17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*c197cb9dShylee * Common Development and Distribution License (the "License"). 6*c197cb9dShylee * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* 22*c197cb9dShylee * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 237c478bd9Sstevel@tonic-gate * Use is subject to license terms. 
247c478bd9Sstevel@tonic-gate */ 257c478bd9Sstevel@tonic-gate 267c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 277c478bd9Sstevel@tonic-gate 287c478bd9Sstevel@tonic-gate /* 297c478bd9Sstevel@tonic-gate * digest.c 307c478bd9Sstevel@tonic-gate * 317c478bd9Sstevel@tonic-gate * Implements digest(1) and mac(1) commands 327c478bd9Sstevel@tonic-gate * If command name is mac, performs mac operation 337c478bd9Sstevel@tonic-gate * else perform digest operation 347c478bd9Sstevel@tonic-gate * 357c478bd9Sstevel@tonic-gate * See the man pages for digest and mac for details on 367c478bd9Sstevel@tonic-gate * how these commands work. 377c478bd9Sstevel@tonic-gate */ 387c478bd9Sstevel@tonic-gate 397c478bd9Sstevel@tonic-gate #include <stdio.h> 407c478bd9Sstevel@tonic-gate #include <stdlib.h> 417c478bd9Sstevel@tonic-gate #include <unistd.h> 427c478bd9Sstevel@tonic-gate #include <fcntl.h> 437c478bd9Sstevel@tonic-gate #include <ctype.h> 447c478bd9Sstevel@tonic-gate #include <strings.h> 457c478bd9Sstevel@tonic-gate #include <libintl.h> 467c478bd9Sstevel@tonic-gate #include <libgen.h> 477c478bd9Sstevel@tonic-gate #include <locale.h> 487c478bd9Sstevel@tonic-gate #include <errno.h> 497c478bd9Sstevel@tonic-gate #include <sys/types.h> 507c478bd9Sstevel@tonic-gate #include <sys/stat.h> 517c478bd9Sstevel@tonic-gate #include <security/cryptoki.h> 527c478bd9Sstevel@tonic-gate #include <limits.h> 537c478bd9Sstevel@tonic-gate #include <cryptoutil.h> 54*c197cb9dShylee #include <kmfapi.h> 557c478bd9Sstevel@tonic-gate 567c478bd9Sstevel@tonic-gate #define BUFFERSIZE (4096) /* Buffer size for reading file */ 577c478bd9Sstevel@tonic-gate 587c478bd9Sstevel@tonic-gate /* 597c478bd9Sstevel@tonic-gate * RESULTLEN - large enough size in bytes to hold result for 607c478bd9Sstevel@tonic-gate * digest and mac results for all mechanisms 617c478bd9Sstevel@tonic-gate */ 627c478bd9Sstevel@tonic-gate #define RESULTLEN (512) 637c478bd9Sstevel@tonic-gate 647c478bd9Sstevel@tonic-gate /* 
657c478bd9Sstevel@tonic-gate * Default parameters for PBKDF2 algorithm 667c478bd9Sstevel@tonic-gate */ 677c478bd9Sstevel@tonic-gate #define PBKD2_ITERATIONS (1000) 687c478bd9Sstevel@tonic-gate #define PBKD2_SALT_SIZE 16 697c478bd9Sstevel@tonic-gate 707c478bd9Sstevel@tonic-gate /* 717c478bd9Sstevel@tonic-gate * Exit Status codes 727c478bd9Sstevel@tonic-gate */ 737c478bd9Sstevel@tonic-gate #ifndef EXIT_SUCCESS 747c478bd9Sstevel@tonic-gate #define EXIT_SUCCESS 0 /* No errors */ 757c478bd9Sstevel@tonic-gate #define EXIT_FAILURE 1 /* All errors except usage */ 767c478bd9Sstevel@tonic-gate #endif /* EXIT_SUCCESS */ 777c478bd9Sstevel@tonic-gate 787c478bd9Sstevel@tonic-gate #define EXIT_USAGE 2 /* usage/syntax error */ 797c478bd9Sstevel@tonic-gate 807c478bd9Sstevel@tonic-gate #define MAC_NAME "mac" /* name of mac command */ 81*c197cb9dShylee #define MAC_OPTIONS "lva:k:T:K:" /* for getopt */ 827c478bd9Sstevel@tonic-gate #define DIGEST_NAME "digest" /* name of mac command */ 837c478bd9Sstevel@tonic-gate #define DIGEST_OPTIONS "lva:" /* for getopt */ 84*c197cb9dShylee #define DEFAULT_TOKEN_PROMPT "Enter PIN for %s: " 85*c197cb9dShylee #define PK_DEFAULT_PK11TOKEN SOFT_TOKEN_LABEL 867c478bd9Sstevel@tonic-gate 877c478bd9Sstevel@tonic-gate static boolean_t vflag = B_FALSE; /* -v (verbose) flag, optional */ 887c478bd9Sstevel@tonic-gate static boolean_t aflag = B_FALSE; /* -a <algorithm> flag, required */ 897c478bd9Sstevel@tonic-gate static boolean_t lflag = B_FALSE; /* -l flag, for mac and digest */ 90*c197cb9dShylee static boolean_t kflag = B_FALSE; 91*c197cb9dShylee static boolean_t Tflag = B_FALSE; 92*c197cb9dShylee static boolean_t Kflag = B_FALSE; 937c478bd9Sstevel@tonic-gate 947c478bd9Sstevel@tonic-gate static char *keyfile = NULL; /* name of keyfile */ 95*c197cb9dShylee static char *token_label = NULL; 96*c197cb9dShylee static char *key_label = NULL; 97*c197cb9dShylee 987c478bd9Sstevel@tonic-gate static CK_BYTE buf[BUFFERSIZE]; 997c478bd9Sstevel@tonic-gate 
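struct mech_alias {
	CK_MECHANISM_TYPE type;		/* PKCS#11 mechanism this alias names */
	char *alias;			/* name accepted by -a and printed by -l */
	CK_ULONG keysize_min;		/* smallest key size a slot reported */
	CK_ULONG keysize_max;		/* largest key size a slot reported */
	int keysize_unit;		/* multiplier turning keysize_* into bits */
	boolean_t available;		/* set once a slot reports the mechanism */
};

/*
 * Digest and MAC mechanisms known to the two commands.  keysize_min starts
 * at ULONG_MAX and keysize_max at 0 so that the first provider that reports
 * a real range (the -l probe in execute_cmd()) replaces both values.
 *
 * md5, sha1 and des_mac stay listed so existing outputs remain reproducible;
 * for new uses prefer the sha256/sha384/sha512 entries.
 */
static struct mech_alias mech_aliases[] = {
	{ CKM_SHA_1, "sha1", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_MD5, "md5", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_DES_MAC, "des_mac", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA_1_HMAC, "sha1_hmac", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_MD5_HMAC, "md5_hmac", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA256, "sha256", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA384, "sha384", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA512, "sha512", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA256_HMAC, "sha256_hmac", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA384_HMAC, "sha384_hmac", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA512_HMAC, "sha512_hmac", ULONG_MAX, 0L, 8, B_FALSE }
};

/*
 * Number of entries in mech_aliases.  Derived from the table instead of a
 * hand-maintained literal: a stale count silently hides the trailing
 * entries from both the -l listing and the -a lookup.  Cast to int because
 * every loop index that is compared against it is an int.
 */
#define	MECH_ALIASES_COUNT \
	((int)(sizeof (mech_aliases) / sizeof (mech_aliases[0])))

static CK_BBOOL true = TRUE;

static void usage(boolean_t mac_cmd);
static int execute_cmd(char *algo_str, int filecount,
    char **filelist, boolean_t mac_cmd);
static CK_RV do_mac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pmech,
    int fd, CK_OBJECT_HANDLE key, CK_BYTE_PTR *psignature,
    CK_ULONG_PTR psignaturelen);
static CK_RV do_digest(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pmech,
    int fd, CK_BYTE_PTR *pdigest, CK_ULONG_PTR pdigestlen);
static int getkey(char *filename, CK_BYTE_PTR *pkeydata);
/*
 * NOTE(review): psize is a CK_ULONG_PTR, but the call in execute_cmd()
 * passes (CK_ULONG *)&keylen with keylen declared as an int.  Wherever
 * CK_ULONG is wider than int (LP64 builds) that store overruns keylen into
 * the neighbouring stack slot; confirm and widen keylen to CK_ULONG, or
 * pass a CK_ULONG temporary and assign it afterwards.
 */
static int getpasswd(char *token_spec, CK_BYTE_PTR *pdata, CK_ULONG_PTR psize);

/*
 * Entry point shared by digest(1) and mac(1).
 *
 * The command is chosen from basename(argv[0]): "mac" performs a MAC,
 * "digest" a digest, anything else is a usage error.  Options are parsed
 * into the file-scope flags (vflag, aflag, lflag, kflag, Tflag, Kflag,
 * keyfile, token_label, key_label); the operands left after the options are
 * the file list handed to execute_cmd(), NULL meaning "read stdin".
 *
 * Exits with EXIT_USAGE on an unknown command name or an invalid option
 * combination, otherwise returns execute_cmd()'s exit status.
 */
int
main(int argc, char **argv)
{
	extern char *optarg;
	extern int optind;
	int errflag = 0;	/* set on the first getopt() parse error */
	/*
	 * getopt() returns an int and signals the end of the options with
	 * -1.  Storing it in a char only works where char is signed; with an
	 * unsigned char the comparison below never succeeds and the loop
	 * never terminates.
	 */
	int c;
	char *algo_str = NULL;	/* -a <algorithm>; only read when aflag is set */
	int filecount;		/* number of file operands after the options */
	boolean_t mac_cmd;	/* B_TRUE for mac(1), B_FALSE for digest(1) */
	char *optstr;		/* getopt() option string for the command */
	char **filelist;	/* file operands, or NULL for stdin */
	char *cmdname = NULL;	/* basename of argv[0] */

	(void) setlocale(LC_ALL, "");
#if !defined(TEXT_DOMAIN)	/* Should be defined by cc -D */
#define	TEXT_DOMAIN "SYS_TEST"	/* Use this only if it weren't */
#endif
	(void) textdomain(TEXT_DOMAIN);

	/*
	 * Based on command name, determine the type of command:
	 * "mac" is mac, "digest" is digest, everything else is rejected.
	 */
	cmdname = basename(argv[0]);

	cryptodebug_init(cmdname);

	if (strcmp(cmdname, MAC_NAME) == 0) {
		mac_cmd = B_TRUE;
		optstr = MAC_OPTIONS;
	} else if (strcmp(cmdname, DIGEST_NAME) == 0) {
		mac_cmd = B_FALSE;
		optstr = DIGEST_OPTIONS;
	} else {
		cryptoerror(LOG_STDERR, gettext(
		    "command name must be either digest or mac\n"));
		exit(EXIT_USAGE);
	}

	/* Parse command line arguments */
	while (!errflag && (c = getopt(argc, argv, optstr)) != -1) {
		switch (c) {
		case 'v':
			vflag = B_TRUE;
			break;
		case 'a':
			aflag = B_TRUE;
			algo_str = optarg;
			break;
		case 'k':
			kflag = B_TRUE;
			keyfile = optarg;
			break;
		case 'l':
			lflag = B_TRUE;
			break;
		case 'T':
			Tflag = B_TRUE;
			token_label = optarg;
			break;
		case 'K':
			Kflag = B_TRUE;
			key_label = optarg;
			break;
		default:
			errflag++;
		}
	}

	/*
	 * Reject: a parse error; neither -a nor -l; -l combined with any
	 * other argument; -k together with -K (two key sources); -T without
	 * -K (a token but no key label to look up in it).
	 */
	filecount = argc - optind;
	if (errflag || (!aflag && !lflag) || (lflag && argc > 2) ||
	    (kflag && Kflag) || (Tflag && !Kflag) || filecount < 0) {
		usage(mac_cmd);
		exit(EXIT_USAGE);
	}

	filelist = (filecount == 0) ? NULL : &argv[optind];

	return (execute_cmd(algo_str, filecount, filelist, mac_cmd));
}

/*
 * Print the usage synopsis of the selected command to stderr.
 * mac_cmd - B_TRUE prints the mac(1) forms, B_FALSE the digest(1) form.
 */
static void
usage(boolean_t mac_cmd)
{
	(void) fprintf(stderr, gettext("Usage:\n"));
	if (mac_cmd) {
		(void) fprintf(stderr, gettext(" mac -l\n"));
		(void) fprintf(stderr, gettext(" mac [-v] -a <algorithm> "
		    "[-k <keyfile> | -K <keylabel> [-T <tokenspec>]] "
		    "[file...]\n"));
	} else {
		(void) fprintf(stderr, gettext(" digest -l | [-v] "
		    "-a <algorithm> [file...]\n"));
	}
}

/*
 * Print out list of available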
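algorithms.
 *
 * Walks mech_aliases and prints every entry whose "available" flag was set
 * by the -l probe in execute_cmd().
 *
 * mac_cmd - B_TRUE: mac(1) layout, a header followed by each alias and its
 *           min/max key size in bits (keysize_* times keysize_unit); the
 *           sizes are left out when no provider reported a range (min is
 *           still ULONG_MAX or max is still 0).
 *           B_FALSE: digest(1) layout, one alias per line.
 */
static void
algorithm_list(boolean_t mac_cmd)
{
	int idx;

	if (mac_cmd)
		(void) printf(gettext("Algorithm Keysize: Min "
		    "Max (bits)\n"
		    "------------------------------------------\n"));

	for (idx = 0; idx < MECH_ALIASES_COUNT; idx++) {
		const struct mech_alias *ma = &mech_aliases[idx];

		if (ma->available == B_FALSE)
			continue;

		if (!mac_cmd) {
			(void) printf("%s\n", ma->alias);
			continue;
		}

		(void) printf("%-15s", ma->alias);

		/* Sentinel values mean no slot reported a key size range */
		if (ma->keysize_min == ULONG_MAX || ma->keysize_max == 0) {
			(void) printf("\n");
			continue;
		}

		(void) printf(" %5lu %5lu\n",
		    (ma->keysize_min * ma->keysize_unit),
		    (ma->keysize_max * ma->keysize_unit));
	}
}

/*
 * Derive a MAC key from a passphrase with PKCS#5 PBKDF2 (CKM_PKCS5_PBKD2)
 * and create it as a session secret-key object that can be used with
 * C_Sign (CKA_SIGN is set).
 *
 * hSession           - open PKCS#11 session on the chosen slot
 * pSaltData, saltLen - caller-supplied salt (CKZ_SALT_SPECIFIED); it is used
 *                      verbatim, this function neither generates nor stores it
 * iterations         - PBKDF2 iteration count (execute_cmd() initialises its
 *                      copy to PBKD2_ITERATIONS)
 * pkeydata           - the passphrase bytes
 * keytype            - CKA_KEY_TYPE of the derived key
 * passwd_size        - length of pkeydata in bytes
 * keylen             - CKA_VALUE_LEN of the derived key; 0 omits the
 *                      attribute entirely
 * hKey               - receives the new key handle on CKR_OK
 *
 * Returns the C_GenerateKey() result unchanged.
 *
 * Reviewer notes:
 *  - The PRF is fixed to CKP_PKCS5_PBKD2_HMAC_SHA1.  PRF, salt and iteration
 *    count all feed the derived key, so a MAC produced with one setting will
 *    not verify against another; treat them as part of the wire format.
 *  - CK_PKCS5_PBKD2_PARAMS.ulPasswordLen is a CK_ULONG_PTR in this PKCS#11
 *    revision, hence the address of the by-value passwd_size parameter.
 *    params only lives until C_GenerateKey() returns, so that is safe here.
 */
static CK_RV
generate_pkcs5_key(CK_SESSION_HANDLE hSession,
		CK_BYTE_PTR	pSaltData,
		CK_ULONG	saltLen,
		CK_ULONG	iterations,
		CK_BYTE_PTR	pkeydata,	/* user entered passphrase */
		CK_KEY_TYPE	keytype,
		CK_ULONG	passwd_size,
		CK_ULONG	keylen,	/* desired length of generated key */
		CK_OBJECT_HANDLE *hKey)
{
	CK_RV rv;
	CK_PKCS5_PBKD2_PARAMS params;
	CK_MECHANISM mechanism;
	CK_OBJECT_CLASS class = CKO_SECRET_KEY;
	CK_ATTRIBUTE tmpl[4];
	int attrs = 0;

	tmpl[attrs].type = CKA_CLASS;
	tmpl[attrs].pValue = &class;
	tmpl[attrs].ulValueLen = sizeof (class);
	attrs++;

	tmpl[attrs].type = CKA_KEY_TYPE;
	tmpl[attrs].pValue = &keytype;
	tmpl[attrs].ulValueLen = sizeof (keytype);
	attrs++;

	tmpl[attrs].type = CKA_SIGN;
	tmpl[attrs].pValue = &true;
	tmpl[attrs].ulValueLen = sizeof (CK_BBOOL);
	attrs++;

	/* Only constrain the output length when the caller asked for one */
	if (keylen > 0) {
		tmpl[attrs].type = CKA_VALUE_LEN;
		tmpl[attrs].pValue = &keylen;
		tmpl[attrs].ulValueLen = sizeof (keylen);
		attrs++;
	}

	params.saltSource = CKZ_SALT_SPECIFIED;
	params.pSaltSourceData = (void *)pSaltData;
	params.ulSaltSourceDataLen = saltLen;
	params.iterations = iterations;
	params.prf = CKP_PKCS5_PBKD2_HMAC_SHA1;
	params.pPrfData = NULL;
	params.ulPrfDataLen = 0;
	params.pPassword = (CK_UTF8CHAR_PTR)pkeydata;
	params.ulPasswordLen = &passwd_size;

	mechanism.mechanism = CKM_PKCS5_PBKD2;
	mechanism.pParameter = &params;
	mechanism.ulParameterLen = sizeof (params);

	rv = C_GenerateKey(hSession, &mechanism, tmpl,
	    attrs, hKey);

	return (rv);
}


/*
 * Log in to the token behind hSession and look up the secret key object
 * named by keylabel (the -K option).
 *
 * hSession     - session on the slot the token lookup resolved
 * keytype      - CKA_KEY_TYPE the object must have
 * keylabel     - CKA_LABEL to match (strlen() bytes, no terminating NUL)
 * password     - user PIN handed to C_Login() as CKU_USER
 * password_len - PIN length in bytes
 * keyobj       - receives the handle of the first matching object
 *
 * Returns 0 with *keyobj set; -1 on a bad argument, login failure, search
 * failure or when nothing matches (a message is printed to stderr).
 *
 * Only token-resident (CKA_TOKEN) private (CKA_PRIVATE) secret-key objects
 * are searched, which is why the login must come first.  C_FindObjects() is
 * asked for at most one handle: if several keys share the label, the first
 * one the token returns is used silently.  The session stays logged in on
 * return, on success and on failure alike; the caller owns the session and
 * the PIN buffer and is expected to clean both up.
 */
static int
get_token_key(CK_SESSION_HANDLE hSession, CK_KEY_TYPE keytype,
    char *keylabel, CK_BYTE *password, int password_len,
    CK_OBJECT_HANDLE *keyobj)
{
	CK_RV rv;
	CK_ATTRIBUTE pTmpl[5];
	CK_OBJECT_CLASS class = CKO_SECRET_KEY;
	CK_BBOOL is_private = 1;
	CK_BBOOL is_token = 1;
	CK_ULONG key_obj_count = 1;
	CK_KEY_TYPE ckKeyType = keytype;
	int i = 0;

	/*
	 * strlen(NULL) below is undefined, and a negative length would be
	 * converted into a huge CK_ULONG by C_Login(); refuse both up front
	 * rather than hand them to the provider.
	 */
	if (keylabel == NULL || keyobj == NULL || password_len < 0) {
		(void) fprintf(stderr,
		    gettext("Cannot retrieve key object. error = %s\n"),
		    pkcs11_strerror(CKR_ARGUMENTS_BAD));
		return (-1);
	}

	rv = C_Login(hSession, CKU_USER, (CK_UTF8CHAR_PTR)password,
	    (CK_ULONG)password_len);
	if (rv != CKR_OK) {
		(void) fprintf(stderr, gettext("Cannot login to the token."
		    " error = %s\n"), pkcs11_strerror(rv));
		return (-1);
	}

	pTmpl[i].type = CKA_TOKEN;
	pTmpl[i].pValue = &is_token;
	pTmpl[i].ulValueLen = sizeof (is_token);
	i++;

	pTmpl[i].type = CKA_CLASS;
	pTmpl[i].pValue = &class;
	pTmpl[i].ulValueLen = sizeof (class);
	i++;

	pTmpl[i].type = CKA_LABEL;
	pTmpl[i].pValue = keylabel;
	pTmpl[i].ulValueLen = strlen(keylabel);
	i++;

	pTmpl[i].type = CKA_KEY_TYPE;
	pTmpl[i].pValue = &ckKeyType;
	pTmpl[i].ulValueLen = sizeof (ckKeyType);
	i++;

	pTmpl[i].type = CKA_PRIVATE;
	pTmpl[i].pValue = &is_private;
	pTmpl[i].ulValueLen = sizeof (is_private);
	i++;

	rv = C_FindObjectsInit(hSession, pTmpl, i);
	if (rv == CKR_OK) {
		rv = C_FindObjects(hSession, keyobj, 1, &key_obj_count);
		(void) C_FindObjectsFinal(hSession);
	}

	if (rv != CKR_OK) {
		(void) fprintf(stderr,
		    gettext("Cannot retrieve key object. error = %s\n"),
		    pkcs11_strerror(rv));
		return (-1);
	}

	if (key_obj_count == 0) {
		(void) fprintf(stderr,
		    gettext("Cannot find the key object.\n"));
		return (-1);
	}

	return (0);
}


/*
 * Execute the command.
 * algo_str - name of algorithm
 * filecount - no. of files to process, if 0, use stdin
 * filelist - list of files
 * mac_cmd - if true do mac else do digest
 */
static int
execute_cmd(char *algo_str, int filecount, char **filelist, boolean_t mac_cmd)
{
	int fd;
	char *filename = NULL;
	CK_RV rv;
	CK_ULONG slotcount;
	CK_SLOT_ID slotID;
	CK_SLOT_ID_PTR pSlotList = NULL;
	CK_MECHANISM_TYPE mech_type;
	CK_MECHANISM_INFO info;
	CK_MECHANISM mech;
	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
	CK_BYTE_PTR resultbuf = NULL;
	CK_ULONG resultlen;
	CK_BYTE_PTR pkeydata = NULL;
	CK_OBJECT_HANDLE key = (CK_OBJECT_HANDLE) 0;
	/*
	 * key length.  NOTE(review): the -K path below writes this through
	 * (CK_ULONG *)&keylen; where CK_ULONG is wider than int (LP64) that
	 * store overruns the variable.  Confirm, then widen to CK_ULONG or
	 * pass a CK_ULONG temporary.
	 */
	int keylen = 0;
	char *resultstr = NULL;	/* result in hex string */
	int resultstrlen;	/* result string length */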
4487c478bd9Sstevel@tonic-gate int i; 4497c478bd9Sstevel@tonic-gate int exitcode = EXIT_SUCCESS; /* return code */ 4507c478bd9Sstevel@tonic-gate int slot, mek; /* index variables */ 4517c478bd9Sstevel@tonic-gate int mech_match = 0; 4527c478bd9Sstevel@tonic-gate CK_BYTE salt[PBKD2_SALT_SIZE]; 4537c478bd9Sstevel@tonic-gate CK_ULONG keysize; 4547c478bd9Sstevel@tonic-gate CK_ULONG iterations = PBKD2_ITERATIONS; 455*c197cb9dShylee CK_KEY_TYPE keytype; 456*c197cb9dShylee KMF_RETURN kmfrv; 457*c197cb9dShylee CK_SLOT_ID token_slot_id; 4587c478bd9Sstevel@tonic-gate 4597c478bd9Sstevel@tonic-gate if (aflag) { 4607c478bd9Sstevel@tonic-gate /* 4617c478bd9Sstevel@tonic-gate * Determine if algorithm/mechanism is valid 4627c478bd9Sstevel@tonic-gate */ 4637c478bd9Sstevel@tonic-gate for (mech_match = 0; mech_match < MECH_ALIASES_COUNT; 4647c478bd9Sstevel@tonic-gate mech_match++) { 4657c478bd9Sstevel@tonic-gate if (strcmp(algo_str, 4667c478bd9Sstevel@tonic-gate mech_aliases[mech_match].alias) == 0) { 4677c478bd9Sstevel@tonic-gate mech_type = mech_aliases[mech_match].type; 4687c478bd9Sstevel@tonic-gate break; 4697c478bd9Sstevel@tonic-gate } 4707c478bd9Sstevel@tonic-gate 4717c478bd9Sstevel@tonic-gate } 4727c478bd9Sstevel@tonic-gate 4737c478bd9Sstevel@tonic-gate if (mech_match == MECH_ALIASES_COUNT) { 4747c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, 4757c478bd9Sstevel@tonic-gate gettext("unknown algorithm -- %s"), algo_str); 4767c478bd9Sstevel@tonic-gate return (EXIT_FAILURE); 4777c478bd9Sstevel@tonic-gate } 4787c478bd9Sstevel@tonic-gate 4797c478bd9Sstevel@tonic-gate /* Get key to do a MAC operation */ 4807c478bd9Sstevel@tonic-gate if (mac_cmd) { 481*c197cb9dShylee if (Kflag) { 482*c197cb9dShylee int status; 483*c197cb9dShylee 484*c197cb9dShylee if (token_label == NULL || 485*c197cb9dShylee !strlen(token_label)) { 486*c197cb9dShylee token_label = PK_DEFAULT_PK11TOKEN; 487*c197cb9dShylee } 488*c197cb9dShylee 489*c197cb9dShylee status = getpasswd(token_label, &pkeydata, 
490*c197cb9dShylee (CK_ULONG *)&keylen); 491*c197cb9dShylee if (status == -1) { 492*c197cb9dShylee cryptoerror(LOG_STDERR, 493*c197cb9dShylee gettext("invalid passphrase.")); 494*c197cb9dShylee return (EXIT_FAILURE); 495*c197cb9dShylee } 496*c197cb9dShylee 497*c197cb9dShylee } else { 4987c478bd9Sstevel@tonic-gate keylen = getkey(keyfile, &pkeydata); 4997c478bd9Sstevel@tonic-gate if (keylen <= 0 || pkeydata == NULL) { 5007c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, 5017c478bd9Sstevel@tonic-gate gettext("invalid key.")); 5027c478bd9Sstevel@tonic-gate return (EXIT_FAILURE); 5037c478bd9Sstevel@tonic-gate } 5047c478bd9Sstevel@tonic-gate } 5057c478bd9Sstevel@tonic-gate } 506*c197cb9dShylee } 5077c478bd9Sstevel@tonic-gate 5087c478bd9Sstevel@tonic-gate /* Initialize, and get list of slots */ 509*c197cb9dShylee rv = C_Initialize(NULL); 510*c197cb9dShylee if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) { 5117c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, 5127c478bd9Sstevel@tonic-gate gettext("failed to initialize PKCS #11 framework: %s"), 5137c478bd9Sstevel@tonic-gate pkcs11_strerror(rv)); 5147c478bd9Sstevel@tonic-gate return (EXIT_FAILURE); 5157c478bd9Sstevel@tonic-gate } 5167c478bd9Sstevel@tonic-gate 5177c478bd9Sstevel@tonic-gate /* Get slot count */ 5187c478bd9Sstevel@tonic-gate rv = C_GetSlotList(0, NULL_PTR, &slotcount); 5197c478bd9Sstevel@tonic-gate if (rv != CKR_OK || slotcount == 0) { 5207c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 5217c478bd9Sstevel@tonic-gate "failed to find any cryptographic provider," 5227c478bd9Sstevel@tonic-gate "please check with your system administrator: %s"), 5237c478bd9Sstevel@tonic-gate pkcs11_strerror(rv)); 5247c478bd9Sstevel@tonic-gate exitcode = EXIT_FAILURE; 5257c478bd9Sstevel@tonic-gate goto cleanup; 5267c478bd9Sstevel@tonic-gate } 5277c478bd9Sstevel@tonic-gate 5287c478bd9Sstevel@tonic-gate /* Found at least one slot, allocate memory for slot list */ 5297c478bd9Sstevel@tonic-gate pSlotList = 
malloc(slotcount * sizeof (CK_SLOT_ID)); 5307c478bd9Sstevel@tonic-gate if (pSlotList == NULL_PTR) { 5317c478bd9Sstevel@tonic-gate int err = errno; 5327c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s\n"), 5337c478bd9Sstevel@tonic-gate strerror(err)); 5347c478bd9Sstevel@tonic-gate exitcode = EXIT_FAILURE; 5357c478bd9Sstevel@tonic-gate goto cleanup; 5367c478bd9Sstevel@tonic-gate } 5377c478bd9Sstevel@tonic-gate 5387c478bd9Sstevel@tonic-gate /* Get the list of slots */ 5397c478bd9Sstevel@tonic-gate if ((rv = C_GetSlotList(0, pSlotList, &slotcount)) != CKR_OK) { 5407c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 5417c478bd9Sstevel@tonic-gate "failed to find any cryptographic provider," 5427c478bd9Sstevel@tonic-gate "please check with your system administrator: %s"), 5437c478bd9Sstevel@tonic-gate pkcs11_strerror(rv)); 5447c478bd9Sstevel@tonic-gate exitcode = EXIT_FAILURE; 5457c478bd9Sstevel@tonic-gate goto cleanup; 5467c478bd9Sstevel@tonic-gate } 5477c478bd9Sstevel@tonic-gate 5487c478bd9Sstevel@tonic-gate /* 5497c478bd9Sstevel@tonic-gate * Obtain list of algorithms if -l option was given 5507c478bd9Sstevel@tonic-gate */ 5517c478bd9Sstevel@tonic-gate if (lflag) { 5527c478bd9Sstevel@tonic-gate 5537c478bd9Sstevel@tonic-gate for (slot = 0; slot < slotcount; slot++) { 5547c478bd9Sstevel@tonic-gate 5557c478bd9Sstevel@tonic-gate /* Iterate through each mechanism */ 5567c478bd9Sstevel@tonic-gate for (mek = 0; mek < MECH_ALIASES_COUNT; mek++) { 5577c478bd9Sstevel@tonic-gate rv = C_GetMechanismInfo(pSlotList[slot], 5587c478bd9Sstevel@tonic-gate mech_aliases[mek].type, &info); 5597c478bd9Sstevel@tonic-gate 5607c478bd9Sstevel@tonic-gate /* Only check algorithms that can be used */ 5617c478bd9Sstevel@tonic-gate if ((rv != CKR_OK) || 5627c478bd9Sstevel@tonic-gate (!mac_cmd && (info.flags & CKF_SIGN)) || 5637c478bd9Sstevel@tonic-gate (mac_cmd && (info.flags & CKF_DIGEST))) 5647c478bd9Sstevel@tonic-gate continue; 5657c478bd9Sstevel@tonic-gate 
5667c478bd9Sstevel@tonic-gate /* 5677c478bd9Sstevel@tonic-gate * Set to minimum/maximum key sizes assuming 5687c478bd9Sstevel@tonic-gate * the values available are not 0. 5697c478bd9Sstevel@tonic-gate */ 5707c478bd9Sstevel@tonic-gate if (info.ulMinKeySize && (info.ulMinKeySize < 5717c478bd9Sstevel@tonic-gate mech_aliases[mek].keysize_min)) 5727c478bd9Sstevel@tonic-gate mech_aliases[mek].keysize_min = 5737c478bd9Sstevel@tonic-gate info.ulMinKeySize; 5747c478bd9Sstevel@tonic-gate 5757c478bd9Sstevel@tonic-gate if (info.ulMaxKeySize && (info.ulMaxKeySize > 5767c478bd9Sstevel@tonic-gate mech_aliases[mek].keysize_max)) 5777c478bd9Sstevel@tonic-gate mech_aliases[mek].keysize_max = 5787c478bd9Sstevel@tonic-gate info.ulMaxKeySize; 5797c478bd9Sstevel@tonic-gate 5807c478bd9Sstevel@tonic-gate mech_aliases[mek].available = B_TRUE; 5817c478bd9Sstevel@tonic-gate } 5827c478bd9Sstevel@tonic-gate 5837c478bd9Sstevel@tonic-gate } 5847c478bd9Sstevel@tonic-gate 5857c478bd9Sstevel@tonic-gate algorithm_list(mac_cmd); 5867c478bd9Sstevel@tonic-gate 5877c478bd9Sstevel@tonic-gate goto cleanup; 5887c478bd9Sstevel@tonic-gate } 5897c478bd9Sstevel@tonic-gate 590*c197cb9dShylee /* 591*c197cb9dShylee * Find a slot with matching mechanism 592*c197cb9dShylee * 593*c197cb9dShylee * If -K is specified, we find the slot id for the token first, then 594*c197cb9dShylee * check if the slot supports the algorithm. 
595*c197cb9dShylee */ 596*c197cb9dShylee i = 0; 597*c197cb9dShylee if (Kflag) { 598*c197cb9dShylee kmfrv = KMF_PK11TokenLookup(NULL, token_label, &token_slot_id); 599*c197cb9dShylee if (kmfrv != KMF_OK) { 600*c197cb9dShylee cryptoerror(LOG_STDERR, 601*c197cb9dShylee gettext("no matching PKCS#11 token")); 602*c197cb9dShylee exitcode = EXIT_FAILURE; 603*c197cb9dShylee goto cleanup; 604*c197cb9dShylee } 605*c197cb9dShylee rv = C_GetMechanismInfo(token_slot_id, mech_type, &info); 606*c197cb9dShylee if (rv == CKR_OK && (info.flags & CKF_SIGN)) 607*c197cb9dShylee slotID = token_slot_id; 608*c197cb9dShylee else 609*c197cb9dShylee i = slotcount; 610*c197cb9dShylee 611*c197cb9dShylee } else { 6127c478bd9Sstevel@tonic-gate for (i = 0; i < slotcount; i++) { 6137c478bd9Sstevel@tonic-gate slotID = pSlotList[i]; 6147c478bd9Sstevel@tonic-gate rv = C_GetMechanismInfo(slotID, mech_type, &info); 6157c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 6167c478bd9Sstevel@tonic-gate continue; /* to the next slot */ 6177c478bd9Sstevel@tonic-gate } else { 6187c478bd9Sstevel@tonic-gate if (mac_cmd) { 6197c478bd9Sstevel@tonic-gate /* 6207c478bd9Sstevel@tonic-gate * Make sure the slot supports 6217c478bd9Sstevel@tonic-gate * PKCS5 key generation if we 6227c478bd9Sstevel@tonic-gate * will be using it later. 6237c478bd9Sstevel@tonic-gate * We use it whenever the key 6247c478bd9Sstevel@tonic-gate * is entered at command line. 
6257c478bd9Sstevel@tonic-gate */ 6267c478bd9Sstevel@tonic-gate if ((info.flags & CKF_SIGN) && 6277c478bd9Sstevel@tonic-gate (keyfile == NULL)) { 6287c478bd9Sstevel@tonic-gate CK_MECHANISM_INFO kg_info; 6297c478bd9Sstevel@tonic-gate rv = C_GetMechanismInfo(slotID, 6307c478bd9Sstevel@tonic-gate CKM_PKCS5_PBKD2, &kg_info); 6317c478bd9Sstevel@tonic-gate if (rv == CKR_OK) 6327c478bd9Sstevel@tonic-gate break; 6337c478bd9Sstevel@tonic-gate } else if (info.flags & CKF_SIGN) { 6347c478bd9Sstevel@tonic-gate break; 6357c478bd9Sstevel@tonic-gate } 6367c478bd9Sstevel@tonic-gate } else { 6377c478bd9Sstevel@tonic-gate if (info.flags & CKF_DIGEST) 6387c478bd9Sstevel@tonic-gate break; 6397c478bd9Sstevel@tonic-gate } 6407c478bd9Sstevel@tonic-gate } 6417c478bd9Sstevel@tonic-gate } 642*c197cb9dShylee } 6437c478bd9Sstevel@tonic-gate 6447c478bd9Sstevel@tonic-gate /* Show error if no matching mechanism found */ 6457c478bd9Sstevel@tonic-gate if (i == slotcount) { 6467c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, 6477c478bd9Sstevel@tonic-gate gettext("no cryptographic provider was " 6487c478bd9Sstevel@tonic-gate "found for this algorithm -- %s"), algo_str); 6497c478bd9Sstevel@tonic-gate exitcode = EXIT_FAILURE; 6507c478bd9Sstevel@tonic-gate goto cleanup; 6517c478bd9Sstevel@tonic-gate } 6527c478bd9Sstevel@tonic-gate 6537c478bd9Sstevel@tonic-gate /* Mechanism is supported. 
Go ahead & open a session */ 6547c478bd9Sstevel@tonic-gate rv = C_OpenSession(slotID, CKF_SERIAL_SESSION, 6557c478bd9Sstevel@tonic-gate NULL_PTR, NULL, &hSession); 6567c478bd9Sstevel@tonic-gate 6577c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 6587c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, 6597c478bd9Sstevel@tonic-gate gettext("can not open PKCS#11 session: %s"), 6607c478bd9Sstevel@tonic-gate pkcs11_strerror(rv)); 6617c478bd9Sstevel@tonic-gate exitcode = EXIT_FAILURE; 6627c478bd9Sstevel@tonic-gate goto cleanup; 6637c478bd9Sstevel@tonic-gate } 6647c478bd9Sstevel@tonic-gate 6657c478bd9Sstevel@tonic-gate /* Create a key object for mac operation */ 6667c478bd9Sstevel@tonic-gate if (mac_cmd) { 6677c478bd9Sstevel@tonic-gate /* 6687c478bd9Sstevel@tonic-gate * If we read keybytes from a file, 6697c478bd9Sstevel@tonic-gate * do NOT process them with C_GenerateKey, 6707c478bd9Sstevel@tonic-gate * treat them as raw keydata bytes and 6717c478bd9Sstevel@tonic-gate * create a key object for them. 
6727c478bd9Sstevel@tonic-gate */ 6737c478bd9Sstevel@tonic-gate if (keyfile) { 6747c478bd9Sstevel@tonic-gate CK_OBJECT_CLASS class = CKO_SECRET_KEY; 6757c478bd9Sstevel@tonic-gate CK_KEY_TYPE tmpl_keytype = CKK_GENERIC_SECRET; 6767c478bd9Sstevel@tonic-gate CK_BBOOL false = FALSE; 6777c478bd9Sstevel@tonic-gate int nattr = 0; 6787c478bd9Sstevel@tonic-gate CK_ATTRIBUTE template[5]; 6797c478bd9Sstevel@tonic-gate 6807c478bd9Sstevel@tonic-gate if (mech_type == CKM_DES_MAC) { 6817c478bd9Sstevel@tonic-gate tmpl_keytype = CKK_DES; 6827c478bd9Sstevel@tonic-gate } 6837c478bd9Sstevel@tonic-gate template[nattr].type = CKA_CLASS; 6847c478bd9Sstevel@tonic-gate template[nattr].pValue = &class; 6857c478bd9Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (class); 6867c478bd9Sstevel@tonic-gate nattr++; 6877c478bd9Sstevel@tonic-gate 6887c478bd9Sstevel@tonic-gate template[nattr].type = CKA_KEY_TYPE; 6897c478bd9Sstevel@tonic-gate template[nattr].pValue = &tmpl_keytype; 6907c478bd9Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (tmpl_keytype); 6917c478bd9Sstevel@tonic-gate nattr++; 6927c478bd9Sstevel@tonic-gate 6937c478bd9Sstevel@tonic-gate template[nattr].type = CKA_SIGN; 6947c478bd9Sstevel@tonic-gate template[nattr].pValue = &true; 6957c478bd9Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (true); 6967c478bd9Sstevel@tonic-gate nattr++; 6977c478bd9Sstevel@tonic-gate 6987c478bd9Sstevel@tonic-gate template[nattr].type = CKA_TOKEN; 6997c478bd9Sstevel@tonic-gate template[nattr].pValue = &false; 7007c478bd9Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (false); 7017c478bd9Sstevel@tonic-gate nattr++; 7027c478bd9Sstevel@tonic-gate 7037c478bd9Sstevel@tonic-gate template[nattr].type = CKA_VALUE; 7047c478bd9Sstevel@tonic-gate template[nattr].pValue = pkeydata; 7057c478bd9Sstevel@tonic-gate template[nattr].ulValueLen = keylen; 7067c478bd9Sstevel@tonic-gate nattr++; 7077c478bd9Sstevel@tonic-gate 7087c478bd9Sstevel@tonic-gate rv = C_CreateObject(hSession, template, 
7097c478bd9Sstevel@tonic-gate nattr, &key); 710*c197cb9dShylee 711*c197cb9dShylee } else if (Kflag) { 712*c197cb9dShylee 713*c197cb9dShylee if (mech_type == CKM_DES_MAC) { 714*c197cb9dShylee keytype = CKK_DES; 715*c197cb9dShylee } else { 716*c197cb9dShylee keytype = CKK_GENERIC_SECRET; 717*c197cb9dShylee } 718*c197cb9dShylee 719*c197cb9dShylee rv = get_token_key(hSession, keytype, key_label, 720*c197cb9dShylee pkeydata, keylen, &key); 721*c197cb9dShylee if (rv != CKR_OK) { 722*c197cb9dShylee exitcode = EXIT_FAILURE; 723*c197cb9dShylee goto cleanup; 724*c197cb9dShylee } 7257c478bd9Sstevel@tonic-gate } else { 7267c478bd9Sstevel@tonic-gate CK_KEY_TYPE keytype; 7277c478bd9Sstevel@tonic-gate if (mech_type == CKM_DES_MAC) { 7287c478bd9Sstevel@tonic-gate keytype = CKK_DES; 7297c478bd9Sstevel@tonic-gate keysize = 0; 7307c478bd9Sstevel@tonic-gate } else { 7317c478bd9Sstevel@tonic-gate keytype = CKK_GENERIC_SECRET; 7327c478bd9Sstevel@tonic-gate keysize = 16; /* 128 bits */ 7337c478bd9Sstevel@tonic-gate } 7347c478bd9Sstevel@tonic-gate /* 7357c478bd9Sstevel@tonic-gate * We use a fixed salt (0x0a, 0x0a, 0x0a ...) 7367c478bd9Sstevel@tonic-gate * for creating the key so that the end user 7377c478bd9Sstevel@tonic-gate * will be able to generate the same 'mac' 7387c478bd9Sstevel@tonic-gate * using the same passphrase. 
7397c478bd9Sstevel@tonic-gate */ 7407c478bd9Sstevel@tonic-gate (void) memset(salt, 0x0a, sizeof (salt)); 7417c478bd9Sstevel@tonic-gate rv = generate_pkcs5_key(hSession, 7427c478bd9Sstevel@tonic-gate salt, sizeof (salt), 7437c478bd9Sstevel@tonic-gate iterations, pkeydata, 7447c478bd9Sstevel@tonic-gate keytype, keylen, keysize, 7457c478bd9Sstevel@tonic-gate &key); 7467c478bd9Sstevel@tonic-gate } 7477c478bd9Sstevel@tonic-gate 7487c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 7497c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, 7507c478bd9Sstevel@tonic-gate gettext("unable to create key for crypto " 7517c478bd9Sstevel@tonic-gate "operation: %s"), pkcs11_strerror(rv)); 7527c478bd9Sstevel@tonic-gate exitcode = EXIT_FAILURE; 7537c478bd9Sstevel@tonic-gate goto cleanup; 7547c478bd9Sstevel@tonic-gate } 7557c478bd9Sstevel@tonic-gate } 7567c478bd9Sstevel@tonic-gate 7577c478bd9Sstevel@tonic-gate /* Allocate a buffer to store result. */ 7587c478bd9Sstevel@tonic-gate resultlen = RESULTLEN; 7597c478bd9Sstevel@tonic-gate if ((resultbuf = malloc(resultlen)) == NULL) { 7607c478bd9Sstevel@tonic-gate int err = errno; 7617c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s\n"), 7627c478bd9Sstevel@tonic-gate strerror(err)); 7637c478bd9Sstevel@tonic-gate exitcode = EXIT_FAILURE; 7647c478bd9Sstevel@tonic-gate goto cleanup; 7657c478bd9Sstevel@tonic-gate } 7667c478bd9Sstevel@tonic-gate 7677c478bd9Sstevel@tonic-gate /* Allocate a buffer to store result string */ 7687c478bd9Sstevel@tonic-gate resultstrlen = RESULTLEN; 7697c478bd9Sstevel@tonic-gate if ((resultstr = malloc(resultstrlen)) == NULL) { 7707c478bd9Sstevel@tonic-gate int err = errno; 7717c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s\n"), 7727c478bd9Sstevel@tonic-gate strerror(err)); 7737c478bd9Sstevel@tonic-gate exitcode = EXIT_FAILURE; 7747c478bd9Sstevel@tonic-gate goto cleanup; 7757c478bd9Sstevel@tonic-gate } 7767c478bd9Sstevel@tonic-gate 7777c478bd9Sstevel@tonic-gate mech.mechanism = 
mech_type; 7787c478bd9Sstevel@tonic-gate mech.pParameter = NULL_PTR; 7797c478bd9Sstevel@tonic-gate mech.ulParameterLen = 0; 7807c478bd9Sstevel@tonic-gate exitcode = EXIT_SUCCESS; 7817c478bd9Sstevel@tonic-gate i = 0; 7827c478bd9Sstevel@tonic-gate 7837c478bd9Sstevel@tonic-gate do { 7847c478bd9Sstevel@tonic-gate if (filecount > 0 && filelist != NULL) { 7857c478bd9Sstevel@tonic-gate filename = filelist[i]; 7867c478bd9Sstevel@tonic-gate if ((fd = open(filename, O_RDONLY 7877c478bd9Sstevel@tonic-gate | O_NONBLOCK)) == -1) { 7887c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7897c478bd9Sstevel@tonic-gate "can not open input file %s\n"), filename); 7907c478bd9Sstevel@tonic-gate exitcode = EXIT_USAGE; 7917c478bd9Sstevel@tonic-gate continue; 7927c478bd9Sstevel@tonic-gate } 7937c478bd9Sstevel@tonic-gate } else { 7947c478bd9Sstevel@tonic-gate fd = 0; /* use stdin */ 7957c478bd9Sstevel@tonic-gate } 7967c478bd9Sstevel@tonic-gate 7977c478bd9Sstevel@tonic-gate /* 7987c478bd9Sstevel@tonic-gate * Perform the operation 7997c478bd9Sstevel@tonic-gate */ 8007c478bd9Sstevel@tonic-gate if (mac_cmd) { 8017c478bd9Sstevel@tonic-gate rv = do_mac(hSession, &mech, fd, key, &resultbuf, 8027c478bd9Sstevel@tonic-gate &resultlen); 8037c478bd9Sstevel@tonic-gate } else { 8047c478bd9Sstevel@tonic-gate rv = do_digest(hSession, &mech, fd, &resultbuf, 8057c478bd9Sstevel@tonic-gate &resultlen); 8067c478bd9Sstevel@tonic-gate } 8077c478bd9Sstevel@tonic-gate 8087c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 8097c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, 8107c478bd9Sstevel@tonic-gate gettext("crypto operation failed for " 8117c478bd9Sstevel@tonic-gate "file %s: %s\n"), 8127c478bd9Sstevel@tonic-gate filename ? 
filename : "STDIN", 8137c478bd9Sstevel@tonic-gate pkcs11_strerror(rv)); 8147c478bd9Sstevel@tonic-gate exitcode = EXIT_FAILURE; 8157c478bd9Sstevel@tonic-gate continue; 8167c478bd9Sstevel@tonic-gate } 8177c478bd9Sstevel@tonic-gate 8187c478bd9Sstevel@tonic-gate /* if result size has changed, allocate a bigger resulstr buf */ 8197c478bd9Sstevel@tonic-gate if (resultlen != RESULTLEN) { 8207c478bd9Sstevel@tonic-gate resultstrlen = 2 * resultlen + 1; 8217c478bd9Sstevel@tonic-gate resultstr = realloc(resultstr, resultstrlen); 8227c478bd9Sstevel@tonic-gate 8237c478bd9Sstevel@tonic-gate if (resultstr == NULL) { 8247c478bd9Sstevel@tonic-gate int err = errno; 8257c478bd9Sstevel@tonic-gate cryptoerror(LOG_STDERR, 8267c478bd9Sstevel@tonic-gate gettext("realloc: %s\n"), strerror(err)); 8277c478bd9Sstevel@tonic-gate exitcode = EXIT_FAILURE; 8287c478bd9Sstevel@tonic-gate goto cleanup; 8297c478bd9Sstevel@tonic-gate } 8307c478bd9Sstevel@tonic-gate } 8317c478bd9Sstevel@tonic-gate 8327c478bd9Sstevel@tonic-gate /* Output the result */ 8337c478bd9Sstevel@tonic-gate tohexstr(resultbuf, resultlen, resultstr, resultstrlen); 8347c478bd9Sstevel@tonic-gate 8357c478bd9Sstevel@tonic-gate /* Include mechanism name for verbose */ 8367c478bd9Sstevel@tonic-gate if (vflag) 8377c478bd9Sstevel@tonic-gate (void) fprintf(stdout, "%s ", algo_str); 8387c478bd9Sstevel@tonic-gate 8397c478bd9Sstevel@tonic-gate /* Include file name for multiple files, or if verbose */ 8407c478bd9Sstevel@tonic-gate if (filecount > 1 || (vflag && filecount > 0)) { 8417c478bd9Sstevel@tonic-gate (void) fprintf(stdout, "(%s) = ", filename); 8427c478bd9Sstevel@tonic-gate } 8437c478bd9Sstevel@tonic-gate 8447c478bd9Sstevel@tonic-gate (void) fprintf(stdout, "%s\n", resultstr); 8457c478bd9Sstevel@tonic-gate (void) close(fd); 8467c478bd9Sstevel@tonic-gate 8477c478bd9Sstevel@tonic-gate 8487c478bd9Sstevel@tonic-gate } while (++i < filecount); 8497c478bd9Sstevel@tonic-gate 8507c478bd9Sstevel@tonic-gate 8517c478bd9Sstevel@tonic-gate /* clear 
and free the key */ 8527c478bd9Sstevel@tonic-gate if (mac_cmd) { 8537c478bd9Sstevel@tonic-gate (void) memset(pkeydata, 0, keylen); 8547c478bd9Sstevel@tonic-gate free(pkeydata); 8557c478bd9Sstevel@tonic-gate pkeydata = NULL; 8567c478bd9Sstevel@tonic-gate } 8577c478bd9Sstevel@tonic-gate 8587c478bd9Sstevel@tonic-gate cleanup: 8597c478bd9Sstevel@tonic-gate if (resultbuf != NULL) { 8607c478bd9Sstevel@tonic-gate free(resultbuf); 8617c478bd9Sstevel@tonic-gate } 8627c478bd9Sstevel@tonic-gate 8637c478bd9Sstevel@tonic-gate if (resultstr != NULL) { 8647c478bd9Sstevel@tonic-gate free(resultstr); 8657c478bd9Sstevel@tonic-gate } 8667c478bd9Sstevel@tonic-gate 8677c478bd9Sstevel@tonic-gate if (pSlotList != NULL) { 8687c478bd9Sstevel@tonic-gate free(pSlotList); 8697c478bd9Sstevel@tonic-gate } 8707c478bd9Sstevel@tonic-gate 871*c197cb9dShylee if (!Kflag && key != (CK_OBJECT_HANDLE) 0) { 8727c478bd9Sstevel@tonic-gate (void) C_DestroyObject(hSession, key); 8737c478bd9Sstevel@tonic-gate } 8747c478bd9Sstevel@tonic-gate 8757c478bd9Sstevel@tonic-gate if (hSession != CK_INVALID_HANDLE) 8767c478bd9Sstevel@tonic-gate (void) C_CloseSession(hSession); 8777c478bd9Sstevel@tonic-gate 8787c478bd9Sstevel@tonic-gate (void) C_Finalize(NULL_PTR); 8797c478bd9Sstevel@tonic-gate 8807c478bd9Sstevel@tonic-gate return (exitcode); 8817c478bd9Sstevel@tonic-gate } 8827c478bd9Sstevel@tonic-gate 8837c478bd9Sstevel@tonic-gate /* 8847c478bd9Sstevel@tonic-gate * do_digest - Compute digest of a file 8857c478bd9Sstevel@tonic-gate * 8867c478bd9Sstevel@tonic-gate * hSession - session 8877c478bd9Sstevel@tonic-gate * pmech - ptr to mechanism to be used for digest 8887c478bd9Sstevel@tonic-gate * fd - file descriptor 8897c478bd9Sstevel@tonic-gate * pdigest - buffer where digest result is returned 8907c478bd9Sstevel@tonic-gate * pdigestlen - length of digest buffer on input, 8917c478bd9Sstevel@tonic-gate * length of result on output 8927c478bd9Sstevel@tonic-gate */ 8937c478bd9Sstevel@tonic-gate static CK_RV 
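do_digest(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pmech,
    int fd, CK_BYTE_PTR *pdigest, CK_ULONG_PTR pdigestlen)
{
	CK_RV rv;
	ssize_t nread;
	int saved_errno;

	if ((rv = C_DigestInit(hSession, pmech)) != CKR_OK) {
		return (rv);
	}

	/*
	 * Feed the whole stream through C_DigestUpdate.  A read cut
	 * short by a signal is simply retried; any other read failure
	 * leaves nread == -1 and is reported only after the digest
	 * operation has been finalized below.  An update failure is
	 * returned straight to the caller.
	 */
	for (;;) {
		nread = read(fd, buf, sizeof (buf));
		if (nread > 0) {
			rv = C_DigestUpdate(hSession, buf, (CK_ULONG)nread);
			if (rv != CKR_OK)
				return (rv);
			continue;
		}
		if (nread == -1 && errno == EINTR)
			continue;
		break;
	}

	saved_errno = errno;	/* why read() failed, if it did */

	/*
	 * Perform the C_DigestFinal even if there was a read error;
	 * otherwise C_DigestInit returns CKR_OPERATION_ACTIVE the next
	 * time it is called (for another file).
	 */
	rv = C_DigestFinal(hSession, *pdigest, pdigestlen);

	/* Result too big to fit?  *pdigestlen now holds the size needed. */
	if (rv == CKR_BUFFER_TOO_SMALL) {
		CK_BYTE_PTR bigger = realloc(*pdigest, *pdigestlen);

		if (bigger == NULL_PTR) {
			int err = errno;

			/*
			 * Leave *pdigest untouched: the caller still owns
			 * (and frees) that buffer and reuses it for the
			 * next file, so overwriting it with NULL here would
			 * leak it and hand the caller a null result buffer.
			 */
			cryptoerror(LOG_STDERR,
			    gettext("realloc: %s\n"), strerror(err));
			return (CKR_HOST_MEMORY);
		}
		*pdigest = bigger;
		rv = C_DigestFinal(hSession, *pdigest, pdigestlen);
	}

	/* There was a read error */
	if (nread == -1) {
		cryptoerror(LOG_STDERR, gettext(
		    "error reading file: %s"), strerror(saved_errno));
		return (CKR_GENERAL_ERROR);
	}
	return (rv);
}

/*
 * do_mac - Compute mac of a file
 *
 * hSession - session
 * pmech - ptr to mechanism to be used
 * fd - file descriptor
 * key - key to be used
 * psignature - ptr to buffer where mac result is returned;
 *              replaced by a bigger buffer if the current one is too
 *              small (the caller keeps ownership either way)
 * psignaturelen - length of mac buffer on input,
 *                 length of result on output
 *
 * returns CKR_OK, the failing PKCS#11 return code, CKR_HOST_MEMORY if
 * the result buffer could not be grown, or CKR_GENERAL_ERROR on a read
 * error (the MAC operation is finalized in that case too)
 */
static CK_RV
do_mac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pmech,
    int fd, CK_OBJECT_HANDLE key, CK_BYTE_PTR *psignature,
    CK_ULONG_PTR psignaturelen)
{
	CK_RV rv;
	ssize_t nread;
	int saved_errno;

	if ((rv = C_SignInit(hSession, pmech, key)) != CKR_OK) {
		return (rv);
	}

	/*
	 * Same streaming scheme as do_digest(): retry on EINTR, defer
	 * reporting of other read errors until after C_SignFinal.
	 */
	for (;;) {
		nread = read(fd, buf, sizeof (buf));
		if (nread > 0) {
			rv = C_SignUpdate(hSession, buf, (CK_ULONG)nread);
			if (rv != CKR_OK)
				return (rv);
			continue;
		}
		if (nread == -1 && errno == EINTR)
			continue;
		break;
	}

	saved_errno = errno;	/* why read() failed, if it did */

	/*
	 * Perform the C_SignFinal even if there was a read error;
	 * otherwise C_SignInit returns CKR_OPERATION_ACTIVE the next
	 * time it is called (for another file).
	 */
	rv = C_SignFinal(hSession, *psignature, psignaturelen);

	/* Result too big to fit?  *psignaturelen now holds the size needed. */
	if (rv == CKR_BUFFER_TOO_SMALL) {
		CK_BYTE_PTR bigger = realloc(*psignature, *psignaturelen);

		if (bigger == NULL_PTR) {
			int err = errno;

			/* keep the caller's buffer valid, see do_digest() */
			cryptoerror(LOG_STDERR,
			    gettext("realloc: %s\n"), strerror(err));
			return (CKR_HOST_MEMORY);
		}
		*psignature = bigger;
		rv = C_SignFinal(hSession, *psignature, psignaturelen);
	}

	/* There was a read error */
	if (nread == -1) {
		cryptoerror(LOG_STDERR, gettext("error reading file: %s"),
		    strerror(saved_errno));
		return (CKR_GENERAL_ERROR);
	}
	return (rv);
}


/*
 * getkey - gets keydata from file specified
 *
 * filename - name of file; if NULL, prompt for a pass phrase instead
 * pkeydata - on success receives a malloc'd buffer holding the raw key
 *            bytes (NULL when the key file is empty); the caller owns it
 *            and is expected to zero and free it
 *
 * returns length of key in bytes, or -1 if error (nothing is left
 * allocated on the error path)
 */
static int
getkey(char *filename, CK_BYTE_PTR *pkeydata)
{
	char *keybuf = NULL;
	int keylen = 0;

	if (filename != NULL) {
		struct stat statbuf;
		int fd;
		size_t got = 0;

		/* read the key file into a buffer */
		if ((fd = open(filename, O_RDONLY | O_NONBLOCK)) == -1) {
			cryptoerror(LOG_STDERR, gettext(
			    "can't open %s\n"), filename);
			return (-1);
		}

		if (fstat(fd, &statbuf) == -1) {
			cryptoerror(LOG_STDERR, gettext(
			    "can't stat %s\n"), filename);
			(void) close(fd);
			return (-1);
		}

		/* only a regular file has a size we can trust to read */
		if (!S_ISREG(statbuf.st_mode)) {
			cryptoerror(LOG_STDERR, gettext(
			    "%s not a regular file\n"), filename);
			(void) close(fd);
			return (-1);
		}

		/*
		 * The key length is carried in an int; refuse a file whose
		 * size would be truncated (or go negative) in that
		 * conversion instead of allocating the wrong amount.
		 */
		if (statbuf.st_size > INT_MAX) {
			cryptoerror(LOG_STDERR, gettext(
			    "can't read %s\n"), filename);
			(void) close(fd);
			return (-1);
		}
		keylen = (int)statbuf.st_size;

		if (keylen > 0) {
			/* allocate a buffer to hold the entire key */
			if ((keybuf = malloc((size_t)keylen)) == NULL) {
				int err = errno;
				cryptoerror(LOG_STDERR, gettext("malloc: %s\n"),
				    strerror(err));
				(void) close(fd);
				return (-1);
			}

			/*
			 * Loop until the whole file is in: read() may
			 * return less than requested or be interrupted.
			 */
			while (got < (size_t)keylen) {
				ssize_t n = read(fd, keybuf + got,
				    (size_t)keylen - got);

				if (n == -1 && errno == EINTR)
					continue;
				if (n <= 0)
					break;
				got += (size_t)n;
			}

			if (got != (size_t)keylen) {
				cryptoerror(LOG_STDERR, gettext(
				    "can't read %s\n"), filename);
				/* scrub and release the partial key buffer */
				(void) memset(keybuf, 0, (size_t)keylen);
				free(keybuf);
				(void) close(fd);
				return (-1);
			}
		}
		(void) close(fd);

	} else {
		/* No file, prompt for a pass phrase */
		char *tmpbuf = getpassphrase(gettext("Enter key:"));

		if (tmpbuf == NULL) {
			return (-1);	/* error */
		}
		keybuf = strdup(tmpbuf);
		/* scrub the static buffer getpassphrase() hands back */
		(void) memset(tmpbuf, 0, strlen(tmpbuf));
		if (keybuf == NULL) {
			return (-1);	/* strdup failed; nothing to return */
		}
		keylen = (int)strlen(keybuf);
	}

	*pkeydata = (CK_BYTE_PTR)keybuf;

	return (keylen);
}

/*
 * getpasswd - prompt for the pass phrase of the token named by token_spec
 *
 * token_spec - token label shown in the prompt; NULL is an error
 * pdata      - receives a malloc'd, NUL-terminated copy of what was
 *              typed; the caller owns it and is expected to zero and
 *              free it
 * psize      - receives its length in bytes (without the NUL)
 *
 * returns 0 on success, -1 on error
 */
static int
getpasswd(char *token_spec, CK_BYTE_PTR *pdata, CK_ULONG *psize)
{
	char *databuf;
	char *tmpbuf;
	char prompt[1024];

	if (token_spec == NULL)
		return (-1);

	/*
	 * Translate the prompt template before substituting the token
	 * name: a catalog lookup on the already-formatted text can never
	 * match.  An over-long label is truncated by snprintf, not
	 * overrun.
	 */
	(void) snprintf(prompt, sizeof (prompt),
	    gettext(DEFAULT_TOKEN_PROMPT), token_spec);
	tmpbuf = getpassphrase(prompt);

	if (tmpbuf == NULL) {
		return (-1);	/* error */
	}

	databuf = strdup(tmpbuf);
	/* scrub the static buffer getpassphrase() hands back */
	(void) memset(tmpbuf, 0, strlen(tmpbuf));
	if (databuf == NULL)
		return (-1);

	*pdata = (CK_BYTE_PTR)databuf;
	*psize = (CK_ULONG)strlen(databuf);

	return (0);
}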