📄 key_mgr.c
字号:
CK_RV rc; if (!sess || !wrapped_key || !h_unwrapped_key){ st_err_log(4, __FILE__, __LINE__, __FUNCTION__); return CKR_FUNCTION_FAILED; } rc = object_mgr_find_in_map1( h_unwrapping_key, &key_obj ); if (rc != CKR_OK){ st_err_log(62, __FILE__, __LINE__); return CKR_WRAPPING_KEY_HANDLE_INVALID; } found_class = FALSE; found_type = FALSE; // some mechanisms are restricted to wrapping certain types of keys. // in these cases, the CKA_CLASS attribute is implied and isn't required // to be specified in the template (though it still may appear) // switch (mech->mechanism) { case CKM_RSA_PKCS: case CKM_RSA_X_509: keyclass = CKO_SECRET_KEY; found_class = TRUE; break;#if !(NOCMF) case CKM_CDMF_ECB: case CKM_CDMF_CBC:#endif case CKM_DES_ECB: case CKM_DES_CBC: case CKM_DES3_ECB: case CKM_DES3_CBC: case CKM_AES_ECB: case CKM_AES_CBC: keyclass = CKO_SECRET_KEY; found_class = TRUE; break;#if !(NOCMF) case CKM_CDMF_CBC_PAD:#endif case CKM_DES_CBC_PAD: case CKM_DES3_CBC_PAD: case CKM_AES_CBC_PAD: // these mechanisms can wrap any type of key so nothing is implied // break; } // extract key type and key class from the template if they exist. we // have to scan the entire template in case the CKA_CLASS or CKA_KEY_TYPE // attributes are duplicated // for (i=0; i < attrib_count; i++) { switch (attributes[i].type) { case CKA_CLASS: keyclass = *(CK_OBJECT_CLASS *)attributes[i].pValue; found_class = TRUE; break; case CKA_KEY_TYPE: keytype = *(CK_KEY_TYPE *)attributes[i].pValue; found_type = TRUE; break; } } // if we're unwrapping a private key, we can extract the key type from // the BER-encoded information // if (found_class == FALSE || (found_type == FALSE && keyclass !=CKO_PRIVATE_KEY)){ st_err_log(48, __FILE__, __LINE__); return CKR_TEMPLATE_INCOMPLETE; } // final check to see if mechanism is allowed to unwrap such a key // switch (mech->mechanism) { case CKM_RSA_PKCS: case CKM_RSA_X_509: if (keyclass != CKO_SECRET_KEY){ st_err_log(49, __FILE__, __LINE__); return CKR_TEMPLATE_INCONSISTENT; } break;#if !(NOCMF) case CKM_CDMF_ECB: case CKM_CDMF_CBC:#endif case CKM_DES_ECB: case CKM_DES_CBC: case CKM_DES3_ECB: case CKM_DES3_CBC: case CKM_AES_ECB: case CKM_AES_CBC: if (keyclass != CKO_SECRET_KEY){ st_err_log(49, __FILE__, __LINE__); return CKR_TEMPLATE_INCONSISTENT; } break;#if !(NOCMF) case CKM_CDMF_CBC_PAD:#endif case CKM_DES_CBC_PAD: case CKM_DES3_CBC_PAD: case CKM_AES_CBC_PAD: break; default: st_err_log(28, __FILE__, __LINE__); return CKR_MECHANISM_INVALID; } // looks okay...do the decryption // ctx = (ENCR_DECR_CONTEXT *)malloc(sizeof(ENCR_DECR_CONTEXT)); if (!ctx){ st_err_log(0, __FILE__, __LINE__); return CKR_HOST_MEMORY; } memset( ctx, 0x0, sizeof(ENCR_DECR_CONTEXT) ); rc = decr_mgr_init( sess, ctx, OP_UNWRAP, mech, h_unwrapping_key ); if (rc != CKR_OK) return rc; rc = decr_mgr_decrypt( sess, TRUE, ctx, wrapped_key, wrapped_key_len, data, &data_len ); if (rc != CKR_OK){ st_err_log(100, __FILE__, __LINE__); goto error; } data = (CK_BYTE *)malloc(data_len); if (!data) { st_err_log(0, __FILE__, __LINE__); rc = CKR_HOST_MEMORY; goto error; } rc = decr_mgr_decrypt( sess, FALSE, ctx, wrapped_key, wrapped_key_len, data, &data_len ); decr_mgr_cleanup( ctx ); free( ctx ); if (rc != CKR_OK){ st_err_log(100, __FILE__, __LINE__); goto error; } // if we use X.509, the data will be padded from the front with zeros. // PKCS #11 specifies that for this mechanism, CK_VALUE is to be read // from the end of the data. // // Note: the PKCS #11 reference implementation gets this wrong. // if (mech->mechanism == CKM_RSA_X_509) fromend = TRUE; else fromend = FALSE; // extract the key type from the PrivateKeyInfo::AlgorithmIndicator // if (keyclass == CKO_PRIVATE_KEY) { rc = key_mgr_get_private_key_type( data, data_len, &keytype ); if (rc != CKR_OK){ st_err_log(101, __FILE__, __LINE__); goto error; } } // we have decrypted the wrapped key data. we also // know what type of key it is. now we need to construct a new key // object... // rc = object_mgr_create_skel( sess, attributes, attrib_count, MODE_UNWRAP, keyclass, keytype, &key_obj ); if (rc != CKR_OK){ st_err_log(89, __FILE__, __LINE__); goto error; } // at this point, 'key_obj' should contain a skeleton key. depending on // the key type. we're now ready to plug in the decrypted key data. // in some cases, the data will be BER-encoded so we'll need to decode it. // // this routine also ensires that CKA_EXTRACTABLE == FALSE, // CKA_ALWAYS_SENSITIVE == FALSE and CKA_LOCAL == FALSE // switch (keyclass) { case CKO_SECRET_KEY: rc = secret_key_unwrap( key_obj->template, keytype, data, data_len, fromend ); break; case CKO_PRIVATE_KEY: rc = priv_key_unwrap( key_obj->template, keytype, data, data_len ); break; default: rc = CKR_WRAPPED_KEY_INVALID; break; } if (rc != CKR_OK){ st_err_log(173, __FILE__, __LINE__); goto error; } // at this point, the key should be fully constructed...assign // an object handle and store the key // rc = object_mgr_create_final( sess, key_obj, h_unwrapped_key ); if (rc != CKR_OK){ st_err_log(90, __FILE__, __LINE__); goto error; } if (data) free(data); return rc;error: if (key_obj) object_free( key_obj ); if (data) free(data); return rc;}CK_RVkey_mgr_get_private_key_type( CK_BYTE *keydata, CK_ULONG keylen, CK_KEY_TYPE *keytype ){ CK_BYTE *alg = NULL; CK_BYTE *priv_key = NULL; CK_ULONG alg_len; CK_RV rc; rc = ber_decode_PrivateKeyInfo( keydata, keylen, &alg, &alg_len, &priv_key ); if (rc != CKR_OK){ st_err_log(102, __FILE__, __LINE__); return rc; } // check the entire AlgorithmIdentifier for RSA // if (alg_len >= ber_rsaEncryptionLen) { if (memcmp(alg, ber_rsaEncryption, ber_rsaEncryptionLen) == 0) { *keytype = CKK_RSA; return CKR_OK; } } // Check only the OBJECT IDENTIFIER for DSA // if (alg_len >= ber_idDSALen) { if (memcmp(alg, ber_idDSA, ber_idDSALen) == 0) { *keytype = CKK_DSA; return CKR_OK; } } st_err_log(48, __FILE__, __LINE__); return CKR_TEMPLATE_INCOMPLETE;}////CK_RVkey_mgr_derive_key( SESSION * sess, CK_MECHANISM * mech, CK_OBJECT_HANDLE base_key, CK_OBJECT_HANDLE * derived_key, CK_ATTRIBUTE * pTemplate, CK_ULONG ulCount ){ if (!sess || !mech){ st_err_log(4, __FILE__, __LINE__, __FUNCTION__); return CKR_FUNCTION_FAILED; } if (!pTemplate && (ulCount != 0)){ st_err_log(4, __FILE__, __LINE__, __FUNCTION__); return CKR_FUNCTION_FAILED; } switch (mech->mechanism) { case CKM_SSL3_MASTER_KEY_DERIVE: { if (!derived_key){ st_err_log(4, __FILE__, __LINE__, __FUNCTION__); return CKR_FUNCTION_FAILED; } return ssl3_master_key_derive( sess, mech, base_key, pTemplate, ulCount, derived_key ); } break ; case CKM_SSL3_KEY_AND_MAC_DERIVE: { CK_SSL3_KEY_MAT_PARAMS *params = (CK_SSL3_KEY_MAT_PARAMS *)mech->pParameter; // Check FCV //// if (((nv_FCV.FunctionCntlBytes[DES_FUNCTION_BYTE] & FCV_56_BIT_DES) == 0) && (params->bIsExport == FALSE))// return CKR_MECHANISM_INVALID; return ssl3_key_and_mac_derive( sess, mech, base_key, pTemplate, ulCount ); } break ;/* Begin code contributed by Corrent corp. */#ifndef NODH case CKM_DH_PKCS_DERIVE: { if (!derived_key){ st_err_log(4, __FILE__, __LINE__, __FUNCTION__); return CKR_FUNCTION_FAILED; } return dh_pkcs_derive( sess, mech, base_key, pTemplate, ulCount, derived_key ); } break ;#endif/* End code contributed by Corrent corp. */ default: st_err_log(28, __FILE__, __LINE__); return CKR_MECHANISM_INVALID; }}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -