Blame SOURCES/0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch

From 5b5d1830dadfbbd310c11d26d86426ed63eed936 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue, 1 Mar 2022 11:09:26 +0100
Subject: [PATCH 26/34] EP11: Add support for generating and importing Kyber
 keys
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
 usr/lib/ep11_stdll/ep11_specific.c | 222 ++++++++++++++++++++++---------------
 1 file changed, 134 insertions(+), 88 deletions(-)
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
1f6f0c
index 44796dba..bc17b07a 100644
1f6f0c
--- a/usr/lib/ep11_stdll/ep11_specific.c
1f6f0c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
1f6f0c
@@ -3664,14 +3664,14 @@ import_DH_key_end:
1f6f0c
 }
1f6f0c
 
1f6f0c
 /*
1f6f0c
- * makes blobs for private imported IBM Dilithium keys and
1f6f0c
- * SPKIs for public imported IBM Dilithium keys.
1f6f0c
+ * makes blobs for private imported IBM PQC keys and
1f6f0c
+ * SPKIs for public imported IBM PQC keys.
1f6f0c
  * Similar to rawkey_2_blob, but keys must follow a standard BER encoding.
1f6f0c
  */
1f6f0c
-static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
-                                      OBJECT *dilithium_key_obj,
1f6f0c
-                                      CK_BYTE *blob, size_t *blob_size,
1f6f0c
-                                      CK_BYTE *spki, size_t *spki_size)
1f6f0c
+static CK_RV import_IBM_pqc_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
+                                OBJECT *pqc_key_obj, CK_KEY_TYPE keytype,
1f6f0c
+                                CK_BYTE *blob, size_t *blob_size,
1f6f0c
+                                CK_BYTE *spki, size_t *spki_size)
1f6f0c
 {
1f6f0c
     ep11_private_data_t *ep11_data = tokdata->private_data;
1f6f0c
     CK_RV rc;
1f6f0c
@@ -3692,11 +3692,27 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
     CK_ATTRIBUTE *value_attr = NULL;
1f6f0c
     CK_BBOOL data_alloced = TRUE;
1f6f0c
     const struct pqc_oid *oid;
1f6f0c
+    const char *key_type_str;
1f6f0c
+    CK_MECHANISM_TYPE pqc_mech;
1f6f0c
+
1f6f0c
+    switch (keytype) {
1f6f0c
+    case CKK_IBM_PQC_DILITHIUM:
1f6f0c
+        key_type_str = "Dilithium";
1f6f0c
+        pqc_mech = CKM_IBM_DILITHIUM;
1f6f0c
+        break;
1f6f0c
+    case CKK_IBM_PQC_KYBER:
1f6f0c
+        key_type_str = "Kyber";
1f6f0c
+        pqc_mech = CKM_IBM_KYBER;
1f6f0c
+        break;
1f6f0c
+    default:
1f6f0c
+        TRACE_ERROR("Invalid key type provided for %s\n ", __func__);
1f6f0c
+        return CKR_KEY_TYPE_INCONSISTENT;
1f6f0c
+    }
1f6f0c
 
1f6f0c
     memcpy(iv, "1234567812345678", AES_BLOCK_SIZE);
1f6f0c
 
1f6f0c
     /* need class for secret/public key info */
1f6f0c
-    rc = template_attribute_get_ulong(dilithium_key_obj->template, CKA_CLASS,
1f6f0c
+    rc = template_attribute_get_ulong(pqc_key_obj->template, CKA_CLASS,
1f6f0c
                                       &class);
1f6f0c
     if (rc != CKR_OK) {
1f6f0c
         TRACE_ERROR("Could not find CKA_CLASS for the key.\n");
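Review bot: The `default` arm of the new `switch (keytype)` logs `"Invalid key type provided for %s\n "` with a stray space after the newline and without the rejected value, which makes a CKR_KEY_TYPE_INCONSISTENT return hard to diagnose from the trace. I would write it as `TRACE_ERROR("%s invalid key type 0x%lx\n", __func__, keytype);`. The same `"\n "` tail appears in the mechanism check of ibm_pqc_generate_keypair further down in this patch. The function's signature is in the previous hunk and its body continues past this one.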
1f6f0c
@@ -3706,20 +3722,20 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
     /* m_Unwrap builds key blob in the card,
1f6f0c
      * tell ep11 the attributes the user specified for that key.
1f6f0c
      */
1f6f0c
-    rc = build_ep11_attrs(tokdata, dilithium_key_obj->template,
1f6f0c
+    rc = build_ep11_attrs(tokdata, pqc_key_obj->template,
1f6f0c
                           &p_attrs, &attrs_len,
1f6f0c
-                          CKK_IBM_PQC_DILITHIUM, class, -1, &mech_w);
1f6f0c
+                          keytype, class, -1, &mech_w);
1f6f0c
     if (rc != CKR_OK)
1f6f0c
         goto done;
1f6f0c
 
1f6f0c
     if (class != CKO_PRIVATE_KEY) {
1f6f0c
-        /* Make an SPKI for the public IBM Dilithium key */
1f6f0c
+        /* Make an SPKI for the public IBM PQC key */
1f6f0c
 
1f6f0c
-        /* A public IBM Dilithium key must either have a CKA_VALUE containing
1f6f0c
+        /* A public IBM PQC key must either have a CKA_VALUE containing
1f6f0c
          * the SPKI, or must have a keyform/mode value and the individual
1f6f0c
          * attributes
1f6f0c
          */
1f6f0c
-        if (template_attribute_find(dilithium_key_obj->template,
1f6f0c
+        if (template_attribute_find(pqc_key_obj->template,
1f6f0c
                                     CKA_VALUE, &value_attr) &&
1f6f0c
             value_attr->ulValueLen > 0 && value_attr ->pValue != NULL) {
1f6f0c
             /* CKA_VALUE with SPKI */
1f6f0c
@@ -3731,16 +3747,16 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
              * Decode SPKI and add public key attributes. This also adds the
1f6f0c
              * keyform and mode attributes to the template.
1f6f0c
              */
1f6f0c
-            rc = ibm_dilithium_priv_unwrap_get_data(dilithium_key_obj->template,
1f6f0c
-                                                    data, data_len, FALSE);
1f6f0c
+            rc = ibm_pqc_priv_unwrap_get_data(pqc_key_obj->template, keytype,
1f6f0c
+                                              data, data_len, FALSE);
1f6f0c
             if (rc != CKR_OK) {
1f6f0c
                 TRACE_ERROR("Failed to decode SPKI from CKA_VALUE.\n");
1f6f0c
                 goto done;
1f6f0c
             }
1f6f0c
          } else {
1f6f0c
             /* Individual attributes */
1f6f0c
-             rc = ibm_dilithium_publ_get_spki(dilithium_key_obj->template,
1f6f0c
-                                              FALSE, &data, &data_len);
1f6f0c
+             rc = ibm_pqc_publ_get_spki(pqc_key_obj->template, keytype,
1f6f0c
+                                        FALSE, &data, &data_len);
1f6f0c
             if (rc != CKR_OK) {
1f6f0c
                 TRACE_ERROR("%s public key import class=0x%lx rc=0x%lx "
1f6f0c
                             "data_len=0x%lx\n", __func__, class, rc, data_len);
1f6f0c
@@ -3751,15 +3767,13 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
             }
1f6f0c
 
1f6f0c
             /* Ensure both, keyform and mode attributes are added */
1f6f0c
-            oid = ibm_pqc_get_keyform_mode(dilithium_key_obj->template,
1f6f0c
-                                           CKM_IBM_DILITHIUM);
1f6f0c
+            oid = ibm_pqc_get_keyform_mode(pqc_key_obj->template, pqc_mech);
1f6f0c
             if (oid == NULL) {
1f6f0c
                 rc = CKR_TEMPLATE_INCOMPLETE;
1f6f0c
                 goto done;
1f6f0c
             }
1f6f0c
 
1f6f0c
-            rc = ibm_pqc_add_keyform_mode(dilithium_key_obj->template,
1f6f0c
-                                          oid, CKM_IBM_DILITHIUM);
1f6f0c
+            rc = ibm_pqc_add_keyform_mode(pqc_key_obj->template, oid, pqc_mech);
1f6f0c
             if (rc != CKR_OK) {
1f6f0c
                 TRACE_ERROR("ibm_pqc_add_keyform_mode failed\n");
1f6f0c
                 goto done;
1f6f0c
@@ -3772,7 +3786,7 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
                 goto done;
1f6f0c
             }
1f6f0c
 
1f6f0c
-            rc = template_update_attribute(dilithium_key_obj->template,
1f6f0c
+            rc = template_update_attribute(pqc_key_obj->template,
1f6f0c
                                            value_attr);
1f6f0c
             if (rc != CKR_OK) {
1f6f0c
                 TRACE_ERROR("%s template_update_attribute failed with rc=0x%lx\n",
1f6f0c
@@ -3786,7 +3800,7 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
         /* save the SPKI as blob although it is not a blob.
1f6f0c
          * The card expects MACed-SPKIs as public keys.
1f6f0c
          */
1f6f0c
-        rc = make_maced_spki(tokdata, sess, dilithium_key_obj, data, data_len,
1f6f0c
+        rc = make_maced_spki(tokdata, sess, pqc_key_obj, data, data_len,
1f6f0c
                              blob, blob_size, -1);
1f6f0c
         if (rc != CKR_OK) {
1f6f0c
             TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n",
1f6f0c
@@ -3798,13 +3812,13 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
 
1f6f0c
     } else {
1f6f0c
 
1f6f0c
-        /* imported private IBM Dilithium key goes here */
1f6f0c
+        /* imported private IBM PQC key goes here */
1f6f0c
 
1f6f0c
-        /* A public IBM Dilithium key must either have a CKA_VALUE containing
1f6f0c
+        /* A public IBM PQC key must either have a CKA_VALUE containing
1f6f0c
          * the PKCS#8 encoded private key, or must have a keyform/mode value
1f6f0c
          * and the individual attributes
1f6f0c
          */
1f6f0c
-        if (template_attribute_find(dilithium_key_obj->template,
1f6f0c
+        if (template_attribute_find(pqc_key_obj->template,
1f6f0c
                                     CKA_VALUE, &value_attr) &&
1f6f0c
             value_attr->ulValueLen > 0 && value_attr ->pValue != NULL) {
1f6f0c
             /* CKA_VALUE with SPKI */
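Review bot: The comment rewritten in this hunk still says "A public IBM PQC key must either have a CKA_VALUE containing the PKCS#8 encoded private key", although it sits in the `else` branch introduced as "imported private IBM PQC key goes here". Since the line is being touched anyway, it should read `/* A private IBM PQC key must either have a CKA_VALUE containing`. The context comment `/* CKA_VALUE with SPKI */` directly below has the same copy-and-paste problem and would be clearer as `/* CKA_VALUE with PKCS#8 encoded private key */`. The branch continues outside this hunk.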
1f6f0c
@@ -3813,8 +3827,8 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
             data_alloced = FALSE;
1f6f0c
 
1f6f0c
             /* Decode PKCS#8 private key and add key attributes */
1f6f0c
-            rc = ibm_dilithium_priv_unwrap(dilithium_key_obj->template,
1f6f0c
-                                           data, data_len, FALSE);
1f6f0c
+            rc = ibm_pqc_priv_unwrap(pqc_key_obj->template, keytype,
1f6f0c
+                                     data, data_len, FALSE);
1f6f0c
             if (rc != CKR_OK) {
1f6f0c
                 TRACE_ERROR("Failed to decode private key from CKA_VALUE.\n");
1f6f0c
                 goto done;
1f6f0c
@@ -3824,23 +3838,22 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
              * padding is done in mechanism. This also adds the keyform and mode
1f6f0c
              * attributes to the template.
1f6f0c
              */
1f6f0c
-            rc = ibm_dilithium_priv_wrap_get_data(dilithium_key_obj->template,
1f6f0c
-                                                  FALSE, &data, &data_len);
1f6f0c
+            rc = ibm_pqc_priv_wrap_get_data(pqc_key_obj->template, keytype,
1f6f0c
+                                            FALSE, &data, &data_len);
1f6f0c
             if (rc != CKR_OK) {
1f6f0c
-                TRACE_DEVEL("%s Dilithium wrap get data failed\n", __func__);
1f6f0c
+                TRACE_DEVEL("%s %s wrap get data failed\n", __func__,
1f6f0c
+                            key_type_str);
1f6f0c
                 goto done;
1f6f0c
             }
1f6f0c
 
1f6f0c
             /* Ensure both, keyform and mode attributes are added */
1f6f0c
-            oid = ibm_pqc_get_keyform_mode(dilithium_key_obj->template,
1f6f0c
-                                           CKM_IBM_DILITHIUM);
1f6f0c
+            oid = ibm_pqc_get_keyform_mode(pqc_key_obj->template, pqc_mech);
1f6f0c
             if (oid == NULL) {
1f6f0c
                 rc = CKR_TEMPLATE_INCOMPLETE;
1f6f0c
                 goto done;
1f6f0c
             }
1f6f0c
 
1f6f0c
-            rc = ibm_pqc_add_keyform_mode(dilithium_key_obj->template,
1f6f0c
-                                          oid, CKM_IBM_DILITHIUM);
1f6f0c
+            rc = ibm_pqc_add_keyform_mode(pqc_key_obj->template, oid, pqc_mech);
1f6f0c
             if (rc != CKR_OK) {
1f6f0c
                 TRACE_ERROR("ibm_pqc_add_keyform_mode failed\n");
1f6f0c
                 goto done;
1f6f0c
@@ -3849,8 +3862,8 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
 
1f6f0c
         /* encrypt */
1f6f0c
         RETRY_START(rc, tokdata)
1f6f0c
-            if (ep11_pqc_obj_strength_supported(target_info, CKM_IBM_DILITHIUM,
1f6f0c
-                                                dilithium_key_obj))
1f6f0c
+            if (ep11_pqc_obj_strength_supported(target_info, pqc_mech,
1f6f0c
+                                                pqc_key_obj))
1f6f0c
                 rc = dll_m_EncryptSingle(ep11_data->raw2key_wrap_blob,
1f6f0c
                                          ep11_data->raw2key_wrap_blob_l,
1f6f0c
                                          &mech_w, data, data_len,
1f6f0c
@@ -3870,8 +3883,7 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
             goto done;
1f6f0c
         }
1f6f0c
 
1f6f0c
-        rc = check_key_attributes(tokdata, CKK_IBM_PQC_DILITHIUM,
1f6f0c
-                            CKO_PRIVATE_KEY,
1f6f0c
+        rc = check_key_attributes(tokdata, keytype, CKO_PRIVATE_KEY,
1f6f0c
                             p_attrs, attrs_len,
1f6f0c
                             &new_p_attrs, &new_attrs_len, -1);
1f6f0c
         if (rc != CKR_OK) {
1f6f0c
@@ -3880,12 +3892,12 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
             goto done;
1f6f0c
         }
1f6f0c
 
1f6f0c
-        trace_attributes(__func__, "Dilithium import:", new_p_attrs, new_attrs_len);
1f6f0c
+        trace_attributes(__func__, "PQC import:", new_p_attrs, new_attrs_len);
1f6f0c
 
1f6f0c
-        ep11_get_pin_blob(ep11_session, object_is_session_object(dilithium_key_obj),
1f6f0c
+        ep11_get_pin_blob(ep11_session, object_is_session_object(pqc_key_obj),
1f6f0c
                           &ep11_pin_blob, &ep11_pin_blob_len);
1f6f0c
 
1f6f0c
-        /* calls the card, it decrypts the private Dilithium key,
1f6f0c
+        /* calls the card, it decrypts the private PQC key,
1f6f0c
          * reads its BER format and builds a blob.
1f6f0c
          */
1f6f0c
         RETRY_START(rc, tokdata)
1f6f0c
@@ -3908,12 +3920,20 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
1f6f0c
                        __func__, rc, *blob_size);
1f6f0c
         }
1f6f0c
 
1f6f0c
-        cleanse_attribute(dilithium_key_obj->template, CKA_VALUE);
1f6f0c
-        cleanse_attribute(dilithium_key_obj->template, CKA_IBM_DILITHIUM_SEED);
1f6f0c
-        cleanse_attribute(dilithium_key_obj->template, CKA_IBM_DILITHIUM_TR);
1f6f0c
-        cleanse_attribute(dilithium_key_obj->template, CKA_IBM_DILITHIUM_S1);
1f6f0c
-        cleanse_attribute(dilithium_key_obj->template, CKA_IBM_DILITHIUM_S2);
1f6f0c
-        cleanse_attribute(dilithium_key_obj->template, CKA_IBM_DILITHIUM_T0);
1f6f0c
+        cleanse_attribute(pqc_key_obj->template, CKA_VALUE);
1f6f0c
+
1f6f0c
+        switch (keytype) {
1f6f0c
+        case CKK_IBM_PQC_DILITHIUM:
1f6f0c
+            cleanse_attribute(pqc_key_obj->template, CKA_IBM_DILITHIUM_SEED);
1f6f0c
+            cleanse_attribute(pqc_key_obj->template, CKA_IBM_DILITHIUM_TR);
1f6f0c
+            cleanse_attribute(pqc_key_obj->template, CKA_IBM_DILITHIUM_S1);
1f6f0c
+            cleanse_attribute(pqc_key_obj->template, CKA_IBM_DILITHIUM_S2);
1f6f0c
+            cleanse_attribute(pqc_key_obj->template, CKA_IBM_DILITHIUM_T0);
1f6f0c
+            break;
1f6f0c
+        case CKK_IBM_PQC_KYBER:
1f6f0c
+            cleanse_attribute(pqc_key_obj->template, CKA_IBM_KYBER_SK);
1f6f0c
+            break;
1f6f0c
+        }
1f6f0c
     }
1f6f0c
 
1f6f0c
 done:
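Review bot: The new `switch (keytype)` that scrubs the clear private-key components has no `default`, so a key type later added to the switch at the top of import_IBM_pqc_key but forgotten here would leave its secret attributes in the template without any diagnostic. Adding `default: TRACE_DEVEL("%s no key-type specific attributes cleansed\n", __func__); break;` (or at least an explicit comment) makes that gap visible. The cleansing also sits at the end of the private-key branch, so the earlier `goto done` error exits visible in the preceding hunks skip it; whether `done:` or the caller wipes CKA_VALUE and CKA_IBM_KYBER_SK on those paths is not visible here and is worth confirming. The function body starts before this hunk and `done:` continues after it.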
1f6f0c
@@ -4020,15 +4040,16 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
1f6f0c
                    __func__, rc, blobsize);
1f6f0c
         break;
1f6f0c
     case CKK_IBM_PQC_DILITHIUM:
1f6f0c
-        rc = import_IBM_Dilithium_key(tokdata, sess, obj, blob, &blobsize,
1f6f0c
-                                      spki, &spkisize);
1f6f0c
+    case CKK_IBM_PQC_KYBER:
1f6f0c
+        rc = import_IBM_pqc_key(tokdata, sess, obj, keytype, blob, &blobsize,
1f6f0c
+                                spki, &spkisize);
1f6f0c
         if (rc != CKR_OK) {
1f6f0c
-            TRACE_ERROR("%s import IBM Dilithium key rc=0x%lx blobsize=0x%zx\n",
1f6f0c
-                        __func__, rc, blobsize);
1f6f0c
+            TRACE_ERROR("%s import IBM PQC key kytype=0x%lx rc=0x%lx blobsize=0x%zx\n",
1f6f0c
+                        __func__, keytype, rc, blobsize);
1f6f0c
             return rc;
1f6f0c
         }
1f6f0c
-        TRACE_INFO("%s import IBM Dilithium key rc=0x%lx blobsize=0x%zx\n",
1f6f0c
-                   __func__, rc, blobsize);
1f6f0c
+        TRACE_INFO("%s import IBM PQC key kytype=0x%lx rc=0x%lx blobsize=0x%zx\n",
1f6f0c
+                   __func__, keytype, rc, blobsize);
1f6f0c
         break;
1f6f0c
     case CKK_DES2:
1f6f0c
     case CKK_DES3:
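Review bot: Both new trace strings in the shared Dilithium/Kyber case spell the field `kytype=0x%lx`, which will not match a search for "keytype" when these traces are used to follow key imports; it should be `keytype=0x%lx` in the TRACE_ERROR and the TRACE_INFO. The TRACE_INFO is only reached when `rc == CKR_OK`, so printing `rc` there adds nothing and could be dropped. The enclosing switch in token_specific_object_add starts and ends outside this hunk.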
1f6f0c
@@ -6582,10 +6603,10 @@ error:
1f6f0c
     return rc;
1f6f0c
 }
1f6f0c
 
1f6f0c
-static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
1f6f0c
-                                     SESSION *sess,
1f6f0c
-                                     CK_MECHANISM_PTR pMechanism,
1f6f0c
-                                     TEMPLATE *publ_tmpl, TEMPLATE *priv_tmpl)
1f6f0c
+static CK_RV ibm_pqc_generate_keypair(STDLL_TokData_t *tokdata,
1f6f0c
+                                      SESSION *sess,
1f6f0c
+                                      CK_MECHANISM_PTR pMechanism,
1f6f0c
+                                      TEMPLATE *publ_tmpl, TEMPLATE *priv_tmpl)
1f6f0c
 {
1f6f0c
     CK_RV rc;
1f6f0c
     CK_ATTRIBUTE *attr = NULL;
1f6f0c
@@ -6593,7 +6614,7 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
1f6f0c
     size_t privkey_blob_len = sizeof(privkey_blob);
1f6f0c
     unsigned char spki[MAX_BLOBSIZE];
1f6f0c
     size_t spki_len = sizeof(spki);
1f6f0c
-    CK_ULONG ktype = CKK_IBM_PQC_DILITHIUM;
1f6f0c
+    CK_ULONG ktype;
1f6f0c
     unsigned char *ep11_pin_blob = NULL;
1f6f0c
     CK_ULONG ep11_pin_blob_len = 0;
1f6f0c
     ep11_session_t *ep11_session = (ep11_session_t *) sess->private_data;
1f6f0c
@@ -6601,9 +6622,19 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
1f6f0c
     CK_ULONG new_publ_attrs_len = 0, new_priv_attrs_len = 0;
1f6f0c
     CK_ATTRIBUTE *new_publ_attrs2 = NULL, *new_priv_attrs2 = NULL;
1f6f0c
     CK_ULONG new_publ_attrs2_len = 0, new_priv_attrs2_len = 0;
1f6f0c
-    const struct pqc_oid *dilithium_oid;
1f6f0c
+    const struct pqc_oid *pqc_oid;
1f6f0c
+    const char *key_type_str;
1f6f0c
 
1f6f0c
-    if (pMechanism->mechanism != CKM_IBM_DILITHIUM) {
1f6f0c
+    switch (pMechanism->mechanism) {
1f6f0c
+    case CKM_IBM_DILITHIUM:
1f6f0c
+        key_type_str = "Dilithium";
1f6f0c
+        ktype = CKK_IBM_PQC_DILITHIUM;
1f6f0c
+        break;
1f6f0c
+    case CKM_IBM_KYBER:
1f6f0c
+        key_type_str = "Kyber";
1f6f0c
+        ktype = CKK_IBM_PQC_KYBER;
1f6f0c
+        break;
1f6f0c
+    default:
1f6f0c
         TRACE_ERROR("Invalid mechanism provided for %s\n ", __func__);
1f6f0c
         return CKR_MECHANISM_INVALID;
1f6f0c
     }
1f6f0c
@@ -6624,25 +6655,37 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
1f6f0c
         goto error;
1f6f0c
     }
1f6f0c
 
1f6f0c
-    dilithium_oid = ibm_pqc_get_keyform_mode(publ_tmpl, CKM_IBM_DILITHIUM);
1f6f0c
-    if (dilithium_oid == NULL)
1f6f0c
-        dilithium_oid = ibm_pqc_get_keyform_mode(priv_tmpl, CKM_IBM_DILITHIUM);
1f6f0c
-    if (dilithium_oid == NULL)
1f6f0c
-        dilithium_oid = find_pqc_by_keyform(dilithium_oids,
1f6f0c
-                                            CK_IBM_DILITHIUM_KEYFORM_ROUND2_65);
1f6f0c
-    if (dilithium_oid == NULL) {
1f6f0c
-        TRACE_ERROR("%s Failed to determine Dilithium OID\n", __func__);
1f6f0c
+    pqc_oid = ibm_pqc_get_keyform_mode(publ_tmpl, pMechanism->mechanism);
1f6f0c
+    if (pqc_oid == NULL)
1f6f0c
+        pqc_oid = ibm_pqc_get_keyform_mode(priv_tmpl, pMechanism->mechanism);
1f6f0c
+    if (pqc_oid == NULL) {
1f6f0c
+        switch (pMechanism->mechanism) {
1f6f0c
+        case CKM_IBM_DILITHIUM:
1f6f0c
+            pqc_oid = find_pqc_by_keyform(dilithium_oids,
1f6f0c
+                                          CK_IBM_DILITHIUM_KEYFORM_ROUND2_65);
1f6f0c
+            break;
1f6f0c
+        case CKM_IBM_KYBER:
1f6f0c
+            pqc_oid = find_pqc_by_keyform(kyber_oids,
1f6f0c
+                                          CK_IBM_KYBER_KEYFORM_ROUND2_1024);
1f6f0c
+            break;
1f6f0c
+        default:
1f6f0c
+            /* pqc_oid stays NULL */
1f6f0c
+            break;
1f6f0c
+        }
1f6f0c
+    }
1f6f0c
+    if (pqc_oid == NULL) {
1f6f0c
+        TRACE_ERROR("%s Failed to determine %s OID\n", __func__, key_type_str);
1f6f0c
         rc = CKR_FUNCTION_FAILED;
1f6f0c
         goto error;
1f6f0c
     }
1f6f0c
 
1f6f0c
-    TRACE_INFO("%s Generate Dilithium key with keyform %lu\n", __func__,
1f6f0c
-               dilithium_oid->keyform);
1f6f0c
+    TRACE_INFO("%s Generate %s key with keyform %lu\n", __func__, key_type_str,
1f6f0c
+               pqc_oid->keyform);
1f6f0c
 
1f6f0c
     rc = add_to_attribute_array(&new_publ_attrs, &new_publ_attrs_len,
1f6f0c
                                 CKA_IBM_PQC_PARAMS,
1f6f0c
-                                (CK_BYTE *)dilithium_oid->oid,
1f6f0c
-                                dilithium_oid->oid_len);
1f6f0c
+                                (CK_BYTE *)pqc_oid->oid,
1f6f0c
+                                pqc_oid->oid_len);
1f6f0c
     if (rc != CKR_OK) {
1f6f0c
         TRACE_ERROR("%s add_to_attribute_array failed with rc=0x%lx\n",
1f6f0c
                     __func__, rc);
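Review bot: The fallback `switch (pMechanism->mechanism)` repeats the dispatch already done at the top of ibm_pqc_generate_keypair, and its `default` arm is unreachable because that first switch returns CKR_MECHANISM_INVALID for anything else. Selecting the default in the first switch keeps the mechanism-to-parameter mapping in one place, e.g. recording the OID table and default keyform next to `ktype` there and leaving a single `pqc_oid = find_pqc_by_keyform(dflt_oids, dflt_keyform);` here (`dflt_oids` and `dflt_keyform` are names I am proposing). A comment stating that Dilithium defaults to ROUND2_65 and Kyber to ROUND2_1024 when neither template carries keyform/mode would also help, since the choice is otherwise only visible in the TRACE_INFO line. The function starts and ends outside this hunk.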
1f6f0c
@@ -6651,8 +6694,8 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
1f6f0c
 
1f6f0c
     rc = add_to_attribute_array(&new_priv_attrs, &new_priv_attrs_len,
1f6f0c
                                 CKA_IBM_PQC_PARAMS,
1f6f0c
-                                (CK_BYTE *)dilithium_oid->oid,
1f6f0c
-                                dilithium_oid->oid_len);
1f6f0c
+                                (CK_BYTE *)pqc_oid->oid,
1f6f0c
+                                pqc_oid->oid_len);
1f6f0c
     if (rc != CKR_OK) {
1f6f0c
         TRACE_ERROR("%s add_to_attribute_array failed with rc=0x%lx\n",
1f6f0c
                     __func__, rc);
1f6f0c
@@ -6663,8 +6706,8 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
1f6f0c
                               new_publ_attrs, new_publ_attrs_len,
1f6f0c
                               &new_publ_attrs2, &new_publ_attrs2_len, -1);
1f6f0c
     if (rc != CKR_OK) {
1f6f0c
-        TRACE_ERROR("%s Dilithium check public key attributes failed with "
1f6f0c
-                    "rc=0x%lx\n", __func__, rc);
1f6f0c
+        TRACE_ERROR("%s %s check public key attributes failed with "
1f6f0c
+                    "rc=0x%lx\n", __func__, key_type_str, rc);
1f6f0c
         goto error;
1f6f0c
     }
1f6f0c
 
1f6f0c
@@ -6672,14 +6715,14 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
1f6f0c
                               new_priv_attrs, new_priv_attrs_len,
1f6f0c
                               &new_priv_attrs2, &new_priv_attrs2_len, -1);
1f6f0c
     if (rc != CKR_OK) {
1f6f0c
-        TRACE_ERROR("%s Dilithium check private key attributes failed with "
1f6f0c
-                    "rc=0x%lx\n", __func__, rc);
1f6f0c
+        TRACE_ERROR("%s %s check private key attributes failed with "
1f6f0c
+                    "rc=0x%lx\n", __func__, key_type_str, rc);
1f6f0c
         goto error;
1f6f0c
     }
1f6f0c
 
1f6f0c
-    trace_attributes(__func__, "Dilithium public key attributes:",
1f6f0c
+    trace_attributes(__func__, "PQC public key attributes:",
1f6f0c
                      new_publ_attrs2, new_publ_attrs2_len);
1f6f0c
-    trace_attributes(__func__, "Dilithium private key attributes:",
1f6f0c
+    trace_attributes(__func__, "PQC private key attributes:",
1f6f0c
                      new_priv_attrs2, new_priv_attrs2_len);
1f6f0c
 
1f6f0c
     ep11_get_pin_blob(ep11_session,
1f6f0c
@@ -6691,7 +6734,7 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
1f6f0c
 
1f6f0c
     RETRY_START(rc, tokdata)
1f6f0c
         if (ep11_pqc_strength_supported(target_info, pMechanism->mechanism,
1f6f0c
-                                        dilithium_oid))
1f6f0c
+                                        pqc_oid))
1f6f0c
             rc = dll_m_GenerateKeyPair(pMechanism,
1f6f0c
                                        new_publ_attrs2, new_publ_attrs2_len,
1f6f0c
                                        new_priv_attrs2, new_priv_attrs2_len,
1f6f0c
@@ -6752,16 +6795,18 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
1f6f0c
         goto error;
1f6f0c
     }
1f6f0c
 
1f6f0c
-    rc = ibm_dilithium_priv_unwrap_get_data(publ_tmpl, spki, spki_len, TRUE);
1f6f0c
+    rc = ibm_pqc_priv_unwrap_get_data(publ_tmpl, ktype,
1f6f0c
+                                      spki, spki_len, TRUE);
1f6f0c
     if (rc != CKR_OK) {
1f6f0c
-        TRACE_ERROR("%s ibm_dilithium_priv_unwrap_get_data with rc=0x%lx\n",
1f6f0c
+        TRACE_ERROR("%s ibm_pqc_priv_unwrap_get_data with rc=0x%lx\n",
1f6f0c
                     __func__, rc);
1f6f0c
         goto error;
1f6f0c
     }
1f6f0c
 
1f6f0c
-    rc = ibm_dilithium_priv_unwrap_get_data(priv_tmpl, spki, spki_len, FALSE);
1f6f0c
+    rc = ibm_pqc_priv_unwrap_get_data(priv_tmpl, ktype,
1f6f0c
+                                      spki, spki_len, FALSE);
1f6f0c
     if (rc != CKR_OK) {
1f6f0c
-        TRACE_ERROR("%s ibm_dilithium_priv_unwrap_get_data with rc=0x%lx\n",
1f6f0c
+        TRACE_ERROR("%s ibm_pqc_priv_unwrap_get_data with rc=0x%lx\n",
1f6f0c
                     __func__, rc);
1f6f0c
         goto error;
1f6f0c
     }
1f6f0c
@@ -6854,9 +6899,10 @@ CK_RV ep11tok_generate_key_pair(STDLL_TokData_t * tokdata, SESSION * sess,
1f6f0c
                                   private_key_obj->template);
1f6f0c
         break;
1f6f0c
     case CKM_IBM_DILITHIUM:
1f6f0c
-        rc = ibm_dilithium_generate_keypair(tokdata, sess, pMechanism,
1f6f0c
-                                            public_key_obj->template,
1f6f0c
-                                            private_key_obj->template);
1f6f0c
+    case CKM_IBM_KYBER:
1f6f0c
+        rc = ibm_pqc_generate_keypair(tokdata, sess, pMechanism,
1f6f0c
+                                      public_key_obj->template,
1f6f0c
+                                      private_key_obj->template);
1f6f0c
         break;
1f6f0c
     default:
1f6f0c
         TRACE_ERROR("%s invalid mech %s\n", __func__,
-- 
2.16.2.windows.1