usr/src/lib/libelfsign/common/libelfsign.h

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21
  22 /*
  23  * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
  24  */
  25
  26 #ifndef _LIBELFSIGN_H
  27 #define _LIBELFSIGN_H
  28
  29 #ifdef __cplusplus
  30 extern "C" {
  31 #endif
  32
  33 /*
  34  * libelfsign Private Interfaces
  35  * This header file should not be shipped as part of Solaris binary or
  36  * source products.
  37  */
  38
  39 #include <sys/crypto/elfsign.h>
  40 #include <libelf.h>
  41 #include <fcntl.h>
  42 #include <md5.h>
  43 #include <sha1.h>
  44 #include <kmfapi.h>
  45
  46 /*
  47  * Certificate-related definitions
  48  */
  49 #define ELFSIGN_CRYPTO          "Solaris Cryptographic Framework"
  50 #define USAGELIMITED            "OU=UsageLimited"
  51
  52 typedef enum ELFCert_VStatus_e {
  53         E_UNCHECKED,
  54         E_OK,
  55         E_IS_TA,
  56         E_FAILED
  57 } ELFCert_VStatus_t;
  58
  59 typedef struct ELFCert_s {
  60         ELFCert_VStatus_t       c_verified;
  61         char                    *c_subject;
  62         char                    *c_issuer;
  63         KMF_X509_DER_CERT       c_cert;
  64         KMF_KEY_HANDLE          c_privatekey;
  65 }       *ELFCert_t;
  66
  67 #define CRYPTO_CERTS_DIR        "/etc/crypto/certs"
  68 #define ETC_CERTS_DIR           "/etc/certs"
  69
  70 /*
  71  * libelfsign actions
  72  */
  73 enum ES_ACTION {
  74         ES_GET,
  75         ES_GET_CRYPTO,
  76         ES_GET_FIPS140,
  77         ES_UPDATE,
  78         ES_UPDATE_RSA_MD5_SHA1,
  79         ES_UPDATE_RSA_SHA1
  80 };
  81 #define ES_ACTISUPDATE(a)       ((a) >= ES_UPDATE)
  82
  83 /*
  84  * Context for elfsign operation
  85  */
  86 struct ELFsign_s {
  87         Elf     *es_elf;
  88         char    *es_pathname;
  89         char    *es_certpath;
  90         int     es_fd;
  91         size_t  es_shstrndx;
  92         enum ES_ACTION  es_action;
  93         KMF_KEY_HANDLE          es_privatekey;
  94         filesig_vers_t  es_version;
  95         boolean_t       es_same_endian;
  96         boolean_t       es_has_phdr;
  97         char            es_ei_class;
  98         struct flock    es_flock;
  99         KMF_HANDLE_T    es_kmfhandle;
 100         void            *es_callbackctx;
 101         void            (*es_sigvercallback)(void *, void *, size_t, ELFCert_t);
 102         void            (*es_certCAcallback)(void *, ELFCert_t, char *);
 103         void            (*es_certvercallback)(void *, ELFCert_t, ELFCert_t);
 104 };
 105
 106 #define ES_FMT_RSA_MD5_SHA1     "rsa_md5_sha1"
 107 #define ES_FMT_RSA_SHA1         "rsa_sha1"
 108
 109 /*
 110  * ELF signature handling
 111  */
 112 typedef struct ELFsign_s *ELFsign_t;
 113 struct ELFsign_sig_info {
 114         char    *esi_format;
 115         char    *esi_signer;
 116         time_t  esi_time;
 117 };
 118
 119 extern struct filesignatures *elfsign_insert_dso(ELFsign_t ess,
 120     struct filesignatures *fsp, const char *dn, int dn_len,
 121     const uchar_t *sig, int sig_len, const char *oid, int oid_len);
 122 extern filesig_vers_t elfsign_extract_sig(ELFsign_t ess,
 123     struct filesignatures *fsp, uchar_t *sig, size_t *sig_len);
 124 extern ELFsign_status_t elfsign_begin(const char *,
 125     enum ES_ACTION, ELFsign_t *);
 126 extern void elfsign_end(ELFsign_t ess);
 127 extern ELFsign_status_t elfsign_setcertpath(ELFsign_t ess, const char *path);
 128 extern ELFsign_status_t elfsign_verify_signature(ELFsign_t ess,
 129     struct ELFsign_sig_info **esipp);
 130 extern ELFsign_status_t elfsign_hash(ELFsign_t ess, uchar_t *hash,
 131     size_t *hash_len);
 132 extern ELFsign_status_t elfsign_hash_mem_resident(ELFsign_t ess,
 133     uchar_t *hash, size_t *hash_len);
 134 extern void elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp,
 135     enum ES_ACTION action);
 136
 137 extern void elfsign_setcallbackctx(ELFsign_t ess, void *ctx);
 138 extern void elfsign_setsigvercallback(ELFsign_t ess,
 139     void (*cb)(void *, void *, size_t, ELFCert_t));
 140 extern ELFsign_status_t elfsign_signatures(ELFsign_t ess,
 141     struct filesignatures **fspp, size_t *fs_len, enum ES_ACTION action);
 142
 143 extern char const *elfsign_strerror(ELFsign_status_t);
 144 extern boolean_t elfsign_sig_info(struct filesignatures *fssp,
 145     struct ELFsign_sig_info **esipp);
 146 extern void elfsign_sig_info_free(struct ELFsign_sig_info *);
 147
 148 /*
 149  * ELF "Certificate Library"
 150  */
 151
 152 extern const char _PATH_ELFSIGN_CERTS[];
 153
 154 #define ELFCERT_MAX_DN_LEN      255
 155
 156 extern boolean_t elfcertlib_init(ELFsign_t);
 157 extern void elfcertlib_fini(ELFsign_t);
 158 extern boolean_t elfcertlib_settoken(ELFsign_t, char *);
 159 extern void elfcertlib_setcertCAcallback(ELFsign_t ess,
 160     void (*cb)(void *, ELFCert_t, char *));
 161 extern void elfcertlib_setcertvercallback(ELFsign_t ess,
 162     void (*cb)(void *, ELFCert_t, ELFCert_t));
 163
 164 extern boolean_t elfcertlib_getcert(ELFsign_t ess, char *cert_pathname,
 165         char *signer_DN, ELFCert_t *certp, enum ES_ACTION action);
 166 extern void elfcertlib_releasecert(ELFsign_t, ELFCert_t);
 167 extern char *elfcertlib_getdn(ELFCert_t cert);
 168 extern char *elfcertlib_getissuer(ELFCert_t cert);
 169
 170 extern boolean_t elfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert,
 171         const char *path);
 172 extern boolean_t elfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert,
 173         const char *token_id, const char *pin);
 174
 175 extern boolean_t elfcertlib_sign(ELFsign_t ess, ELFCert_t cert,
 176         const uchar_t *data, size_t data_len, uchar_t *sig,
 177         size_t *sig_len);
 178
 179 extern boolean_t elfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert);
 180 extern boolean_t elfcertlib_verifysig(ELFsign_t ess, ELFCert_t cert,
 181         const uchar_t *sig, size_t sig_len,
 182         const uchar_t *data, size_t data_len);
 183
 184 #ifdef __cplusplus
 185 }
 186 #endif
 187
 188 #endif /* _LIBELFSIGN_H */