From d257df88500b3e55156d198ec305042799e2bff9 Mon Sep 17 00:00:00 2001

From: Ingo Franzki <ifranzki@linux.ibm.com>

Date: Tue, 8 Nov 2022 17:03:11 +0100

Subject: [PATCH 31/34] p11sak: Add support for IBM Kyber key type

Support the following Kyber versions to be specified with the

generate-key command: r2_768, r2_1024.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

---

 man/man1/p11sak.1.in                      |  65 ++++++++++++--

 usr/sbin/p11sak/p11sak.c                  | 141 +++++++++++++++++++++++++-----

 usr/sbin/p11sak/p11sak.h                  |   1 +

 usr/sbin/p11sak/p11sak_defined_attrs.conf |   6 +-

 4 files changed, 183 insertions(+), 30 deletions(-)

diff --git a/man/man1/p11sak.1.in b/man/man1/p11sak.1.in

index 6938b203..2b75b117 100644

--- a/man/man1/p11sak.1.in

+++ b/man/man1/p11sak.1.in

@@ -16,7 +16,7 @@ p11sak \- generate and list token keys in an openCryptoki token repository.

 .SH DESCRIPTION

 .B p11sak can be used to generate, list and delete the token keys in an openCryptoki token repository.

-The utility provides a flexible key management tool in openCryptoki to list and generate symmetric (DES; 3DES, AES) and asymetric (RSA, EC) keys.

+The utility provides a flexible key management tool in openCryptoki to list and generate symmetric (DES, 3DES, AES) and asymmetric (RSA, EC, IBM Dilithium, IBM Kyber) keys.

 This tool is especially capable of a well defined listing of keys with their PKCS #11 attributes.

 .

 .

@@ -282,11 +282,54 @@ attribute of the key and

 can be used to set the binary attributes of the key (see below for detailed description of the attributes). 

 .

 .PP

+.SS "Generating IBM Kyber keys"

+.

+.B p11sak

+.BR generate-key | gen-key | gen

+.BR ibm-kyber

+.BR VERSION

+.B \-\-slot

+.IR SLOTID

+.B \-\-pin

+.IR PIN

+.B \-\-label

+.IR LABEL

+.B \-\-attr

+.I [M R L S E D G V W U A X N T]

+.B \-\-help | \-h

+.PP

+Use the

+.B generate-key

+.B ibm-kyber

+.B VERSION

+command and key argument to generate an IBM Kyber key, where

+.I VERSION

+specifies the version of the IBM Kyber keypair. The following arguments can be used for respective keys:

+.B r2_768 | r2_1024

+.PP

+The

+.B \-\-slot

+.IR SLOTID

+and

+.B \-\-pin

+.IR PIN

+options are required to set the token to

+.IR SLOTID

+and the token PIN. The

+.B \-\-label

+option allows the user to set the

+.IR LABEL

+attribute of the key and

+.B \-\-attr

+.I [M R L S E D G V W U A X N T]

+can be used to set the binary attributes of the key (see below for detailed description of the attributes). 

+.

+.PP

 .SS "Listing symmetric and asymmetric keys"

 .

 .B p11sak

 .BR list-key | ls-key | ls

-.BR des | 3des | aes | rsa | ec | ibm-dilithium | public | private | secret | all

+.BR des | 3des | aes | rsa | ec | ibm-dilithium | ibm-kyber | public | private | secret | all

 .B \-\-slot

 .IR SLOTID

 .B \-\-pin

@@ -298,14 +341,14 @@ can be used to set the binary attributes of the key (see below for detailed desc

 .PP

 Use the

 .B list-key | ls-key | ls

-command and key argument to list DES, 3DES, AES, RSA, EC, or IBM Dilithium keys, respectively. Public, private, secret, or all keys can also be listed irrespective of key type.

+command and key argument to list DES, 3DES, AES, RSA, EC, IBM Dilithium, or IBM Kyber keys, respectively. Public, private, secret, or all keys can also be listed irrespective of key type.

 .

 .PP

 .SS "Deleting symmetric and asymmetric keys"

 .

 .B p11sak

 .BR remove-key | rm-key | rm

-.BR des | 3des | aes | rsa | ec | ibm-dilithium

+.BR des | 3des | aes | rsa | ec | ibm-dilithium | ibm-kyber

 .B \-\-slot

 .IR SLOTID

 .B \-\-pin

@@ -317,7 +360,7 @@ command and key argument to list DES, 3DES, AES, RSA, EC, or IBM Dilithium keys,

 .PP

 Use the

 .B remove-key | rm-key | rm

-command and key argument to delete DES, 3DES, AES, RSA, EC, or IBM Dilithium keys, respectively. All specified cipher keys will be prompted to be deleted unless 

+command and key argument to delete DES, 3DES, AES, RSA, EC, IBM Dilithium, or IBM Kyber keys, respectively. All specified cipher keys will be prompted to be deleted unless 

 a specific key with the 

 .B \-\-label

 .IR LABEL

@@ -331,7 +374,7 @@ option.

 .

 .SH ARGS

 .

-.SS "des | 3des | aes | rsa | ec | ibm-dilithium | public | private | secret | all"

+.SS "des | 3des | aes | rsa | ec | ibm-dilithium | ibm-kyber | public | private | secret | all"

 selects the respective symmetric or asymetric key to be generated or listed. The

 .B public|private|secret|all

@@ -378,6 +421,16 @@ to select the IBM dilithium version used to generate the key.

 .

 .

 .

+.SS "r2_768|r2_1024"

+the

+.B ibm-kyber

+argument has to be followed by either of these

+.I VERSION

+to select the IBM kyber version used to generate the key.

+.PP

+.

+.

+.

 .SH OPTIONS

 .SS "\-\-slot SLOTID"

diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c

index 5ceb145b..38564155 100644

--- a/usr/sbin/p11sak/p11sak.c

+++ b/usr/sbin/p11sak/p11sak.c

@@ -130,6 +130,8 @@ static const char* kt2str(p11sak_kt ktype)

         return "EC";

     case kt_IBM_DILITHIUM:

         return "IBM DILITHIUM";

+    case kt_IBM_KYBER:

+        return "IBM KYBER";

     case kt_GENERIC:

         return "GENERIC";

     case kt_SECRET:

@@ -170,6 +172,9 @@ static CK_RV kt2CKK(p11sak_kt ktype, CK_KEY_TYPE *a_key_type)

     case kt_IBM_DILITHIUM:

         *a_key_type = CKK_IBM_PQC_DILITHIUM;

         break; 

+    case kt_IBM_KYBER:

+        *a_key_type = CKK_IBM_PQC_KYBER;

+        break;

     case kt_GENERIC:

         *a_key_type = CKK_GENERIC_SECRET;

         break;

@@ -277,6 +282,8 @@ static const char* CKK2a(CK_KEY_TYPE t)

         return "EC";

     case CKK_IBM_PQC_DILITHIUM:

         return "IBM DILILTHIUM";

+    case CKK_IBM_PQC_KYBER:

+        return "IBM KYBER";

     case CKK_RSA:

         return "RSA";

     case CKK_DH:

@@ -358,6 +365,7 @@ static void print_listkeys_help(void)

     printf("      rsa\n");

     printf("      ec\n");

     printf("      ibm-dilithium\n");

+    printf("      ibm-kyber\n");

     printf("      public\n");

     printf("      private\n");

     printf("      secret\n");

@@ -388,6 +396,7 @@ static void print_gen_help(void)

     printf("          brainpoolP512r1 | brainpoolP512t1 | curve25519 | curve448 | ed25519 | \n");

     printf("          ed448]\n");

     printf("      ibm-dilithium [r2_65 | r2_87 | r3_44 | r3_65 | r3_87]\n");

+    printf("      ibm-kyber [r2_768 | r2_1024]\n");

     printf("\n Options:\n");

     printf(

             "      --slot SLOTID                           openCryptoki repository token SLOTID.\n");

@@ -415,6 +424,7 @@ static void print_removekeys_help(void)

     printf("      rsa\n");

     printf("      ec\n");

     printf("      ibm-dilithium\n");

+    printf("      ibm-kyber\n");

     printf("\n Options:\n");

     printf(

             "      --slot SLOTID                           openCryptoki repository token SLOTID.\n");

@@ -545,6 +555,25 @@ static void print_gen_ibm_dilithium_help(void)

     printf("      -h, --help                              Show this help\n\n");

 }

+static void print_gen_ibm_kyber_help(void)

+{

+    printf("\n Usage: p11sak generate-key ibm-kyber [ARGS] [OPTIONS]\n");

+    printf("\n Args:\n");

+    printf("      r2_768\n");

+    printf("      r2_1024\n");

+    printf("\n Options:\n");

+    printf("      --slot SLOTID                           openCryptoki repository token SLOTID.\n");

+    printf("      --pin PIN                               pkcs11 user PIN\n");

+    printf("      --force-pin-prompt                      enforce user PIN prompt\n");

+    printf("      --label LABEL                           key label LABEL to be listed\n");

+    printf("      --label PUB_LABEL:PRIV_LABEL\n");

+    printf("              for asymmetric keys: set individual labels for public and private key\n");

+    printf("      --attr [M R L S E D G V W U A X N]      set key attributes\n");

+    printf("      --attr [[pub_attrs]:[priv_attrs]] \n");

+    printf("             for asymmetric keys: set individual key attributes, values see above\n");

+    printf("      -h, --help                              Show this help\n\n");

+}

+

 /**

  * Print help for generate-key command

  */

@@ -572,6 +601,9 @@ static CK_RV print_gen_keys_help(p11sak_kt *kt)

     case kt_IBM_DILITHIUM:

         print_gen_ibm_dilithium_help();

         break;

+    case kt_IBM_KYBER:

+        print_gen_ibm_kyber_help();

+        break;

     case no_key_type:

         print_gen_help();

         break;

@@ -797,6 +829,29 @@ static CK_RV read_dilithium_args(const char *dilithium_ver, CK_ULONG *keyform,

     return CKR_OK;

 }

+/**

+ * Builds the CKA_IBM_KYBER_KEYFORM attribute from the given version.

+ */

+static CK_RV read_kyber_args(const char *kyber_ver, CK_ULONG *keyform,

+                             CK_ATTRIBUTE *pubattr, CK_ULONG *pubcount)

+{

+    if (strcasecmp(kyber_ver, "r2_768") == 0) {

+        *keyform = CK_IBM_KYBER_KEYFORM_ROUND2_768;

+    } else if (strcasecmp(kyber_ver, "r2_1024") == 0) {

+        *keyform = CK_IBM_KYBER_KEYFORM_ROUND2_1024;

+    } else {

+        fprintf(stderr, "Unexpected case while parsing kyber version.\n");

+        fprintf(stderr, "Note: not all tokens support all versions.\n");

+        return CKR_ARGUMENTS_BAD;

+    }

+

+    pubattr[*pubcount].type = CKA_IBM_KYBER_KEYFORM;

+    pubattr[*pubcount].ulValueLen = sizeof(CK_ULONG);

+    pubattr[*pubcount].pValue = keyform;

+    (*pubcount)++;

+

+    return CKR_OK;

+}

 /**

  * Builds two CKA_LABEL attributes from given label.

  */

@@ -860,6 +915,9 @@ static CK_RV key_pair_gen_mech(p11sak_kt kt, CK_MECHANISM *pmech)

     case kt_IBM_DILITHIUM:

         pmech->mechanism = CKM_IBM_DILITHIUM;

         break;

+    case kt_IBM_KYBER:

+        pmech->mechanism = CKM_IBM_KYBER;

+        break;

     default:

         return CKR_MECHANISM_INVALID;

         break;

@@ -1131,6 +1189,8 @@ static CK_RV key_pair_gen(CK_SESSION_HANDLE session, CK_SLOT_ID slot,

             fprintf(stderr, "Key pair generation rejected by policy\n");

         else if (kt == kt_IBM_DILITHIUM && rc == CKR_KEY_SIZE_RANGE)

             fprintf(stderr, "IBM Dilithum version is not supported\n");

+        else if (kt == kt_IBM_KYBER && rc == CKR_KEY_SIZE_RANGE)

+            fprintf(stderr, "IBM Kyber version is not supported\n");

         else

             fprintf(stderr, "Key pair generation failed (error code 0x%lX: %s)\n", rc,

                     p11_get_ckr(rc));

@@ -1191,6 +1251,7 @@ static CK_RV tok_key_list_init(CK_SESSION_HANDLE session, p11sak_kt kt,

     case kt_RSAPKCS:

     case kt_EC:

     case kt_IBM_DILITHIUM:

+    case kt_IBM_KYBER:

         tmplt[count].type = CKA_KEY_TYPE;

         tmplt[count].pValue = &a_key_type;

         tmplt[count].ulValueLen = sizeof(CK_KEY_TYPE);

@@ -1871,27 +1932,42 @@ static CK_RV tok_key_get_key_type(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE hk

  * Check args for gen_key command.

  */

 static CK_RV check_args_gen_key(p11sak_kt *kt, CK_ULONG keylength,

-                                char *ECcurve, char *dilithium_ver)

+                                char *ECcurve, char *pqc_ver)

 {

     switch (*kt) {

     case kt_DES:

     case kt_3DES:

         break;

     case kt_IBM_DILITHIUM:

-        if (dilithium_ver == NULL) {

+        if (pqc_ver == NULL) {

             fprintf(stderr,

                     "Cipher key type [%d] supported but Dilithium version not set in arguments. Try adding argument <r2_65>, <r2_87>, <r3_44>, <r3_65>, or <r3_87>\n",

                     *kt);

             return CKR_ARGUMENTS_BAD;

         }

-        if (strcasecmp(dilithium_ver, "r2_65") == 0 ||

-            strcasecmp(dilithium_ver, "r2_87") == 0 ||

-            strcasecmp(dilithium_ver, "r3_44") == 0 ||

-            strcasecmp(dilithium_ver, "r3_65") == 0 ||

-            strcasecmp(dilithium_ver, "r3_87") == 0) {

+        if (strcasecmp(pqc_ver, "r2_65") == 0 ||

+            strcasecmp(pqc_ver, "r2_87") == 0 ||

+            strcasecmp(pqc_ver, "r3_44") == 0 ||

+            strcasecmp(pqc_ver, "r3_65") == 0 ||

+            strcasecmp(pqc_ver, "r3_87") == 0) {

             break;

         } else {

-            fprintf(stderr, "IBM Dilithium version [%s] not supported \n", dilithium_ver);

+            fprintf(stderr, "IBM Dilithium version [%s] not supported \n", pqc_ver);

+            return CKR_ARGUMENTS_BAD;

+        }

+        break;

+    case kt_IBM_KYBER:

+        if (pqc_ver == NULL) {

+            fprintf(stderr,

+                    "Cipher key type [%d] supported but Kyber version not set in arguments. Try adding argument <r2_1024> or <r2_1024>\n",

+                    *kt);

+            return CKR_ARGUMENTS_BAD;

+        }

+        if (strcasecmp(pqc_ver, "r2_768") == 0 ||

+            strcasecmp(pqc_ver, "r2_1024") == 0) {

+            break;

+        } else {

+            fprintf(stderr, "IBM Kyber version [%s] not supported \n", pqc_ver);

             return CKR_ARGUMENTS_BAD;

         }

         break;

@@ -1947,6 +2023,7 @@ static CK_RV check_args_list_key(p11sak_kt *kt)

     case kt_3DES:

     case kt_EC:

     case kt_IBM_DILITHIUM:

+    case kt_IBM_KYBER:

     case kt_GENERIC:

     case kt_SECRET:

     case kt_PUBLIC:

@@ -1973,6 +2050,7 @@ static CK_RV check_args_remove_key(p11sak_kt *kt)

     case kt_RSAPKCS:

     case kt_EC:

     case kt_IBM_DILITHIUM:

+    case kt_IBM_KYBER:

     case kt_GENERIC:

     case kt_SECRET:

     case kt_PUBLIC:

@@ -2069,6 +2147,8 @@ static CK_RV parse_list_key_args(char *argv[], int argc, p11sak_kt *kt,

             *kt = kt_EC;

         } else if (strcasecmp(argv[i], "ibm-dilithium") == 0) {

             *kt = kt_IBM_DILITHIUM;

+        } else if (strcasecmp(argv[i], "ibm-kyber") == 0) {

+            *kt = kt_IBM_KYBER;

         } else if (strcasecmp(argv[i], "generic") == 0) {

             *kt = kt_GENERIC;

         } else if (strcasecmp(argv[i], "secret") == 0) {

@@ -2158,7 +2238,7 @@ static CK_RV parse_gen_key_args(char *argv[], int argc, p11sak_kt *kt,

                                 CK_ULONG *keylength, char **ECcurve,

                                 CK_SLOT_ID *slot, const char **pin,

                                 CK_ULONG *exponent, char **label,

-                                char **attr_string, char **dilithium_ver,

+                                char **attr_string, char **pqc_ver,

                                 int *force_pin_prompt)

 {

     CK_RV rc;

@@ -2190,7 +2270,11 @@ static CK_RV parse_gen_key_args(char *argv[], int argc, p11sak_kt *kt,

             i++;

         } else if (strcasecmp(argv[i], "ibm-dilithium") == 0) {

             *kt = kt_IBM_DILITHIUM;

-            *dilithium_ver = get_string_arg(i + 1, argv, argc);

+            *pqc_ver = get_string_arg(i + 1, argv, argc);

+            i++;

+        } else if (strcasecmp(argv[i], "ibm-kyber") == 0) {

+            *kt = kt_IBM_KYBER;

+            *pqc_ver = get_string_arg(i + 1, argv, argc);

             i++;

             /* Get options */

         } else if (strcmp(argv[i], "--slot") == 0) {

@@ -2281,7 +2365,7 @@ static CK_RV parse_gen_key_args(char *argv[], int argc, p11sak_kt *kt,

     }

     /* Check args */

-    rc = check_args_gen_key(kt, *keylength, *ECcurve, *dilithium_ver);

+    rc = check_args_gen_key(kt, *keylength, *ECcurve, *pqc_ver);

     /* Check required options */

     if (*label == NULL) {

@@ -2331,6 +2415,8 @@ static CK_RV parse_remove_key_args(char *argv[], int argc, p11sak_kt *kt,

             *kt = kt_EC;

         } else if (strcasecmp(argv[i], "ibm-dilithium") == 0) {

             *kt = kt_IBM_DILITHIUM;

+        } else if (strcasecmp(argv[i], "ibm-kyber") == 0) {

+            *kt = kt_IBM_KYBER;

             /* Get options */

         } else if (strcmp(argv[i], "--slot") == 0) {

             if (i + 1 < argc) {

@@ -2415,7 +2501,7 @@ static CK_RV parse_cmd_args(p11sak_cmd cmd, char *argv[], int argc,

                             CK_SLOT_ID *slot, const char **pin,

                             CK_ULONG *exponent, char **label,

                             char **attr_string, int *long_print, int *full_uri,

-                            CK_BBOOL *forceAll, char **dilithium_ver,

+                            CK_BBOOL *forceAll, char **pqc_ver,

                             int *force_pin_prompt)

 {

     CK_RV rc;

@@ -2423,7 +2509,7 @@ static CK_RV parse_cmd_args(p11sak_cmd cmd, char *argv[], int argc,

     switch (cmd) {

     case gen_key:

         rc = parse_gen_key_args(argv, argc, kt, keylength, ECcurve, slot, pin,

-                exponent, label, attr_string, dilithium_ver, force_pin_prompt);

+                exponent, label, attr_string, pqc_ver, force_pin_prompt);

         break;

     case list_key:

         rc = parse_list_key_args(argv, argc, kt, keylength, slot, pin,

@@ -2481,7 +2567,7 @@ done:

 static CK_RV generate_asymmetric_key(CK_SESSION_HANDLE session, CK_SLOT_ID slot,

                                      p11sak_kt kt, CK_ULONG keylength,

                                      CK_ULONG exponent, char *ECcurve,

-                                     char *label, char *attr_string, char *dilithium_ver)

+                                     char *label, char *attr_string, char *pqc_ver)

 {

     CK_OBJECT_HANDLE pub_keyh, prv_keyh;

     CK_ATTRIBUTE pub_attr[KEY_MAX_BOOL_ATTR_COUNT + 2];

@@ -2514,13 +2600,21 @@ static CK_RV generate_asymmetric_key(CK_SESSION_HANDLE session, CK_SLOT_ID slot,

         }

         break;

     case kt_IBM_DILITHIUM:

-        rc = read_dilithium_args(dilithium_ver, &keyform,

+        rc = read_dilithium_args(pqc_ver, &keyform,

                                  pub_attr, &pub_acount);

         if (rc) {

             fprintf(stderr, "Error parsing Dilithium parameters!\n");

             goto done;

         }

-        printf("Generating Dilithium keypair with %s\n", dilithium_ver);

+        printf("Generating Dilithium keypair with %s\n", pqc_ver);

+        break;

+    case kt_IBM_KYBER:

+        rc = read_kyber_args(pqc_ver, &keyform, pub_attr, &pub_acount);

+        if (rc) {

+            fprintf(stderr, "Error parsing Kyber parameters!\n");

+            goto done;

+        }

+        printf("Generating Kyber keypair with %s\n", pqc_ver);

         break;

     default:

         fprintf(stderr, "The key type %d is not yet supported.\n", kt);

@@ -2626,7 +2720,7 @@ done:

 static CK_RV generate_ckey(CK_SESSION_HANDLE session, CK_SLOT_ID slot,

                            p11sak_kt kt, CK_ULONG keylength, char *ECcurve,

                            CK_ULONG exponent, char *label, char *attr_string,

-                           char *dilithium_ver)

+                           char *pqc_ver)

 {

     switch (kt) {

     case kt_DES:

@@ -2637,8 +2731,9 @@ static CK_RV generate_ckey(CK_SESSION_HANDLE session, CK_SLOT_ID slot,

     case kt_RSAPKCS:

     case kt_EC:

     case kt_IBM_DILITHIUM:

+    case kt_IBM_KYBER:

         return generate_asymmetric_key(session, slot, kt, keylength, exponent,

-                ECcurve, label, attr_string, dilithium_ver);

+                ECcurve, label, attr_string, pqc_ver);

     default:

         fprintf(stderr, "Error: cannot create a key of type %i (%s)\n", kt, kt2str(kt));

         return CKR_ARGUMENTS_BAD;

@@ -3030,13 +3125,13 @@ static CK_RV execute_cmd(CK_SESSION_HANDLE session, CK_SLOT_ID slot,

                          p11sak_cmd cmd, p11sak_kt kt, CK_ULONG keylength,

                          CK_ULONG exponent, char *ECcurve, char *label,

                          char *attr_string, int long_print, int full_uri,

-                         CK_BBOOL *forceAll, char *dilithium_ver)

+                         CK_BBOOL *forceAll, char *pqc_ver)

 {

     CK_RV rc;

     switch (cmd) {

     case gen_key:

         rc = generate_ckey(session, slot, kt, keylength, ECcurve, exponent,

-                label, attr_string, dilithium_ver);

+                label, attr_string, pqc_ver);

         break;

     case list_key:

         rc = list_ckey(session, slot, kt, long_print, label, full_uri);

@@ -3177,7 +3272,7 @@ int main(int argc, char *argv[])

     char *ECcurve = NULL;

     char *attr_string = NULL;

     CK_ULONG keylength = 0;

-    char *dilithium_ver = NULL;

+    char *pqc_ver = NULL;

     CK_RV rc = CKR_OK;

     CK_SESSION_HANDLE session;

     const char *pin = NULL;

@@ -3203,7 +3298,7 @@ int main(int argc, char *argv[])

     /* Parse command args */

     rc = parse_cmd_args(cmd, argv, argc, &kt, &keylength, &ECcurve, &slot, &pin,

             &exponent, &label, &attr_string, &long_print, &full_uri, &forceAll,

-            &dilithium_ver, &force_pin_prompt);

+            &pqc_ver, &force_pin_prompt);

     if (rc != CKR_OK) {

         goto done;

     }

@@ -3240,7 +3335,7 @@ int main(int argc, char *argv[])

     /* Execute command */

     rc = execute_cmd(session, slot, cmd, kt, keylength, exponent, ECcurve,

-            label, attr_string, long_print, full_uri, &forceAll, dilithium_ver);

+            label, attr_string, long_print, full_uri, &forceAll, pqc_ver);

     if (rc == CKR_CANCEL) {

         fprintf(stderr, "Cancel execution: p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,

                 p11_get_ckr(rc));

diff --git a/usr/sbin/p11sak/p11sak.h b/usr/sbin/p11sak/p11sak.h

index 2b7e9c64..9d5a461a 100644

--- a/usr/sbin/p11sak/p11sak.h

+++ b/usr/sbin/p11sak/p11sak.h

@@ -25,6 +25,7 @@ typedef enum {

     kt_RSAPKCS,

     kt_EC,

     kt_IBM_DILITHIUM,

+    kt_IBM_KYBER,

     kt_GENERIC,

     kt_SECRET,

     kt_PUBLIC,

diff --git a/usr/sbin/p11sak/p11sak_defined_attrs.conf b/usr/sbin/p11sak/p11sak_defined_attrs.conf

index 520d28d5..53080ef5 100644

--- a/usr/sbin/p11sak/p11sak_defined_attrs.conf

+++ b/usr/sbin/p11sak/p11sak_defined_attrs.conf

@@ -33,10 +33,14 @@ attribute {

    id = 0x00000120

    type = CK_BYTE

 }

-

 attribute {

    name = CKA_IBM_DILITHIUM_KEYFORM

    id = 0x800d0001

    type = CK_ULONG

 }

+attribute {

+   name = CKA_IBM_KYBER_KEYFORM

+   id = 0x800d0009

+   type = CK_ULONG

+}

-- 

2.16.2.windows.1