| 0ac5c695 | 09-Mar-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Modify optional attributes for symmetric key
CKA_VALUE_LEN attribute may not be required for some CKO_GENERIC_SECRET type keys eg CKK_DES etc. So, move the attribute from opt_or_null array to optional so that this attribute doesn't get added by default as NULL if not present in the user supplied template.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| eb88d2de | 08-Mar-2021 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
ta: pkcs11: Make it possible to disable support for C_DigestKey()
By default C_DigestKey() functions as specified in specification.
To disable the functionality: CFG_PKCS11_TA_ALLOW_DIGEST_KEY = n
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 9e91a619 | 20-Feb-2021 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
ta: pkcs11: Add support for digest operations
Implements support for digest operations as specified in:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01 5.10 Message digesting functions
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| eb6141b6 | 28-Feb-2021 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
ta: pkcs11: Add API for releasing active processing
When error condition is detected in Cryptoki API side in bad argument processing add support for terminating active processing to comply with the specification.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| c1cef3d9 | 21-Feb-2021 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
ta: pkcs11: Add debug helper for PKCS11_CKR_ATTRIBUTE_SENSITIVE
Add debug symbol into return code table.
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| d05ab5fe | 06-Mar-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Fix error code returned by entry_processing_key()
check_parent_attrs_against_processing() checks if the right attributes are set in the key to be used for a cryptographic purpose. It returns error - CKR_KEY_FUNCTION_NOT_PERMITTED if this is not the case. For C_DeriveKey(), C_UnwrapKey(), CKR_KEY_FUNCTION_NOT_PERMITTED is not specified in the error code list. So, for such errors return CKR_KEY_TYPE_INCONSISTENT instead.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| bc555ee0 | 14-Sep-2020 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
ta: pkcs11: relocate shared session object db to client session
PKCS11 has concept of shared objects between different PKCS11 sessions which need to work.
As in OP-TEE context there can be multiple callers which should not share the objects use OP-TEE client session association to separate those from each other.
Specified in: PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40 2.6 Sessions
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 4dad6642 | 03-Mar-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Rename entry_derive_key() to make it more generic
entry_derive_key() is renamed to entry_processing_key() and parameter is added to pass processing information to it. This is done because the flow for key derivation and key unwrapping is very similar and this function can be reused.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 8c499324 | 03-Mar-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Add function to set key data
Earlier derive_key_by_symm_enc() was used to derive key by cipher operation and set the derived key value in the object attributes. Simplify it to just derive the key and return the derived key value to calling function. Separate function is created to add this derived key value in the key object.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 7107ac10 | 03-Mar-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Remove check from entry_derive_key()
Explicit checking for invalid mechanism is no longer required in entry_derive_key() as this is taken care of by call to check_mechanism_against_processing().
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| df705578 | 03-Mar-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Correct error returned when processing mechanisms
check_mechanism_against_processing() checks if a mechanism is supported for the selected function. If mechanism specified cannot be used in the selected token with the selected function, the error code is expected to be CKR_MECHANISM_INVALID. Earlier check_mechanism_against_processing() was returning error code CKR_KEY_FUNCTION_NOT_PERMITTED when doing such checking which is not correct.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 402d884a | 18-Feb-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Update attributes in persistent storage
For token objects, for any modification in attributes, the attributes also need to be updated in the objects persistent storage. These modifications are done when C_SetAttributeValue() is used.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 18e77482 | 26-Feb-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Correct the error in tracing indirect attributes
When tracing indirect attributes, size passed in trace_attributes_from_api_head() was not correct resulting in error.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| efe1165f | 26-Feb-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Fix class check when sanitizing indirect attributes
Indirect attributes are expected only for keys. Correct this check in sanitize_indirect_attr().
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| c3033708 | 23-Feb-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Forbid derivation by encryption from AES encryption keys
Enforce that AES keys should not be allowed for both 'derivation by encryption' and ciphering. This is not explicitly mentioned in the PKCS#11 specifications v2.4 and v3.0 but is essential to avoid attacks where derived key can be revealed by doing data encryption using parent key.
Suggested-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 48799892 | 17-Feb-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Add implementation for key derivation
Add code for handling C_DeriveKey() for mechanisms : CKM_AES_ECB_ENCRYPT_DATA CKM_AES_CBC_ENCRYPT_DATA
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 5c5bd5fe | 16-Feb-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Allocate command ID for key derivation
Allocate command ID for C_DeriveKey().
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 65fb9092 | 13-Feb-2021 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
ta: pkcs11: private key can also be public
Even though normal operations should mark a private key as private with the CKA_PRIVATE attribute, it is possible that someone could make an unexpected choice.
Specification does not state that private key class itself means that it is private, specification only states that CKA_PRIVATE is in control of the privacy of the object.
This commit moves object class CKO_PRIVATE_KEY processing to normal handling of CKA_PRIVATE.
CKA_PRIVATE is specified in: PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01 4.4 Storage Objects
Possibility of having private key object with CKA_PRIVATE as false: PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01 4.9 Private key objects
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de> Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| e3737878 | 12-Feb-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Correct the return type of functions and typos
Correct return types of few functions and few typos.
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 49ed60ab | 12-Feb-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Add key size check for AES type of key
For AES Keys, the allowed lengths are 16, 24 or 32 bytes. Return error if the key length passed when creating keys is not one of these.
If not checked when creating keys, error CKR_MECHANISM_INVALID is returned later when trying to use invalid keys which is ambiguous. The right approach is to disallow creation of such keys.
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 2d0cd829 | 12-Feb-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Fix interpretation of CKA_VALUE_LEN for Generic Secrets
PKCS#11 specification [1] section 2.6.3 states that - For CKM_GENERIC_SECRET_KEY_GEN mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure specify the supported range of key sizes, in bits.
Based on this, assumption was being made in the code that key length specified by CKA_VALUE_LEN for keys of type CKK_GENERIC_SECRET is also in bits. This assumption is not correct as per Section 2.6.2 in [1]. Special handling in code for CKK_GENERIC_SECRET for handling keysize in bits has been now removed.
[1] - PKCS #11 Cryptographic Token Interface Current Mechanisms Specification Version 2.40
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 0fafe5c7 | 17-Feb-2021 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
ta: pkcs11: Close file handle after object has been created
When creating an object, the file handle was left open. This was observed in tee-supplicant as open file handles.
This fixes the situation so that file handles are not left open.
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 22587dc4 | 30-Dec-2020 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
ta: pkcs11: Add implementation for random number generation
Add code for handling C_SeedRandom() and C_GenerateRandom() functionality.
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 6028ce67 | 30-Dec-2020 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
ta: pkcs11: Allocate command ID for random number generation
Allocate command IDs for C_SeedRandom() and C_GenerateRandom() functionality.
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| f44a7a58 | 04-Feb-2021 |
Etienne Carriere <etienne.carriere@linaro.org> |
ta: pkcs11: fix TEE identity authentication token reference
Correct token reference pass to verify client credentials.
Fixes: 1a27b197 ("ta: pkcs11: Add TEE Identity based authentication support") Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|