|
|
971d89 |
From 76307be97a42f5a743e7cf0ef75a87dac0c0106f Mon Sep 17 00:00:00 2001
|
|
|
971d89 |
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
971d89 |
Date: Wed, 16 Feb 2022 13:04:24 +0100
|
|
|
971d89 |
Subject: [PATCH 19/34] COMMON: Dilithium key BER encoding/decoding allow
|
|
|
971d89 |
different OIDs
|
|
|
971d89 |
|
|
|
971d89 |
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
971d89 |
---
|
|
|
971d89 |
usr/lib/cca_stdll/cca_stdll.mk | 2 +-
|
|
|
971d89 |
usr/lib/common/asn1.c | 143 ++++++++++++++++++++-----------
|
|
|
971d89 |
usr/lib/common/globals.c | 8 +-
|
|
|
971d89 |
usr/lib/common/h_extern.h | 54 ++++++------
|
|
|
971d89 |
usr/lib/common/key.c | 10 ++-
|
|
|
971d89 |
usr/lib/common/key_mgr.c | 13 ++-
|
|
|
971d89 |
usr/lib/ep11_stdll/ep11_specific.c | 6 +-
|
|
|
971d89 |
usr/lib/ep11_stdll/ep11_stdll.mk | 3 +-
|
|
|
971d89 |
usr/lib/ica_s390_stdll/ica_s390_stdll.mk | 2 +-
|
|
|
971d89 |
usr/lib/icsf_stdll/icsf_stdll.mk | 2 +-
|
|
|
971d89 |
usr/lib/soft_stdll/soft_stdll.mk | 2 +-
|
|
|
971d89 |
usr/lib/tpm_stdll/tpm_stdll.mk | 2 +-
|
|
|
971d89 |
usr/sbin/pkcscca/pkcscca.mk | 2 +-
|
|
|
971d89 |
13 files changed, 152 insertions(+), 97 deletions(-)
|
|
|
971d89 |
|
|
|
971d89 |
diff --git a/usr/lib/cca_stdll/cca_stdll.mk b/usr/lib/cca_stdll/cca_stdll.mk
|
|
|
971d89 |
index 9b71085a..5963df59 100644
|
|
|
971d89 |
--- a/usr/lib/cca_stdll/cca_stdll.mk
|
|
|
971d89 |
+++ b/usr/lib/cca_stdll/cca_stdll.mk
|
|
|
971d89 |
@@ -41,7 +41,7 @@ opencryptoki_stdll_libpkcs11_cca_la_SOURCES = usr/lib/common/asn1.c \
|
|
|
971d89 |
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
|
971d89 |
usr/lib/api/policyhelper.c usr/lib/config/configuration.c \
|
|
|
971d89 |
usr/lib/config/cfgparse.y usr/lib/config/cfglex.l \
|
|
|
971d89 |
- usr/lib/common/mech_openssl.c
|
|
|
971d89 |
+ usr/lib/common/mech_openssl.c usr/lib/common/pqc_supported.c
|
|
|
971d89 |
|
|
|
971d89 |
if ENABLE_LOCKS
|
|
|
971d89 |
opencryptoki_stdll_libpkcs11_cca_la_SOURCES += \
|
|
|
971d89 |
diff --git a/usr/lib/common/asn1.c b/usr/lib/common/asn1.c
|
|
|
971d89 |
index b3f49c41..884ef489 100644
|
|
|
971d89 |
--- a/usr/lib/common/asn1.c
|
|
|
971d89 |
+++ b/usr/lib/common/asn1.c
|
|
|
971d89 |
@@ -24,6 +24,7 @@
|
|
|
971d89 |
#include "host_defs.h"
|
|
|
971d89 |
#include "h_extern.h"
|
|
|
971d89 |
#include "trace.h"
|
|
|
971d89 |
+#include "pqc_defs.h"
|
|
|
971d89 |
|
|
|
971d89 |
|
|
|
971d89 |
//
|
|
|
971d89 |
@@ -3616,7 +3617,7 @@ cleanup:
|
|
|
971d89 |
*
|
|
|
971d89 |
* SEQUENCE (2 elem)
|
|
|
971d89 |
* SEQUENCE (2 elem)
|
|
|
971d89 |
- * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.1.6.5
|
|
|
971d89 |
+ * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.xxx
|
|
|
971d89 |
* NULL
|
|
|
971d89 |
* BIT STRING (1 elem)
|
|
|
971d89 |
* SEQUENCE (2 elem)
|
|
|
971d89 |
@@ -3624,20 +3625,26 @@ cleanup:
|
|
|
971d89 |
* BIT STRING (13824 bit) = 1728 bytes
|
|
|
971d89 |
*/
|
|
|
971d89 |
CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
|
|
|
971d89 |
- CK_BYTE **data, CK_ULONG *data_len,
|
|
|
971d89 |
- CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1)
|
|
|
971d89 |
+ CK_BYTE **data, CK_ULONG *data_len,
|
|
|
971d89 |
+ const CK_BYTE *oid, CK_ULONG oid_len,
|
|
|
971d89 |
+ CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1)
|
|
|
971d89 |
{
|
|
|
971d89 |
CK_BYTE *buf = NULL, *buf2 = NULL, *buf3 = NULL, *buf4 = NULL;
|
|
|
971d89 |
- CK_ULONG len = 0, len4, offset, total, total_len;
|
|
|
971d89 |
+ CK_BYTE *buf5 = NULL, *algid = NULL;
|
|
|
971d89 |
+ CK_ULONG len = 0, len4, offset, total, total_len, algid_len;
|
|
|
971d89 |
CK_RV rc;
|
|
|
971d89 |
|
|
|
971d89 |
UNUSED(length_only);
|
|
|
971d89 |
|
|
|
971d89 |
offset = 0;
|
|
|
971d89 |
rc = 0;
|
|
|
971d89 |
- total_len = ber_AlgIdDilithiumLen;
|
|
|
971d89 |
+ total_len = 0;
|
|
|
971d89 |
total = 0;
|
|
|
971d89 |
|
|
|
971d89 |
+ /* Calculate storage for AlgID sequence */
|
|
|
971d89 |
+ rc |= ber_encode_SEQUENCE(TRUE, NULL, &total_len, NULL,
|
|
|
971d89 |
+ oid_len + ber_NULLLen);
|
|
|
971d89 |
+
|
|
|
971d89 |
/* Calculate storage for inner sequence */
|
|
|
971d89 |
rc |= ber_encode_INTEGER(TRUE, NULL, &len, NULL, rho->ulValueLen);
|
|
|
971d89 |
offset += len;
|
|
|
971d89 |
@@ -3709,12 +3716,30 @@ CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
|
|
|
971d89 |
|
|
|
971d89 |
/*
|
|
|
971d89 |
* SEQUENCE (2 elem)
|
|
|
971d89 |
- * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.1.6.5
|
|
|
971d89 |
+ * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.xxx
|
|
|
971d89 |
* NULL <- no parms for this oid
|
|
|
971d89 |
*/
|
|
|
971d89 |
- total_len = 0;
|
|
|
971d89 |
- memcpy(buf3 + total_len, ber_AlgIdDilithium, ber_AlgIdDilithiumLen);
|
|
|
971d89 |
- total_len += ber_AlgIdDilithiumLen;
|
|
|
971d89 |
+ buf5 = (CK_BYTE *) malloc(oid_len + ber_NULLLen);
|
|
|
971d89 |
+ if (!buf5) {
|
|
|
971d89 |
+ TRACE_ERROR("%s Memory allocation failed\n", __func__);
|
|
|
971d89 |
+ rc = CKR_HOST_MEMORY;
|
|
|
971d89 |
+ goto error;
|
|
|
971d89 |
+ }
|
|
|
971d89 |
+ memcpy(buf5, oid, oid_len);
|
|
|
971d89 |
+ memcpy(buf5 + oid_len, ber_NULL, ber_NULLLen);
|
|
|
971d89 |
+
|
|
|
971d89 |
+ rc = ber_encode_SEQUENCE(FALSE, &algid, &algid_len, buf5,
|
|
|
971d89 |
+ oid_len + ber_NULLLen);
|
|
|
971d89 |
+ free(buf5);
|
|
|
971d89 |
+ if (rc != CKR_OK) {
|
|
|
971d89 |
+ TRACE_ERROR("%s ber_encode_SEQUENCE failed with rc=0x%lx\n", __func__, rc);
|
|
|
971d89 |
+ goto error;
|
|
|
971d89 |
+ }
|
|
|
971d89 |
+
|
|
|
971d89 |
+ total_len = algid_len;
|
|
|
971d89 |
+ memcpy(buf3, algid, algid_len);
|
|
|
971d89 |
+ free(algid);
|
|
|
971d89 |
+ algid = NULL;
|
|
|
971d89 |
|
|
|
971d89 |
/*
|
|
|
971d89 |
* BIT STRING (1 elem)
|
|
|
971d89 |
@@ -3760,16 +3785,15 @@ error:
|
|
|
971d89 |
|
|
|
971d89 |
|
|
|
971d89 |
CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
|
|
|
971d89 |
- CK_ULONG data_len,
|
|
|
971d89 |
- CK_ATTRIBUTE **rho_attr,
|
|
|
971d89 |
- CK_ATTRIBUTE **t1_attr)
|
|
|
971d89 |
+ CK_ULONG data_len,
|
|
|
971d89 |
+ CK_ATTRIBUTE **rho_attr,
|
|
|
971d89 |
+ CK_ATTRIBUTE **t1_attr)
|
|
|
971d89 |
{
|
|
|
971d89 |
CK_ATTRIBUTE *rho_attr_temp = NULL;
|
|
|
971d89 |
CK_ATTRIBUTE *t1_attr_temp = NULL;
|
|
|
971d89 |
|
|
|
971d89 |
- CK_BYTE *algid_DilithiumBase = NULL;
|
|
|
971d89 |
- CK_BYTE *algid = NULL;
|
|
|
971d89 |
- CK_ULONG algid_len;
|
|
|
971d89 |
+ CK_BYTE *algoid = NULL;
|
|
|
971d89 |
+ CK_ULONG algoid_len;
|
|
|
971d89 |
CK_BYTE *param = NULL;
|
|
|
971d89 |
CK_ULONG param_len;
|
|
|
971d89 |
CK_BYTE *val = NULL;
|
|
|
971d89 |
@@ -3780,26 +3804,20 @@ CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
|
|
|
971d89 |
CK_ULONG rho_len;
|
|
|
971d89 |
CK_BYTE *t1;
|
|
|
971d89 |
CK_ULONG t1_len;
|
|
|
971d89 |
- CK_ULONG field_len, offset, len;
|
|
|
971d89 |
+ CK_ULONG field_len, offset;
|
|
|
971d89 |
CK_RV rc;
|
|
|
971d89 |
|
|
|
971d89 |
UNUSED(data_len); // XXX can this parameter be removed ?
|
|
|
971d89 |
|
|
|
971d89 |
- rc = ber_decode_SPKI(data, &algid, &algid_len, ¶m, ¶m_len,
|
|
|
971d89 |
+ rc = ber_decode_SPKI(data, &algoid, &algoid_len, ¶m, ¶m_len,
|
|
|
971d89 |
&val, &val_len);
|
|
|
971d89 |
if (rc != CKR_OK) {
|
|
|
971d89 |
TRACE_DEVEL("ber_decode_SPKI failed\n");
|
|
|
971d89 |
return rc;
|
|
|
971d89 |
}
|
|
|
971d89 |
|
|
|
971d89 |
- /* Make sure we're dealing with a Dilithium key */
|
|
|
971d89 |
- rc = ber_decode_SEQUENCE((CK_BYTE *)ber_AlgIdDilithium, &algid_DilithiumBase, &len,
|
|
|
971d89 |
- &field_len);
|
|
|
971d89 |
- if (rc != CKR_OK) {
|
|
|
971d89 |
- TRACE_DEVEL("ber_decode_SEQUENCE failed\n");
|
|
|
971d89 |
- return rc;
|
|
|
971d89 |
- }
|
|
|
971d89 |
- if (memcmp(algid, algid_DilithiumBase, len) != 0) {
|
|
|
971d89 |
+ if (algoid_len != dilithium_r2_65_len ||
|
|
|
971d89 |
+ memcmp(algoid, dilithium_r2_65, dilithium_r2_65_len) != 0) {
|
|
|
971d89 |
TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
|
971d89 |
return CKR_FUNCTION_FAILED;
|
|
|
971d89 |
}
|
|
|
971d89 |
@@ -3879,18 +3897,20 @@ cleanup:
|
|
|
971d89 |
* }
|
|
|
971d89 |
*/
|
|
|
971d89 |
CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
|
|
|
971d89 |
- CK_BYTE **data,
|
|
|
971d89 |
- CK_ULONG *data_len,
|
|
|
971d89 |
- CK_ATTRIBUTE *rho,
|
|
|
971d89 |
- CK_ATTRIBUTE *seed,
|
|
|
971d89 |
- CK_ATTRIBUTE *tr,
|
|
|
971d89 |
- CK_ATTRIBUTE *s1,
|
|
|
971d89 |
- CK_ATTRIBUTE *s2,
|
|
|
971d89 |
- CK_ATTRIBUTE *t0,
|
|
|
971d89 |
- CK_ATTRIBUTE *t1)
|
|
|
971d89 |
+ CK_BYTE **data,
|
|
|
971d89 |
+ CK_ULONG *data_len,
|
|
|
971d89 |
+ const CK_BYTE *oid, CK_ULONG oid_len,
|
|
|
971d89 |
+ CK_ATTRIBUTE *rho,
|
|
|
971d89 |
+ CK_ATTRIBUTE *seed,
|
|
|
971d89 |
+ CK_ATTRIBUTE *tr,
|
|
|
971d89 |
+ CK_ATTRIBUTE *s1,
|
|
|
971d89 |
+ CK_ATTRIBUTE *s2,
|
|
|
971d89 |
+ CK_ATTRIBUTE *t0,
|
|
|
971d89 |
+ CK_ATTRIBUTE *t1)
|
|
|
971d89 |
{
|
|
|
971d89 |
CK_BYTE *buf = NULL, *buf2 = NULL, *buf3 = NULL;
|
|
|
971d89 |
- CK_ULONG len, len2 = 0, offset;
|
|
|
971d89 |
+ CK_BYTE *algid = NULL, *algid_buf = NULL;
|
|
|
971d89 |
+ CK_ULONG len, len2 = 0, offset, algid_len = 0;
|
|
|
971d89 |
CK_BYTE version[] = { 0 };
|
|
|
971d89 |
CK_RV rc;
|
|
|
971d89 |
|
|
|
971d89 |
@@ -3898,6 +3918,9 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
|
|
|
971d89 |
offset = 0;
|
|
|
971d89 |
rc = 0;
|
|
|
971d89 |
|
|
|
971d89 |
+ rc |= ber_encode_SEQUENCE(TRUE, NULL, &algid_len, NULL,
|
|
|
971d89 |
+ oid_len + ber_NULLLen);
|
|
|
971d89 |
+
|
|
|
971d89 |
rc |= ber_encode_INTEGER(TRUE, NULL, &len, NULL, sizeof(version));
|
|
|
971d89 |
offset += len;
|
|
|
971d89 |
rc |= ber_encode_BIT_STRING(TRUE, NULL, &len, NULL, rho->ulValueLen, 0);
|
|
|
971d89 |
@@ -3931,7 +3954,7 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
|
|
|
971d89 |
}
|
|
|
971d89 |
rc = ber_encode_PrivateKeyInfo(TRUE,
|
|
|
971d89 |
NULL, data_len,
|
|
|
971d89 |
- NULL, ber_AlgIdDilithiumLen,
|
|
|
971d89 |
+ NULL, algid_len,
|
|
|
971d89 |
NULL, len);
|
|
|
971d89 |
if (rc != CKR_OK) {
|
|
|
971d89 |
TRACE_DEVEL("ber_encode_PrivateKeyInfo failed\n");
|
|
|
971d89 |
@@ -4051,10 +4074,28 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
|
|
|
971d89 |
TRACE_ERROR("ber_encode_SEQUENCE failed\n");
|
|
|
971d89 |
goto error;
|
|
|
971d89 |
}
|
|
|
971d89 |
+
|
|
|
971d89 |
+ algid_buf = (CK_BYTE *) malloc(oid_len + ber_NULLLen);
|
|
|
971d89 |
+ if (!algid_buf) {
|
|
|
971d89 |
+ TRACE_ERROR("%s Memory allocation failed\n", __func__);
|
|
|
971d89 |
+ rc = CKR_HOST_MEMORY;
|
|
|
971d89 |
+ goto error;
|
|
|
971d89 |
+ }
|
|
|
971d89 |
+ memcpy(algid_buf, oid, oid_len);
|
|
|
971d89 |
+ memcpy(algid_buf + oid_len, ber_NULL, ber_NULLLen);
|
|
|
971d89 |
+
|
|
|
971d89 |
+ rc = ber_encode_SEQUENCE(FALSE, &algid, &algid_len, algid_buf,
|
|
|
971d89 |
+ oid_len + ber_NULLLen);
|
|
|
971d89 |
+ free(algid_buf);
|
|
|
971d89 |
+ if (rc != CKR_OK) {
|
|
|
971d89 |
+ TRACE_ERROR("%s ber_encode_SEQUENCE failed with rc=0x%lx\n", __func__, rc);
|
|
|
971d89 |
+ goto error;
|
|
|
971d89 |
+ }
|
|
|
971d89 |
+
|
|
|
971d89 |
rc = ber_encode_PrivateKeyInfo(FALSE,
|
|
|
971d89 |
data, data_len,
|
|
|
971d89 |
- ber_AlgIdDilithium,
|
|
|
971d89 |
- ber_AlgIdDilithiumLen, buf2, len);
|
|
|
971d89 |
+ algid, algid_len,
|
|
|
971d89 |
+ buf2, len);
|
|
|
971d89 |
if (rc != CKR_OK) {
|
|
|
971d89 |
TRACE_ERROR("ber_encode_PrivateKeyInfo failed\n");
|
|
|
971d89 |
}
|
|
|
971d89 |
@@ -4066,6 +4107,8 @@ error:
|
|
|
971d89 |
free(buf2);
|
|
|
971d89 |
if (buf)
|
|
|
971d89 |
free(buf);
|
|
|
971d89 |
+ if (algid)
|
|
|
971d89 |
+ free(algid);
|
|
|
971d89 |
|
|
|
971d89 |
return rc;
|
|
|
971d89 |
}
|
|
|
971d89 |
@@ -4087,19 +4130,19 @@ error:
|
|
|
971d89 |
* }
|
|
|
971d89 |
*/
|
|
|
971d89 |
CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
|
|
|
971d89 |
- CK_ULONG data_len,
|
|
|
971d89 |
- CK_ATTRIBUTE **rho,
|
|
|
971d89 |
- CK_ATTRIBUTE **seed,
|
|
|
971d89 |
- CK_ATTRIBUTE **tr,
|
|
|
971d89 |
- CK_ATTRIBUTE **s1,
|
|
|
971d89 |
- CK_ATTRIBUTE **s2,
|
|
|
971d89 |
- CK_ATTRIBUTE **t0,
|
|
|
971d89 |
- CK_ATTRIBUTE **t1)
|
|
|
971d89 |
+ CK_ULONG data_len,
|
|
|
971d89 |
+ CK_ATTRIBUTE **rho,
|
|
|
971d89 |
+ CK_ATTRIBUTE **seed,
|
|
|
971d89 |
+ CK_ATTRIBUTE **tr,
|
|
|
971d89 |
+ CK_ATTRIBUTE **s1,
|
|
|
971d89 |
+ CK_ATTRIBUTE **s2,
|
|
|
971d89 |
+ CK_ATTRIBUTE **t0,
|
|
|
971d89 |
+ CK_ATTRIBUTE **t1)
|
|
|
971d89 |
{
|
|
|
971d89 |
CK_ATTRIBUTE *rho_attr = NULL, *seed_attr = NULL;
|
|
|
971d89 |
CK_ATTRIBUTE *tr_attr = NULL, *s1_attr = NULL, *s2_attr = NULL;
|
|
|
971d89 |
CK_ATTRIBUTE *t0_attr = NULL, *t1_attr = NULL;
|
|
|
971d89 |
- CK_BYTE *alg = NULL;
|
|
|
971d89 |
+ CK_BYTE *algoid = NULL;
|
|
|
971d89 |
CK_BYTE *dilithium_priv_key = NULL;
|
|
|
971d89 |
CK_BYTE *buf = NULL;
|
|
|
971d89 |
CK_BYTE *tmp = NULL;
|
|
|
971d89 |
@@ -4107,15 +4150,15 @@ CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
|
|
|
971d89 |
CK_RV rc;
|
|
|
971d89 |
|
|
|
971d89 |
/* Check if this is a Dilithium private key */
|
|
|
971d89 |
- rc = ber_decode_PrivateKeyInfo(data, data_len, &alg, &len,
|
|
|
971d89 |
+ rc = ber_decode_PrivateKeyInfo(data, data_len, &algoid, &len,
|
|
|
971d89 |
&dilithium_priv_key);
|
|
|
971d89 |
if (rc != CKR_OK) {
|
|
|
971d89 |
TRACE_DEVEL("ber_decode_PrivateKeyInfo failed\n");
|
|
|
971d89 |
return rc;
|
|
|
971d89 |
}
|
|
|
971d89 |
|
|
|
971d89 |
- if (memcmp(alg, ber_AlgIdDilithium, ber_AlgIdDilithiumLen) != 0) {
|
|
|
971d89 |
- // probably ought to use a different error
|
|
|
971d89 |
+ if (len != dilithium_r2_65_len + ber_NULLLen ||
|
|
|
971d89 |
+ memcmp(algoid, dilithium_r2_65, dilithium_r2_65_len) != 0) {
|
|
|
971d89 |
TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
|
971d89 |
return CKR_FUNCTION_FAILED;
|
|
|
971d89 |
}
|
|
|
971d89 |
diff --git a/usr/lib/common/globals.c b/usr/lib/common/globals.c
|
|
|
971d89 |
index 5b79e785..a7197ec6 100644
|
|
|
971d89 |
--- a/usr/lib/common/globals.c
|
|
|
971d89 |
+++ b/usr/lib/common/globals.c
|
|
|
971d89 |
@@ -105,11 +105,7 @@ const CK_BYTE ber_AlgIdRSAEncryption[] = {
|
|
|
971d89 |
const CK_BYTE der_AlgIdECBase[] =
|
|
|
971d89 |
{ 0x30, 0x09, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01 };
|
|
|
971d89 |
|
|
|
971d89 |
-const CK_BYTE ber_AlgIdDilithium[] =
|
|
|
971d89 |
- { 0x30, 0x0F, 0x06, 0x0B, 0x2B, 0x06, 0x01,
|
|
|
971d89 |
- 0x04, 0x01, 0x02, 0x82, 0x0B, 0x01, 0x06,
|
|
|
971d89 |
- 0x05, 0x05, 0x00
|
|
|
971d89 |
-};
|
|
|
971d89 |
+const CK_BYTE ber_NULL[] = { 0x05, 0x00 };
|
|
|
971d89 |
|
|
|
971d89 |
// ID Lengths
|
|
|
971d89 |
//
|
|
|
971d89 |
@@ -135,7 +131,7 @@ const CK_ULONG ber_AlgSha384Len = sizeof(ber_AlgSha384);
|
|
|
971d89 |
const CK_ULONG ber_AlgSha512Len = sizeof(ber_AlgSha512);
|
|
|
971d89 |
const CK_ULONG ber_AlgIdRSAEncryptionLen = sizeof(ber_AlgIdRSAEncryption);
|
|
|
971d89 |
const CK_ULONG der_AlgIdECBaseLen = sizeof(der_AlgIdECBase);
|
|
|
971d89 |
-const CK_ULONG ber_AlgIdDilithiumLen = sizeof(ber_AlgIdDilithium);
|
|
|
971d89 |
+const CK_ULONG ber_NULLLen = sizeof(ber_NULL);
|
|
|
971d89 |
|
|
|
971d89 |
const CK_ULONG des_weak_count = 4;
|
|
|
971d89 |
const CK_ULONG des_semi_weak_count = 12;
|
|
|
971d89 |
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
|
|
|
971d89 |
index 340ab88d..41ca12df 100644
|
|
|
971d89 |
--- a/usr/lib/common/h_extern.h
|
|
|
971d89 |
+++ b/usr/lib/common/h_extern.h
|
|
|
971d89 |
@@ -56,16 +56,14 @@ extern const CK_BYTE ber_rsaEncryption[];
|
|
|
971d89 |
extern const CK_ULONG ber_rsaEncryptionLen;
|
|
|
971d89 |
extern const CK_BYTE der_AlgIdECBase[];
|
|
|
971d89 |
extern const CK_ULONG der_AlgIdECBaseLen;
|
|
|
971d89 |
-extern const CK_BYTE ber_AlgIdDilithium[];
|
|
|
971d89 |
-extern const CK_ULONG ber_AlgIdDilithiumLen;
|
|
|
971d89 |
extern const CK_BYTE ber_idDSA[];
|
|
|
971d89 |
extern const CK_ULONG ber_idDSALen;
|
|
|
971d89 |
extern const CK_BYTE ber_idDH[];
|
|
|
971d89 |
extern const CK_ULONG ber_idDHLen;
|
|
|
971d89 |
extern const CK_BYTE ber_idEC[];
|
|
|
971d89 |
extern const CK_ULONG ber_idECLen;
|
|
|
971d89 |
-extern const CK_BYTE ber_idDilithium[];
|
|
|
971d89 |
-extern const CK_ULONG ber_idDilithiumLen;
|
|
|
971d89 |
+extern const CK_BYTE ber_NULL[];
|
|
|
971d89 |
+extern const CK_ULONG ber_NULLLen;
|
|
|
971d89 |
|
|
|
971d89 |
#if !(NOMD2)
|
|
|
971d89 |
extern const CK_BYTE ber_md2WithRSAEncryption[];
|
|
|
971d89 |
@@ -2742,35 +2740,37 @@ CK_RV ber_decode_ECDHPrivateKey(CK_BYTE *data,
|
|
|
971d89 |
CK_ATTRIBUTE **pub_key,
|
|
|
971d89 |
CK_ATTRIBUTE **priv_key);
|
|
|
971d89 |
|
|
|
971d89 |
-CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only, CK_BYTE **data,
|
|
|
971d89 |
- CK_ULONG *data_len, CK_ATTRIBUTE *rho,
|
|
|
971d89 |
- CK_ATTRIBUTE *t1);
|
|
|
971d89 |
+CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
|
|
|
971d89 |
+ CK_BYTE **data, CK_ULONG *data_len,
|
|
|
971d89 |
+ const CK_BYTE *oid, CK_ULONG oid_len,
|
|
|
971d89 |
+ CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1);
|
|
|
971d89 |
|
|
|
971d89 |
CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
|
|
|
971d89 |
- CK_ULONG data_len,
|
|
|
971d89 |
- CK_ATTRIBUTE **rho_attr,
|
|
|
971d89 |
- CK_ATTRIBUTE **t1_attr);
|
|
|
971d89 |
+ CK_ULONG data_len,
|
|
|
971d89 |
+ CK_ATTRIBUTE **rho_attr,
|
|
|
971d89 |
+ CK_ATTRIBUTE **t1_attr);
|
|
|
971d89 |
|
|
|
971d89 |
CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
|
|
|
971d89 |
- CK_BYTE **data,
|
|
|
971d89 |
- CK_ULONG *data_len,
|
|
|
971d89 |
- CK_ATTRIBUTE *rho,
|
|
|
971d89 |
- CK_ATTRIBUTE *seed,
|
|
|
971d89 |
- CK_ATTRIBUTE *tr,
|
|
|
971d89 |
- CK_ATTRIBUTE *s1,
|
|
|
971d89 |
- CK_ATTRIBUTE *s2,
|
|
|
971d89 |
- CK_ATTRIBUTE *t0,
|
|
|
971d89 |
- CK_ATTRIBUTE *t1);
|
|
|
971d89 |
+ CK_BYTE **data,
|
|
|
971d89 |
+ CK_ULONG *data_len,
|
|
|
971d89 |
+ const CK_BYTE *oid, CK_ULONG oid_len,
|
|
|
971d89 |
+ CK_ATTRIBUTE *rho,
|
|
|
971d89 |
+ CK_ATTRIBUTE *seed,
|
|
|
971d89 |
+ CK_ATTRIBUTE *tr,
|
|
|
971d89 |
+ CK_ATTRIBUTE *s1,
|
|
|
971d89 |
+ CK_ATTRIBUTE *s2,
|
|
|
971d89 |
+ CK_ATTRIBUTE *t0,
|
|
|
971d89 |
+ CK_ATTRIBUTE *t1);
|
|
|
971d89 |
|
|
|
971d89 |
CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
|
|
|
971d89 |
- CK_ULONG data_len,
|
|
|
971d89 |
- CK_ATTRIBUTE **rho,
|
|
|
971d89 |
- CK_ATTRIBUTE **seed,
|
|
|
971d89 |
- CK_ATTRIBUTE **tr,
|
|
|
971d89 |
- CK_ATTRIBUTE **s1,
|
|
|
971d89 |
- CK_ATTRIBUTE **s2,
|
|
|
971d89 |
- CK_ATTRIBUTE **t0,
|
|
|
971d89 |
- CK_ATTRIBUTE **t1);
|
|
|
971d89 |
+ CK_ULONG data_len,
|
|
|
971d89 |
+ CK_ATTRIBUTE **rho,
|
|
|
971d89 |
+ CK_ATTRIBUTE **seed,
|
|
|
971d89 |
+ CK_ATTRIBUTE **tr,
|
|
|
971d89 |
+ CK_ATTRIBUTE **s1,
|
|
|
971d89 |
+ CK_ATTRIBUTE **s2,
|
|
|
971d89 |
+ CK_ATTRIBUTE **t0,
|
|
|
971d89 |
+ CK_ATTRIBUTE **t1);
|
|
|
971d89 |
|
|
|
971d89 |
typedef CK_RV (*t_rsa_encrypt)(STDLL_TokData_t *, CK_BYTE *in_data,
|
|
|
971d89 |
CK_ULONG in_data_len, CK_BYTE *out_data,
|
|
|
971d89 |
diff --git a/usr/lib/common/key.c b/usr/lib/common/key.c
|
|
|
971d89 |
index 6e9a839a..41857b97 100644
|
|
|
971d89 |
--- a/usr/lib/common/key.c
|
|
|
971d89 |
+++ b/usr/lib/common/key.c
|
|
|
971d89 |
@@ -81,6 +81,7 @@
|
|
|
971d89 |
#include "h_extern.h"
|
|
|
971d89 |
#include "attributes.h"
|
|
|
971d89 |
#include "trace.h"
|
|
|
971d89 |
+#include "pqc_defs.h"
|
|
|
971d89 |
|
|
|
971d89 |
#include "tok_spec_struct.h"
|
|
|
971d89 |
|
|
|
971d89 |
@@ -2688,7 +2689,10 @@ CK_RV ibm_dilithium_publ_get_spki(TEMPLATE *tmpl, CK_BBOOL length_only,
|
|
|
971d89 |
return rc;
|
|
|
971d89 |
}
|
|
|
971d89 |
|
|
|
971d89 |
- rc = ber_encode_IBM_DilithiumPublicKey(length_only, data,data_len, rho, t1);
|
|
|
971d89 |
+ rc = ber_encode_IBM_DilithiumPublicKey(length_only, data, data_len,
|
|
|
971d89 |
+ dilithium_r2_65,
|
|
|
971d89 |
+ dilithium_r2_65_len,
|
|
|
971d89 |
+ rho, t1);
|
|
|
971d89 |
if (rc != CKR_OK) {
|
|
|
971d89 |
TRACE_ERROR("ber_encode_IBM_DilithiumPublicKey failed.\n");
|
|
|
971d89 |
return rc;
|
|
|
971d89 |
@@ -2766,7 +2770,9 @@ CK_RV ibm_dilithium_priv_wrap_get_data(TEMPLATE *tmpl,
|
|
|
971d89 |
}
|
|
|
971d89 |
|
|
|
971d89 |
rc = ber_encode_IBM_DilithiumPrivateKey(length_only, data, data_len,
|
|
|
971d89 |
- rho, seed, tr, s1, s2, t0, t1);
|
|
|
971d89 |
+ dilithium_r2_65,
|
|
|
971d89 |
+ dilithium_r2_65_len,
|
|
|
971d89 |
+ rho, seed, tr, s1, s2, t0, t1);
|
|
|
971d89 |
if (rc != CKR_OK) {
|
|
|
971d89 |
TRACE_DEVEL("ber_encode_IBM_DilithiumPrivateKey failed\n");
|
|
|
971d89 |
}
|
|
|
971d89 |
diff --git a/usr/lib/common/key_mgr.c b/usr/lib/common/key_mgr.c
|
|
|
971d89 |
index 99f2a72e..01103dc2 100644
|
|
|
971d89 |
--- a/usr/lib/common/key_mgr.c
|
|
|
971d89 |
+++ b/usr/lib/common/key_mgr.c
|
|
|
971d89 |
@@ -35,6 +35,7 @@
|
|
|
971d89 |
#include "attributes.h"
|
|
|
971d89 |
#include "tok_spec_struct.h"
|
|
|
971d89 |
#include "trace.h"
|
|
|
971d89 |
+#include "pqc_defs.h"
|
|
|
971d89 |
|
|
|
971d89 |
#include "../api/policy.h"
|
|
|
971d89 |
#include "../api/statistics.h"
|
|
|
971d89 |
@@ -1368,7 +1369,7 @@ CK_RV key_mgr_get_private_key_type(CK_BYTE *keydata,
|
|
|
971d89 |
{
|
|
|
971d89 |
CK_BYTE *alg = NULL;
|
|
|
971d89 |
CK_BYTE *priv_key = NULL;
|
|
|
971d89 |
- CK_ULONG alg_len;
|
|
|
971d89 |
+ CK_ULONG alg_len, i;
|
|
|
971d89 |
CK_RV rc;
|
|
|
971d89 |
|
|
|
971d89 |
rc = ber_decode_PrivateKeyInfo(keydata, keylen, &alg, &alg_len, &priv_key);
|
|
|
971d89 |
@@ -1408,10 +1409,14 @@ CK_RV key_mgr_get_private_key_type(CK_BYTE *keydata,
|
|
|
971d89 |
return CKR_OK;
|
|
|
971d89 |
}
|
|
|
971d89 |
}
|
|
|
971d89 |
- // Check only the OBJECT IDENTIFIER for DILITHIUM
|
|
|
971d89 |
+ // Check only the OBJECT IDENTIFIERs for DILITHIUM
|
|
|
971d89 |
//
|
|
|
971d89 |
- if (alg_len >= ber_idDilithiumLen) {
|
|
|
971d89 |
- if (memcmp(alg, ber_idDilithium, ber_idDilithiumLen) == 0) {
|
|
|
971d89 |
+ for (i = 0; dilithium_oids[i].oid != NULL; i++) {
|
|
|
971d89 |
+ if (alg_len == dilithium_oids[i].oid_len + ber_NULLLen &&
|
|
|
971d89 |
+ memcmp(alg, dilithium_oids[i].oid,
|
|
|
971d89 |
+ dilithium_oids[i].oid_len) == 0 &&
|
|
|
971d89 |
+ memcmp(alg + dilithium_oids[i].oid_len,
|
|
|
971d89 |
+ ber_NULL, ber_NULLLen) == 0) {
|
|
|
971d89 |
*keytype = CKK_IBM_PQC_DILITHIUM;
|
|
|
971d89 |
return CKR_OK;
|
|
|
971d89 |
}
|
|
|
971d89 |
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
|
|
971d89 |
index e3451163..45069ae8 100644
|
|
|
971d89 |
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
|
|
971d89 |
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
|
|
971d89 |
@@ -37,6 +37,7 @@
|
|
|
971d89 |
#include "trace.h"
|
|
|
971d89 |
#include "ock_syslog.h"
|
|
|
971d89 |
#include "ec_defs.h"
|
|
|
971d89 |
+#include "pqc_defs.h"
|
|
|
971d89 |
#include "p11util.h"
|
|
|
971d89 |
#include "events.h"
|
|
|
971d89 |
#include "cfgparser.h"
|
|
|
971d89 |
@@ -3645,7 +3646,10 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
971d89 |
}
|
|
|
971d89 |
|
|
|
971d89 |
/* Encode the public key */
|
|
|
971d89 |
- rc = ber_encode_IBM_DilithiumPublicKey(0, &data, &data_len, rho, t1);
|
|
|
971d89 |
+ rc = ber_encode_IBM_DilithiumPublicKey(FALSE, &data, &data_len,
|
|
|
971d89 |
+ dilithium_r2_65,
|
|
|
971d89 |
+ dilithium_r2_65_len,
|
|
|
971d89 |
+ rho, t1);
|
|
|
971d89 |
if (rc != CKR_OK) {
|
|
|
971d89 |
TRACE_ERROR("%s public key import class=0x%lx rc=0x%lx "
|
|
|
971d89 |
"data_len=0x%lx\n", __func__, class, rc, data_len);
|
|
|
971d89 |
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
|
|
|
971d89 |
index 9a8aa76a..11061f76 100644
|
|
|
971d89 |
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
|
|
|
971d89 |
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
|
|
|
971d89 |
@@ -43,7 +43,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \
|
|
|
971d89 |
usr/lib/ep11_stdll/ep11_specific.c \
|
|
|
971d89 |
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
|
971d89 |
usr/lib/api/policyhelper.c usr/lib/config/configuration.c \
|
|
|
971d89 |
- usr/lib/config/cfgparse.y usr/lib/config/cfglex.l
|
|
|
971d89 |
+ usr/lib/config/cfgparse.y usr/lib/config/cfglex.l \
|
|
|
971d89 |
+ usr/lib/common/pqc_supported.c
|
|
|
971d89 |
|
|
|
971d89 |
if ENABLE_LOCKS
|
|
|
971d89 |
opencryptoki_stdll_libpkcs11_ep11_la_SOURCES += \
|
|
|
971d89 |
diff --git a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
|
|
971d89 |
index cb9d898f..f89cd343 100644
|
|
|
971d89 |
--- a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
|
|
971d89 |
+++ b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
|
|
971d89 |
@@ -38,7 +38,7 @@ opencryptoki_stdll_libpkcs11_ica_la_SOURCES = \
|
|
|
971d89 |
usr/lib/ica_s390_stdll/ica_specific.c usr/lib/common/dlist.c \
|
|
|
971d89 |
usr/lib/common/mech_openssl.c \
|
|
|
971d89 |
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
|
971d89 |
- usr/lib/api/policyhelper.c
|
|
|
971d89 |
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
|
|
|
971d89 |
|
|
|
971d89 |
if ENABLE_LOCKS
|
|
|
971d89 |
opencryptoki_stdll_libpkcs11_ica_la_SOURCES += \
|
|
|
971d89 |
diff --git a/usr/lib/icsf_stdll/icsf_stdll.mk b/usr/lib/icsf_stdll/icsf_stdll.mk
|
|
|
971d89 |
index ee83f674..ebf24290 100644
|
|
|
971d89 |
--- a/usr/lib/icsf_stdll/icsf_stdll.mk
|
|
|
971d89 |
+++ b/usr/lib/icsf_stdll/icsf_stdll.mk
|
|
|
971d89 |
@@ -43,7 +43,7 @@ opencryptoki_stdll_libpkcs11_icsf_la_SOURCES = usr/lib/common/asn1.c \
|
|
|
971d89 |
usr/lib/icsf_stdll/icsf_specific.c \
|
|
|
971d89 |
usr/lib/icsf_stdll/icsf.c usr/lib/common/utility_common.c \
|
|
|
971d89 |
usr/lib/common/ec_supported.c usr/lib/api/policyhelper.c \
|
|
|
971d89 |
- usr/lib/config/configuration.c \
|
|
|
971d89 |
+ usr/lib/config/configuration.c usr/lib/common/pqc_supported.c \
|
|
|
971d89 |
usr/lib/config/cfgparse.y usr/lib/config/cfglex.l \
|
|
|
971d89 |
usr/lib/common/mech_openssl.c
|
|
|
971d89 |
|
|
|
971d89 |
diff --git a/usr/lib/soft_stdll/soft_stdll.mk b/usr/lib/soft_stdll/soft_stdll.mk
|
|
|
971d89 |
index 6cdf82b8..7a842ddc 100644
|
|
|
971d89 |
--- a/usr/lib/soft_stdll/soft_stdll.mk
|
|
|
971d89 |
+++ b/usr/lib/soft_stdll/soft_stdll.mk
|
|
|
971d89 |
@@ -36,7 +36,7 @@ opencryptoki_stdll_libpkcs11_sw_la_SOURCES = \
|
|
|
971d89 |
usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c \
|
|
|
971d89 |
usr/lib/common/dlist.c usr/lib/common/mech_openssl.c \
|
|
|
971d89 |
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
|
971d89 |
- usr/lib/api/policyhelper.c
|
|
|
971d89 |
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
|
|
|
971d89 |
|
|
|
971d89 |
if ENABLE_LOCKS
|
|
|
971d89 |
opencryptoki_stdll_libpkcs11_sw_la_SOURCES += \
|
|
|
971d89 |
diff --git a/usr/lib/tpm_stdll/tpm_stdll.mk b/usr/lib/tpm_stdll/tpm_stdll.mk
|
|
|
971d89 |
index 54551c1f..7fa18121 100644
|
|
|
971d89 |
--- a/usr/lib/tpm_stdll/tpm_stdll.mk
|
|
|
971d89 |
+++ b/usr/lib/tpm_stdll/tpm_stdll.mk
|
|
|
971d89 |
@@ -38,7 +38,7 @@ opencryptoki_stdll_libpkcs11_tpm_la_SOURCES = \
|
|
|
971d89 |
usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c \
|
|
|
971d89 |
usr/lib/common/dlist.c usr/lib/common/mech_openssl.c \
|
|
|
971d89 |
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
|
971d89 |
- usr/lib/api/policyhelper.c
|
|
|
971d89 |
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
|
|
|
971d89 |
|
|
|
971d89 |
if ENABLE_LOCKS
|
|
|
971d89 |
opencryptoki_stdll_libpkcs11_tpm_la_SOURCES += \
|
|
|
971d89 |
diff --git a/usr/sbin/pkcscca/pkcscca.mk b/usr/sbin/pkcscca/pkcscca.mk
|
|
|
971d89 |
index 187a93f2..59300ef5 100644
|
|
|
971d89 |
--- a/usr/sbin/pkcscca/pkcscca.mk
|
|
|
971d89 |
+++ b/usr/sbin/pkcscca/pkcscca.mk
|
|
|
971d89 |
@@ -41,7 +41,7 @@ usr_sbin_pkcscca_pkcscca_SOURCES = usr/lib/common/asn1.c \
|
|
|
971d89 |
usr/lib/common/dlist.c usr/sbin/pkcscca/pkcscca.c \
|
|
|
971d89 |
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
|
971d89 |
usr/lib/common/pin_prompt.c usr/lib/common/mech_openssl.c \
|
|
|
971d89 |
- usr/lib/api/policyhelper.c
|
|
|
971d89 |
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
|
|
|
971d89 |
|
|
|
971d89 |
nodist_usr_sbin_pkcscca_pkcscca_SOURCES = usr/lib/api/mechtable.c
|
|
|
971d89 |
|
|
|
971d89 |
--
|
|
|
971d89 |
2.16.2.windows.1
|
|
|
971d89 |
|