|
|
1f6f0c |
From 5b5d1830dadfbbd310c11d26d86426ed63eed936 Mon Sep 17 00:00:00 2001
|
|
|
1f6f0c |
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
1f6f0c |
Date: Tue, 1 Mar 2022 11:09:26 +0100
|
|
|
1f6f0c |
Subject: [PATCH 26/34] EP11: Add support for generating and importing Kyber
|
|
|
1f6f0c |
keys
|
|
|
1f6f0c |
|
|
|
1f6f0c |
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
1f6f0c |
---
|
|
|
1f6f0c |
usr/lib/ep11_stdll/ep11_specific.c | 222 ++++++++++++++++++++++---------------
|
|
|
1f6f0c |
1 file changed, 134 insertions(+), 88 deletions(-)
|
|
|
1f6f0c |
|
|
|
1f6f0c |
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
|
|
1f6f0c |
index 44796dba..bc17b07a 100644
|
|
|
1f6f0c |
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
|
|
1f6f0c |
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
|
|
1f6f0c |
@@ -3664,14 +3664,14 @@ import_DH_key_end:
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
/*
|
|
|
1f6f0c |
- * makes blobs for private imported IBM Dilithium keys and
|
|
|
1f6f0c |
- * SPKIs for public imported IBM Dilithium keys.
|
|
|
1f6f0c |
+ * makes blobs for private imported IBM PQC keys and
|
|
|
1f6f0c |
+ * SPKIs for public imported IBM PQC keys.
|
|
|
1f6f0c |
* Similar to rawkey_2_blob, but keys must follow a standard BER encoding.
|
|
|
1f6f0c |
*/
|
|
|
1f6f0c |
-static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
- OBJECT *dilithium_key_obj,
|
|
|
1f6f0c |
- CK_BYTE *blob, size_t *blob_size,
|
|
|
1f6f0c |
- CK_BYTE *spki, size_t *spki_size)
|
|
|
1f6f0c |
+static CK_RV import_IBM_pqc_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
+ OBJECT *pqc_key_obj, CK_KEY_TYPE keytype,
|
|
|
1f6f0c |
+ CK_BYTE *blob, size_t *blob_size,
|
|
|
1f6f0c |
+ CK_BYTE *spki, size_t *spki_size)
|
|
|
1f6f0c |
{
|
|
|
1f6f0c |
ep11_private_data_t *ep11_data = tokdata->private_data;
|
|
|
1f6f0c |
CK_RV rc;
|
|
|
1f6f0c |
@@ -3692,11 +3692,27 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
CK_ATTRIBUTE *value_attr = NULL;
|
|
|
1f6f0c |
CK_BBOOL data_alloced = TRUE;
|
|
|
1f6f0c |
const struct pqc_oid *oid;
|
|
|
1f6f0c |
+ const char *key_type_str;
|
|
|
1f6f0c |
+ CK_MECHANISM_TYPE pqc_mech;
|
|
|
1f6f0c |
+
|
|
|
1f6f0c |
+ switch (keytype) {
|
|
|
1f6f0c |
+ case CKK_IBM_PQC_DILITHIUM:
|
|
|
1f6f0c |
+ key_type_str = "Dilithium";
|
|
|
1f6f0c |
+ pqc_mech = CKM_IBM_DILITHIUM;
|
|
|
1f6f0c |
+ break;
|
|
|
1f6f0c |
+ case CKK_IBM_PQC_KYBER:
|
|
|
1f6f0c |
+ key_type_str = "Kyber";
|
|
|
1f6f0c |
+ pqc_mech = CKM_IBM_KYBER;
|
|
|
1f6f0c |
+ break;
|
|
|
1f6f0c |
+ default:
|
|
|
1f6f0c |
+ TRACE_ERROR("Invalid key type provided for %s\n ", __func__);
|
|
|
1f6f0c |
+ return CKR_KEY_TYPE_INCONSISTENT;
|
|
|
1f6f0c |
+ }
|
|
|
1f6f0c |
|
|
|
1f6f0c |
memcpy(iv, "1234567812345678", AES_BLOCK_SIZE);
|
|
|
1f6f0c |
|
|
|
1f6f0c |
/* need class for secret/public key info */
|
|
|
1f6f0c |
- rc = template_attribute_get_ulong(dilithium_key_obj->template, CKA_CLASS,
|
|
|
1f6f0c |
+ rc = template_attribute_get_ulong(pqc_key_obj->template, CKA_CLASS,
|
|
|
1f6f0c |
&class);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
TRACE_ERROR("Could not find CKA_CLASS for the key.\n");
|
|
|
1f6f0c |
@@ -3706,20 +3722,20 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
/* m_Unwrap builds key blob in the card,
|
|
|
1f6f0c |
* tell ep11 the attributes the user specified for that key.
|
|
|
1f6f0c |
*/
|
|
|
1f6f0c |
- rc = build_ep11_attrs(tokdata, dilithium_key_obj->template,
|
|
|
1f6f0c |
+ rc = build_ep11_attrs(tokdata, pqc_key_obj->template,
|
|
|
1f6f0c |
&p_attrs, &attrs_len,
|
|
|
1f6f0c |
- CKK_IBM_PQC_DILITHIUM, class, -1, &mech_w);
|
|
|
1f6f0c |
+ keytype, class, -1, &mech_w);
|
|
|
1f6f0c |
if (rc != CKR_OK)
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
|
|
|
1f6f0c |
if (class != CKO_PRIVATE_KEY) {
|
|
|
1f6f0c |
- /* Make an SPKI for the public IBM Dilithium key */
|
|
|
1f6f0c |
+ /* Make an SPKI for the public IBM PQC key */
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- /* A public IBM Dilithium key must either have a CKA_VALUE containing
|
|
|
1f6f0c |
+ /* A public IBM PQC key must either have a CKA_VALUE containing
|
|
|
1f6f0c |
* the SPKI, or must have a keyform/mode value and the individual
|
|
|
1f6f0c |
* attributes
|
|
|
1f6f0c |
*/
|
|
|
1f6f0c |
- if (template_attribute_find(dilithium_key_obj->template,
|
|
|
1f6f0c |
+ if (template_attribute_find(pqc_key_obj->template,
|
|
|
1f6f0c |
CKA_VALUE, &value_attr) &&
|
|
|
1f6f0c |
value_attr->ulValueLen > 0 && value_attr ->pValue != NULL) {
|
|
|
1f6f0c |
/* CKA_VALUE with SPKI */
|
|
|
1f6f0c |
@@ -3731,16 +3747,16 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
* Decode SPKI and add public key attributes. This also adds the
|
|
|
1f6f0c |
* keyform and mode attributes to the template.
|
|
|
1f6f0c |
*/
|
|
|
1f6f0c |
- rc = ibm_dilithium_priv_unwrap_get_data(dilithium_key_obj->template,
|
|
|
1f6f0c |
- data, data_len, FALSE);
|
|
|
1f6f0c |
+ rc = ibm_pqc_priv_unwrap_get_data(pqc_key_obj->template, keytype,
|
|
|
1f6f0c |
+ data, data_len, FALSE);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
TRACE_ERROR("Failed to decode SPKI from CKA_VALUE.\n");
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
} else {
|
|
|
1f6f0c |
/* Individual attributes */
|
|
|
1f6f0c |
- rc = ibm_dilithium_publ_get_spki(dilithium_key_obj->template,
|
|
|
1f6f0c |
- FALSE, &data, &data_len);
|
|
|
1f6f0c |
+ rc = ibm_pqc_publ_get_spki(pqc_key_obj->template, keytype,
|
|
|
1f6f0c |
+ FALSE, &data, &data_len);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
TRACE_ERROR("%s public key import class=0x%lx rc=0x%lx "
|
|
|
1f6f0c |
"data_len=0x%lx\n", __func__, class, rc, data_len);
|
|
|
1f6f0c |
@@ -3751,15 +3767,13 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
/* Ensure both, keyform and mode attributes are added */
|
|
|
1f6f0c |
- oid = ibm_pqc_get_keyform_mode(dilithium_key_obj->template,
|
|
|
1f6f0c |
- CKM_IBM_DILITHIUM);
|
|
|
1f6f0c |
+ oid = ibm_pqc_get_keyform_mode(pqc_key_obj->template, pqc_mech);
|
|
|
1f6f0c |
if (oid == NULL) {
|
|
|
1f6f0c |
rc = CKR_TEMPLATE_INCOMPLETE;
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- rc = ibm_pqc_add_keyform_mode(dilithium_key_obj->template,
|
|
|
1f6f0c |
- oid, CKM_IBM_DILITHIUM);
|
|
|
1f6f0c |
+ rc = ibm_pqc_add_keyform_mode(pqc_key_obj->template, oid, pqc_mech);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
TRACE_ERROR("ibm_pqc_add_keyform_mode failed\n");
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
@@ -3772,7 +3786,7 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- rc = template_update_attribute(dilithium_key_obj->template,
|
|
|
1f6f0c |
+ rc = template_update_attribute(pqc_key_obj->template,
|
|
|
1f6f0c |
value_attr);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
TRACE_ERROR("%s template_update_attribute failed with rc=0x%lx\n",
|
|
|
1f6f0c |
@@ -3786,7 +3800,7 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
/* save the SPKI as blob although it is not a blob.
|
|
|
1f6f0c |
* The card expects MACed-SPKIs as public keys.
|
|
|
1f6f0c |
*/
|
|
|
1f6f0c |
- rc = make_maced_spki(tokdata, sess, dilithium_key_obj, data, data_len,
|
|
|
1f6f0c |
+ rc = make_maced_spki(tokdata, sess, pqc_key_obj, data, data_len,
|
|
|
1f6f0c |
blob, blob_size, -1);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n",
|
|
|
1f6f0c |
@@ -3798,13 +3812,13 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
|
|
|
1f6f0c |
} else {
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- /* imported private IBM Dilithium key goes here */
|
|
|
1f6f0c |
+ /* imported private IBM PQC key goes here */
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- /* A public IBM Dilithium key must either have a CKA_VALUE containing
|
|
|
1f6f0c |
+ /* A public IBM PQC key must either have a CKA_VALUE containing
|
|
|
1f6f0c |
* the PKCS#8 encoded private key, or must have a keyform/mode value
|
|
|
1f6f0c |
* and the individual attributes
|
|
|
1f6f0c |
*/
|
|
|
1f6f0c |
- if (template_attribute_find(dilithium_key_obj->template,
|
|
|
1f6f0c |
+ if (template_attribute_find(pqc_key_obj->template,
|
|
|
1f6f0c |
CKA_VALUE, &value_attr) &&
|
|
|
1f6f0c |
value_attr->ulValueLen > 0 && value_attr ->pValue != NULL) {
|
|
|
1f6f0c |
/* CKA_VALUE with SPKI */
|
|
|
1f6f0c |
@@ -3813,8 +3827,8 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
data_alloced = FALSE;
|
|
|
1f6f0c |
|
|
|
1f6f0c |
/* Decode PKCS#8 private key and add key attributes */
|
|
|
1f6f0c |
- rc = ibm_dilithium_priv_unwrap(dilithium_key_obj->template,
|
|
|
1f6f0c |
- data, data_len, FALSE);
|
|
|
1f6f0c |
+ rc = ibm_pqc_priv_unwrap(pqc_key_obj->template, keytype,
|
|
|
1f6f0c |
+ data, data_len, FALSE);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
TRACE_ERROR("Failed to decode private key from CKA_VALUE.\n");
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
@@ -3824,23 +3838,22 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
* padding is done in mechanism. This also adds the keyform and mode
|
|
|
1f6f0c |
* attributes to the template.
|
|
|
1f6f0c |
*/
|
|
|
1f6f0c |
- rc = ibm_dilithium_priv_wrap_get_data(dilithium_key_obj->template,
|
|
|
1f6f0c |
- FALSE, &data, &data_len);
|
|
|
1f6f0c |
+ rc = ibm_pqc_priv_wrap_get_data(pqc_key_obj->template, keytype,
|
|
|
1f6f0c |
+ FALSE, &data, &data_len);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
- TRACE_DEVEL("%s Dilithium wrap get data failed\n", __func__);
|
|
|
1f6f0c |
+ TRACE_DEVEL("%s %s wrap get data failed\n", __func__,
|
|
|
1f6f0c |
+ key_type_str);
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
/* Ensure both, keyform and mode attributes are added */
|
|
|
1f6f0c |
- oid = ibm_pqc_get_keyform_mode(dilithium_key_obj->template,
|
|
|
1f6f0c |
- CKM_IBM_DILITHIUM);
|
|
|
1f6f0c |
+ oid = ibm_pqc_get_keyform_mode(pqc_key_obj->template, pqc_mech);
|
|
|
1f6f0c |
if (oid == NULL) {
|
|
|
1f6f0c |
rc = CKR_TEMPLATE_INCOMPLETE;
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- rc = ibm_pqc_add_keyform_mode(dilithium_key_obj->template,
|
|
|
1f6f0c |
- oid, CKM_IBM_DILITHIUM);
|
|
|
1f6f0c |
+ rc = ibm_pqc_add_keyform_mode(pqc_key_obj->template, oid, pqc_mech);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
TRACE_ERROR("ibm_pqc_add_keyform_mode failed\n");
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
@@ -3849,8 +3862,8 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
|
|
|
1f6f0c |
/* encrypt */
|
|
|
1f6f0c |
RETRY_START(rc, tokdata)
|
|
|
1f6f0c |
- if (ep11_pqc_obj_strength_supported(target_info, CKM_IBM_DILITHIUM,
|
|
|
1f6f0c |
- dilithium_key_obj))
|
|
|
1f6f0c |
+ if (ep11_pqc_obj_strength_supported(target_info, pqc_mech,
|
|
|
1f6f0c |
+ pqc_key_obj))
|
|
|
1f6f0c |
rc = dll_m_EncryptSingle(ep11_data->raw2key_wrap_blob,
|
|
|
1f6f0c |
ep11_data->raw2key_wrap_blob_l,
|
|
|
1f6f0c |
&mech_w, data, data_len,
|
|
|
1f6f0c |
@@ -3870,8 +3883,7 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- rc = check_key_attributes(tokdata, CKK_IBM_PQC_DILITHIUM,
|
|
|
1f6f0c |
- CKO_PRIVATE_KEY,
|
|
|
1f6f0c |
+ rc = check_key_attributes(tokdata, keytype, CKO_PRIVATE_KEY,
|
|
|
1f6f0c |
p_attrs, attrs_len,
|
|
|
1f6f0c |
&new_p_attrs, &new_attrs_len, -1);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
@@ -3880,12 +3892,12 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
goto done;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- trace_attributes(__func__, "Dilithium import:", new_p_attrs, new_attrs_len);
|
|
|
1f6f0c |
+ trace_attributes(__func__, "PQC import:", new_p_attrs, new_attrs_len);
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- ep11_get_pin_blob(ep11_session, object_is_session_object(dilithium_key_obj),
|
|
|
1f6f0c |
+ ep11_get_pin_blob(ep11_session, object_is_session_object(pqc_key_obj),
|
|
|
1f6f0c |
&ep11_pin_blob, &ep11_pin_blob_len);
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- /* calls the card, it decrypts the private Dilithium key,
|
|
|
1f6f0c |
+ /* calls the card, it decrypts the private PQC key,
|
|
|
1f6f0c |
* reads its BER format and builds a blob.
|
|
|
1f6f0c |
*/
|
|
|
1f6f0c |
RETRY_START(rc, tokdata)
|
|
|
1f6f0c |
@@ -3908,12 +3920,20 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
|
1f6f0c |
__func__, rc, *blob_size);
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- cleanse_attribute(dilithium_key_obj->template, CKA_VALUE);
|
|
|
1f6f0c |
- cleanse_attribute(dilithium_key_obj->template, CKA_IBM_DILITHIUM_SEED);
|
|
|
1f6f0c |
- cleanse_attribute(dilithium_key_obj->template, CKA_IBM_DILITHIUM_TR);
|
|
|
1f6f0c |
- cleanse_attribute(dilithium_key_obj->template, CKA_IBM_DILITHIUM_S1);
|
|
|
1f6f0c |
- cleanse_attribute(dilithium_key_obj->template, CKA_IBM_DILITHIUM_S2);
|
|
|
1f6f0c |
- cleanse_attribute(dilithium_key_obj->template, CKA_IBM_DILITHIUM_T0);
|
|
|
1f6f0c |
+ cleanse_attribute(pqc_key_obj->template, CKA_VALUE);
|
|
|
1f6f0c |
+
|
|
|
1f6f0c |
+ switch (keytype) {
|
|
|
1f6f0c |
+ case CKK_IBM_PQC_DILITHIUM:
|
|
|
1f6f0c |
+ cleanse_attribute(pqc_key_obj->template, CKA_IBM_DILITHIUM_SEED);
|
|
|
1f6f0c |
+ cleanse_attribute(pqc_key_obj->template, CKA_IBM_DILITHIUM_TR);
|
|
|
1f6f0c |
+ cleanse_attribute(pqc_key_obj->template, CKA_IBM_DILITHIUM_S1);
|
|
|
1f6f0c |
+ cleanse_attribute(pqc_key_obj->template, CKA_IBM_DILITHIUM_S2);
|
|
|
1f6f0c |
+ cleanse_attribute(pqc_key_obj->template, CKA_IBM_DILITHIUM_T0);
|
|
|
1f6f0c |
+ break;
|
|
|
1f6f0c |
+ case CKK_IBM_PQC_KYBER:
|
|
|
1f6f0c |
+ cleanse_attribute(pqc_key_obj->template, CKA_IBM_KYBER_SK);
|
|
|
1f6f0c |
+ break;
|
|
|
1f6f0c |
+ }
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
done:
|
|
|
1f6f0c |
@@ -4020,15 +4040,16 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
|
1f6f0c |
__func__, rc, blobsize);
|
|
|
1f6f0c |
break;
|
|
|
1f6f0c |
case CKK_IBM_PQC_DILITHIUM:
|
|
|
1f6f0c |
- rc = import_IBM_Dilithium_key(tokdata, sess, obj, blob, &blobsize,
|
|
|
1f6f0c |
- spki, &spkisize);
|
|
|
1f6f0c |
+ case CKK_IBM_PQC_KYBER:
|
|
|
1f6f0c |
+ rc = import_IBM_pqc_key(tokdata, sess, obj, keytype, blob, &blobsize,
|
|
|
1f6f0c |
+ spki, &spkisize);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
- TRACE_ERROR("%s import IBM Dilithium key rc=0x%lx blobsize=0x%zx\n",
|
|
|
1f6f0c |
- __func__, rc, blobsize);
|
|
|
1f6f0c |
+ TRACE_ERROR("%s import IBM PQC key kytype=0x%lx rc=0x%lx blobsize=0x%zx\n",
|
|
|
1f6f0c |
+ __func__, keytype, rc, blobsize);
|
|
|
1f6f0c |
return rc;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
- TRACE_INFO("%s import IBM Dilithium key rc=0x%lx blobsize=0x%zx\n",
|
|
|
1f6f0c |
- __func__, rc, blobsize);
|
|
|
1f6f0c |
+ TRACE_INFO("%s import IBM PQC key kytype=0x%lx rc=0x%lx blobsize=0x%zx\n",
|
|
|
1f6f0c |
+ __func__, keytype, rc, blobsize);
|
|
|
1f6f0c |
break;
|
|
|
1f6f0c |
case CKK_DES2:
|
|
|
1f6f0c |
case CKK_DES3:
|
|
|
1f6f0c |
@@ -6582,10 +6603,10 @@ error:
|
|
|
1f6f0c |
return rc;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
-static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
|
|
|
1f6f0c |
- SESSION *sess,
|
|
|
1f6f0c |
- CK_MECHANISM_PTR pMechanism,
|
|
|
1f6f0c |
- TEMPLATE *publ_tmpl, TEMPLATE *priv_tmpl)
|
|
|
1f6f0c |
+static CK_RV ibm_pqc_generate_keypair(STDLL_TokData_t *tokdata,
|
|
|
1f6f0c |
+ SESSION *sess,
|
|
|
1f6f0c |
+ CK_MECHANISM_PTR pMechanism,
|
|
|
1f6f0c |
+ TEMPLATE *publ_tmpl, TEMPLATE *priv_tmpl)
|
|
|
1f6f0c |
{
|
|
|
1f6f0c |
CK_RV rc;
|
|
|
1f6f0c |
CK_ATTRIBUTE *attr = NULL;
|
|
|
1f6f0c |
@@ -6593,7 +6614,7 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
|
|
|
1f6f0c |
size_t privkey_blob_len = sizeof(privkey_blob);
|
|
|
1f6f0c |
unsigned char spki[MAX_BLOBSIZE];
|
|
|
1f6f0c |
size_t spki_len = sizeof(spki);
|
|
|
1f6f0c |
- CK_ULONG ktype = CKK_IBM_PQC_DILITHIUM;
|
|
|
1f6f0c |
+ CK_ULONG ktype;
|
|
|
1f6f0c |
unsigned char *ep11_pin_blob = NULL;
|
|
|
1f6f0c |
CK_ULONG ep11_pin_blob_len = 0;
|
|
|
1f6f0c |
ep11_session_t *ep11_session = (ep11_session_t *) sess->private_data;
|
|
|
1f6f0c |
@@ -6601,9 +6622,19 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
|
|
|
1f6f0c |
CK_ULONG new_publ_attrs_len = 0, new_priv_attrs_len = 0;
|
|
|
1f6f0c |
CK_ATTRIBUTE *new_publ_attrs2 = NULL, *new_priv_attrs2 = NULL;
|
|
|
1f6f0c |
CK_ULONG new_publ_attrs2_len = 0, new_priv_attrs2_len = 0;
|
|
|
1f6f0c |
- const struct pqc_oid *dilithium_oid;
|
|
|
1f6f0c |
+ const struct pqc_oid *pqc_oid;
|
|
|
1f6f0c |
+ const char *key_type_str;
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- if (pMechanism->mechanism != CKM_IBM_DILITHIUM) {
|
|
|
1f6f0c |
+ switch (pMechanism->mechanism) {
|
|
|
1f6f0c |
+ case CKM_IBM_DILITHIUM:
|
|
|
1f6f0c |
+ key_type_str = "Dilithium";
|
|
|
1f6f0c |
+ ktype = CKK_IBM_PQC_DILITHIUM;
|
|
|
1f6f0c |
+ break;
|
|
|
1f6f0c |
+ case CKM_IBM_KYBER:
|
|
|
1f6f0c |
+ key_type_str = "Kyber";
|
|
|
1f6f0c |
+ ktype = CKK_IBM_PQC_KYBER;
|
|
|
1f6f0c |
+ break;
|
|
|
1f6f0c |
+ default:
|
|
|
1f6f0c |
TRACE_ERROR("Invalid mechanism provided for %s\n ", __func__);
|
|
|
1f6f0c |
return CKR_MECHANISM_INVALID;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
@@ -6624,25 +6655,37 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
|
|
|
1f6f0c |
goto error;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- dilithium_oid = ibm_pqc_get_keyform_mode(publ_tmpl, CKM_IBM_DILITHIUM);
|
|
|
1f6f0c |
- if (dilithium_oid == NULL)
|
|
|
1f6f0c |
- dilithium_oid = ibm_pqc_get_keyform_mode(priv_tmpl, CKM_IBM_DILITHIUM);
|
|
|
1f6f0c |
- if (dilithium_oid == NULL)
|
|
|
1f6f0c |
- dilithium_oid = find_pqc_by_keyform(dilithium_oids,
|
|
|
1f6f0c |
- CK_IBM_DILITHIUM_KEYFORM_ROUND2_65);
|
|
|
1f6f0c |
- if (dilithium_oid == NULL) {
|
|
|
1f6f0c |
- TRACE_ERROR("%s Failed to determine Dilithium OID\n", __func__);
|
|
|
1f6f0c |
+ pqc_oid = ibm_pqc_get_keyform_mode(publ_tmpl, pMechanism->mechanism);
|
|
|
1f6f0c |
+ if (pqc_oid == NULL)
|
|
|
1f6f0c |
+ pqc_oid = ibm_pqc_get_keyform_mode(priv_tmpl, pMechanism->mechanism);
|
|
|
1f6f0c |
+ if (pqc_oid == NULL) {
|
|
|
1f6f0c |
+ switch (pMechanism->mechanism) {
|
|
|
1f6f0c |
+ case CKM_IBM_DILITHIUM:
|
|
|
1f6f0c |
+ pqc_oid = find_pqc_by_keyform(dilithium_oids,
|
|
|
1f6f0c |
+ CK_IBM_DILITHIUM_KEYFORM_ROUND2_65);
|
|
|
1f6f0c |
+ break;
|
|
|
1f6f0c |
+ case CKM_IBM_KYBER:
|
|
|
1f6f0c |
+ pqc_oid = find_pqc_by_keyform(kyber_oids,
|
|
|
1f6f0c |
+ CK_IBM_KYBER_KEYFORM_ROUND2_1024);
|
|
|
1f6f0c |
+ break;
|
|
|
1f6f0c |
+ default:
|
|
|
1f6f0c |
+ /* pqc_oid stays NULL */
|
|
|
1f6f0c |
+ break;
|
|
|
1f6f0c |
+ }
|
|
|
1f6f0c |
+ }
|
|
|
1f6f0c |
+ if (pqc_oid == NULL) {
|
|
|
1f6f0c |
+ TRACE_ERROR("%s Failed to determine %s OID\n", __func__, key_type_str);
|
|
|
1f6f0c |
rc = CKR_FUNCTION_FAILED;
|
|
|
1f6f0c |
goto error;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- TRACE_INFO("%s Generate Dilithium key with keyform %lu\n", __func__,
|
|
|
1f6f0c |
- dilithium_oid->keyform);
|
|
|
1f6f0c |
+ TRACE_INFO("%s Generate %s key with keyform %lu\n", __func__, key_type_str,
|
|
|
1f6f0c |
+ pqc_oid->keyform);
|
|
|
1f6f0c |
|
|
|
1f6f0c |
rc = add_to_attribute_array(&new_publ_attrs, &new_publ_attrs_len,
|
|
|
1f6f0c |
CKA_IBM_PQC_PARAMS,
|
|
|
1f6f0c |
- (CK_BYTE *)dilithium_oid->oid,
|
|
|
1f6f0c |
- dilithium_oid->oid_len);
|
|
|
1f6f0c |
+ (CK_BYTE *)pqc_oid->oid,
|
|
|
1f6f0c |
+ pqc_oid->oid_len);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
TRACE_ERROR("%s add_to_attribute_array failed with rc=0x%lx\n",
|
|
|
1f6f0c |
__func__, rc);
|
|
|
1f6f0c |
@@ -6651,8 +6694,8 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
|
|
|
1f6f0c |
|
|
|
1f6f0c |
rc = add_to_attribute_array(&new_priv_attrs, &new_priv_attrs_len,
|
|
|
1f6f0c |
CKA_IBM_PQC_PARAMS,
|
|
|
1f6f0c |
- (CK_BYTE *)dilithium_oid->oid,
|
|
|
1f6f0c |
- dilithium_oid->oid_len);
|
|
|
1f6f0c |
+ (CK_BYTE *)pqc_oid->oid,
|
|
|
1f6f0c |
+ pqc_oid->oid_len);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
TRACE_ERROR("%s add_to_attribute_array failed with rc=0x%lx\n",
|
|
|
1f6f0c |
__func__, rc);
|
|
|
1f6f0c |
@@ -6663,8 +6706,8 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
|
|
|
1f6f0c |
new_publ_attrs, new_publ_attrs_len,
|
|
|
1f6f0c |
&new_publ_attrs2, &new_publ_attrs2_len, -1);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
- TRACE_ERROR("%s Dilithium check public key attributes failed with "
|
|
|
1f6f0c |
- "rc=0x%lx\n", __func__, rc);
|
|
|
1f6f0c |
+ TRACE_ERROR("%s %s check public key attributes failed with "
|
|
|
1f6f0c |
+ "rc=0x%lx\n", __func__, key_type_str, rc);
|
|
|
1f6f0c |
goto error;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
@@ -6672,14 +6715,14 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
|
|
|
1f6f0c |
new_priv_attrs, new_priv_attrs_len,
|
|
|
1f6f0c |
&new_priv_attrs2, &new_priv_attrs2_len, -1);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
- TRACE_ERROR("%s Dilithium check private key attributes failed with "
|
|
|
1f6f0c |
- "rc=0x%lx\n", __func__, rc);
|
|
|
1f6f0c |
+ TRACE_ERROR("%s %s check private key attributes failed with "
|
|
|
1f6f0c |
+ "rc=0x%lx\n", __func__, key_type_str, rc);
|
|
|
1f6f0c |
goto error;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- trace_attributes(__func__, "Dilithium public key attributes:",
|
|
|
1f6f0c |
+ trace_attributes(__func__, "PQC public key attributes:",
|
|
|
1f6f0c |
new_publ_attrs2, new_publ_attrs2_len);
|
|
|
1f6f0c |
- trace_attributes(__func__, "Dilithium private key attributes:",
|
|
|
1f6f0c |
+ trace_attributes(__func__, "PQC private key attributes:",
|
|
|
1f6f0c |
new_priv_attrs2, new_priv_attrs2_len);
|
|
|
1f6f0c |
|
|
|
1f6f0c |
ep11_get_pin_blob(ep11_session,
|
|
|
1f6f0c |
@@ -6691,7 +6734,7 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
|
|
|
1f6f0c |
|
|
|
1f6f0c |
RETRY_START(rc, tokdata)
|
|
|
1f6f0c |
if (ep11_pqc_strength_supported(target_info, pMechanism->mechanism,
|
|
|
1f6f0c |
- dilithium_oid))
|
|
|
1f6f0c |
+ pqc_oid))
|
|
|
1f6f0c |
rc = dll_m_GenerateKeyPair(pMechanism,
|
|
|
1f6f0c |
new_publ_attrs2, new_publ_attrs2_len,
|
|
|
1f6f0c |
new_priv_attrs2, new_priv_attrs2_len,
|
|
|
1f6f0c |
@@ -6752,16 +6795,18 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t *tokdata,
|
|
|
1f6f0c |
goto error;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- rc = ibm_dilithium_priv_unwrap_get_data(publ_tmpl, spki, spki_len, TRUE);
|
|
|
1f6f0c |
+ rc = ibm_pqc_priv_unwrap_get_data(publ_tmpl, ktype,
|
|
|
1f6f0c |
+ spki, spki_len, TRUE);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
- TRACE_ERROR("%s ibm_dilithium_priv_unwrap_get_data with rc=0x%lx\n",
|
|
|
1f6f0c |
+ TRACE_ERROR("%s ibm_pqc_priv_unwrap_get_data with rc=0x%lx\n",
|
|
|
1f6f0c |
__func__, rc);
|
|
|
1f6f0c |
goto error;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
|
|
|
1f6f0c |
- rc = ibm_dilithium_priv_unwrap_get_data(priv_tmpl, spki, spki_len, FALSE);
|
|
|
1f6f0c |
+ rc = ibm_pqc_priv_unwrap_get_data(priv_tmpl, ktype,
|
|
|
1f6f0c |
+ spki, spki_len, FALSE);
|
|
|
1f6f0c |
if (rc != CKR_OK) {
|
|
|
1f6f0c |
- TRACE_ERROR("%s ibm_dilithium_priv_unwrap_get_data with rc=0x%lx\n",
|
|
|
1f6f0c |
+ TRACE_ERROR("%s ibm_pqc_priv_unwrap_get_data with rc=0x%lx\n",
|
|
|
1f6f0c |
__func__, rc);
|
|
|
1f6f0c |
goto error;
|
|
|
1f6f0c |
}
|
|
|
1f6f0c |
@@ -6854,9 +6899,10 @@ CK_RV ep11tok_generate_key_pair(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
|
1f6f0c |
private_key_obj->template);
|
|
|
1f6f0c |
break;
|
|
|
1f6f0c |
case CKM_IBM_DILITHIUM:
|
|
|
1f6f0c |
- rc = ibm_dilithium_generate_keypair(tokdata, sess, pMechanism,
|
|
|
1f6f0c |
- public_key_obj->template,
|
|
|
1f6f0c |
- private_key_obj->template);
|
|
|
1f6f0c |
+ case CKM_IBM_KYBER:
|
|
|
1f6f0c |
+ rc = ibm_pqc_generate_keypair(tokdata, sess, pMechanism,
|
|
|
1f6f0c |
+ public_key_obj->template,
|
|
|
1f6f0c |
+ private_key_obj->template);
|
|
|
1f6f0c |
break;
|
|
|
1f6f0c |
default:
|
|
|
1f6f0c |
TRACE_ERROR("%s invalid mech %s\n", __func__,
|
|
|
1f6f0c |
--
|
|
|
1f6f0c |
2.16.2.windows.1
|
|
|
1f6f0c |
|