pool/openCryptoki
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 265545 from home:posophe:branches:security

Browse Source 
Update + changes

OBS-URL: https://build.opensuse.org/request/show/265545
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=24
This commit is contained in:
Marcus Meissner 2014-12-18 14:21:44 +00:00 committed by Git OBS Bridge
parent e535e749ba
commit a15255e127
21 changed files with 48 additions and 2621 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
ocki-3.1_01_ep11_makefile.patch
View File

@ -1,42 +0,0 @@
commit f558043c9c7aa2ada4dd9d7548c2c713aea24753
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Date: Fri Feb 7 15:03:48 2014 -0600
ep11: Fixed Makefile to complement common code dependencies
This will fix the side effect that the ep11 token could not
plugged into slot 0, because of unresolved symbols.
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
diff --git a/usr/lib/pkcs11/ep11_stdll/Makefile.am b/usr/lib/pkcs11/ep11_stdll/Makefile.am
index fd940ec..d587fd2 100644
--- a/usr/lib/pkcs11/ep11_stdll/Makefile.am
+++ b/usr/lib/pkcs11/ep11_stdll/Makefile.am
@@ -28,10 +28,15 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = ../common/asn1.c \
../common/loadsave.c \
../common/key.c \
../common/key_mgr.c \
- ../common/mech_md5.c \
+ ../common/mech_des.c \
+ ../common/mech_des3.c \
+ ../common/mech_aes.c \
+ ../common/mech_md5.c \
../common/mech_md2.c \
../common/mech_rng.c \
+ ../common/mech_rsa.c \
../common/mech_sha.c \
+ ../common/mech_ssl3.c \
../common/new_host.c \
../common/obj_mgr.c \
../common/object.c \
@@ -44,8 +49,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = ../common/asn1.c \
../common/log.c \
../common/mech_list.c \
../common/shared_memory.c \
- ../common/attributes.c \
- ../common/sw_crypt.c \
+ ../common/attributes.c \
+ ../common/sw_crypt.c \
ep11_specific.c
noinst_HEADERS = ep11.h

21
ocki-3.1_02_ep11_m_init.patch
View File

@ -1,21 +0,0 @@
commit d564279d2c2913021ca325507d1ce3af3aff078a
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Date: Fri Feb 7 15:08:27 2014 -0600
ep11: switched to official m_init() function based on library change
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index a9a72e4..1a43ccb 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -1281,7 +1281,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
/* for real HW on Z-series, this would open the
* device driver file /dev/zcrypt.
*/
- if (m_add_backend(NULL,0) < 0) {
+ if (m_init() < 0) {
EP11TOK_ELOG(1,"open of the zcrypt device driver failed");
return CKR_DEVICE_ERROR;
}

129
ocki-3.1_03_ock_obj_mgr.patch
View File

@ -1,129 +0,0 @@
commit 099a3a110a733ef3a91c41a88dcd45f15af8a6cd
Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Wed Feb 12 12:06:53 2014 -0600
Scenario: processA creates private token key object and before he can
use it, processB gets it, uses it, and deletes it.
Because opencryptoki was not checking the global token object count,
process B segfaulted when count was zero, thinking there were objects in
shared memory to search.
Also, it was not checking return code of object_mgr_check_shm() in
object_mgr_find_in_map1 to see if anything was found in shm.
And lastly, return correct error code.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
diff --git a/usr/lib/pkcs11/common/obj_mgr.c b/usr/lib/pkcs11/common/obj_mgr.c
index 92c11c2..8d42d9e 100755
--- a/usr/lib/pkcs11/common/obj_mgr.c
+++ b/usr/lib/pkcs11/common/obj_mgr.c
@@ -1340,13 +1340,28 @@ object_mgr_find_in_map1( CK_OBJECT_HANDLE handle,
goto done;
}
-// SAB XXX Fix me.. need to make it more efficient than just looking for the object to be changed
-// set a global flag that contains the ref count to all objects.. if the shm ref count changes, then we update the object
-// if not
-
- XProcLock();
- object_mgr_check_shm( obj );
- XProcUnLock();
+ /* SAB XXX Fix me.. need to make it more efficient than just looking
+ * for the object to be changed. set a global flag that contains the
+ * ref count to all objects.. if the shm ref count changes, then we
+ * update the object. if not
+ */
+
+ /* Note: Each C_Initialize call loads up the public token objects
+ * and build corresponding tree(s). The same for private token objects
+ * upon successful C_Login. Since token objects can be shared, it is
+ * possible another process or session has deleted a token object.
+ * Accounting is done in shm, so check shm to see if object still exists.
+ */
+ if (!object_is_session_object(obj)) {
+ XProcLock();
+ rc = object_mgr_check_shm( obj );
+ XProcUnLock();
+
+ if (rc != CKR_OK) {
+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
+ goto done;
+ }
+ }
*ptr = obj;
done:
@@ -2101,8 +2116,8 @@ object_mgr_del_from_shm( OBJECT *obj )
0, global_shm->num_priv_tok_obj-1,
obj, &index );
if (rc != CKR_OK){
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
- return CKR_FUNCTION_FAILED;
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
+ return rc;
}
// Since the number of objects starts at 1 and index starts at zero, we
// decrement before we get count. This eliminates the need to perform
@@ -2139,8 +2154,8 @@ object_mgr_del_from_shm( OBJECT *obj )
0, global_shm->num_publ_tok_obj-1,
obj, &index );
if (rc != CKR_OK){
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
- return CKR_FUNCTION_FAILED;
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
+ return rc;
}
global_shm->num_publ_tok_obj--;
@@ -2189,25 +2204,36 @@ object_mgr_check_shm( OBJECT *obj )
// the calling routine is responsible for locking the global_shm mutex
//
+ /* first check the object count. If it is 0, then just return. */
priv = object_is_private( obj );
if (priv) {
+
+ if (global_shm->num_priv_tok_obj == 0) {
+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
rc = object_mgr_search_shm_for_obj( global_shm->priv_tok_objs,
0, global_shm->num_priv_tok_obj-1,
obj, &index );
if (rc != CKR_OK){
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
- return CKR_FUNCTION_FAILED;
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
+ return rc;
}
entry = &global_shm->priv_tok_objs[index];
}
else {
+
+ if (global_shm->num_publ_tok_obj == 0) {
+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
rc = object_mgr_search_shm_for_obj( global_shm->publ_tok_objs,
0, global_shm->num_publ_tok_obj-1,
obj, &index );
if (rc != CKR_OK){
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
- return CKR_FUNCTION_FAILED;
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
+ return rc;
}
entry = &global_shm->publ_tok_objs[index];
}
@@ -2256,8 +2282,8 @@ object_mgr_search_shm_for_obj( TOK_OBJ_ENTRY * obj_list,
}
}
}
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
- return CKR_FUNCTION_FAILED;
+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
+ return CKR_OBJECT_HANDLE_INVALID;
}

233
ocki-3.1_04_ep11_opaque2blob_error_handl.patch
View File

@ -1,233 +0,0 @@
commit 9d445b0294b588a834797e4f8c3d6ea3c1b3da2b
Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Wed Feb 12 12:09:14 2014 -0600
ep11's h_opaque_2_blob needs to catch the return code from
object_mgr_find_in_map1 and return it.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 1a43ccb..90d3df1 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -1814,12 +1814,12 @@ CK_RV token_specific_derive_key(SESSION *session, CK_MECHANISM_PTR mech,
memset(&secret_op, 0, sizeof(secret_op));
secret_op.blob_size = blobsize;
- if (h_opaque_2_blob(hBaseKey, &blob, &blob_len) != CKR_OK) {
+ rc = h_opaque_2_blob(hBaseKey, &blob, &blob_len);
+ if (rc != CKR_OK) {
EP11TOK_ELOG(1,"FAIL hBaseKey=0x%lx",hBaseKey);
- return CKR_CANCEL;
+ return rc;
}
-
/* Get the keytype to use when creating the key object */
rc = ep11_get_keytype(attrs, attrs_len, mech, &ktype, &class);
if (rc != CKR_OK) {
@@ -2732,36 +2732,19 @@ CK_RV token_specific_generate_key_pair(SESSION * sess,
private_key_obj->name, public_key_obj, private_key_obj);
}
- /* Keys should be fully constructed,
- * assign object handles and store keys.
- */
- rc = object_mgr_create_final(sess, public_key_obj, phPublicKey);
- if (rc != CKR_OK) {
- OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
- goto error;
- }
-
- rc = object_mgr_create_final(sess, private_key_obj, phPrivateKey);
- if (rc != CKR_OK) {
- OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
- object_mgr_destroy_object(sess, *phPublicKey);
- public_key_obj = NULL;
- goto error;
- }
-
/* copy CKA_CLASS, CKA_KEY_TYPE to private template */
if (template_attribute_find(public_key_obj->template, CKA_CLASS, &attr)) {
rc = build_attribute(attr->type, attr->pValue,
attr->ulValueLen, &n_attr);
if (rc != CKR_OK) {
EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc);
- return rc;
+ goto error;
}
rc = template_update_attribute(private_key_obj->template, n_attr);
if (rc != CKR_OK) {
EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc);
- return rc;
+ goto error;
}
}
@@ -2770,17 +2753,34 @@ CK_RV token_specific_generate_key_pair(SESSION * sess,
attr->ulValueLen, &n_attr);
if (rc != CKR_OK) {
EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc);
- return rc;
+ goto error;
}
rc = template_update_attribute(private_key_obj->template, n_attr);
if (rc != CKR_OK) {
EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc);
- return rc;
+ goto error;
}
}
+ /* Keys should be fully constructed,
+ * assign object handles and store keys.
+ */
+ rc = object_mgr_create_final(sess, public_key_obj, phPublicKey);
+ if (rc != CKR_OK) {
+ OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
+ goto error;
+ }
+
+ rc = object_mgr_create_final(sess, private_key_obj, phPrivateKey);
+ if (rc != CKR_OK) {
+ OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
+ object_mgr_destroy_object(sess, *phPublicKey);
+ public_key_obj = NULL;
+ goto error;
+ }
return rc;
+
error:
if (public_key_obj) object_free(public_key_obj);
if (private_key_obj) object_free(private_key_obj);
@@ -2801,11 +2801,13 @@ static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle,
OBJECT *key_obj;
CK_ATTRIBUTE *attr = NULL;
ep11_opaque *op;
+ CK_RV rc;
/* find the key obj by the key handle */
- if (object_mgr_find_in_map1(handle,&key_obj) != CKR_OK) {
+ rc = object_mgr_find_in_map1(handle,&key_obj);
+ if (rc != CKR_OK) {
EP11TOK_ELOG(1,"key 0x%lx not mapped", handle);
- return CKR_FUNCTION_FAILED;
+ return rc;
}
/* blob already exists */
@@ -2844,30 +2846,31 @@ CK_RV token_specific_sign_init(SESSION *session, CK_MECHANISM *mech,
return CKR_HOST_MEMORY;
}
- if (h_opaque_2_blob(key,&privkey_blob,&blob_len) == CKR_OK) {
- rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l,
- mech, privkey_blob, blob_len, ep11tok_target) ;
+ rc = h_opaque_2_blob(key, &privkey_blob, &blob_len);
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
+ return rc;
+ }
- /* SIGN_VERIFY_CONTEX holds all needed for continuing,
- * also by another adapter (stateless requests)
- */
- ctx->key = key;
- ctx->multi = FALSE;
- ctx->active = TRUE;
- ctx->context = ep11_sign_state;
- ctx->context_len = ep11_sign_state_l;
+ rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l,
+ mech, privkey_blob, blob_len, ep11tok_target) ;
- if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
- } else {
- EP11TOK_LOG(2,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
- }
+ /* SIGN_VERIFY_CONTEX holds all needed for continuing,
+ * also by another adapter (stateless requests)
+ */
+ ctx->key = key;
+ ctx->multi = FALSE;
+ ctx->active = TRUE;
+ ctx->context = ep11_sign_state;
+ ctx->context_len = ep11_sign_state_l;
- return rc;
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
} else {
- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
- return CKR_FUNCTION_FAILED;
+ EP11TOK_LOG(2,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
}
+
+ return rc;
}
@@ -2946,27 +2949,26 @@ CK_RV token_specific_verify_init(SESSION *session, CK_MECHANISM *mech,
return CKR_HOST_MEMORY;
}
- if (h_opaque_2_blob(key,&spki,&spki_len) == CKR_OK) {
- rc = m_VerifyInit(ep11_sign_state, &ep11_sign_state_l, mech,
- spki, spki_len, ep11tok_target);
-
- ctx->key = key;
- ctx->multi = FALSE;
- ctx->active = TRUE;
- ctx->context = ep11_sign_state;
- ctx->context_len = ep11_sign_state_l;
-
- if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
- } else {
- EP11TOK_LOG(2,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
- }
-
+ rc = h_opaque_2_blob(key, &spki, &spki_len);
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
return rc;
+ }
+
+ rc = m_VerifyInit(ep11_sign_state, &ep11_sign_state_l, mech,
+ spki, spki_len, ep11tok_target);
+ ctx->key = key;
+ ctx->multi = FALSE;
+ ctx->active = TRUE;
+ ctx->context = ep11_sign_state;
+ ctx->context_len = ep11_sign_state_l;
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
} else {
- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
- return CKR_FUNCTION_FAILED;
+ EP11TOK_LOG(2,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
}
+
+ return rc;
}
@@ -3169,11 +3171,12 @@ static CK_RV ep11_ende_crypt_init(SESSION *session, CK_MECHANISM_PTR mech,
return CKR_HOST_MEMORY;
}
- if (h_opaque_2_blob(key, &blob, &blob_len) != CKR_OK) {
+ rc = h_opaque_2_blob(key, &blob, &blob_len);
+ if (rc != CKR_OK) {
EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
- return CKR_FUNCTION_FAILED;
+ return rc;
}
-
+
if (op == DECRYPT) {
rc = m_DecryptInit(ep11_state, &ep11_state_l, mech, blob,
blob_len, ep11tok_target);

187
ocki-3.1_05_ep11_readme_update.patch
View File

@ -1,187 +0,0 @@
commit 6589fae1561d1d050b743d3ff5e0b846616664a0
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Date: Wed Feb 12 15:56:46 2014 -0600
EP11: some README updates about usage and restrictions.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
diff --git a/doc/README.ep11_stdll b/doc/README.ep11_stdll
index dedb76c..e972391 100644
--- a/doc/README.ep11_stdll
+++ b/doc/README.ep11_stdll
@@ -3,8 +3,8 @@ EP11 Token
The EP11 token is a token that uses the IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with Enterprise
-PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with
-that firmware load are also called CEXnP adapters for n >= 4.
+PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that
+firmware load are also called CEXnP adapters for n >= 4.
The EP11 token is only supported on the System z architecture and requires a
Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver
@@ -17,14 +17,13 @@ Configuration
-------------
To use the EP11 token a slot entry must be defined in the general opencryptoki
-configuration file that sets the stdll attribute to libpkcs11_epp.so.
+configuration file that sets the stdll attribute to libpkcs11_ep11.so.
A EP11 token specific configuration file must be set up to define the target
-adapters and target adapter domains. The name of the configuration file must
-be defined in the global openCryptoki configuration opencryptoki.conf file
-as part of the token specification using the confname attribute.
-
-E.g. the entry,
+adapters and target adapter domains. The name of the configuration file must be
+defined in the global openCryptoki configuration opencryptoki.conf file as part
+of the token specification using the confname attribute.
+E.g. the entry
slot 4
{
@@ -35,39 +34,39 @@ confname = ep11tok.conf
defines the name of the configuration file of the EP11 token to be
ep11tok.conf. Per default this file is searched in the directory where
openCryptoki searches its global configuration file. This default path can
-be overwritten using the OCK_EP11_TOKEN_DIR environment variable.
-
-EP11 token configuration files defines a list of adapter/domain pairs to
-which the EP11 token sends its cryptographic requests. This list can be
-specified as a white list starting with a line containing the key word
-APQN_WHITELIST followed by one or more lines containing each 2 white space
-separted positive integers followed by a line with the key word END.
-In each of these lines the first integer denotes the adapter number
-and the second integer denotes the domain id. Alternatively the keyword
-APQN_ANY can be used to define that all adapter/domain pairs with EP11
-firmware load that are available to the system shall be used as target
-adapters. An adapter number corresponds to the numerical part xx of an
-adapter id of the form cardxx as displayed by the lszcrypt tool or in
-the sys file system (e.g. in /sys/bus/ap/devices).
-Currently Linux on z only supports a single domain. That domain number
-can be displayed with lszcrypt -b (see the value of ap_domain) or
-alternatively as contents of /sys/bus/ap/ap_domain.
+be overriden using the OCK_EP11_TOKEN_DIR environment variable.
+
+EP11 token configuration files defines a list of adapter/domain pairs to which
+the EP11 token sends its cryptographic requests. This list can be specified as
+a white list starting with a line containing the key word APQN_WHITELIST
+followed by one or more lines containing each two integers (in the range
+of 0 - 255) separated by a white space. The white list is ended with a line
+containing the key word END. In each of lines of the white list the first
+integer denotes the adapter number and the second integer denotes the domain
+id. Alternatively the keyword APQN_ANY can be used to define that all
+adapter/domain pairs with EP11 firmware load that are available to the system
+shall be used as target adapters. An adapter number corresponds to the
+numerical part xx of an adapter id of the form cardxx as displayed by the
+lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices).
+Currently Linux on z only supports a single domain. That domain number can be
+displayed with lszcrypt -b (see the value of ap_domain) or alternatively as
+contents of /sys/bus/ap/ap_domain.
In addition to the target adapter a log level can be defined in the EP11
-configuration file using a line consisting of the key word LOGLEVEL
-followed by an integer between 0 and 9.
+configuration file using a line consisting of the key word LOGLEVEL followed
+by an integer between 0 and 9.
Logging
-------
If a log level greater than 0 is defined in the environment variable
-OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11
-configuration file then log entries are written to a log file
-/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the
-process using the EP11 token.
+OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration
+file then log entries are written to a log file
+/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the process
+using the EP11 token.
-Note, that the handling of EP11 logs is subject to change in future
-releases of opencryptoki.
+Note, that the handling of EP11 logs is subject to change in future releases
+of opencryptoki.
Crypto Express Adapter EP11 Master Key Management
-------------------------------------------------
@@ -77,28 +76,27 @@ object repository (in the TOK_OBJ directory within the EP11 token directory)
become invalid.
The key migration tool pkcsep11_migrate can be used to perform the migration
-of the current EP11 master keys to new master keys. Therefore the
-following steps must be performed:
-
-1) on the Trusted Key Entry console (TKE): submit and commit
-new master keys on the EP11 adapter(s)
-2) on Linux: stop all processes using openCryptoki with the EP11 token
-3) on Linux: back up the token object repository of the EP11 token
-4) on Linux: migrate keys of object repository of EP11 token with
-migration tool. If a failure occurs restore the backed up token
-repository and retry step 4
-5) on the TKE: activate new master keys on the EP11 adapter(s)
-6) on Linux: restart applications using openCryptoki with the EP11 token
+of the current EP11 master keys to new master keys. Therefore the following
+steps must be performed:
+1) On the Trusted Key Entry console (TKE): Submit and commit new master
+keys on the EP11 adapter(s).
+2) On Linux: Stop all processes using openCryptoki with the EP11 token.
+3) On Linux: Back up the token object repository of the EP11 token.
+4) On Linux: Migrate keys of object repository of EP11 token with
+migration tool. If a failure occurs restore the backed up token repository
+and retry step 4.
+5) On the TKE: Activate new master keys on the EP11 adapter(s).
+6) On Linux: Restart applications using openCryptoki with the EP11 token.
Token specifics
---------------
-The EP11 token only supports secure keys (i.e. key wrapped by a master key
-of the Crypto Express adapter). Therefore all keys must have the attribute
-CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define
-a (token specific) default for secure keys the attribute must be explicitly
-provided whenever a secret key is generated, unwrapped or created with
-C_CreateObject. In addition all keys used with the EP11 token are extractable
+The EP11 token only supports secure keys (i.e. key wrapped by a master key of
+the Crypto Express adapter). Therefore all keys must have the attribute
+CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
+(token specific) default for secure keys the attribute must be explicitly
+provided whenever a secret key is generated, unwrapped or build with
+C_CreateObject. In addition all keys used with the EP11 token are extractable.
i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.
When creating keys the default values of the attributes CKA_ENCRYPT,
@@ -108,18 +106,21 @@ Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions.
All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than
or equal to 17.
-See the mechanism list and mechanism info (pkcsconf -m) for supported
-mechanisms together with supported functions and key sizes.
-Note the supported mechanism list is currently fixed and matches the
-most stringent setting of the Crypto Express adapter.
+The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
+according to ANSI X9.31. Therefore in the EP11 token the lengths of the
+RSA primes (p or q) must be a multiple of 128 bits and the length of the
+modulus (CKA_MODULUS_BITS) must be a multiple of 256.
-Temporary Restrictions & Circumventions
----------------------------------------
+The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have
+a length that is a multiple of the block size of DES3 or AES respectively.
-Wrapping 192 bit AES keys with the mechanism CKM_AES_CBC is not supported, use
-CKM_AES_CBC_PAD instead.
+See the mechanism list and mechanism info (pkcsconf -m) for supported
+mechanisms together with supported functions and key sizes. Note the
+supported mechanism list is currently fix and matches the most stringent
+setting of the Crypto Express adapter.
-Importing RAS private keys with C_Unwrap is not supported for key sizes that
-are not a multiple of AES blocksize. No circumvention possible.
+Note, the EP11 coprocessor adapter can be configured to restrict the
+cryptographic capababilities in order for the adapter to comply with specific
+security requirements and regulations. Such restrictions on the adapter impact
+the capabilitiy of the EP11 token.
-CKM_SHA512_HMAC is not supported. No circumvention possible.

110
ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
View File

@ -1,110 +0,0 @@
From 68a30e9bf0e494057a889e06623dd0d8ab95acf7 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Wed, 2 Apr 2014 12:03:53 -0500
Subject: [PATCH 1/6] print_mechanism() ignored bad returncodes from the
called function token_specific_get_mechanism_list(). So
the token init was just running fine but mechanism list
kept empty (eg. because of wrong adapter
configuration). Fixed this and adjusted some of the
related log messages.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 32 +++++++++++++++++++++++--------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 90d3df1..4e3703b 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -1140,17 +1140,27 @@ static CK_RV print_mechanism(void)
CK_ULONG count = 0;
int i;
CK_MECHANISM_INFO m_info;
+ CK_RV rc;
- /* only informational */
- (void) token_specific_get_mechanism_list(list, &count);
+ /* first call is just to fetch the count value */
+ rc = token_specific_get_mechanism_list(list, &count);
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"can't fetch mechanism list.");
+ return rc;
+ }
list = (CK_MECHANISM_TYPE_PTR)malloc(sizeof(CK_MECHANISM_TYPE) * count);
if (!list) {
EP11TOK_ELOG(1,"Memory allocation failed.");
return CKR_HOST_MEMORY;
}
- /* only informational */
- (void) token_specific_get_mechanism_list(list, &count);
+ /* now really fill the list */
+ rc = token_specific_get_mechanism_list(list, &count);
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"can't fetch mechanism list!");
+ free(list);
+ return rc;
+ }
EP11TOK_LOG(2,"EP11 token mechanism list, %lu entries:", count);
for (i = 0; i < count; i++) {
@@ -1170,6 +1180,7 @@ static CK_RV print_mechanism(void)
EP11TOK_LOG(2," %s {%lu,%lu%s}", ep11_get_ckm(list[i]),
m_info.ulMinKeySize, m_info.ulMaxKeySize, strflags);
}
+
free(list);
return CKR_OK;
}
@@ -1295,7 +1306,11 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
}
/* print mechanismlist to log file */
- (void)print_mechanism();
+ rc = print_mechanism();
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"failure on fetching mechanism list rc=0x%lx, maybe wrong config ?", rc);
+ return CKR_GENERAL_ERROR;
+ }
/* create an AES key needed for importing keys
* (encrypt by wrap_key and m_UnwrapKey by wrap key)
@@ -3528,7 +3543,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
rc = m_GetMechanismList(0, pMechanismList, pulCount,
ep11tok_target);
if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"bad rc #1 rc=0x%lx", rc);
+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
return rc;
}
@@ -3543,7 +3558,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
}
rc = m_GetMechanismList(0, mlist, &counter, ep11tok_target);
if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"bad rc #2 rc=0x%lx", rc);
+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
free(mlist);
return rc;
}
@@ -3573,7 +3588,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
*/
rc = m_GetMechanismList(0,mlist,&counter,ep11tok_target);
if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"bad rc #3 rc=0x%lx", rc);
+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
return rc;
}
@@ -3743,6 +3758,7 @@ static int read_adapter_config_file(const char* conf_name)
if (!conf_name) {
/* no conf_name was given, should not happen */
+ EP11TOK_ELOG(1,"no conf_name argument found");
return APQN_FILE_INV_1;
}
--
1.7.12.4

172
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
View File

@ -1,172 +0,0 @@
From 401de8a8b5131c8dea1eade85c00e248198dc916 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Wed, 2 Apr 2014 12:05:12 -0500
Subject: [PATCH 2/6] Fix failure when confname is not given, use default
ep11tok.conf instead.
Slight rework on the way how the ep11 token config file is found:
If env has no OCK_EP11_TOKEN_DIR
if confname is not null, try to use it
if this fails, try ock default config dir + confname
if this fails, try ock default config dir + ep11tok.conf
if OCK_EP11_TOKEN_DIR given then
if confname is not null, try OCK_EP11_TOKEN_DIR + confname
if this fails, try OCK_EP11_TOKEN_DIR + ep11tok.conf
if still unsuccessful then token init will fail.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 85 +++++++++++++++++++------------
1 file changed, 52 insertions(+), 33 deletions(-)
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 4e3703b..0eea8c9 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -993,6 +993,7 @@ static const char* ep11_get_ckm(CK_ULONG mechanism)
static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle,
CK_BYTE **blob, size_t *blob_len);
+#define EP11_DEFAULT_CFG_FILE "ep11tok.conf"
#define EP11_CFG_FILE_SIZE 4096
/* error rc for reading the adapter config file */
@@ -1271,6 +1272,13 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
}
}
EP11TOK_LOG(1,"init running");
+
+ /* read ep11 specific config file with user specified adapter/domain pairs, loglevel, ... */
+ rc = read_adapter_config_file(conf_name);
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"ep11 config file error rc=0x%lx", rc);
+ return CKR_GENERAL_ERROR;
+ }
/* wrap key name */
memset(wrap_key_name, 0, sizeof(wrap_key_name));
@@ -1297,14 +1305,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
return CKR_DEVICE_ERROR;
}
#endif
-
- /* user specified adapter/domain pairs the token is supposed to use */
- rc = read_adapter_config_file(conf_name);
- if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"adapter config file error rc=0x%lx", rc);
- return CKR_GENERAL_ERROR;
- }
-
+
/* print mechanismlist to log file */
rc = print_mechanism();
if (rc != CKR_OK) {
@@ -3753,40 +3754,57 @@ static int read_adapter_config_file(const char* conf_name)
if (ep11_initialized) {
return 0;
}
-
+
memset(fname,0,PATH_MAX);
-
- if (!conf_name) {
- /* no conf_name was given, should not happen */
- EP11TOK_ELOG(1,"no conf_name argument found");
- return APQN_FILE_INV_1;
- }
/* via envrionment variable it is possible to overwrite the
- * config file given in the opencryptoki.conf. Then we use
- * $OCK_EP11_TOKEN_DIR/ock_ep11_token.conf.
+ * directory where the ep11 token config file is searched.
*/
if (conf_dir) {
- snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name);
- ap_fp = fopen(fname,"r");
- }
-
- /* if there was no environment variable or fopen failed, use the
- * default given from opencryptoki.conf via conf_name argument.
- */
- if (!ap_fp) {
- snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name);
- ap_fp = fopen(fname,"r");
+ if (conf_name && strlen(conf_name) > 0) {
+ /* extract filename part from conf_name */
+ for (i=strlen(conf_name)-1; i >= 0 && conf_name[i] != '/'; i--);
+ if (i < strlen(conf_name)-1) {
+ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name+i+1);
+ fname[sizeof(fname)-1] = '\0';
+ ap_fp = fopen(fname,"r");
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
+ }
+ }
+ if (!ap_fp) {
+ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, EP11_DEFAULT_CFG_FILE);
+ fname[sizeof(fname)-1] = '\0';
+ ap_fp = fopen(fname,"r");
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
+ }
+ } else {
+ if (conf_name && strlen(conf_name) > 0) {
+ strncpy(fname, conf_name, sizeof(fname));
+ fname[sizeof(fname)-1] = '\0';
+ ap_fp = fopen(fname,"r");
+ if (!ap_fp) {
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
+ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name);
+ fname[sizeof(fname)-1] = '\0';
+ ap_fp = fopen(fname,"r");
+ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
+ }
+ } else {
+ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, EP11_DEFAULT_CFG_FILE);
+ fname[sizeof(fname)-1] = '\0';
+ ap_fp = fopen(fname,"r");
+ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
+ }
}
-
+
/* now we should really have an open ep11 token config file */
if (!ap_fp) {
EP11TOK_ELOG(1,"no valid EP 11 config file found");
return APQN_FILE_INV_2;
}
-
+
EP11TOK_LOG(2,"EP 11 token config file is '%s'", fname);
-
+
/* read config file line by line,
* ignore empty and # and copy rest into file buf
*/
@@ -3811,13 +3829,13 @@ static int read_adapter_config_file(const char* conf_name)
}
ep11_targets.length = 0;
-
+
for (i=0,j=0,str=filebuf; rc == 0; str=NULL) {
/* strtok tokenizes the string,
* delimiters are newline and whitespace.
*/
token = strtok(str, "\n\t ");
-
+
if (i == 0) {
/* expecting APQN_WHITELIST or APQN_BLACKLIST
* or APQN_ANY or LOGLEVEL or eof.
@@ -3906,7 +3924,8 @@ static int read_adapter_config_file(const char* conf_name)
/* do some checks: */
if (rc == 0) {
if ( !(whitemode || blackmode || anymode)) {
- EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile: APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY");
+ EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile:"
+ " APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY");
rc = APQN_FILE_NO_APQN_MODE;
} else if (whitemode || blackmode) {
/* at least one APQN needs to be defined */
--
1.7.12.4

38
ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
View File

@ -1,38 +0,0 @@
From 2bca1b392214241f84065d7709681c029b43b444 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Mon, 14 Apr 2014 11:48:56 -0500
Subject: [PATCH 3/6] Configure was checking for the ep11 lib and the m_init()
function. As this library will be dynamically loaded at
run time and there is no dependency at build time (but
build will break if ep11 lib is not available) removed
this check.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
configure.in | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/configure.in b/configure.in
index ac41e84..1a1601c 100644
--- a/configure.in
+++ b/configure.in
@@ -372,14 +372,9 @@ if test "x$with_zcrypt" != "xno"; then
])
if test "x$with_zcrypt" != "xno"; then
- AC_CHECK_LIB([ep11], [m_init],
- [with_zcrypt=yes], [
- if test "x$with_zcrypt" != "xcheck"; then
- AC_MSG_ERROR([Build with zcrypt requested but zcrypt libraries couldn't be found])
- fi
- with_zcrypt=no
- ])
+ with_zcrypt=no
fi
+
if test "x$with_zcrypt" = "xno"; then
CFLAGS="$old_cflags"
LIBS="$old_libs"
--
1.7.12.4

35
ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
View File

@ -1,35 +0,0 @@
From 11e808223faa9c334858e38acacf277079264beb Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Mon, 14 Apr 2014 12:02:48 -0500
Subject: [PATCH 4/6] The asm/zcrypt.h header file uses some std int types and
so the stdint.h include statement should occur before
the zcrypt header file.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 0eea8c9..373be5b 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -296,6 +296,7 @@
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
+#include <stdint.h>
#include "pkcs11types.h"
#include "defs.h"
@@ -314,7 +315,6 @@
#include <lber.h>
#include <asm/zcrypt.h>
#include <syslog.h>
-#include <stdint.h>
#include <dlfcn.h>
#include <lber.h>
--
1.7.12.4

144
ocki-3.1_06_0005-Small-reworks.patch
View File

@ -1,144 +0,0 @@
From b0fc36e0e1fd549164a2502213163ce23d2f0138 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Mon, 14 Apr 2014 13:13:11 -0500
Subject: [PATCH 5/6] Small reworks: - Some of the ock testcase c files are
tracked by git as 755. Fixed, c code files should
appear 644 now. - pkcs11 misc_func test improved to
show not just the mechanism number but also the
(preprocessor defined) mechanism name. - misc speed
test rsa encrypt receive buffer increased so the
"buffer size too small" is fixed now. - misc speed test
rsa uses now an exponent value of 17 (0x01,0x00,0x01)
instead of 3 (0x03). Some tokens (eg. ep11) do not
allow such low exponents and reject RSA key
generation.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
---
testcases/misc_tests/speed.c | 14 ++++++++------
testcases/pkcs11/misc_func.c | 3 ++-
2 files changed, 10 insertions(+), 7 deletions(-)
mode change 100755 => 100644 testcases/crypto/aes_func.c
mode change 100755 => 100644 testcases/crypto/des3_func.c
mode change 100755 => 100644 testcases/crypto/des_func.c
mode change 100755 => 100644 testcases/crypto/digest_func.c
mode change 100755 => 100644 testcases/crypto/dsa_func.c
mode change 100755 => 100644 testcases/crypto/rsa_func.c
mode change 100755 => 100644 testcases/crypto/ssl3_func.c
mode change 100755 => 100644 testcases/pkcs11/misc_func.c
mode change 100755 => 100644 testcases/pkcs11/sess_mgmt.c
mode change 100755 => 100644 testcases/pkcs11/sess_perf.c
diff --git a/testcases/crypto/aes_func.c b/testcases/crypto/aes_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/des3_func.c b/testcases/crypto/des3_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/des_func.c b/testcases/crypto/des_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/digest_func.c b/testcases/crypto/digest_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/dsa_func.c b/testcases/crypto/dsa_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/ssl3_func.c b/testcases/crypto/ssl3_func.c
old mode 100755
new mode 100644
diff --git a/testcases/misc_tests/speed.c b/testcases/misc_tests/speed.c
index 102ba72..5df3169 100755
--- a/testcases/misc_tests/speed.c
+++ b/testcases/misc_tests/speed.c
@@ -60,6 +60,7 @@ long speed_process_time(SYSTEMTIME t1, SYSTEMTIME t2)
int do_RSA_PKCS_EncryptDecrypt( void )
{
CK_BYTE data1[100];
+ CK_BYTE data2[200];
CK_BYTE signature[256];
CK_SLOT_ID slot_id;
CK_SESSION_HANDLE session;
@@ -69,14 +70,14 @@ int do_RSA_PKCS_EncryptDecrypt( void )
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_ULONG i;
- CK_ULONG len1, sig_len;
+ CK_ULONG len1, len2, sig_len;
CK_RV rc;
SYSTEMTIME t1, t2;
CK_ULONG diff, min_time, max_time, avg_time;
CK_ULONG bits = 1024;
- CK_BYTE pub_exp[] = { 0x3 };
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
CK_ATTRIBUTE pub_tmpl[] =
{
@@ -190,7 +191,8 @@ int do_RSA_PKCS_EncryptDecrypt( void )
return FALSE;
}
- rc = funcs->C_Decrypt( session, signature,sig_len,data1, &len1 );
+ len2 = sizeof(data2);
+ rc = funcs->C_Decrypt( session, signature, sig_len, data2, &len2 );
if (rc != CKR_OK) {
show_error(" C_Decrypt #1", rc );
return FALSE;
@@ -259,7 +261,7 @@ int do_RSA_KeyGen_2048( void )
{
SYSTEMTIME t1, t2;
CK_ULONG bits = 2048;
- CK_BYTE pub_exp[] = { 0x3 };
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
CK_ATTRIBUTE pub_tmpl[] =
{
@@ -368,7 +370,7 @@ int do_RSA_KeyGen_1024( void )
{
SYSTEMTIME t1, t2;
CK_ULONG bits = 1024;
- CK_BYTE pub_exp[] = { 0x3 };
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
CK_ATTRIBUTE pub_tmpl[] =
{
@@ -468,7 +470,7 @@ int do_RSA_PKCS_SignVerify_1024( void )
CK_ULONG diff, min_time, max_time, avg_time;
CK_ULONG bits = 1024;
- CK_BYTE pub_exp[] = { 0x3 };
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
CK_ATTRIBUTE pub_tmpl[] =
{
diff --git a/testcases/pkcs11/misc_func.c b/testcases/pkcs11/misc_func.c
old mode 100755
new mode 100644
index 8103649..d6619fd
--- a/testcases/pkcs11/misc_func.c
+++ b/testcases/pkcs11/misc_func.c
@@ -602,7 +602,8 @@ CK_RV do_GetMechanismInfo( void )
return rc;
}
- printf(" Mechanism #%ld\n", mech_list[i] );
+ printf(" Mechanism #%ld %s\n", mech_list[i],
+ p11_get_ckm(mech_list[i]) );
printf(" ulMinKeySize: %ld\n", info.ulMinKeySize );
printf(" ulMaxKeySize: %ld\n", info.ulMaxKeySize );
printf(" flags: %p\n", (void *)info.flags );
diff --git a/testcases/pkcs11/sess_mgmt.c b/testcases/pkcs11/sess_mgmt.c
old mode 100755
new mode 100644
diff --git a/testcases/pkcs11/sess_perf.c b/testcases/pkcs11/sess_perf.c
old mode 100755
new mode 100644
--
1.7.12.4

32
ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
View File

@ -1,32 +0,0 @@
From 10f4766cd6782f3d15e42a985cdf909fe4c7762e Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Tue, 15 Apr 2014 13:16:33 -0500
Subject: [PATCH 6/6] The 31 bit build on s390 showed an build error at
initialization of an static long long variable which
gets an address assigned. Fixed and tested on 31 and 64
bit.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 373be5b..5aa890b 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -407,9 +407,9 @@ static ep11_target_t ep11_targets;
/* defined in the makefile, ep11 library can run standalone (without HW card),
crypto algorithms are implemented in software then (no secure key) */
#ifdef EP11_STANDALONE
-unsigned long long ep11tok_target = 0x0000000100000008ull;
+static unsigned long long ep11tok_target = 0x0000000100000008ull;
#else
-unsigned long long ep11tok_target = (unsigned long long) &ep11_targets;
+static void* ep11tok_target = (void*) &ep11_targets;
#endif
/* */
--
1.7.12.4

27
ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
View File

@ -1,27 +0,0 @@
From 5b8d304e050467e4acfd02dcefdcebad0e61c472 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Wed, 30 Apr 2014 11:42:29 -0500
Subject: [PATCH] ep11 is not building because not setting with_zcrypt
correctly.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
configure.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.in b/configure.in
index 1a1601c..66bb329 100644
--- a/configure.in
+++ b/configure.in
@@ -372,7 +372,7 @@ if test "x$with_zcrypt" != "xno"; then
])
if test "x$with_zcrypt" != "xno"; then
- with_zcrypt=no
+ with_zcrypt=yes
fi
if test "x$with_zcrypt" = "xno"; then
--
1.7.12.4

63
ocki-3.1_07_0001-Man-page-corrections.patch
View File

@ -1,63 +0,0 @@
From 417e55a76a3a52dfb22f0055230c74b083d9e3a7 Mon Sep 17 00:00:00 2001
From: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Fri, 29 Aug 2014 12:40:35 -0500
Subject: [PATCH] Man page corrections.
Remove references to obsoleted pk_config_data and pkcs11_startup
in the pkcsslotd man page. Other changes made as necessary.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
---
man/man5/opencryptoki.conf.5.in | 12 +++++++++++-
man/man8/pkcsslotd.8.in | 6 ++----
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/man/man5/opencryptoki.conf.5.in b/man/man5/opencryptoki.conf.5.in
index e13c110..f3aabd1 100644
--- a/man/man5/opencryptoki.conf.5.in
+++ b/man/man5/opencryptoki.conf.5.in
@@ -3,7 +3,7 @@
opencryptoki.conf \- Configuration file for pkcsslotd.
.SH DESCRIPTION
-pkcsslotd uses a configuration file at "@sysconfdir@"/opencryptoki.conf
+pkcsslotd uses a configuration file at @sysconfdir@/opencryptoki/opencryptoki.conf
This is a text file that contains information used to configure
pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to
@@ -51,6 +51,16 @@ Version number of the slot's firmware, if any. The version number is composed
of a major version number (the integer portion of the version) and a
minor version number (the hundredths portion of the version).
.TP
+.BR confname
+If the slot is associated with a token that has its own configuration file,
+this option identifies the name of that configuration file.
+For example, confname=ep11tok.conf
+
+.SH Notes
+The pound sign ('#') is used to indicate a comment.
+Both the comment character and any text after it, up to the end of the line,
+are ignored. The comment character cannot be used inside the brackets of
+slot descriptions, as this will cause a syntax error.
.SH "SEE ALSO"
.PD 0
diff --git a/man/man8/pkcsslotd.8.in b/man/man8/pkcsslotd.8.in
index c5d7280..db113e9 100644
--- a/man/man8/pkcsslotd.8.in
+++ b/man/man8/pkcsslotd.8.in
@@ -29,9 +29,7 @@ manual page for details.
.TP
\fBopencryptoki\fP(7),
.TP
-\fBpkcsconf\fP(1),
-.TP
-\fBpk_config_data\fP(5),
+\fBopencryptoki.conf\fP(5),
.TP
-\fBpkcs11_startup\fP(1).
+\fBpkcsconf\fP(1),
.PD
--
1.8.1.4

783
ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
View File

@ -1,783 +0,0 @@
From afb086ce22bd1ff4d0f1cf0768dfff3c03424096 Mon Sep 17 00:00:00 2001
From: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Thu, 28 Aug 2014 00:36:43 -0500
Subject: [PATCH 1/2] Add a pkcscca tool to help migrate cca private token
objects from v2(encrypted with cca hardware) to v3 (encrypted in software)
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
---
configure.in | 1 +
usr/sbin/Makefile.am | 6 +-
usr/sbin/pkcscca/Makefile.am | 14 +
usr/sbin/pkcscca/pkcscca.c | 661 +++++++++++++++++++++++++++++++++++++++++++
usr/sbin/pkcscca/pkcscca.h | 49 ++++
5 files changed, 730 insertions(+), 1 deletion(-)
create mode 100644 usr/sbin/pkcscca/Makefile.am
create mode 100644 usr/sbin/pkcscca/pkcscca.c
create mode 100644 usr/sbin/pkcscca/pkcscca.h
Index: opencryptoki/configure.in
===================================================================
--- opencryptoki.orig/configure.in
+++ opencryptoki/configure.in
@@ -818,6 +818,7 @@ AC_CONFIG_FILES([Makefile usr/Makefile \
usr/sbin/pkcsslotd/Makefile \
usr/sbin/pkcsconf/Makefile \
usr/sbin/pkcsicsf/Makefile \
+ usr/sbin/pkcscca/Makefile \
usr/sbin/pkcscca_migrate/Makefile \
usr/sbin/pkcsep11_migrate/Makefile \
usr/lib/pkcs11/methods/Makefile \
Index: opencryptoki/usr/sbin/Makefile.am
===================================================================
--- opencryptoki.orig/usr/sbin/Makefile.am
+++ opencryptoki/usr/sbin/Makefile.am
@@ -11,4 +11,8 @@ if ENABLE_PKCSEP11_MIGRATE
PKCSEP11_MIGRATE_DIR = pkcsep11_migrate
endif
-SUBDIRS = pkcsslotd pkcsconf $(PKCSICSF_DIR) $(PKCSCCA_MIGRATE_DIR) $(PKCSEP11_MIGRATE_DIR)
+if ENABLE_CCATOK
+PKCSCCA_DIR = pkcscca
+endif
+
+SUBDIRS = pkcsslotd pkcsconf $(PKCSICSF_DIR) $(PKCSCCA_MIGRATE_DIR) $(PKCSEP11_MIGRATE_DIR) $(PKCSCCA_DIR)
Index: opencryptoki/usr/sbin/pkcscca/Makefile.am
===================================================================
--- /dev/null
+++ opencryptoki/usr/sbin/pkcscca/Makefile.am
@@ -0,0 +1,14 @@
+sbin_PROGRAMS=pkcscca
+
+pkcscca_CFLAGS = -DSTDLL_NAME=\"pkcscca\"
+pkcscca_LDFLAGS = -lcrypto -ldl
+
+# Not all versions of automake observe sbinname_CFLAGS
+AM_CFLAGS = -DSTDLL_NAME=\"pkcscca\"
+
+pkcscca_SOURCES = ../../lib/pkcs11/common/p11util.c \
+ ../../lib/pkcs11/common/sw_crypt.c \
+ ../../lib/pkcs11/common/log.c \
+ pkcscca.c
+
+INCLUDES = -I. -I../../include/pkcs11 -I../../lib/pkcs11/common
Index: opencryptoki/usr/sbin/pkcscca/pkcscca.c
===================================================================
--- /dev/null
+++ opencryptoki/usr/sbin/pkcscca/pkcscca.c
@@ -0,0 +1,661 @@
+/*
+ * Licensed materials - Property of IBM
+ *
+ * pkcscca - A tool for PKCS#11 CCA token.
+ * Currently, only migrates CCA private token objects from CCA cipher
+ * to using a software cipher.
+ *
+ *
+ * Copyright (C) International Business Machines Corp. 2014
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <getopt.h>
+#include <termios.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <linux/limits.h>
+#include <openssl/evp.h>
+#include <pkcs11types.h>
+
+#include "sw_crypt.h"
+#include "pkcscca.h"
+
+void (*CSNBDEC)();
+int v_flag = 0;
+
+int compute_hash(int hash_type, int buf_size, char *buf, char *digest)
+{
+ EVP_MD_CTX md_ctx;
+ unsigned int result_size;
+ int rc;
+
+ switch (hash_type) {
+ case HASH_SHA1:
+ rc = EVP_DigestInit(&md_ctx, EVP_sha1());
+ break;
+ case HASH_MD5:
+ rc = EVP_DigestInit(&md_ctx, EVP_md5());
+ break;
+ default:
+ return -1;
+ break;
+ }
+
+ if (rc != 1) {
+ fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc);
+ return -1;
+ }
+
+ rc = EVP_DigestUpdate(&md_ctx, buf, buf_size);
+ if (rc != 1) {
+ fprintf(stderr, "EVP_DigestUpdate() failed: rc = %d\n", rc);
+ return -1;
+ }
+
+ result_size = EVP_MD_CTX_size(&md_ctx);
+ rc = EVP_DigestFinal(&md_ctx, (unsigned char *)digest, &result_size);
+ if (rc != 1) {
+ fprintf(stderr, "EVP_DigestFinal() failed: rc = %d\n", rc);
+ return -1;
+ }
+
+ return 0;
+}
+
+int cca_decrypt(unsigned char *in_data, unsigned long in_data_len,
+ unsigned char *out_data, unsigned long *out_data_len,
+ unsigned char *init_v, unsigned char *key_value)
+{
+ long return_code, reason_code, rule_array_count, length;
+ unsigned char chaining_vector[18];
+ unsigned char rule_array[256];
+
+ length = in_data_len;
+ rule_array_count = 1;
+ memcpy(rule_array, "CBC ", 8);
+
+ CSNBDEC(&return_code, &reason_code, NULL, NULL, key_value,
+ &length, in_data, init_v, &rule_array_count,
+ rule_array, chaining_vector, out_data);
+
+ if (return_code != 0) {
+ fprintf(stderr, "CSNBDEC (DES3 DECRYPT) failed: return_code=%ld reason_code=%ld\n", return_code, reason_code);
+ return -1;
+ }
+ *out_data_len = length;
+ return 0;
+}
+
+int reencrypt_private_token_object(unsigned char *data, unsigned long len,
+ unsigned char *new_cipher,
+ unsigned long *new_cipher_len,
+ unsigned char *masterkey)
+{
+ unsigned char *clear = NULL;
+ unsigned char des3_key[64];
+ unsigned char sw_des3_key[3 * DES_KEY_SIZE];
+ unsigned long clear_len;
+ CK_RV rc;
+ int ret;
+
+ /* cca wants 8 extra bytes for padding purposes */
+ clear_len = len + 8;
+ clear = (unsigned char *) malloc(clear_len);
+ if (!clear) {
+ fprintf(stderr, "malloc() failed: %s.\n", strerror(errno));
+ ret =-1;
+ goto done;
+ }
+
+ /* decrypt using cca des3 */
+ memcpy(des3_key, masterkey, MASTER_KEY_SIZE);
+ ret = cca_decrypt(data, len, clear, &clear_len, "10293847", des3_key);
+ if (ret)
+ goto done;
+
+ /* now encrypt using software des3 */
+ memcpy(sw_des3_key, masterkey, 3 * DES_KEY_SIZE);
+ rc = sw_des3_cbc_encrypt(clear, clear_len, new_cipher, new_cipher_len,
+ "10293847", sw_des3_key);
+ if (rc != CKR_OK)
+ ret = -1;
+done:
+ if (clear)
+ free(clear);
+
+ return ret;
+}
+
+int load_private_token_objects(unsigned char *data_store,
+ unsigned char *masterkey)
+{
+ FILE *fp1 = NULL, *fp2 = NULL;
+ unsigned char *buf = NULL;
+ unsigned char tmp[PATH_MAX], fname[PATH_MAX], iname[PATH_MAX];
+ CK_BBOOL priv;
+ unsigned int size;
+ int rc, scount= 0, fcount = 0;
+ size_t read_size;
+ unsigned char *new_cipher;
+ unsigned long new_cipher_len;
+
+ snprintf(iname, sizeof(iname), "%s/TOK_OBJ/OBJ.IDX", data_store);
+
+ fp1 = fopen((char *)iname, "r");
+ if (!fp1)
+ return -1; // no token objects
+
+ while (!feof(fp1)) {
+ (void)fgets((char *)tmp, 50, fp1);
+ if (!feof(fp1)) {
+ tmp[strlen((char *)tmp) - 1] = 0;
+
+ snprintf((char *)fname, sizeof(fname), "%s/TOK_OBJ/",
+ data_store);
+ strcat((char *)fname, (char *)tmp);
+
+ fp2 = fopen((char *)fname, "r");
+ if (!fp2)
+ continue;
+
+ fread(&size, sizeof(unsigned int), 1, fp2);
+ fread(&priv, sizeof(CK_BBOOL), 1, fp2);
+ if (priv == FALSE) {
+ fclose(fp2);
+ continue;
+ }
+
+ size = size - sizeof(unsigned int) - sizeof(CK_BBOOL);
+ buf = (unsigned char *) malloc(size);
+ if (!buf) {
+ fprintf(stderr, "Cannot malloc for object %s "
+ "(ignoring it).\n", tmp);
+ goto cleanup;
+ }
+
+ read_size = fread((char *)buf, 1, size, fp2);
+ if (read_size != size) {
+ fprintf(stderr, "Cannot read object %s "
+ "(ignoring it).\n", tmp);
+ goto cleanup;
+ }
+
+ new_cipher_len = size;
+ new_cipher = malloc(new_cipher_len);
+ if (!new_cipher) {
+ fprintf(stderr, "Cannot malloc space for new "
+ "cipher (ignoring object %s).\n", tmp);
+ goto cleanup;
+ }
+
+ /* After reading the private token object,
+ * decrypt it using CCA des3 and then re-encrypt it
+ * using software des3.
+ */
+ memset(new_cipher, 0, new_cipher_len);
+ rc = reencrypt_private_token_object(buf, size,
+ new_cipher, &new_cipher_len,
+ masterkey);
+ if (rc)
+ goto cleanup;
+
+ fclose(fp2);
+
+ /* now save the newly re-encrypted object back to
+ * disk in its original file.
+ */
+ fp2 = fopen((char *)fname, "w");
+ size = sizeof(unsigned int) + sizeof(CK_BBOOL)
+ + new_cipher_len;
+ (void)fwrite(&size, sizeof(unsigned int), 1, fp2);
+ (void)fwrite(&priv, sizeof(CK_BBOOL), 1, fp2);
+ (void)fwrite(new_cipher, new_cipher_len, 1, fp2);
+ rc = 0;
+
+cleanup:
+ if (fp2)
+ fclose(fp2);
+ if (buf)
+ free(buf);
+ if (new_cipher)
+ free(new_cipher);
+
+ if (rc) {
+ if (v_flag)
+ printf("Failed to process %s\n", fname);
+ fcount++;
+ } else {
+ if (v_flag)
+ printf("Processed %s.\n", fname);
+ scount++;
+ }
+ }
+ }
+ fclose(fp1);
+ printf("Successfully migrated %d object(s).\n", scount);
+
+ if (v_flag && fcount)
+ printf("Failed to migrate %d object(s).\n", fcount);
+
+ return 0;
+}
+
+int load_masterkey(char *mkfile, char *pin, char *masterkey)
+{
+ unsigned char des3_key[3 * DES_KEY_SIZE];
+ unsigned char hash_sha[SHA1_HASH_SIZE];
+ unsigned char pin_md5_hash[MD5_HASH_SIZE];
+ unsigned char *cipher = NULL;
+ unsigned char *clear = NULL;
+ unsigned long cipher_len, clear_len;
+ int ret;
+ CK_RV rc;
+ FILE *fp = NULL;
+
+ clear_len = cipher_len = MASTER_KEY_SIZE + SHA1_HASH_SIZE + (DES_BLOCK_SIZE - 1) & ~(DES_BLOCK_SIZE - 1);
+
+ fp = fopen((char *)mkfile, "r");
+ if (!fp) {
+ fprintf(stderr, "Could not open %s: %s\n", mkfile,
+ strerror(errno));
+ return -1;
+ }
+
+ cipher = malloc(cipher_len);
+ clear = malloc(clear_len);
+ if (cipher == NULL || clear == NULL) {
+ ret = -1;
+ goto done;
+ }
+
+ ret = fread(cipher, cipher_len, 1, fp);
+ if (ret != 1) {
+ fprintf(stderr, "Could not read %s: %s\n", mkfile,
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ /* decrypt the masterkey */
+
+ ret = compute_md5(pin, strlen(pin), pin_md5_hash);
+ if (ret) {
+ fprintf(stderr, "Error calculating MD5 of PIN!\n");
+ goto done;
+ }
+
+ memcpy(des3_key, pin_md5_hash, MD5_HASH_SIZE);
+ memcpy(des3_key + MD5_HASH_SIZE, pin_md5_hash, DES_KEY_SIZE);
+
+ rc = sw_des3_cbc_decrypt(cipher, cipher_len, clear, &clear_len,
+ (unsigned char *)"12345678", des3_key);
+ if (rc != CKR_OK) {
+ fprintf(stderr, "Error decrypting master key file after read");
+ ret = -1;
+ goto done;
+ }
+
+ /*
+ * technically should strip PKCS padding here but since I already know
+ * what the length should be, I don't bother.
+ *
+ * compare the hashes to verify integrity
+ */
+
+ ret = compute_sha1(clear, MASTER_KEY_SIZE, hash_sha);
+ if (ret) {
+ fprintf(stderr, "Failed to compute sha for masterkey.\n");
+ goto done;
+ }
+
+ if (memcmp(hash_sha, clear + MASTER_KEY_SIZE, SHA1_HASH_SIZE) != 0) {
+ fprintf(stderr, "%s appears to have been tampered!\n", mkfile);
+ fprintf(stderr, "Cannot migrate.\n");
+ ret = -1;
+ goto done;
+ }
+
+ memcpy(masterkey, clear, MASTER_KEY_SIZE);
+ ret = 0;
+
+done:
+ if (fp)
+ fclose(fp);
+ if (clear)
+ free(clear);
+ if (cipher)
+ free(cipher);
+
+ return ret;
+}
+
+int get_pin(char **pin, size_t *pinlen)
+{
+ struct termios old, new;
+ int nread;
+ char *buff = NULL;
+ size_t buflen;
+ int rc = 0;
+
+ /* turn echoing off */
+ if (tcgetattr(fileno(stdin), &old) != 0)
+ return -1;
+
+ new = old;
+ new.c_lflag &= ~ECHO;
+ if (tcsetattr (fileno(stdin), TCSAFLUSH, &new) != 0)
+ return -1;
+
+ /* read the pin
+ * Note: getline will allocate memory for buff. free it when done.
+ */
+ nread = getline(&buff, &buflen, stdin);
+ if (nread == -1) {
+ rc = -1;
+ goto done;
+ }
+
+ /* Restore terminal */
+ (void) tcsetattr(fileno(stdin), TCSAFLUSH, &old);
+
+ /* start a newline */
+ printf("\n");
+ fflush(stdout);
+
+ /* Allocate PIN.
+ * Note: nread includes carriage return.
+ * Replace with terminating NULL.
+ */
+ *pin = (unsigned char *)malloc(nread);
+ if (*pin == NULL) {
+ rc = -ENOMEM;
+ goto done;
+ }
+
+ /* strip the carriage return since not part of pin. */
+ buff[nread - 1] = '\0';
+ memcpy(*pin, buff, nread);
+ /* don't include the terminating null in the pinlen */
+ *pinlen = nread - 1;
+
+done:
+ if (buff)
+ free(buff);
+
+ return rc;
+}
+
+int verify_pins(char *data_store, char *sopin, unsigned long sopinlen,
+ char *userpin, unsigned long userpinlen)
+{
+ TOKEN_DATA td;
+ unsigned char fname[PATH_MAX];
+ unsigned char pin_sha[SHA1_HASH_SIZE];
+ FILE *fp = NULL;
+ int ret;
+
+ /* read the NVTOK.DAT */
+ snprintf(fname, PATH_MAX, "%s/NVTOK.DAT", data_store);
+ fp = fopen((char *)fname, "r");
+ if (!fp) {
+ fprintf(stderr, "Could not open %s: %s\n", fname,
+ strerror(errno));
+ return -1;
+ }
+
+ ret = fread(&td, sizeof(TOKEN_DATA), 1, fp);
+ if (ret != 1) {
+ fprintf(stderr, "Could not read %s: %s\n", fname,
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ /* Now compute the SHAs for the SO and USER pins entered.
+ * Compare with the SHAs for SO and USER PINs saved in
+ * NVTOK.DAT to verify.
+ */
+
+ if (sopin != NULL) {
+ ret = compute_sha1(sopin, sopinlen, pin_sha);
+ if (ret) {
+ fprintf(stderr, "Failed to compute sha for SO.\n");
+ goto done;
+ }
+
+ if (memcmp(td.so_pin_sha, pin_sha, SHA1_HASH_SIZE) != 0) {
+ fprintf(stderr, "SO PIN is incorrect.\n");
+ ret = -1;
+ goto done;
+ }
+ }
+
+ if (userpin != NULL) {
+ ret = compute_sha1(userpin, userpinlen, pin_sha);
+ if (ret) {
+ fprintf(stderr, "Failed to compute sha for USER.\n");
+ goto done;
+ }
+
+ if (memcmp(td.user_pin_sha, pin_sha, SHA1_HASH_SIZE) != 0) {
+ fprintf(stderr, "USER PIN is incorrect.\n");
+ ret = -1;
+ goto done;
+ }
+ }
+ ret = 0;
+
+done:
+ /* clear out the hash */
+ memset(pin_sha, 0, SHA1_HASH_SIZE);
+ if (fp)
+ fclose(fp);
+
+ return ret;
+}
+
+void usage(char *progname)
+{
+ printf("usage:\t%s -h | -m v2objectsv3 [OPTIONS] \n", progname);
+ printf(" -h\t\t\t\tshow this help\n");
+ printf(" -m=migration_type\t\tCurrently the only type of CCA ");
+ printf("migration\n\t\t\t\tsupported is v2objectsv3. v2objectsv3 ");
+ printf("migrates\n\t\t\t\tCCA private token objects from CCA ");
+ printf("encryption\n\t\t\t\t(used in v2)to software encryption ");
+ printf("(used in v3). \n\n");
+ printf("Migrate options (with -m v2objectsv3):\n");
+ printf(" -d, --datastore=DIRECTORY\tCCA token datastore location\n");
+ printf(" -v, --verbose\t\t\tprovide more detailed output\n");
+
+ return;
+}
+
+int main(int argc, char **argv)
+{
+ int ret, opt;
+ unsigned int m_flag = 0;
+ char *sopin = NULL, *userpin = NULL;
+ size_t sopinlen, userpinlen;
+ unsigned char masterkey[MASTER_KEY_SIZE];
+ unsigned char *data_store = NULL;
+ unsigned char *m_type = NULL;
+ int data_store_len;
+ char fname[PATH_MAX];
+ struct stat statbuf;
+ void *lib_csulcca;
+
+ struct option long_opts[] = {
+ { "datastore", required_argument, NULL, 'd' },
+ { "verbose", no_argument, NULL, 'v'},
+ { 0, 0, 0, 0 }
+ };
+
+ int long_index;
+ while ((opt = getopt_long(argc, argv, "d:m:hv", long_opts, NULL)) != -1) {
+ switch (opt) {
+ case 'd':
+ data_store = strdup(optarg);
+ break;
+
+ case 'h':
+ usage(argv[0]);
+ return 0;
+
+ case 'm':
+ m_type = strdup(optarg);
+ break;
+
+ case 'v':
+ v_flag++;
+ break;
+
+ default:
+ usage(argv[0]);
+ return -1;
+ }
+ }
+
+ if (m_type) {
+ if (memcmp(m_type, "v2objectsv3", strlen("v2objectsv3"))) {
+ fprintf(stderr, "unknown migration type\n");
+ usage(argv[0]);
+ return -1;
+ }
+ }
+
+ /* use default data_store if one is not given */
+ if (data_store == NULL) {
+ data_store_len = strlen(TOK_DATASTORE);
+ data_store = malloc(data_store_len + 1);
+ if (data_store == NULL) {
+ fprintf(stderr, "malloc failed: %s\n",strerror(errno));
+ return -1;
+ }
+ memset(data_store, 0, data_store_len + 1);
+ memcpy(data_store, TOK_DATASTORE, data_store_len);
+ }
+
+ /* Verify that the data store is valid by looking for
+ * MK_SO, MK_USER, and TOK_OBJ/OBJ.IDX.
+ */
+
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, PATH_MAX, "%s/MK_SO", data_store);
+ if (stat(fname, &statbuf) != 0) {
+ fprintf(stderr, "Cannot find %s.\n", fname);
+ ret = -1;
+ goto done;
+ }
+
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, PATH_MAX, "%s/MK_USER", data_store);
+ if (stat(fname, &statbuf) != 0) {
+ fprintf(stderr, "Cannot find %s.\n", fname);
+ ret = -1;
+ goto done;
+ }
+
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, PATH_MAX, "%s/TOK_OBJ/OBJ.IDX", data_store);
+ if (stat(fname, &statbuf) != 0) {
+ fprintf(stderr, "Cannot find %s.\n", fname);
+ ret = -1;
+ goto done;
+ }
+
+ /* If the OBJ.IDX is empty, then no objects to migrate. */
+ if (statbuf.st_size == 0) {
+ printf("OBJ.IDX file is empty. Thus no objects to migrate.\n");
+ goto done;
+ }
+
+ if (v_flag)
+ printf("%s has an MK_SO, MK_USER and TOK/OBJ.IDX\n",
+ data_store);
+
+ /* get the SO pin to authorize migration */
+ printf("Enter the SO PIN: ");
+ fflush(stdout);
+ ret = get_pin(&sopin, &sopinlen);
+ if (ret != 0) {
+ fprintf(stderr, "Could not get SO PIN.\n");
+ goto done;
+ }
+
+ /* get the USER pin to authorize migration */
+ printf("Enter the USER PIN: ");
+ fflush(stdout);
+ ret = get_pin(&userpin, &userpinlen);
+
+ if (ret != 0) {
+ fprintf(stderr, "Could not get USER PIN.\n");
+ goto done;
+ }
+
+ /* Verify the SO and USER PINs entered. */
+ ret = verify_pins(data_store, sopin, sopinlen, userpin, userpinlen);
+ if (ret)
+ goto done;
+
+ lib_csulcca = dlopen(CCA_LIBRARY, (RTLD_GLOBAL | RTLD_NOW));
+ if (lib_csulcca == NULL) {
+ fprintf(stderr, "dlopen(%s) failed: %s\n", CCA_LIBRARY,
+ strerror(errno));
+ return -1;
+ }
+
+ CSNBDEC = dlsym(lib_csulcca, "CSNBDEC");
+
+ /* Get the masterkey from MK_SO.
+ * This also helps verify that correct SO pin was entered.
+ */
+ memset(masterkey, 0, MASTER_KEY_SIZE);
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, PATH_MAX, "%s/MK_SO", data_store);
+ ret = load_masterkey(fname, sopin, masterkey);
+ if (ret) {
+ fprintf(stderr, "Could not load masterkey from MK_SO.\n");
+ goto done;
+ }
+
+ if (v_flag)
+ printf("Successfully verified SO Pin.\n");
+
+ /* Get the masterkey from MK_USER.
+ * This also helps verift that correct USER pin was entered.
+ */
+ memset(masterkey, 0, MASTER_KEY_SIZE);
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, PATH_MAX, "%s/MK_USER", data_store);
+ ret = load_masterkey(fname, userpin, masterkey);
+ if (ret) {
+ fprintf(stderr, "Could not load masterkey from MK_USER.\n");
+ goto done;
+ }
+
+ if (v_flag)
+ printf("Successfully verified USER Pin.\n");
+
+ /* Load all the private token objects and re-encrypt them
+ * using software des3, instead of CSNBENC.
+ */
+ (void)load_private_token_objects(data_store, masterkey);
+
+done:
+
+ if (sopin)
+ free(sopin);
+ if (userpin)
+ free(userpin);
+ if (data_store)
+ free(data_store);
+
+ return ret;
+}
Index: opencryptoki/usr/sbin/pkcscca/pkcscca.h
===================================================================
--- /dev/null
+++ opencryptoki/usr/sbin/pkcscca/pkcscca.h
@@ -0,0 +1,49 @@
+/*
+ * Licensed materials - Property of IBM
+ *
+ * pkcscca - A tool for PKCS#11 CCA token.
+ * Currently, only migrates CCA private token objects from using a
+ * CCA cipher to using a software cipher.
+ *
+ * Copyright (C) International Business Machines Corp. 2014
+ *
+ */
+
+
+#ifndef __PKCSCCA_H_
+#define __PKCSCCA_H_
+
+#define CCA_LIBRARY "libcsulcca.so"
+#define TOK_DATASTORE "/var/lib/opencryptoki/ccatok"
+#define MASTER_KEY_SIZE 64
+#define SHA1_HASH_SIZE 20
+#define MD5_HASH_SIZE 16
+#define DES_BLOCK_SIZE 8
+#define DES_KEY_SIZE 8
+#define compute_sha1(a,b,c) compute_hash(HASH_SHA1,b,a,c)
+#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c)
+#define HASH_SHA1 1
+#define HASH_MD5 2
+
+/* from host_defs.h */
+#include "pkcs32.h"
+typedef struct _TWEAK_VEC
+{
+ int allow_weak_des ;
+ int check_des_parity ;
+ int allow_key_mods ;
+ int netscape_mods ;
+} TWEAK_VEC;
+
+typedef struct _TOKEN_DATA
+{
+ CK_TOKEN_INFO_32 token_info;
+
+ CK_BYTE user_pin_sha[3 * DES_BLOCK_SIZE];
+ CK_BYTE so_pin_sha[3 * DES_BLOCK_SIZE];
+ CK_BYTE next_token_object_name[8];
+ TWEAK_VEC tweak_vector;
+} TOKEN_DATA;
+
+
+#endif

281
ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
View File

@ -1,281 +0,0 @@
From 13eda6d102b8c44f85cf4eac094ff8a964c630f4 Mon Sep 17 00:00:00 2001
From: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Mon, 1 Sep 2014 22:46:37 -0500
Subject: [PATCH 2/2] Add documentation (pkcscca manpage and README.cca_stdll)
to assist in migrating cca private token objects from v2 to v3.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
---
configure.in | 1 +
doc/README.cca_stdll | 175 ++++++++++++++++++++++++++++++++++++++++++++++----
man/man1/Makefile.am | 2 +-
man/man1/pkcscca.1.in | 45 +++++++++++++
4 files changed, 209 insertions(+), 14 deletions(-)
create mode 100644 man/man1/pkcscca.1.in
diff --git a/configure.in b/configure.in
index f3fbe70..3e7e5e8 100644
--- a/configure.in
+++ b/configure.in
@@ -843,6 +843,7 @@ AC_CONFIG_FILES([Makefile usr/Makefile \
man/man1/Makefile \
man/man1/pkcsconf.1 \
man/man1/pkcsicsf.1 \
+ man/man1/pkcscca.1 \
man/man1/pkcsep11_migrate.1 \
man/man5/Makefile \
man/man5/opencryptoki.conf.5 \
diff --git a/doc/README.cca_stdll b/doc/README.cca_stdll
index f535dfa..a0d13f1 100644
--- a/doc/README.cca_stdll
+++ b/doc/README.cca_stdll
@@ -1,24 +1,173 @@
+CCA TOKEN
-README for the CCA secure-key token
+OverView
+--------
+The CCA token is a secure key token.
+A Secure key - key value does not exist in the clear outside of the HSM
+(secure, tamper-resistent boundary of the card). It is a clear key wrapped
+with the appropriate MasterKey that has been installed into the secure hardware.
+A clear key is generated in the hardware, wrapped with the appropriate
+master key that has been installed into the hardware. The wrapped key is then
+passed back to the invoker. Upon an encryption and/or decryption request,
+the wrapped key and the data to be encrypted are passed into the hardware.
+The wrapped key is verified, and the clear key is used to encrypt and/or
+decrypt the data. All this is done in the CCA hardware.
-Kent Yoder <yoder1@us.ibm.com>
+Within opencryptoki, this wrapped key value is stored in the CKA_IBM_OPAQUE
+attribute rather than the CKA_VALUE attribute.
- The key used to encrypt private objects on disk is a secure key.
+Pre-requisites:
+The CCA token requires cca library, libcsulcca.so, which is part of the
+csulcca rpm.
+It also requires proper configuration and installation of the MK keys into
+the hardware which is outside the scope of this document.
- The key used to encrypt that secure key is based on the hash of the
-USER and SO pins. Therefore it is a clear key and software is used to
-do the encryption/decryption of the secure key.
+Configuration
+-------------
-MK_USER: The secure key used for internal on-disk encryption, encrypted
+To use the CCA token a slot entry must be defined in the
+opencryptoki.conf configuration file that sets the stdll attribute to
+libcsulcca.so.
+
+The CCA token also requires that the appropriate master keys have
+been installed into the hardware. The corresponding driver must also be
+loaded, i.e. modprobe z90crypt.
+
+CCA Token Objects
+-------------------------
+
+Opencryptoki stores token objects on disk. Public token objects are not
+encrypted. Private token objects are encrypted.
+Versions of opencryptoki prior to version 3, used a CCA generated secure key
+(des3 key) and the crypto adapter to encrypt the private token object's data.
+In version 3, a clear key (des3 key) and software crypto (openssl) are used
+to encrypt this data.
+
+Migration Information
+---------------------
+
+Migrating version 2 private token objects to version 3 is ONLY required if
+the system will run opencryptoki version 3 and will use private token
+objects saved or preserved from version 2.
+Note, public token objects do not need to be migrated.
+If there are no private token objects from version 2, then the version 3
+does not require any migrating.
+
+In version 2 private token objects are encrypted and decrypted with a secure
+key in the crypto adapter. In version 3, this encryption and decryption is
+done with a clear key using software crypto. Therefore, opencryptoki
+version 3, will not succesfully decrypt a version 2 private token object.
+
+Version 2 private token objects must be "migrated" to version 3 so that
+opencryptoki version 3 can access these objects. This migration will
+decrypt the objects using the CCA call, CSNBDEC and the current
+opencryptoki key stored in MK_USER. The objects will then be re-encrypted
+using software crypto. The key bits that are stored in MK_USER will then be
+used as a clear key.
+
+Once the migration has completed, these private token objects should then be
+accessable to version 3.
+
+Migration Steps
+---------------
+
+1. Either update or install version 3.
+a. Update to opencryptoki version 3. In most linux distributions, an update
+from version 2 to version 3 will preserve the contents of the CCA data-store.
+
+b. Install opencryptoki version 3. In most distributions, an install will
+remove the contents of the CCA data-store. You will essentially be starting
+from the beginning and have to initialize the CCA token.
+
+In this scenario, if a prior version of opencryptoki had been running on the
+system, and you wanted to preserve your token objects, you will have saved
+or backed them up somewhere.
+
+2. Backup the CCA data-store before migrating. It is always a good idea to
+back up the data in case the migration is unsuccessful or data is corrupted.
+The data-store is the directory in which the CCA token information is stored
+on disk. In most distributions it can be found in /var/lib/opencryptoki/ccatok.
+Within this directory there is,
+
+MK_USER: The des3 key used for internal on-disk encryption, encrypted
under the USER's PIN by software routines
-MK_SO: The secure key used for internal on-disk encryption, encrypted
+MK_SO: The des3 key used for internal on-disk encryption, encrypted
under the SO's PIN by software routines
-So, MK_USER and MK_SO contain the same key, encrypted under different PINs
+NKTOK.DAT: Token information.
+
+TOK_OBJ: The directory in which token objects are stored.
+
+TOK_OBJ/OBJ.IDX: A list of current token objects.
+
+**NOTE: MK_USER and MK_SO contain the same key, encrypted under
+different PINs
+
+3. Ensure no opencryptoki processes are running. Stop the pkcsslotd daemon
+if it is running.
+
+4. Run the pkcscca tool to perform the migration.
+For example,
+ pkcscca -m v2objectsv3 -v
+
+Note that the "-v" option will allow you to see which objects did and did not
+get migrated. Specify the "-d" flag if you wish to migrate CCA token objects
+stored in a data-store different from the default, /var/lib/opencryptoki/ccatok.
+
+5. (Optional) Removing shared memory may be required to pick up
+the newly migrated objects.
+
+CCA token's shared memory segment tracks its token objects.
+Token objects stored on disk are only loaded into shared memory
+when the shared memory is created. The shared memory is usually
+created after a reboot, an install, or an update of the opencryptoki package.
+
+If another opencryptoki process accessed the CCA token after install
+or update, then opencryptoki will have loaded all the token objects into
+shared memory, except for the private token objects requiring migration,
+since they will have failed decryption. Subsequent calls to the
+opencryptoki api will not find these objects since they have not
+been loaded into shared memory. Opencryptoki won't read the
+objects from disk and load into shared memory again until the next time
+shared memory is created.
+
+So, in this case, shared memory must be removed and created again so
+that opencryptoki can successfuly load all the token objects including the
+newly migrated private token objects into CCA token's shared memory segment.
+
+Remove shared memory if,
+ - after updating or installing, any opencryptoki processes or tools tried
+ to access the CCA token before migrating CCA token's private token
+ objects. For example, the pkcsconf command was run.
+
+ The pre-migrated objects will have failed decryption and not
+ been loaded into shared memory. A reboot or removing shared memory
+ will cause the token to create shared memory again and load the newly
+ migrated private token objects into it.
+
+CCA's shared memory can be removed two ways.
+ 1. a reboot
+
+ 2. remove the shared memory file,
+ i.e. "rm /dev/shm/var.lib.opencryptoki.ccatok"
+
+ Notes: (1). Ensure that no opencryptoki processes are running
+ before removing the shared memory. Otherwise, you risk corrupting
+ any running opencryptoki processes.
+ (2). If you have installed opencryptoki manually (not via a distro
+ rpm) the CCA token shared memory segment may be named
+ usr.local.var.lib.opencryptoki.ccatok.
+
+The next opencryptoki process to run will cause opencryptoki to create
+a shared memory segment for the token and load the newly migrated objects
+as well as any other token objects for the token.
-PKCS#11 Notes:
+6. After a successful migration, the CCA private token objects should be
+encrypted and ready to be accessed by opencryptoki version 3.
-DES/3DES PKCS#11 key objects have the CCA key identifier stored in the CKA_VALUE
-attribute. Usually the CKA_VALUE attribute would hold a plaintext key, however
-in this case, the id used to reference the secure key is stored here.
+TroubleShooting:
+1. If version 3 cannot find the newly migrated CCA private token objects,
+reboot or remove the shared memory file. This will cause token to create
+shared memory again and load the newly migrated private token objects
+into shared memory.
diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am
index c4b4d95..f2274d7 100644
--- a/man/man1/Makefile.am
+++ b/man/man1/Makefile.am
@@ -1,3 +1,3 @@
-man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1
+man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1 pkcscca.1
EXTRA_DIST = $(man1_MANS)
CLEANFILES = $(man1_MANS)
diff --git a/man/man1/pkcscca.1.in b/man/man1/pkcscca.1.in
new file mode 100644
index 0000000..c6e49d6
--- /dev/null
+++ b/man/man1/pkcscca.1.in
@@ -0,0 +1,45 @@
+.TH PKCSCCA 1 "September 2014" "@PACKAGE_VERSION@" "openCryptoki"
+.SH NAME
+pkcscca \- configuration utility for the CCA token
+
+.SH SYNOPSIS
+\fBpkcscca\fP
+[\fB-h\fP]
+[\fB-m v2objectsv3\fP]
+[\fIOPTIONS\fP]
+
+.SH DESCRIPTION
+The \fBpkcscca\fP utility assists in administering the CCA token. Currently it
+migrates opencryptoki version 2 private token objects to the encryption
+method used in opencryptoki version 3.
+
+In verion 2 of opencryptoki, CCA private token objects were encrypted in CCA
+hardware. In version 3 these objects are encrypted in software. The
+\fBv2objectsv3\fP migration option migrates these version 2 objects by
+decrypting them in CCA hardware using a secure key and then re-encrypting
+them in software using a software key. Afterwards, v2 objects can be accessed
+in version 3.
+
+.SH "FLAGS"
+.IP "\fB-h\fP" 10
+show usage information
+.IP "\fB-m\fP" 10
+perform a migration. \fBv2objectsv3\fP is currently the only type of migration
+supported and must be specified along with this flag.
+
+.SH "MIGRATION OPTIONS"
+.IP "\fB-d|--datastore\fP \fIdirectory\fp" 10
+the directory where the CCA token information is kept. This directory will be
+used to locate the private token objects to be migrated. i.e. /var/lib/opencryptoki/ccatok
+.IP "\fB-v|--verbose\fP" 10
+provide detailed output during migration
+
+.SH "FILES"
+.IP "/var/lib/opencryptoki/ccatok/TOK_OBJ/OBJ.IDX"
+contains current list of public and private token objects for the CCA token.
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBREADME.cca_stdll\fP (in system's doc directory)
+.PD
--
1.8.1.4

255
ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
View File

@ -1,255 +0,0 @@
--- opencryptoki.orig/doc/README.ep11_stdll 2014-09-04 21:59:50.000000000 -0600
+++ opencryptoki/doc/README.ep11_stdll 2014-09-04 22:01:27.223654000 -0600
@@ -1,126 +1,126 @@
-EP11 Token
-==========
-
-The EP11 token is a token that uses the IBM Crypto Express adapters
-(starting with Crypto Express 4S adapters) configured with Enterprise
-PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that
-firmware load are also called CEXnP adapters for n >= 4.
-
-The EP11 token is only supported on the System z architecture and requires a
-Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver
-loaded into the kernel and the availability of EP11 library libep11.
-
-The token directory of the EP11 token is opencryptoki/ep11tok typically
-located in /var/lib.
-
-Configuration
--------------
-
-To use the EP11 token a slot entry must be defined in the general opencryptoki
-configuration file that sets the stdll attribute to libpkcs11_ep11.so.
-
-A EP11 token specific configuration file must be set up to define the target
-adapters and target adapter domains. The name of the configuration file must be
-defined in the global openCryptoki configuration opencryptoki.conf file as part
-of the token specification using the confname attribute.
-E.g. the entry
-
-slot 4
-{
-stdll = libpkcs11_ep11.so
-confname = ep11tok.conf
-}
-
-defines the name of the configuration file of the EP11 token to be
-ep11tok.conf. Per default this file is searched in the directory where
-openCryptoki searches its global configuration file. This default path can
-be overriden using the OCK_EP11_TOKEN_DIR environment variable.
-
-EP11 token configuration files defines a list of adapter/domain pairs to which
-the EP11 token sends its cryptographic requests. This list can be specified as
-a white list starting with a line containing the key word APQN_WHITELIST
-followed by one or more lines containing each two integers (in the range
-of 0 - 255) separated by a white space. The white list is ended with a line
-containing the key word END. In each of lines of the white list the first
-integer denotes the adapter number and the second integer denotes the domain
-id. Alternatively the keyword APQN_ANY can be used to define that all
-adapter/domain pairs with EP11 firmware load that are available to the system
-shall be used as target adapters. An adapter number corresponds to the
-numerical part xx of an adapter id of the form cardxx as displayed by the
-lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices).
-Currently Linux on z only supports a single domain. That domain number can be
-displayed with lszcrypt -b (see the value of ap_domain) or alternatively as
-contents of /sys/bus/ap/ap_domain.
-
-In addition to the target adapter a log level can be defined in the EP11
-configuration file using a line consisting of the key word LOGLEVEL followed
-by an integer between 0 and 9.
-
-Logging
--------
-
-If a log level greater than 0 is defined in the environment variable
-OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration
-file then log entries are written to a log file
-/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the process
-using the EP11 token.
-
-Note, that the handling of EP11 logs is subject to change in future releases
-of opencryptoki.
-
-Crypto Express Adapter EP11 Master Key Management
--------------------------------------------------
-
-If master keys are changed on an EP11 adapter all key objects in the token
-object repository (in the TOK_OBJ directory within the EP11 token directory)
-become invalid.
-
-The key migration tool pkcsep11_migrate can be used to perform the migration
-of the current EP11 master keys to new master keys. Therefore the following
-steps must be performed:
-1) On the Trusted Key Entry console (TKE): Submit and commit new master
-keys on the EP11 adapter(s).
-2) On Linux: Stop all processes using openCryptoki with the EP11 token.
-3) On Linux: Back up the token object repository of the EP11 token.
-4) On Linux: Migrate keys of object repository of EP11 token with
-migration tool. If a failure occurs restore the backed up token repository
-and retry step 4.
-5) On the TKE: Activate new master keys on the EP11 adapter(s).
-6) On Linux: Restart applications using openCryptoki with the EP11 token.
-
-Token specifics
----------------
-
-The EP11 token only supports secure keys (i.e. key wrapped by a master key of
-the Crypto Express adapter). Therefore all keys must have the attribute
-CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
-(token specific) default for secure keys the attribute must be explicitly
-provided whenever a secret key is generated, unwrapped or build with
-C_CreateObject. In addition all keys used with the EP11 token are extractable.
-i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.
-
-When creating keys the default values of the attributes CKA_ENCRYPT,
-CKA DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE.
-Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions.
-
-All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than
-or equal to 17.
-
-The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
-according to ANSI X9.31. Therefore in the EP11 token the lengths of the
-RSA primes (p or q) must be a multiple of 128 bits and the length of the
-modulus (CKA_MODULUS_BITS) must be a multiple of 256.
-
-The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have
-a length that is a multiple of the block size of DES3 or AES respectively.
-
-See the mechanism list and mechanism info (pkcsconf -m) for supported
-mechanisms together with supported functions and key sizes. Note the
-supported mechanism list is currently fix and matches the most stringent
-setting of the Crypto Express adapter.
-
-Note, the EP11 coprocessor adapter can be configured to restrict the
-cryptographic capababilities in order for the adapter to comply with specific
-security requirements and regulations. Such restrictions on the adapter impact
-the capabilitiy of the EP11 token.
-
+EP11 Token
+==========
+
+The EP11 token is a token that uses the IBM Crypto Express adapters
+(starting with Crypto Express 4S adapters) configured with Enterprise
+PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that
+firmware load are also called CEXnP adapters for n >= 4.
+
+The EP11 token is only supported on the System z architecture and requires a
+Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver
+loaded into the kernel and the availability of EP11 library libep11.
+
+The token directory of the EP11 token is opencryptoki/ep11tok typically
+located in /var/lib.
+
+Configuration
+-------------
+
+To use the EP11 token a slot entry must be defined in the general opencryptoki
+configuration file that sets the stdll attribute to libpkcs11_ep11.so.
+
+A EP11 token specific configuration file must be set up to define the target
+adapters and target adapter domains. The name of the configuration file must be
+defined in the global openCryptoki configuration opencryptoki.conf file as part
+of the token specification using the confname attribute.
+E.g. the entry
+
+slot 4
+{
+stdll = libpkcs11_ep11.so
+confname = ep11tok.conf
+}
+
+defines the name of the configuration file of the EP11 token to be
+ep11tok.conf. Per default this file is searched in the directory where
+openCryptoki searches its global configuration file. This default path can
+be overriden using the OCK_EP11_TOKEN_DIR environment variable.
+
+EP11 token configuration files defines a list of adapter/domain pairs to which
+the EP11 token sends its cryptographic requests. This list can be specified as
+a white list starting with a line containing the key word APQN_WHITELIST
+followed by one or more lines containing each two integers (in the range
+of 0 - 255) separated by a white space. The white list is ended with a line
+containing the key word END. In each of lines of the white list the first
+integer denotes the adapter number and the second integer denotes the domain
+id. Alternatively the keyword APQN_ANY can be used to define that all
+adapter/domain pairs with EP11 firmware load that are available to the system
+shall be used as target adapters. An adapter number corresponds to the
+numerical part xx of an adapter id of the form cardxx as displayed by the
+lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices).
+Currently Linux on z only supports a single domain. That domain number can be
+displayed with lszcrypt -b (see the value of ap_domain) or alternatively as
+contents of /sys/bus/ap/ap_domain.
+
+In addition to the target adapter a log level can be defined in the EP11
+configuration file using a line consisting of the key word LOGLEVEL followed
+by an integer between 0 and 9.
+
+Logging
+-------
+
+If a log level greater than 0 is defined in the environment variable
+OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration
+file then log entries are written to a log file
+/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the process
+using the EP11 token.
+
+Note, that the handling of EP11 logs is subject to change in future releases
+of opencryptoki.
+
+Crypto Express Adapter EP11 Master Key Management
+-------------------------------------------------
+
+If master keys are changed on an EP11 adapter all key objects in the token
+object repository (in the TOK_OBJ directory within the EP11 token directory)
+become invalid.
+
+The key migration tool pkcsep11_migrate can be used to perform the migration
+of the current EP11 master keys to new master keys. Therefore the following
+steps must be performed:
+1) On the Trusted Key Entry console (TKE): Submit and commit new master
+keys on the EP11 adapter(s).
+2) On Linux: Stop all processes using openCryptoki with the EP11 token.
+3) On Linux: Back up the token object repository of the EP11 token.
+4) On Linux: Migrate keys of object repository of EP11 token with
+migration tool. If a failure occurs restore the backed up token repository
+and retry step 4.
+5) On the TKE: Activate new master keys on the EP11 adapter(s).
+6) On Linux: Restart applications using openCryptoki with the EP11 token.
+
+Token specifics
+---------------
+
+The EP11 token only supports secure keys (i.e. key wrapped by a master key of
+the Crypto Express adapter). Therefore all keys must have the attribute
+CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
+(token specific) default for secure keys the attribute must be explicitly
+provided whenever a secret key is generated, unwrapped or build with
+C_CreateObject. In addition all keys used with the EP11 token are extractable.
+i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.
+
+When creating keys the default values of the attributes CKA_ENCRYPT,
+CKA DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE.
+Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions.
+
+All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than
+or equal to 17.
+
+The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
+according to ANSI X9.31. Therefore in the EP11 token the lengths of the
+RSA primes (p or q) must be a multiple of 128 bits and the length of the
+modulus (CKA_MODULUS_BITS) must be a multiple of 256.
+
+The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have
+a length that is a multiple of the block size of DES3 or AES respectively.
+
+See the mechanism list and mechanism info (pkcsconf -m) for supported
+mechanisms together with supported functions and key sizes. Note the
+supported mechanism list is currently fix and matches the most stringent
+setting of the Crypto Express adapter.
+
+Note, the EP11 coprocessor adapter can be configured to restrict the
+cryptographic capababilities in order for the adapter to comply with specific
+security requirements and regulations. Such restrictions on the adapter impact
+the capabilitiy of the EP11 token.
+

19
ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
View File

@ -1,19 +0,0 @@
commit 2094b476ab7c14caecc37add2da43bba11b71bf5
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Date: Fri Aug 15 12:48:46 2014 +0200
Fixed ica token's SHA update function when passing zero message size
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
--- opencryptoki.orig/usr/lib/pkcs11/ica_s390_stdll/ica_specific.c 2014-01-27 15:01:58.000000000 -0700
+++ opencryptoki/usr/lib/pkcs11/ica_s390_stdll/ica_specific.c 2014-09-05 09:19:55.009080000 -0600
@@ -859,7 +859,7 @@ token_specific_sha_update( DIGEST_CONTEX
* we're not stuck with 0 bytes when the MSG_PART_FINAL
* comes in. - KEY
*/
- if (!(in_data_len % 64)) {
+ if (!(in_data_len % 64) && (in_data_len != 0)) {
oc_sha_ctx->tail_len = 64;
memcpy(oc_sha_ctx->tail, in_data + in_data_len - 64, 64);
in_data_len -= 64;

36
openCryptoki.changes
View File

@ -1,3 +1,39 @@
-------------------------------------------------------------------
Wed Dec 17 10:42:43 UTC 2014 - p.drouand@gmail.com
- Update to version 3.2
+New pkcscca tool. Currently it assists in migrating cca private token
objects from opencryptoki version 2 to the clear key encryption method
used in opencryptoki version 3. Includes a manpage for pkcscca tool.
Changes to README.cca_stdll to assist in using the CCA token and
migrating the private token objects.
+ Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
+ Various bugfixes.
+ New testcases for various crypto algorithms.
- Only depend on insserv if builded with sysvinit support
- Remove obsolete patches; merged on upstream release
+ ocki-3.1_01_ep11_makefile.patch
+ ocki-3.1_02_ep11_m_init.patch
+ ocki-3.1_03_ock_obj_mgr.patch
+ ocki-3.1_04_ep11_opaque2blob_error_handl.patch
+ ocki-3.1_05_ep11_readme_update.patch
+ ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
+ ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
+ ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
+ ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
+ ocki-3.1_06_0005-Small-reworks.patch
+ ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
+ ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
+ ocki-3.1_07_0001-Man-page-corrections.patch
+ ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
+ ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
+ ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Project is now hosted on sourceforge; fix the Url
- Remove cvs related stuff; tarball is produced by upstream
- Use %configure macro instead of manually defined options
- Build with parallel support; use %{?_smp_mflags} macro
-------------------------------------------------------------------
Fri Sep 5 15:30:59 UTC 2014 - jjolly@suse.com

56
openCryptoki.spec
View File

@ -46,15 +46,15 @@ BuildRequires: trousers-devel
%if %{uses_systemd}
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%else
%insserv_prereq
%endif
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
License: IPL-1.0
Group: Productivity/Security
Version: 3.1
Version: 3.2
Release: 0
# :pserver:anonymous@cvs.sourceforge.net:/cvsroot/opencryptoki
# cvs co -r openCryptoki-2-1-5 -d openCryptoki-2-1-5 .
Source: %{oc_cvs_tag}-v%{version}.tar.bz2
Source: %{oc_cvs_tag}-v%{version}.tgz
Source1: openCryptoki.pkcsslotd
Source2: openCryptoki-TFAQ.html
Source3: openCryptoki-tmp.conf
@ -62,26 +62,9 @@ Patch1: ocki-3.1-remove-make-install-chgrp-chmod.patch
Patch2: ocki-3.1-fix-init_d-path.patch
Patch3: ocki-3.1-fix-implicit-decl.patch
Patch4: ocki-3.1-fix-libica-link.patch
Patch5: ocki-3.1_01_ep11_makefile.patch
Patch6: ocki-3.1_02_ep11_m_init.patch
Patch7: ocki-3.1_03_ock_obj_mgr.patch
Patch8: ocki-3.1_04_ep11_opaque2blob_error_handl.patch
Patch9: ocki-3.1_05_ep11_readme_update.patch
Patch10: ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
Patch11: ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
Patch12: ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
Patch13: ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
Patch14: ocki-3.1_06_0005-Small-reworks.patch
Patch15: ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
Patch16: ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
Patch17: ocki-3.1_07_0001-Man-page-corrections.patch
Patch18: ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
Patch19: ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
Patch20: ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
Patch21: ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
Url: http://oss.software.ibm.com/developerworks/opensource/opencryptoki
Url: http://sourceforge.net/projects/opencryptoki/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed %insserv_prereq
PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed
# IBM maintains openCryptoki on these architectures:
ExclusiveArch: %openCryptoki_32bit_arch %openCryptoki_64bit_arch
#
@ -160,37 +143,16 @@ Cryptographic Accelerator (FC 4960 on pSeries).
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
cp %{SOURCE2} .
%build
autoreconf --force --install
CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure \
--prefix=/usr \
--libdir=%{_libdir} \
CFLAGS="%optflags -D__USE_BSD" %configure \
--enable-tpmtok \
%if %{uses_systemd}
--with-systemd=/usr/lib/systemd/system \
--with-systemd=/usr/lib/systemd/system
%endif
--sysconfdir=%{_sysconfdir} \
--localstatedir=%{_localstatedir}
%__make
make %{?_smp_mflags}
%install
%make_install DESTDIR=$RPM_BUILD_ROOT INSROOT=$RPM_BUILD_ROOT

3
opencryptoki-v3.1.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:05df5d5657e1de41ca7c81e0cc8c8c42d7b842fb062ad76f4961efffb0984aca
size 680250

3
opencryptoki-v3.2.tgz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d0b4676766753449f4d9001436cf8371812ddff7b59869e8d5adef94c4fd261b
size 911965