/* SPDX-License-Identifier: BSD-2-Clause */
/*
 * Copyright (c) 2017-2020, Linaro Limited
 */

#ifndef PKCS11_TA_PKCS11_ATTRIBUTES_H
#define PKCS11_TA_PKCS11_ATTRIBUTES_H

#include <inttypes.h>
#include <pkcs11_ta.h>

#include "serializer.h"
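/*
 * The key check value (KCV) attribute for objects is 3 bytes.
 *
 * 3 bytes give only 24 bits, so a matching KCV is a fingerprint for
 * cross-checking or spotting a corrupted key; it must not be treated as proof
 * that two keys are equal or as an authenticity check.
 */
#define PKCS11_CKA_CHECK_VALUE_SIZE		U(3)

/* Opaque here: only pointers to these types are used in this header */
struct obj_attrs;
struct pkcs11_object;
struct pkcs11_session;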
/*
 * PKCS#11 directives on object attributes.
 * Those with a '*' are optional, the others must be defined, either by the
 * caller or by some known default value.
 *
 * [all] objects:	class
 *
 * [stored] objects:	persistent, need_authen, modifiable, copyable,
 *			destroyable, label*.
 *
 * [data] objects:	[all], [stored], application_id*, object_id*, value.
 *
 * [key] objects:	[all], [stored], type, id*, start_date/end_date*,
 *			derive, local, allowed_mechanisms*.
 *
 * [symm-key]:		[key], sensitive, encrypt, decrypt, sign, verify, wrap,
 *			unwrap, extractable, wrap_with_trusted, trusted,
 *			wrap_template, unwrap_template, derive_template.
 */
/*
 * Utils to check compliance of attributes at various processing steps.
 * Any processing operation is exclusively one of the following.
 *
 * Case 1: Create a secret from some local random value (C_CreateKey & friends)
 * - client provides an attributes list template, PKCS11 TA completes with
 *   default attribute values. Object is created if attributes are
 *   consistent and comply with token/session state.
 * - PKCS11 sequence:
 *   - check/set token/session state
 *   - create an attribute list from client template and default values.
 *   - check new secret attributes comply with requested mechanism.
 *   - check new secret attributes comply with token/session state.
 *   - Generate the value for the secret.
 *   - Set some runtime attributes in the new secret.
 *   - Register the new secret and return a handle for it.
 *
 * Case 2: Create a secret from a client clear data (C_CreateObject)
 * - client provides an attributes list template, PKCS11 TA completes with
 *   default attribute values. Object is created if attributes are
 *   consistent and comply with token/session state.
 *   - check/set token/session state
 *   - create an attribute list from client template and default values.
 *   - check new secret attributes comply with requested mechanism (raw-import).
 *   - check new secret attributes comply with token/session state.
 *   - Set some runtime attributes in the new secret.
 *   - Register the new secret and return a handle for it.
 *
 * Case 3: Use a secret for data processing
 * - client provides a mechanism ID and the secret handle.
 * - PKCS11 checks that mechanism and secret comply, then that mechanism and
 *   token/session state comply, and last that secret and token/session state
 *   comply.
 *   - check/set token/session state
 *   - check secret's parent attributes comply with requested processing.
 *   - check secret's parent attributes comply with token/session state.
 *   - check new secret attributes comply with secret's parent attributes.
 *   - check new secret attributes comply with requested mechanism.
 *   - check new secret attributes comply with token/session state.
 *
 * Case 4: Create a secret from a client template and a secret's parent
 * (i.e. derive a symmetric key)
 * - client args: new-key template, mechanism ID, parent-key handle.
 * - PKCS11 creates a new-key attribute list based on template + default
 *   values + inheritance from the parent key attributes.
 * - PKCS11 checks:
 *   - token/session state
 *   - parent-key vs mechanism
 *   - parent-key vs token/session state
 *   - parent-key vs new-key
 *   - new-key vs mechanism
 *   - new-key vs token/session state
 * - then do processing
 * - then finalize object creation
 */
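/*
 * Identifier of the processing function a request is checked for.
 *
 * Used as the @func/@function argument of the attribute and mechanism
 * checkers declared in this header. No enumerator has an explicit value, so
 * numeric values follow declaration order, starting at 0.
 *
 * NOTE(review): PKCS11_FUNCTION_UNKNOWN looks like the "no valid function"
 * sentinel; checkers are expected to reject it rather than fall through to
 * a permissive default - confirm in the definitions.
 */
enum processing_func {
	PKCS11_FUNCTION_DIGEST,
	PKCS11_FUNCTION_GENERATE,
	PKCS11_FUNCTION_GENERATE_PAIR,
	PKCS11_FUNCTION_DERIVE,
	PKCS11_FUNCTION_WRAP,
	PKCS11_FUNCTION_UNWRAP,
	PKCS11_FUNCTION_ENCRYPT,
	PKCS11_FUNCTION_DECRYPT,
	PKCS11_FUNCTION_SIGN,
	PKCS11_FUNCTION_VERIFY,
	PKCS11_FUNCTION_SIGN_RECOVER,
	PKCS11_FUNCTION_VERIFY_RECOVER,
	PKCS11_FUNCTION_IMPORT,
	PKCS11_FUNCTION_COPY,
	PKCS11_FUNCTION_MODIFY,
	PKCS11_FUNCTION_DESTROY,
	PKCS11_FUNCTION_UNKNOWN,
};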
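/*
 * Stage of a processing function, passed as @step to
 * check_mechanism_against_processing().
 *
 * No enumerator has an explicit value, so numeric values follow declaration
 * order, starting at 0.
 *
 * NOTE(review): PKCS11_FUNC_STEP_UPDATE_KEY presumably denotes an update fed
 * with a key object rather than client data - confirm against the callers.
 */
enum processing_step {
	PKCS11_FUNC_STEP_INIT,
	PKCS11_FUNC_STEP_ONESHOT,
	PKCS11_FUNC_STEP_UPDATE,
	PKCS11_FUNC_STEP_UPDATE_KEY,
	PKCS11_FUNC_STEP_FINAL,
};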
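/*
 * Create an attribute list for a new object
 *
 * @out - Output attribute list for the new object
 * @template - Attribute template provided by the client
 * @template_size - Size of @template, presumably in bytes - confirm
 * @parent - Attributes of the parent object, when there is one
 * @func - Processing function that creates the object
 * @proc_mecha - Mechanism requested for that processing
 * @template_class - Object class of the template
 * Return a PKCS11 return code
 *
 * NOTE(review): the roles above are read from the parameter names and types;
 * the definition is not visible from this header.
 * NOTE(review): @template and @template_size originate from the client, so
 * the definition is expected to bound every attribute it parses by
 * @template_size before using it - confirm.
 * NOTE(review): ownership of *@out on failure is not stated here - confirm
 * whether the caller must release it.
 */
enum pkcs11_rc
create_attributes_from_template(struct obj_attrs **out, void *template,
				size_t template_size, struct obj_attrs *parent,
				enum processing_func func,
				enum pkcs11_mechanism_id proc_mecha,
				enum pkcs11_class_id template_class);

/*
 * The various checks to be performed before a processing:
 * - create a new object in the current token state
 * - use a parent object in the processing
 * - use a mechanism with provided configuration
 */
enum pkcs11_rc check_created_attrs_against_token(struct pkcs11_session *session,
						 struct obj_attrs *head);

/*
 * NOTE(review): @proc_id is a plain uint32_t here while
 * check_parent_attrs_against_processing() takes enum pkcs11_mechanism_id for
 * the parameter of the same name - confirm both carry a PKCS11_CKM_xxx value.
 */
enum pkcs11_rc check_created_attrs_against_processing(uint32_t proc_id,
						      struct obj_attrs *head);

/*
 * NOTE(review): takes two attribute lists; presumably cross-checks objects
 * created together - confirm which of @key1/@key2 may be NULL.
 */
enum pkcs11_rc check_created_attrs(struct obj_attrs *key1,
				   struct obj_attrs *key2);

/*
 * Check that the attributes of the parent secret (key) used in the processing
 * match the target processing.
 *
 * @proc_id - PKCS11_CKM_xxx
 * @func - identifier of the processing function operated with @proc_id.
 * @head - head of the attributes of parent object.
 */
enum pkcs11_rc
check_parent_attrs_against_processing(enum pkcs11_mechanism_id proc_id,
				      enum processing_func func,
				      struct obj_attrs *head);

/*
 * NOTE(review): by its name, checks whether the object described by @head may
 * be accessed given the token/session state of @session - confirm.
 */
enum pkcs11_rc check_access_attrs_against_token(struct pkcs11_session *session,
						struct obj_attrs *head);

/*
 * NOTE(review): by its name, checks that @mechanism_type is allowed for
 * @function at stage @step in @session - confirm.
 */
enum pkcs11_rc
check_mechanism_against_processing(struct pkcs11_session *session,
				   enum pkcs11_mechanism_id mechanism_type,
				   enum processing_func function,
				   enum processing_step step);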
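/*
 * Tell whether a requested attribute ID is flagged as hidden.
 *
 * @req_attr - Attribute header whose ID is tested; must not be NULL, it is
 *	       dereferenced unconditionally
 * Return true only when every bit of PKCS11_CKA_OPTEE_FLAGS_HIDDEN is set in
 * @req_attr->id
 *
 * The ID is compared against the whole mask rather than tested for "!= 0", so
 * an ID that shares only some of the mask bits is not reported as hidden.
 *
 * NOTE(review): hidden attributes are presumably internal to the TA and never
 * returned to the client - callers that filter client requests should confirm
 * they test this before reading or writing the attribute.
 */
static inline bool attribute_is_hidden(const struct pkcs11_attribute_head *req_attr)
{
	return (req_attr->id & PKCS11_CKA_OPTEE_FLAGS_HIDDEN) ==
	       PKCS11_CKA_OPTEE_FLAGS_HIDDEN;
}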
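/*
 * NOTE(review): by its name, decides whether attribute @req_attr of @obj may
 * be handed back to the client. This is the gate that keeps sensitive key
 * material inside the TA, so the definition should fail closed (return false)
 * for anything it does not recognise - confirm.
 */
bool attribute_is_exportable(struct pkcs11_attribute_head *req_attr,
			     struct pkcs11_object *obj);

/*
 * Boolean queries on an object's attribute list @head.
 * NOTE(review): presumably each reflects the attribute its name refers to -
 * confirm the value returned when that attribute is absent from @head.
 */
bool object_is_private(struct obj_attrs *head);

bool object_is_token(struct obj_attrs *head);

bool object_is_modifiable(struct obj_attrs *head);

bool object_is_copyable(struct obj_attrs *head);

/*
 * Check the attributes passed in template against the attributes which can be
 * modified. These are the attributes marked with * 8,10,11 or 12 in Table 10
 * in PKCS #11 Cryptographic Token Interface Base Specification Version 2.40.
 * A few attributes without this marking but explicitly specified as
 * modifiable in the footnotes of their tables are also considered to be
 * modifiable.
 */
enum pkcs11_rc check_attrs_against_modification(struct pkcs11_session *session,
						struct obj_attrs *head,
						struct pkcs11_object *obj,
						enum processing_func function);

/*
 * NOTE(review): by its name, stores @key_size bytes from @data as key material
 * in *@head; @head is a double pointer, so the list may be reallocated -
 * confirm, and confirm that the caller remains responsible for wiping @data.
 */
enum pkcs11_rc set_key_data(struct obj_attrs **head, void *data,
			    size_t key_size);

/*
 * Get an allocated copy of key data to be wrapped from @head
 * @head: Object attribute where to find key data to be wrapped
 * @data: Output allocated and filled buffer upon success
 * @sz: Key output data size in bytes upon success
 * Return a PKCS11 return code (enum pkcs11_rc)
 *
 * NOTE(review): the buffer returned in @data holds clear key material; the
 * caller presumably owns it and should wipe it before releasing it - confirm.
 */
enum pkcs11_rc alloc_key_data_to_wrap(struct obj_attrs *head, void **data,
				      uint32_t *sz);

/*
 * Adds CKA_ID attribute from paired object if missing.
 *
 * @pub_head - Public key object attributes
 * @priv_head - Private key object attributes
 * Return a PKCS11 return code
 */
enum pkcs11_rc add_missing_attribute_id(struct obj_attrs **pub_head,
					struct obj_attrs **priv_head);

/*
 * Check an object's check value (Checksum)
 * @head: Object attribute where to find KCV to be checked
 * Return a PKCS11 return code (enum pkcs11_rc)
 *
 * NOTE(review): the name says "set" and @head is a double pointer like the
 * other functions here that add attributes, so this may also add or update
 * the KCV attribute rather than only check it - confirm and align the
 * description with the definition.
 */
enum pkcs11_rc set_check_value_attr(struct obj_attrs **head);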
#endif /*PKCS11_TA_PKCS11_ATTRIBUTES_H*/