xref: /optee_os/ta/pkcs11/src/pkcs11_attributes.h (revision 897357879e4a88587bb91d8f7e9dd66e2b3c4d6f)
163f89caaSJens Wiklander /* SPDX-License-Identifier: BSD-2-Clause */
263f89caaSJens Wiklander /*
363f89caaSJens Wiklander  * Copyright (c) 2017-2020, Linaro Limited
463f89caaSJens Wiklander  */
563f89caaSJens Wiklander 
663f89caaSJens Wiklander #ifndef PKCS11_TA_PKCS11_ATTRIBUTES_H
763f89caaSJens Wiklander #define PKCS11_TA_PKCS11_ATTRIBUTES_H
863f89caaSJens Wiklander 
963f89caaSJens Wiklander #include <inttypes.h>
1063f89caaSJens Wiklander 
1163f89caaSJens Wiklander #include "serializer.h"
1263f89caaSJens Wiklander 
1363f89caaSJens Wiklander struct obj_attrs;
1463f89caaSJens Wiklander struct pkcs11_object;
1563f89caaSJens Wiklander struct pkcs11_session;
1663f89caaSJens Wiklander 
/*
 * PKCS#11 directives on object attributes.
 * Those with a '*' are optional, the others must be defined, either by the
 * caller or by some known default value.
 *
 * [all] objects:	class
 *
 * [stored] objects:	persistent, need_authen, modifiable, copyable,
 *			destroyable, label*.
 *
 * [data] objects:	[all], [stored], application_id*, object_id*, value.
 *
 * [key] objects:	[all], [stored], type, id*, start_date/end_date*,
 *			derive, local, allowed_mechanisms*.
 *
 * [symm-key]:		[key], sensitive, encrypt, decrypt, sign, verify, wrap,
 *			unwrap, extractable, wrap_with_trusted, trusted,
 *			wrap_template, unwrap_template, derive_template.
 */
3663f89caaSJens Wiklander 
/*
 * Utils to check compliance of attributes at various processing steps.
 * Any processing operation is exclusively one of the following.
 *
 * Case 1: Create a secret from some local random value (C_CreateKey & friends)
 * - client provides an attributes list template, PKCS11 TA completes it with
 *   default attribute values. Object is created if attributes are
 *   consistent and comply with the token/session state.
 * - PKCS11 sequence:
 *   - check/set token/session state
 *   - create an attribute list from client template and default values.
 *   - check new secret attributes comply with the requested mechanism.
 *   - check new secret attributes comply with the token/session state.
 *   - Generate the value for the secret.
 *   - Set some runtime attributes in the new secret.
 *   - Register the new secret and return a handle for it.
5363f89caaSJens Wiklander  *
 * Case 2: Create a secret from a client clear data (C_CreateObject)
 * - client provides an attributes list template, PKCS11 TA completes it with
 *   default attribute values. Object is created if attributes are
 *   consistent and comply with the token/session state.
 *   - check/set token/session state
 *   - create an attribute list from client template and default values.
 *   - check new secret attributes comply with the requested mechanism
 *     (raw-import).
 *   - check new secret attributes comply with the token/session state.
 *   - Set some runtime attributes in the new secret.
 *   - Register the new secret and return a handle for it.
 *
 * Case 3: Use a secret for data processing
 * - client provides a mechanism ID and the secret handle.
 * - PKCS11 checks that the mechanism and the secret comply, that the mechanism
 *   and the token/session state comply, and last that the secret and the
 *   token/session state comply.
 *   - check/set token/session state
 *   - check secret's parent attributes comply with the requested processing.
 *   - check secret's parent attributes comply with the token/session state.
 *   - check new secret attributes comply with the secret's parent attributes.
 *   - check new secret attributes comply with the requested mechanism.
 *   - check new secret attributes comply with the token/session state.
7563f89caaSJens Wiklander  *
 * Case 4: Create a secret from a client template and a secret's parent
 * (i.e. derive a symmetric key)
 * - client args: new-key template, mechanism ID, parent-key handle.
 * - PKCS11 creates a new-key attribute list based on template + default
 *   values + inheritance from the parent key attributes.
 * - PKCS11 checks:
 *   - token/session state
 *   - parent-key vs mechanism
 *   - parent-key vs token/session state
 *   - parent-key vs new-key
 *   - new-key vs mechanism
 *   - new-key vs token/session state
 * - then do processing
 * - then finalize object creation
 */
9163f89caaSJens Wiklander 
/*
 * Kind of processing a request performs. Values of this type are passed as the
 * @func / @function argument of create_attributes_from_template(),
 * check_parent_attrs_against_processing() and
 * check_mechanism_against_processing() declared in this header.
 *
 * NOTE(review): the enumerators have no explicit values, so their numeric
 * values follow declaration order. Presumably they are internal to the TA and
 * never cross the client interface - confirm before reordering or inserting
 * entries.
 */
enum processing_func {
	PKCS11_FUNCTION_DIGEST,
	PKCS11_FUNCTION_GENERATE,
	PKCS11_FUNCTION_GENERATE_PAIR,
	PKCS11_FUNCTION_DERIVE,
	PKCS11_FUNCTION_WRAP,
	PKCS11_FUNCTION_UNWRAP,
	PKCS11_FUNCTION_ENCRYPT,
	PKCS11_FUNCTION_DECRYPT,
	PKCS11_FUNCTION_SIGN,
	PKCS11_FUNCTION_VERIFY,
	PKCS11_FUNCTION_SIGN_RECOVER,
	PKCS11_FUNCTION_VERIFY_RECOVER,
	/* presumably the raw import of client data (C_CreateObject) - confirm */
	PKCS11_FUNCTION_IMPORT,
	PKCS11_FUNCTION_COPY,
	PKCS11_FUNCTION_MODIFY,
	PKCS11_FUNCTION_DESTROY,
};
11063f89caaSJens Wiklander 
/*
 * Stage of a processing operation, passed as @step to
 * check_mechanism_against_processing().
 *
 * NOTE(review): presumably INIT, UPDATE and FINAL correspond to the
 * multi-part C_xxxInit/C_xxxUpdate/C_xxxFinal calls and ONESHOT to the
 * single-part call - confirm against the implementation.
 */
enum processing_step {
	PKCS11_FUNC_STEP_INIT,
	PKCS11_FUNC_STEP_ONESHOT,
	PKCS11_FUNC_STEP_UPDATE,
	PKCS11_FUNC_STEP_FINAL,
};
11763f89caaSJens Wiklander 
/*
 * Create an attribute list for a new object.
 *
 * @out - location where the new attribute list is returned
 * @template - attribute template the list is built from
 * @template_size - size of @template (presumably in bytes - confirm)
 * @parent - attributes of a parent object (presumably NULL when the new
 *	     object has no parent - confirm)
 * @func - processing function the object is created for
 * @proc_mecha - mechanism ID used by the processing
 * @template_class - object class (how it relates to the class found in
 *		     @template cannot be told from this header)
 *
 * Return a enum pkcs11_rc status code.
 *
 * NOTE(review): per the processing cases described in this header the
 * template is provided by the client, so the implementation should treat
 * @template as untrusted data and bound every access by @template_size -
 * confirm in the .c file.
 * NOTE(review): who releases *@out on success and on failure is not visible
 * from this header - confirm.
 * NOTE(review): enum pkcs11_rc, enum pkcs11_mechanism_id and
 * enum pkcs11_class_id are not declared here; presumably they come in through
 * "serializer.h" - confirm this header is self-contained.
 */
enum pkcs11_rc
create_attributes_from_template(struct obj_attrs **out, void *template,
				size_t template_size, struct obj_attrs *parent,
				enum processing_func func,
				enum pkcs11_mechanism_id proc_mecha,
				enum pkcs11_class_id template_class);
12563f89caaSJens Wiklander 
/*
 * The various checks to be performed before a processing:
 * - create a new object in the current token state
 * - use a parent object in the processing
 * - use a mechanism with provided configuration
 *
 * Each check returns a enum pkcs11_rc status code. These checks are the
 * policy gate for the operation: callers are expected to abandon the
 * operation when a check does not succeed (which value means success is
 * defined with enum pkcs11_rc, not in this header).
 */

/*
 * Check the attributes of a newly created object against the token/session
 * state.
 *
 * @session - session the object is created from
 * @head - head of the attributes of the new object
 */
enum pkcs11_rc check_created_attrs_against_token(struct pkcs11_session *session,
						 struct obj_attrs *head);

/*
 * Check the attributes of a newly created object against the processing
 * that creates it.
 *
 * @proc_id - processing identifier
 * @head - head of the attributes of the new object
 *
 * NOTE(review): @proc_id is a uint32_t here while
 * check_parent_attrs_against_processing() takes enum pkcs11_mechanism_id for
 * the same-named argument - presumably both carry a mechanism ID; confirm and
 * consider aligning the types.
 */
enum pkcs11_rc check_created_attrs_against_processing(uint32_t proc_id,
						      struct obj_attrs *head);

/*
 * Check the attributes of created key(s).
 *
 * @key1 - head of the attributes of the first key
 * @key2 - head of the attributes of the second key
 *
 * NOTE(review): presumably @key2 is used for key pair generation and may be
 * NULL when a single key is created - confirm against the implementation.
 */
enum pkcs11_rc check_created_attrs(struct obj_attrs *key1,
				   struct obj_attrs *key2);
140512cbf1dSJens Wiklander 
/*
 * Check that the attributes of the parent secret (key) used in the
 * processing match the target processing.
 *
 * @proc_id - PKCS11_CKM_xxx
 * @func - identifier of the processing function operated with @proc_id.
 * @head - head of the attributes of parent object.
 *
 * Return a enum pkcs11_rc status code.
 *
 * NOTE(review): presumably this is where key usage attributes (encrypt,
 * decrypt, sign, verify, wrap, unwrap, derive) are enforced against @func -
 * confirm in the implementation.
 */
enum pkcs11_rc
check_parent_attrs_against_processing(enum pkcs11_mechanism_id proc_id,
				      enum processing_func func,
				      struct obj_attrs *head);
153512cbf1dSJens Wiklander 
/*
 * Check the attributes of an accessed object against the token/session
 * state.
 *
 * @session - session the object is accessed from
 * @head - head of the attributes of the accessed object
 *
 * Return a enum pkcs11_rc status code.
 *
 * NOTE(review): presumably this decides whether the session (e.g. its login
 * state) is allowed to use the object - confirm in the implementation.
 */
enum pkcs11_rc check_access_attrs_against_token(struct pkcs11_session *session,
						struct obj_attrs *head);
156512cbf1dSJens Wiklander 
/*
 * Check that a mechanism can be used for a processing function at a given
 * step.
 *
 * @session - session the processing is requested from
 * @mechanism_type - mechanism ID requested for the processing
 * @function - processing function the mechanism is used for
 * @step - stage of the processing, see enum processing_step
 *
 * Return a enum pkcs11_rc status code.
 */
enum pkcs11_rc
check_mechanism_against_processing(struct pkcs11_session *session,
				   enum pkcs11_mechanism_id mechanism_type,
				   enum processing_func function,
				   enum processing_step step);
162512cbf1dSJens Wiklander 
/*
 * Tell whether an attribute of an object is exportable.
 *
 * @req_attr - head of the requested attribute
 * @obj - object the attribute belongs to
 *
 * Return true if the attribute is exportable, false otherwise.
 *
 * NOTE(review): presumably this keeps the value of sensitive or
 * non-extractable keys from being returned to the client when attributes are
 * read; callers should not copy the attribute value out when this returns
 * false - confirm against the implementation.
 */
bool attribute_is_exportable(struct pkcs11_attribute_head *req_attr,
			     struct pkcs11_object *obj);
165783c1515SRuchika Gupta 
/*
 * Tell whether an object is private.
 *
 * @head - head of the attributes of the object
 *
 * Return true if the object is private, false otherwise.
 *
 * NOTE(review): presumably this reflects the PKCS#11 CKA_PRIVATE attribute,
 * i.e. an object that requires user authentication to be accessed - confirm
 * against the implementation.
 */
bool object_is_private(struct obj_attrs *head);
167*89735787SRuchika Gupta 
16863f89caaSJens Wiklander #endif /*PKCS11_TA_PKCS11_ATTRIBUTES_H*/