ta: pkcs11: Add support for elliptic curve signing & verification

Add support for performing elliptic curve signing & verification
operations for:

- ECDSA with supplied hash value
- Multi stage SHA

ta: pkcs11: Add support for elliptic curve signing & verification

Add support for performing elliptic curve signing & verification
operations for:

- ECDSA with supplied hash value
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.3 Elliptic Curve

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add support for elliptic curve key pair generation

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01

2.3.5 Elliptic curve

ta: pkcs11: Add support for elliptic curve key pair generation

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01

2.3.5 Elliptic curve key pair generation

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add generic support for key pair generation

This commit only adds common key pair generation support code.

Actual mechanism specific key pair generation codes are in their own
commits.

ta: pkcs11: Add generic support for key pair generation

This commit only adds common key pair generation support code.

Actual mechanism specific key pair generation codes are in their own
commits.

Specified in:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Plus
Errata 01

5.13 Key management functions
C_GenerateKeyPair

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add helper for setting up CKA_ID value

When generating a new key pair object adds CKA_ID attribute from paired
object template if value given.

Reviewed-by: Etienne Carriere <etienne.car

ta: pkcs11: Add helper for setting up CKA_ID value

When generating a new key pair object adds CKA_ID attribute from paired
object template if value given.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix get_default_value/PKCS11_CKA_PUBLIC_KEY_INFO

Default value for CKA_PUBLIC_KEY_INFO is empty unless asymmetric
mechanism is specified.

When asymmetric mechanism is specified it shoul

ta: pkcs11: Fix get_default_value/PKCS11_CKA_PUBLIC_KEY_INFO

Default value for CKA_PUBLIC_KEY_INFO is empty unless asymmetric
mechanism is specified.

When asymmetric mechanism is specified it should contribute the actual
value.

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: CKA_SUBJECT is mandatory for keys but has default value

When creating a new public/private key in its template it is not mandatory
to have CKA_SUBJECT field. However in the object stored

ta: pkcs11: CKA_SUBJECT is mandatory for keys but has default value

When creating a new public/private key in its template it is not mandatory
to have CKA_SUBJECT field. However in the object stored in it must be
present.

If CKA_SUBJECT is not present it will be given empty default value.

In PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01:

4.8 Public key objects:

CKA_SUBJECT -- DER-encoding of the key subject name (default empty)

4.9 Private key objects:

CKA_SUBJECT -- DER-encoding of the key subject name (default empty)

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Remove class and key check for indirect attributes

In sanitize_indirect_attributes(), class and key check is performed
to check that the indirect attribute is provided only for particula

ta: pkcs11: Remove class and key check for indirect attributes

In sanitize_indirect_attributes(), class and key check is performed
to check that the indirect attribute is provided only for particular
type of key objects. This check causes issue in case an indirect
template further has pointer to another indirect template. It is not
essential for an indirect template to have class and key attributes.

When creating objects for classes which don't support the indirect
template, this would result in scenario where error is not returned.
However, the indirect attribute won't get added to the created object.
This is inline with how the other attributes are dealt with currently.
eg. if while creating a secret key, a public key attribute is passed,
it is currently ignored rather than returning error. A probable
fix is to check all the attributes in the user provided template with
the attributes of the type of object which needs to be created.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: use a temporary list for object under creation

This change removes the hacky handling of whether object was previously
in a list of not. This is replaced by default registering pkcs11 ob

ta: pkcs11: use a temporary list for object under creation

This change removes the hacky handling of whether object was previously
in a list of not. This is replaced by default registering pkcs11 objects
in a temporary list at object allocation so it can be blindly removed
from its list when destroyed and can be safely moved to its destination
list (either a session object list or a token object list) when
object is successfully created.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: fix comment stating no mechanism is supported

Remove the inline comment that states the implementation does not yet
support any mechanism as is it not true.

Signed-off-by: Etienne Carri

ta: pkcs11: fix comment stating no mechanism is supported

Remove the inline comment that states the implementation does not yet
support any mechanism as is it not true.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add restriction in C_GetAttributeValue()

Support for getting indirect template attributes using
C_GetAttributeValue() is not supported as of now. Explicitly
return error if such attribut

ta: pkcs11: Add restriction in C_GetAttributeValue()

Support for getting indirect template attributes using
C_GetAttributeValue() is not supported as of now. Explicitly
return error if such attribute value is requested.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add sanitize function for symmetric keys

The specification [1] mandates some rules for CKA_VALUE and
CKA_VALUE_LEN for keys of type CKO_GENERIC_SECRET in Table 45,
Table 47. These checks

ta: pkcs11: Add sanitize function for symmetric keys

The specification [1] mandates some rules for CKA_VALUE and
CKA_VALUE_LEN for keys of type CKO_GENERIC_SECRET in Table 45,
Table 47. These checks were missing in current implementation.
Add explicit checks for this when creating such objects.

[1] - PKCS #11 Cryptographic Token Interface Current Mechanisms
Specification Version 2.40 Plus Errata 01

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Modify optional attributes for symmetric key

CKA_VALUE_LEN attribute may not be required for some
CKO_GENERIC_SECRET type keys eg CKK_DES etc. So, move the
attribute from opt_or_null arr

ta: pkcs11: Modify optional attributes for symmetric key

CKA_VALUE_LEN attribute may not be required for some
CKO_GENERIC_SECRET type keys eg CKK_DES etc. So, move the
attribute from opt_or_null array to optional so that this attribute
doesn't get added by default as NULL if not present in the
user supplied template.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Make it possible to disable support for C_DigestKey()

By default C_DigestKey() functions as specified in specifciation.

To disable the functionality:
CFG_PKCS11_TA_ALLOW_DIGEST_KEY = n

ta: pkcs11: Make it possible to disable support for C_DigestKey()

By default C_DigestKey() functions as specified in specifciation.

To disable the functionality:
CFG_PKCS11_TA_ALLOW_DIGEST_KEY = n

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add support for digest operations

Implements support for digest operations as specified in:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.10 Me

ta: pkcs11: Add support for digest operations

Implements support for digest operations as specified in:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.10 Message digesting functions

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add API for releasing active processing

When error condition is detected in Cryptoki API side in bad argument
processing add support for terminating active processing to comply
with the

ta: pkcs11: Add API for releasing active processing

When error condition is detected in Cryptoki API side in bad argument
processing add support for terminating active processing to comply
with the specification.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add debug helper for PKCS11_CKR_ATTRIBUTE_SENSITIVE

Add debug symbol into return code table.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne

ta: pkcs11: Add debug helper for PKCS11_CKR_ATTRIBUTE_SENSITIVE

Add debug symbol into return code table.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix error code returned by entry_processing_key()

check_parent_attrs_against_processing() checks if the right attributes
are set in the key to be used for a cryptgraphic purpose. It retu

ta: pkcs11: Fix error code returned by entry_processing_key()

check_parent_attrs_against_processing() checks if the right attributes
are set in the key to be used for a cryptgraphic purpose. It returns
error - CKR_KEY_FUNCTION_NOT_PERMITTED if this is not the case.
For C_DeriveKey(), C_UnwrapKey(), CKR_KEY_FUNCTION_NOT_PERMITTED is not
specified in the error code list. So, for such errors return
CKR_KEY_TYPE_INCONSISTENT instead.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: relocate shared session object db to client session

PKCS11 has concept of shared objects between different PKCS11 sessions
which need to work.

As in OP-TEE context there can be multiple

ta: pkcs11: relocate shared session object db to client session

PKCS11 has concept of shared objects between different PKCS11 sessions
which need to work.

As in OP-TEE context there can be multiple callers which should not share
the objects use OP-TEE client session association to separate those from
each other.

Specified in:
PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40
2.6 Sessions

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Rename entry_derive_key() to make it more generic

entry_derive_key() is renamed to entry_processing_key() and
parameter is added to pass processing information to it.
This is done becaus

ta: pkcs11: Rename entry_derive_key() to make it more generic

entry_derive_key() is renamed to entry_processing_key() and
parameter is added to pass processing information to it.
This is done because the flow for key derivation and key
unwrapping is very similar and this function can be reused.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add function to set key data

Earlier derive_key_by_symm_enc() was used to derive key
by cipher operation and set the derived key value in
the object attributes. Simplify it to just deriv

ta: pkcs11: Add function to set key data

Earlier derive_key_by_symm_enc() was used to derive key
by cipher operation and set the derived key value in
the object attributes. Simplify it to just derive the
key and return the derived key value to calling function.
Separate function is created to add this derived key value
in the key object.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Remove check from entry_derive_key()

Explicit checking for invalid mechanism is no longer required
in entry_derive_key() as this is taken care of by call to
check_mechanism_against_proce

ta: pkcs11: Remove check from entry_derive_key()

Explicit checking for invalid mechanism is no longer required
in entry_derive_key() as this is taken care of by call to
check_mechanism_against_processing().

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Correct error returned when processing mechanisms

check_mechanism_against_processing() checks if a mechanism is
supported for the selected function. If mechanism specified
cannot be used

ta: pkcs11: Correct error returned when processing mechanisms

check_mechanism_against_processing() checks if a mechanism is
supported for the selected function. If mechanism specified
cannot be used in the selected token with the selected function,
the error code is expected to be CKR_MECHANISM_INVALID.
Earlier check_mechanism_against_processing()
was returning error code CKR_KEY_FUNCTION_NOT_PERMITTED when doing
such checking which is not correct.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Update attributes in persistent storage

For token objects, for any modification in attributes,
the attributes also need to be updated in the objects
persistent storage. These modificatio

ta: pkcs11: Update attributes in persistent storage

For token objects, for any modification in attributes,
the attributes also need to be updated in the objects
persistent storage. These modifications are done when
C_SetAttributeValue() is used.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Correct the error in tracing indirect attributes

When tracing indirect attributes, size passed in
trace_attributes_from_api_head() was not correct resulting in
error.

Reviewed-by: Etien

ta: pkcs11: Correct the error in tracing indirect attributes

When tracing indirect attributes, size passed in
trace_attributes_from_api_head() was not correct resulting in
error.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Fix class check when sanitizing indirect attributes

Indirect attributes are expected only for keys. Correct this
check in sanitize_indirect_attr().

Reviewed-by: Etienne Carriere <etienn

ta: pkcs11: Fix class check when sanitizing indirect attributes

Indirect attributes are expected only for keys. Correct this
check in sanitize_indirect_attr().

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...