/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #ifndef _LIBELFSIGN_H #define _LIBELFSIGN_H #ifdef __cplusplus extern "C" { #endif /* * libelfsign Private Interfaces * This Header file should not be shipped as part of Solaris binary or * source products. */ #include #include #include #include #include #include /* * Certificate-related definitions */ #define ELFSIGN_CRYPTO "Solaris Cryptographic Framework" #define USAGELIMITED "OU=UsageLimited" #define ESA ".esa" #define ESA_LEN sizeof (".esa") typedef enum ELFCert_VStatus_e { E_UNCHECKED, E_OK, E_IS_TA, E_FAILED } ELFCert_VStatus_t; typedef struct ELFCert_s { ELFCert_VStatus_t c_verified; char *c_subject; char *c_issuer; KMF_X509_DER_CERT c_cert; KMF_KEY_HANDLE c_privatekey; } *ELFCert_t; #define CRYPTO_CERTS_DIR "/etc/crypto/certs" #define ETC_CERTS_DIR "/etc/certs" /* * libelfsign actions */ enum ES_ACTION { ES_GET, ES_GET_CRYPTO, ES_GET_FIPS140, ES_UPDATE, ES_UPDATE_RSA_MD5_SHA1, ES_UPDATE_RSA_SHA1 }; #define ES_ACTISUPDATE(a) ((a) >= ES_UPDATE) /* * Context for elfsign operation */ struct ELFsign_s { Elf *es_elf; char *es_pathname; char *es_certpath; int es_fd; size_t es_shstrndx; enum ES_ACTION es_action; KMF_KEY_HANDLE es_privatekey; filesig_vers_t es_version; boolean_t es_same_endian; boolean_t es_has_phdr; char es_ei_class; struct flock es_flock; KMF_HANDLE_T es_kmfhandle; void *es_callbackctx; void (*es_sigvercallback)(void *, void *, size_t, ELFCert_t); void (*es_certCAcallback)(void *, ELFCert_t, char *); void (*es_certvercallback)(void *, ELFCert_t, ELFCert_t); }; #define ES_FMT_RSA_MD5_SHA1 "rsa_md5_sha1" #define ES_FMT_RSA_SHA1 "rsa_sha1" /* * ELF signature handling */ typedef struct ELFsign_s *ELFsign_t; struct ELFsign_sig_info { char *esi_format; char *esi_signer; time_t esi_time; }; extern struct filesignatures *elfsign_insert_dso(ELFsign_t ess, struct filesignatures *fsp, const char *dn, int dn_len, const uchar_t *sig, int sig_len, const char *oid, int oid_len); extern filesig_vers_t elfsign_extract_sig(ELFsign_t ess, struct filesignatures *fsp, uchar_t *sig, size_t *sig_len); extern ELFsign_status_t elfsign_begin(const char *, enum ES_ACTION, ELFsign_t *); extern void elfsign_end(ELFsign_t ess); extern ELFsign_status_t elfsign_setcertpath(ELFsign_t ess, const char *path); extern ELFsign_status_t elfsign_verify_signature(ELFsign_t ess, struct ELFsign_sig_info **esipp); extern ELFsign_status_t elfsign_hash(ELFsign_t ess, uchar_t *hash, size_t *hash_len); extern ELFsign_status_t elfsign_hash_mem_resident(ELFsign_t ess, uchar_t *hash, size_t *hash_len); extern ELFsign_status_t elfsign_hash_esa(ELFsign_t ess, uchar_t *esa_buf, size_t esa_buf_len, uchar_t **hash, size_t *hash_len); extern void elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp, enum ES_ACTION action); extern void elfsign_setcallbackctx(ELFsign_t ess, void *ctx); extern void elfsign_setsigvercallback(ELFsign_t ess, void (*cb)(void *, void *, size_t, ELFCert_t)); extern ELFsign_status_t elfsign_signatures(ELFsign_t ess, struct filesignatures **fspp, size_t *fs_len, enum ES_ACTION action); extern char const *elfsign_strerror(ELFsign_status_t); extern boolean_t elfsign_sig_info(struct filesignatures *fssp, struct ELFsign_sig_info **esipp); extern void elfsign_sig_info_free(struct ELFsign_sig_info *); /* * ELF "Certificate Library" */ extern const char _PATH_ELFSIGN_CERTS[]; #define ELFCERT_MAX_DN_LEN 255 extern boolean_t elfcertlib_init(ELFsign_t); extern void elfcertlib_fini(ELFsign_t); extern boolean_t elfcertlib_settoken(ELFsign_t, char *); extern void elfcertlib_setcertCAcallback(ELFsign_t ess, void (*cb)(void *, ELFCert_t, char *)); extern void elfcertlib_setcertvercallback(ELFsign_t ess, void (*cb)(void *, ELFCert_t, ELFCert_t)); extern boolean_t elfcertlib_getcert(ELFsign_t ess, char *cert_pathname, char *signer_DN, ELFCert_t *certp, enum ES_ACTION action); extern void elfcertlib_releasecert(ELFsign_t, ELFCert_t); extern char *elfcertlib_getdn(ELFCert_t cert); extern char *elfcertlib_getissuer(ELFCert_t cert); extern boolean_t elfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert, const char *path); extern boolean_t elfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert, const char *token_id, const char *pin); extern boolean_t elfcertlib_sign(ELFsign_t ess, ELFCert_t cert, const uchar_t *data, size_t data_len, uchar_t *sig, size_t *sig_len); extern boolean_t elfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert); extern boolean_t elfcertlib_verifysig(ELFsign_t ess, ELFCert_t cert, const uchar_t *sig, size_t sig_len, const uchar_t *data, size_t data_len); #ifdef __cplusplus } #endif #endif /* _LIBELFSIGN_H */