Added ECDSA SHA2 support to EP11 and CCA tokens
Signed-off-by: Ingo Franzki <ifran...@de.ibm.com>
diff --git a/misc/mech_types.h b/misc/mech_types.h
index 122288e..ff75562 100644
--- a/misc/mech_types.h
+++ b/misc/mech_types.h
@@ -507,6 +507,10 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
#define CKM_EC_KEY_PAIR_GEN 0x00001040
#define CKM_ECDSA 0x00001041
#define CKM_ECDSA_SHA1 0x00001042
+/* The following are new for v2.3 */
+#define CKM_ECDSA_SHA256 0x00001044
+#define CKM_ECDSA_SHA384 0x00001045
+#define CKM_ECDSA_SHA512 0x00001046
/* The following are new for v2.11 */
#define CKM_ECDH1_DERIVE 0x00001050
#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
diff --git a/testcases/crypto/ec_func.c b/testcases/crypto/ec_func.c
index 1f61e1b..06c1501 100644
--- a/testcases/crypto/ec_func.c
+++ b/testcases/crypto/ec_func.c
@@ -134,18 +134,27 @@ _ec_struct der_ec_notsupported[NUMECINVAL] = {
typedef struct signVerifyParam {
CK_MECHANISM_TYPE mechtype;
CK_ULONG inputlen;
+ CK_ULONG parts; /* 0 means process in 1 chunk via
C_Sign, >0 means process in n chunks via C_SignUpdate/C_SignFinal */
}_signVerifyParam;
_signVerifyParam signVerifyInput[] = {
- { CKM_ECDSA, 20 },
- { CKM_ECDSA, 32 },
- { CKM_ECDSA, 48 },
- { CKM_ECDSA, 64 }
+ { CKM_ECDSA, 20, 0},
+ { CKM_ECDSA, 32, 0},
+ { CKM_ECDSA, 48, 0 },
+ { CKM_ECDSA, 64, 0 },
+ { CKM_ECDSA_SHA1, 100, 0 },
+ { CKM_ECDSA_SHA1, 100, 4 },
+ { CKM_ECDSA_SHA256, 100, 0 },
+ { CKM_ECDSA_SHA256, 100, 4 },
+ { CKM_ECDSA_SHA384, 100, 0 },
+ { CKM_ECDSA_SHA384, 100, 4 },
+ { CKM_ECDSA_SHA512, 100, 0 },
+ { CKM_ECDSA_SHA512, 100, 4 }
};
CK_RV
-run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE
mechType, CK_ULONG inputlen, CK_OBJECT_HANDLE priv_key, CK_OBJECT_HANDLE
publ_key)
+run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE
mechType, CK_ULONG inputlen, CK_ULONG parts, CK_OBJECT_HANDLE priv_key,
CK_OBJECT_HANDLE publ_key)
{
CK_MECHANISM mech2;
CK_BYTE_PTR data = NULL, signature = NULL;
@@ -153,7 +162,7 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session,
CK_MECHANISM_TYPE mechType,
CK_MECHANISM_INFO mech_info;
CK_RV rc;
- testcase_begin("Starting with mechtype='%s', inputlen=%lu",
p11_get_ckm(mechType), inputlen);
+ testcase_begin("Starting with mechtype='%s', inputlen=%lu parts=%lu",
p11_get_ckm(mechType), inputlen, parts);
mech2.mechanism = mechType;
mech2.ulParameterLen = 0;
@@ -192,11 +201,28 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session,
CK_MECHANISM_TYPE mechType,
goto testcase_cleanup;
}
- /* get signature length */
- rc = funcs->C_Sign(session, data, inputlen, NULL, &signaturelen);
- if (rc != CKR_OK) {
- testcase_error("C_Sign rc=%s", p11_get_ckr(rc));
- goto testcase_cleanup;
+ if (parts > 0) {
+ for (i = 0; i < parts; i++) {
+ rc = funcs->C_SignUpdate(session, data, inputlen);
+ if (rc != CKR_OK) {
+ testcase_error("C_SignUpdate rc=%s",
p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+
+ /* get signature length */
+ rc = funcs->C_SignFinal(session, signature, &signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_SignFinal rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+ else {
+ rc = funcs->C_Sign(session, data, inputlen, NULL,
&signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_Sign rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
}
signature = calloc(sizeof(CK_BYTE), signaturelen);
@@ -207,10 +233,19 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session,
CK_MECHANISM_TYPE mechType,
goto testcase_cleanup;
}
- rc = funcs->C_Sign(session, data, inputlen, signature, &signaturelen);
- if (rc != CKR_OK) {
- testcase_error("C_Sign rc=%s", p11_get_ckr(rc));
- goto testcase_cleanup;
+ if (parts > 0) {
+ rc = funcs->C_SignFinal(session,signature, &signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_SignFinal rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+ else {
+ rc = funcs->C_Sign(session, data, inputlen, signature,
&signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_Sign rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
}
/****** Verify *******/
@@ -220,10 +255,27 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session,
CK_MECHANISM_TYPE mechType,
goto testcase_cleanup;
}
- rc = funcs->C_Verify(session, data, inputlen, signature, signaturelen);
- if (rc != CKR_OK) {
- testcase_error("C_Verify rc=%s", p11_get_ckr(rc));
- goto testcase_cleanup;
+ if (parts > 0) {
+ for (i = 0; i < parts; i++) {
+ rc = funcs->C_VerifyUpdate(session, data, inputlen);
+ if (rc != CKR_OK) {
+ testcase_error("C_VerifyUpdate rc=%s",
p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+
+ rc = funcs->C_VerifyFinal(session, signature, signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_VerifyFinal rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+ else {
+ rc = funcs->C_Verify(session, data, inputlen, signature,
signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_Verify rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
}
// corrupt the signature and re-verify
@@ -235,11 +287,29 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session,
CK_MECHANISM_TYPE mechType,
goto testcase_cleanup;
}
- rc = funcs->C_Verify(session, data, inputlen, signature, signaturelen);
- if (rc != CKR_SIGNATURE_INVALID) {
- testcase_error("C_Verify rc=%s", p11_get_ckr(rc));
- PRINT_ERR(" Expected CKR_SIGNATURE_INVALID\n");
- goto testcase_cleanup;
+ if (parts > 0) {
+ for (i = 0; i < parts; i++) {
+ rc = funcs->C_VerifyUpdate(session, data, inputlen);
+ if (rc != CKR_OK) {
+ testcase_error("C_VerifyUpdate rc=%s",
p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+
+ rc = funcs->C_VerifyFinal(session, signature, signaturelen);
+ if (rc != CKR_SIGNATURE_INVALID) {
+ testcase_error("C_VerifyFinal rc=%s", p11_get_ckr(rc));
+ PRINT_ERR(" Expected
CKR_SIGNATURE_INVALID\n");
+ goto testcase_cleanup;
+ }
+ }
+ else {
+ rc = funcs->C_Verify(session, data, inputlen, signature,
signaturelen);
+ if (rc != CKR_SIGNATURE_INVALID) {
+ testcase_error("C_Verify rc=%s", p11_get_ckr(rc));
+ PRINT_ERR(" Expected
CKR_SIGNATURE_INVALID\n");
+ goto testcase_cleanup;
+ }
}
rc = CKR_OK;
@@ -318,6 +388,7 @@ run_GenerateECCKeyPairSignVerify()
session,
signVerifyInput[j].mechtype,
signVerifyInput[j].inputlen,
+ signVerifyInput[j].parts,
priv_key,
publ_key);
if (rc != 0) {
diff --git a/testcases/include/mech_to_str.h b/testcases/include/mech_to_str.h
index 79a1848..9f0eff1 100644
--- a/testcases/include/mech_to_str.h
+++ b/testcases/include/mech_to_str.h
@@ -372,6 +372,12 @@ mech_to_str(CK_ULONG mech)
return "CKM_ECDSA";
if (mech == CKM_ECDSA_SHA1)
return "CKM_ECDSA_SHA1";
+ if (mech == CKM_ECDSA_SHA256)
+ return "CKM_ECDSA_SHA256";
+ if (mech == CKM_ECDSA_SHA384)
+ return "CKM_ECDSA_SHA384";
+ if (mech == CKM_ECDSA_SHA512)
+ return "CKM_ECDSA_SHA512";
if (mech == CKM_ECDH1_DERIVE)
return "CKM_ECDH1_DERIVE";
if (mech == CKM_ECDH1_COFACTOR_DERIVE)
diff --git a/usr/include/pkcs11/pkcs11types.h b/usr/include/pkcs11/pkcs11types.h
index 885f29a..a555c24 100755
--- a/usr/include/pkcs11/pkcs11types.h
+++ b/usr/include/pkcs11/pkcs11types.h
@@ -1064,6 +1064,10 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
#define CKM_EC_KEY_PAIR_GEN 0x00001040
#define CKM_ECDSA 0x00001041
#define CKM_ECDSA_SHA1 0x00001042
+/* The following are new for v2.3 */
+#define CKM_ECDSA_SHA256 0x00001044
+#define CKM_ECDSA_SHA384 0x00001045
+#define CKM_ECDSA_SHA512 0x00001046
/* The following are new for v2.11 */
#define CKM_ECDH1_DERIVE 0x00001050
#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
diff --git a/usr/lib/pkcs11/cca_stdll/cca_specific.c
b/usr/lib/pkcs11/cca_stdll/cca_specific.c
index 671ab16..71a8bc9 100644
--- a/usr/lib/pkcs11/cca_stdll/cca_specific.c
+++ b/usr/lib/pkcs11/cca_stdll/cca_specific.c
@@ -177,10 +177,19 @@ MECH_LIST_ELEMENT mech_list[] = {
{CKM_EC_KEY_PAIR_GEN, {160, 521, CKF_HW|CKF_GENERATE_KEY_PAIR|
CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
{CKM_ECDSA, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|CKF_EC_NAMEDCURVE|
- CKF_EC_F_P}},
+ CKF_EC_F_P}},
{CKM_ECDSA_SHA1, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|
- CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
- {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}}
+ CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
+ {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}},
+ {CKM_ECDSA_SHA256, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|
+ CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
+ {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}},
+ {CKM_ECDSA_SHA384, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|
+ CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
+ {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}},
+ {CKM_ECDSA_SHA512, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|
+ CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
+ {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}}
};
CK_ULONG mech_list_len = (sizeof(mech_list) / sizeof(MECH_LIST_ELEMENT));
diff --git a/usr/lib/pkcs11/common/mech_ec.c b/usr/lib/pkcs11/common/mech_ec.c
index 175c637..223f515 100644
--- a/usr/lib/pkcs11/common/mech_ec.c
+++ b/usr/lib/pkcs11/common/mech_ec.c
@@ -272,7 +272,7 @@ ec_hash_sign( SESSION * sess,
CK_BYTE * signature,
CK_ULONG * sig_len )
{
- CK_BYTE hash[SHA1_HASH_SIZE];
+ CK_BYTE hash[MAX_SHA_HASH_SIZE];
DIGEST_CONTEXT digest_ctx;
SIGN_VERIFY_CONTEXT sign_ctx;
CK_MECHANISM digest_mech;
@@ -287,16 +287,38 @@ ec_hash_sign( SESSION * sess,
memset( &digest_ctx, 0x0, sizeof(digest_ctx) );
memset( &sign_ctx, 0x0, sizeof(sign_ctx) );
- digest_mech.mechanism = CKM_SHA_1;
+ switch(ctx->mech.mechanism){
+ case CKM_ECDSA_SHA1:
+ digest_mech.mechanism = CKM_SHA_1;
+ break;
+ case CKM_ECDSA_SHA256:
+ digest_mech.mechanism = CKM_SHA256;
+ break;
+ case CKM_ECDSA_SHA384:
+ digest_mech.mechanism = CKM_SHA384;
+ break;
+ case CKM_ECDSA_SHA512:
+ digest_mech.mechanism = CKM_SHA512;
+ break;
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
+
digest_mech.ulParameterLen = 0;
digest_mech.pParameter = NULL;
+ rc = get_sha_size(digest_mech.mechanism, &hash_len);
+ if (rc != CKR_OK){
+ TRACE_DEVEL("Get SHA Size failed.\n");
+ return rc;
+ }
+
rc = digest_mgr_init( sess, &digest_ctx, &digest_mech );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Init failed.\n");
return rc;
}
- hash_len = sizeof(hash);
+
rc = digest_mgr_digest( sess, length_only, &digest_ctx, in_data,
in_data_len, hash, &hash_len );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Digest failed.\n");
@@ -339,7 +361,23 @@ ec_hash_sign_update( SESSION * sess,
context = (RSA_DIGEST_CONTEXT *)ctx->context;
if (context->flag == FALSE) {
- digest_mech.mechanism = CKM_SHA_1;
+ switch(ctx->mech.mechanism){
+ case CKM_ECDSA_SHA1:
+ digest_mech.mechanism = CKM_SHA_1;
+ break;
+ case CKM_ECDSA_SHA256:
+ digest_mech.mechanism = CKM_SHA256;
+ break;
+ case CKM_ECDSA_SHA384:
+ digest_mech.mechanism = CKM_SHA384;
+ break;
+ case CKM_ECDSA_SHA512:
+ digest_mech.mechanism = CKM_SHA512;
+ break;
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
+
digest_mech.ulParameterLen = 0;
digest_mech.pParameter = NULL;
@@ -366,7 +404,7 @@ ec_hash_sign_final( SESSION * sess,
CK_BYTE * signature,
CK_ULONG * sig_len )
{
- CK_BYTE hash[SHA1_HASH_SIZE];
+ CK_BYTE hash[MAX_SHA_HASH_SIZE];
RSA_DIGEST_CONTEXT * context = NULL;
CK_ULONG hash_len;
CK_MECHANISM sign_mech;
@@ -382,7 +420,12 @@ ec_hash_sign_final( SESSION * sess,
context = (RSA_DIGEST_CONTEXT *)ctx->context;
- hash_len = sizeof(hash);
+ rc = get_sha_size(context->hash_context.mech.mechanism, &hash_len);
+ if (rc != CKR_OK){
+ TRACE_DEVEL("Get SHA Size failed.\n");
+ return rc;
+ }
+
rc = digest_mgr_digest_final( sess, length_only, &context->hash_context,
hash, &hash_len );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Final failed.\n");
@@ -422,7 +465,7 @@ ec_hash_verify( SESSION * sess,
CK_BYTE * signature,
CK_ULONG sig_len )
{
- CK_BYTE hash[SHA1_HASH_SIZE];
+ CK_BYTE hash[MAX_SHA_HASH_SIZE];
DIGEST_CONTEXT digest_ctx;
SIGN_VERIFY_CONTEXT verify_ctx;
CK_MECHANISM digest_mech;
@@ -437,16 +480,38 @@ ec_hash_verify( SESSION * sess,
memset( &digest_ctx, 0x0, sizeof(digest_ctx) );
memset( &verify_ctx, 0x0, sizeof(verify_ctx) );
- digest_mech.mechanism = CKM_SHA_1;
+ switch(ctx->mech.mechanism){
+ case CKM_ECDSA_SHA1:
+ digest_mech.mechanism = CKM_SHA_1;
+ break;
+ case CKM_ECDSA_SHA256:
+ digest_mech.mechanism = CKM_SHA256;
+ break;
+ case CKM_ECDSA_SHA384:
+ digest_mech.mechanism = CKM_SHA384;
+ break;
+ case CKM_ECDSA_SHA512:
+ digest_mech.mechanism = CKM_SHA512;
+ break;
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
+
digest_mech.ulParameterLen = 0;
digest_mech.pParameter = NULL;
+ rc = get_sha_size(digest_mech.mechanism, &hash_len);
+ if (rc != CKR_OK){
+ TRACE_DEVEL("Get SHA Size failed.\n");
+ return rc;
+ }
+
rc = digest_mgr_init( sess, &digest_ctx, &digest_mech );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Init failed.\n");
return rc;
}
- hash_len = sizeof(hash);
+
rc = digest_mgr_digest( sess, FALSE, &digest_ctx, in_data, in_data_len,
hash, &hash_len );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Digest failed.\n");
@@ -492,7 +557,23 @@ ec_hash_verify_update( SESSION * sess,
context = (RSA_DIGEST_CONTEXT *)ctx->context;
if (context->flag == FALSE) {
- digest_mech.mechanism = CKM_SHA_1;
+ switch(ctx->mech.mechanism){
+ case CKM_ECDSA_SHA1:
+ digest_mech.mechanism = CKM_SHA_1;
+ break;
+ case CKM_ECDSA_SHA256:
+ digest_mech.mechanism = CKM_SHA256;
+ break;
+ case CKM_ECDSA_SHA384:
+ digest_mech.mechanism = CKM_SHA384;
+ break;
+ case CKM_ECDSA_SHA512:
+ digest_mech.mechanism = CKM_SHA512;
+ break;
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
+
digest_mech.ulParameterLen = 0;
digest_mech.pParameter = NULL;
@@ -518,7 +599,7 @@ ec_hash_verify_final( SESSION * sess,
CK_BYTE * signature,
CK_ULONG sig_len )
{
- CK_BYTE hash[SHA1_HASH_SIZE];
+ CK_BYTE hash[MAX_SHA_HASH_SIZE];
RSA_DIGEST_CONTEXT * context = NULL;
CK_ULONG hash_len;
CK_MECHANISM verify_mech;
@@ -533,7 +614,12 @@ ec_hash_verify_final( SESSION * sess,
context = (RSA_DIGEST_CONTEXT *)ctx->context;
- hash_len = sizeof(hash);
+ rc = get_sha_size(context->hash_context.mech.mechanism, &hash_len);
+ if (rc != CKR_OK){
+ TRACE_DEVEL("Get SHA Size failed.\n");
+ return rc;
+ }
+
rc = digest_mgr_digest_final( sess, FALSE, &context->hash_context, hash,
&hash_len );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Final failed.\n");
diff --git a/usr/lib/pkcs11/common/p11util.c b/usr/lib/pkcs11/common/p11util.c
index b359b80..27d9365 100755
--- a/usr/lib/pkcs11/common/p11util.c
+++ b/usr/lib/pkcs11/common/p11util.c
@@ -637,6 +637,9 @@ p11_get_ckm(CK_ULONG mechanism)
_sym2str(CKM_EC_KEY_PAIR_GEN);
_sym2str(CKM_ECDSA);
_sym2str(CKM_ECDSA_SHA1);
+ _sym2str(CKM_ECDSA_SHA256);
+ _sym2str(CKM_ECDSA_SHA384);
+ _sym2str(CKM_ECDSA_SHA512);
_sym2str(CKM_ECDH1_DERIVE);
_sym2str(CKM_ECDH1_COFACTOR_DERIVE);
_sym2str(CKM_ECMQV_DERIVE);
diff --git a/usr/lib/pkcs11/common/sign_mgr.c b/usr/lib/pkcs11/common/sign_mgr.c
index 01fd424..4bc3659 100755
--- a/usr/lib/pkcs11/common/sign_mgr.c
+++ b/usr/lib/pkcs11/common/sign_mgr.c
@@ -428,6 +428,9 @@ sign_mgr_init( SESSION * sess,
case CKM_ECDSA:
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
{
if (mech->ulParameterLen != 0){
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
@@ -1083,6 +1086,9 @@ sign_mgr_sign( SESSION * sess,
in_data, in_data_len,
out_data, out_data_len );
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_sign( sess, length_only, ctx,
in_data, in_data_len,
out_data, out_data_len );
@@ -1163,6 +1169,9 @@ sign_mgr_sign_update( SESSION * sess,
return aes_mac_sign_update( sess, ctx, in_data, in_data_len );
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_sign_update( sess, ctx, in_data, in_data_len );
case CKM_SHA_1_HMAC:
@@ -1236,6 +1245,9 @@ sign_mgr_sign_final( SESSION * sess,
return aes_mac_sign_final( sess, length_only, ctx, signature, sig_len
);
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_sign_final (sess, length_only, ctx, signature, sig_len
);
case CKM_SHA_1_HMAC:
case CKM_SHA256_HMAC:
diff --git a/usr/lib/pkcs11/common/verify_mgr.c
b/usr/lib/pkcs11/common/verify_mgr.c
index 605bd0d..1aad58d 100755
--- a/usr/lib/pkcs11/common/verify_mgr.c
+++ b/usr/lib/pkcs11/common/verify_mgr.c
@@ -425,6 +425,9 @@ verify_mgr_init( SESSION * sess,
case CKM_ECDSA:
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
{
if (mech->ulParameterLen != 0){
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
@@ -1081,6 +1084,9 @@ verify_mgr_verify( SESSION * sess,
in_data, in_data_len, signature, sig_len);
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_verify( sess, ctx,
in_data, in_data_len,
signature, sig_len );
@@ -1149,6 +1155,9 @@ verify_mgr_verify_update( SESSION * sess,
return aes_mac_verify_update( sess, ctx, in_data, in_data_len );
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_verify_update( sess, ctx, in_data, in_data_len );
case CKM_SHA_1_HMAC:
@@ -1218,6 +1227,9 @@ verify_mgr_verify_final( SESSION * sess,
return aes_mac_verify_final( sess, ctx, signature, sig_len );
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_verify_final( sess, ctx, signature, sig_len );
case CKM_SHA_1_HMAC:
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 7e484b0..8a346dc 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -478,6 +478,34 @@ static CK_ULONG ep11_pin_blob_len = 0;
#define CKM_SHA224_HMAC 0x00000256
#define CKM_SHA384_KEY_DERIVATION 0x00000394
#define CKM_SHA512_KEY_DERIVATION 0x00000395
+#define CKM_SHA512_224 0x000002B0
+#define CKM_SHA512_224_HMAC 0x000002B1
+#define CKM_SHA512_224_HMAC_GENERAL 0x000002B2
+#define CKM_SHA512_256 0x000002C0
+#define CKM_SHA512_256_HMAC 0x000002C1
+#define CKM_SHA512_256_HMAC_GENERAL 0x000002C2
+#define CKM_ECDSA_SHA224 0x00001043
+
+/* Vendor specific mechanisms unknown by ock, but known by EP11 */
+#define CKA_IBM_MACKEY CKM_VENDOR_DEFINED + 0x00010007
+#define CKM_IBM_ECDSA_SHA224 CKM_VENDOR_DEFINED + 0x00010008
+#define CKM_IBM_ECDSA_SHA256 CKM_VENDOR_DEFINED + 0x00010009
+#define CKM_IBM_ECDSA_SHA384 CKM_VENDOR_DEFINED + 0x0001000A
+#define CKM_IBM_ECDSA_SHA512 CKM_VENDOR_DEFINED + 0x0001000B
+#define CKM_IBM_EC_MULTIPLY CKM_VENDOR_DEFINED + 0x0001000C
+#define CKM_IBM_EAC CKM_VENDOR_DEFINED + 0x0001000D
+#define CKM_IBM_SHA512_256 CKM_VENDOR_DEFINED + 0x00010012
+#define CKM_IBM_SHA512_224 CKM_VENDOR_DEFINED + 0x00010013
+#define CKM_IBM_SHA512_256_HMAC CKM_VENDOR_DEFINED + 0x00010014
+#define CKM_IBM_SHA512_224_HMAC CKM_VENDOR_DEFINED + 0x00010015
+#define CKM_IBM_SHA512_256_KEY_DERIVATION CKM_VENDOR_DEFINED + 0x00010016
+#define CKM_IBM_SHA512_224_KEY_DERIVATION CKM_VENDOR_DEFINED + 0x00010017
+#define CKM_IBM_ATTRIBUTEBOUND_WRAP CKM_VENDOR_DEFINED + 0x00020004
+#define CKM_IBM_TRANSPORTKEY CKM_VENDOR_DEFINED + 0x00020005
+#define CKM_IBM_DH_PKCS_DERIVE_RAW CKM_VENDOR_DEFINED + 0x00020006
+#define CKM_IBM_ECDH1_DERIVE_RAW CKM_VENDOR_DEFINED + 0x00020007
+#define CKM_IBM_RETAINKEY CKM_VENDOR_DEFINED + 0x00040001
+
static CK_BBOOL ep11_initialized = FALSE;
@@ -986,6 +1014,10 @@ static const char* ep11_get_ckm(CK_ULONG mechanism)
case CKM_EC_KEY_PAIR_GEN: return "CKM_EC_KEY_PAIR_GEN";
case CKM_ECDSA: return "CKM_ECDSA";
case CKM_ECDSA_SHA1: return "CKM_ECDSA_SHA1";
+ case CKM_ECDSA_SHA224: return "CKM_ECDSA_SHA224";
+ case CKM_ECDSA_SHA256: return "CKM_ECDSA_SHA256";
+ case CKM_ECDSA_SHA384: return "CKM_ECDSA_SHA384";
+ case CKM_ECDSA_SHA512: return "CKM_ECDSA_SHA512";
case CKM_ECDH1_DERIVE: return "CKM_ECDH1_DERIVE";
case CKM_ECDH1_COFACTOR_DERIVE: return "CKM_ECDH1_COFACTOR_DERIVE";
case CKM_ECMQV_DERIVE: return "CKM_ECMQV_DERIVE";
@@ -1017,24 +1049,30 @@ static const char* ep11_get_ckm(CK_ULONG mechanism)
case CKM_SHA224_HMAC: return "CKM_SHA224_HMAC";
case CKM_SHA384_KEY_DERIVATION: return "CKM_SHA384_KEY_DERIVATION";
case CKM_SHA512_KEY_DERIVATION: return "CKM_SHA512_KEY_DERIVATION";
- case CKM_VENDOR_DEFINED + 0x10007: return "CKA_IBM_MACKEY";
- case CKM_VENDOR_DEFINED + 0x10008: return "CKM_IBM_ECDSA_SHA224";
- case CKM_VENDOR_DEFINED + 0x10009: return "CKM_IBM_ECDSA_SHA256";
- case CKM_VENDOR_DEFINED + 0x1000a: return "CKM_IBM_ECDSA_SHA384";
- case CKM_VENDOR_DEFINED + 0x1000b: return "CKM_IBM_ECDSA_SHA512";
- case CKR_VENDOR_DEFINED + 0x1000c: return "CKM_IBM_EC_MULTIPLY";
- case CKM_VENDOR_DEFINED + 0x1000d: return "CKM_IBM_EAC";
- case CKM_VENDOR_DEFINED + 0x10012: return "CKM_IBM_SHA512_256";
- case CKM_VENDOR_DEFINED + 0x10013: return "CKM_IBM_SHA512_224";
- case CKM_VENDOR_DEFINED + 0x10014: return "CKM_IBM_SHA512_256_HMAC";
- case CKM_VENDOR_DEFINED + 0x10015: return "CKM_IBM_SHA512_224_HMAC";
- case CKM_VENDOR_DEFINED + 0x10016: return
"CKM_IBM_SHA512_256_KEY_DERIVATION";
- case CKM_VENDOR_DEFINED + 0x10017: return
"CKM_IBM_SHA512_224_KEY_DERIVATION";
- case CKM_VENDOR_DEFINED + 0x20004: return "CKM_IBM_ATTRIBUTEBOUND_WRAP";
- case CKM_VENDOR_DEFINED + 0x20005: return "CKM_IBM_TRANSPORTKEY";
- case CKM_VENDOR_DEFINED + 0x20006: return "CKM_IBM_DH_PKCS_DERIVE_RAW";
- case CKM_VENDOR_DEFINED + 0x20007: return "CKM_IBM_ECDH1_DERIVE_RAW";
- case CKM_VENDOR_DEFINED + 0x40001: return "CKM_IBM_RETAINKEY";
+ case CKM_SHA512_224: return "CKM_SHA512_224";
+ case CKM_SHA512_224_HMAC: return "CKM_SHA512_224_HMAC";
+ case CKM_SHA512_224_HMAC_GENERAL: return "CKM_SHA512_224_HMAC_GENERAL";
+ case CKM_SHA512_256: return "CKM_SHA512_256";
+ case CKM_SHA512_256_HMAC: return "CKM_SHA512_256_HMAC";
+ case CKM_SHA512_256_HMAC_GENERAL: return "CKM_SHA512_256_HMAC_GENERAL";
+ case CKA_IBM_MACKEY: return "CKA_IBM_MACKEY";
+ case CKM_IBM_ECDSA_SHA224: return "CKM_IBM_ECDSA_SHA224";
+ case CKM_IBM_ECDSA_SHA256: return "CKM_IBM_ECDSA_SHA256";
+ case CKM_IBM_ECDSA_SHA384: return "CKM_IBM_ECDSA_SHA384";
+ case CKM_IBM_ECDSA_SHA512: return "CKM_IBM_ECDSA_SHA512";
+ case CKM_IBM_EC_MULTIPLY: return "CKM_IBM_EC_MULTIPLY";
+ case CKM_IBM_EAC: return "CKM_IBM_EAC";
+ case CKM_IBM_SHA512_256: return "CKM_IBM_SHA512_256";
+ case CKM_IBM_SHA512_224: return "CKM_IBM_SHA512_224";
+ case CKM_IBM_SHA512_256_HMAC: return "CKM_IBM_SHA512_256_HMAC";
+ case CKM_IBM_SHA512_224_HMAC: return "CKM_IBM_SHA512_224_HMAC";
+ case CKM_IBM_SHA512_256_KEY_DERIVATION: return
"CKM_IBM_SHA512_256_KEY_DERIVATION";
+ case CKM_IBM_SHA512_224_KEY_DERIVATION: return
"CKM_IBM_SHA512_224_KEY_DERIVATION";
+ case CKM_IBM_ATTRIBUTEBOUND_WRAP: return "CKM_IBM_ATTRIBUTEBOUND_WRAP";
+ case CKM_IBM_TRANSPORTKEY: return "CKM_IBM_TRANSPORTKEY";
+ case CKM_IBM_DH_PKCS_DERIVE_RAW: return "CKM_IBM_DH_PKCS_DERIVE_RAW";
+ case CKM_IBM_ECDH1_DERIVE_RAW: return "CKM_IBM_ECDH1_DERIVE_RAW";
+ case CKM_IBM_RETAINKEY: return "CKM_IBM_RETAINKEY";
default:
TRACE_WARNING("%s unknown mechanism %lx\n", __func__,
mechanism);
return "UNKNOWN";
@@ -3666,14 +3704,30 @@ CK_MECHANISM_TYPE ep11_banned_mech_list[] =
CKM_SHA224_KEY_DERIVATION,
CKM_SHA384_KEY_DERIVATION,
CKM_SHA512_KEY_DERIVATION,
+ CKM_ECDSA_SHA224,
+ CKM_SHA512_224,
+ CKM_SHA512_224_HMAC,
+ CKM_SHA512_224_HMAC_GENERAL,
+ CKM_SHA512_256,
+ CKM_SHA512_256_HMAC,
+ CKM_SHA512_256_HMAC_GENERAL,
+
/* Vendor specific */
- 0x80020006,
- 0x80020007,
- 0x8001000C,
- 0x80020004,
- 0x8001000D,
- 0x80040001,
- 0x80010007,
+ CKM_IBM_DH_PKCS_DERIVE_RAW,
+ CKM_IBM_ECDH1_DERIVE_RAW,
+ CKM_IBM_EC_MULTIPLY,
+ CKM_IBM_ATTRIBUTEBOUND_WRAP,
+ CKM_IBM_EAC,
+ CKM_IBM_RETAINKEY,
+ CKA_IBM_MACKEY,
+ CKM_IBM_ECDSA_SHA224,
+ CKM_IBM_ECDSA_SHA256,
+ CKM_IBM_ECDSA_SHA384,
+ CKM_IBM_ECDSA_SHA512,
+ CKM_IBM_SHA512_256,
+ CKM_IBM_SHA512_224,
+ CKM_IBM_SHA512_256_HMAC,
+ CKM_IBM_SHA512_224_HMAC,
#endif
};
diff --git a/usr/sbin/pkcsconf/pkcsconf_msg.h b/usr/sbin/pkcsconf/pkcsconf_msg.h
index 56972a7..b95c226 100755
--- a/usr/sbin/pkcsconf/pkcsconf_msg.h
+++ b/usr/sbin/pkcsconf/pkcsconf_msg.h
@@ -511,6 +511,9 @@ struct _pkcs11_mech_list {
{ "CKM_EC_KEY_PAIR_GEN", CKM_EC_KEY_PAIR_GEN },
{ "CKM_ECDSA", CKM_ECDSA },
{ "CKM_ECDSA_SHA1", CKM_ECDSA_SHA1 },
+ { "CKM_ECDSA_SHA256", CKM_ECDSA_SHA256 },
+ { "CKM_ECDSA_SHA384", CKM_ECDSA_SHA384 },
+ { "CKM_ECDSA_SHA512", CKM_ECDSA_SHA512 },
{ "CKM_ECDH1_DERIVE", CKM_ECDH1_DERIVE },
{ "CKM_ECDH1_COFACTOR_DERIVE", CKM_ECDH1_COFACTOR_DERIVE },
{ "CKM_ECMQV_DERIVE", CKM_ECMQV_DERIVE },
diff --git a/usr/sbin/pkcsslotd/err.c b/usr/sbin/pkcsslotd/err.c
index 6ec7c41..db56714 100755
--- a/usr/sbin/pkcsslotd/err.c
+++ b/usr/sbin/pkcsslotd/err.c
@@ -761,6 +761,9 @@
CONSTINFO(CKM_ECDSA_KEY_PAIR_GEN),
CONSTINFO(CKM_ECDSA),
CONSTINFO(CKM_ECDSA_SHA1),
+ CONSTINFO(CKM_ECDSA_SHA256),
+ CONSTINFO(CKM_ECDSA_SHA384),
+ CONSTINFO(CKM_ECDSA_SHA512),
CONSTINFO(CKM_JUNIPER_KEY_GEN),
CONSTINFO(CKM_JUNIPER_ECB128),
CONSTINFO(CKM_JUNIPER_CBC128),
--
Ingo Franzki
eMail: ifran...@linux.vnet.ibm.com
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on z Systems Development, IBM z Systems, Schoenaicher Str. 220, 71032
Boeblingen, Germany
IBM Deutschland Research & Development GmbH / Vorsitzender des Aufsichtsrats:
Martina Koederitz
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB
243294
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Opencryptoki-tech mailing list
Opencryptoki-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
