000,2001,2004,2005,2007,2016,2018,2019,2020,2021 ./lib/isc/parseint.c C 2001,2002,2003,2004,2005,2007,2012,2016,2018,2019,2020,2021 -./lib/isc/pk11.c C 2014,2015,2016,2017,2018,2019,2020,2021 -./lib/isc/pk11_api.c C 2014,2016,2018,2019,2020,2021 -./lib/isc/pk11_result.c C 2014,2015,2016,2018,2019,2020,2021 ./lib/isc/pool.c C 2013,2015,2016,2018,2019,2020,2021 ./lib/isc/portset.c C 2008,2016,2017,2018,2019,2020,2021 ./lib/isc/queue.c C 2019,2020,2021 From b687c1d3af7e37d353567dee76bb9a23eea16dba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Tue, 7 Sep 2021 21:54:48 +0200 Subject: [PATCH 2/3] Disable softhsm2.4 and softhsm2.6 builds and tests from the CI Until we have a system test that would directly test the engine_pkcs11 integration, we need to disable the system tests that enabled native PKCS#11 in the CI because it's currently broken. --- .gitlab-ci.yml | 48 ------------------------------------------------ 1 file changed, 48 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 57a20eea72..df82009d5b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1024,54 +1024,6 @@ unit:clang:buster:amd64: - job: clang:buster:amd64 artifacts: true -# Jobs for PKCS#11-enabled GCC builds on Debian "sid" (amd64) - -gcc:softhsm2.4: - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "--without-jemalloc --enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so" - <<: *base_image - <<: *build_job - -system:gcc:softhsm2.4: - <<: *base_image - <<: *system_test_job - needs: - - job: gcc:softhsm2.4 - artifacts: true - -unit:gcc:softhsm2.4: - <<: *base_image - <<: *unit_test_job - needs: - - job: gcc:softhsm2.4 - artifacts: true - -# Jobs for PKCS#11-enabled GCC builds on Fedora 34 (amd64) - -gcc:softhsm2.6: - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O1" - EXTRA_CONFIGURE: "--with-libidn2 --enable-native-pkcs11 --with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so" - <<: *fedora_34_amd64_image - <<: *build_job - -system:gcc:softhsm2.6: - <<: *fedora_34_amd64_image - <<: *system_test_job - needs: - - job: gcc:softhsm2.6 - artifacts: true - -unit:gcc:softhsm2.6: - <<: *fedora_34_amd64_image - <<: *unit_test_job - needs: - - job: gcc:softhsm2.6 - artifacts: true - # Jobs for Clang builds on FreeBSD 11 (amd64) clang:freebsd11:amd64: From 79de2ee528eafed0f64549c68af7a83253558c1a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Thu, 20 May 2021 16:35:48 +0200 Subject: [PATCH 3/3] Add CHANGES and release note for GL #2691 --- CHANGES | 3 +++ doc/notes/notes-current.rst | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index f96de23205..518b5e75b5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5712. [func] Remove native PKCS#11 support in favor of OpenSSL + engine_pkcs11 from the OpenSC project. [GL #2691] + 5711. [bug] "map" files exceeding 2GB in size could fail to load due to a size comparison that incorrectly treated the file size as a signed integer. [GL #2878] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 9543909b7c..3d999eacf4 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -29,7 +29,8 @@ New Features Removed Features ~~~~~~~~~~~~~~~~ -- None. +- Native PKCS#11 support has been removed; BIND 9 now uses OpenSSL engine_pkcs11 from the + OpenSC project. :gl:`#2691` Feature Changes ~~~~~~~~~~~~~~~