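/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

/*
 * digest.c
 *
 * Implements digest(1) and mac(1) commands
 * If command name is mac, performs mac operation
 * else perform digest operation
 *
 * See the man pages for digest and mac for details on
 * how these commands work.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <ctype.h>
#include <strings.h>
#include <libintl.h>
#include <libgen.h>
#include <locale.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <security/cryptoki.h>
#include <limits.h>
#include <cryptoutil.h>
#include <kmfapi.h>

#define	BUFFERSIZE (4096)		/* Buffer size for reading file */

/*
 * RESULTLEN - large enough size in bytes to hold result for
 * digest and mac results for all mechanisms
 */
#define	RESULTLEN (512)

/*
 * Default parameters for PBKDF2 algorithm (used when a MAC key is
 * derived from a passphrase rather than read from -k or a -K token
 * object).  NOTE(review): 1000 iterations is low by current guidance;
 * changing it (or the fixed salt in execute_cmd()) changes the derived
 * key, so MACs previously produced from the same passphrase would no
 * longer match.
 */
#define	PBKD2_ITERATIONS (1000)
#define	PBKD2_SALT_SIZE 16

/*
 * Exit Status codes
 */
#ifndef EXIT_SUCCESS
#define	EXIT_SUCCESS	0	/* No errors */
#define	EXIT_FAILURE	1	/* All errors except usage */
#endif /* EXIT_SUCCESS */

#define	EXIT_USAGE	2	/* usage/syntax error */

#define	MAC_NAME	"mac"		/* name of mac command */
#define	MAC_OPTIONS	"lva:k:T:K:"	/* for getopt */
#define	DIGEST_NAME	"digest"	/* name of digest command */
#define	DIGEST_OPTIONS	"lva:"		/* for getopt */
#define	DEFAULT_TOKEN_PROMPT	"Enter PIN for %s: "	/* PIN prompt format */
#define	PK_DEFAULT_PK11TOKEN	SOFT_TOKEN_LABEL	/* token when -K lacks -T */

/*
 * Command-line state.  main() sets these from getopt(3C) and
 * execute_cmd() reads them.
 */
static boolean_t vflag = B_FALSE;	/* -v (verbose) flag, optional */
static boolean_t aflag = B_FALSE;	/* -a <algorithm> flag, required */
static boolean_t lflag = B_FALSE;	/* -l flag, for mac and digest */
static boolean_t kflag = B_FALSE;	/* -k <keyfile> given (mac only) */
static boolean_t Tflag = B_FALSE;	/* -T <tokenspec> given; needs -K */
static boolean_t Kflag = B_FALSE;	/* -K <keylabel> given; excludes -k */

static char *keyfile = NULL;		/* name of keyfile */
static char *token_label = NULL;	/* -T operand; NULL means default token */
static char *key_label = NULL;		/* -K operand: CKA_LABEL of the MAC key */

static CK_BYTE buf[BUFFERSIZE];		/* file read buffer, BUFFERSIZE bytes */

/*
 * One supported mechanism.  keysize_min/keysize_max start at the
 * sentinels ULONG_MAX/0 and are narrowed by the -l probe in
 * execute_cmd(); algorithm_list() prints a size range only when both
 * were changed.  keysize_unit converts the reported sizes to bits.
 */
struct mech_alias {
	CK_MECHANISM_TYPE type;
	char *alias;
	CK_ULONG keysize_min;
	CK_ULONG keysize_max;
	int keysize_unit;
	boolean_t available;
};

#define	MECH_ALIASES_COUNT	11	/* must equal the entries in mech_aliases[] */

static struct mech_alias mech_aliases[] = {
	{ CKM_SHA_1, "sha1", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_MD5, "md5", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_DES_MAC, "des_mac", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA_1_HMAC, "sha1_hmac", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_MD5_HMAC, "md5_hmac", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA256, "sha256", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA384, "sha384", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA512, "sha512", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA256_HMAC, "sha256_hmac", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA384_HMAC, "sha384_hmac", ULONG_MAX, 0L, 8, B_FALSE },
	{ CKM_SHA512_HMAC, "sha512_hmac", ULONG_MAX, 0L, 8, B_FALSE }
};

/*
 * CK_TRUE value shared by the attribute templates in this file
 * (get_token_key() shadows it with a local of the same value).
 */
static CK_BBOOL true = TRUE;

static void usage(boolean_t mac_cmd);
static int execute_cmd(char *algo_str, int filecount,
	char **filelist, boolean_t mac_cmd);
static CK_RV do_mac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pmech,
	int fd, CK_OBJECT_HANDLE key, CK_BYTE_PTR *psignature,
	CK_ULONG_PTR psignaturelen);
static CK_RV do_digest(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pmech,
	int fd, CK_BYTE_PTR *pdigest, CK_ULONG_PTR pdigestlen);
static int getkey(char *filename, CK_BYTE_PTR *pkeydata);
static int getpasswd(char *token_spec, CK_BYTE_PTR *pdata, CK_ULONG_PTR psize);

/*
 * Entry point for both digest(1) and mac(1).
 *
 * The operation is chosen from basename(argv[0]): MAC_NAME selects the
 * MAC operation, DIGEST_NAME the digest operation, anything else is a
 * usage error.  Options are parsed with the matching getopt string, the
 * file-scope flag variables are set, and the remaining operands are
 * passed to execute_cmd() as the file list (NULL when there are none,
 * which execute_cmd() treats as stdin).
 *
 * Argument rules enforced here (any violation prints usage and exits
 * with EXIT_USAGE):
 *   - at least one of -a <algorithm> or -l must be given;
 *   - -l must be the only argument;
 *   - -k and -K are mutually exclusive;
 *   - -T is only accepted together with -K.
 *
 * Returns the exit status of execute_cmd().
 */
int
main(int argc, char **argv)
{

	extern char *optarg;
	extern int optind;
	int errflag = 0;	/* We had an optstr parse error */
	int c;			/* current getopts flag; int so that the -1
				 * end marker compares correctly even where
				 * char is unsigned */
	char *algo_str = NULL;	/* mechanism/algorithm string; stays NULL
				 * when only -l is given */
	int filecount;
	boolean_t mac_cmd;	/* if TRUE, do mac, else do digest */
	char *optstr;
	char **filelist;	/* list of files */
	char *cmdname = NULL;	/* name of command */

	(void) setlocale(LC_ALL, "");
#if !defined(TEXT_DOMAIN)	/* Should be defined by cc -D */
#define	TEXT_DOMAIN "SYS_TEST"	/* Use this only if it weren't */
#endif
	(void) textdomain(TEXT_DOMAIN);

	/*
	 * Based on command name, determine
	 * type of command. mac is mac
	 * everything else is digest.
	 */
	cmdname = basename(argv[0]);

	cryptodebug_init(cmdname);

	if (strcmp(cmdname, MAC_NAME) == 0)
		mac_cmd = B_TRUE;
	else if (strcmp(cmdname, DIGEST_NAME) == 0)
		mac_cmd = B_FALSE;
	else {
		cryptoerror(LOG_STDERR, gettext(
		    "command name must be either digest or mac\n"));
		exit(EXIT_USAGE);
	}

	/* -k, -T and -K exist only for mac */
	if (mac_cmd) {
		optstr = MAC_OPTIONS;
	} else {
		optstr = DIGEST_OPTIONS;
	}

	/* Parse command line arguments */
	while (!errflag && (c = getopt(argc, argv, optstr)) != -1) {

		switch (c) {
		case 'v':
			vflag = B_TRUE;
			break;
		case 'a':
			aflag = B_TRUE;
			algo_str = optarg;
			break;
		case 'k':
			kflag = B_TRUE;
			keyfile = optarg;
			break;
		case 'l':
			lflag = B_TRUE;
			break;
		case 'T':
			Tflag = B_TRUE;
			token_label = optarg;
			break;
		case 'K':
			Kflag = B_TRUE;
			key_label = optarg;
			break;
		default:
			errflag++;
		}
	}

	/* Validate the option combination; see the rules in the header */
	filecount = argc - optind;
	if (errflag || (!aflag && !lflag) || (lflag && argc > 2) ||
	    (kflag && Kflag) || (Tflag && !Kflag) || filecount < 0) {
		usage(mac_cmd);
		exit(EXIT_USAGE);
	}

	if (filecount == 0) {
		filelist = NULL;
	} else {
		filelist = &argv[optind];
	}

	return (execute_cmd(algo_str, filecount, filelist, mac_cmd));
}

/*
 * usage message for digest/mac
 *
 * mac_cmd - B_TRUE prints the mac(1) synopsis, B_FALSE the digest(1) one.
 * Output goes to stderr; the caller decides the exit status.
 */
static void
usage(boolean_t mac_cmd)
{
	(void) fprintf(stderr, gettext("Usage:\n"));
	if (mac_cmd) {
		(void) fprintf(stderr, gettext(" mac -l\n"));
		(void) fprintf(stderr, gettext(" mac [-v] -a <algorithm> "
		    "[-k <keyfile> | -K <keylabel> [-T <tokenspec>]] "
		    "[file...]\n"));
	} else {
		(void) fprintf(stderr, gettext(" digest -l | [-v] "
		    "-a <algorithm> [file...]\n"));
	}
}

/*
 * Print out list of available algorithms.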
 *
 * mac_cmd - B_TRUE prints a header and one "alias min max" row per
 *           mechanism (sizes multiplied by keysize_unit to give bits);
 *           B_FALSE prints bare alias names.
 *
 * Only entries whose 'available' flag was set by the -l probe in
 * execute_cmd() are listed.  A size range is printed only when that
 * probe narrowed both sentinels (keysize_min from ULONG_MAX and
 * keysize_max from 0); otherwise the row ends after the alias.
 */
static void
algorithm_list(boolean_t mac_cmd)
{
	int mech;

	if (mac_cmd)
		(void) printf(gettext("Algorithm Keysize: Min "
		    "Max (bits)\n"
		    "------------------------------------------\n"));

	for (mech = 0; mech < MECH_ALIASES_COUNT; mech++) {

		if (mech_aliases[mech].available == B_FALSE)
			continue;

		if (mac_cmd) {
			(void) printf("%-15s", mech_aliases[mech].alias);

			/* both sentinels must have been replaced */
			if (mech_aliases[mech].keysize_min != ULONG_MAX &&
			    mech_aliases[mech].keysize_max != 0)
				(void) printf(" %5lu %5lu\n",
				    (mech_aliases[mech].keysize_min *
				    mech_aliases[mech].keysize_unit),
				    (mech_aliases[mech].keysize_max *
				    mech_aliases[mech].keysize_unit));
			else
				(void) printf("\n");

		} else
			(void) printf("%s\n", mech_aliases[mech].alias);

	}
}

/*
 * generate_pkcs5_key: derive a secret key from a passphrase with
 * CKM_PKCS5_PBKD2 (PBKDF2, PRF fixed to HMAC-SHA1) and create it as a
 * key object usable for signing.
 *
 * hSession    - open PKCS#11 session on the slot that will do the MAC
 * pSaltData   - salt bytes, saltLen of them.  The caller in
 *               execute_cmd() passes a fixed salt so that the same
 *               passphrase always derives the same key.
 * iterations  - PBKDF2 iteration count (PBKD2_ITERATIONS by default)
 * pkeydata    - the passphrase; passwd_size is its length in bytes
 * keytype     - CKA_KEY_TYPE for the new key
 * keylen      - desired key length in bytes; when 0 no CKA_VALUE_LEN
 *               attribute is placed in the template
 * hKey        - out: handle of the generated key
 *
 * The template sets no CKA_TOKEN, so the key is a session object under
 * the PKCS#11 default.  Returns the CK_RV from C_GenerateKey().
 */
static CK_RV
generate_pkcs5_key(CK_SESSION_HANDLE hSession,
		CK_BYTE_PTR	pSaltData,
		CK_ULONG	saltLen,
		CK_ULONG	iterations,
		CK_BYTE_PTR	pkeydata, /* user entered passphrase */
		CK_KEY_TYPE	keytype,
		CK_ULONG	passwd_size,
		CK_ULONG	keylen,	/* desired length of generated key */
		CK_OBJECT_HANDLE *hKey)
{
	CK_RV rv;
	CK_PKCS5_PBKD2_PARAMS params;
	CK_MECHANISM mechanism;
	CK_OBJECT_CLASS class = CKO_SECRET_KEY;
	CK_ATTRIBUTE tmpl[4];
	int attrs = 0;

	tmpl[attrs].type = CKA_CLASS;
	tmpl[attrs].pValue = &class;
	tmpl[attrs].ulValueLen = sizeof (class);
	attrs++;

	tmpl[attrs].type = CKA_KEY_TYPE;
	tmpl[attrs].pValue = &keytype;
	tmpl[attrs].ulValueLen = sizeof (keytype);
	attrs++;

	/* the derived key is only ever used for MAC (sign) operations */
	tmpl[attrs].type = CKA_SIGN;
	tmpl[attrs].pValue = &true;
	tmpl[attrs].ulValueLen = sizeof (CK_BBOOL);
	attrs++;

	if (keylen > 0) {
		tmpl[attrs].type = CKA_VALUE_LEN;
		tmpl[attrs].pValue = &keylen;
		tmpl[attrs].ulValueLen = sizeof (keylen);
		attrs++;
	}

	params.saltSource = CKZ_SALT_SPECIFIED;
	params.pSaltSourceData = (void *)pSaltData;
	params.ulSaltSourceDataLen = saltLen;
	params.iterations = iterations;
	params.prf = CKP_PKCS5_PBKD2_HMAC_SHA1;
	params.pPrfData = NULL;
	params.ulPrfDataLen = 0;
	params.pPassword = (CK_UTF8CHAR_PTR)pkeydata;
	/*
	 * ulPasswordLen is declared as a pointer in this version of
	 * cryptoki.h, hence the address-of.  passwd_size is a parameter,
	 * so the pointer stays valid for the whole C_GenerateKey() call.
	 */
	params.ulPasswordLen = &passwd_size;

	mechanism.mechanism = CKM_PKCS5_PBKD2;
	mechanism.pParameter = &params;
	mechanism.ulParameterLen = sizeof (params);

	rv = C_GenerateKey(hSession, &mechanism, tmpl,
	    attrs, hKey);

	return (rv);
}


/*
 * get_token_key: log in to the token behind hSession and look up a
 * secret key by label.
 *
 * hSession     - session on the slot holding the token
 * keytype      - required CKA_KEY_TYPE of the key
 * keylabel     - CKA_LABEL to match; the NUL terminator is not part of
 *                the attribute value
 * password     - user PIN, password_len bytes, handed to C_Login().  The
 *                buffer belongs to the caller; it is neither freed nor
 *                zeroed here.
 * keyobj       - out: handle of the first matching object
 *
 * The search template asks for token-resident (CKA_TOKEN) private
 * (CKA_PRIVATE) secret keys; private objects are only visible after a
 * successful C_Login(), which is why the login comes first.  No
 * C_Logout() is done here; the session stays logged in until closed.
 *
 * Returns 0 on success and -1 on any failure (login error, search
 * error, or no matching object) after printing a message to stderr.
 * The caller in execute_cmd() stores the result in a CK_RV and tests
 * it against CKR_OK, which works because -1 is nonzero.
 * NOTE(review): unlike the rest of the file, the messages below are
 * not passed through gettext().
 */
static int
get_token_key(CK_SESSION_HANDLE hSession, CK_KEY_TYPE keytype,
    char *keylabel, CK_BYTE *password, int password_len,
    CK_OBJECT_HANDLE *keyobj)
{
	CK_RV rv;
	CK_ATTRIBUTE pTmpl[10];		/* five entries used below */
	CK_OBJECT_CLASS class = CKO_SECRET_KEY;
	CK_BBOOL true = 1;		/* shadows the file-scope 'true'; same value */
	CK_BBOOL is_token = 1;
	CK_ULONG key_obj_count = 1;	/* handles returned by C_FindObjects() */
	int i;
	CK_KEY_TYPE ckKeyType = keytype;


	rv = C_Login(hSession, CKU_USER, (CK_UTF8CHAR_PTR)password,
	    password_len);
	if (rv != CKR_OK) {
		(void) fprintf(stderr, "Cannot login to the token."
		    " error = %s\n", pkcs11_strerror(rv));
		return (-1);
	}

	i = 0;
	pTmpl[i].type = CKA_TOKEN;
	pTmpl[i].pValue = &is_token;
	pTmpl[i].ulValueLen = sizeof (CK_BBOOL);
	i++;

	pTmpl[i].type = CKA_CLASS;
	pTmpl[i].pValue = &class;
	pTmpl[i].ulValueLen = sizeof (class);
	i++;

	pTmpl[i].type = CKA_LABEL;
	pTmpl[i].pValue = keylabel;
	pTmpl[i].ulValueLen = strlen(keylabel);
	i++;

	pTmpl[i].type = CKA_KEY_TYPE;
	pTmpl[i].pValue = &ckKeyType;
	pTmpl[i].ulValueLen = sizeof (ckKeyType);
	i++;

	pTmpl[i].type = CKA_PRIVATE;
	pTmpl[i].pValue = &true;
	pTmpl[i].ulValueLen = sizeof (true);
	i++;

	rv = C_FindObjectsInit(hSession, pTmpl, i);
	if (rv != CKR_OK) {
		/* no FindObjectsFinal: the search was never started */
		goto out;
	}

	/* take the first match only; the C_FindObjectsFinal result is ignored */
	rv = C_FindObjects(hSession, keyobj, 1, &key_obj_count);
	(void) C_FindObjectsFinal(hSession);

out:
	if (rv != CKR_OK) {
		(void) fprintf(stderr,
		    "Cannot retrieve key object. error = %s\n",
		    pkcs11_strerror(rv));
		return (-1);
	}

	if (key_obj_count == 0) {
		(void) fprintf(stderr, "Cannot find the key object.\n");
		return (-1);
	}

	return (0);
}


/*
 * Execute the command.
 *	algo_str - name of algorithm
 *	filecount - no.
of files to process, if 0, use stdin 4250Sstevel@tonic-gate * filelist - list of files 4260Sstevel@tonic-gate * mac_cmd - if true do mac else do digest 4270Sstevel@tonic-gate */ 4280Sstevel@tonic-gate static int 4290Sstevel@tonic-gate execute_cmd(char *algo_str, int filecount, char **filelist, boolean_t mac_cmd) 4300Sstevel@tonic-gate { 4310Sstevel@tonic-gate int fd; 4320Sstevel@tonic-gate char *filename = NULL; 4330Sstevel@tonic-gate CK_RV rv; 4340Sstevel@tonic-gate CK_ULONG slotcount; 4350Sstevel@tonic-gate CK_SLOT_ID slotID; 4360Sstevel@tonic-gate CK_SLOT_ID_PTR pSlotList = NULL; 4370Sstevel@tonic-gate CK_MECHANISM_TYPE mech_type; 4380Sstevel@tonic-gate CK_MECHANISM_INFO info; 4390Sstevel@tonic-gate CK_MECHANISM mech; 4400Sstevel@tonic-gate CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE; 4410Sstevel@tonic-gate CK_BYTE_PTR resultbuf = NULL; 4420Sstevel@tonic-gate CK_ULONG resultlen; 4430Sstevel@tonic-gate CK_BYTE_PTR pkeydata = NULL; 4440Sstevel@tonic-gate CK_OBJECT_HANDLE key = (CK_OBJECT_HANDLE) 0; 4450Sstevel@tonic-gate int keylen = 0; /* key length */ 4460Sstevel@tonic-gate char *resultstr = NULL; /* result in hex string */ 4470Sstevel@tonic-gate int resultstrlen; /* result string length */ 4480Sstevel@tonic-gate int i; 4490Sstevel@tonic-gate int exitcode = EXIT_SUCCESS; /* return code */ 4500Sstevel@tonic-gate int slot, mek; /* index variables */ 4510Sstevel@tonic-gate int mech_match = 0; 4520Sstevel@tonic-gate CK_BYTE salt[PBKD2_SALT_SIZE]; 4530Sstevel@tonic-gate CK_ULONG keysize; 4540Sstevel@tonic-gate CK_ULONG iterations = PBKD2_ITERATIONS; 455*3812Shylee CK_KEY_TYPE keytype; 456*3812Shylee KMF_RETURN kmfrv; 457*3812Shylee CK_SLOT_ID token_slot_id; 4580Sstevel@tonic-gate 4590Sstevel@tonic-gate if (aflag) { 4600Sstevel@tonic-gate /* 4610Sstevel@tonic-gate * Determine if algorithm/mechanism is valid 4620Sstevel@tonic-gate */ 4630Sstevel@tonic-gate for (mech_match = 0; mech_match < MECH_ALIASES_COUNT; 4640Sstevel@tonic-gate mech_match++) { 
4650Sstevel@tonic-gate if (strcmp(algo_str, 4660Sstevel@tonic-gate mech_aliases[mech_match].alias) == 0) { 4670Sstevel@tonic-gate mech_type = mech_aliases[mech_match].type; 4680Sstevel@tonic-gate break; 4690Sstevel@tonic-gate } 4700Sstevel@tonic-gate 4710Sstevel@tonic-gate } 4720Sstevel@tonic-gate 4730Sstevel@tonic-gate if (mech_match == MECH_ALIASES_COUNT) { 4740Sstevel@tonic-gate cryptoerror(LOG_STDERR, 4750Sstevel@tonic-gate gettext("unknown algorithm -- %s"), algo_str); 4760Sstevel@tonic-gate return (EXIT_FAILURE); 4770Sstevel@tonic-gate } 4780Sstevel@tonic-gate 4790Sstevel@tonic-gate /* Get key to do a MAC operation */ 4800Sstevel@tonic-gate if (mac_cmd) { 481*3812Shylee if (Kflag) { 482*3812Shylee int status; 483*3812Shylee 484*3812Shylee if (token_label == NULL || 485*3812Shylee !strlen(token_label)) { 486*3812Shylee token_label = PK_DEFAULT_PK11TOKEN; 487*3812Shylee } 488*3812Shylee 489*3812Shylee status = getpasswd(token_label, &pkeydata, 490*3812Shylee (CK_ULONG *)&keylen); 491*3812Shylee if (status == -1) { 492*3812Shylee cryptoerror(LOG_STDERR, 493*3812Shylee gettext("invalid passphrase.")); 494*3812Shylee return (EXIT_FAILURE); 495*3812Shylee } 496*3812Shylee 497*3812Shylee } else { 498*3812Shylee keylen = getkey(keyfile, &pkeydata); 499*3812Shylee if (keylen <= 0 || pkeydata == NULL) { 500*3812Shylee cryptoerror(LOG_STDERR, 501*3812Shylee gettext("invalid key.")); 502*3812Shylee return (EXIT_FAILURE); 503*3812Shylee } 5040Sstevel@tonic-gate } 5050Sstevel@tonic-gate } 5060Sstevel@tonic-gate } 5070Sstevel@tonic-gate 5080Sstevel@tonic-gate /* Initialize, and get list of slots */ 509*3812Shylee rv = C_Initialize(NULL); 510*3812Shylee if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) { 5110Sstevel@tonic-gate cryptoerror(LOG_STDERR, 5120Sstevel@tonic-gate gettext("failed to initialize PKCS #11 framework: %s"), 5130Sstevel@tonic-gate pkcs11_strerror(rv)); 5140Sstevel@tonic-gate return (EXIT_FAILURE); 5150Sstevel@tonic-gate } 5160Sstevel@tonic-gate 
5170Sstevel@tonic-gate /* Get slot count */ 5180Sstevel@tonic-gate rv = C_GetSlotList(0, NULL_PTR, &slotcount); 5190Sstevel@tonic-gate if (rv != CKR_OK || slotcount == 0) { 5200Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 5210Sstevel@tonic-gate "failed to find any cryptographic provider," 5220Sstevel@tonic-gate "please check with your system administrator: %s"), 5230Sstevel@tonic-gate pkcs11_strerror(rv)); 5240Sstevel@tonic-gate exitcode = EXIT_FAILURE; 5250Sstevel@tonic-gate goto cleanup; 5260Sstevel@tonic-gate } 5270Sstevel@tonic-gate 5280Sstevel@tonic-gate /* Found at least one slot, allocate memory for slot list */ 5290Sstevel@tonic-gate pSlotList = malloc(slotcount * sizeof (CK_SLOT_ID)); 5300Sstevel@tonic-gate if (pSlotList == NULL_PTR) { 5310Sstevel@tonic-gate int err = errno; 5320Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s\n"), 5330Sstevel@tonic-gate strerror(err)); 5340Sstevel@tonic-gate exitcode = EXIT_FAILURE; 5350Sstevel@tonic-gate goto cleanup; 5360Sstevel@tonic-gate } 5370Sstevel@tonic-gate 5380Sstevel@tonic-gate /* Get the list of slots */ 5390Sstevel@tonic-gate if ((rv = C_GetSlotList(0, pSlotList, &slotcount)) != CKR_OK) { 5400Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 5410Sstevel@tonic-gate "failed to find any cryptographic provider," 5420Sstevel@tonic-gate "please check with your system administrator: %s"), 5430Sstevel@tonic-gate pkcs11_strerror(rv)); 5440Sstevel@tonic-gate exitcode = EXIT_FAILURE; 5450Sstevel@tonic-gate goto cleanup; 5460Sstevel@tonic-gate } 5470Sstevel@tonic-gate 5480Sstevel@tonic-gate /* 5490Sstevel@tonic-gate * Obtain list of algorithms if -l option was given 5500Sstevel@tonic-gate */ 5510Sstevel@tonic-gate if (lflag) { 5520Sstevel@tonic-gate 5530Sstevel@tonic-gate for (slot = 0; slot < slotcount; slot++) { 5540Sstevel@tonic-gate 5550Sstevel@tonic-gate /* Iterate through each mechanism */ 5560Sstevel@tonic-gate for (mek = 0; mek < MECH_ALIASES_COUNT; mek++) { 5570Sstevel@tonic-gate rv = 
C_GetMechanismInfo(pSlotList[slot], 5580Sstevel@tonic-gate mech_aliases[mek].type, &info); 5590Sstevel@tonic-gate 5600Sstevel@tonic-gate /* Only check algorithms that can be used */ 5610Sstevel@tonic-gate if ((rv != CKR_OK) || 5620Sstevel@tonic-gate (!mac_cmd && (info.flags & CKF_SIGN)) || 5630Sstevel@tonic-gate (mac_cmd && (info.flags & CKF_DIGEST))) 5640Sstevel@tonic-gate continue; 5650Sstevel@tonic-gate 5660Sstevel@tonic-gate /* 5670Sstevel@tonic-gate * Set to minimum/maximum key sizes assuming 5680Sstevel@tonic-gate * the values available are not 0. 5690Sstevel@tonic-gate */ 5700Sstevel@tonic-gate if (info.ulMinKeySize && (info.ulMinKeySize < 5710Sstevel@tonic-gate mech_aliases[mek].keysize_min)) 5720Sstevel@tonic-gate mech_aliases[mek].keysize_min = 5730Sstevel@tonic-gate info.ulMinKeySize; 5740Sstevel@tonic-gate 5750Sstevel@tonic-gate if (info.ulMaxKeySize && (info.ulMaxKeySize > 5760Sstevel@tonic-gate mech_aliases[mek].keysize_max)) 5770Sstevel@tonic-gate mech_aliases[mek].keysize_max = 5780Sstevel@tonic-gate info.ulMaxKeySize; 5790Sstevel@tonic-gate 5800Sstevel@tonic-gate mech_aliases[mek].available = B_TRUE; 5810Sstevel@tonic-gate } 5820Sstevel@tonic-gate 5830Sstevel@tonic-gate } 5840Sstevel@tonic-gate 5850Sstevel@tonic-gate algorithm_list(mac_cmd); 5860Sstevel@tonic-gate 5870Sstevel@tonic-gate goto cleanup; 5880Sstevel@tonic-gate } 5890Sstevel@tonic-gate 590*3812Shylee /* 591*3812Shylee * Find a slot with matching mechanism 592*3812Shylee * 593*3812Shylee * If -K is specified, we find the slot id for the token first, then 594*3812Shylee * check if the slot supports the algorithm. 
595*3812Shylee */ 596*3812Shylee i = 0; 597*3812Shylee if (Kflag) { 598*3812Shylee kmfrv = KMF_PK11TokenLookup(NULL, token_label, &token_slot_id); 599*3812Shylee if (kmfrv != KMF_OK) { 600*3812Shylee cryptoerror(LOG_STDERR, 601*3812Shylee gettext("no matching PKCS#11 token")); 602*3812Shylee exitcode = EXIT_FAILURE; 603*3812Shylee goto cleanup; 604*3812Shylee } 605*3812Shylee rv = C_GetMechanismInfo(token_slot_id, mech_type, &info); 606*3812Shylee if (rv == CKR_OK && (info.flags & CKF_SIGN)) 607*3812Shylee slotID = token_slot_id; 608*3812Shylee else 609*3812Shylee i = slotcount; 610*3812Shylee 611*3812Shylee } else { 612*3812Shylee for (i = 0; i < slotcount; i++) { 613*3812Shylee slotID = pSlotList[i]; 614*3812Shylee rv = C_GetMechanismInfo(slotID, mech_type, &info); 615*3812Shylee if (rv != CKR_OK) { 616*3812Shylee continue; /* to the next slot */ 617*3812Shylee } else { 618*3812Shylee if (mac_cmd) { 619*3812Shylee /* 620*3812Shylee * Make sure the slot supports 621*3812Shylee * PKCS5 key generation if we 622*3812Shylee * will be using it later. 623*3812Shylee * We use it whenever the key 624*3812Shylee * is entered at command line. 
625*3812Shylee */ 626*3812Shylee if ((info.flags & CKF_SIGN) && 627*3812Shylee (keyfile == NULL)) { 628*3812Shylee CK_MECHANISM_INFO kg_info; 629*3812Shylee rv = C_GetMechanismInfo(slotID, 630*3812Shylee CKM_PKCS5_PBKD2, &kg_info); 631*3812Shylee if (rv == CKR_OK) 632*3812Shylee break; 633*3812Shylee } else if (info.flags & CKF_SIGN) { 634*3812Shylee break; 635*3812Shylee } 636*3812Shylee } else { 637*3812Shylee if (info.flags & CKF_DIGEST) 638*3812Shylee break; 6390Sstevel@tonic-gate } 6400Sstevel@tonic-gate } 6410Sstevel@tonic-gate } 6420Sstevel@tonic-gate } 6430Sstevel@tonic-gate 6440Sstevel@tonic-gate /* Show error if no matching mechanism found */ 6450Sstevel@tonic-gate if (i == slotcount) { 6460Sstevel@tonic-gate cryptoerror(LOG_STDERR, 6470Sstevel@tonic-gate gettext("no cryptographic provider was " 6480Sstevel@tonic-gate "found for this algorithm -- %s"), algo_str); 6490Sstevel@tonic-gate exitcode = EXIT_FAILURE; 6500Sstevel@tonic-gate goto cleanup; 6510Sstevel@tonic-gate } 6520Sstevel@tonic-gate 6530Sstevel@tonic-gate /* Mechanism is supported. Go ahead & open a session */ 6540Sstevel@tonic-gate rv = C_OpenSession(slotID, CKF_SERIAL_SESSION, 6550Sstevel@tonic-gate NULL_PTR, NULL, &hSession); 6560Sstevel@tonic-gate 6570Sstevel@tonic-gate if (rv != CKR_OK) { 6580Sstevel@tonic-gate cryptoerror(LOG_STDERR, 6590Sstevel@tonic-gate gettext("can not open PKCS#11 session: %s"), 6600Sstevel@tonic-gate pkcs11_strerror(rv)); 6610Sstevel@tonic-gate exitcode = EXIT_FAILURE; 6620Sstevel@tonic-gate goto cleanup; 6630Sstevel@tonic-gate } 6640Sstevel@tonic-gate 6650Sstevel@tonic-gate /* Create a key object for mac operation */ 6660Sstevel@tonic-gate if (mac_cmd) { 6670Sstevel@tonic-gate /* 6680Sstevel@tonic-gate * If we read keybytes from a file, 6690Sstevel@tonic-gate * do NOT process them with C_GenerateKey, 6700Sstevel@tonic-gate * treat them as raw keydata bytes and 6710Sstevel@tonic-gate * create a key object for them. 
6720Sstevel@tonic-gate */ 6730Sstevel@tonic-gate if (keyfile) { 6740Sstevel@tonic-gate CK_OBJECT_CLASS class = CKO_SECRET_KEY; 6750Sstevel@tonic-gate CK_KEY_TYPE tmpl_keytype = CKK_GENERIC_SECRET; 6760Sstevel@tonic-gate CK_BBOOL false = FALSE; 6770Sstevel@tonic-gate int nattr = 0; 6780Sstevel@tonic-gate CK_ATTRIBUTE template[5]; 6790Sstevel@tonic-gate 6800Sstevel@tonic-gate if (mech_type == CKM_DES_MAC) { 6810Sstevel@tonic-gate tmpl_keytype = CKK_DES; 6820Sstevel@tonic-gate } 6830Sstevel@tonic-gate template[nattr].type = CKA_CLASS; 6840Sstevel@tonic-gate template[nattr].pValue = &class; 6850Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (class); 6860Sstevel@tonic-gate nattr++; 6870Sstevel@tonic-gate 6880Sstevel@tonic-gate template[nattr].type = CKA_KEY_TYPE; 6890Sstevel@tonic-gate template[nattr].pValue = &tmpl_keytype; 6900Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (tmpl_keytype); 6910Sstevel@tonic-gate nattr++; 6920Sstevel@tonic-gate 6930Sstevel@tonic-gate template[nattr].type = CKA_SIGN; 6940Sstevel@tonic-gate template[nattr].pValue = &true; 6950Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (true); 6960Sstevel@tonic-gate nattr++; 6970Sstevel@tonic-gate 6980Sstevel@tonic-gate template[nattr].type = CKA_TOKEN; 6990Sstevel@tonic-gate template[nattr].pValue = &false; 7000Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (false); 7010Sstevel@tonic-gate nattr++; 7020Sstevel@tonic-gate 7030Sstevel@tonic-gate template[nattr].type = CKA_VALUE; 7040Sstevel@tonic-gate template[nattr].pValue = pkeydata; 7050Sstevel@tonic-gate template[nattr].ulValueLen = keylen; 7060Sstevel@tonic-gate nattr++; 7070Sstevel@tonic-gate 7080Sstevel@tonic-gate rv = C_CreateObject(hSession, template, 7090Sstevel@tonic-gate nattr, &key); 710*3812Shylee 711*3812Shylee } else if (Kflag) { 712*3812Shylee 713*3812Shylee if (mech_type == CKM_DES_MAC) { 714*3812Shylee keytype = CKK_DES; 715*3812Shylee } else { 716*3812Shylee keytype = CKK_GENERIC_SECRET; 717*3812Shylee 
} 718*3812Shylee 719*3812Shylee rv = get_token_key(hSession, keytype, key_label, 720*3812Shylee pkeydata, keylen, &key); 721*3812Shylee if (rv != CKR_OK) { 722*3812Shylee exitcode = EXIT_FAILURE; 723*3812Shylee goto cleanup; 724*3812Shylee } 7250Sstevel@tonic-gate } else { 7260Sstevel@tonic-gate CK_KEY_TYPE keytype; 7270Sstevel@tonic-gate if (mech_type == CKM_DES_MAC) { 7280Sstevel@tonic-gate keytype = CKK_DES; 7290Sstevel@tonic-gate keysize = 0; 7300Sstevel@tonic-gate } else { 7310Sstevel@tonic-gate keytype = CKK_GENERIC_SECRET; 7320Sstevel@tonic-gate keysize = 16; /* 128 bits */ 7330Sstevel@tonic-gate } 7340Sstevel@tonic-gate /* 7350Sstevel@tonic-gate * We use a fixed salt (0x0a, 0x0a, 0x0a ...) 7360Sstevel@tonic-gate * for creating the key so that the end user 7370Sstevel@tonic-gate * will be able to generate the same 'mac' 7380Sstevel@tonic-gate * using the same passphrase. 7390Sstevel@tonic-gate */ 7400Sstevel@tonic-gate (void) memset(salt, 0x0a, sizeof (salt)); 7410Sstevel@tonic-gate rv = generate_pkcs5_key(hSession, 7420Sstevel@tonic-gate salt, sizeof (salt), 7430Sstevel@tonic-gate iterations, pkeydata, 7440Sstevel@tonic-gate keytype, keylen, keysize, 7450Sstevel@tonic-gate &key); 7460Sstevel@tonic-gate } 7470Sstevel@tonic-gate 7480Sstevel@tonic-gate if (rv != CKR_OK) { 7490Sstevel@tonic-gate cryptoerror(LOG_STDERR, 7500Sstevel@tonic-gate gettext("unable to create key for crypto " 7510Sstevel@tonic-gate "operation: %s"), pkcs11_strerror(rv)); 7520Sstevel@tonic-gate exitcode = EXIT_FAILURE; 7530Sstevel@tonic-gate goto cleanup; 7540Sstevel@tonic-gate } 7550Sstevel@tonic-gate } 7560Sstevel@tonic-gate 7570Sstevel@tonic-gate /* Allocate a buffer to store result. 
*/ 7580Sstevel@tonic-gate resultlen = RESULTLEN; 7590Sstevel@tonic-gate if ((resultbuf = malloc(resultlen)) == NULL) { 7600Sstevel@tonic-gate int err = errno; 7610Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s\n"), 7620Sstevel@tonic-gate strerror(err)); 7630Sstevel@tonic-gate exitcode = EXIT_FAILURE; 7640Sstevel@tonic-gate goto cleanup; 7650Sstevel@tonic-gate } 7660Sstevel@tonic-gate 7670Sstevel@tonic-gate /* Allocate a buffer to store result string */ 7680Sstevel@tonic-gate resultstrlen = RESULTLEN; 7690Sstevel@tonic-gate if ((resultstr = malloc(resultstrlen)) == NULL) { 7700Sstevel@tonic-gate int err = errno; 7710Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s\n"), 7720Sstevel@tonic-gate strerror(err)); 7730Sstevel@tonic-gate exitcode = EXIT_FAILURE; 7740Sstevel@tonic-gate goto cleanup; 7750Sstevel@tonic-gate } 7760Sstevel@tonic-gate 7770Sstevel@tonic-gate mech.mechanism = mech_type; 7780Sstevel@tonic-gate mech.pParameter = NULL_PTR; 7790Sstevel@tonic-gate mech.ulParameterLen = 0; 7800Sstevel@tonic-gate exitcode = EXIT_SUCCESS; 7810Sstevel@tonic-gate i = 0; 7820Sstevel@tonic-gate 7830Sstevel@tonic-gate do { 7840Sstevel@tonic-gate if (filecount > 0 && filelist != NULL) { 7850Sstevel@tonic-gate filename = filelist[i]; 7860Sstevel@tonic-gate if ((fd = open(filename, O_RDONLY 7870Sstevel@tonic-gate | O_NONBLOCK)) == -1) { 7880Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7890Sstevel@tonic-gate "can not open input file %s\n"), filename); 7900Sstevel@tonic-gate exitcode = EXIT_USAGE; 7910Sstevel@tonic-gate continue; 7920Sstevel@tonic-gate } 7930Sstevel@tonic-gate } else { 7940Sstevel@tonic-gate fd = 0; /* use stdin */ 7950Sstevel@tonic-gate } 7960Sstevel@tonic-gate 7970Sstevel@tonic-gate /* 7980Sstevel@tonic-gate * Perform the operation 7990Sstevel@tonic-gate */ 8000Sstevel@tonic-gate if (mac_cmd) { 8010Sstevel@tonic-gate rv = do_mac(hSession, &mech, fd, key, &resultbuf, 8020Sstevel@tonic-gate &resultlen); 8030Sstevel@tonic-gate } 
else { 8040Sstevel@tonic-gate rv = do_digest(hSession, &mech, fd, &resultbuf, 8050Sstevel@tonic-gate &resultlen); 8060Sstevel@tonic-gate } 8070Sstevel@tonic-gate 8080Sstevel@tonic-gate if (rv != CKR_OK) { 8090Sstevel@tonic-gate cryptoerror(LOG_STDERR, 8100Sstevel@tonic-gate gettext("crypto operation failed for " 8110Sstevel@tonic-gate "file %s: %s\n"), 8120Sstevel@tonic-gate filename ? filename : "STDIN", 8130Sstevel@tonic-gate pkcs11_strerror(rv)); 8140Sstevel@tonic-gate exitcode = EXIT_FAILURE; 8150Sstevel@tonic-gate continue; 8160Sstevel@tonic-gate } 8170Sstevel@tonic-gate 8180Sstevel@tonic-gate /* if result size has changed, allocate a bigger resulstr buf */ 8190Sstevel@tonic-gate if (resultlen != RESULTLEN) { 8200Sstevel@tonic-gate resultstrlen = 2 * resultlen + 1; 8210Sstevel@tonic-gate resultstr = realloc(resultstr, resultstrlen); 8220Sstevel@tonic-gate 8230Sstevel@tonic-gate if (resultstr == NULL) { 8240Sstevel@tonic-gate int err = errno; 8250Sstevel@tonic-gate cryptoerror(LOG_STDERR, 8260Sstevel@tonic-gate gettext("realloc: %s\n"), strerror(err)); 8270Sstevel@tonic-gate exitcode = EXIT_FAILURE; 8280Sstevel@tonic-gate goto cleanup; 8290Sstevel@tonic-gate } 8300Sstevel@tonic-gate } 8310Sstevel@tonic-gate 8320Sstevel@tonic-gate /* Output the result */ 8330Sstevel@tonic-gate tohexstr(resultbuf, resultlen, resultstr, resultstrlen); 8340Sstevel@tonic-gate 8350Sstevel@tonic-gate /* Include mechanism name for verbose */ 8360Sstevel@tonic-gate if (vflag) 8370Sstevel@tonic-gate (void) fprintf(stdout, "%s ", algo_str); 8380Sstevel@tonic-gate 8390Sstevel@tonic-gate /* Include file name for multiple files, or if verbose */ 8400Sstevel@tonic-gate if (filecount > 1 || (vflag && filecount > 0)) { 8410Sstevel@tonic-gate (void) fprintf(stdout, "(%s) = ", filename); 8420Sstevel@tonic-gate } 8430Sstevel@tonic-gate 8440Sstevel@tonic-gate (void) fprintf(stdout, "%s\n", resultstr); 8450Sstevel@tonic-gate (void) close(fd); 8460Sstevel@tonic-gate 8470Sstevel@tonic-gate 
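/* --- tail of main(): end of the per-file loop and the shared cleanup path --- */
	} while (++i < filecount);

	/*
	 * clear and free the key.
	 * NOTE(review): this runs only on the normal path; the error paths
	 * that 'goto cleanup' above leave pkeydata un-zeroized (the process
	 * is exiting, but the key bytes remain in the heap until then).
	 */
	if (mac_cmd) {
		(void) memset(pkeydata, 0, keylen);
		free(pkeydata);
		pkeydata = NULL;
	}

cleanup:
	if (resultbuf != NULL) {
		free(resultbuf);
	}

	if (resultstr != NULL) {
		free(resultstr);
	}

	if (pSlotList != NULL) {
		free(pSlotList);
	}

	/* a token-resident key (-K) is not ours to destroy */
	if (!Kflag && key != (CK_OBJECT_HANDLE) 0) {
		(void) C_DestroyObject(hSession, key);
	}

	if (hSession != CK_INVALID_HANDLE)
		(void) C_CloseSession(hSession);

	(void) C_Finalize(NULL_PTR);

	return (exitcode);
}

/*
 * do_digest - Compute digest of a file
 *
 * hSession - session
 * pmech - ptr to mechanism to be used for digest
 * fd - file descriptor; read until EOF, not closed here
 * pdigest - buffer where digest result is returned.  If the buffer is
 *	too small it is grown with realloc() and *pdigest is updated.
 *	If realloc() fails, *pdigest is left pointing at the original,
 *	still-valid buffer so the caller can free it as usual.
 * pdigestlen - length of digest buffer on input,
 *	length of result on output
 *
 * returns CKR_OK, the PKCS#11 error code, CKR_HOST_MEMORY if the
 * result buffer could not be grown, or CKR_GENERAL_ERROR on a read error.
 */
static CK_RV
do_digest(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pmech,
    int fd, CK_BYTE_PTR *pdigest, CK_ULONG_PTR pdigestlen)
{
	CK_RV rv;
	ssize_t nread;
	int saved_errno;

	if ((rv = C_DigestInit(hSession, pmech)) != CKR_OK) {
		return (rv);
	}

	while ((nread = read(fd, buf, sizeof (buf))) > 0) {
		/* Get the digest */
		rv = C_DigestUpdate(hSession, buf, (CK_ULONG)nread);
		if (rv != CKR_OK)
			return (rv);
	}

	saved_errno = errno;	/* read() may have failed; keep its errno */

	/*
	 * Perform the C_DigestFinal, even if there is a read error.
	 * Otherwise C_DigestInit will return CKR_OPERATION_ACTIVE
	 * next time it is called (for another file)
	 */
	rv = C_DigestFinal(hSession, *pdigest, pdigestlen);

	/* result too big to fit?  Allocate a bigger buffer */
	if (rv == CKR_BUFFER_TOO_SMALL) {
		/*
		 * Never assign realloc() straight back into *pdigest:
		 * on failure that would drop (leak) the caller's buffer.
		 */
		CK_BYTE_PTR newbuf = realloc(*pdigest, *pdigestlen);

		if (newbuf == NULL_PTR) {
			int err = errno;
			cryptoerror(LOG_STDERR,
			    gettext("realloc: %s\n"), strerror(err));
			return (CKR_HOST_MEMORY);
		}
		*pdigest = newbuf;

		rv = C_DigestFinal(hSession, *pdigest, pdigestlen);
	}

	/* There was a read error */
	if (nread == -1) {
		cryptoerror(LOG_STDERR, gettext(
		    "error reading file: %s"), strerror(saved_errno));
		return (CKR_GENERAL_ERROR);
	}

	return (rv);
}

/*
 * do_mac - Compute mac of a file
 *
 * hSession - session
 * pmech - ptr to mechanism to be used
 * fd - file descriptor; read until EOF, not closed here
 * key - key to be used
 * psignature - ptr buffer where mac result is returned
 *	returns new buf if current buf is small.  If realloc() fails,
 *	*psignature is left pointing at the original, still-valid buffer
 *	so the caller can free it as usual.
 * psignaturelen - length of mac buffer on input,
 *	length of result on output
 *
 * returns CKR_OK, the PKCS#11 error code, CKR_HOST_MEMORY if the
 * result buffer could not be grown, or CKR_GENERAL_ERROR on a read error.
 */
static CK_RV
do_mac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pmech,
    int fd, CK_OBJECT_HANDLE key, CK_BYTE_PTR *psignature,
    CK_ULONG_PTR psignaturelen)
{
	CK_RV rv;
	ssize_t nread;
	int saved_errno;

	if ((rv = C_SignInit(hSession, pmech, key)) != CKR_OK) {
		return (rv);
	}

	while ((nread = read(fd, buf, sizeof (buf))) > 0) {
		/* Get the MAC */
		rv = C_SignUpdate(hSession, buf, (CK_ULONG)nread);
		if (rv != CKR_OK)
			return (rv);
	}

	saved_errno = errno;	/* read() may have failed; keep its errno */

	/*
	 * Perform the C_SignFinal, even if there is a read error.
	 * Otherwise C_SignInit will return CKR_OPERATION_ACTIVE
	 * next time it is called (for another file)
	 */
	rv = C_SignFinal(hSession, *psignature, psignaturelen);

	/* result too big to fit?  Allocate a bigger buffer */
	if (rv == CKR_BUFFER_TOO_SMALL) {
		/*
		 * Never assign realloc() straight back into *psignature:
		 * on failure that would drop (leak) the caller's buffer.
		 */
		CK_BYTE_PTR newbuf = realloc(*psignature, *psignaturelen);

		if (newbuf == NULL_PTR) {
			int err = errno;
			cryptoerror(LOG_STDERR,
			    gettext("realloc: %s\n"), strerror(err));
			return (CKR_HOST_MEMORY);
		}
		*psignature = newbuf;

		rv = C_SignFinal(hSession, *psignature, psignaturelen);
	}

	/* There was a read error */
	if (nread == -1) {
		cryptoerror(LOG_STDERR, gettext("error reading file: %s"),
		    strerror(saved_errno));
		return (CKR_GENERAL_ERROR);
	}

	return (rv);
}


/*
 * getkey - gets keydata from file specified
 *
 * filename - name of file, if null, prompt for pass phrase
 * pkeydata - binary key data is returned in this buf; the caller owns
 *	the allocation and is responsible for zeroizing and freeing it.
 *	Left NULL when the key file is empty (length 0).
 *
 * returns length of key, or -1 if error.  On error nothing is
 * returned through pkeydata and no key bytes are left allocated.
 */
static int
getkey(char *filename, CK_BYTE_PTR *pkeydata)
{
	struct stat statbuf;
	char *keybuf = NULL;
	char *tmpbuf;
	int keylen;
	int fd;

	if (filename != NULL) {
		size_t total = 0;

		/* read the key file into a buffer */
		if ((fd = open(filename, O_RDONLY | O_NONBLOCK)) == -1) {
			cryptoerror(LOG_STDERR, gettext(
			    "can't open %s\n"), filename);
			return (-1);
		}

		if (fstat(fd, &statbuf) == -1) {
			cryptoerror(LOG_STDERR, gettext(
			    "can't stat %s\n"), filename);
			(void) close(fd);
			return (-1);
		}

		if (!S_ISREG(statbuf.st_mode)) {
			cryptoerror(LOG_STDERR, gettext(
			    "%s not a regular file\n"), filename);
			(void) close(fd);
			return (-1);
		}

		/*
		 * st_size is wider than the int we return; refuse an
		 * oversized file rather than silently truncating its length.
		 */
		if (statbuf.st_size > INT_MAX) {
			cryptoerror(LOG_STDERR, gettext(
			    "can't read %s\n"), filename);
			(void) close(fd);
			return (-1);
		}
		keylen = (int)statbuf.st_size;

		if (keylen > 0) {
			/* allocate a buffer to hold the entire key */
			if ((keybuf = malloc(keylen)) == NULL) {
				int err = errno;
				cryptoerror(LOG_STDERR, gettext("malloc: %s\n"),
				    strerror(err));
				(void) close(fd);
				return (-1);
			}

			/* read() may return short; keep going until done */
			while (total < (size_t)keylen) {
				ssize_t n = read(fd, keybuf + total,
				    (size_t)keylen - total);
				if (n <= 0)
					break;	/* error or unexpected EOF */
				total += (size_t)n;
			}

			if (total != (size_t)keylen) {
				cryptoerror(LOG_STDERR, gettext(
				    "can't read %s\n"), filename);
				/* don't leak the partial key bytes */
				(void) memset(keybuf, 0, keylen);
				free(keybuf);
				(void) close(fd);
				return (-1);
			}
		}
		(void) close(fd);

	} else {

		/* No file, prompt for a pass phrase */
		tmpbuf = getpassphrase(gettext("Enter key:"));

		if (tmpbuf == NULL) {
			return (-1); /* error */
		}

		keybuf = strdup(tmpbuf);
		/* scrub getpassphrase()'s static buffer whether or not strdup worked */
		(void) memset(tmpbuf, 0, strlen(tmpbuf));
		if (keybuf == NULL) {
			return (-1);
		}
		keylen = strlen(keybuf);
	}

	*pkeydata = (CK_BYTE_PTR)keybuf;

	return (keylen);
}

/*
 * getpasswd - prompt for the PIN/passphrase of the given token
 *
 * token_spec - token name shown in the prompt; NULL is an error
 * pdata - newly allocated copy of the passphrase is returned here;
 *	the caller owns it and must zeroize and free it
 * psize - length of the passphrase (no terminating NUL counted)
 *
 * returns 0 on success, -1 on error (NULL token_spec, cancelled or
 * failed prompt, or allocation failure).
 */
static int
getpasswd(char *token_spec, CK_BYTE_PTR *pdata, CK_ULONG *psize)
{
	char *databuf;
	char *tmpbuf;
	char prompt[1024];

	if (token_spec == NULL)
		return (-1);

	(void) snprintf(prompt, sizeof (prompt), DEFAULT_TOKEN_PROMPT,
	    token_spec);
	/*
	 * NOTE(review): gettext() on the already-formatted prompt cannot
	 * match a catalog entry; the lookup belongs on DEFAULT_TOKEN_PROMPT
	 * before formatting.  Left as-is to keep output identical.
	 */
	tmpbuf = getpassphrase(gettext(prompt));

	if (tmpbuf == NULL) {
		return (-1); /* error */
	}

	databuf = strdup(tmpbuf);
	/* scrub getpassphrase()'s static buffer whether or not strdup worked */
	(void) memset(tmpbuf, 0, strlen(tmpbuf));
	if (databuf == NULL)
		return (-1);

	*pdata = (CK_BYTE_PTR)databuf;
	*psize = (CK_ULONG)strlen(databuf);

	return (0);
}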