36 #include <ldns/ldns.h>
37 #include <ldns/util.h>
39 #include <libxml/tree.h>
40 #include <libxml/parser.h>
41 #include <libxml/xpath.h>
42 #include <libxml/xpathInternals.h>
43 #include <libxml/relaxng.h>
54 #define HSM_TOKEN_LABEL_LENGTH 32
62 ldns_pkcs11_rv_str(CK_RV rv)
71 return "CKR_HOST_MEMORY";
73 return "CKR_GENERAL_ERROR";
75 return "CKR_FUNCTION_FAILED";
77 return "CKR_SLOT_ID_INVALID";
79 return "CKR_ATTRIBUTE_READ_ONLY";
81 return "CKR_ATTRIBUTE_SENSITIVE";
83 return "CKR_ATTRIBUTE_TYPE_INVALID";
85 return "CKR_ATTRIBUTE_VALUE_INVALID";
87 return "CKR_DATA_INVALID";
89 return "CKR_DATA_LEN_RANGE";
91 return "CKR_DEVICE_ERROR";
93 return "CKR_DEVICE_MEMORY";
95 return "CKR_DEVICE_REMOVED";
97 return "CKR_ENCRYPTED_DATA_INVALID";
99 return "CKR_ENCRYPTED_DATA_LEN_RANGE";
101 return "CKR_FUNCTION_CANCELED";
103 return "CKR_FUNCTION_NOT_PARALLEL";
105 return "CKR_FUNCTION_NOT_SUPPORTED";
107 return "CKR_KEY_HANDLE_INVALID";
109 return "CKR_KEY_SIZE_RANGE";
111 return "CKR_KEY_TYPE_INCONSISTENT";
113 return "CKR_MECHANISM_INVALID";
115 return "CKR_MECHANISM_PARAM_INVALID";
117 return "CKR_OBJECT_HANDLE_INVALID";
119 return "CKR_OPERATION_ACTIVE";
121 return "CKR_OPERATION_NOT_INITIALIZED";
123 return "CKR_PIN_INCORRECT";
125 return "CKR_PIN_INVALID";
127 return "CKR_PIN_LEN_RANGE";
129 return "CKR_SESSION_CLOSED";
131 return "CKR_SESSION_COUNT";
133 return "CKR_SESSION_HANDLE_INVALID";
135 return "CKR_SESSION_PARALLEL_NOT_SUPPORTED";
137 return "CKR_SESSION_READ_ONLY";
139 return "CKR_SESSION_EXISTS";
141 return "CKR_SIGNATURE_INVALID";
143 return "CKR_SIGNATURE_LEN_RANGE";
145 return "CKR_TEMPLATE_INCOMPLETE";
147 return "CKR_TEMPLATE_INCONSISTENT";
149 return "CKR_TOKEN_NOT_PRESENT";
151 return "CKR_TOKEN_NOT_RECOGNIZED";
153 return "CKR_TOKEN_WRITE_PROTECTED";
155 return "CKR_UNWRAPPING_KEY_HANDLE_INVALID";
157 return "CKR_UNWRAPPING_KEY_SIZE_RANGE";
159 return "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT";
161 return "CKR_USER_ALREADY_LOGGED_IN";
163 return "CKR_USER_NOT_LOGGED_IN";
165 return "CKR_USER_PIN_NOT_INITIALIZED";
167 return "CKR_USER_TYPE_INVALID";
169 return "CKR_WRAPPED_KEY_INVALID";
171 return "CKR_WRAPPED_KEY_LEN_RANGE";
173 return "CKR_WRAPPING_KEY_HANDLE_INVALID";
175 return "CKR_WRAPPING_KEY_SIZE_RANGE";
177 return "CKR_WRAPPING_KEY_TYPE_INCONSISTENT";
179 return "CKR_RANDOM_SEED_NOT_SUPPORTED";
184 return "CKR_VENDOR_DEFINED";
186 return "CKR_BUFFER_TOO_SMALL";
188 return "CKR_SAVED_STATE_INVALID";
190 return "CKR_INFORMATION_SENSITIVE";
192 return "CKR_STATE_UNSAVEABLE";
194 return "CKR_CRYPTOKI_NOT_INITIALIZED";
196 return "CKR_CRYPTOKI_ALREADY_INITIALIZED";
198 return "CKR_MUTEX_BAD";
200 return "CKR_MUTEX_NOT_LOCKED";
202 return "Unknown error";
208 const char *message, ...)
216 va_start(args, message);
235 hsm_pkcs11_check_error(
hsm_ctx_t *
ctx, CK_RV rv,
const char *action)
250 hsm_pkcs11_unload_functions(
void *handle)
253 #if defined(HAVE_LOADLIBRARY)
255 #elif defined(HAVE_DLOPEN)
256 (void) dlclose(handle);
265 CK_C_GetFunctionList pGetFunctionList = NULL;
267 if (module && module->
path) {
270 #if defined(HAVE_LOADLIBRARY)
272 HINSTANCE hDLL = LoadLibrary(_T(module->
path));
280 pGetFunctionList = (CK_C_GetFunctionList)
281 GetProcAddress(hDLL, _T(
"C_GetFunctionList"));
283 #elif defined(HAVE_DLOPEN)
285 void* pDynLib = dlopen(module->
path, RTLD_NOW | RTLD_LOCAL);
287 if (pDynLib == NULL) {
293 pGetFunctionList = (CK_C_GetFunctionList) dlsym(pDynLib,
"C_GetFunctionList");
302 #ifdef HAVE_PKCS11_MODULE
303 return C_GetFunctionList(pkcs11_functions);
309 if (pGetFunctionList == NULL) {
325 if (data == NULL || len == NULL)
return;
329 while ((
unsigned short int)(*p) == 0 && l > 1) {
344 const char *token_name)
353 if (hsm_pkcs11_check_error(
ctx, rv,
"C_GetTokenInfo")) {
359 memcpy(token_name_bytes, token_name, strlen(token_name));
364 result = memcmp(token_info.
label,
373 uint8_t use_pubkey, uint8_t allowextract, uint8_t require_backup)
377 if (!name || !module || !tokenlabel)
return NULL;
384 r->
name = strdup(name);
385 r->
module = strdup(module);
392 r->
pin = strdup(pin);
420 const char *token_name, CK_SLOT_ID *slotId)
428 if (token_name == NULL || slotId == NULL)
return HSM_ERROR;
431 if (hsm_pkcs11_check_error(
ctx, rv,
"get slot list")) {
437 "No slots found in HSM");
439 }
else if (slotCount > (SIZE_MAX /
sizeof(CK_SLOT_ID))) {
441 "Too many slots found in HSM");
445 slotIds = malloc(
sizeof(CK_SLOT_ID) * slotCount);
446 if(slotIds == NULL) {
448 "Could not allocate slot ID table");
453 if (hsm_pkcs11_check_error(
ctx, rv,
"get slot list")) {
457 for (cur_slot = 0; cur_slot < slotCount; cur_slot++) {
458 if (hsm_pkcs11_check_token_name(
ctx,
462 *slotId = slotIds[cur_slot];
470 "could not find token with the name %s", token_name);
479 hsm_module_new(
const char *repository,
480 const char *token_label,
486 if (!repository || !path)
return NULL;
490 if (!module)
return NULL;
504 module->
name = strdup(repository);
506 module->
path = strdup(path);
517 if (module->
name) free(module->
name);
519 if (module->
path) free(module->
path);
527 hsm_session_new(
hsm_module_t *module, CK_SESSION_HANDLE session_handle)
532 session->
session = session_handle;
556 const char *repository,
const char *token_label,
557 const char *module_path,
const char *pin,
564 CK_SESSION_HANDLE session_handle;
565 int first = 1, result;
572 module = hsm_module_new(repository, token_label, module_path, config);
574 rv = hsm_pkcs11_load_functions(module);
577 "hsm_session_init()",
578 "PKCS#11 module load failed: %s", module_path);
579 hsm_module_free(module);
586 if (hsm_pkcs11_check_error(
ctx, rv,
"Initialization")) {
587 hsm_module_free(module);
593 result = hsm_get_slot_id(
ctx, module->
sym, token_label, &
slot_id);
595 hsm_module_free(module);
603 if (hsm_pkcs11_check_error(
ctx, rv,
"Open first session")) {
604 hsm_module_free(module);
609 (
unsigned char *) pin,
610 strlen((
char *)pin));
613 *session = hsm_session_new(module, session_handle);
617 if (session_handle) {
619 C_CloseSession(session_handle);
620 if (hsm_pkcs11_check_error(
ctx, rv,
621 "finalize after failed login")) {
622 hsm_module_free(module);
630 if (hsm_pkcs11_check_error(
ctx, rv,
"finalize after failed login")) {
631 hsm_module_free(module);
635 hsm_module_free(module);
640 "hsm_session_init()",
641 "Incorrect PIN for repository %s", repository);
655 CK_SESSION_HANDLE session_handle;
659 result = hsm_get_slot_id(
ctx,
663 if (result !=
HSM_OK)
return NULL;
670 if (hsm_pkcs11_check_error(
ctx, rv,
"Clone session")) {
673 new_session = hsm_session_new(session->
module, session_handle);
722 (void) hsm_pkcs11_check_error(
ctx, rv,
"Logout");
727 (void) hsm_pkcs11_check_error(
ctx, rv,
"Close session");
732 (void) hsm_pkcs11_check_error(
ctx, rv,
"Finalize");
735 hsm_module_free(session->
module);
738 hsm_session_free(session);
771 if (!
ctx || !session)
return -1;
787 new_ctx = hsm_ctx_new();
793 hsm_ctx_close(new_ctx, 0);
796 hsm_ctx_add_session(new_ctx, new_session);
836 CK_KEY_TYPE key_type;
847 if (hsm_pkcs11_check_error(
ctx, rv,
848 "Get attr value algorithm type")) {
856 if ((
CK_LONG)
template[0].ulValueLen < 1) {
896 if (hsm_pkcs11_check_error(
ctx, rv,
897 "Get attr value algorithm type")) {
901 if ((
CK_ULONG)
template[0].ulValueLen < 1) {
911 if (hsm_pkcs11_check_error(
ctx, rv,
"Could not get the size of the modulus of the private key")) {
916 modulus = (
CK_BYTE_PTR)malloc(template2[0].ulValueLen);
917 template2[0].pValue = modulus;
918 if (modulus == NULL) {
920 "Error allocating memory for modulus");
930 if (hsm_pkcs11_check_error(
ctx, rv,
"Could not get the modulus of the private key")) {
936 modulus_bits = template2[0].ulValueLen * 8;
938 for (
int i = 0; modulus_bits && (modulus[i] & mask) == 0; modulus_bits--) {
972 if (hsm_pkcs11_check_error(
ctx, rv,
"Could not get the size of the prime of the private key")) {
976 return template2[0].ulValueLen * 8;
982 static unsigned char *
996 if (!session || !session->
module || !key || !data_len) {
1005 if (hsm_pkcs11_check_error(
ctx, rv,
"C_GetAttributeValue")) {
1013 "Error allocating memory for value");
1023 if (hsm_pkcs11_check_error(
ctx, rv,
"get attribute value")) {
1028 if(
value_len !=
template[0].ulValueLen) {
1030 "HSM returned two different length for a same CKA_EC_POINT. " \
1031 "Abnormal behaviour detected.");
1039 "The DER value is too short");
1045 if (
value[0] != 0x04) {
1047 "Invalid identifier octet in the DER value");
1054 if (
value[1] <= 0x7F) {
1056 }
else if (
value[1] == 0x80) {
1058 "Indefinite length is not supported in DER values");
1063 header_len +=
value[1] & 0x80;
1069 "The value is too short");
1076 if (
value[header_len] != 0x04) {
1078 "The value is not uncompressed");
1085 data = malloc(*data_len);
1088 "Error allocating memory for data");
1093 memcpy(data,
value + header_len, *data_len);
1111 if (
value == NULL)
return 0;
1128 static unsigned char *
1142 if (!session || !session->
module || !key || !data_len) {
1151 if (hsm_pkcs11_check_error(
ctx, rv,
"C_GetAttributeValue")) {
1159 "Error allocating memory for value");
1169 if (hsm_pkcs11_check_error(
ctx, rv,
"get attribute value")) {
1174 if(
value_len !=
template[0].ulValueLen) {
1176 "HSM returned two different length for the same CKA_EC_POINT. " \
1177 "Abnormal behaviour detected.");
1185 "The DER value is too short");
1191 if (
value[0] != 0x04) {
1193 "Invalid identifier octet in the DER value");
1200 if (
value[1] <= 0x7F) {
1202 }
else if (
value[1] == 0x80) {
1204 "Indefinite length is not supported in DER values");
1209 header_len +=
value[1] & 0x80;
1215 "The value is too short");
1221 data = malloc(*data_len);
1224 "Error allocating memory for data");
1229 memcpy(data,
value + header_len, *data_len);
1248 if (
value == NULL)
return 0;
1282 return hsm_get_key_size_rsa(
ctx, session, key);
1285 return hsm_get_key_size_dsa(
ctx, session, key);
1291 return hsm_get_key_size_ecdsa(
ctx, session, key);
1293 return hsm_get_key_size_eddsa(
ctx, session, key);
1299 static CK_OBJECT_HANDLE
1302 CK_OBJECT_CLASS key_class,
1307 CK_OBJECT_HANDLE object;
1311 {
CKA_CLASS, &key_class,
sizeof(key_class) },
1317 if (hsm_pkcs11_check_error(
ctx, rv,
"Find objects init")) {
1325 if (hsm_pkcs11_check_error(
ctx, rv,
"Find object")) {
1327 hsm_pkcs11_check_error(
ctx, rv,
"Find objects cleanup");
1332 if (hsm_pkcs11_check_error(
ctx, rv,
"Find object final")) {
1336 if (objectCount > 0) {
1348 static unsigned char *
1349 hsm_hex_parse(
const char *hex,
size_t *len)
1351 unsigned char *bytes;
1356 if (!len)
return NULL;
1359 if (!hex)
return NULL;
1360 hex_len = strlen(hex);
1361 if (hex_len % 2 != 0) {
1366 bytes = malloc(*len);
1367 for (i = 0; i < *len; i++) {
1368 bytes[i] = ldns_hexdigit_to_int(hex[2*i]) * 16 +
1369 ldns_hexdigit_to_int(hex[2*i+1]);
1379 hsm_hex_unparse(
char *dst,
const unsigned char *src,
size_t len)
1381 size_t dst_len = len*2 + 1;
1384 for (i = 0; i < len; i++) {
1385 snprintf(dst + (2*i), dst_len,
"%02x", src[i]);
1397 CK_OBJECT_HANDLE
object,
1413 if (hsm_pkcs11_check_error(
ctx, rv,
"Get attr value")) {
1418 if ((
CK_LONG)
template[0].ulValueLen < 1) {
1424 template[0].pValue = malloc(
template[0].ulValueLen);
1430 if (hsm_pkcs11_check_error(
ctx, rv,
"Get attr value 2")) {
1432 free(
template[0].pValue);
1436 *len =
template[0].ulValueLen;
1437 return template[0].pValue;
1447 CK_OBJECT_HANDLE
object)
1453 id = hsm_get_id_for_object(
ctx, session,
object, &len);
1455 if (!
id)
return NULL;
1457 key = libhsm_key_new();
1461 key->
public_key = hsm_find_object_handle_for_id(
1489 {
CKA_CLASS, &key_class,
sizeof(key_class) },
1496 CK_OBJECT_HANDLE
object[max_object_count];
1497 CK_OBJECT_HANDLE *key_handles = NULL, *new_key_handles = NULL;
1502 if (hsm_pkcs11_check_error(
ctx, rv,
"Find objects init")) {
1507 while (objectCount > 0) {
1512 if (hsm_pkcs11_check_error(
ctx, rv,
"Find first object")) {
1514 hsm_pkcs11_check_error(
ctx, rv,
"Find objects cleanup");
1518 total_count += objectCount;
1519 if (objectCount > 0 && store) {
1520 if (SIZE_MAX /
sizeof(CK_OBJECT_HANDLE) < total_count) {
1522 "Too much object handle returned by HSM to allocate key_handles");
1526 new_key_handles = realloc(key_handles, total_count *
sizeof(CK_OBJECT_HANDLE));
1527 if (new_key_handles != NULL) {
1528 key_handles = new_key_handles;
1531 "Error allocating memory for object handle (OOM)");
1535 for (i = 0; i < objectCount; i++) {
1536 key_handles[j] =
object[i];
1543 if (hsm_pkcs11_check_error(
ctx, rv,
"Find objects final")) {
1550 "Too much object handle returned by HSM to allocate keys");
1557 "Error allocating memory for keys table (OOM)");
1561 for (i = 0; i < total_count; i++) {
1562 key = libhsm_key_new_privkey_object_handle(
ctx, session,
1573 *count = total_count;
1594 return hsm_list_keys_session_internal(
ctx, session, count, 1);
1603 const unsigned char *
id,
size_t len)
1606 CK_OBJECT_HANDLE private_key_handle;
1608 private_key_handle = hsm_find_object_handle_for_id(
1614 if (private_key_handle != 0) {
1615 key = libhsm_key_new_privkey_object_handle(
ctx, session,
1616 private_key_handle);
1634 const unsigned char *
id,
1640 if (!
id)
return NULL;
1649 key = hsm_find_key_by_id_session(
ctx,
ctx->
session[i],
id, len);
1666 hsm_find_repository_session(
hsm_ctx_t *
ctx,
const char *repository)
1686 "hsm_find_repository_session()",
1687 "Can't find repository: %s", repository);
1701 unsigned long hKey = 0;
1702 unsigned char *data = NULL;
1703 size_t data_size = 0;
1711 if (!session || !session->
module) {
1726 if (hsm_pkcs11_check_error(
ctx, rv,
"C_GetAttributeValue")) {
1729 public_exponent_len =
template[0].ulValueLen;
1730 modulus_len =
template[1].ulValueLen;
1732 public_exponent =
template[0].pValue = malloc(public_exponent_len);
1733 if (!public_exponent) {
1735 "Error allocating memory for public exponent");
1739 modulus =
template[1].pValue = malloc(modulus_len);
1742 "Error allocating memory for modulus");
1743 free(public_exponent);
1752 if (hsm_pkcs11_check_error(
ctx, rv,
"get attribute value")) {
1753 free(
template[0].pValue);
1754 free(
template[1].pValue);
1759 hsm_remove_leading_zeroes(public_exponent, &public_exponent_len);
1760 hsm_remove_leading_zeroes(modulus, &modulus_len);
1762 data_size = public_exponent_len + modulus_len + 1;
1763 if (public_exponent_len <= 255) {
1764 data = malloc(data_size);
1767 "Error allocating memory for pub key rr data");
1768 free(public_exponent);
1772 data[0] = public_exponent_len;
1773 memcpy(&data[1], public_exponent, public_exponent_len);
1774 memcpy(&data[1 + public_exponent_len], modulus, modulus_len);
1775 }
else if (public_exponent_len <= 65535) {
1777 data = malloc(data_size);
1780 "Error allocating memory for pub key rr data");
1781 free(public_exponent);
1786 ldns_write_uint16(&data[1], (uint16_t) public_exponent_len);
1787 memcpy(&data[3], public_exponent, public_exponent_len);
1788 memcpy(&data[3 + public_exponent_len], modulus, modulus_len);
1791 "Public exponent too big");
1792 free(public_exponent);
1796 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, data_size, data);
1797 free(public_exponent);
1816 unsigned char *data = NULL;
1817 size_t data_size = 0;
1827 if (!session || !session->
module) {
1837 if (hsm_pkcs11_check_error(
ctx, rv,
"C_GetAttributeValue")) {
1840 prime_len =
template[0].ulValueLen;
1841 subprime_len =
template[1].ulValueLen;
1842 base_len =
template[2].ulValueLen;
1845 prime =
template[0].pValue = malloc(prime_len);
1848 "Error allocating memory for prime");
1852 subprime =
template[1].pValue = malloc(subprime_len);
1855 "Error allocating memory for subprime");
1860 base =
template[2].pValue = malloc(base_len);
1863 "Error allocating memory for base");
1872 "Error allocating memory for value");
1884 if (hsm_pkcs11_check_error(
ctx, rv,
"get attribute value")) {
1892 data_size = prime_len + subprime_len + base_len +
value_len + 1;
1893 data = malloc(data_size);
1896 "Error allocating memory for pub key rr data");
1903 data[0] = (prime_len - 64) / 8;
1904 memcpy(&data[1], subprime, subprime_len);
1905 memcpy(&data[1 + subprime_len], prime, prime_len);
1906 memcpy(&data[1 + subprime_len + prime_len], base, base_len);
1907 memcpy(&data[1 + subprime_len + prime_len + base_len],
value,
value_len);
1909 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, data_size, data);
1931 if (!session || !session->
module) {
1941 if (hsm_pkcs11_check_error(
ctx, rv,
"C_GetAttributeValue")) {
1949 "Error allocating memory for value");
1958 if (hsm_pkcs11_check_error(
ctx, rv,
"get attribute value")) {
1974 if (
value == NULL)
return NULL;
1976 ldns_rdf *rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64,
value_len,
value);
1988 if (
value == NULL)
return NULL;
1990 ldns_rdf *rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64,
value_len,
value);
1999 switch (hsm_get_key_algorithm(
ctx, session, key)) {
2001 return hsm_get_key_rdata_rsa(
ctx, session, key);
2004 return hsm_get_key_rdata_dsa(
ctx, session, key);
2007 return hsm_get_key_rdata_gost(
ctx, session, key);
2010 return hsm_get_key_rdata_ecdsa(
ctx, session, key);
2012 return hsm_get_key_rdata_eddsa(
ctx, session, key);
2023 hsm_create_prefix(
CK_ULONG digest_len,
2028 const CK_BYTE RSA_MD5_ID[] = { 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
2029 const CK_BYTE RSA_SHA1_ID[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14 };
2030 const CK_BYTE RSA_SHA256_ID[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };
2031 const CK_BYTE RSA_SHA512_ID[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 };
2033 switch((ldns_signing_algorithm)
algorithm) {
2034 case LDNS_SIGN_RSAMD5:
2035 *data_size =
sizeof(RSA_MD5_ID) + digest_len;
2036 data = malloc(*data_size);
2037 memcpy(data, RSA_MD5_ID,
sizeof(RSA_MD5_ID));
2039 case LDNS_SIGN_RSASHA1:
2040 case LDNS_SIGN_RSASHA1_NSEC3:
2041 *data_size =
sizeof(RSA_SHA1_ID) + digest_len;
2042 data = malloc(*data_size);
2043 memcpy(data, RSA_SHA1_ID,
sizeof(RSA_SHA1_ID));
2045 case LDNS_SIGN_RSASHA256:
2046 *data_size =
sizeof(RSA_SHA256_ID) + digest_len;
2047 data = malloc(*data_size);
2048 memcpy(data, RSA_SHA256_ID,
sizeof(RSA_SHA256_ID));
2050 case LDNS_SIGN_RSASHA512:
2051 *data_size =
sizeof(RSA_SHA512_ID) + digest_len;
2052 data = malloc(*data_size);
2053 memcpy(data, RSA_SHA512_ID,
sizeof(RSA_SHA512_ID));
2056 case LDNS_SIGN_DSA_NSEC3:
2057 case LDNS_SIGN_ECC_GOST:
2058 case LDNS_SIGN_ECDSAP256SHA256:
2059 case LDNS_SIGN_ECDSAP384SHA384:
2060 *data_size = digest_len;
2061 data = malloc(*data_size);
2072 CK_MECHANISM_TYPE mechanism_type,
2074 ldns_buffer *sign_buf)
2080 digest_mechanism.pParameter = NULL;
2081 digest_mechanism.ulParameterLen = 0;
2082 digest_mechanism.
mechanism = mechanism_type;
2083 digest = malloc(digest_len);
2086 if (hsm_pkcs11_check_error(
ctx, rv,
"HSM digest init")) {
2092 ldns_buffer_begin(sign_buf),
2093 ldns_buffer_position(sign_buf),
2096 if (hsm_pkcs11_check_error(
ctx, rv,
"HSM digest")) {
2105 ldns_buffer *sign_buf,
2114 int data_direct = 0;
2125 session = hsm_find_key_session(
ctx, key);
2126 if (!session)
return NULL;
2131 switch ((ldns_signing_algorithm)
algorithm) {
2132 case LDNS_SIGN_RSAMD5:
2134 digest = hsm_digest_through_hsm(
ctx, session,
2138 case LDNS_SIGN_RSASHA1:
2139 case LDNS_SIGN_RSASHA1_NSEC3:
2141 case LDNS_SIGN_DSA_NSEC3:
2142 digest_len = LDNS_SHA1_DIGEST_LENGTH;
2143 digest = malloc(digest_len);
2144 digest = ldns_sha1(ldns_buffer_begin(sign_buf),
2145 ldns_buffer_position(sign_buf),
2149 case LDNS_SIGN_RSASHA256:
2150 case LDNS_SIGN_ECDSAP256SHA256:
2151 digest_len = LDNS_SHA256_DIGEST_LENGTH;
2152 digest = malloc(digest_len);
2153 digest = ldns_sha256(ldns_buffer_begin(sign_buf),
2154 ldns_buffer_position(sign_buf),
2157 case LDNS_SIGN_ECDSAP384SHA384:
2158 digest_len = LDNS_SHA384_DIGEST_LENGTH;
2159 digest = malloc(digest_len);
2160 digest = ldns_sha384(ldns_buffer_begin(sign_buf),
2161 ldns_buffer_position(sign_buf),
2164 case LDNS_SIGN_RSASHA512:
2165 digest_len = LDNS_SHA512_DIGEST_LENGTH;
2166 digest = malloc(digest_len);
2167 digest = ldns_sha512(ldns_buffer_begin(sign_buf),
2168 ldns_buffer_position(sign_buf),
2171 case LDNS_SIGN_ECC_GOST:
2173 digest = hsm_digest_through_hsm(
ctx, session,
2177 #if (LDNS_REVISION >= ((1<<16)|(7<<8)|(0)))
2178 case LDNS_SIGN_ED25519:
2181 case LDNS_SIGN_ED448:
2191 if (!data_direct && !digest) {
2196 data = ldns_buffer_begin(sign_buf);
2197 data_len = ldns_buffer_position(sign_buf);
2202 data = hsm_create_prefix(digest_len,
algorithm, &data_len);
2203 memcpy(data + data_len - digest_len, digest, digest_len);
2206 sign_mechanism.pParameter = NULL;
2207 sign_mechanism.ulParameterLen = 0;
2208 switch((ldns_signing_algorithm)
algorithm) {
2209 case LDNS_SIGN_RSAMD5:
2210 case LDNS_SIGN_RSASHA1:
2211 case LDNS_SIGN_RSASHA1_NSEC3:
2212 case LDNS_SIGN_RSASHA256:
2213 case LDNS_SIGN_RSASHA512:
2217 case LDNS_SIGN_DSA_NSEC3:
2220 case LDNS_SIGN_ECC_GOST:
2223 case LDNS_SIGN_ECDSAP256SHA256:
2224 case LDNS_SIGN_ECDSAP384SHA384:
2227 #if (LDNS_REVISION >= ((1<<16)|(7<<8)|(0)))
2228 case LDNS_SIGN_ED25519:
2231 case LDNS_SIGN_ED448:
2247 if (hsm_pkcs11_check_error(
ctx, rv,
"sign init")) {
2258 if (hsm_pkcs11_check_error(
ctx, rv,
"sign final")) {
2266 sig_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
2280 hsm_dname_is_wildcard(
const ldns_rdf* dname)
2282 return ( ldns_dname_label_count(dname) > 0 &&
2283 ldns_rdf_data(dname)[0] == 1 &&
2284 ldns_rdf_data(dname)[1] ==
'*');
2288 hsm_create_empty_rrsig(
const ldns_rr_list *rrset,
2293 uint32_t orig_class;
2295 uint8_t label_count;
2297 label_count = ldns_dname_label_count(
2298 ldns_rr_owner(ldns_rr_list_rr(rrset, 0)));
2300 if (hsm_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0)))) {
2304 rrsig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
2307 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
2308 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0));
2310 ldns_rr_set_class(rrsig, orig_class);
2311 ldns_rr_set_ttl(rrsig, orig_ttl);
2312 ldns_rr_set_owner(rrsig,
2315 ldns_rr_list_rr(rrset,
2321 (void)ldns_rr_rrsig_set_origttl(
2323 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
2326 (void)ldns_rr_rrsig_set_signame(
2328 ldns_rdf_clone(sign_params->
owner));
2330 (void)ldns_rr_rrsig_set_labels(
2332 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
2337 (void)ldns_rr_rrsig_set_inception(
2339 ldns_native2rdf_int32(
2343 (void)ldns_rr_rrsig_set_inception(
2345 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
2348 (void)ldns_rr_rrsig_set_expiration(
2350 ldns_native2rdf_int32(
2354 (void)ldns_rr_rrsig_set_expiration(
2356 ldns_native2rdf_int32(
2358 now + LDNS_DEFAULT_EXP_TIME));
2361 (void)ldns_rr_rrsig_set_keytag(
2363 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
2366 (void)ldns_rr_rrsig_set_algorithm(
2368 ldns_native2rdf_int8(
2372 (void)ldns_rr_rrsig_set_typecovered(
2374 ldns_native2rdf_int16(
2376 ldns_rr_get_type(ldns_rr_list_rr(rrset,
2389 char *(pin_callback)(
unsigned int,
const char *,
unsigned int))
2393 char* module_pin = NULL;
2396 int repositories = 0;
2407 hsm_config_default(&module_config);
2413 repo->
module, repo->
pin, &module_config);
2421 if (module_pin == NULL)
break;
2423 repo->
module, module_pin, &module_config);
2428 memset(module_pin, 0, strlen(module_pin));
2434 "No pin or callback function");
2445 if (result ==
HSM_OK && repositories == 0) {
2447 "No repositories found");
2481 CK_SESSION_HANDLE session_handle;
2489 if (session == NULL)
continue;
2495 if (hsm_pkcs11_check_error(
ctx, rv,
"get session info")) {
2503 "Session not logged in");
2514 if (hsm_pkcs11_check_error(
ctx, rv,
"test open session")) {
2519 if (hsm_pkcs11_check_error(
ctx, rv,
"test close session")) {
2532 hsm_ctx_close(
ctx, 0);
2547 params->
flags = LDNS_KEY_ZONE_KEY;
2551 params->
owner = NULL;
2559 if (params->
owner) ldns_rdf_deep_free(params->
owner);
2575 size_t key_count = 0;
2576 size_t cur_key_count;
2583 keys = realloc(keys,
2585 for (j = 0; j < cur_key_count; j++) {
2586 keys[key_count + j] = session_keys[j];
2588 key_count += cur_key_count;
2600 const char *repository)
2604 if (!repository)
return NULL;
2606 session = hsm_find_repository_session(
ctx, repository);
2611 return hsm_list_keys_session(
ctx, session, count);
2617 unsigned char *id_bytes;
2621 id_bytes = hsm_hex_parse(
id, &len);
2623 if (!id_bytes)
return NULL;
2625 key = hsm_find_key_by_id_bin(
ctx, id_bytes, len);
2631 generate_unique_id(
hsm_ctx_t *
ctx,
unsigned char *buf,
size_t bufsize)
2636 while ((key = hsm_find_key_by_id_bin(
ctx, buf, bufsize))) {
2645 const char *repository,
2646 unsigned long keysize)
2651 unsigned char id[16];
2655 CK_OBJECT_HANDLE publicKey, privateKey;
2656 CK_KEY_TYPE keyType =
CKK_RSA;
2660 CK_BYTE publicExponent[] = { 1, 0, 1 };
2666 session = hsm_find_repository_session(
ctx, repository);
2667 if (!session)
return NULL;
2670 generate_unique_id(
ctx,
id, 16);
2674 hsm_hex_unparse(id_str,
id, 16);
2686 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
2696 {
CKA_SIGN, &ctrue,
sizeof (ctrue) },
2707 publicKeyTemplate, 9,
2708 privateKeyTemplate, 10,
2711 if (hsm_pkcs11_check_error(
ctx, rv,
"generate key pair")) {
2715 new_key = libhsm_key_new();
2733 const char *repository,
2734 unsigned long keysize)
2739 CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
2745 unsigned char id[16];
2749 session = hsm_find_repository_session(
ctx, repository);
2750 if (!session)
return NULL;
2753 generate_unique_id(
ctx,
id, 16);
2757 hsm_hex_unparse(id_str,
id, 16);
2759 CK_KEY_TYPE keyType =
CKK_DSA;
2779 {
CKA_BASE, dsa_g,
sizeof(dsa_g) },
2785 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
2793 {
CKA_SIGN, &ctrue,
sizeof(ctrue) },
2810 if (hsm_pkcs11_check_error(
ctx, rv,
"generate domain parameters")) {
2815 domainPar, publicKeyTemplate, 3);
2816 if (hsm_pkcs11_check_error(
ctx, rv,
"get domain parameters")) {
2821 if (hsm_pkcs11_check_error(
ctx, rv,
"destroy domain parameters")) {
2829 publicKeyTemplate, 10,
2830 privateKeyTemplate, 10,
2833 if (hsm_pkcs11_check_error(
ctx, rv,
"generate key pair")) {
2837 new_key = libhsm_key_new();
2847 const char *repository)
2852 CK_OBJECT_HANDLE publicKey, privateKey;
2858 unsigned char id[16];
2862 session = hsm_find_repository_session(
ctx, repository);
2863 if (!session)
return NULL;
2866 generate_unique_id(
ctx,
id, 16);
2870 hsm_hex_unparse(id_str,
id, 16);
2877 CK_BYTE oid1[] = { 0x06, 0x07, 0x2A, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01 };
2878 CK_BYTE oid2[] = { 0x06, 0x07, 0x2A, 0x85, 0x03, 0x02, 0x02, 0x1E, 0x01 };
2888 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
2896 {
CKA_SIGN, &ctrue,
sizeof(ctrue) },
2909 publicKeyTemplate, 9,
2910 privateKeyTemplate, 10,
2913 if (hsm_pkcs11_check_error(
ctx, rv,
"generate key pair")) {
2917 new_key = libhsm_key_new();
2927 const char *repository,
2933 CK_OBJECT_HANDLE publicKey, privateKey;
2939 unsigned char id[16];
2943 session = hsm_find_repository_session(
ctx, repository);
2944 if (!session)
return NULL;
2947 generate_unique_id(
ctx,
id, 16);
2951 hsm_hex_unparse(id_str,
id, 16);
2953 CK_KEY_TYPE keyType =
CKK_EC;
2958 CK_BYTE oidP256[] = { 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07 };
2959 CK_BYTE oidP384[] = { 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22 };
2968 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
2976 {
CKA_SIGN, &ctrue,
sizeof(ctrue) },
2986 if (strcmp(curve,
"P-256") == 0)
2988 publicKeyTemplate[0].pValue = oidP256;
2989 publicKeyTemplate[0].ulValueLen =
sizeof(oidP256);
2991 else if (strcmp(curve,
"P-384") == 0)
2993 publicKeyTemplate[0].pValue = oidP384;
2994 publicKeyTemplate[0].ulValueLen =
sizeof(oidP384);
3005 publicKeyTemplate, 8,
3006 privateKeyTemplate, 10,
3009 if (hsm_pkcs11_check_error(
ctx, rv,
"generate key pair")) {
3013 new_key = libhsm_key_new();
3023 const char *repository,
3029 CK_OBJECT_HANDLE publicKey, privateKey;
3035 unsigned char id[16];
3039 session = hsm_find_repository_session(
ctx, repository);
3040 if (!session)
return NULL;
3043 generate_unique_id(
ctx,
id, 16);
3047 hsm_hex_unparse(id_str,
id, 16);
3054 CK_BYTE oid25519[] = { 0x06, 0x03, 0x2B, 0x65, 0x70 };
3055 CK_BYTE oid448[] = { 0x06, 0x03, 0x2B, 0x65, 0x71 };
3064 {
CKA_WRAP, &cfalse,
sizeof(cfalse) },
3072 {
CKA_SIGN, &ctrue,
sizeof(ctrue) },
3082 if (strcmp(curve,
"edwards25519") == 0)
3084 publicKeyTemplate[0].pValue = oid25519;
3085 publicKeyTemplate[0].ulValueLen =
sizeof(oid25519);
3087 else if (strcmp(curve,
"edwards448") == 0)
3089 publicKeyTemplate[0].pValue = oid448;
3090 publicKeyTemplate[0].ulValueLen =
sizeof(oid448);
3101 publicKeyTemplate, 8,
3102 privateKeyTemplate, 10,
3105 if (hsm_pkcs11_check_error(
ctx, rv,
"generate key pair")) {
3109 new_key = libhsm_key_new();
3122 if (!key)
return -1;
3124 session = hsm_find_key_session(
ctx, key);
3125 if (!session)
return -2;
3129 if (hsm_pkcs11_check_error(
ctx, rv,
"Destroy private key")) {
3137 if (hsm_pkcs11_check_error(
ctx, rv,
"Destroy public key")) {
3150 for (i = 0; i < count; i++) {
3164 if (!key)
return NULL;
3166 session = hsm_find_key_session(
ctx, key);
3167 if (!session)
return NULL;
3169 id = hsm_get_id_for_object(
ctx, session, key->
private_key, &len);
3170 if (!
id)
return NULL;
3173 id_str = malloc(len * 2 + 1);
3179 hsm_hex_unparse(id_str,
id, len);
3193 session = hsm_find_key_session(
ctx, key);
3194 if (!session)
return NULL;
3199 if (key_info->
id == NULL) {
3200 key_info->
id = strdup(
"");
3203 key_info->
algorithm = (
unsigned long) hsm_get_key_algorithm(
ctx,
3206 key_info->
keysize = (
unsigned long) hsm_get_key_size(
ctx,
3253 const ldns_rr_list* rrset,
3258 ldns_buffer *sign_buf;
3262 if (!key)
return NULL;
3263 if (!sign_params)
return NULL;
3265 signature = hsm_create_empty_rrsig((ldns_rr_list *)rrset,
3271 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
3273 if (ldns_rrsig2buffer_wire(sign_buf, signature)
3274 != LDNS_STATUS_OK) {
3275 ldns_buffer_free(sign_buf);
3277 ldns_rr_free(signature);
3282 for(i = 0; i < ldns_rr_list_rr_count(rrset); i++) {
3283 ldns_rr2canonical(ldns_rr_list_rr(rrset, i));
3287 if (ldns_rr_list2buffer_wire(sign_buf, rrset)
3288 != LDNS_STATUS_OK) {
3289 ldns_buffer_free(sign_buf);
3290 ldns_rr_free(signature);
3294 b64_rdf = hsm_sign_buffer(
ctx, sign_buf, key, sign_params->
algorithm);
3296 ldns_buffer_free(sign_buf);
3299 ldns_rr_free(signature);
3303 ldns_rr_rrsig_set_sig(signature, b64_rdf);
3331 sign_params->
owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
"dummy");
3332 sign_params->
algorithm = (ldns_algorithm) alg;
3333 sign_params->
flags = LDNS_KEY_ZONE_KEY;
3335 sign_params->
flags |= LDNS_KEY_SEP_KEY;
3352 tag = ldns_calc_keytag(dnskey_rr);
3354 ldns_rr_free(dnskey_rr);
3382 session = hsm_find_key_session(
ctx, key);
3383 if (!session)
return NULL;
3385 dnskey = ldns_rr_new();
3386 ldns_rr_set_type(dnskey, LDNS_RR_TYPE_DNSKEY);
3388 ldns_rr_set_owner(dnskey, ldns_rdf_clone(sign_params->
owner));
3390 ldns_rr_push_rdf(dnskey,
3391 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
3392 sign_params->
flags));
3393 ldns_rr_push_rdf(dnskey,
3394 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
3395 LDNS_DNSSEC_KEYPROTO));
3396 ldns_rr_push_rdf(dnskey,
3397 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
3400 rdata = hsm_get_key_rdata(
ctx, session, key);
3401 if (rdata == NULL) {
3402 ldns_rr_free(dnskey);
3405 ldns_rr_push_rdf(dnskey, rdata);
3412 unsigned char *buffer,
3413 unsigned long length)
3418 if (!buffer)
return -1;
3442 unsigned char rnd_buf[4];
3445 memcpy(&rnd, rnd_buf, 4);
3457 unsigned char rnd_buf[8];
3460 memcpy(&rnd, rnd_buf, 8);
3473 const char *token_label,
3481 result = hsm_session_init(
_hsm_ctx,
3489 result = hsm_ctx_add_session(
_hsm_ctx, session);
3506 "hsm_token_attached()",
3507 "Can't find repository: %s", repository);
3528 if (message == NULL) {
3529 return strdup(
"libhsm memory allocation failed");
3550 printf(
"\t\tmodule at %p (sym %p)\n", (
void *) session->
module, (
void *) session->
module->
sym);
3551 printf(
"\t\tmodule path: %s\n", session->
module->
path);
3552 printf(
"\t\trepository name: %s\n", session->
module->
name);
3554 printf(
"\t\tsess handle: %u\n", (
unsigned int) session->
session);
3560 printf(
"CTX Sessions: %lu\n",
3563 printf(
"\tSession at %p\n", (
void *)
ctx->
session[i]);
3575 printf(
"\tprivkey handle: %u\n", (
unsigned int) key->
private_key);
3577 printf(
"\tpubkey handle: %u\n", (
unsigned int) key->
public_key);
3579 printf(
"\tpubkey handle: %s\n",
"NULL");
3581 printf(
"\trepository: %s\n", key->
modulename);
3583 printf(
"\tsize: %lu\n", key_info->
keysize);
3584 printf(
"\tid: %s\n", key_info->
id);
3587 printf(
"key: hsm_get_key_info() returned NULL\n");
3590 printf(
"key: <void>\n");
3602 fprintf(stderr,
"%s\n", message);
3605 fprintf(stderr,
"Unknown error\n");
3622 result = hsm_get_slot_id(
ctx,
3626 if (result !=
HSM_OK)
return;
3629 if (hsm_pkcs11_check_error(
ctx, rv,
"C_GetTokenInfo")) {
3633 printf(
"Repository: %s\n",session->
module->
name);
3635 printf(
"\tModule: %s\n", session->
module->
path);
3636 printf(
"\tSlot: %lu\n",
slot_id);
3637 printf(
"\tToken Label: %.*s\n",
3638 (
int)
sizeof(token_info.
label), token_info.
label);
3639 printf(
"\tManufacturer: %.*s\n",
3640 (
int)
sizeof(token_info.manufacturerID), token_info.manufacturerID);
3641 printf(
"\tModel: %.*s\n",
3642 (
int)
sizeof(token_info.
model), token_info.
model);
3643 printf(
"\tSerial: %.*s\n",
3644 (
int)
sizeof(token_info.serialNumber), token_info.serialNumber);
3652 keycache_cmpfunc(
const void* a,
const void* b)
3654 const char* x = (
const char*)a;
3655 const char* y = (
const char*)b;
3656 return strcmp(x, y);
3660 keycache_delfunc(ldns_rbnode_t* node,
void* cargo)
3663 free((
void*)node->key);
3665 free((
void*)node->data);
3672 ctx->
keycache = ldns_rbtree_create(keycache_cmpfunc);
3680 ldns_traverse_postorder(
ctx->
keycache, keycache_delfunc, NULL);
3690 ldns_rbnode_t* node;
3693 node = ldns_rbtree_search(
ctx->
keycache, locator);
3695 if (node == LDNS_RBTREE_NULL || node == NULL) {
3700 node = malloc(
sizeof(ldns_rbnode_t));
3701 node->key = strdup(locator);
3709 if (node == LDNS_RBTREE_NULL || node == NULL)
char * hsm_get_error(hsm_ctx_t *gctx)
void libhsm_key_list_free(libhsm_key_t **key_list, size_t count)
void hsm_ctx_set_error(hsm_ctx_t *ctx, int error, const char *action, const char *message,...)
pthread_mutex_t _hsm_ctx_mutex
libhsm_key_info_t * hsm_get_key_info(hsm_ctx_t *ctx, const libhsm_key_t *key)
libhsm_key_t * hsm_generate_gost_key(hsm_ctx_t *ctx, const char *repository)
uint64_t hsm_random64(hsm_ctx_t *ctx)
uint32_t hsm_random32(hsm_ctx_t *ctx)
char * hsm_get_key_id(hsm_ctx_t *ctx, const libhsm_key_t *key)
void hsm_print_error(hsm_ctx_t *gctx)
hsm_ctx_t * hsm_create_context()
int hsm_token_attached(hsm_ctx_t *ctx, const char *repository)
#define HSM_TOKEN_LABEL_LENGTH
ldns_rr * hsm_get_dnskey(hsm_ctx_t *ctx, const libhsm_key_t *key, const hsm_sign_params_t *sign_params)
void hsm_print_key(hsm_ctx_t *ctx, libhsm_key_t *key)
void hsm_print_ctx(hsm_ctx_t *ctx)
ldns_rr * hsm_sign_rrset(hsm_ctx_t *ctx, const ldns_rr_list *rrset, const libhsm_key_t *key, const hsm_sign_params_t *sign_params)
void hsm_repository_free(hsm_repository_t *r)
int hsm_attach(const char *repository, const char *token_label, const char *path, const char *pin, const hsm_config_t *config)
libhsm_key_t * hsm_generate_rsa_key(hsm_ctx_t *ctx, const char *repository, unsigned long keysize)
libhsm_key_t * hsm_generate_ecdsa_key(hsm_ctx_t *ctx, const char *repository, const char *curve)
void libhsm_key_info_free(libhsm_key_info_t *key_info)
libhsm_key_t ** hsm_list_keys_repository(hsm_ctx_t *ctx, size_t *count, const char *repository)
const libhsm_key_t * keycache_lookup(hsm_ctx_t *ctx, const char *locator)
int hsm_random_buffer(hsm_ctx_t *ctx, unsigned char *buffer, unsigned long length)
int hsm_open2(hsm_repository_t *rlist, char *(pin_callback)(unsigned int, const char *, unsigned int))
libhsm_key_t ** hsm_list_keys(hsm_ctx_t *ctx, size_t *count)
int hsm_keytag(const char *loc, int alg, int sep, uint16_t *keytag)
void hsm_print_session(hsm_session_t *session)
void keycache_create(hsm_ctx_t *ctx)
libhsm_key_t * hsm_generate_eddsa_key(hsm_ctx_t *ctx, const char *repository, const char *curve)
libhsm_key_t * hsm_find_key_by_id(hsm_ctx_t *ctx, const char *id)
libhsm_key_t * hsm_generate_dsa_key(hsm_ctx_t *ctx, const char *repository, unsigned long keysize)
int hsm_remove_key(hsm_ctx_t *ctx, libhsm_key_t *key)
void hsm_print_tokeninfo(hsm_ctx_t *ctx)
hsm_repository_t * hsm_repository_new(char *name, char *module, char *tokenlabel, char *pin, uint8_t use_pubkey, uint8_t allowextract, uint8_t require_backup)
void hsm_destroy_context(hsm_ctx_t *ctx)
hsm_sign_params_t * hsm_sign_params_new()
void keycache_destroy(hsm_ctx_t *ctx)
void libhsm_key_free(libhsm_key_t *key)
void hsm_sign_params_free(hsm_sign_params_t *params)
#define HSM_NO_REPOSITORIES
#define HSM_ERROR_MSGSIZE
#define HSM_MODULE_NOT_FOUND
#define HSM_REPOSITORY_NOT_FOUND
#define HSM_MAX_SIGNATURE_LENGTH
#define HSM_PIN_INCORRECT
#define CKM_DSA_PARAMETER_GEN
#define CKR_SESSION_COUNT
#define CKR_DEVICE_MEMORY
#define CKR_GENERAL_ERROR
#define CKR_MECHANISM_INVALID
#define CKR_SLOT_ID_INVALID
#define CKR_ATTRIBUTE_TYPE_INVALID
#define CKR_FUNCTION_CANCELED
#define CKR_UNWRAPPING_KEY_HANDLE_INVALID
#define CKR_WRAPPING_KEY_SIZE_RANGE
#define CKR_MECHANISM_PARAM_INVALID
#define CKR_TOKEN_NOT_RECOGNIZED
#define CKR_ATTRIBUTE_SENSITIVE
#define CKR_PIN_LEN_RANGE
#define CKR_RANDOM_SEED_NOT_SUPPORTED
#define CKR_SESSION_PARALLEL_NOT_SUPPORTED
#define CKR_ATTRIBUTE_READ_ONLY
#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT
#define CKR_SESSION_EXISTS
unsigned long int CK_ULONG
#define CKA_PUBLIC_EXPONENT
#define CKM_RSA_PKCS_KEY_PAIR_GEN
#define CKR_SESSION_READ_ONLY
#define CKA_GOSTR3410PARAMS
#define CKR_ENCRYPTED_DATA_LEN_RANGE
#define CKR_SIGNATURE_INVALID
#define CKR_SESSION_HANDLE_INVALID
struct ck_function_list * CK_FUNCTION_LIST_PTR
#define CKR_TOKEN_NOT_PRESENT
#define CKR_CRYPTOKI_NOT_INITIALIZED
#define CKR_PIN_INCORRECT
#define CKR_WRAPPED_KEY_INVALID
#define CKR_WRAPPING_KEY_HANDLE_INVALID
#define CKR_MUTEX_NOT_LOCKED
#define CKR_SESSION_CLOSED
#define CKM_DSA_KEY_PAIR_GEN
#define CKF_OS_LOCKING_OK
#define CKM_EC_EDWARDS_KEY_PAIR_GEN
#define CKR_OBJECT_HANDLE_INVALID
#define CKR_UNWRAPPING_KEY_SIZE_RANGE
#define CKR_ENCRYPTED_DATA_INVALID
#define CKR_CRYPTOKI_ALREADY_INITIALIZED
#define CKF_SERIAL_SESSION
#define CKR_FUNCTION_FAILED
#define CKR_OPERATION_NOT_INITIALIZED
#define CKM_EC_KEY_PAIR_GEN
#define CKR_KEY_SIZE_RANGE
#define CKR_TEMPLATE_INCONSISTENT
#define CKR_OPERATION_ACTIVE
#define CKR_DATA_LEN_RANGE
#define CKR_BUFFER_TOO_SMALL
#define CKS_RW_USER_FUNCTIONS
#define CKR_USER_PIN_NOT_INITIALIZED
#define CKR_USER_ALREADY_LOGGED_IN
#define CKR_STATE_UNSAVEABLE
#define CKR_INFORMATION_SENSITIVE
#define CKR_ATTRIBUTE_VALUE_INVALID
#define CKR_FUNCTION_NOT_SUPPORTED
#define CKR_USER_NOT_LOGGED_IN
#define CKR_DEVICE_REMOVED
#define CKR_TOKEN_WRITE_PROTECTED
#define CKR_TEMPLATE_INCOMPLETE
#define CKM_GOSTR3410_KEY_PAIR_GEN
#define CKR_FUNCTION_NOT_PARALLEL
#define CKR_SIGNATURE_LEN_RANGE
#define CKR_USER_TYPE_INVALID
#define CKR_KEY_HANDLE_INVALID
#define CKA_GOSTR3411PARAMS
#define CKR_SAVED_STATE_INVALID
unsigned char CK_UTF8CHAR
#define CKR_WRAPPED_KEY_LEN_RANGE
#define CKR_KEY_TYPE_INCONSISTENT
#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT
CK_C_GetSlotList C_GetSlotList
CK_C_GetTokenInfo C_GetTokenInfo
ck_mechanism_type_t mechanism
unsigned int allow_extract
char error_message[HSM_ERROR_MSGSIZE]
const char * error_action
hsm_session_t * session[HSM_MAX_SESSIONS]
pthread_mutex_t * keycache_lock
unsigned int allow_extract
unsigned long private_key