Dump PKCS11 Slot Info

Recently, I needed a tool to show detailed PKCS11 slot information. Cryptoadm is a good utility for displaying cryptographic provider information for a system, but it does not show the "ulMaxSessionCount" field, which was important to me at the time: I wanted to know the maximum number of sessions that a single application can have open with the token at one time. Google did not help this time, so I had to write a simple tool myself.

I'm pasting the code here; maybe one day it will save me a lot of time when I need such detailed slot info again.

Compile the code with:

$gcc cryinfo.c -o slotinfo -lpkcs11

Copy (or download), save, and compile the source code below:

#include <stdio.h>
#include <stdlib.h>
#include <security/cryptoki.h>
#include <security/pkcs11.h>

/* Forward declaration; dump_info() is defined after main() in this file. */
extern void dump_info();

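/*
 * Entry point: initialise the PKCS#11 library, dump the information of
 * every slot and token, then finalise the library.
 *
 * Returns 0 on success, -1 when C_Initialize() or C_Finalize() fails.
 */
int main(int argc, char **argv) {
    CK_RV rv;

    /* No command-line options are supported. */
    (void)argc;
    (void)argv;

    // initialize the crypto library
    rv = C_Initialize(NULL_PTR);
    if (rv != CKR_OK) {
        /* CK_RV is an unsigned long, so it needs the 'l' length modifier. */
        fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", (unsigned long)rv);
        return -1;
    }

    dump_info();

    rv = C_Finalize(NULL_PTR);
    if (rv != CKR_OK) {
        fprintf(stderr, "C_Finalize: Error = 0x%.8lX\n", (unsigned long)rv);
        return -1;
    }

    return 0;
}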

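/*
 * Print one fixed-width PKCS#11 text field.
 *
 * The character arrays in CK_SLOT_INFO and CK_TOKEN_INFO are padded with
 * blanks and are NOT NUL-terminated, so a plain "%s" would read past the
 * end of the field. The precision bounds the read to the field size.
 */
static void print_padded_field(const char *label, const unsigned char *field,
                               size_t len) {
    fprintf(stdout, "%s: %.*s\n", label, (int)len, (const char *)field);
}

/*
 * Write the slot and token information of every slot reported by the
 * PKCS#11 provider to stdout; errors are reported on stderr.
 *
 * C_Initialize() must have succeeded before this is called.
 */
void dump_info() {
    CK_RV rv;
    CK_SLOT_INFO slotInfo;
    CK_TOKEN_INFO tokenInfo;
    CK_ULONG ulSlotCount = 0;
    CK_SLOT_ID_PTR pSlotList = NULL_PTR;
    CK_ULONG i;

    /* A NULL list asks only for the number of slots. */
    rv = C_GetSlotList(0, NULL_PTR, &ulSlotCount);
    if (rv != CKR_OK) {
        fprintf(stderr, "C_GetSlotList: Error = 0x%.8lX\n", (unsigned long)rv);
        return;
    }

    fprintf(stdout, "slotCount = %lu\n", (unsigned long)ulSlotCount);
    if (ulSlotCount == 0) {
        /* Nothing to list; a zero-size allocation may legitimately be NULL. */
        return;
    }

    /* calloc checks the count * size multiplication for overflow. */
    pSlotList = calloc(ulSlotCount, sizeof(CK_SLOT_ID));
    if (pSlotList == NULL) {
        fprintf(stderr, "System error: unable to allocate memory\n");
        return;
    }

    rv = C_GetSlotList(0, pSlotList, &ulSlotCount);
    if (rv != CKR_OK) {
        fprintf(stderr, "C_GetSlotList: Error = 0x%.8lX\n", (unsigned long)rv);
        free(pSlotList);
        return;
    }

    for (i = 0; i < ulSlotCount; i++) {
        fprintf(stdout, "slot found: %lu ----\n", (unsigned long)pSlotList[i]);
        rv = C_GetSlotInfo(pSlotList[i], &slotInfo);
        if (rv != CKR_OK) {
            fprintf(stderr, "C_GetSlotInfo: Error = 0x%.8lX\n",
                    (unsigned long)rv);
            free(pSlotList);
            return;
        }

        print_padded_field("slot description", slotInfo.slotDescription,
                           sizeof(slotInfo.slotDescription));
        print_padded_field("slot manufacturer", slotInfo.manufacturerID,
                           sizeof(slotInfo.manufacturerID));
        fprintf(stdout, "slot flags: 0x%.8lX\n", (unsigned long)slotInfo.flags);
        fprintf(stdout, "slot hardwareVersion: %d.%d\n",
                slotInfo.hardwareVersion.major, slotInfo.hardwareVersion.minor);
        fprintf(stdout, "slot firmwareVersion: %d.%d\n",
                slotInfo.firmwareVersion.major, slotInfo.firmwareVersion.minor);

        rv = C_GetTokenInfo(pSlotList[i], &tokenInfo);
        if (rv != CKR_OK) {
            /*
             * The list was requested for all slots, so a slot may have no
             * token in it. Report the error and keep going so the
             * remaining slots are still dumped.
             */
            fprintf(stderr, "C_GetTokenInfo: Error = 0x%.8lX\n",
                    (unsigned long)rv);
            fprintf(stdout, "\n");
            continue;
        }

        print_padded_field("Token label", tokenInfo.label,
                           sizeof(tokenInfo.label));
        print_padded_field("Token manufacturer", tokenInfo.manufacturerID,
                           sizeof(tokenInfo.manufacturerID));
        print_padded_field("Token model", tokenInfo.model,
                           sizeof(tokenInfo.model));
        print_padded_field("Token serial", tokenInfo.serialNumber,
                           sizeof(tokenInfo.serialNumber));
        fprintf(stdout, "Token flags: 0x%.8lX\n",
                (unsigned long)tokenInfo.flags);

        /*
         * The counters are CK_ULONG. A token may report
         * CK_UNAVAILABLE_INFORMATION (all bits set) for them, and
         * CK_EFFECTIVELY_INFINITE (0) for the two "Max...SessionCount"
         * fields, so read the numbers below with that in mind.
         */
        fprintf(stdout, "Token ulMaxSessionCount: %lu\n",
                (unsigned long)tokenInfo.ulMaxSessionCount);
        fprintf(stdout, "Token ulSessionCount: %lu\n",
                (unsigned long)tokenInfo.ulSessionCount);
        fprintf(stdout, "Token ulMaxRwSessionCount: %lu\n",
                (unsigned long)tokenInfo.ulMaxRwSessionCount);
        fprintf(stdout, "Token ulRwSessionCount: %lu\n",
                (unsigned long)tokenInfo.ulRwSessionCount);
        fprintf(stdout, "Token ulMaxPinLen: %lu\n",
                (unsigned long)tokenInfo.ulMaxPinLen);
        fprintf(stdout, "Token ulMinPinLen: %lu\n",
                (unsigned long)tokenInfo.ulMinPinLen);
        fprintf(stdout, "Token ulTotalPublicMemory: %lu\n",
                (unsigned long)tokenInfo.ulTotalPublicMemory);
        fprintf(stdout, "Token ulFreePublicMemory: %lu\n",
                (unsigned long)tokenInfo.ulFreePublicMemory);
        fprintf(stdout, "Token ulTotalPrivateMemory: %lu\n",
                (unsigned long)tokenInfo.ulTotalPrivateMemory);
        fprintf(stdout, "Token ulFreePrivateMemory: %lu\n",
                (unsigned long)tokenInfo.ulFreePrivateMemory);

        /* These two lines describe the token, not the slot. */
        fprintf(stdout, "Token hardwareVersion: %d.%d\n",
                tokenInfo.hardwareVersion.major,
                tokenInfo.hardwareVersion.minor);
        fprintf(stdout, "Token firmwareVersion: %d.%d\n",
                tokenInfo.firmwareVersion.major,
                tokenInfo.firmwareVersion.minor);

        /* utcTime is only meaningful when the token has its own clock. */
        print_padded_field("Token utcTime", tokenInfo.utcTime,
                           sizeof(tokenInfo.utcTime));
        fprintf(stdout, "\n");
    }

    free(pSlotList);
}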


Link to the original blog entry at blogs.sun.com
