"Fossies" - the Fresh Open Source Software Archive

Member "bind-9.11.23/lib/dns/pkcs11rsa_link.c" (7 Sep 2020, 61255 Bytes) of package /linux/misc/dns/bind9/9.11.23/bind-9.11.23.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "pkcs11rsa_link.c" see the Fossies "Dox" file reference documentation and the last Fossies "Diffs" side-by-side code changes report: 9.17.3_vs_9.17.4.

    1 /*
    2  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
    3  *
    4  * This Source Code Form is subject to the terms of the Mozilla Public
    5  * License, v. 2.0. If a copy of the MPL was not distributed with this
    6  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
    7  *
    8  * See the COPYRIGHT file distributed with this work for additional
    9  * information regarding copyright ownership.
   10  */
   11 
   12 #ifdef PKCS11CRYPTO
   13 
   14 #include <config.h>
   15 
   16 #include <stdbool.h>
   17 
   18 #include <isc/entropy.h>
   19 #include <isc/md5.h>
   20 #include <isc/sha1.h>
   21 #include <isc/sha2.h>
   22 #include <isc/mem.h>
   23 #include <isc/safe.h>
   24 #include <isc/string.h>
   25 #include <isc/util.h>
   26 
   27 #include <dst/result.h>
   28 
   29 #include "dst_internal.h"
   30 #include "dst_parse.h"
   31 #include "dst_pkcs11.h"
   32 
   33 #include <pk11/internal.h>
   34 #include <pk11/site.h>
   35 
   36 /*
   37  * Limit the size of public exponents.
   38  */
   39 #ifndef RSA_MAX_PUBEXP_BITS
   40 #define RSA_MAX_PUBEXP_BITS    35
   41 #endif
   42 
   43 #define DST_RET(a) {ret = a; goto err;}
   44 
   45 static CK_BBOOL truevalue = TRUE;
   46 static CK_BBOOL falsevalue = FALSE;
   47 
   48 static isc_result_t pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data);
   49 static void pkcs11rsa_destroy(dst_key_t *key);
   50 static isc_result_t pkcs11rsa_fetch(dst_key_t *key, const char *engine,
   51                     const char *label, dst_key_t *pub);
   52 
   53 #ifndef PK11_RSA_PKCS_REPLACE
   54 
   55 static isc_result_t
   56 pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
   57     CK_RV rv;
   58     CK_MECHANISM mech = { 0, NULL, 0 };
   59     CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
   60     CK_KEY_TYPE keyType = CKK_RSA;
   61     CK_ATTRIBUTE keyTemplate[] =
   62     {
   63         { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
   64         { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
   65         { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
   66         { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
   67         { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
   68         { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
   69         { CKA_MODULUS, NULL, 0 },
   70         { CKA_PUBLIC_EXPONENT, NULL, 0 },
   71         { CKA_PRIVATE_EXPONENT, NULL, 0 },
   72         { CKA_PRIME_1, NULL, 0 },
   73         { CKA_PRIME_2, NULL, 0 },
   74         { CKA_EXPONENT_1, NULL, 0 },
   75         { CKA_EXPONENT_2, NULL, 0 },
   76         { CKA_COEFFICIENT, NULL, 0 }
   77     };
   78     CK_ATTRIBUTE *attr;
   79     CK_SLOT_ID slotid;
   80     pk11_object_t *rsa;
   81     pk11_context_t *pk11_ctx;
   82     isc_result_t ret;
   83     unsigned int i;
   84 
   85 #ifndef PK11_MD5_DISABLE
   86     REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
   87         key->key_alg == DST_ALG_RSASHA1 ||
   88         key->key_alg == DST_ALG_NSEC3RSASHA1 ||
   89         key->key_alg == DST_ALG_RSASHA256 ||
   90         key->key_alg == DST_ALG_RSASHA512);
   91 #else
   92     REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
   93         key->key_alg == DST_ALG_NSEC3RSASHA1 ||
   94         key->key_alg == DST_ALG_RSASHA256 ||
   95         key->key_alg == DST_ALG_RSASHA512);
   96 #endif
   97 
   98     /*
   99      * Reject incorrect RSA key lengths.
  100      */
  101     switch (dctx->key->key_alg) {
  102     case DST_ALG_RSAMD5:
  103     case DST_ALG_RSASHA1:
  104     case DST_ALG_NSEC3RSASHA1:
  105         /* From RFC 3110 */
  106         if (dctx->key->key_size > 4096)
  107             return (ISC_R_FAILURE);
  108         break;
  109     case DST_ALG_RSASHA256:
  110         /* From RFC 5702 */
  111         if ((dctx->key->key_size < 512) ||
  112             (dctx->key->key_size > 4096))
  113             return (ISC_R_FAILURE);
  114         break;
  115     case DST_ALG_RSASHA512:
  116         /* From RFC 5702 */
  117         if ((dctx->key->key_size < 1024) ||
  118             (dctx->key->key_size > 4096))
  119             return (ISC_R_FAILURE);
  120         break;
  121     default:
  122         INSIST(0);
  123         ISC_UNREACHABLE();
  124     }
  125 
  126     rsa = key->keydata.pkey;
  127 
  128     pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
  129                           sizeof(*pk11_ctx));
  130     if (pk11_ctx == NULL)
  131         return (ISC_R_NOMEMORY);
  132     memset(pk11_ctx, 0, sizeof(*pk11_ctx));
  133     if (rsa->ontoken)
  134         slotid = rsa->slot;
  135     else
  136         slotid = pk11_get_best_token(OP_RSA);
  137     ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
  138                    rsa->reqlogon, NULL, slotid);
  139     if (ret != ISC_R_SUCCESS)
  140         goto err;
  141 
  142     if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
  143         pk11_ctx->ontoken = rsa->ontoken;
  144         pk11_ctx->object = rsa->object;
  145         goto token_key;
  146     }
  147 
  148     for (attr = pk11_attribute_first(rsa);
  149          attr != NULL;
  150          attr = pk11_attribute_next(rsa, attr))
  151         switch (attr->type) {
  152         case CKA_MODULUS:
  153             INSIST(keyTemplate[6].type == attr->type);
  154             keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
  155                                 attr->ulValueLen);
  156             if (keyTemplate[6].pValue == NULL)
  157                 DST_RET(ISC_R_NOMEMORY);
  158             memmove(keyTemplate[6].pValue, attr->pValue,
  159                 attr->ulValueLen);
  160             keyTemplate[6].ulValueLen = attr->ulValueLen;
  161             break;
  162         case CKA_PUBLIC_EXPONENT:
  163             INSIST(keyTemplate[7].type == attr->type);
  164             keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
  165                                 attr->ulValueLen);
  166             if (keyTemplate[7].pValue == NULL)
  167                 DST_RET(ISC_R_NOMEMORY);
  168             memmove(keyTemplate[7].pValue, attr->pValue,
  169                 attr->ulValueLen);
  170             keyTemplate[7].ulValueLen = attr->ulValueLen;
  171             break;
  172         case CKA_PRIVATE_EXPONENT:
  173             INSIST(keyTemplate[8].type == attr->type);
  174             keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
  175                                 attr->ulValueLen);
  176             if (keyTemplate[8].pValue == NULL)
  177                 DST_RET(ISC_R_NOMEMORY);
  178             memmove(keyTemplate[8].pValue, attr->pValue,
  179                 attr->ulValueLen);
  180             keyTemplate[8].ulValueLen = attr->ulValueLen;
  181             break;
  182         case CKA_PRIME_1:
  183             INSIST(keyTemplate[9].type == attr->type);
  184             keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
  185                                 attr->ulValueLen);
  186             if (keyTemplate[9].pValue == NULL)
  187                 DST_RET(ISC_R_NOMEMORY);
  188             memmove(keyTemplate[9].pValue, attr->pValue,
  189                 attr->ulValueLen);
  190             keyTemplate[9].ulValueLen = attr->ulValueLen;
  191             break;
  192         case CKA_PRIME_2:
  193             INSIST(keyTemplate[10].type == attr->type);
  194             keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
  195                                 attr->ulValueLen);
  196             if (keyTemplate[10].pValue == NULL)
  197                 DST_RET(ISC_R_NOMEMORY);
  198             memmove(keyTemplate[10].pValue, attr->pValue,
  199                 attr->ulValueLen);
  200             keyTemplate[10].ulValueLen = attr->ulValueLen;
  201             break;
  202         case CKA_EXPONENT_1:
  203             INSIST(keyTemplate[11].type == attr->type);
  204             keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
  205                                  attr->ulValueLen);
  206             if (keyTemplate[11].pValue == NULL)
  207                 DST_RET(ISC_R_NOMEMORY);
  208             memmove(keyTemplate[11].pValue, attr->pValue,
  209                 attr->ulValueLen);
  210             keyTemplate[11].ulValueLen = attr->ulValueLen;
  211             break;
  212         case CKA_EXPONENT_2:
  213             INSIST(keyTemplate[12].type == attr->type);
  214             keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
  215                                  attr->ulValueLen);
  216             if (keyTemplate[12].pValue == NULL)
  217                 DST_RET(ISC_R_NOMEMORY);
  218             memmove(keyTemplate[12].pValue, attr->pValue,
  219                 attr->ulValueLen);
  220             keyTemplate[12].ulValueLen = attr->ulValueLen;
  221             break;
  222         case CKA_COEFFICIENT:
  223             INSIST(keyTemplate[13].type == attr->type);
  224             keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
  225                                  attr->ulValueLen);
  226             if (keyTemplate[13].pValue == NULL)
  227                 DST_RET(ISC_R_NOMEMORY);
  228             memmove(keyTemplate[13].pValue, attr->pValue,
  229                 attr->ulValueLen);
  230             keyTemplate[13].ulValueLen = attr->ulValueLen;
  231             break;
  232         }
  233     pk11_ctx->object = CK_INVALID_HANDLE;
  234     pk11_ctx->ontoken = false;
  235     PK11_RET(pkcs_C_CreateObject,
  236          (pk11_ctx->session,
  237           keyTemplate, (CK_ULONG) 14,
  238           &pk11_ctx->object),
  239          ISC_R_FAILURE);
  240 
  241     token_key:
  242 
  243     switch (dctx->key->key_alg) {
  244 #ifndef PK11_MD5_DISABLE
  245     case DST_ALG_RSAMD5:
  246         mech.mechanism = CKM_MD5_RSA_PKCS;
  247         break;
  248 #endif
  249     case DST_ALG_RSASHA1:
  250     case DST_ALG_NSEC3RSASHA1:
  251         mech.mechanism = CKM_SHA1_RSA_PKCS;
  252         break;
  253     case DST_ALG_RSASHA256:
  254         mech.mechanism = CKM_SHA256_RSA_PKCS;
  255         break;
  256     case DST_ALG_RSASHA512:
  257         mech.mechanism = CKM_SHA512_RSA_PKCS;
  258         break;
  259     default:
  260         INSIST(0);
  261         ISC_UNREACHABLE();
  262     }
  263 
  264     PK11_RET(pkcs_C_SignInit,
  265          (pk11_ctx->session, &mech, pk11_ctx->object),
  266          ISC_R_FAILURE);
  267 
  268     dctx->ctxdata.pk11_ctx = pk11_ctx;
  269 
  270     for (i = 6; i <= 13; i++)
  271         if (keyTemplate[i].pValue != NULL) {
  272             isc_safe_memwipe(keyTemplate[i].pValue,
  273                      keyTemplate[i].ulValueLen);
  274             isc_mem_put(dctx->mctx,
  275                     keyTemplate[i].pValue,
  276                     keyTemplate[i].ulValueLen);
  277         }
  278 
  279     return (ISC_R_SUCCESS);
  280 
  281     err:
  282     if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
  283         (void) pkcs_C_DestroyObject(pk11_ctx->session,
  284                         pk11_ctx->object);
  285     for (i = 6; i <= 13; i++)
  286         if (keyTemplate[i].pValue != NULL) {
  287             isc_safe_memwipe(keyTemplate[i].pValue,
  288                      keyTemplate[i].ulValueLen);
  289             isc_mem_put(dctx->mctx,
  290                     keyTemplate[i].pValue,
  291                     keyTemplate[i].ulValueLen);
  292         }
  293     pk11_return_session(pk11_ctx);
  294     isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
  295     isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
  296 
  297     return (ret);
  298 }
  299 
  300 static isc_result_t
  301 pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
  302                dst_context_t *dctx) {
  303     CK_RV rv;
  304     CK_MECHANISM mech = { 0, NULL, 0 };
  305     CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
  306     CK_KEY_TYPE keyType = CKK_RSA;
  307     CK_ATTRIBUTE keyTemplate[] =
  308     {
  309         { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
  310         { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
  311         { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
  312         { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
  313         { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
  314         { CKA_MODULUS, NULL, 0 },
  315         { CKA_PUBLIC_EXPONENT, NULL, 0 },
  316     };
  317     CK_ATTRIBUTE *attr;
  318     pk11_object_t *rsa;
  319     pk11_context_t *pk11_ctx;
  320     isc_result_t ret;
  321     unsigned int i;
  322 
  323 #ifndef PK11_MD5_DISABLE
  324     REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
  325         key->key_alg == DST_ALG_RSASHA1 ||
  326         key->key_alg == DST_ALG_NSEC3RSASHA1 ||
  327         key->key_alg == DST_ALG_RSASHA256 ||
  328         key->key_alg == DST_ALG_RSASHA512);
  329 #else
  330     REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
  331         key->key_alg == DST_ALG_NSEC3RSASHA1 ||
  332         key->key_alg == DST_ALG_RSASHA256 ||
  333         key->key_alg == DST_ALG_RSASHA512);
  334 #endif
  335     REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
  336 
  337     /*
  338      * Reject incorrect RSA key lengths.
  339      */
  340     switch (dctx->key->key_alg) {
  341     case DST_ALG_RSAMD5:
  342     case DST_ALG_RSASHA1:
  343     case DST_ALG_NSEC3RSASHA1:
  344         /* From RFC 3110 */
  345         if (dctx->key->key_size > 4096)
  346             return (ISC_R_FAILURE);
  347         break;
  348     case DST_ALG_RSASHA256:
  349         /* From RFC 5702 */
  350         if ((dctx->key->key_size < 512) ||
  351             (dctx->key->key_size > 4096))
  352             return (ISC_R_FAILURE);
  353         break;
  354     case DST_ALG_RSASHA512:
  355         /* From RFC 5702 */
  356         if ((dctx->key->key_size < 1024) ||
  357             (dctx->key->key_size > 4096))
  358             return (ISC_R_FAILURE);
  359         break;
  360     default:
  361         INSIST(0);
  362         ISC_UNREACHABLE();
  363     }
  364 
  365     rsa = key->keydata.pkey;
  366 
  367     pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
  368                           sizeof(*pk11_ctx));
  369     if (pk11_ctx == NULL)
  370         return (ISC_R_NOMEMORY);
  371     ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
  372                    rsa->reqlogon, NULL,
  373                    pk11_get_best_token(OP_RSA));
  374     if (ret != ISC_R_SUCCESS)
  375         goto err;
  376 
  377     for (attr = pk11_attribute_first(rsa);
  378          attr != NULL;
  379          attr = pk11_attribute_next(rsa, attr))
  380     {
  381         switch (attr->type) {
  382         case CKA_MODULUS:
  383             INSIST(keyTemplate[5].type == attr->type);
  384             keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
  385                                 attr->ulValueLen);
  386             if (keyTemplate[5].pValue == NULL)
  387                 DST_RET(ISC_R_NOMEMORY);
  388             memmove(keyTemplate[5].pValue, attr->pValue,
  389                 attr->ulValueLen);
  390             keyTemplate[5].ulValueLen = attr->ulValueLen;
  391             break;
  392         case CKA_PUBLIC_EXPONENT:
  393             INSIST(keyTemplate[6].type == attr->type);
  394             keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
  395                                 attr->ulValueLen);
  396             if (keyTemplate[6].pValue == NULL)
  397                 DST_RET(ISC_R_NOMEMORY);
  398             memmove(keyTemplate[6].pValue, attr->pValue,
  399                 attr->ulValueLen);
  400             keyTemplate[6].ulValueLen = attr->ulValueLen;
  401             unsigned int bits;
  402             ret = pk11_numbits(attr->pValue, attr->ulValueLen,
  403                        &bits);
  404             if (ret != ISC_R_SUCCESS ||
  405                 (bits > maxbits && maxbits != 0)) {
  406                 DST_RET(DST_R_VERIFYFAILURE);
  407             }
  408             break;
  409         }
  410     }
  411     pk11_ctx->object = CK_INVALID_HANDLE;
  412     pk11_ctx->ontoken = false;
  413     PK11_RET(pkcs_C_CreateObject,
  414          (pk11_ctx->session,
  415           keyTemplate, (CK_ULONG) 7,
  416           &pk11_ctx->object),
  417          ISC_R_FAILURE);
  418 
  419     switch (dctx->key->key_alg) {
  420 #ifndef PK11_MD5_DISABLE
  421     case DST_ALG_RSAMD5:
  422         mech.mechanism = CKM_MD5_RSA_PKCS;
  423         break;
  424 #endif
  425     case DST_ALG_RSASHA1:
  426     case DST_ALG_NSEC3RSASHA1:
  427         mech.mechanism = CKM_SHA1_RSA_PKCS;
  428         break;
  429     case DST_ALG_RSASHA256:
  430         mech.mechanism = CKM_SHA256_RSA_PKCS;
  431         break;
  432     case DST_ALG_RSASHA512:
  433         mech.mechanism = CKM_SHA512_RSA_PKCS;
  434         break;
  435     default:
  436         INSIST(0);
  437         ISC_UNREACHABLE();
  438     }
  439 
  440     PK11_RET(pkcs_C_VerifyInit,
  441          (pk11_ctx->session, &mech, pk11_ctx->object),
  442          ISC_R_FAILURE);
  443 
  444     dctx->ctxdata.pk11_ctx = pk11_ctx;
  445 
  446     for (i = 5; i <= 6; i++)
  447         if (keyTemplate[i].pValue != NULL) {
  448             isc_safe_memwipe(keyTemplate[i].pValue,
  449                      keyTemplate[i].ulValueLen);
  450             isc_mem_put(dctx->mctx,
  451                     keyTemplate[i].pValue,
  452                     keyTemplate[i].ulValueLen);
  453         }
  454 
  455     return (ISC_R_SUCCESS);
  456 
  457     err:
  458     if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
  459         (void) pkcs_C_DestroyObject(pk11_ctx->session,
  460                         pk11_ctx->object);
  461     for (i = 5; i <= 6; i++)
  462         if (keyTemplate[i].pValue != NULL) {
  463             isc_safe_memwipe(keyTemplate[i].pValue,
  464                      keyTemplate[i].ulValueLen);
  465             isc_mem_put(dctx->mctx,
  466                     keyTemplate[i].pValue,
  467                     keyTemplate[i].ulValueLen);
  468         }
  469     pk11_return_session(pk11_ctx);
  470     isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
  471     isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
  472 
  473     return (ret);
  474 }
  475 
  476 static isc_result_t
  477 pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
  478     if (dctx->use == DO_SIGN)
  479         return (pkcs11rsa_createctx_sign(key, dctx));
  480     else
  481         return (pkcs11rsa_createctx_verify(key, 0U, dctx));
  482 }
  483 
  484 static isc_result_t
  485 pkcs11rsa_createctx2(dst_key_t *key, int maxbits, dst_context_t *dctx) {
  486     if (dctx->use == DO_SIGN)
  487         return (pkcs11rsa_createctx_sign(key, dctx));
  488     else
  489         return (pkcs11rsa_createctx_verify(key,
  490                            (unsigned) maxbits, dctx));
  491 }
  492 
  493 static void
  494 pkcs11rsa_destroyctx(dst_context_t *dctx) {
  495     pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
  496 
  497     if (pk11_ctx != NULL) {
  498         if (!pk11_ctx->ontoken &&
  499             (pk11_ctx->object != CK_INVALID_HANDLE))
  500             (void) pkcs_C_DestroyObject(pk11_ctx->session,
  501                             pk11_ctx->object);
  502         pk11_return_session(pk11_ctx);
  503         isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
  504         isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
  505         dctx->ctxdata.pk11_ctx = NULL;
  506     }
  507 }
  508 
  509 static isc_result_t
  510 pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
  511     CK_RV rv;
  512     pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
  513     isc_result_t ret = ISC_R_SUCCESS;
  514 
  515     if (dctx->use == DO_SIGN)
  516         PK11_CALL(pkcs_C_SignUpdate,
  517               (pk11_ctx->session,
  518                (CK_BYTE_PTR) data->base,
  519                (CK_ULONG) data->length),
  520               ISC_R_FAILURE);
  521     else
  522         PK11_CALL(pkcs_C_VerifyUpdate,
  523               (pk11_ctx->session,
  524                (CK_BYTE_PTR) data->base,
  525                (CK_ULONG) data->length),
  526               ISC_R_FAILURE);
  527     return (ret);
  528 }
  529 
  530 static isc_result_t
  531 pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
  532     CK_RV rv;
  533     CK_ULONG siglen = 0;
  534     isc_region_t r;
  535     pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
  536     isc_result_t ret = ISC_R_SUCCESS;
  537 
  538     PK11_RET(pkcs_C_SignFinal,
  539          (pk11_ctx->session, NULL, &siglen),
  540          DST_R_SIGNFAILURE);
  541 
  542     isc_buffer_availableregion(sig, &r);
  543 
  544     if (r.length < (unsigned int) siglen)
  545         return (ISC_R_NOSPACE);
  546 
  547     PK11_RET(pkcs_C_SignFinal,
  548          (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen),
  549          DST_R_SIGNFAILURE);
  550 
  551     isc_buffer_add(sig, (unsigned int) siglen);
  552 
  553     err:
  554     return (ret);
  555 }
  556 
  557 static isc_result_t
  558 pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
  559     CK_RV rv;
  560     pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
  561     isc_result_t ret = ISC_R_SUCCESS;
  562 
  563     PK11_CALL(pkcs_C_VerifyFinal,
  564           (pk11_ctx->session,
  565            (CK_BYTE_PTR) sig->base,
  566            (CK_ULONG) sig->length),
  567           DST_R_VERIFYFAILURE);
  568     return (ret);
  569 }
  570 
  571 #else
  572 
  573 /*
  574  * CKM_<hash>_RSA_PKCS mechanisms are not available so fall back
  575  * to CKM_RSA_PKCS and do the EMSA-PKCS#1-v1.5 encapsulation by hand.
  576  */
  577 
  578 CK_BYTE md5_der[] =
  579     { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86,
  580       0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00,
  581       0x04, 0x10 };
  582 CK_BYTE sha1_der[] =
  583     { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
  584       0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
  585 CK_BYTE sha256_der[] =
  586     { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
  587       0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
  588       0x00, 0x04, 0x20 };
  589 CK_BYTE sha512_der[] =
  590     { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
  591       0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
  592       0x00, 0x04, 0x40 };
  593 #define MAX_DER_SIZE 19
  594 #define MIN_PKCS1_PADLEN 11
  595 
  596 static isc_result_t
  597 pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
  598     CK_RV rv;
  599     CK_MECHANISM mech = { 0, NULL, 0 };
  600     CK_SLOT_ID slotid;
  601     pk11_object_t *rsa = key->keydata.pkey;
  602     pk11_context_t *pk11_ctx;
  603     isc_result_t ret;
  604 
  605 #ifndef PK11_MD5_DISABLE
  606     REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
  607         key->key_alg == DST_ALG_RSASHA1 ||
  608         key->key_alg == DST_ALG_NSEC3RSASHA1 ||
  609         key->key_alg == DST_ALG_RSASHA256 ||
  610         key->key_alg == DST_ALG_RSASHA512);
  611 #else
  612     REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
  613         key->key_alg == DST_ALG_NSEC3RSASHA1 ||
  614         key->key_alg == DST_ALG_RSASHA256 ||
  615         key->key_alg == DST_ALG_RSASHA512);
  616 #endif
  617     REQUIRE(rsa != NULL);
  618 
  619     /*
  620      * Reject incorrect RSA key lengths.
  621      */
  622     switch (dctx->key->key_alg) {
  623     case DST_ALG_RSAMD5:
  624     case DST_ALG_RSASHA1:
  625     case DST_ALG_NSEC3RSASHA1:
  626         /* From RFC 3110 */
  627         if (dctx->key->key_size > 4096)
  628             return (ISC_R_FAILURE);
  629         break;
  630     case DST_ALG_RSASHA256:
  631         /* From RFC 5702 */
  632         if ((dctx->key->key_size < 512) ||
  633             (dctx->key->key_size > 4096))
  634             return (ISC_R_FAILURE);
  635         break;
  636     case DST_ALG_RSASHA512:
  637         /* From RFC 5702 */
  638         if ((dctx->key->key_size < 1024) ||
  639             (dctx->key->key_size > 4096))
  640             return (ISC_R_FAILURE);
  641         break;
  642     default:
  643         INSIST(0);
  644         ISC_UNREACHABLE();
  645     }
  646 
  647     switch (key->key_alg) {
  648 #ifndef PK11_MD5_DISABLE
  649     case DST_ALG_RSAMD5:
  650         mech.mechanism = CKM_MD5;
  651         break;
  652 #endif
  653     case DST_ALG_RSASHA1:
  654     case DST_ALG_NSEC3RSASHA1:
  655         mech.mechanism = CKM_SHA_1;
  656         break;
  657     case DST_ALG_RSASHA256:
  658         mech.mechanism = CKM_SHA256;
  659         break;
  660     case DST_ALG_RSASHA512:
  661         mech.mechanism = CKM_SHA512;
  662         break;
  663     default:
  664         INSIST(0);
  665         ISC_UNREACHABLE();
  666     }
  667 
  668     pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
  669                           sizeof(*pk11_ctx));
  670     if (pk11_ctx == NULL)
  671         return (ISC_R_NOMEMORY);
  672     memset(pk11_ctx, 0, sizeof(*pk11_ctx));
  673     if (rsa->ontoken)
  674         slotid = rsa->slot;
  675     else
  676         slotid = pk11_get_best_token(OP_RSA);
  677     ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
  678                    rsa->reqlogon, NULL, slotid);
  679     if (ret != ISC_R_SUCCESS)
  680         goto err;
  681 
  682     PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE);
  683     dctx->ctxdata.pk11_ctx = pk11_ctx;
  684     return (ISC_R_SUCCESS);
  685 
  686     err:
  687     pk11_return_session(pk11_ctx);
  688     isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
  689     isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
  690 
  691     return (ret);
  692 }
  693 
  694 static void
  695 pkcs11rsa_destroyctx(dst_context_t *dctx) {
  696     CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
  697     CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
  698     pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
  699 
  700     if (pk11_ctx != NULL) {
  701         (void) pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
  702         isc_safe_memwipe(garbage, sizeof(garbage));
  703         pk11_return_session(pk11_ctx);
  704         isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
  705         isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
  706         dctx->ctxdata.pk11_ctx = NULL;
  707     }
  708 }
  709 
  710 static isc_result_t
  711 pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
  712     CK_RV rv;
  713     pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
  714     isc_result_t ret = ISC_R_SUCCESS;
  715 
  716     PK11_CALL(pkcs_C_DigestUpdate,
  717           (pk11_ctx->session,
  718            (CK_BYTE_PTR) data->base,
  719            (CK_ULONG) data->length),
  720           ISC_R_FAILURE);
  721 
  722     return (ret);
  723 }
  724 
  725 static isc_result_t
  726 pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
  727     CK_RV rv;
  728     CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 };
  729     CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
  730     CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
  731     CK_KEY_TYPE keyType = CKK_RSA;
  732     CK_ATTRIBUTE keyTemplate[] =
  733     {
  734         { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
  735         { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
  736         { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
  737         { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
  738         { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
  739         { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
  740         { CKA_MODULUS, NULL, 0 },
  741         { CKA_PUBLIC_EXPONENT, NULL, 0 },
  742         { CKA_PRIVATE_EXPONENT, NULL, 0 },
  743         { CKA_PRIME_1, NULL, 0 },
  744         { CKA_PRIME_2, NULL, 0 },
  745         { CKA_EXPONENT_1, NULL, 0 },
  746         { CKA_EXPONENT_2, NULL, 0 },
  747         { CKA_COEFFICIENT, NULL, 0 }
  748     };
  749     CK_ATTRIBUTE *attr;
  750     CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH];
  751     CK_BYTE *der;
  752     CK_ULONG derlen;
  753     CK_ULONG hashlen;
  754     CK_ULONG dgstlen;
  755     CK_ULONG siglen = 0;
  756     pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
  757     dst_key_t *key = dctx->key;
  758     pk11_object_t *rsa = key->keydata.pkey;
  759     isc_region_t r;
  760     isc_result_t ret = ISC_R_SUCCESS;
  761     unsigned int i;
  762 
  763 #ifndef PK11_MD5_DISABLE
  764     REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
  765         key->key_alg == DST_ALG_RSASHA1 ||
  766         key->key_alg == DST_ALG_NSEC3RSASHA1 ||
  767         key->key_alg == DST_ALG_RSASHA256 ||
  768         key->key_alg == DST_ALG_RSASHA512);
  769 #else
  770     REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
  771         key->key_alg == DST_ALG_NSEC3RSASHA1 ||
  772         key->key_alg == DST_ALG_RSASHA256 ||
  773         key->key_alg == DST_ALG_RSASHA512);
  774 #endif
  775     REQUIRE(rsa != NULL);
  776 
  777     /*
  778      * Reject incorrect RSA key lengths.
  779      */
  780     switch (dctx->key->key_alg) {
  781     case DST_ALG_RSAMD5:
  782     case DST_ALG_RSASHA1:
  783     case DST_ALG_NSEC3RSASHA1:
  784         /* From RFC 3110 */
  785         if (dctx->key->key_size > 4096)
  786             return (ISC_R_FAILURE);
  787         break;
  788     case DST_ALG_RSASHA256:
  789         /* From RFC 5702 */
  790         if ((dctx->key->key_size < 512) ||
  791             (dctx->key->key_size > 4096))
  792             return (ISC_R_FAILURE);
  793         break;
  794     case DST_ALG_RSASHA512:
  795         /* From RFC 5702 */
  796         if ((dctx->key->key_size < 1024) ||
  797             (dctx->key->key_size > 4096))
  798             return (ISC_R_FAILURE);
  799         break;
  800     default:
  801         INSIST(0);
  802         ISC_UNREACHABLE();
  803     }
  804 
  805     switch (key->key_alg) {
  806 #ifndef PK11_MD5_DISABLE
  807     case DST_ALG_RSAMD5:
  808         der = md5_der;
  809         derlen = sizeof(md5_der);
  810         hashlen = ISC_MD5_DIGESTLENGTH;
  811         break;
  812 #endif
  813     case DST_ALG_RSASHA1:
  814     case DST_ALG_NSEC3RSASHA1:
  815         der = sha1_der;
  816         derlen = sizeof(sha1_der);
  817         hashlen = ISC_SHA1_DIGESTLENGTH;
  818         break;
  819     case DST_ALG_RSASHA256:
  820         der = sha256_der;
  821         derlen = sizeof(sha256_der);
  822         hashlen = ISC_SHA256_DIGESTLENGTH;
  823         break;
  824     case DST_ALG_RSASHA512:
  825         der = sha512_der;
  826         derlen = sizeof(sha512_der);
  827         hashlen = ISC_SHA512_DIGESTLENGTH;
  828         break;
  829     default:
  830         INSIST(0);
  831         ISC_UNREACHABLE();
  832     }
  833     dgstlen = derlen + hashlen;
  834     INSIST(dgstlen <= sizeof(digest));
  835     memmove(digest, der, derlen);
  836 
  837     PK11_RET(pkcs_C_DigestFinal,
  838          (pk11_ctx->session, digest + derlen, &hashlen),
  839          DST_R_SIGNFAILURE);
  840 
  841     isc_buffer_availableregion(sig, &r);
  842     if (r.length < (unsigned int) dgstlen + MIN_PKCS1_PADLEN)
  843         return (ISC_R_NOSPACE);
  844 
  845     if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
  846         pk11_ctx->ontoken = rsa->ontoken;
  847         pk11_ctx->object = rsa->object;
  848         goto token_key;
  849     }
  850 
  851     for (attr = pk11_attribute_first(rsa);
  852          attr != NULL;
  853          attr = pk11_attribute_next(rsa, attr))
  854         switch (attr->type) {
  855         case CKA_MODULUS:
  856             INSIST(keyTemplate[6].type == attr->type);
  857             keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
  858                                 attr->ulValueLen);
  859             if (keyTemplate[6].pValue == NULL)
  860                 DST_RET(ISC_R_NOMEMORY);
  861             memmove(keyTemplate[6].pValue, attr->pValue,
  862                 attr->ulValueLen);
  863             keyTemplate[6].ulValueLen = attr->ulValueLen;
  864             break;
  865         case CKA_PUBLIC_EXPONENT:
  866             INSIST(keyTemplate[7].type == attr->type);
  867             keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
  868                                 attr->ulValueLen);
  869             if (keyTemplate[7].pValue == NULL)
  870                 DST_RET(ISC_R_NOMEMORY);
  871             memmove(keyTemplate[7].pValue, attr->pValue,
  872                 attr->ulValueLen);
  873             keyTemplate[7].ulValueLen = attr->ulValueLen;
  874             break;
  875         case CKA_PRIVATE_EXPONENT:
  876             INSIST(keyTemplate[8].type == attr->type);
  877             keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
  878                                 attr->ulValueLen);
  879             if (keyTemplate[8].pValue == NULL)
  880                 DST_RET(ISC_R_NOMEMORY);
  881             memmove(keyTemplate[8].pValue, attr->pValue,
  882                 attr->ulValueLen);
  883             keyTemplate[8].ulValueLen = attr->ulValueLen;
  884             break;
  885         case CKA_PRIME_1:
  886             INSIST(keyTemplate[9].type == attr->type);
  887             keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
  888                                 attr->ulValueLen);
  889             if (keyTemplate[9].pValue == NULL)
  890                 DST_RET(ISC_R_NOMEMORY);
  891             memmove(keyTemplate[9].pValue, attr->pValue,
  892                 attr->ulValueLen);
  893             keyTemplate[9].ulValueLen = attr->ulValueLen;
  894             break;
  895         case CKA_PRIME_2:
  896             INSIST(keyTemplate[10].type == attr->type);
  897             keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
  898                                 attr->ulValueLen);
  899             if (keyTemplate[10].pValue == NULL)
  900                 DST_RET(ISC_R_NOMEMORY);
  901             memmove(keyTemplate[10].pValue, attr->pValue,
  902                 attr->ulValueLen);
  903             keyTemplate[10].ulValueLen = attr->ulValueLen;
  904             break;
  905         case CKA_EXPONENT_1:
  906             INSIST(keyTemplate[11].type == attr->type);
  907             keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
  908                                  attr->ulValueLen);
  909             if (keyTemplate[11].pValue == NULL)
  910                 DST_RET(ISC_R_NOMEMORY);
  911             memmove(keyTemplate[11].pValue, attr->pValue,
  912                 attr->ulValueLen);
  913             keyTemplate[11].ulValueLen = attr->ulValueLen;
  914             break;
  915         case CKA_EXPONENT_2:
  916             INSIST(keyTemplate[12].type == attr->type);
  917             keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
  918                                  attr->ulValueLen);
  919             if (keyTemplate[12].pValue == NULL)
  920                 DST_RET(ISC_R_NOMEMORY);
  921             memmove(keyTemplate[12].pValue, attr->pValue,
  922                 attr->ulValueLen);
  923             keyTemplate[12].ulValueLen = attr->ulValueLen;
  924             break;
  925         case CKA_COEFFICIENT:
  926             INSIST(keyTemplate[13].type == attr->type);
  927             keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
  928                                  attr->ulValueLen);
  929             if (keyTemplate[13].pValue == NULL)
  930                 DST_RET(ISC_R_NOMEMORY);
  931             memmove(keyTemplate[13].pValue, attr->pValue,
  932                 attr->ulValueLen);
  933             keyTemplate[13].ulValueLen = attr->ulValueLen;
  934             break;
  935         }
  936     pk11_ctx->object = CK_INVALID_HANDLE;
  937     pk11_ctx->ontoken = false;
  938     PK11_RET(pkcs_C_CreateObject,
  939          (pk11_ctx->session,
  940           keyTemplate, (CK_ULONG) 14,
  941           &hKey),
  942          ISC_R_FAILURE);
  943 
  944     token_key:
  945 
  946     PK11_RET(pkcs_C_SignInit,
  947          (pk11_ctx->session, &mech,
  948           pk11_ctx->ontoken ? pk11_ctx->object : hKey),
  949          ISC_R_FAILURE);
  950 
  951     PK11_RET(pkcs_C_Sign,
  952          (pk11_ctx->session,
  953           digest, dgstlen,
  954           NULL, &siglen),
  955          DST_R_SIGNFAILURE);
  956 
  957     if (r.length < (unsigned int) siglen)
  958         return (ISC_R_NOSPACE);
  959 
  960     PK11_RET(pkcs_C_Sign,
  961          (pk11_ctx->session,
  962           digest, dgstlen,
  963           (CK_BYTE_PTR) r.base, &siglen),
  964          DST_R_SIGNFAILURE);
  965 
  966     isc_buffer_add(sig, (unsigned int) siglen);
  967 
  968     err:
  969     if (hKey != CK_INVALID_HANDLE)
  970         (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
  971     for (i = 6; i <= 13; i++)
  972         if (keyTemplate[i].pValue != NULL) {
  973             isc_safe_memwipe(keyTemplate[i].pValue,
  974                      keyTemplate[i].ulValueLen);
  975             isc_mem_put(dctx->mctx,
  976                     keyTemplate[i].pValue,
  977                     keyTemplate[i].ulValueLen);
  978         }
  979     pk11_return_session(pk11_ctx);
  980     isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
  981     isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
  982     dctx->ctxdata.pk11_ctx = NULL;
  983 
  984     return (ret);
  985 }
  986 
  987 static isc_result_t
  988 pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
  989     CK_RV rv;
  990     CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 };
  991     CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
  992     CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
  993     CK_KEY_TYPE keyType = CKK_RSA;
  994     CK_ATTRIBUTE keyTemplate[] =
  995     {
  996         { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
  997         { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
  998         { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
  999         { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
 1000         { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
 1001         { CKA_MODULUS, NULL, 0 },
 1002         { CKA_PUBLIC_EXPONENT, NULL, 0 },
 1003     };
 1004     CK_ATTRIBUTE *attr;
 1005     CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH];
 1006     CK_BYTE *der;
 1007     CK_ULONG derlen;
 1008     CK_ULONG hashlen;
 1009     CK_ULONG dgstlen;
 1010     pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
 1011     dst_key_t *key = dctx->key;
 1012     pk11_object_t *rsa = key->keydata.pkey;
 1013     isc_result_t ret = ISC_R_SUCCESS;
 1014     unsigned int i;
 1015 
 1016 #ifndef PK11_MD5_DISABLE
 1017     REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
 1018         key->key_alg == DST_ALG_RSASHA1 ||
 1019         key->key_alg == DST_ALG_NSEC3RSASHA1 ||
 1020         key->key_alg == DST_ALG_RSASHA256 ||
 1021         key->key_alg == DST_ALG_RSASHA512);
 1022 #else
 1023     REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
 1024         key->key_alg == DST_ALG_NSEC3RSASHA1 ||
 1025         key->key_alg == DST_ALG_RSASHA256 ||
 1026         key->key_alg == DST_ALG_RSASHA512);
 1027 #endif
 1028     REQUIRE(rsa != NULL);
 1029 
 1030     switch (key->key_alg) {
 1031 #ifndef PK11_MD5_DISABLE
 1032     case DST_ALG_RSAMD5:
 1033         der = md5_der;
 1034         derlen = sizeof(md5_der);
 1035         hashlen = ISC_MD5_DIGESTLENGTH;
 1036         break;
 1037 #endif
 1038     case DST_ALG_RSASHA1:
 1039     case DST_ALG_NSEC3RSASHA1:
 1040         der = sha1_der;
 1041         derlen = sizeof(sha1_der);
 1042         hashlen = ISC_SHA1_DIGESTLENGTH;
 1043         break;
 1044     case DST_ALG_RSASHA256:
 1045         der = sha256_der;
 1046         derlen = sizeof(sha256_der);
 1047         hashlen = ISC_SHA256_DIGESTLENGTH;
 1048         break;
 1049     case DST_ALG_RSASHA512:
 1050         der = sha512_der;
 1051         derlen = sizeof(sha512_der);
 1052         hashlen = ISC_SHA512_DIGESTLENGTH;
 1053         break;
 1054     default:
 1055         INSIST(0);
 1056         ISC_UNREACHABLE();
 1057     }
 1058     dgstlen = derlen + hashlen;
 1059     INSIST(dgstlen <= sizeof(digest));
 1060     memmove(digest, der, derlen);
 1061 
 1062     PK11_RET(pkcs_C_DigestFinal,
 1063          (pk11_ctx->session, digest + derlen, &hashlen),
 1064          DST_R_SIGNFAILURE);
 1065 
 1066     for (attr = pk11_attribute_first(rsa);
 1067          attr != NULL;
 1068          attr = pk11_attribute_next(rsa, attr))
 1069         switch (attr->type) {
 1070         case CKA_MODULUS:
 1071             INSIST(keyTemplate[5].type == attr->type);
 1072             keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
 1073                                 attr->ulValueLen);
 1074             if (keyTemplate[5].pValue == NULL)
 1075                 DST_RET(ISC_R_NOMEMORY);
 1076             memmove(keyTemplate[5].pValue, attr->pValue,
 1077                 attr->ulValueLen);
 1078             keyTemplate[5].ulValueLen = attr->ulValueLen;
 1079             break;
 1080         case CKA_PUBLIC_EXPONENT:
 1081             unsigned int bits;
 1082             INSIST(keyTemplate[6].type == attr->type);
 1083             keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
 1084                                 attr->ulValueLen);
 1085             if (keyTemplate[6].pValue == NULL)
 1086                 DST_RET(ISC_R_NOMEMORY);
 1087             memmove(keyTemplate[6].pValue, attr->pValue,
 1088                 attr->ulValueLen);
 1089             keyTemplate[6].ulValueLen = attr->ulValueLen;
 1090             ret = pk11_numbits(attr->pValue, attr->ulValueLen,
 1091                        &bits);
 1092             if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
 1093             {
 1094                 DST_RET(DST_R_VERIFYFAILURE);
 1095             }
 1096             break;
 1097         }
 1098     pk11_ctx->object = CK_INVALID_HANDLE;
 1099     pk11_ctx->ontoken = false;
 1100     PK11_RET(pkcs_C_CreateObject,
 1101          (pk11_ctx->session,
 1102           keyTemplate, (CK_ULONG) 7,
 1103           &hKey),
 1104          ISC_R_FAILURE);
 1105 
 1106     PK11_RET(pkcs_C_VerifyInit,
 1107          (pk11_ctx->session, &mech, hKey),
 1108          ISC_R_FAILURE);
 1109 
 1110     PK11_RET(pkcs_C_Verify,
 1111          (pk11_ctx->session,
 1112           digest, dgstlen,
 1113           (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length),
 1114          DST_R_VERIFYFAILURE);
 1115 
 1116     err:
 1117     if (hKey != CK_INVALID_HANDLE)
 1118         (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
 1119     for (i = 5; i <= 6; i++)
 1120         if (keyTemplate[i].pValue != NULL) {
 1121             isc_safe_memwipe(keyTemplate[i].pValue,
 1122                      keyTemplate[i].ulValueLen);
 1123             isc_mem_put(dctx->mctx,
 1124                     keyTemplate[i].pValue,
 1125                     keyTemplate[i].ulValueLen);
 1126         }
 1127     pk11_return_session(pk11_ctx);
 1128     isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 1129     isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 1130     dctx->ctxdata.pk11_ctx = NULL;
 1131 
 1132     return (ret);
 1133 }
 1134 #endif
 1135 
 1136 static bool
 1137 pkcs11rsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 1138     pk11_object_t *rsa1, *rsa2;
 1139     CK_ATTRIBUTE *attr1, *attr2;
 1140 
 1141     rsa1 = key1->keydata.pkey;
 1142     rsa2 = key2->keydata.pkey;
 1143 
 1144     if ((rsa1 == NULL) && (rsa2 == NULL))
 1145         return (true);
 1146     else if ((rsa1 == NULL) || (rsa2 == NULL))
 1147         return (false);
 1148 
 1149     attr1 = pk11_attribute_bytype(rsa1, CKA_MODULUS);
 1150     attr2 = pk11_attribute_bytype(rsa2, CKA_MODULUS);
 1151     if ((attr1 == NULL) && (attr2 == NULL))
 1152         return (true);
 1153     else if ((attr1 == NULL) || (attr2 == NULL) ||
 1154          (attr1->ulValueLen != attr2->ulValueLen) ||
 1155          !isc_safe_memequal(attr1->pValue, attr2->pValue,
 1156                     attr1->ulValueLen))
 1157         return (false);
 1158 
 1159     attr1 = pk11_attribute_bytype(rsa1, CKA_PUBLIC_EXPONENT);
 1160     attr2 = pk11_attribute_bytype(rsa2, CKA_PUBLIC_EXPONENT);
 1161     if ((attr1 == NULL) && (attr2 == NULL))
 1162         return (true);
 1163     else if ((attr1 == NULL) || (attr2 == NULL) ||
 1164          (attr1->ulValueLen != attr2->ulValueLen) ||
 1165          !isc_safe_memequal(attr1->pValue, attr2->pValue,
 1166                     attr1->ulValueLen))
 1167         return (false);
 1168 
 1169     attr1 = pk11_attribute_bytype(rsa1, CKA_PRIVATE_EXPONENT);
 1170     attr2 = pk11_attribute_bytype(rsa2, CKA_PRIVATE_EXPONENT);
 1171     if (((attr1 != NULL) || (attr2 != NULL)) &&
 1172         ((attr1 == NULL) || (attr2 == NULL) ||
 1173          (attr1->ulValueLen != attr2->ulValueLen) ||
 1174          !isc_safe_memequal(attr1->pValue, attr2->pValue,
 1175                 attr1->ulValueLen)))
 1176         return (false);
 1177 
 1178     if (!rsa1->ontoken && !rsa2->ontoken)
 1179         return (true);
 1180     else if (rsa1->ontoken || rsa2->ontoken ||
 1181          (rsa1->object != rsa2->object))
 1182         return (false);
 1183 
 1184     return (true);
 1185 }
 1186 
 1187 static isc_result_t
 1188 pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 1189     CK_RV rv;
 1190     CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
 1191     CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
 1192     CK_ULONG bits = 0;
 1193     CK_BYTE pubexp[5];
 1194     CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
 1195     CK_KEY_TYPE  keyType = CKK_RSA;
 1196     CK_ATTRIBUTE pubTemplate[] =
 1197     {
 1198         { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
 1199         { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
 1200         { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
 1201         { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
 1202         { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
 1203         { CKA_MODULUS_BITS, &bits, (CK_ULONG) sizeof(bits) },
 1204         { CKA_PUBLIC_EXPONENT, &pubexp, (CK_ULONG) sizeof(pubexp) }
 1205     };
 1206     CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
 1207     CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
 1208     CK_ATTRIBUTE privTemplate[] =
 1209     {
 1210         { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
 1211         { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
 1212         { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
 1213         { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
 1214         { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
 1215         { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
 1216         { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
 1217     };
 1218     CK_ATTRIBUTE *attr;
 1219     pk11_object_t *rsa;
 1220     pk11_context_t *pk11_ctx;
 1221     isc_result_t ret;
 1222     unsigned int i;
 1223 
 1224     UNUSED(callback);
 1225 
 1226     /*
 1227      * Reject incorrect RSA key lengths.
 1228      */
 1229     switch (key->key_alg) {
 1230     case DST_ALG_RSAMD5:
 1231     case DST_ALG_RSASHA1:
 1232     case DST_ALG_NSEC3RSASHA1:
 1233         /* From RFC 3110 */
 1234         if (key->key_size > 4096)
 1235             return (ISC_R_FAILURE);
 1236         break;
 1237     case DST_ALG_RSASHA256:
 1238         /* From RFC 5702 */
 1239         if ((key->key_size < 512) ||
 1240             (key->key_size > 4096))
 1241             return (ISC_R_FAILURE);
 1242         break;
 1243     case DST_ALG_RSASHA512:
 1244         /* From RFC 5702 */
 1245         if ((key->key_size < 1024) ||
 1246             (key->key_size > 4096))
 1247             return (ISC_R_FAILURE);
 1248         break;
 1249     default:
 1250         INSIST(0);
 1251         ISC_UNREACHABLE();
 1252     }
 1253 
 1254     pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
 1255                           sizeof(*pk11_ctx));
 1256     if (pk11_ctx == NULL)
 1257         return (ISC_R_NOMEMORY);
 1258     ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
 1259                    false, NULL, pk11_get_best_token(OP_RSA));
 1260     if (ret != ISC_R_SUCCESS)
 1261         goto err;
 1262 
 1263     bits = key->key_size;
 1264     if (exp == 0) {
 1265         /* RSA_F4 0x10001 */
 1266         pubexp[0] = 1;
 1267         pubexp[1] = 0;
 1268         pubexp[2] = 1;
 1269         pubTemplate[6].ulValueLen = 3;
 1270     } else {
 1271         /* F5 0x100000001 */
 1272         pubexp[0] = 1;
 1273         pubexp[1] = 0;
 1274         pubexp[2] = 0;
 1275         pubexp[3] = 0;
 1276         pubexp[4] = 1;
 1277         pubTemplate[6].ulValueLen = 5;
 1278     }
 1279 
 1280     PK11_RET(pkcs_C_GenerateKeyPair,
 1281          (pk11_ctx->session, &mech,
 1282           pubTemplate, (CK_ULONG) 7,
 1283           privTemplate, (CK_ULONG) 7,
 1284           &pub, &priv),
 1285          DST_R_CRYPTOFAILURE);
 1286 
 1287     rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
 1288     if (rsa == NULL)
 1289         DST_RET(ISC_R_NOMEMORY);
 1290     memset(rsa, 0, sizeof(*rsa));
 1291     key->keydata.pkey = rsa;
 1292     rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8);
 1293     if (rsa->repr == NULL)
 1294         DST_RET(ISC_R_NOMEMORY);
 1295     memset(rsa->repr, 0, sizeof(*attr) * 8);
 1296     rsa->attrcnt = 8;
 1297 
 1298     attr = rsa->repr;
 1299     attr[0].type = CKA_MODULUS;
 1300     attr[1].type = CKA_PUBLIC_EXPONENT;
 1301     attr[2].type = CKA_PRIVATE_EXPONENT;
 1302     attr[3].type = CKA_PRIME_1;
 1303     attr[4].type = CKA_PRIME_2;
 1304     attr[5].type = CKA_EXPONENT_1;
 1305     attr[6].type = CKA_EXPONENT_2;
 1306     attr[7].type = CKA_COEFFICIENT;
 1307 
 1308     PK11_RET(pkcs_C_GetAttributeValue,
 1309          (pk11_ctx->session, pub, attr, 2),
 1310          DST_R_CRYPTOFAILURE);
 1311     for (i = 0; i <= 1; i++) {
 1312         attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
 1313         if (attr[i].pValue == NULL)
 1314             DST_RET(ISC_R_NOMEMORY);
 1315         memset(attr[i].pValue, 0, attr[i].ulValueLen);
 1316     }
 1317     PK11_RET(pkcs_C_GetAttributeValue,
 1318          (pk11_ctx->session, pub, attr, 2),
 1319          DST_R_CRYPTOFAILURE);
 1320 
 1321     attr += 2;
 1322     PK11_RET(pkcs_C_GetAttributeValue,
 1323          (pk11_ctx->session, priv, attr, 6),
 1324          DST_R_CRYPTOFAILURE);
 1325     for (i = 0; i <= 5; i++) {
 1326         attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
 1327         if (attr[i].pValue == NULL)
 1328             DST_RET(ISC_R_NOMEMORY);
 1329         memset(attr[i].pValue, 0, attr[i].ulValueLen);
 1330     }
 1331     PK11_RET(pkcs_C_GetAttributeValue,
 1332          (pk11_ctx->session, priv, attr, 6),
 1333          DST_R_CRYPTOFAILURE);
 1334 
 1335     (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
 1336     (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
 1337     pk11_return_session(pk11_ctx);
 1338     isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 1339     isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 1340 
 1341     return (ISC_R_SUCCESS);
 1342 
 1343     err:
 1344     pkcs11rsa_destroy(key);
 1345     if (priv != CK_INVALID_HANDLE)
 1346         (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
 1347     if (pub != CK_INVALID_HANDLE)
 1348         (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
 1349     pk11_return_session(pk11_ctx);
 1350     isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 1351     isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 1352 
 1353     return (ret);
 1354 }
 1355 
 1356 static bool
 1357 pkcs11rsa_isprivate(const dst_key_t *key) {
 1358     pk11_object_t *rsa = key->keydata.pkey;
 1359     CK_ATTRIBUTE *attr;
 1360 
 1361     if (rsa == NULL)
 1362         return (false);
 1363     attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT);
 1364     return (attr != NULL || rsa->ontoken);
 1365 }
 1366 
 1367 static void
 1368 pkcs11rsa_destroy(dst_key_t *key) {
 1369     pk11_object_t *rsa = key->keydata.pkey;
 1370     CK_ATTRIBUTE *attr;
 1371 
 1372     if (rsa == NULL)
 1373         return;
 1374 
 1375     INSIST((rsa->object == CK_INVALID_HANDLE) || rsa->ontoken);
 1376 
 1377     for (attr = pk11_attribute_first(rsa);
 1378          attr != NULL;
 1379          attr = pk11_attribute_next(rsa, attr))
 1380         switch (attr->type) {
 1381         case CKA_LABEL:
 1382         case CKA_ID:
 1383         case CKA_MODULUS:
 1384         case CKA_PUBLIC_EXPONENT:
 1385         case CKA_PRIVATE_EXPONENT:
 1386         case CKA_PRIME_1:
 1387         case CKA_PRIME_2:
 1388         case CKA_EXPONENT_1:
 1389         case CKA_EXPONENT_2:
 1390         case CKA_COEFFICIENT:
 1391             if (attr->pValue != NULL) {
 1392                 isc_safe_memwipe(attr->pValue,
 1393                          attr->ulValueLen);
 1394                 isc_mem_put(key->mctx,
 1395                         attr->pValue,
 1396                         attr->ulValueLen);
 1397             }
 1398             break;
 1399         }
 1400     if (rsa->repr != NULL) {
 1401         isc_safe_memwipe(rsa->repr, rsa->attrcnt * sizeof(*attr));
 1402         isc_mem_put(key->mctx,
 1403                 rsa->repr,
 1404                 rsa->attrcnt * sizeof(*attr));
 1405     }
 1406     isc_safe_memwipe(rsa, sizeof(*rsa));
 1407     isc_mem_put(key->mctx, rsa, sizeof(*rsa));
 1408     key->keydata.pkey = NULL;
 1409 }
 1410 
 1411 static isc_result_t
 1412 pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 1413     pk11_object_t *rsa;
 1414     CK_ATTRIBUTE *attr;
 1415     isc_region_t r;
 1416     unsigned int e_bytes = 0, mod_bytes = 0;
 1417     CK_BYTE *exponent = NULL, *modulus = NULL;
 1418 
 1419     REQUIRE(key->keydata.pkey != NULL);
 1420 
 1421     rsa = key->keydata.pkey;
 1422 
 1423     for (attr = pk11_attribute_first(rsa);
 1424          attr != NULL;
 1425          attr = pk11_attribute_next(rsa, attr))
 1426         switch (attr->type) {
 1427         case CKA_PUBLIC_EXPONENT:
 1428             exponent = (CK_BYTE *) attr->pValue;
 1429             e_bytes = (unsigned int) attr->ulValueLen;
 1430             break;
 1431         case CKA_MODULUS:
 1432             modulus = (CK_BYTE *) attr->pValue;
 1433             mod_bytes = (unsigned int) attr->ulValueLen;
 1434             break;
 1435         }
 1436     REQUIRE((exponent != NULL) && (modulus != NULL));
 1437 
 1438     isc_buffer_availableregion(data, &r);
 1439 
 1440     if (e_bytes < 256) {    /*%< key exponent is <= 2040 bits */
 1441         if (r.length < 1)
 1442             return (ISC_R_NOSPACE);
 1443         isc_buffer_putuint8(data, (uint8_t) e_bytes);
 1444         isc_region_consume(&r, 1);
 1445     } else {
 1446         if (r.length < 3)
 1447             return (ISC_R_NOSPACE);
 1448         isc_buffer_putuint8(data, 0);
 1449         isc_buffer_putuint16(data, (uint16_t) e_bytes);
 1450         isc_region_consume(&r, 3);
 1451     }
 1452 
 1453     if (r.length < e_bytes + mod_bytes)
 1454         return (ISC_R_NOSPACE);
 1455 
 1456     memmove(r.base, exponent, e_bytes);
 1457     isc_region_consume(&r, e_bytes);
 1458     memmove(r.base, modulus, mod_bytes);
 1459 
 1460     isc_buffer_add(data, e_bytes + mod_bytes);
 1461 
 1462     return (ISC_R_SUCCESS);
 1463 }
 1464 
 1465 static isc_result_t
 1466 pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 1467     pk11_object_t *rsa;
 1468     isc_region_t r;
 1469     unsigned int e_bytes, mod_bytes;
 1470     CK_BYTE *exponent = NULL, *modulus = NULL;
 1471     CK_ATTRIBUTE *attr;
 1472     unsigned int length;
 1473     unsigned int bits;
 1474     isc_result_t ret = ISC_R_SUCCESS;
 1475 
 1476     isc_buffer_remainingregion(data, &r);
 1477     if (r.length == 0)
 1478         return (ISC_R_SUCCESS);
 1479     length = r.length;
 1480 
 1481     rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
 1482     if (rsa == NULL)
 1483         return (ISC_R_NOMEMORY);
 1484 
 1485     memset(rsa, 0, sizeof(*rsa));
 1486 
 1487     e_bytes = *r.base;
 1488     isc_region_consume(&r, 1);
 1489 
 1490     if (e_bytes == 0) {
 1491         if (r.length < 2) {
 1492             DST_RET(DST_R_INVALIDPUBLICKEY);
 1493         }
 1494         e_bytes = (*r.base) << 8;
 1495         isc_region_consume(&r, 1);
 1496         e_bytes += *r.base;
 1497         isc_region_consume(&r, 1);
 1498     }
 1499 
 1500     if (r.length < e_bytes) {
 1501         DST_RET(DST_R_INVALIDPUBLICKEY);
 1502     }
 1503     exponent = r.base;
 1504     isc_region_consume(&r, e_bytes);
 1505     modulus = r.base;
 1506     mod_bytes = r.length;
 1507 
 1508     ret = pk11_numbits(modulus, mod_bytes, &bits);
 1509     if (ret != ISC_R_SUCCESS) {
 1510         goto err;
 1511     }
 1512     key->key_size = bits;
 1513 
 1514     isc_buffer_forward(data, length);
 1515 
 1516     rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
 1517     if (rsa->repr == NULL)
 1518         goto nomemory;
 1519     memset(rsa->repr, 0, sizeof(*attr) * 2);
 1520     rsa->attrcnt = 2;
 1521     attr = rsa->repr;
 1522     attr[0].type = CKA_MODULUS;
 1523     attr[0].pValue = isc_mem_get(key->mctx, mod_bytes);
 1524     if (attr[0].pValue == NULL)
 1525         goto nomemory;
 1526     memmove(attr[0].pValue, modulus, mod_bytes);
 1527     attr[0].ulValueLen = (CK_ULONG) mod_bytes;
 1528     attr[1].type = CKA_PUBLIC_EXPONENT;
 1529     attr[1].pValue = isc_mem_get(key->mctx, e_bytes);
 1530     if (attr[1].pValue == NULL)
 1531         goto nomemory;
 1532     memmove(attr[1].pValue, exponent, e_bytes);
 1533     attr[1].ulValueLen = (CK_ULONG) e_bytes;
 1534 
 1535     key->keydata.pkey = rsa;
 1536 
 1537     return (ISC_R_SUCCESS);
 1538 
 1539     nomemory:
 1540     for (attr = pk11_attribute_first(rsa);
 1541          attr != NULL;
 1542          attr = pk11_attribute_next(rsa, attr))
 1543         switch (attr->type) {
 1544         case CKA_MODULUS:
 1545         case CKA_PUBLIC_EXPONENT:
 1546             if (attr->pValue != NULL) {
 1547                 isc_safe_memwipe(attr->pValue,
 1548                          attr->ulValueLen);
 1549                 isc_mem_put(key->mctx,
 1550                         attr->pValue,
 1551                         attr->ulValueLen);
 1552             }
 1553             break;
 1554         }
 1555     if (rsa->repr != NULL) {
 1556         isc_safe_memwipe(rsa->repr,
 1557                  rsa->attrcnt * sizeof(*attr));
 1558         isc_mem_put(key->mctx,
 1559                 rsa->repr,
 1560                 rsa->attrcnt * sizeof(*attr));
 1561     }
 1562     ret = ISC_R_NOMEMORY;
 1563 
 1564     err:
 1565     isc_safe_memwipe(rsa, sizeof(*rsa));
 1566     isc_mem_put(key->mctx, rsa, sizeof(*rsa));
 1567     return (ret);
 1568 }
 1569 
 1570 static isc_result_t
 1571 pkcs11rsa_tofile(const dst_key_t *key, const char *directory) {
 1572     int i;
 1573     pk11_object_t *rsa;
 1574     CK_ATTRIBUTE *attr;
 1575     CK_ATTRIBUTE *modulus = NULL, *exponent = NULL;
 1576     CK_ATTRIBUTE  *d = NULL, *p = NULL, *q = NULL;
 1577     CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
 1578     dst_private_t priv;
 1579     unsigned char *bufs[10];
 1580     isc_result_t result;
 1581 
 1582     if (key->keydata.pkey == NULL)
 1583         return (DST_R_NULLKEY);
 1584 
 1585     if (key->external) {
 1586         priv.nelements = 0;
 1587         return (dst__privstruct_writefile(key, &priv, directory));
 1588     }
 1589 
 1590     rsa = key->keydata.pkey;
 1591 
 1592     for (attr = pk11_attribute_first(rsa);
 1593          attr != NULL;
 1594          attr = pk11_attribute_next(rsa, attr))
 1595         switch (attr->type) {
 1596         case CKA_MODULUS:
 1597             modulus = attr;
 1598             break;
 1599         case CKA_PUBLIC_EXPONENT:
 1600             exponent = attr;
 1601             break;
 1602         case CKA_PRIVATE_EXPONENT:
 1603             d = attr;
 1604             break;
 1605         case CKA_PRIME_1:
 1606             p = attr;
 1607             break;
 1608         case CKA_PRIME_2:
 1609             q = attr;
 1610             break;
 1611         case CKA_EXPONENT_1:
 1612             dmp1 = attr;
 1613             break;
 1614         case CKA_EXPONENT_2:
 1615             dmq1 = attr;
 1616             break;
 1617         case CKA_COEFFICIENT:
 1618             iqmp = attr;
 1619             break;
 1620         }
 1621     if ((modulus == NULL) || (exponent == NULL))
 1622         return (DST_R_NULLKEY);
 1623 
 1624     memset(bufs, 0, sizeof(bufs));
 1625 
 1626     for (i = 0; i < 10; i++) {
 1627         bufs[i] = isc_mem_get(key->mctx, modulus->ulValueLen);
 1628         if (bufs[i] == NULL) {
 1629             result = ISC_R_NOMEMORY;
 1630             goto fail;
 1631         }
 1632         memset(bufs[i], 0, modulus->ulValueLen);
 1633     }
 1634 
 1635     i = 0;
 1636 
 1637     priv.elements[i].tag = TAG_RSA_MODULUS;
 1638     priv.elements[i].length = (unsigned short) modulus->ulValueLen;
 1639     memmove(bufs[i], modulus->pValue, modulus->ulValueLen);
 1640     priv.elements[i].data = bufs[i];
 1641     i++;
 1642 
 1643     priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
 1644     priv.elements[i].length = (unsigned short) exponent->ulValueLen;
 1645     memmove(bufs[i], exponent->pValue, exponent->ulValueLen);
 1646     priv.elements[i].data = bufs[i];
 1647     i++;
 1648 
 1649     if (d != NULL) {
 1650         priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
 1651         priv.elements[i].length = (unsigned short) d->ulValueLen;
 1652         memmove(bufs[i], d->pValue, d->ulValueLen);
 1653         priv.elements[i].data = bufs[i];
 1654         i++;
 1655     }
 1656 
 1657     if (p != NULL) {
 1658         priv.elements[i].tag = TAG_RSA_PRIME1;
 1659         priv.elements[i].length = (unsigned short) p->ulValueLen;
 1660         memmove(bufs[i], p->pValue, p->ulValueLen);
 1661         priv.elements[i].data = bufs[i];
 1662         i++;
 1663     }
 1664 
 1665     if (q != NULL) {
 1666         priv.elements[i].tag = TAG_RSA_PRIME2;
 1667         priv.elements[i].length = (unsigned short) q->ulValueLen;
 1668         memmove(bufs[i], q->pValue, q->ulValueLen);
 1669         priv.elements[i].data = bufs[i];
 1670         i++;
 1671     }
 1672 
 1673     if (dmp1 != NULL) {
 1674         priv.elements[i].tag = TAG_RSA_EXPONENT1;
 1675         priv.elements[i].length = (unsigned short) dmp1->ulValueLen;
 1676         memmove(bufs[i], dmp1->pValue, dmp1->ulValueLen);
 1677         priv.elements[i].data = bufs[i];
 1678         i++;
 1679     }
 1680 
 1681     if (dmq1 != NULL) {
 1682         priv.elements[i].tag = TAG_RSA_EXPONENT2;
 1683         priv.elements[i].length = (unsigned short) dmq1->ulValueLen;
 1684         memmove(bufs[i], dmq1->pValue, dmq1->ulValueLen);
 1685         priv.elements[i].data = bufs[i];
 1686         i++;
 1687     }
 1688 
 1689     if (iqmp != NULL) {
 1690         priv.elements[i].tag = TAG_RSA_COEFFICIENT;
 1691         priv.elements[i].length = (unsigned short) iqmp->ulValueLen;
 1692         memmove(bufs[i], iqmp->pValue, iqmp->ulValueLen);
 1693         priv.elements[i].data = bufs[i];
 1694         i++;
 1695     }
 1696 
 1697     if (key->engine != NULL) {
 1698         priv.elements[i].tag = TAG_RSA_ENGINE;
 1699         priv.elements[i].length =
 1700             (unsigned short)strlen(key->engine) + 1;
 1701         priv.elements[i].data = (unsigned char *)key->engine;
 1702         i++;
 1703     }
 1704 
 1705     if (key->label != NULL) {
 1706         priv.elements[i].tag = TAG_RSA_LABEL;
 1707         priv.elements[i].length =
 1708             (unsigned short)strlen(key->label) + 1;
 1709         priv.elements[i].data = (unsigned char *)key->label;
 1710         i++;
 1711     }
 1712 
 1713     priv.nelements = i;
 1714     result = dst__privstruct_writefile(key, &priv, directory);
 1715  fail:
 1716     for (i = 0; i < 10; i++) {
 1717         if (bufs[i] == NULL)
 1718             break;
 1719         isc_safe_memwipe(bufs[i], modulus->ulValueLen);
 1720         isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen);
 1721     }
 1722     return (result);
 1723 }
 1724 
 1725 static isc_result_t
 1726 pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
 1727         dst_key_t *pub)
 1728 {
 1729     CK_RV rv;
 1730     CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
 1731     CK_KEY_TYPE keyType = CKK_RSA;
 1732     CK_ATTRIBUTE searchTemplate[] =
 1733     {
 1734         { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
 1735         { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
 1736         { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
 1737         { CKA_LABEL, NULL, 0 }
 1738     };
 1739     CK_ULONG cnt;
 1740     CK_ATTRIBUTE *attr;
 1741     CK_ATTRIBUTE *pubattr;
 1742     pk11_object_t *rsa;
 1743     pk11_object_t *pubrsa;
 1744     pk11_context_t *pk11_ctx = NULL;
 1745     isc_result_t ret;
 1746     unsigned int bits;
 1747 
 1748     if (label == NULL)
 1749         return (DST_R_NOENGINE);
 1750 
 1751     rsa = key->keydata.pkey;
 1752     pubrsa = pub->keydata.pkey;
 1753 
 1754     rsa->object = CK_INVALID_HANDLE;
 1755     rsa->ontoken = true;
 1756     rsa->reqlogon = true;
 1757     rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
 1758     if (rsa->repr == NULL)
 1759         return (ISC_R_NOMEMORY);
 1760     memset(rsa->repr, 0, sizeof(*attr) * 2);
 1761     rsa->attrcnt = 2;
 1762     attr = rsa->repr;
 1763 
 1764     attr->type = CKA_MODULUS;
 1765     pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
 1766     INSIST(pubattr != NULL);
 1767     attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
 1768     if (attr->pValue == NULL)
 1769         DST_RET(ISC_R_NOMEMORY);
 1770     memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
 1771     attr->ulValueLen = pubattr->ulValueLen;
 1772     attr++;
 1773 
 1774     attr->type = CKA_PUBLIC_EXPONENT;
 1775     pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
 1776     INSIST(pubattr != NULL);
 1777     attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
 1778     if (attr->pValue == NULL)
 1779         DST_RET(ISC_R_NOMEMORY);
 1780     memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
 1781     attr->ulValueLen = pubattr->ulValueLen;
 1782 
 1783     ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
 1784     if (ret != ISC_R_SUCCESS)
 1785         goto err;
 1786 
 1787     pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
 1788                           sizeof(*pk11_ctx));
 1789     if (pk11_ctx == NULL)
 1790         DST_RET(ISC_R_NOMEMORY);
 1791     ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
 1792                    rsa->reqlogon, NULL, rsa->slot);
 1793     if (ret != ISC_R_SUCCESS)
 1794         goto err;
 1795 
 1796     attr = pk11_attribute_bytype(rsa, CKA_LABEL);
 1797     if (attr == NULL) {
 1798         attr = pk11_attribute_bytype(rsa, CKA_ID);
 1799         INSIST(attr != NULL);
 1800         searchTemplate[3].type = CKA_ID;
 1801     }
 1802     searchTemplate[3].pValue = attr->pValue;
 1803     searchTemplate[3].ulValueLen = attr->ulValueLen;
 1804 
 1805     PK11_RET(pkcs_C_FindObjectsInit,
 1806          (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
 1807          DST_R_CRYPTOFAILURE);
 1808     PK11_RET(pkcs_C_FindObjects,
 1809          (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt),
 1810          DST_R_CRYPTOFAILURE);
 1811     (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
 1812     if (cnt == 0)
 1813         DST_RET(ISC_R_NOTFOUND);
 1814     if (cnt > 1)
 1815         DST_RET(ISC_R_EXISTS);
 1816 
 1817     if (engine != NULL) {
 1818         key->engine = isc_mem_strdup(key->mctx, engine);
 1819         if (key->engine == NULL)
 1820             DST_RET(ISC_R_NOMEMORY);
 1821     }
 1822 
 1823     key->label = isc_mem_strdup(key->mctx, label);
 1824     if (key->label == NULL)
 1825         DST_RET(ISC_R_NOMEMORY);
 1826 
 1827     pk11_return_session(pk11_ctx);
 1828     isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 1829     isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 1830 
 1831     attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
 1832     INSIST(attr != NULL);
 1833     ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
 1834     if (ret != ISC_R_SUCCESS) {
 1835         goto err;
 1836     }
 1837     key->key_size = bits;
 1838 
 1839     return (ISC_R_SUCCESS);
 1840 
 1841     err:
 1842     if (pk11_ctx != NULL) {
 1843         pk11_return_session(pk11_ctx);
 1844         isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 1845         isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 1846     }
 1847 
 1848     return (ret);
 1849 }
 1850 
 1851 static isc_result_t
 1852 rsa_check(pk11_object_t *rsa, pk11_object_t *pubrsa) {
 1853     CK_ATTRIBUTE *pubattr, *privattr;
 1854     CK_BYTE *priv_exp = NULL, *priv_mod = NULL;
 1855     CK_BYTE *pub_exp = NULL, *pub_mod = NULL;
 1856     unsigned int priv_explen = 0, priv_modlen = 0;
 1857     unsigned int pub_explen = 0, pub_modlen = 0;
 1858 
 1859     REQUIRE(rsa != NULL && pubrsa != NULL);
 1860 
 1861     privattr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
 1862     INSIST(privattr != NULL);
 1863     priv_exp = privattr->pValue;
 1864     priv_explen = privattr->ulValueLen;
 1865 
 1866     pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
 1867     INSIST(pubattr != NULL);
 1868     pub_exp = pubattr->pValue;
 1869     pub_explen = pubattr->ulValueLen;
 1870 
 1871     if (priv_exp != NULL) {
 1872         if (priv_explen != pub_explen)
 1873             return (DST_R_INVALIDPRIVATEKEY);
 1874         if (!isc_safe_memequal(priv_exp, pub_exp, pub_explen))
 1875             return (DST_R_INVALIDPRIVATEKEY);
 1876     } else {
 1877         privattr->pValue = pub_exp;
 1878         privattr->ulValueLen = pub_explen;
 1879         pubattr->pValue = NULL;
 1880         pubattr->ulValueLen = 0;
 1881     }
 1882 
 1883     if (privattr->pValue == NULL)
 1884         return (DST_R_INVALIDPRIVATEKEY);
 1885 
 1886     privattr = pk11_attribute_bytype(rsa, CKA_MODULUS);
 1887     INSIST(privattr != NULL);
 1888     priv_mod = privattr->pValue;
 1889     priv_modlen = privattr->ulValueLen;
 1890 
 1891     pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
 1892     INSIST(pubattr != NULL);
 1893     pub_mod = pubattr->pValue;
 1894     pub_modlen = pubattr->ulValueLen;
 1895 
 1896     if (priv_mod != NULL) {
 1897         if (priv_modlen != pub_modlen)
 1898             return (DST_R_INVALIDPRIVATEKEY);
 1899         if (!isc_safe_memequal(priv_mod, pub_mod, pub_modlen))
 1900             return (DST_R_INVALIDPRIVATEKEY);
 1901     } else {
 1902         privattr->pValue = pub_mod;
 1903         privattr->ulValueLen = pub_modlen;
 1904         pubattr->pValue = NULL;
 1905         pubattr->ulValueLen = 0;
 1906     }
 1907 
 1908     if (privattr->pValue == NULL)
 1909         return (DST_R_INVALIDPRIVATEKEY);
 1910 
 1911     return (ISC_R_SUCCESS);
 1912 }
 1913 
 1914 static isc_result_t
 1915 pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 1916     dst_private_t priv;
 1917     isc_result_t ret;
 1918     int i;
 1919     pk11_object_t *rsa;
 1920     CK_ATTRIBUTE *attr;
 1921     isc_mem_t *mctx = key->mctx;
 1922     const char *engine = NULL, *label = NULL;
 1923     unsigned int bits;
 1924 
 1925     /* read private key file */
 1926     ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
 1927     if (ret != ISC_R_SUCCESS)
 1928         return (ret);
 1929 
 1930     if (key->external) {
 1931         if (priv.nelements != 0)
 1932             DST_RET(DST_R_INVALIDPRIVATEKEY);
 1933         if (pub == NULL)
 1934             DST_RET(DST_R_INVALIDPRIVATEKEY);
 1935 
 1936         key->keydata.pkey = pub->keydata.pkey;
 1937         pub->keydata.pkey = NULL;
 1938         key->key_size = pub->key_size;
 1939 
 1940         dst__privstruct_free(&priv, mctx);
 1941         isc_safe_memwipe(&priv, sizeof(priv));
 1942 
 1943         return (ISC_R_SUCCESS);
 1944     }
 1945 
 1946     for (i = 0; i < priv.nelements; i++) {
 1947         switch (priv.elements[i].tag) {
 1948         case TAG_RSA_ENGINE:
 1949             engine = (char *)priv.elements[i].data;
 1950             break;
 1951         case TAG_RSA_LABEL:
 1952             label = (char *)priv.elements[i].data;
 1953             break;
 1954         default:
 1955             break;
 1956         }
 1957     }
 1958     rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
 1959     if (rsa == NULL)
 1960         DST_RET(ISC_R_NOMEMORY);
 1961     memset(rsa, 0, sizeof(*rsa));
 1962     key->keydata.pkey = rsa;
 1963 
 1964     /* Is this key is stored in a HSM? See if we can fetch it. */
 1965     if ((label != NULL) || (engine != NULL)) {
 1966         ret = pkcs11rsa_fetch(key, engine, label, pub);
 1967         if (ret != ISC_R_SUCCESS)
 1968             goto err;
 1969         dst__privstruct_free(&priv, mctx);
 1970         isc_safe_memwipe(&priv, sizeof(priv));
 1971         return (ret);
 1972     }
 1973 
 1974     rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8);
 1975     if (rsa->repr == NULL)
 1976         DST_RET(ISC_R_NOMEMORY);
 1977     memset(rsa->repr, 0, sizeof(*attr) * 8);
 1978     rsa->attrcnt = 8;
 1979     attr = rsa->repr;
 1980     attr[0].type = CKA_MODULUS;
 1981     attr[1].type = CKA_PUBLIC_EXPONENT;
 1982     attr[2].type = CKA_PRIVATE_EXPONENT;
 1983     attr[3].type = CKA_PRIME_1;
 1984     attr[4].type = CKA_PRIME_2;
 1985     attr[5].type = CKA_EXPONENT_1;
 1986     attr[6].type = CKA_EXPONENT_2;
 1987     attr[7].type = CKA_COEFFICIENT;
 1988 
 1989     for (i = 0; i < priv.nelements; i++) {
 1990         CK_BYTE *bn;
 1991 
 1992         switch (priv.elements[i].tag) {
 1993         case TAG_RSA_ENGINE:
 1994             continue;
 1995         case TAG_RSA_LABEL:
 1996             continue;
 1997         default:
 1998             bn = isc_mem_get(key->mctx, priv.elements[i].length);
 1999             if (bn == NULL)
 2000                 DST_RET(ISC_R_NOMEMORY);
 2001             memmove(bn, priv.elements[i].data,
 2002                 priv.elements[i].length);
 2003         }
 2004 
 2005         switch (priv.elements[i].tag) {
 2006             case TAG_RSA_MODULUS:
 2007                 attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
 2008                 INSIST(attr != NULL);
 2009                 attr->pValue = bn;
 2010                 attr->ulValueLen = priv.elements[i].length;
 2011                 break;
 2012             case TAG_RSA_PUBLICEXPONENT:
 2013                 attr = pk11_attribute_bytype(rsa,
 2014                         CKA_PUBLIC_EXPONENT);
 2015                 INSIST(attr != NULL);
 2016                 attr->pValue = bn;
 2017                 attr->ulValueLen = priv.elements[i].length;
 2018                 break;
 2019             case TAG_RSA_PRIVATEEXPONENT:
 2020                 attr = pk11_attribute_bytype(rsa,
 2021                         CKA_PRIVATE_EXPONENT);
 2022                 INSIST(attr != NULL);
 2023                 attr->pValue = bn;
 2024                 attr->ulValueLen = priv.elements[i].length;
 2025                 break;
 2026             case TAG_RSA_PRIME1:
 2027                 attr = pk11_attribute_bytype(rsa, CKA_PRIME_1);
 2028                 INSIST(attr != NULL);
 2029                 attr->pValue = bn;
 2030                 attr->ulValueLen = priv.elements[i].length;
 2031                 break;
 2032             case TAG_RSA_PRIME2:
 2033                 attr = pk11_attribute_bytype(rsa, CKA_PRIME_2);
 2034                 INSIST(attr != NULL);
 2035                 attr->pValue = bn;
 2036                 attr->ulValueLen = priv.elements[i].length;
 2037                 break;
 2038             case TAG_RSA_EXPONENT1:
 2039                 attr = pk11_attribute_bytype(rsa,
 2040                                  CKA_EXPONENT_1);
 2041                 INSIST(attr != NULL);
 2042                 attr->pValue = bn;
 2043                 attr->ulValueLen = priv.elements[i].length;
 2044                 break;
 2045             case TAG_RSA_EXPONENT2:
 2046                 attr = pk11_attribute_bytype(rsa,
 2047                                  CKA_EXPONENT_2);
 2048                 INSIST(attr != NULL);
 2049                 attr->pValue = bn;
 2050                 attr->ulValueLen = priv.elements[i].length;
 2051                 break;
 2052             case TAG_RSA_COEFFICIENT:
 2053                 attr = pk11_attribute_bytype(rsa,
 2054                                  CKA_COEFFICIENT);
 2055                 INSIST(attr != NULL);
 2056                 attr->pValue = bn;
 2057                 attr->ulValueLen = priv.elements[i].length;
 2058                 break;
 2059         }
 2060     }
 2061 
 2062     if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS)
 2063         DST_RET(DST_R_INVALIDPRIVATEKEY);
 2064 
 2065     attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
 2066     INSIST(attr != NULL);
 2067     ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
 2068     if (ret != ISC_R_SUCCESS) {
 2069         goto err;
 2070     }
 2071     key->key_size = bits;
 2072 
 2073     attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
 2074     INSIST(attr != NULL);
 2075 
 2076     ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
 2077     if (ret != ISC_R_SUCCESS) {
 2078         goto err;
 2079     }
 2080     if (bits > RSA_MAX_PUBEXP_BITS) {
 2081         DST_RET(ISC_R_RANGE);
 2082     }
 2083 
 2084     dst__privstruct_free(&priv, mctx);
 2085     isc_safe_memwipe(&priv, sizeof(priv));
 2086 
 2087     return (ISC_R_SUCCESS);
 2088 
 2089  err:
 2090     pkcs11rsa_destroy(key);
 2091     dst__privstruct_free(&priv, mctx);
 2092     isc_safe_memwipe(&priv, sizeof(priv));
 2093     return (ret);
 2094 }
 2095 
 2096 static isc_result_t
 2097 pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 2098             const char *pin)
 2099 {
 2100     CK_RV rv;
 2101     CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
 2102     CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
 2103     CK_KEY_TYPE keyType = CKK_RSA;
 2104     CK_ATTRIBUTE searchTemplate[] =
 2105     {
 2106         { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
 2107         { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
 2108         { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
 2109         { CKA_LABEL, NULL, 0 }
 2110     };
 2111     CK_ULONG cnt;
 2112     CK_ATTRIBUTE *attr;
 2113     pk11_object_t *rsa;
 2114     pk11_context_t *pk11_ctx = NULL;
 2115     isc_result_t ret;
 2116     unsigned int i;
 2117     unsigned int bits;
 2118 
 2119     UNUSED(pin);
 2120 
 2121     rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
 2122     if (rsa == NULL)
 2123         return (ISC_R_NOMEMORY);
 2124     memset(rsa, 0, sizeof(*rsa));
 2125     rsa->object = CK_INVALID_HANDLE;
 2126     rsa->ontoken = true;
 2127     rsa->reqlogon = true;
 2128     key->keydata.pkey = rsa;
 2129 
 2130     rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
 2131     if (rsa->repr == NULL)
 2132         DST_RET(ISC_R_NOMEMORY);
 2133     memset(rsa->repr, 0, sizeof(*attr) * 2);
 2134     rsa->attrcnt = 2;
 2135     attr = rsa->repr;
 2136     attr[0].type = CKA_MODULUS;
 2137     attr[1].type = CKA_PUBLIC_EXPONENT;
 2138 
 2139     ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
 2140     if (ret != ISC_R_SUCCESS)
 2141         goto err;
 2142 
 2143     pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
 2144                           sizeof(*pk11_ctx));
 2145     if (pk11_ctx == NULL)
 2146         DST_RET(ISC_R_NOMEMORY);
 2147     ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
 2148                    rsa->reqlogon, NULL, rsa->slot);
 2149     if (ret != ISC_R_SUCCESS)
 2150         goto err;
 2151 
 2152     attr = pk11_attribute_bytype(rsa, CKA_LABEL);
 2153     if (attr == NULL) {
 2154         attr = pk11_attribute_bytype(rsa, CKA_ID);
 2155         INSIST(attr != NULL);
 2156         searchTemplate[3].type = CKA_ID;
 2157     }
 2158     searchTemplate[3].pValue = attr->pValue;
 2159     searchTemplate[3].ulValueLen = attr->ulValueLen;
 2160 
 2161     PK11_RET(pkcs_C_FindObjectsInit,
 2162          (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
 2163          DST_R_CRYPTOFAILURE);
 2164     PK11_RET(pkcs_C_FindObjects,
 2165          (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt),
 2166          DST_R_CRYPTOFAILURE);
 2167     (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
 2168     if (cnt == 0)
 2169         DST_RET(ISC_R_NOTFOUND);
 2170     if (cnt > 1)
 2171         DST_RET(ISC_R_EXISTS);
 2172 
 2173     attr = rsa->repr;
 2174     PK11_RET(pkcs_C_GetAttributeValue,
 2175          (pk11_ctx->session, hKey, attr, 2),
 2176          DST_R_CRYPTOFAILURE);
 2177     for (i = 0; i <= 1; i++) {
 2178         attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
 2179         if (attr[i].pValue == NULL)
 2180             DST_RET(ISC_R_NOMEMORY);
 2181         memset(attr[i].pValue, 0, attr[i].ulValueLen);
 2182     }
 2183     PK11_RET(pkcs_C_GetAttributeValue,
 2184          (pk11_ctx->session, hKey, attr, 2),
 2185          DST_R_CRYPTOFAILURE);
 2186 
 2187     keyClass = CKO_PRIVATE_KEY;
 2188     PK11_RET(pkcs_C_FindObjectsInit,
 2189          (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
 2190          DST_R_CRYPTOFAILURE);
 2191     PK11_RET(pkcs_C_FindObjects,
 2192          (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt),
 2193          DST_R_CRYPTOFAILURE);
 2194     (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
 2195     if (cnt == 0)
 2196         DST_RET(ISC_R_NOTFOUND);
 2197     if (cnt > 1)
 2198         DST_RET(ISC_R_EXISTS);
 2199 
 2200     if (engine != NULL) {
 2201         key->engine = isc_mem_strdup(key->mctx, engine);
 2202         if (key->engine == NULL)
 2203             DST_RET(ISC_R_NOMEMORY);
 2204     }
 2205 
 2206     key->label = isc_mem_strdup(key->mctx, label);
 2207     if (key->label == NULL)
 2208         DST_RET(ISC_R_NOMEMORY);
 2209 
 2210     attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
 2211     INSIST(attr != NULL);
 2212 
 2213     ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
 2214     if (ret != ISC_R_SUCCESS) {
 2215         goto err;
 2216     }
 2217     if (bits > RSA_MAX_PUBEXP_BITS) {
 2218         DST_RET(ISC_R_RANGE);
 2219     }
 2220 
 2221     attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
 2222     INSIST(attr != NULL);
 2223     ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
 2224     if (ret != ISC_R_SUCCESS) {
 2225         goto err;
 2226     }
 2227     key->key_size = bits;
 2228 
 2229     pk11_return_session(pk11_ctx);
 2230     isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 2231     isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 2232 
 2233     return (ISC_R_SUCCESS);
 2234 
 2235     err:
 2236     pkcs11rsa_destroy(key);
 2237     if (pk11_ctx != NULL) {
 2238         pk11_return_session(pk11_ctx);
 2239         isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 2240         isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 2241     }
 2242 
 2243     return (ret);
 2244 }
 2245 
 2246 static dst_func_t pkcs11rsa_functions = {
 2247     pkcs11rsa_createctx,
 2248 #ifndef PK11_RSA_PKCS_REPLACE
 2249     pkcs11rsa_createctx2,
 2250 #else
 2251     NULL, /*%< createctx2 */
 2252 #endif
 2253     pkcs11rsa_destroyctx,
 2254     pkcs11rsa_adddata,
 2255     pkcs11rsa_sign,
 2256     pkcs11rsa_verify,
 2257     NULL, /*%< verify2 */
 2258     NULL, /*%< computesecret */
 2259     pkcs11rsa_compare,
 2260     NULL, /*%< paramcompare */
 2261     pkcs11rsa_generate,
 2262     pkcs11rsa_isprivate,
 2263     pkcs11rsa_destroy,
 2264     pkcs11rsa_todns,
 2265     pkcs11rsa_fromdns,
 2266     pkcs11rsa_tofile,
 2267     pkcs11rsa_parse,
 2268     NULL, /*%< cleanup */
 2269     pkcs11rsa_fromlabel,
 2270     NULL, /*%< dump */
 2271     NULL, /*%< restore */
 2272 };
 2273 
 2274 isc_result_t
 2275 dst__pkcs11rsa_init(dst_func_t **funcp) {
 2276     REQUIRE(funcp != NULL);
 2277 
 2278     if (*funcp == NULL)
 2279         *funcp = &pkcs11rsa_functions;
 2280     return (ISC_R_SUCCESS);
 2281 }
 2282 
 2283 #else /* PKCS11CRYPTO */
 2284 
 2285 #include <isc/util.h>
 2286 
 2287 EMPTY_TRANSLATION_UNIT
 2288 
 2289 #endif /* PKCS11CRYPTO */
 2290 /*! \file */