ta: pkcs11: Fix RSA public key import

Different requirements are in place when importing RSA public key vs.
generaing a new RSA key pair.

Specified in:
PKCS #11 Cryptographic Token Interface Curren

ta: pkcs11: Fix RSA public key import

Different requirements are in place when importing RSA public key vs.
generaing a new RSA key pair.

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.2 RSA public key objects
and
2.1.4 PKCS #1 RSA key pair generation

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for RSA OAEP encryption & decryption

Add support for performing PKCS #1 RSA OAEP encryption & decryption
operations for:

- MGF1 SHA-1
- MGF1 SHA-224
- MGF1 SHA-256
- MGF1 SH

ta: pkcs11: Add support for RSA OAEP encryption & decryption

Add support for performing PKCS #1 RSA OAEP encryption & decryption
operations for:

- MGF1 SHA-1
- MGF1 SHA-224
- MGF1 SHA-256
- MGF1 SHA-384
- MGF1 SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.8 PKCS #1 RSA OAEP

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for RSA PSS signing & verification

Add support for performing RSA PSS signing & verification operations for:

- PKCS #1 RSA PSS with supplied hash value
- Multi stage SHA-1
-

ta: pkcs11: Add support for RSA PSS signing & verification

Add support for performing RSA PSS signing & verification operations for:

- PKCS #1 RSA PSS with supplied hash value
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.10 PKCS #1 RSA PSS

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for RSA signing & verification

Add support for performing RSA signing & verification operations for:

- PKCS #1 v1.5 RSA with supplied hash value
- Multi stage MD5
- Multi st

ta: pkcs11: Add support for RSA signing & verification

Add support for performing RSA signing & verification operations for:

- PKCS #1 v1.5 RSA with supplied hash value
- Multi stage MD5
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1 RSA

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add RSA key pair generation support

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.4 PKCS #1 RSA key pair generatio

ta: pkcs11: Add RSA key pair generation support

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.4 PKCS #1 RSA key pair generation

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add elliptic curve mecha bits to bytes conversions

Even thou not currently used by the code add support for EC bits to bytes
conversions to mechanism_supported_key_sizes_bytes() as more

ta: pkcs11: Add elliptic curve mecha bits to bytes conversions

Even thou not currently used by the code add support for EC bits to bytes
conversions to mechanism_supported_key_sizes_bytes() as more will be added
for RSA.

This is to help to keep it in sync with
pkcs11_mechanism_supported_key_sizes().

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for indirect templates

Add support for handling indirect template - CKA_DERIVE_TEMPLATE
and CKA_UNWRAP_TEMPLATE during key derivation/unwrapping.

Reviewed-by: Vesa Jääskeläi

ta: pkcs11: Add support for indirect templates

Add support for handling indirect template - CKA_DERIVE_TEMPLATE
and CKA_UNWRAP_TEMPLATE during key derivation/unwrapping.

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add implementation for wrapping keys

Add implementation for handling C_WrapKey() for mechanisms :
CKM_AES_ECB
CKM_AES_CBC

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Add implementation for wrapping keys

Add implementation for handling C_WrapKey() for mechanisms :
CKM_AES_ECB
CKM_AES_CBC

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add support for elliptic curve signing & verification

Add support for performing elliptic curve signing & verification
operations for:

- ECDSA with supplied hash value
- Multi stage SHA

ta: pkcs11: Add support for elliptic curve signing & verification

Add support for performing elliptic curve signing & verification
operations for:

- ECDSA with supplied hash value
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.3 Elliptic Curve

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add support for elliptic curve key pair generation

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01

2.3.5 Elliptic curve

ta: pkcs11: Add support for elliptic curve key pair generation

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01

2.3.5 Elliptic curve key pair generation

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add generic support for key pair generation

This commit only adds common key pair generation support code.

Actual mechanism specific key pair generation codes are in their own
commits.

ta: pkcs11: Add generic support for key pair generation

This commit only adds common key pair generation support code.

Actual mechanism specific key pair generation codes are in their own
commits.

Specified in:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Plus
Errata 01

5.13 Key management functions
C_GenerateKeyPair

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add helper for setting up CKA_ID value

When generating a new key pair object adds CKA_ID attribute from paired
object template if value given.

Reviewed-by: Etienne Carriere <etienne.car

ta: pkcs11: Add helper for setting up CKA_ID value

When generating a new key pair object adds CKA_ID attribute from paired
object template if value given.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix get_default_value/PKCS11_CKA_PUBLIC_KEY_INFO

Default value for CKA_PUBLIC_KEY_INFO is empty unless asymmetric
mechanism is specified.

When asymmetric mechanism is specified it shoul

ta: pkcs11: Fix get_default_value/PKCS11_CKA_PUBLIC_KEY_INFO

Default value for CKA_PUBLIC_KEY_INFO is empty unless asymmetric
mechanism is specified.

When asymmetric mechanism is specified it should contribute the actual
value.

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: CKA_SUBJECT is mandatory for keys but has default value

When creating a new public/private key in its template it is not mandatory
to have CKA_SUBJECT field. However in the object stored

ta: pkcs11: CKA_SUBJECT is mandatory for keys but has default value

When creating a new public/private key in its template it is not mandatory
to have CKA_SUBJECT field. However in the object stored in it must be
present.

If CKA_SUBJECT is not present it will be given empty default value.

In PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01:

4.8 Public key objects:

CKA_SUBJECT -- DER-encoding of the key subject name (default empty)

4.9 Private key objects:

CKA_SUBJECT -- DER-encoding of the key subject name (default empty)

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add sanitize function for symmetric keys

The specification [1] mandates some rules for CKA_VALUE and
CKA_VALUE_LEN for keys of type CKO_GENERIC_SECRET in Table 45,
Table 47. These checks

ta: pkcs11: Add sanitize function for symmetric keys

The specification [1] mandates some rules for CKA_VALUE and
CKA_VALUE_LEN for keys of type CKO_GENERIC_SECRET in Table 45,
Table 47. These checks were missing in current implementation.
Add explicit checks for this when creating such objects.

[1] - PKCS #11 Cryptographic Token Interface Current Mechanisms
Specification Version 2.40 Plus Errata 01

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Modify optional attributes for symmetric key

CKA_VALUE_LEN attribute may not be required for some
CKO_GENERIC_SECRET type keys eg CKK_DES etc. So, move the
attribute from opt_or_null arr

ta: pkcs11: Modify optional attributes for symmetric key

CKA_VALUE_LEN attribute may not be required for some
CKO_GENERIC_SECRET type keys eg CKK_DES etc. So, move the
attribute from opt_or_null array to optional so that this attribute
doesn't get added by default as NULL if not present in the
user supplied template.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add support for digest operations

Implements support for digest operations as specified in:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.10 Me

ta: pkcs11: Add support for digest operations

Implements support for digest operations as specified in:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.10 Message digesting functions

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add function to set key data

Earlier derive_key_by_symm_enc() was used to derive key
by cipher operation and set the derived key value in
the object attributes. Simplify it to just deriv

ta: pkcs11: Add function to set key data

Earlier derive_key_by_symm_enc() was used to derive key
by cipher operation and set the derived key value in
the object attributes. Simplify it to just derive the
key and return the derived key value to calling function.
Separate function is created to add this derived key value
in the key object.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Correct error returned when processing mechanisms

check_mechanism_against_processing() checks if a mechanism is
supported for the selected function. If mechanism specified
cannot be used

ta: pkcs11: Correct error returned when processing mechanisms

check_mechanism_against_processing() checks if a mechanism is
supported for the selected function. If mechanism specified
cannot be used in the selected token with the selected function,
the error code is expected to be CKR_MECHANISM_INVALID.
Earlier check_mechanism_against_processing()
was returning error code CKR_KEY_FUNCTION_NOT_PERMITTED when doing
such checking which is not correct.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Forbid derivation by encryption from AES encryption keys

Enforce that AES keys should not be allowed for both 'derivation by
encryption' and ciphering. This is not explicitly mentioned i

ta: pkcs11: Forbid derivation by encryption from AES encryption keys

Enforce that AES keys should not be allowed for both 'derivation by
encryption' and ciphering. This is not explicitly mentioned in
the PKCS#11 specifications v2.4 and v3.0 but is essential to avoid
attacks where derived key can be revealed by doing data encryption
using parent key.

Suggested-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add implementation for key derivation

Add code for handling C_DeriveKey() for mechanisms :
CKM_AES_ECB_ENCRYPT_DATA
CKM_AES_CBC_ENCRYPT_DATA

Reviewed-by: Etienne Carriere <etienne.carri

ta: pkcs11: Add implementation for key derivation

Add code for handling C_DeriveKey() for mechanisms :
CKM_AES_ECB_ENCRYPT_DATA
CKM_AES_CBC_ENCRYPT_DATA

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: private key can also be public

Even thou normal operations should mark private key a private with
CKA_PRIVATE attribute it is possible that someone could do
unexpected choise.

Specifica

ta: pkcs11: private key can also be public

Even thou normal operations should mark private key a private with
CKA_PRIVATE attribute it is possible that someone could do
unexpected choise.

Specification does not state that private key class itself means that it
is private, specification only states that CKA_PRIVATE is in control of
the privacy of the object.

This commit moves object class CKO_PRIVATE_KEY processing to normal
handling of CKA_PRIVATE.

CKA_PRIVATE is specified in:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
4.4 Storage Objects

Possibility of having private key object with CKA_PRIVATE as false:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
4.9 Private key objects

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add key size check for AES type of key

For AES Keys, the allowed lengths are 16, 24 or 32 bytes.
Return error if the key length passed when creating keys
is not one of these.

If not che

ta: pkcs11: Add key size check for AES type of key

For AES Keys, the allowed lengths are 16, 24 or 32 bytes.
Return error if the key length passed when creating keys
is not one of these.

If not checked when creating keys, error
CKR_MECHANISM_INVALID is returned later when trying
to use invalid keys which is ambiguous.The right approach
is to disallow creation of such keys.

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Fix interpretation of CKA_VALUE_LEN for Generic Secrets

PKCS#11 specification [1] section 2.6.3 states that - For
CKM_GENERIC_SECRET_KEY_GEN mechanism, the ulMinKeySize and
ulMaxKeySize

ta: pkcs11: Fix interpretation of CKA_VALUE_LEN for Generic Secrets

PKCS#11 specification [1] section 2.6.3 states that - For
CKM_GENERIC_SECRET_KEY_GEN mechanism, the ulMinKeySize and
ulMaxKeySize fields of the CK_MECHANISM_INFO structure
specify the supported range of key sizes, in bits.

Based on this, assumption was being made in the code that key length
specified by CKA_VALUE_LEN for keys of type CKK_GENERIC_SECRET is also
in bits. This assumption is not correct as per Section 2.6.2 in [1].
Special handling in code for CKK_GENERIC_SECRET for handling keysize
in bits has been now removed.

[1] - PKCS #11 Cryptographic Token Interface Current Mechanisms
Specification Version 2.40

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: forbid change of CKA_PRIVATE from true to false on object copy

In C_CopyObject(), forbid copying of an object with a template
which attempts to change the attribute CKA_PRIVATE from true

ta: pkcs11: forbid change of CKA_PRIVATE from true to false on object copy

In C_CopyObject(), forbid copying of an object with a template
which attempts to change the attribute CKA_PRIVATE from true to false.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...