├── .gitignore ├── LICENSE.txt ├── Makefile.in ├── README.md ├── common.h ├── compile.ps1 ├── configure ├── configure.ac ├── pkcs11-impl.c ├── pkcs11.h ├── pkcs11f.h ├── pkcs11t.h ├── scd.c ├── scd.h ├── sec.c └── sec.h /.gitignore: -------------------------------------------------------------------------------- 1 | *.log 2 | scd*.so 3 | *.o 4 | config.status 5 | Makefile 6 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile.in: -------------------------------------------------------------------------------- 1 | # @configure_input@ 2 | CFLAGS:= -Werror -Wall -std=c99 -fPIC 3 | 4 | # CFLAGS+= $(shell libassuan-config --cflags) 5 | # LDFLAGS+= $(shell libassuan-config --libs) 6 | 7 | # CFLAGS+= $(shell libgcrypt-config --cflags) 8 | # LDFLAGS+= $(shell libgcrypt-config --libs) 9 | 10 | CFLAGS+= @extra_CFLAGS@ 11 | LDFLAGS+= @extra_LDFLAGS@ 12 | 13 | TARGET:=scd-pkcs11-$(shell uname -s)-$(shell uname -m).so 14 | TARGET_SHORTNAME:=scd-pkcs11.so 15 | SOURCES:=pkcs11-impl.c sec.c scd.c 16 | OBJECTS:=$(SOURCES:.c=.o) 17 | 18 | prefix:=@prefix@ 19 | exec_prefix:=@exec_prefix@ 20 | libdir:=@libdir@ 21 | 22 | %.o: %.c 23 | $(CC) -c $< $(CPPFLAGS) $(CFLAGS) 24 | 25 | all: $(TARGET) 26 | 27 | $(TARGET): $(OBJECTS) 28 | $(CC) -shared $(OBJECTS) -o $(TARGET) $(LDFLAGS) 29 | 30 | debug: 31 | CPPFLAGS=-DSEC_DEBUG $(MAKE) 32 | 33 | debug2: 34 | CPPFLAGS="-DSEC_DEBUG -DSEC_LOG_STDERR" $(MAKE) 35 | 36 | clean: 37 | rm -f $(TARGET) $(OBJECTS) 38 | 39 | distclean: clean 40 | rm -f Makefile config.log config.status 41 | 42 | install: $(TARGET) 43 | mkdir -pv "$(libdir)" 44 | cp "$(TARGET)" "$(libdir)/$(TARGET_SHORTNAME)" 45 | 46 | uninstall: 47 | rm -f "$(libdir)/$(TARGET_SHORTNAME)" 48 | 49 | # deps 50 | sec.c: sec.h common.h 51 | pkcs11-impl.c: sec.h scd.h common.h 52 | scd.c: scd.h common.h 53 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | SCD-PKCS#11 2 | =========== 3 | 4 | The scd-pkcs#11 module is a prototype / proof of concept PKCS#11 provider interfacing to GnuPG's smart card daemon (scdaemon). 5 | 6 | It allows PKCS#11 aware applications such as Firefox or OpenSSH to use smart cards via GnuPG's builtin smart card support. scd-pkcs#11 is an alternative to the OpenSC PKCS#11 module. 7 | 8 | ## Component Overview 9 | 10 | ### Scenario A - with SCD-PKCS#11 11 | 12 | This Scenario is the focus of this project. 13 | 14 | USB SmartCard 15 | |-- scdaemon -- gpg-agent -- GnuPG / SSH (via gpg-agent's builtin ssh-agent) 16 | |-- SCD-PKCS#11 provider 17 | |-- client app (Firefox, SSH, ...) 18 | 19 | ### Scenario B - with and without SCD-PKCS#11 20 | 21 | Problem: scdaemon needs exclusive access to the smart card 22 | 23 | USB SmartCard 24 | |-- pcscd 25 | | |-- CCID driver 26 | | |-- PKCS#11 provider (e.g. opensc-pkcs11.so) 27 | | |-- client app (Firefox, SSH, ...) 28 | | 29 | |-- scdaemon ---- gpg-agent -- GnuPG (or SSH via gpg-agent builtin ssh-agent) 30 | |-- SCD-PKCS#11 provider 31 | |-- client app 32 | 33 | ### Scenario C - without SCD-PKCS#11, but with gnupg-pkcs11-scd: 34 | 35 | USB token 36 | |-- pcscd 37 | |-- CCID driver 38 | |-- PKCS#11 provider (e.g. opensc-pkcs11.so) 39 | |-- client app (Firefox, SSH, ...) 40 | |-- gnupg-pkcs11-scd (alternative scdaemon) 41 | |-- gpg-agent -- GnuPG 42 | 43 | ### Scenario D - OSX component overview 44 | 45 | USB token -- PCSCD -- CCID driver bundle -- PKCS#11 provider -- client app 46 | |-- .. .. .. .. .. .. |-- tokend -- tokend.bundle -- Keychain -- OSX App (Safari, Chrome, ...) 47 | | 48 | |-- scdaemon -- gpg-agent -- GnuPG 49 | |-- SCD-PKCS#11 provider -- client app 50 | 51 | Problems: 52 | 53 | * scdaemon and CCID do not work simultaneously. 54 | * scdaemon does not quit after use. 55 | * CCID is not up to date. New hardware may need custom drivers. 56 | * tokend is not well documented. The relevant open source OpenSC.tokend seems to lack maintenance since OSX 10.6, but appears to work (even if somewhat by coincidence). 57 | 58 | ## Compiling / Installation 59 | 60 | Please read the [wiki installation page](https://github.com/sektioneins/scd-pkcs11/wiki/Installation). 61 | 62 | Quick-Install from source: 63 | 64 | ``` 65 | ./configure 66 | make 67 | make install 68 | ``` 69 | 70 | That's it. See the [wiki](https://github.com/sektioneins/scd-pkcs11/wiki) for further documentation. 71 | 72 | ### Quick Installation on OSX / macOS 73 | 74 | ``` 75 | brew install sektioneins/tap/scd-pkcs11 76 | ``` 77 | 78 | ## Related Projects 79 | 80 | * [Scute](http://www.scute.org/) - "Scute is a PKCS #11 module that adds support for the OpenPGP smartcard card to the Mozilla Network Security Services (NSS)." 81 | * [YKCS11](https://developers.yubico.com/yubico-piv-tool/YKCS11_release_notes.html) - "This is a PKCS#11 module that allows to communicate with the PIV application running on a YubiKey." 82 | 83 | ## Feedback 84 | 85 | Please use the [issue tracker](https://github.com/sektioneins/scd-pkcs11/issues). 86 | 87 | When reporting a bug, please provide 88 | 89 | * Operating System and version 90 | * library version, e.g. commit id or package version 91 | * PKCS#11 client, e.g. Firefox 92 | * Short description of what to do to reproduce the bug 93 | * If needed, log files, screen shots, additional information. 94 | 95 | ## License 96 | 97 | Copyright (C) 2015-2018 SektionEins GmbH / Ben Fuhrmannek 98 | 99 | Licensed under the Apache License, Version 2.0 (the "License"); 100 | you may not use this file except in compliance with the License. 101 | You may obtain a copy of the License at 102 | 103 | http://www.apache.org/licenses/LICENSE-2.0 104 | 105 | Unless required by applicable law or agreed to in writing, software 106 | distributed under the License is distributed on an "AS IS" BASIS, 107 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 108 | See the License for the specific language governing permissions and 109 | limitations under the License. 110 | -------------------------------------------------------------------------------- /common.h: -------------------------------------------------------------------------------- 1 | /* for stpcpy on linux; possibly other functions */ 2 | // #define _GNU_SOURCE 3 | #define _XOPEN_SOURCE 700 4 | 5 | // the prefix SEC_ is an acronym for SektionEins Cryptoki 6 | 7 | // #define SEC_DEBUG 8 | // #define SEC_LOG_STDERR 9 | #ifndef SEC_LOG 10 | #define SEC_LOG "/tmp/ck_log.txt" 11 | #endif 12 | 13 | #ifdef _WIN32 14 | #warning compiling experimental windows version 15 | #endif 16 | 17 | #define SEC_MAJOR_VERSION 0 18 | #define SEC_MINOR_VERSION 0 19 | 20 | /* ---- */ 21 | 22 | #ifndef HAVE_UCHAR 23 | typedef unsigned char uchar; 24 | #endif 25 | 26 | #ifndef HAVE_UINT 27 | typedef unsigned int uint; 28 | #endif 29 | 30 | /* ----- DEBUGGING + LOGGING */ 31 | 32 | #ifdef SEC_DEBUG 33 | 34 | #define SDEBUG_PRINT(f, msg...) \ 35 | {fprintf(f,"%s:%u %s #> ",__FILE__, __LINE__, __func__);fprintf(f, msg);fprintf(f,"\n");} 36 | #ifdef SEC_LOG_STDERR 37 | #define SDEBUG(msg...) {SDEBUG_PRINT(stderr, msg);} 38 | #else 39 | #define SDEBUG(msg...) {FILE *f;f=fopen(SEC_LOG, "a+");if(f){SDEBUG_PRINT(f, msg);fclose(f);}} 40 | #endif 41 | #define sec_log(msg...) SDEBUG(msg) 42 | #define sec_log_err(msg...) SDEBUG(msg) 43 | 44 | #else 45 | 46 | #define SDEBUG(msg...) 47 | #define sec_log(msg...) \ 48 | fprintf(stderr, msg) 49 | 50 | #define sec_log_err(msg...) \ 51 | fprintf(stderr, msg) 52 | 53 | #endif 54 | -------------------------------------------------------------------------------- /compile.ps1: -------------------------------------------------------------------------------- 1 | $gpg_inst = "C:/Program Files (x86)/GnuPG" 2 | $includes = @("-I${gpg_inst}/include") 3 | $cflags = @("-DSEC_DEBUG", "-DSEC_LOG_STDERR", "-std=gnu99") 4 | echo "." 5 | & gcc -c sec.c $includes $cflags 6 | echo "." 7 | & gcc -c scd.c $includes $cflags 8 | echo "." 9 | & gcc -c pkcs11-impl.c $includes $cflags 10 | echo "." 11 | & gcc sec.o scd.o pkcs11-impl.o -shared -o scd-pkcs11.dll -v "-L${gpg_inst}/bin" -lassuan-0 -lgcrypt-20 -lgpg-error-0 12 | 13 | -------------------------------------------------------------------------------- /configure.ac: -------------------------------------------------------------------------------- 1 | AC_INIT(scd-pkcs11, 0.0, , , https://github.com/sektioneins/scd-pkcs11) 2 | 3 | AC_CONFIG_FILES([Makefile]) 4 | 5 | AC_MSG_CHECKING([SSL support]) 6 | 7 | AC_ARG_WITH([ssl], 8 | [AS_HELP_STRING([--with-ssl], 9 | [use openssl/libressl @<:@default=yes@:>@])], 10 | [], 11 | []) 12 | 13 | if test "$with_ssl" != "no" ; then 14 | extra_CFLAGS="-DHAVE_SSL" 15 | extra_LDFLAGS="-lssl -lcrypto" 16 | if test -n "$with_ssl" -a "$with_ssl" != "yes" ; then 17 | extra_CFLAGS="$extra_CFLAGS -I$with_ssl/include" 18 | extra_LDFLAGS="$extra_LDFLAGS -L$with_ssl/lib" 19 | fi 20 | with_ssl=yes 21 | fi 22 | 23 | AC_MSG_RESULT([$with_ssl]) 24 | 25 | 26 | AC_MSG_CHECKING([libassuan]) 27 | AC_ARG_WITH([assuan], 28 | [AS_HELP_STRING([--with-assuan], 29 | [libassuan-config path])], 30 | [ 31 | if test "$with_assuan" == "no"; then 32 | AC_MSG_ERROR([libassuan is required!]) 33 | fi 34 | libassuan_path="$with_assuan/" 35 | with_assuan=yes 36 | ], 37 | [with_assuan=yes]) 38 | 39 | extra_CFLAGS="$extra_CFLAGS \$(shell ${libassuan_path}libassuan-config --cflags)" 40 | extra_LDFLAGS="$extra_LDFLAGS \$(shell ${libassuan_path}libassuan-config --libs)" 41 | 42 | AC_MSG_RESULT([$with_assuan]) 43 | 44 | 45 | AC_MSG_CHECKING([libgcrypt]) 46 | AC_ARG_WITH([gcrypt], 47 | [AS_HELP_STRING([--with-gcrypt], 48 | [libgcrypt-config path])], 49 | [ 50 | if test "$with_gcrypt" == "no"; then 51 | AC_MSG_ERROR([libgcrypt is required!]) 52 | fi 53 | libgcrypt_path="$with_gcrypt/" 54 | with_gcrypt=yes 55 | ], 56 | [with_gcrypt=yes]) 57 | 58 | extra_CFLAGS="$extra_CFLAGS \$(shell ${libgcrypt_path}libgcrypt-config --cflags)" 59 | extra_LDFLAGS="$extra_LDFLAGS \$(shell ${libgcrypt_path}libgcrypt-config --libs)" 60 | 61 | AC_MSG_RESULT([$with_gcrypt]) 62 | 63 | 64 | 65 | AC_SUBST([extra_CFLAGS], [$extra_CFLAGS]) 66 | AC_SUBST([extra_LDFLAGS], [$extra_LDFLAGS]) 67 | 68 | 69 | AC_OUTPUT 70 | -------------------------------------------------------------------------------- /pkcs11-impl.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2015-2018 SektionEins GmbH / Ben Fuhrmannek 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | */ 17 | 18 | #include 19 | #include 20 | #include 21 | 22 | #include "common.h" 23 | #include "sec.h" 24 | #include "scd.h" 25 | 26 | #ifdef SEC_DEBUG 27 | #define RETURN_CKR(ret) { if ((ret) != CKR_OK) { SDEBUG("CKR rv=0x%x", (ret)); } return (ret); } 28 | #else 29 | #define RETURN_CKR(ret) return (ret); 30 | #endif 31 | 32 | /* ---- */ 33 | 34 | static CK_BBOOL g_initialized = 0; 35 | 36 | /* ---- GENERATE CK_FUNCTION_LIST */ 37 | 38 | #define CK_PKCS11_FUNCTION_INFO(name) \ 39 | name, 40 | 41 | CK_FUNCTION_LIST pkcs11_function_list = { 42 | { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR }, 43 | #include "pkcs11f.h" 44 | }; 45 | #undef CK_PKCS11_FUNCTION_INFO 46 | 47 | 48 | /* ---- PKCS11 API IMPLEMENTATION */ 49 | 50 | 51 | #define SEC_PKCS11_FUNCTION(name) \ 52 | extern CK_DEFINE_FUNCTION(CK_RV, name) 53 | 54 | /* C_Initialize initializes the Cryptoki library. */ 55 | SEC_PKCS11_FUNCTION(C_Initialize) 56 | ( 57 | CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets 58 | * cast to CK_C_INITIALIZE_ARGS_PTR 59 | * and dereferenced */ 60 | ) 61 | { 62 | CK_C_INITIALIZE_ARGS_PTR pArgs = (CK_C_INITIALIZE_ARGS_PTR)pInitArgs; 63 | gpg_error_t err; 64 | 65 | SDEBUG("called"); 66 | if (g_initialized) { 67 | SDEBUG("already initialized."); 68 | RETURN_CKR(CKR_CRYPTOKI_ALREADY_INITIALIZED); 69 | } 70 | 71 | memset(&g_state, 0, sizeof(g_state)); 72 | 73 | if (pArgs != NULL_PTR) { 74 | if (pArgs->CreateMutex || pArgs->DestroyMutex || pArgs->LockMutex || pArgs->UnlockMutex) { 75 | if (pArgs->CreateMutex == NULL_PTR || pArgs->DestroyMutex == NULL_PTR || pArgs->LockMutex == NULL_PTR || pArgs->UnlockMutex == NULL_PTR) { 76 | SDEBUG("bad arguments -> mutex function ptr is NULL") 77 | RETURN_CKR(CKR_ARGUMENTS_BAD); // some but not all pointers are NULL_PTR 78 | } 79 | sec_log_err("multi-threading not supported"); 80 | RETURN_CKR(CKR_CANT_LOCK); 81 | } 82 | if (pArgs->flags & CKF_OS_LOCKING_OK) { 83 | sec_log_err("OS based multi-threading not supported"); 84 | RETURN_CKR(CKR_CANT_LOCK); 85 | } 86 | } 87 | 88 | err = scd_agent_connect(&g_state.ctx); 89 | if (err) { 90 | sec_log_err("cannot connect to agent: %d", err); 91 | RETURN_CKR(CKR_FUNCTION_FAILED); 92 | } 93 | 94 | g_initialized = 1; 95 | RETURN_CKR(CKR_OK); 96 | } 97 | 98 | 99 | /* C_Finalize indicates that an application is done with the 100 | * Cryptoki library. */ 101 | SEC_PKCS11_FUNCTION(C_Finalize) 102 | ( 103 | CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */ 104 | ) 105 | { 106 | SDEBUG("called"); 107 | if (!g_initialized) 108 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 109 | 110 | g_initialized = 0; 111 | 112 | scd_agent_disconnect(g_state.ctx); 113 | g_state.ctx = NULL; 114 | 115 | sec_free_token(); 116 | 117 | RETURN_CKR(CKR_OK); 118 | } 119 | 120 | 121 | 122 | /* C_GetInfo returns general information about Cryptoki. */ 123 | SEC_PKCS11_FUNCTION(C_GetInfo) 124 | ( 125 | CK_INFO_PTR pInfo /* location that receives information */ 126 | ) 127 | { 128 | SDEBUG("called"); 129 | if (pInfo == NULL_PTR) 130 | RETURN_CKR(CKR_ARGUMENTS_BAD); 131 | 132 | memset(pInfo, 0, sizeof(CK_INFO)); 133 | pInfo->cryptokiVersion.major = CRYPTOKI_VERSION_MAJOR; 134 | pInfo->cryptokiVersion.minor = CRYPTOKI_VERSION_MINOR; 135 | strncpy((char*)pInfo->manufacturerID, "SektionEins GmbH", sizeof(pInfo->manufacturerID)-1); 136 | strncpy((char*)pInfo->libraryDescription, "GPG SCDAEMON PKCS#11 API", sizeof(pInfo->libraryDescription)-1); 137 | pInfo->libraryVersion.major = SEC_MAJOR_VERSION; 138 | pInfo->libraryVersion.minor = SEC_MINOR_VERSION; 139 | 140 | RETURN_CKR(CKR_OK); 141 | } 142 | 143 | 144 | /* C_GetFunctionList returns the function list. */ 145 | SEC_PKCS11_FUNCTION(C_GetFunctionList) 146 | ( 147 | CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to 148 | * function list */ 149 | ) 150 | { 151 | SDEBUG("called"); 152 | if (ppFunctionList == NULL_PTR) 153 | RETURN_CKR(CKR_ARGUMENTS_BAD); 154 | 155 | *ppFunctionList = &pkcs11_function_list; 156 | RETURN_CKR(CKR_OK); 157 | } 158 | 159 | 160 | 161 | /* Slot and token management */ 162 | 163 | /* C_GetSlotList obtains a list of slots in the system. */ 164 | SEC_PKCS11_FUNCTION(C_GetSlotList) 165 | ( 166 | CK_BBOOL tokenPresent, /* only slots with tokens? */ 167 | CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */ 168 | CK_ULONG_PTR pulCount /* receives number of slots */ 169 | ) 170 | { 171 | SDEBUG("called"); 172 | if (!g_initialized) 173 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 174 | 175 | if (pulCount == NULL_PTR) 176 | RETURN_CKR(CKR_ARGUMENTS_BAD); 177 | 178 | if (pSlotList == NULL_PTR) { 179 | *pulCount = 1; 180 | RETURN_CKR(CKR_OK); 181 | } 182 | 183 | if (*pulCount < 1) { 184 | *pulCount = 1; 185 | RETURN_CKR(CKR_BUFFER_TOO_SMALL); 186 | } 187 | 188 | *pSlotList = 0; 189 | RETURN_CKR(CKR_OK); 190 | } 191 | 192 | 193 | /* C_GetSlotInfo obtains information about a particular slot in 194 | * the system. */ 195 | SEC_PKCS11_FUNCTION(C_GetSlotInfo) 196 | ( 197 | CK_SLOT_ID slotID, /* the ID of the slot */ 198 | CK_SLOT_INFO_PTR pInfo /* receives the slot information */ 199 | ) 200 | { 201 | SDEBUG("called"); 202 | if (!g_initialized) 203 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 204 | 205 | if (pInfo == NULL_PTR) 206 | RETURN_CKR(CKR_ARGUMENTS_BAD); 207 | if (slotID != 0) 208 | RETURN_CKR(CKR_SLOT_ID_INVALID); 209 | 210 | memset(pInfo, 0, sizeof(CK_SLOT_INFO)); 211 | strncpy((char*)pInfo->slotDescription, "Virtual slot", sizeof(pInfo->slotDescription)-1); 212 | strncpy((char*)pInfo->manufacturerID, "SektionEins GmbH", sizeof(pInfo->manufacturerID)-1); 213 | pInfo->flags = CKF_HW_SLOT | CKF_REMOVABLE_DEVICE; 214 | if (scd_token_present(g_state.ctx)) { 215 | pInfo->flags |= CKF_TOKEN_PRESENT; 216 | } else { 217 | sec_free_token(); 218 | } 219 | pInfo->hardwareVersion.major = 0; 220 | pInfo->hardwareVersion.minor = 0; 221 | pInfo->firmwareVersion.major = 0; 222 | pInfo->firmwareVersion.minor = 0; 223 | 224 | RETURN_CKR(CKR_OK); 225 | } 226 | 227 | 228 | /* C_GetTokenInfo obtains information about a particular token 229 | * in the system. */ 230 | SEC_PKCS11_FUNCTION(C_GetTokenInfo) 231 | ( 232 | CK_SLOT_ID slotID, /* ID of the token's slot */ 233 | CK_TOKEN_INFO_PTR pInfo /* receives the token information */ 234 | ) 235 | { 236 | SDEBUG("called"); 237 | if (!g_initialized) 238 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 239 | 240 | if (slotID != 0) 241 | RETURN_CKR(CKR_SLOT_ID_INVALID); 242 | if (pInfo == NULL_PTR) 243 | RETURN_CKR(CKR_ARGUMENTS_BAD); 244 | 245 | if (!scd_token_present(g_state.ctx)) { 246 | sec_free_token(); 247 | RETURN_CKR(CKR_TOKEN_NOT_PRESENT); 248 | } 249 | if (sec_learn_token(g_state.ctx)) { 250 | RETURN_CKR(CKR_TOKEN_NOT_PRESENT); 251 | } 252 | 253 | memset(pInfo, 0, sizeof(CK_TOKEN_INFO)); 254 | strncpy((char*)pInfo->label, "Virtual token", sizeof(pInfo->label)-1); 255 | strncpy((char*)pInfo->manufacturerID, "SektionEins GmbH", sizeof(pInfo->manufacturerID)-1); 256 | strncpy((char*)pInfo->model, "OpenPGP-Card", sizeof(pInfo->model)-1); /* blank padded */ 257 | strncpy((char*)pInfo->serialNumber, (char*)g_state.token->serialno, sizeof(pInfo->serialNumber)-1); 258 | // pInfo->flags = CKF_RNG | CKF_WRITE_PROTECTED | CKF_USER_PIN_INITIALIZED | CKF_PROTECTED_AUTHENTICATION_PATH; 259 | pInfo->flags = CKF_WRITE_PROTECTED | CKF_USER_PIN_INITIALIZED | CKF_PROTECTED_AUTHENTICATION_PATH | CKF_TOKEN_INITIALIZED; // CKF_LOGIN_REQUIRED 260 | 261 | pInfo->ulMaxSessionCount = SEC_MAX_SESSION_COUNT; /* max open sessions */ 262 | pInfo->ulSessionCount = g_state.session_count; /* sess. now open */ 263 | pInfo->ulMaxRwSessionCount = 0; /* max R/W sessions */ 264 | pInfo->ulRwSessionCount = 0; /* R/W sess. now open */ 265 | pInfo->ulMaxPinLen = 32; /* in bytes */ 266 | pInfo->ulMinPinLen = 6; /* in bytes */ 267 | pInfo->ulTotalPublicMemory = -1; /* in bytes */ 268 | pInfo->ulFreePublicMemory = -1; /* in bytes */ 269 | pInfo->ulTotalPrivateMemory = -1; /* in bytes */ 270 | pInfo->ulFreePrivateMemory = -1; /* in bytes */ 271 | 272 | pInfo->hardwareVersion.major = 2; /* version of hardware */ 273 | pInfo->hardwareVersion.minor = 1; 274 | pInfo->firmwareVersion.major = 2; /* version of firmware */ 275 | pInfo->firmwareVersion.major = 1; 276 | pInfo->utcTime[0] = 0; /* time */ 277 | 278 | RETURN_CKR(CKR_OK); 279 | } 280 | 281 | 282 | 283 | /* C_GetMechanismList obtains a list of mechanism types 284 | * supported by a token. */ 285 | SEC_PKCS11_FUNCTION(C_GetMechanismList) 286 | ( 287 | CK_SLOT_ID slotID, /* ID of token's slot */ 288 | CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */ 289 | CK_ULONG_PTR pulCount /* gets # of mechs. */ 290 | ) 291 | { 292 | SDEBUG("called"); 293 | if (!g_initialized) 294 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 295 | 296 | if (slotID != 0) 297 | RETURN_CKR(CKR_SLOT_ID_INVALID); 298 | if (pMechanismList == NULL_PTR) { 299 | *pulCount = 16; 300 | RETURN_CKR(CKR_OK); 301 | } 302 | if (pulCount == NULL_PTR || *pulCount < 16) { 303 | *pulCount = 16; 304 | RETURN_CKR(CKR_BUFFER_TOO_SMALL); 305 | } 306 | 307 | // TODO: somehow get the actual list from the token 308 | 309 | *pulCount = 0; 310 | pMechanismList[(*pulCount)++] = CKM_SHA_1; 311 | pMechanismList[(*pulCount)++] = CKM_SHA256; 312 | pMechanismList[(*pulCount)++] = CKM_SHA384; 313 | pMechanismList[(*pulCount)++] = CKM_SHA512; 314 | pMechanismList[(*pulCount)++] = CKM_MD5; 315 | pMechanismList[(*pulCount)++] = CKM_RIPEMD160; 316 | pMechanismList[(*pulCount)++] = CKM_GOSTR3411; 317 | pMechanismList[(*pulCount)++] = CKM_RSA_X_509; 318 | pMechanismList[(*pulCount)++] = CKM_RSA_PKCS; 319 | pMechanismList[(*pulCount)++] = CKM_SHA1_RSA_PKCS; 320 | pMechanismList[(*pulCount)++] = CKM_SHA256_RSA_PKCS; 321 | pMechanismList[(*pulCount)++] = CKM_SHA384_RSA_PKCS; 322 | pMechanismList[(*pulCount)++] = CKM_SHA512_RSA_PKCS; 323 | pMechanismList[(*pulCount)++] = CKM_MD5_RSA_PKCS; 324 | pMechanismList[(*pulCount)++] = CKM_RIPEMD160_RSA_PKCS; 325 | pMechanismList[(*pulCount)++] = CKM_RSA_PKCS_KEY_PAIR_GEN; 326 | RETURN_CKR(CKR_OK); 327 | } 328 | 329 | 330 | /* C_GetMechanismInfo obtains information about a particular 331 | * mechanism possibly supported by a token. */ 332 | SEC_PKCS11_FUNCTION(C_GetMechanismInfo) 333 | ( 334 | CK_SLOT_ID slotID, /* ID of the token's slot */ 335 | CK_MECHANISM_TYPE type, /* type of mechanism */ 336 | CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */ 337 | ) 338 | { 339 | SDEBUG("called"); 340 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 341 | } 342 | 343 | 344 | /* C_InitToken initializes a token. */ 345 | SEC_PKCS11_FUNCTION(C_InitToken) 346 | /* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */ 347 | ( 348 | CK_SLOT_ID slotID, /* ID of the token's slot */ 349 | CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */ 350 | CK_ULONG ulPinLen, /* length in bytes of the PIN */ 351 | CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */ 352 | ) 353 | { 354 | SDEBUG("called"); 355 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 356 | } 357 | 358 | 359 | /* C_InitPIN initializes the normal user's PIN. */ 360 | SEC_PKCS11_FUNCTION(C_InitPIN) 361 | ( 362 | CK_SESSION_HANDLE hSession, /* the session's handle */ 363 | CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */ 364 | CK_ULONG ulPinLen /* length in bytes of the PIN */ 365 | ) 366 | { 367 | SDEBUG("called"); 368 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 369 | } 370 | 371 | 372 | /* C_SetPIN modifies the PIN of the user who is logged in. */ 373 | SEC_PKCS11_FUNCTION(C_SetPIN) 374 | ( 375 | CK_SESSION_HANDLE hSession, /* the session's handle */ 376 | CK_UTF8CHAR_PTR pOldPin, /* the old PIN */ 377 | CK_ULONG ulOldLen, /* length of the old PIN */ 378 | CK_UTF8CHAR_PTR pNewPin, /* the new PIN */ 379 | CK_ULONG ulNewLen /* length of the new PIN */ 380 | ) 381 | { 382 | SDEBUG("called"); 383 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 384 | } 385 | 386 | 387 | 388 | /* Session management */ 389 | 390 | /* C_OpenSession opens a session between an application and a 391 | * token. */ 392 | SEC_PKCS11_FUNCTION(C_OpenSession) 393 | ( 394 | CK_SLOT_ID slotID, /* the slot's ID */ 395 | CK_FLAGS flags, /* from CK_SESSION_INFO */ 396 | CK_VOID_PTR pApplication, /* passed to callback */ 397 | CK_NOTIFY Notify, /* callback function */ 398 | CK_SESSION_HANDLE_PTR phSession /* gets session handle */ 399 | ) 400 | { 401 | SDEBUG("called"); 402 | if (!g_initialized) 403 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 404 | if (slotID != 0) 405 | RETURN_CKR(CKR_SLOT_ID_INVALID); 406 | // if (!(flags & CKF_SERIAL_SESSION)) 407 | // RETURN_CKR(CKR_PARALLEL_NOT_SUPPORTED); 408 | if (g_state.session_count >= SEC_MAX_SESSION_COUNT) 409 | RETURN_CKR(CKR_SESSION_COUNT); 410 | 411 | if (!scd_token_present(g_state.ctx)) { 412 | sec_free_token(); 413 | RETURN_CKR(CKR_TOKEN_NOT_PRESENT); 414 | } 415 | 416 | if (sec_learn_token(g_state.ctx)) { 417 | RETURN_CKR(CKR_TOKEN_NOT_PRESENT); 418 | } 419 | 420 | *phSession = ++g_state.session_count; 421 | RETURN_CKR(CKR_OK); 422 | } 423 | 424 | 425 | /* C_CloseSession closes a session between an application and a 426 | * token. */ 427 | SEC_PKCS11_FUNCTION(C_CloseSession) 428 | ( 429 | CK_SESSION_HANDLE hSession /* the session's handle */ 430 | ) 431 | { 432 | SDEBUG("called"); 433 | if (!g_initialized) 434 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 435 | g_state.session_count = 0; 436 | RETURN_CKR(CKR_OK); 437 | } 438 | 439 | 440 | /* C_CloseAllSessions closes all sessions with a token. */ 441 | SEC_PKCS11_FUNCTION(C_CloseAllSessions) 442 | ( 443 | CK_SLOT_ID slotID /* the token's slot */ 444 | ) 445 | { 446 | SDEBUG("called"); 447 | if (!g_initialized) 448 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 449 | g_state.session_count = 0; 450 | RETURN_CKR(CKR_OK); 451 | } 452 | 453 | 454 | /* C_GetSessionInfo obtains information about the session. */ 455 | SEC_PKCS11_FUNCTION(C_GetSessionInfo) 456 | ( 457 | CK_SESSION_HANDLE hSession, /* the session's handle */ 458 | CK_SESSION_INFO_PTR pInfo /* receives session info */ 459 | ) 460 | { 461 | SDEBUG("called"); 462 | if (!g_initialized) 463 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 464 | if (pInfo == NULL_PTR) { 465 | RETURN_CKR(CKR_ARGUMENTS_BAD); 466 | } 467 | memset(pInfo, 0, sizeof(CK_SESSION_INFO)); 468 | pInfo->slotID = 0; 469 | pInfo->state = CKS_RO_USER_FUNCTIONS; 470 | // possible states: 471 | // CKS_RO_PUBLIC_SESSION 0 472 | // CKS_RO_USER_FUNCTIONS 1 473 | // --> always assume CKS_RO_USER_FUNCTIONS, because SCD handles login 474 | pInfo->flags = CKF_SERIAL_SESSION; 475 | 476 | RETURN_CKR(CKR_OK); 477 | } 478 | 479 | 480 | /* C_GetOperationState obtains the state of the cryptographic operation 481 | * in a session. */ 482 | SEC_PKCS11_FUNCTION(C_GetOperationState) 483 | ( 484 | CK_SESSION_HANDLE hSession, /* session's handle */ 485 | CK_BYTE_PTR pOperationState, /* gets state */ 486 | CK_ULONG_PTR pulOperationStateLen /* gets state length */ 487 | ) 488 | { 489 | SDEBUG("called"); 490 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 491 | } 492 | 493 | 494 | /* C_SetOperationState restores the state of the cryptographic 495 | * operation in a session. */ 496 | SEC_PKCS11_FUNCTION(C_SetOperationState) 497 | ( 498 | CK_SESSION_HANDLE hSession, /* session's handle */ 499 | CK_BYTE_PTR pOperationState, /* holds state */ 500 | CK_ULONG ulOperationStateLen, /* holds state length */ 501 | CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */ 502 | CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */ 503 | ) 504 | { 505 | SDEBUG("called"); 506 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 507 | } 508 | 509 | 510 | /* C_Login logs a user into a token. */ 511 | SEC_PKCS11_FUNCTION(C_Login) 512 | ( 513 | CK_SESSION_HANDLE hSession, /* the session's handle */ 514 | CK_USER_TYPE userType, /* the user type */ 515 | CK_UTF8CHAR_PTR pPin, /* the user's PIN */ 516 | CK_ULONG ulPinLen /* the length of the PIN */ 517 | ) 518 | { 519 | SDEBUG("called"); 520 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 521 | } 522 | 523 | 524 | /* C_Logout logs a user out from a token. */ 525 | SEC_PKCS11_FUNCTION(C_Logout) 526 | ( 527 | CK_SESSION_HANDLE hSession /* the session's handle */ 528 | ) 529 | { 530 | SDEBUG("called"); 531 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 532 | } 533 | 534 | 535 | 536 | /* Object management */ 537 | 538 | /* C_CreateObject creates a new object. */ 539 | SEC_PKCS11_FUNCTION(C_CreateObject) 540 | ( 541 | CK_SESSION_HANDLE hSession, /* the session's handle */ 542 | CK_ATTRIBUTE_PTR pTemplate, /* the object's template */ 543 | CK_ULONG ulCount, /* attributes in template */ 544 | CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */ 545 | ) 546 | { 547 | SDEBUG("called"); 548 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 549 | } 550 | 551 | 552 | /* C_CopyObject copies an object, creating a new object for the 553 | * copy. */ 554 | SEC_PKCS11_FUNCTION(C_CopyObject) 555 | ( 556 | CK_SESSION_HANDLE hSession, /* the session's handle */ 557 | CK_OBJECT_HANDLE hObject, /* the object's handle */ 558 | CK_ATTRIBUTE_PTR pTemplate, /* template for new object */ 559 | CK_ULONG ulCount, /* attributes in template */ 560 | CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */ 561 | ) 562 | { 563 | SDEBUG("called"); 564 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 565 | } 566 | 567 | 568 | /* C_DestroyObject destroys an object. */ 569 | SEC_PKCS11_FUNCTION(C_DestroyObject) 570 | ( 571 | CK_SESSION_HANDLE hSession, /* the session's handle */ 572 | CK_OBJECT_HANDLE hObject /* the object's handle */ 573 | ) 574 | { 575 | SDEBUG("called"); 576 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 577 | } 578 | 579 | 580 | /* C_GetObjectSize gets the size of an object in bytes. */ 581 | SEC_PKCS11_FUNCTION(C_GetObjectSize) 582 | ( 583 | CK_SESSION_HANDLE hSession, /* the session's handle */ 584 | CK_OBJECT_HANDLE hObject, /* the object's handle */ 585 | CK_ULONG_PTR pulSize /* receives size of object */ 586 | ) 587 | { 588 | SDEBUG("called"); 589 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 590 | } 591 | 592 | 593 | /* C_GetAttributeValue obtains the value of one or more object 594 | * attributes. */ 595 | SEC_PKCS11_FUNCTION(C_GetAttributeValue) 596 | ( 597 | CK_SESSION_HANDLE hSession, /* the session's handle */ 598 | CK_OBJECT_HANDLE hObject, /* the object's handle */ 599 | CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */ 600 | CK_ULONG ulCount /* attributes in template */ 601 | ) 602 | { 603 | CK_RV rv = CKR_OK; 604 | SDEBUG("called. hSession=%lu hObject=%lu", hSession, hObject); 605 | if (!g_initialized) 606 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 607 | 608 | if (sec_learn_token(g_state.ctx)) { 609 | RETURN_CKR(CKR_DEVICE_REMOVED); 610 | } 611 | 612 | if (g_state.token == NULL) { 613 | RETURN_CKR(CKR_FUNCTION_FAILED); 614 | } 615 | 616 | struct sec_ck_alist *pA = NULL; 617 | switch (hObject) { 618 | case SEC_OH_CERT3: 619 | pA = &g_state.token->alCert[SEC_KEY3]; 620 | break; 621 | case SEC_OH_PRIV3: 622 | pA = &g_state.token->alPriv[SEC_KEY3]; 623 | break; 624 | case SEC_OH_PUB3: 625 | pA = &g_state.token->alPub[SEC_KEY3]; 626 | break; 627 | default: 628 | RETURN_CKR(CKR_OBJECT_HANDLE_INVALID); 629 | } 630 | 631 | if (pA == NULL || pA->p == NULL) { 632 | SDEBUG("failed (null ptr)"); 633 | RETURN_CKR(CKR_FUNCTION_FAILED); 634 | } 635 | 636 | CK_ATTRIBUTE_PTR pTmp; // pointer to current attribute of pA 637 | CK_ULONG i, j; 638 | for (i = 0; i < ulCount; i++) { 639 | SDEBUG("i=%lu type=0x%lx", i, pTemplate[i].type); 640 | pTmp = NULL; 641 | for (j = 0; j < pA->cnt; j++) { 642 | if (pTemplate[i].type == pA->p[j].type) { 643 | pTmp = &pA->p[j]; 644 | break; 645 | } 646 | } 647 | if (pTmp == NULL) { // attribute type not found 648 | SDEBUG("attribute type not found"); 649 | pTemplate[i].ulValueLen = -1; 650 | rv = CKR_ATTRIBUTE_TYPE_INVALID; 651 | continue; 652 | } 653 | if (pTemplate[i].pValue == NULL_PTR) { // size request 654 | SDEBUG("size request"); 655 | pTemplate[i].ulValueLen = pTmp->ulValueLen; 656 | continue; 657 | } 658 | if (pTemplate[i].ulValueLen < pTmp->ulValueLen) { // buffer too small 659 | SDEBUG("buffer too small"); 660 | pTemplate[i].ulValueLen = -1; 661 | rv = CKR_BUFFER_TOO_SMALL; 662 | continue; 663 | } 664 | memcpy(pTemplate[i].pValue, pTmp->pValue, pTmp->ulValueLen); 665 | pTemplate[i].ulValueLen = pTmp->ulValueLen; 666 | } 667 | 668 | 669 | return rv; 670 | } 671 | 672 | 673 | /* C_SetAttributeValue modifies the value of one or more object 674 | * attributes */ 675 | SEC_PKCS11_FUNCTION(C_SetAttributeValue) 676 | ( 677 | CK_SESSION_HANDLE hSession, /* the session's handle */ 678 | CK_OBJECT_HANDLE hObject, /* the object's handle */ 679 | CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */ 680 | CK_ULONG ulCount /* attributes in template */ 681 | ) 682 | { 683 | SDEBUG("called"); 684 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 685 | } 686 | 687 | 688 | /* C_FindObjectsInit initializes a search for token and session 689 | * objects that match a template. */ 690 | SEC_PKCS11_FUNCTION(C_FindObjectsInit) 691 | ( 692 | CK_SESSION_HANDLE hSession, /* the session's handle */ 693 | CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */ 694 | CK_ULONG ulCount /* attrs in search template */ 695 | ) 696 | { 697 | SDEBUG("called count=%lu", ulCount); 698 | for (int i = 0; i < ulCount; i++) { 699 | SDEBUG("attribute i=%d type=0x%lx *value=%x", i, pTemplate[i].type, pTemplate[i].pValue == NULL_PTR ? 0 : *(uint*)pTemplate[i].pValue); 700 | 701 | } 702 | 703 | g_state.find.template.p = pTemplate; 704 | g_state.find.template.cnt = ulCount; 705 | g_state.find.ulResultCount = 0; 706 | 707 | // note: ulResultCount must not exceed SEC_FIND_MAXRESULTS 708 | 709 | if (g_state.token) { 710 | if (g_state.token->alCert[SEC_KEY3].p && (ulCount == 0 || sec_al_match(g_state.find.template, g_state.token->alCert[SEC_KEY3]))) 711 | g_state.find.phResult[g_state.find.ulResultCount++] = SEC_OH_CERT3; 712 | if (g_state.token->alPriv[SEC_KEY3].p && (ulCount == 0 || sec_al_match(g_state.find.template, g_state.token->alPriv[SEC_KEY3]))) 713 | g_state.find.phResult[g_state.find.ulResultCount++] = SEC_OH_PRIV3; 714 | if (g_state.token->alPub[SEC_KEY3].p && (ulCount == 0 || sec_al_match(g_state.find.template, g_state.token->alPub[SEC_KEY3]))) 715 | g_state.find.phResult[g_state.find.ulResultCount++] = SEC_OH_PUB3; 716 | } 717 | 718 | 719 | SDEBUG("returning %lu objects", g_state.find.ulResultCount); 720 | RETURN_CKR(CKR_OK); 721 | } 722 | 723 | 724 | /* C_FindObjects continues a search for token and session 725 | * objects that match a template, obtaining additional object 726 | * handles. */ 727 | SEC_PKCS11_FUNCTION(C_FindObjects) 728 | ( 729 | CK_SESSION_HANDLE hSession, /* session's handle */ 730 | CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */ 731 | CK_ULONG ulMaxObjectCount, /* max handles to get */ 732 | CK_ULONG_PTR pulObjectCount /* actual # returned */ 733 | ) 734 | { 735 | SDEBUG("called phObject=%p ulMaxObjectCount=%lu", phObject, ulMaxObjectCount); 736 | if (!g_initialized) 737 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 738 | 739 | if (ulMaxObjectCount == 0) { 740 | RETURN_CKR(CKR_OK); 741 | } 742 | if (phObject == NULL_PTR) { 743 | RETURN_CKR(CKR_ARGUMENTS_BAD); 744 | } 745 | if (g_state.find.ulResultCount == 0) { 746 | // find not initialized or no further results 747 | *pulObjectCount = 0; 748 | RETURN_CKR(CKR_OK); 749 | } 750 | 751 | // copy phResult to phObject in reverse order, so that the first 752 | // ulResultCount objects will always hold the remaining result 753 | CK_ULONG i; 754 | // SDEBUG("ulResultCount=%lu", g_state.find.ulResultCount); 755 | for (i = 0; i < ulMaxObjectCount && i < g_state.find.ulResultCount; i++) { 756 | memcpy(phObject + i, g_state.find.phResult + g_state.find.ulResultCount - 1 - i, sizeof(*g_state.find.phResult)); 757 | // SDEBUG("phObject[%lu]=%lu", i, phObject[i]); 758 | } 759 | *pulObjectCount = i; 760 | g_state.find.ulResultCount -= i; 761 | 762 | RETURN_CKR(CKR_OK); 763 | } 764 | 765 | 766 | /* C_FindObjectsFinal finishes a search for token and session 767 | * objects. */ 768 | SEC_PKCS11_FUNCTION(C_FindObjectsFinal) 769 | ( 770 | CK_SESSION_HANDLE hSession /* the session's handle */ 771 | ) 772 | { 773 | SDEBUG("called"); 774 | if (!g_initialized) 775 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 776 | 777 | g_state.find.template.p = NULL; 778 | g_state.find.template.cnt = 0; 779 | g_state.find.ulResultCount = 0; 780 | RETURN_CKR(CKR_OK); 781 | } 782 | 783 | 784 | 785 | /* Encryption and decryption */ 786 | 787 | /* C_EncryptInit initializes an encryption operation. */ 788 | SEC_PKCS11_FUNCTION(C_EncryptInit) 789 | ( 790 | CK_SESSION_HANDLE hSession, /* the session's handle */ 791 | CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ 792 | CK_OBJECT_HANDLE hKey /* handle of encryption key */ 793 | ) 794 | { 795 | SDEBUG("called"); 796 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 797 | } 798 | 799 | 800 | /* C_Encrypt encrypts single-part data. */ 801 | SEC_PKCS11_FUNCTION(C_Encrypt) 802 | ( 803 | CK_SESSION_HANDLE hSession, /* session's handle */ 804 | CK_BYTE_PTR pData, /* the plaintext data */ 805 | CK_ULONG ulDataLen, /* bytes of plaintext */ 806 | CK_BYTE_PTR pEncryptedData, /* gets ciphertext */ 807 | CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */ 808 | ) 809 | { 810 | SDEBUG("called"); 811 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 812 | } 813 | 814 | 815 | /* C_EncryptUpdate continues a multiple-part encryption 816 | * operation. */ 817 | SEC_PKCS11_FUNCTION(C_EncryptUpdate) 818 | ( 819 | CK_SESSION_HANDLE hSession, /* session's handle */ 820 | CK_BYTE_PTR pPart, /* the plaintext data */ 821 | CK_ULONG ulPartLen, /* plaintext data len */ 822 | CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ 823 | CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */ 824 | ) 825 | { 826 | SDEBUG("called"); 827 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 828 | } 829 | 830 | 831 | /* C_EncryptFinal finishes a multiple-part encryption 832 | * operation. */ 833 | SEC_PKCS11_FUNCTION(C_EncryptFinal) 834 | ( 835 | CK_SESSION_HANDLE hSession, /* session handle */ 836 | CK_BYTE_PTR pLastEncryptedPart, /* last c-text */ 837 | CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */ 838 | ) 839 | { 840 | SDEBUG("called"); 841 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 842 | } 843 | 844 | 845 | /* C_DecryptInit initializes a decryption operation. */ 846 | SEC_PKCS11_FUNCTION(C_DecryptInit) 847 | ( 848 | CK_SESSION_HANDLE hSession, /* the session's handle */ 849 | CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ 850 | CK_OBJECT_HANDLE hKey /* handle of decryption key */ 851 | ) 852 | { 853 | SDEBUG("called"); 854 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 855 | } 856 | 857 | 858 | /* C_Decrypt decrypts encrypted data in a single part. */ 859 | SEC_PKCS11_FUNCTION(C_Decrypt) 860 | ( 861 | CK_SESSION_HANDLE hSession, /* session's handle */ 862 | CK_BYTE_PTR pEncryptedData, /* ciphertext */ 863 | CK_ULONG ulEncryptedDataLen, /* ciphertext length */ 864 | CK_BYTE_PTR pData, /* gets plaintext */ 865 | CK_ULONG_PTR pulDataLen /* gets p-text size */ 866 | ) 867 | { 868 | SDEBUG("called"); 869 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 870 | } 871 | 872 | 873 | /* C_DecryptUpdate continues a multiple-part decryption 874 | * operation. */ 875 | SEC_PKCS11_FUNCTION(C_DecryptUpdate) 876 | ( 877 | CK_SESSION_HANDLE hSession, /* session's handle */ 878 | CK_BYTE_PTR pEncryptedPart, /* encrypted data */ 879 | CK_ULONG ulEncryptedPartLen, /* input length */ 880 | CK_BYTE_PTR pPart, /* gets plaintext */ 881 | CK_ULONG_PTR pulPartLen /* p-text size */ 882 | ) 883 | { 884 | SDEBUG("called"); 885 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 886 | } 887 | 888 | 889 | /* C_DecryptFinal finishes a multiple-part decryption 890 | * operation. */ 891 | SEC_PKCS11_FUNCTION(C_DecryptFinal) 892 | ( 893 | CK_SESSION_HANDLE hSession, /* the session's handle */ 894 | CK_BYTE_PTR pLastPart, /* gets plaintext */ 895 | CK_ULONG_PTR pulLastPartLen /* p-text size */ 896 | ) 897 | { 898 | SDEBUG("called"); 899 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 900 | } 901 | 902 | 903 | 904 | /* Message digesting */ 905 | 906 | /* C_DigestInit initializes a message-digesting operation. */ 907 | SEC_PKCS11_FUNCTION(C_DigestInit) 908 | ( 909 | CK_SESSION_HANDLE hSession, /* the session's handle */ 910 | CK_MECHANISM_PTR pMechanism /* the digesting mechanism */ 911 | ) 912 | { 913 | SDEBUG("called"); 914 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 915 | } 916 | 917 | 918 | /* C_Digest digests data in a single part. */ 919 | SEC_PKCS11_FUNCTION(C_Digest) 920 | ( 921 | CK_SESSION_HANDLE hSession, /* the session's handle */ 922 | CK_BYTE_PTR pData, /* data to be digested */ 923 | CK_ULONG ulDataLen, /* bytes of data to digest */ 924 | CK_BYTE_PTR pDigest, /* gets the message digest */ 925 | CK_ULONG_PTR pulDigestLen /* gets digest length */ 926 | ) 927 | { 928 | SDEBUG("called"); 929 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 930 | } 931 | 932 | 933 | /* C_DigestUpdate continues a multiple-part message-digesting 934 | * operation. */ 935 | SEC_PKCS11_FUNCTION(C_DigestUpdate) 936 | ( 937 | CK_SESSION_HANDLE hSession, /* the session's handle */ 938 | CK_BYTE_PTR pPart, /* data to be digested */ 939 | CK_ULONG ulPartLen /* bytes of data to be digested */ 940 | ) 941 | { 942 | SDEBUG("called"); 943 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 944 | } 945 | 946 | 947 | /* C_DigestKey continues a multi-part message-digesting 948 | * operation, by digesting the value of a secret key as part of 949 | * the data already digested. */ 950 | SEC_PKCS11_FUNCTION(C_DigestKey) 951 | ( 952 | CK_SESSION_HANDLE hSession, /* the session's handle */ 953 | CK_OBJECT_HANDLE hKey /* secret key to digest */ 954 | ) 955 | { 956 | SDEBUG("called"); 957 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 958 | } 959 | 960 | 961 | /* C_DigestFinal finishes a multiple-part message-digesting 962 | * operation. */ 963 | SEC_PKCS11_FUNCTION(C_DigestFinal) 964 | ( 965 | CK_SESSION_HANDLE hSession, /* the session's handle */ 966 | CK_BYTE_PTR pDigest, /* gets the message digest */ 967 | CK_ULONG_PTR pulDigestLen /* gets byte count of digest */ 968 | ) 969 | { 970 | SDEBUG("called"); 971 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 972 | } 973 | 974 | 975 | 976 | /* Signing and MACing */ 977 | 978 | /* C_SignInit initializes a signature (private key encryption) 979 | * operation, where the signature is (will be) an appendix to 980 | * the data, and plaintext cannot be recovered from the 981 | *signature. */ 982 | SEC_PKCS11_FUNCTION(C_SignInit) 983 | ( 984 | CK_SESSION_HANDLE hSession, /* the session's handle */ 985 | CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ 986 | CK_OBJECT_HANDLE hKey /* handle of signature key */ 987 | ) 988 | { 989 | SDEBUG("called"); 990 | if (!g_initialized) 991 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 992 | 993 | if (pMechanism == NULL_PTR) 994 | RETURN_CKR(CKR_ARGUMENTS_BAD); 995 | SDEBUG("mechanism=0x%lx hKey=%lu", pMechanism->mechanism, hKey); 996 | if (pMechanism->mechanism != CKM_RSA_PKCS) 997 | RETURN_CKR(CKR_MECHANISM_INVALID); 998 | if (hKey != SEC_OH_PRIV3) 999 | RETURN_CKR(CKR_KEY_HANDLE_INVALID); 1000 | g_state.sign.inprogress = 1; 1001 | RETURN_CKR(CKR_OK); 1002 | } 1003 | 1004 | 1005 | /* C_Sign signs (encrypts with private key) data in a single 1006 | * part, where the signature is (will be) an appendix to the 1007 | * data, and plaintext cannot be recovered from the signature. */ 1008 | SEC_PKCS11_FUNCTION(C_Sign) 1009 | ( 1010 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1011 | CK_BYTE_PTR pData, /* the data to sign */ 1012 | CK_ULONG ulDataLen, /* count of bytes to sign */ 1013 | CK_BYTE_PTR pSignature, /* gets the signature */ 1014 | CK_ULONG_PTR pulSignatureLen /* gets signature length */ 1015 | ) 1016 | { 1017 | SDEBUG("called pData=%p pSignature=%p pulSignatureLen=%p", pData, pSignature, pulSignatureLen); 1018 | if (!g_initialized) 1019 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 1020 | 1021 | if (!g_state.sign.inprogress) 1022 | RETURN_CKR(CKR_OPERATION_NOT_INITIALIZED); 1023 | 1024 | if (sec_learn_token(g_state.ctx)) { 1025 | RETURN_CKR(CKR_DEVICE_REMOVED); 1026 | } 1027 | if (pSignature == NULL_PTR && pulSignatureLen != NULL_PTR) { 1028 | CK_ATTRIBUTE_PTR pa = sec_al_get_attr(CKA_MODULUS_BITS, g_state.token->alPub[SEC_KEY3]); 1029 | if (pa == NULL) { return CKR_FUNCTION_REJECTED; } 1030 | CK_ULONG siglen = *(CK_ULONG*)pa->pValue + 7 / 8; 1031 | if (*pulSignatureLen < siglen) { 1032 | *pulSignatureLen = siglen; 1033 | RETURN_CKR(CKR_BUFFER_TOO_SMALL); 1034 | } 1035 | RETURN_CKR(CKR_OK); 1036 | } 1037 | 1038 | if (pData == NULL_PTR || pSignature == NULL_PTR || pulSignatureLen == NULL_PTR) 1039 | RETURN_CKR(CKR_ARGUMENTS_BAD); 1040 | 1041 | SDEBUG("datalen=%lu siglen=%lu", ulDataLen, *pulSignatureLen); 1042 | if (ulDataLen == 0 || ulDataLen > SEC_SIGN_MAXLEN) 1043 | RETURN_CKR(CKR_DATA_LEN_RANGE); 1044 | 1045 | gpg_error_t err; 1046 | err = scd_sign_data(g_state.ctx, pSignature, pulSignatureLen, pData, ulDataLen); 1047 | if (err == GPG_ERR_BUFFER_TOO_SHORT) { 1048 | RETURN_CKR(CKR_BUFFER_TOO_SMALL); 1049 | } 1050 | if (err) { 1051 | 1052 | SDEBUG("something went wrong"); 1053 | RETURN_CKR(CKR_GENERAL_ERROR); 1054 | } 1055 | 1056 | g_state.sign.inprogress = 0; 1057 | RETURN_CKR(CKR_OK); 1058 | } 1059 | 1060 | 1061 | /* C_SignUpdate continues a multiple-part signature operation, 1062 | * where the signature is (will be) an appendix to the data, 1063 | * and plaintext cannot be recovered from the signature. */ 1064 | SEC_PKCS11_FUNCTION(C_SignUpdate) 1065 | ( 1066 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1067 | CK_BYTE_PTR pPart, /* the data to sign */ 1068 | CK_ULONG ulPartLen /* count of bytes to sign */ 1069 | ) 1070 | { 1071 | SDEBUG("called"); 1072 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1073 | } 1074 | 1075 | 1076 | /* C_SignFinal finishes a multiple-part signature operation, 1077 | * returning the signature. */ 1078 | SEC_PKCS11_FUNCTION(C_SignFinal) 1079 | ( 1080 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1081 | CK_BYTE_PTR pSignature, /* gets the signature */ 1082 | CK_ULONG_PTR pulSignatureLen /* gets signature length */ 1083 | ) 1084 | { 1085 | SDEBUG("called"); 1086 | g_state.sign.inprogress = 0; 1087 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1088 | } 1089 | 1090 | 1091 | /* C_SignRecoverInit initializes a signature operation, where 1092 | * the data can be recovered from the signature. */ 1093 | SEC_PKCS11_FUNCTION(C_SignRecoverInit) 1094 | ( 1095 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1096 | CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ 1097 | CK_OBJECT_HANDLE hKey /* handle of the signature key */ 1098 | ) 1099 | { 1100 | SDEBUG("called"); 1101 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1102 | } 1103 | 1104 | 1105 | /* C_SignRecover signs data in a single operation, where the 1106 | * data can be recovered from the signature. */ 1107 | SEC_PKCS11_FUNCTION(C_SignRecover) 1108 | ( 1109 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1110 | CK_BYTE_PTR pData, /* the data to sign */ 1111 | CK_ULONG ulDataLen, /* count of bytes to sign */ 1112 | CK_BYTE_PTR pSignature, /* gets the signature */ 1113 | CK_ULONG_PTR pulSignatureLen /* gets signature length */ 1114 | ) 1115 | { 1116 | SDEBUG("called"); 1117 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1118 | } 1119 | 1120 | 1121 | 1122 | /* Verifying signatures and MACs */ 1123 | 1124 | /* C_VerifyInit initializes a verification operation, where the 1125 | * signature is an appendix to the data, and plaintext cannot 1126 | * cannot be recovered from the signature (e.g. DSA). */ 1127 | SEC_PKCS11_FUNCTION(C_VerifyInit) 1128 | ( 1129 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1130 | CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ 1131 | CK_OBJECT_HANDLE hKey /* verification key */ 1132 | ) 1133 | { 1134 | SDEBUG("called"); 1135 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1136 | } 1137 | 1138 | 1139 | /* C_Verify verifies a signature in a single-part operation, 1140 | * where the signature is an appendix to the data, and plaintext 1141 | * cannot be recovered from the signature. */ 1142 | SEC_PKCS11_FUNCTION(C_Verify) 1143 | ( 1144 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1145 | CK_BYTE_PTR pData, /* signed data */ 1146 | CK_ULONG ulDataLen, /* length of signed data */ 1147 | CK_BYTE_PTR pSignature, /* signature */ 1148 | CK_ULONG ulSignatureLen /* signature length*/ 1149 | ) 1150 | { 1151 | SDEBUG("called"); 1152 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1153 | } 1154 | 1155 | 1156 | /* C_VerifyUpdate continues a multiple-part verification 1157 | * operation, where the signature is an appendix to the data, 1158 | * and plaintext cannot be recovered from the signature. */ 1159 | SEC_PKCS11_FUNCTION(C_VerifyUpdate) 1160 | ( 1161 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1162 | CK_BYTE_PTR pPart, /* signed data */ 1163 | CK_ULONG ulPartLen /* length of signed data */ 1164 | ) 1165 | { 1166 | SDEBUG("called"); 1167 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1168 | } 1169 | 1170 | 1171 | /* C_VerifyFinal finishes a multiple-part verification 1172 | * operation, checking the signature. */ 1173 | SEC_PKCS11_FUNCTION(C_VerifyFinal) 1174 | ( 1175 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1176 | CK_BYTE_PTR pSignature, /* signature to verify */ 1177 | CK_ULONG ulSignatureLen /* signature length */ 1178 | ) 1179 | { 1180 | SDEBUG("called"); 1181 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1182 | } 1183 | 1184 | 1185 | /* C_VerifyRecoverInit initializes a signature verification 1186 | * operation, where the data is recovered from the signature. */ 1187 | SEC_PKCS11_FUNCTION(C_VerifyRecoverInit) 1188 | ( 1189 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1190 | CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ 1191 | CK_OBJECT_HANDLE hKey /* verification key */ 1192 | ) 1193 | { 1194 | SDEBUG("called"); 1195 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1196 | } 1197 | 1198 | 1199 | /* C_VerifyRecover verifies a signature in a single-part 1200 | * operation, where the data is recovered from the signature. */ 1201 | SEC_PKCS11_FUNCTION(C_VerifyRecover) 1202 | ( 1203 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1204 | CK_BYTE_PTR pSignature, /* signature to verify */ 1205 | CK_ULONG ulSignatureLen, /* signature length */ 1206 | CK_BYTE_PTR pData, /* gets signed data */ 1207 | CK_ULONG_PTR pulDataLen /* gets signed data len */ 1208 | ) 1209 | { 1210 | SDEBUG("called"); 1211 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1212 | } 1213 | 1214 | 1215 | 1216 | /* Dual-function cryptographic operations */ 1217 | 1218 | /* C_DigestEncryptUpdate continues a multiple-part digesting 1219 | * and encryption operation. */ 1220 | SEC_PKCS11_FUNCTION(C_DigestEncryptUpdate) 1221 | ( 1222 | CK_SESSION_HANDLE hSession, /* session's handle */ 1223 | CK_BYTE_PTR pPart, /* the plaintext data */ 1224 | CK_ULONG ulPartLen, /* plaintext length */ 1225 | CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ 1226 | CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ 1227 | ) 1228 | { 1229 | SDEBUG("called"); 1230 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1231 | } 1232 | 1233 | 1234 | /* C_DecryptDigestUpdate continues a multiple-part decryption and 1235 | * digesting operation. */ 1236 | SEC_PKCS11_FUNCTION(C_DecryptDigestUpdate) 1237 | ( 1238 | CK_SESSION_HANDLE hSession, /* session's handle */ 1239 | CK_BYTE_PTR pEncryptedPart, /* ciphertext */ 1240 | CK_ULONG ulEncryptedPartLen, /* ciphertext length */ 1241 | CK_BYTE_PTR pPart, /* gets plaintext */ 1242 | CK_ULONG_PTR pulPartLen /* gets plaintext len */ 1243 | ) 1244 | { 1245 | SDEBUG("called"); 1246 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1247 | } 1248 | 1249 | 1250 | /* C_SignEncryptUpdate continues a multiple-part signing and 1251 | * encryption operation. */ 1252 | SEC_PKCS11_FUNCTION(C_SignEncryptUpdate) 1253 | ( 1254 | CK_SESSION_HANDLE hSession, /* session's handle */ 1255 | CK_BYTE_PTR pPart, /* the plaintext data */ 1256 | CK_ULONG ulPartLen, /* plaintext length */ 1257 | CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ 1258 | CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ 1259 | ) 1260 | { 1261 | SDEBUG("called"); 1262 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1263 | } 1264 | 1265 | 1266 | /* C_DecryptVerifyUpdate continues a multiple-part decryption and 1267 | * verify operation. */ 1268 | SEC_PKCS11_FUNCTION(C_DecryptVerifyUpdate) 1269 | ( 1270 | CK_SESSION_HANDLE hSession, /* session's handle */ 1271 | CK_BYTE_PTR pEncryptedPart, /* ciphertext */ 1272 | CK_ULONG ulEncryptedPartLen, /* ciphertext length */ 1273 | CK_BYTE_PTR pPart, /* gets plaintext */ 1274 | CK_ULONG_PTR pulPartLen /* gets p-text length */ 1275 | ) 1276 | { 1277 | SDEBUG("called"); 1278 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1279 | } 1280 | 1281 | 1282 | 1283 | /* Key management */ 1284 | 1285 | /* C_GenerateKey generates a secret key, creating a new key 1286 | * object. */ 1287 | SEC_PKCS11_FUNCTION(C_GenerateKey) 1288 | ( 1289 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1290 | CK_MECHANISM_PTR pMechanism, /* key generation mech. */ 1291 | CK_ATTRIBUTE_PTR pTemplate, /* template for new key */ 1292 | CK_ULONG ulCount, /* # of attrs in template */ 1293 | CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */ 1294 | ) 1295 | { 1296 | SDEBUG("called"); 1297 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1298 | } 1299 | 1300 | 1301 | /* C_GenerateKeyPair generates a public-key/private-key pair, 1302 | * creating new key objects. */ 1303 | SEC_PKCS11_FUNCTION(C_GenerateKeyPair) 1304 | ( 1305 | CK_SESSION_HANDLE hSession, /* session 1306 | * handle */ 1307 | CK_MECHANISM_PTR pMechanism, /* key-gen 1308 | * mech. */ 1309 | CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template 1310 | * for pub. 1311 | * key */ 1312 | CK_ULONG ulPublicKeyAttributeCount, /* # pub. 1313 | * attrs. */ 1314 | CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template 1315 | * for priv. 1316 | * key */ 1317 | CK_ULONG ulPrivateKeyAttributeCount, /* # priv. 1318 | * attrs. */ 1319 | CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. 1320 | * key 1321 | * handle */ 1322 | CK_OBJECT_HANDLE_PTR phPrivateKey /* gets 1323 | * priv. key 1324 | * handle */ 1325 | ) 1326 | { 1327 | SDEBUG("called"); 1328 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1329 | } 1330 | 1331 | 1332 | /* C_WrapKey wraps (i.e., encrypts) a key. */ 1333 | SEC_PKCS11_FUNCTION(C_WrapKey) 1334 | ( 1335 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1336 | CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */ 1337 | CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */ 1338 | CK_OBJECT_HANDLE hKey, /* key to be wrapped */ 1339 | CK_BYTE_PTR pWrappedKey, /* gets wrapped key */ 1340 | CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */ 1341 | ) 1342 | { 1343 | SDEBUG("called"); 1344 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1345 | } 1346 | 1347 | 1348 | /* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new 1349 | * key object. */ 1350 | SEC_PKCS11_FUNCTION(C_UnwrapKey) 1351 | ( 1352 | CK_SESSION_HANDLE hSession, /* session's handle */ 1353 | CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */ 1354 | CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */ 1355 | CK_BYTE_PTR pWrappedKey, /* the wrapped key */ 1356 | CK_ULONG ulWrappedKeyLen, /* wrapped key len */ 1357 | CK_ATTRIBUTE_PTR pTemplate, /* new key template */ 1358 | CK_ULONG ulAttributeCount, /* template length */ 1359 | CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ 1360 | ) 1361 | { 1362 | SDEBUG("called"); 1363 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1364 | } 1365 | 1366 | 1367 | /* C_DeriveKey derives a key from a base key, creating a new key 1368 | * object. */ 1369 | SEC_PKCS11_FUNCTION(C_DeriveKey) 1370 | ( 1371 | CK_SESSION_HANDLE hSession, /* session's handle */ 1372 | CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */ 1373 | CK_OBJECT_HANDLE hBaseKey, /* base key */ 1374 | CK_ATTRIBUTE_PTR pTemplate, /* new key template */ 1375 | CK_ULONG ulAttributeCount, /* template length */ 1376 | CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ 1377 | ) 1378 | { 1379 | SDEBUG("called"); 1380 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1381 | } 1382 | 1383 | 1384 | 1385 | /* Random number generation */ 1386 | 1387 | /* C_SeedRandom mixes additional seed material into the token's 1388 | * random number generator. */ 1389 | SEC_PKCS11_FUNCTION(C_SeedRandom) 1390 | ( 1391 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1392 | CK_BYTE_PTR pSeed, /* the seed material */ 1393 | CK_ULONG ulSeedLen /* length of seed material */ 1394 | ) 1395 | { 1396 | SDEBUG("called"); 1397 | RETURN_CKR(CKR_RANDOM_SEED_NOT_SUPPORTED); 1398 | } 1399 | 1400 | 1401 | /* C_GenerateRandom generates random data. */ 1402 | SEC_PKCS11_FUNCTION(C_GenerateRandom) 1403 | ( 1404 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1405 | CK_BYTE_PTR RandomData, /* receives the random data */ 1406 | CK_ULONG ulRandomLen /* # of bytes to generate */ 1407 | ) 1408 | { 1409 | SDEBUG("called"); 1410 | if (!g_initialized) 1411 | RETURN_CKR(CKR_CRYPTOKI_NOT_INITIALIZED); 1412 | 1413 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1414 | } 1415 | 1416 | 1417 | 1418 | /* Parallel function management */ 1419 | 1420 | /* C_GetFunctionStatus is a legacy function; it obtains an 1421 | * updated status of a function running in parallel with an 1422 | * application. */ 1423 | SEC_PKCS11_FUNCTION(C_GetFunctionStatus) 1424 | ( 1425 | CK_SESSION_HANDLE hSession /* the session's handle */ 1426 | ) 1427 | { 1428 | SDEBUG("called"); 1429 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1430 | } 1431 | 1432 | 1433 | /* C_CancelFunction is a legacy function; it cancels a function 1434 | * running in parallel. */ 1435 | SEC_PKCS11_FUNCTION(C_CancelFunction) 1436 | ( 1437 | CK_SESSION_HANDLE hSession /* the session's handle */ 1438 | ) 1439 | { 1440 | SDEBUG("called"); 1441 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1442 | } 1443 | 1444 | 1445 | 1446 | /* Functions added in for Cryptoki Version 2.01 or later */ 1447 | 1448 | /* C_WaitForSlotEvent waits for a slot event (token insertion, 1449 | * removal, etc.) to occur. */ 1450 | SEC_PKCS11_FUNCTION(C_WaitForSlotEvent) 1451 | ( 1452 | CK_FLAGS flags, /* blocking/nonblocking flag */ 1453 | CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */ 1454 | CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */ 1455 | ) 1456 | { 1457 | SDEBUG("called"); 1458 | RETURN_CKR(CKR_FUNCTION_NOT_SUPPORTED); 1459 | } 1460 | -------------------------------------------------------------------------------- /pkcs11.h: -------------------------------------------------------------------------------- 1 | /* 02-Sep-2008 from ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/ */ 2 | 3 | /* pkcs11.h include file for PKCS #11. */ 4 | /* $Revision: 1.4 $ */ 5 | 6 | /* License to copy and use this software is granted provided that it is 7 | * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface 8 | * (Cryptoki)" in all material mentioning or referencing this software. 9 | 10 | * License is also granted to make and use derivative works provided that 11 | * such works are identified as "derived from the RSA Security Inc. PKCS #11 12 | * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 13 | * referencing the derived work. 14 | 15 | * RSA Security Inc. makes no representations concerning either the 16 | * merchantability of this software or the suitability of this software for 17 | * any particular purpose. It is provided "as is" without express or implied 18 | * warranty of any kind. 19 | */ 20 | 21 | #ifndef _PKCS11_H_ 22 | #define _PKCS11_H_ 1 23 | 24 | #ifdef __cplusplus 25 | extern "C" { 26 | #endif 27 | 28 | /* Before including this file (pkcs11.h) (or pkcs11t.h by 29 | * itself), 6 platform-specific macros must be defined. These 30 | * macros are described below, and typical definitions for them 31 | * are also given. Be advised that these definitions can depend 32 | * on both the platform and the compiler used (and possibly also 33 | * on whether a Cryptoki library is linked statically or 34 | * dynamically). 35 | * 36 | * In addition to defining these 6 macros, the packing convention 37 | * for Cryptoki structures should be set. The Cryptoki 38 | * convention on packing is that structures should be 1-byte 39 | * aligned. 40 | * 41 | * If you're using Microsoft Developer Studio 5.0 to produce 42 | * Win32 stuff, this might be done by using the following 43 | * preprocessor directive before including pkcs11.h or pkcs11t.h: 44 | * 45 | * #pragma pack(push, cryptoki, 1) 46 | * 47 | * and using the following preprocessor directive after including 48 | * pkcs11.h or pkcs11t.h: 49 | * 50 | * #pragma pack(pop, cryptoki) 51 | * 52 | * If you're using an earlier version of Microsoft Developer 53 | * Studio to produce Win16 stuff, this might be done by using 54 | * the following preprocessor directive before including 55 | * pkcs11.h or pkcs11t.h: 56 | * 57 | * #pragma pack(1) 58 | * 59 | * In a UNIX environment, you're on your own for this. You might 60 | * not need to do (or be able to do!) anything. 61 | * 62 | * 63 | * Now for the macros: 64 | * 65 | * 66 | * 1. CK_PTR: The indirection string for making a pointer to an 67 | * object. It can be used like this: 68 | * 69 | * typedef CK_BYTE CK_PTR CK_BYTE_PTR; 70 | * 71 | * If you're using Microsoft Developer Studio 5.0 to produce 72 | * Win32 stuff, it might be defined by: 73 | * 74 | * #define CK_PTR * 75 | * 76 | * If you're using an earlier version of Microsoft Developer 77 | * Studio to produce Win16 stuff, it might be defined by: 78 | * 79 | * #define CK_PTR far * 80 | * 81 | * In a typical UNIX environment, it might be defined by: 82 | * 83 | * #define CK_PTR * 84 | * 85 | * 86 | * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes 87 | * an exportable Cryptoki library function definition out of a 88 | * return type and a function name. It should be used in the 89 | * following fashion to define the exposed Cryptoki functions in 90 | * a Cryptoki library: 91 | * 92 | * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)( 93 | * CK_VOID_PTR pReserved 94 | * ) 95 | * { 96 | * ... 97 | * } 98 | * 99 | * If you're using Microsoft Developer Studio 5.0 to define a 100 | * function in a Win32 Cryptoki .dll, it might be defined by: 101 | * 102 | * #define CK_DEFINE_FUNCTION(returnType, name) \ 103 | * returnType __declspec(dllexport) name 104 | * 105 | * If you're using an earlier version of Microsoft Developer 106 | * Studio to define a function in a Win16 Cryptoki .dll, it 107 | * might be defined by: 108 | * 109 | * #define CK_DEFINE_FUNCTION(returnType, name) \ 110 | * returnType __export _far _pascal name 111 | * 112 | * In a UNIX environment, it might be defined by: 113 | * 114 | * #define CK_DEFINE_FUNCTION(returnType, name) \ 115 | * returnType name 116 | * 117 | * 118 | * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes 119 | * an importable Cryptoki library function declaration out of a 120 | * return type and a function name. It should be used in the 121 | * following fashion: 122 | * 123 | * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)( 124 | * CK_VOID_PTR pReserved 125 | * ); 126 | * 127 | * If you're using Microsoft Developer Studio 5.0 to declare a 128 | * function in a Win32 Cryptoki .dll, it might be defined by: 129 | * 130 | * #define CK_DECLARE_FUNCTION(returnType, name) \ 131 | * returnType __declspec(dllimport) name 132 | * 133 | * If you're using an earlier version of Microsoft Developer 134 | * Studio to declare a function in a Win16 Cryptoki .dll, it 135 | * might be defined by: 136 | * 137 | * #define CK_DECLARE_FUNCTION(returnType, name) \ 138 | * returnType __export _far _pascal name 139 | * 140 | * In a UNIX environment, it might be defined by: 141 | * 142 | * #define CK_DECLARE_FUNCTION(returnType, name) \ 143 | * returnType name 144 | * 145 | * 146 | * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro 147 | * which makes a Cryptoki API function pointer declaration or 148 | * function pointer type declaration out of a return type and a 149 | * function name. It should be used in the following fashion: 150 | * 151 | * // Define funcPtr to be a pointer to a Cryptoki API function 152 | * // taking arguments args and returning CK_RV. 153 | * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args); 154 | * 155 | * or 156 | * 157 | * // Define funcPtrType to be the type of a pointer to a 158 | * // Cryptoki API function taking arguments args and returning 159 | * // CK_RV, and then define funcPtr to be a variable of type 160 | * // funcPtrType. 161 | * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args); 162 | * funcPtrType funcPtr; 163 | * 164 | * If you're using Microsoft Developer Studio 5.0 to access 165 | * functions in a Win32 Cryptoki .dll, in might be defined by: 166 | * 167 | * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ 168 | * returnType __declspec(dllimport) (* name) 169 | * 170 | * If you're using an earlier version of Microsoft Developer 171 | * Studio to access functions in a Win16 Cryptoki .dll, it might 172 | * be defined by: 173 | * 174 | * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ 175 | * returnType __export _far _pascal (* name) 176 | * 177 | * In a UNIX environment, it might be defined by: 178 | * 179 | * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ 180 | * returnType (* name) 181 | * 182 | * 183 | * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes 184 | * a function pointer type for an application callback out of 185 | * a return type for the callback and a name for the callback. 186 | * It should be used in the following fashion: 187 | * 188 | * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args); 189 | * 190 | * to declare a function pointer, myCallback, to a callback 191 | * which takes arguments args and returns a CK_RV. It can also 192 | * be used like this: 193 | * 194 | * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args); 195 | * myCallbackType myCallback; 196 | * 197 | * If you're using Microsoft Developer Studio 5.0 to do Win32 198 | * Cryptoki development, it might be defined by: 199 | * 200 | * #define CK_CALLBACK_FUNCTION(returnType, name) \ 201 | * returnType (* name) 202 | * 203 | * If you're using an earlier version of Microsoft Developer 204 | * Studio to do Win16 development, it might be defined by: 205 | * 206 | * #define CK_CALLBACK_FUNCTION(returnType, name) \ 207 | * returnType _far _pascal (* name) 208 | * 209 | * In a UNIX environment, it might be defined by: 210 | * 211 | * #define CK_CALLBACK_FUNCTION(returnType, name) \ 212 | * returnType (* name) 213 | * 214 | * 215 | * 6. NULL_PTR: This macro is the value of a NULL pointer. 216 | * 217 | * In any ANSI/ISO C environment (and in many others as well), 218 | * this should best be defined by 219 | * 220 | * #ifndef NULL_PTR 221 | * #define NULL_PTR 0 222 | * #endif 223 | */ 224 | 225 | 226 | /* All the various Cryptoki types and #define'd values are in the 227 | * file pkcs11t.h. */ 228 | #include "pkcs11t.h" 229 | 230 | #define __PASTE(x,y) x##y 231 | 232 | 233 | /* ============================================================== 234 | * Define the "extern" form of all the entry points. 235 | * ============================================================== 236 | */ 237 | 238 | #define CK_NEED_ARG_LIST 1 239 | #define CK_PKCS11_FUNCTION_INFO(name) \ 240 | extern CK_DECLARE_FUNCTION(CK_RV, name) 241 | 242 | /* pkcs11f.h has all the information about the Cryptoki 243 | * function prototypes. */ 244 | #include "pkcs11f.h" 245 | 246 | #undef CK_NEED_ARG_LIST 247 | #undef CK_PKCS11_FUNCTION_INFO 248 | 249 | 250 | /* ============================================================== 251 | * Define the typedef form of all the entry points. That is, for 252 | * each Cryptoki function C_XXX, define a type CK_C_XXX which is 253 | * a pointer to that kind of function. 254 | * ============================================================== 255 | */ 256 | 257 | #define CK_NEED_ARG_LIST 1 258 | #define CK_PKCS11_FUNCTION_INFO(name) \ 259 | typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name)) 260 | 261 | /* pkcs11f.h has all the information about the Cryptoki 262 | * function prototypes. */ 263 | #include "pkcs11f.h" 264 | 265 | #undef CK_NEED_ARG_LIST 266 | #undef CK_PKCS11_FUNCTION_INFO 267 | 268 | 269 | /* ============================================================== 270 | * Define structed vector of entry points. A CK_FUNCTION_LIST 271 | * contains a CK_VERSION indicating a library's Cryptoki version 272 | * and then a whole slew of function pointers to the routines in 273 | * the library. This type was declared, but not defined, in 274 | * pkcs11t.h. 275 | * ============================================================== 276 | */ 277 | 278 | #define CK_PKCS11_FUNCTION_INFO(name) \ 279 | __PASTE(CK_,name) name; 280 | 281 | struct CK_FUNCTION_LIST { 282 | 283 | CK_VERSION version; /* Cryptoki version */ 284 | 285 | /* Pile all the function pointers into the CK_FUNCTION_LIST. */ 286 | /* pkcs11f.h has all the information about the Cryptoki 287 | * function prototypes. */ 288 | #include "pkcs11f.h" 289 | 290 | }; 291 | 292 | #undef CK_PKCS11_FUNCTION_INFO 293 | 294 | 295 | #undef __PASTE 296 | 297 | #ifdef __cplusplus 298 | } 299 | #endif 300 | 301 | #endif 302 | -------------------------------------------------------------------------------- /pkcs11f.h: -------------------------------------------------------------------------------- 1 | /* pkcs11f.h include file for PKCS #11. */ 2 | /* $Revision: 1.4 $ */ 3 | 4 | /* License to copy and use this software is granted provided that it is 5 | * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface 6 | * (Cryptoki)" in all material mentioning or referencing this software. 7 | 8 | * License is also granted to make and use derivative works provided that 9 | * such works are identified as "derived from the RSA Security Inc. PKCS #11 10 | * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 11 | * referencing the derived work. 12 | 13 | * RSA Security Inc. makes no representations concerning either the 14 | * merchantability of this software or the suitability of this software for 15 | * any particular purpose. It is provided "as is" without express or implied 16 | * warranty of any kind. 17 | */ 18 | 19 | /* This header file contains pretty much everything about all the */ 20 | /* Cryptoki function prototypes. Because this information is */ 21 | /* used for more than just declaring function prototypes, the */ 22 | /* order of the functions appearing herein is important, and */ 23 | /* should not be altered. */ 24 | 25 | /* General-purpose */ 26 | 27 | /* C_Initialize initializes the Cryptoki library. */ 28 | CK_PKCS11_FUNCTION_INFO(C_Initialize) 29 | #ifdef CK_NEED_ARG_LIST 30 | ( 31 | CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets 32 | * cast to CK_C_INITIALIZE_ARGS_PTR 33 | * and dereferenced */ 34 | ); 35 | #endif 36 | 37 | 38 | /* C_Finalize indicates that an application is done with the 39 | * Cryptoki library. */ 40 | CK_PKCS11_FUNCTION_INFO(C_Finalize) 41 | #ifdef CK_NEED_ARG_LIST 42 | ( 43 | CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */ 44 | ); 45 | #endif 46 | 47 | 48 | /* C_GetInfo returns general information about Cryptoki. */ 49 | CK_PKCS11_FUNCTION_INFO(C_GetInfo) 50 | #ifdef CK_NEED_ARG_LIST 51 | ( 52 | CK_INFO_PTR pInfo /* location that receives information */ 53 | ); 54 | #endif 55 | 56 | 57 | /* C_GetFunctionList returns the function list. */ 58 | CK_PKCS11_FUNCTION_INFO(C_GetFunctionList) 59 | #ifdef CK_NEED_ARG_LIST 60 | ( 61 | CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to 62 | * function list */ 63 | ); 64 | #endif 65 | 66 | 67 | 68 | /* Slot and token management */ 69 | 70 | /* C_GetSlotList obtains a list of slots in the system. */ 71 | CK_PKCS11_FUNCTION_INFO(C_GetSlotList) 72 | #ifdef CK_NEED_ARG_LIST 73 | ( 74 | CK_BBOOL tokenPresent, /* only slots with tokens? */ 75 | CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */ 76 | CK_ULONG_PTR pulCount /* receives number of slots */ 77 | ); 78 | #endif 79 | 80 | 81 | /* C_GetSlotInfo obtains information about a particular slot in 82 | * the system. */ 83 | CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo) 84 | #ifdef CK_NEED_ARG_LIST 85 | ( 86 | CK_SLOT_ID slotID, /* the ID of the slot */ 87 | CK_SLOT_INFO_PTR pInfo /* receives the slot information */ 88 | ); 89 | #endif 90 | 91 | 92 | /* C_GetTokenInfo obtains information about a particular token 93 | * in the system. */ 94 | CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo) 95 | #ifdef CK_NEED_ARG_LIST 96 | ( 97 | CK_SLOT_ID slotID, /* ID of the token's slot */ 98 | CK_TOKEN_INFO_PTR pInfo /* receives the token information */ 99 | ); 100 | #endif 101 | 102 | 103 | /* C_GetMechanismList obtains a list of mechanism types 104 | * supported by a token. */ 105 | CK_PKCS11_FUNCTION_INFO(C_GetMechanismList) 106 | #ifdef CK_NEED_ARG_LIST 107 | ( 108 | CK_SLOT_ID slotID, /* ID of token's slot */ 109 | CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */ 110 | CK_ULONG_PTR pulCount /* gets # of mechs. */ 111 | ); 112 | #endif 113 | 114 | 115 | /* C_GetMechanismInfo obtains information about a particular 116 | * mechanism possibly supported by a token. */ 117 | CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo) 118 | #ifdef CK_NEED_ARG_LIST 119 | ( 120 | CK_SLOT_ID slotID, /* ID of the token's slot */ 121 | CK_MECHANISM_TYPE type, /* type of mechanism */ 122 | CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */ 123 | ); 124 | #endif 125 | 126 | 127 | /* C_InitToken initializes a token. */ 128 | CK_PKCS11_FUNCTION_INFO(C_InitToken) 129 | #ifdef CK_NEED_ARG_LIST 130 | /* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */ 131 | ( 132 | CK_SLOT_ID slotID, /* ID of the token's slot */ 133 | CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */ 134 | CK_ULONG ulPinLen, /* length in bytes of the PIN */ 135 | CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */ 136 | ); 137 | #endif 138 | 139 | 140 | /* C_InitPIN initializes the normal user's PIN. */ 141 | CK_PKCS11_FUNCTION_INFO(C_InitPIN) 142 | #ifdef CK_NEED_ARG_LIST 143 | ( 144 | CK_SESSION_HANDLE hSession, /* the session's handle */ 145 | CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */ 146 | CK_ULONG ulPinLen /* length in bytes of the PIN */ 147 | ); 148 | #endif 149 | 150 | 151 | /* C_SetPIN modifies the PIN of the user who is logged in. */ 152 | CK_PKCS11_FUNCTION_INFO(C_SetPIN) 153 | #ifdef CK_NEED_ARG_LIST 154 | ( 155 | CK_SESSION_HANDLE hSession, /* the session's handle */ 156 | CK_UTF8CHAR_PTR pOldPin, /* the old PIN */ 157 | CK_ULONG ulOldLen, /* length of the old PIN */ 158 | CK_UTF8CHAR_PTR pNewPin, /* the new PIN */ 159 | CK_ULONG ulNewLen /* length of the new PIN */ 160 | ); 161 | #endif 162 | 163 | 164 | 165 | /* Session management */ 166 | 167 | /* C_OpenSession opens a session between an application and a 168 | * token. */ 169 | CK_PKCS11_FUNCTION_INFO(C_OpenSession) 170 | #ifdef CK_NEED_ARG_LIST 171 | ( 172 | CK_SLOT_ID slotID, /* the slot's ID */ 173 | CK_FLAGS flags, /* from CK_SESSION_INFO */ 174 | CK_VOID_PTR pApplication, /* passed to callback */ 175 | CK_NOTIFY Notify, /* callback function */ 176 | CK_SESSION_HANDLE_PTR phSession /* gets session handle */ 177 | ); 178 | #endif 179 | 180 | 181 | /* C_CloseSession closes a session between an application and a 182 | * token. */ 183 | CK_PKCS11_FUNCTION_INFO(C_CloseSession) 184 | #ifdef CK_NEED_ARG_LIST 185 | ( 186 | CK_SESSION_HANDLE hSession /* the session's handle */ 187 | ); 188 | #endif 189 | 190 | 191 | /* C_CloseAllSessions closes all sessions with a token. */ 192 | CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions) 193 | #ifdef CK_NEED_ARG_LIST 194 | ( 195 | CK_SLOT_ID slotID /* the token's slot */ 196 | ); 197 | #endif 198 | 199 | 200 | /* C_GetSessionInfo obtains information about the session. */ 201 | CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo) 202 | #ifdef CK_NEED_ARG_LIST 203 | ( 204 | CK_SESSION_HANDLE hSession, /* the session's handle */ 205 | CK_SESSION_INFO_PTR pInfo /* receives session info */ 206 | ); 207 | #endif 208 | 209 | 210 | /* C_GetOperationState obtains the state of the cryptographic operation 211 | * in a session. */ 212 | CK_PKCS11_FUNCTION_INFO(C_GetOperationState) 213 | #ifdef CK_NEED_ARG_LIST 214 | ( 215 | CK_SESSION_HANDLE hSession, /* session's handle */ 216 | CK_BYTE_PTR pOperationState, /* gets state */ 217 | CK_ULONG_PTR pulOperationStateLen /* gets state length */ 218 | ); 219 | #endif 220 | 221 | 222 | /* C_SetOperationState restores the state of the cryptographic 223 | * operation in a session. */ 224 | CK_PKCS11_FUNCTION_INFO(C_SetOperationState) 225 | #ifdef CK_NEED_ARG_LIST 226 | ( 227 | CK_SESSION_HANDLE hSession, /* session's handle */ 228 | CK_BYTE_PTR pOperationState, /* holds state */ 229 | CK_ULONG ulOperationStateLen, /* holds state length */ 230 | CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */ 231 | CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */ 232 | ); 233 | #endif 234 | 235 | 236 | /* C_Login logs a user into a token. */ 237 | CK_PKCS11_FUNCTION_INFO(C_Login) 238 | #ifdef CK_NEED_ARG_LIST 239 | ( 240 | CK_SESSION_HANDLE hSession, /* the session's handle */ 241 | CK_USER_TYPE userType, /* the user type */ 242 | CK_UTF8CHAR_PTR pPin, /* the user's PIN */ 243 | CK_ULONG ulPinLen /* the length of the PIN */ 244 | ); 245 | #endif 246 | 247 | 248 | /* C_Logout logs a user out from a token. */ 249 | CK_PKCS11_FUNCTION_INFO(C_Logout) 250 | #ifdef CK_NEED_ARG_LIST 251 | ( 252 | CK_SESSION_HANDLE hSession /* the session's handle */ 253 | ); 254 | #endif 255 | 256 | 257 | 258 | /* Object management */ 259 | 260 | /* C_CreateObject creates a new object. */ 261 | CK_PKCS11_FUNCTION_INFO(C_CreateObject) 262 | #ifdef CK_NEED_ARG_LIST 263 | ( 264 | CK_SESSION_HANDLE hSession, /* the session's handle */ 265 | CK_ATTRIBUTE_PTR pTemplate, /* the object's template */ 266 | CK_ULONG ulCount, /* attributes in template */ 267 | CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */ 268 | ); 269 | #endif 270 | 271 | 272 | /* C_CopyObject copies an object, creating a new object for the 273 | * copy. */ 274 | CK_PKCS11_FUNCTION_INFO(C_CopyObject) 275 | #ifdef CK_NEED_ARG_LIST 276 | ( 277 | CK_SESSION_HANDLE hSession, /* the session's handle */ 278 | CK_OBJECT_HANDLE hObject, /* the object's handle */ 279 | CK_ATTRIBUTE_PTR pTemplate, /* template for new object */ 280 | CK_ULONG ulCount, /* attributes in template */ 281 | CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */ 282 | ); 283 | #endif 284 | 285 | 286 | /* C_DestroyObject destroys an object. */ 287 | CK_PKCS11_FUNCTION_INFO(C_DestroyObject) 288 | #ifdef CK_NEED_ARG_LIST 289 | ( 290 | CK_SESSION_HANDLE hSession, /* the session's handle */ 291 | CK_OBJECT_HANDLE hObject /* the object's handle */ 292 | ); 293 | #endif 294 | 295 | 296 | /* C_GetObjectSize gets the size of an object in bytes. */ 297 | CK_PKCS11_FUNCTION_INFO(C_GetObjectSize) 298 | #ifdef CK_NEED_ARG_LIST 299 | ( 300 | CK_SESSION_HANDLE hSession, /* the session's handle */ 301 | CK_OBJECT_HANDLE hObject, /* the object's handle */ 302 | CK_ULONG_PTR pulSize /* receives size of object */ 303 | ); 304 | #endif 305 | 306 | 307 | /* C_GetAttributeValue obtains the value of one or more object 308 | * attributes. */ 309 | CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue) 310 | #ifdef CK_NEED_ARG_LIST 311 | ( 312 | CK_SESSION_HANDLE hSession, /* the session's handle */ 313 | CK_OBJECT_HANDLE hObject, /* the object's handle */ 314 | CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */ 315 | CK_ULONG ulCount /* attributes in template */ 316 | ); 317 | #endif 318 | 319 | 320 | /* C_SetAttributeValue modifies the value of one or more object 321 | * attributes */ 322 | CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue) 323 | #ifdef CK_NEED_ARG_LIST 324 | ( 325 | CK_SESSION_HANDLE hSession, /* the session's handle */ 326 | CK_OBJECT_HANDLE hObject, /* the object's handle */ 327 | CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */ 328 | CK_ULONG ulCount /* attributes in template */ 329 | ); 330 | #endif 331 | 332 | 333 | /* C_FindObjectsInit initializes a search for token and session 334 | * objects that match a template. */ 335 | CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit) 336 | #ifdef CK_NEED_ARG_LIST 337 | ( 338 | CK_SESSION_HANDLE hSession, /* the session's handle */ 339 | CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */ 340 | CK_ULONG ulCount /* attrs in search template */ 341 | ); 342 | #endif 343 | 344 | 345 | /* C_FindObjects continues a search for token and session 346 | * objects that match a template, obtaining additional object 347 | * handles. */ 348 | CK_PKCS11_FUNCTION_INFO(C_FindObjects) 349 | #ifdef CK_NEED_ARG_LIST 350 | ( 351 | CK_SESSION_HANDLE hSession, /* session's handle */ 352 | CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */ 353 | CK_ULONG ulMaxObjectCount, /* max handles to get */ 354 | CK_ULONG_PTR pulObjectCount /* actual # returned */ 355 | ); 356 | #endif 357 | 358 | 359 | /* C_FindObjectsFinal finishes a search for token and session 360 | * objects. */ 361 | CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal) 362 | #ifdef CK_NEED_ARG_LIST 363 | ( 364 | CK_SESSION_HANDLE hSession /* the session's handle */ 365 | ); 366 | #endif 367 | 368 | 369 | 370 | /* Encryption and decryption */ 371 | 372 | /* C_EncryptInit initializes an encryption operation. */ 373 | CK_PKCS11_FUNCTION_INFO(C_EncryptInit) 374 | #ifdef CK_NEED_ARG_LIST 375 | ( 376 | CK_SESSION_HANDLE hSession, /* the session's handle */ 377 | CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ 378 | CK_OBJECT_HANDLE hKey /* handle of encryption key */ 379 | ); 380 | #endif 381 | 382 | 383 | /* C_Encrypt encrypts single-part data. */ 384 | CK_PKCS11_FUNCTION_INFO(C_Encrypt) 385 | #ifdef CK_NEED_ARG_LIST 386 | ( 387 | CK_SESSION_HANDLE hSession, /* session's handle */ 388 | CK_BYTE_PTR pData, /* the plaintext data */ 389 | CK_ULONG ulDataLen, /* bytes of plaintext */ 390 | CK_BYTE_PTR pEncryptedData, /* gets ciphertext */ 391 | CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */ 392 | ); 393 | #endif 394 | 395 | 396 | /* C_EncryptUpdate continues a multiple-part encryption 397 | * operation. */ 398 | CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate) 399 | #ifdef CK_NEED_ARG_LIST 400 | ( 401 | CK_SESSION_HANDLE hSession, /* session's handle */ 402 | CK_BYTE_PTR pPart, /* the plaintext data */ 403 | CK_ULONG ulPartLen, /* plaintext data len */ 404 | CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ 405 | CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */ 406 | ); 407 | #endif 408 | 409 | 410 | /* C_EncryptFinal finishes a multiple-part encryption 411 | * operation. */ 412 | CK_PKCS11_FUNCTION_INFO(C_EncryptFinal) 413 | #ifdef CK_NEED_ARG_LIST 414 | ( 415 | CK_SESSION_HANDLE hSession, /* session handle */ 416 | CK_BYTE_PTR pLastEncryptedPart, /* last c-text */ 417 | CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */ 418 | ); 419 | #endif 420 | 421 | 422 | /* C_DecryptInit initializes a decryption operation. */ 423 | CK_PKCS11_FUNCTION_INFO(C_DecryptInit) 424 | #ifdef CK_NEED_ARG_LIST 425 | ( 426 | CK_SESSION_HANDLE hSession, /* the session's handle */ 427 | CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ 428 | CK_OBJECT_HANDLE hKey /* handle of decryption key */ 429 | ); 430 | #endif 431 | 432 | 433 | /* C_Decrypt decrypts encrypted data in a single part. */ 434 | CK_PKCS11_FUNCTION_INFO(C_Decrypt) 435 | #ifdef CK_NEED_ARG_LIST 436 | ( 437 | CK_SESSION_HANDLE hSession, /* session's handle */ 438 | CK_BYTE_PTR pEncryptedData, /* ciphertext */ 439 | CK_ULONG ulEncryptedDataLen, /* ciphertext length */ 440 | CK_BYTE_PTR pData, /* gets plaintext */ 441 | CK_ULONG_PTR pulDataLen /* gets p-text size */ 442 | ); 443 | #endif 444 | 445 | 446 | /* C_DecryptUpdate continues a multiple-part decryption 447 | * operation. */ 448 | CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate) 449 | #ifdef CK_NEED_ARG_LIST 450 | ( 451 | CK_SESSION_HANDLE hSession, /* session's handle */ 452 | CK_BYTE_PTR pEncryptedPart, /* encrypted data */ 453 | CK_ULONG ulEncryptedPartLen, /* input length */ 454 | CK_BYTE_PTR pPart, /* gets plaintext */ 455 | CK_ULONG_PTR pulPartLen /* p-text size */ 456 | ); 457 | #endif 458 | 459 | 460 | /* C_DecryptFinal finishes a multiple-part decryption 461 | * operation. */ 462 | CK_PKCS11_FUNCTION_INFO(C_DecryptFinal) 463 | #ifdef CK_NEED_ARG_LIST 464 | ( 465 | CK_SESSION_HANDLE hSession, /* the session's handle */ 466 | CK_BYTE_PTR pLastPart, /* gets plaintext */ 467 | CK_ULONG_PTR pulLastPartLen /* p-text size */ 468 | ); 469 | #endif 470 | 471 | 472 | 473 | /* Message digesting */ 474 | 475 | /* C_DigestInit initializes a message-digesting operation. */ 476 | CK_PKCS11_FUNCTION_INFO(C_DigestInit) 477 | #ifdef CK_NEED_ARG_LIST 478 | ( 479 | CK_SESSION_HANDLE hSession, /* the session's handle */ 480 | CK_MECHANISM_PTR pMechanism /* the digesting mechanism */ 481 | ); 482 | #endif 483 | 484 | 485 | /* C_Digest digests data in a single part. */ 486 | CK_PKCS11_FUNCTION_INFO(C_Digest) 487 | #ifdef CK_NEED_ARG_LIST 488 | ( 489 | CK_SESSION_HANDLE hSession, /* the session's handle */ 490 | CK_BYTE_PTR pData, /* data to be digested */ 491 | CK_ULONG ulDataLen, /* bytes of data to digest */ 492 | CK_BYTE_PTR pDigest, /* gets the message digest */ 493 | CK_ULONG_PTR pulDigestLen /* gets digest length */ 494 | ); 495 | #endif 496 | 497 | 498 | /* C_DigestUpdate continues a multiple-part message-digesting 499 | * operation. */ 500 | CK_PKCS11_FUNCTION_INFO(C_DigestUpdate) 501 | #ifdef CK_NEED_ARG_LIST 502 | ( 503 | CK_SESSION_HANDLE hSession, /* the session's handle */ 504 | CK_BYTE_PTR pPart, /* data to be digested */ 505 | CK_ULONG ulPartLen /* bytes of data to be digested */ 506 | ); 507 | #endif 508 | 509 | 510 | /* C_DigestKey continues a multi-part message-digesting 511 | * operation, by digesting the value of a secret key as part of 512 | * the data already digested. */ 513 | CK_PKCS11_FUNCTION_INFO(C_DigestKey) 514 | #ifdef CK_NEED_ARG_LIST 515 | ( 516 | CK_SESSION_HANDLE hSession, /* the session's handle */ 517 | CK_OBJECT_HANDLE hKey /* secret key to digest */ 518 | ); 519 | #endif 520 | 521 | 522 | /* C_DigestFinal finishes a multiple-part message-digesting 523 | * operation. */ 524 | CK_PKCS11_FUNCTION_INFO(C_DigestFinal) 525 | #ifdef CK_NEED_ARG_LIST 526 | ( 527 | CK_SESSION_HANDLE hSession, /* the session's handle */ 528 | CK_BYTE_PTR pDigest, /* gets the message digest */ 529 | CK_ULONG_PTR pulDigestLen /* gets byte count of digest */ 530 | ); 531 | #endif 532 | 533 | 534 | 535 | /* Signing and MACing */ 536 | 537 | /* C_SignInit initializes a signature (private key encryption) 538 | * operation, where the signature is (will be) an appendix to 539 | * the data, and plaintext cannot be recovered from the 540 | *signature. */ 541 | CK_PKCS11_FUNCTION_INFO(C_SignInit) 542 | #ifdef CK_NEED_ARG_LIST 543 | ( 544 | CK_SESSION_HANDLE hSession, /* the session's handle */ 545 | CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ 546 | CK_OBJECT_HANDLE hKey /* handle of signature key */ 547 | ); 548 | #endif 549 | 550 | 551 | /* C_Sign signs (encrypts with private key) data in a single 552 | * part, where the signature is (will be) an appendix to the 553 | * data, and plaintext cannot be recovered from the signature. */ 554 | CK_PKCS11_FUNCTION_INFO(C_Sign) 555 | #ifdef CK_NEED_ARG_LIST 556 | ( 557 | CK_SESSION_HANDLE hSession, /* the session's handle */ 558 | CK_BYTE_PTR pData, /* the data to sign */ 559 | CK_ULONG ulDataLen, /* count of bytes to sign */ 560 | CK_BYTE_PTR pSignature, /* gets the signature */ 561 | CK_ULONG_PTR pulSignatureLen /* gets signature length */ 562 | ); 563 | #endif 564 | 565 | 566 | /* C_SignUpdate continues a multiple-part signature operation, 567 | * where the signature is (will be) an appendix to the data, 568 | * and plaintext cannot be recovered from the signature. */ 569 | CK_PKCS11_FUNCTION_INFO(C_SignUpdate) 570 | #ifdef CK_NEED_ARG_LIST 571 | ( 572 | CK_SESSION_HANDLE hSession, /* the session's handle */ 573 | CK_BYTE_PTR pPart, /* the data to sign */ 574 | CK_ULONG ulPartLen /* count of bytes to sign */ 575 | ); 576 | #endif 577 | 578 | 579 | /* C_SignFinal finishes a multiple-part signature operation, 580 | * returning the signature. */ 581 | CK_PKCS11_FUNCTION_INFO(C_SignFinal) 582 | #ifdef CK_NEED_ARG_LIST 583 | ( 584 | CK_SESSION_HANDLE hSession, /* the session's handle */ 585 | CK_BYTE_PTR pSignature, /* gets the signature */ 586 | CK_ULONG_PTR pulSignatureLen /* gets signature length */ 587 | ); 588 | #endif 589 | 590 | 591 | /* C_SignRecoverInit initializes a signature operation, where 592 | * the data can be recovered from the signature. */ 593 | CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit) 594 | #ifdef CK_NEED_ARG_LIST 595 | ( 596 | CK_SESSION_HANDLE hSession, /* the session's handle */ 597 | CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ 598 | CK_OBJECT_HANDLE hKey /* handle of the signature key */ 599 | ); 600 | #endif 601 | 602 | 603 | /* C_SignRecover signs data in a single operation, where the 604 | * data can be recovered from the signature. */ 605 | CK_PKCS11_FUNCTION_INFO(C_SignRecover) 606 | #ifdef CK_NEED_ARG_LIST 607 | ( 608 | CK_SESSION_HANDLE hSession, /* the session's handle */ 609 | CK_BYTE_PTR pData, /* the data to sign */ 610 | CK_ULONG ulDataLen, /* count of bytes to sign */ 611 | CK_BYTE_PTR pSignature, /* gets the signature */ 612 | CK_ULONG_PTR pulSignatureLen /* gets signature length */ 613 | ); 614 | #endif 615 | 616 | 617 | 618 | /* Verifying signatures and MACs */ 619 | 620 | /* C_VerifyInit initializes a verification operation, where the 621 | * signature is an appendix to the data, and plaintext cannot 622 | * cannot be recovered from the signature (e.g. DSA). */ 623 | CK_PKCS11_FUNCTION_INFO(C_VerifyInit) 624 | #ifdef CK_NEED_ARG_LIST 625 | ( 626 | CK_SESSION_HANDLE hSession, /* the session's handle */ 627 | CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ 628 | CK_OBJECT_HANDLE hKey /* verification key */ 629 | ); 630 | #endif 631 | 632 | 633 | /* C_Verify verifies a signature in a single-part operation, 634 | * where the signature is an appendix to the data, and plaintext 635 | * cannot be recovered from the signature. */ 636 | CK_PKCS11_FUNCTION_INFO(C_Verify) 637 | #ifdef CK_NEED_ARG_LIST 638 | ( 639 | CK_SESSION_HANDLE hSession, /* the session's handle */ 640 | CK_BYTE_PTR pData, /* signed data */ 641 | CK_ULONG ulDataLen, /* length of signed data */ 642 | CK_BYTE_PTR pSignature, /* signature */ 643 | CK_ULONG ulSignatureLen /* signature length*/ 644 | ); 645 | #endif 646 | 647 | 648 | /* C_VerifyUpdate continues a multiple-part verification 649 | * operation, where the signature is an appendix to the data, 650 | * and plaintext cannot be recovered from the signature. */ 651 | CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate) 652 | #ifdef CK_NEED_ARG_LIST 653 | ( 654 | CK_SESSION_HANDLE hSession, /* the session's handle */ 655 | CK_BYTE_PTR pPart, /* signed data */ 656 | CK_ULONG ulPartLen /* length of signed data */ 657 | ); 658 | #endif 659 | 660 | 661 | /* C_VerifyFinal finishes a multiple-part verification 662 | * operation, checking the signature. */ 663 | CK_PKCS11_FUNCTION_INFO(C_VerifyFinal) 664 | #ifdef CK_NEED_ARG_LIST 665 | ( 666 | CK_SESSION_HANDLE hSession, /* the session's handle */ 667 | CK_BYTE_PTR pSignature, /* signature to verify */ 668 | CK_ULONG ulSignatureLen /* signature length */ 669 | ); 670 | #endif 671 | 672 | 673 | /* C_VerifyRecoverInit initializes a signature verification 674 | * operation, where the data is recovered from the signature. */ 675 | CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit) 676 | #ifdef CK_NEED_ARG_LIST 677 | ( 678 | CK_SESSION_HANDLE hSession, /* the session's handle */ 679 | CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ 680 | CK_OBJECT_HANDLE hKey /* verification key */ 681 | ); 682 | #endif 683 | 684 | 685 | /* C_VerifyRecover verifies a signature in a single-part 686 | * operation, where the data is recovered from the signature. */ 687 | CK_PKCS11_FUNCTION_INFO(C_VerifyRecover) 688 | #ifdef CK_NEED_ARG_LIST 689 | ( 690 | CK_SESSION_HANDLE hSession, /* the session's handle */ 691 | CK_BYTE_PTR pSignature, /* signature to verify */ 692 | CK_ULONG ulSignatureLen, /* signature length */ 693 | CK_BYTE_PTR pData, /* gets signed data */ 694 | CK_ULONG_PTR pulDataLen /* gets signed data len */ 695 | ); 696 | #endif 697 | 698 | 699 | 700 | /* Dual-function cryptographic operations */ 701 | 702 | /* C_DigestEncryptUpdate continues a multiple-part digesting 703 | * and encryption operation. */ 704 | CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate) 705 | #ifdef CK_NEED_ARG_LIST 706 | ( 707 | CK_SESSION_HANDLE hSession, /* session's handle */ 708 | CK_BYTE_PTR pPart, /* the plaintext data */ 709 | CK_ULONG ulPartLen, /* plaintext length */ 710 | CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ 711 | CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ 712 | ); 713 | #endif 714 | 715 | 716 | /* C_DecryptDigestUpdate continues a multiple-part decryption and 717 | * digesting operation. */ 718 | CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate) 719 | #ifdef CK_NEED_ARG_LIST 720 | ( 721 | CK_SESSION_HANDLE hSession, /* session's handle */ 722 | CK_BYTE_PTR pEncryptedPart, /* ciphertext */ 723 | CK_ULONG ulEncryptedPartLen, /* ciphertext length */ 724 | CK_BYTE_PTR pPart, /* gets plaintext */ 725 | CK_ULONG_PTR pulPartLen /* gets plaintext len */ 726 | ); 727 | #endif 728 | 729 | 730 | /* C_SignEncryptUpdate continues a multiple-part signing and 731 | * encryption operation. */ 732 | CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate) 733 | #ifdef CK_NEED_ARG_LIST 734 | ( 735 | CK_SESSION_HANDLE hSession, /* session's handle */ 736 | CK_BYTE_PTR pPart, /* the plaintext data */ 737 | CK_ULONG ulPartLen, /* plaintext length */ 738 | CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ 739 | CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ 740 | ); 741 | #endif 742 | 743 | 744 | /* C_DecryptVerifyUpdate continues a multiple-part decryption and 745 | * verify operation. */ 746 | CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate) 747 | #ifdef CK_NEED_ARG_LIST 748 | ( 749 | CK_SESSION_HANDLE hSession, /* session's handle */ 750 | CK_BYTE_PTR pEncryptedPart, /* ciphertext */ 751 | CK_ULONG ulEncryptedPartLen, /* ciphertext length */ 752 | CK_BYTE_PTR pPart, /* gets plaintext */ 753 | CK_ULONG_PTR pulPartLen /* gets p-text length */ 754 | ); 755 | #endif 756 | 757 | 758 | 759 | /* Key management */ 760 | 761 | /* C_GenerateKey generates a secret key, creating a new key 762 | * object. */ 763 | CK_PKCS11_FUNCTION_INFO(C_GenerateKey) 764 | #ifdef CK_NEED_ARG_LIST 765 | ( 766 | CK_SESSION_HANDLE hSession, /* the session's handle */ 767 | CK_MECHANISM_PTR pMechanism, /* key generation mech. */ 768 | CK_ATTRIBUTE_PTR pTemplate, /* template for new key */ 769 | CK_ULONG ulCount, /* # of attrs in template */ 770 | CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */ 771 | ); 772 | #endif 773 | 774 | 775 | /* C_GenerateKeyPair generates a public-key/private-key pair, 776 | * creating new key objects. */ 777 | CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair) 778 | #ifdef CK_NEED_ARG_LIST 779 | ( 780 | CK_SESSION_HANDLE hSession, /* session 781 | * handle */ 782 | CK_MECHANISM_PTR pMechanism, /* key-gen 783 | * mech. */ 784 | CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template 785 | * for pub. 786 | * key */ 787 | CK_ULONG ulPublicKeyAttributeCount, /* # pub. 788 | * attrs. */ 789 | CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template 790 | * for priv. 791 | * key */ 792 | CK_ULONG ulPrivateKeyAttributeCount, /* # priv. 793 | * attrs. */ 794 | CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. 795 | * key 796 | * handle */ 797 | CK_OBJECT_HANDLE_PTR phPrivateKey /* gets 798 | * priv. key 799 | * handle */ 800 | ); 801 | #endif 802 | 803 | 804 | /* C_WrapKey wraps (i.e., encrypts) a key. */ 805 | CK_PKCS11_FUNCTION_INFO(C_WrapKey) 806 | #ifdef CK_NEED_ARG_LIST 807 | ( 808 | CK_SESSION_HANDLE hSession, /* the session's handle */ 809 | CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */ 810 | CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */ 811 | CK_OBJECT_HANDLE hKey, /* key to be wrapped */ 812 | CK_BYTE_PTR pWrappedKey, /* gets wrapped key */ 813 | CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */ 814 | ); 815 | #endif 816 | 817 | 818 | /* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new 819 | * key object. */ 820 | CK_PKCS11_FUNCTION_INFO(C_UnwrapKey) 821 | #ifdef CK_NEED_ARG_LIST 822 | ( 823 | CK_SESSION_HANDLE hSession, /* session's handle */ 824 | CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */ 825 | CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */ 826 | CK_BYTE_PTR pWrappedKey, /* the wrapped key */ 827 | CK_ULONG ulWrappedKeyLen, /* wrapped key len */ 828 | CK_ATTRIBUTE_PTR pTemplate, /* new key template */ 829 | CK_ULONG ulAttributeCount, /* template length */ 830 | CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ 831 | ); 832 | #endif 833 | 834 | 835 | /* C_DeriveKey derives a key from a base key, creating a new key 836 | * object. */ 837 | CK_PKCS11_FUNCTION_INFO(C_DeriveKey) 838 | #ifdef CK_NEED_ARG_LIST 839 | ( 840 | CK_SESSION_HANDLE hSession, /* session's handle */ 841 | CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */ 842 | CK_OBJECT_HANDLE hBaseKey, /* base key */ 843 | CK_ATTRIBUTE_PTR pTemplate, /* new key template */ 844 | CK_ULONG ulAttributeCount, /* template length */ 845 | CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ 846 | ); 847 | #endif 848 | 849 | 850 | 851 | /* Random number generation */ 852 | 853 | /* C_SeedRandom mixes additional seed material into the token's 854 | * random number generator. */ 855 | CK_PKCS11_FUNCTION_INFO(C_SeedRandom) 856 | #ifdef CK_NEED_ARG_LIST 857 | ( 858 | CK_SESSION_HANDLE hSession, /* the session's handle */ 859 | CK_BYTE_PTR pSeed, /* the seed material */ 860 | CK_ULONG ulSeedLen /* length of seed material */ 861 | ); 862 | #endif 863 | 864 | 865 | /* C_GenerateRandom generates random data. */ 866 | CK_PKCS11_FUNCTION_INFO(C_GenerateRandom) 867 | #ifdef CK_NEED_ARG_LIST 868 | ( 869 | CK_SESSION_HANDLE hSession, /* the session's handle */ 870 | CK_BYTE_PTR RandomData, /* receives the random data */ 871 | CK_ULONG ulRandomLen /* # of bytes to generate */ 872 | ); 873 | #endif 874 | 875 | 876 | 877 | /* Parallel function management */ 878 | 879 | /* C_GetFunctionStatus is a legacy function; it obtains an 880 | * updated status of a function running in parallel with an 881 | * application. */ 882 | CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus) 883 | #ifdef CK_NEED_ARG_LIST 884 | ( 885 | CK_SESSION_HANDLE hSession /* the session's handle */ 886 | ); 887 | #endif 888 | 889 | 890 | /* C_CancelFunction is a legacy function; it cancels a function 891 | * running in parallel. */ 892 | CK_PKCS11_FUNCTION_INFO(C_CancelFunction) 893 | #ifdef CK_NEED_ARG_LIST 894 | ( 895 | CK_SESSION_HANDLE hSession /* the session's handle */ 896 | ); 897 | #endif 898 | 899 | 900 | 901 | /* Functions added in for Cryptoki Version 2.01 or later */ 902 | 903 | /* C_WaitForSlotEvent waits for a slot event (token insertion, 904 | * removal, etc.) to occur. */ 905 | CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent) 906 | #ifdef CK_NEED_ARG_LIST 907 | ( 908 | CK_FLAGS flags, /* blocking/nonblocking flag */ 909 | CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */ 910 | CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */ 911 | ); 912 | #endif 913 | -------------------------------------------------------------------------------- /pkcs11t.h: -------------------------------------------------------------------------------- 1 | /* pkcs11t.h include file for PKCS #11 V 2.30 - draft 1 */ 2 | 3 | /* License to copy and use this software is granted provided that it is 4 | * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface 5 | * (Cryptoki)" in all material mentioning or referencing this software. 6 | 7 | * License is also granted to make and use derivative works provided that 8 | * such works are identified as "derived from the RSA Security Inc. PKCS #11 9 | * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 10 | * referencing the derived work. 11 | 12 | * RSA Security Inc. makes no representations concerning either the 13 | * merchantability of this software or the suitability of this software for 14 | * any particular purpose. It is provided "as is" without express or implied 15 | * warranty of any kind. 16 | */ 17 | 18 | /* See top of pkcs11.h for information about the macros that 19 | * must be defined and the structure-packing conventions that 20 | * must be set before including this file. */ 21 | 22 | #ifndef _PKCS11T_H_ 23 | #define _PKCS11T_H_ 1 24 | 25 | #define CRYPTOKI_VERSION_MAJOR 2 26 | #define CRYPTOKI_VERSION_MINOR 30 27 | #define CRYPTOKI_VERSION_AMENDMENT 0 28 | 29 | #define CK_TRUE 1 30 | #define CK_FALSE 0 31 | 32 | #ifndef CK_DISABLE_TRUE_FALSE 33 | #ifndef FALSE 34 | #define FALSE CK_FALSE 35 | #endif 36 | 37 | #ifndef TRUE 38 | #define TRUE CK_TRUE 39 | #endif 40 | #endif 41 | 42 | /* an unsigned 8-bit value */ 43 | typedef unsigned char CK_BYTE; 44 | 45 | /* an unsigned 8-bit character */ 46 | typedef CK_BYTE CK_CHAR; 47 | 48 | /* an 8-bit UTF-8 character */ 49 | typedef CK_BYTE CK_UTF8CHAR; 50 | 51 | /* a BYTE-sized Boolean flag */ 52 | typedef CK_BYTE CK_BBOOL; 53 | 54 | /* an unsigned value, at least 32 bits long */ 55 | typedef unsigned long int CK_ULONG; 56 | 57 | /* a signed value, the same size as a CK_ULONG */ 58 | typedef long int CK_LONG; 59 | 60 | /* at least 32 bits; each bit is a Boolean flag */ 61 | typedef CK_ULONG CK_FLAGS; 62 | 63 | 64 | /* some special values for certain CK_ULONG variables */ 65 | #define CK_UNAVAILABLE_INFORMATION (~0UL) 66 | #define CK_EFFECTIVELY_INFINITE 0 67 | 68 | 69 | typedef CK_BYTE CK_PTR CK_BYTE_PTR; 70 | typedef CK_CHAR CK_PTR CK_CHAR_PTR; 71 | typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR; 72 | typedef CK_ULONG CK_PTR CK_ULONG_PTR; 73 | typedef void CK_PTR CK_VOID_PTR; 74 | 75 | /* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */ 76 | typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR; 77 | 78 | 79 | /* The following value is always invalid if used as a session */ 80 | /* handle or object handle */ 81 | #define CK_INVALID_HANDLE 0 82 | 83 | 84 | typedef struct CK_VERSION { 85 | CK_BYTE major; /* integer portion of version number */ 86 | CK_BYTE minor; /* 1/100ths portion of version number */ 87 | } CK_VERSION; 88 | 89 | typedef CK_VERSION CK_PTR CK_VERSION_PTR; 90 | 91 | 92 | typedef struct CK_INFO { 93 | /* manufacturerID and libraryDecription have been changed from 94 | * CK_CHAR to CK_UTF8CHAR for v2.10 */ 95 | CK_VERSION cryptokiVersion; /* Cryptoki interface ver */ 96 | CK_UTF8CHAR manufacturerID[32]; /* blank padded */ 97 | CK_FLAGS flags; /* must be zero */ 98 | 99 | CK_UTF8CHAR libraryDescription[32]; /* blank padded */ 100 | CK_VERSION libraryVersion; /* version of library */ 101 | } CK_INFO; 102 | 103 | typedef CK_INFO CK_PTR CK_INFO_PTR; 104 | 105 | 106 | /* CK_NOTIFICATION enumerates the types of notifications that 107 | * Cryptoki provides to an application */ 108 | typedef CK_ULONG CK_NOTIFICATION; 109 | #define CKN_SURRENDER 0 110 | #define CKN_OTP_CHANGED 1 111 | 112 | 113 | typedef CK_ULONG CK_SLOT_ID; 114 | 115 | typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR; 116 | 117 | 118 | /* CK_SLOT_INFO provides information about a slot */ 119 | typedef struct CK_SLOT_INFO { 120 | /* slotDescription and manufacturerID have been changed from 121 | * CK_CHAR to CK_UTF8CHAR for v2.10 */ 122 | CK_UTF8CHAR slotDescription[64]; /* blank padded */ 123 | CK_UTF8CHAR manufacturerID[32]; /* blank padded */ 124 | CK_FLAGS flags; 125 | 126 | CK_VERSION hardwareVersion; /* version of hardware */ 127 | CK_VERSION firmwareVersion; /* version of firmware */ 128 | } CK_SLOT_INFO; 129 | 130 | /* flags: bit flags that provide capabilities of the slot 131 | * Bit Flag Mask Meaning 132 | */ 133 | #define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */ 134 | #define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/ 135 | #define CKF_HW_SLOT 0x00000004 /* hardware slot */ 136 | 137 | typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR; 138 | 139 | 140 | /* CK_TOKEN_INFO provides information about a token */ 141 | typedef struct CK_TOKEN_INFO { 142 | /* label, manufacturerID, and model have been changed from 143 | * CK_CHAR to CK_UTF8CHAR for v2.10 */ 144 | CK_UTF8CHAR label[32]; /* blank padded */ 145 | CK_UTF8CHAR manufacturerID[32]; /* blank padded */ 146 | CK_UTF8CHAR model[16]; /* blank padded */ 147 | CK_CHAR serialNumber[16]; /* blank padded */ 148 | CK_FLAGS flags; /* see below */ 149 | 150 | CK_ULONG ulMaxSessionCount; /* max open sessions */ 151 | CK_ULONG ulSessionCount; /* sess. now open */ 152 | CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */ 153 | CK_ULONG ulRwSessionCount; /* R/W sess. now open */ 154 | CK_ULONG ulMaxPinLen; /* in bytes */ 155 | CK_ULONG ulMinPinLen; /* in bytes */ 156 | CK_ULONG ulTotalPublicMemory; /* in bytes */ 157 | CK_ULONG ulFreePublicMemory; /* in bytes */ 158 | CK_ULONG ulTotalPrivateMemory; /* in bytes */ 159 | CK_ULONG ulFreePrivateMemory; /* in bytes */ 160 | CK_VERSION hardwareVersion; /* version of hardware */ 161 | CK_VERSION firmwareVersion; /* version of firmware */ 162 | CK_CHAR utcTime[16]; /* time */ 163 | } CK_TOKEN_INFO; 164 | 165 | /* The flags parameter is defined as follows: 166 | * Bit Flag Mask Meaning 167 | */ 168 | #define CKF_RNG 0x00000001 /* has random # 169 | * generator */ 170 | #define CKF_WRITE_PROTECTED 0x00000002 /* token is 171 | * write- 172 | * protected */ 173 | #define CKF_LOGIN_REQUIRED 0x00000004 /* user must 174 | * login */ 175 | #define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's 176 | * PIN is set */ 177 | 178 | /* CKF_RESTORE_KEY_NOT_NEEDED. If it is set, 179 | * that means that *every* time the state of cryptographic 180 | * operations of a session is successfully saved, all keys 181 | * needed to continue those operations are stored in the state */ 182 | #define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020 183 | 184 | /* CKF_CLOCK_ON_TOKEN. If it is set, that means 185 | * that the token has some sort of clock. The time on that 186 | * clock is returned in the token info structure */ 187 | #define CKF_CLOCK_ON_TOKEN 0x00000040 188 | 189 | /* CKF_PROTECTED_AUTHENTICATION_PATH. If it is 190 | * set, that means that there is some way for the user to login 191 | * without sending a PIN through the Cryptoki library itself */ 192 | #define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100 193 | 194 | /* CKF_DUAL_CRYPTO_OPERATIONS. If it is true, 195 | * that means that a single session with the token can perform 196 | * dual simultaneous cryptographic operations (digest and 197 | * encrypt; decrypt and digest; sign and encrypt; and decrypt 198 | * and sign) */ 199 | #define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200 200 | 201 | /* CKF_TOKEN_INITIALIZED. If it is true, the 202 | * token has been initialized using C_InitializeToken or an 203 | * equivalent mechanism outside the scope of PKCS #11. 204 | * Calling C_InitializeToken when this flag is set will cause 205 | * the token to be reinitialized. */ 206 | #define CKF_TOKEN_INITIALIZED 0x00000400 207 | 208 | /* CKF_SECONDARY_AUTHENTICATION. If it is 209 | * true, the token supports secondary authentication for 210 | * private key objects. This flag is deprecated in v2.11 and 211 | onwards. */ 212 | #define CKF_SECONDARY_AUTHENTICATION 0x00000800 213 | 214 | /* CKF_USER_PIN_COUNT_LOW. If it is true, an 215 | * incorrect user login PIN has been entered at least once 216 | * since the last successful authentication. */ 217 | #define CKF_USER_PIN_COUNT_LOW 0x00010000 218 | 219 | /* CKF_USER_PIN_FINAL_TRY. If it is true, 220 | * supplying an incorrect user PIN will it to become locked. */ 221 | #define CKF_USER_PIN_FINAL_TRY 0x00020000 222 | 223 | /* CKF_USER_PIN_LOCKED. If it is true, the 224 | * user PIN has been locked. User login to the token is not 225 | * possible. */ 226 | #define CKF_USER_PIN_LOCKED 0x00040000 227 | 228 | /* CKF_USER_PIN_TO_BE_CHANGED. If it is true, 229 | * the user PIN value is the default value set by token 230 | * initialization or manufacturing, or the PIN has been 231 | * expired by the card. */ 232 | #define CKF_USER_PIN_TO_BE_CHANGED 0x00080000 233 | 234 | /* CKF_SO_PIN_COUNT_LOW. If it is true, an 235 | * incorrect SO login PIN has been entered at least once since 236 | * the last successful authentication. */ 237 | #define CKF_SO_PIN_COUNT_LOW 0x00100000 238 | 239 | /* CKF_SO_PIN_FINAL_TRY. If it is true, 240 | * supplying an incorrect SO PIN will it to become locked. */ 241 | #define CKF_SO_PIN_FINAL_TRY 0x00200000 242 | 243 | /* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO 244 | * PIN has been locked. SO login to the token is not possible. 245 | */ 246 | #define CKF_SO_PIN_LOCKED 0x00400000 247 | 248 | /* CKF_SO_PIN_TO_BE_CHANGED. If it is true, 249 | * the SO PIN value is the default value set by token 250 | * initialization or manufacturing, or the PIN has been 251 | * expired by the card. */ 252 | #define CKF_SO_PIN_TO_BE_CHANGED 0x00800000 253 | 254 | #define CKF_ERROR_STATE 0x01000000 255 | 256 | typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR; 257 | 258 | 259 | /* CK_SESSION_HANDLE is a Cryptoki-assigned value that 260 | * identifies a session */ 261 | typedef CK_ULONG CK_SESSION_HANDLE; 262 | 263 | typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; 264 | 265 | 266 | /* CK_USER_TYPE enumerates the types of Cryptoki users */ 267 | typedef CK_ULONG CK_USER_TYPE; 268 | /* Security Officer */ 269 | #define CKU_SO 0 270 | /* Normal user */ 271 | #define CKU_USER 1 272 | /* Context specific */ 273 | #define CKU_CONTEXT_SPECIFIC 2 274 | 275 | /* CK_STATE enumerates the session states */ 276 | typedef CK_ULONG CK_STATE; 277 | #define CKS_RO_PUBLIC_SESSION 0 278 | #define CKS_RO_USER_FUNCTIONS 1 279 | #define CKS_RW_PUBLIC_SESSION 2 280 | #define CKS_RW_USER_FUNCTIONS 3 281 | #define CKS_RW_SO_FUNCTIONS 4 282 | 283 | 284 | /* CK_SESSION_INFO provides information about a session */ 285 | typedef struct CK_SESSION_INFO { 286 | CK_SLOT_ID slotID; 287 | CK_STATE state; 288 | CK_FLAGS flags; /* see below */ 289 | CK_ULONG ulDeviceError; /* device-dependent error code */ 290 | } CK_SESSION_INFO; 291 | 292 | /* The flags are defined in the following table: 293 | * Bit Flag Mask Meaning 294 | */ 295 | #define CKF_RW_SESSION 0x00000002 /* session is r/w */ 296 | #define CKF_SERIAL_SESSION 0x00000004 /* no parallel */ 297 | 298 | typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR; 299 | 300 | 301 | /* CK_OBJECT_HANDLE is a token-specific identifier for an 302 | * object */ 303 | typedef CK_ULONG CK_OBJECT_HANDLE; 304 | 305 | typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR; 306 | 307 | 308 | /* CK_OBJECT_CLASS is a value that identifies the classes (or 309 | * types) of objects that Cryptoki recognizes. It is defined 310 | * as follows: */ 311 | typedef CK_ULONG CK_OBJECT_CLASS; 312 | 313 | /* The following classes of objects are defined: */ 314 | #define CKO_DATA 0x00000000 315 | #define CKO_CERTIFICATE 0x00000001 316 | #define CKO_PUBLIC_KEY 0x00000002 317 | #define CKO_PRIVATE_KEY 0x00000003 318 | #define CKO_SECRET_KEY 0x00000004 319 | #define CKO_HW_FEATURE 0x00000005 320 | #define CKO_DOMAIN_PARAMETERS 0x00000006 321 | #define CKO_MECHANISM 0x00000007 322 | #define CKO_OTP_KEY 0x00000008 323 | 324 | #define CKO_VENDOR_DEFINED 0x80000000 325 | 326 | typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; 327 | 328 | /* CK_HW_FEATURE_TYPE is a 329 | * value that identifies the hardware feature type of an object 330 | * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */ 331 | typedef CK_ULONG CK_HW_FEATURE_TYPE; 332 | 333 | /* The following hardware feature types are defined */ 334 | #define CKH_MONOTONIC_COUNTER 0x00000001 335 | #define CKH_CLOCK 0x00000002 336 | #define CKH_USER_INTERFACE 0x00000003 337 | #define CKH_VENDOR_DEFINED 0x80000000 338 | 339 | /* CK_KEY_TYPE is a value that identifies a key type */ 340 | typedef CK_ULONG CK_KEY_TYPE; 341 | 342 | /* the following key types are defined: */ 343 | #define CKK_RSA 0x00000000 344 | #define CKK_DSA 0x00000001 345 | #define CKK_DH 0x00000002 346 | /* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */ 347 | #define CKK_ECDSA 0x00000003 348 | #define CKK_EC 0x00000003 349 | #define CKK_X9_42_DH 0x00000004 350 | #define CKK_KEA 0x00000005 351 | #define CKK_GENERIC_SECRET 0x00000010 352 | #define CKK_RC2 0x00000011 353 | #define CKK_RC4 0x00000012 354 | #define CKK_DES 0x00000013 355 | #define CKK_DES2 0x00000014 356 | #define CKK_DES3 0x00000015 357 | #define CKK_CAST 0x00000016 358 | #define CKK_CAST3 0x00000017 359 | /* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */ 360 | #define CKK_CAST5 0x00000018 361 | #define CKK_CAST128 0x00000018 362 | #define CKK_RC5 0x00000019 363 | #define CKK_IDEA 0x0000001A 364 | #define CKK_SKIPJACK 0x0000001B 365 | #define CKK_BATON 0x0000001C 366 | #define CKK_JUNIPER 0x0000001D 367 | #define CKK_CDMF 0x0000001E 368 | #define CKK_AES 0x0000001F 369 | #define CKK_BLOWFISH 0x00000020 370 | #define CKK_TWOFISH 0x00000021 371 | #define CKK_SECURID 0x00000022 372 | #define CKK_HOTP 0x00000023 373 | #define CKK_ACTI 0x00000024 374 | #define CKK_CAMELLIA 0x00000025 375 | #define CKK_ARIA 0x00000026 376 | #define CKK_MD5_HMAC 0x00000027 377 | #define CKK_SHA_1_HMAC 0x00000028 378 | #define CKK_RIPEMD128_HMAC 0x00000029 379 | #define CKK_RIPEMD160_HMAC 0x0000002A 380 | #define CKK_SHA256_HMAC 0x0000002B 381 | #define CKK_SHA384_HMAC 0x0000002C 382 | #define CKK_SHA512_HMAC 0x0000002D 383 | #define CKK_SHA224_HMAC 0x0000002E 384 | #define CKK_SEED 0x0000002F 385 | #define CKK_GOSTR3410 0x00000030 386 | #define CKK_GOSTR3411 0x00000031 387 | #define CKK_GOST28147 0x00000032 388 | 389 | #define CKK_VENDOR_DEFINED 0x80000000 390 | 391 | 392 | /* CK_CERTIFICATE_TYPE is a value that identifies a certificate 393 | * type */ 394 | typedef CK_ULONG CK_CERTIFICATE_TYPE; 395 | 396 | /* The following certificate types are defined: */ 397 | #define CKC_X_509 0x00000000 398 | #define CKC_X_509_ATTR_CERT 0x00000001 399 | #define CKC_WTLS 0x00000002 400 | #define CKC_VENDOR_DEFINED 0x80000000 401 | 402 | 403 | /* CK_ATTRIBUTE_TYPE is a value that identifies an attribute 404 | * type */ 405 | typedef CK_ULONG CK_ATTRIBUTE_TYPE; 406 | 407 | /* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which 408 | consists of an array of values. */ 409 | #define CKF_ARRAY_ATTRIBUTE 0x40000000 410 | 411 | /* The following OTP-related defines relate to the CKA_OTP_FORMAT attribute */ 412 | #define CK_OTP_FORMAT_DECIMAL 0 413 | #define CK_OTP_FORMAT_HEXADECIMAL 1 414 | #define CK_OTP_FORMAT_ALPHANUMERIC 2 415 | #define CK_OTP_FORMAT_BINARY 3 416 | 417 | /* The following OTP-related defines relate to the CKA_OTP_..._REQUIREMENT attributes */ 418 | #define CK_OTP_PARAM_IGNORED 0 419 | #define CK_OTP_PARAM_OPTIONAL 1 420 | #define CK_OTP_PARAM_MANDATORY 2 421 | 422 | /* The following attribute types are defined: */ 423 | #define CKA_CLASS 0x00000000 424 | #define CKA_TOKEN 0x00000001 425 | #define CKA_PRIVATE 0x00000002 426 | #define CKA_LABEL 0x00000003 427 | #define CKA_APPLICATION 0x00000010 428 | #define CKA_VALUE 0x00000011 429 | #define CKA_OBJECT_ID 0x00000012 430 | #define CKA_CERTIFICATE_TYPE 0x00000080 431 | #define CKA_ISSUER 0x00000081 432 | #define CKA_SERIAL_NUMBER 0x00000082 433 | #define CKA_AC_ISSUER 0x00000083 434 | #define CKA_OWNER 0x00000084 435 | #define CKA_ATTR_TYPES 0x00000085 436 | #define CKA_TRUSTED 0x00000086 437 | #define CKA_CERTIFICATE_CATEGORY 0x00000087 438 | #define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088 439 | #define CKA_URL 0x00000089 440 | #define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A 441 | #define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B 442 | #define CKA_CHECK_VALUE 0x00000090 443 | 444 | #define CKA_KEY_TYPE 0x00000100 445 | #define CKA_SUBJECT 0x00000101 446 | #define CKA_ID 0x00000102 447 | #define CKA_SENSITIVE 0x00000103 448 | #define CKA_ENCRYPT 0x00000104 449 | #define CKA_DECRYPT 0x00000105 450 | #define CKA_WRAP 0x00000106 451 | #define CKA_UNWRAP 0x00000107 452 | #define CKA_SIGN 0x00000108 453 | #define CKA_SIGN_RECOVER 0x00000109 454 | #define CKA_VERIFY 0x0000010A 455 | #define CKA_VERIFY_RECOVER 0x0000010B 456 | #define CKA_DERIVE 0x0000010C 457 | #define CKA_START_DATE 0x00000110 458 | #define CKA_END_DATE 0x00000111 459 | #define CKA_MODULUS 0x00000120 460 | #define CKA_MODULUS_BITS 0x00000121 461 | #define CKA_PUBLIC_EXPONENT 0x00000122 462 | #define CKA_PRIVATE_EXPONENT 0x00000123 463 | #define CKA_PRIME_1 0x00000124 464 | #define CKA_PRIME_2 0x00000125 465 | #define CKA_EXPONENT_1 0x00000126 466 | #define CKA_EXPONENT_2 0x00000127 467 | #define CKA_COEFFICIENT 0x00000128 468 | #define CKA_PRIME 0x00000130 469 | #define CKA_SUBPRIME 0x00000131 470 | #define CKA_BASE 0x00000132 471 | 472 | #define CKA_PRIME_BITS 0x00000133 473 | #define CKA_SUBPRIME_BITS 0x00000134 474 | /* (To retain backwards-compatibility) */ 475 | #define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS 476 | 477 | #define CKA_VALUE_BITS 0x00000160 478 | #define CKA_VALUE_LEN 0x00000161 479 | #define CKA_EXTRACTABLE 0x00000162 480 | #define CKA_LOCAL 0x00000163 481 | #define CKA_NEVER_EXTRACTABLE 0x00000164 482 | #define CKA_ALWAYS_SENSITIVE 0x00000165 483 | #define CKA_KEY_GEN_MECHANISM 0x00000166 484 | 485 | #define CKA_MODIFIABLE 0x00000170 486 | 487 | /* CKA_ECDSA_PARAMS is deprecated in v2.11, 488 | * CKA_EC_PARAMS is preferred. */ 489 | #define CKA_ECDSA_PARAMS 0x00000180 490 | #define CKA_EC_PARAMS 0x00000180 491 | 492 | #define CKA_EC_POINT 0x00000181 493 | 494 | /* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, 495 | * are new for v2.10. Deprecated in v2.11 and onwards. */ 496 | #define CKA_SECONDARY_AUTH 0x00000200 497 | #define CKA_AUTH_PIN_FLAGS 0x00000201 498 | 499 | #define CKA_ALWAYS_AUTHENTICATE 0x00000202 500 | 501 | #define CKA_WRAP_WITH_TRUSTED 0x00000210 502 | #define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211) 503 | #define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212) 504 | #define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000213) 505 | 506 | #define CKA_OTP_FORMAT 0x00000220 507 | #define CKA_OTP_LENGTH 0x00000221 508 | #define CKA_OTP_TIME_INTERVAL 0x00000222 509 | #define CKA_OTP_USER_FRIENDLY_MODE 0x00000223 510 | #define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224 511 | #define CKA_OTP_TIME_REQUIREMENT 0x00000225 512 | #define CKA_OTP_COUNTER_REQUIREMENT 0x00000226 513 | #define CKA_OTP_PIN_REQUIREMENT 0x00000227 514 | #define CKA_OTP_COUNTER 0x0000022E 515 | #define CKA_OTP_TIME 0x0000022F 516 | #define CKA_OTP_USER_IDENTIFIER 0x0000022A 517 | #define CKA_OTP_SERVICE_IDENTIFIER 0x0000022B 518 | #define CKA_OTP_SERVICE_LOGO 0x0000022C 519 | #define CKA_OTP_SERVICE_LOGO_TYPE 0x0000022D 520 | 521 | #define CKA_GOSTR3410_PARAMS 0x00000250 522 | #define CKA_GOSTR3411_PARAMS 0x00000251 523 | #define CKA_GOST28147_PARAMS 0x00000252 524 | 525 | #define CKA_HW_FEATURE_TYPE 0x00000300 526 | #define CKA_RESET_ON_INIT 0x00000301 527 | #define CKA_HAS_RESET 0x00000302 528 | 529 | #define CKA_PIXEL_X 0x00000400 530 | #define CKA_PIXEL_Y 0x00000401 531 | #define CKA_RESOLUTION 0x00000402 532 | #define CKA_CHAR_ROWS 0x00000403 533 | #define CKA_CHAR_COLUMNS 0x00000404 534 | #define CKA_COLOR 0x00000405 535 | #define CKA_BITS_PER_PIXEL 0x00000406 536 | #define CKA_CHAR_SETS 0x00000480 537 | #define CKA_ENCODING_METHODS 0x00000481 538 | #define CKA_MIME_TYPES 0x00000482 539 | #define CKA_MECHANISM_TYPE 0x00000500 540 | #define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501 541 | #define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502 542 | #define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503 543 | #define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600) 544 | 545 | #define CKA_VENDOR_DEFINED 0x80000000 546 | 547 | /* CK_ATTRIBUTE is a structure that includes the type, length 548 | * and value of an attribute */ 549 | typedef struct CK_ATTRIBUTE { 550 | CK_ATTRIBUTE_TYPE type; 551 | CK_VOID_PTR pValue; 552 | CK_ULONG ulValueLen; /* in bytes */ 553 | } CK_ATTRIBUTE; 554 | 555 | typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR; 556 | 557 | 558 | /* CK_DATE is a structure that defines a date */ 559 | typedef struct CK_DATE{ 560 | CK_CHAR year[4]; /* the year ("1900" - "9999") */ 561 | CK_CHAR month[2]; /* the month ("01" - "12") */ 562 | CK_CHAR day[2]; /* the day ("01" - "31") */ 563 | } CK_DATE; 564 | 565 | 566 | /* CK_MECHANISM_TYPE is a value that identifies a mechanism 567 | * type */ 568 | typedef CK_ULONG CK_MECHANISM_TYPE; 569 | 570 | /* the following mechanism types are defined: */ 571 | #define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000 572 | #define CKM_RSA_PKCS 0x00000001 573 | #define CKM_RSA_9796 0x00000002 574 | #define CKM_RSA_X_509 0x00000003 575 | 576 | #define CKM_MD2_RSA_PKCS 0x00000004 577 | #define CKM_MD5_RSA_PKCS 0x00000005 578 | #define CKM_SHA1_RSA_PKCS 0x00000006 579 | 580 | #define CKM_RIPEMD128_RSA_PKCS 0x00000007 581 | #define CKM_RIPEMD160_RSA_PKCS 0x00000008 582 | #define CKM_RSA_PKCS_OAEP 0x00000009 583 | 584 | #define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A 585 | #define CKM_RSA_X9_31 0x0000000B 586 | #define CKM_SHA1_RSA_X9_31 0x0000000C 587 | #define CKM_RSA_PKCS_PSS 0x0000000D 588 | #define CKM_SHA1_RSA_PKCS_PSS 0x0000000E 589 | 590 | #define CKM_DSA_KEY_PAIR_GEN 0x00000010 591 | #define CKM_DSA 0x00000011 592 | #define CKM_DSA_SHA1 0x00000012 593 | #define CKM_DSA_SHA224 0x00000013 594 | #define CKM_DSA_SHA256 0x00000014 595 | #define CKM_DSA_SHA384 0x00000015 596 | #define CKM_DSA_SHA512 0x00000016 597 | #define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020 598 | #define CKM_DH_PKCS_DERIVE 0x00000021 599 | 600 | #define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030 601 | #define CKM_X9_42_DH_DERIVE 0x00000031 602 | #define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032 603 | #define CKM_X9_42_MQV_DERIVE 0x00000033 604 | 605 | #define CKM_SHA256_RSA_PKCS 0x00000040 606 | #define CKM_SHA384_RSA_PKCS 0x00000041 607 | #define CKM_SHA512_RSA_PKCS 0x00000042 608 | #define CKM_SHA256_RSA_PKCS_PSS 0x00000043 609 | #define CKM_SHA384_RSA_PKCS_PSS 0x00000044 610 | #define CKM_SHA512_RSA_PKCS_PSS 0x00000045 611 | 612 | #define CKM_SHA224_RSA_PKCS 0x00000046 613 | #define CKM_SHA224_RSA_PKCS_PSS 0x00000047 614 | 615 | #define CKM_RC2_KEY_GEN 0x00000100 616 | #define CKM_RC2_ECB 0x00000101 617 | #define CKM_RC2_CBC 0x00000102 618 | #define CKM_RC2_MAC 0x00000103 619 | 620 | #define CKM_RC2_MAC_GENERAL 0x00000104 621 | #define CKM_RC2_CBC_PAD 0x00000105 622 | 623 | #define CKM_RC4_KEY_GEN 0x00000110 624 | #define CKM_RC4 0x00000111 625 | #define CKM_DES_KEY_GEN 0x00000120 626 | #define CKM_DES_ECB 0x00000121 627 | #define CKM_DES_CBC 0x00000122 628 | #define CKM_DES_MAC 0x00000123 629 | 630 | #define CKM_DES_MAC_GENERAL 0x00000124 631 | #define CKM_DES_CBC_PAD 0x00000125 632 | 633 | #define CKM_DES2_KEY_GEN 0x00000130 634 | #define CKM_DES3_KEY_GEN 0x00000131 635 | #define CKM_DES3_ECB 0x00000132 636 | #define CKM_DES3_CBC 0x00000133 637 | #define CKM_DES3_MAC 0x00000134 638 | 639 | #define CKM_DES3_MAC_GENERAL 0x00000135 640 | #define CKM_DES3_CBC_PAD 0x00000136 641 | #define CKM_DES3_CMAC_GENERAL 0x00000137 642 | #define CKM_DES3_CMAC 0x00000138 643 | #define CKM_CDMF_KEY_GEN 0x00000140 644 | #define CKM_CDMF_ECB 0x00000141 645 | #define CKM_CDMF_CBC 0x00000142 646 | #define CKM_CDMF_MAC 0x00000143 647 | #define CKM_CDMF_MAC_GENERAL 0x00000144 648 | #define CKM_CDMF_CBC_PAD 0x00000145 649 | 650 | #define CKM_DES_OFB64 0x00000150 651 | #define CKM_DES_OFB8 0x00000151 652 | #define CKM_DES_CFB64 0x00000152 653 | #define CKM_DES_CFB8 0x00000153 654 | 655 | #define CKM_MD2 0x00000200 656 | 657 | #define CKM_MD2_HMAC 0x00000201 658 | #define CKM_MD2_HMAC_GENERAL 0x00000202 659 | 660 | #define CKM_MD5 0x00000210 661 | 662 | #define CKM_MD5_HMAC 0x00000211 663 | #define CKM_MD5_HMAC_GENERAL 0x00000212 664 | 665 | #define CKM_SHA_1 0x00000220 666 | 667 | #define CKM_SHA_1_HMAC 0x00000221 668 | #define CKM_SHA_1_HMAC_GENERAL 0x00000222 669 | 670 | #define CKM_RIPEMD128 0x00000230 671 | #define CKM_RIPEMD128_HMAC 0x00000231 672 | #define CKM_RIPEMD128_HMAC_GENERAL 0x00000232 673 | #define CKM_RIPEMD160 0x00000240 674 | #define CKM_RIPEMD160_HMAC 0x00000241 675 | #define CKM_RIPEMD160_HMAC_GENERAL 0x00000242 676 | 677 | #define CKM_SHA256 0x00000250 678 | #define CKM_SHA256_HMAC 0x00000251 679 | #define CKM_SHA256_HMAC_GENERAL 0x00000252 680 | 681 | #define CKM_SHA224 0x00000255 682 | #define CKM_SHA224_HMAC 0x00000256 683 | #define CKM_SHA224_HMAC_GENERAL 0x00000257 684 | #define CKM_SHA384 0x00000260 685 | #define CKM_SHA384_HMAC 0x00000261 686 | #define CKM_SHA384_HMAC_GENERAL 0x00000262 687 | #define CKM_SHA512 0x00000270 688 | #define CKM_SHA512_HMAC 0x00000271 689 | #define CKM_SHA512_HMAC_GENERAL 0x00000272 690 | #define CKM_SECURID_KEY_GEN 0x00000280 691 | #define CKM_SECURID 0x00000282 692 | #define CKM_HOTP_KEY_GEN 0x00000290 693 | #define CKM_HOTP 0x00000291 694 | #define CKM_ACTI 0x000002A0 695 | #define CKM_ACTI_KEY_GEN 0x000002A1 696 | 697 | #define CKM_CAST_KEY_GEN 0x00000300 698 | #define CKM_CAST_ECB 0x00000301 699 | #define CKM_CAST_CBC 0x00000302 700 | #define CKM_CAST_MAC 0x00000303 701 | #define CKM_CAST_MAC_GENERAL 0x00000304 702 | #define CKM_CAST_CBC_PAD 0x00000305 703 | #define CKM_CAST3_KEY_GEN 0x00000310 704 | #define CKM_CAST3_ECB 0x00000311 705 | #define CKM_CAST3_CBC 0x00000312 706 | #define CKM_CAST3_MAC 0x00000313 707 | #define CKM_CAST3_MAC_GENERAL 0x00000314 708 | #define CKM_CAST3_CBC_PAD 0x00000315 709 | /* Note that CAST128 and CAST5 are the same algorithm */ 710 | #define CKM_CAST5_KEY_GEN 0x00000320 711 | #define CKM_CAST128_KEY_GEN 0x00000320 712 | #define CKM_CAST5_ECB 0x00000321 713 | #define CKM_CAST128_ECB 0x00000321 714 | #define CKM_CAST5_CBC 0x00000322 715 | #define CKM_CAST128_CBC 0x00000322 716 | #define CKM_CAST5_MAC 0x00000323 717 | #define CKM_CAST128_MAC 0x00000323 718 | #define CKM_CAST5_MAC_GENERAL 0x00000324 719 | #define CKM_CAST128_MAC_GENERAL 0x00000324 720 | #define CKM_CAST5_CBC_PAD 0x00000325 721 | #define CKM_CAST128_CBC_PAD 0x00000325 722 | #define CKM_RC5_KEY_GEN 0x00000330 723 | #define CKM_RC5_ECB 0x00000331 724 | #define CKM_RC5_CBC 0x00000332 725 | #define CKM_RC5_MAC 0x00000333 726 | #define CKM_RC5_MAC_GENERAL 0x00000334 727 | #define CKM_RC5_CBC_PAD 0x00000335 728 | #define CKM_IDEA_KEY_GEN 0x00000340 729 | #define CKM_IDEA_ECB 0x00000341 730 | #define CKM_IDEA_CBC 0x00000342 731 | #define CKM_IDEA_MAC 0x00000343 732 | #define CKM_IDEA_MAC_GENERAL 0x00000344 733 | #define CKM_IDEA_CBC_PAD 0x00000345 734 | #define CKM_GENERIC_SECRET_KEY_GEN 0x00000350 735 | #define CKM_CONCATENATE_BASE_AND_KEY 0x00000360 736 | #define CKM_CONCATENATE_BASE_AND_DATA 0x00000362 737 | #define CKM_CONCATENATE_DATA_AND_BASE 0x00000363 738 | #define CKM_XOR_BASE_AND_DATA 0x00000364 739 | #define CKM_EXTRACT_KEY_FROM_KEY 0x00000365 740 | #define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370 741 | #define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371 742 | #define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372 743 | 744 | #define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373 745 | #define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374 746 | #define CKM_TLS_MASTER_KEY_DERIVE 0x00000375 747 | #define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376 748 | #define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377 749 | 750 | #define CKM_TLS_PRF 0x00000378 751 | 752 | #define CKM_SSL3_MD5_MAC 0x00000380 753 | #define CKM_SSL3_SHA1_MAC 0x00000381 754 | #define CKM_MD5_KEY_DERIVATION 0x00000390 755 | #define CKM_MD2_KEY_DERIVATION 0x00000391 756 | #define CKM_SHA1_KEY_DERIVATION 0x00000392 757 | 758 | #define CKM_SHA256_KEY_DERIVATION 0x00000393 759 | #define CKM_SHA384_KEY_DERIVATION 0x00000394 760 | #define CKM_SHA512_KEY_DERIVATION 0x00000395 761 | 762 | #define CKM_SHA224_KEY_DERIVATION 0x00000396 763 | 764 | #define CKM_PBE_MD2_DES_CBC 0x000003A0 765 | #define CKM_PBE_MD5_DES_CBC 0x000003A1 766 | #define CKM_PBE_MD5_CAST_CBC 0x000003A2 767 | #define CKM_PBE_MD5_CAST3_CBC 0x000003A3 768 | #define CKM_PBE_MD5_CAST5_CBC 0x000003A4 769 | #define CKM_PBE_MD5_CAST128_CBC 0x000003A4 770 | #define CKM_PBE_SHA1_CAST5_CBC 0x000003A5 771 | #define CKM_PBE_SHA1_CAST128_CBC 0x000003A5 772 | #define CKM_PBE_SHA1_RC4_128 0x000003A6 773 | #define CKM_PBE_SHA1_RC4_40 0x000003A7 774 | #define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8 775 | #define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9 776 | #define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA 777 | #define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB 778 | 779 | #define CKM_PKCS5_PBKD2 0x000003B0 780 | 781 | #define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0 782 | 783 | #define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0 784 | #define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1 785 | #define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2 786 | #define CKM_WTLS_PRF 0x000003D3 787 | #define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4 788 | #define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5 789 | 790 | #define CKM_KEY_WRAP_LYNKS 0x00000400 791 | #define CKM_KEY_WRAP_SET_OAEP 0x00000401 792 | 793 | #define CKM_CMS_SIG 0x00000500 794 | 795 | #define CKM_KIP_DERIVE 0x00000510 796 | #define CKM_KIP_WRAP 0x00000511 797 | #define CKM_KIP_MAC 0x00000512 798 | 799 | #define CKM_CAMELLIA_KEY_GEN 0x00000550 800 | #define CKM_CAMELLIA_ECB 0x00000551 801 | #define CKM_CAMELLIA_CBC 0x00000552 802 | #define CKM_CAMELLIA_MAC 0x00000553 803 | #define CKM_CAMELLIA_MAC_GENERAL 0x00000554 804 | #define CKM_CAMELLIA_CBC_PAD 0x00000555 805 | #define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556 806 | #define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557 807 | #define CKM_CAMELLIA_CTR 0x00000558 808 | 809 | #define CKM_ARIA_KEY_GEN 0x00000560 810 | #define CKM_ARIA_ECB 0x00000561 811 | #define CKM_ARIA_CBC 0x00000562 812 | #define CKM_ARIA_MAC 0x00000563 813 | #define CKM_ARIA_MAC_GENERAL 0x00000564 814 | #define CKM_ARIA_CBC_PAD 0x00000565 815 | #define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566 816 | #define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567 817 | 818 | #define CKM_SEED_KEY_GEN 0x00000650 819 | #define CKM_SEED_ECB 0x00000651 820 | #define CKM_SEED_CBC 0x00000652 821 | #define CKM_SEED_MAC 0x00000653 822 | #define CKM_SEED_MAC_GENERAL 0x00000654 823 | #define CKM_SEED_CBC_PAD 0x00000655 824 | #define CKM_SEED_ECB_ENCRYPT_DATA 0x00000656 825 | #define CKM_SEED_CBC_ENCRYPT_DATA 0x00000657 826 | 827 | #define CKM_SKIPJACK_KEY_GEN 0x00001000 828 | #define CKM_SKIPJACK_ECB64 0x00001001 829 | #define CKM_SKIPJACK_CBC64 0x00001002 830 | #define CKM_SKIPJACK_OFB64 0x00001003 831 | #define CKM_SKIPJACK_CFB64 0x00001004 832 | #define CKM_SKIPJACK_CFB32 0x00001005 833 | #define CKM_SKIPJACK_CFB16 0x00001006 834 | #define CKM_SKIPJACK_CFB8 0x00001007 835 | #define CKM_SKIPJACK_WRAP 0x00001008 836 | #define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009 837 | #define CKM_SKIPJACK_RELAYX 0x0000100a 838 | #define CKM_KEA_KEY_PAIR_GEN 0x00001010 839 | #define CKM_KEA_KEY_DERIVE 0x00001011 840 | #define CKM_FORTEZZA_TIMESTAMP 0x00001020 841 | #define CKM_BATON_KEY_GEN 0x00001030 842 | #define CKM_BATON_ECB128 0x00001031 843 | #define CKM_BATON_ECB96 0x00001032 844 | #define CKM_BATON_CBC128 0x00001033 845 | #define CKM_BATON_COUNTER 0x00001034 846 | #define CKM_BATON_SHUFFLE 0x00001035 847 | #define CKM_BATON_WRAP 0x00001036 848 | 849 | /* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11, 850 | * CKM_EC_KEY_PAIR_GEN is preferred */ 851 | #define CKM_ECDSA_KEY_PAIR_GEN 0x00001040 852 | #define CKM_EC_KEY_PAIR_GEN 0x00001040 853 | 854 | #define CKM_ECDSA 0x00001041 855 | #define CKM_ECDSA_SHA1 0x00001042 856 | #define CKM_ECDSA_SHA224 0x00001043 857 | #define CKM_ECDSA_SHA256 0x00001044 858 | #define CKM_ECDSA_SHA384 0x00001045 859 | #define CKM_ECDSA_SHA512 0x00001046 860 | 861 | #define CKM_ECDH1_DERIVE 0x00001050 862 | #define CKM_ECDH1_COFACTOR_DERIVE 0x00001051 863 | #define CKM_ECMQV_DERIVE 0x00001052 864 | 865 | #define CKM_JUNIPER_KEY_GEN 0x00001060 866 | #define CKM_JUNIPER_ECB128 0x00001061 867 | #define CKM_JUNIPER_CBC128 0x00001062 868 | #define CKM_JUNIPER_COUNTER 0x00001063 869 | #define CKM_JUNIPER_SHUFFLE 0x00001064 870 | #define CKM_JUNIPER_WRAP 0x00001065 871 | #define CKM_FASTHASH 0x00001070 872 | 873 | #define CKM_AES_KEY_GEN 0x00001080 874 | #define CKM_AES_ECB 0x00001081 875 | #define CKM_AES_CBC 0x00001082 876 | #define CKM_AES_MAC 0x00001083 877 | #define CKM_AES_MAC_GENERAL 0x00001084 878 | #define CKM_AES_CBC_PAD 0x00001085 879 | #define CKM_AES_CTR 0x00001086 880 | #define CKM_AES_CTS 0x00001089 881 | #define CKM_AES_CMAC 0x0000108A 882 | #define CKM_AES_CMAC_GENERAL 0x0000108B 883 | 884 | #define CKM_BLOWFISH_KEY_GEN 0x00001090 885 | #define CKM_BLOWFISH_CBC 0x00001091 886 | #define CKM_TWOFISH_KEY_GEN 0x00001092 887 | #define CKM_TWOFISH_CBC 0x00001093 888 | 889 | #define CKM_AES_GCM 0x00001087 890 | #define CKM_AES_CCM 0x00001088 891 | #define CKM_AES_KEY_WRAP 0x00001090 892 | #define CKM_AES_KEY_WRAP_PAD 0x00001091 893 | 894 | #define CKM_BLOWFISH_CBC_PAD 0x00001094 895 | #define CKM_TWOFISH_CBC_PAD 0x00001095 896 | 897 | #define CKM_DES_ECB_ENCRYPT_DATA 0x00001100 898 | #define CKM_DES_CBC_ENCRYPT_DATA 0x00001101 899 | #define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102 900 | #define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103 901 | #define CKM_AES_ECB_ENCRYPT_DATA 0x00001104 902 | #define CKM_AES_CBC_ENCRYPT_DATA 0x00001105 903 | 904 | #define CKM_GOSTR3410_KEY_PAIR_GEN 0x00001200 905 | #define CKM_GOSTR3410 0x00001201 906 | #define CKM_GOSTR3410_WITH_GOSTR3411 0x00001202 907 | #define CKM_GOSTR3410_KEY_WRAP 0x00001203 908 | #define CKM_GOSTR3410_DERIVE 0x00001204 909 | #define CKM_GOSTR3411 0x00001210 910 | #define CKM_GOSTR3411_HMAC 0x00001211 911 | #define CKM_GOST28147_KEY_GEN 0x00001220 912 | #define CKM_GOST28147_ECB 0x00001221 913 | #define CKM_GOST28147 0x00001222 914 | #define CKM_GOST28147_MAC 0x00001223 915 | #define CKM_GOST28147_KEY_WRAP 0x00001224 916 | 917 | #define CKM_DSA_PARAMETER_GEN 0x00002000 918 | #define CKM_DH_PKCS_PARAMETER_GEN 0x00002001 919 | #define CKM_X9_42_DH_PARAMETER_GEN 0x00002002 920 | 921 | #define CKM_AES_OFB 0x00002104 922 | #define CKM_AES_CFB64 0x00002105 923 | #define CKM_AES_CFB8 0x00002106 924 | #define CKM_AES_CFB128 0x00002107 925 | 926 | #define CKM_RSA_PKCS_TPM_1_1 0x00004001 927 | #define CKM_RSA_PKCS_OAEP_TPM_1_1 0x00004002 928 | 929 | #define CKM_VENDOR_DEFINED 0x80000000 930 | 931 | typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR; 932 | 933 | 934 | /* CK_MECHANISM is a structure that specifies a particular 935 | * mechanism */ 936 | typedef struct CK_MECHANISM { 937 | CK_MECHANISM_TYPE mechanism; 938 | CK_VOID_PTR pParameter; 939 | CK_ULONG ulParameterLen; /* in bytes */ 940 | } CK_MECHANISM; 941 | 942 | typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR; 943 | 944 | 945 | /* CK_MECHANISM_INFO provides information about a particular 946 | * mechanism */ 947 | typedef struct CK_MECHANISM_INFO { 948 | CK_ULONG ulMinKeySize; 949 | CK_ULONG ulMaxKeySize; 950 | CK_FLAGS flags; 951 | } CK_MECHANISM_INFO; 952 | 953 | /* The flags are defined as follows: 954 | * Bit Flag Mask Meaning */ 955 | #define CKF_HW 0x00000001 /* performed by HW */ 956 | 957 | /* Specify whether or not a mechanism can be used for a particular task */ 958 | #define CKF_ENCRYPT 0x00000100 959 | #define CKF_DECRYPT 0x00000200 960 | #define CKF_DIGEST 0x00000400 961 | #define CKF_SIGN 0x00000800 962 | #define CKF_SIGN_RECOVER 0x00001000 963 | #define CKF_VERIFY 0x00002000 964 | #define CKF_VERIFY_RECOVER 0x00004000 965 | #define CKF_GENERATE 0x00008000 966 | #define CKF_GENERATE_KEY_PAIR 0x00010000 967 | #define CKF_WRAP 0x00020000 968 | #define CKF_UNWRAP 0x00040000 969 | #define CKF_DERIVE 0x00080000 970 | 971 | /* Describe a token's EC capabilities not available in mechanism 972 | * information. */ 973 | #define CKF_EC_F_P 0x00100000 974 | #define CKF_EC_F_2M 0x00200000 975 | #define CKF_EC_ECPARAMETERS 0x00400000 976 | #define CKF_EC_NAMEDCURVE 0x00800000 977 | #define CKF_EC_UNCOMPRESS 0x01000000 978 | #define CKF_EC_COMPRESS 0x02000000 979 | 980 | #define CKF_EXTENSION 0x80000000 /* FALSE for this version */ 981 | 982 | typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR; 983 | 984 | 985 | /* CK_RV is a value that identifies the return value of a 986 | * Cryptoki function */ 987 | typedef CK_ULONG CK_RV; 988 | 989 | #define CKR_OK 0x00000000 990 | #define CKR_CANCEL 0x00000001 991 | #define CKR_HOST_MEMORY 0x00000002 992 | #define CKR_SLOT_ID_INVALID 0x00000003 993 | 994 | /* CKR_FLAGS_INVALID was removed for v2.0 */ 995 | 996 | #define CKR_GENERAL_ERROR 0x00000005 997 | #define CKR_FUNCTION_FAILED 0x00000006 998 | 999 | #define CKR_ARGUMENTS_BAD 0x00000007 1000 | #define CKR_NO_EVENT 0x00000008 1001 | #define CKR_NEED_TO_CREATE_THREADS 0x00000009 1002 | #define CKR_CANT_LOCK 0x0000000A 1003 | 1004 | #define CKR_ATTRIBUTE_READ_ONLY 0x00000010 1005 | #define CKR_ATTRIBUTE_SENSITIVE 0x00000011 1006 | #define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012 1007 | #define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013 1008 | #define CKR_DATA_INVALID 0x00000020 1009 | #define CKR_DATA_LEN_RANGE 0x00000021 1010 | #define CKR_DEVICE_ERROR 0x00000030 1011 | #define CKR_DEVICE_MEMORY 0x00000031 1012 | #define CKR_DEVICE_REMOVED 0x00000032 1013 | #define CKR_ENCRYPTED_DATA_INVALID 0x00000040 1014 | #define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041 1015 | #define CKR_FUNCTION_CANCELED 0x00000050 1016 | #define CKR_FUNCTION_NOT_PARALLEL 0x00000051 1017 | 1018 | #define CKR_FUNCTION_NOT_SUPPORTED 0x00000054 1019 | 1020 | #define CKR_KEY_HANDLE_INVALID 0x00000060 1021 | 1022 | /* CKR_KEY_SENSITIVE was removed for v2.0 */ 1023 | 1024 | #define CKR_KEY_SIZE_RANGE 0x00000062 1025 | #define CKR_KEY_TYPE_INCONSISTENT 0x00000063 1026 | 1027 | #define CKR_KEY_NOT_NEEDED 0x00000064 1028 | #define CKR_KEY_CHANGED 0x00000065 1029 | #define CKR_KEY_NEEDED 0x00000066 1030 | #define CKR_KEY_INDIGESTIBLE 0x00000067 1031 | #define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068 1032 | #define CKR_KEY_NOT_WRAPPABLE 0x00000069 1033 | #define CKR_KEY_UNEXTRACTABLE 0x0000006A 1034 | 1035 | #define CKR_MECHANISM_INVALID 0x00000070 1036 | #define CKR_MECHANISM_PARAM_INVALID 0x00000071 1037 | 1038 | /* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID 1039 | * were removed for v2.0 */ 1040 | #define CKR_OBJECT_HANDLE_INVALID 0x00000082 1041 | #define CKR_OPERATION_ACTIVE 0x00000090 1042 | #define CKR_OPERATION_NOT_INITIALIZED 0x00000091 1043 | #define CKR_PIN_INCORRECT 0x000000A0 1044 | #define CKR_PIN_INVALID 0x000000A1 1045 | #define CKR_PIN_LEN_RANGE 0x000000A2 1046 | 1047 | #define CKR_PIN_EXPIRED 0x000000A3 1048 | #define CKR_PIN_LOCKED 0x000000A4 1049 | 1050 | #define CKR_SESSION_CLOSED 0x000000B0 1051 | #define CKR_SESSION_COUNT 0x000000B1 1052 | #define CKR_SESSION_HANDLE_INVALID 0x000000B3 1053 | #define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4 1054 | #define CKR_SESSION_READ_ONLY 0x000000B5 1055 | #define CKR_SESSION_EXISTS 0x000000B6 1056 | 1057 | #define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7 1058 | #define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8 1059 | 1060 | #define CKR_SIGNATURE_INVALID 0x000000C0 1061 | #define CKR_SIGNATURE_LEN_RANGE 0x000000C1 1062 | #define CKR_TEMPLATE_INCOMPLETE 0x000000D0 1063 | #define CKR_TEMPLATE_INCONSISTENT 0x000000D1 1064 | #define CKR_TOKEN_NOT_PRESENT 0x000000E0 1065 | #define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1 1066 | #define CKR_TOKEN_WRITE_PROTECTED 0x000000E2 1067 | #define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0 1068 | #define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1 1069 | #define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2 1070 | #define CKR_USER_ALREADY_LOGGED_IN 0x00000100 1071 | #define CKR_USER_NOT_LOGGED_IN 0x00000101 1072 | #define CKR_USER_PIN_NOT_INITIALIZED 0x00000102 1073 | #define CKR_USER_TYPE_INVALID 0x00000103 1074 | 1075 | #define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104 1076 | #define CKR_USER_TOO_MANY_TYPES 0x00000105 1077 | 1078 | #define CKR_WRAPPED_KEY_INVALID 0x00000110 1079 | #define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112 1080 | #define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113 1081 | #define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114 1082 | #define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115 1083 | #define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120 1084 | 1085 | #define CKR_RANDOM_NO_RNG 0x00000121 1086 | 1087 | #define CKR_DOMAIN_PARAMS_INVALID 0x00000130 1088 | 1089 | #define CKR_BUFFER_TOO_SMALL 0x00000150 1090 | #define CKR_SAVED_STATE_INVALID 0x00000160 1091 | #define CKR_INFORMATION_SENSITIVE 0x00000170 1092 | #define CKR_STATE_UNSAVEABLE 0x00000180 1093 | 1094 | #define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190 1095 | #define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191 1096 | #define CKR_MUTEX_BAD 0x000001A0 1097 | #define CKR_MUTEX_NOT_LOCKED 0x000001A1 1098 | 1099 | #define CKR_NEW_PIN_MODE 0x000001B0 1100 | #define CKR_NEXT_OTP 0x000001B1 1101 | #define CKR_EXCEEDED_MAX_ITERATIONS 0x000001B5 1102 | #define CKR_FIPS_SELF_TEST_FAILED 0x000001B6 1103 | #define CKR_LIBRARY_LOAD_FAILED 0x000001B7 1104 | #define CKR_PIN_TOO_WEAK 0x000001B8 1105 | #define CKR_PUBLIC_KEY_INVALID 0x000001B9 1106 | 1107 | #define CKR_FUNCTION_REJECTED 0x00000200 1108 | 1109 | #define CKR_VENDOR_DEFINED 0x80000000 1110 | 1111 | 1112 | /* CK_NOTIFY is an application callback that processes events */ 1113 | typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)( 1114 | CK_SESSION_HANDLE hSession, /* the session's handle */ 1115 | CK_NOTIFICATION event, 1116 | CK_VOID_PTR pApplication /* passed to C_OpenSession */ 1117 | ); 1118 | 1119 | 1120 | /* CK_FUNCTION_LIST is a structure holding a Cryptoki spec 1121 | * version and pointers of appropriate types to all the 1122 | * Cryptoki functions */ 1123 | typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST; 1124 | 1125 | typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR; 1126 | 1127 | typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR; 1128 | 1129 | 1130 | /* CK_CREATEMUTEX is an application callback for creating a 1131 | * mutex object */ 1132 | typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)( 1133 | CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */ 1134 | ); 1135 | 1136 | 1137 | /* CK_DESTROYMUTEX is an application callback for destroying a 1138 | * mutex object */ 1139 | typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)( 1140 | CK_VOID_PTR pMutex /* pointer to mutex */ 1141 | ); 1142 | 1143 | 1144 | /* CK_LOCKMUTEX is an application callback for locking a mutex */ 1145 | typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)( 1146 | CK_VOID_PTR pMutex /* pointer to mutex */ 1147 | ); 1148 | 1149 | 1150 | /* CK_UNLOCKMUTEX is an application callback for unlocking a 1151 | * mutex */ 1152 | typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)( 1153 | CK_VOID_PTR pMutex /* pointer to mutex */ 1154 | ); 1155 | 1156 | 1157 | /* CK_C_INITIALIZE_ARGS provides the optional arguments to 1158 | * C_Initialize */ 1159 | typedef struct CK_C_INITIALIZE_ARGS { 1160 | CK_CREATEMUTEX CreateMutex; 1161 | CK_DESTROYMUTEX DestroyMutex; 1162 | CK_LOCKMUTEX LockMutex; 1163 | CK_UNLOCKMUTEX UnlockMutex; 1164 | CK_FLAGS flags; 1165 | CK_VOID_PTR pReserved; 1166 | } CK_C_INITIALIZE_ARGS; 1167 | 1168 | /* flags: bit flags that provide capabilities of the slot 1169 | * Bit Flag Mask Meaning 1170 | */ 1171 | #define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001 1172 | #define CKF_OS_LOCKING_OK 0x00000002 1173 | 1174 | typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR; 1175 | 1176 | 1177 | /* additional flags for parameters to functions */ 1178 | 1179 | /* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ 1180 | #define CKF_DONT_BLOCK 1 1181 | 1182 | /* 1183 | * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message 1184 | * Generation Function (MGF) applied to a message block when 1185 | * formatting a message block for the PKCS #1 OAEP encryption 1186 | * scheme. */ 1187 | typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE; 1188 | 1189 | typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR; 1190 | 1191 | /* The following MGFs are defined */ 1192 | #define CKG_MGF1_SHA1 0x00000001 1193 | #define CKG_MGF1_SHA256 0x00000002 1194 | #define CKG_MGF1_SHA384 0x00000003 1195 | #define CKG_MGF1_SHA512 0x00000004 1196 | #define CKG_MGF1_SHA224 0x00000005 1197 | 1198 | /* 1199 | * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source 1200 | * of the encoding parameter when formatting a message block 1201 | * for the PKCS #1 OAEP encryption scheme. */ 1202 | typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE; 1203 | 1204 | typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR; 1205 | 1206 | /* The following encoding parameter sources are defined */ 1207 | #define CKZ_DATA_SPECIFIED 0x00000001 1208 | 1209 | /* 1210 | * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the 1211 | * CKM_RSA_PKCS_OAEP mechanism. */ 1212 | typedef struct CK_RSA_PKCS_OAEP_PARAMS { 1213 | CK_MECHANISM_TYPE hashAlg; 1214 | CK_RSA_PKCS_MGF_TYPE mgf; 1215 | CK_RSA_PKCS_OAEP_SOURCE_TYPE source; 1216 | CK_VOID_PTR pSourceData; 1217 | CK_ULONG ulSourceDataLen; 1218 | } CK_RSA_PKCS_OAEP_PARAMS; 1219 | 1220 | typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR; 1221 | 1222 | /* 1223 | * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the 1224 | * CKM_RSA_PKCS_PSS mechanism(s). */ 1225 | typedef struct CK_RSA_PKCS_PSS_PARAMS { 1226 | CK_MECHANISM_TYPE hashAlg; 1227 | CK_RSA_PKCS_MGF_TYPE mgf; 1228 | CK_ULONG sLen; 1229 | } CK_RSA_PKCS_PSS_PARAMS; 1230 | 1231 | typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR; 1232 | 1233 | typedef CK_ULONG CK_EC_KDF_TYPE; 1234 | 1235 | /* The following EC Key Derivation Functions are defined */ 1236 | #define CKD_NULL 0x00000001 1237 | #define CKD_SHA1_KDF 0x00000002 1238 | /* The following X9.42 DH key derivation functions are defined */ 1239 | #define CKD_SHA1_KDF_ASN1 0x00000003 1240 | #define CKD_SHA1_KDF_CONCATENATE 0x00000004 1241 | #define CKD_SHA224_KDF 0x00000005 1242 | #define CKD_SHA256_KDF 0x00000006 1243 | #define CKD_SHA384_KDF 0x00000007 1244 | #define CKD_SHA512_KDF 0x00000008 1245 | #define CKD_CPDIVERSIFY_KDF 0x00000009 1246 | 1247 | 1248 | /* 1249 | * CK_ECDH1_DERIVE_PARAMS provides the parameters to the 1250 | * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms, 1251 | * where each party contributes one key pair. 1252 | */ 1253 | typedef struct CK_ECDH1_DERIVE_PARAMS { 1254 | CK_EC_KDF_TYPE kdf; 1255 | CK_ULONG ulSharedDataLen; 1256 | CK_BYTE_PTR pSharedData; 1257 | CK_ULONG ulPublicDataLen; 1258 | CK_BYTE_PTR pPublicData; 1259 | } CK_ECDH1_DERIVE_PARAMS; 1260 | 1261 | typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR; 1262 | 1263 | 1264 | /* 1265 | * CK_ECDH2_DERIVE_PARAMS provides the parameters to the 1266 | * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */ 1267 | typedef struct CK_ECDH2_DERIVE_PARAMS { 1268 | CK_EC_KDF_TYPE kdf; 1269 | CK_ULONG ulSharedDataLen; 1270 | CK_BYTE_PTR pSharedData; 1271 | CK_ULONG ulPublicDataLen; 1272 | CK_BYTE_PTR pPublicData; 1273 | CK_ULONG ulPrivateDataLen; 1274 | CK_OBJECT_HANDLE hPrivateData; 1275 | CK_ULONG ulPublicDataLen2; 1276 | CK_BYTE_PTR pPublicData2; 1277 | } CK_ECDH2_DERIVE_PARAMS; 1278 | 1279 | typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR; 1280 | 1281 | typedef struct CK_ECMQV_DERIVE_PARAMS { 1282 | CK_EC_KDF_TYPE kdf; 1283 | CK_ULONG ulSharedDataLen; 1284 | CK_BYTE_PTR pSharedData; 1285 | CK_ULONG ulPublicDataLen; 1286 | CK_BYTE_PTR pPublicData; 1287 | CK_ULONG ulPrivateDataLen; 1288 | CK_OBJECT_HANDLE hPrivateData; 1289 | CK_ULONG ulPublicDataLen2; 1290 | CK_BYTE_PTR pPublicData2; 1291 | CK_OBJECT_HANDLE publicKey; 1292 | } CK_ECMQV_DERIVE_PARAMS; 1293 | 1294 | typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR; 1295 | 1296 | /* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the 1297 | * CKM_X9_42_DH_PARAMETER_GEN mechanisms */ 1298 | typedef CK_ULONG CK_X9_42_DH_KDF_TYPE; 1299 | typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR; 1300 | 1301 | /* 1302 | * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the 1303 | * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party 1304 | * contributes one key pair */ 1305 | typedef struct CK_X9_42_DH1_DERIVE_PARAMS { 1306 | CK_X9_42_DH_KDF_TYPE kdf; 1307 | CK_ULONG ulOtherInfoLen; 1308 | CK_BYTE_PTR pOtherInfo; 1309 | CK_ULONG ulPublicDataLen; 1310 | CK_BYTE_PTR pPublicData; 1311 | } CK_X9_42_DH1_DERIVE_PARAMS; 1312 | 1313 | typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR; 1314 | 1315 | /* 1316 | * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the 1317 | * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation 1318 | * mechanisms, where each party contributes two key pairs */ 1319 | typedef struct CK_X9_42_DH2_DERIVE_PARAMS { 1320 | CK_X9_42_DH_KDF_TYPE kdf; 1321 | CK_ULONG ulOtherInfoLen; 1322 | CK_BYTE_PTR pOtherInfo; 1323 | CK_ULONG ulPublicDataLen; 1324 | CK_BYTE_PTR pPublicData; 1325 | CK_ULONG ulPrivateDataLen; 1326 | CK_OBJECT_HANDLE hPrivateData; 1327 | CK_ULONG ulPublicDataLen2; 1328 | CK_BYTE_PTR pPublicData2; 1329 | } CK_X9_42_DH2_DERIVE_PARAMS; 1330 | 1331 | typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR; 1332 | 1333 | typedef struct CK_X9_42_MQV_DERIVE_PARAMS { 1334 | CK_X9_42_DH_KDF_TYPE kdf; 1335 | CK_ULONG ulOtherInfoLen; 1336 | CK_BYTE_PTR pOtherInfo; 1337 | CK_ULONG ulPublicDataLen; 1338 | CK_BYTE_PTR pPublicData; 1339 | CK_ULONG ulPrivateDataLen; 1340 | CK_OBJECT_HANDLE hPrivateData; 1341 | CK_ULONG ulPublicDataLen2; 1342 | CK_BYTE_PTR pPublicData2; 1343 | CK_OBJECT_HANDLE publicKey; 1344 | } CK_X9_42_MQV_DERIVE_PARAMS; 1345 | 1346 | typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR; 1347 | 1348 | /* CK_KEA_DERIVE_PARAMS provides the parameters to the 1349 | * CKM_KEA_DERIVE mechanism */ 1350 | typedef struct CK_KEA_DERIVE_PARAMS { 1351 | CK_BBOOL isSender; 1352 | CK_ULONG ulRandomLen; 1353 | CK_BYTE_PTR pRandomA; 1354 | CK_BYTE_PTR pRandomB; 1355 | CK_ULONG ulPublicDataLen; 1356 | CK_BYTE_PTR pPublicData; 1357 | } CK_KEA_DERIVE_PARAMS; 1358 | 1359 | typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR; 1360 | 1361 | 1362 | /* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and 1363 | * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just 1364 | * holds the effective keysize */ 1365 | typedef CK_ULONG CK_RC2_PARAMS; 1366 | 1367 | typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR; 1368 | 1369 | 1370 | /* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC 1371 | * mechanism */ 1372 | typedef struct CK_RC2_CBC_PARAMS { 1373 | CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ 1374 | 1375 | CK_BYTE iv[8]; /* IV for CBC mode */ 1376 | } CK_RC2_CBC_PARAMS; 1377 | 1378 | typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR; 1379 | 1380 | 1381 | /* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the 1382 | * CKM_RC2_MAC_GENERAL mechanism */ 1383 | typedef struct CK_RC2_MAC_GENERAL_PARAMS { 1384 | CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ 1385 | CK_ULONG ulMacLength; /* Length of MAC in bytes */ 1386 | } CK_RC2_MAC_GENERAL_PARAMS; 1387 | 1388 | typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \ 1389 | CK_RC2_MAC_GENERAL_PARAMS_PTR; 1390 | 1391 | 1392 | /* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and 1393 | * CKM_RC5_MAC mechanisms */ 1394 | typedef struct CK_RC5_PARAMS { 1395 | CK_ULONG ulWordsize; /* wordsize in bits */ 1396 | CK_ULONG ulRounds; /* number of rounds */ 1397 | } CK_RC5_PARAMS; 1398 | 1399 | typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR; 1400 | 1401 | 1402 | /* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC 1403 | * mechanism */ 1404 | typedef struct CK_RC5_CBC_PARAMS { 1405 | CK_ULONG ulWordsize; /* wordsize in bits */ 1406 | CK_ULONG ulRounds; /* number of rounds */ 1407 | CK_BYTE_PTR pIv; /* pointer to IV */ 1408 | CK_ULONG ulIvLen; /* length of IV in bytes */ 1409 | } CK_RC5_CBC_PARAMS; 1410 | 1411 | typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR; 1412 | 1413 | 1414 | /* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the 1415 | * CKM_RC5_MAC_GENERAL mechanism */ 1416 | typedef struct CK_RC5_MAC_GENERAL_PARAMS { 1417 | CK_ULONG ulWordsize; /* wordsize in bits */ 1418 | CK_ULONG ulRounds; /* number of rounds */ 1419 | CK_ULONG ulMacLength; /* Length of MAC in bytes */ 1420 | } CK_RC5_MAC_GENERAL_PARAMS; 1421 | 1422 | typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \ 1423 | CK_RC5_MAC_GENERAL_PARAMS_PTR; 1424 | 1425 | 1426 | /* CK_MAC_GENERAL_PARAMS provides the parameters to most block 1427 | * ciphers' MAC_GENERAL mechanisms. Its value is the length of 1428 | * the MAC */ 1429 | typedef CK_ULONG CK_MAC_GENERAL_PARAMS; 1430 | 1431 | typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR; 1432 | 1433 | typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS { 1434 | CK_BYTE iv[8]; 1435 | CK_BYTE_PTR pData; 1436 | CK_ULONG length; 1437 | } CK_DES_CBC_ENCRYPT_DATA_PARAMS; 1438 | 1439 | typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR; 1440 | 1441 | typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS { 1442 | CK_BYTE iv[16]; 1443 | CK_BYTE_PTR pData; 1444 | CK_ULONG length; 1445 | } CK_AES_CBC_ENCRYPT_DATA_PARAMS; 1446 | 1447 | typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR; 1448 | 1449 | /* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the 1450 | * CKM_SKIPJACK_PRIVATE_WRAP mechanism */ 1451 | typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS { 1452 | CK_ULONG ulPasswordLen; 1453 | CK_BYTE_PTR pPassword; 1454 | CK_ULONG ulPublicDataLen; 1455 | CK_BYTE_PTR pPublicData; 1456 | CK_ULONG ulPAndGLen; 1457 | CK_ULONG ulQLen; 1458 | CK_ULONG ulRandomLen; 1459 | CK_BYTE_PTR pRandomA; 1460 | CK_BYTE_PTR pPrimeP; 1461 | CK_BYTE_PTR pBaseG; 1462 | CK_BYTE_PTR pSubprimeQ; 1463 | } CK_SKIPJACK_PRIVATE_WRAP_PARAMS; 1464 | 1465 | typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \ 1466 | CK_SKIPJACK_PRIVATE_WRAP_PTR; 1467 | 1468 | 1469 | /* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the 1470 | * CKM_SKIPJACK_RELAYX mechanism */ 1471 | typedef struct CK_SKIPJACK_RELAYX_PARAMS { 1472 | CK_ULONG ulOldWrappedXLen; 1473 | CK_BYTE_PTR pOldWrappedX; 1474 | CK_ULONG ulOldPasswordLen; 1475 | CK_BYTE_PTR pOldPassword; 1476 | CK_ULONG ulOldPublicDataLen; 1477 | CK_BYTE_PTR pOldPublicData; 1478 | CK_ULONG ulOldRandomLen; 1479 | CK_BYTE_PTR pOldRandomA; 1480 | CK_ULONG ulNewPasswordLen; 1481 | CK_BYTE_PTR pNewPassword; 1482 | CK_ULONG ulNewPublicDataLen; 1483 | CK_BYTE_PTR pNewPublicData; 1484 | CK_ULONG ulNewRandomLen; 1485 | CK_BYTE_PTR pNewRandomA; 1486 | } CK_SKIPJACK_RELAYX_PARAMS; 1487 | 1488 | typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \ 1489 | CK_SKIPJACK_RELAYX_PARAMS_PTR; 1490 | 1491 | 1492 | typedef struct CK_PBE_PARAMS { 1493 | CK_BYTE_PTR pInitVector; 1494 | CK_UTF8CHAR_PTR pPassword; 1495 | CK_ULONG ulPasswordLen; 1496 | CK_BYTE_PTR pSalt; 1497 | CK_ULONG ulSaltLen; 1498 | CK_ULONG ulIteration; 1499 | } CK_PBE_PARAMS; 1500 | 1501 | typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR; 1502 | 1503 | 1504 | /* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the 1505 | * CKM_KEY_WRAP_SET_OAEP mechanism */ 1506 | typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS { 1507 | CK_BYTE bBC; /* block contents byte */ 1508 | CK_BYTE_PTR pX; /* extra data */ 1509 | CK_ULONG ulXLen; /* length of extra data in bytes */ 1510 | } CK_KEY_WRAP_SET_OAEP_PARAMS; 1511 | 1512 | typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \ 1513 | CK_KEY_WRAP_SET_OAEP_PARAMS_PTR; 1514 | 1515 | 1516 | typedef struct CK_SSL3_RANDOM_DATA { 1517 | CK_BYTE_PTR pClientRandom; 1518 | CK_ULONG ulClientRandomLen; 1519 | CK_BYTE_PTR pServerRandom; 1520 | CK_ULONG ulServerRandomLen; 1521 | } CK_SSL3_RANDOM_DATA; 1522 | 1523 | 1524 | typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS { 1525 | CK_SSL3_RANDOM_DATA RandomInfo; 1526 | CK_VERSION_PTR pVersion; 1527 | } CK_SSL3_MASTER_KEY_DERIVE_PARAMS; 1528 | 1529 | typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \ 1530 | CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR; 1531 | 1532 | 1533 | typedef struct CK_SSL3_KEY_MAT_OUT { 1534 | CK_OBJECT_HANDLE hClientMacSecret; 1535 | CK_OBJECT_HANDLE hServerMacSecret; 1536 | CK_OBJECT_HANDLE hClientKey; 1537 | CK_OBJECT_HANDLE hServerKey; 1538 | CK_BYTE_PTR pIVClient; 1539 | CK_BYTE_PTR pIVServer; 1540 | } CK_SSL3_KEY_MAT_OUT; 1541 | 1542 | typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR; 1543 | 1544 | 1545 | typedef struct CK_SSL3_KEY_MAT_PARAMS { 1546 | CK_ULONG ulMacSizeInBits; 1547 | CK_ULONG ulKeySizeInBits; 1548 | CK_ULONG ulIVSizeInBits; 1549 | CK_BBOOL bIsExport; 1550 | CK_SSL3_RANDOM_DATA RandomInfo; 1551 | CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial; 1552 | } CK_SSL3_KEY_MAT_PARAMS; 1553 | 1554 | typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR; 1555 | 1556 | typedef struct CK_TLS_PRF_PARAMS { 1557 | CK_BYTE_PTR pSeed; 1558 | CK_ULONG ulSeedLen; 1559 | CK_BYTE_PTR pLabel; 1560 | CK_ULONG ulLabelLen; 1561 | CK_BYTE_PTR pOutput; 1562 | CK_ULONG_PTR pulOutputLen; 1563 | } CK_TLS_PRF_PARAMS; 1564 | 1565 | typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR; 1566 | 1567 | typedef struct CK_WTLS_RANDOM_DATA { 1568 | CK_BYTE_PTR pClientRandom; 1569 | CK_ULONG ulClientRandomLen; 1570 | CK_BYTE_PTR pServerRandom; 1571 | CK_ULONG ulServerRandomLen; 1572 | } CK_WTLS_RANDOM_DATA; 1573 | 1574 | typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR; 1575 | 1576 | typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS { 1577 | CK_MECHANISM_TYPE DigestMechanism; 1578 | CK_WTLS_RANDOM_DATA RandomInfo; 1579 | CK_BYTE_PTR pVersion; 1580 | } CK_WTLS_MASTER_KEY_DERIVE_PARAMS; 1581 | 1582 | typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \ 1583 | CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR; 1584 | 1585 | typedef struct CK_WTLS_PRF_PARAMS { 1586 | CK_MECHANISM_TYPE DigestMechanism; 1587 | CK_BYTE_PTR pSeed; 1588 | CK_ULONG ulSeedLen; 1589 | CK_BYTE_PTR pLabel; 1590 | CK_ULONG ulLabelLen; 1591 | CK_BYTE_PTR pOutput; 1592 | CK_ULONG_PTR pulOutputLen; 1593 | } CK_WTLS_PRF_PARAMS; 1594 | 1595 | typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR; 1596 | 1597 | typedef struct CK_WTLS_KEY_MAT_OUT { 1598 | CK_OBJECT_HANDLE hMacSecret; 1599 | CK_OBJECT_HANDLE hKey; 1600 | CK_BYTE_PTR pIV; 1601 | } CK_WTLS_KEY_MAT_OUT; 1602 | 1603 | typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR; 1604 | 1605 | typedef struct CK_WTLS_KEY_MAT_PARAMS { 1606 | CK_MECHANISM_TYPE DigestMechanism; 1607 | CK_ULONG ulMacSizeInBits; 1608 | CK_ULONG ulKeySizeInBits; 1609 | CK_ULONG ulIVSizeInBits; 1610 | CK_ULONG ulSequenceNumber; 1611 | CK_BBOOL bIsExport; 1612 | CK_WTLS_RANDOM_DATA RandomInfo; 1613 | CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial; 1614 | } CK_WTLS_KEY_MAT_PARAMS; 1615 | 1616 | typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR; 1617 | 1618 | typedef struct CK_CMS_SIG_PARAMS { 1619 | CK_OBJECT_HANDLE certificateHandle; 1620 | CK_MECHANISM_PTR pSigningMechanism; 1621 | CK_MECHANISM_PTR pDigestMechanism; 1622 | CK_UTF8CHAR_PTR pContentType; 1623 | CK_BYTE_PTR pRequestedAttributes; 1624 | CK_ULONG ulRequestedAttributesLen; 1625 | CK_BYTE_PTR pRequiredAttributes; 1626 | CK_ULONG ulRequiredAttributesLen; 1627 | } CK_CMS_SIG_PARAMS; 1628 | 1629 | typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR; 1630 | 1631 | typedef struct CK_KEY_DERIVATION_STRING_DATA { 1632 | CK_BYTE_PTR pData; 1633 | CK_ULONG ulLen; 1634 | } CK_KEY_DERIVATION_STRING_DATA; 1635 | 1636 | typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \ 1637 | CK_KEY_DERIVATION_STRING_DATA_PTR; 1638 | 1639 | 1640 | /* The CK_EXTRACT_PARAMS is used for the 1641 | * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit 1642 | * of the base key should be used as the first bit of the 1643 | * derived key */ 1644 | typedef CK_ULONG CK_EXTRACT_PARAMS; 1645 | 1646 | typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR; 1647 | 1648 | /* 1649 | * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to 1650 | * indicate the Pseudo-Random Function (PRF) used to generate 1651 | * key bits using PKCS #5 PBKDF2. */ 1652 | typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE; 1653 | 1654 | typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR; 1655 | 1656 | #define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001 1657 | 1658 | 1659 | /* 1660 | * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the 1661 | * source of the salt value when deriving a key using PKCS #5 1662 | * PBKDF2. */ 1663 | typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE; 1664 | 1665 | typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR; 1666 | 1667 | /* The following salt value sources are defined in PKCS #5 v2.0. */ 1668 | #define CKZ_SALT_SPECIFIED 0x00000001 1669 | 1670 | /* 1671 | * CK_PKCS5_PBKD2_PARAMS is a structure that provides the 1672 | * parameters to the CKM_PKCS5_PBKD2 mechanism. */ 1673 | typedef struct CK_PKCS5_PBKD2_PARAMS { 1674 | CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; 1675 | CK_VOID_PTR pSaltSourceData; 1676 | CK_ULONG ulSaltSourceDataLen; 1677 | CK_ULONG iterations; 1678 | CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; 1679 | CK_VOID_PTR pPrfData; 1680 | CK_ULONG ulPrfDataLen; 1681 | CK_UTF8CHAR_PTR pPassword; 1682 | CK_ULONG_PTR ulPasswordLen; 1683 | } CK_PKCS5_PBKD2_PARAMS; 1684 | 1685 | typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR; 1686 | 1687 | typedef CK_ULONG CK_OTP_PARAM_TYPE; 1688 | typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* B/w compatibility */ 1689 | 1690 | typedef struct CK_OTP_PARAM { 1691 | CK_OTP_PARAM_TYPE type; 1692 | CK_VOID_PTR pValue; 1693 | CK_ULONG ulValueLen; 1694 | } CK_OTP_PARAM; 1695 | 1696 | typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR; 1697 | 1698 | typedef struct CK_OTP_PARAMS { 1699 | CK_OTP_PARAM_PTR pParams; 1700 | CK_ULONG ulCount; 1701 | } CK_OTP_PARAMS; 1702 | 1703 | typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR; 1704 | 1705 | typedef struct CK_OTP_SIGNATURE_INFO { 1706 | CK_OTP_PARAM_PTR pParams; 1707 | CK_ULONG ulCount; 1708 | } CK_OTP_SIGNATURE_INFO; 1709 | 1710 | typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR; 1711 | 1712 | #define CK_OTP_VALUE 0 1713 | #define CK_OTP_PIN 1 1714 | #define CK_OTP_CHALLENGE 2 1715 | #define CK_OTP_TIME 3 1716 | #define CK_OTP_COUNTER 4 1717 | #define CK_OTP_FLAGS 5 1718 | #define CK_OTP_OUTPUT_LENGTH 6 1719 | #define CK_OTP_OUTPUT_FORMAT 7 1720 | 1721 | #define CKF_NEXT_OTP 0x00000001 1722 | #define CKF_EXCLUDE_TIME 0x00000002 1723 | #define CKF_EXCLUDE_COUNTER 0x00000004 1724 | #define CKF_EXCLUDE_CHALLENGE 0x00000008 1725 | #define CKF_EXCLUDE_PIN 0x00000010 1726 | #define CKF_USER_FRIENDLY_OTP 0x00000020 1727 | 1728 | typedef struct CK_KIP_PARAMS { 1729 | CK_MECHANISM_PTR pMechanism; 1730 | CK_OBJECT_HANDLE hKey; 1731 | CK_BYTE_PTR pSeed; 1732 | CK_ULONG ulSeedLen; 1733 | } CK_KIP_PARAMS; 1734 | 1735 | typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR; 1736 | 1737 | typedef struct CK_AES_CTR_PARAMS { 1738 | CK_ULONG ulCounterBits; 1739 | CK_BYTE cb[16]; 1740 | } CK_AES_CTR_PARAMS; 1741 | 1742 | typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR; 1743 | 1744 | typedef struct CK_AES_GCM_PARAMS { 1745 | CK_BYTE_PTR pIv; 1746 | CK_ULONG ulIvLen; 1747 | CK_ULONG ulIvBits; 1748 | CK_BYTE_PTR pAAD; 1749 | CK_ULONG ulAADLen; 1750 | CK_ULONG ulTagBits; 1751 | } CK_AES_GCM_PARAMS; 1752 | 1753 | typedef CK_AES_GCM_PARAMS CK_PTR CK_AES_GCM_PARAMS_PTR; 1754 | 1755 | typedef struct CK_AES_CCM_PARAMS { 1756 | CK_ULONG ulDataLen; /*plaintext or ciphertext*/ 1757 | CK_BYTE_PTR pNonce; 1758 | CK_ULONG ulNonceLen; 1759 | CK_BYTE_PTR pAAD; 1760 | CK_ULONG ulAADLen; 1761 | CK_ULONG ulMACLen; 1762 | } CK_AES_CCM_PARAMS; 1763 | 1764 | typedef CK_AES_CCM_PARAMS CK_PTR CK_AES_CCM_PARAMS_PTR; 1765 | 1766 | typedef struct CK_CAMELLIA_CTR_PARAMS { 1767 | CK_ULONG ulCounterBits; 1768 | CK_BYTE cb[16]; 1769 | } CK_CAMELLIA_CTR_PARAMS; 1770 | 1771 | typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR; 1772 | 1773 | typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS { 1774 | CK_BYTE iv[16]; 1775 | CK_BYTE_PTR pData; 1776 | CK_ULONG length; 1777 | } CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS; 1778 | 1779 | typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR; 1780 | 1781 | typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS { 1782 | CK_BYTE iv[16]; 1783 | CK_BYTE_PTR pData; 1784 | CK_ULONG length; 1785 | } CK_ARIA_CBC_ENCRYPT_DATA_PARAMS; 1786 | 1787 | typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR; 1788 | 1789 | #endif 1790 | -------------------------------------------------------------------------------- /scd.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2015-2018 SektionEins GmbH / Ben Fuhrmannek 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | */ 17 | 18 | // for asprintf on linux 19 | #define _GNU_SOURCE 20 | 21 | #include "common.h" 22 | #include "scd.h" 23 | 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | 30 | // for asprintf with not too old libgpg-error 31 | #ifdef GPGRT_VERSION 32 | #define asprintf gpgrt_asprintf 33 | #endif 34 | 35 | #ifdef _WIN32 36 | static char* stpcpy(char *dst, char *src) 37 | { 38 | strcpy(dst, src); 39 | return dst + strlen(src); 40 | } 41 | #endif 42 | 43 | struct sec_signature { 44 | uchar *pSignature; 45 | unsigned long *pulSignatureLen; 46 | }; 47 | 48 | 49 | static gpg_error_t find_gpg_socket(char *buf, size_t len) 50 | { 51 | char *tmp, *t, *ext = NULL; 52 | 53 | // try GPG_AGENT_INFO which looks like /home/user/.gnupg/S.gpg-agent:1234:1 54 | // note: GPG_AGENT_INFO is not set for gnupg >= 2.1 55 | tmp = getenv("GPG_AGENT_INFO"); 56 | if (tmp) { 57 | t = strchr(tmp, ':'); 58 | if (t) { 59 | if (t-tmp + 1 > len) 60 | return 1; 61 | strncpy(buf, tmp, t-tmp); 62 | buf[t-tmp] = '\0'; 63 | return 0; 64 | } 65 | } 66 | 67 | #ifndef _WIN32 68 | // use $GNUPGHOME/S.gpg-agent if $GNUPGHOME is set 69 | tmp = getenv("GNUPGHOME"); 70 | if (tmp) { 71 | ext = "/S.gpg-agent"; 72 | if (strlen(tmp) + strlen(ext) + 1 > len) 73 | return 1; 74 | t = stpcpy(buf, tmp); 75 | stpcpy(t, ext); 76 | return 0; 77 | } 78 | 79 | // fall back to $HOME/.gnupg/S.gpg-agent 80 | tmp = getenv("HOME"); 81 | if (tmp) { 82 | ext = "/.gnupg/S.gpg-agent"; 83 | if (strlen(tmp) + strlen(ext) + 1 > len) 84 | return 1; 85 | t = stpcpy(buf, tmp); 86 | stpcpy(t, ext); 87 | return 0; 88 | } 89 | 90 | #else // _WIN32 91 | tmp = getenv("APPDATA"); 92 | if (tmp) { 93 | ext = "/gnupg/S.gpg-agent"; 94 | if (strlen(tmp) + strlen(ext) + 1 > len) 95 | return 1; 96 | t = stpcpy(buf, tmp); 97 | stpcpy(t, ext); 98 | return 0; 99 | } 100 | #endif 101 | 102 | return 1; 103 | } 104 | 105 | static inline int is_optstr_clean(char *str) 106 | { 107 | while (*str != 0) { 108 | if (*str < 32) { return 0; } 109 | str++; 110 | } 111 | return 1; 112 | } 113 | 114 | gpg_error_t scd_set_option(assuan_context_t ctx, char *key, char *value) 115 | { 116 | if (!key || *key == 0) { 117 | SDEBUG("OPTION key not set"); 118 | return 1; 119 | } 120 | if (!value) { 121 | SDEBUG("OPTION value not set for key '%s'", key); 122 | return 1; 123 | } 124 | 125 | if (!is_optstr_clean(value) || !is_optstr_clean(key)) { 126 | SDEBUG("OPTION key or value contains illegal characters for key '%s'", key); 127 | return 1; 128 | } 129 | 130 | char *cmd; 131 | if (asprintf(&cmd, "OPTION %s=%s", key, value) < 0) { 132 | SDEBUG("OPITON out of memory for key '%s'", key); 133 | return 1; 134 | } 135 | 136 | gpg_error_t err; 137 | err = assuan_transact(ctx, cmd, NULL, NULL, NULL, NULL, NULL, NULL); 138 | 139 | if (err) { 140 | sec_log_err("error setting OPTION '%s=%s'", key, value); 141 | } 142 | 143 | free(cmd); 144 | return err; 145 | } 146 | 147 | gpg_error_t scd_agent_connect(assuan_context_t *ctx) 148 | { 149 | gpg_error_t err; 150 | char gpg_agent_socket_name[1024]; 151 | 152 | if (ctx == NULL) { return 1; } 153 | if (*ctx != NULL) { return 0; } 154 | 155 | err = find_gpg_socket(gpg_agent_socket_name, 1024); 156 | if (err) { 157 | SDEBUG("Could not find agent path, check env. variables"); 158 | return err; 159 | } 160 | 161 | err = assuan_new(ctx); 162 | if (err) { return err; } 163 | 164 | err = assuan_socket_connect(*ctx, gpg_agent_socket_name, ASSUAN_INVALID_PID, 0); 165 | if (err) { 166 | assuan_release(*ctx); 167 | *ctx = NULL; 168 | SDEBUG("Could not connect to agent via socket: '%s'", gpg_agent_socket_name); 169 | return err; 170 | } 171 | 172 | #ifndef _WIN32 173 | // set options. ignore errors - see debug log for debugging problems 174 | char *val = NULL; 175 | val = getenv("GPG_TTY"); 176 | if (!val) { 177 | val = getenv("TTY"); 178 | } 179 | if (!val) { 180 | val = ttyname(0); 181 | } 182 | scd_set_option(*ctx, "ttyname", val); 183 | #endif 184 | 185 | scd_set_option(*ctx, "display", getenv("DISPLAY")); 186 | scd_set_option(*ctx, "ttytype", getenv("TERM")); 187 | scd_set_option(*ctx, "lc-ctype", setlocale(LC_CTYPE, NULL)); 188 | #ifndef _WIN32 189 | scd_set_option(*ctx, "lc-messages", setlocale(LC_MESSAGES, NULL)); 190 | #endif 191 | scd_set_option(*ctx, "xauthority", getenv("XAUTHORITY")); 192 | scd_set_option(*ctx, "pinentry-user-data", getenv("PINENTRY_USER_DATA")); 193 | scd_set_option(*ctx, "use-cache-for-signing", getenv("GPG_USE_CACHE_FOR_SIGNING")); 194 | scd_set_option(*ctx, "allow-pinentry-notify", getenv("GPG_ALLOW_PINENTRY_NOTIFY")); 195 | scd_set_option(*ctx, "pinentry-mode", getenv("PINENTRY_MODE")); 196 | scd_set_option(*ctx, "cache-ttl-opt-preset", getenv("GPG_CACHE_TTL_OPT_PRESET")); 197 | scd_set_option(*ctx, "s2k-count", getenv("GPG_S2K_COUNT")); 198 | 199 | return 0; 200 | } 201 | 202 | void scd_agent_disconnect(assuan_context_t ctx) 203 | { 204 | assuan_release(ctx); 205 | } 206 | 207 | gpg_error_t scd_serialno_openpgp(assuan_context_t ctx) 208 | { 209 | gpg_error_t err; 210 | err = assuan_transact(ctx, "SCD SERIALNO openpgp", NULL, NULL, NULL, NULL, NULL, NULL); 211 | SDEBUG("[%u] token %spresent", err, err? "not ":""); 212 | return err; 213 | } 214 | 215 | int scd_token_present(assuan_context_t ctx) 216 | { 217 | return !scd_serialno_openpgp(ctx); 218 | } 219 | 220 | 221 | #define ISHEX(p) ((*(p) >= '0' && *(p) <= '9') \ 222 | || (*(p) >= 'a' && *(p) <= 'f') \ 223 | || (*(p) >= 'F' && *(p) <= 'F')) 224 | #define HEXC2I(p) (*(p) <= '9' ? *(p) - '0' :\ 225 | *(p) <= 'F' ? *(p) - 'A' + 10 :\ 226 | *(p) - 'a' + 10) 227 | #define HEXC2I2(p) (16 * HEXC2I(p) + HEXC2I((p)+1)) 228 | 229 | gpg_error_t scd_unescape_data(uchar *out, size_t *poutlen, uchar *data, size_t datalen) 230 | { 231 | gpg_error_t rv = 0; 232 | uchar *pin = data, *pout = out; 233 | int countmode = 0; // if buffer is too short, return required buffer size in *poutlen 234 | SDEBUG("maxlen=%zu datalen=%zu", *poutlen, datalen); 235 | 236 | while (pin < data + datalen) { 237 | if (!countmode && pout >= out + *poutlen) { 238 | rv = GPG_ERR_BUFFER_TOO_SHORT; 239 | countmode = 1; 240 | // break; 241 | } 242 | 243 | if (*pin == '%' && pout + 2 < data + datalen && ISHEX(pout + 1) && ISHEX(pout + 2)) { 244 | if (!countmode) { 245 | *pout = HEXC2I2(pout+1); 246 | SDEBUG("c=%c", *pout); 247 | } 248 | pin += 2; 249 | } else { 250 | if (!countmode) *pout = *pin; 251 | } 252 | 253 | pin++; pout++; 254 | } 255 | *poutlen = pout - out; 256 | return rv; 257 | } 258 | 259 | gpg_error_t scd_copy_data(uchar *out, size_t *poutlen, uchar *data, size_t datalen) 260 | { 261 | gpg_error_t rv = 0; 262 | if (*poutlen < datalen) { 263 | rv = GPG_ERR_BUFFER_TOO_SHORT; 264 | } else { 265 | memcpy(out, data, datalen); 266 | } 267 | *poutlen = datalen; 268 | return rv; 269 | } 270 | 271 | static gpg_error_t sign_data_cb(void *arg, const void *data, size_t datalen) 272 | { 273 | struct sec_signature *psig = (struct sec_signature*)arg; 274 | gpg_error_t err = scd_copy_data(psig->pSignature, (size_t*)psig->pulSignatureLen, (unsigned char *)data, datalen); 275 | return err; 276 | } 277 | 278 | gpg_error_t scd_sign_data(assuan_context_t ctx, uchar *pSignature, unsigned long *pulSignatureLen, uchar *pData, unsigned long ulDataLen) 279 | { 280 | gpg_error_t err = 0; 281 | if (ulDataLen > SEC_SIGN_MAXLEN) 282 | return 1; 283 | char *cmdstart = "SCD SETDATA "; 284 | int offset = strlen(cmdstart); 285 | char *tmp = malloc(ulDataLen * 2 + offset + 1); 286 | strcpy(tmp, cmdstart); 287 | for (unsigned long i = 0; i < ulDataLen; i ++) 288 | sprintf(tmp + offset + i*2, "%02X", pData[i]); 289 | SDEBUG("cmd=%s", tmp); 290 | err = assuan_transact(ctx, tmp, NULL, NULL, NULL, NULL, NULL, NULL); 291 | free(tmp); 292 | if (err) { 293 | SDEBUG("ERROR: SETDATA failed [%x]: %s", err, gpg_strerror(err)); 294 | return err; 295 | } 296 | // if (g_state.sign.pSignature != NULL) { 297 | // sec_free(g_state.sign.pSignature); 298 | // } 299 | struct sec_signature sig = {pSignature, pulSignatureLen}; 300 | err = assuan_transact(ctx, "SCD PKAUTH OPENPGP.3", sign_data_cb, &sig, NULL, NULL, NULL, NULL); 301 | // if (err == GPG_ERR_BUFFER_TOO_SHORT) {} 302 | if (err) { 303 | SDEBUG("ERROR: PKAUTH failed [%x]: %s", err, gpg_strerror(err)); 304 | return err; 305 | } 306 | 307 | return err; 308 | } 309 | 310 | static inline gpg_error_t sec_sexp_strcmp(gcry_sexp_t sexp, int n, const char *v) { 311 | gpg_error_t err = 0; 312 | char *tmp; 313 | 314 | tmp = gcry_sexp_nth_string(sexp, n); 315 | if (tmp == NULL) { return 1; } 316 | 317 | if (strcmp(tmp, v) != 0) { 318 | SDEBUG("got '%s' instead of '%s'", tmp, v); 319 | err = 1; 320 | } 321 | 322 | gcry_free(tmp); 323 | return err; 324 | } 325 | 326 | gpg_error_t scd_unpack_pubkey(uchar **pn, size_t *pnlen, 327 | uchar **pe, size_t *pelen, 328 | uchar *pubkey, size_t pubkeylen) 329 | { 330 | // pubkey S-expression: (public-key (rsa (n ...) (e ...))) 331 | // |-> sexp |-> sexp2 |->sexp3 |->sexp3 332 | gpg_error_t err = 0; 333 | size_t len; 334 | char *tmp; 335 | 336 | *pn = NULL; 337 | *pe = NULL; 338 | 339 | gcry_sexp_t sexp = NULL; 340 | gcry_sexp_t sexp2 = NULL; 341 | gcry_sexp_t sexp3 = NULL; 342 | err = gcry_sexp_new(&sexp, pubkey, pubkeylen, 0); 343 | if (err) goto pubkey_error; 344 | 345 | // gcry_sexp_dump(sexp); 346 | 347 | err = sec_sexp_strcmp(sexp, 0, "public-key"); 348 | if (err) goto pubkey_error; 349 | 350 | sexp2 = gcry_sexp_nth(sexp, 1); 351 | if (sexp2 == NULL) goto pubkey_error; 352 | 353 | err = sec_sexp_strcmp(sexp2, 0, "rsa"); 354 | if (err) goto pubkey_error; 355 | 356 | sexp3 = gcry_sexp_nth(sexp2, 1); 357 | if (sexp3 == NULL) goto pubkey_error; 358 | 359 | err = sec_sexp_strcmp(sexp3, 0, "n"); 360 | if (err) goto pubkey_error; 361 | 362 | tmp = gcry_sexp_nth_buffer(sexp3, 1, &len); 363 | if (tmp == NULL) goto pubkey_error; 364 | *pn = malloc(len); 365 | memcpy(*pn, tmp, len); 366 | *pnlen = len; 367 | 368 | gcry_free(tmp); 369 | 370 | sexp3 = gcry_sexp_nth(sexp2, 2); 371 | if (sexp3 == NULL) goto pubkey_error; 372 | 373 | err = sec_sexp_strcmp(sexp3, 0, "e"); 374 | if (err) goto pubkey_error; 375 | 376 | tmp = gcry_sexp_nth_buffer(sexp3, 1, &len); 377 | if (tmp == NULL) goto pubkey_error; 378 | *pe = malloc(len); 379 | memcpy(*pe, tmp, len); 380 | *pelen = len; 381 | 382 | gcry_free(tmp); 383 | if (sexp) gcry_sexp_release(sexp); 384 | if (sexp2) gcry_sexp_release(sexp2); 385 | if (sexp3) gcry_sexp_release(sexp3); 386 | return 0; 387 | 388 | pubkey_error: 389 | if (err == 0) err = 1; 390 | SDEBUG("error %d: %s\n", err, gcry_strerror(err)); 391 | if (sexp) gcry_sexp_release(sexp); 392 | if (sexp2) gcry_sexp_release(sexp2); 393 | if (sexp3) gcry_sexp_release(sexp3); 394 | if (*pn) { free(*pn); *pn = NULL; *pnlen = 0; } 395 | if (*pe) { free(*pe); *pe = NULL; *pelen = 0; } 396 | return err; 397 | 398 | } 399 | -------------------------------------------------------------------------------- /scd.h: -------------------------------------------------------------------------------- 1 | #ifndef SCD_H 2 | #define SCD_H 3 | 4 | #include 5 | 6 | #define SEC_SIGN_MAXLEN 4096 7 | 8 | gpg_error_t scd_agent_connect(assuan_context_t *ctx); 9 | void scd_agent_disconnect(assuan_context_t ctx); 10 | gpg_error_t scd_set_option(assuan_context_t ctx, char *key, char *value); 11 | gpg_error_t scd_serialno_openpgp(assuan_context_t ctx); 12 | int scd_token_present(assuan_context_t ctx); 13 | gpg_error_t scd_unescape_data(uchar *out, size_t *poutlen, uchar *data, size_t datalen); 14 | gpg_error_t scd_copy_data(uchar *out, size_t *poutlen, uchar *data, size_t datalen); 15 | gpg_error_t scd_sign_data(assuan_context_t ctx, uchar *pSignature, unsigned long *pulSignatureLen, uchar *pData, unsigned long ulDataLen); 16 | 17 | gpg_error_t scd_unpack_pubkey(uchar **pn, size_t *pnlen, 18 | uchar **pe, size_t *pelen, 19 | uchar *pubkey, size_t pubkeylen); 20 | 21 | #endif /* SCD_H */ 22 | -------------------------------------------------------------------------------- /sec.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2015 SektionEins GmbH / Ben Fuhrmannek 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | */ 17 | 18 | #include 19 | 20 | #ifdef HAVE_SSL 21 | #include 22 | #endif 23 | 24 | #include "common.h" 25 | #include "sec.h" 26 | #include "scd.h" 27 | 28 | struct sec_internal g_state; 29 | 30 | #define SEC_LABEL1 "Signature certificate" 31 | #define SEC_LABEL2 "Encryption certificate" 32 | #define SEC_LABEL3 "Authentication certificate" 33 | 34 | /* ---- MEMORY MGMT */ 35 | 36 | #define SEC_ALLOC_COPY(type, name, value, length) \ 37 | type *name = calloc(1, length); memcpy(name, value, length); 38 | #define SEC_ALLOC_STRCPY(type, name, value) \ 39 | SEC_ALLOC_COPY(type, name, value, strlen(value)+1) 40 | #define SEC_ALLOC_ASSIGN(type, name, value) \ 41 | type *name = calloc(1, sizeof(type)); *name = value; 42 | 43 | 44 | 45 | static void sec_free_alist(struct sec_ck_alist *al) 46 | { 47 | if (al == NULL) { 48 | return; 49 | } 50 | if (al->p != NULL) { 51 | for (CK_ULONG i = 0; i < al->cnt; i++) { 52 | if (al->p[i].pValue != NULL) { 53 | free(al->p[i].pValue); 54 | } 55 | } 56 | } 57 | sec_free(al->p); 58 | } 59 | 60 | void sec_free_token() 61 | { 62 | if (g_state.token == NULL) 63 | return; 64 | 65 | for (int i = 0; i < 3; i++) { 66 | sec_free_alist(&g_state.token->alCert[i]); 67 | sec_free_alist(&g_state.token->alPriv[i]); 68 | sec_free_alist(&g_state.token->alPub[i]); 69 | } 70 | 71 | sec_free(g_state.token); 72 | } 73 | 74 | 75 | /* ---- BUILD ATTRIBUTE LISTS */ 76 | 77 | 78 | static uchar * sec_al_copy_attr(CK_ATTRIBUTE_TYPE type, struct sec_ck_alist al, CK_ULONG *len) 79 | { 80 | CK_ATTRIBUTE_PTR pa = sec_al_get_attr(type, al); 81 | if (pa == NULL) 82 | return NULL; 83 | *len = pa->ulValueLen; 84 | uchar *p = malloc(pa->ulValueLen); 85 | memcpy(p, pa->pValue, pa->ulValueLen); 86 | return p; 87 | } 88 | 89 | static void sec_convert_cert3_to_attribute_list() 90 | { 91 | if (g_state.token == NULL) { 92 | return; 93 | } 94 | SDEBUG("called certlen[SEC_KEY3]=%zu", g_state.token->certlen[SEC_KEY3]); 95 | sec_free_alist(&g_state.token->alCert[SEC_KEY3]); 96 | 97 | if (g_state.token->certlen[SEC_KEY3] == 0) 98 | return; 99 | 100 | const char *label3 = SEC_LABEL3; 101 | 102 | // cert3 atttribute list 103 | SDEBUG("converting cert3 to CK template"); 104 | SEC_ALLOC_ASSIGN(CK_OBJECT_CLASS, class, CKO_CERTIFICATE) 105 | SEC_ALLOC_ASSIGN(CK_CERTIFICATE_TYPE, certType, CKC_X_509) 106 | SEC_ALLOC_ASSIGN(CK_BBOOL, token, CK_TRUE) 107 | SEC_ALLOC_STRCPY(CK_UTF8CHAR, label, label3) 108 | SEC_ALLOC_COPY(CK_BYTE, certificate, g_state.token->cert[SEC_KEY3], g_state.token->certlen[SEC_KEY3]) 109 | SEC_ALLOC_ASSIGN(CK_BYTE, id, 3) 110 | 111 | CK_BYTE *subject = NULL; CK_ULONG subject_len = -1; 112 | CK_BYTE *issuer = NULL; CK_ULONG issuer_len = -1; 113 | CK_BYTE *serial = NULL; CK_ULONG serial_len = -1; 114 | 115 | #ifdef HAVE_SSL 116 | unsigned char *p = g_state.token->cert[SEC_KEY3]; 117 | X509 *x = d2i_X509(NULL, (const unsigned char **)&p, g_state.token->certlen[SEC_KEY3]); 118 | if (x != NULL) { 119 | X509_NAME *xn_subject = X509_get_subject_name(x); 120 | subject = (CK_BYTE*)X509_NAME_oneline(xn_subject, NULL, 0); // allocates subject 121 | if (subject) { 122 | subject_len = strlen((const char*)subject); 123 | } 124 | 125 | X509_NAME *xn_issuer = X509_get_issuer_name(x); 126 | issuer = (CK_BYTE*)X509_NAME_oneline(xn_issuer, NULL, 0); // allocates subject 127 | if (issuer) { 128 | issuer_len = strlen((const char*)issuer); 129 | } 130 | 131 | ASN1_INTEGER *a1serial = X509_get_serialNumber(x); 132 | if (a1serial) { 133 | BIGNUM *bn = ASN1_INTEGER_to_BN(a1serial, NULL); 134 | if (bn) { 135 | serial = (unsigned char *)BN_bn2dec(bn); 136 | BN_free(bn); 137 | if (serial) { 138 | serial_len = strlen((const char *)serial); 139 | } 140 | } 141 | } 142 | 143 | X509_free(x); 144 | } 145 | #endif /* HAVE_SSL */ 146 | // CKA_ISSUER 000000011559de00 / 89 147 | // 00000000 30 57 31 0B 30 09 06 03 55 04 06 13 02 41 55 31 0W1.0...U....AU1 148 | // 00000010 13 30 11 06 03 55 04 08 13 0A 53 6F 6D 65 2D 53 .0...U....Some-S 149 | // 00000020 74 61 74 65 31 21 30 1F 06 03 55 04 0A 13 18 49 tate1!0...U....I 150 | // 00000030 6E 74 65 72 6E 65 74 20 57 69 64 67 69 74 73 20 nternet Widgits 151 | // 00000040 50 74 79 20 4C 74 64 31 10 30 0E 06 03 55 04 03 Pty Ltd1.0...U.. 152 | // 00000050 13 07 4D 49 43 52 4F 43 41 ..MICROCA 153 | // DN: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=MICROCA 154 | // CKA_SUBJECT 000000011559de88 / 23 155 | // 00000000 30 15 31 13 30 11 06 03 55 04 03 0C 0A 48 61 6E 0.1.0...U....Han 156 | // 00000010 73 20 57 75 72 73 74 s Wurst 157 | // DN: CN=Hans Wurst 158 | 159 | 160 | CK_ATTRIBUTE template[] = { 161 | {CKA_CLASS, class, sizeof(*class)}, 162 | {CKA_CERTIFICATE_TYPE, certType, sizeof(*certType)}, 163 | {CKA_TOKEN, token, sizeof(*token)}, 164 | {CKA_LABEL, label, strlen((char*)label)+1}, 165 | {CKA_ID, id, sizeof(*id)}, 166 | {CKA_VALUE, certificate, g_state.token->certlen[SEC_KEY3]}, 167 | #ifdef HAVE_SSL 168 | {CKA_SUBJECT, subject, subject_len}, 169 | {CKA_ISSUER, issuer, issuer_len}, 170 | {CKA_SERIAL_NUMBER, serial, serial_len}, 171 | #endif 172 | }; 173 | 174 | g_state.token->alCert[SEC_KEY3].p = malloc(sizeof(template)); 175 | memcpy(g_state.token->alCert[SEC_KEY3].p, template, sizeof(template)); 176 | g_state.token->alCert[SEC_KEY3].cnt = sizeof(template)/sizeof(CK_ATTRIBUTE); 177 | 178 | 179 | 180 | } 181 | 182 | static void sec_convert_pubkey3_to_al() 183 | { 184 | if (g_state.token == NULL) { 185 | return; 186 | } 187 | SDEBUG("called pubkeylen[SEC_KEY3]=%zu", g_state.token->pubkeylen[SEC_KEY3]); 188 | sec_free_alist(&g_state.token->alPub[SEC_KEY3]); 189 | 190 | if (g_state.token->pubkeylen[SEC_KEY3] == 0) 191 | return; 192 | 193 | const char *label3 = SEC_LABEL3; 194 | gpg_error_t err; 195 | 196 | uchar *n = NULL, *e = NULL; 197 | size_t nlen, elen; 198 | err = scd_unpack_pubkey(&n, &nlen, &e, &elen, g_state.token->pubkey[SEC_KEY3], g_state.token->pubkeylen[SEC_KEY3]); 199 | if (err) { SDEBUG("error %d: %s\n", err, gpg_strerror(err)); return; } 200 | 201 | // public key attribute list 202 | SEC_ALLOC_ASSIGN(CK_OBJECT_CLASS, class, CKO_PUBLIC_KEY) 203 | SEC_ALLOC_ASSIGN(CK_BYTE, id, 3) 204 | SEC_ALLOC_STRCPY(CK_UTF8CHAR, label, label3) 205 | SEC_ALLOC_ASSIGN(CK_BBOOL, encrypt, 0) 206 | SEC_ALLOC_ASSIGN(CK_BBOOL, verify, 1) 207 | SEC_ALLOC_ASSIGN(CK_BBOOL, verify_recover, 0) 208 | SEC_ALLOC_ASSIGN(CK_BBOOL, wrap, 0) 209 | SEC_ALLOC_ASSIGN(CK_BBOOL, trusted, 1) 210 | SEC_ALLOC_ASSIGN(CK_KEY_TYPE, key_type, CKK_RSA) 211 | SEC_ALLOC_ASSIGN(CK_ULONG, modulus_bits, nlen * 8) 212 | 213 | // CKA_MODULUS 00007fc23b50a170 / 256 214 | // 00000000 9E 8A CC 5E 93 6F 31 9A BF 0A A8 9D 61 21 09 D8 ...^.o1.....a!.. 215 | // 00000010 99 C9 2C 6F 08 ED 39 13 19 9B DA FD C1 23 D3 26 ..,o..9......#.& 216 | // 00000020 F2 01 C4 70 AA 03 A6 78 B5 13 C1 D6 D2 1D 7B B9 ...p...x......{. 217 | // 00000030 73 86 65 5E E5 DF 12 34 03 F2 99 9B 1F C4 60 54 s.e^...4......`T 218 | // 00000040 7E 24 A9 D5 B8 49 DB C7 75 22 73 58 ED CB F4 8F ~$...I..u"sX.... 219 | // 00000050 A7 71 29 F4 4B 00 C0 D3 6F A9 05 94 72 5F C3 3C .q).K...o...r_.< 220 | // 00000060 F5 76 41 7E A8 C7 AE 08 6B EC B8 DC A7 11 F2 E8 .vA~....k....... 221 | // 00000070 61 64 C6 9D 3D AF D0 F2 92 1B 3B 13 E2 17 E0 4A ad..=.....;....J 222 | // 00000080 60 CF 72 85 78 03 5B 86 C8 4B BF 32 E0 BA 4C 62 `.r.x.[..K.2..Lb 223 | // 00000090 0F FD 7B BD 77 24 84 67 B1 12 AE 93 54 89 CC 0F ..{.w$.g....T... 224 | // 000000A0 83 1C 58 BD 24 6F E5 41 01 2B A7 D9 58 22 B3 65 ..X.$o.A.+..X".e 225 | // 000000B0 2C 66 A9 F2 95 3D DF 8D 04 99 8F 06 B3 0D CC BA ,f...=.......... 226 | // 000000C0 2A 2E DC 33 C3 73 E7 D6 95 8B B5 AA 9D 1B E3 EC *..3.s.......... 227 | // 000000D0 93 19 73 C6 A3 85 52 FF A3 58 75 21 4F 41 DC 92 ..s...R..Xu!OA.. 228 | // 000000E0 17 74 A0 F5 C1 1C D4 B2 10 F4 ED 68 33 D5 52 07 .t.........h3.R. 229 | // 000000F0 A7 8F 64 49 3C 24 B0 A1 EF FC 8D 32 38 EA D8 79 ..dI<$.....28..y 230 | // CKA_PUBLIC_EXPONENT 00007fc23b509a20 / 3 231 | // 00000000 01 00 01 ... 232 | 233 | CK_ATTRIBUTE template[] = { 234 | {CKA_CLASS, class, sizeof(*class)}, 235 | {CKA_ID, id, sizeof(*id)}, 236 | {CKA_ENCRYPT, encrypt, sizeof(*encrypt)}, 237 | {CKA_VERIFY, verify, sizeof(*verify)}, 238 | {CKA_VERIFY_RECOVER, verify_recover, sizeof(*verify_recover)}, 239 | {CKA_WRAP, wrap, sizeof(*wrap)}, 240 | {CKA_TRUSTED, trusted, sizeof(*trusted)}, 241 | {CKA_KEY_TYPE, key_type, sizeof(*key_type)}, 242 | {CKA_LABEL, label, strlen((char*)label)+1}, 243 | {CKA_MODULUS, n, nlen}, 244 | {CKA_MODULUS_BITS, modulus_bits, sizeof(*modulus_bits)}, 245 | {CKA_PUBLIC_EXPONENT, e, elen} 246 | 247 | }; 248 | 249 | g_state.token->alPub[SEC_KEY3].p = malloc(sizeof(template)); 250 | memcpy(g_state.token->alPub[SEC_KEY3].p, template, sizeof(template)); 251 | g_state.token->alPub[SEC_KEY3].cnt = sizeof(template)/sizeof(CK_ATTRIBUTE); 252 | 253 | 254 | 255 | } 256 | 257 | static void sec_create_privkey3_al() 258 | { 259 | if (g_state.token == NULL) { 260 | return; 261 | } 262 | sec_free_alist(&g_state.token->alPriv[SEC_KEY3]); 263 | 264 | if (g_state.token->pubkeylen[SEC_KEY3] == 0) // only create fake privkey al if pubkey is available 265 | return; 266 | 267 | const char *label3 = SEC_LABEL3; 268 | 269 | // private key attribute list 270 | SEC_ALLOC_ASSIGN(CK_OBJECT_CLASS, class, CKO_PRIVATE_KEY) 271 | SEC_ALLOC_ASSIGN(CK_BYTE, id, 3) 272 | SEC_ALLOC_ASSIGN(CK_BBOOL, sensitive, CK_TRUE) 273 | SEC_ALLOC_ASSIGN(CK_BBOOL, decrypt, CK_FALSE) 274 | SEC_ALLOC_ASSIGN(CK_BBOOL, sign, CK_TRUE) 275 | SEC_ALLOC_ASSIGN(CK_BBOOL, sign_recover, CK_FALSE) 276 | SEC_ALLOC_ASSIGN(CK_BBOOL, unwrap, CK_FALSE) 277 | SEC_ALLOC_ASSIGN(CK_BBOOL, extractable, CK_FALSE) 278 | SEC_ALLOC_ASSIGN(CK_BBOOL, always_sensitive, CK_TRUE) 279 | SEC_ALLOC_ASSIGN(CK_BBOOL, never_extractable, CK_TRUE) 280 | SEC_ALLOC_ASSIGN(CK_BBOOL, derive, CK_FALSE) 281 | SEC_ALLOC_ASSIGN(CK_BBOOL, always_authenticate, CK_FALSE) 282 | SEC_ALLOC_ASSIGN(CK_KEY_TYPE, key_type, CKK_RSA) 283 | SEC_ALLOC_STRCPY(CK_UTF8CHAR, label, label3) 284 | SEC_ALLOC_ASSIGN(CK_BBOOL, token, CK_TRUE) 285 | SEC_ALLOC_ASSIGN(CK_BBOOL, private, CK_TRUE) 286 | 287 | CK_ULONG modulus_len = -1, modulus_bits_len = -1, exponent_len = -1; 288 | uchar *modulus = sec_al_copy_attr(CKA_MODULUS, g_state.token->alPub[SEC_KEY3], &modulus_len); 289 | uchar *modulus_bits = sec_al_copy_attr(CKA_MODULUS_BITS, g_state.token->alPub[SEC_KEY3], &modulus_bits_len); 290 | uchar *exponent = sec_al_copy_attr(CKA_PUBLIC_EXPONENT, g_state.token->alPub[SEC_KEY3], &exponent_len); 291 | 292 | CK_ATTRIBUTE template[] = { 293 | {CKA_CLASS, class, sizeof(*class)}, 294 | {CKA_ID, id, sizeof(*id)}, 295 | {CKA_SENSITIVE, sensitive, sizeof(*sensitive)}, 296 | {CKA_DECRYPT, decrypt, sizeof(*decrypt)}, 297 | {CKA_SIGN, sign, sizeof(*sign)}, 298 | {CKA_SIGN_RECOVER, sign_recover, sizeof(*sign_recover)}, 299 | {CKA_UNWRAP, unwrap, sizeof(*unwrap)}, 300 | {CKA_EXTRACTABLE, extractable, sizeof(*extractable)}, 301 | {CKA_ALWAYS_SENSITIVE, always_sensitive, sizeof(*always_sensitive)}, 302 | {CKA_NEVER_EXTRACTABLE, never_extractable, sizeof(*never_extractable)}, 303 | {CKA_DERIVE, derive, sizeof(*derive)}, 304 | {CKA_KEY_TYPE, key_type, sizeof(*key_type)}, 305 | {CKA_LABEL, label, strlen((char*)label)+1}, 306 | {CKA_ALWAYS_AUTHENTICATE, always_authenticate, sizeof(*always_authenticate)}, 307 | {CKA_TOKEN, token, sizeof(*token)}, 308 | {CKA_PRIVATE, private, sizeof(*private)}, 309 | {CKA_MODULUS, modulus, modulus_len}, 310 | {CKA_MODULUS_BITS, modulus_bits, modulus_bits_len}, 311 | {CKA_PUBLIC_EXPONENT, exponent, exponent_len}, 312 | }; 313 | g_state.token->alPriv[SEC_KEY3].p = malloc(sizeof(template)); 314 | memcpy(g_state.token->alPriv[SEC_KEY3].p, template, sizeof(template)); 315 | g_state.token->alPriv[SEC_KEY3].cnt = sizeof(template)/sizeof(CK_ATTRIBUTE); 316 | 317 | 318 | } 319 | 320 | /* ---- SCD INTERACTION */ 321 | 322 | static gpg_error_t learn_status_cb(void *arg, const char *data) 323 | { 324 | 325 | // SDEBUG("RAW: %s", data); 326 | if (strncmp(data, "SERIALNO ", strlen("SERIALNO ")) == 0 && strlen(data) < sizeof(g_state.token->serialno)-1+strlen("SERIALNO ")) { 327 | sscanf(data, "SERIALNO %s", g_state.token->serialno); 328 | SDEBUG("found serialno %s", g_state.token->serialno); 329 | return 0; 330 | } 331 | if (strncmp(data, "KEY-FPR 1 ", strlen("KEY-FPR x ")) == 0 && strlen(data) < sizeof(g_state.token->serialno)-1+strlen("KEY-FPR x ")) { 332 | sscanf(data, "KEY-FPR 1 %s", g_state.token->key_fpr[0]); 333 | SDEBUG("found key fpr 1 %s", g_state.token->key_fpr[0]); 334 | return 0; 335 | } 336 | if (strncmp(data, "KEY-FPR 2 ", strlen("KEY-FPR x ")) == 0 && strlen(data) < sizeof(g_state.token->serialno)-1+strlen("KEY-FPR x ")) { 337 | sscanf(data, "KEY-FPR 2 %s", g_state.token->key_fpr[1]); 338 | SDEBUG("found key fpr 2 %s", g_state.token->key_fpr[1]); 339 | return 0; 340 | } 341 | if (strncmp(data, "KEY-FPR 3 ", strlen("KEY-FPR x ")) == 0 && strlen(data) < sizeof(g_state.token->serialno)-1+strlen("KEY-FPR x ")) { 342 | sscanf(data, "KEY-FPR 3 %s", g_state.token->key_fpr[2]); 343 | SDEBUG("found key fpr 3 %s", g_state.token->key_fpr[2]); 344 | return 0; 345 | } 346 | 347 | return 0; 348 | } 349 | 350 | static gpg_error_t cert3_data_cb(void *arg, const void *data, size_t datalen) { 351 | if (g_state.token == NULL) { 352 | SDEBUG("cannot store data"); 353 | return 1; 354 | } 355 | size_t len = SEC_CERT_MAXLEN - g_state.token->certlen[SEC_KEY3]; 356 | SDEBUG("cert3_data_cb len=%zu", datalen); 357 | gpg_error_t err = scd_copy_data(g_state.token->cert[SEC_KEY3] + g_state.token->certlen[SEC_KEY3], &len, (unsigned char*)data, datalen); 358 | g_state.token->certlen[SEC_KEY3] += len; 359 | if (err) {SDEBUG("error %d", err);} 360 | return err; 361 | } 362 | 363 | static gpg_error_t readkey3_data_cb(void *arg, const void *data, size_t datalen) 364 | { 365 | if (g_state.token == NULL) { 366 | SDEBUG("cannot store data"); 367 | return 1; 368 | } 369 | 370 | size_t len = SEC_KEY_MAXLEN - g_state.token->pubkeylen[SEC_KEY3]; 371 | gpg_error_t err = scd_copy_data(g_state.token->pubkey[SEC_KEY3] + g_state.token->pubkeylen[SEC_KEY3], &len, (uchar*)data, datalen); 372 | g_state.token->pubkeylen[SEC_KEY3] += len; 373 | 374 | SDEBUG("chunklen=%zu\n", len); 375 | return err; 376 | } 377 | 378 | gpg_error_t sec_learn_token(assuan_context_t ctx) 379 | { 380 | gpg_error_t err; 381 | if (g_state.token != NULL) 382 | return 0; 383 | 384 | err = scd_serialno_openpgp(ctx); 385 | if (err) goto sec_learn_token_err; 386 | 387 | g_state.token = calloc(1, sizeof(struct sec_token_info)); 388 | 389 | err = assuan_transact(ctx, "SCD LEARN --force", NULL, NULL, NULL, NULL, learn_status_cb, NULL); 390 | if (err) goto sec_learn_token_err; 391 | 392 | err = assuan_transact(ctx, "SCD READCERT OPENPGP.3", cert3_data_cb, NULL, NULL, NULL, NULL, NULL); 393 | if (err == GPG_ERR_BUFFER_TOO_SHORT) goto sec_learn_token_err; 394 | if (!err) sec_convert_cert3_to_attribute_list(); 395 | 396 | err = assuan_transact(ctx, "SCD READKEY OPENPGP.3", readkey3_data_cb, NULL, NULL, NULL, NULL, NULL); 397 | if (err == GPG_ERR_BUFFER_TOO_SHORT) goto sec_learn_token_err; 398 | if (!err) { 399 | sec_convert_pubkey3_to_al(); 400 | sec_create_privkey3_al(); 401 | } 402 | 403 | return err; 404 | 405 | sec_learn_token_err: 406 | SDEBUG("ERROR %x: %s", err, gpg_strerror(err)); 407 | sec_free_token(); 408 | return err; 409 | } 410 | 411 | 412 | /* ---- helper functions for CK data structures */ 413 | 414 | int sec_al_match(struct sec_ck_alist template, struct sec_ck_alist al) 415 | { 416 | int found; 417 | for (CK_ULONG i = 0; i < template.cnt; i++) { 418 | CK_ATTRIBUTE_PTR pT = &template.p[i]; 419 | found = 0; 420 | for (CK_ULONG j = 0; j < al.cnt; j++) { 421 | CK_ATTRIBUTE_PTR pA = &al.p[j]; 422 | SDEBUG("i=%lu j=%lu t-type=%lx a-type=%lx", i, j, pT->type, pA->type); 423 | if (pT->type == pA->type) { 424 | // SDEBUG("type match") 425 | if (pT->pValue == NULL_PTR || pA->pValue == NULL_PTR) { 426 | if (pT->pValue == pA->pValue) { // ok. both null pointers 427 | found = 1; 428 | SDEBUG("both null ptr. ok?"); 429 | break; 430 | } 431 | SDEBUG("null ptr? -> no match"); 432 | return 0; 433 | } 434 | if (pT->type == CKA_TOKEN || pT->type == CKA_ID) { // compare by 1-byte value 435 | if (*(CK_BBOOL*)pT->pValue == *(CK_BBOOL*)pA->pValue) { // comparison works only on little-endian. 436 | found = 1; 437 | SDEBUG("found match"); 438 | break; 439 | } 440 | } else { // compare memory 441 | if (pT->ulValueLen != pA->ulValueLen) { 442 | SDEBUG("value length mismatch"); 443 | return 0; 444 | } 445 | if (memcmp(pT->pValue, pA->pValue, pT->ulValueLen) == 0) { 446 | found = 1; 447 | SDEBUG("found match"); 448 | break; 449 | } 450 | } 451 | SDEBUG("no match"); 452 | return 0; 453 | } 454 | } 455 | if (found == 0) { 456 | SDEBUG("attr not found"); 457 | return 0; 458 | } 459 | } 460 | return 1; 461 | } 462 | 463 | CK_ATTRIBUTE_PTR sec_al_get_attr(CK_ATTRIBUTE_TYPE type, struct sec_ck_alist al) 464 | { 465 | if (al.p == NULL) 466 | return NULL; 467 | for (CK_ULONG i = 0; i < al.cnt; i++) { 468 | if (al.p[i].type == type) { 469 | return &al.p[i]; 470 | } 471 | } 472 | return NULL; 473 | } 474 | -------------------------------------------------------------------------------- /sec.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _FOO_H_ 3 | #define _FOO_H_ 4 | 5 | /* ---- */ 6 | 7 | #include 8 | #include 9 | // #include 10 | 11 | #include 12 | 13 | 14 | /* ---- PKCS11 includes */ 15 | #define CK_PTR * 16 | #define CK_DEFINE_FUNCTION(returnType, name) \ 17 | returnType name 18 | #define CK_DECLARE_FUNCTION(returnType, name) \ 19 | returnType name 20 | #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ 21 | returnType (* name) 22 | #define CK_CALLBACK_FUNCTION(returnType, name) \ 23 | returnType (* name) 24 | #ifndef NULL_PTR 25 | #define NULL_PTR 0 26 | #endif 27 | 28 | #include "pkcs11.h" 29 | 30 | 31 | /* ---- INTERNAL STATE & STRUCTS*/ 32 | #define SEC_MAX_SESSION_COUNT 1 /* do not change this! only one session is supported */ 33 | #define SEC_CERT_MAXLEN 16384 34 | #define SEC_KEY_MAXLEN 4096 35 | #define SEC_FIND_MAXRESULTS 10 36 | 37 | #define SEC_OH_PRIV1 21 38 | #define SEC_OH_PRIV2 22 39 | #define SEC_OH_PRIV3 23 40 | #define SEC_OH_PUB1 31 41 | #define SEC_OH_PUB2 32 42 | #define SEC_OH_PUB3 33 43 | #define SEC_OH_CERT1 41 44 | #define SEC_OH_CERT2 42 45 | #define SEC_OH_CERT3 43 46 | 47 | #define SEC_KEY1 0 48 | #define SEC_KEY2 1 49 | #define SEC_KEY3 2 50 | 51 | struct sec_ck_alist { 52 | CK_ATTRIBUTE_PTR p; 53 | CK_ULONG cnt; 54 | }; 55 | 56 | struct sec_token_info { 57 | unsigned char serialno[64]; 58 | unsigned char key_fpr[3][41]; 59 | // unsigned int max_certlen_3:16; 60 | unsigned char cert[3][SEC_CERT_MAXLEN]; 61 | size_t certlen[3]; 62 | unsigned char pubkey[3][SEC_KEY_MAXLEN]; 63 | size_t pubkeylen[3]; 64 | struct sec_ck_alist alPriv[3]; 65 | struct sec_ck_alist alPub[3]; 66 | struct sec_ck_alist alCert[3]; 67 | }; 68 | 69 | struct sec_find_object { 70 | struct sec_ck_alist template; 71 | CK_OBJECT_HANDLE phResult[SEC_FIND_MAXRESULTS]; 72 | CK_ULONG ulResultCount; 73 | }; 74 | 75 | struct sec_sign { 76 | CK_BBOOL inprogress; 77 | }; 78 | 79 | 80 | struct sec_internal { 81 | assuan_context_t ctx; 82 | int session_count; 83 | struct sec_token_info *token; 84 | struct sec_find_object find; 85 | struct sec_sign sign; 86 | }; 87 | 88 | #define g_state sec_g_state 89 | extern struct sec_internal g_state; 90 | 91 | 92 | 93 | /* ---- FUNCTIONS */ 94 | #define sec_free(p) { if (p != NULL) { free(p); p = NULL; } } 95 | 96 | gpg_error_t sec_learn_token(assuan_context_t ctx); 97 | void sec_free_token(); 98 | int sec_al_match(struct sec_ck_alist template, struct sec_ck_alist al); 99 | CK_ATTRIBUTE_PTR sec_al_get_attr(CK_ATTRIBUTE_TYPE type, struct sec_ck_alist al); 100 | 101 | #endif // _FOO_H_ 102 | --------------------------------------------------------------------------------