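/*
 * generateKey
 * Invoke the PKCS#11 C_GenerateKey API to generate a key
 * for the specified mechanism with the specified attributes.
 *
 * Returns CKR_GENERAL_ERROR when no token is open, otherwise the
 * C_GenerateKey result (which is also handed to pkcsResult for logging).
 */
CK_RV
generateKey( CK_SESSION_HANDLE a_hSession,
             CK_MECHANISM *a_ptMechanism,
             CK_ATTRIBUTE *a_ptAttrList,
             CK_ULONG a_ulAttrCount,
             CK_OBJECT_HANDLE *a_phObject ) {

	CK_RV rv;

	if ( !g_bTokenOpen )
		return CKR_GENERAL_ERROR;

	rv = g_pFcnList->C_GenerateKey( a_hSession, a_ptMechanism,
	                                a_ptAttrList, a_ulAttrCount,
	                                a_phObject );
	pkcsResult( "C_GenerateKey", rv );

	return rv;
}

/*
 * createObject
 * Invoke the PKCS#11 C_CreateObject API to create an object
 * with the specified attributes.
 *
 * Returns CKR_GENERAL_ERROR when no token is open, otherwise the
 * C_CreateObject result (also handed to pkcsResult for logging).
 */
CK_RV
createObject( CK_SESSION_HANDLE a_hSession,
              CK_ATTRIBUTE *a_ptAttrList,
              CK_ULONG a_ulAttrCount,
              CK_OBJECT_HANDLE *a_phObject ) {

	CK_RV rv;

	if ( !g_bTokenOpen )
		return CKR_GENERAL_ERROR;

	rv = g_pFcnList->C_CreateObject( a_hSession, a_ptAttrList,
	                                 a_ulAttrCount, a_phObject );
	pkcsResult( "C_CreateObject", rv );

	return rv;
}

/*
 * destroyObject
 * Invoke the PKCS#11 C_DestroyObject API.
 *
 * Returns CKR_GENERAL_ERROR when no token is open, otherwise the
 * C_DestroyObject result (also handed to pkcsResult for logging).
 */
CK_RV
destroyObject( CK_SESSION_HANDLE a_hSession,
               CK_OBJECT_HANDLE a_hObject ) {

	CK_RV rv;

	if ( !g_bTokenOpen )
		return CKR_GENERAL_ERROR;

	rv = g_pFcnList->C_DestroyObject( a_hSession, a_hObject );
	pkcsResult( "C_DestroyObject", rv );

	return rv;
}

/*
 * getObjectAttributes
 * Invoke the PKCS#11 C_GetAttributeValue API to retrieve
 * the specified attributes.
 *
 * The result is reported through pkcsResultException with
 * CKR_ATTRIBUTE_TYPE_INVALID as the tolerated value (presumably so an
 * attribute the token does not support is not logged as an error - confirm
 * against pkcsResultException).  The raw result is still returned to the
 * caller, which decides how to treat CKR_ATTRIBUTE_TYPE_INVALID.
 */
CK_RV
getObjectAttributes( CK_SESSION_HANDLE a_hSession,
                     CK_OBJECT_HANDLE a_hObject,
                     CK_ATTRIBUTE *a_ptAttrList,
                     CK_ULONG a_ulAttrCount ) {

	CK_RV rv;

	if ( !g_bTokenOpen )
		return CKR_GENERAL_ERROR;

	rv = g_pFcnList->C_GetAttributeValue( a_hSession, a_hObject,
	                                      a_ptAttrList, a_ulAttrCount );
	pkcsResultException( "C_GetAttributeValue", rv,
	                     CKR_ATTRIBUTE_TYPE_INVALID );

	return rv;
}

/*
 * findObjects
 * Return a list of object handles for all objects that
 * match the specified attributes.
 *
 * On success *a_phObjList points at a heap buffer owned by the caller
 * (free() it) holding *a_pulObjCount handles.  On any failure both outputs
 * are NULL/0, no buffer is leaked, and the C_FindObjects result (or
 * CKR_HOST_MEMORY) is returned.  The find operation is always finalized
 * once C_FindObjectsInit has succeeded; a C_FindObjectsFinal failure is
 * logged but does not change the returned result.
 */
CK_RV
findObjects( CK_SESSION_HANDLE a_hSession,
             CK_ATTRIBUTE *a_ptAttrList,
             CK_ULONG a_ulAttrCount,
             CK_OBJECT_HANDLE **a_phObjList,
             CK_ULONG *a_pulObjCount ) {

	CK_RV rv, rv_temp;
	CK_ULONG ulCount = 0;
	CK_ULONG ulCurCount = 0;
	CK_ULONG ulMaxCount = 0;
	CK_OBJECT_HANDLE *phObjList = NULL;

	*a_phObjList = NULL;
	*a_pulObjCount = 0;

	if ( !g_bTokenOpen )
		return CKR_GENERAL_ERROR;

	// Initialize the find operation
	rv = g_pFcnList->C_FindObjectsInit( a_hSession, a_ptAttrList,
	                                    a_ulAttrCount );
	pkcsResult( "C_FindObjectsInit", rv );
	if ( rv != CKR_OK )
		goto out;

	// Iterate until all object handles have been returned
	do {
		CK_OBJECT_HANDLE *phTemp;

		// Grow the handle list by TPM_FIND_MAX entries.  realloc keeps the
		// handles already collected, and if it fails the old buffer is
		// still owned by phObjList and released at 'out' (the previous
		// calloc/memcpy version lost it on that path).
		ulMaxCount += TPM_FIND_MAX;
		phTemp = realloc( phObjList, ulMaxCount * sizeof( *phObjList ) );
		if ( !phTemp ) {
			logError( _("Unable to obtain memory for object handle list\n") );
			rv = CKR_HOST_MEMORY;
			goto done;
		}
		phObjList = phTemp;

		// Find the next batch of matching objects
		rv = g_pFcnList->C_FindObjects( a_hSession, phObjList + ulCurCount,
		                                TPM_FIND_MAX, &ulCount );
		pkcsResult( "C_FindObjects", rv );
		if ( rv != CKR_OK )
			goto done;

		ulCurCount += ulCount;
		// A completely filled batch means there may be more handles
	} while ( ulCurCount == ulMaxCount );

	*a_phObjList = phObjList;
	*a_pulObjCount = ulCurCount;

done:
	// Terminate the find operation
	rv_temp = g_pFcnList->C_FindObjectsFinal( a_hSession );
	pkcsResult( "C_FindObjectsFinal", rv_temp );

out:
	if ( rv != CKR_OK ) {
		free( phObjList );
		phObjList = NULL;
	}

	return rv;
}

/*
 * displayByteArray
 * Format a byte array for display.
 *
 * Prints the label and the attribute value as hex between quotes; in
 * extended mode the line is indented and terminated.  An attribute with
 * no value (zero length or no buffer) is shown as "(null)".
 */
void
displayByteArray( const char *a_pszLabel,
                  CK_ATTRIBUTE *a_ptAttr,
                  int a_bExtended ) {

	const char *pszPre = a_bExtended ? "\t" : "";
	const char *pszPost = a_bExtended ? "\n" : "";

	logMsg( "%s%s'", pszPre, a_pszLabel );
	// Guard on pValue too: a length with no buffer must never reach logHex
	if ( a_ptAttr->ulValueLen && a_ptAttr->pValue )
		logHex( a_ptAttr->ulValueLen, a_ptAttr->pValue );
	else
		logMsg( "(null)" );
	logMsg( "'%s", pszPost );
}

/*
 * attrHasValue
 * True when an attribute's length describes a real value: non-zero and
 * not the (CK_ULONG)-1 "information unavailable" length that PKCS#11 stores
 * for an attribute the token could not return (the same case that yields
 * CKR_ATTRIBUTE_TYPE_INVALID).  Treating that sentinel as a length would
 * attempt a huge allocation or pass it to logHex.
 */
static int
attrHasValue( const CK_ATTRIBUTE *a_ptAttr ) {

	return ( a_ptAttr->ulValueLen > 0 ) &&
	       ( a_ptAttr->ulValueLen != (CK_ULONG)-1 );
}

/*
 * attrQueryFailed
 * True when a getObjectAttributes result must abort the display.
 * CKR_ATTRIBUTE_TYPE_INVALID only says that some of the requested
 * attributes are unsupported, which the per-attribute lengths already
 * reflect, so it is tolerated.
 */
static int
attrQueryFailed( CK_RV a_rv ) {

	return ( a_rv != CKR_OK ) && ( a_rv != CKR_ATTRIBUTE_TYPE_INVALID );
}

/*
 * freeAttrValues
 * Release the heap buffers attached to a_ulCount attributes whose pValue
 * fields were all allocated with calloc (or left NULL).
 */
static void
freeAttrValues( CK_ATTRIBUTE *a_ptAttrList, CK_ULONG a_ulCount ) {

	CK_ULONG i;

	for ( i = 0; i < a_ulCount; i++ ) {
		free( a_ptAttrList[ i ].pValue );
		a_ptAttrList[ i ].pValue = NULL;
	}
}

/*
 * displayCertObject
 * Format a certificate object for display.
 *
 * Queries the common certificate attributes, then the attributes specific
 * to the certificate type (X.509 or X.509 attribute certificate), and
 * prints them in either extended (multi-line) or one-line form.  Every
 * buffer allocated for a variable length attribute is released before
 * returning.  Returns the last getObjectAttributes result, which may be
 * CKR_ATTRIBUTE_TYPE_INVALID when the token lacks some attribute, or
 * CKR_HOST_MEMORY when an attribute buffer cannot be allocated.
 */
CK_RV
displayCertObject( CK_SESSION_HANDLE a_hSession,
                   CK_OBJECT_HANDLE a_hObject,
                   int a_bExtended ) {

	// Indices into tCertList; keep in step with its initializer below
	enum {
		CERT_CLASS = 0,
		CERT_TOKEN,
		CERT_PRIVATE,
		CERT_MODIFIABLE,
		CERT_LABEL,
		CERT_TYPE,
		CERT_TRUSTED
	};

	CK_RV rv;
	CK_OBJECT_CLASS tClass;
	CK_BBOOL bToken;
	CK_BBOOL bPrivate;
	CK_BBOOL bModifiable;
	CK_CHAR *pszLabel = NULL;
	// Start from an impossible type so a token that does not return
	// CKA_CERTIFICATE_TYPE lands in the "unknown" branches below rather
	// than switching on an uninitialized value (CKC_X_509 is 0, so 0 is
	// not a usable default).
	CK_CERTIFICATE_TYPE tType = (CK_CERTIFICATE_TYPE)-1;
	CK_BBOOL bTrusted;
	CK_ATTRIBUTE tCertList[] = {
		{ CKA_CLASS, &tClass, sizeof( tClass ) },
		{ CKA_TOKEN, &bToken, sizeof( bToken ) },
		{ CKA_PRIVATE, &bPrivate, sizeof( bPrivate ) },
		{ CKA_MODIFIABLE, &bModifiable, sizeof( bModifiable ) },
		{ CKA_LABEL, NULL, 0 },
		{ CKA_CERTIFICATE_TYPE, &tType, sizeof( tType ) },
		{ CKA_TRUSTED, &bTrusted, sizeof( bTrusted ) },
	};
	CK_ATTRIBUTE tX509List[] = {
		{ CKA_SUBJECT, NULL, 0 },
		{ CKA_ID, NULL, 0 },
		{ CKA_ISSUER, NULL, 0 },
		{ CKA_SERIAL_NUMBER, NULL, 0 },
		{ CKA_VALUE, NULL, 0 },
	};
	CK_ATTRIBUTE tX509AttrList[] = {
		{ CKA_OWNER, NULL, 0 },
		{ CKA_AC_ISSUER, NULL, 0 },
		{ CKA_SERIAL_NUMBER, NULL, 0 },
		{ CKA_ATTR_TYPES, NULL, 0 },
		{ CKA_VALUE, NULL, 0 },
	};
	CK_ULONG ulCertCount = sizeof( tCertList ) / sizeof( CK_ATTRIBUTE );
	CK_ULONG ulX509Count = sizeof( tX509List ) / sizeof( CK_ATTRIBUTE );
	CK_ULONG ulX509AttrCount = sizeof( tX509AttrList ) / sizeof( CK_ATTRIBUTE );
	CK_ATTRIBUTE *ptAttrList = NULL;
	CK_ULONG ulAttrCount = 0;
	CK_ULONG i;

	// Retrieve the common certificate attributes.  The label entry has no
	// buffer yet, so this pass only reports its required length.
	rv = getObjectAttributes( a_hSession, a_hObject, tCertList, ulCertCount );
	if ( attrQueryFailed( rv ) )
		goto out;

	// Allocate storage for the object label (extra byte so it is a NUL
	// terminated string) and fetch it
	if ( attrHasValue( &tCertList[ CERT_LABEL ] ) ) {
		pszLabel = calloc( 1, tCertList[ CERT_LABEL ].ulValueLen + 1 );
		if ( !pszLabel ) {
			logError( _("Unable to obtain memory for object attributes\n") );
			rv = CKR_HOST_MEMORY;
			goto out;
		}
		tCertList[ CERT_LABEL ].pValue = pszLabel;

		rv = getObjectAttributes( a_hSession, a_hObject, tCertList,
		                          ulCertCount );
		if ( attrQueryFailed( rv ) )
			goto out;
	}

	// Determine the attributes to retrieve based on the certificate type
	switch ( tType ) {
	case CKC_X_509:
		ptAttrList = tX509List;
		ulAttrCount = ulX509Count;
		break;
	case CKC_X_509_ATTR_CERT:
		ptAttrList = tX509AttrList;
		ulAttrCount = ulX509AttrCount;
		break;
	default:
		ptAttrList = NULL;
		ulAttrCount = 0;
		break;
	}

	if ( ptAttrList ) {
		// Retrieve the specific certificate type attributes (for obtaining
		// the attribute lengths)
		rv = getObjectAttributes( a_hSession, a_hObject, ptAttrList,
		                          ulAttrCount );
		if ( attrQueryFailed( rv ) )
			goto out;

		// Allocate the storage with an extra byte so that values printed as
		// strings (CKA_ID below) are always NUL terminated.  Attributes the
		// token could not return keep a NULL buffer and are skipped later.
		for ( i = 0; i < ulAttrCount; i++ ) {
			if ( !attrHasValue( &ptAttrList[ i ] ) )
				continue;

			ptAttrList[ i ].pValue = calloc( 1, ptAttrList[ i ].ulValueLen + 1 );
			if ( !ptAttrList[ i ].pValue ) {
				logError( _("Unable to obtain memory for object attributes\n") );
				rv = CKR_HOST_MEMORY;
				goto out;
			}
		}

		// Now retrieve all the specific certificate type attributes
		rv = getObjectAttributes( a_hSession, a_hObject, ptAttrList,
		                          ulAttrCount );
		if ( attrQueryFailed( rv ) )
			goto out;
	}

	if ( a_bExtended ) {
		logMsg( _("Certificate Object\n") );

		// tType is a CK_ULONG; cast to match the %08x conversion
		switch ( tType ) {
		case CKC_X_509:
			logMsg( _("\tX509 Certificate\n") );
			break;
		case CKC_X_509_ATTR_CERT:
			logMsg( _("\tX509 Attribute Certificate\n") );
			break;
		default:
			logMsg( _("\tUnknown Certificate Type (%08x)\n"),
			        (unsigned int)tType );
			break;
		}

		// Only print flags the token actually returned; the others are
		// uninitialized
		if ( attrHasValue( &tCertList[ CERT_TOKEN ] ) )
			logMsg( _("\tToken Object: %s\n"),
			        bToken ? _("true") : _("false") );
		if ( attrHasValue( &tCertList[ CERT_PRIVATE ] ) )
			logMsg( _("\tPrivate Object: %s\n"),
			        bPrivate ? _("true") : _("false") );
		if ( attrHasValue( &tCertList[ CERT_MODIFIABLE ] ) )
			logMsg( _("\tModifiable Object: %s\n"),
			        bModifiable ? _("true") : _("false") );
		if ( attrHasValue( &tCertList[ CERT_LABEL ] ) )
			logMsg( _("\tLabel: '%s'\n"), pszLabel );
		// Checked against the CKA_TRUSTED entry (the old code tested the
		// CKA_CERTIFICATE_TYPE entry, so bTrusted could be printed
		// uninitialized when the token did not return it)
		if ( attrHasValue( &tCertList[ CERT_TRUSTED ] ) )
			logMsg( _("\tTrusted: %s\n"),
			        bTrusted ? _("true") : _("false") );

		// Display the attributes based on the certificate type
		switch ( tType ) {
		case CKC_X_509:
			if ( attrHasValue( &tX509List[ 0 ] ) )
				displayByteArray( _("Subject: "), &tX509List[ 0 ],
				                  a_bExtended );
			if ( attrHasValue( &tX509List[ 1 ] ) ) {
				// The buffer is NUL terminated by the extra calloc byte
				logMsg( _("\tId: '%s' ("), tX509List[ 1 ].pValue );
				displayByteArray( "", &tX509List[ 1 ], FALSE );
				logMsg( ")\n" );
			}
			if ( attrHasValue( &tX509List[ 2 ] ) )
				displayByteArray( _("Issuer: "), &tX509List[ 2 ],
				                  a_bExtended );
			if ( attrHasValue( &tX509List[ 3 ] ) )
				displayByteArray( _("Serial Number: "), &tX509List[ 3 ],
				                  a_bExtended );
			if ( attrHasValue( &tX509List[ 4 ] ) )
				displayByteArray( _("Value: "), &tX509List[ 4 ],
				                  a_bExtended );
			break;
		case CKC_X_509_ATTR_CERT:
			if ( attrHasValue( &tX509AttrList[ 0 ] ) )
				displayByteArray( _("Owner: "), &tX509AttrList[ 0 ],
				                  a_bExtended );
			if ( attrHasValue( &tX509AttrList[ 1 ] ) )
				displayByteArray( _("Issuer: "), &tX509AttrList[ 1 ],
				                  a_bExtended );
			if ( attrHasValue( &tX509AttrList[ 2 ] ) )
				displayByteArray( _("Serial Number: "), &tX509AttrList[ 2 ],
				                  a_bExtended );
			if ( attrHasValue( &tX509AttrList[ 3 ] ) )
				displayByteArray( _("Attribute Types: "), &tX509AttrList[ 3 ],
				                  a_bExtended );
			if ( attrHasValue( &tX509AttrList[ 4 ] ) )
				displayByteArray( _("Value: "), &tX509AttrList[ 4 ],
				                  a_bExtended );
			break;
		default:
			break;
		}
	} else {
		// One-line summary: type and label only
		logMsg( _("Certificate: ") );
		switch ( tType ) {
		case CKC_X_509:
			logMsg( _("Type: X509 Public Key") );
			break;
		case CKC_X_509_ATTR_CERT:
			logMsg( _("Type: X509 Attribute") );
			break;
		default:
			logMsg( _("Unknown Type (%08x)"), (unsigned int)tType );
			break;
		}
		if ( attrHasValue( &tCertList[ CERT_LABEL ] ) )
			logMsg( _(", Label: '%s'"), pszLabel );
		logMsg( "\n" );
	}

out:
	// Release every buffer allocated above; tCertList itself only owns
	// the label, the type specific list owns all of its values
	free( pszLabel );
	pszLabel = NULL;
	tCertList[ CERT_LABEL ].pValue = NULL;
	if ( ptAttrList )
		freeAttrValues( ptAttrList, ulAttrCount );

	return rv;
}

/*
 * displayAsymKeyObject
 * Format an asymmetric key object for display.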
*/CK_RVdisplayAsymKeyObject( CK_SESSION_HANDLE a_hSession, CK_OBJECT_HANDLE a_hObject, int a_bExtended ) { CK_RV rv; CK_OBJECT_CLASS tClass; CK_BBOOL bToken; CK_BBOOL bPrivate; CK_BBOOL bModifiable; CK_CHAR *pszLabel = NULL; CK_KEY_TYPE tType; CK_CHAR *pszId = NULL; CK_ATTRIBUTE tKeyList[] = { { CKA_CLASS, &tClass, sizeof( tClass ) }, { CKA_TOKEN, &bToken, sizeof( bToken ) }, { CKA_PRIVATE, &bPrivate, sizeof( bPrivate ) }, { CKA_MODIFIABLE, &bModifiable, sizeof( bModifiable ) }, { CKA_LABEL, NULL, 0 }, { CKA_KEY_TYPE, &tType, sizeof( tType ) }, { CKA_SUBJECT, NULL, 0 }, { CKA_ID, NULL, 0 }, }; CK_ULONG ulKeyCount = sizeof( tKeyList ) / sizeof( CK_ATTRIBUTE ); // Retrieve the common key attributes rv = getObjectAttributes( a_hSession, a_hObject, tKeyList, ulKeyCount ); if ( ( rv != CKR_OK ) && ( rv != CKR_ATTRIBUTE_TYPE_INVALID ) ) return rv; // Allocate storage for the object id if ( ( tKeyList[ 4 ].ulValueLen > 0 ) || ( tKeyList[ 6 ].ulValueLen > 0 ) || ( tKeyList[ 7 ].ulValueLen > 0 ) ) { if ( tKeyList[ 4 ].ulValueLen > 0 ) pszLabel = tKeyList[ 4 ].pValue = calloc( 1, tKeyList[ 4 ].ulValueLen + 1 ); if ( tKeyList[ 6 ].ulValueLen > 0 ) tKeyList[ 6 ].pValue = calloc( 1, tKeyList[ 6 ].ulValueLen + 1 ); if ( tKeyList[ 7 ].ulValueLen > 0 ) pszId = tKeyList[ 7 ].pValue = calloc( 1, tKeyList[ 7 ].ulValueLen + 1 ); rv = getObjectAttributes( a_hSession, a_hObject, tKeyList, ulKeyCount ); if ( ( rv != CKR_OK ) && ( rv != CKR_ATTRIBUTE_TYPE_INVALID ) ) return rv; } if ( a_bExtended ) { logMsg( _("Key Object\n") ); switch ( tClass ) { case CKO_PUBLIC_KEY: logMsg( _("\tPublic Key\n") ); break;