Blame SOURCES/0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch

971d89
From 76307be97a42f5a743e7cf0ef75a87dac0c0106f Mon Sep 17 00:00:00 2001
971d89
From: Ingo Franzki <ifranzki@linux.ibm.com>
971d89
Date: Wed, 16 Feb 2022 13:04:24 +0100
971d89
Subject: [PATCH 19/34] COMMON: Dilithium key BER encoding/decoding allow
971d89
 different OIDs
971d89
971d89
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
971d89
---
971d89
 usr/lib/cca_stdll/cca_stdll.mk           |   2 +-
971d89
 usr/lib/common/asn1.c                    | 143 ++++++++++++++++++++-----------
971d89
 usr/lib/common/globals.c                 |   8 +-
971d89
 usr/lib/common/h_extern.h                |  54 ++++++------
971d89
 usr/lib/common/key.c                     |  10 ++-
971d89
 usr/lib/common/key_mgr.c                 |  13 ++-
971d89
 usr/lib/ep11_stdll/ep11_specific.c       |   6 +-
971d89
 usr/lib/ep11_stdll/ep11_stdll.mk         |   3 +-
971d89
 usr/lib/ica_s390_stdll/ica_s390_stdll.mk |   2 +-
971d89
 usr/lib/icsf_stdll/icsf_stdll.mk         |   2 +-
971d89
 usr/lib/soft_stdll/soft_stdll.mk         |   2 +-
971d89
 usr/lib/tpm_stdll/tpm_stdll.mk           |   2 +-
971d89
 usr/sbin/pkcscca/pkcscca.mk              |   2 +-
971d89
 13 files changed, 152 insertions(+), 97 deletions(-)
971d89
971d89
diff --git a/usr/lib/cca_stdll/cca_stdll.mk b/usr/lib/cca_stdll/cca_stdll.mk
971d89
index 9b71085a..5963df59 100644
971d89
--- a/usr/lib/cca_stdll/cca_stdll.mk
971d89
+++ b/usr/lib/cca_stdll/cca_stdll.mk
971d89
@@ -41,7 +41,7 @@ opencryptoki_stdll_libpkcs11_cca_la_SOURCES = usr/lib/common/asn1.c	\
971d89
 	usr/lib/common/utility_common.c usr/lib/common/ec_supported.c	\
971d89
 	usr/lib/api/policyhelper.c usr/lib/config/configuration.c	\
971d89
 	usr/lib/config/cfgparse.y usr/lib/config/cfglex.l		\
971d89
-	usr/lib/common/mech_openssl.c
971d89
+	usr/lib/common/mech_openssl.c usr/lib/common/pqc_supported.c
971d89
 
971d89
 if ENABLE_LOCKS
971d89
 opencryptoki_stdll_libpkcs11_cca_la_SOURCES +=				\
971d89
diff --git a/usr/lib/common/asn1.c b/usr/lib/common/asn1.c
971d89
index b3f49c41..884ef489 100644
971d89
--- a/usr/lib/common/asn1.c
971d89
+++ b/usr/lib/common/asn1.c
971d89
@@ -24,6 +24,7 @@
971d89
 #include "host_defs.h"
971d89
 #include "h_extern.h"
971d89
 #include "trace.h"
971d89
+#include "pqc_defs.h"
971d89
 
971d89
 
971d89
 //
971d89
@@ -3616,7 +3617,7 @@ cleanup:
971d89
  *
971d89
  *  SEQUENCE (2 elem)
971d89
  *    SEQUENCE (2 elem)
971d89
- *      OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.1.6.5
971d89
+ *      OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.xxx
971d89
  *      NULL
971d89
  *    BIT STRING (1 elem)
971d89
  *      SEQUENCE (2 elem)
971d89
@@ -3624,20 +3625,26 @@ cleanup:
971d89
  *        BIT STRING (13824 bit) = 1728 bytes
971d89
  */
971d89
 CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
971d89
-                          CK_BYTE **data, CK_ULONG *data_len,
971d89
-                          CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1)
971d89
+                                        CK_BYTE **data, CK_ULONG *data_len,
971d89
+                                        const CK_BYTE *oid, CK_ULONG oid_len,
971d89
+                                        CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1)
971d89
 {
971d89
     CK_BYTE *buf = NULL, *buf2 = NULL, *buf3 = NULL, *buf4 = NULL;
971d89
-    CK_ULONG len = 0, len4, offset, total, total_len;
971d89
+    CK_BYTE *buf5 = NULL, *algid = NULL;
971d89
+    CK_ULONG len = 0, len4, offset, total, total_len, algid_len;
971d89
     CK_RV rc;
971d89
 
971d89
     UNUSED(length_only);
971d89
 
971d89
     offset = 0;
971d89
     rc = 0;
971d89
-    total_len = ber_AlgIdDilithiumLen;
971d89
+    total_len = 0;
971d89
     total = 0;
971d89
 
971d89
+    /* Calculate storage for AlgID sequence */
971d89
+    rc |= ber_encode_SEQUENCE(TRUE, NULL, &total_len, NULL,
971d89
+                              oid_len + ber_NULLLen);
971d89
+
971d89
     /* Calculate storage for inner sequence */
971d89
     rc |= ber_encode_INTEGER(TRUE, NULL, &len, NULL, rho->ulValueLen);
971d89
     offset += len;
971d89
@@ -3709,12 +3716,30 @@ CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
971d89
 
971d89
     /*
971d89
      * SEQUENCE (2 elem)
971d89
-     *      OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.1.6.5
971d89
+     *      OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.xxx
971d89
      *      NULL  <- no parms for this oid
971d89
      */
971d89
-    total_len = 0;
971d89
-    memcpy(buf3 + total_len, ber_AlgIdDilithium, ber_AlgIdDilithiumLen);
971d89
-    total_len += ber_AlgIdDilithiumLen;
971d89
+    buf5 = (CK_BYTE *) malloc(oid_len + ber_NULLLen);
971d89
+    if (!buf5) {
971d89
+        TRACE_ERROR("%s Memory allocation failed\n", __func__);
971d89
+        rc = CKR_HOST_MEMORY;
971d89
+        goto error;
971d89
+    }
971d89
+    memcpy(buf5, oid, oid_len);
971d89
+    memcpy(buf5 + oid_len, ber_NULL, ber_NULLLen);
971d89
+
971d89
+    rc = ber_encode_SEQUENCE(FALSE, &algid, &algid_len, buf5,
971d89
+                             oid_len + ber_NULLLen);
971d89
+    free(buf5);
971d89
+    if (rc != CKR_OK) {
971d89
+        TRACE_ERROR("%s ber_encode_SEQUENCE failed with rc=0x%lx\n", __func__, rc);
971d89
+        goto error;
971d89
+    }
971d89
+
971d89
+    total_len = algid_len;
971d89
+    memcpy(buf3, algid, algid_len);
971d89
+    free(algid);
971d89
+    algid = NULL;
971d89
 
971d89
     /*
971d89
      * BIT STRING (1 elem)
971d89
@@ -3760,16 +3785,15 @@ error:
971d89
 
971d89
 
971d89
 CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
971d89
-                              CK_ULONG data_len,
971d89
-                              CK_ATTRIBUTE **rho_attr,
971d89
-                              CK_ATTRIBUTE **t1_attr)
971d89
+                                        CK_ULONG data_len,
971d89
+                                        CK_ATTRIBUTE **rho_attr,
971d89
+                                        CK_ATTRIBUTE **t1_attr)
971d89
 {
971d89
     CK_ATTRIBUTE *rho_attr_temp = NULL;
971d89
     CK_ATTRIBUTE *t1_attr_temp = NULL;
971d89
 
971d89
-    CK_BYTE *algid_DilithiumBase = NULL;
971d89
-    CK_BYTE *algid = NULL;
971d89
-    CK_ULONG algid_len;
971d89
+    CK_BYTE *algoid = NULL;
971d89
+    CK_ULONG algoid_len;
971d89
     CK_BYTE *param = NULL;
971d89
     CK_ULONG param_len;
971d89
     CK_BYTE *val = NULL;
971d89
@@ -3780,26 +3804,20 @@ CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
971d89
     CK_ULONG rho_len;
971d89
     CK_BYTE *t1;
971d89
     CK_ULONG t1_len;
971d89
-    CK_ULONG field_len, offset, len;
971d89
+    CK_ULONG field_len, offset;
971d89
     CK_RV rc;
971d89
 
971d89
     UNUSED(data_len); // XXX can this parameter be removed ?
971d89
 
971d89
-    rc = ber_decode_SPKI(data, &algid, &algid_len, &param, &param_len,
971d89
+    rc = ber_decode_SPKI(data, &algoid, &algoid_len, &param, &param_len,
971d89
                          &val, &val_len);
971d89
     if (rc != CKR_OK) {
971d89
        TRACE_DEVEL("ber_decode_SPKI failed\n");
971d89
        return rc;
971d89
     }
971d89
 
971d89
-    /* Make sure we're dealing with a Dilithium key */
971d89
-    rc = ber_decode_SEQUENCE((CK_BYTE *)ber_AlgIdDilithium, &algid_DilithiumBase, &len,
971d89
-                             &field_len);
971d89
-    if (rc != CKR_OK) {
971d89
-        TRACE_DEVEL("ber_decode_SEQUENCE failed\n");
971d89
-        return rc;
971d89
-    }
971d89
-    if (memcmp(algid, algid_DilithiumBase, len) != 0) {
971d89
+    if (algoid_len != dilithium_r2_65_len ||
971d89
+        memcmp(algoid, dilithium_r2_65, dilithium_r2_65_len) != 0) {
971d89
         TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
971d89
         return CKR_FUNCTION_FAILED;
971d89
     }
971d89
@@ -3879,18 +3897,20 @@ cleanup:
971d89
  *     }
971d89
  */
971d89
 CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
971d89
-                               CK_BYTE **data,
971d89
-                               CK_ULONG *data_len,
971d89
-                               CK_ATTRIBUTE *rho,
971d89
-                               CK_ATTRIBUTE *seed,
971d89
-                               CK_ATTRIBUTE *tr,
971d89
-                               CK_ATTRIBUTE *s1,
971d89
-                               CK_ATTRIBUTE *s2,
971d89
-                               CK_ATTRIBUTE *t0,
971d89
-                               CK_ATTRIBUTE *t1)
971d89
+                                         CK_BYTE **data,
971d89
+                                         CK_ULONG *data_len,
971d89
+                                         const CK_BYTE *oid, CK_ULONG oid_len,
971d89
+                                         CK_ATTRIBUTE *rho,
971d89
+                                         CK_ATTRIBUTE *seed,
971d89
+                                         CK_ATTRIBUTE *tr,
971d89
+                                         CK_ATTRIBUTE *s1,
971d89
+                                         CK_ATTRIBUTE *s2,
971d89
+                                         CK_ATTRIBUTE *t0,
971d89
+                                         CK_ATTRIBUTE *t1)
971d89
 {
971d89
     CK_BYTE *buf = NULL, *buf2 = NULL, *buf3 = NULL;
971d89
-    CK_ULONG len, len2 = 0, offset;
971d89
+    CK_BYTE *algid = NULL, *algid_buf = NULL;
971d89
+    CK_ULONG len, len2 = 0, offset, algid_len = 0;
971d89
     CK_BYTE version[] = { 0 };
971d89
     CK_RV rc;
971d89
 
971d89
@@ -3898,6 +3918,9 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
971d89
     offset = 0;
971d89
     rc = 0;
971d89
 
971d89
+    rc |= ber_encode_SEQUENCE(TRUE, NULL, &algid_len, NULL,
971d89
+                              oid_len + ber_NULLLen);
971d89
+
971d89
     rc |= ber_encode_INTEGER(TRUE, NULL, &len, NULL, sizeof(version));
971d89
     offset += len;
971d89
     rc |= ber_encode_BIT_STRING(TRUE, NULL, &len, NULL, rho->ulValueLen, 0);
971d89
@@ -3931,7 +3954,7 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
971d89
         }
971d89
         rc = ber_encode_PrivateKeyInfo(TRUE,
971d89
                                        NULL, data_len,
971d89
-                                       NULL, ber_AlgIdDilithiumLen,
971d89
+                                       NULL, algid_len,
971d89
                                        NULL, len);
971d89
         if (rc != CKR_OK) {
971d89
             TRACE_DEVEL("ber_encode_PrivateKeyInfo failed\n");
971d89
@@ -4051,10 +4074,28 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
971d89
         TRACE_ERROR("ber_encode_SEQUENCE failed\n");
971d89
         goto error;
971d89
     }
971d89
+
971d89
+    algid_buf = (CK_BYTE *) malloc(oid_len + ber_NULLLen);
971d89
+    if (!algid_buf) {
971d89
+        TRACE_ERROR("%s Memory allocation failed\n", __func__);
971d89
+        rc = CKR_HOST_MEMORY;
971d89
+        goto error;
971d89
+    }
971d89
+    memcpy(algid_buf, oid, oid_len);
971d89
+    memcpy(algid_buf + oid_len, ber_NULL, ber_NULLLen);
971d89
+
971d89
+    rc = ber_encode_SEQUENCE(FALSE, &algid, &algid_len, algid_buf,
971d89
+                             oid_len + ber_NULLLen);
971d89
+    free(algid_buf);
971d89
+    if (rc != CKR_OK) {
971d89
+        TRACE_ERROR("%s ber_encode_SEQUENCE failed with rc=0x%lx\n", __func__, rc);
971d89
+        goto error;
971d89
+    }
971d89
+
971d89
     rc = ber_encode_PrivateKeyInfo(FALSE,
971d89
                                    data, data_len,
971d89
-                                   ber_AlgIdDilithium,
971d89
-                                   ber_AlgIdDilithiumLen, buf2, len);
971d89
+                                   algid, algid_len,
971d89
+                                   buf2, len);
971d89
     if (rc != CKR_OK) {
971d89
         TRACE_ERROR("ber_encode_PrivateKeyInfo failed\n");
971d89
     }
971d89
@@ -4066,6 +4107,8 @@ error:
971d89
         free(buf2);
971d89
     if (buf)
971d89
         free(buf);
971d89
+    if (algid)
971d89
+        free(algid);
971d89
 
971d89
     return rc;
971d89
 }
971d89
@@ -4087,19 +4130,19 @@ error:
971d89
  *       }
971d89
  */
971d89
 CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
971d89
-                               CK_ULONG data_len,
971d89
-                               CK_ATTRIBUTE **rho,
971d89
-                               CK_ATTRIBUTE **seed,
971d89
-                               CK_ATTRIBUTE **tr,
971d89
-                               CK_ATTRIBUTE **s1,
971d89
-                               CK_ATTRIBUTE **s2,
971d89
-                               CK_ATTRIBUTE **t0,
971d89
-                               CK_ATTRIBUTE **t1)
971d89
+                                         CK_ULONG data_len,
971d89
+                                         CK_ATTRIBUTE **rho,
971d89
+                                         CK_ATTRIBUTE **seed,
971d89
+                                         CK_ATTRIBUTE **tr,
971d89
+                                         CK_ATTRIBUTE **s1,
971d89
+                                         CK_ATTRIBUTE **s2,
971d89
+                                         CK_ATTRIBUTE **t0,
971d89
+                                         CK_ATTRIBUTE **t1)
971d89
 {
971d89
     CK_ATTRIBUTE *rho_attr = NULL, *seed_attr = NULL;
971d89
     CK_ATTRIBUTE *tr_attr = NULL, *s1_attr = NULL, *s2_attr = NULL;
971d89
     CK_ATTRIBUTE *t0_attr = NULL, *t1_attr = NULL;
971d89
-    CK_BYTE *alg = NULL;
971d89
+    CK_BYTE *algoid = NULL;
971d89
     CK_BYTE *dilithium_priv_key = NULL;
971d89
     CK_BYTE *buf = NULL;
971d89
     CK_BYTE *tmp = NULL;
971d89
@@ -4107,15 +4150,15 @@ CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
971d89
     CK_RV rc;
971d89
 
971d89
     /* Check if this is a Dilithium private key */
971d89
-    rc = ber_decode_PrivateKeyInfo(data, data_len, &alg, &len,
971d89
+    rc = ber_decode_PrivateKeyInfo(data, data_len, &algoid, &len,
971d89
                                    &dilithium_priv_key);
971d89
     if (rc != CKR_OK) {
971d89
         TRACE_DEVEL("ber_decode_PrivateKeyInfo failed\n");
971d89
         return rc;
971d89
     }
971d89
 
971d89
-    if (memcmp(alg, ber_AlgIdDilithium, ber_AlgIdDilithiumLen) != 0) {
971d89
-        // probably ought to use a different error
971d89
+    if (len != dilithium_r2_65_len + ber_NULLLen ||
971d89
+        memcmp(algoid, dilithium_r2_65, dilithium_r2_65_len) != 0) {
971d89
         TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
971d89
         return CKR_FUNCTION_FAILED;
971d89
     }
971d89
diff --git a/usr/lib/common/globals.c b/usr/lib/common/globals.c
971d89
index 5b79e785..a7197ec6 100644
971d89
--- a/usr/lib/common/globals.c
971d89
+++ b/usr/lib/common/globals.c
971d89
@@ -105,11 +105,7 @@ const CK_BYTE ber_AlgIdRSAEncryption[] = {
971d89
 const CK_BYTE der_AlgIdECBase[] =
971d89
     { 0x30, 0x09, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01 };
971d89
 
971d89
-const CK_BYTE ber_AlgIdDilithium[] =
971d89
-    { 0x30, 0x0F, 0x06, 0x0B, 0x2B, 0x06, 0x01,
971d89
-      0x04, 0x01, 0x02, 0x82, 0x0B, 0x01, 0x06,
971d89
-      0x05, 0x05, 0x00
971d89
-};
971d89
+const CK_BYTE ber_NULL[] = { 0x05, 0x00 };
971d89
 
971d89
 // ID Lengths
971d89
 //
971d89
@@ -135,7 +131,7 @@ const CK_ULONG ber_AlgSha384Len = sizeof(ber_AlgSha384);
971d89
 const CK_ULONG ber_AlgSha512Len = sizeof(ber_AlgSha512);
971d89
 const CK_ULONG ber_AlgIdRSAEncryptionLen = sizeof(ber_AlgIdRSAEncryption);
971d89
 const CK_ULONG der_AlgIdECBaseLen = sizeof(der_AlgIdECBase);
971d89
-const CK_ULONG ber_AlgIdDilithiumLen = sizeof(ber_AlgIdDilithium);
971d89
+const CK_ULONG ber_NULLLen = sizeof(ber_NULL);
971d89
 
971d89
 const CK_ULONG des_weak_count = 4;
971d89
 const CK_ULONG des_semi_weak_count = 12;
971d89
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
971d89
index 340ab88d..41ca12df 100644
971d89
--- a/usr/lib/common/h_extern.h
971d89
+++ b/usr/lib/common/h_extern.h
971d89
@@ -56,16 +56,14 @@ extern const CK_BYTE ber_rsaEncryption[];
971d89
 extern const CK_ULONG ber_rsaEncryptionLen;
971d89
 extern const CK_BYTE der_AlgIdECBase[];
971d89
 extern const CK_ULONG der_AlgIdECBaseLen;
971d89
-extern const CK_BYTE ber_AlgIdDilithium[];
971d89
-extern const CK_ULONG ber_AlgIdDilithiumLen;
971d89
 extern const CK_BYTE ber_idDSA[];
971d89
 extern const CK_ULONG ber_idDSALen;
971d89
 extern const CK_BYTE ber_idDH[];
971d89
 extern const CK_ULONG ber_idDHLen;
971d89
 extern const CK_BYTE ber_idEC[];
971d89
 extern const CK_ULONG ber_idECLen;
971d89
-extern const CK_BYTE ber_idDilithium[];
971d89
-extern const CK_ULONG ber_idDilithiumLen;
971d89
+extern const CK_BYTE ber_NULL[];
971d89
+extern const CK_ULONG ber_NULLLen;
971d89
 
971d89
 #if !(NOMD2)
971d89
 extern const CK_BYTE ber_md2WithRSAEncryption[];
971d89
@@ -2742,35 +2740,37 @@ CK_RV ber_decode_ECDHPrivateKey(CK_BYTE *data,
971d89
                                 CK_ATTRIBUTE **pub_key,
971d89
                                 CK_ATTRIBUTE **priv_key);
971d89
 
971d89
-CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only, CK_BYTE **data,
971d89
-                              CK_ULONG *data_len, CK_ATTRIBUTE *rho,
971d89
-                              CK_ATTRIBUTE *t1);
971d89
+CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
971d89
+                                        CK_BYTE **data, CK_ULONG *data_len,
971d89
+                                        const CK_BYTE *oid, CK_ULONG oid_len,
971d89
+                                        CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1);
971d89
 
971d89
 CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
971d89
-                              CK_ULONG data_len,
971d89
-                              CK_ATTRIBUTE **rho_attr,
971d89
-                              CK_ATTRIBUTE **t1_attr);
971d89
+                                        CK_ULONG data_len,
971d89
+                                        CK_ATTRIBUTE **rho_attr,
971d89
+                                        CK_ATTRIBUTE **t1_attr);
971d89
 
971d89
 CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
971d89
-                               CK_BYTE **data,
971d89
-                               CK_ULONG *data_len,
971d89
-                               CK_ATTRIBUTE *rho,
971d89
-                               CK_ATTRIBUTE *seed,
971d89
-                               CK_ATTRIBUTE *tr,
971d89
-                               CK_ATTRIBUTE *s1,
971d89
-                               CK_ATTRIBUTE *s2,
971d89
-                               CK_ATTRIBUTE *t0,
971d89
-                               CK_ATTRIBUTE *t1);
971d89
+                                         CK_BYTE **data,
971d89
+                                         CK_ULONG *data_len,
971d89
+                                         const CK_BYTE *oid, CK_ULONG oid_len,
971d89
+                                         CK_ATTRIBUTE *rho,
971d89
+                                         CK_ATTRIBUTE *seed,
971d89
+                                         CK_ATTRIBUTE *tr,
971d89
+                                         CK_ATTRIBUTE *s1,
971d89
+                                         CK_ATTRIBUTE *s2,
971d89
+                                         CK_ATTRIBUTE *t0,
971d89
+                                         CK_ATTRIBUTE *t1);
971d89
 
971d89
 CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
971d89
-                               CK_ULONG data_len,
971d89
-                               CK_ATTRIBUTE **rho,
971d89
-                               CK_ATTRIBUTE **seed,
971d89
-                               CK_ATTRIBUTE **tr,
971d89
-                               CK_ATTRIBUTE **s1,
971d89
-                               CK_ATTRIBUTE **s2,
971d89
-                               CK_ATTRIBUTE **t0,
971d89
-                               CK_ATTRIBUTE **t1);
971d89
+                                         CK_ULONG data_len,
971d89
+                                         CK_ATTRIBUTE **rho,
971d89
+                                         CK_ATTRIBUTE **seed,
971d89
+                                         CK_ATTRIBUTE **tr,
971d89
+                                         CK_ATTRIBUTE **s1,
971d89
+                                         CK_ATTRIBUTE **s2,
971d89
+                                         CK_ATTRIBUTE **t0,
971d89
+                                         CK_ATTRIBUTE **t1);
971d89
 
971d89
 typedef CK_RV (*t_rsa_encrypt)(STDLL_TokData_t *, CK_BYTE *in_data,
971d89
                                CK_ULONG in_data_len, CK_BYTE *out_data,
971d89
diff --git a/usr/lib/common/key.c b/usr/lib/common/key.c
971d89
index 6e9a839a..41857b97 100644
971d89
--- a/usr/lib/common/key.c
971d89
+++ b/usr/lib/common/key.c
971d89
@@ -81,6 +81,7 @@
971d89
 #include "h_extern.h"
971d89
 #include "attributes.h"
971d89
 #include "trace.h"
971d89
+#include "pqc_defs.h"
971d89
 
971d89
 #include "tok_spec_struct.h"
971d89
 
971d89
@@ -2688,7 +2689,10 @@ CK_RV ibm_dilithium_publ_get_spki(TEMPLATE *tmpl, CK_BBOOL length_only,
971d89
         return rc;
971d89
     }
971d89
 
971d89
-    rc = ber_encode_IBM_DilithiumPublicKey(length_only, data,data_len, rho, t1);
971d89
+    rc = ber_encode_IBM_DilithiumPublicKey(length_only, data, data_len,
971d89
+                                           dilithium_r2_65,
971d89
+                                           dilithium_r2_65_len,
971d89
+                                           rho, t1);
971d89
     if (rc != CKR_OK) {
971d89
         TRACE_ERROR("ber_encode_IBM_DilithiumPublicKey failed.\n");
971d89
         return rc;
971d89
@@ -2766,7 +2770,9 @@ CK_RV ibm_dilithium_priv_wrap_get_data(TEMPLATE *tmpl,
971d89
     }
971d89
 
971d89
     rc = ber_encode_IBM_DilithiumPrivateKey(length_only, data, data_len,
971d89
-                                  rho, seed, tr, s1, s2, t0, t1);
971d89
+                                            dilithium_r2_65,
971d89
+                                            dilithium_r2_65_len,
971d89
+                                            rho, seed, tr, s1, s2, t0, t1);
971d89
     if (rc != CKR_OK) {
971d89
         TRACE_DEVEL("ber_encode_IBM_DilithiumPrivateKey failed\n");
971d89
     }
971d89
diff --git a/usr/lib/common/key_mgr.c b/usr/lib/common/key_mgr.c
971d89
index 99f2a72e..01103dc2 100644
971d89
--- a/usr/lib/common/key_mgr.c
971d89
+++ b/usr/lib/common/key_mgr.c
971d89
@@ -35,6 +35,7 @@
971d89
 #include "attributes.h"
971d89
 #include "tok_spec_struct.h"
971d89
 #include "trace.h"
971d89
+#include "pqc_defs.h"
971d89
 
971d89
 #include "../api/policy.h"
971d89
 #include "../api/statistics.h"
971d89
@@ -1368,7 +1369,7 @@ CK_RV key_mgr_get_private_key_type(CK_BYTE *keydata,
971d89
 {
971d89
     CK_BYTE *alg = NULL;
971d89
     CK_BYTE *priv_key = NULL;
971d89
-    CK_ULONG alg_len;
971d89
+    CK_ULONG alg_len, i;
971d89
     CK_RV rc;
971d89
 
971d89
     rc = ber_decode_PrivateKeyInfo(keydata, keylen, &alg, &alg_len, &priv_key);
971d89
@@ -1408,10 +1409,14 @@ CK_RV key_mgr_get_private_key_type(CK_BYTE *keydata,
971d89
             return CKR_OK;
971d89
         }
971d89
     }
971d89
-    // Check only the OBJECT IDENTIFIER for DILITHIUM
971d89
+    // Check only the OBJECT IDENTIFIERs for DILITHIUM
971d89
     //
971d89
-    if (alg_len >= ber_idDilithiumLen) {
971d89
-        if (memcmp(alg, ber_idDilithium, ber_idDilithiumLen) == 0) {
971d89
+    for (i = 0; dilithium_oids[i].oid != NULL; i++) {
971d89
+        if (alg_len == dilithium_oids[i].oid_len + ber_NULLLen &&
971d89
+            memcmp(alg, dilithium_oids[i].oid,
971d89
+                   dilithium_oids[i].oid_len) == 0 &&
971d89
+            memcmp(alg + dilithium_oids[i].oid_len,
971d89
+                   ber_NULL, ber_NULLLen) == 0) {
971d89
             *keytype = CKK_IBM_PQC_DILITHIUM;
971d89
             return CKR_OK;
971d89
         }
971d89
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
971d89
index e3451163..45069ae8 100644
971d89
--- a/usr/lib/ep11_stdll/ep11_specific.c
971d89
+++ b/usr/lib/ep11_stdll/ep11_specific.c
971d89
@@ -37,6 +37,7 @@
971d89
 #include "trace.h"
971d89
 #include "ock_syslog.h"
971d89
 #include "ec_defs.h"
971d89
+#include "pqc_defs.h"
971d89
 #include "p11util.h"
971d89
 #include "events.h"
971d89
 #include "cfgparser.h"
971d89
@@ -3645,7 +3646,10 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
971d89
         }
971d89
 
971d89
         /* Encode the public key */
971d89
-        rc = ber_encode_IBM_DilithiumPublicKey(0, &data, &data_len, rho, t1);
971d89
+        rc = ber_encode_IBM_DilithiumPublicKey(FALSE, &data, &data_len,
971d89
+                                               dilithium_r2_65,
971d89
+                                               dilithium_r2_65_len,
971d89
+                                               rho, t1);
971d89
         if (rc != CKR_OK) {
971d89
             TRACE_ERROR("%s public key import class=0x%lx rc=0x%lx "
971d89
                         "data_len=0x%lx\n", __func__, class, rc, data_len);
971d89
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
971d89
index 9a8aa76a..11061f76 100644
971d89
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
971d89
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
971d89
@@ -43,7 +43,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c	\
971d89
 	usr/lib/ep11_stdll/ep11_specific.c				\
971d89
 	usr/lib/common/utility_common.c usr/lib/common/ec_supported.c	\
971d89
 	usr/lib/api/policyhelper.c usr/lib/config/configuration.c	\
971d89
-	usr/lib/config/cfgparse.y usr/lib/config/cfglex.l
971d89
+	usr/lib/config/cfgparse.y usr/lib/config/cfglex.l		\
971d89
+	usr/lib/common/pqc_supported.c
971d89
 
971d89
 if ENABLE_LOCKS
971d89
 opencryptoki_stdll_libpkcs11_ep11_la_SOURCES +=				\
971d89
diff --git a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
971d89
index cb9d898f..f89cd343 100644
971d89
--- a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
971d89
+++ b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
971d89
@@ -38,7 +38,7 @@ opencryptoki_stdll_libpkcs11_ica_la_SOURCES =				\
971d89
 	usr/lib/ica_s390_stdll/ica_specific.c usr/lib/common/dlist.c	\
971d89
 	usr/lib/common/mech_openssl.c					\
971d89
 	usr/lib/common/utility_common.c usr/lib/common/ec_supported.c	\
971d89
-	usr/lib/api/policyhelper.c
971d89
+	usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
971d89
 
971d89
 if ENABLE_LOCKS
971d89
 opencryptoki_stdll_libpkcs11_ica_la_SOURCES +=				\
971d89
diff --git a/usr/lib/icsf_stdll/icsf_stdll.mk b/usr/lib/icsf_stdll/icsf_stdll.mk
971d89
index ee83f674..ebf24290 100644
971d89
--- a/usr/lib/icsf_stdll/icsf_stdll.mk
971d89
+++ b/usr/lib/icsf_stdll/icsf_stdll.mk
971d89
@@ -43,7 +43,7 @@ opencryptoki_stdll_libpkcs11_icsf_la_SOURCES = usr/lib/common/asn1.c	\
971d89
 	usr/lib/icsf_stdll/icsf_specific.c				\
971d89
 	usr/lib/icsf_stdll/icsf.c usr/lib/common/utility_common.c	\
971d89
 	usr/lib/common/ec_supported.c usr/lib/api/policyhelper.c	\
971d89
-	usr/lib/config/configuration.c					\
971d89
+	usr/lib/config/configuration.c usr/lib/common/pqc_supported.c	\
971d89
 	usr/lib/config/cfgparse.y usr/lib/config/cfglex.l		\
971d89
 	usr/lib/common/mech_openssl.c
971d89
 
971d89
diff --git a/usr/lib/soft_stdll/soft_stdll.mk b/usr/lib/soft_stdll/soft_stdll.mk
971d89
index 6cdf82b8..7a842ddc 100644
971d89
--- a/usr/lib/soft_stdll/soft_stdll.mk
971d89
+++ b/usr/lib/soft_stdll/soft_stdll.mk
971d89
@@ -36,7 +36,7 @@ opencryptoki_stdll_libpkcs11_sw_la_SOURCES =				\
971d89
 	usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c	\
971d89
 	usr/lib/common/dlist.c usr/lib/common/mech_openssl.c		\
971d89
 	usr/lib/common/utility_common.c usr/lib/common/ec_supported.c	\
971d89
-	usr/lib/api/policyhelper.c
971d89
+	usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
971d89
 
971d89
 if ENABLE_LOCKS
971d89
 opencryptoki_stdll_libpkcs11_sw_la_SOURCES +=				\
971d89
diff --git a/usr/lib/tpm_stdll/tpm_stdll.mk b/usr/lib/tpm_stdll/tpm_stdll.mk
971d89
index 54551c1f..7fa18121 100644
971d89
--- a/usr/lib/tpm_stdll/tpm_stdll.mk
971d89
+++ b/usr/lib/tpm_stdll/tpm_stdll.mk
971d89
@@ -38,7 +38,7 @@ opencryptoki_stdll_libpkcs11_tpm_la_SOURCES =				\
971d89
 	usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c	\
971d89
 	usr/lib/common/dlist.c usr/lib/common/mech_openssl.c		\
971d89
 	usr/lib/common/utility_common.c usr/lib/common/ec_supported.c	\
971d89
-	usr/lib/api/policyhelper.c
971d89
+	usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
971d89
 
971d89
 if ENABLE_LOCKS
971d89
 opencryptoki_stdll_libpkcs11_tpm_la_SOURCES +=				\
971d89
diff --git a/usr/sbin/pkcscca/pkcscca.mk b/usr/sbin/pkcscca/pkcscca.mk
971d89
index 187a93f2..59300ef5 100644
971d89
--- a/usr/sbin/pkcscca/pkcscca.mk
971d89
+++ b/usr/sbin/pkcscca/pkcscca.mk
971d89
@@ -41,7 +41,7 @@ usr_sbin_pkcscca_pkcscca_SOURCES = usr/lib/common/asn1.c		\
971d89
 	usr/lib/common/dlist.c usr/sbin/pkcscca/pkcscca.c		\
971d89
 	usr/lib/common/utility_common.c usr/lib/common/ec_supported.c	\
971d89
 	usr/lib/common/pin_prompt.c usr/lib/common/mech_openssl.c	\
971d89
-	usr/lib/api/policyhelper.c
971d89
+	usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
971d89
 
971d89
 nodist_usr_sbin_pkcscca_pkcscca_SOURCES = usr/lib/api/mechtable.c
971d89
 
971d89
-- 
971d89
2.16.2.windows.1
971d89