|
Packit |
8681c6 |
/*
|
|
Packit |
8681c6 |
* COPYRIGHT (c) International Business Machines Corp. 2001-2017
|
|
Packit |
8681c6 |
*
|
|
Packit |
8681c6 |
* This program is provided under the terms of the Common Public License,
|
|
Packit |
8681c6 |
* version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
|
Packit |
8681c6 |
* software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
|
Packit |
8681c6 |
* found in the file LICENSE file or at
|
|
Packit |
8681c6 |
* https://opensource.org/licenses/cpl1.0.php
|
|
Packit |
8681c6 |
*/
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// File: sign_mgr.c
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
// Signature manager routines
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#include <pthread.h>
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#include <string.h> // for memcmp() et al
|
|
Packit |
8681c6 |
#include <stdlib.h>
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#include "pkcs11types.h"
|
|
Packit |
8681c6 |
#include "defs.h"
|
|
Packit |
8681c6 |
#include "host_defs.h"
|
|
Packit |
8681c6 |
#include "h_extern.h"
|
|
Packit |
8681c6 |
#include "tok_spec_struct.h"
|
|
Packit |
8681c6 |
#include "trace.h"
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
CK_RV sign_mgr_init(STDLL_TokData_t *tokdata,
|
|
Packit |
8681c6 |
SESSION *sess,
|
|
Packit |
8681c6 |
SIGN_VERIFY_CONTEXT *ctx,
|
|
Packit |
8681c6 |
CK_MECHANISM *mech,
|
|
Packit |
8681c6 |
CK_BBOOL recover_mode, CK_OBJECT_HANDLE key)
|
|
Packit |
8681c6 |
{
|
|
Packit |
8681c6 |
OBJECT *key_obj = NULL;
|
|
Packit |
8681c6 |
CK_ATTRIBUTE *attr = NULL;
|
|
Packit |
8681c6 |
CK_BYTE *ptr = NULL;
|
|
Packit |
8681c6 |
CK_KEY_TYPE keytype;
|
|
Packit |
8681c6 |
CK_OBJECT_CLASS class;
|
|
Packit |
8681c6 |
CK_BBOOL flag;
|
|
Packit |
8681c6 |
CK_RV rc;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (!sess || !ctx) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Invalid function arguments.\n");
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->active != FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_ACTIVE));
|
|
Packit |
8681c6 |
return CKR_OPERATION_ACTIVE;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
// key usage restrictions
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
rc = object_mgr_find_in_map1(tokdata, key, &key_obj, READ_LOCK);
|
|
Packit |
8681c6 |
if (rc != CKR_OK) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Failed to acquire key from specified handle.\n");
|
|
Packit |
8681c6 |
if (rc == CKR_OBJECT_HANDLE_INVALID)
|
|
Packit |
8681c6 |
return CKR_KEY_HANDLE_INVALID;
|
|
Packit |
8681c6 |
else
|
|
Packit |
8681c6 |
return rc;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (recover_mode) {
|
|
Packit |
8681c6 |
// is key allowed to generate signatures where the data can be
|
|
Packit |
8681c6 |
// recovered from the signature?
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_SIGN_RECOVER,
|
|
Packit |
8681c6 |
&attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_SIGN_RECOVER for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
// is key allowed to generate signatures where the signature is an
|
|
Packit |
8681c6 |
// appendix to the data?
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_SIGN, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_SIGN for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
flag = *(CK_BBOOL *) attr->pValue;
|
|
Packit |
8681c6 |
if (flag != TRUE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_KEY_FUNCTION_NOT_PERMITTED));
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// is the mechanism supported? is the key type correct? is a
|
|
Packit |
8681c6 |
// parameter present if required? is the key size allowed?
|
|
Packit |
8681c6 |
// is the key allowed to generate signatures?
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
switch (mech->mechanism) {
|
|
Packit |
8681c6 |
case CKM_RSA_X_509:
|
|
Packit |
8681c6 |
case CKM_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
if (mech->mechanism == CKM_RSA_PKCS_PSS) {
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_MODULUS, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_MODULUS for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
rc = check_pss_params(mech, attr->ulValueLen);
|
|
Packit |
8681c6 |
if (rc != CKR_OK) {
|
|
Packit |
8681c6 |
TRACE_DEVEL("check_pss_params() failed.\n");
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != 0) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_KEY_TYPE, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
keytype = *(CK_KEY_TYPE *) attr->pValue;
|
|
Packit |
8681c6 |
if (keytype != CKK_RSA) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_KEY_TYPE_INCONSISTENT));
|
|
Packit |
8681c6 |
rc = CKR_KEY_TYPE_INCONSISTENT;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// must be a PRIVATE key
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
flag = template_attribute_find(key_obj->template, CKA_CLASS, &attr);
|
|
Packit |
8681c6 |
if (flag == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_CLASS for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
class = *(CK_OBJECT_CLASS *) attr->pValue;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// if it's not a private RSA key then we have an internal failure...
|
|
Packit |
8681c6 |
// means that somehow a public key got assigned a CKA_SIGN attribute
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
if (class != CKO_PRIVATE_KEY) {
|
|
Packit |
8681c6 |
TRACE_ERROR("This operation requires a private key.\n");
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
// PKCS #11 doesn't allow multi-part RSA operations
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
ctx->context_len = 0;
|
|
Packit |
8681c6 |
ctx->context = NULL;
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
case CKM_ECDSA:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA1:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA224:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA256:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA384:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA512:
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != 0) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_KEY_TYPE, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
keytype = *(CK_KEY_TYPE *) attr->pValue;
|
|
Packit |
8681c6 |
if (keytype != CKK_EC) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_KEY_TYPE_INCONSISTENT));
|
|
Packit |
8681c6 |
rc = CKR_KEY_TYPE_INCONSISTENT;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// must be a PRIVATE key
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
flag = template_attribute_find(key_obj->template, CKA_CLASS, &attr);
|
|
Packit |
8681c6 |
if (flag == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_CLASS for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
class = *(CK_OBJECT_CLASS *) attr->pValue;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (class != CKO_PRIVATE_KEY) {
|
|
Packit |
8681c6 |
TRACE_ERROR("This operation requires a private key.\n");
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->mechanism == CKM_ECDSA) {
|
|
Packit |
8681c6 |
ctx->context_len = 0;
|
|
Packit |
8681c6 |
ctx->context = NULL;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
ctx->context_len = sizeof(RSA_DIGEST_CONTEXT);
|
|
Packit |
8681c6 |
ctx->context = (CK_BYTE *) malloc(sizeof(RSA_DIGEST_CONTEXT));
|
|
Packit |
8681c6 |
if (!ctx->context) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
|
Packit |
8681c6 |
rc = CKR_HOST_MEMORY;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
memset(ctx->context, 0x0, sizeof(RSA_DIGEST_CONTEXT));
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
#if !(NOMD2)
|
|
Packit |
8681c6 |
case CKM_MD2_RSA_PKCS:
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
case CKM_MD5_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA1_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA224_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA256_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA384_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA512_RSA_PKCS:
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != 0) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_KEY_TYPE, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
keytype = *(CK_KEY_TYPE *) attr->pValue;
|
|
Packit |
8681c6 |
if (keytype != CKK_RSA) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_KEY_TYPE_INCONSISTENT));
|
|
Packit |
8681c6 |
rc = CKR_KEY_TYPE_INCONSISTENT;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// must be a PRIVATE key operation
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
flag = template_attribute_find(key_obj->template, CKA_CLASS, &attr);
|
|
Packit |
8681c6 |
if (flag == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_CLASS for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
class = *(CK_OBJECT_CLASS *) attr->pValue;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (class != CKO_PRIVATE_KEY) {
|
|
Packit |
8681c6 |
TRACE_ERROR("This operation requires a private key.\n");
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
ctx->context_len = sizeof(RSA_DIGEST_CONTEXT);
|
|
Packit |
8681c6 |
ctx->context = (CK_BYTE *) malloc(sizeof(RSA_DIGEST_CONTEXT));
|
|
Packit |
8681c6 |
if (!ctx->context) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
|
Packit |
8681c6 |
rc = CKR_HOST_MEMORY;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
memset(ctx->context, 0x0, sizeof(RSA_DIGEST_CONTEXT));
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
case CKM_SHA1_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA224_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA256_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA384_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA512_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_MODULUS, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_CLASS for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
rc = check_pss_params(mech, attr->ulValueLen);
|
|
Packit |
8681c6 |
if (rc != CKR_OK) {
|
|
Packit |
8681c6 |
TRACE_DEVEL("check_pss_params failed.\n");
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_KEY_TYPE, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
keytype = *(CK_KEY_TYPE *) attr->pValue;
|
|
Packit |
8681c6 |
if (keytype != CKK_RSA) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_KEY_TYPE_INCONSISTENT));
|
|
Packit |
8681c6 |
rc = CKR_KEY_TYPE_INCONSISTENT;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// must be a PRIVATE key operation
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
flag = template_attribute_find(key_obj->template, CKA_CLASS, &attr);
|
|
Packit |
8681c6 |
if (flag == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_CLASS for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
class = *(CK_OBJECT_CLASS *) attr->pValue;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (class != CKO_PRIVATE_KEY) {
|
|
Packit |
8681c6 |
TRACE_ERROR("This operation requires a private key.\n");
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
ctx->context_len = sizeof(DIGEST_CONTEXT);
|
|
Packit |
8681c6 |
ctx->context = (CK_BYTE *) malloc(ctx->context_len);
|
|
Packit |
8681c6 |
if (!ctx->context) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
|
Packit |
8681c6 |
rc = CKR_HOST_MEMORY;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
memset(ctx->context, 0x0, ctx->context_len);
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
#if !(NODSA)
|
|
Packit |
8681c6 |
case CKM_DSA:
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != 0) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_KEY_TYPE, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
keytype = *(CK_KEY_TYPE *) attr->pValue;
|
|
Packit |
8681c6 |
if (keytype != CKK_DSA) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_KEY_TYPE_INCONSISTENT));
|
|
Packit |
8681c6 |
rc = CKR_KEY_TYPE_INCONSISTENT;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// must be a PRIVATE key
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
flag = template_attribute_find(key_obj->template, CKA_CLASS, &attr);
|
|
Packit |
8681c6 |
if (flag == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_CLASS for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
class = *(CK_OBJECT_CLASS *) attr->pValue;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// if it's not a private RSA key then we have an internal failure...
|
|
Packit |
8681c6 |
// means that somehow a public key got assigned a CKA_SIGN attribute
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
if (class != CKO_PRIVATE_KEY) {
|
|
Packit |
8681c6 |
TRACE_ERROR("This operation requires a private key.\n");
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
// PKCS #11 doesn't allow multi-part DSA operations
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
ctx->context_len = 0;
|
|
Packit |
8681c6 |
ctx->context = NULL;
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
#if !(NOMD2)
|
|
Packit |
8681c6 |
case CKM_MD2_HMAC:
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
case CKM_MD5_HMAC:
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != 0) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_KEY_TYPE, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
keytype = *(CK_KEY_TYPE *) attr->pValue;
|
|
Packit |
8681c6 |
if (keytype != CKK_GENERIC_SECRET) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_KEY_TYPE_INCONSISTENT));
|
|
Packit |
8681c6 |
rc = CKR_KEY_TYPE_INCONSISTENT;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
/* Note: It was previously believed that pkcs#11 did not
|
|
Packit |
8681c6 |
* support hmac multipart. As a result, those tokens using the
|
|
Packit |
8681c6 |
* locally implemented hmac helper functions do not support
|
|
Packit |
8681c6 |
* multipart hmac.
|
|
Packit |
8681c6 |
*/
|
|
Packit |
8681c6 |
ctx->context_len = 0;
|
|
Packit |
8681c6 |
ctx->context = NULL;
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
case CKM_SHA_1_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA224_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA256_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA384_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_224_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_256_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_224_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_256_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_384_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_512_HMAC:
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != 0) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_KEY_TYPE, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
keytype = *(CK_KEY_TYPE *) attr->pValue;
|
|
Packit |
8681c6 |
if (keytype != CKK_GENERIC_SECRET) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_KEY_TYPE_INCONSISTENT));
|
|
Packit |
8681c6 |
rc = CKR_KEY_TYPE_INCONSISTENT;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// PKCS #11 doesn't allow multi-part HMAC operations
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
ctx->context_len = 0;
|
|
Packit |
8681c6 |
ctx->context = NULL;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
rc = hmac_sign_init(tokdata, sess, mech, key);
|
|
Packit |
8681c6 |
if (rc != CKR_OK) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Failed to initialize hmac.\n");
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
#if !(NOMD2)
|
|
Packit |
8681c6 |
case CKM_MD2_HMAC_GENERAL:
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
case CKM_MD5_HMAC_GENERAL:
|
|
Packit |
8681c6 |
{
|
|
Packit |
8681c6 |
CK_MAC_GENERAL_PARAMS *param =
|
|
Packit |
8681c6 |
(CK_MAC_GENERAL_PARAMS *) mech->pParameter;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != sizeof(CK_MAC_GENERAL_PARAMS)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
#if !(NOMD2)
|
|
Packit |
8681c6 |
if ((mech->mechanism == CKM_MD2_HMAC_GENERAL) && (*param > 16)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if ((mech->mechanism == CKM_MD5_HMAC_GENERAL) && (*param > 16)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_KEY_TYPE,
|
|
Packit |
8681c6 |
&attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
keytype = *(CK_KEY_TYPE *) attr->pValue;
|
|
Packit |
8681c6 |
if (keytype != CKK_GENERIC_SECRET) {
|
|
Packit |
8681c6 |
TRACE_ERROR("A generic secret key is required.\n");
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// PKCS #11 doesn't allow multi-part HMAC operations
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
ctx->context_len = 0;
|
|
Packit |
8681c6 |
ctx->context = NULL;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
case CKM_SHA_1_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA224_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA256_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA384_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_224_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_256_HMAC_GENERAL:
|
|
Packit |
8681c6 |
{
|
|
Packit |
8681c6 |
CK_MAC_GENERAL_PARAMS *param =
|
|
Packit |
8681c6 |
(CK_MAC_GENERAL_PARAMS *) mech->pParameter;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != sizeof(CK_MAC_GENERAL_PARAMS)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if ((mech->mechanism == CKM_SHA_1_HMAC_GENERAL) && (*param > 20)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if ((mech->mechanism == CKM_SHA224_HMAC_GENERAL) && (*param > 28)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if ((mech->mechanism == CKM_SHA256_HMAC_GENERAL) && (*param > 32)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if ((mech->mechanism == CKM_SHA384_HMAC_GENERAL) && (*param > 48)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if ((mech->mechanism == CKM_SHA512_HMAC_GENERAL) && (*param > 64)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if ((mech->mechanism == CKM_SHA512_224_HMAC_GENERAL)
|
|
Packit |
8681c6 |
&& (*param > 28)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if ((mech->mechanism == CKM_SHA512_256_HMAC_GENERAL)
|
|
Packit |
8681c6 |
&& (*param > 32)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_KEY_TYPE,
|
|
Packit |
8681c6 |
&attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
keytype = *(CK_KEY_TYPE *) attr->pValue;
|
|
Packit |
8681c6 |
if (keytype != CKK_GENERIC_SECRET) {
|
|
Packit |
8681c6 |
TRACE_ERROR("A generic secret key is required.\n");
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
/* Note: It was previously believed that pkcs#11 did not
|
|
Packit |
8681c6 |
* support hmac multipart. As a result, those tokens using the
|
|
Packit |
8681c6 |
* locally implemented hmac helper functions do not support
|
|
Packit |
8681c6 |
* multipart hmac.
|
|
Packit |
8681c6 |
*/
|
|
Packit |
8681c6 |
ctx->context_len = 0;
|
|
Packit |
8681c6 |
ctx->context = NULL;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
rc = hmac_sign_init(tokdata, sess, mech, key);
|
|
Packit |
8681c6 |
if (rc != CKR_OK) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Failed to initialize hmac.\n");
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
case CKM_SSL3_MD5_MAC:
|
|
Packit |
8681c6 |
case CKM_SSL3_SHA1_MAC:
|
|
Packit |
8681c6 |
{
|
|
Packit |
8681c6 |
CK_MAC_GENERAL_PARAMS *param =
|
|
Packit |
8681c6 |
(CK_MAC_GENERAL_PARAMS *) mech->pParameter;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != sizeof(CK_MAC_GENERAL_PARAMS)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
// FIXME - Netscape sets the parameter == 16. PKCS #11 limit is 8
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
if (mech->mechanism == CKM_SSL3_MD5_MAC) {
|
|
Packit |
8681c6 |
if (*param < 4 || *param > 16) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->mechanism == CKM_SSL3_SHA1_MAC) {
|
|
Packit |
8681c6 |
if (*param < 4 || *param > 20) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
rc = template_attribute_find(key_obj->template, CKA_CLASS, &attr);
|
|
Packit |
8681c6 |
if (rc == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Could not find CKA_CLASS for the key.\n");
|
|
Packit |
8681c6 |
rc = CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
class = *(CK_OBJECT_CLASS *) attr->pValue;
|
|
Packit |
8681c6 |
if (class != CKO_SECRET_KEY) {
|
|
Packit |
8681c6 |
TRACE_ERROR("This operation requires a secret key.\n");
|
|
Packit |
8681c6 |
rc = CKR_KEY_FUNCTION_NOT_PERMITTED;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
ctx->context_len = sizeof(SSL3_MAC_CONTEXT);
|
|
Packit |
8681c6 |
ctx->context = (CK_BYTE *) malloc(sizeof(SSL3_MAC_CONTEXT));
|
|
Packit |
8681c6 |
if (!ctx->context) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
|
Packit |
8681c6 |
rc = CKR_HOST_MEMORY;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
memset(ctx->context, 0x0, sizeof(SSL3_MAC_CONTEXT));
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
case CKM_DES3_MAC:
|
|
Packit |
8681c6 |
case CKM_DES3_MAC_GENERAL:
|
|
Packit |
8681c6 |
if (mech->pParameter) {
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != sizeof(CK_MAC_GENERAL_PARAMS)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_MAC_GENERAL_PARAMS *param =
|
|
Packit |
8681c6 |
(CK_MAC_GENERAL_PARAMS *) mech->pParameter;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->mechanism == CKM_DES3_MAC_GENERAL) {
|
|
Packit |
8681c6 |
if (*param < 1 || *param > DES_BLOCK_SIZE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
/* CKM_DES3_MAC should not have params */
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
ctx->context = (CK_BYTE *) malloc(sizeof(DES_DATA_CONTEXT));
|
|
Packit |
8681c6 |
ctx->context_len = sizeof(DES_DATA_CONTEXT);
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (!ctx->context) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
|
Packit |
8681c6 |
rc = CKR_HOST_MEMORY;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
memset(ctx->context, 0x0, sizeof(DES_DATA_CONTEXT));
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
case CKM_DES3_CMAC:
|
|
Packit |
8681c6 |
case CKM_DES3_CMAC_GENERAL:
|
|
Packit |
8681c6 |
if (mech->pParameter) {
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != sizeof(CK_MAC_GENERAL_PARAMS)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_MAC_GENERAL_PARAMS *param =
|
|
Packit |
8681c6 |
(CK_MAC_GENERAL_PARAMS *) mech->pParameter;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->mechanism == CKM_DES3_CMAC_GENERAL) {
|
|
Packit |
8681c6 |
if (*param < 1 || *param > DES_BLOCK_SIZE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
/* CKM_DES3_CMAC should not have params */
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
ctx->context = (CK_BYTE *) malloc(sizeof(DES_CMAC_CONTEXT));
|
|
Packit |
8681c6 |
ctx->context_len = sizeof(DES_CMAC_CONTEXT);
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (!ctx->context) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
|
Packit |
8681c6 |
rc = CKR_HOST_MEMORY;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
memset(ctx->context, 0x0, sizeof(DES_CMAC_CONTEXT));
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
case CKM_AES_MAC:
|
|
Packit |
8681c6 |
case CKM_AES_MAC_GENERAL:
|
|
Packit |
8681c6 |
if (mech->pParameter) {
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != sizeof(CK_MAC_GENERAL_PARAMS)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_MAC_GENERAL_PARAMS *param =
|
|
Packit |
8681c6 |
(CK_MAC_GENERAL_PARAMS *) mech->pParameter;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->mechanism == CKM_AES_MAC_GENERAL) {
|
|
Packit |
8681c6 |
if (*param < 1 || *param > AES_BLOCK_SIZE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
/* CKM_AES_MAC should not have params */
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
ctx->context = (CK_BYTE *) malloc(sizeof(AES_DATA_CONTEXT));
|
|
Packit |
8681c6 |
ctx->context_len = sizeof(AES_DATA_CONTEXT);
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (!ctx->context) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
|
Packit |
8681c6 |
rc = CKR_HOST_MEMORY;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
memset(ctx->context, 0x0, sizeof(AES_DATA_CONTEXT));
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
case CKM_AES_CMAC:
|
|
Packit |
8681c6 |
case CKM_AES_CMAC_GENERAL:
|
|
Packit |
8681c6 |
if (mech->pParameter) {
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->ulParameterLen != sizeof(CK_MAC_GENERAL_PARAMS)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_MAC_GENERAL_PARAMS *param =
|
|
Packit |
8681c6 |
(CK_MAC_GENERAL_PARAMS *) mech->pParameter;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->mechanism == CKM_AES_CMAC_GENERAL) {
|
|
Packit |
8681c6 |
if (*param < 1 || *param > AES_BLOCK_SIZE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
} else {
|
|
Packit |
8681c6 |
/* CKM_AES_CMAC should not have params */
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_PARAM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
ctx->context = (CK_BYTE *) malloc(sizeof(AES_CMAC_CONTEXT));
|
|
Packit |
8681c6 |
ctx->context_len = sizeof(AES_CMAC_CONTEXT);
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (!ctx->context) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
|
Packit |
8681c6 |
rc = CKR_HOST_MEMORY;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
memset(ctx->context, 0x0, sizeof(AES_CMAC_CONTEXT));
|
|
Packit |
8681c6 |
break;
|
|
Packit |
8681c6 |
default:
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID));
|
|
Packit |
8681c6 |
rc = CKR_MECHANISM_INVALID;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (mech->ulParameterLen > 0 && mech->pParameter != NULL) {
|
|
Packit |
8681c6 |
ptr = (CK_BYTE *) malloc(mech->ulParameterLen);
|
|
Packit |
8681c6 |
if (!ptr) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
|
Packit |
8681c6 |
rc = CKR_HOST_MEMORY;
|
|
Packit |
8681c6 |
goto done;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
memcpy(ptr, mech->pParameter, mech->ulParameterLen);
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
ctx->key = key;
|
|
Packit |
8681c6 |
ctx->mech.ulParameterLen = mech->ulParameterLen;
|
|
Packit |
8681c6 |
ctx->mech.mechanism = mech->mechanism;
|
|
Packit |
8681c6 |
ctx->mech.pParameter = ptr;
|
|
Packit |
8681c6 |
ctx->multi_init = FALSE;
|
|
Packit |
8681c6 |
ctx->multi = FALSE;
|
|
Packit |
8681c6 |
ctx->active = TRUE;
|
|
Packit |
8681c6 |
ctx->recover = recover_mode;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
rc = CKR_OK;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
done:
|
|
Packit |
8681c6 |
object_put(tokdata, key_obj, TRUE);
|
|
Packit |
8681c6 |
key_obj = NULL;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
return rc;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
CK_RV sign_mgr_cleanup(SIGN_VERIFY_CONTEXT *ctx)
|
|
Packit |
8681c6 |
{
|
|
Packit |
8681c6 |
if (!ctx) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Invalid function argument.\n");
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
ctx->key = 0;
|
|
Packit |
8681c6 |
ctx->mech.ulParameterLen = 0;
|
|
Packit |
8681c6 |
ctx->mech.mechanism = 0;
|
|
Packit |
8681c6 |
ctx->multi_init = FALSE;
|
|
Packit |
8681c6 |
ctx->multi = FALSE;
|
|
Packit |
8681c6 |
ctx->active = FALSE;
|
|
Packit |
8681c6 |
ctx->init_pending = FALSE;
|
|
Packit |
8681c6 |
ctx->recover = FALSE;
|
|
Packit |
8681c6 |
ctx->context_len = 0;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (ctx->mech.pParameter) {
|
|
Packit |
8681c6 |
free(ctx->mech.pParameter);
|
|
Packit |
8681c6 |
ctx->mech.pParameter = NULL;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (ctx->context) {
|
|
Packit |
8681c6 |
free(ctx->context);
|
|
Packit |
8681c6 |
ctx->context = NULL;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
return CKR_OK;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
CK_RV sign_mgr_sign(STDLL_TokData_t *tokdata,
|
|
Packit |
8681c6 |
SESSION *sess,
|
|
Packit |
8681c6 |
CK_BBOOL length_only,
|
|
Packit |
8681c6 |
SIGN_VERIFY_CONTEXT *ctx,
|
|
Packit |
8681c6 |
CK_BYTE *in_data,
|
|
Packit |
8681c6 |
CK_ULONG in_data_len,
|
|
Packit |
8681c6 |
CK_BYTE *out_data, CK_ULONG *out_data_len)
|
|
Packit |
8681c6 |
{
|
|
Packit |
8681c6 |
if (!sess || !ctx) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Invalid function arguments.\n");
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->active == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
|
|
Packit |
8681c6 |
return CKR_OPERATION_NOT_INITIALIZED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->recover == TRUE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
|
|
Packit |
8681c6 |
return CKR_OPERATION_NOT_INITIALIZED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->multi_init == FALSE) {
|
|
Packit |
8681c6 |
ctx->multi = FALSE;
|
|
Packit |
8681c6 |
ctx->multi_init = TRUE;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// if the caller just wants the signature length, there is no reason to
|
|
Packit |
8681c6 |
// specify the input data. I just need the input data length
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
if ((length_only == FALSE) && (!in_data || !out_data)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->multi == TRUE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_ACTIVE));
|
|
Packit |
8681c6 |
return CKR_OPERATION_ACTIVE;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
switch (ctx->mech.mechanism) {
|
|
Packit |
8681c6 |
case CKM_RSA_PKCS:
|
|
Packit |
8681c6 |
return rsa_pkcs_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_RSA_X_509:
|
|
Packit |
8681c6 |
return rsa_x509_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
return rsa_pss_sign(tokdata, sess, length_only, ctx, in_data,
|
|
Packit |
8681c6 |
in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
#if !(NOMD2)
|
|
Packit |
8681c6 |
case CKM_MD2_RSA_PKCS:
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
case CKM_MD5_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA1_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA224_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA256_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA384_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA512_RSA_PKCS:
|
|
Packit |
8681c6 |
return rsa_hash_pkcs_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_SHA1_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA224_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA256_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA384_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA512_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
return rsa_hash_pss_sign(tokdata, sess, length_only, ctx, in_data,
|
|
Packit |
8681c6 |
in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
#if !(NODSA)
|
|
Packit |
8681c6 |
case CKM_DSA:
|
|
Packit |
8681c6 |
return dsa_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
#if !(NOMD2)
|
|
Packit |
8681c6 |
case CKM_MD2_HMAC:
|
|
Packit |
8681c6 |
case CKM_MD2_HMAC_GENERAL:
|
|
Packit |
8681c6 |
return md2_hmac_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
case CKM_MD5_HMAC:
|
|
Packit |
8681c6 |
case CKM_MD5_HMAC_GENERAL:
|
|
Packit |
8681c6 |
return md5_hmac_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_SHA_1_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA_1_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA224_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA224_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA256_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA256_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA384_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA384_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_224_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_224_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_256_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_256_HMAC_GENERAL:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_224_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_256_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_384_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_512_HMAC:
|
|
Packit Service |
8aa27d |
return sha_hmac_sign(tokdata, sess, length_only, ctx,
|
|
Packit Service |
8aa27d |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_SSL3_MD5_MAC:
|
|
Packit |
8681c6 |
case CKM_SSL3_SHA1_MAC:
|
|
Packit |
8681c6 |
return ssl3_mac_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA1:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA224:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA256:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA384:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA512:
|
|
Packit |
8681c6 |
return ec_hash_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_ECDSA:
|
|
Packit |
8681c6 |
return ec_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_DES3_MAC:
|
|
Packit |
8681c6 |
case CKM_DES3_MAC_GENERAL:
|
|
Packit |
8681c6 |
return des3_mac_sign(tokdata, sess, length_only, ctx, in_data,
|
|
Packit |
8681c6 |
in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_DES3_CMAC:
|
|
Packit |
8681c6 |
case CKM_DES3_CMAC_GENERAL:
|
|
Packit |
8681c6 |
return des3_cmac_sign(tokdata, sess, length_only, ctx, in_data,
|
|
Packit |
8681c6 |
in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_AES_MAC:
|
|
Packit |
8681c6 |
case CKM_AES_MAC_GENERAL:
|
|
Packit |
8681c6 |
return aes_mac_sign(tokdata, sess, length_only, ctx, in_data,
|
|
Packit |
8681c6 |
in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_AES_CMAC:
|
|
Packit |
8681c6 |
case CKM_AES_CMAC_GENERAL:
|
|
Packit |
8681c6 |
return aes_cmac_sign(tokdata, sess, length_only, ctx, in_data,
|
|
Packit |
8681c6 |
in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
default:
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID));
|
|
Packit |
8681c6 |
return CKR_MECHANISM_INVALID;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
TRACE_DEVEL("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
CK_RV sign_mgr_sign_update(STDLL_TokData_t *tokdata,
|
|
Packit |
8681c6 |
SESSION *sess,
|
|
Packit |
8681c6 |
SIGN_VERIFY_CONTEXT *ctx,
|
|
Packit |
8681c6 |
CK_BYTE *in_data, CK_ULONG in_data_len)
|
|
Packit |
8681c6 |
{
|
|
Packit |
8681c6 |
if (!sess || !ctx) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Invalid function arguments.\n");
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
if (ctx->active == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
|
|
Packit |
8681c6 |
return CKR_OPERATION_NOT_INITIALIZED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->recover == TRUE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
|
|
Packit |
8681c6 |
return CKR_OPERATION_NOT_INITIALIZED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->multi_init == FALSE) {
|
|
Packit |
8681c6 |
ctx->multi = TRUE;
|
|
Packit |
8681c6 |
ctx->multi_init = TRUE;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->multi == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_ACTIVE));
|
|
Packit |
8681c6 |
return CKR_OPERATION_ACTIVE;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
switch (ctx->mech.mechanism) {
|
|
Packit |
8681c6 |
#if !(NOMD2)
|
|
Packit |
8681c6 |
case CKM_MD2_RSA_PKCS:
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
case CKM_MD5_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA1_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA224_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA256_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA384_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA512_RSA_PKCS:
|
|
Packit |
8681c6 |
return rsa_hash_pkcs_sign_update(tokdata, sess, ctx, in_data,
|
|
Packit |
8681c6 |
in_data_len);
|
|
Packit |
8681c6 |
case CKM_SHA1_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA224_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA256_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA384_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA512_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
return rsa_hash_pss_update(tokdata, sess, ctx, in_data, in_data_len);
|
|
Packit |
8681c6 |
case CKM_SSL3_MD5_MAC:
|
|
Packit |
8681c6 |
case CKM_SSL3_SHA1_MAC:
|
|
Packit |
8681c6 |
return ssl3_mac_sign_update(tokdata, sess, ctx, in_data, in_data_len);
|
|
Packit |
8681c6 |
case CKM_DES3_MAC:
|
|
Packit |
8681c6 |
case CKM_DES3_MAC_GENERAL:
|
|
Packit |
8681c6 |
return des3_mac_sign_update(tokdata, sess, ctx, in_data, in_data_len);
|
|
Packit |
8681c6 |
case CKM_DES3_CMAC:
|
|
Packit |
8681c6 |
case CKM_DES3_CMAC_GENERAL:
|
|
Packit |
8681c6 |
return des3_cmac_sign_update(tokdata, sess, ctx, in_data, in_data_len);
|
|
Packit |
8681c6 |
case CKM_AES_MAC:
|
|
Packit |
8681c6 |
case CKM_AES_MAC_GENERAL:
|
|
Packit |
8681c6 |
return aes_mac_sign_update(tokdata, sess, ctx, in_data, in_data_len);
|
|
Packit |
8681c6 |
case CKM_AES_CMAC:
|
|
Packit |
8681c6 |
case CKM_AES_CMAC_GENERAL:
|
|
Packit |
8681c6 |
return aes_cmac_sign_update(tokdata, sess, ctx, in_data, in_data_len);
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA1:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA224:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA256:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA384:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA512:
|
|
Packit |
8681c6 |
return ec_hash_sign_update(tokdata, sess, ctx, in_data, in_data_len);
|
|
Packit |
8681c6 |
case CKM_SHA_1_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA224_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA256_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA384_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_224_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_256_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA_1_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA224_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA256_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA384_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_224_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_256_HMAC_GENERAL:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_224_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_256_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_384_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_512_HMAC:
|
|
Packit |
8681c6 |
return hmac_sign_update(tokdata, sess, in_data, in_data_len);
|
|
Packit |
8681c6 |
default:
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID));
|
|
Packit |
8681c6 |
return CKR_MECHANISM_INVALID;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
TRACE_DEVEL("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
CK_RV sign_mgr_sign_final(STDLL_TokData_t *tokdata,
|
|
Packit |
8681c6 |
SESSION *sess,
|
|
Packit |
8681c6 |
CK_BBOOL length_only,
|
|
Packit |
8681c6 |
SIGN_VERIFY_CONTEXT *ctx,
|
|
Packit |
8681c6 |
CK_BYTE *signature, CK_ULONG *sig_len)
|
|
Packit |
8681c6 |
{
|
|
Packit |
8681c6 |
if (!sess || !ctx) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Invalid function arguments.\n");
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->active == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
|
|
Packit |
8681c6 |
return CKR_OPERATION_NOT_INITIALIZED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->recover == TRUE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
|
|
Packit |
8681c6 |
return CKR_OPERATION_NOT_INITIALIZED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->multi_init == FALSE) {
|
|
Packit |
8681c6 |
ctx->multi = TRUE;
|
|
Packit |
8681c6 |
ctx->multi_init = TRUE;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->multi == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_ACTIVE));
|
|
Packit |
8681c6 |
return CKR_OPERATION_ACTIVE;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
switch (ctx->mech.mechanism) {
|
|
Packit |
8681c6 |
#if !(NOMD2)
|
|
Packit |
8681c6 |
case CKM_MD2_RSA_PKCS:
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
case CKM_MD5_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA1_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA224_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA256_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA384_RSA_PKCS:
|
|
Packit |
8681c6 |
case CKM_SHA512_RSA_PKCS:
|
|
Packit |
8681c6 |
return rsa_hash_pkcs_sign_final(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
signature, sig_len);
|
|
Packit |
8681c6 |
case CKM_SHA1_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA224_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA256_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA384_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
case CKM_SHA512_RSA_PKCS_PSS:
|
|
Packit |
8681c6 |
return rsa_hash_pss_sign_final(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
signature, sig_len);
|
|
Packit |
8681c6 |
case CKM_SSL3_MD5_MAC:
|
|
Packit |
8681c6 |
case CKM_SSL3_SHA1_MAC:
|
|
Packit |
8681c6 |
return ssl3_mac_sign_final(tokdata, sess, length_only, ctx, signature,
|
|
Packit |
8681c6 |
sig_len);
|
|
Packit |
8681c6 |
case CKM_DES3_MAC:
|
|
Packit |
8681c6 |
case CKM_DES3_MAC_GENERAL:
|
|
Packit |
8681c6 |
return des3_mac_sign_final(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
signature, sig_len);
|
|
Packit |
8681c6 |
case CKM_DES3_CMAC:
|
|
Packit |
8681c6 |
case CKM_DES3_CMAC_GENERAL:
|
|
Packit |
8681c6 |
return des3_cmac_sign_final(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
signature, sig_len);
|
|
Packit |
8681c6 |
case CKM_AES_MAC:
|
|
Packit |
8681c6 |
case CKM_AES_MAC_GENERAL:
|
|
Packit |
8681c6 |
return aes_mac_sign_final(tokdata, sess, length_only, ctx, signature,
|
|
Packit |
8681c6 |
sig_len);
|
|
Packit |
8681c6 |
case CKM_AES_CMAC:
|
|
Packit |
8681c6 |
case CKM_AES_CMAC_GENERAL:
|
|
Packit |
8681c6 |
return aes_cmac_sign_final(tokdata, sess, length_only, ctx, signature,
|
|
Packit |
8681c6 |
sig_len);
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA1:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA224:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA256:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA384:
|
|
Packit |
8681c6 |
case CKM_ECDSA_SHA512:
|
|
Packit |
8681c6 |
return ec_hash_sign_final(tokdata, sess, length_only, ctx, signature,
|
|
Packit |
8681c6 |
sig_len);
|
|
Packit |
8681c6 |
case CKM_SHA_1_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA224_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA256_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA384_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_224_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA512_256_HMAC:
|
|
Packit |
8681c6 |
case CKM_SHA_1_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA224_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA256_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA384_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_224_HMAC_GENERAL:
|
|
Packit |
8681c6 |
case CKM_SHA512_256_HMAC_GENERAL:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_224_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_256_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_384_HMAC:
|
|
Packit Service |
8aa27d |
case CKM_IBM_SHA3_512_HMAC:
|
|
Packit |
8681c6 |
return hmac_sign_final(tokdata, sess, signature, sig_len);
|
|
Packit |
8681c6 |
default:
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID));
|
|
Packit |
8681c6 |
return CKR_MECHANISM_INVALID;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
TRACE_DEVEL("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
CK_RV sign_mgr_sign_recover(STDLL_TokData_t *tokdata,
|
|
Packit |
8681c6 |
SESSION *sess,
|
|
Packit |
8681c6 |
CK_BBOOL length_only,
|
|
Packit |
8681c6 |
SIGN_VERIFY_CONTEXT *ctx,
|
|
Packit |
8681c6 |
CK_BYTE *in_data,
|
|
Packit |
8681c6 |
CK_ULONG in_data_len,
|
|
Packit |
8681c6 |
CK_BYTE *out_data, CK_ULONG *out_data_len)
|
|
Packit |
8681c6 |
{
|
|
Packit |
8681c6 |
if (!sess || !ctx) {
|
|
Packit |
8681c6 |
TRACE_ERROR("Invalid function arguments.\n");
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->active == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
|
|
Packit |
8681c6 |
return CKR_OPERATION_NOT_INITIALIZED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->recover == FALSE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
|
|
Packit |
8681c6 |
return CKR_OPERATION_NOT_INITIALIZED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
// if the caller just wants the signature length, there is no reason to
|
|
Packit |
8681c6 |
// specify the input data. I just need the input data length
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
if ((length_only == FALSE) && (!in_data || !out_data)) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
if (ctx->multi == TRUE) {
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_ACTIVE));
|
|
Packit |
8681c6 |
return CKR_OPERATION_ACTIVE;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
switch (ctx->mech.mechanism) {
|
|
Packit |
8681c6 |
case CKM_RSA_PKCS:
|
|
Packit |
8681c6 |
// we can use the same sign mechanism to do sign-recover
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
return rsa_pkcs_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
case CKM_RSA_X_509:
|
|
Packit |
8681c6 |
return rsa_x509_sign(tokdata, sess, length_only, ctx,
|
|
Packit |
8681c6 |
in_data, in_data_len, out_data, out_data_len);
|
|
Packit |
8681c6 |
default:
|
|
Packit |
8681c6 |
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID));
|
|
Packit |
8681c6 |
return CKR_MECHANISM_INVALID;
|
|
Packit |
8681c6 |
}
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
TRACE_DEVEL("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
return CKR_FUNCTION_FAILED;
|
|
Packit |
8681c6 |
}
|