pk11.c
来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C语言 代码 · 共 809 行 · 第 1/2 页
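/*
 * The contents of this file are subject to the Mozilla Public
 * License Version 1.1 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy of
 * the License at http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS
 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * rights and limitations under the License.
 *
 * The Original Code is the Netscape security libraries.
 *
 * The Initial Developer of the Original Code is Netscape
 * Communications Corporation. Portions created by Netscape are
 * Copyright (C) 1994-2000 Netscape Communications Corporation. All
 * Rights Reserved.
 *
 * Contributor(s):
 *
 * Alternatively, the contents of this file may be used under the
 * terms of the GNU General Public License Version 2 or later (the
 * "GPL"), in which case the provisions of the GPL are applicable
 * instead of those above. If you wish to allow use of your
 * version of this file only under the terms of the GPL and not to
 * allow others to use your version of this file under the MPL,
 * indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by
 * the GPL. If you do not delete the provisions above, a recipient
 * may use your version of this file under either the MPL or the
 * GPL.
 */

#include "modutil.h"
#include "secmodti.h"
#include "pk11func.h"

extern PK11DefaultArrayEntry PK11_DefaultArray[];
extern int num_pk11_default_mechanisms;
extern SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo*,
    PK11DefaultArrayEntry*, PRBool);

/*
 * Asks the library to replace the current internal module by calling
 * SECMOD_DeleteInternalModule() with that module's common name.  Both
 * directions of the FIPS switch go through this one call.
 *
 * Returns SUCCESS, or FIPS_SWITCH_FAILED_ERR (after printing the matching
 * error string) when the internal module or its name cannot be obtained or
 * the delete call fails.
 */
static Error
switchInternalModule(void)
{
    SECMODModule *internal;
    char *internal_name;
    SECStatus status;

    internal = SECMOD_GetInternalModule();
    if(!internal || !internal->commonName) {
        PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
        return FIPS_SWITCH_FAILED_ERR;
    }

    /* Work on a private copy of the name, as the original code did. */
    internal_name = PR_smprintf("%s", internal->commonName);
    if(!internal_name) {
        /* Allocation failure: never hand a NULL name to the library. */
        PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
        return FIPS_SWITCH_FAILED_ERR;
    }

    status = SECMOD_DeleteInternalModule(internal_name);
    PR_smprintf_free(internal_name);
    if(status != SECSuccess) {
        PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
        return FIPS_SWITCH_FAILED_ERR;
    }
    return SUCCESS;
}

/*************************************************************************
 *
 * F i p s M o d e
 * If arg=="true", enable FIPS mode on the internal module.  If arg=="false",
 * disable FIPS mode on the internal module.  The comparison ignores case.
 *
 * Returns SUCCESS when the switch was made, FIPS_ALREADY_ON_ERR or
 * FIPS_ALREADY_OFF_ERR when PK11_IsFIPS() already reports the requested
 * state, FIPS_SWITCH_FAILED_ERR when the switch fails, and INVALID_FIPS_ARG
 * for any other argument (including NULL).  Each outcome is reported on
 * stdout or stderr.
 */
Error
FipsMode(char *arg)
{
    Error rv;

    if(!arg) {
        PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
        return INVALID_FIPS_ARG;
    }

    if(!PORT_Strcasecmp(arg, "true")) {
        if(PK11_IsFIPS()) {
            PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_ON_ERR]);
            return FIPS_ALREADY_ON_ERR;
        }
        rv = switchInternalModule();
        if(rv != SUCCESS) {
            return rv;
        }
        PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
    } else if(!PORT_Strcasecmp(arg, "false")) {
        if(!PK11_IsFIPS()) {
            PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_OFF_ERR]);
            return FIPS_ALREADY_OFF_ERR;
        }
        rv = switchInternalModule();
        if(rv != SUCCESS) {
            return rv;
        }
        PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
    } else {
        PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
        return INVALID_FIPS_ARG;
    }

    return SUCCESS;
}

/************************************************************************
 * Cipher and Mechanism name-bitmask translation tables
 */
typedef struct {
    char *name;
    unsigned long mask;
} MaskString;

static MaskString mechanismStrings[] = {
    {"RSA", PUBLIC_MECH_RSA_FLAG},
    {"DSA", PUBLIC_MECH_DSA_FLAG},
    {"RC2", PUBLIC_MECH_RC2_FLAG},
    {"RC4", PUBLIC_MECH_RC4_FLAG},
    {"RC5", PUBLIC_MECH_RC5_FLAG},
    {"DES", PUBLIC_MECH_DES_FLAG},
    {"DH", PUBLIC_MECH_DH_FLAG},
    {"FORTEZZA", PUBLIC_MECH_FORTEZZA_FLAG},
    {"SHA1", PUBLIC_MECH_SHA1_FLAG},
    {"MD5", PUBLIC_MECH_MD5_FLAG},
    {"MD2", PUBLIC_MECH_MD2_FLAG},
    {"SSL", PUBLIC_MECH_SSL_FLAG},
    {"TLS", PUBLIC_MECH_TLS_FLAG},
    {"RANDOM", PUBLIC_MECH_RANDOM_FLAG},
    {"FRIENDLY", PUBLIC_MECH_FRIENDLY_FLAG}
};
/*
 * Derived from the table itself.  The count used to be the literal 13 while
 * the table holds 15 entries, so "RANDOM" and "FRIENDLY" were rejected as
 * invalid constants on input and never printed on output.
 */
static int numMechanismStrings =
    sizeof(mechanismStrings) / sizeof(mechanismStrings[0]);

static MaskString cipherStrings[] = {
    {"FORTEZZA", PUBLIC_CIPHER_FORTEZZA_FLAG}
};
static int numCipherStrings =
    sizeof(cipherStrings) / sizeof(cipherStrings[0]);

/* Maximum length of a colon-separated list of all the strings in an
 * array. */
#define MAX_STRING_LIST_LEN 240 /* or less */

/************************************************************************
 *
 * g e t F l a g s F r o m S t r i n g
 *
 * Parses a mechanism list passed on the command line and converts it
 * to an unsigned long bitmask.
 * string is a colon-separated string of constants
 * array is an array of MaskStrings.
 * elements is the number of elements in array.
 *
 * Names are matched case-insensitively.  A name that is not in the table
 * is skipped with a warning on stderr; the remaining names still
 * contribute to the result.  A NULL or empty string yields 0.
 */
static unsigned long
getFlagsFromString(char *string, MaskString array[], int elements)
{
    unsigned long ret = 0;
    int i = 0;  /* int, to match the type of elements */
    char *cp;
    char *buf;
    char *end;

    if(!string || !string[0]) {
        return ret;
    }

    /* Make a temporary copy of the string, because the parser below
     * overwrites each ':' with a terminator. */
    buf = PR_Malloc(strlen(string)+1);
    if(!buf) {
        /* NOTE(review): presumably out_of_memory() does not return;
         * if it can, the strcpy below writes through NULL -- confirm. */
        out_of_memory();
    }
    strcpy(buf, string);

    /* Look at each element of the list passed in */
    for(cp=buf; cp && *cp; cp = (end ? end+1 : NULL) ) {

        /* Look at the string up to the next colon */
        end = strchr(cp, ':');
        if(end) {
            *end = '\0';
        }

        /* Find which element this is */
        for(i=0; i < elements; i++) {
            if( !PORT_Strcasecmp(cp, array[i].name) ) {
                break;
            }
        }
        if(i == elements) {
            /* Skip a bogus string, but print a warning message.  The
             * command-line text is passed as an argument, not as the
             * format string. */
            PR_fprintf(PR_STDERR, errStrings[INVALID_CONSTANT_ERR], cp);
            continue;
        }
        ret |= array[i].mask;
    }

    PR_Free(buf);
    return ret;
}

/**********************************************************************
 *
 * g e t S t r i n g F r o m F l a g s
 *
 * The return string's memory is owned by this function.  Copy it
 * if you need it permanently or you want to change it.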
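 */
/*
 * Builds a colon-separated list of the names in array whose mask has a
 * bit in common with flags, in table order.
 *
 * flags    - bitmask to describe
 * array    - name/mask table to consult
 * elements - number of entries in array
 *
 * The result lives in a static buffer of MAX_STRING_LIST_LEN bytes, so each
 * call overwrites the previous result.  Appends are bounds-checked: a name
 * that no longer fits ends the list there, where the original unchecked
 * strcat() calls would have written past the buffer.
 */
static char *
getStringFromFlags(unsigned long flags, MaskString array[], int elements)
{
    static char buf[MAX_STRING_LIST_LEN];
    size_t used = 0;
    int i;
    int count = 0;

    buf[0] = '\0';
    for(i=0; i<elements; i++) {
        size_t nameLen;
        size_t sepLen;

        if( !(flags & array[i].mask) ) {
            continue;
        }
        ++count;
        sepLen = (count != 1) ? 1 : 0;
        nameLen = strlen(array[i].name);

        /* Keep one byte for the terminator. */
        if(sepLen + nameLen >= sizeof(buf) - used) {
            break;
        }
        if(sepLen) {
            buf[used++] = ':';
        }
        memcpy(buf + used, array[i].name, nameLen);
        used += nameLen;
        buf[used] = '\0';
    }
    return buf;
}

/**********************************************************************
 *
 * A d d M o d u l e
 *
 * Add the named module, with the given library file, ciphers, and
 * default mechanism flags
 *
 * cipherString and mechanismString are colon-separated name lists; they
 * are converted to bitmasks with getFlagsFromString() and then to the
 * internal representation before SECMOD_AddNewModule() is called.
 *
 * Returns SUCCESS or ADD_MODULE_FAILED_ERR, with a message on stdout or
 * stderr respectively.
 *
 * NOTE(review): libFile is handed to SECMOD_AddNewModule() without any
 * check here.  A PKCS #11 module is native code, so the path should come
 * from a trusted source -- confirm what validation the caller performs.
 */
Error
AddModule(char *moduleName, char *libFile, char *cipherString,
    char *mechanismString)
{
    unsigned long ciphers;
    unsigned long mechanisms;
    SECStatus status;

    mechanisms = getFlagsFromString(mechanismString, mechanismStrings,
                    numMechanismStrings);
    ciphers = getFlagsFromString(cipherString, cipherStrings,
                    numCipherStrings);

    status = SECMOD_AddNewModule(moduleName, libFile,
                SECMOD_PubMechFlagstoInternal(mechanisms),
                SECMOD_PubCipherFlagstoInternal(ciphers) );

    if(status != SECSuccess) {
        PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR], moduleName);
        return ADD_MODULE_FAILED_ERR;
    } else {
        PR_fprintf(PR_STDOUT, msgStrings[ADD_MODULE_SUCCESS_MSG], moduleName);
        return SUCCESS;
    }
}

/***********************************************************************
 *
 * D e l e t e M o d u l e
 *
 * Deletes the named module from the database.
 *
 * Returns SUCCESS, DELETE_INTERNAL_ERR when the failed delete targeted a
 * module whose reported type is SECMOD_FIPS or SECMOD_INTERNAL, or
 * DELETE_FAILED_ERR for any other failure.
 */
Error
DeleteModule(char *moduleName)
{
    SECStatus status;
    /* NOTE(review): type is read on the failure path below; this relies on
     * SECMOD_DeleteModule() storing a value even when it fails -- confirm. */
    int type;

    status = SECMOD_DeleteModule(moduleName, &type);

    if(status != SECSuccess) {
        if(type == SECMOD_FIPS || type == SECMOD_INTERNAL) {
            PR_fprintf(PR_STDERR, errStrings[DELETE_INTERNAL_ERR]);
            return DELETE_INTERNAL_ERR;
        } else {
            PR_fprintf(PR_STDERR, errStrings[DELETE_FAILED_ERR], moduleName);
            return DELETE_FAILED_ERR;
        }
    }

    PR_fprintf(PR_STDOUT, msgStrings[DELETE_SUCCESS_MSG], moduleName);
    return SUCCESS;
}

/************************************************************************
 *
 * L i s t M o d u l e s
 *
 * Lists all the modules in the database, along with their slots and tokens.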
 */
/*
 * Prints a numbered listing of every module on the default module list to
 * stdout: common name, library name when one is set, slot count, load
 * status, and the slot and token name of each slot.  The default module
 * list read lock is held while the list is walked and is released on every
 * path that acquired it.
 *
 * Returns SUCCESS, NO_LIST_LOCK_ERR when no list lock is available, or
 * NO_MODULE_LIST_ERR when the default list is empty.
 */
Error
ListModules()
{
    SECMODListLock *listLock;
    SECMODModuleList *node;
    Error rv = UNSPECIFIED_ERR;
    int ordinal = 0;
    int slotIdx;

    listLock = SECMOD_GetDefaultModuleListLock();
    if(listLock == NULL) {
        PR_fprintf(PR_STDERR, errStrings[NO_LIST_LOCK_ERR]);
        return NO_LIST_LOCK_ERR;
    }

    SECMOD_GetReadLock(listLock);

    node = SECMOD_GetDefaultModuleList();
    if(node == NULL) {
        PR_fprintf(PR_STDERR, errStrings[NO_MODULE_LIST_ERR]);
        rv = NO_MODULE_LIST_ERR;
        goto done;
    }

    PR_fprintf(PR_STDOUT,
        "\nListing of PKCS #11 Modules\n"
        "-----------------------------------------------------------\n");

    while(node != NULL) {
        SECMODModule *mod = node->module;

        /* A blank line separates consecutive entries. */
        if(++ordinal != 1) {
            PR_fprintf(PR_STDOUT, "\n");
        }

        PR_fprintf(PR_STDOUT, "%3d. %s\n", ordinal, mod->commonName);

        if(mod->dllName) {
            PR_fprintf(PR_STDOUT, "\tlibrary name: %s\n", mod->dllName);
        }

        if(mod->slotCount != 0) {
            PR_fprintf(PR_STDOUT, "\t slots: %d slot%s attached\n",
                mod->slotCount, (mod->slotCount==1 ? "" : "s") );
        } else {
            PR_fprintf(PR_STDOUT,
                "\t slots: There are no slots attached to this module\n");
        }

        if(mod->loaded != 0) {
            PR_fprintf(PR_STDOUT, "\tstatus: loaded\n");
        } else {
            PR_fprintf(PR_STDOUT, "\tstatus: Not loaded\n");
        }

        /* One slot/token name pair per slot of this module. */
        for(slotIdx = 0; slotIdx < mod->slotCount; slotIdx++) {
            PK11SlotInfo *slot = mod->slots[slotIdx];

            PR_fprintf(PR_STDOUT, "\n");
            PR_fprintf(PR_STDOUT, "\t slot: %s\n", PK11_GetSlotName(slot));
            PR_fprintf(PR_STDOUT, "\ttoken: %s\n", PK11_GetTokenName(slot));
        }

        node = node->next;
    }

    PR_fprintf(PR_STDOUT,
        "-----------------------------------------------------------\n");

    rv = SUCCESS;

done:
    SECMOD_ReleaseReadLock(listLock);
    return rv;
}

/* Strings describing PK11DisableReasons */
static int numDisableReasonStr = 5;
static char *disableReasonStr[] = {
    "no reason",
    "user disabled",
    "could not initialize token",
    "could not verify token",
    "token not present"
};

/***********************************************************************
 *
 * L i s t M o d u l e
 *
 * Lists detailed information about the named module.
 */
Error
ListModule(char *moduleName)
{
    SECMODModule *module;
    PK11SlotInfo *slot;
    int slotnum;
    CK_INFO modinfo;
    CK_SLOT_INFO slotinfo;
    CK_TOKEN_INFO tokeninfo;
    char *ciphers, *mechanisms;
    PK11DisableReasons reason;

    if(!moduleName) {
        return SUCCESS;
    }

    module = SECMOD_FindModule(moduleName);
    if(!module) {
        PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
        return NO_SUCH_MODULE_ERR;
    }

    if(PK11_GetModInfo(module, &modinfo) != SECSuccess) {
        PR_fprintf(PR_STDERR, errStrings[MOD_INFO_ERR], moduleName);
        return MOD_INFO_ERR;
    }

    /* Module info */
    PR_fprintf(PR_STDOUT,
        "\n-----------------------------------------------------------\n");
    PR_fprintf(PR_STDOUT, "Name: %s\n", module->commonName);
    if(module->internal || !module->dllName) {
        PR_fprintf(PR_STDOUT, "Library file: **Internal ONLY module**\n");