1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * Copyright 2012 Milan Jurik. All rights reserved. 25 */ 26 27 #include <stdlib.h> 28 #include <string.h> 29 #include <security/cryptoki.h> 30 #include <sys/crypto/common.h> 31 #include <arcfour.h> 32 #include <aes_impl.h> 33 #include <blowfish_impl.h> 34 #include <bignum.h> 35 #include <des_impl.h> 36 #include <rsa_impl.h> 37 #include "softGlobal.h" 38 #include "softObject.h" 39 #include "softSession.h" 40 #include "softKeystore.h" 41 #include "softKeystoreUtil.h" 42 #include "softCrypt.h" 43 44 45 /* 46 * This attribute table is used by the soft_lookup_attr() 47 * to validate the attributes. 48 */ 49 CK_ATTRIBUTE_TYPE attr_map[] = { 50 CKA_PRIVATE, 51 CKA_LABEL, 52 CKA_APPLICATION, 53 CKA_OBJECT_ID, 54 CKA_CERTIFICATE_TYPE, 55 CKA_ISSUER, 56 CKA_SERIAL_NUMBER, 57 CKA_AC_ISSUER, 58 CKA_OWNER, 59 CKA_ATTR_TYPES, 60 CKA_SUBJECT, 61 CKA_ID, 62 CKA_SENSITIVE, 63 CKA_START_DATE, 64 CKA_END_DATE, 65 CKA_MODULUS, 66 CKA_MODULUS_BITS, 67 CKA_PUBLIC_EXPONENT, 68 CKA_PRIVATE_EXPONENT, 69 CKA_PRIME_1, 70 CKA_PRIME_2, 71 CKA_EXPONENT_1, 72 CKA_EXPONENT_2, 73 CKA_COEFFICIENT, 74 CKA_PRIME, 75 CKA_SUBPRIME, 76 CKA_BASE, 77 CKA_EXTRACTABLE, 78 CKA_LOCAL, 79 CKA_NEVER_EXTRACTABLE, 80 CKA_ALWAYS_SENSITIVE, 81 CKA_MODIFIABLE, 82 CKA_ECDSA_PARAMS, 83 CKA_EC_PARAMS, 84 CKA_EC_POINT, 85 CKA_SECONDARY_AUTH, 86 CKA_AUTH_PIN_FLAGS, 87 CKA_HW_FEATURE_TYPE, 88 CKA_RESET_ON_INIT, 89 CKA_HAS_RESET 90 }; 91 92 /* 93 * attributes that exists only in public key objects 94 * Note: some attributes may also exist in one or two 95 * other object classes, but they are also listed 96 * because not all object have them. 97 */ 98 CK_ATTRIBUTE_TYPE PUB_KEY_ATTRS[] = 99 { 100 CKA_SUBJECT, 101 CKA_ENCRYPT, 102 CKA_WRAP, 103 CKA_VERIFY, 104 CKA_VERIFY_RECOVER, 105 CKA_MODULUS, 106 CKA_MODULUS_BITS, 107 CKA_PUBLIC_EXPONENT, 108 CKA_PRIME, 109 CKA_SUBPRIME, 110 CKA_BASE, 111 CKA_TRUSTED, 112 CKA_ECDSA_PARAMS, 113 CKA_EC_PARAMS, 114 CKA_EC_POINT 115 }; 116 117 /* 118 * attributes that exists only in private key objects 119 * Note: some attributes may also exist in one or two 120 * other object classes, but they are also listed 121 * because not all object have them. 122 */ 123 CK_ATTRIBUTE_TYPE PRIV_KEY_ATTRS[] = 124 { 125 CKA_DECRYPT, 126 CKA_UNWRAP, 127 CKA_SIGN, 128 CKA_SIGN_RECOVER, 129 CKA_MODULUS, 130 CKA_PUBLIC_EXPONENT, 131 CKA_PRIVATE_EXPONENT, 132 CKA_PRIME, 133 CKA_SUBPRIME, 134 CKA_BASE, 135 CKA_PRIME_1, 136 CKA_PRIME_2, 137 CKA_EXPONENT_1, 138 CKA_EXPONENT_2, 139 CKA_COEFFICIENT, 140 CKA_VALUE_BITS, 141 CKA_SUBJECT, 142 CKA_SENSITIVE, 143 CKA_EXTRACTABLE, 144 CKA_NEVER_EXTRACTABLE, 145 CKA_ALWAYS_SENSITIVE, 146 CKA_EC_PARAMS 147 }; 148 149 /* 150 * attributes that exists only in secret key objects 151 * Note: some attributes may also exist in one or two 152 * other object classes, but they are also listed 153 * because not all object have them. 154 */ 155 CK_ATTRIBUTE_TYPE SECRET_KEY_ATTRS[] = 156 { 157 CKA_VALUE_LEN, 158 CKA_ENCRYPT, 159 CKA_DECRYPT, 160 CKA_WRAP, 161 CKA_UNWRAP, 162 CKA_SIGN, 163 CKA_VERIFY, 164 CKA_SENSITIVE, 165 CKA_EXTRACTABLE, 166 CKA_NEVER_EXTRACTABLE, 167 CKA_ALWAYS_SENSITIVE 168 }; 169 170 /* 171 * attributes that exists only in domain parameter objects 172 * Note: some attributes may also exist in one or two 173 * other object classes, but they are also listed 174 * because not all object have them. 175 */ 176 CK_ATTRIBUTE_TYPE DOMAIN_ATTRS[] = 177 { 178 CKA_PRIME, 179 CKA_SUBPRIME, 180 CKA_BASE, 181 CKA_PRIME_BITS, 182 CKA_SUBPRIME_BITS, 183 CKA_SUB_PRIME_BITS 184 }; 185 186 /* 187 * attributes that exists only in hardware feature objects 188 * 189 */ 190 CK_ATTRIBUTE_TYPE HARDWARE_ATTRS[] = 191 { 192 CKA_HW_FEATURE_TYPE, 193 CKA_RESET_ON_INIT, 194 CKA_HAS_RESET 195 }; 196 197 /* 198 * attributes that exists only in certificate objects 199 */ 200 CK_ATTRIBUTE_TYPE CERT_ATTRS[] = 201 { 202 CKA_CERTIFICATE_TYPE, 203 CKA_TRUSTED, 204 CKA_SUBJECT, 205 CKA_ID, 206 CKA_ISSUER, 207 CKA_AC_ISSUER, 208 CKA_SERIAL_NUMBER, 209 CKA_OWNER, 210 CKA_ATTR_TYPES 211 }; 212 213 214 /* 215 * Validate the attribute by using binary search algorithm. 216 */ 217 CK_RV 218 soft_lookup_attr(CK_ATTRIBUTE_TYPE type) 219 { 220 221 size_t lower, middle, upper; 222 223 lower = 0; 224 upper = (sizeof (attr_map) / sizeof (CK_ATTRIBUTE_TYPE)) - 1; 225 226 while (lower <= upper) { 227 /* Always starts from middle. */ 228 middle = (lower + upper) / 2; 229 230 if (type > attr_map[middle]) { 231 /* Adjust the lower bound to upper half. */ 232 lower = middle + 1; 233 continue; 234 } 235 236 if (type == attr_map[middle]) { 237 /* Found it. */ 238 return (CKR_OK); 239 } 240 241 if (type < attr_map[middle]) { 242 /* Adjust the upper bound to lower half. */ 243 upper = middle - 1; 244 continue; 245 } 246 } 247 248 /* Failed to find the matching attribute from the attribute table. */ 249 return (CKR_ATTRIBUTE_TYPE_INVALID); 250 } 251 252 253 /* 254 * Validate the attribute by using the following search algorithm: 255 * 256 * 1) Search for the most frequently used attributes first. 257 * 2) If not found, search for the usage-purpose attributes - these 258 * attributes have dense set of values, therefore compiler will 259 * optimize it with a branch table and branch to the appropriate 260 * case. 261 * 3) If still not found, use binary search for the rest of the 262 * attributes in the attr_map[] table. 263 */ 264 CK_RV 265 soft_validate_attr(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 266 CK_OBJECT_CLASS *class) 267 { 268 269 CK_ULONG i; 270 CK_RV rv = CKR_OK; 271 272 for (i = 0; i < ulAttrNum; i++) { 273 /* First tier search */ 274 switch (template[i].type) { 275 case CKA_CLASS: 276 *class = *((CK_OBJECT_CLASS*)template[i].pValue); 277 break; 278 case CKA_TOKEN: 279 break; 280 case CKA_KEY_TYPE: 281 break; 282 case CKA_VALUE: 283 break; 284 case CKA_VALUE_LEN: 285 break; 286 case CKA_VALUE_BITS: 287 break; 288 default: 289 /* Second tier search */ 290 switch (template[i].type) { 291 case CKA_ENCRYPT: 292 break; 293 case CKA_DECRYPT: 294 break; 295 case CKA_WRAP: 296 break; 297 case CKA_UNWRAP: 298 break; 299 case CKA_SIGN: 300 break; 301 case CKA_SIGN_RECOVER: 302 break; 303 case CKA_VERIFY: 304 break; 305 case CKA_VERIFY_RECOVER: 306 break; 307 case CKA_DERIVE: 308 break; 309 default: 310 /* Third tier search */ 311 rv = soft_lookup_attr(template[i].type); 312 if (rv != CKR_OK) 313 return (rv); 314 break; 315 } 316 break; 317 } 318 } 319 return (rv); 320 } 321 322 static void 323 cleanup_cert_attr(cert_attr_t *attr) 324 { 325 if (attr) { 326 if (attr->value) { 327 (void) memset(attr->value, 0, attr->length); 328 free(attr->value); 329 } 330 attr->value = NULL; 331 attr->length = 0; 332 } 333 } 334 335 static CK_RV 336 copy_cert_attr(cert_attr_t *src_attr, cert_attr_t **dest_attr) 337 { 338 CK_RV rv = CKR_OK; 339 340 if (src_attr == NULL || dest_attr == NULL) 341 return (CKR_HOST_MEMORY); 342 343 if (src_attr->value == NULL) 344 return (CKR_HOST_MEMORY); 345 346 /* free memory if its already allocated */ 347 if (*dest_attr != NULL) { 348 if ((*dest_attr)->value != (CK_BYTE *)NULL) 349 free((*dest_attr)->value); 350 } else { 351 *dest_attr = malloc(sizeof (cert_attr_t)); 352 if (*dest_attr == NULL) 353 return (CKR_HOST_MEMORY); 354 } 355 356 (*dest_attr)->value = NULL; 357 (*dest_attr)->length = 0; 358 359 if (src_attr->length) { 360 (*dest_attr)->value = malloc(src_attr->length); 361 if ((*dest_attr)->value == NULL) { 362 free(*dest_attr); 363 return (CKR_HOST_MEMORY); 364 } 365 366 (void) memcpy((*dest_attr)->value, src_attr->value, 367 src_attr->length); 368 (*dest_attr)->length = src_attr->length; 369 } 370 371 return (rv); 372 } 373 374 void 375 soft_cleanup_cert_object(soft_object_t *object_p) 376 { 377 CK_CERTIFICATE_TYPE certtype = object_p->cert_type; 378 379 if (object_p->class != CKO_CERTIFICATE || 380 OBJ_CERT(object_p) == NULL) 381 return; 382 383 if (certtype == CKC_X_509) { 384 if (X509_CERT_SUBJECT(object_p) != NULL) { 385 cleanup_cert_attr(X509_CERT_SUBJECT(object_p)); 386 free(X509_CERT_SUBJECT(object_p)); 387 X509_CERT_SUBJECT(object_p) = NULL; 388 } 389 if (X509_CERT_VALUE(object_p) != NULL) { 390 cleanup_cert_attr(X509_CERT_VALUE(object_p)); 391 free(X509_CERT_VALUE(object_p)); 392 X509_CERT_VALUE(object_p) = NULL; 393 } 394 free(OBJ_CERT(object_p)); 395 } else if (certtype == CKC_X_509_ATTR_CERT) { 396 if (X509_ATTR_CERT_VALUE(object_p) != NULL) { 397 cleanup_cert_attr(X509_ATTR_CERT_VALUE(object_p)); 398 free(X509_ATTR_CERT_VALUE(object_p)); 399 X509_ATTR_CERT_VALUE(object_p) = NULL; 400 } 401 if (X509_ATTR_CERT_OWNER(object_p) != NULL) { 402 cleanup_cert_attr(X509_ATTR_CERT_OWNER(object_p)); 403 free(X509_ATTR_CERT_OWNER(object_p)); 404 X509_ATTR_CERT_OWNER(object_p) = NULL; 405 } 406 free(OBJ_CERT(object_p)); 407 } 408 } 409 410 /* 411 * Clean up and release all the storage in the extra attribute list 412 * of an object. 413 */ 414 void 415 soft_cleanup_extra_attr(soft_object_t *object_p) 416 { 417 418 CK_ATTRIBUTE_INFO_PTR extra_attr; 419 CK_ATTRIBUTE_INFO_PTR tmp; 420 421 extra_attr = object_p->extra_attrlistp; 422 while (extra_attr) { 423 tmp = extra_attr->next; 424 if (extra_attr->attr.pValue) 425 /* 426 * All extra attributes in the extra attribute 427 * list have pValue points to the value of the 428 * attribute (with simple byte array type). 429 * Free the storage for the value of the attribute. 430 */ 431 free(extra_attr->attr.pValue); 432 433 /* Free the storage for the attribute_info struct. */ 434 free(extra_attr); 435 extra_attr = tmp; 436 } 437 438 object_p->extra_attrlistp = NULL; 439 } 440 441 442 /* 443 * Create the attribute_info struct to hold the object's attribute, 444 * and add it to the extra attribute list of an object. 445 */ 446 CK_RV 447 soft_add_extra_attr(CK_ATTRIBUTE_PTR template, soft_object_t *object_p) 448 { 449 450 CK_ATTRIBUTE_INFO_PTR attrp; 451 452 /* Allocate the storage for the attribute_info struct. */ 453 attrp = calloc(1, sizeof (attribute_info_t)); 454 if (attrp == NULL) { 455 return (CKR_HOST_MEMORY); 456 } 457 458 /* Set up attribute_info struct. */ 459 attrp->attr.type = template->type; 460 attrp->attr.ulValueLen = template->ulValueLen; 461 462 if ((template->pValue != NULL) && 463 (template->ulValueLen > 0)) { 464 /* Allocate storage for the value of the attribute. */ 465 attrp->attr.pValue = malloc(template->ulValueLen); 466 if (attrp->attr.pValue == NULL) { 467 free(attrp); 468 return (CKR_HOST_MEMORY); 469 } 470 471 (void) memcpy(attrp->attr.pValue, template->pValue, 472 template->ulValueLen); 473 } else { 474 attrp->attr.pValue = NULL; 475 } 476 477 /* Insert the new attribute in front of extra attribute list. */ 478 if (object_p->extra_attrlistp == NULL) { 479 object_p->extra_attrlistp = attrp; 480 attrp->next = NULL; 481 } else { 482 attrp->next = object_p->extra_attrlistp; 483 object_p->extra_attrlistp = attrp; 484 } 485 486 return (CKR_OK); 487 } 488 489 CK_RV 490 soft_copy_certificate(certificate_obj_t *oldcert, certificate_obj_t **newcert, 491 CK_CERTIFICATE_TYPE type) 492 { 493 CK_RV rv = CKR_OK; 494 certificate_obj_t *cert; 495 x509_cert_t x509; 496 x509_attr_cert_t x509_attr; 497 498 cert = calloc(1, sizeof (certificate_obj_t)); 499 if (cert == NULL) { 500 return (CKR_HOST_MEMORY); 501 } 502 503 if (type == CKC_X_509) { 504 x509 = oldcert->cert_type_u.x509; 505 if (x509.subject) 506 if ((rv = copy_cert_attr(x509.subject, 507 &cert->cert_type_u.x509.subject))) 508 return (rv); 509 if (x509.value) 510 if ((rv = copy_cert_attr(x509.value, 511 &cert->cert_type_u.x509.value))) 512 return (rv); 513 } else if (type == CKC_X_509_ATTR_CERT) { 514 x509_attr = oldcert->cert_type_u.x509_attr; 515 if (x509_attr.owner) 516 if ((rv = copy_cert_attr(x509_attr.owner, 517 &cert->cert_type_u.x509_attr.owner))) 518 return (rv); 519 if (x509_attr.value) 520 if ((rv = copy_cert_attr(x509_attr.value, 521 &cert->cert_type_u.x509_attr.value))) 522 return (rv); 523 } else { 524 /* wrong certificate type */ 525 rv = CKR_ATTRIBUTE_TYPE_INVALID; 526 } 527 if (rv == CKR_OK) 528 *newcert = cert; 529 return (rv); 530 } 531 532 /* 533 * Copy the attribute_info struct from the old object to a new attribute_info 534 * struct, and add that new struct to the extra attribute list of the new 535 * object. 536 */ 537 CK_RV 538 soft_copy_extra_attr(CK_ATTRIBUTE_INFO_PTR old_attrp, soft_object_t *object_p) 539 { 540 CK_ATTRIBUTE_INFO_PTR attrp; 541 542 /* Allocate attribute_info struct. */ 543 attrp = calloc(1, sizeof (attribute_info_t)); 544 if (attrp == NULL) { 545 return (CKR_HOST_MEMORY); 546 } 547 548 attrp->attr.type = old_attrp->attr.type; 549 attrp->attr.ulValueLen = old_attrp->attr.ulValueLen; 550 551 if ((old_attrp->attr.pValue != NULL) && 552 (old_attrp->attr.ulValueLen > 0)) { 553 attrp->attr.pValue = malloc(old_attrp->attr.ulValueLen); 554 if (attrp->attr.pValue == NULL) { 555 free(attrp); 556 return (CKR_HOST_MEMORY); 557 } 558 559 (void) memcpy(attrp->attr.pValue, old_attrp->attr.pValue, 560 old_attrp->attr.ulValueLen); 561 } else { 562 attrp->attr.pValue = NULL; 563 } 564 565 /* Insert the new attribute in front of extra attribute list */ 566 if (object_p->extra_attrlistp == NULL) { 567 object_p->extra_attrlistp = attrp; 568 attrp->next = NULL; 569 } else { 570 attrp->next = object_p->extra_attrlistp; 571 object_p->extra_attrlistp = attrp; 572 } 573 574 return (CKR_OK); 575 } 576 577 578 /* 579 * Get the attribute triple from the extra attribute list in the object 580 * (if the specified attribute type is found), and copy it to a template. 581 * Note the type of the attribute to be copied is specified by the template, 582 * and the storage is pre-allocated for the atrribute value in the template 583 * for doing the copy. 584 */ 585 CK_RV 586 get_extra_attr_from_object(soft_object_t *object_p, CK_ATTRIBUTE_PTR template) 587 { 588 589 CK_ATTRIBUTE_INFO_PTR extra_attr; 590 CK_ATTRIBUTE_TYPE type = template->type; 591 592 extra_attr = object_p->extra_attrlistp; 593 594 while (extra_attr) { 595 if (type == extra_attr->attr.type) { 596 /* Found it. */ 597 break; 598 } else { 599 /* Does not match, try next one. */ 600 extra_attr = extra_attr->next; 601 } 602 } 603 604 if (extra_attr == NULL) { 605 /* A valid but un-initialized attribute. */ 606 template->ulValueLen = 0; 607 return (CKR_OK); 608 } 609 610 /* 611 * We found the attribute in the extra attribute list. 612 */ 613 if (template->pValue == NULL) { 614 template->ulValueLen = extra_attr->attr.ulValueLen; 615 return (CKR_OK); 616 } 617 618 if (template->ulValueLen >= extra_attr->attr.ulValueLen) { 619 /* 620 * The buffer provided by the application is large 621 * enough to hold the value of the attribute. 622 */ 623 (void) memcpy(template->pValue, extra_attr->attr.pValue, 624 extra_attr->attr.ulValueLen); 625 template->ulValueLen = extra_attr->attr.ulValueLen; 626 return (CKR_OK); 627 } else { 628 /* 629 * The buffer provided by the application does 630 * not have enough space to hold the value. 631 */ 632 template->ulValueLen = (CK_ULONG)-1; 633 return (CKR_BUFFER_TOO_SMALL); 634 } 635 } 636 637 638 /* 639 * Modify the attribute triple in the extra attribute list of the object 640 * if the specified attribute type is found. Otherwise, just add it to 641 * list. 642 */ 643 CK_RV 644 set_extra_attr_to_object(soft_object_t *object_p, CK_ATTRIBUTE_TYPE type, 645 CK_ATTRIBUTE_PTR template) 646 { 647 648 CK_ATTRIBUTE_INFO_PTR extra_attr; 649 650 extra_attr = object_p->extra_attrlistp; 651 652 while (extra_attr) { 653 if (type == extra_attr->attr.type) { 654 /* Found it. */ 655 break; 656 } else { 657 /* Does not match, try next one. */ 658 extra_attr = extra_attr->next; 659 } 660 } 661 662 if (extra_attr == NULL) { 663 /* 664 * This attribute is a new one, go ahead adding it to 665 * the extra attribute list. 666 */ 667 return (soft_add_extra_attr(template, object_p)); 668 } 669 670 /* We found the attribute in the extra attribute list. */ 671 if ((template->pValue != NULL) && 672 (template->ulValueLen > 0)) { 673 if (template->ulValueLen > extra_attr->attr.ulValueLen) { 674 /* The old buffer is too small to hold the new value. */ 675 if (extra_attr->attr.pValue != NULL) 676 /* Free storage for the old attribute value. */ 677 free(extra_attr->attr.pValue); 678 679 /* Allocate storage for the new attribute value. */ 680 extra_attr->attr.pValue = malloc(template->ulValueLen); 681 if (extra_attr->attr.pValue == NULL) { 682 return (CKR_HOST_MEMORY); 683 } 684 } 685 686 /* Replace the attribute with new value. */ 687 extra_attr->attr.ulValueLen = template->ulValueLen; 688 (void) memcpy(extra_attr->attr.pValue, template->pValue, 689 template->ulValueLen); 690 } else { 691 extra_attr->attr.pValue = NULL; 692 } 693 694 return (CKR_OK); 695 } 696 697 698 /* 699 * Copy the big integer attribute value from template to a biginteger_t struct. 700 */ 701 CK_RV 702 get_bigint_attr_from_template(biginteger_t *big, CK_ATTRIBUTE_PTR template) 703 { 704 705 if ((template->pValue != NULL) && 706 (template->ulValueLen > 0)) { 707 /* Allocate storage for the value of the attribute. */ 708 big->big_value = malloc(template->ulValueLen); 709 if (big->big_value == NULL) { 710 return (CKR_HOST_MEMORY); 711 } 712 713 (void) memcpy(big->big_value, template->pValue, 714 template->ulValueLen); 715 big->big_value_len = template->ulValueLen; 716 } else { 717 big->big_value = NULL; 718 big->big_value_len = 0; 719 } 720 721 return (CKR_OK); 722 } 723 724 725 /* 726 * Copy the big integer attribute value from a biginteger_t struct in the 727 * object to a template. 728 */ 729 CK_RV 730 get_bigint_attr_from_object(biginteger_t *big, CK_ATTRIBUTE_PTR template) 731 { 732 733 if (template->pValue == NULL) { 734 template->ulValueLen = big->big_value_len; 735 return (CKR_OK); 736 } 737 738 if (big->big_value == NULL) { 739 template->ulValueLen = 0; 740 return (CKR_OK); 741 } 742 743 if (template->ulValueLen >= big->big_value_len) { 744 /* 745 * The buffer provided by the application is large 746 * enough to hold the value of the attribute. 747 */ 748 (void) memcpy(template->pValue, big->big_value, 749 big->big_value_len); 750 template->ulValueLen = big->big_value_len; 751 return (CKR_OK); 752 } else { 753 /* 754 * The buffer provided by the application does 755 * not have enough space to hold the value. 756 */ 757 template->ulValueLen = (CK_ULONG)-1; 758 return (CKR_BUFFER_TOO_SMALL); 759 } 760 } 761 762 763 /* 764 * Copy the boolean data type attribute value from an object for the 765 * specified attribute to the template. 766 */ 767 CK_RV 768 get_bool_attr_from_object(soft_object_t *object_p, CK_ULONG bool_flag, 769 CK_ATTRIBUTE_PTR template) 770 { 771 772 if (template->pValue == NULL) { 773 template->ulValueLen = sizeof (CK_BBOOL); 774 return (CKR_OK); 775 } 776 777 if (template->ulValueLen >= sizeof (CK_BBOOL)) { 778 /* 779 * The buffer provided by the application is large 780 * enough to hold the value of the attribute. 781 */ 782 if (object_p->bool_attr_mask & bool_flag) { 783 *((CK_BBOOL *)template->pValue) = B_TRUE; 784 } else { 785 *((CK_BBOOL *)template->pValue) = B_FALSE; 786 } 787 788 template->ulValueLen = sizeof (CK_BBOOL); 789 return (CKR_OK); 790 } else { 791 /* 792 * The buffer provided by the application does 793 * not have enough space to hold the value. 794 */ 795 template->ulValueLen = (CK_ULONG)-1; 796 return (CKR_BUFFER_TOO_SMALL); 797 } 798 } 799 800 /* 801 * Set the boolean data type attribute value in the object. 802 */ 803 CK_RV 804 set_bool_attr_to_object(soft_object_t *object_p, CK_ULONG bool_flag, 805 CK_ATTRIBUTE_PTR template) 806 { 807 808 if (*(CK_BBOOL *)template->pValue) 809 object_p->bool_attr_mask |= bool_flag; 810 else 811 object_p->bool_attr_mask &= ~bool_flag; 812 813 return (CKR_OK); 814 } 815 816 817 /* 818 * Copy the CK_ULONG data type attribute value from an object to the 819 * template. 820 */ 821 CK_RV 822 get_ulong_attr_from_object(CK_ULONG value, CK_ATTRIBUTE_PTR template) 823 { 824 825 if (template->pValue == NULL) { 826 template->ulValueLen = sizeof (CK_ULONG); 827 return (CKR_OK); 828 } 829 830 if (template->ulValueLen >= sizeof (CK_ULONG)) { 831 /* 832 * The buffer provided by the application is large 833 * enough to hold the value of the attribute. 834 * It is also assumed to be correctly aligned. 835 */ 836 *(CK_ULONG_PTR)template->pValue = value; 837 template->ulValueLen = sizeof (CK_ULONG); 838 return (CKR_OK); 839 } else { 840 /* 841 * The buffer provided by the application does 842 * not have enough space to hold the value. 843 */ 844 template->ulValueLen = (CK_ULONG)-1; 845 return (CKR_BUFFER_TOO_SMALL); 846 } 847 } 848 849 850 /* 851 * Copy the CK_ULONG data type attribute value from a template to the 852 * object. 853 */ 854 static CK_RV 855 get_ulong_attr_from_template(CK_ULONG *value, CK_ATTRIBUTE_PTR template) 856 { 857 858 if (template->ulValueLen < sizeof (CK_ULONG)) 859 return (CKR_ATTRIBUTE_VALUE_INVALID); 860 861 if (template->pValue != NULL) { 862 *value = *(CK_ULONG_PTR)template->pValue; 863 } else { 864 *value = 0; 865 } 866 867 return (CKR_OK); 868 } 869 870 /* 871 * Copy the big integer attribute value from source's biginteger_t to 872 * destination's biginteger_t. 873 */ 874 void 875 copy_bigint_attr(biginteger_t *src, biginteger_t *dst) 876 { 877 878 if ((src->big_value != NULL) && 879 (src->big_value_len > 0)) { 880 /* 881 * To do the copy, just have dst's big_value points 882 * to src's. 883 */ 884 dst->big_value = src->big_value; 885 dst->big_value_len = src->big_value_len; 886 887 /* 888 * After the copy, nullify the src's big_value pointer. 889 * It prevents any double freeing the value. 890 */ 891 src->big_value = NULL; 892 src->big_value_len = 0; 893 } else { 894 dst->big_value = NULL; 895 dst->big_value_len = 0; 896 } 897 } 898 899 CK_RV 900 get_string_from_template(CK_ATTRIBUTE_PTR dest, CK_ATTRIBUTE_PTR src) 901 { 902 if ((src->pValue != NULL) && 903 (src->ulValueLen > 0)) { 904 /* Allocate storage for the value of the attribute. */ 905 dest->pValue = malloc(src->ulValueLen); 906 if (dest->pValue == NULL) { 907 return (CKR_HOST_MEMORY); 908 } 909 910 (void) memcpy(dest->pValue, src->pValue, 911 src->ulValueLen); 912 dest->ulValueLen = src->ulValueLen; 913 dest->type = src->type; 914 } else { 915 dest->pValue = NULL; 916 dest->ulValueLen = 0; 917 dest->type = src->type; 918 } 919 920 return (CKR_OK); 921 922 } 923 924 CK_RV 925 get_cert_attr_from_template(cert_attr_t **dest, CK_ATTRIBUTE_PTR src) 926 { 927 if (src->pValue != NULL && src->ulValueLen > 0) { 928 /* 929 * If the attribute was already set, clear out the 930 * existing value and release the memory. 931 */ 932 if (*dest != NULL) { 933 if ((*dest)->value != NULL) { 934 (void) memset((*dest)->value, 0, 935 (*dest)->length); 936 free((*dest)->value); 937 } 938 } else { 939 *dest = malloc(sizeof (cert_attr_t)); 940 if (*dest == NULL) { 941 return (CKR_HOST_MEMORY); 942 } 943 (void) memset(*dest, 0, sizeof (cert_attr_t)); 944 } 945 (*dest)->value = malloc(src->ulValueLen); 946 if ((*dest)->value == NULL) { 947 free(*dest); 948 *dest = NULL; 949 return (CKR_HOST_MEMORY); 950 } 951 (void) memcpy((*dest)->value, src->pValue, src->ulValueLen); 952 (*dest)->length = src->ulValueLen; 953 } 954 955 return (CKR_OK); 956 } 957 958 /* 959 * Copy the certificate attribute information to the template. 960 * If the template attribute is not big enough, set the ulValueLen=-1 961 * and return CKR_BUFFER_TOO_SMALL. 962 */ 963 static CK_RV 964 get_cert_attr_from_object(cert_attr_t *src, CK_ATTRIBUTE_PTR template) 965 { 966 if (template->pValue == NULL) { 967 template->ulValueLen = src->length; 968 return (CKR_OK); 969 } else if (template->ulValueLen >= src->length) { 970 /* 971 * The buffer provided by the application is large 972 * enough to hold the value of the attribute. 973 */ 974 (void) memcpy(template->pValue, src->value, src->length); 975 template->ulValueLen = src->length; 976 return (CKR_OK); 977 } else { 978 /* 979 * The buffer provided by the application does 980 * not have enough space to hold the value. 981 */ 982 template->ulValueLen = (CK_ULONG)-1; 983 return (CKR_BUFFER_TOO_SMALL); 984 } 985 } 986 987 void 988 string_attr_cleanup(CK_ATTRIBUTE_PTR template) 989 { 990 991 if (template->pValue) { 992 free(template->pValue); 993 template->pValue = NULL; 994 template->ulValueLen = 0; 995 } 996 } 997 998 /* 999 * Release the storage allocated for object attribute with big integer 1000 * value. 1001 */ 1002 void 1003 bigint_attr_cleanup(biginteger_t *big) 1004 { 1005 1006 if (big == NULL) 1007 return; 1008 1009 if (big->big_value) { 1010 (void) memset(big->big_value, 0, big->big_value_len); 1011 free(big->big_value); 1012 big->big_value = NULL; 1013 big->big_value_len = 0; 1014 } 1015 } 1016 1017 1018 /* 1019 * Clean up and release all the storage allocated to hold the big integer 1020 * attributes associated with the type (i.e. class) of the object. Also, 1021 * release the storage allocated to the type of the object. 1022 */ 1023 void 1024 soft_cleanup_object_bigint_attrs(soft_object_t *object_p) 1025 { 1026 1027 CK_OBJECT_CLASS class = object_p->class; 1028 CK_KEY_TYPE keytype = object_p->key_type; 1029 1030 1031 switch (class) { 1032 case CKO_PUBLIC_KEY: 1033 if (OBJ_PUB(object_p)) { 1034 switch (keytype) { 1035 case CKK_RSA: 1036 bigint_attr_cleanup(OBJ_PUB_RSA_MOD( 1037 object_p)); 1038 bigint_attr_cleanup(OBJ_PUB_RSA_PUBEXPO( 1039 object_p)); 1040 break; 1041 1042 case CKK_DSA: 1043 bigint_attr_cleanup(OBJ_PUB_DSA_PRIME( 1044 object_p)); 1045 bigint_attr_cleanup(OBJ_PUB_DSA_SUBPRIME( 1046 object_p)); 1047 bigint_attr_cleanup(OBJ_PUB_DSA_BASE( 1048 object_p)); 1049 bigint_attr_cleanup(OBJ_PUB_DSA_VALUE( 1050 object_p)); 1051 break; 1052 1053 case CKK_DH: 1054 bigint_attr_cleanup(OBJ_PUB_DH_PRIME( 1055 object_p)); 1056 bigint_attr_cleanup(OBJ_PUB_DH_BASE( 1057 object_p)); 1058 bigint_attr_cleanup(OBJ_PUB_DH_VALUE( 1059 object_p)); 1060 break; 1061 1062 case CKK_X9_42_DH: 1063 bigint_attr_cleanup(OBJ_PUB_DH942_PRIME( 1064 object_p)); 1065 bigint_attr_cleanup(OBJ_PUB_DH942_BASE( 1066 object_p)); 1067 bigint_attr_cleanup(OBJ_PUB_DH942_SUBPRIME( 1068 object_p)); 1069 bigint_attr_cleanup(OBJ_PUB_DH942_VALUE( 1070 object_p)); 1071 break; 1072 case CKK_EC: 1073 bigint_attr_cleanup(OBJ_PUB_EC_POINT( 1074 object_p)); 1075 break; 1076 } 1077 1078 /* Release Public Key Object struct */ 1079 free(OBJ_PUB(object_p)); 1080 OBJ_PUB(object_p) = NULL; 1081 } 1082 break; 1083 1084 case CKO_PRIVATE_KEY: 1085 if (OBJ_PRI(object_p)) { 1086 switch (keytype) { 1087 case CKK_RSA: 1088 bigint_attr_cleanup(OBJ_PRI_RSA_MOD( 1089 object_p)); 1090 bigint_attr_cleanup(OBJ_PRI_RSA_PUBEXPO( 1091 object_p)); 1092 bigint_attr_cleanup(OBJ_PRI_RSA_PRIEXPO( 1093 object_p)); 1094 bigint_attr_cleanup(OBJ_PRI_RSA_PRIME1( 1095 object_p)); 1096 bigint_attr_cleanup(OBJ_PRI_RSA_PRIME2( 1097 object_p)); 1098 bigint_attr_cleanup(OBJ_PRI_RSA_EXPO1( 1099 object_p)); 1100 bigint_attr_cleanup(OBJ_PRI_RSA_EXPO2( 1101 object_p)); 1102 bigint_attr_cleanup(OBJ_PRI_RSA_COEF( 1103 object_p)); 1104 break; 1105 1106 case CKK_DSA: 1107 bigint_attr_cleanup(OBJ_PRI_DSA_PRIME( 1108 object_p)); 1109 bigint_attr_cleanup(OBJ_PRI_DSA_SUBPRIME( 1110 object_p)); 1111 bigint_attr_cleanup(OBJ_PRI_DSA_BASE( 1112 object_p)); 1113 bigint_attr_cleanup(OBJ_PRI_DSA_VALUE( 1114 object_p)); 1115 break; 1116 1117 case CKK_DH: 1118 bigint_attr_cleanup(OBJ_PRI_DH_PRIME( 1119 object_p)); 1120 bigint_attr_cleanup(OBJ_PRI_DH_BASE( 1121 object_p)); 1122 bigint_attr_cleanup(OBJ_PRI_DH_VALUE( 1123 object_p)); 1124 break; 1125 1126 case CKK_X9_42_DH: 1127 bigint_attr_cleanup(OBJ_PRI_DH942_PRIME( 1128 object_p)); 1129 bigint_attr_cleanup(OBJ_PRI_DH942_BASE( 1130 object_p)); 1131 bigint_attr_cleanup(OBJ_PRI_DH942_SUBPRIME( 1132 object_p)); 1133 bigint_attr_cleanup(OBJ_PRI_DH942_VALUE( 1134 object_p)); 1135 break; 1136 1137 case CKK_EC: 1138 bigint_attr_cleanup(OBJ_PRI_EC_VALUE( 1139 object_p)); 1140 break; 1141 } 1142 1143 /* Release Private Key Object struct. */ 1144 free(OBJ_PRI(object_p)); 1145 OBJ_PRI(object_p) = NULL; 1146 } 1147 break; 1148 1149 case CKO_SECRET_KEY: 1150 if (OBJ_SEC(object_p)) { 1151 /* cleanup key data area */ 1152 if (OBJ_SEC_VALUE(object_p) != NULL && 1153 OBJ_SEC_VALUE_LEN(object_p) > 0) { 1154 (void) memset(OBJ_SEC_VALUE(object_p), 0, 1155 OBJ_SEC_VALUE_LEN(object_p)); 1156 free(OBJ_SEC_VALUE(object_p)); 1157 } 1158 /* cleanup key schedule data area */ 1159 if (OBJ_KEY_SCHED(object_p) != NULL && 1160 OBJ_KEY_SCHED_LEN(object_p) > 0) { 1161 (void) memset(OBJ_KEY_SCHED(object_p), 0, 1162 OBJ_KEY_SCHED_LEN(object_p)); 1163 free(OBJ_KEY_SCHED(object_p)); 1164 } 1165 1166 /* Release Secret Key Object struct. */ 1167 free(OBJ_SEC(object_p)); 1168 OBJ_SEC(object_p) = NULL; 1169 } 1170 break; 1171 1172 case CKO_DOMAIN_PARAMETERS: 1173 if (OBJ_DOM(object_p)) { 1174 switch (keytype) { 1175 case CKK_DSA: 1176 bigint_attr_cleanup(OBJ_DOM_DSA_PRIME( 1177 object_p)); 1178 bigint_attr_cleanup(OBJ_DOM_DSA_SUBPRIME( 1179 object_p)); 1180 bigint_attr_cleanup(OBJ_DOM_DSA_BASE( 1181 object_p)); 1182 break; 1183 1184 case CKK_DH: 1185 bigint_attr_cleanup(OBJ_DOM_DH_PRIME( 1186 object_p)); 1187 bigint_attr_cleanup(OBJ_DOM_DH_BASE( 1188 object_p)); 1189 break; 1190 1191 case CKK_X9_42_DH: 1192 bigint_attr_cleanup(OBJ_DOM_DH942_PRIME( 1193 object_p)); 1194 bigint_attr_cleanup(OBJ_DOM_DH942_BASE( 1195 object_p)); 1196 bigint_attr_cleanup(OBJ_DOM_DH942_SUBPRIME( 1197 object_p)); 1198 break; 1199 } 1200 1201 /* Release Domain Parameters Object struct. */ 1202 free(OBJ_DOM(object_p)); 1203 OBJ_DOM(object_p) = NULL; 1204 } 1205 break; 1206 } 1207 } 1208 1209 1210 /* 1211 * Parse the common attributes. Return to caller with appropriate return 1212 * value to indicate if the supplied template specifies a valid attribute 1213 * with a valid value. 1214 */ 1215 CK_RV 1216 soft_parse_common_attrs(CK_ATTRIBUTE_PTR template, uchar_t *object_type) 1217 { 1218 1219 CK_RV rv = CKR_OK; 1220 1221 switch (template->type) { 1222 case CKA_CLASS: 1223 break; 1224 1225 /* default boolean attributes */ 1226 case CKA_TOKEN: 1227 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) { 1228 if (!soft_keystore_status(KEYSTORE_INITIALIZED)) 1229 return (CKR_DEVICE_REMOVED); 1230 *object_type |= TOKEN_OBJECT; 1231 } 1232 break; 1233 1234 case CKA_PRIVATE: 1235 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) { 1236 (void) pthread_mutex_lock(&soft_giant_mutex); 1237 if (!soft_slot.authenticated) { 1238 /* 1239 * Check if this is the special case when 1240 * the PIN is never initialized in the keystore. 1241 * If true, we will let it pass here and let 1242 * it fail with CKR_PIN_EXPIRED later on. 1243 */ 1244 if (!soft_slot.userpin_change_needed) { 1245 (void) pthread_mutex_unlock( 1246 &soft_giant_mutex); 1247 return (CKR_USER_NOT_LOGGED_IN); 1248 } 1249 } 1250 (void) pthread_mutex_unlock(&soft_giant_mutex); 1251 *object_type |= PRIVATE_OBJECT; 1252 } 1253 break; 1254 1255 case CKA_LABEL: 1256 break; 1257 1258 default: 1259 rv = CKR_TEMPLATE_INCONSISTENT; 1260 } 1261 1262 return (rv); 1263 } 1264 1265 1266 /* 1267 * Build a Public Key Object. 1268 * 1269 * - Parse the object's template, and when an error is detected such as 1270 * invalid attribute type, invalid attribute value, etc., return 1271 * with appropriate return value. 1272 * - Set up attribute mask field in the object for the supplied common 1273 * attributes that have boolean type. 1274 * - Build the attribute_info struct to hold the value of each supplied 1275 * attribute that has byte array type. Link attribute_info structs 1276 * together to form the extra attribute list of the object. 1277 * - Allocate storage for the Public Key object. 1278 * - Build the Public Key object according to the key type. Allocate 1279 * storage to hold the big integer value for the supplied attributes 1280 * that are required for a certain key type. 1281 * 1282 */ 1283 CK_RV 1284 soft_build_public_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 1285 soft_object_t *new_object, CK_ULONG mode, CK_KEY_TYPE key_type) 1286 { 1287 1288 ulong_t i; 1289 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL; 1290 uint64_t attr_mask = PUBLIC_KEY_DEFAULT; 1291 CK_RV rv = CKR_OK; 1292 int isLabel = 0; 1293 /* Must set flags */ 1294 int isModulus = 0; 1295 int isPubExpo = 0; 1296 int isPrime = 0; 1297 int isSubprime = 0; 1298 int isBase = 0; 1299 int isValue = 0; 1300 int isECParam = 0; 1301 int isECPoint = 0; 1302 /* Must not set flags */ 1303 int isModulusBits = 0; 1304 CK_ULONG modulus_bits = 0; 1305 1306 biginteger_t modulus; 1307 biginteger_t pubexpo; 1308 biginteger_t prime; 1309 biginteger_t subprime; 1310 biginteger_t base; 1311 biginteger_t value; 1312 biginteger_t point; 1313 CK_ATTRIBUTE string_tmp; 1314 CK_ATTRIBUTE param_tmp; 1315 1316 public_key_obj_t *pbk; 1317 uchar_t object_type = 0; 1318 1319 CK_ATTRIBUTE defpubexpo = { CKA_PUBLIC_EXPONENT, 1320 (CK_BYTE_PTR)DEFAULT_PUB_EXPO, DEFAULT_PUB_EXPO_Len }; 1321 1322 BIGNUM n; 1323 1324 /* prevent bigint_attr_cleanup from freeing invalid attr value */ 1325 (void) memset(&modulus, 0x0, sizeof (biginteger_t)); 1326 (void) memset(&pubexpo, 0x0, sizeof (biginteger_t)); 1327 (void) memset(&prime, 0x0, sizeof (biginteger_t)); 1328 (void) memset(&subprime, 0x0, sizeof (biginteger_t)); 1329 (void) memset(&base, 0x0, sizeof (biginteger_t)); 1330 (void) memset(&value, 0x0, sizeof (biginteger_t)); 1331 (void) memset(&point, 0x0, sizeof (biginteger_t)); 1332 string_tmp.pValue = NULL; 1333 param_tmp.pValue = NULL; 1334 1335 for (i = 0; i < ulAttrNum; i++) { 1336 1337 /* Public Key Object Attributes */ 1338 switch (template[i].type) { 1339 1340 /* common key attributes */ 1341 case CKA_KEY_TYPE: 1342 keytype = *((CK_KEY_TYPE*)template[i].pValue); 1343 break; 1344 1345 case CKA_ID: 1346 case CKA_START_DATE: 1347 case CKA_END_DATE: 1348 1349 /* common public key attribute */ 1350 case CKA_SUBJECT: 1351 /* 1352 * Allocate storage to hold the attribute 1353 * value with byte array type, and add it to 1354 * the extra attribute list of the object. 1355 */ 1356 rv = soft_add_extra_attr(&template[i], 1357 new_object); 1358 if (rv != CKR_OK) { 1359 goto fail_cleanup; 1360 } 1361 break; 1362 1363 /* 1364 * The following key related attribute types must 1365 * not be specified by C_CreateObject, C_GenerateKey(Pair). 1366 */ 1367 case CKA_LOCAL: 1368 case CKA_KEY_GEN_MECHANISM: 1369 rv = CKR_TEMPLATE_INCONSISTENT; 1370 goto fail_cleanup; 1371 1372 /* Key related boolean attributes */ 1373 case CKA_DERIVE: 1374 if (*(CK_BBOOL *)template[i].pValue) 1375 attr_mask |= DERIVE_BOOL_ON; 1376 break; 1377 1378 case CKA_ENCRYPT: 1379 if (*(CK_BBOOL *)template[i].pValue) 1380 attr_mask |= ENCRYPT_BOOL_ON; 1381 else 1382 attr_mask &= ~ENCRYPT_BOOL_ON; 1383 break; 1384 1385 case CKA_VERIFY: 1386 if (*(CK_BBOOL *)template[i].pValue) 1387 attr_mask |= VERIFY_BOOL_ON; 1388 else 1389 attr_mask &= ~VERIFY_BOOL_ON; 1390 break; 1391 1392 case CKA_VERIFY_RECOVER: 1393 if (*(CK_BBOOL *)template[i].pValue) 1394 attr_mask |= VERIFY_RECOVER_BOOL_ON; 1395 else 1396 attr_mask &= ~VERIFY_RECOVER_BOOL_ON; 1397 break; 1398 1399 case CKA_WRAP: 1400 if (*(CK_BBOOL *)template[i].pValue) 1401 attr_mask |= WRAP_BOOL_ON; 1402 else 1403 attr_mask &= ~WRAP_BOOL_ON; 1404 break; 1405 1406 case CKA_TRUSTED: 1407 if (*(CK_BBOOL *)template[i].pValue) 1408 attr_mask |= TRUSTED_BOOL_ON; 1409 break; 1410 1411 case CKA_MODIFIABLE: 1412 if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE) 1413 attr_mask |= NOT_MODIFIABLE_BOOL_ON; 1414 break; 1415 1416 /* 1417 * The following key related attribute types must 1418 * be specified according to the key type by 1419 * C_CreateObject. 1420 */ 1421 case CKA_MODULUS: 1422 1423 isModulus = 1; 1424 /* 1425 * Copyin big integer attribute from template 1426 * to a local variable. 1427 */ 1428 rv = get_bigint_attr_from_template(&modulus, 1429 &template[i]); 1430 if (rv != CKR_OK) 1431 goto fail_cleanup; 1432 1433 /* 1434 * Modulus length needs to be between min key length and 1435 * max key length. 1436 */ 1437 if ((modulus.big_value_len < 1438 MIN_RSA_KEYLENGTH_IN_BYTES) || 1439 (modulus.big_value_len > 1440 MAX_RSA_KEYLENGTH_IN_BYTES)) { 1441 rv = CKR_ATTRIBUTE_VALUE_INVALID; 1442 goto fail_cleanup; 1443 } 1444 break; 1445 1446 case CKA_PUBLIC_EXPONENT: 1447 isPubExpo = 1; 1448 rv = get_bigint_attr_from_template(&pubexpo, 1449 &template[i]); 1450 if (rv != CKR_OK) 1451 goto fail_cleanup; 1452 break; 1453 1454 case CKA_PRIME: 1455 isPrime = 1; 1456 rv = get_bigint_attr_from_template(&prime, 1457 &template[i]); 1458 if (rv != CKR_OK) 1459 goto fail_cleanup; 1460 break; 1461 1462 case CKA_SUBPRIME: 1463 isSubprime = 1; 1464 rv = get_bigint_attr_from_template(&subprime, 1465 &template[i]); 1466 if (rv != CKR_OK) 1467 goto fail_cleanup; 1468 break; 1469 1470 case CKA_BASE: 1471 isBase = 1; 1472 rv = get_bigint_attr_from_template(&base, 1473 &template[i]); 1474 if (rv != CKR_OK) 1475 goto fail_cleanup; 1476 break; 1477 1478 case CKA_VALUE: 1479 isValue = 1; 1480 if (mode == SOFT_CREATE_OBJ) { 1481 if ((template[i].ulValueLen == 0) || 1482 (template[i].pValue == NULL)) { 1483 rv = CKR_ATTRIBUTE_VALUE_INVALID; 1484 goto fail_cleanup; 1485 } 1486 } 1487 1488 rv = get_bigint_attr_from_template(&value, 1489 &template[i]); 1490 if (rv != CKR_OK) 1491 goto fail_cleanup; 1492 break; 1493 1494 case CKA_MODULUS_BITS: 1495 isModulusBits = 1; 1496 rv = get_ulong_attr_from_template(&modulus_bits, 1497 &template[i]); 1498 if (rv != CKR_OK) 1499 goto fail_cleanup; 1500 break; 1501 1502 case CKA_LABEL: 1503 isLabel = 1; 1504 rv = get_string_from_template(&string_tmp, 1505 &template[i]); 1506 if (rv != CKR_OK) 1507 goto fail_cleanup; 1508 break; 1509 1510 case CKA_EC_PARAMS: 1511 isECParam = 1; 1512 rv = get_string_from_template(¶m_tmp, &template[i]); 1513 if (rv != CKR_OK) 1514 goto fail_cleanup; 1515 break; 1516 1517 case CKA_EC_POINT: 1518 isECPoint = 1; 1519 rv = get_bigint_attr_from_template(&point, 1520 &template[i]); 1521 if (rv != CKR_OK) 1522 goto fail_cleanup; 1523 break; 1524 1525 default: 1526 rv = soft_parse_common_attrs(&template[i], 1527 &object_type); 1528 if (rv != CKR_OK) 1529 goto fail_cleanup; 1530 break; 1531 } 1532 } /* For */ 1533 1534 /* Allocate storage for Public Key Object. */ 1535 pbk = calloc(1, sizeof (public_key_obj_t)); 1536 if (pbk == NULL) { 1537 rv = CKR_HOST_MEMORY; 1538 goto fail_cleanup; 1539 } 1540 1541 new_object->object_class_u.public_key = pbk; 1542 new_object->class = CKO_PUBLIC_KEY; 1543 1544 if ((mode == SOFT_CREATE_OBJ) && (keytype == (CK_KEY_TYPE)~0UL)) { 1545 rv = CKR_TEMPLATE_INCOMPLETE; 1546 goto fail_cleanup; 1547 } 1548 1549 if ((mode == SOFT_GEN_KEY) && (keytype == (CK_KEY_TYPE)~0UL)) { 1550 keytype = key_type; 1551 } 1552 1553 if ((mode == SOFT_GEN_KEY) && (keytype != key_type)) { 1554 /* 1555 * The key type specified in the template does not 1556 * match the implied key type based on the mechanism. 1557 */ 1558 rv = CKR_TEMPLATE_INCONSISTENT; 1559 goto fail_cleanup; 1560 } 1561 1562 new_object->key_type = keytype; 1563 1564 /* Supported key types of the Public Key Object */ 1565 switch (keytype) { 1566 1567 case CKK_RSA: 1568 if (mode == SOFT_CREATE_OBJ) { 1569 if (isModulusBits || isPrime || isSubprime || 1570 isBase || isValue) { 1571 rv = CKR_TEMPLATE_INCONSISTENT; 1572 goto fail_cleanup; 1573 } 1574 1575 if (isModulus && isPubExpo) { 1576 /* 1577 * Derive modulus_bits attribute from modulus. 1578 * Save modulus_bits integer value to the 1579 * designated place in the public key object. 1580 */ 1581 n.malloced = 0; 1582 #ifdef __sparcv9 1583 if (big_init(&n, (int)CHARLEN2BIGNUMLEN( 1584 modulus.big_value_len)) != BIG_OK) { 1585 #else /* !__sparcv9 */ 1586 if (big_init(&n, CHARLEN2BIGNUMLEN( 1587 modulus.big_value_len)) != BIG_OK) { 1588 #endif /* __sparcv9 */ 1589 rv = CKR_HOST_MEMORY; 1590 big_finish(&n); 1591 goto fail_cleanup; 1592 } 1593 bytestring2bignum(&n, modulus.big_value, 1594 modulus.big_value_len); 1595 1596 modulus_bits = big_bitlength(&n); 1597 KEY_PUB_RSA_MOD_BITS(pbk) = modulus_bits; 1598 big_finish(&n); 1599 1600 /* 1601 * After modulus_bits has been computed, 1602 * it is safe to move modulus and pubexpo 1603 * big integer attribute value to the 1604 * designated place in the public key object. 1605 */ 1606 copy_bigint_attr(&modulus, 1607 KEY_PUB_RSA_MOD(pbk)); 1608 1609 copy_bigint_attr(&pubexpo, 1610 KEY_PUB_RSA_PUBEXPO(pbk)); 1611 } else { 1612 rv = CKR_TEMPLATE_INCOMPLETE; 1613 goto fail_cleanup; 1614 } 1615 } else { 1616 /* mode is SOFT_GEN_KEY */ 1617 1618 if (isModulus || isPrime || isSubprime || 1619 isBase || isValue) { 1620 rv = CKR_TEMPLATE_INCONSISTENT; 1621 goto fail_cleanup; 1622 } 1623 1624 1625 if (isModulusBits) { 1626 /* 1627 * Copy big integer attribute value to the 1628 * designated place in the public key object. 1629 */ 1630 KEY_PUB_RSA_MOD_BITS(pbk) = modulus_bits; 1631 } else { 1632 rv = CKR_TEMPLATE_INCOMPLETE; 1633 goto fail_cleanup; 1634 } 1635 1636 /* 1637 * Use PKCS#11 default 0x010001 for public exponent 1638 * if not not specified in attribute template. 1639 */ 1640 if (!isPubExpo) { 1641 isPubExpo = 1; 1642 rv = get_bigint_attr_from_template(&pubexpo, 1643 &defpubexpo); 1644 if (rv != CKR_OK) 1645 goto fail_cleanup; 1646 } 1647 /* 1648 * Copy big integer attribute value to the 1649 * designated place in the public key object. 1650 */ 1651 copy_bigint_attr(&pubexpo, KEY_PUB_RSA_PUBEXPO(pbk)); 1652 } 1653 1654 break; 1655 1656 case CKK_DSA: 1657 if (mode == SOFT_CREATE_OBJ) { 1658 if (isModulusBits || isModulus || isPubExpo) { 1659 rv = CKR_TEMPLATE_INCONSISTENT; 1660 goto fail_cleanup; 1661 } 1662 1663 if (isPrime && isSubprime && isBase && isValue) { 1664 copy_bigint_attr(&value, 1665 KEY_PUB_DSA_VALUE(pbk)); 1666 } else { 1667 rv = CKR_TEMPLATE_INCOMPLETE; 1668 goto fail_cleanup; 1669 } 1670 } else { 1671 if (isModulusBits || isModulus || isPubExpo || 1672 isValue) { 1673 rv = CKR_TEMPLATE_INCONSISTENT; 1674 goto fail_cleanup; 1675 } 1676 1677 if (!(isPrime && isSubprime && isBase)) { 1678 rv = CKR_TEMPLATE_INCOMPLETE; 1679 goto fail_cleanup; 1680 } 1681 } 1682 1683 copy_bigint_attr(&prime, KEY_PUB_DSA_PRIME(pbk)); 1684 1685 copy_bigint_attr(&subprime, KEY_PUB_DSA_SUBPRIME(pbk)); 1686 1687 copy_bigint_attr(&base, KEY_PUB_DSA_BASE(pbk)); 1688 1689 break; 1690 1691 case CKK_DH: 1692 if (mode == SOFT_CREATE_OBJ) { 1693 if (isModulusBits || isModulus || isPubExpo || 1694 isSubprime) { 1695 rv = CKR_TEMPLATE_INCONSISTENT; 1696 goto fail_cleanup; 1697 } 1698 1699 if (isPrime && isBase && isValue) { 1700 copy_bigint_attr(&value, 1701 KEY_PUB_DH_VALUE(pbk)); 1702 } else { 1703 rv = CKR_TEMPLATE_INCOMPLETE; 1704 goto fail_cleanup; 1705 } 1706 } else { 1707 if (isModulusBits || isModulus || isPubExpo || 1708 isSubprime || isValue) { 1709 rv = CKR_TEMPLATE_INCONSISTENT; 1710 goto fail_cleanup; 1711 } 1712 1713 if (!(isPrime && isBase)) { 1714 rv = CKR_TEMPLATE_INCOMPLETE; 1715 goto fail_cleanup; 1716 } 1717 } 1718 1719 copy_bigint_attr(&prime, KEY_PUB_DH_PRIME(pbk)); 1720 1721 copy_bigint_attr(&base, KEY_PUB_DH_BASE(pbk)); 1722 1723 break; 1724 1725 case CKK_X9_42_DH: 1726 if (mode == SOFT_CREATE_OBJ) { 1727 if (isModulusBits || isModulus || isPubExpo) { 1728 rv = CKR_TEMPLATE_INCONSISTENT; 1729 goto fail_cleanup; 1730 } 1731 1732 if (isPrime && isSubprime && isBase && isValue) { 1733 copy_bigint_attr(&value, 1734 KEY_PUB_DH942_VALUE(pbk)); 1735 } else { 1736 rv = CKR_TEMPLATE_INCOMPLETE; 1737 goto fail_cleanup; 1738 } 1739 } else { 1740 if (isModulusBits || isModulus || isPubExpo || 1741 isValue) { 1742 rv = CKR_TEMPLATE_INCONSISTENT; 1743 goto fail_cleanup; 1744 } 1745 1746 if (!(isPrime && isSubprime && isBase)) { 1747 rv = CKR_TEMPLATE_INCOMPLETE; 1748 goto fail_cleanup; 1749 } 1750 } 1751 1752 copy_bigint_attr(&prime, KEY_PUB_DH942_PRIME(pbk)); 1753 1754 copy_bigint_attr(&base, KEY_PUB_DH942_BASE(pbk)); 1755 1756 copy_bigint_attr(&subprime, KEY_PUB_DH942_SUBPRIME(pbk)); 1757 1758 break; 1759 1760 case CKK_EC: 1761 if (mode == SOFT_CREATE_OBJ) { 1762 if (isModulusBits || isModulus || isPubExpo || 1763 isPrime || isSubprime || isBase || isValue) { 1764 rv = CKR_TEMPLATE_INCONSISTENT; 1765 goto fail_cleanup; 1766 1767 } else if (!isECParam || !isECPoint) { 1768 rv = CKR_TEMPLATE_INCOMPLETE; 1769 goto fail_cleanup; 1770 } 1771 } else { 1772 if (isModulusBits || isModulus || isPubExpo || 1773 isPrime || isSubprime || isBase || isValue) { 1774 rv = CKR_TEMPLATE_INCONSISTENT; 1775 goto fail_cleanup; 1776 1777 } else if (!isECParam) { 1778 rv = CKR_TEMPLATE_INCOMPLETE; 1779 goto fail_cleanup; 1780 } 1781 } 1782 1783 if (isECPoint) { 1784 copy_bigint_attr(&point, KEY_PUB_EC_POINT(pbk)); 1785 } 1786 rv = soft_add_extra_attr(¶m_tmp, new_object); 1787 if (rv != CKR_OK) 1788 goto fail_cleanup; 1789 string_attr_cleanup(¶m_tmp); 1790 break; 1791 1792 default: 1793 rv = CKR_TEMPLATE_INCONSISTENT; 1794 goto fail_cleanup; 1795 } 1796 1797 /* Set up object. */ 1798 new_object->object_type = object_type; 1799 new_object->bool_attr_mask = attr_mask; 1800 if (isLabel) { 1801 rv = soft_add_extra_attr(&string_tmp, new_object); 1802 if (rv != CKR_OK) 1803 goto fail_cleanup; 1804 string_attr_cleanup(&string_tmp); 1805 } 1806 1807 return (rv); 1808 1809 fail_cleanup: 1810 /* 1811 * cleanup the storage allocated to the local variables. 1812 */ 1813 bigint_attr_cleanup(&modulus); 1814 bigint_attr_cleanup(&pubexpo); 1815 bigint_attr_cleanup(&prime); 1816 bigint_attr_cleanup(&subprime); 1817 bigint_attr_cleanup(&base); 1818 bigint_attr_cleanup(&value); 1819 bigint_attr_cleanup(&point); 1820 string_attr_cleanup(&string_tmp); 1821 string_attr_cleanup(¶m_tmp); 1822 1823 /* 1824 * cleanup the storage allocated inside the object itself. 1825 */ 1826 soft_cleanup_object(new_object); 1827 1828 return (rv); 1829 } 1830 1831 1832 /* 1833 * Build a Private Key Object. 1834 * 1835 * - Parse the object's template, and when an error is detected such as 1836 * invalid attribute type, invalid attribute value, etc., return 1837 * with appropriate return value. 1838 * - Set up attribute mask field in the object for the supplied common 1839 * attributes that have boolean type. 1840 * - Build the attribute_info struct to hold the value of each supplied 1841 * attribute that has byte array type. Link attribute_info structs 1842 * together to form the extra attribute list of the object. 1843 * - Allocate storage for the Private Key object. 1844 * - Build the Private Key object according to the key type. Allocate 1845 * storage to hold the big integer value for the supplied attributes 1846 * that are required for a certain key type. 1847 * 1848 */ 1849 CK_RV 1850 soft_build_private_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 1851 soft_object_t *new_object, CK_ULONG mode, CK_KEY_TYPE key_type) 1852 { 1853 ulong_t i; 1854 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL; 1855 uint64_t attr_mask = PRIVATE_KEY_DEFAULT; 1856 CK_RV rv = CKR_OK; 1857 int isLabel = 0; 1858 int isECParam = 0; 1859 /* Must set flags unless mode == SOFT_UNWRAP_KEY */ 1860 int isModulus = 0; 1861 int isPriExpo = 0; 1862 int isPrime = 0; 1863 int isSubprime = 0; 1864 int isBase = 0; 1865 /* Must set flags if mode == SOFT_GEN_KEY */ 1866 int isValue = 0; 1867 /* Must not set flags */ 1868 int isValueBits = 0; 1869 CK_ULONG value_bits = 0; 1870 1871 /* Private Key RSA optional */ 1872 int isPubExpo = 0; 1873 int isPrime1 = 0; 1874 int isPrime2 = 0; 1875 int isExpo1 = 0; 1876 int isExpo2 = 0; 1877 int isCoef = 0; 1878 1879 biginteger_t modulus; 1880 biginteger_t priexpo; 1881 biginteger_t prime; 1882 biginteger_t subprime; 1883 biginteger_t base; 1884 biginteger_t value; 1885 1886 biginteger_t pubexpo; 1887 biginteger_t prime1; 1888 biginteger_t prime2; 1889 biginteger_t expo1; 1890 biginteger_t expo2; 1891 biginteger_t coef; 1892 CK_ATTRIBUTE string_tmp; 1893 CK_ATTRIBUTE param_tmp; 1894 BIGNUM x, q; 1895 1896 private_key_obj_t *pvk; 1897 uchar_t object_type = 0; 1898 1899 /* prevent bigint_attr_cleanup from freeing invalid attr value */ 1900 (void) memset(&modulus, 0x0, sizeof (biginteger_t)); 1901 (void) memset(&priexpo, 0x0, sizeof (biginteger_t)); 1902 (void) memset(&prime, 0x0, sizeof (biginteger_t)); 1903 (void) memset(&subprime, 0x0, sizeof (biginteger_t)); 1904 (void) memset(&base, 0x0, sizeof (biginteger_t)); 1905 (void) memset(&value, 0x0, sizeof (biginteger_t)); 1906 (void) memset(&pubexpo, 0x0, sizeof (biginteger_t)); 1907 (void) memset(&prime1, 0x0, sizeof (biginteger_t)); 1908 (void) memset(&prime2, 0x0, sizeof (biginteger_t)); 1909 (void) memset(&expo1, 0x0, sizeof (biginteger_t)); 1910 (void) memset(&expo2, 0x0, sizeof (biginteger_t)); 1911 (void) memset(&coef, 0x0, sizeof (biginteger_t)); 1912 string_tmp.pValue = NULL; 1913 param_tmp.pValue = NULL; 1914 x.malloced = 0; 1915 q.malloced = 0; 1916 1917 for (i = 0; i < ulAttrNum; i++) { 1918 1919 /* Private Key Object Attributes */ 1920 switch (template[i].type) { 1921 /* common key attributes */ 1922 case CKA_KEY_TYPE: 1923 keytype = *((CK_KEY_TYPE*)template[i].pValue); 1924 break; 1925 1926 case CKA_ID: 1927 case CKA_START_DATE: 1928 case CKA_END_DATE: 1929 1930 /* common private key attribute */ 1931 case CKA_SUBJECT: 1932 /* 1933 * Allocate storage to hold the attribute 1934 * value with byte array type, and add it to 1935 * the extra attribute list of the object. 1936 */ 1937 rv = soft_add_extra_attr(&template[i], 1938 new_object); 1939 if (rv != CKR_OK) { 1940 goto fail_cleanup; 1941 } 1942 break; 1943 1944 /* 1945 * The following key related attribute types must 1946 * not be specified by C_CreateObject or C_GenerateKey(Pair). 1947 */ 1948 case CKA_LOCAL: 1949 case CKA_KEY_GEN_MECHANISM: 1950 case CKA_AUTH_PIN_FLAGS: 1951 case CKA_ALWAYS_SENSITIVE: 1952 case CKA_NEVER_EXTRACTABLE: 1953 rv = CKR_TEMPLATE_INCONSISTENT; 1954 goto fail_cleanup; 1955 1956 /* Key related boolean attributes */ 1957 case CKA_DERIVE: 1958 if (*(CK_BBOOL *)template[i].pValue) 1959 attr_mask |= DERIVE_BOOL_ON; 1960 break; 1961 1962 case CKA_SENSITIVE: 1963 if (*(CK_BBOOL *)template[i].pValue) 1964 attr_mask |= SENSITIVE_BOOL_ON; 1965 break; 1966 1967 case CKA_SECONDARY_AUTH: 1968 if (*(CK_BBOOL *)template[i].pValue) { 1969 rv = CKR_ATTRIBUTE_VALUE_INVALID; 1970 goto fail_cleanup; 1971 } 1972 break; 1973 1974 case CKA_DECRYPT: 1975 if (*(CK_BBOOL *)template[i].pValue) 1976 attr_mask |= DECRYPT_BOOL_ON; 1977 else 1978 attr_mask &= ~DECRYPT_BOOL_ON; 1979 break; 1980 1981 case CKA_SIGN: 1982 if (*(CK_BBOOL *)template[i].pValue) 1983 attr_mask |= SIGN_BOOL_ON; 1984 else 1985 attr_mask &= ~SIGN_BOOL_ON; 1986 break; 1987 1988 case CKA_SIGN_RECOVER: 1989 if (*(CK_BBOOL *)template[i].pValue) 1990 attr_mask |= SIGN_RECOVER_BOOL_ON; 1991 else 1992 attr_mask &= ~SIGN_RECOVER_BOOL_ON; 1993 break; 1994 1995 case CKA_UNWRAP: 1996 if (*(CK_BBOOL *)template[i].pValue) 1997 attr_mask |= UNWRAP_BOOL_ON; 1998 else 1999 attr_mask &= ~UNWRAP_BOOL_ON; 2000 break; 2001 2002 case CKA_EXTRACTABLE: 2003 if (*(CK_BBOOL *)template[i].pValue) 2004 attr_mask |= EXTRACTABLE_BOOL_ON; 2005 else 2006 attr_mask &= ~EXTRACTABLE_BOOL_ON; 2007 break; 2008 2009 case CKA_MODIFIABLE: 2010 if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE) 2011 attr_mask |= NOT_MODIFIABLE_BOOL_ON; 2012 break; 2013 2014 /* 2015 * The following key related attribute types must 2016 * be specified according to the key type by 2017 * C_CreateObject. 2018 */ 2019 case CKA_MODULUS: 2020 2021 isModulus = 1; 2022 /* 2023 * Copyin big integer attribute from template 2024 * to a local variable. 2025 */ 2026 rv = get_bigint_attr_from_template(&modulus, 2027 &template[i]); 2028 if (rv != CKR_OK) 2029 goto fail_cleanup; 2030 2031 /* 2032 * Modulus length needs to be between min key length and 2033 * max key length. 2034 */ 2035 if ((modulus.big_value_len < 2036 MIN_RSA_KEYLENGTH_IN_BYTES) || 2037 (modulus.big_value_len > 2038 MAX_RSA_KEYLENGTH_IN_BYTES)) { 2039 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2040 goto fail_cleanup; 2041 } 2042 break; 2043 2044 case CKA_PUBLIC_EXPONENT: 2045 2046 isPubExpo = 1; 2047 rv = get_bigint_attr_from_template(&pubexpo, 2048 &template[i]); 2049 if (rv != CKR_OK) 2050 goto fail_cleanup; 2051 break; 2052 2053 case CKA_PRIVATE_EXPONENT: 2054 2055 isPriExpo = 1; 2056 rv = get_bigint_attr_from_template(&priexpo, 2057 &template[i]); 2058 if (rv != CKR_OK) 2059 goto fail_cleanup; 2060 break; 2061 2062 case CKA_PRIME_1: 2063 isPrime1 = 1; 2064 rv = get_bigint_attr_from_template(&prime1, 2065 &template[i]); 2066 if (rv != CKR_OK) 2067 goto fail_cleanup; 2068 break; 2069 2070 case CKA_PRIME_2: 2071 isPrime2 = 1; 2072 rv = get_bigint_attr_from_template(&prime2, 2073 &template[i]); 2074 if (rv != CKR_OK) 2075 goto fail_cleanup; 2076 break; 2077 2078 case CKA_EXPONENT_1: 2079 isExpo1 = 1; 2080 rv = get_bigint_attr_from_template(&expo1, 2081 &template[i]); 2082 if (rv != CKR_OK) 2083 goto fail_cleanup; 2084 break; 2085 2086 case CKA_EXPONENT_2: 2087 isExpo2 = 1; 2088 rv = get_bigint_attr_from_template(&expo2, 2089 &template[i]); 2090 if (rv != CKR_OK) 2091 goto fail_cleanup; 2092 break; 2093 2094 case CKA_COEFFICIENT: 2095 isCoef = 1; 2096 rv = get_bigint_attr_from_template(&coef, 2097 &template[i]); 2098 if (rv != CKR_OK) 2099 goto fail_cleanup; 2100 break; 2101 2102 case CKA_PRIME: 2103 isPrime = 1; 2104 rv = get_bigint_attr_from_template(&prime, 2105 &template[i]); 2106 if (rv != CKR_OK) 2107 goto fail_cleanup; 2108 break; 2109 2110 case CKA_SUBPRIME: 2111 isSubprime = 1; 2112 rv = get_bigint_attr_from_template(&subprime, 2113 &template[i]); 2114 if (rv != CKR_OK) 2115 goto fail_cleanup; 2116 break; 2117 2118 case CKA_BASE: 2119 isBase = 1; 2120 rv = get_bigint_attr_from_template(&base, 2121 &template[i]); 2122 if (rv != CKR_OK) 2123 goto fail_cleanup; 2124 break; 2125 2126 case CKA_VALUE: 2127 isValue = 1; 2128 if (mode == SOFT_CREATE_OBJ) { 2129 if ((template[i].ulValueLen == 0) || 2130 (template[i].pValue == NULL)) { 2131 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2132 goto fail_cleanup; 2133 } 2134 } 2135 2136 rv = get_bigint_attr_from_template(&value, 2137 &template[i]); 2138 if (rv != CKR_OK) 2139 goto fail_cleanup; 2140 break; 2141 2142 case CKA_VALUE_BITS: 2143 isValueBits = 1; 2144 rv = get_ulong_attr_from_template(&value_bits, 2145 &template[i]); 2146 if (rv != CKR_OK) 2147 goto fail_cleanup; 2148 break; 2149 2150 case CKA_LABEL: 2151 isLabel = 1; 2152 rv = get_string_from_template(&string_tmp, 2153 &template[i]); 2154 if (rv != CKR_OK) 2155 goto fail_cleanup; 2156 break; 2157 2158 case CKA_EC_PARAMS: 2159 isECParam = 1; 2160 rv = get_string_from_template(¶m_tmp, 2161 &template[i]); 2162 if (rv != CKR_OK) 2163 goto fail_cleanup; 2164 break; 2165 2166 default: 2167 rv = soft_parse_common_attrs(&template[i], 2168 &object_type); 2169 if (rv != CKR_OK) 2170 goto fail_cleanup; 2171 break; 2172 2173 } 2174 } /* For */ 2175 2176 /* Allocate storage for Private Key Object. */ 2177 pvk = calloc(1, sizeof (private_key_obj_t)); 2178 if (pvk == NULL) { 2179 rv = CKR_HOST_MEMORY; 2180 goto fail_cleanup; 2181 } 2182 2183 new_object->object_class_u.private_key = pvk; 2184 new_object->class = CKO_PRIVATE_KEY; 2185 2186 if ((mode == SOFT_CREATE_OBJ) && (keytype == (CK_KEY_TYPE)~0UL)) { 2187 rv = CKR_TEMPLATE_INCOMPLETE; 2188 goto fail_cleanup; 2189 } 2190 2191 if (mode == SOFT_GEN_KEY) { 2192 /* 2193 * The key type is not specified in the application's 2194 * template, so we use the implied key type based on 2195 * the mechanism. 2196 */ 2197 if (keytype == (CK_KEY_TYPE)~0UL) { 2198 keytype = key_type; 2199 } 2200 2201 /* If still unspecified, template is incomplete */ 2202 if (keytype == (CK_KEY_TYPE)~0UL) { 2203 rv = CKR_TEMPLATE_INCOMPLETE; 2204 goto fail_cleanup; 2205 } 2206 2207 /* 2208 * The key type specified in the template does not 2209 * match the implied key type based on the mechanism. 2210 */ 2211 if (keytype != key_type) { 2212 rv = CKR_TEMPLATE_INCONSISTENT; 2213 goto fail_cleanup; 2214 } 2215 } 2216 2217 if (mode == SOFT_UNWRAP_KEY) { 2218 /* 2219 * Note that, for mode SOFT_UNWRAP_KEY, key type is not 2220 * implied by the mechanism (key_type), so if it is not 2221 * specified from the attribute template (keytype), it is 2222 * incomplete. 2223 */ 2224 if (keytype == (CK_KEY_TYPE)~0UL) { 2225 rv = CKR_TEMPLATE_INCOMPLETE; 2226 goto fail_cleanup; 2227 } 2228 } 2229 2230 new_object->key_type = keytype; 2231 2232 /* Supported key types of the Private Key Object */ 2233 switch (keytype) { 2234 case CKK_RSA: 2235 if (isPrime || isSubprime || isBase || isValue || 2236 isValueBits) { 2237 rv = CKR_TEMPLATE_INCONSISTENT; 2238 goto fail_cleanup; 2239 } 2240 2241 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) { 2242 if (isModulus || isPubExpo || isPriExpo || isPrime1 || 2243 isPrime2 || isExpo1 || isExpo2 || isCoef) { 2244 rv = CKR_TEMPLATE_INCONSISTENT; 2245 goto fail_cleanup; 2246 } else 2247 break; 2248 } 2249 2250 if (isModulus && isPriExpo) { 2251 /* 2252 * Copy big integer attribute value to the 2253 * designated place in the Private Key object. 2254 */ 2255 copy_bigint_attr(&modulus, KEY_PRI_RSA_MOD(pvk)); 2256 2257 copy_bigint_attr(&priexpo, KEY_PRI_RSA_PRIEXPO(pvk)); 2258 } else { 2259 rv = CKR_TEMPLATE_INCOMPLETE; 2260 goto fail_cleanup; 2261 } 2262 2263 /* The following attributes are optional. */ 2264 if (isPubExpo) { 2265 copy_bigint_attr(&pubexpo, KEY_PRI_RSA_PUBEXPO(pvk)); 2266 } 2267 2268 if (isPrime1) { 2269 copy_bigint_attr(&prime1, KEY_PRI_RSA_PRIME1(pvk)); 2270 } 2271 2272 if (isPrime2) { 2273 copy_bigint_attr(&prime2, KEY_PRI_RSA_PRIME2(pvk)); 2274 } 2275 2276 if (isExpo1) { 2277 copy_bigint_attr(&expo1, KEY_PRI_RSA_EXPO1(pvk)); 2278 } 2279 2280 if (isExpo2) { 2281 copy_bigint_attr(&expo2, KEY_PRI_RSA_EXPO2(pvk)); 2282 } 2283 2284 if (isCoef) { 2285 copy_bigint_attr(&coef, KEY_PRI_RSA_COEF(pvk)); 2286 } 2287 break; 2288 2289 case CKK_DSA: 2290 if (isModulus || isPubExpo || isPriExpo || isPrime1 || 2291 isPrime2 || isExpo1 || isExpo2 || isCoef || 2292 isValueBits) { 2293 rv = CKR_TEMPLATE_INCONSISTENT; 2294 goto fail_cleanup; 2295 } 2296 2297 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) { 2298 if (isPrime || isSubprime || isBase || isValue) { 2299 rv = CKR_TEMPLATE_INCONSISTENT; 2300 goto fail_cleanup; 2301 } else 2302 break; 2303 } 2304 2305 if (isPrime && isSubprime && isBase && isValue) { 2306 /* 2307 * The private value x must be less than subprime q. 2308 * Size for big_init is in BIG_CHUNK_TYPE words. 2309 */ 2310 #ifdef __sparcv9 2311 if (big_init(&x, 2312 (int)CHARLEN2BIGNUMLEN(value.big_value_len)) 2313 != BIG_OK) { 2314 #else /* !__sparcv9 */ 2315 if (big_init(&x, 2316 CHARLEN2BIGNUMLEN(value.big_value_len)) 2317 != BIG_OK) { 2318 #endif /* __sparcv9 */ 2319 rv = CKR_HOST_MEMORY; 2320 goto fail_cleanup; 2321 } 2322 #ifdef __sparcv9 2323 if (big_init(&q, 2324 (int)CHARLEN2BIGNUMLEN(subprime.big_value_len)) 2325 != BIG_OK) { 2326 #else /* !__sparcv9 */ 2327 if (big_init(&q, 2328 CHARLEN2BIGNUMLEN(subprime.big_value_len)) 2329 != BIG_OK) { 2330 #endif /* __sparcv9 */ 2331 rv = CKR_HOST_MEMORY; 2332 goto fail_cleanup; 2333 } 2334 bytestring2bignum(&x, value.big_value, 2335 value.big_value_len); 2336 bytestring2bignum(&q, subprime.big_value, 2337 subprime.big_value_len); 2338 2339 if (big_cmp_abs(&x, &q) > 0) { 2340 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2341 goto fail_cleanup; 2342 } 2343 2344 copy_bigint_attr(&prime, KEY_PRI_DSA_PRIME(pvk)); 2345 2346 copy_bigint_attr(&subprime, KEY_PRI_DSA_SUBPRIME(pvk)); 2347 2348 copy_bigint_attr(&base, KEY_PRI_DSA_BASE(pvk)); 2349 2350 copy_bigint_attr(&value, KEY_PRI_DSA_VALUE(pvk)); 2351 } else { 2352 rv = CKR_TEMPLATE_INCOMPLETE; 2353 goto fail_cleanup; 2354 } 2355 break; 2356 2357 case CKK_DH: 2358 if (isModulus || isPubExpo || isPriExpo || isPrime1 || 2359 isPrime2 || isExpo1 || isExpo2 || isCoef || 2360 isSubprime) { 2361 rv = CKR_TEMPLATE_INCONSISTENT; 2362 goto fail_cleanup; 2363 } 2364 2365 /* CKA_VALUE_BITS is for key gen but not unwrap */ 2366 if (mode == SOFT_GEN_KEY) 2367 KEY_PRI_DH_VAL_BITS(pvk) = (isValueBits) ? 2368 value_bits : 0; 2369 else if (mode == SOFT_UNWRAP_KEY) { 2370 if (isValueBits) { 2371 rv = CKR_TEMPLATE_INCONSISTENT; 2372 goto fail_cleanup; 2373 } 2374 } 2375 2376 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) { 2377 if (isPrime || isBase || isValue) { 2378 rv = CKR_TEMPLATE_INCONSISTENT; 2379 goto fail_cleanup; 2380 } else 2381 break; 2382 } 2383 2384 if (isValueBits) { 2385 rv = CKR_TEMPLATE_INCONSISTENT; 2386 goto fail_cleanup; 2387 } 2388 2389 if (isPrime && isBase && isValue) { 2390 copy_bigint_attr(&prime, KEY_PRI_DH_PRIME(pvk)); 2391 2392 copy_bigint_attr(&base, KEY_PRI_DH_BASE(pvk)); 2393 2394 copy_bigint_attr(&value, KEY_PRI_DH_VALUE(pvk)); 2395 } else { 2396 rv = CKR_TEMPLATE_INCOMPLETE; 2397 goto fail_cleanup; 2398 } 2399 break; 2400 2401 case CKK_X9_42_DH: 2402 if (isModulus || isPubExpo || isPriExpo || isPrime1 || 2403 isPrime2 || isExpo1 || isExpo2 || isCoef || 2404 isValueBits) { 2405 rv = CKR_TEMPLATE_INCONSISTENT; 2406 goto fail_cleanup; 2407 } 2408 2409 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) { 2410 if (isPrime || isSubprime || isBase || isValue) { 2411 rv = CKR_TEMPLATE_INCONSISTENT; 2412 goto fail_cleanup; 2413 } else 2414 break; 2415 } 2416 2417 if (isPrime && isSubprime && isBase && isValue) { 2418 copy_bigint_attr(&prime, KEY_PRI_DH942_PRIME(pvk)); 2419 2420 copy_bigint_attr(&base, KEY_PRI_DH942_BASE(pvk)); 2421 2422 copy_bigint_attr(&subprime, 2423 KEY_PRI_DH942_SUBPRIME(pvk)); 2424 2425 copy_bigint_attr(&value, KEY_PRI_DH942_VALUE(pvk)); 2426 } else { 2427 rv = CKR_TEMPLATE_INCOMPLETE; 2428 goto fail_cleanup; 2429 } 2430 break; 2431 2432 case CKK_EC: 2433 if (isModulus || isPubExpo || isPrime || 2434 isPrime1 || isPrime2 || isExpo1 || isExpo2 || isCoef || 2435 isValueBits || isBase) { 2436 rv = CKR_TEMPLATE_INCONSISTENT; 2437 goto fail_cleanup; 2438 2439 } else if (isECParam) { 2440 rv = soft_add_extra_attr(¶m_tmp, new_object); 2441 if (rv != CKR_OK) 2442 goto fail_cleanup; 2443 string_attr_cleanup(¶m_tmp); 2444 } 2445 if (isValue) { 2446 copy_bigint_attr(&value, KEY_PRI_EC_VALUE(pvk)); 2447 } 2448 break; 2449 2450 default: 2451 rv = CKR_TEMPLATE_INCONSISTENT; 2452 goto fail_cleanup; 2453 } 2454 2455 /* Set up object. */ 2456 new_object->object_type = object_type; 2457 new_object->bool_attr_mask = attr_mask; 2458 if (isLabel) { 2459 rv = soft_add_extra_attr(&string_tmp, new_object); 2460 if (rv != CKR_OK) 2461 goto fail_cleanup; 2462 string_attr_cleanup(&string_tmp); 2463 } 2464 big_finish(&x); 2465 big_finish(&q); 2466 2467 return (rv); 2468 2469 fail_cleanup: 2470 /* 2471 * cleanup the storage allocated to the local variables. 2472 */ 2473 bigint_attr_cleanup(&modulus); 2474 bigint_attr_cleanup(&priexpo); 2475 bigint_attr_cleanup(&prime); 2476 bigint_attr_cleanup(&subprime); 2477 bigint_attr_cleanup(&base); 2478 bigint_attr_cleanup(&value); 2479 bigint_attr_cleanup(&pubexpo); 2480 bigint_attr_cleanup(&prime1); 2481 bigint_attr_cleanup(&prime2); 2482 bigint_attr_cleanup(&expo1); 2483 bigint_attr_cleanup(&expo2); 2484 bigint_attr_cleanup(&coef); 2485 string_attr_cleanup(&string_tmp); 2486 string_attr_cleanup(¶m_tmp); 2487 big_finish(&x); 2488 big_finish(&q); 2489 2490 /* 2491 * cleanup the storage allocated inside the object itself. 2492 */ 2493 soft_cleanup_object(new_object); 2494 2495 return (rv); 2496 } 2497 2498 2499 /* 2500 * Build a Secret Key Object. 2501 * 2502 * - Parse the object's template, and when an error is detected such as 2503 * invalid attribute type, invalid attribute value, etc., return 2504 * with appropriate return value. 2505 * - Set up attribute mask field in the object for the supplied common 2506 * attributes that have boolean type. 2507 * - Build the attribute_info struct to hold the value of each supplied 2508 * attribute that has byte array type. Link attribute_info structs 2509 * together to form the extra attribute list of the object. 2510 * - Allocate storage for the Secret Key object. 2511 * - Build the Secret Key object. Allocate storage to hold the big integer 2512 * value for the attribute CKA_VALUE that is required for all the key 2513 * types supported by secret key object. 2514 * This function is called internally with mode = SOFT_CREATE_OBJ_INT. 2515 * 2516 */ 2517 CK_RV 2518 soft_build_secret_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 2519 soft_object_t *new_object, CK_ULONG mode, CK_ULONG key_len, 2520 CK_KEY_TYPE key_type) 2521 { 2522 2523 ulong_t i; 2524 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL; 2525 uint64_t attr_mask = SECRET_KEY_DEFAULT; 2526 CK_RV rv = CKR_OK; 2527 int isLabel = 0; 2528 /* Must set flags if mode != SOFT_UNWRAP_KEY, else must not set */ 2529 int isValue = 0; 2530 /* Must not set flags if mode != SOFT_UNWRAP_KEY, else optional */ 2531 int isValueLen = 0; 2532 2533 CK_ATTRIBUTE string_tmp; 2534 2535 secret_key_obj_t *sck; 2536 uchar_t object_type = 0; 2537 2538 string_tmp.pValue = NULL; 2539 2540 /* Allocate storage for Secret Key Object. */ 2541 sck = calloc(1, sizeof (secret_key_obj_t)); 2542 if (sck == NULL) { 2543 rv = CKR_HOST_MEMORY; 2544 goto fail_cleanup; 2545 } 2546 2547 new_object->object_class_u.secret_key = sck; 2548 new_object->class = CKO_SECRET_KEY; 2549 2550 for (i = 0; i < ulAttrNum; i++) { 2551 2552 /* Secret Key Object Attributes */ 2553 switch (template[i].type) { 2554 2555 /* common key attributes */ 2556 case CKA_KEY_TYPE: 2557 keytype = *((CK_KEY_TYPE*)template[i].pValue); 2558 break; 2559 2560 case CKA_ID: 2561 case CKA_START_DATE: 2562 case CKA_END_DATE: 2563 /* 2564 * Allocate storage to hold the attribute 2565 * value with byte array type, and add it to 2566 * the extra attribute list of the object. 2567 */ 2568 rv = soft_add_extra_attr(&template[i], 2569 new_object); 2570 if (rv != CKR_OK) { 2571 goto fail_cleanup; 2572 } 2573 break; 2574 2575 /* 2576 * The following key related attribute types must 2577 * not be specified by C_CreateObject and C_GenerateKey. 2578 */ 2579 case CKA_LOCAL: 2580 case CKA_KEY_GEN_MECHANISM: 2581 case CKA_ALWAYS_SENSITIVE: 2582 case CKA_NEVER_EXTRACTABLE: 2583 rv = CKR_TEMPLATE_INCONSISTENT; 2584 goto fail_cleanup; 2585 2586 /* Key related boolean attributes */ 2587 case CKA_DERIVE: 2588 if (*(CK_BBOOL *)template[i].pValue) 2589 attr_mask |= DERIVE_BOOL_ON; 2590 break; 2591 2592 case CKA_SENSITIVE: 2593 if (*(CK_BBOOL *)template[i].pValue) 2594 attr_mask |= SENSITIVE_BOOL_ON; 2595 break; 2596 2597 case CKA_ENCRYPT: 2598 if (*(CK_BBOOL *)template[i].pValue) 2599 attr_mask |= ENCRYPT_BOOL_ON; 2600 else 2601 attr_mask &= ~ENCRYPT_BOOL_ON; 2602 break; 2603 2604 case CKA_DECRYPT: 2605 if (*(CK_BBOOL *)template[i].pValue) 2606 attr_mask |= DECRYPT_BOOL_ON; 2607 else 2608 attr_mask &= ~DECRYPT_BOOL_ON; 2609 break; 2610 2611 case CKA_SIGN: 2612 if (*(CK_BBOOL *)template[i].pValue) 2613 attr_mask |= SIGN_BOOL_ON; 2614 else 2615 attr_mask &= ~SIGN_BOOL_ON; 2616 break; 2617 2618 case CKA_VERIFY: 2619 if (*(CK_BBOOL *)template[i].pValue) 2620 attr_mask |= VERIFY_BOOL_ON; 2621 else 2622 attr_mask &= ~VERIFY_BOOL_ON; 2623 break; 2624 2625 case CKA_WRAP: 2626 if (*(CK_BBOOL *)template[i].pValue) 2627 attr_mask |= WRAP_BOOL_ON; 2628 else 2629 attr_mask &= ~WRAP_BOOL_ON; 2630 break; 2631 2632 case CKA_UNWRAP: 2633 if (*(CK_BBOOL *)template[i].pValue) 2634 attr_mask |= UNWRAP_BOOL_ON; 2635 else 2636 attr_mask &= ~UNWRAP_BOOL_ON; 2637 break; 2638 2639 case CKA_EXTRACTABLE: 2640 if (*(CK_BBOOL *)template[i].pValue) 2641 attr_mask |= EXTRACTABLE_BOOL_ON; 2642 else 2643 attr_mask &= ~EXTRACTABLE_BOOL_ON; 2644 break; 2645 2646 case CKA_MODIFIABLE: 2647 if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE) 2648 attr_mask |= NOT_MODIFIABLE_BOOL_ON; 2649 break; 2650 2651 case CKA_VALUE: 2652 isValue = 1; 2653 if (mode == SOFT_CREATE_OBJ) { 2654 if ((template[i].ulValueLen == 0) || 2655 (template[i].pValue == NULL)) { 2656 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2657 goto fail_cleanup; 2658 } 2659 } 2660 2661 /* 2662 * Copyin attribute from template 2663 * to a local variable. 2664 */ 2665 rv = get_bigint_attr_from_template((biginteger_t *)sck, 2666 &template[i]); 2667 if (rv != CKR_OK) 2668 goto fail_cleanup; 2669 break; 2670 2671 case CKA_VALUE_LEN: 2672 isValueLen = 1; 2673 rv = get_ulong_attr_from_template(&sck->sk_value_len, 2674 &template[i]); 2675 if (rv != CKR_OK) 2676 goto fail_cleanup; 2677 break; 2678 2679 case CKA_LABEL: 2680 isLabel = 1; 2681 rv = get_string_from_template(&string_tmp, 2682 &template[i]); 2683 if (rv != CKR_OK) 2684 goto fail_cleanup; 2685 break; 2686 2687 default: 2688 rv = soft_parse_common_attrs(&template[i], 2689 &object_type); 2690 if (rv != CKR_OK) 2691 goto fail_cleanup; 2692 break; 2693 2694 } 2695 } /* For */ 2696 2697 switch (mode) { 2698 case SOFT_CREATE_OBJ: 2699 case SOFT_CREATE_OBJ_INT: 2700 case SOFT_DERIVE_KEY_DH: 2701 /* 2702 * The key type must be specified in the application's 2703 * template. Otherwise, returns error. 2704 */ 2705 if (keytype == (CK_KEY_TYPE)~0UL) { 2706 rv = CKR_TEMPLATE_INCOMPLETE; 2707 goto fail_cleanup; 2708 } 2709 break; 2710 2711 case SOFT_GEN_KEY: 2712 if (keytype == (CK_KEY_TYPE)~0UL) { 2713 /* 2714 * The key type is not specified in the application's 2715 * template, so we use the implied key type based on 2716 * the mechanism. 2717 */ 2718 keytype = key_type; 2719 } else { 2720 if (keytype != key_type) { 2721 /* 2722 * The key type specified in the template 2723 * does not match the implied key type based 2724 * on the mechanism. 2725 */ 2726 rv = CKR_TEMPLATE_INCONSISTENT; 2727 goto fail_cleanup; 2728 } 2729 } 2730 2731 /* 2732 * If a key_len is passed as a parameter, it has to 2733 * match the one found in the template. 2734 */ 2735 if (key_len > 0) { 2736 if (isValueLen && sck->sk_value_len != key_len) { 2737 rv = CKR_TEMPLATE_INCONSISTENT; 2738 goto fail_cleanup; 2739 } 2740 isValueLen = 1; 2741 sck->sk_value_len = key_len; 2742 } 2743 break; 2744 2745 case SOFT_UNWRAP_KEY: 2746 /* 2747 * Note that, for mode SOFT_UNWRAP_KEY, key type is not 2748 * implied by the mechanism (key_type), so if it is not 2749 * specified from the attribute template (keytype), it is 2750 * incomplete. 2751 */ 2752 if (keytype == (CK_KEY_TYPE)~0UL) { 2753 rv = CKR_TEMPLATE_INCOMPLETE; 2754 goto fail_cleanup; 2755 } 2756 break; 2757 2758 case SOFT_DERIVE_KEY_OTHER: 2759 /* 2760 * For CKM_MD5_KEY_DERIVATION & CKM_SHA1_KEY_DERIVATION, the 2761 * key type is optional. 2762 */ 2763 if (keytype == (CK_KEY_TYPE)~0UL) { 2764 keytype = key_type; 2765 } 2766 break; 2767 } 2768 2769 switch (mode) { 2770 case SOFT_CREATE_OBJ: 2771 case SOFT_CREATE_OBJ_INT: 2772 switch (keytype) { 2773 case CKK_RC4: 2774 if (!isValue) { 2775 rv = CKR_TEMPLATE_INCOMPLETE; 2776 goto fail_cleanup; 2777 } 2778 if ((sck->sk_value_len < ARCFOUR_MIN_KEY_BYTES) || 2779 (sck->sk_value_len > ARCFOUR_MAX_KEY_BYTES)) { 2780 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2781 goto fail_cleanup; 2782 } 2783 break; 2784 2785 case CKK_GENERIC_SECRET: 2786 if (!isValue) { 2787 rv = CKR_TEMPLATE_INCOMPLETE; 2788 goto fail_cleanup; 2789 } 2790 break; 2791 2792 case CKK_AES: 2793 if (!isValue) { 2794 rv = CKR_TEMPLATE_INCOMPLETE; 2795 goto fail_cleanup; 2796 } 2797 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) && 2798 (sck->sk_value_len != AES_192_KEY_BYTES) && 2799 (sck->sk_value_len != AES_MAX_KEY_BYTES)) { 2800 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2801 goto fail_cleanup; 2802 } 2803 break; 2804 2805 case CKK_BLOWFISH: 2806 if (!isValue) { 2807 rv = CKR_TEMPLATE_INCOMPLETE; 2808 goto fail_cleanup; 2809 } 2810 if ((sck->sk_value_len < BLOWFISH_MINBYTES) || 2811 (sck->sk_value_len > BLOWFISH_MAXBYTES)) { 2812 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2813 goto fail_cleanup; 2814 } 2815 2816 break; 2817 2818 case CKK_DES: 2819 if (!isValue) { 2820 rv = CKR_TEMPLATE_INCOMPLETE; 2821 goto fail_cleanup; 2822 } 2823 if (sck->sk_value_len != DES_KEYSIZE) { 2824 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2825 goto fail_cleanup; 2826 } 2827 break; 2828 2829 case CKK_DES2: 2830 if (!isValue) { 2831 rv = CKR_TEMPLATE_INCOMPLETE; 2832 goto fail_cleanup; 2833 } 2834 if (sck->sk_value_len != DES2_KEYSIZE) { 2835 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2836 goto fail_cleanup; 2837 } 2838 break; 2839 2840 case CKK_DES3: 2841 if (!isValue) { 2842 rv = CKR_TEMPLATE_INCOMPLETE; 2843 goto fail_cleanup; 2844 } 2845 if (sck->sk_value_len != DES3_KEYSIZE) { 2846 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2847 goto fail_cleanup; 2848 } 2849 break; 2850 2851 default: 2852 rv = CKR_TEMPLATE_INCONSISTENT; 2853 goto fail_cleanup; 2854 } 2855 2856 if (isValueLen) { 2857 /* 2858 * Templates for internal object creation come from 2859 * applications calls to C_DeriveKey(), for which it 2860 * is OKey to pass a CKA_VALUE_LEN attribute, as 2861 * long as it does not conflict with the length of the 2862 * CKA_VALUE attribute. 2863 */ 2864 if ((mode != SOFT_CREATE_OBJ_INT) || 2865 ((key_len > 0) && sck->sk_value_len != key_len)) { 2866 rv = CKR_TEMPLATE_INCONSISTENT; 2867 goto fail_cleanup; 2868 } 2869 } 2870 break; 2871 2872 case SOFT_GEN_KEY: 2873 /* CKA_VALUE must not be specified */ 2874 if (isValue) { 2875 rv = CKR_TEMPLATE_INCONSISTENT; 2876 goto fail_cleanup; 2877 } 2878 2879 switch (keytype) { 2880 /* 2881 * CKA_VALUE_LEN must be specified by C_GenerateKey 2882 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET. 2883 */ 2884 case CKK_RC4: 2885 if (!isValueLen) { 2886 rv = CKR_TEMPLATE_INCOMPLETE; 2887 goto fail_cleanup; 2888 } 2889 ; 2890 if ((sck->sk_value_len < ARCFOUR_MIN_KEY_BYTES) || 2891 (sck->sk_value_len > ARCFOUR_MAX_KEY_BYTES)) { 2892 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2893 goto fail_cleanup; 2894 } 2895 break; 2896 2897 case CKK_GENERIC_SECRET: 2898 /* arbitrary key length - no length checking */ 2899 if (!isValueLen) { 2900 rv = CKR_TEMPLATE_INCOMPLETE; 2901 goto fail_cleanup; 2902 } 2903 break; 2904 2905 case CKK_AES: 2906 if (!isValueLen) { 2907 rv = CKR_TEMPLATE_INCOMPLETE; 2908 goto fail_cleanup; 2909 } 2910 2911 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) && 2912 (sck->sk_value_len != AES_192_KEY_BYTES) && 2913 (sck->sk_value_len != AES_MAX_KEY_BYTES)) { 2914 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2915 goto fail_cleanup; 2916 } 2917 2918 break; 2919 2920 case CKK_BLOWFISH: 2921 if (!isValueLen) { 2922 rv = CKR_TEMPLATE_INCOMPLETE; 2923 goto fail_cleanup; 2924 } 2925 if ((sck->sk_value_len < BLOWFISH_MINBYTES) || 2926 (sck->sk_value_len > BLOWFISH_MAXBYTES)) { 2927 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2928 goto fail_cleanup; 2929 } 2930 2931 break; 2932 2933 case CKK_DES: 2934 case CKK_DES2: 2935 case CKK_DES3: 2936 /* CKA_VALUE_LEN attribute does not apply to DES<n> */ 2937 if (isValueLen) { 2938 rv = CKR_TEMPLATE_INCONSISTENT; 2939 goto fail_cleanup; 2940 } 2941 break; 2942 2943 default: 2944 rv = CKR_TEMPLATE_INCONSISTENT; 2945 goto fail_cleanup; 2946 } 2947 break; 2948 2949 case SOFT_UNWRAP_KEY: 2950 /* 2951 * According to v2.11 of PKCS#11 spec, neither CKA_VALUE nor 2952 * CKA_VALUE_LEN can be be specified; however v2.20 has this 2953 * restriction removed, perhaps because it makes it hard to 2954 * determine variable-length key sizes. This case statement 2955 * complied with v2.20. 2956 */ 2957 if (isValue) { 2958 rv = CKR_TEMPLATE_INCONSISTENT; 2959 goto fail_cleanup; 2960 } 2961 2962 switch (keytype) { 2963 /* 2964 * CKA_VALUE_LEN is optional 2965 * if key is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET 2966 * and the unwrapping mech is *_CBC_PAD. 2967 * 2968 * CKA_VALUE_LEN is required 2969 * if key is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET 2970 * and the unwrapping mech is *_ECB or *_CBC. 2971 * 2972 * since mech is not known at this point, CKA_VALUE_LEN is 2973 * treated as optional and the caller needs to enforce it. 2974 */ 2975 case CKK_RC4: 2976 if (isValueLen) { 2977 if ((sck->sk_value_len < 2978 ARCFOUR_MIN_KEY_BYTES) || 2979 (sck->sk_value_len > 2980 ARCFOUR_MAX_KEY_BYTES)) { 2981 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2982 goto fail_cleanup; 2983 } 2984 } 2985 break; 2986 2987 case CKK_GENERIC_SECRET: 2988 /* arbitrary key length - no length checking */ 2989 break; 2990 2991 case CKK_AES: 2992 if (isValueLen) { 2993 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) && 2994 (sck->sk_value_len != AES_192_KEY_BYTES) && 2995 (sck->sk_value_len != AES_MAX_KEY_BYTES)) { 2996 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2997 goto fail_cleanup; 2998 } 2999 } 3000 break; 3001 3002 case CKK_BLOWFISH: 3003 if (isValueLen && 3004 ((sck->sk_value_len < BLOWFISH_MINBYTES) || 3005 (sck->sk_value_len > BLOWFISH_MAXBYTES))) { 3006 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3007 goto fail_cleanup; 3008 } 3009 break; 3010 3011 case CKK_DES: 3012 case CKK_DES2: 3013 case CKK_DES3: 3014 /* CKA_VALUE_LEN attribute does not apply to DES<n> */ 3015 if (isValueLen) { 3016 rv = CKR_TEMPLATE_INCONSISTENT; 3017 goto fail_cleanup; 3018 } 3019 break; 3020 3021 default: 3022 rv = CKR_TEMPLATE_INCONSISTENT; 3023 goto fail_cleanup; 3024 } 3025 break; 3026 3027 case SOFT_DERIVE_KEY_DH: 3028 /* CKA_VALUE must not be specified */ 3029 if (isValue) { 3030 rv = CKR_TEMPLATE_INCONSISTENT; 3031 goto fail_cleanup; 3032 } 3033 3034 switch (keytype) { 3035 /* 3036 * CKA_VALUE_LEN is optional 3037 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET. 3038 */ 3039 case CKK_RC4: 3040 if (isValueLen) { 3041 if ((sck->sk_value_len < 3042 ARCFOUR_MIN_KEY_BYTES) || 3043 (sck->sk_value_len > 3044 ARCFOUR_MAX_KEY_BYTES)) { 3045 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3046 goto fail_cleanup; 3047 } 3048 } 3049 break; 3050 3051 case CKK_GENERIC_SECRET: 3052 /* arbitrary key length - no length checking */ 3053 break; 3054 3055 case CKK_AES: 3056 if (isValueLen) { 3057 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) && 3058 (sck->sk_value_len != AES_192_KEY_BYTES) && 3059 (sck->sk_value_len != AES_MAX_KEY_BYTES)) { 3060 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3061 goto fail_cleanup; 3062 } 3063 } 3064 3065 break; 3066 3067 case CKK_BLOWFISH: 3068 if (isValueLen && 3069 ((sck->sk_value_len < BLOWFISH_MINBYTES) || 3070 (sck->sk_value_len > BLOWFISH_MAXBYTES))) { 3071 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3072 goto fail_cleanup; 3073 } 3074 break; 3075 3076 case CKK_DES: 3077 case CKK_DES2: 3078 case CKK_DES3: 3079 /* CKA_VALUE_LEN attribute does not apply to DES<n> */ 3080 if (isValueLen) { 3081 rv = CKR_TEMPLATE_INCONSISTENT; 3082 goto fail_cleanup; 3083 } 3084 break; 3085 3086 default: 3087 rv = CKR_TEMPLATE_INCONSISTENT; 3088 goto fail_cleanup; 3089 } 3090 break; 3091 3092 case SOFT_DERIVE_KEY_OTHER: 3093 /* CKA_VALUE must not be specified */ 3094 if (isValue) { 3095 rv = CKR_TEMPLATE_INCONSISTENT; 3096 goto fail_cleanup; 3097 } 3098 3099 switch (keytype) { 3100 /* 3101 * CKA_VALUE_LEN is an optional attribute for 3102 * CKM_SHA1_KEY_DERIVATION and CKM_MD5_KEY_DERIVATION 3103 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET. 3104 */ 3105 case CKK_RC4: 3106 case CKK_GENERIC_SECRET: 3107 case CKK_AES: 3108 case CKK_BLOWFISH: 3109 /* 3110 * No need to check key length value here, it will be 3111 * validated later in soft_key_derive_check_length(). 3112 */ 3113 break; 3114 3115 case CKK_DES: 3116 case CKK_DES2: 3117 case CKK_DES3: 3118 /* CKA_VALUE_LEN attribute does not apply to DES<n> */ 3119 if (isValueLen) { 3120 rv = CKR_TEMPLATE_INCONSISTENT; 3121 goto fail_cleanup; 3122 } 3123 break; 3124 3125 default: 3126 rv = CKR_TEMPLATE_INCONSISTENT; 3127 goto fail_cleanup; 3128 } 3129 break; 3130 } 3131 3132 /* Set up object. */ 3133 new_object->key_type = keytype; 3134 new_object->object_type = object_type; 3135 new_object->bool_attr_mask = attr_mask; 3136 if (isLabel) { 3137 rv = soft_add_extra_attr(&string_tmp, new_object); 3138 if (rv != CKR_OK) 3139 goto fail_cleanup; 3140 string_attr_cleanup(&string_tmp); 3141 } 3142 return (rv); 3143 3144 fail_cleanup: 3145 /* 3146 * cleanup the storage allocated to the local variables. 3147 */ 3148 bigint_attr_cleanup((biginteger_t *)sck); 3149 string_attr_cleanup(&string_tmp); 3150 3151 /* 3152 * cleanup the storage allocated inside the object itself. 3153 */ 3154 soft_cleanup_object(new_object); 3155 3156 return (rv); 3157 } 3158 3159 3160 /* 3161 * Build a Domain Parameter Object. 3162 * 3163 * - Parse the object's template, and when an error is detected such as 3164 * invalid attribute type, invalid attribute value, etc., return 3165 * with appropriate return value. 3166 * - Allocate storage for the Domain Parameter object. 3167 * - Build the Domain Parameter object according to the key type. Allocate 3168 * storage to hold the big integer value for the supplied attributes 3169 * that are required for a certain key type. 3170 * 3171 */ 3172 CK_RV 3173 soft_build_domain_parameters_object(CK_ATTRIBUTE_PTR template, 3174 CK_ULONG ulAttrNum, soft_object_t *new_object) 3175 { 3176 3177 ulong_t i; 3178 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL; 3179 CK_RV rv = CKR_OK; 3180 int isLabel = 0; 3181 /* Must set flags */ 3182 int isPrime = 0; 3183 int isSubprime = 0; 3184 int isBase = 0; 3185 /* Must not set flags */ 3186 int isPrimeBits = 0; 3187 int isSubPrimeBits = 0; 3188 3189 biginteger_t prime; 3190 biginteger_t subprime; 3191 biginteger_t base; 3192 CK_ATTRIBUTE string_tmp; 3193 3194 domain_obj_t *dom; 3195 uchar_t object_type = 0; 3196 3197 /* prevent bigint_attr_cleanup from freeing invalid attr value */ 3198 (void) memset(&prime, 0x0, sizeof (biginteger_t)); 3199 (void) memset(&subprime, 0x0, sizeof (biginteger_t)); 3200 (void) memset(&base, 0x0, sizeof (biginteger_t)); 3201 string_tmp.pValue = NULL; 3202 3203 for (i = 0; i < ulAttrNum; i++) { 3204 3205 /* Domain Parameters Object Attributes */ 3206 switch (template[i].type) { 3207 3208 /* common domain parameter attribute */ 3209 case CKA_KEY_TYPE: 3210 keytype = *((CK_KEY_TYPE*)template[i].pValue); 3211 break; 3212 3213 /* 3214 * The following common domain parameter attribute 3215 * must not be specified by C_CreateObject. 3216 */ 3217 case CKA_LOCAL: 3218 rv = CKR_TEMPLATE_INCONSISTENT; 3219 goto fail_cleanup; 3220 3221 /* 3222 * The following domain parameter attributes must be 3223 * specified according to the key type by 3224 * C_CreateObject. 3225 */ 3226 case CKA_PRIME: 3227 isPrime = 1; 3228 /* 3229 * Copyin big integer attribute from template 3230 * to a local variable. 3231 */ 3232 rv = get_bigint_attr_from_template(&prime, 3233 &template[i]); 3234 if (rv != CKR_OK) 3235 goto fail_cleanup; 3236 break; 3237 3238 case CKA_SUBPRIME: 3239 isSubprime = 1; 3240 rv = get_bigint_attr_from_template(&subprime, 3241 &template[i]); 3242 if (rv != CKR_OK) 3243 goto fail_cleanup; 3244 break; 3245 3246 case CKA_BASE: 3247 isBase = 1; 3248 rv = get_bigint_attr_from_template(&base, 3249 &template[i]); 3250 if (rv != CKR_OK) 3251 goto fail_cleanup; 3252 break; 3253 3254 case CKA_PRIME_BITS: 3255 isPrimeBits = 1; 3256 break; 3257 3258 case CKA_SUB_PRIME_BITS: 3259 isSubPrimeBits = 1; 3260 break; 3261 3262 case CKA_LABEL: 3263 isLabel = 1; 3264 rv = get_string_from_template(&string_tmp, 3265 &template[i]); 3266 if (rv != CKR_OK) 3267 goto fail_cleanup; 3268 break; 3269 3270 default: 3271 rv = soft_parse_common_attrs(&template[i], 3272 &object_type); 3273 if (rv != CKR_OK) 3274 goto fail_cleanup; 3275 break; 3276 3277 } 3278 } /* For */ 3279 3280 /* Allocate storage for Domain Parameters Object. */ 3281 dom = calloc(1, sizeof (domain_obj_t)); 3282 if (dom == NULL) { 3283 rv = CKR_HOST_MEMORY; 3284 goto fail_cleanup; 3285 } 3286 3287 new_object->object_class_u.domain = dom; 3288 new_object->class = CKO_DOMAIN_PARAMETERS; 3289 3290 if (keytype == (CK_KEY_TYPE)~0UL) { 3291 rv = CKR_TEMPLATE_INCOMPLETE; 3292 goto fail_cleanup; 3293 } 3294 3295 new_object->key_type = keytype; 3296 3297 /* Supported key types of the Domain Parameters Object */ 3298 switch (keytype) { 3299 case CKK_DSA: 3300 if (isPrimeBits || isSubPrimeBits) { 3301 rv = CKR_TEMPLATE_INCONSISTENT; 3302 goto fail_cleanup; 3303 } 3304 3305 if (isPrime && isSubprime && isBase) { 3306 /* 3307 * Copy big integer attribute value to the 3308 * designated place in the domain parameter 3309 * object. 3310 */ 3311 copy_bigint_attr(&prime, KEY_DOM_DSA_PRIME(dom)); 3312 3313 copy_bigint_attr(&subprime, KEY_DOM_DSA_SUBPRIME(dom)); 3314 3315 copy_bigint_attr(&base, KEY_DOM_DSA_BASE(dom)); 3316 } else { 3317 rv = CKR_TEMPLATE_INCOMPLETE; 3318 goto fail_cleanup; 3319 } 3320 break; 3321 3322 case CKK_DH: 3323 if (isPrimeBits || isSubprime || isSubPrimeBits) { 3324 rv = CKR_TEMPLATE_INCONSISTENT; 3325 goto fail_cleanup; 3326 } 3327 3328 if (isPrime && isBase) { 3329 copy_bigint_attr(&prime, KEY_DOM_DH_PRIME(dom)); 3330 3331 copy_bigint_attr(&base, KEY_DOM_DH_BASE(dom)); 3332 } else { 3333 rv = CKR_TEMPLATE_INCOMPLETE; 3334 goto fail_cleanup; 3335 } 3336 break; 3337 3338 case CKK_X9_42_DH: 3339 if (isPrimeBits || isSubPrimeBits) { 3340 rv = CKR_TEMPLATE_INCONSISTENT; 3341 goto fail_cleanup; 3342 } 3343 3344 if (isPrime && isSubprime && isBase) { 3345 copy_bigint_attr(&prime, KEY_DOM_DH942_PRIME(dom)); 3346 3347 copy_bigint_attr(&base, KEY_DOM_DH942_BASE(dom)); 3348 3349 copy_bigint_attr(&subprime, 3350 KEY_DOM_DH942_SUBPRIME(dom)); 3351 } else { 3352 rv = CKR_TEMPLATE_INCOMPLETE; 3353 goto fail_cleanup; 3354 } 3355 break; 3356 3357 default: 3358 rv = CKR_TEMPLATE_INCONSISTENT; 3359 goto fail_cleanup; 3360 } 3361 3362 new_object->object_type = object_type; 3363 3364 if (isLabel) { 3365 rv = soft_add_extra_attr(&string_tmp, new_object); 3366 if (rv != CKR_OK) 3367 goto fail_cleanup; 3368 string_attr_cleanup(&string_tmp); 3369 } 3370 3371 return (rv); 3372 3373 fail_cleanup: 3374 /* 3375 * cleanup the storage allocated to the local variables. 3376 */ 3377 bigint_attr_cleanup(&prime); 3378 bigint_attr_cleanup(&subprime); 3379 bigint_attr_cleanup(&base); 3380 string_attr_cleanup(&string_tmp); 3381 3382 /* 3383 * cleanup the storage allocated inside the object itself. 3384 */ 3385 soft_cleanup_object(new_object); 3386 3387 return (rv); 3388 } 3389 3390 /* 3391 * Build a Certificate Object 3392 * 3393 * - Parse the object's template, and when an error is detected such as 3394 * invalid attribute type, invalid attribute value, etc., return 3395 * with appropriate return value. 3396 * - Allocate storage for the Certificate object 3397 */ 3398 static CK_RV 3399 soft_build_certificate_object(CK_ATTRIBUTE_PTR template, 3400 CK_ULONG ulAttrNum, soft_object_t *new_object, 3401 CK_CERTIFICATE_TYPE cert_type) 3402 { 3403 uint64_t attr_mask = 0; 3404 CK_RV rv = CKR_OK; 3405 CK_ULONG i; 3406 int owner_set = 0; 3407 int value_set = 0; 3408 int subject_set = 0; 3409 certificate_obj_t *cert; 3410 /* certificate type defaults to the value given as a parameter */ 3411 CK_CERTIFICATE_TYPE certtype = cert_type; 3412 CK_ATTRIBUTE string_tmp; 3413 int isLabel = 0; 3414 uchar_t object_type = 0; 3415 3416 /* 3417 * Look for the certificate type attribute and do some 3418 * sanity checking before creating the structures. 3419 */ 3420 for (i = 0; i < ulAttrNum; i++) { 3421 /* Certificate Object Attributes */ 3422 switch (template[i].type) { 3423 case CKA_CERTIFICATE_TYPE: 3424 certtype = 3425 *((CK_CERTIFICATE_TYPE*)template[i].pValue); 3426 break; 3427 case CKA_SUBJECT: 3428 subject_set = 1; 3429 break; 3430 case CKA_OWNER: 3431 owner_set = 1; 3432 break; 3433 case CKA_VALUE: 3434 value_set = 1; 3435 break; 3436 } 3437 } 3438 3439 /* The certificate type MUST be specified */ 3440 if (certtype != CKC_X_509 && certtype != CKC_X_509_ATTR_CERT) 3441 return (CKR_TEMPLATE_INCOMPLETE); 3442 3443 /* 3444 * For X.509 certs, the CKA_SUBJECT and CKA_VALUE 3445 * must be present at creation time. 3446 */ 3447 if (certtype == CKC_X_509 && 3448 (!subject_set || !value_set)) 3449 return (CKR_TEMPLATE_INCOMPLETE); 3450 3451 /* 3452 * For X.509 Attribute certs, the CKA_OWNER and CKA_VALUE 3453 * must be present at creation time. 3454 */ 3455 if (certtype == CKC_X_509_ATTR_CERT && 3456 (!owner_set || !value_set)) 3457 return (CKR_TEMPLATE_INCOMPLETE); 3458 3459 string_tmp.pValue = NULL; 3460 cert = calloc(1, sizeof (certificate_obj_t)); 3461 if (cert == NULL) { 3462 return (CKR_HOST_MEMORY); 3463 } 3464 cert->certificate_type = certtype; 3465 3466 for (i = 0; i < ulAttrNum; i++) { 3467 /* Certificate Object Attributes */ 3468 switch (certtype) { 3469 case CKC_X_509: 3470 switch (template[i].type) { 3471 case CKA_SUBJECT: 3472 rv = get_cert_attr_from_template( 3473 &cert->cert_type_u.x509.subject, 3474 &template[i]); 3475 break; 3476 case CKA_VALUE: 3477 rv = get_cert_attr_from_template( 3478 &cert->cert_type_u.x509.value, 3479 &template[i]); 3480 break; 3481 case CKA_LABEL: 3482 isLabel = 1; 3483 rv = get_string_from_template( 3484 &string_tmp, 3485 &template[i]); 3486 if (rv != CKR_OK) 3487 goto fail_cleanup; 3488 break; 3489 case CKA_ID: 3490 case CKA_ISSUER: 3491 case CKA_SERIAL_NUMBER: 3492 rv = soft_add_extra_attr(&template[i], 3493 new_object); 3494 break; 3495 case CKA_MODIFIABLE: 3496 if ((*(CK_BBOOL *)template[i].pValue) == 3497 B_FALSE) 3498 attr_mask |= 3499 NOT_MODIFIABLE_BOOL_ON; 3500 break; 3501 case CKA_CERTIFICATE_TYPE: 3502 break; 3503 default: 3504 rv = soft_parse_common_attrs( 3505 &template[i], &object_type); 3506 if (rv != CKR_OK) 3507 goto fail_cleanup; 3508 } 3509 break; 3510 case CKC_X_509_ATTR_CERT: 3511 switch (template[i].type) { 3512 case CKA_OWNER: 3513 rv = get_cert_attr_from_template( 3514 &cert->cert_type_u.x509_attr.owner, 3515 &template[i]); 3516 break; 3517 case CKA_VALUE: 3518 rv = get_cert_attr_from_template( 3519 &cert->cert_type_u.x509_attr.value, 3520 &template[i]); 3521 break; 3522 case CKA_LABEL: 3523 isLabel = 1; 3524 rv = get_string_from_template( 3525 &string_tmp, &template[i]); 3526 if (rv != CKR_OK) 3527 goto fail_cleanup; 3528 break; 3529 case CKA_SERIAL_NUMBER: 3530 case CKA_AC_ISSUER: 3531 case CKA_ATTR_TYPES: 3532 rv = soft_add_extra_attr(&template[i], 3533 new_object); 3534 break; 3535 3536 case CKA_MODIFIABLE: 3537 if ((*(CK_BBOOL *)template[i].pValue) == 3538 B_FALSE) 3539 attr_mask |= 3540 NOT_MODIFIABLE_BOOL_ON; 3541 break; 3542 case CKA_CERTIFICATE_TYPE: 3543 break; 3544 default: 3545 rv = soft_parse_common_attrs( 3546 &template[i], &object_type); 3547 if (rv != CKR_OK) 3548 goto fail_cleanup; 3549 break; 3550 } 3551 break; 3552 default: 3553 rv = CKR_TEMPLATE_INCOMPLETE; 3554 break; 3555 } 3556 } 3557 3558 if (rv == CKR_OK) { 3559 new_object->object_class_u.certificate = cert; 3560 new_object->class = CKO_CERTIFICATE; 3561 new_object->object_type = object_type; 3562 new_object->cert_type = certtype; 3563 new_object->bool_attr_mask = attr_mask; 3564 if (isLabel) { 3565 rv = soft_add_extra_attr(&string_tmp, new_object); 3566 if (rv != CKR_OK) 3567 goto fail_cleanup; 3568 string_attr_cleanup(&string_tmp); 3569 } 3570 } 3571 3572 fail_cleanup: 3573 if (rv != CKR_OK) { 3574 soft_cleanup_cert_object(new_object); 3575 } 3576 return (rv); 3577 } 3578 3579 3580 /* 3581 * Validate the attribute types in the object's template. Then, 3582 * call the appropriate build function according to the class of 3583 * the object specified in the template. 3584 * 3585 * Note: The following classes of objects are supported: 3586 * - CKO_PUBLIC_KEY 3587 * - CKO_PRIVATE_KEY 3588 * - CKO_SECRET_KEY 3589 * - CKO_DOMAIN_PARAMETERS 3590 * - CKO_CERTIFICATE 3591 * 3592 */ 3593 CK_RV 3594 soft_build_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 3595 soft_object_t *new_object) 3596 { 3597 3598 CK_OBJECT_CLASS class = (CK_OBJECT_CLASS)~0UL; 3599 CK_RV rv = CKR_OK; 3600 3601 if (template == NULL) { 3602 return (CKR_ARGUMENTS_BAD); 3603 } 3604 3605 /* Validate the attribute type in the template. */ 3606 rv = soft_validate_attr(template, ulAttrNum, &class); 3607 if (rv != CKR_OK) 3608 return (rv); 3609 /* 3610 * CKA_CLASS is a mandatory attribute for C_CreateObject 3611 */ 3612 if (class == (CK_OBJECT_CLASS)~0UL) 3613 return (CKR_TEMPLATE_INCOMPLETE); 3614 3615 /* 3616 * Call the appropriate function based on the supported class 3617 * of the object. 3618 */ 3619 switch (class) { 3620 case CKO_PUBLIC_KEY: 3621 rv = soft_build_public_key_object(template, ulAttrNum, 3622 new_object, SOFT_CREATE_OBJ, (CK_KEY_TYPE)~0UL); 3623 break; 3624 3625 case CKO_PRIVATE_KEY: 3626 rv = soft_build_private_key_object(template, ulAttrNum, 3627 new_object, SOFT_CREATE_OBJ, (CK_KEY_TYPE)~0UL); 3628 break; 3629 3630 case CKO_SECRET_KEY: 3631 rv = soft_build_secret_key_object(template, ulAttrNum, 3632 new_object, SOFT_CREATE_OBJ, 0, (CK_KEY_TYPE)~0UL); 3633 break; 3634 3635 case CKO_DOMAIN_PARAMETERS: 3636 rv = soft_build_domain_parameters_object(template, ulAttrNum, 3637 new_object); 3638 break; 3639 3640 case CKO_CERTIFICATE: 3641 rv = soft_build_certificate_object(template, ulAttrNum, 3642 new_object, (CK_CERTIFICATE_TYPE)~0UL); 3643 break; 3644 3645 case CKO_DATA: 3646 case CKO_HW_FEATURE: 3647 case CKO_VENDOR_DEFINED: 3648 default: 3649 return (CKR_ATTRIBUTE_VALUE_INVALID); 3650 } 3651 3652 return (rv); 3653 } 3654 3655 /* 3656 * Validate the attribute types in the object's template. Then, 3657 * call the appropriate build function according to the class of 3658 * the object specified in the template. 3659 * 3660 */ 3661 CK_RV 3662 soft_build_key(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 3663 soft_object_t *new_object, CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, 3664 CK_ULONG key_len, CK_ULONG mode) 3665 { 3666 3667 CK_RV rv = CKR_OK; 3668 CK_OBJECT_CLASS temp_class = (CK_OBJECT_CLASS)~0UL; 3669 3670 /* Validate the attribute type in the template. */ 3671 if ((template != NULL) && (ulAttrNum != 0)) { 3672 rv = soft_validate_attr(template, ulAttrNum, &temp_class); 3673 if (rv != CKR_OK) 3674 return (rv); 3675 } 3676 3677 /* 3678 * If either the class from the parameter list ("class") or 3679 * the class from the template ("temp_class") is not specified, 3680 * try to use the other one. 3681 */ 3682 if (temp_class == (CK_OBJECT_CLASS)~0UL) { 3683 temp_class = class; 3684 } else if (class == (CK_OBJECT_CLASS)~0UL) { 3685 class = temp_class; 3686 } 3687 3688 /* If object class is still not specified, template is incomplete. */ 3689 if (class == (CK_OBJECT_CLASS)~0UL) 3690 return (CKR_TEMPLATE_INCOMPLETE); 3691 3692 /* Class should match if specified in both parameters and template. */ 3693 if (class != temp_class) 3694 return (CKR_TEMPLATE_INCONSISTENT); 3695 3696 /* 3697 * Call the appropriate function based on the supported class 3698 * of the object. 3699 */ 3700 switch (class) { 3701 case CKO_PUBLIC_KEY: 3702 3703 /* Unwrapping public keys is not supported. */ 3704 if (mode == SOFT_UNWRAP_KEY) { 3705 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3706 break; 3707 } 3708 3709 rv = soft_build_public_key_object(template, ulAttrNum, 3710 new_object, mode, key_type); 3711 break; 3712 3713 case CKO_PRIVATE_KEY: 3714 3715 rv = soft_build_private_key_object(template, ulAttrNum, 3716 new_object, mode, key_type); 3717 break; 3718 3719 case CKO_SECRET_KEY: 3720 3721 rv = soft_build_secret_key_object(template, ulAttrNum, 3722 new_object, mode, key_len, key_type); 3723 break; 3724 3725 case CKO_DOMAIN_PARAMETERS: 3726 3727 /* Unwrapping domain parameters is not supported. */ 3728 if (mode == SOFT_UNWRAP_KEY) { 3729 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3730 break; 3731 } 3732 3733 rv = soft_build_domain_parameters_object(template, ulAttrNum, 3734 new_object); 3735 break; 3736 3737 case CKO_DATA: 3738 case CKO_CERTIFICATE: 3739 case CKO_HW_FEATURE: 3740 case CKO_VENDOR_DEFINED: 3741 default: 3742 return (CKR_ATTRIBUTE_VALUE_INVALID); 3743 } 3744 3745 return (rv); 3746 } 3747 3748 3749 /* 3750 * Get the value of a requested attribute that is common to all supported 3751 * classes (i.e. public key, private key, secret key, domain parameters, 3752 * and certificate classes). 3753 */ 3754 CK_RV 3755 soft_get_common_attrs(soft_object_t *object_p, CK_ATTRIBUTE_PTR template, 3756 uchar_t object_type) 3757 { 3758 3759 CK_RV rv = CKR_OK; 3760 3761 switch (template->type) { 3762 3763 case CKA_CLASS: 3764 return (get_ulong_attr_from_object(object_p->class, 3765 template)); 3766 3767 /* default boolean attributes */ 3768 case CKA_TOKEN: 3769 template->ulValueLen = sizeof (CK_BBOOL); 3770 if (template->pValue == NULL) { 3771 return (CKR_OK); 3772 } 3773 if (object_type & TOKEN_OBJECT) 3774 *((CK_BBOOL *)template->pValue) = B_TRUE; 3775 else 3776 *((CK_BBOOL *)template->pValue) = B_FALSE; 3777 break; 3778 3779 case CKA_PRIVATE: 3780 3781 template->ulValueLen = sizeof (CK_BBOOL); 3782 if (template->pValue == NULL) { 3783 return (CKR_OK); 3784 } 3785 if (object_type & PRIVATE_OBJECT) 3786 *((CK_BBOOL *)template->pValue) = B_TRUE; 3787 else 3788 *((CK_BBOOL *)template->pValue) = B_FALSE; 3789 break; 3790 3791 case CKA_MODIFIABLE: 3792 template->ulValueLen = sizeof (CK_BBOOL); 3793 if (template->pValue == NULL) { 3794 return (CKR_OK); 3795 } 3796 if ((object_p->bool_attr_mask) & NOT_MODIFIABLE_BOOL_ON) 3797 *((CK_BBOOL *)template->pValue) = B_FALSE; 3798 else 3799 *((CK_BBOOL *)template->pValue) = B_TRUE; 3800 break; 3801 3802 case CKA_LABEL: 3803 return (get_extra_attr_from_object(object_p, 3804 template)); 3805 3806 default: 3807 /* 3808 * The specified attribute for the object is invalid. 3809 * (the object does not possess such an attribute.) 3810 */ 3811 template->ulValueLen = (CK_ULONG)-1; 3812 return (CKR_ATTRIBUTE_TYPE_INVALID); 3813 } 3814 3815 return (rv); 3816 } 3817 3818 /* 3819 * Get the value of a requested attribute that is common to all key objects 3820 * (i.e. public key, private key and secret key). 3821 */ 3822 CK_RV 3823 soft_get_common_key_attrs(soft_object_t *object_p, CK_ATTRIBUTE_PTR template) 3824 { 3825 3826 switch (template->type) { 3827 3828 case CKA_KEY_TYPE: 3829 return (get_ulong_attr_from_object(object_p->key_type, 3830 template)); 3831 3832 case CKA_ID: 3833 case CKA_START_DATE: 3834 case CKA_END_DATE: 3835 /* 3836 * The above extra attributes have byte array type. 3837 */ 3838 return (get_extra_attr_from_object(object_p, 3839 template)); 3840 3841 /* Key related boolean attributes */ 3842 case CKA_LOCAL: 3843 return (get_bool_attr_from_object(object_p, 3844 LOCAL_BOOL_ON, template)); 3845 3846 case CKA_DERIVE: 3847 return (get_bool_attr_from_object(object_p, 3848 DERIVE_BOOL_ON, template)); 3849 3850 case CKA_KEY_GEN_MECHANISM: 3851 return (get_ulong_attr_from_object(object_p->mechanism, 3852 template)); 3853 3854 default: 3855 return (CKR_ATTRIBUTE_TYPE_INVALID); 3856 } 3857 } 3858 3859 /* 3860 * Get the value of a requested attribute of a Public Key Object. 3861 * 3862 * Rule: All the attributes in the public key object can be revealed. 3863 */ 3864 CK_RV 3865 soft_get_public_key_attribute(soft_object_t *object_p, 3866 CK_ATTRIBUTE_PTR template) 3867 { 3868 3869 CK_RV rv = CKR_OK; 3870 CK_KEY_TYPE keytype = object_p->key_type; 3871 3872 switch (template->type) { 3873 3874 case CKA_SUBJECT: 3875 case CKA_EC_PARAMS: 3876 /* 3877 * The above extra attributes have byte array type. 3878 */ 3879 return (get_extra_attr_from_object(object_p, 3880 template)); 3881 3882 /* Key related boolean attributes */ 3883 case CKA_ENCRYPT: 3884 return (get_bool_attr_from_object(object_p, 3885 ENCRYPT_BOOL_ON, template)); 3886 3887 case CKA_VERIFY: 3888 return (get_bool_attr_from_object(object_p, 3889 VERIFY_BOOL_ON, template)); 3890 3891 case CKA_VERIFY_RECOVER: 3892 return (get_bool_attr_from_object(object_p, 3893 VERIFY_RECOVER_BOOL_ON, template)); 3894 3895 case CKA_WRAP: 3896 return (get_bool_attr_from_object(object_p, 3897 WRAP_BOOL_ON, template)); 3898 3899 case CKA_TRUSTED: 3900 return (get_bool_attr_from_object(object_p, 3901 TRUSTED_BOOL_ON, template)); 3902 3903 case CKA_MODULUS: 3904 /* 3905 * This attribute is valid only for RSA public key 3906 * object. 3907 */ 3908 if (keytype == CKK_RSA) { 3909 return (get_bigint_attr_from_object( 3910 OBJ_PUB_RSA_MOD(object_p), template)); 3911 } else { 3912 template->ulValueLen = (CK_ULONG)-1; 3913 return (CKR_ATTRIBUTE_TYPE_INVALID); 3914 } 3915 3916 case CKA_PUBLIC_EXPONENT: 3917 if (keytype == CKK_RSA) { 3918 return (get_bigint_attr_from_object( 3919 OBJ_PUB_RSA_PUBEXPO(object_p), template)); 3920 } else { 3921 template->ulValueLen = (CK_ULONG)-1; 3922 return (CKR_ATTRIBUTE_TYPE_INVALID); 3923 } 3924 3925 case CKA_MODULUS_BITS: 3926 if (keytype == CKK_RSA) { 3927 return (get_ulong_attr_from_object( 3928 OBJ_PUB_RSA_MOD_BITS(object_p), template)); 3929 } else { 3930 template->ulValueLen = (CK_ULONG)-1; 3931 return (CKR_ATTRIBUTE_TYPE_INVALID); 3932 } 3933 3934 case CKA_PRIME: 3935 switch (keytype) { 3936 case CKK_DSA: 3937 return (get_bigint_attr_from_object( 3938 OBJ_PUB_DSA_PRIME(object_p), template)); 3939 3940 case CKK_DH: 3941 return (get_bigint_attr_from_object( 3942 OBJ_PUB_DH_PRIME(object_p), template)); 3943 3944 case CKK_X9_42_DH: 3945 return (get_bigint_attr_from_object( 3946 OBJ_PUB_DH942_PRIME(object_p), template)); 3947 3948 default: 3949 template->ulValueLen = (CK_ULONG)-1; 3950 return (CKR_ATTRIBUTE_TYPE_INVALID); 3951 } 3952 3953 case CKA_SUBPRIME: 3954 switch (keytype) { 3955 case CKK_DSA: 3956 return (get_bigint_attr_from_object( 3957 OBJ_PUB_DSA_SUBPRIME(object_p), template)); 3958 3959 case CKK_X9_42_DH: 3960 return (get_bigint_attr_from_object( 3961 OBJ_PUB_DH942_SUBPRIME(object_p), template)); 3962 3963 default: 3964 template->ulValueLen = (CK_ULONG)-1; 3965 return (CKR_ATTRIBUTE_TYPE_INVALID); 3966 } 3967 3968 case CKA_BASE: 3969 switch (keytype) { 3970 case CKK_DSA: 3971 return (get_bigint_attr_from_object( 3972 OBJ_PUB_DSA_BASE(object_p), template)); 3973 3974 case CKK_DH: 3975 return (get_bigint_attr_from_object( 3976 OBJ_PUB_DH_BASE(object_p), template)); 3977 3978 case CKK_X9_42_DH: 3979 return (get_bigint_attr_from_object( 3980 OBJ_PUB_DH942_BASE(object_p), template)); 3981 3982 default: 3983 template->ulValueLen = (CK_ULONG)-1; 3984 return (CKR_ATTRIBUTE_TYPE_INVALID); 3985 } 3986 3987 case CKA_EC_POINT: 3988 return (get_bigint_attr_from_object( 3989 OBJ_PUB_EC_POINT(object_p), template)); 3990 3991 case CKA_VALUE: 3992 switch (keytype) { 3993 case CKK_DSA: 3994 return (get_bigint_attr_from_object( 3995 OBJ_PUB_DSA_VALUE(object_p), template)); 3996 3997 case CKK_DH: 3998 return (get_bigint_attr_from_object( 3999 OBJ_PUB_DH_VALUE(object_p), template)); 4000 4001 case CKK_X9_42_DH: 4002 return (get_bigint_attr_from_object( 4003 OBJ_PUB_DH942_VALUE(object_p), template)); 4004 4005 default: 4006 template->ulValueLen = (CK_ULONG)-1; 4007 return (CKR_ATTRIBUTE_TYPE_INVALID); 4008 } 4009 4010 default: 4011 /* 4012 * First, get the value of the request attribute defined 4013 * in the list of common key attributes. If the request 4014 * attribute is not found in that list, then get the 4015 * attribute from the list of common attributes. 4016 */ 4017 rv = soft_get_common_key_attrs(object_p, template); 4018 if (rv == CKR_ATTRIBUTE_TYPE_INVALID) { 4019 rv = soft_get_common_attrs(object_p, template, 4020 object_p->object_type); 4021 } 4022 break; 4023 } 4024 4025 return (rv); 4026 } 4027 4028 4029 /* 4030 * Get the value of a requested attribute of a Private Key Object. 4031 * 4032 * Rule: All the attributes in the private key object can be revealed 4033 * except those marked with footnote number "7" when the object 4034 * has its CKA_SENSITIVE attribute set to TRUE or its 4035 * CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.). 4036 */ 4037 CK_RV 4038 soft_get_private_key_attribute(soft_object_t *object_p, 4039 CK_ATTRIBUTE_PTR template) 4040 { 4041 4042 CK_RV rv = CKR_OK; 4043 CK_KEY_TYPE keytype = object_p->key_type; 4044 4045 4046 /* 4047 * If the following specified attributes for the private key 4048 * object cannot be revealed because the object is sensitive 4049 * or unextractable, then the ulValueLen is set to -1. 4050 */ 4051 if ((object_p->bool_attr_mask & SENSITIVE_BOOL_ON) || 4052 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) { 4053 4054 switch (template->type) { 4055 case CKA_PRIVATE_EXPONENT: 4056 case CKA_PRIME_1: 4057 case CKA_PRIME_2: 4058 case CKA_EXPONENT_1: 4059 case CKA_EXPONENT_2: 4060 case CKA_COEFFICIENT: 4061 case CKA_VALUE: 4062 template->ulValueLen = (CK_ULONG)-1; 4063 return (CKR_ATTRIBUTE_SENSITIVE); 4064 } 4065 } 4066 4067 switch (template->type) { 4068 4069 case CKA_SUBJECT: 4070 case CKA_EC_PARAMS: 4071 /* 4072 * The above extra attributes have byte array type. 4073 */ 4074 return (get_extra_attr_from_object(object_p, 4075 template)); 4076 4077 /* Key related boolean attributes */ 4078 case CKA_SENSITIVE: 4079 return (get_bool_attr_from_object(object_p, 4080 SENSITIVE_BOOL_ON, template)); 4081 4082 case CKA_SECONDARY_AUTH: 4083 return (get_bool_attr_from_object(object_p, 4084 SECONDARY_AUTH_BOOL_ON, template)); 4085 4086 case CKA_DECRYPT: 4087 return (get_bool_attr_from_object(object_p, 4088 DECRYPT_BOOL_ON, template)); 4089 4090 case CKA_SIGN: 4091 return (get_bool_attr_from_object(object_p, 4092 SIGN_BOOL_ON, template)); 4093 4094 case CKA_SIGN_RECOVER: 4095 return (get_bool_attr_from_object(object_p, 4096 SIGN_RECOVER_BOOL_ON, template)); 4097 4098 case CKA_UNWRAP: 4099 return (get_bool_attr_from_object(object_p, 4100 UNWRAP_BOOL_ON, template)); 4101 4102 case CKA_EXTRACTABLE: 4103 return (get_bool_attr_from_object(object_p, 4104 EXTRACTABLE_BOOL_ON, template)); 4105 4106 case CKA_ALWAYS_SENSITIVE: 4107 return (get_bool_attr_from_object(object_p, 4108 ALWAYS_SENSITIVE_BOOL_ON, template)); 4109 4110 case CKA_NEVER_EXTRACTABLE: 4111 return (get_bool_attr_from_object(object_p, 4112 NEVER_EXTRACTABLE_BOOL_ON, template)); 4113 4114 case CKA_MODULUS: 4115 if (keytype == CKK_RSA) { 4116 return (get_bigint_attr_from_object( 4117 OBJ_PRI_RSA_MOD(object_p), template)); 4118 } else { 4119 template->ulValueLen = (CK_ULONG)-1; 4120 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4121 break; 4122 } 4123 4124 case CKA_PUBLIC_EXPONENT: 4125 if (keytype == CKK_RSA) { 4126 return (get_bigint_attr_from_object( 4127 OBJ_PRI_RSA_PUBEXPO(object_p), template)); 4128 } else { 4129 template->ulValueLen = (CK_ULONG)-1; 4130 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4131 break; 4132 } 4133 4134 case CKA_PRIVATE_EXPONENT: 4135 if (keytype == CKK_RSA) { 4136 return (get_bigint_attr_from_object( 4137 OBJ_PRI_RSA_PRIEXPO(object_p), template)); 4138 } else { 4139 template->ulValueLen = (CK_ULONG)-1; 4140 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4141 break; 4142 } 4143 4144 case CKA_PRIME_1: 4145 if (keytype == CKK_RSA) { 4146 return (get_bigint_attr_from_object( 4147 OBJ_PRI_RSA_PRIME1(object_p), template)); 4148 } else { 4149 template->ulValueLen = (CK_ULONG)-1; 4150 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4151 break; 4152 } 4153 4154 case CKA_PRIME_2: 4155 if (keytype == CKK_RSA) { 4156 return (get_bigint_attr_from_object( 4157 OBJ_PRI_RSA_PRIME2(object_p), template)); 4158 } else { 4159 template->ulValueLen = (CK_ULONG)-1; 4160 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4161 break; 4162 } 4163 4164 case CKA_EXPONENT_1: 4165 if (keytype == CKK_RSA) { 4166 return (get_bigint_attr_from_object( 4167 OBJ_PRI_RSA_EXPO1(object_p), template)); 4168 } else { 4169 template->ulValueLen = (CK_ULONG)-1; 4170 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4171 break; 4172 } 4173 4174 case CKA_EXPONENT_2: 4175 if (keytype == CKK_RSA) { 4176 return (get_bigint_attr_from_object( 4177 OBJ_PRI_RSA_EXPO2(object_p), template)); 4178 } else { 4179 template->ulValueLen = (CK_ULONG)-1; 4180 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4181 break; 4182 } 4183 4184 case CKA_COEFFICIENT: 4185 if (keytype == CKK_RSA) { 4186 return (get_bigint_attr_from_object( 4187 OBJ_PRI_RSA_COEF(object_p), template)); 4188 } else { 4189 template->ulValueLen = (CK_ULONG)-1; 4190 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4191 break; 4192 } 4193 4194 case CKA_VALUE_BITS: 4195 if (keytype == CKK_DH) { 4196 return (get_ulong_attr_from_object( 4197 OBJ_PRI_DH_VAL_BITS(object_p), template)); 4198 } else { 4199 template->ulValueLen = (CK_ULONG)-1; 4200 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4201 break; 4202 } 4203 4204 case CKA_PRIME: 4205 switch (keytype) { 4206 case CKK_DSA: 4207 return (get_bigint_attr_from_object( 4208 OBJ_PRI_DSA_PRIME(object_p), template)); 4209 4210 case CKK_DH: 4211 return (get_bigint_attr_from_object( 4212 OBJ_PRI_DH_PRIME(object_p), template)); 4213 4214 case CKK_X9_42_DH: 4215 return (get_bigint_attr_from_object( 4216 OBJ_PRI_DH942_PRIME(object_p), template)); 4217 4218 default: 4219 template->ulValueLen = (CK_ULONG)-1; 4220 return (CKR_ATTRIBUTE_TYPE_INVALID); 4221 } 4222 4223 case CKA_SUBPRIME: 4224 switch (keytype) { 4225 case CKK_DSA: 4226 return (get_bigint_attr_from_object( 4227 OBJ_PRI_DSA_SUBPRIME(object_p), template)); 4228 4229 case CKK_X9_42_DH: 4230 return (get_bigint_attr_from_object( 4231 OBJ_PRI_DH942_SUBPRIME(object_p), template)); 4232 4233 default: 4234 template->ulValueLen = (CK_ULONG)-1; 4235 return (CKR_ATTRIBUTE_TYPE_INVALID); 4236 } 4237 4238 case CKA_BASE: 4239 switch (keytype) { 4240 case CKK_DSA: 4241 return (get_bigint_attr_from_object( 4242 OBJ_PRI_DSA_BASE(object_p), template)); 4243 4244 case CKK_DH: 4245 return (get_bigint_attr_from_object( 4246 OBJ_PRI_DH_BASE(object_p), template)); 4247 4248 case CKK_X9_42_DH: 4249 return (get_bigint_attr_from_object( 4250 OBJ_PRI_DH942_BASE(object_p), template)); 4251 4252 default: 4253 template->ulValueLen = (CK_ULONG)-1; 4254 return (CKR_ATTRIBUTE_TYPE_INVALID); 4255 } 4256 4257 case CKA_VALUE: 4258 switch (keytype) { 4259 case CKK_DSA: 4260 return (get_bigint_attr_from_object( 4261 OBJ_PRI_DSA_VALUE(object_p), template)); 4262 4263 case CKK_DH: 4264 return (get_bigint_attr_from_object( 4265 OBJ_PRI_DH_VALUE(object_p), template)); 4266 4267 case CKK_X9_42_DH: 4268 return (get_bigint_attr_from_object( 4269 OBJ_PRI_DH942_VALUE(object_p), template)); 4270 4271 case CKK_EC: 4272 return (get_bigint_attr_from_object( 4273 OBJ_PRI_EC_VALUE(object_p), template)); 4274 4275 default: 4276 template->ulValueLen = (CK_ULONG)-1; 4277 return (CKR_ATTRIBUTE_TYPE_INVALID); 4278 } 4279 4280 default: 4281 /* 4282 * First, get the value of the request attribute defined 4283 * in the list of common key attributes. If the request 4284 * attribute is not found in that list, then get the 4285 * attribute from the list of common attributes. 4286 */ 4287 rv = soft_get_common_key_attrs(object_p, template); 4288 if (rv == CKR_ATTRIBUTE_TYPE_INVALID) { 4289 rv = soft_get_common_attrs(object_p, template, 4290 object_p->object_type); 4291 } 4292 break; 4293 } 4294 4295 return (rv); 4296 } 4297 4298 4299 /* 4300 * Get the value of a requested attribute of a Secret Key Object. 4301 * 4302 * Rule: All the attributes in the secret key object can be revealed 4303 * except those marked with footnote number "7" when the object 4304 * has its CKA_SENSITIVE attribute set to TRUE or its 4305 * CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.). 4306 */ 4307 CK_RV 4308 soft_get_secret_key_attribute(soft_object_t *object_p, 4309 CK_ATTRIBUTE_PTR template) 4310 { 4311 4312 CK_RV rv = CKR_OK; 4313 CK_KEY_TYPE keytype = object_p->key_type; 4314 4315 switch (template->type) { 4316 4317 /* Key related boolean attributes */ 4318 case CKA_SENSITIVE: 4319 return (get_bool_attr_from_object(object_p, 4320 SENSITIVE_BOOL_ON, template)); 4321 4322 case CKA_ENCRYPT: 4323 return (get_bool_attr_from_object(object_p, 4324 ENCRYPT_BOOL_ON, template)); 4325 4326 case CKA_DECRYPT: 4327 return (get_bool_attr_from_object(object_p, 4328 DECRYPT_BOOL_ON, template)); 4329 4330 case CKA_SIGN: 4331 return (get_bool_attr_from_object(object_p, 4332 SIGN_BOOL_ON, template)); 4333 4334 case CKA_VERIFY: 4335 return (get_bool_attr_from_object(object_p, 4336 VERIFY_BOOL_ON, template)); 4337 4338 case CKA_WRAP: 4339 return (get_bool_attr_from_object(object_p, 4340 WRAP_BOOL_ON, template)); 4341 4342 case CKA_UNWRAP: 4343 return (get_bool_attr_from_object(object_p, 4344 UNWRAP_BOOL_ON, template)); 4345 4346 case CKA_EXTRACTABLE: 4347 return (get_bool_attr_from_object(object_p, 4348 EXTRACTABLE_BOOL_ON, template)); 4349 4350 case CKA_ALWAYS_SENSITIVE: 4351 return (get_bool_attr_from_object(object_p, 4352 ALWAYS_SENSITIVE_BOOL_ON, template)); 4353 4354 case CKA_NEVER_EXTRACTABLE: 4355 return (get_bool_attr_from_object(object_p, 4356 NEVER_EXTRACTABLE_BOOL_ON, template)); 4357 4358 case CKA_VALUE: 4359 case CKA_VALUE_LEN: 4360 /* 4361 * If the specified attribute for the secret key object 4362 * cannot be revealed because the object is sensitive 4363 * or unextractable, then the ulValueLen is set to -1. 4364 */ 4365 if ((object_p->bool_attr_mask & SENSITIVE_BOOL_ON) || 4366 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) { 4367 template->ulValueLen = (CK_ULONG)-1; 4368 return (CKR_ATTRIBUTE_SENSITIVE); 4369 } 4370 4371 switch (keytype) { 4372 case CKK_RC4: 4373 case CKK_GENERIC_SECRET: 4374 case CKK_RC5: 4375 case CKK_DES: 4376 case CKK_DES2: 4377 case CKK_DES3: 4378 case CKK_CDMF: 4379 case CKK_AES: 4380 case CKK_BLOWFISH: 4381 if (template->type == CKA_VALUE_LEN) { 4382 return (get_ulong_attr_from_object( 4383 OBJ_SEC_VALUE_LEN(object_p), 4384 template)); 4385 } else { 4386 return (get_bigint_attr_from_object( 4387 (biginteger_t *)OBJ_SEC(object_p), 4388 template)); 4389 } 4390 default: 4391 template->ulValueLen = (CK_ULONG)-1; 4392 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4393 break; 4394 } 4395 break; 4396 4397 default: 4398 /* 4399 * First, get the value of the request attribute defined 4400 * in the list of common key attributes. If the request 4401 * attribute is not found in that list, then get the 4402 * attribute from the list of common attributes. 4403 */ 4404 rv = soft_get_common_key_attrs(object_p, template); 4405 if (rv == CKR_ATTRIBUTE_TYPE_INVALID) { 4406 rv = soft_get_common_attrs(object_p, template, 4407 object_p->object_type); 4408 } 4409 break; 4410 } 4411 4412 return (rv); 4413 } 4414 4415 4416 /* 4417 * Get the value of a requested attribute of a Domain Parameters Object. 4418 * 4419 * Rule: All the attributes in the domain parameters object can be revealed. 4420 */ 4421 CK_RV 4422 soft_get_domain_parameters_attribute(soft_object_t *object_p, 4423 CK_ATTRIBUTE_PTR template) 4424 { 4425 4426 CK_RV rv = CKR_OK; 4427 CK_KEY_TYPE keytype = object_p->key_type; 4428 4429 switch (template->type) { 4430 4431 case CKA_KEY_TYPE: 4432 return (get_ulong_attr_from_object(keytype, 4433 template)); 4434 4435 case CKA_LOCAL: 4436 return (get_bool_attr_from_object(object_p, 4437 LOCAL_BOOL_ON, template)); 4438 4439 case CKA_PRIME: 4440 switch (keytype) { 4441 case CKK_DSA: 4442 return (get_bigint_attr_from_object( 4443 OBJ_DOM_DSA_PRIME(object_p), template)); 4444 4445 case CKK_DH: 4446 return (get_bigint_attr_from_object( 4447 OBJ_DOM_DH_PRIME(object_p), template)); 4448 4449 case CKK_X9_42_DH: 4450 return (get_bigint_attr_from_object( 4451 OBJ_DOM_DH942_PRIME(object_p), template)); 4452 4453 default: 4454 template->ulValueLen = (CK_ULONG)-1; 4455 return (CKR_ATTRIBUTE_TYPE_INVALID); 4456 } 4457 4458 case CKA_SUBPRIME: 4459 switch (keytype) { 4460 case CKK_DSA: 4461 return (get_bigint_attr_from_object( 4462 OBJ_DOM_DSA_SUBPRIME(object_p), template)); 4463 4464 case CKK_X9_42_DH: 4465 return (get_bigint_attr_from_object( 4466 OBJ_DOM_DH942_SUBPRIME(object_p), template)); 4467 4468 default: 4469 template->ulValueLen = (CK_ULONG)-1; 4470 return (CKR_ATTRIBUTE_TYPE_INVALID); 4471 } 4472 4473 case CKA_BASE: 4474 switch (keytype) { 4475 case CKK_DSA: 4476 return (get_bigint_attr_from_object( 4477 OBJ_DOM_DSA_BASE(object_p), template)); 4478 4479 case CKK_DH: 4480 return (get_bigint_attr_from_object( 4481 OBJ_DOM_DH_BASE(object_p), template)); 4482 4483 case CKK_X9_42_DH: 4484 return (get_bigint_attr_from_object( 4485 OBJ_DOM_DH942_BASE(object_p), template)); 4486 4487 default: 4488 template->ulValueLen = (CK_ULONG)-1; 4489 return (CKR_ATTRIBUTE_TYPE_INVALID); 4490 } 4491 4492 case CKA_PRIME_BITS: 4493 switch (keytype) { 4494 case CKK_DSA: 4495 return (get_ulong_attr_from_object( 4496 OBJ_DOM_DSA_PRIME_BITS(object_p), template)); 4497 4498 case CKK_DH: 4499 return (get_ulong_attr_from_object( 4500 OBJ_DOM_DH_PRIME_BITS(object_p), template)); 4501 4502 case CKK_X9_42_DH: 4503 return (get_ulong_attr_from_object( 4504 OBJ_DOM_DH942_PRIME_BITS(object_p), template)); 4505 4506 default: 4507 template->ulValueLen = (CK_ULONG)-1; 4508 return (CKR_ATTRIBUTE_TYPE_INVALID); 4509 } 4510 4511 case CKA_SUB_PRIME_BITS: 4512 switch (keytype) { 4513 case CKK_X9_42_DH: 4514 return (get_ulong_attr_from_object( 4515 OBJ_DOM_DH942_SUBPRIME_BITS(object_p), template)); 4516 4517 default: 4518 template->ulValueLen = (CK_ULONG)-1; 4519 return (CKR_ATTRIBUTE_TYPE_INVALID); 4520 } 4521 4522 default: 4523 /* 4524 * Get the value of a common attribute. 4525 */ 4526 rv = soft_get_common_attrs(object_p, template, 4527 object_p->object_type); 4528 break; 4529 } 4530 4531 return (rv); 4532 } 4533 4534 /* 4535 * Get certificate attributes from an object. 4536 * return CKR_ATTRIBUTE_TYPE_INVALID if the requested type 4537 * does not exist in the certificate. 4538 */ 4539 CK_RV 4540 soft_get_certificate_attribute(soft_object_t *object_p, 4541 CK_ATTRIBUTE_PTR template) 4542 { 4543 CK_CERTIFICATE_TYPE certtype = object_p->cert_type; 4544 cert_attr_t src; 4545 4546 switch (template->type) { 4547 case CKA_SUBJECT: 4548 if (certtype == CKC_X_509) { 4549 return (get_cert_attr_from_object( 4550 X509_CERT_SUBJECT(object_p), template)); 4551 } 4552 break; 4553 case CKA_VALUE: 4554 if (certtype == CKC_X_509) { 4555 return (get_cert_attr_from_object( 4556 X509_CERT_VALUE(object_p), template)); 4557 } else if (certtype == CKC_X_509_ATTR_CERT) { 4558 return (get_cert_attr_from_object( 4559 X509_ATTR_CERT_VALUE(object_p), template)); 4560 } 4561 break; 4562 case CKA_OWNER: 4563 if (certtype == CKC_X_509_ATTR_CERT) { 4564 return (get_cert_attr_from_object( 4565 X509_ATTR_CERT_OWNER(object_p), template)); 4566 } 4567 break; 4568 case CKA_CERTIFICATE_TYPE: 4569 src.value = (CK_BYTE *)&certtype; 4570 src.length = sizeof (certtype); 4571 return (get_cert_attr_from_object(&src, template)); 4572 case CKA_TRUSTED: 4573 return (get_bool_attr_from_object(object_p, 4574 TRUSTED_BOOL_ON, template)); 4575 case CKA_ID: 4576 case CKA_ISSUER: 4577 case CKA_SERIAL_NUMBER: 4578 case CKA_AC_ISSUER: 4579 case CKA_ATTR_TYPES: 4580 return (get_extra_attr_from_object(object_p, 4581 template)); 4582 default: 4583 return (soft_get_common_attrs(object_p, template, 4584 object_p->object_type)); 4585 } 4586 4587 /* 4588 * If we got this far, then the combination of certificate type 4589 * and requested attribute is invalid. 4590 */ 4591 return (CKR_ATTRIBUTE_TYPE_INVALID); 4592 } 4593 4594 CK_RV 4595 soft_set_certificate_attribute(soft_object_t *object_p, 4596 CK_ATTRIBUTE_PTR template, boolean_t copy) 4597 { 4598 CK_CERTIFICATE_TYPE certtype = object_p->cert_type; 4599 4600 switch (template->type) { 4601 case CKA_SUBJECT: 4602 if (certtype == CKC_X_509) { 4603 /* SUBJECT attr cannot be modified. */ 4604 return (CKR_ATTRIBUTE_READ_ONLY); 4605 } 4606 break; 4607 case CKA_OWNER: 4608 if (certtype == CKC_X_509_ATTR_CERT) { 4609 /* OWNER attr cannot be modified. */ 4610 return (CKR_ATTRIBUTE_READ_ONLY); 4611 } 4612 break; 4613 case CKA_VALUE: 4614 /* VALUE attr cannot be modified. */ 4615 return (CKR_ATTRIBUTE_READ_ONLY); 4616 case CKA_ID: 4617 case CKA_ISSUER: 4618 if (certtype == CKC_X_509) { 4619 return (set_extra_attr_to_object(object_p, 4620 template->type, template)); 4621 } 4622 break; 4623 case CKA_AC_ISSUER: 4624 case CKA_ATTR_TYPES: 4625 if (certtype == CKC_X_509_ATTR_CERT) { 4626 return (set_extra_attr_to_object(object_p, 4627 template->type, template)); 4628 } 4629 break; 4630 case CKA_SERIAL_NUMBER: 4631 case CKA_LABEL: 4632 return (set_extra_attr_to_object(object_p, 4633 template->type, template)); 4634 default: 4635 return (soft_set_common_storage_attribute( 4636 object_p, template, copy)); 4637 } 4638 4639 /* 4640 * If we got this far, then the combination of certificate type 4641 * and requested attribute is invalid. 4642 */ 4643 return (CKR_ATTRIBUTE_TYPE_INVALID); 4644 } 4645 4646 /* 4647 * Call the appropriate get attribute function according to the class 4648 * of object. 4649 * 4650 * The caller of this function holds the lock on the object. 4651 */ 4652 CK_RV 4653 soft_get_attribute(soft_object_t *object_p, CK_ATTRIBUTE_PTR template) 4654 { 4655 4656 CK_RV rv = CKR_OK; 4657 CK_OBJECT_CLASS class = object_p->class; 4658 4659 switch (class) { 4660 case CKO_PUBLIC_KEY: 4661 rv = soft_get_public_key_attribute(object_p, template); 4662 break; 4663 4664 case CKO_PRIVATE_KEY: 4665 rv = soft_get_private_key_attribute(object_p, template); 4666 break; 4667 4668 case CKO_SECRET_KEY: 4669 rv = soft_get_secret_key_attribute(object_p, template); 4670 break; 4671 4672 case CKO_DOMAIN_PARAMETERS: 4673 rv = soft_get_domain_parameters_attribute(object_p, template); 4674 break; 4675 4676 case CKO_CERTIFICATE: 4677 rv = soft_get_certificate_attribute(object_p, template); 4678 break; 4679 4680 default: 4681 /* 4682 * If the specified attribute for the object is invalid 4683 * (the object does not possess such as attribute), then 4684 * the ulValueLen is modified to hold the value -1. 4685 */ 4686 template->ulValueLen = (CK_ULONG)-1; 4687 return (CKR_ATTRIBUTE_TYPE_INVALID); 4688 } 4689 4690 return (rv); 4691 4692 } 4693 4694 CK_RV 4695 soft_set_common_storage_attribute(soft_object_t *object_p, 4696 CK_ATTRIBUTE_PTR template, boolean_t copy) 4697 { 4698 4699 CK_RV rv = CKR_OK; 4700 4701 switch (template->type) { 4702 4703 case CKA_TOKEN: 4704 if (copy) { 4705 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) { 4706 if (!soft_keystore_status(KEYSTORE_INITIALIZED)) 4707 return (CKR_DEVICE_REMOVED); 4708 object_p->object_type |= TOKEN_OBJECT; 4709 } 4710 } else { 4711 rv = CKR_ATTRIBUTE_READ_ONLY; 4712 } 4713 4714 break; 4715 4716 case CKA_PRIVATE: 4717 if (copy) { 4718 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) { 4719 (void) pthread_mutex_lock(&soft_giant_mutex); 4720 if (!soft_slot.authenticated) { 4721 /* 4722 * Check if this is the special case 4723 * when the PIN is never initialized 4724 * in the keystore. If true, we will 4725 * let it pass here and let it fail 4726 * with CKR_PIN_EXPIRED later on. 4727 */ 4728 if (!soft_slot.userpin_change_needed) { 4729 (void) pthread_mutex_unlock( 4730 &soft_giant_mutex); 4731 return (CKR_USER_NOT_LOGGED_IN); 4732 } 4733 } 4734 (void) pthread_mutex_unlock(&soft_giant_mutex); 4735 object_p->object_type |= PRIVATE_OBJECT; 4736 } 4737 } else { 4738 rv = CKR_ATTRIBUTE_READ_ONLY; 4739 } 4740 break; 4741 4742 case CKA_MODIFIABLE: 4743 if (copy) { 4744 if ((*(CK_BBOOL *)template->pValue) == TRUE) 4745 object_p->bool_attr_mask &= 4746 ~NOT_MODIFIABLE_BOOL_ON; 4747 else 4748 object_p->bool_attr_mask |= 4749 NOT_MODIFIABLE_BOOL_ON; 4750 } else { 4751 rv = CKR_ATTRIBUTE_READ_ONLY; 4752 } 4753 break; 4754 4755 case CKA_CLASS: 4756 rv = CKR_ATTRIBUTE_READ_ONLY; 4757 break; 4758 4759 default: 4760 rv = CKR_TEMPLATE_INCONSISTENT; 4761 } 4762 4763 return (rv); 4764 } 4765 4766 /* 4767 * Set the value of an attribute that is common to all key objects 4768 * (i.e. public key, private key and secret key). 4769 */ 4770 CK_RV 4771 soft_set_common_key_attribute(soft_object_t *object_p, 4772 CK_ATTRIBUTE_PTR template, boolean_t copy) 4773 { 4774 4775 switch (template->type) { 4776 4777 case CKA_LABEL: 4778 /* 4779 * Only the LABEL can be modified in the common storage 4780 * object attributes after the object is created. 4781 */ 4782 return (set_extra_attr_to_object(object_p, 4783 CKA_LABEL, template)); 4784 4785 case CKA_ID: 4786 return (set_extra_attr_to_object(object_p, 4787 CKA_ID, template)); 4788 4789 case CKA_START_DATE: 4790 return (set_extra_attr_to_object(object_p, 4791 CKA_START_DATE, template)); 4792 4793 case CKA_END_DATE: 4794 return (set_extra_attr_to_object(object_p, 4795 CKA_END_DATE, template)); 4796 4797 case CKA_DERIVE: 4798 return (set_bool_attr_to_object(object_p, 4799 DERIVE_BOOL_ON, template)); 4800 4801 case CKA_KEY_TYPE: 4802 case CKA_LOCAL: 4803 case CKA_KEY_GEN_MECHANISM: 4804 return (CKR_ATTRIBUTE_READ_ONLY); 4805 4806 default: 4807 return (soft_set_common_storage_attribute(object_p, 4808 template, copy)); 4809 4810 } 4811 4812 } 4813 4814 4815 /* 4816 * Set the value of an attribute of a Public Key Object. 4817 * 4818 * Rule: The attributes marked with footnote number "8" in the PKCS11 4819 * spec may be modified (p.88 in PKCS11 spec.). 4820 */ 4821 CK_RV 4822 soft_set_public_key_attribute(soft_object_t *object_p, 4823 CK_ATTRIBUTE_PTR template, boolean_t copy) 4824 { 4825 CK_KEY_TYPE keytype = object_p->key_type; 4826 4827 switch (template->type) { 4828 4829 case CKA_SUBJECT: 4830 return (set_extra_attr_to_object(object_p, 4831 CKA_SUBJECT, template)); 4832 4833 case CKA_ENCRYPT: 4834 return (set_bool_attr_to_object(object_p, 4835 ENCRYPT_BOOL_ON, template)); 4836 4837 case CKA_VERIFY: 4838 return (set_bool_attr_to_object(object_p, 4839 VERIFY_BOOL_ON, template)); 4840 4841 case CKA_VERIFY_RECOVER: 4842 return (set_bool_attr_to_object(object_p, 4843 VERIFY_RECOVER_BOOL_ON, template)); 4844 4845 case CKA_WRAP: 4846 return (set_bool_attr_to_object(object_p, 4847 WRAP_BOOL_ON, template)); 4848 4849 case CKA_MODULUS: 4850 case CKA_MODULUS_BITS: 4851 case CKA_PUBLIC_EXPONENT: 4852 if (keytype == CKK_RSA) 4853 return (CKR_ATTRIBUTE_READ_ONLY); 4854 break; 4855 4856 case CKA_SUBPRIME: 4857 if ((keytype == CKK_DSA) || 4858 (keytype == CKK_X9_42_DH)) 4859 return (CKR_ATTRIBUTE_READ_ONLY); 4860 break; 4861 4862 case CKA_PRIME: 4863 case CKA_BASE: 4864 case CKA_VALUE: 4865 if ((keytype == CKK_DSA) || 4866 (keytype == CKK_DH) || 4867 (keytype == CKK_X9_42_DH)) 4868 return (CKR_ATTRIBUTE_READ_ONLY); 4869 break; 4870 4871 default: 4872 /* 4873 * Set the value of a common key attribute. 4874 */ 4875 return (soft_set_common_key_attribute(object_p, 4876 template, copy)); 4877 4878 } 4879 /* 4880 * If we got this far, then the combination of key type 4881 * and requested attribute is invalid. 4882 */ 4883 return (CKR_ATTRIBUTE_TYPE_INVALID); 4884 } 4885 4886 4887 /* 4888 * Set the value of an attribute of a Private Key Object. 4889 * 4890 * Rule: The attributes marked with footnote number "8" in the PKCS11 4891 * spec may be modified (p.88 in PKCS11 spec.). 4892 */ 4893 CK_RV 4894 soft_set_private_key_attribute(soft_object_t *object_p, 4895 CK_ATTRIBUTE_PTR template, boolean_t copy) 4896 { 4897 CK_KEY_TYPE keytype = object_p->key_type; 4898 4899 switch (template->type) { 4900 4901 case CKA_SUBJECT: 4902 return (set_extra_attr_to_object(object_p, 4903 CKA_SUBJECT, template)); 4904 4905 case CKA_SENSITIVE: 4906 /* 4907 * Cannot set SENSITIVE to FALSE if it is already ON. 4908 */ 4909 if (((*(CK_BBOOL *)template->pValue) == B_FALSE) && 4910 (object_p->bool_attr_mask & SENSITIVE_BOOL_ON)) { 4911 return (CKR_ATTRIBUTE_READ_ONLY); 4912 } 4913 4914 if (*(CK_BBOOL *)template->pValue) 4915 object_p->bool_attr_mask |= SENSITIVE_BOOL_ON; 4916 return (CKR_OK); 4917 4918 case CKA_DECRYPT: 4919 return (set_bool_attr_to_object(object_p, 4920 DECRYPT_BOOL_ON, template)); 4921 4922 case CKA_SIGN: 4923 return (set_bool_attr_to_object(object_p, 4924 SIGN_BOOL_ON, template)); 4925 4926 case CKA_SIGN_RECOVER: 4927 return (set_bool_attr_to_object(object_p, 4928 SIGN_RECOVER_BOOL_ON, template)); 4929 4930 case CKA_UNWRAP: 4931 return (set_bool_attr_to_object(object_p, 4932 UNWRAP_BOOL_ON, template)); 4933 4934 case CKA_EXTRACTABLE: 4935 /* 4936 * Cannot set EXTRACTABLE to TRUE if it is already OFF. 4937 */ 4938 if ((*(CK_BBOOL *)template->pValue) && 4939 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) { 4940 return (CKR_ATTRIBUTE_READ_ONLY); 4941 } 4942 4943 if ((*(CK_BBOOL *)template->pValue) == B_FALSE) 4944 object_p->bool_attr_mask &= ~EXTRACTABLE_BOOL_ON; 4945 return (CKR_OK); 4946 4947 case CKA_MODULUS: 4948 case CKA_PUBLIC_EXPONENT: 4949 case CKA_PRIVATE_EXPONENT: 4950 case CKA_PRIME_1: 4951 case CKA_PRIME_2: 4952 case CKA_EXPONENT_1: 4953 case CKA_EXPONENT_2: 4954 case CKA_COEFFICIENT: 4955 if (keytype == CKK_RSA) { 4956 return (CKR_ATTRIBUTE_READ_ONLY); 4957 } 4958 break; 4959 4960 case CKA_SUBPRIME: 4961 if ((keytype == CKK_DSA) || 4962 (keytype == CKK_X9_42_DH)) 4963 return (CKR_ATTRIBUTE_READ_ONLY); 4964 break; 4965 4966 case CKA_PRIME: 4967 case CKA_BASE: 4968 case CKA_VALUE: 4969 if ((keytype == CKK_DSA) || 4970 (keytype == CKK_DH) || 4971 (keytype == CKK_X9_42_DH)) 4972 return (CKR_ATTRIBUTE_READ_ONLY); 4973 break; 4974 4975 case CKA_VALUE_BITS: 4976 if (keytype == CKK_DH) 4977 return (CKR_ATTRIBUTE_READ_ONLY); 4978 break; 4979 4980 default: 4981 /* 4982 * Set the value of a common key attribute. 4983 */ 4984 return (soft_set_common_key_attribute(object_p, 4985 template, copy)); 4986 } 4987 4988 /* 4989 * If we got this far, then the combination of key type 4990 * and requested attribute is invalid. 4991 */ 4992 return (CKR_ATTRIBUTE_TYPE_INVALID); 4993 } 4994 4995 /* 4996 * Set the value of an attribute of a Secret Key Object. 4997 * 4998 * Rule: The attributes marked with footnote number "8" in the PKCS11 4999 * spec may be modified (p.88 in PKCS11 spec.). 5000 */ 5001 CK_RV 5002 soft_set_secret_key_attribute(soft_object_t *object_p, 5003 CK_ATTRIBUTE_PTR template, boolean_t copy) 5004 { 5005 CK_KEY_TYPE keytype = object_p->key_type; 5006 5007 switch (template->type) { 5008 5009 case CKA_SENSITIVE: 5010 /* 5011 * Cannot set SENSITIVE to FALSE if it is already ON. 5012 */ 5013 if (((*(CK_BBOOL *)template->pValue) == B_FALSE) && 5014 (object_p->bool_attr_mask & SENSITIVE_BOOL_ON)) { 5015 return (CKR_ATTRIBUTE_READ_ONLY); 5016 } 5017 5018 if (*(CK_BBOOL *)template->pValue) 5019 object_p->bool_attr_mask |= SENSITIVE_BOOL_ON; 5020 return (CKR_OK); 5021 5022 case CKA_ENCRYPT: 5023 return (set_bool_attr_to_object(object_p, 5024 ENCRYPT_BOOL_ON, template)); 5025 5026 case CKA_DECRYPT: 5027 return (set_bool_attr_to_object(object_p, 5028 DECRYPT_BOOL_ON, template)); 5029 5030 case CKA_SIGN: 5031 return (set_bool_attr_to_object(object_p, 5032 SIGN_BOOL_ON, template)); 5033 5034 case CKA_VERIFY: 5035 return (set_bool_attr_to_object(object_p, 5036 VERIFY_BOOL_ON, template)); 5037 5038 case CKA_WRAP: 5039 return (set_bool_attr_to_object(object_p, 5040 WRAP_BOOL_ON, template)); 5041 5042 case CKA_UNWRAP: 5043 return (set_bool_attr_to_object(object_p, 5044 UNWRAP_BOOL_ON, template)); 5045 5046 case CKA_EXTRACTABLE: 5047 /* 5048 * Cannot set EXTRACTABLE to TRUE if it is already OFF. 5049 */ 5050 if ((*(CK_BBOOL *)template->pValue) && 5051 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) { 5052 return (CKR_ATTRIBUTE_READ_ONLY); 5053 } 5054 5055 if ((*(CK_BBOOL *)template->pValue) == B_FALSE) 5056 object_p->bool_attr_mask &= ~EXTRACTABLE_BOOL_ON; 5057 return (CKR_OK); 5058 5059 case CKA_VALUE: 5060 return (CKR_ATTRIBUTE_READ_ONLY); 5061 5062 case CKA_VALUE_LEN: 5063 if ((keytype == CKK_RC4) || 5064 (keytype == CKK_GENERIC_SECRET) || 5065 (keytype == CKK_AES) || 5066 (keytype == CKK_BLOWFISH)) 5067 return (CKR_ATTRIBUTE_READ_ONLY); 5068 break; 5069 5070 default: 5071 /* 5072 * Set the value of a common key attribute. 5073 */ 5074 return (soft_set_common_key_attribute(object_p, 5075 template, copy)); 5076 5077 } 5078 /* 5079 * If we got this far, then the combination of key type 5080 * and requested attribute is invalid. 5081 */ 5082 return (CKR_ATTRIBUTE_TYPE_INVALID); 5083 } 5084 5085 5086 /* 5087 * Call the appropriate set attribute function according to the class 5088 * of object. 5089 * 5090 * The caller of this function does not hold the lock on the original 5091 * object, since this function is setting the attribute on the new object 5092 * that is being modified. 5093 * 5094 * Argument copy: TRUE when called by C_CopyObject, 5095 * FALSE when called by C_SetAttributeValue. 5096 */ 5097 CK_RV 5098 soft_set_attribute(soft_object_t *object_p, CK_ATTRIBUTE_PTR template, 5099 boolean_t copy) 5100 { 5101 5102 CK_RV rv = CKR_OK; 5103 CK_OBJECT_CLASS class = object_p->class; 5104 5105 switch (class) { 5106 5107 case CKO_PUBLIC_KEY: 5108 rv = soft_set_public_key_attribute(object_p, template, copy); 5109 break; 5110 5111 case CKO_PRIVATE_KEY: 5112 rv = soft_set_private_key_attribute(object_p, template, copy); 5113 break; 5114 5115 case CKO_SECRET_KEY: 5116 rv = soft_set_secret_key_attribute(object_p, template, copy); 5117 break; 5118 5119 case CKO_DOMAIN_PARAMETERS: 5120 switch (template->type) { 5121 case CKA_LABEL: 5122 /* 5123 * Only the LABEL can be modified in the common 5124 * storage object attributes after the object is 5125 * created. 5126 */ 5127 return (set_extra_attr_to_object(object_p, 5128 CKA_LABEL, template)); 5129 default: 5130 return (CKR_TEMPLATE_INCONSISTENT); 5131 } 5132 case CKO_CERTIFICATE: 5133 rv = soft_set_certificate_attribute(object_p, template, copy); 5134 break; 5135 5136 default: 5137 /* 5138 * If the template specifies a value of an attribute 5139 * which is incompatible with other existing attributes 5140 * of the object, then fails with return code 5141 * CKR_TEMPLATE_INCONSISTENT. 5142 */ 5143 rv = CKR_TEMPLATE_INCONSISTENT; 5144 break; 5145 } 5146 5147 return (rv); 5148 } 5149 5150 CK_RV 5151 soft_get_public_value(soft_object_t *key, CK_ATTRIBUTE_TYPE type, 5152 uchar_t *value, uint32_t *value_len) 5153 { 5154 uint32_t len = 0; 5155 switch (type) { 5156 5157 /* The following attributes belong to RSA */ 5158 case CKA_MODULUS: 5159 #ifdef __sparcv9 5160 len = 5161 /* LINTED */ 5162 (uint32_t) 5163 ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value_len; 5164 #else /* !__sparcv9 */ 5165 len = 5166 ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value_len; 5167 #endif /* __sparcv9 */ 5168 5169 /* This attribute MUST BE set */ 5170 if (len == 0 || len > *value_len) { 5171 return (CKR_ATTRIBUTE_VALUE_INVALID); 5172 } 5173 *value_len = len; 5174 5175 (void) memcpy(value, 5176 ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value, 5177 *value_len); 5178 5179 break; 5180 5181 case CKA_PUBLIC_EXPONENT: 5182 #ifdef __sparcv9 5183 len = 5184 /* LINTED */ 5185 (uint32_t) 5186 ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value_len; 5187 #else /* !__sparcv9 */ 5188 len = 5189 ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value_len; 5190 #endif /* __sparcv9 */ 5191 5192 /* This attribute MUST BE set */ 5193 if (len == 0 || len > *value_len) { 5194 return (CKR_ATTRIBUTE_VALUE_INVALID); 5195 } 5196 *value_len = len; 5197 5198 (void) memcpy(value, 5199 ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value, 5200 *value_len); 5201 5202 break; 5203 5204 /* The following attributes belong to DSA and DH */ 5205 case CKA_PRIME: 5206 5207 if (key->key_type == CKK_DSA) 5208 #ifdef __sparcv9 5209 len = 5210 /* LINTED */ 5211 (uint32_t) 5212 ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))-> 5213 big_value_len; 5214 #else /* !__sparcv9 */ 5215 len = 5216 ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))-> 5217 big_value_len; 5218 #endif /* __sparcv9 */ 5219 else 5220 #ifdef __sparcv9 5221 len = 5222 /* LINTED */ 5223 (uint32_t) 5224 ((biginteger_t *)OBJ_PUB_DH_PRIME(key))-> 5225 big_value_len; 5226 #else /* !__sparcv9 */ 5227 len = 5228 ((biginteger_t *)OBJ_PUB_DH_PRIME(key))-> 5229 big_value_len; 5230 #endif /* __sparcv9 */ 5231 5232 /* This attribute MUST BE set */ 5233 if (len == 0 || len > *value_len) { 5234 return (CKR_ATTRIBUTE_VALUE_INVALID); 5235 } 5236 *value_len = len; 5237 5238 if (key->key_type == CKK_DSA) 5239 (void) memcpy(value, 5240 ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))->big_value, 5241 *value_len); 5242 else 5243 (void) memcpy(value, 5244 ((biginteger_t *)OBJ_PUB_DH_PRIME(key))->big_value, 5245 *value_len); 5246 5247 break; 5248 5249 case CKA_SUBPRIME: 5250 #ifdef __sparcv9 5251 len = 5252 /* LINTED */ 5253 (uint32_t) 5254 ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value_len; 5255 #else /* !__sparcv9 */ 5256 len = 5257 ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value_len; 5258 #endif /* __sparcv9 */ 5259 5260 /* This attribute MUST BE set */ 5261 if (len == 0 || len > *value_len) { 5262 return (CKR_ATTRIBUTE_VALUE_INVALID); 5263 } 5264 *value_len = len; 5265 5266 (void) memcpy(value, 5267 ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value, 5268 *value_len); 5269 5270 break; 5271 5272 case CKA_BASE: 5273 5274 if (key->key_type == CKK_DSA) 5275 #ifdef __sparcv9 5276 len = 5277 /* LINTED */ 5278 (uint32_t) 5279 ((biginteger_t *)OBJ_PUB_DSA_BASE(key))-> 5280 big_value_len; 5281 #else /* !__sparcv9 */ 5282 len = 5283 ((biginteger_t *)OBJ_PUB_DSA_BASE(key))-> 5284 big_value_len; 5285 #endif /* __sparcv9 */ 5286 else 5287 #ifdef __sparcv9 5288 len = 5289 /* LINTED */ 5290 (uint32_t) 5291 ((biginteger_t *)OBJ_PUB_DH_BASE(key))-> 5292 big_value_len; 5293 #else /* !__sparcv9 */ 5294 len = 5295 ((biginteger_t *)OBJ_PUB_DH_BASE(key))-> 5296 big_value_len; 5297 #endif /* __sparcv9 */ 5298 5299 /* This attribute MUST BE set */ 5300 if (len == 0 || len > *value_len) { 5301 return (CKR_ATTRIBUTE_VALUE_INVALID); 5302 } 5303 *value_len = len; 5304 5305 if (key->key_type == CKK_DSA) 5306 (void) memcpy(value, 5307 ((biginteger_t *)OBJ_PUB_DSA_BASE(key))->big_value, 5308 *value_len); 5309 else 5310 (void) memcpy(value, 5311 ((biginteger_t *)OBJ_PUB_DH_BASE(key))->big_value, 5312 *value_len); 5313 break; 5314 5315 case CKA_VALUE: 5316 5317 if (key->key_type == CKK_DSA) 5318 #ifdef __sparcv9 5319 len = 5320 /* LINTED */ 5321 (uint32_t) 5322 ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))-> 5323 big_value_len; 5324 #else /* !__sparcv9 */ 5325 len = 5326 ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))-> 5327 big_value_len; 5328 #endif /* __sparcv9 */ 5329 else 5330 #ifdef __sparcv9 5331 len = 5332 /* LINTED */ 5333 (uint32_t) 5334 ((biginteger_t *)OBJ_PUB_DH_VALUE(key))-> 5335 big_value_len; 5336 #else /* !__sparcv9 */ 5337 len = 5338 ((biginteger_t *)OBJ_PUB_DH_VALUE(key))-> 5339 big_value_len; 5340 #endif /* __sparcv9 */ 5341 5342 /* This attribute MUST BE set */ 5343 if (len == 0 || len > *value_len) { 5344 return (CKR_ATTRIBUTE_VALUE_INVALID); 5345 } 5346 *value_len = len; 5347 5348 if (key->key_type == CKK_DSA) 5349 (void) memcpy(value, 5350 ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))->big_value, 5351 *value_len); 5352 else 5353 (void) memcpy(value, 5354 ((biginteger_t *)OBJ_PUB_DH_VALUE(key))->big_value, 5355 *value_len); 5356 5357 break; 5358 } 5359 5360 return (CKR_OK); 5361 } 5362 5363 5364 CK_RV 5365 soft_get_private_value(soft_object_t *key, CK_ATTRIBUTE_TYPE type, 5366 uchar_t *value, uint32_t *value_len) 5367 { 5368 5369 uint32_t len = 0; 5370 5371 switch (type) { 5372 5373 /* The following attributes belong to RSA */ 5374 case CKA_MODULUS: 5375 #ifdef __sparcv9 5376 len = 5377 /* LINTED */ 5378 (uint32_t) 5379 ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value_len; 5380 #else /* !__sparcv9 */ 5381 len = 5382 ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value_len; 5383 #endif /* __sparcv9 */ 5384 5385 /* This attribute MUST BE set */ 5386 if (len == 0 || len > *value_len) { 5387 return (CKR_ATTRIBUTE_VALUE_INVALID); 5388 } 5389 *value_len = len; 5390 5391 (void) memcpy(value, 5392 ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value, 5393 *value_len); 5394 5395 break; 5396 5397 case CKA_PRIVATE_EXPONENT: 5398 #ifdef __sparcv9 5399 len = 5400 /* LINTED */ 5401 (uint32_t) 5402 ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value_len; 5403 #else /* !__sparcv9 */ 5404 len = 5405 ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value_len; 5406 #endif /* __sparcv9 */ 5407 5408 /* This attribute MUST BE set */ 5409 if (len == 0 || len > *value_len) { 5410 return (CKR_ATTRIBUTE_VALUE_INVALID); 5411 } 5412 *value_len = len; 5413 5414 (void) memcpy(value, 5415 ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value, 5416 *value_len); 5417 5418 break; 5419 5420 case CKA_PRIME_1: 5421 #ifdef __sparcv9 5422 len = 5423 /* LINTED */ 5424 (uint32_t) 5425 ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value_len; 5426 #else /* !__sparcv9 */ 5427 len = 5428 ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value_len; 5429 #endif /* __sparcv9 */ 5430 5431 if (len > *value_len) { 5432 return (CKR_ATTRIBUTE_VALUE_INVALID); 5433 } 5434 *value_len = len; 5435 5436 if (*value_len == 0) { 5437 return (CKR_OK); 5438 } 5439 5440 (void) memcpy(value, 5441 ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value, 5442 *value_len); 5443 5444 break; 5445 5446 case CKA_PRIME_2: 5447 #ifdef __sparcv9 5448 len = 5449 /* LINTED */ 5450 (uint32_t) 5451 ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value_len; 5452 #else /* !__sparcv9 */ 5453 len = 5454 ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value_len; 5455 #endif /* __sparcv9 */ 5456 5457 if (len > *value_len) { 5458 return (CKR_ATTRIBUTE_VALUE_INVALID); 5459 } 5460 *value_len = len; 5461 5462 if (*value_len == 0) { 5463 return (CKR_OK); 5464 } 5465 5466 (void) memcpy(value, 5467 ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value, 5468 *value_len); 5469 5470 break; 5471 5472 case CKA_EXPONENT_1: 5473 #ifdef __sparcv9 5474 len = 5475 /* LINTED */ 5476 (uint32_t) 5477 ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value_len; 5478 #else /* !__sparcv9 */ 5479 len = 5480 ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value_len; 5481 #endif /* __sparcv9 */ 5482 5483 if (len > *value_len) { 5484 return (CKR_ATTRIBUTE_VALUE_INVALID); 5485 } 5486 *value_len = len; 5487 5488 if (*value_len == 0) { 5489 return (CKR_OK); 5490 } 5491 5492 (void) memcpy(value, 5493 ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value, 5494 *value_len); 5495 5496 break; 5497 5498 case CKA_EXPONENT_2: 5499 #ifdef __sparcv9 5500 len = 5501 /* LINTED */ 5502 (uint32_t) 5503 ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value_len; 5504 #else /* !__sparcv9 */ 5505 len = 5506 ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value_len; 5507 #endif /* __sparcv9 */ 5508 5509 if (len > *value_len) { 5510 return (CKR_ATTRIBUTE_VALUE_INVALID); 5511 } 5512 *value_len = len; 5513 5514 if (*value_len == 0) { 5515 return (CKR_OK); 5516 } 5517 5518 (void) memcpy(value, 5519 ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value, 5520 *value_len); 5521 5522 break; 5523 5524 case CKA_COEFFICIENT: 5525 #ifdef __sparcv9 5526 len = 5527 /* LINTED */ 5528 (uint32_t) 5529 ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value_len; 5530 #else /* !__sparcv9 */ 5531 len = 5532 ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value_len; 5533 #endif /* __sparcv9 */ 5534 5535 if (len > *value_len) { 5536 return (CKR_ATTRIBUTE_VALUE_INVALID); 5537 } 5538 *value_len = len; 5539 5540 if (*value_len == 0) { 5541 return (CKR_OK); 5542 } 5543 5544 (void) memcpy(value, 5545 ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value, 5546 *value_len); 5547 5548 break; 5549 5550 /* The following attributes belong to DSA and DH */ 5551 case CKA_PRIME: 5552 5553 if (key->key_type == CKK_DSA) 5554 #ifdef __sparcv9 5555 len = 5556 /* LINTED */ 5557 (uint32_t) 5558 ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))-> 5559 big_value_len; 5560 #else /* !__sparcv9 */ 5561 len = 5562 ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))-> 5563 big_value_len; 5564 #endif /* __sparcv9 */ 5565 else 5566 #ifdef __sparcv9 5567 len = 5568 /* LINTED */ 5569 (uint32_t) 5570 ((biginteger_t *)OBJ_PRI_DH_PRIME(key))-> 5571 big_value_len; 5572 #else /* !__sparcv9 */ 5573 len = 5574 ((biginteger_t *)OBJ_PRI_DH_PRIME(key))-> 5575 big_value_len; 5576 #endif /* __sparcv9 */ 5577 5578 /* This attribute MUST BE set */ 5579 if (len == 0 || len > *value_len) { 5580 return (CKR_ATTRIBUTE_VALUE_INVALID); 5581 } 5582 *value_len = len; 5583 5584 if (key->key_type == CKK_DSA) 5585 (void) memcpy(value, 5586 ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))->big_value, 5587 *value_len); 5588 else 5589 (void) memcpy(value, 5590 ((biginteger_t *)OBJ_PRI_DH_PRIME(key))->big_value, 5591 *value_len); 5592 5593 break; 5594 5595 case CKA_SUBPRIME: 5596 #ifdef __sparcv9 5597 len = 5598 /* LINTED */ 5599 (uint32_t) 5600 ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value_len; 5601 #else /* !__sparcv9 */ 5602 len = 5603 ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value_len; 5604 #endif /* __sparcv9 */ 5605 5606 /* This attribute MUST BE set */ 5607 if (len == 0 || len > *value_len) { 5608 return (CKR_ATTRIBUTE_VALUE_INVALID); 5609 } 5610 *value_len = len; 5611 5612 (void) memcpy(value, 5613 ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value, 5614 *value_len); 5615 5616 break; 5617 5618 case CKA_BASE: 5619 5620 if (key->key_type == CKK_DSA) 5621 #ifdef __sparcv9 5622 len = 5623 /* LINTED */ 5624 (uint32_t) 5625 ((biginteger_t *)OBJ_PRI_DSA_BASE(key))-> 5626 big_value_len; 5627 #else /* !__sparcv9 */ 5628 len = 5629 ((biginteger_t *)OBJ_PRI_DSA_BASE(key))-> 5630 big_value_len; 5631 #endif /* __sparcv9 */ 5632 else 5633 #ifdef __sparcv9 5634 len = 5635 /* LINTED */ 5636 (uint32_t) 5637 ((biginteger_t *)OBJ_PRI_DH_BASE(key))-> 5638 big_value_len; 5639 #else /* !__sparcv9 */ 5640 len = 5641 ((biginteger_t *)OBJ_PRI_DH_BASE(key))-> 5642 big_value_len; 5643 #endif /* __sparcv9 */ 5644 5645 /* This attribute MUST BE set */ 5646 if (len == 0 || len > *value_len) { 5647 return (CKR_ATTRIBUTE_VALUE_INVALID); 5648 } 5649 *value_len = len; 5650 5651 if (key->key_type == CKK_DSA) 5652 (void) memcpy(value, 5653 ((biginteger_t *)OBJ_PRI_DSA_BASE(key))->big_value, 5654 *value_len); 5655 else 5656 (void) memcpy(value, 5657 ((biginteger_t *)OBJ_PRI_DH_BASE(key))->big_value, 5658 *value_len); 5659 break; 5660 5661 case CKA_VALUE: 5662 5663 if (key->key_type == CKK_DSA) { 5664 #ifdef __sparcv9 5665 len = 5666 /* LINTED */ 5667 (uint32_t) 5668 ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))-> 5669 big_value_len; 5670 #else /* !__sparcv9 */ 5671 len = 5672 ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))-> 5673 big_value_len; 5674 #endif /* __sparcv9 */ 5675 } else if (key->key_type == CKK_DH) { 5676 #ifdef __sparcv9 5677 len = 5678 /* LINTED */ 5679 (uint32_t) 5680 ((biginteger_t *)OBJ_PRI_DH_VALUE(key))-> 5681 big_value_len; 5682 #else /* !__sparcv9 */ 5683 len = 5684 ((biginteger_t *)OBJ_PRI_DH_VALUE(key))-> 5685 big_value_len; 5686 #endif /* __sparcv9 */ 5687 } else { 5688 #ifdef __sparcv9 5689 len = 5690 /* LINTED */ 5691 (uint32_t) 5692 ((biginteger_t *)OBJ_PRI_EC_VALUE(key))-> 5693 big_value_len; 5694 #else /* !__sparcv9 */ 5695 len = 5696 ((biginteger_t *)OBJ_PRI_EC_VALUE(key))-> 5697 big_value_len; 5698 #endif /* __sparcv9 */ 5699 } 5700 5701 /* This attribute MUST BE set */ 5702 if (len == 0 || len > *value_len) { 5703 return (CKR_ATTRIBUTE_VALUE_INVALID); 5704 } 5705 *value_len = len; 5706 5707 if (key->key_type == CKK_DSA) { 5708 (void) memcpy(value, 5709 ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))->big_value, 5710 *value_len); 5711 } else if (key->key_type == CKK_DH) { 5712 (void) memcpy(value, 5713 ((biginteger_t *)OBJ_PRI_DH_VALUE(key))->big_value, 5714 *value_len); 5715 } else { 5716 (void) memcpy(value, 5717 ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->big_value, 5718 *value_len); 5719 } 5720 5721 break; 5722 } 5723 5724 return (CKR_OK); 5725 5726 } 5727 5728 static CK_RV 5729 copy_bigint(biginteger_t *new_bigint, biginteger_t *old_bigint) 5730 { 5731 new_bigint->big_value = 5732 malloc((sizeof (CK_BYTE) * new_bigint->big_value_len)); 5733 5734 if (new_bigint->big_value == NULL) { 5735 return (CKR_HOST_MEMORY); 5736 } 5737 5738 (void) memcpy(new_bigint->big_value, old_bigint->big_value, 5739 (sizeof (CK_BYTE) * new_bigint->big_value_len)); 5740 5741 return (CKR_OK); 5742 } 5743 5744 static void 5745 free_public_key_attr(public_key_obj_t *pbk, CK_KEY_TYPE key_type) 5746 { 5747 if (pbk == NULL) { 5748 return; 5749 } 5750 5751 switch (key_type) { 5752 case CKK_RSA: 5753 bigint_attr_cleanup(KEY_PUB_RSA_MOD(pbk)); 5754 bigint_attr_cleanup(KEY_PUB_RSA_PUBEXPO(pbk)); 5755 break; 5756 case CKK_DSA: 5757 bigint_attr_cleanup(KEY_PUB_DSA_PRIME(pbk)); 5758 bigint_attr_cleanup(KEY_PUB_DSA_SUBPRIME(pbk)); 5759 bigint_attr_cleanup(KEY_PUB_DSA_BASE(pbk)); 5760 bigint_attr_cleanup(KEY_PUB_DSA_VALUE(pbk)); 5761 break; 5762 case CKK_DH: 5763 bigint_attr_cleanup(KEY_PUB_DH_PRIME(pbk)); 5764 bigint_attr_cleanup(KEY_PUB_DH_BASE(pbk)); 5765 bigint_attr_cleanup(KEY_PUB_DH_VALUE(pbk)); 5766 break; 5767 case CKK_EC: 5768 bigint_attr_cleanup(KEY_PUB_EC_POINT(pbk)); 5769 break; 5770 case CKK_X9_42_DH: 5771 bigint_attr_cleanup(KEY_PUB_DH942_PRIME(pbk)); 5772 bigint_attr_cleanup(KEY_PUB_DH942_SUBPRIME(pbk)); 5773 bigint_attr_cleanup(KEY_PUB_DH942_BASE(pbk)); 5774 bigint_attr_cleanup(KEY_PUB_DH942_VALUE(pbk)); 5775 break; 5776 default: 5777 break; 5778 } 5779 free(pbk); 5780 } 5781 5782 CK_RV 5783 soft_copy_public_key_attr(public_key_obj_t *old_pub_key_obj_p, 5784 public_key_obj_t **new_pub_key_obj_p, CK_KEY_TYPE key_type) 5785 { 5786 5787 public_key_obj_t *pbk; 5788 CK_RV rv = CKR_OK; 5789 5790 pbk = calloc(1, sizeof (public_key_obj_t)); 5791 if (pbk == NULL) { 5792 return (CKR_HOST_MEMORY); 5793 } 5794 5795 switch (key_type) { 5796 case CKK_RSA: 5797 (void) memcpy(KEY_PUB_RSA(pbk), 5798 KEY_PUB_RSA(old_pub_key_obj_p), 5799 sizeof (rsa_pub_key_t)); 5800 /* copy modulus */ 5801 rv = copy_bigint(KEY_PUB_RSA_MOD(pbk), 5802 KEY_PUB_RSA_MOD(old_pub_key_obj_p)); 5803 if (rv != CKR_OK) { 5804 free_public_key_attr(pbk, key_type); 5805 return (rv); 5806 } 5807 /* copy public exponent */ 5808 rv = copy_bigint(KEY_PUB_RSA_PUBEXPO(pbk), 5809 KEY_PUB_RSA_PUBEXPO(old_pub_key_obj_p)); 5810 if (rv != CKR_OK) { 5811 free_public_key_attr(pbk, key_type); 5812 return (rv); 5813 } 5814 break; 5815 case CKK_DSA: 5816 (void) memcpy(KEY_PUB_DSA(pbk), 5817 KEY_PUB_DSA(old_pub_key_obj_p), 5818 sizeof (dsa_pub_key_t)); 5819 5820 /* copy prime */ 5821 rv = copy_bigint(KEY_PUB_DSA_PRIME(pbk), 5822 KEY_PUB_DSA_PRIME(old_pub_key_obj_p)); 5823 if (rv != CKR_OK) { 5824 free_public_key_attr(pbk, key_type); 5825 return (rv); 5826 } 5827 5828 /* copy subprime */ 5829 rv = copy_bigint(KEY_PUB_DSA_SUBPRIME(pbk), 5830 KEY_PUB_DSA_SUBPRIME(old_pub_key_obj_p)); 5831 if (rv != CKR_OK) { 5832 free_public_key_attr(pbk, key_type); 5833 return (rv); 5834 } 5835 5836 /* copy base */ 5837 rv = copy_bigint(KEY_PUB_DSA_BASE(pbk), 5838 KEY_PUB_DSA_BASE(old_pub_key_obj_p)); 5839 if (rv != CKR_OK) { 5840 free_public_key_attr(pbk, key_type); 5841 return (rv); 5842 } 5843 5844 /* copy value */ 5845 rv = copy_bigint(KEY_PUB_DSA_VALUE(pbk), 5846 KEY_PUB_DSA_VALUE(old_pub_key_obj_p)); 5847 if (rv != CKR_OK) { 5848 free_public_key_attr(pbk, key_type); 5849 return (rv); 5850 } 5851 break; 5852 case CKK_DH: 5853 (void) memcpy(KEY_PUB_DH(pbk), 5854 KEY_PUB_DH(old_pub_key_obj_p), 5855 sizeof (dh_pub_key_t)); 5856 5857 /* copy prime */ 5858 rv = copy_bigint(KEY_PUB_DH_PRIME(pbk), 5859 KEY_PUB_DH_PRIME(old_pub_key_obj_p)); 5860 if (rv != CKR_OK) { 5861 free_public_key_attr(pbk, key_type); 5862 return (rv); 5863 } 5864 5865 /* copy base */ 5866 rv = copy_bigint(KEY_PUB_DH_BASE(pbk), 5867 KEY_PUB_DH_BASE(old_pub_key_obj_p)); 5868 if (rv != CKR_OK) { 5869 free_public_key_attr(pbk, key_type); 5870 return (rv); 5871 } 5872 5873 /* copy value */ 5874 rv = copy_bigint(KEY_PUB_DH_VALUE(pbk), 5875 KEY_PUB_DH_VALUE(old_pub_key_obj_p)); 5876 if (rv != CKR_OK) { 5877 free_public_key_attr(pbk, key_type); 5878 return (rv); 5879 } 5880 break; 5881 case CKK_EC: 5882 (void) memcpy(KEY_PUB_EC(pbk), 5883 KEY_PUB_EC(old_pub_key_obj_p), 5884 sizeof (ec_pub_key_t)); 5885 5886 /* copy point */ 5887 rv = copy_bigint(KEY_PUB_EC_POINT(pbk), 5888 KEY_PUB_EC_POINT(old_pub_key_obj_p)); 5889 if (rv != CKR_OK) { 5890 free_public_key_attr(pbk, key_type); 5891 return (rv); 5892 } 5893 break; 5894 case CKK_X9_42_DH: 5895 (void) memcpy(KEY_PUB_DH942(pbk), 5896 KEY_PUB_DH942(old_pub_key_obj_p), 5897 sizeof (dh942_pub_key_t)); 5898 5899 /* copy prime */ 5900 rv = copy_bigint(KEY_PUB_DH942_PRIME(pbk), 5901 KEY_PUB_DH942_PRIME(old_pub_key_obj_p)); 5902 if (rv != CKR_OK) { 5903 free_public_key_attr(pbk, key_type); 5904 return (rv); 5905 } 5906 5907 /* copy subprime */ 5908 rv = copy_bigint(KEY_PUB_DH942_SUBPRIME(pbk), 5909 KEY_PUB_DH942_SUBPRIME(old_pub_key_obj_p)); 5910 if (rv != CKR_OK) { 5911 free_public_key_attr(pbk, key_type); 5912 return (rv); 5913 } 5914 5915 /* copy base */ 5916 rv = copy_bigint(KEY_PUB_DH942_BASE(pbk), 5917 KEY_PUB_DH942_BASE(old_pub_key_obj_p)); 5918 if (rv != CKR_OK) { 5919 free_public_key_attr(pbk, key_type); 5920 return (rv); 5921 } 5922 5923 /* copy value */ 5924 rv = copy_bigint(KEY_PUB_DH942_VALUE(pbk), 5925 KEY_PUB_DH942_VALUE(old_pub_key_obj_p)); 5926 if (rv != CKR_OK) { 5927 free_public_key_attr(pbk, key_type); 5928 return (rv); 5929 } 5930 break; 5931 default: 5932 break; 5933 } 5934 *new_pub_key_obj_p = pbk; 5935 return (rv); 5936 } 5937 5938 static void 5939 free_private_key_attr(private_key_obj_t *pbk, CK_KEY_TYPE key_type) 5940 { 5941 if (pbk == NULL) { 5942 return; 5943 } 5944 5945 switch (key_type) { 5946 case CKK_RSA: 5947 bigint_attr_cleanup(KEY_PRI_RSA_MOD(pbk)); 5948 bigint_attr_cleanup(KEY_PRI_RSA_PUBEXPO(pbk)); 5949 bigint_attr_cleanup(KEY_PRI_RSA_PRIEXPO(pbk)); 5950 bigint_attr_cleanup(KEY_PRI_RSA_PRIME1(pbk)); 5951 bigint_attr_cleanup(KEY_PRI_RSA_PRIME2(pbk)); 5952 bigint_attr_cleanup(KEY_PRI_RSA_EXPO1(pbk)); 5953 bigint_attr_cleanup(KEY_PRI_RSA_EXPO2(pbk)); 5954 bigint_attr_cleanup(KEY_PRI_RSA_COEF(pbk)); 5955 break; 5956 case CKK_DSA: 5957 bigint_attr_cleanup(KEY_PRI_DSA_PRIME(pbk)); 5958 bigint_attr_cleanup(KEY_PRI_DSA_SUBPRIME(pbk)); 5959 bigint_attr_cleanup(KEY_PRI_DSA_BASE(pbk)); 5960 bigint_attr_cleanup(KEY_PRI_DSA_VALUE(pbk)); 5961 break; 5962 case CKK_DH: 5963 bigint_attr_cleanup(KEY_PRI_DH_PRIME(pbk)); 5964 bigint_attr_cleanup(KEY_PRI_DH_BASE(pbk)); 5965 bigint_attr_cleanup(KEY_PRI_DH_VALUE(pbk)); 5966 break; 5967 case CKK_EC: 5968 bigint_attr_cleanup(KEY_PRI_EC_VALUE(pbk)); 5969 break; 5970 case CKK_X9_42_DH: 5971 bigint_attr_cleanup(KEY_PRI_DH942_PRIME(pbk)); 5972 bigint_attr_cleanup(KEY_PRI_DH942_SUBPRIME(pbk)); 5973 bigint_attr_cleanup(KEY_PRI_DH942_BASE(pbk)); 5974 bigint_attr_cleanup(KEY_PRI_DH942_VALUE(pbk)); 5975 break; 5976 default: 5977 break; 5978 } 5979 free(pbk); 5980 } 5981 5982 CK_RV 5983 soft_copy_private_key_attr(private_key_obj_t *old_pri_key_obj_p, 5984 private_key_obj_t **new_pri_key_obj_p, CK_KEY_TYPE key_type) 5985 { 5986 CK_RV rv = CKR_OK; 5987 private_key_obj_t *pbk; 5988 5989 pbk = calloc(1, sizeof (private_key_obj_t)); 5990 if (pbk == NULL) { 5991 return (CKR_HOST_MEMORY); 5992 } 5993 5994 switch (key_type) { 5995 case CKK_RSA: 5996 (void) memcpy(KEY_PRI_RSA(pbk), 5997 KEY_PRI_RSA(old_pri_key_obj_p), 5998 sizeof (rsa_pri_key_t)); 5999 /* copy modulus */ 6000 rv = copy_bigint(KEY_PRI_RSA_MOD(pbk), 6001 KEY_PRI_RSA_MOD(old_pri_key_obj_p)); 6002 if (rv != CKR_OK) { 6003 free_private_key_attr(pbk, key_type); 6004 return (rv); 6005 } 6006 /* copy public exponent */ 6007 rv = copy_bigint(KEY_PRI_RSA_PUBEXPO(pbk), 6008 KEY_PRI_RSA_PUBEXPO(old_pri_key_obj_p)); 6009 if (rv != CKR_OK) { 6010 free_private_key_attr(pbk, key_type); 6011 return (rv); 6012 } 6013 /* copy private exponent */ 6014 rv = copy_bigint(KEY_PRI_RSA_PRIEXPO(pbk), 6015 KEY_PRI_RSA_PRIEXPO(old_pri_key_obj_p)); 6016 if (rv != CKR_OK) { 6017 free_private_key_attr(pbk, key_type); 6018 return (rv); 6019 } 6020 /* copy prime_1 */ 6021 rv = copy_bigint(KEY_PRI_RSA_PRIME1(pbk), 6022 KEY_PRI_RSA_PRIME1(old_pri_key_obj_p)); 6023 if (rv != CKR_OK) { 6024 free_private_key_attr(pbk, key_type); 6025 return (rv); 6026 } 6027 /* copy prime_2 */ 6028 rv = copy_bigint(KEY_PRI_RSA_PRIME2(pbk), 6029 KEY_PRI_RSA_PRIME2(old_pri_key_obj_p)); 6030 if (rv != CKR_OK) { 6031 free_private_key_attr(pbk, key_type); 6032 return (rv); 6033 } 6034 /* copy exponent_1 */ 6035 rv = copy_bigint(KEY_PRI_RSA_EXPO1(pbk), 6036 KEY_PRI_RSA_EXPO1(old_pri_key_obj_p)); 6037 if (rv != CKR_OK) { 6038 free_private_key_attr(pbk, key_type); 6039 return (rv); 6040 } 6041 /* copy exponent_2 */ 6042 rv = copy_bigint(KEY_PRI_RSA_EXPO2(pbk), 6043 KEY_PRI_RSA_EXPO2(old_pri_key_obj_p)); 6044 if (rv != CKR_OK) { 6045 free_private_key_attr(pbk, key_type); 6046 return (rv); 6047 } 6048 /* copy coefficient */ 6049 rv = copy_bigint(KEY_PRI_RSA_COEF(pbk), 6050 KEY_PRI_RSA_COEF(old_pri_key_obj_p)); 6051 if (rv != CKR_OK) { 6052 free_private_key_attr(pbk, key_type); 6053 return (rv); 6054 } 6055 break; 6056 case CKK_DSA: 6057 (void) memcpy(KEY_PRI_DSA(pbk), 6058 KEY_PRI_DSA(old_pri_key_obj_p), 6059 sizeof (dsa_pri_key_t)); 6060 6061 /* copy prime */ 6062 rv = copy_bigint(KEY_PRI_DSA_PRIME(pbk), 6063 KEY_PRI_DSA_PRIME(old_pri_key_obj_p)); 6064 if (rv != CKR_OK) { 6065 free_private_key_attr(pbk, key_type); 6066 return (rv); 6067 } 6068 6069 /* copy subprime */ 6070 rv = copy_bigint(KEY_PRI_DSA_SUBPRIME(pbk), 6071 KEY_PRI_DSA_SUBPRIME(old_pri_key_obj_p)); 6072 if (rv != CKR_OK) { 6073 free_private_key_attr(pbk, key_type); 6074 return (rv); 6075 } 6076 6077 /* copy base */ 6078 rv = copy_bigint(KEY_PRI_DSA_BASE(pbk), 6079 KEY_PRI_DSA_BASE(old_pri_key_obj_p)); 6080 if (rv != CKR_OK) { 6081 free_private_key_attr(pbk, key_type); 6082 return (rv); 6083 } 6084 6085 /* copy value */ 6086 rv = copy_bigint(KEY_PRI_DSA_VALUE(pbk), 6087 KEY_PRI_DSA_VALUE(old_pri_key_obj_p)); 6088 if (rv != CKR_OK) { 6089 free_private_key_attr(pbk, key_type); 6090 return (rv); 6091 } 6092 break; 6093 case CKK_DH: 6094 (void) memcpy(KEY_PRI_DH(pbk), 6095 KEY_PRI_DH(old_pri_key_obj_p), 6096 sizeof (dh_pri_key_t)); 6097 6098 /* copy prime */ 6099 rv = copy_bigint(KEY_PRI_DH_PRIME(pbk), 6100 KEY_PRI_DH_PRIME(old_pri_key_obj_p)); 6101 if (rv != CKR_OK) { 6102 free_private_key_attr(pbk, key_type); 6103 return (rv); 6104 } 6105 6106 /* copy base */ 6107 rv = copy_bigint(KEY_PRI_DH_BASE(pbk), 6108 KEY_PRI_DH_BASE(old_pri_key_obj_p)); 6109 if (rv != CKR_OK) { 6110 free_private_key_attr(pbk, key_type); 6111 return (rv); 6112 } 6113 6114 /* copy value */ 6115 rv = copy_bigint(KEY_PRI_DH_VALUE(pbk), 6116 KEY_PRI_DH_VALUE(old_pri_key_obj_p)); 6117 if (rv != CKR_OK) { 6118 free_private_key_attr(pbk, key_type); 6119 return (rv); 6120 } 6121 break; 6122 case CKK_EC: 6123 (void) memcpy(KEY_PRI_EC(pbk), 6124 KEY_PRI_EC(old_pri_key_obj_p), 6125 sizeof (ec_pri_key_t)); 6126 6127 /* copy value */ 6128 rv = copy_bigint(KEY_PRI_EC_VALUE(pbk), 6129 KEY_PRI_EC_VALUE(old_pri_key_obj_p)); 6130 if (rv != CKR_OK) { 6131 free_private_key_attr(pbk, key_type); 6132 return (rv); 6133 } 6134 break; 6135 case CKK_X9_42_DH: 6136 (void) memcpy(KEY_PRI_DH942(pbk), 6137 KEY_PRI_DH942(old_pri_key_obj_p), 6138 sizeof (dh942_pri_key_t)); 6139 6140 /* copy prime */ 6141 rv = copy_bigint(KEY_PRI_DH942_PRIME(pbk), 6142 KEY_PRI_DH942_PRIME(old_pri_key_obj_p)); 6143 if (rv != CKR_OK) { 6144 free_private_key_attr(pbk, key_type); 6145 return (rv); 6146 } 6147 6148 /* copy subprime */ 6149 rv = copy_bigint(KEY_PRI_DH942_SUBPRIME(pbk), 6150 KEY_PRI_DH942_SUBPRIME(old_pri_key_obj_p)); 6151 if (rv != CKR_OK) { 6152 free_private_key_attr(pbk, key_type); 6153 return (rv); 6154 } 6155 6156 /* copy base */ 6157 rv = copy_bigint(KEY_PRI_DH942_BASE(pbk), 6158 KEY_PRI_DH942_BASE(old_pri_key_obj_p)); 6159 if (rv != CKR_OK) { 6160 free_private_key_attr(pbk, key_type); 6161 return (rv); 6162 } 6163 6164 /* copy value */ 6165 rv = copy_bigint(KEY_PRI_DH942_VALUE(pbk), 6166 KEY_PRI_DH942_VALUE(old_pri_key_obj_p)); 6167 if (rv != CKR_OK) { 6168 free_private_key_attr(pbk, key_type); 6169 return (rv); 6170 } 6171 break; 6172 default: 6173 break; 6174 } 6175 *new_pri_key_obj_p = pbk; 6176 return (rv); 6177 } 6178 6179 static void 6180 free_domain_attr(domain_obj_t *domain, CK_KEY_TYPE key_type) 6181 { 6182 if (domain == NULL) { 6183 return; 6184 } 6185 6186 switch (key_type) { 6187 case CKK_DSA: 6188 bigint_attr_cleanup(KEY_DOM_DSA_PRIME(domain)); 6189 bigint_attr_cleanup(KEY_DOM_DSA_SUBPRIME(domain)); 6190 bigint_attr_cleanup(KEY_DOM_DSA_BASE(domain)); 6191 break; 6192 case CKK_DH: 6193 bigint_attr_cleanup(KEY_DOM_DH_PRIME(domain)); 6194 bigint_attr_cleanup(KEY_DOM_DH_BASE(domain)); 6195 break; 6196 case CKK_X9_42_DH: 6197 bigint_attr_cleanup(KEY_DOM_DH942_PRIME(domain)); 6198 bigint_attr_cleanup(KEY_DOM_DH942_SUBPRIME(domain)); 6199 bigint_attr_cleanup(KEY_DOM_DH942_BASE(domain)); 6200 break; 6201 default: 6202 break; 6203 } 6204 free(domain); 6205 } 6206 6207 CK_RV 6208 soft_copy_domain_attr(domain_obj_t *old_domain_obj_p, 6209 domain_obj_t **new_domain_obj_p, CK_KEY_TYPE key_type) 6210 { 6211 CK_RV rv = CKR_OK; 6212 domain_obj_t *domain; 6213 6214 domain = calloc(1, sizeof (domain_obj_t)); 6215 if (domain == NULL) { 6216 return (CKR_HOST_MEMORY); 6217 } 6218 6219 switch (key_type) { 6220 case CKK_DSA: 6221 (void) memcpy(KEY_DOM_DSA(domain), 6222 KEY_DOM_DSA(old_domain_obj_p), 6223 sizeof (dsa_dom_key_t)); 6224 6225 /* copy prime */ 6226 rv = copy_bigint(KEY_DOM_DSA_PRIME(domain), 6227 KEY_DOM_DSA_PRIME(old_domain_obj_p)); 6228 if (rv != CKR_OK) { 6229 free_domain_attr(domain, key_type); 6230 return (rv); 6231 } 6232 6233 /* copy subprime */ 6234 rv = copy_bigint(KEY_DOM_DSA_SUBPRIME(domain), 6235 KEY_DOM_DSA_SUBPRIME(old_domain_obj_p)); 6236 if (rv != CKR_OK) { 6237 free_domain_attr(domain, key_type); 6238 return (rv); 6239 } 6240 6241 /* copy base */ 6242 rv = copy_bigint(KEY_DOM_DSA_BASE(domain), 6243 KEY_DOM_DSA_BASE(old_domain_obj_p)); 6244 if (rv != CKR_OK) { 6245 free_domain_attr(domain, key_type); 6246 return (rv); 6247 } 6248 6249 break; 6250 case CKK_DH: 6251 (void) memcpy(KEY_DOM_DH(domain), 6252 KEY_DOM_DH(old_domain_obj_p), 6253 sizeof (dh_dom_key_t)); 6254 6255 /* copy prime */ 6256 rv = copy_bigint(KEY_DOM_DH_PRIME(domain), 6257 KEY_DOM_DH_PRIME(old_domain_obj_p)); 6258 if (rv != CKR_OK) { 6259 free_domain_attr(domain, key_type); 6260 return (rv); 6261 } 6262 6263 /* copy base */ 6264 rv = copy_bigint(KEY_DOM_DH_BASE(domain), 6265 KEY_DOM_DH_BASE(old_domain_obj_p)); 6266 if (rv != CKR_OK) { 6267 free_domain_attr(domain, key_type); 6268 return (rv); 6269 } 6270 6271 break; 6272 case CKK_X9_42_DH: 6273 (void) memcpy(KEY_DOM_DH942(domain), 6274 KEY_DOM_DH942(old_domain_obj_p), 6275 sizeof (dh942_dom_key_t)); 6276 6277 /* copy prime */ 6278 rv = copy_bigint(KEY_DOM_DH942_PRIME(domain), 6279 KEY_DOM_DH942_PRIME(old_domain_obj_p)); 6280 if (rv != CKR_OK) { 6281 free_domain_attr(domain, key_type); 6282 return (rv); 6283 } 6284 6285 /* copy subprime */ 6286 rv = copy_bigint(KEY_DOM_DH942_SUBPRIME(domain), 6287 KEY_DOM_DH942_SUBPRIME(old_domain_obj_p)); 6288 if (rv != CKR_OK) { 6289 free_domain_attr(domain, key_type); 6290 return (rv); 6291 } 6292 6293 /* copy base */ 6294 rv = copy_bigint(KEY_DOM_DH942_BASE(domain), 6295 KEY_DOM_DH942_BASE(old_domain_obj_p)); 6296 if (rv != CKR_OK) { 6297 free_domain_attr(domain, key_type); 6298 return (rv); 6299 } 6300 6301 break; 6302 default: 6303 break; 6304 } 6305 *new_domain_obj_p = domain; 6306 return (rv); 6307 } 6308 6309 CK_RV 6310 soft_copy_secret_key_attr(secret_key_obj_t *old_secret_key_obj_p, 6311 secret_key_obj_t **new_secret_key_obj_p) 6312 { 6313 secret_key_obj_t *sk; 6314 6315 sk = malloc(sizeof (secret_key_obj_t)); 6316 if (sk == NULL) { 6317 return (CKR_HOST_MEMORY); 6318 } 6319 (void) memcpy(sk, old_secret_key_obj_p, sizeof (secret_key_obj_t)); 6320 6321 /* copy the secret key value */ 6322 sk->sk_value = malloc((sizeof (CK_BYTE) * sk->sk_value_len)); 6323 if (sk->sk_value == NULL) { 6324 free(sk); 6325 return (CKR_HOST_MEMORY); 6326 } 6327 (void) memcpy(sk->sk_value, old_secret_key_obj_p->sk_value, 6328 (sizeof (CK_BYTE) * sk->sk_value_len)); 6329 6330 /* 6331 * Copy the pre-expanded key schedule. 6332 */ 6333 if (old_secret_key_obj_p->key_sched != NULL && 6334 old_secret_key_obj_p->keysched_len > 0) { 6335 sk->key_sched = malloc(old_secret_key_obj_p->keysched_len); 6336 if (sk->key_sched == NULL) { 6337 free(sk); 6338 return (CKR_HOST_MEMORY); 6339 } 6340 sk->keysched_len = old_secret_key_obj_p->keysched_len; 6341 (void) memcpy(sk->key_sched, old_secret_key_obj_p->key_sched, 6342 sk->keysched_len); 6343 } 6344 6345 *new_secret_key_obj_p = sk; 6346 6347 return (CKR_OK); 6348 } 6349 6350 /* 6351 * If CKA_CLASS not given, guess CKA_CLASS using 6352 * attributes on template . 6353 * 6354 * Some attributes are specific to an object class. If one or more 6355 * of these attributes are in the template, make a list of classes 6356 * that can have these attributes. This would speed up the search later, 6357 * because we can immediately skip an object if the class of that 6358 * object can not possibly contain one of the attributes. 6359 * 6360 */ 6361 void 6362 soft_process_find_attr(CK_OBJECT_CLASS *pclasses, 6363 CK_ULONG *num_result_pclasses, CK_ATTRIBUTE_PTR pTemplate, 6364 CK_ULONG ulCount) 6365 { 6366 ulong_t i; 6367 int j; 6368 boolean_t pub_found = B_FALSE, 6369 priv_found = B_FALSE, 6370 secret_found = B_FALSE, 6371 domain_found = B_FALSE, 6372 hardware_found = B_FALSE, 6373 cert_found = B_FALSE; 6374 int num_pub_key_attrs, num_priv_key_attrs, 6375 num_secret_key_attrs, num_domain_attrs, 6376 num_hardware_attrs, num_cert_attrs; 6377 int num_pclasses = 0; 6378 6379 for (i = 0; i < ulCount; i++) { 6380 if (pTemplate[i].type == CKA_CLASS) { 6381 /* 6382 * don't need to guess the class, it is specified. 6383 * Just record the class, and return. 6384 */ 6385 pclasses[0] = 6386 (*((CK_OBJECT_CLASS *)pTemplate[i].pValue)); 6387 *num_result_pclasses = 1; 6388 return; 6389 } 6390 } 6391 6392 num_pub_key_attrs = 6393 sizeof (PUB_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6394 num_priv_key_attrs = 6395 sizeof (PRIV_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6396 num_secret_key_attrs = 6397 sizeof (SECRET_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6398 num_domain_attrs = 6399 sizeof (DOMAIN_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6400 num_hardware_attrs = 6401 sizeof (HARDWARE_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6402 num_cert_attrs = 6403 sizeof (CERT_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6404 6405 /* 6406 * Get the list of objects class that might contain 6407 * some attributes. 6408 */ 6409 for (i = 0; i < ulCount; i++) { 6410 /* 6411 * only check if this attribute can belong to public key object 6412 * class if public key object isn't already in the list 6413 */ 6414 if (!pub_found) { 6415 for (j = 0; j < num_pub_key_attrs; j++) { 6416 if (pTemplate[i].type == PUB_KEY_ATTRS[j]) { 6417 pub_found = B_TRUE; 6418 pclasses[num_pclasses++] = 6419 CKO_PUBLIC_KEY; 6420 break; 6421 } 6422 } 6423 } 6424 6425 if (!priv_found) { 6426 for (j = 0; j < num_priv_key_attrs; j++) { 6427 if (pTemplate[i].type == PRIV_KEY_ATTRS[j]) { 6428 priv_found = B_TRUE; 6429 pclasses[num_pclasses++] = 6430 CKO_PRIVATE_KEY; 6431 break; 6432 } 6433 } 6434 } 6435 6436 if (!secret_found) { 6437 for (j = 0; j < num_secret_key_attrs; j++) { 6438 if (pTemplate[i].type == SECRET_KEY_ATTRS[j]) { 6439 secret_found = B_TRUE; 6440 pclasses[num_pclasses++] = 6441 CKO_SECRET_KEY; 6442 break; 6443 } 6444 } 6445 } 6446 6447 if (!domain_found) { 6448 for (j = 0; j < num_domain_attrs; j++) { 6449 if (pTemplate[i].type == DOMAIN_ATTRS[j]) { 6450 domain_found = B_TRUE; 6451 pclasses[num_pclasses++] = 6452 CKO_DOMAIN_PARAMETERS; 6453 break; 6454 } 6455 } 6456 } 6457 6458 if (!hardware_found) { 6459 for (j = 0; j < num_hardware_attrs; j++) { 6460 if (pTemplate[i].type == HARDWARE_ATTRS[j]) { 6461 hardware_found = B_TRUE; 6462 pclasses[num_pclasses++] = 6463 CKO_HW_FEATURE; 6464 break; 6465 } 6466 } 6467 } 6468 6469 if (!cert_found) { 6470 for (j = 0; j < num_cert_attrs; j++) { 6471 if (pTemplate[i].type == CERT_ATTRS[j]) { 6472 cert_found = B_TRUE; 6473 pclasses[num_pclasses++] = 6474 CKO_CERTIFICATE; 6475 break; 6476 } 6477 } 6478 } 6479 } 6480 *num_result_pclasses = num_pclasses; 6481 } 6482 6483 boolean_t 6484 soft_find_match_attrs(soft_object_t *obj, CK_OBJECT_CLASS *pclasses, 6485 CK_ULONG num_pclasses, CK_ATTRIBUTE *template, CK_ULONG num_attr) 6486 { 6487 ulong_t i; 6488 CK_ATTRIBUTE *tmpl_attr, *obj_attr; 6489 cert_attr_t *cert_attr; 6490 uint64_t attr_mask; 6491 biginteger_t *bigint; 6492 boolean_t compare_attr, compare_bigint, compare_boolean; 6493 boolean_t compare_cert_val, compare_cert_type; 6494 6495 /* 6496 * Check if the class of this object match with any 6497 * of object classes that can possibly contain the 6498 * requested attributes. 6499 */ 6500 if (num_pclasses > 0) { 6501 for (i = 0; i < num_pclasses; i++) { 6502 if (obj->class == pclasses[i]) { 6503 break; 6504 } 6505 } 6506 if (i == num_pclasses) { 6507 /* 6508 * this object can't possibly contain one or 6509 * more attributes, don't need to check this object 6510 */ 6511 return (B_FALSE); 6512 } 6513 } 6514 6515 /* need to examine everything */ 6516 for (i = 0; i < num_attr; i++) { 6517 tmpl_attr = &(template[i]); 6518 compare_attr = B_FALSE; 6519 compare_bigint = B_FALSE; 6520 compare_boolean = B_FALSE; 6521 compare_cert_val = B_FALSE; 6522 compare_cert_type = B_FALSE; 6523 switch (tmpl_attr->type) { 6524 /* First, check the most common attributes */ 6525 case CKA_CLASS: 6526 if (*((CK_OBJECT_CLASS *)tmpl_attr->pValue) != 6527 obj->class) { 6528 return (B_FALSE); 6529 } 6530 break; 6531 case CKA_KEY_TYPE: 6532 if (*((CK_KEY_TYPE *)tmpl_attr->pValue) != 6533 obj->key_type) { 6534 return (B_FALSE); 6535 } 6536 break; 6537 case CKA_ENCRYPT: 6538 attr_mask = (obj->bool_attr_mask) & ENCRYPT_BOOL_ON; 6539 compare_boolean = B_TRUE; 6540 break; 6541 case CKA_DECRYPT: 6542 attr_mask = (obj->bool_attr_mask) & DECRYPT_BOOL_ON; 6543 compare_boolean = B_TRUE; 6544 break; 6545 case CKA_WRAP: 6546 attr_mask = (obj->bool_attr_mask) & WRAP_BOOL_ON; 6547 compare_boolean = B_TRUE; 6548 break; 6549 case CKA_UNWRAP: 6550 attr_mask = (obj->bool_attr_mask) & UNWRAP_BOOL_ON; 6551 compare_boolean = B_TRUE; 6552 break; 6553 case CKA_SIGN: 6554 attr_mask = (obj->bool_attr_mask) & SIGN_BOOL_ON; 6555 compare_boolean = B_TRUE; 6556 break; 6557 case CKA_SIGN_RECOVER: 6558 attr_mask = (obj->bool_attr_mask) & 6559 SIGN_RECOVER_BOOL_ON; 6560 compare_boolean = B_TRUE; 6561 break; 6562 case CKA_VERIFY: 6563 attr_mask = (obj->bool_attr_mask) & VERIFY_BOOL_ON; 6564 compare_boolean = B_TRUE; 6565 break; 6566 case CKA_VERIFY_RECOVER: 6567 attr_mask = (obj->bool_attr_mask) & 6568 VERIFY_RECOVER_BOOL_ON; 6569 compare_boolean = B_TRUE; 6570 break; 6571 case CKA_DERIVE: 6572 attr_mask = (obj->bool_attr_mask) & DERIVE_BOOL_ON; 6573 compare_boolean = B_TRUE; 6574 break; 6575 case CKA_LOCAL: 6576 attr_mask = (obj->bool_attr_mask) & LOCAL_BOOL_ON; 6577 compare_boolean = B_TRUE; 6578 break; 6579 case CKA_SENSITIVE: 6580 attr_mask = (obj->bool_attr_mask) & SENSITIVE_BOOL_ON; 6581 compare_boolean = B_TRUE; 6582 break; 6583 case CKA_SECONDARY_AUTH: 6584 attr_mask = (obj->bool_attr_mask) & 6585 SECONDARY_AUTH_BOOL_ON; 6586 compare_boolean = B_TRUE; 6587 break; 6588 case CKA_TRUSTED: 6589 attr_mask = (obj->bool_attr_mask) & TRUSTED_BOOL_ON; 6590 compare_boolean = B_TRUE; 6591 break; 6592 case CKA_EXTRACTABLE: 6593 attr_mask = (obj->bool_attr_mask) & 6594 EXTRACTABLE_BOOL_ON; 6595 compare_boolean = B_TRUE; 6596 break; 6597 case CKA_ALWAYS_SENSITIVE: 6598 attr_mask = (obj->bool_attr_mask) & 6599 ALWAYS_SENSITIVE_BOOL_ON; 6600 compare_boolean = B_TRUE; 6601 break; 6602 case CKA_NEVER_EXTRACTABLE: 6603 attr_mask = (obj->bool_attr_mask) & 6604 NEVER_EXTRACTABLE_BOOL_ON; 6605 compare_boolean = B_TRUE; 6606 break; 6607 case CKA_TOKEN: 6608 attr_mask = (obj->object_type) & TOKEN_OBJECT; 6609 compare_boolean = B_TRUE; 6610 break; 6611 case CKA_PRIVATE: 6612 attr_mask = (obj->object_type) & PRIVATE_OBJECT; 6613 compare_boolean = B_TRUE; 6614 break; 6615 case CKA_MODIFIABLE: 6616 { 6617 CK_BBOOL bval; 6618 attr_mask = (obj->bool_attr_mask) & 6619 NOT_MODIFIABLE_BOOL_ON; 6620 6621 if (attr_mask) { 6622 bval = FALSE; 6623 } else { 6624 bval = TRUE; 6625 } 6626 if (bval != *((CK_BBOOL *)tmpl_attr->pValue)) { 6627 return (B_FALSE); 6628 } 6629 break; 6630 } 6631 case CKA_OWNER: 6632 /* 6633 * For X.509 attribute certificate object, get its 6634 * CKA_OWNER attribute from the x509_attr_cert_t struct. 6635 */ 6636 if ((obj->class == CKO_CERTIFICATE) && 6637 (obj->cert_type == CKC_X_509_ATTR_CERT)) { 6638 cert_attr = X509_ATTR_CERT_OWNER(obj); 6639 compare_cert_val = B_TRUE; 6640 } 6641 break; 6642 case CKA_SUBJECT: 6643 /* 6644 * For X.509 certificate object, get its CKA_SUBJECT 6645 * attribute from the x509_cert_t struct (not from 6646 * the extra_attrlistp). 6647 */ 6648 if ((obj->class == CKO_CERTIFICATE) && 6649 (obj->cert_type == CKC_X_509)) { 6650 cert_attr = X509_CERT_SUBJECT(obj); 6651 compare_cert_val = B_TRUE; 6652 break; 6653 } 6654 /*FALLTHRU*/ 6655 case CKA_ID: 6656 case CKA_START_DATE: 6657 case CKA_END_DATE: 6658 case CKA_KEY_GEN_MECHANISM: 6659 case CKA_LABEL: 6660 case CKA_ISSUER: 6661 case CKA_SERIAL_NUMBER: 6662 case CKA_AC_ISSUER: 6663 case CKA_ATTR_TYPES: 6664 /* find these attributes from extra_attrlistp */ 6665 obj_attr = get_extra_attr(tmpl_attr->type, obj); 6666 compare_attr = B_TRUE; 6667 break; 6668 case CKA_CERTIFICATE_TYPE: 6669 compare_cert_type = B_TRUE; 6670 break; 6671 case CKA_VALUE_LEN: 6672 /* only secret key has this attribute */ 6673 if (obj->class == CKO_SECRET_KEY) { 6674 if (*((CK_ULONG *)tmpl_attr->pValue) != 6675 OBJ_SEC_VALUE_LEN(obj)) { 6676 return (B_FALSE); 6677 } 6678 } else { 6679 return (B_FALSE); 6680 } 6681 break; 6682 case CKA_VALUE: 6683 switch (obj->class) { 6684 case CKO_SECRET_KEY: 6685 /* 6686 * secret_key_obj_t is the same as 6687 * biginteger_t 6688 */ 6689 bigint = (biginteger_t *)OBJ_SEC(obj); 6690 compare_bigint = B_TRUE; 6691 break; 6692 case CKO_PRIVATE_KEY: 6693 if (obj->key_type == CKK_DSA) { 6694 bigint = OBJ_PRI_DSA_VALUE(obj); 6695 } else if (obj->key_type == CKK_DH) { 6696 bigint = OBJ_PRI_DH_VALUE(obj); 6697 } else if (obj->key_type == CKK_X9_42_DH) { 6698 bigint = OBJ_PRI_DH942_VALUE(obj); 6699 } else { 6700 return (B_FALSE); 6701 } 6702 compare_bigint = B_TRUE; 6703 break; 6704 case CKO_PUBLIC_KEY: 6705 if (obj->key_type == CKK_DSA) { 6706 bigint = OBJ_PUB_DSA_VALUE(obj); 6707 } else if (obj->key_type == CKK_DH) { 6708 bigint = OBJ_PUB_DH_VALUE(obj); 6709 } else if (obj->key_type == CKK_X9_42_DH) { 6710 bigint = OBJ_PUB_DH942_VALUE(obj); 6711 } else { 6712 return (B_FALSE); 6713 } 6714 compare_bigint = B_TRUE; 6715 break; 6716 case CKO_CERTIFICATE: 6717 if (obj->cert_type == CKC_X_509) { 6718 cert_attr = X509_CERT_VALUE(obj); 6719 } else if (obj->cert_type == 6720 CKC_X_509_ATTR_CERT) { 6721 cert_attr = X509_ATTR_CERT_VALUE(obj); 6722 } 6723 compare_cert_val = B_TRUE; 6724 break; 6725 default: 6726 return (B_FALSE); 6727 } 6728 break; 6729 case CKA_MODULUS: 6730 /* only RSA public and private key have this attr */ 6731 if (obj->key_type == CKK_RSA) { 6732 if (obj->class == CKO_PUBLIC_KEY) { 6733 bigint = OBJ_PUB_RSA_MOD(obj); 6734 } else if (obj->class == CKO_PRIVATE_KEY) { 6735 bigint = OBJ_PRI_RSA_MOD(obj); 6736 } else { 6737 return (B_FALSE); 6738 } 6739 compare_bigint = B_TRUE; 6740 } else { 6741 return (B_FALSE); 6742 } 6743 break; 6744 case CKA_MODULUS_BITS: 6745 /* only RSA public key has this attribute */ 6746 if ((obj->key_type == CKK_RSA) && 6747 (obj->class == CKO_PUBLIC_KEY)) { 6748 CK_ULONG mod_bits = OBJ_PUB_RSA_MOD_BITS(obj); 6749 if (mod_bits != 6750 *((CK_ULONG *)tmpl_attr->pValue)) { 6751 return (B_FALSE); 6752 } 6753 } else { 6754 return (B_FALSE); 6755 } 6756 break; 6757 case CKA_PUBLIC_EXPONENT: 6758 /* only RSA public and private key have this attr */ 6759 if (obj->key_type == CKK_RSA) { 6760 if (obj->class == CKO_PUBLIC_KEY) { 6761 bigint = OBJ_PUB_RSA_PUBEXPO(obj); 6762 } else if (obj->class == CKO_PRIVATE_KEY) { 6763 bigint = OBJ_PRI_RSA_PUBEXPO(obj); 6764 } else { 6765 return (B_FALSE); 6766 } 6767 compare_bigint = B_TRUE; 6768 } else { 6769 return (B_FALSE); 6770 } 6771 break; 6772 case CKA_PRIVATE_EXPONENT: 6773 /* only RSA private key has this attribute */ 6774 if ((obj->key_type == CKK_RSA) && 6775 (obj->class == CKO_PRIVATE_KEY)) { 6776 bigint = OBJ_PRI_RSA_PRIEXPO(obj); 6777 compare_bigint = B_TRUE; 6778 } else { 6779 return (B_FALSE); 6780 } 6781 break; 6782 case CKA_PRIME_1: 6783 /* only RSA private key has this attribute */ 6784 if ((obj->key_type == CKK_RSA) && 6785 (obj->class == CKO_PRIVATE_KEY)) { 6786 bigint = OBJ_PRI_RSA_PRIME1(obj); 6787 compare_bigint = B_TRUE; 6788 } else { 6789 return (B_FALSE); 6790 } 6791 break; 6792 case CKA_PRIME_2: 6793 /* only RSA private key has this attribute */ 6794 if ((obj->key_type == CKK_RSA) && 6795 (obj->class == CKO_PRIVATE_KEY)) { 6796 bigint = OBJ_PRI_RSA_PRIME2(obj); 6797 compare_bigint = B_TRUE; 6798 } else { 6799 return (B_FALSE); 6800 } 6801 break; 6802 case CKA_EXPONENT_1: 6803 /* only RSA private key has this attribute */ 6804 if ((obj->key_type == CKK_RSA) && 6805 (obj->class == CKO_PRIVATE_KEY)) { 6806 bigint = OBJ_PRI_RSA_EXPO1(obj); 6807 compare_bigint = B_TRUE; 6808 } else { 6809 return (B_FALSE); 6810 } 6811 break; 6812 case CKA_EXPONENT_2: 6813 /* only RSA private key has this attribute */ 6814 if ((obj->key_type == CKK_RSA) && 6815 (obj->class == CKO_PRIVATE_KEY)) { 6816 bigint = OBJ_PRI_RSA_EXPO2(obj); 6817 compare_bigint = B_TRUE; 6818 } else { 6819 return (B_FALSE); 6820 } 6821 break; 6822 case CKA_COEFFICIENT: 6823 /* only RSA private key has this attribute */ 6824 if ((obj->key_type == CKK_RSA) && 6825 (obj->class == CKO_PRIVATE_KEY)) { 6826 bigint = OBJ_PRI_RSA_COEF(obj); 6827 compare_bigint = B_TRUE; 6828 } else { 6829 return (B_FALSE); 6830 } 6831 break; 6832 case CKA_VALUE_BITS: 6833 /* only Diffie-Hellman private key has this attr */ 6834 if ((obj->key_type == CKK_DH) && 6835 (obj->class == CKO_PRIVATE_KEY)) { 6836 CK_ULONG val_bits = OBJ_PRI_DH_VAL_BITS(obj); 6837 if (val_bits != 6838 *((CK_ULONG *)tmpl_attr->pValue)) { 6839 return (B_FALSE); 6840 } 6841 } else { 6842 return (B_FALSE); 6843 } 6844 break; 6845 case CKA_PRIME: 6846 if (obj->class == CKO_PUBLIC_KEY) { 6847 switch (obj->key_type) { 6848 case CKK_DSA: 6849 bigint = OBJ_PUB_DSA_PRIME(obj); 6850 break; 6851 case CKK_DH: 6852 bigint = OBJ_PUB_DH_PRIME(obj); 6853 break; 6854 case CKK_X9_42_DH: 6855 bigint = OBJ_PUB_DH942_PRIME(obj); 6856 break; 6857 default: 6858 return (B_FALSE); 6859 } 6860 } else if (obj->class == CKO_PRIVATE_KEY) { 6861 switch (obj->key_type) { 6862 case CKK_DSA: 6863 bigint = OBJ_PRI_DSA_PRIME(obj); 6864 break; 6865 case CKK_DH: 6866 bigint = OBJ_PRI_DH_PRIME(obj); 6867 break; 6868 case CKK_X9_42_DH: 6869 bigint = OBJ_PRI_DH942_PRIME(obj); 6870 break; 6871 default: 6872 return (B_FALSE); 6873 } 6874 } else if (obj->class == CKO_DOMAIN_PARAMETERS) { 6875 switch (obj->key_type) { 6876 case CKK_DSA: 6877 bigint = OBJ_DOM_DSA_PRIME(obj); 6878 break; 6879 case CKK_DH: 6880 bigint = OBJ_DOM_DH_PRIME(obj); 6881 break; 6882 case CKK_X9_42_DH: 6883 bigint = OBJ_DOM_DH942_PRIME(obj); 6884 break; 6885 default: 6886 return (B_FALSE); 6887 } 6888 } else { 6889 return (B_FALSE); 6890 } 6891 compare_bigint = B_TRUE; 6892 break; 6893 case CKA_SUBPRIME: 6894 if (obj->class == CKO_PUBLIC_KEY) { 6895 switch (obj->key_type) { 6896 case CKK_DSA: 6897 bigint = OBJ_PUB_DSA_SUBPRIME(obj); 6898 break; 6899 case CKK_X9_42_DH: 6900 bigint = OBJ_PUB_DH942_SUBPRIME(obj); 6901 break; 6902 default: 6903 return (B_FALSE); 6904 } 6905 } else if (obj->class == CKO_PRIVATE_KEY) { 6906 switch (obj->key_type) { 6907 case CKK_DSA: 6908 bigint = OBJ_PRI_DSA_SUBPRIME(obj); 6909 break; 6910 case CKK_X9_42_DH: 6911 bigint = OBJ_PRI_DH942_SUBPRIME(obj); 6912 break; 6913 default: 6914 return (B_FALSE); 6915 } 6916 } else if (obj->class == CKO_DOMAIN_PARAMETERS) { 6917 switch (obj->key_type) { 6918 case CKK_DSA: 6919 bigint = OBJ_DOM_DSA_SUBPRIME(obj); 6920 break; 6921 case CKK_X9_42_DH: 6922 bigint = OBJ_DOM_DH942_SUBPRIME(obj); 6923 break; 6924 default: 6925 return (B_FALSE); 6926 } 6927 } else { 6928 return (B_FALSE); 6929 } 6930 compare_bigint = B_TRUE; 6931 break; 6932 case CKA_BASE: 6933 if (obj->class == CKO_PUBLIC_KEY) { 6934 switch (obj->key_type) { 6935 case CKK_DSA: 6936 bigint = OBJ_PUB_DSA_BASE(obj); 6937 break; 6938 case CKK_DH: 6939 bigint = OBJ_PUB_DH_BASE(obj); 6940 break; 6941 case CKK_X9_42_DH: 6942 bigint = OBJ_PUB_DH942_BASE(obj); 6943 break; 6944 default: 6945 return (B_FALSE); 6946 } 6947 } else if (obj->class == CKO_PRIVATE_KEY) { 6948 switch (obj->key_type) { 6949 case CKK_DSA: 6950 bigint = OBJ_PRI_DSA_BASE(obj); 6951 break; 6952 case CKK_DH: 6953 bigint = OBJ_PRI_DH_BASE(obj); 6954 break; 6955 case CKK_X9_42_DH: 6956 bigint = OBJ_PRI_DH942_BASE(obj); 6957 break; 6958 default: 6959 return (B_FALSE); 6960 } 6961 } else if (obj->class == CKO_DOMAIN_PARAMETERS) { 6962 switch (obj->key_type) { 6963 case CKK_DSA: 6964 bigint = OBJ_DOM_DSA_BASE(obj); 6965 break; 6966 case CKK_DH: 6967 bigint = OBJ_DOM_DH_BASE(obj); 6968 break; 6969 case CKK_X9_42_DH: 6970 bigint = OBJ_DOM_DH942_BASE(obj); 6971 break; 6972 default: 6973 return (B_FALSE); 6974 } 6975 } else { 6976 return (B_FALSE); 6977 } 6978 compare_bigint = B_TRUE; 6979 break; 6980 case CKA_PRIME_BITS: 6981 if (obj->class == CKO_DOMAIN_PARAMETERS) { 6982 CK_ULONG prime_bits; 6983 if (obj->key_type == CKK_DSA) { 6984 prime_bits = 6985 OBJ_DOM_DSA_PRIME_BITS(obj); 6986 } else if (obj->key_type == CKK_DH) { 6987 prime_bits = 6988 OBJ_DOM_DH_PRIME_BITS(obj); 6989 } else if (obj->key_type == CKK_X9_42_DH) { 6990 prime_bits = 6991 OBJ_DOM_DH942_PRIME_BITS(obj); 6992 } else { 6993 return (B_FALSE); 6994 } 6995 if (prime_bits != 6996 *((CK_ULONG *)tmpl_attr->pValue)) { 6997 return (B_FALSE); 6998 } 6999 } else { 7000 return (B_FALSE); 7001 } 7002 break; 7003 case CKA_SUBPRIME_BITS: 7004 if ((obj->class == CKO_DOMAIN_PARAMETERS) && 7005 (obj->key_type == CKK_X9_42_DH)) { 7006 CK_ULONG subprime_bits = 7007 OBJ_DOM_DH942_SUBPRIME_BITS(obj); 7008 if (subprime_bits != 7009 *((CK_ULONG *)tmpl_attr->pValue)) { 7010 return (B_FALSE); 7011 } 7012 } else { 7013 return (B_FALSE); 7014 } 7015 break; 7016 default: 7017 /* 7018 * any other attributes are currently not supported. 7019 * so, it's not possible for them to be in the 7020 * object 7021 */ 7022 return (B_FALSE); 7023 } 7024 if (compare_boolean) { 7025 CK_BBOOL bval; 7026 7027 if (attr_mask) { 7028 bval = TRUE; 7029 } else { 7030 bval = FALSE; 7031 } 7032 if (bval != *((CK_BBOOL *)tmpl_attr->pValue)) { 7033 return (B_FALSE); 7034 } 7035 } else if (compare_bigint) { 7036 if (bigint == NULL) { 7037 return (B_FALSE); 7038 } 7039 if (tmpl_attr->ulValueLen != bigint->big_value_len) { 7040 return (B_FALSE); 7041 } 7042 if (memcmp(tmpl_attr->pValue, bigint->big_value, 7043 tmpl_attr->ulValueLen) != 0) { 7044 return (B_FALSE); 7045 } 7046 } else if (compare_attr) { 7047 if (obj_attr == NULL) { 7048 /* 7049 * The attribute type is valid, and its value 7050 * has not been initialized in the object. In 7051 * this case, it only matches the template's 7052 * attribute if the template's value length 7053 * is 0. 7054 */ 7055 if (tmpl_attr->ulValueLen != 0) 7056 return (B_FALSE); 7057 } else { 7058 if (tmpl_attr->ulValueLen != 7059 obj_attr->ulValueLen) { 7060 return (B_FALSE); 7061 } 7062 if (memcmp(tmpl_attr->pValue, obj_attr->pValue, 7063 tmpl_attr->ulValueLen) != 0) { 7064 return (B_FALSE); 7065 } 7066 } 7067 } else if (compare_cert_val) { 7068 if (cert_attr == NULL) { 7069 /* specific attribute not found */ 7070 return (B_FALSE); 7071 } 7072 if (tmpl_attr->ulValueLen != cert_attr->length) { 7073 return (B_FALSE); 7074 } 7075 if (memcmp(tmpl_attr->pValue, cert_attr->value, 7076 tmpl_attr->ulValueLen) != 0) { 7077 return (B_FALSE); 7078 } 7079 } else if (compare_cert_type) { 7080 if (memcmp(tmpl_attr->pValue, &(obj->cert_type), 7081 tmpl_attr->ulValueLen) != 0) { 7082 return (B_FALSE); 7083 } 7084 } 7085 } 7086 return (B_TRUE); 7087 } 7088 7089 CK_ATTRIBUTE_PTR 7090 get_extra_attr(CK_ATTRIBUTE_TYPE type, soft_object_t *obj) 7091 { 7092 CK_ATTRIBUTE_INFO_PTR tmp; 7093 7094 tmp = obj->extra_attrlistp; 7095 while (tmp != NULL) { 7096 if (tmp->attr.type == type) { 7097 return (&(tmp->attr)); 7098 } 7099 tmp = tmp->next; 7100 } 7101 /* if get there, the specified attribute is not found */ 7102 return (NULL); 7103 } 7104