Signed-off-by: Harald Freudenberger <fre...@linux.vnet.ibm.com>
---
usr/lib/pkcs11/cca_stdll/cca_specific.c | 138 ++++++++++++++++++++++++++++---
usr/lib/pkcs11/cca_stdll/csulincl.h | 35 ++++++++
2 files changed, 160 insertions(+), 13 deletions(-)
diff --git a/usr/lib/pkcs11/cca_stdll/cca_specific.c
b/usr/lib/pkcs11/cca_stdll/cca_specific.c
index 893b33c..9a649d0 100644
--- a/usr/lib/pkcs11/cca_stdll/cca_specific.c
+++ b/usr/lib/pkcs11/cca_stdll/cca_specific.c
@@ -65,20 +65,20 @@ MECH_LIST_ELEMENT mech_list[] = {
{CKM_AES_CBC_PAD, {16, 32, CKF_HW|CKF_ENCRYPT|CKF_DECRYPT|CKF_WRAP|
CKF_UNWRAP}},
{CKM_SHA512, {0, 0, CKF_HW|CKF_DIGEST}},
- {CKM_SHA512_HMAC, {0, 0, CKF_SIGN|CKF_VERIFY}},
- {CKM_SHA512_HMAC_GENERAL, {0, 0, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA512_HMAC, {80, 2048, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA512_HMAC_GENERAL, {80, 2048, CKF_SIGN|CKF_VERIFY}},
{CKM_SHA384, {0, 0, CKF_HW|CKF_DIGEST}},
- {CKM_SHA384_HMAC, {0, 0, CKF_SIGN|CKF_VERIFY}},
- {CKM_SHA384_HMAC_GENERAL, {0, 0, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA384_HMAC, {80, 2048, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA384_HMAC_GENERAL, {80, 2048, CKF_SIGN|CKF_VERIFY}},
{CKM_SHA256, {0, 0, CKF_HW|CKF_DIGEST}},
- {CKM_SHA256_HMAC, {0, 0, CKF_SIGN|CKF_VERIFY}},
- {CKM_SHA256_HMAC_GENERAL, {0, 0, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA256_HMAC, {80, 2048, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA256_HMAC_GENERAL, {80, 2048, CKF_SIGN|CKF_VERIFY}},
{CKM_SHA_1, {0, 0, CKF_DIGEST}},
- {CKM_SHA_1_HMAC, {0, 0, CKF_SIGN|CKF_VERIFY}},
- {CKM_SHA_1_HMAC_GENERAL, {0, 0, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA_1_HMAC, {80, 2048, CKF_SIGN|CKF_VERIFY}},
+ {CKM_SHA_1_HMAC_GENERAL, {80, 2048, CKF_SIGN|CKF_VERIFY}},
{CKM_MD5, {0, 0, CKF_DIGEST}},
- {CKM_MD5_HMAC, {0, 0, CKF_SIGN|CKF_VERIFY}},
- {CKM_MD5_HMAC_GENERAL, {0, 0, CKF_SIGN|CKF_VERIFY}},
+ {CKM_MD5_HMAC, {80, 2048, CKF_SIGN|CKF_VERIFY}},
+ {CKM_MD5_HMAC_GENERAL, {80, 2048, CKF_SIGN|CKF_VERIFY}},
{CKM_EC_KEY_PAIR_GEN, {160, 521, CKF_HW|CKF_GENERATE_KEY_PAIR|
CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
{CKM_ECDSA, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|CKF_EC_NAMEDCURVE|
@@ -1028,7 +1028,7 @@ token_specific_aes_ecb(CK_BYTE *in_data,
return CKR_FUNCTION_FAILED;
}
- key_len = 64;
+ key_len = attr->ulValueLen;
rule_array_count = 4;
memcpy(rule_array, "AES ECB KEYIDENTINITIAL ",
rule_array_count*(size_t)CCA_KEYWORD_SIZE);
@@ -1145,7 +1145,7 @@ token_specific_aes_cbc(CK_BYTE *in_data,
}
length = in_data_len;
- key_len = 64;
+ key_len = attr->ulValueLen;
if (encrypt) {
CSNBSAE(&return_code,
&reason_code,
@@ -2445,9 +2445,99 @@ static CK_RV import_des_key(unsigned char *key, CK_ULONG
keylen,
return CKR_OK;
}
-CK_RV token_specific_object_add(OBJECT *object)
+static CK_RV import_generic_secret_key(unsigned char *key, CK_ULONG keylen,
+ TEMPLATE *obj_tmpl)
{
+ CK_RV rc;
+ long return_code, reason_code, rule_array_count;
+ unsigned char key_token[CCA_KEY_TOKEN_SIZE] = { 0 };
+ unsigned char rule_array[CCA_RULE_ARRAY_SIZE] = { 0 };
+ long key_name_len = 0, clr_key_len = 0;
+ long user_data_len = 0, key_part_len = 0;
+ long token_data_len = 0, verb_data_len = 0;
+ long key_token_len = sizeof(key_token);
+ CK_ATTRIBUTE *opaque_key = NULL;
+
+ /* key len needs to be 80-2048 bits */
+ if (8*keylen < 80 || 8*keylen > 2048) {
+ TRACE_ERROR("HMAC key size of %lu bits not within"
+ " CCA required range of 80-2048 bits\n",
+ 8*keylen);
+ return CKR_KEY_SIZE_RANGE;
+ }
+
+ memcpy(rule_array,
+ "INTERNALNO-KEY HMAC MAC GENERATE",
+ 5 * CCA_KEYWORD_SIZE);
+ rule_array_count = 5;
+
+ CSNBKTB2( &return_code, &reason_code,
+ NULL, NULL,
+ &rule_array_count, rule_array,
+ &clr_key_len, NULL,
+ &key_name_len, NULL,
+ &user_data_len, NULL,
+ &token_data_len, NULL,
+ &verb_data_len, NULL,
+ &key_token_len, key_token );
+ if (return_code != CCA_SUCCESS) {
+ TRACE_ERROR("CSNBKTB2 (HMAC KEY TOKEN BUILD) failed."
+ " return:%ld, reason:%ld\n",
+ return_code, reason_code);
+ return CKR_FUNCTION_FAILED;
+ }
+
+ memcpy(rule_array, "HMAC FIRST MIN1PART", 3 * CCA_KEYWORD_SIZE);
+ rule_array_count = 3;
+ key_part_len = keylen * 8;
+ key_token_len = sizeof(key_token);
+
+ CSNBKPI2( &return_code, &reason_code,
+ NULL, NULL,
+ &rule_array_count, rule_array,
+ &key_part_len, key,
+ &key_token_len, key_token );
+ if (return_code != CCA_SUCCESS) {
+ TRACE_ERROR("CSNBKPI2 (HMAC KEY IMPORT FIRST) failed."
+ " return:%ld, reason:%ld\n",
+ return_code, reason_code);
+ return CKR_FUNCTION_FAILED;
+ }
+
+ memcpy(rule_array, "HMAC COMPLETE", 2 * CCA_KEYWORD_SIZE);
+ rule_array_count = 2;
+ key_part_len = 0;
+ key_token_len = sizeof(key_token);
+
+ CSNBKPI2( &return_code, &reason_code,
+ NULL, NULL,
+ &rule_array_count, rule_array,
+ &key_part_len, NULL,
+ &key_token_len, key_token );
+ if (return_code != CCA_SUCCESS) {
+ TRACE_ERROR("CSNBKPI2 (HMAC KEY IMPORT COMPLETE) failed."
+ " return:%ld, reason:%ld\n",
+ return_code, reason_code);
+ return CKR_FUNCTION_FAILED;
+ }
+ /* Add the key object to the template */
+ if ((rc = build_attribute(CKA_IBM_OPAQUE, key_token,
+ key_token_len, &opaque_key))) {
+ TRACE_DEVEL("build_attribute(CKA_IBM_OPAQUE) failed\n");
+ return rc;
+ }
+ rc = template_update_attribute(obj_tmpl, opaque_key);
+ if (rc != CKR_OK) {
+ TRACE_DEVEL("template_update_attribute(CKA_IBM_OPAQUE)
failed\n");
+ return rc;
+ }
+
+ return CKR_OK;
+}
+
+CK_RV token_specific_object_add(OBJECT *object)
+{
CK_RV rc;
CK_ATTRIBUTE *attr;
CK_KEY_TYPE keytype;
@@ -2527,6 +2617,28 @@ CK_RV token_specific_object_add(OBJECT *object)
}
TRACE_INFO("AES key with len=%ld successful imported\n",
attr->ulValueLen);
+ } else if (keytype == CKK_GENERIC_SECRET) {
+
+ rc = template_attribute_find(object->template, CKA_VALUE,
&attr);
+ if (rc == FALSE) {
+ TRACE_ERROR("Incomplete Generic Secret (HMAC) key
template\n");
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ rc = import_generic_secret_key(attr->pValue, attr->ulValueLen,
+ object->template);
+ if (rc != CKR_OK) {
+ TRACE_DEVEL("Generic Secret (HMAC) key import failed
with rc=0x%lx\n", rc);
+ return CKR_FUNCTION_FAILED;
+ }
+ TRACE_INFO("Generic Secret (HMAC) key with len=%ld successful
imported\n",
+ attr->ulValueLen);
+
+ } else {
+
+ /* unknown/unsupported key type */
+ TRACE_ERROR("Unknown/unsupported key type 0x%lx\n", keytype);
+ return CKR_KEY_FUNCTION_NOT_PERMITTED;
+
}
return CKR_OK;
diff --git a/usr/lib/pkcs11/cca_stdll/csulincl.h
b/usr/lib/pkcs11/cca_stdll/csulincl.h
index 6fbf686..b189c29 100644
--- a/usr/lib/pkcs11/cca_stdll/csulincl.h
+++ b/usr/lib/pkcs11/cca_stdll/csulincl.h
@@ -34,6 +34,7 @@
#define CSNBKGN CSNBKGN_32
#define CSNBKIM CSNBKIM_32
#define CSNBKPI CSNBKPI_32
+ #define CSNBKPI2 CSNBKPI2_32
#define CSNBKRC CSNBKRC_32
#define CSNBAKRC CSNBAKRC_32
#define CSNBKRD CSNBKRD_32
@@ -55,6 +56,7 @@
#define CSNBMGN CSNBMGN_32
#define CSNBMVR CSNBMVR_32
#define CSNBKTB CSNBKTB_32
+ #define CSNBKTB2 CSNBKTB2_32
#define CSNDPKG CSNDPKG_32
#define CSNDPKB CSNDPKB_32
#define CSNBOWH CSNBOWH_32
@@ -218,6 +220,19 @@ extern void SECURITYAPI
unsigned char * key_part,
unsigned char * key_identifier);
+/* Key Part Import2 */
+extern void SECURITYAPI
+ CSNBKPI2_32(long * return_code,
+ long * reason_code,
+ long * exit_data_length,
+ unsigned char * exit_data,
+ long * rule_array_count,
+ unsigned char * rule_array,
+ long * clear_key_part_length,
+ unsigned char * clear_key_part,
+ long * key_identifier_length,
+ unsigned char * key_identifier);
+
/* Key Storage Initialization */
extern void SECURITYAPI
CSNBKSI_32(long * return_code,
@@ -527,6 +542,26 @@ extern void SECURITYAPI
unsigned char * reserved_field_6,
unsigned char * master_key_verification_number );
+/* Key Token Build2 */
+extern void SECURITYAPI
+ CSNBKTB2_32(long * return_code,
+ long * reason_code,
+ long * exit_data_length,
+ unsigned char * exit_data,
+ long * rule_array_count,
+ unsigned char * rule_array,
+ long * clear_key_bit_length,
+ unsigned char * clear_key_value,
+ long * key_name_length,
+ unsigned char * key_name,
+ long * user_associated_data_length,
+ unsigned char * user_associated_data,
+ long * token_data_length,
+ unsigned char * token_data,
+ long * reserved_length,
+ unsigned char * reserved,
+ long * target_key_token_length,
+ unsigned char * target_key_token);
/* PKA Key Generate */
extern void SECURITYAPI
--
1.7.9.5
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Opencryptoki-tech mailing list
Opencryptoki-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
