Blame SOURCES/0030-p11sak-Support-additional-Dilithium-variants.patch

1f6f0c
From 3f8b4270a7601b42f15f13f54b9b5fc207a14723 Mon Sep 17 00:00:00 2001
1f6f0c
From: Ingo Franzki <ifranzki@linux.ibm.com>
1f6f0c
Date: Tue, 8 Nov 2022 16:46:26 +0100
1f6f0c
Subject: [PATCH 30/34] p11sak: Support additional Dilithium variants
1f6f0c
1f6f0c
Support the following Dilithium versions to be specified with the
1f6f0c
generate-key command: r2_65 (as of today), r2_87, r3_44, r3_65, r3_87.
1f6f0c
1f6f0c
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
1f6f0c
---
1f6f0c
 man/man1/p11sak.1.in     | 12 ++++++++++-
1f6f0c
 usr/sbin/p11sak/p11sak.c | 53 ++++++++++++++++++++++++++++++++++++++++++++----
1f6f0c
 2 files changed, 60 insertions(+), 5 deletions(-)
1f6f0c
1f6f0c
diff --git a/man/man1/p11sak.1.in b/man/man1/p11sak.1.in
1f6f0c
index a2c2b879..6938b203 100644
1f6f0c
--- a/man/man1/p11sak.1.in
1f6f0c
+++ b/man/man1/p11sak.1.in
1f6f0c
@@ -262,7 +262,7 @@ Use the
1f6f0c
 command and key argument to generate an IBM Dilithium key, where
1f6f0c
 .I VERSION
1f6f0c
 specifies the version of the IBM Dilithium keypair. The following arguments can be used for respective keys:
1f6f0c
-.B r2_65
1f6f0c
+.B r2_65 | r2_87 | r3_44 | r3_65 | r3_87
1f6f0c
 .PP
1f6f0c
 The
1f6f0c
 .B \-\-slot
1f6f0c
@@ -368,6 +368,16 @@ to select the EC curve used to generate the key.
1f6f0c
 .
1f6f0c
 .
1f6f0c
 
1f6f0c
+.SS "r2_6|r2_87|r3_44|r3_65|r3_875"
1f6f0c
+the
1f6f0c
+.B ibm-dilithium
1f6f0c
+argument has to be followed by either of these
1f6f0c
+.I VERSION
1f6f0c
+to select the IBM dilithium version used to generate the key.
1f6f0c
+.PP
1f6f0c
+.
1f6f0c
+.
1f6f0c
+.
1f6f0c
 .SH OPTIONS
1f6f0c
 
1f6f0c
 .SS "\-\-slot SLOTID"
1f6f0c
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
1f6f0c
index 8cfcb21d..5ceb145b 100644
1f6f0c
--- a/usr/sbin/p11sak/p11sak.c
1f6f0c
+++ b/usr/sbin/p11sak/p11sak.c
1f6f0c
@@ -387,7 +387,7 @@ static void print_gen_help(void)
1f6f0c
     printf("          brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 | \n");
1f6f0c
     printf("          brainpoolP512r1 | brainpoolP512t1 | curve25519 | curve448 | ed25519 | \n");
1f6f0c
     printf("          ed448]\n");
1f6f0c
-    printf("      ibm-dilithium [r2_65]\n");
1f6f0c
+    printf("      ibm-dilithium [r2_65 | r2_87 | r3_44 | r3_65 | r3_87]\n");
1f6f0c
     printf("\n Options:\n");
1f6f0c
     printf(
1f6f0c
             "      --slot SLOTID                           openCryptoki repository token SLOTID.\n");
1f6f0c
@@ -526,6 +526,10 @@ static void print_gen_ibm_dilithium_help(void)
1f6f0c
     printf("\n Usage: p11sak generate-key ibm-dilithium [ARGS] [OPTIONS]\n");
1f6f0c
     printf("\n Args:\n");
1f6f0c
     printf("      r2_65\n");
1f6f0c
+    printf("      r2_87\n");
1f6f0c
+    printf("      r3_44\n");
1f6f0c
+    printf("      r3_65\n");
1f6f0c
+    printf("      r3_87\n");
1f6f0c
     printf("\n Options:\n");
1f6f0c
     printf(
1f6f0c
             "      --slot SLOTID                           openCryptoki repository token SLOTID.\n");
1f6f0c
@@ -764,6 +768,35 @@ static CK_RV read_ec_args(const char *ECcurve, CK_ATTRIBUTE *pubattr,
1f6f0c
 
1f6f0c
     return CKR_OK;
1f6f0c
 }
1f6f0c
+/**
1f6f0c
+ * Builds the CKA_IBM_DILITHIUM_KEYFORM attribute from the given version.
1f6f0c
+ */
1f6f0c
+static CK_RV read_dilithium_args(const char *dilithium_ver, CK_ULONG *keyform,
1f6f0c
+                                 CK_ATTRIBUTE *pubattr, CK_ULONG *pubcount)
1f6f0c
+{
1f6f0c
+    if (strcasecmp(dilithium_ver, "r2_65") == 0) {
1f6f0c
+        *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND2_65;
1f6f0c
+    } else if (strcasecmp(dilithium_ver, "r2_87") == 0) {
1f6f0c
+        *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND2_87;
1f6f0c
+    } else if (strcasecmp(dilithium_ver, "r3_44") == 0) {
1f6f0c
+        *keyform =  CK_IBM_DILITHIUM_KEYFORM_ROUND3_44;
1f6f0c
+    } else if (strcasecmp(dilithium_ver, "r3_65") == 0) {
1f6f0c
+        *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_65;
1f6f0c
+    } else if (strcasecmp(dilithium_ver, "r3_87") == 0) {
1f6f0c
+        *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_87;
1f6f0c
+    } else {
1f6f0c
+        fprintf(stderr, "Unexpected case while parsing dilithium version.\n");
1f6f0c
+        fprintf(stderr, "Note: not all tokens support all versions.\n");
1f6f0c
+        return CKR_ARGUMENTS_BAD;
1f6f0c
+    }
1f6f0c
+
1f6f0c
+    pubattr[*pubcount].type = CKA_IBM_DILITHIUM_KEYFORM;
1f6f0c
+    pubattr[*pubcount].ulValueLen = sizeof(CK_ULONG);
1f6f0c
+    pubattr[*pubcount].pValue = keyform;
1f6f0c
+    (*pubcount)++;
1f6f0c
+
1f6f0c
+    return CKR_OK;
1f6f0c
+}
1f6f0c
 /**
1f6f0c
  * Builds two CKA_LABEL attributes from given label.
1f6f0c
  */
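Review bot: read_dilithium_args stores into `pubattr[*pubcount]` and increments the count without knowing the array's capacity, so the write is in bounds only if the caller's array was sized with this extra attribute in mind. The `pub_attr` declaration in generate_asymmetric_key is outside the visible hunks (only `prv_attr[KEY_MAX_BOOL_ATTR_COUNT + 2]` is shown), so it is worth confirming that the boolean attributes, the label and the new keyform attribute still fit. The doc comment should also state two preconditions the code relies on: `dilithium_ver` must be non-NULL because it goes straight into strcasecmp(), and `*keyform` must stay alive until the template is consumed, since `pValue` keeps a pointer to it rather than a copy. Suggested addition to the comment: `Caller must pass a non-NULL version, a free slot in pubattr, and a keyform that outlives the template.`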
1f6f0c
@@ -1096,6 +1129,8 @@ static CK_RV key_pair_gen(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
1f6f0c
     if (rc != CKR_OK) {
1f6f0c
         if (is_rejected_by_policy(rc, session))
1f6f0c
             fprintf(stderr, "Key pair generation rejected by policy\n");
1f6f0c
+        else if (kt == kt_IBM_DILITHIUM && rc == CKR_KEY_SIZE_RANGE)
1f6f0c
+            fprintf(stderr, "IBM Dilithum version is not supported\n");
1f6f0c
         else
1f6f0c
             fprintf(stderr, "Key pair generation failed (error code 0x%lX: %s)\n", rc,
1f6f0c
                     p11_get_ckr(rc));
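Review bot: The new message on the CKR_KEY_SIZE_RANGE branch misspells the algorithm name as "Dilithum", so it will not match searches or log filters keyed on the spelling "Dilithium" used by every other message in this patch. It should read `fprintf(stderr, "IBM Dilithium version is not supported\n");`. This branch also drops the numeric return code that the generic branch prints, so wording such as "not supported by this token" would keep the cause clear and agree with the "not all tokens support all versions" hint in read_dilithium_args. The body of key_pair_gen starts and ends outside this hunk, so whether CKR_KEY_SIZE_RANGE can be returned for another reason on this key type cannot be judged from here.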
1f6f0c
@@ -1845,11 +1880,15 @@ static CK_RV check_args_gen_key(p11sak_kt *kt, CK_ULONG keylength,
1f6f0c
     case kt_IBM_DILITHIUM:
1f6f0c
         if (dilithium_ver == NULL) {
1f6f0c
             fprintf(stderr,
1f6f0c
-                    "Cipher key type [%d] supported but Dilithium version not set in arguments. Try adding argument <r2_65>\n",
1f6f0c
+                    "Cipher key type [%d] supported but Dilithium version not set in arguments. Try adding argument <r2_65>, <r2_87>, <r3_44>, <r3_65>, or <r3_87>\n",
1f6f0c
                     *kt);
1f6f0c
             return CKR_ARGUMENTS_BAD;
1f6f0c
         }
1f6f0c
-        if (strcasecmp(dilithium_ver, "r2_65") == 0) {
1f6f0c
+        if (strcasecmp(dilithium_ver, "r2_65") == 0 ||
1f6f0c
+            strcasecmp(dilithium_ver, "r2_87") == 0 ||
1f6f0c
+            strcasecmp(dilithium_ver, "r3_44") == 0 ||
1f6f0c
+            strcasecmp(dilithium_ver, "r3_65") == 0 ||
1f6f0c
+            strcasecmp(dilithium_ver, "r3_87") == 0) {
1f6f0c
             break;
1f6f0c
         } else {
1f6f0c
             fprintf(stderr, "IBM Dilithium version [%s] not supported \n", dilithium_ver);
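Review bot: The five-way strcasecmp() chain added here repeats the list that read_dilithium_args already carries, so the accepted names now live in two code paths plus two help texts and the man page. If a later version is added to only one of them, validation and keyform mapping will disagree, and the user gets the misleading "Unexpected case while parsing dilithium version" error after the argument check has already passed. A single table with one lookup helper, used by both check_args_gen_key and read_dilithium_args, removes that risk. check_args_gen_key starts and ends outside this hunk, so the sketch below shows only the shared table, the helper and the changed condition.

```c
/* Single list of accepted versions, used for validation and keyform lookup. */
static const struct {
    const char *name;
    CK_ULONG keyform;
} dilithium_versions[] = {
    { "r2_65", CK_IBM_DILITHIUM_KEYFORM_ROUND2_65 },
    { "r2_87", CK_IBM_DILITHIUM_KEYFORM_ROUND2_87 },
    { "r3_44", CK_IBM_DILITHIUM_KEYFORM_ROUND3_44 },
    { "r3_65", CK_IBM_DILITHIUM_KEYFORM_ROUND3_65 },
    { "r3_87", CK_IBM_DILITHIUM_KEYFORM_ROUND3_87 },
};

/* Returns CKR_OK for a known version; keyform may be NULL for a pure check. */
static CK_RV dilithium_keyform_from_name(const char *ver, CK_ULONG *keyform)
{
    size_t i;

    for (i = 0; i < sizeof(dilithium_versions) / sizeof(dilithium_versions[0]); i++) {
        if (strcasecmp(ver, dilithium_versions[i].name) == 0) {
            if (keyform != NULL)
                *keyform = dilithium_versions[i].keyform;
            return CKR_OK;
        }
    }
    return CKR_ARGUMENTS_BAD;
}

    case kt_IBM_DILITHIUM:
        /* … unchanged: NULL check on dilithium_ver … */
        if (dilithium_keyform_from_name(dilithium_ver, NULL) == CKR_OK) {
            break;
        } else {
```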
1f6f0c
@@ -2450,7 +2489,7 @@ static CK_RV generate_asymmetric_key(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
1f6f0c
     CK_ATTRIBUTE prv_attr[KEY_MAX_BOOL_ATTR_COUNT + 2];
1f6f0c
     CK_ULONG prv_acount = 0;
1f6f0c
     CK_MECHANISM mech;
1f6f0c
-    CK_ULONG i;
1f6f0c
+    CK_ULONG i, keyform;
1f6f0c
     CK_RV rc;
1f6f0c
     const char separator = ':';
1f6f0c
 
1f6f0c
@@ -2475,6 +2514,12 @@ static CK_RV generate_asymmetric_key(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
1f6f0c
         }
1f6f0c
         break;
1f6f0c
     case kt_IBM_DILITHIUM:
1f6f0c
+        rc = read_dilithium_args(dilithium_ver, &keyform,
1f6f0c
+                                 pub_attr, &pub_acount);
1f6f0c
+        if (rc) {
1f6f0c
+            fprintf(stderr, "Error parsing Dilithium parameters!\n");
1f6f0c
+            goto done;
1f6f0c
+        }
1f6f0c
         printf("Generating Dilithium keypair with %s\n", dilithium_ver);
1f6f0c
         break;
1f6f0c
     default:
1f6f0c
-- 
1f6f0c
2.16.2.windows.1
1f6f0c