ta: pkcs11: set TA version ID to 1.0.0

PKCS#11 TA version ID is 0.1.0 since its early integration. Let's
set it 1.0.0 since it now mature enough to deserve a non-zero major
version number.

Signed-o

ta: pkcs11: set TA version ID to 1.0.0

PKCS#11 TA version ID is 0.1.0 since its early integration. Let's
set it 1.0.0 since it now mature enough to deserve a non-zero major
version number.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: add CKM_RSA_X_509 authentication

Add support for CKM_RSA_X_509 mechanism for sing/verify operations.

Sign and verify operations are processed using TEE decrypt/encrypt
operation since G

ta: pkcs11: add CKM_RSA_X_509 authentication

Add support for CKM_RSA_X_509 mechanism for sing/verify operations.

Sign and verify operations are processed using TEE decrypt/encrypt
operation since GP TEE Internal Core API specification only allows
these modes for TEE_ALG_RSA_NOPAD algorithm. The pkcs11 TA only support
sign operation when the provided payload is exactly of the same size
as the RSA key used and checks the generate signature is of right size.

This mechanism can be needed to support CKM_RSA_X_509 for TLSv1.2
connections.

Add CFG_PKCS11_TA_RSA_X_509 to allow configuring the pkcs11 TA
with or without raw RSA crypto support. The config switch is default
enabled.

Signed-off-by: Alexandre Marechal <alexandre.marechal@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: pkcs11_ta.h: define PKCS11_CKM_AES_GCM

Define PKCS11_CKM_AES_GCM setting its value to 0x01087 according
to libckteec/include/pkcs11_ta.h from OP-TEE Client API.

Reviewed-by: Jerome Fori

ta: pkcs11: pkcs11_ta.h: define PKCS11_CKM_AES_GCM

Define PKCS11_CKM_AES_GCM setting its value to 0x01087 according
to libckteec/include/pkcs11_ta.h from OP-TEE Client API.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ta: pkcs11: add hidden EC point support

The PKCS#11 standard does not allow one to have CKA_EC_POINT for private
keys but TEE internal API requires one to be present when performing
private key oper

ta: pkcs11: add hidden EC point support

The PKCS#11 standard does not allow one to have CKA_EC_POINT for private
keys but TEE internal API requires one to be present when performing
private key operations. Instead of calculating it each time it is needed
store it as hidden attribute.

This fixes EC private key generation to function as specified in standard.

There is backwards support for existing keys that has been created
inadvertently with CKA_EC_POINT included.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Tested-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ta: pkcs11: add OP-TEE hidden attribute extension

Attributes which has hidden OP-TEE vendor flag specified are not exported
to user space nor can be imported from user space.

Signed-off-by: Vesa Jä

ta: pkcs11: add OP-TEE hidden attribute extension

Attributes which has hidden OP-TEE vendor flag specified are not exported
to user space nor can be imported from user space.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Tested-by: Ayoub Zaki <ayoub.zaki@embetrix.com>

show more ...

ta: pkcs11: specify OP-TEE's vendor specific attribute scheme

Add vendor allocation specification for OP-TEE specific attributes.

Specifies which bits of attribute identifier is for what purpose.

ta: pkcs11: specify OP-TEE's vendor specific attribute scheme

Add vendor allocation specification for OP-TEE specific attributes.

Specifies which bits of attribute identifier is for what purpose.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Tested-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ta: pkcs11: introduce PKCS11_CKF_ARRAY_ATTRIBUTE

Add own define for PKCS11_CKF_ARRAY_ATTRIBUTE to keep attribute defines
clear.

Adjust users to new define.

Value is same as CKF_ARRAY_ATTRIBUTE in

ta: pkcs11: introduce PKCS11_CKF_ARRAY_ATTRIBUTE

Add own define for PKCS11_CKF_ARRAY_ATTRIBUTE to keep attribute defines
clear.

Adjust users to new define.

Value is same as CKF_ARRAY_ATTRIBUTE in standard.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Tested-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ta: pkcs11: Allow authentication mode switch with PIN change

In order to enable one to switch from PIN mode to TEE Identity mode or
vice versa enable the mode switch when token has just been initial

ta: pkcs11: Allow authentication mode switch with PIN change

In order to enable one to switch from PIN mode to TEE Identity mode or
vice versa enable the mode switch when token has just been initialized but
not taken in use (eg. no user PIN set).

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Fix token initialization's authentication

When token has been initialized make sure that SO is properly
authenticated based on authentication mode setting to follow PKCS#11 2.40
specific

ta: pkcs11: Fix token initialization's authentication

When token has been initialized make sure that SO is properly
authenticated based on authentication mode setting to follow PKCS#11 2.40
specification for C_InitToken().

This makes it impossible to change authentication mode with C_InitToken().

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ta: pkcs11: Add RSA AES key wrap

The PKCS#11 Specification:
https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/cs01/
pkcs11-spec-v3.1-cs01.pdf

6.1.23 RSA AES KEY WRAP

The mechanism requires AES K

ta: pkcs11: Add RSA AES key wrap

The PKCS#11 Specification:
https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/cs01/
pkcs11-spec-v3.1-cs01.pdf

6.1.23 RSA AES KEY WRAP

The mechanism requires AES KWP mechanism CKM_AES_KEY_WRAP_KWP
which is not currently implemented in OP-TEE nor mentioned in
Global Platform specification.

Use the MBedTLS to wrap/unwrap the target key.

Signed-off-by: Valerii Chubar <valerii_chubar@epam.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add Ed25519 support

Add functionality to generate, import keys, sign/verify for
ED25519, ED25519ctx and ED25519ph.

The values for the object identifies originates from:
https://www.rfc-

ta: pkcs11: Add Ed25519 support

Add functionality to generate, import keys, sign/verify for
ED25519, ED25519ctx and ED25519ph.

The values for the object identifies originates from:
https://www.rfc-editor.org/rfc/rfc8420.html
A.1. ASN.1 Object for Ed25519

The PKCS#11 Specification:
https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/cs01/
pkcs11-spec-v3.1-cs01.pdf

Signed-off-by: Valerii Chubar <valerii_chubar@epam.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: support for ECDH1_DERIVE

Add support for ECDH1_DERIVE operation.

Only the key derivation function CKD_NULL is supported: the raw shared
secret value is therefore generated without apply

ta: pkcs11: support for ECDH1_DERIVE

Add support for ECDH1_DERIVE operation.

Only the key derivation function CKD_NULL is supported: the raw shared
secret value is therefore generated without applying any key
derivation function.

Tested with pkcs11_tool -m ECDH1-DERIVE

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Co-developed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add certificate object support

Adds support for:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01

4.6 Certificate objects
4.6.3 X.509 public key ce

ta: pkcs11: Add certificate object support

Adds support for:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01

4.6 Certificate objects
4.6.3 X.509 public key certificate objects

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for AES CMAC mechanisms

Add support for CKM_AES_CMAC* mechanisms.

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linar

ta: pkcs11: Add support for AES CMAC mechanisms

Add support for CKM_AES_CMAC* mechanisms.

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add support for more HMAC mechanisms

Add support for *_GENERAL MD5 and SHA based HMAC mechanisms.

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Etienne Carriere <et

ta: pkcs11: Add support for more HMAC mechanisms

Add support for *_GENERAL MD5 and SHA based HMAC mechanisms.

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add support for RSA OAEP encryption & decryption

Add support for performing PKCS #1 RSA OAEP encryption & decryption
operations for:

- MGF1 SHA-1
- MGF1 SHA-224
- MGF1 SHA-256
- MGF1 SH

ta: pkcs11: Add support for RSA OAEP encryption & decryption

Add support for performing PKCS #1 RSA OAEP encryption & decryption
operations for:

- MGF1 SHA-1
- MGF1 SHA-224
- MGF1 SHA-256
- MGF1 SHA-384
- MGF1 SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.8 PKCS #1 RSA OAEP

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for RSA PSS signing & verification

Add support for performing RSA PSS signing & verification operations for:

- PKCS #1 RSA PSS with supplied hash value
- Multi stage SHA-1
-

ta: pkcs11: Add support for RSA PSS signing & verification

Add support for performing RSA PSS signing & verification operations for:

- PKCS #1 RSA PSS with supplied hash value
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.10 PKCS #1 RSA PSS

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for RSA signing & verification

Add support for performing RSA signing & verification operations for:

- PKCS #1 v1.5 RSA with supplied hash value
- Multi stage MD5
- Multi st

ta: pkcs11: Add support for RSA signing & verification

Add support for performing RSA signing & verification operations for:

- PKCS #1 v1.5 RSA with supplied hash value
- Multi stage MD5
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1 RSA

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add RSA key pair generation support

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.4 PKCS #1 RSA key pair generatio

ta: pkcs11: Add RSA key pair generation support

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.4 PKCS #1 RSA key pair generation

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add missing error codes

Some error codes related with wrap, unwrap and random number
API's were missing from the list. These have been added.

Reviewed-by: Vesa Jääskeläinen <vesa.jaaske

ta: pkcs11: Add missing error codes

Some error codes related with wrap, unwrap and random number
API's were missing from the list. These have been added.

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Allocate command ID's for wrapping/unwrapping keys

Allocate command ID's for C_WrapKey() and C_UnwrapKey().

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: E

ta: pkcs11: Allocate command ID's for wrapping/unwrapping keys

Allocate command ID's for C_WrapKey() and C_UnwrapKey().

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add support for elliptic curve signing & verification

Add support for performing elliptic curve signing & verification
operations for:

- ECDSA with supplied hash value
- Multi stage SHA

ta: pkcs11: Add support for elliptic curve signing & verification

Add support for performing elliptic curve signing & verification
operations for:

- ECDSA with supplied hash value
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.3 Elliptic Curve

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add support for elliptic curve key pair generation

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01

2.3.5 Elliptic curve

ta: pkcs11: Add support for elliptic curve key pair generation

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01

2.3.5 Elliptic curve key pair generation

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Allocate command ID for key pair generation

Allocate command ID for C_GenerateKeyPair() functionality.

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carri

ta: pkcs11: Allocate command ID for key pair generation

Allocate command ID for C_GenerateKeyPair() functionality.

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add support for digest operations

Implements support for digest operations as specified in:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.10 Me

ta: pkcs11: Add support for digest operations

Implements support for digest operations as specified in:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.10 Message digesting functions

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...