1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2017-2020, Linaro Limited 4 */ 5 6 #include <assert.h> 7 #include <pkcs11_ta.h> 8 #include <string.h> 9 #include <util.h> 10 #include <tee_api.h> 11 #include <tee_internal_api_extensions.h> 12 13 #include "pkcs11_helpers.h" 14 #include "token_capabilities.h" 15 16 #define ALLOWED_PKCS11_CKFM \ 17 (PKCS11_CKFM_ENCRYPT | PKCS11_CKFM_DECRYPT | \ 18 PKCS11_CKFM_DERIVE | PKCS11_CKFM_DIGEST | \ 19 PKCS11_CKFM_SIGN | PKCS11_CKFM_SIGN_RECOVER | \ 20 PKCS11_CKFM_VERIFY | PKCS11_CKFM_VERIFY_RECOVER | \ 21 PKCS11_CKFM_GENERATE | PKCS11_CKFM_GENERATE_KEY_PAIR | \ 22 PKCS11_CKFM_WRAP | PKCS11_CKFM_UNWRAP) 23 24 /* 25 * Definition of supported processings for a PKCS#11 mechanisms 26 * @id: Mechanism ID 27 * @flags: Valid PKCS11_CKFM_* for a mechanism as per PKCS#11 28 * @one_shot: true of mechanism can be used for a one-short processing 29 * @string: Helper string of the mechanism ID for debug purpose 30 */ 31 struct pkcs11_mechachism_modes { 32 uint32_t id; 33 uint32_t flags; 34 bool one_shot; 35 #if CFG_TEE_TA_LOG_LEVEL > 0 36 const char *string; 37 #endif 38 }; 39 40 #if CFG_TEE_TA_LOG_LEVEL > 0 41 #define MECHANISM(_label, _flags, _single_part) \ 42 { \ 43 .id = _label, \ 44 .one_shot = (_single_part), \ 45 .flags = (_flags), \ 46 .string = #_label, \ 47 } 48 #else 49 #define MECHANISM(_label, _flags, _single_part) \ 50 { \ 51 .id = _label, \ 52 .one_shot = (_single_part), \ 53 .flags = (_flags), \ 54 } 55 #endif 56 57 #define SINGLE_PART_ONLY true 58 #define ANY_PART false 59 60 #define CKFM_CIPHER (PKCS11_CKFM_ENCRYPT | PKCS11_CKFM_DECRYPT) 61 #define CKFM_WRAP_UNWRAP (PKCS11_CKFM_WRAP | PKCS11_CKFM_UNWRAP) 62 #define CKFM_CIPHER_WRAP (CKFM_CIPHER | CKFM_WRAP_UNWRAP) 63 #define CKFM_CIPHER_WRAP_DERIVE (CKFM_CIPHER_WRAP | PKCS11_CKFM_DERIVE) 64 #define CKFM_AUTH_NO_RECOVER (PKCS11_CKFM_SIGN | PKCS11_CKFM_VERIFY) 65 #define CKFM_AUTH_WITH_RECOVER (PKCS11_CKFM_SIGN_RECOVER | \ 66 PKCS11_CKFM_VERIFY_RECOVER) 67 68 /* PKCS#11 specificies permitted operation for each mechanism */ 69 static const struct pkcs11_mechachism_modes pkcs11_modes[] = { 70 /* AES */ 71 MECHANISM(PKCS11_CKM_AES_ECB, CKFM_CIPHER_WRAP, ANY_PART), 72 MECHANISM(PKCS11_CKM_AES_CBC, CKFM_CIPHER_WRAP, ANY_PART), 73 MECHANISM(PKCS11_CKM_AES_CBC_PAD, CKFM_CIPHER_WRAP, ANY_PART), 74 MECHANISM(PKCS11_CKM_AES_CTS, CKFM_CIPHER_WRAP, ANY_PART), 75 MECHANISM(PKCS11_CKM_AES_CTR, CKFM_CIPHER_WRAP, ANY_PART), 76 MECHANISM(PKCS11_CKM_AES_GCM, CKFM_CIPHER_WRAP, ANY_PART), 77 MECHANISM(PKCS11_CKM_AES_CMAC, CKFM_AUTH_NO_RECOVER, ANY_PART), 78 MECHANISM(PKCS11_CKM_AES_CMAC_GENERAL, CKFM_AUTH_NO_RECOVER, ANY_PART), 79 MECHANISM(PKCS11_CKM_AES_ECB_ENCRYPT_DATA, PKCS11_CKFM_DERIVE, 80 ANY_PART), 81 MECHANISM(PKCS11_CKM_AES_CBC_ENCRYPT_DATA, PKCS11_CKFM_DERIVE, 82 ANY_PART), 83 MECHANISM(PKCS11_CKM_AES_KEY_GEN, PKCS11_CKFM_GENERATE, ANY_PART), 84 MECHANISM(PKCS11_CKM_GENERIC_SECRET_KEY_GEN, PKCS11_CKFM_GENERATE, 85 ANY_PART), 86 /* Digest */ 87 MECHANISM(PKCS11_CKM_MD5, PKCS11_CKFM_DIGEST, ANY_PART), 88 MECHANISM(PKCS11_CKM_SHA_1, PKCS11_CKFM_DIGEST, ANY_PART), 89 MECHANISM(PKCS11_CKM_SHA224, PKCS11_CKFM_DIGEST, ANY_PART), 90 MECHANISM(PKCS11_CKM_SHA256, PKCS11_CKFM_DIGEST, ANY_PART), 91 MECHANISM(PKCS11_CKM_SHA384, PKCS11_CKFM_DIGEST, ANY_PART), 92 MECHANISM(PKCS11_CKM_SHA512, PKCS11_CKFM_DIGEST, ANY_PART), 93 /* HMAC */ 94 MECHANISM(PKCS11_CKM_MD5_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART), 95 MECHANISM(PKCS11_CKM_SHA_1_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART), 96 MECHANISM(PKCS11_CKM_SHA224_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART), 97 MECHANISM(PKCS11_CKM_SHA256_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART), 98 MECHANISM(PKCS11_CKM_SHA384_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART), 99 MECHANISM(PKCS11_CKM_SHA512_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART), 100 MECHANISM(PKCS11_CKM_MD5_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER, ANY_PART), 101 MECHANISM(PKCS11_CKM_SHA_1_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER, 102 ANY_PART), 103 MECHANISM(PKCS11_CKM_SHA224_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER, 104 ANY_PART), 105 MECHANISM(PKCS11_CKM_SHA256_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER, 106 ANY_PART), 107 MECHANISM(PKCS11_CKM_SHA384_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER, 108 ANY_PART), 109 MECHANISM(PKCS11_CKM_SHA512_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER, 110 ANY_PART), 111 /* EC */ 112 MECHANISM(PKCS11_CKM_EC_KEY_PAIR_GEN, PKCS11_CKFM_GENERATE_KEY_PAIR, 113 ANY_PART), 114 MECHANISM(PKCS11_CKM_ECDH1_DERIVE, PKCS11_CKFM_DERIVE, 115 ANY_PART), 116 MECHANISM(PKCS11_CKM_ECDSA, CKFM_AUTH_NO_RECOVER, SINGLE_PART_ONLY), 117 MECHANISM(PKCS11_CKM_ECDSA_SHA1, CKFM_AUTH_NO_RECOVER, ANY_PART), 118 MECHANISM(PKCS11_CKM_ECDSA_SHA224, CKFM_AUTH_NO_RECOVER, ANY_PART), 119 MECHANISM(PKCS11_CKM_ECDSA_SHA256, CKFM_AUTH_NO_RECOVER, ANY_PART), 120 MECHANISM(PKCS11_CKM_ECDSA_SHA384, CKFM_AUTH_NO_RECOVER, ANY_PART), 121 MECHANISM(PKCS11_CKM_ECDSA_SHA512, CKFM_AUTH_NO_RECOVER, ANY_PART), 122 /* EDDSA */ 123 MECHANISM(PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN, 124 PKCS11_CKFM_GENERATE_KEY_PAIR, ANY_PART), 125 MECHANISM(PKCS11_CKM_EDDSA, CKFM_AUTH_NO_RECOVER, ANY_PART), 126 /* RSA */ 127 MECHANISM(PKCS11_CKM_RSA_AES_KEY_WRAP, CKFM_CIPHER_WRAP, 128 SINGLE_PART_ONLY), 129 MECHANISM(PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN, 130 PKCS11_CKFM_GENERATE_KEY_PAIR, ANY_PART), 131 MECHANISM(PKCS11_CKM_RSA_PKCS, CKFM_CIPHER_WRAP | CKFM_AUTH_NO_RECOVER | 132 CKFM_AUTH_WITH_RECOVER, SINGLE_PART_ONLY), 133 MECHANISM(PKCS11_CKM_RSA_PKCS_OAEP, CKFM_CIPHER_WRAP, 134 SINGLE_PART_ONLY), 135 MECHANISM(PKCS11_CKM_RSA_X_509, CKFM_CIPHER_WRAP | 136 CKFM_AUTH_NO_RECOVER | CKFM_AUTH_WITH_RECOVER, 137 SINGLE_PART_ONLY), 138 MECHANISM(PKCS11_CKM_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER, 139 SINGLE_PART_ONLY), 140 MECHANISM(PKCS11_CKM_MD5_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART), 141 MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART), 142 MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER, ANY_PART), 143 MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART), 144 MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART), 145 MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART), 146 MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER, 147 ANY_PART), 148 MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER, 149 ANY_PART), 150 MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER, 151 ANY_PART), 152 MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART), 153 MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER, 154 ANY_PART), 155 }; 156 157 #if CFG_TEE_TA_LOG_LEVEL > 0 158 const char *mechanism_string_id(enum pkcs11_mechanism_id id) 159 { 160 const size_t offset = sizeof("PKCS11_CKM_") - 1; 161 size_t n = 0; 162 163 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++) 164 if (pkcs11_modes[n].id == id) 165 return pkcs11_modes[n].string + offset; 166 167 return "Unknown ID"; 168 } 169 #endif /*CFG_TEE_TA_LOG_LEVEL*/ 170 171 /* 172 * Return true if @id is a valid mechanism ID 173 */ 174 bool mechanism_is_valid(enum pkcs11_mechanism_id id) 175 { 176 size_t n = 0; 177 178 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++) 179 if (id == pkcs11_modes[n].id) 180 return true; 181 182 return false; 183 } 184 185 /* 186 * Return true if mechanism ID is valid and flags matches PKCS#11 compliancy 187 */ 188 bool __maybe_unused mechanism_flags_complies_pkcs11(uint32_t mechanism_type, 189 uint32_t flags) 190 { 191 size_t n = 0; 192 193 assert((flags & ~ALLOWED_PKCS11_CKFM) == 0); 194 195 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++) { 196 if (pkcs11_modes[n].id == mechanism_type) { 197 if (flags & ~pkcs11_modes[n].flags) 198 EMSG("%s flags: 0x%"PRIx32" vs 0x%"PRIx32, 199 id2str_mechanism(mechanism_type), 200 flags, pkcs11_modes[n].flags); 201 202 return (flags & ~pkcs11_modes[n].flags) == 0; 203 } 204 } 205 206 /* Mechanism ID unexpectedly not found */ 207 return false; 208 } 209 210 bool mechanism_is_one_shot_only(uint32_t mechanism_type) 211 { 212 size_t n = 0; 213 214 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++) 215 if (pkcs11_modes[n].id == mechanism_type) 216 return pkcs11_modes[n].one_shot; 217 218 /* Mechanism ID unexpectedly not found */ 219 TEE_Panic(PKCS11_RV_NOT_FOUND); 220 /* Dummy return to keep compiler happy */ 221 return false; 222 } 223 224 /* 225 * Field single_part_only is unused from array token_mechanism[], hence 226 * simply use ANY_PART for all mechanism there. 227 */ 228 #define TA_MECHANISM(_label, _flags) MECHANISM((_label), (_flags), ANY_PART) 229 230 /* 231 * Arrays that centralizes the IDs and processing flags for mechanisms 232 * supported by each embedded token. 233 */ 234 const struct pkcs11_mechachism_modes token_mechanism[] = { 235 TA_MECHANISM(PKCS11_CKM_AES_ECB, CKFM_CIPHER_WRAP), 236 TA_MECHANISM(PKCS11_CKM_AES_CBC, CKFM_CIPHER_WRAP), 237 TA_MECHANISM(PKCS11_CKM_AES_CTR, CKFM_CIPHER), 238 TA_MECHANISM(PKCS11_CKM_AES_GCM, CKFM_CIPHER), 239 TA_MECHANISM(PKCS11_CKM_AES_CTS, CKFM_CIPHER), 240 TA_MECHANISM(PKCS11_CKM_AES_CMAC, CKFM_AUTH_NO_RECOVER), 241 TA_MECHANISM(PKCS11_CKM_AES_CMAC_GENERAL, CKFM_AUTH_NO_RECOVER), 242 TA_MECHANISM(PKCS11_CKM_AES_ECB_ENCRYPT_DATA, PKCS11_CKFM_DERIVE), 243 TA_MECHANISM(PKCS11_CKM_AES_CBC_ENCRYPT_DATA, PKCS11_CKFM_DERIVE), 244 TA_MECHANISM(PKCS11_CKM_ECDH1_DERIVE, PKCS11_CKFM_DERIVE), 245 TA_MECHANISM(PKCS11_CKM_AES_KEY_GEN, PKCS11_CKFM_GENERATE), 246 TA_MECHANISM(PKCS11_CKM_GENERIC_SECRET_KEY_GEN, PKCS11_CKFM_GENERATE), 247 TA_MECHANISM(PKCS11_CKM_MD5, PKCS11_CKFM_DIGEST), 248 TA_MECHANISM(PKCS11_CKM_SHA_1, PKCS11_CKFM_DIGEST), 249 TA_MECHANISM(PKCS11_CKM_SHA224, PKCS11_CKFM_DIGEST), 250 TA_MECHANISM(PKCS11_CKM_SHA256, PKCS11_CKFM_DIGEST), 251 TA_MECHANISM(PKCS11_CKM_SHA384, PKCS11_CKFM_DIGEST), 252 TA_MECHANISM(PKCS11_CKM_SHA512, PKCS11_CKFM_DIGEST), 253 TA_MECHANISM(PKCS11_CKM_MD5_HMAC, CKFM_AUTH_NO_RECOVER), 254 TA_MECHANISM(PKCS11_CKM_SHA_1_HMAC, CKFM_AUTH_NO_RECOVER), 255 TA_MECHANISM(PKCS11_CKM_SHA224_HMAC, CKFM_AUTH_NO_RECOVER), 256 TA_MECHANISM(PKCS11_CKM_SHA256_HMAC, CKFM_AUTH_NO_RECOVER), 257 TA_MECHANISM(PKCS11_CKM_SHA384_HMAC, CKFM_AUTH_NO_RECOVER), 258 TA_MECHANISM(PKCS11_CKM_SHA512_HMAC, CKFM_AUTH_NO_RECOVER), 259 TA_MECHANISM(PKCS11_CKM_MD5_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER), 260 TA_MECHANISM(PKCS11_CKM_SHA_1_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER), 261 TA_MECHANISM(PKCS11_CKM_SHA224_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER), 262 TA_MECHANISM(PKCS11_CKM_SHA256_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER), 263 TA_MECHANISM(PKCS11_CKM_SHA384_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER), 264 TA_MECHANISM(PKCS11_CKM_SHA512_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER), 265 TA_MECHANISM(PKCS11_CKM_EC_KEY_PAIR_GEN, 266 PKCS11_CKFM_GENERATE_KEY_PAIR), 267 TA_MECHANISM(PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN, 268 PKCS11_CKFM_GENERATE_KEY_PAIR), 269 TA_MECHANISM(PKCS11_CKM_ECDSA, CKFM_AUTH_NO_RECOVER), 270 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA1, CKFM_AUTH_NO_RECOVER), 271 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA224, CKFM_AUTH_NO_RECOVER), 272 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA256, CKFM_AUTH_NO_RECOVER), 273 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA384, CKFM_AUTH_NO_RECOVER), 274 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA512, CKFM_AUTH_NO_RECOVER), 275 TA_MECHANISM(PKCS11_CKM_EDDSA, CKFM_AUTH_NO_RECOVER), 276 TA_MECHANISM(PKCS11_CKM_RSA_AES_KEY_WRAP, CKFM_CIPHER_WRAP), 277 TA_MECHANISM(PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN, 278 PKCS11_CKFM_GENERATE_KEY_PAIR), 279 TA_MECHANISM(PKCS11_CKM_RSA_PKCS, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER), 280 #ifdef CFG_PKCS11_TA_RSA_X_509 281 TA_MECHANISM(PKCS11_CKM_RSA_X_509, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER), 282 #endif 283 TA_MECHANISM(PKCS11_CKM_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER), 284 TA_MECHANISM(PKCS11_CKM_MD5_RSA_PKCS, CKFM_AUTH_NO_RECOVER), 285 TA_MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS, CKFM_AUTH_NO_RECOVER), 286 TA_MECHANISM(PKCS11_CKM_RSA_PKCS_OAEP, CKFM_CIPHER), 287 TA_MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER), 288 TA_MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS, CKFM_AUTH_NO_RECOVER), 289 TA_MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS, CKFM_AUTH_NO_RECOVER), 290 TA_MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS, CKFM_AUTH_NO_RECOVER), 291 TA_MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER), 292 TA_MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER), 293 TA_MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER), 294 TA_MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS, CKFM_AUTH_NO_RECOVER), 295 TA_MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER), 296 }; 297 298 /* 299 * tee_malloc_mechanism_array - Allocate and fill array of supported mechanisms 300 * @count: [in] [out] Pointer to number of mechanism IDs in client resource 301 * Return allocated array of the supported mechanism IDs 302 * 303 * Allocates array with 32bit cells mechanism IDs for the supported ones only 304 * if *@count covers number mechanism IDs exposed. 305 */ 306 uint32_t *tee_malloc_mechanism_list(size_t *out_count) 307 { 308 size_t n = 0; 309 size_t count = 0; 310 uint32_t *array = NULL; 311 312 for (n = 0; n < ARRAY_SIZE(token_mechanism); n++) 313 if (token_mechanism[n].flags) 314 count++; 315 316 if (*out_count >= count) 317 array = TEE_Malloc(count * sizeof(*array), 318 TEE_USER_MEM_HINT_NO_FILL_ZERO); 319 320 *out_count = count; 321 322 if (!array) 323 return NULL; 324 325 for (n = 0; n < ARRAY_SIZE(token_mechanism); n++) { 326 if (token_mechanism[n].flags) { 327 count--; 328 array[count] = token_mechanism[n].id; 329 } 330 } 331 assert(!count); 332 333 return array; 334 } 335 336 uint32_t mechanism_supported_flags(enum pkcs11_mechanism_id id) 337 { 338 size_t n = 0; 339 340 for (n = 0; n < ARRAY_SIZE(token_mechanism); n++) { 341 if (id == token_mechanism[n].id) { 342 uint32_t flags = token_mechanism[n].flags; 343 344 assert(mechanism_flags_complies_pkcs11(id, flags)); 345 return flags; 346 } 347 } 348 349 return 0; 350 } 351 352 void pkcs11_mechanism_supported_key_sizes(uint32_t proc_id, 353 uint32_t *min_key_size, 354 uint32_t *max_key_size) 355 { 356 switch (proc_id) { 357 case PKCS11_CKM_GENERIC_SECRET_KEY_GEN: 358 /* This mechanism expects the keysize to be returned in bits */ 359 *min_key_size = 1; /* in bits */ 360 *max_key_size = 4096; /* in bits */ 361 break; 362 case PKCS11_CKM_MD5_HMAC: 363 case PKCS11_CKM_MD5_HMAC_GENERAL: 364 *min_key_size = 8; 365 *max_key_size = 64; 366 break; 367 case PKCS11_CKM_SHA_1_HMAC: 368 case PKCS11_CKM_SHA_1_HMAC_GENERAL: 369 *min_key_size = 10; 370 *max_key_size = 64; 371 break; 372 case PKCS11_CKM_SHA224_HMAC: 373 case PKCS11_CKM_SHA224_HMAC_GENERAL: 374 *min_key_size = 14; 375 *max_key_size = 64; 376 break; 377 case PKCS11_CKM_SHA256_HMAC: 378 case PKCS11_CKM_SHA256_HMAC_GENERAL: 379 *min_key_size = 24; 380 *max_key_size = 128; 381 break; 382 case PKCS11_CKM_SHA384_HMAC: 383 case PKCS11_CKM_SHA384_HMAC_GENERAL: 384 *min_key_size = 32; 385 *max_key_size = 128; 386 break; 387 case PKCS11_CKM_SHA512_HMAC: 388 case PKCS11_CKM_SHA512_HMAC_GENERAL: 389 *min_key_size = 32; 390 *max_key_size = 128; 391 break; 392 case PKCS11_CKM_AES_KEY_GEN: 393 case PKCS11_CKM_AES_ECB: 394 case PKCS11_CKM_AES_CBC: 395 case PKCS11_CKM_AES_CBC_PAD: 396 case PKCS11_CKM_AES_CTR: 397 case PKCS11_CKM_AES_GCM: 398 case PKCS11_CKM_AES_CTS: 399 case PKCS11_CKM_AES_CMAC: 400 case PKCS11_CKM_AES_CMAC_GENERAL: 401 *min_key_size = 16; 402 *max_key_size = 32; 403 break; 404 case PKCS11_CKM_EC_KEY_PAIR_GEN: 405 case PKCS11_CKM_ECDSA: 406 case PKCS11_CKM_ECDSA_SHA1: 407 case PKCS11_CKM_ECDSA_SHA224: 408 case PKCS11_CKM_ECDSA_SHA256: 409 case PKCS11_CKM_ECDSA_SHA384: 410 case PKCS11_CKM_ECDSA_SHA512: 411 case PKCS11_CKM_ECDH1_DERIVE: 412 *min_key_size = 160; /* in bits */ 413 *max_key_size = 521; /* in bits */ 414 break; 415 case PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN: 416 case PKCS11_CKM_EDDSA: 417 *min_key_size = 256; /* in bits */ 418 *max_key_size = 448; /* in bits */ 419 break; 420 case PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN: 421 case PKCS11_CKM_RSA_PKCS: 422 case PKCS11_CKM_RSA_X_509: 423 case PKCS11_CKM_MD5_RSA_PKCS: 424 case PKCS11_CKM_SHA1_RSA_PKCS: 425 case PKCS11_CKM_RSA_PKCS_OAEP: 426 case PKCS11_CKM_SHA1_RSA_PKCS_PSS: 427 case PKCS11_CKM_SHA256_RSA_PKCS: 428 case PKCS11_CKM_SHA384_RSA_PKCS: 429 case PKCS11_CKM_SHA512_RSA_PKCS: 430 case PKCS11_CKM_SHA256_RSA_PKCS_PSS: 431 case PKCS11_CKM_SHA384_RSA_PKCS_PSS: 432 case PKCS11_CKM_SHA512_RSA_PKCS_PSS: 433 case PKCS11_CKM_SHA224_RSA_PKCS: 434 case PKCS11_CKM_SHA224_RSA_PKCS_PSS: 435 *min_key_size = 256; /* in bits */ 436 *max_key_size = 4096; /* in bits */ 437 break; 438 default: 439 *min_key_size = 0; 440 *max_key_size = 0; 441 break; 442 } 443 } 444 445 void mechanism_supported_key_sizes_bytes(uint32_t proc_id, 446 uint32_t *min_key_size, 447 uint32_t *max_key_size) 448 { 449 pkcs11_mechanism_supported_key_sizes(proc_id, min_key_size, 450 max_key_size); 451 452 switch (proc_id) { 453 case PKCS11_CKM_GENERIC_SECRET_KEY_GEN: 454 case PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN: 455 case PKCS11_CKM_EC_KEY_PAIR_GEN: 456 case PKCS11_CKM_ECDSA: 457 case PKCS11_CKM_EDDSA: 458 case PKCS11_CKM_ECDSA_SHA1: 459 case PKCS11_CKM_ECDSA_SHA224: 460 case PKCS11_CKM_ECDSA_SHA256: 461 case PKCS11_CKM_ECDSA_SHA384: 462 case PKCS11_CKM_ECDSA_SHA512: 463 case PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN: 464 /* Size is in bits -> convert to bytes and ceil */ 465 *min_key_size = ROUNDUP(*min_key_size, 8) / 8; 466 *max_key_size = ROUNDUP(*max_key_size, 8) / 8; 467 break; 468 default: 469 /* Size is already in bytes */ 470 break; 471 } 472 } 473