📄 pkcsconf.c
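/* NOTE: this listing begins inside a function body. Its signature and the
 * declarations of label, enteredlabel, pin, pinlen, lcv and rc are not shown. */

    /* First clear the label array. We must have 32 characters for PADDING then
     * we start all labels with 'IBM 4758 - ' therefore we use some of the label
     * information for our own use. This is primarily done for support reasons,
     * we are able to look at the labels and determine what is in the system */
    memset(label, ' ', 32);

    /* NOTE(review): the copy length is derived from the entered text, not from
     * the size of label. An empty enteredlabel makes strlen() - 1 wrap around,
     * and an entry longer than the label buffer is written past its end. The
     * length should be clamped to the label size (presumably 32, as in the
     * memset above) before copying -- confirm against the declarations that
     * precede this excerpt. */
    strncpy(label, enteredlabel, strlen(enteredlabel) - 1);   // Strip the \n

    /* It is possible to initialize all tokens although this would not give us a
     * unique token label would it? Normally this would be called with only one
     * token in the slot list. Slot list is not the slot list of the system only
     * a list of slots we are working with */
    for (lcv = 0; lcv < SlotCount; lcv++) {
        rc = FunctionPtr->C_InitToken(SlotList[lcv], pin, pinlen, label);
        if (rc != CKR_OK) {
            if (rc == CKR_PIN_INCORRECT) {
                printf(PKCSINIT_MSG(INCORRECTPIN, "Incorrect PIN Entered.\n"));
                fflush(stdout);
            } else {
                printf(PKCSINIT_MSG(INITERROR, "Error initializing token: 0x%X\n"), rc);
                fflush(stdout);
            }
            return rc;
        }
    }

    return CKR_OK;
}

/*
 * init_user_pin - initialize the user PIN on the token in SlotList[0].
 *
 * Opens a read/write session, logs in as the Security Officer with sopin,
 * calls C_InitPIN with pin, then logs out and closes the session.
 *
 * pin    NUL-terminated user PIN to set
 * sopin  NUL-terminated SO PIN used for the login
 *
 * Returns CKR_OK on success. On failure returns the CK_RV of the open, login
 * or C_InitPIN step that failed, or of C_CloseSession when only that failed.
 * A logout failure is reported on stdout but does not change the result.
 */
CK_RV
init_user_pin(CK_CHAR_PTR pin, CK_CHAR_PTR sopin)
{
    CK_RV rc;                          // Result reported to the caller
    CK_RV step_rc;                     // Result of the logout/close steps
    CK_FLAGS flags = 0;                // Flags used to open the session
    CK_SESSION_HANDLE session_handle;  // The session handle we get
    CK_ULONG pinlen, sopinlen;         // Length of the user and SO PINs

    /* get the length of the PINs */
    pinlen = strlen((const char *) pin);
    sopinlen = strlen((const char *) sopin);

    /* A read/write session is required to initialize the user PIN */
    flags |= CKF_SERIAL_SESSION;
    flags |= CKF_RW_SESSION;

    rc = FunctionPtr->C_OpenSession(SlotList[0], flags, NULL, NULL,
                                    &session_handle);
    if (rc != CKR_OK) {
        printf(PKCSINIT_MSG(OPENERROR, "Error opening session: 0x%X\n"), rc);
        fflush(stdout);
        return rc;
    }

    /* After the session is open, we must login as the SO to initialize the PIN */
    rc = FunctionPtr->C_Login(session_handle, CKU_SO, sopin, sopinlen);
    if (rc != CKR_OK) {
        /* Comparison, not assignment: with '=' every login failure was reported
         * (and returned) as an incorrect PIN, hiding the real error code. */
        if (rc == CKR_PIN_INCORRECT) {
            printf(PKCSINIT_MSG(INCORRECTPIN, "Incorrect PIN Entered.\n"));
            fflush(stdout);
        } else {
            printf(PKCSINIT_MSG(LOGINERROR, "Error logging in: 0x%X\n"), rc);
            fflush(stdout);
        }
        /* Do not leave the session open on the failure path */
        (void) FunctionPtr->C_CloseSession(session_handle);
        return rc;
    }

    /* Call the function to Init the PIN */
    rc = FunctionPtr->C_InitPIN(session_handle, pin, pinlen);
    if (rc != CKR_OK) {
        printf(PKCSINIT_MSG(SETPIN, "Error setting PIN: 0x%X\n"), rc);
        fflush(stdout);
    }

    /* Logout so that others can use the PIN */
    step_rc = FunctionPtr->C_Logout(session_handle);
    if (step_rc != CKR_OK) {
        printf(PKCSINIT_MSG(LOGOUTERROR, "Error logging out: 0x%X\n"), step_rc);
        fflush(stdout);
    }

    /* Close the session */
    step_rc = FunctionPtr->C_CloseSession(session_handle);
    if (step_rc != CKR_OK) {
        printf(PKCSINIT_MSG(CLOSEERROR, "Error closing session: 0x%X\n"), step_rc);
        fflush(stdout);
        /* A C_InitPIN failure takes precedence over the close failure */
        if (rc == CKR_OK)
            rc = step_rc;
    }

    /* Previously a failed C_InitPIN was overwritten by the later calls and the
     * function could return CKR_OK although no PIN had been set. */
    return rc;
}

/*
 * set_user_pin - change the PIN of the given user type on SlotList[0].
 *
 * Used for both the SO and the USER PIN; user selects which one is changed.
 * Opens a read/write session, logs in as user with oldpin, calls C_SetPIN
 * and closes the session.
 *
 * user    CKU_* user type to log in as
 * oldpin  NUL-terminated current PIN
 * newpin  NUL-terminated replacement PIN
 *
 * Returns CKR_OK on success. On failure returns the CK_RV of the open, login
 * or C_SetPIN step that failed, or of C_CloseSession when only that failed.
 */
CK_RV
set_user_pin(CK_USER_TYPE user, CK_CHAR_PTR oldpin, CK_CHAR_PTR newpin)
{
    CK_RV rc;                          // Result reported to the caller
    CK_RV close_rc;                    // Result of closing the session
    CK_FLAGS flags = 0;                // Flags used to open the session
    CK_SESSION_HANDLE session_handle;  // The handle of the session we open
    CK_ULONG oldpinlen, newpinlen;     // The size of the old and new PINs

    /* Get the size of the PINs */
    oldpinlen = strlen((const char *) oldpin);
    newpinlen = strlen((const char *) newpin);

    /* set the flags we will open the session with */
    flags |= CKF_SERIAL_SESSION;
    flags |= CKF_RW_SESSION;

    /* Open the Session */
    rc = FunctionPtr->C_OpenSession(SlotList[0], flags, NULL, NULL,
                                    &session_handle);
    if (rc != CKR_OK) {
        printf(PKCSINIT_MSG(OPENERROR, "Error opening session: 0x%X\n"), rc);
        fflush(stdout);
        return rc;
    }

    /* Login to the session we just created as the passed-in user type */
    rc = FunctionPtr->C_Login(session_handle, user, oldpin, oldpinlen);
    if (rc != CKR_OK) {
        /* Comparison, not assignment: with '=' every login failure was reported
         * (and returned) as an incorrect PIN, hiding the real error code. */
        if (rc == CKR_PIN_INCORRECT) {
            printf(PKCSINIT_MSG(INCORRECTPIN, "Incorrect PIN Entered.\n"));
            fflush(stdout);
        } else {
            printf(PKCSINIT_MSG(LOGINERROR, "Error logging in: 0x%X\n"), rc);
            fflush(stdout);
        }
        /* Do not leave the session open on the failure path */
        (void) FunctionPtr->C_CloseSession(session_handle);
        return rc;
    }

    /* set the new PIN */
    rc = FunctionPtr->C_SetPIN(session_handle, oldpin, oldpinlen,
                               newpin, newpinlen);
    if (rc != CKR_OK) {
        printf(PKCSINIT_MSG(SETPIN, "Error setting PIN: 0x%X\n"), rc);
        fflush(stdout);
    }

    /* and of course clean up after ourselves */
    close_rc = FunctionPtr->C_CloseSession(session_handle);
    if (close_rc != CKR_OK) {
        printf(PKCSINIT_MSG(CLOSEERROR, "Error closing session: 0x%X\n"), close_rc);
        fflush(stdout);
        /* A C_SetPIN failure takes precedence over the close failure */
        if (rc == CKR_OK)
            rc = close_rc;
    }

    /* Previously a failed C_SetPIN was overwritten by the close result and the
     * function could return CKR_OK although the PIN was unchanged. */
    return rc;
}

/*
 * init - load the PKCS#11 API library and initialize it.
 *
 * Opens the library with dlopen(), resolves C_GetFunctionList to fill the
 * global FunctionPtr, makes sure the slot manager's shared memory can be
 * attached (when built with SHM) and calls C_Initialize.
 *
 * Returns CKR_OK on success, or a non-zero value if the library or its
 * function list cannot be obtained. If the slot manager cannot be reached or
 * C_Initialize fails, cleanup() is called, which exits the process.
 */
CK_RV
init(void)
{
    CK_RV rc;          // Return Code
    void (*symPtr)();  // Pointer to C_GetFunctionList in the library

    /* The library is opened by absolute path; which file is used depends on
     * the width of CK_ULONG in this build. */
    if (sizeof(CK_ULONG) == 4)
        dllPtr = dlopen("/usr/lib/pkcs11/PKCS11_API.so", RTLD_NOW);
    else
        dllPtr = dlopen("/usr/lib/pkcs11/PKCS11_API.so64", RTLD_NOW);

    if (!dllPtr) {
        rc = errno;
        printf(PKCSINIT_MSG(LOADERROR, "Error loading PKCS#11 library: 0x%X\n"), rc);
        fflush(stdout);
        /* dlopen() reports failures through dlerror() and need not set errno.
         * A zero errno equals CKR_OK, so never hand that back as the result. */
        return rc ? rc : CKR_FUNCTION_FAILED;
    }

    /* Get the list of the PKCS11 functions this token supports */
    symPtr = (void (*)())dlsym(dllPtr, "C_GetFunctionList");
    if (!symPtr) {
        rc = errno;
        printf(PKCSINIT_MSG(FUNCTERROR, "Error getting function list: 0x%X\n"), rc);
        fflush(stdout);
        /* Same reasoning as for dlopen(): zero must not be returned here */
        return rc ? rc : CKR_FUNCTION_FAILED;
    }

    symPtr(&FunctionPtr);
    if (!FunctionPtr) {
        /* The call's own return value is not visible through this pointer
         * type, so check the result before it is dereferenced below. */
        rc = CKR_FUNCTION_FAILED;
        printf(PKCSINIT_MSG(FUNCTERROR, "Error getting function list: 0x%X\n"), rc);
        fflush(stdout);
        return rc;
    }

#if SHM
    /* Since this program uses PKCS11 function calls we need to make sure that
     * the slot daemon is running. If the shared memory is created, then we
     * know slot manager is running. Therefore, if we fail to attach to the
     * memory, we assume that slots is not running and attempt to start it.
     * After 1/2 second we try again and if it fails we fail. */
    if ((shmp = attach_shared_memory()) == NULL) {
        /* NOTE(review): system() starts the daemon through the shell with this
         * process's environment, and its result is not checked. If this tool
         * can run with elevated privileges, fork/exec with a fixed argv and a
         * cleaned environment is the safer way to start it. */
        system("/usr/sbin/pkcsslotd");

        /* usleep() takes microseconds; the previous value of 500 waited only
         * half a millisecond instead of the intended half second. */
        usleep(500000);

        if ((shmp = attach_shared_memory()) == NULL) {
            printf(PKCSINIT_MSG(SLOTMGRERROR,
                   "Error communicating with slot manager: 0x%x\n"), errno);
            fflush(stdout);
            cleanup();   /* exits the process */
        }
    }
#endif

    /* If we get here we know the slot manager is running and we can use PKCS11
     * calls, so we will execute the PKCS11 Initialize command. */
    rc = FunctionPtr->C_Initialize(NULL);
    if (rc != CKR_OK) {
        printf(PKCSINIT_MSG(LIBERROR,
               "Error initializing the PKCS11 library: 0x%X\n"), rc);
        fflush(stdout);
        cleanup();       /* exits the process */
    }

    return CKR_OK;
}

/*
 * cleanup - release resources and terminate the program.
 *
 * Frees the slot list, calls C_Finalize, closes the PKCS#11 library if it was
 * opened and exits with the C_Finalize result as exit status. Although the
 * return type is CK_RV, this function does not return.
 *
 * NOTE(review): FunctionPtr is dereferenced without a NULL check, so this
 * must only be called after init() has obtained the function list.
 */
CK_RV
cleanup(void)
{
    CK_RV rc;  // Return Code

    /* To clean up we will free the slot list we create, call the Finalize
     * routine for PKCS11 and close the dynamically linked library */
    free (SlotList);
    rc = FunctionPtr->C_Finalize(NULL);
    if (dllPtr)
        dlclose(dllPtr);

    exit (rc);
}

/*
 * usage - print the command line help and exit with status -1.
 *
 * progname  program name shown in the usage line
 */
void
usage(unsigned char *progname)
{
    /* If we get here the user needs help, so give it to them */
    printf(PKCSINIT_MSG(USAGE, "usage:\t%s [-itsmMIupP] [-c slotnumber -U userPIN -S SOPin -n newpin]\n"), progname);
    printf(PKCSINIT_MSG(USAGE1, "\t-i display PKCS11 info\n"));
    printf(PKCSINIT_MSG(USAGE2, "\t-t display token info\n"));
    printf(PKCSINIT_MSG(USAGE3, "\t-s display slot info\n"));
    printf(PKCSINIT_MSG(USAGE4, "\t-m display mechanism list\n"));
    printf(PKCSINIT_MSG(USAGE6, "\t-I initialize token \n"));
    printf(PKCSINIT_MSG(USAGE7, "\t-u initialize user PIN\n"));
    printf(PKCSINIT_MSG(USAGE8, "\t-p set the user PIN\n"));
    printf(PKCSINIT_MSG(USAGE9, "\t-P set the SO PIN\n"));

    exit(-1);
}

#if SHM
/*
 * attach_shared_memory - attach to the slot manager's shared memory segment.
 *
 * Derives the System V IPC key from TOK_PATH, looks up the existing segment
 * of size sizeof(Slot_Mgr_Shr_t) and attaches it.
 *
 * Returns the attached address, or NULL if TOK_PATH cannot be stat'ed, the
 * key or segment lookup fails, or the attach fails.
 */
void *attach_shared_memory() {
    key_t tok;
    int shmid;
    char *shmp;
    struct stat statbuf;

    // Really should fstat the tok_path
    if (stat(TOK_PATH, &statbuf) < 0) {
        // The stat of the token origin file does not work... Kick it out
        return NULL;
    }

    tok = ftok(TOK_PATH, 'b');
    if (tok == (key_t) -1) {
        /* The path can disappear between stat() and ftok() */
        return NULL;
    }

    /* Get the shared memory id. IPC_CREAT is not passed, so this only looks up
     * a segment that already exists; the mode bits ask for read/write access
     * for user, group and other. */
    shmid = shmget(tok, sizeof(Slot_Mgr_Shr_t),
                   S_IROTH | S_IWOTH | S_IWGRP | S_IRGRP | S_IRUSR | S_IWUSR);
    if (shmid < 0) {
        return NULL;
    }

    /* Attach to shared memory. shmat() signals failure with (void *) -1, not
     * NULL, so the previous '!shmp' test let a failed attach through as a
     * usable pointer. */
    shmp = (void *)shmat(shmid, NULL, 0);
    if (shmp == (void *) -1) {
        return NULL;
    }

    return shmp;
}

/*
 * detach_shared_memory - detach the segment attached at shmp.
 */
void
detach_shared_memory (char *shmp) {
    /* We could call the shmdt (shared memory detach) directly but this is more
     * readable */
    shmdt(shmp);
}

/*
 * validate_slot - check that a slot number given as text exists.
 *
 * Parses slot as a decimal number and searches the slot table in the global
 * shared memory area (shmp) for an entry with that slot_number. On a match
 * the global in_slot is set to the entry's array index.
 *
 * slot  NUL-terminated slot number as entered by the user
 *
 * Returns CKR_OK if the slot exists, CKR_ATTRIBUTE_VALUE_INVALID if slot is
 * NULL, is not a plain decimal number, or matches no entry.
 */
CK_RV
validate_slot(CK_CHAR_PTR slot) {
    int lcv;                // Loop control variable
    long slot_num;          // integer value for the slot
    char *end;              // First character strtol() did not consume
    CK_BOOL valid = FALSE;  // Conditional variable

    /* Make sure the slot passed in is not NULL */
    if (! slot)
        return CKR_ATTRIBUTE_VALUE_INVALID;

    /* atol() turned any non-numeric text into 0, so arbitrary input selected
     * slot 0. Accept only text that is entirely a decimal number in range. */
    errno = 0;
    slot_num = strtol((const char *) slot, &end, 10);
    if (end != (char *) slot && *end == '\0' && errno != ERANGE) {
        for (lcv = 0; lcv < shmp->num_slots; lcv++) {
            /* Compare what is in shared memory to the slot passed in */
            if (shmp->slot_info[lcv].slot_number == slot_num) {
                valid = TRUE;    // indicate the slot is valid
                in_slot = lcv;   // set the slot value to be array position
                break;           // no need to check the rest
            }
        }
    }

    if (valid)
        return CKR_OK;

    /* This should really read Slot, but since translation has been done this
     * will need to wait until 5.1 to be translated correctly */
    printf(PKCSINIT_MSG(INVALIDCARD, "Invalid Card: %s\n"), slot);
    fflush(stdout);
    return CKR_ATTRIBUTE_VALUE_INVALID;
}
#endif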