authorwyllys <none@none>2006-11-10 15:34:56 -0800
committerwyllys <none@none>2006-11-10 15:34:56 -0800
commit99ebb4ca412cb0a19d77a3899a87c055b9c30fa8 (patch)
treea972f78468519a4e00234388688f45a506e934ba /usr/src/lib/libkmf/include/kmfapiP.h
parent177fd15c9f814babb60e824f89984cdd8acf7c85 (diff)
PSARC 2005/074 Solaris Key Management Framework
6224192 Solaris needs unified key management interfaces --HG-- rename : usr/src/cmd/cmd-crypto/pktool/biginteger.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/biginteger.h rename : usr/src/cmd/cmd-crypto/pktool/derparse.c => deleted_files/usr/src/cmd/cmd-crypto/pktool/derparse.c rename : usr/src/cmd/cmd-crypto/pktool/derparse.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/derparse.h rename : usr/src/cmd/cmd-crypto/pktool/osslcommon.c => deleted_files/usr/src/cmd/cmd-crypto/pktool/osslcommon.c rename : usr/src/cmd/cmd-crypto/pktool/osslcommon.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/osslcommon.h rename : usr/src/cmd/cmd-crypto/pktool/p12common.c => deleted_files/usr/src/cmd/cmd-crypto/pktool/p12common.c rename : usr/src/cmd/cmd-crypto/pktool/p12common.h => deleted_files/usr/src/cmd/cmd-crypto/pktool/p12common.h
Diffstat (limited to 'usr/src/lib/libkmf/include/kmfapiP.h')
-rw-r--r--usr/src/lib/libkmf/include/kmfapiP.h348
1 files changed, 348 insertions, 0 deletions
diff --git a/usr/src/lib/libkmf/include/kmfapiP.h b/usr/src/lib/libkmf/include/kmfapiP.h
new file mode 100644
index 0000000000..64b524b6a7
--- /dev/null
+++ b/usr/src/lib/libkmf/include/kmfapiP.h
@@ -0,0 +1,348 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+#ifndef _KMFAPIP_H
+#define _KMFAPIP_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <kmfapi.h>
+#include <kmfpolicy.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Plugin function table */
+typedef struct {
+ ushort_t version;
+ KMF_RETURN (*ConfigureKeystore) (
+ KMF_HANDLE_T,
+ KMF_CONFIG_PARAMS *);
+
+ KMF_RETURN (*FindCert) (
+ KMF_HANDLE_T,
+ KMF_FINDCERT_PARAMS *,
+ KMF_X509_DER_CERT *,
+ uint32_t *);
+
+ void (*FreeKMFCert) (
+ KMF_HANDLE_T,
+ KMF_X509_DER_CERT *);
+
+ KMF_RETURN (*StoreCert) (
+ KMF_HANDLE_T,
+ KMF_STORECERT_PARAMS *,
+ KMF_DATA *);
+
+ KMF_RETURN (*ImportCert) (
+ KMF_HANDLE_T,
+ KMF_IMPORTCERT_PARAMS *);
+
+ KMF_RETURN (*ImportCRL) (
+ KMF_HANDLE_T,
+ KMF_IMPORTCRL_PARAMS *);
+
+ KMF_RETURN (*DeleteCert) (
+ KMF_HANDLE_T,
+ KMF_DELETECERT_PARAMS *);
+
+ KMF_RETURN (*DeleteCRL) (
+ KMF_HANDLE_T,
+ KMF_DELETECRL_PARAMS *);
+
+ KMF_RETURN (*CreateKeypair) (
+ KMF_HANDLE_T,
+ KMF_CREATEKEYPAIR_PARAMS *,
+ KMF_KEY_HANDLE *,
+ KMF_KEY_HANDLE *);
+
+ KMF_RETURN (*FindKey) (
+ KMF_HANDLE_T,
+ KMF_FINDKEY_PARAMS *,
+ KMF_KEY_HANDLE *,
+ uint32_t *);
+
+ KMF_RETURN (*EncodePubkeyData) (
+ KMF_HANDLE_T,
+ KMF_KEY_HANDLE *,
+ KMF_DATA *);
+
+ KMF_RETURN (*SignData) (
+ KMF_HANDLE_T,
+ KMF_KEY_HANDLE *,
+ KMF_OID *,
+ KMF_DATA *,
+ KMF_DATA *);
+
+ KMF_RETURN (*DeleteKey) (
+ KMF_HANDLE_T,
+ KMF_DELETEKEY_PARAMS *,
+ KMF_KEY_HANDLE *,
+ boolean_t);
+
+ KMF_RETURN (*ListCRL) (
+ KMF_HANDLE_T,
+ KMF_LISTCRL_PARAMS *,
+ char **);
+
+ KMF_RETURN (*FindCRL) (
+ KMF_HANDLE_T,
+ KMF_FINDCRL_PARAMS *,
+ char **,
+ int *);
+
+ KMF_RETURN (*FindCertInCRL) (
+ KMF_HANDLE_T,
+ KMF_FINDCERTINCRL_PARAMS *);
+
+ KMF_RETURN (*GetErrorString) (
+ KMF_HANDLE_T,
+ char **);
+
+ KMF_RETURN (*GetPrikeyByCert) (
+ KMF_HANDLE_T,
+ KMF_CRYPTOWITHCERT_PARAMS *,
+ KMF_DATA *,
+ KMF_KEY_HANDLE *,
+ KMF_KEY_ALG);
+
+ KMF_RETURN (*DecryptData) (
+ KMF_HANDLE_T,
+ KMF_KEY_HANDLE *,
+ KMF_OID *,
+ KMF_DATA *,
+ KMF_DATA *);
+
+ KMF_RETURN (*ExportP12)(
+ KMF_HANDLE_T,
+ KMF_EXPORTP12_PARAMS *,
+ int, KMF_X509_DER_CERT *,
+ int, KMF_KEY_HANDLE *,
+ char *);
+
+ KMF_RETURN (*StorePrivateKey)(
+ KMF_HANDLE_T,
+ KMF_STOREKEY_PARAMS *,
+ KMF_RAW_KEY_DATA *);
+
+ KMF_RETURN (*CreateSymKey) (
+ KMF_HANDLE_T,
+ KMF_CREATESYMKEY_PARAMS *,
+ KMF_KEY_HANDLE *);
+
+ KMF_RETURN (*GetSymKeyValue) (
+ KMF_HANDLE_T,
+ KMF_KEY_HANDLE *,
+ KMF_RAW_SYM_KEY *);
+
+ KMF_RETURN (*SetTokenPin) (
+ KMF_HANDLE_T,
+ KMF_SETPIN_PARAMS *,
+ KMF_CREDENTIAL *);
+
+ void (*Finalize) ();
+
+} KMF_PLUGIN_FUNCLIST;
+
+typedef struct {
+ KMF_KEYSTORE_TYPE type;
+ char *applications;
+ char *path;
+ void *dldesc;
+ KMF_PLUGIN_FUNCLIST *funclist;
+} KMF_PLUGIN;
+
+typedef struct _KMF_PLUGIN_LIST {
+ KMF_PLUGIN *plugin;
+ struct _KMF_PLUGIN_LIST *next;
+} KMF_PLUGIN_LIST;
+
+typedef struct _kmf_handle {
+ /*
+ * session handle opened by KMF_SelectToken() to talk
+ * to a specific slot in Crypto framework. It is used
+ * by pkcs11 plugin module.
+ */
+ CK_SESSION_HANDLE pk11handle;
+ KMF_ERROR lasterr;
+ KMF_POLICY_RECORD *policy;
+ KMF_PLUGIN_LIST *plugins;
+} KMF_HANDLE;
+
+#define CLEAR_ERROR(h, rv) { \
+ if (h == NULL) { \
+ rv = KMF_ERR_BAD_PARAMETER; \
+ } else { \
+ h->lasterr.errcode = 0; \
+ h->lasterr.kstype = 0; \
+ rv = KMF_OK; \
+ } \
+}
+
+#define KMF_PLUGIN_INIT_SYMBOL "KMF_Plugin_Initialize"
+
+#ifndef KMF_PLUGIN_PATH
+#if defined(__sparcv9)
+#define KMF_PLUGIN_PATH "/usr/lib/security/sparcv9/"
+#elif defined(__sparc)
+#define KMF_PLUGIN_PATH "/usr/lib/security/"
+#elif defined(__i386)
+#define KMF_PLUGIN_PATH "/usr/lib/security/"
+#elif defined(__amd64)
+#define KMF_PLUGIN_PATH "/usr/lib/security/amd64/"
+#endif
+#endif /* !KMF_PLUGIN_PATH */
+
+KMF_PLUGIN_FUNCLIST *KMF_Plugin_Initialize();
+
+KMF_RETURN
+SignCert(KMF_HANDLE_T, const KMF_DATA *, KMF_KEY_HANDLE *, KMF_DATA *);
+
+KMF_RETURN
+VerifyCertWithKey(KMF_HANDLE_T, KMF_DATA *, const KMF_DATA *);
+
+KMF_RETURN
+VerifyCertWithCert(KMF_HANDLE_T, const KMF_DATA *, const KMF_DATA *);
+
+KMF_RETURN
+VerifyDataWithCert(KMF_HANDLE_T, KMF_DATA *, KMF_DATA *, const KMF_DATA *);
+
+KMF_RETURN
+VerifyDataWithKey(KMF_HANDLE_T, KMF_DATA *, KMF_ALGORITHM_INDEX, KMF_DATA *,
+ KMF_DATA *);
+
+KMF_RETURN
+EncryptWithCert(KMF_HANDLE_T, KMF_DATA *, KMF_DATA *, KMF_DATA *);
+
+KMF_RETURN
+DecryptWithCert(KMF_HANDLE_T, KMF_DATA *, KMF_KEY_HANDLE *, KMF_DATA *,
+ KMF_DATA *);
+
+KMF_RETURN
+SignCsr(KMF_HANDLE_T, const KMF_DATA *, KMF_KEY_HANDLE *,
+ KMF_X509_ALGORITHM_IDENTIFIER *, KMF_DATA *);
+
+KMF_BOOL PKCS_ConvertAlgorithmId2PKCSKeyType(
+ KMF_ALGORITHM_INDEX, CK_KEY_TYPE *);
+
+KMF_RETURN PKCS_VerifyData(
+ KMF_HANDLE *,
+ KMF_ALGORITHM_INDEX,
+ KMF_X509_SPKI *,
+ KMF_DATA *, KMF_DATA *);
+
+KMF_RETURN PKCS_EncryptData(
+ KMF_HANDLE *,
+ KMF_ALGORITHM_INDEX,
+ KMF_X509_SPKI *,
+ KMF_DATA *,
+ KMF_DATA *);
+
+KMF_PLUGIN *FindPlugin(KMF_HANDLE_T, KMF_KEYSTORE_TYPE);
+
+KMF_BOOL IsEqualOid(KMF_OID *, KMF_OID *);
+
+KMF_OID *X509_AlgIdToAlgorithmOid(KMF_ALGORITHM_INDEX);
+
+KMF_ALGORITHM_INDEX X509_AlgorithmOidToAlgId(KMF_OID *);
+KMF_RETURN GetIDFromSPKI(KMF_X509_SPKI *, KMF_DATA *);
+CK_RV DigestData(CK_SESSION_HANDLE, KMF_DATA *, KMF_DATA *);
+
+KMF_RETURN KMF_SetAltName(KMF_X509_EXTENSIONS *,
+ KMF_OID *, int, KMF_GENERALNAMECHOICES, char *);
+KMF_RETURN GetSequenceContents(char *, size_t, char **, size_t *);
+KMF_X509_EXTENSION *FindExtn(KMF_X509_EXTENSIONS *, KMF_OID *);
+KMF_RETURN add_an_extension(KMF_X509_EXTENSIONS *exts,
+ KMF_X509_EXTENSION *newextn);
+KMF_RETURN set_integer(KMF_DATA *, void *, int);
+void free_keyidlist(KMF_OID *, int);
+KMF_RETURN copy_data(KMF_DATA *, KMF_DATA *);
+void Cleanup_PK11_Session(KMF_HANDLE_T handle);
+void free_dp_name(KMF_CRL_DIST_POINT *);
+void free_dp(KMF_CRL_DIST_POINT *);
+KMF_RETURN set_key_usage_extension(KMF_X509_EXTENSIONS *,
+ int, uint32_t);
+int is_pk11_ready();
+KMF_RETURN KMF_SelectToken(KMF_HANDLE_T, char *, int);
+
+
+/* Indexes into the key parts array for RSA keys */
+#define KMF_RSA_MODULUS (0)
+#define KMF_RSA_PUBLIC_EXPONENT (1)
+#define KMF_RSA_PRIVATE_EXPONENT (2)
+#define KMF_RSA_PRIME1 (3)
+#define KMF_RSA_PRIME2 (4)
+#define KMF_RSA_EXPONENT1 (5)
+#define KMF_RSA_EXPONENT2 (6)
+#define KMF_RSA_COEFFICIENT (7)
+
+/* Key part counts for RSA keys */
+#define KMF_NUMBER_RSA_PUBLIC_KEY_PARTS (2)
+#define KMF_NUMBER_RSA_PRIVATE_KEY_PARTS (8)
+
+/* Key part counts for DSA keys */
+#define KMF_NUMBER_DSA_PUBLIC_KEY_PARTS (4)
+#define KMF_NUMBER_DSA_PRIVATE_KEY_PARTS (4)
+
+/* Indexes into the key parts array for DSA keys */
+#define KMF_DSA_PRIME (0)
+#define KMF_DSA_SUB_PRIME (1)
+#define KMF_DSA_BASE (2)
+#define KMF_DSA_PUBLIC_VALUE (3)
+
+#ifndef max
+#define max(a, b) ((a) < (b) ? (b) : (a))
+#endif
+
+/* Maximum key parts for all algorithms */
+#define KMF_MAX_PUBLIC_KEY_PARTS \
+ (max(KMF_NUMBER_RSA_PUBLIC_KEY_PARTS, \
+ KMF_NUMBER_DSA_PUBLIC_KEY_PARTS))
+
+#define KMF_MAX_PRIVATE_KEY_PARTS \
+ (max(KMF_NUMBER_RSA_PRIVATE_KEY_PARTS, \
+ KMF_NUMBER_DSA_PRIVATE_KEY_PARTS))
+
+#define KMF_MAX_KEY_PARTS \
+ (max(KMF_MAX_PUBLIC_KEY_PARTS, KMF_MAX_PRIVATE_KEY_PARTS))
+
+typedef enum {
+ KMF_ALGMODE_NONE = 0,
+ KMF_ALGMODE_CUSTOM,
+ KMF_ALGMODE_PUBLIC_KEY,
+ KMF_ALGMODE_PRIVATE_KEY,
+ KMF_ALGMODE_PKCS1_EMSA_V15
+} KMF_SIGNATURE_MODE;
+
+#define KMF_CERT_PRINTABLE_LEN 1024
+#define SHA1_HASH_LENGTH 20
+
+#define OCSPREQ_TEMPNAME "/tmp/ocsp.reqXXXXXX"
+#define OCSPRESP_TEMPNAME "/tmp/ocsp.respXXXXXX"
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* _KMFAPIP_H */
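Review bot: The temp-file templates `OCSPREQ_TEMPNAME` and `OCSPRESP_TEMPNAME` hard-code world-writable `/tmp` with no note on how they must be used, and the usage is not in this hunk; since the files hold OCSP requests and responses whose integrity the verifier depends on, the header should state the contract, e.g. `/* mkstemp(3C) templates in a world-writable directory: keep the fd mkstemp returns and never reopen the file by name (symlink race); consider honoring TMPDIR */`. The `CLEAR_ERROR` macro at L217 is a bare brace block with an unparenthesized `h`, so `if (x) CLEAR_ERROR(h, rv); else ...` breaks at the dangling `;` — wrap it in `do { ... } while (0)` and write `(h) == NULL` / `(h)->lasterr`. The declarations `void (*Finalize) ();`, `KMF_Plugin_Initialize()` and `is_pk11_ready()` are non-prototype (K&R) forms that disable argument checking at plugin call sites; they should be `(void)`. The `version` field in `KMF_PLUGIN_FUNCLIST` presumably gates plugin ABI compatibility before the table is dereferenced, which is worth a one-line comment on the field given that the table is produced by a dlopen'ed module.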