325 lines
12 KiB
Diff
325 lines
12 KiB
Diff
From ad66cbc52bf83ba58c43ef13169f577f7f8b172d Mon Sep 17 00:00:00 2001
|
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Date: Thu, 7 Apr 2022 16:22:43 +0200
|
|
Subject: [PATCH 01/11] Add IBM specific mechanism and attributes
|
|
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
---
|
|
common/attrs.c | 17 +++++++++
|
|
common/constants.c | 38 +++++++++++++++++++
|
|
common/pkcs11x.h | 51 +++++++++++++++++++++++++
|
|
p11-kit/rpc-message.c | 86 ++++++++++++++++++++++++++++++++++++++++++-
|
|
p11-kit/rpc-message.h | 12 ++++++
|
|
5 files changed, 203 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/common/attrs.c b/common/attrs.c
|
|
index ad233f4..9ce7c66 100644
|
|
--- a/common/attrs.c
|
|
+++ b/common/attrs.c
|
|
@@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBUTE *attr,
|
|
X (CKA_TRUST_STEP_UP_APPROVED)
|
|
X (CKA_CERT_SHA1_HASH)
|
|
X (CKA_CERT_MD5_HASH)
|
|
+ X (CKA_IBM_OPAQUE)
|
|
+ X (CKA_IBM_RESTRICTABLE)
|
|
+ X (CKA_IBM_NEVER_MODIFIABLE)
|
|
+ X (CKA_IBM_RETAINKEY)
|
|
+ X (CKA_IBM_ATTRBOUND)
|
|
+ X (CKA_IBM_KEYTYPE)
|
|
+ X (CKA_IBM_CV)
|
|
+ X (CKA_IBM_MACKEY)
|
|
+ X (CKA_IBM_USE_AS_DATA)
|
|
+ X (CKA_IBM_STRUCT_PARAMS)
|
|
+ X (CKA_IBM_STD_COMPLIANCE1)
|
|
+ X (CKA_IBM_PROTKEY_EXTRACTABLE)
|
|
+ X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE)
|
|
+ X (CKA_IBM_OPAQUE_PKEY)
|
|
+ X (CKA_IBM_DILITHIUM_KEYFORM)
|
|
+ X (CKA_IBM_DILITHIUM_RHO)
|
|
+ X (CKA_IBM_DILITHIUM_T1)
|
|
case CKA_VALUE:
|
|
return (klass != CKO_CERTIFICATE &&
|
|
klass != CKO_X_CERTIFICATE_EXTENSION);
|
|
diff --git a/common/constants.c b/common/constants.c
|
|
index 2b785b8..672ed29 100644
|
|
--- a/common/constants.c
|
|
+++ b/common/constants.c
|
|
@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[] = {
|
|
CT (CKA_WRAP_TEMPLATE, "wrap-template")
|
|
CT (CKA_UNWRAP_TEMPLATE, "unwrap-template")
|
|
CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms")
|
|
+ CT (CKA_IBM_OPAQUE, "ibm-opaque")
|
|
+ CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable")
|
|
+ CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable")
|
|
+ CT (CKA_IBM_RETAINKEY, "ibm-retainkey")
|
|
+ CT (CKA_IBM_ATTRBOUND, "ibm-attrbound")
|
|
+ CT (CKA_IBM_KEYTYPE, "ibm-keytype")
|
|
+ CT (CKA_IBM_CV, "ibm-cv")
|
|
+ CT (CKA_IBM_MACKEY, "ibm-mackey")
|
|
+ CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data")
|
|
+ CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params")
|
|
+ CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1")
|
|
+ CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable")
|
|
+ CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable")
|
|
+ CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform")
|
|
+ CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho")
|
|
+ CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed")
|
|
+ CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr")
|
|
+ CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1")
|
|
+ CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2")
|
|
+ CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0")
|
|
+ CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1")
|
|
+ CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey")
|
|
CT (CKA_NSS_URL, "nss-url")
|
|
CT (CKA_NSS_EMAIL, "nss-email")
|
|
CT (CKA_NSS_SMIME_INFO, "nss-smime-constant")
|
|
@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] = {
|
|
CT (CKK_AES, "aes")
|
|
CT (CKK_BLOWFISH, "blowfish")
|
|
CT (CKK_TWOFISH, "twofish")
|
|
+ CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium")
|
|
CT (CKK_NSS_PKCS8, "nss-pkcs8")
|
|
{ CKA_INVALID },
|
|
};
|
|
@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanisms[] = {
|
|
CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen")
|
|
CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen")
|
|
CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen")
|
|
+ CT (CKM_IBM_SHA3_224, "ibm-sha3-224")
|
|
+ CT (CKM_IBM_SHA3_256, "ibm-sha3-256")
|
|
+ CT (CKM_IBM_SHA3_384, "ibm-sha3-384")
|
|
+ CT (CKM_IBM_SHA3_512, "ibm-sha3-512")
|
|
+ CT (CKM_IBM_CMAC, "ibm-cmac")
|
|
+ CT (CKM_IBM_EC_X25519, "ibm-ec-x25519")
|
|
+ CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512")
|
|
+ CT (CKM_IBM_EC_X448, "ibm-ec-x448")
|
|
+ CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3")
|
|
+ CT (CKM_IBM_DILITHIUM, "ibm-dilithium")
|
|
+ CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac")
|
|
+ CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac")
|
|
+ CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac")
|
|
+ CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac")
|
|
+ CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap")
|
|
{ CKA_INVALID },
|
|
};
|
|
|
|
diff --git a/common/pkcs11x.h b/common/pkcs11x.h
|
|
index 3b12db6..4183b3d 100644
|
|
--- a/common/pkcs11x.h
|
|
+++ b/common/pkcs11x.h
|
|
@@ -181,6 +181,57 @@ typedef CK_ULONG CK_TRUST;
|
|
|
|
#endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */
|
|
|
|
+/* Define this if you want the IBM specific symbols */
|
|
+#define CRYPTOKI_IBM_VENDOR_DEFINED 1
|
|
+#ifdef CRYPTOKI_IBM_VENDOR_DEFINED
|
|
+
|
|
+#define CKK_IBM_PQC_DILITHIUM CKK_VENDOR_DEFINED + 0x10023
|
|
+
|
|
+#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1)
|
|
+#define CKA_IBM_RESTRICTABLE (CKA_VENDOR_DEFINED + 0x10001)
|
|
+#define CKA_IBM_NEVER_MODIFIABLE (CKA_VENDOR_DEFINED + 0x10002)
|
|
+#define CKA_IBM_RETAINKEY (CKA_VENDOR_DEFINED + 0x10003)
|
|
+#define CKA_IBM_ATTRBOUND (CKA_VENDOR_DEFINED + 0x10004)
|
|
+#define CKA_IBM_KEYTYPE (CKA_VENDOR_DEFINED + 0x10005)
|
|
+#define CKA_IBM_CV (CKA_VENDOR_DEFINED + 0x10006)
|
|
+#define CKA_IBM_MACKEY (CKA_VENDOR_DEFINED + 0x10007)
|
|
+#define CKA_IBM_USE_AS_DATA (CKA_VENDOR_DEFINED + 0x10008)
|
|
+#define CKA_IBM_STRUCT_PARAMS (CKA_VENDOR_DEFINED + 0x10009)
|
|
+#define CKA_IBM_STD_COMPLIANCE1 (CKA_VENDOR_DEFINED + 0x1000a)
|
|
+#define CKA_IBM_PROTKEY_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000c)
|
|
+#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000d)
|
|
+#define CKA_IBM_DILITHIUM_KEYFORM (CKA_VENDOR_DEFINED + 0xd0001)
|
|
+#define CKA_IBM_DILITHIUM_RHO (CKA_VENDOR_DEFINED + 0xd0002)
|
|
+#define CKA_IBM_DILITHIUM_SEED (CKA_VENDOR_DEFINED + 0xd0003)
|
|
+#define CKA_IBM_DILITHIUM_TR (CKA_VENDOR_DEFINED + 0xd0004)
|
|
+#define CKA_IBM_DILITHIUM_S1 (CKA_VENDOR_DEFINED + 0xd0005)
|
|
+#define CKA_IBM_DILITHIUM_S2 (CKA_VENDOR_DEFINED + 0xd0006)
|
|
+#define CKA_IBM_DILITHIUM_T0 (CKA_VENDOR_DEFINED + 0xd0007)
|
|
+#define CKA_IBM_DILITHIUM_T1 (CKA_VENDOR_DEFINED + 0xd0008)
|
|
+#define CKA_IBM_OPAQUE_PKEY (CKA_VENDOR_DEFINED + 0xd0100)
|
|
+
|
|
+#define CKM_IBM_SHA3_224 (CKM_VENDOR_DEFINED + 0x10001)
|
|
+#define CKM_IBM_SHA3_256 (CKM_VENDOR_DEFINED + 0x10002)
|
|
+#define CKM_IBM_SHA3_384 (CKM_VENDOR_DEFINED + 0x10003)
|
|
+#define CKM_IBM_SHA3_512 (CKM_VENDOR_DEFINED + 0x10004)
|
|
+#define CKM_IBM_CMAC (CKM_VENDOR_DEFINED + 0x10007)
|
|
+#define CKM_IBM_EC_X25519 (CKM_VENDOR_DEFINED + 0x1001b)
|
|
+#define CKM_IBM_ED25519_SHA512 (CKM_VENDOR_DEFINED + 0x1001c)
|
|
+#define CKM_IBM_EC_X448 (CKM_VENDOR_DEFINED + 0x1001e)
|
|
+#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED + 0x1001f)
|
|
+#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED + 0x10023)
|
|
+#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED + 0x10025)
|
|
+#define CKM_IBM_SHA3_256_HMAC (CKM_VENDOR_DEFINED + 0x10026)
|
|
+#define CKM_IBM_SHA3_384_HMAC (CKM_VENDOR_DEFINED + 0x10027)
|
|
+#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028)
|
|
+#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004)
|
|
+
|
|
+typedef struct CK_IBM_ATTRIBUTEBOUND_WRAP {
|
|
+ CK_OBJECT_HANDLE hSignVerifyKey;
|
|
+} CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS;
|
|
+
|
|
+#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */
|
|
+
|
|
#if defined(__cplusplus)
|
|
}
|
|
#endif
|
|
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
|
|
index 8dfa30b..0923224 100644
|
|
--- a/p11-kit/rpc-message.c
|
|
+++ b/p11-kit/rpc-message.c
|
|
@@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
|
|
case CKA_RESET_ON_INIT:
|
|
case CKA_HAS_RESET:
|
|
case CKA_COLOR:
|
|
+ case CKA_IBM_RESTRICTABLE:
|
|
+ case CKA_IBM_NEVER_MODIFIABLE:
|
|
+ case CKA_IBM_RETAINKEY:
|
|
+ case CKA_IBM_ATTRBOUND:
|
|
+ case CKA_IBM_USE_AS_DATA:
|
|
+ case CKA_IBM_PROTKEY_EXTRACTABLE:
|
|
+ case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE:
|
|
return P11_RPC_VALUE_BYTE;
|
|
case CKA_CLASS:
|
|
case CKA_CERTIFICATE_TYPE:
|
|
@@ -821,6 +828,9 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
|
|
case CKA_CHAR_COLUMNS:
|
|
case CKA_BITS_PER_PIXEL:
|
|
case CKA_MECHANISM_TYPE:
|
|
+ case CKA_IBM_DILITHIUM_KEYFORM:
|
|
+ case CKA_IBM_STD_COMPLIANCE1:
|
|
+ case CKA_IBM_KEYTYPE:
|
|
return P11_RPC_VALUE_ULONG;
|
|
case CKA_WRAP_TEMPLATE:
|
|
case CKA_UNWRAP_TEMPLATE:
|
|
@@ -869,6 +879,18 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
|
|
case CKA_REQUIRED_CMS_ATTRIBUTES:
|
|
case CKA_DEFAULT_CMS_ATTRIBUTES:
|
|
case CKA_SUPPORTED_CMS_ATTRIBUTES:
|
|
+ case CKA_IBM_OPAQUE:
|
|
+ case CKA_IBM_CV:
|
|
+ case CKA_IBM_MACKEY:
|
|
+ case CKA_IBM_STRUCT_PARAMS:
|
|
+ case CKA_IBM_OPAQUE_PKEY:
|
|
+ case CKA_IBM_DILITHIUM_RHO:
|
|
+ case CKA_IBM_DILITHIUM_SEED:
|
|
+ case CKA_IBM_DILITHIUM_TR:
|
|
+ case CKA_IBM_DILITHIUM_S1:
|
|
+ case CKA_IBM_DILITHIUM_S2:
|
|
+ case CKA_IBM_DILITHIUM_T0:
|
|
+ case CKA_IBM_DILITHIUM_T1:
|
|
return P11_RPC_VALUE_BYTE_ARRAY;
|
|
}
|
|
}
|
|
@@ -1406,9 +1428,59 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value (p11_buffer *buffer,
|
|
return true;
|
|
}
|
|
|
|
+void
|
|
+p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
|
|
+ const void *value,
|
|
+ CK_ULONG value_length)
|
|
+{
|
|
+ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
|
|
+
|
|
+ /* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */
|
|
+ if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) {
|
|
+ p11_buffer_fail (buffer);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ memcpy (¶ms, value, value_length);
|
|
+
|
|
+ /* Check if params.hSignVerifyKey can be converted to uint64_t. */
|
|
+ if (params.hSignVerifyKey > UINT64_MAX) {
|
|
+ p11_buffer_fail (buffer);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey);
|
|
+}
|
|
+
|
|
+bool
|
|
+p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
|
|
+ size_t *offset,
|
|
+ void *value,
|
|
+ CK_ULONG *value_length)
|
|
+{
|
|
+ uint64_t val;
|
|
+
|
|
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
|
|
+ return false;
|
|
+
|
|
+ if (value) {
|
|
+ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
|
|
+
|
|
+ params.hSignVerifyKey = val;
|
|
+
|
|
+ memcpy (value, ¶ms, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS));
|
|
+ }
|
|
+
|
|
+ if (value_length)
|
|
+ *value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS);
|
|
+
|
|
+ return true;
|
|
+}
|
|
+
|
|
static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
|
|
{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
|
|
- { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }
|
|
+ { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value },
|
|
+ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }
|
|
};
|
|
|
|
static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
|
|
@@ -1533,6 +1605,18 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech)
|
|
case CKM_RIPEMD160:
|
|
case CKM_RIPEMD160_HMAC:
|
|
case CKM_KEY_WRAP_LYNKS:
|
|
+ case CKM_IBM_SHA3_224:
|
|
+ case CKM_IBM_SHA3_256:
|
|
+ case CKM_IBM_SHA3_384:
|
|
+ case CKM_IBM_SHA3_512:
|
|
+ case CKM_IBM_CMAC:
|
|
+ case CKM_IBM_DILITHIUM:
|
|
+ case CKM_IBM_SHA3_224_HMAC:
|
|
+ case CKM_IBM_SHA3_256_HMAC:
|
|
+ case CKM_IBM_SHA3_384_HMAC:
|
|
+ case CKM_IBM_SHA3_512_HMAC:
|
|
+ case CKM_IBM_ED25519_SHA512:
|
|
+ case CKM_IBM_ED448_SHA3:
|
|
return true;
|
|
default:
|
|
return false;
|
|
diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
|
|
index 62e7b18..eec2927 100644
|
|
--- a/p11-kit/rpc-message.h
|
|
+++ b/p11-kit/rpc-message.h
|
|
@@ -42,6 +42,7 @@
|
|
|
|
#include "buffer.h"
|
|
#include "pkcs11.h"
|
|
+#include "pkcs11x.h"
|
|
|
|
/* The calls, must be in sync with array below */
|
|
enum {
|
|
@@ -479,4 +480,15 @@ bool p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value
|
|
void *value,
|
|
CK_ULONG *value_length);
|
|
|
|
+void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value
|
|
+ (p11_buffer *buffer,
|
|
+ const void *value,
|
|
+ CK_ULONG value_length);
|
|
+
|
|
+bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value
|
|
+ (p11_buffer *buffer,
|
|
+ size_t *offset,
|
|
+ void *value,
|
|
+ CK_ULONG *value_length);
|
|
+
|
|
#endif /* _RPC_MESSAGE_H */
|
|
--
|
|
2.38.1
|
|
|