key.c

IBM的Linux上的PKCS#11实现

   sensitive_attr->pValue     = (CK_BYTE *)sensitive_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)sensitive_attr->pValue = FALSE;

   decrypt_attr->type       = CKA_DECRYPT;
   decrypt_attr->ulValueLen = sizeof(CK_BBOOL);
   decrypt_attr->pValue     = (CK_BYTE *)decrypt_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)decrypt_attr->pValue = TRUE;

   sign_attr->type       = CKA_SIGN;
   sign_attr->ulValueLen = sizeof(CK_BBOOL);
   sign_attr->pValue     = (CK_BYTE *)sign_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)sign_attr->pValue = TRUE;

   sign_recover_attr->type       = CKA_SIGN_RECOVER;
   sign_recover_attr->ulValueLen = sizeof(CK_BBOOL);
   sign_recover_attr->pValue     = (CK_BYTE *)sign_recover_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)sign_recover_attr->pValue = TRUE;

   unwrap_attr->type       = CKA_UNWRAP;
   unwrap_attr->ulValueLen = sizeof(CK_BBOOL);
   unwrap_attr->pValue     = (CK_BYTE *)unwrap_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)unwrap_attr->pValue = TRUE;

   extractable_attr->type       = CKA_EXTRACTABLE;
   extractable_attr->ulValueLen = sizeof(CK_BBOOL);
   extractable_attr->pValue     = (CK_BYTE *)extractable_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)extractable_attr->pValue = TRUE;

   // by default, we'll set NEVER_EXTRACTABLE == FALSE and ALWAYS_SENSITIVE == FALSE
   // If the key is being created with KEYGEN, it will adjust as necessary.
   //
   never_extr_attr->type       = CKA_NEVER_EXTRACTABLE;
   never_extr_attr->ulValueLen = sizeof(CK_BBOOL);
   never_extr_attr->pValue     = (CK_BYTE *)never_extr_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)never_extr_attr->pValue = FALSE;

   always_sens_attr->type       = CKA_ALWAYS_SENSITIVE;
   always_sens_attr->ulValueLen = sizeof(CK_BBOOL);
   always_sens_attr->pValue     = (CK_BYTE *)always_sens_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)always_sens_attr->pValue = FALSE;

   template_update_attribute( tmpl, class_attr );
   template_update_attribute( tmpl, subject_attr );
   template_update_attribute( tmpl, sensitive_attr );
   template_update_attribute( tmpl, decrypt_attr );
   template_update_attribute( tmpl, sign_attr );
   template_update_attribute( tmpl, sign_recover_attr );
   template_update_attribute( tmpl, unwrap_attr );
   template_update_attribute( tmpl, extractable_attr );
   template_update_attribute( tmpl, never_extr_attr );
   template_update_attribute( tmpl, always_sens_attr );

   return CKR_OK;
}


//
//
CK_RV
priv_key_unwrap( TEMPLATE *tmpl,
                 CK_ULONG  keytype,
                 CK_BYTE  *data,
                 CK_ULONG  data_len )
{
   CK_ATTRIBUTE *extractable   = NULL;
   CK_ATTRIBUTE *always_sens   = NULL;
   CK_ATTRIBUTE *never_extract = NULL;
   CK_ATTRIBUTE *sensitive     = NULL;
   CK_ATTRIBUTE *local         = NULL;
   CK_BBOOL   true  = TRUE;
   CK_BBOOL   false = FALSE;
   CK_RV      rc;

   switch (keytype) {
      case CKK_RSA:
         rc = rsa_priv_unwrap( tmpl, data, data_len );
         break;

      case CKK_DSA:
         rc = dsa_priv_unwrap( tmpl, data, data_len );
         break;

      default:
         st_err_log(62, __FILE__, __LINE__);
         return CKR_WRAPPED_KEY_INVALID;
   }

   if (rc != CKR_OK) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      return rc;
   }

   // make sure
   //    CKA_LOCAL             == FALSE
   //    CKA_ALWAYS_SENSITIVE  == FALSE
   //    CKA_EXTRACTABLE       == TRUE
   //    CKA_NEVER_EXTRACTABLE == FALSE
   //
   rc = build_attribute( CKA_LOCAL,  &false, 1, &local );
   if (rc != CKR_OK){
      st_err_log(84, __FILE__, __LINE__);
      goto cleanup;
   }
   rc = build_attribute( CKA_ALWAYS_SENSITIVE,  &false, 1, &always_sens );
   if (rc != CKR_OK){
      st_err_log(84, __FILE__, __LINE__);
      goto cleanup;
   }
   rc = build_attribute( CKA_SENSITIVE,         &false, 1, &sensitive );
   if (rc != CKR_OK){
      st_err_log(84, __FILE__, __LINE__);
      goto cleanup;
   }
   rc = build_attribute( CKA_EXTRACTABLE,       &true,  1, &extractable );
   if (rc != CKR_OK){
      st_err_log(84, __FILE__, __LINE__);
      goto cleanup;
   }
   rc = build_attribute( CKA_NEVER_EXTRACTABLE, &false, 1, &never_extract );
   if (rc != CKR_OK){
      st_err_log(84, __FILE__, __LINE__);
      goto cleanup;
   }
   template_update_attribute( tmpl, local );
   template_update_attribute( tmpl, always_sens );
   template_update_attribute( tmpl, sensitive );
   template_update_attribute( tmpl, extractable );
   template_update_attribute( tmpl, never_extract );

   return CKR_OK;

cleanup:

   if (local)         free(local);
   if (always_sens)   free(always_sens);
   if (extractable)   free(extractable);
   if (never_extract) free(never_extract);

   return rc;
}


// priv_key_validate_attribute()
//
CK_RV
priv_key_validate_attribute( TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode )
{
   switch (attr->type) {
      case CKA_SUBJECT:
         return CKR_OK;

      case CKA_DECRYPT:
      case CKA_SIGN:
      case CKA_SIGN_RECOVER:
      case CKA_UNWRAP:
         // we might want to do this for MODE_COPY too
         //
         if (mode == MODE_MODIFY) {
            if (nv_token_data->tweak_vector.allow_key_mods == TRUE)
               return CKR_OK;
            st_err_log(7, __FILE__, __LINE__);
            return CKR_ATTRIBUTE_READ_ONLY;
         }
         return CKR_OK;

      // after key creation, CKA_SENSITIVE may only be set to TRUE
      //
      case CKA_SENSITIVE:
         {
            CK_BBOOL value;

            if (mode == MODE_CREATE || mode == MODE_KEYGEN)
               return CKR_OK;

            value = *(CK_BBOOL *)attr->pValue;
            if (value != TRUE){
               st_err_log(7, __FILE__, __LINE__);
               return CKR_ATTRIBUTE_READ_ONLY;
            }
         }
         return CKR_OK;

      // after key creation, CKA_EXTRACTABLE may only be set to FALSE
      //
      case CKA_EXTRACTABLE:
         {
            CK_BBOOL value;

            value = *(CK_BBOOL *)attr->pValue;
            if ((mode != MODE_CREATE && mode != MODE_KEYGEN) && value !=
FALSE){
               st_err_log(7, __FILE__, __LINE__);
               return CKR_ATTRIBUTE_READ_ONLY;
            }
            if (value == FALSE) {
               CK_ATTRIBUTE *attr;

               attr = (CK_ATTRIBUTE *)malloc(sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );
               if (!attr){
                  st_err_log(1, __FILE__, __LINE__);
                  return CKR_HOST_MEMORY;
               }
               attr->type       = CKA_NEVER_EXTRACTABLE;
               attr->ulValueLen = sizeof(CK_BBOOL);
               attr->pValue     = (CK_BYTE *)attr + sizeof(CK_ATTRIBUTE);
               *(CK_BBOOL *)attr->pValue = FALSE;

               template_update_attribute( tmpl, attr );
            }
         }
         return CKR_OK;

      case CKA_ALWAYS_SENSITIVE:
      case CKA_NEVER_EXTRACTABLE:
         st_err_log(7, __FILE__, __LINE__);
         return CKR_ATTRIBUTE_READ_ONLY;

      default:
         return key_object_validate_attribute( tmpl, attr, mode );
   }

   st_err_log(8, __FILE__, __LINE__);
   return CKR_ATTRIBUTE_TYPE_INVALID;
}




// secret_key_check_required_attributes()
//
CK_RV
secret_key_check_required_attributes( TEMPLATE *tmpl, CK_ULONG mode )
{
   return key_object_check_required_attributes( tmpl, mode );
}


// secret_key_set_default_attributes()
//
// some of the common secret key attributes have defaults but none of the specific
// secret keytypes have default attributes
//
CK_RV
secret_key_set_default_attributes( TEMPLATE *tmpl, CK_ULONG mode )
{
   CK_ATTRIBUTE       *class_attr       = NULL;
   CK_ATTRIBUTE       *sensitive_attr   = NULL;
   CK_ATTRIBUTE       *encrypt_attr     = NULL;
   CK_ATTRIBUTE       *decrypt_attr     = NULL;
   CK_ATTRIBUTE       *sign_attr        = NULL;
   CK_ATTRIBUTE       *verify_attr      = NULL;
   CK_ATTRIBUTE       *wrap_attr        = NULL;
   CK_ATTRIBUTE       *unwrap_attr      = NULL;
   CK_ATTRIBUTE       *extractable_attr = NULL;
   CK_ATTRIBUTE       *never_extr_attr  = NULL;
   CK_ATTRIBUTE       *always_sens_attr = NULL;
   CK_RV            rc;


   rc = key_object_set_default_attributes( tmpl, mode );
   if (rc != CKR_OK)
      return rc;

   // add the default CKO_DATA attributes
   //
   class_attr       = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_OBJECT_CLASS) );
   sensitive_attr   = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );
   encrypt_attr     = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );
   decrypt_attr     = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );
   sign_attr        = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );
   verify_attr      = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );
   wrap_attr        = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );
   unwrap_attr      = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );
   extractable_attr = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );
   never_extr_attr  = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );
   always_sens_attr = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) );

   if (!class_attr  || !sensitive_attr || !encrypt_attr  || !decrypt_attr ||
       !sign_attr   || !verify_attr    || !wrap_attr     ||
       !unwrap_attr || !extractable_attr || !never_extr_attr || !always_sens_attr)
   {
      if (class_attr)       free( class_attr );
      if (sensitive_attr)   free( sensitive_attr );
      if (encrypt_attr)     free( encrypt_attr );
      if (decrypt_attr)     free( decrypt_attr );
      if (sign_attr)        free( sign_attr );
      if (verify_attr)      free( verify_attr );
      if (wrap_attr)        free( wrap_attr );
      if (unwrap_attr)      free( unwrap_attr );
      if (extractable_attr) free( extractable_attr );
      if (never_extr_attr)  free( never_extr_attr );
      if (always_sens_attr) free( always_sens_attr );
      st_err_log(1, __FILE__, __LINE__);

      return CKR_HOST_MEMORY;
   }

   class_attr->type       = CKA_CLASS;
   class_attr->ulValueLen = sizeof(CK_OBJECT_CLASS);
   class_attr->pValue     = (CK_BYTE *)class_attr + sizeof(CK_ATTRIBUTE);
   *(CK_OBJECT_CLASS *)class_attr->pValue = CKO_SECRET_KEY;

   sensitive_attr->type       = CKA_SENSITIVE;
   sensitive_attr->ulValueLen = sizeof(CK_BBOOL);
   sensitive_attr->pValue     = (CK_BYTE *)sensitive_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)sensitive_attr->pValue = FALSE;

   encrypt_attr->type       = CKA_ENCRYPT;
   encrypt_attr->ulValueLen = sizeof(CK_BBOOL);
   encrypt_attr->pValue     = (CK_BYTE *)encrypt_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)encrypt_attr->pValue = TRUE;

   decrypt_attr->type       = CKA_DECRYPT;
   decrypt_attr->ulValueLen = sizeof(CK_BBOOL);
   decrypt_attr->pValue     = (CK_BYTE *)decrypt_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)decrypt_attr->pValue = TRUE;

   sign_attr->type       = CKA_SIGN;
   sign_attr->ulValueLen = sizeof(CK_BBOOL);
   sign_attr->pValue     = (CK_BYTE *)sign_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)sign_attr->pValue = TRUE;

   verify_attr->type       = CKA_VERIFY;
   verify_attr->ulValueLen = sizeof(CK_BBOOL);
   verify_attr->pValue     = (CK_BYTE *)verify_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)verify_attr->pValue = TRUE;

   wrap_attr->type       = CKA_WRAP;
   wrap_attr->ulValueLen = sizeof(CK_BBOOL);
   wrap_attr->pValue     = (CK_BYTE *)wrap_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)wrap_attr->pValue = TRUE;

   unwrap_attr->type       = CKA_UNWRAP;
   unwrap_attr->ulValueLen = sizeof(CK_BBOOL);
   unwrap_attr->pValue     = (CK_BYTE *)unwrap_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)unwrap_attr->pValue = TRUE;

   extractable_attr->type       = CKA_EXTRACTABLE;
   extractable_attr->ulValueLen = sizeof(CK_BBOOL);
   extractable_attr->pValue     = (CK_BYTE *)extractable_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)extractable_attr->pValue = TRUE;

   // by default, we'll set NEVER_EXTRACTABLE == FALSE and ALWAYS_SENSITIVE == FALSE
   // If the key is being created with KEYGEN, it will adjust as necessary.
   //
   always_sens_attr->type       = CKA_ALWAYS_SENSITIVE;
   always_sens_attr->ulValueLen = sizeof(CK_BBOOL);
   always_sens_attr->pValue     = (CK_BYTE *)always_sens_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)always_sens_attr->pValue = FALSE;

   never_extr_attr->type       = CKA_NEVER_EXTRACTABLE;
   never_extr_attr->ulValueLen = sizeof(CK_BBOOL);
   never_extr_attr->pValue     = (CK_BYTE *)never_extr_attr + sizeof(CK_ATTRIBUTE);
   *(CK_BBOOL *)never_extr_attr->pValue = FALSE;

   template_update_attribute( tmpl, class_attr );
   template_update_attribute( tmpl, sensitive_attr );
   template_update_attribute( tmpl, encrypt_attr );
   template_update_attribute( tmpl, decrypt_attr );
   template_update_attribute( tmpl, sign_attr );
   template_update_attribute( tmpl, verify_attr );
   template_update_attribute( tmpl, wrap_attr );
   template_update_attribute( tmpl, unwrap_attr );
   template_update_attribute( tmpl, extractable_attr );
   template_update_attribute( tmpl, never_extr_attr );
   template_update_attribute( tmpl, always_sens_attr );

   return CKR_OK;
}


//
//
CK_RV