2
* The contents of this file are subject to the Mozilla Public
3
* License Version 1.1 (the "License"); you may not use this file
4
* except in compliance with the License. You may obtain a copy of
5
* the License at http://www.mozilla.org/MPL/
7
* Software distributed under the License is distributed on an "AS
8
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
9
* implied. See the License for the specific language governing
10
* rights and limitations under the License.
12
* The Original Code is the Netscape security libraries.
14
* The Initial Developer of the Original Code is Netscape
15
* Communications Corporation. Portions created by Netscape are
16
* Copyright (C) 1994-2000 Netscape Communications Corporation. All
21
* Alternatively, the contents of this file may be used under the
22
* terms of the GNU General Public License Version 2 or later (the
23
* "GPL"), in which case the provisions of the GPL are applicable
24
* instead of those above. If you wish to allow use of your
25
* version of this file only under the terms of the GPL and not to
26
* allow others to use your version of this file under the MPL,
27
* indicate your decision by deleting the provisions above and
28
* replace them with the notice and other provisions required by
29
* the GPL. If you do not delete the provisions above, a recipient
30
* may use your version of this file under either the MPL or the
34
* This file implements PKCS 11 on top of our existing security modules
36
* For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
37
* This implementation has two slots:
38
* slot 1 is our generic crypto support. It does not require login
39
* (unless you've enabled FIPS). It supports Public Key ops, and all they
40
* bulk ciphers and hashes. It can also support Private Key ops for imported
41
* Private keys. It does not have any token storage.
42
* slot 2 is our private key support. It requires a login before use. It
43
* can store Private Keys and Certs as token objects. Currently only private
44
* keys and their associated Certificates are saved on the token.
46
* In this implementation, session objects are only visible to the session
47
* that created or generated them.
58
* ******************** Password Utilities *******************************
60
static PRBool isLoggedIn = PR_FALSE;
61
static PRBool fatalError = PR_FALSE;
63
/* Fips required checks before any useful crypto graphic services */
64
static CK_RV pk11_fipsCheck(void) {
65
if (isLoggedIn != PR_TRUE)
66
return CKR_USER_NOT_LOGGED_IN;
68
return CKR_DEVICE_ERROR;
73
#define PK11_FIPSCHECK() \
75
if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
77
#define PK11_FIPSFATALCHECK() \
78
if (fatalError) return CKR_DEVICE_ERROR;
81
/* grab an attribute out of a raw template */
83
fc_getAttribute(CK_ATTRIBUTE_PTR pTemplate,
84
CK_ULONG ulCount, CK_ATTRIBUTE_TYPE type)
88
for (i=0; i < (int) ulCount; i++) {
89
if (pTemplate[i].type == type) {
90
return pTemplate[i].pValue;
97
#define __PASTE(x,y) x##y
99
/* ------------- forward declare all the NSC_ functions ------------- */
100
#undef CK_NEED_ARG_LIST
101
#undef CK_PKCS11_FUNCTION_INFO
103
#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(NS,name)
104
#define CK_NEED_ARG_LIST 1
108
/* ------------- forward declare all the FIPS functions ------------- */
109
#undef CK_NEED_ARG_LIST
110
#undef CK_PKCS11_FUNCTION_INFO
112
#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F,name)
113
#define CK_NEED_ARG_LIST 1
117
/* ------------- build the CK_CRYPTO_TABLE ------------------------- */
118
static CK_FUNCTION_LIST pk11_fipsTable = {
121
#undef CK_NEED_ARG_LIST
122
#undef CK_PKCS11_FUNCTION_INFO
124
#define CK_PKCS11_FUNCTION_INFO(name) __PASTE(F,name),
131
#undef CK_NEED_ARG_LIST
132
#undef CK_PKCS11_FUNCTION_INFO
138
fips_login_if_key_object(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
141
CK_OBJECT_CLASS objClass;
143
class.type = CKA_CLASS;
144
class.pValue = &objClass;
145
class.ulValueLen = sizeof(objClass);
146
rv = NSC_GetAttributeValue(hSession, hObject, &class, 1);
148
if ((objClass == CKO_PRIVATE_KEY) || (objClass == CKO_SECRET_KEY)) {
149
rv = pk11_fipsCheck();
156
/**********************************************************************
158
* Start of PKCS 11 functions
160
**********************************************************************/
161
/* return the function list */
162
CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) {
163
*pFunctionList = &pk11_fipsTable;
167
/* sigh global so pkcs11 can read it */
168
PRBool nsf_init = PR_FALSE;
170
/* FC_Initialize initializes the PKCS #11 library. */
171
CK_RV FC_Initialize(CK_VOID_PTR pReserved) {
175
return CKR_CRYPTOKI_ALREADY_INITIALIZED;
178
crv = nsc_CommonInitialize(pReserved, PR_TRUE);
180
/* not an 'else' rv can be set by either PK11_LowInit or PK11_SlotInit*/
182
fatalError = PR_TRUE;
186
fatalError = PR_FALSE; /* any error has been reset */
188
crv = pk11_fipsPowerUpSelfTest();
190
nsc_CommonFinalize(NULL, PR_TRUE);
191
fatalError = PR_TRUE;
199
/*FC_Finalize indicates that an application is done with the PKCS #11 library.*/
200
CK_RV FC_Finalize (CK_VOID_PTR pReserved) {
205
crv = nsc_CommonFinalize (pReserved, PR_TRUE);
206
nsf_init = (PRBool) !(crv == CKR_OK);
211
/* FC_GetInfo returns general information about PKCS #11. */
212
CK_RV FC_GetInfo(CK_INFO_PTR pInfo) {
213
return NSC_GetInfo(pInfo);
216
/* FC_GetSlotList obtains a list of slots in the system. */
217
CK_RV FC_GetSlotList(CK_BBOOL tokenPresent,
218
CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
219
return nsc_CommonGetSlotList(tokenPresent,pSlotList,pulCount,
223
/* FC_GetSlotInfo obtains information about a particular slot in the system. */
224
CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
228
crv = NSC_GetSlotInfo(slotID,pInfo);
237
/*FC_GetTokenInfo obtains information about a particular token in the system.*/
238
CK_RV FC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo) {
241
crv = NSC_GetTokenInfo(slotID,pInfo);
242
pInfo->flags |= CKF_RNG | CKF_LOGIN_REQUIRED;
249
/*FC_GetMechanismList obtains a list of mechanism types supported by a token.*/
250
CK_RV FC_GetMechanismList(CK_SLOT_ID slotID,
251
CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pusCount) {
252
PK11_FIPSFATALCHECK();
253
if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID;
254
/* FIPS Slot supports all functions */
255
return NSC_GetMechanismList(slotID,pMechanismList,pusCount);
259
/* FC_GetMechanismInfo obtains information about a particular mechanism
260
* possibly supported by a token. */
261
CK_RV FC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
262
CK_MECHANISM_INFO_PTR pInfo) {
263
PK11_FIPSFATALCHECK();
264
if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID;
265
/* FIPS Slot supports all functions */
266
return NSC_GetMechanismInfo(slotID,type,pInfo);
270
/* FC_InitToken initializes a token. */
271
CK_RV FC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
272
CK_ULONG usPinLen,CK_CHAR_PTR pLabel) {
273
return CKR_HOST_MEMORY; /*is this the right function for not implemented*/
277
/* FC_InitPIN initializes the normal user's PIN. */
278
CK_RV FC_InitPIN(CK_SESSION_HANDLE hSession,
279
CK_CHAR_PTR pPin, CK_ULONG ulPinLen) {
280
return NSC_InitPIN(hSession,pPin,ulPinLen);
284
/* FC_SetPIN modifies the PIN of user that is currently logged in. */
285
/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
286
CK_RV FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
287
CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen) {
289
if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
290
return NSC_SetPIN(hSession,pOldPin,usOldLen,pNewPin,usNewLen);
293
/* FC_OpenSession opens a session between an application and a token. */
294
CK_RV FC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
295
CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession) {
296
PK11_FIPSFATALCHECK();
297
return NSC_OpenSession(slotID,flags,pApplication,Notify,phSession);
301
/* FC_CloseSession closes a session between an application and a token. */
302
CK_RV FC_CloseSession(CK_SESSION_HANDLE hSession) {
303
return NSC_CloseSession(hSession);
307
/* FC_CloseAllSessions closes all sessions with a token. */
308
CK_RV FC_CloseAllSessions (CK_SLOT_ID slotID) {
309
return NSC_CloseAllSessions (slotID);
313
/* FC_GetSessionInfo obtains information about the session. */
314
CK_RV FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
315
CK_SESSION_INFO_PTR pInfo) {
317
PK11_FIPSFATALCHECK();
319
rv = NSC_GetSessionInfo(hSession,pInfo);
321
if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
322
pInfo->state = CKS_RO_USER_FUNCTIONS;
324
if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
325
pInfo->state = CKS_RW_USER_FUNCTIONS;
331
/* FC_Login logs a user into a token. */
332
CK_RV FC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
333
CK_CHAR_PTR pPin, CK_ULONG usPinLen) {
335
PK11_FIPSFATALCHECK();
336
rv = NSC_Login(hSession,userType,pPin,usPinLen);
338
isLoggedIn = PR_TRUE;
339
else if (rv == CKR_USER_ALREADY_LOGGED_IN)
341
isLoggedIn = PR_TRUE;
343
/* Provide FIPS PUB 140-1 power-up self-tests on demand. */
344
rv = pk11_fipsPowerUpSelfTest();
346
return CKR_USER_ALREADY_LOGGED_IN;
348
fatalError = PR_TRUE;
353
/* FC_Logout logs a user out from a token. */
354
CK_RV FC_Logout(CK_SESSION_HANDLE hSession) {
357
rv = NSC_Logout(hSession);
358
isLoggedIn = PR_FALSE;
363
/* FC_CreateObject creates a new object. */
364
CK_RV FC_CreateObject(CK_SESSION_HANDLE hSession,
365
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
366
CK_OBJECT_HANDLE_PTR phObject) {
367
CK_OBJECT_CLASS * classptr;
369
classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate,ulCount,CKA_CLASS);
370
if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE;
372
/* FIPS can't create keys from raw key material */
373
if ((*classptr == CKO_SECRET_KEY) || (*classptr == CKO_PRIVATE_KEY)) {
374
return CKR_ATTRIBUTE_VALUE_INVALID;
376
return NSC_CreateObject(hSession,pTemplate,ulCount,phObject);
383
/* FC_CopyObject copies an object, creating a new object for the copy. */
384
CK_RV FC_CopyObject(CK_SESSION_HANDLE hSession,
385
CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
386
CK_OBJECT_HANDLE_PTR phNewObject) {
388
PK11_FIPSFATALCHECK();
389
rv = fips_login_if_key_object(hSession, hObject);
393
return NSC_CopyObject(hSession,hObject,pTemplate,usCount,phNewObject);
397
/* FC_DestroyObject destroys an object. */
398
CK_RV FC_DestroyObject(CK_SESSION_HANDLE hSession,
399
CK_OBJECT_HANDLE hObject) {
401
PK11_FIPSFATALCHECK();
402
rv = fips_login_if_key_object(hSession, hObject);
406
return NSC_DestroyObject(hSession,hObject);
410
/* FC_GetObjectSize gets the size of an object in bytes. */
411
CK_RV FC_GetObjectSize(CK_SESSION_HANDLE hSession,
412
CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pusSize) {
414
PK11_FIPSFATALCHECK();
415
rv = fips_login_if_key_object(hSession, hObject);
419
return NSC_GetObjectSize(hSession, hObject, pusSize);
423
/* FC_GetAttributeValue obtains the value of one or more object attributes. */
424
CK_RV FC_GetAttributeValue(CK_SESSION_HANDLE hSession,
425
CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
427
PK11_FIPSFATALCHECK();
428
rv = fips_login_if_key_object(hSession, hObject);
432
return NSC_GetAttributeValue(hSession,hObject,pTemplate,usCount);
436
/* FC_SetAttributeValue modifies the value of one or more object attributes */
437
CK_RV FC_SetAttributeValue (CK_SESSION_HANDLE hSession,
438
CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
440
PK11_FIPSFATALCHECK();
441
rv = fips_login_if_key_object(hSession, hObject);
445
return NSC_SetAttributeValue(hSession,hObject,pTemplate,usCount);
450
/* FC_FindObjectsInit initializes a search for token and session objects
451
* that match a template. */
452
CK_RV FC_FindObjectsInit(CK_SESSION_HANDLE hSession,
453
CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
454
/* let publically readable object be found */
457
PRBool needLogin = PR_FALSE;
459
PK11_FIPSFATALCHECK();
461
for (i=0; i < usCount; i++) {
462
CK_OBJECT_CLASS class;
463
if (pTemplate[i].type != CKA_CLASS) {
466
if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
469
if (pTemplate[i].pValue == NULL) {
472
class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
473
if ((class == CKO_PRIVATE_KEY) || (class == CKO_SECRET_KEY)) {
479
if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
481
return NSC_FindObjectsInit(hSession,pTemplate,usCount);
485
/* FC_FindObjects continues a search for token and session objects
486
* that match a template, obtaining additional object handles. */
487
CK_RV FC_FindObjects(CK_SESSION_HANDLE hSession,
488
CK_OBJECT_HANDLE_PTR phObject,CK_ULONG usMaxObjectCount,
489
CK_ULONG_PTR pusObjectCount) {
490
/* let publically readable object be found */
491
PK11_FIPSFATALCHECK();
492
return NSC_FindObjects(hSession,phObject,usMaxObjectCount,
498
************** Crypto Functions: Encrypt ************************
501
/* FC_EncryptInit initializes an encryption operation. */
502
CK_RV FC_EncryptInit(CK_SESSION_HANDLE hSession,
503
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
505
return NSC_EncryptInit(hSession,pMechanism,hKey);
508
/* FC_Encrypt encrypts single-part data. */
509
CK_RV FC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
510
CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData,
511
CK_ULONG_PTR pusEncryptedDataLen) {
513
return NSC_Encrypt(hSession,pData,usDataLen,pEncryptedData,
514
pusEncryptedDataLen);
518
/* FC_EncryptUpdate continues a multiple-part encryption operation. */
519
CK_RV FC_EncryptUpdate(CK_SESSION_HANDLE hSession,
520
CK_BYTE_PTR pPart, CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart,
521
CK_ULONG_PTR pusEncryptedPartLen) {
523
return NSC_EncryptUpdate(hSession,pPart,usPartLen,pEncryptedPart,
524
pusEncryptedPartLen);
528
/* FC_EncryptFinal finishes a multiple-part encryption operation. */
529
CK_RV FC_EncryptFinal(CK_SESSION_HANDLE hSession,
530
CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pusLastEncryptedPartLen) {
533
return NSC_EncryptFinal(hSession,pLastEncryptedPart,
534
pusLastEncryptedPartLen);
538
************** Crypto Functions: Decrypt ************************
542
/* FC_DecryptInit initializes a decryption operation. */
543
CK_RV FC_DecryptInit( CK_SESSION_HANDLE hSession,
544
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
546
return NSC_DecryptInit(hSession,pMechanism,hKey);
549
/* FC_Decrypt decrypts encrypted data in a single part. */
550
CK_RV FC_Decrypt(CK_SESSION_HANDLE hSession,
551
CK_BYTE_PTR pEncryptedData,CK_ULONG usEncryptedDataLen,CK_BYTE_PTR pData,
552
CK_ULONG_PTR pusDataLen) {
554
return NSC_Decrypt(hSession,pEncryptedData,usEncryptedDataLen,pData,
559
/* FC_DecryptUpdate continues a multiple-part decryption operation. */
560
CK_RV FC_DecryptUpdate(CK_SESSION_HANDLE hSession,
561
CK_BYTE_PTR pEncryptedPart, CK_ULONG usEncryptedPartLen,
562
CK_BYTE_PTR pPart, CK_ULONG_PTR pusPartLen) {
564
return NSC_DecryptUpdate(hSession,pEncryptedPart,usEncryptedPartLen,
569
/* FC_DecryptFinal finishes a multiple-part decryption operation. */
570
CK_RV FC_DecryptFinal(CK_SESSION_HANDLE hSession,
571
CK_BYTE_PTR pLastPart, CK_ULONG_PTR pusLastPartLen) {
573
return NSC_DecryptFinal(hSession,pLastPart,pusLastPartLen);
578
************** Crypto Functions: Digest (HASH) ************************
581
/* FC_DigestInit initializes a message-digesting operation. */
582
CK_RV FC_DigestInit(CK_SESSION_HANDLE hSession,
583
CK_MECHANISM_PTR pMechanism) {
584
PK11_FIPSFATALCHECK();
585
return NSC_DigestInit(hSession, pMechanism);
589
/* FC_Digest digests data in a single part. */
590
CK_RV FC_Digest(CK_SESSION_HANDLE hSession,
591
CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pDigest,
592
CK_ULONG_PTR pusDigestLen) {
593
PK11_FIPSFATALCHECK();
594
return NSC_Digest(hSession,pData,usDataLen,pDigest,pusDigestLen);
598
/* FC_DigestUpdate continues a multiple-part message-digesting operation. */
599
CK_RV FC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
600
CK_ULONG usPartLen) {
601
PK11_FIPSFATALCHECK();
602
return NSC_DigestUpdate(hSession,pPart,usPartLen);
606
/* FC_DigestFinal finishes a multiple-part message-digesting operation. */
607
CK_RV FC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
608
CK_ULONG_PTR pusDigestLen) {
609
PK11_FIPSFATALCHECK();
610
return NSC_DigestFinal(hSession,pDigest,pusDigestLen);
615
************** Crypto Functions: Sign ************************
618
/* FC_SignInit initializes a signature (private key encryption) operation,
619
* where the signature is (will be) an appendix to the data,
620
* and plaintext cannot be recovered from the signature */
621
CK_RV FC_SignInit(CK_SESSION_HANDLE hSession,
622
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
624
return NSC_SignInit(hSession,pMechanism,hKey);
628
/* FC_Sign signs (encrypts with private key) data in a single part,
629
* where the signature is (will be) an appendix to the data,
630
* and plaintext cannot be recovered from the signature */
631
CK_RV FC_Sign(CK_SESSION_HANDLE hSession,
632
CK_BYTE_PTR pData,CK_ULONG usDataLen,CK_BYTE_PTR pSignature,
633
CK_ULONG_PTR pusSignatureLen) {
635
return NSC_Sign(hSession,pData,usDataLen,pSignature,pusSignatureLen);
639
/* FC_SignUpdate continues a multiple-part signature operation,
640
* where the signature is (will be) an appendix to the data,
641
* and plaintext cannot be recovered from the signature */
642
CK_RV FC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
643
CK_ULONG usPartLen) {
645
return NSC_SignUpdate(hSession,pPart,usPartLen);
649
/* FC_SignFinal finishes a multiple-part signature operation,
650
* returning the signature. */
651
CK_RV FC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
652
CK_ULONG_PTR pusSignatureLen) {
654
return NSC_SignFinal(hSession,pSignature,pusSignatureLen);
658
************** Crypto Functions: Sign Recover ************************
660
/* FC_SignRecoverInit initializes a signature operation,
661
* where the (digest) data can be recovered from the signature.
662
* E.g. encryption with the user's private key */
663
CK_RV FC_SignRecoverInit(CK_SESSION_HANDLE hSession,
664
CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
666
return NSC_SignRecoverInit(hSession,pMechanism,hKey);
670
/* FC_SignRecover signs data in a single operation
671
* where the (digest) data can be recovered from the signature.
672
* E.g. encryption with the user's private key */
673
CK_RV FC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
674
CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen) {
676
return NSC_SignRecover(hSession,pData,usDataLen,pSignature,pusSignatureLen);
680
************** Crypto Functions: verify ************************
683
/* FC_VerifyInit initializes a verification operation,
684
* where the signature is an appendix to the data,
685
* and plaintext cannot be recovered from the signature (e.g. DSA) */
686
CK_RV FC_VerifyInit(CK_SESSION_HANDLE hSession,
687
CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
689
return NSC_VerifyInit(hSession,pMechanism,hKey);
693
/* FC_Verify verifies a signature in a single-part operation,
694
* where the signature is an appendix to the data,
695
* and plaintext cannot be recovered from the signature */
696
CK_RV FC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
697
CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen) {
698
/* make sure we're legal */
700
return NSC_Verify(hSession,pData,usDataLen,pSignature,usSignatureLen);
704
/* FC_VerifyUpdate continues a multiple-part verification operation,
705
* where the signature is an appendix to the data,
706
* and plaintext cannot be recovered from the signature */
707
CK_RV FC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
708
CK_ULONG usPartLen) {
710
return NSC_VerifyUpdate(hSession,pPart,usPartLen);
714
/* FC_VerifyFinal finishes a multiple-part verification operation,
715
* checking the signature. */
716
CK_RV FC_VerifyFinal(CK_SESSION_HANDLE hSession,
717
CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen) {
719
return NSC_VerifyFinal(hSession,pSignature,usSignatureLen);
723
************** Crypto Functions: Verify Recover ************************
726
/* FC_VerifyRecoverInit initializes a signature verification operation,
727
* where the data is recovered from the signature.
728
* E.g. Decryption with the user's public key */
729
CK_RV FC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
730
CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
732
return NSC_VerifyRecoverInit(hSession,pMechanism,hKey);
736
/* FC_VerifyRecover verifies a signature in a single-part operation,
737
* where the data is recovered from the signature.
738
* E.g. Decryption with the user's public key */
739
CK_RV FC_VerifyRecover(CK_SESSION_HANDLE hSession,
740
CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen,
741
CK_BYTE_PTR pData,CK_ULONG_PTR pusDataLen) {
743
return NSC_VerifyRecover(hSession,pSignature,usSignatureLen,pData,
748
**************************** Key Functions: ************************
751
/* FC_GenerateKey generates a secret key, creating a new key object. */
752
CK_RV FC_GenerateKey(CK_SESSION_HANDLE hSession,
753
CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,
754
CK_OBJECT_HANDLE_PTR phKey) {
759
/* all secret keys must be sensitive, if the upper level code tries to say
760
* otherwise, reject it. */
761
boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, ulCount, CKA_SENSITIVE);
762
if (boolptr != NULL) {
764
return CKR_ATTRIBUTE_VALUE_INVALID;
768
return NSC_GenerateKey(hSession,pMechanism,pTemplate,ulCount,phKey);
772
/* FC_GenerateKeyPair generates a public-key/private-key pair,
773
* creating new key objects. */
774
CK_RV FC_GenerateKeyPair (CK_SESSION_HANDLE hSession,
775
CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
776
CK_ULONG usPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
777
CK_ULONG usPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
778
CK_OBJECT_HANDLE_PTR phPrivateKey) {
783
/* all private keys must be sensitive, if the upper level code tries to say
784
* otherwise, reject it. */
785
boolptr = (CK_BBOOL *) fc_getAttribute(pPrivateKeyTemplate,
786
usPrivateKeyAttributeCount, CKA_SENSITIVE);
787
if (boolptr != NULL) {
789
return CKR_ATTRIBUTE_VALUE_INVALID;
792
return NSC_GenerateKeyPair (hSession,pMechanism,pPublicKeyTemplate,
793
usPublicKeyAttributeCount,pPrivateKeyTemplate,
794
usPrivateKeyAttributeCount,phPublicKey,phPrivateKey);
798
/* FC_WrapKey wraps (i.e., encrypts) a key. */
799
CK_RV FC_WrapKey(CK_SESSION_HANDLE hSession,
800
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
801
CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
802
CK_ULONG_PTR pusWrappedKeyLen) {
804
return NSC_WrapKey(hSession,pMechanism,hWrappingKey,hKey,pWrappedKey,
809
/* FC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
810
CK_RV FC_UnwrapKey(CK_SESSION_HANDLE hSession,
811
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
812
CK_BYTE_PTR pWrappedKey, CK_ULONG usWrappedKeyLen,
813
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usAttributeCount,
814
CK_OBJECT_HANDLE_PTR phKey) {
819
/* all secret keys must be sensitive, if the upper level code tries to say
820
* otherwise, reject it. */
821
boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate,
822
usAttributeCount, CKA_SENSITIVE);
823
if (boolptr != NULL) {
825
return CKR_ATTRIBUTE_VALUE_INVALID;
828
return NSC_UnwrapKey(hSession,pMechanism,hUnwrappingKey,pWrappedKey,
829
usWrappedKeyLen,pTemplate,usAttributeCount,phKey);
833
/* FC_DeriveKey derives a key from a base key, creating a new key object. */
834
CK_RV FC_DeriveKey( CK_SESSION_HANDLE hSession,
835
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
836
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usAttributeCount,
837
CK_OBJECT_HANDLE_PTR phKey) {
842
/* all secret keys must be sensitive, if the upper level code tries to say
843
* otherwise, reject it. */
844
boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate,
845
usAttributeCount, CKA_SENSITIVE);
846
if (boolptr != NULL) {
848
return CKR_ATTRIBUTE_VALUE_INVALID;
851
return NSC_DeriveKey(hSession,pMechanism,hBaseKey,pTemplate,
852
usAttributeCount, phKey);
856
**************************** Radom Functions: ************************
859
/* FC_SeedRandom mixes additional seed material into the token's random number
861
CK_RV FC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
862
CK_ULONG usSeedLen) {
865
PK11_FIPSFATALCHECK();
866
crv = NSC_SeedRandom(hSession,pSeed,usSeedLen);
868
fatalError = PR_TRUE;
874
/* FC_GenerateRandom generates random data. */
875
CK_RV FC_GenerateRandom(CK_SESSION_HANDLE hSession,
876
CK_BYTE_PTR pRandomData, CK_ULONG usRandomLen) {
879
PK11_FIPSFATALCHECK();
880
crv = NSC_GenerateRandom(hSession,pRandomData,usRandomLen);
882
fatalError = PR_TRUE;
888
/* FC_GetFunctionStatus obtains an updated status of a function running
889
* in parallel with an application. */
890
CK_RV FC_GetFunctionStatus(CK_SESSION_HANDLE hSession) {
892
return NSC_GetFunctionStatus(hSession);
896
/* FC_CancelFunction cancels a function running in parallel */
897
CK_RV FC_CancelFunction(CK_SESSION_HANDLE hSession) {
899
return NSC_CancelFunction(hSession);
903
**************************** Version 1.1 Functions: ************************
906
/* FC_GetOperationState saves the state of the cryptographic
907
*operation in a session. */
908
CK_RV FC_GetOperationState(CK_SESSION_HANDLE hSession,
909
CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen) {
910
PK11_FIPSFATALCHECK();
911
return NSC_GetOperationState(hSession,pOperationState,pulOperationStateLen);
915
/* FC_SetOperationState restores the state of the cryptographic operation
917
CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession,
918
CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen,
919
CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey) {
920
PK11_FIPSFATALCHECK();
921
return NSC_SetOperationState(hSession,pOperationState,ulOperationStateLen,
922
hEncryptionKey,hAuthenticationKey);
925
/* FC_FindObjectsFinal finishes a search for token and session objects. */
926
CK_RV FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
927
/* let publically readable object be found */
928
PK11_FIPSFATALCHECK();
929
return NSC_FindObjectsFinal(hSession);
933
/* Dual-function cryptographic operations */
935
/* FC_DigestEncryptUpdate continues a multiple-part digesting and encryption
937
CK_RV FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
938
CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
939
CK_ULONG_PTR pulEncryptedPartLen) {
941
return NSC_DigestEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
942
pulEncryptedPartLen);
946
/* FC_DecryptDigestUpdate continues a multiple-part decryption and digesting
948
CK_RV FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
949
CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
950
CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) {
953
return NSC_DecryptDigestUpdate(hSession, pEncryptedPart,ulEncryptedPartLen,
957
/* FC_SignEncryptUpdate continues a multiple-part signing and encryption
959
CK_RV FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
960
CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
961
CK_ULONG_PTR pulEncryptedPartLen) {
964
return NSC_SignEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
965
pulEncryptedPartLen);
968
/* FC_DecryptVerifyUpdate continues a multiple-part decryption and verify
970
CK_RV FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
971
CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
972
CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) {
975
return NSC_DecryptVerifyUpdate(hSession,pEncryptedData,ulEncryptedDataLen,
980
/* FC_DigestKey continues a multi-part message-digesting operation,
981
* by digesting the value of a secret key as part of the data already digested.
983
CK_RV FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) {
985
return NSC_DigestKey(hSession,hKey);
989
CK_RV FC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
990
CK_VOID_PTR pReserved)
992
return NSC_WaitForSlotEvent(flags, pSlot, pReserved);