xref: /titanic_44/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSlotToken.c (revision 9dd0f810214fdc8e1af881a9a5c4b6927629ff9e)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <strings.h>
29 #include <cryptoutil.h>
30 #include <security/cryptoki.h>
31 #include <arcfour.h>
32 #include "softGlobal.h"
33 #include "softSession.h"
34 #include <des_impl.h>
35 #include <aes_impl.h>
36 #include <blowfish_impl.h>
37 #include "softDH.h"
38 #include "softObject.h"
39 #include "softKeystore.h"
40 #include "softKeystoreUtil.h"
41 
42 
43 static CK_MECHANISM_TYPE soft_mechanisms[] = {
44 	CKM_DES_CBC,
45 	CKM_DES_CBC_PAD,
46 	CKM_DES_ECB,
47 	CKM_DES_KEY_GEN,
48 	CKM_DES_MAC_GENERAL,
49 	CKM_DES_MAC,
50 	CKM_DES3_CBC,
51 	CKM_DES3_CBC_PAD,
52 	CKM_DES3_ECB,
53 	CKM_DES3_KEY_GEN,
54 	CKM_AES_CBC,
55 	CKM_AES_CBC_PAD,
56 	CKM_AES_ECB,
57 	CKM_AES_KEY_GEN,
58 	CKM_BLOWFISH_CBC,
59 	CKM_BLOWFISH_KEY_GEN,
60 	CKM_SHA_1,
61 	CKM_SHA_1_HMAC,
62 	CKM_SHA_1_HMAC_GENERAL,
63 	CKM_SHA256,
64 	CKM_SHA256_HMAC,
65 	CKM_SHA256_HMAC_GENERAL,
66 	CKM_SHA384,
67 	CKM_SHA384_HMAC,
68 	CKM_SHA384_HMAC_GENERAL,
69 	CKM_SHA512,
70 	CKM_SHA512_HMAC,
71 	CKM_SHA512_HMAC_GENERAL,
72 	CKM_SSL3_SHA1_MAC,
73 	CKM_MD5,
74 	CKM_MD5_HMAC,
75 	CKM_MD5_HMAC_GENERAL,
76 	CKM_SSL3_MD5_MAC,
77 	CKM_RC4,
78 	CKM_RC4_KEY_GEN,
79 	CKM_DSA,
80 	CKM_DSA_SHA1,
81 	CKM_DSA_KEY_PAIR_GEN,
82 	CKM_RSA_PKCS,
83 	CKM_RSA_PKCS_KEY_PAIR_GEN,
84 	CKM_RSA_X_509,
85 	CKM_MD5_RSA_PKCS,
86 	CKM_SHA1_RSA_PKCS,
87 	CKM_SHA256_RSA_PKCS,
88 	CKM_SHA384_RSA_PKCS,
89 	CKM_SHA512_RSA_PKCS,
90 	CKM_DH_PKCS_KEY_PAIR_GEN,
91 	CKM_DH_PKCS_DERIVE,
92 	CKM_MD5_KEY_DERIVATION,
93 	CKM_SHA1_KEY_DERIVATION,
94 	CKM_SHA256_KEY_DERIVATION,
95 	CKM_SHA384_KEY_DERIVATION,
96 	CKM_SHA512_KEY_DERIVATION,
97 	CKM_PBE_SHA1_RC4_128,
98 	CKM_PKCS5_PBKD2,
99 	CKM_SSL3_PRE_MASTER_KEY_GEN,
100 	CKM_TLS_PRE_MASTER_KEY_GEN,
101 	CKM_SSL3_MASTER_KEY_DERIVE,
102 	CKM_TLS_MASTER_KEY_DERIVE,
103 	CKM_SSL3_MASTER_KEY_DERIVE_DH,
104 	CKM_TLS_MASTER_KEY_DERIVE_DH,
105 	CKM_SSL3_KEY_AND_MAC_DERIVE,
106 	CKM_TLS_KEY_AND_MAC_DERIVE,
107 	CKM_TLS_PRF
108 };
109 
110 /*
111  * This is the table of CK_MECHANISM_INFO structs for the supported mechanisms.
112  * The index for this table is the same as the one above for the same
113  * mechanism.
114  * The minimum and maximum sizes of the key for the mechanism can be measured
115  * in bits or in bytes (i.e. mechanism-dependent). This table specifies the
116  * supported range of key sizes in bytes; unless noted as in bits.
117  */
118 static CK_MECHANISM_INFO soft_mechanism_info[] = {
119 	{DES_MINBYTES, DES_MAXBYTES,
120 		CKF_ENCRYPT|CKF_DECRYPT|
121 		CKF_WRAP|CKF_UNWRAP},		/* CKM_DES_CBC */
122 	{DES_MINBYTES, DES_MAXBYTES,
123 		CKF_ENCRYPT|CKF_DECRYPT|
124 		CKF_WRAP|CKF_UNWRAP},		/* CKM_DES_CBC_PAD */
125 	{DES_MINBYTES, DES_MAXBYTES,
126 		CKF_ENCRYPT|CKF_DECRYPT|
127 		CKF_WRAP|CKF_UNWRAP},		/* CKM_DES_ECB */
128 	{DES_MINBYTES, DES_MAXBYTES,
129 		CKF_GENERATE},			/* CKM_DES_KEY_GEN */
130 	{DES_MINBYTES, DES_MAXBYTES,
131 		CKF_SIGN|CKF_VERIFY},		/* CKM_DES_MAC_GENERAL */
132 	{DES_MINBYTES, DES_MAXBYTES,
133 		CKF_SIGN|CKF_VERIFY},		/* CKM_DES_MAC */
134 /*
135  * Note that DES3 is allowed even if CRYPTO_UNLIMITED is not specified.
136  * This is because 3DES has an exception to the Solaris PAC enforced
137  * no crypto greater than 128 bit in core Solaris rule.
138  * The actual key length of 3DES is 192, but most cryptographers regard
139  * it to be effectively 112.
140  */
141 	{DES3_MINBYTES, DES3_MAXBYTES,
142 		CKF_ENCRYPT|CKF_DECRYPT|
143 		CKF_WRAP|CKF_UNWRAP},		/* CKM_DES3_CBC */
144 	{DES3_MINBYTES, DES3_MAXBYTES,
145 		CKF_ENCRYPT|CKF_DECRYPT|
146 		CKF_WRAP|CKF_UNWRAP},		/* CKM_DES3_CBC_PAD */
147 	{DES3_MINBYTES, DES3_MAXBYTES,
148 		CKF_ENCRYPT|CKF_DECRYPT|
149 		CKF_WRAP|CKF_UNWRAP},		/* CKM_DES3_ECB */
150 	{DES3_MINBYTES, DES3_MAXBYTES,
151 		CKF_GENERATE},			/* CKM_DES3_KEY_GEN */
152 	{AES_MINBYTES, AES_MAXBYTES,
153 		CKF_ENCRYPT|CKF_DECRYPT|
154 		CKF_WRAP|CKF_UNWRAP},		/* CKM_AES_CBC */
155 	{AES_MINBYTES, AES_MAXBYTES,
156 		CKF_ENCRYPT|CKF_DECRYPT|
157 		CKF_WRAP|CKF_UNWRAP},		/* CKM_AES_CBC_PAD */
158 	{AES_MINBYTES, AES_MAXBYTES,
159 		CKF_ENCRYPT|CKF_DECRYPT|
160 		CKF_WRAP|CKF_UNWRAP},		/* CKM_AES_ECB */
161 	{AES_MINBYTES, AES_MAXBYTES,
162 		CKF_GENERATE},			/* CKM_AES_KEY_GEN */
163 	{BLOWFISH_MINBYTES, BLOWFISH_MAXBYTES,
164 		CKF_ENCRYPT|CKF_DECRYPT|
165 		CKF_WRAP|CKF_UNWRAP},		/* CKM_BLOWFISH_ECB */
166 	{BLOWFISH_MINBYTES, BLOWFISH_MAXBYTES,
167 		CKF_GENERATE},			/* CKM_BLOWFISH_KEY_GEN */
168 	{0, 0, CKF_DIGEST},			/* CKM_SHA_1 */
169 	{1, 64, CKF_SIGN|CKF_VERIFY},		/* CKM_SHA_1_HMAC */
170 	{1, 64, CKF_SIGN|CKF_VERIFY},		/* CKM_SHA_1_HMAC_GENERAL */
171 	{0, 0, CKF_DIGEST},			/* CKM_SHA256 */
172 	{1, 64, CKF_SIGN|CKF_VERIFY},		/* CKM_SHA256_HMAC */
173 	{1, 64, CKF_SIGN|CKF_VERIFY},		/* CKM_SHA256_HMAC_GENERAL */
174 	{0, 0, CKF_DIGEST},			/* CKM_SHA384 */
175 	{1, 128, CKF_SIGN|CKF_VERIFY},		/* CKM_SHA384_HMAC */
176 	{1, 128, CKF_SIGN|CKF_VERIFY},		/* CKM_SHA384_HMAC_GENERAL */
177 	{0, 0, CKF_DIGEST},			/* CKM_SHA512 */
178 	{1, 128, CKF_SIGN|CKF_VERIFY},		/* CKM_SHA512_HMAC */
179 	{1, 128, CKF_SIGN|CKF_VERIFY},		/* CKM_SHA512_HMAC_GENERAL */
180 	{1, 512, CKF_SIGN|CKF_VERIFY},		/* CKM_SSL3_SHA1_MAC */
181 	{0, 0, CKF_DIGEST},			/* CKM_MD5 */
182 	{1, 64, CKF_SIGN|CKF_VERIFY},		/* CKM_MD5_HMAC */
183 	{1, 64, CKF_SIGN|CKF_VERIFY},		/* CKM_MD5_HMAC_GENERAL */
184 	{1, 512, CKF_SIGN|CKF_VERIFY},		/* CKM_SSL3_MD5_MAC */
185 	{8, ARCFOUR_MAX_KEY_BITS, CKF_ENCRYPT|CKF_DECRYPT}, /* CKM_RC4; */
186 							    /* in bits  */
187 	{8, ARCFOUR_MAX_KEY_BITS, CKF_GENERATE }, /* CKM_RC4_KEY_GEN; in bits */
188 	{512, 1024, CKF_SIGN|CKF_VERIFY},	/* CKM_DSA; in bits */
189 	{512, 1024, CKF_SIGN|CKF_VERIFY},	/* CKM_DSA_SHA1; in bits */
190 	{512, 1024, CKF_GENERATE_KEY_PAIR},	/* CKM_DSA_KEY_PAIR_GEN; */
191 						/* in bits */
192 	{256, 4096, CKF_ENCRYPT|CKF_DECRYPT|
193 		CKF_SIGN|CKF_SIGN_RECOVER|
194 		CKF_WRAP|CKF_UNWRAP|
195 		CKF_VERIFY|CKF_VERIFY_RECOVER},	/* CKM_RSA_PKCS; in bits */
196 	{256, 4096, CKF_GENERATE_KEY_PAIR},	/* CKM_RSA_PKCS_KEY_PAIR_GEN; */
197 						/* in bits */
198 	{256, 4096, CKF_ENCRYPT|CKF_DECRYPT|
199 		CKF_SIGN|CKF_SIGN_RECOVER|
200 		CKF_WRAP|CKF_UNWRAP|
201 		CKF_VERIFY|CKF_VERIFY_RECOVER},	/* CKM_RSA_X_509 in bits */
202 	{256, 4096, CKF_SIGN|CKF_VERIFY},	/* CKM_MD5_RSA_PKCS in bits */
203 	{256, 4096, CKF_SIGN|CKF_VERIFY},	/* CKM_SHA1_RSA_PKCS in bits */
204 	{256, 4096, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA256_RSA_PKCS in bits */
205 	{256, 4096, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA384_RSA_PKCS in bits */
206 	{256, 4096, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA512_RSA_PKCS in bits */
207 	{MIN_DH_KEYLENGTH, MAX_DH_KEYLENGTH, CKF_GENERATE_KEY_PAIR},
208 						/* CKM_DH_PKCS_KEY_PAIR_GEN */
209 						/* in bits */
210 	{MIN_DH_KEYLENGTH, MAX_DH_KEYLENGTH, CKF_DERIVE},
211 						/* CKM_DH_PKCS_DERIVE; */
212 						/* in bits */
213 	{1, 16, CKF_DERIVE},			/* CKM_MD5_KEY_DERIVATION */
214 	{1, 20, CKF_DERIVE},			/* CKM_SHA1_KEY_DERIVATION */
215 	{1, 32, CKF_DERIVE},			/* CKM_SHA256_KEY_DERIVATION */
216 	{1, 48, CKF_DERIVE},			/* CKM_SHA384_KEY_DERIVATION */
217 	{1, 64, CKF_DERIVE},			/* CKM_SHA512_KEY_DERIVATION */
218 	{0, 0, CKF_GENERATE},			/* CKM_PBE_SHA1_RC4_128 */
219 	{0, 0, CKF_GENERATE},			/* CKM_PKCS5_PBKD2 */
220 	{48, 48, CKF_GENERATE},		/* CKM_SSL3_PRE_MASTER_KEY_GEN */
221 	{48, 48, CKF_GENERATE},		/* CKM_TLS_PRE_MASTER_KEY_GEN */
222 	{48, 48, CKF_DERIVE},		/* CKM_SSL3_MASTER_KEY_DERIVE */
223 	{48, 48, CKF_DERIVE},		/* CKM_TLS_MASTER_KEY_DERIVE */
224 	{48, 48, CKF_DERIVE},		/* CKM_SSL3_MASTER_KEY_DERIVE_DH */
225 	{48, 48, CKF_DERIVE},		/* CKM_TLS_MASTER_KEY_DERIVE_DH */
226 	{0, 0, CKF_DERIVE},		/* CKM_SSL3_KEY_AND_MAC_DERIVE */
227 	{0, 0, CKF_DERIVE},		/* CKM_TLS_KEY_AND_MAC_DERIVE */
228 	{0, 0, CKF_DERIVE}		/* CKM_TLS_PRF */
229 };
230 
231 /*
232  * Slot ID for softtoken is always 1. tokenPresent is ignored.
233  * Also, only one slot is used.
234  */
235 /*ARGSUSED*/
236 CK_RV
237 C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
238     CK_ULONG_PTR pulCount)
239 {
240 
241 	CK_RV rv;
242 
243 	if (!softtoken_initialized)
244 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
245 
246 	if (pulCount == NULL) {
247 		return (CKR_ARGUMENTS_BAD);
248 	}
249 
250 	if (pSlotList == NULL) {
251 		/*
252 		 * Application only wants to know the number of slots.
253 		 */
254 		*pulCount = 1;
255 		return (CKR_OK);
256 	}
257 
258 	if ((*pulCount < 1) && (pSlotList != NULL)) {
259 		rv = CKR_BUFFER_TOO_SMALL;
260 	} else {
261 		pSlotList[0] = SOFTTOKEN_SLOTID;
262 		rv = CKR_OK;
263 	}
264 
265 	*pulCount = 1;
266 	return (rv);
267 }
268 
269 
270 CK_RV
271 C_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
272 {
273 
274 	if (!softtoken_initialized)
275 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
276 
277 	if (pInfo == NULL)
278 		return (CKR_ARGUMENTS_BAD);
279 
280 	/* Make sure the slot ID is valid */
281 	if (slotID != SOFTTOKEN_SLOTID)
282 		return (CKR_SLOT_ID_INVALID);
283 
284 	/* Provide information about the slot in the provided buffer */
285 	(void) strncpy((char *)pInfo->slotDescription, SOFT_SLOT_DESCRIPTION,
286 	    64);
287 	(void) strncpy((char *)pInfo->manufacturerID, SOFT_MANUFACTURER_ID, 32);
288 	pInfo->flags = 0;
289 	if (soft_keystore_status(KEYSTORE_PRESENT)) {
290 		pInfo->flags |= CKF_TOKEN_PRESENT;
291 	}
292 	pInfo->hardwareVersion.major = HARDWARE_VERSION_MAJOR;
293 	pInfo->hardwareVersion.minor = HARDWARE_VERSION_MINOR;
294 	pInfo->firmwareVersion.major = FIRMWARE_VERSION_MAJOR;
295 	pInfo->firmwareVersion.minor = FIRMWARE_VERSION_MINOR;
296 
297 	return (CKR_OK);
298 }
299 
300 
301 CK_RV
302 C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
303 {
304 
305 	ulong_t	token_flag = 0;
306 	boolean_t pin_initialized = B_FALSE;
307 	char	*ks_cryptpin = NULL;
308 	CK_RV rv = CKR_OK;
309 
310 	if (!softtoken_initialized)
311 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
312 
313 	/* Make sure the slot ID is valid */
314 	if (slotID != SOFTTOKEN_SLOTID)
315 		return (CKR_SLOT_ID_INVALID);
316 
317 	if (pInfo == NULL)
318 		return (CKR_ARGUMENTS_BAD);
319 
320 	if (!soft_keystore_status(KEYSTORE_VERSION_OK))
321 		return (CKR_DEVICE_REMOVED);
322 
323 	/* Provide information about a token in the provided buffer */
324 	(void) strncpy((char *)pInfo->label, SOFT_TOKEN_LABEL, 32);
325 	(void) strncpy((char *)pInfo->manufacturerID, SOFT_MANUFACTURER_ID, 32);
326 	(void) strncpy((char *)pInfo->model, TOKEN_MODEL, 16);
327 	(void) strncpy((char *)pInfo->serialNumber, SOFT_TOKEN_SERIAL, 16);
328 
329 	rv = soft_keystore_pin_initialized(&pin_initialized, &ks_cryptpin,
330 	    B_FALSE);
331 	if (rv != CKR_OK)
332 		return (rv);
333 	if (!pin_initialized)
334 		token_flag = CKF_USER_PIN_TO_BE_CHANGED;
335 	if (ks_cryptpin)
336 		free(ks_cryptpin);
337 
338 	pInfo->flags = SOFT_TOKEN_FLAGS | token_flag;
339 	pInfo->ulMaxSessionCount = CK_EFFECTIVELY_INFINITE;
340 	pInfo->ulSessionCount = soft_session_cnt;
341 	pInfo->ulMaxRwSessionCount = CK_EFFECTIVELY_INFINITE;
342 	pInfo->ulRwSessionCount = soft_session_rw_cnt;
343 	pInfo->ulMaxPinLen = MAX_PIN_LEN;
344 	pInfo->ulMinPinLen = MIN_PIN_LEN;
345 	pInfo->ulTotalPublicMemory = CK_UNAVAILABLE_INFORMATION;
346 	pInfo->ulFreePublicMemory = CK_UNAVAILABLE_INFORMATION;
347 	pInfo->ulTotalPrivateMemory = CK_UNAVAILABLE_INFORMATION;
348 	pInfo->ulFreePrivateMemory = CK_UNAVAILABLE_INFORMATION;
349 	pInfo->hardwareVersion.major = HARDWARE_VERSION_MAJOR;
350 	pInfo->hardwareVersion.minor = HARDWARE_VERSION_MINOR;
351 	pInfo->firmwareVersion.major = FIRMWARE_VERSION_MAJOR;
352 	pInfo->firmwareVersion.minor = FIRMWARE_VERSION_MINOR;
353 	(void) memset(pInfo->utcTime, ' ', 16);
354 
355 	return (CKR_OK);
356 }
357 
358 /*ARGSUSED*/
359 CK_RV
360 C_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved)
361 {
362 	if (!softtoken_initialized)
363 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
364 
365 	/*
366 	 * This is currently not implemented, however we could cause this
367 	 * to wait for the token files to appear if soft_token_present is
368 	 * false.
369 	 * However there is currently no polite and portable way to do that
370 	 * because we might not even be able to get to an fd to the
371 	 * parent directory, so instead we don't support any slot events.
372 	 */
373 	return (CKR_FUNCTION_NOT_SUPPORTED);
374 }
375 
376 
377 CK_RV
378 C_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList,
379     CK_ULONG_PTR pulCount)
380 {
381 
382 	ulong_t i;
383 	ulong_t mechnum;
384 
385 	if (!softtoken_initialized)
386 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
387 
388 	if (slotID != SOFTTOKEN_SLOTID)
389 		return (CKR_SLOT_ID_INVALID);
390 
391 	mechnum = sizeof (soft_mechanisms) / sizeof (CK_MECHANISM_TYPE);
392 
393 	if (pMechanismList == NULL) {
394 		/*
395 		 * Application only wants to know the number of
396 		 * supported mechanism types.
397 		 */
398 		*pulCount = mechnum;
399 		return (CKR_OK);
400 	}
401 
402 	if (*pulCount < mechnum) {
403 		*pulCount = mechnum;
404 		return (CKR_BUFFER_TOO_SMALL);
405 	}
406 
407 	for (i = 0; i < mechnum; i++) {
408 		pMechanismList[i] = soft_mechanisms[i];
409 	}
410 
411 	*pulCount = mechnum;
412 
413 	return (CKR_OK);
414 }
415 
416 
417 CK_RV
418 C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
419     CK_MECHANISM_INFO_PTR pInfo)
420 {
421 
422 	ulong_t i;
423 	ulong_t mechnum;
424 
425 	if (!softtoken_initialized)
426 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
427 
428 	if (slotID != SOFTTOKEN_SLOTID)
429 		return (CKR_SLOT_ID_INVALID);
430 
431 	if (pInfo == NULL) {
432 		return (CKR_ARGUMENTS_BAD);
433 	}
434 
435 	mechnum = sizeof (soft_mechanisms) / sizeof (CK_MECHANISM_TYPE);
436 	for (i = 0; i < mechnum; i++) {
437 		if (soft_mechanisms[i] == type)
438 			break;
439 	}
440 
441 	if (i == mechnum)
442 		/* unsupported mechanism */
443 		return (CKR_MECHANISM_INVALID);
444 
445 	pInfo->ulMinKeySize = soft_mechanism_info[i].ulMinKeySize;
446 	pInfo->ulMaxKeySize = soft_mechanism_info[i].ulMaxKeySize;
447 	pInfo->flags = soft_mechanism_info[i].flags;
448 
449 	return (CKR_OK);
450 }
451 
452 
453 /*ARGSUSED*/
454 CK_RV
455 C_InitToken(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen,
456     CK_UTF8CHAR_PTR pLabel)
457 {
458 	if (!softtoken_initialized)
459 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
460 
461 	return (CKR_FUNCTION_NOT_SUPPORTED);
462 }
463 
464 /*ARGSUSED*/
465 CK_RV
466 C_InitPIN(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen)
467 {
468 	if (!softtoken_initialized)
469 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
470 
471 	return (CKR_FUNCTION_NOT_SUPPORTED);
472 }
473 
474 
475 CK_RV
476 C_SetPIN(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin,
477     CK_ULONG ulOldPinLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewPinLen)
478 {
479 
480 	soft_session_t *session_p;
481 	CK_RV rv;
482 	boolean_t lock_held = B_FALSE;
483 
484 	if (!softtoken_initialized)
485 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
486 
487 	/*
488 	 * Obtain the session pointer. Also, increment the session
489 	 * reference count.
490 	 */
491 	rv = handle2session(hSession, &session_p);
492 	if (rv != CKR_OK)
493 		return (rv);
494 
495 	if (!soft_keystore_status(KEYSTORE_VERSION_OK)) {
496 		SES_REFRELE(session_p, lock_held);
497 		return (CKR_DEVICE_REMOVED);
498 	}
499 
500 	if ((ulOldPinLen < MIN_PIN_LEN) || (ulOldPinLen > MAX_PIN_LEN) ||
501 	    (ulNewPinLen < MIN_PIN_LEN) ||(ulNewPinLen > MAX_PIN_LEN)) {
502 		SES_REFRELE(session_p, lock_held);
503 		return (CKR_PIN_LEN_RANGE);
504 	}
505 
506 	if ((pOldPin == NULL_PTR) || (pNewPin == NULL_PTR)) {
507 		/*
508 		 * We don't support CKF_PROTECTED_AUTHENTICATION_PATH
509 		 */
510 		SES_REFRELE(session_p, lock_held);
511 		return (CKR_ARGUMENTS_BAD);
512 	}
513 
514 	/* check the state of the session */
515 	if ((session_p->state != CKS_RW_PUBLIC_SESSION) &&
516 	    (session_p->state != CKS_RW_USER_FUNCTIONS)) {
517 		SES_REFRELE(session_p, lock_held);
518 		return (CKR_SESSION_READ_ONLY);
519 	}
520 
521 	rv = soft_setpin(pOldPin, ulOldPinLen, pNewPin, ulNewPinLen);
522 
523 	SES_REFRELE(session_p, lock_held);
524 	return (rv);
525 }
526