From ce8ba928172071dc89cc1fc0520f840211bbfa0d Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Fri, 14 Apr 2017 15:22:25 -0400 Subject: Python interface API will need to be cryptech.py11 for installation. --- Makefile | 10 +- README.md | 8 +- cryptech/__init__.py | 0 cryptech/py11/__init__.py | 270 ++++++++++++++++++ cryptech/py11/attribute_map.py | 54 ++++ cryptech/py11/attributes.py | 101 +++++++ cryptech/py11/constants.py | 615 +++++++++++++++++++++++++++++++++++++++++ cryptech/py11/exceptions.py | 128 +++++++++ cryptech/py11/mutex.py | 89 ++++++ cryptech/py11/prototypes.py | 85 ++++++ cryptech/py11/types.py | 180 ++++++++++++ py11/__init__.py | 270 ------------------ py11/attribute_map.py | 54 ---- py11/attributes.py | 101 ------- py11/constants.py | 615 ----------------------------------------- py11/exceptions.py | 128 --------- py11/mutex.py | 88 ------ py11/prototypes.py | 85 ------ py11/types.py | 180 ------------ scripts/py11-test.py | 4 +- scripts/time-signature.py | 6 +- unit_tests.py | 6 +- 22 files changed, 1539 insertions(+), 1538 deletions(-) create mode 100644 cryptech/__init__.py create mode 100644 cryptech/py11/__init__.py create mode 100644 cryptech/py11/attribute_map.py create mode 100644 cryptech/py11/attributes.py create mode 100644 cryptech/py11/constants.py create mode 100644 cryptech/py11/exceptions.py create mode 100644 cryptech/py11/mutex.py create mode 100644 cryptech/py11/prototypes.py create mode 100644 cryptech/py11/types.py delete mode 100644 py11/__init__.py delete mode 100644 py11/attribute_map.py delete mode 100644 py11/attributes.py delete mode 100644 py11/constants.py delete mode 100644 py11/exceptions.py delete mode 100644 py11/mutex.py delete mode 100644 py11/prototypes.py delete mode 100644 py11/types.py diff --git a/Makefile b/Makefile index 4669c3b..954380e 100644 --- a/Makefile +++ b/Makefile @@ -138,10 +138,10 @@ ifndef OBJCOPY OBJCOPY := objcopy endif -all: ${SONAME} p11util py11/attribute_map.py +all: ${SONAME} p11util cryptech/py11/attribute_map.py clean: - rm -rf *.o ${SONAME}* p11util attributes.h py11/*.pyc + rm -rf *.o ${SONAME}* p11util attributes.h cryptech/*.pyc cryptech/py11/*.pyc ${MAKE} -C libtfm $@ ${MAKE} -C libhal $@ @@ -159,8 +159,8 @@ ${LIBHAL_BLD}/libhal.a: .FORCE ${LIBTFM_BLD}/libtfm.a attributes.h: attributes.yaml scripts/build-attributes Makefile python scripts/build-attributes attributes.yaml attributes.h -py11/attribute_map.py: attributes.yaml scripts/build-py11-attributes Makefile - python scripts/build-py11-attributes attributes.yaml py11/attribute_map.py +cryptech/py11/attribute_map.py: attributes.yaml scripts/build-py11-attributes Makefile + python scripts/build-py11-attributes attributes.yaml $@ pkcs11.o: pkcs11.c attributes.h ${LIBS} ${CC} ${CFLAGS} -c $< @@ -190,7 +190,7 @@ tags: TAGS TAGS: *.[ch] etags $^ -# Basic testing, via the Python unittest library and our py11 interface code +# Basic testing, via the Python unittest library and our cryptech.py11 interface code test: all python unit_tests.py diff --git a/README.md b/README.md index 7cee87d..0671398 100644 --- a/README.md +++ b/README.md @@ -11,10 +11,10 @@ only himself, but all of his friends, relations, and casual acquaintances. Along with the PKCS #11 library itself, the package includes a -companion Python interface ("py11"), which uses the ctypes module from -the Python standard library to talk to the PKCS #11 implementation. -The Python implementation is intended primarily to simplify testing -the C code. +companion Python interface ("cryptech.py11"), which uses the ctypes +module from the Python standard library to talk to the PKCS #11 +implementation. The Python implementation is intended primarily to +simplify testing the C code, but can be used for other purposes. ## Novel design features ## diff --git a/cryptech/__init__.py b/cryptech/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/cryptech/py11/__init__.py b/cryptech/py11/__init__.py new file mode 100644 index 0000000..46b62d6 --- /dev/null +++ b/cryptech/py11/__init__.py @@ -0,0 +1,270 @@ +""" +This is a Python interface to PKCS #11, using the ctypes module from +the Python standard library. + +This is not (yet?) a complete implementation. It's intended primarily +to simplify testing of the underlying PKCS #11 shared library. +""" + +from ctypes import * +from .exceptions import * +from .types import * +from .constants import * +from .attributes import * +from .prototypes import * + + +class PKCS11 (object): + """ + PKCS #11 API object, encapsulating the PKCS #11 library itself. + Sample usage: + + from cryptech.py11 import * + + p11 = PKCS11() + p11.C_Initialize() + session = p11.C_OpenSession() + p11.C_login(session, CK_USER, "secret") + p11.C_FindObjectsInit(session, {CKA_CLASS: CKO_PRIVATE_KEY, CKA_KEY_TYPE: CKK_EC, CKA_ID: foo}) + keys = list(p11.C_FindObjects(session)) + p11.C_FindObjectsFinal(session) + if len(keys) != 1: + raise RuntimeError + p11.C_SignInit(session, CK_ECDSA_SHA256, keys[0]) + sig = p11.Sign(session, "Your mother was a hamster") + p11.C_CloseAllSessions(slot) + p11.C_Finalize() + + The full raw PKCS #11 API is available via the .so attribute, but + using this can be tricky, both because it requires strict adherence + to the C API and because one needs to be careful not to run afoul of + the Python garbage collector. + + The example above uses a set of interface routines built on top of the + raw PKCS #11 API, which map the API into something a bit more Pythonic. + """ + + def __init__(self, so_name = "libpkcs11.so"): + self.so_name = so_name + self.so = CDLL(so_name) + def raise_on_failure(rv): + if rv != CKR_OK: + raise CKR_Exception.ckr_map[rv] + for name, args in Prototypes.iteritems(): + func = getattr(self.so, name) + func.restype = raise_on_failure + func.argtypes = args + self.adb = AttributeDB() + + def __getattr__(self, name): + return getattr(self.so, name) + + def C_GetFunctionList(self): + return self + + @property + def version(self): + info = CK_INFO() + self.so.C_GetInfo(byref(info)) + return info.cryptokiVersion + + # Be very careful if you try to provide your own locking functions. + # For most purposes, if you really just want locking, you're best + # off specifying CKF_OS_LOCKING_OK and letting the C code deal with + # it. The one case where you might want to provide your own locking + # is when writing tests to verify behavior of the locking code. + # + # We have to stash references to the callback functions passed to + # C_Initialize() to avoid dumping core when the garbage collector + # deletes the function pointer instances out from under the C code. + + def C_Initialize(self, flags = 0, create_mutex = None, destroy_mutex = None, lock_mutex = None, unlock_mutex = None): + if flags == 0 and create_mutex is None and destroy_mutex is None and lock_mutex is None and unlock_mutex is None: + self._C_Initialize_args = None + self.so.C_Initialize(None) + else: + create_mutex = CK_CREATEMUTEX() if create_mutex is None else CK_CREATEMUTEX(create_mutex) + destroy_mutex = CK_DESTROYMUTEX() if destroy_mutex is None else CK_DESTROYMUTEX(destroy_mutex) + lock_mutex = CK_LOCKMUTEX() if lock_mutex is None else CK_LOCKMUTEX(lock_mutex) + unlock_mutex = CK_UNLOCKMUTEX() if unlock_mutex is None else CK_UNLOCKMUTEX(unlock_mutex) + self._C_Initialize_args = CK_C_INITIALIZE_ARGS(create_mutex, destroy_mutex, lock_mutex, unlock_mutex, flags, None) + self.so.C_Initialize(cast(byref(self._C_Initialize_args), CK_VOID_PTR)) + + def C_Finalize(self): + self.so.C_Finalize(None) + self._C_Initialize_args = None + + def C_GetSlotList(self): + count = CK_ULONG() + self.so.C_GetSlotList(CK_TRUE, None, byref(count)) + slots = (CK_SLOT_ID * count.value)() + self.so.C_GetSlotList(CK_TRUE, slots, byref(count)) + return tuple(slots[i] for i in xrange(count.value)) + + def C_GetTokenInfo(self, slot_id): + token_info = CK_TOKEN_INFO() + self.so.C_GetTokenInfo(slot_id, byref(token_info)) + return token_info + + def C_OpenSession(self, slot, flags = CKF_RW_SESSION, application = None, notify = CK_NOTIFY()): + flags |= CKF_SERIAL_SESSION + handle = CK_SESSION_HANDLE() + self.so.C_OpenSession(slot, flags, application, notify, byref(handle)) + return handle.value + + def C_GenerateRandom(self, session, n): + buffer = create_string_buffer(n) + self.so.C_GenerateRandom(session, buffer, sizeof(buffer)) + return buffer.raw + + def C_Login(self, session, user, pin): + self.so.C_Login(session, user, pin, len(pin)) + + def C_GetAttributeValue(self, session_handle, object_handle, *attributes): + if len(attributes) == 1 and isinstance(attributes[0], (list, tuple)): + attributes = attributes[0] + template = self.adb.getvalue_create_template(attributes) + self.so.C_GetAttributeValue(session_handle, object_handle, template, len(template)) + self.adb.getvalue_allocate_template(template) + self.so.C_GetAttributeValue(session_handle, object_handle, template, len(template)) + return self.adb.from_ctypes(template) + + def C_FindObjectsInit(self, session, template = None, **kwargs): + if kwargs: + assert not template + template = kwargs + if template: + self.so.C_FindObjectsInit(session, self.adb.to_ctypes(template), len(template)) + else: + self.so.C_FindObjectsInit(session, None, 0) + + def C_FindObjects(self, session, chunk_size = 10): + objects = (CK_OBJECT_HANDLE * chunk_size)() + count = CK_ULONG(1) + while count.value > 0: + self.so.C_FindObjects(session, objects, len(objects), byref(count)) + for i in xrange(count.value): + yield objects[i] + + def FindObjects(self, session, template = None, **kwargs): + self.C_FindObjectsInit(session, template, **kwargs) + result = tuple(self.C_FindObjects(session)) + self.C_FindObjectsFinal(session) + return result + + def _parse_GenerateKeyPair_template(self, + # Attributes common to public and private templates + CKA_ID, + CKA_LABEL = None, + CKA_TOKEN = False, + # Attributes only in private template + CKA_SIGN = False, + CKA_DECRYPT = False, + CKA_UNWRAP = False, + CKA_SENSITIVE = True, + CKA_PRIVATE = True, + CKA_EXTRACTABLE = False, + # Finer-grained control for CKA_TOKEN + public_CKA_TOKEN = False, + private_CKA_TOKEN = False, + # Anything else is only in public template + **kwargs): + if CKA_LABEL is None: + CKA_LABEL = CKA_ID + return (dict(kwargs, + CKA_LABEL = CKA_LABEL, + CKA_ID = CKA_ID, + CKA_TOKEN = public_CKA_TOKEN or CKA_TOKEN), + dict(CKA_LABEL = CKA_LABEL, + CKA_ID = CKA_ID, + CKA_TOKEN = private_CKA_TOKEN or CKA_TOKEN, + CKA_SIGN = CKA_SIGN, + CKA_DECRYPT = CKA_DECRYPT, + CKA_UNWRAP = CKA_UNWRAP, + CKA_SENSITIVE = CKA_SENSITIVE, + CKA_PRIVATE = CKA_PRIVATE, + CKA_EXTRACTABLE = CKA_EXTRACTABLE)) + + def C_GenerateKeyPair(self, session, mechanism_type, public_template = None, private_template = None, **kwargs): + if kwargs: + assert not public_template and not private_template + public_template, private_template = self._parse_GenerateKeyPair_template(**kwargs) + public_template = self.adb.to_ctypes(public_template) + private_template = self.adb.to_ctypes(private_template) + mechanism = CK_MECHANISM(mechanism_type, None, 0) + public_handle = CK_OBJECT_HANDLE() + private_handle = CK_OBJECT_HANDLE() + self.so.C_GenerateKeyPair(session, byref(mechanism), + public_template, len(public_template), + private_template, len(private_template), + byref(public_handle), byref(private_handle)) + return public_handle.value, private_handle.value + + def C_SignInit(self, session, mechanism_type, private_key): + mechanism = CK_MECHANISM(mechanism_type, None, 0) + self.so.C_SignInit(session, byref(mechanism), private_key) + + def C_Sign(self, session, data): + n = CK_ULONG() + self.so.C_Sign(session, data, len(data), None, byref(n)) + sig = create_string_buffer(n.value) + self.so.C_Sign(session, data, len(data), sig, byref(n)) + return sig.raw + + def C_SignUpdate(self, session, data): + self.so.C_SignUpdate(session, data, len(data)) + + def C_SignFinal(self, session): + n = CK_ULONG() + self.so.C_SignFinal(session, None, byref(n)) + sig = create_string_buffer(n.value) + self.so.C_SignFinal(session, sig, byref(n)) + return sig.raw + + def C_VerifyInit(self, session, mechanism_type, public_key): + mechanism = CK_MECHANISM(mechanism_type, None, 0) + self.so.C_VerifyInit(session, byref(mechanism), public_key) + + def C_Verify(self, session, data, signature): + self.so.C_Verify(session, data, len(data), signature, len(signature)) + + def C_VerifyUpdate(self, session, data): + self.so.C_VerifyUpdate(session, data, len(data)) + + def C_VerifyFinal(self, session, signature): + self.so.C_VerifyFinal(session, signature, len(signature)) + + def C_CreateObject(self, session, template = None, **kwargs): + if kwargs: + assert not template + template = kwargs + template = self.adb.to_ctypes(template) + handle = CK_OBJECT_HANDLE() + self.so.C_CreateObject(session, template, len(template), byref(handle)) + return handle.value + + def C_DigestInit(self, session, mechanism_type): + mechanism = CK_MECHANISM(mechanism_type, None, 0) + self.so.C_DigestInit(session, byref(mechanism)) + + def C_Digest(self, session, data): + n = CK_ULONG() + self.so.C_Digest(session, data, len(data), None, byref(n)) + hash = create_string_buffer(n.value) + self.so.C_Digest(session, data, len(data), hash, byref(n)) + return hash.raw + + def C_DigestUpdate(self, session, data): + self.so.C_DigestUpdate(session, data, len(data)) + + def C_DigestFinal(self, session): + n = CK_ULONG() + self.so.C_DigestFinal(session, None, byref(n)) + hash = create_string_buffer(n.value) + self.so.C_DigestFinal(session, hash, byref(n)) + return hash.raw + +__all__ = ["PKCS11"] +__all__.extend(name for name in globals() + if name.startswith("CK") + or name.startswith("CRYPTOKI_")) diff --git a/cryptech/py11/attribute_map.py b/cryptech/py11/attribute_map.py new file mode 100644 index 0000000..b689d6e --- /dev/null +++ b/cryptech/py11/attribute_map.py @@ -0,0 +1,54 @@ +# This file was generated automatically from attributes.yaml by build-py11-attributes. Do not edit this file directly. + +attribute_map = { + 'CKA_COEFFICIENT': 'biginteger', + 'CKA_MECHANISM_TYPE': 'CK_MECHANISM_TYPE', + 'CKA_ID': 'bytearray', + 'CKA_VALUE': 'biginteger', + 'CKA_KEY_GEN_MECHANISM': 'CK_MECHANISM_TYPE', + 'CKA_LABEL': 'rfc2279string', + 'CKA_KEY_TYPE': 'CK_KEY_TYPE', + 'CKA_PRIME_2': 'biginteger', + 'CKA_APPLICATION': 'rfc2279string', + 'CKA_VERIFY': 'CK_BBOOL', + 'CKA_HASH_OF_ISSUER_PUBLIC_KEY': 'bytearray', + 'CKA_SIGN': 'CK_BBOOL', + 'CKA_MODULUS': 'biginteger', + 'CKA_START_DATE': 'CK_DATE', + 'CKA_CERTIFICATE_CATEGORY': 'CK_ULONG', + 'CKA_PRIVATE_EXPONENT': 'biginteger', + 'CKA_ALWAYS_SENSITIVE': 'CK_BBOOL', + 'CKA_LOCAL': 'CK_BBOOL', + 'CKA_PUBLIC_EXPONENT': 'biginteger', + 'CKA_SENSITIVE': 'CK_BBOOL', + 'CKA_WRAP_WITH_TRUSTED': 'CK_BBOOL', + 'CKA_EXTRACTABLE': 'CK_BBOOL', + 'CKA_SUBJECT': 'bytearray', + 'CKA_VERIFY_RECOVER': 'CK_BBOOL', + 'CKA_EXPONENT_1': 'biginteger', + 'CKA_TOKEN': 'CK_BBOOL', + 'CKA_DECRYPT': 'CK_BBOOL', + 'CKA_EC_PARAMS': 'bytearray', + 'CKA_END_DATE': 'CK_DATE', + 'CKA_JAVA_MIDP_SECURITY_DOMAIN': 'CK_ULONG', + 'CKA_MODIFIABLE': 'CK_BBOOL', + 'CKA_CHECK_VALUE': 'bytearray', + 'CKA_URL': 'rfc2279string', + 'CKA_SERIAL_NUMBER': 'bytearray', + 'CKA_MODULUS_BITS': 'CK_ULONG', + 'CKA_WRAP': 'CK_BBOOL', + 'CKA_SIGN_RECOVER': 'CK_BBOOL', + 'CKA_TRUSTED': 'CK_BBOOL', + 'CKA_DERIVE': 'CK_BBOOL', + 'CKA_UNWRAP': 'CK_BBOOL', + 'CKA_NEVER_EXTRACTABLE': 'CK_BBOOL', + 'CKA_PRIVATE': 'CK_BBOOL', + 'CKA_ENCRYPT': 'CK_BBOOL', + 'CKA_EXPONENT_2': 'biginteger', + 'CKA_PRIME_1': 'biginteger', + 'CKA_EC_POINT': 'bytearray', + 'CKA_ISSUER': 'bytearray', + 'CKA_CERTIFICATE_TYPE': 'CK_CERTIFICATE_TYPE', + 'CKA_CLASS': 'CK_OBJECT_CLASS', + 'CKA_OBJECT_ID': 'bytearray', + 'CKA_HASH_OF_SUBJECT_PUBLIC_KEY': 'bytearray'} diff --git a/cryptech/py11/attributes.py b/cryptech/py11/attributes.py new file mode 100644 index 0000000..56473ad --- /dev/null +++ b/cryptech/py11/attributes.py @@ -0,0 +1,101 @@ +# An attempt at a Python interface to PKCS 11 using the scary ctypes +# module from the Python standard library. + +from struct import pack, unpack +from ctypes import * +from .types import * +from .constants import * + +class Attribute(object): + + @classmethod + def new(cls, attribute_name, type_name): + from . import constants + from . import types + assert attribute_name.startswith("CKA_") + attribute_number = getattr(constants, attribute_name) + type_class = getattr(types, type_name, str) + if type_class is CK_BBOOL: + cls = Attribute_CK_BBOOL + elif type_class is CK_ULONG: + cls = Attribute_CK_ULONG + elif type_name == "biginteger": + cls = Attribute_biginteger + return cls(attribute_name, attribute_number, type_name, type_class) + + def __init__(self, attribute_name, attribute_number, type_name, type_class): + assert attribute_name.startswith("CKA_") + self.name = attribute_name + self.code = attribute_number + self.type_name = type_name + self.type_class = type_class + + def encode(self, x): return x + def decode(self, x): return x + +class Attribute_CK_BBOOL(Attribute): + def encode(self, x): return chr(int(x)) + def decode(self, x): return bool(ord(x)) + +class Attribute_CK_ULONG(Attribute): + def encode(self, x): return pack("L", x) + def decode(self, x): return unpack("L", x)[0] + +class Attribute_biginteger(Attribute): + def encode(self, x): return "\x00" if x == 0 else ("%0*x" % (((x.bit_length() + 7) / 8) * 2, x)).decode("hex") + def decode(self, x): return long(x.encode("hex"), 16) + + +class AttributeDB(object): + + def __init__(self): + from .attribute_map import attribute_map + self.db = {} + for attribute_name, type_name in attribute_map.iteritems(): + a = Attribute.new(attribute_name, type_name) + self.db[a.name] = a + self.db[a.code] = a + + def encode(self, k, v): + return self.db[k].encode(v) if k in self.db else v + + def decode(self, k, v): + return self.db[k].decode(v) if k in self.db else v + + def getvalue_create_template(self, attributes): + attributes = tuple(self.db[a].code for a in attributes) + template = (CK_ATTRIBUTE * len(attributes))() + for i in xrange(len(attributes)): + template[i].type = attributes[i] + template[i].pValue = None + template[i].ulValueLen = 0 + return template + + def getvalue_allocate_template(self, template): + for t in template: + t.pValue = create_string_buffer(t.ulValueLen) + + def from_ctypes(self, template): + return dict((t.type, self.decode(t.type, t.pValue[:t.ulValueLen])) + for t in template) + + def to_ctypes(self, attributes): + attributes = tuple(attributes.iteritems() + if isinstance(attributes, dict) else + attributes) + template = (CK_ATTRIBUTE * len(attributes))() + for i, kv in enumerate(attributes): + k, v = kv + if k in self.db: + a = self.db[k] + k, v = a.code, a.encode(v) + template[i].type = k + template[i].pValue = create_string_buffer(v) + template[i].ulValueLen = len(v) + return template + + def attribute_name(self, code): + return self.db[code].name + + def attribute_code(self, name): + return self.db[name].code diff --git a/cryptech/py11/constants.py b/cryptech/py11/constants.py new file mode 100644 index 0000000..a8392ea --- /dev/null +++ b/cryptech/py11/constants.py @@ -0,0 +1,615 @@ +# An attempt at a Python interface to PKCS 11 using the scary ctypes +# module from the Python standard library. + +# This code is derived from the RSA PKCS #11 C header files, which say: +# +# License to copy and use this software is granted provided that it is +# identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface +# (Cryptoki)" in all material mentioning or referencing this software. +# +# License is also granted to make and use derivative works provided that +# such works are identified as "derived from the RSA Security Inc. PKCS #11 +# Cryptographic Token Interface (Cryptoki)" in all material mentioning or +# referencing the derived work. +# +# RSA Security Inc. makes no representations concerning either the +# merchantability of this software or the suitability of this software for +# any particular purpose. It is provided "as is" without express or implied +# warranty of any kind. + +CRYPTOKI_VERSION_MAJOR = 2 +CRYPTOKI_VERSION_MINOR = 30 +CRYPTOKI_VERSION_AMENDMENT = 0 + +CK_TRUE = 1 +CK_FALSE = 0 + +CK_UNAVAILABLE_INFORMATION = ~0 +CK_EFFECTIVELY_INFINITE = 0 + +CK_INVALID_HANDLE = 0 + +CKN_SURRENDER = 0 +CKN_OTP_CHANGED = 1 + +CKF_TOKEN_PRESENT = 0x00000001 +CKF_REMOVABLE_DEVICE = 0x00000002 +CKF_HW_SLOT = 0x00000004 +CKF_RNG = 0x00000001 +CKF_WRITE_PROTECTED = 0x00000002 +CKF_LOGIN_REQUIRED = 0x00000004 +CKF_USER_PIN_INITIALIZED = 0x00000008 +CKF_RESTORE_KEY_NOT_NEEDED = 0x00000020 +CKF_CLOCK_ON_TOKEN = 0x00000040 +CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100 +CKF_DUAL_CRYPTO_OPERATIONS = 0x00000200 +CKF_TOKEN_INITIALIZED = 0x00000400 +CKF_SECONDARY_AUTHENTICATION = 0x00000800 +CKF_USER_PIN_COUNT_LOW = 0x00010000 +CKF_USER_PIN_FINAL_TRY = 0x00020000 +CKF_USER_PIN_LOCKED = 0x00040000 +CKF_USER_PIN_TO_BE_CHANGED = 0x00080000 +CKF_SO_PIN_COUNT_LOW = 0x00100000 +CKF_SO_PIN_FINAL_TRY = 0x00200000 +CKF_SO_PIN_LOCKED = 0x00400000 +CKF_SO_PIN_TO_BE_CHANGED = 0x00800000 +CKF_ERROR_STATE = 0x01000000 + +CKU_SO = 0 +CKU_USER = 1 +CKU_CONTEXT_SPECIFIC = 2 + +CKS_RO_PUBLIC_SESSION = 0 +CKS_RO_USER_FUNCTIONS = 1 +CKS_RW_PUBLIC_SESSION = 2 +CKS_RW_USER_FUNCTIONS = 3 +CKS_RW_SO_FUNCTIONS = 4 + +CKF_RW_SESSION = 0x00000002 +CKF_SERIAL_SESSION = 0x00000004 + +CKO_DATA = 0x00000000 +CKO_CERTIFICATE = 0x00000001 +CKO_PUBLIC_KEY = 0x00000002 +CKO_PRIVATE_KEY = 0x00000003 +CKO_SECRET_KEY = 0x00000004 +CKO_HW_FEATURE = 0x00000005 +CKO_DOMAIN_PARAMETERS = 0x00000006 +CKO_MECHANISM = 0x00000007 +CKO_OTP_KEY = 0x00000008 +CKO_VENDOR_DEFINED = 0x80000000 + +CKH_MONOTONIC_COUNTER = 0x00000001 +CKH_CLOCK = 0x00000002 +CKH_USER_INTERFACE = 0x00000003 +CKH_VENDOR_DEFINED = 0x80000000 + +CKK_RSA = 0x00000000 +CKK_DSA = 0x00000001 +CKK_DH = 0x00000002 +CKK_ECDSA = 0x00000003 +CKK_EC = 0x00000003 +CKK_X9_42_DH = 0x00000004 +CKK_KEA = 0x00000005 +CKK_GENERIC_SECRET = 0x00000010 +CKK_RC2 = 0x00000011 +CKK_RC4 = 0x00000012 +CKK_DES = 0x00000013 +CKK_DES2 = 0x00000014 +CKK_DES3 = 0x00000015 +CKK_CAST = 0x00000016 +CKK_CAST3 = 0x00000017 +CKK_CAST5 = 0x00000018 +CKK_CAST128 = 0x00000018 +CKK_RC5 = 0x00000019 +CKK_IDEA = 0x0000001A +CKK_SKIPJACK = 0x0000001B +CKK_BATON = 0x0000001C +CKK_JUNIPER = 0x0000001D +CKK_CDMF = 0x0000001E +CKK_AES = 0x0000001F +CKK_BLOWFISH = 0x00000020 +CKK_TWOFISH = 0x00000021 +CKK_SECURID = 0x00000022 +CKK_HOTP = 0x00000023 +CKK_ACTI = 0x00000024 +CKK_CAMELLIA = 0x00000025 +CKK_ARIA = 0x00000026 +CKK_MD5_HMAC = 0x00000027 +CKK_SHA_1_HMAC = 0x00000028 +CKK_RIPEMD128_HMAC = 0x00000029 +CKK_RIPEMD160_HMAC = 0x0000002A +CKK_SHA256_HMAC = 0x0000002B +CKK_SHA384_HMAC = 0x0000002C +CKK_SHA512_HMAC = 0x0000002D +CKK_SHA224_HMAC = 0x0000002E +CKK_SEED = 0x0000002F +CKK_GOSTR3410 = 0x00000030 +CKK_GOSTR3411 = 0x00000031 +CKK_GOST28147 = 0x00000032 +CKK_VENDOR_DEFINED = 0x80000000 + +CKC_X_509 = 0x00000000 +CKC_X_509_ATTR_CERT = 0x00000001 +CKC_WTLS = 0x00000002 +CKC_VENDOR_DEFINED = 0x80000000 + +CKF_ARRAY_ATTRIBUTE = 0x40000000 + +CK_OTP_FORMAT_DECIMAL = 0 +CK_OTP_FORMAT_HEXADECIMAL = 1 +CK_OTP_FORMAT_ALPHANUMERIC = 2 +CK_OTP_FORMAT_BINARY = 3 + +CK_OTP_PARAM_IGNORED = 0 +CK_OTP_PARAM_OPTIONAL = 1 +CK_OTP_PARAM_MANDATORY = 2 + +CKA_CLASS = 0x00000000 +CKA_TOKEN = 0x00000001 +CKA_PRIVATE = 0x00000002 +CKA_LABEL = 0x00000003 +CKA_APPLICATION = 0x00000010 +CKA_VALUE = 0x00000011 +CKA_OBJECT_ID = 0x00000012 +CKA_CERTIFICATE_TYPE = 0x00000080 +CKA_ISSUER = 0x00000081 +CKA_SERIAL_NUMBER = 0x00000082 +CKA_AC_ISSUER = 0x00000083 +CKA_OWNER = 0x00000084 +CKA_ATTR_TYPES = 0x00000085 +CKA_TRUSTED = 0x00000086 +CKA_CERTIFICATE_CATEGORY = 0x00000087 +CKA_JAVA_MIDP_SECURITY_DOMAIN = 0x00000088 +CKA_URL = 0x00000089 +CKA_HASH_OF_SUBJECT_PUBLIC_KEY = 0x0000008A +CKA_HASH_OF_ISSUER_PUBLIC_KEY = 0x0000008B +CKA_CHECK_VALUE = 0x00000090 +CKA_KEY_TYPE = 0x00000100 +CKA_SUBJECT = 0x00000101 +CKA_ID = 0x00000102 +CKA_SENSITIVE = 0x00000103 +CKA_ENCRYPT = 0x00000104 +CKA_DECRYPT = 0x00000105 +CKA_WRAP = 0x00000106 +CKA_UNWRAP = 0x00000107 +CKA_SIGN = 0x00000108 +CKA_SIGN_RECOVER = 0x00000109 +CKA_VERIFY = 0x0000010A +CKA_VERIFY_RECOVER = 0x0000010B +CKA_DERIVE = 0x0000010C +CKA_START_DATE = 0x00000110 +CKA_END_DATE = 0x00000111 +CKA_MODULUS = 0x00000120 +CKA_MODULUS_BITS = 0x00000121 +CKA_PUBLIC_EXPONENT = 0x00000122 +CKA_PRIVATE_EXPONENT = 0x00000123 +CKA_PRIME_1 = 0x00000124 +CKA_PRIME_2 = 0x00000125 +CKA_EXPONENT_1 = 0x00000126 +CKA_EXPONENT_2 = 0x00000127 +CKA_COEFFICIENT = 0x00000128 +CKA_PRIME = 0x00000130 +CKA_SUBPRIME = 0x00000131 +CKA_BASE = 0x00000132 +CKA_PRIME_BITS = 0x00000133 +CKA_SUBPRIME_BITS = 0x00000134 +CKA_SUB_PRIME_BITS = CKA_SUBPRIME_BITS +CKA_VALUE_BITS = 0x00000160 +CKA_VALUE_LEN = 0x00000161 +CKA_EXTRACTABLE = 0x00000162 +CKA_LOCAL = 0x00000163 +CKA_NEVER_EXTRACTABLE = 0x00000164 +CKA_ALWAYS_SENSITIVE = 0x00000165 +CKA_KEY_GEN_MECHANISM = 0x00000166 +CKA_MODIFIABLE = 0x00000170 +CKA_ECDSA_PARAMS = 0x00000180 +CKA_EC_PARAMS = 0x00000180 +CKA_EC_POINT = 0x00000181 +CKA_SECONDARY_AUTH = 0x00000200 +CKA_AUTH_PIN_FLAGS = 0x00000201 +CKA_ALWAYS_AUTHENTICATE = 0x00000202 +CKA_WRAP_WITH_TRUSTED = 0x00000210 +CKA_WRAP_TEMPLATE = (CKF_ARRAY_ATTRIBUTE|0x00000211) +CKA_UNWRAP_TEMPLATE = (CKF_ARRAY_ATTRIBUTE|0x00000212) +CKA_DERIVE_TEMPLATE = (CKF_ARRAY_ATTRIBUTE|0x00000213) +CKA_OTP_FORMAT = 0x00000220 +CKA_OTP_LENGTH = 0x00000221 +CKA_OTP_TIME_INTERVAL = 0x00000222 +CKA_OTP_USER_FRIENDLY_MODE = 0x00000223 +CKA_OTP_CHALLENGE_REQUIREMENT = 0x00000224 +CKA_OTP_TIME_REQUIREMENT = 0x00000225 +CKA_OTP_COUNTER_REQUIREMENT = 0x00000226 +CKA_OTP_PIN_REQUIREMENT = 0x00000227 +CKA_OTP_COUNTER = 0x0000022E +CKA_OTP_TIME = 0x0000022F +CKA_OTP_USER_IDENTIFIER = 0x0000022A +CKA_OTP_SERVICE_IDENTIFIER = 0x0000022B +CKA_OTP_SERVICE_LOGO = 0x0000022C +CKA_OTP_SERVICE_LOGO_TYPE = 0x0000022D +CKA_GOSTR3410_PARAMS = 0x00000250 +CKA_GOSTR3411_PARAMS = 0x00000251 +CKA_GOST28147_PARAMS = 0x00000252 +CKA_HW_FEATURE_TYPE = 0x00000300 +CKA_RESET_ON_INIT = 0x00000301 +CKA_HAS_RESET = 0x00000302 +CKA_PIXEL_X = 0x00000400 +CKA_PIXEL_Y = 0x00000401 +CKA_RESOLUTION = 0x00000402 +CKA_CHAR_ROWS = 0x00000403 +CKA_CHAR_COLUMNS = 0x00000404 +CKA_COLOR = 0x00000405 +CKA_BITS_PER_PIXEL = 0x00000406 +CKA_CHAR_SETS = 0x00000480 +CKA_ENCODING_METHODS = 0x00000481 +CKA_MIME_TYPES = 0x00000482 +CKA_MECHANISM_TYPE = 0x00000500 +CKA_REQUIRED_CMS_ATTRIBUTES = 0x00000501 +CKA_DEFAULT_CMS_ATTRIBUTES = 0x00000502 +CKA_SUPPORTED_CMS_ATTRIBUTES = 0x00000503 +CKA_ALLOWED_MECHANISMS = (CKF_ARRAY_ATTRIBUTE|0x00000600) +CKA_VENDOR_DEFINED = 0x80000000 + +CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000000 +CKM_RSA_PKCS = 0x00000001 +CKM_RSA_9796 = 0x00000002 +CKM_RSA_X_509 = 0x00000003 +CKM_MD2_RSA_PKCS = 0x00000004 +CKM_MD5_RSA_PKCS = 0x00000005 +CKM_SHA1_RSA_PKCS = 0x00000006 +CKM_RIPEMD128_RSA_PKCS = 0x00000007 +CKM_RIPEMD160_RSA_PKCS = 0x00000008 +CKM_RSA_PKCS_OAEP = 0x00000009 +CKM_RSA_X9_31_KEY_PAIR_GEN = 0x0000000A +CKM_RSA_X9_31 = 0x0000000B +CKM_SHA1_RSA_X9_31 = 0x0000000C +CKM_RSA_PKCS_PSS = 0x0000000D +CKM_SHA1_RSA_PKCS_PSS = 0x0000000E +CKM_DSA_KEY_PAIR_GEN = 0x00000010 +CKM_DSA = 0x00000011 +CKM_DSA_SHA1 = 0x00000012 +CKM_DSA_SHA224 = 0x00000013 +CKM_DSA_SHA256 = 0x00000014 +CKM_DSA_SHA384 = 0x00000015 +CKM_DSA_SHA512 = 0x00000016 +CKM_DH_PKCS_KEY_PAIR_GEN = 0x00000020 +CKM_DH_PKCS_DERIVE = 0x00000021 +CKM_X9_42_DH_KEY_PAIR_GEN = 0x00000030 +CKM_X9_42_DH_DERIVE = 0x00000031 +CKM_X9_42_DH_HYBRID_DERIVE = 0x00000032 +CKM_X9_42_MQV_DERIVE = 0x00000033 +CKM_SHA256_RSA_PKCS = 0x00000040 +CKM_SHA384_RSA_PKCS = 0x00000041 +CKM_SHA512_RSA_PKCS = 0x00000042 +CKM_SHA256_RSA_PKCS_PSS = 0x00000043 +CKM_SHA384_RSA_PKCS_PSS = 0x00000044 +CKM_SHA512_RSA_PKCS_PSS = 0x00000045 +CKM_SHA224_RSA_PKCS = 0x00000046 +CKM_SHA224_RSA_PKCS_PSS = 0x00000047 +CKM_RC2_KEY_GEN = 0x00000100 +CKM_RC2_ECB = 0x00000101 +CKM_RC2_CBC = 0x00000102 +CKM_RC2_MAC = 0x00000103 +CKM_RC2_MAC_GENERAL = 0x00000104 +CKM_RC2_CBC_PAD = 0x00000105 +CKM_RC4_KEY_GEN = 0x00000110 +CKM_RC4 = 0x00000111 +CKM_DES_KEY_GEN = 0x00000120 +CKM_DES_ECB = 0x00000121 +CKM_DES_CBC = 0x00000122 +CKM_DES_MAC = 0x00000123 +CKM_DES_MAC_GENERAL = 0x00000124 +CKM_DES_CBC_PAD = 0x00000125 +CKM_DES2_KEY_GEN = 0x00000130 +CKM_DES3_KEY_GEN = 0x00000131 +CKM_DES3_ECB = 0x00000132 +CKM_DES3_CBC = 0x00000133 +CKM_DES3_MAC = 0x00000134 +CKM_DES3_MAC_GENERAL = 0x00000135 +CKM_DES3_CBC_PAD = 0x00000136 +CKM_DES3_CMAC_GENERAL = 0x00000137 +CKM_DES3_CMAC = 0x00000138 +CKM_CDMF_KEY_GEN = 0x00000140 +CKM_CDMF_ECB = 0x00000141 +CKM_CDMF_CBC = 0x00000142 +CKM_CDMF_MAC = 0x00000143 +CKM_CDMF_MAC_GENERAL = 0x00000144 +CKM_CDMF_CBC_PAD = 0x00000145 +CKM_DES_OFB64 = 0x00000150 +CKM_DES_OFB8 = 0x00000151 +CKM_DES_CFB64 = 0x00000152 +CKM_DES_CFB8 = 0x00000153 +CKM_MD2 = 0x00000200 +CKM_MD2_HMAC = 0x00000201 +CKM_MD2_HMAC_GENERAL = 0x00000202 +CKM_MD5 = 0x00000210 +CKM_MD5_HMAC = 0x00000211 +CKM_MD5_HMAC_GENERAL = 0x00000212 +CKM_SHA_1 = 0x00000220 +CKM_SHA_1_HMAC = 0x00000221 +CKM_SHA_1_HMAC_GENERAL = 0x00000222 +CKM_RIPEMD128 = 0x00000230 +CKM_RIPEMD128_HMAC = 0x00000231 +CKM_RIPEMD128_HMAC_GENERAL = 0x00000232 +CKM_RIPEMD160 = 0x00000240 +CKM_RIPEMD160_HMAC = 0x00000241 +CKM_RIPEMD160_HMAC_GENERAL = 0x00000242 +CKM_SHA256 = 0x00000250 +CKM_SHA256_HMAC = 0x00000251 +CKM_SHA256_HMAC_GENERAL = 0x00000252 +CKM_SHA224 = 0x00000255 +CKM_SHA224_HMAC = 0x00000256 +CKM_SHA224_HMAC_GENERAL = 0x00000257 +CKM_SHA384 = 0x00000260 +CKM_SHA384_HMAC = 0x00000261 +CKM_SHA384_HMAC_GENERAL = 0x00000262 +CKM_SHA512 = 0x00000270 +CKM_SHA512_HMAC = 0x00000271 +CKM_SHA512_HMAC_GENERAL = 0x00000272 +CKM_SECURID_KEY_GEN = 0x00000280 +CKM_SECURID = 0x00000282 +CKM_HOTP_KEY_GEN = 0x00000290 +CKM_HOTP = 0x00000291 +CKM_ACTI = 0x000002A0 +CKM_ACTI_KEY_GEN = 0x000002A1 +CKM_CAST_KEY_GEN = 0x00000300 +CKM_CAST_ECB = 0x00000301 +CKM_CAST_CBC = 0x00000302 +CKM_CAST_MAC = 0x00000303 +CKM_CAST_MAC_GENERAL = 0x00000304 +CKM_CAST_CBC_PAD = 0x00000305 +CKM_CAST3_KEY_GEN = 0x00000310 +CKM_CAST3_ECB = 0x00000311 +CKM_CAST3_CBC = 0x00000312 +CKM_CAST3_MAC = 0x00000313 +CKM_CAST3_MAC_GENERAL = 0x00000314 +CKM_CAST3_CBC_PAD = 0x00000315 +CKM_CAST5_KEY_GEN = 0x00000320 +CKM_CAST128_KEY_GEN = 0x00000320 +CKM_CAST5_ECB = 0x00000321 +CKM_CAST128_ECB = 0x00000321 +CKM_CAST5_CBC = 0x00000322 +CKM_CAST128_CBC = 0x00000322 +CKM_CAST5_MAC = 0x00000323 +CKM_CAST128_MAC = 0x00000323 +CKM_CAST5_MAC_GENERAL = 0x00000324 +CKM_CAST128_MAC_GENERAL = 0x00000324 +CKM_CAST5_CBC_PAD = 0x00000325 +CKM_CAST128_CBC_PAD = 0x00000325 +CKM_RC5_KEY_GEN = 0x00000330 +CKM_RC5_ECB = 0x00000331 +CKM_RC5_CBC = 0x00000332 +CKM_RC5_MAC = 0x00000333 +CKM_RC5_MAC_GENERAL = 0x00000334 +CKM_RC5_CBC_PAD = 0x00000335 +CKM_IDEA_KEY_GEN = 0x00000340 +CKM_IDEA_ECB = 0x00000341 +CKM_IDEA_CBC = 0x00000342 +CKM_IDEA_MAC = 0x00000343 +CKM_IDEA_MAC_GENERAL = 0x00000344 +CKM_IDEA_CBC_PAD = 0x00000345 +CKM_GENERIC_SECRET_KEY_GEN = 0x00000350 +CKM_CONCATENATE_BASE_AND_KEY = 0x00000360 +CKM_CONCATENATE_BASE_AND_DATA = 0x00000362 +CKM_CONCATENATE_DATA_AND_BASE = 0x00000363 +CKM_XOR_BASE_AND_DATA = 0x00000364 +CKM_EXTRACT_KEY_FROM_KEY = 0x00000365 +CKM_SSL3_PRE_MASTER_KEY_GEN = 0x00000370 +CKM_SSL3_MASTER_KEY_DERIVE = 0x00000371 +CKM_SSL3_KEY_AND_MAC_DERIVE = 0x00000372 +CKM_SSL3_MASTER_KEY_DERIVE_DH = 0x00000373 +CKM_TLS_PRE_MASTER_KEY_GEN = 0x00000374 +CKM_TLS_MASTER_KEY_DERIVE = 0x00000375 +CKM_TLS_KEY_AND_MAC_DERIVE = 0x00000376 +CKM_TLS_MASTER_KEY_DERIVE_DH = 0x00000377 +CKM_TLS_PRF = 0x00000378 +CKM_SSL3_MD5_MAC = 0x00000380 +CKM_SSL3_SHA1_MAC = 0x00000381 +CKM_MD5_KEY_DERIVATION = 0x00000390 +CKM_MD2_KEY_DERIVATION = 0x00000391 +CKM_SHA1_KEY_DERIVATION = 0x00000392 +CKM_SHA256_KEY_DERIVATION = 0x00000393 +CKM_SHA384_KEY_DERIVATION = 0x00000394 +CKM_SHA512_KEY_DERIVATION = 0x00000395 +CKM_SHA224_KEY_DERIVATION = 0x00000396 +CKM_PBE_MD2_DES_CBC = 0x000003A0 +CKM_PBE_MD5_DES_CBC = 0x000003A1 +CKM_PBE_MD5_CAST_CBC = 0x000003A2 +CKM_PBE_MD5_CAST3_CBC = 0x000003A3 +CKM_PBE_MD5_CAST5_CBC = 0x000003A4 +CKM_PBE_MD5_CAST128_CBC = 0x000003A4 +CKM_PBE_SHA1_CAST5_CBC = 0x000003A5 +CKM_PBE_SHA1_CAST128_CBC = 0x000003A5 +CKM_PBE_SHA1_RC4_128 = 0x000003A6 +CKM_PBE_SHA1_RC4_40 = 0x000003A7 +CKM_PBE_SHA1_DES3_EDE_CBC = 0x000003A8 +CKM_PBE_SHA1_DES2_EDE_CBC = 0x000003A9 +CKM_PBE_SHA1_RC2_128_CBC = 0x000003AA +CKM_PBE_SHA1_RC2_40_CBC = 0x000003AB +CKM_PKCS5_PBKD2 = 0x000003B0 +CKM_PBA_SHA1_WITH_SHA1_HMAC = 0x000003C0 +CKM_WTLS_PRE_MASTER_KEY_GEN = 0x000003D0 +CKM_WTLS_MASTER_KEY_DERIVE = 0x000003D1 +CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC = 0x000003D2 +CKM_WTLS_PRF = 0x000003D3 +CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE = 0x000003D4 +CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE = 0x000003D5 +CKM_KEY_WRAP_LYNKS = 0x00000400 +CKM_KEY_WRAP_SET_OAEP = 0x00000401 +CKM_CMS_SIG = 0x00000500 +CKM_KIP_DERIVE = 0x00000510 +CKM_KIP_WRAP = 0x00000511 +CKM_KIP_MAC = 0x00000512 +CKM_CAMELLIA_KEY_GEN = 0x00000550 +CKM_CAMELLIA_ECB = 0x00000551 +CKM_CAMELLIA_CBC = 0x00000552 +CKM_CAMELLIA_MAC = 0x00000553 +CKM_CAMELLIA_MAC_GENERAL = 0x00000554 +CKM_CAMELLIA_CBC_PAD = 0x00000555 +CKM_CAMELLIA_ECB_ENCRYPT_DATA = 0x00000556 +CKM_CAMELLIA_CBC_ENCRYPT_DATA = 0x00000557 +CKM_CAMELLIA_CTR = 0x00000558 +CKM_ARIA_KEY_GEN = 0x00000560 +CKM_ARIA_ECB = 0x00000561 +CKM_ARIA_CBC = 0x00000562 +CKM_ARIA_MAC = 0x00000563 +CKM_ARIA_MAC_GENERAL = 0x00000564 +CKM_ARIA_CBC_PAD = 0x00000565 +CKM_ARIA_ECB_ENCRYPT_DATA = 0x00000566 +CKM_ARIA_CBC_ENCRYPT_DATA = 0x00000567 +CKM_SEED_KEY_GEN = 0x00000650 +CKM_SEED_ECB = 0x00000651 +CKM_SEED_CBC = 0x00000652 +CKM_SEED_MAC = 0x00000653 +CKM_SEED_MAC_GENERAL = 0x00000654 +CKM_SEED_CBC_PAD = 0x00000655 +CKM_SEED_ECB_ENCRYPT_DATA = 0x00000656 +CKM_SEED_CBC_ENCRYPT_DATA = 0x00000657 +CKM_SKIPJACK_KEY_GEN = 0x00001000 +CKM_SKIPJACK_ECB64 = 0x00001001 +CKM_SKIPJACK_CBC64 = 0x00001002 +CKM_SKIPJACK_OFB64 = 0x00001003 +CKM_SKIPJACK_CFB64 = 0x00001004 +CKM_SKIPJACK_CFB32 = 0x00001005 +CKM_SKIPJACK_CFB16 = 0x00001006 +CKM_SKIPJACK_CFB8 = 0x00001007 +CKM_SKIPJACK_WRAP = 0x00001008 +CKM_SKIPJACK_PRIVATE_WRAP = 0x00001009 +CKM_SKIPJACK_RELAYX = 0x0000100a +CKM_KEA_KEY_PAIR_GEN = 0x00001010 +CKM_KEA_KEY_DERIVE = 0x00001011 +CKM_FORTEZZA_TIMESTAMP = 0x00001020 +CKM_BATON_KEY_GEN = 0x00001030 +CKM_BATON_ECB128 = 0x00001031 +CKM_BATON_ECB96 = 0x00001032 +CKM_BATON_CBC128 = 0x00001033 +CKM_BATON_COUNTER = 0x00001034 +CKM_BATON_SHUFFLE = 0x00001035 +CKM_BATON_WRAP = 0x00001036 +CKM_ECDSA_KEY_PAIR_GEN = 0x00001040 +CKM_EC_KEY_PAIR_GEN = 0x00001040 +CKM_ECDSA = 0x00001041 +CKM_ECDSA_SHA1 = 0x00001042 +CKM_ECDSA_SHA224 = 0x00001043 +CKM_ECDSA_SHA256 = 0x00001044 +CKM_ECDSA_SHA384 = 0x00001045 +CKM_ECDSA_SHA512 = 0x00001046 +CKM_ECDH1_DERIVE = 0x00001050 +CKM_ECDH1_COFACTOR_DERIVE = 0x00001051 +CKM_ECMQV_DERIVE = 0x00001052 +CKM_JUNIPER_KEY_GEN = 0x00001060 +CKM_JUNIPER_ECB128 = 0x00001061 +CKM_JUNIPER_CBC128 = 0x00001062 +CKM_JUNIPER_COUNTER = 0x00001063 +CKM_JUNIPER_SHUFFLE = 0x00001064 +CKM_JUNIPER_WRAP = 0x00001065 +CKM_FASTHASH = 0x00001070 +CKM_AES_KEY_GEN = 0x00001080 +CKM_AES_ECB = 0x00001081 +CKM_AES_CBC = 0x00001082 +CKM_AES_MAC = 0x00001083 +CKM_AES_MAC_GENERAL = 0x00001084 +CKM_AES_CBC_PAD = 0x00001085 +CKM_AES_CTR = 0x00001086 +CKM_AES_CTS = 0x00001089 +CKM_AES_CMAC = 0x0000108A +CKM_AES_CMAC_GENERAL = 0x0000108B +CKM_BLOWFISH_KEY_GEN = 0x00001090 +CKM_BLOWFISH_CBC = 0x00001091 +CKM_TWOFISH_KEY_GEN = 0x00001092 +CKM_TWOFISH_CBC = 0x00001093 +CKM_AES_GCM = 0x00001087 +CKM_AES_CCM = 0x00001088 +CKM_AES_KEY_WRAP = 0x00001090 +CKM_AES_KEY_WRAP_PAD = 0x00001091 +CKM_BLOWFISH_CBC_PAD = 0x00001094 +CKM_TWOFISH_CBC_PAD = 0x00001095 +CKM_DES_ECB_ENCRYPT_DATA = 0x00001100 +CKM_DES_CBC_ENCRYPT_DATA = 0x00001101 +CKM_DES3_ECB_ENCRYPT_DATA = 0x00001102 +CKM_DES3_CBC_ENCRYPT_DATA = 0x00001103 +CKM_AES_ECB_ENCRYPT_DATA = 0x00001104 +CKM_AES_CBC_ENCRYPT_DATA = 0x00001105 +CKM_GOSTR3410_KEY_PAIR_GEN = 0x00001200 +CKM_GOSTR3410 = 0x00001201 +CKM_GOSTR3410_WITH_GOSTR3411 = 0x00001202 +CKM_GOSTR3410_KEY_WRAP = 0x00001203 +CKM_GOSTR3410_DERIVE = 0x00001204 +CKM_GOSTR3411 = 0x00001210 +CKM_GOSTR3411_HMAC = 0x00001211 +CKM_GOST28147_KEY_GEN = 0x00001220 +CKM_GOST28147_ECB = 0x00001221 +CKM_GOST28147 = 0x00001222 +CKM_GOST28147_MAC = 0x00001223 +CKM_GOST28147_KEY_WRAP = 0x00001224 +CKM_DSA_PARAMETER_GEN = 0x00002000 +CKM_DH_PKCS_PARAMETER_GEN = 0x00002001 +CKM_X9_42_DH_PARAMETER_GEN = 0x00002002 +CKM_AES_OFB = 0x00002104 +CKM_AES_CFB64 = 0x00002105 +CKM_AES_CFB8 = 0x00002106 +CKM_AES_CFB128 = 0x00002107 +CKM_RSA_PKCS_TPM_1_1 = 0x00004001 +CKM_RSA_PKCS_OAEP_TPM_1_1 = 0x00004002 +CKM_VENDOR_DEFINED = 0x80000000 + +CKF_HW = 0x00000001 +CKF_ENCRYPT = 0x00000100 +CKF_DECRYPT = 0x00000200 +CKF_DIGEST = 0x00000400 +CKF_SIGN = 0x00000800 +CKF_SIGN_RECOVER = 0x00001000 +CKF_VERIFY = 0x00002000 +CKF_VERIFY_RECOVER = 0x00004000 +CKF_GENERATE = 0x00008000 +CKF_GENERATE_KEY_PAIR = 0x00010000 +CKF_WRAP = 0x00020000 +CKF_UNWRAP = 0x00040000 +CKF_DERIVE = 0x00080000 +CKF_EC_F_P = 0x00100000 +CKF_EC_F_2M = 0x00200000 +CKF_EC_ECPARAMETERS = 0x00400000 +CKF_EC_NAMEDCURVE = 0x00800000 +CKF_EC_UNCOMPRESS = 0x01000000 +CKF_EC_COMPRESS = 0x02000000 +CKF_EXTENSION = 0x80000000 + +CKF_LIBRARY_CANT_CREATE_OS_THREADS = 0x00000001 +CKF_OS_LOCKING_OK = 0x00000002 + +CKF_DONT_BLOCK = 1 + +CKG_MGF1_SHA1 = 0x00000001 +CKG_MGF1_SHA256 = 0x00000002 +CKG_MGF1_SHA384 = 0x00000003 +CKG_MGF1_SHA512 = 0x00000004 +CKG_MGF1_SHA224 = 0x00000005 + +CKZ_DATA_SPECIFIED = 0x00000001 + +CKD_NULL = 0x00000001 +CKD_SHA1_KDF = 0x00000002 + +CKD_SHA1_KDF_ASN1 = 0x00000003 +CKD_SHA1_KDF_CONCATENATE = 0x00000004 +CKD_SHA224_KDF = 0x00000005 +CKD_SHA256_KDF = 0x00000006 +CKD_SHA384_KDF = 0x00000007 +CKD_SHA512_KDF = 0x00000008 +CKD_CPDIVERSIFY_KDF = 0x00000009 + +CK_OTP_VALUE = 0 +CK_OTP_PIN = 1 +CK_OTP_CHALLENGE = 2 +CK_OTP_TIME = 3 +CK_OTP_COUNTER = 4 +CK_OTP_FLAGS = 5 +CK_OTP_OUTPUT_LENGTH = 6 +CK_OTP_OUTPUT_FORMAT = 7 + +CKF_NEXT_OTP = 0x00000001 +CKF_EXCLUDE_TIME = 0x00000002 +CKF_EXCLUDE_COUNTER = 0x00000004 +CKF_EXCLUDE_CHALLENGE = 0x00000008 +CKF_EXCLUDE_PIN = 0x00000010 +CKF_USER_FRIENDLY_OTP = 0x00000020 diff --git a/cryptech/py11/exceptions.py b/cryptech/py11/exceptions.py new file mode 100644 index 0000000..7f86fe4 --- /dev/null +++ b/cryptech/py11/exceptions.py @@ -0,0 +1,128 @@ +# An attempt at a Python interface to PKCS 11 using the scary ctypes +# module from the Python standard library. + +# This code is derived from the RSA PKCS #11 C header files, which say: +# +# License to copy and use this software is granted provided that it is +# identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface +# (Cryptoki)" in all material mentioning or referencing this software. +# +# License is also granted to make and use derivative works provided that +# such works are identified as "derived from the RSA Security Inc. PKCS #11 +# Cryptographic Token Interface (Cryptoki)" in all material mentioning or +# referencing the derived work. +# +# RSA Security Inc. makes no representations concerning either the +# merchantability of this software or the suitability of this software for +# any particular purpose. It is provided "as is" without express or implied +# warranty of any kind. + +class CKR_Exception(Exception): + """ + Base class for PKCS #11 exceptions. + """ + + ckr_code = None + ckr_map = {} + + def __int__(self): + return self.ckr_code + +CKR_OK = 0x00000000 + +class CKR_CANCEL (CKR_Exception): ckr_code = 0x00000001 +class CKR_HOST_MEMORY (CKR_Exception): ckr_code = 0x00000002 +class CKR_SLOT_ID_INVALI (CKR_Exception): ckr_code = 0x00000003 +class CKR_GENERAL_ERROR (CKR_Exception): ckr_code = 0x00000005 +class CKR_FUNCTION_FAILED (CKR_Exception): ckr_code = 0x00000006 +class CKR_ARGUMENTS_BAD (CKR_Exception): ckr_code = 0x00000007 +class CKR_NO_EVENT (CKR_Exception): ckr_code = 0x00000008 +class CKR_NEED_TO_CREATE_THREADS (CKR_Exception): ckr_code = 0x00000009 +class CKR_CANT_LOCK (CKR_Exception): ckr_code = 0x0000000A +class CKR_ATTRIBUTE_READ_ONLY (CKR_Exception): ckr_code = 0x00000010 +class CKR_ATTRIBUTE_SENSITIVE (CKR_Exception): ckr_code = 0x00000011 +class CKR_ATTRIBUTE_TYPE_INVALID (CKR_Exception): ckr_code = 0x00000012 +class CKR_ATTRIBUTE_VALUE_INVALID (CKR_Exception): ckr_code = 0x00000013 +class CKR_DATA_INVALID (CKR_Exception): ckr_code = 0x00000020 +class CKR_DATA_LEN_RANGE (CKR_Exception): ckr_code = 0x00000021 +class CKR_DEVICE_ERROR (CKR_Exception): ckr_code = 0x00000030 +class CKR_DEVICE_MEMORY (CKR_Exception): ckr_code = 0x00000031 +class CKR_DEVICE_REMOVED (CKR_Exception): ckr_code = 0x00000032 +class CKR_ENCRYPTED_DATA_INVALID (CKR_Exception): ckr_code = 0x00000040 +class CKR_ENCRYPTED_DATA_LEN_RANGE (CKR_Exception): ckr_code = 0x00000041 +class CKR_FUNCTION_CANCELED (CKR_Exception): ckr_code = 0x00000050 +class CKR_FUNCTION_NOT_PARALLEL (CKR_Exception): ckr_code = 0x00000051 +class CKR_FUNCTION_NOT_SUPPORTED (CKR_Exception): ckr_code = 0x00000054 +class CKR_KEY_HANDLE_INVALID (CKR_Exception): ckr_code = 0x00000060 +class CKR_KEY_SIZE_RANGE (CKR_Exception): ckr_code = 0x00000062 +class CKR_KEY_TYPE_INCONSISTENT (CKR_Exception): ckr_code = 0x00000063 +class CKR_KEY_NOT_NEEDED (CKR_Exception): ckr_code = 0x00000064 +class CKR_KEY_CHANGED (CKR_Exception): ckr_code = 0x00000065 +class CKR_KEY_NEEDED (CKR_Exception): ckr_code = 0x00000066 +class CKR_KEY_INDIGESTIBLE (CKR_Exception): ckr_code = 0x00000067 +class CKR_KEY_FUNCTION_NOT_PERMITTED (CKR_Exception): ckr_code = 0x00000068 +class CKR_KEY_NOT_WRAPPABLE (CKR_Exception): ckr_code = 0x00000069 +class CKR_KEY_UNEXTRACTABLE (CKR_Exception): ckr_code = 0x0000006A +class CKR_MECHANISM_INVALID (CKR_Exception): ckr_code = 0x00000070 +class CKR_MECHANISM_PARAM_INVALID (CKR_Exception): ckr_code = 0x00000071 +class CKR_OBJECT_HANDLE_INVALID (CKR_Exception): ckr_code = 0x00000082 +class CKR_OPERATION_ACTIVE (CKR_Exception): ckr_code = 0x00000090 +class CKR_OPERATION_NOT_INITIALIZED (CKR_Exception): ckr_code = 0x00000091 +class CKR_PIN_INCORRECT (CKR_Exception): ckr_code = 0x000000A0 +class CKR_PIN_INVALID (CKR_Exception): ckr_code = 0x000000A1 +class CKR_PIN_LEN_RANGE (CKR_Exception): ckr_code = 0x000000A2 +class CKR_PIN_EXPIRED (CKR_Exception): ckr_code = 0x000000A3 +class CKR_PIN_LOCKED (CKR_Exception): ckr_code = 0x000000A4 +class CKR_SESSION_CLOSED (CKR_Exception): ckr_code = 0x000000B0 +class CKR_SESSION_COUNT (CKR_Exception): ckr_code = 0x000000B1 +class CKR_SESSION_HANDLE_INVALID (CKR_Exception): ckr_code = 0x000000B3 +class CKR_SESSION_PARALLEL_NOT_SUPPORTED (CKR_Exception): ckr_code = 0x000000B4 +class CKR_SESSION_READ_ONLY (CKR_Exception): ckr_code = 0x000000B5 +class CKR_SESSION_EXISTS (CKR_Exception): ckr_code = 0x000000B6 +class CKR_SESSION_READ_ONLY_EXISTS (CKR_Exception): ckr_code = 0x000000B7 +class CKR_SESSION_READ_WRITE_SO_EXISTS (CKR_Exception): ckr_code = 0x000000B8 +class CKR_SIGNATURE_INVALID (CKR_Exception): ckr_code = 0x000000C0 +class CKR_SIGNATURE_LEN_RANGE (CKR_Exception): ckr_code = 0x000000C1 +class CKR_TEMPLATE_INCOMPLETE (CKR_Exception): ckr_code = 0x000000D0 +class CKR_TEMPLATE_INCONSISTENT (CKR_Exception): ckr_code = 0x000000D1 +class CKR_TOKEN_NOT_PRESENT (CKR_Exception): ckr_code = 0x000000E0 +class CKR_TOKEN_NOT_RECOGNIZED (CKR_Exception): ckr_code = 0x000000E1 +class CKR_TOKEN_WRITE_PROTECTED (CKR_Exception): ckr_code = 0x000000E2 +class CKR_UNWRAPPING_KEY_HANDLE_INVALID (CKR_Exception): ckr_code = 0x000000F0 +class CKR_UNWRAPPING_KEY_SIZE_RANGE (CKR_Exception): ckr_code = 0x000000F1 +class CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (CKR_Exception): ckr_code = 0x000000F2 +class CKR_USER_ALREADY_LOGGED_IN (CKR_Exception): ckr_code = 0x00000100 +class CKR_USER_NOT_LOGGED_IN (CKR_Exception): ckr_code = 0x00000101 +class CKR_USER_PIN_NOT_INITIALIZED (CKR_Exception): ckr_code = 0x00000102 +class CKR_USER_TYPE_INVALID (CKR_Exception): ckr_code = 0x00000103 +class CKR_USER_ANOTHER_ALREADY_LOGGED_IN (CKR_Exception): ckr_code = 0x00000104 +class CKR_USER_TOO_MANY_TYPES (CKR_Exception): ckr_code = 0x00000105 +class CKR_WRAPPED_KEY_INVALID (CKR_Exception): ckr_code = 0x00000110 +class CKR_WRAPPED_KEY_LEN_RANGE (CKR_Exception): ckr_code = 0x00000112 +class CKR_WRAPPING_KEY_HANDLE_INVALID (CKR_Exception): ckr_code = 0x00000113 +class CKR_WRAPPING_KEY_SIZE_RANGE (CKR_Exception): ckr_code = 0x00000114 +class CKR_WRAPPING_KEY_TYPE_INCONSISTENT (CKR_Exception): ckr_code = 0x00000115 +class CKR_RANDOM_SEED_NOT_SUPPORTED (CKR_Exception): ckr_code = 0x00000120 +class CKR_RANDOM_NO_RNG (CKR_Exception): ckr_code = 0x00000121 +class CKR_DOMAIN_PARAMS_INVALID (CKR_Exception): ckr_code = 0x00000130 +class CKR_BUFFER_TOO_SMALL (CKR_Exception): ckr_code = 0x00000150 +class CKR_SAVED_STATE_INVALID (CKR_Exception): ckr_code = 0x00000160 +class CKR_INFORMATION_SENSITIVE (CKR_Exception): ckr_code = 0x00000170 +class CKR_STATE_UNSAVEABLE (CKR_Exception): ckr_code = 0x00000180 +class CKR_CRYPTOKI_NOT_INITIALIZED (CKR_Exception): ckr_code = 0x00000190 +class CKR_CRYPTOKI_ALREADY_INITIALIZED (CKR_Exception): ckr_code = 0x00000191 +class CKR_MUTEX_BAD (CKR_Exception): ckr_code = 0x000001A0 +class CKR_MUTEX_NOT_LOCKED (CKR_Exception): ckr_code = 0x000001A1 +class CKR_NEW_PIN_MODE (CKR_Exception): ckr_code = 0x000001B0 +class CKR_NEXT_OTP (CKR_Exception): ckr_code = 0x000001B1 +class CKR_EXCEEDED_MAX_ITERATIONS (CKR_Exception): ckr_code = 0x000001B5 +class CKR_FIPS_SELF_TEST_FAILED (CKR_Exception): ckr_code = 0x000001B6 +class CKR_LIBRARY_LOAD_FAILED (CKR_Exception): ckr_code = 0x000001B7 +class CKR_PIN_TOO_WEAK (CKR_Exception): ckr_code = 0x000001B8 +class CKR_PUBLIC_KEY_INVALID (CKR_Exception): ckr_code = 0x000001B9 +class CKR_FUNCTION_REJECTED (CKR_Exception): ckr_code = 0x00000200 +class CKR_VENDOR_DEFINED (CKR_Exception): ckr_code = 0x80000000 + +for e in globals().values(): + if isinstance(e, type) and issubclass(e, CKR_Exception) and e is not CKR_Exception: + CKR_Exception.ckr_map[e.ckr_code] = e diff --git a/cryptech/py11/mutex.py b/cryptech/py11/mutex.py new file mode 100644 index 0000000..da2123c --- /dev/null +++ b/cryptech/py11/mutex.py @@ -0,0 +1,89 @@ +""" +Optional Python mutex implementation for cryptech.py11 library, +using the threading.Lock primitive to provide the mutex itself. + +Most of the code in this module has to do with mapping between the +Python and PKCS #11 APIs. + +If you just want locking, it's probably simpler to let the C code +handle it, by passing CKF_OS_LOCKING_OK to C_Initialize(). + +The main reason for having a complete implementation in Python is to +test the API. + +Sample usage: + + from cryptech.py11 import * + from cryptech.py11.mutex import MutexDB + + p11 = PKCS11() + mdb = MutexDB() + p11.C_Initialize(0, mdb.create, mdb.destroy, mdb.lock, mdb.unlock) + +""" + +from struct import pack, unpack +from .types import * +from .exceptions import * + +# This controls how big our mutex handles are. +encoded_format = "=L" + +# These are all determined by encoded_format, don't touch. + +encoded_length = len(pack(encoded_format, 0)) +encoded_type = CK_BYTE * encoded_length +handle_max = unpack(encoded_format, chr(0xff) * encoded_length)[0] + +class Mutex(object): + + def __init__(self, handle): + from threading import Lock + self.encoded = encoded_type(*handle) + self.lock = Lock() + +def p11_callback(func): + from threading import ThreadError + def wrapper(self, arg): + try: + func(self, arg) + except ThreadError, e: + print "Failed: %s" % e + return CKR_MUTEX_NOT_LOCKED.ckr_code + except Exception, e: + print "Failed: %s" % e + return CKR_FUNCTION_FAILED.ckr_code + else: + return CKR_OK + return wrapper + +class MutexDB(object): + + def __init__(self): + self.mutexes = {} + self.next_handle = 0 + + def find_free_handle(self): + if len(self.mutexes) > handle_max: + raise RuntimeError + while self.next_handle in self.mutexes: + self.next_handle = (self.next_handle + 1) & handle_max + return pack(encoded_format, self.next_handle) + + @p11_callback + def create(self, handle_ptr): + handle = self.find_free_handle() + self.mutexes[handle] = Mutex(handle) + handle_ptr[0] = self.mutexes[handle].encoded + + @p11_callback + def destroy(self, handle): + del self.mutexes[handle[:encoded_length]] + + @p11_callback + def lock(self, handle): + self.mutexes[handle[:encoded_length]].lock.acquire() + + @p11_callback + def unlock(self, handle): + self.mutexes[handle[:encoded_length]].lock.release() diff --git a/cryptech/py11/prototypes.py b/cryptech/py11/prototypes.py new file mode 100644 index 0000000..7951515 --- /dev/null +++ b/cryptech/py11/prototypes.py @@ -0,0 +1,85 @@ +# An attempt at a Python interface to PKCS 11 using the scary ctypes +# module from the Python standard library. + +from ctypes import * +from .types import * + +# Prototypes for the PKCS #11 public functions. +# +# We don't bother implementing C_GetFunctionList(), because it would +# be extremely tedious and it's not all that useful to us in Python. +# Instead, we emulate its behavior in the PKCS11 class. + +Prototypes = dict( + C_Initialize = [CK_VOID_PTR], + C_Finalize = [CK_VOID_PTR], + C_GetInfo = [CK_INFO_PTR], +# C_GetFunctionList = [CK_FUNCTION_LIST_PTR_PTR], + C_GetSlotList = [CK_BBOOL, CK_SLOT_ID_PTR, CK_ULONG_PTR], + C_GetSlotInfo = [CK_SLOT_ID, CK_SLOT_INFO_PTR], + C_GetTokenInfo = [CK_SLOT_ID, CK_TOKEN_INFO_PTR], + C_GetMechanismList = [CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, CK_ULONG_PTR], + C_GetMechanismInfo = [CK_SLOT_ID, CK_MECHANISM_TYPE, CK_MECHANISM_INFO_PTR], + C_InitToken = [CK_SLOT_ID, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR], + C_InitPIN = [CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG], + C_SetPIN = [CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR, CK_ULONG], + C_OpenSession = [CK_SLOT_ID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY, CK_SESSION_HANDLE_PTR], + C_CloseSession = [CK_SESSION_HANDLE], + C_CloseAllSessions = [CK_SLOT_ID], + C_GetSessionInfo = [CK_SESSION_HANDLE, CK_SESSION_INFO_PTR], + C_GetOperationState = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR], + C_SetOperationState = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_OBJECT_HANDLE, CK_OBJECT_HANDLE], + C_Login = [CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG], + C_Logout = [CK_SESSION_HANDLE], + C_CreateObject = [CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR], + C_CopyObject = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR], + C_DestroyObject = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE], + C_GetObjectSize = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR], + C_GetAttributeValue = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG], + C_SetAttributeValue = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG], + C_FindObjectsInit = [CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG], + C_FindObjects = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG, CK_ULONG_PTR], + C_FindObjectsFinal = [CK_SESSION_HANDLE], + C_EncryptInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], + C_Encrypt = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_EncryptUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_EncryptFinal = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR], + C_DecryptInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], + C_Decrypt = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_DecryptUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_DecryptFinal = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR], + C_DigestInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR], + C_Digest = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_DigestUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], + C_DigestKey = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE], + C_DigestFinal = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR], + C_SignInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], + C_Sign = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_SignUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], + C_SignFinal = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR], + C_SignRecoverInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], + C_SignRecover = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_VerifyInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], + C_Verify = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG], + C_VerifyUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], + C_VerifyFinal = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], + C_VerifyRecoverInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], + C_VerifyRecover = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_DigestEncryptUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_DecryptDigestUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_SignEncryptUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_DecryptVerifyUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], + C_GenerateKey = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR], + C_GenerateKeyPair = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, CK_ULONG, + CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR, CK_OBJECT_HANDLE_PTR], + C_WrapKey = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, CK_OBJECT_HANDLE, + CK_BYTE_PTR, CK_ULONG_PTR], + C_UnwrapKey = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR], + C_DeriveKey = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, + CK_OBJECT_HANDLE_PTR], + C_SeedRandom = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], + C_GenerateRandom = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], + C_GetFunctionStatus = [CK_SESSION_HANDLE], + C_CancelFunction = [CK_SESSION_HANDLE], + C_WaitForSlotEvent = [CK_FLAGS, CK_SLOT_ID_PTR, CK_VOID_PTR]) diff --git a/cryptech/py11/types.py b/cryptech/py11/types.py new file mode 100644 index 0000000..4d0b279 --- /dev/null +++ b/cryptech/py11/types.py @@ -0,0 +1,180 @@ +# An attempt at a Python interface to PKCS 11 using the scary ctypes +# module from the Python standard library. + +from ctypes import * + +# This code is derived from the RSA PKCS #11 C header files, which say: +# +# License to copy and use this software is granted provided that it is +# identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface +# (Cryptoki)" in all material mentioning or referencing this software. +# +# License is also granted to make and use derivative works provided that +# such works are identified as "derived from the RSA Security Inc. PKCS #11 +# Cryptographic Token Interface (Cryptoki)" in all material mentioning or +# referencing the derived work. +# +# RSA Security Inc. makes no representations concerning either the +# merchantability of this software or the suitability of this software for +# any particular purpose. It is provided "as is" without express or implied +# warranty of any kind. + +# This is not a complete set of PKCS #11 types, because the full set +# with all the optional mechanisms is tediously long and each +# structure type requires hand conversion. Goal at the moment is to +# cover stuff we care about in the base specification. Add other +# mechanism-specific stuff later as needed. + +# Mapping beween C and Python at the lowest level isn't perfect +# because characters are integer types in C while they're strings in +# Python. It looks like we want the string handling in most cases +# other than CK_BBOOL and CK_VERSION, map lowest-level PKCS #11 types +# accordingly. + +CK_BYTE = c_char +CK_CHAR = CK_BYTE +CK_UTF8CHAR = CK_BYTE +CK_BBOOL = c_ubyte +CK_ULONG = c_ulong +CK_LONG = c_long +CK_FLAGS = CK_ULONG +CK_VOID_PTR = POINTER(c_char) + +CK_BYTE_PTR = POINTER(CK_BYTE) +CK_CHAR_PTR = POINTER(CK_CHAR) +CK_UTF8CHAR_PTR = POINTER(CK_UTF8CHAR) +CK_ULONG_PTR = POINTER(CK_ULONG) +CK_VOID_PTR_PTR = POINTER(CK_VOID_PTR) + +class CK_VERSION (Structure): + _fields_ = [("major", c_ubyte), + ("minor", c_ubyte)] + +CK_VERSION_PTR = POINTER(CK_VERSION) + +class CK_INFO (Structure): + _fields_ = [("cryptokiVersion", CK_VERSION), + ("manufacturerID", CK_UTF8CHAR * 32), + ("flags", CK_FLAGS), + ("libraryDescription", CK_UTF8CHAR * 32), + ("libraryVersion", CK_VERSION)] + +CK_INFO_PTR = POINTER(CK_INFO) + +CK_NOTIFICATION = CK_ULONG + +CK_SLOT_ID = CK_ULONG + +CK_SLOT_ID_PTR = POINTER(CK_SLOT_ID) + +class CK_SLOT_INFO (Structure): + _fields_ = [("slotDescription", CK_UTF8CHAR * 64), + ("manufacturerID", CK_UTF8CHAR * 32), + ("flags", CK_FLAGS), + ("hardwareVersion", CK_VERSION), + ("firmwareVersion", CK_VERSION)] + +CK_SLOT_INFO_PTR = POINTER(CK_SLOT_INFO) + +class CK_TOKEN_INFO (Structure): + _fields_ = [("label", CK_UTF8CHAR * 32), + ("manufacturerID", CK_UTF8CHAR * 32), + ("model", CK_UTF8CHAR * 16), + ("serialNumber", CK_CHAR * 16), + ("flags", CK_FLAGS), + ("ulMaxSessionCount", CK_ULONG), + ("ulSessionCount", CK_ULONG), + ("ulMaxRwSessionCount", CK_ULONG), + ("ulRwSessionCount", CK_ULONG), + ("ulMaxPinLen", CK_ULONG), + ("ulMinPinLen", CK_ULONG), + ("ulTotalPublicMemory", CK_ULONG), + ("ulFreePublicMemory", CK_ULONG), + ("ulTotalPrivateMemory", CK_ULONG), + ("ulFreePrivateMemory", CK_ULONG), + ("hardwareVersion", CK_VERSION), + ("firmwareVersion", CK_VERSION), + ("utcTime", CK_CHAR * 16)] + +CK_TOKEN_INFO_PTR = POINTER(CK_TOKEN_INFO) + +CK_SESSION_HANDLE = CK_ULONG + +CK_SESSION_HANDLE_PTR = POINTER(CK_SESSION_HANDLE) + +CK_USER_TYPE = CK_ULONG + +CK_STATE = CK_ULONG + +class CK_SESSION_INFO (Structure): + _fields_ = [("slotID", CK_SLOT_ID), + ("state", CK_STATE), + ("flags", CK_FLAGS), + ("ulDeviceError", CK_ULONG)] + +CK_SESSION_INFO_PTR = POINTER(CK_SESSION_INFO) + +CK_OBJECT_HANDLE = CK_ULONG + +CK_OBJECT_HANDLE_PTR = POINTER(CK_OBJECT_HANDLE) + +CK_OBJECT_CLASS = CK_ULONG + +CK_OBJECT_CLASS_PTR = POINTER(CK_OBJECT_CLASS) + +CK_HW_FEATURE_TYPE = CK_ULONG + +CK_KEY_TYPE = CK_ULONG + +CK_CERTIFICATE_TYPE = CK_ULONG + +CK_ATTRIBUTE_TYPE = CK_ULONG + +class CK_ATTRIBUTE (Structure): + _fields_ = [("type", CK_ATTRIBUTE_TYPE), + ("pValue", CK_VOID_PTR), + ("ulValueLen", CK_ULONG)] + +CK_ATTRIBUTE_PTR = POINTER(CK_ATTRIBUTE) + +class CK_DATE (Structure): + _fields_ = [("year", CK_CHAR * 4), + ("month", CK_CHAR * 2), + ("day", CK_CHAR * 2)] + +CK_MECHANISM_TYPE = CK_ULONG + +CK_MECHANISM_TYPE_PTR = POINTER(CK_MECHANISM_TYPE) + +class CK_MECHANISM (Structure): + _fields_ = [("mechanism", CK_MECHANISM_TYPE), + ("pParameter", CK_VOID_PTR), + ("ulParameterLen", CK_ULONG)] + +CK_MECHANISM_PTR = POINTER(CK_MECHANISM) + +class CK_MECHANISM_INFO (Structure): + _fields_ = [("ulMinKeySize", CK_ULONG), + ("ulMaxKeySize", CK_ULONG), + ("flags", CK_FLAGS)] + +CK_MECHANISM_INFO_PTR = POINTER(CK_MECHANISM_INFO) + +CK_RV = CK_ULONG + +CK_NOTIFY = CFUNCTYPE(CK_RV, CK_SESSION_HANDLE, CK_NOTIFICATION, CK_VOID_PTR) + +CK_CREATEMUTEX = CFUNCTYPE(CK_RV, CK_VOID_PTR_PTR) +CK_DESTROYMUTEX = CFUNCTYPE(CK_RV, CK_VOID_PTR) +CK_LOCKMUTEX = CFUNCTYPE(CK_RV, CK_VOID_PTR) +CK_UNLOCKMUTEX = CFUNCTYPE(CK_RV, CK_VOID_PTR) + +class CK_C_INITIALIZE_ARGS (Structure): + _fields_ = [("CreateMutex", CK_CREATEMUTEX), + ("DestroyMutex", CK_DESTROYMUTEX), + ("LockMutex", CK_LOCKMUTEX), + ("UnlockMutex", CK_UNLOCKMUTEX), + ("flags", CK_FLAGS), + ("pReserved", CK_VOID_PTR)] + +CK_C_INITIALIZE_ARGS_PTR = POINTER(CK_C_INITIALIZE_ARGS) diff --git a/py11/__init__.py b/py11/__init__.py deleted file mode 100644 index da79e34..0000000 --- a/py11/__init__.py +++ /dev/null @@ -1,270 +0,0 @@ -""" -This is a Python interface to PKCS #11, using the ctypes module from -the Python standard library. - -This is not (yet?) a complete implementation. It's intended primarily -to simplify testing of the underlying PKCS #11 shared library. -""" - -from ctypes import * -from .exceptions import * -from .types import * -from .constants import * -from .attributes import * -from .prototypes import * - - -class PKCS11 (object): - """ - PKCS #11 API object, encapsulating the PKCS #11 library itself. - Sample usage: - - from py11 import * - - p11 = PKCS11() - p11.C_Initialize() - session = p11.C_OpenSession() - p11.C_login(session, CK_USER, "secret") - p11.C_FindObjectsInit(session, {CKA_CLASS: CKO_PRIVATE_KEY, CKA_KEY_TYPE: CKK_EC, CKA_ID: foo}) - keys = list(p11.C_FindObjects(session)) - p11.C_FindObjectsFinal(session) - if len(keys) != 1: - raise RuntimeError - p11.C_SignInit(session, CK_ECDSA_SHA256, keys[0]) - sig = p11.Sign(session, "Your mother was a hamster") - p11.C_CloseAllSessions(slot) - p11.C_Finalize() - - The full raw PKCS #11 API is available via the .so attribute, but - using this can be tricky, both because it requires strict adherence - to the C API and because one needs to be careful not to run afoul of - the Python garbage collector. - - The example above uses a set of interface routines built on top of the - raw PKCS #11 API, which map the API into something a bit more Pythonic. - """ - - def __init__(self, so_name = "libpkcs11.so"): - self.so_name = so_name - self.so = CDLL(so_name) - def raise_on_failure(rv): - if rv != CKR_OK: - raise CKR_Exception.ckr_map[rv] - for name, args in Prototypes.iteritems(): - func = getattr(self.so, name) - func.restype = raise_on_failure - func.argtypes = args - self.adb = AttributeDB() - - def __getattr__(self, name): - return getattr(self.so, name) - - def C_GetFunctionList(self): - return self - - @property - def version(self): - info = CK_INFO() - self.so.C_GetInfo(byref(info)) - return info.cryptokiVersion - - # Be very careful if you try to provide your own locking functions. - # For most purposes, if you really just want locking, you're best - # off specifying CKF_OS_LOCKING_OK and letting the C code deal with - # it. The one case where you might want to provide your own locking - # is when writing tests to verify behavior of the locking code. - # - # We have to stash references to the callback functions passed to - # C_Initialize() to avoid dumping core when the garbage collector - # deletes the function pointer instances out from under the C code. - - def C_Initialize(self, flags = 0, create_mutex = None, destroy_mutex = None, lock_mutex = None, unlock_mutex = None): - if flags == 0 and create_mutex is None and destroy_mutex is None and lock_mutex is None and unlock_mutex is None: - self._C_Initialize_args = None - self.so.C_Initialize(None) - else: - create_mutex = CK_CREATEMUTEX() if create_mutex is None else CK_CREATEMUTEX(create_mutex) - destroy_mutex = CK_DESTROYMUTEX() if destroy_mutex is None else CK_DESTROYMUTEX(destroy_mutex) - lock_mutex = CK_LOCKMUTEX() if lock_mutex is None else CK_LOCKMUTEX(lock_mutex) - unlock_mutex = CK_UNLOCKMUTEX() if unlock_mutex is None else CK_UNLOCKMUTEX(unlock_mutex) - self._C_Initialize_args = CK_C_INITIALIZE_ARGS(create_mutex, destroy_mutex, lock_mutex, unlock_mutex, flags, None) - self.so.C_Initialize(cast(byref(self._C_Initialize_args), CK_VOID_PTR)) - - def C_Finalize(self): - self.so.C_Finalize(None) - self._C_Initialize_args = None - - def C_GetSlotList(self): - count = CK_ULONG() - self.so.C_GetSlotList(CK_TRUE, None, byref(count)) - slots = (CK_SLOT_ID * count.value)() - self.so.C_GetSlotList(CK_TRUE, slots, byref(count)) - return tuple(slots[i] for i in xrange(count.value)) - - def C_GetTokenInfo(self, slot_id): - token_info = CK_TOKEN_INFO() - self.so.C_GetTokenInfo(slot_id, byref(token_info)) - return token_info - - def C_OpenSession(self, slot, flags = CKF_RW_SESSION, application = None, notify = CK_NOTIFY()): - flags |= CKF_SERIAL_SESSION - handle = CK_SESSION_HANDLE() - self.so.C_OpenSession(slot, flags, application, notify, byref(handle)) - return handle.value - - def C_GenerateRandom(self, session, n): - buffer = create_string_buffer(n) - self.so.C_GenerateRandom(session, buffer, sizeof(buffer)) - return buffer.raw - - def C_Login(self, session, user, pin): - self.so.C_Login(session, user, pin, len(pin)) - - def C_GetAttributeValue(self, session_handle, object_handle, *attributes): - if len(attributes) == 1 and isinstance(attributes[0], (list, tuple)): - attributes = attributes[0] - template = self.adb.getvalue_create_template(attributes) - self.so.C_GetAttributeValue(session_handle, object_handle, template, len(template)) - self.adb.getvalue_allocate_template(template) - self.so.C_GetAttributeValue(session_handle, object_handle, template, len(template)) - return self.adb.from_ctypes(template) - - def C_FindObjectsInit(self, session, template = None, **kwargs): - if kwargs: - assert not template - template = kwargs - if template: - self.so.C_FindObjectsInit(session, self.adb.to_ctypes(template), len(template)) - else: - self.so.C_FindObjectsInit(session, None, 0) - - def C_FindObjects(self, session, chunk_size = 10): - objects = (CK_OBJECT_HANDLE * chunk_size)() - count = CK_ULONG(1) - while count.value > 0: - self.so.C_FindObjects(session, objects, len(objects), byref(count)) - for i in xrange(count.value): - yield objects[i] - - def FindObjects(self, session, template = None, **kwargs): - self.C_FindObjectsInit(session, template, **kwargs) - result = tuple(self.C_FindObjects(session)) - self.C_FindObjectsFinal(session) - return result - - def _parse_GenerateKeyPair_template(self, - # Attributes common to public and private templates - CKA_ID, - CKA_LABEL = None, - CKA_TOKEN = False, - # Attributes only in private template - CKA_SIGN = False, - CKA_DECRYPT = False, - CKA_UNWRAP = False, - CKA_SENSITIVE = True, - CKA_PRIVATE = True, - CKA_EXTRACTABLE = False, - # Finer-grained control for CKA_TOKEN - public_CKA_TOKEN = False, - private_CKA_TOKEN = False, - # Anything else is only in public template - **kwargs): - if CKA_LABEL is None: - CKA_LABEL = CKA_ID - return (dict(kwargs, - CKA_LABEL = CKA_LABEL, - CKA_ID = CKA_ID, - CKA_TOKEN = public_CKA_TOKEN or CKA_TOKEN), - dict(CKA_LABEL = CKA_LABEL, - CKA_ID = CKA_ID, - CKA_TOKEN = private_CKA_TOKEN or CKA_TOKEN, - CKA_SIGN = CKA_SIGN, - CKA_DECRYPT = CKA_DECRYPT, - CKA_UNWRAP = CKA_UNWRAP, - CKA_SENSITIVE = CKA_SENSITIVE, - CKA_PRIVATE = CKA_PRIVATE, - CKA_EXTRACTABLE = CKA_EXTRACTABLE)) - - def C_GenerateKeyPair(self, session, mechanism_type, public_template = None, private_template = None, **kwargs): - if kwargs: - assert not public_template and not private_template - public_template, private_template = self._parse_GenerateKeyPair_template(**kwargs) - public_template = self.adb.to_ctypes(public_template) - private_template = self.adb.to_ctypes(private_template) - mechanism = CK_MECHANISM(mechanism_type, None, 0) - public_handle = CK_OBJECT_HANDLE() - private_handle = CK_OBJECT_HANDLE() - self.so.C_GenerateKeyPair(session, byref(mechanism), - public_template, len(public_template), - private_template, len(private_template), - byref(public_handle), byref(private_handle)) - return public_handle.value, private_handle.value - - def C_SignInit(self, session, mechanism_type, private_key): - mechanism = CK_MECHANISM(mechanism_type, None, 0) - self.so.C_SignInit(session, byref(mechanism), private_key) - - def C_Sign(self, session, data): - n = CK_ULONG() - self.so.C_Sign(session, data, len(data), None, byref(n)) - sig = create_string_buffer(n.value) - self.so.C_Sign(session, data, len(data), sig, byref(n)) - return sig.raw - - def C_SignUpdate(self, session, data): - self.so.C_SignUpdate(session, data, len(data)) - - def C_SignFinal(self, session): - n = CK_ULONG() - self.so.C_SignFinal(session, None, byref(n)) - sig = create_string_buffer(n.value) - self.so.C_SignFinal(session, sig, byref(n)) - return sig.raw - - def C_VerifyInit(self, session, mechanism_type, public_key): - mechanism = CK_MECHANISM(mechanism_type, None, 0) - self.so.C_VerifyInit(session, byref(mechanism), public_key) - - def C_Verify(self, session, data, signature): - self.so.C_Verify(session, data, len(data), signature, len(signature)) - - def C_VerifyUpdate(self, session, data): - self.so.C_VerifyUpdate(session, data, len(data)) - - def C_VerifyFinal(self, session, signature): - self.so.C_VerifyFinal(session, signature, len(signature)) - - def C_CreateObject(self, session, template = None, **kwargs): - if kwargs: - assert not template - template = kwargs - template = self.adb.to_ctypes(template) - handle = CK_OBJECT_HANDLE() - self.so.C_CreateObject(session, template, len(template), byref(handle)) - return handle.value - - def C_DigestInit(self, session, mechanism_type): - mechanism = CK_MECHANISM(mechanism_type, None, 0) - self.so.C_DigestInit(session, byref(mechanism)) - - def C_Digest(self, session, data): - n = CK_ULONG() - self.so.C_Digest(session, data, len(data), None, byref(n)) - hash = create_string_buffer(n.value) - self.so.C_Digest(session, data, len(data), hash, byref(n)) - return hash.raw - - def C_DigestUpdate(self, session, data): - self.so.C_DigestUpdate(session, data, len(data)) - - def C_DigestFinal(self, session): - n = CK_ULONG() - self.so.C_DigestFinal(session, None, byref(n)) - hash = create_string_buffer(n.value) - self.so.C_DigestFinal(session, hash, byref(n)) - return hash.raw - -__all__ = ["PKCS11"] -__all__.extend(name for name in globals() - if name.startswith("CK") - or name.startswith("CRYPTOKI_")) diff --git a/py11/attribute_map.py b/py11/attribute_map.py deleted file mode 100644 index b689d6e..0000000 --- a/py11/attribute_map.py +++ /dev/null @@ -1,54 +0,0 @@ -# This file was generated automatically from attributes.yaml by build-py11-attributes. Do not edit this file directly. - -attribute_map = { - 'CKA_COEFFICIENT': 'biginteger', - 'CKA_MECHANISM_TYPE': 'CK_MECHANISM_TYPE', - 'CKA_ID': 'bytearray', - 'CKA_VALUE': 'biginteger', - 'CKA_KEY_GEN_MECHANISM': 'CK_MECHANISM_TYPE', - 'CKA_LABEL': 'rfc2279string', - 'CKA_KEY_TYPE': 'CK_KEY_TYPE', - 'CKA_PRIME_2': 'biginteger', - 'CKA_APPLICATION': 'rfc2279string', - 'CKA_VERIFY': 'CK_BBOOL', - 'CKA_HASH_OF_ISSUER_PUBLIC_KEY': 'bytearray', - 'CKA_SIGN': 'CK_BBOOL', - 'CKA_MODULUS': 'biginteger', - 'CKA_START_DATE': 'CK_DATE', - 'CKA_CERTIFICATE_CATEGORY': 'CK_ULONG', - 'CKA_PRIVATE_EXPONENT': 'biginteger', - 'CKA_ALWAYS_SENSITIVE': 'CK_BBOOL', - 'CKA_LOCAL': 'CK_BBOOL', - 'CKA_PUBLIC_EXPONENT': 'biginteger', - 'CKA_SENSITIVE': 'CK_BBOOL', - 'CKA_WRAP_WITH_TRUSTED': 'CK_BBOOL', - 'CKA_EXTRACTABLE': 'CK_BBOOL', - 'CKA_SUBJECT': 'bytearray', - 'CKA_VERIFY_RECOVER': 'CK_BBOOL', - 'CKA_EXPONENT_1': 'biginteger', - 'CKA_TOKEN': 'CK_BBOOL', - 'CKA_DECRYPT': 'CK_BBOOL', - 'CKA_EC_PARAMS': 'bytearray', - 'CKA_END_DATE': 'CK_DATE', - 'CKA_JAVA_MIDP_SECURITY_DOMAIN': 'CK_ULONG', - 'CKA_MODIFIABLE': 'CK_BBOOL', - 'CKA_CHECK_VALUE': 'bytearray', - 'CKA_URL': 'rfc2279string', - 'CKA_SERIAL_NUMBER': 'bytearray', - 'CKA_MODULUS_BITS': 'CK_ULONG', - 'CKA_WRAP': 'CK_BBOOL', - 'CKA_SIGN_RECOVER': 'CK_BBOOL', - 'CKA_TRUSTED': 'CK_BBOOL', - 'CKA_DERIVE': 'CK_BBOOL', - 'CKA_UNWRAP': 'CK_BBOOL', - 'CKA_NEVER_EXTRACTABLE': 'CK_BBOOL', - 'CKA_PRIVATE': 'CK_BBOOL', - 'CKA_ENCRYPT': 'CK_BBOOL', - 'CKA_EXPONENT_2': 'biginteger', - 'CKA_PRIME_1': 'biginteger', - 'CKA_EC_POINT': 'bytearray', - 'CKA_ISSUER': 'bytearray', - 'CKA_CERTIFICATE_TYPE': 'CK_CERTIFICATE_TYPE', - 'CKA_CLASS': 'CK_OBJECT_CLASS', - 'CKA_OBJECT_ID': 'bytearray', - 'CKA_HASH_OF_SUBJECT_PUBLIC_KEY': 'bytearray'} diff --git a/py11/attributes.py b/py11/attributes.py deleted file mode 100644 index 56473ad..0000000 --- a/py11/attributes.py +++ /dev/null @@ -1,101 +0,0 @@ -# An attempt at a Python interface to PKCS 11 using the scary ctypes -# module from the Python standard library. - -from struct import pack, unpack -from ctypes import * -from .types import * -from .constants import * - -class Attribute(object): - - @classmethod - def new(cls, attribute_name, type_name): - from . import constants - from . import types - assert attribute_name.startswith("CKA_") - attribute_number = getattr(constants, attribute_name) - type_class = getattr(types, type_name, str) - if type_class is CK_BBOOL: - cls = Attribute_CK_BBOOL - elif type_class is CK_ULONG: - cls = Attribute_CK_ULONG - elif type_name == "biginteger": - cls = Attribute_biginteger - return cls(attribute_name, attribute_number, type_name, type_class) - - def __init__(self, attribute_name, attribute_number, type_name, type_class): - assert attribute_name.startswith("CKA_") - self.name = attribute_name - self.code = attribute_number - self.type_name = type_name - self.type_class = type_class - - def encode(self, x): return x - def decode(self, x): return x - -class Attribute_CK_BBOOL(Attribute): - def encode(self, x): return chr(int(x)) - def decode(self, x): return bool(ord(x)) - -class Attribute_CK_ULONG(Attribute): - def encode(self, x): return pack("L", x) - def decode(self, x): return unpack("L", x)[0] - -class Attribute_biginteger(Attribute): - def encode(self, x): return "\x00" if x == 0 else ("%0*x" % (((x.bit_length() + 7) / 8) * 2, x)).decode("hex") - def decode(self, x): return long(x.encode("hex"), 16) - - -class AttributeDB(object): - - def __init__(self): - from .attribute_map import attribute_map - self.db = {} - for attribute_name, type_name in attribute_map.iteritems(): - a = Attribute.new(attribute_name, type_name) - self.db[a.name] = a - self.db[a.code] = a - - def encode(self, k, v): - return self.db[k].encode(v) if k in self.db else v - - def decode(self, k, v): - return self.db[k].decode(v) if k in self.db else v - - def getvalue_create_template(self, attributes): - attributes = tuple(self.db[a].code for a in attributes) - template = (CK_ATTRIBUTE * len(attributes))() - for i in xrange(len(attributes)): - template[i].type = attributes[i] - template[i].pValue = None - template[i].ulValueLen = 0 - return template - - def getvalue_allocate_template(self, template): - for t in template: - t.pValue = create_string_buffer(t.ulValueLen) - - def from_ctypes(self, template): - return dict((t.type, self.decode(t.type, t.pValue[:t.ulValueLen])) - for t in template) - - def to_ctypes(self, attributes): - attributes = tuple(attributes.iteritems() - if isinstance(attributes, dict) else - attributes) - template = (CK_ATTRIBUTE * len(attributes))() - for i, kv in enumerate(attributes): - k, v = kv - if k in self.db: - a = self.db[k] - k, v = a.code, a.encode(v) - template[i].type = k - template[i].pValue = create_string_buffer(v) - template[i].ulValueLen = len(v) - return template - - def attribute_name(self, code): - return self.db[code].name - - def attribute_code(self, name): - return self.db[name].code diff --git a/py11/constants.py b/py11/constants.py deleted file mode 100644 index a8392ea..0000000 --- a/py11/constants.py +++ /dev/null @@ -1,615 +0,0 @@ -# An attempt at a Python interface to PKCS 11 using the scary ctypes -# module from the Python standard library. - -# This code is derived from the RSA PKCS #11 C header files, which say: -# -# License to copy and use this software is granted provided that it is -# identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface -# (Cryptoki)" in all material mentioning or referencing this software. -# -# License is also granted to make and use derivative works provided that -# such works are identified as "derived from the RSA Security Inc. PKCS #11 -# Cryptographic Token Interface (Cryptoki)" in all material mentioning or -# referencing the derived work. -# -# RSA Security Inc. makes no representations concerning either the -# merchantability of this software or the suitability of this software for -# any particular purpose. It is provided "as is" without express or implied -# warranty of any kind. - -CRYPTOKI_VERSION_MAJOR = 2 -CRYPTOKI_VERSION_MINOR = 30 -CRYPTOKI_VERSION_AMENDMENT = 0 - -CK_TRUE = 1 -CK_FALSE = 0 - -CK_UNAVAILABLE_INFORMATION = ~0 -CK_EFFECTIVELY_INFINITE = 0 - -CK_INVALID_HANDLE = 0 - -CKN_SURRENDER = 0 -CKN_OTP_CHANGED = 1 - -CKF_TOKEN_PRESENT = 0x00000001 -CKF_REMOVABLE_DEVICE = 0x00000002 -CKF_HW_SLOT = 0x00000004 -CKF_RNG = 0x00000001 -CKF_WRITE_PROTECTED = 0x00000002 -CKF_LOGIN_REQUIRED = 0x00000004 -CKF_USER_PIN_INITIALIZED = 0x00000008 -CKF_RESTORE_KEY_NOT_NEEDED = 0x00000020 -CKF_CLOCK_ON_TOKEN = 0x00000040 -CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100 -CKF_DUAL_CRYPTO_OPERATIONS = 0x00000200 -CKF_TOKEN_INITIALIZED = 0x00000400 -CKF_SECONDARY_AUTHENTICATION = 0x00000800 -CKF_USER_PIN_COUNT_LOW = 0x00010000 -CKF_USER_PIN_FINAL_TRY = 0x00020000 -CKF_USER_PIN_LOCKED = 0x00040000 -CKF_USER_PIN_TO_BE_CHANGED = 0x00080000 -CKF_SO_PIN_COUNT_LOW = 0x00100000 -CKF_SO_PIN_FINAL_TRY = 0x00200000 -CKF_SO_PIN_LOCKED = 0x00400000 -CKF_SO_PIN_TO_BE_CHANGED = 0x00800000 -CKF_ERROR_STATE = 0x01000000 - -CKU_SO = 0 -CKU_USER = 1 -CKU_CONTEXT_SPECIFIC = 2 - -CKS_RO_PUBLIC_SESSION = 0 -CKS_RO_USER_FUNCTIONS = 1 -CKS_RW_PUBLIC_SESSION = 2 -CKS_RW_USER_FUNCTIONS = 3 -CKS_RW_SO_FUNCTIONS = 4 - -CKF_RW_SESSION = 0x00000002 -CKF_SERIAL_SESSION = 0x00000004 - -CKO_DATA = 0x00000000 -CKO_CERTIFICATE = 0x00000001 -CKO_PUBLIC_KEY = 0x00000002 -CKO_PRIVATE_KEY = 0x00000003 -CKO_SECRET_KEY = 0x00000004 -CKO_HW_FEATURE = 0x00000005 -CKO_DOMAIN_PARAMETERS = 0x00000006 -CKO_MECHANISM = 0x00000007 -CKO_OTP_KEY = 0x00000008 -CKO_VENDOR_DEFINED = 0x80000000 - -CKH_MONOTONIC_COUNTER = 0x00000001 -CKH_CLOCK = 0x00000002 -CKH_USER_INTERFACE = 0x00000003 -CKH_VENDOR_DEFINED = 0x80000000 - -CKK_RSA = 0x00000000 -CKK_DSA = 0x00000001 -CKK_DH = 0x00000002 -CKK_ECDSA = 0x00000003 -CKK_EC = 0x00000003 -CKK_X9_42_DH = 0x00000004 -CKK_KEA = 0x00000005 -CKK_GENERIC_SECRET = 0x00000010 -CKK_RC2 = 0x00000011 -CKK_RC4 = 0x00000012 -CKK_DES = 0x00000013 -CKK_DES2 = 0x00000014 -CKK_DES3 = 0x00000015 -CKK_CAST = 0x00000016 -CKK_CAST3 = 0x00000017 -CKK_CAST5 = 0x00000018 -CKK_CAST128 = 0x00000018 -CKK_RC5 = 0x00000019 -CKK_IDEA = 0x0000001A -CKK_SKIPJACK = 0x0000001B -CKK_BATON = 0x0000001C -CKK_JUNIPER = 0x0000001D -CKK_CDMF = 0x0000001E -CKK_AES = 0x0000001F -CKK_BLOWFISH = 0x00000020 -CKK_TWOFISH = 0x00000021 -CKK_SECURID = 0x00000022 -CKK_HOTP = 0x00000023 -CKK_ACTI = 0x00000024 -CKK_CAMELLIA = 0x00000025 -CKK_ARIA = 0x00000026 -CKK_MD5_HMAC = 0x00000027 -CKK_SHA_1_HMAC = 0x00000028 -CKK_RIPEMD128_HMAC = 0x00000029 -CKK_RIPEMD160_HMAC = 0x0000002A -CKK_SHA256_HMAC = 0x0000002B -CKK_SHA384_HMAC = 0x0000002C -CKK_SHA512_HMAC = 0x0000002D -CKK_SHA224_HMAC = 0x0000002E -CKK_SEED = 0x0000002F -CKK_GOSTR3410 = 0x00000030 -CKK_GOSTR3411 = 0x00000031 -CKK_GOST28147 = 0x00000032 -CKK_VENDOR_DEFINED = 0x80000000 - -CKC_X_509 = 0x00000000 -CKC_X_509_ATTR_CERT = 0x00000001 -CKC_WTLS = 0x00000002 -CKC_VENDOR_DEFINED = 0x80000000 - -CKF_ARRAY_ATTRIBUTE = 0x40000000 - -CK_OTP_FORMAT_DECIMAL = 0 -CK_OTP_FORMAT_HEXADECIMAL = 1 -CK_OTP_FORMAT_ALPHANUMERIC = 2 -CK_OTP_FORMAT_BINARY = 3 - -CK_OTP_PARAM_IGNORED = 0 -CK_OTP_PARAM_OPTIONAL = 1 -CK_OTP_PARAM_MANDATORY = 2 - -CKA_CLASS = 0x00000000 -CKA_TOKEN = 0x00000001 -CKA_PRIVATE = 0x00000002 -CKA_LABEL = 0x00000003 -CKA_APPLICATION = 0x00000010 -CKA_VALUE = 0x00000011 -CKA_OBJECT_ID = 0x00000012 -CKA_CERTIFICATE_TYPE = 0x00000080 -CKA_ISSUER = 0x00000081 -CKA_SERIAL_NUMBER = 0x00000082 -CKA_AC_ISSUER = 0x00000083 -CKA_OWNER = 0x00000084 -CKA_ATTR_TYPES = 0x00000085 -CKA_TRUSTED = 0x00000086 -CKA_CERTIFICATE_CATEGORY = 0x00000087 -CKA_JAVA_MIDP_SECURITY_DOMAIN = 0x00000088 -CKA_URL = 0x00000089 -CKA_HASH_OF_SUBJECT_PUBLIC_KEY = 0x0000008A -CKA_HASH_OF_ISSUER_PUBLIC_KEY = 0x0000008B -CKA_CHECK_VALUE = 0x00000090 -CKA_KEY_TYPE = 0x00000100 -CKA_SUBJECT = 0x00000101 -CKA_ID = 0x00000102 -CKA_SENSITIVE = 0x00000103 -CKA_ENCRYPT = 0x00000104 -CKA_DECRYPT = 0x00000105 -CKA_WRAP = 0x00000106 -CKA_UNWRAP = 0x00000107 -CKA_SIGN = 0x00000108 -CKA_SIGN_RECOVER = 0x00000109 -CKA_VERIFY = 0x0000010A -CKA_VERIFY_RECOVER = 0x0000010B -CKA_DERIVE = 0x0000010C -CKA_START_DATE = 0x00000110 -CKA_END_DATE = 0x00000111 -CKA_MODULUS = 0x00000120 -CKA_MODULUS_BITS = 0x00000121 -CKA_PUBLIC_EXPONENT = 0x00000122 -CKA_PRIVATE_EXPONENT = 0x00000123 -CKA_PRIME_1 = 0x00000124 -CKA_PRIME_2 = 0x00000125 -CKA_EXPONENT_1 = 0x00000126 -CKA_EXPONENT_2 = 0x00000127 -CKA_COEFFICIENT = 0x00000128 -CKA_PRIME = 0x00000130 -CKA_SUBPRIME = 0x00000131 -CKA_BASE = 0x00000132 -CKA_PRIME_BITS = 0x00000133 -CKA_SUBPRIME_BITS = 0x00000134 -CKA_SUB_PRIME_BITS = CKA_SUBPRIME_BITS -CKA_VALUE_BITS = 0x00000160 -CKA_VALUE_LEN = 0x00000161 -CKA_EXTRACTABLE = 0x00000162 -CKA_LOCAL = 0x00000163 -CKA_NEVER_EXTRACTABLE = 0x00000164 -CKA_ALWAYS_SENSITIVE = 0x00000165 -CKA_KEY_GEN_MECHANISM = 0x00000166 -CKA_MODIFIABLE = 0x00000170 -CKA_ECDSA_PARAMS = 0x00000180 -CKA_EC_PARAMS = 0x00000180 -CKA_EC_POINT = 0x00000181 -CKA_SECONDARY_AUTH = 0x00000200 -CKA_AUTH_PIN_FLAGS = 0x00000201 -CKA_ALWAYS_AUTHENTICATE = 0x00000202 -CKA_WRAP_WITH_TRUSTED = 0x00000210 -CKA_WRAP_TEMPLATE = (CKF_ARRAY_ATTRIBUTE|0x00000211) -CKA_UNWRAP_TEMPLATE = (CKF_ARRAY_ATTRIBUTE|0x00000212) -CKA_DERIVE_TEMPLATE = (CKF_ARRAY_ATTRIBUTE|0x00000213) -CKA_OTP_FORMAT = 0x00000220 -CKA_OTP_LENGTH = 0x00000221 -CKA_OTP_TIME_INTERVAL = 0x00000222 -CKA_OTP_USER_FRIENDLY_MODE = 0x00000223 -CKA_OTP_CHALLENGE_REQUIREMENT = 0x00000224 -CKA_OTP_TIME_REQUIREMENT = 0x00000225 -CKA_OTP_COUNTER_REQUIREMENT = 0x00000226 -CKA_OTP_PIN_REQUIREMENT = 0x00000227 -CKA_OTP_COUNTER = 0x0000022E -CKA_OTP_TIME = 0x0000022F -CKA_OTP_USER_IDENTIFIER = 0x0000022A -CKA_OTP_SERVICE_IDENTIFIER = 0x0000022B -CKA_OTP_SERVICE_LOGO = 0x0000022C -CKA_OTP_SERVICE_LOGO_TYPE = 0x0000022D -CKA_GOSTR3410_PARAMS = 0x00000250 -CKA_GOSTR3411_PARAMS = 0x00000251 -CKA_GOST28147_PARAMS = 0x00000252 -CKA_HW_FEATURE_TYPE = 0x00000300 -CKA_RESET_ON_INIT = 0x00000301 -CKA_HAS_RESET = 0x00000302 -CKA_PIXEL_X = 0x00000400 -CKA_PIXEL_Y = 0x00000401 -CKA_RESOLUTION = 0x00000402 -CKA_CHAR_ROWS = 0x00000403 -CKA_CHAR_COLUMNS = 0x00000404 -CKA_COLOR = 0x00000405 -CKA_BITS_PER_PIXEL = 0x00000406 -CKA_CHAR_SETS = 0x00000480 -CKA_ENCODING_METHODS = 0x00000481 -CKA_MIME_TYPES = 0x00000482 -CKA_MECHANISM_TYPE = 0x00000500 -CKA_REQUIRED_CMS_ATTRIBUTES = 0x00000501 -CKA_DEFAULT_CMS_ATTRIBUTES = 0x00000502 -CKA_SUPPORTED_CMS_ATTRIBUTES = 0x00000503 -CKA_ALLOWED_MECHANISMS = (CKF_ARRAY_ATTRIBUTE|0x00000600) -CKA_VENDOR_DEFINED = 0x80000000 - -CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000000 -CKM_RSA_PKCS = 0x00000001 -CKM_RSA_9796 = 0x00000002 -CKM_RSA_X_509 = 0x00000003 -CKM_MD2_RSA_PKCS = 0x00000004 -CKM_MD5_RSA_PKCS = 0x00000005 -CKM_SHA1_RSA_PKCS = 0x00000006 -CKM_RIPEMD128_RSA_PKCS = 0x00000007 -CKM_RIPEMD160_RSA_PKCS = 0x00000008 -CKM_RSA_PKCS_OAEP = 0x00000009 -CKM_RSA_X9_31_KEY_PAIR_GEN = 0x0000000A -CKM_RSA_X9_31 = 0x0000000B -CKM_SHA1_RSA_X9_31 = 0x0000000C -CKM_RSA_PKCS_PSS = 0x0000000D -CKM_SHA1_RSA_PKCS_PSS = 0x0000000E -CKM_DSA_KEY_PAIR_GEN = 0x00000010 -CKM_DSA = 0x00000011 -CKM_DSA_SHA1 = 0x00000012 -CKM_DSA_SHA224 = 0x00000013 -CKM_DSA_SHA256 = 0x00000014 -CKM_DSA_SHA384 = 0x00000015 -CKM_DSA_SHA512 = 0x00000016 -CKM_DH_PKCS_KEY_PAIR_GEN = 0x00000020 -CKM_DH_PKCS_DERIVE = 0x00000021 -CKM_X9_42_DH_KEY_PAIR_GEN = 0x00000030 -CKM_X9_42_DH_DERIVE = 0x00000031 -CKM_X9_42_DH_HYBRID_DERIVE = 0x00000032 -CKM_X9_42_MQV_DERIVE = 0x00000033 -CKM_SHA256_RSA_PKCS = 0x00000040 -CKM_SHA384_RSA_PKCS = 0x00000041 -CKM_SHA512_RSA_PKCS = 0x00000042 -CKM_SHA256_RSA_PKCS_PSS = 0x00000043 -CKM_SHA384_RSA_PKCS_PSS = 0x00000044 -CKM_SHA512_RSA_PKCS_PSS = 0x00000045 -CKM_SHA224_RSA_PKCS = 0x00000046 -CKM_SHA224_RSA_PKCS_PSS = 0x00000047 -CKM_RC2_KEY_GEN = 0x00000100 -CKM_RC2_ECB = 0x00000101 -CKM_RC2_CBC = 0x00000102 -CKM_RC2_MAC = 0x00000103 -CKM_RC2_MAC_GENERAL = 0x00000104 -CKM_RC2_CBC_PAD = 0x00000105 -CKM_RC4_KEY_GEN = 0x00000110 -CKM_RC4 = 0x00000111 -CKM_DES_KEY_GEN = 0x00000120 -CKM_DES_ECB = 0x00000121 -CKM_DES_CBC = 0x00000122 -CKM_DES_MAC = 0x00000123 -CKM_DES_MAC_GENERAL = 0x00000124 -CKM_DES_CBC_PAD = 0x00000125 -CKM_DES2_KEY_GEN = 0x00000130 -CKM_DES3_KEY_GEN = 0x00000131 -CKM_DES3_ECB = 0x00000132 -CKM_DES3_CBC = 0x00000133 -CKM_DES3_MAC = 0x00000134 -CKM_DES3_MAC_GENERAL = 0x00000135 -CKM_DES3_CBC_PAD = 0x00000136 -CKM_DES3_CMAC_GENERAL = 0x00000137 -CKM_DES3_CMAC = 0x00000138 -CKM_CDMF_KEY_GEN = 0x00000140 -CKM_CDMF_ECB = 0x00000141 -CKM_CDMF_CBC = 0x00000142 -CKM_CDMF_MAC = 0x00000143 -CKM_CDMF_MAC_GENERAL = 0x00000144 -CKM_CDMF_CBC_PAD = 0x00000145 -CKM_DES_OFB64 = 0x00000150 -CKM_DES_OFB8 = 0x00000151 -CKM_DES_CFB64 = 0x00000152 -CKM_DES_CFB8 = 0x00000153 -CKM_MD2 = 0x00000200 -CKM_MD2_HMAC = 0x00000201 -CKM_MD2_HMAC_GENERAL = 0x00000202 -CKM_MD5 = 0x00000210 -CKM_MD5_HMAC = 0x00000211 -CKM_MD5_HMAC_GENERAL = 0x00000212 -CKM_SHA_1 = 0x00000220 -CKM_SHA_1_HMAC = 0x00000221 -CKM_SHA_1_HMAC_GENERAL = 0x00000222 -CKM_RIPEMD128 = 0x00000230 -CKM_RIPEMD128_HMAC = 0x00000231 -CKM_RIPEMD128_HMAC_GENERAL = 0x00000232 -CKM_RIPEMD160 = 0x00000240 -CKM_RIPEMD160_HMAC = 0x00000241 -CKM_RIPEMD160_HMAC_GENERAL = 0x00000242 -CKM_SHA256 = 0x00000250 -CKM_SHA256_HMAC = 0x00000251 -CKM_SHA256_HMAC_GENERAL = 0x00000252 -CKM_SHA224 = 0x00000255 -CKM_SHA224_HMAC = 0x00000256 -CKM_SHA224_HMAC_GENERAL = 0x00000257 -CKM_SHA384 = 0x00000260 -CKM_SHA384_HMAC = 0x00000261 -CKM_SHA384_HMAC_GENERAL = 0x00000262 -CKM_SHA512 = 0x00000270 -CKM_SHA512_HMAC = 0x00000271 -CKM_SHA512_HMAC_GENERAL = 0x00000272 -CKM_SECURID_KEY_GEN = 0x00000280 -CKM_SECURID = 0x00000282 -CKM_HOTP_KEY_GEN = 0x00000290 -CKM_HOTP = 0x00000291 -CKM_ACTI = 0x000002A0 -CKM_ACTI_KEY_GEN = 0x000002A1 -CKM_CAST_KEY_GEN = 0x00000300 -CKM_CAST_ECB = 0x00000301 -CKM_CAST_CBC = 0x00000302 -CKM_CAST_MAC = 0x00000303 -CKM_CAST_MAC_GENERAL = 0x00000304 -CKM_CAST_CBC_PAD = 0x00000305 -CKM_CAST3_KEY_GEN = 0x00000310 -CKM_CAST3_ECB = 0x00000311 -CKM_CAST3_CBC = 0x00000312 -CKM_CAST3_MAC = 0x00000313 -CKM_CAST3_MAC_GENERAL = 0x00000314 -CKM_CAST3_CBC_PAD = 0x00000315 -CKM_CAST5_KEY_GEN = 0x00000320 -CKM_CAST128_KEY_GEN = 0x00000320 -CKM_CAST5_ECB = 0x00000321 -CKM_CAST128_ECB = 0x00000321 -CKM_CAST5_CBC = 0x00000322 -CKM_CAST128_CBC = 0x00000322 -CKM_CAST5_MAC = 0x00000323 -CKM_CAST128_MAC = 0x00000323 -CKM_CAST5_MAC_GENERAL = 0x00000324 -CKM_CAST128_MAC_GENERAL = 0x00000324 -CKM_CAST5_CBC_PAD = 0x00000325 -CKM_CAST128_CBC_PAD = 0x00000325 -CKM_RC5_KEY_GEN = 0x00000330 -CKM_RC5_ECB = 0x00000331 -CKM_RC5_CBC = 0x00000332 -CKM_RC5_MAC = 0x00000333 -CKM_RC5_MAC_GENERAL = 0x00000334 -CKM_RC5_CBC_PAD = 0x00000335 -CKM_IDEA_KEY_GEN = 0x00000340 -CKM_IDEA_ECB = 0x00000341 -CKM_IDEA_CBC = 0x00000342 -CKM_IDEA_MAC = 0x00000343 -CKM_IDEA_MAC_GENERAL = 0x00000344 -CKM_IDEA_CBC_PAD = 0x00000345 -CKM_GENERIC_SECRET_KEY_GEN = 0x00000350 -CKM_CONCATENATE_BASE_AND_KEY = 0x00000360 -CKM_CONCATENATE_BASE_AND_DATA = 0x00000362 -CKM_CONCATENATE_DATA_AND_BASE = 0x00000363 -CKM_XOR_BASE_AND_DATA = 0x00000364 -CKM_EXTRACT_KEY_FROM_KEY = 0x00000365 -CKM_SSL3_PRE_MASTER_KEY_GEN = 0x00000370 -CKM_SSL3_MASTER_KEY_DERIVE = 0x00000371 -CKM_SSL3_KEY_AND_MAC_DERIVE = 0x00000372 -CKM_SSL3_MASTER_KEY_DERIVE_DH = 0x00000373 -CKM_TLS_PRE_MASTER_KEY_GEN = 0x00000374 -CKM_TLS_MASTER_KEY_DERIVE = 0x00000375 -CKM_TLS_KEY_AND_MAC_DERIVE = 0x00000376 -CKM_TLS_MASTER_KEY_DERIVE_DH = 0x00000377 -CKM_TLS_PRF = 0x00000378 -CKM_SSL3_MD5_MAC = 0x00000380 -CKM_SSL3_SHA1_MAC = 0x00000381 -CKM_MD5_KEY_DERIVATION = 0x00000390 -CKM_MD2_KEY_DERIVATION = 0x00000391 -CKM_SHA1_KEY_DERIVATION = 0x00000392 -CKM_SHA256_KEY_DERIVATION = 0x00000393 -CKM_SHA384_KEY_DERIVATION = 0x00000394 -CKM_SHA512_KEY_DERIVATION = 0x00000395 -CKM_SHA224_KEY_DERIVATION = 0x00000396 -CKM_PBE_MD2_DES_CBC = 0x000003A0 -CKM_PBE_MD5_DES_CBC = 0x000003A1 -CKM_PBE_MD5_CAST_CBC = 0x000003A2 -CKM_PBE_MD5_CAST3_CBC = 0x000003A3 -CKM_PBE_MD5_CAST5_CBC = 0x000003A4 -CKM_PBE_MD5_CAST128_CBC = 0x000003A4 -CKM_PBE_SHA1_CAST5_CBC = 0x000003A5 -CKM_PBE_SHA1_CAST128_CBC = 0x000003A5 -CKM_PBE_SHA1_RC4_128 = 0x000003A6 -CKM_PBE_SHA1_RC4_40 = 0x000003A7 -CKM_PBE_SHA1_DES3_EDE_CBC = 0x000003A8 -CKM_PBE_SHA1_DES2_EDE_CBC = 0x000003A9 -CKM_PBE_SHA1_RC2_128_CBC = 0x000003AA -CKM_PBE_SHA1_RC2_40_CBC = 0x000003AB -CKM_PKCS5_PBKD2 = 0x000003B0 -CKM_PBA_SHA1_WITH_SHA1_HMAC = 0x000003C0 -CKM_WTLS_PRE_MASTER_KEY_GEN = 0x000003D0 -CKM_WTLS_MASTER_KEY_DERIVE = 0x000003D1 -CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC = 0x000003D2 -CKM_WTLS_PRF = 0x000003D3 -CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE = 0x000003D4 -CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE = 0x000003D5 -CKM_KEY_WRAP_LYNKS = 0x00000400 -CKM_KEY_WRAP_SET_OAEP = 0x00000401 -CKM_CMS_SIG = 0x00000500 -CKM_KIP_DERIVE = 0x00000510 -CKM_KIP_WRAP = 0x00000511 -CKM_KIP_MAC = 0x00000512 -CKM_CAMELLIA_KEY_GEN = 0x00000550 -CKM_CAMELLIA_ECB = 0x00000551 -CKM_CAMELLIA_CBC = 0x00000552 -CKM_CAMELLIA_MAC = 0x00000553 -CKM_CAMELLIA_MAC_GENERAL = 0x00000554 -CKM_CAMELLIA_CBC_PAD = 0x00000555 -CKM_CAMELLIA_ECB_ENCRYPT_DATA = 0x00000556 -CKM_CAMELLIA_CBC_ENCRYPT_DATA = 0x00000557 -CKM_CAMELLIA_CTR = 0x00000558 -CKM_ARIA_KEY_GEN = 0x00000560 -CKM_ARIA_ECB = 0x00000561 -CKM_ARIA_CBC = 0x00000562 -CKM_ARIA_MAC = 0x00000563 -CKM_ARIA_MAC_GENERAL = 0x00000564 -CKM_ARIA_CBC_PAD = 0x00000565 -CKM_ARIA_ECB_ENCRYPT_DATA = 0x00000566 -CKM_ARIA_CBC_ENCRYPT_DATA = 0x00000567 -CKM_SEED_KEY_GEN = 0x00000650 -CKM_SEED_ECB = 0x00000651 -CKM_SEED_CBC = 0x00000652 -CKM_SEED_MAC = 0x00000653 -CKM_SEED_MAC_GENERAL = 0x00000654 -CKM_SEED_CBC_PAD = 0x00000655 -CKM_SEED_ECB_ENCRYPT_DATA = 0x00000656 -CKM_SEED_CBC_ENCRYPT_DATA = 0x00000657 -CKM_SKIPJACK_KEY_GEN = 0x00001000 -CKM_SKIPJACK_ECB64 = 0x00001001 -CKM_SKIPJACK_CBC64 = 0x00001002 -CKM_SKIPJACK_OFB64 = 0x00001003 -CKM_SKIPJACK_CFB64 = 0x00001004 -CKM_SKIPJACK_CFB32 = 0x00001005 -CKM_SKIPJACK_CFB16 = 0x00001006 -CKM_SKIPJACK_CFB8 = 0x00001007 -CKM_SKIPJACK_WRAP = 0x00001008 -CKM_SKIPJACK_PRIVATE_WRAP = 0x00001009 -CKM_SKIPJACK_RELAYX = 0x0000100a -CKM_KEA_KEY_PAIR_GEN = 0x00001010 -CKM_KEA_KEY_DERIVE = 0x00001011 -CKM_FORTEZZA_TIMESTAMP = 0x00001020 -CKM_BATON_KEY_GEN = 0x00001030 -CKM_BATON_ECB128 = 0x00001031 -CKM_BATON_ECB96 = 0x00001032 -CKM_BATON_CBC128 = 0x00001033 -CKM_BATON_COUNTER = 0x00001034 -CKM_BATON_SHUFFLE = 0x00001035 -CKM_BATON_WRAP = 0x00001036 -CKM_ECDSA_KEY_PAIR_GEN = 0x00001040 -CKM_EC_KEY_PAIR_GEN = 0x00001040 -CKM_ECDSA = 0x00001041 -CKM_ECDSA_SHA1 = 0x00001042 -CKM_ECDSA_SHA224 = 0x00001043 -CKM_ECDSA_SHA256 = 0x00001044 -CKM_ECDSA_SHA384 = 0x00001045 -CKM_ECDSA_SHA512 = 0x00001046 -CKM_ECDH1_DERIVE = 0x00001050 -CKM_ECDH1_COFACTOR_DERIVE = 0x00001051 -CKM_ECMQV_DERIVE = 0x00001052 -CKM_JUNIPER_KEY_GEN = 0x00001060 -CKM_JUNIPER_ECB128 = 0x00001061 -CKM_JUNIPER_CBC128 = 0x00001062 -CKM_JUNIPER_COUNTER = 0x00001063 -CKM_JUNIPER_SHUFFLE = 0x00001064 -CKM_JUNIPER_WRAP = 0x00001065 -CKM_FASTHASH = 0x00001070 -CKM_AES_KEY_GEN = 0x00001080 -CKM_AES_ECB = 0x00001081 -CKM_AES_CBC = 0x00001082 -CKM_AES_MAC = 0x00001083 -CKM_AES_MAC_GENERAL = 0x00001084 -CKM_AES_CBC_PAD = 0x00001085 -CKM_AES_CTR = 0x00001086 -CKM_AES_CTS = 0x00001089 -CKM_AES_CMAC = 0x0000108A -CKM_AES_CMAC_GENERAL = 0x0000108B -CKM_BLOWFISH_KEY_GEN = 0x00001090 -CKM_BLOWFISH_CBC = 0x00001091 -CKM_TWOFISH_KEY_GEN = 0x00001092 -CKM_TWOFISH_CBC = 0x00001093 -CKM_AES_GCM = 0x00001087 -CKM_AES_CCM = 0x00001088 -CKM_AES_KEY_WRAP = 0x00001090 -CKM_AES_KEY_WRAP_PAD = 0x00001091 -CKM_BLOWFISH_CBC_PAD = 0x00001094 -CKM_TWOFISH_CBC_PAD = 0x00001095 -CKM_DES_ECB_ENCRYPT_DATA = 0x00001100 -CKM_DES_CBC_ENCRYPT_DATA = 0x00001101 -CKM_DES3_ECB_ENCRYPT_DATA = 0x00001102 -CKM_DES3_CBC_ENCRYPT_DATA = 0x00001103 -CKM_AES_ECB_ENCRYPT_DATA = 0x00001104 -CKM_AES_CBC_ENCRYPT_DATA = 0x00001105 -CKM_GOSTR3410_KEY_PAIR_GEN = 0x00001200 -CKM_GOSTR3410 = 0x00001201 -CKM_GOSTR3410_WITH_GOSTR3411 = 0x00001202 -CKM_GOSTR3410_KEY_WRAP = 0x00001203 -CKM_GOSTR3410_DERIVE = 0x00001204 -CKM_GOSTR3411 = 0x00001210 -CKM_GOSTR3411_HMAC = 0x00001211 -CKM_GOST28147_KEY_GEN = 0x00001220 -CKM_GOST28147_ECB = 0x00001221 -CKM_GOST28147 = 0x00001222 -CKM_GOST28147_MAC = 0x00001223 -CKM_GOST28147_KEY_WRAP = 0x00001224 -CKM_DSA_PARAMETER_GEN = 0x00002000 -CKM_DH_PKCS_PARAMETER_GEN = 0x00002001 -CKM_X9_42_DH_PARAMETER_GEN = 0x00002002 -CKM_AES_OFB = 0x00002104 -CKM_AES_CFB64 = 0x00002105 -CKM_AES_CFB8 = 0x00002106 -CKM_AES_CFB128 = 0x00002107 -CKM_RSA_PKCS_TPM_1_1 = 0x00004001 -CKM_RSA_PKCS_OAEP_TPM_1_1 = 0x00004002 -CKM_VENDOR_DEFINED = 0x80000000 - -CKF_HW = 0x00000001 -CKF_ENCRYPT = 0x00000100 -CKF_DECRYPT = 0x00000200 -CKF_DIGEST = 0x00000400 -CKF_SIGN = 0x00000800 -CKF_SIGN_RECOVER = 0x00001000 -CKF_VERIFY = 0x00002000 -CKF_VERIFY_RECOVER = 0x00004000 -CKF_GENERATE = 0x00008000 -CKF_GENERATE_KEY_PAIR = 0x00010000 -CKF_WRAP = 0x00020000 -CKF_UNWRAP = 0x00040000 -CKF_DERIVE = 0x00080000 -CKF_EC_F_P = 0x00100000 -CKF_EC_F_2M = 0x00200000 -CKF_EC_ECPARAMETERS = 0x00400000 -CKF_EC_NAMEDCURVE = 0x00800000 -CKF_EC_UNCOMPRESS = 0x01000000 -CKF_EC_COMPRESS = 0x02000000 -CKF_EXTENSION = 0x80000000 - -CKF_LIBRARY_CANT_CREATE_OS_THREADS = 0x00000001 -CKF_OS_LOCKING_OK = 0x00000002 - -CKF_DONT_BLOCK = 1 - -CKG_MGF1_SHA1 = 0x00000001 -CKG_MGF1_SHA256 = 0x00000002 -CKG_MGF1_SHA384 = 0x00000003 -CKG_MGF1_SHA512 = 0x00000004 -CKG_MGF1_SHA224 = 0x00000005 - -CKZ_DATA_SPECIFIED = 0x00000001 - -CKD_NULL = 0x00000001 -CKD_SHA1_KDF = 0x00000002 - -CKD_SHA1_KDF_ASN1 = 0x00000003 -CKD_SHA1_KDF_CONCATENATE = 0x00000004 -CKD_SHA224_KDF = 0x00000005 -CKD_SHA256_KDF = 0x00000006 -CKD_SHA384_KDF = 0x00000007 -CKD_SHA512_KDF = 0x00000008 -CKD_CPDIVERSIFY_KDF = 0x00000009 - -CK_OTP_VALUE = 0 -CK_OTP_PIN = 1 -CK_OTP_CHALLENGE = 2 -CK_OTP_TIME = 3 -CK_OTP_COUNTER = 4 -CK_OTP_FLAGS = 5 -CK_OTP_OUTPUT_LENGTH = 6 -CK_OTP_OUTPUT_FORMAT = 7 - -CKF_NEXT_OTP = 0x00000001 -CKF_EXCLUDE_TIME = 0x00000002 -CKF_EXCLUDE_COUNTER = 0x00000004 -CKF_EXCLUDE_CHALLENGE = 0x00000008 -CKF_EXCLUDE_PIN = 0x00000010 -CKF_USER_FRIENDLY_OTP = 0x00000020 diff --git a/py11/exceptions.py b/py11/exceptions.py deleted file mode 100644 index 7f86fe4..0000000 --- a/py11/exceptions.py +++ /dev/null @@ -1,128 +0,0 @@ -# An attempt at a Python interface to PKCS 11 using the scary ctypes -# module from the Python standard library. - -# This code is derived from the RSA PKCS #11 C header files, which say: -# -# License to copy and use this software is granted provided that it is -# identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface -# (Cryptoki)" in all material mentioning or referencing this software. -# -# License is also granted to make and use derivative works provided that -# such works are identified as "derived from the RSA Security Inc. PKCS #11 -# Cryptographic Token Interface (Cryptoki)" in all material mentioning or -# referencing the derived work. -# -# RSA Security Inc. makes no representations concerning either the -# merchantability of this software or the suitability of this software for -# any particular purpose. It is provided "as is" without express or implied -# warranty of any kind. - -class CKR_Exception(Exception): - """ - Base class for PKCS #11 exceptions. - """ - - ckr_code = None - ckr_map = {} - - def __int__(self): - return self.ckr_code - -CKR_OK = 0x00000000 - -class CKR_CANCEL (CKR_Exception): ckr_code = 0x00000001 -class CKR_HOST_MEMORY (CKR_Exception): ckr_code = 0x00000002 -class CKR_SLOT_ID_INVALI (CKR_Exception): ckr_code = 0x00000003 -class CKR_GENERAL_ERROR (CKR_Exception): ckr_code = 0x00000005 -class CKR_FUNCTION_FAILED (CKR_Exception): ckr_code = 0x00000006 -class CKR_ARGUMENTS_BAD (CKR_Exception): ckr_code = 0x00000007 -class CKR_NO_EVENT (CKR_Exception): ckr_code = 0x00000008 -class CKR_NEED_TO_CREATE_THREADS (CKR_Exception): ckr_code = 0x00000009 -class CKR_CANT_LOCK (CKR_Exception): ckr_code = 0x0000000A -class CKR_ATTRIBUTE_READ_ONLY (CKR_Exception): ckr_code = 0x00000010 -class CKR_ATTRIBUTE_SENSITIVE (CKR_Exception): ckr_code = 0x00000011 -class CKR_ATTRIBUTE_TYPE_INVALID (CKR_Exception): ckr_code = 0x00000012 -class CKR_ATTRIBUTE_VALUE_INVALID (CKR_Exception): ckr_code = 0x00000013 -class CKR_DATA_INVALID (CKR_Exception): ckr_code = 0x00000020 -class CKR_DATA_LEN_RANGE (CKR_Exception): ckr_code = 0x00000021 -class CKR_DEVICE_ERROR (CKR_Exception): ckr_code = 0x00000030 -class CKR_DEVICE_MEMORY (CKR_Exception): ckr_code = 0x00000031 -class CKR_DEVICE_REMOVED (CKR_Exception): ckr_code = 0x00000032 -class CKR_ENCRYPTED_DATA_INVALID (CKR_Exception): ckr_code = 0x00000040 -class CKR_ENCRYPTED_DATA_LEN_RANGE (CKR_Exception): ckr_code = 0x00000041 -class CKR_FUNCTION_CANCELED (CKR_Exception): ckr_code = 0x00000050 -class CKR_FUNCTION_NOT_PARALLEL (CKR_Exception): ckr_code = 0x00000051 -class CKR_FUNCTION_NOT_SUPPORTED (CKR_Exception): ckr_code = 0x00000054 -class CKR_KEY_HANDLE_INVALID (CKR_Exception): ckr_code = 0x00000060 -class CKR_KEY_SIZE_RANGE (CKR_Exception): ckr_code = 0x00000062 -class CKR_KEY_TYPE_INCONSISTENT (CKR_Exception): ckr_code = 0x00000063 -class CKR_KEY_NOT_NEEDED (CKR_Exception): ckr_code = 0x00000064 -class CKR_KEY_CHANGED (CKR_Exception): ckr_code = 0x00000065 -class CKR_KEY_NEEDED (CKR_Exception): ckr_code = 0x00000066 -class CKR_KEY_INDIGESTIBLE (CKR_Exception): ckr_code = 0x00000067 -class CKR_KEY_FUNCTION_NOT_PERMITTED (CKR_Exception): ckr_code = 0x00000068 -class CKR_KEY_NOT_WRAPPABLE (CKR_Exception): ckr_code = 0x00000069 -class CKR_KEY_UNEXTRACTABLE (CKR_Exception): ckr_code = 0x0000006A -class CKR_MECHANISM_INVALID (CKR_Exception): ckr_code = 0x00000070 -class CKR_MECHANISM_PARAM_INVALID (CKR_Exception): ckr_code = 0x00000071 -class CKR_OBJECT_HANDLE_INVALID (CKR_Exception): ckr_code = 0x00000082 -class CKR_OPERATION_ACTIVE (CKR_Exception): ckr_code = 0x00000090 -class CKR_OPERATION_NOT_INITIALIZED (CKR_Exception): ckr_code = 0x00000091 -class CKR_PIN_INCORRECT (CKR_Exception): ckr_code = 0x000000A0 -class CKR_PIN_INVALID (CKR_Exception): ckr_code = 0x000000A1 -class CKR_PIN_LEN_RANGE (CKR_Exception): ckr_code = 0x000000A2 -class CKR_PIN_EXPIRED (CKR_Exception): ckr_code = 0x000000A3 -class CKR_PIN_LOCKED (CKR_Exception): ckr_code = 0x000000A4 -class CKR_SESSION_CLOSED (CKR_Exception): ckr_code = 0x000000B0 -class CKR_SESSION_COUNT (CKR_Exception): ckr_code = 0x000000B1 -class CKR_SESSION_HANDLE_INVALID (CKR_Exception): ckr_code = 0x000000B3 -class CKR_SESSION_PARALLEL_NOT_SUPPORTED (CKR_Exception): ckr_code = 0x000000B4 -class CKR_SESSION_READ_ONLY (CKR_Exception): ckr_code = 0x000000B5 -class CKR_SESSION_EXISTS (CKR_Exception): ckr_code = 0x000000B6 -class CKR_SESSION_READ_ONLY_EXISTS (CKR_Exception): ckr_code = 0x000000B7 -class CKR_SESSION_READ_WRITE_SO_EXISTS (CKR_Exception): ckr_code = 0x000000B8 -class CKR_SIGNATURE_INVALID (CKR_Exception): ckr_code = 0x000000C0 -class CKR_SIGNATURE_LEN_RANGE (CKR_Exception): ckr_code = 0x000000C1 -class CKR_TEMPLATE_INCOMPLETE (CKR_Exception): ckr_code = 0x000000D0 -class CKR_TEMPLATE_INCONSISTENT (CKR_Exception): ckr_code = 0x000000D1 -class CKR_TOKEN_NOT_PRESENT (CKR_Exception): ckr_code = 0x000000E0 -class CKR_TOKEN_NOT_RECOGNIZED (CKR_Exception): ckr_code = 0x000000E1 -class CKR_TOKEN_WRITE_PROTECTED (CKR_Exception): ckr_code = 0x000000E2 -class CKR_UNWRAPPING_KEY_HANDLE_INVALID (CKR_Exception): ckr_code = 0x000000F0 -class CKR_UNWRAPPING_KEY_SIZE_RANGE (CKR_Exception): ckr_code = 0x000000F1 -class CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (CKR_Exception): ckr_code = 0x000000F2 -class CKR_USER_ALREADY_LOGGED_IN (CKR_Exception): ckr_code = 0x00000100 -class CKR_USER_NOT_LOGGED_IN (CKR_Exception): ckr_code = 0x00000101 -class CKR_USER_PIN_NOT_INITIALIZED (CKR_Exception): ckr_code = 0x00000102 -class CKR_USER_TYPE_INVALID (CKR_Exception): ckr_code = 0x00000103 -class CKR_USER_ANOTHER_ALREADY_LOGGED_IN (CKR_Exception): ckr_code = 0x00000104 -class CKR_USER_TOO_MANY_TYPES (CKR_Exception): ckr_code = 0x00000105 -class CKR_WRAPPED_KEY_INVALID (CKR_Exception): ckr_code = 0x00000110 -class CKR_WRAPPED_KEY_LEN_RANGE (CKR_Exception): ckr_code = 0x00000112 -class CKR_WRAPPING_KEY_HANDLE_INVALID (CKR_Exception): ckr_code = 0x00000113 -class CKR_WRAPPING_KEY_SIZE_RANGE (CKR_Exception): ckr_code = 0x00000114 -class CKR_WRAPPING_KEY_TYPE_INCONSISTENT (CKR_Exception): ckr_code = 0x00000115 -class CKR_RANDOM_SEED_NOT_SUPPORTED (CKR_Exception): ckr_code = 0x00000120 -class CKR_RANDOM_NO_RNG (CKR_Exception): ckr_code = 0x00000121 -class CKR_DOMAIN_PARAMS_INVALID (CKR_Exception): ckr_code = 0x00000130 -class CKR_BUFFER_TOO_SMALL (CKR_Exception): ckr_code = 0x00000150 -class CKR_SAVED_STATE_INVALID (CKR_Exception): ckr_code = 0x00000160 -class CKR_INFORMATION_SENSITIVE (CKR_Exception): ckr_code = 0x00000170 -class CKR_STATE_UNSAVEABLE (CKR_Exception): ckr_code = 0x00000180 -class CKR_CRYPTOKI_NOT_INITIALIZED (CKR_Exception): ckr_code = 0x00000190 -class CKR_CRYPTOKI_ALREADY_INITIALIZED (CKR_Exception): ckr_code = 0x00000191 -class CKR_MUTEX_BAD (CKR_Exception): ckr_code = 0x000001A0 -class CKR_MUTEX_NOT_LOCKED (CKR_Exception): ckr_code = 0x000001A1 -class CKR_NEW_PIN_MODE (CKR_Exception): ckr_code = 0x000001B0 -class CKR_NEXT_OTP (CKR_Exception): ckr_code = 0x000001B1 -class CKR_EXCEEDED_MAX_ITERATIONS (CKR_Exception): ckr_code = 0x000001B5 -class CKR_FIPS_SELF_TEST_FAILED (CKR_Exception): ckr_code = 0x000001B6 -class CKR_LIBRARY_LOAD_FAILED (CKR_Exception): ckr_code = 0x000001B7 -class CKR_PIN_TOO_WEAK (CKR_Exception): ckr_code = 0x000001B8 -class CKR_PUBLIC_KEY_INVALID (CKR_Exception): ckr_code = 0x000001B9 -class CKR_FUNCTION_REJECTED (CKR_Exception): ckr_code = 0x00000200 -class CKR_VENDOR_DEFINED (CKR_Exception): ckr_code = 0x80000000 - -for e in globals().values(): - if isinstance(e, type) and issubclass(e, CKR_Exception) and e is not CKR_Exception: - CKR_Exception.ckr_map[e.ckr_code] = e diff --git a/py11/mutex.py b/py11/mutex.py deleted file mode 100644 index f71e006..0000000 --- a/py11/mutex.py +++ /dev/null @@ -1,88 +0,0 @@ -""" -Optional Python mutex implementation for py11 library, using the -threading.Lock primitive to provide the mutex itself. - -Most of the code in this module has to do with mapping between the -Python and PKCS #11 APIs. - -If you just want locking, it's probably simpler to let the C code -handle it, by passing CKF_OS_LOCKING_OK to C_Initialize(). - -The main reason for having a complete implementation in Python is to -test the API. - -Sample usage: - - from p11 import * - from py11.mutex import MutexDB - - p11 = PKCS11() - mdb = MutexDB() - p11.C_Initialize(0, mdb.create, mdb.destroy, mdb.lock, mdb.unlock) -""" - -from struct import pack, unpack -from .types import * -from .exceptions import * - -# This controls how big our mutex handles are. -encoded_format = "=L" - -# These are all determined by encoded_format, don't touch. - -encoded_length = len(pack(encoded_format, 0)) -encoded_type = CK_BYTE * encoded_length -handle_max = unpack(encoded_format, chr(0xff) * encoded_length)[0] - -class Mutex(object): - - def __init__(self, handle): - from threading import Lock - self.encoded = encoded_type(*handle) - self.lock = Lock() - -def p11_callback(func): - from threading import ThreadError - def wrapper(self, arg): - try: - func(self, arg) - except ThreadError, e: - print "Failed: %s" % e - return CKR_MUTEX_NOT_LOCKED.ckr_code - except Exception, e: - print "Failed: %s" % e - return CKR_FUNCTION_FAILED.ckr_code - else: - return CKR_OK - return wrapper - -class MutexDB(object): - - def __init__(self): - self.mutexes = {} - self.next_handle = 0 - - def find_free_handle(self): - if len(self.mutexes) > handle_max: - raise RuntimeError - while self.next_handle in self.mutexes: - self.next_handle = (self.next_handle + 1) & handle_max - return pack(encoded_format, self.next_handle) - - @p11_callback - def create(self, handle_ptr): - handle = self.find_free_handle() - self.mutexes[handle] = Mutex(handle) - handle_ptr[0] = self.mutexes[handle].encoded - - @p11_callback - def destroy(self, handle): - del self.mutexes[handle[:encoded_length]] - - @p11_callback - def lock(self, handle): - self.mutexes[handle[:encoded_length]].lock.acquire() - - @p11_callback - def unlock(self, handle): - self.mutexes[handle[:encoded_length]].lock.release() diff --git a/py11/prototypes.py b/py11/prototypes.py deleted file mode 100644 index 7951515..0000000 --- a/py11/prototypes.py +++ /dev/null @@ -1,85 +0,0 @@ -# An attempt at a Python interface to PKCS 11 using the scary ctypes -# module from the Python standard library. - -from ctypes import * -from .types import * - -# Prototypes for the PKCS #11 public functions. -# -# We don't bother implementing C_GetFunctionList(), because it would -# be extremely tedious and it's not all that useful to us in Python. -# Instead, we emulate its behavior in the PKCS11 class. - -Prototypes = dict( - C_Initialize = [CK_VOID_PTR], - C_Finalize = [CK_VOID_PTR], - C_GetInfo = [CK_INFO_PTR], -# C_GetFunctionList = [CK_FUNCTION_LIST_PTR_PTR], - C_GetSlotList = [CK_BBOOL, CK_SLOT_ID_PTR, CK_ULONG_PTR], - C_GetSlotInfo = [CK_SLOT_ID, CK_SLOT_INFO_PTR], - C_GetTokenInfo = [CK_SLOT_ID, CK_TOKEN_INFO_PTR], - C_GetMechanismList = [CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, CK_ULONG_PTR], - C_GetMechanismInfo = [CK_SLOT_ID, CK_MECHANISM_TYPE, CK_MECHANISM_INFO_PTR], - C_InitToken = [CK_SLOT_ID, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR], - C_InitPIN = [CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG], - C_SetPIN = [CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR, CK_ULONG], - C_OpenSession = [CK_SLOT_ID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY, CK_SESSION_HANDLE_PTR], - C_CloseSession = [CK_SESSION_HANDLE], - C_CloseAllSessions = [CK_SLOT_ID], - C_GetSessionInfo = [CK_SESSION_HANDLE, CK_SESSION_INFO_PTR], - C_GetOperationState = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR], - C_SetOperationState = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_OBJECT_HANDLE, CK_OBJECT_HANDLE], - C_Login = [CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG], - C_Logout = [CK_SESSION_HANDLE], - C_CreateObject = [CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR], - C_CopyObject = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR], - C_DestroyObject = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE], - C_GetObjectSize = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR], - C_GetAttributeValue = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG], - C_SetAttributeValue = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG], - C_FindObjectsInit = [CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG], - C_FindObjects = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG, CK_ULONG_PTR], - C_FindObjectsFinal = [CK_SESSION_HANDLE], - C_EncryptInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], - C_Encrypt = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_EncryptUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_EncryptFinal = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR], - C_DecryptInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], - C_Decrypt = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_DecryptUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_DecryptFinal = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR], - C_DigestInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR], - C_Digest = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_DigestUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], - C_DigestKey = [CK_SESSION_HANDLE, CK_OBJECT_HANDLE], - C_DigestFinal = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR], - C_SignInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], - C_Sign = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_SignUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], - C_SignFinal = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR], - C_SignRecoverInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], - C_SignRecover = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_VerifyInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], - C_Verify = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG], - C_VerifyUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], - C_VerifyFinal = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], - C_VerifyRecoverInit = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE], - C_VerifyRecover = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_DigestEncryptUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_DecryptDigestUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_SignEncryptUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_DecryptVerifyUpdate = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR], - C_GenerateKey = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR], - C_GenerateKeyPair = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, CK_ULONG, - CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR, CK_OBJECT_HANDLE_PTR], - C_WrapKey = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, CK_OBJECT_HANDLE, - CK_BYTE_PTR, CK_ULONG_PTR], - C_UnwrapKey = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR], - C_DeriveKey = [CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, - CK_OBJECT_HANDLE_PTR], - C_SeedRandom = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], - C_GenerateRandom = [CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG], - C_GetFunctionStatus = [CK_SESSION_HANDLE], - C_CancelFunction = [CK_SESSION_HANDLE], - C_WaitForSlotEvent = [CK_FLAGS, CK_SLOT_ID_PTR, CK_VOID_PTR]) diff --git a/py11/types.py b/py11/types.py deleted file mode 100644 index 4d0b279..0000000 --- a/py11/types.py +++ /dev/null @@ -1,180 +0,0 @@ -# An attempt at a Python interface to PKCS 11 using the scary ctypes -# module from the Python standard library. - -from ctypes import * - -# This code is derived from the RSA PKCS #11 C header files, which say: -# -# License to copy and use this software is granted provided that it is -# identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface -# (Cryptoki)" in all material mentioning or referencing this software. -# -# License is also granted to make and use derivative works provided that -# such works are identified as "derived from the RSA Security Inc. PKCS #11 -# Cryptographic Token Interface (Cryptoki)" in all material mentioning or -# referencing the derived work. -# -# RSA Security Inc. makes no representations concerning either the -# merchantability of this software or the suitability of this software for -# any particular purpose. It is provided "as is" without express or implied -# warranty of any kind. - -# This is not a complete set of PKCS #11 types, because the full set -# with all the optional mechanisms is tediously long and each -# structure type requires hand conversion. Goal at the moment is to -# cover stuff we care about in the base specification. Add other -# mechanism-specific stuff later as needed. - -# Mapping beween C and Python at the lowest level isn't perfect -# because characters are integer types in C while they're strings in -# Python. It looks like we want the string handling in most cases -# other than CK_BBOOL and CK_VERSION, map lowest-level PKCS #11 types -# accordingly. - -CK_BYTE = c_char -CK_CHAR = CK_BYTE -CK_UTF8CHAR = CK_BYTE -CK_BBOOL = c_ubyte -CK_ULONG = c_ulong -CK_LONG = c_long -CK_FLAGS = CK_ULONG -CK_VOID_PTR = POINTER(c_char) - -CK_BYTE_PTR = POINTER(CK_BYTE) -CK_CHAR_PTR = POINTER(CK_CHAR) -CK_UTF8CHAR_PTR = POINTER(CK_UTF8CHAR) -CK_ULONG_PTR = POINTER(CK_ULONG) -CK_VOID_PTR_PTR = POINTER(CK_VOID_PTR) - -class CK_VERSION (Structure): - _fields_ = [("major", c_ubyte), - ("minor", c_ubyte)] - -CK_VERSION_PTR = POINTER(CK_VERSION) - -class CK_INFO (Structure): - _fields_ = [("cryptokiVersion", CK_VERSION), - ("manufacturerID", CK_UTF8CHAR * 32), - ("flags", CK_FLAGS), - ("libraryDescription", CK_UTF8CHAR * 32), - ("libraryVersion", CK_VERSION)] - -CK_INFO_PTR = POINTER(CK_INFO) - -CK_NOTIFICATION = CK_ULONG - -CK_SLOT_ID = CK_ULONG - -CK_SLOT_ID_PTR = POINTER(CK_SLOT_ID) - -class CK_SLOT_INFO (Structure): - _fields_ = [("slotDescription", CK_UTF8CHAR * 64), - ("manufacturerID", CK_UTF8CHAR * 32), - ("flags", CK_FLAGS), - ("hardwareVersion", CK_VERSION), - ("firmwareVersion", CK_VERSION)] - -CK_SLOT_INFO_PTR = POINTER(CK_SLOT_INFO) - -class CK_TOKEN_INFO (Structure): - _fields_ = [("label", CK_UTF8CHAR * 32), - ("manufacturerID", CK_UTF8CHAR * 32), - ("model", CK_UTF8CHAR * 16), - ("serialNumber", CK_CHAR * 16), - ("flags", CK_FLAGS), - ("ulMaxSessionCount", CK_ULONG), - ("ulSessionCount", CK_ULONG), - ("ulMaxRwSessionCount", CK_ULONG), - ("ulRwSessionCount", CK_ULONG), - ("ulMaxPinLen", CK_ULONG), - ("ulMinPinLen", CK_ULONG), - ("ulTotalPublicMemory", CK_ULONG), - ("ulFreePublicMemory", CK_ULONG), - ("ulTotalPrivateMemory", CK_ULONG), - ("ulFreePrivateMemory", CK_ULONG), - ("hardwareVersion", CK_VERSION), - ("firmwareVersion", CK_VERSION), - ("utcTime", CK_CHAR * 16)] - -CK_TOKEN_INFO_PTR = POINTER(CK_TOKEN_INFO) - -CK_SESSION_HANDLE = CK_ULONG - -CK_SESSION_HANDLE_PTR = POINTER(CK_SESSION_HANDLE) - -CK_USER_TYPE = CK_ULONG - -CK_STATE = CK_ULONG - -class CK_SESSION_INFO (Structure): - _fields_ = [("slotID", CK_SLOT_ID), - ("state", CK_STATE), - ("flags", CK_FLAGS), - ("ulDeviceError", CK_ULONG)] - -CK_SESSION_INFO_PTR = POINTER(CK_SESSION_INFO) - -CK_OBJECT_HANDLE = CK_ULONG - -CK_OBJECT_HANDLE_PTR = POINTER(CK_OBJECT_HANDLE) - -CK_OBJECT_CLASS = CK_ULONG - -CK_OBJECT_CLASS_PTR = POINTER(CK_OBJECT_CLASS) - -CK_HW_FEATURE_TYPE = CK_ULONG - -CK_KEY_TYPE = CK_ULONG - -CK_CERTIFICATE_TYPE = CK_ULONG - -CK_ATTRIBUTE_TYPE = CK_ULONG - -class CK_ATTRIBUTE (Structure): - _fields_ = [("type", CK_ATTRIBUTE_TYPE), - ("pValue", CK_VOID_PTR), - ("ulValueLen", CK_ULONG)] - -CK_ATTRIBUTE_PTR = POINTER(CK_ATTRIBUTE) - -class CK_DATE (Structure): - _fields_ = [("year", CK_CHAR * 4), - ("month", CK_CHAR * 2), - ("day", CK_CHAR * 2)] - -CK_MECHANISM_TYPE = CK_ULONG - -CK_MECHANISM_TYPE_PTR = POINTER(CK_MECHANISM_TYPE) - -class CK_MECHANISM (Structure): - _fields_ = [("mechanism", CK_MECHANISM_TYPE), - ("pParameter", CK_VOID_PTR), - ("ulParameterLen", CK_ULONG)] - -CK_MECHANISM_PTR = POINTER(CK_MECHANISM) - -class CK_MECHANISM_INFO (Structure): - _fields_ = [("ulMinKeySize", CK_ULONG), - ("ulMaxKeySize", CK_ULONG), - ("flags", CK_FLAGS)] - -CK_MECHANISM_INFO_PTR = POINTER(CK_MECHANISM_INFO) - -CK_RV = CK_ULONG - -CK_NOTIFY = CFUNCTYPE(CK_RV, CK_SESSION_HANDLE, CK_NOTIFICATION, CK_VOID_PTR) - -CK_CREATEMUTEX = CFUNCTYPE(CK_RV, CK_VOID_PTR_PTR) -CK_DESTROYMUTEX = CFUNCTYPE(CK_RV, CK_VOID_PTR) -CK_LOCKMUTEX = CFUNCTYPE(CK_RV, CK_VOID_PTR) -CK_UNLOCKMUTEX = CFUNCTYPE(CK_RV, CK_VOID_PTR) - -class CK_C_INITIALIZE_ARGS (Structure): - _fields_ = [("CreateMutex", CK_CREATEMUTEX), - ("DestroyMutex", CK_DESTROYMUTEX), - ("LockMutex", CK_LOCKMUTEX), - ("UnlockMutex", CK_UNLOCKMUTEX), - ("flags", CK_FLAGS), - ("pReserved", CK_VOID_PTR)] - -CK_C_INITIALIZE_ARGS_PTR = POINTER(CK_C_INITIALIZE_ARGS) diff --git a/scripts/py11-test.py b/scripts/py11-test.py index 04372ec..87af29d 100644 --- a/scripts/py11-test.py +++ b/scripts/py11-test.py @@ -1,7 +1,7 @@ # Initial test script using py11. About 2/3 testing PKCS #11, 1/3 # doodles figuring out what else py11 should be automating for us. -from py11 import * +from cryptech.py11 import * from struct import pack, unpack def show_token(i, t, strip = True): @@ -77,7 +77,7 @@ elif False: else: print "Using our own pseudo-MUTEXes" - from py11.mutex import MutexDB + from cryptech.py11.mutex import MutexDB mdb = MutexDB() p11.C_Initialize(0, mdb.create, mdb.destroy, mdb.lock, mdb.unlock) diff --git a/scripts/time-signature.py b/scripts/time-signature.py index eef646d..99ec718 100755 --- a/scripts/time-signature.py +++ b/scripts/time-signature.py @@ -15,12 +15,12 @@ from Crypto.Hash.SHA384 import SHA384Hash as SHA384 from Crypto.Hash.SHA512 import SHA512Hash as SHA512 try: - from py11 import * + from cryptech.py11 import * except ImportError: - # Kludge to let us run script from repo without installing py11 + # Kludge to let us run script from repo without installing cryptech.py11 from os.path import dirname, abspath sys.path.append(dirname(dirname(abspath(sys.argv[0])))) - from py11 import * + from cryptech.py11 import * if platform.system() == "Darwin": diff --git a/unit_tests.py b/unit_tests.py index 2fc9d3f..1a7470d 100644 --- a/unit_tests.py +++ b/unit_tests.py @@ -1,7 +1,7 @@ #!/usr/bin/env python """ -PKCS #11 unit tests, using Py11 and the Python unit_test framework. +PKCS #11 unit tests, using cryptech.py11 and the Python unit_test framework. """ import unittest @@ -9,8 +9,8 @@ import datetime import platform import sys -from py11 import * -from py11.mutex import MutexDB +from cryptech.py11 import * +from cryptech.py11.mutex import MutexDB try: from Crypto.Util.number import inverse -- cgit v1.2.3