summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2010-02-12 09:34:22 +1100
committerDamien Miller <djm@mindrot.org>2010-02-12 09:34:22 +1100
commitd8f60022727f1d57efe7261b856d5e84a4b28cbe (patch)
tree33fa78e6f77a15258305f121378609de0eea2a3a
parentd400da5ba8d7e5822647c472c7dfbfecb55c2152 (diff)
- (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]
[scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java] Remove obsolete smartcard support
Diffstat
-rw-r--r--ChangeLog3
-rw-r--r--INSTALL6
-rw-r--r--Makefile.in13
-rw-r--r--README.smartcard93
-rw-r--r--configure.ac73
-rw-r--r--pkcs11.h1356
-rw-r--r--scard-opensc.c532
-rw-r--r--scard.c571
-rw-r--r--scard.h39
-rw-r--r--scard/Makefile.in29
-rw-r--r--scard/Ssh.bin.uu17
-rw-r--r--scard/Ssh.java164
12 files changed, 1367 insertions, 1529 deletions
diff --git a/ChangeLog b/ChangeLog
index f2bad9360..ce4ef1343 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,9 @@
37 - jmc@cvs.openbsd.org 2010/02/11 13:23:29 37 - jmc@cvs.openbsd.org 2010/02/11 13:23:29
38 [ssh.1] 38 [ssh.1]
39 libarary -> library; 39 libarary -> library;
40 - (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]
41 [scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java]
42 Remove obsolete smartcard support
40 43
4120100210 4420100210
42 - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for 45 - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for
diff --git a/INSTALL b/INSTALL
index 001ebb666..09dfd666d 100644
--- a/INSTALL
+++ b/INSTALL
@@ -208,10 +208,6 @@ are installed.
208--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to 208--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
209real (AF_INET) IPv4 addresses. Works around some quirks on Linux. 209real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
210 210
211--with-opensc=DIR
212--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to
213be used with OpenSSH. See 'README.smartcard' for more details.
214
215If you need to pass special options to the compiler or linker, you 211If you need to pass special options to the compiler or linker, you
216can specify these as environment variables before running ./configure. 212can specify these as environment variables before running ./configure.
217For example: 213For example:
@@ -266,4 +262,4 @@ Please refer to the "reporting bugs" section of the webpage at
266http://www.openssh.com/ 262http://www.openssh.com/
267 263
268 264
269$Id: INSTALL,v 1.84 2007/08/17 12:52:05 dtucker Exp $ 265$Id: INSTALL,v 1.85 2010/02/11 22:34:22 djm Exp $
diff --git a/Makefile.in b/Makefile.in
index 0c45bfca6..1e4f64a64 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.304 2010/02/11 22:21:02 djm Exp $ 1# $Id: Makefile.in,v 1.305 2010/02/11 22:34:22 djm Exp $
2 2
3# uncomment if you run a non bourne compatable shell. Ie. csh 3# uncomment if you run a non bourne compatable shell. Ie. csh
4#SHELL = @SH@ 4#SHELL = @SH@
@@ -72,8 +72,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
72 readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ 72 readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
73 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 73 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
74 monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ 74 monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
75 kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ 75 kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
76 entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o \ 76 entropy.o gss-genr.o umac.o jpake.o schnorr.o \
77 ssh-pkcs11.o 77 ssh-pkcs11.o
78 78
79SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 79SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
@@ -215,7 +215,6 @@ distclean: regressclean
215 rm -f survey.sh openbsd-compat/regress/Makefile *~ 215 rm -f survey.sh openbsd-compat/regress/Makefile *~
216 rm -rf autom4te.cache 216 rm -rf autom4te.cache
217 (cd openbsd-compat && $(MAKE) distclean) 217 (cd openbsd-compat && $(MAKE) distclean)
218 (cd scard && $(MAKE) distclean)
219 if test -d pkg ; then \ 218 if test -d pkg ; then \
220 rm -fr pkg ; \ 219 rm -fr pkg ; \
221 fi 220 fi
@@ -238,7 +237,6 @@ catman-do:
238distprep: catman-do 237distprep: catman-do
239 $(AUTORECONF) 238 $(AUTORECONF)
240 -rm -rf autom4te.cache 239 -rm -rf autom4te.cache
241 (cd scard && $(MAKE) -f Makefile.in distprep)
242 240
243install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config 241install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
244install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf 242install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf
@@ -247,10 +245,7 @@ install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) insta
247check-config: 245check-config:
248 -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config 246 -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
249 247
250scard-install: 248install-files:
251 (cd scard && env DESTDIR=$(DESTDIR) $(MAKE) DESTDIR=$(DESTDIR) install)
252
253install-files: scard-install
254 $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) 249 $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
255 $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir) 250 $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
256 $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir) 251 $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
diff --git a/README.smartcard b/README.smartcard
deleted file mode 100644
index fdf83ecab..000000000
--- a/README.smartcard
+++ /dev/null
@@ -1,93 +0,0 @@
1How to use smartcards with OpenSSH?
2
3OpenSSH contains experimental support for authentication using
4Cyberflex smartcards and TODOS card readers, in addition to the cards
5with PKCS#15 structure supported by OpenSC. To enable this you
6need to:
7
8Using libsectok:
9
10(1) enable sectok support in OpenSSH:
11
12 $ ./configure --with-sectok
13
14(2) If you have used a previous version of ssh with your card, you
15 must remove the old applet and keys.
16
17 $ sectok
18 sectok> login -d
19 sectok> junload Ssh.bin
20 sectok> delete 0012
21 sectok> delete sh
22 sectok> quit
23
24(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
25
26 $ sectok
27 sectok> login -d
28 sectok> jload /usr/libdata/ssh/Ssh.bin
29 sectok> setpass
30 Enter new AUT0 passphrase:
31 Re-enter passphrase:
32 sectok> quit
33
34 Do not forget the passphrase. There is no way to
35 recover if you do.
36
37 IMPORTANT WARNING: If you attempt to login with the
38 wrong passphrase three times in a row, you will
39 destroy your card.
40
41(4) load a RSA key to the card:
42
43 $ ssh-keygen -f /path/to/rsakey -U 1
44 (where 1 is the reader number, you can also try 0)
45
46 In spite of the name, this does not generate a key.
47 It just loads an already existing key on to the card.
48
49(5) Optional: If you don't want to use a card passphrase, change the
50 acl on the private key file:
51
52 $ sectok
53 sectok> login -d
54 sectok> acl 0012 world: w
55 world: w
56 AUT0: w inval
57 sectok> quit
58
59 If you do this, anyone who has access to your card
60 can assume your identity. This is not recommended.
61
62
63Using OpenSC:
64
65(1) install OpenSC:
66
67 Sources and instructions are available from
68 http://www.opensc.org/
69
70(2) enable OpenSC support in OpenSSH:
71
72 $ ./configure --with-opensc[=/path/to/opensc] [options]
73
74(3) load a RSA key to the card:
75
76 Not supported yet.
77
78
79Common operations:
80
81(1) tell the ssh client to use the card reader:
82
83 $ ssh -I 1 otherhost
84
85(2) or tell the agent (don't forget to restart) to use the smartcard:
86
87 $ ssh-add -s 1
88
89
90-markus,
91Tue Jul 17 23:54:51 CEST 2001
92
93$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $
diff --git a/configure.ac b/configure.ac
index 717d315fd..40b58c64f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.441 2010/02/11 22:21:02 djm Exp $ 1# $Id: configure.ac,v 1.442 2010/02/11 22:34:22 djm Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -15,7 +15,7 @@
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) 17AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
18AC_REVISION($Revision: 1.441 $) 18AC_REVISION($Revision: 1.442 $)
19AC_CONFIG_SRCDIR([ssh.c]) 19AC_CONFIG_SRCDIR([ssh.c])
20 20
21AC_CONFIG_HEADER(config.h) 21AC_CONFIG_HEADER(config.h)
@@ -3263,73 +3263,6 @@ if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
3263 AC_DEFINE(HAVE_SYS_NERR, 1, [Define if your system defines sys_nerr]) 3263 AC_DEFINE(HAVE_SYS_NERR, 1, [Define if your system defines sys_nerr])
3264fi 3264fi
3265 3265
3266SCARD_MSG="no"
3267# Check whether user wants sectok support
3268AC_ARG_WITH(sectok,
3269 [ --with-sectok Enable smartcard support using libsectok],
3270 [
3271 if test "x$withval" != "xno" ; then
3272 if test "x$withval" != "xyes" ; then
3273 CPPFLAGS="$CPPFLAGS -I${withval}"
3274 LDFLAGS="$LDFLAGS -L${withval}"
3275 if test ! -z "$need_dash_r" ; then
3276 LDFLAGS="$LDFLAGS -R${withval}"
3277 fi
3278 if test ! -z "$blibpath" ; then
3279 blibpath="$blibpath:${withval}"
3280 fi
3281 fi
3282 AC_CHECK_HEADERS(sectok.h)
3283 if test "$ac_cv_header_sectok_h" != yes; then
3284 AC_MSG_ERROR(Can't find sectok.h)
3285 fi
3286 AC_CHECK_LIB(sectok, sectok_open)
3287 if test "$ac_cv_lib_sectok_sectok_open" != yes; then
3288 AC_MSG_ERROR(Can't find libsectok)
3289 fi
3290 AC_DEFINE(SMARTCARD, 1,
3291 [Define if you want smartcard support])
3292 AC_DEFINE(USE_SECTOK, 1,
3293 [Define if you want smartcard support
3294 using sectok])
3295 SCARD_MSG="yes, using sectok"
3296 fi
3297 ]
3298)
3299
3300# Check whether user wants OpenSC support
3301OPENSC_CONFIG="no"
3302AC_ARG_WITH(opensc,
3303 [ --with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)],
3304 [
3305 if test "x$withval" != "xno" ; then
3306 AC_PATH_PROG(PKGCONFIG, pkg-config, no)
3307 AC_MSG_CHECKING(how to get opensc config)
3308 if test "x$withval" != "xyes" -a "x$PKGCONFIG" = "xno"; then
3309 OPENSC_CONFIG="$withval/bin/opensc-config"
3310 elif test -f "$withval/src/libopensc/libopensc.pc"; then
3311 OPENSC_CONFIG="$PKGCONFIG $withval/src/libopensc/libopensc.pc"
3312 elif test "x$PKGCONFIG" != "xno"; then
3313 OPENSC_CONFIG="$PKGCONFIG libopensc"
3314 else
3315 AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
3316 fi
3317 AC_MSG_RESULT($OPENSC_CONFIG)
3318 if test "$OPENSC_CONFIG" != "no"; then
3319 LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
3320 LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
3321 CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
3322 LIBS="$LIBS $LIBOPENSC_LIBS"
3323 AC_DEFINE(SMARTCARD)
3324 AC_DEFINE(USE_OPENSC, 1,
3325 [Define if you want smartcard support
3326 using OpenSC])
3327 SCARD_MSG="yes, using OpenSC"
3328 fi
3329 fi
3330 ]
3331)
3332
3333# Check libraries needed by DNS fingerprint support 3266# Check libraries needed by DNS fingerprint support
3334AC_SEARCH_LIBS(getrrsetbyname, resolv, 3267AC_SEARCH_LIBS(getrrsetbyname, resolv,
3335 [AC_DEFINE(HAVE_GETRRSETBYNAME, 1, 3268 [AC_DEFINE(HAVE_GETRRSETBYNAME, 1,
@@ -4204,7 +4137,7 @@ fi
4204AC_EXEEXT 4137AC_EXEEXT
4205AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ 4138AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
4206 openbsd-compat/Makefile openbsd-compat/regress/Makefile \ 4139 openbsd-compat/Makefile openbsd-compat/regress/Makefile \
4207 scard/Makefile ssh_prng_cmds survey.sh]) 4140 ssh_prng_cmds survey.sh])
4208AC_OUTPUT 4141AC_OUTPUT
4209 4142
4210# Print summary of options 4143# Print summary of options
diff --git a/pkcs11.h b/pkcs11.h
new file mode 100644
index 000000000..223f20ff3
--- /dev/null
+++ b/pkcs11.h
@@ -0,0 +1,1356 @@
1/* pkcs11.h
2 Copyright 2006, 2007 g10 Code GmbH
3 Copyright 2006 Andreas Jellinghaus
4
5 This file is free software; as a special exception the author gives
6 unlimited permission to copy and/or distribute it, with or without
7 modifications, as long as this notice is preserved.
8
9 This file is distributed in the hope that it will be useful, but
10 WITHOUT ANY WARRANTY, to the extent permitted by law; without even
11 the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
12 PURPOSE. */
13
14/* Please submit changes back to the Scute project at
15 http://www.scute.org/ (or send them to marcus@g10code.com), so that
16 they can be picked up by other projects from there as well. */
17
18/* This file is a modified implementation of the PKCS #11 standard by
19 RSA Security Inc. It is mostly a drop-in replacement, with the
20 following change:
21
22 This header file does not require any macro definitions by the user
23 (like CK_DEFINE_FUNCTION etc). In fact, it defines those macros
24 for you (if useful, some are missing, let me know if you need
25 more).
26
27 There is an additional API available that does comply better to the
28 GNU coding standard. It can be switched on by defining
29 CRYPTOKI_GNU before including this header file. For this, the
30 following changes are made to the specification:
31
32 All structure types are changed to a "struct ck_foo" where CK_FOO
33 is the type name in PKCS #11.
34
35 All non-structure types are changed to ck_foo_t where CK_FOO is the
36 lowercase version of the type name in PKCS #11. The basic types
37 (CK_ULONG et al.) are removed without substitute.
38
39 All members of structures are modified in the following way: Type
40 indication prefixes are removed, and underscore characters are
41 inserted before words. Then the result is lowercased.
42
43 Note that function names are still in the original case, as they
44 need for ABI compatibility.
45
46 CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute. Use
47 <stdbool.h>.
48
49 If CRYPTOKI_COMPAT is defined before including this header file,
50 then none of the API changes above take place, and the API is the
51 one defined by the PKCS #11 standard. */
52
53#ifndef PKCS11_H
54#define PKCS11_H 1
55
56#if defined(__cplusplus)
57extern "C" {
58#endif
59
60
61/* The version of cryptoki we implement. The revision is changed with
62 each modification of this file. If you do not use the "official"
63 version of this file, please consider deleting the revision macro
64 (you may use a macro with a different name to keep track of your
65 versions). */
66#define CRYPTOKI_VERSION_MAJOR 2
67#define CRYPTOKI_VERSION_MINOR 20
68#define CRYPTOKI_VERSION_REVISION 6
69
70
71/* Compatibility interface is default, unless CRYPTOKI_GNU is
72 given. */
73#ifndef CRYPTOKI_GNU
74#ifndef CRYPTOKI_COMPAT
75#define CRYPTOKI_COMPAT 1
76#endif
77#endif
78
79/* System dependencies. */
80
81#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
82
83/* There is a matching pop below. */
84#pragma pack(push, cryptoki, 1)
85
86#ifdef CRYPTOKI_EXPORTS
87#define CK_SPEC __declspec(dllexport)
88#else
89#define CK_SPEC __declspec(dllimport)
90#endif
91
92#else
93
94#define CK_SPEC
95
96#endif
97
98
99#ifdef CRYPTOKI_COMPAT
100 /* If we are in compatibility mode, switch all exposed names to the
101 PKCS #11 variant. There are corresponding #undefs below. */
102
103#define ck_flags_t CK_FLAGS
104#define ck_version _CK_VERSION
105
106#define ck_info _CK_INFO
107#define cryptoki_version cryptokiVersion
108#define manufacturer_id manufacturerID
109#define library_description libraryDescription
110#define library_version libraryVersion
111
112#define ck_notification_t CK_NOTIFICATION
113#define ck_slot_id_t CK_SLOT_ID
114
115#define ck_slot_info _CK_SLOT_INFO
116#define slot_description slotDescription
117#define hardware_version hardwareVersion
118#define firmware_version firmwareVersion
119
120#define ck_token_info _CK_TOKEN_INFO
121#define serial_number serialNumber
122#define max_session_count ulMaxSessionCount
123#define session_count ulSessionCount
124#define max_rw_session_count ulMaxRwSessionCount
125#define rw_session_count ulRwSessionCount
126#define max_pin_len ulMaxPinLen
127#define min_pin_len ulMinPinLen
128#define total_public_memory ulTotalPublicMemory
129#define free_public_memory ulFreePublicMemory
130#define total_private_memory ulTotalPrivateMemory
131#define free_private_memory ulFreePrivateMemory
132#define utc_time utcTime
133
134#define ck_session_handle_t CK_SESSION_HANDLE
135#define ck_user_type_t CK_USER_TYPE
136#define ck_state_t CK_STATE
137
138#define ck_session_info _CK_SESSION_INFO
139#define slot_id slotID
140#define device_error ulDeviceError
141
142#define ck_object_handle_t CK_OBJECT_HANDLE
143#define ck_object_class_t CK_OBJECT_CLASS
144#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
145#define ck_key_type_t CK_KEY_TYPE
146#define ck_certificate_type_t CK_CERTIFICATE_TYPE
147#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
148
149#define ck_attribute _CK_ATTRIBUTE
150#define value pValue
151#define value_len ulValueLen
152
153#define ck_date _CK_DATE
154
155#define ck_mechanism_type_t CK_MECHANISM_TYPE
156
157#define ck_mechanism _CK_MECHANISM
158#define parameter pParameter
159#define parameter_len ulParameterLen
160
161#define ck_mechanism_info _CK_MECHANISM_INFO
162#define min_key_size ulMinKeySize
163#define max_key_size ulMaxKeySize
164
165#define ck_rv_t CK_RV
166#define ck_notify_t CK_NOTIFY
167
168#define ck_function_list _CK_FUNCTION_LIST
169
170#define ck_createmutex_t CK_CREATEMUTEX
171#define ck_destroymutex_t CK_DESTROYMUTEX
172#define ck_lockmutex_t CK_LOCKMUTEX
173#define ck_unlockmutex_t CK_UNLOCKMUTEX
174
175#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
176#define create_mutex CreateMutex
177#define destroy_mutex DestroyMutex
178#define lock_mutex LockMutex
179#define unlock_mutex UnlockMutex
180#define reserved pReserved
181
182#endif /* CRYPTOKI_COMPAT */
183
184
185
186typedef unsigned long ck_flags_t;
187
188struct ck_version
189{
190 unsigned char major;
191 unsigned char minor;
192};
193
194
195struct ck_info
196{
197 struct ck_version cryptoki_version;
198 unsigned char manufacturer_id[32];
199 ck_flags_t flags;
200 unsigned char library_description[32];
201 struct ck_version library_version;
202};
203
204
205typedef unsigned long ck_notification_t;
206
207#define CKN_SURRENDER (0)
208
209
210typedef unsigned long ck_slot_id_t;
211
212
213struct ck_slot_info
214{
215 unsigned char slot_description[64];
216 unsigned char manufacturer_id[32];
217 ck_flags_t flags;
218 struct ck_version hardware_version;
219 struct ck_version firmware_version;
220};
221
222
223#define CKF_TOKEN_PRESENT (1 << 0)
224#define CKF_REMOVABLE_DEVICE (1 << 1)
225#define CKF_HW_SLOT (1 << 2)
226#define CKF_ARRAY_ATTRIBUTE (1 << 30)
227
228
229struct ck_token_info
230{
231 unsigned char label[32];
232 unsigned char manufacturer_id[32];
233 unsigned char model[16];
234 unsigned char serial_number[16];
235 ck_flags_t flags;
236 unsigned long max_session_count;
237 unsigned long session_count;
238 unsigned long max_rw_session_count;
239 unsigned long rw_session_count;
240 unsigned long max_pin_len;
241 unsigned long min_pin_len;
242 unsigned long total_public_memory;
243 unsigned long free_public_memory;
244 unsigned long total_private_memory;
245 unsigned long free_private_memory;
246 struct ck_version hardware_version;
247 struct ck_version firmware_version;
248 unsigned char utc_time[16];
249};
250
251
252#define CKF_RNG (1 << 0)
253#define CKF_WRITE_PROTECTED (1 << 1)
254#define CKF_LOGIN_REQUIRED (1 << 2)
255#define CKF_USER_PIN_INITIALIZED (1 << 3)
256#define CKF_RESTORE_KEY_NOT_NEEDED (1 << 5)
257#define CKF_CLOCK_ON_TOKEN (1 << 6)
258#define CKF_PROTECTED_AUTHENTICATION_PATH (1 << 8)
259#define CKF_DUAL_CRYPTO_OPERATIONS (1 << 9)
260#define CKF_TOKEN_INITIALIZED (1 << 10)
261#define CKF_SECONDARY_AUTHENTICATION (1 << 11)
262#define CKF_USER_PIN_COUNT_LOW (1 << 16)
263#define CKF_USER_PIN_FINAL_TRY (1 << 17)
264#define CKF_USER_PIN_LOCKED (1 << 18)
265#define CKF_USER_PIN_TO_BE_CHANGED (1 << 19)
266#define CKF_SO_PIN_COUNT_LOW (1 << 20)
267#define CKF_SO_PIN_FINAL_TRY (1 << 21)
268#define CKF_SO_PIN_LOCKED (1 << 22)
269#define CKF_SO_PIN_TO_BE_CHANGED (1 << 23)
270
271#define CK_UNAVAILABLE_INFORMATION ((unsigned long) -1)
272#define CK_EFFECTIVELY_INFINITE (0)
273
274
275typedef unsigned long ck_session_handle_t;
276
277#define CK_INVALID_HANDLE (0)
278
279
280typedef unsigned long ck_user_type_t;
281
282#define CKU_SO (0)
283#define CKU_USER (1)
284#define CKU_CONTEXT_SPECIFIC (2)
285
286
287typedef unsigned long ck_state_t;
288
289#define CKS_RO_PUBLIC_SESSION (0)
290#define CKS_RO_USER_FUNCTIONS (1)
291#define CKS_RW_PUBLIC_SESSION (2)
292#define CKS_RW_USER_FUNCTIONS (3)
293#define CKS_RW_SO_FUNCTIONS (4)
294
295
296struct ck_session_info
297{
298 ck_slot_id_t slot_id;
299 ck_state_t state;
300 ck_flags_t flags;
301 unsigned long device_error;
302};
303
304#define CKF_RW_SESSION (1 << 1)
305#define CKF_SERIAL_SESSION (1 << 2)
306
307
308typedef unsigned long ck_object_handle_t;
309
310
311typedef unsigned long ck_object_class_t;
312
313#define CKO_DATA (0)
314#define CKO_CERTIFICATE (1)
315#define CKO_PUBLIC_KEY (2)
316#define CKO_PRIVATE_KEY (3)
317#define CKO_SECRET_KEY (4)
318#define CKO_HW_FEATURE (5)
319#define CKO_DOMAIN_PARAMETERS (6)
320#define CKO_MECHANISM (7)
321#define CKO_VENDOR_DEFINED ((unsigned long) (1 << 31))
322
323
324typedef unsigned long ck_hw_feature_type_t;
325
326#define CKH_MONOTONIC_COUNTER (1)
327#define CKH_CLOCK (2)
328#define CKH_USER_INTERFACE (3)
329#define CKH_VENDOR_DEFINED ((unsigned long) (1 << 31))
330
331
332typedef unsigned long ck_key_type_t;
333
334#define CKK_RSA (0)
335#define CKK_DSA (1)
336#define CKK_DH (2)
337#define CKK_ECDSA (3)
338#define CKK_EC (3)
339#define CKK_X9_42_DH (4)
340#define CKK_KEA (5)
341#define CKK_GENERIC_SECRET (0x10)
342#define CKK_RC2 (0x11)
343#define CKK_RC4 (0x12)
344#define CKK_DES (0x13)
345#define CKK_DES2 (0x14)
346#define CKK_DES3 (0x15)
347#define CKK_CAST (0x16)
348#define CKK_CAST3 (0x17)
349#define CKK_CAST128 (0x18)
350#define CKK_RC5 (0x19)
351#define CKK_IDEA (0x1a)
352#define CKK_SKIPJACK (0x1b)
353#define CKK_BATON (0x1c)
354#define CKK_JUNIPER (0x1d)
355#define CKK_CDMF (0x1e)
356#define CKK_AES (0x1f)
357#define CKK_BLOWFISH (0x20)
358#define CKK_TWOFISH (0x21)
359#define CKK_VENDOR_DEFINED ((unsigned long) (1 << 31))
360
361typedef unsigned long ck_certificate_type_t;
362
363#define CKC_X_509 (0)
364#define CKC_X_509_ATTR_CERT (1)
365#define CKC_WTLS (2)
366#define CKC_VENDOR_DEFINED ((unsigned long) (1 << 31))
367
368
369typedef unsigned long ck_attribute_type_t;
370
371#define CKA_CLASS (0)
372#define CKA_TOKEN (1)
373#define CKA_PRIVATE (2)
374#define CKA_LABEL (3)
375#define CKA_APPLICATION (0x10)
376#define CKA_VALUE (0x11)
377#define CKA_OBJECT_ID (0x12)
378#define CKA_CERTIFICATE_TYPE (0x80)
379#define CKA_ISSUER (0x81)
380#define CKA_SERIAL_NUMBER (0x82)
381#define CKA_AC_ISSUER (0x83)
382#define CKA_OWNER (0x84)
383#define CKA_ATTR_TYPES (0x85)
384#define CKA_TRUSTED (0x86)
385#define CKA_CERTIFICATE_CATEGORY (0x87)
386#define CKA_JAVA_MIDP_SECURITY_DOMAIN (0x88)
387#define CKA_URL (0x89)
388#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8a)
389#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8b)
390#define CKA_CHECK_VALUE (0x90)
391#define CKA_KEY_TYPE (0x100)
392#define CKA_SUBJECT (0x101)
393#define CKA_ID (0x102)
394#define CKA_SENSITIVE (0x103)
395#define CKA_ENCRYPT (0x104)
396#define CKA_DECRYPT (0x105)
397#define CKA_WRAP (0x106)
398#define CKA_UNWRAP (0x107)
399#define CKA_SIGN (0x108)
400#define CKA_SIGN_RECOVER (0x109)
401#define CKA_VERIFY (0x10a)
402#define CKA_VERIFY_RECOVER (0x10b)
403#define CKA_DERIVE (0x10c)
404#define CKA_START_DATE (0x110)
405#define CKA_END_DATE (0x111)
406#define CKA_MODULUS (0x120)
407#define CKA_MODULUS_BITS (0x121)
408#define CKA_PUBLIC_EXPONENT (0x122)
409#define CKA_PRIVATE_EXPONENT (0x123)
410#define CKA_PRIME_1 (0x124)
411#define CKA_PRIME_2 (0x125)
412#define CKA_EXPONENT_1 (0x126)
413#define CKA_EXPONENT_2 (0x127)
414#define CKA_COEFFICIENT (0x128)
415#define CKA_PRIME (0x130)
416#define CKA_SUBPRIME (0x131)
417#define CKA_BASE (0x132)
418#define CKA_PRIME_BITS (0x133)
419#define CKA_SUB_PRIME_BITS (0x134)
420#define CKA_VALUE_BITS (0x160)
421#define CKA_VALUE_LEN (0x161)
422#define CKA_EXTRACTABLE (0x162)
423#define CKA_LOCAL (0x163)
424#define CKA_NEVER_EXTRACTABLE (0x164)
425#define CKA_ALWAYS_SENSITIVE (0x165)
426#define CKA_KEY_GEN_MECHANISM (0x166)
427#define CKA_MODIFIABLE (0x170)
428#define CKA_ECDSA_PARAMS (0x180)
429#define CKA_EC_PARAMS (0x180)
430#define CKA_EC_POINT (0x181)
431#define CKA_SECONDARY_AUTH (0x200)
432#define CKA_AUTH_PIN_FLAGS (0x201)
433#define CKA_ALWAYS_AUTHENTICATE (0x202)
434#define CKA_WRAP_WITH_TRUSTED (0x210)
435#define CKA_HW_FEATURE_TYPE (0x300)
436#define CKA_RESET_ON_INIT (0x301)
437#define CKA_HAS_RESET (0x302)
438#define CKA_PIXEL_X (0x400)
439#define CKA_PIXEL_Y (0x401)
440#define CKA_RESOLUTION (0x402)
441#define CKA_CHAR_ROWS (0x403)
442#define CKA_CHAR_COLUMNS (0x404)
443#define CKA_COLOR (0x405)
444#define CKA_BITS_PER_PIXEL (0x406)
445#define CKA_CHAR_SETS (0x480)
446#define CKA_ENCODING_METHODS (0x481)
447#define CKA_MIME_TYPES (0x482)
448#define CKA_MECHANISM_TYPE (0x500)
449#define CKA_REQUIRED_CMS_ATTRIBUTES (0x501)
450#define CKA_DEFAULT_CMS_ATTRIBUTES (0x502)
451#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503)
452#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211)
453#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212)
454#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600)
455#define CKA_VENDOR_DEFINED ((unsigned long) (1 << 31))
456
457
458struct ck_attribute
459{
460 ck_attribute_type_t type;
461 void *value;
462 unsigned long value_len;
463};
464
465
466struct ck_date
467{
468 unsigned char year[4];
469 unsigned char month[2];
470 unsigned char day[2];
471};
472
473
474typedef unsigned long ck_mechanism_type_t;
475
476#define CKM_RSA_PKCS_KEY_PAIR_GEN (0)
477#define CKM_RSA_PKCS (1)
478#define CKM_RSA_9796 (2)
479#define CKM_RSA_X_509 (3)
480#define CKM_MD2_RSA_PKCS (4)
481#define CKM_MD5_RSA_PKCS (5)
482#define CKM_SHA1_RSA_PKCS (6)
483#define CKM_RIPEMD128_RSA_PKCS (7)
484#define CKM_RIPEMD160_RSA_PKCS (8)
485#define CKM_RSA_PKCS_OAEP (9)
486#define CKM_RSA_X9_31_KEY_PAIR_GEN (0xa)
487#define CKM_RSA_X9_31 (0xb)
488#define CKM_SHA1_RSA_X9_31 (0xc)
489#define CKM_RSA_PKCS_PSS (0xd)
490#define CKM_SHA1_RSA_PKCS_PSS (0xe)
491#define CKM_DSA_KEY_PAIR_GEN (0x10)
492#define CKM_DSA (0x11)
493#define CKM_DSA_SHA1 (0x12)
494#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20)
495#define CKM_DH_PKCS_DERIVE (0x21)
496#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30)
497#define CKM_X9_42_DH_DERIVE (0x31)
498#define CKM_X9_42_DH_HYBRID_DERIVE (0x32)
499#define CKM_X9_42_MQV_DERIVE (0x33)
500#define CKM_SHA256_RSA_PKCS (0x40)
501#define CKM_SHA384_RSA_PKCS (0x41)
502#define CKM_SHA512_RSA_PKCS (0x42)
503#define CKM_SHA256_RSA_PKCS_PSS (0x43)
504#define CKM_SHA384_RSA_PKCS_PSS (0x44)
505#define CKM_SHA512_RSA_PKCS_PSS (0x45)
506#define CKM_RC2_KEY_GEN (0x100)
507#define CKM_RC2_ECB (0x101)
508#define CKM_RC2_CBC (0x102)
509#define CKM_RC2_MAC (0x103)
510#define CKM_RC2_MAC_GENERAL (0x104)
511#define CKM_RC2_CBC_PAD (0x105)
512#define CKM_RC4_KEY_GEN (0x110)
513#define CKM_RC4 (0x111)
514#define CKM_DES_KEY_GEN (0x120)
515#define CKM_DES_ECB (0x121)
516#define CKM_DES_CBC (0x122)
517#define CKM_DES_MAC (0x123)
518#define CKM_DES_MAC_GENERAL (0x124)
519#define CKM_DES_CBC_PAD (0x125)
520#define CKM_DES2_KEY_GEN (0x130)
521#define CKM_DES3_KEY_GEN (0x131)
522#define CKM_DES3_ECB (0x132)
523#define CKM_DES3_CBC (0x133)
524#define CKM_DES3_MAC (0x134)
525#define CKM_DES3_MAC_GENERAL (0x135)
526#define CKM_DES3_CBC_PAD (0x136)
527#define CKM_CDMF_KEY_GEN (0x140)
528#define CKM_CDMF_ECB (0x141)
529#define CKM_CDMF_CBC (0x142)
530#define CKM_CDMF_MAC (0x143)
531#define CKM_CDMF_MAC_GENERAL (0x144)
532#define CKM_CDMF_CBC_PAD (0x145)
533#define CKM_MD2 (0x200)
534#define CKM_MD2_HMAC (0x201)
535#define CKM_MD2_HMAC_GENERAL (0x202)
536#define CKM_MD5 (0x210)
537#define CKM_MD5_HMAC (0x211)
538#define CKM_MD5_HMAC_GENERAL (0x212)
539#define CKM_SHA_1 (0x220)
540#define CKM_SHA_1_HMAC (0x221)
541#define CKM_SHA_1_HMAC_GENERAL (0x222)
542#define CKM_RIPEMD128 (0x230)
543#define CKM_RIPEMD128_HMAC (0x231)
544#define CKM_RIPEMD128_HMAC_GENERAL (0x232)
545#define CKM_RIPEMD160 (0x240)
546#define CKM_RIPEMD160_HMAC (0x241)
547#define CKM_RIPEMD160_HMAC_GENERAL (0x242)
548#define CKM_SHA256 (0x250)
549#define CKM_SHA256_HMAC (0x251)
550#define CKM_SHA256_HMAC_GENERAL (0x252)
551#define CKM_SHA384 (0x260)
552#define CKM_SHA384_HMAC (0x261)
553#define CKM_SHA384_HMAC_GENERAL (0x262)
554#define CKM_SHA512 (0x270)
555#define CKM_SHA512_HMAC (0x271)
556#define CKM_SHA512_HMAC_GENERAL (0x272)
557#define CKM_CAST_KEY_GEN (0x300)
558#define CKM_CAST_ECB (0x301)
559#define CKM_CAST_CBC (0x302)
560#define CKM_CAST_MAC (0x303)
561#define CKM_CAST_MAC_GENERAL (0x304)
562#define CKM_CAST_CBC_PAD (0x305)
563#define CKM_CAST3_KEY_GEN (0x310)
564#define CKM_CAST3_ECB (0x311)
565#define CKM_CAST3_CBC (0x312)
566#define CKM_CAST3_MAC (0x313)
567#define CKM_CAST3_MAC_GENERAL (0x314)
568#define CKM_CAST3_CBC_PAD (0x315)
569#define CKM_CAST5_KEY_GEN (0x320)
570#define CKM_CAST128_KEY_GEN (0x320)
571#define CKM_CAST5_ECB (0x321)
572#define CKM_CAST128_ECB (0x321)
573#define CKM_CAST5_CBC (0x322)
574#define CKM_CAST128_CBC (0x322)
575#define CKM_CAST5_MAC (0x323)
576#define CKM_CAST128_MAC (0x323)
577#define CKM_CAST5_MAC_GENERAL (0x324)
578#define CKM_CAST128_MAC_GENERAL (0x324)
579#define CKM_CAST5_CBC_PAD (0x325)
580#define CKM_CAST128_CBC_PAD (0x325)
581#define CKM_RC5_KEY_GEN (0x330)
582#define CKM_RC5_ECB (0x331)
583#define CKM_RC5_CBC (0x332)
584#define CKM_RC5_MAC (0x333)
585#define CKM_RC5_MAC_GENERAL (0x334)
586#define CKM_RC5_CBC_PAD (0x335)
587#define CKM_IDEA_KEY_GEN (0x340)
588#define CKM_IDEA_ECB (0x341)
589#define CKM_IDEA_CBC (0x342)
590#define CKM_IDEA_MAC (0x343)
591#define CKM_IDEA_MAC_GENERAL (0x344)
592#define CKM_IDEA_CBC_PAD (0x345)
593#define CKM_GENERIC_SECRET_KEY_GEN (0x350)
594#define CKM_CONCATENATE_BASE_AND_KEY (0x360)
595#define CKM_CONCATENATE_BASE_AND_DATA (0x362)
596#define CKM_CONCATENATE_DATA_AND_BASE (0x363)
597#define CKM_XOR_BASE_AND_DATA (0x364)
598#define CKM_EXTRACT_KEY_FROM_KEY (0x365)
599#define CKM_SSL3_PRE_MASTER_KEY_GEN (0x370)
600#define CKM_SSL3_MASTER_KEY_DERIVE (0x371)
601#define CKM_SSL3_KEY_AND_MAC_DERIVE (0x372)
602#define CKM_SSL3_MASTER_KEY_DERIVE_DH (0x373)
603#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374)
604#define CKM_TLS_MASTER_KEY_DERIVE (0x375)
605#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376)
606#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377)
607#define CKM_SSL3_MD5_MAC (0x380)
608#define CKM_SSL3_SHA1_MAC (0x381)
609#define CKM_MD5_KEY_DERIVATION (0x390)
610#define CKM_MD2_KEY_DERIVATION (0x391)
611#define CKM_SHA1_KEY_DERIVATION (0x392)
612#define CKM_PBE_MD2_DES_CBC (0x3a0)
613#define CKM_PBE_MD5_DES_CBC (0x3a1)
614#define CKM_PBE_MD5_CAST_CBC (0x3a2)
615#define CKM_PBE_MD5_CAST3_CBC (0x3a3)
616#define CKM_PBE_MD5_CAST5_CBC (0x3a4)
617#define CKM_PBE_MD5_CAST128_CBC (0x3a4)
618#define CKM_PBE_SHA1_CAST5_CBC (0x3a5)
619#define CKM_PBE_SHA1_CAST128_CBC (0x3a5)
620#define CKM_PBE_SHA1_RC4_128 (0x3a6)
621#define CKM_PBE_SHA1_RC4_40 (0x3a7)
622#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8)
623#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9)
624#define CKM_PBE_SHA1_RC2_128_CBC (0x3aa)
625#define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)
626#define CKM_PKCS5_PBKD2 (0x3b0)
627#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0)
628#define CKM_KEY_WRAP_LYNKS (0x400)
629#define CKM_KEY_WRAP_SET_OAEP (0x401)
630#define CKM_SKIPJACK_KEY_GEN (0x1000)
631#define CKM_SKIPJACK_ECB64 (0x1001)
632#define CKM_SKIPJACK_CBC64 (0x1002)
633#define CKM_SKIPJACK_OFB64 (0x1003)
634#define CKM_SKIPJACK_CFB64 (0x1004)
635#define CKM_SKIPJACK_CFB32 (0x1005)
636#define CKM_SKIPJACK_CFB16 (0x1006)
637#define CKM_SKIPJACK_CFB8 (0x1007)
638#define CKM_SKIPJACK_WRAP (0x1008)
639#define CKM_SKIPJACK_PRIVATE_WRAP (0x1009)
640#define CKM_SKIPJACK_RELAYX (0x100a)
641#define CKM_KEA_KEY_PAIR_GEN (0x1010)
642#define CKM_KEA_KEY_DERIVE (0x1011)
643#define CKM_FORTEZZA_TIMESTAMP (0x1020)
644#define CKM_BATON_KEY_GEN (0x1030)
645#define CKM_BATON_ECB128 (0x1031)
646#define CKM_BATON_ECB96 (0x1032)
647#define CKM_BATON_CBC128 (0x1033)
648#define CKM_BATON_COUNTER (0x1034)
649#define CKM_BATON_SHUFFLE (0x1035)
650#define CKM_BATON_WRAP (0x1036)
651#define CKM_ECDSA_KEY_PAIR_GEN (0x1040)
652#define CKM_EC_KEY_PAIR_GEN (0x1040)
653#define CKM_ECDSA (0x1041)
654#define CKM_ECDSA_SHA1 (0x1042)
655#define CKM_ECDH1_DERIVE (0x1050)
656#define CKM_ECDH1_COFACTOR_DERIVE (0x1051)
657#define CKM_ECMQV_DERIVE (0x1052)
658#define CKM_JUNIPER_KEY_GEN (0x1060)
659#define CKM_JUNIPER_ECB128 (0x1061)
660#define CKM_JUNIPER_CBC128 (0x1062)
661#define CKM_JUNIPER_COUNTER (0x1063)
662#define CKM_JUNIPER_SHUFFLE (0x1064)
663#define CKM_JUNIPER_WRAP (0x1065)
664#define CKM_FASTHASH (0x1070)
665#define CKM_AES_KEY_GEN (0x1080)
666#define CKM_AES_ECB (0x1081)
667#define CKM_AES_CBC (0x1082)
668#define CKM_AES_MAC (0x1083)
669#define CKM_AES_MAC_GENERAL (0x1084)
670#define CKM_AES_CBC_PAD (0x1085)
671#define CKM_DSA_PARAMETER_GEN (0x2000)
672#define CKM_DH_PKCS_PARAMETER_GEN (0x2001)
673#define CKM_X9_42_DH_PARAMETER_GEN (0x2002)
674#define CKM_VENDOR_DEFINED ((unsigned long) (1 << 31))
675
676
677struct ck_mechanism
678{
679 ck_mechanism_type_t mechanism;
680 void *parameter;
681 unsigned long parameter_len;
682};
683
684
685struct ck_mechanism_info
686{
687 unsigned long min_key_size;
688 unsigned long max_key_size;
689 ck_flags_t flags;
690};
691
692#define CKF_HW (1 << 0)
693#define CKF_ENCRYPT (1 << 8)
694#define CKF_DECRYPT (1 << 9)
695#define CKF_DIGEST (1 << 10)
696#define CKF_SIGN (1 << 11)
697#define CKF_SIGN_RECOVER (1 << 12)
698#define CKF_VERIFY (1 << 13)
699#define CKF_VERIFY_RECOVER (1 << 14)
700#define CKF_GENERATE (1 << 15)
701#define CKF_GENERATE_KEY_PAIR (1 << 16)
702#define CKF_WRAP (1 << 17)
703#define CKF_UNWRAP (1 << 18)
704#define CKF_DERIVE (1 << 19)
705#define CKF_EXTENSION ((unsigned long) (1 << 31))
706
707
708/* Flags for C_WaitForSlotEvent. */
709#define CKF_DONT_BLOCK (1)
710
711
712typedef unsigned long ck_rv_t;
713
714
715typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session,
716 ck_notification_t event, void *application);
717
718/* Forward reference. */
719struct ck_function_list;
720
721#define _CK_DECLARE_FUNCTION(name, args) \
722typedef ck_rv_t (*CK_ ## name) args; \
723ck_rv_t CK_SPEC name args
724
725_CK_DECLARE_FUNCTION (C_Initialize, (void *init_args));
726_CK_DECLARE_FUNCTION (C_Finalize, (void *reserved));
727_CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info *info));
728_CK_DECLARE_FUNCTION (C_GetFunctionList,
729 (struct ck_function_list **function_list));
730
731_CK_DECLARE_FUNCTION (C_GetSlotList,
732 (unsigned char token_present, ck_slot_id_t *slot_list,
733 unsigned long *count));
734_CK_DECLARE_FUNCTION (C_GetSlotInfo,
735 (ck_slot_id_t slot_id, struct ck_slot_info *info));
736_CK_DECLARE_FUNCTION (C_GetTokenInfo,
737 (ck_slot_id_t slot_id, struct ck_token_info *info));
738_CK_DECLARE_FUNCTION (C_WaitForSlotEvent,
739 (ck_flags_t flags, ck_slot_id_t *slot, void *reserved));
740_CK_DECLARE_FUNCTION (C_GetMechanismList,
741 (ck_slot_id_t slot_id,
742 ck_mechanism_type_t *mechanism_list,
743 unsigned long *count));
744_CK_DECLARE_FUNCTION (C_GetMechanismInfo,
745 (ck_slot_id_t slot_id, ck_mechanism_type_t type,
746 struct ck_mechanism_info *info));
747_CK_DECLARE_FUNCTION (C_InitToken,
748 (ck_slot_id_t slot_id, unsigned char *pin,
749 unsigned long pin_len, unsigned char *label));
750_CK_DECLARE_FUNCTION (C_InitPIN,
751 (ck_session_handle_t session, unsigned char *pin,
752 unsigned long pin_len));
753_CK_DECLARE_FUNCTION (C_SetPIN,
754 (ck_session_handle_t session, unsigned char *old_pin,
755 unsigned long old_len, unsigned char *new_pin,
756 unsigned long new_len));
757
758_CK_DECLARE_FUNCTION (C_OpenSession,
759 (ck_slot_id_t slot_id, ck_flags_t flags,
760 void *application, ck_notify_t notify,
761 ck_session_handle_t *session));
762_CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session));
763_CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id));
764_CK_DECLARE_FUNCTION (C_GetSessionInfo,
765 (ck_session_handle_t session,
766 struct ck_session_info *info));
767_CK_DECLARE_FUNCTION (C_GetOperationState,
768 (ck_session_handle_t session,
769 unsigned char *operation_state,
770 unsigned long *operation_state_len));
771_CK_DECLARE_FUNCTION (C_SetOperationState,
772 (ck_session_handle_t session,
773 unsigned char *operation_state,
774 unsigned long operation_state_len,
775 ck_object_handle_t encryption_key,
776 ck_object_handle_t authentiation_key));
777_CK_DECLARE_FUNCTION (C_Login,
778 (ck_session_handle_t session, ck_user_type_t user_type,
779 unsigned char *pin, unsigned long pin_len));
780_CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session));
781
782_CK_DECLARE_FUNCTION (C_CreateObject,
783 (ck_session_handle_t session,
784 struct ck_attribute *templ,
785 unsigned long count, ck_object_handle_t *object));
786_CK_DECLARE_FUNCTION (C_CopyObject,
787 (ck_session_handle_t session, ck_object_handle_t object,
788 struct ck_attribute *templ, unsigned long count,
789 ck_object_handle_t *new_object));
790_CK_DECLARE_FUNCTION (C_DestroyObject,
791 (ck_session_handle_t session,
792 ck_object_handle_t object));
793_CK_DECLARE_FUNCTION (C_GetObjectSize,
794 (ck_session_handle_t session,
795 ck_object_handle_t object,
796 unsigned long *size));
797_CK_DECLARE_FUNCTION (C_GetAttributeValue,
798 (ck_session_handle_t session,
799 ck_object_handle_t object,
800 struct ck_attribute *templ,
801 unsigned long count));
802_CK_DECLARE_FUNCTION (C_SetAttributeValue,
803 (ck_session_handle_t session,
804 ck_object_handle_t object,
805 struct ck_attribute *templ,
806 unsigned long count));
807_CK_DECLARE_FUNCTION (C_FindObjectsInit,
808 (ck_session_handle_t session,
809 struct ck_attribute *templ,
810 unsigned long count));
811_CK_DECLARE_FUNCTION (C_FindObjects,
812 (ck_session_handle_t session,
813 ck_object_handle_t *object,
814 unsigned long max_object_count,
815 unsigned long *object_count));
816_CK_DECLARE_FUNCTION (C_FindObjectsFinal,
817 (ck_session_handle_t session));
818
819_CK_DECLARE_FUNCTION (C_EncryptInit,
820 (ck_session_handle_t session,
821 struct ck_mechanism *mechanism,
822 ck_object_handle_t key));
823_CK_DECLARE_FUNCTION (C_Encrypt,
824 (ck_session_handle_t session,
825 unsigned char *data, unsigned long data_len,
826 unsigned char *encrypted_data,
827 unsigned long *encrypted_data_len));
828_CK_DECLARE_FUNCTION (C_EncryptUpdate,
829 (ck_session_handle_t session,
830 unsigned char *part, unsigned long part_len,
831 unsigned char *encrypted_part,
832 unsigned long *encrypted_part_len));
833_CK_DECLARE_FUNCTION (C_EncryptFinal,
834 (ck_session_handle_t session,
835 unsigned char *last_encrypted_part,
836 unsigned long *last_encrypted_part_len));
837
838_CK_DECLARE_FUNCTION (C_DecryptInit,
839 (ck_session_handle_t session,
840 struct ck_mechanism *mechanism,
841 ck_object_handle_t key));
842_CK_DECLARE_FUNCTION (C_Decrypt,
843 (ck_session_handle_t session,
844 unsigned char *encrypted_data,
845 unsigned long encrypted_data_len,
846 unsigned char *data, unsigned long *data_len));
847_CK_DECLARE_FUNCTION (C_DecryptUpdate,
848 (ck_session_handle_t session,
849 unsigned char *encrypted_part,
850 unsigned long encrypted_part_len,
851 unsigned char *part, unsigned long *part_len));
852_CK_DECLARE_FUNCTION (C_DecryptFinal,
853 (ck_session_handle_t session,
854 unsigned char *last_part,
855 unsigned long *last_part_len));
856
857_CK_DECLARE_FUNCTION (C_DigestInit,
858 (ck_session_handle_t session,
859 struct ck_mechanism *mechanism));
860_CK_DECLARE_FUNCTION (C_Digest,
861 (ck_session_handle_t session,
862 unsigned char *data, unsigned long data_len,
863 unsigned char *digest,
864 unsigned long *digest_len));
865_CK_DECLARE_FUNCTION (C_DigestUpdate,
866 (ck_session_handle_t session,
867 unsigned char *part, unsigned long part_len));
868_CK_DECLARE_FUNCTION (C_DigestKey,
869 (ck_session_handle_t session, ck_object_handle_t key));
870_CK_DECLARE_FUNCTION (C_DigestFinal,
871 (ck_session_handle_t session,
872 unsigned char *digest,
873 unsigned long *digest_len));
874
875_CK_DECLARE_FUNCTION (C_SignInit,
876 (ck_session_handle_t session,
877 struct ck_mechanism *mechanism,
878 ck_object_handle_t key));
879_CK_DECLARE_FUNCTION (C_Sign,
880 (ck_session_handle_t session,
881 unsigned char *data, unsigned long data_len,
882 unsigned char *signature,
883 unsigned long *signature_len));
884_CK_DECLARE_FUNCTION (C_SignUpdate,
885 (ck_session_handle_t session,
886 unsigned char *part, unsigned long part_len));
887_CK_DECLARE_FUNCTION (C_SignFinal,
888 (ck_session_handle_t session,
889 unsigned char *signature,
890 unsigned long *signature_len));
891_CK_DECLARE_FUNCTION (C_SignRecoverInit,
892 (ck_session_handle_t session,
893 struct ck_mechanism *mechanism,
894 ck_object_handle_t key));
895_CK_DECLARE_FUNCTION (C_SignRecover,
896 (ck_session_handle_t session,
897 unsigned char *data, unsigned long data_len,
898 unsigned char *signature,
899 unsigned long *signature_len));
900
901_CK_DECLARE_FUNCTION (C_VerifyInit,
902 (ck_session_handle_t session,
903 struct ck_mechanism *mechanism,
904 ck_object_handle_t key));
905_CK_DECLARE_FUNCTION (C_Verify,
906 (ck_session_handle_t session,
907 unsigned char *data, unsigned long data_len,
908 unsigned char *signature,
909 unsigned long signature_len));
910_CK_DECLARE_FUNCTION (C_VerifyUpdate,
911 (ck_session_handle_t session,
912 unsigned char *part, unsigned long part_len));
913_CK_DECLARE_FUNCTION (C_VerifyFinal,
914 (ck_session_handle_t session,
915 unsigned char *signature,
916 unsigned long signature_len));
917_CK_DECLARE_FUNCTION (C_VerifyRecoverInit,
918 (ck_session_handle_t session,
919 struct ck_mechanism *mechanism,
920 ck_object_handle_t key));
921_CK_DECLARE_FUNCTION (C_VerifyRecover,
922 (ck_session_handle_t session,
923 unsigned char *signature,
924 unsigned long signature_len,
925 unsigned char *data,
926 unsigned long *data_len));
927
928_CK_DECLARE_FUNCTION (C_DigestEncryptUpdate,
929 (ck_session_handle_t session,
930 unsigned char *part, unsigned long part_len,
931 unsigned char *encrypted_part,
932 unsigned long *encrypted_part_len));
933_CK_DECLARE_FUNCTION (C_DecryptDigestUpdate,
934 (ck_session_handle_t session,
935 unsigned char *encrypted_part,
936 unsigned long encrypted_part_len,
937 unsigned char *part,
938 unsigned long *part_len));
939_CK_DECLARE_FUNCTION (C_SignEncryptUpdate,
940 (ck_session_handle_t session,
941 unsigned char *part, unsigned long part_len,
942 unsigned char *encrypted_part,
943 unsigned long *encrypted_part_len));
944_CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate,
945 (ck_session_handle_t session,
946 unsigned char *encrypted_part,
947 unsigned long encrypted_part_len,
948 unsigned char *part,
949 unsigned long *part_len));
950
951_CK_DECLARE_FUNCTION (C_GenerateKey,
952 (ck_session_handle_t session,
953 struct ck_mechanism *mechanism,
954 struct ck_attribute *templ,
955 unsigned long count,
956 ck_object_handle_t *key));
957_CK_DECLARE_FUNCTION (C_GenerateKeyPair,
958 (ck_session_handle_t session,
959 struct ck_mechanism *mechanism,
960 struct ck_attribute *public_key_template,
961 unsigned long public_key_attribute_count,
962 struct ck_attribute *private_key_template,
963 unsigned long private_key_attribute_count,
964 ck_object_handle_t *public_key,
965 ck_object_handle_t *private_key));
966_CK_DECLARE_FUNCTION (C_WrapKey,
967 (ck_session_handle_t session,
968 struct ck_mechanism *mechanism,
969 ck_object_handle_t wrapping_key,
970 ck_object_handle_t key,
971 unsigned char *wrapped_key,
972 unsigned long *wrapped_key_len));
973_CK_DECLARE_FUNCTION (C_UnwrapKey,
974 (ck_session_handle_t session,
975 struct ck_mechanism *mechanism,
976 ck_object_handle_t unwrapping_key,
977 unsigned char *wrapped_key,
978 unsigned long wrapped_key_len,
979 struct ck_attribute *templ,
980 unsigned long attribute_count,
981 ck_object_handle_t *key));
982_CK_DECLARE_FUNCTION (C_DeriveKey,
983 (ck_session_handle_t session,
984 struct ck_mechanism *mechanism,
985 ck_object_handle_t base_key,
986 struct ck_attribute *templ,
987 unsigned long attribute_count,
988 ck_object_handle_t *key));
989
990_CK_DECLARE_FUNCTION (C_SeedRandom,
991 (ck_session_handle_t session, unsigned char *seed,
992 unsigned long seed_len));
993_CK_DECLARE_FUNCTION (C_GenerateRandom,
994 (ck_session_handle_t session,
995 unsigned char *random_data,
996 unsigned long random_len));
997
998_CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session));
999_CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session));
1000
1001
1002struct ck_function_list
1003{
1004 struct ck_version version;
1005 CK_C_Initialize C_Initialize;
1006 CK_C_Finalize C_Finalize;
1007 CK_C_GetInfo C_GetInfo;
1008 CK_C_GetFunctionList C_GetFunctionList;
1009 CK_C_GetSlotList C_GetSlotList;
1010 CK_C_GetSlotInfo C_GetSlotInfo;
1011 CK_C_GetTokenInfo C_GetTokenInfo;
1012 CK_C_GetMechanismList C_GetMechanismList;
1013 CK_C_GetMechanismInfo C_GetMechanismInfo;
1014 CK_C_InitToken C_InitToken;
1015 CK_C_InitPIN C_InitPIN;
1016 CK_C_SetPIN C_SetPIN;
1017 CK_C_OpenSession C_OpenSession;
1018 CK_C_CloseSession C_CloseSession;
1019 CK_C_CloseAllSessions C_CloseAllSessions;
1020 CK_C_GetSessionInfo C_GetSessionInfo;
1021 CK_C_GetOperationState C_GetOperationState;
1022 CK_C_SetOperationState C_SetOperationState;
1023 CK_C_Login C_Login;
1024 CK_C_Logout C_Logout;
1025 CK_C_CreateObject C_CreateObject;
1026 CK_C_CopyObject C_CopyObject;
1027 CK_C_DestroyObject C_DestroyObject;
1028 CK_C_GetObjectSize C_GetObjectSize;
1029 CK_C_GetAttributeValue C_GetAttributeValue;
1030 CK_C_SetAttributeValue C_SetAttributeValue;
1031 CK_C_FindObjectsInit C_FindObjectsInit;
1032 CK_C_FindObjects C_FindObjects;
1033 CK_C_FindObjectsFinal C_FindObjectsFinal;
1034 CK_C_EncryptInit C_EncryptInit;
1035 CK_C_Encrypt C_Encrypt;
1036 CK_C_EncryptUpdate C_EncryptUpdate;
1037 CK_C_EncryptFinal C_EncryptFinal;
1038 CK_C_DecryptInit C_DecryptInit;
1039 CK_C_Decrypt C_Decrypt;
1040 CK_C_DecryptUpdate C_DecryptUpdate;
1041 CK_C_DecryptFinal C_DecryptFinal;
1042 CK_C_DigestInit C_DigestInit;
1043 CK_C_Digest C_Digest;
1044 CK_C_DigestUpdate C_DigestUpdate;
1045 CK_C_DigestKey C_DigestKey;
1046 CK_C_DigestFinal C_DigestFinal;
1047 CK_C_SignInit C_SignInit;
1048 CK_C_Sign C_Sign;
1049 CK_C_SignUpdate C_SignUpdate;
1050 CK_C_SignFinal C_SignFinal;
1051 CK_C_SignRecoverInit C_SignRecoverInit;
1052 CK_C_SignRecover C_SignRecover;
1053 CK_C_VerifyInit C_VerifyInit;
1054 CK_C_Verify C_Verify;
1055 CK_C_VerifyUpdate C_VerifyUpdate;
1056 CK_C_VerifyFinal C_VerifyFinal;
1057 CK_C_VerifyRecoverInit C_VerifyRecoverInit;
1058 CK_C_VerifyRecover C_VerifyRecover;
1059 CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
1060 CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
1061 CK_C_SignEncryptUpdate C_SignEncryptUpdate;
1062 CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
1063 CK_C_GenerateKey C_GenerateKey;
1064 CK_C_GenerateKeyPair C_GenerateKeyPair;
1065 CK_C_WrapKey C_WrapKey;
1066 CK_C_UnwrapKey C_UnwrapKey;
1067 CK_C_DeriveKey C_DeriveKey;
1068 CK_C_SeedRandom C_SeedRandom;
1069 CK_C_GenerateRandom C_GenerateRandom;
1070 CK_C_GetFunctionStatus C_GetFunctionStatus;
1071 CK_C_CancelFunction C_CancelFunction;
1072 CK_C_WaitForSlotEvent C_WaitForSlotEvent;
1073};
1074
1075
1076typedef ck_rv_t (*ck_createmutex_t) (void **mutex);
1077typedef ck_rv_t (*ck_destroymutex_t) (void *mutex);
1078typedef ck_rv_t (*ck_lockmutex_t) (void *mutex);
1079typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex);
1080
1081
1082struct ck_c_initialize_args
1083{
1084 ck_createmutex_t create_mutex;
1085 ck_destroymutex_t destroy_mutex;
1086 ck_lockmutex_t lock_mutex;
1087 ck_unlockmutex_t unlock_mutex;
1088 ck_flags_t flags;
1089 void *reserved;
1090};
1091
1092
1093#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1 << 0)
1094#define CKF_OS_LOCKING_OK (1 << 1)
1095
1096#define CKR_OK (0)
1097#define CKR_CANCEL (1)
1098#define CKR_HOST_MEMORY (2)
1099#define CKR_SLOT_ID_INVALID (3)
1100#define CKR_GENERAL_ERROR (5)
1101#define CKR_FUNCTION_FAILED (6)
1102#define CKR_ARGUMENTS_BAD (7)
1103#define CKR_NO_EVENT (8)
1104#define CKR_NEED_TO_CREATE_THREADS (9)
1105#define CKR_CANT_LOCK (0xa)
1106#define CKR_ATTRIBUTE_READ_ONLY (0x10)
1107#define CKR_ATTRIBUTE_SENSITIVE (0x11)
1108#define CKR_ATTRIBUTE_TYPE_INVALID (0x12)
1109#define CKR_ATTRIBUTE_VALUE_INVALID (0x13)
1110#define CKR_DATA_INVALID (0x20)
1111#define CKR_DATA_LEN_RANGE (0x21)
1112#define CKR_DEVICE_ERROR (0x30)
1113#define CKR_DEVICE_MEMORY (0x31)
1114#define CKR_DEVICE_REMOVED (0x32)
1115#define CKR_ENCRYPTED_DATA_INVALID (0x40)
1116#define CKR_ENCRYPTED_DATA_LEN_RANGE (0x41)
1117#define CKR_FUNCTION_CANCELED (0x50)
1118#define CKR_FUNCTION_NOT_PARALLEL (0x51)
1119#define CKR_FUNCTION_NOT_SUPPORTED (0x54)
1120#define CKR_KEY_HANDLE_INVALID (0x60)
1121#define CKR_KEY_SIZE_RANGE (0x62)
1122#define CKR_KEY_TYPE_INCONSISTENT (0x63)
1123#define CKR_KEY_NOT_NEEDED (0x64)
1124#define CKR_KEY_CHANGED (0x65)
1125#define CKR_KEY_NEEDED (0x66)
1126#define CKR_KEY_INDIGESTIBLE (0x67)
1127#define CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
1128#define CKR_KEY_NOT_WRAPPABLE (0x69)
1129#define CKR_KEY_UNEXTRACTABLE (0x6a)
1130#define CKR_MECHANISM_INVALID (0x70)
1131#define CKR_MECHANISM_PARAM_INVALID (0x71)
1132#define CKR_OBJECT_HANDLE_INVALID (0x82)
1133#define CKR_OPERATION_ACTIVE (0x90)
1134#define CKR_OPERATION_NOT_INITIALIZED (0x91)
1135#define CKR_PIN_INCORRECT (0xa0)
1136#define CKR_PIN_INVALID (0xa1)
1137#define CKR_PIN_LEN_RANGE (0xa2)
1138#define CKR_PIN_EXPIRED (0xa3)
1139#define CKR_PIN_LOCKED (0xa4)
1140#define CKR_SESSION_CLOSED (0xb0)
1141#define CKR_SESSION_COUNT (0xb1)
1142#define CKR_SESSION_HANDLE_INVALID (0xb3)
1143#define CKR_SESSION_PARALLEL_NOT_SUPPORTED (0xb4)
1144#define CKR_SESSION_READ_ONLY (0xb5)
1145#define CKR_SESSION_EXISTS (0xb6)
1146#define CKR_SESSION_READ_ONLY_EXISTS (0xb7)
1147#define CKR_SESSION_READ_WRITE_SO_EXISTS (0xb8)
1148#define CKR_SIGNATURE_INVALID (0xc0)
1149#define CKR_SIGNATURE_LEN_RANGE (0xc1)
1150#define CKR_TEMPLATE_INCOMPLETE (0xd0)
1151#define CKR_TEMPLATE_INCONSISTENT (0xd1)
1152#define CKR_TOKEN_NOT_PRESENT (0xe0)
1153#define CKR_TOKEN_NOT_RECOGNIZED (0xe1)
1154#define CKR_TOKEN_WRITE_PROTECTED (0xe2)
1155#define CKR_UNWRAPPING_KEY_HANDLE_INVALID (0xf0)
1156#define CKR_UNWRAPPING_KEY_SIZE_RANGE (0xf1)
1157#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2)
1158#define CKR_USER_ALREADY_LOGGED_IN (0x100)
1159#define CKR_USER_NOT_LOGGED_IN (0x101)
1160#define CKR_USER_PIN_NOT_INITIALIZED (0x102)
1161#define CKR_USER_TYPE_INVALID (0x103)
1162#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN (0x104)
1163#define CKR_USER_TOO_MANY_TYPES (0x105)
1164#define CKR_WRAPPED_KEY_INVALID (0x110)
1165#define CKR_WRAPPED_KEY_LEN_RANGE (0x112)
1166#define CKR_WRAPPING_KEY_HANDLE_INVALID (0x113)
1167#define CKR_WRAPPING_KEY_SIZE_RANGE (0x114)
1168#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT (0x115)
1169#define CKR_RANDOM_SEED_NOT_SUPPORTED (0x120)
1170#define CKR_RANDOM_NO_RNG (0x121)
1171#define CKR_DOMAIN_PARAMS_INVALID (0x130)
1172#define CKR_BUFFER_TOO_SMALL (0x150)
1173#define CKR_SAVED_STATE_INVALID (0x160)
1174#define CKR_INFORMATION_SENSITIVE (0x170)
1175#define CKR_STATE_UNSAVEABLE (0x180)
1176#define CKR_CRYPTOKI_NOT_INITIALIZED (0x190)
1177#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191)
1178#define CKR_MUTEX_BAD (0x1a0)
1179#define CKR_MUTEX_NOT_LOCKED (0x1a1)
1180#define CKR_FUNCTION_REJECTED (0x200)
1181#define CKR_VENDOR_DEFINED ((unsigned long) (1 << 31))
1182
1183
1184
1185/* Compatibility layer. */
1186
1187#ifdef CRYPTOKI_COMPAT
1188
1189#undef CK_DEFINE_FUNCTION
1190#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
1191
1192/* For NULL. */
1193#include <stddef.h>
1194
1195typedef unsigned char CK_BYTE;
1196typedef unsigned char CK_CHAR;
1197typedef unsigned char CK_UTF8CHAR;
1198typedef unsigned char CK_BBOOL;
1199typedef unsigned long int CK_ULONG;
1200typedef long int CK_LONG;
1201typedef CK_BYTE *CK_BYTE_PTR;
1202typedef CK_CHAR *CK_CHAR_PTR;
1203typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR;
1204typedef CK_ULONG *CK_ULONG_PTR;
1205typedef void *CK_VOID_PTR;
1206typedef void **CK_VOID_PTR_PTR;
1207#define CK_FALSE 0
1208#define CK_TRUE 1
1209#ifndef CK_DISABLE_TRUE_FALSE
1210#ifndef FALSE
1211#define FALSE 0
1212#endif
1213#ifndef TRUE
1214#define TRUE 1
1215#endif
1216#endif
1217
1218typedef struct ck_version CK_VERSION;
1219typedef struct ck_version *CK_VERSION_PTR;
1220
1221typedef struct ck_info CK_INFO;
1222typedef struct ck_info *CK_INFO_PTR;
1223
1224typedef ck_slot_id_t *CK_SLOT_ID_PTR;
1225
1226typedef struct ck_slot_info CK_SLOT_INFO;
1227typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
1228
1229typedef struct ck_token_info CK_TOKEN_INFO;
1230typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
1231
1232typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
1233
1234typedef struct ck_session_info CK_SESSION_INFO;
1235typedef struct ck_session_info *CK_SESSION_INFO_PTR;
1236
1237typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
1238
1239typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
1240
1241typedef struct ck_attribute CK_ATTRIBUTE;
1242typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
1243
1244typedef struct ck_date CK_DATE;
1245typedef struct ck_date *CK_DATE_PTR;
1246
1247typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
1248
1249typedef struct ck_mechanism CK_MECHANISM;
1250typedef struct ck_mechanism *CK_MECHANISM_PTR;
1251
1252typedef struct ck_mechanism_info CK_MECHANISM_INFO;
1253typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
1254
1255typedef struct ck_function_list CK_FUNCTION_LIST;
1256typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
1257typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
1258
1259typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
1260typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
1261
1262#define NULL_PTR NULL
1263
1264/* Delete the helper macros defined at the top of the file. */
1265#undef ck_flags_t
1266#undef ck_version
1267
1268#undef ck_info
1269#undef cryptoki_version
1270#undef manufacturer_id
1271#undef library_description
1272#undef library_version
1273
1274#undef ck_notification_t
1275#undef ck_slot_id_t
1276
1277#undef ck_slot_info
1278#undef slot_description
1279#undef hardware_version
1280#undef firmware_version
1281
1282#undef ck_token_info
1283#undef serial_number
1284#undef max_session_count
1285#undef session_count
1286#undef max_rw_session_count
1287#undef rw_session_count
1288#undef max_pin_len
1289#undef min_pin_len
1290#undef total_public_memory
1291#undef free_public_memory
1292#undef total_private_memory
1293#undef free_private_memory
1294#undef utc_time
1295
1296#undef ck_session_handle_t
1297#undef ck_user_type_t
1298#undef ck_state_t
1299
1300#undef ck_session_info
1301#undef slot_id
1302#undef device_error
1303
1304#undef ck_object_handle_t
1305#undef ck_object_class_t
1306#undef ck_hw_feature_type_t
1307#undef ck_key_type_t
1308#undef ck_certificate_type_t
1309#undef ck_attribute_type_t
1310
1311#undef ck_attribute
1312#undef value
1313#undef value_len
1314
1315#undef ck_date
1316
1317#undef ck_mechanism_type_t
1318
1319#undef ck_mechanism
1320#undef parameter
1321#undef parameter_len
1322
1323#undef ck_mechanism_info
1324#undef min_key_size
1325#undef max_key_size
1326
1327#undef ck_rv_t
1328#undef ck_notify_t
1329
1330#undef ck_function_list
1331
1332#undef ck_createmutex_t
1333#undef ck_destroymutex_t
1334#undef ck_lockmutex_t
1335#undef ck_unlockmutex_t
1336
1337#undef ck_c_initialize_args
1338#undef create_mutex
1339#undef destroy_mutex
1340#undef lock_mutex
1341#undef unlock_mutex
1342#undef reserved
1343
1344#endif /* CRYPTOKI_COMPAT */
1345
1346
1347/* System dependencies. */
1348#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
1349#pragma pack(pop, cryptoki)
1350#endif
1351
1352#if defined(__cplusplus)
1353}
1354#endif
1355
1356#endif /* PKCS11_H */
diff --git a/scard-opensc.c b/scard-opensc.c
deleted file mode 100644
index 36dae05fd..000000000
--- a/scard-opensc.c
+++ /dev/null
@@ -1,532 +0,0 @@
1/*
2 * Copyright (c) 2002 Juha Yrjölä. All rights reserved.
3 * Copyright (c) 2001 Markus Friedl.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "includes.h"
27#if defined(SMARTCARD) && defined(USE_OPENSC)
28
29#include <sys/types.h>
30
31#include <openssl/evp.h>
32#include <openssl/x509.h>
33
34#include <stdarg.h>
35#include <string.h>
36
37#include <opensc/opensc.h>
38#include <opensc/pkcs15.h>
39
40#include "key.h"
41#include "log.h"
42#include "xmalloc.h"
43#include "misc.h"
44#include "scard.h"
45
46#if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
47#define USE_ENGINE
48#define RSA_get_default_method RSA_get_default_openssl_method
49#else
50#endif
51
52#ifdef USE_ENGINE
53#include <openssl/engine.h>
54#define sc_get_rsa sc_get_engine
55#else
56#define sc_get_rsa sc_get_rsa_method
57#endif
58
59static int sc_reader_id;
60static sc_context_t *ctx = NULL;
61static sc_card_t *card = NULL;
62static sc_pkcs15_card_t *p15card = NULL;
63
64static char *sc_pin = NULL;
65
66struct sc_priv_data
67{
68 struct sc_pkcs15_id cert_id;
69 int ref_count;
70};
71
72void
73sc_close(void)
74{
75 if (p15card) {
76 sc_pkcs15_unbind(p15card);
77 p15card = NULL;
78 }
79 if (card) {
80 sc_disconnect_card(card, 0);
81 card = NULL;
82 }
83 if (ctx) {
84 sc_release_context(ctx);
85 ctx = NULL;
86 }
87}
88
89static int
90sc_init(void)
91{
92 int r;
93
94 r = sc_establish_context(&ctx, "openssh");
95 if (r)
96 goto err;
97 if (sc_reader_id >= ctx->reader_count) {
98 r = SC_ERROR_NO_READERS_FOUND;
99 error("Illegal reader number %d (max %d)", sc_reader_id,
100 ctx->reader_count -1);
101 goto err;
102 }
103 r = sc_connect_card(ctx->reader[sc_reader_id], 0, &card);
104 if (r)
105 goto err;
106 r = sc_pkcs15_bind(card, &p15card);
107 if (r)
108 goto err;
109 return 0;
110err:
111 sc_close();
112 return r;
113}
114
115/* private key operations */
116
117static int
118sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out,
119 unsigned int usage)
120{
121 int r;
122 struct sc_priv_data *priv;
123 struct sc_pkcs15_object *key_obj;
124 struct sc_pkcs15_prkey_info *key;
125 struct sc_pkcs15_object *pin_obj;
126 struct sc_pkcs15_pin_info *pin;
127
128 priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
129 if (priv == NULL)
130 return -1;
131 if (p15card == NULL) {
132 sc_close();
133 r = sc_init();
134 if (r) {
135 error("SmartCard init failed: %s", sc_strerror(r));
136 goto err;
137 }
138 }
139 r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id,
140 usage, &key_obj);
141 if (r) {
142 error("Unable to find private key from SmartCard: %s",
143 sc_strerror(r));
144 goto err;
145 }
146 key = key_obj->data;
147 r = sc_pkcs15_find_pin_by_auth_id(p15card, &key_obj->auth_id,
148 &pin_obj);
149 if (r == SC_ERROR_OBJECT_NOT_FOUND) {
150 /* no pin required */
151 r = sc_lock(card);
152 if (r) {
153 error("Unable to lock smartcard: %s", sc_strerror(r));
154 goto err;
155 }
156 *key_obj_out = key_obj;
157 return 0;
158 } else if (r) {
159 error("Unable to find PIN object from SmartCard: %s",
160 sc_strerror(r));
161 goto err;
162 }
163 pin = pin_obj->data;
164 r = sc_lock(card);
165 if (r) {
166 error("Unable to lock smartcard: %s", sc_strerror(r));
167 goto err;
168 }
169 if (sc_pin != NULL) {
170 r = sc_pkcs15_verify_pin(p15card, pin, sc_pin,
171 strlen(sc_pin));
172 if (r) {
173 sc_unlock(card);
174 error("PIN code verification failed: %s",
175 sc_strerror(r));
176 goto err;
177 }
178 }
179 *key_obj_out = key_obj;
180 return 0;
181err:
182 sc_close();
183 return -1;
184}
185
186#define SC_USAGE_DECRYPT SC_PKCS15_PRKEY_USAGE_DECRYPT | \
187 SC_PKCS15_PRKEY_USAGE_UNWRAP
188
189static int
190sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
191 int padding)
192{
193 struct sc_pkcs15_object *key_obj;
194 int r;
195
196 if (padding != RSA_PKCS1_PADDING)
197 return -1;
198 r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT);
199 if (r)
200 return -1;
201 r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1,
202 from, flen, to, flen);
203 sc_unlock(card);
204 if (r < 0) {
205 error("sc_pkcs15_decipher() failed: %s", sc_strerror(r));
206 goto err;
207 }
208 return r;
209err:
210 sc_close();
211 return -1;
212}
213
214#define SC_USAGE_SIGN SC_PKCS15_PRKEY_USAGE_SIGN | \
215 SC_PKCS15_PRKEY_USAGE_SIGNRECOVER
216
217static int
218sc_sign(int type, u_char *m, unsigned int m_len,
219 unsigned char *sigret, unsigned int *siglen, RSA *rsa)
220{
221 struct sc_pkcs15_object *key_obj;
222 int r;
223 unsigned long flags = 0;
224
225 /* XXX: sc_prkey_op_init will search for a pkcs15 private
226 * key object with the sign or signrecover usage flag set.
227 * If the signing key has only the non-repudiation flag set
228 * the key will be rejected as using a non-repudiation key
229 * for authentication is not recommended. Note: This does not
230 * prevent the use of a non-repudiation key for authentication
231 * if the sign or signrecover flag is set as well.
232 */
233 r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN);
234 if (r)
235 return -1;
236 /* FIXME: length of sigret correct? */
237 /* FIXME: check 'type' and modify flags accordingly */
238 flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_SHA1;
239 r = sc_pkcs15_compute_signature(p15card, key_obj, flags,
240 m, m_len, sigret, RSA_size(rsa));
241 sc_unlock(card);
242 if (r < 0) {
243 error("sc_pkcs15_compute_signature() failed: %s",
244 sc_strerror(r));
245 goto err;
246 }
247 *siglen = r;
248 return 1;
249err:
250 sc_close();
251 return 0;
252}
253
254static int
255sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa,
256 int padding)
257{
258 error("Private key encryption not supported");
259 return -1;
260}
261
262/* called on free */
263
264static int (*orig_finish)(RSA *rsa) = NULL;
265
266static int
267sc_finish(RSA *rsa)
268{
269 struct sc_priv_data *priv;
270
271 priv = RSA_get_app_data(rsa);
272 priv->ref_count--;
273 if (priv->ref_count == 0) {
274 free(priv);
275 sc_close();
276 }
277 if (orig_finish)
278 orig_finish(rsa);
279 return 1;
280}
281
282/* engine for overloading private key operations */
283
284static RSA_METHOD *
285sc_get_rsa_method(void)
286{
287 static RSA_METHOD smart_rsa;
288 const RSA_METHOD *def = RSA_get_default_method();
289
290 /* use the OpenSSL version */
291 memcpy(&smart_rsa, def, sizeof(smart_rsa));
292
293 smart_rsa.name = "opensc";
294
295 /* overload */
296 smart_rsa.rsa_priv_enc = sc_private_encrypt;
297 smart_rsa.rsa_priv_dec = sc_private_decrypt;
298 smart_rsa.rsa_sign = sc_sign;
299
300 /* save original */
301 orig_finish = def->finish;
302 smart_rsa.finish = sc_finish;
303
304 return &smart_rsa;
305}
306
307#ifdef USE_ENGINE
308static ENGINE *
309sc_get_engine(void)
310{
311 static ENGINE *smart_engine = NULL;
312
313 if ((smart_engine = ENGINE_new()) == NULL)
314 fatal("ENGINE_new failed");
315
316 ENGINE_set_id(smart_engine, "opensc");
317 ENGINE_set_name(smart_engine, "OpenSC");
318
319 ENGINE_set_RSA(smart_engine, sc_get_rsa_method());
320 ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
321 ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
322 ENGINE_set_RAND(smart_engine, RAND_SSLeay());
323 ENGINE_set_BN_mod_exp(smart_engine, BN_mod_exp);
324
325 return smart_engine;
326}
327#endif
328
329static void
330convert_rsa_to_rsa1(Key * in, Key * out)
331{
332 struct sc_priv_data *priv;
333
334 out->rsa->flags = in->rsa->flags;
335 out->flags = in->flags;
336 RSA_set_method(out->rsa, RSA_get_method(in->rsa));
337 BN_copy(out->rsa->n, in->rsa->n);
338 BN_copy(out->rsa->e, in->rsa->e);
339 priv = RSA_get_app_data(in->rsa);
340 priv->ref_count++;
341 RSA_set_app_data(out->rsa, priv);
342 return;
343}
344
345static int
346sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj)
347{
348 int r;
349 sc_pkcs15_cert_t *cert = NULL;
350 struct sc_priv_data *priv = NULL;
351 sc_pkcs15_cert_info_t *cinfo = cert_obj->data;
352
353 X509 *x509 = NULL;
354 EVP_PKEY *pubkey = NULL;
355 u8 *p;
356 char *tmp;
357
358 debug("sc_read_pubkey() with cert id %02X", cinfo->id.value[0]);
359 r = sc_pkcs15_read_certificate(p15card, cinfo, &cert);
360 if (r) {
361 logit("Certificate read failed: %s", sc_strerror(r));
362 goto err;
363 }
364 x509 = X509_new();
365 if (x509 == NULL) {
366 r = -1;
367 goto err;
368 }
369 p = cert->data;
370 if (!d2i_X509(&x509, &p, cert->data_len)) {
371 logit("Unable to parse X.509 certificate");
372 r = -1;
373 goto err;
374 }
375 sc_pkcs15_free_certificate(cert);
376 cert = NULL;
377 pubkey = X509_get_pubkey(x509);
378 X509_free(x509);
379 x509 = NULL;
380 if (pubkey->type != EVP_PKEY_RSA) {
381 logit("Public key is of unknown type");
382 r = -1;
383 goto err;
384 }
385 k->rsa = EVP_PKEY_get1_RSA(pubkey);
386 EVP_PKEY_free(pubkey);
387
388 k->rsa->flags |= RSA_FLAG_SIGN_VER;
389 RSA_set_method(k->rsa, sc_get_rsa_method());
390 priv = xmalloc(sizeof(struct sc_priv_data));
391 priv->cert_id = cinfo->id;
392 priv->ref_count = 1;
393 RSA_set_app_data(k->rsa, priv);
394
395 k->flags = KEY_FLAG_EXT;
396 tmp = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
397 debug("fingerprint %d %s", key_size(k), tmp);
398 xfree(tmp);
399
400 return 0;
401err:
402 if (cert)
403 sc_pkcs15_free_certificate(cert);
404 if (pubkey)
405 EVP_PKEY_free(pubkey);
406 if (x509)
407 X509_free(x509);
408 return r;
409}
410
411Key **
412sc_get_keys(const char *id, const char *pin)
413{
414 Key *k, **keys;
415 int i, r, real_count = 0, key_count;
416 sc_pkcs15_id_t cert_id;
417 sc_pkcs15_object_t *certs[32];
418 char *buf = xstrdup(id), *p;
419
420 debug("sc_get_keys called: id = %s", id);
421
422 if (sc_pin != NULL)
423 xfree(sc_pin);
424 sc_pin = (pin == NULL) ? NULL : xstrdup(pin);
425
426 cert_id.len = 0;
427 if ((p = strchr(buf, ':')) != NULL) {
428 *p = 0;
429 p++;
430 sc_pkcs15_hex_string_to_id(p, &cert_id);
431 }
432 r = sscanf(buf, "%d", &sc_reader_id);
433 xfree(buf);
434 if (r != 1)
435 goto err;
436 if (p15card == NULL) {
437 sc_close();
438 r = sc_init();
439 if (r) {
440 error("Smartcard init failed: %s", sc_strerror(r));
441 goto err;
442 }
443 }
444 if (cert_id.len) {
445 r = sc_pkcs15_find_cert_by_id(p15card, &cert_id, &certs[0]);
446 if (r < 0)
447 goto err;
448 key_count = 1;
449 } else {
450 r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_CERT_X509,
451 certs, 32);
452 if (r == 0) {
453 logit("No certificates found on smartcard");
454 r = -1;
455 goto err;
456 } else if (r < 0) {
457 error("Certificate enumeration failed: %s",
458 sc_strerror(r));
459 goto err;
460 }
461 key_count = r;
462 }
463 if (key_count > 1024)
464 fatal("Too many keys (%u), expected <= 1024", key_count);
465 keys = xcalloc(key_count * 2 + 1, sizeof(Key *));
466 for (i = 0; i < key_count; i++) {
467 sc_pkcs15_object_t *tmp_obj = NULL;
468 cert_id = ((sc_pkcs15_cert_info_t *)(certs[i]->data))->id;
469 if (sc_pkcs15_find_prkey_by_id(p15card, &cert_id, &tmp_obj))
470 /* skip the public key (certificate) if no
471 * corresponding private key is present */
472 continue;
473 k = key_new(KEY_RSA);
474 if (k == NULL)
475 break;
476 r = sc_read_pubkey(k, certs[i]);
477 if (r) {
478 error("sc_read_pubkey failed: %s", sc_strerror(r));
479 key_free(k);
480 continue;
481 }
482 keys[real_count] = k;
483 real_count++;
484 k = key_new(KEY_RSA1);
485 if (k == NULL)
486 break;
487 convert_rsa_to_rsa1(keys[real_count-1], k);
488 keys[real_count] = k;
489 real_count++;
490 }
491 keys[real_count] = NULL;
492
493 return keys;
494err:
495 sc_close();
496 return NULL;
497}
498
499int
500sc_put_key(Key *prv, const char *id)
501{
502 error("key uploading not yet supported");
503 return -1;
504}
505
506char *
507sc_get_key_label(Key *key)
508{
509 int r;
510 const struct sc_priv_data *priv;
511 struct sc_pkcs15_object *key_obj;
512
513 priv = (const struct sc_priv_data *) RSA_get_app_data(key->rsa);
514 if (priv == NULL || p15card == NULL) {
515 logit("SmartCard key not loaded");
516 /* internal error => return default label */
517 return xstrdup("smartcard key");
518 }
519 r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj);
520 if (r) {
521 logit("Unable to find private key from SmartCard: %s",
522 sc_strerror(r));
523 return xstrdup("smartcard key");
524 }
525 if (key_obj == NULL || key_obj->label == NULL)
526 /* the optional PKCS#15 label does not exists
527 * => return the default label */
528 return xstrdup("smartcard key");
529 return xstrdup(key_obj->label);
530}
531
532#endif /* SMARTCARD */
diff --git a/scard.c b/scard.c
deleted file mode 100644
index 9fd3ca1b4..000000000
--- a/scard.c
+++ /dev/null
@@ -1,571 +0,0 @@
1/* $OpenBSD: scard.c,v 1.36 2006/11/06 21:25:28 markus Exp $ */
2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "includes.h"
27#if defined(SMARTCARD) && defined(USE_SECTOK)
28
29#include <sys/types.h>
30
31#include <sectok.h>
32#include <stdarg.h>
33#include <string.h>
34
35#include <openssl/evp.h>
36
37#include "xmalloc.h"
38#include "key.h"
39#include "log.h"
40#include "misc.h"
41#include "scard.h"
42
43#if OPENSSL_VERSION_NUMBER < 0x00907000L
44#define USE_ENGINE
45#define RSA_get_default_method RSA_get_default_openssl_method
46#else
47#endif
48
49#ifdef USE_ENGINE
50#include <openssl/engine.h>
51#define sc_get_rsa sc_get_engine
52#else
53#define sc_get_rsa sc_get_rsa_method
54#endif
55
56#define CLA_SSH 0x05
57#define INS_DECRYPT 0x10
58#define INS_GET_KEYLENGTH 0x20
59#define INS_GET_PUBKEY 0x30
60#define INS_GET_RESPONSE 0xc0
61
62#define MAX_BUF_SIZE 256
63
64u_char DEFAUT0[] = {0xad, 0x9f, 0x61, 0xfe, 0xfa, 0x20, 0xce, 0x63};
65
66static int sc_fd = -1;
67static char *sc_reader_id = NULL;
68static char *sc_pin = NULL;
69static int cla = 0x00; /* class */
70
71static void sc_mk_digest(const char *pin, u_char *digest);
72static int get_AUT0(u_char *aut0);
73static int try_AUT0(void);
74
75/* interface to libsectok */
76
77static int
78sc_open(void)
79{
80 int sw;
81
82 if (sc_fd >= 0)
83 return sc_fd;
84
85 sc_fd = sectok_friendly_open(sc_reader_id, STONOWAIT, &sw);
86 if (sc_fd < 0) {
87 error("sectok_open failed: %s", sectok_get_sw(sw));
88 return SCARD_ERROR_FAIL;
89 }
90 if (! sectok_cardpresent(sc_fd)) {
91 debug("smartcard in reader %s not present, skipping",
92 sc_reader_id);
93 sc_close();
94 return SCARD_ERROR_NOCARD;
95 }
96 if (sectok_reset(sc_fd, 0, NULL, &sw) <= 0) {
97 error("sectok_reset failed: %s", sectok_get_sw(sw));
98 sc_fd = -1;
99 return SCARD_ERROR_FAIL;
100 }
101 if ((cla = cyberflex_inq_class(sc_fd)) < 0)
102 cla = 0;
103
104 debug("sc_open ok %d", sc_fd);
105 return sc_fd;
106}
107
108static int
109sc_enable_applet(void)
110{
111 static u_char aid[] = {0xfc, 0x53, 0x73, 0x68, 0x2e, 0x62, 0x69, 0x6e};
112 int sw = 0;
113
114 /* select applet id */
115 sectok_apdu(sc_fd, cla, 0xa4, 0x04, 0, sizeof aid, aid, 0, NULL, &sw);
116 if (!sectok_swOK(sw)) {
117 error("sectok_apdu failed: %s", sectok_get_sw(sw));
118 sc_close();
119 return -1;
120 }
121 return 0;
122}
123
124static int
125sc_init(void)
126{
127 int status;
128
129 status = sc_open();
130 if (status == SCARD_ERROR_NOCARD) {
131 return SCARD_ERROR_NOCARD;
132 }
133 if (status < 0) {
134 error("sc_open failed");
135 return status;
136 }
137 if (sc_enable_applet() < 0) {
138 error("sc_enable_applet failed");
139 return SCARD_ERROR_APPLET;
140 }
141 return 0;
142}
143
144static int
145sc_read_pubkey(Key * k)
146{
147 u_char buf[2], *n;
148 char *p;
149 int len, sw, status = -1;
150
151 len = sw = 0;
152 n = NULL;
153
154 if (sc_fd < 0) {
155 if (sc_init() < 0)
156 goto err;
157 }
158
159 /* get key size */
160 sectok_apdu(sc_fd, CLA_SSH, INS_GET_KEYLENGTH, 0, 0, 0, NULL,
161 sizeof(buf), buf, &sw);
162 if (!sectok_swOK(sw)) {
163 error("could not obtain key length: %s", sectok_get_sw(sw));
164 goto err;
165 }
166 len = (buf[0] << 8) | buf[1];
167 len /= 8;
168 debug("INS_GET_KEYLENGTH: len %d sw %s", len, sectok_get_sw(sw));
169
170 n = xmalloc(len);
171 /* get n */
172 sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw);
173
174 if (sw == 0x6982) {
175 if (try_AUT0() < 0)
176 goto err;
177 sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw);
178 }
179 if (!sectok_swOK(sw)) {
180 error("could not obtain public key: %s", sectok_get_sw(sw));
181 goto err;
182 }
183
184 debug("INS_GET_KEYLENGTH: sw %s", sectok_get_sw(sw));
185
186 if (BN_bin2bn(n, len, k->rsa->n) == NULL) {
187 error("c_read_pubkey: BN_bin2bn failed");
188 goto err;
189 }
190
191 /* currently the java applet just stores 'n' */
192 if (!BN_set_word(k->rsa->e, 35)) {
193 error("c_read_pubkey: BN_set_word(e, 35) failed");
194 goto err;
195 }
196
197 status = 0;
198 p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
199 debug("fingerprint %u %s", key_size(k), p);
200 xfree(p);
201
202err:
203 if (n != NULL)
204 xfree(n);
205 sc_close();
206 return status;
207}
208
209/* private key operations */
210
211static int
212sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
213 int padding)
214{
215 u_char *padded = NULL;
216 int sw, len, olen, status = -1;
217
218 debug("sc_private_decrypt called");
219
220 olen = len = sw = 0;
221 if (sc_fd < 0) {
222 status = sc_init();
223 if (status < 0)
224 goto err;
225 }
226 if (padding != RSA_PKCS1_PADDING)
227 goto err;
228
229 len = BN_num_bytes(rsa->n);
230 padded = xmalloc(len);
231
232 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw);
233
234 if (sw == 0x6982) {
235 if (try_AUT0() < 0)
236 goto err;
237 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw);
238 }
239 if (!sectok_swOK(sw)) {
240 error("sc_private_decrypt: INS_DECRYPT failed: %s",
241 sectok_get_sw(sw));
242 goto err;
243 }
244 olen = RSA_padding_check_PKCS1_type_2(to, len, padded + 1, len - 1,
245 len);
246err:
247 if (padded)
248 xfree(padded);
249 sc_close();
250 return (olen >= 0 ? olen : status);
251}
252
253static int
254sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa,
255 int padding)
256{
257 u_char *padded = NULL;
258 int sw, len, status = -1;
259
260 len = sw = 0;
261 if (sc_fd < 0) {
262 status = sc_init();
263 if (status < 0)
264 goto err;
265 }
266 if (padding != RSA_PKCS1_PADDING)
267 goto err;
268
269 debug("sc_private_encrypt called");
270 len = BN_num_bytes(rsa->n);
271 padded = xmalloc(len);
272
273 if (RSA_padding_add_PKCS1_type_1(padded, len, (u_char *)from, flen) <= 0) {
274 error("RSA_padding_add_PKCS1_type_1 failed");
275 goto err;
276 }
277 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw);
278 if (sw == 0x6982) {
279 if (try_AUT0() < 0)
280 goto err;
281 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw);
282 }
283 if (!sectok_swOK(sw)) {
284 error("sc_private_encrypt: INS_DECRYPT failed: %s",
285 sectok_get_sw(sw));
286 goto err;
287 }
288err:
289 if (padded)
290 xfree(padded);
291 sc_close();
292 return (len >= 0 ? len : status);
293}
294
295/* called on free */
296
297static int (*orig_finish)(RSA *rsa) = NULL;
298
299static int
300sc_finish(RSA *rsa)
301{
302 if (orig_finish)
303 orig_finish(rsa);
304 sc_close();
305 return 1;
306}
307
308/* engine for overloading private key operations */
309
310static RSA_METHOD *
311sc_get_rsa_method(void)
312{
313 static RSA_METHOD smart_rsa;
314 const RSA_METHOD *def = RSA_get_default_method();
315
316 /* use the OpenSSL version */
317 memcpy(&smart_rsa, def, sizeof(smart_rsa));
318
319 smart_rsa.name = "sectok";
320
321 /* overload */
322 smart_rsa.rsa_priv_enc = sc_private_encrypt;
323 smart_rsa.rsa_priv_dec = sc_private_decrypt;
324
325 /* save original */
326 orig_finish = def->finish;
327 smart_rsa.finish = sc_finish;
328
329 return &smart_rsa;
330}
331
332#ifdef USE_ENGINE
333static ENGINE *
334sc_get_engine(void)
335{
336 static ENGINE *smart_engine = NULL;
337
338 if ((smart_engine = ENGINE_new()) == NULL)
339 fatal("ENGINE_new failed");
340
341 ENGINE_set_id(smart_engine, "sectok");
342 ENGINE_set_name(smart_engine, "libsectok");
343
344 ENGINE_set_RSA(smart_engine, sc_get_rsa_method());
345 ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
346 ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
347 ENGINE_set_RAND(smart_engine, RAND_SSLeay());
348 ENGINE_set_BN_mod_exp(smart_engine, BN_mod_exp);
349
350 return smart_engine;
351}
352#endif
353
354void
355sc_close(void)
356{
357 if (sc_fd >= 0) {
358 sectok_close(sc_fd);
359 sc_fd = -1;
360 }
361}
362
363Key **
364sc_get_keys(const char *id, const char *pin)
365{
366 Key *k, *n, **keys;
367 int status, nkeys = 2;
368
369 if (sc_reader_id != NULL)
370 xfree(sc_reader_id);
371 sc_reader_id = xstrdup(id);
372
373 if (sc_pin != NULL)
374 xfree(sc_pin);
375 sc_pin = (pin == NULL) ? NULL : xstrdup(pin);
376
377 k = key_new(KEY_RSA);
378 if (k == NULL) {
379 return NULL;
380 }
381 status = sc_read_pubkey(k);
382 if (status == SCARD_ERROR_NOCARD) {
383 key_free(k);
384 return NULL;
385 }
386 if (status < 0) {
387 error("sc_read_pubkey failed");
388 key_free(k);
389 return NULL;
390 }
391 keys = xcalloc((nkeys+1), sizeof(Key *));
392
393 n = key_new(KEY_RSA1);
394 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
395 (BN_copy(n->rsa->e, k->rsa->e) == NULL))
396 fatal("sc_get_keys: BN_copy failed");
397 RSA_set_method(n->rsa, sc_get_rsa());
398 n->flags |= KEY_FLAG_EXT;
399 keys[0] = n;
400
401 n = key_new(KEY_RSA);
402 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
403 (BN_copy(n->rsa->e, k->rsa->e) == NULL))
404 fatal("sc_get_keys: BN_copy failed");
405 RSA_set_method(n->rsa, sc_get_rsa());
406 n->flags |= KEY_FLAG_EXT;
407 keys[1] = n;
408
409 keys[2] = NULL;
410
411 key_free(k);
412 return keys;
413}
414
415#define NUM_RSA_KEY_ELEMENTS 5+1
416#define COPY_RSA_KEY(x, i) \
417 do { \
418 len = BN_num_bytes(prv->rsa->x); \
419 elements[i] = xmalloc(len); \
420 debug("#bytes %d", len); \
421 if (BN_bn2bin(prv->rsa->x, elements[i]) < 0) \
422 goto done; \
423 } while (0)
424
425static void
426sc_mk_digest(const char *pin, u_char *digest)
427{
428 const EVP_MD *evp_md = EVP_sha1();
429 EVP_MD_CTX md;
430
431 EVP_DigestInit(&md, evp_md);
432 EVP_DigestUpdate(&md, pin, strlen(pin));
433 EVP_DigestFinal(&md, digest, NULL);
434}
435
436static int
437get_AUT0(u_char *aut0)
438{
439 char *pass;
440
441 pass = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN);
442 if (pass == NULL)
443 return -1;
444 if (!strcmp(pass, "-")) {
445 memcpy(aut0, DEFAUT0, sizeof DEFAUT0);
446 return 0;
447 }
448 sc_mk_digest(pass, aut0);
449 memset(pass, 0, strlen(pass));
450 xfree(pass);
451 return 0;
452}
453
454static int
455try_AUT0(void)
456{
457 u_char aut0[EVP_MAX_MD_SIZE];
458
459 /* permission denied; try PIN if provided */
460 if (sc_pin && strlen(sc_pin) > 0) {
461 sc_mk_digest(sc_pin, aut0);
462 if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
463 error("smartcard passphrase incorrect");
464 return (-1);
465 }
466 } else {
467 /* try default AUT0 key */
468 if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) {
469 /* default AUT0 key failed; prompt for passphrase */
470 if (get_AUT0(aut0) < 0 ||
471 cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
472 error("smartcard passphrase incorrect");
473 return (-1);
474 }
475 }
476 }
477 return (0);
478}
479
480int
481sc_put_key(Key *prv, const char *id)
482{
483 u_char *elements[NUM_RSA_KEY_ELEMENTS];
484 u_char key_fid[2];
485 u_char AUT0[EVP_MAX_MD_SIZE];
486 int len, status = -1, i, fd = -1, ret;
487 int sw = 0, cla = 0x00;
488
489 for (i = 0; i < NUM_RSA_KEY_ELEMENTS; i++)
490 elements[i] = NULL;
491
492 COPY_RSA_KEY(q, 0);
493 COPY_RSA_KEY(p, 1);
494 COPY_RSA_KEY(iqmp, 2);
495 COPY_RSA_KEY(dmq1, 3);
496 COPY_RSA_KEY(dmp1, 4);
497 COPY_RSA_KEY(n, 5);
498 len = BN_num_bytes(prv->rsa->n);
499 fd = sectok_friendly_open(id, STONOWAIT, &sw);
500 if (fd < 0) {
501 error("sectok_open failed: %s", sectok_get_sw(sw));
502 goto done;
503 }
504 if (! sectok_cardpresent(fd)) {
505 error("smartcard in reader %s not present", id);
506 goto done;
507 }
508 ret = sectok_reset(fd, 0, NULL, &sw);
509 if (ret <= 0) {
510 error("sectok_reset failed: %s", sectok_get_sw(sw));
511 goto done;
512 }
513 if ((cla = cyberflex_inq_class(fd)) < 0) {
514 error("cyberflex_inq_class failed");
515 goto done;
516 }
517 memcpy(AUT0, DEFAUT0, sizeof(DEFAUT0));
518 if (cyberflex_verify_AUT0(fd, cla, AUT0, sizeof(DEFAUT0)) < 0) {
519 if (get_AUT0(AUT0) < 0 ||
520 cyberflex_verify_AUT0(fd, cla, AUT0, sizeof(DEFAUT0)) < 0) {
521 memset(AUT0, 0, sizeof(DEFAUT0));
522 error("smartcard passphrase incorrect");
523 goto done;
524 }
525 }
526 memset(AUT0, 0, sizeof(DEFAUT0));
527 key_fid[0] = 0x00;
528 key_fid[1] = 0x12;
529 if (cyberflex_load_rsa_priv(fd, cla, key_fid, 5, 8*len, elements,
530 &sw) < 0) {
531 error("cyberflex_load_rsa_priv failed: %s", sectok_get_sw(sw));
532 goto done;
533 }
534 if (!sectok_swOK(sw))
535 goto done;
536 logit("cyberflex_load_rsa_priv done");
537 key_fid[0] = 0x73;
538 key_fid[1] = 0x68;
539 if (cyberflex_load_rsa_pub(fd, cla, key_fid, len, elements[5],
540 &sw) < 0) {
541 error("cyberflex_load_rsa_pub failed: %s", sectok_get_sw(sw));
542 goto done;
543 }
544 if (!sectok_swOK(sw))
545 goto done;
546 logit("cyberflex_load_rsa_pub done");
547 status = 0;
548
549done:
550 memset(elements[0], '\0', BN_num_bytes(prv->rsa->q));
551 memset(elements[1], '\0', BN_num_bytes(prv->rsa->p));
552 memset(elements[2], '\0', BN_num_bytes(prv->rsa->iqmp));
553 memset(elements[3], '\0', BN_num_bytes(prv->rsa->dmq1));
554 memset(elements[4], '\0', BN_num_bytes(prv->rsa->dmp1));
555 memset(elements[5], '\0', BN_num_bytes(prv->rsa->n));
556
557 for (i = 0; i < NUM_RSA_KEY_ELEMENTS; i++)
558 if (elements[i])
559 xfree(elements[i]);
560 if (fd != -1)
561 sectok_close(fd);
562 return (status);
563}
564
565char *
566sc_get_key_label(Key *key)
567{
568 return xstrdup("smartcard key");
569}
570
571#endif /* SMARTCARD && USE_SECTOK */
diff --git a/scard.h b/scard.h
deleted file mode 100644
index 82efe4839..000000000
--- a/scard.h
+++ /dev/null
@@ -1,39 +0,0 @@
1/* $OpenBSD: scard.h,v 1.14 2006/08/03 03:34:42 deraadt Exp $ */
2
3/*
4 * Copyright (c) 2001 Markus Friedl. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#ifndef SCARD_H
28#define SCARD_H
29
30#define SCARD_ERROR_FAIL -1
31#define SCARD_ERROR_NOCARD -2
32#define SCARD_ERROR_APPLET -3
33
34Key **sc_get_keys(const char *, const char *);
35void sc_close(void);
36int sc_put_key(Key *, const char *);
37char *sc_get_key_label(Key *);
38
39#endif
diff --git a/scard/Makefile.in b/scard/Makefile.in
deleted file mode 100644
index 8519e208b..000000000
--- a/scard/Makefile.in
+++ /dev/null
@@ -1,29 +0,0 @@
1# $Id: Makefile.in,v 1.5 2006/10/23 21:44:47 tim Exp $
2
3prefix=@prefix@
4datadir=@datadir@
5datarootdir=@datarootdir@
6srcdir=@srcdir@
7top_srcdir=@top_srcdir@
8
9INSTALL=@INSTALL@
10
11VPATH=@srcdir@
12
13all:
14
15#Ssh.bin: Ssh.bin.uu
16# uudecode Ssh.bin.uu
17
18clean:
19# rm -rf Ssh.bin
20
21distprep:
22 uudecode Ssh.bin.uu
23
24distclean: clean
25 rm -f Makefile *~
26
27install: $(srcdir)/Ssh.bin
28 $(top_srcdir)/mkinstalldirs $(DESTDIR)$(datadir)
29 $(INSTALL) -m 0644 $(srcdir)/Ssh.bin $(DESTDIR)$(datadir)/Ssh.bin
diff --git a/scard/Ssh.bin.uu b/scard/Ssh.bin.uu
deleted file mode 100644
index ea3986a69..000000000
--- a/scard/Ssh.bin.uu
+++ /dev/null
@@ -1,17 +0,0 @@
1begin 644 Ssh.bin
2M`P)!&P`801X`>``!`E@"`/Y@\`4`_J'P!0!!&T$=`?Z@\`4`01M!'`'^>/,!
3M`4$;01X!_G#S%P'^0],1`?Y@\!0`_G/S'0#^<]4``D$;L`4`_F'3``#^8=,%
4M`/ZAT`$!_J#0)P'^H],*`?ZCTPD`_G/5"P7^8=,'`OZAT`H`_J#0$@3^:-,@
5M`T$;`P`%`/Y@`<P``$$<\@\``$$=\B$``$$>\A```/`0__(%`@8!`0H``&``
6M0205!!D)I$L`"0J0`&``*!4$&58``````.P````%____P````.D````0````
7M,P```"````#'````,````(T````R````V!4#&0A*``D*;@!@`"@5!QD*`/\]
8M(6``1A)*``D*9P!@`"@*/P!@`$LK"1)@`$LK!6``4!P$#00#2@`.#01@`%5@
9M`%I@`"@37``>%0@2%0A>`%\($F``9%(`:`H_`&``2RL*<VA@`$LK8`!I"1`U
10M(14#`Q)@`&X<!`T$`TL`"P,28`!D4@`.#01@`%5@`%I@`"A2`"X5`PH$`&``
11M<RL#!6``9%(`'14#"@$"8`!S*P,%8`!D4@`,4@`)"FT`8``H60``\`+_\@$!
12M`0D`"```"I``8``H60#P$__R`0$""0`,``!B01LM7P`\*UD```#P$O_V`0$#
13M`0`8```37``>7@`R10`/$UP`'@H`R`D07@`W!%>P!?_R`0$$`@`\```37P``
14M$V+^H2U?``5=``H38OZ@+5\`#UT`%!-B_G@M"@0`7P`970`>"@0`8``C10`)
15/"F<`8``H$UX`+5D`````
16`
17end
diff --git a/scard/Ssh.java b/scard/Ssh.java
deleted file mode 100644
index 6418957c2..000000000
--- a/scard/Ssh.java
+++ /dev/null
@@ -1,164 +0,0 @@
1// $Id: Ssh.java,v 1.3 2002/05/22 04:24:02 djm Exp $
2//
3// Ssh.java
4// SSH / smartcard integration project, smartcard side
5//
6// Tomoko Fukuzawa, created, Feb., 2000
7//
8// Naomaru Itoi, modified, Apr., 2000
9//
10
11// copyright 2000
12// the regents of the university of michigan
13// all rights reserved
14//
15// permission is granted to use, copy, create derivative works
16// and redistribute this software and such derivative works
17// for any purpose, so long as the name of the university of
18// michigan is not used in any advertising or publicity
19// pertaining to the use or distribution of this software
20// without specific, written prior authorization. if the
21// above copyright notice or any other identification of the
22// university of michigan is included in any copy of any
23// portion of this software, then the disclaimer below must
24// also be included.
25//
26// this software is provided as is, without representation
27// from the university of michigan as to its fitness for any
28// purpose, and without warranty by the university of
29// michigan of any kind, either express or implied, including
30// without limitation the implied warranties of
31// merchantability and fitness for a particular purpose. the
32// regents of the university of michigan shall not be liable
33// for any damages, including special, indirect, incidental, or
34// consequential damages, with respect to any claim arising
35// out of or in connection with the use of the software, even
36// if it has been or is hereafter advised of the possibility of
37// such damages.
38
39import javacard.framework.*;
40import javacardx.framework.*;
41import javacardx.crypto.*;
42
43public class Ssh extends javacard.framework.Applet
44{
45 // Change this when the applet changes; hi byte is major, low byte is minor
46 static final short applet_version = (short)0x0102;
47
48 /* constants declaration */
49 // code of CLA byte in the command APDU header
50 static final byte Ssh_CLA =(byte)0x05;
51
52 // codes of INS byte in the command APDU header
53 static final byte DECRYPT = (byte) 0x10;
54 static final byte GET_KEYLENGTH = (byte) 0x20;
55 static final byte GET_PUBKEY = (byte) 0x30;
56 static final byte GET_VERSION = (byte) 0x32;
57 static final byte GET_RESPONSE = (byte) 0xc0;
58
59 static final short keysize = 1024;
60 static final short root_fid = (short)0x3f00;
61 static final short privkey_fid = (short)0x0012;
62 static final short pubkey_fid = (short)(('s'<<8)|'h');
63
64 /* instance variables declaration */
65 AsymKey rsakey;
66 CyberflexFile file;
67 CyberflexOS os;
68
69 private Ssh()
70 {
71 file = new CyberflexFile();
72 os = new CyberflexOS();
73
74 rsakey = new RSA_CRT_PrivateKey (keysize);
75
76 if ( ! rsakey.isSupportedLength (keysize) )
77 ISOException.throwIt (ISO.SW_WRONG_LENGTH);
78
79 register();
80 } // end of the constructor
81
82 public boolean select() {
83 if (!rsakey.isInitialized())
84 rsakey.setKeyInstance ((short)0xc8, (short)0x10);
85
86 return true;
87 }
88
89 public static void install(APDU apdu)
90 {
91 new Ssh(); // create a Ssh applet instance (card)
92 } // end of install method
93
94 public static void main(String args[]) {
95 ISOException.throwIt((short) 0x9000);
96 }
97
98 public void process(APDU apdu)
99 {
100 // APDU object carries a byte array (buffer) to
101 // transfer incoming and outgoing APDU header
102 // and data bytes between card and CAD
103 byte buffer[] = apdu.getBuffer();
104 short size, st;
105
106 // verify that if the applet can accept this
107 // APDU message
108 // NI: change suggested by Wayne Dyksen, Purdue
109 if (buffer[ISO.OFFSET_INS] == ISO.INS_SELECT)
110 ISOException.throwIt(ISO.SW_NO_ERROR);
111
112 switch (buffer[ISO.OFFSET_INS]) {
113 case DECRYPT:
114 if (buffer[ISO.OFFSET_CLA] != Ssh_CLA)
115 ISOException.throwIt(ISO.SW_CLA_NOT_SUPPORTED);
116 //decrypt (apdu);
117 size = (short) (buffer[ISO.OFFSET_LC] & 0x00FF);
118
119 if (apdu.setIncomingAndReceive() != size)
120 ISOException.throwIt (ISO.SW_WRONG_LENGTH);
121
122 // check access; depends on bit 2 (x/a)
123 file.selectFile(root_fid);
124 file.selectFile(privkey_fid);
125 st = os.checkAccess(ACL.EXECUTE);
126 if (st != ST.ACCESS_CLEARED) {
127 CyberflexAPDU.prepareSW1SW2(st);
128 ISOException.throwIt(CyberflexAPDU.getSW1SW2());
129 }
130
131 rsakey.cryptoUpdate (buffer, (short) ISO.OFFSET_CDATA, size,
132 buffer, (short) ISO.OFFSET_CDATA);
133
134 apdu.setOutgoingAndSend ((short) ISO.OFFSET_CDATA, size);
135 break;
136 case GET_PUBKEY:
137 file.selectFile(root_fid); // select root
138 file.selectFile(pubkey_fid); // select public key file
139 size = (short)(file.getFileSize() - 16);
140 st = os.readBinaryFile(buffer, (short)0, (short)0, size);
141 if (st == ST.SUCCESS)
142 apdu.setOutgoingAndSend((short)0, size);
143 else {
144 CyberflexAPDU.prepareSW1SW2(st);
145 ISOException.throwIt(CyberflexAPDU.getSW1SW2());
146 }
147 break;
148 case GET_KEYLENGTH:
149 Util.setShort(buffer, (short)0, keysize);
150 apdu.setOutgoingAndSend ((short)0, (short)2);
151 break;
152 case GET_VERSION:
153 Util.setShort(buffer, (short)0, applet_version);
154 apdu.setOutgoingAndSend ((short)0, (short)2);
155 break;
156 case GET_RESPONSE:
157 break;
158 default:
159 ISOException.throwIt (ISO.SW_INS_NOT_SUPPORTED);
160 }
161
162 } // end of process method
163
164} // end of class Ssh
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-26 19:00:00 +0000