1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (c) 2018-2020, Linaro Limited 4 */ 5 6 #ifndef PKCS11_TA_H 7 #define PKCS11_TA_H 8 9 #include <stdbool.h> 10 #include <stdint.h> 11 12 #define PKCS11_TA_UUID { 0xfd02c9da, 0x306c, 0x48c7, \ 13 { 0xa4, 0x9c, 0xbb, 0xd8, 0x27, 0xae, 0x86, 0xee } } 14 15 /* PKCS11 trusted application version information */ 16 #define PKCS11_TA_VERSION_MAJOR 0 17 #define PKCS11_TA_VERSION_MINOR 1 18 #define PKCS11_TA_VERSION_PATCH 0 19 20 /* Attribute specific values */ 21 #define PKCS11_CK_UNAVAILABLE_INFORMATION UINT32_C(0xFFFFFFFF) 22 #define PKCS11_UNDEFINED_ID UINT32_C(0xFFFFFFFF) 23 #define PKCS11_FALSE false 24 #define PKCS11_TRUE true 25 26 /* 27 * Note on PKCS#11 TA commands ABI 28 * 29 * For evolution of the TA API and to not mess with the GPD TEE 4 parameters 30 * constraint, all the PKCS11 TA invocation commands use a subset of available 31 * the GPD TEE invocation parameter types. 32 * 33 * Param#0 is used for the so-called control arguments of the invoked command 34 * and for providing a PKCS#11 compliant status code for the request command. 35 * Param#0 is an in/out memory reference (aka memref[0]). The input buffer 36 * stores serialized arguments for the command. The output buffer store the 37 * 32bit TA return code for the command. As a consequence, param#0 shall 38 * always be an input/output memory reference of at least 32bit, more if 39 * the command expects more input arguments. 40 * 41 * When the TA returns with TEE_SUCCESS result, client shall always get the 42 * 32bit value stored in param#0 output buffer and use the value as TA 43 * return code for the invoked command. 44 * 45 * Param#1 can be used for input data arguments of the invoked command. 46 * It is unused or is an input memory reference, aka memref[1]. 47 * Evolution of the API may use memref[1] for output data as well. 48 * 49 * Param#2 is mostly used for output data arguments of the invoked command 50 * and for output handles generated from invoked commands. 51 * Few commands uses it for a secondary input data buffer argument. 52 * It is unused or is an input/output/in-out memory reference, aka memref[2]. 53 * 54 * Param#3 is currently unused and reserved for evolution of the API. 55 */ 56 57 enum pkcs11_ta_cmd { 58 /* 59 * PKCS11_CMD_PING Ack TA presence and return version info 60 * 61 * [in] memref[0] = 32bit, unused, must be 0 62 * [out] memref[0] = 32bit return code, enum pkcs11_rc 63 * [out] memref[2] = [ 64 * 32bit version major value, 65 * 32bit version minor value 66 * 32bit version patch value 67 * ] 68 */ 69 PKCS11_CMD_PING = 0, 70 71 /* 72 * PKCS11_CMD_SLOT_LIST - Get the table of the valid slot IDs 73 * 74 * [in] memref[0] = 32bit, unused, must be 0 75 * [out] memref[0] = 32bit return code, enum pkcs11_rc 76 * [out] memref[2] = 32bit array slot_ids[slot counts] 77 * 78 * The TA instance may represent several PKCS#11 slots and 79 * associated tokens. This commadn reports the IDs of embedded tokens. 80 * This command relates the PKCS#11 API function C_GetSlotList(). 81 */ 82 PKCS11_CMD_SLOT_LIST = 1, 83 84 /* 85 * PKCS11_CMD_SLOT_INFO - Get cryptoki structured slot information 86 * 87 * [in] memref[0] = 32bit slot ID 88 * [out] memref[0] = 32bit return code, enum pkcs11_rc 89 * [out] memref[2] = (struct pkcs11_slot_info)info 90 * 91 * The TA instance may represent several PKCS#11 slots/tokens. 92 * This command relates the PKCS#11 API function C_GetSlotInfo(). 93 */ 94 PKCS11_CMD_SLOT_INFO = 2, 95 96 /* 97 * PKCS11_CMD_TOKEN_INFO - Get cryptoki structured token information 98 * 99 * [in] memref[0] = 32bit slot ID 100 * [out] memref[0] = 32bit return code, enum pkcs11_rc 101 * [out] memref[2] = (struct pkcs11_token_info)info 102 * 103 * The TA instance may represent several PKCS#11 slots/tokens. 104 * This command relates the PKCS#11 API function C_GetTokenInfo(). 105 */ 106 PKCS11_CMD_TOKEN_INFO = 3, 107 108 /* 109 * PKCS11_CMD_MECHANISM_IDS - Get list of the supported mechanisms 110 * 111 * [in] memref[0] = 32bit slot ID 112 * [out] memref[0] = 32bit return code, enum pkcs11_rc 113 * [out] memref[2] = 32bit array mechanism IDs 114 * 115 * This command relates to the PKCS#11 API function 116 * C_GetMechanismList(). 117 */ 118 PKCS11_CMD_MECHANISM_IDS = 4, 119 120 /* 121 * PKCS11_CMD_MECHANISM_INFO - Get information on a specific mechanism 122 * 123 * [in] memref[0] = [ 124 * 32bit slot ID, 125 * 32bit mechanism ID (PKCS11_CKM_*) 126 * ] 127 * [out] memref[0] = 32bit return code, enum pkcs11_rc 128 * [out] memref[2] = (struct pkcs11_mechanism_info)info 129 * 130 * This command relates to the PKCS#11 API function 131 * C_GetMechanismInfo(). 132 */ 133 PKCS11_CMD_MECHANISM_INFO = 5, 134 135 /* 136 * PKCS11_CMD_OPEN_SESSION - Open a session 137 * 138 * [in] memref[0] = [ 139 * 32bit slot ID, 140 * 32bit session flags, 141 * ] 142 * [out] memref[0] = 32bit return code, enum pkcs11_rc 143 * [out] memref[2] = 32bit session handle 144 * 145 * This command relates to the PKCS#11 API function C_OpenSession(). 146 */ 147 PKCS11_CMD_OPEN_SESSION = 6, 148 149 /* 150 * PKCS11_CMD_CLOSE_SESSION - Close an opened session 151 * 152 * [in] memref[0] = 32bit session handle 153 * [out] memref[0] = 32bit return code, enum pkcs11_rc 154 * 155 * This command relates to the PKCS#11 API function C_CloseSession(). 156 */ 157 PKCS11_CMD_CLOSE_SESSION = 7, 158 159 /* 160 * PKCS11_CMD_CLOSE_ALL_SESSIONS - Close all client sessions on token 161 * 162 * [in] memref[0] = 32bit slot ID 163 * [out] memref[0] = 32bit return code, enum pkcs11_rc 164 * 165 * This command relates to the PKCS#11 API function 166 * C_CloseAllSessions(). 167 */ 168 PKCS11_CMD_CLOSE_ALL_SESSIONS = 8, 169 170 /* 171 * PKCS11_CMD_SESSION_INFO - Get Cryptoki information on a session 172 * 173 * [in] memref[0] = 32bit session handle 174 * [out] memref[0] = 32bit return code, enum pkcs11_rc 175 * [out] memref[2] = (struct pkcs11_session_info)info 176 * 177 * This command relates to the PKCS#11 API function C_GetSessionInfo(). 178 */ 179 PKCS11_CMD_SESSION_INFO = 9, 180 181 /* 182 * PKCS11_CMD_INIT_TOKEN - Initialize PKCS#11 token 183 * 184 * [in] memref[0] = [ 185 * 32bit slot ID, 186 * 32bit PIN length, 187 * byte array label[32] 188 * byte array PIN[PIN length], 189 * ] 190 * [out] memref[0] = 32bit return code, enum pkcs11_rc 191 * 192 * This command relates to the PKCS#11 API function C_InitToken(). 193 */ 194 PKCS11_CMD_INIT_TOKEN = 10, 195 196 /* 197 * PKCS11_CMD_INIT_PIN - Initialize user PIN 198 * 199 * [in] memref[0] = [ 200 * 32bit session handle, 201 * 32bit PIN byte size, 202 * byte array: PIN data 203 * ] 204 * [out] memref[0] = 32bit return code, enum pkcs11_rc 205 * 206 * This command relates to the PKCS#11 API function C_InitPIN(). 207 */ 208 PKCS11_CMD_INIT_PIN = 11, 209 210 /* 211 * PKCS11_CMD_SET_PIN - Change user PIN 212 * 213 * [in] memref[0] = [ 214 * 32bit session handle, 215 * 32bit old PIN byte size, 216 * 32bit new PIN byte size, 217 * byte array: PIN data, 218 * byte array: new PIN data, 219 * ] 220 * [out] memref[0] = 32bit return code, enum pkcs11_rc 221 * 222 * This command relates to the PKCS#11 API function C_SetPIN(). 223 */ 224 PKCS11_CMD_SET_PIN = 12, 225 226 /* 227 * PKCS11_CMD_LOGIN - Initialize user PIN 228 * 229 * [in] memref[0] = [ 230 * 32bit session handle, 231 * 32bit user identifier, enum pkcs11_user_type 232 * 32bit PIN byte size, 233 * byte array: PIN data 234 * ] 235 * [out] memref[0] = 32bit return code, enum pkcs11_rc 236 * 237 * This command relates to the PKCS#11 API function C_Login(). 238 */ 239 PKCS11_CMD_LOGIN = 13, 240 241 /* 242 * PKCS11_CMD_LOGOUT - Log out from token 243 * 244 * [in] memref[0] = [ 245 * 32bit session handle, 246 * ] 247 * [out] memref[0] = 32bit return code, enum pkcs11_rc 248 * 249 * This command relates to the PKCS#11 API function C_Logout(). 250 */ 251 PKCS11_CMD_LOGOUT = 14, 252 253 /* 254 * PKCS11_CMD_CREATE_OBJECT - Create a raw client assembled object in 255 * the session or token 256 * 257 * 258 * [in] memref[0] = [ 259 * 32bit session handle, 260 * (struct pkcs11_object_head)attribs + attributes data 261 * ] 262 * [out] memref[0] = 32bit return code, enum pkcs11_rc 263 * [out] memref[2] = 32bit object handle 264 * 265 * This command relates to the PKCS#11 API function C_CreateObject(). 266 */ 267 PKCS11_CMD_CREATE_OBJECT = 15, 268 269 /* 270 * PKCS11_CMD_DESTROY_OBJECT - Destroy an object 271 * 272 * [in] memref[0] = [ 273 * 32bit session handle, 274 * 32bit object handle 275 * ] 276 * [out] memref[0] = 32bit return code, enum pkcs11_rc 277 * 278 * This command relates to the PKCS#11 API function C_DestroyObject(). 279 */ 280 PKCS11_CMD_DESTROY_OBJECT = 16, 281 282 /* 283 * PKCS11_CMD_ENCRYPT_INIT - Initialize encryption processing 284 * PKCS11_CMD_DECRYPT_INIT - Initialize decryption processing 285 * 286 * [in] memref[0] = [ 287 * 32bit session handle, 288 * 32bit object handle of the key, 289 * (struct pkcs11_attribute_head)mechanism + mecha params 290 * ] 291 * [out] memref[0] = 32bit return code, enum pkcs11_rc 292 * 293 * These commands relate to the PKCS#11 API functions 294 * C_EncryptInit() and C_DecryptInit(). 295 */ 296 PKCS11_CMD_ENCRYPT_INIT = 17, 297 PKCS11_CMD_DECRYPT_INIT = 18, 298 299 /* 300 * PKCS11_CMD_ENCRYPT_UPDATE - Update encryption processing 301 * PKCS11_CMD_DECRYPT_UPDATE - Update decryption processing 302 * 303 * [in] memref[0] = 32bit session handle 304 * [out] memref[0] = 32bit return code, enum pkcs11_rc 305 * [in] memref[1] = input data to be processed 306 * [out] memref[2] = output processed data 307 * 308 * These commands relate to the PKCS#11 API functions 309 * C_EncryptUpdate() and C_DecryptUpdate(). 310 */ 311 PKCS11_CMD_ENCRYPT_UPDATE = 19, 312 PKCS11_CMD_DECRYPT_UPDATE = 20, 313 314 /* 315 * PKCS11_CMD_ENCRYPT_FINAL - Finalize encryption processing 316 * PKCS11_CMD_DECRYPT_FINAL - Finalize decryption processing 317 * 318 * [in] memref[0] = 32bit session handle 319 * [out] memref[0] = 32bit return code, enum pkcs11_rc 320 * [out] memref[2] = output processed data 321 * 322 * These commands relate to the PKCS#11 API functions 323 * C_EncryptFinal() and C_DecryptFinal(). 324 */ 325 PKCS11_CMD_ENCRYPT_FINAL = 21, 326 PKCS11_CMD_DECRYPT_FINAL = 22, 327 328 /* 329 * PKCS11_CMD_ENCRYPT_ONESHOT - Update and finalize encryption 330 * processing 331 * PKCS11_CMD_DECRYPT_ONESHOT - Update and finalize decryption 332 * processing 333 * 334 * [in] memref[0] = 32bit session handle 335 * [out] memref[0] = 32bit return code, enum pkcs11_rc 336 * [in] memref[1] = input data to be processed 337 * [out] memref[2] = output processed data 338 * 339 * These commands relate to the PKCS#11 API functions C_Encrypt and 340 * C_Decrypt. 341 */ 342 PKCS11_CMD_ENCRYPT_ONESHOT = 23, 343 PKCS11_CMD_DECRYPT_ONESHOT = 24, 344 345 /* 346 * PKCS11_CMD_SIGN_INIT - Initialize a signature computation 347 * processing 348 * PKCS11_CMD_VERIFY_INIT - Initialize a signature verification 349 * processing 350 * 351 * [in] memref[0] = [ 352 * 32bit session handle, 353 * 32bit key handle, 354 * (struct pkcs11_attribute_head)mechanism + 355 * mechanism params, 356 * ] 357 * [out] memref[0] = 32bit return code, enum pkcs11_rc 358 * 359 * These commands relate to the PKCS#11 API functions C_SignInit() and 360 * C_VerifyInit(). 361 */ 362 PKCS11_CMD_SIGN_INIT = 25, 363 PKCS11_CMD_VERIFY_INIT = 26, 364 365 /* 366 * PKCS11_CMD_SIGN_UPDATE - Update a signature computation processing 367 * PKCS11_CMD_VERIFY_UPDATE - Update a signature verification processing 368 * 369 * [in] memref[0] = 32bit session handle 370 * [out] memref[0] = 32bit return code, enum pkcs11_rc 371 * [in] memref[1] = input data to be processed 372 * 373 * These commands relate to the PKCS#11 API functions C_SignUpdate() and 374 * C_VerifyUpdate(). 375 */ 376 PKCS11_CMD_SIGN_UPDATE = 27, 377 PKCS11_CMD_VERIFY_UPDATE = 28, 378 379 /* 380 * PKCS11_CMD_SIGN_FINAL - Finalize a signature computation processing 381 * 382 * [in] memref[0] = 32bit session handle 383 * [out] memref[0] = 32bit return code, enum pkcs11_rc 384 * [out] memref[2] = output signature 385 * 386 * This command relates to the PKCS#11 API functions C_SignFinal(). 387 */ 388 PKCS11_CMD_SIGN_FINAL = 29, 389 390 /* 391 * PKCS11_CMD_VERIFY_FINAL - Finalize a signature verification 392 * processing 393 * 394 * [in] memref[0] = 32bit session handle 395 * [out] memref[0] = 32bit return code, enum pkcs11_rc 396 * [in] memref[2] = input signature to be processed 397 * 398 * This command relates to the PKCS#11 API functions C_VerifyFinal(). 399 */ 400 PKCS11_CMD_VERIFY_FINAL = 30, 401 402 /* 403 * PKCS11_CMD_SIGN_ONESHOT - Compute a signature 404 * 405 * [in] memref[0] = 32bit session handle 406 * [out] memref[0] = 32bit return code, enum pkcs11_rc 407 * [in] memref[1] = input data to be processed 408 * [out] memref[2] = byte array: generated signature 409 * 410 * This command relates to the PKCS#11 API function C_Sign(). 411 */ 412 PKCS11_CMD_SIGN_ONESHOT = 31, 413 414 /* 415 * PKCS11_CMD_VERIFY_ONESHOT - Compute and compare a signature 416 * 417 * [in] memref[0] = 32bit session handle 418 * [out] memref[0] = 32bit return code, enum pkcs11_rc 419 * [in] memref[1] = input data to be processed 420 * [in] memref[2] = input signature to be processed 421 * 422 * This command relates to the PKCS#11 API function C_Verify(). 423 */ 424 PKCS11_CMD_VERIFY_ONESHOT = 32, 425 426 /* 427 * PKCS11_CMD_GENERATE_KEY - Generate a symmetric key or domain 428 * parameters 429 * 430 * [in] memref[0] = [ 431 * 32bit session handle, 432 * (struct pkcs11_attribute_head)mechanism + mecha params, 433 * (struct pkcs11_object_head)attribs + attributes data 434 * ] 435 * [out] memref[0] = 32bit return code, enum pkcs11_rc 436 * [out] memref[2] = 32bit object handle 437 * 438 * This command relates to the PKCS#11 API function C_GenerateKey(). 439 */ 440 PKCS11_CMD_GENERATE_KEY = 33, 441 442 /* 443 * PKCS11_CMD_FIND_OBJECTS_INIT - Initialize an object search 444 * 445 * [in] memref[0] = [ 446 * 32bit session handle, 447 * (struct pkcs11_object_head)attribs + attributes data 448 * ] 449 * [out] memref[0] = 32bit return code, enum pkcs11_rc 450 * 451 * This command relates to the PKCS#11 API function C_FindOjectsInit(). 452 */ 453 PKCS11_CMD_FIND_OBJECTS_INIT = 34, 454 455 /* 456 * PKCS11_CMD_FIND_OBJECTS - Get handles of matching objects 457 * 458 * [in] memref[0] = 32bit session handle 459 * [out] memref[0] = 32bit return code, enum pkcs11_rc 460 * [out] memref[2] = 32bit array object_handle_array[N] 461 * 462 * This command relates to the PKCS#11 API function C_FindOjects(). 463 * The size of object_handle_array depends on the size of the output 464 * buffer provided by the client. 465 */ 466 PKCS11_CMD_FIND_OBJECTS = 35, 467 468 /* 469 * PKCS11_CMD_FIND_OBJECTS_FINAL - Finalize current objects search 470 * 471 * [in] memref[0] = 32bit session handle 472 * [out] memref[0] = 32bit return code, enum pkcs11_rc 473 * 474 * This command relates to the PKCS#11 API function C_FindOjectsFinal(). 475 */ 476 PKCS11_CMD_FIND_OBJECTS_FINAL = 36, 477 478 /* 479 * PKCS11_CMD_GET_OBJECT_SIZE - Get byte size used by object in the TEE 480 * 481 * [in] memref[0] = [ 482 * 32bit session handle, 483 * 32bit object handle 484 * ] 485 * [out] memref[0] = 32bit return code, enum pkcs11_rc 486 * [out] memref[2] = 32bit object_byte_size 487 * 488 * This command relates to the PKCS#11 API function C_GetObjectSize(). 489 */ 490 PKCS11_CMD_GET_OBJECT_SIZE = 37, 491 492 /* 493 * PKCS11_CMD_GET_ATTRIBUTE_VALUE - Get the value of object attribute(s) 494 * 495 * [in] memref[0] = [ 496 * 32bit session handle, 497 * 32bit object handle, 498 * (struct pkcs11_object_head)attribs + attributes data 499 * ] 500 * [out] memref[0] = 32bit return code, enum pkcs11_rc 501 * [out] memref[2] = (struct pkcs11_object_head)attribs + attributes 502 * data 503 * 504 * This command relates to the PKCS#11 API function C_GetAttributeValue. 505 * Caller provides an attribute template as 3rd argument in memref[0] 506 * (referred here as attribs + attributes data). Upon successful 507 * completion, the TA returns the provided template filled with expected 508 * data through output argument memref[2] (referred here again as 509 * attribs + attributes data). 510 */ 511 PKCS11_CMD_GET_ATTRIBUTE_VALUE = 38, 512 }; 513 514 /* 515 * Command return codes 516 * PKCS11_<x> relates CryptoKi client API CKR_<x> 517 */ 518 enum pkcs11_rc { 519 PKCS11_CKR_OK = 0, 520 PKCS11_CKR_CANCEL = 0x0001, 521 PKCS11_CKR_SLOT_ID_INVALID = 0x0003, 522 PKCS11_CKR_GENERAL_ERROR = 0x0005, 523 PKCS11_CKR_FUNCTION_FAILED = 0x0006, 524 PKCS11_CKR_ARGUMENTS_BAD = 0x0007, 525 PKCS11_CKR_ATTRIBUTE_READ_ONLY = 0x0010, 526 PKCS11_CKR_ATTRIBUTE_SENSITIVE = 0x0011, 527 PKCS11_CKR_ATTRIBUTE_TYPE_INVALID = 0x0012, 528 PKCS11_CKR_ATTRIBUTE_VALUE_INVALID = 0x0013, 529 PKCS11_CKR_ACTION_PROHIBITED = 0x001b, 530 PKCS11_CKR_DATA_INVALID = 0x0020, 531 PKCS11_CKR_DATA_LEN_RANGE = 0x0021, 532 PKCS11_CKR_DEVICE_ERROR = 0x0030, 533 PKCS11_CKR_DEVICE_MEMORY = 0x0031, 534 PKCS11_CKR_DEVICE_REMOVED = 0x0032, 535 PKCS11_CKR_ENCRYPTED_DATA_INVALID = 0x0040, 536 PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE = 0x0041, 537 PKCS11_CKR_KEY_HANDLE_INVALID = 0x0060, 538 PKCS11_CKR_KEY_SIZE_RANGE = 0x0062, 539 PKCS11_CKR_KEY_TYPE_INCONSISTENT = 0x0063, 540 PKCS11_CKR_KEY_FUNCTION_NOT_PERMITTED = 0x0068, 541 PKCS11_CKR_KEY_NOT_WRAPPABLE = 0x0069, 542 PKCS11_CKR_KEY_UNEXTRACTABLE = 0x006a, 543 PKCS11_CKR_MECHANISM_INVALID = 0x0070, 544 PKCS11_CKR_MECHANISM_PARAM_INVALID = 0x0071, 545 PKCS11_CKR_OBJECT_HANDLE_INVALID = 0x0082, 546 PKCS11_CKR_OPERATION_ACTIVE = 0x0090, 547 PKCS11_CKR_OPERATION_NOT_INITIALIZED = 0x0091, 548 PKCS11_CKR_PIN_INCORRECT = 0x00a0, 549 PKCS11_CKR_PIN_INVALID = 0x00a1, 550 PKCS11_CKR_PIN_LEN_RANGE = 0x00a2, 551 PKCS11_CKR_PIN_EXPIRED = 0x00a3, 552 PKCS11_CKR_PIN_LOCKED = 0x00a4, 553 PKCS11_CKR_SESSION_CLOSED = 0x00b0, 554 PKCS11_CKR_SESSION_COUNT = 0x00b1, 555 PKCS11_CKR_SESSION_HANDLE_INVALID = 0x00b3, 556 PKCS11_CKR_SESSION_PARALLEL_NOT_SUPPORTED = 0x00b4, 557 PKCS11_CKR_SESSION_READ_ONLY = 0x00b5, 558 PKCS11_CKR_SESSION_EXISTS = 0x00b6, 559 PKCS11_CKR_SESSION_READ_ONLY_EXISTS = 0x00b7, 560 PKCS11_CKR_SESSION_READ_WRITE_SO_EXISTS = 0x00b8, 561 PKCS11_CKR_SIGNATURE_INVALID = 0x00c0, 562 PKCS11_CKR_SIGNATURE_LEN_RANGE = 0x00c1, 563 PKCS11_CKR_TEMPLATE_INCOMPLETE = 0x00d0, 564 PKCS11_CKR_TEMPLATE_INCONSISTENT = 0x00d1, 565 PKCS11_CKR_TOKEN_NOT_PRESENT = 0x00e0, 566 PKCS11_CKR_TOKEN_NOT_RECOGNIZED = 0x00e1, 567 PKCS11_CKR_TOKEN_WRITE_PROTECTED = 0x00e2, 568 PKCS11_CKR_USER_ALREADY_LOGGED_IN = 0x0100, 569 PKCS11_CKR_USER_NOT_LOGGED_IN = 0x0101, 570 PKCS11_CKR_USER_PIN_NOT_INITIALIZED = 0x0102, 571 PKCS11_CKR_USER_TYPE_INVALID = 0x0103, 572 PKCS11_CKR_USER_ANOTHER_ALREADY_LOGGED_IN = 0x0104, 573 PKCS11_CKR_USER_TOO_MANY_TYPES = 0x0105, 574 PKCS11_CKR_DOMAIN_PARAMS_INVALID = 0x0130, 575 PKCS11_CKR_CURVE_NOT_SUPPORTED = 0x0140, 576 PKCS11_CKR_BUFFER_TOO_SMALL = 0x0150, 577 PKCS11_CKR_SAVED_STATE_INVALID = 0x0160, 578 PKCS11_CKR_INFORMATION_SENSITIVE = 0x0170, 579 PKCS11_CKR_STATE_UNSAVEABLE = 0x0180, 580 PKCS11_CKR_PIN_TOO_WEAK = 0x01b8, 581 PKCS11_CKR_PUBLIC_KEY_INVALID = 0x01b9, 582 PKCS11_CKR_FUNCTION_REJECTED = 0x0200, 583 /* Vendor specific IDs not returned to client */ 584 PKCS11_RV_NOT_FOUND = 0x80000000, 585 PKCS11_RV_NOT_IMPLEMENTED = 0x80000001, 586 }; 587 588 /* 589 * Arguments for PKCS11_CMD_SLOT_INFO 590 */ 591 #define PKCS11_SLOT_DESC_SIZE 64 592 #define PKCS11_SLOT_MANUFACTURER_SIZE 32 593 #define PKCS11_SLOT_VERSION_SIZE 2 594 595 struct pkcs11_slot_info { 596 uint8_t slot_description[PKCS11_SLOT_DESC_SIZE]; 597 uint8_t manufacturer_id[PKCS11_SLOT_MANUFACTURER_SIZE]; 598 uint32_t flags; 599 uint8_t hardware_version[PKCS11_SLOT_VERSION_SIZE]; 600 uint8_t firmware_version[PKCS11_SLOT_VERSION_SIZE]; 601 }; 602 603 /* 604 * Values for pkcs11_slot_info::flags. 605 * PKCS11_CKFS_<x> reflects CryptoKi client API slot flags CKF_<x>. 606 */ 607 #define PKCS11_CKFS_TOKEN_PRESENT (1U << 0) 608 #define PKCS11_CKFS_REMOVABLE_DEVICE (1U << 1) 609 #define PKCS11_CKFS_HW_SLOT (1U << 2) 610 611 /* 612 * Arguments for PKCS11_CMD_TOKEN_INFO 613 */ 614 #define PKCS11_TOKEN_LABEL_SIZE 32 615 #define PKCS11_TOKEN_MANUFACTURER_SIZE 32 616 #define PKCS11_TOKEN_MODEL_SIZE 16 617 #define PKCS11_TOKEN_SERIALNUM_SIZE 16 618 619 struct pkcs11_token_info { 620 uint8_t label[PKCS11_TOKEN_LABEL_SIZE]; 621 uint8_t manufacturer_id[PKCS11_TOKEN_MANUFACTURER_SIZE]; 622 uint8_t model[PKCS11_TOKEN_MODEL_SIZE]; 623 uint8_t serial_number[PKCS11_TOKEN_SERIALNUM_SIZE]; 624 uint32_t flags; 625 uint32_t max_session_count; 626 uint32_t session_count; 627 uint32_t max_rw_session_count; 628 uint32_t rw_session_count; 629 uint32_t max_pin_len; 630 uint32_t min_pin_len; 631 uint32_t total_public_memory; 632 uint32_t free_public_memory; 633 uint32_t total_private_memory; 634 uint32_t free_private_memory; 635 uint8_t hardware_version[2]; 636 uint8_t firmware_version[2]; 637 uint8_t utc_time[16]; 638 }; 639 640 /* 641 * Values for pkcs11_token_info::flags. 642 * PKCS11_CKFT_<x> reflects CryptoKi client API token flags CKF_<x>. 643 */ 644 #define PKCS11_CKFT_RNG (1U << 0) 645 #define PKCS11_CKFT_WRITE_PROTECTED (1U << 1) 646 #define PKCS11_CKFT_LOGIN_REQUIRED (1U << 2) 647 #define PKCS11_CKFT_USER_PIN_INITIALIZED (1U << 3) 648 #define PKCS11_CKFT_RESTORE_KEY_NOT_NEEDED (1U << 5) 649 #define PKCS11_CKFT_CLOCK_ON_TOKEN (1U << 6) 650 #define PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH (1U << 8) 651 #define PKCS11_CKFT_DUAL_CRYPTO_OPERATIONS (1U << 9) 652 #define PKCS11_CKFT_TOKEN_INITIALIZED (1U << 10) 653 #define PKCS11_CKFT_SECONDARY_AUTHENTICATION (1U << 11) 654 #define PKCS11_CKFT_USER_PIN_COUNT_LOW (1U << 16) 655 #define PKCS11_CKFT_USER_PIN_FINAL_TRY (1U << 17) 656 #define PKCS11_CKFT_USER_PIN_LOCKED (1U << 18) 657 #define PKCS11_CKFT_USER_PIN_TO_BE_CHANGED (1U << 19) 658 #define PKCS11_CKFT_SO_PIN_COUNT_LOW (1U << 20) 659 #define PKCS11_CKFT_SO_PIN_FINAL_TRY (1U << 21) 660 #define PKCS11_CKFT_SO_PIN_LOCKED (1U << 22) 661 #define PKCS11_CKFT_SO_PIN_TO_BE_CHANGED (1U << 23) 662 #define PKCS11_CKFT_ERROR_STATE (1U << 24) 663 664 /* Values for user identity */ 665 enum pkcs11_user_type { 666 PKCS11_CKU_SO = 0x000, 667 PKCS11_CKU_USER = 0x001, 668 PKCS11_CKU_CONTEXT_SPECIFIC = 0x002, 669 }; 670 671 /* 672 * TEE Identity based authentication for tokens 673 * 674 * When configuration CFG_PKCS11_TA_AUTH_TEE_IDENTITY is enabled TEE Identity 675 * based authentication scheme is enabled. 676 * 677 * Feature enablement per token basis is controlled by token flag: 678 * pkcs11_token_info->flags & PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH 679 * 680 * When calling C_InitToken() mode is determined based on SO PIN value. 681 * - If the PIN is empty (or NULL_PTR) then active client TEE Identity will be 682 * used as SO TEE Identity 683 * - If the PIN is given then normal PIN behavior is used 684 * 685 * Once TEE Identity based authentication is activated following operational 686 * changes happen: 687 * - PIN failure counters are disabled to prevent token authentication lockups 688 * - Switching to different authentication mode needs C_InitToken() 689 * - When C_Login() or so is performed actual PIN value is ignored and active 690 * client TEE Identity will be used 691 * 692 * Different types of TEE Identity authentication methods can be configured: 693 * - Configured with C_InitToken(), C_InitPIN() or by C_SetPIN() 694 * - PIN value follows below PIN syntax 695 * 696 * TEE Identity based authenticate PIN syntax: 697 * - PIN value: NULL_PTR or empty 698 * - Use active client TEE Identity 699 * - PIN value: public 700 * - TEE public login 701 * - PIN value: user:<client UUID string> 702 * - TEE user login with client UUID matching user credentials 703 * - PIN value: group:<client UUID string> 704 * - TEE group login with client UUID matching group credentials 705 */ 706 707 /* Keywords for protected authenticated path PIN parser */ 708 #define PKCS11_AUTH_TEE_IDENTITY_PUBLIC "public" 709 #define PKCS11_AUTH_TEE_IDENTITY_USER "user:" 710 #define PKCS11_AUTH_TEE_IDENTITY_GROUP "group:" 711 712 /* 713 * Values for 32bit session flags argument to PKCS11_CMD_OPEN_SESSION 714 * and pkcs11_session_info::flags. 715 * PKCS11_CKFSS_<x> reflects CryptoKi client API session flags CKF_<x>. 716 */ 717 #define PKCS11_CKFSS_RW_SESSION (1U << 1) 718 #define PKCS11_CKFSS_SERIAL_SESSION (1U << 2) 719 720 /* 721 * Arguments for PKCS11_CMD_SESSION_INFO 722 */ 723 724 struct pkcs11_session_info { 725 uint32_t slot_id; 726 uint32_t state; 727 uint32_t flags; 728 uint32_t device_error; 729 }; 730 731 /* Valid values for pkcs11_session_info::state */ 732 enum pkcs11_session_state { 733 PKCS11_CKS_RO_PUBLIC_SESSION = 0, 734 PKCS11_CKS_RO_USER_FUNCTIONS = 1, 735 PKCS11_CKS_RW_PUBLIC_SESSION = 2, 736 PKCS11_CKS_RW_USER_FUNCTIONS = 3, 737 PKCS11_CKS_RW_SO_FUNCTIONS = 4, 738 }; 739 740 /* 741 * Arguments for PKCS11_CMD_MECHANISM_INFO 742 */ 743 744 struct pkcs11_mechanism_info { 745 uint32_t min_key_size; 746 uint32_t max_key_size; 747 uint32_t flags; 748 }; 749 750 /* 751 * Values for pkcs11_mechanism_info::flags. 752 * PKCS11_CKFM_<x> reflects CryptoKi client API mechanism flags CKF_<x>. 753 */ 754 #define PKCS11_CKFM_HW (1U << 0) 755 #define PKCS11_CKFM_ENCRYPT (1U << 8) 756 #define PKCS11_CKFM_DECRYPT (1U << 9) 757 #define PKCS11_CKFM_DIGEST (1U << 10) 758 #define PKCS11_CKFM_SIGN (1U << 11) 759 #define PKCS11_CKFM_SIGN_RECOVER (1U << 12) 760 #define PKCS11_CKFM_VERIFY (1U << 13) 761 #define PKCS11_CKFM_VERIFY_RECOVER (1U << 14) 762 #define PKCS11_CKFM_GENERATE (1U << 15) 763 #define PKCS11_CKFM_GENERATE_KEY_PAIR (1U << 16) 764 #define PKCS11_CKFM_WRAP (1U << 17) 765 #define PKCS11_CKFM_UNWRAP (1U << 18) 766 #define PKCS11_CKFM_DERIVE (1U << 19) 767 #define PKCS11_CKFM_EC_F_P (1U << 20) 768 #define PKCS11_CKFM_EC_F_2M (1U << 21) 769 #define PKCS11_CKFM_EC_ECPARAMETERS (1U << 22) 770 #define PKCS11_CKFM_EC_NAMEDCURVE (1U << 23) 771 #define PKCS11_CKFM_EC_UNCOMPRESS (1U << 24) 772 #define PKCS11_CKFM_EC_COMPRESS (1U << 25) 773 774 /* 775 * pkcs11_object_head - Header of object whose data are serialized in memory 776 * 777 * An object is made of several attributes. Attributes are stored one next to 778 * the other with byte alignment as a serialized byte array. The byte array 779 * of serialized attributes is prepended with the size of the attrs[] array 780 * in bytes and the number of attributes in the array, yielding the struct 781 * pkcs11_object_head. 782 * 783 * @attrs_size - byte size of whole byte array attrs[] 784 * @attrs_count - number of attribute items stored in attrs[] 785 * @attrs - then starts the attributes data 786 */ 787 struct pkcs11_object_head { 788 uint32_t attrs_size; 789 uint32_t attrs_count; 790 uint8_t attrs[]; 791 }; 792 793 /* 794 * Attribute reference in the TA ABI. Each attribute starts with a header 795 * structure followed by the attribute value. The attribute byte size is 796 * defined in the attribute header. 797 * 798 * @id - the 32bit identifier of the attribute, see PKCS11_CKA_<x> 799 * @size - the 32bit value attribute byte size 800 * @data - then starts the attribute value 801 */ 802 struct pkcs11_attribute_head { 803 uint32_t id; 804 uint32_t size; 805 uint8_t data[]; 806 }; 807 808 /* 809 * Attribute identification IDs as of v2.40 excluding deprecated IDs. 810 * Valid values for struct pkcs11_attribute_head::id 811 * PKCS11_CKA_<x> reflects CryptoKi client API attribute IDs CKA_<x>. 812 */ 813 enum pkcs11_attr_id { 814 PKCS11_CKA_CLASS = 0x0000, 815 PKCS11_CKA_TOKEN = 0x0001, 816 PKCS11_CKA_PRIVATE = 0x0002, 817 PKCS11_CKA_LABEL = 0x0003, 818 PKCS11_CKA_APPLICATION = 0x0010, 819 PKCS11_CKA_VALUE = 0x0011, 820 PKCS11_CKA_OBJECT_ID = 0x0012, 821 PKCS11_CKA_CERTIFICATE_TYPE = 0x0080, 822 PKCS11_CKA_ISSUER = 0x0081, 823 PKCS11_CKA_SERIAL_NUMBER = 0x0082, 824 PKCS11_CKA_AC_ISSUER = 0x0083, 825 PKCS11_CKA_OWNER = 0x0084, 826 PKCS11_CKA_ATTR_TYPES = 0x0085, 827 PKCS11_CKA_TRUSTED = 0x0086, 828 PKCS11_CKA_CERTIFICATE_CATEGORY = 0x0087, 829 PKCS11_CKA_JAVA_MIDP_SECURITY_DOMAIN = 0x0088, 830 PKCS11_CKA_URL = 0x0089, 831 PKCS11_CKA_HASH_OF_SUBJECT_PUBLIC_KEY = 0x008a, 832 PKCS11_CKA_HASH_OF_ISSUER_PUBLIC_KEY = 0x008b, 833 PKCS11_CKA_NAME_HASH_ALGORITHM = 0x008c, 834 PKCS11_CKA_CHECK_VALUE = 0x0090, 835 PKCS11_CKA_KEY_TYPE = 0x0100, 836 PKCS11_CKA_SUBJECT = 0x0101, 837 PKCS11_CKA_ID = 0x0102, 838 PKCS11_CKA_SENSITIVE = 0x0103, 839 PKCS11_CKA_ENCRYPT = 0x0104, 840 PKCS11_CKA_DECRYPT = 0x0105, 841 PKCS11_CKA_WRAP = 0x0106, 842 PKCS11_CKA_UNWRAP = 0x0107, 843 PKCS11_CKA_SIGN = 0x0108, 844 PKCS11_CKA_SIGN_RECOVER = 0x0109, 845 PKCS11_CKA_VERIFY = 0x010a, 846 PKCS11_CKA_VERIFY_RECOVER = 0x010b, 847 PKCS11_CKA_DERIVE = 0x010c, 848 PKCS11_CKA_START_DATE = 0x0110, 849 PKCS11_CKA_END_DATE = 0x0111, 850 PKCS11_CKA_MODULUS = 0x0120, 851 PKCS11_CKA_MODULUS_BITS = 0x0121, 852 PKCS11_CKA_PUBLIC_EXPONENT = 0x0122, 853 PKCS11_CKA_PRIVATE_EXPONENT = 0x0123, 854 PKCS11_CKA_PRIME_1 = 0x0124, 855 PKCS11_CKA_PRIME_2 = 0x0125, 856 PKCS11_CKA_EXPONENT_1 = 0x0126, 857 PKCS11_CKA_EXPONENT_2 = 0x0127, 858 PKCS11_CKA_COEFFICIENT = 0x0128, 859 PKCS11_CKA_PUBLIC_KEY_INFO = 0x0129, 860 PKCS11_CKA_PRIME = 0x0130, 861 PKCS11_CKA_SUBPRIME = 0x0131, 862 PKCS11_CKA_BASE = 0x0132, 863 PKCS11_CKA_PRIME_BITS = 0x0133, 864 PKCS11_CKA_SUBPRIME_BITS = 0x0134, 865 PKCS11_CKA_VALUE_BITS = 0x0160, 866 PKCS11_CKA_VALUE_LEN = 0x0161, 867 PKCS11_CKA_EXTRACTABLE = 0x0162, 868 PKCS11_CKA_LOCAL = 0x0163, 869 PKCS11_CKA_NEVER_EXTRACTABLE = 0x0164, 870 PKCS11_CKA_ALWAYS_SENSITIVE = 0x0165, 871 PKCS11_CKA_KEY_GEN_MECHANISM = 0x0166, 872 PKCS11_CKA_MODIFIABLE = 0x0170, 873 PKCS11_CKA_COPYABLE = 0x0171, 874 PKCS11_CKA_DESTROYABLE = 0x0172, 875 PKCS11_CKA_EC_PARAMS = 0x0180, 876 PKCS11_CKA_EC_POINT = 0x0181, 877 PKCS11_CKA_ALWAYS_AUTHENTICATE = 0x0202, 878 PKCS11_CKA_WRAP_WITH_TRUSTED = 0x0210, 879 /* 880 * The leading 4 comes from the PKCS#11 spec or:ing with 881 * CKF_ARRAY_ATTRIBUTE = 0x40000000. 882 */ 883 PKCS11_CKA_WRAP_TEMPLATE = 0x40000211, 884 PKCS11_CKA_UNWRAP_TEMPLATE = 0x40000212, 885 PKCS11_CKA_DERIVE_TEMPLATE = 0x40000213, 886 PKCS11_CKA_OTP_FORMAT = 0x0220, 887 PKCS11_CKA_OTP_LENGTH = 0x0221, 888 PKCS11_CKA_OTP_TIME_INTERVAL = 0x0222, 889 PKCS11_CKA_OTP_USER_FRIENDLY_MODE = 0x0223, 890 PKCS11_CKA_OTP_CHALLENGE_REQUIREMENT = 0x0224, 891 PKCS11_CKA_OTP_TIME_REQUIREMENT = 0x0225, 892 PKCS11_CKA_OTP_COUNTER_REQUIREMENT = 0x0226, 893 PKCS11_CKA_OTP_PIN_REQUIREMENT = 0x0227, 894 PKCS11_CKA_OTP_COUNTER = 0x022e, 895 PKCS11_CKA_OTP_TIME = 0x022f, 896 PKCS11_CKA_OTP_USER_IDENTIFIER = 0x022a, 897 PKCS11_CKA_OTP_SERVICE_IDENTIFIER = 0x022b, 898 PKCS11_CKA_OTP_SERVICE_LOGO = 0x022c, 899 PKCS11_CKA_OTP_SERVICE_LOGO_TYPE = 0x022d, 900 PKCS11_CKA_GOSTR3410_PARAMS = 0x0250, 901 PKCS11_CKA_GOSTR3411_PARAMS = 0x0251, 902 PKCS11_CKA_GOST28147_PARAMS = 0x0252, 903 PKCS11_CKA_HW_FEATURE_TYPE = 0x0300, 904 PKCS11_CKA_RESET_ON_INIT = 0x0301, 905 PKCS11_CKA_HAS_RESET = 0x0302, 906 PKCS11_CKA_PIXEL_X = 0x0400, 907 PKCS11_CKA_PIXEL_Y = 0x0401, 908 PKCS11_CKA_RESOLUTION = 0x0402, 909 PKCS11_CKA_CHAR_ROWS = 0x0403, 910 PKCS11_CKA_CHAR_COLUMNS = 0x0404, 911 PKCS11_CKA_COLOR = 0x0405, 912 PKCS11_CKA_BITS_PER_PIXEL = 0x0406, 913 PKCS11_CKA_CHAR_SETS = 0x0480, 914 PKCS11_CKA_ENCODING_METHODS = 0x0481, 915 PKCS11_CKA_MIME_TYPES = 0x0482, 916 PKCS11_CKA_MECHANISM_TYPE = 0x0500, 917 PKCS11_CKA_REQUIRED_CMS_ATTRIBUTES = 0x0501, 918 PKCS11_CKA_DEFAULT_CMS_ATTRIBUTES = 0x0502, 919 PKCS11_CKA_SUPPORTED_CMS_ATTRIBUTES = 0x0503, 920 /* 921 * The leading 4 comes from the PKCS#11 spec or:ing with 922 * CKF_ARRAY_ATTRIBUTE = 0x40000000. 923 */ 924 PKCS11_CKA_ALLOWED_MECHANISMS = 0x40000600, 925 /* Vendor extension: reserved for undefined ID (~0U) */ 926 PKCS11_CKA_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 927 }; 928 929 /* 930 * Valid values for attribute PKCS11_CKA_CLASS 931 * PKCS11_CKO_<x> reflects CryptoKi client API object class IDs CKO_<x>. 932 */ 933 enum pkcs11_class_id { 934 PKCS11_CKO_DATA = 0x000, 935 PKCS11_CKO_CERTIFICATE = 0x001, 936 PKCS11_CKO_PUBLIC_KEY = 0x002, 937 PKCS11_CKO_PRIVATE_KEY = 0x003, 938 PKCS11_CKO_SECRET_KEY = 0x004, 939 PKCS11_CKO_HW_FEATURE = 0x005, 940 PKCS11_CKO_DOMAIN_PARAMETERS = 0x006, 941 PKCS11_CKO_MECHANISM = 0x007, 942 PKCS11_CKO_OTP_KEY = 0x008, 943 /* Vendor extension: reserved for undefined ID (~0U) */ 944 PKCS11_CKO_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 945 }; 946 947 /* 948 * Valid values for attribute PKCS11_CKA_KEY_TYPE 949 * PKCS11_CKK_<x> reflects CryptoKi client API key type IDs CKK_<x>. 950 * Note that this is only a subset of the PKCS#11 specification. 951 */ 952 enum pkcs11_key_type { 953 PKCS11_CKK_RSA = 0x000, 954 PKCS11_CKK_DSA = 0x001, 955 PKCS11_CKK_DH = 0x002, 956 PKCS11_CKK_EC = 0x003, 957 PKCS11_CKK_GENERIC_SECRET = 0x010, 958 PKCS11_CKK_AES = 0x01f, 959 PKCS11_CKK_MD5_HMAC = 0x027, 960 PKCS11_CKK_SHA_1_HMAC = 0x028, 961 PKCS11_CKK_SHA256_HMAC = 0x02b, 962 PKCS11_CKK_SHA384_HMAC = 0x02c, 963 PKCS11_CKK_SHA512_HMAC = 0x02d, 964 PKCS11_CKK_SHA224_HMAC = 0x02e, 965 /* Vendor extension: reserved for undefined ID (~0U) */ 966 PKCS11_CKK_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 967 }; 968 969 /* 970 * Valid values for mechanism IDs 971 * PKCS11_CKM_<x> reflects CryptoKi client API mechanism IDs CKM_<x>. 972 * Note that this will be extended as needed. 973 */ 974 enum pkcs11_mechanism_id { 975 PKCS11_CKM_MD5_HMAC = 0x00211, 976 PKCS11_CKM_SHA_1_HMAC = 0x00221, 977 PKCS11_CKM_SHA256_HMAC = 0x00251, 978 PKCS11_CKM_SHA224_HMAC = 0x00256, 979 PKCS11_CKM_SHA384_HMAC = 0x00261, 980 PKCS11_CKM_SHA512_HMAC = 0x00271, 981 PKCS11_CKM_GENERIC_SECRET_KEY_GEN = 0x00350, 982 PKCS11_CKM_AES_KEY_GEN = 0x01080, 983 PKCS11_CKM_AES_ECB = 0x01081, 984 PKCS11_CKM_AES_CBC = 0x01082, 985 PKCS11_CKM_AES_CBC_PAD = 0x01085, 986 PKCS11_CKM_AES_CTR = 0x01086, 987 PKCS11_CKM_AES_CTS = 0x01089, 988 PKCS11_CKM_AES_ECB_ENCRYPT_DATA = 0x01104, 989 PKCS11_CKM_AES_CBC_ENCRYPT_DATA = 0x01105, 990 /* 991 * Vendor extensions below. 992 * PKCS11 added IDs for operation not related to a CK mechanism ID 993 */ 994 PKCS11_PROCESSING_IMPORT = 0x80000000, 995 PKCS11_CKM_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 996 }; 997 #endif /*PKCS11_TA_H*/ 998