/* SPDX-License-Identifier: BSD-2-Clause */
/*
 * Copyright (c) 2017-2020, Linaro Limited
 */

#ifndef PKCS11_TA_PKCS11_ATTRIBUTES_H
#define PKCS11_TA_PKCS11_ATTRIBUTES_H

#include <inttypes.h>

#include "serializer.h"

struct obj_attrs;
struct pkcs11_object;
struct pkcs11_session;

/*
 * PKCS#11 directives on object attributes.
 * Those with a '*' are optional; others must be defined, either by the caller
 * or by some known default value.
 *
 * [all] objects: class
 *
 * [stored] objects: persistent, need_authen, modifiable, copyable,
 *                   destroyable, label*.
 *
 * [data] objects: [all], [stored], application_id*, object_id*, value.
 *
 * [key] objects: [all], [stored], type, id*, start_date/end_date*,
 *                derive, local, allowed_mechanisms*.
 *
 * [symm-key]: [key], sensitive, encrypt, decrypt, sign, verify, wrap,
 *             unwrap, extractable, wrap_with_trusted, trusted,
 *             wrap_template, unwrap_template, derive_template.
 */

/*
 * Utils to check compliance of attributes at various processing steps.
 * Any processing operation is exclusively one of the following.
 *
 * Case 1: Create a secret from some local random value (C_CreateKey & friends)
 * - client provides an attribute list template, PKCS11 TA completes it with
 *   default attribute values. The object is created if the attributes are
 *   consistent and comply with the token/session state.
 * - PKCS11 sequence:
 *   - check/set token/session state
 *   - create an attribute list from the client template and default values.
 *   - check the new secret attributes comply with the requested mechanism.
 *   - check the new secret attributes comply with the token/session state.
 *   - Generate the value for the secret.
 *   - Set some runtime attributes in the new secret.
 *   - Register the new secret and return a handle for it.
 *
 * Case 2: Create a secret from client clear data (C_CreateObject)
 * - client provides an attribute list template, PKCS11 TA completes it with
 *   default attribute values. The object is created if the attributes are
 *   consistent and comply with the token/session state.
 *   - check/set token/session state
 *   - create an attribute list from the client template and default values.
 *   - check the new secret attributes comply with the requested mechanism
 *     (raw-import).
 *   - check the new secret attributes comply with the token/session state.
 *   - Set some runtime attributes in the new secret.
 *   - Register the new secret and return a handle for it.
 *
 * Case 3: Use a secret for data processing
 * - client provides a mechanism ID and the secret handle.
 * - PKCS11 checks that the mechanism and the secret comply, then that the
 *   mechanism and the token/session state comply, and last that the secret
 *   and the token/session state comply.
 *   - check/set token/session state
 *   - check the secret's parent attributes comply with the requested processing.
 *   - check the secret's parent attributes comply with the token/session state.
 *   - check the new secret attributes comply with the secret's parent attributes.
 *   - check the new secret attributes comply with the requested mechanism.
 *   - check the new secret attributes comply with the token/session state.
 *
 * Case 4: Create a secret from a client template and a secret's parent
 *         (i.e. derive a symmetric key)
 * - client args: new-key template, mechanism ID, parent-key handle.
 * - PKCS11 creates a new-key attribute list based on template + default values +
 *   inheritance from the parent key attributes.
 * - PKCS11 checks:
 *   - token/session state
 *   - parent-key vs mechanism
 *   - parent-key vs token/session state
 *   - parent-key vs new-key
 *   - new-key vs mechanism
 *   - new-key vs token/session state
 * - then do processing
 * - then finalize object creation
 */

enum processing_func {
	PKCS11_FUNCTION_DIGEST,
	PKCS11_FUNCTION_GENERATE,
	PKCS11_FUNCTION_GENERATE_PAIR,
	PKCS11_FUNCTION_DERIVE,
	PKCS11_FUNCTION_WRAP,
	PKCS11_FUNCTION_UNWRAP,
	PKCS11_FUNCTION_ENCRYPT,
	PKCS11_FUNCTION_DECRYPT,
	PKCS11_FUNCTION_SIGN,
	PKCS11_FUNCTION_VERIFY,
	PKCS11_FUNCTION_SIGN_RECOVER,
	PKCS11_FUNCTION_VERIFY_RECOVER,
	PKCS11_FUNCTION_IMPORT,
	PKCS11_FUNCTION_COPY,
	PKCS11_FUNCTION_MODIFY,
	PKCS11_FUNCTION_DESTROY,
};

enum processing_step {
	PKCS11_FUNC_STEP_INIT,
	PKCS11_FUNC_STEP_ONESHOT,
	PKCS11_FUNC_STEP_UPDATE,
	PKCS11_FUNC_STEP_FINAL,
};

/* Create an attribute list for a new object */
enum pkcs11_rc
create_attributes_from_template(struct obj_attrs **out, void *template,
				size_t template_size, struct obj_attrs *parent,
				enum processing_func func,
				enum pkcs11_mechanism_id proc_mecha);

/*
 * The various checks to be performed before a processing:
 * - create a new object in the current token state
 * - use a parent object in the processing
 * - use a mechanism with provided configuration
 */
enum pkcs11_rc check_created_attrs_against_token(struct pkcs11_session *session,
						 struct obj_attrs *head);

enum pkcs11_rc check_created_attrs_against_processing(uint32_t proc_id,
						      struct obj_attrs *head);

#endif /*PKCS11_TA_PKCS11_ATTRIBUTES_H*/
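The header above only declares the check entry points; the model it describes (complete a client template with defaults, then check the resulting attributes against the requested function and, for derivation, against the parent key) is easy to lose in the prose. The following is an added, self-contained C example written for this page; it is not the PKCS#11 TA's own code and does not use `struct obj_attrs`. The attribute identifiers (`ATTR_*`), the default table, the numeric class/key-type values in the scenario and the parent-vs-child policy in `check_parent_vs_new()` are all constructed for illustration. It covers the template completion of cases 1 and 2, the key-vs-function check of case 3, and the parent-vs-new-key check of case 4, with a worked scenario at the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified attribute identifiers for a symmetric key (constructed, not the TA's IDs). */
enum attr_id {
	ATTR_CLASS, ATTR_KEY_TYPE, ATTR_SENSITIVE, ATTR_EXTRACTABLE,
	ATTR_ENCRYPT, ATTR_DECRYPT, ATTR_SIGN, ATTR_VERIFY,
	ATTR_WRAP, ATTR_UNWRAP, ATTR_DERIVE,
	ATTR_COUNT
};

/* Processing functions, a subset of the header's enum processing_func. */
enum proc_func {
	FUNC_DIGEST, FUNC_GENERATE, FUNC_DERIVE, FUNC_WRAP, FUNC_UNWRAP,
	FUNC_ENCRYPT, FUNC_DECRYPT, FUNC_SIGN, FUNC_VERIFY
};

/* One entry of a client template: attribute ID and a boolean/integer value. */
struct tmpl_entry {
	enum attr_id id;
	uint32_t value;
};

/* Completed attribute list: which attributes are set, and their values. */
struct attr_list {
	bool present[ATTR_COUNT];
	uint32_t value[ATTR_COUNT];
};

/* Defaults used when the client template omits an attribute (constructed table).
 * Least privilege: a key can do nothing until the caller says so, and is
 * sensitive and non-extractable unless explicitly relaxed. */
static const struct tmpl_entry symm_key_defaults[] = {
	{ ATTR_SENSITIVE, 1 }, { ATTR_EXTRACTABLE, 0 },
	{ ATTR_ENCRYPT, 0 }, { ATTR_DECRYPT, 0 }, { ATTR_SIGN, 0 },
	{ ATTR_VERIFY, 0 }, { ATTR_WRAP, 0 }, { ATTR_UNWRAP, 0 }, { ATTR_DERIVE, 0 },
};

static bool attr_is_true(const struct attr_list *a, enum attr_id id)
{
	return a->present[id] && a->value[id] != 0;
}

/* Cases 1 and 2: build the attribute list from the client template, then fill
 * in defaults. Returns -1 on a repeated attribute (inconsistent template) or
 * when a mandatory attribute without a default (class, key type) is missing. */
int build_attrs(struct attr_list *out, const struct tmpl_entry *tmpl, size_t n)
{
	size_t i;

	memset(out, 0, sizeof(*out));
	for (i = 0; i < n; i++) {
		if ((unsigned int)tmpl[i].id >= ATTR_COUNT || out->present[tmpl[i].id])
			return -1;
		out->present[tmpl[i].id] = true;
		out->value[tmpl[i].id] = tmpl[i].value;
	}
	for (i = 0; i < sizeof(symm_key_defaults) / sizeof(symm_key_defaults[0]); i++) {
		enum attr_id id = symm_key_defaults[i].id;

		if (!out->present[id]) {
			out->present[id] = true;
			out->value[id] = symm_key_defaults[i].value;
		}
	}
	return (out->present[ATTR_CLASS] && out->present[ATTR_KEY_TYPE]) ? 0 : -1;
}

/* Case 3: may this key be used for the requested processing function? */
bool attrs_allow_func(const struct attr_list *a, enum proc_func func)
{
	switch (func) {
	case FUNC_ENCRYPT: return attr_is_true(a, ATTR_ENCRYPT);
	case FUNC_DECRYPT: return attr_is_true(a, ATTR_DECRYPT);
	case FUNC_SIGN:    return attr_is_true(a, ATTR_SIGN);
	case FUNC_VERIFY:  return attr_is_true(a, ATTR_VERIFY);
	case FUNC_WRAP:    return attr_is_true(a, ATTR_WRAP);
	case FUNC_UNWRAP:  return attr_is_true(a, ATTR_UNWRAP);
	case FUNC_DERIVE:  return attr_is_true(a, ATTR_DERIVE);
	case FUNC_DIGEST:  return true;   /* digests take no key */
	default:           return false;  /* generation needs no existing key */
	}
}

/* Case 4, parent-key vs new-key (constructed policy): the parent must allow
 * derivation, and the child may not loosen the parent's sensitive or
 * extractable restrictions. */
bool check_parent_vs_new(const struct attr_list *parent, const struct attr_list *child)
{
	if (!attr_is_true(parent, ATTR_DERIVE))
		return false;
	if (attr_is_true(parent, ATTR_SENSITIVE) && !attr_is_true(child, ATTR_SENSITIVE))
		return false;
	if (!attr_is_true(parent, ATTR_EXTRACTABLE) && attr_is_true(child, ATTR_EXTRACTABLE))
		return false;
	return true;
}

/* Worked scenario; each non-zero return identifies which check failed unexpectedly. */
int run_example(void)
{
	/* Constructed template: an encrypt/decrypt-only secret key that may derive. */
	const struct tmpl_entry key_tmpl[] = {
		{ ATTR_CLASS, 4 }, { ATTR_KEY_TYPE, 31 },
		{ ATTR_ENCRYPT, 1 }, { ATTR_DECRYPT, 1 }, { ATTR_DERIVE, 1 },
	};
	/* Constructed child template asking to be extractable: must be refused. */
	const struct tmpl_entry child_tmpl[] = {
		{ ATTR_CLASS, 4 }, { ATTR_KEY_TYPE, 31 }, { ATTR_EXTRACTABLE, 1 },
	};
	struct attr_list key, child;

	if (build_attrs(&key, key_tmpl, 5) != 0)
		return 1;
	if (!attrs_allow_func(&key, FUNC_ENCRYPT) || attrs_allow_func(&key, FUNC_SIGN))
		return 2;	/* defaults left SIGN false */
	if (build_attrs(&child, child_tmpl, 3) != 0)
		return 3;
	if (check_parent_vs_new(&key, &child))
		return 4;	/* non-extractable parent, extractable child */
	return 0;
}

int main(void)
{
	printf("scenario result: %d\n", run_example());
	return 0;
}
```

The order matters as much as the individual checks: the template is completed with defaults before any compliance check runs, so a check never has to reason about an absent attribute, and the parent-vs-child comparison is done on the completed child list, which is why the child in the scenario is refused even though its template never mentioned `sensitive`.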