Skip to content

Commit

Permalink
Merge pull request #291 from JamieHunter/main
Browse files Browse the repository at this point in the history 
CKA_ID support to enable Java / Greengrass V2
  • Loading branch information
@bryan-hunt
bryan-hunt committed Apr 15, 2022
2 parents c6e9d55 + 4d7361a commit 9a37b8d
Show file tree
Hide file tree
Showing 5 changed files with 149 additions and 36 deletions.
27 changes: 8 additions & 19 deletions lib/CMakeLists.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,15 +84,13 @@ file(GLOB HOST_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "host/*.c")
file(GLOB HOST_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "host/*.h")
file(GLOB JWT_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "jwt/*.c")
file(GLOB JWT_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "jwt/*.h")
file(GLOB PKCS11_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.c")
file(GLOB PKCS11_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.h")
file(GLOB TNG_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/tng/*.c")
file(GLOB TNG_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/tng/*.h")
file(GLOB SHA206_API_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/api_206a/*.c")
file(GLOB SHA206_API_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/api_206a/*.h")

if(ATCA_PKCS11 AND (ATCA_TNGTLS_SUPPORT OR ATCA_TNGLORA_SUPPORT OR ATCA_TFLEX_SUPPORT))
SET(TNG_SRC ${TNG_SRC} ../app/pkcs11/trust_pkcs11_config.c)
if(ATCA_PKCS11)
include(cmake/pkcs11.cmake)
endif()

if(${CMAKE_VERSION} VERSION_GREATER "3.8.0")
Expand All @@ -102,7 +100,6 @@ source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${TALIB_SRC})
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${CRYPTO_SRC})
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${HOST_SRC})
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${JWT_SRC})
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${PKCS11_SRC})
source_group("App/Tng" FILES ${TNG_SRC})
endif()

Expand Down Expand Up @@ -216,6 +213,7 @@ set(CRYPTOAUTH_SRC ${LIB_SRC}
${CRYPTO_SRC}
${JWT_SRC}
${TNG_SRC}
${PKCS11_SRC}
${MBEDTLS_SRC}
${WOLFSSL_SRC}
${OPENSSL_SRC}
Expand Down Expand Up @@ -317,14 +315,6 @@ if(ATCA_MBEDTLS)
set(CRYPTOAUTH_SRC ${CRYPTOAUTH_SRC} ${MBEDTLS_SRC})
endif()

if(ATCA_PKCS11)
set(CRYPTOAUTH_SRC ${CRYPTOAUTH_SRC} ${PKCS11_SRC})
set(ATCA_LIBRARY_CONF ${DEFAULT_CONF_PATH}/${DEFAULT_CONF_FILE_NAME} CACHE STRING "" FORCE)
if(PKCS11_DEBUG_ENABLE)
add_definitions(-DPKCS11_DEBUG_ENABLE)
endif(PKCS11_DEBUG_ENABLE)
endif()

if(ATCA_BUILD_SHARED_LIBS)
add_definitions(-DATCA_BUILD_SHARED_LIBS)
set(CRYPTOAUTH_SRC ${CRYPTOAUTH_SRC} atca_utils_sizes.c)
Expand All @@ -346,14 +336,11 @@ if(BUILD_TESTS)
set(ATCA_TESTS_ENABLED ON CACHE INTERNAL "")
endif(BUILD_TESTS)

set(ATCA_LIBRARY_CONF ${DEFAULT_CONF_PATH}/${DEFAULT_CONF_FILE_NAME} CACHE STRING "" FORCE)

configure_file(atca_config.h.in atca_config.h @ONLY)
set(LIB_INC ${LIB_INC} ${CMAKE_CURRENT_BINARY_DIR}/atca_config.h)

if(ATCA_PKCS11)
configure_file(pkcs11/pkcs11_config.h.in pkcs11_config.h @ONLY)
set(PKCS11_INC ${PKCS11_INC} ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_config.h)
endif()

include_directories(cryptoauth PUBLIC ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR} ../app/tng ../third_party ../third_party/hidapi/hidapi ${USB_INCLUDE_DIR})

if(ATCA_MBEDTLS)
Expand Down Expand Up @@ -415,7 +402,9 @@ install(FILES ${CRYPTO_INC} DESTINATION ${DEFAULT_INC_PATH}/crypto COMPONENT Dev
install(FILES ${CRYPTO_HASHES_INC} DESTINATION ${DEFAULT_INC_PATH}/crypto/hashes COMPONENT Development)
install(FILES ${HOST_INC} DESTINATION ${DEFAULT_INC_PATH}/host COMPONENT Development)
install(FILES ${JWT_INC} DESTINATION ${DEFAULT_INC_PATH}/jwt COMPONENT Development)
if (ATCA_PKCS11)
install(FILES ${PKCS11_INC} DESTINATION ${DEFAULT_INC_PATH}/pkcs11 COMPONENT Development)
endif()
install(FILES ${TNG_INC} DESTINATION ${DEFAULT_INC_PATH}/app/tng COMPONENT Development)
install(FILES ${SHA206_API_INC} DESTINATION ${DEFAULT_INC_PATH}/app/api_206a COMPONENT Development)
endif(DEFAULT_INC_PATH)
endif(DEFAULT_INC_PATH)
32 changes: 32 additions & 0 deletions lib/cmake/pkcs11.cmake
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# Helper CMake file for PKCS11 extension to the library

# PKCS11 Configuration Options - See pkcs11_config.h.in
set(PKCS11_DEBUG_ENABLE OFF CACHE BOOL "Enable PKCS#11 Debugging Messages")
set(PKCS11_USE_STATIC_MEMORY ${ATCA_NO_HEAP} CACHE BOOL "Use Static Memory Allocation")
set(PKCS11_USE_STATIC_CONFIG OFF CACHE BOOL "Use a compiled configuration rather than loading from a filestore")
set(PKCS11_MAX_SLOTS_ALLOWED 1 CACHE STRING "Maximum number of slots allowed in the system")
set(PKCS11_MAX_SESSIONS_ALLOWED 10 CACHE STRING "Maximum number of total sessions allowed in the system")
set(PKCS11_MAX_OBJECTS_ALLOWED 16 CACHE STRING "Maximum number of cryptographic objects allowed to be cached")
set(PKCS11_MAX_LABEL_SIZE 30 CACHE STRING "Maximum label size in characters")
set(PKCS11_LOCK_PIN_SLOT OFF CACHE BOOL "Define to lock the PIN slot after writing")
set(PKCS11_PIN_KDF_ALWAYS OFF CACHE BOOL "Define to always convert PIN using KDF")
set(PKCS11_PIN_PBKDF2_EN OFF CACHE BOOL "Define to use PBKDF2 for PIN KDF")
set(PKCS11_PIN_PBKDF2_ITERATIONS 2 CACHE STRING "Define how many iterations PBKDF2 will use for PIN KDF")
set(PKCS11_SEARCH_CACHE_SIZE 250 CACHE STRING "Static Search Attribute Cache in bytes")
set(PKCS11_TOKEN_INIT_SUPPORT OFF CACHE BOOL "Support for configuring a blank or new device")
set(PKCS11_MONOTONIC_ENABLE OFF CACHE BOOL "Include the monotonic hardware feature as an object")
set(PKCS11_AUTO_ID_ENABLE ON CACHE BOOL "Generate CKA_ID values based on standards")

file(GLOB PKCS11_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.c")
file(GLOB PKCS11_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.h")

configure_file(pkcs11/pkcs11_config.h.in ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_config.h @ONLY)
set(PKCS11_INC ${PKCS11_INC} ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_config.h)

if(ATCA_TNGTLS_SUPPORT OR ATCA_TNGLORA_SUPPORT OR ATCA_TFLEX_SUPPORT)
SET(TNG_SRC ${TNG_SRC} ../app/pkcs11/trust_pkcs11_config.c)
endif()

if(${CMAKE_VERSION} VERSION_GREATER "3.8.0")
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${PKCS11_SRC})
endif()
35 changes: 34 additions & 1 deletion lib/pkcs11/pkcs11_cert.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -335,6 +335,10 @@ CK_RV pkcs11_cert_get_subject_key_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttr
else
{
pAttribute->ulValueLen = 20;
if (pAttribute->pValue == NULL)
{
return CKR_OK;
}
}
}
else
Expand Down Expand Up @@ -372,6 +376,35 @@ CK_RV pkcs11_cert_get_trusted_flag(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttrib
return CKR_ARGUMENTS_BAD;
}

static CK_RV pkcs11_cert_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute)
{
#if PKCS11_AUTO_ID_ENABLE
return pkcs11_cert_get_subject_key_id(pObject, pAttribute);
#elif ATCA_CA_SUPPORT
pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject;
CK_RV rv = CKR_ARGUMENTS_BAD;

if (obj_ptr)
{
pkcs11_cert_check_trust_data(obj_ptr);

if (obj_ptr->data)
{
atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data;
uint16_t key_id = ATCA_UINT16_HOST_TO_BE(cert_cfg->public_key_dev_loc.slot);
rv = pkcs11_attrib_fill(pAttribute, &key_id, sizeof(uint16_t));
}
else
{
return pkcs11_attrib_empty(pObject, pAttribute);
}
}
return rv;
#else
return pkcs11_attrib_empty(pObject, pAttribute);
#endif
}

/**
* CKO_CERTIFICATE (Type: CKC_X_509) - X509 Public Key Certificate Model
*/
Expand Down Expand Up @@ -411,7 +444,7 @@ const pkcs11_attrib_model pkcs11_cert_x509public_attributes[] = {
/** DER-encoded Certificate subject name */
{ CKA_SUBJECT, pkcs11_cert_get_subject },
/** Key identifier for public/private key pair (default empty) */
{ CKA_ID, pkcs11_attrib_empty },
{ CKA_ID, pkcs11_cert_get_id },
/** DER-encoded Certificate issuer name (default empty)*/
{ CKA_ISSUER, pkcs11_attrib_empty },
/** DER-encoding of the certificate serial number (default empty) */
Expand Down
32 changes: 18 additions & 14 deletions lib/pkcs11/pkcs11_config.h.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,44 +35,44 @@

/** Define to lock the PIN slot after writing */
#ifndef PKCS11_LOCK_PIN_SLOT
#define PKCS11_LOCK_PIN_SLOT 0
#cmakedefine01 PKCS11_LOCK_PIN_SLOT
#endif

/** Enable PKCS#11 Debugging Messages */
#ifndef PKCS11_DEBUG_ENABLE
#define PKCS11_DEBUG_ENABLE 0
#cmakedefine01 PKCS11_DEBUG_ENABLE
#endif

/** Use Static or Dynamic Allocation */
#ifndef PKCS11_USE_STATIC_MEMORY
#define PKCS11_USE_STATIC_MEMORY 1
#cmakedefine01 PKCS11_USE_STATIC_MEMORY
#endif

/** Use a compiled configuration rather than loading from a filestore */
#ifndef PKCS11_USE_STATIC_CONFIG
#define PKCS11_USE_STATIC_CONFIG 0
#cmakedefine01 PKCS11_USE_STATIC_CONFIG
#endif

/** Maximum number of slots allowed in the system - if static memory this will
always be the number of slots */
#ifndef PKCS11_MAX_SLOTS_ALLOWED
#define PKCS11_MAX_SLOTS_ALLOWED 1
#define PKCS11_MAX_SLOTS_ALLOWED @PKCS11_MAX_SLOTS_ALLOWED@
#endif

/** Maximum number of total sessions allowed in the system - if using static
memory then this many session contexts will be allocated */
#ifndef PKCS11_MAX_SESSIONS_ALLOWED
#define PKCS11_MAX_SESSIONS_ALLOWED 10
#define PKCS11_MAX_SESSIONS_ALLOWED @PKCS11_MAX_SESSIONS_ALLOWED@
#endif

/** Maximum number of cryptographic objects allowed to be cached */
#ifndef PKCS11_MAX_OBJECTS_ALLOWED
#define PKCS11_MAX_OBJECTS_ALLOWED 16
#define PKCS11_MAX_OBJECTS_ALLOWED @PKCS11_MAX_OBJECTS_ALLOWED@
#endif

/** Maximum label size in characters */
#ifndef PKCS11_MAX_LABEL_SIZE
#define PKCS11_MAX_LABEL_SIZE 30
#define PKCS11_MAX_LABEL_SIZE @PKCS11_MAX_LABEL_SIZE@
#endif

/** Define to always convert PIN using KDF */
Expand All @@ -83,8 +83,8 @@

/** Define how many iterations PBKDF2 will use for PIN KDF */
#if defined(PKCS11_PIN_PBKDF2_EN) && !defined(PKCS11_PIN_PBKDF2_ITERATIONS)
#define PKCS11_PIN_PBKDF2_ITERATIONS 2
#endif
#define PKCS11_PIN_PBKDF2_ITERATIONS @PKCS11_PIN_PBKDF2_ITERATIONS@
#endif

/****************************************************************************/
/* The following configuration options are for fine tuning of the library */
Expand All @@ -96,25 +96,29 @@
intends to use. Otherwise compilers will not be able to optimize out the unusued
functions */
#ifndef PKCS11_EXTERNAL_FUNCTION_LIST
#define PKCS11_EXTERNAL_FUNCTION_LIST 0
#cmakedefine01 PKCS11_EXTERNAL_FUNCTION_LIST
#endif

/** Static Search Attribute Cache in bytes (variable number of attributes based
on size and memory requirements) */
#ifndef PKCS11_SEARCH_CACHE_SIZE
#define PKCS11_SEARCH_CACHE_SIZE 250
#define PKCS11_SEARCH_CACHE_SIZE @PKCS11_SEARCH_CACHE_SIZE@
#endif

/** Support for configuring a "blank" or new device */
#ifndef PKCS11_TOKEN_INIT_SUPPORT
#define PKCS11_TOKEN_INIT_SUPPORT 1
#cmakedefine01 PKCS11_TOKEN_INIT_SUPPORT
#endif

/** Include the monotonic hardware feature as an object */
#ifndef PKCS11_MONOTONIC_ENABLE
#define PKCS11_MONOTONIC_ENABLE 0
#cmakedefine01 PKCS11_MONOTONIC_ENABLE
#endif

/** Automatically generate CKA_ID values based on standards */
#ifndef PKCS11_AUTO_ID_ENABLE
#cmakedefine01 PKCS11_AUTO_ID_ENABLE
#endif

#include "pkcs11/cryptoki.h"
#include <stddef.h>
Expand Down
59 changes: 57 additions & 2 deletions lib/pkcs11/pkcs11_key.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -373,6 +373,61 @@ static CK_RV pkcs11_key_auth_required(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAtt
return rv;
}

static CK_RV pkcs11_key_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute)
{
pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject;
CK_RV rv = CKR_ARGUMENTS_BAD;

if (obj_ptr)
{
#if PKCS11_AUTO_ID_ENABLE
if (pAttribute->pValue)
{
CK_BBOOL is_private;

if (CKR_OK == (rv = pkcs11_object_is_private(obj_ptr, &is_private)))
{
ATCA_STATUS status;
uint8_t buffer[1 + ATCA_ECCP256_PUBKEY_SIZE] = {0x04};

if (is_private)
{
status = atcab_get_pubkey(obj_ptr->slot, &buffer[1]);
PKCS11_DEBUG("atcab_get_pubkey: %x\r\n", status);
}
else
{
status = atcab_read_pubkey(obj_ptr->slot, &buffer[1]);
PKCS11_DEBUG("atcab_read_pubkey: %x\r\n", status);
}

if (ATCA_SUCCESS == status)
{
status = atcac_sw_sha1(buffer, sizeof(buffer), buffer);
}

if (ATCA_SUCCESS == status)
{
rv = pkcs11_attrib_fill(pAttribute, buffer, ATCA_SHA1_DIGEST_SIZE);
}
else
{
rv = pkcs11_util_convert_rv(status);
}
}
}
else
{
rv = pkcs11_attrib_fill(pAttribute, NULL, ATCA_SHA1_DIGEST_SIZE);
}
#else
uint16_t key_id = ATCA_UINT16_HOST_TO_BE(obj_ptr->slot);
rv = pkcs11_attrib_fill(pAttribute, &key_id, sizeof(uint16_t));
#endif
}
return rv;
}

/**
* CKO_PUBLIC_KEY - Public Key Object Model
*/
Expand All @@ -394,7 +449,7 @@ const pkcs11_attrib_model pkcs11_key_public_attributes[] = {
/** Type of key */
{ CKA_KEY_TYPE, pkcs11_object_get_type },
/** Key identifier for key (default empty) */
{ CKA_ID, pkcs11_attrib_empty },
{ CKA_ID, pkcs11_key_get_id },
/** Start date for the key (default empty) */
{ CKA_START_DATE, pkcs11_attrib_empty },
/** End date for the key (default empty) */
Expand Down Expand Up @@ -484,7 +539,7 @@ const pkcs11_attrib_model pkcs11_key_private_attributes[] = {
/** Type of key */
{ CKA_KEY_TYPE, pkcs11_object_get_type },
/** Key identifier for key (default empty) */
{ CKA_ID, pkcs11_attrib_empty },
{ CKA_ID, pkcs11_key_get_id },
/** Start date for the key (default empty) */
{ CKA_START_DATE, pkcs11_attrib_empty },
/** End date for the key (default empty) */
Expand Down

0 comments on commit 9a37b8d

Please sign in to comment.