39 #include <libxml/tree.h>
40 #include <libxml/parser.h>
41 #include <libxml/xpath.h>
42 #include <libxml/xpathInternals.h>
43 #include <libxml/relaxng.h>
52 #define HSM_TOKEN_LABEL_LENGTH 32
59 ldns_pkcs11_rv_str(CK_RV rv)
68 return "CKR_HOST_MEMORY";
70 return "CKR_GENERAL_ERROR";
72 return "CKR_FUNCTION_FAILED";
74 return "CKR_SLOT_ID_INVALID";
76 return "CKR_ATTRIBUTE_READ_ONLY";
78 return "CKR_ATTRIBUTE_SENSITIVE";
80 return "CKR_ATTRIBUTE_TYPE_INVALID";
82 return "CKR_ATTRIBUTE_VALUE_INVALID";
84 return "CKR_DATA_INVALID";
86 return "CKR_DATA_LEN_RANGE";
88 return "CKR_DEVICE_ERROR";
90 return "CKR_DEVICE_MEMORY";
92 return "CKR_DEVICE_REMOVED";
94 return "CKR_ENCRYPTED_DATA_INVALID";
96 return "CKR_ENCRYPTED_DATA_LEN_RANGE";
98 return "CKR_FUNCTION_CANCELED";
100 return "CKR_FUNCTION_NOT_PARALLEL";
102 return "CKR_FUNCTION_NOT_SUPPORTED";
104 return "CKR_KEY_HANDLE_INVALID";
106 return "CKR_KEY_SIZE_RANGE";
108 return "CKR_KEY_TYPE_INCONSISTENT";
110 return "CKR_MECHANISM_INVALID";
112 return "CKR_MECHANISM_PARAM_INVALID";
114 return "CKR_OBJECT_HANDLE_INVALID";
116 return "CKR_OPERATION_ACTIVE";
118 return "CKR_OPERATION_NOT_INITIALIZED";
120 return "CKR_PIN_INCORRECT";
122 return "CKR_PIN_INVALID";
124 return "CKR_PIN_LEN_RANGE";
126 return "CKR_SESSION_CLOSED";
128 return "CKR_SESSION_COUNT";
130 return "CKR_SESSION_HANDLE_INVALID";
132 return "CKR_SESSION_PARALLEL_NOT_SUPPORTED";
134 return "CKR_SESSION_READ_ONLY";
136 return "CKR_SESSION_EXISTS";
138 return "CKR_SIGNATURE_INVALID";
140 return "CKR_SIGNATURE_LEN_RANGE";
142 return "CKR_TEMPLATE_INCOMPLETE";
144 return "CKR_TEMPLATE_INCONSISTENT";
146 return "CKR_TOKEN_NOT_PRESENT";
148 return "CKR_TOKEN_NOT_RECOGNIZED";
150 return "CKR_TOKEN_WRITE_PROTECTED";
152 return "CKR_UNWRAPPING_KEY_HANDLE_INVALID";
154 return "CKR_UNWRAPPING_KEY_SIZE_RANGE";
156 return "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT";
158 return "CKR_USER_ALREADY_LOGGED_IN";
160 return "CKR_USER_NOT_LOGGED_IN";
162 return "CKR_USER_PIN_NOT_INITIALIZED";
164 return "CKR_USER_TYPE_INVALID";
166 return "CKR_WRAPPED_KEY_INVALID";
168 return "CKR_WRAPPED_KEY_LEN_RANGE";
170 return "CKR_WRAPPING_KEY_HANDLE_INVALID";
172 return "CKR_WRAPPING_KEY_SIZE_RANGE";
174 return "CKR_WRAPPING_KEY_TYPE_INCONSISTENT";
176 return "CKR_RANDOM_SEED_NOT_SUPPORTED";
178 return "CKR_VENDOR_DEFINED";
180 return "CKR_BUFFER_TOO_SMALL";
182 return "CKR_SAVED_STATE_INVALID";
184 return "CKR_INFORMATION_SENSITIVE";
186 return "CKR_STATE_UNSAVEABLE";
188 return "CKR_CRYPTOKI_NOT_INITIALIZED";
190 return "CKR_CRYPTOKI_ALREADY_INITIALIZED";
192 return "CKR_MUTEX_BAD";
194 return "CKR_MUTEX_NOT_LOCKED";
196 return "Unknown error";
213 const char *message, ...)
217 if (ctx && ctx->
error == 0) {
221 va_start(args, message);
240 hsm_pkcs11_check_error(
hsm_ctx_t *ctx, CK_RV rv,
const char *action)
243 if (ctx && ctx->
error == 0) {
244 ctx->
error = (int) rv;
255 hsm_pkcs11_unload_functions(
void *handle)
259 #if defined(HAVE_LOADLIBRARY)
261 #elif defined(HAVE_DLOPEN)
262 result = dlclose(handle);
271 CK_C_GetFunctionList pGetFunctionList = NULL;
273 if (module && module->
path) {
276 #if defined(HAVE_LOADLIBRARY)
278 HINSTANCE hDLL = LoadLibrary(_T(module->
path));
286 pGetFunctionList = (CK_C_GetFunctionList)
287 GetProcAddress(hDLL, _T(
"C_GetFunctionList"));
289 #elif defined(HAVE_DLOPEN)
291 void* pDynLib = dlopen(module->
path, RTLD_NOW | RTLD_LOCAL);
293 if (pDynLib == NULL) {
299 pGetFunctionList = (CK_C_GetFunctionList) dlsym(pDynLib,
"C_GetFunctionList");
308 #ifdef HAVE_PKCS11_MODULE
309 return C_GetFunctionList(pkcs11_functions);
315 if (pGetFunctionList == NULL) {
331 if (data == NULL || len == NULL)
return;
335 while ((
unsigned short int)(*p) == 0 && l > 1) {
347 hsm_pkcs11_check_token_name(
hsm_ctx_t *ctx,
350 const char *token_name)
359 if (hsm_pkcs11_check_error(ctx, rv,
"C_GetTokenInfo")) {
365 memcpy(token_name_bytes, token_name, strlen(token_name));
370 result = memcmp(token_info.
label,
381 const char *token_name, CK_SLOT_ID *slotId)
389 if (token_name == NULL || slotId == NULL)
return HSM_ERROR;
392 if (hsm_pkcs11_check_error(ctx, rv,
"get slot list")) {
398 "No slots found in HSM");
402 slotIds = malloc(
sizeof(CK_SLOT_ID) * slotCount);
404 if (hsm_pkcs11_check_error(ctx, rv,
"get slot list")) {
408 for (cur_slot = 0; cur_slot < slotCount; cur_slot++) {
409 if (hsm_pkcs11_check_token_name(ctx,
413 *slotId = slotIds[cur_slot];
421 "could not find token with the name %s", token_name);
430 hsm_module_new(
const char *repository,
431 const char *token_label,
437 if (!repository || !path)
return NULL;
441 if (!module)
return NULL;
455 module->
name = strdup(repository);
457 module->
path = strdup(path);
468 if (module->
name) free(module->
name);
470 if (module->
path) free(module->
path);
478 hsm_session_new(
hsm_module_t *module, CK_SESSION_HANDLE session_handle)
483 session->
session = session_handle;
506 const char *repository,
const char *token_label,
507 const char *module_path,
const char *pin,
514 CK_SESSION_HANDLE session_handle;
515 int first = 1, result;
522 module = hsm_module_new(repository, token_label, module_path, config);
524 rv = hsm_pkcs11_load_functions(module);
527 "hsm_session_init()",
528 "PKCS#11 module load failed: %s", module_path);
529 hsm_module_free(module);
536 if (hsm_pkcs11_check_error(ctx, rv,
"Initialization")) {
537 hsm_module_free(module);
545 hsm_module_free(module);
553 if (hsm_pkcs11_check_error(ctx, rv,
"Open first session")) {
554 hsm_module_free(module);
559 (
unsigned char *) pin,
560 strlen((
char *)pin));
563 *session = hsm_session_new(module, session_handle);
567 if (session_handle) {
569 C_CloseSession(session_handle);
570 if (hsm_pkcs11_check_error(ctx, rv,
571 "finalize after failed login")) {
572 hsm_module_free(module);
580 if (hsm_pkcs11_check_error(ctx, rv,
"finalize after failed login")) {
581 hsm_module_free(module);
585 hsm_module_free(module);
590 "hsm_session_init()",
591 "Incorrect PIN for repository %s", repository);
605 CK_SESSION_HANDLE session_handle;
613 if (result !=
HSM_OK)
return NULL;
620 if (hsm_pkcs11_check_error(ctx, rv,
"Clone session")) {
623 new_session = hsm_session_new(session->
module, session_handle);
646 hsm_session_free(ctx->
session[i]);
669 (void) hsm_pkcs11_check_error(ctx, rv,
"Logout");
674 (void) hsm_pkcs11_check_error(ctx, rv,
"Close session");
679 (void) hsm_pkcs11_check_error(ctx, rv,
"Finalize");
682 hsm_module_free(session->
module);
685 hsm_session_free(session);
695 hsm_ctx_close(
hsm_ctx_t *ctx,
int unload)
704 hsm_session_close(ctx, ctx->
session[i], unload);
728 if (!ctx || !session)
return -1;
744 new_ctx = hsm_ctx_new();
746 new_session = hsm_session_clone(ctx, ctx->
session[i]);
750 hsm_ctx_close(new_ctx, 0);
753 hsm_ctx_add_session(new_ctx, new_session);
776 if (!key || !key->
module)
return NULL;
792 CK_KEY_TYPE key_type;
803 if (hsm_pkcs11_check_error(ctx, rv,
804 "Get attr value algorithm type")) {
812 if ((
CK_LONG)
template[0].ulValueLen < 1) {
852 if (hsm_pkcs11_check_error(ctx, rv,
853 "Get attr value algorithm type")) {
857 if ((
CK_ULONG)
template[0].ulValueLen < 1) {
867 if (hsm_pkcs11_check_error(ctx, rv,
"Could not get the size of the modulus of the private key")) {
872 modulus = (
CK_BYTE_PTR)malloc(template2[0].ulValueLen);
873 template2[0].pValue = modulus;
874 if (modulus == NULL) {
876 "Error allocating memory for modulus");
886 if (hsm_pkcs11_check_error(ctx, rv,
"Could not get the modulus of the private key")) {
892 modulus_bits = template2[0].ulValueLen * 8;
894 for (
int i = 0; modulus_bits && (modulus[i] & mask) == 0; modulus_bits--) {
928 if (hsm_pkcs11_check_error(ctx, rv,
"Could not get the size of the prime of the private key")) {
932 return template2[0].ulValueLen * 8;
943 return hsm_get_key_size_rsa(ctx, session, key);
946 return hsm_get_key_size_dsa(ctx, session, key);
957 static CK_OBJECT_HANDLE
958 hsm_find_object_handle_for_id(
hsm_ctx_t *ctx,
960 CK_OBJECT_CLASS key_class,
965 CK_OBJECT_HANDLE object;
969 {
CKA_CLASS, &key_class,
sizeof(key_class) },
975 if (hsm_pkcs11_check_error(ctx, rv,
"Find objects init")) {
983 if (hsm_pkcs11_check_error(ctx, rv,
"Find object")) {
988 if (hsm_pkcs11_check_error(ctx, rv,
"Find object final")) {
992 if (objectCount > 0) {
1004 static unsigned char *
1005 hsm_hex_parse(
const char *hex,
size_t *len)
1007 unsigned char *bytes;
1012 if (!len)
return NULL;
1015 if (!hex)
return NULL;
1016 hex_len = strlen(hex);
1017 if (hex_len % 2 != 0) {
1022 bytes = malloc(*len);
1023 for (i = 0; i < *len; i++) {
1024 bytes[i] = ldns_hexdigit_to_int(hex[2*i]) * 16 +
1025 ldns_hexdigit_to_int(hex[2*i+1]);
1035 hsm_hex_unparse(
char *dst,
const unsigned char *src,
size_t len)
1037 size_t dst_len = len*2 + 1;
1040 for (i = 0; i < len; i++) {
1041 snprintf(dst + (2*i), dst_len,
"%02x", src[i]);
1053 CK_OBJECT_HANDLE
object,
1069 if (hsm_pkcs11_check_error(ctx, rv,
"Get attr value")) {
1074 if ((
CK_LONG)
template[0].ulValueLen < 1) {
1080 template[0].pValue = malloc(
template[0].ulValueLen);
1086 if (hsm_pkcs11_check_error(ctx, rv,
"Get attr value 2")) {
1088 free(
template[0].pValue);
1092 *len =
template[0].ulValueLen;
1093 return template[0].pValue;
1101 hsm_key_new_privkey_object_handle(
hsm_ctx_t *ctx,
1103 CK_OBJECT_HANDLE
object)
1109 id = hsm_get_id_for_object(ctx, session,
object, &len);
1111 if (!
id)
return NULL;
1113 key = hsm_key_new();
1118 key->
public_key = hsm_find_object_handle_for_id(
1139 hsm_list_keys_session_internal(
hsm_ctx_t *ctx,
1149 {
CKA_CLASS, &key_class,
sizeof(key_class) },
1156 CK_OBJECT_HANDLE
object[max_object_count];
1157 CK_OBJECT_HANDLE *key_handles = NULL;
1161 if (hsm_pkcs11_check_error(ctx, rv,
"Find objects init")) {
1166 while (objectCount > 0) {
1171 if (hsm_pkcs11_check_error(ctx, rv,
"Find first object")) {
1177 total_count += objectCount;
1178 if (objectCount > 0 && store) {
1179 key_handles = realloc(key_handles, total_count *
sizeof(CK_OBJECT_HANDLE));
1180 for (i = 0; i < objectCount; i++) {
1181 key_handles[j] =
object[i];
1188 if (hsm_pkcs11_check_error(ctx, rv,
"Find objects final")) {
1195 keys = realloc(keys, total_count *
sizeof(
hsm_key_t *));
1196 for (i = 0; i < total_count; i++) {
1197 key = hsm_key_new_privkey_object_handle(ctx, session,
1205 *count = total_count;
1221 return hsm_list_keys_session_internal(ctx, session, count, 1);
1234 (void) hsm_list_keys_session_internal(ctx, session, &count, 0);
1244 const unsigned char *
id,
size_t len)
1247 CK_OBJECT_HANDLE private_key_handle;
1249 private_key_handle = hsm_find_object_handle_for_id(
1255 if (private_key_handle != 0) {
1256 key = hsm_key_new_privkey_object_handle(ctx, session,
1257 private_key_handle);
1275 const unsigned char *
id,
1282 if (!
id)
return NULL;
1285 key = hsm_find_key_by_id_session(ctx, ctx->
session[i],
id, len);
1286 if (key)
return key;
1298 hsm_find_repository_session(
hsm_ctx_t *ctx,
const char *repository)
1318 "hsm_find_repository_session()",
1319 "Can't find repository: %s", repository);
1333 unsigned long hKey = 0;
1334 unsigned char *data = NULL;
1335 size_t data_size = 0;
1343 if (!session || !session->
module) {
1358 if (hsm_pkcs11_check_error(ctx, rv,
"C_GetAttributeValue")) {
1361 public_exponent_len =
template[0].ulValueLen;
1362 modulus_len =
template[1].ulValueLen;
1364 public_exponent =
template[0].pValue = malloc(public_exponent_len);
1365 if (!public_exponent) {
1367 "Error allocating memory for public exponent");
1371 modulus =
template[1].pValue = malloc(modulus_len);
1374 "Error allocating memory for modulus");
1375 free(public_exponent);
1384 if (hsm_pkcs11_check_error(ctx, rv,
"get attribute value")) {
1385 free(
template[0].pValue);
1386 free(
template[1].pValue);
1391 hsm_remove_leading_zeroes(public_exponent, &public_exponent_len);
1392 hsm_remove_leading_zeroes(modulus, &modulus_len);
1394 data_size = public_exponent_len + modulus_len + 1;
1395 if (public_exponent_len <= 256) {
1396 data = malloc(data_size);
1399 "Error allocating memory for pub key rr data");
1400 free(public_exponent);
1404 data[0] = public_exponent_len;
1405 memcpy(&data[1], public_exponent, public_exponent_len);
1406 memcpy(&data[1 + public_exponent_len], modulus, modulus_len);
1407 }
else if (public_exponent_len <= 65535) {
1409 data = malloc(data_size);
1412 "Error allocating memory for pub key rr data");
1413 free(public_exponent);
1418 ldns_write_uint16(&data[1], (uint16_t) public_exponent_len);
1419 memcpy(&data[3], public_exponent, public_exponent_len);
1420 memcpy(&data[3 + public_exponent_len], modulus, modulus_len);
1423 "Public exponent too big");
1424 free(public_exponent);
1428 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, data_size, data);
1429 free(public_exponent);
1448 unsigned char *data = NULL;
1449 size_t data_size = 0;
1459 if (!session || !session->
module) {
1469 if (hsm_pkcs11_check_error(ctx, rv,
"C_GetAttributeValue")) {
1472 prime_len =
template[0].ulValueLen;
1473 subprime_len =
template[1].ulValueLen;
1474 base_len =
template[2].ulValueLen;
1475 value_len =
template[3].ulValueLen;
1477 prime =
template[0].pValue = malloc(prime_len);
1480 "Error allocating memory for prime");
1484 subprime =
template[1].pValue = malloc(subprime_len);
1487 "Error allocating memory for subprime");
1492 base =
template[2].pValue = malloc(base_len);
1495 "Error allocating memory for base");
1501 value =
template[3].pValue = malloc(value_len);
1504 "Error allocating memory for value");
1516 if (hsm_pkcs11_check_error(ctx, rv,
"get attribute value")) {
1524 data_size = prime_len + subprime_len + base_len + value_len + 1;
1525 data = malloc(data_size);
1528 "Error allocating memory for pub key rr data");
1535 data[0] = (prime_len - 64) / 8;
1536 memcpy(&data[1], subprime, subprime_len);
1537 memcpy(&data[1 + subprime_len], prime, prime_len);
1538 memcpy(&data[1 + subprime_len + prime_len], base, base_len);
1539 memcpy(&data[1 + subprime_len + prime_len + base_len], value, value_len);
1541 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, data_size, data);
1563 if (!session || !session->
module) {
1573 if (hsm_pkcs11_check_error(ctx, rv,
"C_GetAttributeValue")) {
1576 value_len =
template[0].ulValueLen;
1578 value =
template[0].pValue = malloc(value_len);
1581 "Error allocating memory for value");
1590 if (hsm_pkcs11_check_error(ctx, rv,
"get attribute value")) {
1595 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, value_len, value);
1604 switch (hsm_get_key_algorithm(ctx, session, key)) {
1606 return hsm_get_key_rdata_rsa(ctx, session, key);
1609 return hsm_get_key_rdata_dsa(ctx, session, key);
1612 return hsm_get_key_rdata_gost(ctx, session, key);
1624 hsm_create_prefix(
CK_ULONG digest_len,
1625 ldns_algorithm algorithm,
1629 const CK_BYTE RSA_MD5_ID[] = { 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
1630 const CK_BYTE RSA_SHA1_ID[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14 };
1631 const CK_BYTE RSA_SHA256_ID[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };
1632 const CK_BYTE RSA_SHA512_ID[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 };
1635 case LDNS_SIGN_RSAMD5:
1636 *data_size =
sizeof(RSA_MD5_ID) + digest_len;
1637 data = malloc(*data_size);
1638 memcpy(data, RSA_MD5_ID,
sizeof(RSA_MD5_ID));
1640 case LDNS_SIGN_RSASHA1:
1641 case LDNS_SIGN_RSASHA1_NSEC3:
1642 *data_size =
sizeof(RSA_SHA1_ID) + digest_len;
1643 data = malloc(*data_size);
1644 memcpy(data, RSA_SHA1_ID,
sizeof(RSA_SHA1_ID));
1646 case LDNS_SIGN_RSASHA256:
1647 *data_size =
sizeof(RSA_SHA256_ID) + digest_len;
1648 data = malloc(*data_size);
1649 memcpy(data, RSA_SHA256_ID,
sizeof(RSA_SHA256_ID));
1651 case LDNS_SIGN_RSASHA512:
1652 *data_size =
sizeof(RSA_SHA512_ID) + digest_len;
1653 data = malloc(*data_size);
1654 memcpy(data, RSA_SHA512_ID,
sizeof(RSA_SHA512_ID));
1657 case LDNS_SIGN_DSA_NSEC3:
1658 case LDNS_SIGN_ECC_GOST:
1659 #if LDNS_BUILD_CONFIG_USE_ECDSA
1660 case LDNS_SIGN_ECDSAP256SHA256:
1661 case LDNS_SIGN_ECDSAP384SHA384:
1663 *data_size = digest_len;
1664 data = malloc(*data_size);
1675 CK_MECHANISM_TYPE mechanism_type,
1677 ldns_buffer *sign_buf)
1683 digest_mechanism.pParameter = NULL;
1684 digest_mechanism.ulParameterLen = 0;
1685 digest_mechanism.
mechanism = mechanism_type;
1686 digest = malloc(digest_len);
1689 if (hsm_pkcs11_check_error(ctx, rv,
"HSM digest init")) {
1695 ldns_buffer_begin(sign_buf),
1696 ldns_buffer_position(sign_buf),
1699 if (hsm_pkcs11_check_error(ctx, rv,
"HSM digest")) {
1708 ldns_buffer *sign_buf,
1710 ldns_algorithm algorithm)
1726 session = hsm_find_key_session(ctx, key);
1727 if (!session)
return NULL;
1732 switch (algorithm) {
1733 case LDNS_SIGN_RSAMD5:
1735 digest = hsm_digest_through_hsm(ctx, session,
1739 case LDNS_SIGN_RSASHA1:
1740 case LDNS_SIGN_RSASHA1_NSEC3:
1742 case LDNS_SIGN_DSA_NSEC3:
1743 digest_len = LDNS_SHA1_DIGEST_LENGTH;
1744 digest = malloc(digest_len);
1745 digest = ldns_sha1(ldns_buffer_begin(sign_buf),
1746 ldns_buffer_position(sign_buf),
1750 case LDNS_SIGN_RSASHA256:
1751 #if LDNS_BUILD_CONFIG_USE_ECDSA
1752 case LDNS_SIGN_ECDSAP256SHA256:
1754 digest_len = LDNS_SHA256_DIGEST_LENGTH;
1755 digest = malloc(digest_len);
1756 digest = ldns_sha256(ldns_buffer_begin(sign_buf),
1757 ldns_buffer_position(sign_buf),
1760 #if LDNS_BUILD_CONFIG_USE_ECDSA
1761 case LDNS_SIGN_ECDSAP384SHA384:
1762 digest_len = LDNS_SHA384_DIGEST_LENGTH;
1763 digest = malloc(digest_len);
1764 digest = ldns_sha384(ldns_buffer_begin(sign_buf),
1765 ldns_buffer_position(sign_buf),
1769 case LDNS_SIGN_RSASHA512:
1770 digest_len = LDNS_SHA512_DIGEST_LENGTH;
1771 digest = malloc(digest_len);
1772 digest = ldns_sha512(ldns_buffer_begin(sign_buf),
1773 ldns_buffer_position(sign_buf),
1776 case LDNS_SIGN_ECC_GOST:
1778 digest = hsm_digest_through_hsm(ctx, session,
1795 data = hsm_create_prefix(digest_len, algorithm, &data_len);
1796 memcpy(data + data_len - digest_len, digest, digest_len);
1798 sign_mechanism.pParameter = NULL;
1799 sign_mechanism.ulParameterLen = 0;
1801 case LDNS_SIGN_RSAMD5:
1802 case LDNS_SIGN_RSASHA1:
1803 case LDNS_SIGN_RSASHA1_NSEC3:
1804 case LDNS_SIGN_RSASHA256:
1805 case LDNS_SIGN_RSASHA512:
1809 case LDNS_SIGN_DSA_NSEC3:
1812 case LDNS_SIGN_ECC_GOST:
1815 #if LDNS_BUILD_CONFIG_USE_ECDSA
1817 case LDNS_SIGN_ECDSAP256SHA256:
1818 case LDNS_SIGN_ECDSAP384SHA384:
1832 if (hsm_pkcs11_check_error(ctx, rv,
"sign init")) {
1841 if (hsm_pkcs11_check_error(ctx, rv,
"sign final")) {
1847 sig_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
1859 hsm_dname_is_wildcard(
const ldns_rdf* dname)
1861 return ( ldns_dname_label_count(dname) > 0 &&
1862 ldns_rdf_data(dname)[0] == 1 &&
1863 ldns_rdf_data(dname)[1] ==
'*');
1867 hsm_create_empty_rrsig(
const ldns_rr_list *rrset,
1872 uint32_t orig_class;
1874 uint8_t label_count;
1876 label_count = ldns_dname_label_count(
1877 ldns_rr_owner(ldns_rr_list_rr(rrset, 0)));
1879 if (hsm_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0)))) {
1883 rrsig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
1886 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
1887 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0));
1889 ldns_rr_set_class(rrsig, orig_class);
1890 ldns_rr_set_ttl(rrsig, orig_ttl);
1891 ldns_rr_set_owner(rrsig,
1894 ldns_rr_list_rr(rrset,
1900 (void)ldns_rr_rrsig_set_origttl(
1902 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
1905 (void)ldns_rr_rrsig_set_signame(
1907 ldns_rdf_clone(sign_params->
owner));
1909 (void)ldns_rr_rrsig_set_labels(
1911 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
1916 (void)ldns_rr_rrsig_set_inception(
1918 ldns_native2rdf_int32(
1922 (void)ldns_rr_rrsig_set_inception(
1924 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
1927 (void)ldns_rr_rrsig_set_expiration(
1929 ldns_native2rdf_int32(
1933 (void)ldns_rr_rrsig_set_expiration(
1935 ldns_native2rdf_int32(
1937 now + LDNS_DEFAULT_EXP_TIME));
1940 (void)ldns_rr_rrsig_set_keytag(
1942 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
1945 (void)ldns_rr_rrsig_set_algorithm(
1947 ldns_native2rdf_int8(
1951 (void)ldns_rr_rrsig_set_typecovered(
1953 ldns_native2rdf_int16(
1955 ldns_rr_get_type(ldns_rr_list_rr(rrset,
1968 char *(pin_callback)(
unsigned int,
const char *,
unsigned int))
1971 xmlXPathContextPtr xpath_ctx;
1972 xmlXPathObjectPtr xpath_obj;
1985 int repositories = 0;
1989 _hsm_ctx = hsm_ctx_new();
1992 config_file = strdup(config);
1994 config_file = strdup(HSM_DEFAULT_CONFIG);
1998 doc = xmlParseFile(config_file);
2005 xpath_ctx = xmlXPathNewContext(doc);
2006 if(xpath_ctx == NULL) {
2008 hsm_ctx_free(_hsm_ctx);
2014 xexpr = (xmlChar *)
"//Configuration/RepositoryList/Repository";
2015 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
2016 if(xpath_obj == NULL) {
2017 xmlXPathFreeContext(xpath_ctx);
2019 hsm_ctx_free(_hsm_ctx);
2024 if (xpath_obj->nodesetval) {
2025 for (i = 0; i < xpath_obj->nodesetval->nodeNr; i++) {
2030 hsm_config_default(&module_config);
2032 curNode = xpath_obj->nodesetval->nodeTab[i]->xmlChildrenNode;
2033 repository = (
char *) xmlGetProp(xpath_obj->nodesetval->nodeTab[i],
2034 (
const xmlChar *)
"name");
2037 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"TokenLabel"))
2038 token_label = (
char *) xmlNodeGetContent(curNode);
2039 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Module"))
2040 module_path = (
char *) xmlNodeGetContent(curNode);
2041 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"PIN"))
2042 module_pin = (
char *) xmlNodeGetContent(curNode);
2043 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"SkipPublicKey"))
2045 curNode = curNode->next;
2048 if (repository && token_label && module_path) {
2072 if (module_pin == NULL)
break;
2084 memset(module_pin, 0, strlen(module_pin));
2090 "No pin or callback function");
2107 xmlXPathFreeObject(xpath_obj);
2108 xmlXPathFreeContext(xpath_ctx);
2111 if (result ==
HSM_OK && repositories == 0) {
2113 "No repositories found");
2123 hsm_ctx_close(_hsm_ctx, 1);
2130 return hsm_ctx_clone(_hsm_ctx);
2140 CK_SESSION_HANDLE session_handle;
2148 if (session == NULL)
continue;
2154 if (hsm_pkcs11_check_error(ctx, rv,
"get session info")) {
2161 "Session not logged in");
2171 if (hsm_pkcs11_check_error(ctx, rv,
"test open session")) {
2175 if (hsm_pkcs11_check_error(ctx, rv,
"test close session")) {
2186 hsm_ctx_close(ctx, 0);
2197 params->
algorithm = LDNS_SIGN_RSASHA256;
2198 params->
flags = LDNS_KEY_ZONE_KEY;
2202 params->
owner = NULL;
2210 if (params->
owner) ldns_rdf_deep_free(params->
owner);
2219 size_t key_count = 0;
2220 size_t cur_key_count;
2231 keys = realloc(keys,
2232 (key_count + cur_key_count) *
sizeof(
hsm_key_t *));
2233 for (j = 0; j < cur_key_count; j++) {
2234 keys[key_count + j] = session_keys[j];
2236 key_count += cur_key_count;
2248 const char *repository)
2252 if (!repository)
return NULL;
2255 session = hsm_find_repository_session(ctx, repository);
2278 const char *repository)
2282 if (!repository)
return 0;
2285 session = hsm_find_repository_session(ctx, repository);
2295 unsigned char *id_bytes;
2299 id_bytes = hsm_hex_parse(
id, &len);
2301 if (!id_bytes)
return NULL;
2303 key = hsm_find_key_by_id_bin(ctx, id_bytes, len);
2310 const char *repository,
2311 unsigned long keysize)
2316 unsigned char id[16];
2320 CK_OBJECT_HANDLE publicKey, privateKey;
2321 CK_KEY_TYPE keyType =
CKK_RSA;
2325 CK_BYTE publicExponent[] = { 1, 0, 1 };
2331 session = hsm_find_repository_session(ctx, repository);
2332 if (!session)
return NULL;
2337 }
while (hsm_find_key_by_id_bin(ctx,
id, 16));
2340 hsm_hex_unparse(id_str,
id, 16);
2352 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
2362 {
CKA_SIGN, &ctrue,
sizeof (ctrue) },
2373 publicKeyTemplate, 9,
2374 privateKeyTemplate, 10,
2377 if (hsm_pkcs11_check_error(ctx, rv,
"generate key pair")) {
2381 new_key = hsm_key_new();
2396 const char *repository,
2397 unsigned long keysize)
2402 CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
2407 unsigned char id[16];
2411 CK_KEY_TYPE keyType =
CKK_DSA;
2431 {
CKA_BASE, dsa_g,
sizeof(dsa_g) },
2437 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
2445 {
CKA_SIGN, &ctrue,
sizeof(ctrue) },
2455 session = hsm_find_repository_session(ctx, repository);
2456 if (!session)
return NULL;
2462 }
while (hsm_find_key_by_id_bin(ctx,
id, 16));
2465 hsm_hex_unparse(id_str,
id, 16);
2473 if (hsm_pkcs11_check_error(ctx, rv,
"generate domain parameters")) {
2478 domainPar, publicKeyTemplate, 3);
2479 if (hsm_pkcs11_check_error(ctx, rv,
"get domain parameters")) {
2484 if (hsm_pkcs11_check_error(ctx, rv,
"destroy domain parameters")) {
2492 publicKeyTemplate, 10,
2493 privateKeyTemplate, 10,
2496 if (hsm_pkcs11_check_error(ctx, rv,
"generate key pair")) {
2500 new_key = hsm_key_new();
2510 const char *repository)
2515 CK_OBJECT_HANDLE publicKey, privateKey;
2520 unsigned char id[16];
2529 CK_BYTE oid[] = { 0x06, 0x07, 0x2A, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01 };
2538 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
2546 {
CKA_SIGN, &ctrue,
sizeof(ctrue) },
2556 session = hsm_find_repository_session(ctx, repository);
2557 if (!session)
return NULL;
2563 }
while (hsm_find_key_by_id_bin(ctx,
id, 16));
2566 hsm_hex_unparse(id_str,
id, 16);
2572 publicKeyTemplate, 10,
2573 privateKeyTemplate, 10,
2576 if (hsm_pkcs11_check_error(ctx, rv,
"generate key pair")) {
2580 new_key = hsm_key_new();
2594 if (!key)
return -1;
2596 session = hsm_find_key_session(ctx, key);
2597 if (!session)
return -2;
2601 if (hsm_pkcs11_check_error(ctx, rv,
"Destroy private key")) {
2609 if (hsm_pkcs11_check_error(ctx, rv,
"Destroy public key")) {
2630 for (i = 0; i < count; i++) {
2645 if (!key)
return NULL;
2647 session = hsm_find_key_session(ctx, key);
2648 if (!session)
return NULL;
2650 id = hsm_get_id_for_object(ctx, session, key->
private_key, &len);
2651 if (!
id)
return NULL;
2654 id_str = malloc(len * 2 + 1);
2655 if (!id_str)
return NULL;
2657 hsm_hex_unparse(id_str,
id, len);
2672 session = hsm_find_key_session(ctx, key);
2673 if (!session)
return NULL;
2678 if (key_info->
id == NULL) {
2679 key_info->
id = strdup(
"");
2682 key_info->
algorithm = (
unsigned long) hsm_get_key_algorithm(ctx,
2685 key_info->
keysize = (
unsigned long) hsm_get_key_size(ctx,
2727 const ldns_rr_list* rrset,
2732 ldns_buffer *sign_buf;
2737 if (!key)
return NULL;
2738 if (!sign_params)
return NULL;
2740 signature = hsm_create_empty_rrsig((ldns_rr_list *)rrset,
2746 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2748 if (ldns_rrsig2buffer_wire(sign_buf, signature)
2749 != LDNS_STATUS_OK) {
2750 ldns_buffer_free(sign_buf);
2756 for(i = 0; i < ldns_rr_list_rr_count(rrset); i++) {
2757 ldns_rr2canonical(ldns_rr_list_rr(rrset, i));
2761 if (ldns_rr_list2buffer_wire(sign_buf, rrset)
2762 != LDNS_STATUS_OK) {
2763 ldns_buffer_free(sign_buf);
2767 b64_rdf = hsm_sign_buffer(ctx, sign_buf, key, sign_params->
algorithm);
2769 ldns_buffer_free(sign_buf);
2775 ldns_rr_rrsig_set_sig(signature, b64_rdf);
2792 size_t *digest_length)
2800 if (hsm_pkcs11_check_error(ctx, rv,
"digest init")) {
2811 if (hsm_pkcs11_check_error(ctx, rv,
"digest to determine result size")) {
2821 if (hsm_pkcs11_check_error(ctx, rv,
"digest")) {
2835 uint16_t iterations,
2836 uint8_t salt_length,
2839 char *orig_owner_str;
2840 size_t hashed_owner_str_len;
2841 ldns_rdf *hashed_owner;
2842 char *hashed_owner_str;
2843 char *hashed_owner_b32;
2844 int hashed_owner_b32_len;
2847 size_t hash_length = 0;
2857 mechanism.pParameter = NULL;
2858 mechanism.ulParameterLen = 0;
2861 printf(
"unknown algo: %u\n", (
unsigned int)algorithm);
2876 orig_owner_str = ldns_rdf2str(name);
2878 hashed_owner_str_len = salt_length + ldns_rdf_size(name);
2879 hashed_owner_str = LDNS_XMALLOC(
char, hashed_owner_str_len);
2880 memcpy(hashed_owner_str, ldns_rdf_data(name), ldns_rdf_size(name));
2881 memcpy(hashed_owner_str + ldns_rdf_size(name), salt, salt_length);
2883 for (cur_it = iterations + 1; cur_it > 0; cur_it--) {
2884 if (hash != NULL) free(hash);
2885 hash = (
char *) hsm_digest(ctx,
2889 hashed_owner_str_len,
2892 LDNS_FREE(hashed_owner_str);
2893 hashed_owner_str_len = salt_length + hash_length;
2894 hashed_owner_str = LDNS_XMALLOC(
char, hashed_owner_str_len);
2895 if (!hashed_owner_str) {
2900 memcpy(hashed_owner_str, hash, hash_length);
2901 memcpy(hashed_owner_str + hash_length, salt, salt_length);
2904 LDNS_FREE(hashed_owner_str);
2905 hashed_owner_str = hash;
2906 hashed_owner_str_len = hash_length;
2907 hashed_owner_b32 = LDNS_XMALLOC(
char,
2908 ldns_b32_ntop_calculate_size(
2909 hashed_owner_str_len) + 1);
2910 LDNS_FREE(orig_owner_str);
2911 hashed_owner_b32_len =
2912 (size_t) ldns_b32_ntop_extended_hex((uint8_t *) hashed_owner_str,
2913 hashed_owner_str_len,
2915 ldns_b32_ntop_calculate_size(
2916 hashed_owner_str_len));
2917 if (hashed_owner_b32_len < 1) {
2918 error_name = ldns_rdf2str(name);
2920 "Error in base32 extended hex encoding "
2921 "of hashed owner name (name: %s, return code: %d)",
2922 error_name, hashed_owner_b32_len);
2923 LDNS_FREE(error_name);
2924 LDNS_FREE(hashed_owner_b32);
2927 hashed_owner_str_len = hashed_owner_b32_len;
2928 hashed_owner_b32[hashed_owner_b32_len] =
'\0';
2930 status = ldns_str2rdf_dname(&hashed_owner, hashed_owner_b32);
2931 if (status != LDNS_STATUS_OK) {
2933 "Error creating rdf from %s", hashed_owner_b32);
2934 LDNS_FREE(hashed_owner_b32);
2939 LDNS_FREE(hashed_owner_b32);
2940 return hashed_owner;
2962 session = hsm_find_key_session(ctx, key);
2963 if (!session)
return NULL;
2965 dnskey = ldns_rr_new();
2966 ldns_rr_set_type(dnskey, LDNS_RR_TYPE_DNSKEY);
2968 ldns_rr_set_owner(dnskey, ldns_rdf_clone(sign_params->
owner));
2970 ldns_rr_push_rdf(dnskey,
2971 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
2972 sign_params->
flags));
2973 ldns_rr_push_rdf(dnskey,
2974 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
2975 LDNS_DNSSEC_KEYPROTO));
2976 ldns_rr_push_rdf(dnskey,
2977 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
2980 rdata = hsm_get_key_rdata(ctx, session, key);
2981 if (rdata == NULL) {
2984 ldns_rr_push_rdf(dnskey, rdata);
2991 unsigned char *buffer,
2992 unsigned long length)
2997 if (!buffer)
return -1;
3022 unsigned char rnd_buf[4];
3025 memcpy(&rnd, rnd_buf, 4);
3037 unsigned char rnd_buf[8];
3040 memcpy(&rnd, rnd_buf, 8);
3053 const char *token_label,
3061 result = hsm_session_init(_hsm_ctx,
3069 return hsm_ctx_add_session(_hsm_ctx, session);
3083 hsm_session_close(_hsm_ctx, _hsm_ctx->
session[i], 1);
3112 "hsm_token_attached()",
3113 "Can't find repository: %s", repository);
3121 case LDNS_SIGN_RSAMD5:
3122 case LDNS_SIGN_RSASHA1:
3123 case LDNS_SIGN_RSASHA1_NSEC3:
3124 case LDNS_SIGN_RSASHA256:
3125 case LDNS_SIGN_RSASHA512:
3127 case LDNS_SIGN_DSA_NSEC3:
3128 case LDNS_SIGN_ECC_GOST:
3131 #if LDNS_BUILD_CONFIG_USE_ECDSA
3132 case LDNS_SIGN_ECDSAP256SHA256:
3133 case LDNS_SIGN_ECDSAP384SHA384:
3157 if (message == NULL) {
3158 return strdup(
"libhsm memory allocation failed");
3174 printf(
"\t\tmodule at %p (sym %p)\n", (
void *) session->
module, (
void *) session->
module->
sym);
3175 printf(
"\t\tmodule path: %s\n", session->
module->
path);
3176 printf(
"\t\trepository name: %s\n", session->
module->
name);
3178 printf(
"\t\tsess handle: %u\n", (
unsigned int) session->
session);
3190 printf(
"CTX Sessions: %lu\n",
3193 printf(
"\tSession at %p\n", (
void *) ctx->
session[i]);
3205 printf(
"\tmodule: %p\n", (
void *) key->
module);
3206 printf(
"\tprivkey handle: %u\n", (
unsigned int) key->
private_key);
3208 printf(
"\tpubkey handle: %u\n", (
unsigned int) key->
public_key);
3210 printf(
"\tpubkey handle: %s\n",
"NULL");
3212 printf(
"\trepository: %s\n", key->
module->
name);
3214 printf(
"\tsize: %lu\n", key_info->
keysize);
3215 printf(
"\tid: %s\n", key_info->
id);
3218 printf(
"key: hsm_get_key_info() returned NULL\n");
3221 printf(
"key: <void>\n");
3233 fprintf(stderr,
"%s\n", message);
3236 fprintf(stderr,
"Unknown error\n");
3264 if (result !=
HSM_OK)
return;
3267 if (hsm_pkcs11_check_error(ctx, rv,
"C_GetTokenInfo")) {
3271 printf(
"Repository: %s\n",session->
module->
name);
3273 printf(
"\tModule: %s\n", session->
module->
path);
3274 printf(
"\tSlot: %lu\n", slot_id);
3275 printf(
"\tToken Label: %.*s\n",
3276 (
int)
sizeof(token_info.
label), token_info.
label);
3277 printf(
"\tManufacturer: %.*s\n",
3278 (
int)
sizeof(token_info.manufacturerID), token_info.manufacturerID);
3279 printf(
"\tModel: %.*s\n",
3280 (
int)
sizeof(token_info.
model), token_info.
model);
3281 printf(
"\tSerial: %.*s\n",
3282 (
int)
sizeof(token_info.serialNumber), token_info.serialNumber);