forked from pool/openCryptoki
f41ca9bf97
- Added patch for compile errors * ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch - Changed spec file to use %autosetup instead of %setup. - Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the following patches: * ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch * ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch * ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch * ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch * ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch * ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch * ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch * ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch * ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch * ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch * ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch * ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch * ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch * ocki-3.19.0-0014-EP11-Add-new-control-points.patch * ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch * ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch * ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch * ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch * ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch * ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch * ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch * ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch * ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch * ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch * ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch * ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch * ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch * ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch * ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch * ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch * ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch * ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch * ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch * ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch OBS-URL: https://build.opensuse.org/request/show/1063652 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=128
605 lines
24 KiB
Diff
605 lines
24 KiB
Diff
From 76307be97a42f5a743e7cf0ef75a87dac0c0106f Mon Sep 17 00:00:00 2001
|
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Date: Wed, 16 Feb 2022 13:04:24 +0100
|
|
Subject: [PATCH 19/34] COMMON: Dilithium key BER encoding/decoding allow
|
|
different OIDs
|
|
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
---
|
|
usr/lib/cca_stdll/cca_stdll.mk | 2 +-
|
|
usr/lib/common/asn1.c | 143 ++++++++++++++++++++-----------
|
|
usr/lib/common/globals.c | 8 +-
|
|
usr/lib/common/h_extern.h | 54 ++++++------
|
|
usr/lib/common/key.c | 10 ++-
|
|
usr/lib/common/key_mgr.c | 13 ++-
|
|
usr/lib/ep11_stdll/ep11_specific.c | 6 +-
|
|
usr/lib/ep11_stdll/ep11_stdll.mk | 3 +-
|
|
usr/lib/ica_s390_stdll/ica_s390_stdll.mk | 2 +-
|
|
usr/lib/icsf_stdll/icsf_stdll.mk | 2 +-
|
|
usr/lib/soft_stdll/soft_stdll.mk | 2 +-
|
|
usr/lib/tpm_stdll/tpm_stdll.mk | 2 +-
|
|
usr/sbin/pkcscca/pkcscca.mk | 2 +-
|
|
13 files changed, 152 insertions(+), 97 deletions(-)
|
|
|
|
diff --git a/usr/lib/cca_stdll/cca_stdll.mk b/usr/lib/cca_stdll/cca_stdll.mk
|
|
index 9b71085a..5963df59 100644
|
|
--- a/usr/lib/cca_stdll/cca_stdll.mk
|
|
+++ b/usr/lib/cca_stdll/cca_stdll.mk
|
|
@@ -41,7 +41,7 @@ opencryptoki_stdll_libpkcs11_cca_la_SOURCES = usr/lib/common/asn1.c \
|
|
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
usr/lib/api/policyhelper.c usr/lib/config/configuration.c \
|
|
usr/lib/config/cfgparse.y usr/lib/config/cfglex.l \
|
|
- usr/lib/common/mech_openssl.c
|
|
+ usr/lib/common/mech_openssl.c usr/lib/common/pqc_supported.c
|
|
|
|
if ENABLE_LOCKS
|
|
opencryptoki_stdll_libpkcs11_cca_la_SOURCES += \
|
|
diff --git a/usr/lib/common/asn1.c b/usr/lib/common/asn1.c
|
|
index b3f49c41..884ef489 100644
|
|
--- a/usr/lib/common/asn1.c
|
|
+++ b/usr/lib/common/asn1.c
|
|
@@ -24,6 +24,7 @@
|
|
#include "host_defs.h"
|
|
#include "h_extern.h"
|
|
#include "trace.h"
|
|
+#include "pqc_defs.h"
|
|
|
|
|
|
//
|
|
@@ -3616,7 +3617,7 @@ cleanup:
|
|
*
|
|
* SEQUENCE (2 elem)
|
|
* SEQUENCE (2 elem)
|
|
- * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.1.6.5
|
|
+ * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.xxx
|
|
* NULL
|
|
* BIT STRING (1 elem)
|
|
* SEQUENCE (2 elem)
|
|
@@ -3624,20 +3625,26 @@ cleanup:
|
|
* BIT STRING (13824 bit) = 1728 bytes
|
|
*/
|
|
CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
|
|
- CK_BYTE **data, CK_ULONG *data_len,
|
|
- CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1)
|
|
+ CK_BYTE **data, CK_ULONG *data_len,
|
|
+ const CK_BYTE *oid, CK_ULONG oid_len,
|
|
+ CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1)
|
|
{
|
|
CK_BYTE *buf = NULL, *buf2 = NULL, *buf3 = NULL, *buf4 = NULL;
|
|
- CK_ULONG len = 0, len4, offset, total, total_len;
|
|
+ CK_BYTE *buf5 = NULL, *algid = NULL;
|
|
+ CK_ULONG len = 0, len4, offset, total, total_len, algid_len;
|
|
CK_RV rc;
|
|
|
|
UNUSED(length_only);
|
|
|
|
offset = 0;
|
|
rc = 0;
|
|
- total_len = ber_AlgIdDilithiumLen;
|
|
+ total_len = 0;
|
|
total = 0;
|
|
|
|
+ /* Calculate storage for AlgID sequence */
|
|
+ rc |= ber_encode_SEQUENCE(TRUE, NULL, &total_len, NULL,
|
|
+ oid_len + ber_NULLLen);
|
|
+
|
|
/* Calculate storage for inner sequence */
|
|
rc |= ber_encode_INTEGER(TRUE, NULL, &len, NULL, rho->ulValueLen);
|
|
offset += len;
|
|
@@ -3709,12 +3716,30 @@ CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
|
|
|
|
/*
|
|
* SEQUENCE (2 elem)
|
|
- * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.1.6.5
|
|
+ * OBJECT IDENTIFIER 1.3.6.1.4.1.2.267.xxx
|
|
* NULL <- no parms for this oid
|
|
*/
|
|
- total_len = 0;
|
|
- memcpy(buf3 + total_len, ber_AlgIdDilithium, ber_AlgIdDilithiumLen);
|
|
- total_len += ber_AlgIdDilithiumLen;
|
|
+ buf5 = (CK_BYTE *) malloc(oid_len + ber_NULLLen);
|
|
+ if (!buf5) {
|
|
+ TRACE_ERROR("%s Memory allocation failed\n", __func__);
|
|
+ rc = CKR_HOST_MEMORY;
|
|
+ goto error;
|
|
+ }
|
|
+ memcpy(buf5, oid, oid_len);
|
|
+ memcpy(buf5 + oid_len, ber_NULL, ber_NULLLen);
|
|
+
|
|
+ rc = ber_encode_SEQUENCE(FALSE, &algid, &algid_len, buf5,
|
|
+ oid_len + ber_NULLLen);
|
|
+ free(buf5);
|
|
+ if (rc != CKR_OK) {
|
|
+ TRACE_ERROR("%s ber_encode_SEQUENCE failed with rc=0x%lx\n", __func__, rc);
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
+ total_len = algid_len;
|
|
+ memcpy(buf3, algid, algid_len);
|
|
+ free(algid);
|
|
+ algid = NULL;
|
|
|
|
/*
|
|
* BIT STRING (1 elem)
|
|
@@ -3760,16 +3785,15 @@ error:
|
|
|
|
|
|
CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
|
|
- CK_ULONG data_len,
|
|
- CK_ATTRIBUTE **rho_attr,
|
|
- CK_ATTRIBUTE **t1_attr)
|
|
+ CK_ULONG data_len,
|
|
+ CK_ATTRIBUTE **rho_attr,
|
|
+ CK_ATTRIBUTE **t1_attr)
|
|
{
|
|
CK_ATTRIBUTE *rho_attr_temp = NULL;
|
|
CK_ATTRIBUTE *t1_attr_temp = NULL;
|
|
|
|
- CK_BYTE *algid_DilithiumBase = NULL;
|
|
- CK_BYTE *algid = NULL;
|
|
- CK_ULONG algid_len;
|
|
+ CK_BYTE *algoid = NULL;
|
|
+ CK_ULONG algoid_len;
|
|
CK_BYTE *param = NULL;
|
|
CK_ULONG param_len;
|
|
CK_BYTE *val = NULL;
|
|
@@ -3780,26 +3804,20 @@ CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
|
|
CK_ULONG rho_len;
|
|
CK_BYTE *t1;
|
|
CK_ULONG t1_len;
|
|
- CK_ULONG field_len, offset, len;
|
|
+ CK_ULONG field_len, offset;
|
|
CK_RV rc;
|
|
|
|
UNUSED(data_len); // XXX can this parameter be removed ?
|
|
|
|
- rc = ber_decode_SPKI(data, &algid, &algid_len, ¶m, ¶m_len,
|
|
+ rc = ber_decode_SPKI(data, &algoid, &algoid_len, ¶m, ¶m_len,
|
|
&val, &val_len);
|
|
if (rc != CKR_OK) {
|
|
TRACE_DEVEL("ber_decode_SPKI failed\n");
|
|
return rc;
|
|
}
|
|
|
|
- /* Make sure we're dealing with a Dilithium key */
|
|
- rc = ber_decode_SEQUENCE((CK_BYTE *)ber_AlgIdDilithium, &algid_DilithiumBase, &len,
|
|
- &field_len);
|
|
- if (rc != CKR_OK) {
|
|
- TRACE_DEVEL("ber_decode_SEQUENCE failed\n");
|
|
- return rc;
|
|
- }
|
|
- if (memcmp(algid, algid_DilithiumBase, len) != 0) {
|
|
+ if (algoid_len != dilithium_r2_65_len ||
|
|
+ memcmp(algoid, dilithium_r2_65, dilithium_r2_65_len) != 0) {
|
|
TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
return CKR_FUNCTION_FAILED;
|
|
}
|
|
@@ -3879,18 +3897,20 @@ cleanup:
|
|
* }
|
|
*/
|
|
CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
|
|
- CK_BYTE **data,
|
|
- CK_ULONG *data_len,
|
|
- CK_ATTRIBUTE *rho,
|
|
- CK_ATTRIBUTE *seed,
|
|
- CK_ATTRIBUTE *tr,
|
|
- CK_ATTRIBUTE *s1,
|
|
- CK_ATTRIBUTE *s2,
|
|
- CK_ATTRIBUTE *t0,
|
|
- CK_ATTRIBUTE *t1)
|
|
+ CK_BYTE **data,
|
|
+ CK_ULONG *data_len,
|
|
+ const CK_BYTE *oid, CK_ULONG oid_len,
|
|
+ CK_ATTRIBUTE *rho,
|
|
+ CK_ATTRIBUTE *seed,
|
|
+ CK_ATTRIBUTE *tr,
|
|
+ CK_ATTRIBUTE *s1,
|
|
+ CK_ATTRIBUTE *s2,
|
|
+ CK_ATTRIBUTE *t0,
|
|
+ CK_ATTRIBUTE *t1)
|
|
{
|
|
CK_BYTE *buf = NULL, *buf2 = NULL, *buf3 = NULL;
|
|
- CK_ULONG len, len2 = 0, offset;
|
|
+ CK_BYTE *algid = NULL, *algid_buf = NULL;
|
|
+ CK_ULONG len, len2 = 0, offset, algid_len = 0;
|
|
CK_BYTE version[] = { 0 };
|
|
CK_RV rc;
|
|
|
|
@@ -3898,6 +3918,9 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
|
|
offset = 0;
|
|
rc = 0;
|
|
|
|
+ rc |= ber_encode_SEQUENCE(TRUE, NULL, &algid_len, NULL,
|
|
+ oid_len + ber_NULLLen);
|
|
+
|
|
rc |= ber_encode_INTEGER(TRUE, NULL, &len, NULL, sizeof(version));
|
|
offset += len;
|
|
rc |= ber_encode_BIT_STRING(TRUE, NULL, &len, NULL, rho->ulValueLen, 0);
|
|
@@ -3931,7 +3954,7 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
|
|
}
|
|
rc = ber_encode_PrivateKeyInfo(TRUE,
|
|
NULL, data_len,
|
|
- NULL, ber_AlgIdDilithiumLen,
|
|
+ NULL, algid_len,
|
|
NULL, len);
|
|
if (rc != CKR_OK) {
|
|
TRACE_DEVEL("ber_encode_PrivateKeyInfo failed\n");
|
|
@@ -4051,10 +4074,28 @@ CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
|
|
TRACE_ERROR("ber_encode_SEQUENCE failed\n");
|
|
goto error;
|
|
}
|
|
+
|
|
+ algid_buf = (CK_BYTE *) malloc(oid_len + ber_NULLLen);
|
|
+ if (!algid_buf) {
|
|
+ TRACE_ERROR("%s Memory allocation failed\n", __func__);
|
|
+ rc = CKR_HOST_MEMORY;
|
|
+ goto error;
|
|
+ }
|
|
+ memcpy(algid_buf, oid, oid_len);
|
|
+ memcpy(algid_buf + oid_len, ber_NULL, ber_NULLLen);
|
|
+
|
|
+ rc = ber_encode_SEQUENCE(FALSE, &algid, &algid_len, algid_buf,
|
|
+ oid_len + ber_NULLLen);
|
|
+ free(algid_buf);
|
|
+ if (rc != CKR_OK) {
|
|
+ TRACE_ERROR("%s ber_encode_SEQUENCE failed with rc=0x%lx\n", __func__, rc);
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
rc = ber_encode_PrivateKeyInfo(FALSE,
|
|
data, data_len,
|
|
- ber_AlgIdDilithium,
|
|
- ber_AlgIdDilithiumLen, buf2, len);
|
|
+ algid, algid_len,
|
|
+ buf2, len);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("ber_encode_PrivateKeyInfo failed\n");
|
|
}
|
|
@@ -4066,6 +4107,8 @@ error:
|
|
free(buf2);
|
|
if (buf)
|
|
free(buf);
|
|
+ if (algid)
|
|
+ free(algid);
|
|
|
|
return rc;
|
|
}
|
|
@@ -4087,19 +4130,19 @@ error:
|
|
* }
|
|
*/
|
|
CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
|
|
- CK_ULONG data_len,
|
|
- CK_ATTRIBUTE **rho,
|
|
- CK_ATTRIBUTE **seed,
|
|
- CK_ATTRIBUTE **tr,
|
|
- CK_ATTRIBUTE **s1,
|
|
- CK_ATTRIBUTE **s2,
|
|
- CK_ATTRIBUTE **t0,
|
|
- CK_ATTRIBUTE **t1)
|
|
+ CK_ULONG data_len,
|
|
+ CK_ATTRIBUTE **rho,
|
|
+ CK_ATTRIBUTE **seed,
|
|
+ CK_ATTRIBUTE **tr,
|
|
+ CK_ATTRIBUTE **s1,
|
|
+ CK_ATTRIBUTE **s2,
|
|
+ CK_ATTRIBUTE **t0,
|
|
+ CK_ATTRIBUTE **t1)
|
|
{
|
|
CK_ATTRIBUTE *rho_attr = NULL, *seed_attr = NULL;
|
|
CK_ATTRIBUTE *tr_attr = NULL, *s1_attr = NULL, *s2_attr = NULL;
|
|
CK_ATTRIBUTE *t0_attr = NULL, *t1_attr = NULL;
|
|
- CK_BYTE *alg = NULL;
|
|
+ CK_BYTE *algoid = NULL;
|
|
CK_BYTE *dilithium_priv_key = NULL;
|
|
CK_BYTE *buf = NULL;
|
|
CK_BYTE *tmp = NULL;
|
|
@@ -4107,15 +4150,15 @@ CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
|
|
CK_RV rc;
|
|
|
|
/* Check if this is a Dilithium private key */
|
|
- rc = ber_decode_PrivateKeyInfo(data, data_len, &alg, &len,
|
|
+ rc = ber_decode_PrivateKeyInfo(data, data_len, &algoid, &len,
|
|
&dilithium_priv_key);
|
|
if (rc != CKR_OK) {
|
|
TRACE_DEVEL("ber_decode_PrivateKeyInfo failed\n");
|
|
return rc;
|
|
}
|
|
|
|
- if (memcmp(alg, ber_AlgIdDilithium, ber_AlgIdDilithiumLen) != 0) {
|
|
- // probably ought to use a different error
|
|
+ if (len != dilithium_r2_65_len + ber_NULLLen ||
|
|
+ memcmp(algoid, dilithium_r2_65, dilithium_r2_65_len) != 0) {
|
|
TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
return CKR_FUNCTION_FAILED;
|
|
}
|
|
diff --git a/usr/lib/common/globals.c b/usr/lib/common/globals.c
|
|
index 5b79e785..a7197ec6 100644
|
|
--- a/usr/lib/common/globals.c
|
|
+++ b/usr/lib/common/globals.c
|
|
@@ -105,11 +105,7 @@ const CK_BYTE ber_AlgIdRSAEncryption[] = {
|
|
const CK_BYTE der_AlgIdECBase[] =
|
|
{ 0x30, 0x09, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01 };
|
|
|
|
-const CK_BYTE ber_AlgIdDilithium[] =
|
|
- { 0x30, 0x0F, 0x06, 0x0B, 0x2B, 0x06, 0x01,
|
|
- 0x04, 0x01, 0x02, 0x82, 0x0B, 0x01, 0x06,
|
|
- 0x05, 0x05, 0x00
|
|
-};
|
|
+const CK_BYTE ber_NULL[] = { 0x05, 0x00 };
|
|
|
|
// ID Lengths
|
|
//
|
|
@@ -135,7 +131,7 @@ const CK_ULONG ber_AlgSha384Len = sizeof(ber_AlgSha384);
|
|
const CK_ULONG ber_AlgSha512Len = sizeof(ber_AlgSha512);
|
|
const CK_ULONG ber_AlgIdRSAEncryptionLen = sizeof(ber_AlgIdRSAEncryption);
|
|
const CK_ULONG der_AlgIdECBaseLen = sizeof(der_AlgIdECBase);
|
|
-const CK_ULONG ber_AlgIdDilithiumLen = sizeof(ber_AlgIdDilithium);
|
|
+const CK_ULONG ber_NULLLen = sizeof(ber_NULL);
|
|
|
|
const CK_ULONG des_weak_count = 4;
|
|
const CK_ULONG des_semi_weak_count = 12;
|
|
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
|
|
index 340ab88d..41ca12df 100644
|
|
--- a/usr/lib/common/h_extern.h
|
|
+++ b/usr/lib/common/h_extern.h
|
|
@@ -56,16 +56,14 @@ extern const CK_BYTE ber_rsaEncryption[];
|
|
extern const CK_ULONG ber_rsaEncryptionLen;
|
|
extern const CK_BYTE der_AlgIdECBase[];
|
|
extern const CK_ULONG der_AlgIdECBaseLen;
|
|
-extern const CK_BYTE ber_AlgIdDilithium[];
|
|
-extern const CK_ULONG ber_AlgIdDilithiumLen;
|
|
extern const CK_BYTE ber_idDSA[];
|
|
extern const CK_ULONG ber_idDSALen;
|
|
extern const CK_BYTE ber_idDH[];
|
|
extern const CK_ULONG ber_idDHLen;
|
|
extern const CK_BYTE ber_idEC[];
|
|
extern const CK_ULONG ber_idECLen;
|
|
-extern const CK_BYTE ber_idDilithium[];
|
|
-extern const CK_ULONG ber_idDilithiumLen;
|
|
+extern const CK_BYTE ber_NULL[];
|
|
+extern const CK_ULONG ber_NULLLen;
|
|
|
|
#if !(NOMD2)
|
|
extern const CK_BYTE ber_md2WithRSAEncryption[];
|
|
@@ -2742,35 +2740,37 @@ CK_RV ber_decode_ECDHPrivateKey(CK_BYTE *data,
|
|
CK_ATTRIBUTE **pub_key,
|
|
CK_ATTRIBUTE **priv_key);
|
|
|
|
-CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only, CK_BYTE **data,
|
|
- CK_ULONG *data_len, CK_ATTRIBUTE *rho,
|
|
- CK_ATTRIBUTE *t1);
|
|
+CK_RV ber_encode_IBM_DilithiumPublicKey(CK_BBOOL length_only,
|
|
+ CK_BYTE **data, CK_ULONG *data_len,
|
|
+ const CK_BYTE *oid, CK_ULONG oid_len,
|
|
+ CK_ATTRIBUTE *rho, CK_ATTRIBUTE *t1);
|
|
|
|
CK_RV ber_decode_IBM_DilithiumPublicKey(CK_BYTE *data,
|
|
- CK_ULONG data_len,
|
|
- CK_ATTRIBUTE **rho_attr,
|
|
- CK_ATTRIBUTE **t1_attr);
|
|
+ CK_ULONG data_len,
|
|
+ CK_ATTRIBUTE **rho_attr,
|
|
+ CK_ATTRIBUTE **t1_attr);
|
|
|
|
CK_RV ber_encode_IBM_DilithiumPrivateKey(CK_BBOOL length_only,
|
|
- CK_BYTE **data,
|
|
- CK_ULONG *data_len,
|
|
- CK_ATTRIBUTE *rho,
|
|
- CK_ATTRIBUTE *seed,
|
|
- CK_ATTRIBUTE *tr,
|
|
- CK_ATTRIBUTE *s1,
|
|
- CK_ATTRIBUTE *s2,
|
|
- CK_ATTRIBUTE *t0,
|
|
- CK_ATTRIBUTE *t1);
|
|
+ CK_BYTE **data,
|
|
+ CK_ULONG *data_len,
|
|
+ const CK_BYTE *oid, CK_ULONG oid_len,
|
|
+ CK_ATTRIBUTE *rho,
|
|
+ CK_ATTRIBUTE *seed,
|
|
+ CK_ATTRIBUTE *tr,
|
|
+ CK_ATTRIBUTE *s1,
|
|
+ CK_ATTRIBUTE *s2,
|
|
+ CK_ATTRIBUTE *t0,
|
|
+ CK_ATTRIBUTE *t1);
|
|
|
|
CK_RV ber_decode_IBM_DilithiumPrivateKey(CK_BYTE *data,
|
|
- CK_ULONG data_len,
|
|
- CK_ATTRIBUTE **rho,
|
|
- CK_ATTRIBUTE **seed,
|
|
- CK_ATTRIBUTE **tr,
|
|
- CK_ATTRIBUTE **s1,
|
|
- CK_ATTRIBUTE **s2,
|
|
- CK_ATTRIBUTE **t0,
|
|
- CK_ATTRIBUTE **t1);
|
|
+ CK_ULONG data_len,
|
|
+ CK_ATTRIBUTE **rho,
|
|
+ CK_ATTRIBUTE **seed,
|
|
+ CK_ATTRIBUTE **tr,
|
|
+ CK_ATTRIBUTE **s1,
|
|
+ CK_ATTRIBUTE **s2,
|
|
+ CK_ATTRIBUTE **t0,
|
|
+ CK_ATTRIBUTE **t1);
|
|
|
|
typedef CK_RV (*t_rsa_encrypt)(STDLL_TokData_t *, CK_BYTE *in_data,
|
|
CK_ULONG in_data_len, CK_BYTE *out_data,
|
|
diff --git a/usr/lib/common/key.c b/usr/lib/common/key.c
|
|
index 6e9a839a..41857b97 100644
|
|
--- a/usr/lib/common/key.c
|
|
+++ b/usr/lib/common/key.c
|
|
@@ -81,6 +81,7 @@
|
|
#include "h_extern.h"
|
|
#include "attributes.h"
|
|
#include "trace.h"
|
|
+#include "pqc_defs.h"
|
|
|
|
#include "tok_spec_struct.h"
|
|
|
|
@@ -2688,7 +2689,10 @@ CK_RV ibm_dilithium_publ_get_spki(TEMPLATE *tmpl, CK_BBOOL length_only,
|
|
return rc;
|
|
}
|
|
|
|
- rc = ber_encode_IBM_DilithiumPublicKey(length_only, data,data_len, rho, t1);
|
|
+ rc = ber_encode_IBM_DilithiumPublicKey(length_only, data, data_len,
|
|
+ dilithium_r2_65,
|
|
+ dilithium_r2_65_len,
|
|
+ rho, t1);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("ber_encode_IBM_DilithiumPublicKey failed.\n");
|
|
return rc;
|
|
@@ -2766,7 +2770,9 @@ CK_RV ibm_dilithium_priv_wrap_get_data(TEMPLATE *tmpl,
|
|
}
|
|
|
|
rc = ber_encode_IBM_DilithiumPrivateKey(length_only, data, data_len,
|
|
- rho, seed, tr, s1, s2, t0, t1);
|
|
+ dilithium_r2_65,
|
|
+ dilithium_r2_65_len,
|
|
+ rho, seed, tr, s1, s2, t0, t1);
|
|
if (rc != CKR_OK) {
|
|
TRACE_DEVEL("ber_encode_IBM_DilithiumPrivateKey failed\n");
|
|
}
|
|
diff --git a/usr/lib/common/key_mgr.c b/usr/lib/common/key_mgr.c
|
|
index 99f2a72e..01103dc2 100644
|
|
--- a/usr/lib/common/key_mgr.c
|
|
+++ b/usr/lib/common/key_mgr.c
|
|
@@ -35,6 +35,7 @@
|
|
#include "attributes.h"
|
|
#include "tok_spec_struct.h"
|
|
#include "trace.h"
|
|
+#include "pqc_defs.h"
|
|
|
|
#include "../api/policy.h"
|
|
#include "../api/statistics.h"
|
|
@@ -1368,7 +1369,7 @@ CK_RV key_mgr_get_private_key_type(CK_BYTE *keydata,
|
|
{
|
|
CK_BYTE *alg = NULL;
|
|
CK_BYTE *priv_key = NULL;
|
|
- CK_ULONG alg_len;
|
|
+ CK_ULONG alg_len, i;
|
|
CK_RV rc;
|
|
|
|
rc = ber_decode_PrivateKeyInfo(keydata, keylen, &alg, &alg_len, &priv_key);
|
|
@@ -1408,10 +1409,14 @@ CK_RV key_mgr_get_private_key_type(CK_BYTE *keydata,
|
|
return CKR_OK;
|
|
}
|
|
}
|
|
- // Check only the OBJECT IDENTIFIER for DILITHIUM
|
|
+ // Check only the OBJECT IDENTIFIERs for DILITHIUM
|
|
//
|
|
- if (alg_len >= ber_idDilithiumLen) {
|
|
- if (memcmp(alg, ber_idDilithium, ber_idDilithiumLen) == 0) {
|
|
+ for (i = 0; dilithium_oids[i].oid != NULL; i++) {
|
|
+ if (alg_len == dilithium_oids[i].oid_len + ber_NULLLen &&
|
|
+ memcmp(alg, dilithium_oids[i].oid,
|
|
+ dilithium_oids[i].oid_len) == 0 &&
|
|
+ memcmp(alg + dilithium_oids[i].oid_len,
|
|
+ ber_NULL, ber_NULLLen) == 0) {
|
|
*keytype = CKK_IBM_PQC_DILITHIUM;
|
|
return CKR_OK;
|
|
}
|
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
|
index e3451163..45069ae8 100644
|
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
|
@@ -37,6 +37,7 @@
|
|
#include "trace.h"
|
|
#include "ock_syslog.h"
|
|
#include "ec_defs.h"
|
|
+#include "pqc_defs.h"
|
|
#include "p11util.h"
|
|
#include "events.h"
|
|
#include "cfgparser.h"
|
|
@@ -3645,7 +3646,10 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
}
|
|
|
|
/* Encode the public key */
|
|
- rc = ber_encode_IBM_DilithiumPublicKey(0, &data, &data_len, rho, t1);
|
|
+ rc = ber_encode_IBM_DilithiumPublicKey(FALSE, &data, &data_len,
|
|
+ dilithium_r2_65,
|
|
+ dilithium_r2_65_len,
|
|
+ rho, t1);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("%s public key import class=0x%lx rc=0x%lx "
|
|
"data_len=0x%lx\n", __func__, class, rc, data_len);
|
|
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
|
|
index 9a8aa76a..11061f76 100644
|
|
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
|
|
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
|
|
@@ -43,7 +43,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \
|
|
usr/lib/ep11_stdll/ep11_specific.c \
|
|
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
usr/lib/api/policyhelper.c usr/lib/config/configuration.c \
|
|
- usr/lib/config/cfgparse.y usr/lib/config/cfglex.l
|
|
+ usr/lib/config/cfgparse.y usr/lib/config/cfglex.l \
|
|
+ usr/lib/common/pqc_supported.c
|
|
|
|
if ENABLE_LOCKS
|
|
opencryptoki_stdll_libpkcs11_ep11_la_SOURCES += \
|
|
diff --git a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
|
index cb9d898f..f89cd343 100644
|
|
--- a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
|
+++ b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
|
@@ -38,7 +38,7 @@ opencryptoki_stdll_libpkcs11_ica_la_SOURCES = \
|
|
usr/lib/ica_s390_stdll/ica_specific.c usr/lib/common/dlist.c \
|
|
usr/lib/common/mech_openssl.c \
|
|
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
- usr/lib/api/policyhelper.c
|
|
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
|
|
|
|
if ENABLE_LOCKS
|
|
opencryptoki_stdll_libpkcs11_ica_la_SOURCES += \
|
|
diff --git a/usr/lib/icsf_stdll/icsf_stdll.mk b/usr/lib/icsf_stdll/icsf_stdll.mk
|
|
index ee83f674..ebf24290 100644
|
|
--- a/usr/lib/icsf_stdll/icsf_stdll.mk
|
|
+++ b/usr/lib/icsf_stdll/icsf_stdll.mk
|
|
@@ -43,7 +43,7 @@ opencryptoki_stdll_libpkcs11_icsf_la_SOURCES = usr/lib/common/asn1.c \
|
|
usr/lib/icsf_stdll/icsf_specific.c \
|
|
usr/lib/icsf_stdll/icsf.c usr/lib/common/utility_common.c \
|
|
usr/lib/common/ec_supported.c usr/lib/api/policyhelper.c \
|
|
- usr/lib/config/configuration.c \
|
|
+ usr/lib/config/configuration.c usr/lib/common/pqc_supported.c \
|
|
usr/lib/config/cfgparse.y usr/lib/config/cfglex.l \
|
|
usr/lib/common/mech_openssl.c
|
|
|
|
diff --git a/usr/lib/soft_stdll/soft_stdll.mk b/usr/lib/soft_stdll/soft_stdll.mk
|
|
index 6cdf82b8..7a842ddc 100644
|
|
--- a/usr/lib/soft_stdll/soft_stdll.mk
|
|
+++ b/usr/lib/soft_stdll/soft_stdll.mk
|
|
@@ -36,7 +36,7 @@ opencryptoki_stdll_libpkcs11_sw_la_SOURCES = \
|
|
usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c \
|
|
usr/lib/common/dlist.c usr/lib/common/mech_openssl.c \
|
|
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
- usr/lib/api/policyhelper.c
|
|
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
|
|
|
|
if ENABLE_LOCKS
|
|
opencryptoki_stdll_libpkcs11_sw_la_SOURCES += \
|
|
diff --git a/usr/lib/tpm_stdll/tpm_stdll.mk b/usr/lib/tpm_stdll/tpm_stdll.mk
|
|
index 54551c1f..7fa18121 100644
|
|
--- a/usr/lib/tpm_stdll/tpm_stdll.mk
|
|
+++ b/usr/lib/tpm_stdll/tpm_stdll.mk
|
|
@@ -38,7 +38,7 @@ opencryptoki_stdll_libpkcs11_tpm_la_SOURCES = \
|
|
usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c \
|
|
usr/lib/common/dlist.c usr/lib/common/mech_openssl.c \
|
|
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
- usr/lib/api/policyhelper.c
|
|
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
|
|
|
|
if ENABLE_LOCKS
|
|
opencryptoki_stdll_libpkcs11_tpm_la_SOURCES += \
|
|
diff --git a/usr/sbin/pkcscca/pkcscca.mk b/usr/sbin/pkcscca/pkcscca.mk
|
|
index 187a93f2..59300ef5 100644
|
|
--- a/usr/sbin/pkcscca/pkcscca.mk
|
|
+++ b/usr/sbin/pkcscca/pkcscca.mk
|
|
@@ -41,7 +41,7 @@ usr_sbin_pkcscca_pkcscca_SOURCES = usr/lib/common/asn1.c \
|
|
usr/lib/common/dlist.c usr/sbin/pkcscca/pkcscca.c \
|
|
usr/lib/common/utility_common.c usr/lib/common/ec_supported.c \
|
|
usr/lib/common/pin_prompt.c usr/lib/common/mech_openssl.c \
|
|
- usr/lib/api/policyhelper.c
|
|
+ usr/lib/api/policyhelper.c usr/lib/common/pqc_supported.c
|
|
|
|
nodist_usr_sbin_pkcscca_pkcscca_SOURCES = usr/lib/api/mechtable.c
|
|
|
|
--
|
|
2.16.2.windows.1
|
|
|