📄 pkcsconf.c
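#define CFG_USER_PIN       0x0002
#define CFG_SLOT           0x0004
#define CFG_PKCS_INFO      0x0008
#define CFG_TOKEN_INFO     0x0010
#define CFG_SLOT_INFO      0x0020
#define CFG_MECHANISM_INFO 0x0040
#define CFG_INITIALIZE     0x0080
#define CFG_INIT_USER      0x0100
#define CFG_SET_USER       0x0200
#define CFG_SET_SO         0x0400
#define CFG_NEW_PIN        0x0800
#define CFG_SHARED_MEM     0x1000
#define CFG_LIST_SLOT      0x2000

CK_RV init(void);
void usage(unsigned char *);
int echo(int);
void get_pin(CK_CHAR **);
CK_RV cleanup(void);
CK_RV display_pkcs11_info(void);
CK_RV get_slot_list(int, CK_CHAR_PTR);
CK_RV display_slot_info(void);
CK_RV display_token_info(void);
CK_RV display_mechanism_info(void);
void display_shared_memory(void);
void *attach_shared_memory(void);
void detach_shared_memory(char *);
CK_RV validate_slot(CK_CHAR_PTR);
CK_RV init_token(CK_CHAR_PTR);
CK_RV init_user_pin(CK_CHAR_PTR, CK_CHAR_PTR);
CK_RV list_slot(void);
CK_RV set_user_pin(CK_USER_TYPE, CK_CHAR_PTR, CK_CHAR_PTR);

void *dllPtr;
CK_FUNCTION_LIST_PTR FunctionPtr = NULL;
CK_SLOT_ID_PTR SlotList = NULL;
CK_ULONG SlotCount = 0;
Slot_Mgr_Shr_t *shmp = NULL;
int in_slot;

/*
 * Overwrite a NUL-terminated secret and release it.  The stores go through a
 * volatile pointer so the compiler cannot drop them as dead writes ahead of
 * free().  A NULL argument is ignored.
 */
static void
wipe_and_free(CK_CHAR_PTR secret)
{
   volatile unsigned char *p = (volatile unsigned char *) secret;
   size_t len;

   if (secret == NULL)
      return;

   len = strlen((char *) secret);
   while (len-- > 0)
      *p++ = 0;

   free(secret);
}

/*
 * Store a private copy of a command line argument in *dst, terminator
 * included.  A value left by an earlier occurrence of the same option is
 * wiped and released first.  Returns 0 on success, -1 if malloc() fails
 * (in which case *dst is left untouched).
 */
static int
store_arg(CK_CHAR_PTR *dst, const char *arg)
{
   size_t len = strlen(arg) + 1;   /* +1: the copy must keep its NUL */
   CK_CHAR_PTR copy = (CK_CHAR_PTR) malloc(len);

   if (copy == NULL)
      return -1;

   memcpy(copy, arg, len);
   wipe_and_free(*dst);
   *dst = copy;
   return 0;
}

/*
 * Return non-zero unless both PINs are present and identical.  The lengths
 * are compared as well as the bytes, so a confirmation that merely starts
 * with (or extends) the first entry is rejected.  Both arguments are treated
 * as NUL-terminated strings, as the callers already do with strlen().
 */
static int
pins_differ(CK_CHAR_PTR first, CK_CHAR_PTR second)
{
   size_t len;

   if (first == NULL || second == NULL)
      return 1;

   len = strlen((char *) first);
   return len != strlen((char *) second) || memcmp(first, second, len) != 0;
}

/*
 * Entry point of pkcsconf: parse the options into a flag mask, load the
 * PKCS#11 library through init(), run the requested display functions and
 * then the requested token / PIN operations.
 *
 * Returns the CK_RV of the last token or PIN operation, the get_slot_list()
 * error, CKR_FUNCTION_FAILED when -p and -P are combined, CKR_PIN_INVALID
 * when a new PIN and its confirmation differ, CKR_HOST_MEMORY when an option
 * argument cannot be copied, and CKR_OK when only display options were used.
 *
 * Every exit path in this function goes through the cleanup at the end so
 * that PIN copies are wiped before the memory is released.
 */
int
main(int argc, char *argv[])
{
   CK_RV rc = CKR_OK;            // Return Code (was read uninitialised on some paths)
   CK_FLAGS flags = 0;           // Bit mask for what options were passed in
   CK_CHAR_PTR sopin = NULL,     // The Security Office PIN
               pin = NULL,       // The User PIN
               newpin = NULL,    // To store PIN changes
               newpin2 = NULL,   // To store validation of PIN change
               slot = NULL;      // The PKCS slot number
   int c,                        // To store passed in options
       errflag = 0,              // Error Flag
       nomem = 0;                // Set when an option argument could not be copied

   /* Open the Message Catalog */
   setlocale(LC_ALL, "");
   catd = catopen(MF_PKCSCONF,0);

   /* Parse the command line parameters.
    *
    * NOTE: a PIN supplied with -S, -U or -n is part of the process argument
    * list, so other local users can read it from the process table and the
    * shell may record it in its history.  Leaving these options out makes
    * the program prompt for the PIN with echo disabled instead. */
   while ((c = getopt (argc, argv, "itsmMIc:S:U:upPn:l")) != (-1)){
      switch (c){
         case 'c':  /* a specific card (slot) is specified */
            flags |= CFG_SLOT;
            if (store_arg(&slot, optarg) != 0)
               nomem = 1;
            break;
         case 'S':  /* the SO pin */
            flags |= CFG_SO_PIN;
            if (store_arg(&sopin, optarg) != 0)
               nomem = 1;
            break;
         case 'U':  /* the user pin */
            flags |= CFG_USER_PIN;
            if (store_arg(&pin, optarg) != 0)
               nomem = 1;
            break;
         case 'n':  /* the new pin */
            flags |= CFG_NEW_PIN;
            if (store_arg(&newpin, optarg) != 0)
               nomem = 1;
            break;
         case 'i':  /* display PKCS11 info */
            flags |= CFG_PKCS_INFO;
            break;
         case 't':  /* display token info */
            flags |= CFG_TOKEN_INFO;
            break;
         case 's':  /* display slot info */
            flags |= CFG_SLOT_INFO;
            break;
         case 'm':  /* display mechanism info */
            flags |= CFG_MECHANISM_INFO;
            break;
#if SHM
         case 'M':  /* display shared memory */
            flags |= CFG_SHARED_MEM;
            break;
#endif
         case 'I':  /* initialize the token */
            flags |= CFG_INITIALIZE;
            break;
         case 'u':  /* initialize the user PIN */
            flags |= CFG_INIT_USER;
            break;
         case 'p':  /* set the user PIN */
            flags |= CFG_SET_USER;
            break;
         case 'P':  /* set the SO PIN */
            flags |= CFG_SET_SO;
            break;
         case 'l':  /* display slot description */
            flags |= CFG_LIST_SLOT;
            break;
         default:   /* if something else was passed in it is an error */
            errflag++;
            break;
      }
   }

   /* An option argument could not be copied: nothing has been attached yet,
    * so skip the shared memory detach and only wipe what was stored. */
   if (nomem) {
      fprintf(stderr, "pkcsconf: out of memory\n");
      rc = CKR_HOST_MEMORY;
      goto wipe;
   }

   if (errflag != 0)  /* If there was an error print the usage statement */
      usage(argv[0]);

   /* Eliminate the ability to specify -I -p -u -P without a slot number */
   if ( (flags & (CFG_INITIALIZE | CFG_INIT_USER | CFG_SET_USER | CFG_SET_SO))
         && !(flags & CFG_SLOT)){
      usage(argv[0]);
   }

   /* Load the PKCS11 library and start the slotmanager if it is not running.
    * NOTE(review): the CK_RV returned by init() (and by validate_slot()
    * below) is not examined here - confirm that both report failure
    * themselves before the function list is used. */
   init();

#if SHM
   /* If a slot number was passed in validate the slot number */
   if (flags & CFG_SLOT)
      validate_slot(slot);
#else
   if (flags & CFG_SLOT) {
      /* slot is NUL-terminated by store_arg(), which atol() relies on */
      in_slot = atol((char *) slot);
   }
#endif

   /* Get the slot list and indicate if a slot number was passed in or not */
   rc = get_slot_list(flags & CFG_SLOT, slot);
   if (rc != CKR_OK)
      goto done;

   /* If the user tries to set the user and SO pin at the same time print an
    * error message and exit indicating the function failed */
   if ((flags & CFG_SET_USER) && (flags & CFG_SET_SO)) {
      printf(PKCSINIT_MSG(EXCLUSION, "Setting the SO and user PINs are mutually exclusive.\n"));
      fflush(stdout);
      rc = CKR_FUNCTION_FAILED;
      goto done;   /* wipe any PIN given on the command line first */
   }

   /* If the user wants to display PKCS11 info call the function to do so */
   if (flags & CFG_PKCS_INFO)
      display_pkcs11_info();

   /* If the user wants to display token info call the function to do so */
   if (flags & CFG_TOKEN_INFO)
      display_token_info();

   /* If the user wants to display slot info call the function to do so */
   if (flags & CFG_SLOT_INFO)
      display_slot_info();

   /* If the user wants to list the slots call the function to do so */
   if (flags & CFG_LIST_SLOT)
      list_slot();

   /* If the user wants to display mechanism info call the function to do so */
   if (flags & CFG_MECHANISM_INFO)
      display_mechanism_info();

#if SHM
   /* If the user wants to display shared memory info call the function to do so */
   if (flags & CFG_SHARED_MEM)
      display_shared_memory();
#endif

   /* If the user wants to initialize the card check to see if they passed in
    * the SO pin, if not ask for the PIN */
   if (flags & CFG_INITIALIZE){
      if (~flags & CFG_SO_PIN){
         printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: "));
         fflush(stdout);
         get_pin(&(sopin));
      }
      rc = init_token(sopin);
   }

   /* If the user wants to initialize the User PIN, check to see if they have
    * passed in the SO PIN, if not ask for it.  Then check to see if they passed
    * the New User PIN on the command line if not ask for the PIN and verify it */
   if (flags & CFG_INIT_USER){
      if (~flags & CFG_SO_PIN) {
         printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: "));
         fflush(stdout);
         get_pin(&sopin);
      }
      if (~flags & CFG_NEW_PIN) {
         printf(PKCSINIT_MSG(NEWUSER, "Enter the new user PIN: "));
         fflush(stdout);
         get_pin(&newpin);
         printf(PKCSINIT_MSG(VNEWUSER, "Re-enter the new user PIN: "));
         fflush(stdout);
         get_pin(&newpin2);
         if (pins_differ(newpin, newpin2)) {
            printf(PKCSINIT_MSG(PINMISMATCH, "New PINs do not match.\n"));
            fflush(stdout);
            rc = CKR_PIN_INVALID;
            goto done;
         }
      }
      rc = init_user_pin(newpin, sopin);
   }

   /* If the user wants to set the SO PIN, check to see if they have passed the
    * current SO PIN and the New PIN in.  If not prompt and validate them. */
   if (flags & CFG_SET_SO){
      if (~flags & CFG_SO_PIN) {
         printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: "));
         fflush(stdout);
         get_pin(&sopin);
      }
      if (~flags & CFG_NEW_PIN) {
         printf(PKCSINIT_MSG(NEWSO, "Enter the new SO PIN: "));
         fflush(stdout);
         get_pin(&newpin);
         printf(PKCSINIT_MSG(VNEWSO, "Re-enter the new SO PIN: "));
         fflush(stdout);
         get_pin(&newpin2);
         if (pins_differ(newpin, newpin2)) {
            printf(PKCSINIT_MSG(PINMISMATCH, "New PINs do not match.\n"));
            fflush(stdout);
            rc = CKR_PIN_INVALID;
            goto done;
         }
      }
      rc = set_user_pin(CKU_SO, sopin, newpin);
   }

   /* If the user wants to set the User PIN, check to see if they have passed the
    * current User PIN and the New PIN in.  If not prompt and validate them. */
   if (flags & CFG_SET_USER){
      if (~flags & CFG_USER_PIN) {
         printf(PKCSINIT_MSG(USERPIN, "Enter user PIN: "));
         fflush(stdout);
         get_pin(&pin);
      }
      if (~flags & CFG_NEW_PIN) {
         printf(PKCSINIT_MSG(NEWUSER, "Enter the new user PIN: "));
         fflush(stdout);
         get_pin(&newpin);
         printf(PKCSINIT_MSG(VNEWUSER, "Re-enter the new user PIN: "));
         fflush(stdout);
         get_pin(&newpin2);
         if (pins_differ(newpin, newpin2)) {
            printf(PKCSINIT_MSG(PINMISMATCH, "New PINs do not match.\n"));
            fflush(stdout);
            rc = CKR_PIN_INVALID;
            goto done;
         }
      }
      rc = set_user_pin(CKU_USER, pin, newpin);
   }

   /* We are done, detach from shared memory, and free the memory we may have
    * allocated.  Every PIN copy, the confirmation entry included, is
    * overwritten before it is freed so that it is not left around in
    * system memory */
done:
#if SHM
   detach_shared_memory((char *)shmp);
#endif
wipe:
   free (slot);
   wipe_and_free(sopin);
   wipe_and_free(pin);
   wipe_and_free(newpin);
   wipe_and_free(newpin2);

   return rc;
}

void
get_pin(CK_CHAR ** pin)
{
   int  size = PIN_SIZE, count = 0;
   char buff[PIN_SIZE] = { 0 }, c = 0;

   /* Turn off echoing to the terminal when getting the password */
   echo(FALSE);

   /* Get each character and print out a '*' for each input */
   /* NOTE(review): a BACK_SPACE read while count is 0 leaves count at -1
    * after the loop increment, so the next character is stored at buff[-1];
    * the backspace branch needs a lower bound on count. */
   for (count = 0; (c != LINE_FEED) && (count < PIN_SIZE); count++){
      buff[count] = getc(stdin);
      c = buff[count];
      if ((c != LINE_FEED) && (c != BACK_SPACE))
         printf("*");
      if (c == BACK_SPACE) {
         printf("%c%c%c", BACK_SPACE, ' ', BACK_SPACE);
         count-=2;
      }
      fflush(stdout);
   }
   echo(TRUE);

   /* After we get the password go to the next line */
   printf("\n");
   fflush(stdout);

   /* Allocate 80 bytes for the user PIN.  This is large enough for the tokens
    * supported in AIX 5.0 and 5.1 */
   *pin = (char *)malloc(PIN_SIZE);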