Ejemplo n.º 1
0
int open_session_and_login()
{
	CK_RV rv = CKR_OK;

	rv = C_Initialize(NULL_PTR);
	if (CKR_OK != rv)
		return EXIT_FAILURE;

	rv = C_OpenSession(FEPKCS11_APP0_TOKEN_SLOT_ID,
			   CKF_RW_SESSION | CKF_SERIAL_SESSION,
			   NULL,
			   NULL,
			   &hSession);
	if (CKR_OK != rv) {
		C_Finalize(NULL_PTR);
		return EXIT_FAILURE;
	}

	rv = C_Login(hSession, CKU_USER, NULL_PTR, 0);
	if (CKR_OK != rv) {
		C_CloseSession(hSession);
		C_Finalize(NULL_PTR);
		return EXIT_FAILURE;
	}

	return EXIT_SUCCESS;
}
Ejemplo n.º 2
0
void logout_and_close_session()
{
	C_Logout(hSession);
	C_CloseSession(hSession);
	C_Finalize(NULL_PTR);
	hSession = CK_INVALID_HANDLE;
}
Ejemplo n.º 3
0
/*
 * Open a session with this slot
 */
static
int pkcs11_open_session(PKCS11_SLOT * slot, int rw, int relogin)
{
	PKCS11_SLOT_private *priv = PRIVSLOT(slot);
	PKCS11_CTX *ctx = SLOT2CTX(slot);
	int rv;

	if (relogin == 0) {
		CHECK_SLOT_FORK(slot);

		if (priv->haveSession) {
			CRYPTOKI_call(ctx, C_CloseSession(priv->session));
			priv->haveSession = 0;
		}
	}
	rv = CRYPTOKI_call(ctx,
		C_OpenSession(priv->id,
			CKF_SERIAL_SESSION | (rw ? CKF_RW_SESSION : 0),
			NULL, NULL, &priv->session));
	CRYPTOKI_checkerr(PKCS11_F_PKCS11_OPEN_SESSION, rv);
	priv->haveSession = 1;
	priv->prev_rw = rw;

	return 0;
}
Ejemplo n.º 4
0
/*
 * krb5_reinit_ef_handle()
 *
 * deal with fork safety issue regarding the krb ctx and the pkcs11 hSession
 * field.  This function is called if it is determined that the krb ctx hSession
 * is being accessed in a child process after a fork().  This function
 * re-initilizes the pkcs11 session and returns the session handle.
 */
CK_SESSION_HANDLE
krb5_reinit_ef_handle(krb5_context ctx)
{
    ctx->cryptoki_initialized = FALSE;

    if (krb5_init_ef_handle(ctx) != 0) {
	/*
	 * krb5_free_ef_handle() not needed here -- we assume that an equivalent
	 * of C_Finalize() was done in the child-side of the fork(), so all EF
	 * resources in this context will be invalid.
	 */
	return(CK_INVALID_HANDLE);
    }

    /* reset the ctx pid since we're in a new process (child) */
    ctx->pid = __krb5_current_pid; 

    /* If the RC4 handles were initialized, reset them here */
    if (ctx->arcfour_ctx.initialized) {
	krb5_error_code ret;
	ret = krb5_open_pkcs11_session(&ctx->arcfour_ctx.eSession);
        if (ret) {
		ctx->arcfour_ctx.initialized = 0;
		ctx->arcfour_ctx.eSession = CK_INVALID_HANDLE;
		C_CloseSession(ctx->hSession);
		ctx->hSession = CK_INVALID_HANDLE;
	}
        ret = krb5_open_pkcs11_session(&ctx->arcfour_ctx.dSession);
        if (ret) {
		ctx->arcfour_ctx.initialized = 0;
		ctx->arcfour_ctx.eSession = CK_INVALID_HANDLE;
		ctx->arcfour_ctx.dSession = CK_INVALID_HANDLE;
		C_CloseSession(ctx->hSession);
		ctx->hSession = CK_INVALID_HANDLE;
	}
    }

    /* 
     * It is safe for this function to access ctx->hSession directly.  Do
     * NOT use the krb_ctx_hSession() here.
     */
    return(ctx->hSession);
}
Ejemplo n.º 5
0
krb5_error_code
krb5_free_ef_handle(krb5_context ctx)
{
	/* 
	 * fork safety: Don't free any PKCS state if we've forked since
	 * allocating the pkcs handles.
	 */
	if (ctx->cryptoki_initialized == TRUE &&
	    ctx->pid == __krb5_current_pid) {
		/* 
		 * It is safe for this function to access ctx->hSession
		 * directly.  Do NOT use the krb_ctx_hSession() here.
		 */
		if (ctx->hSession) {
			C_CloseSession(ctx->hSession);
			ctx->hSession = 0;
		}
		if (ctx->arcfour_ctx.dKey) {
			C_DestroyObject(ctx->arcfour_ctx.dSession,
				ctx->arcfour_ctx.dKey);
			ctx->arcfour_ctx.dKey = 0;
		}
		if (ctx->arcfour_ctx.eKey) {
			C_DestroyObject(ctx->arcfour_ctx.eSession,
				ctx->arcfour_ctx.eKey);
			ctx->arcfour_ctx.eKey = 0;
		}
		if (ctx->arcfour_ctx.eSession) {
			C_CloseSession(ctx->arcfour_ctx.eSession);
			ctx->arcfour_ctx.eSession = 0;
		}
		if (ctx->arcfour_ctx.dSession) {
			C_CloseSession(ctx->arcfour_ctx.dSession);
			ctx->arcfour_ctx.eSession = 0;
		}
		ctx->arcfour_ctx.initialized = 0;

		ctx->cryptoki_initialized = FALSE;
	}
	return(0);
}
Ejemplo n.º 6
0
static void crypto_token_logout(CK_SESSION_HANDLE hSession)
{
	CK_RV rv = CKR_OK;

	rv = C_Logout(hSession);
	assert(rv == CKR_OK);

	rv = C_CloseSession(hSession);
	assert(rv == CKR_OK);

	rv = C_Finalize(NULL_PTR);
	assert(rv == CKR_OK);
}
Ejemplo n.º 7
0
void TokenTests::testInitToken()
{
	CK_RV rv;
	CK_UTF8CHAR pin[] = SLOT_0_SO1_PIN;
	CK_ULONG pinLength = sizeof(pin) - 1;
	CK_UTF8CHAR label[32];
	CK_SESSION_HANDLE hSession;

	memset(label, ' ', 32);
	memcpy(label, "token1", strlen("token1"));

	// Just make sure that we finalize any previous failed tests
	C_Finalize(NULL_PTR);

	rv = C_InitToken(SLOT_INIT_TOKEN, pin, pinLength, label);
	CPPUNIT_ASSERT(rv == CKR_CRYPTOKI_NOT_INITIALIZED);

	rv = C_Initialize(NULL_PTR);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_InitToken(SLOT_INIT_TOKEN, NULL_PTR, pinLength, label);
	CPPUNIT_ASSERT(rv == CKR_ARGUMENTS_BAD);

	rv = C_InitToken(SLOT_INVALID, pin, pinLength, label);
	CPPUNIT_ASSERT(rv == CKR_SLOT_ID_INVALID);

	// Initialize
	rv = C_InitToken(SLOT_INIT_TOKEN, pin, pinLength, label);
	CPPUNIT_ASSERT(rv == CKR_OK);

	// Initialize with wrong password
	rv = C_InitToken(SLOT_INIT_TOKEN, pin, pinLength - 1, label);
	CPPUNIT_ASSERT(rv == CKR_PIN_INCORRECT);

	rv = C_OpenSession(SLOT_INIT_TOKEN, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &hSession);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_InitToken(SLOT_INIT_TOKEN, pin, pinLength, label);
	CPPUNIT_ASSERT(rv == CKR_SESSION_EXISTS);

	rv = C_CloseSession(hSession);
	CPPUNIT_ASSERT(rv == CKR_OK);

	// Re-initialize
	rv = C_InitToken(SLOT_INIT_TOKEN, pin, pinLength, label);
	CPPUNIT_ASSERT(rv == CKR_OK);

	C_Finalize(NULL_PTR);
}
Ejemplo n.º 8
0
static void shutdownFunction( DEVICE_INFO *deviceInfo )
	{
	PKCS11_INFO *pkcs11Info = deviceInfo->devicePKCS11;

	assert( isWritePtr( deviceInfo, sizeof( DEVICE_INFO ) ) );

	/* Log out and close the session with the device */
	if( deviceInfo->flags & DEVICE_LOGGEDIN )
		C_Logout( pkcs11Info->hSession );
	C_CloseSession( pkcs11Info->hSession );
	pkcs11Info->hSession = CK_OBJECT_NONE;
	deviceInfo->flags &= ~( DEVICE_ACTIVE | DEVICE_LOGGEDIN );

	/* Free the device capability information */
	freeCapabilities( deviceInfo );
	}
Ejemplo n.º 9
0
CPKCSDemoDlg::~CPKCSDemoDlg()
{
	if(m_hSession)
	{
		C_CloseSession(m_hSession);
		m_hSession = NULL_PTR;
	}
	delete[] m_pApplication;
	if(m_pSlotList)
	{
		delete[] m_pSlotList;
		m_pSlotList = NULL_PTR;
	}
	if(m_pbCipherBuffer)
	{
		delete[] m_pbCipherBuffer;
		m_pbCipherBuffer = NULL_PTR;
		m_ulCipherLen = 0;
	}
}
Ejemplo n.º 10
0
CK_BBOOL can_enter_pin(CK_SLOT_ID slot) {
	CK_SESSION_HANDLE session;
	CK_SESSION_INFO info;
	CK_BBOOL retval = CK_TRUE;

	if(C_OpenSession(slot, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session) != CKR_OK) {
		printf("Could not open a session\n");
		return CK_FALSE;
	}
	if(C_GetSessionInfo(session, &info) != CKR_OK) {
		printf("Could not request session info\n");
		return CK_FALSE;
	}
	if(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
		if(have_robot() && !is_manual_robot()) {
			fprintf(stderr, "E: robot cannot enter a pin code on a protected auth path SC reader\n");
			retval = CK_FALSE;
		}
	}
	C_CloseSession(session);
	return retval;
}
Ejemplo n.º 11
0
FLAG ECCTest_in()
{
	CK_RV rv = 0;
	CK_SLOT_ID SlotId = 0;
	CK_SESSION_HANDLE hSession = 0;
	CK_ULONG ECCPubKeyClass = CKO_PUBLIC_KEY;
	CK_ULONG ECCPriKeyClass = CKO_PRIVATE_KEY;
	CK_BYTE ECCPubLabel[] = "ECC_PUBLIC_KEY_7";
	CK_BYTE ECCPriLabel[] = "ECC_PRIVATE_KEY_7";
	CK_BBOOL isFalse = TRUE;
#if 0	/* CKA_LABEL TEST*/
	CK_ATTRUBUTE ECCKeyLabel = {
		CAK_LABEL,//type
		ECCPub//value
		//value_len
	};
#endif	/* END CAK_LABEL TEST*/
	
	CK_ATTRIBUTE ECCPubKey[] = {
		{CKA_CLASS, &ECCPubKeyClass, sizeof(ECCPubKeyClass)},
		{CKA_LABEL, &ECCPubLabel, sizeof(ECCPubLabel)},
		{CKA_TOKEN, &isFalse, sizeof(isFalse)}
							};
	
	CK_ATTRIBUTE ECCPriKey[] = {
		{CKA_CLASS, &ECCPriKeyClass, sizeof(ECCPriKeyClass)},
		{CKA_LABEL, &ECCPriLabel, sizeof(ECCPriLabel)},
		{CKA_TOKEN, &isFalse, sizeof(isFalse)}
							};

	CK_ATTRIBUTE CreateECCPriKey[] = {
		{CKA_CLASS, NULL_PTR, 0},
		{CKA_MODULUS_BITS, NULL_PTR, 0},
		{CKA_VALUE, NULL_PTR, 0}
							};

	CK_MECHANISM ECCGenKey = {CKM_ECDSA_KEY_PAIR_GEN, NULL_PTR, 0};
	CK_MECHANISM mECCEncrypt = {CKM_ECDSA_PKCS, NULL_PTR, 0};
	CK_OBJECT_HANDLE hECCPubKey = 0;
	CK_OBJECT_HANDLE hECCPriKey = 0;

	CK_BYTE indata[160] = {0x00};
	CK_BYTE outdata[300] = {0x00};
	CK_BYTE temp[300] = {0x00};
	CK_ULONG outlength = 0;
	CK_ULONG templength = 0;
	
	memset(indata, 0x31, 40);
	memset(outdata, 0x00, 300);
	memset(temp, 0x00, 300);
	
	printf("ECC Inside Encrypt and Decrypt!\n");
	rv = C_OpenSession(SlotId, CKF_SERIAL_SESSION|CKF_RW_SESSION, NULL_PTR, NULL, &hSession);
#ifdef DEVICE_KEY
	C_Login(hSession, CKU_SO, "11111111", 8);
#endif
	rv = C_GenerateKeyPair(hSession, &ECCGenKey, ECCPubKey, 3, ECCPriKey, 3, &hECCPubKey, &hECCPriKey);

	rv = C_EncryptInit(hSession, &mECCEncrypt, hECCPubKey);
	rv = C_Encrypt(hSession, indata, 40, outdata, &outlength);
	rv = C_DecryptInit(hSession, &mECCEncrypt, hECCPriKey);
	rv = C_Decrypt(hSession, outdata, outlength, temp, &templength);
	if (memcmp(indata, temp, 40) == 0 && templength == 40)
	{
		printf("OK ECC IN!\n");
	}
	else
	{
		printf("ERROR ECC IN!\n");
	}

	printf("ECC Crossing Encrypt and Decrypt!\n");
	memset(indata, 0x33, 110);
	memset(outdata, 0x00, 300);
	memset(temp, 0x00, 300);

	rv = C_GetAttributeValue(hSession, hECCPriKey, CreateECCPriKey, 3);
	if (rv == 0)
	{
		CreateECCPriKey[0].pValue = malloc(CreateECCPriKey[0].ulValueLen);
		if (CreateECCPriKey[0].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			return -1;
		}
		CreateECCPriKey[1].pValue = malloc(CreateECCPriKey[1].ulValueLen);
		if (CreateECCPriKey[1].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			FreeAttribute(CreateECCPriKey, 1);
			return -1;
		}
		
		CreateECCPriKey[2].pValue = malloc(CreateECCPriKey[2].ulValueLen);
		if (CreateECCPriKey[2].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			FreeAttribute(CreateECCPriKey, 2);
			return -1;
		}
		rv = C_GetAttributeValue(hSession, hECCPriKey, CreateECCPriKey, 3);
		rv = C_CreateObject(hSession, CreateECCPriKey, 3, &hECCPriKey);
	}
	FreeAttribute(CreateECCPriKey, 3);

	rv = C_EncryptInit(hSession, &mECCEncrypt, hECCPubKey);
	rv = C_Encrypt(hSession, indata, 110, outdata, &outlength);
	rv = C_DecryptInit(hSession, &mECCEncrypt, hECCPriKey);
	rv = C_Decrypt(hSession, outdata, outlength, temp, &templength);
	if (memcmp(indata, temp, 110) == 0 && templength == 110)
	{
		printf("OK ECC Crossing!\n");
	}
	else
	{
		printf("ERROR ECC Crossing!\n");
	}
#ifdef DEVICE_KEY
	C_Logout(hSession);
#endif
	C_CloseSession(hSession);

	return 0;
}
Ejemplo n.º 12
0
Archivo: fuzz.c Proyecto: Fedict/eid-mw 
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
	static bool initialized = false;
	CK_SLOT_ID slot;
	CK_ULONG count = 0, type;
	CK_SLOT_ID_PTR slotlist = NULL;
	CK_RV rv;
	CK_SESSION_HANDLE session;
	CK_ATTRIBUTE attrs[2];
	CK_OBJECT_HANDLE object;

	beid_set_fuzz_data(data, size, "3F00DF014031");
	check_rv(C_Initialize(NULL));
	do {
		slotlist = realloc(slotlist, sizeof(CK_SLOT_ID) * count);
	} while((rv = C_GetSlotList(CK_TRUE, slotlist, &count)) == CKR_BUFFER_TOO_SMALL);

	check_rv_late("C_GetSlotList");

	assert(count > 0);

	check_rv(C_OpenSession(slotlist[0], CKF_SERIAL_SESSION, NULL, NULL, &session));
	free(slotlist);
	slotlist = NULL;

	attrs[0].type = CKA_CLASS;
	attrs[0].pValue = &type;
	type = CKO_DATA;
	attrs[0].ulValueLen = sizeof(CK_ULONG);
	attrs[1].type = CKA_OBJECT_ID;
	attrs[1].pValue = "id";
	attrs[1].ulValueLen = strlen("id");

	check_rv(C_FindObjectsInit(session, attrs, 2));

	char *label_str = NULL;
	char *value_str = NULL;
	char *objid_str = NULL;

	do {
		char junk[1024];

		CK_ATTRIBUTE data[3] = {
			{CKA_LABEL, NULL_PTR, 0},
			{CKA_VALUE, NULL_PTR, 0},
			{CKA_OBJECT_ID, NULL_PTR, 0},
		};

		check_rv(C_FindObjects(session, &object, 1, &count));
		if(!count) continue;

		free(label_str);
		free(value_str);
		free(objid_str);

		check_rv(C_GetAttributeValue(session, object, data, 3));

		label_str = calloc(data[0].ulValueLen + 1, 1);
		data[0].pValue = label_str;

		value_str = calloc(data[1].ulValueLen + 1, 1);
		data[1].pValue = value_str;

		objid_str = calloc(data[2].ulValueLen + 1, 1);
		data[2].pValue = objid_str;

		check_rv(C_GetAttributeValue(session, object, data, 3));

		snprintf(junk, sizeof(junk), "%s%s%s", label_str, value_str, objid_str);
	} while(count);

	printf("label: %s, objid: %s, value: %s\n", label_str, objid_str, value_str);

	free(label_str);
	free(value_str);
	free(objid_str);

	check_rv(C_CloseSession(session));
	check_rv(C_Finalize(NULL));

	return 0;
}
Ejemplo n.º 13
0
BOOL UpdateValidationX509::ValidateUpdate( MFUpdate* pUpdate, UINT8* pValidation, INT32 validationLen )
{
    CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS };
    CK_SLOT_ID slotID;
    CK_SESSION_HANDLE session;
    CK_OBJECT_CLASS ckoCert = CKO_CERTIFICATE;
    CK_OBJECT_HANDLE hCACert;
    CK_MECHANISM_TYPE sha1Mech = CKM_SHA_1;
    CK_MECHANISM mech = { CKM_RSA_PKCS, &sha1Mech, sizeof(sha1Mech) };
    BOOL retVal = FALSE;
    UINT8* caCert;
    UINT32 certLen = 0;

    if(g_DebuggerPortSslConfig.GetCertificateAuthority == NULL)
    {
        return FALSE;
    }
    
    g_DebuggerPortSslConfig.GetCertificateAuthority( &caCert, &certLen );

    CK_ATTRIBUTE attribs[] =
    {
        { CKA_CLASS   , &ckoCert, sizeof(ckoCert) },
        { CKA_VALUE   , caCert  , certLen         }
    };

    if(pUpdate->Providers->Storage == NULL) return FALSE;
    if(certLen == 0 || caCert == NULL     ) return FALSE;
    if(pValidation == NULL                ) return FALSE;

    C_Initialize(NULL);

    slotID = Cryptoki_FindSlot(NULL, mechs, ARRAYSIZE(mechs));  if(CK_SLOT_ID_INVALID == slotID) return FALSE;
    
    if(CKR_OK == C_OpenSession(slotID, CKF_SERIAL_SESSION, NULL, NULL, &session) && (CK_SESSION_HANDLE_INVALID != session))
    {
        if(CKR_OK == C_CreateObject(session, attribs, ARRAYSIZE(attribs), &hCACert) && hCACert != CK_OBJECT_HANDLE_INVALID)
        {
            if(CKR_OK == C_VerifyInit(session, &mech, hCACert)) 
            {
                UINT8 buff[512];
                INT32 len = sizeof(buff);
                INT32 updateSize = pUpdate->Header.UpdateSize;
                INT32 offset = 0;

                while(offset < updateSize)
                {
                    if((offset + len) > updateSize)
                    {
                        len = updateSize - offset;
                    }
                    
                    if(!pUpdate->Providers->Storage->Read(pUpdate->StorageHandle, offset, buff, len)) break;

                    C_VerifyUpdate(session, buff, len);

                    offset += len;
                }
                retVal = CKR_OK == C_VerifyFinal(session, pValidation, (CK_ULONG)validationLen);
            }

            C_DestroyObject(session, hCACert);
        }
        
        C_CloseSession(session);
    }

    return retVal;    
}
Ejemplo n.º 14
0
void UserTests::testLogin()
{
	CK_RV rv;
	CK_UTF8CHAR pin[] = SLOT_0_USER1_PIN;
	CK_ULONG pinLength = sizeof(pin) - 1;
	CK_UTF8CHAR sopin[] = SLOT_0_SO1_PIN;
	CK_ULONG sopinLength = sizeof(sopin) - 1;
	CK_SESSION_HANDLE hSession[2];

	// Just make sure that we finalize any previous tests
	C_Finalize(NULL_PTR);

	// Set up user PIN
	rv = C_Initialize(NULL_PTR);
	CPPUNIT_ASSERT(rv == CKR_OK);
	rv = C_OpenSession(SLOT_INIT_TOKEN, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL_PTR, NULL_PTR, &hSession[0]);
	CPPUNIT_ASSERT(rv == CKR_OK);
	rv = C_Login(hSession[0], CKU_USER, pin, pinLength);
	CPPUNIT_ASSERT(rv == CKR_USER_PIN_NOT_INITIALIZED);
	rv = C_Login(hSession[0], CKU_SO, sopin, sopinLength);
	CPPUNIT_ASSERT(rv == CKR_OK);
	rv = C_InitPIN(hSession[0], pin, pinLength);
	CPPUNIT_ASSERT(rv == CKR_OK);
	C_Finalize(NULL_PTR);

	rv = C_Login(hSession[0], CKU_SO, sopin, sopinLength);
	CPPUNIT_ASSERT(rv == CKR_CRYPTOKI_NOT_INITIALIZED);

	rv = C_Initialize(NULL_PTR);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_OpenSession(SLOT_INIT_TOKEN, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL_PTR, NULL_PTR, &hSession[0]);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(CK_INVALID_HANDLE, CKU_SO, sopin, sopinLength);
	CPPUNIT_ASSERT(rv == CKR_SESSION_HANDLE_INVALID);

	rv = C_Login(hSession[0], CKU_SO, NULL_PTR, sopinLength);
	CPPUNIT_ASSERT(rv == CKR_ARGUMENTS_BAD);

	rv = C_Login(hSession[0], CKU_SO, sopin, 0);
	CPPUNIT_ASSERT(rv == CKR_PIN_INCORRECT);

	rv = C_OpenSession(SLOT_INIT_TOKEN, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &hSession[1]);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(hSession[0], CKU_SO, sopin, sopinLength);
	CPPUNIT_ASSERT(rv == CKR_SESSION_READ_ONLY_EXISTS);

	rv = C_CloseSession(hSession[1]);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(hSession[0], CKU_USER, pin, pinLength);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(hSession[0], CKU_SO, sopin, sopinLength);
	CPPUNIT_ASSERT(rv == CKR_USER_ANOTHER_ALREADY_LOGGED_IN);

	rv = C_Logout(hSession[0]);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(hSession[0], CKU_SO, sopin, sopinLength);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(hSession[0], CKU_SO, sopin, sopinLength);
	CPPUNIT_ASSERT(rv == CKR_USER_ALREADY_LOGGED_IN);

	rv = C_Login(hSession[0], CKU_USER, pin, pinLength);
	CPPUNIT_ASSERT(rv == CKR_USER_ANOTHER_ALREADY_LOGGED_IN);

	rv = C_Logout(hSession[0]);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(hSession[0], CKU_USER, pin, pinLength - 1);
	CPPUNIT_ASSERT(rv == CKR_PIN_INCORRECT);

	rv = C_Login(hSession[0], CKU_USER, pin, pinLength);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(hSession[0], CKU_USER, pin, pinLength);
	CPPUNIT_ASSERT(rv == CKR_USER_ALREADY_LOGGED_IN);
}
Ejemplo n.º 15
0
int
main (int argc, char *argv[])
{
  CK_RV err;
  CK_SLOT_ID_PTR slots;
  CK_ULONG slots_count;
  unsigned int i;

  (void) argc;
  (void) argv;

  if (argc > 1 && !strcmp ("--printable", argv[1]))
    printable = true;
    
  init_cryptoki ();

  err = C_GetSlotList (true, NULL, &slots_count);
  fail_if_err (err);

  if (slots_count == 0)
    {
      printf ("Skipping test because no token is present.\n");
      return 77;
    }

  printf ("Number of slots with tokens: %lu\n", slots_count);
  slots = malloc (sizeof (CK_SLOT_ID) * slots_count);
  if (!slots)
    fail_if_err (CKR_HOST_MEMORY);

  err = C_GetSlotList (true, slots, &slots_count);
  fail_if_err (err);

  for (i = 0; i < slots_count; i++)
    {
      CK_SESSION_HANDLE session;
      CK_OBJECT_HANDLE object;
      CK_ULONG count;

      printf ("%2i. Slot ID %lu\n", i, slots[i]);
      err = C_OpenSession (slots[i], CKF_SERIAL_SESSION, NULL, NULL,
			   &session);
      fail_if_err (err);
     
      printf ("    Session ID: %lu\n", session);

      err = C_FindObjectsInit (session, NULL, 0);
      fail_if_err (err);

      do
	{
	  err = C_FindObjects (session, &object, 1, &count);
	  fail_if_err (err);

	  if (count)
	    {
	      printf ("    Object Handle: %lu\n", object);

	      err = dump_object (session, object);
	      fail_if_err (err);
	    }
	}
      while (count);

      err = C_FindObjectsFinal (session);
      fail_if_err (err);

      err = C_CloseSession (session);
      fail_if_err (err);
    }

  return 0;
}
Ejemplo n.º 16
0
static int
key_hdl_to_zc(libzfs_handle_t *hdl, zfs_handle_t *zhp, char *keysource,
    int crypt, zfs_cmd_t *zc, zfs_crypto_zckey_t cmd)
{
    //	CK_SESSION_HANDLE session;
	int ret = 0;
	key_format_t format;
	key_locator_t locator;
	char *uri;
	//pkcs11_uri_t p11uri;
	size_t keylen = zio_crypt_table[crypt].ci_keylen;
	char *keydata = NULL;
	size_t keydatalen = 0;
	char *tmpkeydata = NULL;
	size_t tmpkeydatalen = 0;
	uint64_t salt;
	//struct cb_arg_curl cb_curl = { 0 };

    fprintf(stderr, "in key_hdl_to_zc\r\n");

	zc->zc_crypto.zic_clone_newkey = hdl->libzfs_crypt.zc_clone_newkey;

	if (!keysource_prop_parser(keysource, &format, &locator, &uri)) {
		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
		    "invalid keysource property."));
		return (-1);
	}

	/*
	 * First check if there was anything in the handle already
	 * if so we use that and we are done with locating the data.
	 * Note that we may be looking at other fields
	 * and zic_clone_newkey even if zc_key_data_len is empty.
	 *
	 * We allow this regardless of the locator so that things
	 * like a PAM module can provide the passphrase but the user
	 * can still have "passphrase,prompt" to use zfs(1M) interactively.
	 */
	if (hdl->libzfs_crypt.zc_key_data_len != 0) {
		keydata = zfs_alloc(hdl, hdl->libzfs_crypt.zc_key_data_len);
		bcopy(hdl->libzfs_crypt.zc_key_data, keydata,
		    hdl->libzfs_crypt.zc_key_data_len);
		keydatalen = hdl->libzfs_crypt.zc_key_data_len;
		goto format_key;
	}

	/*
	 * Get the key from the URI or prompt for it.
	 * If the format is raw then prompting is a simple read(2)
	 * otherwise we put up a prompt saying what we are asking for.
	 * We can't do this with the 'zfs mount -a' that is in
	 * sys:/system/filesystem/local:default but we shouldn't
	 * cause errors or warnings there either.
	 */
	switch (locator) {
	case KEY_LOCATOR_PROMPT:
		if (format == KEY_FORMAT_RAW) {
			keydata = zfs_alloc(hdl, keylen);
			errno = 0;
			keydatalen = read(STDIN_FILENO, keydata, keylen);
			if (keydatalen != keylen) {
				free(keydata);
				return (-1);
			}

		} else {
			int tries = 0;
			do {
				/* get_passphrase allocates keydata */
				ret = get_passphrase(hdl, &keydata,
				    &keydatalen, format, zc, cmd);
			} while (ret != 0 && ++tries < 3);
			if (ret)
				return (-1);
		}
		break;
	case KEY_LOCATOR_FILE_URI:
		/*
		 * Need to tell pkcs11_read_data() how big of a key
		 * we want in case the locator URI is a device (eg, /dev/random)
		 * to be read from and not a file.
		 *
		 * Note that pkcs11_read_data allocates memory with malloc
		 * that we need to free.
		 */
#if 0 // FIXME
		keydatalen = keylen;
		ret = pkcs11_read_data(&(uri[7]),
		    (void **)&keydata, &keydatalen);
		if (ret != 0) {
			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
			    "failed to read key file: %s"), strerror(ret));
			errno = ret;
			return (-1);
		}
#endif
		break;

	case KEY_LOCATOR_PKCS11_URI:
#if 0 // FIXME
		keydatalen = keylen;
		/*
		 * Parse out the PKCS#11 URI and
		 * get the value of the wrapping key.
		 */
		if (pkcs11_parse_uri(uri, &p11uri) != PK11_URI_OK) {
			errno = EINVAL;
			return (-1);
		}
		ret = get_pkcs11_key_value(hdl, zc, cmd, &p11uri,
		    &keydata, &keydatalen);
		pkcs11_free_uri(&p11uri);
		if (ret != 0) {
			return (-1);
		}
#endif
		break;
	case KEY_LOCATOR_HTTPS_URI: {
#if 0
		CURL *curl_hdl = curl_easy_init();
		CURLcode cerr;

		cerr = curl_easy_setopt(curl_hdl, CURLOPT_URL, uri);
		if (cerr != CURLE_OK)
			goto curl_fail;
		cerr = curl_easy_setopt(curl_hdl, CURLOPT_FAILONERROR, 1L);
		if (cerr != CURLE_OK)
			goto curl_fail;
		cerr = curl_easy_setopt(curl_hdl, CURLOPT_WRITEFUNCTION,
		    get_keydata_curl);
		if (cerr != CURLE_OK)
			goto curl_fail;
		cb_curl.cb_hdl = hdl;
		cerr = curl_easy_setopt(curl_hdl, CURLOPT_WRITEDATA,
		    &cb_curl);
		if (cerr != CURLE_OK)
			goto curl_fail;
		cerr = curl_easy_perform(curl_hdl);
curl_fail:
		/*
		 * Just deal with libcurl errors here, reading the wrong key
		 * size is dealt with generically in the format_key section.
		 */
		if (cerr != 0) {
			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
			    "failed to retreive key from '%s': '%s'"),
			    uri, curl_easy_strerror(cerr));
			return (-1);
		}

		keydata = cb_curl.cb_keydata;
		keydatalen = cb_curl.cb_keydatalen;

		curl_easy_cleanup(curl_hdl);
#endif
		break;

        case KEY_LOCATOR_NONE: // Avoid Warning
            break;
		}
	}

format_key:
	if (keydata == NULL || keydatalen == 0) {
		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
		    "key can not be of zero size"));
		errno = ret;
		return (-1);
	}

	/*
	 * Now that we have the key do any transform that is necessary
	 * such as turning the hex format into raw or in the case of
	 * a passphrase running it through PKCS#5 to get the raw key.
	 *
	 * Note that zic_keydata is not malloc'd memory so that we
	 * don't have to worry about our caller freeing it.
	 */
	switch (format) {
	case KEY_FORMAT_RAW:
		bcopy(keydata, zc->zc_crypto.zic_keydata, keydatalen);
		zc->zc_crypto.zic_keydatalen = keydatalen;
		zc->zc_crypto.zic_salt = 0;
		break;
	case KEY_FORMAT_HEX:
		/*
		 * If the keylen is not on the byte boundary, in terms of hex
		 * format, and that extra char is a linefeed, we can trim it
		 */
		if (keydatalen == (keylen * 2) + 1 &&
		    keydata[keydatalen] == '\n') {
			keydatalen--;
		}

		/*
		 * hexstr_to_bytes allocates memory with malloc
		 * but we want the data in zic_keydata which isn't malloc'd
		 * so to avoid a memory leak we use a tmpkeydata buffer
		 * and bcopy it.
		 */
#if 0        // FIXME
		ret = hexstr_to_bytes(keydata, keydatalen,
		    (uchar_t **)&tmpkeydata, &tmpkeydatalen);
#endif

		if (ret) {
			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
			    "invalid hex format key."));
			errno = EACCES;
			ret = -1;
			goto out;
		}

		bcopy(tmpkeydata, zc->zc_crypto.zic_keydata, tmpkeydatalen);
		bzero(tmpkeydata, tmpkeydatalen);
		free(tmpkeydata);
		zc->zc_crypto.zic_keydatalen = tmpkeydatalen;
		zc->zc_crypto.zic_salt = 0;
		break;
	case KEY_FORMAT_PASSPHRASE:
		/* Remove any extra linefeed that may be on the end */
		if (keydata[keydatalen - 1] == '\n')
			keydatalen--;

		if (cmd == ZFS_CRYPTO_KEY_LOAD) {
			salt = zfs_prop_get_int(zhp, ZFS_PROP_SALT);
		} else {
#if 0 // FIXME
			ret = pkcs11_get_random(&salt, sizeof (uint64_t));
			if (ret) {
				zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
				    "failed to obtain salt: %s."),
				    pkcs11_strerror(ret));
				errno = EINVAL;
				ret = -1;
				goto out;
			}
#endif
		}

        fprintf(stderr, "Key is '%s' and is len %u\r\n",
                keydata, keydatalen);

        // FIXME
        tmpkeydata = strdup(keydata);
        tmpkeydatalen = keydatalen;
        salt = 0x1234;

#if 0 // FIXME
		ret = SUNW_C_GetMechSession(CKM_PKCS5_PBKD2, &session);
		if (ret) {
			zfs_error_aux(hdl,
			    dgettext(TEXT_DOMAIN,
			    "failed to access CKM_PKCS5_PBKD2: %s."),
			    pkcs11_strerror(ret));
			errno = EINVAL;
			ret = -1;
			goto out;
		}

		/*
		 * pkcs11_PasswdToKey allocates memory with malloc
		 * but we want the data in zic_keydata which isn't malloc'd
		 * so to avoid a memory leak we use a tmpkeydata buffer
		 * and bcopy it.
		 */
		ret = pkcs11_PasswdToKey(session, keydata, keydatalen,
		    (void *)&salt, sizeof (uint64_t), CKK_AES,
		    keylen, (void **)&tmpkeydata, &tmpkeydatalen);

		(void) C_CloseSession(session);

		if (ret) {
			zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
			    "failed to generate key: %s."),
			    pkcs11_strerror(ret));
			errno = EINVAL;
			ret = -1;
			goto out;
		}
#endif

		bcopy(tmpkeydata, zc->zc_crypto.zic_keydata, tmpkeydatalen);
		bzero(tmpkeydata, tmpkeydatalen);
		free(tmpkeydata);
		zc->zc_crypto.zic_keydatalen = tmpkeydatalen;
		zc->zc_crypto.zic_salt = salt;
		break;

	default:
		ASSERT(format);
	}

	if (zc->zc_crypto.zic_keydatalen != keylen) {
		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
		    "key length invalid. expected %lu bytes have %lu"),
		    keylen, zc->zc_crypto.zic_keydatalen);
		errno = EIO;
		ret = -1;
	}

    if (tmpkeydatalen) // Only decrease if NOT zero.
        tmpkeydatalen--;
	while (zc->zc_crypto.zic_keydata[tmpkeydatalen] == 0 &&
	    tmpkeydatalen > 0)
		tmpkeydatalen--;

	if (tmpkeydatalen == 0) {
		zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
                                    "invalid all zeros key %lu"), tmpkeydatalen);
		errno = EIO;
		ret = -1;
	}
out:
	if (keydata) {
		bzero(keydata, keydatalen);
		free(keydata);
	}

	return (ret);
}
Ejemplo n.º 17
0
void UserTests::testSetPIN()
{
	CK_RV rv;
	CK_UTF8CHAR pin1[] = SLOT_0_USER1_PIN;
	CK_ULONG pin1Length = sizeof(pin1) - 1;
	CK_UTF8CHAR pin2[] = SLOT_0_USER2_PIN;
	CK_ULONG pin2Length = sizeof(pin2) - 1;
	CK_UTF8CHAR so1pin[] = SLOT_0_SO1_PIN;
	CK_ULONG so1pinLength = sizeof(so1pin) - 1;
	CK_UTF8CHAR so2pin[] = SLOT_0_SO2_PIN;
	CK_ULONG so2pinLength = sizeof(so2pin) - 1;
	CK_SESSION_HANDLE hSession;

	// Just make sure that we finalize any previous tests
	C_Finalize(NULL_PTR);

	// Set up user PIN
	rv = C_Initialize(NULL_PTR);
	CPPUNIT_ASSERT(rv == CKR_OK);
	rv = C_OpenSession(SLOT_INIT_TOKEN, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL_PTR, NULL_PTR, &hSession);
	CPPUNIT_ASSERT(rv == CKR_OK);
	rv = C_Login(hSession, CKU_SO, so1pin, so1pinLength);
	CPPUNIT_ASSERT(rv == CKR_OK);
	rv = C_InitPIN(hSession, pin1, pin1Length);
	CPPUNIT_ASSERT(rv == CKR_OK);
	C_Finalize(NULL_PTR);

	rv = C_SetPIN(hSession, pin1, pin1Length, pin2, pin2Length);
	CPPUNIT_ASSERT(rv == CKR_CRYPTOKI_NOT_INITIALIZED);

	rv = C_Initialize(NULL_PTR);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_OpenSession(SLOT_INIT_TOKEN, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &hSession);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_SetPIN(CK_INVALID_HANDLE, pin1, pin1Length, pin2, pin2Length);
	CPPUNIT_ASSERT(rv == CKR_SESSION_HANDLE_INVALID);

	rv = C_SetPIN(hSession, pin1, pin1Length, pin2, pin2Length);
	CPPUNIT_ASSERT(rv == CKR_SESSION_READ_ONLY);

	rv = C_CloseSession(hSession);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_OpenSession(SLOT_INIT_TOKEN, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL_PTR, NULL_PTR, &hSession);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_SetPIN(hSession, NULL_PTR, pin1Length, pin2, pin2Length);
	CPPUNIT_ASSERT(rv == CKR_ARGUMENTS_BAD);

	rv = C_SetPIN(hSession, pin1, pin1Length, NULL_PTR, pin2Length);
	CPPUNIT_ASSERT(rv == CKR_ARGUMENTS_BAD);

	rv = C_SetPIN(hSession, pin1, pin1Length, pin2, 0);
	CPPUNIT_ASSERT(rv == CKR_PIN_LEN_RANGE);

	rv = C_SetPIN(hSession, pin2, pin2Length, pin2, pin2Length);
	CPPUNIT_ASSERT(rv == CKR_PIN_INCORRECT);

	rv = C_SetPIN(hSession, pin1, pin1Length, pin2, pin2Length);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(hSession, CKU_USER, pin2, pin2Length);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_SetPIN(hSession, pin1, pin1Length, pin2, pin2Length);
	CPPUNIT_ASSERT(rv == CKR_PIN_INCORRECT);

	rv = C_SetPIN(hSession, pin2, pin2Length, pin1, pin1Length);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(hSession, CKU_SO, so1pin, so1pinLength);
	CPPUNIT_ASSERT(rv == CKR_USER_ANOTHER_ALREADY_LOGGED_IN);

	rv = C_Logout(hSession);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_Login(hSession, CKU_SO, so1pin, so1pinLength);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_SetPIN(hSession, so2pin, so2pinLength, so2pin, so2pinLength);
	CPPUNIT_ASSERT(rv == CKR_PIN_INCORRECT);

	rv = C_SetPIN(hSession, so1pin, so1pinLength, so2pin, so2pinLength);
	CPPUNIT_ASSERT(rv == CKR_OK);

	rv = C_SetPIN(hSession, so1pin, so1pinLength, so1pin, so1pinLength);
	CPPUNIT_ASSERT(rv == CKR_PIN_INCORRECT);

	rv = C_SetPIN(hSession, so2pin, so2pinLength, so1pin, so1pinLength);
	CPPUNIT_ASSERT(rv == CKR_OK);
}
Ejemplo n.º 18
0
void
end_session(CK_SESSION_HANDLE session) {
    CK_RV rv;
    rv = C_CloseSession(session);
    check_return_value(rv, "close session");
}
Ejemplo n.º 19
0
void ECCSpeedTest()
{
	CK_RV rv = 0;
	CK_SLOT_ID SlotId = 0;
	CK_SESSION_HANDLE hSession = 0;
	CK_OBJECT_HANDLE hECCPubKey = 0;
	CK_OBJECT_HANDLE hECCPriKey = 0;
	CK_BBOOL isTrue = FALSE;
	CK_ULONG ECCPubKeyClass = CKO_PUBLIC_KEY;
	CK_ULONG ECCPriKeyClass = CKO_PRIVATE_KEY;
	CK_BYTE Id[] = "MY_ECC_KEY";
	
	CK_ATTRIBUTE ECCPubKey[] = {
		{CKA_CLASS, &ECCPubKeyClass, sizeof(ECCPubKeyClass)},
		{CKA_ID, &Id, strlen(Id)},
		{CKA_TOKEN, &isTrue, sizeof(isTrue)}
	};
	
	CK_ATTRIBUTE ECCPriKey[] = {
		{CKA_CLASS, &ECCPriKeyClass, sizeof(ECCPriKeyClass)},
		{CKA_ID, &Id, strlen(Id)},
		{CKA_TOKEN, &isTrue, sizeof(isTrue)}
	};
	
	CK_MECHANISM ECCGenKey = {CKM_ECDSA_KEY_PAIR_GEN, NULL_PTR, 0};
	CK_MECHANISM mECCEncrypt = {CKM_ECDSA_PKCS, NULL_PTR, 0};
	CK_BYTE indata[160] = {0x00};
	CK_BYTE outdata[300] = {0x00};
	CK_BYTE temp[300] = {0x00};
	CK_ULONG outlength = 0;
	CK_ULONG templength = 0;
	CK_ULONG i = 0;

	LARGE_INTEGER Frequency;
	LARGE_INTEGER StartNum;
	LARGE_INTEGER EndNum;
	double Second;

	memset(indata, 0x42, 111);
	memset(outdata, 0x00, 300);
	memset(temp, 0x00, 300);

	rv = C_OpenSession(SlotId, CKF_SERIAL_SESSION|CKF_RW_SESSION, NULL_PTR, NULL, &hSession);
#ifdef DEVICE_KEY
	C_Login(hSession, CKU_SO, "11111111", 8);
#endif
	QueryPerformanceFrequency(&Frequency);
	QueryPerformanceCounter(&StartNum);
	for (i=0; i<LOOPTIMES; i++)
	{
		C_GenerateKeyPair(hSession, &ECCGenKey, ECCPubKey, 3, ECCPriKey, 3, &hECCPubKey, &hECCPriKey);
	}
	QueryPerformanceCounter(&EndNum);
	Second = (double)(((EndNum.QuadPart - StartNum.QuadPart)+0.0)/Frequency.QuadPart);
	printf("Generate ECC Key Time is: %03f s\n", Second/LOOPTIMES);
	
	QueryPerformanceCounter(&StartNum);
	for (i=0; i<LOOPTIMES; i++)
	{
		C_EncryptInit(hSession, &mECCEncrypt, hECCPubKey);
		C_Encrypt(hSession, indata, 111, outdata, &outlength);
		C_DecryptInit(hSession, &mECCEncrypt, hECCPriKey);
		C_Decrypt(hSession, outdata, outlength, temp, &templength);
	}
	QueryPerformanceCounter(&EndNum);
	Second = (double)(((EndNum.QuadPart - StartNum.QuadPart)+0.0)/Frequency.QuadPart);
	printf("ECC Encrypt and Decrypt Time is: %03f s\n", Second/LOOPTIMES);
#ifdef DEVICE_KEY
	C_Logout(hSession);
#endif
	C_CloseSession(hSession);

}
Ejemplo n.º 20
0
KMF_RETURN
PKCS_EncryptData(KMF_HANDLE_T kmfh,
		KMF_ALGORITHM_INDEX AlgorithmId,
		KMF_X509_SPKI *keyp,
		KMF_DATA *plaintext,
		KMF_DATA *ciphertext)
{
	KMF_RETURN rv = KMF_OK;
	CK_RV ckRv;
	CK_MECHANISM ckMechanism;
	CK_MECHANISM_TYPE mechtype;
	CK_KEY_TYPE keytype;
	CK_OBJECT_HANDLE ckKeyHandle = 0;
	CK_SESSION_HANDLE ckSession = NULL;
	CK_ULONG out_len = 0, in_len = 0, total_encrypted = 0;
	uint8_t *in_data, *out_data;
	int i, blocks, block_size;
	CK_ATTRIBUTE ckTemplate[2];
	CK_ULONG ckNumTemplates;
	CK_ULONG ckMaxTemplates = (sizeof (ckTemplate) /
	    sizeof (CK_ATTRIBUTE));

	if (get_pk11_data(AlgorithmId, &keytype, &mechtype, NULL, 0))
		return (KMF_ERR_BAD_ALGORITHM);

	rv = kmf_create_pk11_session(&ckSession, mechtype, CKF_ENCRYPT);
	if (rv != KMF_OK)
		return (rv);

	/* Get the public key used in encryption */
	rv = PKCS_AcquirePublicKeyHandle(ckSession, keyp,
	    keytype, &ckKeyHandle);

	if (rv != KMF_OK) {
		(void) C_CloseSession(ckSession);
		return (rv);
	}

	/* Get the modulus length */
	ckNumTemplates = 0;
	if (!PKCS_AddTemplate(ckTemplate, &ckNumTemplates, ckMaxTemplates,
	    CKA_MODULUS, (CK_BYTE *)NULL, sizeof (CK_ULONG))) {
		if (ckKeyHandle != 0)
			(void) C_DestroyObject(ckSession, ckKeyHandle);
		(void) C_CloseSession(ckSession);
		return (KMF_ERR_INTERNAL);
	}

	ckRv = C_GetAttributeValue(ckSession, ckKeyHandle,
	    ckTemplate, ckNumTemplates);

	if (ckRv != CKR_OK) {
		if (ckKeyHandle != 0)
			(void) C_DestroyObject(ckSession, ckKeyHandle);
		kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
		kmfh->lasterr.errcode = ckRv;
		(void) C_CloseSession(ckSession);
		return (KMF_ERR_INTERNAL);
	}
	out_len = ckTemplate[0].ulValueLen;

	if (out_len > ciphertext->Length) {
		if (ckKeyHandle != 0)
			(void) C_DestroyObject(ckSession, ckKeyHandle);
		(void) C_CloseSession(ckSession);
		return (KMF_ERR_BUFFER_SIZE);
	}

	ckMechanism.mechanism = mechtype;
	ckMechanism.pParameter = NULL_PTR;
	ckMechanism.ulParameterLen = 0;

	/* Compute the fixed input data length for single-part encryption */
	block_size = out_len - 11;

	in_data = plaintext->Data;
	out_data = ciphertext->Data;

	blocks = plaintext->Length/block_size;

	for (i = 0; i < blocks; i++) {
		ckRv = C_EncryptInit(ckSession, &ckMechanism, ckKeyHandle);
		if (ckRv != CKR_OK) {
			if (ckKeyHandle != 0)
				(void) C_DestroyObject(ckSession, ckKeyHandle);
			kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
			kmfh->lasterr.errcode = ckRv;
			(void) C_CloseSession(ckSession);
			return (KMF_ERR_INTERNAL);
		}
		ckRv = C_Encrypt(ckSession, (CK_BYTE_PTR)in_data, block_size,
		    (CK_BYTE_PTR)out_data, &out_len);

		if (ckRv != CKR_OK) {
			if (ckKeyHandle != 0)
				(void) C_DestroyObject(ckSession, ckKeyHandle);
			kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
			kmfh->lasterr.errcode = ckRv;
			(void) C_CloseSession(ckSession);
			return (KMF_ERR_INTERNAL);
		}

		out_data += out_len;
		total_encrypted += out_len;
		in_data += block_size;
	}

	if (plaintext->Length % block_size) {
		/* Encrypt the remaining data */
		ckRv = C_EncryptInit(ckSession, &ckMechanism, ckKeyHandle);
		if (ckRv != CKR_OK) {
			if (ckKeyHandle != 0)
				(void) C_DestroyObject(ckSession, ckKeyHandle);
			kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
			kmfh->lasterr.errcode = ckRv;
			(void) C_CloseSession(ckSession);
			return (KMF_ERR_INTERNAL);
		}

		in_len = plaintext->Length % block_size;
		ckRv = C_Encrypt(ckSession, (CK_BYTE_PTR)in_data, in_len,
		    (CK_BYTE_PTR)out_data, &out_len);

		if (ckRv != CKR_OK) {
			if (ckKeyHandle != 0)
				(void) C_DestroyObject(ckSession, ckKeyHandle);
			kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
			kmfh->lasterr.errcode = ckRv;
			(void) C_CloseSession(ckSession);
			return (KMF_ERR_INTERNAL);
		}

		out_data += out_len;
		total_encrypted += out_len;
		in_data += in_len;
	}

	ciphertext->Length = total_encrypted;

	if (ckKeyHandle != 0)
		(void) C_DestroyObject(ckSession, ckKeyHandle);

	(void) C_CloseSession(ckSession);
	return (rv);

}
Ejemplo n.º 21
0
int ssl_connect_internal(int sd, const char* szTargetHost, int sslContextHandle)
{
    int err = SOCK_SOCKET_ERROR;
    SSL *ssl = NULL;
    int nonblock = 0;

    // Retrieve SSL struct from g_SSL_Driver    
    if((sslContextHandle >= ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0))
    {
        goto error;
    }
    
    // sd should already have been created
    // Now do the SSL negotiation   
    ssl = (SSL*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext;
    if (ssl == NULL) goto error;

    if (!SSL_set_fd(ssl, sd))
    {
        goto error;
    }

    if(ssl->verify_mode != SSL_VERIFY_NONE)
    {
        SSL_CTX* pCtx = SSL_get_SSL_CTX(ssl);

        if(pCtx != NULL)
        {
            X509_STORE *pStore = SSL_CTX_get_cert_store(pCtx);

            if(sk_num(&pStore->objs->stack) == 0)
            {
                CryptokiSession* pSession;
                CK_SLOT_ID  slotID;
                OBJECT_DATA* pObj;
                CK_ATTRIBUTE attribs[2];
                CK_OBJECT_CLASS cls = SwapEndianIfBEc32(CKO_CERTIFICATE);
                LPSTR label = "CA";
                CK_SESSION_HANDLE hSess;

                if(CKR_OK == C_OpenSession(0, CKF_SERIAL_SESSION, NULL, NULL, &hSess) && 
                   CKR_OK == Cryptoki_GetSlotIDFromSession(hSess, &slotID, &pSession))
                {
                    attribs[0].type = CKA_CLASS;
                    attribs[0].pValue = &cls;
                    attribs[0].ulValueLen = sizeof(cls);

                    attribs[1].type = CKA_LABEL;
                    attribs[1].pValue = label;
                    attribs[1].ulValueLen = 2;

                    if(CKR_OK == C_FindObjectsInit(hSess, attribs, ARRAYSIZE(attribs)))
                    {
                        CK_OBJECT_HANDLE hObjs[20];
                        CK_ULONG cnt = 0;

                        if(CKR_OK == C_FindObjects(hSess, hObjs, ARRAYSIZE(hObjs), &cnt) && cnt > 0)
                        {
                            for(int i=0; i<cnt; i++)
                            {
                                pObj = PKCS11_Objects_OpenSSL::GetObjectFromHandle(&pSession->Context, hObjs[i]);

                                if(pObj != NULL && pObj->Type == 3 /*CertificateType*/)
                                {
                                    CERT_DATA* pCert = (CERT_DATA*)pObj->Data;

                                    X509_STORE_add_cert(pStore, pCert->cert);
                                }
                            }
                        }

                        C_FindObjectsFinal(hSess);
                    }
                }

                if(pStore->objs == NULL || 0 == sk_num(&pStore->objs->stack))
                {
                    ssl->verify_mode = SSL_VERIFY_NONE;
                }

                C_CloseSession(hSess);
            }
        }
    }

    if(szTargetHost != NULL && szTargetHost[0] != 0)
    {
        SSL_set_tlsext_host_name(ssl, szTargetHost);
    }

    SOCK_ioctl(sd, SOCK_FIONBIO, &nonblock);

    err = SSL_connect (ssl);    

    nonblock = 1;
    SOCK_ioctl(sd, SOCK_FIONBIO, &nonblock);

    err = SSL_get_error(ssl,err);
      
    if(err == SSL_ERROR_WANT_READ)
    {
        err = SOCK_EWOULDBLOCK;
#if !defined(TCPIP_LWIP) && !defined(TCPIP_LWIP_OS)
        SOCKET_DRIVER.ClearStatusBitsForSocket( sd, FALSE );        
#endif
    }
    else if(err == SSL_ERROR_WANT_WRITE)
    {
        err = SOCK_TRY_AGAIN;
#if !defined(TCPIP_LWIP) && !defined(TCPIP_LWIP_OS)
        SOCKET_DRIVER.ClearStatusBitsForSocket( sd, TRUE );        
#endif
    }

    SOCKET_DRIVER.SetSocketSslData(sd, (void*)ssl);

error:
    return err;
}
Ejemplo n.º 22
0
int main(int argc, char const *argv[]){
	CK_RV rv = CKR_OK;
	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
	CK_SLOT_ID slotId = 0;
	FILE *file;
	FILE *file_out;
	
	char * key_name;
	char command;

	if (argc !=3) {
		printf("Wrong arguments\n");
		printf("Usage:\n");
		printf("\t%s <command> <key name>\n", argv[0]);
		printf("\t\te - encode\n\t\td - decode\n\n");
		return 1;
	}

	/* read the command and key name arguments from the command line */
	command = argv[1][0];
	key_name = argv[2];

	/* Initialise the cryptoki API */
	printf( "Initializing Cryptoki API ... " );
    rv = C_Initialize(NULL);
    CHECK_CK_RV_GOTO(rv, "C_Initialize", end);
	printf( "OK\n" );

	/* Obtain a session so we can perform cryptoki operations */
	printf( "Obtaining a session ... " );
    rv = C_OpenSession(slotId, CKF_RW_SESSION, NULL, NULL, &hSession);
    CHECK_CK_RV_GOTO(rv, "C_OpenSession", end);
	printf( "OK\n" );

	printf("Using key: %s\n", key_name);

    /* Login as a user with a PIN */
	printf( "Logining as a user with a PIN ... " );
	rv = C_Login(hSession, CKU_USER, (CK_CHAR_PTR)USERPIN, (CK_SIZE) strlen((char*)USERPIN));
	CHECK_CK_RV_GOTO(rv, "C_Login as User", end);
	printf( "OK\n" );

	printf("Creating 3DES secret key ... ");
	rv = CreateSecretKeyObject(hSession, &hKey, key_name);
	CHECK_CK_RV_GOTO(rv, "CreateSecretKeyObject", end);
	printf("OK\n");

	printf("Finding 3DES key ... ");
	rv = findObject(hSession, CKO_SECRET_KEY, key_name, &hKey);
	CHECK_CK_RV_GOTO(rv, "findObject", end);
	printf("OK\n");
		
	switch(command) {
		
		case 'e':
			printf("Opening file... ");
			file = fopen("input.txt", "rb");
			if (!file) {
				printf("file not found\n");
				return 1;
			} else {
				file_out = fopen("output.txt", "wb");
				printf("ok\n");
			}
			
			printf("Encrypting file with 3DES ... ");
			rv = encryptDataLoop(file, file_out, hSession, hKey);
			CHECK_CK_RV_GOTO(rv, "encryptDataLoop", end);
			printf("OK\n");

			fclose(file);
			fclose(file_out);
			break;
		
		case 'd':
			printf("Opening file... ");
			file = fopen("output.txt", "rb");
			if (!file) {
				printf("file not found\n");
				return 1;
			} else {
				file_out = fopen("output2.txt", "wb");
				printf("ok\n");
			}

			printf("Decrypting file with 3DES ... ");
			rv = decryptDataLoop(file, file_out, hSession, hKey);
			CHECK_CK_RV_GOTO(rv, "decryptDataLoop", end);
			printf("OK\n");

			fclose(file);
			fclose(file_out);
			break;

		default:
			printf("Unknown command: %s\n", argv[1]);
	}

	/** Destroying the 3DES key */
	printf("Destrying the 3DES key ... ");
	rv = C_DestroyObject(hSession, hKey);
	CHECK_CK_RV_GOTO(rv, "DestroyObject", end);
	printf("OK\n");

	/* We've finished our work, close the session */
	printf( "Closing the session ... " );
    rv = C_CloseSession(hSession);
    CHECK_CK_RV_GOTO(rv, "C_CloseSession", end);
	printf("OK\n");

    /* We no longer need the cryptoki API ... */
	printf( "Finilizing the cryptoki ... " );
    rv = C_Finalize(NULL);
    CHECK_CK_RV_GOTO(rv, "C_Finalize", end);
	printf("OK\n");

	end:
    if (rv != CKR_OK)
    {
        fprintf(stderr,
                "Error performing create key operation : 0x%lx\n",
                rv);
        /* Clean up... we don't care if there are any errors.
         */
        if (hSession != CK_INVALID_HANDLE) C_CloseSession(hSession);
        C_Finalize(NULL);
    }
    return rv;
}
Ejemplo n.º 23
0
FLAG ECCTest_out()
{
	CK_RV rv = 0;
	CK_SLOT_ID SlotId = 0;
	CK_SESSION_HANDLE hSession = 0;
	CK_OBJECT_HANDLE hECCPubKey = 0;
	CK_OBJECT_HANDLE hECCPriKey = 0;
	CK_BBOOL isTrue = TRUE;
	CK_ULONG ECCPubKeyClass = CKO_PUBLIC_KEY;
	CK_ULONG ECCPriKeyClass = CKO_PRIVATE_KEY;
	CK_BYTE Id[] = "MY_ECC_KEY";

	CK_ATTRIBUTE ECCPubKey[] = {
		{CKA_CLASS, &ECCPubKeyClass, sizeof(ECCPubKeyClass)},
		{CKA_ID, &Id, strlen(Id)},
		{CKA_TOKEN, &isTrue, sizeof(isTrue)}
								};

	CK_ATTRIBUTE ECCPriKey[] = {
		{CKA_CLASS, &ECCPriKeyClass, sizeof(ECCPriKeyClass)},
		{CKA_ID, &Id, strlen(Id)},
		{CKA_TOKEN, &isTrue, sizeof(isTrue)}
								};

	CK_ATTRIBUTE CreateECCPubKey[] = {
		{CKA_CLASS, NULL_PTR, 0},
		{CKA_MODULUS_BITS, NULL_PTR, 0},
		{CKA_ID, NULL_PTR, 0},
		{CKA_EC_POINT, NULL_PTR, 0}
								};

	CK_ATTRIBUTE CreateECCPriKey[] = {
		{CKA_CLASS, NULL_PTR, 0},
		{CKA_ID, NULL_PTR, 0},
		{CKA_MODULUS_BITS, NULL_PTR, 0},
		{CKA_VALUE, NULL_PTR, 0}
								};
	
	CK_MECHANISM ECCGenKey = {CKM_ECDSA_KEY_PAIR_GEN, NULL_PTR, 0};
	CK_MECHANISM mECCEncrypt = {CKM_ECDSA_PKCS, NULL_PTR, 0};
	CK_BYTE indata[160] = {0x00};
	CK_BYTE outdata[300] = {0x00};
	CK_BYTE temp[300] = {0x00};
	CK_ULONG outlength = 0;
	CK_ULONG templength = 0;

	printf("ECC Outside Encrypt and Decrypt!\n");
	rv = C_OpenSession(SlotId, CKF_SERIAL_SESSION|CKF_RW_SESSION, NULL_PTR, NULL, &hSession);
#ifdef DEVICE_KEY
	C_Login(hSession, CKU_SO, "11111111", 8);
#endif
	rv = C_GenerateKeyPair(hSession, &ECCGenKey, ECCPubKey, 3, ECCPriKey, 3, &hECCPubKey, &hECCPriKey);
	rv = C_CloseSession(hSession);

	rv = C_OpenSession(SlotId, CKF_SERIAL_SESSION|CKF_RW_SESSION, NULL_PTR, NULL, &hSession);
#ifdef DEVICE_KEY
	C_Login(hSession, CKU_SO, "11111111", 8);
#endif
	rv = C_GetAttributeValue(hSession, hECCPubKey, CreateECCPubKey, 4);
	if (rv == 0)
	{
		CreateECCPubKey[0].pValue = malloc(CreateECCPubKey[0].ulValueLen);
		if (CreateECCPubKey[0].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			return -1;
		}
		CreateECCPubKey[1].pValue = malloc(CreateECCPubKey[1].ulValueLen);
		if (CreateECCPubKey[1].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			FreeAttribute(CreateECCPubKey, 1);
			return -1;
		}
		CreateECCPubKey[2].pValue = malloc(CreateECCPubKey[2].ulValueLen);
		if (CreateECCPubKey[2].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			FreeAttribute(CreateECCPubKey, 2);
			return -1;
		}
		CreateECCPubKey[3].pValue = malloc(CreateECCPubKey[3].ulValueLen);
		if (CreateECCPubKey[3].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			FreeAttribute(CreateECCPubKey, 3);
			return -1;
		}
		rv = C_GetAttributeValue(hSession, hECCPubKey, CreateECCPubKey, 4);
		rv = C_DestroyObject(hSession, hECCPubKey);
		rv = C_CreateObject(hSession, CreateECCPubKey, 4, &hECCPubKey);
	}
	FreeAttribute(CreateECCPubKey, 4);

	memset(indata, 0x33, 110);
	memset(outdata, 0x00, 300);
	memset(temp, 0x00, 300);
	
	rv = C_EncryptInit(hSession, &mECCEncrypt, hECCPubKey);
	rv = C_Encrypt(hSession, indata, 110, outdata, &outlength);

	rv = C_GetAttributeValue(hSession, hECCPriKey, CreateECCPriKey, 4);
	if (rv == 0)
	{
		CreateECCPriKey[0].pValue = malloc(CreateECCPriKey[0].ulValueLen);
		if (CreateECCPriKey[0].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			return -1;
		}
		CreateECCPriKey[1].pValue = malloc(CreateECCPriKey[1].ulValueLen);
		if (CreateECCPriKey[1].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			FreeAttribute(CreateECCPriKey, 1);
			return -1;
		}
	
		CreateECCPriKey[2].pValue = malloc(CreateECCPriKey[2].ulValueLen);
		if (CreateECCPriKey[2].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			FreeAttribute(CreateECCPriKey, 2);
			return -1;
		}
		CreateECCPriKey[3].pValue = malloc(CreateECCPriKey[3].ulValueLen);
		if (CreateECCPriKey[3].pValue == NULL)
		{
			printf("ECCTest_out->malloc ERROR!\n");
			FreeAttribute(CreateECCPriKey, 3);
			return -1;
		}
		rv = C_GetAttributeValue(hSession, hECCPriKey, CreateECCPriKey, 4);
		rv = C_DestroyObject(hSession, hECCPriKey);
		rv = C_CreateObject(hSession, CreateECCPriKey, 4, &hECCPriKey);
	}
	FreeAttribute(CreateECCPriKey, 4);

	rv = C_DecryptInit(hSession, &mECCEncrypt, hECCPriKey);
	rv = C_Decrypt(hSession, outdata, outlength, temp, &templength);
#ifdef DEVICE_KEY
	C_Logout(hSession);
#endif
	rv = C_CloseSession(hSession);

	if (memcmp(indata, temp, 110) == 0 && templength == 110)
	{
		printf("OK ECC OUT!\n");
	}
	else
	{
		printf("ERROR ECC OUT!\n");
	}
	return 0;
}
Ejemplo n.º 24
0
/*
 * Utility routine for verifying generic data using
 * the cryptographic framework (PKCS#11).
 * There are situations where we want to force this
 * operation to happen in a specific keystore.
 * For example:
 * libelfsign.so.1 verifies signatures on crypto libraries.
 * We must use pkcs11 functions to verify the pkcs11
 * plugins in order to keep the validation within the
 * Cryptographic Framework's FIPS-140 boundary. To avoid
 * a circular dependency, pksc11_softtoken.so.1 is
 * interposed by libkcfd.so.1 via kcfd, which prevents
 * libpkcs11.so.1's interfaces from being used when libkmf.so.1
 * is called from kcfd.
 *
 * This also saves code and time because verify operations
 * only use public keys and do not need acccess to any
 * keystore specific functions.
 */
KMF_RETURN
PKCS_VerifyData(KMF_HANDLE_T handle,
		KMF_ALGORITHM_INDEX AlgorithmId,
		KMF_X509_SPKI *keyp,
		KMF_DATA *data,
		KMF_DATA *signature)
{
	KMF_RETURN	rv = KMF_OK;
	CK_RV		ckRv;
	KMF_HANDLE	*kmfh = (KMF_HANDLE *)handle;
	CK_MECHANISM	ckMechanism;
	CK_MECHANISM_TYPE mechtype, hashmech;
	CK_OBJECT_HANDLE ckKeyHandle = 0;
	CK_KEY_TYPE	pk11keytype;
	CK_SESSION_HANDLE ckSession = 0;
	CK_ATTRIBUTE	subprime = { CKA_SUBPRIME, NULL, 0 };
	CK_BYTE		*dataptr;
	CK_ULONG	datalen;
	KMF_DATA	hashData = { 0, NULL };
	uchar_t		digest[1024];

	if (AlgorithmId == KMF_ALGID_NONE)
		return (KMF_ERR_BAD_ALGORITHM);

	if (get_pk11_data(AlgorithmId, &pk11keytype, &mechtype, &hashmech, 1))
		return (KMF_ERR_BAD_ALGORITHM);

	/*
	 * Verify in metaslot/softtoken since only the public key is needed
	 * and not all hardware tokens support the combined [hash]-RSA/DSA/EC
	 * mechanisms.
	 */
	rv = kmf_create_pk11_session(&ckSession, mechtype, 0);
	if (rv != KMF_OK)
		return (rv);

	/* Fetch the verifying key */
	rv = PKCS_AcquirePublicKeyHandle(ckSession, keyp,
	    pk11keytype, &ckKeyHandle);

	if (rv != KMF_OK) {
		(void) C_CloseSession(ckSession);
		return (rv);
	}
	dataptr = data->Data;
	datalen = data->Length;
	/*
	 * For some mechanisms, we must compute the hash separately
	 * and then do the verify.
	 */
	if (hashmech != 0 &&
	    (mechtype == CKM_ECDSA ||
	    mechtype == CKM_DSA ||
	    mechtype == CKM_RSA_PKCS)) {
		hashData.Data = digest;
		hashData.Length = sizeof (digest);

		rv = PKCS_DigestData(handle, ckSession,
		    hashmech, data, &hashData,
		    (mechtype == CKM_RSA_PKCS));
		if (rv)
			goto cleanup;

		dataptr = hashData.Data;
		datalen = hashData.Length;
	}
	if (mechtype == CKM_DSA &&
	    hashmech == CKM_SHA256) {
		/*
		 * FIPS 186-3 says that when using DSA
		 * the hash must be truncated to the size of the
		 * subprime.
		 */
		ckRv = C_GetAttributeValue(ckSession,
		    ckKeyHandle, &subprime, 1);
		if (ckRv != CKR_OK)  {
			kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
			kmfh->lasterr.errcode = ckRv;
			rv = KMF_ERR_INTERNAL;
			goto cleanup;
		}
		datalen = subprime.ulValueLen;
	}

	ckMechanism.mechanism = mechtype;
	ckMechanism.pParameter = NULL;
	ckMechanism.ulParameterLen = 0;

	ckRv = C_VerifyInit(ckSession, &ckMechanism, ckKeyHandle);
	if (ckRv != CKR_OK) {
		kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
		kmfh->lasterr.errcode = ckRv;
		rv = KMF_ERR_INTERNAL;
		goto cleanup;
	}
	ckRv = C_Verify(ckSession,
	    dataptr, datalen,
	    (CK_BYTE *)signature->Data,
	    (CK_ULONG)signature->Length);

	if (ckRv != CKR_OK) {
		kmfh->lasterr.kstype = KMF_KEYSTORE_PK11TOKEN;
		kmfh->lasterr.errcode = ckRv;
		rv = KMF_ERR_INTERNAL;
	}

cleanup:
	if (ckKeyHandle != 0)
		(void) C_DestroyObject(ckSession, ckKeyHandle);
	(void) C_CloseSession(ckSession);
	return (rv);
}