From a7cbf7db884d5938a4898f4a4533f95c788e219b Mon Sep 17 00:00:00 2001
From: Jamie Hunter <2569012+JamieHunter@users.noreply.github.com>
Date: Tue, 12 Apr 2022 14:17:37 -0700
Subject: [PATCH 1/3] fix: When PKCS11 C_Sign is passed null pSignature, it is expected to fill pulSignatureLen with required buffer length.
---
 lib/pkcs11/pkcs11_signature.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/lib/pkcs11/pkcs11_signature.c b/lib/pkcs11/pkcs11_signature.c
index aa4d4c2a8..761fe1d56 100644
--- a/lib/pkcs11/pkcs11_signature.c
+++ b/lib/pkcs11/pkcs11_signature.c
@@ -148,6 +148,21 @@ CK_RV pkcs11_signature_sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_UL
 return pkcs11_util_convert_rv(status);
 }
 }
+ else
+ {
+ switch (pSession->active_mech)
+ {
+ case CKM_SHA256_HMAC:
+ *pulSignatureLen = ATCA_SHA256_DIGEST_SIZE;
+ break;
+ case CKM_ECDSA:
+ *pulSignatureLen = ATCA_SIG_SIZE;
+ break;
+ default:
+ status = ATCA_GEN_FAIL;
+ break;
+ }
+ }
 }
 else
 {
From 4cf67b4556b677f09142a1bc26d0055534b2c02c Mon Sep 17 00:00:00 2001
From: Jamie Hunter <2569012+JamieHunter@users.noreply.github.com>
Date: Tue, 12 Apr 2022 14:21:23 -0700
Subject: [PATCH 2/3] fix: Java PKCS11 requires CKA_EXTRACTABLE to return extractable status of a private key. Provider library is not expected to fail with CKR_ATTRIBUTE_SENSITIVE.
---
 lib/pkcs11/pkcs11_key.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/pkcs11/pkcs11_key.c b/lib/pkcs11/pkcs11_key.c
index 21b03347c..065947865 100644
--- a/lib/pkcs11/pkcs11_key.c
+++ b/lib/pkcs11/pkcs11_key.c
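Review bot: In the pkcs11_signature_sign hunk of PATCH 1/3, the new `else` branch reports the required length, but nothing visible shows the sign operation staying active afterwards; PKCS #11 requires a length query (`pSignature == NULL`) to leave the operation initialised so the caller can repeat C_Sign with a real buffer. The function starts and ends outside the hunk, so confirm that the code after this block does not reset `pSession->active_mech` on the query path. The non-NULL branch is also mostly outside the hunk: if it does not already do so, it should compare the caller's `*pulSignatureLen` with the same two sizes and return `CKR_BUFFER_TOO_SMALL` before writing to `pSignature`, since a Java caller will now allocate exactly the advertised length. The `default:` arm could return a specific code such as `CKR_OPERATION_NOT_INITIALIZED` rather than the generic `ATCA_GEN_FAIL`.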
@@ -513,12 +513,12 @@ const pkcs11_attrib_model pkcs11_key_private_attributes[] = {
 { CKA_SIGN_RECOVER, NULL_PTR },
 /** CK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys)9 */
 { CKA_UNWRAP, NULL_PTR },
- /** CK_TRUE if key is extractable and can be wrapped 9 */
- { CKA_EXTRACTABLE, NULL_PTR },
+ /** CK_TRUE if key is extractable and can be wrapped */
+ { CKA_EXTRACTABLE, pkcs11_attrib_false },
 /** CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE */
 { CKA_ALWAYS_SENSITIVE, pkcs11_token_get_access_type },
 /** CK_TRUE if key has never had the CKA_EXTRACTABLE attribute set to CK_TRUE */
- { CKA_NEVER_EXTRACTABLE, NULL_PTR },
+ { CKA_NEVER_EXTRACTABLE, pkcs11_token_get_access_type },
 /** CK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE. Default is CK_FALSE. */
 { CKA_WRAP_WITH_TRUSTED, NULL_PTR },
 /** For wrapping keys. The attribute template to match against any keys
@@ -639,11 +639,11 @@ const pkcs11_attrib_model pkcs11_key_secret_attributes[] = {
 /** CK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys) */
 { CKA_UNWRAP, NULL_PTR },
 /** CK_TRUE if key is extractable and can be wrapped */
- { CKA_EXTRACTABLE, NULL_PTR },
+ { CKA_EXTRACTABLE, pkcs11_attrib_false },
 /** CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE */
 { CKA_ALWAYS_SENSITIVE, pkcs11_token_get_access_type },
 /** CK_TRUE if key has never had the CKA_EXTRACTABLE attribute set to CK_TRUE */
- { CKA_NEVER_EXTRACTABLE, NULL_PTR },
+ { CKA_NEVER_EXTRACTABLE, pkcs11_token_get_access_type },
 /** Key checksum */
 { CKA_CHECK_VALUE, pkcs11_key_get_check_value },
 /** CK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE. Default is CK_FALSE. */
From 6457c1ceac18459dd342dc2925030e6a4de89f20 Mon Sep 17 00:00:00 2001
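Review bot: In both pkcs11_key.c tables (pkcs11_key_private_attributes in the first hunk, pkcs11_key_secret_attributes in the second), `CKA_EXTRACTABLE` is now answered with the constant `pkcs11_attrib_false`, while `CKA_NEVER_EXTRACTABLE` is delegated to `pkcs11_token_get_access_type`, the handler that also serves `CKA_ALWAYS_SENSITIVE`. Nothing in the hunks says why one answer is fixed and the other computed. Applications read these attributes to judge how well a key is protected, so the entries should carry a comment stating the invariant, for example `/* Always CK_FALSE: this provider never exports key material */` on the `CKA_EXTRACTABLE` rows, with the wording confirmed by someone who knows what pkcs11_token_get_access_type returns. For the secret-key table in particular, confirm that every object it describes is unreadable from the device, because reporting CK_FALSE for a key held in a readable slot would overstate its protection. Both tables start and end outside the hunks.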
From: Jamie Hunter <2569012+JamieHunter@users.noreply.github.com>
Date: Tue, 12 Apr 2022 14:30:33 -0700
Subject: [PATCH 3/3] fix: Java honors ulMaxSessionCount constant and needs to create at least 2 sessions. When used with Greengrass V2, at least 3 sessions are needed.
---
 lib/pkcs11/pkcs11_token.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/pkcs11/pkcs11_token.c b/lib/pkcs11/pkcs11_token.c
index 962a877cc..2fae57757 100644
--- a/lib/pkcs11/pkcs11_token.c
+++ b/lib/pkcs11/pkcs11_token.c
@@ -428,8 +428,8 @@ CK_RV pkcs11_token_get_info(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 pInfo->ulMinPinLen = 0;
 pInfo->flags = CKF_RNG;// | CKF_LOGIN_REQUIRED;
- pInfo->ulMaxSessionCount = 1;
- pInfo->ulMaxRwSessionCount = 1;
+ pInfo->ulMaxSessionCount = PKCS11_MAX_SESSIONS_ALLOWED;
+ pInfo->ulMaxRwSessionCount = PKCS11_MAX_SESSIONS_ALLOWED;
 pInfo->ulSessionCount = (slot_ctx->session) ? TRUE : FALSE;
 pInfo->ulRwSessionCount = (slot_ctx->session) ? TRUE : FALSE;
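Review bot: The two context lines right after the change still set `ulSessionCount` and `ulRwSessionCount` to `(slot_ctx->session) ? TRUE : FALSE`, so pkcs11_token_get_info can report at most one open session while advertising PKCS11_MAX_SESSIONS_ALLOWED as the limit. If the session layer can count the sessions open on a slot, report that number; otherwise `pInfo->ulSessionCount = CK_UNAVAILABLE_INFORMATION;` (and the same for `ulRwSessionCount`) is more accurate than a boolean used as a count. The single `slot_ctx->session` pointer suggests the slot context was written for one session, so it is worth confirming that session creation enforces PKCS11_MAX_SESSIONS_ALLOWED per token and that per-session state such as the active mechanism is not shared between concurrent sessions. The function starts and ends outside the hunk.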