xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_tpm/common/tpm_specific.c (revision 7ae7577ce925f555e5e3410f14a3ccc896c842f2)
1 /*
2  * The Initial Developer of the Original Code is International
3  * Business Machines Corporation. Portions created by IBM
4  * Corporation are Copyright (C) 2005 International Business
5  * Machines Corporation. All Rights Reserved.
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the Common Public License as published by
9  * IBM Corporation; either version 1 of the License, or (at your option)
10  * any later version.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * Common Public License for more details.
16  *
17  * You should have received a copy of the Common Public License
18  * along with this program; if not, a copy can be viewed at
19  * http://www.opensource.org/licenses/cpl1.0.php.
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  * Copyright 2012 Milan Jurik. All rights reserved.
25  * Copyright (c) 2016 by Delphix. All rights reserved.
26  * Copyright 2018 Jason King
27  */
28 
29 #include <pthread.h>
30 #include <string.h>
31 
32 #include <sys/types.h>
33 #include <sys/stat.h>
34 #include <uuid/uuid.h>
35 #include <fcntl.h>
36 #include <errno.h>
37 #include <pwd.h>
38 #include <syslog.h>
39 
40 #include <sys/crypto/common.h>	/* For CRYPTO_BYTES2BITS */
41 #include <rsa_impl.h>
42 #include <padding.h>
43 
44 #include <tss/platform.h>
45 #include <tss/tss_defines.h>
46 #include <tss/tss_typedef.h>
47 #include <tss/tss_structs.h>
48 #include <tss/tss_error.h>
49 #include <tss/tcs_error.h>
50 #include <tss/tspi.h>
51 #include <trousers/trousers.h>
52 
53 #include "tpmtok_int.h"
54 #include "tpmtok_defs.h"
55 
56 #define	MAX_RSA_KEYLENGTH 512
57 
58 extern void stlogit(char *fmt, ...);
59 
60 CK_RV token_rng(TSS_HCONTEXT, CK_BYTE *,  CK_ULONG);
61 int tok_slot2local(CK_SLOT_ID);
62 CK_RV token_specific_session(CK_SLOT_ID);
63 CK_RV token_specific_final(TSS_HCONTEXT);
64 
65 CK_RV
66 token_specific_rsa_decrypt(
67 	TSS_HCONTEXT,
68 	CK_BYTE *,
69 	CK_ULONG,
70 	CK_BYTE *,
71 	CK_ULONG *,
72 	OBJECT *);
73 
74 CK_RV
75 token_specific_rsa_encrypt(
76 	TSS_HCONTEXT,
77 	CK_BYTE *,
78 	CK_ULONG,
79 	CK_BYTE *,
80 	CK_ULONG *,
81 	OBJECT *);
82 
83 CK_RV
84 token_specific_rsa_sign(
85 	TSS_HCONTEXT,
86 	CK_BYTE *,
87 	CK_ULONG,
88 	CK_BYTE *,
89 	CK_ULONG *,
90 	OBJECT *);
91 
92 CK_RV
93 token_specific_rsa_verify(TSS_HCONTEXT, CK_BYTE *,
94     CK_ULONG, CK_BYTE *, CK_ULONG, OBJECT *);
95 
96 CK_RV
97 token_specific_rsa_generate_keypair(TSS_HCONTEXT,
98 	TEMPLATE *,
99 	TEMPLATE *);
100 
101 CK_RV
102 token_specific_sha_init(DIGEST_CONTEXT *);
103 
104 CK_RV
105 token_specific_sha_update(DIGEST_CONTEXT *,
106 	CK_BYTE *,
107 	CK_ULONG);
108 
109 CK_RV
110 token_specific_sha_final(DIGEST_CONTEXT *,
111 	CK_BYTE *,
112 	CK_ULONG *);
113 
114 CK_RV token_specific_login(TSS_HCONTEXT, CK_USER_TYPE, CK_CHAR_PTR, CK_ULONG);
115 CK_RV token_specific_logout(TSS_HCONTEXT);
116 CK_RV token_specific_init_pin(TSS_HCONTEXT, CK_CHAR_PTR, CK_ULONG);
117 CK_RV token_specific_set_pin(ST_SESSION_HANDLE, CK_CHAR_PTR,
118 	CK_ULONG, CK_CHAR_PTR, CK_ULONG);
119 CK_RV token_specific_verify_so_pin(TSS_HCONTEXT, CK_CHAR_PTR, CK_ULONG);
120 
121 static CK_RV
122 token_specific_init(char *, CK_SLOT_ID, TSS_HCONTEXT *);
123 
124 struct token_specific_struct token_specific = {
125 	"TPM_Debug",
126 	&token_specific_init,
127 	NULL,
128 	&token_rng,
129 	&token_specific_session,
130 	&token_specific_final,
131 	&token_specific_rsa_decrypt,
132 	&token_specific_rsa_encrypt,
133 	&token_specific_rsa_sign,
134 	&token_specific_rsa_verify,
135 	&token_specific_rsa_generate_keypair,
136 	NULL,
137 	NULL,
138 	NULL,
139 	&token_specific_login,
140 	&token_specific_logout,
141 	&token_specific_init_pin,
142 	&token_specific_set_pin,
143 	&token_specific_verify_so_pin
144 };
145 
146 /* The context we'll use globally to connect to the TSP */
147 
148 /* TSP key handles */
149 TSS_HKEY hPublicRootKey = NULL_HKEY;
150 TSS_HKEY hPublicLeafKey = NULL_HKEY;
151 TSS_HKEY hPrivateRootKey = NULL_HKEY;
152 TSS_HKEY hPrivateLeafKey = NULL_HKEY;
153 
154 TSS_UUID publicRootKeyUUID;
155 TSS_UUID publicLeafKeyUUID;
156 TSS_UUID privateRootKeyUUID;
157 TSS_UUID privateLeafKeyUUID;
158 
159 /* TSP policy handles */
160 TSS_HPOLICY hDefaultPolicy = NULL_HPOLICY;
161 
162 /* PKCS#11 key handles */
163 int not_initialized = 0;
164 
165 CK_BYTE current_user_pin_sha[SHA1_DIGEST_LENGTH];
166 CK_BYTE current_so_pin_sha[SHA1_DIGEST_LENGTH];
167 
168 static TPM_CAP_VERSION_INFO tpmvinfo;
169 
170 static CK_RV
171 verify_user_pin(TSS_HCONTEXT, CK_BYTE *);
172 
173 static TSS_RESULT
174 tss_assign_secret_key_policy(TSS_HCONTEXT, TSS_FLAG, TSS_HKEY, CK_CHAR *);
175 
176 static TSS_RESULT
177 set_legacy_key_params(TSS_HKEY);
178 
179 static void
180 local_uuid_clear(TSS_UUID *uuid)
181 {
182 	if (uuid == NULL)
183 		return;
184 	(void) memset(uuid, 0, sizeof (TSS_UUID));
185 }
186 
187 
188 /* convert from TSS_UUID to uuid_t */
189 static void
190 tss_uuid_convert_from(TSS_UUID *uu, uuid_t ptr)
191 {
192 	uint_t		tmp;
193 	uchar_t		*out = ptr;
194 
195 	tmp = ntohl(uu->ulTimeLow);
196 	out[3] = (uchar_t)tmp;
197 	tmp >>= 8;
198 	out[2] = (uchar_t)tmp;
199 	tmp >>= 8;
200 	out[1] = (uchar_t)tmp;
201 	tmp >>= 8;
202 	out[0] = (uchar_t)tmp;
203 
204 	tmp = ntohs(uu->usTimeMid);
205 	out[5] = (uchar_t)tmp;
206 	tmp >>= 8;
207 	out[4] = (uchar_t)tmp;
208 
209 	tmp = ntohs(uu->usTimeHigh);
210 	out[7] = (uchar_t)tmp;
211 	tmp >>= 8;
212 	out[6] = (uchar_t)tmp;
213 
214 	tmp = uu->bClockSeqHigh;
215 	out[8] = (uchar_t)tmp;
216 	tmp = uu->bClockSeqLow;
217 	out[9] = (uchar_t)tmp;
218 
219 	(void) memcpy(out+10, uu->rgbNode, 6);
220 }
221 
222 /* convert from uuid_t to TSS_UUID */
223 static void
224 tss_uuid_convert_to(TSS_UUID *uuid, uuid_t in)
225 {
226 	uchar_t		*ptr;
227 	uint32_t	ltmp;
228 	uint16_t	stmp;
229 
230 	ptr = in;
231 
232 	ltmp = *ptr++;
233 	ltmp = (ltmp << 8) | *ptr++;
234 	ltmp = (ltmp << 8) | *ptr++;
235 	ltmp = (ltmp << 8) | *ptr++;
236 	uuid->ulTimeLow = ntohl(ltmp);
237 
238 	stmp = *ptr++;
239 	stmp = (stmp << 8) | *ptr++;
240 	uuid->usTimeMid = ntohs(stmp);
241 
242 	stmp = *ptr++;
243 	stmp = (stmp << 8) | *ptr++;
244 	uuid->usTimeHigh = ntohs(stmp);
245 
246 	uuid->bClockSeqHigh = *ptr++;
247 
248 	uuid->bClockSeqLow = *ptr++;
249 
250 	(void) memcpy(uuid->rgbNode, ptr, 6);
251 }
252 
253 static void
254 local_uuid_copy(TSS_UUID *dst, TSS_UUID *src)
255 {
256 	uuid_t udst, usrc;
257 
258 	tss_uuid_convert_from(dst, udst);
259 	tss_uuid_convert_from(src, usrc);
260 
261 	uuid_copy(udst, usrc);
262 
263 	tss_uuid_convert_to(dst, udst);
264 }
265 
266 static void
267 local_uuid_generate(TSS_UUID *uu)
268 {
269 	uuid_t newuuid;
270 
271 	uuid_generate(newuuid);
272 
273 	tss_uuid_convert_to(uu, newuuid);
274 }
275 
276 static int
277 local_copy_file(char *dst, char *src)
278 {
279 	FILE *fdest, *fsrc;
280 	char line[BUFSIZ];
281 
282 	fdest = fopen(dst, "w");
283 	if (fdest == NULL)
284 		return (-1);
285 
286 	fsrc = fopen(src, "r");
287 	if (fsrc == NULL) {
288 		(void) fclose(fdest);
289 		return (-1);
290 	}
291 
292 	while (fread(line, sizeof (line), 1, fsrc))
293 		(void) fprintf(fdest, "%s\n", line);
294 	(void) fclose(fsrc);
295 	(void) fclose(fdest);
296 	return (0);
297 }
298 
299 static int
300 remove_uuid(char *keyname)
301 {
302 	int ret = 0;
303 	FILE *fp, *newfp;
304 	char fname[MAXPATHLEN];
305 	char line[BUFSIZ], key[BUFSIZ], idstr[BUFSIZ];
306 	char *tmpfname;
307 	char *p = get_tpm_keystore_path();
308 
309 	if (p == NULL)
310 		return (-1);
311 
312 	(void) snprintf(fname, sizeof (fname),
313 	    "%s/%s", p, TPMTOK_UUID_INDEX_FILENAME);
314 
315 	fp = fopen(fname, "r");
316 	if (fp == NULL) {
317 		return (-1);
318 	}
319 
320 	tmpfname = tempnam("/tmp", "tpmtok");
321 	newfp = fopen(tmpfname, "w+");
322 	if (newfp == NULL) {
323 		free(tmpfname);
324 		(void) fclose(fp);
325 		return (-1);
326 	}
327 
328 	while (!feof(fp)) {
329 		(void) fgets(line, sizeof (line), fp);
330 		if (sscanf(line, "%1024s %1024s", key, idstr) == 2) {
331 			if (strcmp(key, keyname))
332 				(void) fprintf(newfp, "%s\n", line);
333 		}
334 	}
335 
336 	(void) fclose(fp);
337 	(void) fclose(newfp);
338 	if (local_copy_file(fname, tmpfname) == 0)
339 		(void) unlink(tmpfname);
340 
341 	free(tmpfname);
342 
343 	return (ret);
344 }
345 
346 static int
347 find_uuid(char *keyname, TSS_UUID *uu)
348 {
349 	int ret = 0, found = 0;
350 	FILE *fp = NULL;
351 	char fname[MAXPATHLEN];
352 	char line[BUFSIZ], key[BUFSIZ], idstr[BUFSIZ];
353 	uuid_t uuid;
354 	char *p = get_tpm_keystore_path();
355 
356 	if (p == NULL)
357 		return (-1);
358 
359 	tss_uuid_convert_from(uu, uuid);
360 
361 	(void) snprintf(fname, sizeof (fname),
362 	    "%s/%s", p, TPMTOK_UUID_INDEX_FILENAME);
363 
364 	/* Open UUID Index file */
365 	fp = fopen(fname, "r");
366 	if (fp == NULL) {
367 		if (errno == ENOENT) {
368 			/* initialize the file */
369 			fp = fopen(fname, "w");
370 			if (fp != NULL)
371 				(void) fclose(fp);
372 		}
373 		return (-1);
374 	}
375 
376 	while (!feof(fp)) {
377 		(void) fgets(line, sizeof (line), fp);
378 		if (sscanf(line, "%1024s %1024s", key, idstr) == 2) {
379 			if (strcmp(key, keyname) == 0) {
380 				ret = uuid_parse(idstr, uuid);
381 				if (ret == 0) {
382 					found = 1;
383 					tss_uuid_convert_to(uu,
384 					    uuid);
385 				}
386 				break;
387 			}
388 		}
389 	}
390 	(void) fclose(fp);
391 
392 	if (!found)
393 		ret = -1;
394 	return (ret);
395 }
396 
397 static int
398 local_uuid_is_null(TSS_UUID *uu)
399 {
400 	uuid_t uuid;
401 	int nulluuid;
402 
403 	tss_uuid_convert_from(uu, uuid);
404 
405 	nulluuid = uuid_is_null(uuid);
406 	return (nulluuid);
407 }
408 
409 static int
410 add_uuid(char *keyname, TSS_UUID *uu)
411 {
412 	FILE *fp = NULL;
413 	char fname[MAXPATHLEN];
414 	char idstr[BUFSIZ];
415 	uuid_t uuid;
416 	char *p = get_tpm_keystore_path();
417 
418 	if (p == NULL)
419 		return (-1);
420 
421 	tss_uuid_convert_from(uu, uuid);
422 
423 	if (uuid_is_null(uuid))
424 		return (-1);
425 
426 	uuid_unparse(uuid, idstr);
427 
428 	(void) snprintf(fname, sizeof (fname),
429 	    "%s/%s", p, TPMTOK_UUID_INDEX_FILENAME);
430 
431 	fp = fopen(fname, "a");
432 	if (fp == NULL)
433 		return (-1);
434 
435 	(void) fprintf(fp, "%s %s\n", keyname, idstr);
436 	(void) fclose(fp);
437 
438 	return (0);
439 }
440 
441 
442 static UINT32
443 util_get_keysize_flag(CK_ULONG size)
444 {
445 	switch (size) {
446 		case 512:
447 			return (TSS_KEY_SIZE_512);
448 		case 1024:
449 			return (TSS_KEY_SIZE_1024);
450 		case 2048:
451 			return (TSS_KEY_SIZE_2048);
452 		default:
453 			break;
454 	}
455 
456 	return (0);
457 }
458 
459 /* make sure the public exponent attribute is 65537 */
460 static CK_ULONG
461 util_check_public_exponent(TEMPLATE *tmpl)
462 {
463 	CK_BBOOL flag;
464 	CK_ATTRIBUTE *publ_exp_attr;
465 	CK_BYTE pubexp_bytes[] = { 1, 0, 1 };
466 	CK_ULONG publ_exp, rc = 1;
467 
468 	flag = template_attribute_find(tmpl, CKA_PUBLIC_EXPONENT,
469 	    &publ_exp_attr);
470 	if (!flag) {
471 		LogError1("Couldn't find public exponent attribute");
472 		return (CKR_TEMPLATE_INCOMPLETE);
473 	}
474 
475 	switch (publ_exp_attr->ulValueLen) {
476 		case 3:
477 			rc = memcmp(pubexp_bytes, publ_exp_attr->pValue, 3);
478 			break;
479 		case sizeof (CK_ULONG):
480 			publ_exp = *((CK_ULONG *)publ_exp_attr->pValue);
481 			if (publ_exp == 65537)
482 				rc = 0;
483 			break;
484 		default:
485 			break;
486 	}
487 
488 	return (rc);
489 }
490 
491 TSS_RESULT
492 set_public_modulus(TSS_HCONTEXT hContext, TSS_HKEY hKey,
493 	unsigned long size_n, unsigned char *n)
494 {
495 	UINT64 offset;
496 	UINT32 blob_size;
497 	BYTE *blob, pub_blob[1024];
498 	TCPA_PUBKEY pub_key;
499 	TSS_RESULT result;
500 
501 	/* Get the TCPA_PUBKEY blob from the key object. */
502 	result = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_KEY_BLOB,
503 	    TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, &blob_size, &blob);
504 	if (result != TSS_SUCCESS) {
505 		stlogit("Tspi_GetAttribData failed: rc=0x%0x - %s\n",
506 		    result, Trspi_Error_String(result));
507 		return (result);
508 	}
509 
510 	offset = 0;
511 	result = Trspi_UnloadBlob_PUBKEY(&offset, blob, &pub_key);
512 	if (result != TSS_SUCCESS) {
513 		stlogit("Trspi_UnloadBlob_PUBKEY failed: rc=0x%0x - %s\n",
514 		    result, Trspi_Error_String(result));
515 		return (result);
516 	}
517 
518 	Tspi_Context_FreeMemory(hContext, blob);
519 	/* Free the first dangling reference, putting 'n' in its place */
520 	free(pub_key.pubKey.key);
521 	pub_key.pubKey.keyLength = size_n;
522 	pub_key.pubKey.key = n;
523 
524 	offset = 0;
525 	Trspi_LoadBlob_PUBKEY(&offset, pub_blob, &pub_key);
526 
527 	/* Free the second dangling reference */
528 	free(pub_key.algorithmParms.parms);
529 
530 	/* set the public key data in the TSS object */
531 	result = Tspi_SetAttribData(hKey, TSS_TSPATTRIB_KEY_BLOB,
532 	    TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, (UINT32)offset, pub_blob);
533 	if (result != TSS_SUCCESS) {
534 		stlogit("Tspi_SetAttribData failed: rc=0x%0x - %s\n",
535 		    result, Trspi_Error_String(result));
536 		return (result);
537 	}
538 
539 	return (result);
540 }
541 
542 /*
543  * Get details about the TPM to put into the token_info structure.
544  */
545 CK_RV
546 token_get_tpm_info(TSS_HCONTEXT hContext, TOKEN_DATA *td)
547 {
548 	TSS_RESULT result;
549 	TPM_CAPABILITY_AREA capArea = TSS_TPMCAP_VERSION_VAL;
550 	UINT32 datalen;
551 	BYTE *data;
552 	TSS_HTPM hTPM;
553 
554 	if ((result = Tspi_Context_GetTpmObject(hContext, &hTPM))) {
555 		stlogit("Tspi_Context_GetTpmObject: 0x%0x - %s",
556 		    result, Trspi_Error_String(result));
557 		return (CKR_FUNCTION_FAILED);
558 	}
559 	if ((result = Tspi_TPM_GetCapability(hTPM,
560 	    capArea, 0, NULL, &datalen, &data)) != 0 || datalen == 0 ||
561 	    data == NULL) {
562 		stlogit("Tspi_Context_GetCapability: 0x%0x - %s",
563 		    result, Trspi_Error_String(result));
564 		return (CKR_FUNCTION_FAILED);
565 	}
566 	if (datalen > sizeof (tpmvinfo)) {
567 		Tspi_Context_FreeMemory(hContext, data);
568 		return (CKR_FUNCTION_FAILED);
569 	}
570 
571 	(void) memcpy(&tpmvinfo, (void *)data, datalen);
572 
573 	bzero(td->token_info.manufacturerID,
574 	    sizeof (td->token_info.manufacturerID));
575 
576 	(void) memset(td->token_info.manufacturerID,  ' ',
577 	    sizeof (td->token_info.manufacturerID) - 1);
578 
579 	(void) memcpy(td->token_info.manufacturerID,
580 	    tpmvinfo.tpmVendorID, sizeof (tpmvinfo.tpmVendorID));
581 
582 	(void) memset(td->token_info.label, ' ',
583 	    sizeof (td->token_info.label) - 1);
584 
585 	(void) memcpy(td->token_info.label, "TPM", 3);
586 
587 	td->token_info.hardwareVersion.major = tpmvinfo.version.major;
588 	td->token_info.hardwareVersion.minor = tpmvinfo.version.minor;
589 	td->token_info.firmwareVersion.major = tpmvinfo.version.revMajor;
590 	td->token_info.firmwareVersion.minor = tpmvinfo.version.revMinor;
591 
592 	Tspi_Context_FreeMemory(hContext, data);
593 	return (CKR_OK);
594 }
595 
596 /*ARGSUSED*/
597 CK_RV
598 token_specific_session(CK_SLOT_ID  slotid)
599 {
600 	return (CKR_OK);
601 }
602 
603 CK_RV
604 token_rng(TSS_HCONTEXT hContext, CK_BYTE *output, CK_ULONG bytes)
605 {
606 	TSS_RESULT rc;
607 	TSS_HTPM hTPM;
608 	BYTE *random_bytes = NULL;
609 
610 	if ((rc = Tspi_Context_GetTpmObject(hContext, &hTPM))) {
611 		stlogit("Tspi_Context_GetTpmObject: 0x%0x - %s",
612 		    rc, Trspi_Error_String(rc));
613 		return (CKR_FUNCTION_FAILED);
614 	}
615 
616 	if ((rc = Tspi_TPM_GetRandom(hTPM, bytes, &random_bytes))) {
617 		stlogit("Tspi_TPM_GetRandom: 0x%0x - %s",
618 		    rc, Trspi_Error_String(rc));
619 		return (CKR_FUNCTION_FAILED);
620 	}
621 
622 	(void) memcpy(output, random_bytes, bytes);
623 	Tspi_Context_FreeMemory(hContext, random_bytes);
624 
625 	return (CKR_OK);
626 }
627 
628 TSS_RESULT
629 open_tss_context(TSS_HCONTEXT *pContext)
630 {
631 	TSS_RESULT result;
632 
633 	if ((result = Tspi_Context_Create(pContext))) {
634 		stlogit("Tspi_Context_Create: 0x%0x - %s",
635 		    result, Trspi_Error_String(result));
636 		return (CKR_FUNCTION_FAILED);
637 	}
638 
639 	if ((result = Tspi_Context_Connect(*pContext, NULL))) {
640 		stlogit("Tspi_Context_Connect: 0x%0x - %s",
641 		    result, Trspi_Error_String(result));
642 		Tspi_Context_Close(*pContext);
643 		*pContext = 0;
644 		return (CKR_FUNCTION_FAILED);
645 	}
646 	return (result);
647 }
648 
649 /*ARGSUSED*/
650 static CK_RV
651 token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber,
652     TSS_HCONTEXT *hContext)
653 {
654 	TSS_RESULT result;
655 
656 	result = open_tss_context(hContext);
657 	if (result)
658 		return (CKR_FUNCTION_FAILED);
659 
660 	if ((result = Tspi_Context_GetDefaultPolicy(*hContext,
661 	    &hDefaultPolicy))) {
662 		stlogit("Tspi_Context_GetDefaultPolicy: 0x%0x - %s",
663 		    result, Trspi_Error_String(result));
664 		return (CKR_FUNCTION_FAILED);
665 	}
666 
667 	local_uuid_clear(&publicRootKeyUUID);
668 	local_uuid_clear(&privateRootKeyUUID);
669 	local_uuid_clear(&publicLeafKeyUUID);
670 	local_uuid_clear(&privateLeafKeyUUID);
671 
672 	result = token_get_tpm_info(*hContext, nv_token_data);
673 	return (result);
674 }
675 
676 /*
677  * Given a modulus and prime from an RSA key, create a TSS_HKEY object by
678  * wrapping the RSA key with a key from the TPM (SRK or other previously stored
679  * key).
680  */
681 static CK_RV
682 token_wrap_sw_key(
683 	TSS_HCONTEXT hContext,
684 	int size_n,
685 	unsigned char *n,
686 	int size_p,
687 	unsigned char *p,
688 	TSS_HKEY hParentKey,
689 	TSS_FLAG initFlags,
690 	TSS_HKEY *phKey)
691 {
692 	TSS_RESULT result;
693 	UINT32 key_size;
694 
695 	key_size = util_get_keysize_flag(size_n * 8);
696 	if (initFlags == 0) {
697 		return (CKR_FUNCTION_FAILED);
698 	}
699 
700 	/* create the TSS key object */
701 	result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
702 	    TSS_KEY_MIGRATABLE | initFlags | key_size, phKey);
703 	if (result != TSS_SUCCESS) {
704 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
705 		    result, Trspi_Error_String(result));
706 		return (CKR_FUNCTION_FAILED);
707 	}
708 
709 	result = set_public_modulus(hContext, *phKey, size_n, n);
710 	if (result != TSS_SUCCESS) {
711 		Tspi_Context_CloseObject(hContext, *phKey);
712 		*phKey = NULL_HKEY;
713 		return (CKR_FUNCTION_FAILED);
714 	}
715 
716 	/* set the private key data in the TSS object */
717 	result = Tspi_SetAttribData(*phKey, TSS_TSPATTRIB_KEY_BLOB,
718 	    TSS_TSPATTRIB_KEYBLOB_PRIVATE_KEY, size_p, p);
719 	if (result != TSS_SUCCESS) {
720 		stlogit("Tspi_SetAttribData: 0x%x - %s",
721 		    result, Trspi_Error_String(result));
722 		Tspi_Context_CloseObject(hContext, *phKey);
723 		*phKey = NULL_HKEY;
724 		return (CKR_FUNCTION_FAILED);
725 	}
726 
727 	result = tss_assign_secret_key_policy(hContext, TSS_POLICY_MIGRATION,
728 	    *phKey, NULL);
729 
730 	if (TPMTOK_TSS_KEY_TYPE(initFlags) == TSS_KEY_TYPE_LEGACY) {
731 		if ((result = Tspi_SetAttribUint32(*phKey,
732 		    TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
733 		    TSS_ES_RSAESPKCSV15))) {
734 			stlogit("Tspi_SetAttribUint32: 0x%0x - %s\n",
735 			    result, Trspi_Error_String(result));
736 			Tspi_Context_CloseObject(hContext, *phKey);
737 			return (CKR_FUNCTION_FAILED);
738 		}
739 
740 		if ((result = Tspi_SetAttribUint32(*phKey,
741 		    TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
742 		    TSS_SS_RSASSAPKCS1V15_DER))) {
743 			stlogit("Tspi_SetAttribUint32: 0x%0x - %s\n",
744 			    result, Trspi_Error_String(result));
745 			Tspi_Context_CloseObject(hContext, *phKey);
746 			return (CKR_FUNCTION_FAILED);
747 		}
748 	}
749 
750 	result = Tspi_Key_WrapKey(*phKey, hParentKey, NULL_HPCRS);
751 	if (result != TSS_SUCCESS) {
752 		stlogit("Tspi_Key_WrapKey: 0x%0x - %s",
753 		    result, Trspi_Error_String(result));
754 		Tspi_Context_CloseObject(hContext, *phKey);
755 		*phKey = NULL_HKEY;
756 		return (CKR_FUNCTION_FAILED);
757 	}
758 
759 	return (CKR_OK);
760 }
761 
762 /*
763  * Create a TPM key blob for an imported key. This function is only called when
764  * a key is in active use, so any failure should trickle through.
765  */
766 static CK_RV
767 token_wrap_key_object(TSS_HCONTEXT hContext,
768 	CK_OBJECT_HANDLE ckObject,
769 	TSS_HKEY hParentKey, TSS_HKEY *phKey)
770 {
771 	CK_RV		rc = CKR_OK;
772 	CK_ATTRIBUTE	*attr = NULL, *new_attr, *prime_attr;
773 	CK_ULONG	class, key_type;
774 	OBJECT		*obj;
775 
776 	TSS_RESULT	result;
777 	TSS_FLAG	initFlags = 0;
778 	BYTE		*rgbBlob;
779 	UINT32		ulBlobLen;
780 
781 	if ((rc = object_mgr_find_in_map1(hContext, ckObject, &obj))) {
782 		return (rc);
783 	}
784 
785 	/* if the object isn't a key, fail */
786 	if (template_attribute_find(obj->template, CKA_KEY_TYPE,
787 	    &attr) == FALSE) {
788 		return (CKR_TEMPLATE_INCOMPLETE);
789 	}
790 
791 	key_type = *((CK_ULONG *)attr->pValue);
792 
793 	if (key_type != CKK_RSA) {
794 		return (CKR_TEMPLATE_INCONSISTENT);
795 	}
796 
797 	if (template_attribute_find(obj->template, CKA_CLASS,
798 	    &attr) == FALSE) {
799 		return (CKR_TEMPLATE_INCOMPLETE);
800 	}
801 
802 	class = *((CK_ULONG *)attr->pValue);
803 
804 	if (class == CKO_PRIVATE_KEY) {
805 		/*
806 		 * In order to create a full TSS key blob using a PKCS#11
807 		 * private key object, we need one of the two primes, the
808 		 * modulus and the private exponent and we need the public
809 		 * exponent to be correct.
810 		 */
811 
812 		/*
813 		 * Check the least likely attribute to exist first, the
814 		 * primes.
815 		 */
816 		if (template_attribute_find(obj->template, CKA_PRIME_1,
817 		    &prime_attr) == FALSE) {
818 			if (template_attribute_find(obj->template,
819 			    CKA_PRIME_2, &prime_attr) == FALSE) {
820 				return (CKR_TEMPLATE_INCOMPLETE);
821 			}
822 		}
823 
824 		/* Make sure the public exponent is usable */
825 		if ((rc = util_check_public_exponent(obj->template))) {
826 			return (CKR_TEMPLATE_INCONSISTENT);
827 		}
828 
829 		/* get the modulus */
830 		if (template_attribute_find(obj->template, CKA_MODULUS,
831 		    &attr) == FALSE) {
832 			return (CKR_TEMPLATE_INCOMPLETE);
833 		}
834 
835 		/* make sure the key size is usable */
836 		initFlags = util_get_keysize_flag(attr->ulValueLen * 8);
837 		if (initFlags == 0) {
838 			return (CKR_TEMPLATE_INCONSISTENT);
839 		}
840 
841 		/* generate the software based key */
842 		if ((rc = token_wrap_sw_key(hContext,
843 		    (int)attr->ulValueLen, attr->pValue,
844 		    (int)prime_attr->ulValueLen, prime_attr->pValue,
845 		    hParentKey, TSS_KEY_TYPE_LEGACY | TSS_KEY_NO_AUTHORIZATION,
846 		    phKey))) {
847 			return (rc);
848 		}
849 	} else if (class == CKO_PUBLIC_KEY) {
850 		/* Make sure the public exponent is usable */
851 		if ((util_check_public_exponent(obj->template))) {
852 			return (CKR_TEMPLATE_INCONSISTENT);
853 		}
854 
855 		/* grab the modulus to put into the TSS key object */
856 		if (template_attribute_find(obj->template,
857 		    CKA_MODULUS, &attr) == FALSE) {
858 			return (CKR_TEMPLATE_INCONSISTENT);
859 		}
860 
861 		/* make sure the key size is usable */
862 		initFlags = util_get_keysize_flag(attr->ulValueLen * 8);
863 		if (initFlags == 0) {
864 			return (CKR_TEMPLATE_INCONSISTENT);
865 		}
866 
867 		initFlags |= TSS_KEY_MIGRATABLE | TSS_KEY_NO_AUTHORIZATION |
868 		    TSS_KEY_TYPE_LEGACY;
869 
870 		if ((result = Tspi_Context_CreateObject(hContext,
871 		    TSS_OBJECT_TYPE_RSAKEY, initFlags, phKey))) {
872 			stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
873 			    result, Trspi_Error_String(result));
874 			return (result);
875 		}
876 
877 		if ((result = set_public_modulus(hContext, *phKey,
878 		    attr->ulValueLen, attr->pValue))) {
879 			Tspi_Context_CloseObject(hContext, *phKey);
880 			*phKey = NULL_HKEY;
881 			return (CKR_FUNCTION_FAILED);
882 		}
883 		result = tss_assign_secret_key_policy(hContext,
884 		    TSS_POLICY_MIGRATION, *phKey, NULL);
885 		if (result) {
886 			Tspi_Context_CloseObject(hContext, *phKey);
887 			*phKey = NULL_HKEY;
888 			return (CKR_FUNCTION_FAILED);
889 		}
890 
891 		result = set_legacy_key_params(*phKey);
892 		if (result) {
893 			Tspi_Context_CloseObject(hContext, *phKey);
894 			*phKey = NULL_HKEY;
895 			return (CKR_FUNCTION_FAILED);
896 		}
897 	} else {
898 		return (CKR_FUNCTION_FAILED);
899 	}
900 
901 	/* grab the entire key blob to put into the PKCS#11 object */
902 	if ((result = Tspi_GetAttribData(*phKey, TSS_TSPATTRIB_KEY_BLOB,
903 	    TSS_TSPATTRIB_KEYBLOB_BLOB, &ulBlobLen, &rgbBlob))) {
904 		stlogit("Tspi_GetAttribData: 0x%0x - %s",
905 		    result, Trspi_Error_String(result));
906 		return (CKR_FUNCTION_FAILED);
907 	}
908 
909 	/* insert the key blob into the object */
910 	if ((rc = build_attribute(CKA_IBM_OPAQUE, rgbBlob, ulBlobLen,
911 	    &new_attr))) {
912 		Tspi_Context_FreeMemory(hContext, rgbBlob);
913 		return (rc);
914 	}
915 	(void) template_update_attribute(obj->template, new_attr);
916 	Tspi_Context_FreeMemory(hContext, rgbBlob);
917 
918 	/*
919 	 * If this is a token object, save it with the new attribute
920 	 * so that we don't have to go down this path again.
921 	 */
922 	if (!object_is_session_object(obj)) {
923 		rc = save_token_object(hContext, obj);
924 	}
925 
926 	return (rc);
927 }
928 
929 static TSS_RESULT
930 tss_assign_secret_key_policy(TSS_HCONTEXT hContext, TSS_FLAG policyType,
931     TSS_HKEY hKey, CK_CHAR *passHash)
932 {
933 	TSS_RESULT result;
934 	TSS_HPOLICY hPolicy;
935 
936 	if ((result = Tspi_Context_CreateObject(hContext,
937 	    TSS_OBJECT_TYPE_POLICY, policyType, &hPolicy))) {
938 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
939 		    result, Trspi_Error_String(result));
940 		return (result);
941 	}
942 	if ((result = Tspi_Policy_AssignToObject(hPolicy, hKey))) {
943 		stlogit("Tspi_Policy_AssignToObject: 0x%0x - %s",
944 		    result, Trspi_Error_String(result));
945 		goto done;
946 	}
947 	if (passHash == NULL) {
948 		result = Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_NONE,
949 		    0, NULL);
950 	} else {
951 		result = Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_SHA1,
952 		    SHA1_DIGEST_LENGTH, passHash);
953 	}
954 	if (result != TSS_SUCCESS) {
955 		stlogit("Tspi_Policy_SetSecret: 0x%0x - %s",
956 		    result, Trspi_Error_String(result));
957 		goto done;
958 	}
959 done:
960 	if (result != TSS_SUCCESS)
961 		Tspi_Context_CloseObject(hContext, hPolicy);
962 	return (result);
963 }
964 
965 /*
966  * Take a key from the TSS store (on-disk) and load it into the TPM, wrapped
967  * by an already TPM-resident key and protected with a PIN (optional).
968  */
969 static CK_RV
970 token_load_key(
971 	TSS_HCONTEXT hContext,
972 	CK_OBJECT_HANDLE ckKey,
973 	TSS_HKEY hParentKey,
974 	CK_CHAR_PTR passHash,
975 	TSS_HKEY *phKey)
976 {
977 	TSS_RESULT result;
978 	CK_RV rc;
979 
980 	/*
981 	 * The key blob wasn't found, load the parts of the key
982 	 * from the object DB and create a new key object that
983 	 * gets loaded into the TPM, wrapped with the parent key.
984 	 */
985 	if ((rc = token_wrap_key_object(hContext, ckKey,
986 	    hParentKey, phKey))) {
987 		return (rc);
988 	}
989 
990 	/*
991 	 * Assign the PIN hash (optional) to the newly loaded key object,
992 	 * if this PIN is incorrect, the TPM will not be able to decrypt
993 	 * the private key and use it.
994 	 */
995 	result = tss_assign_secret_key_policy(hContext, TSS_POLICY_USAGE,
996 	    *phKey, passHash);
997 
998 	return (result);
999 }
1000 
1001 /*
1002  * Load the SRK into the TPM by referencing its well-known UUID and using the
1003  * default SRK PIN (20 bytes of 0x00).
1004  *
1005  * NOTE - if the SRK PIN is changed by an administrative tool, this code will
1006  * fail because it assumes that the well-known PIN is still being used.
1007  */
1008 static TSS_RESULT
1009 token_load_srk(TSS_HCONTEXT hContext, TSS_HKEY *hSRK)
1010 {
1011 	TSS_HPOLICY hPolicy;
1012 	TSS_RESULT result;
1013 	TSS_UUID SRK_UUID = TSS_UUID_SRK;
1014 	BYTE wellKnown[] = TSS_WELL_KNOWN_SECRET;
1015 	TSS_HTPM hTPM;
1016 
1017 	if ((result = Tspi_Context_GetTpmObject(hContext, &hTPM))) {
1018 		stlogit("Tspi_Context_GetTpmObject: 0x%0x - %s",
1019 		    result, Trspi_Error_String(result));
1020 		return (CKR_FUNCTION_FAILED);
1021 	}
1022 
1023 	/* load the SRK */
1024 	if ((result = Tspi_Context_LoadKeyByUUID(hContext,
1025 	    TSS_PS_TYPE_SYSTEM, SRK_UUID, hSRK))) {
1026 		stlogit("Tspi_Context_LoadKeyByUUID: 0x%0x - %s",
1027 		    result, Trspi_Error_String(result));
1028 		goto done;
1029 	}
1030 	if ((result = Tspi_GetPolicyObject(*hSRK, TSS_POLICY_USAGE,
1031 	    &hPolicy))) {
1032 		stlogit("Tspi_GetPolicyObject: 0x%0x - %s",
1033 		    result, Trspi_Error_String(result));
1034 		goto done;
1035 	}
1036 	if ((result = Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_SHA1,
1037 	    sizeof (wellKnown), wellKnown))) {
1038 		stlogit("Tspi_Policy_SetSecret: 0x%0x - %s",
1039 		    result, Trspi_Error_String(result));
1040 		goto done;
1041 	}
1042 
1043 done:
1044 	return (result);
1045 }
1046 
1047 static TSS_RESULT
1048 tss_find_and_load_key(TSS_HCONTEXT hContext,
1049 	char *keyid, TSS_UUID *uuid, TSS_HKEY hParent,
1050 	BYTE *hash, TSS_HKEY *hKey)
1051 {
1052 	TSS_RESULT result;
1053 
1054 	if (local_uuid_is_null(uuid) &&
1055 	    find_uuid(keyid, uuid)) {
1056 		/* The UUID was not created or saved yet */
1057 		return (1);
1058 	}
1059 	result = Tspi_Context_GetKeyByUUID(hContext,
1060 	    TSS_PS_TYPE_USER, *uuid, hKey);
1061 	if (result) {
1062 		stlogit("Tspi_Context_GetKeyByUUID: 0x%0x - %s",
1063 		    result, Trspi_Error_String(result));
1064 		return (result);
1065 	}
1066 
1067 	if (hash != NULL) {
1068 		result = tss_assign_secret_key_policy(hContext,
1069 		    TSS_POLICY_USAGE, *hKey, (CK_BYTE *)hash);
1070 		if (result)
1071 			return (result);
1072 	}
1073 
1074 	result = Tspi_Key_LoadKey(*hKey, hParent);
1075 	if (result)
1076 		stlogit("Tspi_Key_LoadKey: 0x%0x - %s",
1077 		    result, Trspi_Error_String(result));
1078 
1079 	return (result);
1080 }
1081 
1082 static TSS_RESULT
1083 token_load_public_root_key(TSS_HCONTEXT hContext)
1084 {
1085 	TSS_RESULT result;
1086 	TSS_HKEY hSRK;
1087 
1088 	if (hPublicRootKey != NULL_HKEY)
1089 		return (TSS_SUCCESS);
1090 
1091 	if ((result = token_load_srk(hContext, &hSRK))) {
1092 		return (result);
1093 	}
1094 
1095 	result = tss_find_and_load_key(hContext,
1096 	    TPMTOK_PUBLIC_ROOT_KEY_ID,
1097 	    &publicRootKeyUUID, hSRK, NULL, &hPublicRootKey);
1098 	if (result)
1099 		return (result);
1100 
1101 	return (result);
1102 }
1103 
1104 static TSS_RESULT
1105 set_legacy_key_params(TSS_HKEY hKey)
1106 {
1107 	TSS_RESULT result;
1108 
1109 	if ((result = Tspi_SetAttribUint32(hKey,
1110 	    TSS_TSPATTRIB_KEY_INFO,
1111 	    TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
1112 	    TSS_ES_RSAESPKCSV15))) {
1113 		stlogit("Tspi_SetAttribUint32: 0x%0x - %s",
1114 		    result, Trspi_Error_String(result));
1115 		return (result);
1116 	}
1117 
1118 	if ((result = Tspi_SetAttribUint32(hKey,
1119 	    TSS_TSPATTRIB_KEY_INFO,
1120 	    TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
1121 	    TSS_SS_RSASSAPKCS1V15_DER))) {
1122 		stlogit("Tspi_SetAttribUint32: 0x%0x - %s",
1123 		    result, Trspi_Error_String(result));
1124 		return (result);
1125 	}
1126 
1127 	return (result);
1128 }
1129 
1130 static TSS_RESULT
1131 tss_generate_key(TSS_HCONTEXT hContext, TSS_FLAG initFlags, BYTE *passHash,
1132 	TSS_HKEY hParentKey, TSS_HKEY *phKey)
1133 {
1134 	TSS_RESULT	result;
1135 	TSS_HPOLICY	hMigPolicy;
1136 
1137 	if ((result = Tspi_Context_CreateObject(hContext,
1138 	    TSS_OBJECT_TYPE_RSAKEY, initFlags, phKey))) {
1139 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
1140 		    result, Trspi_Error_String(result));
1141 		return (result);
1142 	}
1143 	result = tss_assign_secret_key_policy(hContext, TSS_POLICY_USAGE,
1144 	    *phKey, passHash);
1145 
1146 	if (result) {
1147 		Tspi_Context_CloseObject(hContext, *phKey);
1148 		return (result);
1149 	}
1150 
1151 	if (TPMTOK_TSS_KEY_MIG_TYPE(initFlags) == TSS_KEY_MIGRATABLE) {
1152 		if ((result = Tspi_Context_CreateObject(hContext,
1153 		    TSS_OBJECT_TYPE_POLICY, TSS_POLICY_MIGRATION,
1154 		    &hMigPolicy))) {
1155 			stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
1156 			    result, Trspi_Error_String(result));
1157 			Tspi_Context_CloseObject(hContext, *phKey);
1158 			return (result);
1159 		}
1160 
1161 		if (passHash == NULL) {
1162 			result = Tspi_Policy_SetSecret(hMigPolicy,
1163 			    TSS_SECRET_MODE_NONE, 0, NULL);
1164 		} else {
1165 			result = Tspi_Policy_SetSecret(hMigPolicy,
1166 			    TSS_SECRET_MODE_SHA1, 20, passHash);
1167 		}
1168 
1169 		if (result != TSS_SUCCESS) {
1170 			stlogit("Tspi_Policy_SetSecret: 0x%0x - %s",
1171 			    result, Trspi_Error_String(result));
1172 			Tspi_Context_CloseObject(hContext, *phKey);
1173 			Tspi_Context_CloseObject(hContext, hMigPolicy);
1174 			return (result);
1175 		}
1176 
1177 		if ((result = Tspi_Policy_AssignToObject(hMigPolicy, *phKey))) {
1178 			stlogit("Tspi_Policy_AssignToObject: 0x%0x - %s",
1179 			    result, Trspi_Error_String(result));
1180 			Tspi_Context_CloseObject(hContext, *phKey);
1181 			Tspi_Context_CloseObject(hContext, hMigPolicy);
1182 			return (result);
1183 		}
1184 	}
1185 
1186 	if (TPMTOK_TSS_KEY_TYPE(initFlags) == TSS_KEY_TYPE_LEGACY) {
1187 		result = set_legacy_key_params(*phKey);
1188 		if (result) {
1189 			Tspi_Context_CloseObject(hContext, *phKey);
1190 			Tspi_Context_CloseObject(hContext, hMigPolicy);
1191 			return (result);
1192 		}
1193 	}
1194 
1195 	if ((result = Tspi_Key_CreateKey(*phKey, hParentKey, 0))) {
1196 		stlogit("Tspi_Key_CreateKey: 0x%0x - %s",
1197 		    result, Trspi_Error_String(result));
1198 		Tspi_Context_CloseObject(hContext, *phKey);
1199 		Tspi_Context_CloseObject(hContext, hMigPolicy);
1200 	}
1201 
1202 	return (result);
1203 }
1204 
1205 static TSS_RESULT
1206 tss_change_auth(
1207 	TSS_HCONTEXT hContext,
1208 	TSS_HKEY hObjectToChange, TSS_HKEY hParentObject,
1209 	TSS_UUID objUUID, TSS_UUID parentUUID,
1210 	CK_CHAR *passHash)
1211 {
1212 	TSS_RESULT result;
1213 	TSS_HPOLICY hPolicy;
1214 	TSS_HKEY oldkey;
1215 
1216 	if ((result = Tspi_Context_CreateObject(hContext,
1217 	    TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE, &hPolicy))) {
1218 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
1219 		    result, Trspi_Error_String(result));
1220 		return (result);
1221 	}
1222 
1223 	if ((result = Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_SHA1,
1224 	    SHA1_DIGEST_LENGTH, passHash))) {
1225 		stlogit("Tspi_Policy_SetSecret: 0x%0x - %s",
1226 		    result, Trspi_Error_String(result));
1227 		return (result);
1228 	}
1229 
1230 	if ((result = Tspi_ChangeAuth(hObjectToChange, hParentObject,
1231 	    hPolicy))) {
1232 		stlogit("Tspi_ChangeAuth: 0x%0x - %s",
1233 		    result, Trspi_Error_String(result));
1234 	}
1235 	/*
1236 	 * Update the PS key by unregistering the key UUID and then
1237 	 * re-registering with the same UUID.  This forces the updated
1238 	 * auth data associated with the key to be stored in PS so
1239 	 * the new PIN can be used next time.
1240 	 */
1241 	if ((result = Tspi_Context_UnregisterKey(hContext,
1242 	    TSS_PS_TYPE_USER, objUUID, &oldkey)))
1243 		stlogit("Tspi_Context_UnregisterKey: 0x%0x - %s",
1244 		    result, Trspi_Error_String(result));
1245 
1246 	if ((result = Tspi_Context_RegisterKey(hContext, hObjectToChange,
1247 	    TSS_PS_TYPE_USER, objUUID, TSS_PS_TYPE_USER, parentUUID)))
1248 		stlogit("Tspi_Context_RegisterKey: 0x%0x - %s",
1249 		    result, Trspi_Error_String(result));
1250 
1251 	return (result);
1252 }
1253 
1254 static CK_RV
1255 token_generate_leaf_key(TSS_HCONTEXT hContext,
1256 	int key_type, CK_CHAR_PTR passHash, TSS_HKEY *phKey)
1257 {
1258 	CK_RV		rc = CKR_FUNCTION_FAILED;
1259 	TSS_RESULT	result;
1260 	TSS_HKEY	hParentKey;
1261 	TSS_UUID	newuuid, parentUUID;
1262 	char		*keyid;
1263 	TSS_FLAG	initFlags = TSS_KEY_MIGRATABLE |
1264 	    TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048  | TSS_KEY_AUTHORIZATION;
1265 
1266 	switch (key_type) {
1267 		case TPMTOK_PUBLIC_LEAF_KEY:
1268 			hParentKey = hPublicRootKey;
1269 			keyid = TPMTOK_PUBLIC_LEAF_KEY_ID;
1270 			local_uuid_copy(&parentUUID, &publicRootKeyUUID);
1271 			break;
1272 		case TPMTOK_PRIVATE_LEAF_KEY:
1273 			hParentKey = hPrivateRootKey;
1274 			keyid = TPMTOK_PRIVATE_LEAF_KEY_ID;
1275 			local_uuid_copy(&parentUUID, &privateRootKeyUUID);
1276 			break;
1277 		default:
1278 			stlogit("Unknown key type 0x%0x", key_type);
1279 			goto done;
1280 	}
1281 
1282 	if (result = tss_generate_key(hContext, initFlags, passHash,
1283 	    hParentKey, phKey)) {
1284 		return (rc);
1285 	}
1286 
1287 	/*
1288 	 * - generate newUUID
1289 	 * - Tspi_Context_RegisterKey(hContext, hPrivateRootKey,
1290 	 *   USER, newUUID, USER, parentUUID);
1291 	 * - store newUUID
1292 	 */
1293 	(void) local_uuid_generate(&newuuid);
1294 
1295 	result = Tspi_Context_RegisterKey(hContext, *phKey,
1296 	    TSS_PS_TYPE_USER, newuuid,
1297 	    TSS_PS_TYPE_USER, parentUUID);
1298 	if (result == TSS_SUCCESS) {
1299 		int ret;
1300 		/*
1301 		 * Add the UUID to the token UUID index.
1302 		 */
1303 		ret = add_uuid(keyid, &newuuid);
1304 
1305 		if (ret)
1306 			result = Tspi_Context_UnregisterKey(hContext,
1307 			    TSS_PS_TYPE_USER, newuuid, phKey);
1308 		else
1309 			rc = CKR_OK;
1310 	}
1311 
1312 done:
1313 	return (rc);
1314 }
1315 
1316 /*
1317  * PINs are verified by attempting to bind/unbind random data using a
1318  * TPM resident key that has the PIN being tested assigned as its "secret".
1319  * If the PIN is incorrect, the unbind operation will fail.
1320  */
1321 static CK_RV
1322 token_verify_pin(TSS_HCONTEXT hContext, TSS_HKEY hKey)
1323 {
1324 	TSS_HENCDATA hEncData;
1325 	UINT32 ulUnboundDataLen;
1326 	BYTE *rgbUnboundData = NULL;
1327 	BYTE rgbData[16];
1328 	TSS_RESULT result;
1329 	CK_RV rc = CKR_FUNCTION_FAILED;
1330 
1331 	if ((result = Tspi_Context_CreateObject(hContext,
1332 	    TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hEncData))) {
1333 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
1334 		    result, Trspi_Error_String(result));
1335 		goto done;
1336 	}
1337 
1338 	/* Use some random data */
1339 	rc = token_rng(hContext, rgbData, sizeof (rgbData));
1340 	if (rc)
1341 		goto done;
1342 
1343 	if ((result = Tspi_Data_Bind(hEncData, hKey,
1344 	    sizeof (rgbData), rgbData))) {
1345 		stlogit("Tspi_Data_Bind: 0x%0x - %s",
1346 		    result, Trspi_Error_String(result));
1347 		goto done;
1348 	}
1349 
1350 	/* unbind the junk data to test the key's auth data */
1351 	result = Tspi_Data_Unbind(hEncData, hKey, &ulUnboundDataLen,
1352 	    &rgbUnboundData);
1353 	if (result == TPM_E_AUTHFAIL) {
1354 		rc = CKR_PIN_INCORRECT;
1355 		stlogit("Tspi_Data_Unbind: 0x%0x - %s",
1356 		    result, Trspi_Error_String(result));
1357 		goto done;
1358 	} else if (result != TSS_SUCCESS) {
1359 		stlogit("Tspi_Data_Unbind: 0x%0x - %s",
1360 		    result, Trspi_Error_String(result));
1361 		rc = CKR_FUNCTION_FAILED;
1362 		goto done;
1363 	}
1364 
1365 	if (memcmp(rgbUnboundData, rgbData, ulUnboundDataLen))
1366 		rc = CKR_PIN_INCORRECT;
1367 	else
1368 		rc = CKR_OK;
1369 
1370 done:
1371 	if (rgbUnboundData != NULL)
1372 		Tspi_Context_FreeMemory(hContext, rgbUnboundData);
1373 	Tspi_Context_CloseObject(hContext, hEncData);
1374 	return (rc);
1375 }
1376 
1377 static CK_RV
1378 token_create_private_tree(TSS_HCONTEXT hContext, CK_BYTE *pinHash)
1379 {
1380 	CK_RV		rc;
1381 	TSS_RESULT	result;
1382 	int		ret;
1383 	TSS_FLAG initFlags = TSS_KEY_SIZE_2048 |
1384 	    TSS_KEY_NO_AUTHORIZATION | TSS_KEY_TYPE_STORAGE;
1385 	TSS_UUID SRK_UUID = TSS_UUID_SRK;
1386 	TSS_HKEY hSRK;
1387 
1388 	if (token_load_srk(hContext, &hSRK))
1389 		return (CKR_FUNCTION_FAILED);
1390 
1391 	/*
1392 	 * - create UUID privateRootKeyUUID
1393 	 * - Tspi_Context_RegisterKey(hContext, hPrivateRootKey,
1394 	 *   USER, privateRootKeyUUID, system, UUID_SRK);
1395 	 * - store privateRootKeyUUID in users private token space.
1396 	 */
1397 	if ((result = tss_generate_key(hContext, initFlags, NULL, hSRK,
1398 	    &hPrivateRootKey))) {
1399 		return (result);
1400 	}
1401 	if (local_uuid_is_null(&privateRootKeyUUID))
1402 		local_uuid_generate(&privateRootKeyUUID);
1403 
1404 	result = Tspi_Context_RegisterKey(hContext, hPrivateRootKey,
1405 	    TSS_PS_TYPE_USER, privateRootKeyUUID,
1406 	    TSS_PS_TYPE_SYSTEM, SRK_UUID);
1407 
1408 	if (result) {
1409 		local_uuid_clear(&privateRootKeyUUID);
1410 		return (result);
1411 	}
1412 
1413 	ret = add_uuid(TPMTOK_PRIVATE_ROOT_KEY_ID, &privateRootKeyUUID);
1414 	if (ret) {
1415 		result = Tspi_Context_UnregisterKey(hContext,
1416 		    TSS_PS_TYPE_USER, privateRootKeyUUID,
1417 		    &hPrivateRootKey);
1418 		return (CKR_FUNCTION_FAILED);
1419 	}
1420 
1421 	if ((result = Tspi_Key_LoadKey(hPrivateRootKey, hSRK))) {
1422 		stlogit("Tspi_Key_LoadKey: 0x%0x - %s",
1423 		    result, Trspi_Error_String(result));
1424 		Tspi_Context_CloseObject(hContext, hPrivateRootKey);
1425 
1426 		(void) remove_uuid(TPMTOK_PRIVATE_ROOT_KEY_ID);
1427 		local_uuid_clear(&privateRootKeyUUID);
1428 
1429 		hPrivateRootKey = NULL_HKEY;
1430 		return (CKR_FUNCTION_FAILED);
1431 	}
1432 
1433 
1434 	/* generate the private leaf key */
1435 	if ((rc = token_generate_leaf_key(hContext,
1436 	    TPMTOK_PRIVATE_LEAF_KEY,
1437 	    pinHash, &hPrivateLeafKey))) {
1438 		return (rc);
1439 	}
1440 
1441 	if ((result = Tspi_Key_LoadKey(hPrivateLeafKey, hPrivateRootKey))) {
1442 		stlogit("Tspi_Key_LoadKey: 0x%0x - %s",
1443 		    result, Trspi_Error_String(result));
1444 
1445 		(void) Tspi_Context_UnregisterKey(hContext,
1446 		    TSS_PS_TYPE_USER, privateLeafKeyUUID,
1447 		    &hPrivateLeafKey);
1448 		(void) remove_uuid(TPMTOK_PRIVATE_LEAF_KEY_ID);
1449 		local_uuid_clear(&privateLeafKeyUUID);
1450 
1451 		(void) Tspi_Context_UnregisterKey(hContext,
1452 		    TSS_PS_TYPE_USER, privateRootKeyUUID,
1453 		    &hPrivateRootKey);
1454 		(void) remove_uuid(TPMTOK_PRIVATE_ROOT_KEY_ID);
1455 		local_uuid_clear(&privateRootKeyUUID);
1456 
1457 		Tspi_Context_CloseObject(hContext, hPrivateRootKey);
1458 		hPrivateRootKey = NULL_HKEY;
1459 
1460 		Tspi_Context_CloseObject(hContext, hPrivateLeafKey);
1461 		hPrivateRootKey = NULL_HKEY;
1462 
1463 		return (CKR_FUNCTION_FAILED);
1464 	}
1465 	return (rc);
1466 }
1467 
1468 static CK_RV
1469 token_create_public_tree(TSS_HCONTEXT hContext, CK_BYTE *pinHash)
1470 {
1471 	CK_RV		rc;
1472 	TSS_RESULT	result;
1473 	int		ret;
1474 	TSS_FLAG initFlags = TSS_KEY_SIZE_2048 |
1475 	    TSS_KEY_NO_AUTHORIZATION | TSS_KEY_TYPE_STORAGE;
1476 	TSS_UUID srk_uuid = TSS_UUID_SRK;
1477 	TSS_HKEY hSRK;
1478 
1479 	if (token_load_srk(hContext, &hSRK))
1480 		return (CKR_FUNCTION_FAILED);
1481 
1482 	/*
1483 	 * - create publicRootKeyUUID
1484 	 * - Tspi_Context_RegisterKey(hContext, hPublicRootKey,
1485 	 *   USER, publicRootKeyUUID, system, UUID_SRK);
1486 	 * - store publicRootKeyUUID in users private token space.
1487 	 */
1488 	if ((result = tss_generate_key(hContext, initFlags, NULL, hSRK,
1489 	    &hPublicRootKey))) {
1490 		return (CKR_FUNCTION_FAILED);
1491 	}
1492 	if (local_uuid_is_null(&publicRootKeyUUID))
1493 		local_uuid_generate(&publicRootKeyUUID);
1494 
1495 	result = Tspi_Context_RegisterKey(hContext, hPublicRootKey,
1496 	    TSS_PS_TYPE_USER, publicRootKeyUUID,
1497 	    TSS_PS_TYPE_SYSTEM, srk_uuid);
1498 
1499 	if (result) {
1500 		local_uuid_clear(&publicRootKeyUUID);
1501 		return (CKR_FUNCTION_FAILED);
1502 	}
1503 
1504 	ret = add_uuid(TPMTOK_PUBLIC_ROOT_KEY_ID, &publicRootKeyUUID);
1505 	if (ret) {
1506 		result = Tspi_Context_UnregisterKey(hContext,
1507 		    TSS_PS_TYPE_USER, publicRootKeyUUID,
1508 		    &hPublicRootKey);
1509 		/* does result matter here? */
1510 		return (CKR_FUNCTION_FAILED);
1511 	}
1512 
1513 	/* Load the newly created publicRootKey into the TPM using the SRK */
1514 	if ((result = Tspi_Key_LoadKey(hPublicRootKey, hSRK))) {
1515 		stlogit("Tspi_Key_LoadKey: 0x%x - %s", result,
1516 		    Trspi_Error_String(result));
1517 		Tspi_Context_CloseObject(hContext, hPublicRootKey);
1518 		hPublicRootKey = NULL_HKEY;
1519 		return (CKR_FUNCTION_FAILED);
1520 	}
1521 
1522 	/* create the SO's leaf key */
1523 	if ((rc = token_generate_leaf_key(hContext, TPMTOK_PUBLIC_LEAF_KEY,
1524 	    pinHash, &hPublicLeafKey))) {
1525 		return (rc);
1526 	}
1527 
1528 	if ((result = Tspi_Key_LoadKey(hPublicLeafKey, hPublicRootKey))) {
1529 		stlogit("Tspi_Key_LoadKey: 0x%0x - %s",
1530 		    result, Trspi_Error_String(result));
1531 
1532 		/* Unregister keys and clear UUIDs */
1533 		(void) Tspi_Context_UnregisterKey(hContext,
1534 		    TSS_PS_TYPE_USER, publicLeafKeyUUID,
1535 		    &hPublicLeafKey);
1536 		(void) remove_uuid(TPMTOK_PUBLIC_LEAF_KEY_ID);
1537 
1538 		(void) Tspi_Context_UnregisterKey(hContext,
1539 		    TSS_PS_TYPE_USER, publicRootKeyUUID,
1540 		    &hPublicRootKey);
1541 		(void) remove_uuid(TPMTOK_PUBLIC_ROOT_KEY_ID);
1542 
1543 		Tspi_Context_CloseObject(hContext, hPublicRootKey);
1544 		hPublicRootKey = NULL_HKEY;
1545 
1546 		Tspi_Context_CloseObject(hContext, hPublicLeafKey);
1547 		hPublicLeafKey = NULL_HKEY;
1548 
1549 		return (CKR_FUNCTION_FAILED);
1550 	}
1551 
1552 	return (rc);
1553 }
1554 
1555 CK_RV
1556 token_specific_login(
1557 	TSS_HCONTEXT hContext,
1558 	CK_USER_TYPE userType,
1559 	CK_CHAR_PTR pPin,
1560 	CK_ULONG ulPinLen)
1561 {
1562 	CK_RV rc;
1563 	CK_BYTE hash_sha[SHA1_DIGEST_LENGTH];
1564 	TSS_RESULT result;
1565 	TSS_HKEY hSRK;
1566 
1567 	/* Make sure the SRK is loaded into the TPM */
1568 	if ((result = token_load_srk(hContext, &hSRK))) {
1569 		return (CKR_FUNCTION_FAILED);
1570 	}
1571 
1572 	if ((rc = compute_sha(pPin, ulPinLen, hash_sha))) {
1573 		return (CKR_FUNCTION_FAILED);
1574 	}
1575 
1576 	if (userType == CKU_USER) {
1577 		/*
1578 		 * If the public root key doesn't exist yet,
1579 		 * the SO hasn't init'd the token.
1580 		 */
1581 		if ((result = token_load_public_root_key(hContext))) {
1582 			if (result == TPM_E_DECRYPT_ERROR) {
1583 				return (CKR_USER_PIN_NOT_INITIALIZED);
1584 			}
1585 		}
1586 
1587 		/*
1588 		 * - find privateRootKeyUUID
1589 		 * - load by UUID (SRK parent)
1590 		 */
1591 		if (local_uuid_is_null(&privateRootKeyUUID) &&
1592 		    find_uuid(TPMTOK_PRIVATE_ROOT_KEY_ID,
1593 		    &privateRootKeyUUID)) {
1594 				if (memcmp(hash_sha,
1595 				    default_user_pin_sha,
1596 				    SHA1_DIGEST_LENGTH))
1597 					return (CKR_PIN_INCORRECT);
1598 
1599 				not_initialized = 1;
1600 				return (CKR_OK);
1601 		}
1602 
1603 		if ((rc = verify_user_pin(hContext, hash_sha))) {
1604 			return (rc);
1605 		}
1606 
1607 		(void) memcpy(current_user_pin_sha, hash_sha,
1608 		    SHA1_DIGEST_LENGTH);
1609 
1610 		rc = load_private_token_objects(hContext);
1611 		if (rc == CKR_OK) {
1612 			(void) XProcLock(xproclock);
1613 			global_shm->priv_loaded = TRUE;
1614 			(void) XProcUnLock(xproclock);
1615 		}
1616 	} else {
1617 		/*
1618 		 * SO login logic:
1619 		 *
1620 		 * - find publicRootKey UUID
1621 		 * - load by UUID wrap with hSRK from above
1622 		 */
1623 		if (local_uuid_is_null(&publicRootKeyUUID) &&
1624 		    find_uuid(TPMTOK_PUBLIC_ROOT_KEY_ID,
1625 		    &publicRootKeyUUID)) {
1626 				if (memcmp(hash_sha,
1627 				    default_so_pin_sha,
1628 				    SHA1_DIGEST_LENGTH))
1629 					return (CKR_PIN_INCORRECT);
1630 
1631 				not_initialized = 1;
1632 				return (CKR_OK);
1633 
1634 		}
1635 		if (hPublicRootKey == NULL_HKEY) {
1636 			result = tss_find_and_load_key(
1637 			    hContext,
1638 			    TPMTOK_PUBLIC_ROOT_KEY_ID,
1639 			    &publicRootKeyUUID, hSRK, NULL,
1640 			    &hPublicRootKey);
1641 
1642 			if (result)
1643 				return (CKR_FUNCTION_FAILED);
1644 		}
1645 
1646 		/* find, load the public leaf key */
1647 		if (hPublicLeafKey == NULL_HKEY) {
1648 			result = tss_find_and_load_key(
1649 			    hContext,
1650 			    TPMTOK_PUBLIC_LEAF_KEY_ID,
1651 			    &publicLeafKeyUUID, hPublicRootKey, hash_sha,
1652 			    &hPublicLeafKey);
1653 			if (result)
1654 				return (CKR_FUNCTION_FAILED);
1655 		}
1656 
1657 		if ((rc = token_verify_pin(hContext, hPublicLeafKey))) {
1658 			return (rc);
1659 		}
1660 
1661 		(void) memcpy(current_so_pin_sha, hash_sha, SHA1_DIGEST_LENGTH);
1662 	}
1663 
1664 	return (rc);
1665 }
1666 
1667 CK_RV
1668 token_specific_logout(TSS_HCONTEXT hContext)
1669 {
1670 	if (hPrivateLeafKey != NULL_HKEY) {
1671 		Tspi_Key_UnloadKey(hPrivateLeafKey);
1672 		hPrivateLeafKey = NULL_HKEY;
1673 	} else if (hPublicLeafKey != NULL_HKEY) {
1674 		Tspi_Key_UnloadKey(hPublicLeafKey);
1675 		hPublicLeafKey = NULL_HKEY;
1676 	}
1677 
1678 	local_uuid_clear(&publicRootKeyUUID);
1679 	local_uuid_clear(&publicLeafKeyUUID);
1680 	local_uuid_clear(&privateRootKeyUUID);
1681 	local_uuid_clear(&privateLeafKeyUUID);
1682 
1683 	(void) memset(current_so_pin_sha, 0, SHA1_DIGEST_LENGTH);
1684 	(void) memset(current_user_pin_sha, 0, SHA1_DIGEST_LENGTH);
1685 
1686 	(void) object_mgr_purge_private_token_objects(hContext);
1687 
1688 	return (CKR_OK);
1689 }
1690 
1691 /*ARGSUSED*/
1692 CK_RV
1693 token_specific_init_pin(TSS_HCONTEXT hContext,
1694 	CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
1695 {
1696 	/*
1697 	 * Since the SO must log in before calling C_InitPIN, we will
1698 	 * be able to return (CKR_OK) automatically here.
1699 	 * This is because the USER key structure is created at the
1700 	 * time of their first login, not at C_InitPIN time.
1701 	 */
1702 	return (CKR_OK);
1703 }
1704 
1705 static CK_RV
1706 check_pin_properties(CK_USER_TYPE userType, CK_BYTE *pinHash,
1707 	CK_ULONG ulPinLen)
1708 {
1709 	/* make sure the new PIN is different */
1710 	if (userType == CKU_USER) {
1711 		if (!memcmp(pinHash, default_user_pin_sha,
1712 		    SHA1_DIGEST_LENGTH)) {
1713 			LogError1("new PIN must not be the default");
1714 			return (CKR_PIN_INVALID);
1715 		}
1716 	} else {
1717 		if (!memcmp(pinHash, default_so_pin_sha,
1718 		    SHA1_DIGEST_LENGTH)) {
1719 			LogError1("new PIN must not be the default");
1720 			return (CKR_PIN_INVALID);
1721 		}
1722 	}
1723 
1724 	if (ulPinLen > MAX_PIN_LEN || ulPinLen < MIN_PIN_LEN) {
1725 		LogError1("New PIN is out of size range");
1726 		return (CKR_PIN_LEN_RANGE);
1727 	}
1728 
1729 	return (CKR_OK);
1730 }
1731 
1732 /*
1733  * This function is called from set_pin only, where a non-logged-in public
1734  * session can provide the user pin which must be verified. This function
1735  * assumes that the pin has already been set once, so there's no migration
1736  * path option or checking of the default user pin.
1737  */
1738 static CK_RV
1739 verify_user_pin(TSS_HCONTEXT hContext, CK_BYTE *hash_sha)
1740 {
1741 	CK_RV rc;
1742 	TSS_RESULT result;
1743 	TSS_HKEY hSRK;
1744 
1745 	if (token_load_srk(hContext, &hSRK))
1746 		return (CKR_FUNCTION_FAILED);
1747 
1748 	/*
1749 	 * Verify the user by loading the privateLeafKey
1750 	 * into the TPM (if it's not already) and then
1751 	 * call the verify_pin operation.
1752 	 *
1753 	 * The hashed PIN is assigned to the private leaf key.
1754 	 * If it is incorrect (not the same as the one originally
1755 	 * used when the key was created), the verify operation
1756 	 * will fail.
1757 	 */
1758 	if (hPrivateRootKey == NULL_HKEY) {
1759 		result = tss_find_and_load_key(
1760 		    hContext,
1761 		    TPMTOK_PRIVATE_ROOT_KEY_ID,
1762 		    &privateRootKeyUUID, hSRK, NULL, &hPrivateRootKey);
1763 		if (result)
1764 			return (CKR_FUNCTION_FAILED);
1765 	}
1766 
1767 	if (hPrivateLeafKey == NULL_HKEY) {
1768 		result = tss_find_and_load_key(
1769 		    hContext,
1770 		    TPMTOK_PRIVATE_LEAF_KEY_ID,
1771 		    &privateLeafKeyUUID, hPrivateRootKey, hash_sha,
1772 		    &hPrivateLeafKey);
1773 
1774 		if (result)
1775 			return (CKR_FUNCTION_FAILED);
1776 	}
1777 
1778 	/*
1779 	 * Verify that the PIN is correct by attempting to wrap/unwrap some
1780 	 * random data.
1781 	 */
1782 	if ((rc = token_verify_pin(hContext, hPrivateLeafKey))) {
1783 		return (rc);
1784 	}
1785 
1786 	return (CKR_OK);
1787 }
1788 
1789 CK_RV
1790 token_specific_set_pin(ST_SESSION_HANDLE session,
1791 	CK_CHAR_PTR pOldPin, CK_ULONG ulOldPinLen,
1792 	CK_CHAR_PTR pNewPin, CK_ULONG ulNewPinLen)
1793 {
1794 	SESSION		*sess = session_mgr_find(session.sessionh);
1795 	CK_BYTE		oldpin_hash[SHA1_DIGEST_LENGTH];
1796 	CK_BYTE		newpin_hash[SHA1_DIGEST_LENGTH];
1797 	CK_RV		rc;
1798 	TSS_HKEY	hSRK;
1799 
1800 	if (!sess) {
1801 		return (CKR_SESSION_HANDLE_INVALID);
1802 	}
1803 
1804 	if ((rc = compute_sha(pOldPin, ulOldPinLen, oldpin_hash))) {
1805 		return (CKR_FUNCTION_FAILED);
1806 	}
1807 	if ((rc = compute_sha(pNewPin, ulNewPinLen, newpin_hash))) {
1808 		return (CKR_FUNCTION_FAILED);
1809 	}
1810 
1811 	if (token_load_srk(sess->hContext, &hSRK)) {
1812 		return (CKR_FUNCTION_FAILED);
1813 	}
1814 
1815 	/*
1816 	 * From the PKCS#11 2.20 spec: "C_SetPIN modifies the PIN of
1817 	 * the user that is currently logged in, or the CKU_USER PIN
1818 	 * if the session is not logged in."
1819 	 * A non R/W session fails with CKR_SESSION_READ_ONLY.
1820 	 */
1821 	if (sess->session_info.state == CKS_RW_USER_FUNCTIONS ||
1822 	    sess->session_info.state == CKS_RW_PUBLIC_SESSION) {
1823 		if (not_initialized) {
1824 			if (memcmp(oldpin_hash, default_user_pin_sha,
1825 			    SHA1_DIGEST_LENGTH)) {
1826 				return (CKR_PIN_INCORRECT);
1827 			}
1828 
1829 			if ((rc = check_pin_properties(CKU_USER, newpin_hash,
1830 			    ulNewPinLen))) {
1831 				return (rc);
1832 			}
1833 
1834 			if ((rc = token_create_private_tree(sess->hContext,
1835 			    newpin_hash))) {
1836 				return (CKR_FUNCTION_FAILED);
1837 			}
1838 
1839 			nv_token_data->token_info.flags &=
1840 			    ~(CKF_USER_PIN_TO_BE_CHANGED);
1841 			nv_token_data->token_info.flags |=
1842 			    CKF_USER_PIN_INITIALIZED;
1843 
1844 			nv_token_data->token_info.flags &=
1845 			    ~(CKF_USER_PIN_TO_BE_CHANGED);
1846 			nv_token_data->token_info.flags |=
1847 			    CKF_USER_PIN_INITIALIZED;
1848 
1849 			return (save_token_data(nv_token_data));
1850 		}
1851 
1852 		if (sess->session_info.state == CKS_RW_USER_FUNCTIONS) {
1853 			/* if we're already logged in, just verify the hash */
1854 			if (memcmp(current_user_pin_sha, oldpin_hash,
1855 			    SHA1_DIGEST_LENGTH)) {
1856 				return (CKR_PIN_INCORRECT);
1857 			}
1858 		} else {
1859 			if ((rc = verify_user_pin(sess->hContext,
1860 			    oldpin_hash))) {
1861 				return (rc);
1862 			}
1863 		}
1864 
1865 		if ((rc = check_pin_properties(CKU_USER, newpin_hash,
1866 		    ulNewPinLen)))
1867 			return (rc);
1868 
1869 		/* change the auth on the TSS object */
1870 		if (tss_change_auth(sess->hContext,
1871 		    hPrivateLeafKey, hPrivateRootKey,
1872 		    privateLeafKeyUUID, privateRootKeyUUID,
1873 		    newpin_hash))
1874 			return (CKR_FUNCTION_FAILED);
1875 
1876 	} else if (sess->session_info.state == CKS_RW_SO_FUNCTIONS) {
1877 		if (not_initialized) {
1878 			if (memcmp(default_so_pin_sha, oldpin_hash,
1879 			    SHA1_DIGEST_LENGTH))
1880 				return (CKR_PIN_INCORRECT);
1881 
1882 			if ((rc = check_pin_properties(CKU_SO,
1883 			    newpin_hash, ulNewPinLen)))
1884 				return (rc);
1885 
1886 			if ((rc = token_create_public_tree(sess->hContext,
1887 			    newpin_hash)))
1888 				return (CKR_FUNCTION_FAILED);
1889 
1890 			nv_token_data->token_info.flags &=
1891 			    ~(CKF_SO_PIN_TO_BE_CHANGED);
1892 
1893 			return (save_token_data(nv_token_data));
1894 		}
1895 
1896 		if (memcmp(current_so_pin_sha, oldpin_hash,
1897 		    SHA1_DIGEST_LENGTH))
1898 			return (CKR_PIN_INCORRECT);
1899 
1900 		if ((rc = check_pin_properties(CKU_SO, newpin_hash,
1901 		    ulNewPinLen)))
1902 			return (rc);
1903 
1904 		/* change auth on the SO's leaf key */
1905 		if (tss_change_auth(sess->hContext,
1906 		    hPublicLeafKey, hPublicRootKey,
1907 		    publicLeafKeyUUID, publicRootKeyUUID,
1908 		    newpin_hash))
1909 			return (CKR_FUNCTION_FAILED);
1910 
1911 	} else {
1912 		rc = CKR_SESSION_READ_ONLY;
1913 	}
1914 
1915 	return (rc);
1916 }
1917 
1918 /* only called at token init time */
1919 CK_RV
1920 token_specific_verify_so_pin(TSS_HCONTEXT hContext, CK_CHAR_PTR pPin,
1921     CK_ULONG ulPinLen)
1922 {
1923 	CK_BYTE hash_sha[SHA1_DIGEST_LENGTH];
1924 	CK_RV rc;
1925 	TSS_RESULT result;
1926 	TSS_HKEY hSRK;
1927 
1928 	if ((rc = compute_sha(pPin, ulPinLen, hash_sha))) {
1929 		return (CKR_FUNCTION_FAILED);
1930 	}
1931 	if ((rc = token_load_srk(hContext, &hSRK))) {
1932 		return (CKR_FUNCTION_FAILED);
1933 	}
1934 
1935 	/*
1936 	 * TRYME INSTEAD:
1937 	 * - find publicRootKeyUUID
1938 	 * - Load publicRootKey by UUID (SRK parent)
1939 	 * - find publicLeafKeyUUID
1940 	 * - Load publicLeafKey by UUID (publicRootKey parent)
1941 	 * - set password policy on publicLeafKey
1942 	 */
1943 	if (local_uuid_is_null(&publicRootKeyUUID) &&
1944 	    find_uuid(TPMTOK_PUBLIC_ROOT_KEY_ID, &publicRootKeyUUID)) {
1945 		/*
1946 		 * The SO hasn't set their PIN yet, compare the
1947 		 * login pin with the hard-coded value.
1948 		 */
1949 		if (memcmp(default_so_pin_sha, hash_sha,
1950 		    SHA1_DIGEST_LENGTH)) {
1951 			return (CKR_PIN_INCORRECT);
1952 		}
1953 		return (CKR_OK);
1954 	}
1955 
1956 	result = Tspi_Context_GetKeyByUUID(hContext,
1957 	    TSS_PS_TYPE_USER, publicRootKeyUUID, &hPublicRootKey);
1958 
1959 	if (result)
1960 		return (CKR_FUNCTION_FAILED);
1961 
1962 	result = Tspi_Key_LoadKey(hPublicRootKey, hSRK);
1963 	if (result)
1964 		return (CKR_FUNCTION_FAILED);
1965 
1966 	if (local_uuid_is_null(&publicLeafKeyUUID) &&
1967 	    find_uuid(TPMTOK_PUBLIC_LEAF_KEY_ID, &publicLeafKeyUUID))
1968 		return (CKR_FUNCTION_FAILED);
1969 
1970 	result = Tspi_Context_GetKeyByUUID(hContext,
1971 	    TSS_PS_TYPE_USER, publicLeafKeyUUID, &hPublicLeafKey);
1972 	if (result)
1973 		return (CKR_FUNCTION_FAILED);
1974 
1975 	result = tss_assign_secret_key_policy(hContext, TSS_POLICY_USAGE,
1976 	    hPublicLeafKey, hash_sha);
1977 	if (result)
1978 		return (CKR_FUNCTION_FAILED);
1979 
1980 	result = Tspi_Key_LoadKey(hPublicLeafKey, hPublicRootKey);
1981 	if (result)
1982 		return (CKR_FUNCTION_FAILED);
1983 
1984 	/* If the hash given is wrong, the verify will fail */
1985 	if ((rc = token_verify_pin(hContext, hPublicLeafKey))) {
1986 		return (rc);
1987 	}
1988 
1989 	return (CKR_OK);
1990 }
1991 
1992 CK_RV
1993 token_specific_final(TSS_HCONTEXT hContext)
1994 {
1995 	if (hPublicRootKey != NULL_HKEY) {
1996 		Tspi_Context_CloseObject(hContext, hPublicRootKey);
1997 		hPublicRootKey = NULL_HKEY;
1998 	}
1999 	if (hPublicLeafKey != NULL_HKEY) {
2000 		Tspi_Context_CloseObject(hContext, hPublicLeafKey);
2001 		hPublicLeafKey = NULL_HKEY;
2002 	}
2003 	if (hPrivateRootKey != NULL_HKEY) {
2004 		Tspi_Context_CloseObject(hContext, hPrivateRootKey);
2005 		hPrivateRootKey = NULL_HKEY;
2006 	}
2007 	if (hPrivateLeafKey != NULL_HKEY) {
2008 		Tspi_Context_CloseObject(hContext, hPrivateLeafKey);
2009 		hPrivateLeafKey = NULL_HKEY;
2010 	}
2011 	return (CKR_OK);
2012 }
2013 
2014 /*
2015  * Wrap the 20 bytes of auth data and store in an attribute of the two
2016  * keys.
2017  */
2018 static CK_RV
2019 token_wrap_auth_data(TSS_HCONTEXT hContext,
2020 	CK_BYTE *authData, TEMPLATE *publ_tmpl,
2021 	TEMPLATE *priv_tmpl)
2022 {
2023 	CK_RV		rc;
2024 	CK_ATTRIBUTE	*new_attr;
2025 
2026 	TSS_RESULT	ret;
2027 	TSS_HKEY	hParentKey;
2028 	TSS_HENCDATA	hEncData;
2029 	BYTE		*blob;
2030 	UINT32		blob_size;
2031 
2032 	if ((hPrivateLeafKey == NULL_HKEY) && (hPublicLeafKey == NULL_HKEY)) {
2033 		return (CKR_FUNCTION_FAILED);
2034 	} else if (hPublicLeafKey != NULL_HKEY) {
2035 		hParentKey = hPublicLeafKey;
2036 	} else {
2037 		hParentKey = hPrivateLeafKey;
2038 	}
2039 
2040 	/* create the encrypted data object */
2041 	if ((ret = Tspi_Context_CreateObject(hContext,
2042 	    TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hEncData))) {
2043 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
2044 		    ret, Trspi_Error_String(ret));
2045 		return (CKR_FUNCTION_FAILED);
2046 	}
2047 
2048 	if ((ret = Tspi_Data_Bind(hEncData, hParentKey, SHA1_DIGEST_LENGTH,
2049 	    authData))) {
2050 		stlogit("Tspi_Data_Bind: 0x%0x - %s",
2051 		    ret, Trspi_Error_String(ret));
2052 		return (CKR_FUNCTION_FAILED);
2053 	}
2054 
2055 	/* pull the encrypted data out of the encrypted data object */
2056 	if ((ret = Tspi_GetAttribData(hEncData, TSS_TSPATTRIB_ENCDATA_BLOB,
2057 	    TSS_TSPATTRIB_ENCDATABLOB_BLOB, &blob_size, &blob))) {
2058 		stlogit("Tspi_SetAttribData: 0x%0x - %s",
2059 		    ret, Trspi_Error_String(ret));
2060 		return (CKR_FUNCTION_FAILED);
2061 	}
2062 
2063 	if ((rc = build_attribute(CKA_ENC_AUTHDATA, blob, blob_size,
2064 	    &new_attr))) {
2065 		return (rc);
2066 	}
2067 	(void) template_update_attribute(publ_tmpl, new_attr);
2068 
2069 	if ((rc = build_attribute(CKA_ENC_AUTHDATA, blob,
2070 	    blob_size, &new_attr))) {
2071 		return (rc);
2072 	}
2073 	(void) template_update_attribute(priv_tmpl, new_attr);
2074 
2075 	return (rc);
2076 }
2077 
2078 static CK_RV
2079 token_unwrap_auth_data(TSS_HCONTEXT hContext, CK_BYTE *encAuthData,
2080 	CK_ULONG encAuthDataLen, TSS_HKEY hKey,
2081 	BYTE **authData)
2082 {
2083 	TSS_RESULT	result;
2084 	TSS_HENCDATA	hEncData;
2085 	BYTE		*buf;
2086 	UINT32		buf_size;
2087 
2088 	if ((result = Tspi_Context_CreateObject(hContext,
2089 	    TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hEncData))) {
2090 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
2091 		    result, Trspi_Error_String(result));
2092 		return (CKR_FUNCTION_FAILED);
2093 	}
2094 
2095 	if ((result = Tspi_SetAttribData(hEncData,
2096 	    TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB,
2097 	    encAuthDataLen, encAuthData))) {
2098 		stlogit("Tspi_SetAttribData: 0x%0x - %s",
2099 		    result, Trspi_Error_String(result));
2100 		return (CKR_FUNCTION_FAILED);
2101 	}
2102 
2103 	/* unbind the data, receiving the plaintext back */
2104 	if ((result = Tspi_Data_Unbind(hEncData, hKey, &buf_size, &buf))) {
2105 		stlogit("Tspi_Data_Unbind: 0x%0x - %s",
2106 		    result, Trspi_Error_String(result));
2107 		return (CKR_FUNCTION_FAILED);
2108 	}
2109 
2110 	if (buf_size != SHA1_DIGEST_LENGTH) {
2111 		return (CKR_FUNCTION_FAILED);
2112 	}
2113 
2114 	*authData = buf;
2115 
2116 	return (CKR_OK);
2117 }
2118 
2119 CK_RV
2120 token_specific_rsa_generate_keypair(
2121 	TSS_HCONTEXT hContext,
2122 	TEMPLATE  *publ_tmpl,
2123 	TEMPLATE  *priv_tmpl)
2124 {
2125 	CK_ATTRIBUTE	*attr = NULL;
2126 	CK_ULONG	mod_bits = 0;
2127 	CK_BBOOL	flag;
2128 	CK_RV		rc;
2129 
2130 	TSS_FLAG	initFlags = 0;
2131 	BYTE		authHash[SHA1_DIGEST_LENGTH];
2132 	BYTE		*authData = NULL;
2133 	TSS_HKEY	hKey = NULL_HKEY;
2134 	TSS_HKEY	hParentKey = NULL_HKEY;
2135 	TSS_RESULT	result;
2136 	UINT32		ulBlobLen;
2137 	BYTE		*rgbBlob;
2138 
2139 	/* Make sure the public exponent is usable */
2140 	if ((util_check_public_exponent(publ_tmpl))) {
2141 		return (CKR_TEMPLATE_INCONSISTENT);
2142 	}
2143 
2144 	flag = template_attribute_find(publ_tmpl, CKA_MODULUS_BITS, &attr);
2145 	if (!flag) {
2146 		return (CKR_TEMPLATE_INCOMPLETE);
2147 	}
2148 	mod_bits = *(CK_ULONG *)attr->pValue;
2149 
2150 	if ((initFlags = util_get_keysize_flag(mod_bits)) == 0) {
2151 		return (CKR_KEY_SIZE_RANGE);
2152 	}
2153 
2154 	/*
2155 	 * If we're not logged in, hPrivateLeafKey and hPublicLeafKey
2156 	 * should be NULL.
2157 	 */
2158 	if ((hPrivateLeafKey == NULL_HKEY) &&
2159 	    (hPublicLeafKey == NULL_HKEY)) {
2160 		/* public session, wrap key with the PRK */
2161 		initFlags |= TSS_KEY_TYPE_LEGACY |
2162 		    TSS_KEY_NO_AUTHORIZATION | TSS_KEY_MIGRATABLE;
2163 
2164 		if ((result = token_load_public_root_key(hContext))) {
2165 			return (CKR_FUNCTION_FAILED);
2166 		}
2167 
2168 		hParentKey = hPublicRootKey;
2169 	} else if (hPrivateLeafKey != NULL_HKEY) {
2170 		/* logged in USER session */
2171 		initFlags |= TSS_KEY_TYPE_LEGACY |
2172 		    TSS_KEY_AUTHORIZATION | TSS_KEY_MIGRATABLE;
2173 
2174 		/* get a random SHA1 hash for the auth data */
2175 		if ((rc = token_rng(hContext, authHash, SHA1_DIGEST_LENGTH))) {
2176 			return (CKR_FUNCTION_FAILED);
2177 		}
2178 
2179 		authData = authHash;
2180 		hParentKey = hPrivateRootKey;
2181 	} else {
2182 		/* logged in SO session */
2183 		initFlags |= TSS_KEY_TYPE_LEGACY |
2184 		    TSS_KEY_AUTHORIZATION | TSS_KEY_MIGRATABLE;
2185 
2186 		/* get a random SHA1 hash for the auth data */
2187 		if ((rc = token_rng(hContext, authHash, SHA1_DIGEST_LENGTH))) {
2188 			return (CKR_FUNCTION_FAILED);
2189 		}
2190 
2191 		authData = authHash;
2192 		hParentKey = hPublicRootKey;
2193 	}
2194 
2195 	if ((result = tss_generate_key(hContext, initFlags, authData,
2196 	    hParentKey, &hKey))) {
2197 		return (result);
2198 	}
2199 
2200 	if ((result = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_KEY_BLOB,
2201 	    TSS_TSPATTRIB_KEYBLOB_BLOB, &ulBlobLen, &rgbBlob))) {
2202 		stlogit("Tspi_GetAttribData: 0x%0x - %s",
2203 		    result, Trspi_Error_String(result));
2204 		return (CKR_FUNCTION_FAILED);
2205 	}
2206 
2207 	if ((rc = build_attribute(CKA_IBM_OPAQUE, rgbBlob,
2208 	    ulBlobLen, &attr))) {
2209 		Tspi_Context_FreeMemory(hContext, rgbBlob);
2210 		return (rc);
2211 	}
2212 	(void) template_update_attribute(priv_tmpl, attr);
2213 	if ((rc = build_attribute(CKA_IBM_OPAQUE, rgbBlob,
2214 	    ulBlobLen, &attr))) {
2215 		Tspi_Context_FreeMemory(hContext, rgbBlob);
2216 		return (rc);
2217 	}
2218 	(void) template_update_attribute(publ_tmpl, attr);
2219 
2220 	Tspi_Context_FreeMemory(hContext, rgbBlob);
2221 
2222 	/* grab the public key to put into the public key object */
2223 	if ((result = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_RSAKEY_INFO,
2224 	    TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &ulBlobLen, &rgbBlob))) {
2225 		stlogit("Tspi_GetAttribData: 0x%0x - %s",
2226 		    result, Trspi_Error_String(result));
2227 		return (result);
2228 	}
2229 
2230 	/* add the public key blob to the object template */
2231 	if ((rc = build_attribute(CKA_MODULUS, rgbBlob, ulBlobLen, &attr))) {
2232 		Tspi_Context_FreeMemory(hContext, rgbBlob);
2233 		return (rc);
2234 	}
2235 	(void) template_update_attribute(publ_tmpl, attr);
2236 
2237 	/* add the public key blob to the object template */
2238 	if ((rc = build_attribute(CKA_MODULUS, rgbBlob, ulBlobLen, &attr))) {
2239 		Tspi_Context_FreeMemory(hContext, rgbBlob);
2240 		return (rc);
2241 	}
2242 	(void) template_update_attribute(priv_tmpl, attr);
2243 	Tspi_Context_FreeMemory(hContext, rgbBlob);
2244 
2245 	/* wrap the authdata and put it into an object */
2246 	if (authData != NULL) {
2247 		rc = token_wrap_auth_data(hContext, authData, publ_tmpl,
2248 		    priv_tmpl);
2249 	}
2250 
2251 	return (rc);
2252 }
2253 
2254 static CK_RV
2255 token_rsa_load_key(
2256 	TSS_HCONTEXT hContext,
2257 	OBJECT *key_obj,
2258 	TSS_HKEY *phKey)
2259 {
2260 	TSS_RESULT result;
2261 	TSS_HPOLICY hPolicy = NULL_HPOLICY;
2262 	TSS_HKEY	hParentKey;
2263 	BYTE		*authData = NULL;
2264 	CK_ATTRIBUTE	*attr;
2265 	CK_RV		rc;
2266 	CK_OBJECT_HANDLE handle;
2267 	CK_ULONG	class;
2268 
2269 	if (hPrivateLeafKey != NULL_HKEY) {
2270 		hParentKey = hPrivateRootKey;
2271 	} else {
2272 		if ((result = token_load_public_root_key(hContext)))
2273 			return (CKR_FUNCTION_FAILED);
2274 
2275 		hParentKey = hPublicRootKey;
2276 	}
2277 
2278 	*phKey = 0;
2279 	if (template_attribute_find(key_obj->template, CKA_CLASS,
2280 	    &attr) == FALSE) {
2281 		return (CKR_TEMPLATE_INCOMPLETE);
2282 	}
2283 	class = *((CK_ULONG *)attr->pValue);
2284 
2285 	rc = template_attribute_find(key_obj->template,
2286 	    CKA_IBM_OPAQUE, &attr);
2287 	/*
2288 	 * A public key cannot use the OPAQUE data attribute so they
2289 	 * must be created in software.  A private key may not yet
2290 	 * have its "opaque" data defined and needs to be created
2291 	 * and loaded so it can be used inside the TPM.
2292 	 */
2293 	if (class == CKO_PUBLIC_KEY || rc == FALSE) {
2294 		rc = object_mgr_find_in_map2(hContext, key_obj, &handle);
2295 		if (rc != CKR_OK)
2296 			return (CKR_FUNCTION_FAILED);
2297 
2298 		if ((rc = token_load_key(hContext,
2299 		    handle, hParentKey, NULL, phKey))) {
2300 			return (rc);
2301 		}
2302 	}
2303 	/*
2304 	 * If this is a private key, get the blob and load it in the TPM.
2305 	 * If it is public, the key is already loaded in software.
2306 	 */
2307 	if (class == CKO_PRIVATE_KEY) {
2308 		/* If we already have a handle, just load it */
2309 		if (*phKey != 0) {
2310 			result = Tspi_Key_LoadKey(*phKey, hParentKey);
2311 			if (result) {
2312 				stlogit("Tspi_Context_LoadKeyByBlob: "
2313 				    "0x%0x - %s",
2314 				    result, Trspi_Error_String(result));
2315 				return (CKR_FUNCTION_FAILED);
2316 			}
2317 		} else {
2318 			/* try again to get the CKA_IBM_OPAQUE attr */
2319 			if ((rc = template_attribute_find(key_obj->template,
2320 			    CKA_IBM_OPAQUE, &attr)) == FALSE) {
2321 				return (rc);
2322 			}
2323 			if ((result = Tspi_Context_LoadKeyByBlob(hContext,
2324 			    hParentKey, attr->ulValueLen, attr->pValue,
2325 			    phKey))) {
2326 				stlogit("Tspi_Context_LoadKeyByBlob: "
2327 				    "0x%0x - %s",
2328 				    result, Trspi_Error_String(result));
2329 				return (CKR_FUNCTION_FAILED);
2330 			}
2331 		}
2332 	}
2333 
2334 	/* auth data may be required */
2335 	if (template_attribute_find(key_obj->template, CKA_ENC_AUTHDATA,
2336 	    &attr) == TRUE && attr) {
2337 		if ((hPrivateLeafKey == NULL_HKEY) &&
2338 		    (hPublicLeafKey == NULL_HKEY)) {
2339 			return (CKR_FUNCTION_FAILED);
2340 		} else if (hPublicLeafKey != NULL_HKEY) {
2341 			hParentKey = hPublicLeafKey;
2342 		} else {
2343 			hParentKey = hPrivateLeafKey;
2344 		}
2345 
2346 		if ((result = token_unwrap_auth_data(hContext,
2347 		    attr->pValue, attr->ulValueLen,
2348 		    hParentKey, &authData))) {
2349 			return (CKR_FUNCTION_FAILED);
2350 		}
2351 
2352 		if ((result = Tspi_GetPolicyObject(*phKey,
2353 		    TSS_POLICY_USAGE, &hPolicy))) {
2354 			stlogit("Tspi_GetPolicyObject: 0x%0x - %s",
2355 			    result, Trspi_Error_String(result));
2356 			return (CKR_FUNCTION_FAILED);
2357 		}
2358 
2359 		/*
2360 		 * If the policy handle returned is the same as the
2361 		 * context's default policy, then a new policy must
2362 		 * be created and assigned to the key. Otherwise, just set the
2363 		 * secret in the policy.
2364 		 */
2365 		if (hPolicy == hDefaultPolicy) {
2366 			if ((result = Tspi_Context_CreateObject(hContext,
2367 			    TSS_OBJECT_TYPE_POLICY, TSS_POLICY_USAGE,
2368 			    &hPolicy))) {
2369 				stlogit("Tspi_Context_CreateObject: "
2370 				    "0x%0x - %s",
2371 				    result, Trspi_Error_String(result));
2372 				return (CKR_FUNCTION_FAILED);
2373 			}
2374 
2375 			if ((result = Tspi_Policy_SetSecret(hPolicy,
2376 			    TSS_SECRET_MODE_SHA1,
2377 			    SHA1_DIGEST_LENGTH, authData))) {
2378 				stlogit("Tspi_Policy_SetSecret: "
2379 				    "0x%0x - %s",
2380 				    result, Trspi_Error_String(result));
2381 				return (CKR_FUNCTION_FAILED);
2382 			}
2383 
2384 			if ((result = Tspi_Policy_AssignToObject(hPolicy,
2385 			    *phKey))) {
2386 				stlogit("Tspi_Policy_AssignToObject: "
2387 				    "0x%0x - %s",
2388 				    result, Trspi_Error_String(result));
2389 				return (CKR_FUNCTION_FAILED);
2390 			}
2391 		} else if ((result = Tspi_Policy_SetSecret(hPolicy,
2392 		    TSS_SECRET_MODE_SHA1, SHA1_DIGEST_LENGTH, authData))) {
2393 			stlogit("Tspi_Policy_SetSecret: 0x%0x - %s",
2394 			    result, Trspi_Error_String(result));
2395 			return (CKR_FUNCTION_FAILED);
2396 		}
2397 
2398 		Tspi_Context_FreeMemory(hContext, authData);
2399 	}
2400 
2401 	return (CKR_OK);
2402 }
2403 
2404 CK_RV
2405 tpm_decrypt_data(
2406 	TSS_HCONTEXT hContext,
2407 	TSS_HKEY    hKey,
2408 	CK_BYTE   * in_data,
2409 	CK_ULONG    in_data_len,
2410 	CK_BYTE   * out_data,
2411 	CK_ULONG  * out_data_len)
2412 {
2413 	TSS_RESULT result;
2414 	TSS_HENCDATA	hEncData = NULL_HENCDATA;
2415 	UINT32		buf_size = 0, modLen;
2416 	BYTE		*buf = NULL, *modulus = NULL;
2417 	CK_ULONG	chunklen, remain, outlen;
2418 
2419 	/* push the data into the encrypted data object */
2420 	if ((result = Tspi_Context_CreateObject(hContext,
2421 	    TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hEncData))) {
2422 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
2423 		    result, Trspi_Error_String(result));
2424 		return (CKR_FUNCTION_FAILED);
2425 	}
2426 
2427 	/*
2428 	 * Figure out the modulus size so we can break the data
2429 	 * into smaller chunks if necessary.
2430 	 */
2431 	if ((result = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_RSAKEY_INFO,
2432 	    TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &modLen, &modulus))) {
2433 		stlogit("Tspi_GetAttribData: 0x%0x - %s",
2434 		    result, Trspi_Error_String(result));
2435 		return (result);
2436 	}
2437 	/* we don't need the actual modulus */
2438 	Tspi_Context_FreeMemory(hContext, modulus);
2439 
2440 	chunklen = (in_data_len > modLen ? modLen : in_data_len);
2441 	remain = in_data_len;
2442 	outlen = 0;
2443 
2444 	while (remain > 0) {
2445 		if ((result = Tspi_SetAttribData(hEncData,
2446 		    TSS_TSPATTRIB_ENCDATA_BLOB,
2447 		    TSS_TSPATTRIB_ENCDATABLOB_BLOB,
2448 		    chunklen, in_data))) {
2449 			stlogit("Tspi_SetAttribData: 0x%0x - %s",
2450 			    result, Trspi_Error_String(result));
2451 			return (CKR_FUNCTION_FAILED);
2452 		}
2453 
2454 		/* unbind the data, receiving the plaintext back */
2455 		if ((result = Tspi_Data_Unbind(hEncData, hKey,
2456 		    &buf_size, &buf))) {
2457 			stlogit("Tspi_Data_Unbind: 0x%0x - %s",
2458 			    result, Trspi_Error_String(result));
2459 			return (CKR_FUNCTION_FAILED);
2460 		}
2461 
2462 		if (*out_data_len < buf_size + outlen) {
2463 			Tspi_Context_FreeMemory(hContext, buf);
2464 			return (CKR_BUFFER_TOO_SMALL);
2465 		}
2466 
2467 		(void) memcpy(out_data + outlen, buf, buf_size);
2468 
2469 		outlen += buf_size;
2470 		in_data += chunklen;
2471 		remain -= chunklen;
2472 
2473 		Tspi_Context_FreeMemory(hContext, buf);
2474 		if (chunklen > remain)
2475 			chunklen = remain;
2476 	}
2477 	*out_data_len = outlen;
2478 	return (CKR_OK);
2479 }
2480 
2481 CK_RV
2482 token_specific_rsa_decrypt(
2483 	TSS_HCONTEXT hContext,
2484 	CK_BYTE   * in_data,
2485 	CK_ULONG    in_data_len,
2486 	CK_BYTE   * out_data,
2487 	CK_ULONG  * out_data_len,
2488 	OBJECT	  * key_obj)
2489 {
2490 	CK_RV		rc;
2491 	TSS_HKEY	hKey;
2492 
2493 	if ((rc = token_rsa_load_key(hContext, key_obj, &hKey))) {
2494 		return (rc);
2495 	}
2496 
2497 	rc = tpm_decrypt_data(hContext, hKey, in_data, in_data_len,
2498 	    out_data, out_data_len);
2499 
2500 	return (rc);
2501 }
2502 
2503 CK_RV
2504 token_specific_rsa_verify(
2505 	TSS_HCONTEXT hContext,
2506 	CK_BYTE   * in_data,
2507 	CK_ULONG    in_data_len,
2508 	CK_BYTE   * sig,
2509 	CK_ULONG    sig_len,
2510 	OBJECT	  * key_obj)
2511 {
2512 	TSS_RESULT	result;
2513 	TSS_HHASH	hHash;
2514 	TSS_HKEY	hKey;
2515 	CK_RV		rc;
2516 
2517 	if ((rc = token_rsa_load_key(hContext, key_obj, &hKey))) {
2518 		return (rc);
2519 	}
2520 
2521 	/* Create the hash object we'll use to sign */
2522 	if ((result = Tspi_Context_CreateObject(hContext,
2523 	    TSS_OBJECT_TYPE_HASH, TSS_HASH_OTHER, &hHash))) {
2524 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
2525 		    result, Trspi_Error_String(result));
2526 		return (CKR_FUNCTION_FAILED);
2527 	}
2528 
2529 	/* Insert the data into the hash object */
2530 	if ((result = Tspi_Hash_SetHashValue(hHash, in_data_len,
2531 	    in_data))) {
2532 		stlogit("Tspi_Hash_SetHashValue: 0x%0x - %s",
2533 		    result, Trspi_Error_String(result));
2534 		return (CKR_FUNCTION_FAILED);
2535 	}
2536 
2537 	/* Verify */
2538 	result = Tspi_Hash_VerifySignature(hHash, hKey, sig_len, sig);
2539 	if (result != TSS_SUCCESS &&
2540 	    TPMTOK_TSS_ERROR_CODE(result) != TSS_E_FAIL) {
2541 		stlogit("Tspi_Hash_VerifySignature: 0x%0x - %s",
2542 		    result, Trspi_Error_String(result));
2543 	}
2544 
2545 	if (TPMTOK_TSS_ERROR_CODE(result) == TSS_E_FAIL) {
2546 		rc = CKR_SIGNATURE_INVALID;
2547 	} else {
2548 		rc = CKR_OK;
2549 	}
2550 
2551 	return (rc);
2552 }
2553 
2554 CK_RV
2555 token_specific_rsa_sign(
2556 	TSS_HCONTEXT hContext,
2557 	CK_BYTE   * in_data,
2558 	CK_ULONG    in_data_len,
2559 	CK_BYTE   * out_data,
2560 	CK_ULONG  * out_data_len,
2561 	OBJECT	  * key_obj)
2562 {
2563 	TSS_RESULT	result;
2564 	TSS_HHASH	hHash;
2565 	BYTE		*sig;
2566 	UINT32		sig_len;
2567 	TSS_HKEY	hKey;
2568 	CK_RV		rc;
2569 
2570 	if ((rc = token_rsa_load_key(hContext, key_obj, &hKey))) {
2571 		return (rc);
2572 	}
2573 
2574 	/* Create the hash object we'll use to sign */
2575 	if ((result = Tspi_Context_CreateObject(hContext,
2576 	    TSS_OBJECT_TYPE_HASH, TSS_HASH_OTHER, &hHash))) {
2577 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
2578 		    result, Trspi_Error_String(result));
2579 		return (CKR_FUNCTION_FAILED);
2580 	}
2581 
2582 	/* Insert the data into the hash object */
2583 	if ((result = Tspi_Hash_SetHashValue(hHash, in_data_len,
2584 	    in_data))) {
2585 		stlogit("Tspi_Hash_SetHashValue: 0x%0x - %s",
2586 		    result, Trspi_Error_String(result));
2587 		return (CKR_FUNCTION_FAILED);
2588 	}
2589 
2590 	/* Sign */
2591 	if ((result = Tspi_Hash_Sign(hHash, hKey, &sig_len, &sig))) {
2592 		stlogit("Tspi_Hash_Sign: 0x%0x - %s",
2593 		    result, Trspi_Error_String(result));
2594 		return (CKR_DATA_LEN_RANGE);
2595 	}
2596 
2597 	if (sig_len > *out_data_len) {
2598 		Tspi_Context_FreeMemory(hContext, sig);
2599 		return (CKR_BUFFER_TOO_SMALL);
2600 	}
2601 
2602 	(void) memcpy(out_data, sig, sig_len);
2603 	*out_data_len = sig_len;
2604 	Tspi_Context_FreeMemory(hContext, sig);
2605 
2606 	return (CKR_OK);
2607 }
2608 
2609 CK_RV
2610 tpm_encrypt_data(
2611 	TSS_HCONTEXT hContext,
2612 	TSS_HKEY hKey,
2613 	CK_BYTE *in_data,
2614 	CK_ULONG in_data_len,
2615 	CK_BYTE *out_data,
2616 	CK_ULONG *out_data_len)
2617 {
2618 	TSS_RESULT	result;
2619 	TSS_HENCDATA	hEncData;
2620 	BYTE		*dataBlob, *modulus;
2621 	UINT32		dataBlobSize, modLen;
2622 	CK_ULONG	chunklen, remain;
2623 	CK_ULONG	outlen;
2624 	UINT32		keyusage, scheme, maxsize;
2625 
2626 	if ((result = Tspi_Context_CreateObject(hContext,
2627 	    TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hEncData))) {
2628 		stlogit("Tspi_Context_CreateObject: 0x%0x - %s",
2629 		    result, Trspi_Error_String(result));
2630 		return (CKR_FUNCTION_FAILED);
2631 	}
2632 	/*
2633 	 * Figure out the modulus size so we can break the data
2634 	 * into smaller chunks if necessary.
2635 	 */
2636 	if ((result = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_RSAKEY_INFO,
2637 	    TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &modLen, &modulus))) {
2638 		stlogit("Tspi_GetAttribData: 0x%0x - %s",
2639 		    result, Trspi_Error_String(result));
2640 		return (result);
2641 	}
2642 	/* we don't need the actual modulus */
2643 	Tspi_Context_FreeMemory(hContext, modulus);
2644 
2645 	/*
2646 	 * According to TSS spec for Tspi_Data_Bind (4.3.4.21.5),
2647 	 * Max input data size varies depending on the key type and
2648 	 * encryption scheme.
2649 	 */
2650 	if ((result = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
2651 	    TSS_TSPATTRIB_KEYINFO_USAGE, &keyusage))) {
2652 		stlogit("Cannot find USAGE: %s\n",
2653 		    Trspi_Error_String(result));
2654 		return (result);
2655 	}
2656 	if ((result = Tspi_GetAttribUint32(hKey, TSS_TSPATTRIB_KEY_INFO,
2657 	    TSS_TSPATTRIB_KEYINFO_ENCSCHEME, &scheme))) {
2658 		stlogit("Cannot find ENCSCHEME: %s\n",
2659 		    Trspi_Error_String(result));
2660 		return (result);
2661 	}
2662 	switch (scheme) {
2663 		case TSS_ES_RSAESPKCSV15:
2664 			if (keyusage == TSS_KEYUSAGE_BIND)
2665 				maxsize = 16;
2666 			else /* legacy */
2667 				maxsize = 11;
2668 			break;
2669 		case TSS_ES_RSAESOAEP_SHA1_MGF1:
2670 			maxsize = 47;
2671 			break;
2672 		default:
2673 			maxsize = 0;
2674 	}
2675 
2676 	modLen -= maxsize;
2677 
2678 	chunklen = (in_data_len > modLen ? modLen : in_data_len);
2679 	remain = in_data_len;
2680 	outlen = 0;
2681 	while (remain > 0) {
2682 		if ((result = Tspi_Data_Bind(hEncData, hKey,
2683 		    chunklen, in_data))) {
2684 			stlogit("Tspi_Data_Bind: 0x%0x - %s",
2685 			    result, Trspi_Error_String(result));
2686 			return (CKR_FUNCTION_FAILED);
2687 		}
2688 
2689 		if ((result = Tspi_GetAttribData(hEncData,
2690 		    TSS_TSPATTRIB_ENCDATA_BLOB,
2691 		    TSS_TSPATTRIB_ENCDATABLOB_BLOB,
2692 		    &dataBlobSize, &dataBlob))) {
2693 			stlogit("Tspi_GetAttribData: 0x%0x - %s",
2694 			    result, Trspi_Error_String(result));
2695 			return (CKR_FUNCTION_FAILED);
2696 		}
2697 
2698 		if (outlen + dataBlobSize > *out_data_len) {
2699 			Tspi_Context_FreeMemory(hContext, dataBlob);
2700 			return (CKR_DATA_LEN_RANGE);
2701 		}
2702 
2703 		(void) memcpy(out_data + outlen,
2704 		    dataBlob, dataBlobSize);
2705 
2706 		outlen += dataBlobSize;
2707 		in_data += chunklen;
2708 		remain -= chunklen;
2709 
2710 		if (chunklen > remain)
2711 			chunklen = remain;
2712 
2713 		Tspi_Context_FreeMemory(hContext, dataBlob);
2714 	}
2715 	*out_data_len = outlen;
2716 
2717 	return (CKR_OK);
2718 }
2719 
2720 CK_RV
2721 token_specific_rsa_encrypt(
2722 	TSS_HCONTEXT hContext,
2723 	CK_BYTE   * in_data,
2724 	CK_ULONG    in_data_len,
2725 	CK_BYTE   * out_data,
2726 	CK_ULONG  * out_data_len,
2727 	OBJECT	  * key_obj)
2728 {
2729 	TSS_HKEY	hKey;
2730 	CK_RV		rc;
2731 
2732 	if ((rc = token_rsa_load_key(hContext, key_obj, &hKey))) {
2733 		return (rc);
2734 	}
2735 
2736 	rc  = tpm_encrypt_data(hContext, hKey, in_data, in_data_len,
2737 	    out_data, out_data_len);
2738 
2739 	return (rc);
2740 }
2741 
2742 /*
2743  * RSA Verify Recover
2744  *
2745  * Public key crypto is done in software, not by the TPM.
2746  * We use libsoftcrypto and perform the RSA operations ourselves similar
2747  * to how pkcs11_softtoken performs the operation.
2748  */
2749 CK_RV
2750 token_specific_rsa_verify_recover(
2751 	TSS_HCONTEXT	hContext,
2752 	CK_BYTE_PTR	pSignature,
2753 	CK_ULONG	ulSignatureLen,
2754 	CK_BYTE_PTR	pData,
2755 	CK_ULONG_PTR	pulDataLen,
2756 	OBJECT		*key_obj)
2757 {
2758 	TSS_HKEY	hKey;
2759 	TSS_RESULT	result;
2760 	CK_RV		rc;
2761 	BYTE		*modulus;
2762 	UINT32		modLen;
2763 	RSAbytekey	rsa = { 0 };
2764 	uchar_t		exp[] = { 0x01, 0x00, 0x01 };
2765 	CK_BYTE		plain_data[MAX_RSA_KEYLENGTH];
2766 	size_t		data_len;
2767 
2768 	if ((rc = token_rsa_load_key(hContext, key_obj, &hKey))) {
2769 		return (rc);
2770 	}
2771 
2772 	if ((result = Tspi_GetAttribData(hKey, TSS_TSPATTRIB_RSAKEY_INFO,
2773 	    TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &modLen, &modulus))) {
2774 		stlogit("Tspi_GetAttribData: 0x%0x - %s",
2775 		    result, Trspi_Error_String(result));
2776 		return (CKR_FUNCTION_FAILED);
2777 	}
2778 
2779 	if (ulSignatureLen != modLen) {
2780 		rc = CKR_SIGNATURE_LEN_RANGE;
2781 		goto end;
2782 	}
2783 
2784 	rsa.modulus = modulus;
2785 	rsa.modulus_bits = CRYPTO_BYTES2BITS(modLen);
2786 	rsa.pubexpo = exp;
2787 	rsa.pubexpo_bytes = sizeof (exp);
2788 
2789 	if ((rc = rsa_encrypt(&rsa, pSignature, modLen, plain_data)) != CKR_OK)
2790 		goto end;
2791 
2792 	data_len = modLen;
2793 	if ((rc = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len)) != CKR_OK)
2794 		goto end;
2795 
2796 	(void) memcpy(pData, &plain_data[modLen - data_len], data_len);
2797 	*pulDataLen = data_len;
2798 
2799 end:
2800 	Tspi_Context_FreeMemory(hContext, modulus);
2801 	return (rc);
2802 }
2803