CK_BYTE *
util_create_id(int type)
{
CK_BYTE *ret = NULL;
int size = 0;
switch (type) {
case TPMTOK_PRIVATE_ROOT_KEY:
size = TPMTOK_PRIVATE_ROOT_KEY_ID_SIZE + 1;
if ((ret = malloc(size)) == NULL) {
OCK_LOG_DEBUG("malloc of %d bytes failed.",
size);
break;
}
sprintf((char *)ret, "%s", TPMTOK_PRIVATE_ROOT_KEY_ID);
break;
case TPMTOK_PUBLIC_ROOT_KEY:
size = TPMTOK_PUBLIC_ROOT_KEY_ID_SIZE + 1;
if ((ret = malloc(size)) == NULL) {
OCK_LOG_DEBUG("malloc of %d bytes failed.",
size);
break;
}
sprintf((char *)ret, "%s", TPMTOK_PUBLIC_ROOT_KEY_ID);
break;
case TPMTOK_PUBLIC_LEAF_KEY:
size = TPMTOK_PUBLIC_LEAF_KEY_ID_SIZE + 1;
if ((ret = malloc(size)) == NULL) {
OCK_LOG_DEBUG("malloc of %d bytes failed.",
size);
break;
}
sprintf((char *)ret, "%s", TPMTOK_PUBLIC_LEAF_KEY_ID);
break;
case TPMTOK_PRIVATE_LEAF_KEY:
size = TPMTOK_PRIVATE_LEAF_KEY_ID_SIZE + 1;
if ((ret = malloc(size)) == NULL) {
OCK_LOG_DEBUG("malloc of %d bytes failed.",
size);
break;
}
sprintf((char *)ret, "%s", TPMTOK_PRIVATE_LEAF_KEY_ID);
break;
default:
OCK_LOG_DEBUG("Unknown type passed to %s: %d", __FUNCTION__, type);
break;
}
return ret;
}
/* make sure the public exponent attribute is 65537 */
CK_ULONG
util_check_public_exponent(TEMPLATE *tmpl)
{
CK_BBOOL flag;
CK_ATTRIBUTE *publ_exp_attr;
CK_BYTE pubexp_bytes[] = { 1, 0, 1 };
CK_ULONG publ_exp, rc = 1;
flag = template_attribute_find(tmpl, CKA_PUBLIC_EXPONENT, &publ_exp_attr);
if (!flag){
OCK_LOG_DEBUG("Couldn't find public exponent attribute");
return CKR_TEMPLATE_INCOMPLETE;
}
switch (publ_exp_attr->ulValueLen) {
case 3:
rc = memcmp(pubexp_bytes, publ_exp_attr->pValue, 3);
break;
case sizeof(CK_ULONG):
publ_exp = *((CK_ULONG *)publ_exp_attr->pValue);
if (publ_exp == 65537)
rc = 0;
break;
default:
break;
}
return rc;
}
void
ock_err_log(int num, const char *layer, const char *file, int line)
{
if ( num < 0 || num > ERR_MAX)
num = ERR_MAX;
OCK_LOG_DEBUG("ERROR %s %s:%d %s\n", layer, file, line, ock_err_msg[num]);
}
TSS_RESULT
util_set_public_modulus(TSS_HKEY hKey, unsigned long size_n, unsigned char *n)
{
UINT64 offset;
UINT32 blob_size;
BYTE *blob, pub_blob[1024];
TCPA_PUBKEY pub_key;
TSS_RESULT result;
/* Get the TCPA_PUBKEY blob from the key object. */
result = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
&blob_size, &blob);
if (result != TSS_SUCCESS) {
OCK_LOG_DEBUG("Tspi_GetAttribData failed: rc=0x%x", result);
return result;
}
offset = 0;
result = Trspi_UnloadBlob_PUBKEY(&offset, blob, &pub_key);
if (result != TSS_SUCCESS) {
OCK_LOG_DEBUG("Tspi_GetAttribData failed: rc=0x%x", result);
return result;
}
Tspi_Context_FreeMemory(tspContext, blob);
/* Free the first dangling reference, putting 'n' in its place */
free(pub_key.pubKey.key);
pub_key.pubKey.keyLength = size_n;
pub_key.pubKey.key = n;
offset = 0;
Trspi_LoadBlob_PUBKEY(&offset, pub_blob, &pub_key);
/* Free the second dangling reference */
free(pub_key.algorithmParms.parms);
/* set the public key data in the TSS object */
result = Tspi_SetAttribData(hKey, TSS_TSPATTRIB_KEY_BLOB, TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
(UINT32)offset, pub_blob);
if (result != TSS_SUCCESS) {
OCK_LOG_DEBUG("Tspi_SetAttribData failed: rc=0x%x", result);
return result;
}
return TSS_SUCCESS;
}
int
util_set_file_mode(char *filename, mode_t mode)
{
struct stat file_stat;
if (stat(filename, &file_stat) == -1) {
OCK_LOG_DEBUG("%s: stat: %s", __FUNCTION__, strerror(errno));
return -1;
} else if ((file_stat.st_mode ^ mode) != 0) {
if (chmod(filename, mode) == -1) {
OCK_LOG_DEBUG("chmod(%s) failed: %s", filename, strerror(errno));
return -1;
}
}
return 0;
}
CK_RV XProcUnLock(void)
{
if (spinxplfd != -1)
flock(spinxplfd, LOCK_UN);
else
OCK_LOG_DEBUG("No file descriptor to unlock with.\n");
return CKR_OK;
}
int main(int argc, char *argv[])
{
int rc = 0;
LDAP *ld = NULL;
char *uri, *dn, *pw;
char *token_name = NULL;
char *manufacturer_id = NULL;
char *model = NULL;
char *serial_number = NULL;
if (argc != 5) {
printf("Usage: %s <token_name> <manufacturer> <model> "
"<serial>\n", base_name(argv[0]));
return 1;
}
token_name = argv[1];
manufacturer_id = argv[2];
model = argv[3];
serial_number = argv[4];
init_conn_data(&uri, &dn, &pw);
OCK_LOG_DEBUG("Logging in\n");
if ((rc = icsf_login(&ld, uri, dn, pw)))
goto cleanup;
OCK_LOG_DEBUG("Checking support\n");
if ((rc = icsf_check_pkcs_extension(ld)))
goto cleanup;
OCK_LOG_DEBUG("Initializing token\n");
if ((rc = icsf_create_token(ld, NULL, token_name, manufacturer_id, model,
serial_number)))
goto cleanup;
cleanup:
if (rc)
printf("Error!\n");
if (ld)
icsf_logout(ld);
return rc;
}
int main(int argc, char *argv[])
{
int rc = 0;
LDAP *ld = NULL;
char *uri, *dn, *pw;
char *token_name = NULL;
if (argc != 2) {
printf("Usage: %s <token name>\n", base_name(argv[0]));
return 1;
}
token_name = argv[1];
init_conn_data(&uri, &dn, &pw);
OCK_LOG_DEBUG("Logging in\n");
if ((rc = icsf_login(&ld, uri, dn, pw)))
goto cleanup;
OCK_LOG_DEBUG("Checking support\n");
if ((rc = icsf_check_pkcs_extension(ld)))
goto cleanup;
OCK_LOG_DEBUG("Destroying token\n");
if ((rc = icsf_destroy_token(ld, NULL, token_name)))
goto cleanup;
cleanup:
if (rc)
printf("Error!\n");
if (ld)
icsf_logout(ld);
return rc;
}
CK_RV
XProcLock(void)
{
/* see if it exists */
if (spinxplfd == -1) {
spinxplfd = open(OCK_STDLL_LOCK_FILE, O_CREAT|O_RDWR,
S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH);
if (spinxplfd == -1)
OCK_LOG_DEBUG("Failed to open lock file,%s: %s\n",
OCK_STDLL_LOCK_FILE, strerror(errno));
}
if (spinxplfd != -1)
flock(spinxplfd,LOCK_EX);
return CKR_OK;
}
TSS_FLAG
get_srk_mode(void)
{
char *mode = NULL;
int i;
int num_modes = sizeof(tss_modes)/sizeof(tss_modes[0]);
mode = getenv("OCK_SRK_MODE");
if (mode == NULL)
return 0;
/* parse */
for (i = 0; i < num_modes; i++) {
if (strncmp(mode, tss_modes[i].str, strlen(mode)) == 0)
return tss_modes[i].mode;
}
OCK_LOG_DEBUG("Unknown TSS mode set in OCK_SRK_MODE, %s.\n", mode);
return -1;
}
int
get_srk_info(struct srk_info *srk)
{
char *passwd_ptr = NULL;
char *secret = NULL;
int i;
srk->mode = get_srk_mode();
if (srk->mode == -1)
return -1;
srk->secret = NULL;
passwd_ptr = getenv("OCK_SRK_SECRET");
/* If nothing is set, then use original opencryptoki default of
* secret is NULL and TSS_SECRET_MODE_PLAIN.
*/
if (passwd_ptr == NULL) {
srk->len = 0;
if (srk->mode == 0) {
srk->mode = TSS_SECRET_MODE_PLAIN;
return 0;
}
} else
srk->len = strlen(passwd_ptr);
/* A mode required at this point... */
if (srk->mode == 0) {
OCK_LOG_DEBUG("SRK policy's secret mode is not set.\n");
return -1;
}
/*
* getenv() returns a ptr to the actual string in our env,
* so be sure to make a copy to avoid problems.
*/
if (srk->len != 0) {
if ((secret = (char *)malloc(srk->len)) == NULL) {
OCK_LOG_DEBUG("malloc of %d bytes failed.\n", srk->len);
return -1;
}
memcpy(secret, passwd_ptr, srk->len);
srk->secret = secret;
}
/* Secrets that are a hash, need to be converted from a
* hex string to an array of bytes.
*/
if (srk->mode == TSS_SECRET_MODE_SHA1) {
char *secret_h;
int h_len = TPM_SHA1_160_HASH_LEN;
if ((secret_h = (char *)malloc(h_len)) == NULL) {
OCK_LOG_DEBUG("malloc of %d bytes failed.\n", h_len);
goto error;
}
/* reuse passwd ptr since we dont need it anymore. */
passwd_ptr = secret;
/* Assume hash is read in as string of hexidecimal digits.
* 2 hex digits are required to represent a byte.
* thus we need 2 * TPM_SHA1_160_HASH_LEN to
* represent the hash.
*/
if (srk->len != (h_len * 2)) {
OCK_LOG_DEBUG("Hashed secret is %d bytes, expected %d.\n",
srk->len, h_len*2);
goto error;
}
/* convert hexadecimal string into a byte array... */
for (i = 0; i < h_len; i++) {
sscanf(passwd_ptr, "%2hhx", &secret_h[i]);
passwd_ptr += 2;
}
srk->len = h_len;
srk->secret = secret_h;
free(secret);
}
return 0;
error:
if (secret)
free(secret);
return -1;
}
