📄 dev_pk11.c
/* We've finally got everything available, try and update the device with
the certificate data. In theory we should also set CKA_PRIVATE = FALSE
but the Dallas iButton driver doesn't allow this so we have to rely on
drivers doing the right thing with the default setting */
status = C_CreateObject( pkcs11Info->hSession,
( CK_ATTRIBUTE_PTR ) certTemplate, 8,
&hObject );
if( status != CKR_OK )
cryptStatus = mapError( pkcs11Info, status, CRYPT_ERROR_FAILED );
/* Clean up */
dynDestroy( &subjectDB );
dynDestroy( &iAndSDB );
dynDestroy( &certDB );
return( cryptStatus );
}
/****************************************************************************
* *
* Device Init/Shutdown/Device Control Routines *
* *
****************************************************************************/
/* Prototypes for functions to get and free device capability information.
   In this part of the file getCapabilities() is called by initFunction()
   once a session has been opened, and freeCapabilities() is called by
   shutdownFunction(); their definitions are outside this excerpt */
static int getCapabilities( DEVICE_INFO *deviceInfo );
static void freeCapabilities( DEVICE_INFO *deviceInfo );
/* Prototypes for device-specific functions.  initFunction() installs
   getRandomFunction() as deviceInfo->getRandomFunction when the token
   reports CKF_RNG */
static int getRandomFunction( DEVICE_INFO *deviceInfo, void *buffer,
const int length );
/* Close a previously-opened session with the device and release the
   capability information.  This is defined ahead of the init function
   because the init function calls it when initialisation fails.

   The results of C_Logout() and C_CloseSession() are deliberately not
   checked, teardown is best-effort.

   NOTE(review): initFunction() also calls this on failure paths that run
   before it has stored a session handle, so hSession may not refer to an
   open session at this point - confirm that it's initialised to a value
   that the driver will reject rather than to a stale handle */
static void shutdownFunction( DEVICE_INFO *deviceInfo )
	{
	PKCS11_INFO *p11 = deviceInfo->devicePKCS11;

	/* End the authenticated state first (only if we think that we're logged
	   in), then drop the session itself */
	if( ( deviceInfo->flags & DEVICE_LOGGEDIN ) != 0 )
		{
		C_Logout( p11->hSession );
		}
	C_CloseSession( p11->hSession );

	/* Mark the handle as invalid and record that the device is neither
	   logged in nor active any more */
	p11->hSession = CRYPT_ERROR;
	deviceInfo->flags &= ~DEVICE_LOGGEDIN;
	deviceInfo->flags &= ~DEVICE_ACTIVE;

	/* Free the device capability information */
	freeCapabilities( deviceInfo );
	}
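/* Open a session with the device.

   name/nameLength give the device name, optionally followed by '::' and a
   token label.  If a label is given, the first slot whose token label
   begins with it (compared case-insensitively) is selected, otherwise the
   slot at index DEFAULT_SLOT is used.  On success the slot ID, PIN size
   limits, token label and session handle are stored in the PKCS #11 info,
   the device flags are updated from the slot and token flags, the
   capability information is set up, and CRYPT_OK is returned.

   Returns CRYPT_ARGERROR_STR1 if '::' is present but nothing follows it,
   CRYPT_ERROR_NOTFOUND if no token matches the given label,
   CRYPT_ERROR_NOTINITED if the session can't be opened and the token
   reports no initialised user PIN, and otherwise the mapped PKCS #11 error
   or the getCapabilities() error */
static int initFunction( DEVICE_INFO *deviceInfo, const char *name,
						 const int nameLength )
	{
	CK_SESSION_HANDLE hSession;
	CK_SLOT_ID slotList[ MAX_PKCS11_SLOTS ];
	CK_ULONG slotCount = MAX_PKCS11_SLOTS;
	CK_SLOT_INFO slotInfo;
	CK_TOKEN_INFO tokenInfo;
	CK_RV status;
	PKCS11_INFO *pkcs11Info = deviceInfo->devicePKCS11;
	char *labelPtr;
	int tokenSlot = DEFAULT_SLOT, i, labelLength, cryptStatus;

	/* Get information on all available slots */
	memset( slotList, 0, sizeof( slotList ) );
	status = C_GetSlotList( TRUE, slotList, &slotCount );
	if( status != CKR_OK )
		return( mapError( pkcs11Info, status, CRYPT_ERROR_OPEN ) );
	if( slotCount <= 0 )	/* Can happen in some circumstances */
		return( CRYPT_ERROR_OPEN );

	/* Check whether a token name (used to select the slot) has been
	   specified */
	for( i = 1; i < nameLength - 1; i++ )
		{
		if( name[ i ] == ':' && name[ i + 1 ] == ':' )
			{
			const void *tokenName = name + i + 2;	/* Skip '::' */
			const int tokenNameLength = nameLength - ( i + 2 );

			if( tokenNameLength <= 0 )
				return( CRYPT_ARGERROR_STR1 );

			/* The token label is a fixed-size field (the label handling
			   further down treats it as 32 bytes padded with blanks or
			   nulls), so a longer name can never match it and comparing
			   that many bytes would run past the end of the label into
			   whatever follows it in the token info */
			if( tokenNameLength > ( int ) sizeof( tokenInfo.label ) )
				return( CRYPT_ERROR_NOTFOUND );

			/* Check each slot for a token matching the given name.
			   NOTE(review): only the first tokenNameLength bytes are
			   compared, so a name that's a prefix of a longer label also
			   matches and the first such slot wins - confirm that this is
			   intended when several tokens share a label prefix */
			for( tokenSlot = 0; ( CK_ULONG ) tokenSlot < slotCount;
				 tokenSlot++ )
				{
				status = C_GetTokenInfo( slotList[ tokenSlot ], &tokenInfo );
				if( status == CKR_OK &&
					!strnicmp( tokenName, tokenInfo.label, tokenNameLength ) )
					break;
				}
			if( ( CK_ULONG ) tokenSlot == slotCount )
				return( CRYPT_ERROR_NOTFOUND );

			/* The first '::' separates the device name from the token
			   name.  Stop scanning here, otherwise a second '::' inside
			   the token name would restart the search with a shorter
			   suffix and could silently select a different token */
			break;
			}
		}
	pkcs11Info->slotID = slotList[ tokenSlot ];

	/* Get information on device-specific capabilities.
	   NOTE(review): no session has been opened by this function yet when
	   shutdownFunction() is called on the two failure paths below, so it
	   calls C_CloseSession() on whatever hSession currently holds - confirm
	   that the caller initialises hSession to an invalid handle */
	status = C_GetSlotInfo( pkcs11Info->slotID, &slotInfo );
	if( status != CKR_OK )
		{
		shutdownFunction( deviceInfo );
		return( mapError( pkcs11Info, status, CRYPT_ERROR_OPEN ) );
		}
	if( slotInfo.flags & CKF_REMOVABLE_DEVICE )
		/* The device is removable */
		deviceInfo->flags |= DEVICE_REMOVABLE;
	status = C_GetTokenInfo( pkcs11Info->slotID, &tokenInfo );
	if( status != CKR_OK )
		{
		shutdownFunction( deviceInfo );
		return( mapError( pkcs11Info, status, CRYPT_ERROR_OPEN ) );
		}
	if( tokenInfo.flags & CKF_RNG )
		/* The device has an onboard RNG that we can use */
		deviceInfo->getRandomFunction = getRandomFunction;
	if( tokenInfo.flags & CKF_CLOCK_ON_TOKEN )
		{
		const time_t theTime = getTokenTime( &tokenInfo );
		const time_t currentTime = getTime();

		/* The token claims to have an onboard clock that we can use.  Since
		   this could be arbitrarily inaccurate, we compare it with the
		   system time and only rely on it if it's within +/- 1 day of the
		   system time */
		if( theTime >= currentTime - 86400 &&
			theTime <= currentTime + 86400 )
			deviceInfo->flags |= DEVICE_TIME;
		}
	if( tokenInfo.flags & CKF_WRITE_PROTECTED )
		/* The device can't have data on it changed */
		deviceInfo->flags |= DEVICE_READONLY;
	if( tokenInfo.flags & CKF_LOGIN_REQUIRED )
		/* The user needs to log in before using various device functions */
		deviceInfo->flags |= DEVICE_NEEDSLOGIN;
	if( ( pkcs11Info->minPinSize = ( int ) tokenInfo.ulMinPinLen ) < 4 )
		/* Some devices report silly PIN sizes */
		pkcs11Info->minPinSize = 4;
	if( ( pkcs11Info->maxPinSize = ( int ) tokenInfo.ulMaxPinLen ) < 4 )
		/* Some devices report silly PIN sizes (setting this to ULONG_MAX or
		   4GB, which becomes -1 as an int, counts as silly).  Since we can't
		   differentiate between 0xFFFFFFFF = bogus value and 0xFFFFFFFF =
		   ULONG_MAX we play it safe and set the limit to 8 bytes, which most
		   devices should be able to handle */
		pkcs11Info->maxPinSize = 8;

	/* Extract the token label from the fixed-size label field */
	labelPtr = tokenInfo.label;
	for( labelLength = 32;
		 labelLength > 0 &&
		 ( labelPtr[ labelLength - 1 ] == ' ' ||
		   !labelPtr[ labelLength - 1 ] );
		 labelLength-- );	/* Strip trailing blanks/nulls */
	while( labelLength > 0 && *labelPtr == ' ' )
		{
		/* Strip leading blanks */
		labelPtr++;
		labelLength--;
		}
	if( labelLength > 0 )
		{
		/* NOTE(review): labelLength can be up to 32 here, so labelBuffer
		   has to hold at least 33 bytes - its declaration isn't visible
		   from this function, confirm the size */
		memcpy( pkcs11Info->labelBuffer, labelPtr, labelLength );
		pkcs11Info->labelBuffer[ labelLength ] = '\0';
		deviceInfo->label = pkcs11Info->labelBuffer;
		}
	else
		{
		/* There's no label for the token, use the device label instead */
		if( pkcs11InfoTbl[ pkcs11Info->deviceNo ].name[ 0 ] )
			{
			/* NOTE(review): unbounded copy, this relies on the device name
			   in pkcs11InfoTbl always fitting into labelBuffer - confirm
			   both sizes where they're declared */
			strcpy( pkcs11Info->labelBuffer,
					pkcs11InfoTbl[ pkcs11Info->deviceNo ].name );
			deviceInfo->label = pkcs11Info->labelBuffer;
			}
		}

	/* Open a session with the device.  This gets a bit awkward because we
	   can't tell whether a R/W session is OK without opening a session, but
	   we can't open a session unless we know whether a R/W session is OK,
	   so we first try for a RW session and if that fails we go for a read-
	   only session */
	status = C_OpenSession( pkcs11Info->slotID,
							CKF_RW_SESSION | CKF_SERIAL_SESSION, NULL_PTR,
							NULL_PTR, &hSession );
	if( status == CKR_TOKEN_WRITE_PROTECTED )
		status = C_OpenSession( pkcs11Info->slotID,
								CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR,
								&hSession );
	if( status != CKR_OK )
		{
		cryptStatus = mapError( pkcs11Info, status, CRYPT_ERROR_OPEN );
		if( cryptStatus == CRYPT_ERROR_OPEN &&
			!( tokenInfo.flags & CKF_USER_PIN_INITIALIZED ) )
			/* We couldn't do much with the error code, it could be that the
			   token hasn't been initialised yet but unfortunately PKCS #11
			   doesn't define an error code for this condition.  In addition
			   many tokens will allow a session to be opened and then fail
			   with a "PIN not set" error at a later point (which allows for
			   more accurate error reporting), however a small number won't
			   allow a session to be opened and return some odd-looking error
			   because there's nothing useful available.  The best way to
			   report this in a meaningful manner to the caller is to check
			   whether the user PIN has been initialised, if it hasn't then
			   it's likely that the token as a whole hasn't been initialised
			   so we return a not initialised error */
			cryptStatus = CRYPT_ERROR_NOTINITED;
		return( cryptStatus );
		}
	pkcs11Info->hSession = hSession;
	deviceInfo->flags |= DEVICE_ACTIVE;

	/* Set up the capability information for this device.  From here on a
	   session is open, so a failure has to close it again */
	cryptStatus = getCapabilities( deviceInfo );
	if( cryptStatusError( cryptStatus ) )
		{
		shutdownFunction( deviceInfo );
		return( ( cryptStatus == CRYPT_ERROR ) ?
				CRYPT_ERROR_OPEN : ( int ) cryptStatus );
		}

	return( CRYPT_OK );
	}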
/* Handle device control functions */
static int controlFunction( DEVICE_INFO *deviceInfo,
const CRYPT_ATTRIBUTE_TYPE type,
const void *data, const int dataLength )
{
CK_RV status;
PKCS11_INFO *pkcs11Info = deviceInfo->devicePKCS11;
/* Handle token present/active checks */
if( type == CRYPT_DEVINFO_LOGGEDIN )
{
CK_TOKEN_INFO tokenInfo;
CK_SLOT_INFO slotInfo;
/* Check whether the user is still logged in. This is rather
problematic because some devices can't detect a token removal,
and if they do they often can't report it to the driver. It's
also possible in some devices to remove the token and re-insert
it later without that being regarded as logging out (or you can
remove the smart card and insert your frequent flyer card and
it's still regarded as a card present). In addition if the
reader supports its own authentication mechanisms (even if it
forces a logout if the token is removed) it's possible for the
user to reinsert the token and reauthenticate themselves and it
appears as if they never logged out. In fact the only totally
foolproof way to detect a token removal/change is to try and use
the token to perform a crypto operation, which is a rather
suboptimal detection mechanism.
Because of this, the best that we can do here is check the token-
present flag and report a token-changed error if it's not set.
In addition since some devices only do a minimal check with
C_GetSlotInfo() (e.g. checking whether a microswitch is held
open by something in the slot, see above) we first call
C_GetTokenInfo(), which has a greater chance of actually trying
to access the token, before we call C_GetSlotInfo().
If there's a problem reported, we don't perform an implicit
shutdown since the user may choose to re-authenticate to the
device or perform some other action that we have no control over
in response to the token-removed notification */
status = C_GetTokenInfo( pkcs11Info->slotID, &tokenInfo );
if( status == CKR_OK )
status = C_GetSlotInfo( pkcs11Info->slotID, &slotInfo );
if( status != CKR_OK )
return( mapError( pkcs11Info, status, CRYPT_ERROR_SIGNALLED ) );
if( !( slotInfo.flags & CKF_TOKEN_PRESENT ) )
return( CRYPT_ERROR_SIGNALLED );
return( CRYPT_OK );
}
/* Handle user authorisation */
if( type == CRYPT_DEVINFO_AUTHENT_USER || \
type == CRYPT_DEVINFO_AUTHENT_SUPERVISOR )
{
/* If the user is already logged in, log them out before we try
logging in with a new authentication value */
if( deviceInfo->flags & DEVICE_LOGGEDIN )
{
C_Logout( pkcs11Info->hSession );
deviceInfo->flags &= ~DEVICE_LOGGEDIN;
}
/* Authenticate the user to the device */
status = C_Login( pkcs11Info->hSession,
( type == CRYPT_DEVINFO_AUTHENT_USER ) ? \
CKU_USER : CKU_SO, ( CK_CHAR_PTR ) data,
( CK_ULONG ) dataLength );
if( status != CKR_OK && status != CKR_USER_ALREADY_LOGGED_IN )
return( mapError( pkcs11Info, status, CRYPT_ERROR_FAILED ) );
/* The device is now ready for use */
deviceInfo->flags |= DEVICE_LOGGEDIN;
return( CRYPT_OK );
}
/* Handle authorisation value changes. The init SO/user PIN
functionality is a bit awkward in that it has to fill the gap between
C_InitToken() (which usually sets the SSO PIN but may also take an
initialisation PIN and leave the token in a state where the only valid
operation is to set the SSO PIN) and C_SetPIN() (which can only set the
SSO PIN for the SSO or the user PIN for the user). Setting the user
PIN by the SSO, which is usually required to perform any useful (non-
administrative) function with the token, requires the special-case
C_InitPIN(). In addition we can't speculatively set the user PIN to
be the same as the SSO PIN (which would be useful because in most
cases the user *is* the SSO, thus ensuring that the device behaves as
expected when the user isn't even aware that there are SSO and user
roles) because devices that implement an FSM for initialisation will
move into an undesired state once the SSO -> user change is triggered.
The FSM for initialisation on devices that perform a multi-stage
bootstrap and require all of the various intialisation functions to
be used one after the other (e.g. Fortezza) is:
uninitialised/zeroised
v
C_InitToken (enter init or SSO PIN)
v
initialised
v
C_SetPIN (change init PIN -> SSO PIN)
v
SSO initialised
v
C_InitPIN (set user PIN)
v
user initialised
v
C_Logout
C_Login (move from SO -> user state)
The final logout/login is only needed with some tokens, in others