This repository was archived by the owner on Oct 15, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathslot_manager_impl.h
More file actions
194 lines (163 loc) · 7.68 KB
/
slot_manager_impl.h
File metadata and controls
194 lines (163 loc) · 7.68 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef P11NET_SLOT_MANAGER_IMPL_H_
#define P11NET_SLOT_MANAGER_IMPL_H_
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>
#include <boost/thread/mutex.hpp>
#include <base/macros.h>
#include "handle_generator.h"
#include "slot_manager.h"
#include "token_manager_interface.h"
#include "p11net_factory.h"
#include "object_pool.h"
namespace p11net {
class SessionFactory;
class NetUtility;
// Maintains a list of PKCS #11 slots and modifies the list according to login
// events received. Sample usage:
// SlotManagerImpl slot_manager(&my_factory, &my_tpm);
// if (!slot_manager.Init()) {
// ...
// }
// // Ready for use by SlotManager and LoginEventListener clients.
class SlotManagerImpl : public SlotManager,
public TokenManagerInterface,
public HandleGenerator,
public std::enable_shared_from_this<SlotManagerImpl> {
public:
SlotManagerImpl(std::shared_ptr<P11NetFactory> factory,
bool auto_load_system_token);
virtual ~SlotManagerImpl();
// Initializes the slot manager. Returns true on success.
virtual bool Init();
// SlotManager methods.
virtual int GetSlotCount();
virtual bool IsTokenAccessible(const brillo::SecureBlob& isolate_credential,
int slot_id) const;
virtual bool IsTokenPresent(const brillo::SecureBlob& isolate_credential,
int slot_id) const;
virtual void GetSlotInfo(const brillo::SecureBlob& isolate_credential,
int slot_id,
CK_SLOT_INFO* slot_info) const;
virtual void GetTokenInfo(const brillo::SecureBlob& isolate_credential,
int slot_id,
CK_TOKEN_INFO* token_info) const;
virtual const MechanismMap* GetMechanismInfo(
const brillo::SecureBlob& isolate_credential,
int slot_id) const;
virtual int OpenSession(const brillo::SecureBlob& isolate_credential,
int slot_id,
bool is_read_only);
virtual bool CloseSession(const brillo::SecureBlob& isolate_credential,
int session_id);
virtual void CloseAllSessions(const brillo::SecureBlob& isolate_credential,
int slot_id);
virtual bool GetSession(const brillo::SecureBlob& isolate_credential,
int session_id, Session** session) const;
// TokenManagerInterface methods.
virtual bool OpenIsolate(brillo::SecureBlob* isolate_credential,
bool* new_isolate_created);
virtual void CloseIsolate(const brillo::SecureBlob& isolate_credential);
virtual bool LoadToken(const brillo::SecureBlob& isolate_credential,
const boost::filesystem::path& path,
const brillo::SecureBlob& auth_data,
const std::string& label,
int* slot_id);
virtual void UnloadToken(const brillo::SecureBlob& isolate_credential,
const boost::filesystem::path& path);
virtual void ChangeTokenAuthData(const boost::filesystem::path& path,
const brillo::SecureBlob& old_auth_data,
const brillo::SecureBlob& new_auth_data);
virtual bool GetTokenPath(const brillo::SecureBlob& isolate_credential,
int slot_id,
boost::filesystem::path* path);
// HandleGenerator methods.
virtual int CreateHandle();
private:
// Holds all information associated with a particular isolate.
struct Isolate {
brillo::SecureBlob credential;
int open_count;
// The set of slots accessible through this isolate.
std::set<int> slot_ids;
};
// Holds all information associated with a particular slot.
struct Slot {
CK_SLOT_INFO slot_info;
CK_TOKEN_INFO token_info;
std::shared_ptr<ObjectPool> token_object_pool;
std::shared_ptr<NetUtility> net_utility;
// Key: A session identifier.
// Value: The associated session object.
std::map<int, std::shared_ptr<Session>> sessions;
};
// Internal token presence check without isolate_credential check.
bool IsTokenPresent(int slot_id) const;
// Provides default PKCS #11 slot and token information. This method fills
// the given information structures with constant default values formatted to
// be PKCS #11 compliant.
void GetDefaultInfo(CK_SLOT_INFO* slot_info, CK_TOKEN_INFO* token_info);
// Initializes a key hierarchy for a particular token. This will clobber any
// existing key hierarchy for the token. Returns true on success.
// slot_id - The slot of the token to be initialized.
// object_pool - This must be the token's persistent object pool; it will be
// used to store internal blobs related to the key hierarchy.
// auth_data - Authorization data to be used for the key hierarchy. This same
// data will be required to use the key hierarchy in the future.
// master_key - On success will be assigned the new master key for the token.
bool InitializeKeyHierarchy(int slot_id,
ObjectPool* object_pool,
const std::string& auth_data,
std::string* master_key);
// Searches for slot that does not currently contain a token. If no such slot
// exists a new slot is created. The slot identifier of the empty slot is
// returned.
int FindEmptySlot();
// Creates new slots.
// num_slots - The number of slots to be created.
void AddSlots(int num_slots);
// Creates a new isolate with the given isolate credential.
void AddIsolate(const brillo::SecureBlob& isolate_credential);
// Destroy isolate and unload any tokens in that isolate.
void DestroyIsolate(const Isolate& isolate);
// Get the path of the token loaded in the given slot.
bool PathFromSlotId(int slot_id, boost::filesystem::path* path) const;
// Performs initialization tasks that depend on the TPM SRK. If the TPM is
// not owned this cannot succeed. These tasks include seeding the software
// prng and loading the system token.
bool InitStage2();
// LoadToken for internal callers.
bool LoadTokenInternal(const brillo::SecureBlob& isolate_credential,
const boost::filesystem::path& path,
const brillo::SecureBlob& auth_data,
const std::string& label,
int* slot_id);
// Loads the master key for a software-only token.
bool LoadSoftwareToken(const brillo::SecureBlob& auth_data,
ObjectPool* object_pool);
// Initializes a new software-only token.
bool InitializeSoftwareToken(const brillo::SecureBlob& auth_data,
ObjectPool* object_pool);
std::shared_ptr<P11NetFactory> factory_;
int last_handle_;
MechanismMap mechanism_info_;
// Key: A path to a token's storage directory.
// Value: The identifier of the associated slot.
std::map<boost::filesystem::path, int> path_slot_map_;
std::vector<Slot> slot_list_;
// Key: A session identifier.
// Value: The identifier of the associated slot.
std::map<int, int> session_slot_map_;
std::map<brillo::SecureBlob, Isolate> isolate_map_;
boost::mutex handle_generator_lock_;
bool auto_load_system_token_;
bool is_initialized_;
DISALLOW_COPY_AND_ASSIGN(SlotManagerImpl);
};
} // namespace p11net
#endif // P11NET_SLOT_MANAGER_IMPL_H_