Signed-off-by: Harald Freudenberger <fre...@linux.vnet.ibm.com>
---
usr/lib/pkcs11/cca_stdll/cca_specific.c | 139 ++++++++++++++++++++++++++++---
1 file changed, 126 insertions(+), 13 deletions(-)
diff --git a/usr/lib/pkcs11/cca_stdll/cca_specific.c
b/usr/lib/pkcs11/cca_stdll/cca_specific.c
index ca409cd..3ce1b3a 100644
--- a/usr/lib/pkcs11/cca_stdll/cca_specific.c
+++ b/usr/lib/pkcs11/cca_stdll/cca_specific.c
@@ -65,20 +65,20 @@ MECH_LIST_ELEMENT mech_list[] = {
{CKM_AES_CBC_PAD, {16, 32, CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|
CKF_UNWRAP}},
{CKM_SHA512, {0, 0, CKF_HW|CKF_DIGEST}},
- {CKM_SHA512_HMAC, {0, 0, CKF_SIGN|CKF_VERIFY}},
- {CKM_SHA512_HMAC_GENERAL, {0, 0, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA512_HMAC, {80, 2048, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA512_HMAC_GENERAL, {80, 2048, CKF_SIGN|CKF_VERIFY}},
{CKM_SHA384, {0, 0, CKF_HW|CKF_DIGEST}},
- {CKM_SHA384_HMAC, {0, 0, CKF_SIGN|CKF_VERIFY}},
- {CKM_SHA384_HMAC_GENERAL, {0, 0, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA384_HMAC, {80, 2048, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA384_HMAC_GENERAL, {80, 2048, CKF_SIGN|CKF_VERIFY}},
{CKM_SHA256, {0, 0, CKF_HW|CKF_DIGEST}},
- {CKM_SHA256_HMAC, {0, 0, CKF_SIGN|CKF_VERIFY}},
- {CKM_SHA256_HMAC_GENERAL, {0, 0, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA256_HMAC, {80, 2048, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA256_HMAC_GENERAL, 80, 2048, CKF_SIGN|CKF_VERIFY}},
{CKM_SHA_1, {0, 0, CKF_DIGEST}},
- {CKM_SHA_1_HMAC, {0, 0, CKF_SIGN|CKF_VERIFY}},
- {CKM_SHA_1_HMAC_GENERAL, {0, 0, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA_1_HMAC, {80, 2048, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA_1_HMAC_GENERAL, {80, 2048, CKF_SIGN|CKF_VERIFY}},
{CKM_MD5, {0, 0, CKF_DIGEST}},
- {CKM_MD5_HMAC, {0, 0, CKF_SIGN|CKF_VERIFY}},
- {CKM_MD5_HMAC_GENERAL, {0, 0, CKF_SIGN|CKF_VERIFY}},
+ {CKM_MD5_HMAC, {80, 2048, CKF_SIGN|CKF_VERIFY}},
+ {CKM_MD5_HMAC_GENERAL, {80, 2048, CKF_SIGN|CKF_VERIFY}},
{CKM_EC_KEY_PAIR_GEN, {160, 521, CKF_HW|CKF_GENERATE_KEY_PAIR|
CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
{CKM_ECDSA, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|CKF_EC_NAMEDCURVE|
@@ -1028,7 +1028,7 @@ token_specific_aes_ecb(CK_BYTE *in_data,
return CKR_FUNCTION_FAILED;
}
- key_len = 64;
+ key_len = attr->ulValueLen;
rule_array_count = 4;
memcpy(rule_array, "AES ECB KEYIDENTINITIAL ",
rule_array_count*(size_t)CCA_KEYWORD_SIZE);
@@ -1145,7 +1145,7 @@ token_specific_aes_cbc(CK_BYTE *in_data,
}
length = in_data_len;
- key_len = 64;
+ key_len = attr->ulValueLen;
if (encrypt) {
CSNBSAE(&return_code,
&reason_code,
@@ -2446,9 +2446,100 @@ static CK_RV import_des_key(unsigned char *key,
CK_ULONG keylen,
return CKR_OK;
}
-CK_RV token_specific_object_add(OBJECT *object)
+static CK_RV import_generic_secret_key(unsigned char *key, CK_ULONG keylen,
+ TEMPLATE *obj_tmpl)
{
+ CK_RV rc;
+ long return_code, reason_code, rule_array_count;
+ unsigned char key_type[CCA_KEYWORD_SIZE];
+ unsigned char key_token[CCA_KEY_TOKEN_SIZE] = { 0 };
+ unsigned char rule_array[CCA_RULE_ARRAY_SIZE] = { 0 };
+ long key_name_len = 0, clr_key_len = 0;
+ long user_data_len = 0, key_part_len = 0;
+ long token_data_len = 0, verb_data_len = 0;
+ long key_token_len = sizeof(key_token);
+ CK_ATTRIBUTE *opaque_key = NULL;
+
+ /* key len needs to be 80-2048 bits */
+ if (8*keylen < 80 || 8*keylen > 2048) {
+ TRACE_ERROR("HMAC key size of %lu bits not within"
+ " CCA required range of 80-2048 bits\n",
+ 8*keylen);
+ return CKR_KEY_SIZE_RANGE;
+ }
+
+ memcpy(rule_array,
+ "INTERNALNO-KEY HMAC MAC GENERATE",
+ 5 * CCA_KEYWORD_SIZE);
+ rule_array_count = 5;
+
+ CSNBKTB2( &return_code, &reason_code,
+ NULL, NULL,
+ &rule_array_count, rule_array,
+ &clr_key_len, NULL,
+ &key_name_len, NULL,
+ &user_data_len, NULL,
+ &token_data_len, NULL,
+ &verb_data_len, NULL,
+ &key_token_len, key_token );
+ if (return_code != CCA_SUCCESS) {
+ TRACE_ERROR("CSNBKTB2 (HMAC KEY TOKEN BUILD) failed."
+ " return:%ld, reason:%ld\n",
+ return_code, reason_code);
+ return CKR_FUNCTION_FAILED;
+ }
+
+ memcpy(rule_array, "HMAC FIRST MIN1PART", 3 * CCA_KEYWORD_SIZE);
+ rule_array_count = 3;
+ key_part_len = keylen * 8;
+ key_token_len = sizeof(key_token);
+
+ CSNBKPI2( &return_code, &reason_code,
+ NULL, NULL,
+ &rule_array_count, rule_array,
+ &key_part_len, key,
+ &key_token_len, key_token );
+ if (return_code != CCA_SUCCESS) {
+ TRACE_ERROR("CSNBKPI2 (HMAC KEY IMPORT FIRST) failed."
+ " return:%ld, reason:%ld\n",
+ return_code, reason_code);
+ return CKR_FUNCTION_FAILED;
+ }
+
+ memcpy(rule_array, "HMAC COMPLETE", 2 * CCA_KEYWORD_SIZE);
+ rule_array_count = 2;
+ key_part_len = 0;
+ key_token_len = sizeof(key_token);
+
+ CSNBKPI2( &return_code, &reason_code,
+ NULL, NULL,
+ &rule_array_count, rule_array,
+ &key_part_len, NULL,
+ &key_token_len, key_token );
+ if (return_code != CCA_SUCCESS) {
+ TRACE_ERROR("CSNBKPI2 (HMAC KEY IMPORT COMPLETE) failed."
+ " return:%ld, reason:%ld\n",
+ return_code, reason_code);
+ return CKR_FUNCTION_FAILED;
+ }
+
+ /* Add the key object to the template */
+ if ((rc = build_attribute(CKA_IBM_OPAQUE, key_token,
+ key_token_len, &opaque_key))) {
+ TRACE_DEVEL("build_attribute(CKA_IBM_OPAQUE) failed\n");
+ return rc;
+ }
+ rc = template_update_attribute(obj_tmpl, opaque_key);
+ if (rc != CKR_OK) {
+ TRACE_DEVEL("template_update_attribute(CKA_IBM_OPAQUE)
failed\n");
+ return rc;
+ }
+
+ return CKR_OK;
+}
+CK_RV token_specific_object_add(OBJECT *object)
+{
CK_RV rc;
CK_ATTRIBUTE *attr;
CK_KEY_TYPE keytype;
@@ -2528,6 +2619,28 @@ CK_RV token_specific_object_add(OBJECT *object)
}
TRACE_INFO("AES key with len=%ld successful imported\n",
attr->ulValueLen);
+ } else if (keytype == CKK_GENERIC_SECRET) {
+
+ rc = template_attribute_find(object->template, CKA_VALUE,
&attr);
+ if (rc == FALSE) {
+ TRACE_ERROR("Incomplete Generic Secret (HMAC) key
template\n");
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ rc = import_generic_secret_key(attr->pValue, attr->ulValueLen,
+ object->template);
+ if (rc != CKR_OK) {
+ TRACE_DEVEL("Generic Secret (HMAC) key import failed
with rc=0x%lx\n", rc);
+ return CKR_FUNCTION_FAILED;
+ }
+ TRACE_INFO("Generic Secret (HMAC) key with len=%ld successful
imported\n",
+ attr->ulValueLen);
+
+ } else {
+
+ /* unknown/unsupported key type */
+ TRACE_ERROR("Unknown/unsupported key type 0x%lx\n", keytype);
+ return CKR_KEY_FUNCTION_NOT_PERMITTED;
+
}
return CKR_OK;
--
1.7.9.5
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Opencryptoki-tech mailing list
Opencryptoki-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
