1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2012 Milan Jurik. All rights reserved.
25 * Copyright (c) 2018, Joyent, Inc.
26 */
27
28 #include <stdlib.h>
29 #include <string.h>
30 #include <security/cryptoki.h>
31 #include <sys/crypto/common.h>
32 #include <arcfour.h>
33 #include <aes_impl.h>
34 #include <blowfish_impl.h>
35 #include <bignum.h>
36 #include <des_impl.h>
37 #include <rsa_impl.h>
38 #include "softGlobal.h"
39 #include "softObject.h"
40 #include "softSession.h"
41 #include "softKeystore.h"
42 #include "softKeystoreUtil.h"
43 #include "softCrypt.h"
44
45
46 /*
47 * This attribute table is used by the soft_lookup_attr()
48 * to validate the attributes.
49 */
50 CK_ATTRIBUTE_TYPE attr_map[] = {
51 CKA_PRIVATE,
52 CKA_LABEL,
53 CKA_APPLICATION,
54 CKA_OBJECT_ID,
55 CKA_CERTIFICATE_TYPE,
56 CKA_ISSUER,
57 CKA_SERIAL_NUMBER,
58 CKA_AC_ISSUER,
59 CKA_OWNER,
60 CKA_ATTR_TYPES,
61 CKA_SUBJECT,
62 CKA_ID,
63 CKA_SENSITIVE,
64 CKA_START_DATE,
65 CKA_END_DATE,
66 CKA_MODULUS,
67 CKA_MODULUS_BITS,
68 CKA_PUBLIC_EXPONENT,
69 CKA_PRIVATE_EXPONENT,
70 CKA_PRIME_1,
71 CKA_PRIME_2,
72 CKA_EXPONENT_1,
73 CKA_EXPONENT_2,
74 CKA_COEFFICIENT,
75 CKA_PRIME,
76 CKA_SUBPRIME,
77 CKA_BASE,
78 CKA_EXTRACTABLE,
79 CKA_LOCAL,
80 CKA_NEVER_EXTRACTABLE,
81 CKA_ALWAYS_SENSITIVE,
82 CKA_MODIFIABLE,
83 CKA_ECDSA_PARAMS,
84 CKA_EC_PARAMS,
85 CKA_EC_POINT,
86 CKA_SECONDARY_AUTH,
87 CKA_AUTH_PIN_FLAGS,
88 CKA_HW_FEATURE_TYPE,
89 CKA_RESET_ON_INIT,
90 CKA_HAS_RESET
91 };
92
93 /*
94 * attributes that exists only in public key objects
95 * Note: some attributes may also exist in one or two
96 * other object classes, but they are also listed
97 * because not all object have them.
98 */
99 CK_ATTRIBUTE_TYPE PUB_KEY_ATTRS[] =
100 {
101 CKA_SUBJECT,
102 CKA_ENCRYPT,
103 CKA_WRAP,
104 CKA_VERIFY,
105 CKA_VERIFY_RECOVER,
106 CKA_MODULUS,
107 CKA_MODULUS_BITS,
108 CKA_PUBLIC_EXPONENT,
109 CKA_PRIME,
110 CKA_SUBPRIME,
111 CKA_BASE,
112 CKA_TRUSTED,
113 CKA_ECDSA_PARAMS,
114 CKA_EC_PARAMS,
115 CKA_EC_POINT
116 };
117
118 /*
119 * attributes that exists only in private key objects
120 * Note: some attributes may also exist in one or two
121 * other object classes, but they are also listed
122 * because not all object have them.
123 */
124 CK_ATTRIBUTE_TYPE PRIV_KEY_ATTRS[] =
125 {
126 CKA_DECRYPT,
127 CKA_UNWRAP,
128 CKA_SIGN,
129 CKA_SIGN_RECOVER,
130 CKA_MODULUS,
131 CKA_PUBLIC_EXPONENT,
132 CKA_PRIVATE_EXPONENT,
133 CKA_PRIME,
134 CKA_SUBPRIME,
135 CKA_BASE,
136 CKA_PRIME_1,
137 CKA_PRIME_2,
138 CKA_EXPONENT_1,
139 CKA_EXPONENT_2,
140 CKA_COEFFICIENT,
141 CKA_VALUE_BITS,
142 CKA_SUBJECT,
143 CKA_SENSITIVE,
144 CKA_EXTRACTABLE,
145 CKA_NEVER_EXTRACTABLE,
146 CKA_ALWAYS_SENSITIVE,
147 CKA_EC_PARAMS
148 };
149
150 /*
151 * attributes that exists only in secret key objects
152 * Note: some attributes may also exist in one or two
153 * other object classes, but they are also listed
154 * because not all object have them.
155 */
156 CK_ATTRIBUTE_TYPE SECRET_KEY_ATTRS[] =
157 {
158 CKA_VALUE_LEN,
159 CKA_ENCRYPT,
160 CKA_DECRYPT,
161 CKA_WRAP,
162 CKA_UNWRAP,
163 CKA_SIGN,
164 CKA_VERIFY,
165 CKA_SENSITIVE,
166 CKA_EXTRACTABLE,
167 CKA_NEVER_EXTRACTABLE,
168 CKA_ALWAYS_SENSITIVE
169 };
170
171 /*
172 * attributes that exists only in domain parameter objects
173 * Note: some attributes may also exist in one or two
174 * other object classes, but they are also listed
175 * because not all object have them.
176 */
177 CK_ATTRIBUTE_TYPE DOMAIN_ATTRS[] =
178 {
179 CKA_PRIME,
180 CKA_SUBPRIME,
181 CKA_BASE,
182 CKA_PRIME_BITS,
183 CKA_SUBPRIME_BITS,
184 CKA_SUB_PRIME_BITS
185 };
186
187 /*
188 * attributes that exists only in hardware feature objects
189 *
190 */
191 CK_ATTRIBUTE_TYPE HARDWARE_ATTRS[] =
192 {
193 CKA_HW_FEATURE_TYPE,
194 CKA_RESET_ON_INIT,
195 CKA_HAS_RESET
196 };
197
198 /*
199 * attributes that exists only in certificate objects
200 */
201 CK_ATTRIBUTE_TYPE CERT_ATTRS[] =
202 {
203 CKA_CERTIFICATE_TYPE,
204 CKA_TRUSTED,
205 CKA_SUBJECT,
206 CKA_ID,
207 CKA_ISSUER,
208 CKA_AC_ISSUER,
209 CKA_SERIAL_NUMBER,
210 CKA_OWNER,
211 CKA_ATTR_TYPES
212 };
213
214
215 /*
216 * Validate the attribute by using binary search algorithm.
217 */
218 CK_RV
219 soft_lookup_attr(CK_ATTRIBUTE_TYPE type)
220 {
221
222 size_t lower, middle, upper;
223
224 lower = 0;
225 upper = (sizeof (attr_map) / sizeof (CK_ATTRIBUTE_TYPE)) - 1;
226
227 while (lower <= upper) {
228 /* Always starts from middle. */
229 middle = (lower + upper) / 2;
230
231 if (type > attr_map[middle]) {
232 /* Adjust the lower bound to upper half. */
233 lower = middle + 1;
234 continue;
235 }
236
237 if (type == attr_map[middle]) {
238 /* Found it. */
239 return (CKR_OK);
240 }
241
242 if (type < attr_map[middle]) {
243 /* Adjust the upper bound to lower half. */
244 upper = middle - 1;
245 continue;
246 }
247 }
248
249 /* Failed to find the matching attribute from the attribute table. */
250 return (CKR_ATTRIBUTE_TYPE_INVALID);
251 }
252
253
254 /*
255 * Validate the attribute by using the following search algorithm:
256 *
257 * 1) Search for the most frequently used attributes first.
258 * 2) If not found, search for the usage-purpose attributes - these
259 * attributes have dense set of values, therefore compiler will
260 * optimize it with a branch table and branch to the appropriate
261 * case.
262 * 3) If still not found, use binary search for the rest of the
263 * attributes in the attr_map[] table.
264 */
265 CK_RV
266 soft_validate_attr(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
267 CK_OBJECT_CLASS *class)
268 {
269
270 CK_ULONG i;
271 CK_RV rv = CKR_OK;
272
273 for (i = 0; i < ulAttrNum; i++) {
274 /* First tier search */
275 switch (template[i].type) {
276 case CKA_CLASS:
277 *class = *((CK_OBJECT_CLASS*)template[i].pValue);
278 break;
279 case CKA_TOKEN:
280 break;
281 case CKA_KEY_TYPE:
282 break;
283 case CKA_VALUE:
284 break;
285 case CKA_VALUE_LEN:
286 break;
287 case CKA_VALUE_BITS:
288 break;
289 default:
290 /* Second tier search */
291 switch (template[i].type) {
292 case CKA_ENCRYPT:
293 break;
294 case CKA_DECRYPT:
295 break;
296 case CKA_WRAP:
297 break;
298 case CKA_UNWRAP:
299 break;
300 case CKA_SIGN:
301 break;
302 case CKA_SIGN_RECOVER:
303 break;
304 case CKA_VERIFY:
305 break;
306 case CKA_VERIFY_RECOVER:
307 break;
308 case CKA_DERIVE:
309 break;
310 default:
311 /* Third tier search */
312 rv = soft_lookup_attr(template[i].type);
313 if (rv != CKR_OK)
314 return (rv);
315 break;
316 }
317 break;
318 }
319 }
320 return (rv);
321 }
322
323 static void
324 cleanup_cert_attr(cert_attr_t *attr)
325 {
326 if (attr != NULL) {
327 freezero(attr->value, attr->length);
328 attr->value = NULL;
329 attr->length = 0;
330 }
331 }
332
333 static CK_RV
334 copy_cert_attr(cert_attr_t *src_attr, cert_attr_t **dest_attr)
335 {
336 CK_RV rv = CKR_OK;
337
338 if (src_attr == NULL || dest_attr == NULL)
339 return (CKR_HOST_MEMORY);
340
341 if (src_attr->value == NULL)
342 return (CKR_HOST_MEMORY);
343
344 /* free memory if its already allocated */
345 if (*dest_attr != NULL) {
346 cleanup_cert_attr(*dest_attr);
347 } else {
348 *dest_attr = malloc(sizeof (cert_attr_t));
349 if (*dest_attr == NULL)
350 return (CKR_HOST_MEMORY);
351 }
352
353 (*dest_attr)->value = NULL;
354 (*dest_attr)->length = 0;
355
356 if (src_attr->length) {
357 (*dest_attr)->value = malloc(src_attr->length);
358 if ((*dest_attr)->value == NULL) {
359 free(*dest_attr);
360 return (CKR_HOST_MEMORY);
361 }
362
363 (void) memcpy((*dest_attr)->value, src_attr->value,
364 src_attr->length);
365 (*dest_attr)->length = src_attr->length;
366 }
367
368 return (rv);
369 }
370
371 void
372 soft_cleanup_cert_object(soft_object_t *object_p)
373 {
374 CK_CERTIFICATE_TYPE certtype = object_p->cert_type;
375
376 if (object_p->class != CKO_CERTIFICATE ||
377 OBJ_CERT(object_p) == NULL)
378 return;
379
380 if (certtype == CKC_X_509) {
381 if (X509_CERT_SUBJECT(object_p) != NULL) {
382 cleanup_cert_attr(X509_CERT_SUBJECT(object_p));
383 free(X509_CERT_SUBJECT(object_p));
384 X509_CERT_SUBJECT(object_p) = NULL;
385 }
386 if (X509_CERT_VALUE(object_p) != NULL) {
387 cleanup_cert_attr(X509_CERT_VALUE(object_p));
388 free(X509_CERT_VALUE(object_p));
389 X509_CERT_VALUE(object_p) = NULL;
390 }
391 free(OBJ_CERT(object_p));
392 } else if (certtype == CKC_X_509_ATTR_CERT) {
393 if (X509_ATTR_CERT_VALUE(object_p) != NULL) {
394 cleanup_cert_attr(X509_ATTR_CERT_VALUE(object_p));
395 free(X509_ATTR_CERT_VALUE(object_p));
396 X509_ATTR_CERT_VALUE(object_p) = NULL;
397 }
398 if (X509_ATTR_CERT_OWNER(object_p) != NULL) {
399 cleanup_cert_attr(X509_ATTR_CERT_OWNER(object_p));
400 free(X509_ATTR_CERT_OWNER(object_p));
401 X509_ATTR_CERT_OWNER(object_p) = NULL;
402 }
403 free(OBJ_CERT(object_p));
404 }
405 }
406
407 /*
408 * Clean up and release all the storage in the extra attribute list
409 * of an object.
410 */
411 void
412 soft_cleanup_extra_attr(soft_object_t *object_p)
413 {
414
415 CK_ATTRIBUTE_INFO_PTR extra_attr;
416 CK_ATTRIBUTE_INFO_PTR tmp;
417
418 extra_attr = object_p->extra_attrlistp;
419 while (extra_attr) {
420 tmp = extra_attr->next;
421 if (extra_attr->attr.pValue != NULL) {
422 /*
423 * All extra attributes in the extra attribute
424 * list have pValue points to the value of the
425 * attribute (with simple byte array type).
426 * Free the storage for the value of the attribute.
427 */
428 freezero(extra_attr->attr.pValue,
429 extra_attr->attr.ulValueLen);
430 }
431
432 /* Free the storage for the attribute_info struct. */
433 free(extra_attr);
434 extra_attr = tmp;
435 }
436
437 object_p->extra_attrlistp = NULL;
438 }
439
440
441 /*
442 * Create the attribute_info struct to hold the object's attribute,
443 * and add it to the extra attribute list of an object.
444 */
445 CK_RV
446 soft_add_extra_attr(CK_ATTRIBUTE_PTR template, soft_object_t *object_p)
447 {
448
449 CK_ATTRIBUTE_INFO_PTR attrp;
450
451 /* Allocate the storage for the attribute_info struct. */
452 attrp = calloc(1, sizeof (attribute_info_t));
453 if (attrp == NULL) {
454 return (CKR_HOST_MEMORY);
455 }
456
457 /* Set up attribute_info struct. */
458 attrp->attr.type = template->type;
459 attrp->attr.ulValueLen = template->ulValueLen;
460
461 if ((template->pValue != NULL) &&
462 (template->ulValueLen > 0)) {
463 /* Allocate storage for the value of the attribute. */
464 attrp->attr.pValue = malloc(template->ulValueLen);
465 if (attrp->attr.pValue == NULL) {
466 free(attrp);
467 return (CKR_HOST_MEMORY);
468 }
469
470 (void) memcpy(attrp->attr.pValue, template->pValue,
471 template->ulValueLen);
472 } else {
473 attrp->attr.pValue = NULL;
474 }
475
476 /* Insert the new attribute in front of extra attribute list. */
477 if (object_p->extra_attrlistp == NULL) {
478 object_p->extra_attrlistp = attrp;
479 attrp->next = NULL;
480 } else {
481 attrp->next = object_p->extra_attrlistp;
482 object_p->extra_attrlistp = attrp;
483 }
484
485 return (CKR_OK);
486 }
487
488 CK_RV
489 soft_copy_certificate(certificate_obj_t *oldcert, certificate_obj_t **newcert,
490 CK_CERTIFICATE_TYPE type)
491 {
492 CK_RV rv = CKR_OK;
493 certificate_obj_t *cert;
494 x509_cert_t x509;
495 x509_attr_cert_t x509_attr;
496
497 cert = calloc(1, sizeof (certificate_obj_t));
498 if (cert == NULL) {
499 return (CKR_HOST_MEMORY);
500 }
501
502 if (type == CKC_X_509) {
503 x509 = oldcert->cert_type_u.x509;
504 if (x509.subject)
505 if ((rv = copy_cert_attr(x509.subject,
506 &cert->cert_type_u.x509.subject)))
507 return (rv);
508 if (x509.value)
509 if ((rv = copy_cert_attr(x509.value,
510 &cert->cert_type_u.x509.value)))
511 return (rv);
512 } else if (type == CKC_X_509_ATTR_CERT) {
513 x509_attr = oldcert->cert_type_u.x509_attr;
514 if (x509_attr.owner)
515 if ((rv = copy_cert_attr(x509_attr.owner,
516 &cert->cert_type_u.x509_attr.owner)))
517 return (rv);
518 if (x509_attr.value)
519 if ((rv = copy_cert_attr(x509_attr.value,
520 &cert->cert_type_u.x509_attr.value)))
521 return (rv);
522 } else {
523 /* wrong certificate type */
524 rv = CKR_ATTRIBUTE_TYPE_INVALID;
525 }
526 if (rv == CKR_OK)
527 *newcert = cert;
528 return (rv);
529 }
530
531 /*
532 * Copy the attribute_info struct from the old object to a new attribute_info
533 * struct, and add that new struct to the extra attribute list of the new
534 * object.
535 */
536 CK_RV
537 soft_copy_extra_attr(CK_ATTRIBUTE_INFO_PTR old_attrp, soft_object_t *object_p)
538 {
539 CK_ATTRIBUTE_INFO_PTR attrp;
540
541 /* Allocate attribute_info struct. */
542 attrp = calloc(1, sizeof (attribute_info_t));
543 if (attrp == NULL) {
544 return (CKR_HOST_MEMORY);
545 }
546
547 attrp->attr.type = old_attrp->attr.type;
548 attrp->attr.ulValueLen = old_attrp->attr.ulValueLen;
549
550 if ((old_attrp->attr.pValue != NULL) &&
551 (old_attrp->attr.ulValueLen > 0)) {
552 attrp->attr.pValue = malloc(old_attrp->attr.ulValueLen);
553 if (attrp->attr.pValue == NULL) {
554 free(attrp);
555 return (CKR_HOST_MEMORY);
556 }
557
558 (void) memcpy(attrp->attr.pValue, old_attrp->attr.pValue,
559 old_attrp->attr.ulValueLen);
560 } else {
561 attrp->attr.pValue = NULL;
562 }
563
564 /* Insert the new attribute in front of extra attribute list */
565 if (object_p->extra_attrlistp == NULL) {
566 object_p->extra_attrlistp = attrp;
567 attrp->next = NULL;
568 } else {
569 attrp->next = object_p->extra_attrlistp;
570 object_p->extra_attrlistp = attrp;
571 }
572
573 return (CKR_OK);
574 }
575
576
577 /*
578 * Get the attribute triple from the extra attribute list in the object
579 * (if the specified attribute type is found), and copy it to a template.
580 * Note the type of the attribute to be copied is specified by the template,
581 * and the storage is pre-allocated for the atrribute value in the template
582 * for doing the copy.
583 */
584 CK_RV
585 get_extra_attr_from_object(soft_object_t *object_p, CK_ATTRIBUTE_PTR template)
586 {
587
588 CK_ATTRIBUTE_INFO_PTR extra_attr;
589 CK_ATTRIBUTE_TYPE type = template->type;
590
591 extra_attr = object_p->extra_attrlistp;
592
593 while (extra_attr) {
594 if (type == extra_attr->attr.type) {
595 /* Found it. */
596 break;
597 } else {
598 /* Does not match, try next one. */
599 extra_attr = extra_attr->next;
600 }
601 }
602
603 if (extra_attr == NULL) {
604 /* A valid but un-initialized attribute. */
605 template->ulValueLen = 0;
606 return (CKR_OK);
607 }
608
609 /*
610 * We found the attribute in the extra attribute list.
611 */
612 if (template->pValue == NULL) {
613 template->ulValueLen = extra_attr->attr.ulValueLen;
614 return (CKR_OK);
615 }
616
617 if (template->ulValueLen >= extra_attr->attr.ulValueLen) {
618 /*
619 * The buffer provided by the application is large
620 * enough to hold the value of the attribute.
621 */
622 (void) memcpy(template->pValue, extra_attr->attr.pValue,
623 extra_attr->attr.ulValueLen);
624 template->ulValueLen = extra_attr->attr.ulValueLen;
625 return (CKR_OK);
626 } else {
627 /*
628 * The buffer provided by the application does
629 * not have enough space to hold the value.
630 */
631 template->ulValueLen = (CK_ULONG)-1;
632 return (CKR_BUFFER_TOO_SMALL);
633 }
634 }
635
636
637 /*
638 * Modify the attribute triple in the extra attribute list of the object
639 * if the specified attribute type is found. Otherwise, just add it to
640 * list.
641 */
642 CK_RV
643 set_extra_attr_to_object(soft_object_t *object_p, CK_ATTRIBUTE_TYPE type,
644 CK_ATTRIBUTE_PTR template)
645 {
646
647 CK_ATTRIBUTE_INFO_PTR extra_attr;
648
649 extra_attr = object_p->extra_attrlistp;
650
651 while (extra_attr) {
652 if (type == extra_attr->attr.type) {
653 /* Found it. */
654 break;
655 } else {
656 /* Does not match, try next one. */
657 extra_attr = extra_attr->next;
658 }
659 }
660
661 if (extra_attr == NULL) {
662 /*
663 * This attribute is a new one, go ahead adding it to
664 * the extra attribute list.
665 */
666 return (soft_add_extra_attr(template, object_p));
667 }
668
669 /* We found the attribute in the extra attribute list. */
670 if ((template->pValue != NULL) &&
671 (template->ulValueLen > 0)) {
672 if (template->ulValueLen > extra_attr->attr.ulValueLen) {
673 /* The old buffer is too small to hold the new value. */
674 if (extra_attr->attr.pValue != NULL) {
675 /* Free storage for the old attribute value. */
676 freezero(extra_attr->attr.pValue,
677 extra_attr->attr.ulValueLen);
678 }
679
680 /* Allocate storage for the new attribute value. */
681 extra_attr->attr.pValue = malloc(template->ulValueLen);
682 if (extra_attr->attr.pValue == NULL) {
683 return (CKR_HOST_MEMORY);
684 }
685 }
686
687 /* Replace the attribute with new value. */
688 extra_attr->attr.ulValueLen = template->ulValueLen;
689 (void) memcpy(extra_attr->attr.pValue, template->pValue,
690 template->ulValueLen);
691 } else {
692 extra_attr->attr.pValue = NULL;
693 }
694
695 return (CKR_OK);
696 }
697
698
699 /*
700 * Copy the big integer attribute value from template to a biginteger_t struct.
701 */
702 CK_RV
703 get_bigint_attr_from_template(biginteger_t *big, CK_ATTRIBUTE_PTR template)
704 {
705
706 if ((template->pValue != NULL) &&
707 (template->ulValueLen > 0)) {
708 /* Allocate storage for the value of the attribute. */
709 big->big_value = malloc(template->ulValueLen);
710 if (big->big_value == NULL) {
711 return (CKR_HOST_MEMORY);
712 }
713
714 (void) memcpy(big->big_value, template->pValue,
715 template->ulValueLen);
716 big->big_value_len = template->ulValueLen;
717 } else {
718 big->big_value = NULL;
719 big->big_value_len = 0;
720 }
721
722 return (CKR_OK);
723 }
724
725
726 /*
727 * Copy the big integer attribute value from a biginteger_t struct in the
728 * object to a template.
729 */
730 CK_RV
731 get_bigint_attr_from_object(biginteger_t *big, CK_ATTRIBUTE_PTR template)
732 {
733
734 if (template->pValue == NULL) {
735 template->ulValueLen = big->big_value_len;
736 return (CKR_OK);
737 }
738
739 if (big->big_value == NULL) {
740 template->ulValueLen = 0;
741 return (CKR_OK);
742 }
743
744 if (template->ulValueLen >= big->big_value_len) {
745 /*
746 * The buffer provided by the application is large
747 * enough to hold the value of the attribute.
748 */
749 (void) memcpy(template->pValue, big->big_value,
750 big->big_value_len);
751 template->ulValueLen = big->big_value_len;
752 return (CKR_OK);
753 } else {
754 /*
755 * The buffer provided by the application does
756 * not have enough space to hold the value.
757 */
758 template->ulValueLen = (CK_ULONG)-1;
759 return (CKR_BUFFER_TOO_SMALL);
760 }
761 }
762
763
764 /*
765 * Copy the boolean data type attribute value from an object for the
766 * specified attribute to the template.
767 */
768 CK_RV
769 get_bool_attr_from_object(soft_object_t *object_p, CK_ULONG bool_flag,
770 CK_ATTRIBUTE_PTR template)
771 {
772
773 if (template->pValue == NULL) {
774 template->ulValueLen = sizeof (CK_BBOOL);
775 return (CKR_OK);
776 }
777
778 if (template->ulValueLen >= sizeof (CK_BBOOL)) {
779 /*
780 * The buffer provided by the application is large
781 * enough to hold the value of the attribute.
782 */
783 if (object_p->bool_attr_mask & bool_flag) {
784 *((CK_BBOOL *)template->pValue) = B_TRUE;
785 } else {
786 *((CK_BBOOL *)template->pValue) = B_FALSE;
787 }
788
789 template->ulValueLen = sizeof (CK_BBOOL);
790 return (CKR_OK);
791 } else {
792 /*
793 * The buffer provided by the application does
794 * not have enough space to hold the value.
795 */
796 template->ulValueLen = (CK_ULONG)-1;
797 return (CKR_BUFFER_TOO_SMALL);
798 }
799 }
800
801 /*
802 * Set the boolean data type attribute value in the object.
803 */
804 CK_RV
805 set_bool_attr_to_object(soft_object_t *object_p, CK_ULONG bool_flag,
806 CK_ATTRIBUTE_PTR template)
807 {
808
809 if (*(CK_BBOOL *)template->pValue)
810 object_p->bool_attr_mask |= bool_flag;
811 else
812 object_p->bool_attr_mask &= ~bool_flag;
813
814 return (CKR_OK);
815 }
816
817
818 /*
819 * Copy the CK_ULONG data type attribute value from an object to the
820 * template.
821 */
822 CK_RV
823 get_ulong_attr_from_object(CK_ULONG value, CK_ATTRIBUTE_PTR template)
824 {
825
826 if (template->pValue == NULL) {
827 template->ulValueLen = sizeof (CK_ULONG);
828 return (CKR_OK);
829 }
830
831 if (template->ulValueLen >= sizeof (CK_ULONG)) {
832 /*
833 * The buffer provided by the application is large
834 * enough to hold the value of the attribute.
835 * It is also assumed to be correctly aligned.
836 */
837 *(CK_ULONG_PTR)template->pValue = value;
838 template->ulValueLen = sizeof (CK_ULONG);
839 return (CKR_OK);
840 } else {
841 /*
842 * The buffer provided by the application does
843 * not have enough space to hold the value.
844 */
845 template->ulValueLen = (CK_ULONG)-1;
846 return (CKR_BUFFER_TOO_SMALL);
847 }
848 }
849
850
851 /*
852 * Copy the CK_ULONG data type attribute value from a template to the
853 * object.
854 */
855 static CK_RV
856 get_ulong_attr_from_template(CK_ULONG *value, CK_ATTRIBUTE_PTR template)
857 {
858
859 if (template->ulValueLen < sizeof (CK_ULONG))
860 return (CKR_ATTRIBUTE_VALUE_INVALID);
861
862 if (template->pValue != NULL) {
863 *value = *(CK_ULONG_PTR)template->pValue;
864 } else {
865 *value = 0;
866 }
867
868 return (CKR_OK);
869 }
870
871 /*
872 * Copy the big integer attribute value from source's biginteger_t to
873 * destination's biginteger_t.
874 */
875 void
876 copy_bigint_attr(biginteger_t *src, biginteger_t *dst)
877 {
878
879 if ((src->big_value != NULL) &&
880 (src->big_value_len > 0)) {
881 /*
882 * To do the copy, just have dst's big_value points
883 * to src's.
884 */
885 dst->big_value = src->big_value;
886 dst->big_value_len = src->big_value_len;
887
888 /*
889 * After the copy, nullify the src's big_value pointer.
890 * It prevents any double freeing the value.
891 */
892 src->big_value = NULL;
893 src->big_value_len = 0;
894 } else {
895 dst->big_value = NULL;
896 dst->big_value_len = 0;
897 }
898 }
899
900 CK_RV
901 get_string_from_template(CK_ATTRIBUTE_PTR dest, CK_ATTRIBUTE_PTR src)
902 {
903 if ((src->pValue != NULL) &&
904 (src->ulValueLen > 0)) {
905 /* Allocate storage for the value of the attribute. */
906 dest->pValue = malloc(src->ulValueLen);
907 if (dest->pValue == NULL) {
908 return (CKR_HOST_MEMORY);
909 }
910
911 (void) memcpy(dest->pValue, src->pValue,
912 src->ulValueLen);
913 dest->ulValueLen = src->ulValueLen;
914 dest->type = src->type;
915 } else {
916 dest->pValue = NULL;
917 dest->ulValueLen = 0;
918 dest->type = src->type;
919 }
920
921 return (CKR_OK);
922
923 }
924
925 CK_RV
926 get_cert_attr_from_template(cert_attr_t **dest, CK_ATTRIBUTE_PTR src)
927 {
928 if (src->pValue != NULL && src->ulValueLen > 0) {
929 /*
930 * If the attribute was already set, clear out the
931 * existing value and release the memory.
932 */
933 if (*dest != NULL) {
934 cleanup_cert_attr(*dest);
935 } else {
936 *dest = malloc(sizeof (cert_attr_t));
937 if (*dest == NULL) {
938 return (CKR_HOST_MEMORY);
939 }
940 (void) memset(*dest, 0, sizeof (cert_attr_t));
941 }
942 (*dest)->value = malloc(src->ulValueLen);
943 if ((*dest)->value == NULL) {
944 free(*dest);
945 *dest = NULL;
946 return (CKR_HOST_MEMORY);
947 }
948 (void) memcpy((*dest)->value, src->pValue, src->ulValueLen);
949 (*dest)->length = src->ulValueLen;
950 }
951
952 return (CKR_OK);
953 }
954
955 /*
956 * Copy the certificate attribute information to the template.
957 * If the template attribute is not big enough, set the ulValueLen=-1
958 * and return CKR_BUFFER_TOO_SMALL.
959 */
960 static CK_RV
961 get_cert_attr_from_object(cert_attr_t *src, CK_ATTRIBUTE_PTR template)
962 {
963 if (template->pValue == NULL) {
964 template->ulValueLen = src->length;
965 return (CKR_OK);
966 } else if (template->ulValueLen >= src->length) {
967 /*
968 * The buffer provided by the application is large
969 * enough to hold the value of the attribute.
970 */
971 (void) memcpy(template->pValue, src->value, src->length);
972 template->ulValueLen = src->length;
973 return (CKR_OK);
974 } else {
975 /*
976 * The buffer provided by the application does
977 * not have enough space to hold the value.
978 */
979 template->ulValueLen = (CK_ULONG)-1;
980 return (CKR_BUFFER_TOO_SMALL);
981 }
982 }
983
984 void
985 string_attr_cleanup(CK_ATTRIBUTE_PTR template)
986 {
987 freezero(template->pValue, template->ulValueLen);
988 template->pValue = NULL;
989 template->ulValueLen = 0;
990 }
991
992 /*
993 * Release the storage allocated for object attribute with big integer
994 * value.
995 */
996 void
997 bigint_attr_cleanup(biginteger_t *big)
998 {
999
1000 if (big == NULL)
1001 return;
1002
1003 freezero(big->big_value, big->big_value_len);
1004 big->big_value = NULL;
1005 big->big_value_len = 0;
1006 }
1007
1008
1009 /*
1010 * Clean up and release all the storage allocated to hold the big integer
1011 * attributes associated with the type (i.e. class) of the object. Also,
1012 * release the storage allocated to the type of the object.
1013 */
1014 void
1015 soft_cleanup_object_bigint_attrs(soft_object_t *object_p)
1016 {
1017
1018 CK_OBJECT_CLASS class = object_p->class;
1019 CK_KEY_TYPE keytype = object_p->key_type;
1020
1021
1022 switch (class) {
1023 case CKO_PUBLIC_KEY:
1024 if (OBJ_PUB(object_p)) {
1025 switch (keytype) {
1026 case CKK_RSA:
1027 bigint_attr_cleanup(OBJ_PUB_RSA_MOD(
1028 object_p));
1029 bigint_attr_cleanup(OBJ_PUB_RSA_PUBEXPO(
1030 object_p));
1031 break;
1032
1033 case CKK_DSA:
1034 bigint_attr_cleanup(OBJ_PUB_DSA_PRIME(
1035 object_p));
1036 bigint_attr_cleanup(OBJ_PUB_DSA_SUBPRIME(
1037 object_p));
1038 bigint_attr_cleanup(OBJ_PUB_DSA_BASE(
1039 object_p));
1040 bigint_attr_cleanup(OBJ_PUB_DSA_VALUE(
1041 object_p));
1042 break;
1043
1044 case CKK_DH:
1045 bigint_attr_cleanup(OBJ_PUB_DH_PRIME(
1046 object_p));
1047 bigint_attr_cleanup(OBJ_PUB_DH_BASE(
1048 object_p));
1049 bigint_attr_cleanup(OBJ_PUB_DH_VALUE(
1050 object_p));
1051 break;
1052
1053 case CKK_X9_42_DH:
1054 bigint_attr_cleanup(OBJ_PUB_DH942_PRIME(
1055 object_p));
1056 bigint_attr_cleanup(OBJ_PUB_DH942_BASE(
1057 object_p));
1058 bigint_attr_cleanup(OBJ_PUB_DH942_SUBPRIME(
1059 object_p));
1060 bigint_attr_cleanup(OBJ_PUB_DH942_VALUE(
1061 object_p));
1062 break;
1063 case CKK_EC:
1064 bigint_attr_cleanup(OBJ_PUB_EC_POINT(
1065 object_p));
1066 break;
1067 }
1068
1069 /* Release Public Key Object struct */
1070 free(OBJ_PUB(object_p));
1071 OBJ_PUB(object_p) = NULL;
1072 }
1073 break;
1074
1075 case CKO_PRIVATE_KEY:
1076 if (OBJ_PRI(object_p)) {
1077 switch (keytype) {
1078 case CKK_RSA:
1079 bigint_attr_cleanup(OBJ_PRI_RSA_MOD(
1080 object_p));
1081 bigint_attr_cleanup(OBJ_PRI_RSA_PUBEXPO(
1082 object_p));
1083 bigint_attr_cleanup(OBJ_PRI_RSA_PRIEXPO(
1084 object_p));
1085 bigint_attr_cleanup(OBJ_PRI_RSA_PRIME1(
1086 object_p));
1087 bigint_attr_cleanup(OBJ_PRI_RSA_PRIME2(
1088 object_p));
1089 bigint_attr_cleanup(OBJ_PRI_RSA_EXPO1(
1090 object_p));
1091 bigint_attr_cleanup(OBJ_PRI_RSA_EXPO2(
1092 object_p));
1093 bigint_attr_cleanup(OBJ_PRI_RSA_COEF(
1094 object_p));
1095 break;
1096
1097 case CKK_DSA:
1098 bigint_attr_cleanup(OBJ_PRI_DSA_PRIME(
1099 object_p));
1100 bigint_attr_cleanup(OBJ_PRI_DSA_SUBPRIME(
1101 object_p));
1102 bigint_attr_cleanup(OBJ_PRI_DSA_BASE(
1103 object_p));
1104 bigint_attr_cleanup(OBJ_PRI_DSA_VALUE(
1105 object_p));
1106 break;
1107
1108 case CKK_DH:
1109 bigint_attr_cleanup(OBJ_PRI_DH_PRIME(
1110 object_p));
1111 bigint_attr_cleanup(OBJ_PRI_DH_BASE(
1112 object_p));
1113 bigint_attr_cleanup(OBJ_PRI_DH_VALUE(
1114 object_p));
1115 break;
1116
1117 case CKK_X9_42_DH:
1118 bigint_attr_cleanup(OBJ_PRI_DH942_PRIME(
1119 object_p));
1120 bigint_attr_cleanup(OBJ_PRI_DH942_BASE(
1121 object_p));
1122 bigint_attr_cleanup(OBJ_PRI_DH942_SUBPRIME(
1123 object_p));
1124 bigint_attr_cleanup(OBJ_PRI_DH942_VALUE(
1125 object_p));
1126 break;
1127
1128 case CKK_EC:
1129 bigint_attr_cleanup(OBJ_PRI_EC_VALUE(
1130 object_p));
1131 break;
1132 }
1133
1134 /* Release Private Key Object struct. */
1135 free(OBJ_PRI(object_p));
1136 OBJ_PRI(object_p) = NULL;
1137 }
1138 break;
1139
1140 case CKO_SECRET_KEY:
1141 if (OBJ_SEC(object_p)) {
1142 /* cleanup key data area */
1143 if (OBJ_SEC_VALUE(object_p) != NULL &&
1144 OBJ_SEC_VALUE_LEN(object_p) > 0) {
1145 freezero(OBJ_SEC_VALUE(object_p),
1146 OBJ_SEC_VALUE_LEN(object_p));
1147 }
1148 /* cleanup key schedule data area */
1149 if (OBJ_KEY_SCHED(object_p) != NULL &&
1150 OBJ_KEY_SCHED_LEN(object_p) > 0) {
1151 freezero(OBJ_KEY_SCHED(object_p),
1152 OBJ_KEY_SCHED_LEN(object_p));
1153 }
1154
1155 /* Release Secret Key Object struct. */
1156 free(OBJ_SEC(object_p));
1157 OBJ_SEC(object_p) = NULL;
1158 }
1159 break;
1160
1161 case CKO_DOMAIN_PARAMETERS:
1162 if (OBJ_DOM(object_p)) {
1163 switch (keytype) {
1164 case CKK_DSA:
1165 bigint_attr_cleanup(OBJ_DOM_DSA_PRIME(
1166 object_p));
1167 bigint_attr_cleanup(OBJ_DOM_DSA_SUBPRIME(
1168 object_p));
1169 bigint_attr_cleanup(OBJ_DOM_DSA_BASE(
1170 object_p));
1171 break;
1172
1173 case CKK_DH:
1174 bigint_attr_cleanup(OBJ_DOM_DH_PRIME(
1175 object_p));
1176 bigint_attr_cleanup(OBJ_DOM_DH_BASE(
1177 object_p));
1178 break;
1179
1180 case CKK_X9_42_DH:
1181 bigint_attr_cleanup(OBJ_DOM_DH942_PRIME(
1182 object_p));
1183 bigint_attr_cleanup(OBJ_DOM_DH942_BASE(
1184 object_p));
1185 bigint_attr_cleanup(OBJ_DOM_DH942_SUBPRIME(
1186 object_p));
1187 break;
1188 }
1189
1190 /* Release Domain Parameters Object struct. */
1191 free(OBJ_DOM(object_p));
1192 OBJ_DOM(object_p) = NULL;
1193 }
1194 break;
1195 }
1196 }
1197
1198
1199 /*
1200 * Parse the common attributes. Return to caller with appropriate return
1201 * value to indicate if the supplied template specifies a valid attribute
1202 * with a valid value.
1203 */
1204 CK_RV
1205 soft_parse_common_attrs(CK_ATTRIBUTE_PTR template, uchar_t *object_type)
1206 {
1207
1208 CK_RV rv = CKR_OK;
1209
1210 switch (template->type) {
1211 case CKA_CLASS:
1212 break;
1213
1214 /* default boolean attributes */
1215 case CKA_TOKEN:
1216 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) {
1217 if (!soft_keystore_status(KEYSTORE_INITIALIZED))
1218 return (CKR_DEVICE_REMOVED);
1219 *object_type |= TOKEN_OBJECT;
1220 }
1221 break;
1222
1223 case CKA_PRIVATE:
1224 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) {
1225 (void) pthread_mutex_lock(&soft_giant_mutex);
1226 if (!soft_slot.authenticated) {
1227 /*
1228 * Check if this is the special case when
1229 * the PIN is never initialized in the keystore.
1230 * If true, we will let it pass here and let
1231 * it fail with CKR_PIN_EXPIRED later on.
1232 */
1233 if (!soft_slot.userpin_change_needed) {
1234 (void) pthread_mutex_unlock(
1235 &soft_giant_mutex);
1236 return (CKR_USER_NOT_LOGGED_IN);
1237 }
1238 }
1239 (void) pthread_mutex_unlock(&soft_giant_mutex);
1240 *object_type |= PRIVATE_OBJECT;
1241 }
1242 break;
1243
1244 case CKA_LABEL:
1245 break;
1246
1247 default:
1248 rv = CKR_TEMPLATE_INCONSISTENT;
1249 }
1250
1251 return (rv);
1252 }
1253
1254
1255 /*
1256 * Build a Public Key Object.
1257 *
1258 * - Parse the object's template, and when an error is detected such as
1259 * invalid attribute type, invalid attribute value, etc., return
1260 * with appropriate return value.
1261 * - Set up attribute mask field in the object for the supplied common
1262 * attributes that have boolean type.
1263 * - Build the attribute_info struct to hold the value of each supplied
1264 * attribute that has byte array type. Link attribute_info structs
1265 * together to form the extra attribute list of the object.
1266 * - Allocate storage for the Public Key object.
1267 * - Build the Public Key object according to the key type. Allocate
1268 * storage to hold the big integer value for the supplied attributes
1269 * that are required for a certain key type.
1270 *
1271 */
1272 CK_RV
1273 soft_build_public_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
1274 soft_object_t *new_object, CK_ULONG mode, CK_KEY_TYPE key_type)
1275 {
1276
1277 ulong_t i;
1278 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL;
1279 uint64_t attr_mask = PUBLIC_KEY_DEFAULT;
1280 CK_RV rv = CKR_OK;
1281 int isLabel = 0;
1282 /* Must set flags */
1283 int isModulus = 0;
1284 int isPubExpo = 0;
1285 int isPrime = 0;
1286 int isSubprime = 0;
1287 int isBase = 0;
1288 int isValue = 0;
1289 int isECParam = 0;
1290 int isECPoint = 0;
1291 /* Must not set flags */
1292 int isModulusBits = 0;
1293 CK_ULONG modulus_bits = 0;
1294
1295 biginteger_t modulus;
1296 biginteger_t pubexpo;
1297 biginteger_t prime;
1298 biginteger_t subprime;
1299 biginteger_t base;
1300 biginteger_t value;
1301 biginteger_t point;
1302 CK_ATTRIBUTE string_tmp;
1303 CK_ATTRIBUTE param_tmp;
1304
1305 public_key_obj_t *pbk;
1306 uchar_t object_type = 0;
1307
1308 CK_ATTRIBUTE defpubexpo = { CKA_PUBLIC_EXPONENT,
1309 (CK_BYTE_PTR)DEFAULT_PUB_EXPO, DEFAULT_PUB_EXPO_Len };
1310
1311 BIGNUM n;
1312
1313 /* prevent bigint_attr_cleanup from freeing invalid attr value */
1314 (void) memset(&modulus, 0x0, sizeof (biginteger_t));
1315 (void) memset(&pubexpo, 0x0, sizeof (biginteger_t));
1316 (void) memset(&prime, 0x0, sizeof (biginteger_t));
1317 (void) memset(&subprime, 0x0, sizeof (biginteger_t));
1318 (void) memset(&base, 0x0, sizeof (biginteger_t));
1319 (void) memset(&value, 0x0, sizeof (biginteger_t));
1320 (void) memset(&point, 0x0, sizeof (biginteger_t));
1321 string_tmp.pValue = NULL;
1322 param_tmp.pValue = NULL;
1323
1324 for (i = 0; i < ulAttrNum; i++) {
1325
1326 /* Public Key Object Attributes */
1327 switch (template[i].type) {
1328
1329 /* common key attributes */
1330 case CKA_KEY_TYPE:
1331 keytype = *((CK_KEY_TYPE*)template[i].pValue);
1332 break;
1333
1334 case CKA_ID:
1335 case CKA_START_DATE:
1336 case CKA_END_DATE:
1337
1338 /* common public key attribute */
1339 case CKA_SUBJECT:
1340 /*
1341 * Allocate storage to hold the attribute
1342 * value with byte array type, and add it to
1343 * the extra attribute list of the object.
1344 */
1345 rv = soft_add_extra_attr(&template[i],
1346 new_object);
1347 if (rv != CKR_OK) {
1348 goto fail_cleanup;
1349 }
1350 break;
1351
1352 /*
1353 * The following key related attribute types must
1354 * not be specified by C_CreateObject, C_GenerateKey(Pair).
1355 */
1356 case CKA_LOCAL:
1357 case CKA_KEY_GEN_MECHANISM:
1358 rv = CKR_TEMPLATE_INCONSISTENT;
1359 goto fail_cleanup;
1360
1361 /* Key related boolean attributes */
1362 case CKA_DERIVE:
1363 if (*(CK_BBOOL *)template[i].pValue)
1364 attr_mask |= DERIVE_BOOL_ON;
1365 break;
1366
1367 case CKA_ENCRYPT:
1368 if (*(CK_BBOOL *)template[i].pValue)
1369 attr_mask |= ENCRYPT_BOOL_ON;
1370 else
1371 attr_mask &= ~ENCRYPT_BOOL_ON;
1372 break;
1373
1374 case CKA_VERIFY:
1375 if (*(CK_BBOOL *)template[i].pValue)
1376 attr_mask |= VERIFY_BOOL_ON;
1377 else
1378 attr_mask &= ~VERIFY_BOOL_ON;
1379 break;
1380
1381 case CKA_VERIFY_RECOVER:
1382 if (*(CK_BBOOL *)template[i].pValue)
1383 attr_mask |= VERIFY_RECOVER_BOOL_ON;
1384 else
1385 attr_mask &= ~VERIFY_RECOVER_BOOL_ON;
1386 break;
1387
1388 case CKA_WRAP:
1389 if (*(CK_BBOOL *)template[i].pValue)
1390 attr_mask |= WRAP_BOOL_ON;
1391 else
1392 attr_mask &= ~WRAP_BOOL_ON;
1393 break;
1394
1395 case CKA_TRUSTED:
1396 if (*(CK_BBOOL *)template[i].pValue)
1397 attr_mask |= TRUSTED_BOOL_ON;
1398 break;
1399
1400 case CKA_MODIFIABLE:
1401 if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE)
1402 attr_mask |= NOT_MODIFIABLE_BOOL_ON;
1403 break;
1404
1405 /*
1406 * The following key related attribute types must
1407 * be specified according to the key type by
1408 * C_CreateObject.
1409 */
1410 case CKA_MODULUS:
1411
1412 isModulus = 1;
1413 /*
1414 * Copyin big integer attribute from template
1415 * to a local variable.
1416 */
1417 rv = get_bigint_attr_from_template(&modulus,
1418 &template[i]);
1419 if (rv != CKR_OK)
1420 goto fail_cleanup;
1421
1422 /*
1423 * Modulus length needs to be between min key length and
1424 * max key length.
1425 */
1426 if ((modulus.big_value_len <
1427 MIN_RSA_KEYLENGTH_IN_BYTES) ||
1428 (modulus.big_value_len >
1429 MAX_RSA_KEYLENGTH_IN_BYTES)) {
1430 rv = CKR_ATTRIBUTE_VALUE_INVALID;
1431 goto fail_cleanup;
1432 }
1433 break;
1434
1435 case CKA_PUBLIC_EXPONENT:
1436 isPubExpo = 1;
1437 rv = get_bigint_attr_from_template(&pubexpo,
1438 &template[i]);
1439 if (rv != CKR_OK)
1440 goto fail_cleanup;
1441 break;
1442
1443 case CKA_PRIME:
1444 isPrime = 1;
1445 rv = get_bigint_attr_from_template(&prime,
1446 &template[i]);
1447 if (rv != CKR_OK)
1448 goto fail_cleanup;
1449 break;
1450
1451 case CKA_SUBPRIME:
1452 isSubprime = 1;
1453 rv = get_bigint_attr_from_template(&subprime,
1454 &template[i]);
1455 if (rv != CKR_OK)
1456 goto fail_cleanup;
1457 break;
1458
1459 case CKA_BASE:
1460 isBase = 1;
1461 rv = get_bigint_attr_from_template(&base,
1462 &template[i]);
1463 if (rv != CKR_OK)
1464 goto fail_cleanup;
1465 break;
1466
1467 case CKA_VALUE:
1468 isValue = 1;
1469 if (mode == SOFT_CREATE_OBJ) {
1470 if ((template[i].ulValueLen == 0) ||
1471 (template[i].pValue == NULL)) {
1472 rv = CKR_ATTRIBUTE_VALUE_INVALID;
1473 goto fail_cleanup;
1474 }
1475 }
1476
1477 rv = get_bigint_attr_from_template(&value,
1478 &template[i]);
1479 if (rv != CKR_OK)
1480 goto fail_cleanup;
1481 break;
1482
1483 case CKA_MODULUS_BITS:
1484 isModulusBits = 1;
1485 rv = get_ulong_attr_from_template(&modulus_bits,
1486 &template[i]);
1487 if (rv != CKR_OK)
1488 goto fail_cleanup;
1489 break;
1490
1491 case CKA_LABEL:
1492 isLabel = 1;
1493 rv = get_string_from_template(&string_tmp,
1494 &template[i]);
1495 if (rv != CKR_OK)
1496 goto fail_cleanup;
1497 break;
1498
1499 case CKA_EC_PARAMS:
1500 isECParam = 1;
1501 rv = get_string_from_template(¶m_tmp, &template[i]);
1502 if (rv != CKR_OK)
1503 goto fail_cleanup;
1504 break;
1505
1506 case CKA_EC_POINT:
1507 isECPoint = 1;
1508 rv = get_bigint_attr_from_template(&point,
1509 &template[i]);
1510 if (rv != CKR_OK)
1511 goto fail_cleanup;
1512 break;
1513
1514 default:
1515 rv = soft_parse_common_attrs(&template[i],
1516 &object_type);
1517 if (rv != CKR_OK)
1518 goto fail_cleanup;
1519 break;
1520 }
1521 } /* For */
1522
1523 /* Allocate storage for Public Key Object. */
1524 pbk = calloc(1, sizeof (public_key_obj_t));
1525 if (pbk == NULL) {
1526 rv = CKR_HOST_MEMORY;
1527 goto fail_cleanup;
1528 }
1529
1530 new_object->object_class_u.public_key = pbk;
1531 new_object->class = CKO_PUBLIC_KEY;
1532
1533 if ((mode == SOFT_CREATE_OBJ) && (keytype == (CK_KEY_TYPE)~0UL)) {
1534 rv = CKR_TEMPLATE_INCOMPLETE;
1535 goto fail_cleanup;
1536 }
1537
1538 if ((mode == SOFT_GEN_KEY) && (keytype == (CK_KEY_TYPE)~0UL)) {
1539 keytype = key_type;
1540 }
1541
1542 if ((mode == SOFT_GEN_KEY) && (keytype != key_type)) {
1543 /*
1544 * The key type specified in the template does not
1545 * match the implied key type based on the mechanism.
1546 */
1547 rv = CKR_TEMPLATE_INCONSISTENT;
1548 goto fail_cleanup;
1549 }
1550
1551 new_object->key_type = keytype;
1552
1553 /* Supported key types of the Public Key Object */
1554 switch (keytype) {
1555
1556 case CKK_RSA:
1557 if (mode == SOFT_CREATE_OBJ) {
1558 if (isModulusBits || isPrime || isSubprime ||
1559 isBase || isValue) {
1560 rv = CKR_TEMPLATE_INCONSISTENT;
1561 goto fail_cleanup;
1562 }
1563
1564 if (isModulus && isPubExpo) {
1565 /*
1566 * Derive modulus_bits attribute from modulus.
1567 * Save modulus_bits integer value to the
1568 * designated place in the public key object.
1569 */
1570 n.malloced = 0;
1571 #ifdef __sparcv9
1572 if (big_init(&n, (int)CHARLEN2BIGNUMLEN(
1573 modulus.big_value_len)) != BIG_OK) {
1574 #else /* !__sparcv9 */
1575 if (big_init(&n, CHARLEN2BIGNUMLEN(
1576 modulus.big_value_len)) != BIG_OK) {
1577 #endif /* __sparcv9 */
1578 rv = CKR_HOST_MEMORY;
1579 big_finish(&n);
1580 goto fail_cleanup;
1581 }
1582 bytestring2bignum(&n, modulus.big_value,
1583 modulus.big_value_len);
1584
1585 modulus_bits = big_bitlength(&n);
1586 KEY_PUB_RSA_MOD_BITS(pbk) = modulus_bits;
1587 big_finish(&n);
1588
1589 /*
1590 * After modulus_bits has been computed,
1591 * it is safe to move modulus and pubexpo
1592 * big integer attribute value to the
1593 * designated place in the public key object.
1594 */
1595 copy_bigint_attr(&modulus,
1596 KEY_PUB_RSA_MOD(pbk));
1597
1598 copy_bigint_attr(&pubexpo,
1599 KEY_PUB_RSA_PUBEXPO(pbk));
1600 } else {
1601 rv = CKR_TEMPLATE_INCOMPLETE;
1602 goto fail_cleanup;
1603 }
1604 } else {
1605 /* mode is SOFT_GEN_KEY */
1606
1607 if (isModulus || isPrime || isSubprime ||
1608 isBase || isValue) {
1609 rv = CKR_TEMPLATE_INCONSISTENT;
1610 goto fail_cleanup;
1611 }
1612
1613
1614 if (isModulusBits) {
1615 /*
1616 * Copy big integer attribute value to the
1617 * designated place in the public key object.
1618 */
1619 KEY_PUB_RSA_MOD_BITS(pbk) = modulus_bits;
1620 } else {
1621 rv = CKR_TEMPLATE_INCOMPLETE;
1622 goto fail_cleanup;
1623 }
1624
1625 /*
1626 * Use PKCS#11 default 0x010001 for public exponent
1627 * if not not specified in attribute template.
1628 */
1629 if (!isPubExpo) {
1630 isPubExpo = 1;
1631 rv = get_bigint_attr_from_template(&pubexpo,
1632 &defpubexpo);
1633 if (rv != CKR_OK)
1634 goto fail_cleanup;
1635 }
1636 /*
1637 * Copy big integer attribute value to the
1638 * designated place in the public key object.
1639 */
1640 copy_bigint_attr(&pubexpo, KEY_PUB_RSA_PUBEXPO(pbk));
1641 }
1642
1643 break;
1644
1645 case CKK_DSA:
1646 if (mode == SOFT_CREATE_OBJ) {
1647 if (isModulusBits || isModulus || isPubExpo) {
1648 rv = CKR_TEMPLATE_INCONSISTENT;
1649 goto fail_cleanup;
1650 }
1651
1652 if (isPrime && isSubprime && isBase && isValue) {
1653 copy_bigint_attr(&value,
1654 KEY_PUB_DSA_VALUE(pbk));
1655 } else {
1656 rv = CKR_TEMPLATE_INCOMPLETE;
1657 goto fail_cleanup;
1658 }
1659 } else {
1660 if (isModulusBits || isModulus || isPubExpo ||
1661 isValue) {
1662 rv = CKR_TEMPLATE_INCONSISTENT;
1663 goto fail_cleanup;
1664 }
1665
1666 if (!(isPrime && isSubprime && isBase)) {
1667 rv = CKR_TEMPLATE_INCOMPLETE;
1668 goto fail_cleanup;
1669 }
1670 }
1671
1672 copy_bigint_attr(&prime, KEY_PUB_DSA_PRIME(pbk));
1673
1674 copy_bigint_attr(&subprime, KEY_PUB_DSA_SUBPRIME(pbk));
1675
1676 copy_bigint_attr(&base, KEY_PUB_DSA_BASE(pbk));
1677
1678 break;
1679
1680 case CKK_DH:
1681 if (mode == SOFT_CREATE_OBJ) {
1682 if (isModulusBits || isModulus || isPubExpo ||
1683 isSubprime) {
1684 rv = CKR_TEMPLATE_INCONSISTENT;
1685 goto fail_cleanup;
1686 }
1687
1688 if (isPrime && isBase && isValue) {
1689 copy_bigint_attr(&value,
1690 KEY_PUB_DH_VALUE(pbk));
1691 } else {
1692 rv = CKR_TEMPLATE_INCOMPLETE;
1693 goto fail_cleanup;
1694 }
1695 } else {
1696 if (isModulusBits || isModulus || isPubExpo ||
1697 isSubprime || isValue) {
1698 rv = CKR_TEMPLATE_INCONSISTENT;
1699 goto fail_cleanup;
1700 }
1701
1702 if (!(isPrime && isBase)) {
1703 rv = CKR_TEMPLATE_INCOMPLETE;
1704 goto fail_cleanup;
1705 }
1706 }
1707
1708 copy_bigint_attr(&prime, KEY_PUB_DH_PRIME(pbk));
1709
1710 copy_bigint_attr(&base, KEY_PUB_DH_BASE(pbk));
1711
1712 break;
1713
1714 case CKK_X9_42_DH:
1715 if (mode == SOFT_CREATE_OBJ) {
1716 if (isModulusBits || isModulus || isPubExpo) {
1717 rv = CKR_TEMPLATE_INCONSISTENT;
1718 goto fail_cleanup;
1719 }
1720
1721 if (isPrime && isSubprime && isBase && isValue) {
1722 copy_bigint_attr(&value,
1723 KEY_PUB_DH942_VALUE(pbk));
1724 } else {
1725 rv = CKR_TEMPLATE_INCOMPLETE;
1726 goto fail_cleanup;
1727 }
1728 } else {
1729 if (isModulusBits || isModulus || isPubExpo ||
1730 isValue) {
1731 rv = CKR_TEMPLATE_INCONSISTENT;
1732 goto fail_cleanup;
1733 }
1734
1735 if (!(isPrime && isSubprime && isBase)) {
1736 rv = CKR_TEMPLATE_INCOMPLETE;
1737 goto fail_cleanup;
1738 }
1739 }
1740
1741 copy_bigint_attr(&prime, KEY_PUB_DH942_PRIME(pbk));
1742
1743 copy_bigint_attr(&base, KEY_PUB_DH942_BASE(pbk));
1744
1745 copy_bigint_attr(&subprime, KEY_PUB_DH942_SUBPRIME(pbk));
1746
1747 break;
1748
1749 case CKK_EC:
1750 if (mode == SOFT_CREATE_OBJ) {
1751 if (isModulusBits || isModulus || isPubExpo ||
1752 isPrime || isSubprime || isBase || isValue) {
1753 rv = CKR_TEMPLATE_INCONSISTENT;
1754 goto fail_cleanup;
1755
1756 } else if (!isECParam || !isECPoint) {
1757 rv = CKR_TEMPLATE_INCOMPLETE;
1758 goto fail_cleanup;
1759 }
1760 } else {
1761 if (isModulusBits || isModulus || isPubExpo ||
1762 isPrime || isSubprime || isBase || isValue) {
1763 rv = CKR_TEMPLATE_INCONSISTENT;
1764 goto fail_cleanup;
1765
1766 } else if (!isECParam) {
1767 rv = CKR_TEMPLATE_INCOMPLETE;
1768 goto fail_cleanup;
1769 }
1770 }
1771
1772 if (isECPoint) {
1773 copy_bigint_attr(&point, KEY_PUB_EC_POINT(pbk));
1774 }
1775 rv = soft_add_extra_attr(¶m_tmp, new_object);
1776 if (rv != CKR_OK)
1777 goto fail_cleanup;
1778 string_attr_cleanup(¶m_tmp);
1779 break;
1780
1781 default:
1782 rv = CKR_TEMPLATE_INCONSISTENT;
1783 goto fail_cleanup;
1784 }
1785
1786 /* Set up object. */
1787 new_object->object_type = object_type;
1788 new_object->bool_attr_mask = attr_mask;
1789 if (isLabel) {
1790 rv = soft_add_extra_attr(&string_tmp, new_object);
1791 if (rv != CKR_OK)
1792 goto fail_cleanup;
1793 string_attr_cleanup(&string_tmp);
1794 }
1795
1796 return (rv);
1797
1798 fail_cleanup:
1799 /*
1800 * cleanup the storage allocated to the local variables.
1801 */
1802 bigint_attr_cleanup(&modulus);
1803 bigint_attr_cleanup(&pubexpo);
1804 bigint_attr_cleanup(&prime);
1805 bigint_attr_cleanup(&subprime);
1806 bigint_attr_cleanup(&base);
1807 bigint_attr_cleanup(&value);
1808 bigint_attr_cleanup(&point);
1809 string_attr_cleanup(&string_tmp);
1810 string_attr_cleanup(¶m_tmp);
1811
1812 /*
1813 * cleanup the storage allocated inside the object itself.
1814 */
1815 soft_cleanup_object(new_object);
1816
1817 return (rv);
1818 }
1819
1820
1821 /*
1822 * Build a Private Key Object.
1823 *
1824 * - Parse the object's template, and when an error is detected such as
1825 * invalid attribute type, invalid attribute value, etc., return
1826 * with appropriate return value.
1827 * - Set up attribute mask field in the object for the supplied common
1828 * attributes that have boolean type.
1829 * - Build the attribute_info struct to hold the value of each supplied
1830 * attribute that has byte array type. Link attribute_info structs
1831 * together to form the extra attribute list of the object.
1832 * - Allocate storage for the Private Key object.
1833 * - Build the Private Key object according to the key type. Allocate
1834 * storage to hold the big integer value for the supplied attributes
1835 * that are required for a certain key type.
1836 *
1837 */
1838 CK_RV
1839 soft_build_private_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
1840 soft_object_t *new_object, CK_ULONG mode, CK_KEY_TYPE key_type)
1841 {
1842 ulong_t i;
1843 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL;
1844 uint64_t attr_mask = PRIVATE_KEY_DEFAULT;
1845 CK_RV rv = CKR_OK;
1846 int isLabel = 0;
1847 int isECParam = 0;
1848 /* Must set flags unless mode == SOFT_UNWRAP_KEY */
1849 int isModulus = 0;
1850 int isPriExpo = 0;
1851 int isPrime = 0;
1852 int isSubprime = 0;
1853 int isBase = 0;
1854 /* Must set flags if mode == SOFT_GEN_KEY */
1855 int isValue = 0;
1856 /* Must not set flags */
1857 int isValueBits = 0;
1858 CK_ULONG value_bits = 0;
1859
1860 /* Private Key RSA optional */
1861 int isPubExpo = 0;
1862 int isPrime1 = 0;
1863 int isPrime2 = 0;
1864 int isExpo1 = 0;
1865 int isExpo2 = 0;
1866 int isCoef = 0;
1867
1868 biginteger_t modulus;
1869 biginteger_t priexpo;
1870 biginteger_t prime;
1871 biginteger_t subprime;
1872 biginteger_t base;
1873 biginteger_t value;
1874
1875 biginteger_t pubexpo;
1876 biginteger_t prime1;
1877 biginteger_t prime2;
1878 biginteger_t expo1;
1879 biginteger_t expo2;
1880 biginteger_t coef;
1881 CK_ATTRIBUTE string_tmp;
1882 CK_ATTRIBUTE param_tmp;
1883 BIGNUM x, q;
1884
1885 private_key_obj_t *pvk;
1886 uchar_t object_type = 0;
1887
1888 /* prevent bigint_attr_cleanup from freeing invalid attr value */
1889 (void) memset(&modulus, 0x0, sizeof (biginteger_t));
1890 (void) memset(&priexpo, 0x0, sizeof (biginteger_t));
1891 (void) memset(&prime, 0x0, sizeof (biginteger_t));
1892 (void) memset(&subprime, 0x0, sizeof (biginteger_t));
1893 (void) memset(&base, 0x0, sizeof (biginteger_t));
1894 (void) memset(&value, 0x0, sizeof (biginteger_t));
1895 (void) memset(&pubexpo, 0x0, sizeof (biginteger_t));
1896 (void) memset(&prime1, 0x0, sizeof (biginteger_t));
1897 (void) memset(&prime2, 0x0, sizeof (biginteger_t));
1898 (void) memset(&expo1, 0x0, sizeof (biginteger_t));
1899 (void) memset(&expo2, 0x0, sizeof (biginteger_t));
1900 (void) memset(&coef, 0x0, sizeof (biginteger_t));
1901 string_tmp.pValue = NULL;
1902 param_tmp.pValue = NULL;
1903 x.malloced = 0;
1904 q.malloced = 0;
1905
1906 for (i = 0; i < ulAttrNum; i++) {
1907
1908 /* Private Key Object Attributes */
1909 switch (template[i].type) {
1910 /* common key attributes */
1911 case CKA_KEY_TYPE:
1912 keytype = *((CK_KEY_TYPE*)template[i].pValue);
1913 break;
1914
1915 case CKA_ID:
1916 case CKA_START_DATE:
1917 case CKA_END_DATE:
1918
1919 /* common private key attribute */
1920 case CKA_SUBJECT:
1921 /*
1922 * Allocate storage to hold the attribute
1923 * value with byte array type, and add it to
1924 * the extra attribute list of the object.
1925 */
1926 rv = soft_add_extra_attr(&template[i],
1927 new_object);
1928 if (rv != CKR_OK) {
1929 goto fail_cleanup;
1930 }
1931 break;
1932
1933 /*
1934 * The following key related attribute types must
1935 * not be specified by C_CreateObject or C_GenerateKey(Pair).
1936 */
1937 case CKA_LOCAL:
1938 case CKA_KEY_GEN_MECHANISM:
1939 case CKA_AUTH_PIN_FLAGS:
1940 case CKA_ALWAYS_SENSITIVE:
1941 case CKA_NEVER_EXTRACTABLE:
1942 rv = CKR_TEMPLATE_INCONSISTENT;
1943 goto fail_cleanup;
1944
1945 /* Key related boolean attributes */
1946 case CKA_DERIVE:
1947 if (*(CK_BBOOL *)template[i].pValue)
1948 attr_mask |= DERIVE_BOOL_ON;
1949 break;
1950
1951 case CKA_SENSITIVE:
1952 if (*(CK_BBOOL *)template[i].pValue)
1953 attr_mask |= SENSITIVE_BOOL_ON;
1954 break;
1955
1956 case CKA_SECONDARY_AUTH:
1957 if (*(CK_BBOOL *)template[i].pValue) {
1958 rv = CKR_ATTRIBUTE_VALUE_INVALID;
1959 goto fail_cleanup;
1960 }
1961 break;
1962
1963 case CKA_DECRYPT:
1964 if (*(CK_BBOOL *)template[i].pValue)
1965 attr_mask |= DECRYPT_BOOL_ON;
1966 else
1967 attr_mask &= ~DECRYPT_BOOL_ON;
1968 break;
1969
1970 case CKA_SIGN:
1971 if (*(CK_BBOOL *)template[i].pValue)
1972 attr_mask |= SIGN_BOOL_ON;
1973 else
1974 attr_mask &= ~SIGN_BOOL_ON;
1975 break;
1976
1977 case CKA_SIGN_RECOVER:
1978 if (*(CK_BBOOL *)template[i].pValue)
1979 attr_mask |= SIGN_RECOVER_BOOL_ON;
1980 else
1981 attr_mask &= ~SIGN_RECOVER_BOOL_ON;
1982 break;
1983
1984 case CKA_UNWRAP:
1985 if (*(CK_BBOOL *)template[i].pValue)
1986 attr_mask |= UNWRAP_BOOL_ON;
1987 else
1988 attr_mask &= ~UNWRAP_BOOL_ON;
1989 break;
1990
1991 case CKA_EXTRACTABLE:
1992 if (*(CK_BBOOL *)template[i].pValue)
1993 attr_mask |= EXTRACTABLE_BOOL_ON;
1994 else
1995 attr_mask &= ~EXTRACTABLE_BOOL_ON;
1996 break;
1997
1998 case CKA_MODIFIABLE:
1999 if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE)
2000 attr_mask |= NOT_MODIFIABLE_BOOL_ON;
2001 break;
2002
2003 /*
2004 * The following key related attribute types must
2005 * be specified according to the key type by
2006 * C_CreateObject.
2007 */
2008 case CKA_MODULUS:
2009
2010 isModulus = 1;
2011 /*
2012 * Copyin big integer attribute from template
2013 * to a local variable.
2014 */
2015 rv = get_bigint_attr_from_template(&modulus,
2016 &template[i]);
2017 if (rv != CKR_OK)
2018 goto fail_cleanup;
2019
2020 /*
2021 * Modulus length needs to be between min key length and
2022 * max key length.
2023 */
2024 if ((modulus.big_value_len <
2025 MIN_RSA_KEYLENGTH_IN_BYTES) ||
2026 (modulus.big_value_len >
2027 MAX_RSA_KEYLENGTH_IN_BYTES)) {
2028 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2029 goto fail_cleanup;
2030 }
2031 break;
2032
2033 case CKA_PUBLIC_EXPONENT:
2034
2035 isPubExpo = 1;
2036 rv = get_bigint_attr_from_template(&pubexpo,
2037 &template[i]);
2038 if (rv != CKR_OK)
2039 goto fail_cleanup;
2040 break;
2041
2042 case CKA_PRIVATE_EXPONENT:
2043
2044 isPriExpo = 1;
2045 rv = get_bigint_attr_from_template(&priexpo,
2046 &template[i]);
2047 if (rv != CKR_OK)
2048 goto fail_cleanup;
2049 break;
2050
2051 case CKA_PRIME_1:
2052 isPrime1 = 1;
2053 rv = get_bigint_attr_from_template(&prime1,
2054 &template[i]);
2055 if (rv != CKR_OK)
2056 goto fail_cleanup;
2057 break;
2058
2059 case CKA_PRIME_2:
2060 isPrime2 = 1;
2061 rv = get_bigint_attr_from_template(&prime2,
2062 &template[i]);
2063 if (rv != CKR_OK)
2064 goto fail_cleanup;
2065 break;
2066
2067 case CKA_EXPONENT_1:
2068 isExpo1 = 1;
2069 rv = get_bigint_attr_from_template(&expo1,
2070 &template[i]);
2071 if (rv != CKR_OK)
2072 goto fail_cleanup;
2073 break;
2074
2075 case CKA_EXPONENT_2:
2076 isExpo2 = 1;
2077 rv = get_bigint_attr_from_template(&expo2,
2078 &template[i]);
2079 if (rv != CKR_OK)
2080 goto fail_cleanup;
2081 break;
2082
2083 case CKA_COEFFICIENT:
2084 isCoef = 1;
2085 rv = get_bigint_attr_from_template(&coef,
2086 &template[i]);
2087 if (rv != CKR_OK)
2088 goto fail_cleanup;
2089 break;
2090
2091 case CKA_PRIME:
2092 isPrime = 1;
2093 rv = get_bigint_attr_from_template(&prime,
2094 &template[i]);
2095 if (rv != CKR_OK)
2096 goto fail_cleanup;
2097 break;
2098
2099 case CKA_SUBPRIME:
2100 isSubprime = 1;
2101 rv = get_bigint_attr_from_template(&subprime,
2102 &template[i]);
2103 if (rv != CKR_OK)
2104 goto fail_cleanup;
2105 break;
2106
2107 case CKA_BASE:
2108 isBase = 1;
2109 rv = get_bigint_attr_from_template(&base,
2110 &template[i]);
2111 if (rv != CKR_OK)
2112 goto fail_cleanup;
2113 break;
2114
2115 case CKA_VALUE:
2116 isValue = 1;
2117 if (mode == SOFT_CREATE_OBJ) {
2118 if ((template[i].ulValueLen == 0) ||
2119 (template[i].pValue == NULL)) {
2120 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2121 goto fail_cleanup;
2122 }
2123 }
2124
2125 rv = get_bigint_attr_from_template(&value,
2126 &template[i]);
2127 if (rv != CKR_OK)
2128 goto fail_cleanup;
2129 break;
2130
2131 case CKA_VALUE_BITS:
2132 isValueBits = 1;
2133 rv = get_ulong_attr_from_template(&value_bits,
2134 &template[i]);
2135 if (rv != CKR_OK)
2136 goto fail_cleanup;
2137 break;
2138
2139 case CKA_LABEL:
2140 isLabel = 1;
2141 rv = get_string_from_template(&string_tmp,
2142 &template[i]);
2143 if (rv != CKR_OK)
2144 goto fail_cleanup;
2145 break;
2146
2147 case CKA_EC_PARAMS:
2148 isECParam = 1;
2149 rv = get_string_from_template(¶m_tmp,
2150 &template[i]);
2151 if (rv != CKR_OK)
2152 goto fail_cleanup;
2153 break;
2154
2155 default:
2156 rv = soft_parse_common_attrs(&template[i],
2157 &object_type);
2158 if (rv != CKR_OK)
2159 goto fail_cleanup;
2160 break;
2161
2162 }
2163 } /* For */
2164
2165 /* Allocate storage for Private Key Object. */
2166 pvk = calloc(1, sizeof (private_key_obj_t));
2167 if (pvk == NULL) {
2168 rv = CKR_HOST_MEMORY;
2169 goto fail_cleanup;
2170 }
2171
2172 new_object->object_class_u.private_key = pvk;
2173 new_object->class = CKO_PRIVATE_KEY;
2174
2175 if ((mode == SOFT_CREATE_OBJ) && (keytype == (CK_KEY_TYPE)~0UL)) {
2176 rv = CKR_TEMPLATE_INCOMPLETE;
2177 goto fail_cleanup;
2178 }
2179
2180 if (mode == SOFT_GEN_KEY) {
2181 /*
2182 * The key type is not specified in the application's
2183 * template, so we use the implied key type based on
2184 * the mechanism.
2185 */
2186 if (keytype == (CK_KEY_TYPE)~0UL) {
2187 keytype = key_type;
2188 }
2189
2190 /* If still unspecified, template is incomplete */
2191 if (keytype == (CK_KEY_TYPE)~0UL) {
2192 rv = CKR_TEMPLATE_INCOMPLETE;
2193 goto fail_cleanup;
2194 }
2195
2196 /*
2197 * The key type specified in the template does not
2198 * match the implied key type based on the mechanism.
2199 */
2200 if (keytype != key_type) {
2201 rv = CKR_TEMPLATE_INCONSISTENT;
2202 goto fail_cleanup;
2203 }
2204 }
2205
2206 if (mode == SOFT_UNWRAP_KEY) {
2207 /*
2208 * Note that, for mode SOFT_UNWRAP_KEY, key type is not
2209 * implied by the mechanism (key_type), so if it is not
2210 * specified from the attribute template (keytype), it is
2211 * incomplete.
2212 */
2213 if (keytype == (CK_KEY_TYPE)~0UL) {
2214 rv = CKR_TEMPLATE_INCOMPLETE;
2215 goto fail_cleanup;
2216 }
2217 }
2218
2219 new_object->key_type = keytype;
2220
2221 /* Supported key types of the Private Key Object */
2222 switch (keytype) {
2223 case CKK_RSA:
2224 if (isPrime || isSubprime || isBase || isValue ||
2225 isValueBits) {
2226 rv = CKR_TEMPLATE_INCONSISTENT;
2227 goto fail_cleanup;
2228 }
2229
2230 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) {
2231 if (isModulus || isPubExpo || isPriExpo || isPrime1 ||
2232 isPrime2 || isExpo1 || isExpo2 || isCoef) {
2233 rv = CKR_TEMPLATE_INCONSISTENT;
2234 goto fail_cleanup;
2235 } else
2236 break;
2237 }
2238
2239 if (isModulus && isPriExpo) {
2240 /*
2241 * Copy big integer attribute value to the
2242 * designated place in the Private Key object.
2243 */
2244 copy_bigint_attr(&modulus, KEY_PRI_RSA_MOD(pvk));
2245
2246 copy_bigint_attr(&priexpo, KEY_PRI_RSA_PRIEXPO(pvk));
2247 } else {
2248 rv = CKR_TEMPLATE_INCOMPLETE;
2249 goto fail_cleanup;
2250 }
2251
2252 /* The following attributes are optional. */
2253 if (isPubExpo) {
2254 copy_bigint_attr(&pubexpo, KEY_PRI_RSA_PUBEXPO(pvk));
2255 }
2256
2257 if (isPrime1) {
2258 copy_bigint_attr(&prime1, KEY_PRI_RSA_PRIME1(pvk));
2259 }
2260
2261 if (isPrime2) {
2262 copy_bigint_attr(&prime2, KEY_PRI_RSA_PRIME2(pvk));
2263 }
2264
2265 if (isExpo1) {
2266 copy_bigint_attr(&expo1, KEY_PRI_RSA_EXPO1(pvk));
2267 }
2268
2269 if (isExpo2) {
2270 copy_bigint_attr(&expo2, KEY_PRI_RSA_EXPO2(pvk));
2271 }
2272
2273 if (isCoef) {
2274 copy_bigint_attr(&coef, KEY_PRI_RSA_COEF(pvk));
2275 }
2276 break;
2277
2278 case CKK_DSA:
2279 if (isModulus || isPubExpo || isPriExpo || isPrime1 ||
2280 isPrime2 || isExpo1 || isExpo2 || isCoef ||
2281 isValueBits) {
2282 rv = CKR_TEMPLATE_INCONSISTENT;
2283 goto fail_cleanup;
2284 }
2285
2286 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) {
2287 if (isPrime || isSubprime || isBase || isValue) {
2288 rv = CKR_TEMPLATE_INCONSISTENT;
2289 goto fail_cleanup;
2290 } else
2291 break;
2292 }
2293
2294 if (isPrime && isSubprime && isBase && isValue) {
2295 /*
2296 * The private value x must be less than subprime q.
2297 * Size for big_init is in BIG_CHUNK_TYPE words.
2298 */
2299 #ifdef __sparcv9
2300 if (big_init(&x,
2301 (int)CHARLEN2BIGNUMLEN(value.big_value_len))
2302 != BIG_OK) {
2303 #else /* !__sparcv9 */
2304 if (big_init(&x,
2305 CHARLEN2BIGNUMLEN(value.big_value_len))
2306 != BIG_OK) {
2307 #endif /* __sparcv9 */
2308 rv = CKR_HOST_MEMORY;
2309 goto fail_cleanup;
2310 }
2311 #ifdef __sparcv9
2312 if (big_init(&q,
2313 (int)CHARLEN2BIGNUMLEN(subprime.big_value_len))
2314 != BIG_OK) {
2315 #else /* !__sparcv9 */
2316 if (big_init(&q,
2317 CHARLEN2BIGNUMLEN(subprime.big_value_len))
2318 != BIG_OK) {
2319 #endif /* __sparcv9 */
2320 rv = CKR_HOST_MEMORY;
2321 goto fail_cleanup;
2322 }
2323 bytestring2bignum(&x, value.big_value,
2324 value.big_value_len);
2325 bytestring2bignum(&q, subprime.big_value,
2326 subprime.big_value_len);
2327
2328 if (big_cmp_abs(&x, &q) > 0) {
2329 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2330 goto fail_cleanup;
2331 }
2332
2333 copy_bigint_attr(&prime, KEY_PRI_DSA_PRIME(pvk));
2334
2335 copy_bigint_attr(&subprime, KEY_PRI_DSA_SUBPRIME(pvk));
2336
2337 copy_bigint_attr(&base, KEY_PRI_DSA_BASE(pvk));
2338
2339 copy_bigint_attr(&value, KEY_PRI_DSA_VALUE(pvk));
2340 } else {
2341 rv = CKR_TEMPLATE_INCOMPLETE;
2342 goto fail_cleanup;
2343 }
2344 break;
2345
2346 case CKK_DH:
2347 if (isModulus || isPubExpo || isPriExpo || isPrime1 ||
2348 isPrime2 || isExpo1 || isExpo2 || isCoef ||
2349 isSubprime) {
2350 rv = CKR_TEMPLATE_INCONSISTENT;
2351 goto fail_cleanup;
2352 }
2353
2354 /* CKA_VALUE_BITS is for key gen but not unwrap */
2355 if (mode == SOFT_GEN_KEY)
2356 KEY_PRI_DH_VAL_BITS(pvk) = (isValueBits) ?
2357 value_bits : 0;
2358 else if (mode == SOFT_UNWRAP_KEY) {
2359 if (isValueBits) {
2360 rv = CKR_TEMPLATE_INCONSISTENT;
2361 goto fail_cleanup;
2362 }
2363 }
2364
2365 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) {
2366 if (isPrime || isBase || isValue) {
2367 rv = CKR_TEMPLATE_INCONSISTENT;
2368 goto fail_cleanup;
2369 } else
2370 break;
2371 }
2372
2373 if (isValueBits) {
2374 rv = CKR_TEMPLATE_INCONSISTENT;
2375 goto fail_cleanup;
2376 }
2377
2378 if (isPrime && isBase && isValue) {
2379 copy_bigint_attr(&prime, KEY_PRI_DH_PRIME(pvk));
2380
2381 copy_bigint_attr(&base, KEY_PRI_DH_BASE(pvk));
2382
2383 copy_bigint_attr(&value, KEY_PRI_DH_VALUE(pvk));
2384 } else {
2385 rv = CKR_TEMPLATE_INCOMPLETE;
2386 goto fail_cleanup;
2387 }
2388 break;
2389
2390 case CKK_X9_42_DH:
2391 if (isModulus || isPubExpo || isPriExpo || isPrime1 ||
2392 isPrime2 || isExpo1 || isExpo2 || isCoef ||
2393 isValueBits) {
2394 rv = CKR_TEMPLATE_INCONSISTENT;
2395 goto fail_cleanup;
2396 }
2397
2398 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) {
2399 if (isPrime || isSubprime || isBase || isValue) {
2400 rv = CKR_TEMPLATE_INCONSISTENT;
2401 goto fail_cleanup;
2402 } else
2403 break;
2404 }
2405
2406 if (isPrime && isSubprime && isBase && isValue) {
2407 copy_bigint_attr(&prime, KEY_PRI_DH942_PRIME(pvk));
2408
2409 copy_bigint_attr(&base, KEY_PRI_DH942_BASE(pvk));
2410
2411 copy_bigint_attr(&subprime,
2412 KEY_PRI_DH942_SUBPRIME(pvk));
2413
2414 copy_bigint_attr(&value, KEY_PRI_DH942_VALUE(pvk));
2415 } else {
2416 rv = CKR_TEMPLATE_INCOMPLETE;
2417 goto fail_cleanup;
2418 }
2419 break;
2420
2421 case CKK_EC:
2422 if (isModulus || isPubExpo || isPrime ||
2423 isPrime1 || isPrime2 || isExpo1 || isExpo2 || isCoef ||
2424 isValueBits || isBase) {
2425 rv = CKR_TEMPLATE_INCONSISTENT;
2426 goto fail_cleanup;
2427
2428 } else if (isECParam) {
2429 rv = soft_add_extra_attr(¶m_tmp, new_object);
2430 if (rv != CKR_OK)
2431 goto fail_cleanup;
2432 string_attr_cleanup(¶m_tmp);
2433 }
2434 if (isValue) {
2435 copy_bigint_attr(&value, KEY_PRI_EC_VALUE(pvk));
2436 }
2437 break;
2438
2439 default:
2440 rv = CKR_TEMPLATE_INCONSISTENT;
2441 goto fail_cleanup;
2442 }
2443
2444 /* Set up object. */
2445 new_object->object_type = object_type;
2446 new_object->bool_attr_mask = attr_mask;
2447 if (isLabel) {
2448 rv = soft_add_extra_attr(&string_tmp, new_object);
2449 if (rv != CKR_OK)
2450 goto fail_cleanup;
2451 string_attr_cleanup(&string_tmp);
2452 }
2453 big_finish(&x);
2454 big_finish(&q);
2455
2456 return (rv);
2457
2458 fail_cleanup:
2459 /*
2460 * cleanup the storage allocated to the local variables.
2461 */
2462 bigint_attr_cleanup(&modulus);
2463 bigint_attr_cleanup(&priexpo);
2464 bigint_attr_cleanup(&prime);
2465 bigint_attr_cleanup(&subprime);
2466 bigint_attr_cleanup(&base);
2467 bigint_attr_cleanup(&value);
2468 bigint_attr_cleanup(&pubexpo);
2469 bigint_attr_cleanup(&prime1);
2470 bigint_attr_cleanup(&prime2);
2471 bigint_attr_cleanup(&expo1);
2472 bigint_attr_cleanup(&expo2);
2473 bigint_attr_cleanup(&coef);
2474 string_attr_cleanup(&string_tmp);
2475 string_attr_cleanup(¶m_tmp);
2476 big_finish(&x);
2477 big_finish(&q);
2478
2479 /*
2480 * cleanup the storage allocated inside the object itself.
2481 */
2482 soft_cleanup_object(new_object);
2483
2484 return (rv);
2485 }
2486
2487
2488 /*
2489 * Build a Secret Key Object.
2490 *
2491 * - Parse the object's template, and when an error is detected such as
2492 * invalid attribute type, invalid attribute value, etc., return
2493 * with appropriate return value.
2494 * - Set up attribute mask field in the object for the supplied common
2495 * attributes that have boolean type.
2496 * - Build the attribute_info struct to hold the value of each supplied
2497 * attribute that has byte array type. Link attribute_info structs
2498 * together to form the extra attribute list of the object.
2499 * - Allocate storage for the Secret Key object.
2500 * - Build the Secret Key object. Allocate storage to hold the big integer
2501 * value for the attribute CKA_VALUE that is required for all the key
2502 * types supported by secret key object.
2503 * This function is called internally with mode = SOFT_CREATE_OBJ_INT.
2504 *
2505 */
2506 CK_RV
2507 soft_build_secret_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
2508 soft_object_t *new_object, CK_ULONG mode, CK_ULONG key_len,
2509 CK_KEY_TYPE key_type)
2510 {
2511
2512 ulong_t i;
2513 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL;
2514 uint64_t attr_mask = SECRET_KEY_DEFAULT;
2515 CK_RV rv = CKR_OK;
2516 int isLabel = 0;
2517 /* Must set flags if mode != SOFT_UNWRAP_KEY, else must not set */
2518 int isValue = 0;
2519 /* Must not set flags if mode != SOFT_UNWRAP_KEY, else optional */
2520 int isValueLen = 0;
2521
2522 CK_ATTRIBUTE string_tmp;
2523
2524 secret_key_obj_t *sck;
2525 uchar_t object_type = 0;
2526
2527 string_tmp.pValue = NULL;
2528
2529 /* Allocate storage for Secret Key Object. */
2530 sck = calloc(1, sizeof (secret_key_obj_t));
2531 if (sck == NULL) {
2532 rv = CKR_HOST_MEMORY;
2533 goto fail_cleanup;
2534 }
2535
2536 new_object->object_class_u.secret_key = sck;
2537 new_object->class = CKO_SECRET_KEY;
2538
2539 for (i = 0; i < ulAttrNum; i++) {
2540
2541 /* Secret Key Object Attributes */
2542 switch (template[i].type) {
2543
2544 /* common key attributes */
2545 case CKA_KEY_TYPE:
2546 keytype = *((CK_KEY_TYPE*)template[i].pValue);
2547 break;
2548
2549 case CKA_ID:
2550 case CKA_START_DATE:
2551 case CKA_END_DATE:
2552 /*
2553 * Allocate storage to hold the attribute
2554 * value with byte array type, and add it to
2555 * the extra attribute list of the object.
2556 */
2557 rv = soft_add_extra_attr(&template[i],
2558 new_object);
2559 if (rv != CKR_OK) {
2560 goto fail_cleanup;
2561 }
2562 break;
2563
2564 /*
2565 * The following key related attribute types must
2566 * not be specified by C_CreateObject and C_GenerateKey.
2567 */
2568 case CKA_LOCAL:
2569 case CKA_KEY_GEN_MECHANISM:
2570 case CKA_ALWAYS_SENSITIVE:
2571 case CKA_NEVER_EXTRACTABLE:
2572 rv = CKR_TEMPLATE_INCONSISTENT;
2573 goto fail_cleanup;
2574
2575 /* Key related boolean attributes */
2576 case CKA_DERIVE:
2577 if (*(CK_BBOOL *)template[i].pValue)
2578 attr_mask |= DERIVE_BOOL_ON;
2579 break;
2580
2581 case CKA_SENSITIVE:
2582 if (*(CK_BBOOL *)template[i].pValue)
2583 attr_mask |= SENSITIVE_BOOL_ON;
2584 break;
2585
2586 case CKA_ENCRYPT:
2587 if (*(CK_BBOOL *)template[i].pValue)
2588 attr_mask |= ENCRYPT_BOOL_ON;
2589 else
2590 attr_mask &= ~ENCRYPT_BOOL_ON;
2591 break;
2592
2593 case CKA_DECRYPT:
2594 if (*(CK_BBOOL *)template[i].pValue)
2595 attr_mask |= DECRYPT_BOOL_ON;
2596 else
2597 attr_mask &= ~DECRYPT_BOOL_ON;
2598 break;
2599
2600 case CKA_SIGN:
2601 if (*(CK_BBOOL *)template[i].pValue)
2602 attr_mask |= SIGN_BOOL_ON;
2603 else
2604 attr_mask &= ~SIGN_BOOL_ON;
2605 break;
2606
2607 case CKA_VERIFY:
2608 if (*(CK_BBOOL *)template[i].pValue)
2609 attr_mask |= VERIFY_BOOL_ON;
2610 else
2611 attr_mask &= ~VERIFY_BOOL_ON;
2612 break;
2613
2614 case CKA_WRAP:
2615 if (*(CK_BBOOL *)template[i].pValue)
2616 attr_mask |= WRAP_BOOL_ON;
2617 else
2618 attr_mask &= ~WRAP_BOOL_ON;
2619 break;
2620
2621 case CKA_UNWRAP:
2622 if (*(CK_BBOOL *)template[i].pValue)
2623 attr_mask |= UNWRAP_BOOL_ON;
2624 else
2625 attr_mask &= ~UNWRAP_BOOL_ON;
2626 break;
2627
2628 case CKA_EXTRACTABLE:
2629 if (*(CK_BBOOL *)template[i].pValue)
2630 attr_mask |= EXTRACTABLE_BOOL_ON;
2631 else
2632 attr_mask &= ~EXTRACTABLE_BOOL_ON;
2633 break;
2634
2635 case CKA_MODIFIABLE:
2636 if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE)
2637 attr_mask |= NOT_MODIFIABLE_BOOL_ON;
2638 break;
2639
2640 case CKA_VALUE:
2641 isValue = 1;
2642 if (mode == SOFT_CREATE_OBJ) {
2643 if ((template[i].ulValueLen == 0) ||
2644 (template[i].pValue == NULL)) {
2645 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2646 goto fail_cleanup;
2647 }
2648 }
2649
2650 /*
2651 * Copyin attribute from template
2652 * to a local variable.
2653 */
2654 rv = get_bigint_attr_from_template((biginteger_t *)sck,
2655 &template[i]);
2656 if (rv != CKR_OK)
2657 goto fail_cleanup;
2658 break;
2659
2660 case CKA_VALUE_LEN:
2661 isValueLen = 1;
2662 rv = get_ulong_attr_from_template(&sck->sk_value_len,
2663 &template[i]);
2664 if (rv != CKR_OK)
2665 goto fail_cleanup;
2666 break;
2667
2668 case CKA_LABEL:
2669 isLabel = 1;
2670 rv = get_string_from_template(&string_tmp,
2671 &template[i]);
2672 if (rv != CKR_OK)
2673 goto fail_cleanup;
2674 break;
2675
2676 default:
2677 rv = soft_parse_common_attrs(&template[i],
2678 &object_type);
2679 if (rv != CKR_OK)
2680 goto fail_cleanup;
2681 break;
2682
2683 }
2684 } /* For */
2685
2686 switch (mode) {
2687 case SOFT_CREATE_OBJ:
2688 case SOFT_CREATE_OBJ_INT:
2689 case SOFT_DERIVE_KEY_DH:
2690 /*
2691 * The key type must be specified in the application's
2692 * template. Otherwise, returns error.
2693 */
2694 if (keytype == (CK_KEY_TYPE)~0UL) {
2695 rv = CKR_TEMPLATE_INCOMPLETE;
2696 goto fail_cleanup;
2697 }
2698 break;
2699
2700 case SOFT_GEN_KEY:
2701 if (keytype == (CK_KEY_TYPE)~0UL) {
2702 /*
2703 * The key type is not specified in the application's
2704 * template, so we use the implied key type based on
2705 * the mechanism.
2706 */
2707 keytype = key_type;
2708 } else {
2709 if (keytype != key_type) {
2710 /*
2711 * The key type specified in the template
2712 * does not match the implied key type based
2713 * on the mechanism.
2714 */
2715 rv = CKR_TEMPLATE_INCONSISTENT;
2716 goto fail_cleanup;
2717 }
2718 }
2719
2720 /*
2721 * If a key_len is passed as a parameter, it has to
2722 * match the one found in the template.
2723 */
2724 if (key_len > 0) {
2725 if (isValueLen && sck->sk_value_len != key_len) {
2726 rv = CKR_TEMPLATE_INCONSISTENT;
2727 goto fail_cleanup;
2728 }
2729 isValueLen = 1;
2730 sck->sk_value_len = key_len;
2731 }
2732 break;
2733
2734 case SOFT_UNWRAP_KEY:
2735 /*
2736 * Note that, for mode SOFT_UNWRAP_KEY, key type is not
2737 * implied by the mechanism (key_type), so if it is not
2738 * specified from the attribute template (keytype), it is
2739 * incomplete.
2740 */
2741 if (keytype == (CK_KEY_TYPE)~0UL) {
2742 rv = CKR_TEMPLATE_INCOMPLETE;
2743 goto fail_cleanup;
2744 }
2745 break;
2746
2747 case SOFT_DERIVE_KEY_OTHER:
2748 /*
2749 * For CKM_MD5_KEY_DERIVATION & CKM_SHA1_KEY_DERIVATION, the
2750 * key type is optional.
2751 */
2752 if (keytype == (CK_KEY_TYPE)~0UL) {
2753 keytype = key_type;
2754 }
2755 break;
2756 }
2757
2758 switch (mode) {
2759 case SOFT_CREATE_OBJ:
2760 case SOFT_CREATE_OBJ_INT:
2761 switch (keytype) {
2762 case CKK_RC4:
2763 if (!isValue) {
2764 rv = CKR_TEMPLATE_INCOMPLETE;
2765 goto fail_cleanup;
2766 }
2767 if ((sck->sk_value_len < ARCFOUR_MIN_KEY_BYTES) ||
2768 (sck->sk_value_len > ARCFOUR_MAX_KEY_BYTES)) {
2769 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2770 goto fail_cleanup;
2771 }
2772 break;
2773
2774 case CKK_GENERIC_SECRET:
2775 if (!isValue) {
2776 rv = CKR_TEMPLATE_INCOMPLETE;
2777 goto fail_cleanup;
2778 }
2779 break;
2780
2781 case CKK_AES:
2782 if (!isValue) {
2783 rv = CKR_TEMPLATE_INCOMPLETE;
2784 goto fail_cleanup;
2785 }
2786 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) &&
2787 (sck->sk_value_len != AES_192_KEY_BYTES) &&
2788 (sck->sk_value_len != AES_MAX_KEY_BYTES)) {
2789 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2790 goto fail_cleanup;
2791 }
2792 break;
2793
2794 case CKK_BLOWFISH:
2795 if (!isValue) {
2796 rv = CKR_TEMPLATE_INCOMPLETE;
2797 goto fail_cleanup;
2798 }
2799 if ((sck->sk_value_len < BLOWFISH_MINBYTES) ||
2800 (sck->sk_value_len > BLOWFISH_MAXBYTES)) {
2801 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2802 goto fail_cleanup;
2803 }
2804
2805 break;
2806
2807 case CKK_DES:
2808 if (!isValue) {
2809 rv = CKR_TEMPLATE_INCOMPLETE;
2810 goto fail_cleanup;
2811 }
2812 if (sck->sk_value_len != DES_KEYSIZE) {
2813 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2814 goto fail_cleanup;
2815 }
2816 break;
2817
2818 case CKK_DES2:
2819 if (!isValue) {
2820 rv = CKR_TEMPLATE_INCOMPLETE;
2821 goto fail_cleanup;
2822 }
2823 if (sck->sk_value_len != DES2_KEYSIZE) {
2824 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2825 goto fail_cleanup;
2826 }
2827 break;
2828
2829 case CKK_DES3:
2830 if (!isValue) {
2831 rv = CKR_TEMPLATE_INCOMPLETE;
2832 goto fail_cleanup;
2833 }
2834 if (sck->sk_value_len != DES3_KEYSIZE) {
2835 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2836 goto fail_cleanup;
2837 }
2838 break;
2839
2840 default:
2841 rv = CKR_TEMPLATE_INCONSISTENT;
2842 goto fail_cleanup;
2843 }
2844
2845 if (isValueLen) {
2846 /*
2847 * Templates for internal object creation come from
2848 * applications calls to C_DeriveKey(), for which it
2849 * is OKey to pass a CKA_VALUE_LEN attribute, as
2850 * long as it does not conflict with the length of the
2851 * CKA_VALUE attribute.
2852 */
2853 if ((mode != SOFT_CREATE_OBJ_INT) ||
2854 ((key_len > 0) && sck->sk_value_len != key_len)) {
2855 rv = CKR_TEMPLATE_INCONSISTENT;
2856 goto fail_cleanup;
2857 }
2858 }
2859 break;
2860
2861 case SOFT_GEN_KEY:
2862 /* CKA_VALUE must not be specified */
2863 if (isValue) {
2864 rv = CKR_TEMPLATE_INCONSISTENT;
2865 goto fail_cleanup;
2866 }
2867
2868 switch (keytype) {
2869 /*
2870 * CKA_VALUE_LEN must be specified by C_GenerateKey
2871 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET.
2872 */
2873 case CKK_RC4:
2874 if (!isValueLen) {
2875 rv = CKR_TEMPLATE_INCOMPLETE;
2876 goto fail_cleanup;
2877 }
2878 ;
2879 if ((sck->sk_value_len < ARCFOUR_MIN_KEY_BYTES) ||
2880 (sck->sk_value_len > ARCFOUR_MAX_KEY_BYTES)) {
2881 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2882 goto fail_cleanup;
2883 }
2884 break;
2885
2886 case CKK_GENERIC_SECRET:
2887 /* arbitrary key length - no length checking */
2888 if (!isValueLen) {
2889 rv = CKR_TEMPLATE_INCOMPLETE;
2890 goto fail_cleanup;
2891 }
2892 break;
2893
2894 case CKK_AES:
2895 if (!isValueLen) {
2896 rv = CKR_TEMPLATE_INCOMPLETE;
2897 goto fail_cleanup;
2898 }
2899
2900 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) &&
2901 (sck->sk_value_len != AES_192_KEY_BYTES) &&
2902 (sck->sk_value_len != AES_MAX_KEY_BYTES)) {
2903 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2904 goto fail_cleanup;
2905 }
2906
2907 break;
2908
2909 case CKK_BLOWFISH:
2910 if (!isValueLen) {
2911 rv = CKR_TEMPLATE_INCOMPLETE;
2912 goto fail_cleanup;
2913 }
2914 if ((sck->sk_value_len < BLOWFISH_MINBYTES) ||
2915 (sck->sk_value_len > BLOWFISH_MAXBYTES)) {
2916 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2917 goto fail_cleanup;
2918 }
2919
2920 break;
2921
2922 case CKK_DES:
2923 case CKK_DES2:
2924 case CKK_DES3:
2925 /* CKA_VALUE_LEN attribute does not apply to DES<n> */
2926 if (isValueLen) {
2927 rv = CKR_TEMPLATE_INCONSISTENT;
2928 goto fail_cleanup;
2929 }
2930 break;
2931
2932 default:
2933 rv = CKR_TEMPLATE_INCONSISTENT;
2934 goto fail_cleanup;
2935 }
2936 break;
2937
2938 case SOFT_UNWRAP_KEY:
2939 /*
2940 * According to v2.11 of PKCS#11 spec, neither CKA_VALUE nor
2941 * CKA_VALUE_LEN can be be specified; however v2.20 has this
2942 * restriction removed, perhaps because it makes it hard to
2943 * determine variable-length key sizes. This case statement
2944 * complied with v2.20.
2945 */
2946 if (isValue) {
2947 rv = CKR_TEMPLATE_INCONSISTENT;
2948 goto fail_cleanup;
2949 }
2950
2951 switch (keytype) {
2952 /*
2953 * CKA_VALUE_LEN is optional
2954 * if key is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET
2955 * and the unwrapping mech is *_CBC_PAD.
2956 *
2957 * CKA_VALUE_LEN is required
2958 * if key is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET
2959 * and the unwrapping mech is *_ECB or *_CBC.
2960 *
2961 * since mech is not known at this point, CKA_VALUE_LEN is
2962 * treated as optional and the caller needs to enforce it.
2963 */
2964 case CKK_RC4:
2965 if (isValueLen) {
2966 if ((sck->sk_value_len <
2967 ARCFOUR_MIN_KEY_BYTES) ||
2968 (sck->sk_value_len >
2969 ARCFOUR_MAX_KEY_BYTES)) {
2970 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2971 goto fail_cleanup;
2972 }
2973 }
2974 break;
2975
2976 case CKK_GENERIC_SECRET:
2977 /* arbitrary key length - no length checking */
2978 break;
2979
2980 case CKK_AES:
2981 if (isValueLen) {
2982 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) &&
2983 (sck->sk_value_len != AES_192_KEY_BYTES) &&
2984 (sck->sk_value_len != AES_MAX_KEY_BYTES)) {
2985 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2986 goto fail_cleanup;
2987 }
2988 }
2989 break;
2990
2991 case CKK_BLOWFISH:
2992 if (isValueLen &&
2993 ((sck->sk_value_len < BLOWFISH_MINBYTES) ||
2994 (sck->sk_value_len > BLOWFISH_MAXBYTES))) {
2995 rv = CKR_ATTRIBUTE_VALUE_INVALID;
2996 goto fail_cleanup;
2997 }
2998 break;
2999
3000 case CKK_DES:
3001 case CKK_DES2:
3002 case CKK_DES3:
3003 /* CKA_VALUE_LEN attribute does not apply to DES<n> */
3004 if (isValueLen) {
3005 rv = CKR_TEMPLATE_INCONSISTENT;
3006 goto fail_cleanup;
3007 }
3008 break;
3009
3010 default:
3011 rv = CKR_TEMPLATE_INCONSISTENT;
3012 goto fail_cleanup;
3013 }
3014 break;
3015
3016 case SOFT_DERIVE_KEY_DH:
3017 /* CKA_VALUE must not be specified */
3018 if (isValue) {
3019 rv = CKR_TEMPLATE_INCONSISTENT;
3020 goto fail_cleanup;
3021 }
3022
3023 switch (keytype) {
3024 /*
3025 * CKA_VALUE_LEN is optional
3026 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET.
3027 */
3028 case CKK_RC4:
3029 if (isValueLen) {
3030 if ((sck->sk_value_len <
3031 ARCFOUR_MIN_KEY_BYTES) ||
3032 (sck->sk_value_len >
3033 ARCFOUR_MAX_KEY_BYTES)) {
3034 rv = CKR_ATTRIBUTE_VALUE_INVALID;
3035 goto fail_cleanup;
3036 }
3037 }
3038 break;
3039
3040 case CKK_GENERIC_SECRET:
3041 /* arbitrary key length - no length checking */
3042 break;
3043
3044 case CKK_AES:
3045 if (isValueLen) {
3046 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) &&
3047 (sck->sk_value_len != AES_192_KEY_BYTES) &&
3048 (sck->sk_value_len != AES_MAX_KEY_BYTES)) {
3049 rv = CKR_ATTRIBUTE_VALUE_INVALID;
3050 goto fail_cleanup;
3051 }
3052 }
3053
3054 break;
3055
3056 case CKK_BLOWFISH:
3057 if (isValueLen &&
3058 ((sck->sk_value_len < BLOWFISH_MINBYTES) ||
3059 (sck->sk_value_len > BLOWFISH_MAXBYTES))) {
3060 rv = CKR_ATTRIBUTE_VALUE_INVALID;
3061 goto fail_cleanup;
3062 }
3063 break;
3064
3065 case CKK_DES:
3066 case CKK_DES2:
3067 case CKK_DES3:
3068 /* CKA_VALUE_LEN attribute does not apply to DES<n> */
3069 if (isValueLen) {
3070 rv = CKR_TEMPLATE_INCONSISTENT;
3071 goto fail_cleanup;
3072 }
3073 break;
3074
3075 default:
3076 rv = CKR_TEMPLATE_INCONSISTENT;
3077 goto fail_cleanup;
3078 }
3079 break;
3080
3081 case SOFT_DERIVE_KEY_OTHER:
3082 /* CKA_VALUE must not be specified */
3083 if (isValue) {
3084 rv = CKR_TEMPLATE_INCONSISTENT;
3085 goto fail_cleanup;
3086 }
3087
3088 switch (keytype) {
3089 /*
3090 * CKA_VALUE_LEN is an optional attribute for
3091 * CKM_SHA1_KEY_DERIVATION and CKM_MD5_KEY_DERIVATION
3092 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET.
3093 */
3094 case CKK_RC4:
3095 case CKK_GENERIC_SECRET:
3096 case CKK_AES:
3097 case CKK_BLOWFISH:
3098 /*
3099 * No need to check key length value here, it will be
3100 * validated later in soft_key_derive_check_length().
3101 */
3102 break;
3103
3104 case CKK_DES:
3105 case CKK_DES2:
3106 case CKK_DES3:
3107 /* CKA_VALUE_LEN attribute does not apply to DES<n> */
3108 if (isValueLen) {
3109 rv = CKR_TEMPLATE_INCONSISTENT;
3110 goto fail_cleanup;
3111 }
3112 break;
3113
3114 default:
3115 rv = CKR_TEMPLATE_INCONSISTENT;
3116 goto fail_cleanup;
3117 }
3118 break;
3119 }
3120
3121 /* Set up object. */
3122 new_object->key_type = keytype;
3123 new_object->object_type = object_type;
3124 new_object->bool_attr_mask = attr_mask;
3125 if (isLabel) {
3126 rv = soft_add_extra_attr(&string_tmp, new_object);
3127 if (rv != CKR_OK)
3128 goto fail_cleanup;
3129 string_attr_cleanup(&string_tmp);
3130 }
3131 return (rv);
3132
3133 fail_cleanup:
3134 /*
3135 * cleanup the storage allocated to the local variables.
3136 */
3137 bigint_attr_cleanup((biginteger_t *)sck);
3138 string_attr_cleanup(&string_tmp);
3139
3140 /*
3141 * cleanup the storage allocated inside the object itself.
3142 */
3143 soft_cleanup_object(new_object);
3144
3145 return (rv);
3146 }
3147
3148
3149 /*
3150 * Build a Domain Parameter Object.
3151 *
3152 * - Parse the object's template, and when an error is detected such as
3153 * invalid attribute type, invalid attribute value, etc., return
3154 * with appropriate return value.
3155 * - Allocate storage for the Domain Parameter object.
3156 * - Build the Domain Parameter object according to the key type. Allocate
3157 * storage to hold the big integer value for the supplied attributes
3158 * that are required for a certain key type.
3159 *
3160 */
3161 CK_RV
3162 soft_build_domain_parameters_object(CK_ATTRIBUTE_PTR template,
3163 CK_ULONG ulAttrNum, soft_object_t *new_object)
3164 {
3165
3166 ulong_t i;
3167 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL;
3168 CK_RV rv = CKR_OK;
3169 int isLabel = 0;
3170 /* Must set flags */
3171 int isPrime = 0;
3172 int isSubprime = 0;
3173 int isBase = 0;
3174 /* Must not set flags */
3175 int isPrimeBits = 0;
3176 int isSubPrimeBits = 0;
3177
3178 biginteger_t prime;
3179 biginteger_t subprime;
3180 biginteger_t base;
3181 CK_ATTRIBUTE string_tmp;
3182
3183 domain_obj_t *dom;
3184 uchar_t object_type = 0;
3185
3186 /* prevent bigint_attr_cleanup from freeing invalid attr value */
3187 (void) memset(&prime, 0x0, sizeof (biginteger_t));
3188 (void) memset(&subprime, 0x0, sizeof (biginteger_t));
3189 (void) memset(&base, 0x0, sizeof (biginteger_t));
3190 string_tmp.pValue = NULL;
3191
3192 for (i = 0; i < ulAttrNum; i++) {
3193
3194 /* Domain Parameters Object Attributes */
3195 switch (template[i].type) {
3196
3197 /* common domain parameter attribute */
3198 case CKA_KEY_TYPE:
3199 keytype = *((CK_KEY_TYPE*)template[i].pValue);
3200 break;
3201
3202 /*
3203 * The following common domain parameter attribute
3204 * must not be specified by C_CreateObject.
3205 */
3206 case CKA_LOCAL:
3207 rv = CKR_TEMPLATE_INCONSISTENT;
3208 goto fail_cleanup;
3209
3210 /*
3211 * The following domain parameter attributes must be
3212 * specified according to the key type by
3213 * C_CreateObject.
3214 */
3215 case CKA_PRIME:
3216 isPrime = 1;
3217 /*
3218 * Copyin big integer attribute from template
3219 * to a local variable.
3220 */
3221 rv = get_bigint_attr_from_template(&prime,
3222 &template[i]);
3223 if (rv != CKR_OK)
3224 goto fail_cleanup;
3225 break;
3226
3227 case CKA_SUBPRIME:
3228 isSubprime = 1;
3229 rv = get_bigint_attr_from_template(&subprime,
3230 &template[i]);
3231 if (rv != CKR_OK)
3232 goto fail_cleanup;
3233 break;
3234
3235 case CKA_BASE:
3236 isBase = 1;
3237 rv = get_bigint_attr_from_template(&base,
3238 &template[i]);
3239 if (rv != CKR_OK)
3240 goto fail_cleanup;
3241 break;
3242
3243 case CKA_PRIME_BITS:
3244 isPrimeBits = 1;
3245 break;
3246
3247 case CKA_SUB_PRIME_BITS:
3248 isSubPrimeBits = 1;
3249 break;
3250
3251 case CKA_LABEL:
3252 isLabel = 1;
3253 rv = get_string_from_template(&string_tmp,
3254 &template[i]);
3255 if (rv != CKR_OK)
3256 goto fail_cleanup;
3257 break;
3258
3259 default:
3260 rv = soft_parse_common_attrs(&template[i],
3261 &object_type);
3262 if (rv != CKR_OK)
3263 goto fail_cleanup;
3264 break;
3265
3266 }
3267 } /* For */
3268
3269 /* Allocate storage for Domain Parameters Object. */
3270 dom = calloc(1, sizeof (domain_obj_t));
3271 if (dom == NULL) {
3272 rv = CKR_HOST_MEMORY;
3273 goto fail_cleanup;
3274 }
3275
3276 new_object->object_class_u.domain = dom;
3277 new_object->class = CKO_DOMAIN_PARAMETERS;
3278
3279 if (keytype == (CK_KEY_TYPE)~0UL) {
3280 rv = CKR_TEMPLATE_INCOMPLETE;
3281 goto fail_cleanup;
3282 }
3283
3284 new_object->key_type = keytype;
3285
3286 /* Supported key types of the Domain Parameters Object */
3287 switch (keytype) {
3288 case CKK_DSA:
3289 if (isPrimeBits || isSubPrimeBits) {
3290 rv = CKR_TEMPLATE_INCONSISTENT;
3291 goto fail_cleanup;
3292 }
3293
3294 if (isPrime && isSubprime && isBase) {
3295 /*
3296 * Copy big integer attribute value to the
3297 * designated place in the domain parameter
3298 * object.
3299 */
3300 copy_bigint_attr(&prime, KEY_DOM_DSA_PRIME(dom));
3301
3302 copy_bigint_attr(&subprime, KEY_DOM_DSA_SUBPRIME(dom));
3303
3304 copy_bigint_attr(&base, KEY_DOM_DSA_BASE(dom));
3305 } else {
3306 rv = CKR_TEMPLATE_INCOMPLETE;
3307 goto fail_cleanup;
3308 }
3309 break;
3310
3311 case CKK_DH:
3312 if (isPrimeBits || isSubprime || isSubPrimeBits) {
3313 rv = CKR_TEMPLATE_INCONSISTENT;
3314 goto fail_cleanup;
3315 }
3316
3317 if (isPrime && isBase) {
3318 copy_bigint_attr(&prime, KEY_DOM_DH_PRIME(dom));
3319
3320 copy_bigint_attr(&base, KEY_DOM_DH_BASE(dom));
3321 } else {
3322 rv = CKR_TEMPLATE_INCOMPLETE;
3323 goto fail_cleanup;
3324 }
3325 break;
3326
3327 case CKK_X9_42_DH:
3328 if (isPrimeBits || isSubPrimeBits) {
3329 rv = CKR_TEMPLATE_INCONSISTENT;
3330 goto fail_cleanup;
3331 }
3332
3333 if (isPrime && isSubprime && isBase) {
3334 copy_bigint_attr(&prime, KEY_DOM_DH942_PRIME(dom));
3335
3336 copy_bigint_attr(&base, KEY_DOM_DH942_BASE(dom));
3337
3338 copy_bigint_attr(&subprime,
3339 KEY_DOM_DH942_SUBPRIME(dom));
3340 } else {
3341 rv = CKR_TEMPLATE_INCOMPLETE;
3342 goto fail_cleanup;
3343 }
3344 break;
3345
3346 default:
3347 rv = CKR_TEMPLATE_INCONSISTENT;
3348 goto fail_cleanup;
3349 }
3350
3351 new_object->object_type = object_type;
3352
3353 if (isLabel) {
3354 rv = soft_add_extra_attr(&string_tmp, new_object);
3355 if (rv != CKR_OK)
3356 goto fail_cleanup;
3357 string_attr_cleanup(&string_tmp);
3358 }
3359
3360 return (rv);
3361
3362 fail_cleanup:
3363 /*
3364 * cleanup the storage allocated to the local variables.
3365 */
3366 bigint_attr_cleanup(&prime);
3367 bigint_attr_cleanup(&subprime);
3368 bigint_attr_cleanup(&base);
3369 string_attr_cleanup(&string_tmp);
3370
3371 /*
3372 * cleanup the storage allocated inside the object itself.
3373 */
3374 soft_cleanup_object(new_object);
3375
3376 return (rv);
3377 }
3378
3379 /*
3380 * Build a Certificate Object
3381 *
3382 * - Parse the object's template, and when an error is detected such as
3383 * invalid attribute type, invalid attribute value, etc., return
3384 * with appropriate return value.
3385 * - Allocate storage for the Certificate object
3386 */
3387 static CK_RV
3388 soft_build_certificate_object(CK_ATTRIBUTE_PTR template,
3389 CK_ULONG ulAttrNum, soft_object_t *new_object,
3390 CK_CERTIFICATE_TYPE cert_type)
3391 {
3392 uint64_t attr_mask = 0;
3393 CK_RV rv = CKR_OK;
3394 CK_ULONG i;
3395 int owner_set = 0;
3396 int value_set = 0;
3397 int subject_set = 0;
3398 certificate_obj_t *cert;
3399 /* certificate type defaults to the value given as a parameter */
3400 CK_CERTIFICATE_TYPE certtype = cert_type;
3401 CK_ATTRIBUTE string_tmp;
3402 int isLabel = 0;
3403 uchar_t object_type = 0;
3404
3405 /*
3406 * Look for the certificate type attribute and do some
3407 * sanity checking before creating the structures.
3408 */
3409 for (i = 0; i < ulAttrNum; i++) {
3410 /* Certificate Object Attributes */
3411 switch (template[i].type) {
3412 case CKA_CERTIFICATE_TYPE:
3413 certtype =
3414 *((CK_CERTIFICATE_TYPE*)template[i].pValue);
3415 break;
3416 case CKA_SUBJECT:
3417 subject_set = 1;
3418 break;
3419 case CKA_OWNER:
3420 owner_set = 1;
3421 break;
3422 case CKA_VALUE:
3423 value_set = 1;
3424 break;
3425 }
3426 }
3427
3428 /* The certificate type MUST be specified */
3429 if (certtype != CKC_X_509 && certtype != CKC_X_509_ATTR_CERT)
3430 return (CKR_TEMPLATE_INCOMPLETE);
3431
3432 /*
3433 * For X.509 certs, the CKA_SUBJECT and CKA_VALUE
3434 * must be present at creation time.
3435 */
3436 if (certtype == CKC_X_509 &&
3437 (!subject_set || !value_set))
3438 return (CKR_TEMPLATE_INCOMPLETE);
3439
3440 /*
3441 * For X.509 Attribute certs, the CKA_OWNER and CKA_VALUE
3442 * must be present at creation time.
3443 */
3444 if (certtype == CKC_X_509_ATTR_CERT &&
3445 (!owner_set || !value_set))
3446 return (CKR_TEMPLATE_INCOMPLETE);
3447
3448 string_tmp.pValue = NULL;
3449 cert = calloc(1, sizeof (certificate_obj_t));
3450 if (cert == NULL) {
3451 return (CKR_HOST_MEMORY);
3452 }
3453 cert->certificate_type = certtype;
3454
3455 for (i = 0; i < ulAttrNum; i++) {
3456 /* Certificate Object Attributes */
3457 switch (certtype) {
3458 case CKC_X_509:
3459 switch (template[i].type) {
3460 case CKA_SUBJECT:
3461 rv = get_cert_attr_from_template(
3462 &cert->cert_type_u.x509.subject,
3463 &template[i]);
3464 break;
3465 case CKA_VALUE:
3466 rv = get_cert_attr_from_template(
3467 &cert->cert_type_u.x509.value,
3468 &template[i]);
3469 break;
3470 case CKA_LABEL:
3471 isLabel = 1;
3472 rv = get_string_from_template(
3473 &string_tmp,
3474 &template[i]);
3475 if (rv != CKR_OK)
3476 goto fail_cleanup;
3477 break;
3478 case CKA_ID:
3479 case CKA_ISSUER:
3480 case CKA_SERIAL_NUMBER:
3481 rv = soft_add_extra_attr(&template[i],
3482 new_object);
3483 break;
3484 case CKA_MODIFIABLE:
3485 if ((*(CK_BBOOL *)template[i].pValue) ==
3486 B_FALSE)
3487 attr_mask |=
3488 NOT_MODIFIABLE_BOOL_ON;
3489 break;
3490 case CKA_CERTIFICATE_TYPE:
3491 break;
3492 default:
3493 rv = soft_parse_common_attrs(
3494 &template[i], &object_type);
3495 if (rv != CKR_OK)
3496 goto fail_cleanup;
3497 }
3498 break;
3499 case CKC_X_509_ATTR_CERT:
3500 switch (template[i].type) {
3501 case CKA_OWNER:
3502 rv = get_cert_attr_from_template(
3503 &cert->cert_type_u.x509_attr.owner,
3504 &template[i]);
3505 break;
3506 case CKA_VALUE:
3507 rv = get_cert_attr_from_template(
3508 &cert->cert_type_u.x509_attr.value,
3509 &template[i]);
3510 break;
3511 case CKA_LABEL:
3512 isLabel = 1;
3513 rv = get_string_from_template(
3514 &string_tmp, &template[i]);
3515 if (rv != CKR_OK)
3516 goto fail_cleanup;
3517 break;
3518 case CKA_SERIAL_NUMBER:
3519 case CKA_AC_ISSUER:
3520 case CKA_ATTR_TYPES:
3521 rv = soft_add_extra_attr(&template[i],
3522 new_object);
3523 break;
3524
3525 case CKA_MODIFIABLE:
3526 if ((*(CK_BBOOL *)template[i].pValue) ==
3527 B_FALSE)
3528 attr_mask |=
3529 NOT_MODIFIABLE_BOOL_ON;
3530 break;
3531 case CKA_CERTIFICATE_TYPE:
3532 break;
3533 default:
3534 rv = soft_parse_common_attrs(
3535 &template[i], &object_type);
3536 if (rv != CKR_OK)
3537 goto fail_cleanup;
3538 break;
3539 }
3540 break;
3541 default:
3542 rv = CKR_TEMPLATE_INCOMPLETE;
3543 break;
3544 }
3545 }
3546
3547 if (rv == CKR_OK) {
3548 new_object->object_class_u.certificate = cert;
3549 new_object->class = CKO_CERTIFICATE;
3550 new_object->object_type = object_type;
3551 new_object->cert_type = certtype;
3552 new_object->bool_attr_mask = attr_mask;
3553 if (isLabel) {
3554 rv = soft_add_extra_attr(&string_tmp, new_object);
3555 if (rv != CKR_OK)
3556 goto fail_cleanup;
3557 string_attr_cleanup(&string_tmp);
3558 }
3559 }
3560
3561 fail_cleanup:
3562 if (rv != CKR_OK) {
3563 soft_cleanup_cert_object(new_object);
3564 }
3565 return (rv);
3566 }
3567
3568
3569 /*
3570 * Validate the attribute types in the object's template. Then,
3571 * call the appropriate build function according to the class of
3572 * the object specified in the template.
3573 *
3574 * Note: The following classes of objects are supported:
3575 * - CKO_PUBLIC_KEY
3576 * - CKO_PRIVATE_KEY
3577 * - CKO_SECRET_KEY
3578 * - CKO_DOMAIN_PARAMETERS
3579 * - CKO_CERTIFICATE
3580 *
3581 */
3582 CK_RV
3583 soft_build_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
3584 soft_object_t *new_object)
3585 {
3586
3587 CK_OBJECT_CLASS class = (CK_OBJECT_CLASS)~0UL;
3588 CK_RV rv = CKR_OK;
3589
3590 if (template == NULL) {
3591 return (CKR_ARGUMENTS_BAD);
3592 }
3593
3594 /* Validate the attribute type in the template. */
3595 rv = soft_validate_attr(template, ulAttrNum, &class);
3596 if (rv != CKR_OK)
3597 return (rv);
3598 /*
3599 * CKA_CLASS is a mandatory attribute for C_CreateObject
3600 */
3601 if (class == (CK_OBJECT_CLASS)~0UL)
3602 return (CKR_TEMPLATE_INCOMPLETE);
3603
3604 /*
3605 * Call the appropriate function based on the supported class
3606 * of the object.
3607 */
3608 switch (class) {
3609 case CKO_PUBLIC_KEY:
3610 rv = soft_build_public_key_object(template, ulAttrNum,
3611 new_object, SOFT_CREATE_OBJ, (CK_KEY_TYPE)~0UL);
3612 break;
3613
3614 case CKO_PRIVATE_KEY:
3615 rv = soft_build_private_key_object(template, ulAttrNum,
3616 new_object, SOFT_CREATE_OBJ, (CK_KEY_TYPE)~0UL);
3617 break;
3618
3619 case CKO_SECRET_KEY:
3620 rv = soft_build_secret_key_object(template, ulAttrNum,
3621 new_object, SOFT_CREATE_OBJ, 0, (CK_KEY_TYPE)~0UL);
3622 break;
3623
3624 case CKO_DOMAIN_PARAMETERS:
3625 rv = soft_build_domain_parameters_object(template, ulAttrNum,
3626 new_object);
3627 break;
3628
3629 case CKO_CERTIFICATE:
3630 rv = soft_build_certificate_object(template, ulAttrNum,
3631 new_object, (CK_CERTIFICATE_TYPE)~0UL);
3632 break;
3633
3634 case CKO_DATA:
3635 case CKO_HW_FEATURE:
3636 case CKO_VENDOR_DEFINED:
3637 default:
3638 return (CKR_ATTRIBUTE_VALUE_INVALID);
3639 }
3640
3641 return (rv);
3642 }
3643
3644 /*
3645 * Validate the attribute types in the object's template. Then,
3646 * call the appropriate build function according to the class of
3647 * the object specified in the template.
3648 *
3649 */
3650 CK_RV
3651 soft_build_key(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
3652 soft_object_t *new_object, CK_OBJECT_CLASS class, CK_KEY_TYPE key_type,
3653 CK_ULONG key_len, CK_ULONG mode)
3654 {
3655
3656 CK_RV rv = CKR_OK;
3657 CK_OBJECT_CLASS temp_class = (CK_OBJECT_CLASS)~0UL;
3658
3659 /* Validate the attribute type in the template. */
3660 if ((template != NULL) && (ulAttrNum != 0)) {
3661 rv = soft_validate_attr(template, ulAttrNum, &temp_class);
3662 if (rv != CKR_OK)
3663 return (rv);
3664 }
3665
3666 /*
3667 * If either the class from the parameter list ("class") or
3668 * the class from the template ("temp_class") is not specified,
3669 * try to use the other one.
3670 */
3671 if (temp_class == (CK_OBJECT_CLASS)~0UL) {
3672 temp_class = class;
3673 } else if (class == (CK_OBJECT_CLASS)~0UL) {
3674 class = temp_class;
3675 }
3676
3677 /* If object class is still not specified, template is incomplete. */
3678 if (class == (CK_OBJECT_CLASS)~0UL)
3679 return (CKR_TEMPLATE_INCOMPLETE);
3680
3681 /* Class should match if specified in both parameters and template. */
3682 if (class != temp_class)
3683 return (CKR_TEMPLATE_INCONSISTENT);
3684
3685 /*
3686 * Call the appropriate function based on the supported class
3687 * of the object.
3688 */
3689 switch (class) {
3690 case CKO_PUBLIC_KEY:
3691
3692 /* Unwrapping public keys is not supported. */
3693 if (mode == SOFT_UNWRAP_KEY) {
3694 rv = CKR_ATTRIBUTE_VALUE_INVALID;
3695 break;
3696 }
3697
3698 rv = soft_build_public_key_object(template, ulAttrNum,
3699 new_object, mode, key_type);
3700 break;
3701
3702 case CKO_PRIVATE_KEY:
3703
3704 rv = soft_build_private_key_object(template, ulAttrNum,
3705 new_object, mode, key_type);
3706 break;
3707
3708 case CKO_SECRET_KEY:
3709
3710 rv = soft_build_secret_key_object(template, ulAttrNum,
3711 new_object, mode, key_len, key_type);
3712 break;
3713
3714 case CKO_DOMAIN_PARAMETERS:
3715
3716 /* Unwrapping domain parameters is not supported. */
3717 if (mode == SOFT_UNWRAP_KEY) {
3718 rv = CKR_ATTRIBUTE_VALUE_INVALID;
3719 break;
3720 }
3721
3722 rv = soft_build_domain_parameters_object(template, ulAttrNum,
3723 new_object);
3724 break;
3725
3726 case CKO_DATA:
3727 case CKO_CERTIFICATE:
3728 case CKO_HW_FEATURE:
3729 case CKO_VENDOR_DEFINED:
3730 default:
3731 return (CKR_ATTRIBUTE_VALUE_INVALID);
3732 }
3733
3734 return (rv);
3735 }
3736
3737
3738 /*
3739 * Get the value of a requested attribute that is common to all supported
3740 * classes (i.e. public key, private key, secret key, domain parameters,
3741 * and certificate classes).
3742 */
3743 CK_RV
3744 soft_get_common_attrs(soft_object_t *object_p, CK_ATTRIBUTE_PTR template,
3745 uchar_t object_type)
3746 {
3747
3748 CK_RV rv = CKR_OK;
3749
3750 switch (template->type) {
3751
3752 case CKA_CLASS:
3753 return (get_ulong_attr_from_object(object_p->class,
3754 template));
3755
3756 /* default boolean attributes */
3757 case CKA_TOKEN:
3758 template->ulValueLen = sizeof (CK_BBOOL);
3759 if (template->pValue == NULL) {
3760 return (CKR_OK);
3761 }
3762 if (object_type & TOKEN_OBJECT)
3763 *((CK_BBOOL *)template->pValue) = B_TRUE;
3764 else
3765 *((CK_BBOOL *)template->pValue) = B_FALSE;
3766 break;
3767
3768 case CKA_PRIVATE:
3769
3770 template->ulValueLen = sizeof (CK_BBOOL);
3771 if (template->pValue == NULL) {
3772 return (CKR_OK);
3773 }
3774 if (object_type & PRIVATE_OBJECT)
3775 *((CK_BBOOL *)template->pValue) = B_TRUE;
3776 else
3777 *((CK_BBOOL *)template->pValue) = B_FALSE;
3778 break;
3779
3780 case CKA_MODIFIABLE:
3781 template->ulValueLen = sizeof (CK_BBOOL);
3782 if (template->pValue == NULL) {
3783 return (CKR_OK);
3784 }
3785 if ((object_p->bool_attr_mask) & NOT_MODIFIABLE_BOOL_ON)
3786 *((CK_BBOOL *)template->pValue) = B_FALSE;
3787 else
3788 *((CK_BBOOL *)template->pValue) = B_TRUE;
3789 break;
3790
3791 case CKA_LABEL:
3792 return (get_extra_attr_from_object(object_p,
3793 template));
3794
3795 default:
3796 /*
3797 * The specified attribute for the object is invalid.
3798 * (the object does not possess such an attribute.)
3799 */
3800 template->ulValueLen = (CK_ULONG)-1;
3801 return (CKR_ATTRIBUTE_TYPE_INVALID);
3802 }
3803
3804 return (rv);
3805 }
3806
3807 /*
3808 * Get the value of a requested attribute that is common to all key objects
3809 * (i.e. public key, private key and secret key).
3810 */
3811 CK_RV
3812 soft_get_common_key_attrs(soft_object_t *object_p, CK_ATTRIBUTE_PTR template)
3813 {
3814
3815 switch (template->type) {
3816
3817 case CKA_KEY_TYPE:
3818 return (get_ulong_attr_from_object(object_p->key_type,
3819 template));
3820
3821 case CKA_ID:
3822 case CKA_START_DATE:
3823 case CKA_END_DATE:
3824 /*
3825 * The above extra attributes have byte array type.
3826 */
3827 return (get_extra_attr_from_object(object_p,
3828 template));
3829
3830 /* Key related boolean attributes */
3831 case CKA_LOCAL:
3832 return (get_bool_attr_from_object(object_p,
3833 LOCAL_BOOL_ON, template));
3834
3835 case CKA_DERIVE:
3836 return (get_bool_attr_from_object(object_p,
3837 DERIVE_BOOL_ON, template));
3838
3839 case CKA_KEY_GEN_MECHANISM:
3840 return (get_ulong_attr_from_object(object_p->mechanism,
3841 template));
3842
3843 default:
3844 return (CKR_ATTRIBUTE_TYPE_INVALID);
3845 }
3846 }
3847
3848 /*
3849 * Get the value of a requested attribute of a Public Key Object.
3850 *
3851 * Rule: All the attributes in the public key object can be revealed.
3852 */
3853 CK_RV
3854 soft_get_public_key_attribute(soft_object_t *object_p,
3855 CK_ATTRIBUTE_PTR template)
3856 {
3857
3858 CK_RV rv = CKR_OK;
3859 CK_KEY_TYPE keytype = object_p->key_type;
3860
3861 switch (template->type) {
3862
3863 case CKA_SUBJECT:
3864 case CKA_EC_PARAMS:
3865 /*
3866 * The above extra attributes have byte array type.
3867 */
3868 return (get_extra_attr_from_object(object_p,
3869 template));
3870
3871 /* Key related boolean attributes */
3872 case CKA_ENCRYPT:
3873 return (get_bool_attr_from_object(object_p,
3874 ENCRYPT_BOOL_ON, template));
3875
3876 case CKA_VERIFY:
3877 return (get_bool_attr_from_object(object_p,
3878 VERIFY_BOOL_ON, template));
3879
3880 case CKA_VERIFY_RECOVER:
3881 return (get_bool_attr_from_object(object_p,
3882 VERIFY_RECOVER_BOOL_ON, template));
3883
3884 case CKA_WRAP:
3885 return (get_bool_attr_from_object(object_p,
3886 WRAP_BOOL_ON, template));
3887
3888 case CKA_TRUSTED:
3889 return (get_bool_attr_from_object(object_p,
3890 TRUSTED_BOOL_ON, template));
3891
3892 case CKA_MODULUS:
3893 /*
3894 * This attribute is valid only for RSA public key
3895 * object.
3896 */
3897 if (keytype == CKK_RSA) {
3898 return (get_bigint_attr_from_object(
3899 OBJ_PUB_RSA_MOD(object_p), template));
3900 } else {
3901 template->ulValueLen = (CK_ULONG)-1;
3902 return (CKR_ATTRIBUTE_TYPE_INVALID);
3903 }
3904
3905 case CKA_PUBLIC_EXPONENT:
3906 if (keytype == CKK_RSA) {
3907 return (get_bigint_attr_from_object(
3908 OBJ_PUB_RSA_PUBEXPO(object_p), template));
3909 } else {
3910 template->ulValueLen = (CK_ULONG)-1;
3911 return (CKR_ATTRIBUTE_TYPE_INVALID);
3912 }
3913
3914 case CKA_MODULUS_BITS:
3915 if (keytype == CKK_RSA) {
3916 return (get_ulong_attr_from_object(
3917 OBJ_PUB_RSA_MOD_BITS(object_p), template));
3918 } else {
3919 template->ulValueLen = (CK_ULONG)-1;
3920 return (CKR_ATTRIBUTE_TYPE_INVALID);
3921 }
3922
3923 case CKA_PRIME:
3924 switch (keytype) {
3925 case CKK_DSA:
3926 return (get_bigint_attr_from_object(
3927 OBJ_PUB_DSA_PRIME(object_p), template));
3928
3929 case CKK_DH:
3930 return (get_bigint_attr_from_object(
3931 OBJ_PUB_DH_PRIME(object_p), template));
3932
3933 case CKK_X9_42_DH:
3934 return (get_bigint_attr_from_object(
3935 OBJ_PUB_DH942_PRIME(object_p), template));
3936
3937 default:
3938 template->ulValueLen = (CK_ULONG)-1;
3939 return (CKR_ATTRIBUTE_TYPE_INVALID);
3940 }
3941
3942 case CKA_SUBPRIME:
3943 switch (keytype) {
3944 case CKK_DSA:
3945 return (get_bigint_attr_from_object(
3946 OBJ_PUB_DSA_SUBPRIME(object_p), template));
3947
3948 case CKK_X9_42_DH:
3949 return (get_bigint_attr_from_object(
3950 OBJ_PUB_DH942_SUBPRIME(object_p), template));
3951
3952 default:
3953 template->ulValueLen = (CK_ULONG)-1;
3954 return (CKR_ATTRIBUTE_TYPE_INVALID);
3955 }
3956
3957 case CKA_BASE:
3958 switch (keytype) {
3959 case CKK_DSA:
3960 return (get_bigint_attr_from_object(
3961 OBJ_PUB_DSA_BASE(object_p), template));
3962
3963 case CKK_DH:
3964 return (get_bigint_attr_from_object(
3965 OBJ_PUB_DH_BASE(object_p), template));
3966
3967 case CKK_X9_42_DH:
3968 return (get_bigint_attr_from_object(
3969 OBJ_PUB_DH942_BASE(object_p), template));
3970
3971 default:
3972 template->ulValueLen = (CK_ULONG)-1;
3973 return (CKR_ATTRIBUTE_TYPE_INVALID);
3974 }
3975
3976 case CKA_EC_POINT:
3977 return (get_bigint_attr_from_object(
3978 OBJ_PUB_EC_POINT(object_p), template));
3979
3980 case CKA_VALUE:
3981 switch (keytype) {
3982 case CKK_DSA:
3983 return (get_bigint_attr_from_object(
3984 OBJ_PUB_DSA_VALUE(object_p), template));
3985
3986 case CKK_DH:
3987 return (get_bigint_attr_from_object(
3988 OBJ_PUB_DH_VALUE(object_p), template));
3989
3990 case CKK_X9_42_DH:
3991 return (get_bigint_attr_from_object(
3992 OBJ_PUB_DH942_VALUE(object_p), template));
3993
3994 default:
3995 template->ulValueLen = (CK_ULONG)-1;
3996 return (CKR_ATTRIBUTE_TYPE_INVALID);
3997 }
3998
3999 default:
4000 /*
4001 * First, get the value of the request attribute defined
4002 * in the list of common key attributes. If the request
4003 * attribute is not found in that list, then get the
4004 * attribute from the list of common attributes.
4005 */
4006 rv = soft_get_common_key_attrs(object_p, template);
4007 if (rv == CKR_ATTRIBUTE_TYPE_INVALID) {
4008 rv = soft_get_common_attrs(object_p, template,
4009 object_p->object_type);
4010 }
4011 break;
4012 }
4013
4014 return (rv);
4015 }
4016
4017
4018 /*
4019 * Get the value of a requested attribute of a Private Key Object.
4020 *
4021 * Rule: All the attributes in the private key object can be revealed
4022 * except those marked with footnote number "7" when the object
4023 * has its CKA_SENSITIVE attribute set to TRUE or its
4024 * CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.).
4025 */
4026 CK_RV
4027 soft_get_private_key_attribute(soft_object_t *object_p,
4028 CK_ATTRIBUTE_PTR template)
4029 {
4030
4031 CK_RV rv = CKR_OK;
4032 CK_KEY_TYPE keytype = object_p->key_type;
4033
4034
4035 /*
4036 * If the following specified attributes for the private key
4037 * object cannot be revealed because the object is sensitive
4038 * or unextractable, then the ulValueLen is set to -1.
4039 */
4040 if ((object_p->bool_attr_mask & SENSITIVE_BOOL_ON) ||
4041 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
4042
4043 switch (template->type) {
4044 case CKA_PRIVATE_EXPONENT:
4045 case CKA_PRIME_1:
4046 case CKA_PRIME_2:
4047 case CKA_EXPONENT_1:
4048 case CKA_EXPONENT_2:
4049 case CKA_COEFFICIENT:
4050 case CKA_VALUE:
4051 template->ulValueLen = (CK_ULONG)-1;
4052 return (CKR_ATTRIBUTE_SENSITIVE);
4053 }
4054 }
4055
4056 switch (template->type) {
4057
4058 case CKA_SUBJECT:
4059 case CKA_EC_PARAMS:
4060 /*
4061 * The above extra attributes have byte array type.
4062 */
4063 return (get_extra_attr_from_object(object_p,
4064 template));
4065
4066 /* Key related boolean attributes */
4067 case CKA_SENSITIVE:
4068 return (get_bool_attr_from_object(object_p,
4069 SENSITIVE_BOOL_ON, template));
4070
4071 case CKA_SECONDARY_AUTH:
4072 return (get_bool_attr_from_object(object_p,
4073 SECONDARY_AUTH_BOOL_ON, template));
4074
4075 case CKA_DECRYPT:
4076 return (get_bool_attr_from_object(object_p,
4077 DECRYPT_BOOL_ON, template));
4078
4079 case CKA_SIGN:
4080 return (get_bool_attr_from_object(object_p,
4081 SIGN_BOOL_ON, template));
4082
4083 case CKA_SIGN_RECOVER:
4084 return (get_bool_attr_from_object(object_p,
4085 SIGN_RECOVER_BOOL_ON, template));
4086
4087 case CKA_UNWRAP:
4088 return (get_bool_attr_from_object(object_p,
4089 UNWRAP_BOOL_ON, template));
4090
4091 case CKA_EXTRACTABLE:
4092 return (get_bool_attr_from_object(object_p,
4093 EXTRACTABLE_BOOL_ON, template));
4094
4095 case CKA_ALWAYS_SENSITIVE:
4096 return (get_bool_attr_from_object(object_p,
4097 ALWAYS_SENSITIVE_BOOL_ON, template));
4098
4099 case CKA_NEVER_EXTRACTABLE:
4100 return (get_bool_attr_from_object(object_p,
4101 NEVER_EXTRACTABLE_BOOL_ON, template));
4102
4103 case CKA_MODULUS:
4104 if (keytype == CKK_RSA) {
4105 return (get_bigint_attr_from_object(
4106 OBJ_PRI_RSA_MOD(object_p), template));
4107 } else {
4108 template->ulValueLen = (CK_ULONG)-1;
4109 rv = CKR_ATTRIBUTE_TYPE_INVALID;
4110 break;
4111 }
4112
4113 case CKA_PUBLIC_EXPONENT:
4114 if (keytype == CKK_RSA) {
4115 return (get_bigint_attr_from_object(
4116 OBJ_PRI_RSA_PUBEXPO(object_p), template));
4117 } else {
4118 template->ulValueLen = (CK_ULONG)-1;
4119 rv = CKR_ATTRIBUTE_TYPE_INVALID;
4120 break;
4121 }
4122
4123 case CKA_PRIVATE_EXPONENT:
4124 if (keytype == CKK_RSA) {
4125 return (get_bigint_attr_from_object(
4126 OBJ_PRI_RSA_PRIEXPO(object_p), template));
4127 } else {
4128 template->ulValueLen = (CK_ULONG)-1;
4129 rv = CKR_ATTRIBUTE_TYPE_INVALID;
4130 break;
4131 }
4132
4133 case CKA_PRIME_1:
4134 if (keytype == CKK_RSA) {
4135 return (get_bigint_attr_from_object(
4136 OBJ_PRI_RSA_PRIME1(object_p), template));
4137 } else {
4138 template->ulValueLen = (CK_ULONG)-1;
4139 rv = CKR_ATTRIBUTE_TYPE_INVALID;
4140 break;
4141 }
4142
4143 case CKA_PRIME_2:
4144 if (keytype == CKK_RSA) {
4145 return (get_bigint_attr_from_object(
4146 OBJ_PRI_RSA_PRIME2(object_p), template));
4147 } else {
4148 template->ulValueLen = (CK_ULONG)-1;
4149 rv = CKR_ATTRIBUTE_TYPE_INVALID;
4150 break;
4151 }
4152
4153 case CKA_EXPONENT_1:
4154 if (keytype == CKK_RSA) {
4155 return (get_bigint_attr_from_object(
4156 OBJ_PRI_RSA_EXPO1(object_p), template));
4157 } else {
4158 template->ulValueLen = (CK_ULONG)-1;
4159 rv = CKR_ATTRIBUTE_TYPE_INVALID;
4160 break;
4161 }
4162
4163 case CKA_EXPONENT_2:
4164 if (keytype == CKK_RSA) {
4165 return (get_bigint_attr_from_object(
4166 OBJ_PRI_RSA_EXPO2(object_p), template));
4167 } else {
4168 template->ulValueLen = (CK_ULONG)-1;
4169 rv = CKR_ATTRIBUTE_TYPE_INVALID;
4170 break;
4171 }
4172
4173 case CKA_COEFFICIENT:
4174 if (keytype == CKK_RSA) {
4175 return (get_bigint_attr_from_object(
4176 OBJ_PRI_RSA_COEF(object_p), template));
4177 } else {
4178 template->ulValueLen = (CK_ULONG)-1;
4179 rv = CKR_ATTRIBUTE_TYPE_INVALID;
4180 break;
4181 }
4182
4183 case CKA_VALUE_BITS:
4184 if (keytype == CKK_DH) {
4185 return (get_ulong_attr_from_object(
4186 OBJ_PRI_DH_VAL_BITS(object_p), template));
4187 } else {
4188 template->ulValueLen = (CK_ULONG)-1;
4189 rv = CKR_ATTRIBUTE_TYPE_INVALID;
4190 break;
4191 }
4192
4193 case CKA_PRIME:
4194 switch (keytype) {
4195 case CKK_DSA:
4196 return (get_bigint_attr_from_object(
4197 OBJ_PRI_DSA_PRIME(object_p), template));
4198
4199 case CKK_DH:
4200 return (get_bigint_attr_from_object(
4201 OBJ_PRI_DH_PRIME(object_p), template));
4202
4203 case CKK_X9_42_DH:
4204 return (get_bigint_attr_from_object(
4205 OBJ_PRI_DH942_PRIME(object_p), template));
4206
4207 default:
4208 template->ulValueLen = (CK_ULONG)-1;
4209 return (CKR_ATTRIBUTE_TYPE_INVALID);
4210 }
4211
4212 case CKA_SUBPRIME:
4213 switch (keytype) {
4214 case CKK_DSA:
4215 return (get_bigint_attr_from_object(
4216 OBJ_PRI_DSA_SUBPRIME(object_p), template));
4217
4218 case CKK_X9_42_DH:
4219 return (get_bigint_attr_from_object(
4220 OBJ_PRI_DH942_SUBPRIME(object_p), template));
4221
4222 default:
4223 template->ulValueLen = (CK_ULONG)-1;
4224 return (CKR_ATTRIBUTE_TYPE_INVALID);
4225 }
4226
4227 case CKA_BASE:
4228 switch (keytype) {
4229 case CKK_DSA:
4230 return (get_bigint_attr_from_object(
4231 OBJ_PRI_DSA_BASE(object_p), template));
4232
4233 case CKK_DH:
4234 return (get_bigint_attr_from_object(
4235 OBJ_PRI_DH_BASE(object_p), template));
4236
4237 case CKK_X9_42_DH:
4238 return (get_bigint_attr_from_object(
4239 OBJ_PRI_DH942_BASE(object_p), template));
4240
4241 default:
4242 template->ulValueLen = (CK_ULONG)-1;
4243 return (CKR_ATTRIBUTE_TYPE_INVALID);
4244 }
4245
4246 case CKA_VALUE:
4247 switch (keytype) {
4248 case CKK_DSA:
4249 return (get_bigint_attr_from_object(
4250 OBJ_PRI_DSA_VALUE(object_p), template));
4251
4252 case CKK_DH:
4253 return (get_bigint_attr_from_object(
4254 OBJ_PRI_DH_VALUE(object_p), template));
4255
4256 case CKK_X9_42_DH:
4257 return (get_bigint_attr_from_object(
4258 OBJ_PRI_DH942_VALUE(object_p), template));
4259
4260 case CKK_EC:
4261 return (get_bigint_attr_from_object(
4262 OBJ_PRI_EC_VALUE(object_p), template));
4263
4264 default:
4265 template->ulValueLen = (CK_ULONG)-1;
4266 return (CKR_ATTRIBUTE_TYPE_INVALID);
4267 }
4268
4269 default:
4270 /*
4271 * First, get the value of the request attribute defined
4272 * in the list of common key attributes. If the request
4273 * attribute is not found in that list, then get the
4274 * attribute from the list of common attributes.
4275 */
4276 rv = soft_get_common_key_attrs(object_p, template);
4277 if (rv == CKR_ATTRIBUTE_TYPE_INVALID) {
4278 rv = soft_get_common_attrs(object_p, template,
4279 object_p->object_type);
4280 }
4281 break;
4282 }
4283
4284 return (rv);
4285 }
4286
4287
4288 /*
4289 * Get the value of a requested attribute of a Secret Key Object.
4290 *
4291 * Rule: All the attributes in the secret key object can be revealed
4292 * except those marked with footnote number "7" when the object
4293 * has its CKA_SENSITIVE attribute set to TRUE or its
4294 * CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.).
4295 */
4296 CK_RV
4297 soft_get_secret_key_attribute(soft_object_t *object_p,
4298 CK_ATTRIBUTE_PTR template)
4299 {
4300
4301 CK_RV rv = CKR_OK;
4302 CK_KEY_TYPE keytype = object_p->key_type;
4303
4304 switch (template->type) {
4305
4306 /* Key related boolean attributes */
4307 case CKA_SENSITIVE:
4308 return (get_bool_attr_from_object(object_p,
4309 SENSITIVE_BOOL_ON, template));
4310
4311 case CKA_ENCRYPT:
4312 return (get_bool_attr_from_object(object_p,
4313 ENCRYPT_BOOL_ON, template));
4314
4315 case CKA_DECRYPT:
4316 return (get_bool_attr_from_object(object_p,
4317 DECRYPT_BOOL_ON, template));
4318
4319 case CKA_SIGN:
4320 return (get_bool_attr_from_object(object_p,
4321 SIGN_BOOL_ON, template));
4322
4323 case CKA_VERIFY:
4324 return (get_bool_attr_from_object(object_p,
4325 VERIFY_BOOL_ON, template));
4326
4327 case CKA_WRAP:
4328 return (get_bool_attr_from_object(object_p,
4329 WRAP_BOOL_ON, template));
4330
4331 case CKA_UNWRAP:
4332 return (get_bool_attr_from_object(object_p,
4333 UNWRAP_BOOL_ON, template));
4334
4335 case CKA_EXTRACTABLE:
4336 return (get_bool_attr_from_object(object_p,
4337 EXTRACTABLE_BOOL_ON, template));
4338
4339 case CKA_ALWAYS_SENSITIVE:
4340 return (get_bool_attr_from_object(object_p,
4341 ALWAYS_SENSITIVE_BOOL_ON, template));
4342
4343 case CKA_NEVER_EXTRACTABLE:
4344 return (get_bool_attr_from_object(object_p,
4345 NEVER_EXTRACTABLE_BOOL_ON, template));
4346
4347 case CKA_VALUE:
4348 case CKA_VALUE_LEN:
4349 /*
4350 * If the specified attribute for the secret key object
4351 * cannot be revealed because the object is sensitive
4352 * or unextractable, then the ulValueLen is set to -1.
4353 */
4354 if ((object_p->bool_attr_mask & SENSITIVE_BOOL_ON) ||
4355 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
4356 template->ulValueLen = (CK_ULONG)-1;
4357 return (CKR_ATTRIBUTE_SENSITIVE);
4358 }
4359
4360 switch (keytype) {
4361 case CKK_RC4:
4362 case CKK_GENERIC_SECRET:
4363 case CKK_RC5:
4364 case CKK_DES:
4365 case CKK_DES2:
4366 case CKK_DES3:
4367 case CKK_CDMF:
4368 case CKK_AES:
4369 case CKK_BLOWFISH:
4370 if (template->type == CKA_VALUE_LEN) {
4371 return (get_ulong_attr_from_object(
4372 OBJ_SEC_VALUE_LEN(object_p),
4373 template));
4374 } else {
4375 return (get_bigint_attr_from_object(
4376 (biginteger_t *)OBJ_SEC(object_p),
4377 template));
4378 }
4379 default:
4380 template->ulValueLen = (CK_ULONG)-1;
4381 rv = CKR_ATTRIBUTE_TYPE_INVALID;
4382 break;
4383 }
4384 break;
4385
4386 default:
4387 /*
4388 * First, get the value of the request attribute defined
4389 * in the list of common key attributes. If the request
4390 * attribute is not found in that list, then get the
4391 * attribute from the list of common attributes.
4392 */
4393 rv = soft_get_common_key_attrs(object_p, template);
4394 if (rv == CKR_ATTRIBUTE_TYPE_INVALID) {
4395 rv = soft_get_common_attrs(object_p, template,
4396 object_p->object_type);
4397 }
4398 break;
4399 }
4400
4401 return (rv);
4402 }
4403
4404
4405 /*
4406 * Get the value of a requested attribute of a Domain Parameters Object.
4407 *
4408 * Rule: All the attributes in the domain parameters object can be revealed.
4409 */
4410 CK_RV
4411 soft_get_domain_parameters_attribute(soft_object_t *object_p,
4412 CK_ATTRIBUTE_PTR template)
4413 {
4414
4415 CK_RV rv = CKR_OK;
4416 CK_KEY_TYPE keytype = object_p->key_type;
4417
4418 switch (template->type) {
4419
4420 case CKA_KEY_TYPE:
4421 return (get_ulong_attr_from_object(keytype,
4422 template));
4423
4424 case CKA_LOCAL:
4425 return (get_bool_attr_from_object(object_p,
4426 LOCAL_BOOL_ON, template));
4427
4428 case CKA_PRIME:
4429 switch (keytype) {
4430 case CKK_DSA:
4431 return (get_bigint_attr_from_object(
4432 OBJ_DOM_DSA_PRIME(object_p), template));
4433
4434 case CKK_DH:
4435 return (get_bigint_attr_from_object(
4436 OBJ_DOM_DH_PRIME(object_p), template));
4437
4438 case CKK_X9_42_DH:
4439 return (get_bigint_attr_from_object(
4440 OBJ_DOM_DH942_PRIME(object_p), template));
4441
4442 default:
4443 template->ulValueLen = (CK_ULONG)-1;
4444 return (CKR_ATTRIBUTE_TYPE_INVALID);
4445 }
4446
4447 case CKA_SUBPRIME:
4448 switch (keytype) {
4449 case CKK_DSA:
4450 return (get_bigint_attr_from_object(
4451 OBJ_DOM_DSA_SUBPRIME(object_p), template));
4452
4453 case CKK_X9_42_DH:
4454 return (get_bigint_attr_from_object(
4455 OBJ_DOM_DH942_SUBPRIME(object_p), template));
4456
4457 default:
4458 template->ulValueLen = (CK_ULONG)-1;
4459 return (CKR_ATTRIBUTE_TYPE_INVALID);
4460 }
4461
4462 case CKA_BASE:
4463 switch (keytype) {
4464 case CKK_DSA:
4465 return (get_bigint_attr_from_object(
4466 OBJ_DOM_DSA_BASE(object_p), template));
4467
4468 case CKK_DH:
4469 return (get_bigint_attr_from_object(
4470 OBJ_DOM_DH_BASE(object_p), template));
4471
4472 case CKK_X9_42_DH:
4473 return (get_bigint_attr_from_object(
4474 OBJ_DOM_DH942_BASE(object_p), template));
4475
4476 default:
4477 template->ulValueLen = (CK_ULONG)-1;
4478 return (CKR_ATTRIBUTE_TYPE_INVALID);
4479 }
4480
4481 case CKA_PRIME_BITS:
4482 switch (keytype) {
4483 case CKK_DSA:
4484 return (get_ulong_attr_from_object(
4485 OBJ_DOM_DSA_PRIME_BITS(object_p), template));
4486
4487 case CKK_DH:
4488 return (get_ulong_attr_from_object(
4489 OBJ_DOM_DH_PRIME_BITS(object_p), template));
4490
4491 case CKK_X9_42_DH:
4492 return (get_ulong_attr_from_object(
4493 OBJ_DOM_DH942_PRIME_BITS(object_p), template));
4494
4495 default:
4496 template->ulValueLen = (CK_ULONG)-1;
4497 return (CKR_ATTRIBUTE_TYPE_INVALID);
4498 }
4499
4500 case CKA_SUB_PRIME_BITS:
4501 switch (keytype) {
4502 case CKK_X9_42_DH:
4503 return (get_ulong_attr_from_object(
4504 OBJ_DOM_DH942_SUBPRIME_BITS(object_p), template));
4505
4506 default:
4507 template->ulValueLen = (CK_ULONG)-1;
4508 return (CKR_ATTRIBUTE_TYPE_INVALID);
4509 }
4510
4511 default:
4512 /*
4513 * Get the value of a common attribute.
4514 */
4515 rv = soft_get_common_attrs(object_p, template,
4516 object_p->object_type);
4517 break;
4518 }
4519
4520 return (rv);
4521 }
4522
4523 /*
4524 * Get certificate attributes from an object.
4525 * return CKR_ATTRIBUTE_TYPE_INVALID if the requested type
4526 * does not exist in the certificate.
4527 */
4528 CK_RV
4529 soft_get_certificate_attribute(soft_object_t *object_p,
4530 CK_ATTRIBUTE_PTR template)
4531 {
4532 CK_CERTIFICATE_TYPE certtype = object_p->cert_type;
4533 cert_attr_t src;
4534
4535 switch (template->type) {
4536 case CKA_SUBJECT:
4537 if (certtype == CKC_X_509) {
4538 return (get_cert_attr_from_object(
4539 X509_CERT_SUBJECT(object_p), template));
4540 }
4541 break;
4542 case CKA_VALUE:
4543 if (certtype == CKC_X_509) {
4544 return (get_cert_attr_from_object(
4545 X509_CERT_VALUE(object_p), template));
4546 } else if (certtype == CKC_X_509_ATTR_CERT) {
4547 return (get_cert_attr_from_object(
4548 X509_ATTR_CERT_VALUE(object_p), template));
4549 }
4550 break;
4551 case CKA_OWNER:
4552 if (certtype == CKC_X_509_ATTR_CERT) {
4553 return (get_cert_attr_from_object(
4554 X509_ATTR_CERT_OWNER(object_p), template));
4555 }
4556 break;
4557 case CKA_CERTIFICATE_TYPE:
4558 src.value = (CK_BYTE *)&certtype;
4559 src.length = sizeof (certtype);
4560 return (get_cert_attr_from_object(&src, template));
4561 case CKA_TRUSTED:
4562 return (get_bool_attr_from_object(object_p,
4563 TRUSTED_BOOL_ON, template));
4564 case CKA_ID:
4565 case CKA_ISSUER:
4566 case CKA_SERIAL_NUMBER:
4567 case CKA_AC_ISSUER:
4568 case CKA_ATTR_TYPES:
4569 return (get_extra_attr_from_object(object_p,
4570 template));
4571 default:
4572 return (soft_get_common_attrs(object_p, template,
4573 object_p->object_type));
4574 }
4575
4576 /*
4577 * If we got this far, then the combination of certificate type
4578 * and requested attribute is invalid.
4579 */
4580 return (CKR_ATTRIBUTE_TYPE_INVALID);
4581 }
4582
4583 CK_RV
4584 soft_set_certificate_attribute(soft_object_t *object_p,
4585 CK_ATTRIBUTE_PTR template, boolean_t copy)
4586 {
4587 CK_CERTIFICATE_TYPE certtype = object_p->cert_type;
4588
4589 switch (template->type) {
4590 case CKA_SUBJECT:
4591 if (certtype == CKC_X_509) {
4592 /* SUBJECT attr cannot be modified. */
4593 return (CKR_ATTRIBUTE_READ_ONLY);
4594 }
4595 break;
4596 case CKA_OWNER:
4597 if (certtype == CKC_X_509_ATTR_CERT) {
4598 /* OWNER attr cannot be modified. */
4599 return (CKR_ATTRIBUTE_READ_ONLY);
4600 }
4601 break;
4602 case CKA_VALUE:
4603 /* VALUE attr cannot be modified. */
4604 return (CKR_ATTRIBUTE_READ_ONLY);
4605 case CKA_ID:
4606 case CKA_ISSUER:
4607 if (certtype == CKC_X_509) {
4608 return (set_extra_attr_to_object(object_p,
4609 template->type, template));
4610 }
4611 break;
4612 case CKA_AC_ISSUER:
4613 case CKA_ATTR_TYPES:
4614 if (certtype == CKC_X_509_ATTR_CERT) {
4615 return (set_extra_attr_to_object(object_p,
4616 template->type, template));
4617 }
4618 break;
4619 case CKA_SERIAL_NUMBER:
4620 case CKA_LABEL:
4621 return (set_extra_attr_to_object(object_p,
4622 template->type, template));
4623 default:
4624 return (soft_set_common_storage_attribute(
4625 object_p, template, copy));
4626 }
4627
4628 /*
4629 * If we got this far, then the combination of certificate type
4630 * and requested attribute is invalid.
4631 */
4632 return (CKR_ATTRIBUTE_TYPE_INVALID);
4633 }
4634
4635 /*
4636 * Call the appropriate get attribute function according to the class
4637 * of object.
4638 *
4639 * The caller of this function holds the lock on the object.
4640 */
4641 CK_RV
4642 soft_get_attribute(soft_object_t *object_p, CK_ATTRIBUTE_PTR template)
4643 {
4644
4645 CK_RV rv = CKR_OK;
4646 CK_OBJECT_CLASS class = object_p->class;
4647
4648 switch (class) {
4649 case CKO_PUBLIC_KEY:
4650 rv = soft_get_public_key_attribute(object_p, template);
4651 break;
4652
4653 case CKO_PRIVATE_KEY:
4654 rv = soft_get_private_key_attribute(object_p, template);
4655 break;
4656
4657 case CKO_SECRET_KEY:
4658 rv = soft_get_secret_key_attribute(object_p, template);
4659 break;
4660
4661 case CKO_DOMAIN_PARAMETERS:
4662 rv = soft_get_domain_parameters_attribute(object_p, template);
4663 break;
4664
4665 case CKO_CERTIFICATE:
4666 rv = soft_get_certificate_attribute(object_p, template);
4667 break;
4668
4669 default:
4670 /*
4671 * If the specified attribute for the object is invalid
4672 * (the object does not possess such as attribute), then
4673 * the ulValueLen is modified to hold the value -1.
4674 */
4675 template->ulValueLen = (CK_ULONG)-1;
4676 return (CKR_ATTRIBUTE_TYPE_INVALID);
4677 }
4678
4679 return (rv);
4680
4681 }
4682
4683 CK_RV
4684 soft_set_common_storage_attribute(soft_object_t *object_p,
4685 CK_ATTRIBUTE_PTR template, boolean_t copy)
4686 {
4687
4688 CK_RV rv = CKR_OK;
4689
4690 switch (template->type) {
4691
4692 case CKA_TOKEN:
4693 if (copy) {
4694 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) {
4695 if (!soft_keystore_status(KEYSTORE_INITIALIZED))
4696 return (CKR_DEVICE_REMOVED);
4697 object_p->object_type |= TOKEN_OBJECT;
4698 }
4699 } else {
4700 rv = CKR_ATTRIBUTE_READ_ONLY;
4701 }
4702
4703 break;
4704
4705 case CKA_PRIVATE:
4706 if (copy) {
4707 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) {
4708 (void) pthread_mutex_lock(&soft_giant_mutex);
4709 if (!soft_slot.authenticated) {
4710 /*
4711 * Check if this is the special case
4712 * when the PIN is never initialized
4713 * in the keystore. If true, we will
4714 * let it pass here and let it fail
4715 * with CKR_PIN_EXPIRED later on.
4716 */
4717 if (!soft_slot.userpin_change_needed) {
4718 (void) pthread_mutex_unlock(
4719 &soft_giant_mutex);
4720 return (CKR_USER_NOT_LOGGED_IN);
4721 }
4722 }
4723 (void) pthread_mutex_unlock(&soft_giant_mutex);
4724 object_p->object_type |= PRIVATE_OBJECT;
4725 }
4726 } else {
4727 rv = CKR_ATTRIBUTE_READ_ONLY;
4728 }
4729 break;
4730
4731 case CKA_MODIFIABLE:
4732 if (copy) {
4733 if ((*(CK_BBOOL *)template->pValue) == TRUE)
4734 object_p->bool_attr_mask &=
4735 ~NOT_MODIFIABLE_BOOL_ON;
4736 else
4737 object_p->bool_attr_mask |=
4738 NOT_MODIFIABLE_BOOL_ON;
4739 } else {
4740 rv = CKR_ATTRIBUTE_READ_ONLY;
4741 }
4742 break;
4743
4744 case CKA_CLASS:
4745 rv = CKR_ATTRIBUTE_READ_ONLY;
4746 break;
4747
4748 default:
4749 rv = CKR_TEMPLATE_INCONSISTENT;
4750 }
4751
4752 return (rv);
4753 }
4754
4755 /*
4756 * Set the value of an attribute that is common to all key objects
4757 * (i.e. public key, private key and secret key).
4758 */
4759 CK_RV
4760 soft_set_common_key_attribute(soft_object_t *object_p,
4761 CK_ATTRIBUTE_PTR template, boolean_t copy)
4762 {
4763
4764 switch (template->type) {
4765
4766 case CKA_LABEL:
4767 /*
4768 * Only the LABEL can be modified in the common storage
4769 * object attributes after the object is created.
4770 */
4771 return (set_extra_attr_to_object(object_p,
4772 CKA_LABEL, template));
4773
4774 case CKA_ID:
4775 return (set_extra_attr_to_object(object_p,
4776 CKA_ID, template));
4777
4778 case CKA_START_DATE:
4779 return (set_extra_attr_to_object(object_p,
4780 CKA_START_DATE, template));
4781
4782 case CKA_END_DATE:
4783 return (set_extra_attr_to_object(object_p,
4784 CKA_END_DATE, template));
4785
4786 case CKA_DERIVE:
4787 return (set_bool_attr_to_object(object_p,
4788 DERIVE_BOOL_ON, template));
4789
4790 case CKA_KEY_TYPE:
4791 case CKA_LOCAL:
4792 case CKA_KEY_GEN_MECHANISM:
4793 return (CKR_ATTRIBUTE_READ_ONLY);
4794
4795 default:
4796 return (soft_set_common_storage_attribute(object_p,
4797 template, copy));
4798
4799 }
4800
4801 }
4802
4803
4804 /*
4805 * Set the value of an attribute of a Public Key Object.
4806 *
4807 * Rule: The attributes marked with footnote number "8" in the PKCS11
4808 * spec may be modified (p.88 in PKCS11 spec.).
4809 */
4810 CK_RV
4811 soft_set_public_key_attribute(soft_object_t *object_p,
4812 CK_ATTRIBUTE_PTR template, boolean_t copy)
4813 {
4814 CK_KEY_TYPE keytype = object_p->key_type;
4815
4816 switch (template->type) {
4817
4818 case CKA_SUBJECT:
4819 return (set_extra_attr_to_object(object_p,
4820 CKA_SUBJECT, template));
4821
4822 case CKA_ENCRYPT:
4823 return (set_bool_attr_to_object(object_p,
4824 ENCRYPT_BOOL_ON, template));
4825
4826 case CKA_VERIFY:
4827 return (set_bool_attr_to_object(object_p,
4828 VERIFY_BOOL_ON, template));
4829
4830 case CKA_VERIFY_RECOVER:
4831 return (set_bool_attr_to_object(object_p,
4832 VERIFY_RECOVER_BOOL_ON, template));
4833
4834 case CKA_WRAP:
4835 return (set_bool_attr_to_object(object_p,
4836 WRAP_BOOL_ON, template));
4837
4838 case CKA_MODULUS:
4839 case CKA_MODULUS_BITS:
4840 case CKA_PUBLIC_EXPONENT:
4841 if (keytype == CKK_RSA)
4842 return (CKR_ATTRIBUTE_READ_ONLY);
4843 break;
4844
4845 case CKA_SUBPRIME:
4846 if ((keytype == CKK_DSA) ||
4847 (keytype == CKK_X9_42_DH))
4848 return (CKR_ATTRIBUTE_READ_ONLY);
4849 break;
4850
4851 case CKA_PRIME:
4852 case CKA_BASE:
4853 case CKA_VALUE:
4854 if ((keytype == CKK_DSA) ||
4855 (keytype == CKK_DH) ||
4856 (keytype == CKK_X9_42_DH))
4857 return (CKR_ATTRIBUTE_READ_ONLY);
4858 break;
4859
4860 default:
4861 /*
4862 * Set the value of a common key attribute.
4863 */
4864 return (soft_set_common_key_attribute(object_p,
4865 template, copy));
4866
4867 }
4868 /*
4869 * If we got this far, then the combination of key type
4870 * and requested attribute is invalid.
4871 */
4872 return (CKR_ATTRIBUTE_TYPE_INVALID);
4873 }
4874
4875
4876 /*
4877 * Set the value of an attribute of a Private Key Object.
4878 *
4879 * Rule: The attributes marked with footnote number "8" in the PKCS11
4880 * spec may be modified (p.88 in PKCS11 spec.).
4881 */
4882 CK_RV
4883 soft_set_private_key_attribute(soft_object_t *object_p,
4884 CK_ATTRIBUTE_PTR template, boolean_t copy)
4885 {
4886 CK_KEY_TYPE keytype = object_p->key_type;
4887
4888 switch (template->type) {
4889
4890 case CKA_SUBJECT:
4891 return (set_extra_attr_to_object(object_p,
4892 CKA_SUBJECT, template));
4893
4894 case CKA_SENSITIVE:
4895 /*
4896 * Cannot set SENSITIVE to FALSE if it is already ON.
4897 */
4898 if (((*(CK_BBOOL *)template->pValue) == B_FALSE) &&
4899 (object_p->bool_attr_mask & SENSITIVE_BOOL_ON)) {
4900 return (CKR_ATTRIBUTE_READ_ONLY);
4901 }
4902
4903 if (*(CK_BBOOL *)template->pValue)
4904 object_p->bool_attr_mask |= SENSITIVE_BOOL_ON;
4905 return (CKR_OK);
4906
4907 case CKA_DECRYPT:
4908 return (set_bool_attr_to_object(object_p,
4909 DECRYPT_BOOL_ON, template));
4910
4911 case CKA_SIGN:
4912 return (set_bool_attr_to_object(object_p,
4913 SIGN_BOOL_ON, template));
4914
4915 case CKA_SIGN_RECOVER:
4916 return (set_bool_attr_to_object(object_p,
4917 SIGN_RECOVER_BOOL_ON, template));
4918
4919 case CKA_UNWRAP:
4920 return (set_bool_attr_to_object(object_p,
4921 UNWRAP_BOOL_ON, template));
4922
4923 case CKA_EXTRACTABLE:
4924 /*
4925 * Cannot set EXTRACTABLE to TRUE if it is already OFF.
4926 */
4927 if ((*(CK_BBOOL *)template->pValue) &&
4928 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
4929 return (CKR_ATTRIBUTE_READ_ONLY);
4930 }
4931
4932 if ((*(CK_BBOOL *)template->pValue) == B_FALSE)
4933 object_p->bool_attr_mask &= ~EXTRACTABLE_BOOL_ON;
4934 return (CKR_OK);
4935
4936 case CKA_MODULUS:
4937 case CKA_PUBLIC_EXPONENT:
4938 case CKA_PRIVATE_EXPONENT:
4939 case CKA_PRIME_1:
4940 case CKA_PRIME_2:
4941 case CKA_EXPONENT_1:
4942 case CKA_EXPONENT_2:
4943 case CKA_COEFFICIENT:
4944 if (keytype == CKK_RSA) {
4945 return (CKR_ATTRIBUTE_READ_ONLY);
4946 }
4947 break;
4948
4949 case CKA_SUBPRIME:
4950 if ((keytype == CKK_DSA) ||
4951 (keytype == CKK_X9_42_DH))
4952 return (CKR_ATTRIBUTE_READ_ONLY);
4953 break;
4954
4955 case CKA_PRIME:
4956 case CKA_BASE:
4957 case CKA_VALUE:
4958 if ((keytype == CKK_DSA) ||
4959 (keytype == CKK_DH) ||
4960 (keytype == CKK_X9_42_DH))
4961 return (CKR_ATTRIBUTE_READ_ONLY);
4962 break;
4963
4964 case CKA_VALUE_BITS:
4965 if (keytype == CKK_DH)
4966 return (CKR_ATTRIBUTE_READ_ONLY);
4967 break;
4968
4969 default:
4970 /*
4971 * Set the value of a common key attribute.
4972 */
4973 return (soft_set_common_key_attribute(object_p,
4974 template, copy));
4975 }
4976
4977 /*
4978 * If we got this far, then the combination of key type
4979 * and requested attribute is invalid.
4980 */
4981 return (CKR_ATTRIBUTE_TYPE_INVALID);
4982 }
4983
4984 /*
4985 * Set the value of an attribute of a Secret Key Object.
4986 *
4987 * Rule: The attributes marked with footnote number "8" in the PKCS11
4988 * spec may be modified (p.88 in PKCS11 spec.).
4989 */
4990 CK_RV
4991 soft_set_secret_key_attribute(soft_object_t *object_p,
4992 CK_ATTRIBUTE_PTR template, boolean_t copy)
4993 {
4994 CK_KEY_TYPE keytype = object_p->key_type;
4995
4996 switch (template->type) {
4997
4998 case CKA_SENSITIVE:
4999 /*
5000 * Cannot set SENSITIVE to FALSE if it is already ON.
5001 */
5002 if (((*(CK_BBOOL *)template->pValue) == B_FALSE) &&
5003 (object_p->bool_attr_mask & SENSITIVE_BOOL_ON)) {
5004 return (CKR_ATTRIBUTE_READ_ONLY);
5005 }
5006
5007 if (*(CK_BBOOL *)template->pValue)
5008 object_p->bool_attr_mask |= SENSITIVE_BOOL_ON;
5009 return (CKR_OK);
5010
5011 case CKA_ENCRYPT:
5012 return (set_bool_attr_to_object(object_p,
5013 ENCRYPT_BOOL_ON, template));
5014
5015 case CKA_DECRYPT:
5016 return (set_bool_attr_to_object(object_p,
5017 DECRYPT_BOOL_ON, template));
5018
5019 case CKA_SIGN:
5020 return (set_bool_attr_to_object(object_p,
5021 SIGN_BOOL_ON, template));
5022
5023 case CKA_VERIFY:
5024 return (set_bool_attr_to_object(object_p,
5025 VERIFY_BOOL_ON, template));
5026
5027 case CKA_WRAP:
5028 return (set_bool_attr_to_object(object_p,
5029 WRAP_BOOL_ON, template));
5030
5031 case CKA_UNWRAP:
5032 return (set_bool_attr_to_object(object_p,
5033 UNWRAP_BOOL_ON, template));
5034
5035 case CKA_EXTRACTABLE:
5036 /*
5037 * Cannot set EXTRACTABLE to TRUE if it is already OFF.
5038 */
5039 if ((*(CK_BBOOL *)template->pValue) &&
5040 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
5041 return (CKR_ATTRIBUTE_READ_ONLY);
5042 }
5043
5044 if ((*(CK_BBOOL *)template->pValue) == B_FALSE)
5045 object_p->bool_attr_mask &= ~EXTRACTABLE_BOOL_ON;
5046 return (CKR_OK);
5047
5048 case CKA_VALUE:
5049 return (CKR_ATTRIBUTE_READ_ONLY);
5050
5051 case CKA_VALUE_LEN:
5052 if ((keytype == CKK_RC4) ||
5053 (keytype == CKK_GENERIC_SECRET) ||
5054 (keytype == CKK_AES) ||
5055 (keytype == CKK_BLOWFISH))
5056 return (CKR_ATTRIBUTE_READ_ONLY);
5057 break;
5058
5059 default:
5060 /*
5061 * Set the value of a common key attribute.
5062 */
5063 return (soft_set_common_key_attribute(object_p,
5064 template, copy));
5065
5066 }
5067 /*
5068 * If we got this far, then the combination of key type
5069 * and requested attribute is invalid.
5070 */
5071 return (CKR_ATTRIBUTE_TYPE_INVALID);
5072 }
5073
5074
5075 /*
5076 * Call the appropriate set attribute function according to the class
5077 * of object.
5078 *
5079 * The caller of this function does not hold the lock on the original
5080 * object, since this function is setting the attribute on the new object
5081 * that is being modified.
5082 *
5083 * Argument copy: TRUE when called by C_CopyObject,
5084 * FALSE when called by C_SetAttributeValue.
5085 */
5086 CK_RV
5087 soft_set_attribute(soft_object_t *object_p, CK_ATTRIBUTE_PTR template,
5088 boolean_t copy)
5089 {
5090
5091 CK_RV rv = CKR_OK;
5092 CK_OBJECT_CLASS class = object_p->class;
5093
5094 switch (class) {
5095
5096 case CKO_PUBLIC_KEY:
5097 rv = soft_set_public_key_attribute(object_p, template, copy);
5098 break;
5099
5100 case CKO_PRIVATE_KEY:
5101 rv = soft_set_private_key_attribute(object_p, template, copy);
5102 break;
5103
5104 case CKO_SECRET_KEY:
5105 rv = soft_set_secret_key_attribute(object_p, template, copy);
5106 break;
5107
5108 case CKO_DOMAIN_PARAMETERS:
5109 switch (template->type) {
5110 case CKA_LABEL:
5111 /*
5112 * Only the LABEL can be modified in the common
5113 * storage object attributes after the object is
5114 * created.
5115 */
5116 return (set_extra_attr_to_object(object_p,
5117 CKA_LABEL, template));
5118 default:
5119 return (CKR_TEMPLATE_INCONSISTENT);
5120 }
5121 case CKO_CERTIFICATE:
5122 rv = soft_set_certificate_attribute(object_p, template, copy);
5123 break;
5124
5125 default:
5126 /*
5127 * If the template specifies a value of an attribute
5128 * which is incompatible with other existing attributes
5129 * of the object, then fails with return code
5130 * CKR_TEMPLATE_INCONSISTENT.
5131 */
5132 rv = CKR_TEMPLATE_INCONSISTENT;
5133 break;
5134 }
5135
5136 return (rv);
5137 }
5138
5139 CK_RV
5140 soft_get_public_value(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
5141 uchar_t *value, uint32_t *value_len)
5142 {
5143 uint32_t len = 0;
5144 switch (type) {
5145
5146 /* The following attributes belong to RSA */
5147 case CKA_MODULUS:
5148 #ifdef __sparcv9
5149 len =
5150 /* LINTED */
5151 (uint32_t)
5152 ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value_len;
5153 #else /* !__sparcv9 */
5154 len =
5155 ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value_len;
5156 #endif /* __sparcv9 */
5157
5158 /* This attribute MUST BE set */
5159 if (len == 0 || len > *value_len) {
5160 return (CKR_ATTRIBUTE_VALUE_INVALID);
5161 }
5162 *value_len = len;
5163
5164 (void) memcpy(value,
5165 ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value,
5166 *value_len);
5167
5168 break;
5169
5170 case CKA_PUBLIC_EXPONENT:
5171 #ifdef __sparcv9
5172 len =
5173 /* LINTED */
5174 (uint32_t)
5175 ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value_len;
5176 #else /* !__sparcv9 */
5177 len =
5178 ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value_len;
5179 #endif /* __sparcv9 */
5180
5181 /* This attribute MUST BE set */
5182 if (len == 0 || len > *value_len) {
5183 return (CKR_ATTRIBUTE_VALUE_INVALID);
5184 }
5185 *value_len = len;
5186
5187 (void) memcpy(value,
5188 ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value,
5189 *value_len);
5190
5191 break;
5192
5193 /* The following attributes belong to DSA and DH */
5194 case CKA_PRIME:
5195
5196 if (key->key_type == CKK_DSA)
5197 #ifdef __sparcv9
5198 len =
5199 /* LINTED */
5200 (uint32_t)
5201 ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))->
5202 big_value_len;
5203 #else /* !__sparcv9 */
5204 len =
5205 ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))->
5206 big_value_len;
5207 #endif /* __sparcv9 */
5208 else
5209 #ifdef __sparcv9
5210 len =
5211 /* LINTED */
5212 (uint32_t)
5213 ((biginteger_t *)OBJ_PUB_DH_PRIME(key))->
5214 big_value_len;
5215 #else /* !__sparcv9 */
5216 len =
5217 ((biginteger_t *)OBJ_PUB_DH_PRIME(key))->
5218 big_value_len;
5219 #endif /* __sparcv9 */
5220
5221 /* This attribute MUST BE set */
5222 if (len == 0 || len > *value_len) {
5223 return (CKR_ATTRIBUTE_VALUE_INVALID);
5224 }
5225 *value_len = len;
5226
5227 if (key->key_type == CKK_DSA)
5228 (void) memcpy(value,
5229 ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))->big_value,
5230 *value_len);
5231 else
5232 (void) memcpy(value,
5233 ((biginteger_t *)OBJ_PUB_DH_PRIME(key))->big_value,
5234 *value_len);
5235
5236 break;
5237
5238 case CKA_SUBPRIME:
5239 #ifdef __sparcv9
5240 len =
5241 /* LINTED */
5242 (uint32_t)
5243 ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value_len;
5244 #else /* !__sparcv9 */
5245 len =
5246 ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value_len;
5247 #endif /* __sparcv9 */
5248
5249 /* This attribute MUST BE set */
5250 if (len == 0 || len > *value_len) {
5251 return (CKR_ATTRIBUTE_VALUE_INVALID);
5252 }
5253 *value_len = len;
5254
5255 (void) memcpy(value,
5256 ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value,
5257 *value_len);
5258
5259 break;
5260
5261 case CKA_BASE:
5262
5263 if (key->key_type == CKK_DSA)
5264 #ifdef __sparcv9
5265 len =
5266 /* LINTED */
5267 (uint32_t)
5268 ((biginteger_t *)OBJ_PUB_DSA_BASE(key))->
5269 big_value_len;
5270 #else /* !__sparcv9 */
5271 len =
5272 ((biginteger_t *)OBJ_PUB_DSA_BASE(key))->
5273 big_value_len;
5274 #endif /* __sparcv9 */
5275 else
5276 #ifdef __sparcv9
5277 len =
5278 /* LINTED */
5279 (uint32_t)
5280 ((biginteger_t *)OBJ_PUB_DH_BASE(key))->
5281 big_value_len;
5282 #else /* !__sparcv9 */
5283 len =
5284 ((biginteger_t *)OBJ_PUB_DH_BASE(key))->
5285 big_value_len;
5286 #endif /* __sparcv9 */
5287
5288 /* This attribute MUST BE set */
5289 if (len == 0 || len > *value_len) {
5290 return (CKR_ATTRIBUTE_VALUE_INVALID);
5291 }
5292 *value_len = len;
5293
5294 if (key->key_type == CKK_DSA)
5295 (void) memcpy(value,
5296 ((biginteger_t *)OBJ_PUB_DSA_BASE(key))->big_value,
5297 *value_len);
5298 else
5299 (void) memcpy(value,
5300 ((biginteger_t *)OBJ_PUB_DH_BASE(key))->big_value,
5301 *value_len);
5302 break;
5303
5304 case CKA_VALUE:
5305
5306 if (key->key_type == CKK_DSA)
5307 #ifdef __sparcv9
5308 len =
5309 /* LINTED */
5310 (uint32_t)
5311 ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))->
5312 big_value_len;
5313 #else /* !__sparcv9 */
5314 len =
5315 ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))->
5316 big_value_len;
5317 #endif /* __sparcv9 */
5318 else
5319 #ifdef __sparcv9
5320 len =
5321 /* LINTED */
5322 (uint32_t)
5323 ((biginteger_t *)OBJ_PUB_DH_VALUE(key))->
5324 big_value_len;
5325 #else /* !__sparcv9 */
5326 len =
5327 ((biginteger_t *)OBJ_PUB_DH_VALUE(key))->
5328 big_value_len;
5329 #endif /* __sparcv9 */
5330
5331 /* This attribute MUST BE set */
5332 if (len == 0 || len > *value_len) {
5333 return (CKR_ATTRIBUTE_VALUE_INVALID);
5334 }
5335 *value_len = len;
5336
5337 if (key->key_type == CKK_DSA)
5338 (void) memcpy(value,
5339 ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))->big_value,
5340 *value_len);
5341 else
5342 (void) memcpy(value,
5343 ((biginteger_t *)OBJ_PUB_DH_VALUE(key))->big_value,
5344 *value_len);
5345
5346 break;
5347 }
5348
5349 return (CKR_OK);
5350 }
5351
5352
5353 CK_RV
5354 soft_get_private_value(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
5355 uchar_t *value, uint32_t *value_len)
5356 {
5357
5358 uint32_t len = 0;
5359
5360 switch (type) {
5361
5362 /* The following attributes belong to RSA */
5363 case CKA_MODULUS:
5364 #ifdef __sparcv9
5365 len =
5366 /* LINTED */
5367 (uint32_t)
5368 ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value_len;
5369 #else /* !__sparcv9 */
5370 len =
5371 ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value_len;
5372 #endif /* __sparcv9 */
5373
5374 /* This attribute MUST BE set */
5375 if (len == 0 || len > *value_len) {
5376 return (CKR_ATTRIBUTE_VALUE_INVALID);
5377 }
5378 *value_len = len;
5379
5380 (void) memcpy(value,
5381 ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value,
5382 *value_len);
5383
5384 break;
5385
5386 case CKA_PRIVATE_EXPONENT:
5387 #ifdef __sparcv9
5388 len =
5389 /* LINTED */
5390 (uint32_t)
5391 ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value_len;
5392 #else /* !__sparcv9 */
5393 len =
5394 ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value_len;
5395 #endif /* __sparcv9 */
5396
5397 /* This attribute MUST BE set */
5398 if (len == 0 || len > *value_len) {
5399 return (CKR_ATTRIBUTE_VALUE_INVALID);
5400 }
5401 *value_len = len;
5402
5403 (void) memcpy(value,
5404 ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value,
5405 *value_len);
5406
5407 break;
5408
5409 case CKA_PRIME_1:
5410 #ifdef __sparcv9
5411 len =
5412 /* LINTED */
5413 (uint32_t)
5414 ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value_len;
5415 #else /* !__sparcv9 */
5416 len =
5417 ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value_len;
5418 #endif /* __sparcv9 */
5419
5420 if (len > *value_len) {
5421 return (CKR_ATTRIBUTE_VALUE_INVALID);
5422 }
5423 *value_len = len;
5424
5425 if (*value_len == 0) {
5426 return (CKR_OK);
5427 }
5428
5429 (void) memcpy(value,
5430 ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value,
5431 *value_len);
5432
5433 break;
5434
5435 case CKA_PRIME_2:
5436 #ifdef __sparcv9
5437 len =
5438 /* LINTED */
5439 (uint32_t)
5440 ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value_len;
5441 #else /* !__sparcv9 */
5442 len =
5443 ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value_len;
5444 #endif /* __sparcv9 */
5445
5446 if (len > *value_len) {
5447 return (CKR_ATTRIBUTE_VALUE_INVALID);
5448 }
5449 *value_len = len;
5450
5451 if (*value_len == 0) {
5452 return (CKR_OK);
5453 }
5454
5455 (void) memcpy(value,
5456 ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value,
5457 *value_len);
5458
5459 break;
5460
5461 case CKA_EXPONENT_1:
5462 #ifdef __sparcv9
5463 len =
5464 /* LINTED */
5465 (uint32_t)
5466 ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value_len;
5467 #else /* !__sparcv9 */
5468 len =
5469 ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value_len;
5470 #endif /* __sparcv9 */
5471
5472 if (len > *value_len) {
5473 return (CKR_ATTRIBUTE_VALUE_INVALID);
5474 }
5475 *value_len = len;
5476
5477 if (*value_len == 0) {
5478 return (CKR_OK);
5479 }
5480
5481 (void) memcpy(value,
5482 ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value,
5483 *value_len);
5484
5485 break;
5486
5487 case CKA_EXPONENT_2:
5488 #ifdef __sparcv9
5489 len =
5490 /* LINTED */
5491 (uint32_t)
5492 ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value_len;
5493 #else /* !__sparcv9 */
5494 len =
5495 ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value_len;
5496 #endif /* __sparcv9 */
5497
5498 if (len > *value_len) {
5499 return (CKR_ATTRIBUTE_VALUE_INVALID);
5500 }
5501 *value_len = len;
5502
5503 if (*value_len == 0) {
5504 return (CKR_OK);
5505 }
5506
5507 (void) memcpy(value,
5508 ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value,
5509 *value_len);
5510
5511 break;
5512
5513 case CKA_COEFFICIENT:
5514 #ifdef __sparcv9
5515 len =
5516 /* LINTED */
5517 (uint32_t)
5518 ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value_len;
5519 #else /* !__sparcv9 */
5520 len =
5521 ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value_len;
5522 #endif /* __sparcv9 */
5523
5524 if (len > *value_len) {
5525 return (CKR_ATTRIBUTE_VALUE_INVALID);
5526 }
5527 *value_len = len;
5528
5529 if (*value_len == 0) {
5530 return (CKR_OK);
5531 }
5532
5533 (void) memcpy(value,
5534 ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value,
5535 *value_len);
5536
5537 break;
5538
5539 /* The following attributes belong to DSA and DH */
5540 case CKA_PRIME:
5541
5542 if (key->key_type == CKK_DSA)
5543 #ifdef __sparcv9
5544 len =
5545 /* LINTED */
5546 (uint32_t)
5547 ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))->
5548 big_value_len;
5549 #else /* !__sparcv9 */
5550 len =
5551 ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))->
5552 big_value_len;
5553 #endif /* __sparcv9 */
5554 else
5555 #ifdef __sparcv9
5556 len =
5557 /* LINTED */
5558 (uint32_t)
5559 ((biginteger_t *)OBJ_PRI_DH_PRIME(key))->
5560 big_value_len;
5561 #else /* !__sparcv9 */
5562 len =
5563 ((biginteger_t *)OBJ_PRI_DH_PRIME(key))->
5564 big_value_len;
5565 #endif /* __sparcv9 */
5566
5567 /* This attribute MUST BE set */
5568 if (len == 0 || len > *value_len) {
5569 return (CKR_ATTRIBUTE_VALUE_INVALID);
5570 }
5571 *value_len = len;
5572
5573 if (key->key_type == CKK_DSA)
5574 (void) memcpy(value,
5575 ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))->big_value,
5576 *value_len);
5577 else
5578 (void) memcpy(value,
5579 ((biginteger_t *)OBJ_PRI_DH_PRIME(key))->big_value,
5580 *value_len);
5581
5582 break;
5583
5584 case CKA_SUBPRIME:
5585 #ifdef __sparcv9
5586 len =
5587 /* LINTED */
5588 (uint32_t)
5589 ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value_len;
5590 #else /* !__sparcv9 */
5591 len =
5592 ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value_len;
5593 #endif /* __sparcv9 */
5594
5595 /* This attribute MUST BE set */
5596 if (len == 0 || len > *value_len) {
5597 return (CKR_ATTRIBUTE_VALUE_INVALID);
5598 }
5599 *value_len = len;
5600
5601 (void) memcpy(value,
5602 ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value,
5603 *value_len);
5604
5605 break;
5606
5607 case CKA_BASE:
5608
5609 if (key->key_type == CKK_DSA)
5610 #ifdef __sparcv9
5611 len =
5612 /* LINTED */
5613 (uint32_t)
5614 ((biginteger_t *)OBJ_PRI_DSA_BASE(key))->
5615 big_value_len;
5616 #else /* !__sparcv9 */
5617 len =
5618 ((biginteger_t *)OBJ_PRI_DSA_BASE(key))->
5619 big_value_len;
5620 #endif /* __sparcv9 */
5621 else
5622 #ifdef __sparcv9
5623 len =
5624 /* LINTED */
5625 (uint32_t)
5626 ((biginteger_t *)OBJ_PRI_DH_BASE(key))->
5627 big_value_len;
5628 #else /* !__sparcv9 */
5629 len =
5630 ((biginteger_t *)OBJ_PRI_DH_BASE(key))->
5631 big_value_len;
5632 #endif /* __sparcv9 */
5633
5634 /* This attribute MUST BE set */
5635 if (len == 0 || len > *value_len) {
5636 return (CKR_ATTRIBUTE_VALUE_INVALID);
5637 }
5638 *value_len = len;
5639
5640 if (key->key_type == CKK_DSA)
5641 (void) memcpy(value,
5642 ((biginteger_t *)OBJ_PRI_DSA_BASE(key))->big_value,
5643 *value_len);
5644 else
5645 (void) memcpy(value,
5646 ((biginteger_t *)OBJ_PRI_DH_BASE(key))->big_value,
5647 *value_len);
5648 break;
5649
5650 case CKA_VALUE:
5651
5652 if (key->key_type == CKK_DSA) {
5653 #ifdef __sparcv9
5654 len =
5655 /* LINTED */
5656 (uint32_t)
5657 ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))->
5658 big_value_len;
5659 #else /* !__sparcv9 */
5660 len =
5661 ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))->
5662 big_value_len;
5663 #endif /* __sparcv9 */
5664 } else if (key->key_type == CKK_DH) {
5665 #ifdef __sparcv9
5666 len =
5667 /* LINTED */
5668 (uint32_t)
5669 ((biginteger_t *)OBJ_PRI_DH_VALUE(key))->
5670 big_value_len;
5671 #else /* !__sparcv9 */
5672 len =
5673 ((biginteger_t *)OBJ_PRI_DH_VALUE(key))->
5674 big_value_len;
5675 #endif /* __sparcv9 */
5676 } else {
5677 #ifdef __sparcv9
5678 len =
5679 /* LINTED */
5680 (uint32_t)
5681 ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->
5682 big_value_len;
5683 #else /* !__sparcv9 */
5684 len =
5685 ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->
5686 big_value_len;
5687 #endif /* __sparcv9 */
5688 }
5689
5690 /* This attribute MUST BE set */
5691 if (len == 0 || len > *value_len) {
5692 return (CKR_ATTRIBUTE_VALUE_INVALID);
5693 }
5694 *value_len = len;
5695
5696 if (key->key_type == CKK_DSA) {
5697 (void) memcpy(value,
5698 ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))->big_value,
5699 *value_len);
5700 } else if (key->key_type == CKK_DH) {
5701 (void) memcpy(value,
5702 ((biginteger_t *)OBJ_PRI_DH_VALUE(key))->big_value,
5703 *value_len);
5704 } else {
5705 (void) memcpy(value,
5706 ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->big_value,
5707 *value_len);
5708 }
5709
5710 break;
5711 }
5712
5713 return (CKR_OK);
5714
5715 }
5716
5717 static CK_RV
5718 copy_bigint(biginteger_t *new_bigint, biginteger_t *old_bigint)
5719 {
5720 new_bigint->big_value =
5721 malloc((sizeof (CK_BYTE) * new_bigint->big_value_len));
5722
5723 if (new_bigint->big_value == NULL) {
5724 return (CKR_HOST_MEMORY);
5725 }
5726
5727 (void) memcpy(new_bigint->big_value, old_bigint->big_value,
5728 (sizeof (CK_BYTE) * new_bigint->big_value_len));
5729
5730 return (CKR_OK);
5731 }
5732
5733 static void
5734 free_public_key_attr(public_key_obj_t *pbk, CK_KEY_TYPE key_type)
5735 {
5736 if (pbk == NULL) {
5737 return;
5738 }
5739
5740 switch (key_type) {
5741 case CKK_RSA:
5742 bigint_attr_cleanup(KEY_PUB_RSA_MOD(pbk));
5743 bigint_attr_cleanup(KEY_PUB_RSA_PUBEXPO(pbk));
5744 break;
5745 case CKK_DSA:
5746 bigint_attr_cleanup(KEY_PUB_DSA_PRIME(pbk));
5747 bigint_attr_cleanup(KEY_PUB_DSA_SUBPRIME(pbk));
5748 bigint_attr_cleanup(KEY_PUB_DSA_BASE(pbk));
5749 bigint_attr_cleanup(KEY_PUB_DSA_VALUE(pbk));
5750 break;
5751 case CKK_DH:
5752 bigint_attr_cleanup(KEY_PUB_DH_PRIME(pbk));
5753 bigint_attr_cleanup(KEY_PUB_DH_BASE(pbk));
5754 bigint_attr_cleanup(KEY_PUB_DH_VALUE(pbk));
5755 break;
5756 case CKK_EC:
5757 bigint_attr_cleanup(KEY_PUB_EC_POINT(pbk));
5758 break;
5759 case CKK_X9_42_DH:
5760 bigint_attr_cleanup(KEY_PUB_DH942_PRIME(pbk));
5761 bigint_attr_cleanup(KEY_PUB_DH942_SUBPRIME(pbk));
5762 bigint_attr_cleanup(KEY_PUB_DH942_BASE(pbk));
5763 bigint_attr_cleanup(KEY_PUB_DH942_VALUE(pbk));
5764 break;
5765 default:
5766 break;
5767 }
5768 free(pbk);
5769 }
5770
5771 CK_RV
5772 soft_copy_public_key_attr(public_key_obj_t *old_pub_key_obj_p,
5773 public_key_obj_t **new_pub_key_obj_p, CK_KEY_TYPE key_type)
5774 {
5775
5776 public_key_obj_t *pbk;
5777 CK_RV rv = CKR_OK;
5778
5779 pbk = calloc(1, sizeof (public_key_obj_t));
5780 if (pbk == NULL) {
5781 return (CKR_HOST_MEMORY);
5782 }
5783
5784 switch (key_type) {
5785 case CKK_RSA:
5786 (void) memcpy(KEY_PUB_RSA(pbk),
5787 KEY_PUB_RSA(old_pub_key_obj_p),
5788 sizeof (rsa_pub_key_t));
5789 /* copy modulus */
5790 rv = copy_bigint(KEY_PUB_RSA_MOD(pbk),
5791 KEY_PUB_RSA_MOD(old_pub_key_obj_p));
5792 if (rv != CKR_OK) {
5793 free_public_key_attr(pbk, key_type);
5794 return (rv);
5795 }
5796 /* copy public exponent */
5797 rv = copy_bigint(KEY_PUB_RSA_PUBEXPO(pbk),
5798 KEY_PUB_RSA_PUBEXPO(old_pub_key_obj_p));
5799 if (rv != CKR_OK) {
5800 free_public_key_attr(pbk, key_type);
5801 return (rv);
5802 }
5803 break;
5804 case CKK_DSA:
5805 (void) memcpy(KEY_PUB_DSA(pbk),
5806 KEY_PUB_DSA(old_pub_key_obj_p),
5807 sizeof (dsa_pub_key_t));
5808
5809 /* copy prime */
5810 rv = copy_bigint(KEY_PUB_DSA_PRIME(pbk),
5811 KEY_PUB_DSA_PRIME(old_pub_key_obj_p));
5812 if (rv != CKR_OK) {
5813 free_public_key_attr(pbk, key_type);
5814 return (rv);
5815 }
5816
5817 /* copy subprime */
5818 rv = copy_bigint(KEY_PUB_DSA_SUBPRIME(pbk),
5819 KEY_PUB_DSA_SUBPRIME(old_pub_key_obj_p));
5820 if (rv != CKR_OK) {
5821 free_public_key_attr(pbk, key_type);
5822 return (rv);
5823 }
5824
5825 /* copy base */
5826 rv = copy_bigint(KEY_PUB_DSA_BASE(pbk),
5827 KEY_PUB_DSA_BASE(old_pub_key_obj_p));
5828 if (rv != CKR_OK) {
5829 free_public_key_attr(pbk, key_type);
5830 return (rv);
5831 }
5832
5833 /* copy value */
5834 rv = copy_bigint(KEY_PUB_DSA_VALUE(pbk),
5835 KEY_PUB_DSA_VALUE(old_pub_key_obj_p));
5836 if (rv != CKR_OK) {
5837 free_public_key_attr(pbk, key_type);
5838 return (rv);
5839 }
5840 break;
5841 case CKK_DH:
5842 (void) memcpy(KEY_PUB_DH(pbk),
5843 KEY_PUB_DH(old_pub_key_obj_p),
5844 sizeof (dh_pub_key_t));
5845
5846 /* copy prime */
5847 rv = copy_bigint(KEY_PUB_DH_PRIME(pbk),
5848 KEY_PUB_DH_PRIME(old_pub_key_obj_p));
5849 if (rv != CKR_OK) {
5850 free_public_key_attr(pbk, key_type);
5851 return (rv);
5852 }
5853
5854 /* copy base */
5855 rv = copy_bigint(KEY_PUB_DH_BASE(pbk),
5856 KEY_PUB_DH_BASE(old_pub_key_obj_p));
5857 if (rv != CKR_OK) {
5858 free_public_key_attr(pbk, key_type);
5859 return (rv);
5860 }
5861
5862 /* copy value */
5863 rv = copy_bigint(KEY_PUB_DH_VALUE(pbk),
5864 KEY_PUB_DH_VALUE(old_pub_key_obj_p));
5865 if (rv != CKR_OK) {
5866 free_public_key_attr(pbk, key_type);
5867 return (rv);
5868 }
5869 break;
5870 case CKK_EC:
5871 (void) memcpy(KEY_PUB_EC(pbk),
5872 KEY_PUB_EC(old_pub_key_obj_p),
5873 sizeof (ec_pub_key_t));
5874
5875 /* copy point */
5876 rv = copy_bigint(KEY_PUB_EC_POINT(pbk),
5877 KEY_PUB_EC_POINT(old_pub_key_obj_p));
5878 if (rv != CKR_OK) {
5879 free_public_key_attr(pbk, key_type);
5880 return (rv);
5881 }
5882 break;
5883 case CKK_X9_42_DH:
5884 (void) memcpy(KEY_PUB_DH942(pbk),
5885 KEY_PUB_DH942(old_pub_key_obj_p),
5886 sizeof (dh942_pub_key_t));
5887
5888 /* copy prime */
5889 rv = copy_bigint(KEY_PUB_DH942_PRIME(pbk),
5890 KEY_PUB_DH942_PRIME(old_pub_key_obj_p));
5891 if (rv != CKR_OK) {
5892 free_public_key_attr(pbk, key_type);
5893 return (rv);
5894 }
5895
5896 /* copy subprime */
5897 rv = copy_bigint(KEY_PUB_DH942_SUBPRIME(pbk),
5898 KEY_PUB_DH942_SUBPRIME(old_pub_key_obj_p));
5899 if (rv != CKR_OK) {
5900 free_public_key_attr(pbk, key_type);
5901 return (rv);
5902 }
5903
5904 /* copy base */
5905 rv = copy_bigint(KEY_PUB_DH942_BASE(pbk),
5906 KEY_PUB_DH942_BASE(old_pub_key_obj_p));
5907 if (rv != CKR_OK) {
5908 free_public_key_attr(pbk, key_type);
5909 return (rv);
5910 }
5911
5912 /* copy value */
5913 rv = copy_bigint(KEY_PUB_DH942_VALUE(pbk),
5914 KEY_PUB_DH942_VALUE(old_pub_key_obj_p));
5915 if (rv != CKR_OK) {
5916 free_public_key_attr(pbk, key_type);
5917 return (rv);
5918 }
5919 break;
5920 default:
5921 break;
5922 }
5923 *new_pub_key_obj_p = pbk;
5924 return (rv);
5925 }
5926
5927 static void
5928 free_private_key_attr(private_key_obj_t *pbk, CK_KEY_TYPE key_type)
5929 {
5930 if (pbk == NULL) {
5931 return;
5932 }
5933
5934 switch (key_type) {
5935 case CKK_RSA:
5936 bigint_attr_cleanup(KEY_PRI_RSA_MOD(pbk));
5937 bigint_attr_cleanup(KEY_PRI_RSA_PUBEXPO(pbk));
5938 bigint_attr_cleanup(KEY_PRI_RSA_PRIEXPO(pbk));
5939 bigint_attr_cleanup(KEY_PRI_RSA_PRIME1(pbk));
5940 bigint_attr_cleanup(KEY_PRI_RSA_PRIME2(pbk));
5941 bigint_attr_cleanup(KEY_PRI_RSA_EXPO1(pbk));
5942 bigint_attr_cleanup(KEY_PRI_RSA_EXPO2(pbk));
5943 bigint_attr_cleanup(KEY_PRI_RSA_COEF(pbk));
5944 break;
5945 case CKK_DSA:
5946 bigint_attr_cleanup(KEY_PRI_DSA_PRIME(pbk));
5947 bigint_attr_cleanup(KEY_PRI_DSA_SUBPRIME(pbk));
5948 bigint_attr_cleanup(KEY_PRI_DSA_BASE(pbk));
5949 bigint_attr_cleanup(KEY_PRI_DSA_VALUE(pbk));
5950 break;
5951 case CKK_DH:
5952 bigint_attr_cleanup(KEY_PRI_DH_PRIME(pbk));
5953 bigint_attr_cleanup(KEY_PRI_DH_BASE(pbk));
5954 bigint_attr_cleanup(KEY_PRI_DH_VALUE(pbk));
5955 break;
5956 case CKK_EC:
5957 bigint_attr_cleanup(KEY_PRI_EC_VALUE(pbk));
5958 break;
5959 case CKK_X9_42_DH:
5960 bigint_attr_cleanup(KEY_PRI_DH942_PRIME(pbk));
5961 bigint_attr_cleanup(KEY_PRI_DH942_SUBPRIME(pbk));
5962 bigint_attr_cleanup(KEY_PRI_DH942_BASE(pbk));
5963 bigint_attr_cleanup(KEY_PRI_DH942_VALUE(pbk));
5964 break;
5965 default:
5966 break;
5967 }
5968 free(pbk);
5969 }
5970
5971 CK_RV
5972 soft_copy_private_key_attr(private_key_obj_t *old_pri_key_obj_p,
5973 private_key_obj_t **new_pri_key_obj_p, CK_KEY_TYPE key_type)
5974 {
5975 CK_RV rv = CKR_OK;
5976 private_key_obj_t *pbk;
5977
5978 pbk = calloc(1, sizeof (private_key_obj_t));
5979 if (pbk == NULL) {
5980 return (CKR_HOST_MEMORY);
5981 }
5982
5983 switch (key_type) {
5984 case CKK_RSA:
5985 (void) memcpy(KEY_PRI_RSA(pbk),
5986 KEY_PRI_RSA(old_pri_key_obj_p),
5987 sizeof (rsa_pri_key_t));
5988 /* copy modulus */
5989 rv = copy_bigint(KEY_PRI_RSA_MOD(pbk),
5990 KEY_PRI_RSA_MOD(old_pri_key_obj_p));
5991 if (rv != CKR_OK) {
5992 free_private_key_attr(pbk, key_type);
5993 return (rv);
5994 }
5995 /* copy public exponent */
5996 rv = copy_bigint(KEY_PRI_RSA_PUBEXPO(pbk),
5997 KEY_PRI_RSA_PUBEXPO(old_pri_key_obj_p));
5998 if (rv != CKR_OK) {
5999 free_private_key_attr(pbk, key_type);
6000 return (rv);
6001 }
6002 /* copy private exponent */
6003 rv = copy_bigint(KEY_PRI_RSA_PRIEXPO(pbk),
6004 KEY_PRI_RSA_PRIEXPO(old_pri_key_obj_p));
6005 if (rv != CKR_OK) {
6006 free_private_key_attr(pbk, key_type);
6007 return (rv);
6008 }
6009 /* copy prime_1 */
6010 rv = copy_bigint(KEY_PRI_RSA_PRIME1(pbk),
6011 KEY_PRI_RSA_PRIME1(old_pri_key_obj_p));
6012 if (rv != CKR_OK) {
6013 free_private_key_attr(pbk, key_type);
6014 return (rv);
6015 }
6016 /* copy prime_2 */
6017 rv = copy_bigint(KEY_PRI_RSA_PRIME2(pbk),
6018 KEY_PRI_RSA_PRIME2(old_pri_key_obj_p));
6019 if (rv != CKR_OK) {
6020 free_private_key_attr(pbk, key_type);
6021 return (rv);
6022 }
6023 /* copy exponent_1 */
6024 rv = copy_bigint(KEY_PRI_RSA_EXPO1(pbk),
6025 KEY_PRI_RSA_EXPO1(old_pri_key_obj_p));
6026 if (rv != CKR_OK) {
6027 free_private_key_attr(pbk, key_type);
6028 return (rv);
6029 }
6030 /* copy exponent_2 */
6031 rv = copy_bigint(KEY_PRI_RSA_EXPO2(pbk),
6032 KEY_PRI_RSA_EXPO2(old_pri_key_obj_p));
6033 if (rv != CKR_OK) {
6034 free_private_key_attr(pbk, key_type);
6035 return (rv);
6036 }
6037 /* copy coefficient */
6038 rv = copy_bigint(KEY_PRI_RSA_COEF(pbk),
6039 KEY_PRI_RSA_COEF(old_pri_key_obj_p));
6040 if (rv != CKR_OK) {
6041 free_private_key_attr(pbk, key_type);
6042 return (rv);
6043 }
6044 break;
6045 case CKK_DSA:
6046 (void) memcpy(KEY_PRI_DSA(pbk),
6047 KEY_PRI_DSA(old_pri_key_obj_p),
6048 sizeof (dsa_pri_key_t));
6049
6050 /* copy prime */
6051 rv = copy_bigint(KEY_PRI_DSA_PRIME(pbk),
6052 KEY_PRI_DSA_PRIME(old_pri_key_obj_p));
6053 if (rv != CKR_OK) {
6054 free_private_key_attr(pbk, key_type);
6055 return (rv);
6056 }
6057
6058 /* copy subprime */
6059 rv = copy_bigint(KEY_PRI_DSA_SUBPRIME(pbk),
6060 KEY_PRI_DSA_SUBPRIME(old_pri_key_obj_p));
6061 if (rv != CKR_OK) {
6062 free_private_key_attr(pbk, key_type);
6063 return (rv);
6064 }
6065
6066 /* copy base */
6067 rv = copy_bigint(KEY_PRI_DSA_BASE(pbk),
6068 KEY_PRI_DSA_BASE(old_pri_key_obj_p));
6069 if (rv != CKR_OK) {
6070 free_private_key_attr(pbk, key_type);
6071 return (rv);
6072 }
6073
6074 /* copy value */
6075 rv = copy_bigint(KEY_PRI_DSA_VALUE(pbk),
6076 KEY_PRI_DSA_VALUE(old_pri_key_obj_p));
6077 if (rv != CKR_OK) {
6078 free_private_key_attr(pbk, key_type);
6079 return (rv);
6080 }
6081 break;
6082 case CKK_DH:
6083 (void) memcpy(KEY_PRI_DH(pbk),
6084 KEY_PRI_DH(old_pri_key_obj_p),
6085 sizeof (dh_pri_key_t));
6086
6087 /* copy prime */
6088 rv = copy_bigint(KEY_PRI_DH_PRIME(pbk),
6089 KEY_PRI_DH_PRIME(old_pri_key_obj_p));
6090 if (rv != CKR_OK) {
6091 free_private_key_attr(pbk, key_type);
6092 return (rv);
6093 }
6094
6095 /* copy base */
6096 rv = copy_bigint(KEY_PRI_DH_BASE(pbk),
6097 KEY_PRI_DH_BASE(old_pri_key_obj_p));
6098 if (rv != CKR_OK) {
6099 free_private_key_attr(pbk, key_type);
6100 return (rv);
6101 }
6102
6103 /* copy value */
6104 rv = copy_bigint(KEY_PRI_DH_VALUE(pbk),
6105 KEY_PRI_DH_VALUE(old_pri_key_obj_p));
6106 if (rv != CKR_OK) {
6107 free_private_key_attr(pbk, key_type);
6108 return (rv);
6109 }
6110 break;
6111 case CKK_EC:
6112 (void) memcpy(KEY_PRI_EC(pbk),
6113 KEY_PRI_EC(old_pri_key_obj_p),
6114 sizeof (ec_pri_key_t));
6115
6116 /* copy value */
6117 rv = copy_bigint(KEY_PRI_EC_VALUE(pbk),
6118 KEY_PRI_EC_VALUE(old_pri_key_obj_p));
6119 if (rv != CKR_OK) {
6120 free_private_key_attr(pbk, key_type);
6121 return (rv);
6122 }
6123 break;
6124 case CKK_X9_42_DH:
6125 (void) memcpy(KEY_PRI_DH942(pbk),
6126 KEY_PRI_DH942(old_pri_key_obj_p),
6127 sizeof (dh942_pri_key_t));
6128
6129 /* copy prime */
6130 rv = copy_bigint(KEY_PRI_DH942_PRIME(pbk),
6131 KEY_PRI_DH942_PRIME(old_pri_key_obj_p));
6132 if (rv != CKR_OK) {
6133 free_private_key_attr(pbk, key_type);
6134 return (rv);
6135 }
6136
6137 /* copy subprime */
6138 rv = copy_bigint(KEY_PRI_DH942_SUBPRIME(pbk),
6139 KEY_PRI_DH942_SUBPRIME(old_pri_key_obj_p));
6140 if (rv != CKR_OK) {
6141 free_private_key_attr(pbk, key_type);
6142 return (rv);
6143 }
6144
6145 /* copy base */
6146 rv = copy_bigint(KEY_PRI_DH942_BASE(pbk),
6147 KEY_PRI_DH942_BASE(old_pri_key_obj_p));
6148 if (rv != CKR_OK) {
6149 free_private_key_attr(pbk, key_type);
6150 return (rv);
6151 }
6152
6153 /* copy value */
6154 rv = copy_bigint(KEY_PRI_DH942_VALUE(pbk),
6155 KEY_PRI_DH942_VALUE(old_pri_key_obj_p));
6156 if (rv != CKR_OK) {
6157 free_private_key_attr(pbk, key_type);
6158 return (rv);
6159 }
6160 break;
6161 default:
6162 break;
6163 }
6164 *new_pri_key_obj_p = pbk;
6165 return (rv);
6166 }
6167
6168 static void
6169 free_domain_attr(domain_obj_t *domain, CK_KEY_TYPE key_type)
6170 {
6171 if (domain == NULL) {
6172 return;
6173 }
6174
6175 switch (key_type) {
6176 case CKK_DSA:
6177 bigint_attr_cleanup(KEY_DOM_DSA_PRIME(domain));
6178 bigint_attr_cleanup(KEY_DOM_DSA_SUBPRIME(domain));
6179 bigint_attr_cleanup(KEY_DOM_DSA_BASE(domain));
6180 break;
6181 case CKK_DH:
6182 bigint_attr_cleanup(KEY_DOM_DH_PRIME(domain));
6183 bigint_attr_cleanup(KEY_DOM_DH_BASE(domain));
6184 break;
6185 case CKK_X9_42_DH:
6186 bigint_attr_cleanup(KEY_DOM_DH942_PRIME(domain));
6187 bigint_attr_cleanup(KEY_DOM_DH942_SUBPRIME(domain));
6188 bigint_attr_cleanup(KEY_DOM_DH942_BASE(domain));
6189 break;
6190 default:
6191 break;
6192 }
6193 free(domain);
6194 }
6195
6196 CK_RV
6197 soft_copy_domain_attr(domain_obj_t *old_domain_obj_p,
6198 domain_obj_t **new_domain_obj_p, CK_KEY_TYPE key_type)
6199 {
6200 CK_RV rv = CKR_OK;
6201 domain_obj_t *domain;
6202
6203 domain = calloc(1, sizeof (domain_obj_t));
6204 if (domain == NULL) {
6205 return (CKR_HOST_MEMORY);
6206 }
6207
6208 switch (key_type) {
6209 case CKK_DSA:
6210 (void) memcpy(KEY_DOM_DSA(domain),
6211 KEY_DOM_DSA(old_domain_obj_p),
6212 sizeof (dsa_dom_key_t));
6213
6214 /* copy prime */
6215 rv = copy_bigint(KEY_DOM_DSA_PRIME(domain),
6216 KEY_DOM_DSA_PRIME(old_domain_obj_p));
6217 if (rv != CKR_OK) {
6218 free_domain_attr(domain, key_type);
6219 return (rv);
6220 }
6221
6222 /* copy subprime */
6223 rv = copy_bigint(KEY_DOM_DSA_SUBPRIME(domain),
6224 KEY_DOM_DSA_SUBPRIME(old_domain_obj_p));
6225 if (rv != CKR_OK) {
6226 free_domain_attr(domain, key_type);
6227 return (rv);
6228 }
6229
6230 /* copy base */
6231 rv = copy_bigint(KEY_DOM_DSA_BASE(domain),
6232 KEY_DOM_DSA_BASE(old_domain_obj_p));
6233 if (rv != CKR_OK) {
6234 free_domain_attr(domain, key_type);
6235 return (rv);
6236 }
6237
6238 break;
6239 case CKK_DH:
6240 (void) memcpy(KEY_DOM_DH(domain),
6241 KEY_DOM_DH(old_domain_obj_p),
6242 sizeof (dh_dom_key_t));
6243
6244 /* copy prime */
6245 rv = copy_bigint(KEY_DOM_DH_PRIME(domain),
6246 KEY_DOM_DH_PRIME(old_domain_obj_p));
6247 if (rv != CKR_OK) {
6248 free_domain_attr(domain, key_type);
6249 return (rv);
6250 }
6251
6252 /* copy base */
6253 rv = copy_bigint(KEY_DOM_DH_BASE(domain),
6254 KEY_DOM_DH_BASE(old_domain_obj_p));
6255 if (rv != CKR_OK) {
6256 free_domain_attr(domain, key_type);
6257 return (rv);
6258 }
6259
6260 break;
6261 case CKK_X9_42_DH:
6262 (void) memcpy(KEY_DOM_DH942(domain),
6263 KEY_DOM_DH942(old_domain_obj_p),
6264 sizeof (dh942_dom_key_t));
6265
6266 /* copy prime */
6267 rv = copy_bigint(KEY_DOM_DH942_PRIME(domain),
6268 KEY_DOM_DH942_PRIME(old_domain_obj_p));
6269 if (rv != CKR_OK) {
6270 free_domain_attr(domain, key_type);
6271 return (rv);
6272 }
6273
6274 /* copy subprime */
6275 rv = copy_bigint(KEY_DOM_DH942_SUBPRIME(domain),
6276 KEY_DOM_DH942_SUBPRIME(old_domain_obj_p));
6277 if (rv != CKR_OK) {
6278 free_domain_attr(domain, key_type);
6279 return (rv);
6280 }
6281
6282 /* copy base */
6283 rv = copy_bigint(KEY_DOM_DH942_BASE(domain),
6284 KEY_DOM_DH942_BASE(old_domain_obj_p));
6285 if (rv != CKR_OK) {
6286 free_domain_attr(domain, key_type);
6287 return (rv);
6288 }
6289
6290 break;
6291 default:
6292 break;
6293 }
6294 *new_domain_obj_p = domain;
6295 return (rv);
6296 }
6297
6298 CK_RV
6299 soft_copy_secret_key_attr(secret_key_obj_t *old_secret_key_obj_p,
6300 secret_key_obj_t **new_secret_key_obj_p)
6301 {
6302 secret_key_obj_t *sk;
6303
6304 sk = malloc(sizeof (secret_key_obj_t));
6305 if (sk == NULL) {
6306 return (CKR_HOST_MEMORY);
6307 }
6308 (void) memcpy(sk, old_secret_key_obj_p, sizeof (secret_key_obj_t));
6309
6310 /* copy the secret key value */
6311 sk->sk_value = malloc(sk->sk_value_len);
6312 if (sk->sk_value == NULL) {
6313 free(sk);
6314 return (CKR_HOST_MEMORY);
6315 }
6316 (void) memcpy(sk->sk_value, old_secret_key_obj_p->sk_value,
6317 (sizeof (CK_BYTE) * sk->sk_value_len));
6318
6319 /*
6320 * Copy the pre-expanded key schedule.
6321 */
6322 if (old_secret_key_obj_p->key_sched != NULL &&
6323 old_secret_key_obj_p->keysched_len > 0) {
6324 sk->key_sched = malloc(old_secret_key_obj_p->keysched_len);
6325 if (sk->key_sched == NULL) {
6326 freezero(sk->sk_value, sk->sk_value_len);
6327 free(sk);
6328 return (CKR_HOST_MEMORY);
6329 }
6330 sk->keysched_len = old_secret_key_obj_p->keysched_len;
6331 (void) memcpy(sk->key_sched, old_secret_key_obj_p->key_sched,
6332 sk->keysched_len);
6333 }
6334
6335 *new_secret_key_obj_p = sk;
6336
6337 return (CKR_OK);
6338 }
6339
6340 /*
6341 * If CKA_CLASS not given, guess CKA_CLASS using
6342 * attributes on template .
6343 *
6344 * Some attributes are specific to an object class. If one or more
6345 * of these attributes are in the template, make a list of classes
6346 * that can have these attributes. This would speed up the search later,
6347 * because we can immediately skip an object if the class of that
6348 * object can not possibly contain one of the attributes.
6349 *
6350 */
6351 void
6352 soft_process_find_attr(CK_OBJECT_CLASS *pclasses,
6353 CK_ULONG *num_result_pclasses, CK_ATTRIBUTE_PTR pTemplate,
6354 CK_ULONG ulCount)
6355 {
6356 ulong_t i;
6357 int j;
6358 boolean_t pub_found = B_FALSE,
6359 priv_found = B_FALSE,
6360 secret_found = B_FALSE,
6361 domain_found = B_FALSE,
6362 hardware_found = B_FALSE,
6363 cert_found = B_FALSE;
6364 int num_pub_key_attrs, num_priv_key_attrs,
6365 num_secret_key_attrs, num_domain_attrs,
6366 num_hardware_attrs, num_cert_attrs;
6367 int num_pclasses = 0;
6368
6369 for (i = 0; i < ulCount; i++) {
6370 if (pTemplate[i].type == CKA_CLASS) {
6371 /*
6372 * don't need to guess the class, it is specified.
6373 * Just record the class, and return.
6374 */
6375 pclasses[0] =
6376 (*((CK_OBJECT_CLASS *)pTemplate[i].pValue));
6377 *num_result_pclasses = 1;
6378 return;
6379 }
6380 }
6381
6382 num_pub_key_attrs =
6383 sizeof (PUB_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
6384 num_priv_key_attrs =
6385 sizeof (PRIV_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
6386 num_secret_key_attrs =
6387 sizeof (SECRET_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
6388 num_domain_attrs =
6389 sizeof (DOMAIN_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
6390 num_hardware_attrs =
6391 sizeof (HARDWARE_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
6392 num_cert_attrs =
6393 sizeof (CERT_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
6394
6395 /*
6396 * Get the list of objects class that might contain
6397 * some attributes.
6398 */
6399 for (i = 0; i < ulCount; i++) {
6400 /*
6401 * only check if this attribute can belong to public key object
6402 * class if public key object isn't already in the list
6403 */
6404 if (!pub_found) {
6405 for (j = 0; j < num_pub_key_attrs; j++) {
6406 if (pTemplate[i].type == PUB_KEY_ATTRS[j]) {
6407 pub_found = B_TRUE;
6408 pclasses[num_pclasses++] =
6409 CKO_PUBLIC_KEY;
6410 break;
6411 }
6412 }
6413 }
6414
6415 if (!priv_found) {
6416 for (j = 0; j < num_priv_key_attrs; j++) {
6417 if (pTemplate[i].type == PRIV_KEY_ATTRS[j]) {
6418 priv_found = B_TRUE;
6419 pclasses[num_pclasses++] =
6420 CKO_PRIVATE_KEY;
6421 break;
6422 }
6423 }
6424 }
6425
6426 if (!secret_found) {
6427 for (j = 0; j < num_secret_key_attrs; j++) {
6428 if (pTemplate[i].type == SECRET_KEY_ATTRS[j]) {
6429 secret_found = B_TRUE;
6430 pclasses[num_pclasses++] =
6431 CKO_SECRET_KEY;
6432 break;
6433 }
6434 }
6435 }
6436
6437 if (!domain_found) {
6438 for (j = 0; j < num_domain_attrs; j++) {
6439 if (pTemplate[i].type == DOMAIN_ATTRS[j]) {
6440 domain_found = B_TRUE;
6441 pclasses[num_pclasses++] =
6442 CKO_DOMAIN_PARAMETERS;
6443 break;
6444 }
6445 }
6446 }
6447
6448 if (!hardware_found) {
6449 for (j = 0; j < num_hardware_attrs; j++) {
6450 if (pTemplate[i].type == HARDWARE_ATTRS[j]) {
6451 hardware_found = B_TRUE;
6452 pclasses[num_pclasses++] =
6453 CKO_HW_FEATURE;
6454 break;
6455 }
6456 }
6457 }
6458
6459 if (!cert_found) {
6460 for (j = 0; j < num_cert_attrs; j++) {
6461 if (pTemplate[i].type == CERT_ATTRS[j]) {
6462 cert_found = B_TRUE;
6463 pclasses[num_pclasses++] =
6464 CKO_CERTIFICATE;
6465 break;
6466 }
6467 }
6468 }
6469 }
6470 *num_result_pclasses = num_pclasses;
6471 }
6472
6473 boolean_t
6474 soft_find_match_attrs(soft_object_t *obj, CK_OBJECT_CLASS *pclasses,
6475 CK_ULONG num_pclasses, CK_ATTRIBUTE *template, CK_ULONG num_attr)
6476 {
6477 ulong_t i;
6478 CK_ATTRIBUTE *tmpl_attr, *obj_attr;
6479 cert_attr_t *cert_attr;
6480 uint64_t attr_mask;
6481 biginteger_t *bigint;
6482 boolean_t compare_attr, compare_bigint, compare_boolean;
6483 boolean_t compare_cert_val, compare_cert_type;
6484
6485 /*
6486 * Check if the class of this object match with any
6487 * of object classes that can possibly contain the
6488 * requested attributes.
6489 */
6490 if (num_pclasses > 0) {
6491 for (i = 0; i < num_pclasses; i++) {
6492 if (obj->class == pclasses[i]) {
6493 break;
6494 }
6495 }
6496 if (i == num_pclasses) {
6497 /*
6498 * this object can't possibly contain one or
6499 * more attributes, don't need to check this object
6500 */
6501 return (B_FALSE);
6502 }
6503 }
6504
6505 /* need to examine everything */
6506 for (i = 0; i < num_attr; i++) {
6507 tmpl_attr = &(template[i]);
6508 compare_attr = B_FALSE;
6509 compare_bigint = B_FALSE;
6510 compare_boolean = B_FALSE;
6511 compare_cert_val = B_FALSE;
6512 compare_cert_type = B_FALSE;
6513 switch (tmpl_attr->type) {
6514 /* First, check the most common attributes */
6515 case CKA_CLASS:
6516 if (*((CK_OBJECT_CLASS *)tmpl_attr->pValue) !=
6517 obj->class) {
6518 return (B_FALSE);
6519 }
6520 break;
6521 case CKA_KEY_TYPE:
6522 if (*((CK_KEY_TYPE *)tmpl_attr->pValue) !=
6523 obj->key_type) {
6524 return (B_FALSE);
6525 }
6526 break;
6527 case CKA_ENCRYPT:
6528 attr_mask = (obj->bool_attr_mask) & ENCRYPT_BOOL_ON;
6529 compare_boolean = B_TRUE;
6530 break;
6531 case CKA_DECRYPT:
6532 attr_mask = (obj->bool_attr_mask) & DECRYPT_BOOL_ON;
6533 compare_boolean = B_TRUE;
6534 break;
6535 case CKA_WRAP:
6536 attr_mask = (obj->bool_attr_mask) & WRAP_BOOL_ON;
6537 compare_boolean = B_TRUE;
6538 break;
6539 case CKA_UNWRAP:
6540 attr_mask = (obj->bool_attr_mask) & UNWRAP_BOOL_ON;
6541 compare_boolean = B_TRUE;
6542 break;
6543 case CKA_SIGN:
6544 attr_mask = (obj->bool_attr_mask) & SIGN_BOOL_ON;
6545 compare_boolean = B_TRUE;
6546 break;
6547 case CKA_SIGN_RECOVER:
6548 attr_mask = (obj->bool_attr_mask) &
6549 SIGN_RECOVER_BOOL_ON;
6550 compare_boolean = B_TRUE;
6551 break;
6552 case CKA_VERIFY:
6553 attr_mask = (obj->bool_attr_mask) & VERIFY_BOOL_ON;
6554 compare_boolean = B_TRUE;
6555 break;
6556 case CKA_VERIFY_RECOVER:
6557 attr_mask = (obj->bool_attr_mask) &
6558 VERIFY_RECOVER_BOOL_ON;
6559 compare_boolean = B_TRUE;
6560 break;
6561 case CKA_DERIVE:
6562 attr_mask = (obj->bool_attr_mask) & DERIVE_BOOL_ON;
6563 compare_boolean = B_TRUE;
6564 break;
6565 case CKA_LOCAL:
6566 attr_mask = (obj->bool_attr_mask) & LOCAL_BOOL_ON;
6567 compare_boolean = B_TRUE;
6568 break;
6569 case CKA_SENSITIVE:
6570 attr_mask = (obj->bool_attr_mask) & SENSITIVE_BOOL_ON;
6571 compare_boolean = B_TRUE;
6572 break;
6573 case CKA_SECONDARY_AUTH:
6574 attr_mask = (obj->bool_attr_mask) &
6575 SECONDARY_AUTH_BOOL_ON;
6576 compare_boolean = B_TRUE;
6577 break;
6578 case CKA_TRUSTED:
6579 attr_mask = (obj->bool_attr_mask) & TRUSTED_BOOL_ON;
6580 compare_boolean = B_TRUE;
6581 break;
6582 case CKA_EXTRACTABLE:
6583 attr_mask = (obj->bool_attr_mask) &
6584 EXTRACTABLE_BOOL_ON;
6585 compare_boolean = B_TRUE;
6586 break;
6587 case CKA_ALWAYS_SENSITIVE:
6588 attr_mask = (obj->bool_attr_mask) &
6589 ALWAYS_SENSITIVE_BOOL_ON;
6590 compare_boolean = B_TRUE;
6591 break;
6592 case CKA_NEVER_EXTRACTABLE:
6593 attr_mask = (obj->bool_attr_mask) &
6594 NEVER_EXTRACTABLE_BOOL_ON;
6595 compare_boolean = B_TRUE;
6596 break;
6597 case CKA_TOKEN:
6598 attr_mask = (obj->object_type) & TOKEN_OBJECT;
6599 compare_boolean = B_TRUE;
6600 break;
6601 case CKA_PRIVATE:
6602 attr_mask = (obj->object_type) & PRIVATE_OBJECT;
6603 compare_boolean = B_TRUE;
6604 break;
6605 case CKA_MODIFIABLE:
6606 {
6607 CK_BBOOL bval;
6608 attr_mask = (obj->bool_attr_mask) &
6609 NOT_MODIFIABLE_BOOL_ON;
6610
6611 if (attr_mask) {
6612 bval = FALSE;
6613 } else {
6614 bval = TRUE;
6615 }
6616 if (bval != *((CK_BBOOL *)tmpl_attr->pValue)) {
6617 return (B_FALSE);
6618 }
6619 break;
6620 }
6621 case CKA_OWNER:
6622 /*
6623 * For X.509 attribute certificate object, get its
6624 * CKA_OWNER attribute from the x509_attr_cert_t struct.
6625 */
6626 if ((obj->class == CKO_CERTIFICATE) &&
6627 (obj->cert_type == CKC_X_509_ATTR_CERT)) {
6628 cert_attr = X509_ATTR_CERT_OWNER(obj);
6629 compare_cert_val = B_TRUE;
6630 }
6631 break;
6632 case CKA_SUBJECT:
6633 /*
6634 * For X.509 certificate object, get its CKA_SUBJECT
6635 * attribute from the x509_cert_t struct (not from
6636 * the extra_attrlistp).
6637 */
6638 if ((obj->class == CKO_CERTIFICATE) &&
6639 (obj->cert_type == CKC_X_509)) {
6640 cert_attr = X509_CERT_SUBJECT(obj);
6641 compare_cert_val = B_TRUE;
6642 break;
6643 }
6644 /*FALLTHRU*/
6645 case CKA_ID:
6646 case CKA_START_DATE:
6647 case CKA_END_DATE:
6648 case CKA_KEY_GEN_MECHANISM:
6649 case CKA_LABEL:
6650 case CKA_ISSUER:
6651 case CKA_SERIAL_NUMBER:
6652 case CKA_AC_ISSUER:
6653 case CKA_ATTR_TYPES:
6654 /* find these attributes from extra_attrlistp */
6655 obj_attr = get_extra_attr(tmpl_attr->type, obj);
6656 compare_attr = B_TRUE;
6657 break;
6658 case CKA_CERTIFICATE_TYPE:
6659 compare_cert_type = B_TRUE;
6660 break;
6661 case CKA_VALUE_LEN:
6662 /* only secret key has this attribute */
6663 if (obj->class == CKO_SECRET_KEY) {
6664 if (*((CK_ULONG *)tmpl_attr->pValue) !=
6665 OBJ_SEC_VALUE_LEN(obj)) {
6666 return (B_FALSE);
6667 }
6668 } else {
6669 return (B_FALSE);
6670 }
6671 break;
6672 case CKA_VALUE:
6673 switch (obj->class) {
6674 case CKO_SECRET_KEY:
6675 /*
6676 * secret_key_obj_t is the same as
6677 * biginteger_t
6678 */
6679 bigint = (biginteger_t *)OBJ_SEC(obj);
6680 compare_bigint = B_TRUE;
6681 break;
6682 case CKO_PRIVATE_KEY:
6683 if (obj->key_type == CKK_DSA) {
6684 bigint = OBJ_PRI_DSA_VALUE(obj);
6685 } else if (obj->key_type == CKK_DH) {
6686 bigint = OBJ_PRI_DH_VALUE(obj);
6687 } else if (obj->key_type == CKK_X9_42_DH) {
6688 bigint = OBJ_PRI_DH942_VALUE(obj);
6689 } else {
6690 return (B_FALSE);
6691 }
6692 compare_bigint = B_TRUE;
6693 break;
6694 case CKO_PUBLIC_KEY:
6695 if (obj->key_type == CKK_DSA) {
6696 bigint = OBJ_PUB_DSA_VALUE(obj);
6697 } else if (obj->key_type == CKK_DH) {
6698 bigint = OBJ_PUB_DH_VALUE(obj);
6699 } else if (obj->key_type == CKK_X9_42_DH) {
6700 bigint = OBJ_PUB_DH942_VALUE(obj);
6701 } else {
6702 return (B_FALSE);
6703 }
6704 compare_bigint = B_TRUE;
6705 break;
6706 case CKO_CERTIFICATE:
6707 if (obj->cert_type == CKC_X_509) {
6708 cert_attr = X509_CERT_VALUE(obj);
6709 } else if (obj->cert_type ==
6710 CKC_X_509_ATTR_CERT) {
6711 cert_attr = X509_ATTR_CERT_VALUE(obj);
6712 }
6713 compare_cert_val = B_TRUE;
6714 break;
6715 default:
6716 return (B_FALSE);
6717 }
6718 break;
6719 case CKA_MODULUS:
6720 /* only RSA public and private key have this attr */
6721 if (obj->key_type == CKK_RSA) {
6722 if (obj->class == CKO_PUBLIC_KEY) {
6723 bigint = OBJ_PUB_RSA_MOD(obj);
6724 } else if (obj->class == CKO_PRIVATE_KEY) {
6725 bigint = OBJ_PRI_RSA_MOD(obj);
6726 } else {
6727 return (B_FALSE);
6728 }
6729 compare_bigint = B_TRUE;
6730 } else {
6731 return (B_FALSE);
6732 }
6733 break;
6734 case CKA_MODULUS_BITS:
6735 /* only RSA public key has this attribute */
6736 if ((obj->key_type == CKK_RSA) &&
6737 (obj->class == CKO_PUBLIC_KEY)) {
6738 CK_ULONG mod_bits = OBJ_PUB_RSA_MOD_BITS(obj);
6739 if (mod_bits !=
6740 *((CK_ULONG *)tmpl_attr->pValue)) {
6741 return (B_FALSE);
6742 }
6743 } else {
6744 return (B_FALSE);
6745 }
6746 break;
6747 case CKA_PUBLIC_EXPONENT:
6748 /* only RSA public and private key have this attr */
6749 if (obj->key_type == CKK_RSA) {
6750 if (obj->class == CKO_PUBLIC_KEY) {
6751 bigint = OBJ_PUB_RSA_PUBEXPO(obj);
6752 } else if (obj->class == CKO_PRIVATE_KEY) {
6753 bigint = OBJ_PRI_RSA_PUBEXPO(obj);
6754 } else {
6755 return (B_FALSE);
6756 }
6757 compare_bigint = B_TRUE;
6758 } else {
6759 return (B_FALSE);
6760 }
6761 break;
6762 case CKA_PRIVATE_EXPONENT:
6763 /* only RSA private key has this attribute */
6764 if ((obj->key_type == CKK_RSA) &&
6765 (obj->class == CKO_PRIVATE_KEY)) {
6766 bigint = OBJ_PRI_RSA_PRIEXPO(obj);
6767 compare_bigint = B_TRUE;
6768 } else {
6769 return (B_FALSE);
6770 }
6771 break;
6772 case CKA_PRIME_1:
6773 /* only RSA private key has this attribute */
6774 if ((obj->key_type == CKK_RSA) &&
6775 (obj->class == CKO_PRIVATE_KEY)) {
6776 bigint = OBJ_PRI_RSA_PRIME1(obj);
6777 compare_bigint = B_TRUE;
6778 } else {
6779 return (B_FALSE);
6780 }
6781 break;
6782 case CKA_PRIME_2:
6783 /* only RSA private key has this attribute */
6784 if ((obj->key_type == CKK_RSA) &&
6785 (obj->class == CKO_PRIVATE_KEY)) {
6786 bigint = OBJ_PRI_RSA_PRIME2(obj);
6787 compare_bigint = B_TRUE;
6788 } else {
6789 return (B_FALSE);
6790 }
6791 break;
6792 case CKA_EXPONENT_1:
6793 /* only RSA private key has this attribute */
6794 if ((obj->key_type == CKK_RSA) &&
6795 (obj->class == CKO_PRIVATE_KEY)) {
6796 bigint = OBJ_PRI_RSA_EXPO1(obj);
6797 compare_bigint = B_TRUE;
6798 } else {
6799 return (B_FALSE);
6800 }
6801 break;
6802 case CKA_EXPONENT_2:
6803 /* only RSA private key has this attribute */
6804 if ((obj->key_type == CKK_RSA) &&
6805 (obj->class == CKO_PRIVATE_KEY)) {
6806 bigint = OBJ_PRI_RSA_EXPO2(obj);
6807 compare_bigint = B_TRUE;
6808 } else {
6809 return (B_FALSE);
6810 }
6811 break;
6812 case CKA_COEFFICIENT:
6813 /* only RSA private key has this attribute */
6814 if ((obj->key_type == CKK_RSA) &&
6815 (obj->class == CKO_PRIVATE_KEY)) {
6816 bigint = OBJ_PRI_RSA_COEF(obj);
6817 compare_bigint = B_TRUE;
6818 } else {
6819 return (B_FALSE);
6820 }
6821 break;
6822 case CKA_VALUE_BITS:
6823 /* only Diffie-Hellman private key has this attr */
6824 if ((obj->key_type == CKK_DH) &&
6825 (obj->class == CKO_PRIVATE_KEY)) {
6826 CK_ULONG val_bits = OBJ_PRI_DH_VAL_BITS(obj);
6827 if (val_bits !=
6828 *((CK_ULONG *)tmpl_attr->pValue)) {
6829 return (B_FALSE);
6830 }
6831 } else {
6832 return (B_FALSE);
6833 }
6834 break;
6835 case CKA_PRIME:
6836 if (obj->class == CKO_PUBLIC_KEY) {
6837 switch (obj->key_type) {
6838 case CKK_DSA:
6839 bigint = OBJ_PUB_DSA_PRIME(obj);
6840 break;
6841 case CKK_DH:
6842 bigint = OBJ_PUB_DH_PRIME(obj);
6843 break;
6844 case CKK_X9_42_DH:
6845 bigint = OBJ_PUB_DH942_PRIME(obj);
6846 break;
6847 default:
6848 return (B_FALSE);
6849 }
6850 } else if (obj->class == CKO_PRIVATE_KEY) {
6851 switch (obj->key_type) {
6852 case CKK_DSA:
6853 bigint = OBJ_PRI_DSA_PRIME(obj);
6854 break;
6855 case CKK_DH:
6856 bigint = OBJ_PRI_DH_PRIME(obj);
6857 break;
6858 case CKK_X9_42_DH:
6859 bigint = OBJ_PRI_DH942_PRIME(obj);
6860 break;
6861 default:
6862 return (B_FALSE);
6863 }
6864 } else if (obj->class == CKO_DOMAIN_PARAMETERS) {
6865 switch (obj->key_type) {
6866 case CKK_DSA:
6867 bigint = OBJ_DOM_DSA_PRIME(obj);
6868 break;
6869 case CKK_DH:
6870 bigint = OBJ_DOM_DH_PRIME(obj);
6871 break;
6872 case CKK_X9_42_DH:
6873 bigint = OBJ_DOM_DH942_PRIME(obj);
6874 break;
6875 default:
6876 return (B_FALSE);
6877 }
6878 } else {
6879 return (B_FALSE);
6880 }
6881 compare_bigint = B_TRUE;
6882 break;
6883 case CKA_SUBPRIME:
6884 if (obj->class == CKO_PUBLIC_KEY) {
6885 switch (obj->key_type) {
6886 case CKK_DSA:
6887 bigint = OBJ_PUB_DSA_SUBPRIME(obj);
6888 break;
6889 case CKK_X9_42_DH:
6890 bigint = OBJ_PUB_DH942_SUBPRIME(obj);
6891 break;
6892 default:
6893 return (B_FALSE);
6894 }
6895 } else if (obj->class == CKO_PRIVATE_KEY) {
6896 switch (obj->key_type) {
6897 case CKK_DSA:
6898 bigint = OBJ_PRI_DSA_SUBPRIME(obj);
6899 break;
6900 case CKK_X9_42_DH:
6901 bigint = OBJ_PRI_DH942_SUBPRIME(obj);
6902 break;
6903 default:
6904 return (B_FALSE);
6905 }
6906 } else if (obj->class == CKO_DOMAIN_PARAMETERS) {
6907 switch (obj->key_type) {
6908 case CKK_DSA:
6909 bigint = OBJ_DOM_DSA_SUBPRIME(obj);
6910 break;
6911 case CKK_X9_42_DH:
6912 bigint = OBJ_DOM_DH942_SUBPRIME(obj);
6913 break;
6914 default:
6915 return (B_FALSE);
6916 }
6917 } else {
6918 return (B_FALSE);
6919 }
6920 compare_bigint = B_TRUE;
6921 break;
6922 case CKA_BASE:
6923 if (obj->class == CKO_PUBLIC_KEY) {
6924 switch (obj->key_type) {
6925 case CKK_DSA:
6926 bigint = OBJ_PUB_DSA_BASE(obj);
6927 break;
6928 case CKK_DH:
6929 bigint = OBJ_PUB_DH_BASE(obj);
6930 break;
6931 case CKK_X9_42_DH:
6932 bigint = OBJ_PUB_DH942_BASE(obj);
6933 break;
6934 default:
6935 return (B_FALSE);
6936 }
6937 } else if (obj->class == CKO_PRIVATE_KEY) {
6938 switch (obj->key_type) {
6939 case CKK_DSA:
6940 bigint = OBJ_PRI_DSA_BASE(obj);
6941 break;
6942 case CKK_DH:
6943 bigint = OBJ_PRI_DH_BASE(obj);
6944 break;
6945 case CKK_X9_42_DH:
6946 bigint = OBJ_PRI_DH942_BASE(obj);
6947 break;
6948 default:
6949 return (B_FALSE);
6950 }
6951 } else if (obj->class == CKO_DOMAIN_PARAMETERS) {
6952 switch (obj->key_type) {
6953 case CKK_DSA:
6954 bigint = OBJ_DOM_DSA_BASE(obj);
6955 break;
6956 case CKK_DH:
6957 bigint = OBJ_DOM_DH_BASE(obj);
6958 break;
6959 case CKK_X9_42_DH:
6960 bigint = OBJ_DOM_DH942_BASE(obj);
6961 break;
6962 default:
6963 return (B_FALSE);
6964 }
6965 } else {
6966 return (B_FALSE);
6967 }
6968 compare_bigint = B_TRUE;
6969 break;
6970 case CKA_PRIME_BITS:
6971 if (obj->class == CKO_DOMAIN_PARAMETERS) {
6972 CK_ULONG prime_bits;
6973 if (obj->key_type == CKK_DSA) {
6974 prime_bits =
6975 OBJ_DOM_DSA_PRIME_BITS(obj);
6976 } else if (obj->key_type == CKK_DH) {
6977 prime_bits =
6978 OBJ_DOM_DH_PRIME_BITS(obj);
6979 } else if (obj->key_type == CKK_X9_42_DH) {
6980 prime_bits =
6981 OBJ_DOM_DH942_PRIME_BITS(obj);
6982 } else {
6983 return (B_FALSE);
6984 }
6985 if (prime_bits !=
6986 *((CK_ULONG *)tmpl_attr->pValue)) {
6987 return (B_FALSE);
6988 }
6989 } else {
6990 return (B_FALSE);
6991 }
6992 break;
6993 case CKA_SUBPRIME_BITS:
6994 if ((obj->class == CKO_DOMAIN_PARAMETERS) &&
6995 (obj->key_type == CKK_X9_42_DH)) {
6996 CK_ULONG subprime_bits =
6997 OBJ_DOM_DH942_SUBPRIME_BITS(obj);
6998 if (subprime_bits !=
6999 *((CK_ULONG *)tmpl_attr->pValue)) {
7000 return (B_FALSE);
7001 }
7002 } else {
7003 return (B_FALSE);
7004 }
7005 break;
7006 default:
7007 /*
7008 * any other attributes are currently not supported.
7009 * so, it's not possible for them to be in the
7010 * object
7011 */
7012 return (B_FALSE);
7013 }
7014 if (compare_boolean) {
7015 CK_BBOOL bval;
7016
7017 if (attr_mask) {
7018 bval = TRUE;
7019 } else {
7020 bval = FALSE;
7021 }
7022 if (bval != *((CK_BBOOL *)tmpl_attr->pValue)) {
7023 return (B_FALSE);
7024 }
7025 } else if (compare_bigint) {
7026 if (bigint == NULL) {
7027 return (B_FALSE);
7028 }
7029 if (tmpl_attr->ulValueLen != bigint->big_value_len) {
7030 return (B_FALSE);
7031 }
7032 if (memcmp(tmpl_attr->pValue, bigint->big_value,
7033 tmpl_attr->ulValueLen) != 0) {
7034 return (B_FALSE);
7035 }
7036 } else if (compare_attr) {
7037 if (obj_attr == NULL) {
7038 /*
7039 * The attribute type is valid, and its value
7040 * has not been initialized in the object. In
7041 * this case, it only matches the template's
7042 * attribute if the template's value length
7043 * is 0.
7044 */
7045 if (tmpl_attr->ulValueLen != 0)
7046 return (B_FALSE);
7047 } else {
7048 if (tmpl_attr->ulValueLen !=
7049 obj_attr->ulValueLen) {
7050 return (B_FALSE);
7051 }
7052 if (memcmp(tmpl_attr->pValue, obj_attr->pValue,
7053 tmpl_attr->ulValueLen) != 0) {
7054 return (B_FALSE);
7055 }
7056 }
7057 } else if (compare_cert_val) {
7058 if (cert_attr == NULL) {
7059 /* specific attribute not found */
7060 return (B_FALSE);
7061 }
7062 if (tmpl_attr->ulValueLen != cert_attr->length) {
7063 return (B_FALSE);
7064 }
7065 if (memcmp(tmpl_attr->pValue, cert_attr->value,
7066 tmpl_attr->ulValueLen) != 0) {
7067 return (B_FALSE);
7068 }
7069 } else if (compare_cert_type) {
7070 if (memcmp(tmpl_attr->pValue, &(obj->cert_type),
7071 tmpl_attr->ulValueLen) != 0) {
7072 return (B_FALSE);
7073 }
7074 }
7075 }
7076 return (B_TRUE);
7077 }
7078
7079 CK_ATTRIBUTE_PTR
7080 get_extra_attr(CK_ATTRIBUTE_TYPE type, soft_object_t *obj)
7081 {
7082 CK_ATTRIBUTE_INFO_PTR tmp;
7083
7084 tmp = obj->extra_attrlistp;
7085 while (tmp != NULL) {
7086 if (tmp->attr.type == type) {
7087 return (&(tmp->attr));
7088 }
7089 tmp = tmp->next;
7090 }
7091 /* if get there, the specified attribute is not found */
7092 return (NULL);
7093 }