From f28dc082ad7a7a431d1b66a0de87b5e484fe08b9 Mon Sep 17 00:00:00 2001
From: Ingo Tuchscherer
Date: Tue, 21 Oct 2014 10:00:52 -0500
Subject: [PATCH 1/2] pkcsep11_migrate: Fixed parameter handling for pkcsep11_migrate tool
- Hexadecimal values allowed for input parameters
- Non digit input parameters will be rejected
- Extended Error messages with ock error strings
- improved man-page
Signed-off-by: Ingo Tuchscherer
---
man/man1/pkcsep11_migrate.1.in | 8 +++++--
usr/sbin/pkcsep11_migrate/Makefile.am | 4 ++--
usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c | 36 +++++++++++++++++++---------
3 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/man/man1/pkcsep11_migrate.1.in b/man/man1/pkcsep11_migrate.1.in
index 0dffb1b..d1b21b0 100644
--- a/man/man1/pkcsep11_migrate.1.in
+++ b/man/man1/pkcsep11_migrate.1.in
@@ -25,8 +25,8 @@ Trusted Key Entry console (TKE) before using this utility.
 .br
 3. Before using this tool make a back-up of the token objects in ep11tok/TOK_OBJ/.
 .br
-4. After successfully appling the utility and before (re)starting programs
-using the EP11 token the new master key must be activated using the TKE.
+4. After successfully execution of the migrate utility and before (re)starting
+ programs using the EP11 token the new master key must be activated using the TKE.
 .SH "COMMAND SUMMARY"
 .IP "\fB-slot\fP \fIslot-number\fP" 10
@@ -35,8 +35,12 @@ specifies the token slot of the EP11 token
 specifies an EP11 adapter ID. (Refer to lszcrypt to get a list of installed crypto adapters. The adapter ID will be the number xx in 'card\fBxx\fP' from the output.)
+This value can be provided either in hexadecimal (e.g. 0x0A) or decimal (10)
+notation.
 .IP "\fB-domain\fP \fIdomain-ID\fP" 10
 specifies the usage domain for the EP11 adapter. (see /sys/bus/ap/ap_domain.)
+This value can be provided either in hexadecimal (e.g. 0x0B) or decimal (11)
+notation.
 .IP "\fB-h\fP" 10
 show usage information
diff --git a/usr/sbin/pkcsep11_migrate/Makefile.am b/usr/sbin/pkcsep11_migrate/Makefile.am
index 49deb74..b43756c 100644
--- a/usr/sbin/pkcsep11_migrate/Makefile.am
+++ b/usr/sbin/pkcsep11_migrate/Makefile.am
@@ -1,9 +1,9 @@
 sbin_PROGRAMS=pkcsep11_migrate
-pkcsep11_migrate_SOURCES = pkcsep11_migrate.c
+pkcsep11_migrate_SOURCES = ../../lib/pkcs11/common/p11util.c pkcsep11_migrate.c
 pkcsep11_migrate_CFLAGS = -I ../../include/pkcs11/ -I../../lib/pkcs11/ep11_stdll/ -DLINUX -DPROGRAM_NAME=\"$(@)\"
 pkcsep11_migrate_LDFLAGS = -lc -ldl -lpthread
-INCLUDES = -I.
+INCLUDES = -I. -I../../lib/pkcs11/common
 # Not all versions of automake observe sbinname_CFLAGS
 # AM_CFLAGS = -DLINUX -DPROGRAM_NAME=\"$(@)\"
diff --git a/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c b/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c
index aa1c3f1..4325b9d 100644
--- a/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c
+++ b/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c
@@ -17,6 +17,7 @@
 #include
 #include
 #include
+#include
 #define EP11SHAREDLIB "libep11.so"
 #define PKCS11_MAX_PIN_LEN 128
@@ -180,16 +181,16 @@ check_card_status()
 if (rc != CKR_OK) {
- fprintf(stderr,"m_get_ep11_info rc %lx, valid apapter/domain %lx/%lx?.\n",
+ fprintf(stderr,"m_get_ep11_info rc 0x%lx, valid apapter/domain 0x%02lx/%ld?.\n",
 rc,adapter,domain);
 return -1;
 }
 if (CK_IBM_DOM_COMMITTED_NWK & dinf.flags) {
- fprintf(stderr,"Card ID %ld, domain ID %ld has committed pending(next) WK\n",
+ fprintf(stderr,"Card ID 0x%02lx, domain ID %ld has committed pending(next) WK\n",
 adapter, domain);
 } else {
- fprintf(stderr,"Card ID %ld, domain ID %ld has no committed pending WK\n",
+ fprintf(stderr,"Card ID 0x%02lx, domain ID %ld has no committed pending WK\n",
 adapter, domain);
 return -1;
 }
@@ -277,15 +278,27 @@ do_ParseArgs(int argc, char **argv)
 return 0;
 }
 else if (strcmp (argv[i], "-slot") == 0) {
- SLOT_ID = atoi (argv[i+1]);
+ if (!isdigit(*argv[i+1])) {
+ printf("Slot parameter is not numeric!\n");
+ return -1;
+ }
+ SLOT_ID = (int)strtol(argv[i+1], NULL, 0);
 i++;
 }
 else if (strcmp (argv[i], "-adapter") == 0) {
- adapter = atoi (argv[i+1]);
+ if (!isdigit(*argv[i+1])) {
+ printf("Adapter parameter is not numeric!\n");
+ return -1;
+ }
+ adapter = (int)strtol(argv[i+1], NULL, 0);
 i++;
 }
 else if (strcmp (argv[i], "-domain") == 0) {
- domain = atoi (argv[i+1]);
+ if (!isdigit(*argv[i+1])) {
+ printf("Domain parameter is not numeric!\n");
+ return -1;
+ }
+ domain = (int)strtol(argv[i+1], NULL, 0);
 i++;
 }
 else {
@@ -374,7 +387,7 @@ int main (int argc, char **argv){
 rc = funcs->C_OpenSession(SLOT_ID, flags, NULL, NULL, &session );
 if (rc != CKR_OK) {
- fprintf(stderr,"C_OpenSession() rc = %x\n",rc);
+ fprintf(stderr,"C_OpenSession() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));
 session = CK_INVALID_HANDLE;
 return rc;
 }
@@ -384,7 +397,7 @@ int main (int argc, char **argv){
 fprintf(stderr,"get_user_pin() failed\n");
 rc = funcs->C_CloseAllSessions(SLOT_ID);
 if (rc != CKR_OK)
- fprintf(stderr,"C_CloseAllSessions() rc = %x\n",rc);
+ fprintf(stderr,"C_CloseAllSessions() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));
 return rc;
 }
@@ -392,7 +405,7 @@ int main (int argc, char **argv){
 rc = funcs->C_Login(session, CKU_USER, user_pin, user_pin_len);
 if (rc != CKR_OK) {
- fprintf(stderr,"C_Login() rc = %x\n",rc);
+ fprintf(stderr,"C_Login() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));
 return rc;
 }
@@ -410,7 +423,7 @@ int main (int argc, char **argv){
 if (rc != CKR_OK) {
- fprintf(stderr,"C_FindObjects() rc = %x\n",rc);
+ fprintf(stderr,"C_FindObjects() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));
 return rc;
 }
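Review bot: The `isdigit(*argv[i+1])` guard added to the `-slot`, `-adapter` and `-domain` branches checks only the first character, so `1x` passes, `strtol(..., NULL, 0)` cannot report trailing characters or overflow, and the `(int)` cast silently truncates whatever comes back. Base 0 also reads a leading `0` as octal (`010` becomes 8), which the man page's hexadecimal-or-decimal wording does not cover; for a tool that acts on one specific EP11 adapter and domain, a value that parses to something other than what the operator typed is better refused. If the option is the last argument, `argv[i+1]` is the terminating NULL and is dereferenced, unless the loop bound outside this hunk already prevents that; `isdigit` should also be given an `unsigned char`, and the messages belong on stderr like the rest of the file. One helper shared by the three branches, sketched below, covers these; it needs `<errno.h>` in scope, and do_ParseArgs begins and ends outside the hunk.

```c
/* Parse a decimal or 0x-prefixed hexadecimal option value into *out.
 * Returns 0 on success, -1 (after printing to stderr) on bad input. */
static int
parse_num_arg(const char *name, const char *s, int *out)
{
	char *end;
	long v;
	int base;

	if (s == NULL || !isdigit((unsigned char)*s)) {
		fprintf(stderr, "%s parameter is not numeric!\n", name);
		return -1;
	}
	/* pick the base explicitly so a leading 0 is not read as octal */
	base = (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) ? 16 : 10;
	errno = 0;
	v = strtol(s, &end, base);
	if (errno != 0 || *end != '\0' || v != (long)(int)v) {
		fprintf(stderr, "%s parameter is not a valid number!\n", name);
		return -1;
	}
	*out = (int)v;
	return 0;
}

		else if (strcmp (argv[i], "-slot") == 0) {
			int val;

			if (parse_num_arg("Slot", argv[i+1], &val) != 0)
				return -1;
			SLOT_ID = val;
			i++;
		}
		/* … -adapter and -domain branches: same shape, assigning adapter / domain … */
```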
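Review bot: The reworked messages in main still print `rc` with `%02x`, while check_card_status in this same patch prints its `rc` with `%lx`; if `rc` here is a `CK_RV` (its declaration is outside the hunk), the conversion does not match the argument and should read `fprintf(stderr,"C_OpenSession() rc = 0x%02lx [%s]\n", rc, p11_get_ckr(rc));`. The same applies to the C_CloseAllSessions, C_Login, C_FindObjects and second C_GetAttributeValue messages in the following hunks. It is also worth confirming that a prototype for `p11_get_ckr` is visible in this file, since the single added `#include` has lost its header name on this page and an implicitly declared function would hand `%s` a truncated pointer on 64-bit builds. main continues outside these hunks.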
@@ -443,7 +456,8 @@ int main (int argc, char **argv){
 if (rc != CKR_OK) {
- fprintf(stderr,"second C_GetAttributeValue failed %x\n",rc);
+ fprintf(stderr,"second C_GetAttributeValue failed rc = 0x%02x [%s]\n",
+ rc, p11_get_ckr(rc));
 return rc;
 }
 else
--
2.1.0