forked from pool/openCryptoki
f41ca9bf97
- Added patch for compile errors * ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch - Changed spec file to use %autosetup instead of %setup. - Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the following patches: * ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch * ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch * ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch * ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch * ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch * ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch * ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch * ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch * ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch * ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch * ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch * ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch * ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch * ocki-3.19.0-0014-EP11-Add-new-control-points.patch * ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch * ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch * ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch * ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch * ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch * ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch * ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch * ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch * ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch * ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch * ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch * ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch * ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch * ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch * ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch * ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch * ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch * ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch * ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch * ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch OBS-URL: https://build.opensuse.org/request/show/1063652 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=128
157 lines
6.2 KiB
Diff
157 lines
6.2 KiB
Diff
From 3f8b4270a7601b42f15f13f54b9b5fc207a14723 Mon Sep 17 00:00:00 2001
|
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Date: Tue, 8 Nov 2022 16:46:26 +0100
|
|
Subject: [PATCH 30/34] p11sak: Support additional Dilithium variants
|
|
|
|
Support the following Dilithium versions to be specified with the
|
|
generate-key command: r2_65 (as of today), r2_87, r3_44, r3_65, r3_87.
|
|
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
---
|
|
man/man1/p11sak.1.in | 12 ++++++++++-
|
|
usr/sbin/p11sak/p11sak.c | 53 ++++++++++++++++++++++++++++++++++++++++++++----
|
|
2 files changed, 60 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/man/man1/p11sak.1.in b/man/man1/p11sak.1.in
|
|
index a2c2b879..6938b203 100644
|
|
--- a/man/man1/p11sak.1.in
|
|
+++ b/man/man1/p11sak.1.in
|
|
@@ -262,7 +262,7 @@ Use the
|
|
command and key argument to generate an IBM Dilithium key, where
|
|
.I VERSION
|
|
specifies the version of the IBM Dilithium keypair. The following arguments can be used for respective keys:
|
|
-.B r2_65
|
|
+.B r2_65 | r2_87 | r3_44 | r3_65 | r3_87
|
|
.PP
|
|
The
|
|
.B \-\-slot
|
|
@@ -368,6 +368,16 @@ to select the EC curve used to generate the key.
|
|
.
|
|
.
|
|
|
|
+.SS "r2_6|r2_87|r3_44|r3_65|r3_875"
|
|
+the
|
|
+.B ibm-dilithium
|
|
+argument has to be followed by either of these
|
|
+.I VERSION
|
|
+to select the IBM dilithium version used to generate the key.
|
|
+.PP
|
|
+.
|
|
+.
|
|
+.
|
|
.SH OPTIONS
|
|
|
|
.SS "\-\-slot SLOTID"
|
|
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
|
|
index 8cfcb21d..5ceb145b 100644
|
|
--- a/usr/sbin/p11sak/p11sak.c
|
|
+++ b/usr/sbin/p11sak/p11sak.c
|
|
@@ -387,7 +387,7 @@ static void print_gen_help(void)
|
|
printf(" brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 | \n");
|
|
printf(" brainpoolP512r1 | brainpoolP512t1 | curve25519 | curve448 | ed25519 | \n");
|
|
printf(" ed448]\n");
|
|
- printf(" ibm-dilithium [r2_65]\n");
|
|
+ printf(" ibm-dilithium [r2_65 | r2_87 | r3_44 | r3_65 | r3_87]\n");
|
|
printf("\n Options:\n");
|
|
printf(
|
|
" --slot SLOTID openCryptoki repository token SLOTID.\n");
|
|
@@ -526,6 +526,10 @@ static void print_gen_ibm_dilithium_help(void)
|
|
printf("\n Usage: p11sak generate-key ibm-dilithium [ARGS] [OPTIONS]\n");
|
|
printf("\n Args:\n");
|
|
printf(" r2_65\n");
|
|
+ printf(" r2_87\n");
|
|
+ printf(" r3_44\n");
|
|
+ printf(" r3_65\n");
|
|
+ printf(" r3_87\n");
|
|
printf("\n Options:\n");
|
|
printf(
|
|
" --slot SLOTID openCryptoki repository token SLOTID.\n");
|
|
@@ -764,6 +768,35 @@ static CK_RV read_ec_args(const char *ECcurve, CK_ATTRIBUTE *pubattr,
|
|
|
|
return CKR_OK;
|
|
}
|
|
+/**
|
|
+ * Builds the CKA_IBM_DILITHIUM_KEYFORM attribute from the given version.
|
|
+ */
|
|
+static CK_RV read_dilithium_args(const char *dilithium_ver, CK_ULONG *keyform,
|
|
+ CK_ATTRIBUTE *pubattr, CK_ULONG *pubcount)
|
|
+{
|
|
+ if (strcasecmp(dilithium_ver, "r2_65") == 0) {
|
|
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND2_65;
|
|
+ } else if (strcasecmp(dilithium_ver, "r2_87") == 0) {
|
|
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND2_87;
|
|
+ } else if (strcasecmp(dilithium_ver, "r3_44") == 0) {
|
|
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_44;
|
|
+ } else if (strcasecmp(dilithium_ver, "r3_65") == 0) {
|
|
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_65;
|
|
+ } else if (strcasecmp(dilithium_ver, "r3_87") == 0) {
|
|
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_87;
|
|
+ } else {
|
|
+ fprintf(stderr, "Unexpected case while parsing dilithium version.\n");
|
|
+ fprintf(stderr, "Note: not all tokens support all versions.\n");
|
|
+ return CKR_ARGUMENTS_BAD;
|
|
+ }
|
|
+
|
|
+ pubattr[*pubcount].type = CKA_IBM_DILITHIUM_KEYFORM;
|
|
+ pubattr[*pubcount].ulValueLen = sizeof(CK_ULONG);
|
|
+ pubattr[*pubcount].pValue = keyform;
|
|
+ (*pubcount)++;
|
|
+
|
|
+ return CKR_OK;
|
|
+}
|
|
/**
|
|
* Builds two CKA_LABEL attributes from given label.
|
|
*/
|
|
@@ -1096,6 +1129,8 @@ static CK_RV key_pair_gen(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
|
|
if (rc != CKR_OK) {
|
|
if (is_rejected_by_policy(rc, session))
|
|
fprintf(stderr, "Key pair generation rejected by policy\n");
|
|
+ else if (kt == kt_IBM_DILITHIUM && rc == CKR_KEY_SIZE_RANGE)
|
|
+ fprintf(stderr, "IBM Dilithum version is not supported\n");
|
|
else
|
|
fprintf(stderr, "Key pair generation failed (error code 0x%lX: %s)\n", rc,
|
|
p11_get_ckr(rc));
|
|
@@ -1845,11 +1880,15 @@ static CK_RV check_args_gen_key(p11sak_kt *kt, CK_ULONG keylength,
|
|
case kt_IBM_DILITHIUM:
|
|
if (dilithium_ver == NULL) {
|
|
fprintf(stderr,
|
|
- "Cipher key type [%d] supported but Dilithium version not set in arguments. Try adding argument <r2_65>\n",
|
|
+ "Cipher key type [%d] supported but Dilithium version not set in arguments. Try adding argument <r2_65>, <r2_87>, <r3_44>, <r3_65>, or <r3_87>\n",
|
|
*kt);
|
|
return CKR_ARGUMENTS_BAD;
|
|
}
|
|
- if (strcasecmp(dilithium_ver, "r2_65") == 0) {
|
|
+ if (strcasecmp(dilithium_ver, "r2_65") == 0 ||
|
|
+ strcasecmp(dilithium_ver, "r2_87") == 0 ||
|
|
+ strcasecmp(dilithium_ver, "r3_44") == 0 ||
|
|
+ strcasecmp(dilithium_ver, "r3_65") == 0 ||
|
|
+ strcasecmp(dilithium_ver, "r3_87") == 0) {
|
|
break;
|
|
} else {
|
|
fprintf(stderr, "IBM Dilithium version [%s] not supported \n", dilithium_ver);
|
|
@@ -2450,7 +2489,7 @@ static CK_RV generate_asymmetric_key(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
|
|
CK_ATTRIBUTE prv_attr[KEY_MAX_BOOL_ATTR_COUNT + 2];
|
|
CK_ULONG prv_acount = 0;
|
|
CK_MECHANISM mech;
|
|
- CK_ULONG i;
|
|
+ CK_ULONG i, keyform;
|
|
CK_RV rc;
|
|
const char separator = ':';
|
|
|
|
@@ -2475,6 +2514,12 @@ static CK_RV generate_asymmetric_key(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
|
|
}
|
|
break;
|
|
case kt_IBM_DILITHIUM:
|
|
+ rc = read_dilithium_args(dilithium_ver, &keyform,
|
|
+ pub_attr, &pub_acount);
|
|
+ if (rc) {
|
|
+ fprintf(stderr, "Error parsing Dilithium parameters!\n");
|
|
+ goto done;
|
|
+ }
|
|
printf("Generating Dilithium keypair with %s\n", dilithium_ver);
|
|
break;
|
|
default:
|
|
--
|
|
2.16.2.windows.1
|
|
|