authorwyllys <none@none>2006-11-10 15:34:56 -0800
committerwyllys <none@none>2006-11-10 15:34:56 -0800
commit99ebb4ca412cb0a19d77a3899a87c055b9c30fa8 (patch)
treea972f78468519a4e00234388688f45a506e934ba /usr/src/lib/libcryptoutil
parent177fd15c9f814babb60e824f89984cdd8acf7c85 (diff)
PSARC 2005/074 Solaris Key Management Framework
6224192 Solaris needs unified key management interfaces --HG-- rename : usr/src/cmd/cmd-crypto/pktool/biginteger.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/biginteger.h rename : usr/src/cmd/cmd-crypto/pktool/derparse.c => deleted_files/usr/src/cmd/cmd-crypto/pktool/derparse.c rename : usr/src/cmd/cmd-crypto/pktool/derparse.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/derparse.h rename : usr/src/cmd/cmd-crypto/pktool/osslcommon.c => deleted_files/usr/src/cmd/cmd-crypto/pktool/osslcommon.c rename : usr/src/cmd/cmd-crypto/pktool/osslcommon.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/osslcommon.h rename : usr/src/cmd/cmd-crypto/pktool/p12common.c => deleted_files/usr/src/cmd/cmd-crypto/pktool/p12common.c rename : usr/src/cmd/cmd-crypto/pktool/p12common.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/p12common.h
Diffstat (limited to 'usr/src/lib/libcryptoutil')
-rw-r--r--usr/src/lib/libcryptoutil/Makefile.com3
-rw-r--r--usr/src/lib/libcryptoutil/common/config_parsing.c175
-rw-r--r--usr/src/lib/libcryptoutil/common/cryptoutil.h15
-rw-r--r--usr/src/lib/libcryptoutil/common/mapfile-vers4
-rw-r--r--usr/src/lib/libcryptoutil/common/util.c116
5 files changed, 306 insertions, 7 deletions
diff --git a/usr/src/lib/libcryptoutil/Makefile.com b/usr/src/lib/libcryptoutil/Makefile.com
index 2beda723bb..cffe48fc23 100644
--- a/usr/src/lib/libcryptoutil/Makefile.com
+++ b/usr/src/lib/libcryptoutil/Makefile.com
@@ -34,7 +34,8 @@ OBJECTS= \
config_parsing.o \
tohexstr.o \
mechkeytype.o\
- pkcserror.o
+ pkcserror.o \
+ util.o
include $(SRC)/lib/Makefile.lib
diff --git a/usr/src/lib/libcryptoutil/common/config_parsing.c b/usr/src/lib/libcryptoutil/common/config_parsing.c
index 1c01db6de5..92eccf35dd 100644
--- a/usr/src/lib/libcryptoutil/common/config_parsing.c
+++ b/usr/src/lib/libcryptoutil/common/config_parsing.c
@@ -211,7 +211,7 @@ parse_policylist(char *buf, uentry_t *pent)
if (value = strpbrk(buf, SEP_EQUAL)) {
value++; /* get rid of = */
(void) strlcpy((char *)pent->metaslot_ks_token, value,
- TOKEN_LABEL_SIZE);
+ sizeof (pent->metaslot_ks_token));
return (SUCCESS);
} else {
cryptoerror(LOG_ERR, "failed to parse %s.\n",
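Review bot: The return value of `strlcpy` is still discarded here, so an over-long keystore token value in pkcs11.conf is silently truncated and `parse_policylist` reports SUCCESS for a label the administrator did not write. The same applies to the `metaslot_ks_slot` copy in the next hunk. Since the bound is now `sizeof` of the field, the check is cheap: `if (strlcpy((char *)pent->metaslot_ks_token, value, sizeof (pent->metaslot_ks_token)) >= sizeof (pent->metaslot_ks_token)) return (FAILURE);`, preceded by a `cryptoerror` call like the one in the else branch. The body of `parse_policylist` starts and ends outside both hunks, so whether callers tolerate FAILURE here should be confirmed.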
@@ -223,7 +223,7 @@ parse_policylist(char *buf, uentry_t *pent)
if (value = strpbrk(buf, SEP_EQUAL)) {
value++; /* get rid of = */
(void) strlcpy((char *)pent->metaslot_ks_slot, value,
- SLOT_DESCRIPTION_SIZE);
+ sizeof (pent->metaslot_ks_slot));
return (SUCCESS);
} else {
cryptoerror(LOG_ERR, "failed to parse %s.\n",
@@ -376,3 +376,174 @@ free_uentrylist(uentrylist_t *entrylist)
entrylist = pnext;
}
}
+
+
+
+/*
+ * Duplicate an UEF mechanism list. A NULL pointer is returned if out of
+ * memory or the input argument is NULL.
+ */
+static umechlist_t *
+dup_umechlist(umechlist_t *plist)
+{
+ umechlist_t *pres = NULL;
+ umechlist_t *pcur;
+ umechlist_t *ptmp;
+ int rc = SUCCESS;
+
+ while (plist != NULL) {
+ if (!(ptmp = create_umech(plist->name))) {
+ rc = FAILURE;
+ break;
+ }
+
+ if (pres == NULL) {
+ pres = pcur = ptmp;
+ } else {
+ pcur->next = ptmp;
+ pcur = pcur->next;
+ }
+ plist = plist->next;
+ }
+
+ if (rc != SUCCESS) {
+ free_umechlist(pres);
+ return (NULL);
+ }
+
+ return (pres);
+}
+
+
+/*
+ * Duplicate an uentry. A NULL pointer is returned if out of memory
+ * or the input argument is NULL.
+ */
+static uentry_t *
+dup_uentry(uentry_t *puent1)
+{
+ uentry_t *puent2 = NULL;
+
+ if (puent1 == NULL) {
+ return (NULL);
+ }
+
+ if ((puent2 = malloc(sizeof (uentry_t))) == NULL) {
+ cryptoerror(LOG_STDERR, gettext("out of memory."));
+ return (NULL);
+ } else {
+ (void) strlcpy(puent2->name, puent1->name,
+ sizeof (puent2->name));
+ puent2->flag_norandom = puent1->flag_norandom;
+ puent2->flag_enabledlist = puent1->flag_enabledlist;
+ puent2->policylist = dup_umechlist(puent1->policylist);
+ puent2->flag_metaslot_enabled = puent1->flag_metaslot_enabled;
+ puent2->flag_metaslot_auto_key_migrate
+ = puent1->flag_metaslot_auto_key_migrate;
+ (void) memcpy(puent2->metaslot_ks_slot,
+ puent1->metaslot_ks_slot, SLOT_DESCRIPTION_SIZE);
+ (void) memcpy(puent2->metaslot_ks_token,
+ puent1->metaslot_ks_token, TOKEN_LABEL_SIZE);
+ puent2->count = puent1->count;
+ return (puent2);
+ }
+}
+
+/*
+ * Find the entry in the "pkcs11.conf" file with "libname" as the provider
+ * name. Return the entry if found, otherwise return NULL.
+ */
+uentry_t *
+getent_uef(char *libname)
+{
+ uentrylist_t *pliblist = NULL;
+ uentrylist_t *plib = NULL;
+ uentry_t *puent = NULL;
+ boolean_t found = B_FALSE;
+
+ if (libname == NULL) {
+ return (NULL);
+ }
+
+ if ((get_pkcs11conf_info(&pliblist)) == FAILURE) {
+ return (NULL);
+ }
+
+ plib = pliblist;
+ while (plib) {
+ if (strcmp(plib->puent->name, libname) == 0) {
+ found = B_TRUE;
+ break;
+ } else {
+ plib = plib->next;
+ }
+ }
+
+ if (found) {
+ puent = dup_uentry(plib->puent);
+ }
+
+ free_uentrylist(pliblist);
+ return (puent);
+}
+
+
+
+/*
+ * Retrieve the metaslot information from the pkcs11.conf file.
+ * This function returns SUCCESS if successfully done; otherwise it returns
+ * FAILURE. If successful, the caller is responsible to free the space
+ * allocated for objectstore_slot_info and objectstore_token_info.
+ */
+int
+get_metaslot_info(boolean_t *status_enabled, boolean_t *migrate_enabled,
+ char **objectstore_slot_info, char **objectstore_token_info)
+{
+
+ int rc = SUCCESS;
+ uentry_t *puent;
+ char *buf1 = NULL;
+ char *buf2 = NULL;
+
+ if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
+ /* metaslot entry doesn't exist */
+ return (FAILURE);
+ }
+
+ *status_enabled = puent->flag_metaslot_enabled;
+ *migrate_enabled = puent->flag_metaslot_auto_key_migrate;
+
+ buf1 = malloc(SLOT_DESCRIPTION_SIZE);
+ if (buf1 == NULL) {
+ cryptoerror(LOG_ERR, "get_metaslot_info() - out of memory.\n");
+ rc = FAILURE;
+ goto out;
+ }
+ (void) strcpy(buf1, (const char *) puent->metaslot_ks_slot);
+ *objectstore_slot_info = buf1;
+
+ buf2 = malloc(TOKEN_LABEL_SIZE);
+ if (objectstore_slot_info == NULL) {
+ cryptoerror(LOG_ERR, "get_metaslot_info() - out of memory.\n");
+ rc = FAILURE;
+ goto out;
+ }
+ (void) strcpy(buf2, (const char *) puent->metaslot_ks_token);
+ *objectstore_token_info = buf2;
+
+out:
+ if (puent != NULL) {
+ free_uentry(puent);
+ }
+
+ if (rc == FAILURE) {
+ if (buf1 != NULL) {
+ free(buf1);
+ }
+ if (buf2 != NULL) {
+ free(buf2);
+ }
+ }
+
+ return (rc);
+}
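Review bot: In `get_metaslot_info` the second allocation is checked against the wrong variable: `if (objectstore_slot_info == NULL)` tests the caller's out-parameter instead of `buf2`, so a failed `malloc(TOKEN_LABEL_SIZE)` reaches `strcpy(buf2, ...)` with a NULL destination. On that failure path `buf1` is freed after `*objectstore_slot_info` was already set to it, which leaves the caller holding a dangling pointer. Both `strcpy` calls also copy into buffers sized by `SLOT_DESCRIPTION_SIZE` / `TOKEN_LABEL_SIZE`, while the `parse_policylist` hunks of this commit bound the same fields by `sizeof`, which suggests the fields may be larger than those constants and the copy could overrun by the difference; the two `memcpy` calls in `dup_uentry` would then also leave the copied strings without their terminator. Sizing from the fields and publishing the out-pointers only once both copies exist addresses this, as sketched below.

```c
	/* ... unchanged: getent_uef lookup and the two flag copies ... */

	buf1 = malloc(sizeof (puent->metaslot_ks_slot));
	buf2 = malloc(sizeof (puent->metaslot_ks_token));
	if (buf1 == NULL || buf2 == NULL) {
		cryptoerror(LOG_ERR, "get_metaslot_info() - out of memory.\n");
		rc = FAILURE;
		goto out;
	}
	(void) strlcpy(buf1, (const char *)puent->metaslot_ks_slot,
	    sizeof (puent->metaslot_ks_slot));
	(void) strlcpy(buf2, (const char *)puent->metaslot_ks_token,
	    sizeof (puent->metaslot_ks_token));

	/* hand the buffers to the caller only after both allocations succeeded */
	*objectstore_slot_info = buf1;
	*objectstore_token_info = buf2;

	/* ... unchanged: out: label, free_uentry and failure cleanup ... */
```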
diff --git a/usr/src/lib/libcryptoutil/common/cryptoutil.h b/usr/src/lib/libcryptoutil/common/cryptoutil.h
index 18a82bcdc0..c322ea76af 100644
--- a/usr/src/lib/libcryptoutil/common/cryptoutil.h
+++ b/usr/src/lib/libcryptoutil/common/cryptoutil.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -121,12 +120,20 @@ extern umechlist_t *create_umech(char *);
extern void free_umechlist(umechlist_t *);
extern void free_uentrylist(uentrylist_t *);
extern void free_uentry(uentry_t *);
+extern uentry_t *getent_uef(char *);
extern void tohexstr(uchar_t *bytes, size_t blen, char *hexstr, size_t hexlen);
extern CK_RV pkcs11_mech2keytype(CK_MECHANISM_TYPE mech_type,
CK_KEY_TYPE *ktype);
extern char *pkcs11_strerror(CK_RV rv);
+extern int
+get_metaslot_info(boolean_t *status_enabled, boolean_t *migrate_enabled,
+ char **objectstore_slot_info, char **objectstore_token_info);
+
+extern char *get_fullpath(char *dir, char *filepath);
+extern int str2lifetime(char *ltimestr, uint32_t *ltime);
+
#ifdef __cplusplus
}
#endif
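Review bot: The prototypes added here for `getent_uef`, `get_metaslot_info` and `get_fullpath` do not state who owns the memory they hand back, although the implementations in this commit all return heap allocations. I would add a comment above each, for example `/* Returns a copy of the matching entry; caller releases it with free_uentry(). */` for `getent_uef` and `/* Returns a malloc'd path that the caller must free(); NULL on error. */` for `get_fullpath`. The string inputs of `getent_uef`, `get_fullpath` and `str2lifetime` are only read in the visible implementations, so declaring them `const char *` would document that as well.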
diff --git a/usr/src/lib/libcryptoutil/common/mapfile-vers b/usr/src/lib/libcryptoutil/common/mapfile-vers
index 92e53197af..9ff8c3eec6 100644
--- a/usr/src/lib/libcryptoutil/common/mapfile-vers
+++ b/usr/src/lib/libcryptoutil/common/mapfile-vers
@@ -34,11 +34,15 @@ SUNWprivate_1.1 {
free_uentry;
free_uentrylist;
free_umechlist;
+ getent_uef;
+ get_fullpath;
+ get_metaslot_info;
get_pkcs11conf_info;
pkcs11_mech2keytype;
pkcs11_mech2str;
pkcs11_str2mech;
pkcs11_strerror;
+ str2lifetime;
tohexstr;
local:
*;
diff --git a/usr/src/lib/libcryptoutil/common/util.c b/usr/src/lib/libcryptoutil/common/util.c
new file mode 100644
index 0000000000..6fbf175d77
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/common/util.c
@@ -0,0 +1,116 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <cryptoutil.h>
+#include <strings.h>
+#include <stdio.h>
+#include <tzfile.h>
+
+/*
+ * This function returns a fullpath based on the "dir" and "filepath" input
+ * arugments.
+ * - If the filepath specified does not start with a "/" and the directory
+ * is also given, prepend the directory to the filename.
+ * - If only dir or filepath is given, this function returns a copy of the
+ * given argument.
+ * - If the filepath is fully qualified already and the "dir" is also
+ * given, return NULL to indicate an error.
+ */
+char *
+get_fullpath(char *dir, char *filepath)
+{
+ char *fullpath = NULL;
+ int pathlen = 0;
+ int dirlen = 0;
+
+ if (filepath != NULL)
+ pathlen = strlen(filepath);
+
+ if (dir != NULL)
+ dirlen = strlen(dir);
+
+ if (pathlen > 0 && dirlen > 0) {
+ if (filepath[0] != '/') {
+ int len = pathlen + dirlen + 2;
+ fullpath = (char *)malloc(len);
+ if (fullpath != NULL)
+ (void) snprintf(fullpath, len, "%s/%s",
+ dir, filepath);
+ } else {
+ return (NULL);
+ }
+ } else if (pathlen > 0) {
+ fullpath = (char *)strdup(filepath);
+ } else if (dirlen > 0) {
+ fullpath = (char *)strdup(dir);
+ }
+
+ return (fullpath);
+}
+
+/*
+ * This function converts the input string to the value of time
+ * in seconds.
+ * - If the input string is NULL, return zero second.
+ * - The input string needs to be in the form of:
+ * number-second(s), number-minute(s), number-hour(s) or
+ * number-day(s).
+ */
+int
+str2lifetime(char *ltimestr, uint32_t *ltime)
+{
+ int num;
+ char timetok[10];
+
+ if (ltimestr == NULL || !strlen(ltimestr)) {
+ *ltime = 0;
+ return (0);
+ }
+
+ (void) memset(timetok, 0, sizeof (timetok));
+ if (sscanf(ltimestr, "%d-%08s", &num, timetok) != 2)
+ return (-1);
+
+ if (!strcasecmp(timetok, "second") ||
+ !strcasecmp(timetok, "seconds")) {
+ *ltime = num;
+ } else if (!strcasecmp(timetok, "minute") ||
+ !strcasecmp(timetok, "minutes")) {
+ *ltime = num * SECSPERMIN;
+ } else if (!strcasecmp(timetok, "day") ||
+ !strcasecmp(timetok, "days")) {
+ *ltime = num * SECSPERDAY;
+ } else if (!strcasecmp(timetok, "hour") ||
+ !strcasecmp(timetok, "hours")) {
+ *ltime = num * SECSPERHOUR;
+ } else {
+ *ltime = 0;
+ return (-1);
+ }
+
+ return (0);
+}
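Review bot: `str2lifetime` accepts a negative count and does the unit multiplication in `int`, so the value stored in `*ltime` can be far from what the string says: `%d` parses a leading minus, and `num * SECSPERDAY` turns a negative product into a very large `uint32_t`, or overflows `int` for large counts. For what the name suggests is a validity period, such input should be a parse error instead of a long lifetime. The `sscanf` failure path also returns -1 without writing `*ltime`, unlike the unknown-unit branch, which zeroes it. A version that rejects negative counts, checks the product against `UINT32_MAX` and zeroes `*ltime` on every error path is below.

```c
	uint32_t mult;

	/* ... unchanged: NULL/empty check and memset of timetok ... */

	if (sscanf(ltimestr, "%d-%08s", &num, timetok) != 2 || num < 0) {
		*ltime = 0;
		return (-1);
	}

	if (!strcasecmp(timetok, "second") ||
	    !strcasecmp(timetok, "seconds")) {
		mult = 1;
	} else if (!strcasecmp(timetok, "minute") ||
	    !strcasecmp(timetok, "minutes")) {
		mult = SECSPERMIN;
	} else if (!strcasecmp(timetok, "day") ||
	    !strcasecmp(timetok, "days")) {
		mult = SECSPERDAY;
	} else if (!strcasecmp(timetok, "hour") ||
	    !strcasecmp(timetok, "hours")) {
		mult = SECSPERHOUR;
	} else {
		*ltime = 0;
		return (-1);
	}

	/* reject counts whose product would not fit in the 32-bit result */
	if ((uint32_t)num > UINT32_MAX / mult) {
		*ltime = 0;
		return (-1);
	}
	*ltime = (uint32_t)num * mult;
	return (0);
```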