1*0Sstevel@tonic-gate /*
2*0Sstevel@tonic-gate  * CDDL HEADER START
3*0Sstevel@tonic-gate  *
4*0Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5*0Sstevel@tonic-gate  * Common Development and Distribution License, Version 1.0 only
6*0Sstevel@tonic-gate  * (the "License").  You may not use this file except in compliance
7*0Sstevel@tonic-gate  * with the License.
8*0Sstevel@tonic-gate  *
9*0Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*0Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
11*0Sstevel@tonic-gate  * See the License for the specific language governing permissions
12*0Sstevel@tonic-gate  * and limitations under the License.
13*0Sstevel@tonic-gate  *
14*0Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
15*0Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*0Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
17*0Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
18*0Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
19*0Sstevel@tonic-gate  *
20*0Sstevel@tonic-gate  * CDDL HEADER END
21*0Sstevel@tonic-gate  */
22*0Sstevel@tonic-gate /*
23*0Sstevel@tonic-gate  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24*0Sstevel@tonic-gate  * Use is subject to license terms.
25*0Sstevel@tonic-gate  */
26*0Sstevel@tonic-gate 
27*0Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
28*0Sstevel@tonic-gate 
29*0Sstevel@tonic-gate /*
30*0Sstevel@tonic-gate  * This file implements the setpin operation for this tool.
31*0Sstevel@tonic-gate  * The basic flow of the process is to load the PKCS#11 module,
32*0Sstevel@tonic-gate  * find the soft token, log into it, prompt the user for the
33*0Sstevel@tonic-gate  * new PIN, change the token's PIN, and log out.
34*0Sstevel@tonic-gate  */
35*0Sstevel@tonic-gate 
36*0Sstevel@tonic-gate #include <stdio.h>
37*0Sstevel@tonic-gate #include <stdlib.h>
38*0Sstevel@tonic-gate #include <string.h>
39*0Sstevel@tonic-gate #include <cryptoutil.h>
40*0Sstevel@tonic-gate #include <security/cryptoki.h>
41*0Sstevel@tonic-gate #include "common.h"
42*0Sstevel@tonic-gate 
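/*
 * Prompt twice for a new PIN, confirm that both entries are identical,
 * and ask the token to replace the old PIN with the new one.
 *
 * hdl is the session passed to C_SetPIN(); oldpin and oldpinlen are the
 * current PIN and its length in bytes.  They are only read here and stay
 * owned by the caller.
 *
 * Returns PK_ERR_NONE on success, PK_ERR_NEWPIN or PK_ERR_PINCONFIRM if
 * one of the prompts fails, PK_ERR_PINMATCH if the two entries differ,
 * and PK_ERR_PK11SETPIN if C_SetPIN() fails (the PKCS#11 return code is
 * then stored in pk11_errno).
 *
 * Both new-PIN buffers are overwritten before they are freed so that the
 * cleartext PIN does not linger in released heap memory.
 */
static int
set_token_pin(CK_SESSION_HANDLE hdl, CK_UTF8CHAR_PTR oldpin, CK_ULONG oldpinlen)
{
	CK_UTF8CHAR_PTR		pin1 = NULL, pin2 = NULL;
	int			len1 = 0, len2 = 0;
	int			ret = PK_ERR_NONE;
	int			rv;
	int			i;
	volatile unsigned char	*wipe;

	cryptodebug("inside set_token_pin");

	/* Nothing has been handed back yet, so there is nothing to scrub. */
	if ((len1 = get_password(gettext("Enter new PIN:"),
	    (char **)&pin1)) < 0)
		return (PK_ERR_NEWPIN);

	if ((len2 = get_password(gettext("Re-enter new PIN:"),
	    (char **)&pin2)) < 0) {
		/*
		 * As in the original flow, only pin1 is released when the
		 * confirmation prompt fails.
		 */
		pin2 = NULL;
		len2 = 0;
		ret = PK_ERR_PINCONFIRM;
		goto cleanup;
	}

	/* NOTE:  Do not use strcmp on pin1 and pin2; they are UTF strings */
	if (len1 != len2 || memcmp(pin1, pin2, (size_t)len1) != 0) {
		ret = PK_ERR_PINMATCH;
		goto cleanup;
	}

	if ((rv = C_SetPIN(hdl, oldpin, oldpinlen, pin1, (CK_ULONG)len1))
	    != CKR_OK) {
		pk11_errno = rv;
		ret = PK_ERR_PK11SETPIN;
	}

cleanup:
	/*
	 * Scrub the PIN bytes before releasing them.  The stores go through
	 * a volatile-qualified pointer so the compiler is less likely to
	 * discard them as dead writes ahead of free().
	 */
	if (pin1 != NULL) {
		wipe = (volatile unsigned char *)pin1;
		for (i = 0; i < len1; i++)
			wipe[i] = 0;
	}
	if (pin2 != NULL) {
		wipe = (volatile unsigned char *)pin2;
		for (i = 0; i < len2; i++)
			wipe[i] = 0;
	}
	free(pin1);
	free(pin2);
	return (ret);
}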
81*0Sstevel@tonic-gate 
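/*
 * This is the main entry point in this module.  It controls the process
 * by which the token's PIN is changed.  It relies on set_token_pin() to
 * handle the extra work of prompting and confirming the new PIN.
 *
 * argc must be 1 (no additional arguments are accepted); argv is unused.
 *
 * Returns PK_ERR_NONE on success, PK_ERR_USAGE for extra arguments,
 * PK_ERR_NOMEMORY or PK_ERR_PASSPHRASE if the current PIN cannot be
 * obtained, or the error code reported by init_pk11(), find_token_slot(),
 * login_token() or set_token_pin().
 *
 * The buffer holding the current PIN is overwritten before it is freed so
 * that the cleartext PIN does not linger in released heap memory.
 */
int
pk_setpin(int argc, char *argv[])
/* ARGSUSED */
{
	char		*token_name = NULL;
	char		*manuf_id = NULL;
	char		*serial_no = NULL;
	CK_SLOT_ID		slot_id;
	CK_FLAGS		pin_state;
	CK_SESSION_HANDLE	hdl;
	CK_UTF8CHAR_PTR		pin = NULL;
	int			pinlen = 0;
	int			logged_in = 0;
	int			rv;
	int			i;
	volatile unsigned char	*wipe;

	cryptodebug("inside pk_setpin");

	/*
	 * Token_name, manuf_id, and serial_no are all optional.
	 * If unspecified, token_name must have a default value
	 * at least.
	 */
	token_name = SOFT_TOKEN_LABEL;
	manuf_id = SOFT_MANUFACTURER_ID;

	/* No additional args allowed. */
	if (argc != 1)
		return (PK_ERR_USAGE);
	/* Done parsing command line options. */

	/* Initialize PKCS11, find the slot with token. */
	if ((rv = init_pk11()) != PK_ERR_NONE)
		return (rv);
	if ((rv = find_token_slot(token_name, manuf_id, serial_no,
	    &slot_id, &pin_state)) != PK_ERR_NONE)
		return (rv);

	/*
	 * Check if the token flags show the PIN has not been set yet.
	 *
	 * NOTE(review): pin_state is compared for equality rather than
	 * tested with a bit mask, so this branch is taken only if
	 * find_token_slot() hands back exactly this one flag -- confirm
	 * against find_token_slot().
	 */
	if (pin_state == CKF_USER_PIN_TO_BE_CHANGED) {
		cryptodebug("pin_state: first time pin is being set");
		if ((pin = (CK_UTF8CHAR_PTR)strdup(SOFT_DEFAULT_PIN)) == NULL)
			return (PK_ERR_NOMEMORY);
		pinlen = (int)strlen(SOFT_DEFAULT_PIN);
	} else {
		cryptodebug("pin_state: changing an existing pin ");
		/* Have user unlock token with correct password */
		if ((pinlen = get_password(gettext("Enter token PIN:"),
		    (char **)&pin)) < 0)
			return (PK_ERR_PASSPHRASE);
	}

	/*
	 * Log into the token.  If login fails with an uninitialized PIN,
	 * it means this is the first time the token has been used.
	 * Or if the login is successful, but all subsequent calls to
	 * any function return with an expired PIN, then this is the
	 * first time the token is used.  In either case, use the
	 * passphrase "changeme" as the initial PIN.
	 */
	rv = login_token(slot_id, pin, (CK_ULONG)pinlen, &hdl);
	if (rv == PK_ERR_NONE) {
		logged_in = 1;
		/* Set the pin for the PKCS11 token. */
		rv = set_token_pin(hdl, pin, (CK_ULONG)pinlen);
	}

	/*
	 * Scrub the current PIN before releasing it, on success and on
	 * failure alike.  The stores go through a volatile-qualified
	 * pointer so the compiler is less likely to discard them as dead
	 * writes ahead of free().
	 */
	if (pin != NULL) {
		wipe = (volatile unsigned char *)pin;
		for (i = 0; i < pinlen; i++)
			wipe[i] = 0;
	}
	free(pin);

	/* Only a session that was actually opened is logged out. */
	if (logged_in)
		logout_token(hdl);
	return (rv);
}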