📄 loadsave.c
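// NOTE(review): this listing opens inside a function whose beginning is not
// shown.  Its visible tail is kept as found; only the line breaks are restored,
// and which statements the `//` markers comment out is inferred from the text.
   //
   //object_mgr_restore_obj( obj_data, NULL );
   object_mgr_restore_obj( obj_data, pObj );
   rc = CKR_OK;

done:
//   if (ciphertxt)  free( ciphertxt );
   if (cleartxt)   free( cleartxt );

   return rc;
}


// Overwrite a buffer that held key material.
//
// The writes go through a volatile pointer so the compiler cannot drop them
// as dead stores on a buffer that is about to go out of scope, which it is
// allowed to do with a plain memset().
//
static void
loadsave_wipe( void *buf, size_t len )
{
   volatile unsigned char *p = (volatile unsigned char *)buf;

   while (len--)
      *p++ = 0;
}


// Build "<pk_dir>/<leaf>" into fname.
//
// Returns CKR_OK, or CKR_FUNCTION_FAILED when the path does not fit.  The
// original code used sprintf() into a 2048-byte buffer, which writes past the
// buffer when pk_dir is long enough.
//
static CK_RV
masterkey_path( char *fname, size_t fname_len, const char *leaf )
{
   int n = snprintf( fname, fname_len, "%s/%s", pk_dir, leaf );

   if (n < 0 || (size_t)n >= fname_len)
      return CKR_FUNCTION_FAILED;

   return CKR_OK;
}


// Build the 3DES key used to wrap the master key file.
//
// The key is the PIN digest followed by a repeat of the digest's first
// DES_KEY_SIZE bytes.
//
// NOTE(review): pin_md5 is presumably an MD5 digest of the PIN, computed
// elsewhere.  If MD5_HASH_SIZE is 16 and DES_KEY_SIZE is 8 (their definitions
// are not in this listing) the third DES key equals the first, i.e. two-key
// triple DES, and the wrapping key is only as strong as the PIN behind a
// single hash.  Moving to a salted, iterated KDF would change the on-disk
// format, so the derivation is left as it is.
//
static void
masterkey_wrap_key( CK_BYTE *des3_key, const void *pin_md5 )
{
   memcpy( des3_key,                 pin_md5, MD5_HASH_SIZE );
   memcpy( des3_key + MD5_HASH_SIZE, pin_md5, DES_KEY_SIZE  );
}


// Read "<pk_dir>/<leaf>", decrypt it with the key derived from pin_md5, check
// the stored SHA-1 of the key and, on success, copy the key into master_key.
//
// master_key is zeroed first, so it stays zeroed on every failure path.
// caller is the public function's name; it is passed to st_err_log() so the
// log keeps naming the entry point rather than this helper.
//
// Returns CKR_OK on success, CKR_FUNCTION_FAILED on path, I/O or hash-check
// failure, or the error returned by ckm_des3_cbc_decrypt().
//
static CK_RV
load_masterkey_file( const char *leaf, const void *pin_md5, const char *caller )
{
   FILE              * fp = NULL;
   CK_BYTE             hash_sha[SHA1_HASH_SIZE];
   CK_BYTE             cipher[sizeof(MASTER_KEY_FILE_T) + DES_BLOCK_SIZE];
   CK_BYTE             clear [sizeof(MASTER_KEY_FILE_T) + DES_BLOCK_SIZE];
   CK_BYTE             des3_key[3 * DES_KEY_SIZE];
   MASTER_KEY_FILE_T   mk;
   CK_ULONG            cipher_len, clear_len;
   CK_RV               rc;
   char                fname[2048];

   memset( master_key, 0x0, 3*DES_KEY_SIZE );

   // this file gets created on C_InitToken so we can assume that it always exists
   //
   rc = masterkey_path( fname, sizeof(fname), leaf );
   if (rc != CKR_OK) {
      st_err_log(4, __FILE__, __LINE__, caller);
      goto done;
   }

   fp = fopen( fname, "r" );
   if (!fp) {
      st_err_log(4, __FILE__, __LINE__, caller);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }
   set_perm(fileno(fp));

   // the file holds the structure rounded up to a whole number of DES blocks
   //
   clear_len = cipher_len = (sizeof(MASTER_KEY_FILE_T) + DES_BLOCK_SIZE - 1) & ~(DES_BLOCK_SIZE - 1);

   // the item count is compared directly; the original stored it in rc
   //
   if (fread( cipher, cipher_len, 1, fp ) != 1) {
      st_err_log(4, __FILE__, __LINE__, caller);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }

   // decrypt the master key data using the MD5 of the PIN
   // (we can't use the SHA of the PIN since that SHA is stored
   // in the token data file).
   //
   masterkey_wrap_key( des3_key, pin_md5 );

   // NOTE(review): the constant "12345678" passed ahead of the key is
   // presumably the CBC IV.  A fixed IV makes the ciphertext a deterministic
   // function of PIN and key; it cannot be changed here without breaking
   // existing MK_* files.
   //
   // NOTE(review): a CLEARTEXT build stores the master key unencrypted on
   // disk; it should never be defined for a production build.
   //
#ifndef CLEARTEXT
   rc = ckm_des3_cbc_decrypt( cipher, cipher_len, clear, &clear_len, "12345678", des3_key );
#else
   bcopy(cipher,clear,cipher_len);
   rc = CKR_OK;
#endif
   if (rc != CKR_OK){
      st_err_log(106, __FILE__, __LINE__);
      goto done;
   }
   memcpy( (CK_BYTE *)&mk, clear, sizeof(mk) );

   //
   // technically should strip PKCS padding here but since I already know what
   // the length should be, I don't bother.
   //

   // compare the hashes: this is the only integrity check on the decrypted
   // data, and therefore the only sign of a wrong PIN or a damaged file
   //
   compute_sha( mk.key, 3 * DES_KEY_SIZE, hash_sha );

   if (memcmp(hash_sha, mk.sha_hash, SHA1_HASH_SIZE) != 0) {
      st_err_log(4, __FILE__, __LINE__, caller);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }

   memcpy( master_key, mk.key, 3*DES_KEY_SIZE );
   rc = CKR_OK;

done:
   if (fp)
      fclose(fp);

   // do not leave the wrapping key or the decrypted master key on the stack
   //
   loadsave_wipe( des3_key, sizeof(des3_key) );
   loadsave_wipe( clear,    sizeof(clear)    );
   loadsave_wipe( &mk,      sizeof(mk)       );

   return rc;
}


// Encrypt master_key together with its SHA-1 under the key derived from
// pin_md5 and write the result to "<pk_dir>/<leaf>".
//
// caller is the public function's name, passed on to st_err_log().
//
// Returns CKR_OK on success, CKR_FUNCTION_FAILED on path or I/O failure
// (including a failed flush at fclose()), or the error returned by
// ckm_des3_cbc_encrypt().
//
static CK_RV
save_masterkey_file( const char *leaf, const void *pin_md5, const char *caller )
{
   FILE              * fp = NULL;
   CK_BYTE             cleartxt [sizeof(MASTER_KEY_FILE_T) + DES_BLOCK_SIZE];
   CK_BYTE             ciphertxt[sizeof(MASTER_KEY_FILE_T) + DES_BLOCK_SIZE];
   CK_BYTE             des3_key[3 * DES_KEY_SIZE];
   MASTER_KEY_FILE_T   mk;
   CK_ULONG            cleartxt_len, ciphertxt_len, padded_len;
   CK_RV               rc;
   char                fname[2048];

   memcpy( mk.key, master_key, 3 * DES_KEY_SIZE);

   compute_sha( master_key, 3 * DES_KEY_SIZE, mk.sha_hash );

   // encrypt the key data
   //
   masterkey_wrap_key( des3_key, pin_md5 );

   ciphertxt_len = sizeof(ciphertxt);
   cleartxt_len  = sizeof(mk);
   memcpy( cleartxt, &mk, cleartxt_len );

   // always adds between 1 and DES_BLOCK_SIZE bytes, so the padded data
   // still fits in cleartxt
   //
   padded_len = DES_BLOCK_SIZE * (cleartxt_len / DES_BLOCK_SIZE + 1);
   add_pkcs_padding( cleartxt + cleartxt_len, DES_BLOCK_SIZE, cleartxt_len, padded_len );

   // NOTE(review): "12345678" is presumably a fixed CBC IV, and a CLEARTEXT
   // build writes the master key to disk unencrypted; both are kept because
   // changing them alters the file format.
   //
#ifndef CLEARTEXT
   rc = ckm_des3_cbc_encrypt( cleartxt, padded_len, ciphertxt, &ciphertxt_len, "12345678", des3_key );
#else
   bcopy(cleartxt,ciphertxt,padded_len);
   rc = CKR_OK;
#endif
   if (rc != CKR_OK){
      st_err_log(105, __FILE__, __LINE__);
      goto done;
   }

   // write the file
   //
   // probably ought to ensure the permissions are correct
   //
   // NOTE(review): fopen("w") creates the file with the process umask and
   // follows symlinks; set_perm() only runs afterwards.  What set_perm() does
   // is not visible here -- confirm that the window before it runs is
   // acceptable for a key file.
   //
   rc = masterkey_path( fname, sizeof(fname), leaf );
   if (rc != CKR_OK) {
      st_err_log(4, __FILE__, __LINE__, caller);
      goto done;
   }

   fp = fopen( fname, "w" );
   if (!fp) {
      st_err_log(4, __FILE__, __LINE__, caller);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }
   set_perm(fileno(fp));

   if (fwrite( ciphertxt, ciphertxt_len, 1, fp ) != 1) {
      st_err_log(4, __FILE__, __LINE__, caller);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }

   rc = CKR_OK;

done:
   if (fp) {
      // buffered data is only flushed here, so a failing fclose() means the
      // key file may be incomplete
      //
      if (fclose( fp ) != 0 && rc == CKR_OK) {
         st_err_log(4, __FILE__, __LINE__, caller);
         rc = CKR_FUNCTION_FAILED;
      }
   }

   // do not leave the wrapping key or the clear master key on the stack
   //
   loadsave_wipe( des3_key, sizeof(des3_key) );
   loadsave_wipe( cleartxt, sizeof(cleartxt) );
   loadsave_wipe( &mk,      sizeof(mk)       );

   return rc;
}


// Load the master key from <pk_dir>/MK_SO, unwrapping it with so_pin_md5.
//
CK_RV
load_masterkey_so( void )
{
   return load_masterkey_file( "MK_SO", so_pin_md5, __FUNCTION__ );
}


// Load the master key from <pk_dir>/MK_USER, unwrapping it with user_pin_md5.
//
CK_RV
load_masterkey_user( void )
{
   return load_masterkey_file( "MK_USER", user_pin_md5, __FUNCTION__ );
}


// Save the master key to <pk_dir>/MK_SO, wrapped with so_pin_md5.
//
CK_RV
save_masterkey_so( void )
{
   return save_masterkey_file( "MK_SO", so_pin_md5, __FUNCTION__ );
}


// Save the master key to <pk_dir>/MK_USER, wrapped with user_pin_md5.
//
CK_RV
save_masterkey_user( void )
{
   return save_masterkey_file( "MK_USER", user_pin_md5, __FUNCTION__ );
}


// Re-read a token object from its file under <pk_dir>/<PK_LITE_OBJ_DIR>/ and
// restore it into obj.
//
// The file starts with a CK_ULONG_32 total size and a CK_BBOOL "private" flag,
// followed by the object data.  Both header fields come from disk, so they are
// validated before the size is used for allocation: the original ignored every
// fread() result and subtracted the header size without checking, so a short
// or damaged file could underflow the size and restore from an uninitialized
// buffer.
//
// Returns CKR_OK on success, CKR_FUNCTION_FAILED on path, I/O or format
// errors, CKR_HOST_MEMORY when the buffer cannot be allocated, or the error
// returned by the restore routine.
//
CK_RV
reload_token_object( OBJECT *obj )
{
   FILE        * fp  = NULL;
   CK_BYTE     * buf = NULL;
   char          fname[2048];
   CK_BBOOL      priv;
   CK_ULONG_32   size;
   CK_ULONG      size_64;
   CK_RV         rc;
   int           n;

   // at most 8 characters of the object name are used, as with the
   // original strncat()
   //
   n = snprintf( fname, sizeof(fname), "%s/%s/%.8s", pk_dir, PK_LITE_OBJ_DIR, (char *)obj->name );
   if (n < 0 || (size_t)n >= sizeof(fname)) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }

   fp = fopen( fname, "r" );
   if (!fp) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }

   set_perm(fileno(fp));

   if (fread( &size, sizeof(CK_ULONG_32), 1, fp ) != 1 ||
       fread( &priv, sizeof(CK_BBOOL),    1, fp ) != 1) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }

   // the stored size includes the header; it must leave room for object data
   //
   if (size <= sizeof(CK_ULONG_32) + sizeof(CK_BBOOL)) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }

   size = size - sizeof(CK_ULONG_32) - sizeof(CK_BBOOL);  // SAB

   buf = (CK_BYTE *)malloc(size);
   if (!buf) {
      st_err_log(0, __FILE__, __LINE__);
      rc = CKR_HOST_MEMORY;
      goto done;
   }

   // a file shorter than its header claims is rejected here
   //
   if (fread( buf, size, 1, fp ) != 1) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }

   size_64 = size;

   if (priv){
      rc = restore_private_token_object( buf, size_64, obj );
      if (rc != CKR_OK)
         st_err_log(107, __FILE__, __LINE__);
   }
   else{
      rc = object_mgr_restore_obj( buf, obj );
      if (rc != CKR_OK)
         st_err_log(108, __FILE__, __LINE__);
   }

done:
   if (fp)
      fclose( fp );
   free( buf );

   return rc;
}


extern void set_perm(int) ;

// Remove obj from the token's object index and delete its object file.
//
// The index is rewritten in two passes: every entry except obj->name is
// copied to IDX.TMP, then IDX.TMP is copied back over the index.  Each pass
// is checked for I/O errors before the next step, so a failed write to the
// temporary file no longer leads to the real index being truncated.
//
// Differences from the original line handling: the result of fgets() drives
// the loops (the original tested feof() and could act on a stale buffer), a
// trailing newline is stripped only when present (the original cut the last
// character unconditionally and indexed before the buffer on an empty
// string), and a final line without a newline is kept instead of dropped.
//
// Returns CKR_OK, or CKR_FUNCTION_FAILED on path or I/O failure.  As before,
// the result of unlink() is not checked.
//
CK_RV
delete_token_object( OBJECT *obj )
{
   FILE    *fp1, *fp2;
   char     line[100];
   char     objidx[2048], idxtmp[2048], fname[2048];
   size_t   len;
   int      n1, n2, n3;
   int      io_failed;

   // FIXME:  on UNIX, we need to make sure these guys aren't symlinks
   //         before we blindly write to these files...
   //
   // NOTE(review): fopen("w") follows symlinks and IDX.TMP has a fixed name,
   // so the directory must not be writable by other users; opening with
   // open(2) and O_NOFOLLOW (plus O_EXCL for the temporary file) followed by
   // fdopen() would close this off.
   //

   // build all three paths up front so that nothing is touched when one of
   // them does not fit
   //
   n1 = snprintf( objidx, sizeof(objidx), "%s/%s/%s", pk_dir, PK_LITE_OBJ_DIR, PK_LITE_OBJ_IDX );
   n2 = snprintf( idxtmp, sizeof(idxtmp), "%s/%s/%s", pk_dir, PK_LITE_OBJ_DIR, "IDX.TMP" );
   n3 = snprintf( fname,  sizeof(fname),  "%s/%s/%s", pk_dir, PK_LITE_OBJ_DIR, (char *)obj->name );
   if (n1 < 0 || (size_t)n1 >= sizeof(objidx) ||
       n2 < 0 || (size_t)n2 >= sizeof(idxtmp) ||
       n3 < 0 || (size_t)n3 >= sizeof(fname)) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      return CKR_FUNCTION_FAILED;
   }

   // remove the object from the index file
   //
   fp1 = fopen( objidx, "r" );
   fp2 = fopen( idxtmp, "w" );
   if (!fp1 || !fp2) {
      if (fp1) fclose(fp1);
      if (fp2) fclose(fp2);
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      return CKR_FUNCTION_FAILED;
   }

   set_perm(fileno(fp2));

   while (fgets( line, sizeof(line), fp1 )) {
      len = strlen( line );
      if (len > 0 && line[len-1] == '\n')
         line[len-1] = 0;

      if (strcmp( line, (char *)obj->name ) == 0)
         continue;

      fprintf( fp2, "%s\n", line );
   }

   io_failed = ferror(fp1) || ferror(fp2);
   fclose(fp1);
   if (fclose(fp2) != 0)
      io_failed = 1;

   // never overwrite the real index from an incomplete temporary copy
   //
   if (io_failed) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      return CKR_FUNCTION_FAILED;
   }

   // copy the filtered index back over the original
   //
   fp2 = fopen( objidx, "w" );
   fp1 = fopen( idxtmp, "r" );
   if (!fp1 || !fp2) {
      if (fp1) fclose(fp1);
      if (fp2) fclose(fp2);
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      return CKR_FUNCTION_FAILED;
   }

   set_perm(fileno(fp2));

   while (fgets( line, sizeof(line), fp1 ))
      fprintf( fp2, "%s", line );

   io_failed = ferror(fp1) || ferror(fp2);
   fclose(fp1);
   if (fclose(fp2) != 0)
      io_failed = 1;

   if (io_failed) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      return CKR_FUNCTION_FAILED;
   }

   unlink( fname );

   return CKR_OK;
}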