rpm/openCryptoki
SHA256
1
0
Fork 0
forked from pool/openCryptoki
Code Pull Requests Activity
d227b6f7d5
openCryptoki/ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
Mark Post f41ca9bf97 Accepting request 1063652 from home:ngueorguiev:branches:security 
- Added patch for compile errors
	* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch 
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the
	following patches:
	* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
	* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
	* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
	* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
	* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
	* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
	* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
	* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
	* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
	* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
	* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
	* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
	* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
	* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
	* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
	* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
	* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
	* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
	* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
	* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
	* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
	* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
	* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
	* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
	* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
	* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
	* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
	* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
	* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
	* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
	* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
	* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
	* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
	* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch

OBS-URL: https://build.opensuse.org/request/show/1063652
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=128
2023-02-07 15:45:43 +00:00

250 lines
9.1 KiB
Diff
Raw Blame History

From 67ed25a8f7764e61647c3c31d09a1e60db38006b Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 16 Feb 2022 11:20:54 +0100
Subject: [PATCH 18/34] COMMON: Add post-quantum algorithm OIDs
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/include/include.mk | 2 +-
usr/include/pqc_oids.h | 48 ++++++++++++++++++++++++++
usr/lib/common/common.mk | 3 +-
usr/lib/common/globals.c | 1 +
usr/lib/common/pqc_defs.h | 48 ++++++++++++++++++++++++++
usr/lib/common/pqc_supported.c | 78 ++++++++++++++++++++++++++++++++++++++++++
6 files changed, 178 insertions(+), 2 deletions(-)
create mode 100644 usr/include/pqc_oids.h
create mode 100644 usr/lib/common/pqc_defs.h
create mode 100644 usr/lib/common/pqc_supported.c
diff --git a/usr/include/include.mk b/usr/include/include.mk
index 79e593d7..a63e043f 100644
--- a/usr/include/include.mk
+++ b/usr/include/include.mk
@@ -3,7 +3,7 @@ opencryptokiincludedir = ${includedir}/opencryptoki
opencryptokiinclude_HEADERS = \
usr/include/apiclient.h usr/include/pkcs11types.h \
usr/include/pkcs11.h \
- usr/include/ec_curves.h
+ usr/include/ec_curves.h usr/include/pqc_oids.h
noinst_HEADERS += \
usr/include/apictl.h usr/include/local_types.h \
diff --git a/usr/include/pqc_oids.h b/usr/include/pqc_oids.h
new file mode 100644
index 00000000..0891373e
--- /dev/null
+++ b/usr/include/pqc_oids.h
@@ -0,0 +1,48 @@
+/*
+ * COPYRIGHT (c) International Business Machines Corp. 2022
+ *
+ * This program is provided under the terms of the Common Public License,
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
+ * found in the file LICENSE file or at
+ * https://opensource.org/licenses/cpl1.0.php
+ */
+
+
+#ifndef _PQC_OIDS_H_
+#define _PQC_OIDS_H_
+
+/*
+ * OIDs and their DER encoding for the post-quantum crypto algorithms
+ * supported by OpenCryptoki:
+ */
+
+/* Dilithium Round 2 high-security (SHAKE-256): 1.3.6.1.4.1.2.267.1.6.5 */
+#define OCK_DILITHIUM_R2_65 { 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, \
+ 0x01, 0x02, 0x82, 0x0B, 0x01, 0x06, 0x05 }
+
+/* Dilithium Round 2 for outbound authentication: 1.3.6.1.4.1.2.267.1.8.7 */
+#define OCK_DILITHIUM_R2_87 { 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, \
+ 0x01, 0x02, 0x82, 0x0B, 0x01, 0x08, 0x07 }
+
+/* Dilithium Round 3 weak (SHAKE-256): 1.3.6.1.4.1.2.267.7.4.4 */
+#define OCK_DILITHIUM_R3_44 { 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, \
+ 0x01, 0x02, 0x82, 0x0B, 0x07, 0x04, 0x04 }
+
+/* Dilithium Round 3 recommended (SHAKE-256): 1.3.6.1.4.1.2.267.7.6.5 */
+#define OCK_DILITHIUM_R3_65 { 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, \
+ 0x01, 0x02, 0x82, 0x0B, 0x07, 0x06, 0x05 }
+
+/* Dilithium Round 3 high-security (SHAKE-256): 1.3.6.1.4.1.2.267.7.8.7 */
+#define OCK_DILITHIUM_R3_87 { 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, \
+ 0x01, 0x02, 0x82, 0x0B, 0x07, 0x08, 0x07 }
+
+/* Kyber Round 2 768 (SHAKE-128): 1.3.6.1.4.1.2.267.5.3.3 */
+#define OCK_KYBER_R2_768 { 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, \
+ 0x01, 0x02, 0x82, 0x0B, 0x05, 0x03, 0x03 }
+
+/* Kyber Round 2 1024 (SHAKE-128): 1.3.6.1.4.1.2.267.5.4.4 */
+#define OCK_KYBER_R2_1024 { 0x06, 0x0B, 0x2B, 0x06, 0x01, 0x04, \
+ 0x01, 0x02, 0x82, 0x0B, 0x05, 0x04, 0x04 }
+
+#endif // _PQC_OIDS_H_
diff --git a/usr/lib/common/common.mk b/usr/lib/common/common.mk
index 6341cb74..93f1e21f 100644
--- a/usr/lib/common/common.mk
+++ b/usr/lib/common/common.mk
@@ -7,4 +7,5 @@ noinst_HEADERS += \
usr/lib/common/p11util.h usr/lib/common/event_client.h \
usr/lib/common/list.h usr/lib/common/tok_specific.h \
usr/lib/common/uri_enc.h usr/lib/common/uri.h \
- usr/lib/common/buffer.h usr/lib/common/pin_prompt.h
+ usr/lib/common/buffer.h usr/lib/common/pin_prompt.h \
+ usr/lib/common/pqc_defs.h
diff --git a/usr/lib/common/globals.c b/usr/lib/common/globals.c
index db4d352c..5b79e785 100644
--- a/usr/lib/common/globals.c
+++ b/usr/lib/common/globals.c
@@ -27,6 +27,7 @@
#include "defs.h"
#include "host_defs.h"
#include "h_extern.h"
+#include "pqc_oids.h"
struct ST_FCN_LIST function_list;
diff --git a/usr/lib/common/pqc_defs.h b/usr/lib/common/pqc_defs.h
new file mode 100644
index 00000000..51ee1200
--- /dev/null
+++ b/usr/lib/common/pqc_defs.h
@@ -0,0 +1,48 @@
+/*
+ * COPYRIGHT (c) International Business Machines Corp. 2022
+ *
+ * This program is provided under the terms of the Common Public License,
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
+ * found in the file LICENSE file or at
+ * https://opensource.org/licenses/cpl1.0.php
+ */
+
+#ifndef _PQC_DEFS
+#define _PQC_DEFS
+
+#include <stdio.h>
+
+#include "pqc_oids.h"
+
+extern const CK_BYTE dilithium_r2_65[];
+extern const CK_ULONG dilithium_r2_65_len;
+extern const CK_BYTE dilithium_r2_87[];
+extern const CK_ULONG dilithium_r2_87_len;
+extern const CK_BYTE dilithium_r3_44[];
+extern const CK_ULONG dilithium_r3_44_len;
+extern const CK_BYTE dilithium_r3_56[];
+extern const CK_ULONG dilithium_r3_56_len;
+extern const CK_BYTE dilithium_r3_87[];
+extern const CK_ULONG dilithium_r3_87_len;
+
+extern const CK_BYTE kyber_r2_768[];
+extern const CK_ULONG kyber_r2_768_len;
+extern const CK_BYTE kyber_r2_1024[];
+extern const CK_ULONG kyber_r2_1024_len;
+
+struct pqc_oid {
+ const CK_BYTE *oid;
+ CK_ULONG oid_len;
+ CK_ULONG keyform;
+};
+
+extern const struct pqc_oid dilithium_oids[];
+extern const struct pqc_oid kyber_oids[];
+
+const struct pqc_oid *find_pqc_by_keyform(const struct pqc_oid *pqcs,
+ CK_ULONG keyform);
+const struct pqc_oid *find_pqc_by_oid(const struct pqc_oid *pqcs,
+ CK_BYTE *oid, CK_ULONG oid_len);
+
+#endif
diff --git a/usr/lib/common/pqc_supported.c b/usr/lib/common/pqc_supported.c
new file mode 100644
index 00000000..4f048c33
--- /dev/null
+++ b/usr/lib/common/pqc_supported.c
@@ -0,0 +1,78 @@
+/*
+ * COPYRIGHT (c) International Business Machines Corp. 2022
+ *
+ * This program is provided under the terms of the Common Public License,
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
+ * found in the file LICENSE file or at
+ * https://opensource.org/licenses/cpl1.0.php
+ */
+
+#include <string.h>
+#include "pkcs11types.h"
+#include "pqc_defs.h"
+
+const CK_BYTE dilithium_r2_65[] = OCK_DILITHIUM_R2_65;
+const CK_ULONG dilithium_r2_65_len = sizeof(dilithium_r2_65);
+const CK_BYTE dilithium_r2_87[] = OCK_DILITHIUM_R2_87;
+const CK_ULONG dilithium_r2_87_len = sizeof(dilithium_r2_87);
+const CK_BYTE dilithium_r3_44[] = OCK_DILITHIUM_R3_44;
+const CK_ULONG dilithium_r3_44_len = sizeof(dilithium_r3_44);
+const CK_BYTE dilithium_r3_65[] = OCK_DILITHIUM_R3_65;
+const CK_ULONG dilithium_r3_65_len = sizeof(dilithium_r3_65);
+const CK_BYTE dilithium_r3_87[] = OCK_DILITHIUM_R3_87;
+const CK_ULONG dilithium_r3_87_len = sizeof(dilithium_r3_87);
+
+const struct pqc_oid dilithium_oids[] = {
+ { .oid = dilithium_r2_65, .oid_len = dilithium_r2_65_len,
+ .keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND2_65 },
+ { .oid = dilithium_r2_87, .oid_len = dilithium_r2_87_len,
+ .keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND2_87 },
+ { .oid = dilithium_r3_44, .oid_len = dilithium_r3_44_len,
+ .keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_44 },
+ { .oid = dilithium_r3_65, .oid_len = dilithium_r3_65_len,
+ .keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_65 },
+ { .oid = dilithium_r3_87, .oid_len = dilithium_r3_87_len,
+ .keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_87 },
+ { .oid = NULL, .oid_len = 0, .keyform = 0 }
+};
+
+const CK_BYTE kyber_r2_768[] = OCK_KYBER_R2_768;
+const CK_ULONG kyber_r2_768_len = sizeof(kyber_r2_768);
+const CK_BYTE kyber_r2_1024[] = OCK_KYBER_R2_1024;
+const CK_ULONG kyber_r2_1024_len = sizeof(kyber_r2_1024);
+
+const struct pqc_oid kyber_oids[] = {
+ { .oid = kyber_r2_768, .oid_len = kyber_r2_768_len,
+ .keyform = CK_IBM_KYBER_KEYFORM_ROUND2_768 },
+ { .oid = kyber_r2_1024, .oid_len = kyber_r2_1024_len,
+ .keyform = CK_IBM_KYBER_KEYFORM_ROUND2_1024 },
+ { .oid = NULL, .oid_len = 0, .keyform = 0 }
+};
+
+const struct pqc_oid *find_pqc_by_keyform(const struct pqc_oid *pqcs,
+ CK_ULONG keyform)
+{
+ CK_ULONG i;
+
+ for (i = 0; pqcs[i].oid != NULL; i++) {
+ if (pqcs[i].keyform == keyform)
+ return &pqcs[i];
+ }
+
+ return NULL;
+}
+
+const struct pqc_oid *find_pqc_by_oid(const struct pqc_oid *pqcs,
+ CK_BYTE *oid, CK_ULONG oid_len)
+{
+ CK_ULONG i;
+
+ for (i = 0; pqcs[i].oid != NULL; i++) {
+ if (pqcs[i].oid_len == oid_len &&
+ memcmp(pqcs[i].oid, oid, oid_len) == 0)
+ return &pqcs[i];
+ }
+
+ return NULL;
+}
--
2.16.2.windows.1
View Git Blame Copy Permalink