SHA256
1
0
forked from pool/openCryptoki
openCryptoki/ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
Mark Post f41ca9bf97 Accepting request 1063652 from home:ngueorguiev:branches:security
- Added patch for compile errors
	* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch 
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the
	following patches:
	* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
	* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
	* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
	* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
	* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
	* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
	* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
	* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
	* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
	* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
	* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
	* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
	* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
	* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
	* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
	* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
	* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
	* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
	* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
	* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
	* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
	* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
	* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
	* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
	* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
	* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
	* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
	* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
	* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
	* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
	* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
	* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
	* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
	* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch

OBS-URL: https://build.opensuse.org/request/show/1063652
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=128
2023-02-07 15:45:43 +00:00

605 lines
24 KiB
Diff

From 76307be97a42f5a743e7cf0ef75a87dac0c0106f Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 16 Feb 2022 13:04:24 +0100
Subject: [PATCH 19/34] COMMON: Dilithium key BER encoding/decoding allow
different OIDs
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/cca_stdll/cca_stdll.mk | 2 +-
usr/lib/common/asn1.c | 143 ++++++++++++++++++++-----------
usr/lib/common/globals.c | 8 +-
usr/lib/common/h_extern.h | 54 ++++++------
usr/lib/common/key.c | 10 ++-
usr/lib/common/key_mgr.c | 13 ++-
usr/lib/ep11_stdll/ep11_specific.c | 6 +-
usr/lib/ep11_stdll/ep11_stdll.mk | 3 +-
usr/lib/ica_s390_stdll/ica_s390_stdll.mk | 2 +-
usr/lib/icsf_stdll/icsf_stdll.mk | 2 +-
usr/lib/soft_stdll/soft_stdll.mk | 2 +-
usr/lib/tpm_stdll/tpm_stdll.mk | 2 +-
usr/sbin/pkcscca/pkcscca.mk | 2 +-
13 files changed, 152 insertions(+), 97 deletions(-)
diff --git a/usr/lib/cca_stdll/cca_stdll.mk b/usr/lib/cca_stdll/cca_stdll.mk
index 9b71085a..5963df59 100644
--- a/usr/lib/cca_stdll/cca_stdll.mk
+++ b/usr/lib/cca_stdll/cca_stdll.mk
@@ -41,7 +41,7 @@ opencryptoki_stdll_libpkcs11_cca_la_SOURCES = usr/lib/common/asn1.c \
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
usr/lib/api/policyhelper.c usr/lib/config/configuration.c \
usr/lib/config/cfgparse.y usr/lib/config/cfglex.l \
- usr/lib/common/mech_openssl.c
+ usr/lib/common/mech_openssl.c usr/lib/common/pqc_supported.c
if ENABLE_LOCKS
opencryptoki_stdll_libpkcs11_cca_la_SOURCES += \
diff --git a/usr/lib/common/asn1.c b/usr/lib/common/asn1.c
index b3f49c41..884ef489 100644
--- a/usr/lib/common/asn1.c
+++ b/usr/lib/common/asn1.c
@@ -24,6 +24,7 @@
#include "host_defs.h"
#include "h_extern.h"
#include "trace.h"
+#include "pqc_defs.h"
//
@@ -3616,7 +3617,7 @@ cleanup:
*
* SEQUENCE (2 elem)
* SEQUENCE (2 elem)
- * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.1.6.5
+ * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.xxx
* NULL
* BIT STRING (1 elem)
* SEQUENCE (2 elem)
@@ -3624,20 +3625,26 @@ cleanup:
* BIT STRING (13824 bit) = 1728 bytes
*/
CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
- CK_BYTE **data, CK_ULONG *data_len,
- CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1)
+ CK_BYTE **data, CK_ULONG *data_len,
+ const CK_BYTE *oid, CK_ULONG oid_len,
+ CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1)
{
CK_BYTE *buf = NULL, *buf2 = NULL, *buf3 = NULL, *buf4 = NULL;
- CK_ULONG len = 0, len4, offset, total, total_len;
+ CK_BYTE *buf5 = NULL, *algid = NULL;
+ CK_ULONG len = 0, len4, offset, total, total_len, algid_len;
CK_RV rc;
UNUSED(length_only);
offset = 0;
rc = 0;
- total_len = ber_AlgIdDilithiumLen;
+ total_len = 0;
total = 0;
+ /* Calculate storage for AlgID sequence */
+ rc |= ber_encode_SEQUENCE(TRUE, NULL, &total_len, NULL,
+ oid_len + ber_NULLLen);
+
/* Calculate storage for inner sequence */
rc |= ber_encode_INTEGER(TRUE, NULL, &len, NULL, rho->ulValueLen);
offset += len;
@@ -3709,12 +3716,30 @@ CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
/*
* SEQUENCE (2 elem)
- * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.1.6.5
+ * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.xxx
* NULL <- no parms for this oid
*/
- total_len = 0;
- memcpy(buf3 + total_len, ber_AlgIdDilithium, ber_AlgIdDilithiumLen);
- total_len += ber_AlgIdDilithiumLen;
+ buf5 = (CK_BYTE *) malloc(oid_len + ber_NULLLen);
+ if (!buf5) {
+ TRACE_ERROR("%s Memory allocation failed\n", __func__);
+ rc = CKR_HOST_MEMORY;
+ goto error;
+ }
+ memcpy(buf5, oid, oid_len);
+ memcpy(buf5 + oid_len, ber_NULL, ber_NULLLen);
+
+ rc = ber_encode_SEQUENCE(FALSE, &algid, &algid_len, buf5,
+ oid_len + ber_NULLLen);
+ free(buf5);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("%s ber_encode_SEQUENCE failed with rc=0x%lx\n", __func__, rc);
+ goto error;
+ }
+
+ total_len = algid_len;
+ memcpy(buf3, algid, algid_len);
+ free(algid);
+ algid = NULL;
/*
* BIT STRING (1 elem)
@@ -3760,16 +3785,15 @@ error:
CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
- CK_ULONG data_len,
- CK_ATTRIBUTE **rho_attr,
- CK_ATTRIBUTE **t1_attr)
+ CK_ULONG data_len,
+ CK_ATTRIBUTE **rho_attr,
+ CK_ATTRIBUTE **t1_attr)
{
CK_ATTRIBUTE *rho_attr_temp = NULL;
CK_ATTRIBUTE *t1_attr_temp = NULL;
- CK_BYTE *algid_DilithiumBase = NULL;
- CK_BYTE *algid = NULL;
- CK_ULONG algid_len;
+ CK_BYTE *algoid = NULL;
+ CK_ULONG algoid_len;
CK_BYTE *param = NULL;
CK_ULONG param_len;
CK_BYTE *val = NULL;
@@ -3780,26 +3804,20 @@ CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
CK_ULONG rho_len;
CK_BYTE *t1;
CK_ULONG t1_len;
- CK_ULONG field_len, offset, len;
+ CK_ULONG field_len, offset;
CK_RV rc;
UNUSED(data_len); // XXX can this parameter be removed ?
- rc = ber_decode_SPKI(data, &algid, &algid_len, &param, &param_len,
+ rc = ber_decode_SPKI(data, &algoid, &algoid_len, &param, &param_len,
&val, &val_len);
if (rc != CKR_OK) {
TRACE_DEVEL("ber_decode_SPKI failed\n");
return rc;
}
- /* Make sure we're dealing with a Dilithium key */
- rc = ber_decode_SEQUENCE((CK_BYTE *)ber_AlgIdDilithium, &algid_DilithiumBase, &len,
- &field_len);
- if (rc != CKR_OK) {
- TRACE_DEVEL("ber_decode_SEQUENCE failed\n");
- return rc;
- }
- if (memcmp(algid, algid_DilithiumBase, len) != 0) {
+ if (algoid_len != dilithium_r2_65_len ||
+ memcmp(algoid, dilithium_r2_65, dilithium_r2_65_len) != 0) {
TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
return CKR_FUNCTION_FAILED;
}
@@ -3879,18 +3897,20 @@ cleanup:
* }
*/
CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
- CK_BYTE **data,
- CK_ULONG *data_len,
- CK_ATTRIBUTE *rho,
- CK_ATTRIBUTE *seed,
- CK_ATTRIBUTE *tr,
- CK_ATTRIBUTE *s1,
- CK_ATTRIBUTE *s2,
- CK_ATTRIBUTE *t0,
- CK_ATTRIBUTE *t1)
+ CK_BYTE **data,
+ CK_ULONG *data_len,
+ const CK_BYTE *oid, CK_ULONG oid_len,
+ CK_ATTRIBUTE *rho,
+ CK_ATTRIBUTE *seed,
+ CK_ATTRIBUTE *tr,
+ CK_ATTRIBUTE *s1,
+ CK_ATTRIBUTE *s2,
+ CK_ATTRIBUTE *t0,
+ CK_ATTRIBUTE *t1)
{
CK_BYTE *buf = NULL, *buf2 = NULL, *buf3 = NULL;
- CK_ULONG len, len2 = 0, offset;
+ CK_BYTE *algid = NULL, *algid_buf = NULL;
+ CK_ULONG len, len2 = 0, offset, algid_len = 0;
CK_BYTE version[] = { 0 };
CK_RV rc;
@@ -3898,6 +3918,9 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
offset = 0;
rc = 0;
+ rc |= ber_encode_SEQUENCE(TRUE, NULL, &algid_len, NULL,
+ oid_len + ber_NULLLen);
+
rc |= ber_encode_INTEGER(TRUE, NULL, &len, NULL, sizeof(version));
offset += len;
rc |= ber_encode_BIT_STRING(TRUE, NULL, &len, NULL, rho->ulValueLen, 0);
@@ -3931,7 +3954,7 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
}
rc = ber_encode_PrivateKeyInfo(TRUE,
NULL, data_len,
- NULL, ber_AlgIdDilithiumLen,
+ NULL, algid_len,
NULL, len);
if (rc != CKR_OK) {
TRACE_DEVEL("ber_encode_PrivateKeyInfo failed\n");
@@ -4051,10 +4074,28 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
TRACE_ERROR("ber_encode_SEQUENCE failed\n");
goto error;
}
+
+ algid_buf = (CK_BYTE *) malloc(oid_len + ber_NULLLen);
+ if (!algid_buf) {
+ TRACE_ERROR("%s Memory allocation failed\n", __func__);
+ rc = CKR_HOST_MEMORY;
+ goto error;
+ }
+ memcpy(algid_buf, oid, oid_len);
+ memcpy(algid_buf + oid_len, ber_NULL, ber_NULLLen);
+
+ rc = ber_encode_SEQUENCE(FALSE, &algid, &algid_len, algid_buf,
+ oid_len + ber_NULLLen);
+ free(algid_buf);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("%s ber_encode_SEQUENCE failed with rc=0x%lx\n", __func__, rc);
+ goto error;
+ }
+
rc = ber_encode_PrivateKeyInfo(FALSE,
data, data_len,
- ber_AlgIdDilithium,
- ber_AlgIdDilithiumLen, buf2, len);
+ algid, algid_len,
+ buf2, len);
if (rc != CKR_OK) {
TRACE_ERROR("ber_encode_PrivateKeyInfo failed\n");
}
@@ -4066,6 +4107,8 @@ error:
free(buf2);
if (buf)
free(buf);
+ if (algid)
+ free(algid);
return rc;
}
@@ -4087,19 +4130,19 @@ error:
* }
*/
CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
- CK_ULONG data_len,
- CK_ATTRIBUTE **rho,
- CK_ATTRIBUTE **seed,
- CK_ATTRIBUTE **tr,
- CK_ATTRIBUTE **s1,
- CK_ATTRIBUTE **s2,
- CK_ATTRIBUTE **t0,
- CK_ATTRIBUTE **t1)
+ CK_ULONG data_len,
+ CK_ATTRIBUTE **rho,
+ CK_ATTRIBUTE **seed,
+ CK_ATTRIBUTE **tr,
+ CK_ATTRIBUTE **s1,
+ CK_ATTRIBUTE **s2,
+ CK_ATTRIBUTE **t0,
+ CK_ATTRIBUTE **t1)
{
CK_ATTRIBUTE *rho_attr = NULL, *seed_attr = NULL;
CK_ATTRIBUTE *tr_attr = NULL, *s1_attr = NULL, *s2_attr = NULL;
CK_ATTRIBUTE *t0_attr = NULL, *t1_attr = NULL;
- CK_BYTE *alg = NULL;
+ CK_BYTE *algoid = NULL;
CK_BYTE *dilithium_priv_key = NULL;
CK_BYTE *buf = NULL;
CK_BYTE *tmp = NULL;
@@ -4107,15 +4150,15 @@ CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
CK_RV rc;
/* Check if this is a Dilithium private key */
- rc = ber_decode_PrivateKeyInfo(data, data_len, &alg, &len,
+ rc = ber_decode_PrivateKeyInfo(data, data_len, &algoid, &len,
&dilithium_priv_key);
if (rc != CKR_OK) {
TRACE_DEVEL("ber_decode_PrivateKeyInfo failed\n");
return rc;
}
- if (memcmp(alg, ber_AlgIdDilithium, ber_AlgIdDilithiumLen) != 0) {
- // probably ought to use a different error
+ if (len != dilithium_r2_65_len + ber_NULLLen ||
+ memcmp(algoid, dilithium_r2_65, dilithium_r2_65_len) != 0) {
TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
return CKR_FUNCTION_FAILED;
}
diff --git a/usr/lib/common/globals.c b/usr/lib/common/globals.c
index 5b79e785..a7197ec6 100644
--- a/usr/lib/common/globals.c
+++ b/usr/lib/common/globals.c
@@ -105,11 +105,7 @@ const CK_BYTE ber_AlgIdRSAEncryption[] = {
const CK_BYTE der_AlgIdECBase[] =
{ 0x30, 0x09, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01 };
-const CK_BYTE ber_AlgIdDilithium[] =
- { 0x30, 0x0F, 0x06, 0x0B, 0x2B, 0x06, 0x01,
- 0x04, 0x01, 0x02, 0x82, 0x0B, 0x01, 0x06,
- 0x05, 0x05, 0x00
-};
+const CK_BYTE ber_NULL[] = { 0x05, 0x00 };
// ID Lengths
//
@@ -135,7 +131,7 @@ const CK_ULONG ber_AlgSha384Len = sizeof(ber_AlgSha384);
const CK_ULONG ber_AlgSha512Len = sizeof(ber_AlgSha512);
const CK_ULONG ber_AlgIdRSAEncryptionLen = sizeof(ber_AlgIdRSAEncryption);
const CK_ULONG der_AlgIdECBaseLen = sizeof(der_AlgIdECBase);
-const CK_ULONG ber_AlgIdDilithiumLen = sizeof(ber_AlgIdDilithium);
+const CK_ULONG ber_NULLLen = sizeof(ber_NULL);
const CK_ULONG des_weak_count = 4;
const CK_ULONG des_semi_weak_count = 12;
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
index 340ab88d..41ca12df 100644
--- a/usr/lib/common/h_extern.h
+++ b/usr/lib/common/h_extern.h
@@ -56,16 +56,14 @@ extern const CK_BYTE ber_rsaEncryption[];
extern const CK_ULONG ber_rsaEncryptionLen;
extern const CK_BYTE der_AlgIdECBase[];
extern const CK_ULONG der_AlgIdECBaseLen;
-extern const CK_BYTE ber_AlgIdDilithium[];
-extern const CK_ULONG ber_AlgIdDilithiumLen;
extern const CK_BYTE ber_idDSA[];
extern const CK_ULONG ber_idDSALen;
extern const CK_BYTE ber_idDH[];
extern const CK_ULONG ber_idDHLen;
extern const CK_BYTE ber_idEC[];
extern const CK_ULONG ber_idECLen;
-extern const CK_BYTE ber_idDilithium[];
-extern const CK_ULONG ber_idDilithiumLen;
+extern const CK_BYTE ber_NULL[];
+extern const CK_ULONG ber_NULLLen;
#if !(NOMD2)
extern const CK_BYTE ber_md2WithRSAEncryption[];
@@ -2742,35 +2740,37 @@ CK_RV ber_decode_ECDHPrivateKey(CK_BYTE *data,
CK_ATTRIBUTE **pub_key,
CK_ATTRIBUTE **priv_key);
-CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only, CK_BYTE **data,
- CK_ULONG *data_len, CK_ATTRIBUTE *rho,
- CK_ATTRIBUTE *t1);
+CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
+ CK_BYTE **data, CK_ULONG *data_len,
+ const CK_BYTE *oid, CK_ULONG oid_len,
+ CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1);
CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
- CK_ULONG data_len,
- CK_ATTRIBUTE **rho_attr,
- CK_ATTRIBUTE **t1_attr);
+ CK_ULONG data_len,
+ CK_ATTRIBUTE **rho_attr,
+ CK_ATTRIBUTE **t1_attr);
CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
- CK_BYTE **data,
- CK_ULONG *data_len,
- CK_ATTRIBUTE *rho,
- CK_ATTRIBUTE *seed,
- CK_ATTRIBUTE *tr,
- CK_ATTRIBUTE *s1,
- CK_ATTRIBUTE *s2,
- CK_ATTRIBUTE *t0,
- CK_ATTRIBUTE *t1);
+ CK_BYTE **data,
+ CK_ULONG *data_len,
+ const CK_BYTE *oid, CK_ULONG oid_len,
+ CK_ATTRIBUTE *rho,
+ CK_ATTRIBUTE *seed,
+ CK_ATTRIBUTE *tr,
+ CK_ATTRIBUTE *s1,
+ CK_ATTRIBUTE *s2,
+ CK_ATTRIBUTE *t0,
+ CK_ATTRIBUTE *t1);
CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
- CK_ULONG data_len,
- CK_ATTRIBUTE **rho,
- CK_ATTRIBUTE **seed,
- CK_ATTRIBUTE **tr,
- CK_ATTRIBUTE **s1,
- CK_ATTRIBUTE **s2,
- CK_ATTRIBUTE **t0,
- CK_ATTRIBUTE **t1);
+ CK_ULONG data_len,
+ CK_ATTRIBUTE **rho,
+ CK_ATTRIBUTE **seed,
+ CK_ATTRIBUTE **tr,
+ CK_ATTRIBUTE **s1,
+ CK_ATTRIBUTE **s2,
+ CK_ATTRIBUTE **t0,
+ CK_ATTRIBUTE **t1);
typedef CK_RV (*t_rsa_encrypt)(STDLL_TokData_t *, CK_BYTE *in_data,
CK_ULONG in_data_len, CK_BYTE *out_data,
diff --git a/usr/lib/common/key.c b/usr/lib/common/key.c
index 6e9a839a..41857b97 100644
--- a/usr/lib/common/key.c
+++ b/usr/lib/common/key.c
@@ -81,6 +81,7 @@
#include "h_extern.h"
#include "attributes.h"
#include "trace.h"
+#include "pqc_defs.h"
#include "tok_spec_struct.h"
@@ -2688,7 +2689,10 @@ CK_RV ibm_dilithium_publ_get_spki(TEMPLATE *tmpl, CK_BBOOL length_only,
return rc;
}
- rc = ber_encode_IBM_DilithiumPublicKey(length_only, data,data_len, rho, t1);
+ rc = ber_encode_IBM_DilithiumPublicKey(length_only, data, data_len,
+ dilithium_r2_65,
+ dilithium_r2_65_len,
+ rho, t1);
if (rc != CKR_OK) {
TRACE_ERROR("ber_encode_IBM_DilithiumPublicKey failed.\n");
return rc;
@@ -2766,7 +2770,9 @@ CK_RV ibm_dilithium_priv_wrap_get_data(TEMPLATE *tmpl,
}
rc = ber_encode_IBM_DilithiumPrivateKey(length_only, data, data_len,
- rho, seed, tr, s1, s2, t0, t1);
+ dilithium_r2_65,
+ dilithium_r2_65_len,
+ rho, seed, tr, s1, s2, t0, t1);
if (rc != CKR_OK) {
TRACE_DEVEL("ber_encode_IBM_DilithiumPrivateKey failed\n");
}
diff --git a/usr/lib/common/key_mgr.c b/usr/lib/common/key_mgr.c
index 99f2a72e..01103dc2 100644
--- a/usr/lib/common/key_mgr.c
+++ b/usr/lib/common/key_mgr.c
@@ -35,6 +35,7 @@
#include "attributes.h"
#include "tok_spec_struct.h"
#include "trace.h"
+#include "pqc_defs.h"
#include "../api/policy.h"
#include "../api/statistics.h"
@@ -1368,7 +1369,7 @@ CK_RV key_mgr_get_private_key_type(CK_BYTE *keydata,
{
CK_BYTE *alg = NULL;
CK_BYTE *priv_key = NULL;
- CK_ULONG alg_len;
+ CK_ULONG alg_len, i;
CK_RV rc;
rc = ber_decode_PrivateKeyInfo(keydata, keylen, &alg, &alg_len, &priv_key);
@@ -1408,10 +1409,14 @@ CK_RV key_mgr_get_private_key_type(CK_BYTE *keydata,
return CKR_OK;
}
}
- // Check only the OBJECT IDENTIFIER for DILITHIUM
+ // Check only the OBJECT IDENTIFIERs for DILITHIUM
//
- if (alg_len >= ber_idDilithiumLen) {
- if (memcmp(alg, ber_idDilithium, ber_idDilithiumLen) == 0) {
+ for (i = 0; dilithium_oids[i].oid != NULL; i++) {
+ if (alg_len == dilithium_oids[i].oid_len + ber_NULLLen &&
+ memcmp(alg, dilithium_oids[i].oid,
+ dilithium_oids[i].oid_len) == 0 &&
+ memcmp(alg + dilithium_oids[i].oid_len,
+ ber_NULL, ber_NULLLen) == 0) {
*keytype = CKK_IBM_PQC_DILITHIUM;
return CKR_OK;
}
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index e3451163..45069ae8 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -37,6 +37,7 @@
#include "trace.h"
#include "ock_syslog.h"
#include "ec_defs.h"
+#include "pqc_defs.h"
#include "p11util.h"
#include "events.h"
#include "cfgparser.h"
@@ -3645,7 +3646,10 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
}
/* Encode the public key */
- rc = ber_encode_IBM_DilithiumPublicKey(0, &data, &data_len, rho, t1);
+ rc = ber_encode_IBM_DilithiumPublicKey(FALSE, &data, &data_len,
+ dilithium_r2_65,
+ dilithium_r2_65_len,
+ rho, t1);
if (rc != CKR_OK) {
TRACE_ERROR("%s public key import class=0x%lx rc=0x%lx "
"data_len=0x%lx\n", __func__, class, rc, data_len);
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
index 9a8aa76a..11061f76 100644
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
@@ -43,7 +43,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \
usr/lib/ep11_stdll/ep11_specific.c \
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
usr/lib/api/policyhelper.c usr/lib/config/configuration.c \
- usr/lib/config/cfgparse.y usr/lib/config/cfglex.l
+ usr/lib/config/cfgparse.y usr/lib/config/cfglex.l \
+ usr/lib/common/pqc_supported.c
if ENABLE_LOCKS
opencryptoki_stdll_libpkcs11_ep11_la_SOURCES += \
diff --git a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
index cb9d898f..f89cd343 100644
--- a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
+++ b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
@@ -38,7 +38,7 @@ opencryptoki_stdll_libpkcs11_ica_la_SOURCES = \
usr/lib/ica_s390_stdll/ica_specific.c usr/lib/common/dlist.c \
usr/lib/common/mech_openssl.c \
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
- usr/lib/api/policyhelper.c
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
if ENABLE_LOCKS
opencryptoki_stdll_libpkcs11_ica_la_SOURCES += \
diff --git a/usr/lib/icsf_stdll/icsf_stdll.mk b/usr/lib/icsf_stdll/icsf_stdll.mk
index ee83f674..ebf24290 100644
--- a/usr/lib/icsf_stdll/icsf_stdll.mk
+++ b/usr/lib/icsf_stdll/icsf_stdll.mk
@@ -43,7 +43,7 @@ opencryptoki_stdll_libpkcs11_icsf_la_SOURCES = usr/lib/common/asn1.c \
usr/lib/icsf_stdll/icsf_specific.c \
usr/lib/icsf_stdll/icsf.c usr/lib/common/utility_common.c \
usr/lib/common/ec_supported.c usr/lib/api/policyhelper.c \
- usr/lib/config/configuration.c \
+ usr/lib/config/configuration.c usr/lib/common/pqc_supported.c \
usr/lib/config/cfgparse.y usr/lib/config/cfglex.l \
usr/lib/common/mech_openssl.c
diff --git a/usr/lib/soft_stdll/soft_stdll.mk b/usr/lib/soft_stdll/soft_stdll.mk
index 6cdf82b8..7a842ddc 100644
--- a/usr/lib/soft_stdll/soft_stdll.mk
+++ b/usr/lib/soft_stdll/soft_stdll.mk
@@ -36,7 +36,7 @@ opencryptoki_stdll_libpkcs11_sw_la_SOURCES = \
usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c \
usr/lib/common/dlist.c usr/lib/common/mech_openssl.c \
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
- usr/lib/api/policyhelper.c
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
if ENABLE_LOCKS
opencryptoki_stdll_libpkcs11_sw_la_SOURCES += \
diff --git a/usr/lib/tpm_stdll/tpm_stdll.mk b/usr/lib/tpm_stdll/tpm_stdll.mk
index 54551c1f..7fa18121 100644
--- a/usr/lib/tpm_stdll/tpm_stdll.mk
+++ b/usr/lib/tpm_stdll/tpm_stdll.mk
@@ -38,7 +38,7 @@ opencryptoki_stdll_libpkcs11_tpm_la_SOURCES = \
usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c \
usr/lib/common/dlist.c usr/lib/common/mech_openssl.c \
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
- usr/lib/api/policyhelper.c
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
if ENABLE_LOCKS
opencryptoki_stdll_libpkcs11_tpm_la_SOURCES += \
diff --git a/usr/sbin/pkcscca/pkcscca.mk b/usr/sbin/pkcscca/pkcscca.mk
index 187a93f2..59300ef5 100644
--- a/usr/sbin/pkcscca/pkcscca.mk
+++ b/usr/sbin/pkcscca/pkcscca.mk
@@ -41,7 +41,7 @@ usr_sbin_pkcscca_pkcscca_SOURCES = usr/lib/common/asn1.c \
usr/lib/common/dlist.c usr/sbin/pkcscca/pkcscca.c \
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
usr/lib/common/pin_prompt.c usr/lib/common/mech_openssl.c \
- usr/lib/api/policyhelper.c
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
nodist_usr_sbin_pkcscca_pkcscca_SOURCES = usr/lib/api/mechtable.c
--
2.16.2.windows.1