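/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * Administration for metaslot
 *
 * All the "list" operations will call functions in libpkcs11.so.
 * Normally, it doesn't make sense to call functions in libpkcs11.so directly
 * because libpkcs11.so depends on the configuration file (pkcs11.conf) the
 * cryptoadm command is trying to administer.  However, since metaslot
 * is part of the framework, it is not possible to get information about
 * it without actually calling functions in libpkcs11.so.
 *
 * So, for the listing operation, which won't modify the value of pkcs11.conf,
 * it is safe to call libpkcs11.so.
 *
 * For other operations that modify the pkcs11.conf file, libpkcs11.so
 * will not be called.
 */

#include <cryptoutil.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <libintl.h>
#include <dlfcn.h>
#include <link.h>
#include <strings.h>
#include <security/cryptoki.h>
#include <cryptoutil.h>
#include "cryptoadm.h"

/* Metaslot is always slot 0 in the framework (see list_metaslot_info()). */
#define	METASLOT_ID	0

/*
 * Display the metaslot configuration recorded in pkcs11.conf and, when
 * requested, the live state that the PKCS#11 framework reports for it.
 *
 * show_mechs: if true, list the mechanisms metaslot offers (all of them
 *	when mechlist is NULL, otherwise only those named in mechlist).
 * verbose: if true, also display slot and token details and, together
 *	with show_mechs, the per-mechanism information.
 * mechlist: optional list of mechanisms to restrict the listing to.
 *
 * Returns SUCCESS or FAILURE.  A missing pkcs11.conf entry is reported
 * through cryptoerror(); framework failures are logged with cryptodebug()
 * and, when mechanisms were requested, summarized on stdout at "finish".
 *
 * The uentry_t returned by getent_uef() is owned by the caller (the other
 * functions in this file free it with free_uentry()); it is released as
 * soon as the pkcs11.conf settings have been printed so that no exit path
 * leaks it.
 */
int
list_metaslot_info(boolean_t show_mechs, boolean_t verbose,
    mechlist_t *mechlist)
{
	int rc = SUCCESS;
	CK_RV rv;
	CK_SLOT_INFO slot_info;
	CK_TOKEN_INFO token_info;
	CK_MECHANISM_TYPE_PTR pmech_list = NULL;
	CK_ULONG mech_count = 0;
	CK_ULONG i;
	CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
	CK_FUNCTION_LIST_PTR funcs = NULL;
	void *dldesc = NULL;
	boolean_t lib_initialized = B_FALSE;
	uentry_t *puent;
	char buf[128];

	/*
	 * Display the system-wide metaslot settings as specified
	 * in pkcs11.conf file.
	 */
	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	(void) printf(gettext("System-wide Meta Slot Configuration:\n"));
	/*
	 * TRANSLATION_NOTE:
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("------------------------------------\n"));
	(void) printf(gettext("Status: %s\n"), puent->flag_metaslot_enabled ?
	    gettext("enabled") : gettext("disabled"));
	(void) printf(gettext("Sensitive Token Object Automatic Migrate: %s\n"),
	    puent->flag_metaslot_auto_key_migrate ? gettext("enabled") :
	    gettext("disabled"));

	/*
	 * The keystore fields are only shown when they are not all zero
	 * bytes; buf is a zeroed comparison pattern and must be at least
	 * SLOT_DESCRIPTION_SIZE and TOKEN_LABEL_SIZE bytes long.
	 * NOTE(review): printing them with %s assumes the pkcs11.conf
	 * parser leaves them NUL-terminated, as enable_metaslot() does.
	 */
	bzero(buf, sizeof (buf));
	if (memcmp(puent->metaslot_ks_slot, buf, SLOT_DESCRIPTION_SIZE) != 0) {
		(void) printf(gettext("Persistent object store slot: %s\n"),
		    (char *)puent->metaslot_ks_slot);
	}

	if (memcmp(puent->metaslot_ks_token, buf, TOKEN_LABEL_SIZE) != 0) {
		(void) printf(gettext("Persistent object store token: %s\n"),
		    (char *)puent->metaslot_ks_token);
	}

	/*
	 * Nothing below needs the pkcs11.conf entry any more; release it
	 * here so the early return and every "goto finish" are covered.
	 */
	free_uentry(puent);
	puent = NULL;

	if ((!verbose) && (!show_mechs)) {
		return (SUCCESS);
	}

	if (verbose) {
		(void) printf(gettext("\nDetailed Meta Slot Information:\n"));
		/*
		 * TRANSLATION_NOTE:
		 * Strictly for appearance's sake, this line should be as
		 * long as the length of the translated text above.
		 */
		(void) printf(gettext("-------------------------------\n"));
	}

	/*
	 * Need to actually make calls to libpkcs11.so to get
	 * information about metaslot.  Listing never writes pkcs11.conf,
	 * so loading the framework here cannot race with the file this
	 * command administers (see the file header).
	 */
	dldesc = dlopen(UEF_FRAME_LIB, RTLD_NOW);
	if (dldesc == NULL) {
		char *dl_error = dlerror();

		/* dlerror() may return NULL; never hand NULL to %s */
		cryptodebug("Cannot load PKCS#11 framework library. "
		    "dlerror:%s", dl_error != NULL ? dl_error : "unknown");
		return (FAILURE);
	}

	/* Get the pointer to library's C_GetFunctionList() */
	Tmp_C_GetFunctionList = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))
	    dlsym(dldesc, "C_GetFunctionList");
	if (Tmp_C_GetFunctionList == NULL) {
		cryptodebug("Cannot get the address of the C_GetFunctionList "
		    "from framework");
		rc = FAILURE;
		goto finish;
	}

	/* Get the provider's function list */
	rv = Tmp_C_GetFunctionList(&funcs);
	if (rv != CKR_OK) {
		cryptodebug("failed to call C_GetFunctionList in "
		    "framework library");
		rc = FAILURE;
		goto finish;
	}

	/*
	 * Initialize this provider.  CK_RV is a CK_ULONG, so every error
	 * code below is printed with %lx after an explicit cast.
	 */
	rv = funcs->C_Initialize(NULL_PTR);
	if (rv != CKR_OK) {
		cryptodebug("C_Initialize failed with error code 0x%lx\n",
		    (unsigned long)rv);
		rc = FAILURE;
		goto finish;
	}
	lib_initialized = B_TRUE;

	/*
	 * We know for sure that metaslot is slot 0 in the framework,
	 * so, we will do a C_GetSlotInfo() trying to see if it works.
	 * If it fails with CKR_SLOT_ID_INVALID, we know that metaslot
	 * is not really enabled.
	 */
	rv = funcs->C_GetSlotInfo(METASLOT_ID, &slot_info);
	if (rv == CKR_SLOT_ID_INVALID) {
		(void) printf(gettext("actual status: disabled.\n"));
		/*
		 * Even if the -m and -v flag is supplied, there's nothing
		 * interesting to display about metaslot since it is disabled,
		 * so, just stop right here.
		 */
		goto finish;
	}

	if (rv != CKR_OK) {
		cryptodebug("C_GetSlotInfo failed with error "
		    "code 0x%lx\n", (unsigned long)rv);
		rc = FAILURE;
		goto finish;
	}

	if (!verbose) {
		goto display_mechs;
	}

	(void) printf(gettext("actual status: enabled.\n"));

	/*
	 * The character fields of CK_SLOT_INFO and CK_TOKEN_INFO are
	 * fixed-size and not NUL-terminated, hence the explicit precisions.
	 */
	(void) printf(gettext("Description: %.64s\n"),
	    slot_info.slotDescription);

	(void) printf(gettext("Token Present: %s\n"),
	    (slot_info.flags & CKF_TOKEN_PRESENT ?
	    gettext("True") : gettext("False")));

	rv = funcs->C_GetTokenInfo(METASLOT_ID, &token_info);
	if (rv != CKR_OK) {
		cryptodebug("C_GetTokenInfo failed with error "
		    "code 0x%lx\n", (unsigned long)rv);
		rc = FAILURE;
		goto finish;
	}

	/* ulMinPinLen/ulMaxPinLen are CK_ULONG: %lu, not %d */
	(void) printf(gettext("Token Label: %.32s\n"
	    "Manufacturer ID: %.32s\n"
	    "Model: %.16s\n"
	    "Serial Number: %.16s\n"
	    "Hardware Version: %d.%d\n"
	    "Firmware Version: %d.%d\n"
	    "UTC Time: %.16s\n"
	    "PIN Length: %lu-%lu\n"),
	    token_info.label,
	    token_info.manufacturerID,
	    token_info.model,
	    token_info.serialNumber,
	    token_info.hardwareVersion.major,
	    token_info.hardwareVersion.minor,
	    token_info.firmwareVersion.major,
	    token_info.firmwareVersion.minor,
	    token_info.utcTime,
	    (unsigned long)token_info.ulMinPinLen,
	    (unsigned long)token_info.ulMaxPinLen);

	display_token_flags(token_info.flags);

	if (!show_mechs) {
		goto finish;
	}

display_mechs:

	if (mechlist == NULL) {
		/* First call sizes the list, the second call fills it in. */
		rv = funcs->C_GetMechanismList(METASLOT_ID, NULL_PTR,
		    &mech_count);
		if (rv != CKR_OK) {
			cryptodebug("C_GetMechanismList failed with error "
			    "code 0x%lx\n", (unsigned long)rv);
			rc = FAILURE;
			goto finish;
		}

		if (mech_count > 0) {
			/*
			 * calloc() checks the count * size product for
			 * overflow; the count comes from the framework.
			 */
			pmech_list = calloc(mech_count, sizeof (*pmech_list));
			if (pmech_list == NULL) {
				cryptodebug("out of memory");
				rc = FAILURE;
				goto finish;
			}
			rv = funcs->C_GetMechanismList(METASLOT_ID, pmech_list,
			    &mech_count);
			if (rv != CKR_OK) {
				cryptodebug("C_GetMechanismList failed with "
				    "error code 0x%lx\n", (unsigned long)rv);
				rc = FAILURE;
				goto finish;
			}
		}
	} else {
		/* convert_mechlist() allocates pmech_list; freed at finish */
		rc = convert_mechlist(&pmech_list, &mech_count, mechlist);
		if (rc != SUCCESS) {
			goto finish;
		}
	}

	(void) printf(gettext("Mechanisms:\n"));
	if (mech_count == 0) {
		/* should never be this case */
		(void) printf(gettext("No mechanisms\n"));
		goto finish;
	}
	if (verbose) {
		display_verbose_mech_header();
	}

	for (i = 0; i < mech_count; i++) {
		CK_MECHANISM_TYPE mech = pmech_list[i];

		/* vendor-defined mechanisms have no name; print the number */
		if (mech > CKM_VENDOR_DEFINED) {
			(void) printf("%#lx", mech);
		} else {
			const char *name = pkcs11_mech2str(mech);

			/* guard against an unnamed mechanism reaching %s */
			(void) printf("%-29s",
			    name != NULL ? name : "unknown");
		}

		if (verbose) {
			CK_MECHANISM_INFO mech_info;

			rv = funcs->C_GetMechanismInfo(METASLOT_ID,
			    mech, &mech_info);
			if (rv != CKR_OK) {
				cryptodebug("C_GetMechanismInfo failed with "
				    "error code 0x%lx\n", (unsigned long)rv);
				rc = FAILURE;
				goto finish;
			}
			display_mech_info(&mech_info);
		}
		(void) printf("\n");
	}

finish:

	if ((rc == FAILURE) && (show_mechs)) {
		(void) printf(gettext(
		    "metaslot: failed to retrieve the mechanism list.\n"));
	}

	/* Tear down in reverse order of acquisition; free(NULL) is a no-op. */
	if (lib_initialized) {
		(void) funcs->C_Finalize(NULL_PTR);
	}

	if (dldesc != NULL) {
		(void) dlclose(dldesc);
	}

	free(pmech_list);

	return (rc);
}

/*
 * Display the mechanism policy recorded for metaslot in pkcs11.conf.
 *
 * Returns FAILURE when there is no metaslot entry, otherwise the result
 * of display_policy().  Only pkcs11.conf is consulted; libpkcs11.so is
 * not loaded.
 */
int
list_metaslot_policy(void)
{
	uentry_t *puent;
	int rc;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	rc = display_policy(puent);
	(void) printf("\n");
	free_uentry(puent);
	return (rc);
}

/*
 * disable metaslot and some of its configuration options
 *
 * If mechlist==NULL, and the other 2 flags are false, just disable
 * the metaslot feature.
 *
 * mechlist: list of mechanisms to disable
 * allflag: if true, indicates all mechanisms should be disabled.
 * auto_key_migrate_flag: if true, indicates auto key migrate should be disabled
 *
 * Returns SUCCESS or FAILURE.  Changes are only made to the in-memory
 * entry until update_pkcs11conf() writes them out; libpkcs11.so is never
 * called on this path.
 */
int
disable_metaslot(mechlist_t *mechlist, boolean_t allflag,
    boolean_t auto_key_migrate_flag)
{
	uentry_t *puent;
	int rc = SUCCESS;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	if ((mechlist == NULL) && (!auto_key_migrate_flag) && (!allflag)) {
		/* disable metaslot */
		puent->flag_metaslot_enabled = B_FALSE;
		goto write_to_file;
	}

	if (auto_key_migrate_flag) {
		/* need to disable auto_key_migrate */
		puent->flag_metaslot_auto_key_migrate = B_FALSE;
	}

	if ((mechlist == NULL) && (!allflag)) {
		goto write_to_file;
	}

	/* disable specified mechanisms */
	if (allflag) {
		/*
		 * An empty policylist with flag_enabledlist set means
		 * "all are disabled, except nothing".
		 */
		free_umechlist(puent->policylist);
		puent->policylist = NULL;
		puent->count = 0;
		puent->flag_enabledlist = B_TRUE;
	} else {
		if (puent->flag_enabledlist == B_TRUE) {
			/*
			 * The current default policy mode
			 * is "all are disabled, except ...", so if a
			 * specified mechanism is in the exception list
			 * (the policylist), delete it from the policylist.
			 */
			rc = update_policylist(puent, mechlist, DELETE_MODE);
		} else {
			/*
			 * The current default policy mode of this library
			 * is "all are enabled", so if a specified mechanism
			 * is not in the exception list (policylist), add
			 * it into the policylist.
			 */
			rc = update_policylist(puent, mechlist, ADD_MODE);
		}
	}

	if (rc != SUCCESS) {
		goto finish;
	}

	/* If all mechanisms are disabled, metaslot will be disabled as well */
	if ((puent->flag_enabledlist) && (puent->count == 0)) {
		puent->flag_metaslot_enabled = B_FALSE;
	}

write_to_file:

	rc = update_pkcs11conf(puent);

finish:
	free_uentry(puent);
	return (rc);
}

/*
 * enable metaslot and some of its configuration options
 *
 * If mechlist==NULL, and the other flags are false, or not specified,
 * just enable the metaslot feature.
 *
 * token: if specified, indicate label of token to be used as keystore.
 * slot: if specified, indicate slot to be used as keystore.
 * use_default: if true, indicate to use the default keystore.  It should
 *	not be specified if either token or slot is specified.
 * mechlist: list of mechanisms to enable
 * allflag: if true, indicates all mechanisms should be enabled.
 * auto_key_migrate_flag: if true, indicates auto key migrate should be enabled
 *
 * Returns SUCCESS or FAILURE.  The keystore fields are zeroed and then
 * filled with strlcpy() bounded by the field size, so an over-long token
 * label or slot description is silently truncated to fit.
 */
int
enable_metaslot(char *token, char *slot, boolean_t use_default,
    mechlist_t *mechlist, boolean_t allflag, boolean_t auto_key_migrate_flag)
{
	uentry_t *puent;
	int rc = SUCCESS;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	puent->flag_metaslot_enabled = B_TRUE;

	if (auto_key_migrate_flag) {
		/* need to enable auto_key_migrate */
		puent->flag_metaslot_auto_key_migrate = B_TRUE;
	}

	if (allflag) {
		/*
		 * If enabling all, what needs to be done are cleaning up the
		 * policylist and setting the "flag_enabledlist" flag to
		 * B_FALSE.
		 */
		free_umechlist(puent->policylist);
		puent->policylist = NULL;
		puent->count = 0;
		puent->flag_enabledlist = B_FALSE;
	} else if (mechlist != NULL) {
		if (puent->flag_enabledlist == B_TRUE) {
			/*
			 * The current default policy mode of this
			 * library is "all are disabled, except ...",
			 * so if a specified mechanism is not in the
			 * exception list (policylist), add it.
			 */
			rc = update_policylist(puent, mechlist, ADD_MODE);
		} else {
			/*
			 * The current default policy mode of this
			 * library is "all are enabled, except", so if
			 * a specified mechanism is in the exception
			 * list (policylist), delete it.
			 */
			rc = update_policylist(puent, mechlist, DELETE_MODE);
		}
	}

	if (rc != SUCCESS) {
		goto finish;
	}

	if (!use_default && !token && !slot) {
		/* no need to change metaslot keystore */
		goto write_to_file;
	}

	/* Clear both fields first so a partial update leaves no stale bytes. */
	(void) bzero((char *)puent->metaslot_ks_token, TOKEN_LABEL_SIZE);
	(void) bzero((char *)puent->metaslot_ks_slot, SLOT_DESCRIPTION_SIZE);

	if (use_default) {
		(void) strlcpy((char *)puent->metaslot_ks_token,
		    SOFT_TOKEN_LABEL, TOKEN_LABEL_SIZE);
		(void) strlcpy((char *)puent->metaslot_ks_slot,
		    SOFT_SLOT_DESCRIPTION, SLOT_DESCRIPTION_SIZE);
	} else {
		if (token) {
			(void) strlcpy((char *)puent->metaslot_ks_token, token,
			    TOKEN_LABEL_SIZE);
		}

		if (slot) {
			(void) strlcpy((char *)puent->metaslot_ks_slot, slot,
			    SLOT_DESCRIPTION_SIZE);
		}
	}

write_to_file:

	rc = update_pkcs11conf(puent);

finish:
	free_uentry(puent);
	return (rc);
}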