Wire Sysio Wire Sysion 1.0.0
Loading...
Searching...
No Matches
yubihsm_pkcs11.c
Go to the documentation of this file.
1/*
2 * Copyright 2015-2018 Yubico AB
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <sys/types.h>
18#include <sys/stat.h>
19
20#include <stdbool.h>
21#include <stdlib.h>
22#include <string.h>
23#include <unistd.h>
24
25#ifdef __WIN32
26#include <winsock.h>
27#else
28#include <arpa/inet.h>
29#endif
30
31#include <cmdline.h>
32#include <yubihsm.h>
33
34#include <openssl/rsa.h>
35
36#include "debug_p11.h"
37#include "util_pkcs11.h"
38#include "yubihsm_pkcs11.h"
39#include "../common/insecure_memzero.h"
40
41#define YUBIHSM_PKCS11_MANUFACTURER "Yubico (www.yubico.com)"
42#define YUBIHSM_PKCS11_LIBDESC "YubiHSM PKCS#11 Library"
43#define YUBIHSM_PKCS11_MIN_PIN_LEN 12 // key_id (4) + password (8)
44#define YUBIHSM_PKCS11_MAX_PIN_LEN 68 // key_id (4) + password (64)
45
46#define UNUSED(x) (void) (x) // TODO(adma): also in yubihsm-shell.h
47
48#define GLOBAL_LOCK_OR_RETURN \
49 do { \
50 if (g_ctx.mutex != NULL) { \
51 CK_RV lock_rv = g_ctx.lock_mutex(g_ctx.mutex); \
52 if (lock_rv != CKR_OK) { \
53 DBG_ERR("Unable to acquire global lock"); \
54 return lock_rv; \
55 } \
56 } \
57 } while (0)
58
59#define GLOBAL_UNLOCK_OR_RETURN \
60 do { \
61 if (g_ctx.mutex != NULL) { \
62 CK_RV lock_rv = g_ctx.unlock_mutex(g_ctx.mutex); \
63 if (lock_rv != CKR_OK) { \
64 DBG_ERR("Unable to release global lock"); \
65 return lock_rv; \
66 } \
67 } \
68 } while (0)
69
70extern CK_FUNCTION_LIST function_list;
71
72static bool g_yh_initialized = false;
73
74static yubihsm_pkcs11_context g_ctx;
75
76static void destroy_slot_mutex(void *data) {
77 yubihsm_pkcs11_slot *slot = (yubihsm_pkcs11_slot *) data;
78 if (slot->mutex != NULL) {
79 g_ctx.destroy_mutex(slot->mutex);
80 }
81
82 slot->mutex = NULL;
83}
84
85static bool compare_ecdh_keys(void *data, void *item) {
86 if (data == NULL || item == NULL) {
87 return false;
88 }
89
90 CK_OBJECT_HANDLE *a = data;
91
92 ListItem *itm = (ListItem *) item;
93 ecdh_session_key *key = (ecdh_session_key *) &itm->data;
94 CK_OBJECT_HANDLE b = key->id;
95
96 return *a == b;
97}
98
99/* General Purpose */
100
101CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
102
103 DIN;
104
105 if (g_yh_initialized == true) {
106 return CKR_CRYPTOKI_ALREADY_INITIALIZED;
107 }
108
109 CK_C_INITIALIZE_ARGS_PTR init_args = pInitArgs;
110
111 yh_dbg_init(false, false, 0, "stderr");
112
113 if (pInitArgs != NULL) {
114 if ((init_args->flags & CKF_OS_LOCKING_OK) == 0 &&
115 init_args->CreateMutex == NULL && init_args->DestroyMutex == NULL &&
116 init_args->LockMutex == NULL && init_args->UnlockMutex == NULL) {
117 // NOTE(adma): no threading required
118 // all is good, do nothing
119 g_ctx.create_mutex = NULL;
120 g_ctx.destroy_mutex = NULL;
121 g_ctx.lock_mutex = NULL;
122 g_ctx.unlock_mutex = NULL;
123 } else if ((init_args->flags & CKF_OS_LOCKING_OK) != 0 &&
124 init_args->CreateMutex == NULL &&
125 init_args->DestroyMutex == NULL &&
126 init_args->LockMutex == NULL && init_args->UnlockMutex == NULL) {
127 // NOTE(adma): threading with native OS locks
128 set_native_locking(&g_ctx);
129 } else if ((init_args->flags & CKF_OS_LOCKING_OK) == 0 &&
130 init_args->CreateMutex != NULL &&
131 init_args->DestroyMutex != NULL &&
132 init_args->LockMutex != NULL && init_args->UnlockMutex != NULL) {
133 // NOTE(adma): threading with supplied functions
134 g_ctx.create_mutex = init_args->CreateMutex;
135 g_ctx.destroy_mutex = init_args->DestroyMutex;
136 g_ctx.lock_mutex = init_args->LockMutex;
137 g_ctx.unlock_mutex = init_args->UnlockMutex;
138 } else if ((init_args->flags & CKF_OS_LOCKING_OK) != 0 &&
139 init_args->CreateMutex != NULL &&
140 init_args->DestroyMutex != NULL &&
141 init_args->LockMutex != NULL && init_args->UnlockMutex != NULL) {
142 // NOTE(adma): threading with native or supplied functions
143 g_ctx.create_mutex = init_args->CreateMutex;
144 g_ctx.destroy_mutex = init_args->DestroyMutex;
145 g_ctx.lock_mutex = init_args->LockMutex;
146 g_ctx.unlock_mutex = init_args->UnlockMutex;
147 } else {
148 return CKR_ARGUMENTS_BAD;
149 }
150 }
151
152 if (g_ctx.create_mutex != NULL) {
153 if (g_ctx.create_mutex(&g_ctx.mutex) != CKR_OK) {
154 DBG_ERR("Unable to create global mutex");
155 return CKR_FUNCTION_FAILED;
156 }
157 } else {
158 g_ctx.mutex = NULL;
159 }
160
161 struct cmdline_parser_params params;
162
163 struct gengetopt_args_info args_info;
164
165 cmdline_parser_params_init(&params);
166
167 params.initialize = 1;
168 params.check_required = 1;
169
170 char *tmp = "";
171
172 if (cmdline_parser(0, &tmp, &args_info) != 0) {
173 DBG_ERR("Unable to initialize ggo structure");
174 return CKR_FUNCTION_FAILED;
175 }
176
177 params.initialize = 0;
178 params.override = 1;
179
180 char *args = NULL;
181 char *args_parsed = NULL;
182
183 yh_connector **connector_list = NULL;
184
185 if (init_args != NULL && init_args->pReserved != NULL) {
186 args = strdup(init_args->pReserved);
187 if (args == NULL) {
188 DBG_ERR("Failed copying reserved string");
189 return CKR_FUNCTION_FAILED;
190 }
191
192 char *str = args;
193 char *save = NULL;
194 char *part;
195 while ((part = strtok_r(str, " \r\n\t", &save))) {
196 char *new_ptr;
197 str = NULL;
198 if (args_parsed == NULL) {
199 new_ptr = calloc(strlen(part) + 4, sizeof(char));
200 } else {
201 new_ptr = realloc(args_parsed, strlen(args_parsed) + strlen(part) + 4);
202 }
203 if (new_ptr) {
204 args_parsed = new_ptr;
205 sprintf(args_parsed + strlen(args_parsed), "--%s ", part);
206 } else {
207 DBG_ERR("Failed allocating memory for args");
208 goto c_i_failure;
209 }
210 }
211
212 DBG_INFO("Now parsing supplied init args as '%s'", args_parsed);
213
214 if (cmdline_parser_string_ext(args_parsed, &args_info,
215 "yubihsm_pkcs11 module", &params) != 0) {
216 DBG_ERR("Parsing of the reserved init args '%s' failed", args);
217 goto c_i_failure;
218 }
219
220 free(args);
221 args = NULL;
222 free(args_parsed);
223 args_parsed = NULL;
224 }
225
226 // NOTE(thorduri): #TOCTOU
227 char *config_file = args_info.config_file_arg;
228 struct stat sb;
229 if (stat(config_file, &sb) == -1) {
230 config_file = getenv("YUBIHSM_PKCS11_CONF");
231 }
232
233 params.override = 0;
234
235 if (config_file != NULL &&
236 cmdline_parser_config_file(config_file, &args_info, &params) != 0) {
237 DBG_ERR("Unable to parse configuration file");
238 return CKR_FUNCTION_FAILED;
239 }
240
241 yh_dbg_init(args_info.debug_flag, args_info.dinout_flag,
242 args_info.libdebug_flag, args_info.debug_file_arg);
243
244 // NOTE(adma): it's better to set the argument optional and check its presence
245 // here
246 if (args_info.connector_given == 0) {
247 DBG_ERR("No connector defined");
248 return CKR_FUNCTION_FAILED;
249 }
250
251 if (yh_init() != YHR_SUCCESS) {
252 DBG_ERR("Unable to initialize libyubihsm");
253 return CKR_FUNCTION_FAILED;
254 }
255
256 DBG_INFO("Found %u configured connector(s)", args_info.connector_given);
257
258 connector_list = calloc(args_info.connector_given, sizeof(yh_connector *));
259 if (connector_list == NULL) {
260 DBG_ERR("Failed allocating memory");
261 goto c_i_failure;
262 }
263 size_t n_connectors = 0;
264 for (unsigned int i = 0; i < args_info.connector_given; i++) {
265 if (yh_init_connector(args_info.connector_arg[i], &connector_list[i]) !=
266 YHR_SUCCESS) {
267 DBG_ERR("Failed to init connector");
268 goto c_i_failure;
269 }
270 if (args_info.cacert_given) {
271 if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CA,
272 args_info.cacert_arg) != YHR_SUCCESS) {
273 DBG_ERR("Failed to set HTTPS CA option");
274 goto c_i_failure;
275 }
276 }
277 if (args_info.proxy_given) {
278 if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER,
279 args_info.proxy_arg) != YHR_SUCCESS) {
280 DBG_ERR("Failed to set proxy server option");
281 goto c_i_failure;
282 }
283 }
284
285 if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) {
286 DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]);
287 continue;
288 } else {
289 n_connectors++;
290 }
291 }
292
293 if (add_connectors(&g_ctx, args_info.connector_given, args_info.connector_arg,
294 connector_list) == false) {
295 DBG_ERR("Failed building connectors list");
296 goto c_i_failure;
297 }
298
299 cmdline_parser_free(&args_info);
300 free(connector_list);
301
302 DBG_INFO("Found %zu usable connector(s)", n_connectors);
303
304 g_yh_initialized = true;
305
306 DOUT;
307 return CKR_OK;
308
309c_i_failure:
310
311 free(args_parsed);
312 free(args);
313
314 list_iterate(&g_ctx.slots, destroy_slot_mutex);
315 list_destroy(&g_ctx.slots);
316
317 if (connector_list) {
318 for (unsigned int i = 0; i < args_info.connector_given; i++) {
319 yh_disconnect(connector_list[i]);
320 }
321 }
322
323 cmdline_parser_free(&args_info);
324 free(connector_list);
325
326 if (g_ctx.mutex != NULL) {
327 g_ctx.destroy_mutex(g_ctx.mutex);
328 g_ctx.mutex = NULL;
329 }
330
331 return CKR_FUNCTION_FAILED;
332}
333
334CK_DEFINE_FUNCTION(CK_RV, C_Finalize)(CK_VOID_PTR pReserved) {
335
336 DIN;
337
338 if (pReserved != NULL) {
339 DBG_ERR("Finalized called with pReserved != NULL");
340 return CKR_ARGUMENTS_BAD;
341 }
342
343 if (g_yh_initialized == false) {
344 DBG_ERR("libyubihsm is not initialized or already finalized");
345 return CKR_CRYPTOKI_NOT_INITIALIZED;
346 }
347
348 list_iterate(&g_ctx.slots, destroy_slot_mutex);
349 list_destroy(&g_ctx.slots);
350
351 if (g_ctx.mutex != NULL) {
352 g_ctx.destroy_mutex(g_ctx.mutex);
353 g_ctx.mutex = NULL;
354 }
355
356 g_yh_initialized = false;
357
358 yh_exit();
359
360 DOUT;
361
362 if (_YHP11_OUTPUT != stdout && _YHP11_OUTPUT != stderr &&
363 _YHP11_OUTPUT != NULL) {
364 fclose(_YHP11_OUTPUT);
365 _YHP11_OUTPUT = stderr;
366 }
367
368 return CKR_OK;
369}
370
371CK_DEFINE_FUNCTION(CK_RV, C_GetInfo)(CK_INFO_PTR pInfo) {
372
373 DIN;
374
375 if (g_yh_initialized == false) {
376 DBG_ERR("libyubihsm is not initialized or already finalized");
377 return CKR_CRYPTOKI_NOT_INITIALIZED;
378 }
379 if (pInfo == NULL) {
380 return CKR_ARGUMENTS_BAD;
381 }
382
383 CK_VERSION ver = {VERSION_MAJOR, (VERSION_MINOR * 10) + VERSION_PATCH};
384
385 pInfo->cryptokiVersion = function_list.version;
386
387 memset(pInfo->manufacturerID, ' ', sizeof(pInfo->manufacturerID));
388 memcpy((char *) pInfo->manufacturerID, YUBIHSM_PKCS11_MANUFACTURER,
389 strlen(YUBIHSM_PKCS11_MANUFACTURER));
390
391 pInfo->flags = 0;
392
393 memset(pInfo->libraryDescription, ' ', sizeof(pInfo->libraryDescription));
394 memcpy((char *) pInfo->libraryDescription, YUBIHSM_PKCS11_LIBDESC,
395 strlen(YUBIHSM_PKCS11_LIBDESC));
396
397 pInfo->libraryVersion = ver;
398
399 DOUT;
400 return CKR_OK;
401}
402
403CK_DEFINE_FUNCTION(CK_RV, C_GetFunctionList)
404(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
405 yh_dbg_init(false, false, 0, "stderr");
406
407 DIN;
408
409 if (ppFunctionList == NULL) {
410 DBG_ERR("GetFunctionList called with ppFunctionList = NULL");
411 return CKR_ARGUMENTS_BAD;
412 }
413
414 *ppFunctionList = &function_list;
415
416 DOUT;
417 return CKR_OK;
418}
419
420/* Slot and token management */
421
422CK_DEFINE_FUNCTION(CK_RV, C_GetSlotList)
423(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
424
425 DIN;
426
427 if (g_yh_initialized == false) {
428 DBG_ERR("libyubihsm is not initialized or already finalized");
429 return CKR_CRYPTOKI_NOT_INITIALIZED;
430 }
431
432 if (!pulCount) {
433 DBG_ERR("pulCount argument bad");
434 return CKR_ARGUMENTS_BAD;
435 }
436
437 GLOBAL_LOCK_OR_RETURN;
438
439 if (pSlotList == NULL) {
440 *pulCount = 0;
441 // NOTE(adma) just return the number of slots
442 if (tokenPresent == CK_TRUE) {
443 for (ListItem *item = g_ctx.slots.head; item != NULL; item = item->next) {
444 yubihsm_pkcs11_slot *slot = (yubihsm_pkcs11_slot *) item->data;
445 if (yh_connector_has_device(slot->connector) == true) {
446 *pulCount += 1;
447 }
448 }
449
450 DBG_INFO("Number of slots with a token is %lu", *pulCount);
451 } else {
452 *pulCount = g_ctx.slots.length;
453
454 DBG_INFO("Total number of slots is %lu", *pulCount);
455 }
456 // NOTE(adma): actually return the slot IDs
457 DBG_INFO("Can return %lu slot(s)", *pulCount);
458
459 GLOBAL_UNLOCK_OR_RETURN;
460
461 DOUT;
462 return CKR_OK;
463 }
464
465 uint16_t j = 0;
466 bool full = false;
467 bool overflow = false;
468 for (ListItem *item = g_ctx.slots.head; item != NULL; item = item->next) {
469 if (j == *pulCount) {
470 full = true;
471 }
472
473 yubihsm_pkcs11_slot *slot = (yubihsm_pkcs11_slot *) item->data;
474 if (tokenPresent == CK_TRUE) {
475 if (yh_connector_has_device(slot->connector) != true) {
476 continue;
477 }
478 }
479 if (full == false) {
480 pSlotList[j] = slot->id;
481
482 DBG_INFO("Returning slot %lu", pSlotList[j]);
483 } else {
484 overflow = true;
485 }
486
487 j += 1;
488 }
489
490 *pulCount = j;
491
492 if (overflow == true) {
493 GLOBAL_UNLOCK_OR_RETURN;
494 return CKR_BUFFER_TOO_SMALL;
495 }
496
497 GLOBAL_UNLOCK_OR_RETURN;
498
499 DOUT;
500 return CKR_OK;
501}
502
503CK_DEFINE_FUNCTION(CK_RV, C_GetSlotInfo)
504(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
505
506 DIN;
507
508 if (g_yh_initialized == false) {
509 DBG_ERR("libyubihsm is not initialized or already finalized");
510 return CKR_CRYPTOKI_NOT_INITIALIZED;
511 }
512
513 if (!pInfo) {
514 DBG_ERR("Invalid pInfo");
515 return CKR_ARGUMENTS_BAD;
516 }
517
518 yubihsm_pkcs11_slot *slot = get_slot(&g_ctx, slotID);
519 if (slot == NULL) {
520 DBG_ERR("Invalid slot ID %lu", slotID);
521 return CKR_SLOT_ID_INVALID;
522 }
523
524 char *s;
525 int l;
526
527 s = "YubiHSM Connector ";
528 l = strlen(s);
529 memset(pInfo->slotDescription, ' ', 64);
530 memcpy((char *) pInfo->slotDescription, s, l);
531
532 yh_get_connector_address(slot->connector, &s);
533 memcpy((char *) pInfo->slotDescription + l, s, strlen(s));
534
535 s = "Yubico";
536 l = strlen(s);
537 memset(pInfo->manufacturerID, ' ', 32);
538 memcpy((char *) pInfo->manufacturerID, s, l);
539
540 pInfo->flags = CKF_REMOVABLE_DEVICE | CKF_HW_SLOT;
541
545
546 uint8_t major;
547 uint8_t minor;
548 uint8_t patch;
549
550 yh_get_connector_version(slot->connector, &major, &minor, &patch);
551
552 pInfo->hardwareVersion.major = major;
553 pInfo->hardwareVersion.minor = (minor * 100) + patch;
554
555 pInfo->firmwareVersion.major = major;
556 pInfo->firmwareVersion.minor = (minor * 100) + patch;
557
558 release_slot(&g_ctx, slot);
559
560 DOUT;
561 return CKR_OK;
562}
563
564CK_DEFINE_FUNCTION(CK_RV, C_GetTokenInfo)
565(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
566
567 DIN;
568
569 CK_RV rv = CKR_OK;
570
571 if (g_yh_initialized == false) {
572 DBG_ERR("libyubihsm is not initialized or already finalized");
573 return CKR_CRYPTOKI_NOT_INITIALIZED;
574 }
575
576 if (!pInfo) {
577 DBG_ERR("Invalid pInfo");
578 return CKR_ARGUMENTS_BAD;
579 }
580
581 yubihsm_pkcs11_slot *slot = get_slot(&g_ctx, slotID);
582 if (slot == NULL) {
583 DBG_ERR("Invalid slot ID %lu", slotID);
584 return CKR_SLOT_ID_INVALID;
585 }
586
587 if (yh_connector_has_device(slot->connector) == false) {
588 DBG_ERR("Slot %lu has no token inserted", slotID);
589 rv = CKR_TOKEN_NOT_PRESENT;
590 goto c_gt_out;
591 }
592
593 char *s;
594 int l;
595
596 s = "YubiHSM";
597 l = strlen(s);
598 memset(pInfo->label, ' ', 32);
599 memcpy((char *) pInfo->label, s, l);
600
601 s = YUBIHSM_PKCS11_MANUFACTURER;
602 l = strlen(s);
603 memset(pInfo->manufacturerID, ' ', 32);
604 memcpy((char *) pInfo->manufacturerID, s, l);
605
606 yh_rc yrc;
607
608 uint8_t major;
609 uint8_t minor;
610 uint8_t patch;
611 uint32_t serial;
612
613 yrc = yh_util_get_device_info(slot->connector, &major, &minor, &patch,
614 &serial, NULL, NULL, NULL, NULL);
615 if (yrc != YHR_SUCCESS) {
616 DBG_ERR("Unable to get device version and serial number: %s",
617 yh_strerror(yrc));
618 rv = CKR_DEVICE_ERROR;
619 goto c_gt_out;
620 }
621
622 s = "YubiHSM";
623 l = strlen(s);
624 memset(pInfo->model, ' ', 16);
625 memcpy((char *) pInfo->model, s, l);
626
627 memset(pInfo->serialNumber, ' ', 16);
628 l = sprintf((char *) pInfo->serialNumber, "%08u", serial);
629 pInfo->serialNumber[l] = ' ';
630
631 pInfo->flags = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED |
632 CKF_TOKEN_INITIALIZED;
633
634 pInfo->ulMaxSessionCount =
635 CK_EFFECTIVELY_INFINITE; // maximum number of sessions that can be opened
636 // with the token at one time by a single
637 // application
638 pInfo->ulSessionCount =
639 CK_UNAVAILABLE_INFORMATION; // number of sessions that this application
640 // currently has open with the token
641 pInfo->ulMaxRwSessionCount =
642 CK_EFFECTIVELY_INFINITE; // maximum number of read/write sessions that can
643 // be opened with the token at one time by a single
644 // application
645 pInfo->ulRwSessionCount =
646 CK_UNAVAILABLE_INFORMATION; // number of read/write sessions that this
647 // application currently has open with the token
648 pInfo->ulMaxPinLen =
649 YUBIHSM_PKCS11_MAX_PIN_LEN; // maximum length in bytes of the PIN
650 pInfo->ulMinPinLen =
651 YUBIHSM_PKCS11_MIN_PIN_LEN; // minimum length in bytes of the PIN
652 pInfo->ulTotalPublicMemory = CK_UNAVAILABLE_INFORMATION;
653 pInfo->ulFreePublicMemory = CK_UNAVAILABLE_INFORMATION;
654 pInfo->ulTotalPrivateMemory = CK_UNAVAILABLE_INFORMATION;
655 pInfo->ulFreePrivateMemory = CK_UNAVAILABLE_INFORMATION;
656
657 CK_VERSION ver = {major, (minor * 100) + patch};
658
659 pInfo->hardwareVersion = ver;
660
661 pInfo->firmwareVersion = ver;
662
663 DOUT;
664
665c_gt_out:
666
667 release_slot(&g_ctx, slot);
668
669 return rv;
670}
671
672CK_DEFINE_FUNCTION(CK_RV, C_WaitForSlotEvent)
673(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved) {
674
675 DIN;
676
677 UNUSED(flags);
678 UNUSED(pSlot);
679 UNUSED(pReserved);
680
681 DOUT;
682 return CKR_FUNCTION_NOT_SUPPORTED;
683}
684
685CK_DEFINE_FUNCTION(CK_RV, C_GetMechanismList)
686(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList,
687 CK_ULONG_PTR pulCount) {
688
689 DIN;
690
691 CK_RV rv = CKR_OK;
692
693 if (g_yh_initialized == false) {
694 DBG_ERR("libyubihsm is not initialized or already finalized");
695 return CKR_CRYPTOKI_NOT_INITIALIZED;
696 }
697
698 if (pulCount == NULL) {
699 DBG_ERR("Wrong/missing parameter");
700 return CKR_ARGUMENTS_BAD;
701 }
702
703 yubihsm_pkcs11_slot *slot = get_slot(&g_ctx, slotID);
704 if (slot == NULL) {
705 DBG_ERR("Invalid slot ID %lu", slotID);
706 return CKR_SLOT_ID_INVALID;
707 }
708
709 rv = get_mechanism_list(slot, pMechanismList, pulCount);
710 if (rv == CKR_BUFFER_TOO_SMALL) {
711 DBG_ERR("Mechanism buffer too small");
712 goto c_gml_out;
713 } else if (rv == CKR_FUNCTION_FAILED) {
714 DBG_ERR("Failed getting device info");
715 goto c_gml_out;
716 }
717
718 DBG_INFO("Found %lu mechanisms", *pulCount);
719
720 DOUT;
721
722c_gml_out:
723
724 release_slot(&g_ctx, slot);
725
726 return rv;
727}
728
729CK_DEFINE_FUNCTION(CK_RV, C_GetMechanismInfo)
730(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo) {
731
732 DIN;
733
734 CK_RV rv = CKR_OK;
735
736 if (g_yh_initialized == false) {
737 DBG_ERR("libyubihsm is not initialized or already finalized");
738 return CKR_CRYPTOKI_NOT_INITIALIZED;
739 }
740
741 if (pInfo == NULL) {
742 DBG_ERR("Wrong/missing parameter");
743 return CKR_ARGUMENTS_BAD;
744 }
745
746 yubihsm_pkcs11_slot *slot = get_slot(&g_ctx, slotID);
747 if (slot == NULL) {
748 DBG_ERR("Invalid slot ID %lu", slotID);
749 return CKR_SLOT_ID_INVALID;
750 }
751
752 if (get_mechanism_info(slot, type, pInfo) == false) {
753 DBG_ERR("Invalid mechanism %lu", type);
754 rv = CKR_MECHANISM_INVALID;
755 } else {
756 DOUT;
757 }
758
759 release_slot(&g_ctx, slot);
760
761 return rv;
762}
763
764CK_DEFINE_FUNCTION(CK_RV, C_InitToken)
765(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen,
766 CK_UTF8CHAR_PTR pLabel) {
767
768 DIN;
769
770 UNUSED(slotID);
771 UNUSED(pPin);
772 UNUSED(ulPinLen);
773 UNUSED(pLabel);
774
775 DOUT;
776 return CKR_FUNCTION_NOT_SUPPORTED;
777}
778
779CK_DEFINE_FUNCTION(CK_RV, C_InitPIN)
780(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) {
781
782 DIN;
783
784 UNUSED(hSession);
785 UNUSED(pPin);
786 UNUSED(ulPinLen);
787
788 DOUT;
789 return CKR_FUNCTION_NOT_SUPPORTED;
790}
791
792CK_DEFINE_FUNCTION(CK_RV, C_SetPIN)
793(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldLen,
794 CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewLen) {
795
796 DIN;
797
798 UNUSED(hSession);
799 UNUSED(pOldPin);
800 UNUSED(ulOldLen);
801 UNUSED(pNewPin);
802 UNUSED(ulNewLen);
803
804 DOUT;
805 return CKR_FUNCTION_NOT_SUPPORTED;
806}
807
808CK_DEFINE_FUNCTION(CK_RV, C_OpenSession)
809(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, CK_NOTIFY Notify,
810 CK_SESSION_HANDLE_PTR phSession) {
811
812 DIN; // TODO(adma): check pApplication and Notify
813
814 CK_RV rv = CKR_OK;
815
816 UNUSED(Notify);
817 UNUSED(pApplication);
818
819 if (g_yh_initialized == false) {
820 DBG_ERR("libyubihsm is not initialized or already finalized");
821 return CKR_CRYPTOKI_NOT_INITIALIZED;
822 }
823
824 if (phSession == NULL) {
825 DBG_ERR("Wrong/Missing parameter");
826 return CKR_ARGUMENTS_BAD;
827 }
828
829 if ((flags & CKF_SERIAL_SESSION) == 0) {
830 // NOTE(adma): required by specs
831 DBG_ERR("Open session called without CKF_SERIAL_SESSION set");
832 return CKR_SESSION_PARALLEL_NOT_SUPPORTED;
833 }
834
835 yubihsm_pkcs11_slot *slot = get_slot(&g_ctx, slotID);
836 if (slot == NULL) {
837 DBG_ERR("Invalid slot ID %lu", slotID);
838 return CKR_SLOT_ID_INVALID;
839 }
840
841 if (yh_connector_has_device(slot->connector) == false) {
842 DBG_ERR("Slot %lu has no token inserted", slotID);
843 rv = CKR_TOKEN_NOT_PRESENT;
844 goto c_os_out;
845 }
846
847 // NOTE(adma): we have already checked that the connector is
848 // connectable at this point. This function should only "allocate" a
849 // session pointer
850
851 if (create_session(slot, flags, phSession) == false) {
852 DBG_ERR("Connector %lu has too many open sessions", slotID);
853 rv = CKR_SESSION_COUNT;
854 goto c_os_out;
855 }
856
857 DBG_INFO("Allocated session %lu", *phSession);
858
859 DOUT;
860
861c_os_out:
862
863 release_slot(&g_ctx, slot);
864
865 return rv;
866}
867
868CK_DEFINE_FUNCTION(CK_RV, C_CloseSession)(CK_SESSION_HANDLE hSession) {
869
870 DIN;
871
872 if (g_yh_initialized == false) {
873 DBG_ERR("libyubihsm is not initialized or already finalized");
874 return CKR_CRYPTOKI_NOT_INITIALIZED;
875 }
876
877 yubihsm_pkcs11_session *session;
878 CK_RV rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
879 if (rv == CKR_OK) {
880 if (session->slot->pkcs11_sessions.length == 1) {
881 // NOTE: if this is the last session and is authenticated we need to
882 // de-auth
883 if (yh_util_close_session(session->slot->device_session) != YHR_SUCCESS) {
884 DBG_ERR("Failed closing device session, continuing");
885 }
886
887 if (yh_destroy_session(&session->slot->device_session) != YHR_SUCCESS) {
888 DBG_ERR("Failed destroying session");
889 // TODO: should we handle the error cases here better?
890 }
891 session->slot->device_session = NULL;
892 }
893
894 release_session(&g_ctx, session);
895 } else if (rv == CKR_SESSION_HANDLE_INVALID) {
896 // BUG(thorduri): piggybacking off of the validation in get_session()
897 // above, which might not hold forever.
898 DBG_ERR("Trying to close invalid session");
899 return CKR_SESSION_HANDLE_INVALID;
900 }
901
902 if (session) {
903 list_destroy(&session->ecdh_session_keys);
904 }
905 if (delete_session(&g_ctx, &hSession) == false) {
906 DBG_ERR("Trying to close invalid session");
907 return CKR_SESSION_HANDLE_INVALID;
908 }
909
910 DBG_INFO("Closing session %lu", hSession);
911
912 DOUT;
913 return CKR_OK;
914}
915
916CK_DEFINE_FUNCTION(CK_RV, C_CloseAllSessions)(CK_SLOT_ID slotID) {
917
918 DIN;
919
920 CK_RV rv = CKR_OK;
921
922 if (g_yh_initialized == false) {
923 DBG_ERR("libyubihsm is not initialized or already finalized");
924 return CKR_CRYPTOKI_NOT_INITIALIZED;
925 }
926
927 yubihsm_pkcs11_slot *slot = get_slot(&g_ctx, slotID);
928 if (slot == NULL) {
929 DBG_ERR("Invalid slot");
930 return CKR_SLOT_ID_INVALID;
931 }
932
933 DBG_INFO("Closing all sessions for slot %lu", slotID);
934
935 if (slot->device_session) {
936 if (yh_util_close_session(slot->device_session) != YHR_SUCCESS) {
937 DBG_ERR("Failed closing device session, continuing");
938 }
939 if (yh_destroy_session(&slot->device_session) != YHR_SUCCESS) {
940 // TODO: handle or ignore these errrors?
941 DBG_ERR("Failed destroying device session");
942 }
943 slot->device_session = NULL;
944 }
945
946 list_destroy(&slot->pkcs11_sessions);
947 list_create(&slot->pkcs11_sessions, sizeof(yubihsm_pkcs11_session), NULL);
948
949 release_slot(&g_ctx, slot);
950
951 DOUT;
952 return rv;
953}
954
955CK_DEFINE_FUNCTION(CK_RV, C_GetSessionInfo)
956(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo) {
957
958 DIN;
959
960 CK_RV rv = CKR_OK;
961
962 if (g_yh_initialized == false) {
963 DBG_ERR("libyubihsm is not initialized or already finalized");
964 return CKR_CRYPTOKI_NOT_INITIALIZED;
965 }
966
967 if (pInfo == NULL) {
968 DBG_ERR("Wrong/Missing parameter");
969 return CKR_ARGUMENTS_BAD;
970 }
971
972 yubihsm_pkcs11_session *session;
973 CK_RV ret = get_session(&g_ctx, hSession, &session, 0);
974 if (ret != CKR_OK) {
975 DBG_ERR("Session handle invalid");
976 return ret;
977 }
978
979 pInfo->slotID = session->slot->id;
980
981 pInfo->flags = 0;
982 switch (session->session_state) {
983 case SESSION_RESERVED_RO:
984 pInfo->state = CKS_RO_PUBLIC_SESSION;
985 break;
986
987 case SESSION_RESERVED_RW:
988 pInfo->state = CKS_RW_PUBLIC_SESSION;
989 pInfo->flags |= CKF_RW_SESSION;
990 break;
991
992 case SESSION_AUTHENTICATED_RO:
993 pInfo->state = CKS_RO_USER_FUNCTIONS;
994 break;
995
996 case SESSION_AUTHENTICATED_RW:
997 pInfo->state = CKS_RW_USER_FUNCTIONS;
998 pInfo->flags |= CKF_RW_SESSION;
999 break;
1000
1001 default:
1002 DBG_ERR("Unknown session %lu", hSession);
1003 rv = CKR_SESSION_HANDLE_INVALID;
1004 }
1005
1006 pInfo->flags |= CKF_SERIAL_SESSION;
1007 pInfo->ulDeviceError = 0;
1008
1009 if (rv == CKR_OK) {
1010 DOUT;
1011 }
1012
1013 release_session(&g_ctx, session);
1014
1015 return rv;
1016}
1017
1018CK_DEFINE_FUNCTION(CK_RV, C_GetOperationState)
1019(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState,
1020 CK_ULONG_PTR pulOperationStateLen) {
1021
1022 DIN;
1023
1024 UNUSED(hSession);
1025 UNUSED(pOperationState);
1026 UNUSED(pulOperationStateLen);
1027
1028 DOUT;
1029 return CKR_FUNCTION_NOT_SUPPORTED;
1030}
1031
1032CK_DEFINE_FUNCTION(CK_RV, C_SetOperationState)
1033(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState,
1034 CK_ULONG ulOperationStateLen, CK_OBJECT_HANDLE hEncryptionKey,
1035 CK_OBJECT_HANDLE hAuthenticationKey) {
1036
1037 DIN;
1038
1039 UNUSED(hSession);
1040 UNUSED(pOperationState);
1041 UNUSED(ulOperationStateLen);
1042 UNUSED(hEncryptionKey);
1043 UNUSED(hAuthenticationKey);
1044
1045 DOUT;
1046 return CKR_FUNCTION_NOT_SUPPORTED;
1047}
1048
1049static void login_sessions(void *data) {
1050 yubihsm_pkcs11_session *session = (yubihsm_pkcs11_session *) data;
1051 switch (session->session_state) {
1052 case SESSION_RESERVED_RO:
1053 session->session_state = SESSION_AUTHENTICATED_RO;
1054 break;
1055 case SESSION_RESERVED_RW:
1056 session->session_state = SESSION_AUTHENTICATED_RW;
1057 break;
1058 case SESSION_AUTHENTICATED_RO:
1059 case SESSION_AUTHENTICATED_RW:
1060 break;
1061 }
1062}
1063
1064static void logout_sessions(void *data) {
1065 yubihsm_pkcs11_session *session = (yubihsm_pkcs11_session *) data;
1066 switch (session->session_state) {
1067 case SESSION_AUTHENTICATED_RO:
1068 session->session_state = SESSION_RESERVED_RO;
1069 break;
1070 case SESSION_AUTHENTICATED_RW:
1071 session->session_state = SESSION_RESERVED_RW;
1072 break;
1073 case SESSION_RESERVED_RO:
1074 case SESSION_RESERVED_RW:
1075 break;
1076 }
1077}
1078
1079CK_DEFINE_FUNCTION(CK_RV, C_Login)
1080(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin,
1081 CK_ULONG ulPinLen) {
1082
1083 DIN;
1084
1085 CK_RV rv = CKR_OK;
1086
1087 if (g_yh_initialized == false) {
1088 DBG_ERR("libyubihsm is not initialized or already finalized");
1089 return CKR_CRYPTOKI_NOT_INITIALIZED;
1090 }
1091
1092 if (userType != CKU_USER) {
1093 DBG_ERR("Inalid user type, only regular user allowed");
1094 return CKR_USER_TYPE_INVALID;
1095 }
1096
1097 if (ulPinLen < YUBIHSM_PKCS11_MIN_PIN_LEN ||
1098 ulPinLen > YUBIHSM_PKCS11_MAX_PIN_LEN) {
1099 DBG_ERR("Wrong PIN length, must be [%d, %d] got %lu",
1100 YUBIHSM_PKCS11_MIN_PIN_LEN, YUBIHSM_PKCS11_MAX_PIN_LEN, ulPinLen);
1101 return CKR_ARGUMENTS_BAD;
1102 }
1103
1104 uint16_t key_id;
1105
1106 if (parse_hex(pPin, 4, (uint8_t *) &key_id) == false) {
1107 DBG_ERR(
1108 "PIN contains invalid characters, first four digits must be [0-9A-Fa-f]");
1109 return CKR_PIN_INCORRECT;
1110 }
1111
1112 key_id = ntohs(key_id);
1113
1114 pPin += 4;
1115 ulPinLen -= 4;
1116
1117 yubihsm_pkcs11_session *session;
1118 rv = get_session(&g_ctx, hSession, &session, SESSION_NOT_AUTHENTICATED);
1119 if (rv != CKR_OK) {
1120 DBG_ERR("Invalid session ID: %lu", hSession);
1121 return rv;
1122 }
1123
1124 yh_rc yrc;
1125 yrc =
1126 yh_create_session_derived(session->slot->connector, key_id, pPin, ulPinLen,
1127 true, &session->slot->device_session);
1128 if (yrc != YHR_SUCCESS) {
1129 DBG_ERR("Failed to create session: %s", yh_strerror(yrc));
1130 if (yrc == YHR_CRYPTOGRAM_MISMATCH) {
1131 rv = CKR_PIN_INCORRECT;
1132 } else {
1133 rv = CKR_FUNCTION_FAILED;
1134 }
1135 goto c_l_out;
1136 }
1137
1138 yrc = yh_authenticate_session(session->slot->device_session);
1139 if (yrc != YHR_SUCCESS) {
1140 DBG_ERR("Failed to authenticate session: %s", yh_strerror(yrc));
1141 if (yrc == YHR_CRYPTOGRAM_MISMATCH) {
1142 rv = CKR_PIN_INCORRECT;
1143 } else {
1144 rv = CKR_FUNCTION_FAILED;
1145 }
1146 goto c_l_out;
1147 }
1148
1149 list_iterate(&session->slot->pkcs11_sessions, login_sessions);
1150
1151 DOUT;
1152
1153c_l_out:
1154
1155 release_session(&g_ctx, session);
1156
1157 return rv;
1158}
1159
1160CK_DEFINE_FUNCTION(CK_RV, C_Logout)(CK_SESSION_HANDLE hSession) {
1161
1162 DIN;
1163
1164 CK_RV rv = CKR_OK;
1165
1166 if (g_yh_initialized == false) {
1167 DBG_ERR("libyubihsm is not initialized or already finalized");
1168 return CKR_CRYPTOKI_NOT_INITIALIZED;
1169 }
1170
1171 yubihsm_pkcs11_session *session;
1172 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
1173 if (rv != CKR_OK) {
1174 DBG_ERR("Invalid session ID: %lu", hSession);
1175 return rv;
1176 }
1177
1178 if (yh_util_close_session(session->slot->device_session) != YHR_SUCCESS) {
1179 DBG_ERR("Failed closing session");
1180 rv = CKR_FUNCTION_FAILED;
1181 goto c_l_out;
1182 }
1183
1184 if (yh_destroy_session(&session->slot->device_session) != YHR_SUCCESS) {
1185 DBG_ERR("Failed destroying session");
1186 rv = CKR_FUNCTION_FAILED;
1187 goto c_l_out;
1188 }
1189
1190 session->slot->device_session = NULL;
1191
1192 list_iterate(&session->slot->pkcs11_sessions, logout_sessions);
1193
1194 DOUT;
1195
1196c_l_out:
1197
1198 release_session(&g_ctx, session);
1199
1200 return rv;
1201}
1202
1203CK_DEFINE_FUNCTION(CK_RV, C_CreateObject)
1204(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
1205 CK_OBJECT_HANDLE_PTR phObject) {
1206
1207 DIN;
1208
1209 CK_RV rv = CKR_OK;
1210
1211 if (g_yh_initialized == false) {
1212 DBG_ERR("libyubihsm is not initialized or already finalized");
1213 return CKR_CRYPTOKI_NOT_INITIALIZED;
1214 }
1215
1216 if (pTemplate == NULL || ulCount == 0 || phObject == NULL) {
1217 DBG_ERR("Called with invalid parameters: pTemplate=%p ulCount=%lu "
1218 "phObject=%p",
1219 (void *) pTemplate, ulCount, (void *) phObject);
1220 return CKR_ARGUMENTS_BAD;
1221 }
1222
1223 yubihsm_pkcs11_session *session;
1224 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED_RW);
1225 if (rv != CKR_OK) {
1226 DBG_ERR("Invalid session ID: %lu", hSession);
1227 return rv;
1228 }
1229
1230 if (session->operation.type != OPERATION_NOOP) {
1231 DBG_ERR("A different operation is already active");
1232 rv = CKR_OPERATION_ACTIVE;
1233 goto c_co_out;
1234 }
1235
1236 struct {
1237 bool set;
1238 CK_ULONG d;
1239 } class, key_type, id;
1240 class.set = key_type.set = id.set = false;
1241 class.d = key_type.d = id.d = 0;
1242 yubihsm_pkcs11_object_template template;
1243 memset(&template, 0, sizeof(template));
1244
1245 for (CK_ULONG i = 0; i < ulCount; i++) {
1246 switch (pTemplate[i].type) {
1247 case CKA_CLASS:
1248 if (class.set == false) {
1249 class.d = *((CK_ULONG_PTR) pTemplate[i].pValue);
1250 class.set = true;
1251 } else {
1252 rv = CKR_TEMPLATE_INCONSISTENT;
1253 goto c_co_out;
1254 }
1255 break;
1256
1257 case CKA_KEY_TYPE:
1258 if (key_type.set == false) {
1259 key_type.d = *((CK_ULONG_PTR) pTemplate[i].pValue);
1260 key_type.set = true;
1261 } else {
1262 rv = CKR_TEMPLATE_INCONSISTENT;
1263 goto c_co_out;
1264 }
1265 break;
1266
1267 case CKA_ID:
1268 if (id.set == false) {
1269 id.d = parse_id_value(pTemplate[i].pValue, pTemplate[i].ulValueLen);
1270 if (id.d == (CK_ULONG) -1) {
1271 rv = CKR_ATTRIBUTE_VALUE_INVALID;
1272 goto c_co_out;
1273 }
1274 id.set = true;
1275 } else {
1276 rv = CKR_TEMPLATE_INCONSISTENT;
1277 goto c_co_out;
1278 }
1279 break;
1280
1281 case CKA_LABEL:
1282 if (pTemplate[i].ulValueLen > YH_OBJ_LABEL_LEN) {
1283 rv = CKR_ATTRIBUTE_VALUE_INVALID;
1284 goto c_co_out;
1285 }
1286
1287 memcpy(template.label, pTemplate[i].pValue, pTemplate[i].ulValueLen);
1288
1289 break;
1290
1291 case CKA_EXTRACTABLE:
1292 if ((rv = set_template_attribute(&template.exportable,
1293 pTemplate[i].pValue)) != CKR_OK) {
1294 goto c_co_out;
1295 }
1296 }
1297 }
1298
1299 if (class.set == false) {
1300 rv = CKR_TEMPLATE_INCOMPLETE;
1301 goto c_co_out;
1302 }
1303
1304 template.id = id.d;
1305 yh_capabilities capabilities = {{0}};
1306 yh_capabilities delegated_capabilities = {{0}};
1307 uint8_t type;
1308 yh_rc rc;
1309
1310 if (template.exportable == ATTRIBUTE_TRUE) {
1311 rc = yh_string_to_capabilities("exportable-under-wrap", &capabilities);
1312 if (rc != YHR_SUCCESS) {
1313 DBG_ERR("Failed setting exportable-under-wrap capability");
1314 rv = CKR_FUNCTION_FAILED;
1315 goto c_co_out;
1316 }
1317 }
1318
1319 if (class.d == CKO_PRIVATE_KEY) {
1320 if (key_type.set == false) {
1321 rv = CKR_TEMPLATE_INCOMPLETE;
1322 goto c_co_out;
1323 }
1324 type = YH_ASYMMETRIC_KEY;
1325 if (key_type.d == CKK_RSA) {
1326 rv = parse_rsa_template(pTemplate, ulCount, &template);
1327 if (rv != CKR_OK) {
1328 goto c_co_out;
1329 }
1330
1331 DBG_INFO("parsed RSA key, algorithm: %d, objlen: %d", template.algorithm,
1332 template.objlen);
1333
1334 if (template.sign == ATTRIBUTE_TRUE) {
1335 rc = yh_string_to_capabilities("sign-pkcs,sign-pss", &capabilities);
1336 if (rc != YHR_SUCCESS) {
1337 rv = CKR_FUNCTION_FAILED;
1338 goto c_co_out;
1339 }
1340 }
1341
1342 if (template.decrypt == ATTRIBUTE_TRUE) {
1343 rc =
1344 yh_string_to_capabilities("decrypt-pkcs,decrypt-oaep", &capabilities);
1345 if (rc != YHR_SUCCESS) {
1346 rv = CKR_FUNCTION_FAILED;
1347 goto c_co_out;
1348 }
1349 }
1350
1351 if (yh_util_import_rsa_key(session->slot->device_session, &template.id,
1352 template.label, 0xffff, &capabilities,
1353 template.algorithm, template.obj.rsa.p,
1354 template.obj.rsa.q) != YHR_SUCCESS) {
1355 DBG_ERR("Failed writing RSA key to device");
1356 rv = CKR_FUNCTION_FAILED;
1357 goto c_co_out;
1358 }
1359 } else if (key_type.d == CKK_EC) {
1360 rv = parse_ec_template(pTemplate, ulCount, &template);
1361 if (rv != CKR_OK) {
1362 goto c_co_out;
1363 }
1364
1365 DBG_INFO("parsed EC key, algorithm: %d, objlen: %d", template.algorithm,
1366 template.objlen);
1367
1368 if (template.sign == ATTRIBUTE_TRUE) {
1369 rc = yh_string_to_capabilities("sign-ecdsa", &capabilities);
1370 if (rc != YHR_SUCCESS) {
1371 rv = CKR_FUNCTION_FAILED;
1372 goto c_co_out;
1373 }
1374 }
1375
1376 if (template.derive == ATTRIBUTE_TRUE) {
1377 rc = yh_string_to_capabilities("derive-ecdh", &capabilities);
1378 if (rc != YHR_SUCCESS) {
1379 rv = CKR_FUNCTION_FAILED;
1380 goto c_co_out;
1381 }
1382 }
1383
1384 if (yh_util_import_ec_key(session->slot->device_session, &template.id,
1385 template.label, 0xffff, &capabilities,
1386 template.algorithm,
1387 template.obj.buf) != YHR_SUCCESS) {
1388 DBG_ERR("Failed writing EC key to device");
1389 rv = CKR_FUNCTION_FAILED;
1390 goto c_co_out;
1391 }
1392 } else {
1393 rv = CKR_ATTRIBUTE_VALUE_INVALID;
1394 goto c_co_out;
1395 }
1396 } else if (class.d == CKO_SECRET_KEY) {
1397 if (key_type.set == false) {
1398 rv = CKR_TEMPLATE_INCOMPLETE;
1399 goto c_co_out;
1400 }
1401 if (key_type.d == CKK_SHA_1_HMAC || key_type.d == CKK_SHA256_HMAC ||
1402 key_type.d == CKK_SHA384_HMAC || key_type.d == CKK_SHA512_HMAC) {
1403 type = YH_HMAC_KEY;
1404 rv = parse_hmac_template(pTemplate, ulCount, &template, false);
1405 if (rv != CKR_OK) {
1406 goto c_co_out;
1407 }
1408
1409 DBG_INFO("parsed HMAC key, algorithm: %d, objlen: %d", template.algorithm,
1410 template.objlen);
1411
1412 if (template.sign == ATTRIBUTE_TRUE) {
1413 rc = yh_string_to_capabilities("sign-hmac", &capabilities);
1414 if (rc != YHR_SUCCESS) {
1415 rv = CKR_FUNCTION_FAILED;
1416 goto c_co_out;
1417 }
1418 }
1419
1420 if (template.verify == ATTRIBUTE_TRUE) {
1421 rc = yh_string_to_capabilities("verify-hmac", &capabilities);
1422 if (rc != YHR_SUCCESS) {
1423 rv = CKR_FUNCTION_FAILED;
1424 goto c_co_out;
1425 }
1426 }
1427
1428 if (yh_util_import_hmac_key(session->slot->device_session, &template.id,
1429 template.label, 0xffff, &capabilities,
1430 template.algorithm, template.obj.buf,
1431 template.objlen) != YHR_SUCCESS) {
1432 DBG_ERR("Failed writing HMAC key to device");
1433 rv = CKR_FUNCTION_FAILED;
1434 goto c_co_out;
1435 }
1436 } else if (key_type.d == CKK_YUBICO_AES128_CCM_WRAP ||
1437 key_type.d == CKK_YUBICO_AES192_CCM_WRAP ||
1438 key_type.d == CKK_YUBICO_AES256_CCM_WRAP) {
1439 yh_algorithm algo = key_type.d & 0xff;
1440 type = YH_WRAP_KEY;
1441 rv = parse_wrap_template(pTemplate, ulCount, &template, false);
1442 if (rv != CKR_OK) {
1443 goto c_co_out;
1444 }
1445
1446 DBG_INFO("parsed WRAP key, objlen: %d", template.objlen);
1447
1448 if (template.wrap == ATTRIBUTE_TRUE) {
1449 rc = yh_string_to_capabilities("export-wrapped", &capabilities);
1450 if (rc != YHR_SUCCESS) {
1451 rv = CKR_FUNCTION_FAILED;
1452 goto c_co_out;
1453 }
1454 }
1455
1456 if (template.unwrap == ATTRIBUTE_TRUE) {
1457 rc = yh_string_to_capabilities("import-wrapped", &capabilities);
1458 if (rc != YHR_SUCCESS) {
1459 rv = CKR_FUNCTION_FAILED;
1460 goto c_co_out;
1461 }
1462 }
1463
1464 if (template.encrypt == ATTRIBUTE_TRUE) {
1465 rc = yh_string_to_capabilities("wrap-data", &capabilities);
1466 if (rc != YHR_SUCCESS) {
1467 rv = CKR_FUNCTION_FAILED;
1468 goto c_co_out;
1469 }
1470 }
1471
1472 if (template.decrypt == ATTRIBUTE_TRUE) {
1473 rc = yh_string_to_capabilities("unwrap-data", &capabilities);
1474 if (rc != YHR_SUCCESS) {
1475 rv = CKR_FUNCTION_FAILED;
1476 goto c_co_out;
1477 }
1478 }
1479
1480 rc = yh_string_to_capabilities("all", &delegated_capabilities);
1481 if (rc != YHR_SUCCESS) {
1482 rv = CKR_FUNCTION_FAILED;
1483 goto c_co_out;
1484 }
1485
1486 if (yh_util_import_wrap_key(session->slot->device_session, &template.id,
1487 template.label, 0xffff, &capabilities, algo,
1488 &delegated_capabilities, template.obj.buf,
1489 template.objlen) != YHR_SUCCESS) {
1490 DBG_ERR("Failed writing WRAP key to device");
1491 rv = CKR_FUNCTION_FAILED;
1492 goto c_co_out;
1493 }
1494 } else {
1495 DBG_ERR("Unknown key_type: %lx", key_type.d);
1496 rv = CKR_ATTRIBUTE_VALUE_INVALID;
1497 goto c_co_out;
1498 }
1499 } else if (class.d == CKO_CERTIFICATE || class.d == CKO_DATA) {
1500 yh_algorithm algo;
1501 type = YH_OPAQUE;
1502 if (class.d == CKO_CERTIFICATE) {
1503 algo = YH_ALGO_OPAQUE_X509_CERTIFICATE;
1504 } else {
1505 algo = YH_ALGO_OPAQUE_DATA;
1506 }
1507 for (CK_ULONG i = 0; i < ulCount; i++) {
1508 switch (pTemplate[i].type) {
1509 case CKA_VALUE:
1510 if (template.obj.buf == NULL) {
1511 template.obj.buf = (CK_BYTE_PTR) pTemplate[i].pValue;
1512 template.objlen = pTemplate[i].ulValueLen;
1513 DBG_INFO("Object will be stored with length %d", template.objlen);
1514 } else {
1515 DBG_ERR("Object buffer already set");
1516 rv = CKR_TEMPLATE_INCONSISTENT;
1517 goto c_co_out;
1518 }
1519 break;
1520 case CKA_CERTIFICATE_TYPE:
1521 if (algo != YH_ALGO_OPAQUE_X509_CERTIFICATE ||
1522 *(CK_CERTIFICATE_TYPE *) pTemplate[i].pValue != CKC_X_509) {
1523 DBG_ERR("Certificate type invalid");
1524 rv = CKR_ATTRIBUTE_VALUE_INVALID;
1525 goto c_co_out;
1526 }
1527 break;
1528 }
1529 }
1530
1531 if (yh_util_import_opaque(session->slot->device_session, &template.id,
1532 template.label, 0xffff, &capabilities, algo,
1533 template.obj.buf,
1534 template.objlen) != YHR_SUCCESS) {
1535 DBG_ERR("Failed writing Opaque object to device");
1536 rv = CKR_FUNCTION_FAILED;
1537 goto c_co_out;
1538 }
1539 } else {
1540 rv = CKR_TEMPLATE_INCONSISTENT;
1541 goto c_co_out;
1542 }
1543
1544 yh_object_descriptor object;
1545 if (yh_util_get_object_info(session->slot->device_session, template.id, type,
1546 &object) != YHR_SUCCESS) {
1547 DBG_ERR("Failed executing get object info after creating");
1548 rv = CKR_FUNCTION_FAILED;
1549 goto c_co_out;
1550 }
1551 *phObject = object.sequence << 24 | object.type << 16 | object.id;
1552
1553 DBG_INFO("Created object %08lx", *phObject);
1554
1555 DOUT;
1556
1557c_co_out:
1558
1559 release_session(&g_ctx, session);
1560
1561 return rv;
1562}
1563
1564CK_DEFINE_FUNCTION(CK_RV, C_CopyObject)
1565(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
1566 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
1567 CK_OBJECT_HANDLE_PTR phNewObject) {
1568
1569 DIN;
1570
1571 UNUSED(hSession);
1572 UNUSED(hObject);
1573 UNUSED(pTemplate);
1574 UNUSED(ulCount);
1575 UNUSED(phNewObject);
1576
1577 DOUT;
1578 return CKR_FUNCTION_NOT_SUPPORTED;
1579}
1580
1581CK_DEFINE_FUNCTION(CK_RV, C_DestroyObject)
1582(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
1583
1584 DIN;
1585
1586 CK_RV rv = CKR_OK;
1587
1588 if (g_yh_initialized == false) {
1589 DBG_ERR("libyubihsm is not initialized or already finalized");
1590 return CKR_CRYPTOKI_NOT_INITIALIZED;
1591 }
1592
1593 yubihsm_pkcs11_session *session;
1594 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
1595 if (rv != CKR_OK) {
1596 DBG_ERR("Invalid session ID %lu", hSession);
1597 return rv;
1598 }
1599
1600 if (session->operation.type != OPERATION_NOOP) {
1601 DBG_ERR("Other operation in progress");
1602 rv = CKR_FUNCTION_FAILED;
1603 goto c_do_out;
1604 }
1605
1606 int type = hObject >> 16;
1607
1608 if (type == ECDH_KEY_TYPE) {
1609 ListItem *item =
1610 list_get(&session->ecdh_session_keys, &hObject, compare_ecdh_keys);
1611 if (item) {
1612 list_delete(&session->ecdh_session_keys, item);
1613 DBG_INFO("Deleted ECDH session key %08lx", hObject);
1614 } else {
1615 DBG_INFO("No ECDH session key with ID %08lx was found", hObject);
1616 }
1617 } else {
1618 if (((uint8_t)(hObject >> 16)) == YH_PUBLIC_KEY) {
1619 DBG_INFO("Trying to delete public key, returning success with noop");
1620 goto c_do_out;
1621 }
1622
1623 yubihsm_pkcs11_object_desc *object =
1624 get_object_desc(session->slot->device_session, session->slot->objects,
1625 hObject);
1626 if (object == NULL) {
1627 DBG_ERR("Object not found");
1628 rv = CKR_OBJECT_HANDLE_INVALID;
1629 goto c_do_out;
1630 }
1631
1632 if (yh_util_delete_object(session->slot->device_session, object->object.id,
1633 object->object.type) != YHR_SUCCESS) {
1634 DBG_ERR("Failed deleting object");
1635 rv = CKR_FUNCTION_FAILED;
1636 goto c_do_out;
1637 }
1638
1639 DBG_INFO("Deleted object %08lx", hObject);
1640 delete_object_from_cache(session->slot->objects, hObject);
1641 }
1642
1643 DOUT;
1644
1645c_do_out:
1646
1647 release_session(&g_ctx, session);
1648
1649 return rv;
1650}
1651
1652CK_DEFINE_FUNCTION(CK_RV, C_GetObjectSize)
1653(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) {
1654
1655 DIN;
1656
1657 CK_RV rv = CKR_OK;
1658
1659 if (g_yh_initialized == false) {
1660 DBG_ERR("libyubihsm is not initialized or already finalized");
1661 return CKR_CRYPTOKI_NOT_INITIALIZED;
1662 }
1663
1664 if (pulSize == NULL) {
1665 return CKR_ARGUMENTS_BAD;
1666 }
1667
1668 yubihsm_pkcs11_session *session;
1669 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
1670 if (rv != CKR_OK) {
1671 DBG_ERR("Unknown session %lu", hSession);
1672 return rv;
1673 }
1674
1675 int type = hObject >> 16;
1676
1677 if (type == ECDH_KEY_TYPE) {
1678 ListItem *item =
1679 list_get(&session->ecdh_session_keys, &hObject, compare_ecdh_keys);
1680 if (item) {
1681 ecdh_session_key *key = (ecdh_session_key *) item->data;
1682 *pulSize = key->len;
1683
1684 DOUT;
1685 } else {
1686 rv = CKR_OBJECT_HANDLE_INVALID;
1687 }
1688 } else {
1689 yubihsm_pkcs11_object_desc *object =
1690 get_object_desc(session->slot->device_session, session->slot->objects,
1691 hObject);
1692 if (object == NULL) {
1693 rv = CKR_OBJECT_HANDLE_INVALID;
1694 } else {
1695 *pulSize = object->object.len;
1696
1697 DOUT;
1698 }
1699 }
1700 release_session(&g_ctx, session);
1701
1702 return rv;
1703}
1704
1705CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValue)
1706(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
1707 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) {
1708
1709 DIN;
1710
1711 CK_RV rv = CKR_OK;
1712
1713 if (g_yh_initialized == false) {
1714 DBG_ERR("libyubihsm is not initialized or already finalized");
1715 return CKR_CRYPTOKI_NOT_INITIALIZED;
1716 }
1717
1718 if (pTemplate == NULL || ulCount == 0) {
1719 return CKR_ARGUMENTS_BAD;
1720 }
1721
1722 yubihsm_pkcs11_session *session;
1723 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
1724 if (rv != CKR_OK) {
1725 DBG_ERR("Unknown session %lu", hSession);
1726 return rv;
1727 }
1728
1729 DBG_INFO("For object %08lx", hObject);
1730
1731 int type = hObject >> 16;
1732
1733 if (type == ECDH_KEY_TYPE) {
1734 bool object_found = false;
1735 ListItem *item =
1736 list_get(&session->ecdh_session_keys, &hObject, compare_ecdh_keys);
1737 if (item) {
1738 object_found = true;
1739 DBG_INFO("Object is an ECDH key available only in the current session. "
1740 "Key id: 0x%lx",
1741 hObject);
1742 ecdh_session_key *key = (ecdh_session_key *) item->data;
1743 rv = populate_template(type, key, pTemplate, ulCount,
1744 session->slot->device_session);
1745 }
1746
1747 if ((rv == CKR_OK) && !object_found) {
1748 DBG_ERR("Unable to retrieve session ECDH key with ID: %08lx", hObject);
1749 rv = CKR_FUNCTION_FAILED;
1750 goto c_gav_out;
1751 } else if (rv != CKR_OK) {
1752 goto c_gav_out;
1753 }
1754
1755 } else {
1756 yubihsm_pkcs11_object_desc *object =
1757 get_object_desc(session->slot->device_session, session->slot->objects,
1758 hObject);
1759
1760 if (object == NULL) {
1761 DBG_ERR("Unable to retrieve object");
1762 rv = CKR_FUNCTION_FAILED;
1763 goto c_gav_out;
1764 }
1765
1766 rv = populate_template(type, object, pTemplate, ulCount,
1767 session->slot->device_session);
1768 if (rv != CKR_OK) {
1769 goto c_gav_out;
1770 }
1771 }
1772
1773 DOUT;
1774
1775c_gav_out:
1776
1777 release_session(&g_ctx, session);
1778
1779 return rv;
1780}
1781
1782CK_DEFINE_FUNCTION(CK_RV, C_SetAttributeValue)
1783(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
1784 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) {
1785
1786 DIN;
1787
1788 CK_RV rv = CKR_FUNCTION_NOT_SUPPORTED;
1789
1790 if (g_yh_initialized == false) {
1791 DBG_ERR("libyubihsm is not initialized or already finalized");
1792 return CKR_CRYPTOKI_NOT_INITIALIZED;
1793 }
1794
1795 if (pTemplate == NULL || ulCount == 0) {
1796 DBG_ERR("Called with invalid parameters: pTemplate=%p ulCount=%lu",
1797 (void *) pTemplate, ulCount);
1798 return CKR_ARGUMENTS_BAD;
1799 }
1800
1801 yubihsm_pkcs11_session *session;
1802 rv = get_session(&g_ctx, hSession, &session, 0);
1803 if (rv != CKR_OK) {
1804 DBG_ERR("Unknown session %lu", hSession);
1805 return rv;
1806 }
1807
1808 int type = hObject >> 16;
1809 if (type == ECDH_KEY_TYPE) {
1810 DBG_INFO("Refusing to change attributes of an ECDH session key");
1811 rv = CKR_FUNCTION_NOT_SUPPORTED;
1812 goto c_sav_out;
1813 }
1814
1815 yubihsm_pkcs11_object_desc *object =
1816 get_object_desc(session->slot->device_session, session->slot->objects,
1817 hObject);
1818 if (object == NULL) {
1819 DBG_ERR("Unable to retrieve object");
1820 rv = CKR_FUNCTION_FAILED;
1821 goto c_sav_out;
1822 }
1823
1824 for (CK_ULONG i = 0; i < ulCount; i++) {
1825 switch (pTemplate[i].type) {
1826 case CKA_ID: {
1827 int new_id =
1828 parse_id_value(pTemplate[i].pValue, pTemplate[i].ulValueLen);
1829 if (new_id != object->object.id) {
1830 DBG_INFO("Refusing to change id of object (old:%x, new:%x",
1831 object->object.id, new_id);
1832 rv = CKR_FUNCTION_NOT_SUPPORTED;
1833 goto c_sav_out;
1834 }
1835 } break;
1836
1837 case CKA_LABEL:
1838 if (pTemplate[i].ulValueLen != strlen(object->object.label) ||
1839 memcmp(pTemplate[i].pValue, object->object.label,
1840 pTemplate[i].ulValueLen) != 0) {
1841 DBG_INFO("Refusing to change label of object");
1842 rv = CKR_FUNCTION_NOT_SUPPORTED;
1843 goto c_sav_out;
1844 }
1845 break;
1846
1847 default:
1848 DBG_INFO("Refusing to change attribute %lx of object",
1849 pTemplate[i].type);
1850 rv = CKR_FUNCTION_NOT_SUPPORTED;
1851 goto c_sav_out;
1852 }
1853 }
1854
1855 DOUT;
1856c_sav_out:
1857 release_session(&g_ctx, session);
1858
1859 return rv;
1860}
1861
1862static bool should_include_sessionkeys(bool is_secret_key, bool extractable_set,
1863 bool is_extractable, int object_id) {
1864 if (object_id != 0) {
1865 // Searching for a specific keys
1866 return false;
1867 }
1868 if (!is_secret_key) {
1869 return false;
1870 }
1871 if (extractable_set && !is_extractable) {
1872 return false;
1873 }
1874 return true;
1875}
1876
1877CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)
1878(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) {
1879
1880 DIN;
1881
1882 CK_RV rv = CKR_OK;
1883 char *label = NULL;
1884
1885 if (g_yh_initialized == false) {
1886 DBG_ERR("libyubihsm is not initialized or already finalized");
1887 return CKR_CRYPTOKI_NOT_INITIALIZED;
1888 }
1889
1890 if (ulCount != 0 && pTemplate == NULL) {
1891 DBG_ERR("Asking for specific objects but no template given");
1892 return CKR_ARGUMENTS_BAD;
1893 }
1894
1895 yubihsm_pkcs11_session *session;
1896 rv = get_session(&g_ctx, hSession, &session, 0);
1897 if (rv != CKR_OK) {
1898 DBG_ERR("Unknown session %lu", hSession);
1899 return rv;
1900 }
1901
1902 if (session->operation.type != OPERATION_NOOP) {
1903 DBG_ERR("Another operation is already active %d", session->operation.type);
1904 rv = CKR_OPERATION_ACTIVE;
1905 goto c_foi_out;
1906 }
1907
1908 session->operation.op.find.only_private = false;
1909 session->operation.op.find.n_objects = 0;
1910
1911 if (session->session_state & SESSION_NOT_AUTHENTICATED) {
1912 rv = CKR_OK;
1913 // NOTE: we need to take extra care here, we're lying about the operation
1914 // being succesful, so we need to setup the internal state correctly as
1915 // well.
1916 session->operation.type = OPERATION_FIND;
1917 session->operation.op.find.current_object = 0;
1918 DOUT;
1919 goto c_foi_out;
1920 }
1921
1922 yh_rc rc;
1923
1924 int id = 0;
1925 uint8_t type = 0;
1926 uint16_t domains = 0;
1927 yh_capabilities capabilities = {{0}};
1928 bool pub = false;
1929 yh_algorithm algorithm = 0;
1930 bool unknown = false;
1931 bool secret_key = false;
1932 bool extractable_set = false;
1933
1934 DBG_INFO("find with %lu attributes", ulCount);
1935 if (ulCount != 0) {
1936 for (CK_ULONG i = 0; i < ulCount; i++) {
1937 switch (pTemplate[i].type) {
1938 case CKA_ID:
1939 id = parse_id_value(pTemplate[i].pValue, pTemplate[i].ulValueLen);
1940 if (id == -1) {
1941 DBG_ERR("Failed to parse ID from template");
1942 rv = CKR_ATTRIBUTE_VALUE_INVALID;
1943 goto c_foi_out;
1944 }
1945 DBG_INFO("id parsed as %x", id);
1946 break;
1947
1948 case CKA_CLASS: {
1949 uint32_t value = *((CK_ULONG_PTR)(pTemplate[i].pValue));
1950 switch (value) {
1951 case CKO_CERTIFICATE:
1952 DBG_INFO("Filtering for certificate");
1953 algorithm =
1954 YH_ALGO_OPAQUE_X509_CERTIFICATE; // TODO: handle other certs?
1955 case CKO_DATA:
1956 type = YH_OPAQUE;
1957 break;
1958
1959 case CKO_PUBLIC_KEY:
1960 pub = true;
1961 type = YH_ASYMMETRIC_KEY;
1962 break;
1963
1964 case CKO_PRIVATE_KEY:
1965 session->operation.op.find.only_private = true;
1966 type = YH_ASYMMETRIC_KEY;
1967 break;
1968
1969 case CKO_SECRET_KEY:
1970 secret_key = true;
1971 break;
1972
1973 default:
1974 unknown = true;
1975 DBG_INFO("Asking for unknown class %x, returning empty set",
1976 (uint32_t) pTemplate[i].type);
1977 }
1978 } break;
1979
1980 case CKA_LABEL: {
1981 CK_ULONG len = pTemplate[i].ulValueLen;
1982
1983 if (len > YH_OBJ_LABEL_LEN) {
1984 DBG_ERR("Label value too long, found %lu, maximum is %d", len,
1985 YH_OBJ_LABEL_LEN);
1986 rv = CKR_ATTRIBUTE_VALUE_INVALID;
1987 goto c_foi_out;
1988 }
1989
1990 label = calloc(len + 1, sizeof(char));
1991 if (label == NULL) {
1992 DBG_ERR("Unable to allocate label memory");
1993 rv = CKR_HOST_MEMORY;
1994 goto c_foi_out;
1995 }
1996
1997 memcpy(label, pTemplate[i].pValue, len);
1998 } break;
1999
2000 case CKA_SIGN:
2001 if (*((CK_BBOOL *) pTemplate[i].pValue) == CK_TRUE) {
2002 session->operation.op.find.only_private = true;
2003 rc = yh_string_to_capabilities(
2004 "sign-pkcs,sign-pss,sign-ecdsa,sign-hmac", &capabilities);
2005 if (rc != YHR_SUCCESS) {
2006 DBG_ERR("Failed to parse capabilities: %s", yh_strerror(rc));
2007 rv = CKR_FUNCTION_FAILED;
2008 goto c_foi_out;
2009 }
2010 }
2011 break;
2012
2013 case CKA_DECRYPT:
2014 if (*((CK_BBOOL *) pTemplate[i].pValue) == CK_TRUE) {
2015 session->operation.op.find.only_private = true;
2016 rc =
2017 yh_string_to_capabilities("decrypt-pkcs,decrypt-oaep,derive-ecdh,"
2018 "unwrap-data",
2019 &capabilities);
2020 if (rc != YHR_SUCCESS) {
2021 DBG_ERR("Failed to parse capabilities: %s", yh_strerror(rc));
2022 rv = CKR_FUNCTION_FAILED;
2023 goto c_foi_out;
2024 }
2025 }
2026 break;
2027
2028 case CKA_ENCRYPT:
2029 if (*((CK_BBOOL *) pTemplate[i].pValue) == CK_TRUE) {
2030 type = YH_WRAP_KEY;
2031 rc = yh_string_to_capabilities("wrap-data", &capabilities);
2032 if (rc != YHR_SUCCESS) {
2033 DBG_ERR("Failed to parse capabilities: %s", yh_strerror(rc));
2034 rv = CKR_FUNCTION_FAILED;
2035 goto c_foi_out;
2036 }
2037 }
2038 break;
2039
2040 case CKA_WRAP:
2041 if (*((CK_BBOOL *) pTemplate[i].pValue) == CK_TRUE) {
2042 type = YH_WRAP_KEY;
2043 rc = yh_string_to_capabilities("export-wrapped", &capabilities);
2044 if (rc != YHR_SUCCESS) {
2045 DBG_ERR("Failed to parse capabilities: %s", yh_strerror(rc));
2046 rv = CKR_FUNCTION_FAILED;
2047 goto c_foi_out;
2048 }
2049 }
2050 break;
2051
2052 case CKA_UNWRAP:
2053 if (*((CK_BBOOL *) pTemplate[i].pValue) == CK_TRUE) {
2054 type = YH_WRAP_KEY;
2055 rc = yh_string_to_capabilities("import-wrapped", &capabilities);
2056 if (rc != YHR_SUCCESS) {
2057 DBG_ERR("Failed to parse capabilities: %s", yh_strerror(rc));
2058 rv = CKR_FUNCTION_FAILED;
2059 goto c_foi_out;
2060 }
2061 }
2062 break;
2063
2064 case CKA_EXTRACTABLE:
2065 extractable_set = true;
2066 if (*((CK_BBOOL *) pTemplate[i].pValue) == CK_TRUE) {
2067 session->operation.op.find.only_private = true;
2068 rc =
2069 yh_string_to_capabilities("exportable-under-wrap", &capabilities);
2070 if (rc != YHR_SUCCESS) {
2071 DBG_ERR("Failed to parse capabilities: %s", yh_strerror(rc));
2072 rv = CKR_FUNCTION_FAILED;
2073 goto c_foi_out;
2074 }
2075 }
2076 break;
2077
2078 case CKA_TOKEN:
2079 case CKA_PRIVATE:
2080 case CKA_SENSITIVE:
2081 case CKA_ALWAYS_SENSITIVE:
2082 case CKA_DESTROYABLE:
2083 case CKA_KEY_TYPE:
2084 case CKA_APPLICATION:
2085 DBG_INFO("Got type %x, ignoring it for results",
2086 (uint32_t) pTemplate[i].type);
2087 break;
2088
2089 default:
2090 unknown = true;
2091 DBG_INFO("Got type %x, returning empty set",
2092 (uint32_t) pTemplate[i].type);
2093 break;
2094 }
2095 }
2096 }
2097
2098 if (unknown == false) {
2099 uint16_t found_objects = 0;
2100 if (secret_key == true) {
2101 // NOTE(adma): looking for a secret key. Get items of all types and filter
2102 // manually
2103 yh_object_descriptor
2104 tmp_objects[YH_MAX_ITEMS_COUNT + MAX_ECDH_SESSION_KEYS];
2105 size_t tmp_n_objects = YH_MAX_ITEMS_COUNT + MAX_ECDH_SESSION_KEYS;
2106 rc = yh_util_list_objects(session->slot->device_session, id, 0, domains,
2107 &capabilities, algorithm, label, tmp_objects,
2108 &tmp_n_objects);
2109 if (rc != YHR_SUCCESS) {
2110 DBG_ERR("Failed to get object list");
2111 rv = CKR_FUNCTION_FAILED;
2112 goto c_foi_out;
2113 }
2114
2115 for (uint16_t i = 0; i < tmp_n_objects; i++) {
2116 if (tmp_objects[i].type == YH_WRAP_KEY ||
2117 tmp_objects[i].type == YH_HMAC_KEY) {
2118 memcpy(session->operation.op.find.objects + found_objects,
2119 tmp_objects + i, sizeof(yh_object_descriptor));
2120 found_objects++;
2121 }
2122 }
2123 } else {
2124 session->operation.op.find.n_objects =
2125 YH_MAX_ITEMS_COUNT + MAX_ECDH_SESSION_KEYS;
2126 rc = yh_util_list_objects(session->slot->device_session, id, type,
2127 domains, &capabilities, algorithm, label,
2128 session->operation.op.find.objects,
2129 &session->operation.op.find.n_objects);
2130 if (rc != YHR_SUCCESS) {
2131 DBG_ERR("Failed to get object list");
2132 rv = CKR_FUNCTION_FAILED;
2133 goto c_foi_out;
2134 }
2135 found_objects = session->operation.op.find.n_objects;
2136
2137 if (pub) {
2138 for (uint16_t i = 0; i < session->operation.op.find.n_objects; i++) {
2139 if (session->operation.op.find.objects[i].type == YH_ASYMMETRIC_KEY) {
2140 session->operation.op.find.objects[i].type |= 0x80;
2141 }
2142 }
2143 }
2144 }
2145
2146 if (ulCount == 0 ||
2147 should_include_sessionkeys(secret_key, extractable_set,
2148 session->operation.op.find.only_private,
2149 id)) {
2150 for (ListItem *item = session->ecdh_session_keys.head; item != NULL;
2151 item = item->next) {
2152 ecdh_session_key *key = (ecdh_session_key *) item->data;
2153
2154 if (label == NULL || strcmp(label, key->label) == 0) {
2155
2156 yh_object_descriptor desc;
2157 memset(&desc, 0, sizeof(desc));
2158 desc.id = key->id & 0xffff;
2159 desc.len = key->len;
2160 desc.type = ECDH_KEY_TYPE;
2161 memcpy(desc.label, key->label, strlen(key->label) + 1);
2162
2163 // Add this item/key to the list of found objects
2164 memcpy(session->operation.op.find.objects + found_objects, &desc,
2165 sizeof(yh_object_descriptor));
2166
2167 found_objects++;
2168 }
2169 }
2170 }
2171
2172 session->operation.op.find.n_objects = found_objects;
2173 }
2174
2175 // NOTE: it's important to set the operation type as late as possible so we
2176 // don't leave it set after erroring out.
2177 session->operation.type = OPERATION_FIND;
2178 session->operation.op.find.current_object = 0;
2179
2180 DOUT;
2181
2182c_foi_out:
2183
2184 if (label != NULL) {
2185 free(label);
2186 label = NULL;
2187 }
2188
2189 release_session(&g_ctx, session);
2190
2191 return rv;
2192}
2193
2194CK_DEFINE_FUNCTION(CK_RV, C_FindObjects)
2195(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
2196 CK_ULONG ulMaxObjectCount, CK_ULONG_PTR pulObjectCount) {
2197
2198 DIN;
2199
2200 CK_RV rv = CKR_OK;
2201
2202 if (g_yh_initialized == false) {
2203 DBG_ERR("libyubihsm is not initialized or already finalized");
2204 return CKR_CRYPTOKI_NOT_INITIALIZED;
2205 }
2206
2207 yubihsm_pkcs11_session *session;
2208 rv = get_session(&g_ctx, hSession, &session, 0);
2209 if (rv != CKR_OK) {
2210 DBG_ERR("Unknown session %lu", hSession);
2211 return rv;
2212 }
2213
2214 if (phObject == NULL || ulMaxObjectCount == 0 || pulObjectCount == NULL) {
2215 rv = CKR_ARGUMENTS_BAD;
2216 goto c_fo_out;
2217 }
2218
2219 if (session->operation.type != OPERATION_FIND) {
2220 rv = CKR_OPERATION_NOT_INITIALIZED;
2221 goto c_fo_out;
2222 }
2223
2224 DBG_INFO("Can return %lu object(s)", ulMaxObjectCount);
2225
2226 *pulObjectCount = 0;
2227 for (uint16_t i = 0;
2228 i < ulMaxObjectCount && session->operation.op.find.current_object <
2229 session->operation.op.find.n_objects;
2230 session->operation.op.find.current_object++) {
2231 yh_object_descriptor *object =
2232 &session->operation.op.find
2233 .objects[session->operation.op.find.current_object];
2234 uint32_t id;
2235 switch (object->type) {
2236 case YH_ASYMMETRIC_KEY:
2237 case YH_OPAQUE:
2238 case YH_WRAP_KEY:
2239 case YH_HMAC_KEY:
2240 case YH_PUBLIC_KEY:
2241 id = object->sequence << 24;
2242 id |= object->type << 16;
2243 id |= object->id;
2244 break;
2245 default:
2246 if (object->type == ECDH_KEY_TYPE) {
2247 id = ECDH_KEY_TYPE << 16;
2248 id |= object->id;
2249 } else {
2250 DBG_INFO("Found unknown object type %x, skipping over", object->type);
2251 continue;
2252 }
2253 }
2254
2255 phObject[i++] = id;
2256
2257 *pulObjectCount += 1;
2258
2259 if (!session->operation.op.find.only_private &&
2260 object->type == YH_ASYMMETRIC_KEY) {
2261 object->type |= 0x80;
2262 session->operation.op.find.current_object--;
2263 DBG_INFO("stepping back");
2264 }
2265
2266 DBG_INFO("Returning object %d as %08x",
2267 session->operation.op.find.current_object, id);
2268 }
2269
2270 DBG_INFO("Returning %lu object(s)", *pulObjectCount);
2271
2272 DOUT;
2273
2274c_fo_out:
2275
2276 release_session(&g_ctx, session);
2277
2278 return rv;
2279}
2280
2281CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsFinal)(CK_SESSION_HANDLE hSession) {
2282
2283 DIN;
2284
2285 CK_RV rv = CKR_OK;
2286
2287 if (g_yh_initialized == false) {
2288 DBG_ERR("libyubihsm is not initialized or already finalized");
2289 return CKR_CRYPTOKI_NOT_INITIALIZED;
2290 }
2291
2292 yubihsm_pkcs11_session *session;
2293 rv = get_session(&g_ctx, hSession, &session, 0);
2294 if (rv != CKR_OK) {
2295 DBG_ERR("Unknown session %lu", hSession);
2296 return rv;
2297 }
2298
2299 if (session->operation.type != OPERATION_FIND) {
2300 rv = CKR_OPERATION_NOT_INITIALIZED;
2301 goto c_fof_out;
2302 }
2303
2304 session->operation.op.find.current_object = 0;
2305 session->operation.op.find.n_objects = 0;
2306
2307 session->operation.type = OPERATION_NOOP;
2308
2309 DOUT;
2310
2311c_fof_out:
2312
2313 release_session(&g_ctx, session);
2314
2315 return rv;
2316}
2317
2318CK_DEFINE_FUNCTION(CK_RV, C_EncryptInit)
2319(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
2320 CK_OBJECT_HANDLE hKey) {
2321
2322 DIN;
2323
2324 CK_RV rv = CKR_OK;
2325
2326 if (g_yh_initialized == false) {
2327 DBG_ERR("libyubihsm is not initialized or already finalized");
2328 return CKR_CRYPTOKI_NOT_INITIALIZED;
2329 }
2330
2331 if (pMechanism == NULL || pMechanism->mechanism != CKM_YUBICO_AES_CCM_WRAP) {
2332 DBG_ERR("Invalid Mechanism");
2333 return CKR_ARGUMENTS_BAD;
2334 }
2335
2336 yubihsm_pkcs11_session *session;
2337 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
2338 if (rv != CKR_OK) {
2339 DBG_ERR("Invalid session ID %lu", hSession);
2340 return rv;
2341 }
2342
2343 if (session->operation.type != OPERATION_NOOP) {
2344 DBG_ERR("Other operation in progress");
2345 rv = CKR_OPERATION_ACTIVE;
2346 goto c_ei_out;
2347 }
2348
2349 DBG_INFO("Trying to encrypt data with mechanism 0x%04lx and key %08lx",
2350 pMechanism->mechanism, hKey);
2351
2352 int type = hKey >> 16;
2353 if (type == ECDH_KEY_TYPE) {
2354 DBG_ERR("Wrong key type");
2355 rv = CKR_KEY_TYPE_INCONSISTENT;
2356 goto c_ei_out;
2357 }
2358
2359 yubihsm_pkcs11_object_desc *object =
2360 get_object_desc(session->slot->device_session, session->slot->objects,
2361 hKey);
2362
2363 if (object == NULL) {
2364 DBG_ERR("Unable to retrieve object");
2365 rv = CKR_FUNCTION_FAILED;
2366 goto c_ei_out;
2367 }
2368
2369 if (check_encrypt_mechanism(session->slot, pMechanism) != true) {
2370 DBG_ERR("Encryption mechanism %lu not supported", pMechanism->mechanism);
2371 rv = CKR_MECHANISM_INVALID;
2372 goto c_ei_out;
2373 }
2374 session->operation.mechanism.mechanism = pMechanism->mechanism;
2375
2376 if (object->object.type != YH_WRAP_KEY) {
2377 DBG_ERR("Wrong key type or algorithm");
2378 rv = CKR_KEY_TYPE_INCONSISTENT;
2379 goto c_ei_out;
2380 }
2381
2382 session->operation.op.encrypt.key_id = hKey;
2383 session->operation.type = OPERATION_ENCRYPT;
2384 session->operation.buffer_length = 0;
2385
2386 DOUT;
2387
2388c_ei_out:
2389 release_session(&g_ctx, session);
2390 return rv;
2391}
2392
2393CK_DEFINE_FUNCTION(CK_RV, C_Encrypt)
2394(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
2395 CK_BYTE_PTR pEncryptedData, CK_ULONG_PTR pulEncryptedDataLen) {
2396
2397 DIN;
2398
2399 CK_RV rv = CKR_OK;
2400 bool terminate = true;
2401
2402 yubihsm_pkcs11_session *session = NULL;
2403
2404 if (g_yh_initialized == false) {
2405 DBG_ERR("libyubihsm is not initialized or already finalized");
2406 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
2407 goto c_e_out;
2408 }
2409
2410 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
2411 if (rv != CKR_OK) {
2412 DBG_ERR("Invalid session ID %lu", hSession);
2413 goto c_e_out;
2414 }
2415
2416 if (session->operation.type != OPERATION_ENCRYPT) {
2417 DBG_ERR("Encryption operation not initialized");
2418 rv = CKR_OPERATION_NOT_INITIALIZED;
2419 goto c_e_out;
2420 }
2421
2427
2428 CK_ULONG datalen = YH_CCM_WRAP_OVERHEAD + ulDataLen;
2429 DBG_INFO("The size of the data will be %lu", datalen);
2430
2431 if (pEncryptedData == NULL) {
2432 // NOTE: if data is NULL, just return size we'll need
2433 *pulEncryptedDataLen = datalen;
2434 rv = CKR_OK;
2435 terminate = false;
2436
2437 DOUT;
2438 goto c_e_out;
2439 }
2440
2441 if (*pulEncryptedDataLen < datalen) {
2442 DBG_ERR("pulEncryptedDataLen too small, expected = %lu, got %lu)", datalen,
2443 *pulEncryptedDataLen);
2444 rv = CKR_BUFFER_TOO_SMALL;
2445 *pulEncryptedDataLen = datalen;
2446 terminate = false;
2447
2448 goto c_e_out;
2449 }
2450
2451 DBG_INFO("Encrypting %lu bytes", ulDataLen);
2452 rv = apply_encrypt_mechanism_update(&session->operation, pData, ulDataLen);
2453 if (rv != CKR_OK) {
2454 DBG_ERR("Unable to perform encrypt operation step");
2455 goto c_e_out;
2456 }
2457
2458 rv = perform_encrypt(session->slot->device_session, &session->operation,
2459 pEncryptedData, (uint16_t *) pulEncryptedDataLen);
2460 if (rv != CKR_OK) {
2461 DBG_ERR("Unable to encrypt data");
2462 goto c_e_out;
2463 }
2464
2465 DBG_INFO("Got %lu butes back", *pulEncryptedDataLen);
2466
2467 rv = CKR_OK;
2468
2469 DOUT;
2470
2471c_e_out:
2472 if (session != NULL) {
2473 release_session(&g_ctx, session);
2474 if (terminate == true) {
2475 session->operation.type = OPERATION_NOOP;
2476 }
2477 }
2478 return rv;
2479}
2480
2481CK_DEFINE_FUNCTION(CK_RV, C_EncryptUpdate)
2482(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen,
2483 CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pulEncryptedPartLen) {
2484
2485 DIN;
2486
2487 CK_RV rv = CKR_OK;
2488 yubihsm_pkcs11_session *session = NULL;
2489
2490 if (g_yh_initialized == false) {
2491 DBG_ERR("libyubihsm is not initialized or already finalized");
2492 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
2493 goto c_eu_out;
2494 }
2495
2496 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
2497 if (rv != CKR_OK) {
2498 DBG_ERR("Invalid session ID %lu", hSession);
2499 goto c_eu_out;
2500 }
2501
2502 if (session->operation.type != OPERATION_ENCRYPT) {
2503 DBG_ERR("Decrypt operation not initialized");
2504 rv = CKR_OPERATION_NOT_INITIALIZED;
2505 goto c_eu_out;
2506 }
2507
2508 if (pPart == NULL) {
2509 DBG_ERR("No data provided");
2510 rv = CKR_ARGUMENTS_BAD;
2511 goto c_eu_out;
2512 }
2513
2514 DBG_INFO("Encrypt update with %lu bytes", ulPartLen);
2515
2516 rv = apply_encrypt_mechanism_update(&session->operation, pPart, ulPartLen);
2517 if (rv != CKR_OK) {
2518 DBG_ERR("Unable to perform encryption operation step");
2519 goto c_eu_out;
2520 }
2521
2522 UNUSED(pEncryptedPart);
2523 *pulEncryptedPartLen = 0;
2524
2525 DOUT;
2526
2527c_eu_out:
2528 if (session != NULL) {
2529 release_session(&g_ctx, session);
2530 if (rv != CKR_OK) {
2531 session->operation.type = OPERATION_NOOP;
2532 decrypt_mechanism_cleanup(&session->operation);
2533 }
2534 }
2535
2536 return rv;
2537}
2538
2539CK_DEFINE_FUNCTION(CK_RV, C_EncryptFinal)
2540(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastEncryptedPart,
2541 CK_ULONG_PTR pulLastEncryptedPartLen) {
2542
2543 DIN;
2544
2545 CK_RV rv = CKR_OK;
2546 bool terminate = true;
2547 yubihsm_pkcs11_session *session = NULL;
2548
2549 if (g_yh_initialized == false) {
2550 DBG_ERR("libyubihsm is not initialized or already finalized");
2551 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
2552 goto c_ef_out;
2553 }
2554
2555 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
2556 if (rv != CKR_OK) {
2557 DBG_ERR("Invalid session ID %lu", hSession);
2558 goto c_ef_out;
2559 }
2560
2561 if (session->operation.type != OPERATION_ENCRYPT) {
2562 DBG_ERR("Encrypt operation not initialized");
2563 rv = CKR_OPERATION_NOT_INITIALIZED;
2564 goto c_ef_out;
2565 }
2566
2567 CK_ULONG datalen = 0;
2571 DBG_ERR("Mechanism %lu not supported",
2572 session->operation.mechanism.mechanism);
2573 rv = CKR_MECHANISM_INVALID;
2574 goto c_ef_out;
2575 }
2576
2577 if (*pulLastEncryptedPartLen < datalen) {
2578 DBG_ERR("pulLastEncryptedPartLen too small, data will not fit, expected = "
2579 "%lu, got %lu",
2580 datalen, *pulLastEncryptedPartLen);
2581 rv = CKR_BUFFER_TOO_SMALL;
2582
2583 *pulLastEncryptedPartLen = datalen;
2584 terminate = false;
2585
2586 goto c_ef_out;
2587 }
2588
2589 if (pLastEncryptedPart == NULL) {
2590 // NOTE: should this rather return length and ok?
2591 DBG_ERR("No buffer provided");
2592 rv = CKR_ARGUMENTS_BAD;
2593 goto c_ef_out;
2594 }
2595
2596 rv =
2597 perform_encrypt(session->slot->device_session, &session->operation,
2598 pLastEncryptedPart, (uint16_t *) pulLastEncryptedPartLen);
2599
2600 if (rv != CKR_OK) {
2601 DBG_ERR("Unable to encrypt data");
2602 goto c_ef_out;
2603 }
2604
2605 DBG_INFO("Got %lu bytes back", *pulLastEncryptedPartLen);
2606
2607 DOUT;
2608
2609c_ef_out:
2610 if (session != NULL) {
2611 release_session(&g_ctx, session);
2612 if (terminate == true) {
2613 session->operation.type = OPERATION_NOOP;
2614 decrypt_mechanism_cleanup(&session->operation);
2615 }
2616 }
2617
2618 return rv;
2619}
2620
2621CK_DEFINE_FUNCTION(CK_RV, C_DecryptInit)
2622(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
2623 CK_OBJECT_HANDLE hKey) {
2624
2625 DIN;
2626
2627 CK_RV rv = CKR_OK;
2628 EVP_MD_CTX *mdctx = NULL;
2629
2630 if (g_yh_initialized == false) {
2631 DBG_ERR("libyubihsm is not initialized or already finalized");
2632 return CKR_CRYPTOKI_NOT_INITIALIZED;
2633 }
2634
2635 if (pMechanism == NULL) {
2636 DBG_ERR("Invalid Mechanism");
2637 return CKR_ARGUMENTS_BAD;
2638 }
2639
2640 yubihsm_pkcs11_session *session;
2641 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
2642 if (rv != CKR_OK) {
2643 DBG_ERR("Invalid session ID %lu", hSession);
2644 return rv;
2645 }
2646
2647 if (session->operation.type != OPERATION_NOOP) {
2648 DBG_ERR("Other operation in progress");
2649 rv = CKR_OPERATION_ACTIVE;
2650 goto c_di_out;
2651 }
2652
2653 DBG_INFO("Trying to decrypt data with mechanism 0x%04lx and key %08lx",
2654 pMechanism->mechanism, hKey);
2655
2656 int type = hKey >> 16;
2657 if (type == ECDH_KEY_TYPE) {
2658 DBG_ERR("Wrong key type");
2659 rv = CKR_KEY_TYPE_INCONSISTENT;
2660 goto c_di_out;
2661 }
2662
2663 yubihsm_pkcs11_object_desc *object =
2664 get_object_desc(session->slot->device_session, session->slot->objects,
2665 hKey);
2666
2667 if (object == NULL) {
2668 DBG_ERR("Unable to retrieve object");
2669 rv = CKR_FUNCTION_FAILED;
2670 goto c_di_out;
2671 }
2672
2673 if (check_decrypt_mechanism(session->slot, pMechanism) != true) {
2674 DBG_ERR("Decryption mechanism %lu not supported", pMechanism->mechanism);
2675 rv = CKR_MECHANISM_INVALID;
2676 goto c_di_out;
2677 }
2678 session->operation.mechanism.mechanism = pMechanism->mechanism;
2679
2680 if (object->object.type == YH_ASYMMETRIC_KEY &&
2681 yh_is_rsa(object->object.algorithm)) {
2682 DBG_INFO("RSA decryption requested");
2683
2684 size_t key_length;
2685 yh_rc yrc = yh_get_key_bitlength(object->object.algorithm, &key_length);
2686 if (yrc != YHR_SUCCESS) {
2687 DBG_ERR("Unable to get key length: %s", yh_strerror(yrc));
2688 rv = CKR_FUNCTION_FAILED;
2689 goto c_di_out;
2690 }
2691
2692 session->operation.op.decrypt.key_len = key_length;
2693
2694 if (pMechanism->mechanism == CKM_RSA_PKCS_OAEP) {
2695 if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_OAEP_PARAMS)) {
2696 DBG_ERR("Length of mechanism parameters does not match expected value: "
2697 "found %lu, expected %zu",
2698 pMechanism->ulParameterLen, sizeof(CK_RSA_PKCS_OAEP_PARAMS));
2699 rv = CKR_MECHANISM_PARAM_INVALID;
2700 goto c_di_out;
2701 }
2702
2703 CK_RSA_PKCS_OAEP_PARAMS *params = pMechanism->pParameter;
2704
2705 if (params->source == 0 && params->ulSourceDataLen != 0) {
2706 DBG_ERR("Source parameter empty but sourceDataLen != 0");
2707 rv = CKR_MECHANISM_PARAM_INVALID;
2708 goto c_di_out;
2709 } else if (params->source != 0 && params->source != CKZ_DATA_SPECIFIED) {
2710 DBG_ERR("Unknown value in parameter source");
2711 rv = CKR_MECHANISM_PARAM_INVALID;
2712 goto c_di_out;
2713 }
2714
2715 switch (params->mgf) {
2716 case CKG_MGF1_SHA1:
2717 session->operation.mechanism.oaep.mgf1Algo = YH_ALGO_MGF1_SHA1;
2718 break;
2719 case CKG_MGF1_SHA256:
2720 session->operation.mechanism.oaep.mgf1Algo = YH_ALGO_MGF1_SHA256;
2721 break;
2722 case CKG_MGF1_SHA384:
2723 session->operation.mechanism.oaep.mgf1Algo = YH_ALGO_MGF1_SHA384;
2724 break;
2725 case CKG_MGF1_SHA512:
2726 session->operation.mechanism.oaep.mgf1Algo = YH_ALGO_MGF1_SHA512;
2727 break;
2728 default:
2729 rv = CKR_MECHANISM_PARAM_INVALID;
2730 goto c_di_out;
2731 };
2732
2733 const EVP_MD *md = NULL;
2734
2735 switch (params->hashAlg) {
2736 case CKM_SHA_1:
2737 md = EVP_sha1();
2738 break;
2739 case CKM_SHA256:
2740 md = EVP_sha256();
2741 break;
2742 case CKM_SHA384:
2743 md = EVP_sha384();
2744 break;
2745 case CKM_SHA512:
2746 md = EVP_sha512();
2747 break;
2748 default:
2749 rv = CKR_MECHANISM_PARAM_INVALID;
2750 goto c_di_out;
2751 }
2752 mdctx = EVP_MD_CTX_create();
2753
2754 if (EVP_DigestInit_ex(mdctx, md, NULL) == 0) {
2755 rv = CKR_MECHANISM_PARAM_INVALID;
2756 goto c_di_out;
2757 }
2758
2759 if (EVP_DigestUpdate(mdctx, params->pSourceData,
2760 params->ulSourceDataLen) != 1) {
2761 rv = CKR_FUNCTION_FAILED;
2762 goto c_di_out;
2763 }
2764 if (EVP_DigestFinal_ex(mdctx, session->operation.mechanism.oaep.label,
2765 &session->operation.mechanism.oaep.label_len) !=
2766 1) {
2767 rv = CKR_FUNCTION_FAILED;
2768 goto c_di_out;
2769 }
2770 } else if (pMechanism->mechanism != CKM_RSA_PKCS) {
2771 DBG_ERR("Mechanism %lu not supported", pMechanism->mechanism);
2772 rv = CKR_MECHANISM_INVALID;
2773 goto c_di_out;
2774 }
2775 } else if (object->object.type == YH_WRAP_KEY &&
2776 pMechanism->mechanism == CKM_YUBICO_AES_CCM_WRAP) {
2777 // NOTE: is setup done for the data unwrap?
2778 rv = CKR_OK;
2779 } else {
2780 rv = CKR_KEY_TYPE_INCONSISTENT;
2781 goto c_di_out;
2782 }
2783
2784 session->operation.op.decrypt.key_id = hKey;
2785
2786 // TODO(adma): check mechanism parameters and key length and key supported
2787 // parameters
2788
2789 rv = apply_decrypt_mechanism_init(&session->operation);
2790 if (rv != CKR_OK) {
2791 DBG_ERR("Unable to initialize decryption operation");
2792 goto c_di_out;
2793 }
2794
2795 session->operation.type = OPERATION_DECRYPT;
2796
2797 DOUT;
2798
2799c_di_out:
2800
2801 if (mdctx != NULL) {
2802 EVP_MD_CTX_destroy(mdctx);
2803 }
2804
2805 release_session(&g_ctx, session);
2806
2807 return rv;
2808}
2809
2810CK_DEFINE_FUNCTION(CK_RV, C_Decrypt)
2811(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData,
2812 CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) {
2813
2814 DIN;
2815
2816 CK_RV rv = CKR_OK;
2817 bool terminate = true;
2818
2819 yubihsm_pkcs11_session *session = NULL;
2820
2821 if (g_yh_initialized == false) {
2822 DBG_ERR("libyubihsm is not initialized or already finalized");
2823 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
2824 goto c_d_out;
2825 }
2826
2827 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
2828 if (rv != CKR_OK) {
2829 DBG_ERR("Invalid session ID %lu", hSession);
2830 goto c_d_out;
2831 }
2832
2833 if (session->operation.type != OPERATION_DECRYPT) {
2834 DBG_ERR("Decryption operation not initialized");
2835 rv = CKR_OPERATION_NOT_INITIALIZED;
2836 goto c_d_out;
2837 }
2838
2839 // NOTE: datalen is just an approximation here since the data is encrypted
2840 CK_ULONG datalen;
2841 if (session->operation.mechanism.mechanism == CKM_RSA_PKCS) {
2842 datalen = (session->operation.op.decrypt.key_len + 7) / 8 - 11;
2843 } else if (session->operation.mechanism.mechanism == CKM_RSA_PKCS_OAEP) {
2844 datalen = (session->operation.op.decrypt.key_len + 7) / 8 -
2845 session->operation.mechanism.oaep.label_len * 2 - 2;
2846 } else if (session->operation.mechanism.mechanism ==
2847 CKM_YUBICO_AES_CCM_WRAP) {
2848 if (ulEncryptedDataLen <= YH_CCM_WRAP_OVERHEAD) {
2849 DBG_ERR("Encrypted data is to short to possibly come from aes-ccm-wrap");
2850 rv = CKR_ENCRYPTED_DATA_INVALID;
2851 goto c_d_out;
2852 }
2853 datalen = ulEncryptedDataLen - YH_CCM_WRAP_OVERHEAD;
2854 } else {
2855 DBG_ERR("Mechanism %lu not supported",
2856 session->operation.mechanism.mechanism);
2857 rv = CKR_MECHANISM_INVALID;
2858 goto c_d_out;
2859 }
2860
2861 DBG_INFO("The size of the data will be %lu", datalen);
2862
2863 if (pData == NULL) {
2864 // NOTE(adma): Just return the size of the data
2865 *pulDataLen = datalen;
2866
2867 rv = CKR_OK;
2868 terminate = false;
2869
2870 DOUT;
2871 goto c_d_out;
2872 }
2873
2874 // NOTE: if pData is set we'll go on with decryption no matter what pulDataLen
2875 // is, the user might know more than us about the real data length
2876
2877 // if the operation is already finalized, skip to perform
2878 if (session->operation.op.decrypt.finalized == false) {
2879 DBG_INFO("Sending %lu bytes to decrypt", ulEncryptedDataLen);
2880
2881 rv = apply_decrypt_mechanism_update(&session->operation, pEncryptedData,
2882 ulEncryptedDataLen);
2883 if (rv != CKR_OK) {
2884 DBG_ERR("Unable to perform decrypt operation step");
2885 goto c_d_out;
2886 }
2887
2888 rv = apply_decrypt_mechanism_finalize(&session->operation);
2889 if (rv != CKR_OK) {
2890 DBG_ERR("Unable to finalize decrypt operation");
2891 goto c_d_out;
2892 }
2893 }
2894
2895 DBG_INFO("Using key %04x", session->operation.op.decrypt.key_id);
2896
2897 rv = perform_decrypt(session->slot->device_session, &session->operation,
2898 pData, (uint16_t *) pulDataLen);
2899 if (rv != CKR_OK) {
2900 DBG_ERR("Unable to decrypt data");
2901 if (rv == CKR_BUFFER_TOO_SMALL) {
2902 terminate = false;
2903 }
2904 goto c_d_out;
2905 }
2906
2907 DBG_INFO("Got %lu bytes back", *pulDataLen);
2908
2909 rv = CKR_OK;
2910
2911 DOUT;
2912
2913c_d_out:
2914 if (session != NULL) {
2915 release_session(&g_ctx, session);
2916 if (terminate == true) {
2917 session->operation.type = OPERATION_NOOP;
2918 decrypt_mechanism_cleanup(&session->operation);
2919 }
2920 }
2921
2922 return rv;
2923}
2924
2925CK_DEFINE_FUNCTION(CK_RV, C_DecryptUpdate)
2926(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
2927 CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) {
2928
2929 DIN;
2930
2931 CK_RV rv = CKR_OK;
2932
2933 // TODO(adma): somebody should check that this is a proper mult-part
2934 // mechanism/operation
2935
2936 yubihsm_pkcs11_session *session = NULL;
2937
2938 if (g_yh_initialized == false) {
2939 DBG_ERR("libyubihsm is not initialized or already finalized");
2940 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
2941 goto c_du_out;
2942 }
2943
2944 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
2945 if (rv != CKR_OK) {
2946 DBG_ERR("Invalid session ID %lu", hSession);
2947 goto c_du_out;
2948 }
2949
2950 if (session->operation.type != OPERATION_DECRYPT) {
2951 DBG_ERR("Decrypt operation not initialized");
2952 rv = CKR_OPERATION_NOT_INITIALIZED;
2953 goto c_du_out;
2954 }
2955
2956 if (pEncryptedPart == NULL) {
2957 DBG_ERR("No data provided");
2958 rv = CKR_ARGUMENTS_BAD;
2959 goto c_du_out;
2960 }
2961
2962 DBG_INFO("Decrypt update with %lu bytes", ulEncryptedPartLen);
2963
2964 rv = apply_decrypt_mechanism_update(&session->operation, pEncryptedPart,
2965 ulEncryptedPartLen);
2966 if (rv != CKR_OK) {
2967 DBG_ERR("Unable to perform decryption operation step");
2968 goto c_du_out;
2969 }
2970
2971 // NOTE(adma): we don't really do anything here, just store this current chunk
2972 // of data
2973 UNUSED(pPart);
2974 *pulPartLen = 0;
2975
2976 DOUT;
2977
2978c_du_out:
2979 if (session != NULL) {
2980 release_session(&g_ctx, session);
2981 if (rv != CKR_OK) {
2982 session->operation.type = OPERATION_NOOP;
2983 decrypt_mechanism_cleanup(&session->operation);
2984 }
2985 }
2986
2987 return rv;
2988}
2989
2990CK_DEFINE_FUNCTION(CK_RV, C_DecryptFinal)
2991(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart,
2992 CK_ULONG_PTR pulLastPartLen) {
2993
2994 DIN;
2995
2996 CK_RV rv = CKR_OK;
2997 bool terminate = true;
2998
2999 yubihsm_pkcs11_session *session = NULL;
3000
3001 if (g_yh_initialized == false) {
3002 DBG_ERR("libyubihsm is not initialized or already finalized");
3003 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
3004 goto c_df_out;
3005 }
3006
3007 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
3008 if (rv != CKR_OK) {
3009 DBG_ERR("Invalid session ID %lu", hSession);
3010 goto c_df_out;
3011 }
3012
3013 if (session->operation.type != OPERATION_DECRYPT) {
3014 DBG_ERR("Decrypt operation not initialized");
3015 rv = CKR_OPERATION_NOT_INITIALIZED;
3016 goto c_df_out;
3017 }
3018
3019 CK_ULONG datalen;
3020 if (session->operation.mechanism.mechanism == CKM_RSA_PKCS) {
3021 datalen = (session->operation.op.decrypt.key_len + 7) / 8 - 11;
3022 } else if (session->operation.mechanism.mechanism == CKM_RSA_PKCS_OAEP) {
3023 datalen = (session->operation.op.decrypt.key_len + 7) / 8 -
3024 session->operation.mechanism.oaep.label_len * 2 - 2;
3025 } else if (session->operation.mechanism.mechanism ==
3026 CKM_YUBICO_AES_CCM_WRAP) {
3027 if (session->operation.buffer_length <= YH_CCM_WRAP_OVERHEAD) {
3028 DBG_ERR("Encrypted data is to short to possibly come from aes-ccm-wrap");
3029 rv = CKR_ENCRYPTED_DATA_INVALID;
3030 goto c_df_out;
3031 }
3032 datalen = session->operation.buffer_length - YH_CCM_WRAP_OVERHEAD;
3033 } else {
3034 DBG_ERR("Mechanism %lu not supported",
3035 session->operation.mechanism.mechanism);
3036 rv = CKR_MECHANISM_INVALID;
3037 goto c_df_out;
3038 }
3039
3040 if (pLastPart == NULL) {
3041 DBG_ERR("No buffer provided, length check only");
3042 *pulLastPartLen = datalen;
3043 rv = CKR_OK;
3044 terminate = false;
3045 goto c_df_out;
3046 }
3047
3048 // if it's already finalized, skip to perform
3049 if (session->operation.op.decrypt.finalized == false) {
3050 rv = apply_decrypt_mechanism_finalize(&session->operation);
3051 if (rv != CKR_OK) {
3052 DBG_ERR("Unable to finalize decryption operation");
3053 goto c_df_out;
3054 }
3055 }
3056
3057 rv = perform_decrypt(session->slot->device_session, &session->operation,
3058 pLastPart, (uint16_t *) pulLastPartLen);
3059 if (rv != CKR_OK) {
3060 DBG_ERR("Unable to decrypt data");
3061 if (rv == CKR_BUFFER_TOO_SMALL) {
3062 terminate = false;
3063 }
3064 goto c_df_out;
3065 }
3066
3067 DBG_INFO("Got %lu bytes back", *pulLastPartLen);
3068
3069 DOUT;
3070
3071c_df_out:
3072 if (session != NULL) {
3073 release_session(&g_ctx, session);
3074 if (terminate == true) {
3075 session->operation.type = OPERATION_NOOP;
3076 decrypt_mechanism_cleanup(&session->operation);
3077 }
3078 }
3079
3080 return rv;
3081}
3082
3083CK_DEFINE_FUNCTION(CK_RV, C_DigestInit)
3084(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) {
3085
3086 DIN;
3087
3088 CK_RV rv = CKR_OK;
3089
3090 if (g_yh_initialized == false) {
3091 DBG_ERR("libyubihsm is not initialized or already finalized");
3092 return CKR_CRYPTOKI_NOT_INITIALIZED;
3093 }
3094
3095 if (pMechanism == NULL) {
3096 DBG_ERR("Invalid Mechanism");
3097 return CKR_ARGUMENTS_BAD;
3098 }
3099
3100 yubihsm_pkcs11_session *session;
3101 rv = get_session(&g_ctx, hSession, &session, 0);
3102 if (rv != CKR_OK) {
3103 DBG_ERR("Invalid session ID %lu", hSession);
3104 return rv;
3105 }
3106
3107 if (session->operation.type != OPERATION_NOOP) {
3108 DBG_ERR("Other operation in progress");
3109 rv = CKR_OPERATION_ACTIVE;
3110 goto c_di_out;
3111 }
3112
3113 DBG_INFO("Trying to digest data with mechanism 0x%04lx",
3114 pMechanism->mechanism);
3115
3116 if (check_digest_mechanism(pMechanism) != true) {
3117 DBG_ERR("Digest mechanism %lu not supported", pMechanism->mechanism);
3118 rv = CKR_MECHANISM_INVALID;
3119 goto c_di_out;
3120 }
3121 session->operation.mechanism.mechanism = pMechanism->mechanism;
3122
3123 CK_ULONG digest_length;
3124 digest_length = get_digest_bytelength(pMechanism->mechanism);
3125
3126 session->operation.op.digest.digest_len = digest_length;
3127
3128 rv = apply_digest_mechanism_init(&session->operation);
3129 if (rv != CKR_OK) {
3130 DBG_ERR("Unable to initialize digest operation");
3131 goto c_di_out;
3132 }
3133
3134 session->operation.type = OPERATION_DIGEST;
3135
3136 DOUT;
3137
3138c_di_out:
3139
3140 release_session(&g_ctx, session);
3141
3142 return rv;
3143}
3144
3145CK_DEFINE_FUNCTION(CK_RV, C_Digest)
3146(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
3147 CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen) {
3148
3149 DIN;
3150
3151 CK_RV rv = CKR_OK;
3152 bool terminate = true;
3153
3154 yubihsm_pkcs11_session *session = NULL;
3155
3156 if (g_yh_initialized == false) {
3157 DBG_ERR("libyubihsm is not initialized or already finalized");
3158 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
3159 goto c_d_out;
3160 }
3161
3162 rv = get_session(&g_ctx, hSession, &session, 0);
3163 if (rv != CKR_OK) {
3164 DBG_ERR("Invalid session ID %lu", hSession);
3165 goto c_d_out;
3166 }
3167
3168 if (session->operation.type != OPERATION_DIGEST) {
3169 DBG_ERR("Digest operation not initialized");
3170 rv = CKR_OPERATION_NOT_INITIALIZED;
3171 goto c_d_out;
3172 }
3173
3174 if (session->operation.op.digest.is_multipart == true) {
3175 DBG_ERR("Another digest operation is already active");
3176 rv = CKR_OPERATION_ACTIVE;
3177 goto c_d_out;
3178 }
3179
3180 if (pulDigestLen == NULL) {
3181 DBG_ERR("Wrong/missing parameter");
3182 rv = CKR_ARGUMENTS_BAD;
3183 goto c_d_out;
3184 }
3185
3186 if (pDigest == NULL) {
3187 // NOTE(adma): Just return the size of the digest
3188 DBG_INFO("The size of the digest will be %lu",
3189 session->operation.op.digest.digest_len);
3190
3191 *pulDigestLen = session->operation.op.digest.digest_len;
3192
3193 rv = CKR_OK;
3194 terminate = false;
3195
3196 DOUT;
3197 goto c_d_out;
3198 }
3199
3200 if (*pulDigestLen < session->operation.op.digest.digest_len) {
3201 DBG_ERR("pulDigestLen too small, data will not fit, expected = %lu, got "
3202 "%lu",
3203 session->operation.op.digest.digest_len, *pulDigestLen);
3204
3205 *pulDigestLen = session->operation.op.digest.digest_len;
3206
3207 rv = CKR_BUFFER_TOO_SMALL;
3208 terminate = false;
3209 goto c_d_out;
3210 }
3211
3212 DBG_INFO("Sending %lu bytes to digest", ulDataLen);
3213
3214 rv = apply_digest_mechanism_update(&session->operation, pData, ulDataLen);
3215 if (rv != CKR_OK) {
3216 DBG_ERR("Unable to perform digest operation step");
3217 goto c_d_out;
3218 }
3219
3220 rv = apply_digest_mechanism_finalize(&session->operation);
3221 if (rv != CKR_OK) {
3222 DBG_ERR("Unable to finalize digest operation");
3223 goto c_d_out;
3224 }
3225
3226 rv = perform_digest(&session->operation, pDigest,
3227 (uint16_t *) pulDigestLen); // TODO(adma): too zealous?
3228 // just us a memcpy?
3229 if (rv != CKR_OK) {
3230 DBG_ERR("Unable to digest data");
3231 goto c_d_out;
3232 }
3233
3234 DBG_INFO("Got %lu bytes back", *pulDigestLen);
3235
3236 DOUT;
3237
3238c_d_out:
3239 if (session != NULL) {
3240 release_session(&g_ctx, session);
3241 if (terminate == true) {
3242 session->operation.type = OPERATION_NOOP;
3243 digest_mechanism_cleanup(&session->operation);
3244 }
3245 }
3246
3247 return rv;
3248}
3249
3250CK_DEFINE_FUNCTION(CK_RV, C_DigestUpdate)
3251(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) {
3252
3253 DIN;
3254
3255 CK_RV rv = CKR_OK;
3256
3257 // TODO(adma): somebody should check that this is a proper mult-part
3258 // mechanism/operation
3259
3260 yubihsm_pkcs11_session *session = NULL;
3261
3262 if (g_yh_initialized == false) {
3263 DBG_ERR("libyubihsm is not initialized or already finalized");
3264 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
3265 goto c_du_out;
3266 }
3267
3268 rv = get_session(&g_ctx, hSession, &session, 0);
3269 if (rv != CKR_OK) {
3270 DBG_ERR("Invalid session ID %lu", hSession);
3271 goto c_du_out;
3272 }
3273
3274 if (session->operation.type != OPERATION_DIGEST) {
3275 DBG_ERR("Digest operation not initialized");
3276 rv = CKR_OPERATION_NOT_INITIALIZED;
3277 goto c_du_out;
3278 }
3279
3280 if (pPart == NULL) {
3281 DBG_ERR("No data provided");
3282 rv = CKR_ARGUMENTS_BAD;
3283 goto c_du_out;
3284 }
3285
3286 DBG_INFO("Digest update with %lu bytes", ulPartLen);
3287
3288 rv = apply_digest_mechanism_update(&session->operation, pPart, ulPartLen);
3289 if (rv != CKR_OK) {
3290 DBG_ERR("Unable to perform digest operation step");
3291 goto c_du_out;
3292 }
3293
3294 session->operation.op.digest.is_multipart = true;
3295
3296 DOUT;
3297
3298c_du_out:
3299 if (session != NULL) {
3300 release_session(&g_ctx, session);
3301 if (rv != CKR_OK) {
3302 session->operation.type = OPERATION_NOOP;
3303 digest_mechanism_cleanup(&session->operation);
3304 }
3305 }
3306
3307 return rv;
3308}
3309
3310CK_DEFINE_FUNCTION(CK_RV, C_DigestKey)
3311(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) {
3312
3313 DIN;
3314
3315 UNUSED(hSession);
3316 UNUSED(hKey);
3317
3318 DOUT;
3319 return CKR_FUNCTION_NOT_SUPPORTED;
3320}
3321
3322CK_DEFINE_FUNCTION(CK_RV, C_DigestFinal)
3323(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen) {
3324
3325 DIN;
3326
3327 CK_RV rv = CKR_OK;
3328 bool terminate = true;
3329
3330 yubihsm_pkcs11_session *session = NULL;
3331
3332 if (g_yh_initialized == false) {
3333 DBG_ERR("libyubihsm is not initialized or already finalized");
3334 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
3335 goto c_df_out;
3336 }
3337
3338 rv = get_session(&g_ctx, hSession, &session, 0);
3339 if (rv != CKR_OK) {
3340 DBG_ERR("Invalid session ID %lu", hSession);
3341 goto c_df_out;
3342 }
3343
3344 if (pulDigestLen == NULL) {
3345 DBG_ERR("Wrong/missing parameter");
3346 rv = CKR_ARGUMENTS_BAD;
3347 goto c_df_out;
3348 }
3349
3350 if (session->operation.type != OPERATION_DIGEST) {
3351 DBG_ERR("Digest operation not initialized");
3352 rv = CKR_OPERATION_NOT_INITIALIZED;
3353 goto c_df_out;
3354 }
3355
3356 if (session->operation.op.digest.is_multipart == false) {
3357 DBG_ERR("Another digest operation is already active");
3358 rv = CKR_OPERATION_ACTIVE;
3359 goto c_df_out;
3360 }
3361
3362 if (pDigest == NULL) {
3363 // NOTE(adma): Just return the size of the digest
3364 DBG_INFO("The size of the digest will be %lu",
3365 session->operation.op.digest.digest_len);
3366
3367 *pulDigestLen = session->operation.op.digest.digest_len;
3368
3369 rv = CKR_OK;
3370 terminate = false;
3371
3372 DOUT;
3373 goto c_df_out;
3374 }
3375
3376 if (*pulDigestLen < session->operation.op.digest.digest_len) {
3377 DBG_ERR("pulDigestLen too small, data will not fit, expected = %lu, got "
3378 "%lu",
3379 session->operation.op.digest.digest_len, *pulDigestLen);
3380
3381 *pulDigestLen = session->operation.op.digest.digest_len;
3382
3383 terminate = false;
3384 rv = CKR_BUFFER_TOO_SMALL;
3385 goto c_df_out;
3386 }
3387
3388 rv = apply_digest_mechanism_finalize(&session->operation);
3389 if (rv != CKR_OK) {
3390 DBG_ERR("Unable to finalize digest operation");
3391 goto c_df_out;
3392 }
3393
3394 rv = perform_digest(&session->operation, pDigest, (uint16_t *) pulDigestLen);
3395 if (rv != CKR_OK) {
3396 DBG_ERR("Unable to digest data");
3397 goto c_df_out;
3398 }
3399
3400 DBG_INFO("Got %lu bytes back", *pulDigestLen);
3401
3402 DOUT;
3403
3404c_df_out:
3405 if (session != NULL) {
3406 release_session(&g_ctx, session);
3407 if (terminate == true) {
3408 session->operation.type = OPERATION_NOOP;
3409 digest_mechanism_cleanup(&session->operation);
3410 }
3411 }
3412
3413 return rv;
3414}
3415
3416CK_DEFINE_FUNCTION(CK_RV, C_SignInit)
3417(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
3418 CK_OBJECT_HANDLE hKey) {
3419
3420 DIN;
3421
3422 CK_RV rv = CKR_OK;
3423
3424 if (g_yh_initialized == false) {
3425 DBG_ERR("libyubihsm is not initialized or already finalized");
3426 return CKR_CRYPTOKI_NOT_INITIALIZED;
3427 }
3428
3429 if (pMechanism == NULL) {
3430 DBG_ERR("Invalid Mechanism");
3431 return CKR_ARGUMENTS_BAD;
3432 }
3433
3434 yubihsm_pkcs11_session *session;
3435 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
3436 if (rv != CKR_OK) {
3437 DBG_ERR("Invalid session ID %lu", hSession);
3438 return rv;
3439 }
3440
3441 if (session->operation.type != OPERATION_NOOP) {
3442 DBG_ERR("Other operation in progress");
3443 rv = CKR_OPERATION_ACTIVE;
3444 goto c_si_out;
3445 }
3446
3447 DBG_INFO("Trying to sign data with mechanism 0x%04lx and key %08lx",
3448 pMechanism->mechanism, hKey);
3449
3450 int type = hKey >> 16;
3451 if (type == ECDH_KEY_TYPE) {
3452 DBG_ERR("Signing using an ECDH session key is not supported");
3453 rv = CKR_FUNCTION_NOT_SUPPORTED;
3454 goto c_si_out;
3455 }
3456
3457 yubihsm_pkcs11_object_desc *object =
3458 get_object_desc(session->slot->device_session, session->slot->objects,
3459 hKey);
3460
3461 if (object == NULL) {
3462 DBG_ERR("Unable to retrieve object");
3463 rv = CKR_FUNCTION_FAILED;
3464 goto c_si_out;
3465 }
3466
3467 size_t key_length;
3468 yh_rc yrc = yh_get_key_bitlength(object->object.algorithm, &key_length);
3469 if (yrc != YHR_SUCCESS) {
3470 DBG_ERR("Unable to get key length: %s", yh_strerror(yrc));
3471 rv = CKR_FUNCTION_FAILED;
3472 goto c_si_out;
3473 }
3474
3475 session->operation.op.sign.key_len = key_length;
3476
3477 if (check_sign_mechanism(session->slot, pMechanism) != true) {
3478 DBG_ERR("Signing mechanism %lu not supported", pMechanism->mechanism);
3479 rv = CKR_MECHANISM_INVALID;
3480 goto c_si_out;
3481 }
3482 session->operation.mechanism.mechanism =
3483 pMechanism->mechanism; // TODO(adma): also need to check/copy the
3484 // mechanism's parameter, if any
3485
3486 if (object->object.type == YH_ASYMMETRIC_KEY) {
3487 if (yh_is_rsa(object->object.algorithm)) {
3488 if (is_RSA_sign_mechanism(session->operation.mechanism.mechanism) ==
3489 true) {
3490 DBG_INFO("RSA signature requested");
3491 session->operation.op.sign.sig_len =
3492 (session->operation.op.sign.key_len + 7) / 8;
3493 if (is_PSS_sign_mechanism(session->operation.mechanism.mechanism)) {
3494 if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) {
3495 DBG_ERR("Length of mechanism parameters does not match expected "
3496 "value, "
3497 "%lu != %zu",
3498 pMechanism->ulParameterLen, sizeof(CK_RSA_PKCS_PSS_PARAMS));
3499 rv = CKR_MECHANISM_PARAM_INVALID;
3500 goto c_si_out;
3501 }
3502
3503 CK_RSA_PKCS_PSS_PARAMS *params = pMechanism->pParameter;
3504 // TODO: validate that params->hashAlg matches mechanism
3505
3506 if (params->sLen > 0xffff) {
3507 DBG_ERR("Salt is too big for device");
3508 rv = CKR_MECHANISM_PARAM_INVALID;
3509 goto c_si_out;
3510 }
3511 session->operation.mechanism.pss.salt_len = params->sLen;
3512
3513 switch (params->mgf) {
3514 case CKG_MGF1_SHA1:
3515 session->operation.mechanism.pss.mgf1Algo = YH_ALGO_MGF1_SHA1;
3516 break;
3517 case CKG_MGF1_SHA256:
3518 session->operation.mechanism.pss.mgf1Algo = YH_ALGO_MGF1_SHA256;
3519 break;
3520 case CKG_MGF1_SHA384:
3521 session->operation.mechanism.pss.mgf1Algo = YH_ALGO_MGF1_SHA384;
3522 break;
3523 case CKG_MGF1_SHA512:
3524 session->operation.mechanism.pss.mgf1Algo = YH_ALGO_MGF1_SHA512;
3525 break;
3526 default:
3527 rv = CKR_MECHANISM_PARAM_INVALID;
3528 goto c_si_out;
3529 };
3530 }
3531 } else {
3532 DBG_ERR("Mechanism %lu not supported",
3533 session->operation.mechanism.mechanism);
3534 rv = CKR_MECHANISM_INVALID;
3535 goto c_si_out;
3536 }
3537 } else {
3538 if (is_ECDSA_sign_mechanism(session->operation.mechanism.mechanism) ==
3539 true) {
3540 DBG_INFO("ECDSA signature requested");
3541 session->operation.op.sign.sig_len =
3542 ((session->operation.op.sign.key_len + 7) / 8) * 2;
3543 } else {
3544 DBG_ERR("Mechanism %lu not supported",
3545 session->operation.mechanism.mechanism);
3546 rv = CKR_MECHANISM_INVALID;
3547 goto c_si_out;
3548 }
3549 }
3550 } else if (object->object.type == YH_HMAC_KEY) {
3551 if (is_HMAC_sign_mechanism(session->operation.mechanism.mechanism) ==
3552 true) {
3553 DBG_INFO("HMAC signature requested (len %lu)",
3554 (unsigned long) (key_length / 8));
3555 session->operation.op.sign.sig_len =
3556 (session->operation.op.sign.key_len + 7) / 8;
3557 } else {
3558 DBG_ERR("Mechanism %lu not supported",
3559 session->operation.mechanism.mechanism);
3560 rv = CKR_MECHANISM_INVALID;
3561 goto c_si_out;
3562 }
3563 } else {
3564 rv = CKR_KEY_TYPE_INCONSISTENT;
3565 goto c_si_out;
3566 }
3567
3568 session->operation.op.sign.key_id =
3569 hKey; // TODO(adma): should we store something else rather than the key ID?
3570
3571 // TODO(adma): check mechanism parameters and key length and key supported
3572 // parameters
3573
3574 rv = apply_sign_mechanism_init(&session->operation);
3575 if (rv != CKR_OK) {
3576 DBG_ERR("Unable to initialize signing operation");
3577 goto c_si_out;
3578 }
3579
3580 session->operation.type = OPERATION_SIGN;
3581
3582 DOUT;
3583
3584c_si_out:
3585
3586 release_session(&g_ctx, session);
3587
3588 return rv;
3589}
3590
3591CK_DEFINE_FUNCTION(CK_RV, C_Sign)
3592(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
3593 CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) {
3594
3595 DIN;
3596
3597 CK_RV rv = CKR_OK;
3598 bool terminate = true;
3599
3600 yubihsm_pkcs11_session *session = NULL;
3601
3602 if (g_yh_initialized == false) {
3603 DBG_ERR("libyubihsm is not initialized or already finalized");
3604 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
3605 goto c_s_out;
3606 }
3607
3608 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
3609 if (rv != CKR_OK) {
3610 DBG_ERR("Invalid session ID %lu", hSession);
3611 goto c_s_out;
3612 }
3613
3614 if (session->operation.type != OPERATION_SIGN) {
3615 DBG_ERR("Signature operation not initialized");
3616 rv = CKR_OPERATION_NOT_INITIALIZED;
3617 goto c_s_out;
3618 }
3619
3620 DBG_INFO("The size of the signature will be %u",
3621 session->operation.op.sign.sig_len);
3622
3623 if (pSignature == NULL) {
3624 // NOTE(adma): Just return the size of the signature
3625 *pulSignatureLen = session->operation.op.sign.sig_len;
3626
3627 rv = CKR_OK;
3628 terminate = false;
3629 DOUT;
3630 goto c_s_out;
3631 }
3632
3633 if (*pulSignatureLen < session->operation.op.sign.sig_len) {
3634 DBG_ERR("pulSignatureLen too small, signature will not fit, expected %u, "
3635 "got %lu",
3636 session->operation.op.sign.sig_len, *pulSignatureLen);
3637 *pulSignatureLen = session->operation.op.sign.sig_len;
3638 rv = CKR_BUFFER_TOO_SMALL;
3639 terminate = false;
3640 goto c_s_out;
3641 }
3642
3643 DBG_INFO("Sending %lu bytes to sign", ulDataLen);
3644
3645 rv = apply_sign_mechanism_update(&session->operation, pData, ulDataLen);
3646 if (rv != CKR_OK) {
3647 DBG_ERR("Unable to perform signing operation step");
3648 goto c_s_out;
3649 }
3650
3651 rv = apply_sign_mechanism_finalize(&session->operation);
3652 if (rv != CKR_OK) {
3653 DBG_ERR("Unable to finalize signing operation");
3654 goto c_s_out;
3655 }
3656
3657 DBG_INFO("Using key %04x", session->operation.op.sign.key_id);
3658 DBG_INFO("After padding and transformation there are %u bytes",
3659 session->operation.buffer_length);
3660
3661 rv = perform_signature(session->slot->device_session, &session->operation,
3662 pSignature, (uint16_t *) pulSignatureLen);
3663 if (rv != CKR_OK) {
3664 DBG_ERR("Unable to sign data");
3665 goto c_s_out;
3666 }
3667
3668 DBG_INFO("Got %lu bytes back", *pulSignatureLen);
3669
3670 DOUT;
3671
3672c_s_out:
3673 if (session != NULL) {
3674 release_session(&g_ctx, session);
3675 if (terminate == true) {
3676 session->operation.type = OPERATION_NOOP;
3677 sign_mechanism_cleanup(&session->operation);
3678 }
3679 }
3680
3681 return rv;
3682}
3683
3684CK_DEFINE_FUNCTION(CK_RV, C_SignUpdate)
3685(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) {
3686
3687 DIN;
3688
3689 CK_RV rv = CKR_OK;
3690
3691 // TODO(adma): somebody should check that this is a proper mult-part
3692 // mechanism/operation
3693
3694 yubihsm_pkcs11_session *session = NULL;
3695
3696 if (g_yh_initialized == false) {
3697 DBG_ERR("libyubihsm is not initialized or already finalized");
3698 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
3699 goto c_su_out;
3700 }
3701
3702 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
3703 if (rv != CKR_OK) {
3704 DBG_ERR("Invalid session ID %lu", hSession);
3705 goto c_su_out;
3706 }
3707
3708 if (session->operation.type != OPERATION_SIGN) {
3709 DBG_ERR("Signature operation not initialized");
3710 rv = CKR_OPERATION_NOT_INITIALIZED;
3711 goto c_su_out;
3712 }
3713
3714 if (pPart == NULL) {
3715 DBG_ERR("No data provided");
3716 rv = CKR_ARGUMENTS_BAD;
3717 goto c_su_out;
3718 }
3719
3720 DBG_INFO("Signature update with %lu bytes", ulPartLen);
3721
3722 rv = apply_sign_mechanism_update(&session->operation, pPart, ulPartLen);
3723 if (rv != CKR_OK) {
3724 DBG_ERR("Unable to perform signing operation step");
3725 goto c_su_out;
3726 }
3727
3728 DOUT;
3729
3730c_su_out:
3731 if (session != NULL) {
3732 release_session(&g_ctx, session);
3733 if (rv != CKR_OK) {
3734 session->operation.type = OPERATION_NOOP;
3735 sign_mechanism_cleanup(&session->operation);
3736 }
3737 }
3738
3739 return rv;
3740}
3741
3742CK_DEFINE_FUNCTION(CK_RV, C_SignFinal)
3743(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
3744 CK_ULONG_PTR pulSignatureLen) {
3745
3746 DIN;
3747
3748 CK_RV rv = CKR_OK;
3749 bool terminate = false;
3750
3751 yubihsm_pkcs11_session *session = NULL;
3752
3753 if (g_yh_initialized == false) {
3754 DBG_ERR("libyubihsm is not initialized or already finalized");
3755 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
3756 goto c_sf_out;
3757 }
3758
3759 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
3760 if (rv != CKR_OK) {
3761 DBG_ERR("Invalid session ID %lu", hSession);
3762 goto c_sf_out;
3763 }
3764
3765 if (session->operation.type != OPERATION_SIGN) {
3766 DBG_ERR("Signature operation not initialized");
3767 rv = CKR_OPERATION_NOT_INITIALIZED;
3768 goto c_sf_out;
3769 }
3770
3771 if (pSignature == NULL) {
3772 DBG_ERR("No buffer provided, length check only");
3773 *pulSignatureLen = session->operation.op.sign.sig_len;
3774 rv = CKR_OK;
3775 DOUT;
3776 goto c_sf_out;
3777 }
3778
3779 terminate = true;
3780
3781 rv = apply_sign_mechanism_finalize(&session->operation);
3782 if (rv != CKR_OK) {
3783 DBG_ERR("Unable to finalize signing operation");
3784 goto c_sf_out;
3785 }
3786
3787 rv = perform_signature(session->slot->device_session, &session->operation,
3788 pSignature, (uint16_t *) pulSignatureLen);
3789 if (rv != CKR_OK) {
3790 DBG_ERR("Unable to sign data");
3791 goto c_sf_out;
3792 }
3793
3794 DBG_INFO("Got %lu bytes back", *pulSignatureLen);
3795
3796 DOUT;
3797
3798c_sf_out:
3799 if (session != NULL) {
3800 release_session(&g_ctx, session);
3801 if (terminate == true) {
3802 session->operation.type = OPERATION_NOOP;
3803 sign_mechanism_cleanup(&session->operation);
3804 }
3805 }
3806
3807 return rv;
3808}
3809
3810CK_DEFINE_FUNCTION(CK_RV, C_SignRecoverInit)
3811(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
3812 CK_OBJECT_HANDLE hKey) {
3813
3814 DIN;
3815
3816 UNUSED(hSession);
3817 UNUSED(pMechanism);
3818 UNUSED(hKey);
3819
3820 DOUT;
3821 return CKR_FUNCTION_NOT_SUPPORTED;
3822}
3823
3824CK_DEFINE_FUNCTION(CK_RV, C_SignRecover)
3825(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
3826 CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) {
3827
3828 DIN;
3829
3830 UNUSED(hSession);
3831 UNUSED(pData);
3832 UNUSED(ulDataLen);
3833 UNUSED(pSignature);
3834 UNUSED(pulSignatureLen);
3835
3836 DOUT;
3837 return CKR_FUNCTION_NOT_SUPPORTED;
3838}
3839
3840CK_DEFINE_FUNCTION(CK_RV, C_VerifyInit)
3841(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
3842 CK_OBJECT_HANDLE hKey) {
3843
3844 DIN;
3845
3846 CK_RV rv = CKR_OK;
3847
3848 if (g_yh_initialized == false) {
3849 DBG_ERR("libyubihsm is not initialized or already finalized");
3850 return CKR_CRYPTOKI_NOT_INITIALIZED;
3851 }
3852
3853 if (pMechanism == NULL) {
3854 DBG_ERR("Invalid Mechanism");
3855 return CKR_ARGUMENTS_BAD;
3856 }
3857
3858 yubihsm_pkcs11_session *session;
3859 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
3860 if (rv != CKR_OK) {
3861 DBG_ERR("Invalid session ID %lu", hSession);
3862 return rv;
3863 }
3864
3865 if (session->operation.type != OPERATION_NOOP) {
3866 DBG_ERR("Other operation in progress");
3867 rv = CKR_OPERATION_ACTIVE;
3868 goto c_vi_out;
3869 }
3870
3871 DBG_INFO("Trying to verify data with mechanism 0x%04lx and key %lx",
3872 pMechanism->mechanism, hKey);
3873
3874 int type = hKey >> 16;
3875 if (type == ECDH_KEY_TYPE) {
3876 DBG_ERR("Wrong key type");
3877 rv = CKR_KEY_TYPE_INCONSISTENT;
3878 goto c_vi_out;
3879 }
3880
3881 yubihsm_pkcs11_object_desc *object =
3882 get_object_desc(session->slot->device_session, session->slot->objects,
3883 hKey);
3884
3885 if (object == NULL) {
3886 DBG_ERR("Unable to retrieve object");
3887 rv = CKR_FUNCTION_FAILED;
3888 goto c_vi_out;
3889 }
3890
3891 size_t key_length;
3892 yh_rc yrc = yh_get_key_bitlength(object->object.algorithm, &key_length);
3893 if (yrc != YHR_SUCCESS) {
3894 DBG_ERR("Unable to get key length: %s", yh_strerror(yrc));
3895 rv = CKR_FUNCTION_FAILED;
3896 goto c_vi_out;
3897 }
3898
3899 session->operation.op.verify.key_len = key_length;
3900
3901 if (check_verify_mechanism(session->slot, pMechanism) != true) {
3902 DBG_ERR("Verification mechanism %lu not supported", pMechanism->mechanism);
3903 rv = CKR_MECHANISM_INVALID;
3904 goto c_vi_out;
3905 }
3906 session->operation.mechanism.mechanism =
3907 pMechanism->mechanism; // TODO(adma): also need to check/copy the
3908 // mechanism's parameter, if any
3909
3910 if (object->object.type == YH_HMAC_KEY) {
3911 DBG_INFO("HMAC verification requested");
3912 } else if (object->object.type == YH_PUBLIC_KEY) {
3913 DBG_INFO("Asymmetric verification requested");
3914 } else {
3915 rv = CKR_KEY_TYPE_INCONSISTENT;
3916 goto c_vi_out;
3917 }
3918
3919 session->operation.op.verify.key_id = hKey;
3920
3921 rv = apply_verify_mechanism_init(&session->operation);
3922 if (rv != CKR_OK) {
3923 DBG_ERR("Unable to initialize verification operation");
3924 goto c_vi_out;
3925 }
3926
3927 if (yh_is_rsa(object->object.algorithm)) {
3928 if (is_PSS_sign_mechanism(session->operation.mechanism.mechanism)) {
3929 if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) {
3930 DBG_ERR("Length of mechanism parameters does not match expected value, "
3931 "%lu != %zu",
3932 pMechanism->ulParameterLen, sizeof(CK_RSA_PKCS_PSS_PARAMS));
3933 rv = CKR_MECHANISM_PARAM_INVALID;
3934 goto c_vi_out;
3935 }
3936
3937 // TODO: validate that params->hashAlg matches mechanism
3938 CK_RSA_PKCS_PSS_PARAMS *params = pMechanism->pParameter;
3939
3940 session->operation.op.verify.padding = RSA_PKCS1_PSS_PADDING;
3941 session->operation.op.verify.saltLen = params->sLen;
3942 switch (params->mgf) {
3943 case CKG_MGF1_SHA1:
3944 session->operation.op.verify.mgf1md = EVP_sha1();
3945 break;
3946 case CKG_MGF1_SHA256:
3947 session->operation.op.verify.mgf1md = EVP_sha256();
3948 break;
3949 case CKG_MGF1_SHA384:
3950 session->operation.op.verify.mgf1md = EVP_sha384();
3951 break;
3952 case CKG_MGF1_SHA512:
3953 session->operation.op.verify.mgf1md = EVP_sha512();
3954 break;
3955 default:
3956 DBG_ERR("Unsupported mgf algorithm: %lu", params->mgf);
3957 rv = CKR_MECHANISM_PARAM_INVALID;
3958 goto c_vi_out;
3959 }
3960 switch (params->hashAlg) {
3961 case CKM_SHA_1:
3962 session->operation.op.verify.md = EVP_sha1();
3963 break;
3964 case CKM_SHA256:
3965 session->operation.op.verify.md = EVP_sha256();
3966 break;
3967 case CKM_SHA384:
3968 session->operation.op.verify.md = EVP_sha384();
3969 break;
3970 case CKM_SHA512:
3971 session->operation.op.verify.md = EVP_sha512();
3972 break;
3973 default:
3974 DBG_ERR("Unsupported pss hash algorithm: %lu", params->hashAlg);
3975 rv = CKR_MECHANISM_PARAM_INVALID;
3976 goto c_vi_out;
3977 }
3978 } else if (is_PKCS1v1_5_sign_mechanism(
3979 session->operation.mechanism.mechanism)) {
3980 session->operation.op.verify.padding = RSA_PKCS1_PADDING;
3981 }
3982 }
3983
3984 session->operation.type = OPERATION_VERIFY;
3985
3986 DOUT;
3987
3988c_vi_out:
3989
3990 release_session(&g_ctx, session);
3991
3992 return rv;
3993}
3994
3995CK_DEFINE_FUNCTION(CK_RV, C_Verify)
3996(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
3997 CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) {
3998
3999 DIN;
4000
4001 CK_RV rv = CKR_OK;
4002
4003 yubihsm_pkcs11_session *session = NULL;
4004
4005 if (g_yh_initialized == false) {
4006 DBG_ERR("libyubihsm is not initialized or already finalized");
4007 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
4008 goto c_v_out;
4009 }
4010
4011 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
4012 if (rv != CKR_OK) {
4013 DBG_ERR("Invalid session ID %lu", hSession);
4014 goto c_v_out;
4015 }
4016
4017 if (pData == NULL || pSignature == NULL) {
4018 DBG_ERR("Invalid parameters");
4019 rv = CKR_ARGUMENTS_BAD;
4020 goto c_v_out;
4021 }
4022
4023 if (session->operation.type != OPERATION_VERIFY) {
4024 DBG_ERR("Verification operation not initialized");
4025 rv = CKR_OPERATION_NOT_INITIALIZED;
4026 goto c_v_out;
4027 }
4028
4029 CK_ULONG siglen;
4030 if (is_HMAC_sign_mechanism(session->operation.mechanism.mechanism) == true) {
4031 switch (session->operation.mechanism.mechanism) {
4032 case CKM_SHA_1_HMAC:
4033 siglen = 20;
4034 break;
4035
4036 case CKM_SHA256_HMAC:
4037 siglen = 32;
4038 break;
4039
4040 case CKM_SHA384_HMAC:
4041 siglen = 48;
4042 break;
4043
4044 case CKM_SHA512_HMAC:
4045 siglen = 64;
4046 break;
4047 default:
4048 rv = CKR_ARGUMENTS_BAD;
4049 goto c_v_out;
4050 }
4051 } else if (is_RSA_sign_mechanism(session->operation.mechanism.mechanism) ==
4052 true) {
4053 siglen = (session->operation.op.verify.key_len + 7) / 8;
4054 } else if (is_ECDSA_sign_mechanism(session->operation.mechanism.mechanism)) {
4055 siglen = ((session->operation.op.verify.key_len + 7) / 8) * 2;
4056 } else {
4057 DBG_ERR("Mechanism %lu not supported",
4058 session->operation.mechanism.mechanism);
4059 rv = CKR_MECHANISM_INVALID;
4060 goto c_v_out;
4061 }
4062
4063 if (ulSignatureLen != siglen) {
4064 DBG_ERR("Wrong data length, expected %lu, got %lu", siglen, ulSignatureLen);
4065 rv = CKR_SIGNATURE_LEN_RANGE;
4066 goto c_v_out;
4067 }
4068
4069 rv = apply_verify_mechanism_update(&session->operation, pData, ulDataLen);
4070 if (rv != CKR_OK) {
4071 DBG_ERR("Unable to perform verification operation step");
4072 goto c_v_out;
4073 }
4074
4075 rv = apply_verify_mechanism_finalize(&session->operation);
4076 if (rv != CKR_OK) {
4077 DBG_ERR("Unable to finalize verification operation");
4078 goto c_v_out;
4079 }
4080
4081 DBG_INFO("Using key %04x", session->operation.op.verify.key_id);
4082
4083 rv = perform_verify(session->slot->device_session, &session->operation,
4084 pSignature, ulSignatureLen);
4085 if (rv != CKR_OK) {
4086 DBG_ERR("Unable to verify signature");
4087 goto c_v_out;
4088 }
4089
4090 DBG_INFO("Signature successfully verified");
4091
4092 DOUT;
4093
4094c_v_out:
4095 if (session != NULL) {
4096 release_session(&g_ctx, session);
4097 session->operation.type = OPERATION_NOOP;
4098 verify_mechanism_cleanup(&session->operation);
4099 }
4100
4101 return rv;
4102}
4103
4104CK_DEFINE_FUNCTION(CK_RV, C_VerifyUpdate)
4105(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) {
4106
4107 DIN;
4108
4109 CK_RV rv = CKR_OK;
4110
4111 // TODO(adma): somebody should check that this is a proper mult-part
4112 // mechanism/operation
4113
4114 yubihsm_pkcs11_session *session = NULL;
4115
4116 if (g_yh_initialized == false) {
4117 DBG_ERR("libyubihsm is not initialized or already finalized");
4118 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
4119 goto c_vu_out;
4120 }
4121
4122 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
4123 if (rv != CKR_OK) {
4124 DBG_ERR("Invalid session ID %lu", hSession);
4125 goto c_vu_out;
4126 }
4127
4128 if (session->operation.type != OPERATION_VERIFY) {
4129 DBG_ERR("Verification operation not initialized");
4130 rv = CKR_OPERATION_NOT_INITIALIZED;
4131 goto c_vu_out;
4132 }
4133
4134 if (pPart == NULL) {
4135 DBG_ERR("No data provided");
4136 rv = CKR_ARGUMENTS_BAD;
4137 goto c_vu_out;
4138 }
4139
4140 DBG_ERR("Verification update with %lu bytes", ulPartLen);
4141
4142 rv = apply_verify_mechanism_update(&session->operation, pPart, ulPartLen);
4143 if (rv != CKR_OK) {
4144 DBG_ERR("Unable to perform verification operation step");
4145 goto c_vu_out;
4146 }
4147
4148 DOUT;
4149
4150c_vu_out:
4151 if (session != NULL) {
4152 release_session(&g_ctx, session);
4153 if (rv != CKR_OK) {
4154 session->operation.type = OPERATION_NOOP;
4155 verify_mechanism_cleanup(&session->operation);
4156 }
4157 }
4158
4159 return rv;
4160}
4161
4162CK_DEFINE_FUNCTION(CK_RV, C_VerifyFinal)
4163(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) {
4164
4165 DIN;
4166
4167 CK_RV rv = CKR_OK;
4168
4169 yubihsm_pkcs11_session *session = NULL;
4170
4171 if (g_yh_initialized == false) {
4172 DBG_ERR("libyubihsm is not initialized or already finalized");
4173 rv = CKR_CRYPTOKI_NOT_INITIALIZED;
4174 goto c_vf_out;
4175 }
4176
4177 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
4178 if (rv != CKR_OK) {
4179 DBG_ERR("Invalid session ID %lu", hSession);
4180 goto c_vf_out;
4181 }
4182
4183 if (session->operation.type != OPERATION_VERIFY) {
4184 DBG_ERR("Verification operation not initialized");
4185 rv = CKR_OPERATION_NOT_INITIALIZED;
4186 goto c_vf_out;
4187 }
4188
4189 if (pSignature == NULL) {
4190 DBG_ERR("No buffer provided");
4191 rv = CKR_ARGUMENTS_BAD;
4192 goto c_vf_out;
4193 }
4194
4195 rv = apply_verify_mechanism_finalize(&session->operation);
4196 if (rv != CKR_OK) {
4197 DBG_ERR("Unable to finalize verification operation");
4198 goto c_vf_out;
4199 }
4200
4201 rv = perform_verify(session->slot->device_session, &session->operation,
4202 pSignature, ulSignatureLen);
4203 if (rv != CKR_OK) {
4204 DBG_ERR("Unable to verify data");
4205 goto c_vf_out;
4206 }
4207
4208 DOUT;
4209
4210c_vf_out:
4211 if (session != NULL) {
4212 release_session(&g_ctx, session);
4213 session->operation.type = OPERATION_NOOP;
4214 verify_mechanism_cleanup(&session->operation);
4215 }
4216
4217 return rv;
4218}
4219
4220CK_DEFINE_FUNCTION(CK_RV, C_VerifyRecoverInit)
4221(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
4222 CK_OBJECT_HANDLE hKey) {
4223
4224 DIN;
4225
4226 UNUSED(hSession);
4227 UNUSED(pMechanism);
4228 UNUSED(hKey);
4229
4230 DOUT;
4231 return CKR_FUNCTION_NOT_SUPPORTED;
4232}
4233
4234CK_DEFINE_FUNCTION(CK_RV, C_VerifyRecover)
4235(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen,
4236 CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) {
4237
4238 DIN;
4239
4240 UNUSED(hSession);
4241 UNUSED(pSignature);
4242 UNUSED(ulSignatureLen);
4243 UNUSED(pData);
4244 UNUSED(pulDataLen);
4245
4246 DOUT;
4247 return CKR_FUNCTION_NOT_SUPPORTED;
4248}
4249
4250CK_DEFINE_FUNCTION(CK_RV, C_DigestEncryptUpdate)
4251(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen,
4252 CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pulEncryptedPartLen) {
4253
4254 DIN;
4255
4256 UNUSED(hSession);
4257 UNUSED(pPart);
4258 UNUSED(ulPartLen);
4259 UNUSED(pEncryptedPart);
4260 UNUSED(pulEncryptedPartLen);
4261
4262 DOUT;
4263 return CKR_FUNCTION_NOT_SUPPORTED;
4264}
4265
4266CK_DEFINE_FUNCTION(CK_RV, C_DecryptDigestUpdate)
4267(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
4268 CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) {
4269
4270 DIN;
4271
4272 UNUSED(hSession);
4273 UNUSED(pEncryptedPart);
4274 UNUSED(ulEncryptedPartLen);
4275 UNUSED(pPart);
4276 UNUSED(pulPartLen);
4277
4278 DOUT;
4279 return CKR_FUNCTION_NOT_SUPPORTED;
4280}
4281
4282CK_DEFINE_FUNCTION(CK_RV, C_SignEncryptUpdate)
4283(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen,
4284 CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pulEncryptedPartLen) {
4285
4286 DIN;
4287
4288 UNUSED(hSession);
4289 UNUSED(pPart);
4290 UNUSED(ulPartLen);
4291 UNUSED(pEncryptedPart);
4292 UNUSED(pulEncryptedPartLen);
4293
4294 DOUT;
4295 return CKR_FUNCTION_NOT_SUPPORTED;
4296}
4297
4298CK_DEFINE_FUNCTION(CK_RV, C_DecryptVerifyUpdate)
4299(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
4300 CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) {
4301
4302 DIN;
4303
4304 UNUSED(hSession);
4305 UNUSED(pEncryptedPart);
4306 UNUSED(ulEncryptedPartLen);
4307 UNUSED(pPart);
4308 UNUSED(pulPartLen);
4309
4310 DOUT;
4311 return CKR_FUNCTION_NOT_SUPPORTED;
4312}
4313
4314CK_DEFINE_FUNCTION(CK_RV, C_GenerateKey)
4315(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
4316 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey) {
4317
4318 DIN;
4319
4320 CK_RV rv = CKR_OK;
4321
4322 if (g_yh_initialized == false) {
4323 DBG_ERR("libyubihsm is not initialized or already finalized");
4324 return CKR_CRYPTOKI_NOT_INITIALIZED;
4325 }
4326
4327 if (pMechanism == NULL || pTemplate == NULL || phKey == NULL) {
4328 DBG_ERR("Invalid argument");
4329 return CKR_ARGUMENTS_BAD;
4330 }
4331
4332 yubihsm_pkcs11_session *session;
4333 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED_RW);
4334 if (rv != CKR_OK) {
4335 DBG_ERR("Invalid session ID: %lu", hSession);
4336 return rv;
4337 }
4338
4339 if (session->operation.type != OPERATION_NOOP) {
4340 DBG_ERR("A different operation is already active");
4341 rv = CKR_OPERATION_ACTIVE;
4342 goto c_gk_out;
4343 }
4344
4345 if (pMechanism->mechanism != CKM_GENERIC_SECRET_KEY_GEN) {
4346 DBG_ERR("Invalid mechanism %lu", pMechanism->mechanism);
4347 rv = CKR_MECHANISM_INVALID;
4348 goto c_gk_out;
4349 }
4350
4351 yubihsm_pkcs11_object_template template;
4352 memset(&template, 0, sizeof(yubihsm_pkcs11_object_template));
4353 struct {
4354 bool set;
4355 CK_ULONG d;
4356 } class, key_type, id;
4357 class.set = key_type.set = id.set = false;
4358 class.d = key_type.d = id.d = 0;
4359
4360 for (CK_ULONG i = 0; i < ulCount; i++) {
4361 switch (pTemplate[i].type) {
4362 case CKA_CLASS:
4363 if (class.set == false) {
4364 class.d = *((CK_ULONG_PTR) pTemplate[i].pValue);
4365 class.set = true;
4366 } else {
4367 rv = CKR_TEMPLATE_INCONSISTENT;
4368 goto c_gk_out;
4369 }
4370 break;
4371
4372 case CKA_KEY_TYPE:
4373 if (key_type.set == false) {
4374 key_type.d = *((CK_ULONG_PTR) pTemplate[i].pValue);
4375 key_type.set = true;
4376 } else {
4377 rv = CKR_TEMPLATE_INCONSISTENT;
4378 goto c_gk_out;
4379 }
4380 break;
4381
4382 case CKA_ID:
4383 if (id.set == false) {
4384 id.d = parse_id_value(pTemplate[i].pValue, pTemplate[i].ulValueLen);
4385 if (id.d == (CK_ULONG) -1) {
4386 rv = CKR_ATTRIBUTE_VALUE_INVALID;
4387 goto c_gk_out;
4388 }
4389 id.set = true;
4390 } else {
4391 rv = CKR_TEMPLATE_INCONSISTENT;
4392 goto c_gk_out;
4393 }
4394 break;
4395
4396 case CKA_LABEL:
4397 if (pTemplate[i].ulValueLen > YH_OBJ_LABEL_LEN) {
4398 return CKR_ATTRIBUTE_VALUE_INVALID;
4399 }
4400
4401 memcpy(template.label, pTemplate[i].pValue, pTemplate[i].ulValueLen);
4402
4403 break;
4404
4405 case CKA_EXTRACTABLE:
4406 if ((rv = set_template_attribute(&template.exportable,
4407 pTemplate[i].pValue)) != CKR_OK) {
4408 return rv;
4409 }
4410 }
4411 }
4412
4413 if (key_type.set == false || class.set == false) {
4414 rv = CKR_TEMPLATE_INCOMPLETE;
4415 goto c_gk_out;
4416 }
4417
4418 template.id = id.d;
4419 yh_capabilities capabilities = {{0}};
4420 yh_capabilities delegated_capabilities = {{0}};
4421 uint8_t type;
4422 yh_rc rc;
4423
4424 if (template.exportable == ATTRIBUTE_TRUE) {
4425 rc = yh_string_to_capabilities("exportable-under-wrap", &capabilities);
4426 if (rc != YHR_SUCCESS) {
4427 rv = CKR_FUNCTION_FAILED;
4428 goto c_gk_out;
4429 }
4430 }
4431
4432 if (class.d == CKO_SECRET_KEY) {
4433 if (key_type.d == CKK_SHA_1_HMAC || key_type.d == CKK_SHA256_HMAC ||
4434 key_type.d == CKK_SHA384_HMAC || key_type.d == CKK_SHA512_HMAC) {
4435 type = YH_HMAC_KEY;
4436 rv = parse_hmac_template(pTemplate, ulCount, &template, true);
4437 if (rv != CKR_OK) {
4438 goto c_gk_out;
4439 }
4440
4441 if (template.sign == ATTRIBUTE_TRUE) {
4442 rc = yh_string_to_capabilities("sign-hmac", &capabilities);
4443 if (rc != YHR_SUCCESS) {
4444 rv = CKR_FUNCTION_FAILED;
4445 goto c_gk_out;
4446 }
4447 }
4448
4449 if (template.verify == ATTRIBUTE_TRUE) {
4450 rc = yh_string_to_capabilities("verify-hmac", &capabilities);
4451 if (rc != YHR_SUCCESS) {
4452 rv = CKR_FUNCTION_FAILED;
4453 goto c_gk_out;
4454 }
4455 }
4456
4457 if (yh_util_generate_hmac_key(session->slot->device_session, &template.id,
4458 template.label, 0xffff, &capabilities,
4459 template.algorithm) != YHR_SUCCESS) {
4460 DBG_ERR("Failed generating HMAC key");
4461 rv = CKR_FUNCTION_FAILED;
4462 goto c_gk_out;
4463 }
4464 } else if (key_type.d == CKK_YUBICO_AES128_CCM_WRAP ||
4465 key_type.d == CKK_YUBICO_AES192_CCM_WRAP ||
4466 key_type.d == CKK_YUBICO_AES256_CCM_WRAP) {
4467 yh_algorithm algo = key_type.d & 0xff;
4468 type = YH_WRAP_KEY;
4469 rv = parse_wrap_template(pTemplate, ulCount, &template, true);
4470 if (rv != CKR_OK) {
4471 goto c_gk_out;
4472 }
4473
4474 DBG_INFO("parsed WRAP key, objlen: %d", template.objlen);
4475
4476 if (template.wrap == ATTRIBUTE_TRUE) {
4477 rc = yh_string_to_capabilities("export-wrapped", &capabilities);
4478 if (rc != YHR_SUCCESS) {
4479 rv = CKR_FUNCTION_FAILED;
4480 goto c_gk_out;
4481 }
4482 }
4483
4484 if (template.unwrap == ATTRIBUTE_TRUE) {
4485 rc = yh_string_to_capabilities("import-wrapped", &capabilities);
4486 if (rc != YHR_SUCCESS) {
4487 rv = CKR_FUNCTION_FAILED;
4488 goto c_gk_out;
4489 }
4490 }
4491
4492 rc = yh_string_to_capabilities("all", &delegated_capabilities);
4493 if (rc != YHR_SUCCESS) {
4494 rv = CKR_FUNCTION_FAILED;
4495 goto c_gk_out;
4496 }
4497
4498 if (yh_util_generate_wrap_key(session->slot->device_session, &template.id,
4499 template.label, 0xffff, &capabilities, algo,
4500 &delegated_capabilities) != YHR_SUCCESS) {
4501 DBG_ERR("Failed generating wrap key");
4502 rv = CKR_FUNCTION_FAILED;
4503 goto c_gk_out;
4504 }
4505 } else {
4506 DBG_ERR("Unknown key_type: %lx", class.d);
4507 rv = CKR_ATTRIBUTE_VALUE_INVALID;
4508 goto c_gk_out;
4509 }
4510 } else {
4511 rv = CKR_TEMPLATE_INCONSISTENT;
4512 goto c_gk_out;
4513 }
4514
4515 yh_object_descriptor object;
4516 if (yh_util_get_object_info(session->slot->device_session, template.id, type,
4517 &object) != YHR_SUCCESS) {
4518 DBG_ERR("Failed getting new object %04x", template.id);
4519 rv = CKR_FUNCTION_FAILED;
4520 goto c_gk_out;
4521 }
4522 *phKey = object.sequence << 24 | object.type << 16 | object.id;
4523
4524 DBG_INFO("Created object %08lx", *phKey);
4525
4526 DOUT;
4527
4528c_gk_out:
4529
4530 release_session(&g_ctx, session);
4531
4532 return rv;
4533}
4534
4535CK_DEFINE_FUNCTION(CK_RV, C_GenerateKeyPair)
4536(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
4537 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicKeyAttributeCount,
4538 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateKeyAttributeCount,
4539 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey) {
4540
4541 DIN;
4542
4543 CK_RV rv = CKR_OK;
4544
4545 yubihsm_pkcs11_object_template template;
4546 memset(&template, 0, sizeof(yubihsm_pkcs11_object_template));
4547
4548 if (g_yh_initialized == false) {
4549 DBG_ERR("libyubihsm is not initialized or already finalized");
4550 return CKR_CRYPTOKI_NOT_INITIALIZED;
4551 }
4552
4553 if (pMechanism == NULL || pPublicKeyTemplate == NULL ||
4554 pPrivateKeyTemplate == NULL || phPublicKey == NULL ||
4555 phPrivateKey == NULL) {
4556 DBG_ERR("Invalid argument");
4557 return CKR_ARGUMENTS_BAD;
4558 }
4559
4560 yubihsm_pkcs11_session *session;
4561 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED_RW);
4562 if (rv != CKR_OK) {
4563 DBG_ERR("Invalid session ID: %lu", hSession);
4564 return rv;
4565 }
4566
4567 if (session->operation.type != OPERATION_NOOP) {
4568 DBG_ERR("A different operation is already active");
4569 rv = CKR_OPERATION_ACTIVE;
4570 goto c_gkp_out;
4571 }
4572
4579 rv =
4580 parse_ec_generate_template(pPublicKeyTemplate, ulPublicKeyAttributeCount,
4581 pPrivateKeyTemplate,
4582 ulPrivateKeyAttributeCount, &template);
4583 } else {
4584 DBG_ERR("Invalid mechanism for key generation: %lu", pMechanism->mechanism);
4585 rv = CKR_MECHANISM_INVALID;
4586 goto c_gkp_out;
4587 }
4588
4589 if (rv != CKR_OK) {
4590 DBG_ERR("Unable to parse generation template");
4591 goto c_gkp_out;
4592 }
4593
4594 yh_capabilities capabilities = {{0}};
4595 yh_rc rc;
4596
4597 if (template.exportable == ATTRIBUTE_TRUE) {
4598 rc = yh_string_to_capabilities("exportable-under-wrap", &capabilities);
4599 if (rc != YHR_SUCCESS) {
4600 rv = CKR_FUNCTION_FAILED;
4601 goto c_gkp_out;
4602 }
4603 }
4604
4605 // TODO(adma): check more return values
4606
4607 if (yh_is_rsa(template.algorithm)) {
4608
4609 if (template.sign == ATTRIBUTE_TRUE) {
4610 rc = yh_string_to_capabilities("sign-pkcs,sign-pss", &capabilities);
4611 if (rc != YHR_SUCCESS) {
4612 rv = CKR_FUNCTION_FAILED;
4613 goto c_gkp_out;
4614 }
4615 }
4616
4617 if (template.decrypt == ATTRIBUTE_TRUE) {
4618 rc =
4619 yh_string_to_capabilities("decrypt-pkcs,decrypt-oaep", &capabilities);
4620 if (rc != YHR_SUCCESS) {
4621 rv = CKR_FUNCTION_FAILED;
4622 goto c_gkp_out;
4623 }
4624 }
4625
4626 rc = yh_util_generate_rsa_key(session->slot->device_session, &template.id,
4627 template.label, 0xffff, &capabilities,
4628 template.algorithm);
4629 if (rc != YHR_SUCCESS) {
4630 DBG_ERR("Failed writing RSA key to device");
4631 rv = CKR_FUNCTION_FAILED;
4632 goto c_gkp_out;
4633 }
4634 } else {
4635
4636 if (template.sign == ATTRIBUTE_TRUE) {
4637 rc = yh_string_to_capabilities("sign-ecdsa", &capabilities);
4638 if (rc != YHR_SUCCESS) {
4639 rv = CKR_FUNCTION_FAILED;
4640 goto c_gkp_out;
4641 }
4642 }
4643
4644 if (template.derive == ATTRIBUTE_TRUE) {
4645 rc = yh_string_to_capabilities("derive-ecdh", &capabilities);
4646
4647 if (rc != YHR_SUCCESS) {
4648 rv = CKR_FUNCTION_FAILED;
4649 goto c_gkp_out;
4650 }
4651 }
4652
4653 rc = yh_util_generate_ec_key(session->slot->device_session, &template.id,
4654 template.label, 0xffff, &capabilities,
4655 template.algorithm);
4656 if (rc != YHR_SUCCESS) {
4657 DBG_ERR("Failed writing EC key to device");
4658 rv = CKR_FUNCTION_FAILED;
4659 goto c_gkp_out;
4660 }
4661 }
4662
4663 yh_object_descriptor object;
4664 if (yh_util_get_object_info(session->slot->device_session, template.id,
4665 YH_ASYMMETRIC_KEY, &object) != YHR_SUCCESS) {
4666 rv = CKR_FUNCTION_FAILED;
4667 goto c_gkp_out;
4668 }
4669 *phPublicKey = object.sequence << 24 | (object.type | 0x80) << 16 | object.id;
4670 *phPrivateKey = object.sequence << 24 | object.type << 16 | object.id;
4671
4672 DOUT;
4673
4674c_gkp_out:
4675
4676 insecure_memzero(&template, sizeof(template));
4677
4678 release_session(&g_ctx, session);
4679
4680 return rv;
4681}
4682
4683CK_DEFINE_FUNCTION(CK_RV, C_WrapKey)
4684(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
4685 CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
4686 CK_ULONG_PTR pulWrappedKeyLen) {
4687
4688 DIN;
4689
4690 CK_RV rv = CKR_OK;
4691
4692 if (g_yh_initialized == false) {
4693 DBG_ERR("libyubihsm is not initialized or already finalized");
4694 return CKR_CRYPTOKI_NOT_INITIALIZED;
4695 }
4696
4697 if (pMechanism == NULL || pulWrappedKeyLen == NULL) {
4698 DBG_ERR("Invalid argument");
4699 return CKR_ARGUMENTS_BAD;
4700 }
4701
4702 yubihsm_pkcs11_session *session;
4703 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
4704 if (rv != CKR_OK) {
4705 DBG_ERR("Unknown session %lu", hSession);
4706 return rv;
4707 }
4708
4709 int wrapped_key_type = hKey >> 16;
4710 int wrapping_key_type = hWrappingKey >> 16;
4711 if (wrapped_key_type == ECDH_KEY_TYPE || wrapping_key_type == ECDH_KEY_TYPE) {
4712 DBG_ERR("Wrapping involving ECDH session keys is not supported");
4713 rv = CKR_FUNCTION_NOT_SUPPORTED;
4714 goto c_wk_out;
4715 }
4716
4717 yubihsm_pkcs11_object_desc *object =
4718 get_object_desc(session->slot->device_session, session->slot->objects,
4719 hKey);
4720 if (object == NULL) {
4721 DBG_ERR("Wrapped key not found");
4722 rv = CKR_KEY_HANDLE_INVALID;
4723 goto c_wk_out;
4724 }
4725
4726 // NOTE: pWrappedKey is NULL so we just return the length we need
4727 if (pWrappedKey == NULL) {
4728 *pulWrappedKeyLen =
4729 sizeof(yh_object_descriptor) + object->object.len + YH_CCM_WRAP_OVERHEAD;
4730 DBG_INFO("Calculated that wrapping will need %lu bytes", *pulWrappedKeyLen);
4731 rv = CKR_OK;
4732 goto c_wk_out;
4733 }
4734
4735 if (session->operation.type != OPERATION_NOOP) {
4736 DBG_ERR("A different operation is already active");
4737 rv = CKR_OPERATION_ACTIVE;
4738 goto c_wk_out;
4739 }
4740
4741 if (check_wrap_mechanism(session->slot, pMechanism) != true) {
4742 DBG_ERR("Wrapping mechanism %lu not supported", pMechanism->mechanism);
4743 rv = CKR_MECHANISM_INVALID;
4744 goto c_wk_out;
4745 }
4746
4747 yubihsm_pkcs11_object_desc *key =
4748 get_object_desc(session->slot->device_session, session->slot->objects,
4749 hWrappingKey);
4750 if (key == NULL) {
4751 DBG_ERR("No wrap key found");
4752 rv = CKR_WRAPPING_KEY_HANDLE_INVALID;
4753 goto c_wk_out;
4754 }
4755
4756 if (yh_check_capability(&key->object.capabilities, "export-wrapped") ==
4757 false) {
4758 DBG_ERR("Wrap key does not have \"export-wrapped\" set");
4759 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT; // TODO: say something better?
4760 goto c_wk_out;
4761 }
4762
4763 if (yh_check_capability(&object->object.capabilities,
4764 "exportable-under-wrap") == false) {
4765 DBG_ERR("Key to be wrapped does not have \"exportable-under-wrap\" set");
4766 rv = CKR_KEY_UNEXTRACTABLE;
4767 goto c_wk_out;
4768 }
4769
4770 uint8_t buf[2048];
4771 size_t len = sizeof(buf);
4772
4773 yh_rc yrc =
4774 yh_util_export_wrapped(session->slot->device_session, key->object.id,
4775 object->object.type, object->object.id, buf, &len);
4776 if (yrc != YHR_SUCCESS) {
4777 DBG_ERR("Wrapping failed: %s", yh_strerror(yrc));
4778 rv = CKR_FUNCTION_FAILED;
4779 goto c_wk_out;
4780 }
4781
4782 if (len > *pulWrappedKeyLen) {
4783 DBG_ERR("buffer to small, needed %lu, got %lu", (unsigned long) len,
4784 *pulWrappedKeyLen);
4785 rv = CKR_BUFFER_TOO_SMALL;
4786 goto c_wk_out;
4787 }
4788
4789 memcpy(pWrappedKey, buf, len);
4790 *pulWrappedKeyLen = len;
4791
4792 DOUT;
4793
4794c_wk_out:
4795
4796 release_session(&g_ctx, session);
4797
4798 return rv;
4799}
4800
4801CK_DEFINE_FUNCTION(CK_RV, C_UnwrapKey)
4802(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
4803 CK_OBJECT_HANDLE hUnwrappingKey, CK_BYTE_PTR pWrappedKey,
4804 CK_ULONG ulWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate,
4805 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) {
4806
4807 DIN;
4808
4809 CK_RV rv = CKR_OK;
4810
4811 // NOTE: since the wrap is opaque we just ignore the template..
4812 UNUSED(pTemplate);
4813 UNUSED(ulAttributeCount);
4814
4815 if (g_yh_initialized == false) {
4816 DBG_ERR("libyubihsm is not initialized or already finalized");
4817 return CKR_CRYPTOKI_NOT_INITIALIZED;
4818 }
4819
4820 if (pMechanism == NULL || pWrappedKey == NULL || phKey == NULL) {
4821 DBG_ERR("Invalid argument");
4822 return CKR_ARGUMENTS_BAD;
4823 }
4824
4825 yubihsm_pkcs11_session *session;
4826 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
4827 if (rv != CKR_OK) {
4828 DBG_ERR("Unknown session %lu", hSession);
4829 return rv;
4830 }
4831
4832 if (session->operation.type != OPERATION_NOOP) {
4833 DBG_ERR("A different operation is already active");
4834 rv = CKR_OPERATION_ACTIVE;
4835 goto c_uk_out;
4836 }
4837
4838 int unwrapping_key_type = hUnwrappingKey >> 16;
4839 if (unwrapping_key_type == ECDH_KEY_TYPE) {
4840 DBG_ERR("Unwrapping using ECDH session key is not supported");
4841 rv = CKR_FUNCTION_NOT_SUPPORTED;
4842 goto c_uk_out;
4843 }
4844
4845 if (check_wrap_mechanism(session->slot, pMechanism) != true) {
4846 DBG_ERR("Wrapping mechanism %lu not supported", pMechanism->mechanism);
4847 rv = CKR_MECHANISM_INVALID;
4848 goto c_uk_out;
4849 }
4850
4851 yubihsm_pkcs11_object_desc *key =
4852 get_object_desc(session->slot->device_session, session->slot->objects,
4853 hUnwrappingKey);
4854 if (key == NULL) {
4855 DBG_ERR("No wrap key found");
4856 rv = CKR_UNWRAPPING_KEY_HANDLE_INVALID;
4857 goto c_uk_out;
4858 }
4859
4860 if (yh_check_capability(&key->object.capabilities, "import-wrapped") ==
4861 false) {
4862 DBG_ERR("Wrap key can't unwrap");
4863 rv = CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT; // TODO: say something better?
4864 goto c_uk_out;
4865 }
4866
4867 uint16_t target_id;
4868 yh_object_type target_type;
4869 yh_rc yrc = yh_util_import_wrapped(session->slot->device_session,
4870 key->object.id, pWrappedKey,
4871 ulWrappedKeyLen, &target_type, &target_id);
4872 if (yrc != YHR_SUCCESS) {
4873 DBG_ERR("Unwrapping failed: %s", yh_strerror(yrc));
4874 rv = CKR_FUNCTION_FAILED;
4875 goto c_uk_out;
4876 }
4877
4878 yh_object_descriptor object;
4879 if (yh_util_get_object_info(session->slot->device_session, target_id,
4880 target_type, &object) != YHR_SUCCESS) {
4881 rv = CKR_FUNCTION_FAILED;
4882 goto c_uk_out;
4883 }
4884 *phKey = object.sequence << 24 | object.type << 16 | object.id;
4885
4886 DBG_INFO("Unwrapped object %08lx", *phKey);
4887
4888 DOUT;
4889
4890c_uk_out:
4891
4892 release_session(&g_ctx, session);
4893
4894 return rv;
4895}
4896
4897CK_DEFINE_FUNCTION(CK_RV, C_DeriveKey)
4898(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
4899 CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
4900 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) {
4901
4902 DIN;
4903
4904 CK_RV rv = CKR_OK;
4905
4906 if (g_yh_initialized == false) {
4907 DBG_ERR("libyubihsm is not initialized or already finalized");
4908 return CKR_CRYPTOKI_NOT_INITIALIZED;
4909 }
4910
4911 yubihsm_pkcs11_session *session;
4912 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
4913 if (rv != CKR_OK) {
4914 DBG_ERR("Unknown session %lu", hSession);
4915 return rv;
4916 }
4917
4918 if (pMechanism == NULL || phKey == NULL) {
4919 DBG_ERR("Invalid argument");
4920 rv = CKR_ARGUMENTS_BAD;
4921 goto c_drv_out;
4922 }
4923
4924 if (pMechanism->mechanism != CKM_ECDH1_DERIVE) {
4925 DBG_ERR("Invalid mechanism for key generation: %lu", pMechanism->mechanism);
4926 rv = CKR_MECHANISM_INVALID;
4927 goto c_drv_out;
4928 }
4929
4930 int basekey_type = hBaseKey >> 16;
4931 if (basekey_type == ECDH_KEY_TYPE) {
4932 DBG_ERR("Cannot derive an ECDH key from another ECDH key");
4933 rv = CKR_ARGUMENTS_BAD;
4934 goto c_drv_out;
4935 }
4936
4937 char *label_buf = NULL;
4938 size_t label_len = 0;
4939 size_t expected_key_length = 0;
4940 for (CK_ULONG i = 0; i < ulAttributeCount; i++) {
4941 switch (pTemplate[i].type) {
4942 case CKA_VALUE_LEN:
4943 expected_key_length = *((CK_ULONG *) pTemplate[i].pValue);
4944 break;
4945 case CKA_LABEL:
4946 if (pTemplate[i].ulValueLen > YH_OBJ_LABEL_LEN) {
4947 rv = CKR_ATTRIBUTE_VALUE_INVALID;
4948 goto c_drv_out;
4949 }
4950 label_buf = pTemplate[i].pValue;
4951 label_len = pTemplate[i].ulValueLen;
4952 break;
4953 default:
4954 rv =
4955 validate_derive_key_attribute(pTemplate[i].type, pTemplate[i].pValue);
4956 if (rv != CKR_OK) {
4957 goto c_drv_out;
4958 }
4959 break;
4960 }
4961 }
4962
4963 CK_ECDH1_DERIVE_PARAMS *params = pMechanism->pParameter;
4964
4965 if (params->kdf == CKD_NULL) {
4966 if ((params->pSharedData != NULL) || (params->ulSharedDataLen != 0)) {
4967 DBG_ERR("Mechanism parameters incompatible with key derivation function "
4968 "CKD_NULL");
4969 rv = CKR_MECHANISM_PARAM_INVALID;
4970 goto c_drv_out;
4971 }
4972 } else {
4973 DBG_ERR("Unsupported value of mechanism parameter key derivation function");
4974 rv = CKR_MECHANISM_PARAM_INVALID;
4975 goto c_drv_out;
4976 }
4977
4978 size_t in_len = params->ulPublicDataLen;
4979 if (in_len != params->ulPublicDataLen) {
4980 DBG_ERR("Invalid parameter");
4981 return CKR_ARGUMENTS_BAD;
4982 }
4983
4984 CK_BYTE_PTR pubkey = params->pPublicData;
4985
4986 int seq = session->ecdh_session_keys.length + 1;
4987 if (seq > MAX_ECDH_SESSION_KEYS) {
4988 DBG_ERR("There are already %d ECDH keys available for this session. "
4989 "Cannot derive more",
4990 MAX_ECDH_SESSION_KEYS);
4991 rv = CKR_FUNCTION_FAILED;
4992 goto c_drv_out;
4993 }
4994
4995 // Read the base key as the private keyID
4996 uint16_t privkey_id = hBaseKey & 0xffff;
4997
4998 ecdh_session_key ecdh_key;
4999 memset(&ecdh_key, 0, sizeof(ecdh_key));
5000 size_t out_len = sizeof(ecdh_key.ecdh_key);
5001 rv = yh_util_derive_ecdh(session->slot->device_session, privkey_id, pubkey,
5002 in_len, ecdh_key.ecdh_key, &out_len);
5003 if (rv != CKR_OK) {
5004 DBG_ERR("Unable to derive ECDH key: %s", yh_strerror(rv));
5005 goto c_drv_out;
5006 }
5007
5008 if ((expected_key_length > 0) && (expected_key_length != out_len)) {
5009 DBG_ERR("Failed to derive a key with the expected length");
5010 rv = CKR_FUNCTION_FAILED;
5011 goto c_drv_out;
5012 }
5013
5014 // Make a session variable to store the derived key
5015 ecdh_key.id = ECDH_KEY_TYPE << 16 | seq;
5016 ecdh_key.len = out_len;
5017 memcpy(ecdh_key.label, label_buf, label_len);
5018 list_append(&session->ecdh_session_keys, (void *) &ecdh_key);
5019
5020 insecure_memzero(ecdh_key.ecdh_key, out_len);
5021
5022 *phKey = ecdh_key.id;
5023
5024 DBG_INFO("Created object %04lx", *phKey);
5025
5026 DOUT;
5027
5028c_drv_out:
5029
5030 release_session(&g_ctx, session);
5031
5032 return rv;
5033}
5034
5035/* Random number generation functions */
5036
5037CK_DEFINE_FUNCTION(CK_RV, C_SeedRandom)
5038(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen) {
5039
5040 DIN;
5041
5042 UNUSED(hSession);
5043 UNUSED(pSeed);
5044 UNUSED(ulSeedLen);
5045
5046 DOUT;
5047 return CKR_RANDOM_SEED_NOT_SUPPORTED;
5048}
5049
5050CK_DEFINE_FUNCTION(CK_RV, C_GenerateRandom)
5051(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen) {
5052
5053 DIN;
5054
5055 CK_RV rv = CKR_OK;
5056
5057 if (g_yh_initialized == false) {
5058 DBG_ERR("libyubihsm is not initialized or already finalized");
5059 return CKR_CRYPTOKI_NOT_INITIALIZED;
5060 }
5061
5062 size_t len = ulRandomLen;
5063 if (len != ulRandomLen || pRandomData == NULL) {
5064 DBG_ERR("Invalid parameter");
5065 return CKR_ARGUMENTS_BAD;
5066 }
5067
5068 yubihsm_pkcs11_session *session;
5069 rv = get_session(&g_ctx, hSession, &session, SESSION_AUTHENTICATED);
5070 if (rv != CKR_OK) {
5071 DBG_ERR("Unknown session %lu", hSession);
5072 return rv;
5073 }
5074
5075 // the OpenSC pkcs11 test calls with 0 and expects CKR_OK, do that..
5076 if (len != 0) {
5077 yh_rc rc = yh_util_get_pseudo_random(session->slot->device_session,
5078 ulRandomLen, pRandomData, &len);
5079 if (rc != YHR_SUCCESS) {
5080 DBG_ERR("Failed to get random data");
5081 rv = CKR_FUNCTION_FAILED;
5082 goto c_gr_out;
5083 }
5084 }
5085
5086 if (len != ulRandomLen) {
5087 DBG_ERR("Incorrect amount of data returned");
5088 rv = CKR_FUNCTION_FAILED;
5089 goto c_gr_out;
5090 }
5091
5092 DOUT;
5093
5094c_gr_out:
5095
5096 release_session(&g_ctx, session);
5097
5098 return rv;
5099}
5100
5101CK_DEFINE_FUNCTION(CK_RV, C_GetFunctionStatus)
5102(CK_SESSION_HANDLE hSession)
5103
5104{
5105
5106 DIN;
5107
5108 UNUSED(hSession);
5109
5110 DOUT;
5111 return CKR_FUNCTION_NOT_PARALLEL;
5112}
5113
5114CK_DEFINE_FUNCTION(CK_RV, C_CancelFunction)(CK_SESSION_HANDLE hSession) {
5115
5116 DIN;
5117
5118 UNUSED(hSession);
5119
5120 DOUT;
5121 return CKR_FUNCTION_NOT_PARALLEL;
5122}
5123
5124CK_FUNCTION_LIST function_list = {
5125 {CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR},
5126 C_Initialize,
5127 C_Finalize,
5128 C_GetInfo,
5129 C_GetFunctionList,
5130 C_GetSlotList,
5131 C_GetSlotInfo,
5132 C_GetTokenInfo,
5133 C_GetMechanismList,
5134 C_GetMechanismInfo,
5135 C_InitToken,
5136 C_InitPIN,
5137 C_SetPIN,
5138 C_OpenSession,
5139 C_CloseSession,
5140 C_CloseAllSessions,
5141 C_GetSessionInfo,
5142 C_GetOperationState,
5143 C_SetOperationState,
5144 C_Login,
5145 C_Logout,
5146 C_CreateObject,
5147 C_CopyObject,
5148 C_DestroyObject,
5149 C_GetObjectSize,
5150 C_GetAttributeValue,
5151 C_SetAttributeValue,
5152 C_FindObjectsInit,
5153 C_FindObjects,
5154 C_FindObjectsFinal,
5155 C_EncryptInit,
5156 C_Encrypt,
5157 C_EncryptUpdate,
5158 C_EncryptFinal,
5159 C_DecryptInit,
5160 C_Decrypt,
5161 C_DecryptUpdate,
5162 C_DecryptFinal,
5163 C_DigestInit,
5164 C_Digest,
5165 C_DigestUpdate,
5166 C_DigestKey,
5167 C_DigestFinal,
5168 C_SignInit,
5169 C_Sign,
5170 C_SignUpdate,
5171 C_SignFinal,
5172 C_SignRecoverInit,
5173 C_SignRecover,
5174 C_VerifyInit,
5175 C_Verify,
5176 C_VerifyUpdate,
5177 C_VerifyFinal,
5178 C_VerifyRecoverInit,
5179 C_VerifyRecover,
5180 C_DigestEncryptUpdate,
5181 C_DecryptDigestUpdate,
5182 C_SignEncryptUpdate,
5183 C_DecryptVerifyUpdate,
5184 C_GenerateKey,
5185 C_GenerateKeyPair,
5186 C_WrapKey,
5187 C_UnwrapKey,
5188 C_DeriveKey,
5189 C_SeedRandom,
5190 C_GenerateRandom,
5191 C_GetFunctionStatus,
5192 C_CancelFunction,
5193 C_WaitForSlotEvent,
5194};
DBG_ERR
#define DBG_ERR(...)
Definition debug_lib.h:76
DBG_INFO
#define DBG_INFO(...)
Definition debug_lib.h:63
_YHP11_OUTPUT
FILE * _YHP11_OUTPUT
Definition debug_p11.c:25
yh_dbg_init
void yh_dbg_init(int dbg, int dinout, int libdbg, const char *debug_file)
Definition debug_p11.c:27
debug_p11.h
insecure_memzero.h
insecure_memzero
#define insecure_memzero(buf, len)
Definition insecure_memzero.h:31
yh_strerror
const char * yh_strerror(yh_rc err)
Definition error.c:65
list_append
bool list_append(List *list, void *item)
Definition list.c:78
list_delete
void list_delete(List *list, ListItem *item)
Definition list.c:117
list_iterate
void list_iterate(List *list, IteratorFn iterator_fn)
Definition list.c:175
list_get
ListItem * list_get(List *list, void *data, CompareItemFn compare_item_fn)
Definition list.c:105
list_create
void list_create(List *list, int item_size, FreeItemFn free_item_fn)
Definition list.c:24
list_destroy
void list_destroy(List *list)
Definition list.c:33
verify
void verify(const char *msg, const T &a, const S &b)
Definition minitest.cpp:13
CKD_NULL
#define CKD_NULL
Definition pkcs11.h:732
CKR_SESSION_COUNT
#define CKR_SESSION_COUNT
Definition pkcs11.h:1137
CKA_TOKEN
#define CKA_TOKEN
Definition pkcs11.h:364
CKR_MECHANISM_INVALID
#define CKR_MECHANISM_INVALID
Definition pkcs11.h:1126
CKR_SLOT_ID_INVALID
#define CKR_SLOT_ID_INVALID
Definition pkcs11.h:1095
CKG_MGF1_SHA256
#define CKG_MGF1_SHA256
Definition pkcs11.h:746
CKM_RSA_PKCS
#define CKM_RSA_PKCS
Definition pkcs11.h:470
CKF_LOGIN_REQUIRED
#define CKF_LOGIN_REQUIRED
Definition pkcs11.h:248
CKF_HW_SLOT
#define CKF_HW_SLOT
Definition pkcs11.h:222
CKO_PUBLIC_KEY
#define CKO_PUBLIC_KEY
Definition pkcs11.h:302
CKR_KEY_UNEXTRACTABLE
#define CKR_KEY_UNEXTRACTABLE
Definition pkcs11.h:1125
CKR_UNWRAPPING_KEY_HANDLE_INVALID
#define CKR_UNWRAPPING_KEY_HANDLE_INVALID
Definition pkcs11.h:1151
CKK_SHA256_HMAC
#define CKK_SHA256_HMAC
Definition pkcs11.h:345
CK_DEFINE_FUNCTION
#define CK_DEFINE_FUNCTION(retval, name)
Definition pkcs11.h:1185
CKS_RW_PUBLIC_SESSION
#define CKS_RW_PUBLIC_SESSION
Definition pkcs11.h:282
CKR_MECHANISM_PARAM_INVALID
#define CKR_MECHANISM_PARAM_INVALID
Definition pkcs11.h:1127
CKF_TOKEN_INITIALIZED
#define CKF_TOKEN_INITIALIZED
Definition pkcs11.h:254
CKM_SHA_1_HMAC
#define CKM_SHA_1_HMAC
Definition pkcs11.h:533
CKG_MGF1_SHA512
#define CKG_MGF1_SHA512
Definition pkcs11.h:748
CKC_X_509
#define CKC_X_509
Definition pkcs11.h:356
CKR_DEVICE_ERROR
#define CKR_DEVICE_ERROR
Definition pkcs11.h:1108
CKR_SESSION_PARALLEL_NOT_SUPPORTED
#define CKR_SESSION_PARALLEL_NOT_SUPPORTED
Definition pkcs11.h:1139
CK_SESSION_HANDLE_PTR
ck_session_handle_t * CK_SESSION_HANDLE_PTR
Definition pkcs11.h:1227
CKA_ID
#define CKA_ID
Definition pkcs11.h:385
CK_MECHANISM_TYPE_PTR
ck_mechanism_type_t * CK_MECHANISM_TYPE_PTR
Definition pkcs11.h:1242
CKA_APPLICATION
#define CKA_APPLICATION
Definition pkcs11.h:367
CK_ULONG_PTR
CK_ULONG * CK_ULONG_PTR
Definition pkcs11.h:1199
CKM_ECDH1_DERIVE
#define CKM_ECDH1_DERIVE
Definition pkcs11.h:652
CKR_WRAPPING_KEY_TYPE_INCONSISTENT
#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT
Definition pkcs11.h:1164
value
#define value
Definition pkcs11.h:157
CK_ULONG
unsigned long int CK_ULONG
Definition pkcs11.h:1194
CKO_SECRET_KEY
#define CKO_SECRET_KEY
Definition pkcs11.h:304
CKK_RSA
#define CKK_RSA
Definition pkcs11.h:319
CRYPTOKI_VERSION_MINOR
#define CRYPTOKI_VERSION_MINOR
Definition pkcs11.h:66
CKM_RSA_PKCS_KEY_PAIR_GEN
#define CKM_RSA_PKCS_KEY_PAIR_GEN
Definition pkcs11.h:469
CKR_SESSION_HANDLE_INVALID
#define CKR_SESSION_HANDLE_INVALID
Definition pkcs11.h:1138
CKO_CERTIFICATE
#define CKO_CERTIFICATE
Definition pkcs11.h:301
CKF_USER_PIN_INITIALIZED
#define CKF_USER_PIN_INITIALIZED
Definition pkcs11.h:249
CKF_RW_SESSION
#define CKF_RW_SESSION
Definition pkcs11.h:293
CKS_RO_USER_FUNCTIONS
#define CKS_RO_USER_FUNCTIONS
Definition pkcs11.h:281
CKR_ARGUMENTS_BAD
#define CKR_ARGUMENTS_BAD
Definition pkcs11.h:1098
CKM_SHA256
#define CKM_SHA256
Definition pkcs11.h:541
CKU_USER
#define CKU_USER
Definition pkcs11.h:275
CKA_PRIVATE
#define CKA_PRIVATE
Definition pkcs11.h:365
CKG_MGF1_SHA384
#define CKG_MGF1_SHA384
Definition pkcs11.h:747
CK_SLOT_ID_PTR
ck_slot_id_t * CK_SLOT_ID_PTR
Definition pkcs11.h:1219
CKR_TOKEN_NOT_PRESENT
#define CKR_TOKEN_NOT_PRESENT
Definition pkcs11.h:1148
CKR_CRYPTOKI_NOT_INITIALIZED
#define CKR_CRYPTOKI_NOT_INITIALIZED
Definition pkcs11.h:1173
CKA_SENSITIVE
#define CKA_SENSITIVE
Definition pkcs11.h:386
CKR_PIN_INCORRECT
#define CKR_PIN_INCORRECT
Definition pkcs11.h:1131
CK_OBJECT_HANDLE_PTR
ck_object_handle_t * CK_OBJECT_HANDLE_PTR
Definition pkcs11.h:1232
CKF_REMOVABLE_DEVICE
#define CKF_REMOVABLE_DEVICE
Definition pkcs11.h:221
CKZ_DATA_SPECIFIED
#define CKZ_DATA_SPECIFIED
Definition pkcs11.h:752
CKM_RSA_PKCS_OAEP
#define CKM_RSA_PKCS_OAEP
Definition pkcs11.h:478
CKA_SIGN
#define CKA_SIGN
Definition pkcs11.h:391
CKR_WRAPPING_KEY_HANDLE_INVALID
#define CKR_WRAPPING_KEY_HANDLE_INVALID
Definition pkcs11.h:1162
CK_UNAVAILABLE_INFORMATION
#define CK_UNAVAILABLE_INFORMATION
Definition pkcs11.h:265
CK_TRUE
#define CK_TRUE
Definition pkcs11.h:1203
CKA_VALUE
#define CKA_VALUE
Definition pkcs11.h:368
CK_BYTE_PTR
CK_BYTE * CK_BYTE_PTR
Definition pkcs11.h:1196
CKF_OS_LOCKING_OK
#define CKF_OS_LOCKING_OK
Definition pkcs11.h:1090
CKR_OBJECT_HANDLE_INVALID
#define CKR_OBJECT_HANDLE_INVALID
Definition pkcs11.h:1128
CKM_SHA256_HMAC
#define CKM_SHA256_HMAC
Definition pkcs11.h:542
CK_VOID_PTR
void * CK_VOID_PTR
Definition pkcs11.h:1200
CKO_DATA
#define CKO_DATA
Definition pkcs11.h:300
CKO_PRIVATE_KEY
#define CKO_PRIVATE_KEY
Definition pkcs11.h:303
CKR_ENCRYPTED_DATA_INVALID
#define CKR_ENCRYPTED_DATA_INVALID
Definition pkcs11.h:1111
CKR_CRYPTOKI_ALREADY_INITIALIZED
#define CKR_CRYPTOKI_ALREADY_INITIALIZED
Definition pkcs11.h:1174
CKM_GENERIC_SECRET_KEY_GEN
#define CKM_GENERIC_SECRET_KEY_GEN
Definition pkcs11.h:586
CKF_SERIAL_SESSION
#define CKF_SERIAL_SESSION
Definition pkcs11.h:294
CKR_FUNCTION_FAILED
#define CKR_FUNCTION_FAILED
Definition pkcs11.h:1097
CKM_SHA384
#define CKM_SHA384
Definition pkcs11.h:544
CKR_OPERATION_NOT_INITIALIZED
#define CKR_OPERATION_NOT_INITIALIZED
Definition pkcs11.h:1130
CKM_EC_KEY_PAIR_GEN
#define CKM_EC_KEY_PAIR_GEN
Definition pkcs11.h:645
CKM_SHA384_HMAC
#define CKM_SHA384_HMAC
Definition pkcs11.h:545
CKR_TEMPLATE_INCONSISTENT
#define CKR_TEMPLATE_INCONSISTENT
Definition pkcs11.h:1147
CKR_OPERATION_ACTIVE
#define CKR_OPERATION_ACTIVE
Definition pkcs11.h:1129
CK_EFFECTIVELY_INFINITE
#define CK_EFFECTIVELY_INFINITE
Definition pkcs11.h:266
CKA_UNWRAP
#define CKA_UNWRAP
Definition pkcs11.h:390
CKM_SHA512
#define CKM_SHA512
Definition pkcs11.h:547
CK_BBOOL
unsigned char CK_BBOOL
Definition pkcs11.h:1193
CKR_BUFFER_TOO_SMALL
#define CKR_BUFFER_TOO_SMALL
Definition pkcs11.h:1169
CKS_RW_USER_FUNCTIONS
#define CKS_RW_USER_FUNCTIONS
Definition pkcs11.h:283
CKS_RO_PUBLIC_SESSION
#define CKS_RO_PUBLIC_SESSION
Definition pkcs11.h:280
CKA_DECRYPT
#define CKA_DECRYPT
Definition pkcs11.h:388
CKA_KEY_TYPE
#define CKA_KEY_TYPE
Definition pkcs11.h:383
CKA_VALUE_LEN
#define CKA_VALUE_LEN
Definition pkcs11.h:414
CKK_SHA384_HMAC
#define CKK_SHA384_HMAC
Definition pkcs11.h:346
CKF_RNG
#define CKF_RNG
Definition pkcs11.h:246
CKA_DESTROYABLE
#define CKA_DESTROYABLE
Definition pkcs11.h:422
CKR_ATTRIBUTE_VALUE_INVALID
#define CKR_ATTRIBUTE_VALUE_INVALID
Definition pkcs11.h:1105
CKA_ALWAYS_SENSITIVE
#define CKA_ALWAYS_SENSITIVE
Definition pkcs11.h:418
CKG_MGF1_SHA1
#define CKG_MGF1_SHA1
Definition pkcs11.h:744
CKA_CERTIFICATE_TYPE
#define CKA_CERTIFICATE_TYPE
Definition pkcs11.h:370
CKA_LABEL
#define CKA_LABEL
Definition pkcs11.h:366
CKA_EXTRACTABLE
#define CKA_EXTRACTABLE
Definition pkcs11.h:415
CKR_TEMPLATE_INCOMPLETE
#define CKR_TEMPLATE_INCOMPLETE
Definition pkcs11.h:1146
CKA_ENCRYPT
#define CKA_ENCRYPT
Definition pkcs11.h:387
CKR_HOST_MEMORY
#define CKR_HOST_MEMORY
Definition pkcs11.h:1094
CKR_SIGNATURE_LEN_RANGE
#define CKR_SIGNATURE_LEN_RANGE
Definition pkcs11.h:1145
CKR_USER_TYPE_INVALID
#define CKR_USER_TYPE_INVALID
Definition pkcs11.h:1157
CRYPTOKI_VERSION_MAJOR
#define CRYPTOKI_VERSION_MAJOR
Definition pkcs11.h:65
CKM_SHA512_HMAC
#define CKM_SHA512_HMAC
Definition pkcs11.h:548
CKR_KEY_HANDLE_INVALID
#define CKR_KEY_HANDLE_INVALID
Definition pkcs11.h:1116
CKF_TOKEN_PRESENT
#define CKF_TOKEN_PRESENT
Definition pkcs11.h:220
CKK_EC
#define CKK_EC
Definition pkcs11.h:323
CKK_SHA_1_HMAC
#define CKK_SHA_1_HMAC
Definition pkcs11.h:344
CK_UTF8CHAR_PTR
CK_UTF8CHAR * CK_UTF8CHAR_PTR
Definition pkcs11.h:1198
CKR_KEY_TYPE_INCONSISTENT
#define CKR_KEY_TYPE_INCONSISTENT
Definition pkcs11.h:1118
CKM_SHA_1
#define CKM_SHA_1
Definition pkcs11.h:532
CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT
#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT
Definition pkcs11.h:1153
CKA_WRAP
#define CKA_WRAP
Definition pkcs11.h:389
CKA_CLASS
#define CKA_CLASS
Definition pkcs11.h:363
CKK_SHA512_HMAC
#define CKK_SHA512_HMAC
Definition pkcs11.h:347
CKK_YUBICO_AES192_CCM_WRAP
#define CKK_YUBICO_AES192_CCM_WRAP
Definition pkcs11y.h:28
CKK_YUBICO_AES128_CCM_WRAP
#define CKK_YUBICO_AES128_CCM_WRAP
Definition pkcs11y.h:26
CKM_YUBICO_AES_CCM_WRAP
#define CKM_YUBICO_AES_CCM_WRAP
Definition pkcs11y.h:33
CKK_YUBICO_AES256_CCM_WRAP
#define CKK_YUBICO_AES256_CCM_WRAP
Definition pkcs11y.h:30
a
const GenericPointer< typename T::ValueType > T2 T::AllocatorType & a
Definition pointer.h:1181
uint16_t
unsigned short uint16_t
Definition stdint.h:125
uint32_t
unsigned int uint32_t
Definition stdint.h:126
uint8_t
unsigned char uint8_t
Definition stdint.h:124
CK_ECDH1_DERIVE_PARAMS
Definition pkcs11.h:734
CK_RSA_PKCS_OAEP_PARAMS
Definition pkcs11.h:754
CK_RSA_PKCS_PSS_PARAMS
Definition pkcs11.h:762
List::length
int length
Definition list.h:36
List::head
ListItem * head
Definition list.h:38
ListItem::data
void * data
Definition list.h:31
ListItem::next
ListItem * next
Definition list.h:32
ck_attribute
Definition pkcs11.h:455
ck_attribute::type
ck_attribute_type_t type
Definition pkcs11.h:456
ck_c_initialize_args
Definition pkcs11.h:1080
ck_c_initialize_args::flags
ck_flags_t flags
Definition pkcs11.h:1085
ck_function_list
Definition pkcs11.h:1003
ck_function_list::version
struct ck_version version
Definition pkcs11.h:1004
ck_info
Definition pkcs11.h:198
ck_mechanism_info
Definition pkcs11.h:700
ck_mechanism
Definition pkcs11.h:694
ck_mechanism::mechanism
ck_mechanism_type_t mechanism
Definition pkcs11.h:695
ck_session_info
Definition pkcs11.h:286
ck_slot_info
Definition pkcs11.h:212
ck_slot_info::flags
ck_flags_t flags
Definition pkcs11.h:215
ck_token_info
Definition pkcs11.h:225
ck_version
Definition pkcs11.h:193
decrypt_info::key_len
CK_ULONG key_len
Definition yubihsm_pkcs11.h:80
decrypt_info::finalized
bool finalized
Definition yubihsm_pkcs11.h:81
decrypt_info::key_id
uint16_t key_id
Definition yubihsm_pkcs11.h:79
digest_info::is_multipart
bool is_multipart
Definition yubihsm_pkcs11.h:75
digest_info::digest_len
CK_ULONG digest_len
Definition yubihsm_pkcs11.h:74
ecdh_session_key
Definition yubihsm_pkcs11.h:122
ecdh_session_key::ecdh_key
uint8_t ecdh_key[ECDH_KEY_BUF_SIZE]
The key itself.
Definition yubihsm_pkcs11.h:126
ecdh_session_key::len
size_t len
The length of the key.
Definition yubihsm_pkcs11.h:128
ecdh_session_key::label
char label[YH_OBJ_LABEL_LEN+1]
Object label.
Definition yubihsm_pkcs11.h:130
ecdh_session_key::id
CK_OBJECT_HANDLE id
Definition yubihsm_pkcs11.h:124
encrypt_info::key_id
uint16_t key_id
Definition yubihsm_pkcs11.h:85
find_info::current_object
uint16_t current_object
Definition yubihsm_pkcs11.h:60
find_info::only_private
bool only_private
Definition yubihsm_pkcs11.h:62
find_info::n_objects
size_t n_objects
Definition yubihsm_pkcs11.h:61
find_info::objects
yh_object_descriptor objects[YH_MAX_ITEMS_COUNT]
Definition yubihsm_pkcs11.h:59
mechanism::oaep
struct mechanism::@110::@112 oaep
mechanism::pss
struct mechanism::@110::@113 pss
mechanism::mechanism
CK_MECHANISM_TYPE mechanism
Definition yubihsm_pkcs11.h:108
sign_info::key_id
uint16_t key_id
Definition yubihsm_pkcs11.h:67
sign_info::sig_len
uint16_t sig_len
Definition yubihsm_pkcs11.h:69
sign_info::key_len
CK_ULONG key_len
Definition yubihsm_pkcs11.h:68
verify_info::key_id
uint16_t key_id
Definition yubihsm_pkcs11.h:94
verify_info::padding
int padding
Definition yubihsm_pkcs11.h:91
verify_info::saltLen
unsigned long saltLen
Definition yubihsm_pkcs11.h:92
verify_info::md
const EVP_MD * md
Definition yubihsm_pkcs11.h:90
verify_info::key_len
CK_ULONG key_len
Definition yubihsm_pkcs11.h:95
verify_info::mgf1md
const EVP_MD * mgf1md
Definition yubihsm_pkcs11.h:93
yh_capabilities
Capabilities representation.
Definition yubihsm.h:162
yh_connector
Definition internal.h:37
yh_object_descriptor
Definition yubihsm.h:540
yh_object_descriptor::algorithm
yh_algorithm algorithm
Object algorithm.
Definition yubihsm.h:552
yh_object_descriptor::len
uint16_t len
Object length.
Definition yubihsm.h:546
yh_object_descriptor::id
uint16_t id
Object ID.
Definition yubihsm.h:544
yh_object_descriptor::capabilities
yh_capabilities capabilities
Object capabilities.
Definition yubihsm.h:542
yh_object_descriptor::label
char label[YH_OBJ_LABEL_LEN+1]
Object label.
Definition yubihsm.h:558
yh_object_descriptor::type
yh_object_type type
Object type.
Definition yubihsm.h:550
yubihsm_pkcs11_context
Definition yubihsm_pkcs11.h:141
yubihsm_pkcs11_context::mutex
void * mutex
Definition yubihsm_pkcs11.h:147
yubihsm_pkcs11_context::unlock_mutex
CK_UNLOCKMUTEX unlock_mutex
Definition yubihsm_pkcs11.h:146
yubihsm_pkcs11_context::lock_mutex
CK_LOCKMUTEX lock_mutex
Definition yubihsm_pkcs11.h:145
yubihsm_pkcs11_context::destroy_mutex
CK_DESTROYMUTEX destroy_mutex
Definition yubihsm_pkcs11.h:144
yubihsm_pkcs11_context::create_mutex
CK_CREATEMUTEX create_mutex
Definition yubihsm_pkcs11.h:143
yubihsm_pkcs11_context::slots
List slots
Definition yubihsm_pkcs11.h:142
yubihsm_pkcs11_object_desc
Definition yubihsm_pkcs11.h:41
yubihsm_pkcs11_object_template
Definition yubihsm_pkcs11.h:177
yubihsm_pkcs11_op_info::mechanism
mechanism mechanism
Definition yubihsm_pkcs11.h:135
yubihsm_pkcs11_op_info::op
op op
Definition yubihsm_pkcs11.h:136
yubihsm_pkcs11_op_info::type
yubihsm_pkcs11_op_type type
Definition yubihsm_pkcs11.h:134
yubihsm_pkcs11_op_info::buffer_length
unsigned int buffer_length
Definition yubihsm_pkcs11.h:138
yubihsm_pkcs11_session
Definition yubihsm_pkcs11.h:163
yubihsm_pkcs11_session::operation
yubihsm_pkcs11_op_info operation
Definition yubihsm_pkcs11.h:165
yubihsm_pkcs11_session::slot
yubihsm_pkcs11_slot * slot
Definition yubihsm_pkcs11.h:167
yubihsm_pkcs11_session::ecdh_session_keys
List ecdh_session_keys
Definition yubihsm_pkcs11.h:168
yubihsm_pkcs11_session::session_state
yubihsm_pkcs11_session_state session_state
Definition yubihsm_pkcs11.h:166
yubihsm_pkcs11_slot
Definition yubihsm_pkcs11.h:150
yubihsm_pkcs11_slot::mutex
void * mutex
Definition yubihsm_pkcs11.h:160
yubihsm_pkcs11_slot::id
uint16_t id
Definition yubihsm_pkcs11.h:151
yubihsm_pkcs11_slot::connector
yh_connector * connector
Definition yubihsm_pkcs11.h:154
yubihsm_pkcs11_slot::pkcs11_sessions
List pkcs11_sessions
Definition yubihsm_pkcs11.h:156
yubihsm_pkcs11_slot::device_session
yh_session * device_session
Definition yubihsm_pkcs11.h:155
yubihsm_pkcs11_slot::objects
yubihsm_pkcs11_object_desc objects[YH_MAX_ITEMS_COUNT]
Definition yubihsm_pkcs11.h:157
params
account_query_db::get_accounts_by_authorizers_params params
Definition test_account_query_db.cpp:20
op::digest
digest_info digest
Definition yubihsm_pkcs11.h:101
op::find
find_info find
Definition yubihsm_pkcs11.h:99
op::decrypt
decrypt_info decrypt
Definition yubihsm_pkcs11.h:103
op::verify
verify_info verify
Definition yubihsm_pkcs11.h:102
op::encrypt
encrypt_info encrypt
Definition yubihsm_pkcs11.h:104
op::sign
sign_info sign
Definition yubihsm_pkcs11.h:100
is_PKCS1v1_5_sign_mechanism
bool is_PKCS1v1_5_sign_mechanism(CK_MECHANISM_TYPE m)
Definition util_pkcs11.c:2673
is_ECDSA_sign_mechanism
bool is_ECDSA_sign_mechanism(CK_MECHANISM_TYPE m)
Definition util_pkcs11.c:2690
set_template_attribute
CK_RV set_template_attribute(yubihsm_pkcs11_attribute *attribute, void *value)
Definition util_pkcs11.c:2953
get_mechanism_list
CK_RV get_mechanism_list(yubihsm_pkcs11_slot *slot, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR count)
Definition util_pkcs11.c:73
add_connectors
bool add_connectors(yubihsm_pkcs11_context *ctx, int n_connectors, char **connector_names, yh_connector **connectors)
Definition util_pkcs11.c:2924
apply_verify_mechanism_finalize
CK_RV apply_verify_mechanism_finalize(yubihsm_pkcs11_op_info *op_info __attribute((unused)))
Definition util_pkcs11.c:2150
decrypt_mechanism_cleanup
bool decrypt_mechanism_cleanup(yubihsm_pkcs11_op_info *op_info)
Definition util_pkcs11.c:2566
verify_mechanism_cleanup
bool verify_mechanism_cleanup(yubihsm_pkcs11_op_info *op_info)
Definition util_pkcs11.c:2556
populate_template
CK_RV populate_template(int type, void *object, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yh_session *session)
Definition util_pkcs11.c:3872
check_encrypt_mechanism
bool check_encrypt_mechanism(yubihsm_pkcs11_slot *slot, CK_MECHANISM_PTR pMechanism)
Definition util_pkcs11.c:1702
parse_ec_generate_template
CK_RV parse_ec_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateKeyAttributeCount, yubihsm_pkcs11_object_template *template)
Definition util_pkcs11.c:3570
apply_verify_mechanism_init
CK_RV apply_verify_mechanism_init(yubihsm_pkcs11_op_info *op_info)
Definition util_pkcs11.c:1821
perform_digest
CK_RV perform_digest(yubihsm_pkcs11_op_info *op_info, uint8_t *digest, uint16_t *digest_len)
Definition util_pkcs11.c:2533
is_PSS_sign_mechanism
bool is_PSS_sign_mechanism(CK_MECHANISM_TYPE m)
Definition util_pkcs11.c:2707
release_slot
void release_slot(yubihsm_pkcs11_context *ctx, yubihsm_pkcs11_slot *slot)
Definition util_pkcs11.c:2782
apply_decrypt_mechanism_finalize
CK_RV apply_decrypt_mechanism_finalize(yubihsm_pkcs11_op_info *op_info __attribute((unused)))
Definition util_pkcs11.c:2156
parse_rsa_generate_template
CK_RV parse_rsa_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateKeyAttributeCount, yubihsm_pkcs11_object_template *template)
Definition util_pkcs11.c:3305
is_HMAC_sign_mechanism
bool is_HMAC_sign_mechanism(CK_MECHANISM_TYPE m)
Definition util_pkcs11.c:2724
get_session
CK_RV get_session(yubihsm_pkcs11_context *ctx, CK_SESSION_HANDLE hSession, yubihsm_pkcs11_session **session, int session_state)
Definition util_pkcs11.c:2789
parse_hex
bool parse_hex(CK_UTF8CHAR_PTR hex, CK_ULONG hex_len, uint8_t *parsed)
Definition util_pkcs11.c:464
apply_digest_mechanism_init
CK_RV apply_digest_mechanism_init(yubihsm_pkcs11_op_info *op_info)
Definition util_pkcs11.c:1902
perform_signature
CK_RV perform_signature(yh_session *session, yubihsm_pkcs11_op_info *op_info, uint8_t *signature, uint16_t *signature_len)
Definition util_pkcs11.c:2410
validate_derive_key_attribute
CK_RV validate_derive_key_attribute(CK_ATTRIBUTE_TYPE type, void *value)
Definition util_pkcs11.c:3940
apply_encrypt_mechanism_update
CK_RV apply_encrypt_mechanism_update(yubihsm_pkcs11_op_info *op_info, CK_BYTE_PTR in, CK_ULONG in_len)
Definition util_pkcs11.c:2075
check_decrypt_mechanism
bool check_decrypt_mechanism(yubihsm_pkcs11_slot *slot, CK_MECHANISM_PTR pMechanism)
Definition util_pkcs11.c:1678
check_digest_mechanism
bool check_digest_mechanism(CK_MECHANISM_PTR pMechanism)
Definition util_pkcs11.c:1725
parse_wrap_template
CK_RV parse_wrap_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yubihsm_pkcs11_object_template *template, bool generate)
Definition util_pkcs11.c:3801
parse_id_value
int parse_id_value(void *value, CK_ULONG len)
Definition util_pkcs11.c:3556
parse_ec_template
CK_RV parse_ec_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yubihsm_pkcs11_object_template *template)
Definition util_pkcs11.c:3150
sign_mechanism_cleanup
bool sign_mechanism_cleanup(yubihsm_pkcs11_op_info *op_info)
Definition util_pkcs11.c:2546
create_session
bool create_session(yubihsm_pkcs11_slot *slot, CK_FLAGS flags, CK_SESSION_HANDLE_PTR phSession)
Definition util_pkcs11.c:491
apply_sign_mechanism_finalize
CK_RV apply_sign_mechanism_finalize(yubihsm_pkcs11_op_info *op_info)
Definition util_pkcs11.c:2117
get_slot
yubihsm_pkcs11_slot * get_slot(yubihsm_pkcs11_context *ctx, CK_ULONG id)
Definition util_pkcs11.c:2766
parse_hmac_template
CK_RV parse_hmac_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yubihsm_pkcs11_object_template *template, bool generate)
Definition util_pkcs11.c:3229
is_RSA_sign_mechanism
bool is_RSA_sign_mechanism(CK_MECHANISM_TYPE m)
Definition util_pkcs11.c:2605
apply_sign_mechanism_update
CK_RV apply_sign_mechanism_update(yubihsm_pkcs11_op_info *op_info, CK_BYTE_PTR in, CK_ULONG in_len)
Definition util_pkcs11.c:1943
set_native_locking
void set_native_locking(yubihsm_pkcs11_context *ctx)
Definition util_pkcs11.c:2916
apply_decrypt_mechanism_update
CK_RV apply_decrypt_mechanism_update(yubihsm_pkcs11_op_info *op_info, CK_BYTE_PTR in, CK_ULONG in_len)
Definition util_pkcs11.c:2053
check_wrap_mechanism
bool check_wrap_mechanism(yubihsm_pkcs11_slot *slot, CK_MECHANISM_PTR pMechanism)
Definition util_pkcs11.c:1740
get_object_desc
yubihsm_pkcs11_object_desc * get_object_desc(yh_session *session, yubihsm_pkcs11_object_desc *objects, CK_OBJECT_HANDLE objHandle)
Definition util_pkcs11.c:1587
delete_session
bool delete_session(yubihsm_pkcs11_context *ctx, CK_SESSION_HANDLE_PTR phSession)
Definition util_pkcs11.c:2831
apply_digest_mechanism_update
CK_RV apply_digest_mechanism_update(yubihsm_pkcs11_op_info *op_info, CK_BYTE_PTR in, CK_ULONG in_len)
Definition util_pkcs11.c:2095
check_verify_mechanism
bool check_verify_mechanism(yubihsm_pkcs11_slot *slot, CK_MECHANISM_PTR pMechanism)
Definition util_pkcs11.c:1672
perform_decrypt
CK_RV perform_decrypt(yh_session *session, yubihsm_pkcs11_op_info *op_info, uint8_t *data, uint16_t *data_len)
Definition util_pkcs11.c:2463
apply_decrypt_mechanism_init
CK_RV apply_decrypt_mechanism_init(yubihsm_pkcs11_op_info *op_info)
Definition util_pkcs11.c:1884
apply_digest_mechanism_finalize
CK_RV apply_digest_mechanism_finalize(yubihsm_pkcs11_op_info *op_info)
Definition util_pkcs11.c:2163
get_mechanism_info
bool get_mechanism_info(yubihsm_pkcs11_slot *slot, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo)
Definition util_pkcs11.c:313
release_session
void release_session(yubihsm_pkcs11_context *ctx, yubihsm_pkcs11_session *session)
Definition util_pkcs11.c:2850
perform_verify
CK_RV perform_verify(yh_session *session, yubihsm_pkcs11_op_info *op_info, uint8_t *signature, uint16_t signature_len)
Definition util_pkcs11.c:2225
parse_rsa_template
CK_RV parse_rsa_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, yubihsm_pkcs11_object_template *template)
Definition util_pkcs11.c:2976
get_digest_bytelength
CK_ULONG get_digest_bytelength(CK_MECHANISM_TYPE m)
Definition util_pkcs11.c:2583
apply_sign_mechanism_init
CK_RV apply_sign_mechanism_init(yubihsm_pkcs11_op_info *op_info)
Definition util_pkcs11.c:1763
digest_mechanism_cleanup
bool digest_mechanism_cleanup(yubihsm_pkcs11_op_info *op_info)
Definition util_pkcs11.c:2573
apply_verify_mechanism_update
CK_RV apply_verify_mechanism_update(yubihsm_pkcs11_op_info *op_info, CK_BYTE_PTR in, CK_ULONG in_len)
Definition util_pkcs11.c:2007
check_sign_mechanism
bool check_sign_mechanism(yubihsm_pkcs11_slot *slot, CK_MECHANISM_PTR pMechanism)
Definition util_pkcs11.c:1646
perform_encrypt
CK_RV perform_encrypt(yh_session *session, yubihsm_pkcs11_op_info *op_info, uint8_t *data, uint16_t *data_len)
Definition util_pkcs11.c:2505
util_pkcs11.h
yh_is_rsa
bool yh_is_rsa(yh_algorithm algorithm)
Definition yubihsm.c:4245
yh_util_import_opaque
yh_rc yh_util_import_opaque(yh_session *session, uint16_t *object_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *in, size_t in_len)
Definition yubihsm.c:2666
yh_connector_has_device
bool yh_connector_has_device(yh_connector *connector)
Definition yubihsm.c:906
yh_util_import_hmac_key
yh_rc yh_util_import_hmac_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *key, size_t key_len)
Definition yubihsm.c:1750
yh_destroy_session
yh_rc yh_destroy_session(yh_session **session)
Definition yubihsm.c:890
yh_util_generate_hmac_key
yh_rc yh_util_generate_hmac_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Definition yubihsm.c:1992
yh_util_generate_wrap_key
yh_rc yh_util_generate_wrap_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const yh_capabilities *delegated_capabilities)
Definition yubihsm.c:2458
yh_util_derive_ecdh
yh_rc yh_util_derive_ecdh(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:2174
yh_util_generate_ec_key
yh_rc yh_util_generate_ec_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Definition yubihsm.c:1913
yh_exit
yh_rc yh_exit(void)
Definition yubihsm.c:3910
yh_get_key_bitlength
yh_rc yh_get_key_bitlength(yh_algorithm algorithm, size_t *result)
Definition yubihsm.c:4309
yh_util_import_wrap_key
yh_rc yh_util_import_wrap_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const yh_capabilities *delegated_capabilities, const uint8_t *in, size_t in_len)
Definition yubihsm.c:2363
yh_create_session_derived
yh_rc yh_create_session_derived(yh_connector *connector, uint16_t authkey_id, const uint8_t *password, size_t password_len, bool recreate, yh_session **session)
Definition yubihsm.c:593
yh_init
yh_rc yh_init(void)
Definition yubihsm.c:3857
yh_util_close_session
yh_rc yh_util_close_session(yh_session *session)
Definition yubihsm.c:1257
yh_util_get_device_info
yh_rc yh_util_get_device_info(yh_connector *connector, uint8_t *major, uint8_t *minor, uint8_t *patch, uint32_t *serial, uint8_t *log_total, uint8_t *log_used, yh_algorithm *algorithms, size_t *n_algorithms)
Definition yubihsm.c:938
yh_authenticate_session
yh_rc yh_authenticate_session(yh_session *session)
Definition yubihsm.c:2927
yh_util_get_object_info
yh_rc yh_util_get_object_info(yh_session *session, uint16_t id, yh_object_type type, yh_object_descriptor *object)
Definition yubihsm.c:1128
yh_util_list_objects
yh_rc yh_util_list_objects(yh_session *session, uint16_t id, yh_object_type type, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const char *label, yh_object_descriptor *objects, size_t *n_objects)
Definition yubihsm.c:1030
yh_set_connector_option
yh_rc yh_set_connector_option(yh_connector *connector, yh_connector_option opt, const void *val)
Definition yubihsm.c:4063
yh_init_connector
yh_rc yh_init_connector(const char *url, yh_connector **connector)
Definition yubihsm.c:4024
yh_connect
yh_rc yh_connect(yh_connector *connector, int timeout)
Definition yubihsm.c:4079
yh_util_export_wrapped
yh_rc yh_util_export_wrapped(yh_session *session, uint16_t wrapping_key_id, yh_object_type target_type, uint16_t target_id, uint8_t *out, size_t *out_len)
Definition yubihsm.c:2265
yh_string_to_capabilities
yh_rc yh_string_to_capabilities(const char *capability, yh_capabilities *result)
Definition yubihsm.c:4115
yh_util_import_rsa_key
yh_rc yh_util_import_rsa_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *p, const uint8_t *q)
Definition yubihsm.c:1655
yh_disconnect
yh_rc yh_disconnect(yh_connector *connector)
Definition yubihsm.c:4097
yh_util_generate_rsa_key
yh_rc yh_util_generate_rsa_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Definition yubihsm.c:1900
yh_check_capability
bool yh_check_capability(const yh_capabilities *capabilities, const char *capability)
Definition yubihsm.c:4198
yh_util_import_ec_key
yh_rc yh_util_import_ec_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *s)
Definition yubihsm.c:1689
yh_util_import_wrapped
yh_rc yh_util_import_wrapped(yh_session *session, uint16_t wrapping_key_id, const uint8_t *in, size_t in_len, yh_object_type *target_type, uint16_t *target_id)
Definition yubihsm.c:2309
yh_util_delete_object
yh_rc yh_util_delete_object(yh_session *session, uint16_t id, yh_object_type type)
Definition yubihsm.c:2222
yh_util_get_pseudo_random
yh_rc yh_util_get_pseudo_random(yh_session *session, size_t len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:1560
yh_object_type
yh_object_type
Definition yubihsm.h:359
YH_WRAP_KEY
@ YH_WRAP_KEY
Definition yubihsm.h:369
YH_OPAQUE
@ YH_OPAQUE
Definition yubihsm.h:362
YH_HMAC_KEY
@ YH_HMAC_KEY
HMAC Key is a secret key used when computing and verifying HMAC signatures.
Definition yubihsm.h:371
YH_ASYMMETRIC_KEY
@ YH_ASYMMETRIC_KEY
Asymmetric Key is the private key of an asymmetric key-pair.
Definition yubihsm.h:366
YH_PUBLIC_KEY
@ YH_PUBLIC_KEY
Definition yubihsm.h:379
YH_MAX_ITEMS_COUNT
#define YH_MAX_ITEMS_COUNT
Max items the device may hold.
Definition yubihsm.h:103
YH_OBJ_LABEL_LEN
#define YH_OBJ_LABEL_LEN
Max length of object labels.
Definition yubihsm.h:123
yh_algorithm
yh_algorithm
Definition yubihsm.h:390
YH_ALGO_MGF1_SHA512
@ YH_ALGO_MGF1_SHA512
mgf1-sha512
Definition yubihsm.h:460
YH_ALGO_OPAQUE_X509_CERTIFICATE
@ YH_ALGO_OPAQUE_X509_CERTIFICATE
opaque-x509-certificate
Definition yubihsm.h:452
YH_ALGO_MGF1_SHA384
@ YH_ALGO_MGF1_SHA384
mgf1-sha384
Definition yubihsm.h:458
YH_ALGO_OPAQUE_DATA
@ YH_ALGO_OPAQUE_DATA
opaque-data
Definition yubihsm.h:450
YH_ALGO_MGF1_SHA1
@ YH_ALGO_MGF1_SHA1
mgf1-sha1
Definition yubihsm.h:454
YH_ALGO_MGF1_SHA256
@ YH_ALGO_MGF1_SHA256
mgf1-sha256
Definition yubihsm.h:456
YH_CONNECTOR_PROXY_SERVER
@ YH_CONNECTOR_PROXY_SERVER
Definition yubihsm.h:506
YH_CONNECTOR_HTTPS_CA
@ YH_CONNECTOR_HTTPS_CA
Definition yubihsm.h:503
YH_CCM_WRAP_OVERHEAD
#define YH_CCM_WRAP_OVERHEAD
Definition yubihsm.h:149
yh_rc
yh_rc
Definition yubihsm.h:170
YHR_SUCCESS
@ YHR_SUCCESS
Returned value when function was successful.
Definition yubihsm.h:172
YHR_CRYPTOGRAM_MISMATCH
@ YHR_CRYPTOGRAM_MISMATCH
Returned value when failing to verify cryptogram.
Definition yubihsm.h:189
patch
uint8_t patch
Definition yubihsm_pkcs11.c:548
pulSize
CK_SESSION_HANDLE CK_OBJECT_HANDLE CK_ULONG_PTR pulSize
Definition yubihsm_pkcs11.c:1653
c_df_out
goto c_df_out
Definition yubihsm_pkcs11.c:3037
slot
yubihsm_pkcs11_slot * slot
Definition yubihsm_pkcs11.c:518
hObject
CK_SESSION_HANDLE CK_OBJECT_HANDLE hObject
Definition yubihsm_pkcs11.c:1565
pInfo
CK_SLOT_ID CK_SLOT_INFO_PTR pInfo
Definition yubihsm_pkcs11.c:504
ulPrivateKeyAttributeCount
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_ATTRIBUTE_PTR CK_ULONG CK_ATTRIBUTE_PTR CK_ULONG ulPrivateKeyAttributeCount
Definition yubihsm_pkcs11.c:4538
pPart
CK_SESSION_HANDLE CK_BYTE_PTR pPart
Definition yubihsm_pkcs11.c:2482
pulDataLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR CK_ULONG_PTR pulDataLen
Definition yubihsm_pkcs11.c:2812
capabilities
yh_capabilities capabilities
Definition yubihsm_pkcs11.c:1305
session
yubihsm_pkcs11_session * session
Definition yubihsm_pkcs11.c:972
pulWrappedKeyLen
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_OBJECT_HANDLE CK_OBJECT_HANDLE CK_BYTE_PTR CK_ULONG_PTR pulWrappedKeyLen
Definition yubihsm_pkcs11.c:4686
pulEncryptedDataLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR CK_ULONG_PTR pulEncryptedDataLen
Definition yubihsm_pkcs11.c:2395
c_s_out
goto c_s_out
Definition yubihsm_pkcs11.c:3640
pulLastEncryptedPartLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG_PTR pulLastEncryptedPartLen
Definition yubihsm_pkcs11.c:2541
c_vi_out
goto c_vi_out
Definition yubihsm_pkcs11.c:3916
d
CK_ULONG d
Definition yubihsm_pkcs11.c:1238
serial
uint32_t serial
Definition yubihsm_pkcs11.c:611
datalen
CK_ULONG datalen
Definition yubihsm_pkcs11.c:2428
c_gkp_out
goto c_gkp_out
Definition yubihsm_pkcs11.c:4586
target_type
yh_object_type target_type
Definition yubihsm_pkcs11.c:4868
hSession
CK_SESSION_HANDLE hSession
Definition yubihsm_pkcs11.c:780
secret_key
bool secret_key
Definition yubihsm_pkcs11.c:1931
full
bool full
Definition yubihsm_pkcs11.c:466
YUBIHSM_PKCS11_MAX_PIN_LEN
#define YUBIHSM_PKCS11_MAX_PIN_LEN
Definition yubihsm_pkcs11.c:44
type
CK_SLOT_ID CK_MECHANISM_TYPE type
Definition yubihsm_pkcs11.c:730
ulMaxObjectCount
CK_SESSION_HANDLE CK_OBJECT_HANDLE_PTR CK_ULONG ulMaxObjectCount
Definition yubihsm_pkcs11.c:2196
label
char * label
Definition yubihsm_pkcs11.c:1883
ulPartLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG ulPartLen
Definition yubihsm_pkcs11.c:2482
ulSignatureLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR CK_ULONG ulSignatureLen
Definition yubihsm_pkcs11.c:3997
ulOperationStateLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG ulOperationStateLen
Definition yubihsm_pkcs11.c:1034
phPrivateKey
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_ATTRIBUTE_PTR CK_ULONG CK_ATTRIBUTE_PTR CK_ULONG CK_OBJECT_HANDLE_PTR CK_OBJECT_HANDLE_PTR phPrivateKey
Definition yubihsm_pkcs11.c:4539
CKR_FUNCTION_NOT_PARALLEL
return CKR_FUNCTION_NOT_PARALLEL
Definition yubihsm_pkcs11.c:5111
privkey_id
uint16_t privkey_id
Definition yubihsm_pkcs11.c:4996
pub
bool pub
Definition yubihsm_pkcs11.c:1928
wrapping_key_type
int wrapping_key_type
Definition yubihsm_pkcs11.c:4710
pNewPin
CK_SESSION_HANDLE CK_UTF8CHAR_PTR CK_ULONG CK_UTF8CHAR_PTR pNewPin
Definition yubihsm_pkcs11.c:794
Notify
CK_SLOT_ID CK_FLAGS CK_VOID_PTR CK_NOTIFY Notify
Definition yubihsm_pkcs11.c:809
yh_get_connector_version
yh_get_connector_version(slot->connector, &major, &minor, &patch)
ret
CK_RV ret
Definition yubihsm_pkcs11.c:973
hBaseKey
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_OBJECT_HANDLE hBaseKey
Definition yubihsm_pkcs11.c:4899
CKR_OK
return CKR_OK
Definition yubihsm_pkcs11.c:417
mdctx
EVP_MD_CTX * mdctx
Definition yubihsm_pkcs11.c:2628
userType
CK_SESSION_HANDLE CK_USER_TYPE userType
Definition yubihsm_pkcs11.c:1080
pSlotList
CK_BBOOL CK_SLOT_ID_PTR pSlotList
Definition yubihsm_pkcs11.c:423
pulPartLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR CK_ULONG_PTR pulPartLen
Definition yubihsm_pkcs11.c:2927
hWrappingKey
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_OBJECT_HANDLE hWrappingKey
Definition yubihsm_pkcs11.c:4685
ulCount
CK_SESSION_HANDLE CK_ATTRIBUTE_PTR CK_ULONG ulCount
Definition yubihsm_pkcs11.c:1204
extractable_set
bool extractable_set
Definition yubihsm_pkcs11.c:1932
overflow
bool overflow
Definition yubihsm_pkcs11.c:467
phSession
CK_SLOT_ID CK_FLAGS CK_VOID_PTR CK_NOTIFY CK_SESSION_HANDLE_PTR phSession
Definition yubihsm_pkcs11.c:810
c_si_out
goto c_si_out
Definition yubihsm_pkcs11.c:3565
c_e_out
goto c_e_out
Definition yubihsm_pkcs11.c:2448
s
char * s
Definition yubihsm_pkcs11.c:524
j
uint16_t j
Definition yubihsm_pkcs11.c:465
domains
uint16_t domains
Definition yubihsm_pkcs11.c:1926
out_len
size_t out_len
Definition yubihsm_pkcs11.c:5000
c_gk_out
goto c_gk_out
Definition yubihsm_pkcs11.c:4512
ulEncryptedPartLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG ulEncryptedPartLen
Definition yubihsm_pkcs11.c:2927
major
uint8_t major
Definition yubihsm_pkcs11.c:546
pSlot
CK_FLAGS CK_SLOT_ID_PTR pSlot
Definition yubihsm_pkcs11.c:673
ulRandomLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG ulRandomLen
Definition yubihsm_pkcs11.c:5051
pWrappedKey
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_OBJECT_HANDLE CK_OBJECT_HANDLE CK_BYTE_PTR pWrappedKey
Definition yubihsm_pkcs11.c:4685
phPublicKey
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_ATTRIBUTE_PTR CK_ULONG CK_ATTRIBUTE_PTR CK_ULONG CK_OBJECT_HANDLE_PTR phPublicKey
Definition yubihsm_pkcs11.c:4539
pData
CK_SESSION_HANDLE CK_BYTE_PTR pData
Definition yubihsm_pkcs11.c:2394
digest_length
CK_ULONG digest_length
Definition yubihsm_pkcs11.c:3123
algorithm
yh_algorithm algorithm
Definition yubihsm_pkcs11.c:1929
function_list
CK_FUNCTION_LIST function_list
Definition yubihsm_pkcs11.c:5124
pEncryptedData
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR pEncryptedData
Definition yubihsm_pkcs11.c:2395
DOUT
DOUT
Definition yubihsm_pkcs11.c:416
ulNewLen
CK_SESSION_HANDLE CK_UTF8CHAR_PTR CK_ULONG CK_UTF8CHAR_PTR CK_ULONG ulNewLen
Definition yubihsm_pkcs11.c:794
pulLastPartLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG_PTR pulLastPartLen
Definition yubihsm_pkcs11.c:2992
hKey
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_OBJECT_HANDLE hKey
Definition yubihsm_pkcs11.c:2320
c_di_out
goto c_di_out
Definition yubihsm_pkcs11.c:2781
len
size_t len
Definition yubihsm_pkcs11.c:4771
terminate
bool terminate
Definition yubihsm_pkcs11.c:2400
pRandomData
CK_SESSION_HANDLE CK_BYTE_PTR pRandomData
Definition yubihsm_pkcs11.c:5051
phNewObject
CK_SESSION_HANDLE CK_OBJECT_HANDLE CK_ATTRIBUTE_PTR CK_ULONG CK_OBJECT_HANDLE_PTR phNewObject
Definition yubihsm_pkcs11.c:1567
pulSignatureLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR CK_ULONG_PTR pulSignatureLen
Definition yubihsm_pkcs11.c:3593
unwrapping_key_type
int unwrapping_key_type
Definition yubihsm_pkcs11.c:4838
hEncryptionKey
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_OBJECT_HANDLE hEncryptionKey
Definition yubihsm_pkcs11.c:1034
slotID
CK_SLOT_ID slotID
Definition yubihsm_pkcs11.c:504
ulWrappedKeyLen
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_OBJECT_HANDLE CK_BYTE_PTR CK_ULONG ulWrappedKeyLen
Definition yubihsm_pkcs11.c:4804
ppFunctionList
CK_FUNCTION_LIST_PTR_PTR ppFunctionList
Definition yubihsm_pkcs11.c:404
pMechanismList
CK_SLOT_ID CK_MECHANISM_TYPE_PTR pMechanismList
Definition yubihsm_pkcs11.c:686
c_d_out
goto c_d_out
Definition yubihsm_pkcs11.c:2858
pOperationState
CK_SESSION_HANDLE CK_BYTE_PTR pOperationState
Definition yubihsm_pkcs11.c:1019
buf
uint8_t buf[2048]
Definition yubihsm_pkcs11.c:4770
object
yh_object_descriptor object
Definition yubihsm_pkcs11.c:1544
UNUSED
#define UNUSED(x)
Definition yubihsm_pkcs11.c:46
pApplication
CK_SLOT_ID CK_FLAGS CK_VOID_PTR pApplication
Definition yubihsm_pkcs11.c:809
set
bool set
Definition yubihsm_pkcs11.c:1237
l
int l
Definition yubihsm_pkcs11.c:525
YUBIHSM_PKCS11_MANUFACTURER
#define YUBIHSM_PKCS11_MANUFACTURER
Definition yubihsm_pkcs11.c:41
pubkey
CK_BYTE_PTR pubkey
Definition yubihsm_pkcs11.c:4984
pulDigestLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR CK_ULONG_PTR pulDigestLen
Definition yubihsm_pkcs11.c:3147
pSeed
CK_SESSION_HANDLE CK_BYTE_PTR pSeed
Definition yubihsm_pkcs11.c:5038
pLastEncryptedPart
CK_SESSION_HANDLE CK_BYTE_PTR pLastEncryptedPart
Definition yubihsm_pkcs11.c:2540
basekey_type
int basekey_type
Definition yubihsm_pkcs11.c:4930
seq
int seq
Definition yubihsm_pkcs11.c:4986
rc
yh_rc rc
Definition yubihsm_pkcs11.c:1308
ulSeedLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG ulSeedLen
Definition yubihsm_pkcs11.c:5038
ulAttributeCount
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_OBJECT_HANDLE CK_BYTE_PTR CK_ULONG CK_ATTRIBUTE_PTR CK_ULONG ulAttributeCount
Definition yubihsm_pkcs11.c:4805
yrc
yh_rc yrc
Definition yubihsm_pkcs11.c:606
c_drv_out
goto c_drv_out
Definition yubihsm_pkcs11.c:4975
rv
CK_RV rv
Definition yubihsm_pkcs11.c:569
ulDataLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG ulDataLen
Definition yubihsm_pkcs11.c:2394
pPrivateKeyTemplate
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_ATTRIBUTE_PTR CK_ULONG CK_ATTRIBUTE_PTR pPrivateKeyTemplate
Definition yubihsm_pkcs11.c:4538
id
struct @108 id
Definition yubihsm_pkcs11.c:1304
phObject
CK_SESSION_HANDLE CK_ATTRIBUTE_PTR CK_ULONG CK_OBJECT_HANDLE_PTR phObject
Definition yubihsm_pkcs11.c:1205
pTemplate
CK_SESSION_HANDLE CK_ATTRIBUTE_PTR pTemplate
Definition yubihsm_pkcs11.c:1204
hAuthenticationKey
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_OBJECT_HANDLE CK_OBJECT_HANDLE hAuthenticationKey
Definition yubihsm_pkcs11.c:1035
wrapped_key_type
int wrapped_key_type
Definition yubihsm_pkcs11.c:4709
ulPublicKeyAttributeCount
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_ATTRIBUTE_PTR CK_ULONG ulPublicKeyAttributeCount
Definition yubihsm_pkcs11.c:4537
c_co_out
goto c_co_out
Definition yubihsm_pkcs11.c:1541
expected_key_length
size_t expected_key_length
Definition yubihsm_pkcs11.c:4939
ver
CK_VERSION ver
Definition yubihsm_pkcs11.c:657
YUBIHSM_PKCS11_MIN_PIN_LEN
#define YUBIHSM_PKCS11_MIN_PIN_LEN
Definition yubihsm_pkcs11.c:43
delete_object_from_cache
delete_object_from_cache(session->slot->objects, hObject)
CKR_RANDOM_SEED_NOT_SUPPORTED
return CKR_RANDOM_SEED_NOT_SUPPORTED
Definition yubihsm_pkcs11.c:5047
pMechanism
CK_SESSION_HANDLE CK_MECHANISM_PTR pMechanism
Definition yubihsm_pkcs11.c:2319
siglen
CK_ULONG siglen
Definition yubihsm_pkcs11.c:4029
pReserved
CK_FLAGS CK_SLOT_ID_PTR CK_VOID_PTR pReserved
Definition yubihsm_pkcs11.c:673
pulEncryptedPartLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR CK_ULONG_PTR pulEncryptedPartLen
Definition yubihsm_pkcs11.c:2483
key_length
size_t key_length
Definition yubihsm_pkcs11.c:3467
pDigest
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR pDigest
Definition yubihsm_pkcs11.c:3147
ulPinLen
CK_SLOT_ID CK_UTF8CHAR_PTR CK_ULONG ulPinLen
Definition yubihsm_pkcs11.c:765
c_ef_out
goto c_ef_out
Definition yubihsm_pkcs11.c:2574
unknown
bool unknown
Definition yubihsm_pkcs11.c:1930
ulOldLen
CK_SESSION_HANDLE CK_UTF8CHAR_PTR CK_ULONG ulOldLen
Definition yubihsm_pkcs11.c:793
DIN
DIN
Definition yubihsm_pkcs11.c:407
pPin
CK_SLOT_ID CK_UTF8CHAR_PTR pPin
Definition yubihsm_pkcs11.c:765
GLOBAL_UNLOCK_OR_RETURN
#define GLOBAL_UNLOCK_OR_RETURN
Definition yubihsm_pkcs11.c:59
CKR_FUNCTION_NOT_SUPPORTED
return CKR_FUNCTION_NOT_SUPPORTED
Definition yubihsm_pkcs11.c:682
ulEncryptedDataLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG ulEncryptedDataLen
Definition yubihsm_pkcs11.c:2812
GLOBAL_LOCK_OR_RETURN
#define GLOBAL_LOCK_OR_RETURN
Definition yubihsm_pkcs11.c:48
target_id
uint16_t target_id
Definition yubihsm_pkcs11.c:4867
pulCount
CK_BBOOL CK_SLOT_ID_PTR CK_ULONG_PTR pulCount
Definition yubihsm_pkcs11.c:423
key_id
uint16_t key_id
Definition yubihsm_pkcs11.c:1104
memset
memset(pInfo->slotDescription, ' ', 64)
pPublicKeyTemplate
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_ATTRIBUTE_PTR pPublicKeyTemplate
Definition yubihsm_pkcs11.c:4537
ecdh_key
ecdh_session_key ecdh_key
Definition yubihsm_pkcs11.c:4998
label_buf
char * label_buf
Definition yubihsm_pkcs11.c:4937
flags
pInfo flags
Definition yubihsm_pkcs11.c:540
yh_get_connector_address
yh_get_connector_address(slot->connector, &s)
minor
uint8_t minor
Definition yubihsm_pkcs11.c:547
label_len
size_t label_len
Definition yubihsm_pkcs11.c:4938
memcpy
memcpy((char *) pInfo->slotDescription, s, l)
c_v_out
goto c_v_out
Definition yubihsm_pkcs11.c:4060
pEncryptedPart
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR pEncryptedPart
Definition yubihsm_pkcs11.c:2483
YUBIHSM_PKCS11_LIBDESC
#define YUBIHSM_PKCS11_LIBDESC
Definition yubihsm_pkcs11.c:42
pLastPart
CK_SESSION_HANDLE CK_BYTE_PTR pLastPart
Definition yubihsm_pkcs11.c:2991
pulOperationStateLen
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG_PTR pulOperationStateLen
Definition yubihsm_pkcs11.c:1020
in_len
size_t in_len
Definition yubihsm_pkcs11.c:4978
tokenPresent
CK_BBOOL tokenPresent
Definition yubihsm_pkcs11.c:423
pOldPin
CK_SESSION_HANDLE CK_UTF8CHAR_PTR pOldPin
Definition yubihsm_pkcs11.c:793
hUnwrappingKey
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_OBJECT_HANDLE hUnwrappingKey
Definition yubihsm_pkcs11.c:4803
key_type
struct @108 key_type
delegated_capabilities
yh_capabilities delegated_capabilities
Definition yubihsm_pkcs11.c:1306
pulObjectCount
CK_SESSION_HANDLE CK_OBJECT_HANDLE_PTR CK_ULONG CK_ULONG_PTR pulObjectCount
Definition yubihsm_pkcs11.c:2196
pLabel
CK_SLOT_ID CK_UTF8CHAR_PTR CK_ULONG CK_UTF8CHAR_PTR pLabel
Definition yubihsm_pkcs11.c:766
phKey
CK_SESSION_HANDLE CK_MECHANISM_PTR CK_ATTRIBUTE_PTR CK_ULONG CK_OBJECT_HANDLE_PTR phKey
Definition yubihsm_pkcs11.c:4316
pSignature
CK_SESSION_HANDLE CK_BYTE_PTR CK_ULONG CK_BYTE_PTR pSignature
Definition yubihsm_pkcs11.c:3593
yubihsm_pkcs11.h
SESSION_AUTHENTICATED_RW
@ SESSION_AUTHENTICATED_RW
Definition yubihsm_pkcs11.h:34
SESSION_AUTHENTICATED_RO
@ SESSION_AUTHENTICATED_RO
Definition yubihsm_pkcs11.h:33
SESSION_RESERVED_RO
@ SESSION_RESERVED_RO
Definition yubihsm_pkcs11.h:31
SESSION_RESERVED_RW
@ SESSION_RESERVED_RW
Definition yubihsm_pkcs11.h:32
SESSION_NOT_AUTHENTICATED
#define SESSION_NOT_AUTHENTICATED
Definition yubihsm_pkcs11.h:39
MAX_ECDH_SESSION_KEYS
#define MAX_ECDH_SESSION_KEYS
Definition yubihsm_pkcs11.h:26
SESSION_AUTHENTICATED
#define SESSION_AUTHENTICATED
Definition yubihsm_pkcs11.h:37
ATTRIBUTE_TRUE
@ ATTRIBUTE_TRUE
Definition yubihsm_pkcs11.h:174
OPERATION_FIND
@ OPERATION_FIND
Definition yubihsm_pkcs11.h:49
OPERATION_DIGEST
@ OPERATION_DIGEST
Definition yubihsm_pkcs11.h:52
OPERATION_ENCRYPT
@ OPERATION_ENCRYPT
Definition yubihsm_pkcs11.h:55
OPERATION_SIGN
@ OPERATION_SIGN
Definition yubihsm_pkcs11.h:51
OPERATION_NOOP
@ OPERATION_NOOP
Definition yubihsm_pkcs11.h:48
OPERATION_VERIFY
@ OPERATION_VERIFY
Definition yubihsm_pkcs11.h:54
OPERATION_DECRYPT
@ OPERATION_DECRYPT
Definition yubihsm_pkcs11.h:53
ECDH_KEY_TYPE
#define ECDH_KEY_TYPE
Definition yubihsm_pkcs11.h:28