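/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Administration for metaslot
 *
 * All the "list" operations call functions in libpkcs11.so.
 * Normally it doesn't make sense to call functions in libpkcs11.so directly,
 * because libpkcs11.so depends on the configuration file (pkcs11.conf) the
 * cryptoadm command is trying to administer.  However, since metaslot
 * is part of the framework, it is not possible to get information about
 * it without actually calling functions in libpkcs11.so.
 *
 * So, for the listing operation, which won't modify the value of pkcs11.conf,
 * it is safe to call libpkcs11.so.  Note that this means a verbose or
 * mechanism listing initializes the framework in the cryptoadm process
 * (presumably loading whatever providers pkcs11.conf names) -- the
 * "actual status" it reports is what the framework exposes at run time,
 * which can differ from the configured "Status".
 *
 * For other operations that modify the pkcs11.conf file, libpkcs11.so
 * will not be called.
 */

#include <cryptoutil.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <libintl.h>
#include <dlfcn.h>
#include <link.h>
#include <strings.h>
#include <security/cryptoki.h>
#include "cryptoadm.h"

/* metaslot is always slot 0 in the framework's slot list */
#define	METASLOT_ID	0

/*
 * Print the metaslot settings recorded in pkcs11.conf: enabled flag,
 * automatic key-migration flag and, when set, the keystore slot/token.
 * This is the configured state only; it does not touch libpkcs11.so.
 *
 * puent: the METASLOT_KEYWORD entry, read only.
 */
static void
display_metaslot_config(uentry_t *puent)
{
	/*
	 * The keystore fields are fixed-size byte arrays that may not be
	 * NUL-terminated (they are NUL-terminated when written by
	 * enable_metaslot(), but the config parser is not visible here),
	 * so they are copied into terminated buffers before printing.
	 * zeros must be at least as large as either field constant.
	 */
	char zeros[128];
	char slot_desc[SLOT_DESCRIPTION_SIZE + 1];
	char token_label[TOKEN_LABEL_SIZE + 1];

	(void) printf(gettext("System-wide Meta Slot Configuration:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("------------------------------------\n"));
	(void) printf(gettext("Status: %s\n"), puent->flag_metaslot_enabled ?
	    gettext("enabled") : gettext("disabled"));
	(void) printf(gettext("Sensitive Token Object Automatic Migrate: %s\n"),
	    puent->flag_metaslot_auto_key_migrate ? gettext("enabled") :
	    gettext("disabled"));

	bzero(zeros, sizeof (zeros));

	/* An all-zero field means "not configured". */
	if (memcmp(puent->metaslot_ks_slot, zeros,
	    SLOT_DESCRIPTION_SIZE) != 0) {
		(void) memcpy(slot_desc, puent->metaslot_ks_slot,
		    SLOT_DESCRIPTION_SIZE);
		slot_desc[SLOT_DESCRIPTION_SIZE] = '\0';
		(void) printf(gettext("Persistent object store slot: %s\n"),
		    slot_desc);
	}

	if (memcmp(puent->metaslot_ks_token, zeros, TOKEN_LABEL_SIZE) != 0) {
		(void) memcpy(token_label, puent->metaslot_ks_token,
		    TOKEN_LABEL_SIZE);
		token_label[TOKEN_LABEL_SIZE] = '\0';
		(void) printf(gettext("Persistent object store token: %s\n"),
		    token_label);
	}
}

/*
 * Load the PKCS#11 framework library (UEF_FRAME_LIB), fetch its function
 * list and run C_Initialize().
 *
 * On SUCCESS, *dlp holds the dlopen() handle and *funcsp the initialized
 * function list; the caller must C_Finalize() and dlclose() them.
 * On FAILURE nothing is left open and neither output is written.
 */
static int
load_framework(void **dlp, CK_FUNCTION_LIST_PTR *funcsp)
{
	CK_RV (*get_func_list)(CK_FUNCTION_LIST_PTR_PTR);
	CK_FUNCTION_LIST_PTR funcs = NULL;
	void *dldesc;
	CK_RV rv;

	dldesc = dlopen(UEF_FRAME_LIB, RTLD_NOW);
	if (dldesc == NULL) {
		/* dlerror() may legitimately return NULL */
		char *dl_error = dlerror();

		cryptodebug("Cannot load PKCS#11 framework library. "
		    "dlerror:%s", dl_error != NULL ? dl_error : "unknown");
		return (FAILURE);
	}

	get_func_list = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))dlsym(dldesc,
	    "C_GetFunctionList");
	if (get_func_list == NULL) {
		cryptodebug("Cannot get the address of the C_GetFunctionList "
		    "from framework");
		(void) dlclose(dldesc);
		return (FAILURE);
	}

	rv = get_func_list(&funcs);
	if (rv != CKR_OK) {
		cryptodebug("failed to call C_GetFunctionList in "
		    "framework library");
		(void) dlclose(dldesc);
		return (FAILURE);
	}

	/* CK_RV is an unsigned long; print it with a matching conversion */
	rv = funcs->C_Initialize(NULL_PTR);
	if (rv != CKR_OK) {
		cryptodebug("C_Initialize failed with error code 0x%lx\n",
		    (unsigned long)rv);
		(void) dlclose(dldesc);
		return (FAILURE);
	}

	*dlp = dldesc;
	*funcsp = funcs;
	return (SUCCESS);
}

/*
 * Print the mechanisms offered by metaslot, one per line.
 *
 * funcs:    initialized framework function list.
 * verbose:  also print each mechanism's C_GetMechanismInfo() data.
 * mechlist: if non-NULL, the caller-selected mechanisms to show; if NULL
 *           the full list is fetched from the framework.
 *
 * Returns SUCCESS, or FAILURE if the framework or convert_mechlist() fails.
 */
static int
display_metaslot_mechs(CK_FUNCTION_LIST_PTR funcs, boolean_t verbose,
    mechlist_t *mechlist)
{
	CK_MECHANISM_TYPE_PTR pmech_list = NULL;
	CK_ULONG mech_count = 0;
	CK_ULONG i;
	CK_RV rv;
	int rc = SUCCESS;

	if (mechlist != NULL) {
		rc = convert_mechlist(&pmech_list, &mech_count, mechlist);
		if (rc != SUCCESS) {
			goto done;
		}
	} else {
		/* first call sizes the list, second call fills it */
		rv = funcs->C_GetMechanismList(METASLOT_ID, NULL_PTR,
		    &mech_count);
		if (rv != CKR_OK) {
			cryptodebug("C_GetMechanismList failed with error "
			    "code 0x%lx\n", (unsigned long)rv);
			rc = FAILURE;
			goto done;
		}

		if (mech_count > 0) {
			pmech_list = calloc(mech_count,
			    sizeof (CK_MECHANISM_TYPE));
			if (pmech_list == NULL) {
				cryptodebug("out of memory");
				rc = FAILURE;
				goto done;
			}
			rv = funcs->C_GetMechanismList(METASLOT_ID, pmech_list,
			    &mech_count);
			if (rv != CKR_OK) {
				cryptodebug("C_GetMechanismList failed with "
				    "error code 0x%lx\n", (unsigned long)rv);
				rc = FAILURE;
				goto done;
			}
		}
	}

	(void) printf(gettext("Mechanisms:\n"));
	if (mech_count == 0) {
		/* not expected: an enabled metaslot always has mechanisms */
		(void) printf(gettext("No mechanisms\n"));
		goto done;
	}
	if (verbose) {
		display_verbose_mech_header();
	}

	for (i = 0; i < mech_count; i++) {
		CK_MECHANISM_TYPE mech = pmech_list[i];
		const char *name = NULL;

		/*
		 * Vendor-defined mechanisms have no canonical name and are
		 * printed numerically.  A standard value pkcs11_mech2str()
		 * does not know is printed the same way instead of handing
		 * printf a NULL pointer.
		 */
		if (mech < CKM_VENDOR_DEFINED) {
			name = pkcs11_mech2str(mech);
		}
		if (name != NULL) {
			(void) printf("%-29s", name);
		} else {
			(void) printf("%#lx", (unsigned long)mech);
		}

		if (verbose) {
			CK_MECHANISM_INFO mech_info;

			rv = funcs->C_GetMechanismInfo(METASLOT_ID, mech,
			    &mech_info);
			if (rv != CKR_OK) {
				cryptodebug("C_GetMechanismInfo failed with "
				    "error code 0x%lx\n", (unsigned long)rv);
				rc = FAILURE;
				goto done;
			}
			display_mech_info(&mech_info);
		}
		(void) printf("\n");
	}

done:
	free(pmech_list);
	return (rc);
}

/*
 * "cryptoadm list [-m] [-v] metaslot": print the configured metaslot
 * settings and, if show_mechs or verbose is set, query libpkcs11.so for
 * metaslot's actual state, token details and mechanisms.
 *
 * show_mechs: list mechanisms (all of them, or those in mechlist).
 * verbose:    print slot/token details and per-mechanism info.
 * mechlist:   optional caller-selected mechanisms; NULL means all.
 *
 * Returns SUCCESS or FAILURE.
 */
int
list_metaslot_info(boolean_t show_mechs, boolean_t verbose,
    mechlist_t *mechlist)
{
	int rc = SUCCESS;
	CK_RV rv;
	CK_SLOT_INFO slot_info;
	CK_TOKEN_INFO token_info;
	CK_FUNCTION_LIST_PTR funcs = NULL;
	void *dldesc = NULL;
	uentry_t *puent;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	display_metaslot_config(puent);

	/* nothing below reads the config entry; release it now */
	free_uentry(puent);
	puent = NULL;

	if (!verbose && !show_mechs) {
		return (SUCCESS);
	}

	if (verbose) {
		(void) printf(gettext("\nDetailed Meta Slot Information:\n"));
		/*
		 * TRANSLATION_NOTE
		 * Strictly for appearance's sake, this line should be as
		 * long as the length of the translated text above.
		 */
		(void) printf(gettext("-------------------------------\n"));
	}

	/*
	 * Everything from here on needs the framework itself.
	 */
	if (load_framework(&dldesc, &funcs) != SUCCESS) {
		rc = FAILURE;
		goto finish;
	}

	/*
	 * metaslot is slot 0 in the framework, so C_GetSlotInfo() on it
	 * tells us whether metaslot is really enabled: CKR_SLOT_ID_INVALID
	 * means it is not.
	 */
	rv = funcs->C_GetSlotInfo(METASLOT_ID, &slot_info);
	if (rv == CKR_SLOT_ID_INVALID) {
		(void) printf(gettext("actual status: disabled.\n"));
		/*
		 * Even with -m and -v there is nothing interesting to show
		 * about a disabled metaslot, so stop here.
		 */
		goto finish;
	}
	if (rv != CKR_OK) {
		cryptodebug("C_GetSlotInfo failed with error "
		    "code 0x%lx\n", (unsigned long)rv);
		rc = FAILURE;
		goto finish;
	}

	if (verbose) {
		(void) printf(gettext("actual status: enabled.\n"));

		/* PKCS#11 strings are fixed-width and not NUL-terminated */
		(void) printf(gettext("Description: %.64s\n"),
		    slot_info.slotDescription);
		(void) printf(gettext("Token Present: %s\n"),
		    (slot_info.flags & CKF_TOKEN_PRESENT) ?
		    gettext("True") : gettext("False"));

		rv = funcs->C_GetTokenInfo(METASLOT_ID, &token_info);
		if (rv != CKR_OK) {
			cryptodebug("C_GetTokenInfo failed with error "
			    "code 0x%lx\n", (unsigned long)rv);
			rc = FAILURE;
			goto finish;
		}

		/*
		 * ulMinPinLen/ulMaxPinLen are CK_ULONG; they are cast to int
		 * to match the %d conversions in the translatable string.
		 */
		(void) printf(gettext("Token Label: %.32s\n"
		    "Manufacturer ID: %.32s\n"
		    "Model: %.16s\n"
		    "Serial Number: %.16s\n"
		    "Hardware Version: %d.%d\n"
		    "Firmware Version: %d.%d\n"
		    "UTC Time: %.16s\n"
		    "PIN Min Length: %d\n"
		    "PIN Max Length: %d\n"),
		    token_info.label,
		    token_info.manufacturerID,
		    token_info.model,
		    token_info.serialNumber,
		    token_info.hardwareVersion.major,
		    token_info.hardwareVersion.minor,
		    token_info.firmwareVersion.major,
		    token_info.firmwareVersion.minor,
		    token_info.utcTime,
		    (int)token_info.ulMinPinLen,
		    (int)token_info.ulMaxPinLen);

		display_token_flags(token_info.flags);
	}

	if (show_mechs) {
		rc = display_metaslot_mechs(funcs, verbose, mechlist);
	}

finish:
	if (rc == FAILURE && show_mechs) {
		(void) printf(gettext(
		    "metaslot: failed to retrieve the mechanism list.\n"));
	}

	/* funcs is only set once C_Initialize() succeeded */
	if (funcs != NULL) {
		(void) funcs->C_Finalize(NULL_PTR);
	}
	if (dldesc != NULL) {
		(void) dlclose(dldesc);
	}

	return (rc);
}

/*
 * "cryptoadm list -p metaslot": print metaslot's mechanism policy from
 * pkcs11.conf.  Returns the result of display_policy(), or FAILURE if
 * there is no metaslot entry.
 */
int
list_metaslot_policy()
{
	uentry_t *puent;
	int rc;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	rc = display_policy(puent);
	(void) printf("\n");
	free_uentry(puent);
	return (rc);
}

/*
 * Disable metaslot, or some of its configuration options, in pkcs11.conf.
 *
 * If mechlist == NULL and both flags are false, just disable the metaslot
 * feature itself; the policy list and keystore settings are left alone.
 *
 * mechlist:              list of mechanisms to disable.
 * allflag:               if true, all mechanisms are disabled.
 * auto_key_migrate_flag: if true, automatic key migration is disabled.
 *
 * Returns SUCCESS, or FAILURE from update_policylist()/update_pkcs11conf()
 * or when the metaslot entry is missing.
 */
int
disable_metaslot(mechlist_t *mechlist, boolean_t allflag,
    boolean_t auto_key_migrate_flag)
{
	uentry_t *puent;
	int rc = SUCCESS;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	if (mechlist == NULL && !auto_key_migrate_flag && !allflag) {
		/* plain "disable metaslot" */
		puent->flag_metaslot_enabled = B_FALSE;
		goto write_to_file;
	}

	if (auto_key_migrate_flag) {
		puent->flag_metaslot_auto_key_migrate = B_FALSE;
	}

	if (mechlist == NULL && !allflag) {
		/* only the auto-migrate flag changed */
		goto write_to_file;
	}

	if (allflag) {
		/*
		 * "All disabled" is an empty exception list in
		 * enabled-list mode.
		 */
		free_umechlist(puent->policylist);
		puent->policylist = NULL;
		puent->count = 0;
		puent->flag_enabledlist = B_TRUE;
	} else if (puent->flag_enabledlist == B_TRUE) {
		/*
		 * Current policy mode is "all are disabled, except ...":
		 * drop the named mechanisms from the exception list.
		 */
		rc = update_policylist(puent, mechlist, DELETE_MODE);
	} else {
		/*
		 * Current policy mode is "all are enabled, except ...":
		 * add the named mechanisms to the exception list.
		 */
		rc = update_policylist(puent, mechlist, ADD_MODE);
	}

	if (rc != SUCCESS) {
		goto finish;
	}

	/* with every mechanism disabled, metaslot itself is useless */
	if (puent->flag_enabledlist && puent->count == 0) {
		puent->flag_metaslot_enabled = B_FALSE;
	}

write_to_file:
	rc = update_pkcs11conf(puent);

finish:
	free_uentry(puent);
	return (rc);
}

/*
 * Enable metaslot, and optionally some of its configuration options, in
 * pkcs11.conf.
 *
 * If mechlist == NULL and the other flags are false, just enable the
 * metaslot feature.
 *
 * token:                 if non-NULL, label of the token to use as keystore.
 * slot:                  if non-NULL, description of the slot to use as
 *                        keystore.
 * use_default:           if true, use the default (softtoken) keystore.
 *                        It takes precedence over token/slot and should
 *                        not be combined with them.
 * mechlist:              list of mechanisms to enable.
 * allflag:               if true, all mechanisms are enabled.
 * auto_key_migrate_flag: if true, automatic key migration is enabled.
 *
 * A token label or slot description longer than its field is rejected
 * rather than silently truncated, since a truncated name would make
 * metaslot look for a keystore that does not exist.
 *
 * Returns SUCCESS, or FAILURE from update_policylist()/update_pkcs11conf(),
 * when a keystore name is too long, or when the metaslot entry is missing.
 */
int
enable_metaslot(char *token, char *slot, boolean_t use_default,
    mechlist_t *mechlist, boolean_t allflag, boolean_t auto_key_migrate_flag)
{
	uentry_t *puent;
	int rc = SUCCESS;

	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("metaslot entry doesn't exist."));
		return (FAILURE);
	}

	puent->flag_metaslot_enabled = B_TRUE;

	if (auto_key_migrate_flag) {
		puent->flag_metaslot_auto_key_migrate = B_TRUE;
	}

	if (allflag) {
		/*
		 * "All enabled" is an empty exception list in
		 * disabled-list mode.
		 */
		free_umechlist(puent->policylist);
		puent->policylist = NULL;
		puent->count = 0;
		puent->flag_enabledlist = B_FALSE;
	} else if (mechlist != NULL) {
		if (puent->flag_enabledlist == B_TRUE) {
			/*
			 * Current policy mode is "all are disabled,
			 * except ...": add the named mechanisms to the
			 * exception list.
			 */
			rc = update_policylist(puent, mechlist, ADD_MODE);
		} else {
			/*
			 * Current policy mode is "all are enabled,
			 * except ...": drop the named mechanisms from
			 * the exception list.
			 */
			rc = update_policylist(puent, mechlist, DELETE_MODE);
		}
	}

	if (rc != SUCCESS) {
		goto finish;
	}

	if (!use_default && token == NULL && slot == NULL) {
		/* keystore selection unchanged */
		goto write_to_file;
	}

	/*
	 * The keystore is replaced wholesale: whichever of token/slot is
	 * not given ends up cleared.
	 */
	(void) bzero((char *)puent->metaslot_ks_token, TOKEN_LABEL_SIZE);
	(void) bzero((char *)puent->metaslot_ks_slot, SLOT_DESCRIPTION_SIZE);

	if (use_default) {
		(void) strlcpy((char *)puent->metaslot_ks_token,
		    SOFT_TOKEN_LABEL, TOKEN_LABEL_SIZE);
		(void) strlcpy((char *)puent->metaslot_ks_slot,
		    SOFT_SLOT_DESCRIPTION, SLOT_DESCRIPTION_SIZE);
	} else {
		/* strlcpy() returns the source length; >= size means truncated */
		if (token != NULL &&
		    strlcpy((char *)puent->metaslot_ks_token, token,
		    TOKEN_LABEL_SIZE) >= TOKEN_LABEL_SIZE) {
			cryptoerror(LOG_STDERR,
			    gettext("token label \"%s\" is too long."), token);
			rc = FAILURE;
			goto finish;
		}

		if (slot != NULL &&
		    strlcpy((char *)puent->metaslot_ks_slot, slot,
		    SLOT_DESCRIPTION_SIZE) >= SLOT_DESCRIPTION_SIZE) {
			cryptoerror(LOG_STDERR,
			    gettext("slot description \"%s\" is too long."),
			    slot);
			rc = FAILURE;
			goto finish;
		}
	}

write_to_file:
	rc = update_pkcs11conf(puent);

finish:
	free_uentry(puent);
	return (rc);
}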