diff --git a/dockerfiles/feature-support/hsm-patches/0001-Introduce-generic-keypair-generation-interface-and-e.patch b/dockerfiles/feature-support/hsm-patches/0001-Introduce-generic-keypair-generation-interface-and-e.patch index bd940941..ccfb6d37 100644 --- a/dockerfiles/feature-support/hsm-patches/0001-Introduce-generic-keypair-generation-interface-and-e.patch +++ b/dockerfiles/feature-support/hsm-patches/0001-Introduce-generic-keypair-generation-interface-and-e.patch @@ -1,4 +1,4 @@ -From 236cf8101b3df3914e3986ce685b866f880f02df Mon Sep 17 00:00:00 2001 +From 420454eb9fa6f86573b5ac2d65daad6d491a325e Mon Sep 17 00:00:00 2001 From: istepic Date: Mon, 5 Dec 2022 22:44:25 +0100 Subject: [PATCH] Introduce generic keypair generation interface and engine @@ -27,10 +27,11 @@ doesn't yet exist. Instead, a generic PKCS11_generate_key interface was made that takes a structure describing the key generation algorithm. For now it only contains simple options like curve name for ECC or number -of bits for RSA key generation. This interface can then be used -as any other PKCS11 wrapper interface or using the ENGINE control -commands. Using it with ENGINE control commands is demonstrated in -the new tests/keygen.c file. +of bits for RSA key generation. It also possible to configure +CKA_SENSITIVE and CKA_EXTRACTABLE key attributes. This interface can +then be used as any other PKCS11 wrapper interface or using the ENGINE +control commands. Using it with ENGINE control commands is demonstrated +in the new tests/keygen.c file. Code for ECC keygen was taken from: https://github.com/OpenSC/libp11/pull/379 and reworked to compile and @@ -39,21 +40,22 @@ work with some new additions to libp11 i.e. templates. Upstream-Status: Rejected (OpenSC/libp11/pull/474) Signed-off-by: istepic +Signed-off-by: cps-b <136316734+cps-b@users.noreply.github.com> --- src/eng_back.c | 65 +++++++++++++ src/eng_front.c | 4 + src/engine.h | 1 + src/libp11-int.h | 15 ++- - src/libp11.h | 48 +++++++--- + src/libp11.h | 54 ++++++++--- src/p11_front.c | 32 +++++-- - src/p11_key.c | 131 +++++++++++++++++++++++--- + src/p11_key.c | 135 +++++++++++++++++++++++--- src/p11_load.c | 1 - src/p11_misc.c | 75 +++++++++++++++ src/p11_slot.c | 1 + tests/Makefile.am | 6 +- - tests/keygen.c | 215 +++++++++++++++++++++++++++++++++++++++++++ + tests/keygen.c | 221 +++++++++++++++++++++++++++++++++++++++++++ tests/keygen.softhsm | 39 ++++++++ - 13 files changed, 593 insertions(+), 40 deletions(-) + 13 files changed, 608 insertions(+), 41 deletions(-) create mode 100644 tests/keygen.c create mode 100755 tests/keygen.softhsm @@ -168,7 +170,7 @@ index 54bdcf0..740f86e 100644 typedef struct st_engine_ctx ENGINE_CTX; /* opaque */ diff --git a/src/libp11-int.h b/src/libp11-int.h -index 2d4c48a..3b5db65 100644 +index 2d4c48a..32ffb6e 100644 --- a/src/libp11-int.h +++ b/src/libp11-int.h @@ -125,6 +125,9 @@ extern int ERR_load_CKR_strings(void); @@ -192,20 +194,20 @@ index 2d4c48a..3b5db65 100644 - int algorithm, unsigned int bits, - char *label, unsigned char* id, size_t id_len); +extern int pkcs11_rsa_keygen(PKCS11_SLOT_private *tpriv, -+ unsigned int bits, const char *label, unsigned char* id, size_t id_len); ++ unsigned int bits, const char *label, unsigned char* id, size_t id_len, const PKCS11_params* params); + +extern int pkcs11_ec_keygen(PKCS11_SLOT_private *tpriv, -+ const char *curve , const char *label, unsigned char* id, size_t id_len); ++ const char *curve , const char *label, unsigned char* id, size_t id_len, const PKCS11_params* params); + +/* Internal implementation of deprecated features */ /* Get the RSA key modulus size (in bytes) */ extern int pkcs11_get_key_size(PKCS11_OBJECT_private *); diff --git a/src/libp11.h b/src/libp11.h -index bd47d67..555d67e 100644 +index bd47d67..96e7985 100644 --- a/src/libp11.h +++ b/src/libp11.h -@@ -111,6 +111,28 @@ typedef struct PKCS11_ctx_st { +@@ -111,6 +111,34 @@ typedef struct PKCS11_ctx_st { void *_private; } PKCS11_CTX; @@ -217,6 +219,11 @@ index bd47d67..555d67e 100644 + unsigned int bits; +} PKCS11_RSA_KGEN; + ++typedef struct PKCS11_params { ++ unsigned char extractable; ++ unsigned char sensitive; ++} PKCS11_params; ++ +typedef struct PKCS11_kgen_attrs_st { + /* Key generation type from OpenSSL. Given the union below this should + * be either EVP_PKEY_EC or EVP_PKEY_RSA @@ -229,12 +236,13 @@ index bd47d67..555d67e 100644 + const char *token_label; + const char *key_label; + const char *key_id; ++ const PKCS11_params *key_params; +} PKCS11_KGEN_ATTRS; + /** * Create a new libp11 context * -@@ -387,6 +409,17 @@ extern int PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509, +@@ -387,6 +415,17 @@ extern int PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509, char *label, unsigned char *id, size_t id_len, PKCS11_CERT **ret_cert); @@ -252,7 +260,7 @@ index bd47d67..555d67e 100644 /* Access the random number generator */ extern int PKCS11_seed_random(PKCS11_SLOT *slot, const unsigned char *s, unsigned int s_len); extern int PKCS11_generate_random(PKCS11_SLOT *slot, unsigned char *r, unsigned int r_len); -@@ -443,21 +476,6 @@ extern void ERR_load_PKCS11_strings(void); +@@ -443,21 +482,6 @@ extern void ERR_load_PKCS11_strings(void); * duplicate the functionality OpenSSL provides for EVP_PKEY objects */ @@ -275,7 +283,7 @@ index bd47d67..555d67e 100644 /* Get the RSA key modulus size (in bytes) */ P11_DEPRECATED_FUNC extern int PKCS11_get_key_size(PKCS11_KEY *); diff --git a/src/p11_front.c b/src/p11_front.c -index f74f209..f82c9a3 100644 +index f74f209..edd9ab0 100644 --- a/src/p11_front.c +++ b/src/p11_front.c @@ -16,6 +16,8 @@ @@ -316,10 +324,10 @@ index f74f209..f82c9a3 100644 + switch(kg->type) { + case EVP_PKEY_RSA: + return pkcs11_rsa_keygen(slot, kg->kgen.rsa->bits, -+ kg->key_label, out, key_id_len); ++ kg->key_label, out, key_id_len, kg->key_params); + case EVP_PKEY_EC: + return pkcs11_ec_keygen(slot, kg->kgen.ec->curve, -+ kg->key_label, out, key_id_len); ++ kg->key_label, out, key_id_len, kg->key_params); + default: + return -1; + } @@ -331,7 +339,7 @@ index f74f209..f82c9a3 100644 { PKCS11_OBJECT_private *key = PRIVKEY(pkey); diff --git a/src/p11_key.c b/src/p11_key.c -index ec7f279..eaa31c8 100644 +index ec7f279..cf35eef 100644 --- a/src/p11_key.c +++ b/src/p11_key.c @@ -252,8 +252,8 @@ int pkcs11_reload_object(PKCS11_OBJECT_private *obj) @@ -341,11 +349,11 @@ index ec7f279..eaa31c8 100644 -int pkcs11_generate_key(PKCS11_SLOT_private *slot, int algorithm, unsigned int bits, - char *label, unsigned char* id, size_t id_len) { +int pkcs11_rsa_keygen(PKCS11_SLOT_private *slot, unsigned int bits, -+ const char *label, unsigned char* id, size_t id_len) { ++ const char *label, unsigned char* id, size_t id_len, const PKCS11_params* params) { PKCS11_CTX_private *ctx = slot->ctx; CK_SESSION_HANDLE session; -@@ -262,36 +262,44 @@ int pkcs11_generate_key(PKCS11_SLOT_private *slot, int algorithm, unsigned int b +@@ -262,36 +262,45 @@ int pkcs11_generate_key(PKCS11_SLOT_private *slot, int algorithm, unsigned int b CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0 }; CK_ULONG num_bits = bits; @@ -391,20 +399,22 @@ index ec7f279..eaa31c8 100644 pkcs11_addattr_s(&privtmpl, CKA_LABEL, label); - pkcs11_addattr_bool(&privtmpl, CKA_TOKEN, TRUE); pkcs11_addattr_bool(&privtmpl, CKA_PRIVATE, TRUE); +- pkcs11_addattr_bool(&privtmpl, CKA_SENSITIVE, TRUE); + pkcs11_addattr_bool(&privtmpl, CKA_TOKEN, TRUE); - pkcs11_addattr_bool(&privtmpl, CKA_SENSITIVE, TRUE); ++ pkcs11_addattr_bool(&privtmpl, CKA_SENSITIVE, params->sensitive); ++ pkcs11_addattr_bool(&privtmpl, CKA_EXTRACTABLE, params->extractable); pkcs11_addattr_bool(&privtmpl, CKA_DECRYPT, TRUE); pkcs11_addattr_bool(&privtmpl, CKA_SIGN, TRUE); - pkcs11_addattr_bool(&privtmpl, CKA_UNWRAP, TRUE); /* call the pkcs11 module to create the key pair */ rv = CRYPTOKI_call(ctx, C_GenerateKeyPair( -@@ -310,6 +318,107 @@ int pkcs11_generate_key(PKCS11_SLOT_private *slot, int algorithm, unsigned int b +@@ -310,6 +319,108 @@ int pkcs11_generate_key(PKCS11_SLOT_private *slot, int algorithm, unsigned int b return 0; } +int pkcs11_ec_keygen(PKCS11_SLOT_private *slot, const char *curve, -+ const char *label, unsigned char *id, size_t id_len) ++ const char *label, unsigned char *id, size_t id_len, const PKCS11_params* params) +{ + PKCS11_CTX_private *ctx = slot->ctx; + CK_SESSION_HANDLE session; @@ -477,7 +487,8 @@ index ec7f279..eaa31c8 100644 + pkcs11_addattr_s(&privtmpl, CKA_LABEL, label); + pkcs11_addattr_bool(&privtmpl, CKA_PRIVATE, TRUE); + pkcs11_addattr_bool(&privtmpl, CKA_TOKEN, TRUE); -+ pkcs11_addattr_bool(&privtmpl, CKA_SENSITIVE, TRUE); ++ pkcs11_addattr_bool(&privtmpl, CKA_SENSITIVE, params->sensitive); ++ pkcs11_addattr_bool(&privtmpl, CKA_EXTRACTABLE, params->extractable); + pkcs11_addattr_bool(&privtmpl, CKA_DERIVE, TRUE); + pkcs11_addattr_bool(&privtmpl, CKA_SIGN, TRUE); + @@ -641,10 +652,10 @@ index b1bc0fb..a71327d 100644 ec-cert.der ec-prvkey.der ec-pubkey.der diff --git a/tests/keygen.c b/tests/keygen.c new file mode 100644 -index 0000000..33afdef +index 0000000..75d9b38 --- /dev/null +++ b/tests/keygen.c -@@ -0,0 +1,215 @@ +@@ -0,0 +1,221 @@ + /* + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by @@ -812,6 +823,10 @@ index 0000000..33afdef + PKCS11_EC_KGEN ec = { + .curve = "P-256" + }; ++ PKCS11_params params = { ++ .sensitive = 1, ++ .extractable = 0, ++ }; + PKCS11_KGEN_ATTRS eckg = + { + .type = EVP_PKEY_EC, @@ -819,6 +834,7 @@ index 0000000..33afdef + .token_label = argv[1], + .key_label = argv[2], + .key_id = "1234", ++ .key_params = ¶ms, + }; + + if (!ENGINE_ctrl_cmd(engine, "KEYGEN", 0, &eckg, NULL, 1)) { @@ -845,6 +861,7 @@ index 0000000..33afdef + .token_label = argv[1], + .key_label = argv[2], + .key_id = "4321", ++ .key_params = ¶ms, + }; + if (!ENGINE_ctrl_cmd(engine, "KEYGEN", 0, &rsakg, NULL, 1)) { + fprintf(stderr, "Could not generate RSA keys\n"); @@ -906,5 +923,5 @@ index 0000000..83f8175 + +exit 0 -- -2.40.0 +2.39.3 (Apple Git-145) diff --git a/src/hsm.cpp b/src/hsm.cpp index 054d00fd..8ff4e2b5 100644 --- a/src/hsm.cpp +++ b/src/hsm.cpp @@ -22,7 +22,6 @@ #include #include -#include "libp11.h" #include "mococrw/error.h" #include "mococrw/key.h" @@ -204,12 +203,51 @@ openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const RSASpec &spec, std::string keyIDHexString = utility::toHex(keyID); PKCS11_RSA_KGEN pkcs11RSASpec; pkcs11RSASpec.bits = spec.numberOfBits(); + + PKCS11_params pkcs11Params; + pkcs11Params.sensitive = 1; + pkcs11Params.extractable = 0; + PKCS11_KGEN_ATTRS pkcs11RSAKeygen; pkcs11RSAKeygen.type = EVP_PKEY_RSA; pkcs11RSAKeygen.kgen.rsa = &pkcs11RSASpec; pkcs11RSAKeygen.key_id = keyIDHexString.c_str(); pkcs11RSAKeygen.token_label = _tokenLabel.c_str(); pkcs11RSAKeygen.key_label = keyLabel.c_str(); + pkcs11RSAKeygen.key_params = &pkcs11Params; + _ENGINE_ctrl_cmd(_engine.get(), "KEYGEN", &pkcs11RSAKeygen); + return loadPrivateKey(keyID); +} + +openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const RSASpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms) +{ + try { + // We need to make sure that we don't have 2 keys with the same ID. + // For that we need to pass empty keyLabel. Otherwise libp11 tries to find + // a key with exact keyLabel/keyID combination. This means that libp11 might + // not recognize that the key with the same ID is already there. + _ENGINE_ctrl_cmd_string(_engine.get(), "PIN", _pin); + loadPrivateKey(keyID); + throw MoCOCrWException("Key with that keyID already exists"); + } catch (const MoCOCrWException &e) { + if (e.what() != std::string(privKeyNotFoundError)) { + throw; + } + } + std::string keyIDHexString = utility::toHex(keyID); + PKCS11_RSA_KGEN pkcs11RSASpec; + pkcs11RSASpec.bits = spec.numberOfBits(); + + PKCS11_KGEN_ATTRS pkcs11RSAKeygen; + pkcs11RSAKeygen.type = EVP_PKEY_RSA; + pkcs11RSAKeygen.kgen.rsa = &pkcs11RSASpec; + pkcs11RSAKeygen.key_id = keyIDHexString.c_str(); + pkcs11RSAKeygen.token_label = _tokenLabel.c_str(); + pkcs11RSAKeygen.key_label = keyLabel.c_str(); + pkcs11RSAKeygen.key_params = ¶ms; _ENGINE_ctrl_cmd(_engine.get(), "KEYGEN", &pkcs11RSAKeygen); return loadPrivateKey(keyID); } @@ -235,13 +273,54 @@ openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const ECCSpec &spec, std::string keyIDHexString = utility::toHex(keyID); PKCS11_EC_KGEN pkcs11ECCSpec; pkcs11ECCSpec.curve = curve.c_str(); + + PKCS11_params pkcs11Params; + pkcs11Params.sensitive = 1; + pkcs11Params.extractable = 0; + + PKCS11_KGEN_ATTRS pkcs11ECCKeygen; + pkcs11ECCKeygen.type = EVP_PKEY_EC; + pkcs11ECCKeygen.kgen.ec = &pkcs11ECCSpec; + pkcs11ECCKeygen.key_id = keyIDHexString.c_str(); + pkcs11ECCKeygen.token_label = _tokenLabel.c_str(); + pkcs11ECCKeygen.key_label = keyLabel.c_str(); + pkcs11ECCKeygen.key_params = &pkcs11Params; + _ENGINE_ctrl_cmd(_engine.get(), "KEYGEN", &pkcs11ECCKeygen); + return loadPrivateKey(keyID); +} + +openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const ECCSpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms) +{ + try { + // We need to make sure that we don't have 2 keys with the same ID. + // For that we need to pass empty keyLabel. Otherwise libp11 tries to find + // a key with exact keyLabel/keyID combination. This means that libp11 might + // not recognize that the key with the same ID is already there. + _ENGINE_ctrl_cmd_string(_engine.get(), "PIN", _pin); + loadPrivateKey(keyID); + throw MoCOCrWException("Key with that keyID already exists"); + } catch (const MoCOCrWException &e) { + if (e.what() != std::string(privKeyNotFoundError)) { + throw; + } + } + std::string curve = spec.curveName(); + std::string keyIDHexString = utility::toHex(keyID); + PKCS11_EC_KGEN pkcs11ECCSpec; + pkcs11ECCSpec.curve = curve.c_str(); + PKCS11_KGEN_ATTRS pkcs11ECCKeygen; pkcs11ECCKeygen.type = EVP_PKEY_EC; pkcs11ECCKeygen.kgen.ec = &pkcs11ECCSpec; pkcs11ECCKeygen.key_id = keyIDHexString.c_str(); pkcs11ECCKeygen.token_label = _tokenLabel.c_str(); pkcs11ECCKeygen.key_label = keyLabel.c_str(); + pkcs11ECCKeygen.key_params = ¶ms; _ENGINE_ctrl_cmd(_engine.get(), "KEYGEN", &pkcs11ECCKeygen); return loadPrivateKey(keyID); } + } // namespace mococrw diff --git a/src/key.cpp b/src/key.cpp index 8c71b95e..2195146b 100644 --- a/src/key.cpp +++ b/src/key.cpp @@ -225,6 +225,26 @@ AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm, } } +AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm, + const RSASpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms) +{ + // libp11 uses 128 byte buffer + if (keyID.size() >= 64) { + throw MoCOCrWException("Invalid keyID - key longer than 63 bytes"); + } + try { + return AsymmetricKeypair{hsm.generateKey(spec, keyLabel, keyID, params)}; + } catch (const openssl::OpenSSLException &e) { + throw MoCOCrWException( + // wrong token-label? using unsupported ECC curve? HSM module implementation? + std::string("Key generation failed for unknown reason. OpenSSL error: ") + + e.what()); + } +} + AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm, const ECCSpec &spec, const std::string &keyLabel, @@ -243,6 +263,26 @@ AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm, e.what()); } } + +AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm, + const ECCSpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms) +{ + // libp11 uses 128 byte buffer + if (keyID.size() >= 64) { + throw MoCOCrWException("Invalid keyID - key longer than 63 bytes"); + } + try { + return AsymmetricKeypair{hsm.generateKey(spec, keyLabel, keyID, params)}; + } catch (const openssl::OpenSSLException &e) { + throw MoCOCrWException( + // wrong token-label? using unsupported ECC curve? HSM module implementation? + std::string("Key generation failed for unknown reason. OpenSSL error: ") + + e.what()); + } +} #endif AsymmetricKey RSASpec::generate() const diff --git a/src/mococrw/hsm.h b/src/mococrw/hsm.h index 3cad360b..a03aff96 100644 --- a/src/mococrw/hsm.h +++ b/src/mococrw/hsm.h @@ -19,6 +19,7 @@ #pragma once #include "openssl_wrap.h" +#include "libp11.h" namespace mococrw { @@ -91,6 +92,37 @@ class HSM virtual openssl::SSL_EVP_PKEY_Ptr generateKey(const ECCSpec &spec, const std::string &keyLabel, const std::vector &keyID) = 0; + + /** + * @brief Generate a RSA key pair on the HSM + * + * @param spec The RSA specification @ref RSASpec + * @param keyLabel String based description of an object on the token. It + * can be used in combination with keyID to identify an object. + * @param keyID Vector of raw bytes that identifies a key on the token + * @param params Struct to set key generation attributes + * @note keyID must not be empty + */ + virtual openssl::SSL_EVP_PKEY_Ptr generateKey(const RSASpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms) = 0; + + + /** + * @brief Generate a ECC key pair on the HSM + * + * @param spec The ECC specification @ref ECCSpec + * @param keyLabel String based description of an object on the token. It + * can be used in combination with keyID to identify an object. + * @param keyID Vector of raw bytes that identifies a key on the token + * @param params Struct to set key generation attributes + * @note keyID must not be empty + */ + virtual openssl::SSL_EVP_PKEY_Ptr generateKey(const ECCSpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms) = 0; }; /** @@ -147,6 +179,16 @@ class HsmEngine : public HSM const std::string &keyLabel, const std::vector &keyID) override; + openssl::SSL_EVP_PKEY_Ptr generateKey(const RSASpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms) override; + + openssl::SSL_EVP_PKEY_Ptr generateKey(const ECCSpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms) override; + private: /** * @brief Construct a PKCS11 URI according to RFC 7512 diff --git a/src/mococrw/key.h b/src/mococrw/key.h index b6b9140b..fa0c00c1 100644 --- a/src/mococrw/key.h +++ b/src/mococrw/key.h @@ -320,6 +320,48 @@ class AsymmetricKeypair : public AsymmetricPublicKey const std::string &keyLabel, const std::vector &keyID); + /** + * @brief Generates RSA keypair on HSM token according to the spec given. + * @note PKCS#11 standard has no rule to avoid having keys with duplicate labels and/or ids. + * Therefore care should be taken when generating keys with other tools on the same token. + * @param hsm HSM engine handle + * @param spec @ref RSASpec + * @param keyLabel String based description of an object on the token. It + * can be used in combination with keyID to identify an object. + * @param keyID raw bytes based key identifer + * @param Struct to set key generation attributes + * @return AsymmetricKeypair @ref AsymmetricKeypair + * @throw MoCOCrWException Since most of the logic is happening outside of OpenSSL and inside + * libp11 and HSM module implementation, we can't know exactly what went wrong. libp11 does log + * some things to stderr, check if there's more context there + */ + static AsymmetricKeypair generateKeyOnHSM(HSM &hsm, + const RSASpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms); + + /** + * @brief Generates ECC keypair on HSM token according to the spec given. + * @note PKCS#11 standard has no rule to avoid having keys with duplicate labels and/or ids. + * Therefore care should be taken when generating keys with other tools on the same token. + * @param hsm HSM engine handle + * @param spec @ref ECCSpec + * @param keyLabel String based description of an object on the token. It + * can be used in combination with keyID to identify an object. + * @param keyID raw bytes based key identifer + * @param Struct to set key generation attributes + * @return AsymmetricKeypair @ref AsymmetricKeypair + * @throw MoCOCrWException Since most of the logic is happening outside of OpenSSL and inside + * libp11 and HSM module implementation, we can't know exactly what went wrong. libp11 does log + * some things to stderr, check if there's more context there + */ + static AsymmetricKeypair generateKeyOnHSM(HSM &hsm, + const ECCSpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms); + /** * @brief Generates ECC keypair on HSM token according to the spec given. * @note PKCS#11 standard has no rule to avoid having keys with duplicate labels and/or ids. diff --git a/tests/integration/CMakeLists.txt b/tests/integration/CMakeLists.txt index f7dc5812..db6d2e0a 100644 --- a/tests/integration/CMakeLists.txt +++ b/tests/integration/CMakeLists.txt @@ -18,7 +18,13 @@ if(MOCOCRW_HSM_ENABLED) # libp11 writes to stderr on unsuccessful key loading. Pipe it to devnull add_test( NAME HsmIntegrationTest - COMMAND sh -c "${CMAKE_BINARY_DIR}/tests/integration/hsm-integration-test 2>/tmp/hsm-int-test.log" + COMMAND sh -c "${CMAKE_BINARY_DIR}/tests/integration/hsm-integration-test-wrapper.sh 2>/tmp/hsm-int-test.log" ) + + add_executable(attribute_reader attribute_reader.cpp) + target_include_directories(attribute_reader PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}) + target_link_libraries(attribute_reader dl) + file(COPY ${CMAKE_CURRENT_SOURCE_DIR}/hsm-integration-test-wrapper.sh + DESTINATION ${CMAKE_BINARY_DIR}/tests/integration) endif() diff --git a/tests/integration/attribute_reader.cpp b/tests/integration/attribute_reader.cpp new file mode 100644 index 00000000..a6c1373b --- /dev/null +++ b/tests/integration/attribute_reader.cpp @@ -0,0 +1,210 @@ +#include +#include +#include +#include +#include + +int main() { + CK_RV rv; + CK_SESSION_HANDLE session; + CK_FUNCTION_LIST_PTR pFunctionList; + CK_SLOT_ID_PTR pSlotList = NULL; + CK_ULONG ulSlotCount; + + // Load the PKCS#11 library + void *libHandle = dlopen("/usr/lib/softhsm/libsofthsm2.so", RTLD_LAZY); + if (libHandle == NULL) { + printf("Failed to load PKCS#11 library.\n"); + return 1; + } + + // Get the function list + CK_C_GetFunctionList pGetFunctionList = (CK_C_GetFunctionList)dlsym(libHandle, "C_GetFunctionList"); + if (pGetFunctionList == NULL) { + printf("Failed to get function list.\n"); + dlclose(libHandle); + return 1; + } + + // Initialize the function list + rv = pGetFunctionList(&pFunctionList); + if (rv != CKR_OK) { + printf("Failed to initialize function list. Error: %lu\n", rv); + dlclose(libHandle); + return 1; + } + + // Initialize PKCS#11 + rv = pFunctionList->C_Initialize(NULL); + if (rv != CKR_OK) { + printf("Failed to initialize PKCS#11. Error: %lu\n", rv); + dlclose(libHandle); + return 1; + } + + // Get the list of available slots + rv = pFunctionList->C_GetSlotList(CK_FALSE, NULL_PTR, &ulSlotCount); + if (rv != CKR_OK) { + fprintf(stderr, "Failed to get slot count.\n"); + pFunctionList->C_Finalize(NULL); + return 1; + } + + if (ulSlotCount == 0) { + fprintf(stderr, "No slots available.\n"); + pFunctionList->C_Finalize(NULL); + return 1; + } + + pSlotList = (CK_SLOT_ID_PTR)malloc(ulSlotCount * sizeof(CK_SLOT_ID)); + rv = pFunctionList->C_GetSlotList(CK_FALSE, pSlotList, &ulSlotCount); + if (rv != CKR_OK) { + fprintf(stderr, "Failed to get slot list.\n"); + pFunctionList->C_Finalize(NULL); + free(pSlotList); + return 1; + } + + for (int slot = 0; slot < ulSlotCount; ++slot) { + + // Open a session + rv = pFunctionList->C_OpenSession( + pSlotList[slot], CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL_PTR, NULL_PTR, &session); + if (rv != CKR_OK) { + fprintf(stderr, "Failed to open a session.\n"); + pFunctionList->C_Finalize(NULL); + free(pSlotList); + return 1; + } + + // Login to the session (you may need to modify this for your specific HSM) + CK_UTF8CHAR pin[] = "1234"; + rv = pFunctionList->C_Login(session, CKU_USER, pin, sizeof(pin) - 1); + if (rv != CKR_OK) { + fprintf(stderr, "Failed to login.\n"); + pFunctionList->C_CloseSession(session); + pFunctionList->C_Finalize(NULL); + free(pSlotList); + return 1; + } + + // List objects + CK_OBJECT_HANDLE objHandle; + CK_ULONG objCount; + + rv = pFunctionList->C_FindObjectsInit(session, NULL_PTR, 0); + if (rv != CKR_OK) { + fprintf(stderr, "Failed to initialize object search.\n"); + pFunctionList->C_CloseSession(session); + pFunctionList->C_Finalize(NULL); + free(pSlotList); + return 1; + } + + rv = pFunctionList->C_FindObjects(session, &objHandle, 1, &objCount); + if (rv != CKR_OK) { + fprintf(stderr, "Failed to find objects.\n"); + pFunctionList->C_FindObjectsFinal(session); + pFunctionList->C_CloseSession(session); + pFunctionList->C_Finalize(NULL); + free(pSlotList); + return 1; + } + + //printf("Found %lu object(s):\n", objCount); + + //for (CK_ULONG i = 0; i < objCount; i++) { + int i= 0; + while(objCount != 0){ + //printf("innerloop: %d\n", i); + CK_ATTRIBUTE objTemplate[] = {{CKA_LABEL, NULL_PTR, 32}, + {CKA_CLASS, NULL_PTR, 32}, + {CKA_KEY_TYPE, NULL_PTR, 32}, + {CKA_EXTRACTABLE, NULL_PTR, 1}, + {CKA_SENSITIVE, NULL_PTR, 1} + }; + + /*CK_ATTRIBUTE objTemplate[] = {{CKA_LABEL, NULL_PTR, 32}, + {CKA_EXTRACTABLE, NULL_PTR, 1}, + {CKA_SENSITIVE, NULL_PTR, 1}};*/ + + /*objTemplate[0].pValue = NULL; + objTemplate[1].pValue = NULL; + objTemplate[2].pValue = NULL; + objTemplate[3].pValue = NULL; + objTemplate[4].pValue = NULL; + + rv = pFunctionList->C_GetAttributeValue(session, objHandle, objTemplate, 5); + if (rv != CKR_OK) { + fprintf(stderr, "Failed to get object attributes.\n"); + break; + }*/ + + // Allocate memory for attribute values + objTemplate[0].pValue = (CK_BYTE_PTR)calloc(objTemplate[0].ulValueLen, 1); + objTemplate[1].pValue = (CK_BYTE_PTR)malloc(objTemplate[1].ulValueLen); + objTemplate[2].pValue = (CK_BYTE_PTR)malloc(objTemplate[2].ulValueLen); + objTemplate[3].pValue = (CK_BYTE_PTR)malloc(objTemplate[3].ulValueLen); + objTemplate[4].pValue = (CK_BYTE_PTR)malloc(objTemplate[4].ulValueLen); + + rv = pFunctionList->C_GetAttributeValue(session, objHandle, objTemplate, 5); + if (rv != CKR_OK) { + //fprintf(stderr, "Object %d: Failed to get object attributes -> %s.\n", i+1, (char *)objTemplate[0].pValue); + //break; + } else { + //printf("pSlotList5 %p:\n", pSlotList); + + if(strlen((char *)objTemplate[0].pValue) == 0) { + sprintf((char *)objTemplate[0].pValue, "emptylabel"); + } + + printf("%s SENSITIVE:%d EXTRACTABLE:%d\n", (char *)objTemplate[0].pValue, *(unsigned char*) objTemplate[4].pValue, *(unsigned char*) objTemplate[3].pValue); + + /*printf("Object %lu:\n", i + 1); + printf(" Label: %s\n", (char *)objTemplate[0].pValue); + printf(" Class: %lu\n", *(CK_OBJECT_CLASS *)objTemplate[1].pValue); + printf(" Key Type: %lu\n", *(CK_KEY_TYPE *)objTemplate[2].pValue); + printf(" EXTRACTABLE: %d\n", *(unsigned char*) objTemplate[3].pValue); + printf(" SENSITIVE: %d\n", *(unsigned char*) objTemplate[4].pValue);*/ + } + // Free allocated memory + free(objTemplate[0].pValue); + free(objTemplate[1].pValue); + free(objTemplate[2].pValue); + free(objTemplate[3].pValue); + free(objTemplate[4].pValue); + + + // Move to the next object + rv = pFunctionList->C_FindObjects(session, &objHandle, 1, &objCount); + if (rv != CKR_OK) { + //printf("innerloop exit2\n"); + fprintf(stderr, "Failed to find objects.\n"); + break; + } + i = i + 1; + } + + //printf("innerloop end\n"); + + pFunctionList->C_FindObjectsFinal(session); + + rv = pFunctionList->C_Logout(session); + if (rv != CKR_OK) { + fprintf(stderr, "Failed to logout.\n"); + } + pFunctionList->C_CloseSession(session); + } + + /*rv = pFunctionList->C_Logout(session); + if (rv != CKR_OK) { + fprintf(stderr, "Failed to logout.\n"); + } + + pFunctionList->C_FindObjectsFinal(session); + pFunctionList->C_CloseSession(session);*/ + pFunctionList->C_Finalize(NULL); + free(pSlotList); + + return 0; +} \ No newline at end of file diff --git a/tests/integration/hsm-integration-test-wrapper.sh b/tests/integration/hsm-integration-test-wrapper.sh new file mode 100644 index 00000000..f914ef08 --- /dev/null +++ b/tests/integration/hsm-integration-test-wrapper.sh @@ -0,0 +1,32 @@ +# HSM Integration Test + +# Step 1 +# Run HSM Integration Test and check results +# This is needed as a first step as we need to store the keys in the HSM +./hsm-integration-test +if [ $? -eq 0 ]; then + echo "HSM Integration Test was successful" +else + echo "Error in HSM Integration Test" + exit 1; +fi + +# Step 2 +# Run attribute reader to check attributes +./attribute_reader | while read -r line; do + label="$(cut -d' ' -f1 <<< "${line}")" + if [ "${label}" == "key-rsa-att" -o "${label}" == "key-ecc-att" ]; then + if [ "${line}" != "${label} SENSITIVE:0 EXTRACTABLE:1" ]; then + echo "Manual setting of CKA_SENSITIVE and CKA_EXTRACTABLE failed: ${label}"; + exit 1; + fi + else + if [ "${line}" != "${label} SENSITIVE:1 EXTRACTABLE:0" ]; then + echo "Automatic setting of CKA_SENSITIVE and CKA_EXTRACTABLE failed: ${label}"; + exit 1; + fi + fi + +done +echo "Setting CKA_SENSITIVE and CKA_EXTRACTABLE was successful" + diff --git a/tests/integration/hsm-integration-test.cpp b/tests/integration/hsm-integration-test.cpp index 9763c973..34422c1e 100644 --- a/tests/integration/hsm-integration-test.cpp +++ b/tests/integration/hsm-integration-test.cpp @@ -448,6 +448,37 @@ int main(void) std::cout << "Decrypting the message..."; decryptData(eciesData, eccPrivKey); std::cout << "Success\n" << std::endl; + + /** + * Test adding CKA_SENSITIVE and CKA_EXTRACTABLE + */ + std::cout << "4. Testing key generation with attributes" << std::endl; + + PKCS11_params pkcs11Params; + pkcs11Params.sensitive = 0; + pkcs11Params.extractable = 1; + + // ECC + std::vector keyId_ecc_att{0x41}; + std::string keyLabel_ecc_att{"key-ecc-att"}; + + std::cout << "Generating an ECC key with CKA_SENSITIVE=False and CKA_EXTRACTABLE=True" << std::endl; + + auto keypairecc = AsymmetricPrivateKey::generateKeyOnHSM( + hsmEngine, eccSpec, keyLabel_ecc_att, keyId_ecc_att, pkcs11Params); + std::cout << "Success" << std::endl; + + // RSA + + std::vector keyId_rsa_att{0x42}; + std::string keyLabel_rsa_att{"key-rsa-att"}; + + std::cout << "Generating a RSA key with CKA_SENSITIVE=False and CKA_EXTRACTABLE=True" << std::endl; + + auto keypairrsa = AsymmetricPrivateKey::generateKeyOnHSM( + hsmEngine, rsaSpec, keyLabel_rsa_att, keyId_rsa_att, pkcs11Params); + std::cout << "Success" << std::endl; + } catch (const MoCOCrWException &e) { std::cout << "Integration test failed with MoCOCrWException: " << e.what() << std::endl; exit(1); diff --git a/tests/integration/pkcs11.h b/tests/integration/pkcs11.h new file mode 100644 index 00000000..b0044253 --- /dev/null +++ b/tests/integration/pkcs11.h @@ -0,0 +1,1526 @@ +/* pkcs11.h +Copyright 2006, 2007 g10 Code GmbH +Copyright 2006 Andreas Jellinghaus + +This file is free software; as a special exception the author gives + unlimited permission to copy and/or distribute it, with or without + modifications, as long as this notice is preserved. + + This file is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY, to the extent permitted by law; without even + the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. */ + +/* Please submit changes back to the Scute project at +http://www.scute.org/ (or send them to marcus@g10code.com), so that +they can be picked up by other projects from there as well. */ + +/* This file is a modified implementation of the PKCS #11 standard by +RSA Security Inc. It is mostly a drop-in replacement, with the +following change: + +This header file does not require any macro definitions by the user +(like CK_DEFINE_FUNCTION etc). In fact, it defines those macros +for you (if useful, some are missing, let me know if you need +more). + +There is an additional API available that does comply better to the +GNU coding standard. It can be switched on by defining +CRYPTOKI_GNU before including this header file. For this, the +following changes are made to the specification: + +All structure types are changed to a "struct ck_foo" where CK_FOO +is the type name in PKCS #11. + +All non-structure types are changed to ck_foo_t where CK_FOO is the +lowercase version of the type name in PKCS #11. The basic types +(CK_ULONG et al.) are removed without substitute. + +All members of structures are modified in the following way: Type +indication prefixes are removed, and underscore characters are +inserted before words. Then the result is lowercased. + +Note that function names are still in the original case, as they +need for ABI compatibility. + +CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute. Use +. + +If CRYPTOKI_COMPAT is defined before including this header file, +then none of the API changes above take place, and the API is the +one defined by the PKCS #11 standard. */ + +#ifndef PKCS11_H +#define PKCS11_H 1 + +#if defined(__cplusplus) + extern "C" { +#endif + + +/* The version of cryptoki we implement. The revision is changed with +each modification of this file. If you do not use the "official" +version of this file, please consider deleting the revision macro +(you may use a macro with a different name to keep track of your +versions). */ +#define CRYPTOKI_VERSION_MAJOR 2 +#define CRYPTOKI_VERSION_MINOR 20 +#define CRYPTOKI_VERSION_REVISION 6 + + +/* Compatibility interface is default, unless CRYPTOKI_GNU is +given. */ +#ifndef CRYPTOKI_GNU +#ifndef CRYPTOKI_COMPAT +#define CRYPTOKI_COMPAT 1 +#endif +#endif + + /* System dependencies. */ + +#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) + +/* There is a matching pop below. */ +#pragma pack(push, cryptoki, 1) + +#ifdef CRYPTOKI_EXPORTS +#define CK_SPEC __declspec(dllexport) +#else +#define CK_SPEC __declspec(dllimport) +#endif + +#else + +#define CK_SPEC + +#endif + +#ifdef CRYPTOKI_COMPAT + /* If we are in compatibility mode, switch all exposed names to the + PKCS #11 variant. There are corresponding #undefs below. */ + +#define ck_flags_t CK_FLAGS +#define ck_version _CK_VERSION + +#define ck_info _CK_INFO +#define cryptoki_version cryptokiVersion +#define manufacturer_id manufacturerID +#define library_description libraryDescription +#define library_version libraryVersion + +#define ck_notification_t CK_NOTIFICATION +#define ck_slot_id_t CK_SLOT_ID + +#define ck_slot_info _CK_SLOT_INFO +#define slot_description slotDescription +#define hardware_version hardwareVersion +#define firmware_version firmwareVersion + +#define ck_token_info _CK_TOKEN_INFO +#define serial_number serialNumber +#define max_session_count ulMaxSessionCount +#define session_count ulSessionCount +#define max_rw_session_count ulMaxRwSessionCount +#define rw_session_count ulRwSessionCount +#define max_pin_len ulMaxPinLen +#define min_pin_len ulMinPinLen +#define total_public_memory ulTotalPublicMemory +#define free_public_memory ulFreePublicMemory +#define total_private_memory ulTotalPrivateMemory +#define free_private_memory ulFreePrivateMemory +#define utc_time utcTime + +#define ck_session_handle_t CK_SESSION_HANDLE +#define ck_user_type_t CK_USER_TYPE +#define ck_state_t CK_STATE + +#define ck_session_info _CK_SESSION_INFO +#define slot_id slotID +#define device_error ulDeviceError + +#define ck_object_handle_t CK_OBJECT_HANDLE +#define ck_object_class_t CK_OBJECT_CLASS +#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE +#define ck_key_type_t CK_KEY_TYPE +#define ck_certificate_type_t CK_CERTIFICATE_TYPE +#define ck_attribute_type_t CK_ATTRIBUTE_TYPE + +#define ck_attribute _CK_ATTRIBUTE +#define value pValue +#define value_len ulValueLen + +#define ck_date _CK_DATE + +#define ck_mechanism_type_t CK_MECHANISM_TYPE + +#define ck_rsa_pkcs_mgf_type_t CK_RSA_PKCS_MGF_TYPE + +#define ck_mechanism _CK_MECHANISM +#define parameter pParameter +#define parameter_len ulParameterLen + +#define ck_mechanism_info _CK_MECHANISM_INFO +#define min_key_size ulMinKeySize +#define max_key_size ulMaxKeySize + +#define ck_rv_t CK_RV +#define ck_notify_t CK_NOTIFY + +#define ck_function_list _CK_FUNCTION_LIST + +#define ck_createmutex_t CK_CREATEMUTEX +#define ck_destroymutex_t CK_DESTROYMUTEX +#define ck_lockmutex_t CK_LOCKMUTEX +#define ck_unlockmutex_t CK_UNLOCKMUTEX + +#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS +#define create_mutex CreateMutex +#define destroy_mutex DestroyMutex +#define lock_mutex LockMutex +#define unlock_mutex UnlockMutex +#define reserved pReserved + +#endif /* CRYPTOKI_COMPAT */ + + + typedef unsigned long ck_flags_t; + + struct ck_version + { + unsigned char major; + unsigned char minor; + }; + + + struct ck_info + { + struct ck_version cryptoki_version; + unsigned char manufacturer_id[32]; + ck_flags_t flags; + unsigned char library_description[32]; + struct ck_version library_version; + }; + + + typedef unsigned long ck_notification_t; + +#define CKN_SURRENDER (0UL) + + + typedef unsigned long ck_slot_id_t; + + + struct ck_slot_info + { + unsigned char slot_description[64]; + unsigned char manufacturer_id[32]; + ck_flags_t flags; + struct ck_version hardware_version; + struct ck_version firmware_version; + }; + + +#define CKF_TOKEN_PRESENT (1UL << 0) +#define CKF_REMOVABLE_DEVICE (1UL << 1) +#define CKF_HW_SLOT (1UL << 2) +#define CKF_ARRAY_ATTRIBUTE (1UL << 30) + + + struct ck_token_info + { + unsigned char label[32]; + unsigned char manufacturer_id[32]; + unsigned char model[16]; + unsigned char serial_number[16]; + ck_flags_t flags; + unsigned long max_session_count; + unsigned long session_count; + unsigned long max_rw_session_count; + unsigned long rw_session_count; + unsigned long max_pin_len; + unsigned long min_pin_len; + unsigned long total_public_memory; + unsigned long free_public_memory; + unsigned long total_private_memory; + unsigned long free_private_memory; + struct ck_version hardware_version; + struct ck_version firmware_version; + unsigned char utc_time[16]; + }; + + +#define CKF_RNG (1UL << 0) +#define CKF_WRITE_PROTECTED (1UL << 1) +#define CKF_LOGIN_REQUIRED (1UL << 2) +#define CKF_USER_PIN_INITIALIZED (1UL << 3) +#define CKF_RESTORE_KEY_NOT_NEEDED (1UL << 5) +#define CKF_CLOCK_ON_TOKEN (1UL << 6) +#define CKF_PROTECTED_AUTHENTICATION_PATH (1UL << 8) +#define CKF_DUAL_CRYPTO_OPERATIONS (1UL << 9) +#define CKF_TOKEN_INITIALIZED (1UL << 10) +#define CKF_SECONDARY_AUTHENTICATION (1UL << 11) +#define CKF_USER_PIN_COUNT_LOW (1UL << 16) +#define CKF_USER_PIN_FINAL_TRY (1UL << 17) +#define CKF_USER_PIN_LOCKED (1UL << 18) +#define CKF_USER_PIN_TO_BE_CHANGED (1UL << 19) +#define CKF_SO_PIN_COUNT_LOW (1UL << 20) +#define CKF_SO_PIN_FINAL_TRY (1UL << 21) +#define CKF_SO_PIN_LOCKED (1UL << 22) +#define CKF_SO_PIN_TO_BE_CHANGED (1UL << 23) + +#define CK_UNAVAILABLE_INFORMATION ((unsigned long) -1) +#define CK_EFFECTIVELY_INFINITE (0UL) + + + typedef unsigned long ck_session_handle_t; + +#define CK_INVALID_HANDLE (0UL) + + + typedef unsigned long ck_user_type_t; + +#define CKU_SO (0UL) +#define CKU_USER (1UL) +#define CKU_CONTEXT_SPECIFIC (2UL) + + + typedef unsigned long ck_state_t; + +#define CKS_RO_PUBLIC_SESSION (0UL) +#define CKS_RO_USER_FUNCTIONS (1UL) +#define CKS_RW_PUBLIC_SESSION (2UL) +#define CKS_RW_USER_FUNCTIONS (3UL) +#define CKS_RW_SO_FUNCTIONS (4UL) + + + struct ck_session_info + { + ck_slot_id_t slot_id; + ck_state_t state; + ck_flags_t flags; + unsigned long device_error; + }; + +#define CKF_RW_SESSION (1UL << 1) +#define CKF_SERIAL_SESSION (1UL << 2) + + + typedef unsigned long ck_object_handle_t; + + + typedef unsigned long ck_object_class_t; + +#define CKO_DATA (0UL) +#define CKO_CERTIFICATE (1UL) +#define CKO_PUBLIC_KEY (2UL) +#define CKO_PRIVATE_KEY (3UL) +#define CKO_SECRET_KEY (4UL) +#define CKO_HW_FEATURE (5UL) +#define CKO_DOMAIN_PARAMETERS (6UL) +#define CKO_MECHANISM (7UL) +#define CKO_VENDOR_DEFINED (1UL << 31) + + + typedef unsigned long ck_hw_feature_type_t; + +#define CKH_MONOTONIC_COUNTER (1UL) +#define CKH_CLOCK (2UL) +#define CKH_USER_INTERFACE (3UL) +#define CKH_VENDOR_DEFINED (1UL << 31) + + + typedef unsigned long ck_key_type_t; + +#define CKK_RSA (0UL) +#define CKK_DSA (1UL) +#define CKK_DH (2UL) +#define CKK_ECDSA (3UL) +#define CKK_EC (3UL) +#define CKK_X9_42_DH (4UL) +#define CKK_KEA (5UL) +#define CKK_GENERIC_SECRET (0x10UL) +#define CKK_RC2 (0x11UL) +#define CKK_RC4 (0x12UL) +#define CKK_DES (0x13UL) +#define CKK_DES2 (0x14UL) +#define CKK_DES3 (0x15UL) +#define CKK_CAST (0x16UL) +#define CKK_CAST3 (0x17UL) +#define CKK_CAST128 (0x18UL) +#define CKK_RC5 (0x19UL) +#define CKK_IDEA (0x1aUL) +#define CKK_SKIPJACK (0x1bUL) +#define CKK_BATON (0x1cUL) +#define CKK_JUNIPER (0x1dUL) +#define CKK_CDMF (0x1eUL) +#define CKK_AES (0x1fUL) +#define CKK_BLOWFISH (0x20UL) +#define CKK_TWOFISH (0x21UL) +#define CKK_GOSTR3410 (0x30UL) +#define CKK_GOSTR3411 (0x31UL) +#define CKK_GOST28147 (0x32UL) +#define CKK_VENDOR_DEFINED (1UL << 31) + +// A mask for new GOST algorithms. +// For details visit https://tc26.ru/standarts/perevody/guidelines-the-pkcs-11-extensions-for-implementing-the-gost-r-34-10-2012-and-gost-r-34-11-2012-russian-standards-.html +#define NSSCK_VENDOR_PKCS11_RU_TEAM (CKK_VENDOR_DEFINED | 0x54321000) +#define CK_VENDOR_PKCS11_RU_TEAM_TK26 NSSCK_VENDOR_PKCS11_RU_TEAM + +#define CKK_GOSTR3410_512 (CK_VENDOR_PKCS11_RU_TEAM_TK26 | 0x003) + + typedef unsigned long ck_certificate_type_t; + +#define CKC_X_509 (0UL) +#define CKC_X_509_ATTR_CERT (1UL) +#define CKC_WTLS (2UL) +#define CKC_VENDOR_DEFINED (1UL << 31) + + + typedef unsigned long ck_attribute_type_t; + +#define CKA_CLASS (0UL) +#define CKA_TOKEN (1UL) +#define CKA_PRIVATE (2UL) +#define CKA_LABEL (3UL) +#define CKA_APPLICATION (0x10UL) +#define CKA_VALUE (0x11UL) +#define CKA_OBJECT_ID (0x12UL) +#define CKA_CERTIFICATE_TYPE (0x80UL) +#define CKA_ISSUER (0x81UL) +#define CKA_SERIAL_NUMBER (0x82UL) +#define CKA_AC_ISSUER (0x83UL) +#define CKA_OWNER (0x84UL) +#define CKA_ATTR_TYPES (0x85UL) +#define CKA_TRUSTED (0x86UL) +#define CKA_CERTIFICATE_CATEGORY (0x87UL) +#define CKA_JAVA_MIDP_SECURITY_DOMAIN (0x88UL) +#define CKA_URL (0x89UL) +#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8aUL) +#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8bUL) +#define CKA_NAME_HASH_ALGORITHM (0x8cUL) +#define CKA_CHECK_VALUE (0x90UL) +#define CKA_KEY_TYPE (0x100UL) +#define CKA_SUBJECT (0x101UL) +#define CKA_ID (0x102UL) +#define CKA_SENSITIVE (0x103UL) +#define CKA_ENCRYPT (0x104UL) +#define CKA_DECRYPT (0x105UL) +#define CKA_WRAP (0x106UL) +#define CKA_UNWRAP (0x107UL) +#define CKA_SIGN (0x108UL) +#define CKA_SIGN_RECOVER (0x109UL) +#define CKA_VERIFY (0x10aUL) +#define CKA_VERIFY_RECOVER (0x10bUL) +#define CKA_DERIVE (0x10cUL) +#define CKA_START_DATE (0x110UL) +#define CKA_END_DATE (0x111UL) +#define CKA_MODULUS (0x120UL) +#define CKA_MODULUS_BITS (0x121UL) +#define CKA_PUBLIC_EXPONENT (0x122UL) +#define CKA_PRIVATE_EXPONENT (0x123UL) +#define CKA_PRIME_1 (0x124UL) +#define CKA_PRIME_2 (0x125UL) +#define CKA_EXPONENT_1 (0x126UL) +#define CKA_EXPONENT_2 (0x127UL) +#define CKA_COEFFICIENT (0x128UL) +#define CKA_PRIME (0x130UL) +#define CKA_SUBPRIME (0x131UL) +#define CKA_BASE (0x132UL) +#define CKA_PRIME_BITS (0x133UL) +#define CKA_SUB_PRIME_BITS (0x134UL) +#define CKA_VALUE_BITS (0x160UL) +#define CKA_VALUE_LEN (0x161UL) +#define CKA_EXTRACTABLE (0x162UL) +#define CKA_LOCAL (0x163UL) +#define CKA_NEVER_EXTRACTABLE (0x164UL) +#define CKA_ALWAYS_SENSITIVE (0x165UL) +#define CKA_KEY_GEN_MECHANISM (0x166UL) +#define CKA_MODIFIABLE (0x170UL) +#define CKA_ECDSA_PARAMS (0x180UL) +#define CKA_EC_PARAMS (0x180UL) +#define CKA_EC_POINT (0x181UL) +#define CKA_SECONDARY_AUTH (0x200UL) +#define CKA_AUTH_PIN_FLAGS (0x201UL) +#define CKA_ALWAYS_AUTHENTICATE (0x202UL) +#define CKA_WRAP_WITH_TRUSTED (0x210UL) +#define CKA_GOSTR3410_PARAMS (0x250UL) +#define CKA_GOSTR3411_PARAMS (0x251UL) +#define CKA_GOST28147_PARAMS (0x252UL) +#define CKA_HW_FEATURE_TYPE (0x300UL) +#define CKA_RESET_ON_INIT (0x301UL) +#define CKA_HAS_RESET (0x302UL) +#define CKA_PIXEL_X (0x400UL) +#define CKA_PIXEL_Y (0x401UL) +#define CKA_RESOLUTION (0x402UL) +#define CKA_CHAR_ROWS (0x403UL) +#define CKA_CHAR_COLUMNS (0x404UL) +#define CKA_COLOR (0x405UL) +#define CKA_BITS_PER_PIXEL (0x406UL) +#define CKA_CHAR_SETS (0x480UL) +#define CKA_ENCODING_METHODS (0x481UL) +#define CKA_MIME_TYPES (0x482UL) +#define CKA_MECHANISM_TYPE (0x500UL) +#define CKA_REQUIRED_CMS_ATTRIBUTES (0x501UL) +#define CKA_DEFAULT_CMS_ATTRIBUTES (0x502UL) +#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503UL) +#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211UL) +#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212UL) +#define CKA_OTP_FORMAT (0x220UL) +#define CKA_OTP_LENGTH (0x221UL) +#define CKA_OTP_TIME_INTERVAL (0x222UL) +#define CKA_OTP_USER_FRIENDLY_MODE (0x223UL) +#define CKA_OTP_CHALLENGE_REQUIREMENT (0x224UL) +#define CKA_OTP_TIME_REQUIREMENT (0x225UL) +#define CKA_OTP_COUNTER_REQUIREMENT (0x226UL) +#define CKA_OTP_PIN_REQUIREMENT (0x227UL) +#define CKA_OTP_USER_IDENTIFIER (0x22AUL) +#define CKA_OTP_SERVICE_IDENTIFIER (0x22BUL) +#define CKA_OTP_SERVICE_LOGO (0x22CUL) +#define CKA_OTP_SERVICE_LOGO_TYPE (0x22DUL) +#define CKA_OTP_COUNTER (0x22EUL) +#define CKA_OTP_TIME (0x22FUL) +#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600UL) +#define CKA_VENDOR_DEFINED (1UL << 31) + + + struct ck_attribute + { + ck_attribute_type_t type; + void *value; + unsigned long value_len; + }; + + + struct ck_date + { + unsigned char year[4]; + unsigned char month[2]; + unsigned char day[2]; + }; + + + typedef unsigned long ck_mechanism_type_t; + +#define CKM_RSA_PKCS_KEY_PAIR_GEN (0UL) +#define CKM_RSA_PKCS (1UL) +#define CKM_RSA_9796 (2UL) +#define CKM_RSA_X_509 (3UL) +#define CKM_MD2_RSA_PKCS (4UL) +#define CKM_MD5_RSA_PKCS (5UL) +#define CKM_SHA1_RSA_PKCS (6UL) +#define CKM_RIPEMD128_RSA_PKCS (7UL) +#define CKM_RIPEMD160_RSA_PKCS (8UL) +#define CKM_RSA_PKCS_OAEP (9UL) +#define CKM_RSA_X9_31_KEY_PAIR_GEN (0xaUL) +#define CKM_RSA_X9_31 (0xbUL) +#define CKM_SHA1_RSA_X9_31 (0xcUL) +#define CKM_RSA_PKCS_PSS (0xdUL) +#define CKM_SHA1_RSA_PKCS_PSS (0xeUL) +#define CKM_DSA_KEY_PAIR_GEN (0x10UL) +#define CKM_DSA (0x11UL) +#define CKM_DSA_SHA1 (0x12UL) +#define CKM_DSA_SHA224 (0x13UL) +#define CKM_DSA_SHA256 (0x14UL) +#define CKM_DSA_SHA384 (0x15UL) +#define CKM_DSA_SHA512 (0x16UL) +#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20UL) +#define CKM_DH_PKCS_DERIVE (0x21UL) +#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30UL) +#define CKM_X9_42_DH_DERIVE (0x31UL) +#define CKM_X9_42_DH_HYBRID_DERIVE (0x32UL) +#define CKM_X9_42_MQV_DERIVE (0x33UL) +#define CKM_SHA256_RSA_PKCS (0x40UL) +#define CKM_SHA384_RSA_PKCS (0x41UL) +#define CKM_SHA512_RSA_PKCS (0x42UL) +#define CKM_SHA256_RSA_PKCS_PSS (0x43UL) +#define CKM_SHA384_RSA_PKCS_PSS (0x44UL) +#define CKM_SHA512_RSA_PKCS_PSS (0x45UL) +#define CKM_SHA224_RSA_PKCS (0x46UL) +#define CKM_SHA224_RSA_PKCS_PSS (0x47UL) +#define CKM_RC2_KEY_GEN (0x100UL) +#define CKM_RC2_ECB (0x101UL) +#define CKM_RC2_CBC (0x102UL) +#define CKM_RC2_MAC (0x103UL) +#define CKM_RC2_MAC_GENERAL (0x104UL) +#define CKM_RC2_CBC_PAD (0x105UL) +#define CKM_RC4_KEY_GEN (0x110UL) +#define CKM_RC4 (0x111UL) +#define CKM_DES_KEY_GEN (0x120UL) +#define CKM_DES_ECB (0x121UL) +#define CKM_DES_CBC (0x122UL) +#define CKM_DES_MAC (0x123UL) +#define CKM_DES_MAC_GENERAL (0x124UL) +#define CKM_DES_CBC_PAD (0x125UL) +#define CKM_DES2_KEY_GEN (0x130UL) +#define CKM_DES3_KEY_GEN (0x131UL) +#define CKM_DES3_ECB (0x132UL) +#define CKM_DES3_CBC (0x133UL) +#define CKM_DES3_MAC (0x134UL) +#define CKM_DES3_MAC_GENERAL (0x135UL) +#define CKM_DES3_CBC_PAD (0x136UL) +#define CKM_DES3_CMAC (0x138UL) +#define CKM_CDMF_KEY_GEN (0x140UL) +#define CKM_CDMF_ECB (0x141UL) +#define CKM_CDMF_CBC (0x142UL) +#define CKM_CDMF_MAC (0x143UL) +#define CKM_CDMF_MAC_GENERAL (0x144UL) +#define CKM_CDMF_CBC_PAD (0x145UL) +#define CKM_MD2 (0x200UL) +#define CKM_MD2_HMAC (0x201UL) +#define CKM_MD2_HMAC_GENERAL (0x202UL) +#define CKM_MD5 (0x210UL) +#define CKM_MD5_HMAC (0x211UL) +#define CKM_MD5_HMAC_GENERAL (0x212UL) +#define CKM_SHA_1 (0x220UL) +#define CKM_SHA_1_HMAC (0x221UL) +#define CKM_SHA_1_HMAC_GENERAL (0x222UL) +#define CKM_RIPEMD128 (0x230UL) +#define CKM_RIPEMD128_HMAC (0x231UL) +#define CKM_RIPEMD128_HMAC_GENERAL (0x232UL) +#define CKM_RIPEMD160 (0x240UL) +#define CKM_RIPEMD160_HMAC (0x241UL) +#define CKM_RIPEMD160_HMAC_GENERAL (0x242UL) +#define CKM_SHA256 (0x250UL) +#define CKM_SHA256_HMAC (0x251UL) +#define CKM_SHA256_HMAC_GENERAL (0x252UL) +#define CKM_SHA224 (0x255UL) +#define CKM_SHA224_HMAC (0x256UL) +#define CKM_SHA224_HMAC_GENERAL (0x257UL) +#define CKM_SHA384 (0x260UL) +#define CKM_SHA384_HMAC (0x261UL) +#define CKM_SHA384_HMAC_GENERAL (0x262UL) +#define CKM_SHA512 (0x270UL) +#define CKM_SHA512_HMAC (0x271UL) +#define CKM_SHA512_HMAC_GENERAL (0x272UL) +#define CKM_SHA3_256 (0x2B0UL) +#define CKM_SHA3_256_HMAC (0x2B1UL) +#define CKM_SHA3_256_HMAC_GENERAL (0x2B2UL) +#define CKM_SHA3_256_KEY_GEN (0x2B3UL) +#define CKM_SHA3_224 (0x2B5UL) +#define CKM_SHA3_224_HMAC (0x2B6UL) +#define CKM_SHA3_224_HMAC_GENERAL (0x2B7UL) +#define CKM_SHA3_224_KEY_GEN (0x2B8UL) +#define CKM_SHA3_384 (0x2C0UL) +#define CKM_SHA3_384_HMAC (0x2C1UL) +#define CKM_SHA3_384_HMAC_GENERAL (0x2C2UL) +#define CKM_SHA3_384_KEY_GEN (0x2C3UL) +#define CKM_SHA3_512 (0x2D0UL) +#define CKM_SHA3_512_HMAC (0x2D1UL) +#define CKM_SHA3_512_HMAC_GENERAL (0x2D2UL) +#define CKM_SHA3_512_KEY_GEN (0x2D3UL) +#define CKM_CAST_KEY_GEN (0x300UL) +#define CKM_CAST_ECB (0x301UL) +#define CKM_CAST_CBC (0x302UL) +#define CKM_CAST_MAC (0x303UL) +#define CKM_CAST_MAC_GENERAL (0x304UL) +#define CKM_CAST_CBC_PAD (0x305UL) +#define CKM_CAST3_KEY_GEN (0x310UL) +#define CKM_CAST3_ECB (0x311UL) +#define CKM_CAST3_CBC (0x312UL) +#define CKM_CAST3_MAC (0x313UL) +#define CKM_CAST3_MAC_GENERAL (0x314UL) +#define CKM_CAST3_CBC_PAD (0x315UL) +#define CKM_CAST5_KEY_GEN (0x320UL) +#define CKM_CAST128_KEY_GEN (0x320UL) +#define CKM_CAST5_ECB (0x321UL) +#define CKM_CAST128_ECB (0x321UL) +#define CKM_CAST5_CBC (0x322UL) +#define CKM_CAST128_CBC (0x322UL) +#define CKM_CAST5_MAC (0x323UL) +#define CKM_CAST128_MAC (0x323UL) +#define CKM_CAST5_MAC_GENERAL (0x324UL) +#define CKM_CAST128_MAC_GENERAL (0x324UL) +#define CKM_CAST5_CBC_PAD (0x325UL) +#define CKM_CAST128_CBC_PAD (0x325UL) +#define CKM_RC5_KEY_GEN (0x330UL) +#define CKM_RC5_ECB (0x331UL) +#define CKM_RC5_CBC (0x332UL) +#define CKM_RC5_MAC (0x333UL) +#define CKM_RC5_MAC_GENERAL (0x334UL) +#define CKM_RC5_CBC_PAD (0x335UL) +#define CKM_IDEA_KEY_GEN (0x340UL) +#define CKM_IDEA_ECB (0x341UL) +#define CKM_IDEA_CBC (0x342UL) +#define CKM_IDEA_MAC (0x343UL) +#define CKM_IDEA_MAC_GENERAL (0x344UL) +#define CKM_IDEA_CBC_PAD (0x345UL) +#define CKM_GENERIC_SECRET_KEY_GEN (0x350UL) +#define CKM_CONCATENATE_BASE_AND_KEY (0x360UL) +#define CKM_CONCATENATE_BASE_AND_DATA (0x362UL) +#define CKM_CONCATENATE_DATA_AND_BASE (0x363UL) +#define CKM_XOR_BASE_AND_DATA (0x364UL) +#define CKM_EXTRACT_KEY_FROM_KEY (0x365UL) +#define CKM_SSL3_PRE_MASTER_KEY_GEN (0x370UL) +#define CKM_SSL3_MASTER_KEY_DERIVE (0x371UL) +#define CKM_SSL3_KEY_AND_MAC_DERIVE (0x372UL) +#define CKM_SSL3_MASTER_KEY_DERIVE_DH (0x373UL) +#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374UL) +#define CKM_TLS_MASTER_KEY_DERIVE (0x375UL) +#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376UL) +#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377UL) +#define CKM_SSL3_MD5_MAC (0x380UL) +#define CKM_SSL3_SHA1_MAC (0x381UL) +#define CKM_MD5_KEY_DERIVATION (0x390UL) +#define CKM_MD2_KEY_DERIVATION (0x391UL) +#define CKM_SHA1_KEY_DERIVATION (0x392UL) +#define CKM_PBE_MD2_DES_CBC (0x3a0UL) +#define CKM_PBE_MD5_DES_CBC (0x3a1UL) +#define CKM_PBE_MD5_CAST_CBC (0x3a2UL) +#define CKM_PBE_MD5_CAST3_CBC (0x3a3UL) +#define CKM_PBE_MD5_CAST5_CBC (0x3a4UL) +#define CKM_PBE_MD5_CAST128_CBC (0x3a4UL) +#define CKM_PBE_SHA1_CAST5_CBC (0x3a5UL) +#define CKM_PBE_SHA1_CAST128_CBC (0x3a5UL) +#define CKM_PBE_SHA1_RC4_128 (0x3a6UL) +#define CKM_PBE_SHA1_RC4_40 (0x3a7UL) +#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8UL) +#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9UL) +#define CKM_PBE_SHA1_RC2_128_CBC (0x3aaUL) +#define CKM_PBE_SHA1_RC2_40_CBC (0x3abUL) +#define CKM_PKCS5_PBKD2 (0x3b0UL) +#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0UL) +#define CKM_KEY_WRAP_LYNKS (0x400UL) +#define CKM_KEY_WRAP_SET_OAEP (0x401UL) +#define CKM_SKIPJACK_KEY_GEN (0x1000UL) +#define CKM_SKIPJACK_ECB64 (0x1001UL) +#define CKM_SKIPJACK_CBC64 (0x1002UL) +#define CKM_SKIPJACK_OFB64 (0x1003UL) +#define CKM_SKIPJACK_CFB64 (0x1004UL) +#define CKM_SKIPJACK_CFB32 (0x1005UL) +#define CKM_SKIPJACK_CFB16 (0x1006UL) +#define CKM_SKIPJACK_CFB8 (0x1007UL) +#define CKM_SKIPJACK_WRAP (0x1008UL) +#define CKM_SKIPJACK_PRIVATE_WRAP (0x1009UL) +#define CKM_SKIPJACK_RELAYX (0x100aUL) +#define CKM_KEA_KEY_PAIR_GEN (0x1010UL) +#define CKM_KEA_KEY_DERIVE (0x1011UL) +#define CKM_FORTEZZA_TIMESTAMP (0x1020UL) +#define CKM_BATON_KEY_GEN (0x1030UL) +#define CKM_BATON_ECB128 (0x1031UL) +#define CKM_BATON_ECB96 (0x1032UL) +#define CKM_BATON_CBC128 (0x1033UL) +#define CKM_BATON_COUNTER (0x1034UL) +#define CKM_BATON_SHUFFLE (0x1035UL) +#define CKM_BATON_WRAP (0x1036UL) +#define CKM_ECDSA_KEY_PAIR_GEN (0x1040UL) +#define CKM_EC_KEY_PAIR_GEN (0x1040UL) +#define CKM_ECDSA (0x1041UL) +#define CKM_ECDSA_SHA1 (0x1042UL) +#define CKM_ECDSA_SHA224 (0x1043UL) +#define CKM_ECDSA_SHA256 (0x1044UL) +#define CKM_ECDSA_SHA384 (0x1045UL) +#define CKM_ECDSA_SHA512 (0x1046UL) +#define CKM_ECDH1_DERIVE (0x1050UL) +#define CKM_ECDH1_COFACTOR_DERIVE (0x1051UL) +#define CKM_ECMQV_DERIVE (0x1052UL) +#define CKM_JUNIPER_KEY_GEN (0x1060UL) +#define CKM_JUNIPER_ECB128 (0x1061UL) +#define CKM_JUNIPER_CBC128 (0x1062UL) +#define CKM_JUNIPER_COUNTER (0x1063UL) +#define CKM_JUNIPER_SHUFFLE (0x1064UL) +#define CKM_JUNIPER_WRAP (0x1065UL) +#define CKM_FASTHASH (0x1070UL) +#define CKM_AES_KEY_GEN (0x1080UL) +#define CKM_AES_ECB (0x1081UL) +#define CKM_AES_CBC (0x1082UL) +#define CKM_AES_MAC (0x1083UL) +#define CKM_AES_MAC_GENERAL (0x1084UL) +#define CKM_AES_CBC_PAD (0x1085UL) +#define CKM_AES_CTR (0x1086UL) +#define CKM_AES_GCM (0x1087UL) +#define CKM_AES_CCM (0x1088UL) +#define CKM_AES_CTS (0x1089UL) +#define CKM_AES_CMAC (0x108AUL) +#define CKM_BLOWFISH_KEY_GEN (0x1090UL) +#define CKM_BLOWFISH_CBC (0x1091UL) +#define CKM_TWOFISH_KEY_GEN (0x1092UL) +#define CKM_TWOFISH_CBC (0x1093UL) +#define CKM_DES_ECB_ENCRYPT_DATA (0x1100UL) +#define CKM_DES_CBC_ENCRYPT_DATA (0x1101UL) +#define CKM_DES3_ECB_ENCRYPT_DATA (0x1102UL) +#define CKM_DES3_CBC_ENCRYPT_DATA (0x1103UL) +#define CKM_AES_ECB_ENCRYPT_DATA (0x1104UL) +#define CKM_AES_CBC_ENCRYPT_DATA (0x1105UL) +#define CKM_GOSTR3410_KEY_PAIR_GEN (0x1200UL) +#define CKM_GOSTR3410 (0x1201UL) +#define CKM_GOSTR3410_WITH_GOSTR3411 (0x1202UL) +#define CKM_GOSTR3410_KEY_WRAP (0x1203UL) +#define CKM_GOSTR3410_DERIVE (0x1204UL) +#define CKM_GOSTR3410_512_KEY_PAIR_GEN (CK_VENDOR_PKCS11_RU_TEAM_TK26 | 0x005) +#define CKM_GOSTR3410_512 (CK_VENDOR_PKCS11_RU_TEAM_TK26 | 0x006) +#define CKM_GOSTR3410_12_DERIVE (CK_VENDOR_PKCS11_RU_TEAM_TK26 | 0x007) +#define CKM_GOSTR3410_WITH_GOSTR3411_12_256 (CK_VENDOR_PKCS11_RU_TEAM_TK26 | 0x008) +#define CKM_GOSTR3410_WITH_GOSTR3411_12_512 (CK_VENDOR_PKCS11_RU_TEAM_TK26 | 0x009) +#define CKM_GOSTR3411 (0x1210UL) +#define CKM_GOSTR3411_HMAC (0x1211UL) +#define CKM_GOSTR3411_12_256 (CK_VENDOR_PKCS11_RU_TEAM_TK26 | 0x012) +#define CKM_GOSTR3411_12_512 (CK_VENDOR_PKCS11_RU_TEAM_TK26 | 0x013) +#define CKM_GOSTR3411_12_256_HMAC (CK_VENDOR_PKCS11_RU_TEAM_TK26 | 0x014) +#define CKM_GOSTR3411_12_512_HMAC (CK_VENDOR_PKCS11_RU_TEAM_TK26 | 0x015) +#define CKM_GOST28147_KEY_GEN (0x1220UL) +#define CKM_GOST28147_ECB (0x1221UL) +#define CKM_GOST28147 (0x1222UL) +#define CKM_GOST28147_MAC (0x1223UL) +#define CKM_GOST28147_KEY_WRAP (0x1224UL) + +#define CKM_DSA_PARAMETER_GEN (0x2000UL) +#define CKM_DH_PKCS_PARAMETER_GEN (0x2001UL) +#define CKM_X9_42_DH_PARAMETER_GEN (0x2002UL) +#define CKM_AES_KEY_WRAP (0x2109UL) +#define CKM_VENDOR_DEFINED (1UL << 31) + + + struct ck_mechanism + { + ck_mechanism_type_t mechanism; + void *parameter; + unsigned long parameter_len; + }; + + + struct ck_mechanism_info + { + unsigned long min_key_size; + unsigned long max_key_size; + ck_flags_t flags; + }; + +#define CKF_HW (1UL << 0) +#define CKF_ENCRYPT (1UL << 8) +#define CKF_DECRYPT (1UL << 9) +#define CKF_DIGEST (1UL << 10) +#define CKF_SIGN (1UL << 11) +#define CKF_SIGN_RECOVER (1UL << 12) +#define CKF_VERIFY (1UL << 13) +#define CKF_VERIFY_RECOVER (1UL << 14) +#define CKF_GENERATE (1UL << 15) +#define CKF_GENERATE_KEY_PAIR (1UL << 16) +#define CKF_WRAP (1UL << 17) +#define CKF_UNWRAP (1UL << 18) +#define CKF_DERIVE (1UL << 19) +#define CKF_EXTENSION (1UL << 31) + +#define CKF_EC_F_P (1UL << 20) +#define CKF_EC_F_2M (1UL << 21) +#define CKF_EC_ECPARAMETERS (1UL << 22) +#define CKF_EC_NAMEDCURVE (1UL << 23) +#define CKF_EC_UNCOMPRESS (1UL << 24) +#define CKF_EC_COMPRESS (1UL << 25) + +/* Flags for C_WaitForSlotEvent. */ +#define CKF_DONT_BLOCK (1UL) + +/* Flags for Key derivation */ +#define CKD_NULL (0x1UL) +#define CKD_SHA1_KDF (0x2UL) +#define CKD_SHA224_KDF (0x5UL) +#define CKD_SHA256_KDF (0x6UL) +#define CKD_SHA384_KDF (0x7UL) +#define CKD_SHA512_KDF (0x8UL) + + typedef struct CK_ECDH1_DERIVE_PARAMS { + unsigned long kdf; + unsigned long ulSharedDataLen; + unsigned char * pSharedData; + unsigned long ulPublicDataLen; + unsigned char * pPublicData; + } CK_ECDH1_DERIVE_PARAMS; + + typedef struct CK_ECMQV_DERIVE_PARAMS { + unsigned long kdf; + unsigned long ulSharedDataLen; + unsigned char * pSharedData; + unsigned long ulPublicDataLen; + unsigned char * pPublicData; + unsigned long ulPrivateDataLen; + CK_OBJECT_HANDLE hPrivateData; + unsigned long ulPublicDataLen2; + unsigned char * pPublicData2; + CK_OBJECT_HANDLE publicKey; + } CK_ECMQV_DERIVE_PARAMS; + + typedef unsigned long ck_rsa_pkcs_mgf_type_t; + typedef unsigned long CK_RSA_PKCS_OAEP_SOURCE_TYPE; + + typedef struct CK_RSA_PKCS_OAEP_PARAMS { + CK_MECHANISM_TYPE hashAlg; + CK_RSA_PKCS_MGF_TYPE mgf; + CK_RSA_PKCS_OAEP_SOURCE_TYPE source; + void *pSourceData; + unsigned long ulSourceDataLen; + } CK_RSA_PKCS_OAEP_PARAMS; + + typedef struct CK_RSA_PKCS_PSS_PARAMS { + ck_mechanism_type_t hashAlg; + CK_RSA_PKCS_MGF_TYPE mgf; + unsigned long sLen; + } CK_RSA_PKCS_PSS_PARAMS; + +#define CKG_MGF1_SHA1 (0x00000001UL) +#define CKG_MGF1_SHA224 (0x00000005UL) +#define CKG_MGF1_SHA256 (0x00000002UL) +#define CKG_MGF1_SHA384 (0x00000003UL) +#define CKG_MGF1_SHA512 (0x00000004UL) +#define CKG_MGF1_SHA3_224 (0x00000006UL) +#define CKG_MGF1_SHA3_256 (0x00000007UL) +#define CKG_MGF1_SHA3_384 (0x00000008UL) +#define CKG_MGF1_SHA3_512 (0x00000009UL) + +#define CKZ_DATA_SPECIFIED (0x00000001UL) + + typedef struct CK_GCM_PARAMS { + void * pIv; + unsigned long ulIvLen; + unsigned long ulIvBits; + void * pAAD; + unsigned long ulAADLen; + unsigned long ulTagBits; + } CK_GCM_PARAMS; + + typedef unsigned long ck_rv_t; + + + typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session, + ck_notification_t event, void *application); + + /* Forward reference. */ + struct ck_function_list; + +#define _CK_DECLARE_FUNCTION(name, args) \ +typedef ck_rv_t (*CK_ ## name) args; \ +ck_rv_t CK_SPEC name args + + _CK_DECLARE_FUNCTION (C_Initialize, (void *init_args)); + _CK_DECLARE_FUNCTION (C_Finalize, (void *reserved)); + _CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info *info)); + _CK_DECLARE_FUNCTION (C_GetFunctionList, + (struct ck_function_list **function_list)); + + _CK_DECLARE_FUNCTION (C_GetSlotList, + (unsigned char token_present, ck_slot_id_t *slot_list, + unsigned long *count)); + _CK_DECLARE_FUNCTION (C_GetSlotInfo, + (ck_slot_id_t slot_id, struct ck_slot_info *info)); + _CK_DECLARE_FUNCTION (C_GetTokenInfo, + (ck_slot_id_t slot_id, struct ck_token_info *info)); + _CK_DECLARE_FUNCTION (C_WaitForSlotEvent, + (ck_flags_t flags, ck_slot_id_t *slot, void *reserved)); + _CK_DECLARE_FUNCTION (C_GetMechanismList, + (ck_slot_id_t slot_id, + ck_mechanism_type_t *mechanism_list, + unsigned long *count)); + _CK_DECLARE_FUNCTION (C_GetMechanismInfo, + (ck_slot_id_t slot_id, ck_mechanism_type_t type, + struct ck_mechanism_info *info)); + _CK_DECLARE_FUNCTION (C_InitToken, + (ck_slot_id_t slot_id, unsigned char *pin, + unsigned long pin_len, unsigned char *label)); + _CK_DECLARE_FUNCTION (C_InitPIN, + (ck_session_handle_t session, unsigned char *pin, + unsigned long pin_len)); + _CK_DECLARE_FUNCTION (C_SetPIN, + (ck_session_handle_t session, unsigned char *old_pin, + unsigned long old_len, unsigned char *new_pin, + unsigned long new_len)); + + _CK_DECLARE_FUNCTION (C_OpenSession, + (ck_slot_id_t slot_id, ck_flags_t flags, + void *application, ck_notify_t notify, + ck_session_handle_t *session)); + _CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session)); + _CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id)); + _CK_DECLARE_FUNCTION (C_GetSessionInfo, + (ck_session_handle_t session, + struct ck_session_info *info)); + _CK_DECLARE_FUNCTION (C_GetOperationState, + (ck_session_handle_t session, + unsigned char *operation_state, + unsigned long *operation_state_len)); + _CK_DECLARE_FUNCTION (C_SetOperationState, + (ck_session_handle_t session, + unsigned char *operation_state, + unsigned long operation_state_len, + ck_object_handle_t encryption_key, + ck_object_handle_t authentication_key)); + _CK_DECLARE_FUNCTION (C_Login, + (ck_session_handle_t session, ck_user_type_t user_type, + unsigned char *pin, unsigned long pin_len)); + _CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session)); + + _CK_DECLARE_FUNCTION (C_CreateObject, + (ck_session_handle_t session, + struct ck_attribute *templ, + unsigned long count, ck_object_handle_t *object)); + _CK_DECLARE_FUNCTION (C_CopyObject, + (ck_session_handle_t session, ck_object_handle_t object, + struct ck_attribute *templ, unsigned long count, + ck_object_handle_t *new_object)); + _CK_DECLARE_FUNCTION (C_DestroyObject, + (ck_session_handle_t session, + ck_object_handle_t object)); + _CK_DECLARE_FUNCTION (C_GetObjectSize, + (ck_session_handle_t session, + ck_object_handle_t object, + unsigned long *size)); + _CK_DECLARE_FUNCTION (C_GetAttributeValue, + (ck_session_handle_t session, + ck_object_handle_t object, + struct ck_attribute *templ, + unsigned long count)); + _CK_DECLARE_FUNCTION (C_SetAttributeValue, + (ck_session_handle_t session, + ck_object_handle_t object, + struct ck_attribute *templ, + unsigned long count)); + _CK_DECLARE_FUNCTION (C_FindObjectsInit, + (ck_session_handle_t session, + struct ck_attribute *templ, + unsigned long count)); + _CK_DECLARE_FUNCTION (C_FindObjects, + (ck_session_handle_t session, + ck_object_handle_t *object, + unsigned long max_object_count, + unsigned long *object_count)); + _CK_DECLARE_FUNCTION (C_FindObjectsFinal, + (ck_session_handle_t session)); + + _CK_DECLARE_FUNCTION (C_EncryptInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); + _CK_DECLARE_FUNCTION (C_Encrypt, + (ck_session_handle_t session, + unsigned char *data, unsigned long data_len, + unsigned char *encrypted_data, + unsigned long *encrypted_data_len)); + _CK_DECLARE_FUNCTION (C_EncryptUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len, + unsigned char *encrypted_part, + unsigned long *encrypted_part_len)); + _CK_DECLARE_FUNCTION (C_EncryptFinal, + (ck_session_handle_t session, + unsigned char *last_encrypted_part, + unsigned long *last_encrypted_part_len)); + + _CK_DECLARE_FUNCTION (C_DecryptInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); + _CK_DECLARE_FUNCTION (C_Decrypt, + (ck_session_handle_t session, + unsigned char *encrypted_data, + unsigned long encrypted_data_len, + unsigned char *data, unsigned long *data_len)); + _CK_DECLARE_FUNCTION (C_DecryptUpdate, + (ck_session_handle_t session, + unsigned char *encrypted_part, + unsigned long encrypted_part_len, + unsigned char *part, unsigned long *part_len)); + _CK_DECLARE_FUNCTION (C_DecryptFinal, + (ck_session_handle_t session, + unsigned char *last_part, + unsigned long *last_part_len)); + + _CK_DECLARE_FUNCTION (C_DigestInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism)); + _CK_DECLARE_FUNCTION (C_Digest, + (ck_session_handle_t session, + unsigned char *data, unsigned long data_len, + unsigned char *digest, + unsigned long *digest_len)); + _CK_DECLARE_FUNCTION (C_DigestUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len)); + _CK_DECLARE_FUNCTION (C_DigestKey, + (ck_session_handle_t session, ck_object_handle_t key)); + _CK_DECLARE_FUNCTION (C_DigestFinal, + (ck_session_handle_t session, + unsigned char *digest, + unsigned long *digest_len)); + + _CK_DECLARE_FUNCTION (C_SignInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); + _CK_DECLARE_FUNCTION (C_Sign, + (ck_session_handle_t session, + unsigned char *data, unsigned long data_len, + unsigned char *signature, + unsigned long *signature_len)); + _CK_DECLARE_FUNCTION (C_SignUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len)); + _CK_DECLARE_FUNCTION (C_SignFinal, + (ck_session_handle_t session, + unsigned char *signature, + unsigned long *signature_len)); + _CK_DECLARE_FUNCTION (C_SignRecoverInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); + _CK_DECLARE_FUNCTION (C_SignRecover, + (ck_session_handle_t session, + unsigned char *data, unsigned long data_len, + unsigned char *signature, + unsigned long *signature_len)); + + _CK_DECLARE_FUNCTION (C_VerifyInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); + _CK_DECLARE_FUNCTION (C_Verify, + (ck_session_handle_t session, + unsigned char *data, unsigned long data_len, + unsigned char *signature, + unsigned long signature_len)); + _CK_DECLARE_FUNCTION (C_VerifyUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len)); + _CK_DECLARE_FUNCTION (C_VerifyFinal, + (ck_session_handle_t session, + unsigned char *signature, + unsigned long signature_len)); + _CK_DECLARE_FUNCTION (C_VerifyRecoverInit, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t key)); + _CK_DECLARE_FUNCTION (C_VerifyRecover, + (ck_session_handle_t session, + unsigned char *signature, + unsigned long signature_len, + unsigned char *data, + unsigned long *data_len)); + + _CK_DECLARE_FUNCTION (C_DigestEncryptUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len, + unsigned char *encrypted_part, + unsigned long *encrypted_part_len)); + _CK_DECLARE_FUNCTION (C_DecryptDigestUpdate, + (ck_session_handle_t session, + unsigned char *encrypted_part, + unsigned long encrypted_part_len, + unsigned char *part, + unsigned long *part_len)); + _CK_DECLARE_FUNCTION (C_SignEncryptUpdate, + (ck_session_handle_t session, + unsigned char *part, unsigned long part_len, + unsigned char *encrypted_part, + unsigned long *encrypted_part_len)); + _CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate, + (ck_session_handle_t session, + unsigned char *encrypted_part, + unsigned long encrypted_part_len, + unsigned char *part, + unsigned long *part_len)); + + _CK_DECLARE_FUNCTION (C_GenerateKey, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + struct ck_attribute *templ, + unsigned long count, + ck_object_handle_t *key)); + _CK_DECLARE_FUNCTION (C_GenerateKeyPair, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + struct ck_attribute *public_key_template, + unsigned long public_key_attribute_count, + struct ck_attribute *private_key_template, + unsigned long private_key_attribute_count, + ck_object_handle_t *public_key, + ck_object_handle_t *private_key)); + _CK_DECLARE_FUNCTION (C_WrapKey, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t wrapping_key, + ck_object_handle_t key, + unsigned char *wrapped_key, + unsigned long *wrapped_key_len)); + _CK_DECLARE_FUNCTION (C_UnwrapKey, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t unwrapping_key, + unsigned char *wrapped_key, + unsigned long wrapped_key_len, + struct ck_attribute *templ, + unsigned long attribute_count, + ck_object_handle_t *key)); + _CK_DECLARE_FUNCTION (C_DeriveKey, + (ck_session_handle_t session, + struct ck_mechanism *mechanism, + ck_object_handle_t base_key, + struct ck_attribute *templ, + unsigned long attribute_count, + ck_object_handle_t *key)); + + _CK_DECLARE_FUNCTION (C_SeedRandom, + (ck_session_handle_t session, unsigned char *seed, + unsigned long seed_len)); + _CK_DECLARE_FUNCTION (C_GenerateRandom, + (ck_session_handle_t session, + unsigned char *random_data, + unsigned long random_len)); + + _CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session)); + _CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session)); + + + struct ck_function_list + { + struct ck_version version; + CK_C_Initialize C_Initialize; + CK_C_Finalize C_Finalize; + CK_C_GetInfo C_GetInfo; + CK_C_GetFunctionList C_GetFunctionList; + CK_C_GetSlotList C_GetSlotList; + CK_C_GetSlotInfo C_GetSlotInfo; + CK_C_GetTokenInfo C_GetTokenInfo; + CK_C_GetMechanismList C_GetMechanismList; + CK_C_GetMechanismInfo C_GetMechanismInfo; + CK_C_InitToken C_InitToken; + CK_C_InitPIN C_InitPIN; + CK_C_SetPIN C_SetPIN; + CK_C_OpenSession C_OpenSession; + CK_C_CloseSession C_CloseSession; + CK_C_CloseAllSessions C_CloseAllSessions; + CK_C_GetSessionInfo C_GetSessionInfo; + CK_C_GetOperationState C_GetOperationState; + CK_C_SetOperationState C_SetOperationState; + CK_C_Login C_Login; + CK_C_Logout C_Logout; + CK_C_CreateObject C_CreateObject; + CK_C_CopyObject C_CopyObject; + CK_C_DestroyObject C_DestroyObject; + CK_C_GetObjectSize C_GetObjectSize; + CK_C_GetAttributeValue C_GetAttributeValue; + CK_C_SetAttributeValue C_SetAttributeValue; + CK_C_FindObjectsInit C_FindObjectsInit; + CK_C_FindObjects C_FindObjects; + CK_C_FindObjectsFinal C_FindObjectsFinal; + CK_C_EncryptInit C_EncryptInit; + CK_C_Encrypt C_Encrypt; + CK_C_EncryptUpdate C_EncryptUpdate; + CK_C_EncryptFinal C_EncryptFinal; + CK_C_DecryptInit C_DecryptInit; + CK_C_Decrypt C_Decrypt; + CK_C_DecryptUpdate C_DecryptUpdate; + CK_C_DecryptFinal C_DecryptFinal; + CK_C_DigestInit C_DigestInit; + CK_C_Digest C_Digest; + CK_C_DigestUpdate C_DigestUpdate; + CK_C_DigestKey C_DigestKey; + CK_C_DigestFinal C_DigestFinal; + CK_C_SignInit C_SignInit; + CK_C_Sign C_Sign; + CK_C_SignUpdate C_SignUpdate; + CK_C_SignFinal C_SignFinal; + CK_C_SignRecoverInit C_SignRecoverInit; + CK_C_SignRecover C_SignRecover; + CK_C_VerifyInit C_VerifyInit; + CK_C_Verify C_Verify; + CK_C_VerifyUpdate C_VerifyUpdate; + CK_C_VerifyFinal C_VerifyFinal; + CK_C_VerifyRecoverInit C_VerifyRecoverInit; + CK_C_VerifyRecover C_VerifyRecover; + CK_C_DigestEncryptUpdate C_DigestEncryptUpdate; + CK_C_DecryptDigestUpdate C_DecryptDigestUpdate; + CK_C_SignEncryptUpdate C_SignEncryptUpdate; + CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate; + CK_C_GenerateKey C_GenerateKey; + CK_C_GenerateKeyPair C_GenerateKeyPair; + CK_C_WrapKey C_WrapKey; + CK_C_UnwrapKey C_UnwrapKey; + CK_C_DeriveKey C_DeriveKey; + CK_C_SeedRandom C_SeedRandom; + CK_C_GenerateRandom C_GenerateRandom; + CK_C_GetFunctionStatus C_GetFunctionStatus; + CK_C_CancelFunction C_CancelFunction; + CK_C_WaitForSlotEvent C_WaitForSlotEvent; + }; + + + typedef ck_rv_t (*ck_createmutex_t) (void **mutex); + typedef ck_rv_t (*ck_destroymutex_t) (void *mutex); + typedef ck_rv_t (*ck_lockmutex_t) (void *mutex); + typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex); + + + struct ck_c_initialize_args + { + ck_createmutex_t create_mutex; + ck_destroymutex_t destroy_mutex; + ck_lockmutex_t lock_mutex; + ck_unlockmutex_t unlock_mutex; + ck_flags_t flags; + void *reserved; + }; + + +#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1UL << 0) +#define CKF_OS_LOCKING_OK (1UL << 1) + +#define CKR_OK (0UL) +#define CKR_CANCEL (1UL) +#define CKR_HOST_MEMORY (2UL) +#define CKR_SLOT_ID_INVALID (3UL) +#define CKR_GENERAL_ERROR (5UL) +#define CKR_FUNCTION_FAILED (6UL) +#define CKR_ARGUMENTS_BAD (7UL) +#define CKR_NO_EVENT (8UL) +#define CKR_NEED_TO_CREATE_THREADS (9UL) +#define CKR_CANT_LOCK (0xaUL) +#define CKR_ATTRIBUTE_READ_ONLY (0x10UL) +#define CKR_ATTRIBUTE_SENSITIVE (0x11UL) +#define CKR_ATTRIBUTE_TYPE_INVALID (0x12UL) +#define CKR_ATTRIBUTE_VALUE_INVALID (0x13UL) +#define CKR_DATA_INVALID (0x20UL) +#define CKR_DATA_LEN_RANGE (0x21UL) +#define CKR_DEVICE_ERROR (0x30UL) +#define CKR_DEVICE_MEMORY (0x31UL) +#define CKR_DEVICE_REMOVED (0x32UL) +#define CKR_ENCRYPTED_DATA_INVALID (0x40UL) +#define CKR_ENCRYPTED_DATA_LEN_RANGE (0x41UL) +#define CKR_FUNCTION_CANCELED (0x50UL) +#define CKR_FUNCTION_NOT_PARALLEL (0x51UL) +#define CKR_FUNCTION_NOT_SUPPORTED (0x54UL) +#define CKR_KEY_HANDLE_INVALID (0x60UL) +#define CKR_KEY_SIZE_RANGE (0x62UL) +#define CKR_KEY_TYPE_INCONSISTENT (0x63UL) +#define CKR_KEY_NOT_NEEDED (0x64UL) +#define CKR_KEY_CHANGED (0x65UL) +#define CKR_KEY_NEEDED (0x66UL) +#define CKR_KEY_INDIGESTIBLE (0x67UL) +#define CKR_KEY_FUNCTION_NOT_PERMITTED (0x68UL) +#define CKR_KEY_NOT_WRAPPABLE (0x69UL) +#define CKR_KEY_UNEXTRACTABLE (0x6aUL) +#define CKR_MECHANISM_INVALID (0x70UL) +#define CKR_MECHANISM_PARAM_INVALID (0x71UL) +#define CKR_OBJECT_HANDLE_INVALID (0x82UL) +#define CKR_OPERATION_ACTIVE (0x90UL) +#define CKR_OPERATION_NOT_INITIALIZED (0x91UL) +#define CKR_PIN_INCORRECT (0xa0UL) +#define CKR_PIN_INVALID (0xa1UL) +#define CKR_PIN_LEN_RANGE (0xa2UL) +#define CKR_PIN_EXPIRED (0xa3UL) +#define CKR_PIN_LOCKED (0xa4UL) +#define CKR_SESSION_CLOSED (0xb0UL) +#define CKR_SESSION_COUNT (0xb1UL) +#define CKR_SESSION_HANDLE_INVALID (0xb3UL) +#define CKR_SESSION_PARALLEL_NOT_SUPPORTED (0xb4UL) +#define CKR_SESSION_READ_ONLY (0xb5UL) +#define CKR_SESSION_EXISTS (0xb6UL) +#define CKR_SESSION_READ_ONLY_EXISTS (0xb7UL) +#define CKR_SESSION_READ_WRITE_SO_EXISTS (0xb8UL) +#define CKR_SIGNATURE_INVALID (0xc0UL) +#define CKR_SIGNATURE_LEN_RANGE (0xc1UL) +#define CKR_TEMPLATE_INCOMPLETE (0xd0UL) +#define CKR_TEMPLATE_INCONSISTENT (0xd1UL) +#define CKR_TOKEN_NOT_PRESENT (0xe0UL) +#define CKR_TOKEN_NOT_RECOGNIZED (0xe1UL) +#define CKR_TOKEN_WRITE_PROTECTED (0xe2UL) +#define CKR_UNWRAPPING_KEY_HANDLE_INVALID (0xf0UL) +#define CKR_UNWRAPPING_KEY_SIZE_RANGE (0xf1UL) +#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2UL) +#define CKR_USER_ALREADY_LOGGED_IN (0x100UL) +#define CKR_USER_NOT_LOGGED_IN (0x101UL) +#define CKR_USER_PIN_NOT_INITIALIZED (0x102UL) +#define CKR_USER_TYPE_INVALID (0x103UL) +#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN (0x104UL) +#define CKR_USER_TOO_MANY_TYPES (0x105UL) +#define CKR_WRAPPED_KEY_INVALID (0x110UL) +#define CKR_WRAPPED_KEY_LEN_RANGE (0x112UL) +#define CKR_WRAPPING_KEY_HANDLE_INVALID (0x113UL) +#define CKR_WRAPPING_KEY_SIZE_RANGE (0x114UL) +#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT (0x115UL) +#define CKR_RANDOM_SEED_NOT_SUPPORTED (0x120UL) +#define CKR_RANDOM_NO_RNG (0x121UL) +#define CKR_DOMAIN_PARAMS_INVALID (0x130UL) +#define CKR_BUFFER_TOO_SMALL (0x150UL) +#define CKR_SAVED_STATE_INVALID (0x160UL) +#define CKR_INFORMATION_SENSITIVE (0x170UL) +#define CKR_STATE_UNSAVEABLE (0x180UL) +#define CKR_CRYPTOKI_NOT_INITIALIZED (0x190UL) +#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191UL) +#define CKR_MUTEX_BAD (0x1a0UL) +#define CKR_MUTEX_NOT_LOCKED (0x1a1UL) +#define CKR_FUNCTION_REJECTED (0x200UL) +#define CKR_VENDOR_DEFINED (1UL << 31) + + + /* Compatibility layer. */ + +#ifdef CRYPTOKI_COMPAT + +#undef CK_DEFINE_FUNCTION +#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name + +/* For NULL. */ +#include + + typedef unsigned char CK_BYTE; + typedef unsigned char CK_CHAR; + typedef unsigned char CK_UTF8CHAR; + typedef unsigned char CK_BBOOL; + typedef unsigned long int CK_ULONG; + typedef long int CK_LONG; + typedef CK_BYTE *CK_BYTE_PTR; + typedef CK_CHAR *CK_CHAR_PTR; + typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR; + typedef CK_ULONG *CK_ULONG_PTR; + typedef void *CK_VOID_PTR; + typedef void **CK_VOID_PTR_PTR; +#define CK_FALSE 0 +#define CK_TRUE 1 +#ifndef CK_DISABLE_TRUE_FALSE +#ifndef FALSE +#define FALSE 0 +#endif +#ifndef TRUE +#define TRUE 1 +#endif +#endif + + typedef struct ck_version CK_VERSION; + typedef struct ck_version *CK_VERSION_PTR; + + typedef struct ck_info CK_INFO; + typedef struct ck_info *CK_INFO_PTR; + + typedef ck_slot_id_t *CK_SLOT_ID_PTR; + + typedef struct ck_slot_info CK_SLOT_INFO; + typedef struct ck_slot_info *CK_SLOT_INFO_PTR; + + typedef struct ck_token_info CK_TOKEN_INFO; + typedef struct ck_token_info *CK_TOKEN_INFO_PTR; + + typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR; + + typedef struct ck_session_info CK_SESSION_INFO; + typedef struct ck_session_info *CK_SESSION_INFO_PTR; + + typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR; + + typedef ck_object_class_t *CK_OBJECT_CLASS_PTR; + + typedef struct ck_attribute CK_ATTRIBUTE; + typedef struct ck_attribute *CK_ATTRIBUTE_PTR; + + typedef struct ck_date CK_DATE; + typedef struct ck_date *CK_DATE_PTR; + + typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR; + + typedef ck_rsa_pkcs_mgf_type_t *CK_RSA_PKCS_MGF_TYPE_PTR; + + typedef struct ck_mechanism CK_MECHANISM; + typedef struct ck_mechanism *CK_MECHANISM_PTR; + + typedef struct ck_mechanism_info CK_MECHANISM_INFO; + typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR; + + typedef struct ck_function_list CK_FUNCTION_LIST; + typedef struct ck_function_list *CK_FUNCTION_LIST_PTR; + typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR; + + typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS; + typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR; + +#define NULL_PTR NULL + +/* Delete the helper macros defined at the top of the file. */ +#undef ck_flags_t +#undef ck_version + +#undef ck_info +#undef cryptoki_version +#undef manufacturer_id +#undef library_description +#undef library_version + +#undef ck_notification_t +#undef ck_slot_id_t + +#undef ck_slot_info +#undef slot_description +#undef hardware_version +#undef firmware_version + +#undef ck_token_info +#undef serial_number +#undef max_session_count +#undef session_count +#undef max_rw_session_count +#undef rw_session_count +#undef max_pin_len +#undef min_pin_len +#undef total_public_memory +#undef free_public_memory +#undef total_private_memory +#undef free_private_memory +#undef utc_time + +#undef ck_session_handle_t +#undef ck_user_type_t +#undef ck_state_t + +#undef ck_session_info +#undef slot_id +#undef device_error + +#undef ck_object_handle_t +#undef ck_object_class_t +#undef ck_hw_feature_type_t +#undef ck_key_type_t +#undef ck_certificate_type_t +#undef ck_attribute_type_t + +#undef ck_attribute +#undef value +#undef value_len + +#undef ck_date + +#undef ck_mechanism_type_t + +#undef ck_rsa_pkcs_mgf_type_t + +#undef ck_mechanism +#undef parameter +#undef parameter_len + +#undef ck_mechanism_info +#undef min_key_size +#undef max_key_size + +#undef ck_rv_t +#undef ck_notify_t + +#undef ck_function_list + +#undef ck_createmutex_t +#undef ck_destroymutex_t +#undef ck_lockmutex_t +#undef ck_unlockmutex_t + +#undef ck_c_initialize_args +#undef create_mutex +#undef destroy_mutex +#undef lock_mutex +#undef unlock_mutex +#undef reserved + +#endif /* CRYPTOKI_COMPAT */ + +/* System dependencies. */ +#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) +#pragma pack(pop, cryptoki) +#endif + +#if defined(__cplusplus) +} +#endif + +#endif /* PKCS11_H */ diff --git a/tests/unit/hsm_mock.h b/tests/unit/hsm_mock.h index f8ced003..e9035589 100644 --- a/tests/unit/hsm_mock.h +++ b/tests/unit/hsm_mock.h @@ -49,6 +49,17 @@ class HSMMock final : public HSM openssl::SSL_EVP_PKEY_Ptr(const ECCSpec &spec, const std::string &keyLabel, const std::vector &keyID)); + + MOCK_METHOD4(generateKey, + openssl::SSL_EVP_PKEY_Ptr(const RSASpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms)); + MOCK_METHOD4(generateKey, + openssl::SSL_EVP_PKEY_Ptr(const ECCSpec &spec, + const std::string &keyLabel, + const std::vector &keyID, + const PKCS11_params ¶ms)); }; } // namespace mococrw