From bbdcb346dfad148915aac4802605e856010375a814a02445c8ddb7117a468303 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Fri, 5 Sep 2014 10:54:00 +0000 Subject: [PATCH] Accepting request 247627 from home:jjolly:branches:security Fixed several bugs and cleaned up changes and specfile OBS-URL: https://build.opensuse.org/request/show/247627 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=21 --- ocki-3.1-fix-implicit-decl.patch | 76 +- ...-3.1-remove-make-install-chgrp-chmod.patch | 6 +- ocki-3.1_07_0001-Man-page-corrections.patch | 63 ++ ...ol-to-help-migrate-cca-private-token.patch | 783 ++++++++++++++++++ ...n-pkcscca-manpage-and-README.cca_std.patch | 281 +++++++ ...1_09_0001-Fix-EOL-encoding-in-README.patch | 255 ++++++ openCryptoki.changes | 26 + openCryptoki.spec | 10 + 8 files changed, 1459 insertions(+), 41 deletions(-) create mode 100644 ocki-3.1_07_0001-Man-page-corrections.patch create mode 100644 ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch create mode 100644 ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch create mode 100644 ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch diff --git a/ocki-3.1-fix-implicit-decl.patch b/ocki-3.1-fix-implicit-decl.patch index b9345ca..ed6e40c 100644 --- a/ocki-3.1-fix-implicit-decl.patch +++ b/ocki-3.1-fix-implicit-decl.patch @@ -1,5 +1,5 @@ ---- opencryptoki.orig/usr/lib/pkcs11/common/loadsave.c 2014-01-27 15:01:58.000000000 -0700 -+++ opencryptoki/usr/lib/pkcs11/common/loadsave.c 2014-01-31 10:56:26.377812000 -0700 +--- opencryptoki/usr/lib/pkcs11/common/loadsave.c ++++ opencryptoki/usr/lib/pkcs11/common/loadsave.c @@ -287,6 +287,9 @@ // // @@ -10,8 +10,8 @@ #include #include #include ---- opencryptoki.orig/usr/lib/pkcs11/common/mech_rng.c 2014-01-27 15:01:58.000000000 -0700 -+++ opencryptoki/usr/lib/pkcs11/common/mech_rng.c 2014-01-31 11:00:30.004283000 -0700 +--- opencryptoki/usr/lib/pkcs11/common/mech_rng.c ++++ opencryptoki/usr/lib/pkcs11/common/mech_rng.c @@ -301,6 +301,7 @@ #include #include @@ -20,40 +20,8 @@ #include "pkcs11types.h" ---- opencryptoki.orig/usr/sbin/pkcsslotd/garbage_linux.c 2014-01-27 15:01:58.000000000 -0700 -+++ opencryptoki/usr/sbin/pkcsslotd/garbage_linux.c 2014-01-31 11:03:14.422314000 -0700 -@@ -294,6 +294,7 @@ - #include - #include - #include -+#include - - #include "log.h" - #include "slotmgr.h" ---- opencryptoki.orig/usr/sbin/pkcsslotd/mutex.c 2014-01-31 11:08:15.000000000 -0700 -+++ opencryptoki/usr/sbin/pkcsslotd/mutex.c 2014-01-31 11:08:25.929081000 -0700 -@@ -293,6 +293,9 @@ - #include - #include - #include -+#include -+#include -+#include - - #include "log.h" - #include "slotmgr.h" ---- opencryptoki.orig/usr/sbin/pkcsslotd/slotmgr.c 2014-01-27 15:01:58.000000000 -0700 -+++ opencryptoki/usr/sbin/pkcsslotd/slotmgr.c 2014-01-31 11:12:08.708122000 -0700 -@@ -292,6 +292,7 @@ - #include - #include - #include -+#include - - #include "log.h" - #include "slotmgr.h" ---- opencryptoki.orig/usr/lib/pkcs11/tpm_stdll/tpm_specific.c 2014-01-27 15:01:58.000000000 -0700 -+++ opencryptoki/usr/lib/pkcs11/tpm_stdll/tpm_specific.c 2014-01-31 11:16:45.158228000 -0700 +--- opencryptoki/usr/lib/pkcs11/tpm_stdll/tpm_specific.c ++++ opencryptoki/usr/lib/pkcs11/tpm_stdll/tpm_specific.c @@ -31,6 +31,9 @@ * */ @@ -64,3 +32,35 @@ #include #include #include +--- opencryptoki/usr/sbin/pkcsslotd/garbage_linux.c ++++ opencryptoki/usr/sbin/pkcsslotd/garbage_linux.c +@@ -294,6 +294,7 @@ + #include + #include + #include ++#include + + #include "log.h" + #include "slotmgr.h" +--- opencryptoki/usr/sbin/pkcsslotd/mutex.c ++++ opencryptoki/usr/sbin/pkcsslotd/mutex.c +@@ -293,6 +293,9 @@ + #include + #include + #include ++#include ++#include ++#include + + #include "log.h" + #include "slotmgr.h" +--- opencryptoki/usr/sbin/pkcsslotd/slotmgr.c ++++ opencryptoki/usr/sbin/pkcsslotd/slotmgr.c +@@ -292,6 +292,7 @@ + #include + #include + #include ++#include + + #include "log.h" + #include "slotmgr.h" diff --git a/ocki-3.1-remove-make-install-chgrp-chmod.patch b/ocki-3.1-remove-make-install-chgrp-chmod.patch index 289d1f4..cefa3c7 100644 --- a/ocki-3.1-remove-make-install-chgrp-chmod.patch +++ b/ocki-3.1-remove-make-install-chgrp-chmod.patch @@ -84,9 +84,9 @@ uninstall-hook: if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \ ---- opencryptoki.orig/usr/lib/pkcs11/tpm_stdll/Makefile.am 2014-01-27 15:01:58.000000000 -0700 -+++ opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am 2014-01-31 08:20:37.999866000 -0700 -@@ -69,11 +69,7 @@ install-data-hook: +--- opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am ++++ opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am +@@ -69,11 +69,7 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -sf libpkcs11_tpm.so PKCS11_TPM.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm diff --git a/ocki-3.1_07_0001-Man-page-corrections.patch b/ocki-3.1_07_0001-Man-page-corrections.patch new file mode 100644 index 0000000..ad7d31f --- /dev/null +++ b/ocki-3.1_07_0001-Man-page-corrections.patch @@ -0,0 +1,63 @@ +From 417e55a76a3a52dfb22f0055230c74b083d9e3a7 Mon Sep 17 00:00:00 2001 +From: Joy Latten +Date: Fri, 29 Aug 2014 12:40:35 -0500 +Subject: [PATCH] Man page corrections. + +Remove references to obsoleted pk_config_data and pkcs11_startup +in the pkcsslotd man page. Other changes made as necessary. + +Signed-off-by: Joy Latten +--- + man/man5/opencryptoki.conf.5.in | 12 +++++++++++- + man/man8/pkcsslotd.8.in | 6 ++---- + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/man/man5/opencryptoki.conf.5.in b/man/man5/opencryptoki.conf.5.in +index e13c110..f3aabd1 100644 +--- a/man/man5/opencryptoki.conf.5.in ++++ b/man/man5/opencryptoki.conf.5.in +@@ -3,7 +3,7 @@ + opencryptoki.conf \- Configuration file for pkcsslotd. + + .SH DESCRIPTION +-pkcsslotd uses a configuration file at "@sysconfdir@"/opencryptoki.conf ++pkcsslotd uses a configuration file at @sysconfdir@/opencryptoki/opencryptoki.conf + + This is a text file that contains information used to configure + pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to +@@ -51,6 +51,16 @@ Version number of the slot's firmware, if any. The version number is composed + of a major version number (the integer portion of the version) and a + minor version number (the hundredths portion of the version). + .TP ++.BR confname ++If the slot is associated with a token that has its own configuration file, ++this option identifies the name of that configuration file. ++For example, confname=ep11tok.conf ++ ++.SH Notes ++The pound sign ('#') is used to indicate a comment. ++Both the comment character and any text after it, up to the end of the line, ++are ignored. The comment character cannot be used inside the brackets of ++slot descriptions, as this will cause a syntax error. + + .SH "SEE ALSO" + .PD 0 +diff --git a/man/man8/pkcsslotd.8.in b/man/man8/pkcsslotd.8.in +index c5d7280..db113e9 100644 +--- a/man/man8/pkcsslotd.8.in ++++ b/man/man8/pkcsslotd.8.in +@@ -29,9 +29,7 @@ manual page for details. + .TP + \fBopencryptoki\fP(7), + .TP +-\fBpkcsconf\fP(1), +-.TP +-\fBpk_config_data\fP(5), ++\fBopencryptoki.conf\fP(5), + .TP +-\fBpkcs11_startup\fP(1). ++\fBpkcsconf\fP(1), + .PD +-- +1.8.1.4 + diff --git a/ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch b/ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch new file mode 100644 index 0000000..b27d5de --- /dev/null +++ b/ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch @@ -0,0 +1,783 @@ +From afb086ce22bd1ff4d0f1cf0768dfff3c03424096 Mon Sep 17 00:00:00 2001 +From: Joy Latten +Date: Thu, 28 Aug 2014 00:36:43 -0500 +Subject: [PATCH 1/2] Add a pkcscca tool to help migrate cca private token + objects from v2(encrypted with cca hardware) to v3 (encrypted in software) + +Signed-off-by: Joy Latten +--- + configure.in | 1 + + usr/sbin/Makefile.am | 6 +- + usr/sbin/pkcscca/Makefile.am | 14 + + usr/sbin/pkcscca/pkcscca.c | 661 +++++++++++++++++++++++++++++++++++++++++++ + usr/sbin/pkcscca/pkcscca.h | 49 ++++ + 5 files changed, 730 insertions(+), 1 deletion(-) + create mode 100644 usr/sbin/pkcscca/Makefile.am + create mode 100644 usr/sbin/pkcscca/pkcscca.c + create mode 100644 usr/sbin/pkcscca/pkcscca.h + +Index: opencryptoki/configure.in +=================================================================== +--- opencryptoki.orig/configure.in ++++ opencryptoki/configure.in +@@ -818,6 +818,7 @@ AC_CONFIG_FILES([Makefile usr/Makefile \ + usr/sbin/pkcsslotd/Makefile \ + usr/sbin/pkcsconf/Makefile \ + usr/sbin/pkcsicsf/Makefile \ ++ usr/sbin/pkcscca/Makefile \ + usr/sbin/pkcscca_migrate/Makefile \ + usr/sbin/pkcsep11_migrate/Makefile \ + usr/lib/pkcs11/methods/Makefile \ +Index: opencryptoki/usr/sbin/Makefile.am +=================================================================== +--- opencryptoki.orig/usr/sbin/Makefile.am ++++ opencryptoki/usr/sbin/Makefile.am +@@ -11,4 +11,8 @@ if ENABLE_PKCSEP11_MIGRATE + PKCSEP11_MIGRATE_DIR = pkcsep11_migrate + endif + +-SUBDIRS = pkcsslotd pkcsconf $(PKCSICSF_DIR) $(PKCSCCA_MIGRATE_DIR) $(PKCSEP11_MIGRATE_DIR) ++if ENABLE_CCATOK ++PKCSCCA_DIR = pkcscca ++endif ++ ++SUBDIRS = pkcsslotd pkcsconf $(PKCSICSF_DIR) $(PKCSCCA_MIGRATE_DIR) $(PKCSEP11_MIGRATE_DIR) $(PKCSCCA_DIR) +Index: opencryptoki/usr/sbin/pkcscca/Makefile.am +=================================================================== +--- /dev/null ++++ opencryptoki/usr/sbin/pkcscca/Makefile.am +@@ -0,0 +1,14 @@ ++sbin_PROGRAMS=pkcscca ++ ++pkcscca_CFLAGS = -DSTDLL_NAME=\"pkcscca\" ++pkcscca_LDFLAGS = -lcrypto -ldl ++ ++# Not all versions of automake observe sbinname_CFLAGS ++AM_CFLAGS = -DSTDLL_NAME=\"pkcscca\" ++ ++pkcscca_SOURCES = ../../lib/pkcs11/common/p11util.c \ ++ ../../lib/pkcs11/common/sw_crypt.c \ ++ ../../lib/pkcs11/common/log.c \ ++ pkcscca.c ++ ++INCLUDES = -I. -I../../include/pkcs11 -I../../lib/pkcs11/common +Index: opencryptoki/usr/sbin/pkcscca/pkcscca.c +=================================================================== +--- /dev/null ++++ opencryptoki/usr/sbin/pkcscca/pkcscca.c +@@ -0,0 +1,661 @@ ++/* ++ * Licensed materials - Property of IBM ++ * ++ * pkcscca - A tool for PKCS#11 CCA token. ++ * Currently, only migrates CCA private token objects from CCA cipher ++ * to using a software cipher. ++ * ++ * ++ * Copyright (C) International Business Machines Corp. 2014 ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "sw_crypt.h" ++#include "pkcscca.h" ++ ++void (*CSNBDEC)(); ++int v_flag = 0; ++ ++int compute_hash(int hash_type, int buf_size, char *buf, char *digest) ++{ ++ EVP_MD_CTX md_ctx; ++ unsigned int result_size; ++ int rc; ++ ++ switch (hash_type) { ++ case HASH_SHA1: ++ rc = EVP_DigestInit(&md_ctx, EVP_sha1()); ++ break; ++ case HASH_MD5: ++ rc = EVP_DigestInit(&md_ctx, EVP_md5()); ++ break; ++ default: ++ return -1; ++ break; ++ } ++ ++ if (rc != 1) { ++ fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc); ++ return -1; ++ } ++ ++ rc = EVP_DigestUpdate(&md_ctx, buf, buf_size); ++ if (rc != 1) { ++ fprintf(stderr, "EVP_DigestUpdate() failed: rc = %d\n", rc); ++ return -1; ++ } ++ ++ result_size = EVP_MD_CTX_size(&md_ctx); ++ rc = EVP_DigestFinal(&md_ctx, (unsigned char *)digest, &result_size); ++ if (rc != 1) { ++ fprintf(stderr, "EVP_DigestFinal() failed: rc = %d\n", rc); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++int cca_decrypt(unsigned char *in_data, unsigned long in_data_len, ++ unsigned char *out_data, unsigned long *out_data_len, ++ unsigned char *init_v, unsigned char *key_value) ++{ ++ long return_code, reason_code, rule_array_count, length; ++ unsigned char chaining_vector[18]; ++ unsigned char rule_array[256]; ++ ++ length = in_data_len; ++ rule_array_count = 1; ++ memcpy(rule_array, "CBC ", 8); ++ ++ CSNBDEC(&return_code, &reason_code, NULL, NULL, key_value, ++ &length, in_data, init_v, &rule_array_count, ++ rule_array, chaining_vector, out_data); ++ ++ if (return_code != 0) { ++ fprintf(stderr, "CSNBDEC (DES3 DECRYPT) failed: return_code=%ld reason_code=%ld\n", return_code, reason_code); ++ return -1; ++ } ++ *out_data_len = length; ++ return 0; ++} ++ ++int reencrypt_private_token_object(unsigned char *data, unsigned long len, ++ unsigned char *new_cipher, ++ unsigned long *new_cipher_len, ++ unsigned char *masterkey) ++{ ++ unsigned char *clear = NULL; ++ unsigned char des3_key[64]; ++ unsigned char sw_des3_key[3 * DES_KEY_SIZE]; ++ unsigned long clear_len; ++ CK_RV rc; ++ int ret; ++ ++ /* cca wants 8 extra bytes for padding purposes */ ++ clear_len = len + 8; ++ clear = (unsigned char *) malloc(clear_len); ++ if (!clear) { ++ fprintf(stderr, "malloc() failed: %s.\n", strerror(errno)); ++ ret =-1; ++ goto done; ++ } ++ ++ /* decrypt using cca des3 */ ++ memcpy(des3_key, masterkey, MASTER_KEY_SIZE); ++ ret = cca_decrypt(data, len, clear, &clear_len, "10293847", des3_key); ++ if (ret) ++ goto done; ++ ++ /* now encrypt using software des3 */ ++ memcpy(sw_des3_key, masterkey, 3 * DES_KEY_SIZE); ++ rc = sw_des3_cbc_encrypt(clear, clear_len, new_cipher, new_cipher_len, ++ "10293847", sw_des3_key); ++ if (rc != CKR_OK) ++ ret = -1; ++done: ++ if (clear) ++ free(clear); ++ ++ return ret; ++} ++ ++int load_private_token_objects(unsigned char *data_store, ++ unsigned char *masterkey) ++{ ++ FILE *fp1 = NULL, *fp2 = NULL; ++ unsigned char *buf = NULL; ++ unsigned char tmp[PATH_MAX], fname[PATH_MAX], iname[PATH_MAX]; ++ CK_BBOOL priv; ++ unsigned int size; ++ int rc, scount= 0, fcount = 0; ++ size_t read_size; ++ unsigned char *new_cipher; ++ unsigned long new_cipher_len; ++ ++ snprintf(iname, sizeof(iname), "%s/TOK_OBJ/OBJ.IDX", data_store); ++ ++ fp1 = fopen((char *)iname, "r"); ++ if (!fp1) ++ return -1; // no token objects ++ ++ while (!feof(fp1)) { ++ (void)fgets((char *)tmp, 50, fp1); ++ if (!feof(fp1)) { ++ tmp[strlen((char *)tmp) - 1] = 0; ++ ++ snprintf((char *)fname, sizeof(fname), "%s/TOK_OBJ/", ++ data_store); ++ strcat((char *)fname, (char *)tmp); ++ ++ fp2 = fopen((char *)fname, "r"); ++ if (!fp2) ++ continue; ++ ++ fread(&size, sizeof(unsigned int), 1, fp2); ++ fread(&priv, sizeof(CK_BBOOL), 1, fp2); ++ if (priv == FALSE) { ++ fclose(fp2); ++ continue; ++ } ++ ++ size = size - sizeof(unsigned int) - sizeof(CK_BBOOL); ++ buf = (unsigned char *) malloc(size); ++ if (!buf) { ++ fprintf(stderr, "Cannot malloc for object %s " ++ "(ignoring it).\n", tmp); ++ goto cleanup; ++ } ++ ++ read_size = fread((char *)buf, 1, size, fp2); ++ if (read_size != size) { ++ fprintf(stderr, "Cannot read object %s " ++ "(ignoring it).\n", tmp); ++ goto cleanup; ++ } ++ ++ new_cipher_len = size; ++ new_cipher = malloc(new_cipher_len); ++ if (!new_cipher) { ++ fprintf(stderr, "Cannot malloc space for new " ++ "cipher (ignoring object %s).\n", tmp); ++ goto cleanup; ++ } ++ ++ /* After reading the private token object, ++ * decrypt it using CCA des3 and then re-encrypt it ++ * using software des3. ++ */ ++ memset(new_cipher, 0, new_cipher_len); ++ rc = reencrypt_private_token_object(buf, size, ++ new_cipher, &new_cipher_len, ++ masterkey); ++ if (rc) ++ goto cleanup; ++ ++ fclose(fp2); ++ ++ /* now save the newly re-encrypted object back to ++ * disk in its original file. ++ */ ++ fp2 = fopen((char *)fname, "w"); ++ size = sizeof(unsigned int) + sizeof(CK_BBOOL) ++ + new_cipher_len; ++ (void)fwrite(&size, sizeof(unsigned int), 1, fp2); ++ (void)fwrite(&priv, sizeof(CK_BBOOL), 1, fp2); ++ (void)fwrite(new_cipher, new_cipher_len, 1, fp2); ++ rc = 0; ++ ++cleanup: ++ if (fp2) ++ fclose(fp2); ++ if (buf) ++ free(buf); ++ if (new_cipher) ++ free(new_cipher); ++ ++ if (rc) { ++ if (v_flag) ++ printf("Failed to process %s\n", fname); ++ fcount++; ++ } else { ++ if (v_flag) ++ printf("Processed %s.\n", fname); ++ scount++; ++ } ++ } ++ } ++ fclose(fp1); ++ printf("Successfully migrated %d object(s).\n", scount); ++ ++ if (v_flag && fcount) ++ printf("Failed to migrate %d object(s).\n", fcount); ++ ++ return 0; ++} ++ ++int load_masterkey(char *mkfile, char *pin, char *masterkey) ++{ ++ unsigned char des3_key[3 * DES_KEY_SIZE]; ++ unsigned char hash_sha[SHA1_HASH_SIZE]; ++ unsigned char pin_md5_hash[MD5_HASH_SIZE]; ++ unsigned char *cipher = NULL; ++ unsigned char *clear = NULL; ++ unsigned long cipher_len, clear_len; ++ int ret; ++ CK_RV rc; ++ FILE *fp = NULL; ++ ++ clear_len = cipher_len = MASTER_KEY_SIZE + SHA1_HASH_SIZE + (DES_BLOCK_SIZE - 1) & ~(DES_BLOCK_SIZE - 1); ++ ++ fp = fopen((char *)mkfile, "r"); ++ if (!fp) { ++ fprintf(stderr, "Could not open %s: %s\n", mkfile, ++ strerror(errno)); ++ return -1; ++ } ++ ++ cipher = malloc(cipher_len); ++ clear = malloc(clear_len); ++ if (cipher == NULL || clear == NULL) { ++ ret = -1; ++ goto done; ++ } ++ ++ ret = fread(cipher, cipher_len, 1, fp); ++ if (ret != 1) { ++ fprintf(stderr, "Could not read %s: %s\n", mkfile, ++ strerror(errno)); ++ ret = -1; ++ goto done; ++ } ++ ++ /* decrypt the masterkey */ ++ ++ ret = compute_md5(pin, strlen(pin), pin_md5_hash); ++ if (ret) { ++ fprintf(stderr, "Error calculating MD5 of PIN!\n"); ++ goto done; ++ } ++ ++ memcpy(des3_key, pin_md5_hash, MD5_HASH_SIZE); ++ memcpy(des3_key + MD5_HASH_SIZE, pin_md5_hash, DES_KEY_SIZE); ++ ++ rc = sw_des3_cbc_decrypt(cipher, cipher_len, clear, &clear_len, ++ (unsigned char *)"12345678", des3_key); ++ if (rc != CKR_OK) { ++ fprintf(stderr, "Error decrypting master key file after read"); ++ ret = -1; ++ goto done; ++ } ++ ++ /* ++ * technically should strip PKCS padding here but since I already know ++ * what the length should be, I don't bother. ++ * ++ * compare the hashes to verify integrity ++ */ ++ ++ ret = compute_sha1(clear, MASTER_KEY_SIZE, hash_sha); ++ if (ret) { ++ fprintf(stderr, "Failed to compute sha for masterkey.\n"); ++ goto done; ++ } ++ ++ if (memcmp(hash_sha, clear + MASTER_KEY_SIZE, SHA1_HASH_SIZE) != 0) { ++ fprintf(stderr, "%s appears to have been tampered!\n", mkfile); ++ fprintf(stderr, "Cannot migrate.\n"); ++ ret = -1; ++ goto done; ++ } ++ ++ memcpy(masterkey, clear, MASTER_KEY_SIZE); ++ ret = 0; ++ ++done: ++ if (fp) ++ fclose(fp); ++ if (clear) ++ free(clear); ++ if (cipher) ++ free(cipher); ++ ++ return ret; ++} ++ ++int get_pin(char **pin, size_t *pinlen) ++{ ++ struct termios old, new; ++ int nread; ++ char *buff = NULL; ++ size_t buflen; ++ int rc = 0; ++ ++ /* turn echoing off */ ++ if (tcgetattr(fileno(stdin), &old) != 0) ++ return -1; ++ ++ new = old; ++ new.c_lflag &= ~ECHO; ++ if (tcsetattr (fileno(stdin), TCSAFLUSH, &new) != 0) ++ return -1; ++ ++ /* read the pin ++ * Note: getline will allocate memory for buff. free it when done. ++ */ ++ nread = getline(&buff, &buflen, stdin); ++ if (nread == -1) { ++ rc = -1; ++ goto done; ++ } ++ ++ /* Restore terminal */ ++ (void) tcsetattr(fileno(stdin), TCSAFLUSH, &old); ++ ++ /* start a newline */ ++ printf("\n"); ++ fflush(stdout); ++ ++ /* Allocate PIN. ++ * Note: nread includes carriage return. ++ * Replace with terminating NULL. ++ */ ++ *pin = (unsigned char *)malloc(nread); ++ if (*pin == NULL) { ++ rc = -ENOMEM; ++ goto done; ++ } ++ ++ /* strip the carriage return since not part of pin. */ ++ buff[nread - 1] = '\0'; ++ memcpy(*pin, buff, nread); ++ /* don't include the terminating null in the pinlen */ ++ *pinlen = nread - 1; ++ ++done: ++ if (buff) ++ free(buff); ++ ++ return rc; ++} ++ ++int verify_pins(char *data_store, char *sopin, unsigned long sopinlen, ++ char *userpin, unsigned long userpinlen) ++{ ++ TOKEN_DATA td; ++ unsigned char fname[PATH_MAX]; ++ unsigned char pin_sha[SHA1_HASH_SIZE]; ++ FILE *fp = NULL; ++ int ret; ++ ++ /* read the NVTOK.DAT */ ++ snprintf(fname, PATH_MAX, "%s/NVTOK.DAT", data_store); ++ fp = fopen((char *)fname, "r"); ++ if (!fp) { ++ fprintf(stderr, "Could not open %s: %s\n", fname, ++ strerror(errno)); ++ return -1; ++ } ++ ++ ret = fread(&td, sizeof(TOKEN_DATA), 1, fp); ++ if (ret != 1) { ++ fprintf(stderr, "Could not read %s: %s\n", fname, ++ strerror(errno)); ++ ret = -1; ++ goto done; ++ } ++ ++ /* Now compute the SHAs for the SO and USER pins entered. ++ * Compare with the SHAs for SO and USER PINs saved in ++ * NVTOK.DAT to verify. ++ */ ++ ++ if (sopin != NULL) { ++ ret = compute_sha1(sopin, sopinlen, pin_sha); ++ if (ret) { ++ fprintf(stderr, "Failed to compute sha for SO.\n"); ++ goto done; ++ } ++ ++ if (memcmp(td.so_pin_sha, pin_sha, SHA1_HASH_SIZE) != 0) { ++ fprintf(stderr, "SO PIN is incorrect.\n"); ++ ret = -1; ++ goto done; ++ } ++ } ++ ++ if (userpin != NULL) { ++ ret = compute_sha1(userpin, userpinlen, pin_sha); ++ if (ret) { ++ fprintf(stderr, "Failed to compute sha for USER.\n"); ++ goto done; ++ } ++ ++ if (memcmp(td.user_pin_sha, pin_sha, SHA1_HASH_SIZE) != 0) { ++ fprintf(stderr, "USER PIN is incorrect.\n"); ++ ret = -1; ++ goto done; ++ } ++ } ++ ret = 0; ++ ++done: ++ /* clear out the hash */ ++ memset(pin_sha, 0, SHA1_HASH_SIZE); ++ if (fp) ++ fclose(fp); ++ ++ return ret; ++} ++ ++void usage(char *progname) ++{ ++ printf("usage:\t%s -h | -m v2objectsv3 [OPTIONS] \n", progname); ++ printf(" -h\t\t\t\tshow this help\n"); ++ printf(" -m=migration_type\t\tCurrently the only type of CCA "); ++ printf("migration\n\t\t\t\tsupported is v2objectsv3. v2objectsv3 "); ++ printf("migrates\n\t\t\t\tCCA private token objects from CCA "); ++ printf("encryption\n\t\t\t\t(used in v2)to software encryption "); ++ printf("(used in v3). \n\n"); ++ printf("Migrate options (with -m v2objectsv3):\n"); ++ printf(" -d, --datastore=DIRECTORY\tCCA token datastore location\n"); ++ printf(" -v, --verbose\t\t\tprovide more detailed output\n"); ++ ++ return; ++} ++ ++int main(int argc, char **argv) ++{ ++ int ret, opt; ++ unsigned int m_flag = 0; ++ char *sopin = NULL, *userpin = NULL; ++ size_t sopinlen, userpinlen; ++ unsigned char masterkey[MASTER_KEY_SIZE]; ++ unsigned char *data_store = NULL; ++ unsigned char *m_type = NULL; ++ int data_store_len; ++ char fname[PATH_MAX]; ++ struct stat statbuf; ++ void *lib_csulcca; ++ ++ struct option long_opts[] = { ++ { "datastore", required_argument, NULL, 'd' }, ++ { "verbose", no_argument, NULL, 'v'}, ++ { 0, 0, 0, 0 } ++ }; ++ ++ int long_index; ++ while ((opt = getopt_long(argc, argv, "d:m:hv", long_opts, NULL)) != -1) { ++ switch (opt) { ++ case 'd': ++ data_store = strdup(optarg); ++ break; ++ ++ case 'h': ++ usage(argv[0]); ++ return 0; ++ ++ case 'm': ++ m_type = strdup(optarg); ++ break; ++ ++ case 'v': ++ v_flag++; ++ break; ++ ++ default: ++ usage(argv[0]); ++ return -1; ++ } ++ } ++ ++ if (m_type) { ++ if (memcmp(m_type, "v2objectsv3", strlen("v2objectsv3"))) { ++ fprintf(stderr, "unknown migration type\n"); ++ usage(argv[0]); ++ return -1; ++ } ++ } ++ ++ /* use default data_store if one is not given */ ++ if (data_store == NULL) { ++ data_store_len = strlen(TOK_DATASTORE); ++ data_store = malloc(data_store_len + 1); ++ if (data_store == NULL) { ++ fprintf(stderr, "malloc failed: %s\n",strerror(errno)); ++ return -1; ++ } ++ memset(data_store, 0, data_store_len + 1); ++ memcpy(data_store, TOK_DATASTORE, data_store_len); ++ } ++ ++ /* Verify that the data store is valid by looking for ++ * MK_SO, MK_USER, and TOK_OBJ/OBJ.IDX. ++ */ ++ ++ memset(fname, 0, PATH_MAX); ++ snprintf(fname, PATH_MAX, "%s/MK_SO", data_store); ++ if (stat(fname, &statbuf) != 0) { ++ fprintf(stderr, "Cannot find %s.\n", fname); ++ ret = -1; ++ goto done; ++ } ++ ++ memset(fname, 0, PATH_MAX); ++ snprintf(fname, PATH_MAX, "%s/MK_USER", data_store); ++ if (stat(fname, &statbuf) != 0) { ++ fprintf(stderr, "Cannot find %s.\n", fname); ++ ret = -1; ++ goto done; ++ } ++ ++ memset(fname, 0, PATH_MAX); ++ snprintf(fname, PATH_MAX, "%s/TOK_OBJ/OBJ.IDX", data_store); ++ if (stat(fname, &statbuf) != 0) { ++ fprintf(stderr, "Cannot find %s.\n", fname); ++ ret = -1; ++ goto done; ++ } ++ ++ /* If the OBJ.IDX is empty, then no objects to migrate. */ ++ if (statbuf.st_size == 0) { ++ printf("OBJ.IDX file is empty. Thus no objects to migrate.\n"); ++ goto done; ++ } ++ ++ if (v_flag) ++ printf("%s has an MK_SO, MK_USER and TOK/OBJ.IDX\n", ++ data_store); ++ ++ /* get the SO pin to authorize migration */ ++ printf("Enter the SO PIN: "); ++ fflush(stdout); ++ ret = get_pin(&sopin, &sopinlen); ++ if (ret != 0) { ++ fprintf(stderr, "Could not get SO PIN.\n"); ++ goto done; ++ } ++ ++ /* get the USER pin to authorize migration */ ++ printf("Enter the USER PIN: "); ++ fflush(stdout); ++ ret = get_pin(&userpin, &userpinlen); ++ ++ if (ret != 0) { ++ fprintf(stderr, "Could not get USER PIN.\n"); ++ goto done; ++ } ++ ++ /* Verify the SO and USER PINs entered. */ ++ ret = verify_pins(data_store, sopin, sopinlen, userpin, userpinlen); ++ if (ret) ++ goto done; ++ ++ lib_csulcca = dlopen(CCA_LIBRARY, (RTLD_GLOBAL | RTLD_NOW)); ++ if (lib_csulcca == NULL) { ++ fprintf(stderr, "dlopen(%s) failed: %s\n", CCA_LIBRARY, ++ strerror(errno)); ++ return -1; ++ } ++ ++ CSNBDEC = dlsym(lib_csulcca, "CSNBDEC"); ++ ++ /* Get the masterkey from MK_SO. ++ * This also helps verify that correct SO pin was entered. ++ */ ++ memset(masterkey, 0, MASTER_KEY_SIZE); ++ memset(fname, 0, PATH_MAX); ++ snprintf(fname, PATH_MAX, "%s/MK_SO", data_store); ++ ret = load_masterkey(fname, sopin, masterkey); ++ if (ret) { ++ fprintf(stderr, "Could not load masterkey from MK_SO.\n"); ++ goto done; ++ } ++ ++ if (v_flag) ++ printf("Successfully verified SO Pin.\n"); ++ ++ /* Get the masterkey from MK_USER. ++ * This also helps verift that correct USER pin was entered. ++ */ ++ memset(masterkey, 0, MASTER_KEY_SIZE); ++ memset(fname, 0, PATH_MAX); ++ snprintf(fname, PATH_MAX, "%s/MK_USER", data_store); ++ ret = load_masterkey(fname, userpin, masterkey); ++ if (ret) { ++ fprintf(stderr, "Could not load masterkey from MK_USER.\n"); ++ goto done; ++ } ++ ++ if (v_flag) ++ printf("Successfully verified USER Pin.\n"); ++ ++ /* Load all the private token objects and re-encrypt them ++ * using software des3, instead of CSNBENC. ++ */ ++ (void)load_private_token_objects(data_store, masterkey); ++ ++done: ++ ++ if (sopin) ++ free(sopin); ++ if (userpin) ++ free(userpin); ++ if (data_store) ++ free(data_store); ++ ++ return ret; ++} +Index: opencryptoki/usr/sbin/pkcscca/pkcscca.h +=================================================================== +--- /dev/null ++++ opencryptoki/usr/sbin/pkcscca/pkcscca.h +@@ -0,0 +1,49 @@ ++/* ++ * Licensed materials - Property of IBM ++ * ++ * pkcscca - A tool for PKCS#11 CCA token. ++ * Currently, only migrates CCA private token objects from using a ++ * CCA cipher to using a software cipher. ++ * ++ * Copyright (C) International Business Machines Corp. 2014 ++ * ++ */ ++ ++ ++#ifndef __PKCSCCA_H_ ++#define __PKCSCCA_H_ ++ ++#define CCA_LIBRARY "libcsulcca.so" ++#define TOK_DATASTORE "/var/lib/opencryptoki/ccatok" ++#define MASTER_KEY_SIZE 64 ++#define SHA1_HASH_SIZE 20 ++#define MD5_HASH_SIZE 16 ++#define DES_BLOCK_SIZE 8 ++#define DES_KEY_SIZE 8 ++#define compute_sha1(a,b,c) compute_hash(HASH_SHA1,b,a,c) ++#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c) ++#define HASH_SHA1 1 ++#define HASH_MD5 2 ++ ++/* from host_defs.h */ ++#include "pkcs32.h" ++typedef struct _TWEAK_VEC ++{ ++ int allow_weak_des ; ++ int check_des_parity ; ++ int allow_key_mods ; ++ int netscape_mods ; ++} TWEAK_VEC; ++ ++typedef struct _TOKEN_DATA ++{ ++ CK_TOKEN_INFO_32 token_info; ++ ++ CK_BYTE user_pin_sha[3 * DES_BLOCK_SIZE]; ++ CK_BYTE so_pin_sha[3 * DES_BLOCK_SIZE]; ++ CK_BYTE next_token_object_name[8]; ++ TWEAK_VEC tweak_vector; ++} TOKEN_DATA; ++ ++ ++#endif diff --git a/ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch b/ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch new file mode 100644 index 0000000..783b660 --- /dev/null +++ b/ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch @@ -0,0 +1,281 @@ +From 13eda6d102b8c44f85cf4eac094ff8a964c630f4 Mon Sep 17 00:00:00 2001 +From: Joy Latten +Date: Mon, 1 Sep 2014 22:46:37 -0500 +Subject: [PATCH 2/2] Add documentation (pkcscca manpage and README.cca_stdll) + to assist in migrating cca private token objects from v2 to v3. + +Signed-off-by: Joy Latten +--- + configure.in | 1 + + doc/README.cca_stdll | 175 ++++++++++++++++++++++++++++++++++++++++++++++---- + man/man1/Makefile.am | 2 +- + man/man1/pkcscca.1.in | 45 +++++++++++++ + 4 files changed, 209 insertions(+), 14 deletions(-) + create mode 100644 man/man1/pkcscca.1.in + +diff --git a/configure.in b/configure.in +index f3fbe70..3e7e5e8 100644 +--- a/configure.in ++++ b/configure.in +@@ -843,6 +843,7 @@ AC_CONFIG_FILES([Makefile usr/Makefile \ + man/man1/Makefile \ + man/man1/pkcsconf.1 \ + man/man1/pkcsicsf.1 \ ++ man/man1/pkcscca.1 \ + man/man1/pkcsep11_migrate.1 \ + man/man5/Makefile \ + man/man5/opencryptoki.conf.5 \ +diff --git a/doc/README.cca_stdll b/doc/README.cca_stdll +index f535dfa..a0d13f1 100644 +--- a/doc/README.cca_stdll ++++ b/doc/README.cca_stdll +@@ -1,24 +1,173 @@ ++CCA TOKEN + +-README for the CCA secure-key token ++OverView ++-------- ++The CCA token is a secure key token. ++A Secure key - key value does not exist in the clear outside of the HSM ++(secure, tamper-resistent boundary of the card). It is a clear key wrapped ++with the appropriate MasterKey that has been installed into the secure hardware. ++A clear key is generated in the hardware, wrapped with the appropriate ++master key that has been installed into the hardware. The wrapped key is then ++passed back to the invoker. Upon an encryption and/or decryption request, ++the wrapped key and the data to be encrypted are passed into the hardware. ++The wrapped key is verified, and the clear key is used to encrypt and/or ++decrypt the data. All this is done in the CCA hardware. + +-Kent Yoder ++Within opencryptoki, this wrapped key value is stored in the CKA_IBM_OPAQUE ++attribute rather than the CKA_VALUE attribute. + +- The key used to encrypt private objects on disk is a secure key. ++Pre-requisites: ++The CCA token requires cca library, libcsulcca.so, which is part of the ++csulcca rpm. ++It also requires proper configuration and installation of the MK keys into ++the hardware which is outside the scope of this document. + +- The key used to encrypt that secure key is based on the hash of the +-USER and SO pins. Therefore it is a clear key and software is used to +-do the encryption/decryption of the secure key. ++Configuration ++------------- + +-MK_USER: The secure key used for internal on-disk encryption, encrypted ++To use the CCA token a slot entry must be defined in the ++opencryptoki.conf configuration file that sets the stdll attribute to ++libcsulcca.so. ++ ++The CCA token also requires that the appropriate master keys have ++been installed into the hardware. The corresponding driver must also be ++loaded, i.e. modprobe z90crypt. ++ ++CCA Token Objects ++------------------------- ++ ++Opencryptoki stores token objects on disk. Public token objects are not ++encrypted. Private token objects are encrypted. ++Versions of opencryptoki prior to version 3, used a CCA generated secure key ++(des3 key) and the crypto adapter to encrypt the private token object's data. ++In version 3, a clear key (des3 key) and software crypto (openssl) are used ++to encrypt this data. ++ ++Migration Information ++--------------------- ++ ++Migrating version 2 private token objects to version 3 is ONLY required if ++the system will run opencryptoki version 3 and will use private token ++objects saved or preserved from version 2. ++Note, public token objects do not need to be migrated. ++If there are no private token objects from version 2, then the version 3 ++does not require any migrating. ++ ++In version 2 private token objects are encrypted and decrypted with a secure ++key in the crypto adapter. In version 3, this encryption and decryption is ++done with a clear key using software crypto. Therefore, opencryptoki ++version 3, will not succesfully decrypt a version 2 private token object. ++ ++Version 2 private token objects must be "migrated" to version 3 so that ++opencryptoki version 3 can access these objects. This migration will ++decrypt the objects using the CCA call, CSNBDEC and the current ++opencryptoki key stored in MK_USER. The objects will then be re-encrypted ++using software crypto. The key bits that are stored in MK_USER will then be ++used as a clear key. ++ ++Once the migration has completed, these private token objects should then be ++accessable to version 3. ++ ++Migration Steps ++--------------- ++ ++1. Either update or install version 3. ++a. Update to opencryptoki version 3. In most linux distributions, an update ++from version 2 to version 3 will preserve the contents of the CCA data-store. ++ ++b. Install opencryptoki version 3. In most distributions, an install will ++remove the contents of the CCA data-store. You will essentially be starting ++from the beginning and have to initialize the CCA token. ++ ++In this scenario, if a prior version of opencryptoki had been running on the ++system, and you wanted to preserve your token objects, you will have saved ++or backed them up somewhere. ++ ++2. Backup the CCA data-store before migrating. It is always a good idea to ++back up the data in case the migration is unsuccessful or data is corrupted. ++The data-store is the directory in which the CCA token information is stored ++on disk. In most distributions it can be found in /var/lib/opencryptoki/ccatok. ++Within this directory there is, ++ ++MK_USER: The des3 key used for internal on-disk encryption, encrypted + under the USER's PIN by software routines + +-MK_SO: The secure key used for internal on-disk encryption, encrypted ++MK_SO: The des3 key used for internal on-disk encryption, encrypted + under the SO's PIN by software routines + +-So, MK_USER and MK_SO contain the same key, encrypted under different PINs ++NKTOK.DAT: Token information. ++ ++TOK_OBJ: The directory in which token objects are stored. ++ ++TOK_OBJ/OBJ.IDX: A list of current token objects. ++ ++**NOTE: MK_USER and MK_SO contain the same key, encrypted under ++different PINs ++ ++3. Ensure no opencryptoki processes are running. Stop the pkcsslotd daemon ++if it is running. ++ ++4. Run the pkcscca tool to perform the migration. ++For example, ++ pkcscca -m v2objectsv3 -v ++ ++Note that the "-v" option will allow you to see which objects did and did not ++get migrated. Specify the "-d" flag if you wish to migrate CCA token objects ++stored in a data-store different from the default, /var/lib/opencryptoki/ccatok. ++ ++5. (Optional) Removing shared memory may be required to pick up ++the newly migrated objects. ++ ++CCA token's shared memory segment tracks its token objects. ++Token objects stored on disk are only loaded into shared memory ++when the shared memory is created. The shared memory is usually ++created after a reboot, an install, or an update of the opencryptoki package. ++ ++If another opencryptoki process accessed the CCA token after install ++or update, then opencryptoki will have loaded all the token objects into ++shared memory, except for the private token objects requiring migration, ++since they will have failed decryption. Subsequent calls to the ++opencryptoki api will not find these objects since they have not ++been loaded into shared memory. Opencryptoki won't read the ++objects from disk and load into shared memory again until the next time ++shared memory is created. ++ ++So, in this case, shared memory must be removed and created again so ++that opencryptoki can successfuly load all the token objects including the ++newly migrated private token objects into CCA token's shared memory segment. ++ ++Remove shared memory if, ++ - after updating or installing, any opencryptoki processes or tools tried ++ to access the CCA token before migrating CCA token's private token ++ objects. For example, the pkcsconf command was run. ++ ++ The pre-migrated objects will have failed decryption and not ++ been loaded into shared memory. A reboot or removing shared memory ++ will cause the token to create shared memory again and load the newly ++ migrated private token objects into it. ++ ++CCA's shared memory can be removed two ways. ++ 1. a reboot ++ ++ 2. remove the shared memory file, ++ i.e. "rm /dev/shm/var.lib.opencryptoki.ccatok" ++ ++ Notes: (1). Ensure that no opencryptoki processes are running ++ before removing the shared memory. Otherwise, you risk corrupting ++ any running opencryptoki processes. ++ (2). If you have installed opencryptoki manually (not via a distro ++ rpm) the CCA token shared memory segment may be named ++ usr.local.var.lib.opencryptoki.ccatok. ++ ++The next opencryptoki process to run will cause opencryptoki to create ++a shared memory segment for the token and load the newly migrated objects ++as well as any other token objects for the token. + +-PKCS#11 Notes: ++6. After a successful migration, the CCA private token objects should be ++encrypted and ready to be accessed by opencryptoki version 3. + +-DES/3DES PKCS#11 key objects have the CCA key identifier stored in the CKA_VALUE +-attribute. Usually the CKA_VALUE attribute would hold a plaintext key, however +-in this case, the id used to reference the secure key is stored here. ++TroubleShooting: ++1. If version 3 cannot find the newly migrated CCA private token objects, ++reboot or remove the shared memory file. This will cause token to create ++shared memory again and load the newly migrated private token objects ++into shared memory. +diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am +index c4b4d95..f2274d7 100644 +--- a/man/man1/Makefile.am ++++ b/man/man1/Makefile.am +@@ -1,3 +1,3 @@ +-man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1 ++man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1 pkcscca.1 + EXTRA_DIST = $(man1_MANS) + CLEANFILES = $(man1_MANS) +diff --git a/man/man1/pkcscca.1.in b/man/man1/pkcscca.1.in +new file mode 100644 +index 0000000..c6e49d6 +--- /dev/null ++++ b/man/man1/pkcscca.1.in +@@ -0,0 +1,45 @@ ++.TH PKCSCCA 1 "September 2014" "@PACKAGE_VERSION@" "openCryptoki" ++.SH NAME ++pkcscca \- configuration utility for the CCA token ++ ++.SH SYNOPSIS ++\fBpkcscca\fP ++[\fB-h\fP] ++[\fB-m v2objectsv3\fP] ++[\fIOPTIONS\fP] ++ ++.SH DESCRIPTION ++The \fBpkcscca\fP utility assists in administering the CCA token. Currently it ++migrates opencryptoki version 2 private token objects to the encryption ++method used in opencryptoki version 3. ++ ++In verion 2 of opencryptoki, CCA private token objects were encrypted in CCA ++hardware. In version 3 these objects are encrypted in software. The ++\fBv2objectsv3\fP migration option migrates these version 2 objects by ++decrypting them in CCA hardware using a secure key and then re-encrypting ++them in software using a software key. Afterwards, v2 objects can be accessed ++in version 3. ++ ++.SH "FLAGS" ++.IP "\fB-h\fP" 10 ++show usage information ++.IP "\fB-m\fP" 10 ++perform a migration. \fBv2objectsv3\fP is currently the only type of migration ++supported and must be specified along with this flag. ++ ++.SH "MIGRATION OPTIONS" ++.IP "\fB-d|--datastore\fP \fIdirectory\fp" 10 ++the directory where the CCA token information is kept. This directory will be ++used to locate the private token objects to be migrated. i.e. /var/lib/opencryptoki/ccatok ++.IP "\fB-v|--verbose\fP" 10 ++provide detailed output during migration ++ ++.SH "FILES" ++.IP "/var/lib/opencryptoki/ccatok/TOK_OBJ/OBJ.IDX" ++contains current list of public and private token objects for the CCA token. ++ ++.SH SEE ALSO ++.PD 0 ++.TP ++\fBREADME.cca_stdll\fP (in system's doc directory) ++.PD +-- +1.8.1.4 + diff --git a/ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch b/ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch new file mode 100644 index 0000000..3b0c653 --- /dev/null +++ b/ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch @@ -0,0 +1,255 @@ +--- opencryptoki.orig/doc/README.ep11_stdll 2014-09-04 21:59:50.000000000 -0600 ++++ opencryptoki/doc/README.ep11_stdll 2014-09-04 22:01:27.223654000 -0600 +@@ -1,126 +1,126 @@ +-EP11 Token +-========== +- +-The EP11 token is a token that uses the IBM Crypto Express adapters +-(starting with Crypto Express 4S adapters) configured with Enterprise +-PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that +-firmware load are also called CEXnP adapters for n >= 4. +- +-The EP11 token is only supported on the System z architecture and requires a +-Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver +-loaded into the kernel and the availability of EP11 library libep11. +- +-The token directory of the EP11 token is opencryptoki/ep11tok typically +-located in /var/lib. +- +-Configuration +-------------- +- +-To use the EP11 token a slot entry must be defined in the general opencryptoki +-configuration file that sets the stdll attribute to libpkcs11_ep11.so. +- +-A EP11 token specific configuration file must be set up to define the target +-adapters and target adapter domains. The name of the configuration file must be +-defined in the global openCryptoki configuration opencryptoki.conf file as part +-of the token specification using the confname attribute. +-E.g. the entry +- +-slot 4 +-{ +-stdll = libpkcs11_ep11.so +-confname = ep11tok.conf +-} +- +-defines the name of the configuration file of the EP11 token to be +-ep11tok.conf. Per default this file is searched in the directory where +-openCryptoki searches its global configuration file. This default path can +-be overriden using the OCK_EP11_TOKEN_DIR environment variable. +- +-EP11 token configuration files defines a list of adapter/domain pairs to which +-the EP11 token sends its cryptographic requests. This list can be specified as +-a white list starting with a line containing the key word APQN_WHITELIST +-followed by one or more lines containing each two integers (in the range +-of 0 - 255) separated by a white space. The white list is ended with a line +-containing the key word END. In each of lines of the white list the first +-integer denotes the adapter number and the second integer denotes the domain +-id. Alternatively the keyword APQN_ANY can be used to define that all +-adapter/domain pairs with EP11 firmware load that are available to the system +-shall be used as target adapters. An adapter number corresponds to the +-numerical part xx of an adapter id of the form cardxx as displayed by the +-lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices). +-Currently Linux on z only supports a single domain. That domain number can be +-displayed with lszcrypt -b (see the value of ap_domain) or alternatively as +-contents of /sys/bus/ap/ap_domain. +- +-In addition to the target adapter a log level can be defined in the EP11 +-configuration file using a line consisting of the key word LOGLEVEL followed +-by an integer between 0 and 9. +- +-Logging +-------- +- +-If a log level greater than 0 is defined in the environment variable +-OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration +-file then log entries are written to a log file +-/var/log/ock_ep11_token..log where is the process id of the process +-using the EP11 token. +- +-Note, that the handling of EP11 logs is subject to change in future releases +-of opencryptoki. +- +-Crypto Express Adapter EP11 Master Key Management +-------------------------------------------------- +- +-If master keys are changed on an EP11 adapter all key objects in the token +-object repository (in the TOK_OBJ directory within the EP11 token directory) +-become invalid. +- +-The key migration tool pkcsep11_migrate can be used to perform the migration +-of the current EP11 master keys to new master keys. Therefore the following +-steps must be performed: +-1) On the Trusted Key Entry console (TKE): Submit and commit new master +-keys on the EP11 adapter(s). +-2) On Linux: Stop all processes using openCryptoki with the EP11 token. +-3) On Linux: Back up the token object repository of the EP11 token. +-4) On Linux: Migrate keys of object repository of EP11 token with +-migration tool. If a failure occurs restore the backed up token repository +-and retry step 4. +-5) On the TKE: Activate new master keys on the EP11 adapter(s). +-6) On Linux: Restart applications using openCryptoki with the EP11 token. +- +-Token specifics +---------------- +- +-The EP11 token only supports secure keys (i.e. key wrapped by a master key of +-the Crypto Express adapter). Therefore all keys must have the attribute +-CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a +-(token specific) default for secure keys the attribute must be explicitly +-provided whenever a secret key is generated, unwrapped or build with +-C_CreateObject. In addition all keys used with the EP11 token are extractable. +-i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE. +- +-When creating keys the default values of the attributes CKA_ENCRYPT, +-CKA DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE. +-Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions. +- +-All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than +-or equal to 17. +- +-The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli) +-according to ANSI X9.31. Therefore in the EP11 token the lengths of the +-RSA primes (p or q) must be a multiple of 128 bits and the length of the +-modulus (CKA_MODULUS_BITS) must be a multiple of 256. +- +-The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have +-a length that is a multiple of the block size of DES3 or AES respectively. +- +-See the mechanism list and mechanism info (pkcsconf -m) for supported +-mechanisms together with supported functions and key sizes. Note the +-supported mechanism list is currently fix and matches the most stringent +-setting of the Crypto Express adapter. +- +-Note, the EP11 coprocessor adapter can be configured to restrict the +-cryptographic capababilities in order for the adapter to comply with specific +-security requirements and regulations. Such restrictions on the adapter impact +-the capabilitiy of the EP11 token. +- ++EP11 Token ++========== ++ ++The EP11 token is a token that uses the IBM Crypto Express adapters ++(starting with Crypto Express 4S adapters) configured with Enterprise ++PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that ++firmware load are also called CEXnP adapters for n >= 4. ++ ++The EP11 token is only supported on the System z architecture and requires a ++Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver ++loaded into the kernel and the availability of EP11 library libep11. ++ ++The token directory of the EP11 token is opencryptoki/ep11tok typically ++located in /var/lib. ++ ++Configuration ++------------- ++ ++To use the EP11 token a slot entry must be defined in the general opencryptoki ++configuration file that sets the stdll attribute to libpkcs11_ep11.so. ++ ++A EP11 token specific configuration file must be set up to define the target ++adapters and target adapter domains. The name of the configuration file must be ++defined in the global openCryptoki configuration opencryptoki.conf file as part ++of the token specification using the confname attribute. ++E.g. the entry ++ ++slot 4 ++{ ++stdll = libpkcs11_ep11.so ++confname = ep11tok.conf ++} ++ ++defines the name of the configuration file of the EP11 token to be ++ep11tok.conf. Per default this file is searched in the directory where ++openCryptoki searches its global configuration file. This default path can ++be overriden using the OCK_EP11_TOKEN_DIR environment variable. ++ ++EP11 token configuration files defines a list of adapter/domain pairs to which ++the EP11 token sends its cryptographic requests. This list can be specified as ++a white list starting with a line containing the key word APQN_WHITELIST ++followed by one or more lines containing each two integers (in the range ++of 0 - 255) separated by a white space. The white list is ended with a line ++containing the key word END. In each of lines of the white list the first ++integer denotes the adapter number and the second integer denotes the domain ++id. Alternatively the keyword APQN_ANY can be used to define that all ++adapter/domain pairs with EP11 firmware load that are available to the system ++shall be used as target adapters. An adapter number corresponds to the ++numerical part xx of an adapter id of the form cardxx as displayed by the ++lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices). ++Currently Linux on z only supports a single domain. That domain number can be ++displayed with lszcrypt -b (see the value of ap_domain) or alternatively as ++contents of /sys/bus/ap/ap_domain. ++ ++In addition to the target adapter a log level can be defined in the EP11 ++configuration file using a line consisting of the key word LOGLEVEL followed ++by an integer between 0 and 9. ++ ++Logging ++------- ++ ++If a log level greater than 0 is defined in the environment variable ++OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration ++file then log entries are written to a log file ++/var/log/ock_ep11_token..log where is the process id of the process ++using the EP11 token. ++ ++Note, that the handling of EP11 logs is subject to change in future releases ++of opencryptoki. ++ ++Crypto Express Adapter EP11 Master Key Management ++------------------------------------------------- ++ ++If master keys are changed on an EP11 adapter all key objects in the token ++object repository (in the TOK_OBJ directory within the EP11 token directory) ++become invalid. ++ ++The key migration tool pkcsep11_migrate can be used to perform the migration ++of the current EP11 master keys to new master keys. Therefore the following ++steps must be performed: ++1) On the Trusted Key Entry console (TKE): Submit and commit new master ++keys on the EP11 adapter(s). ++2) On Linux: Stop all processes using openCryptoki with the EP11 token. ++3) On Linux: Back up the token object repository of the EP11 token. ++4) On Linux: Migrate keys of object repository of EP11 token with ++migration tool. If a failure occurs restore the backed up token repository ++and retry step 4. ++5) On the TKE: Activate new master keys on the EP11 adapter(s). ++6) On Linux: Restart applications using openCryptoki with the EP11 token. ++ ++Token specifics ++--------------- ++ ++The EP11 token only supports secure keys (i.e. key wrapped by a master key of ++the Crypto Express adapter). Therefore all keys must have the attribute ++CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a ++(token specific) default for secure keys the attribute must be explicitly ++provided whenever a secret key is generated, unwrapped or build with ++C_CreateObject. In addition all keys used with the EP11 token are extractable. ++i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE. ++ ++When creating keys the default values of the attributes CKA_ENCRYPT, ++CKA DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE. ++Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions. ++ ++All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than ++or equal to 17. ++ ++The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli) ++according to ANSI X9.31. Therefore in the EP11 token the lengths of the ++RSA primes (p or q) must be a multiple of 128 bits and the length of the ++modulus (CKA_MODULUS_BITS) must be a multiple of 256. ++ ++The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have ++a length that is a multiple of the block size of DES3 or AES respectively. ++ ++See the mechanism list and mechanism info (pkcsconf -m) for supported ++mechanisms together with supported functions and key sizes. Note the ++supported mechanism list is currently fix and matches the most stringent ++setting of the Crypto Express adapter. ++ ++Note, the EP11 coprocessor adapter can be configured to restrict the ++cryptographic capababilities in order for the adapter to comply with specific ++security requirements and regulations. Such restrictions on the adapter impact ++the capabilitiy of the EP11 token. ++ diff --git a/openCryptoki.changes b/openCryptoki.changes index 4410e12..5c3854b 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes @@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Fri Sep 5 04:05:02 UTC 2014 - jjolly@suse.com + +- Fixed README.ep11_stdll to have Unix-style EOL characters. +- Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch + +------------------------------------------------------------------- +Thu Sep 4 21:51:32 UTC 2014 - jjolly@suse.com + +- Added all files from %src/doc as rpm %doc (bnc#894780) + +------------------------------------------------------------------- +Thu Sep 4 21:17:04 UTC 2014 - jjolly@suse.com + +- Added pkcscca utility and documentation to convert private + token objects from v2 to v3. (bnc#893757) +- Added patches: + - ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch + - ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch + +------------------------------------------------------------------- +Thu Sep 4 20:35:01 UTC 2014 - jjolly@suse.com + +- Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889193) +- Added patch ocki-3.1_07_0001-Man-page-corrections.patch + ------------------------------------------------------------------- Fri Aug 15 02:14:21 UTC 2014 - sfalken@opensuse.org diff --git a/openCryptoki.spec b/openCryptoki.spec index b02992b..055f7f1 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -74,6 +74,10 @@ Patch13: ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int- Patch14: ocki-3.1_06_0005-Small-reworks.patch Patch15: ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch Patch16: ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch +Patch17: ocki-3.1_07_0001-Man-page-corrections.patch +Patch18: ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch +Patch19: ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch +Patch20: ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch Url: http://oss.software.ibm.com/developerworks/opensource/opencryptoki BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed %insserv_prereq @@ -167,6 +171,10 @@ Cryptographic Accelerator (FC 4960 on pSeries). %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 cp %{SOURCE2} . %build @@ -285,6 +293,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %files %defattr(-,root,root) %doc openCryptoki-TFAQ.html +%doc doc/* # configuration directory %dir %{_sysconfdir}/opencryptoki %config %{_sysconfdir}/opencryptoki/opencryptoki.conf @@ -307,6 +316,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %{_sbindir}/pkcsslotd %{_sbindir}/pkcsconf %{_sbindir}/pkcsicsf +%{_sbindir}/pkcscca %dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki/stdll # State and lock directories