diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt index 749ee727a..340161d54 100644 --- a/lib/CMakeLists.txt +++ b/lib/CMakeLists.txt @@ -84,15 +84,13 @@ file(GLOB HOST_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "host/*.c") file(GLOB HOST_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "host/*.h") file(GLOB JWT_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "jwt/*.c") file(GLOB JWT_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "jwt/*.h") -file(GLOB PKCS11_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.c") -file(GLOB PKCS11_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.h") file(GLOB TNG_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/tng/*.c") file(GLOB TNG_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/tng/*.h") file(GLOB SHA206_API_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/api_206a/*.c") file(GLOB SHA206_API_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/api_206a/*.h") -if(ATCA_PKCS11 AND (ATCA_TNGTLS_SUPPORT OR ATCA_TNGLORA_SUPPORT OR ATCA_TFLEX_SUPPORT)) -SET(TNG_SRC ${TNG_SRC} ../app/pkcs11/trust_pkcs11_config.c) +if(ATCA_PKCS11) +include(cmake/pkcs11.cmake) endif() if(${CMAKE_VERSION} VERSION_GREATER "3.8.0") @@ -102,7 +100,6 @@ source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${TALIB_SRC}) source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${CRYPTO_SRC}) source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${HOST_SRC}) source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${JWT_SRC}) -source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${PKCS11_SRC}) source_group("App/Tng" FILES ${TNG_SRC}) endif() @@ -216,6 +213,7 @@ set(CRYPTOAUTH_SRC ${LIB_SRC} ${CRYPTO_SRC} ${JWT_SRC} ${TNG_SRC} + ${PKCS11_SRC} ${MBEDTLS_SRC} ${WOLFSSL_SRC} ${OPENSSL_SRC} 
@@ -317,14 +315,6 @@ if(ATCA_MBEDTLS) set(CRYPTOAUTH_SRC ${CRYPTOAUTH_SRC} ${MBEDTLS_SRC}) endif() -if(ATCA_PKCS11) -set(CRYPTOAUTH_SRC ${CRYPTOAUTH_SRC} ${PKCS11_SRC}) -set(ATCA_LIBRARY_CONF ${DEFAULT_CONF_PATH}/${DEFAULT_CONF_FILE_NAME} CACHE STRING "" FORCE) -if(PKCS11_DEBUG_ENABLE) -add_definitions(-DPKCS11_DEBUG_ENABLE) -endif(PKCS11_DEBUG_ENABLE) -endif() - if(ATCA_BUILD_SHARED_LIBS) add_definitions(-DATCA_BUILD_SHARED_LIBS) set(CRYPTOAUTH_SRC ${CRYPTOAUTH_SRC} atca_utils_sizes.c) @@ -346,14 +336,11 @@ if(BUILD_TESTS) set(ATCA_TESTS_ENABLED ON CACHE INTERNAL "") endif(BUILD_TESTS) +set(ATCA_LIBRARY_CONF ${DEFAULT_CONF_PATH}/${DEFAULT_CONF_FILE_NAME} CACHE STRING "" FORCE) + configure_file(atca_config.h.in atca_config.h @ONLY) set(LIB_INC ${LIB_INC} ${CMAKE_CURRENT_BINARY_DIR}/atca_config.h) -if(ATCA_PKCS11) -configure_file(pkcs11/pkcs11_config.h.in pkcs11_config.h @ONLY) -set(PKCS11_INC ${PKCS11_INC} ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_config.h) -endif() - include_directories(cryptoauth PUBLIC ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR} ../app/tng ../third_party ../third_party/hidapi/hidapi ${USB_INCLUDE_DIR}) if(ATCA_MBEDTLS) @@ -415,7 +402,9 @@ install(FILES ${CRYPTO_INC} DESTINATION ${DEFAULT_INC_PATH}/crypto COMPONENT Dev install(FILES ${CRYPTO_HASHES_INC} DESTINATION ${DEFAULT_INC_PATH}/crypto/hashes COMPONENT Development) install(FILES ${HOST_INC} DESTINATION ${DEFAULT_INC_PATH}/host COMPONENT Development) install(FILES ${JWT_INC} DESTINATION ${DEFAULT_INC_PATH}/jwt COMPONENT Development) +if (ATCA_PKCS11) install(FILES ${PKCS11_INC} DESTINATION ${DEFAULT_INC_PATH}/pkcs11 COMPONENT Development) +endif() install(FILES ${TNG_INC} DESTINATION ${DEFAULT_INC_PATH}/app/tng COMPONENT Development) install(FILES ${SHA206_API_INC} DESTINATION ${DEFAULT_INC_PATH}/app/api_206a COMPONENT Development) -endif(DEFAULT_INC_PATH) \ No newline at end of file +endif(DEFAULT_INC_PATH) 
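Review bot: The `set(ATCA_LIBRARY_CONF ... CACHE STRING "" FORCE)` line added above `configure_file(atca_config.h.in ...)` in the `@@ -346` hunk now runs for every configuration, whereas the removed code forced it only inside `if(ATCA_PKCS11)`. With `FORCE`, a value passed as `-DATCA_LIBRARY_CONF=...` is overwritten on each configure, and builds without PKCS11 now carry the path too (presumably via `atca_config.h`, which is not shown). If the path matters only to the PKCS11 module, move the line into `cmake/pkcs11.cmake`. Otherwise drop `FORCE` and replace the empty help string, e.g. `set(ATCA_LIBRARY_CONF "${DEFAULT_CONF_PATH}/${DEFAULT_CONF_FILE_NAME}" CACHE STRING "Location of the library configuration file")`.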
diff --git a/lib/cmake/pkcs11.cmake b/lib/cmake/pkcs11.cmake
new file mode 100644
index 000000000..d317bbb63
--- /dev/null
+++ b/lib/cmake/pkcs11.cmake
@@ -0,0 +1,32 @@
+# Helper CMake file for PKCS11 extension to the library
+
+# PKCS11 Configuration Options - See pkcs11_config.h.in
+set(PKCS11_DEBUG_ENABLE OFF CACHE BOOL "Enable PKCS#11 Debugging Messages")
+set(PKCS11_USE_STATIC_MEMORY ${ATCA_NO_HEAP} CACHE BOOL "Use Static Memory Allocation")
+set(PKCS11_USE_STATIC_CONFIG OFF CACHE BOOL "Use a compiled configuration rather than loading from a filestore")
+set(PKCS11_MAX_SLOTS_ALLOWED 1 CACHE STRING "Maximum number of slots allowed in the system")
+set(PKCS11_MAX_SESSIONS_ALLOWED 10 CACHE STRING "Maximum number of total sessions allowed in the system")
+set(PKCS11_MAX_OBJECTS_ALLOWED 16 CACHE STRING "Maximum number of cryptographic objects allowed to be cached")
+set(PKCS11_MAX_LABEL_SIZE 30 CACHE STRING "Maximum label size in characters")
+set(PKCS11_LOCK_PIN_SLOT OFF CACHE BOOL "Define to lock the PIN slot after writing")
+set(PKCS11_PIN_KDF_ALWAYS OFF CACHE BOOL "Define to always convert PIN using KDF")
+set(PKCS11_PIN_PBKDF2_EN OFF CACHE BOOL "Define to use PBKDF2 for PIN KDF")
+set(PKCS11_PIN_PBKDF2_ITERATIONS 2 CACHE STRING "Define how many iterations PBKDF2 will use for PIN KDF")
+set(PKCS11_SEARCH_CACHE_SIZE 250 CACHE STRING "Static Search Attribute Cache in bytes")
+set(PKCS11_TOKEN_INIT_SUPPORT OFF CACHE BOOL "Support for configuring a blank or new device")
+set(PKCS11_MONOTONIC_ENABLE OFF CACHE BOOL "Include the monotonic hardware feature as an object")
+set(PKCS11_AUTO_ID_ENABLE ON CACHE BOOL "Generate CKA_ID values based on standards")
+
+file(GLOB PKCS11_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.c")
+file(GLOB PKCS11_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.h")
+
+configure_file(pkcs11/pkcs11_config.h.in ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_config.h @ONLY)
+set(PKCS11_INC ${PKCS11_INC} ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_config.h)
+
+if(ATCA_TNGTLS_SUPPORT OR ATCA_TNGLORA_SUPPORT OR ATCA_TFLEX_SUPPORT)
+SET(TNG_SRC ${TNG_SRC} ../app/pkcs11/trust_pkcs11_config.c)
+endif()
+
+if(${CMAKE_VERSION} VERSION_GREATER "3.8.0") +source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${PKCS11_SRC}) +endif() diff --git a/lib/pkcs11/pkcs11_cert.c b/lib/pkcs11/pkcs11_cert.c index 659a4c001..a590ed0d2 100644 --- a/lib/pkcs11/pkcs11_cert.c +++ b/lib/pkcs11/pkcs11_cert.c @@ -335,6 +335,10 @@ CK_RV pkcs11_cert_get_subject_key_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttr else { pAttribute->ulValueLen = 20; + if (pAttribute->pValue == NULL) + { + return CKR_OK; + } } } else @@ -372,6 +376,35 @@ CK_RV pkcs11_cert_get_trusted_flag(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttrib return CKR_ARGUMENTS_BAD; } +static CK_RV pkcs11_cert_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute) +{ +#if PKCS11_AUTO_ID_ENABLE + return pkcs11_cert_get_subject_key_id(pObject, pAttribute); +#elif ATCA_CA_SUPPORT + pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; + CK_RV rv = CKR_ARGUMENTS_BAD; + + if (obj_ptr) + { + pkcs11_cert_check_trust_data(obj_ptr); + + if (obj_ptr->data) + { + atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data; + uint16_t key_id = ATCA_UINT16_HOST_TO_BE(cert_cfg->public_key_dev_loc.slot); + rv = pkcs11_attrib_fill(pAttribute, &key_id, sizeof(uint16_t)); + } + else + { + return pkcs11_attrib_empty(pObject, pAttribute); + } + } + return rv; +#else + return pkcs11_attrib_empty(pObject, pAttribute); +#endif +} + /** * CKO_CERTIFICATE (Type: CKC_X_509) - X509 Public Key Certificate Model */ @@ -411,7 +444,7 @@ const pkcs11_attrib_model pkcs11_cert_x509public_attributes[] = { /** DER-encoded Certificate subject name */ { CKA_SUBJECT, pkcs11_cert_get_subject }, /** Key identifier for public/private key pair (default empty) */ - { CKA_ID, pkcs11_attrib_empty }, + { CKA_ID, pkcs11_cert_get_id }, /** DER-encoded Certificate issuer name (default empty)*/ { CKA_ISSUER, pkcs11_attrib_empty }, /** DER-encoding of the certificate serial number (default empty) */ 
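Review bot: The six numeric options (`PKCS11_MAX_SLOTS_ALLOWED` through `PKCS11_SEARCH_CACHE_SIZE`) are `CACHE STRING` entries that `configure_file(... @ONLY)` pastes into `pkcs11_config.h` unchecked. An empty or non-numeric value therefore yields a header whose slot, session, object and label limits are whatever was typed. Checking before `configure_file` that each one is a positive integer turns that into a configure-time error. Separately, `PKCS11_PIN_PBKDF2_ITERATIONS` keeps the old default of 2 now that it is a visible option, which gives PBKDF2 next to no work factor for a PIN. Either raise it or have the help string state why it is this low (possibly the per-iteration cost on the device, which is not visible here).

```cmake
# … unchanged: PKCS11_* cache options and the file(GLOB ...) calls …

# Fail at configure time if a numeric option would not expand to an
# integer literal in the generated pkcs11_config.h.
foreach(pkcs11_numeric_opt
    PKCS11_MAX_SLOTS_ALLOWED
    PKCS11_MAX_SESSIONS_ALLOWED
    PKCS11_MAX_OBJECTS_ALLOWED
    PKCS11_MAX_LABEL_SIZE
    PKCS11_PIN_PBKDF2_ITERATIONS
    PKCS11_SEARCH_CACHE_SIZE)
  if(NOT "${${pkcs11_numeric_opt}}" MATCHES "^[1-9][0-9]*$")
    message(FATAL_ERROR
      "${pkcs11_numeric_opt} must be a positive integer, got '${${pkcs11_numeric_opt}}'")
  endif()
endforeach()

configure_file(pkcs11/pkcs11_config.h.in ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_config.h @ONLY)
```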
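Review bot: `pkcs11_cert_get_id` lacks a comment stating the invariant it exists for: applications usually pair a certificate with its key by comparing `CKA_ID`, so each branch must return the same bytes that `pkcs11_key_get_id` in pkcs11_key.c returns for the matching key. In the `PKCS11_AUTO_ID_ENABLE` branch that holds only if `pkcs11_cert_get_subject_key_id` (body outside this hunk) yields the SHA-1 of `0x04 || X || Y`, which is what the key side hashes. A certificate whose subject key identifier was derived differently would silently fail to pair. I would add a doc block above the function saying this, and note on the `#elif ATCA_CA_SUPPORT` branch that the ID is the big-endian slot number from `public_key_dev_loc.slot`. As a style point, that branch mixes an early `return pkcs11_attrib_empty(...)` with the `rv` accumulator; `rv = pkcs11_attrib_empty(pObject, pAttribute);` keeps a single exit.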
diff --git a/lib/pkcs11/pkcs11_config.h.in b/lib/pkcs11/pkcs11_config.h.in index dbe85a3b4..71768c947 100644 --- a/lib/pkcs11/pkcs11_config.h.in +++ b/lib/pkcs11/pkcs11_config.h.in @@ -35,44 +35,44 @@ /** Define to lock the PIN slot after writing */ #ifndef PKCS11_LOCK_PIN_SLOT -#define PKCS11_LOCK_PIN_SLOT 0 +#cmakedefine01 PKCS11_LOCK_PIN_SLOT #endif /** Enable PKCS#11 Debugging Messages */ #ifndef PKCS11_DEBUG_ENABLE -#define PKCS11_DEBUG_ENABLE 0 +#cmakedefine01 PKCS11_DEBUG_ENABLE #endif /** Use Static or Dynamic Allocation */ #ifndef PKCS11_USE_STATIC_MEMORY -#define PKCS11_USE_STATIC_MEMORY 1 +#cmakedefine01 PKCS11_USE_STATIC_MEMORY #endif /** Use a compiled configuration rather than loading from a filestore */ #ifndef PKCS11_USE_STATIC_CONFIG -#define PKCS11_USE_STATIC_CONFIG 0 +#cmakedefine01 PKCS11_USE_STATIC_CONFIG #endif /** Maximum number of slots allowed in the system - if static memory this will always be the number of slots */ #ifndef PKCS11_MAX_SLOTS_ALLOWED -#define PKCS11_MAX_SLOTS_ALLOWED 1 +#define PKCS11_MAX_SLOTS_ALLOWED @PKCS11_MAX_SLOTS_ALLOWED@ #endif /** Maximum number of total sessions allowed in the system - if using static memory then this many session contexts will be allocated */ #ifndef PKCS11_MAX_SESSIONS_ALLOWED -#define PKCS11_MAX_SESSIONS_ALLOWED 10 +#define PKCS11_MAX_SESSIONS_ALLOWED @PKCS11_MAX_SESSIONS_ALLOWED@ #endif /** Maximum number of cryptographic objects allowed to be cached */ #ifndef PKCS11_MAX_OBJECTS_ALLOWED -#define PKCS11_MAX_OBJECTS_ALLOWED 16 +#define PKCS11_MAX_OBJECTS_ALLOWED @PKCS11_MAX_OBJECTS_ALLOWED@ #endif /** Maximum label size in characters */ #ifndef PKCS11_MAX_LABEL_SIZE -#define PKCS11_MAX_LABEL_SIZE 30 +#define PKCS11_MAX_LABEL_SIZE @PKCS11_MAX_LABEL_SIZE@ #endif /** Define to always convert PIN using KDF */ 
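Review bot: Two defaults change silently with the switch to `#cmakedefine01`. In this hunk `PKCS11_USE_STATIC_MEMORY` was a fixed 1 and now follows `ATCA_NO_HEAP` (set in pkcs11.cmake), and in the later `@@ -96` hunk `PKCS11_TOKEN_INIT_SUPPORT` goes from 1 to the CMake default `OFF`. A build that relied on the header defaults switches to dynamic allocation when `ATCA_NO_HEAP` is off or unset, and loses token initialisation, with no configure-time message. If that is intended, say so in the commit description and in the two doc comments, e.g. `/** Use Static or Dynamic Allocation (CMake default follows ATCA_NO_HEAP) */`. If not, set the cache defaults in pkcs11.cmake to the previous values.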
@@ -83,8 +83,8 @@ /** Define how many iterations PBKDF2 will use for PIN KDF */ #if defined(PKCS11_PIN_PBKDF2_EN) && !defined(PKCS11_PIN_PBKDF2_ITERATIONS) -#define PKCS11_PIN_PBKDF2_ITERATIONS 2 -#endif +#define PKCS11_PIN_PBKDF2_ITERATIONS @PKCS11_PIN_PBKDF2_ITERATIONS@ +#endif /****************************************************************************/ /* The following configuration options are for fine tuning of the library */ @@ -96,25 +96,29 @@ intends to use. Otherwise compilers will not be able to optimize out the unusued functions */ #ifndef PKCS11_EXTERNAL_FUNCTION_LIST -#define PKCS11_EXTERNAL_FUNCTION_LIST 0 +#cmakedefine01 PKCS11_EXTERNAL_FUNCTION_LIST #endif /** Static Search Attribute Cache in bytes (variable number of attributes based on size and memory requirements) */ #ifndef PKCS11_SEARCH_CACHE_SIZE -#define PKCS11_SEARCH_CACHE_SIZE 250 +#define PKCS11_SEARCH_CACHE_SIZE @PKCS11_SEARCH_CACHE_SIZE@ #endif /** Support for configuring a "blank" or new device */ #ifndef PKCS11_TOKEN_INIT_SUPPORT -#define PKCS11_TOKEN_INIT_SUPPORT 1 +#cmakedefine01 PKCS11_TOKEN_INIT_SUPPORT #endif /** Include the monotonic hardware feature as an object */ #ifndef PKCS11_MONOTONIC_ENABLE -#define PKCS11_MONOTONIC_ENABLE 0 +#cmakedefine01 PKCS11_MONOTONIC_ENABLE #endif +/** Automatically generate CKA_ID values based on standards */ +#ifndef PKCS11_AUTO_ID_ENABLE +#cmakedefine01 PKCS11_AUTO_ID_ENABLE +#endif #include "pkcs11/cryptoki.h" #include diff --git a/lib/pkcs11/pkcs11_key.c b/lib/pkcs11/pkcs11_key.c index 065947865..8c1a48c4e 100644 --- a/lib/pkcs11/pkcs11_key.c +++ b/lib/pkcs11/pkcs11_key.c 
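Review bot: The definitions of `PKCS11_PIN_KDF_ALWAYS` and `PKCS11_PIN_PBKDF2_EN` sit between the previous hunk and this one and are not touched, yet pkcs11.cmake adds cache options with exactly those names. Unless those untouched lines already substitute the CMake value (they are outside the diff), setting `PKCS11_PIN_PBKDF2_EN` to ON in CMake leaves the generated header unchanged, and a build configured to stretch the PIN with PBKDF2 would not do so. They need the same `#cmakedefine01` treatment as the other booleans. The `#if defined(PKCS11_PIN_PBKDF2_EN)` test in this hunk should then become `#if PKCS11_PIN_PBKDF2_EN`, because a macro defined as 0 still satisfies `defined()`. The reverse gap exists for `PKCS11_EXTERNAL_FUNCTION_LIST`, which is now `#cmakedefine01` but has no cache entry in pkcs11.cmake.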
@@ -373,6 +373,61 @@ static CK_RV pkcs11_key_auth_required(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAtt return rv; } +static CK_RV pkcs11_key_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute) +{ + pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; + CK_RV rv = CKR_ARGUMENTS_BAD; + + if (obj_ptr) + { +#if PKCS11_AUTO_ID_ENABLE + if (pAttribute->pValue) + { + CK_BBOOL is_private; + + if (CKR_OK == (rv = pkcs11_object_is_private(obj_ptr, &is_private))) + { + ATCA_STATUS status; + uint8_t buffer[1 + ATCA_ECCP256_PUBKEY_SIZE] = {0x04}; + + if (is_private) + { + status = atcab_get_pubkey(obj_ptr->slot, &buffer[1]); + PKCS11_DEBUG("atcab_get_pubkey: %x\r\n", status); + } + else + { + status = atcab_read_pubkey(obj_ptr->slot, &buffer[1]); + PKCS11_DEBUG("atcab_read_pubkey: %x\r\n", status); + } + + if (ATCA_SUCCESS == status) + { + status = atcac_sw_sha1(buffer, sizeof(buffer), buffer); + } + + if (ATCA_SUCCESS == status) + { + rv = pkcs11_attrib_fill(pAttribute, buffer, ATCA_SHA1_DIGEST_SIZE); + } + else + { + rv = pkcs11_util_convert_rv(status); + } + } + } + else + { + rv = pkcs11_attrib_fill(pAttribute, NULL, ATCA_SHA1_DIGEST_SIZE); + } +#else + uint16_t key_id = ATCA_UINT16_HOST_TO_BE(obj_ptr->slot); + rv = pkcs11_attrib_fill(pAttribute, &key_id, sizeof(uint16_t)); +#endif + } + return rv; +} + /** * CKO_PUBLIC_KEY - Public Key Object Model */ @@ -394,7 +449,7 @@ const pkcs11_attrib_model pkcs11_key_public_attributes[] = { /** Type of key */ { CKA_KEY_TYPE, pkcs11_object_get_type }, /** Key identifier for key (default empty) */ - { CKA_ID, pkcs11_attrib_empty }, + { CKA_ID, pkcs11_key_get_id }, /** Start date for the key (default empty) */ { CKA_START_DATE, pkcs11_attrib_empty }, /** End date for the key (default empty) */ 
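Review bot: `atcac_sw_sha1(buffer, sizeof(buffer), buffer)` hashes the `1 + ATCA_ECCP256_PUBKEY_SIZE` byte point in place, so the result is correct only if the SHA-1 routine consumes all input before writing the digest. Hashing into a separate `uint8_t digest[ATCA_SHA1_DIGEST_SIZE]` removes that dependency: `status = atcac_sw_sha1(buffer, sizeof(buffer), digest);` then `rv = pkcs11_attrib_fill(pAttribute, digest, sizeof(digest));`. `pAttribute` is also dereferenced (`pAttribute->pValue`) while only `obj_ptr` is NULL-checked, so the guard should read `if (obj_ptr && pAttribute)` unless every caller guarantees a non-NULL attribute. A short comment would also help, stating that SHA-1 serves here only as a key identifier over `0x04 || X || Y`, not as an integrity or signature primitive. It could add that each buffered `CKA_ID` read on a private key issues `atcab_get_pubkey` to the device.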
@@ -484,7 +539,7 @@ const pkcs11_attrib_model pkcs11_key_private_attributes[] = { /** Type of key */ { CKA_KEY_TYPE, pkcs11_object_get_type }, /** Key identifier for key (default empty) */ - { CKA_ID, pkcs11_attrib_empty }, + { CKA_ID, pkcs11_key_get_id }, /** Start date for the key (default empty) */ { CKA_START_DATE, pkcs11_attrib_empty }, /** End date for the key (default empty) */