Add IBM specific mechanism and attributes

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
p11-glue · May 16, 2022 · 4059f17 · 4059f17
1 parent 7233528
commit 4059f17
Show file tree

Hide file tree

Showing 5 changed files with 203 additions and 1 deletion.
diff --git a/common/attrs.c b/common/attrs.c
@@ -765,6 +765,23 @@ attribute_is_sensitive (const CK_ATTRIBUTE *attr,
 	X (CKA_TRUST_STEP_UP_APPROVED)
 	X (CKA_CERT_SHA1_HASH)
 	X (CKA_CERT_MD5_HASH)
+	X (CKA_IBM_OPAQUE)
+	X (CKA_IBM_RESTRICTABLE)
+	X (CKA_IBM_NEVER_MODIFIABLE)
+	X (CKA_IBM_RETAINKEY)
+	X (CKA_IBM_ATTRBOUND)
+	X (CKA_IBM_KEYTYPE)
+	X (CKA_IBM_CV)
+	X (CKA_IBM_MACKEY)
+	X (CKA_IBM_USE_AS_DATA)
+	X (CKA_IBM_STRUCT_PARAMS)
+	X (CKA_IBM_STD_COMPLIANCE1)
+	X (CKA_IBM_PROTKEY_EXTRACTABLE)
+	X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE)
+	X (CKA_IBM_OPAQUE_PKEY)
+	X (CKA_IBM_DILITHIUM_KEYFORM)
+	X (CKA_IBM_DILITHIUM_RHO)
+	X (CKA_IBM_DILITHIUM_T1)
 	case CKA_VALUE:
 		return (klass != CKO_CERTIFICATE &&
 			klass != CKO_X_CERTIFICATE_EXTENSION);

diff --git a/common/constants.c b/common/constants.c
@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[] = {
 	CT (CKA_WRAP_TEMPLATE, "wrap-template")
 	CT (CKA_UNWRAP_TEMPLATE, "unwrap-template")
 	CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms")
+	CT (CKA_IBM_OPAQUE, "ibm-opaque")
+	CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable")
+	CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable")
+	CT (CKA_IBM_RETAINKEY, "ibm-retainkey")
+	CT (CKA_IBM_ATTRBOUND, "ibm-attrbound")
+	CT (CKA_IBM_KEYTYPE, "ibm-keytype")
+	CT (CKA_IBM_CV, "ibm-cv")
+	CT (CKA_IBM_MACKEY, "ibm-mackey")
+	CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data")
+	CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params")
+	CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1")
+	CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable")
+	CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable")
+	CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform")
+	CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho")
+	CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed")
+	CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr")
+	CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1")
+	CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2")
+	CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0")
+	CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1")
+	CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey")
 	CT (CKA_NSS_URL, "nss-url")
 	CT (CKA_NSS_EMAIL, "nss-email")
 	CT (CKA_NSS_SMIME_INFO, "nss-smime-constant")
@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] = {
 	CT (CKK_AES, "aes")
 	CT (CKK_BLOWFISH, "blowfish")
 	CT (CKK_TWOFISH, "twofish")
+	CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium")
 	CT (CKK_NSS_PKCS8, "nss-pkcs8")
 	{ CKA_INVALID },
 };
@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanisms[] = {
 	CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen")
 	CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen")
 	CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen")
+	CT (CKM_IBM_SHA3_224, "ibm-sha3-224")
+	CT (CKM_IBM_SHA3_256, "ibm-sha3-256")
+	CT (CKM_IBM_SHA3_384, "ibm-sha3-384")
+	CT (CKM_IBM_SHA3_512, "ibm-sha3-512")
+	CT (CKM_IBM_CMAC, "ibm-cmac")
+	CT (CKM_IBM_EC_X25519, "ibm-ec-x25519")
+	CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512")
+	CT (CKM_IBM_EC_X448, "ibm-ec-x448")
+	CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3")
+	CT (CKM_IBM_DILITHIUM, "ibm-dilithium")
+	CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac")
+	CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac")
+	CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac")
+	CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac")
+	CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap")
 	{ CKA_INVALID },
 };
 

diff --git a/common/pkcs11x.h b/common/pkcs11x.h
@@ -181,6 +181,57 @@ typedef CK_ULONG                        CK_TRUST;
 
 #endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */
 
+/* Define this if you want the IBM specific symbols */
+#define CRYPTOKI_IBM_VENDOR_DEFINED 1
+#ifdef CRYPTOKI_IBM_VENDOR_DEFINED
+
+#define CKK_IBM_PQC_DILITHIUM    CKK_VENDOR_DEFINED + 0x10023
+
+#define CKA_IBM_OPAQUE                         (CKA_VENDOR_DEFINED + 1)
+#define CKA_IBM_RESTRICTABLE                   (CKA_VENDOR_DEFINED + 0x10001)
+#define CKA_IBM_NEVER_MODIFIABLE               (CKA_VENDOR_DEFINED + 0x10002)
+#define CKA_IBM_RETAINKEY                      (CKA_VENDOR_DEFINED + 0x10003)
+#define CKA_IBM_ATTRBOUND                      (CKA_VENDOR_DEFINED + 0x10004)
+#define CKA_IBM_KEYTYPE                        (CKA_VENDOR_DEFINED + 0x10005)
+#define CKA_IBM_CV                             (CKA_VENDOR_DEFINED + 0x10006)
+#define CKA_IBM_MACKEY                         (CKA_VENDOR_DEFINED + 0x10007)
+#define CKA_IBM_USE_AS_DATA                    (CKA_VENDOR_DEFINED + 0x10008)
+#define CKA_IBM_STRUCT_PARAMS                  (CKA_VENDOR_DEFINED + 0x10009)
+#define CKA_IBM_STD_COMPLIANCE1                (CKA_VENDOR_DEFINED + 0x1000a)
+#define CKA_IBM_PROTKEY_EXTRACTABLE            (CKA_VENDOR_DEFINED + 0x1000c)
+#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE      (CKA_VENDOR_DEFINED + 0x1000d)
+#define CKA_IBM_DILITHIUM_KEYFORM              (CKA_VENDOR_DEFINED + 0xd0001)
+#define CKA_IBM_DILITHIUM_RHO                  (CKA_VENDOR_DEFINED + 0xd0002)
+#define CKA_IBM_DILITHIUM_SEED                 (CKA_VENDOR_DEFINED + 0xd0003)
+#define CKA_IBM_DILITHIUM_TR                   (CKA_VENDOR_DEFINED + 0xd0004)
+#define CKA_IBM_DILITHIUM_S1                   (CKA_VENDOR_DEFINED + 0xd0005)
+#define CKA_IBM_DILITHIUM_S2                   (CKA_VENDOR_DEFINED + 0xd0006)
+#define CKA_IBM_DILITHIUM_T0                   (CKA_VENDOR_DEFINED + 0xd0007)
+#define CKA_IBM_DILITHIUM_T1                   (CKA_VENDOR_DEFINED + 0xd0008)
+#define CKA_IBM_OPAQUE_PKEY                    (CKA_VENDOR_DEFINED + 0xd0100)
+
+#define CKM_IBM_SHA3_224                       (CKM_VENDOR_DEFINED + 0x10001)
+#define CKM_IBM_SHA3_256                       (CKM_VENDOR_DEFINED + 0x10002)
+#define CKM_IBM_SHA3_384                       (CKM_VENDOR_DEFINED + 0x10003)
+#define CKM_IBM_SHA3_512                       (CKM_VENDOR_DEFINED + 0x10004)
+#define CKM_IBM_CMAC                           (CKM_VENDOR_DEFINED + 0x10007)
+#define CKM_IBM_EC_X25519                      (CKM_VENDOR_DEFINED + 0x1001b)
+#define CKM_IBM_ED25519_SHA512                 (CKM_VENDOR_DEFINED + 0x1001c)
+#define CKM_IBM_EC_X448                        (CKM_VENDOR_DEFINED + 0x1001e)
+#define CKM_IBM_ED448_SHA3                     (CKM_VENDOR_DEFINED + 0x1001f)
+#define CKM_IBM_DILITHIUM                      (CKM_VENDOR_DEFINED + 0x10023)
+#define CKM_IBM_SHA3_224_HMAC                  (CKM_VENDOR_DEFINED + 0x10025)
+#define CKM_IBM_SHA3_256_HMAC                  (CKM_VENDOR_DEFINED + 0x10026)
+#define CKM_IBM_SHA3_384_HMAC                  (CKM_VENDOR_DEFINED + 0x10027)
+#define CKM_IBM_SHA3_512_HMAC                  (CKM_VENDOR_DEFINED + 0x10028)
+#define CKM_IBM_ATTRIBUTEBOUND_WRAP            (CKM_VENDOR_DEFINED + 0x20004)
+
+typedef struct CK_IBM_ATTRIBUTEBOUND_WRAP {
+      CK_OBJECT_HANDLE hSignVerifyKey;
+} CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS;
+
+#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */
+
 #if defined(__cplusplus)
 }
 #endif

diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
@@ -807,6 +807,13 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
 	case CKA_RESET_ON_INIT:
 	case CKA_HAS_RESET:
 	case CKA_COLOR:
+	case CKA_IBM_RESTRICTABLE:
+	case CKA_IBM_NEVER_MODIFIABLE:
+	case CKA_IBM_RETAINKEY:
+	case CKA_IBM_ATTRBOUND:
+	case CKA_IBM_USE_AS_DATA:
+	case CKA_IBM_PROTKEY_EXTRACTABLE:
+	case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE:
 		return P11_RPC_VALUE_BYTE;
 	case CKA_CLASS:
 	case CKA_CERTIFICATE_TYPE:
@@ -828,6 +835,9 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
 	case CKA_CHAR_COLUMNS:
 	case CKA_BITS_PER_PIXEL:
 	case CKA_MECHANISM_TYPE:
+	case CKA_IBM_DILITHIUM_KEYFORM:
+	case CKA_IBM_STD_COMPLIANCE1:
+	case CKA_IBM_KEYTYPE:
 		return P11_RPC_VALUE_ULONG;
 	case CKA_WRAP_TEMPLATE:
 	case CKA_UNWRAP_TEMPLATE:
@@ -876,6 +886,18 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
 	case CKA_REQUIRED_CMS_ATTRIBUTES:
 	case CKA_DEFAULT_CMS_ATTRIBUTES:
 	case CKA_SUPPORTED_CMS_ATTRIBUTES:
+	case CKA_IBM_OPAQUE:
+	case CKA_IBM_CV:
+	case CKA_IBM_MACKEY:
+	case CKA_IBM_STRUCT_PARAMS:
+	case CKA_IBM_OPAQUE_PKEY:
+	case CKA_IBM_DILITHIUM_RHO:
+	case CKA_IBM_DILITHIUM_SEED:
+	case CKA_IBM_DILITHIUM_TR:
+	case CKA_IBM_DILITHIUM_S1:
+	case CKA_IBM_DILITHIUM_S2:
+	case CKA_IBM_DILITHIUM_T0:
+	case CKA_IBM_DILITHIUM_T1:
 		return P11_RPC_VALUE_BYTE_ARRAY;
 	}
 }
@@ -1413,9 +1435,59 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value (p11_buffer *buffer,
 	return true;
 }
 
+void
+p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
+						       const void *value,
+						       CK_ULONG value_length)
+{
+	CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
+
+	/* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */
+	if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) {
+		p11_buffer_fail (buffer);
+		return;
+	}
+
+	memcpy (&params, value, value_length);
+
+	/* Check if params.hSignVerifyKey can be converted to uint64_t. */
+	if (params.hSignVerifyKey > UINT64_MAX) {
+		p11_buffer_fail (buffer);
+		return;
+	}
+
+	p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey);
+}
+
+bool
+p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
+						       size_t *offset,
+						       void *value,
+						       CK_ULONG *value_length)
+{
+	uint64_t val;
+
+	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+		return false;
+
+	if (value) {
+		CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
+
+		params.hSignVerifyKey = val;
+
+		memcpy (value, &params, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS));
+	}
+
+	if (value_length)
+		*value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS);
+
+	return true;
+}
+
 static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
 	{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
-	{ CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }
+	{ CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value },
+	{ CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }
 };
 
 static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
@@ -1540,6 +1612,18 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech)
 	case CKM_RIPEMD160:
 	case CKM_RIPEMD160_HMAC:
 	case CKM_KEY_WRAP_LYNKS:
+	case CKM_IBM_SHA3_224:
+	case CKM_IBM_SHA3_256:
+	case CKM_IBM_SHA3_384:
+	case CKM_IBM_SHA3_512:
+	case CKM_IBM_CMAC:
+	case CKM_IBM_DILITHIUM:
+	case CKM_IBM_SHA3_224_HMAC:
+	case CKM_IBM_SHA3_256_HMAC:
+	case CKM_IBM_SHA3_384_HMAC:
+	case CKM_IBM_SHA3_512_HMAC:
+	case CKM_IBM_ED25519_SHA512:
+	case CKM_IBM_ED448_SHA3:
 		return true;
 	default:
 		return false;

diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
@@ -42,6 +42,7 @@
 
 #include "buffer.h"
 #include "pkcs11.h"
+#include "pkcs11x.h"
 
 /* The calls, must be in sync with array below */
 enum {
@@ -479,4 +480,15 @@ bool             p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value
 							   void *value,
 							   CK_ULONG *value_length);
 
+void            p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value
+							  (p11_buffer *buffer,
+							   const void *value,
+							   CK_ULONG value_length);
+
+bool            p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value
+							  (p11_buffer *buffer,
+							   size_t *offset,
+							   void *value,
+							   CK_ULONG *value_length);
+
 #endif /* _RPC_MESSAGE_H */