/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#ifndef _LIBELFSIGN_H
#define _LIBELFSIGN_H

#ifdef __cplusplus
extern "C" {
#endif

/*
 * libelfsign Private Interfaces
 * This header file should not be shipped as part of Solaris binary or
 * source products.
 *
 * Everything declared here is implementation-private: the ELFsign_s
 * context layout, the certificate record and the function prototypes
 * are shared between the library and its in-tree consumers only.
 * No implementation is visible from this header; the per-function notes
 * below describe only what the prototypes themselves establish, and
 * mark anything beyond that as an assumption to confirm against the
 * corresponding .c file.
 */

#include <sys/crypto/elfsign.h>
#include <libelf.h>
#include <fcntl.h>
#include <md5.h>
#include <sha1.h>
#include <kmfapi.h>

/*
 * Certificate-related definitions
 */
/* Provider / framework name string used when locating crypto certs. */
#define ELFSIGN_CRYPTO "Solaris Cryptographic Framework"
/* DN attribute that marks a certificate as usage-limited. */
#define USAGELIMITED "OU=UsageLimited"

/*
 * Verification state of a loaded certificate (ELFCert_s.c_verified).
 * E_UNCHECKED: no verification attempted yet.
 * E_OK:        verification succeeded.
 * E_IS_TA:     presumably "is a trust anchor" -- confirm in the
 *              elfcertlib implementation before relying on the meaning.
 * E_FAILED:    verification failed.
 */
typedef enum ELFCert_VStatus_e {
	E_UNCHECKED,
	E_OK,
	E_IS_TA,
	E_FAILED
} ELFCert_VStatus_t;

/*
 * In-memory certificate record.  Note that ELFCert_t is a typedef of a
 * *pointer* to this struct, so "ELFCert_t cert" in the prototypes below
 * is by-reference; ownership is released with elfcertlib_releasecert().
 * c_subject / c_issuer are char * strings (see elfcertlib_getdn/getissuer).
 * c_privatekey is a KMF key handle; which calls populate it is not visible
 * here (elfcertlib_loadprivatekey/loadtokenkey take the cert, so presumably
 * those -- confirm).
 */
typedef struct ELFCert_s {
	ELFCert_VStatus_t c_verified;
	char *c_subject;
	char *c_issuer;
	KMF_X509_DER_CERT c_cert;
	KMF_KEY_HANDLE c_privatekey;
} *ELFCert_t;

/* Default certificate directories searched by the certificate library. */
#define CRYPTO_CERTS_DIR "/etc/crypto/certs"
#define ETC_CERTS_DIR "/etc/certs"

/*
 * libelfsign actions
 *
 * The ES_GET* members are read/verify actions, the ES_UPDATE* members are
 * signing actions.  ES_ACTISUPDATE() depends on this ordering: every
 * update action must stay at or after ES_UPDATE, and no read action may
 * be added after it, or the macro silently misclassifies the action.
 */
enum ES_ACTION {
	ES_GET,
	ES_GET_CRYPTO,
	ES_GET_FIPS140,
	ES_UPDATE,
	ES_UPDATE_RSA_MD5_SHA1,
	ES_UPDATE_RSA_SHA1
};
/* True for any signing action; relies on enum ES_ACTION declaration order. */
#define ES_ACTISUPDATE(a) ((a) >= ES_UPDATE)

/*
 * Context for elfsign operation
 *
 * One context per file being read or signed.  Created by elfsign_begin(),
 * destroyed by elfsign_end().  Fields of note:
 *   es_elf / es_fd     -- libelf handle and the underlying descriptor.
 *   es_flock           -- struct flock, so the implementation presumably
 *                         takes a file lock on es_fd (confirm in elfsign.c).
 *   es_privatekey      -- KMF handle used for ES_UPDATE* actions.
 *   es_callbackctx     -- opaque pointer handed back as the first
 *                         argument of the three callbacks below.
 *   es_sigvercallback  -- (ctx, sig, sig_len, cert); set via
 *                         elfsign_setsigvercallback().
 *   es_certCAcallback  -- (ctx, cert, ca-name); set via
 *                         elfcertlib_setcertCAcallback().
 *   es_certvercallback -- (ctx, cert, issuer-cert); set via
 *                         elfcertlib_setcertvercallback().
 * The callback argument meanings above follow from the parameter types
 * only; exact semantics are defined by the implementation.
 */
struct ELFsign_s {
	Elf *es_elf;
	char *es_pathname;
	char *es_certpath;
	int es_fd;
	size_t es_shstrndx;
	enum ES_ACTION es_action;
	KMF_KEY_HANDLE es_privatekey;
	filesig_vers_t es_version;
	boolean_t es_same_endian;
	boolean_t es_has_phdr;
	char es_ei_class;
	struct flock es_flock;
	KMF_HANDLE_T es_kmfhandle;
	void *es_callbackctx;
	void (*es_sigvercallback)(void *, void *, size_t, ELFCert_t);
	void (*es_certCAcallback)(void *, ELFCert_t, char *);
	void (*es_certvercallback)(void *, ELFCert_t, ELFCert_t);
};

/*
 * Signature format names as stored in the ELF signature section
 * (ELFsign_sig_info.esi_format).  Both correspond to the ES_UPDATE_RSA_*
 * actions above.  MD5 and SHA-1 are legacy digests; which format a
 * given action emits, and whether either is still accepted on verify, is
 * decided in the implementation -- confirm before changing.
 */
#define ES_FMT_RSA_MD5_SHA1 "rsa_md5_sha1"
#define ES_FMT_RSA_SHA1 "rsa_sha1"

/*
 * ELF signature handling
 */
/* Opaque-by-convention handle to a signing/verification context. */
typedef struct ELFsign_s *ELFsign_t;
/*
 * Summary of a signature found in a file; returned by
 * elfsign_verify_signature() / elfsign_sig_info() and freed with
 * elfsign_sig_info_free().
 */
struct ELFsign_sig_info {
	char *esi_format;
	char *esi_signer;
	time_t esi_time;
};

/*
 * Build/extend a filesignatures block with a signer DN, signature and OID.
 * Returns the (possibly reallocated) block.  Note the length parameters
 * are int here while the rest of the API uses size_t; callers must not
 * pass values that do not fit in int.  Ownership of the returned block
 * is not visible from this header -- confirm against the implementation.
 */
extern struct filesignatures *elfsign_insert_dso(ELFsign_t ess,
    struct filesignatures *fsp, const char *dn, int dn_len,
    const uchar_t *sig, int sig_len, const char *oid, int oid_len);
/*
 * Copy the signature out of fsp into sig and return the signature
 * version.  *sig_len is a pointer, so presumably it carries the buffer
 * size in and the bytes written out -- confirm.
 */
extern filesig_vers_t elfsign_extract_sig(ELFsign_t ess,
    struct filesignatures *fsp, uchar_t *sig, size_t *sig_len);
/* Open pathname for the given action and return a new context via essp. */
extern ELFsign_status_t elfsign_begin(const char *,
    enum ES_ACTION, ELFsign_t *);
/* Release a context created by elfsign_begin(). */
extern void elfsign_end(ELFsign_t ess);
/* Override the certificate search path for this context (es_certpath). */
extern ELFsign_status_t elfsign_setcertpath(ELFsign_t ess, const char *path);
/*
 * Verify the file's signature; on success *esipp describes the signature
 * and must be freed with elfsign_sig_info_free().
 */
extern ELFsign_status_t elfsign_verify_signature(ELFsign_t ess,
    struct ELFsign_sig_info **esipp);
/*
 * Compute the digest over the file (elfsign_hash) or over the
 * memory-resident image (elfsign_hash_mem_resident).  hash_len is a
 * pointer, presumably in/out buffer size -- confirm.
 */
extern ELFsign_status_t elfsign_hash(ELFsign_t ess, uchar_t *hash,
    size_t *hash_len);
extern ELFsign_status_t elfsign_hash_mem_resident(ELFsign_t ess,
    uchar_t *hash, size_t *hash_len);
/* Report the buffer length needed for the given action; semantics of ip/cp
 * are implementation-defined -- see elfsign.c. */
extern void elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp,
    enum ES_ACTION action);

/* Store the opaque context passed back as the first callback argument. */
extern void elfsign_setcallbackctx(ELFsign_t ess, void *ctx);
/* Register the signature-verification callback (see es_sigvercallback). */
extern void elfsign_setsigvercallback(ELFsign_t ess,
    void (*cb)(void *, void *, size_t, ELFCert_t));
/*
 * Read (ES_GET*) or write (ES_UPDATE*) the signature section.  fspp/fs_len
 * are pointers, so the block and its length are returned for reads and
 * presumably supplied for writes -- confirm.
 */
extern ELFsign_status_t elfsign_signatures(ELFsign_t ess,
    struct filesignatures **fspp, size_t *fs_len, enum ES_ACTION action);

/* Human-readable text for an ELFsign_status_t; returned string is const. */
extern char const *elfsign_strerror(ELFsign_status_t);
/* Parse a filesignatures block into an ELFsign_sig_info (caller frees). */
extern boolean_t elfsign_sig_info(struct filesignatures *fssp,
    struct ELFsign_sig_info **esipp);
/* Free an ELFsign_sig_info returned by the two calls above. */
extern void elfsign_sig_info_free(struct ELFsign_sig_info *);

/*
 * ELF "Certificate Library"
 */

/* Default certificate path; defined in the library, not in this header. */
extern const char _PATH_ELFSIGN_CERTS[];

/* Upper bound on a distinguished-name string handled by the library. */
#define ELFCERT_MAX_DN_LEN 255

/* Initialise / tear down the certificate library state inside a context. */
extern boolean_t elfcertlib_init(ELFsign_t);
extern void elfcertlib_fini(ELFsign_t);
/* Select the PKCS#11 token to use for key operations (name is non-const). */
extern boolean_t elfcertlib_settoken(ELFsign_t, char *);
/* Register the CA-lookup and cert-verification callbacks (see ELFsign_s). */
extern void elfcertlib_setcertCAcallback(ELFsign_t ess,
    void (*cb)(void *, ELFCert_t, char *));
extern void elfcertlib_setcertvercallback(ELFsign_t ess,
    void (*cb)(void *, ELFCert_t, ELFCert_t));

/*
 * Locate a certificate by file path and/or signer DN for the given action
 * and return it via certp.  Release with elfcertlib_releasecert().
 */
extern boolean_t elfcertlib_getcert(ELFsign_t ess, char *cert_pathname,
    char *signer_DN, ELFCert_t *certp, enum ES_ACTION action);
extern void elfcertlib_releasecert(ELFsign_t, ELFCert_t);
/* Accessors for the subject DN and issuer of a certificate. */
extern char *elfcertlib_getdn(ELFCert_t cert);
extern char *elfcertlib_getissuer(ELFCert_t cert);

/*
 * Attach a private key to cert, either from a file (path) or from a
 * token.  NOTE(review): pin is secret material; this header does not say
 * whether the implementation copies it, so callers should assume they
 * own and must clear their buffer after the call.
 */
extern boolean_t elfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert,
    const char *path);
extern boolean_t elfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert,
    const char *token_id, const char *pin);

/*
 * Sign data with the key attached to cert, writing the signature to sig.
 * sig_len is a pointer, presumably the buffer size in and the signature
 * length out -- confirm in the implementation.
 */
extern boolean_t elfcertlib_sign(ELFsign_t ess, ELFCert_t cert,
    const uchar_t *data, size_t data_len, uchar_t *sig,
    size_t *sig_len);

/*
 * Verify the certificate chain for cert (updates c_verified), and verify
 * a signature over data with cert's public key.  Both return boolean_t
 * rather than a status code, so callers get no failure detail.
 */
extern boolean_t elfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert);
extern boolean_t elfcertlib_verifysig(ELFsign_t ess, ELFCert_t cert,
    const uchar_t *sig, size_t sig_len,
    const uchar_t *data, size_t data_len);

#ifdef __cplusplus
}
#endif

#endif /* _LIBELFSIGN_H */