4137952d | 23-Jan-2021 | Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
ta: pkcs11: Add certificate object support
Adds support for:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01
4.6 Certificate objects
4.6.3 X.509 public key certificate objects
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
46900d03 | 02-Dec-2020 | Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
ta: pkcs11: Fix serialization handling for non-indirect attributes
Both sides of serialization and de-serialization must match the logic.
Only TEMPLATE based arguments have indirect attributes so detect them and handle them specifically.
Otherwise use standard attribute handling code for other attributes.
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
49443fc0 | 10-Dec-2020 | Etienne Carriere <etienne.carriere@linaro.org>
ta: pkcs11: add missing header files
Add missing header files inclusion in a few source files.
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
2158ea6c | 30-Nov-2020 | Ruchika Gupta <ruchika.gupta@linaro.org>
ta: pkcs11: Add support for big key sizes for HMAC hash Mechanisms
Currently the support for maximum key size supported in HMAC hash functions is limited by the underlying Global TEE implementation. The RFC 2202 and 4231 specify some HMAC test vectors where key size is greater than the sizes as supported in current TEE implementation. For such key sizes, greater than the maximum key size supported by TEE, first hash the key and then use the resultant as the actual key to HMAC.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
512cbf1d | 15-Jul-2020 | Jens Wiklander <jens.wiklander@linaro.org>
ta: pkcs11: adds support for symmetric AES cipher modes
Adds support for the AES modes ECB, CBC, CTR and CTS.
Much infrastructure is added to handle mechanisms.
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
63f89caa | 04-May-2020 | Jens Wiklander <jens.wiklander@linaro.org>
ta: pkcs11: attribute helper functions
* Helper functions for object attributes management.
* Helper functions to safely parse client attributes template to create a list of attributes for an object in the PKCS11 ta.
* Helper functions for assigning or checking object attributes according to PKCS#11 specification.
* Add id-to-string conversion for attribute/class/key types.
* Helper functions to analyze object attributes.
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
8e03579e | 09-Apr-2020 | Jens Wiklander <jens.wiklander@linaro.org>
ta: pkcs11: helper for GPD TEE to PKCS#11 status conversion
Introduce helper function pkcs2tee_error() for the several TEE Core Internal APIs called for which return value needs to be reported to caller in PKCS#11 return code format.
The function returns PKCS11_CKR_GENERAL_ERROR for TEE_Result values that do not strictly match a PKCS#11 return code.
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
d21ec5f4 | 12-Mar-2020 | Etienne Carriere <etienne.carriere@linaro.org>
ta: pkcs11: add mechanism info and session command to helpers
Add mechanism info and session management command IDs in debug helpers of the PKCS11 TA.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
8849c126 | 18-Feb-2020 | Etienne Carriere <etienne.carriere@linaro.org>
ta: pkcs11: support for mechanism embedded in a token
Implement token_capabilities.c to centralize the mechanisms supported by a token. As PKCS11 TA can implement several tokens, each token may provide support for a restricted list of mechanisms and processing over these mechanisms.
Array pkcs11_modes[] is used to strictly define the processing that is allowed for a mechanism as per PKCS#11 specification.
Conversion of a mechanism ID into a debug friendly string is implemented in token_capabilities.c rather than pkcs11_helpers.c as for the other string helpers since the source file already defines the list of the valid mechanism IDs, hence an indirection from id2str_mechanism() to mechanism_string_id().
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
a67dc424 | 04-Feb-2020 | Etienne Carriere <etienne.carriere@linaro.org>
ta: pkcs11: API for slot/token information
Define invocation commands to carry the request related to PKCS#11 API functions related to slot and token information:
- get the list of the slots, related to CK function C_GetSlotList(),
- get information from a slot, related to C_GetSlotInfo(),
- get information from a token, related to C_GetTokenInfo(),
- get the list of mechanisms supported by a token, C_GetMechanismList(),
- get information on a mechanism from a token, C_GetMechanismInfo().
The TA API involves several byte serialization of invocation parameters data inside TEE invocation input/output memory reference parameters.
This change introduces the command APIs and some debug helpers for the newly defined slot/token flags.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
208dec38 | 20-Jan-2020 | Etienne Carriere <etienne.carriere@linaro.org>
ta: pkcs11: report PKCS11 return code to client
For the PKCS11 TA to provide client a meaningful return code as per PKCS#11 specification, the GPD TEE command invocation return code is forced to TEE_SUCCESS and client is expected to read effective PKCS11 return code (which can report a success or a failure) from invocation parameter #0 that must be an input/output memory reference. The status is returned as a 32bit value in the output buffer.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
d34f3266 | 20-Jan-2020 | Etienne Carriere <etienne.carriere@linaro.org>
ta: pkcs11: define pkcs11 return codes
This change introduces PKCS11 return codes used internally in the TA to get a PKCS#11 compliant status of the requested operation and also reported to the caller client providing a cryptoki compliant return value for the client API functions.
There are PKCS11 TA specific return values that are defined and used only internally in the TA: PKCS11_RV_NOT_FOUND and PKCS11_RV_NOT_IMPLEMENTED.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
f7d7fcd9 | 20-Jan-2020 | Etienne Carriere <etienne.carriere@linaro.org>
ta: pkcs11: string debug trace for ta command ids
ck_helper.c/.h will provide helper functions for IDs. This change starts with providing a string ID for a numerical command ID.
Matching IDs and strings are stored in a constant array. Macros PKCS11_ID() ease definition of ID/string conversion arrays content. Function id2str() finds the string for an ID, possibly skipping a given prefix, i.e. printing "ENCRYPT" instead of "PKCS11_CKFM_ENCRYPT".
TA command IDs are the first introduced ID/string conversion util. Function id2str_ta_cmd() returns string "PKCS11_CMD_..." for a known command ID.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>