/* SPDX-License-Identifier: BSD-2-Clause */
/*
 * Copyright (c) 2017-2020, Linaro Limited
 */

#ifndef PKCS11_TA_PKCS11_ATTRIBUTES_H
#define PKCS11_TA_PKCS11_ATTRIBUTES_H

#include <inttypes.h>
#include <pkcs11_ta.h>
#include <stdbool.h>
#include <stddef.h>

#include "serializer.h"

struct obj_attrs;
struct pkcs11_object;
struct pkcs11_session;

/*
 * PKCS#11 directives on object attributes.
 * Those with a '*' are optional, other must be defined, either by caller
 * or by some known default value.
 *
 * [all] objects: class
 *
 * [stored] objects: persistent, need_authen, modifiable, copyable,
 *		     destroyable, label*.
 *
 * [data] objects: [all], [stored], application_id*, object_id*, value.
 *
 * [key] objects: [all], [stored], type, id*, start_date/end_date*,
 *		  derive, local, allowed_mechanisms*.
 *
 * [symm-key]: [key], sensitive, encrypt, decrypt, sign, verify, wrap,
 *	       unwrap, extractable, wrap_with_trusted, trusted,
 *	       wrap_template, unwrap_template, derive_template.
 */

/*
 * Utils to check compliance of attributes at various processing steps.
 * Any processing operation is exclusively one of the following.
 *
 * Case 1: Create a secret from some local random value (C_GenerateKey & friends)
 *  - client provides an attributes list template, PKCS11 TA completes with
 *    default attribute values. Object is created if attributes are
 *    consistent and comply with the token/session state.
 *  - PKCS11 sequence:
 *    - check/set token/session state
 *    - create an attribute list from client template and default values.
 *    - check new secret attributes comply with the requested mechanism.
 *    - check new secret attributes comply with the token/session state.
 *    - Generate the value for the secret.
 *    - Set some runtime attributes in the new secret.
 *    - Register the new secret and return a handle for it.
 *
 * Case 2: Create a secret from client clear data (C_CreateObject)
 *  - client provides an attributes list template, PKCS11 TA completes with
 *    default attribute values. Object is created if attributes are
 *    consistent and comply with the token/session state.
 *  - check/set token/session state
 *  - create an attribute list from client template and default values.
 *  - check new secret attributes comply with the requested mechanism
 *    (raw-import).
 *  - check new secret attributes comply with the token/session state.
 *  - Set some runtime attributes in the new secret.
 *  - Register the new secret and return a handle for it.
 *
 * Case 3: Use a secret for data processing
 *  - client provides a mechanism ID and the secret handle.
 *  - PKCS11 checks that the mechanism and the secret comply, then that the
 *    mechanism and the token/session state comply, and last that the secret
 *    and the token/session state comply.
 *  - check/set token/session state
 *  - check secret's parent attributes comply with the requested processing.
 *  - check secret's parent attributes comply with the token/session state.
 *  - check new secret attributes comply with the secret's parent attributes.
 *  - check new secret attributes comply with the requested mechanism.
 *  - check new secret attributes comply with the token/session state.
 *
 * Case 4: Create a secret from a client template and a secret's parent
 *         (i.e. derive a symmetric key)
 *  - client args: new-key template, mechanism ID, parent-key handle.
 *  - PKCS11 creates a new-key attribute list based on template + default
 *    values + inheritance from the parent key attributes.
 *  - PKCS11 checks:
 *    - token/session state
 *    - parent-key vs mechanism
 *    - parent-key vs token/session state
 *    - parent-key vs new-key
 *    - new-key vs mechanism
 *    - new-key vs token/session state
 *  - then do processing
 *  - then finalize object creation
 */

/*
 * Identifier of the processing (PKCS#11 function family) an attribute check
 * is performed for. This is what the check_*() helpers below use to decide
 * which usage attributes of an object (encrypt/decrypt/sign/verify/wrap/
 * unwrap/derive, ...) and which token/session state are relevant.
 *
 * NOTE(review): keep the enumerator order stable. The values are not
 * assigned explicitly here and may be used as table indices or compared
 * numerically elsewhere in the TA — check all users before inserting or
 * reordering entries.
 */
enum processing_func {
	PKCS11_FUNCTION_DIGEST,
	PKCS11_FUNCTION_GENERATE,
	PKCS11_FUNCTION_GENERATE_PAIR,
	PKCS11_FUNCTION_DERIVE,
	PKCS11_FUNCTION_WRAP,
	PKCS11_FUNCTION_UNWRAP,
	PKCS11_FUNCTION_ENCRYPT,
	PKCS11_FUNCTION_DECRYPT,
	PKCS11_FUNCTION_SIGN,
	PKCS11_FUNCTION_VERIFY,
	PKCS11_FUNCTION_SIGN_RECOVER,
	PKCS11_FUNCTION_VERIFY_RECOVER,
	PKCS11_FUNCTION_IMPORT,
	PKCS11_FUNCTION_COPY,
	PKCS11_FUNCTION_MODIFY,
	PKCS11_FUNCTION_DESTROY,
	/* Sentinel for an unrecognized function; presumably expected last */
	PKCS11_FUNCTION_UNKNOWN,
};

/*
 * Stage of a processing operation, used together with enum processing_func
 * when checking whether a mechanism may be used at that stage (see
 * check_mechanism_against_processing()).
 *
 * INIT/UPDATE/FINAL presumably map to the multi-part C_xxxInit/C_xxxUpdate/
 * C_xxxFinal calls and ONESHOT to the single-part call; UPDATE_KEY is
 * presumably the variant that feeds a key object rather than client data
 * (e.g. C_DigestKey) — TODO confirm against the callers.
 */
enum processing_step {
	PKCS11_FUNC_STEP_INIT,
	PKCS11_FUNC_STEP_ONESHOT,
	PKCS11_FUNC_STEP_UPDATE,
	PKCS11_FUNC_STEP_UPDATE_KEY,
	PKCS11_FUNC_STEP_FINAL,
};

/* Create an attribute list for a new object */
/*
 * Build the attribute list of a new object from a client template.
 *
 * @out - Output allocated attribute list upon success (ownership presumably
 *        passes to the caller — TODO confirm which free function applies)
 * @template - Client-provided serialized attribute template. This is
 *             untrusted input from the REE client: every access into it must
 *             be bounded by @template_size.
 * @template_size - Size in bytes of @template
 * @parent - Attributes of the parent object when the new object is created
 *           from one (derive, unwrap, ...); presumably NULL otherwise —
 *           TODO confirm
 * @func - Processing function the object is created for
 * @proc_mecha - Mechanism used by that processing
 * @template_class - Object class the template is expected to describe
 * Return a PKCS11 return code
 */
enum pkcs11_rc
create_attributes_from_template(struct obj_attrs **out, void *template,
				size_t template_size, struct obj_attrs *parent,
				enum processing_func func,
				enum pkcs11_mechanism_id proc_mecha,
				enum pkcs11_class_id template_class);

/*
 * The various checks to be performed before a processing:
 * - create a new object in the current token state
 * - use a parent object in the processing
 * - use a mechanism with provided configuration
 */

/*
 * Check the attributes of a new object (@head) are acceptable in the
 * current token/session state of @session (e.g. login state, R/O vs R/W
 * session).
 * Return a PKCS11 return code
 */
enum pkcs11_rc check_created_attrs_against_token(struct pkcs11_session *session,
						 struct obj_attrs *head);

/*
 * Check the attributes of a new object (@head) are consistent with the
 * mechanism @proc_id it is created with.
 *
 * NOTE(review): @proc_id is a plain uint32_t here while the sibling helpers
 * take enum pkcs11_mechanism_id; the value is expected to be a PKCS11_CKM_xxx
 * identifier either way.
 * Return a PKCS11 return code
 */
enum pkcs11_rc check_created_attrs_against_processing(uint32_t proc_id,
						      struct obj_attrs *head);

/*
 * Consistency check between two newly created objects, @key1 and @key2
 * (presumably the public/private halves of a generated key pair — TODO
 * confirm against the callers).
 * Return a PKCS11 return code
 */
enum pkcs11_rc check_created_attrs(struct obj_attrs *key1,
				   struct obj_attrs *key2);

/*
 * Check the attributes of the parent secret (key) used in the processing
 * do match the target processing.
 *
 * @proc_id - PKCS11_CKM_xxx
 * @func - identifier of the processing function operated with @proc_id.
 * @head - head of the attributes of parent object.
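 */
enum pkcs11_rc
check_parent_attrs_against_processing(enum pkcs11_mechanism_id proc_id,
				      enum processing_func func,
				      struct obj_attrs *head);

/*
 * Check that the object described by @head may be accessed in the current
 * token/session state of @session (e.g. a private object requires the user
 * to be logged in). Operates on an existing object, unlike
 * check_created_attrs_against_token().
 * Return a PKCS11 return code
 */
enum pkcs11_rc check_access_attrs_against_token(struct pkcs11_session *session,
						struct obj_attrs *head);

/*
 * Check that @mechanism_type may be used for @function at processing stage
 * @step in @session.
 * Return a PKCS11 return code
 */
enum pkcs11_rc
check_mechanism_against_processing(struct pkcs11_session *session,
				   enum pkcs11_mechanism_id mechanism_type,
				   enum processing_func function,
				   enum processing_step step);

/*
 * Return true if the attribute identifier of @req_attr carries the OP-TEE
 * specific PKCS11_CKA_OPTEE_FLAGS_HIDDEN flag, i.e. it is a TA-internal
 * attribute rather than a standard PKCS#11 one.
 *
 * Such attributes are presumably never meant to be readable or settable by
 * the client (see attribute_is_exportable() below); callers handling
 * client-supplied attribute IDs should reject them — TODO confirm in
 * pkcs11_attributes.c.
 *
 * @req_attr - Attribute header to test; must not be NULL. Only the ID is
 *             read, so the argument is const-qualified.
 */
static inline bool
attribute_is_hidden(const struct pkcs11_attribute_head *req_attr)
{
	/* Test all flag bits, not just any one of them */
	return (req_attr->id & PKCS11_CKA_OPTEE_FLAGS_HIDDEN) ==
	       PKCS11_CKA_OPTEE_FLAGS_HIDDEN;
}

/*
 * Return true if the value of attribute @req_attr of object @obj may be
 * disclosed to the client. Presumably false for hidden attributes and for
 * key material of sensitive/non-extractable keys (PKCS#11 footnote 7) —
 * TODO confirm in pkcs11_attributes.c.
 */
bool attribute_is_exportable(struct pkcs11_attribute_head *req_attr,
			     struct pkcs11_object *obj);

/* Return true if the object described by @head has CKA_PRIVATE set */
bool object_is_private(struct obj_attrs *head);

/* Return true if the object described by @head is a token (persistent) object */
bool object_is_token(struct obj_attrs *head);

/* Return true if the object described by @head has CKA_MODIFIABLE set */
bool object_is_modifiable(struct obj_attrs *head);

/* Return true if the object described by @head has CKA_COPYABLE set */
bool object_is_copyable(struct obj_attrs *head);

/*
 * Check the attributes passed in template against the attributes which can be
 * modified.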
 * These are the attributes marked with * 8,10,11 or 12 in Table 10
 * in PKCS #11 Cryptographic Token Interface Base Specification Version 2.40.
 * A few attributes without this marking but explicitly specified as modifiable
 * in a footnote of their tables are also considered to be modifiable.
 *
 * @session - Session the modification is requested in
 * @head - Attributes of the client template to be applied
 * @obj - Existing object the template applies to
 * @function - Processing requesting the change (presumably
 *             PKCS11_FUNCTION_MODIFY or PKCS11_FUNCTION_COPY — TODO confirm)
 * Return a PKCS11 return code
 */
enum pkcs11_rc check_attrs_against_modification(struct pkcs11_session *session,
						struct obj_attrs *head,
						struct pkcs11_object *obj,
						enum processing_func function);

/*
 * Store key material into the attribute list referenced by @head.
 *
 * @head - Attribute list to update; passed by reference since adding an
 *         attribute presumably reallocates the list — TODO confirm
 * @data - Raw key bytes (sensitive: the caller remains responsible for
 *         wiping its own copy once stored)
 * @key_size - Size in bytes of @data
 * Return a PKCS11 return code
 */
enum pkcs11_rc set_key_data(struct obj_attrs **head, void *data,
			    size_t key_size);

/*
 * Get an allocated copy of key data to be wrapped from @head
 * @head: Object attribute where to find key data to be wrapped
 * @data: Output allocated and filled buffer upon success; the caller owns it
 *        and should wipe it before freeing since it holds key material
 * @sz: Key output data size in bytes upon success. Note this is a uint32_t,
 *      unlike the size_t taken by set_key_data(): do not pass a size_t *.
 * Return a pkcs11_rc compliant value
 */
enum pkcs11_rc alloc_key_data_to_wrap(struct obj_attrs *head, void **data,
				      uint32_t *sz);

/*
 * Adds CKA_ID attribute from paired object if missing.
 *
 * Presumably, if exactly one of the two key objects carries CKA_ID, it is
 * copied to the other so both halves of the pair share the same identifier —
 * TODO confirm behaviour when both or neither carry it.
 *
 * @pub_head - Public key object attributes (by reference: the list may be
 *             reallocated when the attribute is added)
 * @priv_head - Private key object attributes (same remark)
 * Return a PKCS11 return code
 */
enum pkcs11_rc add_missing_attribute_id(struct obj_attrs **pub_head,
					struct obj_attrs **priv_head);

#endif /*PKCS11_TA_PKCS11_ATTRIBUTES_H*/