1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (c) 2017-2020, Linaro Limited
4 */
5
6 #include <assert.h>
7 #include <pkcs11_ta.h>
8 #include <string.h>
9 #include <util.h>
10 #include <tee_api.h>
11 #include <tee_internal_api_extensions.h>
12
13 #include "pkcs11_helpers.h"
14 #include "token_capabilities.h"
15
16 #define ALLOWED_PKCS11_CKFM \
17 (PKCS11_CKFM_ENCRYPT | PKCS11_CKFM_DECRYPT | \
18 PKCS11_CKFM_DERIVE | PKCS11_CKFM_DIGEST | \
19 PKCS11_CKFM_SIGN | PKCS11_CKFM_SIGN_RECOVER | \
20 PKCS11_CKFM_VERIFY | PKCS11_CKFM_VERIFY_RECOVER | \
21 PKCS11_CKFM_GENERATE | PKCS11_CKFM_GENERATE_KEY_PAIR | \
22 PKCS11_CKFM_WRAP | PKCS11_CKFM_UNWRAP)
23
24 /*
25 * Definition of supported processings for a PKCS#11 mechanisms
26 * @id: Mechanism ID
27 * @flags: Valid PKCS11_CKFM_* for a mechanism as per PKCS#11
28 * @one_shot: true of mechanism can be used for a one-short processing
29 * @string: Helper string of the mechanism ID for debug purpose
30 */
31 struct pkcs11_mechachism_modes {
32 uint32_t id;
33 uint32_t flags;
34 bool one_shot;
35 #if CFG_TEE_TA_LOG_LEVEL > 0
36 const char *string;
37 #endif
38 };
39
40 #if CFG_TEE_TA_LOG_LEVEL > 0
41 #define MECHANISM(_label, _flags, _single_part) \
42 { \
43 .id = _label, \
44 .one_shot = (_single_part), \
45 .flags = (_flags), \
46 .string = #_label, \
47 }
48 #else
49 #define MECHANISM(_label, _flags, _single_part) \
50 { \
51 .id = _label, \
52 .one_shot = (_single_part), \
53 .flags = (_flags), \
54 }
55 #endif
56
57 #define SINGLE_PART_ONLY true
58 #define ANY_PART false
59
60 #define CKFM_CIPHER (PKCS11_CKFM_ENCRYPT | PKCS11_CKFM_DECRYPT)
61 #define CKFM_WRAP_UNWRAP (PKCS11_CKFM_WRAP | PKCS11_CKFM_UNWRAP)
62 #define CKFM_CIPHER_WRAP (CKFM_CIPHER | CKFM_WRAP_UNWRAP)
63 #define CKFM_CIPHER_WRAP_DERIVE (CKFM_CIPHER_WRAP | PKCS11_CKFM_DERIVE)
64 #define CKFM_AUTH_NO_RECOVER (PKCS11_CKFM_SIGN | PKCS11_CKFM_VERIFY)
65 #define CKFM_AUTH_WITH_RECOVER (PKCS11_CKFM_SIGN_RECOVER | \
66 PKCS11_CKFM_VERIFY_RECOVER)
67
68 /* PKCS#11 specificies permitted operation for each mechanism */
69 static const struct pkcs11_mechachism_modes pkcs11_modes[] = {
70 /* AES */
71 MECHANISM(PKCS11_CKM_AES_ECB, CKFM_CIPHER_WRAP, ANY_PART),
72 MECHANISM(PKCS11_CKM_AES_CBC, CKFM_CIPHER_WRAP, ANY_PART),
73 MECHANISM(PKCS11_CKM_AES_CBC_PAD, CKFM_CIPHER_WRAP, ANY_PART),
74 MECHANISM(PKCS11_CKM_AES_CTS, CKFM_CIPHER_WRAP, ANY_PART),
75 MECHANISM(PKCS11_CKM_AES_CTR, CKFM_CIPHER_WRAP, ANY_PART),
76 MECHANISM(PKCS11_CKM_AES_CMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
77 MECHANISM(PKCS11_CKM_AES_CMAC_GENERAL, CKFM_AUTH_NO_RECOVER, ANY_PART),
78 MECHANISM(PKCS11_CKM_AES_ECB_ENCRYPT_DATA, PKCS11_CKFM_DERIVE,
79 ANY_PART),
80 MECHANISM(PKCS11_CKM_AES_CBC_ENCRYPT_DATA, PKCS11_CKFM_DERIVE,
81 ANY_PART),
82 MECHANISM(PKCS11_CKM_AES_KEY_GEN, PKCS11_CKFM_GENERATE, ANY_PART),
83 MECHANISM(PKCS11_CKM_GENERIC_SECRET_KEY_GEN, PKCS11_CKFM_GENERATE,
84 ANY_PART),
85 /* Digest */
86 MECHANISM(PKCS11_CKM_MD5, PKCS11_CKFM_DIGEST, ANY_PART),
87 MECHANISM(PKCS11_CKM_SHA_1, PKCS11_CKFM_DIGEST, ANY_PART),
88 MECHANISM(PKCS11_CKM_SHA224, PKCS11_CKFM_DIGEST, ANY_PART),
89 MECHANISM(PKCS11_CKM_SHA256, PKCS11_CKFM_DIGEST, ANY_PART),
90 MECHANISM(PKCS11_CKM_SHA384, PKCS11_CKFM_DIGEST, ANY_PART),
91 MECHANISM(PKCS11_CKM_SHA512, PKCS11_CKFM_DIGEST, ANY_PART),
92 /* HMAC */
93 MECHANISM(PKCS11_CKM_MD5_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
94 MECHANISM(PKCS11_CKM_SHA_1_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
95 MECHANISM(PKCS11_CKM_SHA224_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
96 MECHANISM(PKCS11_CKM_SHA256_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
97 MECHANISM(PKCS11_CKM_SHA384_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
98 MECHANISM(PKCS11_CKM_SHA512_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
99 MECHANISM(PKCS11_CKM_MD5_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER, ANY_PART),
100 MECHANISM(PKCS11_CKM_SHA_1_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER,
101 ANY_PART),
102 MECHANISM(PKCS11_CKM_SHA224_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER,
103 ANY_PART),
104 MECHANISM(PKCS11_CKM_SHA256_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER,
105 ANY_PART),
106 MECHANISM(PKCS11_CKM_SHA384_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER,
107 ANY_PART),
108 MECHANISM(PKCS11_CKM_SHA512_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER,
109 ANY_PART),
110 /* EC */
111 MECHANISM(PKCS11_CKM_EC_KEY_PAIR_GEN, PKCS11_CKFM_GENERATE_KEY_PAIR,
112 ANY_PART),
113 MECHANISM(PKCS11_CKM_ECDH1_DERIVE, PKCS11_CKFM_DERIVE,
114 ANY_PART),
115 MECHANISM(PKCS11_CKM_ECDSA, CKFM_AUTH_NO_RECOVER, SINGLE_PART_ONLY),
116 MECHANISM(PKCS11_CKM_ECDSA_SHA1, CKFM_AUTH_NO_RECOVER, ANY_PART),
117 MECHANISM(PKCS11_CKM_ECDSA_SHA224, CKFM_AUTH_NO_RECOVER, ANY_PART),
118 MECHANISM(PKCS11_CKM_ECDSA_SHA256, CKFM_AUTH_NO_RECOVER, ANY_PART),
119 MECHANISM(PKCS11_CKM_ECDSA_SHA384, CKFM_AUTH_NO_RECOVER, ANY_PART),
120 MECHANISM(PKCS11_CKM_ECDSA_SHA512, CKFM_AUTH_NO_RECOVER, ANY_PART),
121 /* EDDSA */
122 MECHANISM(PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN,
123 PKCS11_CKFM_GENERATE_KEY_PAIR, ANY_PART),
124 MECHANISM(PKCS11_CKM_EDDSA, CKFM_AUTH_NO_RECOVER, ANY_PART),
125 /* RSA */
126 MECHANISM(PKCS11_CKM_RSA_AES_KEY_WRAP, CKFM_CIPHER_WRAP,
127 SINGLE_PART_ONLY),
128 MECHANISM(PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN,
129 PKCS11_CKFM_GENERATE_KEY_PAIR, ANY_PART),
130 MECHANISM(PKCS11_CKM_RSA_PKCS, CKFM_CIPHER_WRAP | CKFM_AUTH_NO_RECOVER |
131 CKFM_AUTH_WITH_RECOVER, SINGLE_PART_ONLY),
132 MECHANISM(PKCS11_CKM_RSA_PKCS_OAEP, CKFM_CIPHER_WRAP,
133 SINGLE_PART_ONLY),
134 MECHANISM(PKCS11_CKM_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER,
135 SINGLE_PART_ONLY),
136 MECHANISM(PKCS11_CKM_MD5_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
137 MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
138 MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER, ANY_PART),
139 MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
140 MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
141 MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
142 MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER,
143 ANY_PART),
144 MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER,
145 ANY_PART),
146 MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER,
147 ANY_PART),
148 MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
149 MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER,
150 ANY_PART),
151 };
152
153 #if CFG_TEE_TA_LOG_LEVEL > 0
mechanism_string_id(enum pkcs11_mechanism_id id)154 const char *mechanism_string_id(enum pkcs11_mechanism_id id)
155 {
156 const size_t offset = sizeof("PKCS11_CKM_") - 1;
157 size_t n = 0;
158
159 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++)
160 if (pkcs11_modes[n].id == id)
161 return pkcs11_modes[n].string + offset;
162
163 return "Unknown ID";
164 }
165 #endif /*CFG_TEE_TA_LOG_LEVEL*/
166
167 /*
168 * Return true if @id is a valid mechanism ID
169 */
mechanism_is_valid(enum pkcs11_mechanism_id id)170 bool mechanism_is_valid(enum pkcs11_mechanism_id id)
171 {
172 size_t n = 0;
173
174 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++)
175 if (id == pkcs11_modes[n].id)
176 return true;
177
178 return false;
179 }
180
181 /*
182 * Return true if mechanism ID is valid and flags matches PKCS#11 compliancy
183 */
mechanism_flags_complies_pkcs11(uint32_t mechanism_type,uint32_t flags)184 bool __maybe_unused mechanism_flags_complies_pkcs11(uint32_t mechanism_type,
185 uint32_t flags)
186 {
187 size_t n = 0;
188
189 assert((flags & ~ALLOWED_PKCS11_CKFM) == 0);
190
191 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++) {
192 if (pkcs11_modes[n].id == mechanism_type) {
193 if (flags & ~pkcs11_modes[n].flags)
194 EMSG("%s flags: 0x%"PRIx32" vs 0x%"PRIx32,
195 id2str_mechanism(mechanism_type),
196 flags, pkcs11_modes[n].flags);
197
198 return (flags & ~pkcs11_modes[n].flags) == 0;
199 }
200 }
201
202 /* Mechanism ID unexpectedly not found */
203 return false;
204 }
205
mechanism_is_one_shot_only(uint32_t mechanism_type)206 bool mechanism_is_one_shot_only(uint32_t mechanism_type)
207 {
208 size_t n = 0;
209
210 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++)
211 if (pkcs11_modes[n].id == mechanism_type)
212 return pkcs11_modes[n].one_shot;
213
214 /* Mechanism ID unexpectedly not found */
215 TEE_Panic(PKCS11_RV_NOT_FOUND);
216 /* Dummy return to keep compiler happy */
217 return false;
218 }
219
220 /*
221 * Field single_part_only is unused from array token_mechanism[], hence
222 * simply use ANY_PART for all mechanism there.
223 */
224 #define TA_MECHANISM(_label, _flags) MECHANISM((_label), (_flags), ANY_PART)
225
226 /*
227 * Arrays that centralizes the IDs and processing flags for mechanisms
228 * supported by each embedded token.
229 */
230 const struct pkcs11_mechachism_modes token_mechanism[] = {
231 TA_MECHANISM(PKCS11_CKM_AES_ECB, CKFM_CIPHER_WRAP),
232 TA_MECHANISM(PKCS11_CKM_AES_CBC, CKFM_CIPHER_WRAP),
233 TA_MECHANISM(PKCS11_CKM_AES_CTR, CKFM_CIPHER),
234 TA_MECHANISM(PKCS11_CKM_AES_CTS, CKFM_CIPHER),
235 TA_MECHANISM(PKCS11_CKM_AES_CMAC, CKFM_AUTH_NO_RECOVER),
236 TA_MECHANISM(PKCS11_CKM_AES_CMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
237 TA_MECHANISM(PKCS11_CKM_AES_ECB_ENCRYPT_DATA, PKCS11_CKFM_DERIVE),
238 TA_MECHANISM(PKCS11_CKM_AES_CBC_ENCRYPT_DATA, PKCS11_CKFM_DERIVE),
239 TA_MECHANISM(PKCS11_CKM_ECDH1_DERIVE, PKCS11_CKFM_DERIVE),
240 TA_MECHANISM(PKCS11_CKM_AES_KEY_GEN, PKCS11_CKFM_GENERATE),
241 TA_MECHANISM(PKCS11_CKM_GENERIC_SECRET_KEY_GEN, PKCS11_CKFM_GENERATE),
242 TA_MECHANISM(PKCS11_CKM_MD5, PKCS11_CKFM_DIGEST),
243 TA_MECHANISM(PKCS11_CKM_SHA_1, PKCS11_CKFM_DIGEST),
244 TA_MECHANISM(PKCS11_CKM_SHA224, PKCS11_CKFM_DIGEST),
245 TA_MECHANISM(PKCS11_CKM_SHA256, PKCS11_CKFM_DIGEST),
246 TA_MECHANISM(PKCS11_CKM_SHA384, PKCS11_CKFM_DIGEST),
247 TA_MECHANISM(PKCS11_CKM_SHA512, PKCS11_CKFM_DIGEST),
248 TA_MECHANISM(PKCS11_CKM_MD5_HMAC, CKFM_AUTH_NO_RECOVER),
249 TA_MECHANISM(PKCS11_CKM_SHA_1_HMAC, CKFM_AUTH_NO_RECOVER),
250 TA_MECHANISM(PKCS11_CKM_SHA224_HMAC, CKFM_AUTH_NO_RECOVER),
251 TA_MECHANISM(PKCS11_CKM_SHA256_HMAC, CKFM_AUTH_NO_RECOVER),
252 TA_MECHANISM(PKCS11_CKM_SHA384_HMAC, CKFM_AUTH_NO_RECOVER),
253 TA_MECHANISM(PKCS11_CKM_SHA512_HMAC, CKFM_AUTH_NO_RECOVER),
254 TA_MECHANISM(PKCS11_CKM_MD5_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
255 TA_MECHANISM(PKCS11_CKM_SHA_1_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
256 TA_MECHANISM(PKCS11_CKM_SHA224_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
257 TA_MECHANISM(PKCS11_CKM_SHA256_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
258 TA_MECHANISM(PKCS11_CKM_SHA384_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
259 TA_MECHANISM(PKCS11_CKM_SHA512_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
260 TA_MECHANISM(PKCS11_CKM_EC_KEY_PAIR_GEN,
261 PKCS11_CKFM_GENERATE_KEY_PAIR),
262 TA_MECHANISM(PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN,
263 PKCS11_CKFM_GENERATE_KEY_PAIR),
264 TA_MECHANISM(PKCS11_CKM_ECDSA, CKFM_AUTH_NO_RECOVER),
265 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA1, CKFM_AUTH_NO_RECOVER),
266 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA224, CKFM_AUTH_NO_RECOVER),
267 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA256, CKFM_AUTH_NO_RECOVER),
268 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA384, CKFM_AUTH_NO_RECOVER),
269 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA512, CKFM_AUTH_NO_RECOVER),
270 TA_MECHANISM(PKCS11_CKM_EDDSA, CKFM_AUTH_NO_RECOVER),
271 TA_MECHANISM(PKCS11_CKM_RSA_AES_KEY_WRAP, CKFM_CIPHER_WRAP),
272 TA_MECHANISM(PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN,
273 PKCS11_CKFM_GENERATE_KEY_PAIR),
274 TA_MECHANISM(PKCS11_CKM_RSA_PKCS, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER),
275 TA_MECHANISM(PKCS11_CKM_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
276 TA_MECHANISM(PKCS11_CKM_MD5_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
277 TA_MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
278 TA_MECHANISM(PKCS11_CKM_RSA_PKCS_OAEP, CKFM_CIPHER),
279 TA_MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
280 TA_MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
281 TA_MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
282 TA_MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
283 TA_MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
284 TA_MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
285 TA_MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
286 TA_MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
287 TA_MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
288 };
289
290 /*
291 * tee_malloc_mechanism_array - Allocate and fill array of supported mechanisms
292 * @count: [in] [out] Pointer to number of mechanism IDs in client resource
293 * Return allocated array of the supported mechanism IDs
294 *
295 * Allocates array with 32bit cells mechanism IDs for the supported ones only
296 * if *@count covers number mechanism IDs exposed.
297 */
tee_malloc_mechanism_list(size_t * out_count)298 uint32_t *tee_malloc_mechanism_list(size_t *out_count)
299 {
300 size_t n = 0;
301 size_t count = 0;
302 uint32_t *array = NULL;
303
304 for (n = 0; n < ARRAY_SIZE(token_mechanism); n++)
305 if (token_mechanism[n].flags)
306 count++;
307
308 if (*out_count >= count)
309 array = TEE_Malloc(count * sizeof(*array),
310 TEE_USER_MEM_HINT_NO_FILL_ZERO);
311
312 *out_count = count;
313
314 if (!array)
315 return NULL;
316
317 for (n = 0; n < ARRAY_SIZE(token_mechanism); n++) {
318 if (token_mechanism[n].flags) {
319 count--;
320 array[count] = token_mechanism[n].id;
321 }
322 }
323 assert(!count);
324
325 return array;
326 }
327
mechanism_supported_flags(enum pkcs11_mechanism_id id)328 uint32_t mechanism_supported_flags(enum pkcs11_mechanism_id id)
329 {
330 size_t n = 0;
331
332 for (n = 0; n < ARRAY_SIZE(token_mechanism); n++) {
333 if (id == token_mechanism[n].id) {
334 uint32_t flags = token_mechanism[n].flags;
335
336 assert(mechanism_flags_complies_pkcs11(id, flags));
337 return flags;
338 }
339 }
340
341 return 0;
342 }
343
pkcs11_mechanism_supported_key_sizes(uint32_t proc_id,uint32_t * min_key_size,uint32_t * max_key_size)344 void pkcs11_mechanism_supported_key_sizes(uint32_t proc_id,
345 uint32_t *min_key_size,
346 uint32_t *max_key_size)
347 {
348 switch (proc_id) {
349 case PKCS11_CKM_GENERIC_SECRET_KEY_GEN:
350 /* This mechanism expects the keysize to be returned in bits */
351 *min_key_size = 1; /* in bits */
352 *max_key_size = 4096; /* in bits */
353 break;
354 case PKCS11_CKM_MD5_HMAC:
355 case PKCS11_CKM_MD5_HMAC_GENERAL:
356 *min_key_size = 8;
357 *max_key_size = 64;
358 break;
359 case PKCS11_CKM_SHA_1_HMAC:
360 case PKCS11_CKM_SHA_1_HMAC_GENERAL:
361 *min_key_size = 10;
362 *max_key_size = 64;
363 break;
364 case PKCS11_CKM_SHA224_HMAC:
365 case PKCS11_CKM_SHA224_HMAC_GENERAL:
366 *min_key_size = 14;
367 *max_key_size = 64;
368 break;
369 case PKCS11_CKM_SHA256_HMAC:
370 case PKCS11_CKM_SHA256_HMAC_GENERAL:
371 *min_key_size = 24;
372 *max_key_size = 128;
373 break;
374 case PKCS11_CKM_SHA384_HMAC:
375 case PKCS11_CKM_SHA384_HMAC_GENERAL:
376 *min_key_size = 32;
377 *max_key_size = 128;
378 break;
379 case PKCS11_CKM_SHA512_HMAC:
380 case PKCS11_CKM_SHA512_HMAC_GENERAL:
381 *min_key_size = 32;
382 *max_key_size = 128;
383 break;
384 case PKCS11_CKM_AES_KEY_GEN:
385 case PKCS11_CKM_AES_ECB:
386 case PKCS11_CKM_AES_CBC:
387 case PKCS11_CKM_AES_CBC_PAD:
388 case PKCS11_CKM_AES_CTR:
389 case PKCS11_CKM_AES_CTS:
390 case PKCS11_CKM_AES_CMAC:
391 case PKCS11_CKM_AES_CMAC_GENERAL:
392 *min_key_size = 16;
393 *max_key_size = 32;
394 break;
395 case PKCS11_CKM_EC_KEY_PAIR_GEN:
396 case PKCS11_CKM_ECDSA:
397 case PKCS11_CKM_ECDSA_SHA1:
398 case PKCS11_CKM_ECDSA_SHA224:
399 case PKCS11_CKM_ECDSA_SHA256:
400 case PKCS11_CKM_ECDSA_SHA384:
401 case PKCS11_CKM_ECDSA_SHA512:
402 case PKCS11_CKM_ECDH1_DERIVE:
403 *min_key_size = 160; /* in bits */
404 *max_key_size = 521; /* in bits */
405 break;
406 case PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN:
407 case PKCS11_CKM_EDDSA:
408 *min_key_size = 256; /* in bits */
409 *max_key_size = 448; /* in bits */
410 break;
411 case PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN:
412 case PKCS11_CKM_RSA_PKCS:
413 case PKCS11_CKM_MD5_RSA_PKCS:
414 case PKCS11_CKM_SHA1_RSA_PKCS:
415 case PKCS11_CKM_RSA_PKCS_OAEP:
416 case PKCS11_CKM_SHA1_RSA_PKCS_PSS:
417 case PKCS11_CKM_SHA256_RSA_PKCS:
418 case PKCS11_CKM_SHA384_RSA_PKCS:
419 case PKCS11_CKM_SHA512_RSA_PKCS:
420 case PKCS11_CKM_SHA256_RSA_PKCS_PSS:
421 case PKCS11_CKM_SHA384_RSA_PKCS_PSS:
422 case PKCS11_CKM_SHA512_RSA_PKCS_PSS:
423 case PKCS11_CKM_SHA224_RSA_PKCS:
424 case PKCS11_CKM_SHA224_RSA_PKCS_PSS:
425 *min_key_size = 256; /* in bits */
426 *max_key_size = 4096; /* in bits */
427 break;
428 default:
429 *min_key_size = 0;
430 *max_key_size = 0;
431 break;
432 }
433 }
434
mechanism_supported_key_sizes_bytes(uint32_t proc_id,uint32_t * min_key_size,uint32_t * max_key_size)435 void mechanism_supported_key_sizes_bytes(uint32_t proc_id,
436 uint32_t *min_key_size,
437 uint32_t *max_key_size)
438 {
439 pkcs11_mechanism_supported_key_sizes(proc_id, min_key_size,
440 max_key_size);
441
442 switch (proc_id) {
443 case PKCS11_CKM_GENERIC_SECRET_KEY_GEN:
444 case PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN:
445 case PKCS11_CKM_EC_KEY_PAIR_GEN:
446 case PKCS11_CKM_ECDSA:
447 case PKCS11_CKM_EDDSA:
448 case PKCS11_CKM_ECDSA_SHA1:
449 case PKCS11_CKM_ECDSA_SHA224:
450 case PKCS11_CKM_ECDSA_SHA256:
451 case PKCS11_CKM_ECDSA_SHA384:
452 case PKCS11_CKM_ECDSA_SHA512:
453 case PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN:
454 /* Size is in bits -> convert to bytes and ceil */
455 *min_key_size = ROUNDUP(*min_key_size, 8) / 8;
456 *max_key_size = ROUNDUP(*max_key_size, 8) / 8;
457 break;
458 default:
459 /* Size is already in bytes */
460 break;
461 }
462 }
463