36 #include <ldns/ldns.h> 38 #include <libxml/tree.h> 39 #include <libxml/parser.h> 40 #include <libxml/xpath.h> 41 #include <libxml/xpathInternals.h> 42 #include <libxml/relaxng.h> 52 #define HSM_TOKEN_LABEL_LENGTH 32 60 ldns_pkcs11_rv_str(CK_RV rv)
69 return "CKR_HOST_MEMORY";
71 return "CKR_GENERAL_ERROR";
73 return "CKR_FUNCTION_FAILED";
75 return "CKR_SLOT_ID_INVALID";
77 return "CKR_ATTRIBUTE_READ_ONLY";
79 return "CKR_ATTRIBUTE_SENSITIVE";
81 return "CKR_ATTRIBUTE_TYPE_INVALID";
83 return "CKR_ATTRIBUTE_VALUE_INVALID";
85 return "CKR_DATA_INVALID";
87 return "CKR_DATA_LEN_RANGE";
89 return "CKR_DEVICE_ERROR";
91 return "CKR_DEVICE_MEMORY";
93 return "CKR_DEVICE_REMOVED";
95 return "CKR_ENCRYPTED_DATA_INVALID";
97 return "CKR_ENCRYPTED_DATA_LEN_RANGE";
99 return "CKR_FUNCTION_CANCELED";
101 return "CKR_FUNCTION_NOT_PARALLEL";
103 return "CKR_FUNCTION_NOT_SUPPORTED";
105 return "CKR_KEY_HANDLE_INVALID";
107 return "CKR_KEY_SIZE_RANGE";
109 return "CKR_KEY_TYPE_INCONSISTENT";
111 return "CKR_MECHANISM_INVALID";
113 return "CKR_MECHANISM_PARAM_INVALID";
115 return "CKR_OBJECT_HANDLE_INVALID";
117 return "CKR_OPERATION_ACTIVE";
119 return "CKR_OPERATION_NOT_INITIALIZED";
121 return "CKR_PIN_INCORRECT";
123 return "CKR_PIN_INVALID";
125 return "CKR_PIN_LEN_RANGE";
127 return "CKR_SESSION_CLOSED";
129 return "CKR_SESSION_COUNT";
131 return "CKR_SESSION_HANDLE_INVALID";
133 return "CKR_SESSION_PARALLEL_NOT_SUPPORTED";
135 return "CKR_SESSION_READ_ONLY";
137 return "CKR_SESSION_EXISTS";
139 return "CKR_SIGNATURE_INVALID";
141 return "CKR_SIGNATURE_LEN_RANGE";
143 return "CKR_TEMPLATE_INCOMPLETE";
145 return "CKR_TEMPLATE_INCONSISTENT";
147 return "CKR_TOKEN_NOT_PRESENT";
149 return "CKR_TOKEN_NOT_RECOGNIZED";
151 return "CKR_TOKEN_WRITE_PROTECTED";
153 return "CKR_UNWRAPPING_KEY_HANDLE_INVALID";
155 return "CKR_UNWRAPPING_KEY_SIZE_RANGE";
157 return "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT";
159 return "CKR_USER_ALREADY_LOGGED_IN";
161 return "CKR_USER_NOT_LOGGED_IN";
163 return "CKR_USER_PIN_NOT_INITIALIZED";
165 return "CKR_USER_TYPE_INVALID";
167 return "CKR_WRAPPED_KEY_INVALID";
169 return "CKR_WRAPPED_KEY_LEN_RANGE";
171 return "CKR_WRAPPING_KEY_HANDLE_INVALID";
173 return "CKR_WRAPPING_KEY_SIZE_RANGE";
175 return "CKR_WRAPPING_KEY_TYPE_INCONSISTENT";
177 return "CKR_RANDOM_SEED_NOT_SUPPORTED";
179 return "CKR_VENDOR_DEFINED";
181 return "CKR_BUFFER_TOO_SMALL";
183 return "CKR_SAVED_STATE_INVALID";
185 return "CKR_INFORMATION_SENSITIVE";
187 return "CKR_STATE_UNSAVEABLE";
189 return "CKR_CRYPTOKI_NOT_INITIALIZED";
191 return "CKR_CRYPTOKI_ALREADY_INITIALIZED";
193 return "CKR_MUTEX_BAD";
195 return "CKR_MUTEX_NOT_LOCKED";
197 return "Unknown error";
214 const char *message, ...)
218 if (ctx && ctx->
error == 0) {
222 va_start(args, message);
241 hsm_pkcs11_check_error(
hsm_ctx_t *
ctx, CK_RV rv,
const char *action)
244 if (ctx && ctx->
error == 0) {
245 ctx->
error = (int) rv;
256 hsm_pkcs11_unload_functions(
void *handle)
259 #if defined(HAVE_LOADLIBRARY) 261 #elif defined(HAVE_DLOPEN) 262 (void) dlclose(handle);
271 CK_C_GetFunctionList pGetFunctionList = NULL;
273 if (module && module->
path) {
276 #if defined(HAVE_LOADLIBRARY) 278 HINSTANCE hDLL = LoadLibrary(_T(module->
path));
286 pGetFunctionList = (CK_C_GetFunctionList)
287 GetProcAddress(hDLL, _T(
"C_GetFunctionList"));
289 #elif defined(HAVE_DLOPEN) 291 void* pDynLib = dlopen(module->
path, RTLD_NOW | RTLD_LOCAL);
293 if (pDynLib == NULL) {
299 pGetFunctionList = (CK_C_GetFunctionList) dlsym(pDynLib,
"C_GetFunctionList");
308 #ifdef HAVE_PKCS11_MODULE 309 return C_GetFunctionList(pkcs11_functions);
315 if (pGetFunctionList == NULL) {
331 if (data == NULL || len == NULL)
return;
335 while ((
unsigned short int)(*p) == 0 && l > 1) {
347 hsm_pkcs11_check_token_name(
hsm_ctx_t *ctx,
350 const char *token_name)
359 if (hsm_pkcs11_check_error(ctx, rv,
"C_GetTokenInfo")) {
365 memcpy(token_name_bytes, token_name, strlen(token_name));
370 result = memcmp(token_info.
label,
381 const char *token_name, CK_SLOT_ID *slotId)
389 if (token_name == NULL || slotId == NULL)
return HSM_ERROR;
392 if (hsm_pkcs11_check_error(ctx, rv,
"get slot list")) {
398 "No slots found in HSM");
400 }
else if (slotCount > (SIZE_MAX /
sizeof(CK_SLOT_ID))) {
402 "Too many slots found in HSM");
406 slotIds = malloc(
sizeof(CK_SLOT_ID) * slotCount);
407 if(slotIds == NULL) {
409 "Could not allocate slot ID table");
414 if (hsm_pkcs11_check_error(ctx, rv,
"get slot list")) {
418 for (cur_slot = 0; cur_slot < slotCount; cur_slot++) {
419 if (hsm_pkcs11_check_token_name(ctx,
423 *slotId = slotIds[cur_slot];
431 "could not find token with the name %s", token_name);
440 hsm_module_new(
const char *repository,
441 const char *token_label,
447 if (!repository || !path)
return NULL;
451 if (!module)
return NULL;
465 module->
name = strdup(repository);
467 module->
path = strdup(path);
478 if (module->
name) free(module->
name);
480 if (module->
path) free(module->
path);
488 hsm_session_new(
hsm_module_t *module, CK_SESSION_HANDLE session_handle)
493 session->
session = session_handle;
517 const char *repository,
const char *token_label,
518 const char *module_path,
const char *pin,
525 CK_SESSION_HANDLE session_handle;
526 int first = 1, result;
533 module = hsm_module_new(repository, token_label, module_path, config);
535 rv = hsm_pkcs11_load_functions(module);
538 "hsm_session_init()",
539 "PKCS#11 module load failed: %s", module_path);
540 hsm_module_free(module);
547 if (hsm_pkcs11_check_error(ctx, rv,
"Initialization")) {
548 hsm_module_free(module);
556 hsm_module_free(module);
564 if (hsm_pkcs11_check_error(ctx, rv,
"Open first session")) {
565 hsm_module_free(module);
570 (
unsigned char *) pin,
571 strlen((
char *)pin));
574 *session = hsm_session_new(module, session_handle);
578 if (session_handle) {
580 C_CloseSession(session_handle);
581 if (hsm_pkcs11_check_error(ctx, rv,
582 "finalize after failed login")) {
583 hsm_module_free(module);
591 if (hsm_pkcs11_check_error(ctx, rv,
"finalize after failed login")) {
592 hsm_module_free(module);
596 hsm_module_free(module);
601 "hsm_session_init()",
602 "Incorrect PIN for repository %s", repository);
616 CK_SESSION_HANDLE session_handle;
624 if (result !=
HSM_OK)
return NULL;
631 if (hsm_pkcs11_check_error(ctx, rv,
"Clone session")) {
634 new_session = hsm_session_new(session->
module, session_handle);
658 hsm_session_free(ctx->
session[i]);
683 (void) hsm_pkcs11_check_error(ctx, rv,
"Logout");
688 (void) hsm_pkcs11_check_error(ctx, rv,
"Close session");
693 (void) hsm_pkcs11_check_error(ctx, rv,
"Finalize");
696 hsm_module_free(session->
module);
699 hsm_session_free(session);
709 hsm_ctx_close(
hsm_ctx_t *ctx,
int unload)
718 hsm_session_close(ctx, ctx->
session[i], unload);
742 if (!ctx || !session)
return -1;
758 new_ctx = hsm_ctx_new();
760 new_session = hsm_session_clone(ctx, ctx->
session[i]);
764 hsm_ctx_close(new_ctx, 0);
767 hsm_ctx_add_session(new_ctx, new_session);
805 CK_KEY_TYPE key_type;
816 if (hsm_pkcs11_check_error(ctx, rv,
817 "Get attr value algorithm type")) {
825 if ((
CK_LONG)
template[0].ulValueLen < 1) {
865 if (hsm_pkcs11_check_error(ctx, rv,
866 "Get attr value algorithm type")) {
870 if ((
CK_ULONG)
template[0].ulValueLen < 1) {
880 if (hsm_pkcs11_check_error(ctx, rv,
"Could not get the size of the modulus of the private key")) {
885 modulus = (
CK_BYTE_PTR)malloc(template2[0].ulValueLen);
886 template2[0].pValue = modulus;
887 if (modulus == NULL) {
889 "Error allocating memory for modulus");
899 if (hsm_pkcs11_check_error(ctx, rv,
"Could not get the modulus of the private key")) {
905 modulus_bits = template2[0].ulValueLen * 8;
907 for (
int i = 0; modulus_bits && (modulus[i] & mask) == 0; modulus_bits--) {
941 if (hsm_pkcs11_check_error(ctx, rv,
"Could not get the size of the prime of the private key")) {
945 return template2[0].ulValueLen * 8;
956 return hsm_get_key_size_rsa(ctx, session, key);
959 return hsm_get_key_size_dsa(ctx, session, key);
970 static CK_OBJECT_HANDLE
971 hsm_find_object_handle_for_id(
hsm_ctx_t *ctx,
973 CK_OBJECT_CLASS key_class,
978 CK_OBJECT_HANDLE object;
982 {
CKA_CLASS, &key_class,
sizeof(key_class) },
988 if (hsm_pkcs11_check_error(ctx, rv,
"Find objects init")) {
996 if (hsm_pkcs11_check_error(ctx, rv,
"Find object")) {
998 (void)hsm_pkcs11_check_error(ctx, rv,
"Find objects cleanup");
1003 if (hsm_pkcs11_check_error(ctx, rv,
"Find object final")) {
1007 if (objectCount > 0) {
1019 static unsigned char *
1020 hsm_hex_parse(
const char *hex,
size_t *len)
1022 unsigned char *bytes;
1027 if (!len)
return NULL;
1030 if (!hex)
return NULL;
1031 hex_len = strlen(hex);
1032 if (hex_len % 2 != 0) {
1037 bytes = malloc(*len);
1038 for (i = 0; i < *len; i++) {
1039 bytes[i] = ldns_hexdigit_to_int(hex[2*i]) * 16 +
1040 ldns_hexdigit_to_int(hex[2*i+1]);
1050 hsm_hex_unparse(
char *dst,
const unsigned char *src,
size_t len)
1052 size_t dst_len = len*2 + 1;
1055 for (i = 0; i < len; i++) {
1056 snprintf(dst + (2*i), dst_len,
"%02x", src[i]);
1068 CK_OBJECT_HANDLE
object,
1084 if (hsm_pkcs11_check_error(ctx, rv,
"Get attr value")) {
1089 if ((
CK_LONG)
template[0].ulValueLen < 1) {
1095 template[0].pValue = malloc(
template[0].ulValueLen);
1101 if (hsm_pkcs11_check_error(ctx, rv,
"Get attr value 2")) {
1103 free(
template[0].pValue);
1107 *len =
template[0].ulValueLen;
1108 return template[0].pValue;
1116 hsm_key_new_privkey_object_handle(
hsm_ctx_t *ctx,
1118 CK_OBJECT_HANDLE
object)
1124 id = hsm_get_id_for_object(ctx, session,
object, &len);
1126 if (!
id)
return NULL;
1128 key = hsm_key_new();
1133 key->
public_key = hsm_find_object_handle_for_id(
1154 hsm_list_keys_session_internal(
hsm_ctx_t *ctx,
1164 {
CKA_CLASS, &key_class,
sizeof(key_class) },
1171 CK_OBJECT_HANDLE
object[max_object_count];
1172 CK_OBJECT_HANDLE *key_handles = NULL, *key_handles_prev;
1176 if (hsm_pkcs11_check_error(ctx, rv,
"Find objects init")) {
1181 while (objectCount > 0) {
1186 if (hsm_pkcs11_check_error(ctx, rv,
"Find first object")) {
1190 (void)hsm_pkcs11_check_error(ctx, rv,
"Find objects cleanup");
1194 total_count += objectCount;
1195 if (objectCount > 0 && store) {
1196 key_handles_prev = key_handles;
1197 if (!(key_handles = realloc(key_handles_prev, total_count *
sizeof(CK_OBJECT_HANDLE)))) {
1198 free(key_handles_prev);
1202 for (i = 0; i < objectCount; i++) {
1203 key_handles[j] =
object[i];
1210 if (hsm_pkcs11_check_error(ctx, rv,
"Find objects final")) {
1218 if (!(keys = realloc(keys_prev, total_count *
sizeof(
hsm_key_t *)))) {
1224 for (i = 0; i < total_count; i++) {
1225 key = hsm_key_new_privkey_object_handle(ctx, session,
1233 *count = total_count;
1249 return hsm_list_keys_session_internal(ctx, session, count, 1);
1262 (void) hsm_list_keys_session_internal(ctx, session, &count, 0);
1272 const unsigned char *
id,
size_t len)
1275 CK_OBJECT_HANDLE private_key_handle;
1277 private_key_handle = hsm_find_object_handle_for_id(
1283 if (private_key_handle != 0) {
1284 key = hsm_key_new_privkey_object_handle(ctx, session,
1285 private_key_handle);
1303 const unsigned char *
id,
1309 if (!
id)
return NULL;
1312 key = hsm_find_key_by_id_session(ctx, ctx->
session[i],
id, len);
1313 if (key)
return key;
1325 hsm_find_repository_session(
hsm_ctx_t *ctx,
const char *repository)
1345 "hsm_find_repository_session()",
1346 "Can't find repository: %s", repository);
1360 unsigned long hKey = 0;
1361 unsigned char *data = NULL;
1362 size_t data_size = 0;
1370 if (!session || !session->
module) {
1385 if (hsm_pkcs11_check_error(ctx, rv,
"C_GetAttributeValue")) {
1388 public_exponent_len =
template[0].ulValueLen;
1389 modulus_len =
template[1].ulValueLen;
1391 public_exponent =
template[0].pValue = malloc(public_exponent_len);
1392 if (!public_exponent) {
1394 "Error allocating memory for public exponent");
1398 modulus =
template[1].pValue = malloc(modulus_len);
1401 "Error allocating memory for modulus");
1402 free(public_exponent);
1411 if (hsm_pkcs11_check_error(ctx, rv,
"get attribute value")) {
1412 free(
template[0].pValue);
1413 free(
template[1].pValue);
1418 hsm_remove_leading_zeroes(public_exponent, &public_exponent_len);
1419 hsm_remove_leading_zeroes(modulus, &modulus_len);
1421 data_size = public_exponent_len + modulus_len + 1;
1422 if (public_exponent_len <= 255) {
1423 data = malloc(data_size);
1426 "Error allocating memory for pub key rr data");
1427 free(public_exponent);
1431 data[0] = public_exponent_len;
1432 memcpy(&data[1], public_exponent, public_exponent_len);
1433 memcpy(&data[1 + public_exponent_len], modulus, modulus_len);
1434 }
else if (public_exponent_len <= 65535) {
1436 data = malloc(data_size);
1439 "Error allocating memory for pub key rr data");
1440 free(public_exponent);
1445 ldns_write_uint16(&data[1], (uint16_t) public_exponent_len);
1446 memcpy(&data[3], public_exponent, public_exponent_len);
1447 memcpy(&data[3 + public_exponent_len], modulus, modulus_len);
1450 "Public exponent too big");
1451 free(public_exponent);
1455 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, data_size, data);
1456 free(public_exponent);
1475 unsigned char *data = NULL;
1476 size_t data_size = 0;
1486 if (!session || !session->
module) {
1496 if (hsm_pkcs11_check_error(ctx, rv,
"C_GetAttributeValue")) {
1499 prime_len =
template[0].ulValueLen;
1500 subprime_len =
template[1].ulValueLen;
1501 base_len =
template[2].ulValueLen;
1502 value_len =
template[3].ulValueLen;
1504 prime =
template[0].pValue = malloc(prime_len);
1507 "Error allocating memory for prime");
1511 subprime =
template[1].pValue = malloc(subprime_len);
1514 "Error allocating memory for subprime");
1519 base =
template[2].pValue = malloc(base_len);
1522 "Error allocating memory for base");
1528 value =
template[3].pValue = malloc(value_len);
1531 "Error allocating memory for value");
1543 if (hsm_pkcs11_check_error(ctx, rv,
"get attribute value")) {
1551 data_size = prime_len + subprime_len + base_len + value_len + 1;
1552 data = malloc(data_size);
1555 "Error allocating memory for pub key rr data");
1562 data[0] = (prime_len - 64) / 8;
1563 memcpy(&data[1], subprime, subprime_len);
1564 memcpy(&data[1 + subprime_len], prime, prime_len);
1565 memcpy(&data[1 + subprime_len + prime_len], base, base_len);
1566 memcpy(&data[1 + subprime_len + prime_len + base_len], value, value_len);
1568 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, data_size, data);
1590 if (!session || !session->
module) {
1600 if (hsm_pkcs11_check_error(ctx, rv,
"C_GetAttributeValue")) {
1603 value_len =
template[0].ulValueLen;
1605 value =
template[0].pValue = malloc(value_len);
1608 "Error allocating memory for value");
1617 if (hsm_pkcs11_check_error(ctx, rv,
"get attribute value")) {
1622 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, value_len, value);
1631 switch (hsm_get_key_algorithm(ctx, session, key)) {
1633 return hsm_get_key_rdata_rsa(ctx, session, key);
1636 return hsm_get_key_rdata_dsa(ctx, session, key);
1639 return hsm_get_key_rdata_gost(ctx, session, key);
1651 hsm_create_prefix(
CK_ULONG digest_len,
1656 const CK_BYTE RSA_MD5_ID[] = { 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
1657 const CK_BYTE RSA_SHA1_ID[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14 };
1658 const CK_BYTE RSA_SHA256_ID[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };
1659 const CK_BYTE RSA_SHA512_ID[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 };
1662 case LDNS_SIGN_RSAMD5:
1663 *data_size =
sizeof(RSA_MD5_ID) + digest_len;
1664 data = malloc(*data_size);
1665 memcpy(data, RSA_MD5_ID,
sizeof(RSA_MD5_ID));
1667 case LDNS_SIGN_RSASHA1:
1668 case LDNS_SIGN_RSASHA1_NSEC3:
1669 *data_size =
sizeof(RSA_SHA1_ID) + digest_len;
1670 data = malloc(*data_size);
1671 memcpy(data, RSA_SHA1_ID,
sizeof(RSA_SHA1_ID));
1673 case LDNS_SIGN_RSASHA256:
1674 *data_size =
sizeof(RSA_SHA256_ID) + digest_len;
1675 data = malloc(*data_size);
1676 memcpy(data, RSA_SHA256_ID,
sizeof(RSA_SHA256_ID));
1678 case LDNS_SIGN_RSASHA512:
1679 *data_size =
sizeof(RSA_SHA512_ID) + digest_len;
1680 data = malloc(*data_size);
1681 memcpy(data, RSA_SHA512_ID,
sizeof(RSA_SHA512_ID));
1684 case LDNS_SIGN_DSA_NSEC3:
1685 case LDNS_SIGN_ECC_GOST:
1686 #if LDNS_BUILD_CONFIG_USE_ECDSA 1687 case LDNS_SIGN_ECDSAP256SHA256:
1688 case LDNS_SIGN_ECDSAP384SHA384:
1690 *data_size = digest_len;
1691 data = malloc(*data_size);
1702 CK_MECHANISM_TYPE mechanism_type,
1704 ldns_buffer *sign_buf)
1710 digest_mechanism.pParameter = NULL;
1711 digest_mechanism.ulParameterLen = 0;
1712 digest_mechanism.
mechanism = mechanism_type;
1713 digest = malloc(digest_len);
1716 if (hsm_pkcs11_check_error(ctx, rv,
"HSM digest init")) {
1722 ldns_buffer_begin(sign_buf),
1723 ldns_buffer_position(sign_buf),
1726 if (hsm_pkcs11_check_error(ctx, rv,
"HSM digest")) {
1735 ldns_buffer *sign_buf,
1753 session = hsm_find_key_session(ctx, key);
1754 if (!session)
return NULL;
1759 switch (algorithm) {
1760 case LDNS_SIGN_RSAMD5:
1762 digest = hsm_digest_through_hsm(ctx, session,
1766 case LDNS_SIGN_RSASHA1:
1767 case LDNS_SIGN_RSASHA1_NSEC3:
1769 case LDNS_SIGN_DSA_NSEC3:
1770 digest_len = LDNS_SHA1_DIGEST_LENGTH;
1771 digest = malloc(digest_len);
1772 digest = ldns_sha1(ldns_buffer_begin(sign_buf),
1773 ldns_buffer_position(sign_buf),
1777 case LDNS_SIGN_RSASHA256:
1778 #if LDNS_BUILD_CONFIG_USE_ECDSA 1779 case LDNS_SIGN_ECDSAP256SHA256:
1781 digest_len = LDNS_SHA256_DIGEST_LENGTH;
1782 digest = malloc(digest_len);
1783 digest = ldns_sha256(ldns_buffer_begin(sign_buf),
1784 ldns_buffer_position(sign_buf),
1787 #if LDNS_BUILD_CONFIG_USE_ECDSA 1788 case LDNS_SIGN_ECDSAP384SHA384:
1789 digest_len = LDNS_SHA384_DIGEST_LENGTH;
1790 digest = malloc(digest_len);
1791 digest = ldns_sha384(ldns_buffer_begin(sign_buf),
1792 ldns_buffer_position(sign_buf),
1796 case LDNS_SIGN_RSASHA512:
1797 digest_len = LDNS_SHA512_DIGEST_LENGTH;
1798 digest = malloc(digest_len);
1799 digest = ldns_sha512(ldns_buffer_begin(sign_buf),
1800 ldns_buffer_position(sign_buf),
1803 case LDNS_SIGN_ECC_GOST:
1805 digest = hsm_digest_through_hsm(ctx, session,
1822 data = hsm_create_prefix(digest_len, algorithm, &data_len);
1823 memcpy(data + data_len - digest_len, digest, digest_len);
1825 sign_mechanism.pParameter = NULL;
1826 sign_mechanism.ulParameterLen = 0;
1828 case LDNS_SIGN_RSAMD5:
1829 case LDNS_SIGN_RSASHA1:
1830 case LDNS_SIGN_RSASHA1_NSEC3:
1831 case LDNS_SIGN_RSASHA256:
1832 case LDNS_SIGN_RSASHA512:
1836 case LDNS_SIGN_DSA_NSEC3:
1839 case LDNS_SIGN_ECC_GOST:
1842 #if LDNS_BUILD_CONFIG_USE_ECDSA 1844 case LDNS_SIGN_ECDSAP256SHA256:
1845 case LDNS_SIGN_ECDSAP384SHA384:
1859 if (hsm_pkcs11_check_error(ctx, rv,
"sign init")) {
1868 if (hsm_pkcs11_check_error(ctx, rv,
"sign final")) {
1874 sig_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
1886 hsm_dname_is_wildcard(
const ldns_rdf* dname)
1888 return ( ldns_dname_label_count(dname) > 0 &&
1889 ldns_rdf_data(dname)[0] == 1 &&
1890 ldns_rdf_data(dname)[1] ==
'*');
1894 hsm_create_empty_rrsig(
const ldns_rr_list *rrset,
1899 uint32_t orig_class;
1901 uint8_t label_count;
1903 label_count = ldns_dname_label_count(
1904 ldns_rr_owner(ldns_rr_list_rr(rrset, 0)));
1906 if (hsm_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0)))) {
1910 rrsig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
1913 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
1914 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0));
1916 ldns_rr_set_class(rrsig, orig_class);
1917 ldns_rr_set_ttl(rrsig, orig_ttl);
1918 ldns_rr_set_owner(rrsig,
1921 ldns_rr_list_rr(rrset,
1927 (void)ldns_rr_rrsig_set_origttl(
1929 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
1932 (void)ldns_rr_rrsig_set_signame(
1934 ldns_rdf_clone(sign_params->
owner));
1936 (void)ldns_rr_rrsig_set_labels(
1938 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
1943 (void)ldns_rr_rrsig_set_inception(
1945 ldns_native2rdf_int32(
1949 (void)ldns_rr_rrsig_set_inception(
1951 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
1954 (void)ldns_rr_rrsig_set_expiration(
1956 ldns_native2rdf_int32(
1960 (void)ldns_rr_rrsig_set_expiration(
1962 ldns_native2rdf_int32(
1964 now + LDNS_DEFAULT_EXP_TIME));
1967 (void)ldns_rr_rrsig_set_keytag(
1969 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
1972 (void)ldns_rr_rrsig_set_algorithm(
1974 ldns_native2rdf_int8(
1978 (void)ldns_rr_rrsig_set_typecovered(
1980 ldns_native2rdf_int16(
1982 ldns_rr_get_type(ldns_rr_list_rr(rrset,
1995 char *(pin_callback)(
unsigned int,
const char *,
unsigned int))
1998 xmlXPathContextPtr xpath_ctx;
1999 xmlXPathObjectPtr xpath_obj;
2012 int repositories = 0;
2017 _hsm_ctx = hsm_ctx_new();
2020 config_file = strdup(config);
2022 config_file = strdup(HSM_DEFAULT_CONFIG);
2026 doc = xmlParseFile(config_file);
2033 xpath_ctx = xmlXPathNewContext(doc);
2034 if(xpath_ctx == NULL) {
2036 hsm_ctx_free(_hsm_ctx);
2042 xexpr = (xmlChar *)
"//Configuration/RepositoryList/Repository";
2043 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
2044 if(xpath_obj == NULL) {
2045 xmlXPathFreeContext(xpath_ctx);
2047 hsm_ctx_free(_hsm_ctx);
2052 if (xpath_obj->nodesetval) {
2053 for (i = 0; i < xpath_obj->nodesetval->nodeNr; i++) {
2058 hsm_config_default(&module_config);
2060 curNode = xpath_obj->nodesetval->nodeTab[i]->xmlChildrenNode;
2061 repository = (
char *) xmlGetProp(xpath_obj->nodesetval->nodeTab[i],
2062 (
const xmlChar *)
"name");
2065 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"TokenLabel"))
2066 token_label = (
char *) xmlNodeGetContent(curNode);
2067 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Module"))
2068 module_path = (
char *) xmlNodeGetContent(curNode);
2069 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"PIN"))
2070 module_pin = (
char *) xmlNodeGetContent(curNode);
2071 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"SkipPublicKey"))
2073 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"AllowExtraction"))
2075 curNode = curNode->next;
2078 if (repository && token_label && module_path) {
2102 if (module_pin == NULL)
break;
2114 memset(module_pin, 0, strlen(module_pin));
2120 "No pin or callback function");
2137 xmlXPathFreeObject(xpath_obj);
2138 xmlXPathFreeContext(xpath_ctx);
2141 if (result ==
HSM_OK && repositories == 0) {
2143 "No repositories found");
2156 hsm_ctx_close(_hsm_ctx, 1);
2166 newctx = hsm_ctx_clone(_hsm_ctx);
2178 CK_SESSION_HANDLE session_handle;
2186 if (session == NULL)
continue;
2192 if (hsm_pkcs11_check_error(ctx, rv,
"get session info")) {
2200 "Session not logged in");
2211 if (hsm_pkcs11_check_error(ctx, rv,
"test open session")) {
2216 if (hsm_pkcs11_check_error(ctx, rv,
"test close session")) {
2229 hsm_ctx_close(ctx, 0);
2244 params->
flags = LDNS_KEY_ZONE_KEY;
2248 params->
owner = NULL;
2256 if (params->
owner) ldns_rdf_deep_free(params->
owner);
2265 size_t key_count = 0;
2266 size_t cur_key_count;
2274 keys = realloc(keys_prev,
2275 (key_count + cur_key_count) *
sizeof(
hsm_key_t *));
2281 for (j = 0; j < cur_key_count; j++) {
2282 keys[key_count + j] = session_keys[j];
2284 key_count += cur_key_count;
2296 const char *repository)
2300 if (!repository)
return NULL;
2302 session = hsm_find_repository_session(ctx, repository);
2325 const char *repository)
2329 if (!repository)
return 0;
2332 session = hsm_find_repository_session(ctx, repository);
2342 unsigned char *id_bytes;
2346 id_bytes = hsm_hex_parse(
id, &len);
2348 if (!id_bytes)
return NULL;
2350 key = hsm_find_key_by_id_bin(ctx, id_bytes, len);
2357 const char *repository,
2358 unsigned long keysize)
2363 unsigned char id[16];
2367 CK_OBJECT_HANDLE publicKey, privateKey;
2368 CK_KEY_TYPE keyType =
CKK_RSA;
2372 CK_BYTE publicExponent[] = { 1, 0, 1 };
2378 session = hsm_find_repository_session(ctx, repository);
2379 if (!session)
return NULL;
2387 }
while ((key = hsm_find_key_by_id_bin(ctx,
id, 16)));
2390 hsm_hex_unparse(id_str,
id, 16);
2402 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
2412 {
CKA_SIGN, &ctrue,
sizeof (ctrue) },
2423 publicKeyTemplate, 9,
2424 privateKeyTemplate, 10,
2427 if (hsm_pkcs11_check_error(ctx, rv,
"generate key pair")) {
2431 new_key = hsm_key_new();
2449 const char *repository,
2450 unsigned long keysize)
2455 CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
2461 unsigned char id[16];
2465 session = hsm_find_repository_session(ctx, repository);
2466 if (!session)
return NULL;
2471 }
while (hsm_find_key_by_id_bin(ctx,
id, 16));
2474 hsm_hex_unparse(id_str,
id, 16);
2477 CK_KEY_TYPE keyType =
CKK_DSA;
2497 {
CKA_BASE, dsa_g,
sizeof(dsa_g) },
2503 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
2511 {
CKA_SIGN, &ctrue,
sizeof(ctrue) },
2521 session = hsm_find_repository_session(ctx, repository);
2522 if (!session)
return NULL;
2531 }
while ((key = hsm_find_key_by_id_bin(ctx,
id, 16)));
2534 hsm_hex_unparse(id_str,
id, 16);
2542 if (hsm_pkcs11_check_error(ctx, rv,
"generate domain parameters")) {
2547 domainPar, publicKeyTemplate, 3);
2548 if (hsm_pkcs11_check_error(ctx, rv,
"get domain parameters")) {
2553 if (hsm_pkcs11_check_error(ctx, rv,
"destroy domain parameters")) {
2561 publicKeyTemplate, 10,
2562 privateKeyTemplate, 10,
2565 if (hsm_pkcs11_check_error(ctx, rv,
"generate key pair")) {
2569 new_key = hsm_key_new();
2579 const char *repository)
2584 CK_OBJECT_HANDLE publicKey, privateKey;
2590 unsigned char id[16];
2594 session = hsm_find_repository_session(ctx, repository);
2595 if (!session)
return NULL;
2601 }
while (hsm_find_key_by_id_bin(ctx,
id, 16));
2604 hsm_hex_unparse(id_str,
id, 16);
2611 CK_BYTE oid1[] = { 0x06, 0x07, 0x2A, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01 };
2612 CK_BYTE oid2[] = { 0x06, 0x07, 0x2A, 0x85, 0x03, 0x02, 0x02, 0x1E, 0x01 };
2622 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
2630 {
CKA_SIGN, &ctrue,
sizeof(ctrue) },
2639 session = hsm_find_repository_session(ctx, repository);
2640 if (!session)
return NULL;
2649 }
while ((key = hsm_find_key_by_id_bin(ctx,
id, 16)));
2652 hsm_hex_unparse(id_str,
id, 16);
2658 publicKeyTemplate, 9,
2659 privateKeyTemplate, 10,
2662 if (hsm_pkcs11_check_error(ctx, rv,
"generate key pair")) {
2666 new_key = hsm_key_new();
2679 if (!key)
return -1;
2681 session = hsm_find_key_session(ctx, key);
2682 if (!session)
return -2;
2686 if (hsm_pkcs11_check_error(ctx, rv,
"Destroy private key")) {
2694 if (hsm_pkcs11_check_error(ctx, rv,
"Destroy public key")) {
2715 for (i = 0; i < count; i++) {
2716 free((
void*)key_list[i]->modulename);
2730 if (!key)
return NULL;
2732 session = hsm_find_key_session(ctx, key);
2733 if (!session)
return NULL;
2735 id = hsm_get_id_for_object(ctx, session, key->
private_key, &len);
2736 if (!
id)
return NULL;
2739 id_str = malloc(len * 2 + 1);
2745 hsm_hex_unparse(id_str,
id, len);
2759 session = hsm_find_key_session(ctx, key);
2760 if (!session)
return NULL;
2765 if (key_info->
id == NULL) {
2766 key_info->
id = strdup(
"");
2769 key_info->
algorithm = (
unsigned long) hsm_get_key_algorithm(ctx,
2772 key_info->
keysize = (
unsigned long) hsm_get_key_size(ctx,
2814 const ldns_rr_list* rrset,
2819 ldns_buffer *sign_buf;
2823 if (!key)
return NULL;
2824 if (!sign_params)
return NULL;
2826 signature = hsm_create_empty_rrsig((ldns_rr_list *)rrset,
2832 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2834 if (ldns_rrsig2buffer_wire(sign_buf, signature)
2835 != LDNS_STATUS_OK) {
2836 ldns_buffer_free(sign_buf);
2838 ldns_rr_free(signature);
2843 for(i = 0; i < ldns_rr_list_rr_count(rrset); i++) {
2844 ldns_rr2canonical(ldns_rr_list_rr(rrset, i));
2848 if (ldns_rr_list2buffer_wire(sign_buf, rrset)
2849 != LDNS_STATUS_OK) {
2850 ldns_buffer_free(sign_buf);
2851 ldns_rr_free(signature);
2855 b64_rdf = hsm_sign_buffer(ctx, sign_buf, key, sign_params->
algorithm);
2857 ldns_buffer_free(sign_buf);
2860 ldns_rr_free(signature);
2864 ldns_rr_rrsig_set_sig(signature, b64_rdf);
2881 size_t *digest_length)
2889 if (hsm_pkcs11_check_error(ctx, rv,
"digest init")) {
2900 if (hsm_pkcs11_check_error(ctx, rv,
"digest to determine result size")) {
2910 if (hsm_pkcs11_check_error(ctx, rv,
"digest")) {
2924 uint16_t iterations,
2925 uint8_t salt_length,
2928 char *orig_owner_str;
2929 size_t hashed_owner_str_len;
2930 ldns_rdf *hashed_owner;
2931 char *hashed_owner_str;
2932 char *hashed_owner_b32;
2933 int hashed_owner_b32_len;
2936 size_t hash_length = 0;
2946 mechanism.pParameter = NULL;
2947 mechanism.ulParameterLen = 0;
2950 printf(
"unknown algo: %u\n", (
unsigned int)algorithm);
2965 orig_owner_str = ldns_rdf2str(name);
2967 hashed_owner_str_len = salt_length + ldns_rdf_size(name);
2968 hashed_owner_str = LDNS_XMALLOC(
char, hashed_owner_str_len);
2969 memcpy(hashed_owner_str, ldns_rdf_data(name), ldns_rdf_size(name));
2970 memcpy(hashed_owner_str + ldns_rdf_size(name), salt, salt_length);
2972 for (cur_it = iterations + 1; cur_it > 0; cur_it--) {
2973 if (hash != NULL) free(hash);
2974 hash = (
char *) hsm_digest(ctx,
2978 hashed_owner_str_len,
2981 LDNS_FREE(hashed_owner_str);
2982 hashed_owner_str_len = salt_length + hash_length;
2983 hashed_owner_str = LDNS_XMALLOC(
char, hashed_owner_str_len);
2984 if (!hashed_owner_str) {
2989 memcpy(hashed_owner_str, hash, hash_length);
2990 memcpy(hashed_owner_str + hash_length, salt, salt_length);
2993 LDNS_FREE(hashed_owner_str);
2994 hashed_owner_str = hash;
2995 hashed_owner_str_len = hash_length;
2996 hashed_owner_b32 = LDNS_XMALLOC(
char,
2997 ldns_b32_ntop_calculate_size(
2998 hashed_owner_str_len) + 1);
2999 LDNS_FREE(orig_owner_str);
3000 hashed_owner_b32_len =
3001 (size_t) ldns_b32_ntop_extended_hex((uint8_t *) hashed_owner_str,
3002 hashed_owner_str_len,
3004 ldns_b32_ntop_calculate_size(
3005 hashed_owner_str_len));
3006 if (hashed_owner_b32_len < 1) {
3007 error_name = ldns_rdf2str(name);
3009 "Error in base32 extended hex encoding " 3010 "of hashed owner name (name: %s, return code: %d)",
3011 error_name, hashed_owner_b32_len);
3012 LDNS_FREE(error_name);
3013 LDNS_FREE(hashed_owner_b32);
3016 hashed_owner_str_len = hashed_owner_b32_len;
3017 hashed_owner_b32[hashed_owner_b32_len] =
'\0';
3019 status = ldns_str2rdf_dname(&hashed_owner, hashed_owner_b32);
3020 if (status != LDNS_STATUS_OK) {
3022 "Error creating rdf from %s", hashed_owner_b32);
3023 LDNS_FREE(hashed_owner_b32);
3028 LDNS_FREE(hashed_owner_b32);
3029 return hashed_owner;
3050 session = hsm_find_key_session(ctx, key);
3051 if (!session)
return NULL;
3053 dnskey = ldns_rr_new();
3054 ldns_rr_set_type(dnskey, LDNS_RR_TYPE_DNSKEY);
3056 ldns_rr_set_owner(dnskey, ldns_rdf_clone(sign_params->
owner));
3058 ldns_rr_push_rdf(dnskey,
3059 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
3060 sign_params->
flags));
3061 ldns_rr_push_rdf(dnskey,
3062 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
3063 LDNS_DNSSEC_KEYPROTO));
3064 ldns_rr_push_rdf(dnskey,
3065 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
3068 rdata = hsm_get_key_rdata(ctx, session, key);
3069 if (rdata == NULL) {
3070 ldns_rr_free(dnskey);
3073 ldns_rr_push_rdf(dnskey, rdata);
3080 unsigned char *buffer,
3081 unsigned long length)
3086 if (!buffer)
return -1;
3110 unsigned char rnd_buf[4];
3113 memcpy(&rnd, rnd_buf, 4);
3125 unsigned char rnd_buf[8];
3128 memcpy(&rnd, rnd_buf, 8);
3141 const char *token_label,
3149 result = hsm_session_init(_hsm_ctx,
3157 result = hsm_ctx_add_session(_hsm_ctx, session);
3170 hsm_session_close(_hsm_ctx, _hsm_ctx->
session[i], 1);
3198 "hsm_token_attached()",
3199 "Can't find repository: %s", repository);
3207 case LDNS_SIGN_RSAMD5:
3208 case LDNS_SIGN_RSASHA1:
3209 case LDNS_SIGN_RSASHA1_NSEC3:
3210 case LDNS_SIGN_RSASHA256:
3211 case LDNS_SIGN_RSASHA512:
3213 case LDNS_SIGN_DSA_NSEC3:
3214 case LDNS_SIGN_ECC_GOST:
3217 #if LDNS_BUILD_CONFIG_USE_ECDSA 3218 case LDNS_SIGN_ECDSAP256SHA256:
3219 case LDNS_SIGN_ECDSAP384SHA384:
3243 if (message == NULL) {
3244 return strdup(
"libhsm memory allocation failed");
3260 printf(
"\t\tmodule at %p (sym %p)\n", (
void *) session->
module, (
void *) session->
module->
sym);
3261 printf(
"\t\tmodule path: %s\n", session->
module->
path);
3262 printf(
"\t\trepository name: %s\n", session->
module->
name);
3264 printf(
"\t\tsess handle: %u\n", (
unsigned int) session->
session);
3270 printf(
"CTX Sessions: %lu\n",
3273 printf(
"\tSession at %p\n", (
void *) ctx->
session[i]);
3285 printf(
"\tprivkey handle: %u\n", (
unsigned int) key->
private_key);
3286 printf(
"\trepository: %s\n", key->
modulename);
3288 printf(
"\tsize: %lu\n", key_info->
keysize);
3289 printf(
"\tid: %s\n", key_info->
id);
3292 printf(
"key: hsm_get_key_info() returned NULL\n");
3295 printf(
"key: <void>\n");
3307 fprintf(stderr,
"%s\n", message);
3310 fprintf(stderr,
"Unknown error\n");
3331 if (result !=
HSM_OK)
return;
3334 if (hsm_pkcs11_check_error(ctx, rv,
"C_GetTokenInfo")) {
3338 printf(
"Repository: %s\n",session->
module->
name);
3340 printf(
"\tModule: %s\n", session->
module->
path);
3341 printf(
"\tSlot: %lu\n", slot_id);
3342 printf(
"\tToken Label: %.*s\n",
3343 (
int)
sizeof(token_info.
label), token_info.
label);
3344 printf(
"\tManufacturer: %.*s\n",
3345 (
int)
sizeof(token_info.manufacturerID), token_info.manufacturerID);
3346 printf(
"\tModel: %.*s\n",
3347 (
int)
sizeof(token_info.
model), token_info.
model);
3348 printf(
"\tSerial: %.*s\n",
3349 (
int)
sizeof(token_info.serialNumber), token_info.serialNumber);
3357 keycache_cmpfunc(
const void* a,
const void* b)
3359 const char* x = (
const char*)a;
3360 const char* y = (
const char*)b;
3361 return strcmp(x, y);
3365 keycache_delfunc(ldns_rbnode_t* node,
void* cargo)
3368 free((
void*)node->key);
3369 free((
void*)node->data);
3375 ctx->
keycache = ldns_rbtree_create(keycache_cmpfunc);
3381 ldns_traverse_postorder(ctx->
keycache, keycache_delfunc, NULL);
3388 ldns_rbnode_t* node;
3390 node = ldns_rbtree_search(ctx->
keycache, locator);
3391 if (node == LDNS_RBTREE_NULL || node == NULL) {
3396 node = malloc(
sizeof(ldns_rbnode_t));
3397 node->key = strdup(locator);
3399 node = ldns_rbtree_insert(ctx->
keycache, node);
3403 if (node == LDNS_RBTREE_NULL)
char * hsm_get_key_id(hsm_ctx_t *ctx, const hsm_key_t *key)
#define CKR_SIGNATURE_INVALID
ldns_rdf * hsm_nsec3_hash_name(hsm_ctx_t *ctx, ldns_rdf *name, uint8_t algorithm, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
#define CKR_SAVED_STATE_INVALID
#define CKR_SESSION_EXISTS
#define CKR_RANDOM_SEED_NOT_SUPPORTED
#define CKR_SESSION_COUNT
int hsm_attach(const char *repository, const char *token_label, const char *path, const char *pin, const hsm_config_t *config)
#define CKR_KEY_SIZE_RANGE
#define CKF_OS_LOCKING_OK
#define CKR_KEY_TYPE_INCONSISTENT
void hsm_key_free(hsm_key_t *key)
void hsm_print_session(hsm_session_t *session)
#define CKF_SERIAL_SESSION
CK_C_GetSlotList C_GetSlotList
#define CKR_SESSION_PARALLEL_NOT_SUPPORTED
#define CKM_GOSTR3410_KEY_PAIR_GEN
#define CKR_STATE_UNSAVEABLE
#define CKR_MUTEX_NOT_LOCKED
char * hsm_get_error(hsm_ctx_t *gctx)
const char * error_action
hsm_key_t * hsm_find_key_by_id(hsm_ctx_t *ctx, const char *id)
int hsm_detach(const char *repository)
#define HSM_MAX_SIGNATURE_LENGTH
hsm_key_info_t * hsm_get_key_info(hsm_ctx_t *ctx, const hsm_key_t *key)
void hsm_sign_params_free(hsm_sign_params_t *params)
#define CKR_SESSION_READ_ONLY
#define CKA_GOSTR3410PARAMS
#define CKR_WRAPPING_KEY_HANDLE_INVALID
#define CKR_USER_NOT_LOGGED_IN
unsigned long private_key
uint32_t hsm_random32(hsm_ctx_t *ctx)
#define CKR_ATTRIBUTE_SENSITIVE
#define CKR_TEMPLATE_INCOMPLETE
void hsm_ctx_set_error(hsm_ctx_t *ctx, int error, const char *action, const char *message,...)
#define CKM_DSA_PARAMETER_GEN
#define CKR_PIN_LEN_RANGE
#define CKR_INFORMATION_SENSITIVE
#define CKR_GENERAL_ERROR
unsigned long int CK_ULONG
void hsm_key_list_free(hsm_key_t **key_list, size_t count)
#define CKA_PUBLIC_EXPONENT
hsm_key_t * hsm_generate_dsa_key(hsm_ctx_t *ctx, const char *repository, unsigned long keysize)
ldns_rr * hsm_get_dnskey(hsm_ctx_t *ctx, const hsm_key_t *key, const hsm_sign_params_t *sign_params)
void keycache_destroy(hsm_ctx_t *ctx)
#define HSM_TOKEN_LABEL_LENGTH
unsigned int allow_extract
void hsm_destroy_context(hsm_ctx_t *ctx)
ck_mechanism_type_t mechanism
#define CKR_PIN_INCORRECT
void hsm_print_tokeninfo(hsm_ctx_t *ctx)
#define CKR_FUNCTION_FAILED
#define CKR_VENDOR_DEFINED
#define CKR_OPERATION_ACTIVE
#define CKR_SLOT_ID_INVALID
#define CKA_GOSTR3411PARAMS
#define CKR_UNWRAPPING_KEY_HANDLE_INVALID
int hsm_open(const char *config, char *(pin_callback)(unsigned int, const char *, unsigned int))
#define CKR_ENCRYPTED_DATA_LEN_RANGE
size_t hsm_count_keys_session(hsm_ctx_t *ctx, const hsm_session_t *session)
hsm_key_t ** hsm_list_keys(hsm_ctx_t *ctx, size_t *count)
#define HSM_MODULE_NOT_FOUND
#define CKR_MECHANISM_INVALID
void hsm_key_info_free(hsm_key_info_t *key_info)
#define CKR_FUNCTION_CANCELED
int hsm_token_attached(hsm_ctx_t *ctx, const char *repository)
#define CKR_WRAPPED_KEY_LEN_RANGE
#define CKR_KEY_HANDLE_INVALID
const hsm_key_t * keycache_lookup(hsm_ctx_t *ctx, const char *locator)
#define HSM_ERROR_MSGSIZE
CK_C_GetTokenInfo C_GetTokenInfo
#define CKR_CRYPTOKI_ALREADY_INITIALIZED
#define CKM_DSA_KEY_PAIR_GEN
#define HSM_REPOSITORY_NOT_FOUND
#define HSM_NO_REPOSITORIES
hsm_sign_params_t * hsm_sign_params_new()
#define CKM_RSA_PKCS_KEY_PAIR_GEN
#define CKR_ATTRIBUTE_VALUE_INVALID
#define CKR_FUNCTION_NOT_PARALLEL
void keycache_create(hsm_ctx_t *ctx)
void hsm_print_key(hsm_ctx_t *ctx, hsm_key_t *key)
#define CKR_SIGNATURE_LEN_RANGE
#define HSM_CONFIG_FILE_ERROR
pthread_mutex_t _hsm_ctx_mutex
#define CKR_CRYPTOKI_NOT_INITIALIZED
#define CKR_ENCRYPTED_DATA_INVALID
#define HSM_PIN_INCORRECT
hsm_key_t * hsm_generate_gost_key(hsm_ctx_t *ctx, const char *repository)
#define CKR_ATTRIBUTE_TYPE_INVALID
#define CKR_UNWRAPPING_KEY_SIZE_RANGE
#define CKR_USER_PIN_NOT_INITIALIZED
char error_message[HSM_ERROR_MSGSIZE]
#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT
#define CKR_TEMPLATE_INCONSISTENT
#define CKR_ATTRIBUTE_READ_ONLY
#define CKR_TOKEN_NOT_RECOGNIZED
#define CKR_WRAPPING_KEY_SIZE_RANGE
#define CKR_TOKEN_WRITE_PROTECTED
#define CKR_OBJECT_HANDLE_INVALID
hsm_session_t * session[HSM_MAX_SESSIONS]
unsigned char CK_UTF8CHAR
int hsm_supported_algorithm(ldns_algorithm algorithm)
uint64_t hsm_random64(hsm_ctx_t *ctx)
#define CKS_RW_USER_FUNCTIONS
#define CKR_OPERATION_NOT_INITIALIZED
#define CKR_BUFFER_TOO_SMALL
int hsm_remove_key(hsm_ctx_t *ctx, hsm_key_t *key)
hsm_ctx_t * hsm_create_context()
int hsm_random_buffer(hsm_ctx_t *ctx, unsigned char *buffer, unsigned long length)
#define CKR_SESSION_CLOSED
#define CKR_DEVICE_MEMORY
hsm_key_t ** hsm_list_keys_repository(hsm_ctx_t *ctx, size_t *count, const char *repository)
struct ck_function_list * CK_FUNCTION_LIST_PTR
void hsm_print_ctx(hsm_ctx_t *ctx)
#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT
#define CKR_FUNCTION_NOT_SUPPORTED
hsm_key_t ** hsm_list_keys_session(hsm_ctx_t *ctx, const hsm_session_t *session, size_t *count)
#define CKR_USER_TYPE_INVALID
#define CKR_DEVICE_REMOVED
hsm_key_t * hsm_generate_rsa_key(hsm_ctx_t *ctx, const char *repository, unsigned long keysize)
#define CKR_TOKEN_NOT_PRESENT
#define CKR_WRAPPED_KEY_INVALID
#define CKR_USER_ALREADY_LOGGED_IN
int hsm_get_slot_id(hsm_ctx_t *ctx, CK_FUNCTION_LIST_PTR pkcs11_functions, const char *token_name, CK_SLOT_ID *slotId)
void hsm_print_error(hsm_ctx_t *gctx)
#define CKR_MECHANISM_PARAM_INVALID
size_t hsm_count_keys(hsm_ctx_t *ctx)
size_t hsm_count_keys_repository(hsm_ctx_t *ctx, const char *repository)
#define CKR_DATA_LEN_RANGE
#define CKR_SESSION_HANDLE_INVALID
ldns_rr * hsm_sign_rrset(hsm_ctx_t *ctx, const ldns_rr_list *rrset, const hsm_key_t *key, const hsm_sign_params_t *sign_params)