1*7c478bd9Sstevel@tonic-gate /* 2*7c478bd9Sstevel@tonic-gate * CDDL HEADER START 3*7c478bd9Sstevel@tonic-gate * 4*7c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*7c478bd9Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only 6*7c478bd9Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance 7*7c478bd9Sstevel@tonic-gate * with the License. 8*7c478bd9Sstevel@tonic-gate * 9*7c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10*7c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 11*7c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 12*7c478bd9Sstevel@tonic-gate * and limitations under the License. 13*7c478bd9Sstevel@tonic-gate * 14*7c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 15*7c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16*7c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 17*7c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 18*7c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 19*7c478bd9Sstevel@tonic-gate * 20*7c478bd9Sstevel@tonic-gate * CDDL HEADER END 21*7c478bd9Sstevel@tonic-gate */ 22*7c478bd9Sstevel@tonic-gate /* 23*7c478bd9Sstevel@tonic-gate * Copyright 2003 Sun Microsystems, Inc. All rights reserved. 24*7c478bd9Sstevel@tonic-gate * Use is subject to license terms. 25*7c478bd9Sstevel@tonic-gate */ 26*7c478bd9Sstevel@tonic-gate 27*7c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 28*7c478bd9Sstevel@tonic-gate 29*7c478bd9Sstevel@tonic-gate #include <security/cryptoki.h> 30*7c478bd9Sstevel@tonic-gate #include "pkcs11Global.h" 31*7c478bd9Sstevel@tonic-gate #include "pkcs11Conf.h" 32*7c478bd9Sstevel@tonic-gate #include "pkcs11Session.h" 33*7c478bd9Sstevel@tonic-gate #include "pkcs11Slot.h" 34*7c478bd9Sstevel@tonic-gate 35*7c478bd9Sstevel@tonic-gate /* 36*7c478bd9Sstevel@tonic-gate * C_VerifyInit will verify that the session handle is valid within the 37*7c478bd9Sstevel@tonic-gate * framework, that the mechanism is not disabled for the slot 38*7c478bd9Sstevel@tonic-gate * associated with this session, and then redirect to the underlying 39*7c478bd9Sstevel@tonic-gate * provider. Policy is only checked for C_VerifyInit, since it is 40*7c478bd9Sstevel@tonic-gate * required to be called before C_Verify and C_VerifyUpdate. 41*7c478bd9Sstevel@tonic-gate */ 42*7c478bd9Sstevel@tonic-gate CK_RV 43*7c478bd9Sstevel@tonic-gate C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, 44*7c478bd9Sstevel@tonic-gate CK_OBJECT_HANDLE hKey) 45*7c478bd9Sstevel@tonic-gate { 46*7c478bd9Sstevel@tonic-gate CK_RV rv; 47*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 48*7c478bd9Sstevel@tonic-gate CK_SLOT_ID slotid; 49*7c478bd9Sstevel@tonic-gate 50*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 51*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 52*7c478bd9Sstevel@tonic-gate if (policyfastpath && 53*7c478bd9Sstevel@tonic-gate pkcs11_is_dismech(fast_slot, pMechanism->mechanism)) { 54*7c478bd9Sstevel@tonic-gate return (CKR_MECHANISM_INVALID); 55*7c478bd9Sstevel@tonic-gate } 56*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_VerifyInit(hSession, pMechanism, hKey)); 57*7c478bd9Sstevel@tonic-gate } 58*7c478bd9Sstevel@tonic-gate 59*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 60*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 61*7c478bd9Sstevel@tonic-gate } 62*7c478bd9Sstevel@tonic-gate 63*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 64*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 65*7c478bd9Sstevel@tonic-gate 66*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 67*7c478bd9Sstevel@tonic-gate return (rv); 68*7c478bd9Sstevel@tonic-gate } 69*7c478bd9Sstevel@tonic-gate 70*7c478bd9Sstevel@tonic-gate slotid = sessp->se_slotid; 71*7c478bd9Sstevel@tonic-gate 72*7c478bd9Sstevel@tonic-gate /* Make sure this is not a disabled mechanism */ 73*7c478bd9Sstevel@tonic-gate if (pkcs11_is_dismech(slotid, pMechanism->mechanism)) { 74*7c478bd9Sstevel@tonic-gate return (CKR_MECHANISM_INVALID); 75*7c478bd9Sstevel@tonic-gate } 76*7c478bd9Sstevel@tonic-gate 77*7c478bd9Sstevel@tonic-gate /* Initialize the digest with the underlying provider */ 78*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(slotid)->C_VerifyInit(sessp->se_handle, 79*7c478bd9Sstevel@tonic-gate pMechanism, hKey); 80*7c478bd9Sstevel@tonic-gate 81*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 82*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 83*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 84*7c478bd9Sstevel@tonic-gate } 85*7c478bd9Sstevel@tonic-gate 86*7c478bd9Sstevel@tonic-gate return (rv); 87*7c478bd9Sstevel@tonic-gate 88*7c478bd9Sstevel@tonic-gate } 89*7c478bd9Sstevel@tonic-gate 90*7c478bd9Sstevel@tonic-gate /* 91*7c478bd9Sstevel@tonic-gate * C_Verify is a pure wrapper to the underlying provider. 92*7c478bd9Sstevel@tonic-gate * The only argument checked is whether or not hSession is valid. 93*7c478bd9Sstevel@tonic-gate */ 94*7c478bd9Sstevel@tonic-gate CK_RV 95*7c478bd9Sstevel@tonic-gate C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, 96*7c478bd9Sstevel@tonic-gate CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) 97*7c478bd9Sstevel@tonic-gate { 98*7c478bd9Sstevel@tonic-gate CK_RV rv; 99*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 100*7c478bd9Sstevel@tonic-gate 101*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 102*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 103*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_Verify(hSession, pData, ulDataLen, 104*7c478bd9Sstevel@tonic-gate pSignature, ulSignatureLen)); 105*7c478bd9Sstevel@tonic-gate } 106*7c478bd9Sstevel@tonic-gate 107*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 108*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 109*7c478bd9Sstevel@tonic-gate } 110*7c478bd9Sstevel@tonic-gate 111*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 112*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 113*7c478bd9Sstevel@tonic-gate 114*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 115*7c478bd9Sstevel@tonic-gate return (rv); 116*7c478bd9Sstevel@tonic-gate } 117*7c478bd9Sstevel@tonic-gate 118*7c478bd9Sstevel@tonic-gate /* Pass data to the provider */ 119*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(sessp->se_slotid)->C_Verify(sessp->se_handle, pData, 120*7c478bd9Sstevel@tonic-gate ulDataLen, pSignature, ulSignatureLen); 121*7c478bd9Sstevel@tonic-gate 122*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 123*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 124*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 125*7c478bd9Sstevel@tonic-gate } 126*7c478bd9Sstevel@tonic-gate 127*7c478bd9Sstevel@tonic-gate return (rv); 128*7c478bd9Sstevel@tonic-gate 129*7c478bd9Sstevel@tonic-gate } 130*7c478bd9Sstevel@tonic-gate 131*7c478bd9Sstevel@tonic-gate /* 132*7c478bd9Sstevel@tonic-gate * C_VerifyUpdate is a pure wrapper to the underlying provider. 133*7c478bd9Sstevel@tonic-gate * The only argument checked is whether or not hSession is valid. 134*7c478bd9Sstevel@tonic-gate */ 135*7c478bd9Sstevel@tonic-gate CK_RV 136*7c478bd9Sstevel@tonic-gate C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, 137*7c478bd9Sstevel@tonic-gate CK_ULONG ulPartLen) 138*7c478bd9Sstevel@tonic-gate { 139*7c478bd9Sstevel@tonic-gate CK_RV rv; 140*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 141*7c478bd9Sstevel@tonic-gate 142*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 143*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 144*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_VerifyUpdate(hSession, pPart, 145*7c478bd9Sstevel@tonic-gate ulPartLen)); 146*7c478bd9Sstevel@tonic-gate } 147*7c478bd9Sstevel@tonic-gate 148*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 149*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 150*7c478bd9Sstevel@tonic-gate } 151*7c478bd9Sstevel@tonic-gate 152*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 153*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 154*7c478bd9Sstevel@tonic-gate 155*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 156*7c478bd9Sstevel@tonic-gate return (rv); 157*7c478bd9Sstevel@tonic-gate } 158*7c478bd9Sstevel@tonic-gate 159*7c478bd9Sstevel@tonic-gate /* Pass data to the provider */ 160*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(sessp->se_slotid)->C_VerifyUpdate(sessp->se_handle, 161*7c478bd9Sstevel@tonic-gate pPart, ulPartLen); 162*7c478bd9Sstevel@tonic-gate 163*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 164*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 165*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 166*7c478bd9Sstevel@tonic-gate } 167*7c478bd9Sstevel@tonic-gate 168*7c478bd9Sstevel@tonic-gate return (rv); 169*7c478bd9Sstevel@tonic-gate } 170*7c478bd9Sstevel@tonic-gate 171*7c478bd9Sstevel@tonic-gate /* 172*7c478bd9Sstevel@tonic-gate * C_VerifyFinal is a pure wrapper to the underlying provider. 173*7c478bd9Sstevel@tonic-gate * The only argument checked is whether or not hSession is valid. 174*7c478bd9Sstevel@tonic-gate */ 175*7c478bd9Sstevel@tonic-gate CK_RV 176*7c478bd9Sstevel@tonic-gate C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, 177*7c478bd9Sstevel@tonic-gate CK_ULONG ulSignatureLen) 178*7c478bd9Sstevel@tonic-gate { 179*7c478bd9Sstevel@tonic-gate CK_RV rv; 180*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 181*7c478bd9Sstevel@tonic-gate 182*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 183*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 184*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_VerifyFinal(hSession, pSignature, 185*7c478bd9Sstevel@tonic-gate ulSignatureLen)); 186*7c478bd9Sstevel@tonic-gate } 187*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 188*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 189*7c478bd9Sstevel@tonic-gate } 190*7c478bd9Sstevel@tonic-gate 191*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 192*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 193*7c478bd9Sstevel@tonic-gate 194*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 195*7c478bd9Sstevel@tonic-gate return (rv); 196*7c478bd9Sstevel@tonic-gate } 197*7c478bd9Sstevel@tonic-gate 198*7c478bd9Sstevel@tonic-gate /* Pass data to the provider */ 199*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(sessp->se_slotid)->C_VerifyFinal(sessp->se_handle, 200*7c478bd9Sstevel@tonic-gate pSignature, ulSignatureLen); 201*7c478bd9Sstevel@tonic-gate 202*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 203*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 204*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 205*7c478bd9Sstevel@tonic-gate } 206*7c478bd9Sstevel@tonic-gate 207*7c478bd9Sstevel@tonic-gate return (rv); 208*7c478bd9Sstevel@tonic-gate 209*7c478bd9Sstevel@tonic-gate } 210*7c478bd9Sstevel@tonic-gate 211*7c478bd9Sstevel@tonic-gate /* 212*7c478bd9Sstevel@tonic-gate * C_VerifyRecoverInit will verify that the session handle is valid within 213*7c478bd9Sstevel@tonic-gate * the framework, that the mechanism is not disabled for the slot 214*7c478bd9Sstevel@tonic-gate * associated with this session, and then redirect to the underlying 215*7c478bd9Sstevel@tonic-gate * provider. Policy is only checked for C_VerifyRecoverInit, since it is 216*7c478bd9Sstevel@tonic-gate * required to be called before C_VerifyRecover. 217*7c478bd9Sstevel@tonic-gate */ 218*7c478bd9Sstevel@tonic-gate CK_RV 219*7c478bd9Sstevel@tonic-gate C_VerifyRecoverInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, 220*7c478bd9Sstevel@tonic-gate CK_OBJECT_HANDLE hKey) 221*7c478bd9Sstevel@tonic-gate { 222*7c478bd9Sstevel@tonic-gate CK_RV rv; 223*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 224*7c478bd9Sstevel@tonic-gate CK_SLOT_ID slotid; 225*7c478bd9Sstevel@tonic-gate 226*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 227*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 228*7c478bd9Sstevel@tonic-gate if (policyfastpath && 229*7c478bd9Sstevel@tonic-gate pkcs11_is_dismech(fast_slot, pMechanism->mechanism)) { 230*7c478bd9Sstevel@tonic-gate return (CKR_MECHANISM_INVALID); 231*7c478bd9Sstevel@tonic-gate } 232*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_VerifyRecoverInit(hSession, pMechanism, 233*7c478bd9Sstevel@tonic-gate hKey)); 234*7c478bd9Sstevel@tonic-gate } 235*7c478bd9Sstevel@tonic-gate 236*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 237*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 238*7c478bd9Sstevel@tonic-gate } 239*7c478bd9Sstevel@tonic-gate 240*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 241*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 242*7c478bd9Sstevel@tonic-gate 243*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 244*7c478bd9Sstevel@tonic-gate return (rv); 245*7c478bd9Sstevel@tonic-gate } 246*7c478bd9Sstevel@tonic-gate 247*7c478bd9Sstevel@tonic-gate slotid = sessp->se_slotid; 248*7c478bd9Sstevel@tonic-gate 249*7c478bd9Sstevel@tonic-gate /* Make sure this is not a disabled mechanism */ 250*7c478bd9Sstevel@tonic-gate if (pkcs11_is_dismech(slotid, pMechanism->mechanism)) { 251*7c478bd9Sstevel@tonic-gate return (CKR_MECHANISM_INVALID); 252*7c478bd9Sstevel@tonic-gate } 253*7c478bd9Sstevel@tonic-gate 254*7c478bd9Sstevel@tonic-gate /* Initialize the digest with the underlying provider */ 255*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(slotid)->C_VerifyRecoverInit(sessp->se_handle, 256*7c478bd9Sstevel@tonic-gate pMechanism, hKey); 257*7c478bd9Sstevel@tonic-gate 258*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 259*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 260*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 261*7c478bd9Sstevel@tonic-gate } 262*7c478bd9Sstevel@tonic-gate 263*7c478bd9Sstevel@tonic-gate return (rv); 264*7c478bd9Sstevel@tonic-gate 265*7c478bd9Sstevel@tonic-gate 266*7c478bd9Sstevel@tonic-gate } 267*7c478bd9Sstevel@tonic-gate 268*7c478bd9Sstevel@tonic-gate /* 269*7c478bd9Sstevel@tonic-gate * C_VerifyRecover is a pure wrapper to the underlying provider. 270*7c478bd9Sstevel@tonic-gate * The only argument checked is whether or not hSession is valid. 271*7c478bd9Sstevel@tonic-gate */ 272*7c478bd9Sstevel@tonic-gate CK_RV 273*7c478bd9Sstevel@tonic-gate C_VerifyRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, 274*7c478bd9Sstevel@tonic-gate CK_ULONG ulSignatureLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) 275*7c478bd9Sstevel@tonic-gate { 276*7c478bd9Sstevel@tonic-gate CK_RV rv; 277*7c478bd9Sstevel@tonic-gate pkcs11_session_t *sessp; 278*7c478bd9Sstevel@tonic-gate 279*7c478bd9Sstevel@tonic-gate /* Check for a fastpath */ 280*7c478bd9Sstevel@tonic-gate if (purefastpath || policyfastpath) { 281*7c478bd9Sstevel@tonic-gate return (fast_funcs->C_VerifyRecover(hSession, pSignature, 282*7c478bd9Sstevel@tonic-gate ulSignatureLen, pData, pulDataLen)); 283*7c478bd9Sstevel@tonic-gate } 284*7c478bd9Sstevel@tonic-gate 285*7c478bd9Sstevel@tonic-gate if (!pkcs11_initialized) { 286*7c478bd9Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED); 287*7c478bd9Sstevel@tonic-gate } 288*7c478bd9Sstevel@tonic-gate 289*7c478bd9Sstevel@tonic-gate /* Obtain the session pointer */ 290*7c478bd9Sstevel@tonic-gate HANDLE2SESSION(hSession, sessp, rv); 291*7c478bd9Sstevel@tonic-gate 292*7c478bd9Sstevel@tonic-gate if (rv != CKR_OK) { 293*7c478bd9Sstevel@tonic-gate return (rv); 294*7c478bd9Sstevel@tonic-gate } 295*7c478bd9Sstevel@tonic-gate 296*7c478bd9Sstevel@tonic-gate /* Pass data to the provider */ 297*7c478bd9Sstevel@tonic-gate rv = FUNCLIST(sessp->se_slotid)->C_VerifyRecover(sessp->se_handle, 298*7c478bd9Sstevel@tonic-gate pSignature, ulSignatureLen, pData, pulDataLen); 299*7c478bd9Sstevel@tonic-gate 300*7c478bd9Sstevel@tonic-gate /* Present consistent interface to the application */ 301*7c478bd9Sstevel@tonic-gate if (rv == CKR_FUNCTION_NOT_SUPPORTED) { 302*7c478bd9Sstevel@tonic-gate return (CKR_FUNCTION_FAILED); 303*7c478bd9Sstevel@tonic-gate } 304*7c478bd9Sstevel@tonic-gate 305*7c478bd9Sstevel@tonic-gate return (rv); 306*7c478bd9Sstevel@tonic-gate } 307