1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _SYS_CRYPTO_ELFSIGN_H 27 #define _SYS_CRYPTO_ELFSIGN_H 28 29 #pragma ident "%Z%%M% %I% %E% SMI" 30 31 #ifdef __cplusplus 32 extern "C" { 33 #endif 34 35 /* 36 * Consolidation Private Interface for elfsign/libpkcs11/kcfd 37 */ 38 39 #include <sys/types.h> 40 #include <sys/param.h> 41 42 /* 43 * Project Private structures and types used for communication between kcfd 44 * and KCF over the door. 45 */ 46 47 typedef enum ELFsign_status_e { 48 ELFSIGN_UNKNOWN, 49 ELFSIGN_SUCCESS, 50 ELFSIGN_FAILED, 51 ELFSIGN_NOTSIGNED, 52 ELFSIGN_INVALID_CERTPATH, 53 ELFSIGN_INVALID_ELFOBJ, 54 ELFSIGN_RESTRICTED 55 } ELFsign_status_t; 56 57 #define KCF_KCFD_VERSION1 1 58 #define SIG_MAX_LENGTH 1024 59 60 #define ELF_SIGNATURE_SECTION ".SUNW_signature" 61 #define ELFSIGN_CRYPTO "Solaris Cryptographic Framework" 62 #define USAGELIMITED "OU=UsageLimited" 63 #define ESA ".esa" 64 #define ESA_LEN sizeof (".esa") 65 66 typedef struct kcf_door_arg_s { 67 short da_version; 68 boolean_t da_iskernel; 69 70 union { 71 char filename[MAXPATHLEN]; /* For request */ 72 73 struct kcf_door_result_s { /* For response */ 74 ELFsign_status_t status; 75 uint32_t siglen; 76 uchar_t signature[1]; 77 } result; 78 } da_u; 79 } kcf_door_arg_t; 80 81 typedef uint32_t filesig_vers_t; 82 83 /* 84 * File Signature Structure 85 * Applicable to ELF and other file formats 86 */ 87 struct filesignatures { 88 uint32_t filesig_cnt; /* count of signatures */ 89 uint32_t filesig_pad; /* unused */ 90 union { 91 char filesig_data[1]; 92 struct filesig { /* one of these for each signature */ 93 uint32_t filesig_size; 94 filesig_vers_t filesig_version; 95 union { 96 struct filesig_version1 { 97 uint32_t filesig_v1_dnsize; 98 uint32_t filesig_v1_sigsize; 99 uint32_t filesig_v1_oidsize; 100 char filesig_v1_data[1]; 101 } filesig_v1; 102 struct filesig_version3 { 103 uint64_t filesig_v3_time; 104 uint32_t filesig_v3_dnsize; 105 uint32_t filesig_v3_sigsize; 106 uint32_t filesig_v3_oidsize; 107 char filesig_v3_data[1]; 108 } filesig_v3; 109 } _u2; 110 } filesig_sig; 111 uint64_t filesig_align; 112 } _u1; 113 }; 114 #define filesig_sig _u1.filesig_sig 115 116 #define filesig_v1_dnsize _u2.filesig_v1.filesig_v1_dnsize 117 #define filesig_v1_sigsize _u2.filesig_v1.filesig_v1_sigsize 118 #define filesig_v1_oidsize _u2.filesig_v1.filesig_v1_oidsize 119 #define filesig_v1_data _u2.filesig_v1.filesig_v1_data 120 121 #define filesig_v3_time _u2.filesig_v3.filesig_v3_time 122 #define filesig_v3_dnsize _u2.filesig_v3.filesig_v3_dnsize 123 #define filesig_v3_sigsize _u2.filesig_v3.filesig_v3_sigsize 124 #define filesig_v3_oidsize _u2.filesig_v3.filesig_v3_oidsize 125 #define filesig_v3_data _u2.filesig_v3.filesig_v3_data 126 127 #define filesig_ALIGN(s) (((s) + sizeof (uint64_t) - 1) & \ 128 (-sizeof (uint64_t))) 129 #define filesig_next(ptr) (struct filesig *)((void *)((char *)(ptr) + \ 130 filesig_ALIGN((ptr)->filesig_size))) 131 132 #define FILESIG_UNKNOWN 0 /* unrecognized version */ 133 #define FILESIG_VERSION1 1 /* version1, all but sig section */ 134 #define FILESIG_VERSION2 2 /* version1 format, SHF_ALLOC only */ 135 #define FILESIG_VERSION3 3 /* version3, all but sig section */ 136 #define FILESIG_VERSION4 4 /* version3 format, SHF_ALLOC only */ 137 138 #ifndef _KERNEL 139 140 #define _PATH_KCFD_DOOR "/var/run/kcfd_door" 141 142 #define ES_FMT_RSA_MD5_SHA1 "rsa_md5_sha1" 143 #define ES_FMT_RSA_SHA1 "rsa_sha1" 144 enum ES_ACTION { 145 ES_GET, 146 ES_GET_CRYPTO, 147 ES_UPDATE, 148 ES_UPDATE_RSA_MD5_SHA1, 149 ES_UPDATE_RSA_SHA1 150 }; 151 #define ES_ACTISUPDATE(a) ((a) >= ES_UPDATE) 152 153 /* 154 * ELF signature handling 155 */ 156 typedef struct ELFsign_s *ELFsign_t; 157 struct ELFsign_sig_info { 158 char *esi_format; 159 char *esi_signer; 160 time_t esi_time; 161 }; 162 163 extern struct filesignatures *elfsign_insert_dso(ELFsign_t ess, 164 struct filesignatures *fsp, const char *dn, int dn_len, 165 const uchar_t *sig, int sig_len, const char *oid, int oid_len); 166 extern filesig_vers_t elfsign_extract_sig(ELFsign_t ess, 167 struct filesignatures *fsp, uchar_t *sig, size_t *sig_len); 168 extern ELFsign_status_t elfsign_begin(const char *, 169 const char *, char *, enum ES_ACTION, ELFsign_t *); 170 extern void elfsign_end(ELFsign_t ess); 171 extern ELFsign_status_t elfsign_verify_signature(ELFsign_t ess, 172 struct ELFsign_sig_info **esipp); 173 extern ELFsign_status_t elfsign_hash(ELFsign_t ess, uchar_t *hash, 174 size_t *hash_len); 175 extern ELFsign_status_t elfsign_hash_mem_resident(ELFsign_t ess, 176 uchar_t *hash, size_t *hash_len); 177 extern ELFsign_status_t elfsign_hash_esa(ELFsign_t ess, 178 uchar_t *esa_buf, size_t esa_buf_len, uchar_t **hash, size_t *hash_len); 179 extern void elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp, 180 enum ES_ACTION action); 181 182 extern ELFsign_status_t elfsign_signatures(ELFsign_t ess, 183 struct filesignatures **fspp, size_t *fs_len, enum ES_ACTION action); 184 185 extern char const *elfsign_strerror(ELFsign_status_t); 186 extern boolean_t elfsign_sig_info(struct filesignatures *fssp, 187 struct ELFsign_sig_info **esipp); 188 extern void elfsign_sig_info_free(struct ELFsign_sig_info *); 189 190 extern ELFsign_t elfsign_new_ess(void); 191 192 /* 193 * ELF "Certificate Library" 194 */ 195 196 extern const char _PATH_ELFSIGN_CERTS[]; 197 198 #define ELFCERT_MAX_DN_LEN 255 199 200 typedef struct ELFCert_s *ELFCert_t; 201 202 extern boolean_t elfcertlib_init(ELFsign_t, char *); 203 204 extern boolean_t elfcertlib_getcert(ELFsign_t ess, char *cert_pathname, 205 char *signer_DN, ELFCert_t *certp, enum ES_ACTION action); 206 extern void elfcertlib_releasecert(ELFsign_t, ELFCert_t); 207 extern char *elfcertlib_getdn(ELFCert_t cert); 208 extern char *elfcertlib_getissuer(ELFCert_t cert); 209 210 extern boolean_t elfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert, 211 const char *path); 212 extern boolean_t elfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert, 213 const char *token_id, const char *pin); 214 215 extern boolean_t elfcertlib_sign(ELFsign_t ess, ELFCert_t cert, 216 const uchar_t *data, size_t data_len, uchar_t *sig, 217 size_t *sig_len); 218 219 #endif /* _KERNEL */ 220 221 #ifdef __cplusplus 222 } 223 #endif 224 225 #endif /* _SYS_CRYPTO_ELFSIGN_H */ 226