1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2017-2020, Linaro Limited 4 */ 5 6 #include <assert.h> 7 #include <inttypes.h> 8 #include <pkcs11_ta.h> 9 #include <stdlib.h> 10 #include <string_ext.h> 11 #include <tee_internal_api_extensions.h> 12 #include <tee_internal_api.h> 13 #include <util.h> 14 15 #include "attributes.h" 16 #include "handle.h" 17 #include "pkcs11_attributes.h" 18 #include "pkcs11_helpers.h" 19 #include "pkcs11_token.h" 20 #include "sanitize_object.h" 21 #include "serializer.h" 22 #include "token_capabilities.h" 23 24 /* Byte size of CKA_ID attribute when generated locally */ 25 #define PKCS11_CKA_DEFAULT_SIZE 16 26 27 /* 28 * Object default boolean attributes as per PKCS#11 29 */ 30 static uint8_t *pkcs11_object_default_boolprop(uint32_t attribute) 31 { 32 static const uint8_t bool_true = 1; 33 static const uint8_t bool_false; 34 35 switch (attribute) { 36 /* As per PKCS#11 default value */ 37 case PKCS11_CKA_MODIFIABLE: 38 case PKCS11_CKA_COPYABLE: 39 case PKCS11_CKA_DESTROYABLE: 40 return (uint8_t *)&bool_true; 41 case PKCS11_CKA_TOKEN: 42 case PKCS11_CKA_PRIVATE: 43 /* symkey false, privkey: token specific */ 44 case PKCS11_CKA_SENSITIVE: 45 return (uint8_t *)&bool_false; 46 /* Token specific default value */ 47 case PKCS11_CKA_SIGN: 48 case PKCS11_CKA_VERIFY: 49 return (uint8_t *)&bool_true; 50 case PKCS11_CKA_DERIVE: 51 case PKCS11_CKA_ENCRYPT: 52 case PKCS11_CKA_DECRYPT: 53 case PKCS11_CKA_SIGN_RECOVER: 54 case PKCS11_CKA_VERIFY_RECOVER: 55 case PKCS11_CKA_WRAP: 56 case PKCS11_CKA_UNWRAP: 57 case PKCS11_CKA_EXTRACTABLE: 58 case PKCS11_CKA_WRAP_WITH_TRUSTED: 59 case PKCS11_CKA_ALWAYS_AUTHENTICATE: 60 case PKCS11_CKA_TRUSTED: 61 return (uint8_t *)&bool_false; 62 default: 63 DMSG("No default for boolprop attribute %#"PRIx32, attribute); 64 return NULL; 65 } 66 } 67 68 /* 69 * Object expects several boolean attributes to be set to a default value 70 * or to a validate client configuration value. This function append the input 71 * attribute (id/size/value) in the serialized object. 72 */ 73 static enum pkcs11_rc pkcs11_import_object_boolprop(struct obj_attrs **out, 74 struct obj_attrs *templ, 75 uint32_t attribute) 76 { 77 enum pkcs11_rc rc = PKCS11_CKR_OK; 78 uint8_t bbool = 0; 79 uint32_t size = sizeof(uint8_t); 80 void *attr = NULL; 81 82 rc = get_attribute(templ, attribute, &bbool, &size); 83 if (rc) { 84 if (rc != PKCS11_RV_NOT_FOUND) 85 return rc; 86 attr = pkcs11_object_default_boolprop(attribute); 87 if (!attr) 88 return PKCS11_CKR_TEMPLATE_INCOMPLETE; 89 } else { 90 attr = &bbool; 91 } 92 93 /* Boolean attributes are 1byte in the ABI, no alignment issue */ 94 return add_attribute(out, attribute, attr, sizeof(uint8_t)); 95 } 96 97 static enum pkcs11_rc set_mandatory_boolprops(struct obj_attrs **out, 98 struct obj_attrs *temp, 99 uint32_t const *bp, 100 size_t bp_count) 101 { 102 enum pkcs11_rc rc = PKCS11_CKR_OK; 103 size_t n = 0; 104 105 for (n = 0; n < bp_count; n++) { 106 rc = pkcs11_import_object_boolprop(out, temp, bp[n]); 107 if (rc) 108 return rc; 109 } 110 111 return rc; 112 } 113 114 static enum pkcs11_rc set_mandatory_attributes(struct obj_attrs **out, 115 struct obj_attrs *temp, 116 uint32_t const *bp, 117 size_t bp_count) 118 { 119 enum pkcs11_rc rc = PKCS11_CKR_OK; 120 size_t n = 0; 121 122 for (n = 0; n < bp_count; n++) { 123 uint32_t size = 0; 124 void *value = NULL; 125 126 if (get_attribute_ptr(temp, bp[n], &value, &size)) 127 return PKCS11_CKR_TEMPLATE_INCOMPLETE; 128 129 rc = add_attribute(out, bp[n], value, size); 130 if (rc) 131 return rc; 132 } 133 134 return rc; 135 } 136 137 static enum pkcs11_rc get_default_value(enum pkcs11_attr_id id, void **value, 138 uint32_t *size) 139 { 140 /* should have been taken care of already */ 141 assert(!pkcs11_attr_is_boolean(id)); 142 143 if (id == PKCS11_CKA_PUBLIC_KEY_INFO) { 144 EMSG("Cannot provide default PUBLIC_KEY_INFO"); 145 return PKCS11_CKR_TEMPLATE_INCONSISTENT; 146 } 147 148 /* All other attributes have an empty default value */ 149 *value = NULL; 150 *size = 0; 151 return PKCS11_CKR_OK; 152 } 153 154 static enum pkcs11_rc set_optional_attributes(struct obj_attrs **out, 155 struct obj_attrs *temp, 156 uint32_t const *bp, 157 size_t bp_count) 158 { 159 enum pkcs11_rc rc = PKCS11_CKR_OK; 160 size_t n = 0; 161 162 for (n = 0; n < bp_count; n++) { 163 uint32_t size = 0; 164 void *value = NULL; 165 166 rc = get_attribute_ptr(temp, bp[n], &value, &size); 167 if (rc == PKCS11_RV_NOT_FOUND) 168 rc = get_default_value(bp[n], &value, &size); 169 if (rc) 170 return rc; 171 172 rc = add_attribute(out, bp[n], value, size); 173 if (rc) 174 return rc; 175 } 176 177 return rc; 178 } 179 180 /* 181 * Below are listed the mandated or optional expected attributes for 182 * PKCS#11 storage objects. 183 * 184 * Note: boolprops (mandated boolean attributes) PKCS11_CKA_ALWAYS_SENSITIVE, 185 * and PKCS11_CKA_NEVER_EXTRACTABLE are set by the token, not provided 186 * in the client template. 187 */ 188 189 /* PKCS#11 specification for any object (session/token) of the storage */ 190 static const uint32_t pkcs11_any_object_boolprops[] = { 191 PKCS11_CKA_TOKEN, PKCS11_CKA_PRIVATE, 192 PKCS11_CKA_MODIFIABLE, PKCS11_CKA_COPYABLE, PKCS11_CKA_DESTROYABLE, 193 }; 194 195 static const uint32_t pkcs11_any_object_optional[] = { 196 PKCS11_CKA_LABEL, 197 }; 198 199 /* PKCS#11 specification for raw data object (+pkcs11_any_object_xxx) */ 200 const uint32_t pkcs11_raw_data_optional[] = { 201 PKCS11_CKA_OBJECT_ID, PKCS11_CKA_APPLICATION, PKCS11_CKA_VALUE, 202 }; 203 204 /* PKCS#11 specification for any key object (+pkcs11_any_object_xxx) */ 205 static const uint32_t pkcs11_any_key_boolprops[] = { 206 PKCS11_CKA_DERIVE, 207 }; 208 209 static const uint32_t pkcs11_any_key_optional[] = { 210 PKCS11_CKA_ID, 211 PKCS11_CKA_START_DATE, PKCS11_CKA_END_DATE, 212 PKCS11_CKA_ALLOWED_MECHANISMS, 213 }; 214 215 /* PKCS#11 specification for any symmetric key (+pkcs11_any_key_xxx) */ 216 static const uint32_t pkcs11_symm_key_boolprops[] = { 217 PKCS11_CKA_ENCRYPT, PKCS11_CKA_DECRYPT, 218 PKCS11_CKA_SIGN, PKCS11_CKA_VERIFY, 219 PKCS11_CKA_WRAP, PKCS11_CKA_UNWRAP, 220 PKCS11_CKA_SENSITIVE, PKCS11_CKA_EXTRACTABLE, 221 PKCS11_CKA_WRAP_WITH_TRUSTED, PKCS11_CKA_TRUSTED, 222 }; 223 224 static const uint32_t pkcs11_symm_key_optional[] = { 225 PKCS11_CKA_WRAP_TEMPLATE, PKCS11_CKA_UNWRAP_TEMPLATE, 226 PKCS11_CKA_DERIVE_TEMPLATE, 227 PKCS11_CKA_VALUE, PKCS11_CKA_VALUE_LEN, 228 }; 229 230 /* PKCS#11 specification for any asymmetric public key (+pkcs11_any_key_xxx) */ 231 static const uint32_t pkcs11_public_key_boolprops[] = { 232 PKCS11_CKA_ENCRYPT, PKCS11_CKA_VERIFY, PKCS11_CKA_VERIFY_RECOVER, 233 PKCS11_CKA_WRAP, 234 PKCS11_CKA_TRUSTED, 235 }; 236 237 static const uint32_t pkcs11_public_key_mandated[] = { 238 PKCS11_CKA_SUBJECT 239 }; 240 241 static const uint32_t pkcs11_public_key_optional[] = { 242 PKCS11_CKA_WRAP_TEMPLATE, PKCS11_CKA_PUBLIC_KEY_INFO, 243 }; 244 245 /* PKCS#11 specification for any asymmetric private key (+pkcs11_any_key_xxx) */ 246 static const uint32_t pkcs11_private_key_boolprops[] = { 247 PKCS11_CKA_DECRYPT, PKCS11_CKA_SIGN, PKCS11_CKA_SIGN_RECOVER, 248 PKCS11_CKA_UNWRAP, 249 PKCS11_CKA_SENSITIVE, PKCS11_CKA_EXTRACTABLE, 250 PKCS11_CKA_WRAP_WITH_TRUSTED, PKCS11_CKA_ALWAYS_AUTHENTICATE, 251 }; 252 253 static const uint32_t pkcs11_private_key_mandated[] = { 254 PKCS11_CKA_SUBJECT 255 }; 256 257 static const uint32_t pkcs11_private_key_optional[] = { 258 PKCS11_CKA_UNWRAP_TEMPLATE, PKCS11_CKA_PUBLIC_KEY_INFO, 259 }; 260 261 /* PKCS#11 specification for any RSA key (+pkcs11_public/private_key_xxx) */ 262 static const uint32_t pkcs11_rsa_public_key_mandated[] = { 263 PKCS11_CKA_MODULUS_BITS, 264 }; 265 266 static const uint32_t pkcs11_rsa_public_key_optional[] = { 267 PKCS11_CKA_MODULUS, PKCS11_CKA_PUBLIC_EXPONENT, 268 }; 269 270 static const uint32_t pkcs11_rsa_private_key_optional[] = { 271 PKCS11_CKA_MODULUS, PKCS11_CKA_PUBLIC_EXPONENT, 272 PKCS11_CKA_PRIVATE_EXPONENT, 273 PKCS11_CKA_PRIME_1, PKCS11_CKA_PRIME_2, 274 PKCS11_CKA_EXPONENT_1, PKCS11_CKA_EXPONENT_2, PKCS11_CKA_COEFFICIENT, 275 }; 276 277 /* PKCS#11 specification for any EC key (+pkcs11_public/private_key_xxx) */ 278 static const uint32_t pkcs11_ec_public_key_mandated[] = { 279 PKCS11_CKA_EC_PARAMS, 280 }; 281 282 static const uint32_t pkcs11_ec_public_key_optional[] = { 283 PKCS11_CKA_EC_POINT, 284 }; 285 286 static const uint32_t pkcs11_ec_private_key_mandated[] = { 287 PKCS11_CKA_EC_PARAMS, 288 }; 289 290 static const uint32_t pkcs11_ec_private_key_optional[] = { 291 PKCS11_CKA_VALUE, 292 }; 293 294 static enum pkcs11_rc create_storage_attributes(struct obj_attrs **out, 295 struct obj_attrs *temp) 296 { 297 enum pkcs11_class_id class = PKCS11_CKO_UNDEFINED_ID; 298 enum pkcs11_rc rc = PKCS11_CKR_OK; 299 300 rc = init_attributes_head(out); 301 if (rc) 302 return rc; 303 304 /* Object class is mandatory */ 305 class = get_class(temp); 306 if (class == PKCS11_CKO_UNDEFINED_ID) { 307 EMSG("Class attribute not found"); 308 309 return PKCS11_CKR_TEMPLATE_INCONSISTENT; 310 } 311 rc = add_attribute(out, PKCS11_CKA_CLASS, &class, sizeof(uint32_t)); 312 if (rc) 313 return rc; 314 315 rc = set_mandatory_boolprops(out, temp, pkcs11_any_object_boolprops, 316 ARRAY_SIZE(pkcs11_any_object_boolprops)); 317 if (rc) 318 return rc; 319 320 return set_optional_attributes(out, temp, pkcs11_any_object_optional, 321 ARRAY_SIZE(pkcs11_any_object_optional)); 322 } 323 324 static enum pkcs11_rc create_genkey_attributes(struct obj_attrs **out, 325 struct obj_attrs *temp) 326 { 327 uint32_t type = PKCS11_CKO_UNDEFINED_ID; 328 enum pkcs11_rc rc = PKCS11_CKR_OK; 329 330 rc = create_storage_attributes(out, temp); 331 if (rc) 332 return rc; 333 334 type = get_key_type(temp); 335 if (type == PKCS11_CKK_UNDEFINED_ID) { 336 EMSG("Key type attribute not found"); 337 338 return PKCS11_CKR_TEMPLATE_INCONSISTENT; 339 } 340 rc = add_attribute(out, PKCS11_CKA_KEY_TYPE, &type, sizeof(uint32_t)); 341 if (rc) 342 return rc; 343 344 rc = set_mandatory_boolprops(out, temp, pkcs11_any_key_boolprops, 345 ARRAY_SIZE(pkcs11_any_key_boolprops)); 346 if (rc) 347 return rc; 348 349 return set_optional_attributes(out, temp, pkcs11_any_key_optional, 350 ARRAY_SIZE(pkcs11_any_key_optional)); 351 } 352 353 static enum pkcs11_rc create_symm_key_attributes(struct obj_attrs **out, 354 struct obj_attrs *temp) 355 { 356 enum pkcs11_rc rc = PKCS11_CKR_OK; 357 358 assert(get_class(temp) == PKCS11_CKO_SECRET_KEY); 359 360 rc = create_genkey_attributes(out, temp); 361 if (rc) 362 return rc; 363 364 assert(get_class(*out) == PKCS11_CKO_SECRET_KEY); 365 366 switch (get_key_type(*out)) { 367 case PKCS11_CKK_GENERIC_SECRET: 368 case PKCS11_CKK_AES: 369 case PKCS11_CKK_MD5_HMAC: 370 case PKCS11_CKK_SHA_1_HMAC: 371 case PKCS11_CKK_SHA256_HMAC: 372 case PKCS11_CKK_SHA384_HMAC: 373 case PKCS11_CKK_SHA512_HMAC: 374 case PKCS11_CKK_SHA224_HMAC: 375 break; 376 default: 377 EMSG("Invalid key type %#"PRIx32"/%s", 378 get_key_type(*out), id2str_key_type(get_key_type(*out))); 379 380 return PKCS11_CKR_TEMPLATE_INCONSISTENT; 381 } 382 383 rc = set_mandatory_boolprops(out, temp, pkcs11_symm_key_boolprops, 384 ARRAY_SIZE(pkcs11_symm_key_boolprops)); 385 if (rc) 386 return rc; 387 388 return set_optional_attributes(out, temp, pkcs11_symm_key_optional, 389 ARRAY_SIZE(pkcs11_symm_key_optional)); 390 } 391 392 static enum pkcs11_rc create_data_attributes(struct obj_attrs **out, 393 struct obj_attrs *temp) 394 { 395 enum pkcs11_rc rc = PKCS11_CKR_OK; 396 397 assert(get_class(temp) == PKCS11_CKO_DATA); 398 399 rc = create_storage_attributes(out, temp); 400 if (rc) 401 return rc; 402 403 assert(get_class(*out) == PKCS11_CKO_DATA); 404 405 return set_optional_attributes(out, temp, pkcs11_raw_data_optional, 406 ARRAY_SIZE(pkcs11_raw_data_optional)); 407 } 408 409 static enum pkcs11_rc create_pub_key_attributes(struct obj_attrs **out, 410 struct obj_attrs *temp) 411 { 412 uint32_t const *mandated = NULL; 413 uint32_t const *optional = NULL; 414 size_t mandated_count = 0; 415 size_t optional_count = 0; 416 enum pkcs11_rc rc = PKCS11_CKR_OK; 417 418 assert(get_class(temp) == PKCS11_CKO_PUBLIC_KEY); 419 420 rc = create_genkey_attributes(out, temp); 421 if (rc) 422 return rc; 423 424 assert(get_class(*out) == PKCS11_CKO_PUBLIC_KEY); 425 426 rc = set_mandatory_boolprops(out, temp, pkcs11_public_key_boolprops, 427 ARRAY_SIZE(pkcs11_public_key_boolprops)); 428 if (rc) 429 return rc; 430 431 rc = set_mandatory_attributes(out, temp, pkcs11_public_key_mandated, 432 ARRAY_SIZE(pkcs11_public_key_mandated)); 433 if (rc) 434 return rc; 435 436 rc = set_optional_attributes(out, temp, pkcs11_public_key_optional, 437 ARRAY_SIZE(pkcs11_public_key_optional)); 438 if (rc) 439 return rc; 440 441 switch (get_key_type(*out)) { 442 case PKCS11_CKK_RSA: 443 mandated = pkcs11_rsa_public_key_mandated; 444 optional = pkcs11_rsa_public_key_optional; 445 mandated_count = ARRAY_SIZE(pkcs11_rsa_public_key_mandated); 446 optional_count = ARRAY_SIZE(pkcs11_rsa_public_key_optional); 447 break; 448 case PKCS11_CKK_EC: 449 mandated = pkcs11_ec_public_key_mandated; 450 optional = pkcs11_ec_public_key_optional; 451 mandated_count = ARRAY_SIZE(pkcs11_ec_public_key_mandated); 452 optional_count = ARRAY_SIZE(pkcs11_ec_public_key_optional); 453 break; 454 default: 455 EMSG("Invalid key type %#"PRIx32"/%s", 456 get_key_type(*out), id2str_key_type(get_key_type(*out))); 457 458 return PKCS11_CKR_TEMPLATE_INCONSISTENT; 459 } 460 461 rc = set_mandatory_attributes(out, temp, mandated, mandated_count); 462 if (rc) 463 return rc; 464 465 return set_optional_attributes(out, temp, optional, optional_count); 466 } 467 468 static enum pkcs11_rc create_priv_key_attributes(struct obj_attrs **out, 469 struct obj_attrs *temp) 470 { 471 uint32_t const *mandated = NULL; 472 uint32_t const *optional = NULL; 473 size_t mandated_count = 0; 474 size_t optional_count = 0; 475 enum pkcs11_rc rc = PKCS11_CKR_OK; 476 477 assert(get_class(temp) == PKCS11_CKO_PRIVATE_KEY); 478 479 rc = create_genkey_attributes(out, temp); 480 if (rc) 481 return rc; 482 483 assert(get_class(*out) == PKCS11_CKO_PRIVATE_KEY); 484 485 rc = set_mandatory_boolprops(out, temp, pkcs11_private_key_boolprops, 486 ARRAY_SIZE(pkcs11_private_key_boolprops)); 487 if (rc) 488 return rc; 489 490 rc = set_mandatory_attributes(out, temp, pkcs11_private_key_mandated, 491 ARRAY_SIZE(pkcs11_private_key_mandated)); 492 if (rc) 493 return rc; 494 495 rc = set_optional_attributes(out, temp, pkcs11_private_key_optional, 496 ARRAY_SIZE(pkcs11_private_key_optional)); 497 if (rc) 498 return rc; 499 500 switch (get_key_type(*out)) { 501 case PKCS11_CKK_RSA: 502 optional = pkcs11_rsa_private_key_optional; 503 optional_count = ARRAY_SIZE(pkcs11_rsa_private_key_optional); 504 break; 505 case PKCS11_CKK_EC: 506 mandated = pkcs11_ec_private_key_mandated; 507 optional = pkcs11_ec_private_key_optional; 508 mandated_count = ARRAY_SIZE(pkcs11_ec_private_key_mandated); 509 optional_count = ARRAY_SIZE(pkcs11_ec_private_key_optional); 510 break; 511 default: 512 EMSG("Invalid key type %#"PRIx32"/%s", 513 get_key_type(*out), id2str_key_type(get_key_type(*out))); 514 515 return PKCS11_CKR_TEMPLATE_INCONSISTENT; 516 } 517 518 rc = set_mandatory_attributes(out, temp, mandated, mandated_count); 519 if (rc) 520 return rc; 521 522 return set_optional_attributes(out, temp, optional, optional_count); 523 } 524 525 /* 526 * Create an attribute list for a new object from a template and a parent 527 * object (optional) for an object generation function (generate, copy, 528 * derive...). 529 * 530 * PKCS#11 directives on the supplied template and expected return value: 531 * - template has an invalid attribute ID: ATTRIBUTE_TYPE_INVALID 532 * - template has an invalid value for an attribute: ATTRIBUTE_VALID_INVALID 533 * - template has value for a read-only attribute: ATTRIBUTE_READ_ONLY 534 * - template+default+parent => still miss an attribute: TEMPLATE_INCONSISTENT 535 * 536 * INFO on PKCS11_CMD_COPY_OBJECT: 537 * - parent PKCS11_CKA_COPYIABLE=false => return ACTION_PROHIBITED. 538 * - template can specify PKCS11_CKA_TOKEN, PKCS11_CKA_PRIVATE, 539 * PKCS11_CKA_MODIFIABLE, PKCS11_CKA_DESTROYABLE. 540 * - SENSITIVE can change from false to true, not from true to false. 541 * - LOCAL is the parent LOCAL 542 */ 543 enum pkcs11_rc 544 create_attributes_from_template(struct obj_attrs **out, void *template, 545 size_t template_size, 546 struct obj_attrs *parent __unused, 547 enum processing_func function, 548 enum pkcs11_mechanism_id mecha __unused) 549 { 550 struct obj_attrs *temp = NULL; 551 struct obj_attrs *attrs = NULL; 552 enum pkcs11_rc rc = PKCS11_CKR_OK; 553 uint8_t local = 0; 554 uint8_t always_sensitive = 0; 555 uint8_t never_extract = 0; 556 uint32_t mechanism_id = PKCS11_CKM_UNDEFINED_ID; 557 558 #ifdef DEBUG /* Sanity: check function argument */ 559 trace_attributes_from_api_head("template", template, template_size); 560 switch (function) { 561 case PKCS11_FUNCTION_IMPORT: 562 break; 563 default: 564 TEE_Panic(TEE_ERROR_NOT_SUPPORTED); 565 } 566 #endif 567 568 rc = sanitize_client_object(&temp, template, template_size); 569 if (rc) 570 goto out; 571 572 /* If class/type not defined, match from mechanism */ 573 if (get_class(temp) == PKCS11_UNDEFINED_ID && 574 get_key_type(temp) == PKCS11_UNDEFINED_ID) { 575 EMSG("Unable to define class/type from mechanism"); 576 rc = PKCS11_CKR_TEMPLATE_INCOMPLETE; 577 goto out; 578 } 579 580 if (!sanitize_consistent_class_and_type(temp)) { 581 EMSG("Inconsistent class/type"); 582 rc = PKCS11_CKR_TEMPLATE_INCONSISTENT; 583 goto out; 584 } 585 586 switch (get_class(temp)) { 587 case PKCS11_CKO_DATA: 588 rc = create_data_attributes(&attrs, temp); 589 break; 590 case PKCS11_CKO_SECRET_KEY: 591 rc = create_symm_key_attributes(&attrs, temp); 592 break; 593 case PKCS11_CKO_PUBLIC_KEY: 594 rc = create_pub_key_attributes(&attrs, temp); 595 break; 596 case PKCS11_CKO_PRIVATE_KEY: 597 rc = create_priv_key_attributes(&attrs, temp); 598 break; 599 default: 600 DMSG("Invalid object class %#"PRIx32"/%s", 601 get_class(temp), id2str_class(get_class(temp))); 602 603 rc = PKCS11_CKR_TEMPLATE_INCONSISTENT; 604 break; 605 } 606 if (rc) 607 goto out; 608 609 if (get_attribute(attrs, PKCS11_CKA_LOCAL, NULL, NULL) != 610 PKCS11_RV_NOT_FOUND) 611 goto out; 612 613 if (get_attribute(attrs, PKCS11_CKA_KEY_GEN_MECHANISM, NULL, NULL) != 614 PKCS11_RV_NOT_FOUND) 615 goto out; 616 617 switch (function) { 618 case PKCS11_FUNCTION_IMPORT: 619 default: 620 local = PKCS11_FALSE; 621 break; 622 } 623 rc = add_attribute(&attrs, PKCS11_CKA_LOCAL, &local, sizeof(local)); 624 if (rc) 625 goto out; 626 627 switch (get_class(attrs)) { 628 case PKCS11_CKO_SECRET_KEY: 629 case PKCS11_CKO_PRIVATE_KEY: 630 case PKCS11_CKO_PUBLIC_KEY: 631 always_sensitive = PKCS11_FALSE; 632 never_extract = PKCS11_FALSE; 633 634 rc = add_attribute(&attrs, PKCS11_CKA_ALWAYS_SENSITIVE, 635 &always_sensitive, sizeof(always_sensitive)); 636 if (rc) 637 goto out; 638 639 rc = add_attribute(&attrs, PKCS11_CKA_NEVER_EXTRACTABLE, 640 &never_extract, sizeof(never_extract)); 641 if (rc) 642 goto out; 643 644 /* Keys mandate attribute PKCS11_CKA_KEY_GEN_MECHANISM */ 645 mechanism_id = PKCS11_CK_UNAVAILABLE_INFORMATION; 646 rc = add_attribute(&attrs, PKCS11_CKA_KEY_GEN_MECHANISM, 647 &mechanism_id, sizeof(mechanism_id)); 648 if (rc) 649 goto out; 650 break; 651 652 default: 653 break; 654 } 655 656 *out = attrs; 657 658 #ifdef DEBUG 659 trace_attributes("object", attrs); 660 #endif 661 662 out: 663 TEE_Free(temp); 664 if (rc) 665 TEE_Free(attrs); 666 667 return rc; 668 } 669 670 static enum pkcs11_rc check_attrs_misc_integrity(struct obj_attrs *head) 671 { 672 if (get_bool(head, PKCS11_CKA_NEVER_EXTRACTABLE) && 673 get_bool(head, PKCS11_CKA_EXTRACTABLE)) { 674 DMSG("Never/Extractable attributes mismatch %d/%d", 675 get_bool(head, PKCS11_CKA_NEVER_EXTRACTABLE), 676 get_bool(head, PKCS11_CKA_EXTRACTABLE)); 677 678 return PKCS11_CKR_TEMPLATE_INCONSISTENT; 679 } 680 681 if (get_bool(head, PKCS11_CKA_ALWAYS_SENSITIVE) && 682 !get_bool(head, PKCS11_CKA_SENSITIVE)) { 683 DMSG("Sensitive/always attributes mismatch %d/%d", 684 get_bool(head, PKCS11_CKA_SENSITIVE), 685 get_bool(head, PKCS11_CKA_ALWAYS_SENSITIVE)); 686 687 return PKCS11_CKR_TEMPLATE_INCONSISTENT; 688 } 689 690 return PKCS11_CKR_OK; 691 } 692 693 /* 694 * Check the attributes of a to-be-created object matches the token state 695 */ 696 enum pkcs11_rc check_created_attrs_against_token(struct pkcs11_session *session, 697 struct obj_attrs *head) 698 { 699 enum pkcs11_rc rc = PKCS11_CKR_OK; 700 701 rc = check_attrs_misc_integrity(head); 702 if (rc) 703 return rc; 704 705 if (get_bool(head, PKCS11_CKA_TRUSTED) && 706 !pkcs11_session_is_so(session)) { 707 DMSG("Can't create trusted object"); 708 709 return PKCS11_CKR_KEY_FUNCTION_NOT_PERMITTED; 710 } 711 712 if (get_bool(head, PKCS11_CKA_TOKEN) && 713 !pkcs11_session_is_read_write(session)) { 714 DMSG("Can't create persistent object"); 715 716 return PKCS11_CKR_SESSION_READ_ONLY; 717 } 718 719 /* 720 * TODO: START_DATE and END_DATE: complies with current time? 721 */ 722 return PKCS11_CKR_OK; 723 } 724 725 #define DMSG_BAD_BBOOL(attr, proc, head) \ 726 do { \ 727 uint32_t __maybe_unused _attr = (attr); \ 728 uint8_t __maybe_unused _bvalue = 0; \ 729 enum pkcs11_rc __maybe_unused _rc = PKCS11_CKR_OK; \ 730 \ 731 _rc = get_attribute((head), _attr, &_bvalue, NULL); \ 732 DMSG("%s issue for %s: %sfound, value %"PRIu8, \ 733 id2str_attr(_attr), id2str_proc((proc)), \ 734 _rc ? "not " : "", _bvalue); \ 735 } while (0) 736 737 static bool __maybe_unused check_attr_bval(uint32_t proc_id __maybe_unused, 738 struct obj_attrs *head, 739 uint32_t attribute, bool val) 740 { 741 uint8_t bbool = 0; 742 uint32_t sz = sizeof(bbool); 743 744 if (!get_attribute(head, attribute, &bbool, &sz) && !!bbool == val) 745 return true; 746 747 DMSG_BAD_BBOOL(attribute, proc_id, head); 748 return false; 749 } 750 751 /* 752 * Check the attributes of a new secret match the processing/mechanism 753 * used to create it. 754 * 755 * @proc_id - PKCS11_CKM_xxx 756 * @head - head of the attributes of the to-be-created object. 757 */ 758 enum pkcs11_rc check_created_attrs_against_processing(uint32_t proc_id, 759 struct obj_attrs *head) 760 { 761 /* 762 * Processings that do not create secrets are not expected to call 763 * this function which would panic. 764 */ 765 switch (proc_id) { 766 case PKCS11_PROCESSING_IMPORT: 767 assert(check_attr_bval(proc_id, head, PKCS11_CKA_LOCAL, false)); 768 break; 769 default: 770 TEE_Panic(proc_id); 771 break; 772 } 773 774 return PKCS11_CKR_OK; 775 } 776