/*

 * COPYRIGHT (c) International Business Machines Corp. 2005-2017

 *

 * This program is provided under the terms of the Common Public License,

 * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this

 * software constitutes recipient's acceptance of CPL-1.0 terms which can be

 * found in the file LICENSE file or at

 * https://opensource.org/licenses/cpl1.0.php

 */

/*

 * tpm_specific.c

 *

 * Feb 10, 2005

 *

 * Author: Kent Yoder <yoder1@us.ibm.com>

 *

 * Encryption routines are based on ../soft_stdll/soft_specific.c.

 *

 */

#define _GNU_SOURCE

#include <stdio.h>

#include <pthread.h>

#include <string.h>

#include <stdlib.h>

#include <sys/types.h>

#include <sys/stat.h>

#include <fcntl.h>

#include <unistd.h>

#include <errno.h>

#include <pwd.h>

#include <syslog.h>

#include <grp.h>

#include <openssl/des.h>

#include <openssl/rand.h>

#include <openssl/rsa.h>

#include <openssl/aes.h>

#include <openssl/evp.h>

#include <tss/platform.h>

#include <tss/tss_defines.h>

#include <tss/tss_typedef.h>

#include <tss/tss_structs.h>

#include <tss/tss_error.h>

#include <tss/tspi.h>

#include "pkcs11types.h"

#include "stdll.h"

#include "defs.h"

#include "host_defs.h"

#include "h_extern.h"

#include "tok_specific.h"

#include "tok_spec_struct.h"

#include "tok_struct.h"

#include "trace.h"

#include "ock_syslog.h"

#include "tpm_specific.h"

#include "../api/apiproto.h"

typedef struct {

    CK_BYTE master_key_private[MK_SIZE];

    /* The context we'll use globally to connect to the TSP */

    TSS_HCONTEXT tspContext;

    /* TSP key handles */

    TSS_HKEY hSRK;

    TSS_HKEY hPublicRootKey;

    TSS_HKEY hPublicLeafKey;

    TSS_HKEY hPrivateRootKey;

    TSS_HKEY hPrivateLeafKey;

    /* TSP policy handles */

    TSS_HPOLICY hDefaultPolicy;

    /* PKCS#11 key handles */

    CK_OBJECT_HANDLE ckPublicRootKey;

    CK_OBJECT_HANDLE ckPublicLeafKey;

    CK_OBJECT_HANDLE ckPrivateRootKey;

    CK_OBJECT_HANDLE ckPrivateLeafKey;

    int not_initialized;

    CK_BYTE current_user_pin_sha[SHA1_HASH_SIZE];

    CK_BYTE current_so_pin_sha[SHA1_HASH_SIZE];

} tpm_private_data_t;

TSS_RESULT util_set_public_modulus(TSS_HCONTEXT tspContext, TSS_HKEY,

                                  unsigned long, unsigned char *);

const char manuf[] = "IBM";

const char model[] = "TPM";

const char descr[] = "IBM TPM v1.1 token";

const char label[] = "tpmtok";

static const MECH_LIST_ELEMENT tpm_mech_list[] = {

    {CKM_RSA_PKCS_KEY_PAIR_GEN, {512, 2048, CKF_GENERATE_KEY_PAIR}},

    {CKM_DES_KEY_GEN, {0, 0, CKF_GENERATE}},

    {CKM_DES3_KEY_GEN, {0, 0, CKF_GENERATE}},

    {CKM_RSA_PKCS, {512, 2048, CKF_HW | CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP |

                    CKF_UNWRAP | CKF_SIGN | CKF_VERIFY | CKF_SIGN_RECOVER |

                    CKF_VERIFY_RECOVER}},

    {CKM_MD5_RSA_PKCS, {512, 2048, CKF_HW | CKF_SIGN | CKF_VERIFY}},

    {CKM_SHA1_RSA_PKCS, {512, 2048, CKF_HW | CKF_SIGN | CKF_VERIFY}},

    {CKM_DES_ECB, {0, 0, CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP}},

    {CKM_DES_CBC, {0, 0, CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP}},

    {CKM_DES_CBC_PAD,

     {0, 0, CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP}},

    {CKM_DES3_ECB, {0, 0, CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP}},

    {CKM_DES3_CBC, {0, 0, CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP}},

    {CKM_DES3_CBC_PAD,

     {0, 0, CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP}},

    {CKM_SHA_1, {0, 0, CKF_DIGEST}},

    {CKM_SHA_1_HMAC, {0, 0, CKF_SIGN | CKF_VERIFY}},

    {CKM_SHA_1_HMAC_GENERAL, {0, 0, CKF_SIGN | CKF_VERIFY}},

    {CKM_MD5, {0, 0, CKF_DIGEST}},

    {CKM_MD5_HMAC, {0, 0, CKF_SIGN | CKF_VERIFY}},

    {CKM_MD5_HMAC_GENERAL, {0, 0, CKF_SIGN | CKF_VERIFY}},

    {CKM_SSL3_PRE_MASTER_KEY_GEN, {48, 48, CKF_GENERATE}},

    {CKM_SSL3_MASTER_KEY_DERIVE, {48, 48, CKF_DERIVE}},

    {CKM_SSL3_KEY_AND_MAC_DERIVE, {48, 48, CKF_DERIVE}},

    {CKM_SSL3_MD5_MAC, {384, 384, CKF_SIGN | CKF_VERIFY}},

    {CKM_SSL3_SHA1_MAC, {384, 384, CKF_SIGN | CKF_VERIFY}},

    {CKM_AES_KEY_GEN, {16, 32, CKF_GENERATE}},

    {CKM_AES_ECB, {16, 32, CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP}},

    {CKM_AES_CBC, {16, 32, CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP}},

    {CKM_AES_CBC_PAD, {16, 32, CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP |

                       CKF_UNWRAP}},

};

static const CK_ULONG tpm_mech_list_len =

                    (sizeof(tpm_mech_list) / sizeof(MECH_LIST_ELEMENT));

static void clear_internal_structures(STDLL_TokData_t * tokdata)

{

    tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;

    tpm_data->hSRK = NULL_HKEY;

    tpm_data->hPrivateLeafKey = NULL_HKEY;

    tpm_data->hPublicLeafKey = NULL_HKEY;

    tpm_data->hPrivateRootKey = NULL_HKEY;

    tpm_data->hPublicRootKey = NULL_HKEY;

    memset(tpm_data->master_key_private, 0, MK_SIZE);

    memset(tpm_data->current_so_pin_sha, 0, SHA1_HASH_SIZE);

    memset(tpm_data->current_user_pin_sha, 0, SHA1_HASH_SIZE);

}

CK_RV token_specific_rng(STDLL_TokData_t * tokdata, CK_BYTE * output,

                         CK_ULONG bytes)

{

    tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;

    TSS_RESULT rc;

    TSS_HTPM hTPM;

    BYTE *random_bytes = NULL;

    rc = Tspi_Context_GetTpmObject(tpm_data->tspContext, &hTPM);

    if (rc) {

        TRACE_ERROR("Tspi_Context_GetTpmObject: %x\n", rc);

        return CKR_FUNCTION_FAILED;

    }

    rc = Tspi_TPM_GetRandom(hTPM, bytes, &random_bytes);

    if (rc) {

        TRACE_ERROR("Tspi_TPM_GetRandom failed. rc=0x%x\n", rc);

        return CKR_FUNCTION_FAILED;

    }

    memcpy(output, random_bytes, bytes);

    Tspi_Context_FreeMemory(tpm_data->tspContext, random_bytes);

    return CKR_OK;

}

CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,

                          char *conf_name)

{

    tpm_private_data_t *tpm_data;

    TSS_RESULT result;

    char path_buf[PATH_MAX], fname[PATH_MAX];

    struct stat statbuf;

    UNUSED(conf_name);

    TRACE_INFO("tpm %s slot=%lu running\n", __func__, SlotNumber);

    tokdata->mech_list = (MECH_LIST_ELEMENT *)tpm_mech_list;

    tokdata->mech_list_len = tpm_mech_list_len;

    // if the user specific directory doesn't exist, create it

    if (get_pk_dir(tokdata, fname, PATH_MAX) == NULL) {

        TRACE_ERROR("pk_dir buffer overflow\n");

        return CKR_FUNCTION_FAILED;

    }

    if (stat(fname, &statbuf) < 0) {

        if (mkdir(fname, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {

            TRACE_ERROR("mkdir(%s): %s\n", fname, strerror(errno));

            return CKR_FUNCTION_FAILED;

        }

    }

    // now create userdir/TOK_OBJ if it doesn't exist

    if (ock_snprintf(path_buf, PATH_MAX, "%s/%s", fname, PK_LITE_OBJ_DIR) != 0) {

        TRACE_ERROR("userdir/TOK_OBJ path name overflow\n");

        return CKR_FUNCTION_FAILED;

    }

    if (stat(path_buf, &statbuf) < 0) {

        if (mkdir(path_buf, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {

            TRACE_ERROR("mkdir(%s): %s\n", path_buf, strerror(errno));

            return CKR_FUNCTION_FAILED;

        }

    }

    tpm_data = (tpm_private_data_t *)calloc(1, sizeof(tpm_private_data_t));

    tokdata->private_data = tpm_data;

    tpm_data->tspContext = NULL_HCONTEXT;

    clear_internal_structures(tokdata);

    result = Tspi_Context_Create(&tpm_data->tspContext);

    if (result) {

        TRACE_ERROR("Tspi_Context_Create failed. rc=0x%x\n", result);

        return CKR_FUNCTION_FAILED;

    }

    result = Tspi_Context_Connect(tpm_data->tspContext, NULL);

    if (result) {

        TRACE_ERROR("Tspi_Context_Connect failed. rc=0x%x\n", result);

        return CKR_FUNCTION_FAILED;

    }

    result = Tspi_Context_GetDefaultPolicy(tpm_data->tspContext,

                                           &tpm_data->hDefaultPolicy);

    if (result) {

        TRACE_ERROR("Tspi_Context_GetDefaultPolicy failed. rc=0x%x\n", result);

        return CKR_FUNCTION_FAILED;

    }

    OpenSSL_add_all_algorithms();

    return CKR_OK;

}

CK_RV token_find_key(STDLL_TokData_t * tokdata, int key_type,

                     CK_OBJECT_CLASS class, CK_OBJECT_HANDLE * handle)

{

    CK_BYTE *key_id = util_create_id(key_type);

    CK_RV rc = CKR_OK;

    CK_BBOOL true = TRUE;

    CK_ATTRIBUTE tmpl[] = {

        {CKA_ID, key_id, strlen((char *) key_id)},

        {CKA_CLASS, &class, sizeof(class)},

        {CKA_HIDDEN, &true, sizeof(CK_BBOOL)}

    };

    CK_OBJECT_HANDLE hObj;

    CK_ULONG ulObjCount;

    SESSION dummy_sess;

    /* init the dummy session state to something that will find any object on

     * the token */

    memset(&dummy_sess, 0, sizeof(SESSION));

    dummy_sess.session_info.state = CKS_RO_USER_FUNCTIONS;

    rc = object_mgr_find_init(tokdata, &dummy_sess, tmpl, 3);

    if (rc != CKR_OK) {

        goto done;

    }

    /* pulled from SC_FindObjects */

    ulObjCount = MIN(1, (dummy_sess.find_count - dummy_sess.find_idx));

    memcpy(&hObj, dummy_sess.find_list + dummy_sess.find_idx,

           ulObjCount * sizeof(CK_OBJECT_HANDLE));

    dummy_sess.find_idx += ulObjCount;

    if (ulObjCount > 1) {

        TRACE_INFO("More than one matching key found in the store!\n");

        rc = CKR_KEY_NOT_FOUND;

        goto done;

    } else if (ulObjCount < 1) {

        TRACE_INFO("key with ID=\"%s\" not found in the store!\n", key_id);

        rc = CKR_KEY_NOT_FOUND;

        goto done;

    }

    *handle = hObj;

done:

    object_mgr_find_final(&dummy_sess);

    free(key_id);

    return rc;

}

CK_RV token_get_key_blob(STDLL_TokData_t * tokdata, CK_OBJECT_HANDLE ckKey,

                         CK_ULONG * blob_size, CK_BYTE ** ret_blob)

{

    CK_RV rc = CKR_OK;

    CK_BYTE_PTR blob = NULL;

    CK_ATTRIBUTE tmpl[] = {

        {CKA_IBM_OPAQUE, NULL_PTR, 0}

    };

    SESSION dummy_sess;

    /* set up dummy session */

    memset(&dummy_sess, 0, sizeof(SESSION));

    dummy_sess.session_info.state = CKS_RO_USER_FUNCTIONS;

    /* find object the first time to return the size of the buffer needed */

    rc = object_mgr_get_attribute_values(tokdata, &dummy_sess, ckKey, tmpl, 1);

    if (rc != CKR_OK) {

        TRACE_DEVEL("object_mgr_get_attribute_values failed:rc=0x%lx\n", rc);

        goto done;

    }

    blob = malloc(tmpl[0].ulValueLen);

    if (blob == NULL) {

        TRACE_ERROR("malloc %ld bytes failed.\n", tmpl[0].ulValueLen);

        rc = CKR_HOST_MEMORY;

        goto done;

    }

    tmpl[0].pValue = blob;

    /* find object the 2nd time to fill the buffer with data */

    rc = object_mgr_get_attribute_values(tokdata, &dummy_sess, ckKey, tmpl, 1);

    if (rc != CKR_OK) {

        TRACE_DEVEL("object_mgr_get_attribute_values failed:rc=0x%lx\n", rc);

        goto done;

    }

    *ret_blob = blob;

    *blob_size = tmpl[0].ulValueLen;

done:

    return rc;

}

CK_RV token_wrap_sw_key(STDLL_TokData_t * tokdata,

                        int size_n, unsigned char *n, int size_p,

                        unsigned char *p, TSS_HKEY hParentKey,

                        TSS_FLAG initFlags, TSS_HKEY * phKey)

{

    tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;

    TSS_RESULT result;

    TSS_HPOLICY hPolicy;

    TSS_BOOL get_srk_pub_key = TRUE;

    UINT32 key_size;

    key_size = util_get_keysize_flag(size_n * 8);

    if (initFlags == 0) {

        TRACE_ERROR("Invalid key size.\n");

        return CKR_FUNCTION_FAILED;

    }

    /* create the TSS key object */

    result = Tspi_Context_CreateObject(tpm_data->tspContext,

                                       TSS_OBJECT_TYPE_RSAKEY,

                                       TSS_KEY_MIGRATABLE | initFlags |

                                       key_size, phKey);

    if (result != TSS_SUCCESS) {

        TRACE_ERROR("Tspi_Context_CreateObject failed: rc=0x%x\n", result);

        return result;

    }

    result = util_set_public_modulus(tpm_data->tspContext, *phKey, size_n, n);

    if (result != TSS_SUCCESS) {

        TRACE_DEVEL("util_set_public_modulus failed:rc=0x%x\n", result);

        Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);

        *phKey = NULL_HKEY;

        return result;

    }

    /* set the private key data in the TSS object */

    result = Tspi_SetAttribData(*phKey, TSS_TSPATTRIB_KEY_BLOB,

                                TSS_TSPATTRIB_KEYBLOB_PRIVATE_KEY, size_p, p);

    if (result != TSS_SUCCESS) {

        TRACE_ERROR("Tspi_SetAttribData failed: rc=0x%x\n", result);

        Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);

        *phKey = NULL_HKEY;

        return result;

    }

    /* if the parent wrapping key is the SRK, we need to manually pull

     * out the SRK's pub key, which is not stored in persistent storage

     * for privacy reasons */

    if (hParentKey == tpm_data->hSRK && get_srk_pub_key == TRUE) {

        UINT32 pubKeySize;

        BYTE *pubKey;

        result = Tspi_Key_GetPubKey(hParentKey, &pubKeySize, &pubKey);

        if (result != TSS_SUCCESS) {

            if (result == TPM_E_INVALID_KEYHANDLE) {

                OCK_SYSLOG(LOG_WARNING,

                           "Warning: Your TPM is not configured to allow "

                           "reading the public SRK by anyone but the owner. "

                           "Use tpm_restrictsrk -a to allow reading the public "

                           "SRK");

            } else {

                OCK_SYSLOG(LOG_ERR, "Tspi_Key_GetPubKey failed: rc=0x%x",

                           result);

            }

            Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);

            *phKey = NULL_HKEY;

            return result;

        }

        Tspi_Context_FreeMemory(tpm_data->tspContext, pubKey);

        get_srk_pub_key = FALSE;

    }

    result = Tspi_Context_CreateObject(tpm_data->tspContext,

                                       TSS_OBJECT_TYPE_POLICY,

                                       TSS_POLICY_MIGRATION, &hPolicy);

    if (result != TSS_SUCCESS) {

        TRACE_ERROR("Tspi_Context_CreateObject: 0x%x\n", result);

        Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);

        *phKey = NULL_HKEY;

        return result;

    }

    result = Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_NONE, 0, NULL);

    if (result != TSS_SUCCESS) {

        TRACE_ERROR("Tspi_Policy_SetSecret failed. rc=0x%x\n", result);

        Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);

        Tspi_Context_CloseObject(tpm_data->tspContext, hPolicy);

        *phKey = NULL_HKEY;

        return result;

    }

    result = Tspi_Policy_AssignToObject(hPolicy, *phKey);

    if (result != TSS_SUCCESS) {

        TRACE_ERROR("Tspi_Policy_AssignToObject: 0x%x\n", result);

        Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);

        Tspi_Context_CloseObject(tpm_data->tspContext, hPolicy);

        *phKey = NULL_HKEY;

        return result;

    }

    if (TPMTOK_TSS_KEY_TYPE(initFlags) == TSS_KEY_TYPE_LEGACY) {

        result = Tspi_SetAttribUint32(*phKey, TSS_TSPATTRIB_KEY_INFO,

                                      TSS_TSPATTRIB_KEYINFO_ENCSCHEME,

                                      TSS_ES_RSAESPKCSV15);

        if (result) {

            TRACE_ERROR("Tspi_SetAttribUint32 failed. rc=0x%x\n", result);

            Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);

            Tspi_Context_CloseObject(tpm_data->tspContext, hPolicy);

            return result;

        }

        result = Tspi_SetAttribUint32(*phKey, TSS_TSPATTRIB_KEY_INFO,

                                      TSS_TSPATTRIB_KEYINFO_SIGSCHEME,

                                      TSS_SS_RSASSAPKCS1V15_DER);

        if (result) {

            TRACE_ERROR("Tspi_SetAttribUint32 failed. rc=0x%x\n", result);

            Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);

            Tspi_Context_CloseObject(tpm_data->tspContext, hPolicy);

            return result;

        }

    }

    result = Tspi_Key_WrapKey(*phKey, hParentKey, NULL_HPCRS);

    if (result != TSS_SUCCESS) {

        TRACE_ERROR("Tspi_Key_WrapKey failed: rc=0x%x\n", result);

        Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);

        *phKey = NULL_HKEY;

    }

    return result;

}

/*

 * Create a TPM key blob for an imported key. This function is only called when

 * a key is in active use, so any failure should trickle through.

 *

 * Note: The passed Object ckObject must not hold a lock, this function might

 *       need to acquire a WRITE lock on the object!

 */

CK_RV token_wrap_key_object(STDLL_TokData_t * tokdata,

                            CK_OBJECT_HANDLE ckObject, TSS_HKEY hParentKey,

                            TSS_HKEY * phKey)

{

    tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;

    CK_RV rc = CKR_OK;

    CK_ATTRIBUTE *attr = NULL, *new_attr, *prime_attr;

    CK_ULONG class, key_type;

    CK_BBOOL found;

    OBJECT *obj = NULL;

    TSS_RESULT result;

    TSS_FLAG initFlags = 0;

    BYTE *rgbBlob;

    UINT32 ulBlobLen;

    rc = object_mgr_find_in_map1(tokdata, ckObject, &obj, WRITE_LOCK);

    if (rc != CKR_OK) {

        TRACE_DEVEL("object_mgr_find_in_map1 failed. rc=0x%lx\n", rc);

        return rc;

    }

    /* if the object isn't a key, fail */

    found = template_attribute_find(obj->template, CKA_KEY_TYPE, &attr);

    if (found == FALSE) {

        TRACE_ERROR("template_attribute_find(CKA_KEY_TYPE) failed.\n");

        rc = CKR_FUNCTION_FAILED;

        goto done;

    }

    key_type = *((CK_ULONG *) attr->pValue);

    if (key_type != CKK_RSA) {

        TRACE_ERROR("Bad key type!\n");

        rc = CKR_FUNCTION_FAILED;

        goto done;

    }

    found = template_attribute_find(obj->template, CKA_CLASS, &attr);

    if (found == FALSE) {

        TRACE_ERROR("template_attribute_find(CKA_CLASS) failed.\n");

        rc = CKR_FUNCTION_FAILED;

        goto done;

    }

    class = *((CK_ULONG *) attr->pValue);

    if (class == CKO_PRIVATE_KEY) {

        /* In order to create a full TSS key blob using a PKCS#11 private key

         * object, we need one of the two primes, the modulus and the private

         * exponent and we need the public exponent to be correct */

        /* check the least likely attribute to exist first, the primes */

        found = template_attribute_find(obj->template,

                                        CKA_PRIME_1, &prime_attr);

        if (found == FALSE) {

            found = template_attribute_find(obj->template,

                                            CKA_PRIME_2, &prime_attr);

            if (found == FALSE) {

                TRACE_ERROR("Couldn't find prime1 or prime2 of"

                            " key object to wrap\n");

                rc = CKR_TEMPLATE_INCONSISTENT;

                goto done;

            }

        }

        /* Make sure the public exponent is usable */

        if ((util_check_public_exponent(obj->template))) {

            TRACE_ERROR("Invalid public exponent\n");

            rc = CKR_TEMPLATE_INCONSISTENT;

            goto done;

        }

        /* get the modulus */

        found = template_attribute_find(obj->template, CKA_MODULUS, &attr);

        if (found == FALSE) {

            TRACE_ERROR("Couldn't find a required attribute of "

                        "key object\n");

            rc = CKR_FUNCTION_FAILED;

            goto done;

        }

        /* make sure the key size is usable */

        initFlags = util_get_keysize_flag(attr->ulValueLen * 8);

        if (initFlags == 0) {

            TRACE_ERROR("Invalid key size.\n");

            rc = CKR_TEMPLATE_INCONSISTENT;

            goto done;

        }

        /* generate the software based key */

        rc = token_wrap_sw_key(tokdata, (int) attr->ulValueLen, attr->pValue,

                               (int) prime_attr->ulValueLen,

                               prime_attr->pValue,

                               hParentKey,

                               TSS_KEY_TYPE_LEGACY | TSS_KEY_NO_AUTHORIZATION,

                               phKey);

        if (rc != CKR_OK) {

            TRACE_DEVEL("token_wrap_sw_key failed. rc=0x%lu\n", rc);

            goto done;

        }

    } else if (class == CKO_PUBLIC_KEY) {

        /* Make sure the public exponent is usable */

        if ((util_check_public_exponent(obj->template))) {

            TRACE_DEVEL("Invalid public exponent\n");

            rc = CKR_TEMPLATE_INCONSISTENT;

            goto done;

        }

        /* grab the modulus to put into the TSS key object */

        found = template_attribute_find(obj->template, CKA_MODULUS, &attr);

        if (found == FALSE) {

            TRACE_ERROR("Couldn't find a required attribute of "

                        "key object\n");

            rc = CKR_TEMPLATE_INCONSISTENT;

            goto done;

        }

        /* make sure the key size is usable */

        initFlags = util_get_keysize_flag(attr->ulValueLen * 8);

        if (initFlags == 0) {

            TRACE_ERROR("Invalid key size.\n");

            rc = CKR_TEMPLATE_INCONSISTENT;

            goto done;

        }

        initFlags |=

            TSS_KEY_TYPE_LEGACY | TSS_KEY_MIGRATABLE | TSS_KEY_NO_AUTHORIZATION;

        result = Tspi_Context_CreateObject(tpm_data->tspContext,

                                           TSS_OBJECT_TYPE_RSAKEY,

                                           initFlags, phKey);

        if (result) {

            TRACE_ERROR("Tspi_Context_CreateObject failed. " "rc=0x%x\n",

                        result);

            rc = CKR_FUNCTION_FAILED;

            goto done;

        }

        result = util_set_public_modulus(tpm_data->tspContext, *phKey,

                                         attr->ulValueLen, attr->pValue);

        if (result) {

            TRACE_DEVEL("util_set_public_modulus failed: 0x%x\n", result);

            Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);

            *phKey = NULL_HKEY;

            rc = CKR_FUNCTION_FAILED;

            goto done;

        }

    } else {

        TRACE_ERROR("Bad key class!\n");

        rc = CKR_FUNCTION_FAILED;

        goto done;

    }

    /* grab the entire key blob to put into the PKCS#11 object */

    result = Tspi_GetAttribData(*phKey, TSS_TSPATTRIB_KEY_BLOB,

                                TSS_TSPATTRIB_KEYBLOB_BLOB,

                                &ulBlobLen, &rgbBlob);

    if (result) {

        TRACE_ERROR("Tspi_GetAttribData failed with rc: 0x%x\n", result);

        rc = CKR_FUNCTION_FAILED;

        goto done;

    }

    /* insert the key blob into the object */

    rc = build_attribute(CKA_IBM_OPAQUE, rgbBlob, ulBlobLen, &new_attr);

    if (rc != CKR_OK) {

        TRACE_DEVEL("build_atribute failed\n");

        Tspi_Context_FreeMemory(tpm_data->tspContext, rgbBlob);

        goto done;

    }

    template_update_attribute(obj->template, new_attr);

    Tspi_Context_FreeMemory(tpm_data->tspContext, rgbBlob);

    /* if this is a token object, save it with the new attribute so that we

     * don't have to go down this path again */

    if (!object_is_session_object(obj)) {

        rc = XProcLock(tokdata);

        if (rc != CKR_OK) {

            TRACE_ERROR("Failed to get process lock.\n");

            goto done;

        }

        rc = save_token_object(tokdata, obj);

        if (rc != CKR_OK) {

            XProcUnLock(tokdata);

        } else {

            rc = XProcUnLock(tokdata);

            if (rc != CKR_OK) {

                TRACE_ERROR("Failed to release process lock.\n");

                goto done;

            }

        }

    }

done:

    object_put(tokdata, obj, TRUE);

    obj = NULL;

    return rc;

}

/*

 * load a key in the TSS hierarchy from its CK_OBJECT_HANDLE

 *

 * Note: The passed Object ckKey must not hold a lock, this function might

 *       need to acquire a READ or WRITE lock on the object!

 */

CK_RV token_load_key(STDLL_TokData_t * tokdata, CK_OBJECT_HANDLE ckKey,

                     TSS_HKEY hParentKey, CK_CHAR_PTR passHash,

                     TSS_HKEY * phKey)

{

    tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;

    TSS_RESULT result;

    TSS_HPOLICY hPolicy;

    CK_BYTE *blob = NULL;

    CK_ULONG ulBlobSize = 0;

    CK_RV rc;

    rc = token_get_key_blob(tokdata, ckKey, &ulBlobSize, &blob;;

    if (rc != CKR_OK) {

        if (rc != CKR_ATTRIBUTE_TYPE_INVALID) {

            TRACE_DEVEL("token_get_key_blob failed. rc=0x%lx\n", rc);

            return rc;

        }

        /* the key blob wasn't found, so check for a modulus

         * to load */

        TRACE_DEVEL("key blob not found, checking for modulus\n");

        rc = token_wrap_key_object(tokdata, ckKey, hParentKey, phKey);

        if (rc != CKR_OK) {

            TRACE_DEVEL("token_wrap_key_object failed. rc=0x%lx\n", rc);

            return rc;

        }

    }

    if (blob != NULL) {

        /* load the key inside the TSS */

        result = Tspi_Context_LoadKeyByBlob(tpm_data->tspContext,

                                            hParentKey,

                                            ulBlobSize, blob, phKey);

        if (result) {

            TRACE_ERROR("Tspi_Context_LoadKeyByBlob: 0x%x\n", result);

            goto done;

        }

    }

#if 0

    if ((result = Tspi_GetPolicyObject(*phKey, TSS_POLICY_USAGE, &hPolicy))) {

        TRACE_ERROR("Tspi_GetPolicyObject: 0x%x\n", result);

        goto done;

    }

#else

    result = Tspi_Context_CreateObject(tpm_data->tspContext,

                                       TSS_OBJECT_TYPE_POLICY,

                                       TSS_POLICY_USAGE, &hPolicy);

    if (result) {

        TRACE_ERROR("Tspi_Context_CreateObject: 0x%x\n", result);

        goto done;

    }

#endif

    if (passHash == NULL) {

        result = Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_NONE, 0, NULL);

    } else {

        result = Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_SHA1,

                                       SHA1_HASH_SIZE, passHash);

    }

    if (result != TSS_SUCCESS) {

        TRACE_ERROR("Tspi_Policy_SetSecret: 0x%x\n", result);

        goto done;

    }

    result = Tspi_Policy_AssignToObject(hPolicy, *phKey);

    if (result) {

        TRACE_ERROR("Tspi_Policy_AssignToObject: 0x%x\n", result);

        goto done;

    }

done:

    free(blob);

    return result;

}

TSS_RESULT token_load_srk(STDLL_TokData_t * tokdata)

{

    tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;

    TSS_HPOLICY hPolicy;

    TSS_RESULT result;

    TSS_UUID SRK_UUID = TSS_UUID_SRK;

    struct srk_info srk;

    if (tpm_data->hSRK != NULL_HKEY)

        return TSS_SUCCESS;

    /* load the SRK */

    result = Tspi_Context_LoadKeyByUUID(tpm_data->tspContext,

                                        TSS_PS_TYPE_SYSTEM, SRK_UUID,

                                        &tpm_data->hSRK);

    if (result) {

        TRACE_ERROR("Tspi_Context_LoadKeyByUUID failed. rc=0x%x\n", result);

        goto done;

    }

#if 0

    if ((result = Tspi_GetPolicyObject(tpm_data->hSRK, TSS_POLICY_USAGE,

                                       &hPolicy))) {

        TRACE_ERROR("Tspi_GetPolicyObject failed. rc=0x%x\n", result);

        goto done;

    }

#else

    result = Tspi_Context_CreateObject(tpm_data->tspContext,

                                       TSS_OBJECT_TYPE_POLICY,

                                       TSS_POLICY_USAGE, &hPolicy);

    if (result) {

        TRACE_ERROR("Tspi_Context_CreateObject failed. rc=0x%x\n", result);

        goto done;

    }

    result = Tspi_Policy_AssignToObject(hPolicy, tpm_data->hSRK);

    if (result) {

        TRACE_ERROR("Tspi_Policy_AssignToObject failed. rc=0x%x\n", result);

        goto done;

    }

#endif

    /* get the srk info */

    memset(&srk, 0, sizeof(srk));

    if (get_srk_info(&srk))

        return -1;

    result = Tspi_Policy_SetSecret(hPolicy, (TSS_FLAG) srk.mode,

                                   srk.len, (BYTE *) srk.secret);

    if (result)

        TRACE_ERROR("Tspi_Policy_SetSecret failed. rc=0x%x\n", result);

    if (srk.secret)

        free(srk.secret);

done:

    return result;

}

TSS_RESULT token_load_public_root_key(STDLL_TokData_t * tokdata)

{

    tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;

    TSS_RESULT result;

    BYTE *blob;

    CK_ULONG blob_size;

    if (tpm_data->hPublicRootKey != NULL_HKEY)

        return TSS_SUCCESS;

    result = token_load_srk(tokdata);

    if (result) {

        TRACE_DEVEL("token_load_srk failed. rc=0x%x\n", result);

        return result;

    }

    result = token_find_key(tokdata, TPMTOK_PUBLIC_ROOT_KEY,

                            CKO_PRIVATE_KEY, &tpm_data->ckPublicRootKey);

    if (result) {

        TRACE_ERROR("token_find_key failed. rc=0x%x\n", result);

        return CKR_FUNCTION_FAILED;

    }

    result = token_get_key_blob(tokdata, tpm_data->ckPublicRootKey, &blob_size,

                                &blob;;

    if (result) {

        TRACE_DEVEL("token_get_key_blob failed. rc=0x%x\n", result);

        return CKR_FUNCTION_FAILED;

    }

    /* load the Public Root Key */

    result = Tspi_Context_LoadKeyByBlob(tpm_data->tspContext, tpm_data->hSRK,

                                        blob_size, blob,

                                        &tpm_data->hPublicRootKey);

    if (result) {

        TRACE_ERROR("Tspi_Context_LoadKeyByBlob failed. rc=0x%x\n", result);

        free(blob);

        return CKR_FUNCTION_FAILED;

    }

    free(blob);

    return result;

}

TSS_RESULT tss_generate_key(STDLL_TokData_t * tokdata,

                            TSS_FLAG initFlags, BYTE * passHash,

                            TSS_HKEY hParentKey, TSS_HKEY * phKey)

{

    tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;

    TSS_RESULT result;

    TSS_HPOLICY hPolicy, hMigPolicy = 0;

    result = Tspi_Context_CreateObject(tpm_data->tspContext,

                                       TSS_OBJECT_TYPE_RSAKEY,

                                       initFlags, phKey);

    if (result) {

        TRACE_ERROR("Tspi_Context_CreateObject failed. rc=0x%x\n", result);

        return result;

    }

#if 0

    if ((result = Tspi_GetPolicyObject(*phKey, TSS_POLICY_USAGE, &hPolicy))) {

        TRACE_ERROR("Tspi_GetPolicyObject failed. rc=0x%x\n", result);

        Tspi_Context_CloseObject(tpm_data->tspContext, *phKey);