ta: pkcs11: Add support for modifying objects

Implement command PKCS11_CMD_SET_ATTRIBUTE_VALUE.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carrie

ta: pkcs11: Add support for modifying objects

Implement command PKCS11_CMD_SET_ATTRIBUTE_VALUE.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Deal with the private objects in C_Logout

The logic to deal with the private objects was missing in the
C_Logout() implementation.
PKCS#11 specification states that :
When C_Logout succe

ta: pkcs11: Deal with the private objects in C_Logout

The logic to deal with the private objects was missing in the
C_Logout() implementation.
PKCS#11 specification states that :
When C_Logout successfully executes, any of the application’s
handles to private objects should become invalid (even if a user
is later logged back into the token, those handles remain invalid).
In addition, all private session objects from sessions belonging
to the application should also be destroyed.

In addition, also release any ongoing cryptographic or
object-finding operations that may be associated with the session
while logging out.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Access check for private objects

Private objects of a session/token are accessible only
in a R/O or R/W user session i.e if a user is logged in.
R/O or R/W public session or a R/W SO ses

ta: pkcs11: Access check for private objects

Private objects of a session/token are accessible only
in a R/O or R/W user session i.e if a user is logged in.
R/O or R/W public session or a R/W SO session cannot
access these private objects. Check for SO session
was missing in the logic when checking for access of
private objects. This has now been added.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for getting object size and attribute value

Implement commands
- PKCS11_CMD_GET_OBJECT_SIZE
- PKCS11_CMD_GET_ATTRIBUTE_VALUE

Co-developed-by: Etienne Carriere <etienne.carri

ta: pkcs11: Add support for getting object size and attribute value

Implement commands
- PKCS11_CMD_GET_OBJECT_SIZE
- PKCS11_CMD_GET_ATTRIBUTE_VALUE

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix error returned

When trying to access an object of type CKA_PRIVATE without
logging in, the error returned should be
PKCS11_CKR_USER_NOT_LOGGED_IN.

Signed-off-by: Ruchika Gupta <ruch

ta: pkcs11: Fix error returned

When trying to access an object of type CKA_PRIVATE without
logging in, the error returned should be
PKCS11_CKR_USER_NOT_LOGGED_IN.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Use get_attribute_ptr() instead of get_attribute()

When just trying to determine if an attribute is present in the
list or not withour requiring the actual value of the attribute,
using

ta: pkcs11: Use get_attribute_ptr() instead of get_attribute()

When just trying to determine if an attribute is present in the
list or not withour requiring the actual value of the attribute,
using get_attribute_ptr() is better to use as it is more
light-weight than it's counterpart get_attribute().

Suggested-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add class_id in create_attributes_from_template()

Add a parameter to pass pkcs11_class_id. The parameter will be
used when attributes need to be created for a template
supporting public

ta: pkcs11: Add class_id in create_attributes_from_template()

Add a parameter to pass pkcs11_class_id. The parameter will be
used when attributes need to be created for a template
supporting public or private class key. It is unused for now.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add class and type hint in sanitize_client_object()

Specification allows one to pass templates while genrating
key/keypair where class and type may be omitted from the template.
In such

ta: pkcs11: Add class and type hint in sanitize_client_object()

Specification allows one to pass templates while genrating
key/keypair where class and type may be omitted from the template.
In such cases, pass class and type as hint in sanitize_client_object()
so that they can be added in the attribute list being prepared.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix for CKA_KEY_GEN_MECHANISM in create_attributes_from_template()

CKA_KEY_GEN_MECHANISM attribute is not added in the attribute list
(attrs) from the template (temp) when a key object i

ta: pkcs11: Fix for CKA_KEY_GEN_MECHANISM in create_attributes_from_template()

CKA_KEY_GEN_MECHANISM attribute is not added in the attribute list
(attrs) from the template (temp) when a key object is created as
it doesn't fall in mandatory/optional attribute. So, error checking for
this attribute should be done on the original source template(temp)
and not the attribute list(attrs) in create_attributes_from_template().

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix for CKA_LOCAL in create_attributes_from_template()

CKA_LOCAL attribute is not added in the attribute list
(attrs) from the template (temp) when a key object is created as
it doesn't

ta: pkcs11: Fix for CKA_LOCAL in create_attributes_from_template()

CKA_LOCAL attribute is not added in the attribute list
(attrs) from the template (temp) when a key object is created as
it doesn't fall in mandatory/optional attribute. So, error checking for
this attribute should be done on the original source template(temp)
and not the attribute list(attrs) in create_attributes_from_template().

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add support for Key Generation

Adds support of mechanisms PKCS11_CKM_GENERIC_SECRET_KEY_GEN,
PKCS11_CKM_AES_KEY_GEN for key generation API.

Co-developed-by: Etienne Carriere <etienne.ca

ta: pkcs11: Add support for Key Generation

Adds support of mechanisms PKCS11_CKM_GENERIC_SECRET_KEY_GEN,
PKCS11_CKM_AES_KEY_GEN for key generation API.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix the error code returned

While generating a key of type PKCS11_CKO_SECRET_KEY, if
CKA_VALUE_LEN field is not specified in the attribute
template, the error returned needs to be
PKCS11

ta: pkcs11: Fix the error code returned

While generating a key of type PKCS11_CKO_SECRET_KEY, if
CKA_VALUE_LEN field is not specified in the attribute
template, the error returned needs to be
PKCS11_CKR_TEMPLATE_INCOMPLETE.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: rename argument bp to attrs for generic attributes

Rename input argument bp/bp_count to attrs/attrs_count in several
local functions in pkcs11_attributes.c since the reference cover
any

ta: pkcs11: rename argument bp to attrs for generic attributes

Rename input argument bp/bp_count to attrs/attrs_count in several
local functions in pkcs11_attributes.c since the reference cover
any kind of attribute, not only boolean attributes (bp stood for
boolean property).

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: fix ordering in switch case

Fix ordering switch/case block of get_key_min_max_sizes().

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.car

ta: pkcs11: fix ordering in switch case

Fix ordering switch/case block of get_key_min_max_sizes().

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: fix return code when parsing attribute templates

Fix return code that was not set in few error cases in
create_attributes_from_template().

Fixes: 63f89caa9022 ("ta: pkcs11: attribute he

ta: pkcs11: fix return code when parsing attribute templates

Fix return code that was not set in few error cases in
create_attributes_from_template().

Fixes: 63f89caa9022 ("ta: pkcs11: attribute helper functions")
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for HMAC keys in get_key_min_max_sizes()

The PKCS11_CKK_<h>_HMAC key entries were missing in
get_key_min_max_sizes(). These have been added.

Signed-off-by: Ruchika Gupta <ru

ta: pkcs11: Add support for HMAC keys in get_key_min_max_sizes()

The PKCS11_CKK_<h>_HMAC key entries were missing in
get_key_min_max_sizes(). These have been added.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11 : add support for HMAC modes for Sign/Verify

Add support for HMAC modes for hash functions - MD5, SHA1,
SHA256, SHA224, SHA284 and SHA512 in Sign/Verify operations.

PKCS#11 offers 2 HMAC

ta: pkcs11 : add support for HMAC modes for Sign/Verify

Add support for HMAC modes for hash functions - MD5, SHA1,
SHA256, SHA224, SHA284 and SHA512 in Sign/Verify operations.

PKCS#11 offers 2 HMAC methods for each hash function <h>,
CKM_<h>_HMAC and CKM_<h>_HMAC_GENERAL. Fixed tag length of the
output size of hash function i.e CKM_h_HMAC is currently supported.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>

show more ...

ta: pkcs11: fix return code on one-shot process of a updated operation

Fix return value when one-short processing is requested over an operation
that has already gone through a operation update proc

ta: pkcs11: fix return code on one-shot process of a updated operation

Fix return value when one-short processing is requested over an operation
that has already gone through a operation update processing. Prior this
change the PKCS11 TA return PKCS11_CKR_KEY_FUNCTION_NOT_PERMITTED which
is not accurate when key permits the operation but not the specification.

For clarity, this change splits one-shot and update steps case in
check_mechanism_against_processing().

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: fix error handling when reading ALLOWED_MECHANISMS list

If parent_key_complies_allowed_processings() cannot return a clear
status on the mechanism IDs allowed by a key object, then somet

ta: pkcs11: fix error handling when reading ALLOWED_MECHANISMS list

If parent_key_complies_allowed_processings() cannot return a clear
status on the mechanism IDs allowed by a key object, then something
is broken. This cannot happen hence panic.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: CKA_SIGN and CKA_VERIFY default to empty

Change CKA_SIGN and CKA_VERIFY attributes default value to false
as other keys cryptography processing support boolean attributes.
No reason only

ta: pkcs11: CKA_SIGN and CKA_VERIFY default to empty

Change CKA_SIGN and CKA_VERIFY attributes default value to false
as other keys cryptography processing support boolean attributes.
No reason only sign and verify support default to true.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: fix for spec WRAP_WITH_TRUSTED/ALWAYS_AUTHENTICATE defaults

Set PKCS11_CKA_WRAP_WITH_TRUSTED and PKCS11_CKA_ALWAYS_AUTHENTICATE
default values in the static values list of the specificat

ta: pkcs11: fix for spec WRAP_WITH_TRUSTED/ALWAYS_AUTHENTICATE defaults

Set PKCS11_CKA_WRAP_WITH_TRUSTED and PKCS11_CKA_ALWAYS_AUTHENTICATE
default values in the static values list of the specification.
No functional change.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Handle optional attributes without default values

In the current implementation all optional attributes of an object
if not specified in the template while creating object, are assigned

ta: pkcs11: Handle optional attributes without default values

In the current implementation all optional attributes of an object
if not specified in the template while creating object, are assigned
empty value by default. This works fine for the attributes where
specification mentions that default value is empty or the
attribute is modifiable later.

However for attributes like CKA_ALLOWED_MECHANISM, adding an empty
default value results in a failure later in crypto operations when
attribute of the object are checked against the mechanism.

To avoid such errors, the optional attributes array are split in 2 parts,
one with the default empty value and ones which don't require a
default value. All attributes in the specification which either should
have default empty value or are allowed to be modified later by call to
C_SetAttributes() or C_CopyObjects() would fall in the former category
and be initialized with empty/NULL value.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: adds support for symmetric AES cipher modes

Adds support for the AES modes ECB, CBC, CTR and CTS.

Much infrastructure is added to handle mechanisms.

Reviewed-by: Vesa Jääskeläinen <ves

ta: pkcs11: adds support for symmetric AES cipher modes

Adds support for the AES modes ECB, CBC, CTR and CTS.

Much infrastructure is added to handle mechanisms.

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: attribute helper functions

* Helper functions for object attributes management.
* Helper functions to safely parse client attributes template
to create a list of attributes for a objec

ta: pkcs11: attribute helper functions

* Helper functions for object attributes management.
* Helper functions to safely parse client attributes template
to create a list of attributes for a object in the PKCS11 ta.
* Helper functions for assigning or checking object attributes
according to PKCS#11 specification.
* Add id-to-string conversion for attribute/class/key types.
* Helper functions to analyze object attributes.

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...