1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
* License, v. 2.0. If a copy of the MPL was not distributed with this
3
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
* This file implements audit logging required by FIPS 140-2 Security
14
* Print the value of the returned object handle in the output buffer
15
* on a successful return of the PKCS #11 function. If the PKCS #11
16
* function failed or the pointer to object handle is NULL (which is
17
* the case for C_DeriveKey with CKM_TLS_KEY_AND_MAC_DERIVE), an empty
18
* string is stored in the output buffer.
20
* out: the output buffer
21
* outlen: the length of the output buffer
22
* argName: the name of the "pointer to object handle" argument
23
* phObject: the pointer to object handle
24
* rv: the return value of the PKCS #11 function
26
static void sftk_PrintReturnedObjectHandle(char *out, PRUint32 outlen,
27
const char *argName, CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
29
if ((rv == CKR_OK) && phObject) {
30
PR_snprintf(out, outlen,
31
" *%s=0x%08lX", argName, (PRUint32)*phObject);
33
PORT_Assert(outlen != 0);
39
* MECHANISM_BUFSIZE needs to be large enough for sftk_PrintMechanism,
40
* which uses <= 49 bytes.
42
#define MECHANISM_BUFSIZE 64
44
static void sftk_PrintMechanism(char *out, PRUint32 outlen,
45
CK_MECHANISM_PTR pMechanism)
49
* If we change the format string, we need to make sure
50
* MECHANISM_BUFSIZE is still large enough. We allow
51
* 20 bytes for %p on a 64-bit platform.
53
PR_snprintf(out, outlen, "%p {mechanism=0x%08lX, ...}",
54
pMechanism, (PRUint32)pMechanism->mechanism);
56
PR_snprintf(out, outlen, "%p", pMechanism);
60
void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
61
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
62
CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
66
NSSAuditSeverity severity = (rv == CKR_OK) ?
67
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
69
sftk_PrintReturnedObjectHandle(shObject, sizeof shObject,
70
"phObject", phObject, rv);
71
PR_snprintf(msg, sizeof msg,
72
"C_CreateObject(hSession=0x%08lX, pTemplate=%p, ulCount=%lu, "
73
"phObject=%p)=0x%08lX%s",
74
(PRUint32)hSession, pTemplate, (PRUint32)ulCount,
75
phObject, (PRUint32)rv, shObject);
76
sftk_LogAuditMessage(severity, NSS_AUDIT_LOAD_KEY, msg);
79
void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
80
CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
81
CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv)
85
NSSAuditSeverity severity = (rv == CKR_OK) ?
86
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
88
sftk_PrintReturnedObjectHandle(shNewObject, sizeof shNewObject,
89
"phNewObject", phNewObject, rv);
90
PR_snprintf(msg, sizeof msg,
91
"C_CopyObject(hSession=0x%08lX, hObject=0x%08lX, "
92
"pTemplate=%p, ulCount=%lu, phNewObject=%p)=0x%08lX%s",
93
(PRUint32)hSession, (PRUint32)hObject,
94
pTemplate, (PRUint32)ulCount, phNewObject, (PRUint32)rv, shNewObject);
95
sftk_LogAuditMessage(severity, NSS_AUDIT_COPY_KEY, msg);
98
/* WARNING: hObject has been destroyed and can only be printed. */
99
void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
100
CK_OBJECT_HANDLE hObject, CK_RV rv)
103
NSSAuditSeverity severity = (rv == CKR_OK) ?
104
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
106
PR_snprintf(msg, sizeof msg,
107
"C_DestroyObject(hSession=0x%08lX, hObject=0x%08lX)=0x%08lX",
108
(PRUint32)hSession, (PRUint32)hObject, (PRUint32)rv);
109
sftk_LogAuditMessage(severity, NSS_AUDIT_DESTROY_KEY, msg);
112
void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
113
CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize, CK_RV rv)
116
NSSAuditSeverity severity = (rv == CKR_OK) ?
117
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
119
PR_snprintf(msg, sizeof msg,
120
"C_GetObjectSize(hSession=0x%08lX, hObject=0x%08lX, "
121
"pulSize=%p)=0x%08lX",
122
(PRUint32)hSession, (PRUint32)hObject,
123
pulSize, (PRUint32)rv);
124
sftk_LogAuditMessage(severity, NSS_AUDIT_ACCESS_KEY, msg);
127
void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
128
CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
129
CK_ULONG ulCount, CK_RV rv)
132
NSSAuditSeverity severity = (rv == CKR_OK) ?
133
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
135
PR_snprintf(msg, sizeof msg,
136
"C_GetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
137
"pTemplate=%p, ulCount=%lu)=0x%08lX",
138
(PRUint32)hSession, (PRUint32)hObject,
139
pTemplate, (PRUint32)ulCount, (PRUint32)rv);
140
sftk_LogAuditMessage(severity, NSS_AUDIT_ACCESS_KEY, msg);
143
void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
144
CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
145
CK_ULONG ulCount, CK_RV rv)
148
NSSAuditSeverity severity = (rv == CKR_OK) ?
149
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
151
PR_snprintf(msg, sizeof msg,
152
"C_SetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
153
"pTemplate=%p, ulCount=%lu)=0x%08lX",
154
(PRUint32)hSession, (PRUint32)hObject,
155
pTemplate, (PRUint32)ulCount, (PRUint32)rv);
156
sftk_LogAuditMessage(severity, NSS_AUDIT_CHANGE_KEY, msg);
159
void sftk_AuditCryptInit(const char *opName, CK_SESSION_HANDLE hSession,
160
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_RV rv)
163
char mech[MECHANISM_BUFSIZE];
164
NSSAuditSeverity severity = (rv == CKR_OK) ?
165
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
167
sftk_PrintMechanism(mech, sizeof mech, pMechanism);
168
PR_snprintf(msg, sizeof msg,
169
"C_%sInit(hSession=0x%08lX, pMechanism=%s, "
170
"hKey=0x%08lX)=0x%08lX",
171
opName, (PRUint32)hSession, mech,
172
(PRUint32)hKey, (PRUint32)rv);
173
sftk_LogAuditMessage(severity, NSS_AUDIT_CRYPT, msg);
176
void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
177
CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate,
178
CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
181
char mech[MECHANISM_BUFSIZE];
183
NSSAuditSeverity severity = (rv == CKR_OK) ?
184
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
186
sftk_PrintMechanism(mech, sizeof mech, pMechanism);
187
sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
188
PR_snprintf(msg, sizeof msg,
189
"C_GenerateKey(hSession=0x%08lX, pMechanism=%s, "
190
"pTemplate=%p, ulCount=%lu, phKey=%p)=0x%08lX%s",
191
(PRUint32)hSession, mech,
192
pTemplate, (PRUint32)ulCount, phKey, (PRUint32)rv, shKey);
193
sftk_LogAuditMessage(severity, NSS_AUDIT_GENERATE_KEY, msg);
196
void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
197
CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
198
CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
199
CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
200
CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv)
203
char mech[MECHANISM_BUFSIZE];
204
char shPublicKey[32];
205
char shPrivateKey[32];
206
NSSAuditSeverity severity = (rv == CKR_OK) ?
207
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
209
sftk_PrintMechanism(mech, sizeof mech, pMechanism);
210
sftk_PrintReturnedObjectHandle(shPublicKey, sizeof shPublicKey,
211
"phPublicKey", phPublicKey, rv);
212
sftk_PrintReturnedObjectHandle(shPrivateKey, sizeof shPrivateKey,
213
"phPrivateKey", phPrivateKey, rv);
214
PR_snprintf(msg, sizeof msg,
215
"C_GenerateKeyPair(hSession=0x%08lX, pMechanism=%s, "
216
"pPublicKeyTemplate=%p, ulPublicKeyAttributeCount=%lu, "
217
"pPrivateKeyTemplate=%p, ulPrivateKeyAttributeCount=%lu, "
218
"phPublicKey=%p, phPrivateKey=%p)=0x%08lX%s%s",
219
(PRUint32)hSession, mech,
220
pPublicKeyTemplate, (PRUint32)ulPublicKeyAttributeCount,
221
pPrivateKeyTemplate, (PRUint32)ulPrivateKeyAttributeCount,
222
phPublicKey, phPrivateKey, (PRUint32)rv, shPublicKey, shPrivateKey);
223
sftk_LogAuditMessage(severity, NSS_AUDIT_GENERATE_KEY, msg);
226
void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
227
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
228
CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
229
CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv)
232
char mech[MECHANISM_BUFSIZE];
233
NSSAuditSeverity severity = (rv == CKR_OK) ?
234
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
236
sftk_PrintMechanism(mech, sizeof mech, pMechanism);
237
PR_snprintf(msg, sizeof msg,
238
"C_WrapKey(hSession=0x%08lX, pMechanism=%s, hWrappingKey=0x%08lX, "
239
"hKey=0x%08lX, pWrappedKey=%p, pulWrappedKeyLen=%p)=0x%08lX",
240
(PRUint32)hSession, mech, (PRUint32)hWrappingKey,
241
(PRUint32)hKey, pWrappedKey, pulWrappedKeyLen, (PRUint32)rv);
242
sftk_LogAuditMessage(severity, NSS_AUDIT_WRAP_KEY, msg);
245
void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
246
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
247
CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
248
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
249
CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
252
char mech[MECHANISM_BUFSIZE];
254
NSSAuditSeverity severity = (rv == CKR_OK) ?
255
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
257
sftk_PrintMechanism(mech, sizeof mech, pMechanism);
258
sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
259
PR_snprintf(msg, sizeof msg,
260
"C_UnwrapKey(hSession=0x%08lX, pMechanism=%s, "
261
"hUnwrappingKey=0x%08lX, pWrappedKey=%p, ulWrappedKeyLen=%lu, "
262
"pTemplate=%p, ulAttributeCount=%lu, phKey=%p)=0x%08lX%s",
263
(PRUint32)hSession, mech,
264
(PRUint32)hUnwrappingKey, pWrappedKey, (PRUint32)ulWrappedKeyLen,
265
pTemplate, (PRUint32)ulAttributeCount, phKey, (PRUint32)rv, shKey);
266
sftk_LogAuditMessage(severity, NSS_AUDIT_UNWRAP_KEY, msg);
269
void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
270
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
271
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
272
CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
275
char mech[MECHANISM_BUFSIZE];
278
NSSAuditSeverity severity = (rv == CKR_OK) ?
279
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
281
sftk_PrintMechanism(mech, sizeof mech, pMechanism);
282
sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
283
if ((rv == CKR_OK) &&
284
(pMechanism->mechanism == CKM_TLS_KEY_AND_MAC_DERIVE)) {
285
CK_SSL3_KEY_MAT_PARAMS *param =
286
(CK_SSL3_KEY_MAT_PARAMS *)pMechanism->pParameter;
287
CK_SSL3_KEY_MAT_OUT *keymat = param->pReturnedKeyMaterial;
288
PR_snprintf(sTlsKeys, sizeof sTlsKeys,
289
" hClientMacSecret=0x%08lX hServerMacSecret=0x%08lX"
290
" hClientKey=0x%08lX hServerKey=0x%08lX",
291
(PRUint32)keymat->hClientMacSecret,
292
(PRUint32)keymat->hServerMacSecret,
293
(PRUint32)keymat->hClientKey,
294
(PRUint32)keymat->hServerKey);
298
PR_snprintf(msg, sizeof msg,
299
"C_DeriveKey(hSession=0x%08lX, pMechanism=%s, "
300
"hBaseKey=0x%08lX, pTemplate=%p, ulAttributeCount=%lu, "
301
"phKey=%p)=0x%08lX%s%s",
302
(PRUint32)hSession, mech,
303
(PRUint32)hBaseKey, pTemplate,(PRUint32)ulAttributeCount,
304
phKey, (PRUint32)rv, shKey, sTlsKeys);
305
sftk_LogAuditMessage(severity, NSS_AUDIT_DERIVE_KEY, msg);
308
void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
309
CK_OBJECT_HANDLE hKey, CK_RV rv)
312
NSSAuditSeverity severity = (rv == CKR_OK) ?
313
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
315
PR_snprintf(msg, sizeof msg,
316
"C_DigestKey(hSession=0x%08lX, hKey=0x%08lX)=0x%08lX",
317
(PRUint32)hSession, (PRUint32)hKey, (PRUint32)rv);
318
sftk_LogAuditMessage(severity, NSS_AUDIT_DIGEST_KEY, msg);