author | Ruchika Gupta <ruchika.gupta@linaro.org> | 2020-12-18 13:19:10 +0530 |
---|---|---|
committer | Jérôme Forissier <jerome@forissier.org> | 2020-12-23 09:51:29 +0100 |
commit | dcad34094cfb2e608a274baa3f6fd6e7ac3ed44a (patch) | |
tree | 575ef51a928ab8ff1f1a55c7d0a8b41c4e3117d8 | |
parent | 70c78a55b8a5a4ffe5310e322bbdadfd11d7e641 (diff) |
ta: pkcs11: Add class and type hint in sanitize_client_object()
Specification allows one to pass templates while generating
key/keypair where class and type may be omitted from the template.
In such cases, pass class and type as hint in sanitize_client_object()
so that they can be added in the attribute list being prepared.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
-rw-r--r-- | ta/pkcs11/src/pkcs11_attributes.c | 38 | ||||
-rw-r--r-- | ta/pkcs11/src/sanitize_object.c | 28 | ||||
-rw-r--r-- | ta/pkcs11/src/sanitize_object.h | 7 |
3 files changed, 46 insertions, 27 deletions
diff --git a/ta/pkcs11/src/pkcs11_attributes.c b/ta/pkcs11/src/pkcs11_attributes.c
index a9fde0cd..c42d30dd 100644
--- a/ta/pkcs11/src/pkcs11_attributes.c
+++ b/ta/pkcs11/src/pkcs11_attributes.c
@@ -707,13 +707,13 @@ create_attributes_from_template(struct obj_attrs **out, void *template,
 }
 #endif
- rc = sanitize_client_object(&temp, template, template_size);
- if (rc)
- goto out;
-
- /* If class/type not defined, match from mechanism */
- if (get_class(temp) == PKCS11_UNDEFINED_ID &&
- get_key_type(temp) == PKCS11_UNDEFINED_ID) {
+ /*
+ * For PKCS11_FUNCTION_GENERATE, find the class and type
+ * based on the mechanism. These will be passed as hint
+ * sanitize_client_object() and added in temp if not
+ * already present
+ */
+ if (function == PKCS11_FUNCTION_GENERATE) {
 switch (mecha) {
 case PKCS11_CKM_GENERIC_SECRET_KEY_GEN:
 class = PKCS11_CKO_SECRET_KEY;
@@ -724,24 +724,18 @@ create_attributes_from_template(struct obj_attrs **out, void *template,
 type = PKCS11_CKK_AES;
 break;
 default:
- EMSG("Unable to define class/type from mechanism");
- rc = PKCS11_CKR_TEMPLATE_INCOMPLETE;
- goto out;
- }
- if (class != PKCS11_UNDEFINED_ID) {
- rc = add_attribute(&temp, PKCS11_CKA_CLASS,
- &class, sizeof(uint32_t));
- if (rc)
- goto out;
- }
- if (type != PKCS11_UNDEFINED_ID) {
- rc = add_attribute(&temp, PKCS11_CKA_KEY_TYPE,
- &type, sizeof(uint32_t));
- if (rc)
- goto out;
+ TEE_Panic(TEE_ERROR_NOT_SUPPORTED);
 }
 }
+ rc = sanitize_client_object(&temp, template, template_size, class,
+ type);
+ if (rc)
+ goto out;
+
+ /*
+ * Check if class and type in temp are consistent with the mechanism
+ */
 switch (mecha) {
 case PKCS11_CKM_GENERIC_SECRET_KEY_GEN:
 if (get_class(temp) != PKCS11_CKO_SECRET_KEY ||
diff --git a/ta/pkcs11/src/sanitize_object.c b/ta/pkcs11/src/sanitize_object.c
index 38b0d892..a7df610c 100644
--- a/ta/pkcs11/src/sanitize_object.c
+++ b/ta/pkcs11/src/sanitize_object.c
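Review bot: The `default:` branch in the second hunk of pkcs11_attributes.c now calls `TEE_Panic(TEE_ERROR_NOT_SUPPORTED)` where the old code returned `PKCS11_CKR_TEMPLATE_INCOMPLETE`, so a PKCS11_FUNCTION_GENERATE request that reaches this switch with a mechanism outside the handled cases terminates the TA instead of failing the one call. Whether `mecha` is already restricted by the callers is not visible in the hunk; if a client-chosen mechanism can get this far, the panic is reachable from the client side and takes the TA's other state with it. Either keep an error return, e.g. `rc = PKCS11_CKR_TEMPLATE_INCOMPLETE; goto out;`, or add a comment above the panic naming the caller-side check that makes the branch unreachable. The body of create_attributes_from_template() starts and ends outside both hunks.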
@@ -69,7 +69,9 @@ static enum pkcs11_rc read_attr_advance(void *buf, size_t blen, size_t *pos,
 /* Sanitize class/type in a client attribute list */
 static enum pkcs11_rc sanitize_class_and_type(struct obj_attrs **dst, void *src,
- size_t src_size)
+ size_t src_size,
+ uint32_t class_hint,
+ uint32_t type_hint)
 {
 uint32_t class_found = PKCS11_CKO_UNDEFINED_ID;
 size_t pos = sizeof(struct pkcs11_object_head);
@@ -131,6 +133,13 @@ static enum pkcs11_rc sanitize_class_and_type(struct obj_attrs **dst, void *src,
 &class_found, sizeof(class_found));
 if (rc)
 return rc;
+ } else {
+ if (class_hint != PKCS11_CKO_UNDEFINED_ID) {
+ rc = add_attribute(dst, PKCS11_CKA_CLASS,
+ &class_hint, sizeof(class_hint));
+ if (rc)
+ return rc;
+ }
 }
 if (type_found != PKCS11_UNDEFINED_ID) {
@@ -138,6 +147,13 @@ static enum pkcs11_rc sanitize_class_and_type(struct obj_attrs **dst, void *src,
 &type_found, sizeof(type_found));
 if (rc)
 return rc;
+ } else {
+ if (type_hint != PKCS11_UNDEFINED_ID) {
+ rc = add_attribute(dst, PKCS11_CKA_KEY_TYPE,
+ &type_hint, sizeof(type_hint));
+ if (rc)
+ return rc;
+ }
 }
 return PKCS11_CKR_OK;
@@ -241,7 +257,9 @@ static uint32_t sanitize_indirect_attr(struct obj_attrs **dst,
 return rc;
 /* Build a new serial object while sanitizing the attributes list */
- rc = sanitize_client_object(&obj2, data, cli_ref->size);
+ rc = sanitize_client_object(&obj2, data, cli_ref->size,
+ PKCS11_CKO_UNDEFINED_ID,
+ PKCS11_UNDEFINED_ID);
 if (rc)
 goto out;
@@ -253,7 +271,8 @@ out:
 }
 enum pkcs11_rc sanitize_client_object(struct obj_attrs **dst, void *src,
- size_t size)
+ size_t size, uint32_t class_hint,
+ uint32_t type_hint)
 {
 struct pkcs11_attribute_head cli_ref = { };
 struct pkcs11_object_head head = { };
@@ -275,7 +294,8 @@ enum pkcs11_rc sanitize_client_object(struct obj_attrs **dst, void *src,
 if (rc)
 return rc;
- rc = sanitize_class_and_type(dst, src, sz_from_hdr, class_hint,
+ type_hint);
 if (rc)
 return rc;
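Review bot: In the `@@ -131` and `@@ -138` hunks of sanitize_class_and_type() the hint is added only in the `else` of the `*_found` test, so a class/type taken from the client template is used as-is and never compared with the hint, yet the one-line comment above the function does not say this. That comment should state that the hints are values chosen by the TA, that `PKCS11_CKO_UNDEFINED_ID` / `PKCS11_UNDEFINED_ID` mean "no hint", and that the caller still has to check the resulting class and type against the mechanism, as the switch after the call in create_attributes_from_template() appears to do. The nested form can also be flattened to `} else if (class_hint != PKCS11_CKO_UNDEFINED_ID) {` and the same for `type_hint`. The `if` that tests `class_found` and the scan loop are outside the hunks.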
diff --git a/ta/pkcs11/src/sanitize_object.h b/ta/pkcs11/src/sanitize_object.h
index ddbdccef..6b170a20 100644
--- a/ta/pkcs11/src/sanitize_object.h
+++ b/ta/pkcs11/src/sanitize_object.h
@@ -22,6 +22,10 @@ bool sanitize_consistent_class_and_type(struct obj_attrs *attrs);
 * @dst - output structure tracking the generated serial object
 * @head - pointer to the formatted serialized object (its head)
 * @size - byte size of the serialized binary blob
+ * @class_hint - Hint for class to be added to template if not presnet
+ * in serialized object.
+ * @type_hint - Hint for type to be added to template if not presnet
+ * in serialized object.
 *
 * This function copies an attribute list from a client API attribute head
 * into a PKCS11 TA internal attribute structure. It generates a serialized
@@ -33,7 +37,8 @@ bool sanitize_consistent_class_and_type(struct obj_attrs *attrs);
 * into a serializer container.
 */
 enum pkcs11_rc sanitize_client_object(struct obj_attrs **dst, void *head,
- size_t size);
+ size_t size, uint32_t class_hint,
+ uint32_t type_hint);
 /* Debug: dump attribute content as debug traces */
 void trace_attributes_from_api_head(const char *prefix, void *ref, size_t size); |
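Review bot: The added `@class_hint` / `@type_hint` lines do not say which value means "no hint", although sanitize_indirect_attr() in sanitize_object.c depends on passing `PKCS11_CKO_UNDEFINED_ID` and `PKCS11_UNDEFINED_ID` for exactly that. I would word them as `@class_hint - class added to the output if the serialized object has none, PKCS11_CKO_UNDEFINED_ID for no hint` and likewise `@type_hint` with `PKCS11_UNDEFINED_ID`, which also removes the "presnet" typo. It is worth adding that the hints must come from the TA and not from client data, since they are inserted without further checks in this function. The comment block starts above the hunk.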