File 0001-Add-IBM-specific-mechanism-and-attributes.patch of Package p11-kit.31290
From ad66cbc52bf83ba58c43ef13169f577f7f8b172d Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 7 Apr 2022 16:22:43 +0200
Subject: [PATCH 01/11] Add IBM specific mechanism and attributes
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
common/attrs.c | 17 +++++++++
common/constants.c | 38 +++++++++++++++++++
common/pkcs11x.h | 51 +++++++++++++++++++++++++
p11-kit/rpc-message.c | 86 ++++++++++++++++++++++++++++++++++++++++++-
p11-kit/rpc-message.h | 12 ++++++
5 files changed, 203 insertions(+), 1 deletion(-)
diff --git a/common/attrs.c b/common/attrs.c
index ad233f4..9ce7c66 100644
--- a/common/attrs.c
+++ b/common/attrs.c
@@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBUTE *attr,
X (CKA_TRUST_STEP_UP_APPROVED)
X (CKA_CERT_SHA1_HASH)
X (CKA_CERT_MD5_HASH)
+ X (CKA_IBM_OPAQUE)
+ X (CKA_IBM_RESTRICTABLE)
+ X (CKA_IBM_NEVER_MODIFIABLE)
+ X (CKA_IBM_RETAINKEY)
+ X (CKA_IBM_ATTRBOUND)
+ X (CKA_IBM_KEYTYPE)
+ X (CKA_IBM_CV)
+ X (CKA_IBM_MACKEY)
+ X (CKA_IBM_USE_AS_DATA)
+ X (CKA_IBM_STRUCT_PARAMS)
+ X (CKA_IBM_STD_COMPLIANCE1)
+ X (CKA_IBM_PROTKEY_EXTRACTABLE)
+ X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE)
+ X (CKA_IBM_OPAQUE_PKEY)
+ X (CKA_IBM_DILITHIUM_KEYFORM)
+ X (CKA_IBM_DILITHIUM_RHO)
+ X (CKA_IBM_DILITHIUM_T1)
case CKA_VALUE:
return (klass != CKO_CERTIFICATE &&
klass != CKO_X_CERTIFICATE_EXTENSION);
diff --git a/common/constants.c b/common/constants.c
index 2b785b8..672ed29 100644
--- a/common/constants.c
+++ b/common/constants.c
@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[] = {
CT (CKA_WRAP_TEMPLATE, "wrap-template")
CT (CKA_UNWRAP_TEMPLATE, "unwrap-template")
CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms")
+ CT (CKA_IBM_OPAQUE, "ibm-opaque")
+ CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable")
+ CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable")
+ CT (CKA_IBM_RETAINKEY, "ibm-retainkey")
+ CT (CKA_IBM_ATTRBOUND, "ibm-attrbound")
+ CT (CKA_IBM_KEYTYPE, "ibm-keytype")
+ CT (CKA_IBM_CV, "ibm-cv")
+ CT (CKA_IBM_MACKEY, "ibm-mackey")
+ CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data")
+ CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params")
+ CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1")
+ CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable")
+ CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable")
+ CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform")
+ CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho")
+ CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed")
+ CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr")
+ CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1")
+ CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2")
+ CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0")
+ CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1")
+ CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey")
CT (CKA_NSS_URL, "nss-url")
CT (CKA_NSS_EMAIL, "nss-email")
CT (CKA_NSS_SMIME_INFO, "nss-smime-constant")
@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] = {
CT (CKK_AES, "aes")
CT (CKK_BLOWFISH, "blowfish")
CT (CKK_TWOFISH, "twofish")
+ CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium")
CT (CKK_NSS_PKCS8, "nss-pkcs8")
{ CKA_INVALID },
};
@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanisms[] = {
CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen")
CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen")
CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen")
+ CT (CKM_IBM_SHA3_224, "ibm-sha3-224")
+ CT (CKM_IBM_SHA3_256, "ibm-sha3-256")
+ CT (CKM_IBM_SHA3_384, "ibm-sha3-384")
+ CT (CKM_IBM_SHA3_512, "ibm-sha3-512")
+ CT (CKM_IBM_CMAC, "ibm-cmac")
+ CT (CKM_IBM_EC_X25519, "ibm-ec-x25519")
+ CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512")
+ CT (CKM_IBM_EC_X448, "ibm-ec-x448")
+ CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3")
+ CT (CKM_IBM_DILITHIUM, "ibm-dilithium")
+ CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac")
+ CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac")
+ CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac")
+ CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac")
+ CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap")
{ CKA_INVALID },
};
diff --git a/common/pkcs11x.h b/common/pkcs11x.h
index 3b12db6..4183b3d 100644
--- a/common/pkcs11x.h
+++ b/common/pkcs11x.h
@@ -181,6 +181,57 @@ typedef CK_ULONG CK_TRUST;
#endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */
+/* Define this if you want the IBM specific symbols */
+#define CRYPTOKI_IBM_VENDOR_DEFINED 1
+#ifdef CRYPTOKI_IBM_VENDOR_DEFINED
+
+#define CKK_IBM_PQC_DILITHIUM CKK_VENDOR_DEFINED + 0x10023
+
+#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1)
+#define CKA_IBM_RESTRICTABLE (CKA_VENDOR_DEFINED + 0x10001)
+#define CKA_IBM_NEVER_MODIFIABLE (CKA_VENDOR_DEFINED + 0x10002)
+#define CKA_IBM_RETAINKEY (CKA_VENDOR_DEFINED + 0x10003)
+#define CKA_IBM_ATTRBOUND (CKA_VENDOR_DEFINED + 0x10004)
+#define CKA_IBM_KEYTYPE (CKA_VENDOR_DEFINED + 0x10005)
+#define CKA_IBM_CV (CKA_VENDOR_DEFINED + 0x10006)
+#define CKA_IBM_MACKEY (CKA_VENDOR_DEFINED + 0x10007)
+#define CKA_IBM_USE_AS_DATA (CKA_VENDOR_DEFINED + 0x10008)
+#define CKA_IBM_STRUCT_PARAMS (CKA_VENDOR_DEFINED + 0x10009)
+#define CKA_IBM_STD_COMPLIANCE1 (CKA_VENDOR_DEFINED + 0x1000a)
+#define CKA_IBM_PROTKEY_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000c)
+#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000d)
+#define CKA_IBM_DILITHIUM_KEYFORM (CKA_VENDOR_DEFINED + 0xd0001)
+#define CKA_IBM_DILITHIUM_RHO (CKA_VENDOR_DEFINED + 0xd0002)
+#define CKA_IBM_DILITHIUM_SEED (CKA_VENDOR_DEFINED + 0xd0003)
+#define CKA_IBM_DILITHIUM_TR (CKA_VENDOR_DEFINED + 0xd0004)
+#define CKA_IBM_DILITHIUM_S1 (CKA_VENDOR_DEFINED + 0xd0005)
+#define CKA_IBM_DILITHIUM_S2 (CKA_VENDOR_DEFINED + 0xd0006)
+#define CKA_IBM_DILITHIUM_T0 (CKA_VENDOR_DEFINED + 0xd0007)
+#define CKA_IBM_DILITHIUM_T1 (CKA_VENDOR_DEFINED + 0xd0008)
+#define CKA_IBM_OPAQUE_PKEY (CKA_VENDOR_DEFINED + 0xd0100)
+
+#define CKM_IBM_SHA3_224 (CKM_VENDOR_DEFINED + 0x10001)
+#define CKM_IBM_SHA3_256 (CKM_VENDOR_DEFINED + 0x10002)
+#define CKM_IBM_SHA3_384 (CKM_VENDOR_DEFINED + 0x10003)
+#define CKM_IBM_SHA3_512 (CKM_VENDOR_DEFINED + 0x10004)
+#define CKM_IBM_CMAC (CKM_VENDOR_DEFINED + 0x10007)
+#define CKM_IBM_EC_X25519 (CKM_VENDOR_DEFINED + 0x1001b)
+#define CKM_IBM_ED25519_SHA512 (CKM_VENDOR_DEFINED + 0x1001c)
+#define CKM_IBM_EC_X448 (CKM_VENDOR_DEFINED + 0x1001e)
+#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED + 0x1001f)
+#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED + 0x10023)
+#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED + 0x10025)
+#define CKM_IBM_SHA3_256_HMAC (CKM_VENDOR_DEFINED + 0x10026)
+#define CKM_IBM_SHA3_384_HMAC (CKM_VENDOR_DEFINED + 0x10027)
+#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028)
+#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004)
+
+typedef struct CK_IBM_ATTRIBUTEBOUND_WRAP {
+ CK_OBJECT_HANDLE hSignVerifyKey;
+} CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS;
+
+#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */
+
#if defined(__cplusplus)
}
#endif
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index 8dfa30b..0923224 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
case CKA_RESET_ON_INIT:
case CKA_HAS_RESET:
case CKA_COLOR:
+ case CKA_IBM_RESTRICTABLE:
+ case CKA_IBM_NEVER_MODIFIABLE:
+ case CKA_IBM_RETAINKEY:
+ case CKA_IBM_ATTRBOUND:
+ case CKA_IBM_USE_AS_DATA:
+ case CKA_IBM_PROTKEY_EXTRACTABLE:
+ case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE:
return P11_RPC_VALUE_BYTE;
case CKA_CLASS:
case CKA_CERTIFICATE_TYPE:
@@ -821,6 +828,9 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
case CKA_CHAR_COLUMNS:
case CKA_BITS_PER_PIXEL:
case CKA_MECHANISM_TYPE:
+ case CKA_IBM_DILITHIUM_KEYFORM:
+ case CKA_IBM_STD_COMPLIANCE1:
+ case CKA_IBM_KEYTYPE:
return P11_RPC_VALUE_ULONG;
case CKA_WRAP_TEMPLATE:
case CKA_UNWRAP_TEMPLATE:
@@ -869,6 +879,18 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
case CKA_REQUIRED_CMS_ATTRIBUTES:
case CKA_DEFAULT_CMS_ATTRIBUTES:
case CKA_SUPPORTED_CMS_ATTRIBUTES:
+ case CKA_IBM_OPAQUE:
+ case CKA_IBM_CV:
+ case CKA_IBM_MACKEY:
+ case CKA_IBM_STRUCT_PARAMS:
+ case CKA_IBM_OPAQUE_PKEY:
+ case CKA_IBM_DILITHIUM_RHO:
+ case CKA_IBM_DILITHIUM_SEED:
+ case CKA_IBM_DILITHIUM_TR:
+ case CKA_IBM_DILITHIUM_S1:
+ case CKA_IBM_DILITHIUM_S2:
+ case CKA_IBM_DILITHIUM_T0:
+ case CKA_IBM_DILITHIUM_T1:
return P11_RPC_VALUE_BYTE_ARRAY;
}
}
@@ -1406,9 +1428,59 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value (p11_buffer *buffer,
return true;
}
+void
+p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
+
+ /* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */
+ if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (¶ms, value, value_length);
+
+ /* Check if params.hSignVerifyKey can be converted to uint64_t. */
+ if (params.hSignVerifyKey > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey);
+}
+
+bool
+p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+
+ if (value) {
+ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
+
+ params.hSignVerifyKey = val;
+
+ memcpy (value, ¶ms, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS);
+
+ return true;
+}
+
static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
- { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }
+ { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value },
+ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }
};
static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
@@ -1533,6 +1605,18 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech)
case CKM_RIPEMD160:
case CKM_RIPEMD160_HMAC:
case CKM_KEY_WRAP_LYNKS:
+ case CKM_IBM_SHA3_224:
+ case CKM_IBM_SHA3_256:
+ case CKM_IBM_SHA3_384:
+ case CKM_IBM_SHA3_512:
+ case CKM_IBM_CMAC:
+ case CKM_IBM_DILITHIUM:
+ case CKM_IBM_SHA3_224_HMAC:
+ case CKM_IBM_SHA3_256_HMAC:
+ case CKM_IBM_SHA3_384_HMAC:
+ case CKM_IBM_SHA3_512_HMAC:
+ case CKM_IBM_ED25519_SHA512:
+ case CKM_IBM_ED448_SHA3:
return true;
default:
return false;
diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
index 62e7b18..eec2927 100644
--- a/p11-kit/rpc-message.h
+++ b/p11-kit/rpc-message.h
@@ -42,6 +42,7 @@
#include "buffer.h"
#include "pkcs11.h"
+#include "pkcs11x.h"
/* The calls, must be in sync with array below */
enum {
@@ -479,4 +480,15 @@ bool p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value
void *value,
CK_ULONG *value_length);
+void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
#endif /* _RPC_MESSAGE_H */
--
2.38.1
