pool/openCryptoki
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 247627 from home:jjolly:branches:security

Browse Source 
Fixed several bugs and cleaned up changes and specfile

OBS-URL: https://build.opensuse.org/request/show/247627
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=21
This commit is contained in:
Marcus Meissner 2014-09-05 10:54:00 +00:00 committed by Git OBS Bridge
parent eb0091de2e
commit bbdcb346df
8 changed files with 1459 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
ocki-3.1-fix-implicit-decl.patch
View File

@ -1,5 +1,5 @@
--- opencryptoki.orig/usr/lib/pkcs11/common/loadsave.c 2014-01-27 15:01:58.000000000 -0700
+++ opencryptoki/usr/lib/pkcs11/common/loadsave.c 2014-01-31 10:56:26.377812000 -0700
--- opencryptoki/usr/lib/pkcs11/common/loadsave.c
+++ opencryptoki/usr/lib/pkcs11/common/loadsave.c
@@ -287,6 +287,9 @@
//
//
@ -10,8 +10,8 @@
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
--- opencryptoki.orig/usr/lib/pkcs11/common/mech_rng.c 2014-01-27 15:01:58.000000000 -0700
+++ opencryptoki/usr/lib/pkcs11/common/mech_rng.c 2014-01-31 11:00:30.004283000 -0700
--- opencryptoki/usr/lib/pkcs11/common/mech_rng.c
+++ opencryptoki/usr/lib/pkcs11/common/mech_rng.c
@@ -301,6 +301,7 @@
#include <sys/types.h>
#include <sys/stat.h>
@ -20,40 +20,8 @@
#include "pkcs11types.h"
--- opencryptoki.orig/usr/sbin/pkcsslotd/garbage_linux.c 2014-01-27 15:01:58.000000000 -0700
+++ opencryptoki/usr/sbin/pkcsslotd/garbage_linux.c 2014-01-31 11:03:14.422314000 -0700
@@ -294,6 +294,7 @@
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
+#include <unistd.h>
#include "log.h"
#include "slotmgr.h"
--- opencryptoki.orig/usr/sbin/pkcsslotd/mutex.c 2014-01-31 11:08:15.000000000 -0700
+++ opencryptoki/usr/sbin/pkcsslotd/mutex.c 2014-01-31 11:08:25.929081000 -0700
@@ -293,6 +293,9 @@
#include <sys/types.h>
#include <sys/file.h>
#include <grp.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
#include "log.h"
#include "slotmgr.h"
--- opencryptoki.orig/usr/sbin/pkcsslotd/slotmgr.c 2014-01-27 15:01:58.000000000 -0700
+++ opencryptoki/usr/sbin/pkcsslotd/slotmgr.c 2014-01-31 11:12:08.708122000 -0700
@@ -292,6 +292,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
+#include <unistd.h>
#include "log.h"
#include "slotmgr.h"
--- opencryptoki.orig/usr/lib/pkcs11/tpm_stdll/tpm_specific.c 2014-01-27 15:01:58.000000000 -0700
+++ opencryptoki/usr/lib/pkcs11/tpm_stdll/tpm_specific.c 2014-01-31 11:16:45.158228000 -0700
--- opencryptoki/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
+++ opencryptoki/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
@@ -31,6 +31,9 @@
*
*/
@ -64,3 +32,35 @@
#include <pthread.h>
#include <string.h>
#include <stdlib.h>
--- opencryptoki/usr/sbin/pkcsslotd/garbage_linux.c
+++ opencryptoki/usr/sbin/pkcsslotd/garbage_linux.c
@@ -294,6 +294,7 @@
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
+#include <unistd.h>
#include "log.h"
#include "slotmgr.h"
--- opencryptoki/usr/sbin/pkcsslotd/mutex.c
+++ opencryptoki/usr/sbin/pkcsslotd/mutex.c
@@ -293,6 +293,9 @@
#include <sys/types.h>
#include <sys/file.h>
#include <grp.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
#include "log.h"
#include "slotmgr.h"
--- opencryptoki/usr/sbin/pkcsslotd/slotmgr.c
+++ opencryptoki/usr/sbin/pkcsslotd/slotmgr.c
@@ -292,6 +292,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
+#include <unistd.h>
#include "log.h"
#include "slotmgr.h"

6
ocki-3.1-remove-make-install-chgrp-chmod.patch
View File

@ -84,9 +84,9 @@
uninstall-hook:
if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \
--- opencryptoki.orig/usr/lib/pkcs11/tpm_stdll/Makefile.am 2014-01-27 15:01:58.000000000 -0700
+++ opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am 2014-01-31 08:20:37.999866000 -0700
@@ -69,11 +69,7 @@ install-data-hook:
--- opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am
+++ opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am
@@ -69,11 +69,7 @@
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -sf libpkcs11_tpm.so PKCS11_TPM.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm

63
ocki-3.1_07_0001-Man-page-corrections.patch Normal file
View File

@ -0,0 +1,63 @@
From 417e55a76a3a52dfb22f0055230c74b083d9e3a7 Mon Sep 17 00:00:00 2001
From: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Fri, 29 Aug 2014 12:40:35 -0500
Subject: [PATCH] Man page corrections.
Remove references to obsoleted pk_config_data and pkcs11_startup
in the pkcsslotd man page. Other changes made as necessary.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
---
man/man5/opencryptoki.conf.5.in | 12 +++++++++++-
man/man8/pkcsslotd.8.in | 6 ++----
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/man/man5/opencryptoki.conf.5.in b/man/man5/opencryptoki.conf.5.in
index e13c110..f3aabd1 100644
--- a/man/man5/opencryptoki.conf.5.in
+++ b/man/man5/opencryptoki.conf.5.in
@@ -3,7 +3,7 @@
opencryptoki.conf \- Configuration file for pkcsslotd.
.SH DESCRIPTION
-pkcsslotd uses a configuration file at "@sysconfdir@"/opencryptoki.conf
+pkcsslotd uses a configuration file at @sysconfdir@/opencryptoki/opencryptoki.conf
This is a text file that contains information used to configure
pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to
@@ -51,6 +51,16 @@ Version number of the slot's firmware, if any. The version number is composed
of a major version number (the integer portion of the version) and a
minor version number (the hundredths portion of the version).
.TP
+.BR confname
+If the slot is associated with a token that has its own configuration file,
+this option identifies the name of that configuration file.
+For example, confname=ep11tok.conf
+
+.SH Notes
+The pound sign ('#') is used to indicate a comment.
+Both the comment character and any text after it, up to the end of the line,
+are ignored. The comment character cannot be used inside the brackets of
+slot descriptions, as this will cause a syntax error.
.SH "SEE ALSO"
.PD 0
diff --git a/man/man8/pkcsslotd.8.in b/man/man8/pkcsslotd.8.in
index c5d7280..db113e9 100644
--- a/man/man8/pkcsslotd.8.in
+++ b/man/man8/pkcsslotd.8.in
@@ -29,9 +29,7 @@ manual page for details.
.TP
\fBopencryptoki\fP(7),
.TP
-\fBpkcsconf\fP(1),
-.TP
-\fBpk_config_data\fP(5),
+\fBopencryptoki.conf\fP(5),
.TP
-\fBpkcs11_startup\fP(1).
+\fBpkcsconf\fP(1),
.PD
--
1.8.1.4

783
ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch Normal file
View File

@ -0,0 +1,783 @@
From afb086ce22bd1ff4d0f1cf0768dfff3c03424096 Mon Sep 17 00:00:00 2001
From: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Thu, 28 Aug 2014 00:36:43 -0500
Subject: [PATCH 1/2] Add a pkcscca tool to help migrate cca private token
objects from v2(encrypted with cca hardware) to v3 (encrypted in software)
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
---
configure.in | 1 +
usr/sbin/Makefile.am | 6 +-
usr/sbin/pkcscca/Makefile.am | 14 +
usr/sbin/pkcscca/pkcscca.c | 661 +++++++++++++++++++++++++++++++++++++++++++
usr/sbin/pkcscca/pkcscca.h | 49 ++++
5 files changed, 730 insertions(+), 1 deletion(-)
create mode 100644 usr/sbin/pkcscca/Makefile.am
create mode 100644 usr/sbin/pkcscca/pkcscca.c
create mode 100644 usr/sbin/pkcscca/pkcscca.h
Index: opencryptoki/configure.in
===================================================================
--- opencryptoki.orig/configure.in
+++ opencryptoki/configure.in
@@ -818,6 +818,7 @@ AC_CONFIG_FILES([Makefile usr/Makefile \
usr/sbin/pkcsslotd/Makefile \
usr/sbin/pkcsconf/Makefile \
usr/sbin/pkcsicsf/Makefile \
+ usr/sbin/pkcscca/Makefile \
usr/sbin/pkcscca_migrate/Makefile \
usr/sbin/pkcsep11_migrate/Makefile \
usr/lib/pkcs11/methods/Makefile \
Index: opencryptoki/usr/sbin/Makefile.am
===================================================================
--- opencryptoki.orig/usr/sbin/Makefile.am
+++ opencryptoki/usr/sbin/Makefile.am
@@ -11,4 +11,8 @@ if ENABLE_PKCSEP11_MIGRATE
PKCSEP11_MIGRATE_DIR = pkcsep11_migrate
endif
-SUBDIRS = pkcsslotd pkcsconf $(PKCSICSF_DIR) $(PKCSCCA_MIGRATE_DIR) $(PKCSEP11_MIGRATE_DIR)
+if ENABLE_CCATOK
+PKCSCCA_DIR = pkcscca
+endif
+
+SUBDIRS = pkcsslotd pkcsconf $(PKCSICSF_DIR) $(PKCSCCA_MIGRATE_DIR) $(PKCSEP11_MIGRATE_DIR) $(PKCSCCA_DIR)
Index: opencryptoki/usr/sbin/pkcscca/Makefile.am
===================================================================
--- /dev/null
+++ opencryptoki/usr/sbin/pkcscca/Makefile.am
@@ -0,0 +1,14 @@
+sbin_PROGRAMS=pkcscca
+
+pkcscca_CFLAGS = -DSTDLL_NAME=\"pkcscca\"
+pkcscca_LDFLAGS = -lcrypto -ldl
+
+# Not all versions of automake observe sbinname_CFLAGS
+AM_CFLAGS = -DSTDLL_NAME=\"pkcscca\"
+
+pkcscca_SOURCES = ../../lib/pkcs11/common/p11util.c \
+ ../../lib/pkcs11/common/sw_crypt.c \
+ ../../lib/pkcs11/common/log.c \
+ pkcscca.c
+
+INCLUDES = -I. -I../../include/pkcs11 -I../../lib/pkcs11/common
Index: opencryptoki/usr/sbin/pkcscca/pkcscca.c
===================================================================
--- /dev/null
+++ opencryptoki/usr/sbin/pkcscca/pkcscca.c
@@ -0,0 +1,661 @@
+/*
+ * Licensed materials - Property of IBM
+ *
+ * pkcscca - A tool for PKCS#11 CCA token.
+ * Currently, only migrates CCA private token objects from CCA cipher
+ * to using a software cipher.
+ *
+ *
+ * Copyright (C) International Business Machines Corp. 2014
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <getopt.h>
+#include <termios.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <linux/limits.h>
+#include <openssl/evp.h>
+#include <pkcs11types.h>
+
+#include "sw_crypt.h"
+#include "pkcscca.h"
+
+void (*CSNBDEC)();
+int v_flag = 0;
+
+int compute_hash(int hash_type, int buf_size, char *buf, char *digest)
+{
+ EVP_MD_CTX md_ctx;
+ unsigned int result_size;
+ int rc;
+
+ switch (hash_type) {
+ case HASH_SHA1:
+ rc = EVP_DigestInit(&md_ctx, EVP_sha1());
+ break;
+ case HASH_MD5:
+ rc = EVP_DigestInit(&md_ctx, EVP_md5());
+ break;
+ default:
+ return -1;
+ break;
+ }
+
+ if (rc != 1) {
+ fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc);
+ return -1;
+ }
+
+ rc = EVP_DigestUpdate(&md_ctx, buf, buf_size);
+ if (rc != 1) {
+ fprintf(stderr, "EVP_DigestUpdate() failed: rc = %d\n", rc);
+ return -1;
+ }
+
+ result_size = EVP_MD_CTX_size(&md_ctx);
+ rc = EVP_DigestFinal(&md_ctx, (unsigned char *)digest, &result_size);
+ if (rc != 1) {
+ fprintf(stderr, "EVP_DigestFinal() failed: rc = %d\n", rc);
+ return -1;
+ }
+
+ return 0;
+}
+
+int cca_decrypt(unsigned char *in_data, unsigned long in_data_len,
+ unsigned char *out_data, unsigned long *out_data_len,
+ unsigned char *init_v, unsigned char *key_value)
+{
+ long return_code, reason_code, rule_array_count, length;
+ unsigned char chaining_vector[18];
+ unsigned char rule_array[256];
+
+ length = in_data_len;
+ rule_array_count = 1;
+ memcpy(rule_array, "CBC ", 8);
+
+ CSNBDEC(&return_code, &reason_code, NULL, NULL, key_value,
+ &length, in_data, init_v, &rule_array_count,
+ rule_array, chaining_vector, out_data);
+
+ if (return_code != 0) {
+ fprintf(stderr, "CSNBDEC (DES3 DECRYPT) failed: return_code=%ld reason_code=%ld\n", return_code, reason_code);
+ return -1;
+ }
+ *out_data_len = length;
+ return 0;
+}
+
+int reencrypt_private_token_object(unsigned char *data, unsigned long len,
+ unsigned char *new_cipher,
+ unsigned long *new_cipher_len,
+ unsigned char *masterkey)
+{
+ unsigned char *clear = NULL;
+ unsigned char des3_key[64];
+ unsigned char sw_des3_key[3 * DES_KEY_SIZE];
+ unsigned long clear_len;
+ CK_RV rc;
+ int ret;
+
+ /* cca wants 8 extra bytes for padding purposes */
+ clear_len = len + 8;
+ clear = (unsigned char *) malloc(clear_len);
+ if (!clear) {
+ fprintf(stderr, "malloc() failed: %s.\n", strerror(errno));
+ ret =-1;
+ goto done;
+ }
+
+ /* decrypt using cca des3 */
+ memcpy(des3_key, masterkey, MASTER_KEY_SIZE);
+ ret = cca_decrypt(data, len, clear, &clear_len, "10293847", des3_key);
+ if (ret)
+ goto done;
+
+ /* now encrypt using software des3 */
+ memcpy(sw_des3_key, masterkey, 3 * DES_KEY_SIZE);
+ rc = sw_des3_cbc_encrypt(clear, clear_len, new_cipher, new_cipher_len,
+ "10293847", sw_des3_key);
+ if (rc != CKR_OK)
+ ret = -1;
+done:
+ if (clear)
+ free(clear);
+
+ return ret;
+}
+
+int load_private_token_objects(unsigned char *data_store,
+ unsigned char *masterkey)
+{
+ FILE *fp1 = NULL, *fp2 = NULL;
+ unsigned char *buf = NULL;
+ unsigned char tmp[PATH_MAX], fname[PATH_MAX], iname[PATH_MAX];
+ CK_BBOOL priv;
+ unsigned int size;
+ int rc, scount= 0, fcount = 0;
+ size_t read_size;
+ unsigned char *new_cipher;
+ unsigned long new_cipher_len;
+
+ snprintf(iname, sizeof(iname), "%s/TOK_OBJ/OBJ.IDX", data_store);
+
+ fp1 = fopen((char *)iname, "r");
+ if (!fp1)
+ return -1; // no token objects
+
+ while (!feof(fp1)) {
+ (void)fgets((char *)tmp, 50, fp1);
+ if (!feof(fp1)) {
+ tmp[strlen((char *)tmp) - 1] = 0;
+
+ snprintf((char *)fname, sizeof(fname), "%s/TOK_OBJ/",
+ data_store);
+ strcat((char *)fname, (char *)tmp);
+
+ fp2 = fopen((char *)fname, "r");
+ if (!fp2)
+ continue;
+
+ fread(&size, sizeof(unsigned int), 1, fp2);
+ fread(&priv, sizeof(CK_BBOOL), 1, fp2);
+ if (priv == FALSE) {
+ fclose(fp2);
+ continue;
+ }
+
+ size = size - sizeof(unsigned int) - sizeof(CK_BBOOL);
+ buf = (unsigned char *) malloc(size);
+ if (!buf) {
+ fprintf(stderr, "Cannot malloc for object %s "
+ "(ignoring it).\n", tmp);
+ goto cleanup;
+ }
+
+ read_size = fread((char *)buf, 1, size, fp2);
+ if (read_size != size) {
+ fprintf(stderr, "Cannot read object %s "
+ "(ignoring it).\n", tmp);
+ goto cleanup;
+ }
+
+ new_cipher_len = size;
+ new_cipher = malloc(new_cipher_len);
+ if (!new_cipher) {
+ fprintf(stderr, "Cannot malloc space for new "
+ "cipher (ignoring object %s).\n", tmp);
+ goto cleanup;
+ }
+
+ /* After reading the private token object,
+ * decrypt it using CCA des3 and then re-encrypt it
+ * using software des3.
+ */
+ memset(new_cipher, 0, new_cipher_len);
+ rc = reencrypt_private_token_object(buf, size,
+ new_cipher, &new_cipher_len,
+ masterkey);
+ if (rc)
+ goto cleanup;
+
+ fclose(fp2);
+
+ /* now save the newly re-encrypted object back to
+ * disk in its original file.
+ */
+ fp2 = fopen((char *)fname, "w");
+ size = sizeof(unsigned int) + sizeof(CK_BBOOL)
+ + new_cipher_len;
+ (void)fwrite(&size, sizeof(unsigned int), 1, fp2);
+ (void)fwrite(&priv, sizeof(CK_BBOOL), 1, fp2);
+ (void)fwrite(new_cipher, new_cipher_len, 1, fp2);
+ rc = 0;
+
+cleanup:
+ if (fp2)
+ fclose(fp2);
+ if (buf)
+ free(buf);
+ if (new_cipher)
+ free(new_cipher);
+
+ if (rc) {
+ if (v_flag)
+ printf("Failed to process %s\n", fname);
+ fcount++;
+ } else {
+ if (v_flag)
+ printf("Processed %s.\n", fname);
+ scount++;
+ }
+ }
+ }
+ fclose(fp1);
+ printf("Successfully migrated %d object(s).\n", scount);
+
+ if (v_flag && fcount)
+ printf("Failed to migrate %d object(s).\n", fcount);
+
+ return 0;
+}
+
+int load_masterkey(char *mkfile, char *pin, char *masterkey)
+{
+ unsigned char des3_key[3 * DES_KEY_SIZE];
+ unsigned char hash_sha[SHA1_HASH_SIZE];
+ unsigned char pin_md5_hash[MD5_HASH_SIZE];
+ unsigned char *cipher = NULL;
+ unsigned char *clear = NULL;
+ unsigned long cipher_len, clear_len;
+ int ret;
+ CK_RV rc;
+ FILE *fp = NULL;
+
+ clear_len = cipher_len = MASTER_KEY_SIZE + SHA1_HASH_SIZE + (DES_BLOCK_SIZE - 1) & ~(DES_BLOCK_SIZE - 1);
+
+ fp = fopen((char *)mkfile, "r");
+ if (!fp) {
+ fprintf(stderr, "Could not open %s: %s\n", mkfile,
+ strerror(errno));
+ return -1;
+ }
+
+ cipher = malloc(cipher_len);
+ clear = malloc(clear_len);
+ if (cipher == NULL || clear == NULL) {
+ ret = -1;
+ goto done;
+ }
+
+ ret = fread(cipher, cipher_len, 1, fp);
+ if (ret != 1) {
+ fprintf(stderr, "Could not read %s: %s\n", mkfile,
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ /* decrypt the masterkey */
+
+ ret = compute_md5(pin, strlen(pin), pin_md5_hash);
+ if (ret) {
+ fprintf(stderr, "Error calculating MD5 of PIN!\n");
+ goto done;
+ }
+
+ memcpy(des3_key, pin_md5_hash, MD5_HASH_SIZE);
+ memcpy(des3_key + MD5_HASH_SIZE, pin_md5_hash, DES_KEY_SIZE);
+
+ rc = sw_des3_cbc_decrypt(cipher, cipher_len, clear, &clear_len,
+ (unsigned char *)"12345678", des3_key);
+ if (rc != CKR_OK) {
+ fprintf(stderr, "Error decrypting master key file after read");
+ ret = -1;
+ goto done;
+ }
+
+ /*
+ * technically should strip PKCS padding here but since I already know
+ * what the length should be, I don't bother.
+ *
+ * compare the hashes to verify integrity
+ */
+
+ ret = compute_sha1(clear, MASTER_KEY_SIZE, hash_sha);
+ if (ret) {
+ fprintf(stderr, "Failed to compute sha for masterkey.\n");
+ goto done;
+ }
+
+ if (memcmp(hash_sha, clear + MASTER_KEY_SIZE, SHA1_HASH_SIZE) != 0) {
+ fprintf(stderr, "%s appears to have been tampered!\n", mkfile);
+ fprintf(stderr, "Cannot migrate.\n");
+ ret = -1;
+ goto done;
+ }
+
+ memcpy(masterkey, clear, MASTER_KEY_SIZE);
+ ret = 0;
+
+done:
+ if (fp)
+ fclose(fp);
+ if (clear)
+ free(clear);
+ if (cipher)
+ free(cipher);
+
+ return ret;
+}
+
+int get_pin(char **pin, size_t *pinlen)
+{
+ struct termios old, new;
+ int nread;
+ char *buff = NULL;
+ size_t buflen;
+ int rc = 0;
+
+ /* turn echoing off */
+ if (tcgetattr(fileno(stdin), &old) != 0)
+ return -1;
+
+ new = old;
+ new.c_lflag &= ~ECHO;
+ if (tcsetattr (fileno(stdin), TCSAFLUSH, &new) != 0)
+ return -1;
+
+ /* read the pin
+ * Note: getline will allocate memory for buff. free it when done.
+ */
+ nread = getline(&buff, &buflen, stdin);
+ if (nread == -1) {
+ rc = -1;
+ goto done;
+ }
+
+ /* Restore terminal */
+ (void) tcsetattr(fileno(stdin), TCSAFLUSH, &old);
+
+ /* start a newline */
+ printf("\n");
+ fflush(stdout);
+
+ /* Allocate PIN.
+ * Note: nread includes carriage return.
+ * Replace with terminating NULL.
+ */
+ *pin = (unsigned char *)malloc(nread);
+ if (*pin == NULL) {
+ rc = -ENOMEM;
+ goto done;
+ }
+
+ /* strip the carriage return since not part of pin. */
+ buff[nread - 1] = '\0';
+ memcpy(*pin, buff, nread);
+ /* don't include the terminating null in the pinlen */
+ *pinlen = nread - 1;
+
+done:
+ if (buff)
+ free(buff);
+
+ return rc;
+}
+
+int verify_pins(char *data_store, char *sopin, unsigned long sopinlen,
+ char *userpin, unsigned long userpinlen)
+{
+ TOKEN_DATA td;
+ unsigned char fname[PATH_MAX];
+ unsigned char pin_sha[SHA1_HASH_SIZE];
+ FILE *fp = NULL;
+ int ret;
+
+ /* read the NVTOK.DAT */
+ snprintf(fname, PATH_MAX, "%s/NVTOK.DAT", data_store);
+ fp = fopen((char *)fname, "r");
+ if (!fp) {
+ fprintf(stderr, "Could not open %s: %s\n", fname,
+ strerror(errno));
+ return -1;
+ }
+
+ ret = fread(&td, sizeof(TOKEN_DATA), 1, fp);
+ if (ret != 1) {
+ fprintf(stderr, "Could not read %s: %s\n", fname,
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ /* Now compute the SHAs for the SO and USER pins entered.
+ * Compare with the SHAs for SO and USER PINs saved in
+ * NVTOK.DAT to verify.
+ */
+
+ if (sopin != NULL) {
+ ret = compute_sha1(sopin, sopinlen, pin_sha);
+ if (ret) {
+ fprintf(stderr, "Failed to compute sha for SO.\n");
+ goto done;
+ }
+
+ if (memcmp(td.so_pin_sha, pin_sha, SHA1_HASH_SIZE) != 0) {
+ fprintf(stderr, "SO PIN is incorrect.\n");
+ ret = -1;
+ goto done;
+ }
+ }
+
+ if (userpin != NULL) {
+ ret = compute_sha1(userpin, userpinlen, pin_sha);
+ if (ret) {
+ fprintf(stderr, "Failed to compute sha for USER.\n");
+ goto done;
+ }
+
+ if (memcmp(td.user_pin_sha, pin_sha, SHA1_HASH_SIZE) != 0) {
+ fprintf(stderr, "USER PIN is incorrect.\n");
+ ret = -1;
+ goto done;
+ }
+ }
+ ret = 0;
+
+done:
+ /* clear out the hash */
+ memset(pin_sha, 0, SHA1_HASH_SIZE);
+ if (fp)
+ fclose(fp);
+
+ return ret;
+}
+
+void usage(char *progname)
+{
+ printf("usage:\t%s -h | -m v2objectsv3 [OPTIONS] \n", progname);
+ printf(" -h\t\t\t\tshow this help\n");
+ printf(" -m=migration_type\t\tCurrently the only type of CCA ");
+ printf("migration\n\t\t\t\tsupported is v2objectsv3. v2objectsv3 ");
+ printf("migrates\n\t\t\t\tCCA private token objects from CCA ");
+ printf("encryption\n\t\t\t\t(used in v2)to software encryption ");
+ printf("(used in v3). \n\n");
+ printf("Migrate options (with -m v2objectsv3):\n");
+ printf(" -d, --datastore=DIRECTORY\tCCA token datastore location\n");
+ printf(" -v, --verbose\t\t\tprovide more detailed output\n");
+
+ return;
+}
+
+int main(int argc, char **argv)
+{
+ int ret, opt;
+ unsigned int m_flag = 0;
+ char *sopin = NULL, *userpin = NULL;
+ size_t sopinlen, userpinlen;
+ unsigned char masterkey[MASTER_KEY_SIZE];
+ unsigned char *data_store = NULL;
+ unsigned char *m_type = NULL;
+ int data_store_len;
+ char fname[PATH_MAX];
+ struct stat statbuf;
+ void *lib_csulcca;
+
+ struct option long_opts[] = {
+ { "datastore", required_argument, NULL, 'd' },
+ { "verbose", no_argument, NULL, 'v'},
+ { 0, 0, 0, 0 }
+ };
+
+ int long_index;
+ while ((opt = getopt_long(argc, argv, "d:m:hv", long_opts, NULL)) != -1) {
+ switch (opt) {
+ case 'd':
+ data_store = strdup(optarg);
+ break;
+
+ case 'h':
+ usage(argv[0]);
+ return 0;
+
+ case 'm':
+ m_type = strdup(optarg);
+ break;
+
+ case 'v':
+ v_flag++;
+ break;
+
+ default:
+ usage(argv[0]);
+ return -1;
+ }
+ }
+
+ if (m_type) {
+ if (memcmp(m_type, "v2objectsv3", strlen("v2objectsv3"))) {
+ fprintf(stderr, "unknown migration type\n");
+ usage(argv[0]);
+ return -1;
+ }
+ }
+
+ /* use default data_store if one is not given */
+ if (data_store == NULL) {
+ data_store_len = strlen(TOK_DATASTORE);
+ data_store = malloc(data_store_len + 1);
+ if (data_store == NULL) {
+ fprintf(stderr, "malloc failed: %s\n",strerror(errno));
+ return -1;
+ }
+ memset(data_store, 0, data_store_len + 1);
+ memcpy(data_store, TOK_DATASTORE, data_store_len);
+ }
+
+ /* Verify that the data store is valid by looking for
+ * MK_SO, MK_USER, and TOK_OBJ/OBJ.IDX.
+ */
+
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, PATH_MAX, "%s/MK_SO", data_store);
+ if (stat(fname, &statbuf) != 0) {
+ fprintf(stderr, "Cannot find %s.\n", fname);
+ ret = -1;
+ goto done;
+ }
+
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, PATH_MAX, "%s/MK_USER", data_store);
+ if (stat(fname, &statbuf) != 0) {
+ fprintf(stderr, "Cannot find %s.\n", fname);
+ ret = -1;
+ goto done;
+ }
+
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, PATH_MAX, "%s/TOK_OBJ/OBJ.IDX", data_store);
+ if (stat(fname, &statbuf) != 0) {
+ fprintf(stderr, "Cannot find %s.\n", fname);
+ ret = -1;
+ goto done;
+ }
+
+ /* If the OBJ.IDX is empty, then no objects to migrate. */
+ if (statbuf.st_size == 0) {
+ printf("OBJ.IDX file is empty. Thus no objects to migrate.\n");
+ goto done;
+ }
+
+ if (v_flag)
+ printf("%s has an MK_SO, MK_USER and TOK/OBJ.IDX\n",
+ data_store);
+
+ /* get the SO pin to authorize migration */
+ printf("Enter the SO PIN: ");
+ fflush(stdout);
+ ret = get_pin(&sopin, &sopinlen);
+ if (ret != 0) {
+ fprintf(stderr, "Could not get SO PIN.\n");
+ goto done;
+ }
+
+ /* get the USER pin to authorize migration */
+ printf("Enter the USER PIN: ");
+ fflush(stdout);
+ ret = get_pin(&userpin, &userpinlen);
+
+ if (ret != 0) {
+ fprintf(stderr, "Could not get USER PIN.\n");
+ goto done;
+ }
+
+ /* Verify the SO and USER PINs entered. */
+ ret = verify_pins(data_store, sopin, sopinlen, userpin, userpinlen);
+ if (ret)
+ goto done;
+
+ lib_csulcca = dlopen(CCA_LIBRARY, (RTLD_GLOBAL | RTLD_NOW));
+ if (lib_csulcca == NULL) {
+ fprintf(stderr, "dlopen(%s) failed: %s\n", CCA_LIBRARY,
+ strerror(errno));
+ return -1;
+ }
+
+ CSNBDEC = dlsym(lib_csulcca, "CSNBDEC");
+
+ /* Get the masterkey from MK_SO.
+ * This also helps verify that correct SO pin was entered.
+ */
+ memset(masterkey, 0, MASTER_KEY_SIZE);
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, PATH_MAX, "%s/MK_SO", data_store);
+ ret = load_masterkey(fname, sopin, masterkey);
+ if (ret) {
+ fprintf(stderr, "Could not load masterkey from MK_SO.\n");
+ goto done;
+ }
+
+ if (v_flag)
+ printf("Successfully verified SO Pin.\n");
+
+ /* Get the masterkey from MK_USER.
+ * This also helps verift that correct USER pin was entered.
+ */
+ memset(masterkey, 0, MASTER_KEY_SIZE);
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, PATH_MAX, "%s/MK_USER", data_store);
+ ret = load_masterkey(fname, userpin, masterkey);
+ if (ret) {
+ fprintf(stderr, "Could not load masterkey from MK_USER.\n");
+ goto done;
+ }
+
+ if (v_flag)
+ printf("Successfully verified USER Pin.\n");
+
+ /* Load all the private token objects and re-encrypt them
+ * using software des3, instead of CSNBENC.
+ */
+ (void)load_private_token_objects(data_store, masterkey);
+
+done:
+
+ if (sopin)
+ free(sopin);
+ if (userpin)
+ free(userpin);
+ if (data_store)
+ free(data_store);
+
+ return ret;
+}
Index: opencryptoki/usr/sbin/pkcscca/pkcscca.h
===================================================================
--- /dev/null
+++ opencryptoki/usr/sbin/pkcscca/pkcscca.h
@@ -0,0 +1,49 @@
+/*
+ * Licensed materials - Property of IBM
+ *
+ * pkcscca - A tool for PKCS#11 CCA token.
+ * Currently, only migrates CCA private token objects from using a
+ * CCA cipher to using a software cipher.
+ *
+ * Copyright (C) International Business Machines Corp. 2014
+ *
+ */
+
+
+#ifndef __PKCSCCA_H_
+#define __PKCSCCA_H_
+
+#define CCA_LIBRARY "libcsulcca.so"
+#define TOK_DATASTORE "/var/lib/opencryptoki/ccatok"
+#define MASTER_KEY_SIZE 64
+#define SHA1_HASH_SIZE 20
+#define MD5_HASH_SIZE 16
+#define DES_BLOCK_SIZE 8
+#define DES_KEY_SIZE 8
+#define compute_sha1(a,b,c) compute_hash(HASH_SHA1,b,a,c)
+#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c)
+#define HASH_SHA1 1
+#define HASH_MD5 2
+
+/* from host_defs.h */
+#include "pkcs32.h"
+typedef struct _TWEAK_VEC
+{
+ int allow_weak_des ;
+ int check_des_parity ;
+ int allow_key_mods ;
+ int netscape_mods ;
+} TWEAK_VEC;
+
+typedef struct _TOKEN_DATA
+{
+ CK_TOKEN_INFO_32 token_info;
+
+ CK_BYTE user_pin_sha[3 * DES_BLOCK_SIZE];
+ CK_BYTE so_pin_sha[3 * DES_BLOCK_SIZE];
+ CK_BYTE next_token_object_name[8];
+ TWEAK_VEC tweak_vector;
+} TOKEN_DATA;
+
+
+#endif

281
ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch Normal file
View File

@ -0,0 +1,281 @@
From 13eda6d102b8c44f85cf4eac094ff8a964c630f4 Mon Sep 17 00:00:00 2001
From: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Mon, 1 Sep 2014 22:46:37 -0500
Subject: [PATCH 2/2] Add documentation (pkcscca manpage and README.cca_stdll)
to assist in migrating cca private token objects from v2 to v3.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
---
configure.in | 1 +
doc/README.cca_stdll | 175 ++++++++++++++++++++++++++++++++++++++++++++++----
man/man1/Makefile.am | 2 +-
man/man1/pkcscca.1.in | 45 +++++++++++++
4 files changed, 209 insertions(+), 14 deletions(-)
create mode 100644 man/man1/pkcscca.1.in
diff --git a/configure.in b/configure.in
index f3fbe70..3e7e5e8 100644
--- a/configure.in
+++ b/configure.in
@@ -843,6 +843,7 @@ AC_CONFIG_FILES([Makefile usr/Makefile \
man/man1/Makefile \
man/man1/pkcsconf.1 \
man/man1/pkcsicsf.1 \
+ man/man1/pkcscca.1 \
man/man1/pkcsep11_migrate.1 \
man/man5/Makefile \
man/man5/opencryptoki.conf.5 \
diff --git a/doc/README.cca_stdll b/doc/README.cca_stdll
index f535dfa..a0d13f1 100644
--- a/doc/README.cca_stdll
+++ b/doc/README.cca_stdll
@@ -1,24 +1,173 @@
+CCA TOKEN
-README for the CCA secure-key token
+OverView
+--------
+The CCA token is a secure key token.
+A Secure key - key value does not exist in the clear outside of the HSM
+(secure, tamper-resistent boundary of the card). It is a clear key wrapped
+with the appropriate MasterKey that has been installed into the secure hardware.
+A clear key is generated in the hardware, wrapped with the appropriate
+master key that has been installed into the hardware. The wrapped key is then
+passed back to the invoker. Upon an encryption and/or decryption request,
+the wrapped key and the data to be encrypted are passed into the hardware.
+The wrapped key is verified, and the clear key is used to encrypt and/or
+decrypt the data. All this is done in the CCA hardware.
-Kent Yoder <yoder1@us.ibm.com>
+Within opencryptoki, this wrapped key value is stored in the CKA_IBM_OPAQUE
+attribute rather than the CKA_VALUE attribute.
- The key used to encrypt private objects on disk is a secure key.
+Pre-requisites:
+The CCA token requires cca library, libcsulcca.so, which is part of the
+csulcca rpm.
+It also requires proper configuration and installation of the MK keys into
+the hardware which is outside the scope of this document.
- The key used to encrypt that secure key is based on the hash of the
-USER and SO pins. Therefore it is a clear key and software is used to
-do the encryption/decryption of the secure key.
+Configuration
+-------------
-MK_USER: The secure key used for internal on-disk encryption, encrypted
+To use the CCA token a slot entry must be defined in the
+opencryptoki.conf configuration file that sets the stdll attribute to
+libcsulcca.so.
+
+The CCA token also requires that the appropriate master keys have
+been installed into the hardware. The corresponding driver must also be
+loaded, i.e. modprobe z90crypt.
+
+CCA Token Objects
+-------------------------
+
+Opencryptoki stores token objects on disk. Public token objects are not
+encrypted. Private token objects are encrypted.
+Versions of opencryptoki prior to version 3, used a CCA generated secure key
+(des3 key) and the crypto adapter to encrypt the private token object's data.
+In version 3, a clear key (des3 key) and software crypto (openssl) are used
+to encrypt this data.
+
+Migration Information
+---------------------
+
+Migrating version 2 private token objects to version 3 is ONLY required if
+the system will run opencryptoki version 3 and will use private token
+objects saved or preserved from version 2.
+Note, public token objects do not need to be migrated.
+If there are no private token objects from version 2, then the version 3
+does not require any migrating.
+
+In version 2 private token objects are encrypted and decrypted with a secure
+key in the crypto adapter. In version 3, this encryption and decryption is
+done with a clear key using software crypto. Therefore, opencryptoki
+version 3, will not succesfully decrypt a version 2 private token object.
+
+Version 2 private token objects must be "migrated" to version 3 so that
+opencryptoki version 3 can access these objects. This migration will
+decrypt the objects using the CCA call, CSNBDEC and the current
+opencryptoki key stored in MK_USER. The objects will then be re-encrypted
+using software crypto. The key bits that are stored in MK_USER will then be
+used as a clear key.
+
+Once the migration has completed, these private token objects should then be
+accessable to version 3.
+
+Migration Steps
+---------------
+
+1. Either update or install version 3.
+a. Update to opencryptoki version 3. In most linux distributions, an update
+from version 2 to version 3 will preserve the contents of the CCA data-store.
+
+b. Install opencryptoki version 3. In most distributions, an install will
+remove the contents of the CCA data-store. You will essentially be starting
+from the beginning and have to initialize the CCA token.
+
+In this scenario, if a prior version of opencryptoki had been running on the
+system, and you wanted to preserve your token objects, you will have saved
+or backed them up somewhere.
+
+2. Backup the CCA data-store before migrating. It is always a good idea to
+back up the data in case the migration is unsuccessful or data is corrupted.
+The data-store is the directory in which the CCA token information is stored
+on disk. In most distributions it can be found in /var/lib/opencryptoki/ccatok.
+Within this directory there is,
+
+MK_USER: The des3 key used for internal on-disk encryption, encrypted
under the USER's PIN by software routines
-MK_SO: The secure key used for internal on-disk encryption, encrypted
+MK_SO: The des3 key used for internal on-disk encryption, encrypted
under the SO's PIN by software routines
-So, MK_USER and MK_SO contain the same key, encrypted under different PINs
+NKTOK.DAT: Token information.
+
+TOK_OBJ: The directory in which token objects are stored.
+
+TOK_OBJ/OBJ.IDX: A list of current token objects.
+
+**NOTE: MK_USER and MK_SO contain the same key, encrypted under
+different PINs
+
+3. Ensure no opencryptoki processes are running. Stop the pkcsslotd daemon
+if it is running.
+
+4. Run the pkcscca tool to perform the migration.
+For example,
+ pkcscca -m v2objectsv3 -v
+
+Note that the "-v" option will allow you to see which objects did and did not
+get migrated. Specify the "-d" flag if you wish to migrate CCA token objects
+stored in a data-store different from the default, /var/lib/opencryptoki/ccatok.
+
+5. (Optional) Removing shared memory may be required to pick up
+the newly migrated objects.
+
+CCA token's shared memory segment tracks its token objects.
+Token objects stored on disk are only loaded into shared memory
+when the shared memory is created. The shared memory is usually
+created after a reboot, an install, or an update of the opencryptoki package.
+
+If another opencryptoki process accessed the CCA token after install
+or update, then opencryptoki will have loaded all the token objects into
+shared memory, except for the private token objects requiring migration,
+since they will have failed decryption. Subsequent calls to the
+opencryptoki api will not find these objects since they have not
+been loaded into shared memory. Opencryptoki won't read the
+objects from disk and load into shared memory again until the next time
+shared memory is created.
+
+So, in this case, shared memory must be removed and created again so
+that opencryptoki can successfuly load all the token objects including the
+newly migrated private token objects into CCA token's shared memory segment.
+
+Remove shared memory if,
+ - after updating or installing, any opencryptoki processes or tools tried
+ to access the CCA token before migrating CCA token's private token
+ objects. For example, the pkcsconf command was run.
+
+ The pre-migrated objects will have failed decryption and not
+ been loaded into shared memory. A reboot or removing shared memory
+ will cause the token to create shared memory again and load the newly
+ migrated private token objects into it.
+
+CCA's shared memory can be removed two ways.
+ 1. a reboot
+
+ 2. remove the shared memory file,
+ i.e. "rm /dev/shm/var.lib.opencryptoki.ccatok"
+
+ Notes: (1). Ensure that no opencryptoki processes are running
+ before removing the shared memory. Otherwise, you risk corrupting
+ any running opencryptoki processes.
+ (2). If you have installed opencryptoki manually (not via a distro
+ rpm) the CCA token shared memory segment may be named
+ usr.local.var.lib.opencryptoki.ccatok.
+
+The next opencryptoki process to run will cause opencryptoki to create
+a shared memory segment for the token and load the newly migrated objects
+as well as any other token objects for the token.
-PKCS#11 Notes:
+6. After a successful migration, the CCA private token objects should be
+encrypted and ready to be accessed by opencryptoki version 3.
-DES/3DES PKCS#11 key objects have the CCA key identifier stored in the CKA_VALUE
-attribute. Usually the CKA_VALUE attribute would hold a plaintext key, however
-in this case, the id used to reference the secure key is stored here.
+TroubleShooting:
+1. If version 3 cannot find the newly migrated CCA private token objects,
+reboot or remove the shared memory file. This will cause token to create
+shared memory again and load the newly migrated private token objects
+into shared memory.
diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am
index c4b4d95..f2274d7 100644
--- a/man/man1/Makefile.am
+++ b/man/man1/Makefile.am
@@ -1,3 +1,3 @@
-man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1
+man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1 pkcscca.1
EXTRA_DIST = $(man1_MANS)
CLEANFILES = $(man1_MANS)
diff --git a/man/man1/pkcscca.1.in b/man/man1/pkcscca.1.in
new file mode 100644
index 0000000..c6e49d6
--- /dev/null
+++ b/man/man1/pkcscca.1.in
@@ -0,0 +1,45 @@
+.TH PKCSCCA 1 "September 2014" "@PACKAGE_VERSION@" "openCryptoki"
+.SH NAME
+pkcscca \- configuration utility for the CCA token
+
+.SH SYNOPSIS
+\fBpkcscca\fP
+[\fB-h\fP]
+[\fB-m v2objectsv3\fP]
+[\fIOPTIONS\fP]
+
+.SH DESCRIPTION
+The \fBpkcscca\fP utility assists in administering the CCA token. Currently it
+migrates opencryptoki version 2 private token objects to the encryption
+method used in opencryptoki version 3.
+
+In verion 2 of opencryptoki, CCA private token objects were encrypted in CCA
+hardware. In version 3 these objects are encrypted in software. The
+\fBv2objectsv3\fP migration option migrates these version 2 objects by
+decrypting them in CCA hardware using a secure key and then re-encrypting
+them in software using a software key. Afterwards, v2 objects can be accessed
+in version 3.
+
+.SH "FLAGS"
+.IP "\fB-h\fP" 10
+show usage information
+.IP "\fB-m\fP" 10
+perform a migration. \fBv2objectsv3\fP is currently the only type of migration
+supported and must be specified along with this flag.
+
+.SH "MIGRATION OPTIONS"
+.IP "\fB-d|--datastore\fP \fIdirectory\fp" 10
+the directory where the CCA token information is kept. This directory will be
+used to locate the private token objects to be migrated. i.e. /var/lib/opencryptoki/ccatok
+.IP "\fB-v|--verbose\fP" 10
+provide detailed output during migration
+
+.SH "FILES"
+.IP "/var/lib/opencryptoki/ccatok/TOK_OBJ/OBJ.IDX"
+contains current list of public and private token objects for the CCA token.
+
+.SH SEE ALSO
+.PD 0
+.TP
+\fBREADME.cca_stdll\fP (in system's doc directory)
+.PD
--
1.8.1.4

255
ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch Normal file
View File

@ -0,0 +1,255 @@
--- opencryptoki.orig/doc/README.ep11_stdll 2014-09-04 21:59:50.000000000 -0600
+++ opencryptoki/doc/README.ep11_stdll 2014-09-04 22:01:27.223654000 -0600
@@ -1,126 +1,126 @@
-EP11 Token
-==========
-
-The EP11 token is a token that uses the IBM Crypto Express adapters
-(starting with Crypto Express 4S adapters) configured with Enterprise
-PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that
-firmware load are also called CEXnP adapters for n >= 4.
-
-The EP11 token is only supported on the System z architecture and requires a
-Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver
-loaded into the kernel and the availability of EP11 library libep11.
-
-The token directory of the EP11 token is opencryptoki/ep11tok typically
-located in /var/lib.
-
-Configuration
--------------
-
-To use the EP11 token a slot entry must be defined in the general opencryptoki
-configuration file that sets the stdll attribute to libpkcs11_ep11.so.
-
-A EP11 token specific configuration file must be set up to define the target
-adapters and target adapter domains. The name of the configuration file must be
-defined in the global openCryptoki configuration opencryptoki.conf file as part
-of the token specification using the confname attribute.
-E.g. the entry
-
-slot 4
-{
-stdll = libpkcs11_ep11.so
-confname = ep11tok.conf
-}
-
-defines the name of the configuration file of the EP11 token to be
-ep11tok.conf. Per default this file is searched in the directory where
-openCryptoki searches its global configuration file. This default path can
-be overriden using the OCK_EP11_TOKEN_DIR environment variable.
-
-EP11 token configuration files defines a list of adapter/domain pairs to which
-the EP11 token sends its cryptographic requests. This list can be specified as
-a white list starting with a line containing the key word APQN_WHITELIST
-followed by one or more lines containing each two integers (in the range
-of 0 - 255) separated by a white space. The white list is ended with a line
-containing the key word END. In each of lines of the white list the first
-integer denotes the adapter number and the second integer denotes the domain
-id. Alternatively the keyword APQN_ANY can be used to define that all
-adapter/domain pairs with EP11 firmware load that are available to the system
-shall be used as target adapters. An adapter number corresponds to the
-numerical part xx of an adapter id of the form cardxx as displayed by the
-lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices).
-Currently Linux on z only supports a single domain. That domain number can be
-displayed with lszcrypt -b (see the value of ap_domain) or alternatively as
-contents of /sys/bus/ap/ap_domain.
-
-In addition to the target adapter a log level can be defined in the EP11
-configuration file using a line consisting of the key word LOGLEVEL followed
-by an integer between 0 and 9.
-
-Logging
--------
-
-If a log level greater than 0 is defined in the environment variable
-OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration
-file then log entries are written to a log file
-/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the process
-using the EP11 token.
-
-Note, that the handling of EP11 logs is subject to change in future releases
-of opencryptoki.
-
-Crypto Express Adapter EP11 Master Key Management
--------------------------------------------------
-
-If master keys are changed on an EP11 adapter all key objects in the token
-object repository (in the TOK_OBJ directory within the EP11 token directory)
-become invalid.
-
-The key migration tool pkcsep11_migrate can be used to perform the migration
-of the current EP11 master keys to new master keys. Therefore the following
-steps must be performed:
-1) On the Trusted Key Entry console (TKE): Submit and commit new master
-keys on the EP11 adapter(s).
-2) On Linux: Stop all processes using openCryptoki with the EP11 token.
-3) On Linux: Back up the token object repository of the EP11 token.
-4) On Linux: Migrate keys of object repository of EP11 token with
-migration tool. If a failure occurs restore the backed up token repository
-and retry step 4.
-5) On the TKE: Activate new master keys on the EP11 adapter(s).
-6) On Linux: Restart applications using openCryptoki with the EP11 token.
-
-Token specifics
----------------
-
-The EP11 token only supports secure keys (i.e. key wrapped by a master key of
-the Crypto Express adapter). Therefore all keys must have the attribute
-CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
-(token specific) default for secure keys the attribute must be explicitly
-provided whenever a secret key is generated, unwrapped or build with
-C_CreateObject. In addition all keys used with the EP11 token are extractable.
-i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.
-
-When creating keys the default values of the attributes CKA_ENCRYPT,
-CKA DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE.
-Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions.
-
-All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than
-or equal to 17.
-
-The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
-according to ANSI X9.31. Therefore in the EP11 token the lengths of the
-RSA primes (p or q) must be a multiple of 128 bits and the length of the
-modulus (CKA_MODULUS_BITS) must be a multiple of 256.
-
-The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have
-a length that is a multiple of the block size of DES3 or AES respectively.
-
-See the mechanism list and mechanism info (pkcsconf -m) for supported
-mechanisms together with supported functions and key sizes. Note the
-supported mechanism list is currently fix and matches the most stringent
-setting of the Crypto Express adapter.
-
-Note, the EP11 coprocessor adapter can be configured to restrict the
-cryptographic capababilities in order for the adapter to comply with specific
-security requirements and regulations. Such restrictions on the adapter impact
-the capabilitiy of the EP11 token.
-
+EP11 Token
+==========
+
+The EP11 token is a token that uses the IBM Crypto Express adapters
+(starting with Crypto Express 4S adapters) configured with Enterprise
+PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that
+firmware load are also called CEXnP adapters for n >= 4.
+
+The EP11 token is only supported on the System z architecture and requires a
+Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver
+loaded into the kernel and the availability of EP11 library libep11.
+
+The token directory of the EP11 token is opencryptoki/ep11tok typically
+located in /var/lib.
+
+Configuration
+-------------
+
+To use the EP11 token a slot entry must be defined in the general opencryptoki
+configuration file that sets the stdll attribute to libpkcs11_ep11.so.
+
+A EP11 token specific configuration file must be set up to define the target
+adapters and target adapter domains. The name of the configuration file must be
+defined in the global openCryptoki configuration opencryptoki.conf file as part
+of the token specification using the confname attribute.
+E.g. the entry
+
+slot 4
+{
+stdll = libpkcs11_ep11.so
+confname = ep11tok.conf
+}
+
+defines the name of the configuration file of the EP11 token to be
+ep11tok.conf. Per default this file is searched in the directory where
+openCryptoki searches its global configuration file. This default path can
+be overriden using the OCK_EP11_TOKEN_DIR environment variable.
+
+EP11 token configuration files defines a list of adapter/domain pairs to which
+the EP11 token sends its cryptographic requests. This list can be specified as
+a white list starting with a line containing the key word APQN_WHITELIST
+followed by one or more lines containing each two integers (in the range
+of 0 - 255) separated by a white space. The white list is ended with a line
+containing the key word END. In each of lines of the white list the first
+integer denotes the adapter number and the second integer denotes the domain
+id. Alternatively the keyword APQN_ANY can be used to define that all
+adapter/domain pairs with EP11 firmware load that are available to the system
+shall be used as target adapters. An adapter number corresponds to the
+numerical part xx of an adapter id of the form cardxx as displayed by the
+lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices).
+Currently Linux on z only supports a single domain. That domain number can be
+displayed with lszcrypt -b (see the value of ap_domain) or alternatively as
+contents of /sys/bus/ap/ap_domain.
+
+In addition to the target adapter a log level can be defined in the EP11
+configuration file using a line consisting of the key word LOGLEVEL followed
+by an integer between 0 and 9.
+
+Logging
+-------
+
+If a log level greater than 0 is defined in the environment variable
+OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration
+file then log entries are written to a log file
+/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the process
+using the EP11 token.
+
+Note, that the handling of EP11 logs is subject to change in future releases
+of opencryptoki.
+
+Crypto Express Adapter EP11 Master Key Management
+-------------------------------------------------
+
+If master keys are changed on an EP11 adapter all key objects in the token
+object repository (in the TOK_OBJ directory within the EP11 token directory)
+become invalid.
+
+The key migration tool pkcsep11_migrate can be used to perform the migration
+of the current EP11 master keys to new master keys. Therefore the following
+steps must be performed:
+1) On the Trusted Key Entry console (TKE): Submit and commit new master
+keys on the EP11 adapter(s).
+2) On Linux: Stop all processes using openCryptoki with the EP11 token.
+3) On Linux: Back up the token object repository of the EP11 token.
+4) On Linux: Migrate keys of object repository of EP11 token with
+migration tool. If a failure occurs restore the backed up token repository
+and retry step 4.
+5) On the TKE: Activate new master keys on the EP11 adapter(s).
+6) On Linux: Restart applications using openCryptoki with the EP11 token.
+
+Token specifics
+---------------
+
+The EP11 token only supports secure keys (i.e. key wrapped by a master key of
+the Crypto Express adapter). Therefore all keys must have the attribute
+CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
+(token specific) default for secure keys the attribute must be explicitly
+provided whenever a secret key is generated, unwrapped or build with
+C_CreateObject. In addition all keys used with the EP11 token are extractable.
+i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.
+
+When creating keys the default values of the attributes CKA_ENCRYPT,
+CKA DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE.
+Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions.
+
+All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than
+or equal to 17.
+
+The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
+according to ANSI X9.31. Therefore in the EP11 token the lengths of the
+RSA primes (p or q) must be a multiple of 128 bits and the length of the
+modulus (CKA_MODULUS_BITS) must be a multiple of 256.
+
+The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have
+a length that is a multiple of the block size of DES3 or AES respectively.
+
+See the mechanism list and mechanism info (pkcsconf -m) for supported
+mechanisms together with supported functions and key sizes. Note the
+supported mechanism list is currently fix and matches the most stringent
+setting of the Crypto Express adapter.
+
+Note, the EP11 coprocessor adapter can be configured to restrict the
+cryptographic capababilities in order for the adapter to comply with specific
+security requirements and regulations. Such restrictions on the adapter impact
+the capabilitiy of the EP11 token.
+

26
openCryptoki.changes
View File

@ -1,3 +1,29 @@
-------------------------------------------------------------------
Fri Sep 5 04:05:02 UTC 2014 - jjolly@suse.com
- Fixed README.ep11_stdll to have Unix-style EOL characters.
- Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
-------------------------------------------------------------------
Thu Sep 4 21:51:32 UTC 2014 - jjolly@suse.com
- Added all files from %src/doc as rpm %doc (bnc#894780)
-------------------------------------------------------------------
Thu Sep 4 21:17:04 UTC 2014 - jjolly@suse.com
- Added pkcscca utility and documentation to convert private
token objects from v2 to v3. (bnc#893757)
- Added patches:
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
-------------------------------------------------------------------
Thu Sep 4 20:35:01 UTC 2014 - jjolly@suse.com
- Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889193)
- Added patch ocki-3.1_07_0001-Man-page-corrections.patch
-------------------------------------------------------------------
Fri Aug 15 02:14:21 UTC 2014 - sfalken@opensuse.org

10
openCryptoki.spec
View File

@ -74,6 +74,10 @@ Patch13: ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-
Patch14: ocki-3.1_06_0005-Small-reworks.patch
Patch15: ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
Patch16: ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
Patch17: ocki-3.1_07_0001-Man-page-corrections.patch
Patch18: ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
Patch19: ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
Patch20: ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
Url: http://oss.software.ibm.com/developerworks/opensource/opencryptoki
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed %insserv_prereq
@ -167,6 +171,10 @@ Cryptographic Accelerator (FC 4960 on pSeries).
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
cp %{SOURCE2} .
%build
@ -285,6 +293,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
%files
%defattr(-,root,root)
%doc openCryptoki-TFAQ.html
%doc doc/*
# configuration directory
%dir %{_sysconfdir}/opencryptoki
%config %{_sysconfdir}/opencryptoki/opencryptoki.conf
@ -307,6 +316,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
%{_sbindir}/pkcsslotd
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsicsf
%{_sbindir}/pkcscca
%dir %{_libdir}/opencryptoki
%dir %{_libdir}/opencryptoki/stdll
# State and lock directories