authorRuchika Gupta <ruchika.gupta@linaro.org>2020-12-18 13:19:10 +0530
committerJérôme Forissier <jerome@forissier.org>2020-12-23 09:51:29 +0100
commitdcad34094cfb2e608a274baa3f6fd6e7ac3ed44a (patch)
tree575ef51a928ab8ff1f1a55c7d0a8b41c4e3117d8
parent70c78a55b8a5a4ffe5310e322bbdadfd11d7e641 (diff)
ta: pkcs11: Add class and type hint in sanitize_client_object()
The specification allows templates to be passed when generating a key/keypair in which class and type may be omitted. In such cases, pass class and type as hints to sanitize_client_object() so that they can be added to the attribute list being prepared. Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
-rw-r--r--ta/pkcs11/src/pkcs11_attributes.c38
-rw-r--r--ta/pkcs11/src/sanitize_object.c28
-rw-r--r--ta/pkcs11/src/sanitize_object.h7
3 files changed, 46 insertions, 27 deletions
diff --git a/ta/pkcs11/src/pkcs11_attributes.c b/ta/pkcs11/src/pkcs11_attributes.c
index a9fde0cd..c42d30dd 100644
--- a/ta/pkcs11/src/pkcs11_attributes.c
+++ b/ta/pkcs11/src/pkcs11_attributes.c
@@ -707,13 +707,13 @@ create_attributes_from_template(struct obj_attrs **out, void *template,
}
#endif
- rc = sanitize_client_object(&temp, template, template_size);
- if (rc)
- goto out;
-
- /* If class/type not defined, match from mechanism */
- if (get_class(temp) == PKCS11_UNDEFINED_ID &&
- get_key_type(temp) == PKCS11_UNDEFINED_ID) {
+ /*
+ * For PKCS11_FUNCTION_GENERATE, find the class and type
+ * based on the mechanism. These will be passed as hint
+ * sanitize_client_object() and added in temp if not
+ * already present
+ */
+ if (function == PKCS11_FUNCTION_GENERATE) {
switch (mecha) {
case PKCS11_CKM_GENERIC_SECRET_KEY_GEN:
class = PKCS11_CKO_SECRET_KEY;
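Review bot: The new block comment above `if (function == PKCS11_FUNCTION_GENERATE)` is missing a word ("passed as hint sanitize_client_object()") and does not say what happens for other functions. I would word it as `These are passed as hints to sanitize_client_object() and added to temp only when the client template omits them`, and add that for any other `function` value `class` and `type` are forwarded with their initial values. Those declarations are outside the hunk, so it is worth confirming that both start as the undefined ID, because sanitize_class_and_type() only skips a hint that equals `PKCS11_CKO_UNDEFINED_ID` or `PKCS11_UNDEFINED_ID`.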
@@ -724,24 +724,18 @@ create_attributes_from_template(struct obj_attrs **out, void *template,
type = PKCS11_CKK_AES;
break;
default:
- EMSG("Unable to define class/type from mechanism");
- rc = PKCS11_CKR_TEMPLATE_INCOMPLETE;
- goto out;
- }
- if (class != PKCS11_UNDEFINED_ID) {
- rc = add_attribute(&temp, PKCS11_CKA_CLASS,
- &class, sizeof(uint32_t));
- if (rc)
- goto out;
- }
- if (type != PKCS11_UNDEFINED_ID) {
- rc = add_attribute(&temp, PKCS11_CKA_KEY_TYPE,
- &type, sizeof(uint32_t));
- if (rc)
- goto out;
+ TEE_Panic(TEE_ERROR_NOT_SUPPORTED);
}
}
+ rc = sanitize_client_object(&temp, template, template_size, class,
+ type);
+ if (rc)
+ goto out;
+
+ /*
+ * Check if class and type in temp are consistent with the mechanism
+ */
switch (mecha) {
case PKCS11_CKM_GENERIC_SECRET_KEY_GEN:
if (get_class(temp) != PKCS11_CKO_SECRET_KEY ||
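Review bot: The `default:` case of the first `switch (mecha)` now ends in `TEE_Panic(TEE_ERROR_NOT_SUPPORTED)` where the previous code returned `PKCS11_CKR_TEMPLATE_INCOMPLETE`, so an unexpected mechanism terminates the TA instance instead of producing an error code. Whether `mecha` is already restricted to the supported generation mechanisms before this point is not visible in the hunk. If it is, a comment such as `/* Mechanism was validated by the caller; reaching here is a TA bug */` would record that invariant. If it is not, returning an error keeps a client-supplied mechanism ID from being able to stop the TA, for example `rc = PKCS11_CKR_MECHANISM_INVALID; goto out;`. The body of create_attributes_from_template() starts and ends outside the hunk.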
diff --git a/ta/pkcs11/src/sanitize_object.c b/ta/pkcs11/src/sanitize_object.c
index 38b0d892..a7df610c 100644
--- a/ta/pkcs11/src/sanitize_object.c
+++ b/ta/pkcs11/src/sanitize_object.c
@@ -69,7 +69,9 @@ static enum pkcs11_rc read_attr_advance(void *buf, size_t blen, size_t *pos,
/* Sanitize class/type in a client attribute list */
static enum pkcs11_rc sanitize_class_and_type(struct obj_attrs **dst, void *src,
- size_t src_size)
+ size_t src_size,
+ uint32_t class_hint,
+ uint32_t type_hint)
{
uint32_t class_found = PKCS11_CKO_UNDEFINED_ID;
size_t pos = sizeof(struct pkcs11_object_head);
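Review bot: The one-line comment above sanitize_class_and_type() no longer covers the contract now that the function takes `class_hint` and `type_hint`. I would extend it to something like `/* Sanitize class/type in a client attribute list; a hint is added to dst only when the client list does not carry that attribute, and an undefined-ID hint adds nothing */`. This makes clear that a client-supplied class or type always takes precedence over the TA-derived hint, so the consistency check has to happen in the caller. The function body continues outside the hunk.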
@@ -131,6 +133,13 @@ static enum pkcs11_rc sanitize_class_and_type(struct obj_attrs **dst, void *src,
&class_found, sizeof(class_found));
if (rc)
return rc;
+ } else {
+ if (class_hint != PKCS11_CKO_UNDEFINED_ID) {
+ rc = add_attribute(dst, PKCS11_CKA_CLASS,
+ &class_hint, sizeof(class_hint));
+ if (rc)
+ return rc;
+ }
}
if (type_found != PKCS11_UNDEFINED_ID) {
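Review bot: The added `} else {` followed by a lone `if (class_hint != PKCS11_CKO_UNDEFINED_ID) {` nests one level deeper than needed. Writing it as `} else if (class_hint != PKCS11_CKO_UNDEFINED_ID) {` reads more directly and drops a pair of braces. The same applies to the `type_hint` branch added in the following hunk.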
@@ -138,6 +147,13 @@ static enum pkcs11_rc sanitize_class_and_type(struct obj_attrs **dst, void *src,
&type_found, sizeof(type_found));
if (rc)
return rc;
+ } else {
+ if (type_hint != PKCS11_UNDEFINED_ID) {
+ rc = add_attribute(dst, PKCS11_CKA_KEY_TYPE,
+ &type_hint, sizeof(type_hint));
+ if (rc)
+ return rc;
+ }
}
return PKCS11_CKR_OK;
@@ -241,7 +257,9 @@ static uint32_t sanitize_indirect_attr(struct obj_attrs **dst,
return rc;
/* Build a new serial object while sanitizing the attributes list */
- rc = sanitize_client_object(&obj2, data, cli_ref->size);
+ rc = sanitize_client_object(&obj2, data, cli_ref->size,
+ PKCS11_CKO_UNDEFINED_ID,
+ PKCS11_UNDEFINED_ID);
if (rc)
goto out;
@@ -253,7 +271,8 @@ out:
}
enum pkcs11_rc sanitize_client_object(struct obj_attrs **dst, void *src,
- size_t size)
+ size_t size, uint32_t class_hint,
+ uint32_t type_hint)
{
struct pkcs11_attribute_head cli_ref = { };
struct pkcs11_object_head head = { };
@@ -275,7 +294,8 @@ enum pkcs11_rc sanitize_client_object(struct obj_attrs **dst, void *src,
if (rc)
return rc;
- rc = sanitize_class_and_type(dst, src, sz_from_hdr);
+ rc = sanitize_class_and_type(dst, src, sz_from_hdr, class_hint,
+ type_hint);
if (rc)
return rc;
diff --git a/ta/pkcs11/src/sanitize_object.h b/ta/pkcs11/src/sanitize_object.h
index ddbdccef..6b170a20 100644
--- a/ta/pkcs11/src/sanitize_object.h
+++ b/ta/pkcs11/src/sanitize_object.h
@@ -22,6 +22,10 @@ bool sanitize_consistent_class_and_type(struct obj_attrs *attrs);
* @dst - output structure tracking the generated serial object
* @head - pointer to the formatted serialized object (its head)
* @size - byte size of the serialized binary blob
+ * @class_hint - Hint for class to be added to template if not presnet
+ * in serialized object.
+ * @type_hint - Hint for type to be added to template if not presnet
+ * in serialized object.
*
* This function copies an attribute list from a client API attribute head
* into a PKCS11 TA internal attribute structure. It generates a serialized
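Review bot: Both new parameter descriptions misspell "present" as "presnet". They also say the hint is added "to template", whereas the code adds it to the generated `dst` object. I would write `@class_hint - class to add to @dst if the serialized object carries no class, or PKCS11_CKO_UNDEFINED_ID for no hint` and the matching line for `@type_hint` with `PKCS11_UNDEFINED_ID`. Naming the "no hint" value in the header saves callers from reading sanitize_object.c to find it.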
@@ -33,7 +37,8 @@ bool sanitize_consistent_class_and_type(struct obj_attrs *attrs);
* into a serializer container.
*/
enum pkcs11_rc sanitize_client_object(struct obj_attrs **dst, void *head,
- size_t size);
+ size_t size, uint32_t class_hint,
+ uint32_t type_hint);
/* Debug: dump attribute content as debug traces */
void trace_attributes_from_api_head(const char *prefix, void *ref, size_t size);