[SmartcardServices-Changes] [73] trunk/Tokend
source_changes at macosforge.org
source_changes at macosforge.org
Thu Dec 17 06:25:57 PST 2009
Revision: 73
http://trac.macosforge.org/projects/smartcardservices/changeset/73
Author: ludovic.rousseau at gmail.com
Date: 2009-12-17 06:25:53 -0800 (Thu, 17 Dec 2009)
Log Message:
-----------
Add the Gemalto tokend to wrap a PKCS#11 lib in a tokend.
This is used to access a smart card in from CDSA application when only a
PKCS#11 lib is available to access the smart card.
Added Paths:
-----------
trunk/Tokend/PKCS11/
trunk/Tokend/PKCS11/Gemalto.cpp
trunk/Tokend/PKCS11/GemaltoAttributeCoder.cpp
trunk/Tokend/PKCS11/GemaltoAttributeCoder.h
trunk/Tokend/PKCS11/GemaltoError.cpp
trunk/Tokend/PKCS11/GemaltoError.h
trunk/Tokend/PKCS11/GemaltoKeyHandle.cpp
trunk/Tokend/PKCS11/GemaltoKeyHandle.h
trunk/Tokend/PKCS11/GemaltoRecord.cpp
trunk/Tokend/PKCS11/GemaltoRecord.h
trunk/Tokend/PKCS11/GemaltoSchema.cpp
trunk/Tokend/PKCS11/GemaltoSchema.h
trunk/Tokend/PKCS11/GemaltoToken.cpp
trunk/Tokend/PKCS11/GemaltoToken.h
trunk/Tokend/PKCS11/Info.plist
trunk/Tokend/PKCS11/cryptoki.h
trunk/Tokend/PKCS11/gemalto_debug.sh
trunk/Tokend/PKCS11/install.sh
trunk/Tokend/PKCS11/mds/
trunk/Tokend/PKCS11/mds/gemalto_csp_capabilities.mdsinfo
trunk/Tokend/PKCS11/mds/gemalto_csp_capabilities_common.mds
trunk/Tokend/PKCS11/mds/gemalto_csp_primary.mdsinfo
trunk/Tokend/PKCS11/mds/gemalto_dl_primary.mdsinfo
trunk/Tokend/PKCS11/mds/gemalto_smartcard.mdsinfo
trunk/Tokend/PKCS11/pkcs11.h
trunk/Tokend/PKCS11/pkcs11f.h
trunk/Tokend/PKCS11/pkcs11t.h
Added: trunk/Tokend/PKCS11/Gemalto.cpp
===================================================================
--- trunk/Tokend/PKCS11/Gemalto.cpp (rev 0)
+++ trunk/Tokend/PKCS11/Gemalto.cpp 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * Gemalto.cpp - Gemalto.tokend main program
+ */
+
+#include "GemaltoToken.h"
+
+
+static void terminate(int /*sig*/)
+{
+ delete token;
+ _exit(0);
+}
+
+int main(int argc, const char *argv[])
+{
+ secdebug("Gemalto.tokend", "main starting with %d arguments", argc);
+ secdelay("/tmp/delay/Gemalto");
+
+ signal(SIGTERM, terminate);
+ signal(SIGINT, terminate);
+ signal(SIGQUIT, terminate);
+
+ token = new GemaltoToken();
+ return SecTokendMain(argc, argv, token->callbacks(), token->support());
+}
+
+/* arch-tag: 8B9B7BB4-124C-11D9-ACF9-000A9595DEEE */
Added: trunk/Tokend/PKCS11/GemaltoAttributeCoder.cpp
===================================================================
--- trunk/Tokend/PKCS11/GemaltoAttributeCoder.cpp (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoAttributeCoder.cpp 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,548 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoAttributeCoder.cpp
+ * Gemalto.tokend
+ */
+
+#include "GemaltoAttributeCoder.h"
+
+#include "Attribute.h"
+#include "MetaAttribute.h"
+#include "MetaRecord.h"
+#include "GemaltoRecord.h"
+#include "GemaltoError.h"
+#include "GemaltoToken.h"
+
+#include <Security/SecKeychainItem.h>
+#include <security_cdsa_utilities/cssmkey.h>
+
+using namespace Tokend;
+
+
+//
+// KeyEncryptAttributeCoder
+//
+KeyEncryptAttributeCoder::~KeyEncryptAttributeCoder()
+{
+}
+
+
+void KeyEncryptAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyEncryptAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ bool boolValue = true;
+
+ if (keyRecord.getClass() == CKO_PRIVATE_KEY)
+ {
+ boolValue = false;
+ }
+ else
+ {
+ boolValue = keyRecord.encrypt();
+ }
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyEncryptAttributeCoder::decode - Class <%lu> - Value <%lu>\n", keyRecord.getClass(), boolValue );
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeyEncryptAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeyDecryptAttributeCoder
+//
+KeyDecryptAttributeCoder::~KeyDecryptAttributeCoder()
+{
+}
+
+
+void KeyDecryptAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyDecryptAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ bool boolValue = true;
+
+ if (keyRecord.getClass() == CKO_PRIVATE_KEY)
+ {
+ boolValue = keyRecord.encrypt();
+ }
+ else
+ {
+ boolValue = false;
+ }
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyDecryptAttributeCoder::decode - Label <%s> - bool <%u>\n", str.c_str(), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeyDecryptAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeySignAttributeCoder
+//
+KeySignAttributeCoder::~KeySignAttributeCoder()
+{
+}
+
+
+void KeySignAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeySignAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ bool boolValue = true;
+
+ if (keyRecord.getClass() == CKO_PRIVATE_KEY)
+ {
+ boolValue = keyRecord.verify();
+ }
+ else
+ {
+ boolValue = false;
+ }
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeySignAttributeCoder::decode - Label <%s> - bool <%u>\n", str.c_str( ), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeySignAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeyVerifyAttributeCoder
+//
+KeyVerifyAttributeCoder::~KeyVerifyAttributeCoder()
+{
+}
+
+
+void KeyVerifyAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyVerifyAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ bool boolValue = true;
+
+ if (keyRecord.getClass() == CKO_PRIVATE_KEY)
+ {
+ boolValue = false;
+ }
+ else
+ {
+ boolValue = keyRecord.verify();
+ }
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyVerifyAttributeCoder::decode - Label <%s> - bool <%u>\n", str.c_str( ), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeyVerifyAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeySignRecoverAttributeCoder
+//
+KeySignRecoverAttributeCoder::~KeySignRecoverAttributeCoder()
+{
+}
+
+
+void KeySignRecoverAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeySignRecoverAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ bool boolValue = true;
+
+ if (keyRecord.getClass() == CKO_PRIVATE_KEY)
+ {
+ boolValue = keyRecord.verifyRecover();
+ }
+ else
+ {
+ boolValue = false;
+ }
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeySignRecoverAttributeCoder::decode - Label <%s> - bool <%u>\n", str.c_str( ), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeySignRecoverAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeyVerifyRecoverAttributeCoder
+//
+KeyVerifyRecoverAttributeCoder::~KeyVerifyRecoverAttributeCoder()
+{
+}
+
+
+void KeyVerifyRecoverAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyVerifyRecoverAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ bool boolValue = true;
+
+ if (keyRecord.getClass() == CKO_PRIVATE_KEY)
+ {
+ boolValue = false;
+ }
+ else
+ {
+ boolValue = keyRecord.verifyRecover();
+ }
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyVerifyRecoverAttributeCoder::decode - Label <%s> - bool <%u>\n", str.c_str( ), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeyVerifyRecoverAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeyWrapAttributeCoder
+//
+KeyWrapAttributeCoder::~KeyWrapAttributeCoder()
+{
+}
+
+
+void KeyWrapAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyWrapAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ bool boolValue = true;
+
+ if (keyRecord.getClass() == CKO_PRIVATE_KEY)
+ {
+ boolValue = false;
+ }
+ else
+ {
+ boolValue = keyRecord.wrap();
+ }
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyWrapAttributeCoder::decode - Label <%s> - bool <%u>\n", str.c_str(), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeyWrapAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeyUnwrapAttributeCoder
+//
+KeyUnwrapAttributeCoder::~KeyUnwrapAttributeCoder()
+{
+}
+
+
+void KeyUnwrapAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyUnwrapAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ bool boolValue = true;
+
+ if (keyRecord.getClass() == CKO_PRIVATE_KEY)
+ {
+ boolValue = keyRecord.wrap();
+ }
+ else
+ {
+ boolValue = false;
+ }
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyUnwrapAttributeCoder::decode - Label <%s> - bool <%u>\n", str.c_str( ), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeyUnwrapAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeyDeriveAttributeCoder
+//
+KeyDeriveAttributeCoder::~KeyDeriveAttributeCoder()
+{
+}
+
+
+void KeyDeriveAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyDeriveAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ bool boolValue = keyRecord.derive();
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyDeriveAttributeCoder::decode - Label <%s> - keyType <%ld> - bool <%u>\n", keyRecord.getType( ),str.c_str( ), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeyDeriveAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeySensitiveAttributeCoder
+//
+KeySensitiveAttributeCoder::~KeySensitiveAttributeCoder()
+{
+}
+
+
+void KeySensitiveAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeySensitiveAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ const bool boolValue = (keyRecord.getClass() == CKO_PRIVATE_KEY);
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeySensitiveAttributeCoder::decode - Label <%s> - keyType <%ld> - bool <%u>\n", keyRecord.getType( ), str.c_str( ), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeySensitiveAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeyPrivateAttributeCoder
+//
+KeyPrivateAttributeCoder::~KeyPrivateAttributeCoder()
+{
+}
+
+
+void KeyPrivateAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyPrivateAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ const bool boolValue = (keyRecord.getClass() == CKO_PRIVATE_KEY);
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyPrivateAttributeCoder::decode - Label <%s> - keyType <%ld> - bool <%u>\n", keyRecord.getType( ), str.c_str( ), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeyPrivateAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeyAlwaysSensitiveAttributeCoder
+//
+KeyAlwaysSensitiveAttributeCoder::~KeyAlwaysSensitiveAttributeCoder()
+{
+}
+
+
+void KeyAlwaysSensitiveAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyAlwaysSensitiveAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ const bool boolValue = (keyRecord.getClass() == CKO_PRIVATE_KEY);
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyAlwaysSensitiveAttributeCoder::decode - Label <%s> - keyType <%ld> - bool <%u>\n", keyRecord.getType( ), str.c_str( ), boolValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(boolValue));
+
+ GemaltoToken::log( "KeyAlwaysSensitiveAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeySizeAttributeCoder
+//
+KeySizeAttributeCoder::~KeySizeAttributeCoder()
+{
+}
+
+
+void KeySizeAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeySizeAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ const uint32 longValue = keyRecord.sizeInBits();
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeySizeAttributeCoder::decode - Label <%s> - keyType <%ld> - size <%lu>\n", str.c_str( ), keyRecord.getType( ), longValue);
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(longValue));
+
+ GemaltoToken::log( "KeySizeAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeyAlgorithmAttributeCoder
+//
+KeyAlgorithmAttributeCoder::~KeyAlgorithmAttributeCoder()
+{
+}
+
+
+void KeyAlgorithmAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyAlgorithmAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+ const CK_KEY_TYPE keyType = keyRecord.getType();
+ uint32 algID;
+ switch (keyType)
+ {
+ case CKK_RSA:
+ algID = CSSM_ALGID_RSA;
+ break;
+ /*case CKK_DSA:
+ algID = CSSM_ALGID_DSA;
+ break;
+ case CKK_DH:
+ algID = CSSM_ALGID_DH;
+ break;
+ case CKK_ECDSA:
+ algID = CSSM_ALGID_ECDSA;
+ break;
+ case CKK_KEA:
+ algID = CSSM_ALGID_KEA;
+ break;
+ case CKK_GENERIC_SECRET:
+ algID = CSSM_ALGID_GenericSecret;
+ break;
+ case CKK_RC2:
+ algID = CSSM_ALGID_RC2;
+ break;
+ case CKK_RC4:
+ algID = CSSM_ALGID_RC4;
+ break;
+ case CKK_DES:
+ algID = CSSM_ALGID_DES;
+ break;
+ case CKK_DES3:
+ algID = CSSM_ALGID_3DES;
+ break;
+ case CKK_CAST:
+ algID = CSSM_ALGID_CAST;
+ break;
+ case CKK_CAST3:
+ algID = CSSM_ALGID_CAST3;
+ break;
+ case CKK_CAST5:
+ algID = CSSM_ALGID_CAST5;
+ break;
+ case CKK_RC5:
+ algID = CSSM_ALGID_RC5;
+ break;
+ case CKK_IDEA:
+ algID = CSSM_ALGID_IDEA;
+ break;
+ case CKK_SKIPJACK:
+ algID = CSSM_ALGID_SKIPJACK;
+ break;
+ case CKK_BATON:
+ algID = CSSM_ALGID_BATON;
+ break;
+ case CKK_JUNIPER:
+ algID = CSSM_ALGID_JUNIPER;
+ break;
+ case CKK_CDMF:
+ algID = CSSM_ALGID_CDMF;
+ break;
+ case CKK_AES:
+ algID = CSSM_ALGID_ECAES;
+ break;
+ case CKK_BLOWFISH:
+ algID = CSSM_ALGID_BLOWFISH;
+ break;
+*/
+ default:
+ GemaltoToken::log( "KeyAlgorithmAttributeCoder::decode - Unknown CKA_KEY_TYPE <%02lX> - r <%p> - rid <%08lX> - aid <%lu>\n", keyType, &record, metaAttribute.metaRecord().relationId(), metaAttribute.attributeId());
+ algID = CSSM_ALGID_CUSTOM;
+ break;
+ }
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyAlgorithmAttributeCoder::decode - Label <%s> - keyType <%lu> - algID <%lu>\n", str.c_str( ), keyRecord.getType( ), algID);
+
+ record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute(algID));
+
+ GemaltoToken::log( "KeyAlgorithmAttributeCoder::decode <END>\n" );
+}
+
+
+//
+// KeyNameAttributeCoder
+//
+KeyNameAttributeCoder::~KeyNameAttributeCoder()
+{
+}
+
+
+void KeyNameAttributeCoder::decode(Tokend::TokenContext */*tokenContext*/, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record)
+{
+ GemaltoToken::log( "\nKeyNameAttributeCoder::decode <BEGIN>\n" );
+
+ GemaltoKeyRecord &keyRecord = dynamic_cast<GemaltoKeyRecord &>(record);
+
+ std::string str = "";
+ GemaltoToken::toStringHex( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel().size( ), str );
+ GemaltoToken::log( "KeyNameAttributeCoder::decode - Label <%s>\n", str.c_str( ) );
+
+ record.attributeAtIndex( metaAttribute.attributeIndex(), new Attribute( keyRecord.getLabel( ).ptr( ), keyRecord.getLabel( ).size( ) ) );
+
+ GemaltoToken::log( "KeyNameAttributeCoder::decode <END>\n" );
+}
+
+/* arch-tag: C8A090EE-F61D-11D8-9622-000A9595DEEE */
Added: trunk/Tokend/PKCS11/GemaltoAttributeCoder.h
===================================================================
--- trunk/Tokend/PKCS11/GemaltoAttributeCoder.h (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoAttributeCoder.h 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoAttributeCoder.h
+ * Gemalto.tokend
+ */
+
+#ifndef _GEMALTOATTRIBUTECODER_H_
+#define _GEMALTOATTRIBUTECODER_H_
+
+#include "AttributeCoder.h"
+#include <string>
+
+#include "cryptoki.h"
+
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeyEncryptAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyEncryptAttributeCoder)
+public:
+ KeyEncryptAttributeCoder() {}
+ virtual ~KeyEncryptAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeyDecryptAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyDecryptAttributeCoder)
+public:
+ KeyDecryptAttributeCoder() {}
+ virtual ~KeyDecryptAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeySignAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeySignAttributeCoder)
+public:
+ KeySignAttributeCoder() {}
+ virtual ~KeySignAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeyVerifyAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyVerifyAttributeCoder)
+public:
+ KeyVerifyAttributeCoder() {}
+ virtual ~KeyVerifyAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeySignRecoverAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeySignRecoverAttributeCoder)
+public:
+ KeySignRecoverAttributeCoder() {}
+ virtual ~KeySignRecoverAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeyVerifyRecoverAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyVerifyRecoverAttributeCoder)
+public:
+ KeyVerifyRecoverAttributeCoder() {}
+ virtual ~KeyVerifyRecoverAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeyWrapAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyWrapAttributeCoder)
+public:
+ KeyWrapAttributeCoder() {}
+ virtual ~KeyWrapAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeyUnwrapAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyUnwrapAttributeCoder)
+public:
+ KeyUnwrapAttributeCoder() {}
+ virtual ~KeyUnwrapAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeyDeriveAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyDeriveAttributeCoder)
+public:
+ KeyDeriveAttributeCoder() {}
+ virtual ~KeyDeriveAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeySensitiveAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeySensitiveAttributeCoder)
+public:
+ KeySensitiveAttributeCoder() {}
+ virtual ~KeySensitiveAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeyPrivateAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyPrivateAttributeCoder)
+public:
+ KeyPrivateAttributeCoder() {}
+ virtual ~KeyPrivateAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces a boolean value based on pkcs11 attribute type
+//
+class KeyAlwaysSensitiveAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyAlwaysSensitiveAttributeCoder)
+public:
+ KeyAlwaysSensitiveAttributeCoder() {}
+ virtual ~KeyAlwaysSensitiveAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that produces the LogicalKeySizeInBits of a key
+//
+class KeySizeAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeySizeAttributeCoder)
+public:
+ KeySizeAttributeCoder() {}
+ virtual ~KeySizeAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder produces a CSSM_ALGID from a key
+//
+class KeyAlgorithmAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyAlgorithmAttributeCoder)
+public:
+ KeyAlgorithmAttributeCoder() {}
+ virtual ~KeyAlgorithmAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+//
+// A coder that reads the name of a key
+//
+class KeyNameAttributeCoder : public Tokend::AttributeCoder
+{
+ NOCOPY(KeyNameAttributeCoder)
+public:
+
+ KeyNameAttributeCoder() {}
+ virtual ~KeyNameAttributeCoder();
+
+ virtual void decode(Tokend::TokenContext *tokenContext, const Tokend::MetaAttribute &metaAttribute, Tokend::Record &record);
+};
+
+
+#endif /* !_GEMALTOATTRIBUTECODER_H_ */
+
+/* arch-tag: C909C93A-F61D-11D8-8459-000A9595DEEE */
Added: trunk/Tokend/PKCS11/GemaltoError.cpp
===================================================================
--- trunk/Tokend/PKCS11/GemaltoError.cpp (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoError.cpp 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,264 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoError.cpp
+ * Gemalto.tokend
+ */
+
+#include "GemaltoError.h"
+#include "GemaltoToken.h"
+
+#include <Security/cssmerr.h>
+
+//#if !defined(NDEBUG)
+
+static struct pkcs11_error_name {
+ const char* name;
+ CK_ULONG value;
+} s_pkcs11_errors[] = {
+{ "CKR_OK", 0x00000000 },
+{ "CKR_CANCEL", 0x00000001 },
+{ "CKR_HOST_MEMORY", 0x00000002 },
+{ "CKR_SLOT_ID_INVALID", 0x00000003 },
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+{ "CKR_GENERAL_ERROR", 0x00000005 },
+{ "CKR_FUNCTION_FAILED", 0x00000006 },
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+{ "CKR_ARGUMENTS_BAD", 0x00000007 },
+{ "CKR_NO_EVENT", 0x00000008 },
+{ "CKR_NEED_TO_CREATE_THREADS", 0x00000009 },
+{ "CKR_CANT_LOCK", 0x0000000A },
+
+{ "CKR_ATTRIBUTE_READ_ONLY", 0x00000010 },
+{ "CKR_ATTRIBUTE_SENSITIVE", 0x00000011 },
+{ "CKR_ATTRIBUTE_TYPE_INVALID", 0x00000012 },
+{ "CKR_ATTRIBUTE_VALUE_INVALID", 0x00000013 },
+{ "CKR_DATA_INVALID", 0x00000020 },
+{ "CKR_DATA_LEN_RANGE", 0x00000021 },
+{ "CKR_DEVICE_ERROR", 0x00000030 },
+{ "CKR_DEVICE_MEMORY", 0x00000031 },
+{ "CKR_DEVICE_REMOVED", 0x00000032 },
+{ "CKR_ENCRYPTED_DATA_INVALID", 0x00000040 },
+{ "CKR_ENCRYPTED_DATA_LEN_RANGE", 0x00000041 },
+{ "CKR_FUNCTION_CANCELED", 0x00000050 },
+{ "CKR_FUNCTION_NOT_PARALLEL", 0x00000051 },
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+{ "CKR_FUNCTION_NOT_SUPPORTED", 0x00000054 },
+
+{ "CKR_KEY_HANDLE_INVALID", 0x00000060 },
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+{ "CKR_KEY_SIZE_RANGE", 0x00000062 },
+{ "CKR_KEY_TYPE_INCONSISTENT", 0x00000063 },
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
+ * v2.0 */
+{ "CKR_KEY_NOT_NEEDED", 0x00000064 },
+{ "CKR_KEY_CHANGED", 0x00000065 },
+{ "CKR_KEY_NEEDED", 0x00000066 },
+{ "CKR_KEY_INDIGESTIBLE", 0x00000067 },
+{ "CKR_KEY_FUNCTION_NOT_PERMITTED", 0x00000068 },
+{ "CKR_KEY_NOT_WRAPPABLE", 0x00000069 },
+{ "CKR_KEY_UNEXTRACTABLE", 0x0000006A },
+
+{ "CKR_MECHANISM_INVALID", 0x00000070 },
+{ "CKR_MECHANISM_PARAM_INVALID", 0x00000071 },
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+{ "CKR_OBJECT_HANDLE_INVALID", 0x00000082 },
+{ "CKR_OPERATION_ACTIVE", 0x00000090 },
+{ "CKR_OPERATION_NOT_INITIALIZED", 0x00000091 },
+{ "CKR_PIN_INCORRECT", 0x000000A0 },
+{ "CKR_PIN_INVALID", 0x000000A1 },
+{ "CKR_PIN_LEN_RANGE", 0x000000A2 },
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+{ "CKR_PIN_EXPIRED", 0x000000A3 },
+{ "CKR_PIN_LOCKED", 0x000000A4 },
+
+{ "CKR_SESSION_CLOSED", 0x000000B0 },
+{ "CKR_SESSION_COUNT", 0x000000B1 },
+{ "CKR_SESSION_HANDLE_INVALID", 0x000000B3 },
+{ "CKR_SESSION_PARALLEL_NOT_SUPPORTED", 0x000000B4 },
+{ "CKR_SESSION_READ_ONLY", 0x000000B5 },
+{ "CKR_SESSION_EXISTS", 0x000000B6 },
+
+/* CKR_SESSION_READ_ONLY_EXISTS and
+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
+{ "CKR_SESSION_READ_ONLY_EXISTS", 0x000000B7 },
+{ "CKR_SESSION_READ_WRITE_SO_EXISTS", 0x000000B8 },
+
+{ "CKR_SIGNATURE_INVALID", 0x000000C0 },
+{ "CKR_SIGNATURE_LEN_RANGE", 0x000000C1 },
+{ "CKR_TEMPLATE_INCOMPLETE", 0x000000D0 },
+{ "CKR_TEMPLATE_INCONSISTENT", 0x000000D1 },
+{ "CKR_TOKEN_NOT_PRESENT", 0x000000E0 },
+{ "CKR_TOKEN_NOT_RECOGNIZED", 0x000000E1 },
+{ "CKR_TOKEN_WRITE_PROTECTED", 0x000000E2 },
+{ "CKR_UNWRAPPING_KEY_HANDLE_INVALID", 0x000000F0 },
+{ "CKR_UNWRAPPING_KEY_SIZE_RANGE", 0x000000F1 },
+{ "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT", 0x000000F2 },
+{ "CKR_USER_ALREADY_LOGGED_IN", 0x00000100 },
+{ "CKR_USER_NOT_LOGGED_IN", 0x00000101 },
+{ "CKR_USER_PIN_NOT_INITIALIZED", 0x00000102 },
+{ "CKR_USER_TYPE_INVALID", 0x00000103 },
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+{ "CKR_USER_ANOTHER_ALREADY_LOGGED_IN", 0x00000104 },
+{ "CKR_USER_TOO_MANY_TYPES", 0x00000105 },
+
+{ "CKR_WRAPPED_KEY_INVALID", 0x00000110 },
+{ "CKR_WRAPPED_KEY_LEN_RANGE", 0x00000112 },
+{ "CKR_WRAPPING_KEY_HANDLE_INVALID", 0x00000113 },
+{ "CKR_WRAPPING_KEY_SIZE_RANGE", 0x00000114 },
+{ "CKR_WRAPPING_KEY_TYPE_INCONSISTENT", 0x00000115 },
+{ "CKR_RANDOM_SEED_NOT_SUPPORTED", 0x00000120 },
+
+/* These are new to v2.0 */
+{ "CKR_RANDOM_NO_RNG", 0x00000121 },
+
+/* These are new to v2.11 */
+{ "CKR_DOMAIN_PARAMS_INVALID", 0x00000130 },
+
+/* These are new to v2.0 */
+{ "CKR_BUFFER_TOO_SMALL", 0x00000150 },
+{ "CKR_SAVED_STATE_INVALID", 0x00000160 },
+{ "CKR_INFORMATION_SENSITIVE", 0x00000170 },
+{ "CKR_STATE_UNSAVEABLE", 0x00000180 },
+
+/* These are new to v2.01 */
+{ "CKR_CRYPTOKI_NOT_INITIALIZED", 0x00000190 },
+{ "CKR_CRYPTOKI_ALREADY_INITIALIZED", 0x00000191 },
+{ "CKR_MUTEX_BAD", 0x000001A0 },
+{ "CKR_MUTEX_NOT_LOCKED", 0x000001A1 },
+
+/* This is new to v2.20 */
+{ "CKR_FUNCTION_REJECTED", 0x00000200 },
+{ NULL, 0 }
+};
+
+static const char* pkcs11_error(CK_RV rv)
+{
+ int i;
+ for (i=0; s_pkcs11_errors[i].name!=NULL; i++) {
+ if (s_pkcs11_errors[i].value == rv)
+ return s_pkcs11_errors[i].name;
+ }
+
+ return "Unknown error";
+}
+
+
+void CKError::debugDiagnose(const void *id) const
+{
+ GemaltoToken::log( "### Exception - <%p> CKError debugDiagnose <%s> <%08lX>\n", this, pkcs11_error(resultValue), resultValue);
+}
+
+//#endif //NDEBUG
+
+//
+// CKError exceptions
+//
+CKError::CKError(CK_RV rv) : CommonError(), resultValue(rv)
+{
+ //IFDEBUG(debugDiagnose(this));
+ debugDiagnose(this);
+}
+
+
+OSStatus CKError::osStatus() const
+{
+ GemaltoToken::log( "### Exception - <%p> CKError osStatus <%s> <%08lX>\n", this, pkcs11_error(resultValue), resultValue);
+
+ // Map pkcs11 errors to CSSM
+ switch (resultValue)
+ {
+ case CKR_OK:
+ return CSSM_OK;
+
+ case CKR_HOST_MEMORY:
+ case CKR_BUFFER_TOO_SMALL:
+ return CSSMERR_DL_MEMORY_ERROR;
+
+ case CKR_PIN_INCORRECT:
+ case CKR_PIN_INVALID:
+ case CKR_PIN_EXPIRED:
+ return CSSMERR_DL_OPERATION_AUTH_DENIED;
+
+ case CKR_PIN_LOCKED:
+ return CSSMERR_DL_DB_LOCKED;
+
+ case CKR_KEY_FUNCTION_NOT_PERMITTED:
+ case CKR_KEY_NOT_WRAPPABLE:
+ case CKR_KEY_UNEXTRACTABLE:
+ return CSSMERR_DL_OBJECT_USE_AUTH_DENIED;
+
+ case CKR_FUNCTION_NOT_SUPPORTED:
+ case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
+ return CSSMERR_DL_FUNCTION_NOT_IMPLEMENTED;
+
+ case CKR_OBJECT_HANDLE_INVALID:
+ case CKR_KEY_HANDLE_INVALID:
+ return CSSMERR_DL_INVALID_DB_HANDLE;
+
+ case CKR_FUNCTION_FAILED:
+ return CSSMERR_DL_FUNCTION_FAILED;
+
+ case CKR_GENERAL_ERROR:
+ default:
+ return CSSMERR_DL_INTERNAL_ERROR;
+ }
+}
+
+int CKError::unixError() const
+{
+ GemaltoToken::log( "### Exception - <%p> CKError unixError <%s> <%08lX>\n", this, pkcs11_error(resultValue), resultValue);
+
+ switch (resultValue)
+ {
+ default:
+ // cannot map this to errno space
+ return -1;
+ }
+}
+
+const char *CKError::what() const throw ()
+{ return "Gemalto cryptoki error"; }
+
+void CKError::throwMe(CK_RV rv)
+{ throw CKError(rv); }
+
+
+/* arch-tag: 8B4FF59F-124C-11D9-AFF8-000A9595DEEE */
Added: trunk/Tokend/PKCS11/GemaltoError.h
===================================================================
--- trunk/Tokend/PKCS11/GemaltoError.h (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoError.h 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoError.h
+ * Gemalto.tokend
+ */
+
+#ifndef _GEMALTOERROR_H_
+#define _GEMALTOERROR_H_
+
+#include <security_utilities/debugging.h>
+#include <security_utilities/errors.h>
+#include "cryptoki.h"
+
+
+class CKError : public Security::CommonError
+{
+protected:
+ CKError(CK_RV rv);
+public:
+ const CK_RV resultValue;
+ virtual OSStatus osStatus() const;
+ virtual int unixError() const;
+ virtual const char *what () const throw ();
+
+ static void check(CK_RV rv) { if (rv != CKR_OK) throwMe(rv); }
+ static void throwMe(CK_RV rv) __attribute__((noreturn));
+protected:
+ //IFDEBUG(void debugDiagnose(const void *id) const;)
+ void debugDiagnose(const void *id) const;
+};
+
+#endif /* !_GEMALTOERROR_H_ */
+
+
+/* arch-tag: 8B34BC1C-124C-11D9-B7AA-000A9595DEEE */
Added: trunk/Tokend/PKCS11/GemaltoKeyHandle.cpp
===================================================================
--- trunk/Tokend/PKCS11/GemaltoKeyHandle.cpp (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoKeyHandle.cpp 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,371 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoKeyHandle.cpp
+ * Gemalto.tokend
+ */
+
+#include "GemaltoKeyHandle.h"
+
+#include "GemaltoRecord.h"
+#include "GemaltoToken.h"
+
+#include <security_utilities/debugging.h>
+#include <security_utilities/utilities.h>
+#include <security_cdsa_utilities/cssmerrors.h>
+#include <Security/cssmerr.h>
+
+
+//
+// GemaltoKeyHandle
+//
+GemaltoKeyHandle::GemaltoKeyHandle(GemaltoToken &GemaltoToken, const Tokend::MetaRecord &metaRecord, GemaltoKeyRecord &cpsKey) :
+ Tokend::KeyHandle(metaRecord, &cpsKey),
+ mToken(GemaltoToken), mKey(cpsKey)
+{
+}
+
+
+GemaltoKeyHandle::~GemaltoKeyHandle()
+{
+}
+
+
+void GemaltoKeyHandle::getKeySize(CSSM_KEY_SIZE &keySize)
+{
+ GemaltoToken::log( "\nGemaltoKeyHandle::getKeySize <BEGIN>\n" );
+ GemaltoToken::log( "GemaltoKeyHandle::getOutputSize - sizeInBits <%lu>", mKey.sizeInBits() );
+
+ keySize.EffectiveKeySizeInBits = mKey.sizeInBits();
+ keySize.LogicalKeySizeInBits = mKey.sizeInBits();
+
+ GemaltoToken::log( "GemaltoKeyHandle::getKeySize <END>\n" );
+}
+
+
+uint32 GemaltoKeyHandle::getOutputSize(const Context &/*context*/, uint32 inputSize, bool encrypting)
+{
+ GemaltoToken::log( "\nGemaltoKeyHandle::getOutputSize <BEGIN>\n" );
+ GemaltoToken::log( "GemaltoKeyHandle::getOutputSize - inputSize <%lu> - encrypting <%d>", inputSize, encrypting );
+ GemaltoToken::log( "GemaltoKeyHandle::getOutputSize - sizeInBits / 8 <%lu>", ( mKey.sizeInBits() / 8 ) );
+
+ GemaltoToken::log( "GemaltoKeyHandle::getOutputSize <END>\n" );
+
+ return (mKey.sizeInBits() / 8);
+}
+
+
+static const unsigned char sha1sigheader[] =
+{
+ 0x30, // SEQUENCE
+ 0x21, // LENGTH
+ 0x30, // SEQUENCE
+ 0x09, // LENGTH
+ 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1a, // SHA1 OID (1 4 14 3 2 26)
+ 0x05, 0x00, // OPTIONAL ANY algorithm params (NULL)
+ 0x04, 0x14 // OCTECT STRING (20 bytes)
+};
+
+
+static const unsigned char md5sigheader[] =
+{
+ 0x30, // SEQUENCE
+ 0x20, // LENGTH
+ 0x30, // SEQUENCE
+ 0x0C, // LENGTH
+ 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, // MD5 OID (1 2 840 113549 2 5)
+ 0x05, 0x00, // OPTIONAL ANY algorithm params (NULL)
+ 0x04, 0x10 // OCTECT STRING (16 bytes)
+};
+
+
+void GemaltoKeyHandle::generateSignature(const Context &context, CSSM_ALGORITHMS signOnly, const CssmData &input, CssmData &signature)
+{
+ GemaltoToken::log( "\nGemaltoKeyHandle::generateSignature <BEGIN>\n" );
+ GemaltoToken::log( "Algo <%lu> - SignOnly <%lu> Input <%s> - Signature <%s>\n", context.algorithm(), signOnly, input.toHex( ).c_str( ), signature.toHex( ).c_str( ) );
+
+ if (context.type() != CSSM_ALGCLASS_SIGNATURE)
+ {
+ GemaltoToken::log( "## Error ## CSSMERR_CSP_INVALID_CONTEXT\n" );
+ CssmError::throwMe(CSSMERR_CSP_INVALID_CONTEXT);
+ }
+
+ if (context.algorithm() != CSSM_ALGID_RSA)
+ {
+ GemaltoToken::log( "## Error ## CSSMERR_CSP_INVALID_ALGORITHM\n" );
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
+ }
+
+ // Find out if we are doing a SHA1 or MD5 signature and setup header to
+ // point to the right asn1 blob.
+ const unsigned char *header;
+ size_t headerLength;
+ CK_ULONG mech = CKM_RSA_PKCS;
+ if (signOnly == CSSM_ALGID_SHA1)
+ {
+ GemaltoToken::log( "Case CSSM_ALGID_SHA1\n" );
+ //secdebug("Gemalto.tokend", "GemaltoKeyHandle: CSSM_ALGID_SHA1 (%lu)", input.Length);
+
+ if (input.Length != 20)
+ {
+ GemaltoToken::log( "## Error ## CSSMERR_CSP_BLOCK_SIZE_MISMATCH\n" );
+ CssmError::throwMe(CSSMERR_CSP_BLOCK_SIZE_MISMATCH);
+ }
+ header = sha1sigheader;
+ headerLength = sizeof(sha1sigheader);
+ }
+ else if (signOnly == CSSM_ALGID_MD5)
+ {
+ GemaltoToken::log( "Case CSSM_ALGID_MD5\n" );
+ //secdebug("Gemalto.tokend", "GemaltoKeyHandle: CSSM_ALGID_MD5 (%lu)", input.Length);
+
+ if (input.Length != 16)
+ {
+ GemaltoToken::log( "## Error ## CSSMERR_CSP_BLOCK_SIZE_MISMATCH\n" );
+ CssmError::throwMe(CSSMERR_CSP_BLOCK_SIZE_MISMATCH);
+ }
+
+ header = md5sigheader;
+ headerLength = sizeof(md5sigheader);
+ }
+ else if (signOnly == CSSM_ALGID_NONE)
+ {
+ GemaltoToken::log( "Case CSSM_ALGID_NONE\n" );
+ //secdebug("Gemalto.tokend", "GemaltoKeyHandle: CSSM_ALGID_NONE");
+
+ // Special case used by SSL it's an RSA signature, without the ASN1 stuff
+ header = NULL;
+ headerLength = 0;
+ }
+ else
+ {
+ GemaltoToken::log( "## Error ## CSSMERR_CSP_INVALID_DIGEST_ALGORITHM\n" );
+ //secdebug("Gemalto.tokend", "GemaltoKeyHandle: Invalid sign algo");
+ CssmError::throwMe(CSSMERR_CSP_INVALID_DIGEST_ALGORITHM);
+ }
+
+ // Create an input buffer in which we construct the data we will send to
+ // the token.
+ size_t inputDataSize = headerLength + input.Length;
+ size_t keyLength = mKey.sizeInBits() / 8;
+ auto_array<unsigned char> inputData(keyLength);
+ unsigned char *to = inputData.get();
+
+ // Get padding, but default to pkcs1 style padding
+ uint32 padding = CSSM_PADDING_PKCS1;
+ context.getInt(CSSM_ATTRIBUTE_PADDING, padding);
+ GemaltoToken::log( "Padding <%lu>\n", padding );
+
+//JCD
+/*
+ if (padding != CSSM_PADDING_PKCS1)
+ {
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_PADDING);
+ }
+*/
+ // Gemalto pkcs11 can handle PKCS1 padding only
+ switch( padding )
+ {
+ case CSSM_PADDING_PKCS1:
+ mech = CKM_RSA_PKCS;
+ break;
+
+ case CSSM_PADDING_NONE:
+ mech = CKM_RSA_X_509;
+ break;
+
+ case CSSM_PADDING_CUSTOM:
+ case CSSM_PADDING_ZERO:
+ case CSSM_PADDING_ONE:
+ case CSSM_PADDING_ALTERNATE:
+ case CSSM_PADDING_FF:
+ case CSSM_PADDING_PKCS5:
+ case CSSM_PADDING_PKCS7:
+ case CSSM_PADDING_CIPHERSTEALING:
+ case CSSM_PADDING_RANDOM:
+ case CSSM_PADDING_VENDOR_DEFINED:
+ default:
+ GemaltoToken::log( "## Error ## CSSMERR_CSP_INVALID_ATTR_PADDING\n" );
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_PADDING);
+ }
+ GemaltoToken::log( "Mechanism <%lu>\n", mech );
+//JCD
+
+ // Now copy the ASN1 header into the input buffer.
+ // This header is the DER encoding of
+ // DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier,
+ // digest OCTET STRING }
+ // Where AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER,
+ // parameters OPTIONAL ANY }
+ if (headerLength)
+ {
+ memcpy(to, header, headerLength);
+ to += headerLength;
+ }
+
+ // Finally copy the passed in data to the input buffer.
+ memcpy(to, input.Data, input.Length);
+
+ // @@@ Switch to using tokend allocators
+ unsigned char *outputData = reinterpret_cast<unsigned char *>(malloc(keyLength));
+ size_t outputLength = keyLength;
+ try
+ {
+ const AccessCredentials *cred = context.get<const AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS);
+ // Sign the inputData using the token
+ mKey.computeSign(mToken, mech, cred, inputData.get(), inputDataSize, outputData, outputLength);
+ }
+ catch (...)
+ {
+ GemaltoToken::log( "## Error ## key computeSign\n" );
+
+ // @@@ Switch to using tokend allocators
+ free(outputData);
+ throw;
+ }
+
+ signature.Data = outputData;
+ signature.Length = outputLength;
+
+ GemaltoToken::log( "GemaltoKeyHandle::generateSignature <END>\n" );
+}
+
+
+void GemaltoKeyHandle::verifySignature(const Context &/*context*/, CSSM_ALGORITHMS /*signOnly*/, const CssmData &/*input*/, const CssmData &/*signature*/)
+{
+ GemaltoToken::log( "\nGemaltoKeyHandle::verifySignature <BEGIN>\n" );
+ GemaltoToken::log( "## Error ## CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED\n" );
+ GemaltoToken::log( "GemaltoKeyHandle::verifySignature <END>\n" );
+
+ CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
+}
+
+
+void GemaltoKeyHandle::generateMac(const Context &/*context*/, const CssmData &/*input*/, CssmData &/*output*/)
+{
+ GemaltoToken::log( "\nGemaltoKeyHandle::generateMac <BEGIN>\n" );
+ GemaltoToken::log( "## Error ## CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED\n" );
+ GemaltoToken::log( "GemaltoKeyHandle::generateMac <END>\n" );
+
+ CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
+}
+
+
+void GemaltoKeyHandle::verifyMac(const Context &, const CssmData &, const CssmData &)
+{
+ GemaltoToken::log( "\nGemaltoKeyHandle::verifyMac <BEGIN>\n" );
+ GemaltoToken::log( "## Error ## CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED\n" );
+ GemaltoToken::log( "GemaltoKeyHandle::verifyMac <END>\n" );
+
+ CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
+}
+
+
+void GemaltoKeyHandle::encrypt(const Context &, const CssmData &, CssmData &)
+{
+ GemaltoToken::log( "\nGemaltoKeyHandle::encrypt <BEGIN>\n" );
+ GemaltoToken::log( "## Error ## CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED\n" );
+ GemaltoToken::log( "GemaltoKeyHandle::encrypt <END>\n" );
+
+ CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
+}
+
+
+void GemaltoKeyHandle::decrypt(const Context &context, const CssmData &cipher, CssmData &clear)
+{
+ GemaltoToken::log( "\nGemaltoKeyHandle::decrypt <BEGIN>\n" );
+ GemaltoToken::log( "Alg <%lu> - cipher <%s> - clear <%s>\n", context.algorithm( ), cipher.toHex( ).c_str( ), clear.toHex( ).c_str( ) );
+
+ size_t keyLength = mKey.sizeInBits() / 8;
+
+ // Get padding, but default to pkcs1 style padding
+ uint32 padding = CSSM_PADDING_PKCS1;
+ context.getInt(CSSM_ATTRIBUTE_PADDING, padding);
+ GemaltoToken::log( "Padding <%lu>\n", padding );
+
+ // Gemalto pkcs11 can handle PKCS1 padding only
+ if (padding != CSSM_PADDING_PKCS1)
+ {
+ GemaltoToken::log( "## Error ## CSSMERR_CSP_INVALID_ATTR_PADDING\n" );
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_PADDING);
+ }
+
+ // @@@ Switch to using tokend allocators
+ unsigned char *outputData = reinterpret_cast<unsigned char *>(malloc(keyLength));
+ size_t outputLength = keyLength;
+ try
+ {
+ const AccessCredentials *cred = context.get<const AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS);
+
+ // Decrypt the inputData using the token
+ mKey.computeDecrypt(mToken, CKM_RSA_PKCS, cred, cipher.Data, cipher.Length, outputData, outputLength);
+ }
+ catch (...)
+ {
+ GemaltoToken::log( "## Error ## mKey.computeDecrypt\n" );
+
+ // @@@ Switch to using tokend allocators
+ free(outputData);
+ throw;
+ }
+
+ clear.Data = outputData;
+ clear.Length = outputLength;
+
+ GemaltoToken::log( "GemaltoKeyHandle::decrypt <END>\n" );
+}
+
+
+void GemaltoKeyHandle::exportKey(const Context &, const AccessCredentials *, CssmKey &)
+{
+ GemaltoToken::log( "\nGemaltoKeyHandle::exportKey <BEGIN>\n" );
+ GemaltoToken::log( "## Error ## CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED\n" );
+ GemaltoToken::log( "GemaltoKeyHandle::exportKey <END>\n" );
+
+ CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
+}
+
+
+//
+// GemaltoKeyHandleFactory
+//
+GemaltoKeyHandleFactory::~GemaltoKeyHandleFactory()
+{
+}
+
+
+Tokend::KeyHandle* GemaltoKeyHandleFactory::keyHandle(Tokend::TokenContext *tokenContext, const Tokend::MetaRecord &metaRecord, Tokend::Record &record) const
+{
+ GemaltoToken::log( "\nGemaltoKeyHandleFactory::keyHandle <BEGIN>\n" );
+
+ GemaltoKeyRecord &key = dynamic_cast<GemaltoKeyRecord &>(record);
+ GemaltoToken &gemaltoToken = static_cast<GemaltoToken &>(*tokenContext);
+
+ GemaltoToken::log( "GemaltoKeyHandleFactory::keyHandle <END>\n" );
+
+ return new GemaltoKeyHandle(gemaltoToken, metaRecord, key);
+}
+
+
+/* arch-tag: 8B1B6D68-124C-11D9-B5E6-000A9595DEEE */
Added: trunk/Tokend/PKCS11/GemaltoKeyHandle.h
===================================================================
--- trunk/Tokend/PKCS11/GemaltoKeyHandle.h (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoKeyHandle.h 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoKeyHandle.h
+ * Gemalto.tokend
+ */
+
+#ifndef _GEMALTOKEYHANDLE_H_
+#define _GEMALTOKEYHANDLE_H_
+
+#include "KeyHandle.h"
+
+class GemaltoToken;
+class GemaltoKeyRecord;
+
+
+//
+// A KeyHandle object which implements the crypto interface to Gemalto smartcards.
+//
+class GemaltoKeyHandle: public Tokend::KeyHandle
+{
+ NOCOPY(GemaltoKeyHandle)
+public:
+ GemaltoKeyHandle(GemaltoToken &GemaltoToken,
+ const Tokend::MetaRecord &metaRecord, GemaltoKeyRecord &cpsKey);
+ ~GemaltoKeyHandle();
+
+ virtual void getKeySize(CSSM_KEY_SIZE &keySize);
+ virtual uint32 getOutputSize(const Context &context, uint32 inputSize,
+ bool encrypting);
+ virtual void generateSignature(const Context &context,
+ CSSM_ALGORITHMS signOnly, const CssmData &input, CssmData &signature);
+ virtual void verifySignature(const Context &context,
+ CSSM_ALGORITHMS signOnly, const CssmData &input,
+ const CssmData &signature);
+ virtual void generateMac(const Context &context, const CssmData &input,
+ CssmData &output);
+ virtual void verifyMac(const Context &context, const CssmData &input,
+ const CssmData &compare);
+ virtual void encrypt(const Context &context, const CssmData &clear,
+ CssmData &cipher);
+ virtual void decrypt(const Context &context, const CssmData &cipher,
+ CssmData &clear);
+
+ virtual void exportKey(const Context &context,
+ const AccessCredentials *cred, CssmKey &wrappedKey);
+
+private:
+ GemaltoToken &mToken;
+ GemaltoKeyRecord &mKey;
+};
+
+
+//
+// A factory that creates GemaltoKeyHandle objects.
+//
+class GemaltoKeyHandleFactory : public Tokend::KeyHandleFactory
+{
+ NOCOPY(GemaltoKeyHandleFactory)
+public:
+ GemaltoKeyHandleFactory() {}
+ virtual ~GemaltoKeyHandleFactory();
+
+ virtual Tokend::KeyHandle *keyHandle(Tokend::TokenContext *tokenContext,
+ const Tokend::MetaRecord &metaRecord, Tokend::Record &record) const;
+};
+
+
+#endif /* !_GEMALTOKEYHANDLE_H_ */
+
+/* arch-tag: 8B057D7A-124C-11D9-92C8-000A9595DEEE */
+
Added: trunk/Tokend/PKCS11/GemaltoRecord.cpp
===================================================================
--- trunk/Tokend/PKCS11/GemaltoRecord.cpp (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoRecord.cpp 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,682 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoRecord.cpp
+ * Gemalto.tokend
+ */
+
+#include "GemaltoRecord.h"
+
+#include "GemaltoError.h"
+#include "GemaltoToken.h"
+#include "Attribute.h"
+#include "MetaAttribute.h"
+#include "MetaRecord.h"
+#include <security_cdsa_client/aclclient.h>
+#include <Security/SecKey.h>
+#include <openssl/objects.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+//#include <openssl/ssl.h>
+
+//
+// GemaltoRecord
+//
+GemaltoRecord::GemaltoRecord(GemaltoToken &/*gemaltoToken*/, CK_OBJECT_HANDLE handle)
+ : mHandle(handle)
+{
+}
+
+
+GemaltoRecord::GemaltoRecord( )
+{
+ mHandle = 0;
+ mClass = 0;
+}
+
+
+GemaltoRecord::~GemaltoRecord( )
+{
+}
+
+
+//
+// GemaltoCertRecord
+//
+GemaltoCertRecord::GemaltoCertRecord(GemaltoToken &gemaltoToken, CK_OBJECT_HANDLE handle)
+ : GemaltoRecord(gemaltoToken, handle),
+ mSubjectName(NULL),
+ mIssuerName(NULL),
+ mKeyType((CK_ULONG) -1),
+ mKeySize(0),
+ mKeyPubVerify(FALSE),
+ mKeyPubWrap(FALSE),
+ mKeyPubEncrypt(FALSE),
+ mKeyPrvSign(FALSE),
+ mKeyPrvUnwrap( FALSE),
+ mKeyPrvDecrypt(FALSE),
+ mSelfSigned(FALSE),
+ mCA(FALSE)
+{
+ GemaltoToken::log( "\nGemaltoCertRecord::GemaltoCertRecord <BEGIN>\n" );
+
+ mClass = CKO_CERTIFICATE;
+
+ // Get the certificate value length
+ CK_ATTRIBUTE valueAttr = {CKA_VALUE, NULL_PTR, 0};
+ CKError::check(CK_D_(C_GetAttributeValue)(gemaltoToken.session(), mHandle, &valueAttr, 1));
+
+ // Get the certificate value
+ mValue.reserve(valueAttr.ulValueLen);
+ valueAttr.pValue = mValue.ptr();
+ CKError::check(CK_D_(C_GetAttributeValue)(gemaltoToken.session(), mHandle, &valueAttr, 1));
+
+ std::string szOut = "";
+ GemaltoToken::toStringHex( mValue.ptr(), mValue.size( ), szOut );
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Value - len <%lu> - value <%s>\n", mValue.size( ), szOut.c_str( ) );
+
+ // Get a X509 OpenSSL certificate instance
+ const unsigned char* p = mValue.ptr( );
+ X509* cert = d2i_X509( NULL, &p, mValue.size( ) );
+ if ( NULL == cert )
+ {
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - ## ERROR ## Cannot create OpenSSL certificate instance\n" );
+ CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
+ }
+
+ // Initialize internal registers
+ X509_check_purpose( cert, -1, 0 );
+
+ // Get the subject name
+ char attr[1024];
+ memset( attr, 0, sizeof( attr ) );
+ std::string s = "Unknown subject name";
+ /*
+ X509_NAME_oneline( X509_get_subject_name( cert ), attr, sizeof( attr ) );
+ s = attr;
+ mSubject.copy( (CK_BYTE*)s.c_str( ), s.size( ) );
+ */
+ X509_NAME* pName = X509_get_subject_name( cert );
+ if ( pName )
+ {
+ X509_NAME_get_text_by_NID( pName, NID_commonName, attr, sizeof( attr ) );
+ s = attr;
+ }
+ mSubject.copy( (CK_BYTE*)s.c_str( ), s.size( ) );
+
+ szOut = "";
+ GemaltoToken::toStringHex( mSubject.ptr( ), mSubject.size( ), szOut );
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Subject - len <%lu> - value <%s>\n", mSubject.size( ), szOut.c_str( ) );
+
+ // Get the issuer name
+ memset( attr, 0, sizeof( attr ) );
+ s = "";
+ X509_NAME_oneline( X509_get_issuer_name( cert ), attr, sizeof( attr ) );
+ s = attr;
+ mIssuer.copy( (CK_BYTE*)s.c_str( ), s.size( ) );
+
+ szOut = "";
+ GemaltoToken::toStringHex( mIssuer.ptr( ), mIssuer.size( ), szOut );
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Issuer - len <%lu> - value <%s>\n", mIssuer.size( ), szOut.c_str( ) );
+ //GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Issuer - value <%s>\n", GemaltoDataString( mIssuer ) );
+
+ // Compute if the certificate is selfsigned
+ mSelfSigned = FALSE;
+ // First check if the issuer and the subject are the same
+ if ( 0 == X509_NAME_cmp( X509_get_subject_name( cert ), X509_get_issuer_name( cert ) ) )
+ {
+ // Then, check the signature
+ // Get the certificate public key
+ //SSL_library_init( );
+
+ // Get issuer public key and verify this signature
+ EVP_PKEY* l_CertPubKey = NULL;
+ l_CertPubKey = X509_get_pubkey( cert );
+ if ( NULL != l_CertPubKey )
+ {
+ // Verify this signature
+ int l_RetVal = X509_verify( cert, l_CertPubKey );
+ EVP_PKEY_free( l_CertPubKey );
+
+ // If signature verification is ok, issuer has been found, stop
+ if ( 0 < l_RetVal )
+ {
+ mSelfSigned = TRUE;
+ }
+ }
+
+ //mSelfSigned = TRUE;
+ }
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - mSelfSigned - value <%lu>\n", mSelfSigned );
+
+ // Check that the public key type is RSA
+ if ( NID_rsaEncryption != OBJ_obj2nid(cert->cert_info->key->algor->algorithm))
+ {
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - ## Error CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED\n" );
+ CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
+ }
+
+ mKeyType = CKK_RSA;
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Public key type RSA <%lu>\n", mKeyType );
+
+ // Get the public key
+ EVP_PKEY* pKey = X509_get_pubkey( cert );
+ if ( NULL == pKey )
+ {
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - ## ERROR ## CSSM_ERRCODE_INVALID_SAMPLE_VALUE\n" );
+ CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
+ }
+
+ // Get public key size
+ mKeySize = BN_num_bits(pKey->pkey.rsa->n);
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Public key size <%lu>\n", mKeySize );
+
+ // Get the public key modulus
+ mKeyModulus.reserve( mKeySize / 8 );
+ BN_bn2bin( pKey->pkey.rsa->n, mKeyModulus.ptr( ) );
+
+ // If a keyUsage extension is present, parse it
+ if ( EXFLAG_KUSAGE == (cert->ex_flags & EXFLAG_KUSAGE) )
+ {
+ if ( KU_CRL_SIGN == (cert->ex_kusage & KU_CRL_SIGN) )
+ {
+ mKeyPrvSign = TRUE;
+ mKeyPubVerify = TRUE;
+ }
+ if ( KU_DATA_ENCIPHERMENT == (cert->ex_kusage & KU_DATA_ENCIPHERMENT) )
+ {
+ mKeyPubWrap = TRUE;
+ mKeyPubEncrypt = TRUE;
+ mKeyPrvUnwrap = TRUE;
+ mKeyPrvDecrypt = TRUE;
+ }
+ if ( KU_DIGITAL_SIGNATURE == (cert->ex_kusage & KU_DIGITAL_SIGNATURE) )
+ {
+ mKeyPrvSign = TRUE;
+ mKeyPubVerify = TRUE;
+ }
+ if ( KU_ENCIPHER_ONLY == (cert->ex_kusage & KU_ENCIPHER_ONLY) )
+ {
+ mKeyPubWrap = TRUE;
+ mKeyPubEncrypt = TRUE;
+ mKeyPrvUnwrap = TRUE;
+ mKeyPrvDecrypt = TRUE;
+ mKeyPrvSign = FALSE;
+ mKeyPubVerify = FALSE;
+ }
+ if ( KU_KEY_AGREEMENT == (cert->ex_kusage & KU_KEY_AGREEMENT) )
+ {
+ mKeyPubWrap = TRUE;
+ mKeyPubEncrypt = TRUE;
+ mKeyPrvUnwrap = TRUE;
+ mKeyPrvDecrypt = TRUE;
+ }
+ if ( KU_KEY_CERT_SIGN == (cert->ex_kusage & KU_KEY_CERT_SIGN) )
+ {
+ // Attribut de ca
+ mKeyPrvSign = TRUE;
+ mKeyPubVerify = TRUE;
+ }
+ if ( KU_KEY_ENCIPHERMENT == (cert->ex_kusage & KU_KEY_ENCIPHERMENT) )
+ {
+ mKeyPubWrap = TRUE;
+ mKeyPubEncrypt = TRUE;
+ mKeyPrvUnwrap = TRUE;
+ mKeyPrvDecrypt = TRUE;
+ }
+ if ( KU_NON_REPUDIATION == (cert->ex_kusage & KU_NON_REPUDIATION) )
+ {
+ mKeyPrvSign = TRUE;
+ mKeyPubVerify = TRUE;
+ }
+ }
+
+ // If an extendedKeyUsage extension is present parse it
+ if ( EXFLAG_XKUSAGE == (cert->ex_flags & EXFLAG_XKUSAGE) )
+ {
+ if ( ( XKU_CODE_SIGN == (cert->ex_xkusage & XKU_CODE_SIGN) )
+ || ( XKU_SSL_CLIENT == (cert->ex_xkusage & XKU_SSL_CLIENT) )
+ || ( XKU_TIMESTAMP == (cert->ex_xkusage & XKU_TIMESTAMP) )
+ || ( XKU_OCSP_SIGN == (cert->ex_xkusage & XKU_OCSP_SIGN) )
+ )
+ {
+ mKeyPrvSign = TRUE;
+ mKeyPubVerify = TRUE;
+ }
+ if ( ( XKU_SMIME == (cert->ex_xkusage & XKU_SMIME) )
+ || ( XKU_SSL_SERVER == (cert->ex_xkusage & XKU_SSL_SERVER) )
+ )
+ {
+ mKeyPrvSign = TRUE;
+ mKeyPubVerify = TRUE;
+ mKeyPubWrap = TRUE;
+ mKeyPubEncrypt = TRUE;
+ mKeyPrvUnwrap = TRUE;
+ mKeyPrvDecrypt = TRUE;
+ }
+ // Others values are not defined (EFS) or not known
+ }
+
+ BASIC_CONSTRAINTS* bs = (BASIC_CONSTRAINTS*) X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL);
+ mCA = (bs && bs->ca);
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - CA <%lu>\n", mCA );
+
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Key usage mKeyPrvSign <%lu>\n", mKeyPrvSign );
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Key usage mKeyPubVerify <%lu>\n", mKeyPubVerify );
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Key usage mKeyPubWrap <%lu>\n", mKeyPubWrap );
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Key usage mKeyPubEncrypt <%lu>\n", mKeyPubEncrypt );
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Key usage mKeyPrvUnwrap <%lu>\n", mKeyPrvUnwrap );
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord - Key usage mKeyPrvDecrypt <%lu>\n", mKeyPrvDecrypt );
+
+ GemaltoToken::log( "GemaltoCertRecord::GemaltoCertRecord <END>\n" );
+}
+
+
+/* GemaltoCertRecord Default constructor
+*/
+GemaltoCertRecord::GemaltoCertRecord( )
+ : GemaltoRecord(),
+ mSubjectName(NULL),
+ mIssuerName(NULL),
+ mKeyType((CK_ULONG) -1),
+ mKeySize(0),
+ mKeyPubVerify(FALSE),
+ mKeyPubWrap(FALSE),
+ mKeyPubEncrypt(FALSE),
+ mKeyPrvSign(FALSE),
+ mKeyPrvUnwrap( FALSE),
+ mKeyPrvDecrypt(FALSE),
+ mSelfSigned(FALSE),
+ mCA(FALSE)
+{
+ mClass = CKO_CERTIFICATE;
+}
+
+
+GemaltoCertRecord::~GemaltoCertRecord()
+{
+ if( NULL != mSubjectName )
+ {
+ X509_NAME_free( mSubjectName );
+ mSubjectName = NULL;
+ }
+
+ if( NULL != mIssuerName )
+ {
+ X509_NAME_free( mIssuerName );
+ mIssuerName = NULL;
+ }
+}
+
+
+Tokend::Attribute *GemaltoCertRecord::getDataAttribute( Tokend::TokenContext */*tokenContext*/ )
+{
+ GemaltoToken::log( "\nGemaltoCertRecord::getDataAttribute <BEGIN>\n" );
+
+ std::string s = "";
+ GemaltoToken::toStringHex( mValue.ptr( ), mValue.size( ), s );
+ GemaltoToken::log( "GemaltoCertRecord::getDataAttribute - size <%lu> - value <%s>\n", mValue.size( ), s.c_str( ) );
+
+ GemaltoToken::log( "GemaltoCertRecord::getDataAttribute <END>\n" );
+
+ return new Tokend::Attribute( mValue.ptr( ), mValue.size( ) );
+}
+
+
+//
+// GemaltoKeyRecord
+//
+GemaltoKeyRecord::GemaltoKeyRecord(const GemaltoCertRecord &cert)
+ : GemaltoRecord(),
+ mKeyType((CK_ULONG) -1),
+ mKeySize(0),
+ mKeyPubVerify(FALSE),
+ mKeyPubWrap(FALSE),
+ mKeyPubEncrypt(FALSE)
+{
+ GemaltoToken::log( "\nGemaltoKeyRecord::GemaltoKeyRecord <BEGIN>\n" );
+
+ mHandle = cert.getHandle();
+
+ mClass = CKO_PUBLIC_KEY;
+
+ mKeyType = cert.getType();
+ mKeySize = cert.sizeInBits();
+
+ mKeyPubVerify = cert.verify( );
+ mKeyPubWrap = cert.wrap( );
+ mKeyPubEncrypt = cert.encrypt( );
+
+ mLabel = cert.getSubject( );
+
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord - Handle <%ld>\n", mHandle );
+
+ std::string str = "";
+ GemaltoToken::toStringHex( mLabel.ptr( ), mLabel.size( ), str );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Class <%lu>\n", mClass );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key type <%lu>\n", mKeyType );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key size <%lu>\n", mKeySize );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key mKeyPubVerify <%lu>\n", mKeyPubVerify );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key mKeyPubWrap <%lu>\n", mKeyPubWrap );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key mKeyPubEncrypt <%lu>\n", mKeyPubEncrypt );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key label <%s>\n", str.c_str( ) );
+
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord <END>\n" );
+}
+
+
+GemaltoKeyRecord::GemaltoKeyRecord()
+ : GemaltoRecord(),
+ mKeyType((CK_ULONG) -1),
+ mKeySize(0),
+ mKeyPubVerify(FALSE),
+ mKeyPubWrap(FALSE),
+ mKeyPubEncrypt(FALSE)
+{
+ mClass = CKO_PUBLIC_KEY;
+}
+
+
+GemaltoKeyRecord::~GemaltoKeyRecord()
+{
+}
+
+
+void GemaltoKeyRecord::computeSign(GemaltoToken &/*gemaltoToken*/, CK_ULONG /*mech*/, const AccessCredentials */*cred*/, unsigned char */*data*/, size_t /*dataLength*/, unsigned char */*output*/, size_t &/*outputLength*/)
+{
+ GemaltoToken::log( "\nGemaltoKeyRecord::computeSign <BEGIN>\n" );
+ std::string str = "";
+ GemaltoToken::toStringHex( mLabel.ptr( ), mLabel.size( ), str );
+ GemaltoToken::log( "GemaltoKeyRecord::computeSign() - Label <%s>\n", str.c_str( ) );
+ GemaltoToken::log( "trow CSSMERR_CSP_KEY_USAGE_INCORRECT\n" );
+ GemaltoToken::log( "GemaltoKeyRecord::computeSign <END>\n" );
+
+ CssmError::throwMe(CSSMERR_CSP_KEY_USAGE_INCORRECT);
+}
+
+
+void GemaltoKeyRecord::computeDecrypt(GemaltoToken &/*gemaltoToken*/, CK_ULONG /*mech*/, const AccessCredentials */*cred*/, unsigned char */*data*/, size_t /*dataLength*/, unsigned char */*output*/, size_t &/*outputLength*/)
+{
+ GemaltoToken::log( "\nGemaltoKeyRecord::computeDecrypt <BEGIN>\n" );
+ std::string str = "";
+ GemaltoToken::toStringHex( mLabel.ptr( ), mLabel.size( ), str );
+ GemaltoToken::log( "GemaltoKeyRecord::computeDecrypt - Label <%s>\n", str.c_str( ) );
+ GemaltoToken::log( "trow CSSMERR_CSP_KEY_USAGE_INCORRECT\n" );
+ GemaltoToken::log( "GemaltoKeyRecord::computeDecrypt <END>\n" );
+
+ CssmError::throwMe(CSSMERR_CSP_KEY_USAGE_INCORRECT);
+}
+
+
+//
+// GemaltoPrivateKeyRecord
+//
+
+
+GemaltoPrivateKeyRecord::GemaltoPrivateKeyRecord(const GemaltoCertRecord &cert)
+ : GemaltoKeyRecord( cert )
+{
+ GemaltoToken::log( "\nGemaltoPrivateKeyRecord::GemaltoPrivateKeyRecord <BEGIN>\n" );
+
+ secdebug("Gemalto.tokend", "GemaltoPrivateKeyRecord::GemaltoPrivateKeyRecord(cert)");
+
+ mHandle = cert.getHandle();
+
+ mClass = CKO_PRIVATE_KEY;
+
+ mKeyType = cert.getType();
+ mKeySize = cert.sizeInBits();
+
+ mKeyModulus = cert.getKeyPubModulus( );
+
+ mKeyPrvSign = cert.verify( );
+ mKeyPrvUnwrap = cert.wrap( );
+ mKeyPrvDecrypt = cert.encrypt( );
+
+ mLabel = cert.getSubject( );
+
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::GemaltoPrivateKeyRecord - Handle <%ld>\n", mHandle );
+ std::string str = "";
+ GemaltoToken::toStringHex( mLabel.ptr( ), mLabel.size( ), str );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::GemaltoPrivateKeyRecord() - Class <%lu>\n", mClass );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::GemaltoPrivateKeyRecord() - Key type <%lu>\n", mKeyType );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::GemaltoPrivateKeyRecord() - Key size <%lu>\n", mKeySize );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key mKeyPubVerify <%lu>\n", mKeyPubVerify );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key mKeyPubWrap <%lu>\n", mKeyPubWrap );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key mKeyPubEncrypt <%lu>\n", mKeyPubEncrypt );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key mKeyPrvSign <%lu>\n", mKeyPrvSign );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key mKeyPrvUnwrap <%lu>\n", mKeyPrvUnwrap );
+ GemaltoToken::log( "GemaltoKeyRecord::GemaltoKeyRecord() - Key mKeyPrvDecrypt <%lu>\n", mKeyPrvDecrypt );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::GemaltoPrivateKeyRecord() - Key label <%s>\n", str.c_str( ) );
+
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::GemaltoPrivateKeyRecord <END>\n" );
+}
+
+
+GemaltoPrivateKeyRecord::~GemaltoPrivateKeyRecord()
+{
+}
+
+
+void GemaltoPrivateKeyRecord::computeSign(GemaltoToken &gemaltoToken, CK_ULONG mech, const AccessCredentials *cred, unsigned char *data, size_t dataLength, unsigned char *output, size_t &outputLength)
+{
+ GemaltoToken::log( "\nGemaltoPrivateKeyRecord::computeSign <BEGIN>\n" );
+ std::string str = "";
+ GemaltoToken::toStringHex( getLabel( ).ptr( ), getLabel().size( ), str );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeSign - Label <%s>\n", str.c_str( ) );
+ str = "";
+ GemaltoToken::toStringHex( getModulus( ).ptr( ), getModulus().size( ), str );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeSign - Modulus <%s>\n", str.c_str( ) );
+
+ if (dataLength > (mKeySize / 8))
+ {
+ GemaltoToken::log( "## Error ## Bad data length <%lu>\n", dataLength );
+ CssmError::throwMe(CSSMERR_CSP_BLOCK_SIZE_MISMATCH);
+ }
+
+ if (cred && !gemaltoToken.pinStatus(1))
+ {
+ bool found = false;
+ uint32 size = cred->size();
+ for (uint32 ix = 0; ix < size; ++ix)
+ {
+ const TypedList &sample = (*cred)[ix];
+ if (sample.type() == CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD && sample.length() == 2)
+ {
+ CssmData &pin = sample[1].data();
+ if (pin.Length >= gemaltoToken.info()->ulMinPinLen)
+ {
+ gemaltoToken.verifyPIN(1, pin.Data, pin.Length);
+ found = true;
+ break;
+ }
+ }
+ }
+
+ if (!found)
+ {
+ GemaltoToken::log( "## Error ## Credentials not found\n" );
+ CssmError::throwMe(CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED);
+ }
+ }
+
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeSign - Required Class <%lu>\n", mClass );
+ std::string s = "";
+ GemaltoToken::toStringHex( mKeyModulus.ptr( ), mKeyModulus.size( ), s );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeSign - Required Modulus <%s>\n", s.c_str( ) );
+
+ CK_ATTRIBUTE attrs[] =
+ {
+ {CKA_CLASS, &mClass, sizeof(mClass)},
+ //{CKA_ID, mId.ptr(), mId.size()}};
+ { CKA_MODULUS, mKeyModulus.ptr( ), mKeyModulus.size( ) }
+ };
+ CKError::check(CK_D_(C_FindObjectsInit)(gemaltoToken.session(), attrs, 2));
+
+ CK_OBJECT_HANDLE hObject = NULL_PTR;
+ try
+ {
+ CK_ULONG ulObjectCount;
+ CKError::check(CK_D_(C_FindObjects)(gemaltoToken.session(), &hObject, 1, &ulObjectCount));
+ if (ulObjectCount == 0)
+ {
+ GemaltoToken::log( "## Error ## Private key not found\n" );
+ CssmError::throwMe(CSSMERR_CSP_PRIVATE_KEY_NOT_FOUND);
+ }
+ CK_D_(C_FindObjectsFinal)(gemaltoToken.session());
+ }
+ catch (...)
+ {
+ CK_D_(C_FindObjectsFinal)(gemaltoToken.session());
+ throw;
+ }
+
+ CK_MECHANISM mechanism = { mech, NULL_PTR, 0 };
+ CKError::check(CK_D_(C_SignInit)(gemaltoToken.session(), &mechanism, hObject));
+
+ CK_ULONG dummy = outputLength;
+ CKError::check(CK_D_(C_Sign)(gemaltoToken.session(), (unsigned char*) data, dataLength, output, &dummy));
+ outputLength = dummy;
+
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeSign <END>\n" );
+}
+
+
+void GemaltoPrivateKeyRecord::computeDecrypt(GemaltoToken &gemaltoToken, CK_ULONG mech, const AccessCredentials *cred, unsigned char *data, size_t dataLength, unsigned char *output, size_t &outputLength)
+{
+ GemaltoToken::log( "\nGemaltoPrivateKeyRecord::computeDecrypt <BEGIN>\n" );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeDecrypt - mechanism <%lu>\n", mech );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeDecrypt - cred <%p>\n", cred );
+ char strData[6000];
+ memset( strData, '\0', sizeof( strData ) );
+ char* str = strData;
+ for (size_t i=0; i<dataLength; i++)
+ {
+ str += sprintf( str, "%02x ", data[i]);
+ }
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeDecrypt - dataLength <%lu> - data <%s>\n", dataLength, strData );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeDecrypt - output <%p>\n", output );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeDecrypt - outputLength <%lu>\n", outputLength );
+
+ if (dataLength > (mKeySize / 8))
+ {
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeDecrypt - ## Error bad data length <%lu> !\n", dataLength);
+ CssmError::throwMe(CSSMERR_CSP_BLOCK_SIZE_MISMATCH);
+ }
+
+ if (cred && !gemaltoToken.pinStatus(1))
+ {
+ bool found = false;
+ uint32 size = cred->size();
+ for (uint32 ix = 0; ix < size; ++ix)
+ {
+ const TypedList &sample = (*cred)[ix];
+ if (sample.type() == CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD && sample.length() == 2)
+ {
+ CssmData &pin = sample[1].data();
+ if (pin.Length >= gemaltoToken.info()->ulMinPinLen)
+ {
+ gemaltoToken.verifyPIN(1, pin.Data, pin.Length);
+ found = true;
+ break;
+ }
+ }
+ }
+
+ if (!found)
+ {
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeDecrypt - ## Error cred not found!");
+ CssmError::throwMe(CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED);
+ }
+ }
+
+/* CK_ATTRIBUTE attrs[] = {
+ {CKA_CLASS, &mClass, sizeof(mClass)},
+ {CKA_ID, mId.ptr(), mId.size()}};
+*/
+ CK_ATTRIBUTE attrs[] =
+ {
+ {CKA_CLASS, &mClass, sizeof(mClass)},
+ //{CKA_ID, mId.ptr(), mId.size()}};
+ { CKA_MODULUS, mKeyModulus.ptr( ), mKeyModulus.size( ) }
+ };
+ CKError::check(CK_D_(C_FindObjectsInit)(gemaltoToken.session(), attrs, 2));
+
+ CK_OBJECT_HANDLE hObject = NULL_PTR;
+ try
+ {
+ CK_ULONG ulObjectCount;
+ CKError::check(CK_D_(C_FindObjects)(gemaltoToken.session(), &hObject, 1, &ulObjectCount));
+ if (ulObjectCount == 0)
+ CssmError::throwMe(CSSMERR_CSP_PRIVATE_KEY_NOT_FOUND);
+ CK_D_(C_FindObjectsFinal)(gemaltoToken.session());
+ }
+ catch (...)
+ {
+ CK_D_(C_FindObjectsFinal)(gemaltoToken.session());
+ throw;
+ }
+
+ CK_MECHANISM mechanism = { mech, NULL_PTR, 0 };
+ CKError::check(CK_D_(C_DecryptInit)(gemaltoToken.session(), &mechanism, hObject));
+
+ CK_ULONG dummy = outputLength;
+ CKError::check(CK_D_(C_Decrypt)(gemaltoToken.session(), (unsigned char*) data, dataLength, output, &dummy));
+ outputLength = dummy;
+
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::computeDecrypt <END>\n" );
+}
+
+
+void GemaltoPrivateKeyRecord::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
+{
+ GemaltoToken::log( "\nGemaltoPrivateKeyRecord::getAcl <BEGIN>\n" );
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::getAcl - tag <%s>\n", tag );
+
+ // @@@ Key 1 has any acl for sign, key 2 has pin1 acl, and key3 has pin1
+ // acl with auto-lock which we express as a prompted password subject.
+ if (!mAclEntries) {
+ mAclEntries.allocator(Allocator::standard());
+ // Anyone can read the DB record for this key (which is a reference
+ // CSSM_KEY)
+ mAclEntries.add(CssmClient::AclFactory::AnySubject(
+ mAclEntries.allocator()),
+ AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
+
+ mAclEntries.add(CssmClient::AclFactory::PinSubject(
+ mAclEntries.allocator(), 1),
+ AclAuthorizationSet(
+ CSSM_ACL_AUTHORIZATION_DECRYPT,
+ CSSM_ACL_AUTHORIZATION_SIGN,
+ 0));
+ }
+ count = mAclEntries.size();
+ acls = mAclEntries.entries();
+
+ GemaltoToken::log( "GemaltoPrivateKeyRecord::getAcl <END>\n" );
+}
+
+
+/* arch-tag: 8AE701D5-124C-11D9-AE74-000A9595DEEE */
Added: trunk/Tokend/PKCS11/GemaltoRecord.h
===================================================================
--- trunk/Tokend/PKCS11/GemaltoRecord.h (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoRecord.h 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,260 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoRecord.h
+ * Gemalto.tokend
+ */
+
+#ifndef _GEMALTORECORD_H_
+#define _GEMALTORECORD_H_
+
+#include "Record.h"
+#include "cryptoki.h"
+
+#include <security_cdsa_utilities/cssmcred.h>
+#include <openssl/x509.h>
+
+class GemaltoToken;
+
+class GemaltoData
+{
+public:
+ GemaltoData() : _ptr(NULL), _size(0) {}
+ GemaltoData(const GemaltoData& b) : _ptr(NULL) { copy(b.ptr(), b.size()); }
+ GemaltoData(CK_BYTE_PTR ptr, CK_ULONG size) : _ptr(NULL) { copy(ptr, size); }
+ ~GemaltoData()
+ {
+ if( NULL != _ptr )
+ {
+ delete[] _ptr;
+ }
+ }
+
+ inline CK_BYTE_PTR ptr() const { return _ptr; }
+ inline CK_ULONG size() const { return _size; }
+
+ void copy(CK_BYTE_PTR ptr, CK_ULONG size)
+ {
+ if( NULL != _ptr )
+ {
+ delete[] _ptr;
+ }
+ _ptr = NULL;
+
+ if (size != 0)
+ {
+ _ptr = new CK_BYTE[size];
+ std::memcpy(_ptr, ptr, size);
+ }
+ _size = size;
+ }
+
+ void reserve(CK_ULONG n)
+ {
+ if( NULL != _ptr )
+ {
+ delete[] _ptr;
+ }
+ _ptr = NULL;
+
+ if (n != 0)
+ _ptr = new CK_BYTE[n];
+ _size = n;
+ }
+
+ inline GemaltoData& operator=(const GemaltoData& b)
+ {
+ copy(b.ptr(), b.size());
+ return *this;
+ }
+
+ inline CK_BYTE operator[](CK_ULONG n)
+ {
+ return *(_ptr + n);
+ }
+
+private:
+ CK_BYTE_PTR _ptr;
+ CK_ULONG _size;
+};
+
+inline bool operator==(const GemaltoData& a, const GemaltoData& b)
+{
+ return (a.size() == b.size() && (a.size() == 0 || std::memcmp(a.ptr(), b.ptr(), a.size()) == 0));
+}
+
+inline bool operator<(const GemaltoData& a, const GemaltoData& b)
+{
+ return (a.size() < b.size() || (b.size() != 0 && std::memcmp(a.ptr(), b.ptr(), b.size()) < 0));
+}
+
+
+class GemaltoRecord : public Tokend::Record
+{
+ NOCOPY(GemaltoRecord)
+public:
+ GemaltoRecord(GemaltoToken &gemaltoToken, CK_OBJECT_HANDLE handle);
+ virtual ~GemaltoRecord();
+
+ CK_OBJECT_HANDLE getHandle() const { return mHandle; }
+ CK_OBJECT_CLASS getClass() const { return mClass; }
+
+protected:
+ GemaltoRecord();
+
+ CK_OBJECT_HANDLE mHandle;
+ CK_OBJECT_CLASS mClass;
+};
+
+
+class GemaltoCertRecord : public GemaltoRecord
+{
+ NOCOPY(GemaltoCertRecord)
+public:
+ GemaltoCertRecord(GemaltoToken &gemaltoToken, CK_OBJECT_HANDLE handle);
+ virtual ~GemaltoCertRecord();
+
+ const GemaltoData& getSubject() const { return mSubject; }
+ const GemaltoData& getIssuer() const { return mIssuer; }
+ const X509_NAME* getSubjectName() const { return mSubjectName; }
+ const X509_NAME* getIssuerName() const { return mIssuerName; }
+
+ CK_KEY_TYPE getType() const { return mKeyType; }
+ uint32 sizeInBits() const { return mKeySize; }
+
+ const GemaltoData& getKeyPubModulus( ) const { return mKeyModulus; }
+
+ CK_BBOOL verify() const { return mKeyPubVerify; }
+ CK_BBOOL verifyRecover() const { return ( mKeyPubVerify | mKeyPrvSign); }
+ CK_BBOOL encrypt() const { return ( mKeyPubWrap | mKeyPubEncrypt); }
+ CK_BBOOL derive() const { return FALSE; }
+ CK_BBOOL wrap() const { return ( mKeyPubWrap | mKeyPubEncrypt); }
+
+ CK_BBOOL isSelfSigned() const { return mSelfSigned; }
+ CK_BBOOL isCA() const { return mCA; }
+
+ Tokend::Attribute *getDataAttribute(Tokend::TokenContext *tokenContext);
+
+protected:
+ GemaltoCertRecord();
+
+ GemaltoData mValue;
+ GemaltoData mSubject;
+ GemaltoData mIssuer;
+ X509_NAME* mSubjectName;
+ X509_NAME* mIssuerName;
+
+ GemaltoData mKeyModulus;
+ CK_KEY_TYPE mKeyType;
+ uint32 mKeySize;
+
+ CK_BBOOL mKeyPubVerify;
+ CK_BBOOL mKeyPubWrap;
+ CK_BBOOL mKeyPubEncrypt;
+ CK_BBOOL mKeyPrvSign;
+ CK_BBOOL mKeyPrvUnwrap;
+ CK_BBOOL mKeyPrvDecrypt;
+
+ CK_BBOOL mSelfSigned;
+ CK_BBOOL mCA;
+};
+
+
+class GemaltoKeyRecord : public GemaltoRecord
+{
+ NOCOPY(GemaltoKeyRecord)
+public:
+
+ GemaltoKeyRecord(const GemaltoCertRecord &certKey);
+
+ virtual ~GemaltoKeyRecord();
+
+ const GemaltoData& getLabel() const { return mLabel; }
+
+ CK_KEY_TYPE getType() const { return mKeyType; }
+ CK_ULONG sizeInBits() const { return mKeySize; }
+
+ virtual CK_BBOOL verify() const { return mKeyPubVerify; }
+ virtual CK_BBOOL verifyRecover() const { return mKeyPubVerify; }
+ virtual CK_BBOOL encrypt() const { return ( mKeyPubWrap | mKeyPubEncrypt); }
+ virtual CK_BBOOL derive() const { return FALSE; }
+ virtual CK_BBOOL wrap() const { return mKeyPubWrap; }
+
+ virtual const GemaltoData& getModulus( ) const { return mKeyModulus; }
+
+ virtual void computeSign(GemaltoToken &gemaltoToken, CK_ULONG mech, const AccessCredentials *cred, unsigned char *data, size_t dataLength, unsigned char *result, size_t &resultLength);
+
+ virtual void computeDecrypt(GemaltoToken &gemaltoToken, CK_ULONG mech, const AccessCredentials *cred, unsigned char *data, size_t dataLength, unsigned char *result, size_t &resultLength);
+
+protected:
+ GemaltoKeyRecord( );
+
+ GemaltoData mLabel;
+
+ CK_KEY_TYPE mKeyType;
+ CK_ULONG mKeySize;
+ GemaltoData mKeyModulus;
+
+ CK_BBOOL mKeyPubVerify;
+ CK_BBOOL mKeyPubWrap;
+ CK_BBOOL mKeyPubEncrypt;
+
+};
+
+
+class GemaltoPrivateKeyRecord : public GemaltoKeyRecord
+{
+ NOCOPY(GemaltoPrivateKeyRecord)
+
+public:
+ GemaltoPrivateKeyRecord(const GemaltoCertRecord &certKey);
+ virtual ~GemaltoPrivateKeyRecord();
+
+ void computeSign(GemaltoToken &gemaltoToken, CK_ULONG mech, const AccessCredentials *cred, unsigned char *data, size_t dataLength, unsigned char *result, size_t &resultLength);
+
+ void computeDecrypt(GemaltoToken &gemaltoToken, CK_ULONG mech, const AccessCredentials *cred, unsigned char *data, size_t dataLength, unsigned char *result, size_t &resultLength);
+
+ void getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls);
+
+ CK_BBOOL verify() const { return mKeyPubVerify; }
+ CK_BBOOL verifyRecover() const { return ( mKeyPubVerify | mKeyPrvSign); }
+ CK_BBOOL encrypt() const { return ( mKeyPubWrap | mKeyPubEncrypt); }
+ CK_BBOOL derive() const { return FALSE; }
+ CK_BBOOL wrap() const { return ( mKeyPubWrap | mKeyPubEncrypt); }
+
+protected:
+ CK_BBOOL mKeyPrvSign;
+ CK_BBOOL mKeyPrvUnwrap;
+ CK_BBOOL mKeyPrvDecrypt;
+
+private:
+ AutoAclEntryInfoList mAclEntries;
+
+};
+
+
+#endif /* !_GEMALTORECORD_H_ */
+
+/* arch-tag: 8ACEDD1C-124C-11D9-90F9-000A9595DEEE */
+
Added: trunk/Tokend/PKCS11/GemaltoSchema.cpp
===================================================================
--- trunk/Tokend/PKCS11/GemaltoSchema.cpp (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoSchema.cpp 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoSchema.cpp
+ * Gemalto.tokend
+ */
+
+#include "GemaltoSchema.h"
+#include "GemaltoToken.h"
+#include "MetaAttribute.h"
+#include "MetaRecord.h"
+
+#include <Security/SecCertificate.h>
+#include <Security/SecKeychainItem.h>
+#include <Security/SecKey.h>
+
+using namespace Tokend;
+
+GemaltoSchema::~GemaltoSchema()
+{
+}
+
+Tokend::Relation* GemaltoSchema::createKeyRelation(CSSM_DB_RECORDTYPE keyType)
+{
+ GemaltoToken::log( "\nGemaltoSchema::createKeyRelation <BEGIN>\n" );
+ GemaltoToken::log( "CSSM_DB_RECORDTYPE <%ld>\n", keyType );
+
+ Relation *rn = createStandardRelation(keyType);
+
+ // Set up coders for key records.
+ MetaRecord &mr = rn->metaRecord();
+ mr.keyHandleFactory(&mGemaltoKeyHandleFactory);
+
+ // Print name of a key might as well be the key name.
+ mr.attributeCoder(kSecKeyPrintName, &mKeyNameCoder);
+
+ // Other key valuess
+ mr.attributeCoder(kSecKeyKeyType, &mKeyAlgorithmCoder);
+ mr.attributeCoder(kSecKeyKeySizeInBits, &mKeySizeCoder);
+ // @@@ Should be different for 3DES keys.
+ mr.attributeCoder(kSecKeyEffectiveKeySize, &mKeySizeCoder);
+
+ // Key attributes
+ mr.attributeCoder(kSecKeyExtractable, &mFalseCoder);
+ mr.attributeCoder(kSecKeySensitive, &mKeySensitiveCoder);
+ mr.attributeCoder(kSecKeyModifiable, &mFalseCoder);
+ mr.attributeCoder(kSecKeyPrivate, &mKeyPrivateCoder);
+ mr.attributeCoder(kSecKeyNeverExtractable, &mTrueCoder);
+ mr.attributeCoder(kSecKeyAlwaysSensitive, &mKeyAlwaysSensitiveCoder);
+
+ // Key usage
+ mr.attributeCoder(kSecKeyEncrypt, &mEncryptCoder);
+ mr.attributeCoder(kSecKeyDecrypt, &mDecryptCoder);
+ mr.attributeCoder(kSecKeyWrap, &mWrapCoder);
+ mr.attributeCoder(kSecKeyUnwrap, &mUnwrapCoder);
+ mr.attributeCoder(kSecKeySign, &mSignCoder);
+ mr.attributeCoder(kSecKeyVerify, &mVerifyCoder);
+ mr.attributeCoder(kSecKeySignRecover, &mSignRecoverCoder);
+ mr.attributeCoder(kSecKeyVerifyRecover, &mVerifyRecoverCoder);
+ mr.attributeCoder(kSecKeyDerive, &mDeriveCoder);
+
+ GemaltoToken::log( "\nGemaltoSchema::createKeyRelation <END>\n" );
+
+ return rn;
+}
+
+
+void GemaltoSchema::create()
+{
+ GemaltoToken::log( "\nGemaltoSchema::create <BEGIN>\n" );
+
+ Schema::create();
+
+ createStandardRelation(CSSM_DL_DB_RECORD_X509_CERTIFICATE);
+ createKeyRelation(CSSM_DL_DB_RECORD_PRIVATE_KEY);
+ Relation *rn_publ = createKeyRelation(CSSM_DL_DB_RECORD_PUBLIC_KEY);
+
+ // @@@ We need a coder that calculates the public key hash of a public key
+ rn_publ->metaRecord().attributeCoder(kSecKeyLabel, &mZeroCoder);
+ //rn_publ->metaRecord().attributeCoder(kSecKeyLabel, &mKeyNameCoder);
+
+ GemaltoToken::log( "\nGemaltoSchema::create <END>\n" );
+}
+
+/* arch-tag: 8AB453F1-124C-11D9-B0F8-000A9595DEEE */
Added: trunk/Tokend/PKCS11/GemaltoSchema.h
===================================================================
--- trunk/Tokend/PKCS11/GemaltoSchema.h (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoSchema.h 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoSchema.h
+ * Gemalto.tokend
+ */
+
+#ifndef _GEMALTOSCHEMA_H_
+#define _GEMALTOSCHEMA_H_
+
+#include "Schema.h"
+#include "GemaltoAttributeCoder.h"
+#include "GemaltoKeyHandle.h"
+
+namespace Tokend
+{
+ class Relation;
+ class MetaRecord;
+ class AttributeCoder;
+}
+
+class GemaltoSchema : public Tokend::Schema
+{
+ NOCOPY(GemaltoSchema)
+public:
+ GemaltoSchema() {}
+ virtual ~GemaltoSchema();
+
+ virtual void create();
+
+protected:
+ Tokend::Relation* createKeyRelation(CSSM_DB_RECORDTYPE keyType);
+
+private:
+ // Coders we need.
+ KeyNameAttributeCoder mKeyNameCoder;
+
+ KeyAlgorithmAttributeCoder mKeyAlgorithmCoder;
+ KeySizeAttributeCoder mKeySizeCoder;
+
+ // Coders for attributes of keys
+ KeySensitiveAttributeCoder mKeySensitiveCoder;
+ KeyPrivateAttributeCoder mKeyPrivateCoder;
+ KeyAlwaysSensitiveAttributeCoder mKeyAlwaysSensitiveCoder;
+
+ // Coders for Directions (or usage bits) of keys
+ KeyEncryptAttributeCoder mEncryptCoder;
+ KeyDecryptAttributeCoder mDecryptCoder;
+ KeySignAttributeCoder mSignCoder;
+ KeyVerifyAttributeCoder mVerifyCoder;
+ KeySignRecoverAttributeCoder mSignRecoverCoder;
+ KeyVerifyRecoverAttributeCoder mVerifyRecoverCoder;
+ KeyWrapAttributeCoder mWrapCoder;
+ KeyUnwrapAttributeCoder mUnwrapCoder;
+ KeyDeriveAttributeCoder mDeriveCoder;
+
+ GemaltoKeyHandleFactory mGemaltoKeyHandleFactory;
+};
+
+#endif /* !_GEMALTOSCHEMA_H_ */
+
+/* arch-tag: 8A998081-124C-11D9-B324-000A9595DEEE */
Added: trunk/Tokend/PKCS11/GemaltoToken.cpp
===================================================================
--- trunk/Tokend/PKCS11/GemaltoToken.cpp (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoToken.cpp 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,738 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoToken.cpp
+ * Gemalto.tokend
+ */
+
+#include "GemaltoToken.h"
+
+#include "Adornment.h"
+#include "AttributeCoder.h"
+#include "SCardError.h"
+#include "GemaltoError.h"
+#include "GemaltoRecord.h"
+#include "GemaltoSchema.h"
+#include <stdlib.h>
+#include <dlfcn.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+#include <security_cdsa_client/aclclient.h>
+#include <map>
+#include <vector>
+#include <stdarg.h>
+#include <sstream>
+#include <iostream>
+#include <iomanip>
+
+extern "C" const char *cssmErrorString(OSStatus status);
+
+using CssmClient::AclFactory;
+
+CK_FUNCTION_LIST_PTR GemaltoToken::s_CK_pFunctionList = NULL;
+
+#define gemaltoToken (*this)
+
+#define GEMALTO_MAX_SLOT_COUNT 16
+
+
+
+GemaltoToken::GemaltoToken() :
+ mPinStatus(0),
+ mCKSession(CK_INVALID_HANDLE),
+ mDLHandle(NULL)
+{
+ log( "\nGemaltoToken::GemaltoToken <BEGIN>\n" );
+
+ mTokenContext = this;
+
+ // Initialize libcrypto
+ ::ERR_load_crypto_strings();
+ ::X509V3_add_standard_extensions();
+
+ // Load Classic ATR
+ FILE* f = fopen("/etc/ClassicClient/atr.cnf", "r");
+ if (f != NULL)
+ {
+ int state=0;
+ char card[1024];
+ char atr[1024];
+ char mask[1024];
+ do {
+ char line[1024];
+ if (fgets(line, sizeof(line), f) == NULL) {
+ fclose(f);
+ break;
+ }
+ if ((state & 0x1) == 0 && strncasecmp(line, "card:", 5) == 0) {
+ char* p = trim_line(line+5);
+ strcpy(card, p);
+ state |= 0x1;
+ } else if ((state & 0x2) == 0 && strncasecmp(line, "atr:", 4) == 0) {
+ char* p = trim_line(line+4);
+ strcpy(atr, p);
+ state |= 0x2;
+ } else if ((state & 0x4) == 0 && strncasecmp(line, "atrmask:", 8) == 0) {
+ char* p = trim_line(line+8);
+ strcpy(mask, p);
+ state |= 0x4;
+ } else {
+ char* p = trim_line(line);
+ if (strlen(p) == 0)
+ state = 0;
+ }
+ if (state == 0x7)
+ {
+ state = 0;
+
+ size_t cardLength = strlen(card)+1;
+ size_t atrLength = (strlen(atr)+1) / 2;
+ size_t maskLength = (strlen(mask)+1) / 2;
+ if (atrLength == maskLength) {
+ size_t cardAtrLength = sizeof(CardAtr) + cardLength + 2 * atrLength;
+ CardAtr* cardAtr = (CardAtr*) std::malloc(cardAtrLength);
+ if (cardAtr)
+ {
+ cardAtr->name = (char*)cardAtr + sizeof(CardAtr);
+ strcpy(cardAtr->name, card);
+ cardAtr->length = atrLength;
+ cardAtr->atr = (unsigned char*)cardAtr + sizeof(CardAtr) + cardLength;
+ convert_hex(cardAtr->atr, atr);
+ cardAtr->mask = (unsigned char*)cardAtr + sizeof(CardAtr) + cardLength + atrLength;
+ convert_hex(cardAtr->mask, mask);
+
+ atrs.push_back(cardAtr);
+ }
+ }
+ }
+ } while (1);
+ }//(f != NULL)
+
+ log( "GemaltoToken::GemaltoToken <END>\n" );
+}
+
+
+GemaltoToken::~GemaltoToken()
+{
+ log( "\nGemaltoToken::~GemaltoToken <BEGIN>\n" );
+
+ if( NULL != mSchema )
+ {
+ delete mSchema;
+ }
+
+ try
+ {
+ if (s_CK_pFunctionList)
+ {
+ CK_D_(C_Logout)(mCKSession);
+ log( "GemaltoToken::~GemaltoToken <LogOut>\n" );
+
+ if (mCKSession != CK_INVALID_HANDLE)
+ {
+ CK_D_(C_CloseSession)(mCKSession);
+ mCKSession = CK_INVALID_HANDLE;
+ }
+ log( "GemaltoToken::~GemaltoToken <CloseSession>\n" );
+
+ CK_D_(C_Finalize)(NULL_PTR);
+
+ //(*(GemaltoToken::s_CK_pFunctionList->C_Finalize))(NULL_PTR);
+ log( "GemaltoToken::~GemaltoToken <Finalize>\n" );
+
+ s_CK_pFunctionList = NULL;
+ }
+ }
+ catch( ... )
+ {
+ log( "## Error ## Crash \n" );
+ }
+
+ if( NULL != mDLHandle )
+ {
+ dlclose( mDLHandle );
+ }
+
+ log( "GemaltoToken::~GemaltoToken <END>\n" );
+}
+
+
+void GemaltoToken::changePIN(int pinNum, const unsigned char *oldPin, size_t oldPinLength, const unsigned char *newPin, size_t newPinLength)
+{
+ log( "\nGemaltoToken::changePIN <BEGIN>\n" );
+ //log( "pinNum <%d> - oldPin <%.*s> - newPin <%.*s>\n", pinNum, (int) oldPinLength, oldPin, (int) newPinLength, newPin);
+
+ if (pinNum != 1)
+ CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
+
+ if (oldPinLength < mCKTokenInfo.ulMinPinLen || oldPinLength > mCKTokenInfo.ulMaxPinLen ||
+ newPinLength < mCKTokenInfo.ulMinPinLen || newPinLength > mCKTokenInfo.ulMaxPinLen)
+ CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
+
+ CK_BYTE* pOldPIN = new CK_BYTE[oldPinLength];
+ memset( pOldPIN, 0, sizeof( CK_BYTE ) * oldPinLength );
+ for( size_t i = 0 ; i < oldPinLength ; i++ )
+ {
+ pOldPIN[ i ] = (CK_BYTE)oldPin[ i ];
+ }
+
+ CK_BYTE* pNewPIN = new CK_BYTE[newPinLength];
+ memset( pNewPIN, 0, sizeof( CK_BYTE ) * newPinLength );
+ for( size_t j = 0 ; j < newPinLength ; j++ )
+ {
+ pNewPIN[ j ] = (CK_BYTE)newPin[ j ];
+ }
+
+ // Log the user only if he was not previously logged in
+ bool bUserAlreadyLoggedIn = false;
+ CK_RV rv = CK_D_(C_Login)(mCKSession, CKU_USER, pOldPIN, oldPinLength);
+ if( rv == CKR_USER_ALREADY_LOGGED_IN)
+ {
+ bUserAlreadyLoggedIn = true;
+ }
+ else if( rv != CKR_OK )
+ {
+ delete[] pOldPIN;
+ delete[] pNewPIN;
+
+ log( "GemaltoToken::changePIN - ## Error ## <%ld>\n", rv );
+
+ CKError::check( rv );
+ }
+
+ // Change PIN
+ rv = CK_D_(C_SetPIN)(mCKSession, pOldPIN, oldPinLength, pNewPIN, newPinLength);
+ delete[] pOldPIN;
+ delete[] pNewPIN;
+ CKError::check( rv );
+
+ // LogOut only if the user not previously logged in
+ if( false == bUserAlreadyLoggedIn )
+ {
+ CKError::check(CK_D_(C_Logout)(mCKSession));
+ }
+
+ mPinStatus = SCARD_SUCCESS;
+
+ log( "GemaltoToken::changePIN <END>\n" );
+}
+
+
+uint32_t GemaltoToken::pinStatus(int pinNum)
+{
+ log( "\nGemaltoToken::pinStatus <BEGIN>\n" );
+ log( "pinNum <%d>\n", pinNum );
+
+ if (pinNum != 1)
+ {
+ log( "## Error ## pinStatus CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED\n" );
+ CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
+ }
+
+ log( "GemaltoToken::pinStatus <END>\n" );
+
+ return mPinStatus;
+}
+
+
+void GemaltoToken::verifyPIN(int pinNum, const uint8_t *pin, size_t pinLength)
+{
+ log( "\nGemaltoToken::verifyPIN <BEGIN>\n" );
+ //log( "pinNum <%d> - pin <%.*s>\n", pinNum, (int) pinLength, pin );
+
+ if (pinNum != 1)
+ {
+ log( "GemaltoToken::verifyPIN - ## ERROR ## Invalid pinNum <%d>\n", pinNum );
+ CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
+ }
+
+ if ( ( pinLength < mCKTokenInfo.ulMinPinLen ) || ( pinLength > mCKTokenInfo.ulMaxPinLen ) )
+ {
+ log( "GemaltoToken::verifyPIN - ## ERROR ## Invalid PIN length\n" );
+ CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
+ }
+
+ CK_BYTE* pPIN = new CK_BYTE[pinLength];
+ memset( pPIN, 0, sizeof( CK_BYTE ) * pinLength );
+ for( size_t i = 0 ; i < pinLength ; i++ )
+ {
+ pPIN[ i ] = (CK_BYTE)pin[ i ];
+ }
+
+ CK_RV rv = CK_D_(C_Login)( mCKSession, CKU_USER, pPIN, pinLength );
+
+ mPinStatus = SCARD_AUTHENTICATION_FAILED;
+ if ( ( CKR_OK == rv ) || ( CKR_USER_ALREADY_LOGGED_IN == rv ) )
+ {
+ mPinStatus = SCARD_SUCCESS;
+ }
+ else
+ {
+ log( "GemaltoToken::verifyPIN - ## Error ## <%ld>\n", rv );
+
+ if ( CKR_PIN_LOCKED == rv )
+ {
+ mPinStatus = SCARD_AUTHENTICATION_BLOCKED;
+ }
+ }
+
+ delete[ ] pPIN;
+
+
+ log( "GemaltoToken::verifyPIN <END>\n" );
+}
+
+
+void GemaltoToken::unverifyPIN(int pinNum)
+{
+ log( "\nGemaltoToken::unverifyPIN <BEGIN>\n" );
+ log( "pinNum <%d>\n", pinNum );
+
+ if (pinNum != -1)
+ CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
+
+ try
+ {
+ CKError::check(CK_D_(C_Logout)(mCKSession));
+ }
+ catch (CKError& err)
+ {
+ if (err.resultValue != CKR_USER_NOT_LOGGED_IN)
+ throw;
+ }
+
+ mPinStatus = 0;
+
+ log( "GemaltoToken::unverifyPIN <END>\n" );
+}
+
+
+uint32 GemaltoToken::probe(SecTokendProbeFlags flags, char tokenUid[TOKEND_MAX_UID])
+{
+ log( "\nGemaltoToken::probe <BEGIN>\n" );
+ log( "GemaltoToken::probe - flags <%x>\n", (unsigned int) flags );
+ log( "GemaltoToken::probe - tokenUid <%s>\n", tokenUid );
+
+ uint32 score = 0;
+
+ try
+ {
+ const SCARD_READERSTATE &readerState = *(*startupReaderInfo)();
+ if (readerState.cbAtr)
+ {
+ log( "GemaltoToken::probe - Reader <%s>\n", readerState.szReader);
+ std::string s = "";
+ GemaltoToken::toStringHex( readerState.rgbAtr, readerState.cbAtr, s );
+ log( "GemaltoToken::probe - ATR <%s>\n", s.c_str( ) );
+
+ if (!s_CK_pFunctionList)
+ {
+ const char* dlPath = "/usr/lib/pkcs11/libgtop11dotnet.dylib";
+
+ for (CardAtrVector::const_iterator it = atrs.begin(); it != atrs.end(); ++it)
+ {
+ const CardAtr* cardAtr = (*it);
+ unsigned int i;
+ for (i=0; i<cardAtr->length; i++) {
+ if (cardAtr->mask[i] == 0)
+ continue;
+ if (i >= readerState.cbAtr)
+ break;
+ if ((readerState.rgbAtr[i] & cardAtr->mask[i]) != (cardAtr->atr[i] & cardAtr->mask[i]))
+ break;
+ }
+ if (i == cardAtr->length)
+ {
+ // Found Classic Client smartcard
+ dlPath = "/usr/lib/pkcs11/libgclib.dylib";
+ break;
+ }
+ }
+
+ log( "GemaltoToken::probe - Using %s PKCS#11 library\n", dlPath );
+ mDLHandle = dlopen(dlPath, RTLD_LAZY | RTLD_GLOBAL);
+ if (!mDLHandle)
+ {
+ log( "GemaltoToken::probe - ## ERROR ## Cannot load the PKCS#11 library\n" );
+ CKError::throwMe(CKR_GENERAL_ERROR);
+ }
+
+ CK_C_GetFunctionList C_GetFunctionList_PTR = (CK_C_GetFunctionList) dlsym(mDLHandle, "C_GetFunctionList");
+ if (!C_GetFunctionList_PTR)
+ {
+ log( "GemaltoToken::probe - ## ERROR ## Cannot load the PKCS#11 function list\n" );
+ CKError::throwMe(CKR_GENERAL_ERROR);
+ }
+
+ CKError::check((*C_GetFunctionList_PTR)(&s_CK_pFunctionList));
+
+ CKError::check(CK_D_(C_Initialize)(NULL_PTR));
+ }
+
+ CK_ULONG ulSlotCount = GEMALTO_MAX_SLOT_COUNT;
+ CK_SLOT_ID pSlotID[GEMALTO_MAX_SLOT_COUNT];
+ CKError::check(CK_D_(C_GetSlotList)(CK_TRUE, pSlotID, &ulSlotCount));
+ bool found = false;
+ for (CK_ULONG i=0; i<ulSlotCount; i++) {
+ CK_SLOT_INFO slotInfo;
+ CKError::check(CK_D_(C_GetSlotInfo)(pSlotID[i], &slotInfo));
+ if (strncmp((char*) slotInfo.slotDescription, readerState.szReader, strlen(readerState.szReader)) == 0) {
+ found = true;
+ mCKSlotId = pSlotID[i];
+ break;
+ }
+ }
+
+ if (found)
+ {
+ CKError::check(CK_D_(C_GetTokenInfo)(mCKSlotId, &mCKTokenInfo));
+
+ // Verify if token is initialized
+ if ((mCKTokenInfo.flags & CKF_USER_PIN_INITIALIZED) != CKF_USER_PIN_INITIALIZED)
+ {
+ // ?????????
+ //CKError::throwMe(CKR_USER_PIN_NOT_INITIALIZED);
+ }
+
+ score = 999;
+
+ // Setup the tokendUID
+ //snprintf(tokenUid, TOKEND_MAX_UID, "Gemalto smartcard #%.*s (%.*s)", (int) sizeof(mCKTokenInfo.serialNumber), mCKTokenInfo.serialNumber, (int) sizeof(mCKTokenInfo.label), mCKTokenInfo.label );
+ char label[ 33 ];
+ memset( label, 0, sizeof( label ) );
+ memcpy( label, mCKTokenInfo.label, sizeof(mCKTokenInfo.label) );
+ char* trimLabel = trim_line( label );
+ snprintf(tokenUid, TOKEND_MAX_UID, "Gemalto smartcard %s (%.*s)", trimLabel, (int) sizeof(mCKTokenInfo.serialNumber), mCKTokenInfo.serialNumber );
+
+ for (size_t len=strlen(tokenUid); tokenUid[len-1]==' '; len--)
+ tokenUid[len-1] = '\0';
+ log( "tokenUid <%s>\n", tokenUid );
+ }
+ }
+ }
+ catch (...)
+ {
+ score = 0;
+ }
+
+ log( "GemaltoToken::probe <END>\n" );
+
+ return score;
+}
+
+
+void GemaltoToken::establish(const CSSM_GUID *guid, uint32 subserviceId, SecTokendEstablishFlags flags, const char *cacheDirectory, const char *workDirectory, char mdsDirectory[PATH_MAX], char printName[PATH_MAX])
+{
+ log( "\nGemaltoToken::establish <BEGIN>\n" );
+ log( "flags <%x> - cacheDirectory <%s> - workDirectory <%s>\n", (unsigned int)flags, cacheDirectory, workDirectory );
+
+ Token::establish(guid, subserviceId, flags, cacheDirectory, workDirectory, mdsDirectory, printName);
+
+ mSchema = new GemaltoSchema();
+ mSchema->create();
+
+ if (mCKSession == CK_INVALID_HANDLE)
+ CKError::check(CK_D_(C_OpenSession)(mCKSlotId, CKF_SERIAL_SESSION | CKF_RW_SESSION , NULL_PTR, NULL_PTR, &mCKSession));
+
+ populate();
+
+ char label[ 33 ];
+ memset( label, 0, sizeof( label ) );
+ memcpy( label, mCKTokenInfo.label, sizeof(mCKTokenInfo.label) );
+ char* trimLabel = trim_line( label );
+ snprintf(printName, PATH_MAX, "Gemalto smartcard %s (%.*s)", trimLabel, (int) sizeof(mCKTokenInfo.serialNumber), mCKTokenInfo.serialNumber );
+ for (size_t len=strlen(printName); printName[len-1]==' '; len--)
+ printName[len-1] = '\0';
+
+ log( "printName <%s>\n", printName );
+ log( "GemaltoToken::establish <END>\n" );
+}
+
+
+//
+// Database-level ACLs
+//
+void GemaltoToken::getOwner(AclOwnerPrototype &owner)
+{
+ log( "\nGemaltoToken::getOwner <BEGIN>\n" );
+
+ // we don't really know (right now), so claim we're owned by PIN #1
+ if (!mAclOwner) {
+ mAclOwner.allocator(Allocator::standard());
+ mAclOwner = AclFactory::PinSubject(mAclOwner.allocator(), 1);
+ }
+ owner = mAclOwner;
+
+ log( "GemaltoToken::getOwner <END>\n" );
+}
+
+
+void GemaltoToken::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
+{
+ log( "\nGemaltoToken::getAcl <BEGIN>\n" );
+ log( "tag <%s> - count <%lu>\n", tag, count );
+
+ Allocator &alloc = Allocator::standard();
+
+ if (uint32 pin = _pinFromAclTag(tag, "?"))
+ {
+ static AutoAclEntryInfoList acl;
+ _aclClear(acl);
+ acl.allocator(alloc);
+ uint32_t status = this->pinStatus(pin);
+ if (status == SCARD_SUCCESS)
+ {
+ _addPinState(acl, pin, CSSM_ACL_PREAUTH_TRACKING_AUTHORIZED );
+ }
+ else if ( SCARD_AUTHENTICATION_BLOCKED == status )
+ {
+ _addPinState(acl, pin, CSSM_ACL_PREAUTH_TRACKING_BLOCKED );
+ }
+ else
+ {
+ _addPinState(acl, pin, CSSM_ACL_PREAUTH_TRACKING_UNKNOWN);
+ }
+ count = acl.size();
+ acls = acl.entries();
+
+ log( "count <%lu>\n", count );
+
+ log( "GemaltoToken::getAcl <END>\n" );
+ return;
+ }
+
+ // get pin list, then for each pin
+ if (!mAclEntries)
+ {
+ mAclEntries.allocator(alloc);
+
+ // Anyone can read the attributes and data of any record on this token
+ // (it's further limited by the object itself).
+ mAclEntries.add(CssmClient::AclFactory::AnySubject( mAclEntries.allocator()), AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
+
+ // We support PIN1 with either a passed in password subject or a prompted password subject.
+ mAclEntries.addPin(AclFactory::PWSubject(mAclEntries.allocator()), 1);
+ mAclEntries.addPin(AclFactory::PromptPWSubject(mAclEntries.allocator(), CssmData()), 1);
+ mAclEntries.addPin(AclFactory::PinSubject(mAclEntries.allocator(), CssmData()), 1);
+ }
+
+ count = mAclEntries.size();
+ acls = mAclEntries.entries();
+
+ log( "count <%lu>\n", count );
+ log( "GemaltoToken::getAcl <END>\n" );
+}
+
+
+#pragma mark ---------------- Gemalto Specific --------------
+
+
+void GemaltoToken::populate()
+{
+ log( "\nGemaltoToken::populate <BEGIN>\n" );
+
+ Tokend::Relation &certRelation = mSchema->findRelation(CSSM_DL_DB_RECORD_X509_CERTIFICATE);
+ Tokend::Relation &privateKeyRelation = mSchema->findRelation(CSSM_DL_DB_RECORD_PRIVATE_KEY);
+
+ // Find all certificates into the smartcard
+ CK_OBJECT_CLASS ulClass = CKO_CERTIFICATE;
+ CK_ATTRIBUTE classAttr = { CKA_CLASS, &ulClass, sizeof( CK_OBJECT_CLASS ) };
+ CKError::check( CK_D_(C_FindObjectsInit)( mCKSession, &classAttr, 1 ) );
+ while ( 1 )
+ {
+ CK_OBJECT_HANDLE ulObject = CK_INVALID_HANDLE;
+ CK_ULONG ulObjectCount = 0;
+
+ CKError::check( CK_D_(C_FindObjects)( mCKSession, &ulObject, 1, &ulObjectCount ) );
+ if ( 0 == ulObjectCount )
+ {
+ log( "GemaltoToken::populate - No more certificate into the smartcard. Nothing more to do !!!\n" );
+ break;
+ }
+
+ log( "GemaltoToken::populate - Found a certificate into the smartcard \n" );
+
+ // Create a certificate instance
+ RefPointer<GemaltoCertRecord> cert( new GemaltoCertRecord( *this, ulObject ) );
+ certRelation.insertRecord( cert );
+
+ // If the current certificate is not a ROOT CA certificate
+ if ( false == cert->isCA( ) )
+ {
+ // If the current certificat is able to perform a cryptographic operation
+ if ( cert->verify( ) || cert->verifyRecover( ) || cert->encrypt( ) || cert->wrap( ) )
+ {
+ log( "GemaltoToken::populate - The current certificate is not a ROOT and owns private key usage(s). Create associated private key.\n" );
+
+ // Create a private key
+ RefPointer<GemaltoKeyRecord> keyPrvRecord( new GemaltoPrivateKeyRecord( *cert ) );
+ privateKeyRelation.insertRecord( keyPrvRecord );
+
+ // The Adornment class links a particular CertificateRecord with its corresponding KeyRecord record
+ keyPrvRecord->setAdornment( mSchema->publicKeyHashCoder( ).certificateKey( ), new Tokend::LinkedRecordAdornment( cert ) );
+ }
+ }
+ }
+ CK_D_(C_FindObjectsFinal)( mCKSession );
+
+ log( "GemaltoToken::populate <END>\n" );
+}
+
+
+void GemaltoToken::convert_hex(unsigned char* bin, const char* hex)
+{
+ char* dummy;
+ char nibble[3];
+ nibble[2] = 0;
+
+ while (*hex) {
+ nibble[0] = *hex++;
+ if (*hex)
+ nibble[1] = *hex++;
+ else
+ nibble[1] = '0';
+ *bin++ = strtoul(nibble, &dummy, 16);
+ }
+}
+
+
+char* GemaltoToken::trim_line(char* line)
+{
+ char* p = line;
+ while (*p && isblank(*p))
+ p++;
+ char* e = p + strlen(p) - 1;
+ while (e >= p && isspace(*e))
+ *e-- = 0;
+ return p;
+}
+
+//
+// Extract the pin number from a "PIN%d?" tag.
+// Returns 0 if the tag isn't of that form.
+//
+uint32 GemaltoToken::_pinFromAclTag(const char *tag, const char *suffix)
+{
+ if (tag)
+ {
+ char format[20];
+ snprintf(format, sizeof(format), "PIN%%d%s%%n", suffix ? suffix : "");
+ uint32 pin;
+ unsigned consumed;
+ sscanf(tag, format, &pin, &consumed);
+ if (consumed == strlen(tag)) // complete and sufficient
+ return pin;
+ }
+ return 0;
+}
+
+
+void GemaltoToken::_aclClear(AutoAclEntryInfoList& acl)
+{
+ if (acl == true)
+ {
+ DataWalkers::ChunkFreeWalker w(acl.allocator());
+ for (uint32 ix = 0; ix < acl.size(); ix++)
+ walk(w, acl.at(ix));
+ acl.size(0);
+ }
+}
+
+
+void GemaltoToken::_addPinState(AutoAclEntryInfoList& acl, uint32 slot, uint32 status)
+{
+ char tag[20];
+ snprintf( tag, sizeof(tag), "PIN%d?", (int) slot );
+
+ TypedList subj( acl.allocator(), CSSM_WORDID_PIN, new(acl.allocator()) ListElement(slot), new(acl.allocator()) ListElement(status));
+
+ acl.add(subj, CSSM_WORDID_PIN, tag);
+}
+
+
+#pragma mark ---------------- Gemalto Debug --------------
+
+
+// Define to unable if you want to activate trace into the code
+#define __DEBUG_GEMALTO__
+
+void GemaltoToken::toStringHex( const unsigned char* buffer, const std::size_t& size, std::string &result )
+{
+#ifdef __DEBUG_GEMALTO__
+ if( ( NULL == buffer ) || ( 1 > size ) )
+ {
+ //result.assign( "null" );
+ return;
+ }
+
+ std::ostringstream oss;
+ oss.rdbuf( )->str( "" );
+
+ // Afficher en hexadecimal et en majuscule
+ oss << std::hex << std::uppercase;
+
+ // Remplir les blancs avec des z\x8Eros
+ oss << std::setfill('0');
+
+ for( std::size_t i = 0; i < size; ++i )
+ {
+ // Separer chaque octet par un espace
+ /*if (i != 0)
+ oss << ' ';*/
+
+ // Afficher sa valeur hexad\xE9cimale pr\xE9c\xE9d\xE9e de "0x"
+ // setw(2) permet de forcer l'affichage \xE0 2 caract\xE8res
+ oss << /*"0x" <<*/ std::setw(2) << static_cast<int>( buffer[i] );
+ }
+
+ result.assign( oss.str( ) );
+#endif
+}
+
+#define LOG_FILE "/tmp/Gemalto.TokenD.log"
+/* Log a message into the LOG_FILE file */
+void GemaltoToken::log( const char * format, ... )
+{
+#ifdef __DEBUG_GEMALTO__
+ // Try to open the file
+ FILE* pLog = fopen( LOG_FILE, "a" );
+ if ( NULL == pLog )
+ {
+ // The file does not exit
+ // Nothing to log
+ return;
+ }
+
+ va_list args;
+ va_start( args, format );
+
+ vfprintf(pLog, format, args);
+ va_end( args );
+
+ // Close the file
+ fclose( pLog );
+#endif
+}
+
+/* arch-tag: 8A7C3BAF-124C-11D9-A606-000A9595DEEE */
Added: trunk/Tokend/PKCS11/GemaltoToken.h
===================================================================
--- trunk/Tokend/PKCS11/GemaltoToken.h (rev 0)
+++ trunk/Tokend/PKCS11/GemaltoToken.h 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2008-2009 Gemalto <support at gemalto.com>
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * GemaltoToken.h
+ * Gemalto.tokend
+ */
+
+#ifndef _GEMALTOTOKEN_H_
+#define _GEMALTOTOKEN_H_
+
+#include "Token.h"
+
+#include <security_utilities/pcsc++.h>
+#include "cryptoki.h"
+
+
+class GemaltoSchema;
+
+//
+// "The" token
+//
+class GemaltoToken : public Tokend::Token, public Tokend::TokenContext
+{
+ NOCOPY(GemaltoToken)
+public:
+ GemaltoToken();
+ virtual ~GemaltoToken();
+
+ virtual uint32 probe(SecTokendProbeFlags flags, char tokenUid[TOKEND_MAX_UID]);
+ virtual void establish(const CSSM_GUID *guid, uint32 subserviceId, SecTokendEstablishFlags flags, const char *cacheDirectory, const char *workDirectory, char mdsDirectory[PATH_MAX], char printName[PATH_MAX]);
+ virtual void getOwner(AclOwnerPrototype &owner);
+ virtual void getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls);
+
+ virtual void changePIN(int pinNum, const unsigned char *oldPin, size_t oldPinLength, const unsigned char *newPin, size_t newPinLength);
+ virtual uint32_t pinStatus(int pinNum);
+ virtual void verifyPIN(int pinNum, const unsigned char *pin, size_t pinLength);
+ virtual void unverifyPIN(int pinNum);
+
+ static CK_FUNCTION_LIST_PTR s_CK_pFunctionList;
+
+ static void log( const char * format, ... );
+ static void toStringHex( const unsigned char* pIn, const std::size_t &ulInLen, std::string &szOut );
+
+ inline CK_SESSION_HANDLE session(void) const { return mCKSession; }
+ inline const CK_TOKEN_INFO* info(void) const { return &mCKTokenInfo; }
+
+protected:
+ void populate();
+
+public:
+ uint32_t mPinStatus;
+
+ // temporary ACL cache hack - to be removed
+ AutoAclOwnerPrototype mAclOwner;
+ AutoAclEntryInfoList mAclEntries;
+
+private:
+ int FindSlotForReader(const CK_SLOT_ID* slotId, CK_ULONG slotCount, const SCARD_READERSTATE &readerState);
+
+ void convert_hex(unsigned char* bin, const char* hex);
+
+typedef struct card_atr
+{
+ char* name;
+ unsigned int length;
+ unsigned char* atr;
+ unsigned char* mask;
+} CardAtr;
+
+ typedef std::vector<CardAtr* > CardAtrVector;
+ CardAtrVector atrs;
+
+ char* trim_line(char* line);
+ uint32 _pinFromAclTag(const char *tag, const char *suffix = NULL);
+ void _aclClear(AutoAclEntryInfoList& acl);
+ void _addPinState(AutoAclEntryInfoList& acl, uint32 slot, uint32 status);
+
+ CK_SESSION_HANDLE mCKSession;
+ CK_SLOT_ID mCKSlotId;
+ CK_TOKEN_INFO mCKTokenInfo;
+
+ void* mDLHandle;
+
+};
+
+#define CK_D_(_name) \
+ (* (gemaltoToken.s_CK_pFunctionList -> _name))
+
+#endif /* !_GEMALTOTOKEN_H_ */
+
+/* arch-tag: 89FAE70D-124C-11D9-B24F-000A9595DEEE */
Added: trunk/Tokend/PKCS11/Info.plist
===================================================================
--- trunk/Tokend/PKCS11/Info.plist (rev 0)
+++ trunk/Tokend/PKCS11/Info.plist 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>CFBundleGetInfoString</key>
+ <string>1.2-01, Copyright 2008 Gemalto NV Group.</string>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>English</string>
+ <key>CFBundleExecutable</key>
+ <string>PKCS11</string>
+ <key>CFBundleIdentifier</key>
+ <string>com.gemalto.tokend</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>PKCS11</string>
+ <key>CFBundlePackageType</key>
+ <string>????</string>
+ <key>CFBundleShortVersionString</key>
+ <string>1.2</string>
+ <key>CFBundleSignature</key>
+ <string>????</string>
+ <key>CFBundleVersion</key>
+ <string>1.2</string>
+</dict>
+</plist>
Added: trunk/Tokend/PKCS11/cryptoki.h
===================================================================
--- trunk/Tokend/PKCS11/cryptoki.h (rev 0)
+++ trunk/Tokend/PKCS11/cryptoki.h 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,90 @@
+/* cryptoki.h include file for PKCS #11. */
+/* $Revision: 1.3 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This is a sample file containing the top level include directives
+ * for building Win32 Cryptoki libraries and applications.
+ */
+
+#ifndef ___CRYPTOKI_H_INC___
+#define ___CRYPTOKI_H_INC___
+#ifdef WIN32
+
+#pragma pack(push, cryptoki, 1)
+
+/* Specifies that the function is a DLL entry point. */
+#define CK_IMPORT_SPEC __declspec(dllimport)
+
+/* Define CRYPTOKI_EXPORTS during the build of cryptoki libraries. Do
+ * not define it in applications.
+ */
+#ifdef CRYPTOKI_EXPORTS
+/* Specified that the function is an exported DLL entry point. */
+#define CK_EXPORT_SPEC __declspec(dllexport)
+#else
+#define CK_EXPORT_SPEC CK_IMPORT_SPEC
+#endif
+
+/* Ensures the calling convention for Win32 builds */
+#define CK_CALL_SPEC __cdecl
+
+#define CK_PTR *
+
+#define CK_DEFINE_FUNCTION(returnType, name) \
+ returnType CK_EXPORT_SPEC CK_CALL_SPEC name
+
+#define CK_DECLARE_FUNCTION(returnType, name) \
+ returnType CK_EXPORT_SPEC CK_CALL_SPEC name
+
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ returnType CK_IMPORT_SPEC (CK_CALL_SPEC CK_PTR name)
+
+#define CK_CALLBACK_FUNCTION(returnType, name) \
+ returnType (CK_CALL_SPEC CK_PTR name)
+
+#ifndef NULL_PTR
+#define NULL_PTR 0
+#endif
+
+#include "pkcs11.h"
+
+#pragma pack(pop, cryptoki)
+
+#else /* ifdef WIN32 */
+
+#define CK_PTR *
+
+#define CK_DEFINE_FUNCTION(returnType, name) \
+ returnType name
+
+#define CK_DECLARE_FUNCTION(returnType, name) \
+ returnType name
+
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ returnType (* name)
+
+#define CK_CALLBACK_FUNCTION(returnType, name) \
+ returnType (* name)
+
+#ifndef NULL_PTR
+#define NULL_PTR 0
+#endif
+
+#include "pkcs11.h"
+
+#endif /* ifdef WIN32 */
+#endif /* ___CRYPTOKI_H_INC___ */
Added: trunk/Tokend/PKCS11/gemalto_debug.sh
===================================================================
--- trunk/Tokend/PKCS11/gemalto_debug.sh (rev 0)
+++ trunk/Tokend/PKCS11/gemalto_debug.sh 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+#export DEBUGSCOPE=all
+#export DEBUGDUMP=all
+export DEBUGSCOPE=Gemalto.tokend,populate,exception
+export DEBUGDUMP=Gemalto.tokend,populate,exception
+export DEBUGDEST=/tmp/gemalto.log
+
+exec /System/Library/Security/tokend/Gemalto.tokend/Contents/MacOS/Gemalto_debug "$@"
Added: trunk/Tokend/PKCS11/install.sh
===================================================================
--- trunk/Tokend/PKCS11/install.sh (rev 0)
+++ trunk/Tokend/PKCS11/install.sh 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+test `id -u` -eq 0 || { echo 'You *MUST* be root!' >&2; exit 1; }
+
+echo '*** Install tokend ...'
+rm -rf /System/Library/Security/tokend/Gemalto.tokend
+ditto Tokend.root /
+if test "$1" = "-d"; then
+ echo '*** Blessing debug token ...'
+ cp -f ./Gemalto_debug.sh \
+ /System/Library/Security/tokend/Gemalto.tokend/Contents/MacOS/Gemalto
+ chmod 0755 /System/Library/Security/tokend/Gemalto.tokend/Contents/MacOS/Gemalto
+ chmod 0555 /System/Library/Security/tokend/Gemalto.tokend/Contents/MacOS/Gemalto_debug
+else
+ echo '*** Blessing release token ...'
+ rm /System/Library/Security/tokend/Gemalto.tokend/Contents/MacOS/Gemalto_debug
+ chmod 0555 /System/Library/Security/tokend/Gemalto.tokend/Contents/MacOS/Gemalto
+fi
Added: trunk/Tokend/PKCS11/mds/gemalto_csp_capabilities.mdsinfo
===================================================================
--- trunk/Tokend/PKCS11/mds/gemalto_csp_capabilities.mdsinfo (rev 0)
+++ trunk/Tokend/PKCS11/mds/gemalto_csp_capabilities.mdsinfo 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
+<plist version="0.9">
+<dict>
+ <key>Capabilities</key>
+ <string>file:gemalto_csp_capabilities_common.mds</string>
+ <key>MdsFileDescription</key>
+ <string>Gemalto Token CSPDL CSP Capabilities</string>
+ <key>MdsFileType</key>
+ <string>PluginSpecific</string>
+ <key>MdsRecordType</key>
+ <string>MDS_CDSADIR_CSP_CAPABILITY_RECORDTYPE</string>
+</dict>
+</plist>
Added: trunk/Tokend/PKCS11/mds/gemalto_csp_capabilities_common.mds
===================================================================
--- trunk/Tokend/PKCS11/mds/gemalto_csp_capabilities_common.mds (rev 0)
+++ trunk/Tokend/PKCS11/mds/gemalto_csp_capabilities_common.mds 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,903 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_SHA1</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_OUTPUT_SIZE</string>
+ <key>AttributeValue</key>
+ <integer>20</integer>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_DIGEST</string>
+ <key>Description</key>
+ <string>SHA1 Digest</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_MD5</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_OUTPUT_SIZE</string>
+ <key>AttributeValue</key>
+ <integer>16</integer>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_DIGEST</string>
+ <key>Description</key>
+ <string>MD5 Digest</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_MD2</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_OUTPUT_SIZE</string>
+ <key>AttributeValue</key>
+ <integer>16</integer>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_DIGEST</string>
+ <key>Description</key>
+ <string>MD2 Digest</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_RSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>RSA Key Pair Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_DES</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_KEY_LENGTH</string>
+ <key>AttributeValue</key>
+ <integer>64</integer>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>DES Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_3DES_3KEY</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_KEY_LENGTH</string>
+ <key>AttributeValue</key>
+ <integer>192</integer>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>3DES Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_RC2</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>RC2 Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_RC4</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>RC4 Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_RC5</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>RC5 Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_CAST</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>New item</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>CAST Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_BLOWFISH</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>Blowfish Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_SHA1HMAC</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>SHA1HMAC Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_MD5HMAC</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>MD5HMAC Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_AES</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_KEY_LENGTH</string>
+ <key>AttributeValue</key>
+ <array>
+ <integer>128</integer>
+ <integer>192</integer>
+ <integer>256</integer>
+ </array>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>AES Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_ASC</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>ASC Key Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_FEE</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_KEY_LENGTH</string>
+ <key>AttributeValue</key>
+ <array>
+ <integer>31</integer>
+ <integer>127</integer>
+ <integer>128</integer>
+ <integer>161</integer>
+ <integer>192</integer>
+ </array>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>FEE Key Pair Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_DSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_KEYGEN</string>
+ <key>Description</key>
+ <string>DSA Key Pair Generation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_PKCS5_PBKDF2</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_DERIVEKEY</string>
+ <key>Description</key>
+ <string>PKCS5 Key Derivation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_PKCS5_PBKDF1_MD5</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_DERIVEKEY</string>
+ <key>Description</key>
+ <string>PKCS5 PBKDF1 MD5 Key Derivation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_PKCS5_PBKDF1_MD2</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_DERIVEKEY</string>
+ <key>Description</key>
+ <string>PKCS5 PBKDF1 MD2 Key Derivation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_PKCS5_PBKDF1_SHA1</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_DERIVEKEY</string>
+ <key>Description</key>
+ <string>PKCS5 PBKDF1 SHA1 Key Derivation</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_DES</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_MODE</string>
+ <key>AttributeValue</key>
+ <array>
+ <integer>2</integer>
+ <integer>3</integer>
+ <integer>5</integer>
+ <integer>6</integer>
+ </array>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SYMMETRIC</string>
+ <key>Description</key>
+ <string>DES Encryption</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_3DES_3KEY_EDE</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_MODE</string>
+ <key>AttributeValue</key>
+ <array>
+ <integer>2</integer>
+ <integer>3</integer>
+ <integer>5</integer>
+ <integer>6</integer>
+ </array>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SYMMETRIC</string>
+ <key>Description</key>
+ <string>3DES EDE Encryption</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_AES</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_MODE</string>
+ <key>AttributeValue</key>
+ <array>
+ <integer>2</integer>
+ <integer>3</integer>
+ <integer>5</integer>
+ <integer>6</integer>
+ </array>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SYMMETRIC</string>
+ <key>Description</key>
+ <string>AES Encryption</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_RC4</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_MODE</string>
+ <key>AttributeValue</key>
+ <array>
+ <integer>0</integer>
+ </array>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SYMMETRIC</string>
+ <key>Description</key>
+ <string>RC4 Encryption</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_RC5</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_MODE</string>
+ <key>AttributeValue</key>
+ <array>
+ <integer>2</integer>
+ <integer>3</integer>
+ <integer>5</integer>
+ <integer>6</integer>
+ </array>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SYMMETRIC</string>
+ <key>Description</key>
+ <string>RC5 Encryption</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_BLOWFISH</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_MODE</string>
+ <key>AttributeValue</key>
+ <array>
+ <integer>2</integer>
+ <integer>3</integer>
+ <integer>5</integer>
+ <integer>6</integer>
+ </array>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SYMMETRIC</string>
+ <key>Description</key>
+ <string>Blowfish Encryption</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_CAST</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_MODE</string>
+ <key>AttributeValue</key>
+ <array>
+ <integer>2</integer>
+ <integer>3</integer>
+ <integer>5</integer>
+ <integer>6</integer>
+ </array>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SYMMETRIC</string>
+ <key>Description</key>
+ <string>CAST Encryption</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_RSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_ASYMMETRIC</string>
+ <key>Description</key>
+ <string>RSA Encryption</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_FEEDEXP</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_ASYMMETRIC</string>
+ <key>Description</key>
+ <string>FEEDExp Encryption</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_FEED</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_ASYMMETRIC</string>
+ <key>Description</key>
+ <string>FEED Encryption</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_SHA1WithRSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>SHA1 With RSA Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_MD5WithRSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>MD5 With RSA Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_MD2WithRSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>MD2 With RSA Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_RSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>Raw RSA Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_SHA1WithDSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>SHA1 With DSA Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_DSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>Raw DSA Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_FEE_MD5</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>MD5 with FEE Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_FEE_SHA1</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>SHA1 with FEE Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_FEE</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>Raw FEE Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_SHA1WithECDSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>SHA1 with ECDSA Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_ECDSA</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_SIGNATURE</string>
+ <key>Description</key>
+ <string>Raw ECDSA Signature</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_SHA1HMAC</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_OUTPUT_SIZE</string>
+ <key>AttributeValue</key>
+ <integer>20</integer>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_MAC</string>
+ <key>Description</key>
+ <string>SHA1HMAC MAC</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_SHA1HMAC_LEGACY</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_OUTPUT_SIZE</string>
+ <key>AttributeValue</key>
+ <integer>20</integer>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_MAC</string>
+ <key>Description</key>
+ <string>SHA1HMAC MAC Legacy</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+ <dict>
+ <key>AlgType</key>
+ <string>CSSM_ALGID_APPLE_YARROW</string>
+ <key>Attributes</key>
+ <array>
+ <dict>
+ <key>AttributeType</key>
+ <string>CSSM_ATTRIBUTE_NONE</string>
+ <key>AttributeValue</key>
+ <array/>
+ </dict>
+ </array>
+ <key>ContextType</key>
+ <string>CSSM_ALGCLASS_RANDOMGEN</string>
+ <key>Description</key>
+ <string>Yarrow PRNG</string>
+ <key>UseeTag</key>
+ <string>CSSM_USEE_NONE</string>
+ </dict>
+</array>
+</plist>
Added: trunk/Tokend/PKCS11/mds/gemalto_csp_primary.mdsinfo
===================================================================
--- trunk/Tokend/PKCS11/mds/gemalto_csp_primary.mdsinfo (rev 0)
+++ trunk/Tokend/PKCS11/mds/gemalto_csp_primary.mdsinfo 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
+<plist version="0.9">
+<dict>
+ <key>AclSubjectTypes</key>
+ <array>
+ <string>CSSM_ACL_SUBJECT_TYPE_PASSWORD</string>
+ <string>CSSM_ACL_SUBJECT_TYPE_PROMPTED_PASSWORD</string>
+ <string>CSSM_ACL_SUBJECT_TYPE_PROTECTED_PASSWORD</string>
+ </array>
+ <key>AuthTags</key>
+ <!-- @@@ complete this -->
+ <array>
+ <string>CSSM_ACL_AUTHORIZATION_ANY</string>
+ </array>
+ <key>CspCustomFlags</key>
+ <integer>0</integer>
+ <key>CspFlags</key>
+ <!-- @@@ dynamic -->
+ <string>CSSM_CSP_STORES_PRIVATE_KEYS | CSSM_CSP_STORES_PUBLIC_KEYS | CSSM_CSP_STORES_CERTIFICATES | CSSM_CSP_STORES_GENERIC</string>
+ <key>CspType</key>
+ <string>CSSM_CSP_HARDWARE</string>
+ <key>MdsFileDescription</key>
+ <string>Token CSPDL CSP Primary info</string>
+ <key>MdsFileType</key>
+ <string>PluginSpecific</string>
+ <key>MdsRecordType</key>
+ <string>MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE</string>
+ <key>ModuleName</key>
+ <string>AppleSDCSPDL</string>
+ <key>ProductVersion</key>
+ <string>0.1</string>
+ <key>SampleTypes</key>
+ <array>
+ <string>CSSM_SAMPLE_TYPE_PASSWORD</string>
+ <string>CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD</string>
+ <string>CSSM_SAMPLE_TYPE_PROTECTED_PASSWORD</string>
+ </array>
+ <key>UseeTags</key>
+ <array/>
+ <key>Vendor</key>
+ <string>Apple Computer, Inc.</string>
+</dict>
+</plist>
Added: trunk/Tokend/PKCS11/mds/gemalto_dl_primary.mdsinfo
===================================================================
--- trunk/Tokend/PKCS11/mds/gemalto_dl_primary.mdsinfo (rev 0)
+++ trunk/Tokend/PKCS11/mds/gemalto_dl_primary.mdsinfo 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
+<plist version="0.9">
+<dict>
+ <key>AclSubjectTypes</key>
+ <array>
+ <string>CSSM_ACL_SUBJECT_TYPE_PASSWORD</string>
+ <string>CSSM_ACL_SUBJECT_TYPE_PROMPTED_PASSWORD</string>
+ <string>CSSM_ACL_SUBJECT_TYPE_PROTECTED_PASSWORD</string>
+ </array>
+ <key>AuthTags</key>
+ <array>
+ <!-- @@@ complete this -->
+ <string>CSSM_ACL_AUTHORIZATION_ANY</string>
+ </array>
+ <key>ConjunctiveOps</key>
+ <array>
+ <string>CSSM_DB_NONE</string>
+ <string>CSSM_DB_AND</string>
+ <string>CSSM_DB_OR</string>
+ </array>
+ <key>DLType</key>
+ <string>CSSM_DL_FFS</string>
+ <key>MdsFileDescription</key>
+ <string>Token CSPDL DL Primary info</string>
+ <key>MdsFileType</key>
+ <string>PluginSpecific</string>
+ <key>MdsRecordType</key>
+ <string>MDS_CDSADIR_DL_PRIMARY_RECORDTYPE</string>
+ <key>ModuleName</key>
+ <string>AppleSDCSPDL</string>
+ <key>ProductVersion</key>
+ <string>0.1</string>
+ <key>QueryLimitsFlag</key>
+ <integer>0</integer>
+ <key>RelationalOps</key>
+ <array>
+ <string>CSSM_DB_EQUAL</string>
+ <string>CSSM_DB_LESS_THAN</string>
+ <string>CSSM_DB_GREATER_THAN</string>
+ <string>CSSM_DB_CONTAINS_FINAL_SUBSTRING</string>
+ <string>CSSM_DB_CONTAINS_INITIAL_SUBSTRING</string>
+ <string>CSSM_DB_CONTAINS</string>
+ <string></string>
+ </array>
+ <key>SampleTypes</key>
+ <array>
+ <string>CSSM_SAMPLE_TYPE_PASSWORD</string>
+ <string>CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD</string>
+ <string>CSSM_SAMPLE_TYPE_PROTECTED_PASSWORD</string>
+ </array>
+ <key>Vendor</key>
+ <string>Apple Computer, Inc.</string>
+</dict>
+</plist>
Added: trunk/Tokend/PKCS11/mds/gemalto_smartcard.mdsinfo
===================================================================
--- trunk/Tokend/PKCS11/mds/gemalto_smartcard.mdsinfo (rev 0)
+++ trunk/Tokend/PKCS11/mds/gemalto_smartcard.mdsinfo 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
+<plist version="0.9">
+<dict>
+ <key>MdsFileDescription</key>
+ <string>SD/CSPDL Generic Smartcard Information</string>
+ <key>MdsRecordType</key>
+ <string>MDS_CDSADIR_CSP_SC_INFO_RECORDTYPE</string>
+ <key>MdsFileType</key>
+ <string>PluginSpecific</string>
+ <key>ScVendor</key>
+ <string>Generic</string>
+ <key>ScVersion</key>
+ <string>unknown</string>
+ <key>ScFirmwareVersion</key>
+ <string>unknown</string>
+ <key>ScFlags</key> <!-- @@@ dynamic -->
+ <integer>0</integer>
+ <key>ScCustomFlags</key>
+ <integer>0</integer>
+</dict>
+</plist>
Added: trunk/Tokend/PKCS11/pkcs11.h
===================================================================
--- trunk/Tokend/PKCS11/pkcs11.h (rev 0)
+++ trunk/Tokend/PKCS11/pkcs11.h 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,299 @@
+/* pkcs11.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 6 platform-specific macros must be defined. These
+ * macros are described below, and typical definitions for them
+ * are also given. Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a Cryptoki library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 6 macros, the packing convention
+ * for Cryptoki structures should be set. The Cryptoki
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, this might be done by using the following
+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, this might be done by using
+ * the following preprocessor directive before including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own for this. You might
+ * not need to do (or be able to do!) anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object. It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, it might be defined by:
+ *
+ * #define CK_PTR far *
+ *
+ * In a typical UNIX environment, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
+ * an exportable Cryptoki library function definition out of a
+ * return type and a function name. It should be used in the
+ * following fashion to define the exposed Cryptoki functions in
+ * a Cryptoki library:
+ *
+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
+ * CK_VOID_PTR pReserved
+ * )
+ * {
+ * ...
+ * }
+ *
+ * If you're using Microsoft Developer Studio 5.0 to define a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ * returnType __declspec(dllexport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to define a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ * returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ * returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable Cryptoki library function declaration out of a
+ * return type and a function name. It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ * CK_VOID_PTR pReserved
+ * );
+ *
+ * If you're using Microsoft Developer Studio 5.0 to declare a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType __declspec(dllimport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to declare a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType name
+ *
+ *
+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a Cryptoki API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name. It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a Cryptoki API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // Cryptoki API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to access
+ * functions in a Win32 Cryptoki .dll, in might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType __declspec(dllimport) (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to access functions in a Win16 Cryptoki .dll, it might
+ * be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType (* name)
+ *
+ *
+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV. It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to do Win32
+ * Cryptoki development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to do Win16 development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType (* name)
+ *
+ *
+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should best be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various Cryptoki types and #define'd values are in the
+ * file pkcs11t.h. */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y) x##y
+
+
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST 1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ extern CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points. That is, for
+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST 1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points. A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's Cryptoki version
+ * and then a whole slew of function pointers to the routines in
+ * the library. This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ __PASTE(CK_,name) name;
+
+struct CK_FUNCTION_LIST {
+
+ CK_VERSION version; /* Cryptoki version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
Added: trunk/Tokend/PKCS11/pkcs11f.h
===================================================================
--- trunk/Tokend/PKCS11/pkcs11f.h (rev 0)
+++ trunk/Tokend/PKCS11/pkcs11f.h 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,912 @@
+/* pkcs11f.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This header file contains pretty much everything about all the */
+/* Cryptoki function prototypes. Because this information is */
+/* used for more than just declaring function prototypes, the */
+/* order of the functions appearing herein is important, and */
+/* should not be altered. */
+
+/* General-purpose */
+
+/* C_Initialize initializes the Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
+ * cast to CK_C_INITIALIZE_ARGS_PTR
+ * and dereferenced */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about Cryptoki. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_INFO_PTR pInfo /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
+ * function list */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_BBOOL tokenPresent, /* only slots with tokens? */
+ CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
+ CK_ULONG_PTR pulCount /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* the ID of the slot */
+ CK_SLOT_INFO_PTR pInfo /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_TOKEN_INFO_PTR pInfo /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of token's slot */
+ CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */
+ CK_ULONG_PTR pulCount /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_MECHANISM_TYPE type, /* type of mechanism */
+ CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */
+ CK_ULONG ulPinLen, /* length in bytes of the PIN */
+ CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */
+ CK_ULONG ulPinLen /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_UTF8CHAR_PTR pOldPin, /* the old PIN */
+ CK_ULONG ulOldLen, /* length of the old PIN */
+ CK_UTF8CHAR_PTR pNewPin, /* the new PIN */
+ CK_ULONG ulNewLen /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* the slot's ID */
+ CK_FLAGS flags, /* from CK_SESSION_INFO */
+ CK_VOID_PTR pApplication, /* passed to callback */
+ CK_NOTIFY Notify, /* callback function */
+ CK_SESSION_HANDLE_PTR phSession /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_SESSION_INFO_PTR pInfo /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session. */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pOperationState, /* gets state */
+ CK_ULONG_PTR pulOperationStateLen /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session. */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pOperationState, /* holds state */
+ CK_ULONG ulOperationStateLen, /* holds state length */
+ CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */
+ CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_USER_TYPE userType, /* the user type */
+ CK_UTF8CHAR_PTR pPin, /* the user's PIN */
+ CK_ULONG ulPinLen /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
+ CK_ULONG ulCount, /* attributes in template */
+ CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy. */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
+ CK_ULONG ulCount, /* attributes in template */
+ CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ULONG_PTR pulSize /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes. */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */
+ CK_ULONG ulCount /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */
+ CK_ULONG ulCount /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
+ CK_ULONG ulCount /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */
+ CK_ULONG ulMaxObjectCount, /* max handles to get */
+ CK_ULONG_PTR pulObjectCount /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pData, /* the plaintext data */
+ CK_ULONG ulDataLen, /* bytes of plaintext */
+ CK_BYTE_PTR pEncryptedData, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext data len */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session handle */
+ CK_BYTE_PTR pLastEncryptedPart, /* last c-text */
+ CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedData, /* ciphertext */
+ CK_ULONG ulEncryptedDataLen, /* ciphertext length */
+ CK_BYTE_PTR pData, /* gets plaintext */
+ CK_ULONG_PTR pulDataLen /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* encrypted data */
+ CK_ULONG ulEncryptedPartLen, /* input length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pLastPart, /* gets plaintext */
+ CK_ULONG_PTR pulLastPartLen /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* data to be digested */
+ CK_ULONG ulDataLen, /* bytes of data to digest */
+ CK_BYTE_PTR pDigest, /* gets the message digest */
+ CK_ULONG_PTR pulDigestLen /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* data to be digested */
+ CK_ULONG ulPartLen /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested. */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hKey /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pDigest, /* gets the message digest */
+ CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ *signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* the data to sign */
+ CK_ULONG ulDataLen, /* count of bytes to sign */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* the data to sign */
+ CK_ULONG ulPartLen /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation,
+ * returning the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* the data to sign */
+ CK_ULONG ulDataLen, /* count of bytes to sign */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ * cannot be recovered from the signature (e.g. DSA). */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
+ CK_OBJECT_HANDLE hKey /* verification key */
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation,
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* signed data */
+ CK_ULONG ulDataLen, /* length of signed data */
+ CK_BYTE_PTR pSignature, /* signature */
+ CK_ULONG ulSignatureLen /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* signed data */
+ CK_ULONG ulPartLen /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* signature to verify */
+ CK_ULONG ulSignatureLen /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
+ CK_OBJECT_HANDLE hKey /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* signature to verify */
+ CK_ULONG ulSignatureLen, /* signature length */
+ CK_BYTE_PTR pData, /* gets signed data */
+ CK_ULONG_PTR pulDataLen /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext length */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext length */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* key generation mech. */
+ CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
+ CK_ULONG ulCount, /* # of attrs in template */
+ CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair,
+ * creating new key objects. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session
+ * handle */
+ CK_MECHANISM_PTR pMechanism, /* key-gen
+ * mech. */
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template
+ * for pub.
+ * key */
+ CK_ULONG ulPublicKeyAttributeCount, /* # pub.
+ * attrs. */
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template
+ * for priv.
+ * key */
+ CK_ULONG ulPrivateKeyAttributeCount, /* # priv.
+ * attrs. */
+ CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub.
+ * key
+ * handle */
+ CK_OBJECT_HANDLE_PTR phPrivateKey /* gets
+ * priv. key
+ * handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
+ CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
+ CK_OBJECT_HANDLE hKey, /* key to be wrapped */
+ CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
+ CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object. */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
+ CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
+ CK_BYTE_PTR pWrappedKey, /* the wrapped key */
+ CK_ULONG ulWrappedKeyLen, /* wrapped key len */
+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
+ CK_ULONG ulAttributeCount, /* template length */
+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
+ CK_OBJECT_HANDLE hBaseKey, /* base key */
+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
+ CK_ULONG ulAttributeCount, /* template length */
+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator. */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSeed, /* the seed material */
+ CK_ULONG ulSeedLen /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR RandomData, /* receives the random data */
+ CK_ULONG ulRandomLen /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel. */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Functions added in for Cryptoki Version 2.01 or later */
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur. */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_FLAGS flags, /* blocking/nonblocking flag */
+ CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
+ CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
+);
+#endif
Added: trunk/Tokend/PKCS11/pkcs11t.h
===================================================================
--- trunk/Tokend/PKCS11/pkcs11t.h (rev 0)
+++ trunk/Tokend/PKCS11/pkcs11t.h 2009-12-17 14:25:53 UTC (rev 73)
@@ -0,0 +1,1685 @@
+/* pkcs11t.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file. */
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#define CK_TRUE 1
+#define CK_FALSE 0
+
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE CK_FALSE
+#endif
+
+#ifndef TRUE
+#define TRUE CK_TRUE
+#endif
+#endif
+
+/* an unsigned 8-bit value */
+typedef unsigned char CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+/* CK_LONG is new for v2.0 */
+typedef long int CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE 0
+
+
+typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+typedef CK_CHAR CK_PTR CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR;
+typedef CK_ULONG CK_PTR CK_ULONG_PTR;
+typedef void CK_PTR CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session */
+/* handle or object handle */
+#define CK_INVALID_HANDLE 0
+
+
+typedef struct CK_VERSION {
+ CK_BYTE major; /* integer portion of version number */
+ CK_BYTE minor; /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+ /* manufacturerID and libraryDecription have been changed from
+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ CK_VERSION cryptokiVersion; /* Cryptoki interface ver */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_FLAGS flags; /* must be zero */
+
+ /* libraryDescription and libraryVersion are new for v2.0 */
+ CK_UTF8CHAR libraryDescription[32]; /* blank padded */
+ CK_VERSION libraryVersion; /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * Cryptoki provides to an application */
+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER 0
+
+
+typedef CK_ULONG CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+ /* slotDescription and manufacturerID have been changed from
+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ CK_UTF8CHAR slotDescription[64]; /* blank padded */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_FLAGS flags;
+
+ /* hardwareVersion and firmwareVersion are new for v2.0 */
+ CK_VERSION hardwareVersion; /* version of hardware */
+ CK_VERSION firmwareVersion; /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ * Bit Flag Mask Meaning
+ */
+#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */
+#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/
+#define CKF_HW_SLOT 0x00000004 /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+ /* label, manufacturerID, and model have been changed from
+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ CK_UTF8CHAR label[32]; /* blank padded */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_UTF8CHAR model[16]; /* blank padded */
+ CK_CHAR serialNumber[16]; /* blank padded */
+ CK_FLAGS flags; /* see below */
+
+ /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
+ * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
+ * changed from CK_USHORT to CK_ULONG for v2.0 */
+ CK_ULONG ulMaxSessionCount; /* max open sessions */
+ CK_ULONG ulSessionCount; /* sess. now open */
+ CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
+ CK_ULONG ulRwSessionCount; /* R/W sess. now open */
+ CK_ULONG ulMaxPinLen; /* in bytes */
+ CK_ULONG ulMinPinLen; /* in bytes */
+ CK_ULONG ulTotalPublicMemory; /* in bytes */
+ CK_ULONG ulFreePublicMemory; /* in bytes */
+ CK_ULONG ulTotalPrivateMemory; /* in bytes */
+ CK_ULONG ulFreePrivateMemory; /* in bytes */
+
+ /* hardwareVersion, firmwareVersion, and time are new for
+ * v2.0 */
+ CK_VERSION hardwareVersion; /* version of hardware */
+ CK_VERSION firmwareVersion; /* version of firmware */
+ CK_CHAR utcTime[16]; /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ * Bit Flag Mask Meaning
+ */
+#define CKF_RNG 0x00000001 /* has random #
+ * generator */
+#define CKF_WRITE_PROTECTED 0x00000002 /* token is
+ * write-
+ * protected */
+#define CKF_LOGIN_REQUIRED 0x00000004 /* user must
+ * login */
+#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's
+ * PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state */
+#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020
+
+/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means
+ * that the token has some sort of clock. The time on that
+ * clock is returned in the token info structure */
+#define CKF_CLOCK_ON_TOKEN 0x00000040
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the Cryptoki library itself */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
+
+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign) */
+#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200
+
+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized. */
+#define CKF_TOKEN_INITIALIZED 0x00000400
+
+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
+ * true, the token supports secondary authentication for
+ * private key objects. This flag is deprecated in v2.11 and
+ onwards. */
+#define CKF_SECONDARY_AUTHENTICATION 0x00000800
+
+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect user login PIN has been entered at least once
+ * since the last successful authentication. */
+#define CKF_USER_PIN_COUNT_LOW 0x00010000
+
+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect user PIN will it to become locked. */
+#define CKF_USER_PIN_FINAL_TRY 0x00020000
+
+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
+ * user PIN has been locked. User login to the token is not
+ * possible. */
+#define CKF_USER_PIN_LOCKED 0x00040000
+
+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the user PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000
+
+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect SO login PIN has been entered at least once since
+ * the last successful authentication. */
+#define CKF_SO_PIN_COUNT_LOW 0x00100000
+
+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect SO PIN will it to become locked. */
+#define CKF_SO_PIN_FINAL_TRY 0x00200000
+
+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED 0x00400000
+
+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the SO PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
+ * identifies a session */
+typedef CK_ULONG CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of Cryptoki users */
+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO 0
+/* Normal user */
+#define CKU_USER 1
+/* Context specific (added in v2.20) */
+#define CKU_CONTEXT_SPECIFIC 2
+
+/* CK_STATE enumerates the session states */
+/* CK_STATE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_STATE;
+#define CKS_RO_PUBLIC_SESSION 0
+#define CKS_RO_USER_FUNCTIONS 1
+#define CKS_RW_PUBLIC_SESSION 2
+#define CKS_RW_USER_FUNCTIONS 3
+#define CKS_RW_SO_FUNCTIONS 4
+
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+ CK_SLOT_ID slotID;
+ CK_STATE state;
+ CK_FLAGS flags; /* see below */
+
+ /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+ CK_ULONG ulDeviceError; /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ * Bit Flag Mask Meaning
+ */
+#define CKF_RW_SESSION 0x00000002 /* session is r/w */
+#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object */
+typedef CK_ULONG CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that Cryptoki recognizes. It is defined
+ * as follows: */
+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+/* CKO_HW_FEATURE is new for v2.10 */
+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
+/* CKO_MECHANISM is new for v2.20 */
+#define CKO_DATA 0x00000000
+#define CKO_CERTIFICATE 0x00000001
+#define CKO_PUBLIC_KEY 0x00000002
+#define CKO_PRIVATE_KEY 0x00000003
+#define CKO_SECRET_KEY 0x00000004
+#define CKO_HW_FEATURE 0x00000005
+#define CKO_DOMAIN_PARAMETERS 0x00000006
+#define CKO_MECHANISM 0x00000007
+#define CKO_VENDOR_DEFINED 0x80000000
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
+ * value that identifies the hardware feature type of an object
+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
+typedef CK_ULONG CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined */
+/* CKH_USER_INTERFACE is new for v2.20 */
+#define CKH_MONOTONIC_COUNTER 0x00000001
+#define CKH_CLOCK 0x00000002
+#define CKH_USER_INTERFACE 0x00000003
+#define CKH_VENDOR_DEFINED 0x80000000
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA 0x00000000
+#define CKK_DSA 0x00000001
+#define CKK_DH 0x00000002
+
+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
+#define CKK_ECDSA 0x00000003
+#define CKK_EC 0x00000003
+#define CKK_X9_42_DH 0x00000004
+#define CKK_KEA 0x00000005
+
+#define CKK_GENERIC_SECRET 0x00000010
+#define CKK_RC2 0x00000011
+#define CKK_RC4 0x00000012
+#define CKK_DES 0x00000013
+#define CKK_DES2 0x00000014
+#define CKK_DES3 0x00000015
+
+/* all these key types are new for v2.0 */
+#define CKK_CAST 0x00000016
+#define CKK_CAST3 0x00000017
+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
+#define CKK_CAST5 0x00000018
+#define CKK_CAST128 0x00000018
+#define CKK_RC5 0x00000019
+#define CKK_IDEA 0x0000001A
+#define CKK_SKIPJACK 0x0000001B
+#define CKK_BATON 0x0000001C
+#define CKK_JUNIPER 0x0000001D
+#define CKK_CDMF 0x0000001E
+#define CKK_AES 0x0000001F
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKK_BLOWFISH 0x00000020
+#define CKK_TWOFISH 0x00000021
+
+#define CKK_VENDOR_DEFINED 0x80000000
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type */
+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_CERTIFICATE_TYPE;
+
+/* The following certificate types are defined: */
+/* CKC_X_509_ATTR_CERT is new for v2.10 */
+/* CKC_WTLS is new for v2.20 */
+#define CKC_X_509 0x00000000
+#define CKC_X_509_ATTR_CERT 0x00000001
+#define CKC_WTLS 0x00000002
+#define CKC_VENDOR_DEFINED 0x80000000
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type */
+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_ATTRIBUTE_TYPE;
+
+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+ consists of an array of values. */
+#define CKF_ARRAY_ATTRIBUTE 0x40000000
+
+/* The following attribute types are defined: */
+#define CKA_CLASS 0x00000000
+#define CKA_TOKEN 0x00000001
+#define CKA_PRIVATE 0x00000002
+#define CKA_LABEL 0x00000003
+#define CKA_APPLICATION 0x00000010
+#define CKA_VALUE 0x00000011
+
+/* CKA_OBJECT_ID is new for v2.10 */
+#define CKA_OBJECT_ID 0x00000012
+
+#define CKA_CERTIFICATE_TYPE 0x00000080
+#define CKA_ISSUER 0x00000081
+#define CKA_SERIAL_NUMBER 0x00000082
+
+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
+ * for v2.10 */
+#define CKA_AC_ISSUER 0x00000083
+#define CKA_OWNER 0x00000084
+#define CKA_ATTR_TYPES 0x00000085
+
+/* CKA_TRUSTED is new for v2.11 */
+#define CKA_TRUSTED 0x00000086
+
+/* CKA_CERTIFICATE_CATEGORY ...
+ * CKA_CHECK_VALUE are new for v2.20 */
+#define CKA_CERTIFICATE_CATEGORY 0x00000087
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088
+#define CKA_URL 0x00000089
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B
+#define CKA_CHECK_VALUE 0x00000090
+
+#define CKA_KEY_TYPE 0x00000100
+#define CKA_SUBJECT 0x00000101
+#define CKA_ID 0x00000102
+#define CKA_SENSITIVE 0x00000103
+#define CKA_ENCRYPT 0x00000104
+#define CKA_DECRYPT 0x00000105
+#define CKA_WRAP 0x00000106
+#define CKA_UNWRAP 0x00000107
+#define CKA_SIGN 0x00000108
+#define CKA_SIGN_RECOVER 0x00000109
+#define CKA_VERIFY 0x0000010A
+#define CKA_VERIFY_RECOVER 0x0000010B
+#define CKA_DERIVE 0x0000010C
+#define CKA_START_DATE 0x00000110
+#define CKA_END_DATE 0x00000111
+#define CKA_MODULUS 0x00000120
+#define CKA_MODULUS_BITS 0x00000121
+#define CKA_PUBLIC_EXPONENT 0x00000122
+#define CKA_PRIVATE_EXPONENT 0x00000123
+#define CKA_PRIME_1 0x00000124
+#define CKA_PRIME_2 0x00000125
+#define CKA_EXPONENT_1 0x00000126
+#define CKA_EXPONENT_2 0x00000127
+#define CKA_COEFFICIENT 0x00000128
+#define CKA_PRIME 0x00000130
+#define CKA_SUBPRIME 0x00000131
+#define CKA_BASE 0x00000132
+
+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
+#define CKA_PRIME_BITS 0x00000133
+#define CKA_SUBPRIME_BITS 0x00000134
+#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS
+/* (To retain backwards-compatibility) */
+
+#define CKA_VALUE_BITS 0x00000160
+#define CKA_VALUE_LEN 0x00000161
+
+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
+ * and CKA_EC_POINT are new for v2.0 */
+#define CKA_EXTRACTABLE 0x00000162
+#define CKA_LOCAL 0x00000163
+#define CKA_NEVER_EXTRACTABLE 0x00000164
+#define CKA_ALWAYS_SENSITIVE 0x00000165
+
+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
+#define CKA_KEY_GEN_MECHANISM 0x00000166
+
+#define CKA_MODIFIABLE 0x00000170
+
+/* CKA_ECDSA_PARAMS is deprecated in v2.11,
+ * CKA_EC_PARAMS is preferred. */
+#define CKA_ECDSA_PARAMS 0x00000180
+#define CKA_EC_PARAMS 0x00000180
+
+#define CKA_EC_POINT 0x00000181
+
+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ * are new for v2.10. Deprecated in v2.11 and onwards. */
+#define CKA_SECONDARY_AUTH 0x00000200
+#define CKA_AUTH_PIN_FLAGS 0x00000201
+
+/* CKA_ALWAYS_AUTHENTICATE ...
+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
+#define CKA_ALWAYS_AUTHENTICATE 0x00000202
+
+#define CKA_WRAP_WITH_TRUSTED 0x00000210
+#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211)
+#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212)
+
+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
+ * are new for v2.10 */
+#define CKA_HW_FEATURE_TYPE 0x00000300
+#define CKA_RESET_ON_INIT 0x00000301
+#define CKA_HAS_RESET 0x00000302
+
+/* The following attributes are new for v2.20 */
+#define CKA_PIXEL_X 0x00000400
+#define CKA_PIXEL_Y 0x00000401
+#define CKA_RESOLUTION 0x00000402
+#define CKA_CHAR_ROWS 0x00000403
+#define CKA_CHAR_COLUMNS 0x00000404
+#define CKA_COLOR 0x00000405
+#define CKA_BITS_PER_PIXEL 0x00000406
+#define CKA_CHAR_SETS 0x00000480
+#define CKA_ENCODING_METHODS 0x00000481
+#define CKA_MIME_TYPES 0x00000482
+#define CKA_MECHANISM_TYPE 0x00000500
+#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501
+#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502
+#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503
+#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600)
+
+#define CKA_VENDOR_DEFINED 0x80000000
+
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute */
+typedef struct CK_ATTRIBUTE {
+ CK_ATTRIBUTE_TYPE type;
+ CK_VOID_PTR pValue;
+
+ /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
+ CK_ULONG ulValueLen; /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+ CK_CHAR year[4]; /* the year ("1900" - "9999") */
+ CK_CHAR month[2]; /* the month ("01" - "12") */
+ CK_CHAR day[2]; /* the day ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type */
+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000
+#define CKM_RSA_PKCS 0x00000001
+#define CKM_RSA_9796 0x00000002
+#define CKM_RSA_X_509 0x00000003
+
+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
+ * are new for v2.0. They are mechanisms which hash and sign */
+#define CKM_MD2_RSA_PKCS 0x00000004
+#define CKM_MD5_RSA_PKCS 0x00000005
+#define CKM_SHA1_RSA_PKCS 0x00000006
+
+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
+ * CKM_RSA_PKCS_OAEP are new for v2.10 */
+#define CKM_RIPEMD128_RSA_PKCS 0x00000007
+#define CKM_RIPEMD160_RSA_PKCS 0x00000008
+#define CKM_RSA_PKCS_OAEP 0x00000009
+
+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
+#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A
+#define CKM_RSA_X9_31 0x0000000B
+#define CKM_SHA1_RSA_X9_31 0x0000000C
+#define CKM_RSA_PKCS_PSS 0x0000000D
+#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E
+
+#define CKM_DSA_KEY_PAIR_GEN 0x00000010
+#define CKM_DSA 0x00000011
+#define CKM_DSA_SHA1 0x00000012
+#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
+#define CKM_DH_PKCS_DERIVE 0x00000021
+
+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
+ * v2.11 */
+#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030
+#define CKM_X9_42_DH_DERIVE 0x00000031
+#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032
+#define CKM_X9_42_MQV_DERIVE 0x00000033
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_RSA_PKCS 0x00000040
+#define CKM_SHA384_RSA_PKCS 0x00000041
+#define CKM_SHA512_RSA_PKCS 0x00000042
+#define CKM_SHA256_RSA_PKCS_PSS 0x00000043
+#define CKM_SHA384_RSA_PKCS_PSS 0x00000044
+#define CKM_SHA512_RSA_PKCS_PSS 0x00000045
+
+#define CKM_RC2_KEY_GEN 0x00000100
+#define CKM_RC2_ECB 0x00000101
+#define CKM_RC2_CBC 0x00000102
+#define CKM_RC2_MAC 0x00000103
+
+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
+#define CKM_RC2_MAC_GENERAL 0x00000104
+#define CKM_RC2_CBC_PAD 0x00000105
+
+#define CKM_RC4_KEY_GEN 0x00000110
+#define CKM_RC4 0x00000111
+#define CKM_DES_KEY_GEN 0x00000120
+#define CKM_DES_ECB 0x00000121
+#define CKM_DES_CBC 0x00000122
+#define CKM_DES_MAC 0x00000123
+
+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
+#define CKM_DES_MAC_GENERAL 0x00000124
+#define CKM_DES_CBC_PAD 0x00000125
+
+#define CKM_DES2_KEY_GEN 0x00000130
+#define CKM_DES3_KEY_GEN 0x00000131
+#define CKM_DES3_ECB 0x00000132
+#define CKM_DES3_CBC 0x00000133
+#define CKM_DES3_MAC 0x00000134
+
+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+#define CKM_DES3_MAC_GENERAL 0x00000135
+#define CKM_DES3_CBC_PAD 0x00000136
+#define CKM_CDMF_KEY_GEN 0x00000140
+#define CKM_CDMF_ECB 0x00000141
+#define CKM_CDMF_CBC 0x00000142
+#define CKM_CDMF_MAC 0x00000143
+#define CKM_CDMF_MAC_GENERAL 0x00000144
+#define CKM_CDMF_CBC_PAD 0x00000145
+
+/* the following four DES mechanisms are new for v2.20 */
+#define CKM_DES_OFB64 0x00000150
+#define CKM_DES_OFB8 0x00000151
+#define CKM_DES_CFB64 0x00000152
+#define CKM_DES_CFB8 0x00000153
+
+#define CKM_MD2 0x00000200
+
+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD2_HMAC 0x00000201
+#define CKM_MD2_HMAC_GENERAL 0x00000202
+
+#define CKM_MD5 0x00000210
+
+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD5_HMAC 0x00000211
+#define CKM_MD5_HMAC_GENERAL 0x00000212
+
+#define CKM_SHA_1 0x00000220
+
+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
+#define CKM_SHA_1_HMAC 0x00000221
+#define CKM_SHA_1_HMAC_GENERAL 0x00000222
+
+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
+#define CKM_RIPEMD128 0x00000230
+#define CKM_RIPEMD128_HMAC 0x00000231
+#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232
+#define CKM_RIPEMD160 0x00000240
+#define CKM_RIPEMD160_HMAC 0x00000241
+#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256 0x00000250
+#define CKM_SHA256_HMAC 0x00000251
+#define CKM_SHA256_HMAC_GENERAL 0x00000252
+#define CKM_SHA384 0x00000260
+#define CKM_SHA384_HMAC 0x00000261
+#define CKM_SHA384_HMAC_GENERAL 0x00000262
+#define CKM_SHA512 0x00000270
+#define CKM_SHA512_HMAC 0x00000271
+#define CKM_SHA512_HMAC_GENERAL 0x00000272
+
+/* All of the following mechanisms are new for v2.0 */
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST_KEY_GEN 0x00000300
+#define CKM_CAST_ECB 0x00000301
+#define CKM_CAST_CBC 0x00000302
+#define CKM_CAST_MAC 0x00000303
+#define CKM_CAST_MAC_GENERAL 0x00000304
+#define CKM_CAST_CBC_PAD 0x00000305
+#define CKM_CAST3_KEY_GEN 0x00000310
+#define CKM_CAST3_ECB 0x00000311
+#define CKM_CAST3_CBC 0x00000312
+#define CKM_CAST3_MAC 0x00000313
+#define CKM_CAST3_MAC_GENERAL 0x00000314
+#define CKM_CAST3_CBC_PAD 0x00000315
+#define CKM_CAST5_KEY_GEN 0x00000320
+#define CKM_CAST128_KEY_GEN 0x00000320
+#define CKM_CAST5_ECB 0x00000321
+#define CKM_CAST128_ECB 0x00000321
+#define CKM_CAST5_CBC 0x00000322
+#define CKM_CAST128_CBC 0x00000322
+#define CKM_CAST5_MAC 0x00000323
+#define CKM_CAST128_MAC 0x00000323
+#define CKM_CAST5_MAC_GENERAL 0x00000324
+#define CKM_CAST128_MAC_GENERAL 0x00000324
+#define CKM_CAST5_CBC_PAD 0x00000325
+#define CKM_CAST128_CBC_PAD 0x00000325
+#define CKM_RC5_KEY_GEN 0x00000330
+#define CKM_RC5_ECB 0x00000331
+#define CKM_RC5_CBC 0x00000332
+#define CKM_RC5_MAC 0x00000333
+#define CKM_RC5_MAC_GENERAL 0x00000334
+#define CKM_RC5_CBC_PAD 0x00000335
+#define CKM_IDEA_KEY_GEN 0x00000340
+#define CKM_IDEA_ECB 0x00000341
+#define CKM_IDEA_CBC 0x00000342
+#define CKM_IDEA_MAC 0x00000343
+#define CKM_IDEA_MAC_GENERAL 0x00000344
+#define CKM_IDEA_CBC_PAD 0x00000345
+#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350
+#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360
+#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362
+#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363
+#define CKM_XOR_BASE_AND_DATA 0x00000364
+#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365
+#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370
+#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371
+#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372
+
+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373
+#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374
+#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375
+#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376
+#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377
+
+/* CKM_TLS_PRF is new for v2.20 */
+#define CKM_TLS_PRF 0x00000378
+
+#define CKM_SSL3_MD5_MAC 0x00000380
+#define CKM_SSL3_SHA1_MAC 0x00000381
+#define CKM_MD5_KEY_DERIVATION 0x00000390
+#define CKM_MD2_KEY_DERIVATION 0x00000391
+#define CKM_SHA1_KEY_DERIVATION 0x00000392
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_KEY_DERIVATION 0x00000393
+#define CKM_SHA384_KEY_DERIVATION 0x00000394
+#define CKM_SHA512_KEY_DERIVATION 0x00000395
+
+#define CKM_PBE_MD2_DES_CBC 0x000003A0
+#define CKM_PBE_MD5_DES_CBC 0x000003A1
+#define CKM_PBE_MD5_CAST_CBC 0x000003A2
+#define CKM_PBE_MD5_CAST3_CBC 0x000003A3
+#define CKM_PBE_MD5_CAST5_CBC 0x000003A4
+#define CKM_PBE_MD5_CAST128_CBC 0x000003A4
+#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5
+#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5
+#define CKM_PBE_SHA1_RC4_128 0x000003A6
+#define CKM_PBE_SHA1_RC4_40 0x000003A7
+#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8
+#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9
+#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA
+#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB
+
+/* CKM_PKCS5_PBKD2 is new for v2.10 */
+#define CKM_PKCS5_PBKD2 0x000003B0
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0
+
+/* WTLS mechanisms are new for v2.20 */
+#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0
+#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2
+#define CKM_WTLS_PRF 0x000003D3
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5
+
+#define CKM_KEY_WRAP_LYNKS 0x00000400
+#define CKM_KEY_WRAP_SET_OAEP 0x00000401
+
+/* CKM_CMS_SIG is new for v2.20 */
+#define CKM_CMS_SIG 0x00000500
+
+/* Fortezza mechanisms */
+#define CKM_SKIPJACK_KEY_GEN 0x00001000
+#define CKM_SKIPJACK_ECB64 0x00001001
+#define CKM_SKIPJACK_CBC64 0x00001002
+#define CKM_SKIPJACK_OFB64 0x00001003
+#define CKM_SKIPJACK_CFB64 0x00001004
+#define CKM_SKIPJACK_CFB32 0x00001005
+#define CKM_SKIPJACK_CFB16 0x00001006
+#define CKM_SKIPJACK_CFB8 0x00001007
+#define CKM_SKIPJACK_WRAP 0x00001008
+#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009
+#define CKM_SKIPJACK_RELAYX 0x0000100a
+#define CKM_KEA_KEY_PAIR_GEN 0x00001010
+#define CKM_KEA_KEY_DERIVE 0x00001011
+#define CKM_FORTEZZA_TIMESTAMP 0x00001020
+#define CKM_BATON_KEY_GEN 0x00001030
+#define CKM_BATON_ECB128 0x00001031
+#define CKM_BATON_ECB96 0x00001032
+#define CKM_BATON_CBC128 0x00001033
+#define CKM_BATON_COUNTER 0x00001034
+#define CKM_BATON_SHUFFLE 0x00001035
+#define CKM_BATON_WRAP 0x00001036
+
+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
+ * CKM_EC_KEY_PAIR_GEN is preferred */
+#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
+#define CKM_EC_KEY_PAIR_GEN 0x00001040
+
+#define CKM_ECDSA 0x00001041
+#define CKM_ECDSA_SHA1 0x00001042
+
+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
+ * are new for v2.11 */
+#define CKM_ECDH1_DERIVE 0x00001050
+#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
+#define CKM_ECMQV_DERIVE 0x00001052
+
+#define CKM_JUNIPER_KEY_GEN 0x00001060
+#define CKM_JUNIPER_ECB128 0x00001061
+#define CKM_JUNIPER_CBC128 0x00001062
+#define CKM_JUNIPER_COUNTER 0x00001063
+#define CKM_JUNIPER_SHUFFLE 0x00001064
+#define CKM_JUNIPER_WRAP 0x00001065
+#define CKM_FASTHASH 0x00001070
+
+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
+ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
+ * new for v2.11 */
+#define CKM_AES_KEY_GEN 0x00001080
+#define CKM_AES_ECB 0x00001081
+#define CKM_AES_CBC 0x00001082
+#define CKM_AES_MAC 0x00001083
+#define CKM_AES_MAC_GENERAL 0x00001084
+#define CKM_AES_CBC_PAD 0x00001085
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKM_BLOWFISH_KEY_GEN 0x00001090
+#define CKM_BLOWFISH_CBC 0x00001091
+#define CKM_TWOFISH_KEY_GEN 0x00001092
+#define CKM_TWOFISH_CBC 0x00001093
+
+
+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
+#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100
+#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101
+#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102
+#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103
+#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104
+#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105
+
+#define CKM_DSA_PARAMETER_GEN 0x00002000
+#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001
+#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002
+
+#define CKM_VENDOR_DEFINED 0x80000000
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism */
+typedef struct CK_MECHANISM {
+ CK_MECHANISM_TYPE mechanism;
+ CK_VOID_PTR pParameter;
+
+ /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+ CK_ULONG ulParameterLen; /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism */
+typedef struct CK_MECHANISM_INFO {
+ CK_ULONG ulMinKeySize;
+ CK_ULONG ulMaxKeySize;
+ CK_FLAGS flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ * Bit Flag Mask Meaning */
+#define CKF_HW 0x00000001 /* performed by HW */
+
+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
+ * and CKF_DERIVE are new for v2.0. They specify whether or not
+ * a mechanism can be used for a particular task */
+#define CKF_ENCRYPT 0x00000100
+#define CKF_DECRYPT 0x00000200
+#define CKF_DIGEST 0x00000400
+#define CKF_SIGN 0x00000800
+#define CKF_SIGN_RECOVER 0x00001000
+#define CKF_VERIFY 0x00002000
+#define CKF_VERIFY_RECOVER 0x00004000
+#define CKF_GENERATE 0x00008000
+#define CKF_GENERATE_KEY_PAIR 0x00010000
+#define CKF_WRAP 0x00020000
+#define CKF_UNWRAP 0x00040000
+#define CKF_DERIVE 0x00080000
+
+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
+ * describe a token's EC capabilities not available in mechanism
+ * information. */
+#define CKF_EC_F_P 0x00100000
+#define CKF_EC_F_2M 0x00200000
+#define CKF_EC_ECPARAMETERS 0x00400000
+#define CKF_EC_NAMEDCURVE 0x00800000
+#define CKF_EC_UNCOMPRESS 0x01000000
+#define CKF_EC_COMPRESS 0x02000000
+
+#define CKF_EXTENSION 0x80000000 /* FALSE for this version */
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+
+/* CK_RV is a value that identifies the return value of a
+ * Cryptoki function */
+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG CK_RV;
+
+#define CKR_OK 0x00000000
+#define CKR_CANCEL 0x00000001
+#define CKR_HOST_MEMORY 0x00000002
+#define CKR_SLOT_ID_INVALID 0x00000003
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+#define CKR_GENERAL_ERROR 0x00000005
+#define CKR_FUNCTION_FAILED 0x00000006
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+#define CKR_ARGUMENTS_BAD 0x00000007
+#define CKR_NO_EVENT 0x00000008
+#define CKR_NEED_TO_CREATE_THREADS 0x00000009
+#define CKR_CANT_LOCK 0x0000000A
+
+#define CKR_ATTRIBUTE_READ_ONLY 0x00000010
+#define CKR_ATTRIBUTE_SENSITIVE 0x00000011
+#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012
+#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013
+#define CKR_DATA_INVALID 0x00000020
+#define CKR_DATA_LEN_RANGE 0x00000021
+#define CKR_DEVICE_ERROR 0x00000030
+#define CKR_DEVICE_MEMORY 0x00000031
+#define CKR_DEVICE_REMOVED 0x00000032
+#define CKR_ENCRYPTED_DATA_INVALID 0x00000040
+#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041
+#define CKR_FUNCTION_CANCELED 0x00000050
+#define CKR_FUNCTION_NOT_PARALLEL 0x00000051
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054
+
+#define CKR_KEY_HANDLE_INVALID 0x00000060
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+#define CKR_KEY_SIZE_RANGE 0x00000062
+#define CKR_KEY_TYPE_INCONSISTENT 0x00000063
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
+ * v2.0 */
+#define CKR_KEY_NOT_NEEDED 0x00000064
+#define CKR_KEY_CHANGED 0x00000065
+#define CKR_KEY_NEEDED 0x00000066
+#define CKR_KEY_INDIGESTIBLE 0x00000067
+#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068
+#define CKR_KEY_NOT_WRAPPABLE 0x00000069
+#define CKR_KEY_UNEXTRACTABLE 0x0000006A
+
+#define CKR_MECHANISM_INVALID 0x00000070
+#define CKR_MECHANISM_PARAM_INVALID 0x00000071
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+#define CKR_OBJECT_HANDLE_INVALID 0x00000082
+#define CKR_OPERATION_ACTIVE 0x00000090
+#define CKR_OPERATION_NOT_INITIALIZED 0x00000091
+#define CKR_PIN_INCORRECT 0x000000A0
+#define CKR_PIN_INVALID 0x000000A1
+#define CKR_PIN_LEN_RANGE 0x000000A2
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+#define CKR_PIN_EXPIRED 0x000000A3
+#define CKR_PIN_LOCKED 0x000000A4
+
+#define CKR_SESSION_CLOSED 0x000000B0
+#define CKR_SESSION_COUNT 0x000000B1
+#define CKR_SESSION_HANDLE_INVALID 0x000000B3
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4
+#define CKR_SESSION_READ_ONLY 0x000000B5
+#define CKR_SESSION_EXISTS 0x000000B6
+
+/* CKR_SESSION_READ_ONLY_EXISTS and
+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
+#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7
+#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8
+
+#define CKR_SIGNATURE_INVALID 0x000000C0
+#define CKR_SIGNATURE_LEN_RANGE 0x000000C1
+#define CKR_TEMPLATE_INCOMPLETE 0x000000D0
+#define CKR_TEMPLATE_INCONSISTENT 0x000000D1
+#define CKR_TOKEN_NOT_PRESENT 0x000000E0
+#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1
+#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2
+#define CKR_USER_ALREADY_LOGGED_IN 0x00000100
+#define CKR_USER_NOT_LOGGED_IN 0x00000101
+#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102
+#define CKR_USER_TYPE_INVALID 0x00000103
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104
+#define CKR_USER_TOO_MANY_TYPES 0x00000105
+
+#define CKR_WRAPPED_KEY_INVALID 0x00000110
+#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112
+#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113
+#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115
+#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120
+
+/* These are new to v2.0 */
+#define CKR_RANDOM_NO_RNG 0x00000121
+
+/* These are new to v2.11 */
+#define CKR_DOMAIN_PARAMS_INVALID 0x00000130
+
+/* These are new to v2.0 */
+#define CKR_BUFFER_TOO_SMALL 0x00000150
+#define CKR_SAVED_STATE_INVALID 0x00000160
+#define CKR_INFORMATION_SENSITIVE 0x00000170
+#define CKR_STATE_UNSAVEABLE 0x00000180
+
+/* These are new to v2.01 */
+#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191
+#define CKR_MUTEX_BAD 0x000001A0
+#define CKR_MUTEX_NOT_LOCKED 0x000001A1
+
+/* This is new to v2.20 */
+#define CKR_FUNCTION_REJECTED 0x00000200
+
+#define CKR_VENDOR_DEFINED 0x80000000
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_NOTIFICATION event,
+ CK_VOID_PTR pApplication /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
+ * version and pointers of appropriate types to all the
+ * Cryptoki functions */
+/* CK_FUNCTION_LIST is new for v2.0 */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+ CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize */
+typedef struct CK_C_INITIALIZE_ARGS {
+ CK_CREATEMUTEX CreateMutex;
+ CK_DESTROYMUTEX DestroyMutex;
+ CK_LOCKMUTEX LockMutex;
+ CK_UNLOCKMUTEX UnlockMutex;
+ CK_FLAGS flags;
+ CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ * Bit Flag Mask Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
+#define CKF_OS_LOCKING_OK 0x00000002
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK 1
+
+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message
+ * Generation Function (MGF) applied to a message block when
+ * formatting a message block for the PKCS #1 OAEP encryption
+ * scheme. */
+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+
+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
+ * are new for v2.20 */
+#define CKG_MGF1_SHA1 0x00000001
+#define CKG_MGF1_SHA256 0x00000002
+#define CKG_MGF1_SHA384 0x00000003
+#define CKG_MGF1_SHA512 0x00000004
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source
+ * of the encoding parameter when formatting a message block
+ * for the PKCS #1 OAEP encryption scheme. */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED 0x00000001
+
+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_OAEP mechanism. */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+ CK_MECHANISM_TYPE hashAlg;
+ CK_RSA_PKCS_MGF_TYPE mgf;
+ CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+ CK_VOID_PTR pSourceData;
+ CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
+ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_PSS mechanism(s). */
+typedef struct CK_RSA_PKCS_PSS_PARAMS {
+ CK_MECHANISM_TYPE hashAlg;
+ CK_RSA_PKCS_MGF_TYPE mgf;
+ CK_ULONG sLen;
+} CK_RSA_PKCS_PSS_PARAMS;
+
+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+/* CK_EC_KDF_TYPE is new for v2.11. */
+typedef CK_ULONG CK_EC_KDF_TYPE;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL 0x00000001
+#define CKD_SHA1_KDF 0x00000002
+
+/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
+ * where each party contributes one key pair.
+ */
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+
+/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
+typedef struct CK_ECDH2_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+} CK_ECDH2_DERIVE_PARAMS;
+
+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_ECMQV_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+ CK_OBJECT_HANDLE publicKey;
+} CK_ECMQV_DERIVE_PARAMS;
+
+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
+
+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
+
+/* The following X9.42 DH key derivation functions are defined
+ (besides CKD_NULL already defined : */
+#define CKD_SHA1_KDF_ASN1 0x00000003
+#define CKD_SHA1_KDF_CONCATENATE 0x00000004
+
+/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
+ * contributes one key pair */
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_X9_42_DH1_DERIVE_PARAMS;
+
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
+
+/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
+ * mechanisms, where each party contributes two key pairs */
+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+} CK_X9_42_DH2_DERIVE_PARAMS;
+
+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+ CK_OBJECT_HANDLE publicKey;
+} CK_X9_42_MQV_DERIVE_PARAMS;
+
+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism */
+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
+typedef struct CK_KEA_DERIVE_PARAMS {
+ CK_BBOOL isSender;
+ CK_ULONG ulRandomLen;
+ CK_BYTE_PTR pRandomA;
+ CK_BYTE_PTR pRandomB;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just
+ * holds the effective keysize */
+typedef CK_ULONG CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism */
+typedef struct CK_RC2_CBC_PARAMS {
+ /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
+
+ CK_BYTE iv[8]; /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism */
+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
+ CK_ULONG ulMacLength; /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+ CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms */
+/* CK_RC5_PARAMS is new for v2.0 */
+typedef struct CK_RC5_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism */
+/* CK_RC5_CBC_PARAMS is new for v2.0 */
+typedef struct CK_RC5_CBC_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+ CK_BYTE_PTR pIv; /* pointer to IV */
+ CK_ULONG ulIvLen; /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism */
+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+ CK_ULONG ulMacLength; /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+ CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms. Its value is the length of
+ * the MAC */
+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[8];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[16];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+ CK_ULONG ulPasswordLen;
+ CK_BYTE_PTR pPassword;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPAndGLen;
+ CK_ULONG ulQLen;
+ CK_ULONG ulRandomLen;
+ CK_BYTE_PTR pRandomA;
+ CK_BYTE_PTR pPrimeP;
+ CK_BYTE_PTR pBaseG;
+ CK_BYTE_PTR pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+ CK_SKIPJACK_PRIVATE_WRAP_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism */
+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+ CK_ULONG ulOldWrappedXLen;
+ CK_BYTE_PTR pOldWrappedX;
+ CK_ULONG ulOldPasswordLen;
+ CK_BYTE_PTR pOldPassword;
+ CK_ULONG ulOldPublicDataLen;
+ CK_BYTE_PTR pOldPublicData;
+ CK_ULONG ulOldRandomLen;
+ CK_BYTE_PTR pOldRandomA;
+ CK_ULONG ulNewPasswordLen;
+ CK_BYTE_PTR pNewPassword;
+ CK_ULONG ulNewPublicDataLen;
+ CK_BYTE_PTR pNewPublicData;
+ CK_ULONG ulNewRandomLen;
+ CK_BYTE_PTR pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+ CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+ CK_BYTE_PTR pInitVector;
+ CK_UTF8CHAR_PTR pPassword;
+ CK_ULONG ulPasswordLen;
+ CK_BYTE_PTR pSalt;
+ CK_ULONG ulSaltLen;
+ CK_ULONG ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism */
+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+ CK_BYTE bBC; /* block contents byte */
+ CK_BYTE_PTR pX; /* extra data */
+ CK_ULONG ulXLen; /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
+ CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_RANDOM_DATA {
+ CK_BYTE_PTR pClientRandom;
+ CK_ULONG ulClientRandomLen;
+ CK_BYTE_PTR pServerRandom;
+ CK_ULONG ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+ CK_OBJECT_HANDLE hClientMacSecret;
+ CK_OBJECT_HANDLE hServerMacSecret;
+ CK_OBJECT_HANDLE hClientKey;
+ CK_OBJECT_HANDLE hServerKey;
+ CK_BYTE_PTR pIVClient;
+ CK_BYTE_PTR pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+ CK_ULONG ulMacSizeInBits;
+ CK_ULONG ulKeySizeInBits;
+ CK_ULONG ulIVSizeInBits;
+ CK_BBOOL bIsExport;
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+/* CK_TLS_PRF_PARAMS is new for version 2.20 */
+typedef struct CK_TLS_PRF_PARAMS {
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+ CK_BYTE_PTR pLabel;
+ CK_ULONG ulLabelLen;
+ CK_BYTE_PTR pOutput;
+ CK_ULONG_PTR pulOutputLen;
+} CK_TLS_PRF_PARAMS;
+
+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
+
+/* WTLS is new for version 2.20 */
+typedef struct CK_WTLS_RANDOM_DATA {
+ CK_BYTE_PTR pClientRandom;
+ CK_ULONG ulClientRandomLen;
+ CK_BYTE_PTR pServerRandom;
+ CK_ULONG ulServerRandomLen;
+} CK_WTLS_RANDOM_DATA;
+
+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
+
+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_WTLS_RANDOM_DATA RandomInfo;
+ CK_BYTE_PTR pVersion;
+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+ CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_WTLS_PRF_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+ CK_BYTE_PTR pLabel;
+ CK_ULONG ulLabelLen;
+ CK_BYTE_PTR pOutput;
+ CK_ULONG_PTR pulOutputLen;
+} CK_WTLS_PRF_PARAMS;
+
+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_OUT {
+ CK_OBJECT_HANDLE hMacSecret;
+ CK_OBJECT_HANDLE hKey;
+ CK_BYTE_PTR pIV;
+} CK_WTLS_KEY_MAT_OUT;
+
+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_ULONG ulMacSizeInBits;
+ CK_ULONG ulKeySizeInBits;
+ CK_ULONG ulIVSizeInBits;
+ CK_ULONG ulSequenceNumber;
+ CK_BBOOL bIsExport;
+ CK_WTLS_RANDOM_DATA RandomInfo;
+ CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_WTLS_KEY_MAT_PARAMS;
+
+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
+
+/* CMS is new for version 2.20 */
+typedef struct CK_CMS_SIG_PARAMS {
+ CK_OBJECT_HANDLE certificateHandle;
+ CK_MECHANISM_PTR pSigningMechanism;
+ CK_MECHANISM_PTR pDigestMechanism;
+ CK_UTF8CHAR_PTR pContentType;
+ CK_BYTE_PTR pRequestedAttributes;
+ CK_ULONG ulRequestedAttributesLen;
+ CK_BYTE_PTR pRequiredAttributes;
+ CK_ULONG ulRequiredAttributesLen;
+} CK_CMS_SIG_PARAMS;
+
+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+ CK_BYTE_PTR pData;
+ CK_ULONG ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+ CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key */
+/* CK_EXTRACT_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
+ * indicate the Pseudo-Random Function (PRF) used to generate
+ * key bits using PKCS #5 PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+/* The following PRFs are defined in PKCS #5 v2.0. */
+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
+
+
+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
+ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+ * source of the salt value when deriving a key using PKCS #5
+ * PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED 0x00000001
+
+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+ CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+ CK_VOID_PTR pSaltSourceData;
+ CK_ULONG ulSaltSourceDataLen;
+ CK_ULONG iterations;
+ CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ CK_VOID_PTR pPrfData;
+ CK_ULONG ulPrfDataLen;
+ CK_UTF8CHAR_PTR pPassword;
+ CK_ULONG_PTR ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS;
+
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+#endif
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/smartcardservices-changes/attachments/20091217/c75aa10f/attachment-0001.html>
More information about the SmartcardServices-Changes
mailing list