1*7c478bd9Sstevel@tonic-gate /* 2*7c478bd9Sstevel@tonic-gate * CDDL HEADER START 3*7c478bd9Sstevel@tonic-gate * 4*7c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*7c478bd9Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only 6*7c478bd9Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance 7*7c478bd9Sstevel@tonic-gate * with the License. 8*7c478bd9Sstevel@tonic-gate * 9*7c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10*7c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 11*7c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 12*7c478bd9Sstevel@tonic-gate * and limitations under the License. 13*7c478bd9Sstevel@tonic-gate * 14*7c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 15*7c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16*7c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 17*7c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 18*7c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 19*7c478bd9Sstevel@tonic-gate * 20*7c478bd9Sstevel@tonic-gate * CDDL HEADER END 21*7c478bd9Sstevel@tonic-gate */ 22*7c478bd9Sstevel@tonic-gate /* 23*7c478bd9Sstevel@tonic-gate * Copyright 2003 Sun Microsystems, Inc. All rights reserved. 24*7c478bd9Sstevel@tonic-gate * Use is subject to license terms. 25*7c478bd9Sstevel@tonic-gate */ 26*7c478bd9Sstevel@tonic-gate 27*7c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 28*7c478bd9Sstevel@tonic-gate 29*7c478bd9Sstevel@tonic-gate #include <security/cryptoki.h> 30*7c478bd9Sstevel@tonic-gate #include "pkcs11Global.h" 31*7c478bd9Sstevel@tonic-gate #include "pkcs11Conf.h" 32*7c478bd9Sstevel@tonic-gate #include "pkcs11Session.h" 33*7c478bd9Sstevel@tonic-gate #include "pkcs11Slot.h" 34*7c478bd9Sstevel@tonic-gate 35*7c478bd9Sstevel@tonic-gate /* 36*7c478bd9Sstevel@tonic-gate * C_SignInit will verify that the session handle is valid within the 37*7c478bd9Sstevel@tonic-gate * framework, that the mechanism is not disabled for the slot 38*7c478bd9Sstevel@tonic-gate * associated with this session, and then redirect to the underlying 39*7c478bd9Sstevel@tonic-gate * provider. Policy is only checked for C_SignInit, since it is 40*7c478bd9Sstevel@tonic-gate * required to be called before C_Sign and C_SignUpdate. 41*7c478bd9Sstevel@tonic-gate */ 42*7c478bd9Sstevel@tonic-gate CK_RV 43*7c478bd9Sstevel@tonic-gate C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, 44*7c478bd9Sstevel@tonic-gate CK_OBJECT_HANDLE hKey) 45*7c478bd9Sstevel@tonic-gate { 46*7c478bd9Sstevel@tonic-gate 47*7c478bd9Sstevel@tonic-gate CK_RV rv; 48*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 49*7c478bd9Sstevel@tonic-gate CK_SLOT_ID slotid; 50*7c478bd9Sstevel@tonic-gate 51*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 52*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 53*7c478bd9Sstevel@tonic-gate if (policyfastpath && 54*7c478bd9Sstevel@tonic-gate pkcs11_is_dismech(fast_slot, pMechanism->mechanism)) { 55*7c478bd9Sstevel@tonic-gate return (CKR_MECHANISM_INVALID); 56*7c478bd9Sstevel@tonic-gate } 57*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_SignInit(hSession, pMechanism, hKey)); 58*7c478bd9Sstevel@tonic-gate } 59*7c478bd9Sstevel@tonic-gate 60*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 61*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 62*7c478bd9Sstevel@tonic-gate } 63*7c478bd9Sstevel@tonic-gate 64*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 65*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 66*7c478bd9Sstevel@tonic-gate 67*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 68*7c478bd9Sstevel@tonic-gate return (rv); 69*7c478bd9Sstevel@tonic-gate } 70*7c478bd9Sstevel@tonic-gate 71*7c478bd9Sstevel@tonic-gate slotid = sessp->se_slotid; 72*7c478bd9Sstevel@tonic-gate 73*7c478bd9Sstevel@tonic-gate /* Make sure this is not a disabled mechanism */ 74*7c478bd9Sstevel@tonic-gate if (pkcs11_is_dismech(slotid, pMechanism->mechanism)) { 75*7c478bd9Sstevel@tonic-gate return (CKR_MECHANISM_INVALID); 76*7c478bd9Sstevel@tonic-gate } 77*7c478bd9Sstevel@tonic-gate 78*7c478bd9Sstevel@tonic-gate /* Initialize the digest with the underlying provider */ 79*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(slotid)->C_SignInit(sessp->se_handle, 80*7c478bd9Sstevel@tonic-gate pMechanism, hKey); 81*7c478bd9Sstevel@tonic-gate 82*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 83*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 84*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 85*7c478bd9Sstevel@tonic-gate } 86*7c478bd9Sstevel@tonic-gate 87*7c478bd9Sstevel@tonic-gate return (rv); 88*7c478bd9Sstevel@tonic-gate } 89*7c478bd9Sstevel@tonic-gate 90*7c478bd9Sstevel@tonic-gate /* 91*7c478bd9Sstevel@tonic-gate * C_Sign is a pure wrapper to the underlying provider. 92*7c478bd9Sstevel@tonic-gate * The only argument checked is whether or not hSession is valid. 93*7c478bd9Sstevel@tonic-gate */ 94*7c478bd9Sstevel@tonic-gate CK_RV 95*7c478bd9Sstevel@tonic-gate C_Sign(CK_SESSION_HANDLE hSession, 96*7c478bd9Sstevel@tonic-gate CK_BYTE_PTR pData, 97*7c478bd9Sstevel@tonic-gate CK_ULONG ulDataLen, 98*7c478bd9Sstevel@tonic-gate CK_BYTE_PTR pSignature, 99*7c478bd9Sstevel@tonic-gate CK_ULONG_PTR pulSignatureLen) 100*7c478bd9Sstevel@tonic-gate { 101*7c478bd9Sstevel@tonic-gate CK_RV rv; 102*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 103*7c478bd9Sstevel@tonic-gate 104*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 105*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 106*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_Sign(hSession, pData, ulDataLen, 107*7c478bd9Sstevel@tonic-gate pSignature, pulSignatureLen)); 108*7c478bd9Sstevel@tonic-gate } 109*7c478bd9Sstevel@tonic-gate 110*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 111*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 112*7c478bd9Sstevel@tonic-gate } 113*7c478bd9Sstevel@tonic-gate 114*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 115*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 116*7c478bd9Sstevel@tonic-gate 117*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 118*7c478bd9Sstevel@tonic-gate return (rv); 119*7c478bd9Sstevel@tonic-gate } 120*7c478bd9Sstevel@tonic-gate 121*7c478bd9Sstevel@tonic-gate /* Pass data to the provider */ 122*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(sessp->se_slotid)->C_Sign(sessp->se_handle, pData, 123*7c478bd9Sstevel@tonic-gate ulDataLen, pSignature, pulSignatureLen); 124*7c478bd9Sstevel@tonic-gate 125*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 126*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 127*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 128*7c478bd9Sstevel@tonic-gate } 129*7c478bd9Sstevel@tonic-gate 130*7c478bd9Sstevel@tonic-gate return (rv); 131*7c478bd9Sstevel@tonic-gate 132*7c478bd9Sstevel@tonic-gate } 133*7c478bd9Sstevel@tonic-gate 134*7c478bd9Sstevel@tonic-gate /* 135*7c478bd9Sstevel@tonic-gate * C_SignUpdate is a pure wrapper to the underlying provider. 136*7c478bd9Sstevel@tonic-gate * The only argument checked is whether or not hSession is valid. 137*7c478bd9Sstevel@tonic-gate */ 138*7c478bd9Sstevel@tonic-gate CK_RV 139*7c478bd9Sstevel@tonic-gate C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) 140*7c478bd9Sstevel@tonic-gate { 141*7c478bd9Sstevel@tonic-gate CK_RV rv; 142*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 143*7c478bd9Sstevel@tonic-gate 144*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 145*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 146*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_SignUpdate(hSession, pPart, ulPartLen)); 147*7c478bd9Sstevel@tonic-gate } 148*7c478bd9Sstevel@tonic-gate 149*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 150*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 151*7c478bd9Sstevel@tonic-gate } 152*7c478bd9Sstevel@tonic-gate 153*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 154*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 155*7c478bd9Sstevel@tonic-gate 156*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 157*7c478bd9Sstevel@tonic-gate return (rv); 158*7c478bd9Sstevel@tonic-gate } 159*7c478bd9Sstevel@tonic-gate 160*7c478bd9Sstevel@tonic-gate /* Pass data to the provider */ 161*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(sessp->se_slotid)->C_SignUpdate(sessp->se_handle, pPart, 162*7c478bd9Sstevel@tonic-gate ulPartLen); 163*7c478bd9Sstevel@tonic-gate 164*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 165*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 166*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 167*7c478bd9Sstevel@tonic-gate } 168*7c478bd9Sstevel@tonic-gate 169*7c478bd9Sstevel@tonic-gate return (rv); 170*7c478bd9Sstevel@tonic-gate 171*7c478bd9Sstevel@tonic-gate } 172*7c478bd9Sstevel@tonic-gate 173*7c478bd9Sstevel@tonic-gate /* 174*7c478bd9Sstevel@tonic-gate * C_SignFinal is a pure wrapper to the underlying provider. 175*7c478bd9Sstevel@tonic-gate * The only argument checked is whether or not hSession is valid. 176*7c478bd9Sstevel@tonic-gate */ 177*7c478bd9Sstevel@tonic-gate CK_RV 178*7c478bd9Sstevel@tonic-gate C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, 179*7c478bd9Sstevel@tonic-gate CK_ULONG_PTR pulSignatureLen) 180*7c478bd9Sstevel@tonic-gate { 181*7c478bd9Sstevel@tonic-gate CK_RV rv; 182*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 183*7c478bd9Sstevel@tonic-gate 184*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 185*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 186*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_SignFinal(hSession, pSignature, 187*7c478bd9Sstevel@tonic-gate pulSignatureLen)); 188*7c478bd9Sstevel@tonic-gate } 189*7c478bd9Sstevel@tonic-gate 190*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 191*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 192*7c478bd9Sstevel@tonic-gate } 193*7c478bd9Sstevel@tonic-gate 194*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 195*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 196*7c478bd9Sstevel@tonic-gate 197*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 198*7c478bd9Sstevel@tonic-gate return (rv); 199*7c478bd9Sstevel@tonic-gate } 200*7c478bd9Sstevel@tonic-gate 201*7c478bd9Sstevel@tonic-gate /* Pass data to the provider */ 202*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(sessp->se_slotid)->C_SignFinal(sessp->se_handle, 203*7c478bd9Sstevel@tonic-gate pSignature, pulSignatureLen); 204*7c478bd9Sstevel@tonic-gate 205*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 206*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 207*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 208*7c478bd9Sstevel@tonic-gate } 209*7c478bd9Sstevel@tonic-gate 210*7c478bd9Sstevel@tonic-gate return (rv); 211*7c478bd9Sstevel@tonic-gate } 212*7c478bd9Sstevel@tonic-gate 213*7c478bd9Sstevel@tonic-gate /* 214*7c478bd9Sstevel@tonic-gate * C_SignRecoverInit will verify that the session handle is valid within 215*7c478bd9Sstevel@tonic-gate * the framework, that the mechanism is not disabled for the slot 216*7c478bd9Sstevel@tonic-gate * associated with this session, and then redirect to the underlying 217*7c478bd9Sstevel@tonic-gate * provider. Policy is only checked for C_SignRecoverInit, since it is 218*7c478bd9Sstevel@tonic-gate * required to be called before C_SignRecover. 219*7c478bd9Sstevel@tonic-gate */ 220*7c478bd9Sstevel@tonic-gate CK_RV 221*7c478bd9Sstevel@tonic-gate C_SignRecoverInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, 222*7c478bd9Sstevel@tonic-gate CK_OBJECT_HANDLE hKey) 223*7c478bd9Sstevel@tonic-gate { 224*7c478bd9Sstevel@tonic-gate CK_RV rv; 225*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 226*7c478bd9Sstevel@tonic-gate CK_SLOT_ID slotid; 227*7c478bd9Sstevel@tonic-gate 228*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 229*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 230*7c478bd9Sstevel@tonic-gate if (policyfastpath && 231*7c478bd9Sstevel@tonic-gate pkcs11_is_dismech(fast_slot, pMechanism->mechanism)) { 232*7c478bd9Sstevel@tonic-gate return (CKR_MECHANISM_INVALID); 233*7c478bd9Sstevel@tonic-gate } 234*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_SignRecoverInit(hSession, pMechanism, 235*7c478bd9Sstevel@tonic-gate hKey)); 236*7c478bd9Sstevel@tonic-gate } 237*7c478bd9Sstevel@tonic-gate 238*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 239*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 240*7c478bd9Sstevel@tonic-gate } 241*7c478bd9Sstevel@tonic-gate 242*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 243*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 244*7c478bd9Sstevel@tonic-gate 245*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 246*7c478bd9Sstevel@tonic-gate return (rv); 247*7c478bd9Sstevel@tonic-gate } 248*7c478bd9Sstevel@tonic-gate 249*7c478bd9Sstevel@tonic-gate slotid = sessp->se_slotid; 250*7c478bd9Sstevel@tonic-gate 251*7c478bd9Sstevel@tonic-gate /* Make sure this is not a disabled mechanism */ 252*7c478bd9Sstevel@tonic-gate if (pkcs11_is_dismech(slotid, pMechanism->mechanism)) { 253*7c478bd9Sstevel@tonic-gate return (CKR_MECHANISM_INVALID); 254*7c478bd9Sstevel@tonic-gate } 255*7c478bd9Sstevel@tonic-gate 256*7c478bd9Sstevel@tonic-gate /* Initialize the digest with the underlying provider */ 257*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(slotid)->C_SignRecoverInit(sessp->se_handle, 258*7c478bd9Sstevel@tonic-gate pMechanism, hKey); 259*7c478bd9Sstevel@tonic-gate 260*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 261*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 262*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 263*7c478bd9Sstevel@tonic-gate } 264*7c478bd9Sstevel@tonic-gate 265*7c478bd9Sstevel@tonic-gate return (rv); 266*7c478bd9Sstevel@tonic-gate 267*7c478bd9Sstevel@tonic-gate } 268*7c478bd9Sstevel@tonic-gate 269*7c478bd9Sstevel@tonic-gate /* 270*7c478bd9Sstevel@tonic-gate * C_SignRecover is a pure wrapper to the underlying provider. 271*7c478bd9Sstevel@tonic-gate * The only argument checked is whether or not hSession is valid. 272*7c478bd9Sstevel@tonic-gate */ 273*7c478bd9Sstevel@tonic-gate CK_RV 274*7c478bd9Sstevel@tonic-gate C_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, 275*7c478bd9Sstevel@tonic-gate CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) 276*7c478bd9Sstevel@tonic-gate { 277*7c478bd9Sstevel@tonic-gate CK_RV rv; 278*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 279*7c478bd9Sstevel@tonic-gate 280*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 281*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 282*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_SignRecover(hSession, pData, ulDataLen, 283*7c478bd9Sstevel@tonic-gate pSignature, pulSignatureLen)); 284*7c478bd9Sstevel@tonic-gate } 285*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 286*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 287*7c478bd9Sstevel@tonic-gate } 288*7c478bd9Sstevel@tonic-gate 289*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 290*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 291*7c478bd9Sstevel@tonic-gate 292*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 293*7c478bd9Sstevel@tonic-gate return (rv); 294*7c478bd9Sstevel@tonic-gate } 295*7c478bd9Sstevel@tonic-gate 296*7c478bd9Sstevel@tonic-gate /* Pass data to the provider */ 297*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(sessp->se_slotid)->C_SignRecover(sessp->se_handle, pData, 298*7c478bd9Sstevel@tonic-gate ulDataLen, pSignature, pulSignatureLen); 299*7c478bd9Sstevel@tonic-gate 300*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 301*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 302*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 303*7c478bd9Sstevel@tonic-gate } 304*7c478bd9Sstevel@tonic-gate 305*7c478bd9Sstevel@tonic-gate return (rv); 306*7c478bd9Sstevel@tonic-gate } 307