Add fixes to cryptoauthlib to support Java PKCS11 requirements, to support Greengrass V2 #290

Merged
merged 3 commits into from
Apr 13, 2022
10 changes: 5 additions & 5 deletions lib/pkcs11/pkcs11_key.c
Expand Up @@ -513,12 +513,12 @@ const pkcs11_attrib_model pkcs11_key_private_attributes[] = {
{ CKA_SIGN_RECOVER, NULL_PTR },
/** CK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys)9 */
{ CKA_UNWRAP, NULL_PTR },
/** CK_TRUE if key is extractable and can be wrapped 9 */
{ CKA_EXTRACTABLE, NULL_PTR },
/** CK_TRUE if key is extractable and can be wrapped */
{ CKA_EXTRACTABLE, pkcs11_attrib_false },
/** CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE */
{ CKA_ALWAYS_SENSITIVE, pkcs11_token_get_access_type },
/** CK_TRUE if key has never had the CKA_EXTRACTABLE attribute set to CK_TRUE */
{ CKA_NEVER_EXTRACTABLE, NULL_PTR },
{ CKA_NEVER_EXTRACTABLE, pkcs11_token_get_access_type },
/** CK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE. Default is CK_FALSE. */
{ CKA_WRAP_WITH_TRUSTED, NULL_PTR },
/** For wrapping keys. The attribute template to match against any keys
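Review bot: CKA_NEVER_EXTRACTABLE in pkcs11_key_private_attributes is now served by pkcs11_token_get_access_type, the same handler used for CKA_ALWAYS_SENSITIVE, and nothing in the hunk explains why a token access-type function is the right source for an extractability history flag. With CKA_EXTRACTABLE pinned to pkcs11_attrib_false two entries earlier, a short comment stating what the handler returns for private keys, or a dedicated handler, would make the pairing reviewable. Minor: the stray "9" was dropped from the CKA_EXTRACTABLE comment but is still present in the CKA_UNWRAP comment ("unwrap other keys)9 */").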
Expand Down Expand Up @@ -639,11 +639,11 @@ const pkcs11_attrib_model pkcs11_key_secret_attributes[] = {
/** CK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys) */
{ CKA_UNWRAP, NULL_PTR },
/** CK_TRUE if key is extractable and can be wrapped */
{ CKA_EXTRACTABLE, NULL_PTR },
{ CKA_EXTRACTABLE, pkcs11_attrib_false },
/** CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE */
{ CKA_ALWAYS_SENSITIVE, pkcs11_token_get_access_type },
/** CK_TRUE if key has never had the CKA_EXTRACTABLE attribute set to CK_TRUE */
{ CKA_NEVER_EXTRACTABLE, NULL_PTR },
{ CKA_NEVER_EXTRACTABLE, pkcs11_token_get_access_type },
/** Key checksum */
{ CKA_CHECK_VALUE, pkcs11_key_get_check_value },
/** CK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE. Default is CK_FALSE. */
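Review bot: In pkcs11_key_secret_attributes, CKA_EXTRACTABLE becomes a constant (pkcs11_attrib_false) while CKA_NEVER_EXTRACTABLE is computed per object by pkcs11_token_get_access_type, so the two attributes come from unrelated sources and can report values that do not follow from each other. If secret keys can never leave the device, a constant for both is simpler to reason about; if the answer depends on slot configuration, CKA_EXTRACTABLE should be derived from the same source instead of being hard-coded. Either way, state the intended values in the comments, since the existing text ("CK_TRUE if key is extractable and can be wrapped") does not say that this implementation always answers CK_FALSE.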
15 changes: 15 additions & 0 deletions lib/pkcs11/pkcs11_signature.c
Expand Up @@ -148,6 +148,21 @@ CK_RV pkcs11_signature_sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_UL
return pkcs11_util_convert_rv(status);
}
}
else
{
switch (pSession->active_mech)
{
case CKM_SHA256_HMAC:
*pulSignatureLen = ATCA_SHA256_DIGEST_SIZE;
break;
case CKM_ECDSA:
*pulSignatureLen = ATCA_SIG_SIZE;
break;
default:
status = ATCA_GEN_FAIL;
break;
}
}
}
else
{
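Review bot: The default case of the new switch on pSession->active_mech sets status = ATCA_GEN_FAIL and leaves *pulSignatureLen unwritten, so a caller with an unsupported or unset mechanism gets only a generic failure. A specific PKCS#11 return such as CKR_MECHANISM_INVALID would be easier to diagnose. The condition that selects this else branch is outside the hunk; if this is the length-query path, a one-line comment saying so would help. It is also worth confirming that the code following the switch does not end the sign operation, since the visible lines do not show what happens to the session state after the length is written.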
4 changes: 2 additions & 2 deletions lib/pkcs11/pkcs11_token.c
Expand Up @@ -428,8 +428,8 @@ CK_RV pkcs11_token_get_info(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
pInfo->ulMinPinLen = 0;
pInfo->flags = CKF_RNG;// | CKF_LOGIN_REQUIRED;

pInfo->ulMaxSessionCount = 1;
pInfo->ulMaxRwSessionCount = 1;
pInfo->ulMaxSessionCount = PKCS11_MAX_SESSIONS_ALLOWED;
Contributor Author

Based on bug reports, there is risk that setting this to PKCS11_MAX_SESSIONS_ALLOWED might break something?

pInfo->ulMaxRwSessionCount = PKCS11_MAX_SESSIONS_ALLOWED;

pInfo->ulSessionCount = (slot_ctx->session) ? TRUE : FALSE;
pInfo->ulRwSessionCount = (slot_ctx->session) ? TRUE : FALSE;
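Review bot: ulMaxSessionCount and ulMaxRwSessionCount now advertise PKCS11_MAX_SESSIONS_ALLOWED, but the two lines below still compute ulSessionCount and ulRwSessionCount as (slot_ctx->session) ? TRUE : FALSE, which can only ever report 0 or 1. If more than one session can really be open on the slot, these should return the actual count of open sessions; if the slot context still holds a single session, advertising a larger maximum is misleading and speaks to the concern raised in the inline comment. The commented-out "| CKF_LOGIN_REQUIRED" in the flags line would also benefit from a note on why it is disabled.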