1*47e946e7SWyllys Ingersoll /* 2*47e946e7SWyllys Ingersoll * Common Public License Version 0.5 3*47e946e7SWyllys Ingersoll * 4*47e946e7SWyllys Ingersoll * THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF 5*47e946e7SWyllys Ingersoll * THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE, 6*47e946e7SWyllys Ingersoll * REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES 7*47e946e7SWyllys Ingersoll * RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. 8*47e946e7SWyllys Ingersoll * 9*47e946e7SWyllys Ingersoll * 1. DEFINITIONS 10*47e946e7SWyllys Ingersoll * 11*47e946e7SWyllys Ingersoll * "Contribution" means: 12*47e946e7SWyllys Ingersoll * a) in the case of the initial Contributor, the 13*47e946e7SWyllys Ingersoll * initial code and documentation distributed under 14*47e946e7SWyllys Ingersoll * this Agreement, and 15*47e946e7SWyllys Ingersoll * 16*47e946e7SWyllys Ingersoll * b) in the case of each subsequent Contributor: 17*47e946e7SWyllys Ingersoll * i) changes to the Program, and 18*47e946e7SWyllys Ingersoll * ii) additions to the Program; 19*47e946e7SWyllys Ingersoll * 20*47e946e7SWyllys Ingersoll * where such changes and/or additions to the Program 21*47e946e7SWyllys Ingersoll * originate from and are distributed by that 22*47e946e7SWyllys Ingersoll * particular Contributor. A Contribution 'originates' 23*47e946e7SWyllys Ingersoll * from a Contributor if it was added to the Program 24*47e946e7SWyllys Ingersoll * by such Contributor itself or anyone acting on such 25*47e946e7SWyllys Ingersoll * Contributor's behalf. Contributions do not include 26*47e946e7SWyllys Ingersoll * additions to the Program which: (i) are separate 27*47e946e7SWyllys Ingersoll * modules of software distributed in conjunction with 28*47e946e7SWyllys Ingersoll * the Program under their own license agreement, and 29*47e946e7SWyllys Ingersoll * (ii) are not derivative works of the Program. 30*47e946e7SWyllys Ingersoll * 31*47e946e7SWyllys Ingersoll * 32*47e946e7SWyllys Ingersoll * "Contributor" means any person or entity that distributes 33*47e946e7SWyllys Ingersoll * the Program. 34*47e946e7SWyllys Ingersoll * 35*47e946e7SWyllys Ingersoll * "Licensed Patents " mean patent claims licensable by a 36*47e946e7SWyllys Ingersoll * Contributor which are necessarily infringed by the use or 37*47e946e7SWyllys Ingersoll * sale of its Contribution alone or when combined with the 38*47e946e7SWyllys Ingersoll * Program. 39*47e946e7SWyllys Ingersoll * 40*47e946e7SWyllys Ingersoll * "Program" means the Contributions distributed in 41*47e946e7SWyllys Ingersoll * accordance with this Agreement. 42*47e946e7SWyllys Ingersoll * 43*47e946e7SWyllys Ingersoll * "Recipient" means anyone who receives the Program under 44*47e946e7SWyllys Ingersoll * this Agreement, including all Contributors. 45*47e946e7SWyllys Ingersoll * 46*47e946e7SWyllys Ingersoll * 2. GRANT OF RIGHTS 47*47e946e7SWyllys Ingersoll * 48*47e946e7SWyllys Ingersoll * a) Subject to the terms of this Agreement, each 49*47e946e7SWyllys Ingersoll * Contributor hereby grants Recipient a 50*47e946e7SWyllys Ingersoll * no - exclusive, worldwide, royalt - free copyright 51*47e946e7SWyllys Ingersoll * license to reproduce, prepare derivative works of, 52*47e946e7SWyllys Ingersoll * publicly display, publicly perform, distribute and 53*47e946e7SWyllys Ingersoll * sublicense the Contribution of such Contributor, if 54*47e946e7SWyllys Ingersoll * any, and such derivative works, in source code and 55*47e946e7SWyllys Ingersoll * object code form. 56*47e946e7SWyllys Ingersoll * 57*47e946e7SWyllys Ingersoll * b) Subject to the terms of this Agreement, each 58*47e946e7SWyllys Ingersoll * Contributor hereby grants Recipient a 59*47e946e7SWyllys Ingersoll * no - exclusive, worldwide, royalt - free patent 60*47e946e7SWyllys Ingersoll * license under Licensed Patents to make, use, sell, 61*47e946e7SWyllys Ingersoll * offer to sell, import and otherwise transfer the 62*47e946e7SWyllys Ingersoll * Contribution of such Contributor, if any, in source 63*47e946e7SWyllys Ingersoll * code and object code form. This patent license 64*47e946e7SWyllys Ingersoll * shall apply to the combination of the Contribution 65*47e946e7SWyllys Ingersoll * and the Program if, at the time the Contribution is 66*47e946e7SWyllys Ingersoll * added by the Contributor, such addition of the 67*47e946e7SWyllys Ingersoll * Contribution causes such combination to be covered 68*47e946e7SWyllys Ingersoll * by the Licensed Patents. The patent license shall 69*47e946e7SWyllys Ingersoll * not apply to any other combinations which include 70*47e946e7SWyllys Ingersoll * the Contribution. No hardware per se is licensed 71*47e946e7SWyllys Ingersoll * hereunder. 72*47e946e7SWyllys Ingersoll * 73*47e946e7SWyllys Ingersoll * c) Recipient understands that although each 74*47e946e7SWyllys Ingersoll * Contributor grants the licenses to its 75*47e946e7SWyllys Ingersoll * Contributions set forth herein, no assurances are 76*47e946e7SWyllys Ingersoll * provided by any Contributor that the Program does 77*47e946e7SWyllys Ingersoll * not infringe the patent or other intellectual 78*47e946e7SWyllys Ingersoll * property rights of any other entity. Each 79*47e946e7SWyllys Ingersoll * Contributor disclaims any liability to Recipient 80*47e946e7SWyllys Ingersoll * for claims brought by any other entity based on 81*47e946e7SWyllys Ingersoll * infringement of intellectual property rights or 82*47e946e7SWyllys Ingersoll * otherwise. As a condition to exercising the rights 83*47e946e7SWyllys Ingersoll * and licenses granted hereunder, each Recipient 84*47e946e7SWyllys Ingersoll * hereby assumes sole responsibility to secure any 85*47e946e7SWyllys Ingersoll * other intellectual property rights needed, if any. 86*47e946e7SWyllys Ingersoll * 87*47e946e7SWyllys Ingersoll * For example, if a third party patent license is 88*47e946e7SWyllys Ingersoll * required to allow Recipient to distribute the 89*47e946e7SWyllys Ingersoll * Program, it is Recipient's responsibility to 90*47e946e7SWyllys Ingersoll * acquire that license before distributing the 91*47e946e7SWyllys Ingersoll * Program. 92*47e946e7SWyllys Ingersoll * 93*47e946e7SWyllys Ingersoll * d) Each Contributor represents that to its 94*47e946e7SWyllys Ingersoll * knowledge it has sufficient copyright rights in its 95*47e946e7SWyllys Ingersoll * Contribution, if any, to grant the copyright 96*47e946e7SWyllys Ingersoll * license set forth in this Agreement. 97*47e946e7SWyllys Ingersoll * 98*47e946e7SWyllys Ingersoll * 3. REQUIREMENTS 99*47e946e7SWyllys Ingersoll * 100*47e946e7SWyllys Ingersoll * A Contributor may choose to distribute the Program in 101*47e946e7SWyllys Ingersoll * object code form under its own license agreement, provided 102*47e946e7SWyllys Ingersoll * that: 103*47e946e7SWyllys Ingersoll * a) it complies with the terms and conditions of 104*47e946e7SWyllys Ingersoll * this Agreement; and 105*47e946e7SWyllys Ingersoll * 106*47e946e7SWyllys Ingersoll * b) its license agreement: 107*47e946e7SWyllys Ingersoll * i) effectively disclaims on behalf of all 108*47e946e7SWyllys Ingersoll * Contributors all warranties and conditions, express 109*47e946e7SWyllys Ingersoll * and implied, including warranties or conditions of 110*47e946e7SWyllys Ingersoll * title and no - infringement, and implied warranties 111*47e946e7SWyllys Ingersoll * or conditions of merchantability and fitness for a 112*47e946e7SWyllys Ingersoll * particular purpose; 113*47e946e7SWyllys Ingersoll * 114*47e946e7SWyllys Ingersoll * ii) effectively excludes on behalf of all 115*47e946e7SWyllys Ingersoll * Contributors all liability for damages, including 116*47e946e7SWyllys Ingersoll * direct, indirect, special, incidental and 117*47e946e7SWyllys Ingersoll * consequential damages, such as lost profits; 118*47e946e7SWyllys Ingersoll * 119*47e946e7SWyllys Ingersoll * iii) states that any provisions which differ from 120*47e946e7SWyllys Ingersoll * this Agreement are offered by that Contributor 121*47e946e7SWyllys Ingersoll * alone and not by any other party; and 122*47e946e7SWyllys Ingersoll * 123*47e946e7SWyllys Ingersoll * iv) states that source code for the Program is 124*47e946e7SWyllys Ingersoll * available from such Contributor, and informs 125*47e946e7SWyllys Ingersoll * licensees how to obtain it in a reasonable manner 126*47e946e7SWyllys Ingersoll * on or through a medium customarily used for 127*47e946e7SWyllys Ingersoll * software exchange. 128*47e946e7SWyllys Ingersoll * 129*47e946e7SWyllys Ingersoll * When the Program is made available in source code form: 130*47e946e7SWyllys Ingersoll * a) it must be made available under this Agreement; 131*47e946e7SWyllys Ingersoll * and 132*47e946e7SWyllys Ingersoll * b) a copy of this Agreement must be included with 133*47e946e7SWyllys Ingersoll * each copy of the Program. 134*47e946e7SWyllys Ingersoll * 135*47e946e7SWyllys Ingersoll * Contributors may not remove or alter any copyright notices 136*47e946e7SWyllys Ingersoll * contained within the Program. 137*47e946e7SWyllys Ingersoll * 138*47e946e7SWyllys Ingersoll * Each Contributor must identify itself as the originator of 139*47e946e7SWyllys Ingersoll * its Contribution, if any, in a manner that reasonably 140*47e946e7SWyllys Ingersoll * allows subsequent Recipients to identify the originator of 141*47e946e7SWyllys Ingersoll * the Contribution. 142*47e946e7SWyllys Ingersoll * 143*47e946e7SWyllys Ingersoll * 144*47e946e7SWyllys Ingersoll * 4. COMMERCIAL DISTRIBUTION 145*47e946e7SWyllys Ingersoll * 146*47e946e7SWyllys Ingersoll * Commercial distributors of software may accept certain 147*47e946e7SWyllys Ingersoll * responsibilities with respect to end users, business 148*47e946e7SWyllys Ingersoll * partners and the like. While this license is intended to 149*47e946e7SWyllys Ingersoll * facilitate the commercial use of the Program, the 150*47e946e7SWyllys Ingersoll * Contributor who includes the Program in a commercial 151*47e946e7SWyllys Ingersoll * product offering should do so in a manner which does not 152*47e946e7SWyllys Ingersoll * create potential liability for other Contributors. 153*47e946e7SWyllys Ingersoll * Therefore, if a Contributor includes the Program in a 154*47e946e7SWyllys Ingersoll * commercial product offering, such Contributor ("Commercial 155*47e946e7SWyllys Ingersoll * Contributor") hereby agrees to defend and indemnify every 156*47e946e7SWyllys Ingersoll * other Contributor ("Indemnified Contributor") against any 157*47e946e7SWyllys Ingersoll * losses, damages and costs (collectively "Losses") arising 158*47e946e7SWyllys Ingersoll * from claims, lawsuits and other legal actions brought by a 159*47e946e7SWyllys Ingersoll * third party against the Indemnified Contributor to the 160*47e946e7SWyllys Ingersoll * extent caused by the acts or omissions of such Commercial 161*47e946e7SWyllys Ingersoll * Contributor in connection with its distribution of the 162*47e946e7SWyllys Ingersoll * Program in a commercial product offering. The obligations 163*47e946e7SWyllys Ingersoll * in this section do not apply to any claims or Losses 164*47e946e7SWyllys Ingersoll * relating to any actual or alleged intellectual property 165*47e946e7SWyllys Ingersoll * infringement. In order to qualify, an Indemnified 166*47e946e7SWyllys Ingersoll * Contributor must: a) promptly notify the Commercial 167*47e946e7SWyllys Ingersoll * Contributor in writing of such claim, and b) allow the 168*47e946e7SWyllys Ingersoll * Commercial Contributor to control, and cooperate with the 169*47e946e7SWyllys Ingersoll * Commercial Contributor in, the defense and any related 170*47e946e7SWyllys Ingersoll * settlement negotiations. The Indemnified Contributor may 171*47e946e7SWyllys Ingersoll * participate in any such claim at its own expense. 172*47e946e7SWyllys Ingersoll * 173*47e946e7SWyllys Ingersoll * 174*47e946e7SWyllys Ingersoll * For example, a Contributor might include the Program in a 175*47e946e7SWyllys Ingersoll * commercial product offering, Product X. That Contributor 176*47e946e7SWyllys Ingersoll * is then a Commercial Contributor. If that Commercial 177*47e946e7SWyllys Ingersoll * Contributor then makes performance claims, or offers 178*47e946e7SWyllys Ingersoll * warranties related to Product X, those performance claims 179*47e946e7SWyllys Ingersoll * and warranties are such Commercial Contributor's 180*47e946e7SWyllys Ingersoll * responsibility alone. Under this section, the Commercial 181*47e946e7SWyllys Ingersoll * Contributor would have to defend claims against the other 182*47e946e7SWyllys Ingersoll * Contributors related to those performance claims and 183*47e946e7SWyllys Ingersoll * warranties, and if a court requires any other Contributor 184*47e946e7SWyllys Ingersoll * to pay any damages as a result, the Commercial Contributor 185*47e946e7SWyllys Ingersoll * must pay those damages. 186*47e946e7SWyllys Ingersoll * 187*47e946e7SWyllys Ingersoll * 188*47e946e7SWyllys Ingersoll * 5. NO WARRANTY 189*47e946e7SWyllys Ingersoll * 190*47e946e7SWyllys Ingersoll * EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE 191*47e946e7SWyllys Ingersoll * PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT 192*47e946e7SWyllys Ingersoll * WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR 193*47e946e7SWyllys Ingersoll * IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR 194*47e946e7SWyllys Ingersoll * CONDITIONS OF TITLE, NO - INFRINGEMENT, MERCHANTABILITY OR 195*47e946e7SWyllys Ingersoll * FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely 196*47e946e7SWyllys Ingersoll * responsible for determining the appropriateness of using 197*47e946e7SWyllys Ingersoll * and distributing the Program and assumes all risks 198*47e946e7SWyllys Ingersoll * associated with its exercise of rights under this 199*47e946e7SWyllys Ingersoll * Agreement, including but not limited to the risks and 200*47e946e7SWyllys Ingersoll * costs of program errors, compliance with applicable laws, 201*47e946e7SWyllys Ingersoll * damage to or loss of data, programs or equipment, and 202*47e946e7SWyllys Ingersoll * unavailability or interruption of operations. 203*47e946e7SWyllys Ingersoll * 204*47e946e7SWyllys Ingersoll * 6. DISCLAIMER OF LIABILITY 205*47e946e7SWyllys Ingersoll * EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER 206*47e946e7SWyllys Ingersoll * RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY 207*47e946e7SWyllys Ingersoll * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, 208*47e946e7SWyllys Ingersoll * OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION 209*47e946e7SWyllys Ingersoll * LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF 210*47e946e7SWyllys Ingersoll * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 211*47e946e7SWyllys Ingersoll * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 212*47e946e7SWyllys Ingersoll * OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE 213*47e946e7SWyllys Ingersoll * OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE 214*47e946e7SWyllys Ingersoll * POSSIBILITY OF SUCH DAMAGES. 215*47e946e7SWyllys Ingersoll * 216*47e946e7SWyllys Ingersoll * 7. GENERAL 217*47e946e7SWyllys Ingersoll * 218*47e946e7SWyllys Ingersoll * If any provision of this Agreement is invalid or 219*47e946e7SWyllys Ingersoll * unenforceable under applicable law, it shall not affect 220*47e946e7SWyllys Ingersoll * the validity or enforceability of the remainder of the 221*47e946e7SWyllys Ingersoll * terms of this Agreement, and without further action by the 222*47e946e7SWyllys Ingersoll * parties hereto, such provision shall be reformed to the 223*47e946e7SWyllys Ingersoll * minimum extent necessary to make such provision valid and 224*47e946e7SWyllys Ingersoll * enforceable. 225*47e946e7SWyllys Ingersoll * 226*47e946e7SWyllys Ingersoll * 227*47e946e7SWyllys Ingersoll * If Recipient institutes patent litigation against a 228*47e946e7SWyllys Ingersoll * Contributor with respect to a patent applicable to 229*47e946e7SWyllys Ingersoll * software (including a cros - claim or counterclaim in a 230*47e946e7SWyllys Ingersoll * lawsuit), then any patent licenses granted by that 231*47e946e7SWyllys Ingersoll * Contributor to such Recipient under this Agreement shall 232*47e946e7SWyllys Ingersoll * terminate as of the date such litigation is filed. In 233*47e946e7SWyllys Ingersoll * addition, If Recipient institutes patent litigation 234*47e946e7SWyllys Ingersoll * against any entity (including a cros - claim or 235*47e946e7SWyllys Ingersoll * counterclaim in a lawsuit) alleging that the Program 236*47e946e7SWyllys Ingersoll * itself (excluding combinations of the Program with other 237*47e946e7SWyllys Ingersoll * software or hardware) infringes such Recipient's 238*47e946e7SWyllys Ingersoll * patent(s), then such Recipient's rights granted under 239*47e946e7SWyllys Ingersoll * Section 2(b) shall terminate as of the date such 240*47e946e7SWyllys Ingersoll * litigation is filed. 241*47e946e7SWyllys Ingersoll * 242*47e946e7SWyllys Ingersoll * All Recipient's rights under this Agreement shall 243*47e946e7SWyllys Ingersoll * terminate if it fails to comply with any of the material 244*47e946e7SWyllys Ingersoll * terms or conditions of this Agreement and does not cure 245*47e946e7SWyllys Ingersoll * such failure in a reasonable period of time after becoming 246*47e946e7SWyllys Ingersoll * aware of such noncompliance. If all Recipient's rights 247*47e946e7SWyllys Ingersoll * under this Agreement terminate, Recipient agrees to cease 248*47e946e7SWyllys Ingersoll * use and distribution of the Program as soon as reasonably 249*47e946e7SWyllys Ingersoll * practicable. However, Recipient's obligations under this 250*47e946e7SWyllys Ingersoll * Agreement and any licenses granted by Recipient relating 251*47e946e7SWyllys Ingersoll * to the Program shall continue and survive. 252*47e946e7SWyllys Ingersoll * 253*47e946e7SWyllys Ingersoll * Everyone is permitted to copy and distribute copies of 254*47e946e7SWyllys Ingersoll * this Agreement, but in order to avoid inconsistency the 255*47e946e7SWyllys Ingersoll * Agreement is copyrighted and may only be modified in the 256*47e946e7SWyllys Ingersoll * following manner. The Agreement Steward reserves the right 257*47e946e7SWyllys Ingersoll * to publish new versions (including revisions) of this 258*47e946e7SWyllys Ingersoll * Agreement from time to time. No one other than the 259*47e946e7SWyllys Ingersoll * Agreement Steward has the right to modify this Agreement. 260*47e946e7SWyllys Ingersoll * 261*47e946e7SWyllys Ingersoll * IBM is the initial Agreement Steward. IBM may assign the 262*47e946e7SWyllys Ingersoll * responsibility to serve as the Agreement Steward to a 263*47e946e7SWyllys Ingersoll * suitable separate entity. Each new version of the 264*47e946e7SWyllys Ingersoll * Agreement will be given a distinguishing version number. 265*47e946e7SWyllys Ingersoll * The Program (including Contributions) may always be 266*47e946e7SWyllys Ingersoll * distributed subject to the version of the Agreement under 267*47e946e7SWyllys Ingersoll * which it was received. In addition, after a new version of 268*47e946e7SWyllys Ingersoll * the Agreement is published, Contributor may elect to 269*47e946e7SWyllys Ingersoll * distribute the Program (including its Contributions) under 270*47e946e7SWyllys Ingersoll * the new version. Except as expressly stated in Sections 271*47e946e7SWyllys Ingersoll * 2(a) and 2(b) above, Recipient receives no rights or 272*47e946e7SWyllys Ingersoll * licenses to the intellectual property of any Contributor 273*47e946e7SWyllys Ingersoll * under this Agreement, whether expressly, by implication, 274*47e946e7SWyllys Ingersoll * estoppel or otherwise. All rights in the Program not 275*47e946e7SWyllys Ingersoll * expressly granted under this Agreement are reserved. 276*47e946e7SWyllys Ingersoll * 277*47e946e7SWyllys Ingersoll * 278*47e946e7SWyllys Ingersoll * This Agreement is governed by the laws of the State of New 279*47e946e7SWyllys Ingersoll * York and the intellectual property laws of the United 280*47e946e7SWyllys Ingersoll * States of America. No party to this Agreement will bring a 281*47e946e7SWyllys Ingersoll * legal action under this Agreement more than one year after 282*47e946e7SWyllys Ingersoll * the cause of action arose. Each party waives its rights to 283*47e946e7SWyllys Ingersoll * a jury trial in any resulting litigation. 284*47e946e7SWyllys Ingersoll * 285*47e946e7SWyllys Ingersoll * 286*47e946e7SWyllys Ingersoll * 287*47e946e7SWyllys Ingersoll * (C) COPYRIGHT International Business Machines Corp. 2001, 2002 288*47e946e7SWyllys Ingersoll */ 289*47e946e7SWyllys Ingersoll /* 290*47e946e7SWyllys Ingersoll * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 291*47e946e7SWyllys Ingersoll * Use is subject to license terms. 292*47e946e7SWyllys Ingersoll */ 293*47e946e7SWyllys Ingersoll #include "tpmtok_int.h" 294*47e946e7SWyllys Ingersoll 295*47e946e7SWyllys Ingersoll CK_RV 296*47e946e7SWyllys Ingersoll key_object_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode) 297*47e946e7SWyllys Ingersoll { 298*47e946e7SWyllys Ingersoll CK_ATTRIBUTE * attr = NULL; 299*47e946e7SWyllys Ingersoll CK_BBOOL found; 300*47e946e7SWyllys Ingersoll 301*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_KEY_TYPE, &attr); 302*47e946e7SWyllys Ingersoll if (! found) { 303*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 304*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 305*47e946e7SWyllys Ingersoll } 306*47e946e7SWyllys Ingersoll } 307*47e946e7SWyllys Ingersoll 308*47e946e7SWyllys Ingersoll return (template_check_required_base_attributes(tmpl, mode)); 309*47e946e7SWyllys Ingersoll } 310*47e946e7SWyllys Ingersoll 311*47e946e7SWyllys Ingersoll CK_RV 312*47e946e7SWyllys Ingersoll key_object_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode) 313*47e946e7SWyllys Ingersoll { 314*47e946e7SWyllys Ingersoll CK_ATTRIBUTE * id_attr = NULL; 315*47e946e7SWyllys Ingersoll CK_ATTRIBUTE * sdate_attr = NULL; 316*47e946e7SWyllys Ingersoll CK_ATTRIBUTE * edate_attr = NULL; 317*47e946e7SWyllys Ingersoll CK_ATTRIBUTE * derive_attr = NULL; 318*47e946e7SWyllys Ingersoll CK_ATTRIBUTE * local_attr = NULL; 319*47e946e7SWyllys Ingersoll 320*47e946e7SWyllys Ingersoll // satisfy the compiler 321*47e946e7SWyllys Ingersoll // 322*47e946e7SWyllys Ingersoll if (mode) 323*47e946e7SWyllys Ingersoll id_attr = NULL; 324*47e946e7SWyllys Ingersoll 325*47e946e7SWyllys Ingersoll id_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 326*47e946e7SWyllys Ingersoll sdate_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 327*47e946e7SWyllys Ingersoll edate_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 328*47e946e7SWyllys Ingersoll derive_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 329*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 330*47e946e7SWyllys Ingersoll local_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 331*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 332*47e946e7SWyllys Ingersoll 333*47e946e7SWyllys Ingersoll if (! id_attr || ! sdate_attr || ! edate_attr || 334*47e946e7SWyllys Ingersoll ! derive_attr || ! local_attr) { 335*47e946e7SWyllys Ingersoll if (id_attr) free(id_attr); 336*47e946e7SWyllys Ingersoll if (sdate_attr) free(sdate_attr); 337*47e946e7SWyllys Ingersoll if (edate_attr) free(edate_attr); 338*47e946e7SWyllys Ingersoll if (derive_attr) free(derive_attr); 339*47e946e7SWyllys Ingersoll if (local_attr) free(local_attr); 340*47e946e7SWyllys Ingersoll return (CKR_HOST_MEMORY); 341*47e946e7SWyllys Ingersoll } 342*47e946e7SWyllys Ingersoll 343*47e946e7SWyllys Ingersoll id_attr->type = CKA_ID; 344*47e946e7SWyllys Ingersoll id_attr->ulValueLen = 0; 345*47e946e7SWyllys Ingersoll id_attr->pValue = NULL; 346*47e946e7SWyllys Ingersoll 347*47e946e7SWyllys Ingersoll sdate_attr->type = CKA_START_DATE; 348*47e946e7SWyllys Ingersoll sdate_attr->ulValueLen = 0; 349*47e946e7SWyllys Ingersoll sdate_attr->pValue = NULL; 350*47e946e7SWyllys Ingersoll 351*47e946e7SWyllys Ingersoll edate_attr->type = CKA_END_DATE; 352*47e946e7SWyllys Ingersoll edate_attr->ulValueLen = 0; 353*47e946e7SWyllys Ingersoll edate_attr->pValue = NULL; 354*47e946e7SWyllys Ingersoll 355*47e946e7SWyllys Ingersoll derive_attr->type = CKA_DERIVE; 356*47e946e7SWyllys Ingersoll derive_attr->ulValueLen = sizeof (CK_BBOOL); 357*47e946e7SWyllys Ingersoll derive_attr->pValue = (CK_BYTE *)derive_attr + 358*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 359*47e946e7SWyllys Ingersoll *(CK_BBOOL *)derive_attr->pValue = FALSE; 360*47e946e7SWyllys Ingersoll 361*47e946e7SWyllys Ingersoll local_attr->type = CKA_LOCAL; 362*47e946e7SWyllys Ingersoll local_attr->ulValueLen = sizeof (CK_BBOOL); 363*47e946e7SWyllys Ingersoll local_attr->pValue = (CK_BYTE *)local_attr + sizeof (CK_ATTRIBUTE); 364*47e946e7SWyllys Ingersoll *(CK_BBOOL *)local_attr->pValue = FALSE; 365*47e946e7SWyllys Ingersoll 366*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, id_attr); 367*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, sdate_attr); 368*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, edate_attr); 369*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, derive_attr); 370*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, local_attr); 371*47e946e7SWyllys Ingersoll 372*47e946e7SWyllys Ingersoll return (CKR_OK); 373*47e946e7SWyllys Ingersoll } 374*47e946e7SWyllys Ingersoll 375*47e946e7SWyllys Ingersoll CK_RV 376*47e946e7SWyllys Ingersoll key_object_validate_attribute(TEMPLATE *tmpl, 377*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *attr, CK_ULONG mode) 378*47e946e7SWyllys Ingersoll { 379*47e946e7SWyllys Ingersoll switch (attr->type) { 380*47e946e7SWyllys Ingersoll case CKA_KEY_TYPE: 381*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE || mode == MODE_DERIVE || 382*47e946e7SWyllys Ingersoll mode == MODE_KEYGEN || mode == MODE_UNWRAP) 383*47e946e7SWyllys Ingersoll return (CKR_OK); 384*47e946e7SWyllys Ingersoll else { 385*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 386*47e946e7SWyllys Ingersoll } 387*47e946e7SWyllys Ingersoll case CKA_ID: 388*47e946e7SWyllys Ingersoll case CKA_START_DATE: 389*47e946e7SWyllys Ingersoll case CKA_END_DATE: 390*47e946e7SWyllys Ingersoll case CKA_DERIVE: 391*47e946e7SWyllys Ingersoll return (CKR_OK); 392*47e946e7SWyllys Ingersoll 393*47e946e7SWyllys Ingersoll case CKA_LOCAL: 394*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 395*47e946e7SWyllys Ingersoll 396*47e946e7SWyllys Ingersoll default: 397*47e946e7SWyllys Ingersoll return (template_validate_base_attribute(tmpl, attr, mode)); 398*47e946e7SWyllys Ingersoll } 399*47e946e7SWyllys Ingersoll } 400*47e946e7SWyllys Ingersoll 401*47e946e7SWyllys Ingersoll CK_RV 402*47e946e7SWyllys Ingersoll publ_key_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode) { 403*47e946e7SWyllys Ingersoll return (key_object_check_required_attributes(tmpl, mode)); 404*47e946e7SWyllys Ingersoll } 405*47e946e7SWyllys Ingersoll 406*47e946e7SWyllys Ingersoll CK_RV 407*47e946e7SWyllys Ingersoll publ_key_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode) 408*47e946e7SWyllys Ingersoll { 409*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *class_attr = NULL; 410*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *subject_attr = NULL; 411*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *encrypt_attr = NULL; 412*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *verify_attr = NULL; 413*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *verify_recover_attr = NULL; 414*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *wrap_attr = NULL; 415*47e946e7SWyllys Ingersoll 416*47e946e7SWyllys Ingersoll CK_OBJECT_CLASS class = CKO_PUBLIC_KEY; 417*47e946e7SWyllys Ingersoll CK_RV rc; 418*47e946e7SWyllys Ingersoll 419*47e946e7SWyllys Ingersoll 420*47e946e7SWyllys Ingersoll rc = key_object_set_default_attributes(tmpl, mode); 421*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 422*47e946e7SWyllys Ingersoll return (rc); 423*47e946e7SWyllys Ingersoll } 424*47e946e7SWyllys Ingersoll // 425*47e946e7SWyllys Ingersoll // add the default CKO_PUBLIC_KEY attributes 426*47e946e7SWyllys Ingersoll // 427*47e946e7SWyllys Ingersoll class_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 428*47e946e7SWyllys Ingersoll sizeof (CK_OBJECT_CLASS)); 429*47e946e7SWyllys Ingersoll subject_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 430*47e946e7SWyllys Ingersoll encrypt_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 431*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 432*47e946e7SWyllys Ingersoll verify_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 433*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 434*47e946e7SWyllys Ingersoll verify_recover_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 435*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 436*47e946e7SWyllys Ingersoll wrap_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 437*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 438*47e946e7SWyllys Ingersoll 439*47e946e7SWyllys Ingersoll if (! class || ! subject_attr || ! encrypt_attr || 440*47e946e7SWyllys Ingersoll ! verify_attr || ! verify_recover_attr || ! wrap_attr) { 441*47e946e7SWyllys Ingersoll if (class_attr) free(class_attr); 442*47e946e7SWyllys Ingersoll if (subject_attr) free(subject_attr); 443*47e946e7SWyllys Ingersoll if (encrypt_attr) free(encrypt_attr); 444*47e946e7SWyllys Ingersoll if (verify_attr) free(verify_attr); 445*47e946e7SWyllys Ingersoll if (verify_recover_attr) free(verify_recover_attr); 446*47e946e7SWyllys Ingersoll if (wrap_attr) free(wrap_attr); 447*47e946e7SWyllys Ingersoll 448*47e946e7SWyllys Ingersoll return (CKR_HOST_MEMORY); 449*47e946e7SWyllys Ingersoll } 450*47e946e7SWyllys Ingersoll 451*47e946e7SWyllys Ingersoll class_attr->type = CKA_CLASS; 452*47e946e7SWyllys Ingersoll class_attr->ulValueLen = sizeof (CK_OBJECT_CLASS); 453*47e946e7SWyllys Ingersoll class_attr->pValue = (CK_BYTE *)class_attr + 454*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 455*47e946e7SWyllys Ingersoll *(CK_OBJECT_CLASS *)class_attr->pValue = CKO_PUBLIC_KEY; 456*47e946e7SWyllys Ingersoll 457*47e946e7SWyllys Ingersoll subject_attr->type = CKA_SUBJECT; 458*47e946e7SWyllys Ingersoll subject_attr->ulValueLen = 0; // empty string 459*47e946e7SWyllys Ingersoll subject_attr->pValue = NULL; 460*47e946e7SWyllys Ingersoll 461*47e946e7SWyllys Ingersoll encrypt_attr->type = CKA_ENCRYPT; 462*47e946e7SWyllys Ingersoll encrypt_attr->ulValueLen = sizeof (CK_BBOOL); 463*47e946e7SWyllys Ingersoll encrypt_attr->pValue = (CK_BYTE *)encrypt_attr + 464*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 465*47e946e7SWyllys Ingersoll *(CK_BBOOL *)encrypt_attr->pValue = TRUE; 466*47e946e7SWyllys Ingersoll 467*47e946e7SWyllys Ingersoll verify_attr->type = CKA_VERIFY; 468*47e946e7SWyllys Ingersoll verify_attr->ulValueLen = sizeof (CK_BBOOL); 469*47e946e7SWyllys Ingersoll verify_attr->pValue = (CK_BYTE *)verify_attr + 470*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 471*47e946e7SWyllys Ingersoll *(CK_BBOOL *)verify_attr->pValue = TRUE; 472*47e946e7SWyllys Ingersoll 473*47e946e7SWyllys Ingersoll verify_recover_attr->type = CKA_VERIFY_RECOVER; 474*47e946e7SWyllys Ingersoll verify_recover_attr->ulValueLen = sizeof (CK_BBOOL); 475*47e946e7SWyllys Ingersoll verify_recover_attr->pValue = (CK_BYTE *)verify_recover_attr + 476*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 477*47e946e7SWyllys Ingersoll *(CK_BBOOL *)verify_recover_attr->pValue = TRUE; 478*47e946e7SWyllys Ingersoll 479*47e946e7SWyllys Ingersoll wrap_attr->type = CKA_WRAP; 480*47e946e7SWyllys Ingersoll wrap_attr->ulValueLen = sizeof (CK_BBOOL); 481*47e946e7SWyllys Ingersoll wrap_attr->pValue = (CK_BYTE *)wrap_attr + 482*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 483*47e946e7SWyllys Ingersoll *(CK_BBOOL *)wrap_attr->pValue = TRUE; 484*47e946e7SWyllys Ingersoll 485*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, class_attr); 486*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, subject_attr); 487*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, encrypt_attr); 488*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, verify_attr); 489*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, verify_recover_attr); 490*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, wrap_attr); 491*47e946e7SWyllys Ingersoll 492*47e946e7SWyllys Ingersoll return (CKR_OK); 493*47e946e7SWyllys Ingersoll } 494*47e946e7SWyllys Ingersoll 495*47e946e7SWyllys Ingersoll CK_RV 496*47e946e7SWyllys Ingersoll publ_key_validate_attribute(TEMPLATE *tmpl, 497*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *attr, CK_ULONG mode) { 498*47e946e7SWyllys Ingersoll switch (attr->type) { 499*47e946e7SWyllys Ingersoll case CKA_SUBJECT: 500*47e946e7SWyllys Ingersoll return (CKR_OK); 501*47e946e7SWyllys Ingersoll 502*47e946e7SWyllys Ingersoll case CKA_ENCRYPT: 503*47e946e7SWyllys Ingersoll case CKA_VERIFY: 504*47e946e7SWyllys Ingersoll case CKA_VERIFY_RECOVER: 505*47e946e7SWyllys Ingersoll case CKA_WRAP: 506*47e946e7SWyllys Ingersoll if (mode == MODE_MODIFY) { 507*47e946e7SWyllys Ingersoll if (nv_token_data->tweak_vector.allow_key_mods == TRUE) 508*47e946e7SWyllys Ingersoll return (CKR_OK); 509*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 510*47e946e7SWyllys Ingersoll } 511*47e946e7SWyllys Ingersoll return (CKR_OK); 512*47e946e7SWyllys Ingersoll 513*47e946e7SWyllys Ingersoll default: 514*47e946e7SWyllys Ingersoll return (key_object_validate_attribute(tmpl, attr, mode)); 515*47e946e7SWyllys Ingersoll } 516*47e946e7SWyllys Ingersoll } 517*47e946e7SWyllys Ingersoll 518*47e946e7SWyllys Ingersoll CK_RV 519*47e946e7SWyllys Ingersoll priv_key_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode) { 520*47e946e7SWyllys Ingersoll return (key_object_check_required_attributes(tmpl, mode)); 521*47e946e7SWyllys Ingersoll } 522*47e946e7SWyllys Ingersoll 523*47e946e7SWyllys Ingersoll CK_RV 524*47e946e7SWyllys Ingersoll priv_key_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode) 525*47e946e7SWyllys Ingersoll { 526*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *class_attr = NULL; 527*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *subject_attr = NULL; 528*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *sensitive_attr = NULL; 529*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *decrypt_attr = NULL; 530*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *sign_attr = NULL; 531*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *sign_recover_attr = NULL; 532*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *unwrap_attr = NULL; 533*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *extractable_attr = NULL; 534*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *never_extr_attr = NULL; 535*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *always_sens_attr = NULL; 536*47e946e7SWyllys Ingersoll CK_RV rc; 537*47e946e7SWyllys Ingersoll 538*47e946e7SWyllys Ingersoll 539*47e946e7SWyllys Ingersoll rc = key_object_set_default_attributes(tmpl, mode); 540*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 541*47e946e7SWyllys Ingersoll return (rc); 542*47e946e7SWyllys Ingersoll } 543*47e946e7SWyllys Ingersoll class_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 544*47e946e7SWyllys Ingersoll sizeof (CK_OBJECT_CLASS)); 545*47e946e7SWyllys Ingersoll subject_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 546*47e946e7SWyllys Ingersoll sensitive_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 547*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 548*47e946e7SWyllys Ingersoll decrypt_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 549*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 550*47e946e7SWyllys Ingersoll sign_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 551*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 552*47e946e7SWyllys Ingersoll sign_recover_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 553*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 554*47e946e7SWyllys Ingersoll unwrap_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 555*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 556*47e946e7SWyllys Ingersoll extractable_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 557*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 558*47e946e7SWyllys Ingersoll never_extr_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 559*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 560*47e946e7SWyllys Ingersoll always_sens_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 561*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 562*47e946e7SWyllys Ingersoll 563*47e946e7SWyllys Ingersoll if (! class_attr || ! subject_attr || ! sensitive_attr || 564*47e946e7SWyllys Ingersoll ! decrypt_attr || ! sign_attr || ! sign_recover_attr || 565*47e946e7SWyllys Ingersoll ! unwrap_attr || ! extractable_attr || 566*47e946e7SWyllys Ingersoll ! never_extr_attr || ! always_sens_attr) { 567*47e946e7SWyllys Ingersoll if (class_attr) free(class_attr); 568*47e946e7SWyllys Ingersoll if (subject_attr) free(subject_attr); 569*47e946e7SWyllys Ingersoll if (sensitive_attr) free(sensitive_attr); 570*47e946e7SWyllys Ingersoll if (decrypt_attr) free(decrypt_attr); 571*47e946e7SWyllys Ingersoll if (sign_attr) free(sign_attr); 572*47e946e7SWyllys Ingersoll if (sign_recover_attr) free(sign_recover_attr); 573*47e946e7SWyllys Ingersoll if (unwrap_attr) free(unwrap_attr); 574*47e946e7SWyllys Ingersoll if (extractable_attr) free(extractable_attr); 575*47e946e7SWyllys Ingersoll if (always_sens_attr) free(always_sens_attr); 576*47e946e7SWyllys Ingersoll if (never_extr_attr) free(never_extr_attr); 577*47e946e7SWyllys Ingersoll 578*47e946e7SWyllys Ingersoll return (CKR_HOST_MEMORY); 579*47e946e7SWyllys Ingersoll } 580*47e946e7SWyllys Ingersoll 581*47e946e7SWyllys Ingersoll class_attr->type = CKA_CLASS; 582*47e946e7SWyllys Ingersoll class_attr->ulValueLen = sizeof (CK_OBJECT_CLASS); 583*47e946e7SWyllys Ingersoll class_attr->pValue = (CK_BYTE *)class_attr + sizeof (CK_ATTRIBUTE); 584*47e946e7SWyllys Ingersoll *(CK_OBJECT_CLASS *)class_attr->pValue = CKO_PRIVATE_KEY; 585*47e946e7SWyllys Ingersoll 586*47e946e7SWyllys Ingersoll subject_attr->type = CKA_SUBJECT; 587*47e946e7SWyllys Ingersoll subject_attr->ulValueLen = 0; // empty string 588*47e946e7SWyllys Ingersoll subject_attr->pValue = NULL; 589*47e946e7SWyllys Ingersoll 590*47e946e7SWyllys Ingersoll sensitive_attr->type = CKA_SENSITIVE; 591*47e946e7SWyllys Ingersoll sensitive_attr->ulValueLen = sizeof (CK_BBOOL); 592*47e946e7SWyllys Ingersoll sensitive_attr->pValue = (CK_BYTE *)sensitive_attr + 593*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 594*47e946e7SWyllys Ingersoll *(CK_BBOOL *)sensitive_attr->pValue = FALSE; 595*47e946e7SWyllys Ingersoll 596*47e946e7SWyllys Ingersoll decrypt_attr->type = CKA_DECRYPT; 597*47e946e7SWyllys Ingersoll decrypt_attr->ulValueLen = sizeof (CK_BBOOL); 598*47e946e7SWyllys Ingersoll decrypt_attr->pValue = (CK_BYTE *)decrypt_attr + 599*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 600*47e946e7SWyllys Ingersoll *(CK_BBOOL *)decrypt_attr->pValue = TRUE; 601*47e946e7SWyllys Ingersoll 602*47e946e7SWyllys Ingersoll sign_attr->type = CKA_SIGN; 603*47e946e7SWyllys Ingersoll sign_attr->ulValueLen = sizeof (CK_BBOOL); 604*47e946e7SWyllys Ingersoll sign_attr->pValue = (CK_BYTE *)sign_attr + 605*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 606*47e946e7SWyllys Ingersoll *(CK_BBOOL *)sign_attr->pValue = TRUE; 607*47e946e7SWyllys Ingersoll 608*47e946e7SWyllys Ingersoll sign_recover_attr->type = CKA_SIGN_RECOVER; 609*47e946e7SWyllys Ingersoll sign_recover_attr->ulValueLen = sizeof (CK_BBOOL); 610*47e946e7SWyllys Ingersoll sign_recover_attr->pValue = (CK_BYTE *)sign_recover_attr + 611*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 612*47e946e7SWyllys Ingersoll *(CK_BBOOL *)sign_recover_attr->pValue = TRUE; 613*47e946e7SWyllys Ingersoll 614*47e946e7SWyllys Ingersoll unwrap_attr->type = CKA_UNWRAP; 615*47e946e7SWyllys Ingersoll unwrap_attr->ulValueLen = sizeof (CK_BBOOL); 616*47e946e7SWyllys Ingersoll unwrap_attr->pValue = (CK_BYTE *)unwrap_attr + 617*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 618*47e946e7SWyllys Ingersoll *(CK_BBOOL *)unwrap_attr->pValue = TRUE; 619*47e946e7SWyllys Ingersoll 620*47e946e7SWyllys Ingersoll extractable_attr->type = CKA_EXTRACTABLE; 621*47e946e7SWyllys Ingersoll extractable_attr->ulValueLen = sizeof (CK_BBOOL); 622*47e946e7SWyllys Ingersoll extractable_attr->pValue = (CK_BYTE *)extractable_attr + 623*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 624*47e946e7SWyllys Ingersoll *(CK_BBOOL *)extractable_attr->pValue = TRUE; 625*47e946e7SWyllys Ingersoll 626*47e946e7SWyllys Ingersoll never_extr_attr->type = CKA_NEVER_EXTRACTABLE; 627*47e946e7SWyllys Ingersoll never_extr_attr->ulValueLen = sizeof (CK_BBOOL); 628*47e946e7SWyllys Ingersoll never_extr_attr->pValue = (CK_BYTE *)never_extr_attr + 629*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 630*47e946e7SWyllys Ingersoll *(CK_BBOOL *)never_extr_attr->pValue = FALSE; 631*47e946e7SWyllys Ingersoll 632*47e946e7SWyllys Ingersoll always_sens_attr->type = CKA_ALWAYS_SENSITIVE; 633*47e946e7SWyllys Ingersoll always_sens_attr->ulValueLen = sizeof (CK_BBOOL); 634*47e946e7SWyllys Ingersoll always_sens_attr->pValue = (CK_BYTE *)always_sens_attr + 635*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 636*47e946e7SWyllys Ingersoll *(CK_BBOOL *)always_sens_attr->pValue = FALSE; 637*47e946e7SWyllys Ingersoll 638*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, class_attr); 639*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, subject_attr); 640*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, sensitive_attr); 641*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, decrypt_attr); 642*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, sign_attr); 643*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, sign_recover_attr); 644*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, unwrap_attr); 645*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, extractable_attr); 646*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, never_extr_attr); 647*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, always_sens_attr); 648*47e946e7SWyllys Ingersoll 649*47e946e7SWyllys Ingersoll return (CKR_OK); 650*47e946e7SWyllys Ingersoll } 651*47e946e7SWyllys Ingersoll 652*47e946e7SWyllys Ingersoll CK_RV 653*47e946e7SWyllys Ingersoll priv_key_unwrap(TEMPLATE *tmpl, 654*47e946e7SWyllys Ingersoll CK_ULONG keytype, 655*47e946e7SWyllys Ingersoll CK_BYTE *data, 656*47e946e7SWyllys Ingersoll CK_ULONG data_len) 657*47e946e7SWyllys Ingersoll { 658*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *extractable = NULL; 659*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *always_sens = NULL; 660*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *never_extract = NULL; 661*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *sensitive = NULL; 662*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *local = NULL; 663*47e946e7SWyllys Ingersoll CK_BBOOL true = TRUE; 664*47e946e7SWyllys Ingersoll CK_BBOOL false = FALSE; 665*47e946e7SWyllys Ingersoll CK_RV rc; 666*47e946e7SWyllys Ingersoll 667*47e946e7SWyllys Ingersoll switch (keytype) { 668*47e946e7SWyllys Ingersoll case CKK_RSA: 669*47e946e7SWyllys Ingersoll rc = rsa_priv_unwrap(tmpl, data, data_len); 670*47e946e7SWyllys Ingersoll break; 671*47e946e7SWyllys Ingersoll 672*47e946e7SWyllys Ingersoll default: 673*47e946e7SWyllys Ingersoll return (CKR_WRAPPED_KEY_INVALID); 674*47e946e7SWyllys Ingersoll } 675*47e946e7SWyllys Ingersoll 676*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 677*47e946e7SWyllys Ingersoll return (rc); 678*47e946e7SWyllys Ingersoll } 679*47e946e7SWyllys Ingersoll 680*47e946e7SWyllys Ingersoll /* 681*47e946e7SWyllys Ingersoll * make sure 682*47e946e7SWyllys Ingersoll * CKA_LOCAL == FALSE 683*47e946e7SWyllys Ingersoll * CKA_ALWAYS_SENSITIVE == FALSE 684*47e946e7SWyllys Ingersoll * CKA_EXTRACTABLE == TRUE 685*47e946e7SWyllys Ingersoll * CKA_NEVER_EXTRACTABLE == FALSE 686*47e946e7SWyllys Ingersoll */ 687*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_LOCAL, &false, 1, &local); 688*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 689*47e946e7SWyllys Ingersoll goto cleanup; 690*47e946e7SWyllys Ingersoll } 691*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_ALWAYS_SENSITIVE, &false, 1, &always_sens); 692*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 693*47e946e7SWyllys Ingersoll goto cleanup; 694*47e946e7SWyllys Ingersoll } 695*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_SENSITIVE, &false, 1, &sensitive); 696*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 697*47e946e7SWyllys Ingersoll goto cleanup; 698*47e946e7SWyllys Ingersoll } 699*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_EXTRACTABLE, &true, 1, &extractable); 700*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 701*47e946e7SWyllys Ingersoll goto cleanup; 702*47e946e7SWyllys Ingersoll } 703*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_NEVER_EXTRACTABLE, &false, 1, &never_extract); 704*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 705*47e946e7SWyllys Ingersoll goto cleanup; 706*47e946e7SWyllys Ingersoll } 707*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, local); 708*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, always_sens); 709*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, sensitive); 710*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, extractable); 711*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, never_extract); 712*47e946e7SWyllys Ingersoll 713*47e946e7SWyllys Ingersoll return (CKR_OK); 714*47e946e7SWyllys Ingersoll 715*47e946e7SWyllys Ingersoll cleanup: 716*47e946e7SWyllys Ingersoll 717*47e946e7SWyllys Ingersoll if (local) free(local); 718*47e946e7SWyllys Ingersoll if (always_sens) free(always_sens); 719*47e946e7SWyllys Ingersoll if (extractable) free(extractable); 720*47e946e7SWyllys Ingersoll if (never_extract) free(never_extract); 721*47e946e7SWyllys Ingersoll 722*47e946e7SWyllys Ingersoll return (rc); 723*47e946e7SWyllys Ingersoll } 724*47e946e7SWyllys Ingersoll 725*47e946e7SWyllys Ingersoll CK_RV 726*47e946e7SWyllys Ingersoll priv_key_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode) { 727*47e946e7SWyllys Ingersoll switch (attr->type) { 728*47e946e7SWyllys Ingersoll case CKA_SUBJECT: 729*47e946e7SWyllys Ingersoll return (CKR_OK); 730*47e946e7SWyllys Ingersoll 731*47e946e7SWyllys Ingersoll case CKA_DECRYPT: 732*47e946e7SWyllys Ingersoll case CKA_SIGN: 733*47e946e7SWyllys Ingersoll case CKA_SIGN_RECOVER: 734*47e946e7SWyllys Ingersoll case CKA_UNWRAP: 735*47e946e7SWyllys Ingersoll // we might want to do this for MODE_COPY too 736*47e946e7SWyllys Ingersoll // 737*47e946e7SWyllys Ingersoll if (mode == MODE_MODIFY) { 738*47e946e7SWyllys Ingersoll if (nv_token_data->tweak_vector.allow_key_mods == TRUE) 739*47e946e7SWyllys Ingersoll return (CKR_OK); 740*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 741*47e946e7SWyllys Ingersoll } 742*47e946e7SWyllys Ingersoll return (CKR_OK); 743*47e946e7SWyllys Ingersoll 744*47e946e7SWyllys Ingersoll // after key creation, CKA_SENSITIVE may only be set to TRUE 745*47e946e7SWyllys Ingersoll // 746*47e946e7SWyllys Ingersoll case CKA_SENSITIVE: 747*47e946e7SWyllys Ingersoll { 748*47e946e7SWyllys Ingersoll CK_BBOOL value; 749*47e946e7SWyllys Ingersoll 750*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE || mode == MODE_KEYGEN) 751*47e946e7SWyllys Ingersoll return (CKR_OK); 752*47e946e7SWyllys Ingersoll 753*47e946e7SWyllys Ingersoll value = *(CK_BBOOL *)attr->pValue; 754*47e946e7SWyllys Ingersoll if (value != TRUE) { 755*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 756*47e946e7SWyllys Ingersoll } 757*47e946e7SWyllys Ingersoll } 758*47e946e7SWyllys Ingersoll return (CKR_OK); 759*47e946e7SWyllys Ingersoll 760*47e946e7SWyllys Ingersoll case CKA_EXTRACTABLE: 761*47e946e7SWyllys Ingersoll { 762*47e946e7SWyllys Ingersoll CK_BBOOL value; 763*47e946e7SWyllys Ingersoll 764*47e946e7SWyllys Ingersoll value = *(CK_BBOOL *)attr->pValue; 765*47e946e7SWyllys Ingersoll if ((mode != MODE_CREATE && mode != MODE_KEYGEN) && 766*47e946e7SWyllys Ingersoll value != FALSE) { 767*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 768*47e946e7SWyllys Ingersoll } 769*47e946e7SWyllys Ingersoll if (value == FALSE) { 770*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *attr; 771*47e946e7SWyllys Ingersoll 772*47e946e7SWyllys Ingersoll attr = (CK_ATTRIBUTE *)malloc( 773*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE) + sizeof (CK_BBOOL)); 774*47e946e7SWyllys Ingersoll if (! attr) { 775*47e946e7SWyllys Ingersoll return (CKR_HOST_MEMORY); 776*47e946e7SWyllys Ingersoll } 777*47e946e7SWyllys Ingersoll attr->type = CKA_NEVER_EXTRACTABLE; 778*47e946e7SWyllys Ingersoll attr->ulValueLen = sizeof (CK_BBOOL); 779*47e946e7SWyllys Ingersoll attr->pValue = (CK_BYTE *)attr + 780*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 781*47e946e7SWyllys Ingersoll *(CK_BBOOL *)attr->pValue = FALSE; 782*47e946e7SWyllys Ingersoll 783*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, attr); 784*47e946e7SWyllys Ingersoll } 785*47e946e7SWyllys Ingersoll } 786*47e946e7SWyllys Ingersoll return (CKR_OK); 787*47e946e7SWyllys Ingersoll 788*47e946e7SWyllys Ingersoll case CKA_ALWAYS_SENSITIVE: 789*47e946e7SWyllys Ingersoll case CKA_NEVER_EXTRACTABLE: 790*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 791*47e946e7SWyllys Ingersoll 792*47e946e7SWyllys Ingersoll default: 793*47e946e7SWyllys Ingersoll return (key_object_validate_attribute(tmpl, attr, mode)); 794*47e946e7SWyllys Ingersoll } 795*47e946e7SWyllys Ingersoll } 796*47e946e7SWyllys Ingersoll 797*47e946e7SWyllys Ingersoll CK_RV 798*47e946e7SWyllys Ingersoll secret_key_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode) 799*47e946e7SWyllys Ingersoll { 800*47e946e7SWyllys Ingersoll return (key_object_check_required_attributes(tmpl, mode)); 801*47e946e7SWyllys Ingersoll } 802*47e946e7SWyllys Ingersoll 803*47e946e7SWyllys Ingersoll CK_RV 804*47e946e7SWyllys Ingersoll secret_key_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode) 805*47e946e7SWyllys Ingersoll { 806*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *class_attr = NULL; 807*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *sensitive_attr = NULL; 808*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *encrypt_attr = NULL; 809*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *decrypt_attr = NULL; 810*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *sign_attr = NULL; 811*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *verify_attr = NULL; 812*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *wrap_attr = NULL; 813*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *unwrap_attr = NULL; 814*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *extractable_attr = NULL; 815*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *never_extr_attr = NULL; 816*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *always_sens_attr = NULL; 817*47e946e7SWyllys Ingersoll CK_RV rc; 818*47e946e7SWyllys Ingersoll 819*47e946e7SWyllys Ingersoll 820*47e946e7SWyllys Ingersoll rc = key_object_set_default_attributes(tmpl, mode); 821*47e946e7SWyllys Ingersoll if (rc != CKR_OK) 822*47e946e7SWyllys Ingersoll return (rc); 823*47e946e7SWyllys Ingersoll 824*47e946e7SWyllys Ingersoll class_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 825*47e946e7SWyllys Ingersoll sizeof (CK_OBJECT_CLASS)); 826*47e946e7SWyllys Ingersoll sensitive_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 827*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 828*47e946e7SWyllys Ingersoll encrypt_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 829*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 830*47e946e7SWyllys Ingersoll decrypt_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 831*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 832*47e946e7SWyllys Ingersoll sign_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 833*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 834*47e946e7SWyllys Ingersoll verify_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 835*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 836*47e946e7SWyllys Ingersoll wrap_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 837*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 838*47e946e7SWyllys Ingersoll unwrap_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 839*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 840*47e946e7SWyllys Ingersoll extractable_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 841*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 842*47e946e7SWyllys Ingersoll never_extr_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 843*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 844*47e946e7SWyllys Ingersoll always_sens_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 845*47e946e7SWyllys Ingersoll sizeof (CK_BBOOL)); 846*47e946e7SWyllys Ingersoll 847*47e946e7SWyllys Ingersoll if (! class_attr || ! sensitive_attr || ! encrypt_attr || 848*47e946e7SWyllys Ingersoll ! decrypt_attr || ! sign_attr || ! verify_attr || 849*47e946e7SWyllys Ingersoll ! wrap_attr || ! unwrap_attr || ! extractable_attr || 850*47e946e7SWyllys Ingersoll ! never_extr_attr || ! always_sens_attr) { 851*47e946e7SWyllys Ingersoll if (class_attr) free(class_attr); 852*47e946e7SWyllys Ingersoll if (sensitive_attr) free(sensitive_attr); 853*47e946e7SWyllys Ingersoll if (encrypt_attr) free(encrypt_attr); 854*47e946e7SWyllys Ingersoll if (decrypt_attr) free(decrypt_attr); 855*47e946e7SWyllys Ingersoll if (sign_attr) free(sign_attr); 856*47e946e7SWyllys Ingersoll if (verify_attr) free(verify_attr); 857*47e946e7SWyllys Ingersoll if (wrap_attr) free(wrap_attr); 858*47e946e7SWyllys Ingersoll if (unwrap_attr) free(unwrap_attr); 859*47e946e7SWyllys Ingersoll if (extractable_attr) free(extractable_attr); 860*47e946e7SWyllys Ingersoll if (never_extr_attr) free(never_extr_attr); 861*47e946e7SWyllys Ingersoll if (always_sens_attr) free(always_sens_attr); 862*47e946e7SWyllys Ingersoll 863*47e946e7SWyllys Ingersoll return (CKR_HOST_MEMORY); 864*47e946e7SWyllys Ingersoll } 865*47e946e7SWyllys Ingersoll 866*47e946e7SWyllys Ingersoll class_attr->type = CKA_CLASS; 867*47e946e7SWyllys Ingersoll class_attr->ulValueLen = sizeof (CK_OBJECT_CLASS); 868*47e946e7SWyllys Ingersoll class_attr->pValue = (CK_BYTE *)class_attr + 869*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 870*47e946e7SWyllys Ingersoll *(CK_OBJECT_CLASS *)class_attr->pValue = CKO_SECRET_KEY; 871*47e946e7SWyllys Ingersoll 872*47e946e7SWyllys Ingersoll sensitive_attr->type = CKA_SENSITIVE; 873*47e946e7SWyllys Ingersoll sensitive_attr->ulValueLen = sizeof (CK_BBOOL); 874*47e946e7SWyllys Ingersoll sensitive_attr->pValue = (CK_BYTE *)sensitive_attr + 875*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 876*47e946e7SWyllys Ingersoll *(CK_BBOOL *)sensitive_attr->pValue = FALSE; 877*47e946e7SWyllys Ingersoll 878*47e946e7SWyllys Ingersoll encrypt_attr->type = CKA_ENCRYPT; 879*47e946e7SWyllys Ingersoll encrypt_attr->ulValueLen = sizeof (CK_BBOOL); 880*47e946e7SWyllys Ingersoll encrypt_attr->pValue = (CK_BYTE *)encrypt_attr + 881*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 882*47e946e7SWyllys Ingersoll *(CK_BBOOL *)encrypt_attr->pValue = TRUE; 883*47e946e7SWyllys Ingersoll 884*47e946e7SWyllys Ingersoll decrypt_attr->type = CKA_DECRYPT; 885*47e946e7SWyllys Ingersoll decrypt_attr->ulValueLen = sizeof (CK_BBOOL); 886*47e946e7SWyllys Ingersoll decrypt_attr->pValue = (CK_BYTE *)decrypt_attr + 887*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 888*47e946e7SWyllys Ingersoll *(CK_BBOOL *)decrypt_attr->pValue = TRUE; 889*47e946e7SWyllys Ingersoll 890*47e946e7SWyllys Ingersoll sign_attr->type = CKA_SIGN; 891*47e946e7SWyllys Ingersoll sign_attr->ulValueLen = sizeof (CK_BBOOL); 892*47e946e7SWyllys Ingersoll sign_attr->pValue = (CK_BYTE *)sign_attr + 893*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 894*47e946e7SWyllys Ingersoll *(CK_BBOOL *)sign_attr->pValue = TRUE; 895*47e946e7SWyllys Ingersoll 896*47e946e7SWyllys Ingersoll verify_attr->type = CKA_VERIFY; 897*47e946e7SWyllys Ingersoll verify_attr->ulValueLen = sizeof (CK_BBOOL); 898*47e946e7SWyllys Ingersoll verify_attr->pValue = (CK_BYTE *)verify_attr + 899*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 900*47e946e7SWyllys Ingersoll *(CK_BBOOL *)verify_attr->pValue = TRUE; 901*47e946e7SWyllys Ingersoll 902*47e946e7SWyllys Ingersoll wrap_attr->type = CKA_WRAP; 903*47e946e7SWyllys Ingersoll wrap_attr->ulValueLen = sizeof (CK_BBOOL); 904*47e946e7SWyllys Ingersoll wrap_attr->pValue = (CK_BYTE *)wrap_attr + 905*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 906*47e946e7SWyllys Ingersoll *(CK_BBOOL *)wrap_attr->pValue = TRUE; 907*47e946e7SWyllys Ingersoll 908*47e946e7SWyllys Ingersoll unwrap_attr->type = CKA_UNWRAP; 909*47e946e7SWyllys Ingersoll unwrap_attr->ulValueLen = sizeof (CK_BBOOL); 910*47e946e7SWyllys Ingersoll unwrap_attr->pValue = (CK_BYTE *)unwrap_attr + 911*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 912*47e946e7SWyllys Ingersoll *(CK_BBOOL *)unwrap_attr->pValue = TRUE; 913*47e946e7SWyllys Ingersoll 914*47e946e7SWyllys Ingersoll extractable_attr->type = CKA_EXTRACTABLE; 915*47e946e7SWyllys Ingersoll extractable_attr->ulValueLen = sizeof (CK_BBOOL); 916*47e946e7SWyllys Ingersoll extractable_attr->pValue = (CK_BYTE *)extractable_attr + 917*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 918*47e946e7SWyllys Ingersoll *(CK_BBOOL *)extractable_attr->pValue = TRUE; 919*47e946e7SWyllys Ingersoll 920*47e946e7SWyllys Ingersoll always_sens_attr->type = CKA_ALWAYS_SENSITIVE; 921*47e946e7SWyllys Ingersoll always_sens_attr->ulValueLen = sizeof (CK_BBOOL); 922*47e946e7SWyllys Ingersoll always_sens_attr->pValue = (CK_BYTE *)always_sens_attr + 923*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 924*47e946e7SWyllys Ingersoll *(CK_BBOOL *)always_sens_attr->pValue = FALSE; 925*47e946e7SWyllys Ingersoll 926*47e946e7SWyllys Ingersoll never_extr_attr->type = CKA_NEVER_EXTRACTABLE; 927*47e946e7SWyllys Ingersoll never_extr_attr->ulValueLen = sizeof (CK_BBOOL); 928*47e946e7SWyllys Ingersoll never_extr_attr->pValue = (CK_BYTE *)never_extr_attr + 929*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 930*47e946e7SWyllys Ingersoll *(CK_BBOOL *)never_extr_attr->pValue = FALSE; 931*47e946e7SWyllys Ingersoll 932*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, class_attr); 933*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, sensitive_attr); 934*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, encrypt_attr); 935*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, decrypt_attr); 936*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, sign_attr); 937*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, verify_attr); 938*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, wrap_attr); 939*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, unwrap_attr); 940*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, extractable_attr); 941*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, never_extr_attr); 942*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, always_sens_attr); 943*47e946e7SWyllys Ingersoll 944*47e946e7SWyllys Ingersoll return (CKR_OK); 945*47e946e7SWyllys Ingersoll } 946*47e946e7SWyllys Ingersoll 947*47e946e7SWyllys Ingersoll CK_RV 948*47e946e7SWyllys Ingersoll secret_key_unwrap(TEMPLATE *tmpl, 949*47e946e7SWyllys Ingersoll CK_ULONG keytype, 950*47e946e7SWyllys Ingersoll CK_BYTE *data, 951*47e946e7SWyllys Ingersoll CK_ULONG data_len, 952*47e946e7SWyllys Ingersoll CK_BBOOL fromend) 953*47e946e7SWyllys Ingersoll { 954*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *local = NULL; 955*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *always_sens = NULL; 956*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *sensitive = NULL; 957*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *extractable = NULL; 958*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *never_extract = NULL; 959*47e946e7SWyllys Ingersoll CK_BBOOL true = TRUE; 960*47e946e7SWyllys Ingersoll CK_BBOOL false = FALSE; 961*47e946e7SWyllys Ingersoll CK_RV rc; 962*47e946e7SWyllys Ingersoll 963*47e946e7SWyllys Ingersoll switch (keytype) { 964*47e946e7SWyllys Ingersoll case CKK_GENERIC_SECRET: 965*47e946e7SWyllys Ingersoll rc = generic_secret_unwrap(tmpl, data, data_len, fromend); 966*47e946e7SWyllys Ingersoll break; 967*47e946e7SWyllys Ingersoll 968*47e946e7SWyllys Ingersoll default: 969*47e946e7SWyllys Ingersoll return (CKR_WRAPPED_KEY_INVALID); 970*47e946e7SWyllys Ingersoll } 971*47e946e7SWyllys Ingersoll 972*47e946e7SWyllys Ingersoll if (rc != CKR_OK) 973*47e946e7SWyllys Ingersoll return (rc); 974*47e946e7SWyllys Ingersoll 975*47e946e7SWyllys Ingersoll // make sure 976*47e946e7SWyllys Ingersoll // CKA_LOCAL == FALSE 977*47e946e7SWyllys Ingersoll // CKA_ALWAYS_SENSITIVE == FALSE 978*47e946e7SWyllys Ingersoll // CKA_EXTRACTABLE == TRUE 979*47e946e7SWyllys Ingersoll // CKA_NEVER_EXTRACTABLE == FALSE 980*47e946e7SWyllys Ingersoll // 981*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_LOCAL, &false, 1, &local); 982*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 983*47e946e7SWyllys Ingersoll goto cleanup; 984*47e946e7SWyllys Ingersoll } 985*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_ALWAYS_SENSITIVE, &false, 1, &always_sens); 986*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 987*47e946e7SWyllys Ingersoll goto cleanup; 988*47e946e7SWyllys Ingersoll } 989*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_SENSITIVE, &false, 1, &sensitive); 990*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 991*47e946e7SWyllys Ingersoll goto cleanup; 992*47e946e7SWyllys Ingersoll } 993*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_EXTRACTABLE, &true, 1, &extractable); 994*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 995*47e946e7SWyllys Ingersoll goto cleanup; 996*47e946e7SWyllys Ingersoll } 997*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_NEVER_EXTRACTABLE, &false, 1, &never_extract); 998*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 999*47e946e7SWyllys Ingersoll goto cleanup; 1000*47e946e7SWyllys Ingersoll } 1001*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, local); 1002*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, always_sens); 1003*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, sensitive); 1004*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, extractable); 1005*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, never_extract); 1006*47e946e7SWyllys Ingersoll 1007*47e946e7SWyllys Ingersoll return (CKR_OK); 1008*47e946e7SWyllys Ingersoll 1009*47e946e7SWyllys Ingersoll cleanup: 1010*47e946e7SWyllys Ingersoll 1011*47e946e7SWyllys Ingersoll if (local) free(local); 1012*47e946e7SWyllys Ingersoll if (extractable) free(extractable); 1013*47e946e7SWyllys Ingersoll if (always_sens) free(always_sens); 1014*47e946e7SWyllys Ingersoll if (never_extract) free(never_extract); 1015*47e946e7SWyllys Ingersoll 1016*47e946e7SWyllys Ingersoll return (rc); 1017*47e946e7SWyllys Ingersoll } 1018*47e946e7SWyllys Ingersoll 1019*47e946e7SWyllys Ingersoll CK_RV 1020*47e946e7SWyllys Ingersoll secret_key_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr, 1021*47e946e7SWyllys Ingersoll CK_ULONG mode) 1022*47e946e7SWyllys Ingersoll { 1023*47e946e7SWyllys Ingersoll switch (attr->type) { 1024*47e946e7SWyllys Ingersoll case CKA_ENCRYPT: 1025*47e946e7SWyllys Ingersoll case CKA_DECRYPT: 1026*47e946e7SWyllys Ingersoll case CKA_SIGN: 1027*47e946e7SWyllys Ingersoll case CKA_VERIFY: 1028*47e946e7SWyllys Ingersoll case CKA_WRAP: 1029*47e946e7SWyllys Ingersoll case CKA_UNWRAP: 1030*47e946e7SWyllys Ingersoll if (mode == MODE_MODIFY) { 1031*47e946e7SWyllys Ingersoll if (nv_token_data->tweak_vector.allow_key_mods == TRUE) 1032*47e946e7SWyllys Ingersoll return (CKR_OK); 1033*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1034*47e946e7SWyllys Ingersoll } 1035*47e946e7SWyllys Ingersoll return (CKR_OK); 1036*47e946e7SWyllys Ingersoll 1037*47e946e7SWyllys Ingersoll // after key creation, CKA_SENSITIVE may only be set to TRUE 1038*47e946e7SWyllys Ingersoll // 1039*47e946e7SWyllys Ingersoll case CKA_SENSITIVE: 1040*47e946e7SWyllys Ingersoll { 1041*47e946e7SWyllys Ingersoll CK_BBOOL value; 1042*47e946e7SWyllys Ingersoll 1043*47e946e7SWyllys Ingersoll value = *(CK_BBOOL *)attr->pValue; 1044*47e946e7SWyllys Ingersoll if ((mode != MODE_CREATE && mode != MODE_DERIVE && 1045*47e946e7SWyllys Ingersoll mode != MODE_KEYGEN) && (value != TRUE)) { 1046*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1047*47e946e7SWyllys Ingersoll } 1048*47e946e7SWyllys Ingersoll } 1049*47e946e7SWyllys Ingersoll return (CKR_OK); 1050*47e946e7SWyllys Ingersoll 1051*47e946e7SWyllys Ingersoll case CKA_EXTRACTABLE: 1052*47e946e7SWyllys Ingersoll { 1053*47e946e7SWyllys Ingersoll CK_BBOOL value; 1054*47e946e7SWyllys Ingersoll 1055*47e946e7SWyllys Ingersoll value = *(CK_BBOOL *)attr->pValue; 1056*47e946e7SWyllys Ingersoll if ((mode != MODE_CREATE && mode != MODE_DERIVE && 1057*47e946e7SWyllys Ingersoll mode != MODE_KEYGEN) && (value != FALSE)) { 1058*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1059*47e946e7SWyllys Ingersoll } 1060*47e946e7SWyllys Ingersoll if (value == FALSE) { 1061*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *attr; 1062*47e946e7SWyllys Ingersoll 1063*47e946e7SWyllys Ingersoll attr = (CK_ATTRIBUTE *)malloc( 1064*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE) + sizeof (CK_BBOOL)); 1065*47e946e7SWyllys Ingersoll if (! attr) { 1066*47e946e7SWyllys Ingersoll return (CKR_HOST_MEMORY); 1067*47e946e7SWyllys Ingersoll } 1068*47e946e7SWyllys Ingersoll attr->type = CKA_NEVER_EXTRACTABLE; 1069*47e946e7SWyllys Ingersoll attr->ulValueLen = sizeof (CK_BBOOL); 1070*47e946e7SWyllys Ingersoll attr->pValue = (CK_BYTE *)attr + 1071*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 1072*47e946e7SWyllys Ingersoll *(CK_BBOOL *)attr->pValue = FALSE; 1073*47e946e7SWyllys Ingersoll 1074*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, attr); 1075*47e946e7SWyllys Ingersoll } 1076*47e946e7SWyllys Ingersoll } 1077*47e946e7SWyllys Ingersoll return (CKR_OK); 1078*47e946e7SWyllys Ingersoll 1079*47e946e7SWyllys Ingersoll case CKA_ALWAYS_SENSITIVE: 1080*47e946e7SWyllys Ingersoll case CKA_NEVER_EXTRACTABLE: 1081*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1082*47e946e7SWyllys Ingersoll 1083*47e946e7SWyllys Ingersoll default: 1084*47e946e7SWyllys Ingersoll return (key_object_validate_attribute(tmpl, 1085*47e946e7SWyllys Ingersoll attr, mode)); 1086*47e946e7SWyllys Ingersoll } 1087*47e946e7SWyllys Ingersoll } 1088*47e946e7SWyllys Ingersoll 1089*47e946e7SWyllys Ingersoll CK_BBOOL 1090*47e946e7SWyllys Ingersoll secret_key_check_exportability(CK_ATTRIBUTE_TYPE type) 1091*47e946e7SWyllys Ingersoll { 1092*47e946e7SWyllys Ingersoll switch (type) { 1093*47e946e7SWyllys Ingersoll case CKA_VALUE: 1094*47e946e7SWyllys Ingersoll return (FALSE); 1095*47e946e7SWyllys Ingersoll } 1096*47e946e7SWyllys Ingersoll 1097*47e946e7SWyllys Ingersoll return (TRUE); 1098*47e946e7SWyllys Ingersoll } 1099*47e946e7SWyllys Ingersoll 1100*47e946e7SWyllys Ingersoll CK_RV 1101*47e946e7SWyllys Ingersoll rsa_publ_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode) 1102*47e946e7SWyllys Ingersoll { 1103*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *attr = NULL; 1104*47e946e7SWyllys Ingersoll CK_BBOOL found; 1105*47e946e7SWyllys Ingersoll 1106*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_MODULUS, &attr); 1107*47e946e7SWyllys Ingersoll if (! found) { 1108*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1109*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1110*47e946e7SWyllys Ingersoll } 1111*47e946e7SWyllys Ingersoll } 1112*47e946e7SWyllys Ingersoll 1113*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_MODULUS_BITS, &attr); 1114*47e946e7SWyllys Ingersoll if (! found) { 1115*47e946e7SWyllys Ingersoll if (mode == MODE_KEYGEN) { 1116*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1117*47e946e7SWyllys Ingersoll } 1118*47e946e7SWyllys Ingersoll } 1119*47e946e7SWyllys Ingersoll 1120*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_PUBLIC_EXPONENT, &attr); 1121*47e946e7SWyllys Ingersoll if (! found) { 1122*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE || mode == MODE_KEYGEN) { 1123*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1124*47e946e7SWyllys Ingersoll } 1125*47e946e7SWyllys Ingersoll } 1126*47e946e7SWyllys Ingersoll 1127*47e946e7SWyllys Ingersoll return (publ_key_check_required_attributes(tmpl, mode)); 1128*47e946e7SWyllys Ingersoll } 1129*47e946e7SWyllys Ingersoll 1130*47e946e7SWyllys Ingersoll CK_RV 1131*47e946e7SWyllys Ingersoll rsa_publ_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode) 1132*47e946e7SWyllys Ingersoll { 1133*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *type_attr = NULL; 1134*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *modulus_attr = NULL; 1135*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *modulus_bits_attr = NULL; 1136*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *public_exp_attr = NULL; 1137*47e946e7SWyllys Ingersoll CK_ULONG bits = 0L; 1138*47e946e7SWyllys Ingersoll 1139*47e946e7SWyllys Ingersoll (void) publ_key_set_default_attributes(tmpl, mode); 1140*47e946e7SWyllys Ingersoll 1141*47e946e7SWyllys Ingersoll type_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 1142*47e946e7SWyllys Ingersoll sizeof (CK_KEY_TYPE)); 1143*47e946e7SWyllys Ingersoll modulus_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 1144*47e946e7SWyllys Ingersoll modulus_bits_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 1145*47e946e7SWyllys Ingersoll sizeof (CK_ULONG)); 1146*47e946e7SWyllys Ingersoll public_exp_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 1147*47e946e7SWyllys Ingersoll 1148*47e946e7SWyllys Ingersoll if (! type_attr || ! modulus_attr || 1149*47e946e7SWyllys Ingersoll ! modulus_bits_attr || ! public_exp_attr) { 1150*47e946e7SWyllys Ingersoll if (type_attr) free(type_attr); 1151*47e946e7SWyllys Ingersoll if (modulus_attr) free(modulus_attr); 1152*47e946e7SWyllys Ingersoll if (modulus_bits_attr) free(modulus_bits_attr); 1153*47e946e7SWyllys Ingersoll if (public_exp_attr) free(public_exp_attr); 1154*47e946e7SWyllys Ingersoll 1155*47e946e7SWyllys Ingersoll return (CKR_HOST_MEMORY); 1156*47e946e7SWyllys Ingersoll } 1157*47e946e7SWyllys Ingersoll 1158*47e946e7SWyllys Ingersoll type_attr->type = CKA_KEY_TYPE; 1159*47e946e7SWyllys Ingersoll type_attr->ulValueLen = sizeof (CK_KEY_TYPE); 1160*47e946e7SWyllys Ingersoll type_attr->pValue = (CK_BYTE *)type_attr + 1161*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 1162*47e946e7SWyllys Ingersoll *(CK_KEY_TYPE *)type_attr->pValue = CKK_RSA; 1163*47e946e7SWyllys Ingersoll 1164*47e946e7SWyllys Ingersoll modulus_attr->type = CKA_MODULUS; 1165*47e946e7SWyllys Ingersoll modulus_attr->ulValueLen = 0; 1166*47e946e7SWyllys Ingersoll modulus_attr->pValue = NULL; 1167*47e946e7SWyllys Ingersoll 1168*47e946e7SWyllys Ingersoll modulus_bits_attr->type = CKA_MODULUS_BITS; 1169*47e946e7SWyllys Ingersoll modulus_bits_attr->ulValueLen = sizeof (CK_ULONG); 1170*47e946e7SWyllys Ingersoll modulus_bits_attr->pValue = (CK_BYTE *)modulus_bits_attr + 1171*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 1172*47e946e7SWyllys Ingersoll *(CK_ULONG *)modulus_bits_attr->pValue = bits; 1173*47e946e7SWyllys Ingersoll 1174*47e946e7SWyllys Ingersoll public_exp_attr->type = CKA_PUBLIC_EXPONENT; 1175*47e946e7SWyllys Ingersoll public_exp_attr->ulValueLen = 0; 1176*47e946e7SWyllys Ingersoll public_exp_attr->pValue = NULL; 1177*47e946e7SWyllys Ingersoll 1178*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, type_attr); 1179*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, modulus_attr); 1180*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, modulus_bits_attr); 1181*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, public_exp_attr); 1182*47e946e7SWyllys Ingersoll 1183*47e946e7SWyllys Ingersoll return (CKR_OK); 1184*47e946e7SWyllys Ingersoll } 1185*47e946e7SWyllys Ingersoll 1186*47e946e7SWyllys Ingersoll CK_RV 1187*47e946e7SWyllys Ingersoll rsa_publ_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode) { 1188*47e946e7SWyllys Ingersoll switch (attr->type) { 1189*47e946e7SWyllys Ingersoll case CKA_MODULUS_BITS: 1190*47e946e7SWyllys Ingersoll if (mode == MODE_KEYGEN) { 1191*47e946e7SWyllys Ingersoll if (attr->ulValueLen != sizeof (CK_ULONG)) { 1192*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_VALUE_INVALID); 1193*47e946e7SWyllys Ingersoll } else { 1194*47e946e7SWyllys Ingersoll CK_ULONG mod_bits = *(CK_ULONG *)attr->pValue; 1195*47e946e7SWyllys Ingersoll 1196*47e946e7SWyllys Ingersoll if (mod_bits < 512 || mod_bits > 2048) { 1197*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_VALUE_INVALID); 1198*47e946e7SWyllys Ingersoll } 1199*47e946e7SWyllys Ingersoll 1200*47e946e7SWyllys Ingersoll if (mod_bits % 8 != 0) { 1201*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_VALUE_INVALID); 1202*47e946e7SWyllys Ingersoll } 1203*47e946e7SWyllys Ingersoll return (CKR_OK); 1204*47e946e7SWyllys Ingersoll } 1205*47e946e7SWyllys Ingersoll } else { 1206*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1207*47e946e7SWyllys Ingersoll } 1208*47e946e7SWyllys Ingersoll case CKA_MODULUS: 1209*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) 1210*47e946e7SWyllys Ingersoll return (remove_leading_zeros(attr)); 1211*47e946e7SWyllys Ingersoll else { 1212*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1213*47e946e7SWyllys Ingersoll } 1214*47e946e7SWyllys Ingersoll case CKA_PUBLIC_EXPONENT: 1215*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE || mode == MODE_KEYGEN) 1216*47e946e7SWyllys Ingersoll return (remove_leading_zeros(attr)); 1217*47e946e7SWyllys Ingersoll else { 1218*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1219*47e946e7SWyllys Ingersoll } 1220*47e946e7SWyllys Ingersoll default: 1221*47e946e7SWyllys Ingersoll return (publ_key_validate_attribute(tmpl, attr, mode)); 1222*47e946e7SWyllys Ingersoll } 1223*47e946e7SWyllys Ingersoll } 1224*47e946e7SWyllys Ingersoll 1225*47e946e7SWyllys Ingersoll CK_RV 1226*47e946e7SWyllys Ingersoll rsa_priv_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode) { 1227*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *attr = NULL; 1228*47e946e7SWyllys Ingersoll CK_BBOOL found; 1229*47e946e7SWyllys Ingersoll 1230*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_MODULUS, &attr); 1231*47e946e7SWyllys Ingersoll if (! found) { 1232*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1233*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1234*47e946e7SWyllys Ingersoll } 1235*47e946e7SWyllys Ingersoll } 1236*47e946e7SWyllys Ingersoll 1237*47e946e7SWyllys Ingersoll // 1238*47e946e7SWyllys Ingersoll // PKCS #11 is flexible with respect to which attributes must be present 1239*47e946e7SWyllys Ingersoll // in an RSA key. Keys can be specified in Chinese Remainder format or 1240*47e946e7SWyllys Ingersoll // they can be specified in modula exponent format. Right now, I only 1241*47e946e7SWyllys Ingersoll // support keys created in Chinese Remainder format. That is, we return 1242*47e946e7SWyllys Ingersoll // CKR_TEMPLATE_INCOMPLETE if a modula exponent key is specified. This 1243*47e946e7SWyllys Ingersoll // is allowed by PKCS #11. 1244*47e946e7SWyllys Ingersoll // 1245*47e946e7SWyllys Ingersoll // In the future, we should allow for creation of keys in modula exp 1246*47e946e7SWyllys Ingersoll // format too. This raises some issues. It's easy enough to recognize 1247*47e946e7SWyllys Ingersoll // when a key has been specified in modula exponent format. And it's 1248*47e946e7SWyllys Ingersoll // easy enough to recognize when all attributes have been specified 1249*47e946e7SWyllys Ingersoll // (which is what we require right now). What's trickier to handle is 1250*47e946e7SWyllys Ingersoll // the "middle" cases in which more than the minimum yet less than the 1251*47e946e7SWyllys Ingersoll // full number of attributes have been specified. Do we revert back to 1252*47e946e7SWyllys Ingersoll // modula - exponent representation? Do we compute the missing 1253*47e946e7SWyllys Ingersoll // attributes ourselves? Do we simply return CKR_TEMPLATE_INCOMPLETE? 1254*47e946e7SWyllys Ingersoll // 1255*47e946e7SWyllys Ingersoll 1256*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_PUBLIC_EXPONENT, &attr); 1257*47e946e7SWyllys Ingersoll if (! found) { 1258*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1259*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1260*47e946e7SWyllys Ingersoll } 1261*47e946e7SWyllys Ingersoll } 1262*47e946e7SWyllys Ingersoll 1263*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_PRIVATE_EXPONENT, &attr); 1264*47e946e7SWyllys Ingersoll if (! found) { 1265*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1266*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1267*47e946e7SWyllys Ingersoll } 1268*47e946e7SWyllys Ingersoll } 1269*47e946e7SWyllys Ingersoll 1270*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_PRIME_1, &attr); 1271*47e946e7SWyllys Ingersoll if (! found) { 1272*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1273*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1274*47e946e7SWyllys Ingersoll } 1275*47e946e7SWyllys Ingersoll } 1276*47e946e7SWyllys Ingersoll 1277*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_PRIME_2, &attr); 1278*47e946e7SWyllys Ingersoll if (! found) { 1279*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1280*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1281*47e946e7SWyllys Ingersoll } 1282*47e946e7SWyllys Ingersoll } 1283*47e946e7SWyllys Ingersoll 1284*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_EXPONENT_1, &attr); 1285*47e946e7SWyllys Ingersoll if (! found) { 1286*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1287*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1288*47e946e7SWyllys Ingersoll } 1289*47e946e7SWyllys Ingersoll } 1290*47e946e7SWyllys Ingersoll 1291*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_EXPONENT_2, &attr); 1292*47e946e7SWyllys Ingersoll if (! found) { 1293*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1294*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1295*47e946e7SWyllys Ingersoll } 1296*47e946e7SWyllys Ingersoll } 1297*47e946e7SWyllys Ingersoll 1298*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_COEFFICIENT, &attr); 1299*47e946e7SWyllys Ingersoll if (! found) { 1300*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1301*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1302*47e946e7SWyllys Ingersoll } 1303*47e946e7SWyllys Ingersoll } 1304*47e946e7SWyllys Ingersoll 1305*47e946e7SWyllys Ingersoll return (priv_key_check_required_attributes(tmpl, mode)); 1306*47e946e7SWyllys Ingersoll } 1307*47e946e7SWyllys Ingersoll 1308*47e946e7SWyllys Ingersoll CK_RV 1309*47e946e7SWyllys Ingersoll rsa_priv_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode) 1310*47e946e7SWyllys Ingersoll { 1311*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *modulus_attr = NULL; 1312*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *public_exp_attr = NULL; 1313*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *private_exp_attr = NULL; 1314*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *type_attr = NULL; 1315*47e946e7SWyllys Ingersoll 1316*47e946e7SWyllys Ingersoll (void) priv_key_set_default_attributes(tmpl, mode); 1317*47e946e7SWyllys Ingersoll 1318*47e946e7SWyllys Ingersoll type_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 1319*47e946e7SWyllys Ingersoll sizeof (CK_KEY_TYPE)); 1320*47e946e7SWyllys Ingersoll modulus_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 1321*47e946e7SWyllys Ingersoll public_exp_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 1322*47e946e7SWyllys Ingersoll private_exp_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 1323*47e946e7SWyllys Ingersoll 1324*47e946e7SWyllys Ingersoll if (! type_attr || ! modulus_attr || ! public_exp_attr || 1325*47e946e7SWyllys Ingersoll ! private_exp_attr) { 1326*47e946e7SWyllys Ingersoll if (type_attr) free(type_attr); 1327*47e946e7SWyllys Ingersoll if (modulus_attr) free(modulus_attr); 1328*47e946e7SWyllys Ingersoll if (public_exp_attr) free(public_exp_attr); 1329*47e946e7SWyllys Ingersoll if (private_exp_attr) free(private_exp_attr); 1330*47e946e7SWyllys Ingersoll 1331*47e946e7SWyllys Ingersoll return (CKR_HOST_MEMORY); 1332*47e946e7SWyllys Ingersoll } 1333*47e946e7SWyllys Ingersoll 1334*47e946e7SWyllys Ingersoll modulus_attr->type = CKA_MODULUS; 1335*47e946e7SWyllys Ingersoll modulus_attr->ulValueLen = 0; 1336*47e946e7SWyllys Ingersoll modulus_attr->pValue = NULL; 1337*47e946e7SWyllys Ingersoll 1338*47e946e7SWyllys Ingersoll public_exp_attr->type = CKA_PUBLIC_EXPONENT; 1339*47e946e7SWyllys Ingersoll public_exp_attr->ulValueLen = 0; 1340*47e946e7SWyllys Ingersoll public_exp_attr->pValue = NULL; 1341*47e946e7SWyllys Ingersoll 1342*47e946e7SWyllys Ingersoll private_exp_attr->type = CKA_PRIVATE_EXPONENT; 1343*47e946e7SWyllys Ingersoll private_exp_attr->ulValueLen = 0; 1344*47e946e7SWyllys Ingersoll private_exp_attr->pValue = NULL; 1345*47e946e7SWyllys Ingersoll 1346*47e946e7SWyllys Ingersoll type_attr->type = CKA_KEY_TYPE; 1347*47e946e7SWyllys Ingersoll type_attr->ulValueLen = sizeof (CK_KEY_TYPE); 1348*47e946e7SWyllys Ingersoll type_attr->pValue = (CK_BYTE *)type_attr + sizeof (CK_ATTRIBUTE); 1349*47e946e7SWyllys Ingersoll *(CK_KEY_TYPE *)type_attr->pValue = CKK_RSA; 1350*47e946e7SWyllys Ingersoll 1351*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, type_attr); 1352*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, modulus_attr); 1353*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, public_exp_attr); 1354*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, private_exp_attr); 1355*47e946e7SWyllys Ingersoll 1356*47e946e7SWyllys Ingersoll return (CKR_OK); 1357*47e946e7SWyllys Ingersoll } 1358*47e946e7SWyllys Ingersoll 1359*47e946e7SWyllys Ingersoll CK_RV 1360*47e946e7SWyllys Ingersoll rsa_priv_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode) { 1361*47e946e7SWyllys Ingersoll switch (attr->type) { 1362*47e946e7SWyllys Ingersoll case CKA_MODULUS: 1363*47e946e7SWyllys Ingersoll case CKA_PRIVATE_EXPONENT: 1364*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) 1365*47e946e7SWyllys Ingersoll return (remove_leading_zeros(attr)); 1366*47e946e7SWyllys Ingersoll else { 1367*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1368*47e946e7SWyllys Ingersoll } 1369*47e946e7SWyllys Ingersoll case CKA_PUBLIC_EXPONENT: 1370*47e946e7SWyllys Ingersoll case CKA_PRIME_1: 1371*47e946e7SWyllys Ingersoll case CKA_PRIME_2: 1372*47e946e7SWyllys Ingersoll case CKA_EXPONENT_1: 1373*47e946e7SWyllys Ingersoll case CKA_EXPONENT_2: 1374*47e946e7SWyllys Ingersoll case CKA_COEFFICIENT: 1375*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) 1376*47e946e7SWyllys Ingersoll return (remove_leading_zeros(attr)); 1377*47e946e7SWyllys Ingersoll else { 1378*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1379*47e946e7SWyllys Ingersoll } 1380*47e946e7SWyllys Ingersoll default: 1381*47e946e7SWyllys Ingersoll return (priv_key_validate_attribute(tmpl, attr, mode)); 1382*47e946e7SWyllys Ingersoll } 1383*47e946e7SWyllys Ingersoll } 1384*47e946e7SWyllys Ingersoll 1385*47e946e7SWyllys Ingersoll CK_BBOOL 1386*47e946e7SWyllys Ingersoll rsa_priv_check_exportability(CK_ATTRIBUTE_TYPE type) { 1387*47e946e7SWyllys Ingersoll switch (type) { 1388*47e946e7SWyllys Ingersoll case CKA_PRIVATE_EXPONENT: 1389*47e946e7SWyllys Ingersoll case CKA_PRIME_1: 1390*47e946e7SWyllys Ingersoll case CKA_PRIME_2: 1391*47e946e7SWyllys Ingersoll case CKA_EXPONENT_1: 1392*47e946e7SWyllys Ingersoll case CKA_EXPONENT_2: 1393*47e946e7SWyllys Ingersoll case CKA_COEFFICIENT: 1394*47e946e7SWyllys Ingersoll return (FALSE); 1395*47e946e7SWyllys Ingersoll } 1396*47e946e7SWyllys Ingersoll 1397*47e946e7SWyllys Ingersoll return (TRUE); 1398*47e946e7SWyllys Ingersoll } 1399*47e946e7SWyllys Ingersoll 1400*47e946e7SWyllys Ingersoll 1401*47e946e7SWyllys Ingersoll /* 1402*47e946e7SWyllys Ingersoll * create the ASN.1 encoding for the private key for wrapping as defined 1403*47e946e7SWyllys Ingersoll * in PKCS #8 1404*47e946e7SWyllys Ingersoll * 1405*47e946e7SWyllys Ingersoll * ASN.1 type PrivateKeyInfo ::= SEQUENCE { 1406*47e946e7SWyllys Ingersoll * version Version 1407*47e946e7SWyllys Ingersoll * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier 1408*47e946e7SWyllys Ingersoll * privateKey PrivateKey 1409*47e946e7SWyllys Ingersoll * attributes OPTIONAL 1410*47e946e7SWyllys Ingersoll * 1411*47e946e7SWyllys Ingersoll * } 1412*47e946e7SWyllys Ingersoll * 1413*47e946e7SWyllys Ingersoll * Where PrivateKey is defined as follows for RSA: 1414*47e946e7SWyllys Ingersoll * 1415*47e946e7SWyllys Ingersoll * ASN.1 type RSAPrivateKey 1416*47e946e7SWyllys Ingersoll * 1417*47e946e7SWyllys Ingersoll * RSAPrivateKey ::= SEQUENCE { 1418*47e946e7SWyllys Ingersoll * version Version 1419*47e946e7SWyllys Ingersoll * modulus INTEGER 1420*47e946e7SWyllys Ingersoll * publicExponent INTEGER 1421*47e946e7SWyllys Ingersoll * privateExponent INTEGER 1422*47e946e7SWyllys Ingersoll * prime1 INTEGER 1423*47e946e7SWyllys Ingersoll * prime2 INTEGER 1424*47e946e7SWyllys Ingersoll * exponent1 INTEGER 1425*47e946e7SWyllys Ingersoll * exponent2 INTEGER 1426*47e946e7SWyllys Ingersoll * coefficient INTEGER 1427*47e946e7SWyllys Ingersoll * } 1428*47e946e7SWyllys Ingersoll */ 1429*47e946e7SWyllys Ingersoll CK_RV 1430*47e946e7SWyllys Ingersoll rsa_priv_wrap_get_data(TEMPLATE *tmpl, 1431*47e946e7SWyllys Ingersoll CK_BBOOL length_only, 1432*47e946e7SWyllys Ingersoll CK_BYTE **data, 1433*47e946e7SWyllys Ingersoll CK_ULONG *data_len) 1434*47e946e7SWyllys Ingersoll { 1435*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *modulus = NULL; 1436*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *publ_exp = NULL, *priv_exp = NULL; 1437*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *prime1 = NULL, *prime2 = NULL; 1438*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *exponent1 = NULL, *exponent2 = NULL; 1439*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *coeff = NULL; 1440*47e946e7SWyllys Ingersoll CK_RV rc; 1441*47e946e7SWyllys Ingersoll 1442*47e946e7SWyllys Ingersoll if (template_attribute_find(tmpl, CKA_MODULUS, &modulus) == FALSE) { 1443*47e946e7SWyllys Ingersoll return (CKR_FUNCTION_FAILED); 1444*47e946e7SWyllys Ingersoll } 1445*47e946e7SWyllys Ingersoll if (template_attribute_find(tmpl, CKA_PUBLIC_EXPONENT, 1446*47e946e7SWyllys Ingersoll &publ_exp) == FALSE) { 1447*47e946e7SWyllys Ingersoll return (CKR_FUNCTION_FAILED); 1448*47e946e7SWyllys Ingersoll } 1449*47e946e7SWyllys Ingersoll if (template_attribute_find(tmpl, CKA_PRIVATE_EXPONENT, 1450*47e946e7SWyllys Ingersoll &priv_exp) == FALSE) { 1451*47e946e7SWyllys Ingersoll return (CKR_FUNCTION_FAILED); 1452*47e946e7SWyllys Ingersoll } 1453*47e946e7SWyllys Ingersoll if (template_attribute_find(tmpl, CKA_PRIME_1, 1454*47e946e7SWyllys Ingersoll &prime1) == FALSE) { 1455*47e946e7SWyllys Ingersoll return (CKR_FUNCTION_FAILED); 1456*47e946e7SWyllys Ingersoll } 1457*47e946e7SWyllys Ingersoll if (template_attribute_find(tmpl, CKA_PRIME_2, 1458*47e946e7SWyllys Ingersoll &prime2) == FALSE) { 1459*47e946e7SWyllys Ingersoll return (CKR_FUNCTION_FAILED); 1460*47e946e7SWyllys Ingersoll } 1461*47e946e7SWyllys Ingersoll if (template_attribute_find(tmpl, CKA_EXPONENT_1, 1462*47e946e7SWyllys Ingersoll &exponent1) == FALSE) { 1463*47e946e7SWyllys Ingersoll return (CKR_FUNCTION_FAILED); 1464*47e946e7SWyllys Ingersoll } 1465*47e946e7SWyllys Ingersoll if (template_attribute_find(tmpl, CKA_EXPONENT_2, 1466*47e946e7SWyllys Ingersoll &exponent2) == FALSE) { 1467*47e946e7SWyllys Ingersoll return (CKR_FUNCTION_FAILED); 1468*47e946e7SWyllys Ingersoll } 1469*47e946e7SWyllys Ingersoll if (template_attribute_find(tmpl, CKA_COEFFICIENT, 1470*47e946e7SWyllys Ingersoll &coeff) == FALSE) { 1471*47e946e7SWyllys Ingersoll return (CKR_FUNCTION_FAILED); 1472*47e946e7SWyllys Ingersoll } 1473*47e946e7SWyllys Ingersoll rc = ber_encode_RSAPrivateKey(length_only, data, data_len, 1474*47e946e7SWyllys Ingersoll modulus, publ_exp, priv_exp, prime1, prime2, 1475*47e946e7SWyllys Ingersoll exponent1, exponent2, coeff); 1476*47e946e7SWyllys Ingersoll 1477*47e946e7SWyllys Ingersoll return (rc); 1478*47e946e7SWyllys Ingersoll } 1479*47e946e7SWyllys Ingersoll 1480*47e946e7SWyllys Ingersoll CK_RV 1481*47e946e7SWyllys Ingersoll rsa_priv_unwrap(TEMPLATE *tmpl, 1482*47e946e7SWyllys Ingersoll CK_BYTE *data, 1483*47e946e7SWyllys Ingersoll CK_ULONG total_length) 1484*47e946e7SWyllys Ingersoll { 1485*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *modulus = NULL; 1486*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *publ_exp = NULL; 1487*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *priv_exp = NULL; 1488*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *prime1 = NULL; 1489*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *prime2 = NULL; 1490*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *exponent1 = NULL; 1491*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *exponent2 = NULL; 1492*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *coeff = NULL; 1493*47e946e7SWyllys Ingersoll CK_RV rc; 1494*47e946e7SWyllys Ingersoll 1495*47e946e7SWyllys Ingersoll rc = ber_decode_RSAPrivateKey(data, total_length, 1496*47e946e7SWyllys Ingersoll &modulus, &publ_exp, &priv_exp, &prime1, &prime2, 1497*47e946e7SWyllys Ingersoll &exponent1, &exponent2, &coeff); 1498*47e946e7SWyllys Ingersoll 1499*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 1500*47e946e7SWyllys Ingersoll return (rc); 1501*47e946e7SWyllys Ingersoll } 1502*47e946e7SWyllys Ingersoll (void) remove_leading_zeros(modulus); 1503*47e946e7SWyllys Ingersoll (void) remove_leading_zeros(publ_exp); 1504*47e946e7SWyllys Ingersoll (void) remove_leading_zeros(priv_exp); 1505*47e946e7SWyllys Ingersoll (void) remove_leading_zeros(prime1); 1506*47e946e7SWyllys Ingersoll (void) remove_leading_zeros(prime2); 1507*47e946e7SWyllys Ingersoll (void) remove_leading_zeros(exponent1); 1508*47e946e7SWyllys Ingersoll (void) remove_leading_zeros(exponent2); 1509*47e946e7SWyllys Ingersoll (void) remove_leading_zeros(coeff); 1510*47e946e7SWyllys Ingersoll 1511*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, modulus); 1512*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, publ_exp); 1513*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, priv_exp); 1514*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, prime1); 1515*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, prime2); 1516*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, exponent1); 1517*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, exponent2); 1518*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, coeff); 1519*47e946e7SWyllys Ingersoll 1520*47e946e7SWyllys Ingersoll return (CKR_OK); 1521*47e946e7SWyllys Ingersoll } 1522*47e946e7SWyllys Ingersoll 1523*47e946e7SWyllys Ingersoll CK_RV 1524*47e946e7SWyllys Ingersoll generic_secret_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode) 1525*47e946e7SWyllys Ingersoll { 1526*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *attr = NULL; 1527*47e946e7SWyllys Ingersoll CK_BBOOL found; 1528*47e946e7SWyllys Ingersoll 1529*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_VALUE, &attr); 1530*47e946e7SWyllys Ingersoll if (! found) { 1531*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1532*47e946e7SWyllys Ingersoll return (CKR_TEMPLATE_INCOMPLETE); 1533*47e946e7SWyllys Ingersoll } 1534*47e946e7SWyllys Ingersoll } 1535*47e946e7SWyllys Ingersoll 1536*47e946e7SWyllys Ingersoll 1537*47e946e7SWyllys Ingersoll found = template_attribute_find(tmpl, CKA_VALUE_LEN, &attr); 1538*47e946e7SWyllys Ingersoll if (! found) { 1539*47e946e7SWyllys Ingersoll return (CKR_OK); 1540*47e946e7SWyllys Ingersoll } else { 1541*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) { 1542*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1543*47e946e7SWyllys Ingersoll } 1544*47e946e7SWyllys Ingersoll } 1545*47e946e7SWyllys Ingersoll 1546*47e946e7SWyllys Ingersoll return (secret_key_check_required_attributes(tmpl, mode)); 1547*47e946e7SWyllys Ingersoll } 1548*47e946e7SWyllys Ingersoll 1549*47e946e7SWyllys Ingersoll CK_RV 1550*47e946e7SWyllys Ingersoll generic_secret_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode) 1551*47e946e7SWyllys Ingersoll { 1552*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *value_attr = NULL; 1553*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *value_len_attr = NULL; 1554*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *type_attr = NULL; 1555*47e946e7SWyllys Ingersoll CK_ULONG len = 0L; 1556*47e946e7SWyllys Ingersoll 1557*47e946e7SWyllys Ingersoll if (mode) 1558*47e946e7SWyllys Ingersoll value_attr = NULL; 1559*47e946e7SWyllys Ingersoll 1560*47e946e7SWyllys Ingersoll (void) secret_key_set_default_attributes(tmpl, mode); 1561*47e946e7SWyllys Ingersoll 1562*47e946e7SWyllys Ingersoll type_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 1563*47e946e7SWyllys Ingersoll sizeof (CK_KEY_TYPE)); 1564*47e946e7SWyllys Ingersoll value_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE)); 1565*47e946e7SWyllys Ingersoll value_len_attr = (CK_ATTRIBUTE *)malloc(sizeof (CK_ATTRIBUTE) + 1566*47e946e7SWyllys Ingersoll sizeof (CK_ULONG)); 1567*47e946e7SWyllys Ingersoll 1568*47e946e7SWyllys Ingersoll if (! type_attr || ! value_attr || ! value_len_attr) { 1569*47e946e7SWyllys Ingersoll if (type_attr) free(type_attr); 1570*47e946e7SWyllys Ingersoll if (value_attr) free(value_attr); 1571*47e946e7SWyllys Ingersoll if (value_len_attr) free(value_len_attr); 1572*47e946e7SWyllys Ingersoll 1573*47e946e7SWyllys Ingersoll return (CKR_HOST_MEMORY); 1574*47e946e7SWyllys Ingersoll } 1575*47e946e7SWyllys Ingersoll 1576*47e946e7SWyllys Ingersoll value_attr->type = CKA_VALUE; 1577*47e946e7SWyllys Ingersoll value_attr->ulValueLen = 0; 1578*47e946e7SWyllys Ingersoll value_attr->pValue = NULL; 1579*47e946e7SWyllys Ingersoll 1580*47e946e7SWyllys Ingersoll value_len_attr->type = CKA_VALUE_LEN; 1581*47e946e7SWyllys Ingersoll value_len_attr->ulValueLen = sizeof (CK_ULONG); 1582*47e946e7SWyllys Ingersoll value_len_attr->pValue = (CK_BYTE *)value_len_attr + 1583*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 1584*47e946e7SWyllys Ingersoll *(CK_ULONG *)value_len_attr->pValue = len; 1585*47e946e7SWyllys Ingersoll 1586*47e946e7SWyllys Ingersoll type_attr->type = CKA_KEY_TYPE; 1587*47e946e7SWyllys Ingersoll type_attr->ulValueLen = sizeof (CK_KEY_TYPE); 1588*47e946e7SWyllys Ingersoll type_attr->pValue = (CK_BYTE *)type_attr + 1589*47e946e7SWyllys Ingersoll sizeof (CK_ATTRIBUTE); 1590*47e946e7SWyllys Ingersoll *(CK_KEY_TYPE *)type_attr->pValue = CKK_GENERIC_SECRET; 1591*47e946e7SWyllys Ingersoll 1592*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, type_attr); 1593*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, value_attr); 1594*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, value_len_attr); 1595*47e946e7SWyllys Ingersoll 1596*47e946e7SWyllys Ingersoll return (CKR_OK); 1597*47e946e7SWyllys Ingersoll } 1598*47e946e7SWyllys Ingersoll 1599*47e946e7SWyllys Ingersoll CK_RV 1600*47e946e7SWyllys Ingersoll generic_secret_validate_attribute(TEMPLATE *tmpl, 1601*47e946e7SWyllys Ingersoll CK_ATTRIBUTE *attr, CK_ULONG mode) 1602*47e946e7SWyllys Ingersoll { 1603*47e946e7SWyllys Ingersoll switch (attr->type) { 1604*47e946e7SWyllys Ingersoll case CKA_VALUE: 1605*47e946e7SWyllys Ingersoll if (mode == MODE_CREATE) 1606*47e946e7SWyllys Ingersoll return (CKR_OK); 1607*47e946e7SWyllys Ingersoll else 1608*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1609*47e946e7SWyllys Ingersoll 1610*47e946e7SWyllys Ingersoll case CKA_VALUE_LEN: 1611*47e946e7SWyllys Ingersoll if (mode == MODE_KEYGEN || mode == MODE_DERIVE) 1612*47e946e7SWyllys Ingersoll return (CKR_OK); 1613*47e946e7SWyllys Ingersoll else { 1614*47e946e7SWyllys Ingersoll if (mode == MODE_UNWRAP) { 1615*47e946e7SWyllys Ingersoll return (CKR_OK); 1616*47e946e7SWyllys Ingersoll } 1617*47e946e7SWyllys Ingersoll return (CKR_ATTRIBUTE_READ_ONLY); 1618*47e946e7SWyllys Ingersoll } 1619*47e946e7SWyllys Ingersoll 1620*47e946e7SWyllys Ingersoll default: 1621*47e946e7SWyllys Ingersoll return (secret_key_validate_attribute(tmpl, attr, mode)); 1622*47e946e7SWyllys Ingersoll } 1623*47e946e7SWyllys Ingersoll } 1624*47e946e7SWyllys Ingersoll 1625*47e946e7SWyllys Ingersoll CK_BBOOL 1626*47e946e7SWyllys Ingersoll generic_secret_check_exportability(CK_ATTRIBUTE_TYPE type) { 1627*47e946e7SWyllys Ingersoll switch (type) { 1628*47e946e7SWyllys Ingersoll case CKA_VALUE: 1629*47e946e7SWyllys Ingersoll return (FALSE); 1630*47e946e7SWyllys Ingersoll } 1631*47e946e7SWyllys Ingersoll 1632*47e946e7SWyllys Ingersoll return (TRUE); 1633*47e946e7SWyllys Ingersoll } 1634*47e946e7SWyllys Ingersoll 1635*47e946e7SWyllys Ingersoll CK_RV 1636*47e946e7SWyllys Ingersoll generic_secret_wrap_get_data(TEMPLATE * tmpl, 1637*47e946e7SWyllys Ingersoll CK_BBOOL length_only, 1638*47e946e7SWyllys Ingersoll CK_BYTE ** data, 1639*47e946e7SWyllys Ingersoll CK_ULONG * data_len) 1640*47e946e7SWyllys Ingersoll { 1641*47e946e7SWyllys Ingersoll CK_ATTRIBUTE * attr = NULL; 1642*47e946e7SWyllys Ingersoll CK_BYTE * ptr = NULL; 1643*47e946e7SWyllys Ingersoll CK_RV rc; 1644*47e946e7SWyllys Ingersoll 1645*47e946e7SWyllys Ingersoll if (! tmpl || ! data_len) { 1646*47e946e7SWyllys Ingersoll return (CKR_FUNCTION_FAILED); 1647*47e946e7SWyllys Ingersoll } 1648*47e946e7SWyllys Ingersoll 1649*47e946e7SWyllys Ingersoll rc = template_attribute_find(tmpl, CKA_VALUE, &attr); 1650*47e946e7SWyllys Ingersoll if (rc == FALSE) { 1651*47e946e7SWyllys Ingersoll return (CKR_KEY_NOT_WRAPPABLE); 1652*47e946e7SWyllys Ingersoll } 1653*47e946e7SWyllys Ingersoll *data_len = attr->ulValueLen; 1654*47e946e7SWyllys Ingersoll 1655*47e946e7SWyllys Ingersoll if (length_only == FALSE) { 1656*47e946e7SWyllys Ingersoll ptr = (CK_BYTE *)malloc(attr->ulValueLen); 1657*47e946e7SWyllys Ingersoll if (! ptr) { 1658*47e946e7SWyllys Ingersoll return (CKR_HOST_MEMORY); 1659*47e946e7SWyllys Ingersoll } 1660*47e946e7SWyllys Ingersoll (void) memcpy(ptr, attr->pValue, attr->ulValueLen); 1661*47e946e7SWyllys Ingersoll 1662*47e946e7SWyllys Ingersoll *data = ptr; 1663*47e946e7SWyllys Ingersoll } 1664*47e946e7SWyllys Ingersoll 1665*47e946e7SWyllys Ingersoll return (CKR_OK); 1666*47e946e7SWyllys Ingersoll } 1667*47e946e7SWyllys Ingersoll 1668*47e946e7SWyllys Ingersoll CK_RV 1669*47e946e7SWyllys Ingersoll generic_secret_unwrap(TEMPLATE *tmpl, 1670*47e946e7SWyllys Ingersoll CK_BYTE *data, 1671*47e946e7SWyllys Ingersoll CK_ULONG data_len, 1672*47e946e7SWyllys Ingersoll CK_BBOOL fromend) 1673*47e946e7SWyllys Ingersoll { 1674*47e946e7SWyllys Ingersoll CK_ATTRIBUTE * attr = NULL; 1675*47e946e7SWyllys Ingersoll CK_ATTRIBUTE * value_attr = NULL; 1676*47e946e7SWyllys Ingersoll CK_ATTRIBUTE * value_len_attr = NULL; 1677*47e946e7SWyllys Ingersoll CK_BYTE * ptr = NULL; 1678*47e946e7SWyllys Ingersoll CK_ULONG rc, len = 0; 1679*47e946e7SWyllys Ingersoll 1680*47e946e7SWyllys Ingersoll 1681*47e946e7SWyllys Ingersoll if (fromend == TRUE) 1682*47e946e7SWyllys Ingersoll ptr = data + data_len; 1683*47e946e7SWyllys Ingersoll else 1684*47e946e7SWyllys Ingersoll ptr = data; 1685*47e946e7SWyllys Ingersoll 1686*47e946e7SWyllys Ingersoll rc = template_attribute_find(tmpl, CKA_VALUE_LEN, &attr); 1687*47e946e7SWyllys Ingersoll if (rc) { 1688*47e946e7SWyllys Ingersoll len = *(CK_ULONG *)attr->pValue; 1689*47e946e7SWyllys Ingersoll if (len > data_len) { 1690*47e946e7SWyllys Ingersoll rc = CKR_ATTRIBUTE_VALUE_INVALID; 1691*47e946e7SWyllys Ingersoll goto error; 1692*47e946e7SWyllys Ingersoll } 1693*47e946e7SWyllys Ingersoll 1694*47e946e7SWyllys Ingersoll if (len != 0) 1695*47e946e7SWyllys Ingersoll data_len = len; 1696*47e946e7SWyllys Ingersoll } 1697*47e946e7SWyllys Ingersoll 1698*47e946e7SWyllys Ingersoll if (fromend == TRUE) 1699*47e946e7SWyllys Ingersoll ptr -= data_len; 1700*47e946e7SWyllys Ingersoll 1701*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_VALUE, ptr, data_len, &value_attr); 1702*47e946e7SWyllys Ingersoll if (rc != CKR_OK) { 1703*47e946e7SWyllys Ingersoll goto error; 1704*47e946e7SWyllys Ingersoll } 1705*47e946e7SWyllys Ingersoll if (data_len != len) { 1706*47e946e7SWyllys Ingersoll rc = build_attribute(CKA_VALUE_LEN, (CK_BYTE *)&data_len, 1707*47e946e7SWyllys Ingersoll sizeof (CK_ULONG), &value_len_attr); 1708*47e946e7SWyllys Ingersoll if (rc != CKR_OK) 1709*47e946e7SWyllys Ingersoll goto error; 1710*47e946e7SWyllys Ingersoll } 1711*47e946e7SWyllys Ingersoll 1712*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, value_attr); 1713*47e946e7SWyllys Ingersoll 1714*47e946e7SWyllys Ingersoll if (data_len != len) 1715*47e946e7SWyllys Ingersoll (void) template_update_attribute(tmpl, value_len_attr); 1716*47e946e7SWyllys Ingersoll 1717*47e946e7SWyllys Ingersoll return (CKR_OK); 1718*47e946e7SWyllys Ingersoll 1719*47e946e7SWyllys Ingersoll error: 1720*47e946e7SWyllys Ingersoll if (value_attr) free(value_attr); 1721*47e946e7SWyllys Ingersoll if (value_len_attr) free(value_len_attr); 1722*47e946e7SWyllys Ingersoll 1723*47e946e7SWyllys Ingersoll return (rc); 1724*47e946e7SWyllys Ingersoll } 1725