|
 |
253609 |
From 3f8b4270a7601b42f15f13f54b9b5fc207a14723 Mon Sep 17 00:00:00 2001
|
|
|
253609 |
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
253609 |
Date: Tue, 8 Nov 2022 16:46:26 +0100
|
|
|
253609 |
Subject: [PATCH 30/34] p11sak: Support additional Dilithium variants
|
|
|
253609 |
|
|
|
253609 |
Support the following Dilithium versions to be specified with the
|
|
|
253609 |
generate-key command: r2_65 (as of today), r2_87, r3_44, r3_65, r3_87.
|
|
|
253609 |
|
|
|
253609 |
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
253609 |
---
|
|
|
253609 |
man/man1/p11sak.1.in | 12 ++++++++++-
|
|
|
253609 |
usr/sbin/p11sak/p11sak.c | 53 ++++++++++++++++++++++++++++++++++++++++++++----
|
|
|
253609 |
2 files changed, 60 insertions(+), 5 deletions(-)
|
|
|
253609 |
|
|
|
253609 |
diff --git a/man/man1/p11sak.1.in b/man/man1/p11sak.1.in
|
|
|
253609 |
index a2c2b879..6938b203 100644
|
|
|
253609 |
--- a/man/man1/p11sak.1.in
|
|
|
253609 |
+++ b/man/man1/p11sak.1.in
|
|
|
253609 |
@@ -262,7 +262,7 @@ Use the
|
|
|
253609 |
command and key argument to generate an IBM Dilithium key, where
|
|
|
253609 |
.I VERSION
|
|
|
253609 |
specifies the version of the IBM Dilithium keypair. The following arguments can be used for respective keys:
|
|
|
253609 |
-.B r2_65
|
|
|
253609 |
+.B r2_65 | r2_87 | r3_44 | r3_65 | r3_87
|
|
|
253609 |
.PP
|
|
|
253609 |
The
|
|
|
253609 |
.B \-\-slot
|
|
|
253609 |
@@ -368,6 +368,16 @@ to select the EC curve used to generate the key.
|
|
|
253609 |
.
|
|
|
253609 |
.
|
|
|
253609 |
|
|
|
253609 |
+.SS "r2_6|r2_87|r3_44|r3_65|r3_875"
|
|
|
253609 |
+the
|
|
|
253609 |
+.B ibm-dilithium
|
|
|
253609 |
+argument has to be followed by either of these
|
|
|
253609 |
+.I VERSION
|
|
|
253609 |
+to select the IBM dilithium version used to generate the key.
|
|
|
253609 |
+.PP
|
|
|
253609 |
+.
|
|
|
253609 |
+.
|
|
|
253609 |
+.
|
|
|
253609 |
.SH OPTIONS
|
|
|
253609 |
|
|
|
253609 |
.SS "\-\-slot SLOTID"
|
|
|
253609 |
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
|
|
|
253609 |
index 8cfcb21d..5ceb145b 100644
|
|
|
253609 |
--- a/usr/sbin/p11sak/p11sak.c
|
|
|
253609 |
+++ b/usr/sbin/p11sak/p11sak.c
|
|
|
253609 |
@@ -387,7 +387,7 @@ static void print_gen_help(void)
|
|
|
253609 |
printf(" brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 | \n");
|
|
|
253609 |
printf(" brainpoolP512r1 | brainpoolP512t1 | curve25519 | curve448 | ed25519 | \n");
|
|
|
253609 |
printf(" ed448]\n");
|
|
|
253609 |
- printf(" ibm-dilithium [r2_65]\n");
|
|
|
253609 |
+ printf(" ibm-dilithium [r2_65 | r2_87 | r3_44 | r3_65 | r3_87]\n");
|
|
|
253609 |
printf("\n Options:\n");
|
|
|
253609 |
printf(
|
|
|
253609 |
" --slot SLOTID openCryptoki repository token SLOTID.\n");
|
|
|
253609 |
@@ -526,6 +526,10 @@ static void print_gen_ibm_dilithium_help(void)
|
|
|
253609 |
printf("\n Usage: p11sak generate-key ibm-dilithium [ARGS] [OPTIONS]\n");
|
|
|
253609 |
printf("\n Args:\n");
|
|
|
253609 |
printf(" r2_65\n");
|
|
|
253609 |
+ printf(" r2_87\n");
|
|
|
253609 |
+ printf(" r3_44\n");
|
|
|
253609 |
+ printf(" r3_65\n");
|
|
|
253609 |
+ printf(" r3_87\n");
|
|
|
253609 |
printf("\n Options:\n");
|
|
|
253609 |
printf(
|
|
|
253609 |
" --slot SLOTID openCryptoki repository token SLOTID.\n");
|
|
|
253609 |
@@ -764,6 +768,35 @@ static CK_RV read_ec_args(const char *ECcurve, CK_ATTRIBUTE *pubattr,
|
|
|
253609 |
|
|
|
253609 |
return CKR_OK;
|
|
|
253609 |
}
|
|
|
253609 |
+/**
|
|
|
253609 |
+ * Builds the CKA_IBM_DILITHIUM_KEYFORM attribute from the given version.
|
|
|
253609 |
+ */
|
|
|
253609 |
+static CK_RV read_dilithium_args(const char *dilithium_ver, CK_ULONG *keyform,
|
|
|
253609 |
+ CK_ATTRIBUTE *pubattr, CK_ULONG *pubcount)
|
|
|
253609 |
+{
|
|
|
253609 |
+ if (strcasecmp(dilithium_ver, "r2_65") == 0) {
|
|
|
253609 |
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND2_65;
|
|
|
253609 |
+ } else if (strcasecmp(dilithium_ver, "r2_87") == 0) {
|
|
|
253609 |
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND2_87;
|
|
|
253609 |
+ } else if (strcasecmp(dilithium_ver, "r3_44") == 0) {
|
|
|
253609 |
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_44;
|
|
|
253609 |
+ } else if (strcasecmp(dilithium_ver, "r3_65") == 0) {
|
|
|
253609 |
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_65;
|
|
|
253609 |
+ } else if (strcasecmp(dilithium_ver, "r3_87") == 0) {
|
|
|
253609 |
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_87;
|
|
|
253609 |
+ } else {
|
|
|
253609 |
+ fprintf(stderr, "Unexpected case while parsing dilithium version.\n");
|
|
|
253609 |
+ fprintf(stderr, "Note: not all tokens support all versions.\n");
|
|
|
253609 |
+ return CKR_ARGUMENTS_BAD;
|
|
|
253609 |
+ }
|
|
|
253609 |
+
|
|
|
253609 |
+ pubattr[*pubcount].type = CKA_IBM_DILITHIUM_KEYFORM;
|
|
|
253609 |
+ pubattr[*pubcount].ulValueLen = sizeof(CK_ULONG);
|
|
|
253609 |
+ pubattr[*pubcount].pValue = keyform;
|
|
|
253609 |
+ (*pubcount)++;
|
|
|
253609 |
+
|
|
|
253609 |
+ return CKR_OK;
|
|
|
253609 |
+}
|
|
|
253609 |
/**
|
|
|
253609 |
* Builds two CKA_LABEL attributes from given label.
|
|
|
253609 |
*/
|
|
|
253609 |
@@ -1096,6 +1129,8 @@ static CK_RV key_pair_gen(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
|
|
|
253609 |
if (rc != CKR_OK) {
|
|
|
253609 |
if (is_rejected_by_policy(rc, session))
|
|
|
253609 |
fprintf(stderr, "Key pair generation rejected by policy\n");
|
|
|
253609 |
+ else if (kt == kt_IBM_DILITHIUM && rc == CKR_KEY_SIZE_RANGE)
|
|
|
253609 |
+ fprintf(stderr, "IBM Dilithum version is not supported\n");
|
|
|
253609 |
else
|
|
|
253609 |
fprintf(stderr, "Key pair generation failed (error code 0x%lX: %s)\n", rc,
|
|
|
253609 |
p11_get_ckr(rc));
|
|
|
253609 |
@@ -1845,11 +1880,15 @@ static CK_RV check_args_gen_key(p11sak_kt *kt, CK_ULONG keylength,
|
|
|
253609 |
case kt_IBM_DILITHIUM:
|
|
|
253609 |
if (dilithium_ver == NULL) {
|
|
|
253609 |
fprintf(stderr,
|
|
|
253609 |
- "Cipher key type [%d] supported but Dilithium version not set in arguments. Try adding argument <r2_65>\n",
|
|
|
253609 |
+ "Cipher key type [%d] supported but Dilithium version not set in arguments. Try adding argument <r2_65>, <r2_87>, <r3_44>, <r3_65>, or <r3_87>\n",
|
|
|
253609 |
*kt);
|
|
|
253609 |
return CKR_ARGUMENTS_BAD;
|
|
|
253609 |
}
|
|
|
253609 |
- if (strcasecmp(dilithium_ver, "r2_65") == 0) {
|
|
|
253609 |
+ if (strcasecmp(dilithium_ver, "r2_65") == 0 ||
|
|
|
253609 |
+ strcasecmp(dilithium_ver, "r2_87") == 0 ||
|
|
|
253609 |
+ strcasecmp(dilithium_ver, "r3_44") == 0 ||
|
|
|
253609 |
+ strcasecmp(dilithium_ver, "r3_65") == 0 ||
|
|
|
253609 |
+ strcasecmp(dilithium_ver, "r3_87") == 0) {
|
|
|
253609 |
break;
|
|
|
253609 |
} else {
|
|
|
253609 |
fprintf(stderr, "IBM Dilithium version [%s] not supported \n", dilithium_ver);
|
|
|
253609 |
@@ -2450,7 +2489,7 @@ static CK_RV generate_asymmetric_key(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
|
|
|
253609 |
CK_ATTRIBUTE prv_attr[KEY_MAX_BOOL_ATTR_COUNT + 2];
|
|
|
253609 |
CK_ULONG prv_acount = 0;
|
|
|
253609 |
CK_MECHANISM mech;
|
|
|
253609 |
- CK_ULONG i;
|
|
|
253609 |
+ CK_ULONG i, keyform;
|
|
|
253609 |
CK_RV rc;
|
|
|
253609 |
const char separator = ':';
|
|
|
253609 |
|
|
|
253609 |
@@ -2475,6 +2514,12 @@ static CK_RV generate_asymmetric_key(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
|
|
|
253609 |
}
|
|
|
253609 |
break;
|
|
|
253609 |
case kt_IBM_DILITHIUM:
|
|
|
253609 |
+ rc = read_dilithium_args(dilithium_ver, &keyform,
|
|
|
253609 |
+ pub_attr, &pub_acount);
|
|
|
253609 |
+ if (rc) {
|
|
|
253609 |
+ fprintf(stderr, "Error parsing Dilithium parameters!\n");
|
|
|
253609 |
+ goto done;
|
|
|
253609 |
+ }
|
|
|
253609 |
printf("Generating Dilithium keypair with %s\n", dilithium_ver);
|
|
|
253609 |
break;
|
|
|
253609 |
default:
|
|
|
253609 |
--
|
|
|
253609 |
2.16.2.windows.1
|
|
|
253609 |
|