Skip to content

Commit

Permalink
fix: Add ID attribute - needed for Java
Browse files Browse the repository at this point in the history 
Greengrass V2 uses Java PKCS11 layer, which expects ID attribute to be implemented.
This change adds an ID field to the pkcs11 configuration file
  • Loading branch information
@JamieHunter
JamieHunter committed Apr 13, 2022
1 parent 6457c1c commit 93bfbc2
Show file tree
Hide file tree
Showing 10 changed files with 97 additions and 21 deletions.
14 changes: 7 additions & 7 deletions app/pkcs11/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -122,17 +122,17 @@ By default the following files will be created.
interface = i2c,0xB0
freeslots = 1,2,3
# Slot 0 is the primary private key
object = private,device,0
# Slot 0 is the primary private key, with ID 123 (optional)
object = private,device,0,123
# Slot 10 is the certificate data for the device's public key
#object = certificate,device,10
# Slot 10 is the certificate data for the device's public key, with ID 123
#object = certificate,device,10,123
# Slot 12 is the intermedate/signer certificate data
#object = certificate,signer,12
#object = certificate,signer,12,456
# Slot 15 is a public key
object = public,root,15
# Slot 15 is a public key with ID 00ABC
object = public,root,15,00ABC
```

### cryptoauthlib.conf
Expand Down
8 changes: 4 additions & 4 deletions app/pkcs11/slot.conf.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,8 @@ device = ATECC608A-TFLXTLS

# Manually configure keys into device locations (slots/handles)

# Slot 0 is the primary private key
#object = private,device,0
# Slot 0 is the primary private key, ID 00ABC (this ID is used by some applications to match keys and certs)
#object = private,device,0,00ABC

# Slot 15 is a public key
#object = public,root,15
# Slot 15 is a public key, not related to the private key
#object = public,root,15,00123
4 changes: 4 additions & 0 deletions harmony/config/pkcs11.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,10 @@ def instantiateComponent(calPkcs11Component):
calPkcs11MaxLabelSize.setLabel('Maximum length of PKCS11 labels')
calPkcs11MaxLabelSize.setDefaultValue(30)

calPkcs11MaxLabelSize = calPkcs11Component.createIntegerSymbol('CAL_PKCS11_ID_SIZE', None)
calPkcs11MaxLabelSize.setLabel('Size (bytes) of PKCS11 IDs')
calPkcs11MaxLabelSize.setDefaultValue(2)

# Configuration header file
pkcs11ConfigFile = calPkcs11Component.createFileSymbol("CAL_LIB_PKCS11_CONFIG_DATA", None)
pkcs11ConfigFile.setSourcePath("harmony/templates/pkcs11_config.h.ftl")
Expand Down
5 changes: 5 additions & 0 deletions harmony/templates/pkcs11_config.h.ftl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,11 @@
#define PKCS11_MAX_LABEL_SIZE ${CAL_PKCS11_MAX_LABEL_LENGTH}
#endif

/** Object ID size in bytes, 0 to disable */
#ifndef PKCS11_ID_SIZE
#define PKCS11_ID_SIZE ${CAL_PKCS11_ID_SIZE}
#endif

/****************************************************************************/
/* The following configuration options are for fine tuning of the library */
/****************************************************************************/
Expand Down
2 changes: 1 addition & 1 deletion lib/pkcs11/pkcs11_cert.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -411,7 +411,7 @@ const pkcs11_attrib_model pkcs11_cert_x509public_attributes[] = {
/** DER-encoded Certificate subject name */
{ CKA_SUBJECT, pkcs11_cert_get_subject },
/** Key identifier for public/private key pair (default empty) */
{ CKA_ID, pkcs11_attrib_empty },
{ CKA_ID, pkcs11_object_get_id },
/** DER-encoded Certificate issuer name (default empty)*/
{ CKA_ISSUER, pkcs11_attrib_empty },
/** DER-encoding of the certificate serial number (default empty) */
Expand Down
55 changes: 49 additions & 6 deletions lib/pkcs11/pkcs11_config.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -420,16 +420,52 @@ static CK_RV pkcs11_config_parse_freeslots(pkcs11_slot_ctx_ptr slot_ctx, char* c
return CKR_OK;
}

static void pkcs11_config_parse_id(pkcs11_object_ptr pObject, char * argv[], int arg_c, int arg_id)
{
#if PKCS11_ID_SIZE > 0
// ID is hex number, of any length
// it is used to fill an id byte array of fixed length
char * id = "";
size_t id_end = 0;
size_t id_start = 0;
int i;

if (arg_c > arg_id)
{
id = argv[arg_id];
id_end = strlen(id);
}
for (int i = PKCS11_ID_SIZE-1; i >= 0; i--)
{
if (id_end <= 2) {
id_start = 0;
} else {
id_start = id_end - 2;
}
if (id_start == id_end)
{
pObject->id[i] = 0;
}
else
{
pObject->id[i] = (uint8_t)strtoul(id + id_start, NULL, 16);
id_end = id_start;
id[id_end] = '\0';
}
}
#endif
}

static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgstr)
{
char * argv[5];
int argc = (int)sizeof(argv);
char * argv[6];
int argc = 6;
CK_RV rv = CKR_GENERAL_ERROR;
pkcs11_object_ptr pObject;

pkcs11_config_split_string(cfgstr, ',', &argc, argv);

if (!strcmp(argv[0], "private") && argc == 3)
if (!strcmp(argv[0], "private") && argc >= 3 && argc <=4)
{
pkcs11_object_ptr pPubkey = NULL;
uint16_t slot = (uint16_t)strtol(argv[2], NULL, 16);
Expand All @@ -438,6 +474,7 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs
if (!rv && pObject)
{
pkcs11_config_init_private(pObject, argv[1], strlen(argv[1]));
pkcs11_config_parse_id(pObject, argv, argc, 3);
pObject->slot = slot;
pObject->flags = 0;
#if ATCA_CA_SUPPORT
Expand All @@ -453,6 +490,9 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs
if (!rv)
{
pkcs11_config_init_public(pPubkey, argv[1], strlen(argv[1]));
#if PKCS11_ID_SIZE > 0
memcpy(pPubkey->id, pObject->id, PKCS11_ID_SIZE);
#endif
pPubkey->slot = slot;
pPubkey->flags = 0;
#if ATCA_CA_SUPPORT
Expand All @@ -464,12 +504,13 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs
pkcs11_object_free(pObject);
}
}
else if (!strcmp(argv[0], "public") && argc == 3)
else if (!strcmp(argv[0], "public") && argc >= 3 && argc <=4)
{
rv = pkcs11_object_alloc(&pObject);
if (!rv && pObject)
{
pkcs11_config_init_public(pObject, argv[1], strlen(argv[1]));
pkcs11_config_parse_id(pObject, argv, argc, 3);
pObject->slot = (uint16_t)strtol(argv[2], NULL, 16);
pObject->flags = 0;
#if ATCA_CA_SUPPORT
Expand All @@ -483,25 +524,27 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs
if (!rv && pObject)
{
uint8_t keylen = 32;
if (4 == argc)
if (4 <= argc && argv[3][0])
{
keylen = (uint8_t)strtol(argv[3], NULL, 10);
}
pkcs11_config_init_secret(pObject, argv[1], strlen(argv[1]), keylen);
pkcs11_config_parse_id(pObject, argv, argc, 4);
pObject->slot = (uint16_t)strtol(argv[2], NULL, 16);
pObject->flags = 0;
#if ATCA_CA_SUPPORT
pObject->config = &slot_ctx->cfg_zone;
#endif
}
}
else if (!strcmp(argv[0], "certificate") && argc >= 3)
else if (!strcmp(argv[0], "certificate") && argc >= 3 && argc <= 4)
{

rv = pkcs11_object_alloc(&pObject);
if (!rv && pObject)
{
memmove(pObject->name, argv[1], strlen(argv[1]));
pkcs11_config_parse_id(pObject, argv, argc, 3);
pObject->slot = (uint16_t)strtol(argv[2], NULL, 16);
pObject->class_id = CKO_CERTIFICATE;
pObject->class_type = CK_CERTIFICATE_CATEGORY_TOKEN_USER;
Expand Down
5 changes: 5 additions & 0 deletions lib/pkcs11/pkcs11_config.h.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,11 @@
#define PKCS11_MAX_LABEL_SIZE 30
#endif

/** Object id size in bytes, 0 to disable */
#ifndef PKCS11_ID_SIZE
#define PKCS11_ID_SIZE 2
#endif

/** Define to always convert PIN using KDF */
#cmakedefine PKCS11_PIN_KDF_ALWAYS

Expand Down
6 changes: 3 additions & 3 deletions lib/pkcs11/pkcs11_key.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -394,7 +394,7 @@ const pkcs11_attrib_model pkcs11_key_public_attributes[] = {
/** Type of key */
{ CKA_KEY_TYPE, pkcs11_object_get_type },
/** Key identifier for key (default empty) */
{ CKA_ID, pkcs11_attrib_empty },
{ CKA_ID, pkcs11_object_get_id },
/** Start date for the key (default empty) */
{ CKA_START_DATE, pkcs11_attrib_empty },
/** End date for the key (default empty) */
Expand Down Expand Up @@ -484,7 +484,7 @@ const pkcs11_attrib_model pkcs11_key_private_attributes[] = {
/** Type of key */
{ CKA_KEY_TYPE, pkcs11_object_get_type },
/** Key identifier for key (default empty) */
{ CKA_ID, pkcs11_attrib_empty },
{ CKA_ID, pkcs11_object_get_id },
/** Start date for the key (default empty) */
{ CKA_START_DATE, pkcs11_attrib_empty },
/** End date for the key (default empty) */
Expand Down Expand Up @@ -605,7 +605,7 @@ const pkcs11_attrib_model pkcs11_key_secret_attributes[] = {
/** Type of key */
{ CKA_KEY_TYPE, pkcs11_object_get_type },
/** Key identifier for key (default empty) */
{ CKA_ID, pkcs11_attrib_empty },
{ CKA_ID, pkcs11_object_get_id },
/** Start date for the key (default empty) */
{ CKA_START_DATE, pkcs11_attrib_empty },
/** End date for the key (default empty) */
Expand Down
15 changes: 15 additions & 0 deletions lib/pkcs11/pkcs11_object.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -302,6 +302,21 @@ CK_RV pkcs11_object_get_type(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute)
return pkcs11_attrib_fill(pAttribute, &obj_ptr->class_type, sizeof(obj_ptr->class_type));
}

CK_RV pkcs11_object_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute)
{
pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject;

if (!obj_ptr)
{
return CKR_ARGUMENTS_BAD;
}
#if PKCS11_ID_SIZE > 0
return pkcs11_attrib_fill(pAttribute, obj_ptr->id, sizeof(obj_ptr->id));
#else
return pkcs11_attrib_fill(pAttribute, NULL_PTR, 0);
#endif
}

CK_RV pkcs11_object_get_destroyable(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute)
{
pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject;
Expand Down
4 changes: 4 additions & 0 deletions lib/pkcs11/pkcs11_object.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,9 @@ typedef struct _pkcs11_object
uint16_t slot;
CK_FLAGS flags;
CK_UTF8CHAR name[PKCS11_MAX_LABEL_SIZE + 1];
#if PKCS11_ID_SIZE > 0
uint8_t id[PKCS11_ID_SIZE];
#endif
#if ATCA_CA_SUPPORT
CK_VOID_PTR config;
CK_VOID_PTR data;
Expand Down Expand Up @@ -90,6 +93,7 @@ CK_RV pkcs11_object_is_private(pkcs11_object_ptr pObject, CK_BBOOL* is_private);
CK_RV pkcs11_object_get_class(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute);
CK_RV pkcs11_object_get_name(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute);
CK_RV pkcs11_object_get_type(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute);
CK_RV pkcs11_object_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute);
CK_RV pkcs11_object_get_destroyable(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute);
CK_RV pkcs11_object_get_size(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize);
CK_RV pkcs11_object_get_handle(pkcs11_object_ptr pObject, CK_OBJECT_HANDLE_PTR phObject);
Expand Down

0 comments on commit 93bfbc2

Please sign in to comment.