1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * Copyright 2012 Milan Jurik. All rights reserved. 25 * Copyright (c) 2018, Joyent, Inc. 26 */ 27 28 #include <stdlib.h> 29 #include <string.h> 30 #include <security/cryptoki.h> 31 #include <sys/crypto/common.h> 32 #include <arcfour.h> 33 #include <aes_impl.h> 34 #include <blowfish_impl.h> 35 #include <bignum.h> 36 #include <des_impl.h> 37 #include <rsa_impl.h> 38 #include "softGlobal.h" 39 #include "softObject.h" 40 #include "softSession.h" 41 #include "softKeystore.h" 42 #include "softKeystoreUtil.h" 43 #include "softCrypt.h" 44 45 46 /* 47 * This attribute table is used by the soft_lookup_attr() 48 * to validate the attributes. 49 */ 50 CK_ATTRIBUTE_TYPE attr_map[] = { 51 CKA_PRIVATE, 52 CKA_LABEL, 53 CKA_APPLICATION, 54 CKA_OBJECT_ID, 55 CKA_CERTIFICATE_TYPE, 56 CKA_ISSUER, 57 CKA_SERIAL_NUMBER, 58 CKA_AC_ISSUER, 59 CKA_OWNER, 60 CKA_ATTR_TYPES, 61 CKA_SUBJECT, 62 CKA_ID, 63 CKA_SENSITIVE, 64 CKA_START_DATE, 65 CKA_END_DATE, 66 CKA_MODULUS, 67 CKA_MODULUS_BITS, 68 CKA_PUBLIC_EXPONENT, 69 CKA_PRIVATE_EXPONENT, 70 CKA_PRIME_1, 71 CKA_PRIME_2, 72 CKA_EXPONENT_1, 73 CKA_EXPONENT_2, 74 CKA_COEFFICIENT, 75 CKA_PRIME, 76 CKA_SUBPRIME, 77 CKA_BASE, 78 CKA_EXTRACTABLE, 79 CKA_LOCAL, 80 CKA_NEVER_EXTRACTABLE, 81 CKA_ALWAYS_SENSITIVE, 82 CKA_MODIFIABLE, 83 CKA_ECDSA_PARAMS, 84 CKA_EC_PARAMS, 85 CKA_EC_POINT, 86 CKA_SECONDARY_AUTH, 87 CKA_AUTH_PIN_FLAGS, 88 CKA_HW_FEATURE_TYPE, 89 CKA_RESET_ON_INIT, 90 CKA_HAS_RESET 91 }; 92 93 /* 94 * attributes that exists only in public key objects 95 * Note: some attributes may also exist in one or two 96 * other object classes, but they are also listed 97 * because not all object have them. 98 */ 99 CK_ATTRIBUTE_TYPE PUB_KEY_ATTRS[] = 100 { 101 CKA_SUBJECT, 102 CKA_ENCRYPT, 103 CKA_WRAP, 104 CKA_VERIFY, 105 CKA_VERIFY_RECOVER, 106 CKA_MODULUS, 107 CKA_MODULUS_BITS, 108 CKA_PUBLIC_EXPONENT, 109 CKA_PRIME, 110 CKA_SUBPRIME, 111 CKA_BASE, 112 CKA_TRUSTED, 113 CKA_ECDSA_PARAMS, 114 CKA_EC_PARAMS, 115 CKA_EC_POINT 116 }; 117 118 /* 119 * attributes that exists only in private key objects 120 * Note: some attributes may also exist in one or two 121 * other object classes, but they are also listed 122 * because not all object have them. 123 */ 124 CK_ATTRIBUTE_TYPE PRIV_KEY_ATTRS[] = 125 { 126 CKA_DECRYPT, 127 CKA_UNWRAP, 128 CKA_SIGN, 129 CKA_SIGN_RECOVER, 130 CKA_MODULUS, 131 CKA_PUBLIC_EXPONENT, 132 CKA_PRIVATE_EXPONENT, 133 CKA_PRIME, 134 CKA_SUBPRIME, 135 CKA_BASE, 136 CKA_PRIME_1, 137 CKA_PRIME_2, 138 CKA_EXPONENT_1, 139 CKA_EXPONENT_2, 140 CKA_COEFFICIENT, 141 CKA_VALUE_BITS, 142 CKA_SUBJECT, 143 CKA_SENSITIVE, 144 CKA_EXTRACTABLE, 145 CKA_NEVER_EXTRACTABLE, 146 CKA_ALWAYS_SENSITIVE, 147 CKA_EC_PARAMS 148 }; 149 150 /* 151 * attributes that exists only in secret key objects 152 * Note: some attributes may also exist in one or two 153 * other object classes, but they are also listed 154 * because not all object have them. 155 */ 156 CK_ATTRIBUTE_TYPE SECRET_KEY_ATTRS[] = 157 { 158 CKA_VALUE_LEN, 159 CKA_ENCRYPT, 160 CKA_DECRYPT, 161 CKA_WRAP, 162 CKA_UNWRAP, 163 CKA_SIGN, 164 CKA_VERIFY, 165 CKA_SENSITIVE, 166 CKA_EXTRACTABLE, 167 CKA_NEVER_EXTRACTABLE, 168 CKA_ALWAYS_SENSITIVE 169 }; 170 171 /* 172 * attributes that exists only in domain parameter objects 173 * Note: some attributes may also exist in one or two 174 * other object classes, but they are also listed 175 * because not all object have them. 176 */ 177 CK_ATTRIBUTE_TYPE DOMAIN_ATTRS[] = 178 { 179 CKA_PRIME, 180 CKA_SUBPRIME, 181 CKA_BASE, 182 CKA_PRIME_BITS, 183 CKA_SUBPRIME_BITS, 184 CKA_SUB_PRIME_BITS 185 }; 186 187 /* 188 * attributes that exists only in hardware feature objects 189 * 190 */ 191 CK_ATTRIBUTE_TYPE HARDWARE_ATTRS[] = 192 { 193 CKA_HW_FEATURE_TYPE, 194 CKA_RESET_ON_INIT, 195 CKA_HAS_RESET 196 }; 197 198 /* 199 * attributes that exists only in certificate objects 200 */ 201 CK_ATTRIBUTE_TYPE CERT_ATTRS[] = 202 { 203 CKA_CERTIFICATE_TYPE, 204 CKA_TRUSTED, 205 CKA_SUBJECT, 206 CKA_ID, 207 CKA_ISSUER, 208 CKA_AC_ISSUER, 209 CKA_SERIAL_NUMBER, 210 CKA_OWNER, 211 CKA_ATTR_TYPES 212 }; 213 214 215 /* 216 * Validate the attribute by using binary search algorithm. 217 */ 218 CK_RV 219 soft_lookup_attr(CK_ATTRIBUTE_TYPE type) 220 { 221 222 size_t lower, middle, upper; 223 224 lower = 0; 225 upper = (sizeof (attr_map) / sizeof (CK_ATTRIBUTE_TYPE)) - 1; 226 227 while (lower <= upper) { 228 /* Always starts from middle. */ 229 middle = (lower + upper) / 2; 230 231 if (type > attr_map[middle]) { 232 /* Adjust the lower bound to upper half. */ 233 lower = middle + 1; 234 continue; 235 } 236 237 if (type == attr_map[middle]) { 238 /* Found it. */ 239 return (CKR_OK); 240 } 241 242 if (type < attr_map[middle]) { 243 /* Adjust the upper bound to lower half. */ 244 upper = middle - 1; 245 continue; 246 } 247 } 248 249 /* Failed to find the matching attribute from the attribute table. */ 250 return (CKR_ATTRIBUTE_TYPE_INVALID); 251 } 252 253 254 /* 255 * Validate the attribute by using the following search algorithm: 256 * 257 * 1) Search for the most frequently used attributes first. 258 * 2) If not found, search for the usage-purpose attributes - these 259 * attributes have dense set of values, therefore compiler will 260 * optimize it with a branch table and branch to the appropriate 261 * case. 262 * 3) If still not found, use binary search for the rest of the 263 * attributes in the attr_map[] table. 264 */ 265 CK_RV 266 soft_validate_attr(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 267 CK_OBJECT_CLASS *class) 268 { 269 270 CK_ULONG i; 271 CK_RV rv = CKR_OK; 272 273 for (i = 0; i < ulAttrNum; i++) { 274 /* First tier search */ 275 switch (template[i].type) { 276 case CKA_CLASS: 277 *class = *((CK_OBJECT_CLASS*)template[i].pValue); 278 break; 279 case CKA_TOKEN: 280 break; 281 case CKA_KEY_TYPE: 282 break; 283 case CKA_VALUE: 284 break; 285 case CKA_VALUE_LEN: 286 break; 287 case CKA_VALUE_BITS: 288 break; 289 default: 290 /* Second tier search */ 291 switch (template[i].type) { 292 case CKA_ENCRYPT: 293 break; 294 case CKA_DECRYPT: 295 break; 296 case CKA_WRAP: 297 break; 298 case CKA_UNWRAP: 299 break; 300 case CKA_SIGN: 301 break; 302 case CKA_SIGN_RECOVER: 303 break; 304 case CKA_VERIFY: 305 break; 306 case CKA_VERIFY_RECOVER: 307 break; 308 case CKA_DERIVE: 309 break; 310 default: 311 /* Third tier search */ 312 rv = soft_lookup_attr(template[i].type); 313 if (rv != CKR_OK) 314 return (rv); 315 break; 316 } 317 break; 318 } 319 } 320 return (rv); 321 } 322 323 static void 324 cleanup_cert_attr(cert_attr_t *attr) 325 { 326 if (attr != NULL) { 327 freezero(attr->value, attr->length); 328 attr->value = NULL; 329 attr->length = 0; 330 } 331 } 332 333 static CK_RV 334 copy_cert_attr(cert_attr_t *src_attr, cert_attr_t **dest_attr) 335 { 336 CK_RV rv = CKR_OK; 337 338 if (src_attr == NULL || dest_attr == NULL) 339 return (CKR_HOST_MEMORY); 340 341 if (src_attr->value == NULL) 342 return (CKR_HOST_MEMORY); 343 344 /* free memory if its already allocated */ 345 if (*dest_attr != NULL) { 346 cleanup_cert_attr(*dest_attr); 347 } else { 348 *dest_attr = malloc(sizeof (cert_attr_t)); 349 if (*dest_attr == NULL) 350 return (CKR_HOST_MEMORY); 351 } 352 353 (*dest_attr)->value = NULL; 354 (*dest_attr)->length = 0; 355 356 if (src_attr->length) { 357 (*dest_attr)->value = malloc(src_attr->length); 358 if ((*dest_attr)->value == NULL) { 359 free(*dest_attr); 360 return (CKR_HOST_MEMORY); 361 } 362 363 (void) memcpy((*dest_attr)->value, src_attr->value, 364 src_attr->length); 365 (*dest_attr)->length = src_attr->length; 366 } 367 368 return (rv); 369 } 370 371 void 372 soft_cleanup_cert_object(soft_object_t *object_p) 373 { 374 CK_CERTIFICATE_TYPE certtype = object_p->cert_type; 375 376 if (object_p->class != CKO_CERTIFICATE || 377 OBJ_CERT(object_p) == NULL) 378 return; 379 380 if (certtype == CKC_X_509) { 381 if (X509_CERT_SUBJECT(object_p) != NULL) { 382 cleanup_cert_attr(X509_CERT_SUBJECT(object_p)); 383 free(X509_CERT_SUBJECT(object_p)); 384 X509_CERT_SUBJECT(object_p) = NULL; 385 } 386 if (X509_CERT_VALUE(object_p) != NULL) { 387 cleanup_cert_attr(X509_CERT_VALUE(object_p)); 388 free(X509_CERT_VALUE(object_p)); 389 X509_CERT_VALUE(object_p) = NULL; 390 } 391 free(OBJ_CERT(object_p)); 392 } else if (certtype == CKC_X_509_ATTR_CERT) { 393 if (X509_ATTR_CERT_VALUE(object_p) != NULL) { 394 cleanup_cert_attr(X509_ATTR_CERT_VALUE(object_p)); 395 free(X509_ATTR_CERT_VALUE(object_p)); 396 X509_ATTR_CERT_VALUE(object_p) = NULL; 397 } 398 if (X509_ATTR_CERT_OWNER(object_p) != NULL) { 399 cleanup_cert_attr(X509_ATTR_CERT_OWNER(object_p)); 400 free(X509_ATTR_CERT_OWNER(object_p)); 401 X509_ATTR_CERT_OWNER(object_p) = NULL; 402 } 403 free(OBJ_CERT(object_p)); 404 } 405 } 406 407 /* 408 * Clean up and release all the storage in the extra attribute list 409 * of an object. 410 */ 411 void 412 soft_cleanup_extra_attr(soft_object_t *object_p) 413 { 414 415 CK_ATTRIBUTE_INFO_PTR extra_attr; 416 CK_ATTRIBUTE_INFO_PTR tmp; 417 418 extra_attr = object_p->extra_attrlistp; 419 while (extra_attr) { 420 tmp = extra_attr->next; 421 if (extra_attr->attr.pValue != NULL) { 422 /* 423 * All extra attributes in the extra attribute 424 * list have pValue points to the value of the 425 * attribute (with simple byte array type). 426 * Free the storage for the value of the attribute. 427 */ 428 freezero(extra_attr->attr.pValue, 429 extra_attr->attr.ulValueLen); 430 } 431 432 /* Free the storage for the attribute_info struct. */ 433 free(extra_attr); 434 extra_attr = tmp; 435 } 436 437 object_p->extra_attrlistp = NULL; 438 } 439 440 441 /* 442 * Create the attribute_info struct to hold the object's attribute, 443 * and add it to the extra attribute list of an object. 444 */ 445 CK_RV 446 soft_add_extra_attr(CK_ATTRIBUTE_PTR template, soft_object_t *object_p) 447 { 448 449 CK_ATTRIBUTE_INFO_PTR attrp; 450 451 /* Allocate the storage for the attribute_info struct. */ 452 attrp = calloc(1, sizeof (attribute_info_t)); 453 if (attrp == NULL) { 454 return (CKR_HOST_MEMORY); 455 } 456 457 /* Set up attribute_info struct. */ 458 attrp->attr.type = template->type; 459 attrp->attr.ulValueLen = template->ulValueLen; 460 461 if ((template->pValue != NULL) && 462 (template->ulValueLen > 0)) { 463 /* Allocate storage for the value of the attribute. */ 464 attrp->attr.pValue = malloc(template->ulValueLen); 465 if (attrp->attr.pValue == NULL) { 466 free(attrp); 467 return (CKR_HOST_MEMORY); 468 } 469 470 (void) memcpy(attrp->attr.pValue, template->pValue, 471 template->ulValueLen); 472 } else { 473 attrp->attr.pValue = NULL; 474 } 475 476 /* Insert the new attribute in front of extra attribute list. */ 477 if (object_p->extra_attrlistp == NULL) { 478 object_p->extra_attrlistp = attrp; 479 attrp->next = NULL; 480 } else { 481 attrp->next = object_p->extra_attrlistp; 482 object_p->extra_attrlistp = attrp; 483 } 484 485 return (CKR_OK); 486 } 487 488 CK_RV 489 soft_copy_certificate(certificate_obj_t *oldcert, certificate_obj_t **newcert, 490 CK_CERTIFICATE_TYPE type) 491 { 492 CK_RV rv = CKR_OK; 493 certificate_obj_t *cert; 494 x509_cert_t x509; 495 x509_attr_cert_t x509_attr; 496 497 cert = calloc(1, sizeof (certificate_obj_t)); 498 if (cert == NULL) { 499 return (CKR_HOST_MEMORY); 500 } 501 502 if (type == CKC_X_509) { 503 x509 = oldcert->cert_type_u.x509; 504 if (x509.subject) 505 if ((rv = copy_cert_attr(x509.subject, 506 &cert->cert_type_u.x509.subject))) 507 return (rv); 508 if (x509.value) 509 if ((rv = copy_cert_attr(x509.value, 510 &cert->cert_type_u.x509.value))) 511 return (rv); 512 } else if (type == CKC_X_509_ATTR_CERT) { 513 x509_attr = oldcert->cert_type_u.x509_attr; 514 if (x509_attr.owner) 515 if ((rv = copy_cert_attr(x509_attr.owner, 516 &cert->cert_type_u.x509_attr.owner))) 517 return (rv); 518 if (x509_attr.value) 519 if ((rv = copy_cert_attr(x509_attr.value, 520 &cert->cert_type_u.x509_attr.value))) 521 return (rv); 522 } else { 523 /* wrong certificate type */ 524 rv = CKR_ATTRIBUTE_TYPE_INVALID; 525 } 526 if (rv == CKR_OK) 527 *newcert = cert; 528 return (rv); 529 } 530 531 /* 532 * Copy the attribute_info struct from the old object to a new attribute_info 533 * struct, and add that new struct to the extra attribute list of the new 534 * object. 535 */ 536 CK_RV 537 soft_copy_extra_attr(CK_ATTRIBUTE_INFO_PTR old_attrp, soft_object_t *object_p) 538 { 539 CK_ATTRIBUTE_INFO_PTR attrp; 540 541 /* Allocate attribute_info struct. */ 542 attrp = calloc(1, sizeof (attribute_info_t)); 543 if (attrp == NULL) { 544 return (CKR_HOST_MEMORY); 545 } 546 547 attrp->attr.type = old_attrp->attr.type; 548 attrp->attr.ulValueLen = old_attrp->attr.ulValueLen; 549 550 if ((old_attrp->attr.pValue != NULL) && 551 (old_attrp->attr.ulValueLen > 0)) { 552 attrp->attr.pValue = malloc(old_attrp->attr.ulValueLen); 553 if (attrp->attr.pValue == NULL) { 554 free(attrp); 555 return (CKR_HOST_MEMORY); 556 } 557 558 (void) memcpy(attrp->attr.pValue, old_attrp->attr.pValue, 559 old_attrp->attr.ulValueLen); 560 } else { 561 attrp->attr.pValue = NULL; 562 } 563 564 /* Insert the new attribute in front of extra attribute list */ 565 if (object_p->extra_attrlistp == NULL) { 566 object_p->extra_attrlistp = attrp; 567 attrp->next = NULL; 568 } else { 569 attrp->next = object_p->extra_attrlistp; 570 object_p->extra_attrlistp = attrp; 571 } 572 573 return (CKR_OK); 574 } 575 576 577 /* 578 * Get the attribute triple from the extra attribute list in the object 579 * (if the specified attribute type is found), and copy it to a template. 580 * Note the type of the attribute to be copied is specified by the template, 581 * and the storage is pre-allocated for the atrribute value in the template 582 * for doing the copy. 583 */ 584 CK_RV 585 get_extra_attr_from_object(soft_object_t *object_p, CK_ATTRIBUTE_PTR template) 586 { 587 588 CK_ATTRIBUTE_INFO_PTR extra_attr; 589 CK_ATTRIBUTE_TYPE type = template->type; 590 591 extra_attr = object_p->extra_attrlistp; 592 593 while (extra_attr) { 594 if (type == extra_attr->attr.type) { 595 /* Found it. */ 596 break; 597 } else { 598 /* Does not match, try next one. */ 599 extra_attr = extra_attr->next; 600 } 601 } 602 603 if (extra_attr == NULL) { 604 /* A valid but un-initialized attribute. */ 605 template->ulValueLen = 0; 606 return (CKR_OK); 607 } 608 609 /* 610 * We found the attribute in the extra attribute list. 611 */ 612 if (template->pValue == NULL) { 613 template->ulValueLen = extra_attr->attr.ulValueLen; 614 return (CKR_OK); 615 } 616 617 if (template->ulValueLen >= extra_attr->attr.ulValueLen) { 618 /* 619 * The buffer provided by the application is large 620 * enough to hold the value of the attribute. 621 */ 622 (void) memcpy(template->pValue, extra_attr->attr.pValue, 623 extra_attr->attr.ulValueLen); 624 template->ulValueLen = extra_attr->attr.ulValueLen; 625 return (CKR_OK); 626 } else { 627 /* 628 * The buffer provided by the application does 629 * not have enough space to hold the value. 630 */ 631 template->ulValueLen = (CK_ULONG)-1; 632 return (CKR_BUFFER_TOO_SMALL); 633 } 634 } 635 636 637 /* 638 * Modify the attribute triple in the extra attribute list of the object 639 * if the specified attribute type is found. Otherwise, just add it to 640 * list. 641 */ 642 CK_RV 643 set_extra_attr_to_object(soft_object_t *object_p, CK_ATTRIBUTE_TYPE type, 644 CK_ATTRIBUTE_PTR template) 645 { 646 647 CK_ATTRIBUTE_INFO_PTR extra_attr; 648 649 extra_attr = object_p->extra_attrlistp; 650 651 while (extra_attr) { 652 if (type == extra_attr->attr.type) { 653 /* Found it. */ 654 break; 655 } else { 656 /* Does not match, try next one. */ 657 extra_attr = extra_attr->next; 658 } 659 } 660 661 if (extra_attr == NULL) { 662 /* 663 * This attribute is a new one, go ahead adding it to 664 * the extra attribute list. 665 */ 666 return (soft_add_extra_attr(template, object_p)); 667 } 668 669 /* We found the attribute in the extra attribute list. */ 670 if ((template->pValue != NULL) && 671 (template->ulValueLen > 0)) { 672 if (template->ulValueLen > extra_attr->attr.ulValueLen) { 673 /* The old buffer is too small to hold the new value. */ 674 if (extra_attr->attr.pValue != NULL) { 675 /* Free storage for the old attribute value. */ 676 freezero(extra_attr->attr.pValue, 677 extra_attr->attr.ulValueLen); 678 } 679 680 /* Allocate storage for the new attribute value. */ 681 extra_attr->attr.pValue = malloc(template->ulValueLen); 682 if (extra_attr->attr.pValue == NULL) { 683 return (CKR_HOST_MEMORY); 684 } 685 } 686 687 /* Replace the attribute with new value. */ 688 extra_attr->attr.ulValueLen = template->ulValueLen; 689 (void) memcpy(extra_attr->attr.pValue, template->pValue, 690 template->ulValueLen); 691 } else { 692 extra_attr->attr.pValue = NULL; 693 } 694 695 return (CKR_OK); 696 } 697 698 699 /* 700 * Copy the big integer attribute value from template to a biginteger_t struct. 701 */ 702 CK_RV 703 get_bigint_attr_from_template(biginteger_t *big, CK_ATTRIBUTE_PTR template) 704 { 705 706 if ((template->pValue != NULL) && 707 (template->ulValueLen > 0)) { 708 /* Allocate storage for the value of the attribute. */ 709 big->big_value = malloc(template->ulValueLen); 710 if (big->big_value == NULL) { 711 return (CKR_HOST_MEMORY); 712 } 713 714 (void) memcpy(big->big_value, template->pValue, 715 template->ulValueLen); 716 big->big_value_len = template->ulValueLen; 717 } else { 718 big->big_value = NULL; 719 big->big_value_len = 0; 720 } 721 722 return (CKR_OK); 723 } 724 725 726 /* 727 * Copy the big integer attribute value from a biginteger_t struct in the 728 * object to a template. 729 */ 730 CK_RV 731 get_bigint_attr_from_object(biginteger_t *big, CK_ATTRIBUTE_PTR template) 732 { 733 734 if (template->pValue == NULL) { 735 template->ulValueLen = big->big_value_len; 736 return (CKR_OK); 737 } 738 739 if (big->big_value == NULL) { 740 template->ulValueLen = 0; 741 return (CKR_OK); 742 } 743 744 if (template->ulValueLen >= big->big_value_len) { 745 /* 746 * The buffer provided by the application is large 747 * enough to hold the value of the attribute. 748 */ 749 (void) memcpy(template->pValue, big->big_value, 750 big->big_value_len); 751 template->ulValueLen = big->big_value_len; 752 return (CKR_OK); 753 } else { 754 /* 755 * The buffer provided by the application does 756 * not have enough space to hold the value. 757 */ 758 template->ulValueLen = (CK_ULONG)-1; 759 return (CKR_BUFFER_TOO_SMALL); 760 } 761 } 762 763 764 /* 765 * Copy the boolean data type attribute value from an object for the 766 * specified attribute to the template. 767 */ 768 CK_RV 769 get_bool_attr_from_object(soft_object_t *object_p, CK_ULONG bool_flag, 770 CK_ATTRIBUTE_PTR template) 771 { 772 773 if (template->pValue == NULL) { 774 template->ulValueLen = sizeof (CK_BBOOL); 775 return (CKR_OK); 776 } 777 778 if (template->ulValueLen >= sizeof (CK_BBOOL)) { 779 /* 780 * The buffer provided by the application is large 781 * enough to hold the value of the attribute. 782 */ 783 if (object_p->bool_attr_mask & bool_flag) { 784 *((CK_BBOOL *)template->pValue) = B_TRUE; 785 } else { 786 *((CK_BBOOL *)template->pValue) = B_FALSE; 787 } 788 789 template->ulValueLen = sizeof (CK_BBOOL); 790 return (CKR_OK); 791 } else { 792 /* 793 * The buffer provided by the application does 794 * not have enough space to hold the value. 795 */ 796 template->ulValueLen = (CK_ULONG)-1; 797 return (CKR_BUFFER_TOO_SMALL); 798 } 799 } 800 801 /* 802 * Set the boolean data type attribute value in the object. 803 */ 804 CK_RV 805 set_bool_attr_to_object(soft_object_t *object_p, CK_ULONG bool_flag, 806 CK_ATTRIBUTE_PTR template) 807 { 808 809 if (*(CK_BBOOL *)template->pValue) 810 object_p->bool_attr_mask |= bool_flag; 811 else 812 object_p->bool_attr_mask &= ~bool_flag; 813 814 return (CKR_OK); 815 } 816 817 818 /* 819 * Copy the CK_ULONG data type attribute value from an object to the 820 * template. 821 */ 822 CK_RV 823 get_ulong_attr_from_object(CK_ULONG value, CK_ATTRIBUTE_PTR template) 824 { 825 826 if (template->pValue == NULL) { 827 template->ulValueLen = sizeof (CK_ULONG); 828 return (CKR_OK); 829 } 830 831 if (template->ulValueLen >= sizeof (CK_ULONG)) { 832 /* 833 * The buffer provided by the application is large 834 * enough to hold the value of the attribute. 835 * It is also assumed to be correctly aligned. 836 */ 837 *(CK_ULONG_PTR)template->pValue = value; 838 template->ulValueLen = sizeof (CK_ULONG); 839 return (CKR_OK); 840 } else { 841 /* 842 * The buffer provided by the application does 843 * not have enough space to hold the value. 844 */ 845 template->ulValueLen = (CK_ULONG)-1; 846 return (CKR_BUFFER_TOO_SMALL); 847 } 848 } 849 850 851 /* 852 * Copy the CK_ULONG data type attribute value from a template to the 853 * object. 854 */ 855 static CK_RV 856 get_ulong_attr_from_template(CK_ULONG *value, CK_ATTRIBUTE_PTR template) 857 { 858 859 if (template->ulValueLen < sizeof (CK_ULONG)) 860 return (CKR_ATTRIBUTE_VALUE_INVALID); 861 862 if (template->pValue != NULL) { 863 *value = *(CK_ULONG_PTR)template->pValue; 864 } else { 865 *value = 0; 866 } 867 868 return (CKR_OK); 869 } 870 871 /* 872 * Copy the big integer attribute value from source's biginteger_t to 873 * destination's biginteger_t. 874 */ 875 void 876 copy_bigint_attr(biginteger_t *src, biginteger_t *dst) 877 { 878 879 if ((src->big_value != NULL) && 880 (src->big_value_len > 0)) { 881 /* 882 * To do the copy, just have dst's big_value points 883 * to src's. 884 */ 885 dst->big_value = src->big_value; 886 dst->big_value_len = src->big_value_len; 887 888 /* 889 * After the copy, nullify the src's big_value pointer. 890 * It prevents any double freeing the value. 891 */ 892 src->big_value = NULL; 893 src->big_value_len = 0; 894 } else { 895 dst->big_value = NULL; 896 dst->big_value_len = 0; 897 } 898 } 899 900 CK_RV 901 get_string_from_template(CK_ATTRIBUTE_PTR dest, CK_ATTRIBUTE_PTR src) 902 { 903 if ((src->pValue != NULL) && 904 (src->ulValueLen > 0)) { 905 /* Allocate storage for the value of the attribute. */ 906 dest->pValue = malloc(src->ulValueLen); 907 if (dest->pValue == NULL) { 908 return (CKR_HOST_MEMORY); 909 } 910 911 (void) memcpy(dest->pValue, src->pValue, 912 src->ulValueLen); 913 dest->ulValueLen = src->ulValueLen; 914 dest->type = src->type; 915 } else { 916 dest->pValue = NULL; 917 dest->ulValueLen = 0; 918 dest->type = src->type; 919 } 920 921 return (CKR_OK); 922 923 } 924 925 CK_RV 926 get_cert_attr_from_template(cert_attr_t **dest, CK_ATTRIBUTE_PTR src) 927 { 928 if (src->pValue != NULL && src->ulValueLen > 0) { 929 /* 930 * If the attribute was already set, clear out the 931 * existing value and release the memory. 932 */ 933 if (*dest != NULL) { 934 cleanup_cert_attr(*dest); 935 } else { 936 *dest = malloc(sizeof (cert_attr_t)); 937 if (*dest == NULL) { 938 return (CKR_HOST_MEMORY); 939 } 940 (void) memset(*dest, 0, sizeof (cert_attr_t)); 941 } 942 (*dest)->value = malloc(src->ulValueLen); 943 if ((*dest)->value == NULL) { 944 free(*dest); 945 *dest = NULL; 946 return (CKR_HOST_MEMORY); 947 } 948 (void) memcpy((*dest)->value, src->pValue, src->ulValueLen); 949 (*dest)->length = src->ulValueLen; 950 } 951 952 return (CKR_OK); 953 } 954 955 /* 956 * Copy the certificate attribute information to the template. 957 * If the template attribute is not big enough, set the ulValueLen=-1 958 * and return CKR_BUFFER_TOO_SMALL. 959 */ 960 static CK_RV 961 get_cert_attr_from_object(cert_attr_t *src, CK_ATTRIBUTE_PTR template) 962 { 963 if (template->pValue == NULL) { 964 template->ulValueLen = src->length; 965 return (CKR_OK); 966 } else if (template->ulValueLen >= src->length) { 967 /* 968 * The buffer provided by the application is large 969 * enough to hold the value of the attribute. 970 */ 971 (void) memcpy(template->pValue, src->value, src->length); 972 template->ulValueLen = src->length; 973 return (CKR_OK); 974 } else { 975 /* 976 * The buffer provided by the application does 977 * not have enough space to hold the value. 978 */ 979 template->ulValueLen = (CK_ULONG)-1; 980 return (CKR_BUFFER_TOO_SMALL); 981 } 982 } 983 984 void 985 string_attr_cleanup(CK_ATTRIBUTE_PTR template) 986 { 987 freezero(template->pValue, template->ulValueLen); 988 template->pValue = NULL; 989 template->ulValueLen = 0; 990 } 991 992 /* 993 * Release the storage allocated for object attribute with big integer 994 * value. 995 */ 996 void 997 bigint_attr_cleanup(biginteger_t *big) 998 { 999 1000 if (big == NULL) 1001 return; 1002 1003 freezero(big->big_value, big->big_value_len); 1004 big->big_value = NULL; 1005 big->big_value_len = 0; 1006 } 1007 1008 1009 /* 1010 * Clean up and release all the storage allocated to hold the big integer 1011 * attributes associated with the type (i.e. class) of the object. Also, 1012 * release the storage allocated to the type of the object. 1013 */ 1014 void 1015 soft_cleanup_object_bigint_attrs(soft_object_t *object_p) 1016 { 1017 1018 CK_OBJECT_CLASS class = object_p->class; 1019 CK_KEY_TYPE keytype = object_p->key_type; 1020 1021 1022 switch (class) { 1023 case CKO_PUBLIC_KEY: 1024 if (OBJ_PUB(object_p)) { 1025 switch (keytype) { 1026 case CKK_RSA: 1027 bigint_attr_cleanup(OBJ_PUB_RSA_MOD( 1028 object_p)); 1029 bigint_attr_cleanup(OBJ_PUB_RSA_PUBEXPO( 1030 object_p)); 1031 break; 1032 1033 case CKK_DSA: 1034 bigint_attr_cleanup(OBJ_PUB_DSA_PRIME( 1035 object_p)); 1036 bigint_attr_cleanup(OBJ_PUB_DSA_SUBPRIME( 1037 object_p)); 1038 bigint_attr_cleanup(OBJ_PUB_DSA_BASE( 1039 object_p)); 1040 bigint_attr_cleanup(OBJ_PUB_DSA_VALUE( 1041 object_p)); 1042 break; 1043 1044 case CKK_DH: 1045 bigint_attr_cleanup(OBJ_PUB_DH_PRIME( 1046 object_p)); 1047 bigint_attr_cleanup(OBJ_PUB_DH_BASE( 1048 object_p)); 1049 bigint_attr_cleanup(OBJ_PUB_DH_VALUE( 1050 object_p)); 1051 break; 1052 1053 case CKK_X9_42_DH: 1054 bigint_attr_cleanup(OBJ_PUB_DH942_PRIME( 1055 object_p)); 1056 bigint_attr_cleanup(OBJ_PUB_DH942_BASE( 1057 object_p)); 1058 bigint_attr_cleanup(OBJ_PUB_DH942_SUBPRIME( 1059 object_p)); 1060 bigint_attr_cleanup(OBJ_PUB_DH942_VALUE( 1061 object_p)); 1062 break; 1063 case CKK_EC: 1064 bigint_attr_cleanup(OBJ_PUB_EC_POINT( 1065 object_p)); 1066 break; 1067 } 1068 1069 /* Release Public Key Object struct */ 1070 free(OBJ_PUB(object_p)); 1071 OBJ_PUB(object_p) = NULL; 1072 } 1073 break; 1074 1075 case CKO_PRIVATE_KEY: 1076 if (OBJ_PRI(object_p)) { 1077 switch (keytype) { 1078 case CKK_RSA: 1079 bigint_attr_cleanup(OBJ_PRI_RSA_MOD( 1080 object_p)); 1081 bigint_attr_cleanup(OBJ_PRI_RSA_PUBEXPO( 1082 object_p)); 1083 bigint_attr_cleanup(OBJ_PRI_RSA_PRIEXPO( 1084 object_p)); 1085 bigint_attr_cleanup(OBJ_PRI_RSA_PRIME1( 1086 object_p)); 1087 bigint_attr_cleanup(OBJ_PRI_RSA_PRIME2( 1088 object_p)); 1089 bigint_attr_cleanup(OBJ_PRI_RSA_EXPO1( 1090 object_p)); 1091 bigint_attr_cleanup(OBJ_PRI_RSA_EXPO2( 1092 object_p)); 1093 bigint_attr_cleanup(OBJ_PRI_RSA_COEF( 1094 object_p)); 1095 break; 1096 1097 case CKK_DSA: 1098 bigint_attr_cleanup(OBJ_PRI_DSA_PRIME( 1099 object_p)); 1100 bigint_attr_cleanup(OBJ_PRI_DSA_SUBPRIME( 1101 object_p)); 1102 bigint_attr_cleanup(OBJ_PRI_DSA_BASE( 1103 object_p)); 1104 bigint_attr_cleanup(OBJ_PRI_DSA_VALUE( 1105 object_p)); 1106 break; 1107 1108 case CKK_DH: 1109 bigint_attr_cleanup(OBJ_PRI_DH_PRIME( 1110 object_p)); 1111 bigint_attr_cleanup(OBJ_PRI_DH_BASE( 1112 object_p)); 1113 bigint_attr_cleanup(OBJ_PRI_DH_VALUE( 1114 object_p)); 1115 break; 1116 1117 case CKK_X9_42_DH: 1118 bigint_attr_cleanup(OBJ_PRI_DH942_PRIME( 1119 object_p)); 1120 bigint_attr_cleanup(OBJ_PRI_DH942_BASE( 1121 object_p)); 1122 bigint_attr_cleanup(OBJ_PRI_DH942_SUBPRIME( 1123 object_p)); 1124 bigint_attr_cleanup(OBJ_PRI_DH942_VALUE( 1125 object_p)); 1126 break; 1127 1128 case CKK_EC: 1129 bigint_attr_cleanup(OBJ_PRI_EC_VALUE( 1130 object_p)); 1131 break; 1132 } 1133 1134 /* Release Private Key Object struct. */ 1135 free(OBJ_PRI(object_p)); 1136 OBJ_PRI(object_p) = NULL; 1137 } 1138 break; 1139 1140 case CKO_SECRET_KEY: 1141 if (OBJ_SEC(object_p)) { 1142 /* cleanup key data area */ 1143 if (OBJ_SEC_VALUE(object_p) != NULL && 1144 OBJ_SEC_VALUE_LEN(object_p) > 0) { 1145 freezero(OBJ_SEC_VALUE(object_p), 1146 OBJ_SEC_VALUE_LEN(object_p)); 1147 } 1148 /* cleanup key schedule data area */ 1149 if (OBJ_KEY_SCHED(object_p) != NULL && 1150 OBJ_KEY_SCHED_LEN(object_p) > 0) { 1151 freezero(OBJ_KEY_SCHED(object_p), 1152 OBJ_KEY_SCHED_LEN(object_p)); 1153 } 1154 1155 /* Release Secret Key Object struct. */ 1156 free(OBJ_SEC(object_p)); 1157 OBJ_SEC(object_p) = NULL; 1158 } 1159 break; 1160 1161 case CKO_DOMAIN_PARAMETERS: 1162 if (OBJ_DOM(object_p)) { 1163 switch (keytype) { 1164 case CKK_DSA: 1165 bigint_attr_cleanup(OBJ_DOM_DSA_PRIME( 1166 object_p)); 1167 bigint_attr_cleanup(OBJ_DOM_DSA_SUBPRIME( 1168 object_p)); 1169 bigint_attr_cleanup(OBJ_DOM_DSA_BASE( 1170 object_p)); 1171 break; 1172 1173 case CKK_DH: 1174 bigint_attr_cleanup(OBJ_DOM_DH_PRIME( 1175 object_p)); 1176 bigint_attr_cleanup(OBJ_DOM_DH_BASE( 1177 object_p)); 1178 break; 1179 1180 case CKK_X9_42_DH: 1181 bigint_attr_cleanup(OBJ_DOM_DH942_PRIME( 1182 object_p)); 1183 bigint_attr_cleanup(OBJ_DOM_DH942_BASE( 1184 object_p)); 1185 bigint_attr_cleanup(OBJ_DOM_DH942_SUBPRIME( 1186 object_p)); 1187 break; 1188 } 1189 1190 /* Release Domain Parameters Object struct. */ 1191 free(OBJ_DOM(object_p)); 1192 OBJ_DOM(object_p) = NULL; 1193 } 1194 break; 1195 } 1196 } 1197 1198 1199 /* 1200 * Parse the common attributes. Return to caller with appropriate return 1201 * value to indicate if the supplied template specifies a valid attribute 1202 * with a valid value. 1203 */ 1204 CK_RV 1205 soft_parse_common_attrs(CK_ATTRIBUTE_PTR template, uchar_t *object_type) 1206 { 1207 1208 CK_RV rv = CKR_OK; 1209 1210 switch (template->type) { 1211 case CKA_CLASS: 1212 break; 1213 1214 /* default boolean attributes */ 1215 case CKA_TOKEN: 1216 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) { 1217 if (!soft_keystore_status(KEYSTORE_INITIALIZED)) 1218 return (CKR_DEVICE_REMOVED); 1219 *object_type |= TOKEN_OBJECT; 1220 } 1221 break; 1222 1223 case CKA_PRIVATE: 1224 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) { 1225 (void) pthread_mutex_lock(&soft_giant_mutex); 1226 if (!soft_slot.authenticated) { 1227 /* 1228 * Check if this is the special case when 1229 * the PIN is never initialized in the keystore. 1230 * If true, we will let it pass here and let 1231 * it fail with CKR_PIN_EXPIRED later on. 1232 */ 1233 if (!soft_slot.userpin_change_needed) { 1234 (void) pthread_mutex_unlock( 1235 &soft_giant_mutex); 1236 return (CKR_USER_NOT_LOGGED_IN); 1237 } 1238 } 1239 (void) pthread_mutex_unlock(&soft_giant_mutex); 1240 *object_type |= PRIVATE_OBJECT; 1241 } 1242 break; 1243 1244 case CKA_LABEL: 1245 break; 1246 1247 default: 1248 rv = CKR_TEMPLATE_INCONSISTENT; 1249 } 1250 1251 return (rv); 1252 } 1253 1254 1255 /* 1256 * Build a Public Key Object. 1257 * 1258 * - Parse the object's template, and when an error is detected such as 1259 * invalid attribute type, invalid attribute value, etc., return 1260 * with appropriate return value. 1261 * - Set up attribute mask field in the object for the supplied common 1262 * attributes that have boolean type. 1263 * - Build the attribute_info struct to hold the value of each supplied 1264 * attribute that has byte array type. Link attribute_info structs 1265 * together to form the extra attribute list of the object. 1266 * - Allocate storage for the Public Key object. 1267 * - Build the Public Key object according to the key type. Allocate 1268 * storage to hold the big integer value for the supplied attributes 1269 * that are required for a certain key type. 1270 * 1271 */ 1272 CK_RV 1273 soft_build_public_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 1274 soft_object_t *new_object, CK_ULONG mode, CK_KEY_TYPE key_type) 1275 { 1276 1277 ulong_t i; 1278 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL; 1279 uint64_t attr_mask = PUBLIC_KEY_DEFAULT; 1280 CK_RV rv = CKR_OK; 1281 int isLabel = 0; 1282 /* Must set flags */ 1283 int isModulus = 0; 1284 int isPubExpo = 0; 1285 int isPrime = 0; 1286 int isSubprime = 0; 1287 int isBase = 0; 1288 int isValue = 0; 1289 int isECParam = 0; 1290 int isECPoint = 0; 1291 /* Must not set flags */ 1292 int isModulusBits = 0; 1293 CK_ULONG modulus_bits = 0; 1294 1295 biginteger_t modulus; 1296 biginteger_t pubexpo; 1297 biginteger_t prime; 1298 biginteger_t subprime; 1299 biginteger_t base; 1300 biginteger_t value; 1301 biginteger_t point; 1302 CK_ATTRIBUTE string_tmp; 1303 CK_ATTRIBUTE param_tmp; 1304 1305 public_key_obj_t *pbk; 1306 uchar_t object_type = 0; 1307 1308 CK_ATTRIBUTE defpubexpo = { CKA_PUBLIC_EXPONENT, 1309 (CK_BYTE_PTR)DEFAULT_PUB_EXPO, DEFAULT_PUB_EXPO_Len }; 1310 1311 BIGNUM n; 1312 1313 /* prevent bigint_attr_cleanup from freeing invalid attr value */ 1314 (void) memset(&modulus, 0x0, sizeof (biginteger_t)); 1315 (void) memset(&pubexpo, 0x0, sizeof (biginteger_t)); 1316 (void) memset(&prime, 0x0, sizeof (biginteger_t)); 1317 (void) memset(&subprime, 0x0, sizeof (biginteger_t)); 1318 (void) memset(&base, 0x0, sizeof (biginteger_t)); 1319 (void) memset(&value, 0x0, sizeof (biginteger_t)); 1320 (void) memset(&point, 0x0, sizeof (biginteger_t)); 1321 string_tmp.pValue = NULL; 1322 param_tmp.pValue = NULL; 1323 1324 for (i = 0; i < ulAttrNum; i++) { 1325 1326 /* Public Key Object Attributes */ 1327 switch (template[i].type) { 1328 1329 /* common key attributes */ 1330 case CKA_KEY_TYPE: 1331 keytype = *((CK_KEY_TYPE*)template[i].pValue); 1332 break; 1333 1334 case CKA_ID: 1335 case CKA_START_DATE: 1336 case CKA_END_DATE: 1337 1338 /* common public key attribute */ 1339 case CKA_SUBJECT: 1340 /* 1341 * Allocate storage to hold the attribute 1342 * value with byte array type, and add it to 1343 * the extra attribute list of the object. 1344 */ 1345 rv = soft_add_extra_attr(&template[i], 1346 new_object); 1347 if (rv != CKR_OK) { 1348 goto fail_cleanup; 1349 } 1350 break; 1351 1352 /* 1353 * The following key related attribute types must 1354 * not be specified by C_CreateObject, C_GenerateKey(Pair). 1355 */ 1356 case CKA_LOCAL: 1357 case CKA_KEY_GEN_MECHANISM: 1358 rv = CKR_TEMPLATE_INCONSISTENT; 1359 goto fail_cleanup; 1360 1361 /* Key related boolean attributes */ 1362 case CKA_DERIVE: 1363 if (*(CK_BBOOL *)template[i].pValue) 1364 attr_mask |= DERIVE_BOOL_ON; 1365 break; 1366 1367 case CKA_ENCRYPT: 1368 if (*(CK_BBOOL *)template[i].pValue) 1369 attr_mask |= ENCRYPT_BOOL_ON; 1370 else 1371 attr_mask &= ~ENCRYPT_BOOL_ON; 1372 break; 1373 1374 case CKA_VERIFY: 1375 if (*(CK_BBOOL *)template[i].pValue) 1376 attr_mask |= VERIFY_BOOL_ON; 1377 else 1378 attr_mask &= ~VERIFY_BOOL_ON; 1379 break; 1380 1381 case CKA_VERIFY_RECOVER: 1382 if (*(CK_BBOOL *)template[i].pValue) 1383 attr_mask |= VERIFY_RECOVER_BOOL_ON; 1384 else 1385 attr_mask &= ~VERIFY_RECOVER_BOOL_ON; 1386 break; 1387 1388 case CKA_WRAP: 1389 if (*(CK_BBOOL *)template[i].pValue) 1390 attr_mask |= WRAP_BOOL_ON; 1391 else 1392 attr_mask &= ~WRAP_BOOL_ON; 1393 break; 1394 1395 case CKA_TRUSTED: 1396 if (*(CK_BBOOL *)template[i].pValue) 1397 attr_mask |= TRUSTED_BOOL_ON; 1398 break; 1399 1400 case CKA_MODIFIABLE: 1401 if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE) 1402 attr_mask |= NOT_MODIFIABLE_BOOL_ON; 1403 break; 1404 1405 /* 1406 * The following key related attribute types must 1407 * be specified according to the key type by 1408 * C_CreateObject. 1409 */ 1410 case CKA_MODULUS: 1411 1412 isModulus = 1; 1413 /* 1414 * Copyin big integer attribute from template 1415 * to a local variable. 1416 */ 1417 rv = get_bigint_attr_from_template(&modulus, 1418 &template[i]); 1419 if (rv != CKR_OK) 1420 goto fail_cleanup; 1421 1422 /* 1423 * Modulus length needs to be between min key length and 1424 * max key length. 1425 */ 1426 if ((modulus.big_value_len < 1427 MIN_RSA_KEYLENGTH_IN_BYTES) || 1428 (modulus.big_value_len > 1429 MAX_RSA_KEYLENGTH_IN_BYTES)) { 1430 rv = CKR_ATTRIBUTE_VALUE_INVALID; 1431 goto fail_cleanup; 1432 } 1433 break; 1434 1435 case CKA_PUBLIC_EXPONENT: 1436 isPubExpo = 1; 1437 rv = get_bigint_attr_from_template(&pubexpo, 1438 &template[i]); 1439 if (rv != CKR_OK) 1440 goto fail_cleanup; 1441 break; 1442 1443 case CKA_PRIME: 1444 isPrime = 1; 1445 rv = get_bigint_attr_from_template(&prime, 1446 &template[i]); 1447 if (rv != CKR_OK) 1448 goto fail_cleanup; 1449 break; 1450 1451 case CKA_SUBPRIME: 1452 isSubprime = 1; 1453 rv = get_bigint_attr_from_template(&subprime, 1454 &template[i]); 1455 if (rv != CKR_OK) 1456 goto fail_cleanup; 1457 break; 1458 1459 case CKA_BASE: 1460 isBase = 1; 1461 rv = get_bigint_attr_from_template(&base, 1462 &template[i]); 1463 if (rv != CKR_OK) 1464 goto fail_cleanup; 1465 break; 1466 1467 case CKA_VALUE: 1468 isValue = 1; 1469 if (mode == SOFT_CREATE_OBJ) { 1470 if ((template[i].ulValueLen == 0) || 1471 (template[i].pValue == NULL)) { 1472 rv = CKR_ATTRIBUTE_VALUE_INVALID; 1473 goto fail_cleanup; 1474 } 1475 } 1476 1477 rv = get_bigint_attr_from_template(&value, 1478 &template[i]); 1479 if (rv != CKR_OK) 1480 goto fail_cleanup; 1481 break; 1482 1483 case CKA_MODULUS_BITS: 1484 isModulusBits = 1; 1485 rv = get_ulong_attr_from_template(&modulus_bits, 1486 &template[i]); 1487 if (rv != CKR_OK) 1488 goto fail_cleanup; 1489 break; 1490 1491 case CKA_LABEL: 1492 isLabel = 1; 1493 rv = get_string_from_template(&string_tmp, 1494 &template[i]); 1495 if (rv != CKR_OK) 1496 goto fail_cleanup; 1497 break; 1498 1499 case CKA_EC_PARAMS: 1500 isECParam = 1; 1501 rv = get_string_from_template(¶m_tmp, &template[i]); 1502 if (rv != CKR_OK) 1503 goto fail_cleanup; 1504 break; 1505 1506 case CKA_EC_POINT: 1507 isECPoint = 1; 1508 rv = get_bigint_attr_from_template(&point, 1509 &template[i]); 1510 if (rv != CKR_OK) 1511 goto fail_cleanup; 1512 break; 1513 1514 default: 1515 rv = soft_parse_common_attrs(&template[i], 1516 &object_type); 1517 if (rv != CKR_OK) 1518 goto fail_cleanup; 1519 break; 1520 } 1521 } /* For */ 1522 1523 /* Allocate storage for Public Key Object. */ 1524 pbk = calloc(1, sizeof (public_key_obj_t)); 1525 if (pbk == NULL) { 1526 rv = CKR_HOST_MEMORY; 1527 goto fail_cleanup; 1528 } 1529 1530 new_object->object_class_u.public_key = pbk; 1531 new_object->class = CKO_PUBLIC_KEY; 1532 1533 if ((mode == SOFT_CREATE_OBJ) && (keytype == (CK_KEY_TYPE)~0UL)) { 1534 rv = CKR_TEMPLATE_INCOMPLETE; 1535 goto fail_cleanup; 1536 } 1537 1538 if ((mode == SOFT_GEN_KEY) && (keytype == (CK_KEY_TYPE)~0UL)) { 1539 keytype = key_type; 1540 } 1541 1542 if ((mode == SOFT_GEN_KEY) && (keytype != key_type)) { 1543 /* 1544 * The key type specified in the template does not 1545 * match the implied key type based on the mechanism. 1546 */ 1547 rv = CKR_TEMPLATE_INCONSISTENT; 1548 goto fail_cleanup; 1549 } 1550 1551 new_object->key_type = keytype; 1552 1553 /* Supported key types of the Public Key Object */ 1554 switch (keytype) { 1555 1556 case CKK_RSA: 1557 if (mode == SOFT_CREATE_OBJ) { 1558 if (isModulusBits || isPrime || isSubprime || 1559 isBase || isValue) { 1560 rv = CKR_TEMPLATE_INCONSISTENT; 1561 goto fail_cleanup; 1562 } 1563 1564 if (isModulus && isPubExpo) { 1565 /* 1566 * Derive modulus_bits attribute from modulus. 1567 * Save modulus_bits integer value to the 1568 * designated place in the public key object. 1569 */ 1570 n.malloced = 0; 1571 #ifdef __sparcv9 1572 if (big_init(&n, (int)CHARLEN2BIGNUMLEN( 1573 modulus.big_value_len)) != BIG_OK) { 1574 #else /* !__sparcv9 */ 1575 if (big_init(&n, CHARLEN2BIGNUMLEN( 1576 modulus.big_value_len)) != BIG_OK) { 1577 #endif /* __sparcv9 */ 1578 rv = CKR_HOST_MEMORY; 1579 big_finish(&n); 1580 goto fail_cleanup; 1581 } 1582 bytestring2bignum(&n, modulus.big_value, 1583 modulus.big_value_len); 1584 1585 modulus_bits = big_bitlength(&n); 1586 KEY_PUB_RSA_MOD_BITS(pbk) = modulus_bits; 1587 big_finish(&n); 1588 1589 /* 1590 * After modulus_bits has been computed, 1591 * it is safe to move modulus and pubexpo 1592 * big integer attribute value to the 1593 * designated place in the public key object. 1594 */ 1595 copy_bigint_attr(&modulus, 1596 KEY_PUB_RSA_MOD(pbk)); 1597 1598 copy_bigint_attr(&pubexpo, 1599 KEY_PUB_RSA_PUBEXPO(pbk)); 1600 } else { 1601 rv = CKR_TEMPLATE_INCOMPLETE; 1602 goto fail_cleanup; 1603 } 1604 } else { 1605 /* mode is SOFT_GEN_KEY */ 1606 1607 if (isModulus || isPrime || isSubprime || 1608 isBase || isValue) { 1609 rv = CKR_TEMPLATE_INCONSISTENT; 1610 goto fail_cleanup; 1611 } 1612 1613 1614 if (isModulusBits) { 1615 /* 1616 * Copy big integer attribute value to the 1617 * designated place in the public key object. 1618 */ 1619 KEY_PUB_RSA_MOD_BITS(pbk) = modulus_bits; 1620 } else { 1621 rv = CKR_TEMPLATE_INCOMPLETE; 1622 goto fail_cleanup; 1623 } 1624 1625 /* 1626 * Use PKCS#11 default 0x010001 for public exponent 1627 * if not not specified in attribute template. 1628 */ 1629 if (!isPubExpo) { 1630 isPubExpo = 1; 1631 rv = get_bigint_attr_from_template(&pubexpo, 1632 &defpubexpo); 1633 if (rv != CKR_OK) 1634 goto fail_cleanup; 1635 } 1636 /* 1637 * Copy big integer attribute value to the 1638 * designated place in the public key object. 1639 */ 1640 copy_bigint_attr(&pubexpo, KEY_PUB_RSA_PUBEXPO(pbk)); 1641 } 1642 1643 break; 1644 1645 case CKK_DSA: 1646 if (mode == SOFT_CREATE_OBJ) { 1647 if (isModulusBits || isModulus || isPubExpo) { 1648 rv = CKR_TEMPLATE_INCONSISTENT; 1649 goto fail_cleanup; 1650 } 1651 1652 if (isPrime && isSubprime && isBase && isValue) { 1653 copy_bigint_attr(&value, 1654 KEY_PUB_DSA_VALUE(pbk)); 1655 } else { 1656 rv = CKR_TEMPLATE_INCOMPLETE; 1657 goto fail_cleanup; 1658 } 1659 } else { 1660 if (isModulusBits || isModulus || isPubExpo || 1661 isValue) { 1662 rv = CKR_TEMPLATE_INCONSISTENT; 1663 goto fail_cleanup; 1664 } 1665 1666 if (!(isPrime && isSubprime && isBase)) { 1667 rv = CKR_TEMPLATE_INCOMPLETE; 1668 goto fail_cleanup; 1669 } 1670 } 1671 1672 copy_bigint_attr(&prime, KEY_PUB_DSA_PRIME(pbk)); 1673 1674 copy_bigint_attr(&subprime, KEY_PUB_DSA_SUBPRIME(pbk)); 1675 1676 copy_bigint_attr(&base, KEY_PUB_DSA_BASE(pbk)); 1677 1678 break; 1679 1680 case CKK_DH: 1681 if (mode == SOFT_CREATE_OBJ) { 1682 if (isModulusBits || isModulus || isPubExpo || 1683 isSubprime) { 1684 rv = CKR_TEMPLATE_INCONSISTENT; 1685 goto fail_cleanup; 1686 } 1687 1688 if (isPrime && isBase && isValue) { 1689 copy_bigint_attr(&value, 1690 KEY_PUB_DH_VALUE(pbk)); 1691 } else { 1692 rv = CKR_TEMPLATE_INCOMPLETE; 1693 goto fail_cleanup; 1694 } 1695 } else { 1696 if (isModulusBits || isModulus || isPubExpo || 1697 isSubprime || isValue) { 1698 rv = CKR_TEMPLATE_INCONSISTENT; 1699 goto fail_cleanup; 1700 } 1701 1702 if (!(isPrime && isBase)) { 1703 rv = CKR_TEMPLATE_INCOMPLETE; 1704 goto fail_cleanup; 1705 } 1706 } 1707 1708 copy_bigint_attr(&prime, KEY_PUB_DH_PRIME(pbk)); 1709 1710 copy_bigint_attr(&base, KEY_PUB_DH_BASE(pbk)); 1711 1712 break; 1713 1714 case CKK_X9_42_DH: 1715 if (mode == SOFT_CREATE_OBJ) { 1716 if (isModulusBits || isModulus || isPubExpo) { 1717 rv = CKR_TEMPLATE_INCONSISTENT; 1718 goto fail_cleanup; 1719 } 1720 1721 if (isPrime && isSubprime && isBase && isValue) { 1722 copy_bigint_attr(&value, 1723 KEY_PUB_DH942_VALUE(pbk)); 1724 } else { 1725 rv = CKR_TEMPLATE_INCOMPLETE; 1726 goto fail_cleanup; 1727 } 1728 } else { 1729 if (isModulusBits || isModulus || isPubExpo || 1730 isValue) { 1731 rv = CKR_TEMPLATE_INCONSISTENT; 1732 goto fail_cleanup; 1733 } 1734 1735 if (!(isPrime && isSubprime && isBase)) { 1736 rv = CKR_TEMPLATE_INCOMPLETE; 1737 goto fail_cleanup; 1738 } 1739 } 1740 1741 copy_bigint_attr(&prime, KEY_PUB_DH942_PRIME(pbk)); 1742 1743 copy_bigint_attr(&base, KEY_PUB_DH942_BASE(pbk)); 1744 1745 copy_bigint_attr(&subprime, KEY_PUB_DH942_SUBPRIME(pbk)); 1746 1747 break; 1748 1749 case CKK_EC: 1750 if (mode == SOFT_CREATE_OBJ) { 1751 if (isModulusBits || isModulus || isPubExpo || 1752 isPrime || isSubprime || isBase || isValue) { 1753 rv = CKR_TEMPLATE_INCONSISTENT; 1754 goto fail_cleanup; 1755 1756 } else if (!isECParam || !isECPoint) { 1757 rv = CKR_TEMPLATE_INCOMPLETE; 1758 goto fail_cleanup; 1759 } 1760 } else { 1761 if (isModulusBits || isModulus || isPubExpo || 1762 isPrime || isSubprime || isBase || isValue) { 1763 rv = CKR_TEMPLATE_INCONSISTENT; 1764 goto fail_cleanup; 1765 1766 } else if (!isECParam) { 1767 rv = CKR_TEMPLATE_INCOMPLETE; 1768 goto fail_cleanup; 1769 } 1770 } 1771 1772 if (isECPoint) { 1773 copy_bigint_attr(&point, KEY_PUB_EC_POINT(pbk)); 1774 } 1775 rv = soft_add_extra_attr(¶m_tmp, new_object); 1776 if (rv != CKR_OK) 1777 goto fail_cleanup; 1778 string_attr_cleanup(¶m_tmp); 1779 break; 1780 1781 default: 1782 rv = CKR_TEMPLATE_INCONSISTENT; 1783 goto fail_cleanup; 1784 } 1785 1786 /* Set up object. */ 1787 new_object->object_type = object_type; 1788 new_object->bool_attr_mask = attr_mask; 1789 if (isLabel) { 1790 rv = soft_add_extra_attr(&string_tmp, new_object); 1791 if (rv != CKR_OK) 1792 goto fail_cleanup; 1793 string_attr_cleanup(&string_tmp); 1794 } 1795 1796 return (rv); 1797 1798 fail_cleanup: 1799 /* 1800 * cleanup the storage allocated to the local variables. 1801 */ 1802 bigint_attr_cleanup(&modulus); 1803 bigint_attr_cleanup(&pubexpo); 1804 bigint_attr_cleanup(&prime); 1805 bigint_attr_cleanup(&subprime); 1806 bigint_attr_cleanup(&base); 1807 bigint_attr_cleanup(&value); 1808 bigint_attr_cleanup(&point); 1809 string_attr_cleanup(&string_tmp); 1810 string_attr_cleanup(¶m_tmp); 1811 1812 /* 1813 * cleanup the storage allocated inside the object itself. 1814 */ 1815 soft_cleanup_object(new_object); 1816 1817 return (rv); 1818 } 1819 1820 1821 /* 1822 * Build a Private Key Object. 1823 * 1824 * - Parse the object's template, and when an error is detected such as 1825 * invalid attribute type, invalid attribute value, etc., return 1826 * with appropriate return value. 1827 * - Set up attribute mask field in the object for the supplied common 1828 * attributes that have boolean type. 1829 * - Build the attribute_info struct to hold the value of each supplied 1830 * attribute that has byte array type. Link attribute_info structs 1831 * together to form the extra attribute list of the object. 1832 * - Allocate storage for the Private Key object. 1833 * - Build the Private Key object according to the key type. Allocate 1834 * storage to hold the big integer value for the supplied attributes 1835 * that are required for a certain key type. 1836 * 1837 */ 1838 CK_RV 1839 soft_build_private_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 1840 soft_object_t *new_object, CK_ULONG mode, CK_KEY_TYPE key_type) 1841 { 1842 ulong_t i; 1843 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL; 1844 uint64_t attr_mask = PRIVATE_KEY_DEFAULT; 1845 CK_RV rv = CKR_OK; 1846 int isLabel = 0; 1847 int isECParam = 0; 1848 /* Must set flags unless mode == SOFT_UNWRAP_KEY */ 1849 int isModulus = 0; 1850 int isPriExpo = 0; 1851 int isPrime = 0; 1852 int isSubprime = 0; 1853 int isBase = 0; 1854 /* Must set flags if mode == SOFT_GEN_KEY */ 1855 int isValue = 0; 1856 /* Must not set flags */ 1857 int isValueBits = 0; 1858 CK_ULONG value_bits = 0; 1859 1860 /* Private Key RSA optional */ 1861 int isPubExpo = 0; 1862 int isPrime1 = 0; 1863 int isPrime2 = 0; 1864 int isExpo1 = 0; 1865 int isExpo2 = 0; 1866 int isCoef = 0; 1867 1868 biginteger_t modulus; 1869 biginteger_t priexpo; 1870 biginteger_t prime; 1871 biginteger_t subprime; 1872 biginteger_t base; 1873 biginteger_t value; 1874 1875 biginteger_t pubexpo; 1876 biginteger_t prime1; 1877 biginteger_t prime2; 1878 biginteger_t expo1; 1879 biginteger_t expo2; 1880 biginteger_t coef; 1881 CK_ATTRIBUTE string_tmp; 1882 CK_ATTRIBUTE param_tmp; 1883 BIGNUM x, q; 1884 1885 private_key_obj_t *pvk; 1886 uchar_t object_type = 0; 1887 1888 /* prevent bigint_attr_cleanup from freeing invalid attr value */ 1889 (void) memset(&modulus, 0x0, sizeof (biginteger_t)); 1890 (void) memset(&priexpo, 0x0, sizeof (biginteger_t)); 1891 (void) memset(&prime, 0x0, sizeof (biginteger_t)); 1892 (void) memset(&subprime, 0x0, sizeof (biginteger_t)); 1893 (void) memset(&base, 0x0, sizeof (biginteger_t)); 1894 (void) memset(&value, 0x0, sizeof (biginteger_t)); 1895 (void) memset(&pubexpo, 0x0, sizeof (biginteger_t)); 1896 (void) memset(&prime1, 0x0, sizeof (biginteger_t)); 1897 (void) memset(&prime2, 0x0, sizeof (biginteger_t)); 1898 (void) memset(&expo1, 0x0, sizeof (biginteger_t)); 1899 (void) memset(&expo2, 0x0, sizeof (biginteger_t)); 1900 (void) memset(&coef, 0x0, sizeof (biginteger_t)); 1901 string_tmp.pValue = NULL; 1902 param_tmp.pValue = NULL; 1903 x.malloced = 0; 1904 q.malloced = 0; 1905 1906 for (i = 0; i < ulAttrNum; i++) { 1907 1908 /* Private Key Object Attributes */ 1909 switch (template[i].type) { 1910 /* common key attributes */ 1911 case CKA_KEY_TYPE: 1912 keytype = *((CK_KEY_TYPE*)template[i].pValue); 1913 break; 1914 1915 case CKA_ID: 1916 case CKA_START_DATE: 1917 case CKA_END_DATE: 1918 1919 /* common private key attribute */ 1920 case CKA_SUBJECT: 1921 /* 1922 * Allocate storage to hold the attribute 1923 * value with byte array type, and add it to 1924 * the extra attribute list of the object. 1925 */ 1926 rv = soft_add_extra_attr(&template[i], 1927 new_object); 1928 if (rv != CKR_OK) { 1929 goto fail_cleanup; 1930 } 1931 break; 1932 1933 /* 1934 * The following key related attribute types must 1935 * not be specified by C_CreateObject or C_GenerateKey(Pair). 1936 */ 1937 case CKA_LOCAL: 1938 case CKA_KEY_GEN_MECHANISM: 1939 case CKA_AUTH_PIN_FLAGS: 1940 case CKA_ALWAYS_SENSITIVE: 1941 case CKA_NEVER_EXTRACTABLE: 1942 rv = CKR_TEMPLATE_INCONSISTENT; 1943 goto fail_cleanup; 1944 1945 /* Key related boolean attributes */ 1946 case CKA_DERIVE: 1947 if (*(CK_BBOOL *)template[i].pValue) 1948 attr_mask |= DERIVE_BOOL_ON; 1949 break; 1950 1951 case CKA_SENSITIVE: 1952 if (*(CK_BBOOL *)template[i].pValue) 1953 attr_mask |= SENSITIVE_BOOL_ON; 1954 break; 1955 1956 case CKA_SECONDARY_AUTH: 1957 if (*(CK_BBOOL *)template[i].pValue) { 1958 rv = CKR_ATTRIBUTE_VALUE_INVALID; 1959 goto fail_cleanup; 1960 } 1961 break; 1962 1963 case CKA_DECRYPT: 1964 if (*(CK_BBOOL *)template[i].pValue) 1965 attr_mask |= DECRYPT_BOOL_ON; 1966 else 1967 attr_mask &= ~DECRYPT_BOOL_ON; 1968 break; 1969 1970 case CKA_SIGN: 1971 if (*(CK_BBOOL *)template[i].pValue) 1972 attr_mask |= SIGN_BOOL_ON; 1973 else 1974 attr_mask &= ~SIGN_BOOL_ON; 1975 break; 1976 1977 case CKA_SIGN_RECOVER: 1978 if (*(CK_BBOOL *)template[i].pValue) 1979 attr_mask |= SIGN_RECOVER_BOOL_ON; 1980 else 1981 attr_mask &= ~SIGN_RECOVER_BOOL_ON; 1982 break; 1983 1984 case CKA_UNWRAP: 1985 if (*(CK_BBOOL *)template[i].pValue) 1986 attr_mask |= UNWRAP_BOOL_ON; 1987 else 1988 attr_mask &= ~UNWRAP_BOOL_ON; 1989 break; 1990 1991 case CKA_EXTRACTABLE: 1992 if (*(CK_BBOOL *)template[i].pValue) 1993 attr_mask |= EXTRACTABLE_BOOL_ON; 1994 else 1995 attr_mask &= ~EXTRACTABLE_BOOL_ON; 1996 break; 1997 1998 case CKA_MODIFIABLE: 1999 if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE) 2000 attr_mask |= NOT_MODIFIABLE_BOOL_ON; 2001 break; 2002 2003 /* 2004 * The following key related attribute types must 2005 * be specified according to the key type by 2006 * C_CreateObject. 2007 */ 2008 case CKA_MODULUS: 2009 2010 isModulus = 1; 2011 /* 2012 * Copyin big integer attribute from template 2013 * to a local variable. 2014 */ 2015 rv = get_bigint_attr_from_template(&modulus, 2016 &template[i]); 2017 if (rv != CKR_OK) 2018 goto fail_cleanup; 2019 2020 /* 2021 * Modulus length needs to be between min key length and 2022 * max key length. 2023 */ 2024 if ((modulus.big_value_len < 2025 MIN_RSA_KEYLENGTH_IN_BYTES) || 2026 (modulus.big_value_len > 2027 MAX_RSA_KEYLENGTH_IN_BYTES)) { 2028 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2029 goto fail_cleanup; 2030 } 2031 break; 2032 2033 case CKA_PUBLIC_EXPONENT: 2034 2035 isPubExpo = 1; 2036 rv = get_bigint_attr_from_template(&pubexpo, 2037 &template[i]); 2038 if (rv != CKR_OK) 2039 goto fail_cleanup; 2040 break; 2041 2042 case CKA_PRIVATE_EXPONENT: 2043 2044 isPriExpo = 1; 2045 rv = get_bigint_attr_from_template(&priexpo, 2046 &template[i]); 2047 if (rv != CKR_OK) 2048 goto fail_cleanup; 2049 break; 2050 2051 case CKA_PRIME_1: 2052 isPrime1 = 1; 2053 rv = get_bigint_attr_from_template(&prime1, 2054 &template[i]); 2055 if (rv != CKR_OK) 2056 goto fail_cleanup; 2057 break; 2058 2059 case CKA_PRIME_2: 2060 isPrime2 = 1; 2061 rv = get_bigint_attr_from_template(&prime2, 2062 &template[i]); 2063 if (rv != CKR_OK) 2064 goto fail_cleanup; 2065 break; 2066 2067 case CKA_EXPONENT_1: 2068 isExpo1 = 1; 2069 rv = get_bigint_attr_from_template(&expo1, 2070 &template[i]); 2071 if (rv != CKR_OK) 2072 goto fail_cleanup; 2073 break; 2074 2075 case CKA_EXPONENT_2: 2076 isExpo2 = 1; 2077 rv = get_bigint_attr_from_template(&expo2, 2078 &template[i]); 2079 if (rv != CKR_OK) 2080 goto fail_cleanup; 2081 break; 2082 2083 case CKA_COEFFICIENT: 2084 isCoef = 1; 2085 rv = get_bigint_attr_from_template(&coef, 2086 &template[i]); 2087 if (rv != CKR_OK) 2088 goto fail_cleanup; 2089 break; 2090 2091 case CKA_PRIME: 2092 isPrime = 1; 2093 rv = get_bigint_attr_from_template(&prime, 2094 &template[i]); 2095 if (rv != CKR_OK) 2096 goto fail_cleanup; 2097 break; 2098 2099 case CKA_SUBPRIME: 2100 isSubprime = 1; 2101 rv = get_bigint_attr_from_template(&subprime, 2102 &template[i]); 2103 if (rv != CKR_OK) 2104 goto fail_cleanup; 2105 break; 2106 2107 case CKA_BASE: 2108 isBase = 1; 2109 rv = get_bigint_attr_from_template(&base, 2110 &template[i]); 2111 if (rv != CKR_OK) 2112 goto fail_cleanup; 2113 break; 2114 2115 case CKA_VALUE: 2116 isValue = 1; 2117 if (mode == SOFT_CREATE_OBJ) { 2118 if ((template[i].ulValueLen == 0) || 2119 (template[i].pValue == NULL)) { 2120 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2121 goto fail_cleanup; 2122 } 2123 } 2124 2125 rv = get_bigint_attr_from_template(&value, 2126 &template[i]); 2127 if (rv != CKR_OK) 2128 goto fail_cleanup; 2129 break; 2130 2131 case CKA_VALUE_BITS: 2132 isValueBits = 1; 2133 rv = get_ulong_attr_from_template(&value_bits, 2134 &template[i]); 2135 if (rv != CKR_OK) 2136 goto fail_cleanup; 2137 break; 2138 2139 case CKA_LABEL: 2140 isLabel = 1; 2141 rv = get_string_from_template(&string_tmp, 2142 &template[i]); 2143 if (rv != CKR_OK) 2144 goto fail_cleanup; 2145 break; 2146 2147 case CKA_EC_PARAMS: 2148 isECParam = 1; 2149 rv = get_string_from_template(¶m_tmp, 2150 &template[i]); 2151 if (rv != CKR_OK) 2152 goto fail_cleanup; 2153 break; 2154 2155 default: 2156 rv = soft_parse_common_attrs(&template[i], 2157 &object_type); 2158 if (rv != CKR_OK) 2159 goto fail_cleanup; 2160 break; 2161 2162 } 2163 } /* For */ 2164 2165 /* Allocate storage for Private Key Object. */ 2166 pvk = calloc(1, sizeof (private_key_obj_t)); 2167 if (pvk == NULL) { 2168 rv = CKR_HOST_MEMORY; 2169 goto fail_cleanup; 2170 } 2171 2172 new_object->object_class_u.private_key = pvk; 2173 new_object->class = CKO_PRIVATE_KEY; 2174 2175 if ((mode == SOFT_CREATE_OBJ) && (keytype == (CK_KEY_TYPE)~0UL)) { 2176 rv = CKR_TEMPLATE_INCOMPLETE; 2177 goto fail_cleanup; 2178 } 2179 2180 if (mode == SOFT_GEN_KEY) { 2181 /* 2182 * The key type is not specified in the application's 2183 * template, so we use the implied key type based on 2184 * the mechanism. 2185 */ 2186 if (keytype == (CK_KEY_TYPE)~0UL) { 2187 keytype = key_type; 2188 } 2189 2190 /* If still unspecified, template is incomplete */ 2191 if (keytype == (CK_KEY_TYPE)~0UL) { 2192 rv = CKR_TEMPLATE_INCOMPLETE; 2193 goto fail_cleanup; 2194 } 2195 2196 /* 2197 * The key type specified in the template does not 2198 * match the implied key type based on the mechanism. 2199 */ 2200 if (keytype != key_type) { 2201 rv = CKR_TEMPLATE_INCONSISTENT; 2202 goto fail_cleanup; 2203 } 2204 } 2205 2206 if (mode == SOFT_UNWRAP_KEY) { 2207 /* 2208 * Note that, for mode SOFT_UNWRAP_KEY, key type is not 2209 * implied by the mechanism (key_type), so if it is not 2210 * specified from the attribute template (keytype), it is 2211 * incomplete. 2212 */ 2213 if (keytype == (CK_KEY_TYPE)~0UL) { 2214 rv = CKR_TEMPLATE_INCOMPLETE; 2215 goto fail_cleanup; 2216 } 2217 } 2218 2219 new_object->key_type = keytype; 2220 2221 /* Supported key types of the Private Key Object */ 2222 switch (keytype) { 2223 case CKK_RSA: 2224 if (isPrime || isSubprime || isBase || isValue || 2225 isValueBits) { 2226 rv = CKR_TEMPLATE_INCONSISTENT; 2227 goto fail_cleanup; 2228 } 2229 2230 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) { 2231 if (isModulus || isPubExpo || isPriExpo || isPrime1 || 2232 isPrime2 || isExpo1 || isExpo2 || isCoef) { 2233 rv = CKR_TEMPLATE_INCONSISTENT; 2234 goto fail_cleanup; 2235 } else 2236 break; 2237 } 2238 2239 if (isModulus && isPriExpo) { 2240 /* 2241 * Copy big integer attribute value to the 2242 * designated place in the Private Key object. 2243 */ 2244 copy_bigint_attr(&modulus, KEY_PRI_RSA_MOD(pvk)); 2245 2246 copy_bigint_attr(&priexpo, KEY_PRI_RSA_PRIEXPO(pvk)); 2247 } else { 2248 rv = CKR_TEMPLATE_INCOMPLETE; 2249 goto fail_cleanup; 2250 } 2251 2252 /* The following attributes are optional. */ 2253 if (isPubExpo) { 2254 copy_bigint_attr(&pubexpo, KEY_PRI_RSA_PUBEXPO(pvk)); 2255 } 2256 2257 if (isPrime1) { 2258 copy_bigint_attr(&prime1, KEY_PRI_RSA_PRIME1(pvk)); 2259 } 2260 2261 if (isPrime2) { 2262 copy_bigint_attr(&prime2, KEY_PRI_RSA_PRIME2(pvk)); 2263 } 2264 2265 if (isExpo1) { 2266 copy_bigint_attr(&expo1, KEY_PRI_RSA_EXPO1(pvk)); 2267 } 2268 2269 if (isExpo2) { 2270 copy_bigint_attr(&expo2, KEY_PRI_RSA_EXPO2(pvk)); 2271 } 2272 2273 if (isCoef) { 2274 copy_bigint_attr(&coef, KEY_PRI_RSA_COEF(pvk)); 2275 } 2276 break; 2277 2278 case CKK_DSA: 2279 if (isModulus || isPubExpo || isPriExpo || isPrime1 || 2280 isPrime2 || isExpo1 || isExpo2 || isCoef || 2281 isValueBits) { 2282 rv = CKR_TEMPLATE_INCONSISTENT; 2283 goto fail_cleanup; 2284 } 2285 2286 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) { 2287 if (isPrime || isSubprime || isBase || isValue) { 2288 rv = CKR_TEMPLATE_INCONSISTENT; 2289 goto fail_cleanup; 2290 } else 2291 break; 2292 } 2293 2294 if (isPrime && isSubprime && isBase && isValue) { 2295 /* 2296 * The private value x must be less than subprime q. 2297 * Size for big_init is in BIG_CHUNK_TYPE words. 2298 */ 2299 #ifdef __sparcv9 2300 if (big_init(&x, 2301 (int)CHARLEN2BIGNUMLEN(value.big_value_len)) 2302 != BIG_OK) { 2303 #else /* !__sparcv9 */ 2304 if (big_init(&x, 2305 CHARLEN2BIGNUMLEN(value.big_value_len)) 2306 != BIG_OK) { 2307 #endif /* __sparcv9 */ 2308 rv = CKR_HOST_MEMORY; 2309 goto fail_cleanup; 2310 } 2311 #ifdef __sparcv9 2312 if (big_init(&q, 2313 (int)CHARLEN2BIGNUMLEN(subprime.big_value_len)) 2314 != BIG_OK) { 2315 #else /* !__sparcv9 */ 2316 if (big_init(&q, 2317 CHARLEN2BIGNUMLEN(subprime.big_value_len)) 2318 != BIG_OK) { 2319 #endif /* __sparcv9 */ 2320 rv = CKR_HOST_MEMORY; 2321 goto fail_cleanup; 2322 } 2323 bytestring2bignum(&x, value.big_value, 2324 value.big_value_len); 2325 bytestring2bignum(&q, subprime.big_value, 2326 subprime.big_value_len); 2327 2328 if (big_cmp_abs(&x, &q) > 0) { 2329 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2330 goto fail_cleanup; 2331 } 2332 2333 copy_bigint_attr(&prime, KEY_PRI_DSA_PRIME(pvk)); 2334 2335 copy_bigint_attr(&subprime, KEY_PRI_DSA_SUBPRIME(pvk)); 2336 2337 copy_bigint_attr(&base, KEY_PRI_DSA_BASE(pvk)); 2338 2339 copy_bigint_attr(&value, KEY_PRI_DSA_VALUE(pvk)); 2340 } else { 2341 rv = CKR_TEMPLATE_INCOMPLETE; 2342 goto fail_cleanup; 2343 } 2344 break; 2345 2346 case CKK_DH: 2347 if (isModulus || isPubExpo || isPriExpo || isPrime1 || 2348 isPrime2 || isExpo1 || isExpo2 || isCoef || 2349 isSubprime) { 2350 rv = CKR_TEMPLATE_INCONSISTENT; 2351 goto fail_cleanup; 2352 } 2353 2354 /* CKA_VALUE_BITS is for key gen but not unwrap */ 2355 if (mode == SOFT_GEN_KEY) 2356 KEY_PRI_DH_VAL_BITS(pvk) = (isValueBits) ? 2357 value_bits : 0; 2358 else if (mode == SOFT_UNWRAP_KEY) { 2359 if (isValueBits) { 2360 rv = CKR_TEMPLATE_INCONSISTENT; 2361 goto fail_cleanup; 2362 } 2363 } 2364 2365 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) { 2366 if (isPrime || isBase || isValue) { 2367 rv = CKR_TEMPLATE_INCONSISTENT; 2368 goto fail_cleanup; 2369 } else 2370 break; 2371 } 2372 2373 if (isValueBits) { 2374 rv = CKR_TEMPLATE_INCONSISTENT; 2375 goto fail_cleanup; 2376 } 2377 2378 if (isPrime && isBase && isValue) { 2379 copy_bigint_attr(&prime, KEY_PRI_DH_PRIME(pvk)); 2380 2381 copy_bigint_attr(&base, KEY_PRI_DH_BASE(pvk)); 2382 2383 copy_bigint_attr(&value, KEY_PRI_DH_VALUE(pvk)); 2384 } else { 2385 rv = CKR_TEMPLATE_INCOMPLETE; 2386 goto fail_cleanup; 2387 } 2388 break; 2389 2390 case CKK_X9_42_DH: 2391 if (isModulus || isPubExpo || isPriExpo || isPrime1 || 2392 isPrime2 || isExpo1 || isExpo2 || isCoef || 2393 isValueBits) { 2394 rv = CKR_TEMPLATE_INCONSISTENT; 2395 goto fail_cleanup; 2396 } 2397 2398 if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) { 2399 if (isPrime || isSubprime || isBase || isValue) { 2400 rv = CKR_TEMPLATE_INCONSISTENT; 2401 goto fail_cleanup; 2402 } else 2403 break; 2404 } 2405 2406 if (isPrime && isSubprime && isBase && isValue) { 2407 copy_bigint_attr(&prime, KEY_PRI_DH942_PRIME(pvk)); 2408 2409 copy_bigint_attr(&base, KEY_PRI_DH942_BASE(pvk)); 2410 2411 copy_bigint_attr(&subprime, 2412 KEY_PRI_DH942_SUBPRIME(pvk)); 2413 2414 copy_bigint_attr(&value, KEY_PRI_DH942_VALUE(pvk)); 2415 } else { 2416 rv = CKR_TEMPLATE_INCOMPLETE; 2417 goto fail_cleanup; 2418 } 2419 break; 2420 2421 case CKK_EC: 2422 if (isModulus || isPubExpo || isPrime || 2423 isPrime1 || isPrime2 || isExpo1 || isExpo2 || isCoef || 2424 isValueBits || isBase) { 2425 rv = CKR_TEMPLATE_INCONSISTENT; 2426 goto fail_cleanup; 2427 2428 } else if (isECParam) { 2429 rv = soft_add_extra_attr(¶m_tmp, new_object); 2430 if (rv != CKR_OK) 2431 goto fail_cleanup; 2432 string_attr_cleanup(¶m_tmp); 2433 } 2434 if (isValue) { 2435 copy_bigint_attr(&value, KEY_PRI_EC_VALUE(pvk)); 2436 } 2437 break; 2438 2439 default: 2440 rv = CKR_TEMPLATE_INCONSISTENT; 2441 goto fail_cleanup; 2442 } 2443 2444 /* Set up object. */ 2445 new_object->object_type = object_type; 2446 new_object->bool_attr_mask = attr_mask; 2447 if (isLabel) { 2448 rv = soft_add_extra_attr(&string_tmp, new_object); 2449 if (rv != CKR_OK) 2450 goto fail_cleanup; 2451 string_attr_cleanup(&string_tmp); 2452 } 2453 big_finish(&x); 2454 big_finish(&q); 2455 2456 return (rv); 2457 2458 fail_cleanup: 2459 /* 2460 * cleanup the storage allocated to the local variables. 2461 */ 2462 bigint_attr_cleanup(&modulus); 2463 bigint_attr_cleanup(&priexpo); 2464 bigint_attr_cleanup(&prime); 2465 bigint_attr_cleanup(&subprime); 2466 bigint_attr_cleanup(&base); 2467 bigint_attr_cleanup(&value); 2468 bigint_attr_cleanup(&pubexpo); 2469 bigint_attr_cleanup(&prime1); 2470 bigint_attr_cleanup(&prime2); 2471 bigint_attr_cleanup(&expo1); 2472 bigint_attr_cleanup(&expo2); 2473 bigint_attr_cleanup(&coef); 2474 string_attr_cleanup(&string_tmp); 2475 string_attr_cleanup(¶m_tmp); 2476 big_finish(&x); 2477 big_finish(&q); 2478 2479 /* 2480 * cleanup the storage allocated inside the object itself. 2481 */ 2482 soft_cleanup_object(new_object); 2483 2484 return (rv); 2485 } 2486 2487 2488 /* 2489 * Build a Secret Key Object. 2490 * 2491 * - Parse the object's template, and when an error is detected such as 2492 * invalid attribute type, invalid attribute value, etc., return 2493 * with appropriate return value. 2494 * - Set up attribute mask field in the object for the supplied common 2495 * attributes that have boolean type. 2496 * - Build the attribute_info struct to hold the value of each supplied 2497 * attribute that has byte array type. Link attribute_info structs 2498 * together to form the extra attribute list of the object. 2499 * - Allocate storage for the Secret Key object. 2500 * - Build the Secret Key object. Allocate storage to hold the big integer 2501 * value for the attribute CKA_VALUE that is required for all the key 2502 * types supported by secret key object. 2503 * This function is called internally with mode = SOFT_CREATE_OBJ_INT. 2504 * 2505 */ 2506 CK_RV 2507 soft_build_secret_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 2508 soft_object_t *new_object, CK_ULONG mode, CK_ULONG key_len, 2509 CK_KEY_TYPE key_type) 2510 { 2511 2512 ulong_t i; 2513 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL; 2514 uint64_t attr_mask = SECRET_KEY_DEFAULT; 2515 CK_RV rv = CKR_OK; 2516 int isLabel = 0; 2517 /* Must set flags if mode != SOFT_UNWRAP_KEY, else must not set */ 2518 int isValue = 0; 2519 /* Must not set flags if mode != SOFT_UNWRAP_KEY, else optional */ 2520 int isValueLen = 0; 2521 2522 CK_ATTRIBUTE string_tmp; 2523 2524 secret_key_obj_t *sck; 2525 uchar_t object_type = 0; 2526 2527 string_tmp.pValue = NULL; 2528 2529 /* Allocate storage for Secret Key Object. */ 2530 sck = calloc(1, sizeof (secret_key_obj_t)); 2531 if (sck == NULL) { 2532 rv = CKR_HOST_MEMORY; 2533 goto fail_cleanup; 2534 } 2535 2536 new_object->object_class_u.secret_key = sck; 2537 new_object->class = CKO_SECRET_KEY; 2538 2539 for (i = 0; i < ulAttrNum; i++) { 2540 2541 /* Secret Key Object Attributes */ 2542 switch (template[i].type) { 2543 2544 /* common key attributes */ 2545 case CKA_KEY_TYPE: 2546 keytype = *((CK_KEY_TYPE*)template[i].pValue); 2547 break; 2548 2549 case CKA_ID: 2550 case CKA_START_DATE: 2551 case CKA_END_DATE: 2552 /* 2553 * Allocate storage to hold the attribute 2554 * value with byte array type, and add it to 2555 * the extra attribute list of the object. 2556 */ 2557 rv = soft_add_extra_attr(&template[i], 2558 new_object); 2559 if (rv != CKR_OK) { 2560 goto fail_cleanup; 2561 } 2562 break; 2563 2564 /* 2565 * The following key related attribute types must 2566 * not be specified by C_CreateObject and C_GenerateKey. 2567 */ 2568 case CKA_LOCAL: 2569 case CKA_KEY_GEN_MECHANISM: 2570 case CKA_ALWAYS_SENSITIVE: 2571 case CKA_NEVER_EXTRACTABLE: 2572 rv = CKR_TEMPLATE_INCONSISTENT; 2573 goto fail_cleanup; 2574 2575 /* Key related boolean attributes */ 2576 case CKA_DERIVE: 2577 if (*(CK_BBOOL *)template[i].pValue) 2578 attr_mask |= DERIVE_BOOL_ON; 2579 break; 2580 2581 case CKA_SENSITIVE: 2582 if (*(CK_BBOOL *)template[i].pValue) 2583 attr_mask |= SENSITIVE_BOOL_ON; 2584 break; 2585 2586 case CKA_ENCRYPT: 2587 if (*(CK_BBOOL *)template[i].pValue) 2588 attr_mask |= ENCRYPT_BOOL_ON; 2589 else 2590 attr_mask &= ~ENCRYPT_BOOL_ON; 2591 break; 2592 2593 case CKA_DECRYPT: 2594 if (*(CK_BBOOL *)template[i].pValue) 2595 attr_mask |= DECRYPT_BOOL_ON; 2596 else 2597 attr_mask &= ~DECRYPT_BOOL_ON; 2598 break; 2599 2600 case CKA_SIGN: 2601 if (*(CK_BBOOL *)template[i].pValue) 2602 attr_mask |= SIGN_BOOL_ON; 2603 else 2604 attr_mask &= ~SIGN_BOOL_ON; 2605 break; 2606 2607 case CKA_VERIFY: 2608 if (*(CK_BBOOL *)template[i].pValue) 2609 attr_mask |= VERIFY_BOOL_ON; 2610 else 2611 attr_mask &= ~VERIFY_BOOL_ON; 2612 break; 2613 2614 case CKA_WRAP: 2615 if (*(CK_BBOOL *)template[i].pValue) 2616 attr_mask |= WRAP_BOOL_ON; 2617 else 2618 attr_mask &= ~WRAP_BOOL_ON; 2619 break; 2620 2621 case CKA_UNWRAP: 2622 if (*(CK_BBOOL *)template[i].pValue) 2623 attr_mask |= UNWRAP_BOOL_ON; 2624 else 2625 attr_mask &= ~UNWRAP_BOOL_ON; 2626 break; 2627 2628 case CKA_EXTRACTABLE: 2629 if (*(CK_BBOOL *)template[i].pValue) 2630 attr_mask |= EXTRACTABLE_BOOL_ON; 2631 else 2632 attr_mask &= ~EXTRACTABLE_BOOL_ON; 2633 break; 2634 2635 case CKA_MODIFIABLE: 2636 if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE) 2637 attr_mask |= NOT_MODIFIABLE_BOOL_ON; 2638 break; 2639 2640 case CKA_VALUE: 2641 isValue = 1; 2642 if (mode == SOFT_CREATE_OBJ) { 2643 if ((template[i].ulValueLen == 0) || 2644 (template[i].pValue == NULL)) { 2645 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2646 goto fail_cleanup; 2647 } 2648 } 2649 2650 /* 2651 * Copyin attribute from template 2652 * to a local variable. 2653 */ 2654 rv = get_bigint_attr_from_template((biginteger_t *)sck, 2655 &template[i]); 2656 if (rv != CKR_OK) 2657 goto fail_cleanup; 2658 break; 2659 2660 case CKA_VALUE_LEN: 2661 isValueLen = 1; 2662 rv = get_ulong_attr_from_template(&sck->sk_value_len, 2663 &template[i]); 2664 if (rv != CKR_OK) 2665 goto fail_cleanup; 2666 break; 2667 2668 case CKA_LABEL: 2669 isLabel = 1; 2670 rv = get_string_from_template(&string_tmp, 2671 &template[i]); 2672 if (rv != CKR_OK) 2673 goto fail_cleanup; 2674 break; 2675 2676 default: 2677 rv = soft_parse_common_attrs(&template[i], 2678 &object_type); 2679 if (rv != CKR_OK) 2680 goto fail_cleanup; 2681 break; 2682 2683 } 2684 } /* For */ 2685 2686 switch (mode) { 2687 case SOFT_CREATE_OBJ: 2688 case SOFT_CREATE_OBJ_INT: 2689 case SOFT_DERIVE_KEY_DH: 2690 /* 2691 * The key type must be specified in the application's 2692 * template. Otherwise, returns error. 2693 */ 2694 if (keytype == (CK_KEY_TYPE)~0UL) { 2695 rv = CKR_TEMPLATE_INCOMPLETE; 2696 goto fail_cleanup; 2697 } 2698 break; 2699 2700 case SOFT_GEN_KEY: 2701 if (keytype == (CK_KEY_TYPE)~0UL) { 2702 /* 2703 * The key type is not specified in the application's 2704 * template, so we use the implied key type based on 2705 * the mechanism. 2706 */ 2707 keytype = key_type; 2708 } else { 2709 if (keytype != key_type) { 2710 /* 2711 * The key type specified in the template 2712 * does not match the implied key type based 2713 * on the mechanism. 2714 */ 2715 rv = CKR_TEMPLATE_INCONSISTENT; 2716 goto fail_cleanup; 2717 } 2718 } 2719 2720 /* 2721 * If a key_len is passed as a parameter, it has to 2722 * match the one found in the template. 2723 */ 2724 if (key_len > 0) { 2725 if (isValueLen && sck->sk_value_len != key_len) { 2726 rv = CKR_TEMPLATE_INCONSISTENT; 2727 goto fail_cleanup; 2728 } 2729 isValueLen = 1; 2730 sck->sk_value_len = key_len; 2731 } 2732 break; 2733 2734 case SOFT_UNWRAP_KEY: 2735 /* 2736 * Note that, for mode SOFT_UNWRAP_KEY, key type is not 2737 * implied by the mechanism (key_type), so if it is not 2738 * specified from the attribute template (keytype), it is 2739 * incomplete. 2740 */ 2741 if (keytype == (CK_KEY_TYPE)~0UL) { 2742 rv = CKR_TEMPLATE_INCOMPLETE; 2743 goto fail_cleanup; 2744 } 2745 break; 2746 2747 case SOFT_DERIVE_KEY_OTHER: 2748 /* 2749 * For CKM_MD5_KEY_DERIVATION & CKM_SHA1_KEY_DERIVATION, the 2750 * key type is optional. 2751 */ 2752 if (keytype == (CK_KEY_TYPE)~0UL) { 2753 keytype = key_type; 2754 } 2755 break; 2756 } 2757 2758 switch (mode) { 2759 case SOFT_CREATE_OBJ: 2760 case SOFT_CREATE_OBJ_INT: 2761 switch (keytype) { 2762 case CKK_RC4: 2763 if (!isValue) { 2764 rv = CKR_TEMPLATE_INCOMPLETE; 2765 goto fail_cleanup; 2766 } 2767 if ((sck->sk_value_len < ARCFOUR_MIN_KEY_BYTES) || 2768 (sck->sk_value_len > ARCFOUR_MAX_KEY_BYTES)) { 2769 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2770 goto fail_cleanup; 2771 } 2772 break; 2773 2774 case CKK_GENERIC_SECRET: 2775 if (!isValue) { 2776 rv = CKR_TEMPLATE_INCOMPLETE; 2777 goto fail_cleanup; 2778 } 2779 break; 2780 2781 case CKK_AES: 2782 if (!isValue) { 2783 rv = CKR_TEMPLATE_INCOMPLETE; 2784 goto fail_cleanup; 2785 } 2786 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) && 2787 (sck->sk_value_len != AES_192_KEY_BYTES) && 2788 (sck->sk_value_len != AES_MAX_KEY_BYTES)) { 2789 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2790 goto fail_cleanup; 2791 } 2792 break; 2793 2794 case CKK_BLOWFISH: 2795 if (!isValue) { 2796 rv = CKR_TEMPLATE_INCOMPLETE; 2797 goto fail_cleanup; 2798 } 2799 if ((sck->sk_value_len < BLOWFISH_MINBYTES) || 2800 (sck->sk_value_len > BLOWFISH_MAXBYTES)) { 2801 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2802 goto fail_cleanup; 2803 } 2804 2805 break; 2806 2807 case CKK_DES: 2808 if (!isValue) { 2809 rv = CKR_TEMPLATE_INCOMPLETE; 2810 goto fail_cleanup; 2811 } 2812 if (sck->sk_value_len != DES_KEYSIZE) { 2813 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2814 goto fail_cleanup; 2815 } 2816 break; 2817 2818 case CKK_DES2: 2819 if (!isValue) { 2820 rv = CKR_TEMPLATE_INCOMPLETE; 2821 goto fail_cleanup; 2822 } 2823 if (sck->sk_value_len != DES2_KEYSIZE) { 2824 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2825 goto fail_cleanup; 2826 } 2827 break; 2828 2829 case CKK_DES3: 2830 if (!isValue) { 2831 rv = CKR_TEMPLATE_INCOMPLETE; 2832 goto fail_cleanup; 2833 } 2834 if (sck->sk_value_len != DES3_KEYSIZE) { 2835 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2836 goto fail_cleanup; 2837 } 2838 break; 2839 2840 default: 2841 rv = CKR_TEMPLATE_INCONSISTENT; 2842 goto fail_cleanup; 2843 } 2844 2845 if (isValueLen) { 2846 /* 2847 * Templates for internal object creation come from 2848 * applications calls to C_DeriveKey(), for which it 2849 * is OKey to pass a CKA_VALUE_LEN attribute, as 2850 * long as it does not conflict with the length of the 2851 * CKA_VALUE attribute. 2852 */ 2853 if ((mode != SOFT_CREATE_OBJ_INT) || 2854 ((key_len > 0) && sck->sk_value_len != key_len)) { 2855 rv = CKR_TEMPLATE_INCONSISTENT; 2856 goto fail_cleanup; 2857 } 2858 } 2859 break; 2860 2861 case SOFT_GEN_KEY: 2862 /* CKA_VALUE must not be specified */ 2863 if (isValue) { 2864 rv = CKR_TEMPLATE_INCONSISTENT; 2865 goto fail_cleanup; 2866 } 2867 2868 switch (keytype) { 2869 /* 2870 * CKA_VALUE_LEN must be specified by C_GenerateKey 2871 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET. 2872 */ 2873 case CKK_RC4: 2874 if (!isValueLen) { 2875 rv = CKR_TEMPLATE_INCOMPLETE; 2876 goto fail_cleanup; 2877 } 2878 ; 2879 if ((sck->sk_value_len < ARCFOUR_MIN_KEY_BYTES) || 2880 (sck->sk_value_len > ARCFOUR_MAX_KEY_BYTES)) { 2881 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2882 goto fail_cleanup; 2883 } 2884 break; 2885 2886 case CKK_GENERIC_SECRET: 2887 /* arbitrary key length - no length checking */ 2888 if (!isValueLen) { 2889 rv = CKR_TEMPLATE_INCOMPLETE; 2890 goto fail_cleanup; 2891 } 2892 break; 2893 2894 case CKK_AES: 2895 if (!isValueLen) { 2896 rv = CKR_TEMPLATE_INCOMPLETE; 2897 goto fail_cleanup; 2898 } 2899 2900 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) && 2901 (sck->sk_value_len != AES_192_KEY_BYTES) && 2902 (sck->sk_value_len != AES_MAX_KEY_BYTES)) { 2903 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2904 goto fail_cleanup; 2905 } 2906 2907 break; 2908 2909 case CKK_BLOWFISH: 2910 if (!isValueLen) { 2911 rv = CKR_TEMPLATE_INCOMPLETE; 2912 goto fail_cleanup; 2913 } 2914 if ((sck->sk_value_len < BLOWFISH_MINBYTES) || 2915 (sck->sk_value_len > BLOWFISH_MAXBYTES)) { 2916 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2917 goto fail_cleanup; 2918 } 2919 2920 break; 2921 2922 case CKK_DES: 2923 case CKK_DES2: 2924 case CKK_DES3: 2925 /* CKA_VALUE_LEN attribute does not apply to DES<n> */ 2926 if (isValueLen) { 2927 rv = CKR_TEMPLATE_INCONSISTENT; 2928 goto fail_cleanup; 2929 } 2930 break; 2931 2932 default: 2933 rv = CKR_TEMPLATE_INCONSISTENT; 2934 goto fail_cleanup; 2935 } 2936 break; 2937 2938 case SOFT_UNWRAP_KEY: 2939 /* 2940 * According to v2.11 of PKCS#11 spec, neither CKA_VALUE nor 2941 * CKA_VALUE_LEN can be be specified; however v2.20 has this 2942 * restriction removed, perhaps because it makes it hard to 2943 * determine variable-length key sizes. This case statement 2944 * complied with v2.20. 2945 */ 2946 if (isValue) { 2947 rv = CKR_TEMPLATE_INCONSISTENT; 2948 goto fail_cleanup; 2949 } 2950 2951 switch (keytype) { 2952 /* 2953 * CKA_VALUE_LEN is optional 2954 * if key is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET 2955 * and the unwrapping mech is *_CBC_PAD. 2956 * 2957 * CKA_VALUE_LEN is required 2958 * if key is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET 2959 * and the unwrapping mech is *_ECB or *_CBC. 2960 * 2961 * since mech is not known at this point, CKA_VALUE_LEN is 2962 * treated as optional and the caller needs to enforce it. 2963 */ 2964 case CKK_RC4: 2965 if (isValueLen) { 2966 if ((sck->sk_value_len < 2967 ARCFOUR_MIN_KEY_BYTES) || 2968 (sck->sk_value_len > 2969 ARCFOUR_MAX_KEY_BYTES)) { 2970 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2971 goto fail_cleanup; 2972 } 2973 } 2974 break; 2975 2976 case CKK_GENERIC_SECRET: 2977 /* arbitrary key length - no length checking */ 2978 break; 2979 2980 case CKK_AES: 2981 if (isValueLen) { 2982 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) && 2983 (sck->sk_value_len != AES_192_KEY_BYTES) && 2984 (sck->sk_value_len != AES_MAX_KEY_BYTES)) { 2985 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2986 goto fail_cleanup; 2987 } 2988 } 2989 break; 2990 2991 case CKK_BLOWFISH: 2992 if (isValueLen && 2993 ((sck->sk_value_len < BLOWFISH_MINBYTES) || 2994 (sck->sk_value_len > BLOWFISH_MAXBYTES))) { 2995 rv = CKR_ATTRIBUTE_VALUE_INVALID; 2996 goto fail_cleanup; 2997 } 2998 break; 2999 3000 case CKK_DES: 3001 case CKK_DES2: 3002 case CKK_DES3: 3003 /* CKA_VALUE_LEN attribute does not apply to DES<n> */ 3004 if (isValueLen) { 3005 rv = CKR_TEMPLATE_INCONSISTENT; 3006 goto fail_cleanup; 3007 } 3008 break; 3009 3010 default: 3011 rv = CKR_TEMPLATE_INCONSISTENT; 3012 goto fail_cleanup; 3013 } 3014 break; 3015 3016 case SOFT_DERIVE_KEY_DH: 3017 /* CKA_VALUE must not be specified */ 3018 if (isValue) { 3019 rv = CKR_TEMPLATE_INCONSISTENT; 3020 goto fail_cleanup; 3021 } 3022 3023 switch (keytype) { 3024 /* 3025 * CKA_VALUE_LEN is optional 3026 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET. 3027 */ 3028 case CKK_RC4: 3029 if (isValueLen) { 3030 if ((sck->sk_value_len < 3031 ARCFOUR_MIN_KEY_BYTES) || 3032 (sck->sk_value_len > 3033 ARCFOUR_MAX_KEY_BYTES)) { 3034 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3035 goto fail_cleanup; 3036 } 3037 } 3038 break; 3039 3040 case CKK_GENERIC_SECRET: 3041 /* arbitrary key length - no length checking */ 3042 break; 3043 3044 case CKK_AES: 3045 if (isValueLen) { 3046 if ((sck->sk_value_len != AES_MIN_KEY_BYTES) && 3047 (sck->sk_value_len != AES_192_KEY_BYTES) && 3048 (sck->sk_value_len != AES_MAX_KEY_BYTES)) { 3049 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3050 goto fail_cleanup; 3051 } 3052 } 3053 3054 break; 3055 3056 case CKK_BLOWFISH: 3057 if (isValueLen && 3058 ((sck->sk_value_len < BLOWFISH_MINBYTES) || 3059 (sck->sk_value_len > BLOWFISH_MAXBYTES))) { 3060 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3061 goto fail_cleanup; 3062 } 3063 break; 3064 3065 case CKK_DES: 3066 case CKK_DES2: 3067 case CKK_DES3: 3068 /* CKA_VALUE_LEN attribute does not apply to DES<n> */ 3069 if (isValueLen) { 3070 rv = CKR_TEMPLATE_INCONSISTENT; 3071 goto fail_cleanup; 3072 } 3073 break; 3074 3075 default: 3076 rv = CKR_TEMPLATE_INCONSISTENT; 3077 goto fail_cleanup; 3078 } 3079 break; 3080 3081 case SOFT_DERIVE_KEY_OTHER: 3082 /* CKA_VALUE must not be specified */ 3083 if (isValue) { 3084 rv = CKR_TEMPLATE_INCONSISTENT; 3085 goto fail_cleanup; 3086 } 3087 3088 switch (keytype) { 3089 /* 3090 * CKA_VALUE_LEN is an optional attribute for 3091 * CKM_SHA1_KEY_DERIVATION and CKM_MD5_KEY_DERIVATION 3092 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET. 3093 */ 3094 case CKK_RC4: 3095 case CKK_GENERIC_SECRET: 3096 case CKK_AES: 3097 case CKK_BLOWFISH: 3098 /* 3099 * No need to check key length value here, it will be 3100 * validated later in soft_key_derive_check_length(). 3101 */ 3102 break; 3103 3104 case CKK_DES: 3105 case CKK_DES2: 3106 case CKK_DES3: 3107 /* CKA_VALUE_LEN attribute does not apply to DES<n> */ 3108 if (isValueLen) { 3109 rv = CKR_TEMPLATE_INCONSISTENT; 3110 goto fail_cleanup; 3111 } 3112 break; 3113 3114 default: 3115 rv = CKR_TEMPLATE_INCONSISTENT; 3116 goto fail_cleanup; 3117 } 3118 break; 3119 } 3120 3121 /* Set up object. */ 3122 new_object->key_type = keytype; 3123 new_object->object_type = object_type; 3124 new_object->bool_attr_mask = attr_mask; 3125 if (isLabel) { 3126 rv = soft_add_extra_attr(&string_tmp, new_object); 3127 if (rv != CKR_OK) 3128 goto fail_cleanup; 3129 string_attr_cleanup(&string_tmp); 3130 } 3131 return (rv); 3132 3133 fail_cleanup: 3134 /* 3135 * cleanup the storage allocated to the local variables. 3136 */ 3137 bigint_attr_cleanup((biginteger_t *)sck); 3138 string_attr_cleanup(&string_tmp); 3139 3140 /* 3141 * cleanup the storage allocated inside the object itself. 3142 */ 3143 soft_cleanup_object(new_object); 3144 3145 return (rv); 3146 } 3147 3148 3149 /* 3150 * Build a Domain Parameter Object. 3151 * 3152 * - Parse the object's template, and when an error is detected such as 3153 * invalid attribute type, invalid attribute value, etc., return 3154 * with appropriate return value. 3155 * - Allocate storage for the Domain Parameter object. 3156 * - Build the Domain Parameter object according to the key type. Allocate 3157 * storage to hold the big integer value for the supplied attributes 3158 * that are required for a certain key type. 3159 * 3160 */ 3161 CK_RV 3162 soft_build_domain_parameters_object(CK_ATTRIBUTE_PTR template, 3163 CK_ULONG ulAttrNum, soft_object_t *new_object) 3164 { 3165 3166 ulong_t i; 3167 CK_KEY_TYPE keytype = (CK_KEY_TYPE)~0UL; 3168 CK_RV rv = CKR_OK; 3169 int isLabel = 0; 3170 /* Must set flags */ 3171 int isPrime = 0; 3172 int isSubprime = 0; 3173 int isBase = 0; 3174 /* Must not set flags */ 3175 int isPrimeBits = 0; 3176 int isSubPrimeBits = 0; 3177 3178 biginteger_t prime; 3179 biginteger_t subprime; 3180 biginteger_t base; 3181 CK_ATTRIBUTE string_tmp; 3182 3183 domain_obj_t *dom; 3184 uchar_t object_type = 0; 3185 3186 /* prevent bigint_attr_cleanup from freeing invalid attr value */ 3187 (void) memset(&prime, 0x0, sizeof (biginteger_t)); 3188 (void) memset(&subprime, 0x0, sizeof (biginteger_t)); 3189 (void) memset(&base, 0x0, sizeof (biginteger_t)); 3190 string_tmp.pValue = NULL; 3191 3192 for (i = 0; i < ulAttrNum; i++) { 3193 3194 /* Domain Parameters Object Attributes */ 3195 switch (template[i].type) { 3196 3197 /* common domain parameter attribute */ 3198 case CKA_KEY_TYPE: 3199 keytype = *((CK_KEY_TYPE*)template[i].pValue); 3200 break; 3201 3202 /* 3203 * The following common domain parameter attribute 3204 * must not be specified by C_CreateObject. 3205 */ 3206 case CKA_LOCAL: 3207 rv = CKR_TEMPLATE_INCONSISTENT; 3208 goto fail_cleanup; 3209 3210 /* 3211 * The following domain parameter attributes must be 3212 * specified according to the key type by 3213 * C_CreateObject. 3214 */ 3215 case CKA_PRIME: 3216 isPrime = 1; 3217 /* 3218 * Copyin big integer attribute from template 3219 * to a local variable. 3220 */ 3221 rv = get_bigint_attr_from_template(&prime, 3222 &template[i]); 3223 if (rv != CKR_OK) 3224 goto fail_cleanup; 3225 break; 3226 3227 case CKA_SUBPRIME: 3228 isSubprime = 1; 3229 rv = get_bigint_attr_from_template(&subprime, 3230 &template[i]); 3231 if (rv != CKR_OK) 3232 goto fail_cleanup; 3233 break; 3234 3235 case CKA_BASE: 3236 isBase = 1; 3237 rv = get_bigint_attr_from_template(&base, 3238 &template[i]); 3239 if (rv != CKR_OK) 3240 goto fail_cleanup; 3241 break; 3242 3243 case CKA_PRIME_BITS: 3244 isPrimeBits = 1; 3245 break; 3246 3247 case CKA_SUB_PRIME_BITS: 3248 isSubPrimeBits = 1; 3249 break; 3250 3251 case CKA_LABEL: 3252 isLabel = 1; 3253 rv = get_string_from_template(&string_tmp, 3254 &template[i]); 3255 if (rv != CKR_OK) 3256 goto fail_cleanup; 3257 break; 3258 3259 default: 3260 rv = soft_parse_common_attrs(&template[i], 3261 &object_type); 3262 if (rv != CKR_OK) 3263 goto fail_cleanup; 3264 break; 3265 3266 } 3267 } /* For */ 3268 3269 /* Allocate storage for Domain Parameters Object. */ 3270 dom = calloc(1, sizeof (domain_obj_t)); 3271 if (dom == NULL) { 3272 rv = CKR_HOST_MEMORY; 3273 goto fail_cleanup; 3274 } 3275 3276 new_object->object_class_u.domain = dom; 3277 new_object->class = CKO_DOMAIN_PARAMETERS; 3278 3279 if (keytype == (CK_KEY_TYPE)~0UL) { 3280 rv = CKR_TEMPLATE_INCOMPLETE; 3281 goto fail_cleanup; 3282 } 3283 3284 new_object->key_type = keytype; 3285 3286 /* Supported key types of the Domain Parameters Object */ 3287 switch (keytype) { 3288 case CKK_DSA: 3289 if (isPrimeBits || isSubPrimeBits) { 3290 rv = CKR_TEMPLATE_INCONSISTENT; 3291 goto fail_cleanup; 3292 } 3293 3294 if (isPrime && isSubprime && isBase) { 3295 /* 3296 * Copy big integer attribute value to the 3297 * designated place in the domain parameter 3298 * object. 3299 */ 3300 copy_bigint_attr(&prime, KEY_DOM_DSA_PRIME(dom)); 3301 3302 copy_bigint_attr(&subprime, KEY_DOM_DSA_SUBPRIME(dom)); 3303 3304 copy_bigint_attr(&base, KEY_DOM_DSA_BASE(dom)); 3305 } else { 3306 rv = CKR_TEMPLATE_INCOMPLETE; 3307 goto fail_cleanup; 3308 } 3309 break; 3310 3311 case CKK_DH: 3312 if (isPrimeBits || isSubprime || isSubPrimeBits) { 3313 rv = CKR_TEMPLATE_INCONSISTENT; 3314 goto fail_cleanup; 3315 } 3316 3317 if (isPrime && isBase) { 3318 copy_bigint_attr(&prime, KEY_DOM_DH_PRIME(dom)); 3319 3320 copy_bigint_attr(&base, KEY_DOM_DH_BASE(dom)); 3321 } else { 3322 rv = CKR_TEMPLATE_INCOMPLETE; 3323 goto fail_cleanup; 3324 } 3325 break; 3326 3327 case CKK_X9_42_DH: 3328 if (isPrimeBits || isSubPrimeBits) { 3329 rv = CKR_TEMPLATE_INCONSISTENT; 3330 goto fail_cleanup; 3331 } 3332 3333 if (isPrime && isSubprime && isBase) { 3334 copy_bigint_attr(&prime, KEY_DOM_DH942_PRIME(dom)); 3335 3336 copy_bigint_attr(&base, KEY_DOM_DH942_BASE(dom)); 3337 3338 copy_bigint_attr(&subprime, 3339 KEY_DOM_DH942_SUBPRIME(dom)); 3340 } else { 3341 rv = CKR_TEMPLATE_INCOMPLETE; 3342 goto fail_cleanup; 3343 } 3344 break; 3345 3346 default: 3347 rv = CKR_TEMPLATE_INCONSISTENT; 3348 goto fail_cleanup; 3349 } 3350 3351 new_object->object_type = object_type; 3352 3353 if (isLabel) { 3354 rv = soft_add_extra_attr(&string_tmp, new_object); 3355 if (rv != CKR_OK) 3356 goto fail_cleanup; 3357 string_attr_cleanup(&string_tmp); 3358 } 3359 3360 return (rv); 3361 3362 fail_cleanup: 3363 /* 3364 * cleanup the storage allocated to the local variables. 3365 */ 3366 bigint_attr_cleanup(&prime); 3367 bigint_attr_cleanup(&subprime); 3368 bigint_attr_cleanup(&base); 3369 string_attr_cleanup(&string_tmp); 3370 3371 /* 3372 * cleanup the storage allocated inside the object itself. 3373 */ 3374 soft_cleanup_object(new_object); 3375 3376 return (rv); 3377 } 3378 3379 /* 3380 * Build a Certificate Object 3381 * 3382 * - Parse the object's template, and when an error is detected such as 3383 * invalid attribute type, invalid attribute value, etc., return 3384 * with appropriate return value. 3385 * - Allocate storage for the Certificate object 3386 */ 3387 static CK_RV 3388 soft_build_certificate_object(CK_ATTRIBUTE_PTR template, 3389 CK_ULONG ulAttrNum, soft_object_t *new_object, 3390 CK_CERTIFICATE_TYPE cert_type) 3391 { 3392 uint64_t attr_mask = 0; 3393 CK_RV rv = CKR_OK; 3394 CK_ULONG i; 3395 int owner_set = 0; 3396 int value_set = 0; 3397 int subject_set = 0; 3398 certificate_obj_t *cert; 3399 /* certificate type defaults to the value given as a parameter */ 3400 CK_CERTIFICATE_TYPE certtype = cert_type; 3401 CK_ATTRIBUTE string_tmp; 3402 int isLabel = 0; 3403 uchar_t object_type = 0; 3404 3405 /* 3406 * Look for the certificate type attribute and do some 3407 * sanity checking before creating the structures. 3408 */ 3409 for (i = 0; i < ulAttrNum; i++) { 3410 /* Certificate Object Attributes */ 3411 switch (template[i].type) { 3412 case CKA_CERTIFICATE_TYPE: 3413 certtype = 3414 *((CK_CERTIFICATE_TYPE*)template[i].pValue); 3415 break; 3416 case CKA_SUBJECT: 3417 subject_set = 1; 3418 break; 3419 case CKA_OWNER: 3420 owner_set = 1; 3421 break; 3422 case CKA_VALUE: 3423 value_set = 1; 3424 break; 3425 } 3426 } 3427 3428 /* The certificate type MUST be specified */ 3429 if (certtype != CKC_X_509 && certtype != CKC_X_509_ATTR_CERT) 3430 return (CKR_TEMPLATE_INCOMPLETE); 3431 3432 /* 3433 * For X.509 certs, the CKA_SUBJECT and CKA_VALUE 3434 * must be present at creation time. 3435 */ 3436 if (certtype == CKC_X_509 && 3437 (!subject_set || !value_set)) 3438 return (CKR_TEMPLATE_INCOMPLETE); 3439 3440 /* 3441 * For X.509 Attribute certs, the CKA_OWNER and CKA_VALUE 3442 * must be present at creation time. 3443 */ 3444 if (certtype == CKC_X_509_ATTR_CERT && 3445 (!owner_set || !value_set)) 3446 return (CKR_TEMPLATE_INCOMPLETE); 3447 3448 string_tmp.pValue = NULL; 3449 cert = calloc(1, sizeof (certificate_obj_t)); 3450 if (cert == NULL) { 3451 return (CKR_HOST_MEMORY); 3452 } 3453 cert->certificate_type = certtype; 3454 3455 for (i = 0; i < ulAttrNum; i++) { 3456 /* Certificate Object Attributes */ 3457 switch (certtype) { 3458 case CKC_X_509: 3459 switch (template[i].type) { 3460 case CKA_SUBJECT: 3461 rv = get_cert_attr_from_template( 3462 &cert->cert_type_u.x509.subject, 3463 &template[i]); 3464 break; 3465 case CKA_VALUE: 3466 rv = get_cert_attr_from_template( 3467 &cert->cert_type_u.x509.value, 3468 &template[i]); 3469 break; 3470 case CKA_LABEL: 3471 isLabel = 1; 3472 rv = get_string_from_template( 3473 &string_tmp, 3474 &template[i]); 3475 if (rv != CKR_OK) 3476 goto fail_cleanup; 3477 break; 3478 case CKA_ID: 3479 case CKA_ISSUER: 3480 case CKA_SERIAL_NUMBER: 3481 rv = soft_add_extra_attr(&template[i], 3482 new_object); 3483 break; 3484 case CKA_MODIFIABLE: 3485 if ((*(CK_BBOOL *)template[i].pValue) == 3486 B_FALSE) 3487 attr_mask |= 3488 NOT_MODIFIABLE_BOOL_ON; 3489 break; 3490 case CKA_CERTIFICATE_TYPE: 3491 break; 3492 default: 3493 rv = soft_parse_common_attrs( 3494 &template[i], &object_type); 3495 if (rv != CKR_OK) 3496 goto fail_cleanup; 3497 } 3498 break; 3499 case CKC_X_509_ATTR_CERT: 3500 switch (template[i].type) { 3501 case CKA_OWNER: 3502 rv = get_cert_attr_from_template( 3503 &cert->cert_type_u.x509_attr.owner, 3504 &template[i]); 3505 break; 3506 case CKA_VALUE: 3507 rv = get_cert_attr_from_template( 3508 &cert->cert_type_u.x509_attr.value, 3509 &template[i]); 3510 break; 3511 case CKA_LABEL: 3512 isLabel = 1; 3513 rv = get_string_from_template( 3514 &string_tmp, &template[i]); 3515 if (rv != CKR_OK) 3516 goto fail_cleanup; 3517 break; 3518 case CKA_SERIAL_NUMBER: 3519 case CKA_AC_ISSUER: 3520 case CKA_ATTR_TYPES: 3521 rv = soft_add_extra_attr(&template[i], 3522 new_object); 3523 break; 3524 3525 case CKA_MODIFIABLE: 3526 if ((*(CK_BBOOL *)template[i].pValue) == 3527 B_FALSE) 3528 attr_mask |= 3529 NOT_MODIFIABLE_BOOL_ON; 3530 break; 3531 case CKA_CERTIFICATE_TYPE: 3532 break; 3533 default: 3534 rv = soft_parse_common_attrs( 3535 &template[i], &object_type); 3536 if (rv != CKR_OK) 3537 goto fail_cleanup; 3538 break; 3539 } 3540 break; 3541 default: 3542 rv = CKR_TEMPLATE_INCOMPLETE; 3543 break; 3544 } 3545 } 3546 3547 if (rv == CKR_OK) { 3548 new_object->object_class_u.certificate = cert; 3549 new_object->class = CKO_CERTIFICATE; 3550 new_object->object_type = object_type; 3551 new_object->cert_type = certtype; 3552 new_object->bool_attr_mask = attr_mask; 3553 if (isLabel) { 3554 rv = soft_add_extra_attr(&string_tmp, new_object); 3555 if (rv != CKR_OK) 3556 goto fail_cleanup; 3557 string_attr_cleanup(&string_tmp); 3558 } 3559 } 3560 3561 fail_cleanup: 3562 if (rv != CKR_OK) { 3563 soft_cleanup_cert_object(new_object); 3564 } 3565 return (rv); 3566 } 3567 3568 3569 /* 3570 * Validate the attribute types in the object's template. Then, 3571 * call the appropriate build function according to the class of 3572 * the object specified in the template. 3573 * 3574 * Note: The following classes of objects are supported: 3575 * - CKO_PUBLIC_KEY 3576 * - CKO_PRIVATE_KEY 3577 * - CKO_SECRET_KEY 3578 * - CKO_DOMAIN_PARAMETERS 3579 * - CKO_CERTIFICATE 3580 * 3581 */ 3582 CK_RV 3583 soft_build_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 3584 soft_object_t *new_object) 3585 { 3586 3587 CK_OBJECT_CLASS class = (CK_OBJECT_CLASS)~0UL; 3588 CK_RV rv = CKR_OK; 3589 3590 if (template == NULL) { 3591 return (CKR_ARGUMENTS_BAD); 3592 } 3593 3594 /* Validate the attribute type in the template. */ 3595 rv = soft_validate_attr(template, ulAttrNum, &class); 3596 if (rv != CKR_OK) 3597 return (rv); 3598 /* 3599 * CKA_CLASS is a mandatory attribute for C_CreateObject 3600 */ 3601 if (class == (CK_OBJECT_CLASS)~0UL) 3602 return (CKR_TEMPLATE_INCOMPLETE); 3603 3604 /* 3605 * Call the appropriate function based on the supported class 3606 * of the object. 3607 */ 3608 switch (class) { 3609 case CKO_PUBLIC_KEY: 3610 rv = soft_build_public_key_object(template, ulAttrNum, 3611 new_object, SOFT_CREATE_OBJ, (CK_KEY_TYPE)~0UL); 3612 break; 3613 3614 case CKO_PRIVATE_KEY: 3615 rv = soft_build_private_key_object(template, ulAttrNum, 3616 new_object, SOFT_CREATE_OBJ, (CK_KEY_TYPE)~0UL); 3617 break; 3618 3619 case CKO_SECRET_KEY: 3620 rv = soft_build_secret_key_object(template, ulAttrNum, 3621 new_object, SOFT_CREATE_OBJ, 0, (CK_KEY_TYPE)~0UL); 3622 break; 3623 3624 case CKO_DOMAIN_PARAMETERS: 3625 rv = soft_build_domain_parameters_object(template, ulAttrNum, 3626 new_object); 3627 break; 3628 3629 case CKO_CERTIFICATE: 3630 rv = soft_build_certificate_object(template, ulAttrNum, 3631 new_object, (CK_CERTIFICATE_TYPE)~0UL); 3632 break; 3633 3634 case CKO_DATA: 3635 case CKO_HW_FEATURE: 3636 case CKO_VENDOR_DEFINED: 3637 default: 3638 return (CKR_ATTRIBUTE_VALUE_INVALID); 3639 } 3640 3641 return (rv); 3642 } 3643 3644 /* 3645 * Validate the attribute types in the object's template. Then, 3646 * call the appropriate build function according to the class of 3647 * the object specified in the template. 3648 * 3649 */ 3650 CK_RV 3651 soft_build_key(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum, 3652 soft_object_t *new_object, CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, 3653 CK_ULONG key_len, CK_ULONG mode) 3654 { 3655 3656 CK_RV rv = CKR_OK; 3657 CK_OBJECT_CLASS temp_class = (CK_OBJECT_CLASS)~0UL; 3658 3659 /* Validate the attribute type in the template. */ 3660 if ((template != NULL) && (ulAttrNum != 0)) { 3661 rv = soft_validate_attr(template, ulAttrNum, &temp_class); 3662 if (rv != CKR_OK) 3663 return (rv); 3664 } 3665 3666 /* 3667 * If either the class from the parameter list ("class") or 3668 * the class from the template ("temp_class") is not specified, 3669 * try to use the other one. 3670 */ 3671 if (temp_class == (CK_OBJECT_CLASS)~0UL) { 3672 temp_class = class; 3673 } else if (class == (CK_OBJECT_CLASS)~0UL) { 3674 class = temp_class; 3675 } 3676 3677 /* If object class is still not specified, template is incomplete. */ 3678 if (class == (CK_OBJECT_CLASS)~0UL) 3679 return (CKR_TEMPLATE_INCOMPLETE); 3680 3681 /* Class should match if specified in both parameters and template. */ 3682 if (class != temp_class) 3683 return (CKR_TEMPLATE_INCONSISTENT); 3684 3685 /* 3686 * Call the appropriate function based on the supported class 3687 * of the object. 3688 */ 3689 switch (class) { 3690 case CKO_PUBLIC_KEY: 3691 3692 /* Unwrapping public keys is not supported. */ 3693 if (mode == SOFT_UNWRAP_KEY) { 3694 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3695 break; 3696 } 3697 3698 rv = soft_build_public_key_object(template, ulAttrNum, 3699 new_object, mode, key_type); 3700 break; 3701 3702 case CKO_PRIVATE_KEY: 3703 3704 rv = soft_build_private_key_object(template, ulAttrNum, 3705 new_object, mode, key_type); 3706 break; 3707 3708 case CKO_SECRET_KEY: 3709 3710 rv = soft_build_secret_key_object(template, ulAttrNum, 3711 new_object, mode, key_len, key_type); 3712 break; 3713 3714 case CKO_DOMAIN_PARAMETERS: 3715 3716 /* Unwrapping domain parameters is not supported. */ 3717 if (mode == SOFT_UNWRAP_KEY) { 3718 rv = CKR_ATTRIBUTE_VALUE_INVALID; 3719 break; 3720 } 3721 3722 rv = soft_build_domain_parameters_object(template, ulAttrNum, 3723 new_object); 3724 break; 3725 3726 case CKO_DATA: 3727 case CKO_CERTIFICATE: 3728 case CKO_HW_FEATURE: 3729 case CKO_VENDOR_DEFINED: 3730 default: 3731 return (CKR_ATTRIBUTE_VALUE_INVALID); 3732 } 3733 3734 return (rv); 3735 } 3736 3737 3738 /* 3739 * Get the value of a requested attribute that is common to all supported 3740 * classes (i.e. public key, private key, secret key, domain parameters, 3741 * and certificate classes). 3742 */ 3743 CK_RV 3744 soft_get_common_attrs(soft_object_t *object_p, CK_ATTRIBUTE_PTR template, 3745 uchar_t object_type) 3746 { 3747 3748 CK_RV rv = CKR_OK; 3749 3750 switch (template->type) { 3751 3752 case CKA_CLASS: 3753 return (get_ulong_attr_from_object(object_p->class, 3754 template)); 3755 3756 /* default boolean attributes */ 3757 case CKA_TOKEN: 3758 template->ulValueLen = sizeof (CK_BBOOL); 3759 if (template->pValue == NULL) { 3760 return (CKR_OK); 3761 } 3762 if (object_type & TOKEN_OBJECT) 3763 *((CK_BBOOL *)template->pValue) = B_TRUE; 3764 else 3765 *((CK_BBOOL *)template->pValue) = B_FALSE; 3766 break; 3767 3768 case CKA_PRIVATE: 3769 3770 template->ulValueLen = sizeof (CK_BBOOL); 3771 if (template->pValue == NULL) { 3772 return (CKR_OK); 3773 } 3774 if (object_type & PRIVATE_OBJECT) 3775 *((CK_BBOOL *)template->pValue) = B_TRUE; 3776 else 3777 *((CK_BBOOL *)template->pValue) = B_FALSE; 3778 break; 3779 3780 case CKA_MODIFIABLE: 3781 template->ulValueLen = sizeof (CK_BBOOL); 3782 if (template->pValue == NULL) { 3783 return (CKR_OK); 3784 } 3785 if ((object_p->bool_attr_mask) & NOT_MODIFIABLE_BOOL_ON) 3786 *((CK_BBOOL *)template->pValue) = B_FALSE; 3787 else 3788 *((CK_BBOOL *)template->pValue) = B_TRUE; 3789 break; 3790 3791 case CKA_LABEL: 3792 return (get_extra_attr_from_object(object_p, 3793 template)); 3794 3795 default: 3796 /* 3797 * The specified attribute for the object is invalid. 3798 * (the object does not possess such an attribute.) 3799 */ 3800 template->ulValueLen = (CK_ULONG)-1; 3801 return (CKR_ATTRIBUTE_TYPE_INVALID); 3802 } 3803 3804 return (rv); 3805 } 3806 3807 /* 3808 * Get the value of a requested attribute that is common to all key objects 3809 * (i.e. public key, private key and secret key). 3810 */ 3811 CK_RV 3812 soft_get_common_key_attrs(soft_object_t *object_p, CK_ATTRIBUTE_PTR template) 3813 { 3814 3815 switch (template->type) { 3816 3817 case CKA_KEY_TYPE: 3818 return (get_ulong_attr_from_object(object_p->key_type, 3819 template)); 3820 3821 case CKA_ID: 3822 case CKA_START_DATE: 3823 case CKA_END_DATE: 3824 /* 3825 * The above extra attributes have byte array type. 3826 */ 3827 return (get_extra_attr_from_object(object_p, 3828 template)); 3829 3830 /* Key related boolean attributes */ 3831 case CKA_LOCAL: 3832 return (get_bool_attr_from_object(object_p, 3833 LOCAL_BOOL_ON, template)); 3834 3835 case CKA_DERIVE: 3836 return (get_bool_attr_from_object(object_p, 3837 DERIVE_BOOL_ON, template)); 3838 3839 case CKA_KEY_GEN_MECHANISM: 3840 return (get_ulong_attr_from_object(object_p->mechanism, 3841 template)); 3842 3843 default: 3844 return (CKR_ATTRIBUTE_TYPE_INVALID); 3845 } 3846 } 3847 3848 /* 3849 * Get the value of a requested attribute of a Public Key Object. 3850 * 3851 * Rule: All the attributes in the public key object can be revealed. 3852 */ 3853 CK_RV 3854 soft_get_public_key_attribute(soft_object_t *object_p, 3855 CK_ATTRIBUTE_PTR template) 3856 { 3857 3858 CK_RV rv = CKR_OK; 3859 CK_KEY_TYPE keytype = object_p->key_type; 3860 3861 switch (template->type) { 3862 3863 case CKA_SUBJECT: 3864 case CKA_EC_PARAMS: 3865 /* 3866 * The above extra attributes have byte array type. 3867 */ 3868 return (get_extra_attr_from_object(object_p, 3869 template)); 3870 3871 /* Key related boolean attributes */ 3872 case CKA_ENCRYPT: 3873 return (get_bool_attr_from_object(object_p, 3874 ENCRYPT_BOOL_ON, template)); 3875 3876 case CKA_VERIFY: 3877 return (get_bool_attr_from_object(object_p, 3878 VERIFY_BOOL_ON, template)); 3879 3880 case CKA_VERIFY_RECOVER: 3881 return (get_bool_attr_from_object(object_p, 3882 VERIFY_RECOVER_BOOL_ON, template)); 3883 3884 case CKA_WRAP: 3885 return (get_bool_attr_from_object(object_p, 3886 WRAP_BOOL_ON, template)); 3887 3888 case CKA_TRUSTED: 3889 return (get_bool_attr_from_object(object_p, 3890 TRUSTED_BOOL_ON, template)); 3891 3892 case CKA_MODULUS: 3893 /* 3894 * This attribute is valid only for RSA public key 3895 * object. 3896 */ 3897 if (keytype == CKK_RSA) { 3898 return (get_bigint_attr_from_object( 3899 OBJ_PUB_RSA_MOD(object_p), template)); 3900 } else { 3901 template->ulValueLen = (CK_ULONG)-1; 3902 return (CKR_ATTRIBUTE_TYPE_INVALID); 3903 } 3904 3905 case CKA_PUBLIC_EXPONENT: 3906 if (keytype == CKK_RSA) { 3907 return (get_bigint_attr_from_object( 3908 OBJ_PUB_RSA_PUBEXPO(object_p), template)); 3909 } else { 3910 template->ulValueLen = (CK_ULONG)-1; 3911 return (CKR_ATTRIBUTE_TYPE_INVALID); 3912 } 3913 3914 case CKA_MODULUS_BITS: 3915 if (keytype == CKK_RSA) { 3916 return (get_ulong_attr_from_object( 3917 OBJ_PUB_RSA_MOD_BITS(object_p), template)); 3918 } else { 3919 template->ulValueLen = (CK_ULONG)-1; 3920 return (CKR_ATTRIBUTE_TYPE_INVALID); 3921 } 3922 3923 case CKA_PRIME: 3924 switch (keytype) { 3925 case CKK_DSA: 3926 return (get_bigint_attr_from_object( 3927 OBJ_PUB_DSA_PRIME(object_p), template)); 3928 3929 case CKK_DH: 3930 return (get_bigint_attr_from_object( 3931 OBJ_PUB_DH_PRIME(object_p), template)); 3932 3933 case CKK_X9_42_DH: 3934 return (get_bigint_attr_from_object( 3935 OBJ_PUB_DH942_PRIME(object_p), template)); 3936 3937 default: 3938 template->ulValueLen = (CK_ULONG)-1; 3939 return (CKR_ATTRIBUTE_TYPE_INVALID); 3940 } 3941 3942 case CKA_SUBPRIME: 3943 switch (keytype) { 3944 case CKK_DSA: 3945 return (get_bigint_attr_from_object( 3946 OBJ_PUB_DSA_SUBPRIME(object_p), template)); 3947 3948 case CKK_X9_42_DH: 3949 return (get_bigint_attr_from_object( 3950 OBJ_PUB_DH942_SUBPRIME(object_p), template)); 3951 3952 default: 3953 template->ulValueLen = (CK_ULONG)-1; 3954 return (CKR_ATTRIBUTE_TYPE_INVALID); 3955 } 3956 3957 case CKA_BASE: 3958 switch (keytype) { 3959 case CKK_DSA: 3960 return (get_bigint_attr_from_object( 3961 OBJ_PUB_DSA_BASE(object_p), template)); 3962 3963 case CKK_DH: 3964 return (get_bigint_attr_from_object( 3965 OBJ_PUB_DH_BASE(object_p), template)); 3966 3967 case CKK_X9_42_DH: 3968 return (get_bigint_attr_from_object( 3969 OBJ_PUB_DH942_BASE(object_p), template)); 3970 3971 default: 3972 template->ulValueLen = (CK_ULONG)-1; 3973 return (CKR_ATTRIBUTE_TYPE_INVALID); 3974 } 3975 3976 case CKA_EC_POINT: 3977 return (get_bigint_attr_from_object( 3978 OBJ_PUB_EC_POINT(object_p), template)); 3979 3980 case CKA_VALUE: 3981 switch (keytype) { 3982 case CKK_DSA: 3983 return (get_bigint_attr_from_object( 3984 OBJ_PUB_DSA_VALUE(object_p), template)); 3985 3986 case CKK_DH: 3987 return (get_bigint_attr_from_object( 3988 OBJ_PUB_DH_VALUE(object_p), template)); 3989 3990 case CKK_X9_42_DH: 3991 return (get_bigint_attr_from_object( 3992 OBJ_PUB_DH942_VALUE(object_p), template)); 3993 3994 default: 3995 template->ulValueLen = (CK_ULONG)-1; 3996 return (CKR_ATTRIBUTE_TYPE_INVALID); 3997 } 3998 3999 default: 4000 /* 4001 * First, get the value of the request attribute defined 4002 * in the list of common key attributes. If the request 4003 * attribute is not found in that list, then get the 4004 * attribute from the list of common attributes. 4005 */ 4006 rv = soft_get_common_key_attrs(object_p, template); 4007 if (rv == CKR_ATTRIBUTE_TYPE_INVALID) { 4008 rv = soft_get_common_attrs(object_p, template, 4009 object_p->object_type); 4010 } 4011 break; 4012 } 4013 4014 return (rv); 4015 } 4016 4017 4018 /* 4019 * Get the value of a requested attribute of a Private Key Object. 4020 * 4021 * Rule: All the attributes in the private key object can be revealed 4022 * except those marked with footnote number "7" when the object 4023 * has its CKA_SENSITIVE attribute set to TRUE or its 4024 * CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.). 4025 */ 4026 CK_RV 4027 soft_get_private_key_attribute(soft_object_t *object_p, 4028 CK_ATTRIBUTE_PTR template) 4029 { 4030 4031 CK_RV rv = CKR_OK; 4032 CK_KEY_TYPE keytype = object_p->key_type; 4033 4034 4035 /* 4036 * If the following specified attributes for the private key 4037 * object cannot be revealed because the object is sensitive 4038 * or unextractable, then the ulValueLen is set to -1. 4039 */ 4040 if ((object_p->bool_attr_mask & SENSITIVE_BOOL_ON) || 4041 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) { 4042 4043 switch (template->type) { 4044 case CKA_PRIVATE_EXPONENT: 4045 case CKA_PRIME_1: 4046 case CKA_PRIME_2: 4047 case CKA_EXPONENT_1: 4048 case CKA_EXPONENT_2: 4049 case CKA_COEFFICIENT: 4050 case CKA_VALUE: 4051 template->ulValueLen = (CK_ULONG)-1; 4052 return (CKR_ATTRIBUTE_SENSITIVE); 4053 } 4054 } 4055 4056 switch (template->type) { 4057 4058 case CKA_SUBJECT: 4059 case CKA_EC_PARAMS: 4060 /* 4061 * The above extra attributes have byte array type. 4062 */ 4063 return (get_extra_attr_from_object(object_p, 4064 template)); 4065 4066 /* Key related boolean attributes */ 4067 case CKA_SENSITIVE: 4068 return (get_bool_attr_from_object(object_p, 4069 SENSITIVE_BOOL_ON, template)); 4070 4071 case CKA_SECONDARY_AUTH: 4072 return (get_bool_attr_from_object(object_p, 4073 SECONDARY_AUTH_BOOL_ON, template)); 4074 4075 case CKA_DECRYPT: 4076 return (get_bool_attr_from_object(object_p, 4077 DECRYPT_BOOL_ON, template)); 4078 4079 case CKA_SIGN: 4080 return (get_bool_attr_from_object(object_p, 4081 SIGN_BOOL_ON, template)); 4082 4083 case CKA_SIGN_RECOVER: 4084 return (get_bool_attr_from_object(object_p, 4085 SIGN_RECOVER_BOOL_ON, template)); 4086 4087 case CKA_UNWRAP: 4088 return (get_bool_attr_from_object(object_p, 4089 UNWRAP_BOOL_ON, template)); 4090 4091 case CKA_EXTRACTABLE: 4092 return (get_bool_attr_from_object(object_p, 4093 EXTRACTABLE_BOOL_ON, template)); 4094 4095 case CKA_ALWAYS_SENSITIVE: 4096 return (get_bool_attr_from_object(object_p, 4097 ALWAYS_SENSITIVE_BOOL_ON, template)); 4098 4099 case CKA_NEVER_EXTRACTABLE: 4100 return (get_bool_attr_from_object(object_p, 4101 NEVER_EXTRACTABLE_BOOL_ON, template)); 4102 4103 case CKA_MODULUS: 4104 if (keytype == CKK_RSA) { 4105 return (get_bigint_attr_from_object( 4106 OBJ_PRI_RSA_MOD(object_p), template)); 4107 } else { 4108 template->ulValueLen = (CK_ULONG)-1; 4109 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4110 break; 4111 } 4112 4113 case CKA_PUBLIC_EXPONENT: 4114 if (keytype == CKK_RSA) { 4115 return (get_bigint_attr_from_object( 4116 OBJ_PRI_RSA_PUBEXPO(object_p), template)); 4117 } else { 4118 template->ulValueLen = (CK_ULONG)-1; 4119 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4120 break; 4121 } 4122 4123 case CKA_PRIVATE_EXPONENT: 4124 if (keytype == CKK_RSA) { 4125 return (get_bigint_attr_from_object( 4126 OBJ_PRI_RSA_PRIEXPO(object_p), template)); 4127 } else { 4128 template->ulValueLen = (CK_ULONG)-1; 4129 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4130 break; 4131 } 4132 4133 case CKA_PRIME_1: 4134 if (keytype == CKK_RSA) { 4135 return (get_bigint_attr_from_object( 4136 OBJ_PRI_RSA_PRIME1(object_p), template)); 4137 } else { 4138 template->ulValueLen = (CK_ULONG)-1; 4139 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4140 break; 4141 } 4142 4143 case CKA_PRIME_2: 4144 if (keytype == CKK_RSA) { 4145 return (get_bigint_attr_from_object( 4146 OBJ_PRI_RSA_PRIME2(object_p), template)); 4147 } else { 4148 template->ulValueLen = (CK_ULONG)-1; 4149 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4150 break; 4151 } 4152 4153 case CKA_EXPONENT_1: 4154 if (keytype == CKK_RSA) { 4155 return (get_bigint_attr_from_object( 4156 OBJ_PRI_RSA_EXPO1(object_p), template)); 4157 } else { 4158 template->ulValueLen = (CK_ULONG)-1; 4159 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4160 break; 4161 } 4162 4163 case CKA_EXPONENT_2: 4164 if (keytype == CKK_RSA) { 4165 return (get_bigint_attr_from_object( 4166 OBJ_PRI_RSA_EXPO2(object_p), template)); 4167 } else { 4168 template->ulValueLen = (CK_ULONG)-1; 4169 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4170 break; 4171 } 4172 4173 case CKA_COEFFICIENT: 4174 if (keytype == CKK_RSA) { 4175 return (get_bigint_attr_from_object( 4176 OBJ_PRI_RSA_COEF(object_p), template)); 4177 } else { 4178 template->ulValueLen = (CK_ULONG)-1; 4179 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4180 break; 4181 } 4182 4183 case CKA_VALUE_BITS: 4184 if (keytype == CKK_DH) { 4185 return (get_ulong_attr_from_object( 4186 OBJ_PRI_DH_VAL_BITS(object_p), template)); 4187 } else { 4188 template->ulValueLen = (CK_ULONG)-1; 4189 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4190 break; 4191 } 4192 4193 case CKA_PRIME: 4194 switch (keytype) { 4195 case CKK_DSA: 4196 return (get_bigint_attr_from_object( 4197 OBJ_PRI_DSA_PRIME(object_p), template)); 4198 4199 case CKK_DH: 4200 return (get_bigint_attr_from_object( 4201 OBJ_PRI_DH_PRIME(object_p), template)); 4202 4203 case CKK_X9_42_DH: 4204 return (get_bigint_attr_from_object( 4205 OBJ_PRI_DH942_PRIME(object_p), template)); 4206 4207 default: 4208 template->ulValueLen = (CK_ULONG)-1; 4209 return (CKR_ATTRIBUTE_TYPE_INVALID); 4210 } 4211 4212 case CKA_SUBPRIME: 4213 switch (keytype) { 4214 case CKK_DSA: 4215 return (get_bigint_attr_from_object( 4216 OBJ_PRI_DSA_SUBPRIME(object_p), template)); 4217 4218 case CKK_X9_42_DH: 4219 return (get_bigint_attr_from_object( 4220 OBJ_PRI_DH942_SUBPRIME(object_p), template)); 4221 4222 default: 4223 template->ulValueLen = (CK_ULONG)-1; 4224 return (CKR_ATTRIBUTE_TYPE_INVALID); 4225 } 4226 4227 case CKA_BASE: 4228 switch (keytype) { 4229 case CKK_DSA: 4230 return (get_bigint_attr_from_object( 4231 OBJ_PRI_DSA_BASE(object_p), template)); 4232 4233 case CKK_DH: 4234 return (get_bigint_attr_from_object( 4235 OBJ_PRI_DH_BASE(object_p), template)); 4236 4237 case CKK_X9_42_DH: 4238 return (get_bigint_attr_from_object( 4239 OBJ_PRI_DH942_BASE(object_p), template)); 4240 4241 default: 4242 template->ulValueLen = (CK_ULONG)-1; 4243 return (CKR_ATTRIBUTE_TYPE_INVALID); 4244 } 4245 4246 case CKA_VALUE: 4247 switch (keytype) { 4248 case CKK_DSA: 4249 return (get_bigint_attr_from_object( 4250 OBJ_PRI_DSA_VALUE(object_p), template)); 4251 4252 case CKK_DH: 4253 return (get_bigint_attr_from_object( 4254 OBJ_PRI_DH_VALUE(object_p), template)); 4255 4256 case CKK_X9_42_DH: 4257 return (get_bigint_attr_from_object( 4258 OBJ_PRI_DH942_VALUE(object_p), template)); 4259 4260 case CKK_EC: 4261 return (get_bigint_attr_from_object( 4262 OBJ_PRI_EC_VALUE(object_p), template)); 4263 4264 default: 4265 template->ulValueLen = (CK_ULONG)-1; 4266 return (CKR_ATTRIBUTE_TYPE_INVALID); 4267 } 4268 4269 default: 4270 /* 4271 * First, get the value of the request attribute defined 4272 * in the list of common key attributes. If the request 4273 * attribute is not found in that list, then get the 4274 * attribute from the list of common attributes. 4275 */ 4276 rv = soft_get_common_key_attrs(object_p, template); 4277 if (rv == CKR_ATTRIBUTE_TYPE_INVALID) { 4278 rv = soft_get_common_attrs(object_p, template, 4279 object_p->object_type); 4280 } 4281 break; 4282 } 4283 4284 return (rv); 4285 } 4286 4287 4288 /* 4289 * Get the value of a requested attribute of a Secret Key Object. 4290 * 4291 * Rule: All the attributes in the secret key object can be revealed 4292 * except those marked with footnote number "7" when the object 4293 * has its CKA_SENSITIVE attribute set to TRUE or its 4294 * CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.). 4295 */ 4296 CK_RV 4297 soft_get_secret_key_attribute(soft_object_t *object_p, 4298 CK_ATTRIBUTE_PTR template) 4299 { 4300 4301 CK_RV rv = CKR_OK; 4302 CK_KEY_TYPE keytype = object_p->key_type; 4303 4304 switch (template->type) { 4305 4306 /* Key related boolean attributes */ 4307 case CKA_SENSITIVE: 4308 return (get_bool_attr_from_object(object_p, 4309 SENSITIVE_BOOL_ON, template)); 4310 4311 case CKA_ENCRYPT: 4312 return (get_bool_attr_from_object(object_p, 4313 ENCRYPT_BOOL_ON, template)); 4314 4315 case CKA_DECRYPT: 4316 return (get_bool_attr_from_object(object_p, 4317 DECRYPT_BOOL_ON, template)); 4318 4319 case CKA_SIGN: 4320 return (get_bool_attr_from_object(object_p, 4321 SIGN_BOOL_ON, template)); 4322 4323 case CKA_VERIFY: 4324 return (get_bool_attr_from_object(object_p, 4325 VERIFY_BOOL_ON, template)); 4326 4327 case CKA_WRAP: 4328 return (get_bool_attr_from_object(object_p, 4329 WRAP_BOOL_ON, template)); 4330 4331 case CKA_UNWRAP: 4332 return (get_bool_attr_from_object(object_p, 4333 UNWRAP_BOOL_ON, template)); 4334 4335 case CKA_EXTRACTABLE: 4336 return (get_bool_attr_from_object(object_p, 4337 EXTRACTABLE_BOOL_ON, template)); 4338 4339 case CKA_ALWAYS_SENSITIVE: 4340 return (get_bool_attr_from_object(object_p, 4341 ALWAYS_SENSITIVE_BOOL_ON, template)); 4342 4343 case CKA_NEVER_EXTRACTABLE: 4344 return (get_bool_attr_from_object(object_p, 4345 NEVER_EXTRACTABLE_BOOL_ON, template)); 4346 4347 case CKA_VALUE: 4348 case CKA_VALUE_LEN: 4349 /* 4350 * If the specified attribute for the secret key object 4351 * cannot be revealed because the object is sensitive 4352 * or unextractable, then the ulValueLen is set to -1. 4353 */ 4354 if ((object_p->bool_attr_mask & SENSITIVE_BOOL_ON) || 4355 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) { 4356 template->ulValueLen = (CK_ULONG)-1; 4357 return (CKR_ATTRIBUTE_SENSITIVE); 4358 } 4359 4360 switch (keytype) { 4361 case CKK_RC4: 4362 case CKK_GENERIC_SECRET: 4363 case CKK_RC5: 4364 case CKK_DES: 4365 case CKK_DES2: 4366 case CKK_DES3: 4367 case CKK_CDMF: 4368 case CKK_AES: 4369 case CKK_BLOWFISH: 4370 if (template->type == CKA_VALUE_LEN) { 4371 return (get_ulong_attr_from_object( 4372 OBJ_SEC_VALUE_LEN(object_p), 4373 template)); 4374 } else { 4375 return (get_bigint_attr_from_object( 4376 (biginteger_t *)OBJ_SEC(object_p), 4377 template)); 4378 } 4379 default: 4380 template->ulValueLen = (CK_ULONG)-1; 4381 rv = CKR_ATTRIBUTE_TYPE_INVALID; 4382 break; 4383 } 4384 break; 4385 4386 default: 4387 /* 4388 * First, get the value of the request attribute defined 4389 * in the list of common key attributes. If the request 4390 * attribute is not found in that list, then get the 4391 * attribute from the list of common attributes. 4392 */ 4393 rv = soft_get_common_key_attrs(object_p, template); 4394 if (rv == CKR_ATTRIBUTE_TYPE_INVALID) { 4395 rv = soft_get_common_attrs(object_p, template, 4396 object_p->object_type); 4397 } 4398 break; 4399 } 4400 4401 return (rv); 4402 } 4403 4404 4405 /* 4406 * Get the value of a requested attribute of a Domain Parameters Object. 4407 * 4408 * Rule: All the attributes in the domain parameters object can be revealed. 4409 */ 4410 CK_RV 4411 soft_get_domain_parameters_attribute(soft_object_t *object_p, 4412 CK_ATTRIBUTE_PTR template) 4413 { 4414 4415 CK_RV rv = CKR_OK; 4416 CK_KEY_TYPE keytype = object_p->key_type; 4417 4418 switch (template->type) { 4419 4420 case CKA_KEY_TYPE: 4421 return (get_ulong_attr_from_object(keytype, 4422 template)); 4423 4424 case CKA_LOCAL: 4425 return (get_bool_attr_from_object(object_p, 4426 LOCAL_BOOL_ON, template)); 4427 4428 case CKA_PRIME: 4429 switch (keytype) { 4430 case CKK_DSA: 4431 return (get_bigint_attr_from_object( 4432 OBJ_DOM_DSA_PRIME(object_p), template)); 4433 4434 case CKK_DH: 4435 return (get_bigint_attr_from_object( 4436 OBJ_DOM_DH_PRIME(object_p), template)); 4437 4438 case CKK_X9_42_DH: 4439 return (get_bigint_attr_from_object( 4440 OBJ_DOM_DH942_PRIME(object_p), template)); 4441 4442 default: 4443 template->ulValueLen = (CK_ULONG)-1; 4444 return (CKR_ATTRIBUTE_TYPE_INVALID); 4445 } 4446 4447 case CKA_SUBPRIME: 4448 switch (keytype) { 4449 case CKK_DSA: 4450 return (get_bigint_attr_from_object( 4451 OBJ_DOM_DSA_SUBPRIME(object_p), template)); 4452 4453 case CKK_X9_42_DH: 4454 return (get_bigint_attr_from_object( 4455 OBJ_DOM_DH942_SUBPRIME(object_p), template)); 4456 4457 default: 4458 template->ulValueLen = (CK_ULONG)-1; 4459 return (CKR_ATTRIBUTE_TYPE_INVALID); 4460 } 4461 4462 case CKA_BASE: 4463 switch (keytype) { 4464 case CKK_DSA: 4465 return (get_bigint_attr_from_object( 4466 OBJ_DOM_DSA_BASE(object_p), template)); 4467 4468 case CKK_DH: 4469 return (get_bigint_attr_from_object( 4470 OBJ_DOM_DH_BASE(object_p), template)); 4471 4472 case CKK_X9_42_DH: 4473 return (get_bigint_attr_from_object( 4474 OBJ_DOM_DH942_BASE(object_p), template)); 4475 4476 default: 4477 template->ulValueLen = (CK_ULONG)-1; 4478 return (CKR_ATTRIBUTE_TYPE_INVALID); 4479 } 4480 4481 case CKA_PRIME_BITS: 4482 switch (keytype) { 4483 case CKK_DSA: 4484 return (get_ulong_attr_from_object( 4485 OBJ_DOM_DSA_PRIME_BITS(object_p), template)); 4486 4487 case CKK_DH: 4488 return (get_ulong_attr_from_object( 4489 OBJ_DOM_DH_PRIME_BITS(object_p), template)); 4490 4491 case CKK_X9_42_DH: 4492 return (get_ulong_attr_from_object( 4493 OBJ_DOM_DH942_PRIME_BITS(object_p), template)); 4494 4495 default: 4496 template->ulValueLen = (CK_ULONG)-1; 4497 return (CKR_ATTRIBUTE_TYPE_INVALID); 4498 } 4499 4500 case CKA_SUB_PRIME_BITS: 4501 switch (keytype) { 4502 case CKK_X9_42_DH: 4503 return (get_ulong_attr_from_object( 4504 OBJ_DOM_DH942_SUBPRIME_BITS(object_p), template)); 4505 4506 default: 4507 template->ulValueLen = (CK_ULONG)-1; 4508 return (CKR_ATTRIBUTE_TYPE_INVALID); 4509 } 4510 4511 default: 4512 /* 4513 * Get the value of a common attribute. 4514 */ 4515 rv = soft_get_common_attrs(object_p, template, 4516 object_p->object_type); 4517 break; 4518 } 4519 4520 return (rv); 4521 } 4522 4523 /* 4524 * Get certificate attributes from an object. 4525 * return CKR_ATTRIBUTE_TYPE_INVALID if the requested type 4526 * does not exist in the certificate. 4527 */ 4528 CK_RV 4529 soft_get_certificate_attribute(soft_object_t *object_p, 4530 CK_ATTRIBUTE_PTR template) 4531 { 4532 CK_CERTIFICATE_TYPE certtype = object_p->cert_type; 4533 cert_attr_t src; 4534 4535 switch (template->type) { 4536 case CKA_SUBJECT: 4537 if (certtype == CKC_X_509) { 4538 return (get_cert_attr_from_object( 4539 X509_CERT_SUBJECT(object_p), template)); 4540 } 4541 break; 4542 case CKA_VALUE: 4543 if (certtype == CKC_X_509) { 4544 return (get_cert_attr_from_object( 4545 X509_CERT_VALUE(object_p), template)); 4546 } else if (certtype == CKC_X_509_ATTR_CERT) { 4547 return (get_cert_attr_from_object( 4548 X509_ATTR_CERT_VALUE(object_p), template)); 4549 } 4550 break; 4551 case CKA_OWNER: 4552 if (certtype == CKC_X_509_ATTR_CERT) { 4553 return (get_cert_attr_from_object( 4554 X509_ATTR_CERT_OWNER(object_p), template)); 4555 } 4556 break; 4557 case CKA_CERTIFICATE_TYPE: 4558 src.value = (CK_BYTE *)&certtype; 4559 src.length = sizeof (certtype); 4560 return (get_cert_attr_from_object(&src, template)); 4561 case CKA_TRUSTED: 4562 return (get_bool_attr_from_object(object_p, 4563 TRUSTED_BOOL_ON, template)); 4564 case CKA_ID: 4565 case CKA_ISSUER: 4566 case CKA_SERIAL_NUMBER: 4567 case CKA_AC_ISSUER: 4568 case CKA_ATTR_TYPES: 4569 return (get_extra_attr_from_object(object_p, 4570 template)); 4571 default: 4572 return (soft_get_common_attrs(object_p, template, 4573 object_p->object_type)); 4574 } 4575 4576 /* 4577 * If we got this far, then the combination of certificate type 4578 * and requested attribute is invalid. 4579 */ 4580 return (CKR_ATTRIBUTE_TYPE_INVALID); 4581 } 4582 4583 CK_RV 4584 soft_set_certificate_attribute(soft_object_t *object_p, 4585 CK_ATTRIBUTE_PTR template, boolean_t copy) 4586 { 4587 CK_CERTIFICATE_TYPE certtype = object_p->cert_type; 4588 4589 switch (template->type) { 4590 case CKA_SUBJECT: 4591 if (certtype == CKC_X_509) { 4592 /* SUBJECT attr cannot be modified. */ 4593 return (CKR_ATTRIBUTE_READ_ONLY); 4594 } 4595 break; 4596 case CKA_OWNER: 4597 if (certtype == CKC_X_509_ATTR_CERT) { 4598 /* OWNER attr cannot be modified. */ 4599 return (CKR_ATTRIBUTE_READ_ONLY); 4600 } 4601 break; 4602 case CKA_VALUE: 4603 /* VALUE attr cannot be modified. */ 4604 return (CKR_ATTRIBUTE_READ_ONLY); 4605 case CKA_ID: 4606 case CKA_ISSUER: 4607 if (certtype == CKC_X_509) { 4608 return (set_extra_attr_to_object(object_p, 4609 template->type, template)); 4610 } 4611 break; 4612 case CKA_AC_ISSUER: 4613 case CKA_ATTR_TYPES: 4614 if (certtype == CKC_X_509_ATTR_CERT) { 4615 return (set_extra_attr_to_object(object_p, 4616 template->type, template)); 4617 } 4618 break; 4619 case CKA_SERIAL_NUMBER: 4620 case CKA_LABEL: 4621 return (set_extra_attr_to_object(object_p, 4622 template->type, template)); 4623 default: 4624 return (soft_set_common_storage_attribute( 4625 object_p, template, copy)); 4626 } 4627 4628 /* 4629 * If we got this far, then the combination of certificate type 4630 * and requested attribute is invalid. 4631 */ 4632 return (CKR_ATTRIBUTE_TYPE_INVALID); 4633 } 4634 4635 /* 4636 * Call the appropriate get attribute function according to the class 4637 * of object. 4638 * 4639 * The caller of this function holds the lock on the object. 4640 */ 4641 CK_RV 4642 soft_get_attribute(soft_object_t *object_p, CK_ATTRIBUTE_PTR template) 4643 { 4644 4645 CK_RV rv = CKR_OK; 4646 CK_OBJECT_CLASS class = object_p->class; 4647 4648 switch (class) { 4649 case CKO_PUBLIC_KEY: 4650 rv = soft_get_public_key_attribute(object_p, template); 4651 break; 4652 4653 case CKO_PRIVATE_KEY: 4654 rv = soft_get_private_key_attribute(object_p, template); 4655 break; 4656 4657 case CKO_SECRET_KEY: 4658 rv = soft_get_secret_key_attribute(object_p, template); 4659 break; 4660 4661 case CKO_DOMAIN_PARAMETERS: 4662 rv = soft_get_domain_parameters_attribute(object_p, template); 4663 break; 4664 4665 case CKO_CERTIFICATE: 4666 rv = soft_get_certificate_attribute(object_p, template); 4667 break; 4668 4669 default: 4670 /* 4671 * If the specified attribute for the object is invalid 4672 * (the object does not possess such as attribute), then 4673 * the ulValueLen is modified to hold the value -1. 4674 */ 4675 template->ulValueLen = (CK_ULONG)-1; 4676 return (CKR_ATTRIBUTE_TYPE_INVALID); 4677 } 4678 4679 return (rv); 4680 4681 } 4682 4683 CK_RV 4684 soft_set_common_storage_attribute(soft_object_t *object_p, 4685 CK_ATTRIBUTE_PTR template, boolean_t copy) 4686 { 4687 4688 CK_RV rv = CKR_OK; 4689 4690 switch (template->type) { 4691 4692 case CKA_TOKEN: 4693 if (copy) { 4694 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) { 4695 if (!soft_keystore_status(KEYSTORE_INITIALIZED)) 4696 return (CKR_DEVICE_REMOVED); 4697 object_p->object_type |= TOKEN_OBJECT; 4698 } 4699 } else { 4700 rv = CKR_ATTRIBUTE_READ_ONLY; 4701 } 4702 4703 break; 4704 4705 case CKA_PRIVATE: 4706 if (copy) { 4707 if ((*(CK_BBOOL *)template->pValue) == B_TRUE) { 4708 (void) pthread_mutex_lock(&soft_giant_mutex); 4709 if (!soft_slot.authenticated) { 4710 /* 4711 * Check if this is the special case 4712 * when the PIN is never initialized 4713 * in the keystore. If true, we will 4714 * let it pass here and let it fail 4715 * with CKR_PIN_EXPIRED later on. 4716 */ 4717 if (!soft_slot.userpin_change_needed) { 4718 (void) pthread_mutex_unlock( 4719 &soft_giant_mutex); 4720 return (CKR_USER_NOT_LOGGED_IN); 4721 } 4722 } 4723 (void) pthread_mutex_unlock(&soft_giant_mutex); 4724 object_p->object_type |= PRIVATE_OBJECT; 4725 } 4726 } else { 4727 rv = CKR_ATTRIBUTE_READ_ONLY; 4728 } 4729 break; 4730 4731 case CKA_MODIFIABLE: 4732 if (copy) { 4733 if ((*(CK_BBOOL *)template->pValue) == TRUE) 4734 object_p->bool_attr_mask &= 4735 ~NOT_MODIFIABLE_BOOL_ON; 4736 else 4737 object_p->bool_attr_mask |= 4738 NOT_MODIFIABLE_BOOL_ON; 4739 } else { 4740 rv = CKR_ATTRIBUTE_READ_ONLY; 4741 } 4742 break; 4743 4744 case CKA_CLASS: 4745 rv = CKR_ATTRIBUTE_READ_ONLY; 4746 break; 4747 4748 default: 4749 rv = CKR_TEMPLATE_INCONSISTENT; 4750 } 4751 4752 return (rv); 4753 } 4754 4755 /* 4756 * Set the value of an attribute that is common to all key objects 4757 * (i.e. public key, private key and secret key). 4758 */ 4759 CK_RV 4760 soft_set_common_key_attribute(soft_object_t *object_p, 4761 CK_ATTRIBUTE_PTR template, boolean_t copy) 4762 { 4763 4764 switch (template->type) { 4765 4766 case CKA_LABEL: 4767 /* 4768 * Only the LABEL can be modified in the common storage 4769 * object attributes after the object is created. 4770 */ 4771 return (set_extra_attr_to_object(object_p, 4772 CKA_LABEL, template)); 4773 4774 case CKA_ID: 4775 return (set_extra_attr_to_object(object_p, 4776 CKA_ID, template)); 4777 4778 case CKA_START_DATE: 4779 return (set_extra_attr_to_object(object_p, 4780 CKA_START_DATE, template)); 4781 4782 case CKA_END_DATE: 4783 return (set_extra_attr_to_object(object_p, 4784 CKA_END_DATE, template)); 4785 4786 case CKA_DERIVE: 4787 return (set_bool_attr_to_object(object_p, 4788 DERIVE_BOOL_ON, template)); 4789 4790 case CKA_KEY_TYPE: 4791 case CKA_LOCAL: 4792 case CKA_KEY_GEN_MECHANISM: 4793 return (CKR_ATTRIBUTE_READ_ONLY); 4794 4795 default: 4796 return (soft_set_common_storage_attribute(object_p, 4797 template, copy)); 4798 4799 } 4800 4801 } 4802 4803 4804 /* 4805 * Set the value of an attribute of a Public Key Object. 4806 * 4807 * Rule: The attributes marked with footnote number "8" in the PKCS11 4808 * spec may be modified (p.88 in PKCS11 spec.). 4809 */ 4810 CK_RV 4811 soft_set_public_key_attribute(soft_object_t *object_p, 4812 CK_ATTRIBUTE_PTR template, boolean_t copy) 4813 { 4814 CK_KEY_TYPE keytype = object_p->key_type; 4815 4816 switch (template->type) { 4817 4818 case CKA_SUBJECT: 4819 return (set_extra_attr_to_object(object_p, 4820 CKA_SUBJECT, template)); 4821 4822 case CKA_ENCRYPT: 4823 return (set_bool_attr_to_object(object_p, 4824 ENCRYPT_BOOL_ON, template)); 4825 4826 case CKA_VERIFY: 4827 return (set_bool_attr_to_object(object_p, 4828 VERIFY_BOOL_ON, template)); 4829 4830 case CKA_VERIFY_RECOVER: 4831 return (set_bool_attr_to_object(object_p, 4832 VERIFY_RECOVER_BOOL_ON, template)); 4833 4834 case CKA_WRAP: 4835 return (set_bool_attr_to_object(object_p, 4836 WRAP_BOOL_ON, template)); 4837 4838 case CKA_MODULUS: 4839 case CKA_MODULUS_BITS: 4840 case CKA_PUBLIC_EXPONENT: 4841 if (keytype == CKK_RSA) 4842 return (CKR_ATTRIBUTE_READ_ONLY); 4843 break; 4844 4845 case CKA_SUBPRIME: 4846 if ((keytype == CKK_DSA) || 4847 (keytype == CKK_X9_42_DH)) 4848 return (CKR_ATTRIBUTE_READ_ONLY); 4849 break; 4850 4851 case CKA_PRIME: 4852 case CKA_BASE: 4853 case CKA_VALUE: 4854 if ((keytype == CKK_DSA) || 4855 (keytype == CKK_DH) || 4856 (keytype == CKK_X9_42_DH)) 4857 return (CKR_ATTRIBUTE_READ_ONLY); 4858 break; 4859 4860 default: 4861 /* 4862 * Set the value of a common key attribute. 4863 */ 4864 return (soft_set_common_key_attribute(object_p, 4865 template, copy)); 4866 4867 } 4868 /* 4869 * If we got this far, then the combination of key type 4870 * and requested attribute is invalid. 4871 */ 4872 return (CKR_ATTRIBUTE_TYPE_INVALID); 4873 } 4874 4875 4876 /* 4877 * Set the value of an attribute of a Private Key Object. 4878 * 4879 * Rule: The attributes marked with footnote number "8" in the PKCS11 4880 * spec may be modified (p.88 in PKCS11 spec.). 4881 */ 4882 CK_RV 4883 soft_set_private_key_attribute(soft_object_t *object_p, 4884 CK_ATTRIBUTE_PTR template, boolean_t copy) 4885 { 4886 CK_KEY_TYPE keytype = object_p->key_type; 4887 4888 switch (template->type) { 4889 4890 case CKA_SUBJECT: 4891 return (set_extra_attr_to_object(object_p, 4892 CKA_SUBJECT, template)); 4893 4894 case CKA_SENSITIVE: 4895 /* 4896 * Cannot set SENSITIVE to FALSE if it is already ON. 4897 */ 4898 if (((*(CK_BBOOL *)template->pValue) == B_FALSE) && 4899 (object_p->bool_attr_mask & SENSITIVE_BOOL_ON)) { 4900 return (CKR_ATTRIBUTE_READ_ONLY); 4901 } 4902 4903 if (*(CK_BBOOL *)template->pValue) 4904 object_p->bool_attr_mask |= SENSITIVE_BOOL_ON; 4905 return (CKR_OK); 4906 4907 case CKA_DECRYPT: 4908 return (set_bool_attr_to_object(object_p, 4909 DECRYPT_BOOL_ON, template)); 4910 4911 case CKA_SIGN: 4912 return (set_bool_attr_to_object(object_p, 4913 SIGN_BOOL_ON, template)); 4914 4915 case CKA_SIGN_RECOVER: 4916 return (set_bool_attr_to_object(object_p, 4917 SIGN_RECOVER_BOOL_ON, template)); 4918 4919 case CKA_UNWRAP: 4920 return (set_bool_attr_to_object(object_p, 4921 UNWRAP_BOOL_ON, template)); 4922 4923 case CKA_EXTRACTABLE: 4924 /* 4925 * Cannot set EXTRACTABLE to TRUE if it is already OFF. 4926 */ 4927 if ((*(CK_BBOOL *)template->pValue) && 4928 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) { 4929 return (CKR_ATTRIBUTE_READ_ONLY); 4930 } 4931 4932 if ((*(CK_BBOOL *)template->pValue) == B_FALSE) 4933 object_p->bool_attr_mask &= ~EXTRACTABLE_BOOL_ON; 4934 return (CKR_OK); 4935 4936 case CKA_MODULUS: 4937 case CKA_PUBLIC_EXPONENT: 4938 case CKA_PRIVATE_EXPONENT: 4939 case CKA_PRIME_1: 4940 case CKA_PRIME_2: 4941 case CKA_EXPONENT_1: 4942 case CKA_EXPONENT_2: 4943 case CKA_COEFFICIENT: 4944 if (keytype == CKK_RSA) { 4945 return (CKR_ATTRIBUTE_READ_ONLY); 4946 } 4947 break; 4948 4949 case CKA_SUBPRIME: 4950 if ((keytype == CKK_DSA) || 4951 (keytype == CKK_X9_42_DH)) 4952 return (CKR_ATTRIBUTE_READ_ONLY); 4953 break; 4954 4955 case CKA_PRIME: 4956 case CKA_BASE: 4957 case CKA_VALUE: 4958 if ((keytype == CKK_DSA) || 4959 (keytype == CKK_DH) || 4960 (keytype == CKK_X9_42_DH)) 4961 return (CKR_ATTRIBUTE_READ_ONLY); 4962 break; 4963 4964 case CKA_VALUE_BITS: 4965 if (keytype == CKK_DH) 4966 return (CKR_ATTRIBUTE_READ_ONLY); 4967 break; 4968 4969 default: 4970 /* 4971 * Set the value of a common key attribute. 4972 */ 4973 return (soft_set_common_key_attribute(object_p, 4974 template, copy)); 4975 } 4976 4977 /* 4978 * If we got this far, then the combination of key type 4979 * and requested attribute is invalid. 4980 */ 4981 return (CKR_ATTRIBUTE_TYPE_INVALID); 4982 } 4983 4984 /* 4985 * Set the value of an attribute of a Secret Key Object. 4986 * 4987 * Rule: The attributes marked with footnote number "8" in the PKCS11 4988 * spec may be modified (p.88 in PKCS11 spec.). 4989 */ 4990 CK_RV 4991 soft_set_secret_key_attribute(soft_object_t *object_p, 4992 CK_ATTRIBUTE_PTR template, boolean_t copy) 4993 { 4994 CK_KEY_TYPE keytype = object_p->key_type; 4995 4996 switch (template->type) { 4997 4998 case CKA_SENSITIVE: 4999 /* 5000 * Cannot set SENSITIVE to FALSE if it is already ON. 5001 */ 5002 if (((*(CK_BBOOL *)template->pValue) == B_FALSE) && 5003 (object_p->bool_attr_mask & SENSITIVE_BOOL_ON)) { 5004 return (CKR_ATTRIBUTE_READ_ONLY); 5005 } 5006 5007 if (*(CK_BBOOL *)template->pValue) 5008 object_p->bool_attr_mask |= SENSITIVE_BOOL_ON; 5009 return (CKR_OK); 5010 5011 case CKA_ENCRYPT: 5012 return (set_bool_attr_to_object(object_p, 5013 ENCRYPT_BOOL_ON, template)); 5014 5015 case CKA_DECRYPT: 5016 return (set_bool_attr_to_object(object_p, 5017 DECRYPT_BOOL_ON, template)); 5018 5019 case CKA_SIGN: 5020 return (set_bool_attr_to_object(object_p, 5021 SIGN_BOOL_ON, template)); 5022 5023 case CKA_VERIFY: 5024 return (set_bool_attr_to_object(object_p, 5025 VERIFY_BOOL_ON, template)); 5026 5027 case CKA_WRAP: 5028 return (set_bool_attr_to_object(object_p, 5029 WRAP_BOOL_ON, template)); 5030 5031 case CKA_UNWRAP: 5032 return (set_bool_attr_to_object(object_p, 5033 UNWRAP_BOOL_ON, template)); 5034 5035 case CKA_EXTRACTABLE: 5036 /* 5037 * Cannot set EXTRACTABLE to TRUE if it is already OFF. 5038 */ 5039 if ((*(CK_BBOOL *)template->pValue) && 5040 !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) { 5041 return (CKR_ATTRIBUTE_READ_ONLY); 5042 } 5043 5044 if ((*(CK_BBOOL *)template->pValue) == B_FALSE) 5045 object_p->bool_attr_mask &= ~EXTRACTABLE_BOOL_ON; 5046 return (CKR_OK); 5047 5048 case CKA_VALUE: 5049 return (CKR_ATTRIBUTE_READ_ONLY); 5050 5051 case CKA_VALUE_LEN: 5052 if ((keytype == CKK_RC4) || 5053 (keytype == CKK_GENERIC_SECRET) || 5054 (keytype == CKK_AES) || 5055 (keytype == CKK_BLOWFISH)) 5056 return (CKR_ATTRIBUTE_READ_ONLY); 5057 break; 5058 5059 default: 5060 /* 5061 * Set the value of a common key attribute. 5062 */ 5063 return (soft_set_common_key_attribute(object_p, 5064 template, copy)); 5065 5066 } 5067 /* 5068 * If we got this far, then the combination of key type 5069 * and requested attribute is invalid. 5070 */ 5071 return (CKR_ATTRIBUTE_TYPE_INVALID); 5072 } 5073 5074 5075 /* 5076 * Call the appropriate set attribute function according to the class 5077 * of object. 5078 * 5079 * The caller of this function does not hold the lock on the original 5080 * object, since this function is setting the attribute on the new object 5081 * that is being modified. 5082 * 5083 * Argument copy: TRUE when called by C_CopyObject, 5084 * FALSE when called by C_SetAttributeValue. 5085 */ 5086 CK_RV 5087 soft_set_attribute(soft_object_t *object_p, CK_ATTRIBUTE_PTR template, 5088 boolean_t copy) 5089 { 5090 5091 CK_RV rv = CKR_OK; 5092 CK_OBJECT_CLASS class = object_p->class; 5093 5094 switch (class) { 5095 5096 case CKO_PUBLIC_KEY: 5097 rv = soft_set_public_key_attribute(object_p, template, copy); 5098 break; 5099 5100 case CKO_PRIVATE_KEY: 5101 rv = soft_set_private_key_attribute(object_p, template, copy); 5102 break; 5103 5104 case CKO_SECRET_KEY: 5105 rv = soft_set_secret_key_attribute(object_p, template, copy); 5106 break; 5107 5108 case CKO_DOMAIN_PARAMETERS: 5109 switch (template->type) { 5110 case CKA_LABEL: 5111 /* 5112 * Only the LABEL can be modified in the common 5113 * storage object attributes after the object is 5114 * created. 5115 */ 5116 return (set_extra_attr_to_object(object_p, 5117 CKA_LABEL, template)); 5118 default: 5119 return (CKR_TEMPLATE_INCONSISTENT); 5120 } 5121 case CKO_CERTIFICATE: 5122 rv = soft_set_certificate_attribute(object_p, template, copy); 5123 break; 5124 5125 default: 5126 /* 5127 * If the template specifies a value of an attribute 5128 * which is incompatible with other existing attributes 5129 * of the object, then fails with return code 5130 * CKR_TEMPLATE_INCONSISTENT. 5131 */ 5132 rv = CKR_TEMPLATE_INCONSISTENT; 5133 break; 5134 } 5135 5136 return (rv); 5137 } 5138 5139 CK_RV 5140 soft_get_public_value(soft_object_t *key, CK_ATTRIBUTE_TYPE type, 5141 uchar_t *value, uint32_t *value_len) 5142 { 5143 uint32_t len = 0; 5144 switch (type) { 5145 5146 /* The following attributes belong to RSA */ 5147 case CKA_MODULUS: 5148 #ifdef __sparcv9 5149 len = 5150 /* LINTED */ 5151 (uint32_t) 5152 ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value_len; 5153 #else /* !__sparcv9 */ 5154 len = 5155 ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value_len; 5156 #endif /* __sparcv9 */ 5157 5158 /* This attribute MUST BE set */ 5159 if (len == 0 || len > *value_len) { 5160 return (CKR_ATTRIBUTE_VALUE_INVALID); 5161 } 5162 *value_len = len; 5163 5164 (void) memcpy(value, 5165 ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value, 5166 *value_len); 5167 5168 break; 5169 5170 case CKA_PUBLIC_EXPONENT: 5171 #ifdef __sparcv9 5172 len = 5173 /* LINTED */ 5174 (uint32_t) 5175 ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value_len; 5176 #else /* !__sparcv9 */ 5177 len = 5178 ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value_len; 5179 #endif /* __sparcv9 */ 5180 5181 /* This attribute MUST BE set */ 5182 if (len == 0 || len > *value_len) { 5183 return (CKR_ATTRIBUTE_VALUE_INVALID); 5184 } 5185 *value_len = len; 5186 5187 (void) memcpy(value, 5188 ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value, 5189 *value_len); 5190 5191 break; 5192 5193 /* The following attributes belong to DSA and DH */ 5194 case CKA_PRIME: 5195 5196 if (key->key_type == CKK_DSA) 5197 #ifdef __sparcv9 5198 len = 5199 /* LINTED */ 5200 (uint32_t) 5201 ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))-> 5202 big_value_len; 5203 #else /* !__sparcv9 */ 5204 len = 5205 ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))-> 5206 big_value_len; 5207 #endif /* __sparcv9 */ 5208 else 5209 #ifdef __sparcv9 5210 len = 5211 /* LINTED */ 5212 (uint32_t) 5213 ((biginteger_t *)OBJ_PUB_DH_PRIME(key))-> 5214 big_value_len; 5215 #else /* !__sparcv9 */ 5216 len = 5217 ((biginteger_t *)OBJ_PUB_DH_PRIME(key))-> 5218 big_value_len; 5219 #endif /* __sparcv9 */ 5220 5221 /* This attribute MUST BE set */ 5222 if (len == 0 || len > *value_len) { 5223 return (CKR_ATTRIBUTE_VALUE_INVALID); 5224 } 5225 *value_len = len; 5226 5227 if (key->key_type == CKK_DSA) 5228 (void) memcpy(value, 5229 ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))->big_value, 5230 *value_len); 5231 else 5232 (void) memcpy(value, 5233 ((biginteger_t *)OBJ_PUB_DH_PRIME(key))->big_value, 5234 *value_len); 5235 5236 break; 5237 5238 case CKA_SUBPRIME: 5239 #ifdef __sparcv9 5240 len = 5241 /* LINTED */ 5242 (uint32_t) 5243 ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value_len; 5244 #else /* !__sparcv9 */ 5245 len = 5246 ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value_len; 5247 #endif /* __sparcv9 */ 5248 5249 /* This attribute MUST BE set */ 5250 if (len == 0 || len > *value_len) { 5251 return (CKR_ATTRIBUTE_VALUE_INVALID); 5252 } 5253 *value_len = len; 5254 5255 (void) memcpy(value, 5256 ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value, 5257 *value_len); 5258 5259 break; 5260 5261 case CKA_BASE: 5262 5263 if (key->key_type == CKK_DSA) 5264 #ifdef __sparcv9 5265 len = 5266 /* LINTED */ 5267 (uint32_t) 5268 ((biginteger_t *)OBJ_PUB_DSA_BASE(key))-> 5269 big_value_len; 5270 #else /* !__sparcv9 */ 5271 len = 5272 ((biginteger_t *)OBJ_PUB_DSA_BASE(key))-> 5273 big_value_len; 5274 #endif /* __sparcv9 */ 5275 else 5276 #ifdef __sparcv9 5277 len = 5278 /* LINTED */ 5279 (uint32_t) 5280 ((biginteger_t *)OBJ_PUB_DH_BASE(key))-> 5281 big_value_len; 5282 #else /* !__sparcv9 */ 5283 len = 5284 ((biginteger_t *)OBJ_PUB_DH_BASE(key))-> 5285 big_value_len; 5286 #endif /* __sparcv9 */ 5287 5288 /* This attribute MUST BE set */ 5289 if (len == 0 || len > *value_len) { 5290 return (CKR_ATTRIBUTE_VALUE_INVALID); 5291 } 5292 *value_len = len; 5293 5294 if (key->key_type == CKK_DSA) 5295 (void) memcpy(value, 5296 ((biginteger_t *)OBJ_PUB_DSA_BASE(key))->big_value, 5297 *value_len); 5298 else 5299 (void) memcpy(value, 5300 ((biginteger_t *)OBJ_PUB_DH_BASE(key))->big_value, 5301 *value_len); 5302 break; 5303 5304 case CKA_VALUE: 5305 5306 if (key->key_type == CKK_DSA) 5307 #ifdef __sparcv9 5308 len = 5309 /* LINTED */ 5310 (uint32_t) 5311 ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))-> 5312 big_value_len; 5313 #else /* !__sparcv9 */ 5314 len = 5315 ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))-> 5316 big_value_len; 5317 #endif /* __sparcv9 */ 5318 else 5319 #ifdef __sparcv9 5320 len = 5321 /* LINTED */ 5322 (uint32_t) 5323 ((biginteger_t *)OBJ_PUB_DH_VALUE(key))-> 5324 big_value_len; 5325 #else /* !__sparcv9 */ 5326 len = 5327 ((biginteger_t *)OBJ_PUB_DH_VALUE(key))-> 5328 big_value_len; 5329 #endif /* __sparcv9 */ 5330 5331 /* This attribute MUST BE set */ 5332 if (len == 0 || len > *value_len) { 5333 return (CKR_ATTRIBUTE_VALUE_INVALID); 5334 } 5335 *value_len = len; 5336 5337 if (key->key_type == CKK_DSA) 5338 (void) memcpy(value, 5339 ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))->big_value, 5340 *value_len); 5341 else 5342 (void) memcpy(value, 5343 ((biginteger_t *)OBJ_PUB_DH_VALUE(key))->big_value, 5344 *value_len); 5345 5346 break; 5347 } 5348 5349 return (CKR_OK); 5350 } 5351 5352 5353 CK_RV 5354 soft_get_private_value(soft_object_t *key, CK_ATTRIBUTE_TYPE type, 5355 uchar_t *value, uint32_t *value_len) 5356 { 5357 5358 uint32_t len = 0; 5359 5360 switch (type) { 5361 5362 /* The following attributes belong to RSA */ 5363 case CKA_MODULUS: 5364 #ifdef __sparcv9 5365 len = 5366 /* LINTED */ 5367 (uint32_t) 5368 ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value_len; 5369 #else /* !__sparcv9 */ 5370 len = 5371 ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value_len; 5372 #endif /* __sparcv9 */ 5373 5374 /* This attribute MUST BE set */ 5375 if (len == 0 || len > *value_len) { 5376 return (CKR_ATTRIBUTE_VALUE_INVALID); 5377 } 5378 *value_len = len; 5379 5380 (void) memcpy(value, 5381 ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value, 5382 *value_len); 5383 5384 break; 5385 5386 case CKA_PRIVATE_EXPONENT: 5387 #ifdef __sparcv9 5388 len = 5389 /* LINTED */ 5390 (uint32_t) 5391 ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value_len; 5392 #else /* !__sparcv9 */ 5393 len = 5394 ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value_len; 5395 #endif /* __sparcv9 */ 5396 5397 /* This attribute MUST BE set */ 5398 if (len == 0 || len > *value_len) { 5399 return (CKR_ATTRIBUTE_VALUE_INVALID); 5400 } 5401 *value_len = len; 5402 5403 (void) memcpy(value, 5404 ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value, 5405 *value_len); 5406 5407 break; 5408 5409 case CKA_PRIME_1: 5410 #ifdef __sparcv9 5411 len = 5412 /* LINTED */ 5413 (uint32_t) 5414 ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value_len; 5415 #else /* !__sparcv9 */ 5416 len = 5417 ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value_len; 5418 #endif /* __sparcv9 */ 5419 5420 if (len > *value_len) { 5421 return (CKR_ATTRIBUTE_VALUE_INVALID); 5422 } 5423 *value_len = len; 5424 5425 if (*value_len == 0) { 5426 return (CKR_OK); 5427 } 5428 5429 (void) memcpy(value, 5430 ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value, 5431 *value_len); 5432 5433 break; 5434 5435 case CKA_PRIME_2: 5436 #ifdef __sparcv9 5437 len = 5438 /* LINTED */ 5439 (uint32_t) 5440 ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value_len; 5441 #else /* !__sparcv9 */ 5442 len = 5443 ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value_len; 5444 #endif /* __sparcv9 */ 5445 5446 if (len > *value_len) { 5447 return (CKR_ATTRIBUTE_VALUE_INVALID); 5448 } 5449 *value_len = len; 5450 5451 if (*value_len == 0) { 5452 return (CKR_OK); 5453 } 5454 5455 (void) memcpy(value, 5456 ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value, 5457 *value_len); 5458 5459 break; 5460 5461 case CKA_EXPONENT_1: 5462 #ifdef __sparcv9 5463 len = 5464 /* LINTED */ 5465 (uint32_t) 5466 ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value_len; 5467 #else /* !__sparcv9 */ 5468 len = 5469 ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value_len; 5470 #endif /* __sparcv9 */ 5471 5472 if (len > *value_len) { 5473 return (CKR_ATTRIBUTE_VALUE_INVALID); 5474 } 5475 *value_len = len; 5476 5477 if (*value_len == 0) { 5478 return (CKR_OK); 5479 } 5480 5481 (void) memcpy(value, 5482 ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value, 5483 *value_len); 5484 5485 break; 5486 5487 case CKA_EXPONENT_2: 5488 #ifdef __sparcv9 5489 len = 5490 /* LINTED */ 5491 (uint32_t) 5492 ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value_len; 5493 #else /* !__sparcv9 */ 5494 len = 5495 ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value_len; 5496 #endif /* __sparcv9 */ 5497 5498 if (len > *value_len) { 5499 return (CKR_ATTRIBUTE_VALUE_INVALID); 5500 } 5501 *value_len = len; 5502 5503 if (*value_len == 0) { 5504 return (CKR_OK); 5505 } 5506 5507 (void) memcpy(value, 5508 ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value, 5509 *value_len); 5510 5511 break; 5512 5513 case CKA_COEFFICIENT: 5514 #ifdef __sparcv9 5515 len = 5516 /* LINTED */ 5517 (uint32_t) 5518 ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value_len; 5519 #else /* !__sparcv9 */ 5520 len = 5521 ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value_len; 5522 #endif /* __sparcv9 */ 5523 5524 if (len > *value_len) { 5525 return (CKR_ATTRIBUTE_VALUE_INVALID); 5526 } 5527 *value_len = len; 5528 5529 if (*value_len == 0) { 5530 return (CKR_OK); 5531 } 5532 5533 (void) memcpy(value, 5534 ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value, 5535 *value_len); 5536 5537 break; 5538 5539 /* The following attributes belong to DSA and DH */ 5540 case CKA_PRIME: 5541 5542 if (key->key_type == CKK_DSA) 5543 #ifdef __sparcv9 5544 len = 5545 /* LINTED */ 5546 (uint32_t) 5547 ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))-> 5548 big_value_len; 5549 #else /* !__sparcv9 */ 5550 len = 5551 ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))-> 5552 big_value_len; 5553 #endif /* __sparcv9 */ 5554 else 5555 #ifdef __sparcv9 5556 len = 5557 /* LINTED */ 5558 (uint32_t) 5559 ((biginteger_t *)OBJ_PRI_DH_PRIME(key))-> 5560 big_value_len; 5561 #else /* !__sparcv9 */ 5562 len = 5563 ((biginteger_t *)OBJ_PRI_DH_PRIME(key))-> 5564 big_value_len; 5565 #endif /* __sparcv9 */ 5566 5567 /* This attribute MUST BE set */ 5568 if (len == 0 || len > *value_len) { 5569 return (CKR_ATTRIBUTE_VALUE_INVALID); 5570 } 5571 *value_len = len; 5572 5573 if (key->key_type == CKK_DSA) 5574 (void) memcpy(value, 5575 ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))->big_value, 5576 *value_len); 5577 else 5578 (void) memcpy(value, 5579 ((biginteger_t *)OBJ_PRI_DH_PRIME(key))->big_value, 5580 *value_len); 5581 5582 break; 5583 5584 case CKA_SUBPRIME: 5585 #ifdef __sparcv9 5586 len = 5587 /* LINTED */ 5588 (uint32_t) 5589 ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value_len; 5590 #else /* !__sparcv9 */ 5591 len = 5592 ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value_len; 5593 #endif /* __sparcv9 */ 5594 5595 /* This attribute MUST BE set */ 5596 if (len == 0 || len > *value_len) { 5597 return (CKR_ATTRIBUTE_VALUE_INVALID); 5598 } 5599 *value_len = len; 5600 5601 (void) memcpy(value, 5602 ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value, 5603 *value_len); 5604 5605 break; 5606 5607 case CKA_BASE: 5608 5609 if (key->key_type == CKK_DSA) 5610 #ifdef __sparcv9 5611 len = 5612 /* LINTED */ 5613 (uint32_t) 5614 ((biginteger_t *)OBJ_PRI_DSA_BASE(key))-> 5615 big_value_len; 5616 #else /* !__sparcv9 */ 5617 len = 5618 ((biginteger_t *)OBJ_PRI_DSA_BASE(key))-> 5619 big_value_len; 5620 #endif /* __sparcv9 */ 5621 else 5622 #ifdef __sparcv9 5623 len = 5624 /* LINTED */ 5625 (uint32_t) 5626 ((biginteger_t *)OBJ_PRI_DH_BASE(key))-> 5627 big_value_len; 5628 #else /* !__sparcv9 */ 5629 len = 5630 ((biginteger_t *)OBJ_PRI_DH_BASE(key))-> 5631 big_value_len; 5632 #endif /* __sparcv9 */ 5633 5634 /* This attribute MUST BE set */ 5635 if (len == 0 || len > *value_len) { 5636 return (CKR_ATTRIBUTE_VALUE_INVALID); 5637 } 5638 *value_len = len; 5639 5640 if (key->key_type == CKK_DSA) 5641 (void) memcpy(value, 5642 ((biginteger_t *)OBJ_PRI_DSA_BASE(key))->big_value, 5643 *value_len); 5644 else 5645 (void) memcpy(value, 5646 ((biginteger_t *)OBJ_PRI_DH_BASE(key))->big_value, 5647 *value_len); 5648 break; 5649 5650 case CKA_VALUE: 5651 5652 if (key->key_type == CKK_DSA) { 5653 #ifdef __sparcv9 5654 len = 5655 /* LINTED */ 5656 (uint32_t) 5657 ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))-> 5658 big_value_len; 5659 #else /* !__sparcv9 */ 5660 len = 5661 ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))-> 5662 big_value_len; 5663 #endif /* __sparcv9 */ 5664 } else if (key->key_type == CKK_DH) { 5665 #ifdef __sparcv9 5666 len = 5667 /* LINTED */ 5668 (uint32_t) 5669 ((biginteger_t *)OBJ_PRI_DH_VALUE(key))-> 5670 big_value_len; 5671 #else /* !__sparcv9 */ 5672 len = 5673 ((biginteger_t *)OBJ_PRI_DH_VALUE(key))-> 5674 big_value_len; 5675 #endif /* __sparcv9 */ 5676 } else { 5677 #ifdef __sparcv9 5678 len = 5679 /* LINTED */ 5680 (uint32_t) 5681 ((biginteger_t *)OBJ_PRI_EC_VALUE(key))-> 5682 big_value_len; 5683 #else /* !__sparcv9 */ 5684 len = 5685 ((biginteger_t *)OBJ_PRI_EC_VALUE(key))-> 5686 big_value_len; 5687 #endif /* __sparcv9 */ 5688 } 5689 5690 /* This attribute MUST BE set */ 5691 if (len == 0 || len > *value_len) { 5692 return (CKR_ATTRIBUTE_VALUE_INVALID); 5693 } 5694 *value_len = len; 5695 5696 if (key->key_type == CKK_DSA) { 5697 (void) memcpy(value, 5698 ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))->big_value, 5699 *value_len); 5700 } else if (key->key_type == CKK_DH) { 5701 (void) memcpy(value, 5702 ((biginteger_t *)OBJ_PRI_DH_VALUE(key))->big_value, 5703 *value_len); 5704 } else { 5705 (void) memcpy(value, 5706 ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->big_value, 5707 *value_len); 5708 } 5709 5710 break; 5711 } 5712 5713 return (CKR_OK); 5714 5715 } 5716 5717 static CK_RV 5718 copy_bigint(biginteger_t *new_bigint, biginteger_t *old_bigint) 5719 { 5720 new_bigint->big_value = 5721 malloc((sizeof (CK_BYTE) * new_bigint->big_value_len)); 5722 5723 if (new_bigint->big_value == NULL) { 5724 return (CKR_HOST_MEMORY); 5725 } 5726 5727 (void) memcpy(new_bigint->big_value, old_bigint->big_value, 5728 (sizeof (CK_BYTE) * new_bigint->big_value_len)); 5729 5730 return (CKR_OK); 5731 } 5732 5733 static void 5734 free_public_key_attr(public_key_obj_t *pbk, CK_KEY_TYPE key_type) 5735 { 5736 if (pbk == NULL) { 5737 return; 5738 } 5739 5740 switch (key_type) { 5741 case CKK_RSA: 5742 bigint_attr_cleanup(KEY_PUB_RSA_MOD(pbk)); 5743 bigint_attr_cleanup(KEY_PUB_RSA_PUBEXPO(pbk)); 5744 break; 5745 case CKK_DSA: 5746 bigint_attr_cleanup(KEY_PUB_DSA_PRIME(pbk)); 5747 bigint_attr_cleanup(KEY_PUB_DSA_SUBPRIME(pbk)); 5748 bigint_attr_cleanup(KEY_PUB_DSA_BASE(pbk)); 5749 bigint_attr_cleanup(KEY_PUB_DSA_VALUE(pbk)); 5750 break; 5751 case CKK_DH: 5752 bigint_attr_cleanup(KEY_PUB_DH_PRIME(pbk)); 5753 bigint_attr_cleanup(KEY_PUB_DH_BASE(pbk)); 5754 bigint_attr_cleanup(KEY_PUB_DH_VALUE(pbk)); 5755 break; 5756 case CKK_EC: 5757 bigint_attr_cleanup(KEY_PUB_EC_POINT(pbk)); 5758 break; 5759 case CKK_X9_42_DH: 5760 bigint_attr_cleanup(KEY_PUB_DH942_PRIME(pbk)); 5761 bigint_attr_cleanup(KEY_PUB_DH942_SUBPRIME(pbk)); 5762 bigint_attr_cleanup(KEY_PUB_DH942_BASE(pbk)); 5763 bigint_attr_cleanup(KEY_PUB_DH942_VALUE(pbk)); 5764 break; 5765 default: 5766 break; 5767 } 5768 free(pbk); 5769 } 5770 5771 CK_RV 5772 soft_copy_public_key_attr(public_key_obj_t *old_pub_key_obj_p, 5773 public_key_obj_t **new_pub_key_obj_p, CK_KEY_TYPE key_type) 5774 { 5775 5776 public_key_obj_t *pbk; 5777 CK_RV rv = CKR_OK; 5778 5779 pbk = calloc(1, sizeof (public_key_obj_t)); 5780 if (pbk == NULL) { 5781 return (CKR_HOST_MEMORY); 5782 } 5783 5784 switch (key_type) { 5785 case CKK_RSA: 5786 (void) memcpy(KEY_PUB_RSA(pbk), 5787 KEY_PUB_RSA(old_pub_key_obj_p), 5788 sizeof (rsa_pub_key_t)); 5789 /* copy modulus */ 5790 rv = copy_bigint(KEY_PUB_RSA_MOD(pbk), 5791 KEY_PUB_RSA_MOD(old_pub_key_obj_p)); 5792 if (rv != CKR_OK) { 5793 free_public_key_attr(pbk, key_type); 5794 return (rv); 5795 } 5796 /* copy public exponent */ 5797 rv = copy_bigint(KEY_PUB_RSA_PUBEXPO(pbk), 5798 KEY_PUB_RSA_PUBEXPO(old_pub_key_obj_p)); 5799 if (rv != CKR_OK) { 5800 free_public_key_attr(pbk, key_type); 5801 return (rv); 5802 } 5803 break; 5804 case CKK_DSA: 5805 (void) memcpy(KEY_PUB_DSA(pbk), 5806 KEY_PUB_DSA(old_pub_key_obj_p), 5807 sizeof (dsa_pub_key_t)); 5808 5809 /* copy prime */ 5810 rv = copy_bigint(KEY_PUB_DSA_PRIME(pbk), 5811 KEY_PUB_DSA_PRIME(old_pub_key_obj_p)); 5812 if (rv != CKR_OK) { 5813 free_public_key_attr(pbk, key_type); 5814 return (rv); 5815 } 5816 5817 /* copy subprime */ 5818 rv = copy_bigint(KEY_PUB_DSA_SUBPRIME(pbk), 5819 KEY_PUB_DSA_SUBPRIME(old_pub_key_obj_p)); 5820 if (rv != CKR_OK) { 5821 free_public_key_attr(pbk, key_type); 5822 return (rv); 5823 } 5824 5825 /* copy base */ 5826 rv = copy_bigint(KEY_PUB_DSA_BASE(pbk), 5827 KEY_PUB_DSA_BASE(old_pub_key_obj_p)); 5828 if (rv != CKR_OK) { 5829 free_public_key_attr(pbk, key_type); 5830 return (rv); 5831 } 5832 5833 /* copy value */ 5834 rv = copy_bigint(KEY_PUB_DSA_VALUE(pbk), 5835 KEY_PUB_DSA_VALUE(old_pub_key_obj_p)); 5836 if (rv != CKR_OK) { 5837 free_public_key_attr(pbk, key_type); 5838 return (rv); 5839 } 5840 break; 5841 case CKK_DH: 5842 (void) memcpy(KEY_PUB_DH(pbk), 5843 KEY_PUB_DH(old_pub_key_obj_p), 5844 sizeof (dh_pub_key_t)); 5845 5846 /* copy prime */ 5847 rv = copy_bigint(KEY_PUB_DH_PRIME(pbk), 5848 KEY_PUB_DH_PRIME(old_pub_key_obj_p)); 5849 if (rv != CKR_OK) { 5850 free_public_key_attr(pbk, key_type); 5851 return (rv); 5852 } 5853 5854 /* copy base */ 5855 rv = copy_bigint(KEY_PUB_DH_BASE(pbk), 5856 KEY_PUB_DH_BASE(old_pub_key_obj_p)); 5857 if (rv != CKR_OK) { 5858 free_public_key_attr(pbk, key_type); 5859 return (rv); 5860 } 5861 5862 /* copy value */ 5863 rv = copy_bigint(KEY_PUB_DH_VALUE(pbk), 5864 KEY_PUB_DH_VALUE(old_pub_key_obj_p)); 5865 if (rv != CKR_OK) { 5866 free_public_key_attr(pbk, key_type); 5867 return (rv); 5868 } 5869 break; 5870 case CKK_EC: 5871 (void) memcpy(KEY_PUB_EC(pbk), 5872 KEY_PUB_EC(old_pub_key_obj_p), 5873 sizeof (ec_pub_key_t)); 5874 5875 /* copy point */ 5876 rv = copy_bigint(KEY_PUB_EC_POINT(pbk), 5877 KEY_PUB_EC_POINT(old_pub_key_obj_p)); 5878 if (rv != CKR_OK) { 5879 free_public_key_attr(pbk, key_type); 5880 return (rv); 5881 } 5882 break; 5883 case CKK_X9_42_DH: 5884 (void) memcpy(KEY_PUB_DH942(pbk), 5885 KEY_PUB_DH942(old_pub_key_obj_p), 5886 sizeof (dh942_pub_key_t)); 5887 5888 /* copy prime */ 5889 rv = copy_bigint(KEY_PUB_DH942_PRIME(pbk), 5890 KEY_PUB_DH942_PRIME(old_pub_key_obj_p)); 5891 if (rv != CKR_OK) { 5892 free_public_key_attr(pbk, key_type); 5893 return (rv); 5894 } 5895 5896 /* copy subprime */ 5897 rv = copy_bigint(KEY_PUB_DH942_SUBPRIME(pbk), 5898 KEY_PUB_DH942_SUBPRIME(old_pub_key_obj_p)); 5899 if (rv != CKR_OK) { 5900 free_public_key_attr(pbk, key_type); 5901 return (rv); 5902 } 5903 5904 /* copy base */ 5905 rv = copy_bigint(KEY_PUB_DH942_BASE(pbk), 5906 KEY_PUB_DH942_BASE(old_pub_key_obj_p)); 5907 if (rv != CKR_OK) { 5908 free_public_key_attr(pbk, key_type); 5909 return (rv); 5910 } 5911 5912 /* copy value */ 5913 rv = copy_bigint(KEY_PUB_DH942_VALUE(pbk), 5914 KEY_PUB_DH942_VALUE(old_pub_key_obj_p)); 5915 if (rv != CKR_OK) { 5916 free_public_key_attr(pbk, key_type); 5917 return (rv); 5918 } 5919 break; 5920 default: 5921 break; 5922 } 5923 *new_pub_key_obj_p = pbk; 5924 return (rv); 5925 } 5926 5927 static void 5928 free_private_key_attr(private_key_obj_t *pbk, CK_KEY_TYPE key_type) 5929 { 5930 if (pbk == NULL) { 5931 return; 5932 } 5933 5934 switch (key_type) { 5935 case CKK_RSA: 5936 bigint_attr_cleanup(KEY_PRI_RSA_MOD(pbk)); 5937 bigint_attr_cleanup(KEY_PRI_RSA_PUBEXPO(pbk)); 5938 bigint_attr_cleanup(KEY_PRI_RSA_PRIEXPO(pbk)); 5939 bigint_attr_cleanup(KEY_PRI_RSA_PRIME1(pbk)); 5940 bigint_attr_cleanup(KEY_PRI_RSA_PRIME2(pbk)); 5941 bigint_attr_cleanup(KEY_PRI_RSA_EXPO1(pbk)); 5942 bigint_attr_cleanup(KEY_PRI_RSA_EXPO2(pbk)); 5943 bigint_attr_cleanup(KEY_PRI_RSA_COEF(pbk)); 5944 break; 5945 case CKK_DSA: 5946 bigint_attr_cleanup(KEY_PRI_DSA_PRIME(pbk)); 5947 bigint_attr_cleanup(KEY_PRI_DSA_SUBPRIME(pbk)); 5948 bigint_attr_cleanup(KEY_PRI_DSA_BASE(pbk)); 5949 bigint_attr_cleanup(KEY_PRI_DSA_VALUE(pbk)); 5950 break; 5951 case CKK_DH: 5952 bigint_attr_cleanup(KEY_PRI_DH_PRIME(pbk)); 5953 bigint_attr_cleanup(KEY_PRI_DH_BASE(pbk)); 5954 bigint_attr_cleanup(KEY_PRI_DH_VALUE(pbk)); 5955 break; 5956 case CKK_EC: 5957 bigint_attr_cleanup(KEY_PRI_EC_VALUE(pbk)); 5958 break; 5959 case CKK_X9_42_DH: 5960 bigint_attr_cleanup(KEY_PRI_DH942_PRIME(pbk)); 5961 bigint_attr_cleanup(KEY_PRI_DH942_SUBPRIME(pbk)); 5962 bigint_attr_cleanup(KEY_PRI_DH942_BASE(pbk)); 5963 bigint_attr_cleanup(KEY_PRI_DH942_VALUE(pbk)); 5964 break; 5965 default: 5966 break; 5967 } 5968 free(pbk); 5969 } 5970 5971 CK_RV 5972 soft_copy_private_key_attr(private_key_obj_t *old_pri_key_obj_p, 5973 private_key_obj_t **new_pri_key_obj_p, CK_KEY_TYPE key_type) 5974 { 5975 CK_RV rv = CKR_OK; 5976 private_key_obj_t *pbk; 5977 5978 pbk = calloc(1, sizeof (private_key_obj_t)); 5979 if (pbk == NULL) { 5980 return (CKR_HOST_MEMORY); 5981 } 5982 5983 switch (key_type) { 5984 case CKK_RSA: 5985 (void) memcpy(KEY_PRI_RSA(pbk), 5986 KEY_PRI_RSA(old_pri_key_obj_p), 5987 sizeof (rsa_pri_key_t)); 5988 /* copy modulus */ 5989 rv = copy_bigint(KEY_PRI_RSA_MOD(pbk), 5990 KEY_PRI_RSA_MOD(old_pri_key_obj_p)); 5991 if (rv != CKR_OK) { 5992 free_private_key_attr(pbk, key_type); 5993 return (rv); 5994 } 5995 /* copy public exponent */ 5996 rv = copy_bigint(KEY_PRI_RSA_PUBEXPO(pbk), 5997 KEY_PRI_RSA_PUBEXPO(old_pri_key_obj_p)); 5998 if (rv != CKR_OK) { 5999 free_private_key_attr(pbk, key_type); 6000 return (rv); 6001 } 6002 /* copy private exponent */ 6003 rv = copy_bigint(KEY_PRI_RSA_PRIEXPO(pbk), 6004 KEY_PRI_RSA_PRIEXPO(old_pri_key_obj_p)); 6005 if (rv != CKR_OK) { 6006 free_private_key_attr(pbk, key_type); 6007 return (rv); 6008 } 6009 /* copy prime_1 */ 6010 rv = copy_bigint(KEY_PRI_RSA_PRIME1(pbk), 6011 KEY_PRI_RSA_PRIME1(old_pri_key_obj_p)); 6012 if (rv != CKR_OK) { 6013 free_private_key_attr(pbk, key_type); 6014 return (rv); 6015 } 6016 /* copy prime_2 */ 6017 rv = copy_bigint(KEY_PRI_RSA_PRIME2(pbk), 6018 KEY_PRI_RSA_PRIME2(old_pri_key_obj_p)); 6019 if (rv != CKR_OK) { 6020 free_private_key_attr(pbk, key_type); 6021 return (rv); 6022 } 6023 /* copy exponent_1 */ 6024 rv = copy_bigint(KEY_PRI_RSA_EXPO1(pbk), 6025 KEY_PRI_RSA_EXPO1(old_pri_key_obj_p)); 6026 if (rv != CKR_OK) { 6027 free_private_key_attr(pbk, key_type); 6028 return (rv); 6029 } 6030 /* copy exponent_2 */ 6031 rv = copy_bigint(KEY_PRI_RSA_EXPO2(pbk), 6032 KEY_PRI_RSA_EXPO2(old_pri_key_obj_p)); 6033 if (rv != CKR_OK) { 6034 free_private_key_attr(pbk, key_type); 6035 return (rv); 6036 } 6037 /* copy coefficient */ 6038 rv = copy_bigint(KEY_PRI_RSA_COEF(pbk), 6039 KEY_PRI_RSA_COEF(old_pri_key_obj_p)); 6040 if (rv != CKR_OK) { 6041 free_private_key_attr(pbk, key_type); 6042 return (rv); 6043 } 6044 break; 6045 case CKK_DSA: 6046 (void) memcpy(KEY_PRI_DSA(pbk), 6047 KEY_PRI_DSA(old_pri_key_obj_p), 6048 sizeof (dsa_pri_key_t)); 6049 6050 /* copy prime */ 6051 rv = copy_bigint(KEY_PRI_DSA_PRIME(pbk), 6052 KEY_PRI_DSA_PRIME(old_pri_key_obj_p)); 6053 if (rv != CKR_OK) { 6054 free_private_key_attr(pbk, key_type); 6055 return (rv); 6056 } 6057 6058 /* copy subprime */ 6059 rv = copy_bigint(KEY_PRI_DSA_SUBPRIME(pbk), 6060 KEY_PRI_DSA_SUBPRIME(old_pri_key_obj_p)); 6061 if (rv != CKR_OK) { 6062 free_private_key_attr(pbk, key_type); 6063 return (rv); 6064 } 6065 6066 /* copy base */ 6067 rv = copy_bigint(KEY_PRI_DSA_BASE(pbk), 6068 KEY_PRI_DSA_BASE(old_pri_key_obj_p)); 6069 if (rv != CKR_OK) { 6070 free_private_key_attr(pbk, key_type); 6071 return (rv); 6072 } 6073 6074 /* copy value */ 6075 rv = copy_bigint(KEY_PRI_DSA_VALUE(pbk), 6076 KEY_PRI_DSA_VALUE(old_pri_key_obj_p)); 6077 if (rv != CKR_OK) { 6078 free_private_key_attr(pbk, key_type); 6079 return (rv); 6080 } 6081 break; 6082 case CKK_DH: 6083 (void) memcpy(KEY_PRI_DH(pbk), 6084 KEY_PRI_DH(old_pri_key_obj_p), 6085 sizeof (dh_pri_key_t)); 6086 6087 /* copy prime */ 6088 rv = copy_bigint(KEY_PRI_DH_PRIME(pbk), 6089 KEY_PRI_DH_PRIME(old_pri_key_obj_p)); 6090 if (rv != CKR_OK) { 6091 free_private_key_attr(pbk, key_type); 6092 return (rv); 6093 } 6094 6095 /* copy base */ 6096 rv = copy_bigint(KEY_PRI_DH_BASE(pbk), 6097 KEY_PRI_DH_BASE(old_pri_key_obj_p)); 6098 if (rv != CKR_OK) { 6099 free_private_key_attr(pbk, key_type); 6100 return (rv); 6101 } 6102 6103 /* copy value */ 6104 rv = copy_bigint(KEY_PRI_DH_VALUE(pbk), 6105 KEY_PRI_DH_VALUE(old_pri_key_obj_p)); 6106 if (rv != CKR_OK) { 6107 free_private_key_attr(pbk, key_type); 6108 return (rv); 6109 } 6110 break; 6111 case CKK_EC: 6112 (void) memcpy(KEY_PRI_EC(pbk), 6113 KEY_PRI_EC(old_pri_key_obj_p), 6114 sizeof (ec_pri_key_t)); 6115 6116 /* copy value */ 6117 rv = copy_bigint(KEY_PRI_EC_VALUE(pbk), 6118 KEY_PRI_EC_VALUE(old_pri_key_obj_p)); 6119 if (rv != CKR_OK) { 6120 free_private_key_attr(pbk, key_type); 6121 return (rv); 6122 } 6123 break; 6124 case CKK_X9_42_DH: 6125 (void) memcpy(KEY_PRI_DH942(pbk), 6126 KEY_PRI_DH942(old_pri_key_obj_p), 6127 sizeof (dh942_pri_key_t)); 6128 6129 /* copy prime */ 6130 rv = copy_bigint(KEY_PRI_DH942_PRIME(pbk), 6131 KEY_PRI_DH942_PRIME(old_pri_key_obj_p)); 6132 if (rv != CKR_OK) { 6133 free_private_key_attr(pbk, key_type); 6134 return (rv); 6135 } 6136 6137 /* copy subprime */ 6138 rv = copy_bigint(KEY_PRI_DH942_SUBPRIME(pbk), 6139 KEY_PRI_DH942_SUBPRIME(old_pri_key_obj_p)); 6140 if (rv != CKR_OK) { 6141 free_private_key_attr(pbk, key_type); 6142 return (rv); 6143 } 6144 6145 /* copy base */ 6146 rv = copy_bigint(KEY_PRI_DH942_BASE(pbk), 6147 KEY_PRI_DH942_BASE(old_pri_key_obj_p)); 6148 if (rv != CKR_OK) { 6149 free_private_key_attr(pbk, key_type); 6150 return (rv); 6151 } 6152 6153 /* copy value */ 6154 rv = copy_bigint(KEY_PRI_DH942_VALUE(pbk), 6155 KEY_PRI_DH942_VALUE(old_pri_key_obj_p)); 6156 if (rv != CKR_OK) { 6157 free_private_key_attr(pbk, key_type); 6158 return (rv); 6159 } 6160 break; 6161 default: 6162 break; 6163 } 6164 *new_pri_key_obj_p = pbk; 6165 return (rv); 6166 } 6167 6168 static void 6169 free_domain_attr(domain_obj_t *domain, CK_KEY_TYPE key_type) 6170 { 6171 if (domain == NULL) { 6172 return; 6173 } 6174 6175 switch (key_type) { 6176 case CKK_DSA: 6177 bigint_attr_cleanup(KEY_DOM_DSA_PRIME(domain)); 6178 bigint_attr_cleanup(KEY_DOM_DSA_SUBPRIME(domain)); 6179 bigint_attr_cleanup(KEY_DOM_DSA_BASE(domain)); 6180 break; 6181 case CKK_DH: 6182 bigint_attr_cleanup(KEY_DOM_DH_PRIME(domain)); 6183 bigint_attr_cleanup(KEY_DOM_DH_BASE(domain)); 6184 break; 6185 case CKK_X9_42_DH: 6186 bigint_attr_cleanup(KEY_DOM_DH942_PRIME(domain)); 6187 bigint_attr_cleanup(KEY_DOM_DH942_SUBPRIME(domain)); 6188 bigint_attr_cleanup(KEY_DOM_DH942_BASE(domain)); 6189 break; 6190 default: 6191 break; 6192 } 6193 free(domain); 6194 } 6195 6196 CK_RV 6197 soft_copy_domain_attr(domain_obj_t *old_domain_obj_p, 6198 domain_obj_t **new_domain_obj_p, CK_KEY_TYPE key_type) 6199 { 6200 CK_RV rv = CKR_OK; 6201 domain_obj_t *domain; 6202 6203 domain = calloc(1, sizeof (domain_obj_t)); 6204 if (domain == NULL) { 6205 return (CKR_HOST_MEMORY); 6206 } 6207 6208 switch (key_type) { 6209 case CKK_DSA: 6210 (void) memcpy(KEY_DOM_DSA(domain), 6211 KEY_DOM_DSA(old_domain_obj_p), 6212 sizeof (dsa_dom_key_t)); 6213 6214 /* copy prime */ 6215 rv = copy_bigint(KEY_DOM_DSA_PRIME(domain), 6216 KEY_DOM_DSA_PRIME(old_domain_obj_p)); 6217 if (rv != CKR_OK) { 6218 free_domain_attr(domain, key_type); 6219 return (rv); 6220 } 6221 6222 /* copy subprime */ 6223 rv = copy_bigint(KEY_DOM_DSA_SUBPRIME(domain), 6224 KEY_DOM_DSA_SUBPRIME(old_domain_obj_p)); 6225 if (rv != CKR_OK) { 6226 free_domain_attr(domain, key_type); 6227 return (rv); 6228 } 6229 6230 /* copy base */ 6231 rv = copy_bigint(KEY_DOM_DSA_BASE(domain), 6232 KEY_DOM_DSA_BASE(old_domain_obj_p)); 6233 if (rv != CKR_OK) { 6234 free_domain_attr(domain, key_type); 6235 return (rv); 6236 } 6237 6238 break; 6239 case CKK_DH: 6240 (void) memcpy(KEY_DOM_DH(domain), 6241 KEY_DOM_DH(old_domain_obj_p), 6242 sizeof (dh_dom_key_t)); 6243 6244 /* copy prime */ 6245 rv = copy_bigint(KEY_DOM_DH_PRIME(domain), 6246 KEY_DOM_DH_PRIME(old_domain_obj_p)); 6247 if (rv != CKR_OK) { 6248 free_domain_attr(domain, key_type); 6249 return (rv); 6250 } 6251 6252 /* copy base */ 6253 rv = copy_bigint(KEY_DOM_DH_BASE(domain), 6254 KEY_DOM_DH_BASE(old_domain_obj_p)); 6255 if (rv != CKR_OK) { 6256 free_domain_attr(domain, key_type); 6257 return (rv); 6258 } 6259 6260 break; 6261 case CKK_X9_42_DH: 6262 (void) memcpy(KEY_DOM_DH942(domain), 6263 KEY_DOM_DH942(old_domain_obj_p), 6264 sizeof (dh942_dom_key_t)); 6265 6266 /* copy prime */ 6267 rv = copy_bigint(KEY_DOM_DH942_PRIME(domain), 6268 KEY_DOM_DH942_PRIME(old_domain_obj_p)); 6269 if (rv != CKR_OK) { 6270 free_domain_attr(domain, key_type); 6271 return (rv); 6272 } 6273 6274 /* copy subprime */ 6275 rv = copy_bigint(KEY_DOM_DH942_SUBPRIME(domain), 6276 KEY_DOM_DH942_SUBPRIME(old_domain_obj_p)); 6277 if (rv != CKR_OK) { 6278 free_domain_attr(domain, key_type); 6279 return (rv); 6280 } 6281 6282 /* copy base */ 6283 rv = copy_bigint(KEY_DOM_DH942_BASE(domain), 6284 KEY_DOM_DH942_BASE(old_domain_obj_p)); 6285 if (rv != CKR_OK) { 6286 free_domain_attr(domain, key_type); 6287 return (rv); 6288 } 6289 6290 break; 6291 default: 6292 break; 6293 } 6294 *new_domain_obj_p = domain; 6295 return (rv); 6296 } 6297 6298 CK_RV 6299 soft_copy_secret_key_attr(secret_key_obj_t *old_secret_key_obj_p, 6300 secret_key_obj_t **new_secret_key_obj_p) 6301 { 6302 secret_key_obj_t *sk; 6303 6304 sk = malloc(sizeof (secret_key_obj_t)); 6305 if (sk == NULL) { 6306 return (CKR_HOST_MEMORY); 6307 } 6308 (void) memcpy(sk, old_secret_key_obj_p, sizeof (secret_key_obj_t)); 6309 6310 /* copy the secret key value */ 6311 sk->sk_value = malloc(sk->sk_value_len); 6312 if (sk->sk_value == NULL) { 6313 free(sk); 6314 return (CKR_HOST_MEMORY); 6315 } 6316 (void) memcpy(sk->sk_value, old_secret_key_obj_p->sk_value, 6317 (sizeof (CK_BYTE) * sk->sk_value_len)); 6318 6319 /* 6320 * Copy the pre-expanded key schedule. 6321 */ 6322 if (old_secret_key_obj_p->key_sched != NULL && 6323 old_secret_key_obj_p->keysched_len > 0) { 6324 sk->key_sched = malloc(old_secret_key_obj_p->keysched_len); 6325 if (sk->key_sched == NULL) { 6326 freezero(sk->sk_value, sk->sk_value_len); 6327 free(sk); 6328 return (CKR_HOST_MEMORY); 6329 } 6330 sk->keysched_len = old_secret_key_obj_p->keysched_len; 6331 (void) memcpy(sk->key_sched, old_secret_key_obj_p->key_sched, 6332 sk->keysched_len); 6333 } 6334 6335 *new_secret_key_obj_p = sk; 6336 6337 return (CKR_OK); 6338 } 6339 6340 /* 6341 * If CKA_CLASS not given, guess CKA_CLASS using 6342 * attributes on template . 6343 * 6344 * Some attributes are specific to an object class. If one or more 6345 * of these attributes are in the template, make a list of classes 6346 * that can have these attributes. This would speed up the search later, 6347 * because we can immediately skip an object if the class of that 6348 * object can not possibly contain one of the attributes. 6349 * 6350 */ 6351 void 6352 soft_process_find_attr(CK_OBJECT_CLASS *pclasses, 6353 CK_ULONG *num_result_pclasses, CK_ATTRIBUTE_PTR pTemplate, 6354 CK_ULONG ulCount) 6355 { 6356 ulong_t i; 6357 int j; 6358 boolean_t pub_found = B_FALSE, 6359 priv_found = B_FALSE, 6360 secret_found = B_FALSE, 6361 domain_found = B_FALSE, 6362 hardware_found = B_FALSE, 6363 cert_found = B_FALSE; 6364 int num_pub_key_attrs, num_priv_key_attrs, 6365 num_secret_key_attrs, num_domain_attrs, 6366 num_hardware_attrs, num_cert_attrs; 6367 int num_pclasses = 0; 6368 6369 for (i = 0; i < ulCount; i++) { 6370 if (pTemplate[i].type == CKA_CLASS) { 6371 /* 6372 * don't need to guess the class, it is specified. 6373 * Just record the class, and return. 6374 */ 6375 pclasses[0] = 6376 (*((CK_OBJECT_CLASS *)pTemplate[i].pValue)); 6377 *num_result_pclasses = 1; 6378 return; 6379 } 6380 } 6381 6382 num_pub_key_attrs = 6383 sizeof (PUB_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6384 num_priv_key_attrs = 6385 sizeof (PRIV_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6386 num_secret_key_attrs = 6387 sizeof (SECRET_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6388 num_domain_attrs = 6389 sizeof (DOMAIN_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6390 num_hardware_attrs = 6391 sizeof (HARDWARE_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6392 num_cert_attrs = 6393 sizeof (CERT_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE); 6394 6395 /* 6396 * Get the list of objects class that might contain 6397 * some attributes. 6398 */ 6399 for (i = 0; i < ulCount; i++) { 6400 /* 6401 * only check if this attribute can belong to public key object 6402 * class if public key object isn't already in the list 6403 */ 6404 if (!pub_found) { 6405 for (j = 0; j < num_pub_key_attrs; j++) { 6406 if (pTemplate[i].type == PUB_KEY_ATTRS[j]) { 6407 pub_found = B_TRUE; 6408 pclasses[num_pclasses++] = 6409 CKO_PUBLIC_KEY; 6410 break; 6411 } 6412 } 6413 } 6414 6415 if (!priv_found) { 6416 for (j = 0; j < num_priv_key_attrs; j++) { 6417 if (pTemplate[i].type == PRIV_KEY_ATTRS[j]) { 6418 priv_found = B_TRUE; 6419 pclasses[num_pclasses++] = 6420 CKO_PRIVATE_KEY; 6421 break; 6422 } 6423 } 6424 } 6425 6426 if (!secret_found) { 6427 for (j = 0; j < num_secret_key_attrs; j++) { 6428 if (pTemplate[i].type == SECRET_KEY_ATTRS[j]) { 6429 secret_found = B_TRUE; 6430 pclasses[num_pclasses++] = 6431 CKO_SECRET_KEY; 6432 break; 6433 } 6434 } 6435 } 6436 6437 if (!domain_found) { 6438 for (j = 0; j < num_domain_attrs; j++) { 6439 if (pTemplate[i].type == DOMAIN_ATTRS[j]) { 6440 domain_found = B_TRUE; 6441 pclasses[num_pclasses++] = 6442 CKO_DOMAIN_PARAMETERS; 6443 break; 6444 } 6445 } 6446 } 6447 6448 if (!hardware_found) { 6449 for (j = 0; j < num_hardware_attrs; j++) { 6450 if (pTemplate[i].type == HARDWARE_ATTRS[j]) { 6451 hardware_found = B_TRUE; 6452 pclasses[num_pclasses++] = 6453 CKO_HW_FEATURE; 6454 break; 6455 } 6456 } 6457 } 6458 6459 if (!cert_found) { 6460 for (j = 0; j < num_cert_attrs; j++) { 6461 if (pTemplate[i].type == CERT_ATTRS[j]) { 6462 cert_found = B_TRUE; 6463 pclasses[num_pclasses++] = 6464 CKO_CERTIFICATE; 6465 break; 6466 } 6467 } 6468 } 6469 } 6470 *num_result_pclasses = num_pclasses; 6471 } 6472 6473 boolean_t 6474 soft_find_match_attrs(soft_object_t *obj, CK_OBJECT_CLASS *pclasses, 6475 CK_ULONG num_pclasses, CK_ATTRIBUTE *template, CK_ULONG num_attr) 6476 { 6477 ulong_t i; 6478 CK_ATTRIBUTE *tmpl_attr, *obj_attr; 6479 cert_attr_t *cert_attr; 6480 uint64_t attr_mask; 6481 biginteger_t *bigint; 6482 boolean_t compare_attr, compare_bigint, compare_boolean; 6483 boolean_t compare_cert_val, compare_cert_type; 6484 6485 /* 6486 * Check if the class of this object match with any 6487 * of object classes that can possibly contain the 6488 * requested attributes. 6489 */ 6490 if (num_pclasses > 0) { 6491 for (i = 0; i < num_pclasses; i++) { 6492 if (obj->class == pclasses[i]) { 6493 break; 6494 } 6495 } 6496 if (i == num_pclasses) { 6497 /* 6498 * this object can't possibly contain one or 6499 * more attributes, don't need to check this object 6500 */ 6501 return (B_FALSE); 6502 } 6503 } 6504 6505 /* need to examine everything */ 6506 for (i = 0; i < num_attr; i++) { 6507 tmpl_attr = &(template[i]); 6508 compare_attr = B_FALSE; 6509 compare_bigint = B_FALSE; 6510 compare_boolean = B_FALSE; 6511 compare_cert_val = B_FALSE; 6512 compare_cert_type = B_FALSE; 6513 switch (tmpl_attr->type) { 6514 /* First, check the most common attributes */ 6515 case CKA_CLASS: 6516 if (*((CK_OBJECT_CLASS *)tmpl_attr->pValue) != 6517 obj->class) { 6518 return (B_FALSE); 6519 } 6520 break; 6521 case CKA_KEY_TYPE: 6522 if (*((CK_KEY_TYPE *)tmpl_attr->pValue) != 6523 obj->key_type) { 6524 return (B_FALSE); 6525 } 6526 break; 6527 case CKA_ENCRYPT: 6528 attr_mask = (obj->bool_attr_mask) & ENCRYPT_BOOL_ON; 6529 compare_boolean = B_TRUE; 6530 break; 6531 case CKA_DECRYPT: 6532 attr_mask = (obj->bool_attr_mask) & DECRYPT_BOOL_ON; 6533 compare_boolean = B_TRUE; 6534 break; 6535 case CKA_WRAP: 6536 attr_mask = (obj->bool_attr_mask) & WRAP_BOOL_ON; 6537 compare_boolean = B_TRUE; 6538 break; 6539 case CKA_UNWRAP: 6540 attr_mask = (obj->bool_attr_mask) & UNWRAP_BOOL_ON; 6541 compare_boolean = B_TRUE; 6542 break; 6543 case CKA_SIGN: 6544 attr_mask = (obj->bool_attr_mask) & SIGN_BOOL_ON; 6545 compare_boolean = B_TRUE; 6546 break; 6547 case CKA_SIGN_RECOVER: 6548 attr_mask = (obj->bool_attr_mask) & 6549 SIGN_RECOVER_BOOL_ON; 6550 compare_boolean = B_TRUE; 6551 break; 6552 case CKA_VERIFY: 6553 attr_mask = (obj->bool_attr_mask) & VERIFY_BOOL_ON; 6554 compare_boolean = B_TRUE; 6555 break; 6556 case CKA_VERIFY_RECOVER: 6557 attr_mask = (obj->bool_attr_mask) & 6558 VERIFY_RECOVER_BOOL_ON; 6559 compare_boolean = B_TRUE; 6560 break; 6561 case CKA_DERIVE: 6562 attr_mask = (obj->bool_attr_mask) & DERIVE_BOOL_ON; 6563 compare_boolean = B_TRUE; 6564 break; 6565 case CKA_LOCAL: 6566 attr_mask = (obj->bool_attr_mask) & LOCAL_BOOL_ON; 6567 compare_boolean = B_TRUE; 6568 break; 6569 case CKA_SENSITIVE: 6570 attr_mask = (obj->bool_attr_mask) & SENSITIVE_BOOL_ON; 6571 compare_boolean = B_TRUE; 6572 break; 6573 case CKA_SECONDARY_AUTH: 6574 attr_mask = (obj->bool_attr_mask) & 6575 SECONDARY_AUTH_BOOL_ON; 6576 compare_boolean = B_TRUE; 6577 break; 6578 case CKA_TRUSTED: 6579 attr_mask = (obj->bool_attr_mask) & TRUSTED_BOOL_ON; 6580 compare_boolean = B_TRUE; 6581 break; 6582 case CKA_EXTRACTABLE: 6583 attr_mask = (obj->bool_attr_mask) & 6584 EXTRACTABLE_BOOL_ON; 6585 compare_boolean = B_TRUE; 6586 break; 6587 case CKA_ALWAYS_SENSITIVE: 6588 attr_mask = (obj->bool_attr_mask) & 6589 ALWAYS_SENSITIVE_BOOL_ON; 6590 compare_boolean = B_TRUE; 6591 break; 6592 case CKA_NEVER_EXTRACTABLE: 6593 attr_mask = (obj->bool_attr_mask) & 6594 NEVER_EXTRACTABLE_BOOL_ON; 6595 compare_boolean = B_TRUE; 6596 break; 6597 case CKA_TOKEN: 6598 attr_mask = (obj->object_type) & TOKEN_OBJECT; 6599 compare_boolean = B_TRUE; 6600 break; 6601 case CKA_PRIVATE: 6602 attr_mask = (obj->object_type) & PRIVATE_OBJECT; 6603 compare_boolean = B_TRUE; 6604 break; 6605 case CKA_MODIFIABLE: 6606 { 6607 CK_BBOOL bval; 6608 attr_mask = (obj->bool_attr_mask) & 6609 NOT_MODIFIABLE_BOOL_ON; 6610 6611 if (attr_mask) { 6612 bval = FALSE; 6613 } else { 6614 bval = TRUE; 6615 } 6616 if (bval != *((CK_BBOOL *)tmpl_attr->pValue)) { 6617 return (B_FALSE); 6618 } 6619 break; 6620 } 6621 case CKA_OWNER: 6622 /* 6623 * For X.509 attribute certificate object, get its 6624 * CKA_OWNER attribute from the x509_attr_cert_t struct. 6625 */ 6626 if ((obj->class == CKO_CERTIFICATE) && 6627 (obj->cert_type == CKC_X_509_ATTR_CERT)) { 6628 cert_attr = X509_ATTR_CERT_OWNER(obj); 6629 compare_cert_val = B_TRUE; 6630 } 6631 break; 6632 case CKA_SUBJECT: 6633 /* 6634 * For X.509 certificate object, get its CKA_SUBJECT 6635 * attribute from the x509_cert_t struct (not from 6636 * the extra_attrlistp). 6637 */ 6638 if ((obj->class == CKO_CERTIFICATE) && 6639 (obj->cert_type == CKC_X_509)) { 6640 cert_attr = X509_CERT_SUBJECT(obj); 6641 compare_cert_val = B_TRUE; 6642 break; 6643 } 6644 /*FALLTHRU*/ 6645 case CKA_ID: 6646 case CKA_START_DATE: 6647 case CKA_END_DATE: 6648 case CKA_KEY_GEN_MECHANISM: 6649 case CKA_LABEL: 6650 case CKA_ISSUER: 6651 case CKA_SERIAL_NUMBER: 6652 case CKA_AC_ISSUER: 6653 case CKA_ATTR_TYPES: 6654 /* find these attributes from extra_attrlistp */ 6655 obj_attr = get_extra_attr(tmpl_attr->type, obj); 6656 compare_attr = B_TRUE; 6657 break; 6658 case CKA_CERTIFICATE_TYPE: 6659 compare_cert_type = B_TRUE; 6660 break; 6661 case CKA_VALUE_LEN: 6662 /* only secret key has this attribute */ 6663 if (obj->class == CKO_SECRET_KEY) { 6664 if (*((CK_ULONG *)tmpl_attr->pValue) != 6665 OBJ_SEC_VALUE_LEN(obj)) { 6666 return (B_FALSE); 6667 } 6668 } else { 6669 return (B_FALSE); 6670 } 6671 break; 6672 case CKA_VALUE: 6673 switch (obj->class) { 6674 case CKO_SECRET_KEY: 6675 /* 6676 * secret_key_obj_t is the same as 6677 * biginteger_t 6678 */ 6679 bigint = (biginteger_t *)OBJ_SEC(obj); 6680 compare_bigint = B_TRUE; 6681 break; 6682 case CKO_PRIVATE_KEY: 6683 if (obj->key_type == CKK_DSA) { 6684 bigint = OBJ_PRI_DSA_VALUE(obj); 6685 } else if (obj->key_type == CKK_DH) { 6686 bigint = OBJ_PRI_DH_VALUE(obj); 6687 } else if (obj->key_type == CKK_X9_42_DH) { 6688 bigint = OBJ_PRI_DH942_VALUE(obj); 6689 } else { 6690 return (B_FALSE); 6691 } 6692 compare_bigint = B_TRUE; 6693 break; 6694 case CKO_PUBLIC_KEY: 6695 if (obj->key_type == CKK_DSA) { 6696 bigint = OBJ_PUB_DSA_VALUE(obj); 6697 } else if (obj->key_type == CKK_DH) { 6698 bigint = OBJ_PUB_DH_VALUE(obj); 6699 } else if (obj->key_type == CKK_X9_42_DH) { 6700 bigint = OBJ_PUB_DH942_VALUE(obj); 6701 } else { 6702 return (B_FALSE); 6703 } 6704 compare_bigint = B_TRUE; 6705 break; 6706 case CKO_CERTIFICATE: 6707 if (obj->cert_type == CKC_X_509) { 6708 cert_attr = X509_CERT_VALUE(obj); 6709 } else if (obj->cert_type == 6710 CKC_X_509_ATTR_CERT) { 6711 cert_attr = X509_ATTR_CERT_VALUE(obj); 6712 } 6713 compare_cert_val = B_TRUE; 6714 break; 6715 default: 6716 return (B_FALSE); 6717 } 6718 break; 6719 case CKA_MODULUS: 6720 /* only RSA public and private key have this attr */ 6721 if (obj->key_type == CKK_RSA) { 6722 if (obj->class == CKO_PUBLIC_KEY) { 6723 bigint = OBJ_PUB_RSA_MOD(obj); 6724 } else if (obj->class == CKO_PRIVATE_KEY) { 6725 bigint = OBJ_PRI_RSA_MOD(obj); 6726 } else { 6727 return (B_FALSE); 6728 } 6729 compare_bigint = B_TRUE; 6730 } else { 6731 return (B_FALSE); 6732 } 6733 break; 6734 case CKA_MODULUS_BITS: 6735 /* only RSA public key has this attribute */ 6736 if ((obj->key_type == CKK_RSA) && 6737 (obj->class == CKO_PUBLIC_KEY)) { 6738 CK_ULONG mod_bits = OBJ_PUB_RSA_MOD_BITS(obj); 6739 if (mod_bits != 6740 *((CK_ULONG *)tmpl_attr->pValue)) { 6741 return (B_FALSE); 6742 } 6743 } else { 6744 return (B_FALSE); 6745 } 6746 break; 6747 case CKA_PUBLIC_EXPONENT: 6748 /* only RSA public and private key have this attr */ 6749 if (obj->key_type == CKK_RSA) { 6750 if (obj->class == CKO_PUBLIC_KEY) { 6751 bigint = OBJ_PUB_RSA_PUBEXPO(obj); 6752 } else if (obj->class == CKO_PRIVATE_KEY) { 6753 bigint = OBJ_PRI_RSA_PUBEXPO(obj); 6754 } else { 6755 return (B_FALSE); 6756 } 6757 compare_bigint = B_TRUE; 6758 } else { 6759 return (B_FALSE); 6760 } 6761 break; 6762 case CKA_PRIVATE_EXPONENT: 6763 /* only RSA private key has this attribute */ 6764 if ((obj->key_type == CKK_RSA) && 6765 (obj->class == CKO_PRIVATE_KEY)) { 6766 bigint = OBJ_PRI_RSA_PRIEXPO(obj); 6767 compare_bigint = B_TRUE; 6768 } else { 6769 return (B_FALSE); 6770 } 6771 break; 6772 case CKA_PRIME_1: 6773 /* only RSA private key has this attribute */ 6774 if ((obj->key_type == CKK_RSA) && 6775 (obj->class == CKO_PRIVATE_KEY)) { 6776 bigint = OBJ_PRI_RSA_PRIME1(obj); 6777 compare_bigint = B_TRUE; 6778 } else { 6779 return (B_FALSE); 6780 } 6781 break; 6782 case CKA_PRIME_2: 6783 /* only RSA private key has this attribute */ 6784 if ((obj->key_type == CKK_RSA) && 6785 (obj->class == CKO_PRIVATE_KEY)) { 6786 bigint = OBJ_PRI_RSA_PRIME2(obj); 6787 compare_bigint = B_TRUE; 6788 } else { 6789 return (B_FALSE); 6790 } 6791 break; 6792 case CKA_EXPONENT_1: 6793 /* only RSA private key has this attribute */ 6794 if ((obj->key_type == CKK_RSA) && 6795 (obj->class == CKO_PRIVATE_KEY)) { 6796 bigint = OBJ_PRI_RSA_EXPO1(obj); 6797 compare_bigint = B_TRUE; 6798 } else { 6799 return (B_FALSE); 6800 } 6801 break; 6802 case CKA_EXPONENT_2: 6803 /* only RSA private key has this attribute */ 6804 if ((obj->key_type == CKK_RSA) && 6805 (obj->class == CKO_PRIVATE_KEY)) { 6806 bigint = OBJ_PRI_RSA_EXPO2(obj); 6807 compare_bigint = B_TRUE; 6808 } else { 6809 return (B_FALSE); 6810 } 6811 break; 6812 case CKA_COEFFICIENT: 6813 /* only RSA private key has this attribute */ 6814 if ((obj->key_type == CKK_RSA) && 6815 (obj->class == CKO_PRIVATE_KEY)) { 6816 bigint = OBJ_PRI_RSA_COEF(obj); 6817 compare_bigint = B_TRUE; 6818 } else { 6819 return (B_FALSE); 6820 } 6821 break; 6822 case CKA_VALUE_BITS: 6823 /* only Diffie-Hellman private key has this attr */ 6824 if ((obj->key_type == CKK_DH) && 6825 (obj->class == CKO_PRIVATE_KEY)) { 6826 CK_ULONG val_bits = OBJ_PRI_DH_VAL_BITS(obj); 6827 if (val_bits != 6828 *((CK_ULONG *)tmpl_attr->pValue)) { 6829 return (B_FALSE); 6830 } 6831 } else { 6832 return (B_FALSE); 6833 } 6834 break; 6835 case CKA_PRIME: 6836 if (obj->class == CKO_PUBLIC_KEY) { 6837 switch (obj->key_type) { 6838 case CKK_DSA: 6839 bigint = OBJ_PUB_DSA_PRIME(obj); 6840 break; 6841 case CKK_DH: 6842 bigint = OBJ_PUB_DH_PRIME(obj); 6843 break; 6844 case CKK_X9_42_DH: 6845 bigint = OBJ_PUB_DH942_PRIME(obj); 6846 break; 6847 default: 6848 return (B_FALSE); 6849 } 6850 } else if (obj->class == CKO_PRIVATE_KEY) { 6851 switch (obj->key_type) { 6852 case CKK_DSA: 6853 bigint = OBJ_PRI_DSA_PRIME(obj); 6854 break; 6855 case CKK_DH: 6856 bigint = OBJ_PRI_DH_PRIME(obj); 6857 break; 6858 case CKK_X9_42_DH: 6859 bigint = OBJ_PRI_DH942_PRIME(obj); 6860 break; 6861 default: 6862 return (B_FALSE); 6863 } 6864 } else if (obj->class == CKO_DOMAIN_PARAMETERS) { 6865 switch (obj->key_type) { 6866 case CKK_DSA: 6867 bigint = OBJ_DOM_DSA_PRIME(obj); 6868 break; 6869 case CKK_DH: 6870 bigint = OBJ_DOM_DH_PRIME(obj); 6871 break; 6872 case CKK_X9_42_DH: 6873 bigint = OBJ_DOM_DH942_PRIME(obj); 6874 break; 6875 default: 6876 return (B_FALSE); 6877 } 6878 } else { 6879 return (B_FALSE); 6880 } 6881 compare_bigint = B_TRUE; 6882 break; 6883 case CKA_SUBPRIME: 6884 if (obj->class == CKO_PUBLIC_KEY) { 6885 switch (obj->key_type) { 6886 case CKK_DSA: 6887 bigint = OBJ_PUB_DSA_SUBPRIME(obj); 6888 break; 6889 case CKK_X9_42_DH: 6890 bigint = OBJ_PUB_DH942_SUBPRIME(obj); 6891 break; 6892 default: 6893 return (B_FALSE); 6894 } 6895 } else if (obj->class == CKO_PRIVATE_KEY) { 6896 switch (obj->key_type) { 6897 case CKK_DSA: 6898 bigint = OBJ_PRI_DSA_SUBPRIME(obj); 6899 break; 6900 case CKK_X9_42_DH: 6901 bigint = OBJ_PRI_DH942_SUBPRIME(obj); 6902 break; 6903 default: 6904 return (B_FALSE); 6905 } 6906 } else if (obj->class == CKO_DOMAIN_PARAMETERS) { 6907 switch (obj->key_type) { 6908 case CKK_DSA: 6909 bigint = OBJ_DOM_DSA_SUBPRIME(obj); 6910 break; 6911 case CKK_X9_42_DH: 6912 bigint = OBJ_DOM_DH942_SUBPRIME(obj); 6913 break; 6914 default: 6915 return (B_FALSE); 6916 } 6917 } else { 6918 return (B_FALSE); 6919 } 6920 compare_bigint = B_TRUE; 6921 break; 6922 case CKA_BASE: 6923 if (obj->class == CKO_PUBLIC_KEY) { 6924 switch (obj->key_type) { 6925 case CKK_DSA: 6926 bigint = OBJ_PUB_DSA_BASE(obj); 6927 break; 6928 case CKK_DH: 6929 bigint = OBJ_PUB_DH_BASE(obj); 6930 break; 6931 case CKK_X9_42_DH: 6932 bigint = OBJ_PUB_DH942_BASE(obj); 6933 break; 6934 default: 6935 return (B_FALSE); 6936 } 6937 } else if (obj->class == CKO_PRIVATE_KEY) { 6938 switch (obj->key_type) { 6939 case CKK_DSA: 6940 bigint = OBJ_PRI_DSA_BASE(obj); 6941 break; 6942 case CKK_DH: 6943 bigint = OBJ_PRI_DH_BASE(obj); 6944 break; 6945 case CKK_X9_42_DH: 6946 bigint = OBJ_PRI_DH942_BASE(obj); 6947 break; 6948 default: 6949 return (B_FALSE); 6950 } 6951 } else if (obj->class == CKO_DOMAIN_PARAMETERS) { 6952 switch (obj->key_type) { 6953 case CKK_DSA: 6954 bigint = OBJ_DOM_DSA_BASE(obj); 6955 break; 6956 case CKK_DH: 6957 bigint = OBJ_DOM_DH_BASE(obj); 6958 break; 6959 case CKK_X9_42_DH: 6960 bigint = OBJ_DOM_DH942_BASE(obj); 6961 break; 6962 default: 6963 return (B_FALSE); 6964 } 6965 } else { 6966 return (B_FALSE); 6967 } 6968 compare_bigint = B_TRUE; 6969 break; 6970 case CKA_PRIME_BITS: 6971 if (obj->class == CKO_DOMAIN_PARAMETERS) { 6972 CK_ULONG prime_bits; 6973 if (obj->key_type == CKK_DSA) { 6974 prime_bits = 6975 OBJ_DOM_DSA_PRIME_BITS(obj); 6976 } else if (obj->key_type == CKK_DH) { 6977 prime_bits = 6978 OBJ_DOM_DH_PRIME_BITS(obj); 6979 } else if (obj->key_type == CKK_X9_42_DH) { 6980 prime_bits = 6981 OBJ_DOM_DH942_PRIME_BITS(obj); 6982 } else { 6983 return (B_FALSE); 6984 } 6985 if (prime_bits != 6986 *((CK_ULONG *)tmpl_attr->pValue)) { 6987 return (B_FALSE); 6988 } 6989 } else { 6990 return (B_FALSE); 6991 } 6992 break; 6993 case CKA_SUBPRIME_BITS: 6994 if ((obj->class == CKO_DOMAIN_PARAMETERS) && 6995 (obj->key_type == CKK_X9_42_DH)) { 6996 CK_ULONG subprime_bits = 6997 OBJ_DOM_DH942_SUBPRIME_BITS(obj); 6998 if (subprime_bits != 6999 *((CK_ULONG *)tmpl_attr->pValue)) { 7000 return (B_FALSE); 7001 } 7002 } else { 7003 return (B_FALSE); 7004 } 7005 break; 7006 default: 7007 /* 7008 * any other attributes are currently not supported. 7009 * so, it's not possible for them to be in the 7010 * object 7011 */ 7012 return (B_FALSE); 7013 } 7014 if (compare_boolean) { 7015 CK_BBOOL bval; 7016 7017 if (attr_mask) { 7018 bval = TRUE; 7019 } else { 7020 bval = FALSE; 7021 } 7022 if (bval != *((CK_BBOOL *)tmpl_attr->pValue)) { 7023 return (B_FALSE); 7024 } 7025 } else if (compare_bigint) { 7026 if (bigint == NULL) { 7027 return (B_FALSE); 7028 } 7029 if (tmpl_attr->ulValueLen != bigint->big_value_len) { 7030 return (B_FALSE); 7031 } 7032 if (memcmp(tmpl_attr->pValue, bigint->big_value, 7033 tmpl_attr->ulValueLen) != 0) { 7034 return (B_FALSE); 7035 } 7036 } else if (compare_attr) { 7037 if (obj_attr == NULL) { 7038 /* 7039 * The attribute type is valid, and its value 7040 * has not been initialized in the object. In 7041 * this case, it only matches the template's 7042 * attribute if the template's value length 7043 * is 0. 7044 */ 7045 if (tmpl_attr->ulValueLen != 0) 7046 return (B_FALSE); 7047 } else { 7048 if (tmpl_attr->ulValueLen != 7049 obj_attr->ulValueLen) { 7050 return (B_FALSE); 7051 } 7052 if (memcmp(tmpl_attr->pValue, obj_attr->pValue, 7053 tmpl_attr->ulValueLen) != 0) { 7054 return (B_FALSE); 7055 } 7056 } 7057 } else if (compare_cert_val) { 7058 if (cert_attr == NULL) { 7059 /* specific attribute not found */ 7060 return (B_FALSE); 7061 } 7062 if (tmpl_attr->ulValueLen != cert_attr->length) { 7063 return (B_FALSE); 7064 } 7065 if (memcmp(tmpl_attr->pValue, cert_attr->value, 7066 tmpl_attr->ulValueLen) != 0) { 7067 return (B_FALSE); 7068 } 7069 } else if (compare_cert_type) { 7070 if (memcmp(tmpl_attr->pValue, &(obj->cert_type), 7071 tmpl_attr->ulValueLen) != 0) { 7072 return (B_FALSE); 7073 } 7074 } 7075 } 7076 return (B_TRUE); 7077 } 7078 7079 CK_ATTRIBUTE_PTR 7080 get_extra_attr(CK_ATTRIBUTE_TYPE type, soft_object_t *obj) 7081 { 7082 CK_ATTRIBUTE_INFO_PTR tmp; 7083 7084 tmp = obj->extra_attrlistp; 7085 while (tmp != NULL) { 7086 if (tmp->attr.type == type) { 7087 return (&(tmp->attr)); 7088 } 7089 tmp = tmp->next; 7090 } 7091 /* if get there, the specified attribute is not found */ 7092 return (NULL); 7093 }