PSARC/2010/188 PKCS#11 URI parser for libcryptoutil

6924687 teach libcryptoutil to parse a PKCS#11 URI
illumos · Jun 7, 2010 · ccd81fd · ccd81fd
1 parent f7327bb
commit ccd81fd
Show file tree

Hide file tree

Showing 5 changed files with 391 additions and 17 deletions.
diff --git a/usr/src/lib/libcryptoutil/Makefile.com b/usr/src/lib/libcryptoutil/Makefile.com
@@ -18,8 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 
 LIBRARY= libcryptoutil.a
@@ -36,7 +35,8 @@ OBJECTS= \
 	passutils.o \
 	random.o \
 	keyfile.o \
-	util.o
+	util.o \
+	pkcs11_uri.o
 
 include $(SRC)/lib/Makefile.lib
 include $(SRC)/lib/Makefile.rootfs

diff --git a/usr/src/lib/libcryptoutil/README b/usr/src/lib/libcryptoutil/README
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -19,14 +18,13 @@
 #
 # CDDL HEADER END
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 #
-# ident	"%Z%%M%	%I%	%E% SMI"
 
 This is an internal library for use only by:
 	usr/src/cmd/cmd-crypto
 	usr/src/lib/pkcs11
+	usr/src/lib/libkmf
 
 The library and the header file are installed into the proto area but
 are not included in any pacakges.
@@ -191,13 +189,30 @@ Consumers:
 
 	pkcs11_strerror()
 
-This function returnes a string representation of any given PKCS11 return
+This function returns a string representation of any given PKCS11 return
 code.
 
 Consumer:
 
 	encrypt(1) and decrypt(1) uses this function for reporting errors.
 
+2.5 PKCS#11 URI parsing code
+
+	pkcs11_parse_uri()
+	pkcs11_free_uri()
+
+This function parses a PKCS#11 URI and fills up a pkcs11_uri_t structure. It
+also reads the PIN if the PKCS#11 URI specifies a passphrase dialog. The
+pkcs11_uri_t is described in cryptoutil.h, explanation of the return codes for
+the pkcs11_parse_uri() function is in the function's comment in pk11_uri.c. The
+pkcs11_parse_uri() function allocates the URI's fields and the caller is
+responsible for calling pkcs11_free_uri() after it's done with the URI
+structure.
+
+Consumer:
+
+	SunSSH will use the functions for parsing PKCS#11 URIs.
+
 3. Non-Contents
 
 Code for cryptographic algorithms does not belong in here.  That

diff --git a/usr/src/lib/libcryptoutil/common/cryptoutil.h b/usr/src/lib/libcryptoutil/common/cryptoutil.h
@@ -17,10 +17,8 @@
  * information: Portions Copyright [yyyy] [name of copyright owner]
  *
  * CDDL HEADER END
- */
-/*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
+ *
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
 #ifndef _CRYPTOUTIL_H
@@ -114,6 +112,67 @@ typedef struct uentrylist {
 	struct uentrylist	*next;
 } uentrylist_t;
 
+/* Return codes for pkcs11_parse_uri() */
+#define	PK11_URI_OK		0
+#define	PK11_URI_INVALID	1
+#define	PK11_MALLOC_ERROR	2
+#define	PK11_URI_VALUE_OVERFLOW	3
+#define	PK11_NOT_PKCS11_URI	4
+
+/*
+ * There is no limit for the attribute length in the spec. 256 bytes should be
+ * enough for the object name.
+ */
+#define	PK11_MAX_OBJECT_LEN		256
+/*
+ * CKA_ID is of type "byte array" which can be of arbitrary length. 256 bytes
+ * should be sufficient though.
+ */
+#define	PK11_MAX_ID_LEN			256
+
+/* Structure for the PKCS#11 URI. */
+typedef struct pkcs11_uri_t {
+	/* CKA_LABEL attribute to the C_FindObjectsInit function. */
+	CK_UTF8CHAR_PTR	object;
+	/*
+	 * CKA_CLASS attribute to the C_FindObjectsInit function. The
+	 * "objecttype" URI attribute can have a value one of "private",
+	 * "public", "cert", "secretkey", and "data". The "objecttype" field can
+	 * have a value of CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_CERTIFICATE,
+	 * CKO_SECRET_KEY, and CKO_DATA. This attribute cannot be empty in the
+	 * URI.
+	 */
+	CK_ULONG	objecttype;
+	/* CKO_DATA is 0 so we need this flag. Not part of the URI itself. */
+	boolean_t	objecttype_present;
+	/*
+	 * Token, manufufacturer, serial and model are of fixed size length in
+	 * the specification. We allocate memory on the fly to distinguish
+	 * between an attribute not present and an empty value. We check for
+	 * overflows. We always terminate the string with '\0' even when that is
+	 * not used in the PKCS#11's CK_TOKEN_INFO structure (fields are padded
+	 * with spaces).
+	 */
+	/* Token label from CK_TOKEN_INFO. */
+	CK_UTF8CHAR_PTR	token;
+	/* ManufacturerID from CK_TOKEN_INFO. */
+	CK_UTF8CHAR_PTR	manuf;
+	/* SerialNumber from CK_TOKEN_INFO. */
+	CK_CHAR_PTR	serial;
+	/* Model from CK_TOKEN_INFO. */
+	CK_UTF8CHAR_PTR	model;
+	/* This is a byte array, we need a length parameter as well. */
+	CK_BYTE_PTR	id;
+	int		id_len;
+	/*
+	 * Location of the file with a token PIN. Application can overload this,
+	 * eg. "/bin/askpass|" may mean to read the PIN from a command. However,
+	 * the pkcs11_parse_uri() function does not interpret this field in any
+	 * way.
+	 */
+	char		*pinfile;
+} pkcs11_uri_t;
+
 extern void cryptodebug(const char *fmt, ...);
 extern void cryptoerror(int priority, const char *fmt, ...);
 extern void cryptodebug_init(const char *prefix);
@@ -166,6 +225,9 @@ extern int update_conf(char *conf_file, char *entry);
 
 extern CK_RV get_fips_mode(int *);
 
+extern int pkcs11_parse_uri(const char *str, pkcs11_uri_t *uri);
+extern void pkcs11_free_uri(pkcs11_uri_t *uri);
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/usr/src/lib/libcryptoutil/common/mapfile-vers b/usr/src/lib/libcryptoutil/common/mapfile-vers
@@ -18,9 +18,7 @@
 #
 # CDDL HEADER END
 #
-#
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 
 #
@@ -59,13 +57,15 @@ SUNWprivate {
 	pkcs11_close_urandom;
 	pkcs11_close_urandom_seed;
 	pkcs11_default_token;
+	pkcs11_free_uri;
 	pkcs11_get_nzero_urandom;
 	pkcs11_get_pass;
 	pkcs11_get_random;
 	pkcs11_get_urandom;
 	pkcs11_mech2keytype;
 	pkcs11_mech2keygen;
 	pkcs11_mech2str;
+	pkcs11_parse_uri;
 	pkcs11_read_data;
 	pkcs11_seed_random;
 	pkcs11_seed_urandom;