aes_func.c

IBM的Linux上的PKCS#11实现

	printf("do_WrapUnwrapAES_CBC_PAD...\n");

	slot_id = SlotID;
	flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
	rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &session);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_OpenSession #1", rc);
		return FALSE;
	}


	memcpy(user_pin, "12345678", 8);
	user_pin_len = 8;

	rc = funcs->C_Login(session, CKU_USER, user_pin, user_pin_len);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_Login #1", rc);
		return FALSE;
	}

	mech.mechanism = CKM_AES_KEY_GEN;
	mech.ulParameterLen = 0;
	mech.pParameter = NULL;


	// first, generate an AES key and a wrapping key
	//
	rc = funcs->C_GenerateKey(session, &mech, key_gen_tmpl, 1, &h_key);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_GenerateKey #1", rc);
		return FALSE;
	}

	rc = funcs->C_GenerateKey(session, &mech, key_gen_tmpl, 1, &w_key);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_GenerateKey #2", rc);
		return FALSE;
	}

	// now, encrypt some data
	//
	orig_len = sizeof(original);
	for (i = 0; i < orig_len; i++) {
		original[i] = i % 255;
	}

	mech.mechanism = CKM_AES_CBC_PAD;
	mech.ulParameterLen = sizeof(init_v);
	mech.pParameter = init_v;

	rc = funcs->C_EncryptInit(session, &mech, h_key);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_EncryptInit #1", rc);
		return FALSE;
	}

	cipher_len = sizeof(cipher);
	rc = funcs->C_Encrypt(session, original, orig_len, cipher,
			      &cipher_len);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_Encrypt #1", rc);
		return FALSE;
	}

	// now, wrap the key.
	//
	wrapped_data_len = sizeof(wrapped_data);

	rc = funcs->C_WrapKey(session, &mech,
			      w_key, h_key,
			      wrapped_data, &wrapped_data_len);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_WrapKey #1", rc);
		return FALSE;
	}

	rc = funcs->C_UnwrapKey(session, &mech,
				w_key,
				wrapped_data, wrapped_data_len,
				template, tmpl_count, &uw_key);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_UnWrapKey #1", rc);
		return FALSE;
	}

	// now, decrypt the data using the unwrapped key.
	//
	rc = funcs->C_DecryptInit(session, &mech, uw_key);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_DecryptInit #1", rc);
		return FALSE;
	}

	decipher_len = sizeof(decipher);
	rc = funcs->C_Decrypt(session, cipher, cipher_len, decipher,
			      &decipher_len);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_Decrypt #1", rc);
		return FALSE;
	}

	if (orig_len != decipher_len) {
		printf("   ERROR:  lengths don't match:  %d vs %d\n",
		       orig_len, decipher_len);
		return FALSE;
	}

	for (i = 0; i < orig_len; i++) {
		if (original[i] != decipher[i]) {
			printf("   ERROR:  mismatch at byte %d\n", i);
			return FALSE;
		}
	}

	// we'll generate an RSA keypair here so we can make sure it works
	//
	{
		CK_MECHANISM mech2;
		CK_OBJECT_HANDLE publ_key, priv_key;

		CK_ULONG bits = 1024;
		CK_BYTE pub_exp[] = { 0x3 };

		CK_ATTRIBUTE pub_tmpl[] = {
			{CKA_MODULUS_BITS, &bits, sizeof(bits)}
			,
			{CKA_PUBLIC_EXPONENT, &pub_exp, sizeof(pub_exp)}
		};

		CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY;
		CK_KEY_TYPE keytype = CKK_RSA;
		CK_ATTRIBUTE uw_tmpl[] = {
			{CKA_CLASS, &keyclass, sizeof(keyclass)}
			,
			{CKA_KEY_TYPE, &keytype, sizeof(keytype)}
		};

		mech2.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
		mech2.ulParameterLen = 0;
		mech2.pParameter = NULL;

		rc = funcs->C_GenerateKeyPair(session, &mech2,
					      pub_tmpl, 2,
					      NULL, 0,
					      &publ_key, &priv_key);
		if (rc != CKR_OK) {
			OC_ERR_MSG("   C_GenerateKeyPair #1", rc);
			return FALSE;
		}

		// now, wrap the key.
		//
		wrapped_data_len = sizeof(wrapped_data);

		rc = funcs->C_WrapKey(session, &mech,
				      w_key, priv_key,
				      wrapped_data, &wrapped_data_len);
		if (rc != CKR_OK) {
			OC_ERR_MSG("   C_WrapKey #2", rc);
			return FALSE;
		}

		rc = funcs->C_UnwrapKey(session, &mech,
					w_key,
					wrapped_data, wrapped_data_len,
					uw_tmpl, 2, &uw_key);
		if (rc != CKR_OK) {
			OC_ERR_MSG("   C_UnWrapKey #2", rc);
			return FALSE;
		}
		// encrypt something with the public key
		//
		mech2.mechanism = CKM_RSA_PKCS;
		mech2.ulParameterLen = 0;
		mech2.pParameter = NULL;

		rc = funcs->C_EncryptInit(session, &mech2, publ_key);
		if (rc != CKR_OK) {
			OC_ERR_MSG("   C_EncryptInit #2", rc);
			return FALSE;
		}
		// for RSA operations, keep the input data size smaller than
		// the modulus
		//
		orig_len = 30;

		cipher_len = sizeof(cipher);
		rc = funcs->C_Encrypt(session, original, orig_len, cipher,
				      &cipher_len);
		if (rc != CKR_OK) {
			OC_ERR_MSG("   C_Encrypt #2", rc);
			return FALSE;
		}
		// now, decrypt the data using the unwrapped private key.
		//
		rc = funcs->C_DecryptInit(session, &mech2, uw_key);
		if (rc != CKR_OK) {
			OC_ERR_MSG("   C_DecryptInit #1", rc);
			return FALSE;
		}

		decipher_len = sizeof(decipher);
		rc = funcs->C_Decrypt(session, cipher, cipher_len,
				      decipher, &decipher_len);
		if (rc != CKR_OK) {
			OC_ERR_MSG("   C_Decrypt #1", rc);
			return FALSE;
		}

		if (orig_len != decipher_len) {
			printf
			    ("   ERROR:  lengths don't match:  %d vs %d\n",
			     orig_len, decipher_len);
			return FALSE;
		}

		for (i = 0; i < orig_len; i++) {
			if (original[i] != decipher[i]) {
				printf("   ERROR:  mismatch at byte %d\n",
				       i);
				return FALSE;
			}
		}
	}

	rc = funcs->C_CloseAllSessions(slot_id);
	if (rc != CKR_OK) {
		OC_ERR_MSG("   C_CloseAllSessions #1", rc);
		return FALSE;
	}

	printf("Looks okay...\n");
	return TRUE;
}

int do_GetFunctionList(void)
{
        char *pkcslib = "/usr/lib/pkcs11/PKCS11_API.so";
        CK_RV (*func_ptr)();
        int rc;

        if( (dl_handle = dlopen(pkcslib, RTLD_NOW)) == NULL) {
                printf("dlopen: %s\n", dlerror());
                return -1;
        }

        func_ptr = (CK_RV (*)())dlsym(dl_handle, "C_GetFunctionList");

        if(func_ptr == NULL)
                return -1;

        if( (rc = func_ptr(&funcs)) != CKR_OK) {
                OC_ERR_MSG("C_GetFunctionList", rc);
                return -1;
        }

        return 0;
}


#if !( AIX || LINUX)
//
//
void process_time(SYSTEMTIME t1, SYSTEMTIME t2)
{
   long ms   = t2.wMilliseconds - t1.wMilliseconds;
   long s    = t2.wSecond - t1.wSecond;
   long min  = t2.wMinute - t1.wMinute;
   long hour = t2.wHour   - t1.wHour;

   // this doesn't handle hour wrap around but that's not a problem here
   //

   while (ms < 0) {
      ms += 1000;
      s--;
   }

   while (s < 0) {
      s += 60;
      min--;
   }

   while (min < 0) {
      min += 60;
      hour--;
   }

   ms += (s * 1000) + (min * 60 * 1000);

   printf("Time:  %d ms\n", ms );
}
#else
void process_time(SYSTEMTIME t1, SYSTEMTIME t2)
{
   long ms   = t2.millitm - t1.millitm;
   long s    = t2.time - t1.time;

   while (ms < 0) {
      ms += 1000;
      s--;
   }

   ms += (s*1000);



   printf("Time:  %u msec\n", ms );

}
#endif


void process_ret_code( CK_RV rc )
{
        switch (rc) {
         case CKR_OK:printf(" CKR_OK");break;
         case CKR_CANCEL:                           printf(" CKR_CANCEL");                           break;
         case CKR_HOST_MEMORY:                      printf(" CKR_HOST_MEMORY");                      break;
         case CKR_SLOT_ID_INVALID:                  printf(" CKR_SLOT_ID_INVALID");                  break;
         case CKR_GENERAL_ERROR:                    printf(" CKR_GENERAL_ERROR");                    break;
         case CKR_FUNCTION_FAILED:                  printf(" CKR_FUNCTION_FAILED");                  break;
         case CKR_ARGUMENTS_BAD:                    printf(" CKR_ARGUMENTS_BAD");                    break;
         case CKR_NO_EVENT:                         printf(" CKR_NO_EVENT");                         break;
         case CKR_NEED_TO_CREATE_THREADS:           printf(" CKR_NEED_TO_CREATE_THREADS");           break;
         case CKR_CANT_LOCK:                        printf(" CKR_CANT_LOCK");                        break;
         case CKR_ATTRIBUTE_READ_ONLY:              printf(" CKR_ATTRIBUTE_READ_ONLY");              break;
         case CKR_ATTRIBUTE_SENSITIVE:              printf(" CKR_ATTRIBUTE_SENSITIVE");              break;
         case CKR_ATTRIBUTE_TYPE_INVALID:           printf(" CKR_ATTRIBUTE_TYPE_INVALID");           break;
         case CKR_ATTRIBUTE_VALUE_INVALID:          printf(" CKR_ATTRIBUTE_VALUE_INVALID");          break;
         case CKR_DATA_INVALID:                     printf(" CKR_DATA_INVALID");                     break;
         case CKR_DATA_LEN_RANGE:                   printf(" CKR_DATA_LEN_RANGE");                   break;
         case CKR_DEVICE_ERROR:                     printf(" CKR_DEVICE_ERROR");                     break;
         case CKR_DEVICE_MEMORY:                    printf(" CKR_DEVICE_MEMORY");                    break;
         case CKR_DEVICE_REMOVED:                   printf(" CKR_DEVICE_REMOVED");                   break;
         case CKR_ENCRYPTED_DATA_INVALID:           printf(" CKR_ENCRYPTED_DATA_INVALID");           break;
         case CKR_ENCRYPTED_DATA_LEN_RANGE:         printf(" CKR_ENCRYPTED_DATA_LEN_RANGE");         break;
         case CKR_FUNCTION_CANCELED:                printf(" CKR_FUNCTION_CANCELED");                break;
         case CKR_FUNCTION_NOT_PARALLEL:            printf(" CKR_FUNCTION_NOT_PARALLEL");            break;
         case CKR_FUNCTION_NOT_SUPPORTED:           printf(" CKR_FUNCTION_NOT_SUPPORTED");           break;
         case CKR_KEY_HANDLE_INVALID:               printf(" CKR_KEY_HANDLE_INVALID");               break;
         case CKR_KEY_SIZE_RANGE:                   printf(" CKR_KEY_SIZE_RANGE");                   break;
         case CKR_KEY_TYPE_INCONSISTENT:            printf(" CKR_KEY_TYPE_INCONSISTENT");            break;
         case CKR_KEY_NOT_NEEDED:                   printf(" CKR_KEY_NOT_NEEDED");                   break;
         case CKR_KEY_CHANGED:                      printf(" CKR_KEY_CHANGED");                      break;
         case CKR_KEY_NEEDED:                       printf(" CKR_KEY_NEEDED");                       break;
         case CKR_KEY_INDIGESTIBLE:                 printf(" CKR_KEY_INDIGESTIBLE");                 break;
         case CKR_KEY_FUNCTION_NOT_PERMITTED:       printf(" CKR_KEY_FUNCTION_NOT_PERMITTED");       break;
         case CKR_KEY_NOT_WRAPPABLE:                printf(" CKR_KEY_NOT_WRAPPABLE");                break;
         case CKR_KEY_UNEXTRACTABLE:                printf(" CKR_KEY_UNEXTRACTABLE");                break;
         case CKR_MECHANISM_INVALID:                printf(" CKR_MECHANISM_INVALID");                break;
         case CKR_MECHANISM_PARAM_INVALID:          printf(" CKR_MECHANISM_PARAM_INVALID");          break;
         case CKR_OBJECT_HANDLE_INVALID:            printf(" CKR_OBJECT_HANDLE_INVALID");            break;
         case CKR_OPERATION_ACTIVE:                 printf(" CKR_OPERATION_ACTIVE");                 break;
         case CKR_OPERATION_NOT_INITIALIZED:        printf(" CKR_OPERATION_NOT_INITIALIZED");        break;
         case CKR_PIN_INCORRECT:                    printf(" CKR_PIN_INCORRECT");                    break;
         case CKR_PIN_INVALID:                      printf(" CKR_PIN_INVALID");                      break;
         case CKR_PIN_LEN_RANGE:                    printf(" CKR_PIN_LEN_RANGE");                    break;
         case CKR_PIN_EXPIRED:                      printf(" CKR_PIN_EXPIRED");                      break;
         case CKR_PIN_LOCKED:                       printf(" CKR_PIN_LOCKED");                       break;
         case CKR_SESSION_CLOSED:                   printf(" CKR_SESSION_CLOSED");                   break;
         case CKR_SESSION_COUNT:                    printf(" CKR_SESSION_COUNT");                    break;
         case CKR_SESSION_HANDLE_INVALID:           printf(" CKR_SESSION_HANDLE_INVALID");           break;
         case CKR_SESSION_PARALLEL_NOT_SUPPORTED:   printf(" CKR_SESSION_PARALLEL_NOT_SUPPORTED");   break;
         case CKR_SESSION_READ_ONLY:                printf(" CKR_SESSION_READ_ONLY");                break;
         case CKR_SESSION_EXISTS:                   printf(" CKR_SESSION_EXISTS");                   break;
         case CKR_SESSION_READ_ONLY_EXISTS:         printf(" CKR_SESSION_READ_ONLY_EXISTS");         break;
         case CKR_SESSION_READ_WRITE_SO_EXISTS:     printf(" CKR_SESSION_READ_WRITE_SO_EXISTS");     break;
         case CKR_SIGNATURE_INVALID:                printf(" CKR_SIGNATURE_INVALID");                break;
         case CKR_SIGNATURE_LEN_RANGE:              printf(" CKR_SIGNATURE_LEN_RANGE");              break;
         case CKR_TEMPLATE_INCOMPLETE:              printf(" CKR_TEMPLATE_INCOMPLETE");              break;
         case CKR_TEMPLATE_INCONSISTENT:            printf(" CKR_TEMPLATE_INCONSISTENT");            break;
         case CKR_TOKEN_NOT_PRESENT:                printf(" CKR_TOKEN_NOT_PRESENT");                break;
        case CKR_TOKEN_NOT_RECOGNIZED:             printf(" CKR_TOKEN_NOT_RECOGNIZED");             break;
        case CKR_TOKEN_WRITE_PROTECTED:            printf(" CKR_TOKEN_WRITE_PROTECTED");            break;
        case CKR_UNWRAPPING_KEY_HANDLE_INVALID:    printf(" CKR_UNWRAPPING_KEY_HANDLE_INVALID");    break;
        case CKR_UNWRAPPING_KEY_SIZE_RANGE:        printf(" CKR_UNWRAPPING_KEY_SIZE_RANGE");        break;
        case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT: printf(" CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT"); break;
        case CKR_USER_ALREADY_LOGGED_IN:           printf(" CKR_USER_ALREADY_LOGGED_IN");           break;
        case CKR_USER_NOT_LOGGED_IN:               printf(" CKR_USER_NOT_LOGGED_IN");               break;
        case CKR_USER_PIN_NOT_INITIALIZED:         printf(" CKR_USER_PIN_NOT_INITIALIZED");         break;
        case CKR_USER_TYPE_INVALID:                printf(" CKR_USER_TYPE_INVALID");                break;
        case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:   printf(" CKR_USER_ANOTHER_ALREADY_LOGGED_IN");   break;
        case CKR_USER_TOO_MANY_TYPES:              printf(" CKR_USER_TOO_MANY_TYPES");              break;
        case CKR_WRAPPED_KEY_INVALID:              printf(" CKR_WRAPPED_KEY_INVALID");              break;
        case CKR_WRAPPED_KEY_LEN_RANGE:            printf(" CKR_WRAPPED_KEY_LEN_RANGE");            break;
        case CKR_WRAPPING_KEY_HANDLE_INVALID:      printf(" CKR_WRAPPING_KEY_HANDLE_INVALID");      break;
        case CKR_WRAPPING_KEY_SIZE_RANGE:          printf(" CKR_WRAPPING_KEY_SIZE_RANGE");          break;
        case CKR_WRAPPING_KEY_TYPE_INCONSISTENT:   printf(" CKR_WRAPPING_KEY_TYPE_INCONSISTENT");   break;
        case CKR_RANDOM_SEED_NOT_SUPPORTED:        printf(" CKR_RANDOM_SEED_NOT_SUPPORTED");        break;
        case CKR_RANDOM_NO_RNG:                    printf(" CKR_RANDOM_NO_RNG");                    break;
        case CKR_BUFFER_TOO_SMALL:                 printf(" CKR_BUFFER_TOO_SMALL");                 break;
        case CKR_SAVED_STATE_INVALID:              printf(" CKR_SAVED_STATE_INVALID");              break;
        case CKR_INFORMATION_SENSITIVE:            printf(" CKR_INFORMATION_SENSITIVE");            break;
        case CKR_STATE_UNSAVEABLE:                 printf(" CKR_STATE_UNSAVEABLE");                 break;
        case CKR_CRYPTOKI_NOT_INITIALIZED:         printf(" CKR_CRYPTOKI_NOT_INITIALIZED");         break;
        case CKR_CRYPTOKI_ALREADY_INITIALIZED:     printf(" CKR_CRYPTOKI_ALREADY_INITIALIZED");     break;
        case CKR_MUTEX_BAD:                        printf(" CKR_MUTEX_BAD");break;
        case CKR_MUTEX_NOT_LOCKED:    printf(" CKR_MUTEX_NOT_LOCKED");break;
        }
}


void oc_err_msg( char *file, int line, char *str, CK_RV rc )
{
        printf("%s line %d Error: %s returned:  %d ", file, line, str, rc );
        process_ret_code( rc );
        printf("\n\n");
}


int main(int argc, char **argv)
{
	int			i;
	CK_C_INITIALIZE_ARGS	initialize_args;
	CK_RV			rc;
	SYSTEMTIME		t1, t2;

	/* Parse the command line */
	for (i = 1; i < argc; i++) {
		if (strncmp(argv[i], "-slot", 5) == 0) {
			SlotID = (unsigned long)atoi(argv[i + 1]);
			i++;
			break;
		}
	}

	printf("Using slot %u...\n\n", SlotID);

	if (do_GetFunctionList())
		return -1;

	/* There will be no multi-threaded Cryptoki access in this app */
	memset(&initialize_args, 0, sizeof(initialize_args));

	if ((rc = funcs->C_Initialize(&initialize_args)) != CKR_OK) {
		OC_ERR_MSG("C_Initialize", rc);
		return;
	}





	GetSystemTime(&t1);
	rc = do_EncryptAES_ECB();
	if (!rc)
		goto done;
	GetSystemTime(&t2);
	process_time(t1, t2);

	GetSystemTime(&t1);
	rc = do_EncryptAES_CBC();
	if (!rc)
		goto done;
	GetSystemTime(&t2);
	process_time(t1, t2);

	GetSystemTime(&t1);
	rc = do_EncryptAES_Multipart_ECB();
	if (!rc)
		goto done;
	GetSystemTime(&t2);
	process_time(t1, t2);

	GetSystemTime(&t1);
	rc = do_EncryptAES_Multipart_CBC();
	if (!rc)
		goto done;
	GetSystemTime(&t2);
	process_time(t1, t2);

	GetSystemTime(&t1);
	rc = do_EncryptAES_Multipart_CBC_PAD();
	if (!rc)
		goto done;
	GetSystemTime(&t2);
	process_time(t1, t2);

	GetSystemTime(&t1);
	rc = do_WrapUnwrapAES_ECB();
	if (!rc)
		goto done;
	GetSystemTime(&t2);
	process_time(t1, t2);

	GetSystemTime(&t1);
	rc = do_WrapUnwrapAES_CBC();
	if (!rc)
		goto done;
	GetSystemTime(&t2);
	process_time(t1, t2);

	GetSystemTime(&t1);
	rc = do_WrapUnwrapAES_CBC_PAD();
	if (!rc)
		goto done;
	GetSystemTime(&t2);
	process_time(t1, t2);

done:
        if( (rc = funcs->C_Finalize(NULL)) != CKR_OK)
                OC_ERR_MSG("C_Finalize", rc);

        /* Decrement the reference count to PKCS11_API.so */
        dlclose(dl_handle);


	return rc;
}