History log of /optee_os/ta/pkcs11/ (Results 151 – 175 of 257)
Revision Date Author Comments
12f1ba86 24-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Fix error returned

When trying to access an object of type CKA_PRIVATE without
logging in, the error returned should be
PKCS11_CKR_USER_NOT_LOGGED_IN.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

90c47fe2 22-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Use get_attribute_ptr() instead of get_attribute()

When just trying to determine if an attribute is present in the
list or not without requiring the actual value of the attribute,
using get_attribute_ptr() is better to use as it is more
light-weight than its counterpart get_attribute().

Suggested-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

4cfce748 21-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Add class_id in create_attributes_from_template()

Add a parameter to pass pkcs11_class_id. The parameter will be
used when attributes need to be created for a template
supporting public or private class key. It is unused for now.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

dcad3409 18-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Add class and type hint in sanitize_client_object()

Specification allows one to pass templates while generating
key/keypair where class and type may be omitted from the template.
In such cases, pass class and type as hint in sanitize_client_object()
so that they can be added in the attribute list being prepared.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

70c78a55 17-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Fix for CKA_KEY_GEN_MECHANISM in create_attributes_from_template()

CKA_KEY_GEN_MECHANISM attribute is not added in the attribute list
(attrs) from the template (temp) when a key object is created as
it doesn't fall in mandatory/optional attribute. So, error checking for
this attribute should be done on the original source template(temp)
and not the attribute list(attrs) in create_attributes_from_template().

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ff65c72a 17-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Fix for CKA_LOCAL in create_attributes_from_template()

CKA_LOCAL attribute is not added in the attribute list
(attrs) from the template (temp) when a key object is created as
it doesn't fall in mandatory/optional attribute. So, error checking for
this attribute should be done on the original source template(temp)
and not the attribute list(attrs) in create_attributes_from_template().

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

fa247a2a 10-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Add support for Key Generation

Adds support of mechanisms PKCS11_CKM_GENERIC_SECRET_KEY_GEN,
PKCS11_CKM_AES_KEY_GEN for key generation API.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

4cbb7eac 07-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Define TA mechanisms for Key Generation

Adds the mechanisms PKCS11_CKM_GENERIC_SECRET_KEY_GEN
in enum pkcs11_mechanism_id.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

d09e2463 07-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Define command for Key Generation

Add command PKCS11_CMD_GENERATE_KEY in enum pkcs11_ta_cmd.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

d1d44372 11-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Fix the error code returned

While generating a key of type PKCS11_CKO_SECRET_KEY, if
CKA_VALUE_LEN field is not specified in the attribute
template, the error returned needs to be
PKCS11_CKR_TEMPLATE_INCOMPLETE.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

5440719d 11-Dec-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Temporary workaround in sanitize_indirect_attr()

Since the type of key to be generated is implicit in the key generation
mechanism, the template does not need to supply a key type or class.
(CKA_CLASS and CKA_KEY_TYPE attributes). sanitize_indirect_attr()
expects these attributes to be available else gives an error.

The right way of handling this would be perhaps passing a hint
of the class and key type to this function if key is being generated
using key generated mechanisms. However, we don't have support for
wrap/derive key which uses the indirect attributes at present in the
code. So, we would not be able to test it. For now, just move the class
checking after the attribute checking which helps avoid this error.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

16df60c7 10-Dec-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: rename argument bp to attrs for generic attributes

Rename input argument bp/bp_count to attrs/attrs_count in several
local functions in pkcs11_attributes.c since the references cover
any kind of attribute, not only boolean attributes (bp stood for
boolean property).

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

fde67b24 10-Dec-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: fix initial value for return code

Fix initial value for enumerated variable of type enum pkcs11_rc.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

a339a354 10-Dec-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: fix ordering in switch case

Fix ordering switch/case block of get_key_min_max_sizes().

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

49443fc0 10-Dec-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: add missing header files

Add missing header files inclusion in a few source files.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

5d5f504f 10-Dec-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: remove empty tee_release_ctr_operation()

Remove function tee_release_ctr_operation() that is empty since
the generic sequence already releases CTR operation extra context.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

55e6965c 10-Dec-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: release active process on session closure

Release the possible active processing resources when closing a session.

Fixes: 512cbf1d30dd ("ta: pkcs11: adds support for symmetric AES cipher modes")
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

002f6b93 10-Dec-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: fix return code when parsing attribute templates

Fix return code that was not set in a few error cases in
create_attributes_from_template().

Fixes: 63f89caa9022 ("ta: pkcs11: attribute helper functions")
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

2158ea6c 30-Nov-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Add support for big key sizes for HMAC hash Mechanisms

Currently the support for maximum key size supported in HMAC hash
functions is limited by the underlying Global TEE implementation.
The RFC 2202 and 4231 specify some HMAC test vectors where key size
is greater than the sizes as supported in current TEE implementation.
For such key sizes, greater than the maximum key size supported by TEE,
first hash the key and then use the resultant as the actual key to
HMAC.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

460ba621 27-Nov-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Add minimum key size checking for HMAC Mechanisms

For HMAC mechanisms for hash operations, if the size of the key object
is less than the minimum size supported by the implementation,
error PKCS11_CKR_KEY_SIZE_RANGE should be returned. If this check
is not done before TEE_AllocateOperation(), passing a key size not
supported by TEE results in a PKCS11_CKR_MECHANISM_INVALID error,
which is ambiguous as Mechanism is supported here and the issue is
with key size.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

de94d6f8 27-Nov-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Fix usage of CKK_GENERIC_SECRET for HMAC Functions

The use of CKK_GENERIC_SECRET is allowed with HMAC mechanisms.
In earlier implementation, CKK_GENERIC_SECRET was mapped to
TEE_GENERIC_KEY. TEE_AllocateOperation() would return an error
when TEE key of type TEE_GENERIC_KEY is used with HMAC algorithms.
So, special handling is required for such keys where the PKCS11
mechanism should be used to determine the corresponding TEE
KEY Type for CKK_GENERIC_SECRET when used with HMAC mechanisms.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

1f45c9cf 26-Nov-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Add support for HMAC keys in get_key_min_max_sizes()

The PKCS11_CKK_<h>_HMAC key entries were missing in
get_key_min_max_sizes(). These have been added.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

d92c3cdd 19-Nov-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Correct the key size for HMAC mechanisms

The minimum and maximum key sizes supported by HMAC mechanism
should be in sync with the Global Platform APIs used for
implementing them. The sizes are now in sync with the key
sizes as specified in TEE_AllocateTransientObjects() in [1].

[1] GlobalPlatform Technology TEE Internal Core API Specification
Version 1.1.2.50

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

3284d935 10-Nov-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Remove unused function entry_verify_oneshot()

entry_verify_oneshot() is currently not used in any of the
flows. Hence remove it.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>

689f4e5b 29-Oct-2020 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11 : add support for HMAC modes for Sign/Verify

Add support for HMAC modes for hash functions - MD5, SHA1,
SHA256, SHA224, SHA284 and SHA512 in Sign/Verify operations.

PKCS#11 offers 2 HMAC methods for each hash function <h>,
CKM_<h>_HMAC and CKM_<h>_HMAC_GENERAL. Fixed tag length of the
output size of hash function i.e. CKM_h_HMAC is currently supported.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
