Accepting request 265545 from home:posophe:branches:security
Update + changes OBS-URL: https://build.opensuse.org/request/show/265545 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=24
This commit is contained in:
parent
e535e749ba
commit
a15255e127
@ -1,42 +0,0 @@
|
||||
commit f558043c9c7aa2ada4dd9d7548c2c713aea24753
|
||||
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
|
||||
Date: Fri Feb 7 15:03:48 2014 -0600
|
||||
|
||||
ep11: Fixed Makefile to complement common code dependencies
|
||||
This will fix the side effect that the ep11 token could not
|
||||
plugged into slot 0, because of unresolved symbols.
|
||||
|
||||
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/pkcs11/ep11_stdll/Makefile.am b/usr/lib/pkcs11/ep11_stdll/Makefile.am
|
||||
index fd940ec..d587fd2 100644
|
||||
--- a/usr/lib/pkcs11/ep11_stdll/Makefile.am
|
||||
+++ b/usr/lib/pkcs11/ep11_stdll/Makefile.am
|
||||
@@ -28,10 +28,15 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = ../common/asn1.c \
|
||||
../common/loadsave.c \
|
||||
../common/key.c \
|
||||
../common/key_mgr.c \
|
||||
- ../common/mech_md5.c \
|
||||
+ ../common/mech_des.c \
|
||||
+ ../common/mech_des3.c \
|
||||
+ ../common/mech_aes.c \
|
||||
+ ../common/mech_md5.c \
|
||||
../common/mech_md2.c \
|
||||
../common/mech_rng.c \
|
||||
+ ../common/mech_rsa.c \
|
||||
../common/mech_sha.c \
|
||||
+ ../common/mech_ssl3.c \
|
||||
../common/new_host.c \
|
||||
../common/obj_mgr.c \
|
||||
../common/object.c \
|
||||
@@ -44,8 +49,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = ../common/asn1.c \
|
||||
../common/log.c \
|
||||
../common/mech_list.c \
|
||||
../common/shared_memory.c \
|
||||
- ../common/attributes.c \
|
||||
- ../common/sw_crypt.c \
|
||||
+ ../common/attributes.c \
|
||||
+ ../common/sw_crypt.c \
|
||||
ep11_specific.c
|
||||
|
||||
noinst_HEADERS = ep11.h
|
@ -1,21 +0,0 @@
|
||||
commit d564279d2c2913021ca325507d1ce3af3aff078a
|
||||
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
|
||||
Date: Fri Feb 7 15:08:27 2014 -0600
|
||||
|
||||
ep11: switched to official m_init() function based on library change
|
||||
|
||||
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
index a9a72e4..1a43ccb 100644
|
||||
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
@@ -1281,7 +1281,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
|
||||
/* for real HW on Z-series, this would open the
|
||||
* device driver file /dev/zcrypt.
|
||||
*/
|
||||
- if (m_add_backend(NULL,0) < 0) {
|
||||
+ if (m_init() < 0) {
|
||||
EP11TOK_ELOG(1,"open of the zcrypt device driver failed");
|
||||
return CKR_DEVICE_ERROR;
|
||||
}
|
@ -1,129 +0,0 @@
|
||||
commit 099a3a110a733ef3a91c41a88dcd45f15af8a6cd
|
||||
Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
Date: Wed Feb 12 12:06:53 2014 -0600
|
||||
|
||||
Scenario: processA creates private token key object and before he can
|
||||
use it, processB gets it, uses it, and deletes it.
|
||||
Because opencryptoki was not checking the global token object count,
|
||||
process B segfaulted when count was zero, thinking there were objects in
|
||||
shared memory to search.
|
||||
Also, it was not checking return code of object_mgr_check_shm() in
|
||||
object_mgr_find_in_map1 to see if anything was found in shm.
|
||||
And lastly, return correct error code.
|
||||
|
||||
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/pkcs11/common/obj_mgr.c b/usr/lib/pkcs11/common/obj_mgr.c
|
||||
index 92c11c2..8d42d9e 100755
|
||||
--- a/usr/lib/pkcs11/common/obj_mgr.c
|
||||
+++ b/usr/lib/pkcs11/common/obj_mgr.c
|
||||
@@ -1340,13 +1340,28 @@ object_mgr_find_in_map1( CK_OBJECT_HANDLE handle,
|
||||
goto done;
|
||||
}
|
||||
|
||||
-// SAB XXX Fix me.. need to make it more efficient than just looking for the object to be changed
|
||||
-// set a global flag that contains the ref count to all objects.. if the shm ref count changes, then we update the object
|
||||
-// if not
|
||||
-
|
||||
- XProcLock();
|
||||
- object_mgr_check_shm( obj );
|
||||
- XProcUnLock();
|
||||
+ /* SAB XXX Fix me.. need to make it more efficient than just looking
|
||||
+ * for the object to be changed. set a global flag that contains the
|
||||
+ * ref count to all objects.. if the shm ref count changes, then we
|
||||
+ * update the object. if not
|
||||
+ */
|
||||
+
|
||||
+ /* Note: Each C_Initialize call loads up the public token objects
|
||||
+ * and build corresponding tree(s). The same for private token objects
|
||||
+ * upon successful C_Login. Since token objects can be shared, it is
|
||||
+ * possible another process or session has deleted a token object.
|
||||
+ * Accounting is done in shm, so check shm to see if object still exists.
|
||||
+ */
|
||||
+ if (!object_is_session_object(obj)) {
|
||||
+ XProcLock();
|
||||
+ rc = object_mgr_check_shm( obj );
|
||||
+ XProcUnLock();
|
||||
+
|
||||
+ if (rc != CKR_OK) {
|
||||
+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
*ptr = obj;
|
||||
done:
|
||||
@@ -2101,8 +2116,8 @@ object_mgr_del_from_shm( OBJECT *obj )
|
||||
0, global_shm->num_priv_tok_obj-1,
|
||||
obj, &index );
|
||||
if (rc != CKR_OK){
|
||||
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
|
||||
+ return rc;
|
||||
}
|
||||
// Since the number of objects starts at 1 and index starts at zero, we
|
||||
// decrement before we get count. This eliminates the need to perform
|
||||
@@ -2139,8 +2154,8 @@ object_mgr_del_from_shm( OBJECT *obj )
|
||||
0, global_shm->num_publ_tok_obj-1,
|
||||
obj, &index );
|
||||
if (rc != CKR_OK){
|
||||
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
|
||||
+ return rc;
|
||||
}
|
||||
global_shm->num_publ_tok_obj--;
|
||||
|
||||
@@ -2189,25 +2204,36 @@ object_mgr_check_shm( OBJECT *obj )
|
||||
// the calling routine is responsible for locking the global_shm mutex
|
||||
//
|
||||
|
||||
+ /* first check the object count. If it is 0, then just return. */
|
||||
priv = object_is_private( obj );
|
||||
|
||||
if (priv) {
|
||||
+
|
||||
+ if (global_shm->num_priv_tok_obj == 0) {
|
||||
+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
|
||||
+ return CKR_OBJECT_HANDLE_INVALID;
|
||||
+ }
|
||||
rc = object_mgr_search_shm_for_obj( global_shm->priv_tok_objs,
|
||||
0, global_shm->num_priv_tok_obj-1,
|
||||
obj, &index );
|
||||
if (rc != CKR_OK){
|
||||
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
|
||||
+ return rc;
|
||||
}
|
||||
entry = &global_shm->priv_tok_objs[index];
|
||||
}
|
||||
else {
|
||||
+
|
||||
+ if (global_shm->num_publ_tok_obj == 0) {
|
||||
+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
|
||||
+ return CKR_OBJECT_HANDLE_INVALID;
|
||||
+ }
|
||||
rc = object_mgr_search_shm_for_obj( global_shm->publ_tok_objs,
|
||||
0, global_shm->num_publ_tok_obj-1,
|
||||
obj, &index );
|
||||
if (rc != CKR_OK){
|
||||
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
|
||||
+ return rc;
|
||||
}
|
||||
entry = &global_shm->publ_tok_objs[index];
|
||||
}
|
||||
@@ -2256,8 +2282,8 @@ object_mgr_search_shm_for_obj( TOK_OBJ_ENTRY * obj_list,
|
||||
}
|
||||
}
|
||||
}
|
||||
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
|
||||
+ return CKR_OBJECT_HANDLE_INVALID;
|
||||
}
|
||||
|
||||
|
@ -1,233 +0,0 @@
|
||||
commit 9d445b0294b588a834797e4f8c3d6ea3c1b3da2b
|
||||
Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
Date: Wed Feb 12 12:09:14 2014 -0600
|
||||
|
||||
ep11's h_opaque_2_blob needs to catch the return code from
|
||||
object_mgr_find_in_map1 and return it.
|
||||
|
||||
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
index 1a43ccb..90d3df1 100644
|
||||
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
@@ -1814,12 +1814,12 @@ CK_RV token_specific_derive_key(SESSION *session, CK_MECHANISM_PTR mech,
|
||||
memset(&secret_op, 0, sizeof(secret_op));
|
||||
secret_op.blob_size = blobsize;
|
||||
|
||||
- if (h_opaque_2_blob(hBaseKey, &blob, &blob_len) != CKR_OK) {
|
||||
+ rc = h_opaque_2_blob(hBaseKey, &blob, &blob_len);
|
||||
+ if (rc != CKR_OK) {
|
||||
EP11TOK_ELOG(1,"FAIL hBaseKey=0x%lx",hBaseKey);
|
||||
- return CKR_CANCEL;
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
-
|
||||
/* Get the keytype to use when creating the key object */
|
||||
rc = ep11_get_keytype(attrs, attrs_len, mech, &ktype, &class);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -2732,36 +2732,19 @@ CK_RV token_specific_generate_key_pair(SESSION * sess,
|
||||
private_key_obj->name, public_key_obj, private_key_obj);
|
||||
}
|
||||
|
||||
- /* Keys should be fully constructed,
|
||||
- * assign object handles and store keys.
|
||||
- */
|
||||
- rc = object_mgr_create_final(sess, public_key_obj, phPublicKey);
|
||||
- if (rc != CKR_OK) {
|
||||
- OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
|
||||
- goto error;
|
||||
- }
|
||||
-
|
||||
- rc = object_mgr_create_final(sess, private_key_obj, phPrivateKey);
|
||||
- if (rc != CKR_OK) {
|
||||
- OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
|
||||
- object_mgr_destroy_object(sess, *phPublicKey);
|
||||
- public_key_obj = NULL;
|
||||
- goto error;
|
||||
- }
|
||||
-
|
||||
/* copy CKA_CLASS, CKA_KEY_TYPE to private template */
|
||||
if (template_attribute_find(public_key_obj->template, CKA_CLASS, &attr)) {
|
||||
rc = build_attribute(attr->type, attr->pValue,
|
||||
attr->ulValueLen, &n_attr);
|
||||
if (rc != CKR_OK) {
|
||||
EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc);
|
||||
- return rc;
|
||||
+ goto error;
|
||||
}
|
||||
|
||||
rc = template_update_attribute(private_key_obj->template, n_attr);
|
||||
if (rc != CKR_OK) {
|
||||
EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc);
|
||||
- return rc;
|
||||
+ goto error;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2770,17 +2753,34 @@ CK_RV token_specific_generate_key_pair(SESSION * sess,
|
||||
attr->ulValueLen, &n_attr);
|
||||
if (rc != CKR_OK) {
|
||||
EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc);
|
||||
- return rc;
|
||||
+ goto error;
|
||||
}
|
||||
|
||||
rc = template_update_attribute(private_key_obj->template, n_attr);
|
||||
if (rc != CKR_OK) {
|
||||
EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc);
|
||||
- return rc;
|
||||
+ goto error;
|
||||
}
|
||||
}
|
||||
|
||||
+ /* Keys should be fully constructed,
|
||||
+ * assign object handles and store keys.
|
||||
+ */
|
||||
+ rc = object_mgr_create_final(sess, public_key_obj, phPublicKey);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ rc = object_mgr_create_final(sess, private_key_obj, phPrivateKey);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
|
||||
+ object_mgr_destroy_object(sess, *phPublicKey);
|
||||
+ public_key_obj = NULL;
|
||||
+ goto error;
|
||||
+ }
|
||||
return rc;
|
||||
+
|
||||
error:
|
||||
if (public_key_obj) object_free(public_key_obj);
|
||||
if (private_key_obj) object_free(private_key_obj);
|
||||
@@ -2801,11 +2801,13 @@ static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle,
|
||||
OBJECT *key_obj;
|
||||
CK_ATTRIBUTE *attr = NULL;
|
||||
ep11_opaque *op;
|
||||
+ CK_RV rc;
|
||||
|
||||
/* find the key obj by the key handle */
|
||||
- if (object_mgr_find_in_map1(handle,&key_obj) != CKR_OK) {
|
||||
+ rc = object_mgr_find_in_map1(handle,&key_obj);
|
||||
+ if (rc != CKR_OK) {
|
||||
EP11TOK_ELOG(1,"key 0x%lx not mapped", handle);
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
/* blob already exists */
|
||||
@@ -2844,30 +2846,31 @@ CK_RV token_specific_sign_init(SESSION *session, CK_MECHANISM *mech,
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
|
||||
- if (h_opaque_2_blob(key,&privkey_blob,&blob_len) == CKR_OK) {
|
||||
- rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l,
|
||||
- mech, privkey_blob, blob_len, ep11tok_target) ;
|
||||
+ rc = h_opaque_2_blob(key, &privkey_blob, &blob_len);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
|
||||
+ return rc;
|
||||
+ }
|
||||
|
||||
- /* SIGN_VERIFY_CONTEX holds all needed for continuing,
|
||||
- * also by another adapter (stateless requests)
|
||||
- */
|
||||
- ctx->key = key;
|
||||
- ctx->multi = FALSE;
|
||||
- ctx->active = TRUE;
|
||||
- ctx->context = ep11_sign_state;
|
||||
- ctx->context_len = ep11_sign_state_l;
|
||||
+ rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l,
|
||||
+ mech, privkey_blob, blob_len, ep11tok_target) ;
|
||||
|
||||
- if (rc != CKR_OK) {
|
||||
- EP11TOK_ELOG(1,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
|
||||
- } else {
|
||||
- EP11TOK_LOG(2,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
|
||||
- }
|
||||
+ /* SIGN_VERIFY_CONTEX holds all needed for continuing,
|
||||
+ * also by another adapter (stateless requests)
|
||||
+ */
|
||||
+ ctx->key = key;
|
||||
+ ctx->multi = FALSE;
|
||||
+ ctx->active = TRUE;
|
||||
+ ctx->context = ep11_sign_state;
|
||||
+ ctx->context_len = ep11_sign_state_l;
|
||||
|
||||
- return rc;
|
||||
+ if (rc != CKR_OK) {
|
||||
+ EP11TOK_ELOG(1,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
|
||||
} else {
|
||||
- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ EP11TOK_LOG(2,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
|
||||
}
|
||||
+
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
|
||||
@@ -2946,27 +2949,26 @@ CK_RV token_specific_verify_init(SESSION *session, CK_MECHANISM *mech,
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
|
||||
- if (h_opaque_2_blob(key,&spki,&spki_len) == CKR_OK) {
|
||||
- rc = m_VerifyInit(ep11_sign_state, &ep11_sign_state_l, mech,
|
||||
- spki, spki_len, ep11tok_target);
|
||||
-
|
||||
- ctx->key = key;
|
||||
- ctx->multi = FALSE;
|
||||
- ctx->active = TRUE;
|
||||
- ctx->context = ep11_sign_state;
|
||||
- ctx->context_len = ep11_sign_state_l;
|
||||
-
|
||||
- if (rc != CKR_OK) {
|
||||
- EP11TOK_ELOG(1,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
|
||||
- } else {
|
||||
- EP11TOK_LOG(2,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
|
||||
- }
|
||||
-
|
||||
+ rc = h_opaque_2_blob(key, &spki, &spki_len);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
|
||||
return rc;
|
||||
+ }
|
||||
+
|
||||
+ rc = m_VerifyInit(ep11_sign_state, &ep11_sign_state_l, mech,
|
||||
+ spki, spki_len, ep11tok_target);
|
||||
+ ctx->key = key;
|
||||
+ ctx->multi = FALSE;
|
||||
+ ctx->active = TRUE;
|
||||
+ ctx->context = ep11_sign_state;
|
||||
+ ctx->context_len = ep11_sign_state_l;
|
||||
+ if (rc != CKR_OK) {
|
||||
+ EP11TOK_ELOG(1,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
|
||||
} else {
|
||||
- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ EP11TOK_LOG(2,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
|
||||
}
|
||||
+
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
|
||||
@@ -3169,11 +3171,12 @@ static CK_RV ep11_ende_crypt_init(SESSION *session, CK_MECHANISM_PTR mech,
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
|
||||
- if (h_opaque_2_blob(key, &blob, &blob_len) != CKR_OK) {
|
||||
+ rc = h_opaque_2_blob(key, &blob, &blob_len);
|
||||
+ if (rc != CKR_OK) {
|
||||
EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ return rc;
|
||||
}
|
||||
-
|
||||
+
|
||||
if (op == DECRYPT) {
|
||||
rc = m_DecryptInit(ep11_state, &ep11_state_l, mech, blob,
|
||||
blob_len, ep11tok_target);
|
@ -1,187 +0,0 @@
|
||||
commit 6589fae1561d1d050b743d3ff5e0b846616664a0
|
||||
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
|
||||
Date: Wed Feb 12 15:56:46 2014 -0600
|
||||
|
||||
EP11: some README updates about usage and restrictions.
|
||||
|
||||
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
|
||||
diff --git a/doc/README.ep11_stdll b/doc/README.ep11_stdll
|
||||
index dedb76c..e972391 100644
|
||||
--- a/doc/README.ep11_stdll
|
||||
+++ b/doc/README.ep11_stdll
|
||||
@@ -3,8 +3,8 @@ EP11 Token
|
||||
|
||||
The EP11 token is a token that uses the IBM Crypto Express adapters
|
||||
(starting with Crypto Express 4S adapters) configured with Enterprise
|
||||
-PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with
|
||||
-that firmware load are also called CEXnP adapters for n >= 4.
|
||||
+PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that
|
||||
+firmware load are also called CEXnP adapters for n >= 4.
|
||||
|
||||
The EP11 token is only supported on the System z architecture and requires a
|
||||
Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver
|
||||
@@ -17,14 +17,13 @@ Configuration
|
||||
-------------
|
||||
|
||||
To use the EP11 token a slot entry must be defined in the general opencryptoki
|
||||
-configuration file that sets the stdll attribute to libpkcs11_epp.so.
|
||||
+configuration file that sets the stdll attribute to libpkcs11_ep11.so.
|
||||
|
||||
A EP11 token specific configuration file must be set up to define the target
|
||||
-adapters and target adapter domains. The name of the configuration file must
|
||||
-be defined in the global openCryptoki configuration opencryptoki.conf file
|
||||
-as part of the token specification using the confname attribute.
|
||||
-
|
||||
-E.g. the entry,
|
||||
+adapters and target adapter domains. The name of the configuration file must be
|
||||
+defined in the global openCryptoki configuration opencryptoki.conf file as part
|
||||
+of the token specification using the confname attribute.
|
||||
+E.g. the entry
|
||||
|
||||
slot 4
|
||||
{
|
||||
@@ -35,39 +34,39 @@ confname = ep11tok.conf
|
||||
defines the name of the configuration file of the EP11 token to be
|
||||
ep11tok.conf. Per default this file is searched in the directory where
|
||||
openCryptoki searches its global configuration file. This default path can
|
||||
-be overwritten using the OCK_EP11_TOKEN_DIR environment variable.
|
||||
-
|
||||
-EP11 token configuration files defines a list of adapter/domain pairs to
|
||||
-which the EP11 token sends its cryptographic requests. This list can be
|
||||
-specified as a white list starting with a line containing the key word
|
||||
-APQN_WHITELIST followed by one or more lines containing each 2 white space
|
||||
-separted positive integers followed by a line with the key word END.
|
||||
-In each of these lines the first integer denotes the adapter number
|
||||
-and the second integer denotes the domain id. Alternatively the keyword
|
||||
-APQN_ANY can be used to define that all adapter/domain pairs with EP11
|
||||
-firmware load that are available to the system shall be used as target
|
||||
-adapters. An adapter number corresponds to the numerical part xx of an
|
||||
-adapter id of the form cardxx as displayed by the lszcrypt tool or in
|
||||
-the sys file system (e.g. in /sys/bus/ap/devices).
|
||||
-Currently Linux on z only supports a single domain. That domain number
|
||||
-can be displayed with lszcrypt -b (see the value of ap_domain) or
|
||||
-alternatively as contents of /sys/bus/ap/ap_domain.
|
||||
+be overriden using the OCK_EP11_TOKEN_DIR environment variable.
|
||||
+
|
||||
+EP11 token configuration files defines a list of adapter/domain pairs to which
|
||||
+the EP11 token sends its cryptographic requests. This list can be specified as
|
||||
+a white list starting with a line containing the key word APQN_WHITELIST
|
||||
+followed by one or more lines containing each two integers (in the range
|
||||
+of 0 - 255) separated by a white space. The white list is ended with a line
|
||||
+containing the key word END. In each of lines of the white list the first
|
||||
+integer denotes the adapter number and the second integer denotes the domain
|
||||
+id. Alternatively the keyword APQN_ANY can be used to define that all
|
||||
+adapter/domain pairs with EP11 firmware load that are available to the system
|
||||
+shall be used as target adapters. An adapter number corresponds to the
|
||||
+numerical part xx of an adapter id of the form cardxx as displayed by the
|
||||
+lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices).
|
||||
+Currently Linux on z only supports a single domain. That domain number can be
|
||||
+displayed with lszcrypt -b (see the value of ap_domain) or alternatively as
|
||||
+contents of /sys/bus/ap/ap_domain.
|
||||
|
||||
In addition to the target adapter a log level can be defined in the EP11
|
||||
-configuration file using a line consisting of the key word LOGLEVEL
|
||||
-followed by an integer between 0 and 9.
|
||||
+configuration file using a line consisting of the key word LOGLEVEL followed
|
||||
+by an integer between 0 and 9.
|
||||
|
||||
Logging
|
||||
-------
|
||||
|
||||
If a log level greater than 0 is defined in the environment variable
|
||||
-OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11
|
||||
-configuration file then log entries are written to a log file
|
||||
-/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the
|
||||
-process using the EP11 token.
|
||||
+OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration
|
||||
+file then log entries are written to a log file
|
||||
+/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the process
|
||||
+using the EP11 token.
|
||||
|
||||
-Note, that the handling of EP11 logs is subject to change in future
|
||||
-releases of opencryptoki.
|
||||
+Note, that the handling of EP11 logs is subject to change in future releases
|
||||
+of opencryptoki.
|
||||
|
||||
Crypto Express Adapter EP11 Master Key Management
|
||||
-------------------------------------------------
|
||||
@@ -77,28 +76,27 @@ object repository (in the TOK_OBJ directory within the EP11 token directory)
|
||||
become invalid.
|
||||
|
||||
The key migration tool pkcsep11_migrate can be used to perform the migration
|
||||
-of the current EP11 master keys to new master keys. Therefore the
|
||||
-following steps must be performed:
|
||||
-
|
||||
-1) on the Trusted Key Entry console (TKE): submit and commit
|
||||
-new master keys on the EP11 adapter(s)
|
||||
-2) on Linux: stop all processes using openCryptoki with the EP11 token
|
||||
-3) on Linux: back up the token object repository of the EP11 token
|
||||
-4) on Linux: migrate keys of object repository of EP11 token with
|
||||
-migration tool. If a failure occurs restore the backed up token
|
||||
-repository and retry step 4
|
||||
-5) on the TKE: activate new master keys on the EP11 adapter(s)
|
||||
-6) on Linux: restart applications using openCryptoki with the EP11 token
|
||||
+of the current EP11 master keys to new master keys. Therefore the following
|
||||
+steps must be performed:
|
||||
+1) On the Trusted Key Entry console (TKE): Submit and commit new master
|
||||
+keys on the EP11 adapter(s).
|
||||
+2) On Linux: Stop all processes using openCryptoki with the EP11 token.
|
||||
+3) On Linux: Back up the token object repository of the EP11 token.
|
||||
+4) On Linux: Migrate keys of object repository of EP11 token with
|
||||
+migration tool. If a failure occurs restore the backed up token repository
|
||||
+and retry step 4.
|
||||
+5) On the TKE: Activate new master keys on the EP11 adapter(s).
|
||||
+6) On Linux: Restart applications using openCryptoki with the EP11 token.
|
||||
|
||||
Token specifics
|
||||
---------------
|
||||
|
||||
-The EP11 token only supports secure keys (i.e. key wrapped by a master key
|
||||
-of the Crypto Express adapter). Therefore all keys must have the attribute
|
||||
-CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define
|
||||
-a (token specific) default for secure keys the attribute must be explicitly
|
||||
-provided whenever a secret key is generated, unwrapped or created with
|
||||
-C_CreateObject. In addition all keys used with the EP11 token are extractable
|
||||
+The EP11 token only supports secure keys (i.e. key wrapped by a master key of
|
||||
+the Crypto Express adapter). Therefore all keys must have the attribute
|
||||
+CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
|
||||
+(token specific) default for secure keys the attribute must be explicitly
|
||||
+provided whenever a secret key is generated, unwrapped or build with
|
||||
+C_CreateObject. In addition all keys used with the EP11 token are extractable.
|
||||
i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.
|
||||
|
||||
When creating keys the default values of the attributes CKA_ENCRYPT,
|
||||
@@ -108,18 +106,21 @@ Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions.
|
||||
All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than
|
||||
or equal to 17.
|
||||
|
||||
-See the mechanism list and mechanism info (pkcsconf -m) for supported
|
||||
-mechanisms together with supported functions and key sizes.
|
||||
-Note the supported mechanism list is currently fixed and matches the
|
||||
-most stringent setting of the Crypto Express adapter.
|
||||
+The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
|
||||
+according to ANSI X9.31. Therefore in the EP11 token the lengths of the
|
||||
+RSA primes (p or q) must be a multiple of 128 bits and the length of the
|
||||
+modulus (CKA_MODULUS_BITS) must be a multiple of 256.
|
||||
|
||||
-Temporary Restrictions & Circumventions
|
||||
----------------------------------------
|
||||
+The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have
|
||||
+a length that is a multiple of the block size of DES3 or AES respectively.
|
||||
|
||||
-Wrapping 192 bit AES keys with the mechanism CKM_AES_CBC is not supported, use
|
||||
-CKM_AES_CBC_PAD instead.
|
||||
+See the mechanism list and mechanism info (pkcsconf -m) for supported
|
||||
+mechanisms together with supported functions and key sizes. Note the
|
||||
+supported mechanism list is currently fix and matches the most stringent
|
||||
+setting of the Crypto Express adapter.
|
||||
|
||||
-Importing RAS private keys with C_Unwrap is not supported for key sizes that
|
||||
-are not a multiple of AES blocksize. No circumvention possible.
|
||||
+Note, the EP11 coprocessor adapter can be configured to restrict the
|
||||
+cryptographic capababilities in order for the adapter to comply with specific
|
||||
+security requirements and regulations. Such restrictions on the adapter impact
|
||||
+the capabilitiy of the EP11 token.
|
||||
|
||||
-CKM_SHA512_HMAC is not supported. No circumvention possible.
|
@ -1,110 +0,0 @@
|
||||
From 68a30e9bf0e494057a889e06623dd0d8ab95acf7 Mon Sep 17 00:00:00 2001
|
||||
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
Date: Wed, 2 Apr 2014 12:03:53 -0500
|
||||
Subject: [PATCH 1/6] print_mechanism() ignored bad returncodes from the
|
||||
called function token_specific_get_mechanism_list(). So
|
||||
the token init was just running fine but mechanism list
|
||||
kept empty (eg. because of wrong adapter
|
||||
configuration). Fixed this and adjusted some of the
|
||||
related log messages.
|
||||
|
||||
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
---
|
||||
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 32 +++++++++++++++++++++++--------
|
||||
1 file changed, 24 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
index 90d3df1..4e3703b 100644
|
||||
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
@@ -1140,17 +1140,27 @@ static CK_RV print_mechanism(void)
|
||||
CK_ULONG count = 0;
|
||||
int i;
|
||||
CK_MECHANISM_INFO m_info;
|
||||
+ CK_RV rc;
|
||||
|
||||
- /* only informational */
|
||||
- (void) token_specific_get_mechanism_list(list, &count);
|
||||
+ /* first call is just to fetch the count value */
|
||||
+ rc = token_specific_get_mechanism_list(list, &count);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ EP11TOK_ELOG(1,"can't fetch mechanism list.");
|
||||
+ return rc;
|
||||
+ }
|
||||
list = (CK_MECHANISM_TYPE_PTR)malloc(sizeof(CK_MECHANISM_TYPE) * count);
|
||||
if (!list) {
|
||||
EP11TOK_ELOG(1,"Memory allocation failed.");
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
|
||||
- /* only informational */
|
||||
- (void) token_specific_get_mechanism_list(list, &count);
|
||||
+ /* now really fill the list */
|
||||
+ rc = token_specific_get_mechanism_list(list, &count);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ EP11TOK_ELOG(1,"can't fetch mechanism list!");
|
||||
+ free(list);
|
||||
+ return rc;
|
||||
+ }
|
||||
|
||||
EP11TOK_LOG(2,"EP11 token mechanism list, %lu entries:", count);
|
||||
for (i = 0; i < count; i++) {
|
||||
@@ -1170,6 +1180,7 @@ static CK_RV print_mechanism(void)
|
||||
EP11TOK_LOG(2," %s {%lu,%lu%s}", ep11_get_ckm(list[i]),
|
||||
m_info.ulMinKeySize, m_info.ulMaxKeySize, strflags);
|
||||
}
|
||||
+
|
||||
free(list);
|
||||
return CKR_OK;
|
||||
}
|
||||
@@ -1295,7 +1306,11 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
|
||||
}
|
||||
|
||||
/* print mechanismlist to log file */
|
||||
- (void)print_mechanism();
|
||||
+ rc = print_mechanism();
|
||||
+ if (rc != CKR_OK) {
|
||||
+ EP11TOK_ELOG(1,"failure on fetching mechanism list rc=0x%lx, maybe wrong config ?", rc);
|
||||
+ return CKR_GENERAL_ERROR;
|
||||
+ }
|
||||
|
||||
/* create an AES key needed for importing keys
|
||||
* (encrypt by wrap_key and m_UnwrapKey by wrap key)
|
||||
@@ -3528,7 +3543,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
|
||||
rc = m_GetMechanismList(0, pMechanismList, pulCount,
|
||||
ep11tok_target);
|
||||
if (rc != CKR_OK) {
|
||||
- EP11TOK_ELOG(1,"bad rc #1 rc=0x%lx", rc);
|
||||
+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
|
||||
return rc;
|
||||
}
|
||||
|
||||
@@ -3543,7 +3558,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
|
||||
}
|
||||
rc = m_GetMechanismList(0, mlist, &counter, ep11tok_target);
|
||||
if (rc != CKR_OK) {
|
||||
- EP11TOK_ELOG(1,"bad rc #2 rc=0x%lx", rc);
|
||||
+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
|
||||
free(mlist);
|
||||
return rc;
|
||||
}
|
||||
@@ -3573,7 +3588,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
|
||||
*/
|
||||
rc = m_GetMechanismList(0,mlist,&counter,ep11tok_target);
|
||||
if (rc != CKR_OK) {
|
||||
- EP11TOK_ELOG(1,"bad rc #3 rc=0x%lx", rc);
|
||||
+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
|
||||
return rc;
|
||||
}
|
||||
|
||||
@@ -3743,6 +3758,7 @@ static int read_adapter_config_file(const char* conf_name)
|
||||
|
||||
if (!conf_name) {
|
||||
/* no conf_name was given, should not happen */
|
||||
+ EP11TOK_ELOG(1,"no conf_name argument found");
|
||||
return APQN_FILE_INV_1;
|
||||
}
|
||||
|
||||
--
|
||||
1.7.12.4
|
||||
|
@ -1,172 +0,0 @@
|
||||
From 401de8a8b5131c8dea1eade85c00e248198dc916 Mon Sep 17 00:00:00 2001
|
||||
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
Date: Wed, 2 Apr 2014 12:05:12 -0500
|
||||
Subject: [PATCH 2/6] Fix failure when confname is not given, use default
|
||||
ep11tok.conf instead.
|
||||
|
||||
Slight rework on the way how the ep11 token config file is found:
|
||||
If env has no OCK_EP11_TOKEN_DIR
|
||||
if confname is not null, try to use it
|
||||
if this fails, try ock default config dir + confname
|
||||
if this fails, try ock default config dir + ep11tok.conf
|
||||
if OCK_EP11_TOKEN_DIR given then
|
||||
if confname is not null, try OCK_EP11_TOKEN_DIR + confname
|
||||
if this fails, try OCK_EP11_TOKEN_DIR + ep11tok.conf
|
||||
if still unsuccessful then token init will fail.
|
||||
|
||||
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
---
|
||||
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 85 +++++++++++++++++++------------
|
||||
1 file changed, 52 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
index 4e3703b..0eea8c9 100644
|
||||
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
@@ -993,6 +993,7 @@ static const char* ep11_get_ckm(CK_ULONG mechanism)
|
||||
static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle,
|
||||
CK_BYTE **blob, size_t *blob_len);
|
||||
|
||||
+#define EP11_DEFAULT_CFG_FILE "ep11tok.conf"
|
||||
#define EP11_CFG_FILE_SIZE 4096
|
||||
|
||||
/* error rc for reading the adapter config file */
|
||||
@@ -1271,6 +1272,13 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
|
||||
}
|
||||
}
|
||||
EP11TOK_LOG(1,"init running");
|
||||
+
|
||||
+ /* read ep11 specific config file with user specified adapter/domain pairs, loglevel, ... */
|
||||
+ rc = read_adapter_config_file(conf_name);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ EP11TOK_ELOG(1,"ep11 config file error rc=0x%lx", rc);
|
||||
+ return CKR_GENERAL_ERROR;
|
||||
+ }
|
||||
|
||||
/* wrap key name */
|
||||
memset(wrap_key_name, 0, sizeof(wrap_key_name));
|
||||
@@ -1297,14 +1305,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
|
||||
return CKR_DEVICE_ERROR;
|
||||
}
|
||||
#endif
|
||||
-
|
||||
- /* user specified adapter/domain pairs the token is supposed to use */
|
||||
- rc = read_adapter_config_file(conf_name);
|
||||
- if (rc != CKR_OK) {
|
||||
- EP11TOK_ELOG(1,"adapter config file error rc=0x%lx", rc);
|
||||
- return CKR_GENERAL_ERROR;
|
||||
- }
|
||||
-
|
||||
+
|
||||
/* print mechanismlist to log file */
|
||||
rc = print_mechanism();
|
||||
if (rc != CKR_OK) {
|
||||
@@ -3753,40 +3754,57 @@ static int read_adapter_config_file(const char* conf_name)
|
||||
if (ep11_initialized) {
|
||||
return 0;
|
||||
}
|
||||
-
|
||||
+
|
||||
memset(fname,0,PATH_MAX);
|
||||
-
|
||||
- if (!conf_name) {
|
||||
- /* no conf_name was given, should not happen */
|
||||
- EP11TOK_ELOG(1,"no conf_name argument found");
|
||||
- return APQN_FILE_INV_1;
|
||||
- }
|
||||
|
||||
/* via envrionment variable it is possible to overwrite the
|
||||
- * config file given in the opencryptoki.conf. Then we use
|
||||
- * $OCK_EP11_TOKEN_DIR/ock_ep11_token.conf.
|
||||
+ * directory where the ep11 token config file is searched.
|
||||
*/
|
||||
if (conf_dir) {
|
||||
- snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name);
|
||||
- ap_fp = fopen(fname,"r");
|
||||
- }
|
||||
-
|
||||
- /* if there was no environment variable or fopen failed, use the
|
||||
- * default given from opencryptoki.conf via conf_name argument.
|
||||
- */
|
||||
- if (!ap_fp) {
|
||||
- snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name);
|
||||
- ap_fp = fopen(fname,"r");
|
||||
+ if (conf_name && strlen(conf_name) > 0) {
|
||||
+ /* extract filename part from conf_name */
|
||||
+ for (i=strlen(conf_name)-1; i >= 0 && conf_name[i] != '/'; i--);
|
||||
+ if (i < strlen(conf_name)-1) {
|
||||
+ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name+i+1);
|
||||
+ fname[sizeof(fname)-1] = '\0';
|
||||
+ ap_fp = fopen(fname,"r");
|
||||
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
|
||||
+ }
|
||||
+ }
|
||||
+ if (!ap_fp) {
|
||||
+ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, EP11_DEFAULT_CFG_FILE);
|
||||
+ fname[sizeof(fname)-1] = '\0';
|
||||
+ ap_fp = fopen(fname,"r");
|
||||
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (conf_name && strlen(conf_name) > 0) {
|
||||
+ strncpy(fname, conf_name, sizeof(fname));
|
||||
+ fname[sizeof(fname)-1] = '\0';
|
||||
+ ap_fp = fopen(fname,"r");
|
||||
+ if (!ap_fp) {
|
||||
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
|
||||
+ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name);
|
||||
+ fname[sizeof(fname)-1] = '\0';
|
||||
+ ap_fp = fopen(fname,"r");
|
||||
+ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
|
||||
+ }
|
||||
+ } else {
|
||||
+ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, EP11_DEFAULT_CFG_FILE);
|
||||
+ fname[sizeof(fname)-1] = '\0';
|
||||
+ ap_fp = fopen(fname,"r");
|
||||
+ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
|
||||
+ }
|
||||
}
|
||||
-
|
||||
+
|
||||
/* now we should really have an open ep11 token config file */
|
||||
if (!ap_fp) {
|
||||
EP11TOK_ELOG(1,"no valid EP 11 config file found");
|
||||
return APQN_FILE_INV_2;
|
||||
}
|
||||
-
|
||||
+
|
||||
EP11TOK_LOG(2,"EP 11 token config file is '%s'", fname);
|
||||
-
|
||||
+
|
||||
/* read config file line by line,
|
||||
* ignore empty and # and copy rest into file buf
|
||||
*/
|
||||
@@ -3811,13 +3829,13 @@ static int read_adapter_config_file(const char* conf_name)
|
||||
}
|
||||
|
||||
ep11_targets.length = 0;
|
||||
-
|
||||
+
|
||||
for (i=0,j=0,str=filebuf; rc == 0; str=NULL) {
|
||||
/* strtok tokenizes the string,
|
||||
* delimiters are newline and whitespace.
|
||||
*/
|
||||
token = strtok(str, "\n\t ");
|
||||
-
|
||||
+
|
||||
if (i == 0) {
|
||||
/* expecting APQN_WHITELIST or APQN_BLACKLIST
|
||||
* or APQN_ANY or LOGLEVEL or eof.
|
||||
@@ -3906,7 +3924,8 @@ static int read_adapter_config_file(const char* conf_name)
|
||||
/* do some checks: */
|
||||
if (rc == 0) {
|
||||
if ( !(whitemode || blackmode || anymode)) {
|
||||
- EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile: APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY");
|
||||
+ EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile:"
|
||||
+ " APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY");
|
||||
rc = APQN_FILE_NO_APQN_MODE;
|
||||
} else if (whitemode || blackmode) {
|
||||
/* at least one APQN needs to be defined */
|
||||
--
|
||||
1.7.12.4
|
||||
|
@ -1,38 +0,0 @@
|
||||
From 2bca1b392214241f84065d7709681c029b43b444 Mon Sep 17 00:00:00 2001
|
||||
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
Date: Mon, 14 Apr 2014 11:48:56 -0500
|
||||
Subject: [PATCH 3/6] Configure was checking for the ep11 lib and the m_init()
|
||||
function. As this library will be dynamically loaded at
|
||||
run time and there is no dependency at build time (but
|
||||
build will break if ep11 lib is not available) removed
|
||||
this check.
|
||||
|
||||
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
---
|
||||
configure.in | 9 ++-------
|
||||
1 file changed, 2 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/configure.in b/configure.in
|
||||
index ac41e84..1a1601c 100644
|
||||
--- a/configure.in
|
||||
+++ b/configure.in
|
||||
@@ -372,14 +372,9 @@ if test "x$with_zcrypt" != "xno"; then
|
||||
])
|
||||
|
||||
if test "x$with_zcrypt" != "xno"; then
|
||||
- AC_CHECK_LIB([ep11], [m_init],
|
||||
- [with_zcrypt=yes], [
|
||||
- if test "x$with_zcrypt" != "xcheck"; then
|
||||
- AC_MSG_ERROR([Build with zcrypt requested but zcrypt libraries couldn't be found])
|
||||
- fi
|
||||
- with_zcrypt=no
|
||||
- ])
|
||||
+ with_zcrypt=no
|
||||
fi
|
||||
+
|
||||
if test "x$with_zcrypt" = "xno"; then
|
||||
CFLAGS="$old_cflags"
|
||||
LIBS="$old_libs"
|
||||
--
|
||||
1.7.12.4
|
||||
|
@ -1,35 +0,0 @@
|
||||
From 11e808223faa9c334858e38acacf277079264beb Mon Sep 17 00:00:00 2001
|
||||
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
Date: Mon, 14 Apr 2014 12:02:48 -0500
|
||||
Subject: [PATCH 4/6] The asm/zcrypt.h header file uses some std int types and
|
||||
so the stdint.h include statement should occur before
|
||||
the zcrypt header file.
|
||||
|
||||
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
---
|
||||
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
index 0eea8c9..373be5b 100644
|
||||
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
@@ -296,6 +296,7 @@
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
+#include <stdint.h>
|
||||
|
||||
#include "pkcs11types.h"
|
||||
#include "defs.h"
|
||||
@@ -314,7 +315,6 @@
|
||||
#include <lber.h>
|
||||
#include <asm/zcrypt.h>
|
||||
#include <syslog.h>
|
||||
-#include <stdint.h>
|
||||
#include <dlfcn.h>
|
||||
#include <lber.h>
|
||||
|
||||
--
|
||||
1.7.12.4
|
||||
|
@ -1,144 +0,0 @@
|
||||
From b0fc36e0e1fd549164a2502213163ce23d2f0138 Mon Sep 17 00:00:00 2001
|
||||
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
Date: Mon, 14 Apr 2014 13:13:11 -0500
|
||||
Subject: [PATCH 5/6] Small reworks: - Some of the ock testcase c files are
|
||||
tracked by git as 755. Fixed, c code files should
|
||||
appear 644 now. - pkcs11 misc_func test improved to
|
||||
show not just the mechanism number but also the
|
||||
(preprocessor defined) mechanism name. - misc speed
|
||||
test rsa encrypt receive buffer increased so the
|
||||
"buffer size too small" is fixed now. - misc speed test
|
||||
rsa uses now an exponent value of 17 (0x01,0x00,0x01)
|
||||
instead of 3 (0x03). Some tokens (eg. ep11) do not
|
||||
allow such low exponents and reject RSA key
|
||||
generation.
|
||||
|
||||
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
---
|
||||
testcases/misc_tests/speed.c | 14 ++++++++------
|
||||
testcases/pkcs11/misc_func.c | 3 ++-
|
||||
2 files changed, 10 insertions(+), 7 deletions(-)
|
||||
mode change 100755 => 100644 testcases/crypto/aes_func.c
|
||||
mode change 100755 => 100644 testcases/crypto/des3_func.c
|
||||
mode change 100755 => 100644 testcases/crypto/des_func.c
|
||||
mode change 100755 => 100644 testcases/crypto/digest_func.c
|
||||
mode change 100755 => 100644 testcases/crypto/dsa_func.c
|
||||
mode change 100755 => 100644 testcases/crypto/rsa_func.c
|
||||
mode change 100755 => 100644 testcases/crypto/ssl3_func.c
|
||||
mode change 100755 => 100644 testcases/pkcs11/misc_func.c
|
||||
mode change 100755 => 100644 testcases/pkcs11/sess_mgmt.c
|
||||
mode change 100755 => 100644 testcases/pkcs11/sess_perf.c
|
||||
|
||||
diff --git a/testcases/crypto/aes_func.c b/testcases/crypto/aes_func.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
diff --git a/testcases/crypto/des3_func.c b/testcases/crypto/des3_func.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
diff --git a/testcases/crypto/des_func.c b/testcases/crypto/des_func.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
diff --git a/testcases/crypto/digest_func.c b/testcases/crypto/digest_func.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
diff --git a/testcases/crypto/dsa_func.c b/testcases/crypto/dsa_func.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
diff --git a/testcases/crypto/ssl3_func.c b/testcases/crypto/ssl3_func.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
diff --git a/testcases/misc_tests/speed.c b/testcases/misc_tests/speed.c
|
||||
index 102ba72..5df3169 100755
|
||||
--- a/testcases/misc_tests/speed.c
|
||||
+++ b/testcases/misc_tests/speed.c
|
||||
@@ -60,6 +60,7 @@ long speed_process_time(SYSTEMTIME t1, SYSTEMTIME t2)
|
||||
int do_RSA_PKCS_EncryptDecrypt( void )
|
||||
{
|
||||
CK_BYTE data1[100];
|
||||
+ CK_BYTE data2[200];
|
||||
CK_BYTE signature[256];
|
||||
CK_SLOT_ID slot_id;
|
||||
CK_SESSION_HANDLE session;
|
||||
@@ -69,14 +70,14 @@ int do_RSA_PKCS_EncryptDecrypt( void )
|
||||
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
|
||||
CK_ULONG user_pin_len;
|
||||
CK_ULONG i;
|
||||
- CK_ULONG len1, sig_len;
|
||||
+ CK_ULONG len1, len2, sig_len;
|
||||
CK_RV rc;
|
||||
|
||||
SYSTEMTIME t1, t2;
|
||||
CK_ULONG diff, min_time, max_time, avg_time;
|
||||
|
||||
CK_ULONG bits = 1024;
|
||||
- CK_BYTE pub_exp[] = { 0x3 };
|
||||
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
|
||||
|
||||
CK_ATTRIBUTE pub_tmpl[] =
|
||||
{
|
||||
@@ -190,7 +191,8 @@ int do_RSA_PKCS_EncryptDecrypt( void )
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- rc = funcs->C_Decrypt( session, signature,sig_len,data1, &len1 );
|
||||
+ len2 = sizeof(data2);
|
||||
+ rc = funcs->C_Decrypt( session, signature, sig_len, data2, &len2 );
|
||||
if (rc != CKR_OK) {
|
||||
show_error(" C_Decrypt #1", rc );
|
||||
return FALSE;
|
||||
@@ -259,7 +261,7 @@ int do_RSA_KeyGen_2048( void )
|
||||
{
|
||||
SYSTEMTIME t1, t2;
|
||||
CK_ULONG bits = 2048;
|
||||
- CK_BYTE pub_exp[] = { 0x3 };
|
||||
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
|
||||
|
||||
CK_ATTRIBUTE pub_tmpl[] =
|
||||
{
|
||||
@@ -368,7 +370,7 @@ int do_RSA_KeyGen_1024( void )
|
||||
{
|
||||
SYSTEMTIME t1, t2;
|
||||
CK_ULONG bits = 1024;
|
||||
- CK_BYTE pub_exp[] = { 0x3 };
|
||||
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
|
||||
|
||||
CK_ATTRIBUTE pub_tmpl[] =
|
||||
{
|
||||
@@ -468,7 +470,7 @@ int do_RSA_PKCS_SignVerify_1024( void )
|
||||
CK_ULONG diff, min_time, max_time, avg_time;
|
||||
|
||||
CK_ULONG bits = 1024;
|
||||
- CK_BYTE pub_exp[] = { 0x3 };
|
||||
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
|
||||
|
||||
CK_ATTRIBUTE pub_tmpl[] =
|
||||
{
|
||||
diff --git a/testcases/pkcs11/misc_func.c b/testcases/pkcs11/misc_func.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
index 8103649..d6619fd
|
||||
--- a/testcases/pkcs11/misc_func.c
|
||||
+++ b/testcases/pkcs11/misc_func.c
|
||||
@@ -602,7 +602,8 @@ CK_RV do_GetMechanismInfo( void )
|
||||
return rc;
|
||||
}
|
||||
|
||||
- printf(" Mechanism #%ld\n", mech_list[i] );
|
||||
+ printf(" Mechanism #%ld %s\n", mech_list[i],
|
||||
+ p11_get_ckm(mech_list[i]) );
|
||||
printf(" ulMinKeySize: %ld\n", info.ulMinKeySize );
|
||||
printf(" ulMaxKeySize: %ld\n", info.ulMaxKeySize );
|
||||
printf(" flags: %p\n", (void *)info.flags );
|
||||
diff --git a/testcases/pkcs11/sess_mgmt.c b/testcases/pkcs11/sess_mgmt.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
diff --git a/testcases/pkcs11/sess_perf.c b/testcases/pkcs11/sess_perf.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
--
|
||||
1.7.12.4
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 10f4766cd6782f3d15e42a985cdf909fe4c7762e Mon Sep 17 00:00:00 2001
|
||||
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
Date: Tue, 15 Apr 2014 13:16:33 -0500
|
||||
Subject: [PATCH 6/6] The 31 bit build on s390 showed an build error at
|
||||
initialization of an static long long variable which
|
||||
gets an address assigned. Fixed and tested on 31 and 64
|
||||
bit.
|
||||
|
||||
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
---
|
||||
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
index 373be5b..5aa890b 100644
|
||||
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
||||
@@ -407,9 +407,9 @@ static ep11_target_t ep11_targets;
|
||||
/* defined in the makefile, ep11 library can run standalone (without HW card),
|
||||
crypto algorithms are implemented in software then (no secure key) */
|
||||
#ifdef EP11_STANDALONE
|
||||
-unsigned long long ep11tok_target = 0x0000000100000008ull;
|
||||
+static unsigned long long ep11tok_target = 0x0000000100000008ull;
|
||||
#else
|
||||
-unsigned long long ep11tok_target = (unsigned long long) &ep11_targets;
|
||||
+static void* ep11tok_target = (void*) &ep11_targets;
|
||||
#endif
|
||||
|
||||
/* */
|
||||
--
|
||||
1.7.12.4
|
||||
|
@ -1,27 +0,0 @@
|
||||
From 5b8d304e050467e4acfd02dcefdcebad0e61c472 Mon Sep 17 00:00:00 2001
|
||||
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
Date: Wed, 30 Apr 2014 11:42:29 -0500
|
||||
Subject: [PATCH] ep11 is not building because not setting with_zcrypt
|
||||
correctly.
|
||||
|
||||
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||
---
|
||||
configure.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.in b/configure.in
|
||||
index 1a1601c..66bb329 100644
|
||||
--- a/configure.in
|
||||
+++ b/configure.in
|
||||
@@ -372,7 +372,7 @@ if test "x$with_zcrypt" != "xno"; then
|
||||
])
|
||||
|
||||
if test "x$with_zcrypt" != "xno"; then
|
||||
- with_zcrypt=no
|
||||
+ with_zcrypt=yes
|
||||
fi
|
||||
|
||||
if test "x$with_zcrypt" = "xno"; then
|
||||
--
|
||||
1.7.12.4
|
||||
|
@ -1,63 +0,0 @@
|
||||
From 417e55a76a3a52dfb22f0055230c74b083d9e3a7 Mon Sep 17 00:00:00 2001
|
||||
From: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
Date: Fri, 29 Aug 2014 12:40:35 -0500
|
||||
Subject: [PATCH] Man page corrections.
|
||||
|
||||
Remove references to obsoleted pk_config_data and pkcs11_startup
|
||||
in the pkcsslotd man page. Other changes made as necessary.
|
||||
|
||||
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
---
|
||||
man/man5/opencryptoki.conf.5.in | 12 +++++++++++-
|
||||
man/man8/pkcsslotd.8.in | 6 ++----
|
||||
2 files changed, 13 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/man/man5/opencryptoki.conf.5.in b/man/man5/opencryptoki.conf.5.in
|
||||
index e13c110..f3aabd1 100644
|
||||
--- a/man/man5/opencryptoki.conf.5.in
|
||||
+++ b/man/man5/opencryptoki.conf.5.in
|
||||
@@ -3,7 +3,7 @@
|
||||
opencryptoki.conf \- Configuration file for pkcsslotd.
|
||||
|
||||
.SH DESCRIPTION
|
||||
-pkcsslotd uses a configuration file at "@sysconfdir@"/opencryptoki.conf
|
||||
+pkcsslotd uses a configuration file at @sysconfdir@/opencryptoki/opencryptoki.conf
|
||||
|
||||
This is a text file that contains information used to configure
|
||||
pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to
|
||||
@@ -51,6 +51,16 @@ Version number of the slot's firmware, if any. The version number is composed
|
||||
of a major version number (the integer portion of the version) and a
|
||||
minor version number (the hundredths portion of the version).
|
||||
.TP
|
||||
+.BR confname
|
||||
+If the slot is associated with a token that has its own configuration file,
|
||||
+this option identifies the name of that configuration file.
|
||||
+For example, confname=ep11tok.conf
|
||||
+
|
||||
+.SH Notes
|
||||
+The pound sign ('#') is used to indicate a comment.
|
||||
+Both the comment character and any text after it, up to the end of the line,
|
||||
+are ignored. The comment character cannot be used inside the brackets of
|
||||
+slot descriptions, as this will cause a syntax error.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
.PD 0
|
||||
diff --git a/man/man8/pkcsslotd.8.in b/man/man8/pkcsslotd.8.in
|
||||
index c5d7280..db113e9 100644
|
||||
--- a/man/man8/pkcsslotd.8.in
|
||||
+++ b/man/man8/pkcsslotd.8.in
|
||||
@@ -29,9 +29,7 @@ manual page for details.
|
||||
.TP
|
||||
\fBopencryptoki\fP(7),
|
||||
.TP
|
||||
-\fBpkcsconf\fP(1),
|
||||
-.TP
|
||||
-\fBpk_config_data\fP(5),
|
||||
+\fBopencryptoki.conf\fP(5),
|
||||
.TP
|
||||
-\fBpkcs11_startup\fP(1).
|
||||
+\fBpkcsconf\fP(1),
|
||||
.PD
|
||||
--
|
||||
1.8.1.4
|
||||
|
@ -1,783 +0,0 @@
|
||||
From afb086ce22bd1ff4d0f1cf0768dfff3c03424096 Mon Sep 17 00:00:00 2001
|
||||
From: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
Date: Thu, 28 Aug 2014 00:36:43 -0500
|
||||
Subject: [PATCH 1/2] Add a pkcscca tool to help migrate cca private token
|
||||
objects from v2(encrypted with cca hardware) to v3 (encrypted in software)
|
||||
|
||||
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
---
|
||||
configure.in | 1 +
|
||||
usr/sbin/Makefile.am | 6 +-
|
||||
usr/sbin/pkcscca/Makefile.am | 14 +
|
||||
usr/sbin/pkcscca/pkcscca.c | 661 +++++++++++++++++++++++++++++++++++++++++++
|
||||
usr/sbin/pkcscca/pkcscca.h | 49 ++++
|
||||
5 files changed, 730 insertions(+), 1 deletion(-)
|
||||
create mode 100644 usr/sbin/pkcscca/Makefile.am
|
||||
create mode 100644 usr/sbin/pkcscca/pkcscca.c
|
||||
create mode 100644 usr/sbin/pkcscca/pkcscca.h
|
||||
|
||||
Index: opencryptoki/configure.in
|
||||
===================================================================
|
||||
--- opencryptoki.orig/configure.in
|
||||
+++ opencryptoki/configure.in
|
||||
@@ -818,6 +818,7 @@ AC_CONFIG_FILES([Makefile usr/Makefile \
|
||||
usr/sbin/pkcsslotd/Makefile \
|
||||
usr/sbin/pkcsconf/Makefile \
|
||||
usr/sbin/pkcsicsf/Makefile \
|
||||
+ usr/sbin/pkcscca/Makefile \
|
||||
usr/sbin/pkcscca_migrate/Makefile \
|
||||
usr/sbin/pkcsep11_migrate/Makefile \
|
||||
usr/lib/pkcs11/methods/Makefile \
|
||||
Index: opencryptoki/usr/sbin/Makefile.am
|
||||
===================================================================
|
||||
--- opencryptoki.orig/usr/sbin/Makefile.am
|
||||
+++ opencryptoki/usr/sbin/Makefile.am
|
||||
@@ -11,4 +11,8 @@ if ENABLE_PKCSEP11_MIGRATE
|
||||
PKCSEP11_MIGRATE_DIR = pkcsep11_migrate
|
||||
endif
|
||||
|
||||
-SUBDIRS = pkcsslotd pkcsconf $(PKCSICSF_DIR) $(PKCSCCA_MIGRATE_DIR) $(PKCSEP11_MIGRATE_DIR)
|
||||
+if ENABLE_CCATOK
|
||||
+PKCSCCA_DIR = pkcscca
|
||||
+endif
|
||||
+
|
||||
+SUBDIRS = pkcsslotd pkcsconf $(PKCSICSF_DIR) $(PKCSCCA_MIGRATE_DIR) $(PKCSEP11_MIGRATE_DIR) $(PKCSCCA_DIR)
|
||||
Index: opencryptoki/usr/sbin/pkcscca/Makefile.am
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ opencryptoki/usr/sbin/pkcscca/Makefile.am
|
||||
@@ -0,0 +1,14 @@
|
||||
+sbin_PROGRAMS=pkcscca
|
||||
+
|
||||
+pkcscca_CFLAGS = -DSTDLL_NAME=\"pkcscca\"
|
||||
+pkcscca_LDFLAGS = -lcrypto -ldl
|
||||
+
|
||||
+# Not all versions of automake observe sbinname_CFLAGS
|
||||
+AM_CFLAGS = -DSTDLL_NAME=\"pkcscca\"
|
||||
+
|
||||
+pkcscca_SOURCES = ../../lib/pkcs11/common/p11util.c \
|
||||
+ ../../lib/pkcs11/common/sw_crypt.c \
|
||||
+ ../../lib/pkcs11/common/log.c \
|
||||
+ pkcscca.c
|
||||
+
|
||||
+INCLUDES = -I. -I../../include/pkcs11 -I../../lib/pkcs11/common
|
||||
Index: opencryptoki/usr/sbin/pkcscca/pkcscca.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ opencryptoki/usr/sbin/pkcscca/pkcscca.c
|
||||
@@ -0,0 +1,661 @@
|
||||
+/*
|
||||
+ * Licensed materials - Property of IBM
|
||||
+ *
|
||||
+ * pkcscca - A tool for PKCS#11 CCA token.
|
||||
+ * Currently, only migrates CCA private token objects from CCA cipher
|
||||
+ * to using a software cipher.
|
||||
+ *
|
||||
+ *
|
||||
+ * Copyright (C) International Business Machines Corp. 2014
|
||||
+ *
|
||||
+ */
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <unistd.h>
|
||||
+#include <string.h>
|
||||
+#include <getopt.h>
|
||||
+#include <termios.h>
|
||||
+#include <dlfcn.h>
|
||||
+#include <errno.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <linux/limits.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#include <pkcs11types.h>
|
||||
+
|
||||
+#include "sw_crypt.h"
|
||||
+#include "pkcscca.h"
|
||||
+
|
||||
+void (*CSNBDEC)();
|
||||
+int v_flag = 0;
|
||||
+
|
||||
+int compute_hash(int hash_type, int buf_size, char *buf, char *digest)
|
||||
+{
|
||||
+ EVP_MD_CTX md_ctx;
|
||||
+ unsigned int result_size;
|
||||
+ int rc;
|
||||
+
|
||||
+ switch (hash_type) {
|
||||
+ case HASH_SHA1:
|
||||
+ rc = EVP_DigestInit(&md_ctx, EVP_sha1());
|
||||
+ break;
|
||||
+ case HASH_MD5:
|
||||
+ rc = EVP_DigestInit(&md_ctx, EVP_md5());
|
||||
+ break;
|
||||
+ default:
|
||||
+ return -1;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (rc != 1) {
|
||||
+ fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ rc = EVP_DigestUpdate(&md_ctx, buf, buf_size);
|
||||
+ if (rc != 1) {
|
||||
+ fprintf(stderr, "EVP_DigestUpdate() failed: rc = %d\n", rc);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ result_size = EVP_MD_CTX_size(&md_ctx);
|
||||
+ rc = EVP_DigestFinal(&md_ctx, (unsigned char *)digest, &result_size);
|
||||
+ if (rc != 1) {
|
||||
+ fprintf(stderr, "EVP_DigestFinal() failed: rc = %d\n", rc);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int cca_decrypt(unsigned char *in_data, unsigned long in_data_len,
|
||||
+ unsigned char *out_data, unsigned long *out_data_len,
|
||||
+ unsigned char *init_v, unsigned char *key_value)
|
||||
+{
|
||||
+ long return_code, reason_code, rule_array_count, length;
|
||||
+ unsigned char chaining_vector[18];
|
||||
+ unsigned char rule_array[256];
|
||||
+
|
||||
+ length = in_data_len;
|
||||
+ rule_array_count = 1;
|
||||
+ memcpy(rule_array, "CBC ", 8);
|
||||
+
|
||||
+ CSNBDEC(&return_code, &reason_code, NULL, NULL, key_value,
|
||||
+ &length, in_data, init_v, &rule_array_count,
|
||||
+ rule_array, chaining_vector, out_data);
|
||||
+
|
||||
+ if (return_code != 0) {
|
||||
+ fprintf(stderr, "CSNBDEC (DES3 DECRYPT) failed: return_code=%ld reason_code=%ld\n", return_code, reason_code);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ *out_data_len = length;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int reencrypt_private_token_object(unsigned char *data, unsigned long len,
|
||||
+ unsigned char *new_cipher,
|
||||
+ unsigned long *new_cipher_len,
|
||||
+ unsigned char *masterkey)
|
||||
+{
|
||||
+ unsigned char *clear = NULL;
|
||||
+ unsigned char des3_key[64];
|
||||
+ unsigned char sw_des3_key[3 * DES_KEY_SIZE];
|
||||
+ unsigned long clear_len;
|
||||
+ CK_RV rc;
|
||||
+ int ret;
|
||||
+
|
||||
+ /* cca wants 8 extra bytes for padding purposes */
|
||||
+ clear_len = len + 8;
|
||||
+ clear = (unsigned char *) malloc(clear_len);
|
||||
+ if (!clear) {
|
||||
+ fprintf(stderr, "malloc() failed: %s.\n", strerror(errno));
|
||||
+ ret =-1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* decrypt using cca des3 */
|
||||
+ memcpy(des3_key, masterkey, MASTER_KEY_SIZE);
|
||||
+ ret = cca_decrypt(data, len, clear, &clear_len, "10293847", des3_key);
|
||||
+ if (ret)
|
||||
+ goto done;
|
||||
+
|
||||
+ /* now encrypt using software des3 */
|
||||
+ memcpy(sw_des3_key, masterkey, 3 * DES_KEY_SIZE);
|
||||
+ rc = sw_des3_cbc_encrypt(clear, clear_len, new_cipher, new_cipher_len,
|
||||
+ "10293847", sw_des3_key);
|
||||
+ if (rc != CKR_OK)
|
||||
+ ret = -1;
|
||||
+done:
|
||||
+ if (clear)
|
||||
+ free(clear);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int load_private_token_objects(unsigned char *data_store,
|
||||
+ unsigned char *masterkey)
|
||||
+{
|
||||
+ FILE *fp1 = NULL, *fp2 = NULL;
|
||||
+ unsigned char *buf = NULL;
|
||||
+ unsigned char tmp[PATH_MAX], fname[PATH_MAX], iname[PATH_MAX];
|
||||
+ CK_BBOOL priv;
|
||||
+ unsigned int size;
|
||||
+ int rc, scount= 0, fcount = 0;
|
||||
+ size_t read_size;
|
||||
+ unsigned char *new_cipher;
|
||||
+ unsigned long new_cipher_len;
|
||||
+
|
||||
+ snprintf(iname, sizeof(iname), "%s/TOK_OBJ/OBJ.IDX", data_store);
|
||||
+
|
||||
+ fp1 = fopen((char *)iname, "r");
|
||||
+ if (!fp1)
|
||||
+ return -1; // no token objects
|
||||
+
|
||||
+ while (!feof(fp1)) {
|
||||
+ (void)fgets((char *)tmp, 50, fp1);
|
||||
+ if (!feof(fp1)) {
|
||||
+ tmp[strlen((char *)tmp) - 1] = 0;
|
||||
+
|
||||
+ snprintf((char *)fname, sizeof(fname), "%s/TOK_OBJ/",
|
||||
+ data_store);
|
||||
+ strcat((char *)fname, (char *)tmp);
|
||||
+
|
||||
+ fp2 = fopen((char *)fname, "r");
|
||||
+ if (!fp2)
|
||||
+ continue;
|
||||
+
|
||||
+ fread(&size, sizeof(unsigned int), 1, fp2);
|
||||
+ fread(&priv, sizeof(CK_BBOOL), 1, fp2);
|
||||
+ if (priv == FALSE) {
|
||||
+ fclose(fp2);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ size = size - sizeof(unsigned int) - sizeof(CK_BBOOL);
|
||||
+ buf = (unsigned char *) malloc(size);
|
||||
+ if (!buf) {
|
||||
+ fprintf(stderr, "Cannot malloc for object %s "
|
||||
+ "(ignoring it).\n", tmp);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ read_size = fread((char *)buf, 1, size, fp2);
|
||||
+ if (read_size != size) {
|
||||
+ fprintf(stderr, "Cannot read object %s "
|
||||
+ "(ignoring it).\n", tmp);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ new_cipher_len = size;
|
||||
+ new_cipher = malloc(new_cipher_len);
|
||||
+ if (!new_cipher) {
|
||||
+ fprintf(stderr, "Cannot malloc space for new "
|
||||
+ "cipher (ignoring object %s).\n", tmp);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ /* After reading the private token object,
|
||||
+ * decrypt it using CCA des3 and then re-encrypt it
|
||||
+ * using software des3.
|
||||
+ */
|
||||
+ memset(new_cipher, 0, new_cipher_len);
|
||||
+ rc = reencrypt_private_token_object(buf, size,
|
||||
+ new_cipher, &new_cipher_len,
|
||||
+ masterkey);
|
||||
+ if (rc)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ fclose(fp2);
|
||||
+
|
||||
+ /* now save the newly re-encrypted object back to
|
||||
+ * disk in its original file.
|
||||
+ */
|
||||
+ fp2 = fopen((char *)fname, "w");
|
||||
+ size = sizeof(unsigned int) + sizeof(CK_BBOOL)
|
||||
+ + new_cipher_len;
|
||||
+ (void)fwrite(&size, sizeof(unsigned int), 1, fp2);
|
||||
+ (void)fwrite(&priv, sizeof(CK_BBOOL), 1, fp2);
|
||||
+ (void)fwrite(new_cipher, new_cipher_len, 1, fp2);
|
||||
+ rc = 0;
|
||||
+
|
||||
+cleanup:
|
||||
+ if (fp2)
|
||||
+ fclose(fp2);
|
||||
+ if (buf)
|
||||
+ free(buf);
|
||||
+ if (new_cipher)
|
||||
+ free(new_cipher);
|
||||
+
|
||||
+ if (rc) {
|
||||
+ if (v_flag)
|
||||
+ printf("Failed to process %s\n", fname);
|
||||
+ fcount++;
|
||||
+ } else {
|
||||
+ if (v_flag)
|
||||
+ printf("Processed %s.\n", fname);
|
||||
+ scount++;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ fclose(fp1);
|
||||
+ printf("Successfully migrated %d object(s).\n", scount);
|
||||
+
|
||||
+ if (v_flag && fcount)
|
||||
+ printf("Failed to migrate %d object(s).\n", fcount);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int load_masterkey(char *mkfile, char *pin, char *masterkey)
|
||||
+{
|
||||
+ unsigned char des3_key[3 * DES_KEY_SIZE];
|
||||
+ unsigned char hash_sha[SHA1_HASH_SIZE];
|
||||
+ unsigned char pin_md5_hash[MD5_HASH_SIZE];
|
||||
+ unsigned char *cipher = NULL;
|
||||
+ unsigned char *clear = NULL;
|
||||
+ unsigned long cipher_len, clear_len;
|
||||
+ int ret;
|
||||
+ CK_RV rc;
|
||||
+ FILE *fp = NULL;
|
||||
+
|
||||
+ clear_len = cipher_len = MASTER_KEY_SIZE + SHA1_HASH_SIZE + (DES_BLOCK_SIZE - 1) & ~(DES_BLOCK_SIZE - 1);
|
||||
+
|
||||
+ fp = fopen((char *)mkfile, "r");
|
||||
+ if (!fp) {
|
||||
+ fprintf(stderr, "Could not open %s: %s\n", mkfile,
|
||||
+ strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ cipher = malloc(cipher_len);
|
||||
+ clear = malloc(clear_len);
|
||||
+ if (cipher == NULL || clear == NULL) {
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = fread(cipher, cipher_len, 1, fp);
|
||||
+ if (ret != 1) {
|
||||
+ fprintf(stderr, "Could not read %s: %s\n", mkfile,
|
||||
+ strerror(errno));
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* decrypt the masterkey */
|
||||
+
|
||||
+ ret = compute_md5(pin, strlen(pin), pin_md5_hash);
|
||||
+ if (ret) {
|
||||
+ fprintf(stderr, "Error calculating MD5 of PIN!\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ memcpy(des3_key, pin_md5_hash, MD5_HASH_SIZE);
|
||||
+ memcpy(des3_key + MD5_HASH_SIZE, pin_md5_hash, DES_KEY_SIZE);
|
||||
+
|
||||
+ rc = sw_des3_cbc_decrypt(cipher, cipher_len, clear, &clear_len,
|
||||
+ (unsigned char *)"12345678", des3_key);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ fprintf(stderr, "Error decrypting master key file after read");
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * technically should strip PKCS padding here but since I already know
|
||||
+ * what the length should be, I don't bother.
|
||||
+ *
|
||||
+ * compare the hashes to verify integrity
|
||||
+ */
|
||||
+
|
||||
+ ret = compute_sha1(clear, MASTER_KEY_SIZE, hash_sha);
|
||||
+ if (ret) {
|
||||
+ fprintf(stderr, "Failed to compute sha for masterkey.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (memcmp(hash_sha, clear + MASTER_KEY_SIZE, SHA1_HASH_SIZE) != 0) {
|
||||
+ fprintf(stderr, "%s appears to have been tampered!\n", mkfile);
|
||||
+ fprintf(stderr, "Cannot migrate.\n");
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ memcpy(masterkey, clear, MASTER_KEY_SIZE);
|
||||
+ ret = 0;
|
||||
+
|
||||
+done:
|
||||
+ if (fp)
|
||||
+ fclose(fp);
|
||||
+ if (clear)
|
||||
+ free(clear);
|
||||
+ if (cipher)
|
||||
+ free(cipher);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int get_pin(char **pin, size_t *pinlen)
|
||||
+{
|
||||
+ struct termios old, new;
|
||||
+ int nread;
|
||||
+ char *buff = NULL;
|
||||
+ size_t buflen;
|
||||
+ int rc = 0;
|
||||
+
|
||||
+ /* turn echoing off */
|
||||
+ if (tcgetattr(fileno(stdin), &old) != 0)
|
||||
+ return -1;
|
||||
+
|
||||
+ new = old;
|
||||
+ new.c_lflag &= ~ECHO;
|
||||
+ if (tcsetattr (fileno(stdin), TCSAFLUSH, &new) != 0)
|
||||
+ return -1;
|
||||
+
|
||||
+ /* read the pin
|
||||
+ * Note: getline will allocate memory for buff. free it when done.
|
||||
+ */
|
||||
+ nread = getline(&buff, &buflen, stdin);
|
||||
+ if (nread == -1) {
|
||||
+ rc = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Restore terminal */
|
||||
+ (void) tcsetattr(fileno(stdin), TCSAFLUSH, &old);
|
||||
+
|
||||
+ /* start a newline */
|
||||
+ printf("\n");
|
||||
+ fflush(stdout);
|
||||
+
|
||||
+ /* Allocate PIN.
|
||||
+ * Note: nread includes carriage return.
|
||||
+ * Replace with terminating NULL.
|
||||
+ */
|
||||
+ *pin = (unsigned char *)malloc(nread);
|
||||
+ if (*pin == NULL) {
|
||||
+ rc = -ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* strip the carriage return since not part of pin. */
|
||||
+ buff[nread - 1] = '\0';
|
||||
+ memcpy(*pin, buff, nread);
|
||||
+ /* don't include the terminating null in the pinlen */
|
||||
+ *pinlen = nread - 1;
|
||||
+
|
||||
+done:
|
||||
+ if (buff)
|
||||
+ free(buff);
|
||||
+
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
+int verify_pins(char *data_store, char *sopin, unsigned long sopinlen,
|
||||
+ char *userpin, unsigned long userpinlen)
|
||||
+{
|
||||
+ TOKEN_DATA td;
|
||||
+ unsigned char fname[PATH_MAX];
|
||||
+ unsigned char pin_sha[SHA1_HASH_SIZE];
|
||||
+ FILE *fp = NULL;
|
||||
+ int ret;
|
||||
+
|
||||
+ /* read the NVTOK.DAT */
|
||||
+ snprintf(fname, PATH_MAX, "%s/NVTOK.DAT", data_store);
|
||||
+ fp = fopen((char *)fname, "r");
|
||||
+ if (!fp) {
|
||||
+ fprintf(stderr, "Could not open %s: %s\n", fname,
|
||||
+ strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ ret = fread(&td, sizeof(TOKEN_DATA), 1, fp);
|
||||
+ if (ret != 1) {
|
||||
+ fprintf(stderr, "Could not read %s: %s\n", fname,
|
||||
+ strerror(errno));
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Now compute the SHAs for the SO and USER pins entered.
|
||||
+ * Compare with the SHAs for SO and USER PINs saved in
|
||||
+ * NVTOK.DAT to verify.
|
||||
+ */
|
||||
+
|
||||
+ if (sopin != NULL) {
|
||||
+ ret = compute_sha1(sopin, sopinlen, pin_sha);
|
||||
+ if (ret) {
|
||||
+ fprintf(stderr, "Failed to compute sha for SO.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (memcmp(td.so_pin_sha, pin_sha, SHA1_HASH_SIZE) != 0) {
|
||||
+ fprintf(stderr, "SO PIN is incorrect.\n");
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (userpin != NULL) {
|
||||
+ ret = compute_sha1(userpin, userpinlen, pin_sha);
|
||||
+ if (ret) {
|
||||
+ fprintf(stderr, "Failed to compute sha for USER.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (memcmp(td.user_pin_sha, pin_sha, SHA1_HASH_SIZE) != 0) {
|
||||
+ fprintf(stderr, "USER PIN is incorrect.\n");
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+ ret = 0;
|
||||
+
|
||||
+done:
|
||||
+ /* clear out the hash */
|
||||
+ memset(pin_sha, 0, SHA1_HASH_SIZE);
|
||||
+ if (fp)
|
||||
+ fclose(fp);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+void usage(char *progname)
|
||||
+{
|
||||
+ printf("usage:\t%s -h | -m v2objectsv3 [OPTIONS] \n", progname);
|
||||
+ printf(" -h\t\t\t\tshow this help\n");
|
||||
+ printf(" -m=migration_type\t\tCurrently the only type of CCA ");
|
||||
+ printf("migration\n\t\t\t\tsupported is v2objectsv3. v2objectsv3 ");
|
||||
+ printf("migrates\n\t\t\t\tCCA private token objects from CCA ");
|
||||
+ printf("encryption\n\t\t\t\t(used in v2)to software encryption ");
|
||||
+ printf("(used in v3). \n\n");
|
||||
+ printf("Migrate options (with -m v2objectsv3):\n");
|
||||
+ printf(" -d, --datastore=DIRECTORY\tCCA token datastore location\n");
|
||||
+ printf(" -v, --verbose\t\t\tprovide more detailed output\n");
|
||||
+
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+int main(int argc, char **argv)
|
||||
+{
|
||||
+ int ret, opt;
|
||||
+ unsigned int m_flag = 0;
|
||||
+ char *sopin = NULL, *userpin = NULL;
|
||||
+ size_t sopinlen, userpinlen;
|
||||
+ unsigned char masterkey[MASTER_KEY_SIZE];
|
||||
+ unsigned char *data_store = NULL;
|
||||
+ unsigned char *m_type = NULL;
|
||||
+ int data_store_len;
|
||||
+ char fname[PATH_MAX];
|
||||
+ struct stat statbuf;
|
||||
+ void *lib_csulcca;
|
||||
+
|
||||
+ struct option long_opts[] = {
|
||||
+ { "datastore", required_argument, NULL, 'd' },
|
||||
+ { "verbose", no_argument, NULL, 'v'},
|
||||
+ { 0, 0, 0, 0 }
|
||||
+ };
|
||||
+
|
||||
+ int long_index;
|
||||
+ while ((opt = getopt_long(argc, argv, "d:m:hv", long_opts, NULL)) != -1) {
|
||||
+ switch (opt) {
|
||||
+ case 'd':
|
||||
+ data_store = strdup(optarg);
|
||||
+ break;
|
||||
+
|
||||
+ case 'h':
|
||||
+ usage(argv[0]);
|
||||
+ return 0;
|
||||
+
|
||||
+ case 'm':
|
||||
+ m_type = strdup(optarg);
|
||||
+ break;
|
||||
+
|
||||
+ case 'v':
|
||||
+ v_flag++;
|
||||
+ break;
|
||||
+
|
||||
+ default:
|
||||
+ usage(argv[0]);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (m_type) {
|
||||
+ if (memcmp(m_type, "v2objectsv3", strlen("v2objectsv3"))) {
|
||||
+ fprintf(stderr, "unknown migration type\n");
|
||||
+ usage(argv[0]);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* use default data_store if one is not given */
|
||||
+ if (data_store == NULL) {
|
||||
+ data_store_len = strlen(TOK_DATASTORE);
|
||||
+ data_store = malloc(data_store_len + 1);
|
||||
+ if (data_store == NULL) {
|
||||
+ fprintf(stderr, "malloc failed: %s\n",strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+ memset(data_store, 0, data_store_len + 1);
|
||||
+ memcpy(data_store, TOK_DATASTORE, data_store_len);
|
||||
+ }
|
||||
+
|
||||
+ /* Verify that the data store is valid by looking for
|
||||
+ * MK_SO, MK_USER, and TOK_OBJ/OBJ.IDX.
|
||||
+ */
|
||||
+
|
||||
+ memset(fname, 0, PATH_MAX);
|
||||
+ snprintf(fname, PATH_MAX, "%s/MK_SO", data_store);
|
||||
+ if (stat(fname, &statbuf) != 0) {
|
||||
+ fprintf(stderr, "Cannot find %s.\n", fname);
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ memset(fname, 0, PATH_MAX);
|
||||
+ snprintf(fname, PATH_MAX, "%s/MK_USER", data_store);
|
||||
+ if (stat(fname, &statbuf) != 0) {
|
||||
+ fprintf(stderr, "Cannot find %s.\n", fname);
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ memset(fname, 0, PATH_MAX);
|
||||
+ snprintf(fname, PATH_MAX, "%s/TOK_OBJ/OBJ.IDX", data_store);
|
||||
+ if (stat(fname, &statbuf) != 0) {
|
||||
+ fprintf(stderr, "Cannot find %s.\n", fname);
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* If the OBJ.IDX is empty, then no objects to migrate. */
|
||||
+ if (statbuf.st_size == 0) {
|
||||
+ printf("OBJ.IDX file is empty. Thus no objects to migrate.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (v_flag)
|
||||
+ printf("%s has an MK_SO, MK_USER and TOK/OBJ.IDX\n",
|
||||
+ data_store);
|
||||
+
|
||||
+ /* get the SO pin to authorize migration */
|
||||
+ printf("Enter the SO PIN: ");
|
||||
+ fflush(stdout);
|
||||
+ ret = get_pin(&sopin, &sopinlen);
|
||||
+ if (ret != 0) {
|
||||
+ fprintf(stderr, "Could not get SO PIN.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* get the USER pin to authorize migration */
|
||||
+ printf("Enter the USER PIN: ");
|
||||
+ fflush(stdout);
|
||||
+ ret = get_pin(&userpin, &userpinlen);
|
||||
+
|
||||
+ if (ret != 0) {
|
||||
+ fprintf(stderr, "Could not get USER PIN.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Verify the SO and USER PINs entered. */
|
||||
+ ret = verify_pins(data_store, sopin, sopinlen, userpin, userpinlen);
|
||||
+ if (ret)
|
||||
+ goto done;
|
||||
+
|
||||
+ lib_csulcca = dlopen(CCA_LIBRARY, (RTLD_GLOBAL | RTLD_NOW));
|
||||
+ if (lib_csulcca == NULL) {
|
||||
+ fprintf(stderr, "dlopen(%s) failed: %s\n", CCA_LIBRARY,
|
||||
+ strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ CSNBDEC = dlsym(lib_csulcca, "CSNBDEC");
|
||||
+
|
||||
+ /* Get the masterkey from MK_SO.
|
||||
+ * This also helps verify that correct SO pin was entered.
|
||||
+ */
|
||||
+ memset(masterkey, 0, MASTER_KEY_SIZE);
|
||||
+ memset(fname, 0, PATH_MAX);
|
||||
+ snprintf(fname, PATH_MAX, "%s/MK_SO", data_store);
|
||||
+ ret = load_masterkey(fname, sopin, masterkey);
|
||||
+ if (ret) {
|
||||
+ fprintf(stderr, "Could not load masterkey from MK_SO.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (v_flag)
|
||||
+ printf("Successfully verified SO Pin.\n");
|
||||
+
|
||||
+ /* Get the masterkey from MK_USER.
|
||||
+ * This also helps verift that correct USER pin was entered.
|
||||
+ */
|
||||
+ memset(masterkey, 0, MASTER_KEY_SIZE);
|
||||
+ memset(fname, 0, PATH_MAX);
|
||||
+ snprintf(fname, PATH_MAX, "%s/MK_USER", data_store);
|
||||
+ ret = load_masterkey(fname, userpin, masterkey);
|
||||
+ if (ret) {
|
||||
+ fprintf(stderr, "Could not load masterkey from MK_USER.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (v_flag)
|
||||
+ printf("Successfully verified USER Pin.\n");
|
||||
+
|
||||
+ /* Load all the private token objects and re-encrypt them
|
||||
+ * using software des3, instead of CSNBENC.
|
||||
+ */
|
||||
+ (void)load_private_token_objects(data_store, masterkey);
|
||||
+
|
||||
+done:
|
||||
+
|
||||
+ if (sopin)
|
||||
+ free(sopin);
|
||||
+ if (userpin)
|
||||
+ free(userpin);
|
||||
+ if (data_store)
|
||||
+ free(data_store);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
Index: opencryptoki/usr/sbin/pkcscca/pkcscca.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ opencryptoki/usr/sbin/pkcscca/pkcscca.h
|
||||
@@ -0,0 +1,49 @@
|
||||
+/*
|
||||
+ * Licensed materials - Property of IBM
|
||||
+ *
|
||||
+ * pkcscca - A tool for PKCS#11 CCA token.
|
||||
+ * Currently, only migrates CCA private token objects from using a
|
||||
+ * CCA cipher to using a software cipher.
|
||||
+ *
|
||||
+ * Copyright (C) International Business Machines Corp. 2014
|
||||
+ *
|
||||
+ */
|
||||
+
|
||||
+
|
||||
+#ifndef __PKCSCCA_H_
|
||||
+#define __PKCSCCA_H_
|
||||
+
|
||||
+#define CCA_LIBRARY "libcsulcca.so"
|
||||
+#define TOK_DATASTORE "/var/lib/opencryptoki/ccatok"
|
||||
+#define MASTER_KEY_SIZE 64
|
||||
+#define SHA1_HASH_SIZE 20
|
||||
+#define MD5_HASH_SIZE 16
|
||||
+#define DES_BLOCK_SIZE 8
|
||||
+#define DES_KEY_SIZE 8
|
||||
+#define compute_sha1(a,b,c) compute_hash(HASH_SHA1,b,a,c)
|
||||
+#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c)
|
||||
+#define HASH_SHA1 1
|
||||
+#define HASH_MD5 2
|
||||
+
|
||||
+/* from host_defs.h */
|
||||
+#include "pkcs32.h"
|
||||
+typedef struct _TWEAK_VEC
|
||||
+{
|
||||
+ int allow_weak_des ;
|
||||
+ int check_des_parity ;
|
||||
+ int allow_key_mods ;
|
||||
+ int netscape_mods ;
|
||||
+} TWEAK_VEC;
|
||||
+
|
||||
+typedef struct _TOKEN_DATA
|
||||
+{
|
||||
+ CK_TOKEN_INFO_32 token_info;
|
||||
+
|
||||
+ CK_BYTE user_pin_sha[3 * DES_BLOCK_SIZE];
|
||||
+ CK_BYTE so_pin_sha[3 * DES_BLOCK_SIZE];
|
||||
+ CK_BYTE next_token_object_name[8];
|
||||
+ TWEAK_VEC tweak_vector;
|
||||
+} TOKEN_DATA;
|
||||
+
|
||||
+
|
||||
+#endif
|
@ -1,281 +0,0 @@
|
||||
From 13eda6d102b8c44f85cf4eac094ff8a964c630f4 Mon Sep 17 00:00:00 2001
|
||||
From: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
Date: Mon, 1 Sep 2014 22:46:37 -0500
|
||||
Subject: [PATCH 2/2] Add documentation (pkcscca manpage and README.cca_stdll)
|
||||
to assist in migrating cca private token objects from v2 to v3.
|
||||
|
||||
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
|
||||
---
|
||||
configure.in | 1 +
|
||||
doc/README.cca_stdll | 175 ++++++++++++++++++++++++++++++++++++++++++++++----
|
||||
man/man1/Makefile.am | 2 +-
|
||||
man/man1/pkcscca.1.in | 45 +++++++++++++
|
||||
4 files changed, 209 insertions(+), 14 deletions(-)
|
||||
create mode 100644 man/man1/pkcscca.1.in
|
||||
|
||||
diff --git a/configure.in b/configure.in
|
||||
index f3fbe70..3e7e5e8 100644
|
||||
--- a/configure.in
|
||||
+++ b/configure.in
|
||||
@@ -843,6 +843,7 @@ AC_CONFIG_FILES([Makefile usr/Makefile \
|
||||
man/man1/Makefile \
|
||||
man/man1/pkcsconf.1 \
|
||||
man/man1/pkcsicsf.1 \
|
||||
+ man/man1/pkcscca.1 \
|
||||
man/man1/pkcsep11_migrate.1 \
|
||||
man/man5/Makefile \
|
||||
man/man5/opencryptoki.conf.5 \
|
||||
diff --git a/doc/README.cca_stdll b/doc/README.cca_stdll
|
||||
index f535dfa..a0d13f1 100644
|
||||
--- a/doc/README.cca_stdll
|
||||
+++ b/doc/README.cca_stdll
|
||||
@@ -1,24 +1,173 @@
|
||||
+CCA TOKEN
|
||||
|
||||
-README for the CCA secure-key token
|
||||
+OverView
|
||||
+--------
|
||||
+The CCA token is a secure key token.
|
||||
+A Secure key - key value does not exist in the clear outside of the HSM
|
||||
+(secure, tamper-resistent boundary of the card). It is a clear key wrapped
|
||||
+with the appropriate MasterKey that has been installed into the secure hardware.
|
||||
+A clear key is generated in the hardware, wrapped with the appropriate
|
||||
+master key that has been installed into the hardware. The wrapped key is then
|
||||
+passed back to the invoker. Upon an encryption and/or decryption request,
|
||||
+the wrapped key and the data to be encrypted are passed into the hardware.
|
||||
+The wrapped key is verified, and the clear key is used to encrypt and/or
|
||||
+decrypt the data. All this is done in the CCA hardware.
|
||||
|
||||
-Kent Yoder <yoder1@us.ibm.com>
|
||||
+Within opencryptoki, this wrapped key value is stored in the CKA_IBM_OPAQUE
|
||||
+attribute rather than the CKA_VALUE attribute.
|
||||
|
||||
- The key used to encrypt private objects on disk is a secure key.
|
||||
+Pre-requisites:
|
||||
+The CCA token requires cca library, libcsulcca.so, which is part of the
|
||||
+csulcca rpm.
|
||||
+It also requires proper configuration and installation of the MK keys into
|
||||
+the hardware which is outside the scope of this document.
|
||||
|
||||
- The key used to encrypt that secure key is based on the hash of the
|
||||
-USER and SO pins. Therefore it is a clear key and software is used to
|
||||
-do the encryption/decryption of the secure key.
|
||||
+Configuration
|
||||
+-------------
|
||||
|
||||
-MK_USER: The secure key used for internal on-disk encryption, encrypted
|
||||
+To use the CCA token a slot entry must be defined in the
|
||||
+opencryptoki.conf configuration file that sets the stdll attribute to
|
||||
+libcsulcca.so.
|
||||
+
|
||||
+The CCA token also requires that the appropriate master keys have
|
||||
+been installed into the hardware. The corresponding driver must also be
|
||||
+loaded, i.e. modprobe z90crypt.
|
||||
+
|
||||
+CCA Token Objects
|
||||
+-------------------------
|
||||
+
|
||||
+Opencryptoki stores token objects on disk. Public token objects are not
|
||||
+encrypted. Private token objects are encrypted.
|
||||
+Versions of opencryptoki prior to version 3, used a CCA generated secure key
|
||||
+(des3 key) and the crypto adapter to encrypt the private token object's data.
|
||||
+In version 3, a clear key (des3 key) and software crypto (openssl) are used
|
||||
+to encrypt this data.
|
||||
+
|
||||
+Migration Information
|
||||
+---------------------
|
||||
+
|
||||
+Migrating version 2 private token objects to version 3 is ONLY required if
|
||||
+the system will run opencryptoki version 3 and will use private token
|
||||
+objects saved or preserved from version 2.
|
||||
+Note, public token objects do not need to be migrated.
|
||||
+If there are no private token objects from version 2, then the version 3
|
||||
+does not require any migrating.
|
||||
+
|
||||
+In version 2 private token objects are encrypted and decrypted with a secure
|
||||
+key in the crypto adapter. In version 3, this encryption and decryption is
|
||||
+done with a clear key using software crypto. Therefore, opencryptoki
|
||||
+version 3, will not succesfully decrypt a version 2 private token object.
|
||||
+
|
||||
+Version 2 private token objects must be "migrated" to version 3 so that
|
||||
+opencryptoki version 3 can access these objects. This migration will
|
||||
+decrypt the objects using the CCA call, CSNBDEC and the current
|
||||
+opencryptoki key stored in MK_USER. The objects will then be re-encrypted
|
||||
+using software crypto. The key bits that are stored in MK_USER will then be
|
||||
+used as a clear key.
|
||||
+
|
||||
+Once the migration has completed, these private token objects should then be
|
||||
+accessable to version 3.
|
||||
+
|
||||
+Migration Steps
|
||||
+---------------
|
||||
+
|
||||
+1. Either update or install version 3.
|
||||
+a. Update to opencryptoki version 3. In most linux distributions, an update
|
||||
+from version 2 to version 3 will preserve the contents of the CCA data-store.
|
||||
+
|
||||
+b. Install opencryptoki version 3. In most distributions, an install will
|
||||
+remove the contents of the CCA data-store. You will essentially be starting
|
||||
+from the beginning and have to initialize the CCA token.
|
||||
+
|
||||
+In this scenario, if a prior version of opencryptoki had been running on the
|
||||
+system, and you wanted to preserve your token objects, you will have saved
|
||||
+or backed them up somewhere.
|
||||
+
|
||||
+2. Backup the CCA data-store before migrating. It is always a good idea to
|
||||
+back up the data in case the migration is unsuccessful or data is corrupted.
|
||||
+The data-store is the directory in which the CCA token information is stored
|
||||
+on disk. In most distributions it can be found in /var/lib/opencryptoki/ccatok.
|
||||
+Within this directory there is,
|
||||
+
|
||||
+MK_USER: The des3 key used for internal on-disk encryption, encrypted
|
||||
under the USER's PIN by software routines
|
||||
|
||||
-MK_SO: The secure key used for internal on-disk encryption, encrypted
|
||||
+MK_SO: The des3 key used for internal on-disk encryption, encrypted
|
||||
under the SO's PIN by software routines
|
||||
|
||||
-So, MK_USER and MK_SO contain the same key, encrypted under different PINs
|
||||
+NKTOK.DAT: Token information.
|
||||
+
|
||||
+TOK_OBJ: The directory in which token objects are stored.
|
||||
+
|
||||
+TOK_OBJ/OBJ.IDX: A list of current token objects.
|
||||
+
|
||||
+**NOTE: MK_USER and MK_SO contain the same key, encrypted under
|
||||
+different PINs
|
||||
+
|
||||
+3. Ensure no opencryptoki processes are running. Stop the pkcsslotd daemon
|
||||
+if it is running.
|
||||
+
|
||||
+4. Run the pkcscca tool to perform the migration.
|
||||
+For example,
|
||||
+ pkcscca -m v2objectsv3 -v
|
||||
+
|
||||
+Note that the "-v" option will allow you to see which objects did and did not
|
||||
+get migrated. Specify the "-d" flag if you wish to migrate CCA token objects
|
||||
+stored in a data-store different from the default, /var/lib/opencryptoki/ccatok.
|
||||
+
|
||||
+5. (Optional) Removing shared memory may be required to pick up
|
||||
+the newly migrated objects.
|
||||
+
|
||||
+CCA token's shared memory segment tracks its token objects.
|
||||
+Token objects stored on disk are only loaded into shared memory
|
||||
+when the shared memory is created. The shared memory is usually
|
||||
+created after a reboot, an install, or an update of the opencryptoki package.
|
||||
+
|
||||
+If another opencryptoki process accessed the CCA token after install
|
||||
+or update, then opencryptoki will have loaded all the token objects into
|
||||
+shared memory, except for the private token objects requiring migration,
|
||||
+since they will have failed decryption. Subsequent calls to the
|
||||
+opencryptoki api will not find these objects since they have not
|
||||
+been loaded into shared memory. Opencryptoki won't read the
|
||||
+objects from disk and load into shared memory again until the next time
|
||||
+shared memory is created.
|
||||
+
|
||||
+So, in this case, shared memory must be removed and created again so
|
||||
+that opencryptoki can successfuly load all the token objects including the
|
||||
+newly migrated private token objects into CCA token's shared memory segment.
|
||||
+
|
||||
+Remove shared memory if,
|
||||
+ - after updating or installing, any opencryptoki processes or tools tried
|
||||
+ to access the CCA token before migrating CCA token's private token
|
||||
+ objects. For example, the pkcsconf command was run.
|
||||
+
|
||||
+ The pre-migrated objects will have failed decryption and not
|
||||
+ been loaded into shared memory. A reboot or removing shared memory
|
||||
+ will cause the token to create shared memory again and load the newly
|
||||
+ migrated private token objects into it.
|
||||
+
|
||||
+CCA's shared memory can be removed two ways.
|
||||
+ 1. a reboot
|
||||
+
|
||||
+ 2. remove the shared memory file,
|
||||
+ i.e. "rm /dev/shm/var.lib.opencryptoki.ccatok"
|
||||
+
|
||||
+ Notes: (1). Ensure that no opencryptoki processes are running
|
||||
+ before removing the shared memory. Otherwise, you risk corrupting
|
||||
+ any running opencryptoki processes.
|
||||
+ (2). If you have installed opencryptoki manually (not via a distro
|
||||
+ rpm) the CCA token shared memory segment may be named
|
||||
+ usr.local.var.lib.opencryptoki.ccatok.
|
||||
+
|
||||
+The next opencryptoki process to run will cause opencryptoki to create
|
||||
+a shared memory segment for the token and load the newly migrated objects
|
||||
+as well as any other token objects for the token.
|
||||
|
||||
-PKCS#11 Notes:
|
||||
+6. After a successful migration, the CCA private token objects should be
|
||||
+encrypted and ready to be accessed by opencryptoki version 3.
|
||||
|
||||
-DES/3DES PKCS#11 key objects have the CCA key identifier stored in the CKA_VALUE
|
||||
-attribute. Usually the CKA_VALUE attribute would hold a plaintext key, however
|
||||
-in this case, the id used to reference the secure key is stored here.
|
||||
+TroubleShooting:
|
||||
+1. If version 3 cannot find the newly migrated CCA private token objects,
|
||||
+reboot or remove the shared memory file. This will cause token to create
|
||||
+shared memory again and load the newly migrated private token objects
|
||||
+into shared memory.
|
||||
diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am
|
||||
index c4b4d95..f2274d7 100644
|
||||
--- a/man/man1/Makefile.am
|
||||
+++ b/man/man1/Makefile.am
|
||||
@@ -1,3 +1,3 @@
|
||||
-man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1
|
||||
+man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1 pkcscca.1
|
||||
EXTRA_DIST = $(man1_MANS)
|
||||
CLEANFILES = $(man1_MANS)
|
||||
diff --git a/man/man1/pkcscca.1.in b/man/man1/pkcscca.1.in
|
||||
new file mode 100644
|
||||
index 0000000..c6e49d6
|
||||
--- /dev/null
|
||||
+++ b/man/man1/pkcscca.1.in
|
||||
@@ -0,0 +1,45 @@
|
||||
+.TH PKCSCCA 1 "September 2014" "@PACKAGE_VERSION@" "openCryptoki"
|
||||
+.SH NAME
|
||||
+pkcscca \- configuration utility for the CCA token
|
||||
+
|
||||
+.SH SYNOPSIS
|
||||
+\fBpkcscca\fP
|
||||
+[\fB-h\fP]
|
||||
+[\fB-m v2objectsv3\fP]
|
||||
+[\fIOPTIONS\fP]
|
||||
+
|
||||
+.SH DESCRIPTION
|
||||
+The \fBpkcscca\fP utility assists in administering the CCA token. Currently it
|
||||
+migrates opencryptoki version 2 private token objects to the encryption
|
||||
+method used in opencryptoki version 3.
|
||||
+
|
||||
+In verion 2 of opencryptoki, CCA private token objects were encrypted in CCA
|
||||
+hardware. In version 3 these objects are encrypted in software. The
|
||||
+\fBv2objectsv3\fP migration option migrates these version 2 objects by
|
||||
+decrypting them in CCA hardware using a secure key and then re-encrypting
|
||||
+them in software using a software key. Afterwards, v2 objects can be accessed
|
||||
+in version 3.
|
||||
+
|
||||
+.SH "FLAGS"
|
||||
+.IP "\fB-h\fP" 10
|
||||
+show usage information
|
||||
+.IP "\fB-m\fP" 10
|
||||
+perform a migration. \fBv2objectsv3\fP is currently the only type of migration
|
||||
+supported and must be specified along with this flag.
|
||||
+
|
||||
+.SH "MIGRATION OPTIONS"
|
||||
+.IP "\fB-d|--datastore\fP \fIdirectory\fp" 10
|
||||
+the directory where the CCA token information is kept. This directory will be
|
||||
+used to locate the private token objects to be migrated. i.e. /var/lib/opencryptoki/ccatok
|
||||
+.IP "\fB-v|--verbose\fP" 10
|
||||
+provide detailed output during migration
|
||||
+
|
||||
+.SH "FILES"
|
||||
+.IP "/var/lib/opencryptoki/ccatok/TOK_OBJ/OBJ.IDX"
|
||||
+contains current list of public and private token objects for the CCA token.
|
||||
+
|
||||
+.SH SEE ALSO
|
||||
+.PD 0
|
||||
+.TP
|
||||
+\fBREADME.cca_stdll\fP (in system's doc directory)
|
||||
+.PD
|
||||
--
|
||||
1.8.1.4
|
||||
|
@ -1,255 +0,0 @@
|
||||
--- opencryptoki.orig/doc/README.ep11_stdll 2014-09-04 21:59:50.000000000 -0600
|
||||
+++ opencryptoki/doc/README.ep11_stdll 2014-09-04 22:01:27.223654000 -0600
|
||||
@@ -1,126 +1,126 @@
|
||||
-EP11 Token
|
||||
-==========
|
||||
-
|
||||
-The EP11 token is a token that uses the IBM Crypto Express adapters
|
||||
-(starting with Crypto Express 4S adapters) configured with Enterprise
|
||||
-PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that
|
||||
-firmware load are also called CEXnP adapters for n >= 4.
|
||||
-
|
||||
-The EP11 token is only supported on the System z architecture and requires a
|
||||
-Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver
|
||||
-loaded into the kernel and the availability of EP11 library libep11.
|
||||
-
|
||||
-The token directory of the EP11 token is opencryptoki/ep11tok typically
|
||||
-located in /var/lib.
|
||||
-
|
||||
-Configuration
|
||||
--------------
|
||||
-
|
||||
-To use the EP11 token a slot entry must be defined in the general opencryptoki
|
||||
-configuration file that sets the stdll attribute to libpkcs11_ep11.so.
|
||||
-
|
||||
-A EP11 token specific configuration file must be set up to define the target
|
||||
-adapters and target adapter domains. The name of the configuration file must be
|
||||
-defined in the global openCryptoki configuration opencryptoki.conf file as part
|
||||
-of the token specification using the confname attribute.
|
||||
-E.g. the entry
|
||||
-
|
||||
-slot 4
|
||||
-{
|
||||
-stdll = libpkcs11_ep11.so
|
||||
-confname = ep11tok.conf
|
||||
-}
|
||||
-
|
||||
-defines the name of the configuration file of the EP11 token to be
|
||||
-ep11tok.conf. Per default this file is searched in the directory where
|
||||
-openCryptoki searches its global configuration file. This default path can
|
||||
-be overriden using the OCK_EP11_TOKEN_DIR environment variable.
|
||||
-
|
||||
-EP11 token configuration files defines a list of adapter/domain pairs to which
|
||||
-the EP11 token sends its cryptographic requests. This list can be specified as
|
||||
-a white list starting with a line containing the key word APQN_WHITELIST
|
||||
-followed by one or more lines containing each two integers (in the range
|
||||
-of 0 - 255) separated by a white space. The white list is ended with a line
|
||||
-containing the key word END. In each of lines of the white list the first
|
||||
-integer denotes the adapter number and the second integer denotes the domain
|
||||
-id. Alternatively the keyword APQN_ANY can be used to define that all
|
||||
-adapter/domain pairs with EP11 firmware load that are available to the system
|
||||
-shall be used as target adapters. An adapter number corresponds to the
|
||||
-numerical part xx of an adapter id of the form cardxx as displayed by the
|
||||
-lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices).
|
||||
-Currently Linux on z only supports a single domain. That domain number can be
|
||||
-displayed with lszcrypt -b (see the value of ap_domain) or alternatively as
|
||||
-contents of /sys/bus/ap/ap_domain.
|
||||
-
|
||||
-In addition to the target adapter a log level can be defined in the EP11
|
||||
-configuration file using a line consisting of the key word LOGLEVEL followed
|
||||
-by an integer between 0 and 9.
|
||||
-
|
||||
-Logging
|
||||
--------
|
||||
-
|
||||
-If a log level greater than 0 is defined in the environment variable
|
||||
-OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration
|
||||
-file then log entries are written to a log file
|
||||
-/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the process
|
||||
-using the EP11 token.
|
||||
-
|
||||
-Note, that the handling of EP11 logs is subject to change in future releases
|
||||
-of opencryptoki.
|
||||
-
|
||||
-Crypto Express Adapter EP11 Master Key Management
|
||||
--------------------------------------------------
|
||||
-
|
||||
-If master keys are changed on an EP11 adapter all key objects in the token
|
||||
-object repository (in the TOK_OBJ directory within the EP11 token directory)
|
||||
-become invalid.
|
||||
-
|
||||
-The key migration tool pkcsep11_migrate can be used to perform the migration
|
||||
-of the current EP11 master keys to new master keys. Therefore the following
|
||||
-steps must be performed:
|
||||
-1) On the Trusted Key Entry console (TKE): Submit and commit new master
|
||||
-keys on the EP11 adapter(s).
|
||||
-2) On Linux: Stop all processes using openCryptoki with the EP11 token.
|
||||
-3) On Linux: Back up the token object repository of the EP11 token.
|
||||
-4) On Linux: Migrate keys of object repository of EP11 token with
|
||||
-migration tool. If a failure occurs restore the backed up token repository
|
||||
-and retry step 4.
|
||||
-5) On the TKE: Activate new master keys on the EP11 adapter(s).
|
||||
-6) On Linux: Restart applications using openCryptoki with the EP11 token.
|
||||
-
|
||||
-Token specifics
|
||||
----------------
|
||||
-
|
||||
-The EP11 token only supports secure keys (i.e. key wrapped by a master key of
|
||||
-the Crypto Express adapter). Therefore all keys must have the attribute
|
||||
-CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
|
||||
-(token specific) default for secure keys the attribute must be explicitly
|
||||
-provided whenever a secret key is generated, unwrapped or build with
|
||||
-C_CreateObject. In addition all keys used with the EP11 token are extractable.
|
||||
-i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.
|
||||
-
|
||||
-When creating keys the default values of the attributes CKA_ENCRYPT,
|
||||
-CKA DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE.
|
||||
-Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions.
|
||||
-
|
||||
-All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than
|
||||
-or equal to 17.
|
||||
-
|
||||
-The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
|
||||
-according to ANSI X9.31. Therefore in the EP11 token the lengths of the
|
||||
-RSA primes (p or q) must be a multiple of 128 bits and the length of the
|
||||
-modulus (CKA_MODULUS_BITS) must be a multiple of 256.
|
||||
-
|
||||
-The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have
|
||||
-a length that is a multiple of the block size of DES3 or AES respectively.
|
||||
-
|
||||
-See the mechanism list and mechanism info (pkcsconf -m) for supported
|
||||
-mechanisms together with supported functions and key sizes. Note the
|
||||
-supported mechanism list is currently fix and matches the most stringent
|
||||
-setting of the Crypto Express adapter.
|
||||
-
|
||||
-Note, the EP11 coprocessor adapter can be configured to restrict the
|
||||
-cryptographic capababilities in order for the adapter to comply with specific
|
||||
-security requirements and regulations. Such restrictions on the adapter impact
|
||||
-the capabilitiy of the EP11 token.
|
||||
-
|
||||
+EP11 Token
|
||||
+==========
|
||||
+
|
||||
+The EP11 token is a token that uses the IBM Crypto Express adapters
|
||||
+(starting with Crypto Express 4S adapters) configured with Enterprise
|
||||
+PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that
|
||||
+firmware load are also called CEXnP adapters for n >= 4.
|
||||
+
|
||||
+The EP11 token is only supported on the System z architecture and requires a
|
||||
+Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver
|
||||
+loaded into the kernel and the availability of EP11 library libep11.
|
||||
+
|
||||
+The token directory of the EP11 token is opencryptoki/ep11tok typically
|
||||
+located in /var/lib.
|
||||
+
|
||||
+Configuration
|
||||
+-------------
|
||||
+
|
||||
+To use the EP11 token a slot entry must be defined in the general opencryptoki
|
||||
+configuration file that sets the stdll attribute to libpkcs11_ep11.so.
|
||||
+
|
||||
+A EP11 token specific configuration file must be set up to define the target
|
||||
+adapters and target adapter domains. The name of the configuration file must be
|
||||
+defined in the global openCryptoki configuration opencryptoki.conf file as part
|
||||
+of the token specification using the confname attribute.
|
||||
+E.g. the entry
|
||||
+
|
||||
+slot 4
|
||||
+{
|
||||
+stdll = libpkcs11_ep11.so
|
||||
+confname = ep11tok.conf
|
||||
+}
|
||||
+
|
||||
+defines the name of the configuration file of the EP11 token to be
|
||||
+ep11tok.conf. Per default this file is searched in the directory where
|
||||
+openCryptoki searches its global configuration file. This default path can
|
||||
+be overriden using the OCK_EP11_TOKEN_DIR environment variable.
|
||||
+
|
||||
+EP11 token configuration files defines a list of adapter/domain pairs to which
|
||||
+the EP11 token sends its cryptographic requests. This list can be specified as
|
||||
+a white list starting with a line containing the key word APQN_WHITELIST
|
||||
+followed by one or more lines containing each two integers (in the range
|
||||
+of 0 - 255) separated by a white space. The white list is ended with a line
|
||||
+containing the key word END. In each of lines of the white list the first
|
||||
+integer denotes the adapter number and the second integer denotes the domain
|
||||
+id. Alternatively the keyword APQN_ANY can be used to define that all
|
||||
+adapter/domain pairs with EP11 firmware load that are available to the system
|
||||
+shall be used as target adapters. An adapter number corresponds to the
|
||||
+numerical part xx of an adapter id of the form cardxx as displayed by the
|
||||
+lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices).
|
||||
+Currently Linux on z only supports a single domain. That domain number can be
|
||||
+displayed with lszcrypt -b (see the value of ap_domain) or alternatively as
|
||||
+contents of /sys/bus/ap/ap_domain.
|
||||
+
|
||||
+In addition to the target adapter a log level can be defined in the EP11
|
||||
+configuration file using a line consisting of the key word LOGLEVEL followed
|
||||
+by an integer between 0 and 9.
|
||||
+
|
||||
+Logging
|
||||
+-------
|
||||
+
|
||||
+If a log level greater than 0 is defined in the environment variable
|
||||
+OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration
|
||||
+file then log entries are written to a log file
|
||||
+/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the process
|
||||
+using the EP11 token.
|
||||
+
|
||||
+Note, that the handling of EP11 logs is subject to change in future releases
|
||||
+of opencryptoki.
|
||||
+
|
||||
+Crypto Express Adapter EP11 Master Key Management
|
||||
+-------------------------------------------------
|
||||
+
|
||||
+If master keys are changed on an EP11 adapter all key objects in the token
|
||||
+object repository (in the TOK_OBJ directory within the EP11 token directory)
|
||||
+become invalid.
|
||||
+
|
||||
+The key migration tool pkcsep11_migrate can be used to perform the migration
|
||||
+of the current EP11 master keys to new master keys. Therefore the following
|
||||
+steps must be performed:
|
||||
+1) On the Trusted Key Entry console (TKE): Submit and commit new master
|
||||
+keys on the EP11 adapter(s).
|
||||
+2) On Linux: Stop all processes using openCryptoki with the EP11 token.
|
||||
+3) On Linux: Back up the token object repository of the EP11 token.
|
||||
+4) On Linux: Migrate keys of object repository of EP11 token with
|
||||
+migration tool. If a failure occurs restore the backed up token repository
|
||||
+and retry step 4.
|
||||
+5) On the TKE: Activate new master keys on the EP11 adapter(s).
|
||||
+6) On Linux: Restart applications using openCryptoki with the EP11 token.
|
||||
+
|
||||
+Token specifics
|
||||
+---------------
|
||||
+
|
||||
+The EP11 token only supports secure keys (i.e. key wrapped by a master key of
|
||||
+the Crypto Express adapter). Therefore all keys must have the attribute
|
||||
+CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
|
||||
+(token specific) default for secure keys the attribute must be explicitly
|
||||
+provided whenever a secret key is generated, unwrapped or build with
|
||||
+C_CreateObject. In addition all keys used with the EP11 token are extractable.
|
||||
+i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.
|
||||
+
|
||||
+When creating keys the default values of the attributes CKA_ENCRYPT,
|
||||
+CKA DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE.
|
||||
+Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions.
|
||||
+
|
||||
+All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than
|
||||
+or equal to 17.
|
||||
+
|
||||
+The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
|
||||
+according to ANSI X9.31. Therefore in the EP11 token the lengths of the
|
||||
+RSA primes (p or q) must be a multiple of 128 bits and the length of the
|
||||
+modulus (CKA_MODULUS_BITS) must be a multiple of 256.
|
||||
+
|
||||
+The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have
|
||||
+a length that is a multiple of the block size of DES3 or AES respectively.
|
||||
+
|
||||
+See the mechanism list and mechanism info (pkcsconf -m) for supported
|
||||
+mechanisms together with supported functions and key sizes. Note the
|
||||
+supported mechanism list is currently fix and matches the most stringent
|
||||
+setting of the Crypto Express adapter.
|
||||
+
|
||||
+Note, the EP11 coprocessor adapter can be configured to restrict the
|
||||
+cryptographic capababilities in order for the adapter to comply with specific
|
||||
+security requirements and regulations. Such restrictions on the adapter impact
|
||||
+the capabilitiy of the EP11 token.
|
||||
+
|
@ -1,19 +0,0 @@
|
||||
commit 2094b476ab7c14caecc37add2da43bba11b71bf5
|
||||
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
|
||||
Date: Fri Aug 15 12:48:46 2014 +0200
|
||||
|
||||
Fixed ica token's SHA update function when passing zero message size
|
||||
|
||||
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
|
||||
|
||||
--- opencryptoki.orig/usr/lib/pkcs11/ica_s390_stdll/ica_specific.c 2014-01-27 15:01:58.000000000 -0700
|
||||
+++ opencryptoki/usr/lib/pkcs11/ica_s390_stdll/ica_specific.c 2014-09-05 09:19:55.009080000 -0600
|
||||
@@ -859,7 +859,7 @@ token_specific_sha_update( DIGEST_CONTEX
|
||||
* we're not stuck with 0 bytes when the MSG_PART_FINAL
|
||||
* comes in. - KEY
|
||||
*/
|
||||
- if (!(in_data_len % 64)) {
|
||||
+ if (!(in_data_len % 64) && (in_data_len != 0)) {
|
||||
oc_sha_ctx->tail_len = 64;
|
||||
memcpy(oc_sha_ctx->tail, in_data + in_data_len - 64, 64);
|
||||
in_data_len -= 64;
|
@ -1,3 +1,39 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 17 10:42:43 UTC 2014 - p.drouand@gmail.com
|
||||
|
||||
- Update to version 3.2
|
||||
+New pkcscca tool. Currently it assists in migrating cca private token
|
||||
objects from opencryptoki version 2 to the clear key encryption method
|
||||
used in opencryptoki version 3. Includes a manpage for pkcscca tool.
|
||||
Changes to README.cca_stdll to assist in using the CCA token and
|
||||
migrating the private token objects.
|
||||
+ Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
|
||||
+ Various bugfixes.
|
||||
+ New testcases for various crypto algorithms.
|
||||
- Only depend on insserv if builded with sysvinit support
|
||||
- Remove obsolete patches; merged on upstream release
|
||||
+ ocki-3.1_01_ep11_makefile.patch
|
||||
+ ocki-3.1_02_ep11_m_init.patch
|
||||
+ ocki-3.1_03_ock_obj_mgr.patch
|
||||
+ ocki-3.1_04_ep11_opaque2blob_error_handl.patch
|
||||
+ ocki-3.1_05_ep11_readme_update.patch
|
||||
+ ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
|
||||
+ ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
|
||||
+ ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
|
||||
+ ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
|
||||
+ ocki-3.1_06_0005-Small-reworks.patch
|
||||
+ ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
|
||||
+ ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
|
||||
+ ocki-3.1_07_0001-Man-page-corrections.patch
|
||||
+ ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
|
||||
+ ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
|
||||
+ ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
|
||||
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
|
||||
- Project is now hosted on sourceforge; fix the Url
|
||||
- Remove cvs related stuff; tarball is produced by upstream
|
||||
- Use %configure macro instead of manually defined options
|
||||
- Build with parallel support; use %{?_smp_mflags} macro
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 5 15:30:59 UTC 2014 - jjolly@suse.com
|
||||
|
||||
|
@ -46,15 +46,15 @@ BuildRequires: trousers-devel
|
||||
%if %{uses_systemd}
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
%{?systemd_requires}
|
||||
%else
|
||||
%insserv_prereq
|
||||
%endif
|
||||
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
|
||||
License: IPL-1.0
|
||||
Group: Productivity/Security
|
||||
Version: 3.1
|
||||
Version: 3.2
|
||||
Release: 0
|
||||
# :pserver:anonymous@cvs.sourceforge.net:/cvsroot/opencryptoki
|
||||
# cvs co -r openCryptoki-2-1-5 -d openCryptoki-2-1-5 .
|
||||
Source: %{oc_cvs_tag}-v%{version}.tar.bz2
|
||||
Source: %{oc_cvs_tag}-v%{version}.tgz
|
||||
Source1: openCryptoki.pkcsslotd
|
||||
Source2: openCryptoki-TFAQ.html
|
||||
Source3: openCryptoki-tmp.conf
|
||||
@ -62,26 +62,9 @@ Patch1: ocki-3.1-remove-make-install-chgrp-chmod.patch
|
||||
Patch2: ocki-3.1-fix-init_d-path.patch
|
||||
Patch3: ocki-3.1-fix-implicit-decl.patch
|
||||
Patch4: ocki-3.1-fix-libica-link.patch
|
||||
Patch5: ocki-3.1_01_ep11_makefile.patch
|
||||
Patch6: ocki-3.1_02_ep11_m_init.patch
|
||||
Patch7: ocki-3.1_03_ock_obj_mgr.patch
|
||||
Patch8: ocki-3.1_04_ep11_opaque2blob_error_handl.patch
|
||||
Patch9: ocki-3.1_05_ep11_readme_update.patch
|
||||
Patch10: ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
|
||||
Patch11: ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
|
||||
Patch12: ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
|
||||
Patch13: ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
|
||||
Patch14: ocki-3.1_06_0005-Small-reworks.patch
|
||||
Patch15: ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
|
||||
Patch16: ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
|
||||
Patch17: ocki-3.1_07_0001-Man-page-corrections.patch
|
||||
Patch18: ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
|
||||
Patch19: ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
|
||||
Patch20: ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
|
||||
Patch21: ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
|
||||
Url: http://oss.software.ibm.com/developerworks/opensource/opencryptoki
|
||||
Url: http://sourceforge.net/projects/opencryptoki/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed %insserv_prereq
|
||||
PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed
|
||||
# IBM maintains openCryptoki on these architectures:
|
||||
ExclusiveArch: %openCryptoki_32bit_arch %openCryptoki_64bit_arch
|
||||
#
|
||||
@ -160,37 +143,16 @@ Cryptographic Accelerator (FC 4960 on pSeries).
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
cp %{SOURCE2} .
|
||||
|
||||
%build
|
||||
autoreconf --force --install
|
||||
CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure \
|
||||
--prefix=/usr \
|
||||
--libdir=%{_libdir} \
|
||||
CFLAGS="%optflags -D__USE_BSD" %configure \
|
||||
--enable-tpmtok \
|
||||
%if %{uses_systemd}
|
||||
--with-systemd=/usr/lib/systemd/system \
|
||||
--with-systemd=/usr/lib/systemd/system
|
||||
%endif
|
||||
--sysconfdir=%{_sysconfdir} \
|
||||
--localstatedir=%{_localstatedir}
|
||||
%__make
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
%make_install DESTDIR=$RPM_BUILD_ROOT INSROOT=$RPM_BUILD_ROOT
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:05df5d5657e1de41ca7c81e0cc8c8c42d7b842fb062ad76f4961efffb0984aca
|
||||
size 680250
|
3
opencryptoki-v3.2.tgz
Normal file
3
opencryptoki-v3.2.tgz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d0b4676766753449f4d9001436cf8371812ddff7b59869e8d5adef94c4fd261b
|
||||
size 911965
|
Loading…
Reference in New Issue
Block a user