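// File:  obj_mgmt.c
//
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <memory.h>
#include "pkcs11types.h"
#include "regress.h"


// do_CreateSessionObject()
//
// Regression test: opens a read/write session on SLOT_ID, logs in as CKU_USER,
// creates three objects and then closes every session on the slot.
//
// 1) create a data object
// 2) create a certificate
// 3) create a key object
//
// Returns TRUE when every PKCS#11 call returned CKR_OK, FALSE otherwise.
// On any failure after C_OpenSession succeeded the sessions on the slot are
// closed before returning, so a failed run does not leave an authenticated
// R/W session open on the token.
//
int do_CreateSessionObject( void )
{
   CK_SLOT_ID          slot_id;
   CK_FLAGS            flags;
   CK_SESSION_HANDLE   h_session;
   CK_RV               rc;
   CK_BYTE             user_pin[8];
   CK_ULONG            user_pin_len;

   // Named ck_true/ck_false rather than true/false so the block still
   // compiles if <stdbool.h> (which defines those as macros) is ever pulled in.
   CK_BYTE             ck_true  = TRUE;
   CK_BYTE             ck_false = FALSE;

   // sizeof() of the string-initialised arrays below counts the trailing NUL,
   // so the NUL byte is passed as part of each attribute value.
   CK_OBJECT_HANDLE    h_data;
   CK_OBJECT_CLASS     data_class         = CKO_DATA;
   CK_BYTE             data_application[] = "Test Application";
   CK_BYTE             data_value[]       = "1234567890abcedfghijklmnopqrstuvwxyz";
   CK_ATTRIBUTE        data_attribs[] =
   {
      {CKA_CLASS,       &data_class,       sizeof(data_class)       },
      {CKA_TOKEN,       &ck_false,         sizeof(ck_false)         },
      {CKA_APPLICATION, &data_application, sizeof(data_application) },
      {CKA_VALUE,       &data_value,       sizeof(data_value)       }
   };

   CK_OBJECT_HANDLE    h_cert;
   CK_OBJECT_CLASS     cert_class     = CKO_CERTIFICATE;
   CK_CERTIFICATE_TYPE cert_type      = CKC_X_509;
   CK_BYTE             cert_subject[] = "Certificate subject";
   CK_BYTE             cert_id[]      = "Certificate ID";
   CK_BYTE             cert_value[]   = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz";
   CK_ATTRIBUTE        cert_attribs[] =
   {
      {CKA_CLASS,            &cert_class,   sizeof(cert_class)   },
      {CKA_TOKEN,            &ck_false,     sizeof(ck_false)     },
      {CKA_CERTIFICATE_TYPE, &cert_type,    sizeof(cert_type)    },
      {CKA_SUBJECT,          &cert_subject, sizeof(cert_subject) },
      {CKA_ID,               &cert_id,      sizeof(cert_id)      },
      {CKA_VALUE,            &cert_value,   sizeof(cert_value)   }
   };

   // The modulus and exponent are ASCII placeholder text (NUL included), not a
   // usable RSA key; this test only exercises object creation.
   // No CKA_TOKEN is supplied for the key.
   // NOTE(review): PKCS#11 defaults CKA_TOKEN to CK_FALSE (session object) --
   // confirm the token under test applies that default.
   CK_OBJECT_HANDLE    h_key;
   CK_OBJECT_CLASS     key_class      = CKO_PUBLIC_KEY;
   CK_KEY_TYPE         key_type       = CKK_RSA;
   CK_BYTE             key_modulus[]  = "1234567890987654321";
   CK_BYTE             key_exponent[] = "123";
   CK_ATTRIBUTE        key_attribs[] =
   {
      {CKA_CLASS,           &key_class,    sizeof(key_class)    },
      {CKA_KEY_TYPE,        &key_type,     sizeof(key_type)     },
      {CKA_WRAP,            &ck_true,      sizeof(ck_true)      },
      {CKA_MODULUS,         &key_modulus,  sizeof(key_modulus)  },
      {CKA_PUBLIC_EXPONENT, &key_exponent, sizeof(key_exponent) }
   };


   printf("do_CreateSessionObject...\n");

   // Fixed 8-byte test PIN; it is not NUL-terminated, the length travels
   // separately in user_pin_len.
   // NOTE(review): test-only credential -- presumably the token under test was
   // initialised with this user PIN; confirm against the suite's setup.
   memcpy( user_pin, "12345678", sizeof(user_pin) );
   user_pin_len = sizeof(user_pin);

   slot_id = SLOT_ID;

   // create a USER R/W session
   //
   flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
   rc = funcs->C_OpenSession( slot_id, flags, NULL, NULL, &h_session );
   if (rc != CKR_OK) {
      show_error(" C_OpenSession #1", rc );
      return FALSE;               // no session was opened, nothing to clean up
   }

   rc = funcs->C_Login( h_session, CKU_USER, user_pin, user_pin_len );
   if (rc != CKR_OK) {
      show_error(" C_Login #1", rc );
      goto fail;
   }

   //
   // now, create the objects
   //
   // The attribute counts are derived from the arrays so they cannot drift
   // out of step with the templates above.
   //

   rc = funcs->C_CreateObject( h_session, data_attribs,
                               sizeof(data_attribs) / sizeof(data_attribs[0]), &h_data );
   if (rc != CKR_OK) {
      show_error(" C_CreateObject #1", rc );
      goto fail;
   }

   rc = funcs->C_CreateObject( h_session, cert_attribs,
                               sizeof(cert_attribs) / sizeof(cert_attribs[0]), &h_cert );
   if (rc != CKR_OK) {
      show_error(" C_CreateObject #2", rc );
      goto fail;
   }

   rc = funcs->C_CreateObject( h_session, key_attribs,
                               sizeof(key_attribs) / sizeof(key_attribs[0]), &h_key );
   if (rc != CKR_OK) {
      show_error(" C_CreateObject #3", rc );
      goto fail;
   }

   // done...close every session on the slot.  This function does not itself
   // check afterwards that the objects are gone.
   //
   // NOTE(review): the label below carries a literal ": %d"; show_error() is
   // defined elsewhere -- confirm it prints the label as data and never uses
   // it as a format string.
   //
   rc = funcs->C_CloseAllSessions( slot_id );
   if (rc != CKR_OK) {
      show_error(" C_CloseAllSessions #2: %d", rc );
      return FALSE;
   }

   printf("Looks okay...\n");
   return TRUE;

fail:
   // Failure path: release the logged-in session before reporting failure so
   // the next test starts from a clean slot.
   rc = funcs->C_CloseAllSessions( slot_id );
   if (rc != CKR_OK) {
      show_error(" C_CloseAllSessions #2: %d", rc );
   }
   return FALSE;
}


// do_CopyObject()
//
// API routines exercised:
//    C_CreateObject
//    C_CopyObject
//    C_DestroyObject
//    C_GetAttributeValue
//    C_GetObjectSize
//
// 1) create a data object with no CKA_APPLICATION attribute
// 2) create a copy of the object specifying the CKA_APPLICATION attribute
// 3) extract the CKA_VALUE attribute from the copy.  ensure this matches the original
// 4) extract the CKA_APPLICATION attribute from the original.  ensure it is empty.
// 5) extract the CKA_APPLICATION attribute from the copy.  ensure is correct.
// 6) attempt to extract CKA_PRIME from the original.  ensure this fails correctly.
// 7) attempt to extract CKA_PRIME from a non-existent object.  ensure this fails correctly.
// 8) get the size of the original object and copied objects
// 9) destroy the original object.  ensure this succeeds.
// A) destroy a non-existent object.  ensure this fails correctly.
// B) get the size of the original object.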
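//    ensure this fails correctly.
// C) attempt to reference the original object.  ensure this fails correctly.
// D) attempt to reference the copied object after the session has been closed.  ensure
//    that this fails with CKR_SESSION_HANDLE_INVALID.
//
// NOTE(review): the step list also mentions comparing CKA_VALUE of the copy,
// checking that the original's CKA_APPLICATION is empty and sizing the copy;
// the body below does none of these three.
//
// Returns TRUE when every call produced the expected return code, FALSE
// otherwise.  On a failure while the session is still open, all sessions on
// the slot are closed before returning so no logged-in session is left behind.
//
int do_CopyObject( void )
{
   CK_SLOT_ID          slot_id;
   CK_FLAGS            flags;
   CK_SESSION_HANDLE   h_session;
   CK_RV               rc;
   CK_BYTE             user_pin[8];
   CK_ULONG            user_pin_len;
   CK_ULONG            obj_size;

   // Named ck_false rather than false so the block still compiles if
   // <stdbool.h> is ever pulled in.
   CK_BYTE             ck_false = FALSE;

   // sizeof() of the string-initialised arrays counts the trailing NUL.
   CK_OBJECT_HANDLE    h_data;
   CK_OBJECT_CLASS     data_class         = CKO_DATA;
   CK_BYTE             data_application[] = "Test Application";
   CK_BYTE             data_value[]       = "1234567890abcedfghijklmnopqrstuvwxyz";
   CK_ATTRIBUTE        data_attribs[] =
   {
      {CKA_CLASS, &data_class, sizeof(data_class) },
      {CKA_TOKEN, &ck_false,   sizeof(ck_false)   },
      {CKA_VALUE, &data_value, sizeof(data_value) }
   };

   CK_OBJECT_HANDLE    h_copy;
   CK_ATTRIBUTE        copy_attribs[] =
   {
      {CKA_APPLICATION, &data_application, sizeof(data_application) }
   };

   // Receive buffers are zeroed so a short or failed read never leaves
   // indeterminate bytes in them.
   CK_BYTE             buf1[100] = {0};
   CK_ATTRIBUTE        verify_attribs[] =
   {
      {CKA_APPLICATION, &buf1, sizeof(buf1) }
   };

   CK_BYTE             buf2[100] = {0};
   CK_ATTRIBUTE        prime_attribs[] =
   {
      {CKA_PRIME, &buf2, sizeof(buf2) }
   };


   printf("do_CopyObject...\n");

   // Fixed 8-byte test PIN, not NUL-terminated; the length is passed separately.
   // NOTE(review): test-only credential -- presumably the token under test was
   // initialised with this user PIN; confirm against the suite's setup.
   memcpy( user_pin, "12345678", sizeof(user_pin) );
   user_pin_len = sizeof(user_pin);

   slot_id = SLOT_ID;

   // create a USER R/W session
   //
   flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
   rc = funcs->C_OpenSession( slot_id, flags, NULL, NULL, &h_session );
   if (rc != CKR_OK) {
      show_error(" C_OpenSession #1", rc );
      return FALSE;               // no session was opened, nothing to clean up
   }

   rc = funcs->C_Login( h_session, CKU_USER, user_pin, user_pin_len );
   if (rc != CKR_OK) {
      show_error(" C_Login #1", rc );
      goto fail;
   }

   // create the object
   //
   rc = funcs->C_CreateObject( h_session, data_attribs,
                               sizeof(data_attribs) / sizeof(data_attribs[0]), &h_data );
   if (rc != CKR_OK) {
      show_error(" C_CreateObject #1", rc );
      goto fail;
   }

   // create the copy
   //
   rc = funcs->C_CopyObject( h_session, h_data, copy_attribs,
                             sizeof(copy_attribs) / sizeof(copy_attribs[0]), &h_copy );
   if (rc != CKR_OK) {
      show_error(" C_CopyObject #1", rc );
      goto fail;
   }

   // now, try to extract the CKA_APPLICATION attribute from the original.
   // The original was created without CKA_APPLICATION, so this reads whatever
   // default the token supplies; only the return code is checked, the value
   // itself is not inspected.
   //
   verify_attribs[0].ulValueLen = sizeof(buf1);
   rc = funcs->C_GetAttributeValue( h_session, h_data, verify_attribs, 1 );
   if (rc != CKR_OK) {
      show_error(" C_GetAttributeValue #1", rc );
      goto fail;
   }

   // now, try to extract the CKA_APPLICATION attribute from the copy
   //
   verify_attribs[0].ulValueLen = sizeof(buf1);
   rc = funcs->C_GetAttributeValue( h_session, h_copy, verify_attribs, 1 );
   if (rc != CKR_OK) {
      show_error(" C_GetAttributeValue #2", rc );
      goto fail;
   }

   // The returned length must match as well as the bytes: comparing only the
   // first sizeof(data_application) bytes would accept a longer value with the
   // same prefix and would read past a shorter one.
   if (verify_attribs[0].ulValueLen != sizeof(data_application) ||
       memcmp( &data_application, verify_attribs[0].pValue, sizeof(data_application) ) != 0) {
      printf(" ERROR: extracted attribute doesn't match\n");
      goto fail;
   }

   // now, try to extract CKA_PRIME from the original.  this should not exist
   //
   prime_attribs[0].ulValueLen = sizeof(buf2);
   rc = funcs->C_GetAttributeValue( h_session, h_data, prime_attribs, 1 );
   if (rc != CKR_ATTRIBUTE_TYPE_INVALID) {
      show_error(" C_GetAttributeValue #3", rc );
      printf(" Expected CKR_ATTRIBUTE_TYPE_INVALID\n");
      goto fail;
   }

   // now, try to extract CKA_PRIME from a bogus object handle.  this should not exist
   //
   // The length is reset first because the previous (failed) call may have
   // overwritten ulValueLen.
   //
   prime_attribs[0].ulValueLen = sizeof(buf2);
   rc = funcs->C_GetAttributeValue( h_session, 98765, prime_attribs, 1 );
   if (rc != CKR_OBJECT_HANDLE_INVALID) {
      show_error(" C_GetAttributeValue #4", rc );
      printf(" Expected CKR_OBJECT_HANDLE_INVALID\n");
      goto fail;
   }

   // now, get the size of the original object
   //
   rc = funcs->C_GetObjectSize( h_session, h_data, &obj_size );
   if (rc != CKR_OK) {
      show_error(" C_GetObjectSize #1", rc );
      goto fail;
   }

   // now, destroy the original object
   //
   rc = funcs->C_DestroyObject( h_session, h_data );
   if (rc != CKR_OK) {
      show_error(" C_DestroyObject #1", rc );
      goto fail;
   }

   // From here on h_data is a stale handle; every use below is a deliberate
   // negative test that expects CKR_OBJECT_HANDLE_INVALID.

   // now, destroy a non-existent object
   //
   rc = funcs->C_DestroyObject( h_session, h_data );
   if (rc != CKR_OBJECT_HANDLE_INVALID) {
      show_error(" C_DestroyObject #2", rc );
      printf(" Expected CKR_OBJECT_HANDLE_INVALID\n");
      goto fail;
   }

   // now, get the size of a non-existent object
   //
   rc = funcs->C_GetObjectSize( h_session, h_data, &obj_size );
   if (rc != CKR_OBJECT_HANDLE_INVALID) {
      show_error(" C_GetObjectSize #2", rc );
      printf(" Expected CKR_OBJECT_HANDLE_INVALID\n");
      goto fail;
   }

   // now, try to extract CKA_PRIME from the original.  the object should not exist
   //
   prime_attribs[0].ulValueLen = sizeof(buf2);
   rc = funcs->C_GetAttributeValue( h_session, h_data, prime_attribs, 1 );
   if (rc != CKR_OBJECT_HANDLE_INVALID) {
      show_error(" C_GetAttributeValue #5", rc );
      printf(" Expected CKR_OBJECT_HANDLE_INVALID\n");
      goto fail;
   }

   // done...close every session on the slot
   //
   // NOTE(review): the label below carries a literal ": %d"; show_error() is
   // defined elsewhere -- confirm it prints the label as data and never uses
   // it as a format string.
   //
   rc = funcs->C_CloseAllSessions( slot_id );
   if (rc != CKR_OK) {
      show_error(" C_CloseAllSessions #1: %d", rc );
      return FALSE;
   }

   // try to extract CKA_APPLICATION from the copy.  this should fail since all sessions
   // are now closed.  h_session is a stale handle at this point, which is the
   // condition under test.
   //
   verify_attribs[0].ulValueLen = sizeof(buf1);
   rc = funcs->C_GetAttributeValue( h_session, h_copy, verify_attribs, 1 );
   if (rc != CKR_SESSION_HANDLE_INVALID) {
      show_error(" C_GetAttributeValue #6", rc );
      printf(" Expected CKR_SESSION_HANDLE_INVALID\n");
      return FALSE;
   }

   printf("Looks okay...\n");
   return TRUE;

fail:
   // Failure path while the session is still open: release it before
   // reporting failure so the next test starts from a clean slot.
   rc = funcs->C_CloseAllSessions( slot_id );
   if (rc != CKR_OK) {
      show_error(" C_CloseAllSessions #1: %d", rc );
   }
   return FALSE;
}


// do_SetAttributeValues()
//
// API routines exercised:
//    C_CreateObject
//    C_GetAttributeValue
//    C_SetAttributeValue
//
// 1) create a certificate object with no CKA_SERIAL_NUMBER or CKA_ISSUER
// 2) add CKA_SERIAL_NUMBER and CKA_ISSUER and modify CKA_ID.  verify this works.
// 3) try to modify CKA_VALUE and CKA_ID in a single call to C_SetAttributeValue.  verify
//    that this fails correctly and that the object is not modified.
//
int do_SetAttributeValues( void )
{
   CK_SLOT_ID          slot_id;
   CK_FLAGS            flags;
   CK_SESSION_HANDLE   h_session;
   CK_RV               rc;
   CK_BYTE             user_pin[8];
   CK_ULONG            user_pin_len;

   CK_BYTE             false = FALSE;

   CK_OBJECT_HANDLE    h_cert;
   CK_OBJECT_CLASS     cert_class     = CKO_CERTIFICATE;
   CK_CERTIFICATE_TYPE cert_type      = CKC_X_509;
   CK_BYTE             cert_subject[] = "Certificate subject";
   CK_BYTE             cert_id[]      = "Certificate ID";
   CK_BYTE             cert_value[]   = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz";
   CK_ATTRIBUTE        cert_attribs[] =
   {
      {CKA_CLASS,            &cert_class,   sizeof(cert_class)   },
      {CKA_TOKEN,            &false,        sizeof(false)        },
      {CKA_CERTIFICATE_TYPE, &cert_type,    sizeof(cert_type)    },
      {CKA_SUBJECT,          &cert_subject, sizeof(cert_subject) },
      {CKA_ID,               &cert_id,      sizeof(cert_id)      },
      {CKA_VALUE,            &cert_value,   sizeof(cert_value)   }
   };

   CK_BYTE             cert_id2[]    = "New ID";
   CK_BYTE             cert_issuer[] = "Certificate Issuer";
   CK_BYTE             cert_ser_no[] = "Serial Number: 12345";
   CK_ATTRIBUTE        update_attr[] =
   {
      {CKA_SERIAL_NUMBER, &cert_ser_no, sizeof(cert_ser_no) },
      {CKA_ISSUER,        &cert_issuer, sizeof(cert_issuer) },
      {CKA_ID,            &cert_id2,    sizeof(cert_id2)    }
   };

   CK_BYTE             cert_value2[] = "Invalid Value";
   CK_BYTE             cert_id3[]    = "ID #3";
   CK_ATTRIBUTE        invalid_attr[] =
   {
      {CKA_VALUE, &cert_value2, sizeof(cert_value2) },
      {CKA_ID,    &cert_id3,    sizeof(cert_id3)    }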
}; printf("do_SetAttributeValues...\n"); memcpy( user_pin, "12345678", 8 );