OpenDNSSEC-libhsm  1.3.8
Defines | Functions
/build/buildd/opendnssec-1.3.8/libhsm/src/libhsm.c File Reference
#include "config.h"
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdlib.h>
#include <unistd.h>
#include <dlfcn.h>
#include <libxml/tree.h>
#include <libxml/parser.h>
#include <libxml/xpath.h>
#include <libxml/xpathInternals.h>
#include <libxml/relaxng.h>
#include "libhsm.h"
#include "libhsmdns.h"
#include "compat.h"
#include <pkcs11.h>
Include dependency graph for libhsm.c:

Go to the source code of this file.

Defines

#define HSM_TOKEN_LABEL_LENGTH   32

Functions

int hsm_get_slot_id (hsm_ctx_t *ctx, CK_FUNCTION_LIST_PTR pkcs11_functions, const char *token_name, CK_SLOT_ID *slotId)
hsm_key_t ** hsm_list_keys_session (hsm_ctx_t *ctx, const hsm_session_t *session, size_t *count)
size_t hsm_count_keys_session (hsm_ctx_t *ctx, const hsm_session_t *session)
int hsm_open (const char *config, char *(pin_callback)(const char *repository, void *), void *data)
char * hsm_prompt_pin (const char *repository, void *data)
int hsm_close ()
hsm_ctx_thsm_create_context ()
int hsm_check_context (hsm_ctx_t *ctx)
void hsm_destroy_context (hsm_ctx_t *ctx)
hsm_sign_params_thsm_sign_params_new ()
void hsm_sign_params_free (hsm_sign_params_t *params)
hsm_key_t ** hsm_list_keys (hsm_ctx_t *ctx, size_t *count)
hsm_key_t ** hsm_list_keys_repository (hsm_ctx_t *ctx, size_t *count, const char *repository)
size_t hsm_count_keys (hsm_ctx_t *ctx)
size_t hsm_count_keys_repository (hsm_ctx_t *ctx, const char *repository)
hsm_key_thsm_find_key_by_id (hsm_ctx_t *ctx, const char *id)
hsm_key_thsm_generate_rsa_key (hsm_ctx_t *ctx, const char *repository, unsigned long keysize)
int hsm_remove_key (hsm_ctx_t *ctx, hsm_key_t *key)
void hsm_key_free (hsm_key_t *key)
void hsm_key_list_free (hsm_key_t **key_list, size_t count)
char * hsm_get_key_id (hsm_ctx_t *ctx, const hsm_key_t *key)
hsm_key_info_thsm_get_key_info (hsm_ctx_t *ctx, const hsm_key_t *key)
void hsm_key_info_free (hsm_key_info_t *key_info)
ldns_rr * hsm_sign_rrset (hsm_ctx_t *ctx, const ldns_rr_list *rrset, const hsm_key_t *key, const hsm_sign_params_t *sign_params)
ldns_rdf * hsm_nsec3_hash_name (hsm_ctx_t *ctx, ldns_rdf *name, uint8_t algorithm, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
ldns_rr * hsm_get_dnskey (hsm_ctx_t *ctx, const hsm_key_t *key, const hsm_sign_params_t *sign_params)
int hsm_random_buffer (hsm_ctx_t *ctx, unsigned char *buffer, unsigned long length)
uint32_t hsm_random32 (hsm_ctx_t *ctx)
uint64_t hsm_random64 (hsm_ctx_t *ctx)
int hsm_attach (const char *repository, const char *token_label, const char *path, const char *pin, const hsm_config_t *config)
int hsm_detach (const char *repository)
int hsm_token_attached (hsm_ctx_t *ctx, const char *repository)
int hsm_supported_algorithm (ldns_algorithm algorithm)
char * hsm_get_error (hsm_ctx_t *gctx)
void hsm_print_session (hsm_session_t *session)
void hsm_print_ctx (hsm_ctx_t *gctx)
void hsm_print_key (hsm_key_t *key)
void hsm_print_error (hsm_ctx_t *gctx)
void hsm_print_tokeninfo (hsm_ctx_t *gctx)

Define Documentation

#define HSM_TOKEN_LABEL_LENGTH   32

Fixed length from PKCS#11 specification

Definition at line 52 of file libhsm.c.


Function Documentation

int hsm_attach ( const char *  repository,
const char *  token_name,
const char *  path,
const char *  pin,
const hsm_config_t config 
)

Attached a named HSM using a PKCS#11 shared library and optional credentials (may be NULL, but then undefined) This function changes the global state, and is not threadsafe

Parameters:
repositorythe name of the repository
token_labelthe name of the token to attach
paththe path of the shared PKCS#11 library
pinthe PIN to log into the token
configoptional configuration
Returns:
0 on success, -1 on error

Definition at line 2602 of file libhsm.c.

References HSM_OK.

Referenced by hsm_open().

int hsm_check_context ( hsm_ctx_t context)

Check HSM context

Check if the associated sessions are still alive. If they are not alive, then try re-open libhsm.

Parameters:
contextHSM context
Returns:
0 if successful, !0 if failed

Definition at line 1885 of file libhsm.c.

References CKF_RW_SESSION, CKF_SERIAL_SESSION, CKS_RW_USER_FUNCTIONS, HSM_ERROR, HSM_OK, hsm_session_t::module, hsm_session_t::session, hsm_ctx_t::session, hsm_ctx_t::session_count, ck_session_info::state, and hsm_module_t::sym.

int hsm_close ( )

Close HSM library

Log out and detach from all configured HSMs This cleans up all data for libhsm, and should be the last function called.

Definition at line 1872 of file libhsm.c.

Referenced by main().

size_t hsm_count_keys ( hsm_ctx_t context)

Count all known keys in all attached HSMs

Parameters:
contextHSM context

Definition at line 2015 of file libhsm.c.

References hsm_count_keys_session(), hsm_ctx_t::session, and hsm_ctx_t::session_count.

size_t hsm_count_keys_repository ( hsm_ctx_t context,
const char *  repository 
)

Count all known keys in a HSM

Parameters:
contextHSM context
repositoryrepository in where to count the keys

Definition at line 2028 of file libhsm.c.

References hsm_count_keys_session().

size_t hsm_count_keys_session ( hsm_ctx_t ctx,
const hsm_session_t session 
)

Definition at line 1192 of file libhsm.c.

Referenced by hsm_count_keys(), and hsm_count_keys_repository().

Create new HSM context

Creates a new session for each attached HSM. The returned hsm_ctx_t * can be freed with hsm_destroy_context()

Definition at line 1879 of file libhsm.c.

Referenced by main().

void hsm_destroy_context ( hsm_ctx_t context)

Destroy HSM context

Parameters:
contextHSM context

Also destroys any associated sessions.

Definition at line 1935 of file libhsm.c.

Referenced by main(), and sign().

int hsm_detach ( const char *  repository)

Detach a named HSM

Definition at line 2626 of file libhsm.c.

References hsm_session_t::module, hsm_module_t::name, hsm_ctx_t::session, and hsm_ctx_t::session_count.

hsm_key_t* hsm_find_key_by_id ( hsm_ctx_t context,
const char *  id 
)

Find a key pair by CKA_ID (as hex string)

The returned key structure can be freed with hsm_key_free()

Parameters:
contextHSM context
idCKA_ID of key to find (null-terminated string of hex characters)
Returns:
key identifier or NULL if not found (or invalid input)

Definition at line 2044 of file libhsm.c.

Referenced by cmd_dnskey(), cmd_remove(), and main().

hsm_key_t* hsm_generate_rsa_key ( hsm_ctx_t context,
const char *  repository,
unsigned long  keysize 
)

Generate new key pair in HSM

Keys generated by libhsm will have a 16-byte identifier set as CKA_ID and the hexadecimal representation of it set as CKA_LABEL. Other stuff, like exponent, may be needed here as well.

The returned key structure can be freed with hsm_key_free()

Parameters:
contextHSM context
repositoryrepository in where to create the key
keysizeSize of RSA key
Returns:
return key identifier or NULL if key generation failed

Definition at line 2060 of file libhsm.c.

References CK_FALSE, CK_TRUE, CKA_DECRYPT, CKA_ENCRYPT, CKA_EXTRACTABLE, CKA_ID, CKA_KEY_TYPE, CKA_LABEL, CKA_MODULUS_BITS, CKA_PRIVATE, CKA_PUBLIC_EXPONENT, CKA_SENSITIVE, CKA_SIGN, CKA_TOKEN, CKA_UNWRAP, CKA_VERIFY, CKA_WRAP, CKK_RSA, CKM_RSA_PKCS_KEY_PAIR_GEN, hsm_module_t::config, hsm_random_buffer(), hsm_session_t::module, hsm_key_t::module, NULL_PTR, hsm_key_t::private_key, hsm_key_t::public_key, hsm_session_t::session, hsm_module_t::sym, and hsm_config_t::use_pubkey.

Referenced by cmd_generate(), hsm_test(), and main().

ldns_rr* hsm_get_dnskey ( hsm_ctx_t ctx,
const hsm_key_t key,
const hsm_sign_params_t sign_params 
)

Get DNSKEY RR

The returned ldns_rr structure can be freed with ldns_rr_free()

Parameters:
contextHSM context
keyKey to get DNSKEY RR from
sign_paramsthe signing parameters (flags, algorithm, etc)
Returns:
ldns_rr*

Definition at line 2494 of file libhsm.c.

References hsm_sign_params_t::algorithm, hsm_sign_params_t::flags, and hsm_sign_params_t::owner.

Referenced by cmd_dnskey(), main(), and sign().

char* hsm_get_error ( hsm_ctx_t gctx)

Return the current error message

The returned message is allocated data, and must be free()d by the caller

Parameters:
ctxHSM context
Returns:
error message string

Definition at line 2684 of file libhsm.c.

References hsm_ctx_t::error, hsm_ctx_t::error_action, hsm_ctx_t::error_message, and HSM_ERROR_MSGSIZE.

Referenced by hsm_print_error().

char* hsm_get_key_id ( hsm_ctx_t context,
const hsm_key_t key 
)

Get id as null-terminated hex string using key identifier

The returned id is allocated data, and must be free()d by the caller

Parameters:
contextHSM context
keyKey pair to get the ID from
Returns:
id of key pair

Definition at line 2194 of file libhsm.c.

References hsm_key_t::private_key.

Referenced by hsm_get_key_info(), hsm_test(), and main().

hsm_key_info_t* hsm_get_key_info ( hsm_ctx_t context,
const hsm_key_t key 
)

Get extended key information

The returned id is allocated data, and must be freed by the caller With hsm_key_info_free()

Parameters:
contextHSM context
keyKey pair to get information about
Returns:
key information

Definition at line 2222 of file libhsm.c.

References hsm_key_info_t::algorithm, hsm_key_info_t::algorithm_name, CKK_RSA, hsm_get_key_id(), HSM_MAX_ALGONAME, hsm_key_info_t::id, and hsm_key_info_t::keysize.

Referenced by cmd_generate(), cmd_list(), cmd_purge(), and hsm_print_key().

int hsm_get_slot_id ( hsm_ctx_t ctx,
CK_FUNCTION_LIST_PTR  pkcs11_functions,
const char *  token_name,
CK_SLOT_ID *  slotId 
)

Definition at line 377 of file libhsm.c.

References ck_function_list::C_GetSlotList, CK_TRUE, HSM_ERROR, HSM_OK, and NULL_PTR.

Referenced by hsm_print_tokeninfo().

void hsm_key_free ( hsm_key_t key)

Free the memory for a key structure.

Parameters:
keyThe key structure to free

Definition at line 2176 of file libhsm.c.

Referenced by cmd_dnskey(), cmd_generate(), cmd_remove(), hsm_key_list_free(), and main().

void hsm_key_info_free ( hsm_key_info_t key_info)

Frees the hsm_key_info_t structure

Parameters:
key_infoThe structure to free

Definition at line 2262 of file libhsm.c.

References hsm_key_info_t::algorithm_name, and hsm_key_info_t::id.

Referenced by cmd_generate(), cmd_list(), cmd_purge(), and hsm_print_key().

void hsm_key_list_free ( hsm_key_t **  key_list,
size_t  count 
)

Free the memory of an array of key structures, as returned by hsm_list_keys()

Parameters:
key_listThe array of keys to free
countThe number of keys in the array

Definition at line 2184 of file libhsm.c.

References hsm_key_free().

Referenced by cmd_list(), and cmd_purge().

hsm_key_t** hsm_list_keys ( hsm_ctx_t context,
size_t *  count 
)

List all known keys in all attached HSMs

After the function has run, the value at count contains the number of keys found.

The resulting key list can be freed with hsm_key_list_free() Alternatively, each individual key structure in the list could be freed with hsm_key_free()

Parameters:
contextHSM context
countlocation to store the number of keys found

Definition at line 1967 of file libhsm.c.

References hsm_list_keys_session(), hsm_ctx_t::session, and hsm_ctx_t::session_count.

Referenced by cmd_list(), and main().

hsm_key_t** hsm_list_keys_repository ( hsm_ctx_t context,
size_t *  count,
const char *  repository 
)

List all known keys in a HSM

After the function has run, the value at count contains the number of keys found.

The resulting key list can be freed with hsm_key_list_free() Alternatively, each individual key structure in the list could be freed with hsm_key_free()

Parameters:
contextHSM context
countlocation to store the number of keys found
repositoryrepository to list the keys in

Definition at line 1997 of file libhsm.c.

References hsm_list_keys_session().

Referenced by cmd_list(), and cmd_purge().

hsm_key_t** hsm_list_keys_session ( hsm_ctx_t ctx,
const hsm_session_t session,
size_t *  count 
)

Definition at line 1179 of file libhsm.c.

Referenced by hsm_list_keys(), and hsm_list_keys_repository().

ldns_rdf* hsm_nsec3_hash_name ( hsm_ctx_t ctx,
ldns_rdf *  name,
uint8_t  algorithm,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

Generate a base32 encoded hashed NSEC3 name

Parameters:
ctxHSM context
nameDomain name to hash
algorithmNSEC3 algorithm (must be 1 atm)
iterationnumber of hash iterations
salt_lengththe length of the salt
saltthe salt

Definition at line 2382 of file libhsm.c.

References CKM_SHA_1, ck_mechanism::mechanism, hsm_ctx_t::session, and hsm_ctx_t::session_count.

int hsm_open ( const char *  config,
char *  pin_callback)(const char *repository, void *,
void *  data 
)

Open HSM library

Parameters:
configpath to OpenDNSSEC XML configuration file
pin_callbackThis function will be called for tokens that have no PIN configured. The default hsm_prompt_pin() can be used. If this value is NULL, these tokens will be skipped
dataoptional data that will be directly passed to the callback function
Returns:
0 if successful, !0 if failed

Attaches all configured HSMs, querying for PINs (using the given callback function) if not known. Also creates initial sessions (not part of any context; every API function that takes a context can be passed NULL, in which case the global context will be used) and log into each HSM.

Definition at line 1716 of file libhsm.c.

References hsm_attach(), HSM_CONFIG_FILE_ERROR, HSM_NO_REPOSITORIES, HSM_OK, HSM_PIN_INCORRECT, and hsm_config_t::use_pubkey.

Referenced by main().

void hsm_print_ctx ( hsm_ctx_t gctx)

Definition at line 2725 of file libhsm.c.

References hsm_print_session(), hsm_ctx_t::session, and hsm_ctx_t::session_count.

Referenced by cmd_debug(), and main().

void hsm_print_error ( hsm_ctx_t gctx)

Definition at line 2769 of file libhsm.c.

References hsm_get_error().

Referenced by cmd_generate(), cmd_list(), cmd_purge(), hsm_test(), and main().

void hsm_print_key ( hsm_key_t key)
void hsm_print_session ( hsm_session_t session)
void hsm_print_tokeninfo ( hsm_ctx_t gctx)
char* hsm_prompt_pin ( const char *  repository,
void *  data 
)

Function that queries for a PIN, can be used as callback for hsm_open()

Parameters:
repositoryThe repository name will be included in the prompt
dataThis value is unused
Returns:
The string the user enters

Definition at line 1855 of file libhsm.c.

Referenced by main().

uint32_t hsm_random32 ( hsm_ctx_t ctx)

Return unsigned 32-bit random number from any attached HSM

Parameters:
contextHSM context
Returns:
32-bit random number, or 0 if no HSM with a random generator is attached

Definition at line 2568 of file libhsm.c.

References hsm_random_buffer().

Referenced by main().

uint64_t hsm_random64 ( hsm_ctx_t ctx)

Return unsigned 64-bit random number from any attached HSM

Parameters:
contextHSM context
Returns:
64-bit random number, or 0 if no HSM with a random generator is attached

Definition at line 2583 of file libhsm.c.

References hsm_random_buffer().

Referenced by main().

int hsm_random_buffer ( hsm_ctx_t ctx,
unsigned char *  buffer,
unsigned long  length 
)

Fill a buffer with random data from any attached HSM

Parameters:
contextHSM context
bufferBuffer to fill with random data
lengthSize of random buffer
Returns:
0 if successful, !0 if failed

Definition at line 2540 of file libhsm.c.

References CKR_OK, hsm_session_t::module, hsm_session_t::session, hsm_ctx_t::session, hsm_ctx_t::session_count, and hsm_module_t::sym.

Referenced by hsm_generate_rsa_key(), hsm_random32(), and hsm_random64().

int hsm_remove_key ( hsm_ctx_t context,
hsm_key_t key 
)

Remove a key pair from HSM

When a key is removed, the module pointer is set to NULL, and the public and private key handles are set to 0. The structure still needs to be freed.

Parameters:
contextHSM context
keyKey pair to be removed
Returns:
0 if successful, !0 if failed

Definition at line 2146 of file libhsm.c.

References hsm_module_t::config, hsm_session_t::module, hsm_key_t::private_key, hsm_key_t::public_key, hsm_session_t::session, hsm_module_t::sym, and hsm_config_t::use_pubkey.

Referenced by cmd_purge(), cmd_remove(), hsm_test(), and main().

Free the signer parameters structure

If params->owner has been set, ldns_rdf_deep_free() will be called on it.

Parameters:
paramsThe signer parameters to free

Definition at line 1958 of file libhsm.c.

References hsm_sign_params_t::owner.

Referenced by cmd_dnskey(), main(), and sign().

ldns_rr* hsm_sign_rrset ( hsm_ctx_t ctx,
const ldns_rr_list *  rrset,
const hsm_key_t key,
const hsm_sign_params_t sign_params 
)

Sign RRset using key

The returned ldns_rr structure can be freed with ldns_rr_free()

Parameters:
contextHSM context
rrsetRRset to sign
keyKey pair used to sign
Returns:
ldns_rr* Signed RRset

Definition at line 2276 of file libhsm.c.

References hsm_sign_params_t::algorithm.

Referenced by main(), and sign().

int hsm_supported_algorithm ( ldns_algorithm  algorithm)

Check if a given DNSSEC algorithm is supported

Parameters:
ldns_algorithmalgorithm number
Returns:
0 if supported, -1 otherwise

Definition at line 2668 of file libhsm.c.

int hsm_token_attached ( hsm_ctx_t ctx,
const char *  repository 
)

Check whether a named token has been initialized in this context

Parameters:
ctxHSM context
token_nameThe name of the token
Returns:
1 if the token is attached, 0 if not found

Definition at line 2650 of file libhsm.c.

References HSM_REPOSITORY_NOT_FOUND, hsm_session_t::module, hsm_module_t::name, hsm_ctx_t::session, and hsm_ctx_t::session_count.

Referenced by cmd_generate(), cmd_list(), cmd_purge(), and hsm_test().