1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (c) 2017-2020, Linaro Limited
4 */
5
6 #include <assert.h>
7 #include <pkcs11_ta.h>
8 #include <string.h>
9 #include <util.h>
10 #include <tee_api.h>
11 #include <tee_internal_api_extensions.h>
12
13 #include "pkcs11_helpers.h"
14 #include "token_capabilities.h"
15
16 #define ALLOWED_PKCS11_CKFM \
17 (PKCS11_CKFM_ENCRYPT | PKCS11_CKFM_DECRYPT | \
18 PKCS11_CKFM_DERIVE | PKCS11_CKFM_DIGEST | \
19 PKCS11_CKFM_SIGN | PKCS11_CKFM_SIGN_RECOVER | \
20 PKCS11_CKFM_VERIFY | PKCS11_CKFM_VERIFY_RECOVER | \
21 PKCS11_CKFM_GENERATE | PKCS11_CKFM_GENERATE_KEY_PAIR | \
22 PKCS11_CKFM_WRAP | PKCS11_CKFM_UNWRAP)
23
24 /*
25 * Definition of supported processings for a PKCS#11 mechanisms
26 * @id: Mechanism ID
27 * @flags: Valid PKCS11_CKFM_* for a mechanism as per PKCS#11
28 * @one_shot: true of mechanism can be used for a one-short processing
29 * @string: Helper string of the mechanism ID for debug purpose
30 */
31 struct pkcs11_mechachism_modes {
32 uint32_t id;
33 uint32_t flags;
34 bool one_shot;
35 #if CFG_TEE_TA_LOG_LEVEL > 0
36 const char *string;
37 #endif
38 };
39
40 #if CFG_TEE_TA_LOG_LEVEL > 0
41 #define MECHANISM(_label, _flags, _single_part) \
42 { \
43 .id = _label, \
44 .one_shot = (_single_part), \
45 .flags = (_flags), \
46 .string = #_label, \
47 }
48 #else
49 #define MECHANISM(_label, _flags, _single_part) \
50 { \
51 .id = _label, \
52 .one_shot = (_single_part), \
53 .flags = (_flags), \
54 }
55 #endif
56
57 #define SINGLE_PART_ONLY true
58 #define ANY_PART false
59
60 #define CKFM_CIPHER (PKCS11_CKFM_ENCRYPT | PKCS11_CKFM_DECRYPT)
61 #define CKFM_WRAP_UNWRAP (PKCS11_CKFM_WRAP | PKCS11_CKFM_UNWRAP)
62 #define CKFM_CIPHER_WRAP (CKFM_CIPHER | CKFM_WRAP_UNWRAP)
63 #define CKFM_CIPHER_WRAP_DERIVE (CKFM_CIPHER_WRAP | PKCS11_CKFM_DERIVE)
64 #define CKFM_AUTH_NO_RECOVER (PKCS11_CKFM_SIGN | PKCS11_CKFM_VERIFY)
65 #define CKFM_AUTH_WITH_RECOVER (PKCS11_CKFM_SIGN_RECOVER | \
66 PKCS11_CKFM_VERIFY_RECOVER)
67
68 /* PKCS#11 specificies permitted operation for each mechanism */
69 static const struct pkcs11_mechachism_modes pkcs11_modes[] = {
70 /* AES */
71 MECHANISM(PKCS11_CKM_AES_ECB, CKFM_CIPHER_WRAP, ANY_PART),
72 MECHANISM(PKCS11_CKM_AES_CBC, CKFM_CIPHER_WRAP, ANY_PART),
73 MECHANISM(PKCS11_CKM_AES_CBC_PAD, CKFM_CIPHER_WRAP, ANY_PART),
74 MECHANISM(PKCS11_CKM_AES_CTS, CKFM_CIPHER_WRAP, ANY_PART),
75 MECHANISM(PKCS11_CKM_AES_CTR, CKFM_CIPHER_WRAP, ANY_PART),
76 MECHANISM(PKCS11_CKM_AES_GCM, CKFM_CIPHER_WRAP, ANY_PART),
77 MECHANISM(PKCS11_CKM_AES_CMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
78 MECHANISM(PKCS11_CKM_AES_CMAC_GENERAL, CKFM_AUTH_NO_RECOVER, ANY_PART),
79 MECHANISM(PKCS11_CKM_AES_ECB_ENCRYPT_DATA, PKCS11_CKFM_DERIVE,
80 ANY_PART),
81 MECHANISM(PKCS11_CKM_AES_CBC_ENCRYPT_DATA, PKCS11_CKFM_DERIVE,
82 ANY_PART),
83 MECHANISM(PKCS11_CKM_AES_KEY_GEN, PKCS11_CKFM_GENERATE, ANY_PART),
84 MECHANISM(PKCS11_CKM_GENERIC_SECRET_KEY_GEN, PKCS11_CKFM_GENERATE,
85 ANY_PART),
86 /* Digest */
87 MECHANISM(PKCS11_CKM_MD5, PKCS11_CKFM_DIGEST, ANY_PART),
88 MECHANISM(PKCS11_CKM_SHA_1, PKCS11_CKFM_DIGEST, ANY_PART),
89 MECHANISM(PKCS11_CKM_SHA224, PKCS11_CKFM_DIGEST, ANY_PART),
90 MECHANISM(PKCS11_CKM_SHA256, PKCS11_CKFM_DIGEST, ANY_PART),
91 MECHANISM(PKCS11_CKM_SHA384, PKCS11_CKFM_DIGEST, ANY_PART),
92 MECHANISM(PKCS11_CKM_SHA512, PKCS11_CKFM_DIGEST, ANY_PART),
93 /* HMAC */
94 MECHANISM(PKCS11_CKM_MD5_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
95 MECHANISM(PKCS11_CKM_SHA_1_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
96 MECHANISM(PKCS11_CKM_SHA224_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
97 MECHANISM(PKCS11_CKM_SHA256_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
98 MECHANISM(PKCS11_CKM_SHA384_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
99 MECHANISM(PKCS11_CKM_SHA512_HMAC, CKFM_AUTH_NO_RECOVER, ANY_PART),
100 MECHANISM(PKCS11_CKM_MD5_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER, ANY_PART),
101 MECHANISM(PKCS11_CKM_SHA_1_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER,
102 ANY_PART),
103 MECHANISM(PKCS11_CKM_SHA224_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER,
104 ANY_PART),
105 MECHANISM(PKCS11_CKM_SHA256_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER,
106 ANY_PART),
107 MECHANISM(PKCS11_CKM_SHA384_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER,
108 ANY_PART),
109 MECHANISM(PKCS11_CKM_SHA512_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER,
110 ANY_PART),
111 /* EC */
112 MECHANISM(PKCS11_CKM_EC_KEY_PAIR_GEN, PKCS11_CKFM_GENERATE_KEY_PAIR,
113 ANY_PART),
114 MECHANISM(PKCS11_CKM_ECDH1_DERIVE, PKCS11_CKFM_DERIVE,
115 ANY_PART),
116 MECHANISM(PKCS11_CKM_ECDSA, CKFM_AUTH_NO_RECOVER, SINGLE_PART_ONLY),
117 MECHANISM(PKCS11_CKM_ECDSA_SHA1, CKFM_AUTH_NO_RECOVER, ANY_PART),
118 MECHANISM(PKCS11_CKM_ECDSA_SHA224, CKFM_AUTH_NO_RECOVER, ANY_PART),
119 MECHANISM(PKCS11_CKM_ECDSA_SHA256, CKFM_AUTH_NO_RECOVER, ANY_PART),
120 MECHANISM(PKCS11_CKM_ECDSA_SHA384, CKFM_AUTH_NO_RECOVER, ANY_PART),
121 MECHANISM(PKCS11_CKM_ECDSA_SHA512, CKFM_AUTH_NO_RECOVER, ANY_PART),
122 /* EDDSA */
123 MECHANISM(PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN,
124 PKCS11_CKFM_GENERATE_KEY_PAIR, ANY_PART),
125 MECHANISM(PKCS11_CKM_EDDSA, CKFM_AUTH_NO_RECOVER, ANY_PART),
126 /* RSA */
127 MECHANISM(PKCS11_CKM_RSA_AES_KEY_WRAP, CKFM_CIPHER_WRAP,
128 SINGLE_PART_ONLY),
129 MECHANISM(PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN,
130 PKCS11_CKFM_GENERATE_KEY_PAIR, ANY_PART),
131 MECHANISM(PKCS11_CKM_RSA_PKCS, CKFM_CIPHER_WRAP | CKFM_AUTH_NO_RECOVER |
132 CKFM_AUTH_WITH_RECOVER, SINGLE_PART_ONLY),
133 MECHANISM(PKCS11_CKM_RSA_PKCS_OAEP, CKFM_CIPHER_WRAP,
134 SINGLE_PART_ONLY),
135 MECHANISM(PKCS11_CKM_RSA_X_509, CKFM_CIPHER_WRAP |
136 CKFM_AUTH_NO_RECOVER | CKFM_AUTH_WITH_RECOVER,
137 SINGLE_PART_ONLY),
138 MECHANISM(PKCS11_CKM_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER,
139 SINGLE_PART_ONLY),
140 MECHANISM(PKCS11_CKM_MD5_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
141 MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
142 MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER, ANY_PART),
143 MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
144 MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
145 MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
146 MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER,
147 ANY_PART),
148 MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER,
149 ANY_PART),
150 MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER,
151 ANY_PART),
152 MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS, CKFM_AUTH_NO_RECOVER, ANY_PART),
153 MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER,
154 ANY_PART),
155 };
156
157 #if CFG_TEE_TA_LOG_LEVEL > 0
mechanism_string_id(enum pkcs11_mechanism_id id)158 const char *mechanism_string_id(enum pkcs11_mechanism_id id)
159 {
160 const size_t offset = sizeof("PKCS11_CKM_") - 1;
161 size_t n = 0;
162
163 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++)
164 if (pkcs11_modes[n].id == id)
165 return pkcs11_modes[n].string + offset;
166
167 return "Unknown ID";
168 }
169 #endif /*CFG_TEE_TA_LOG_LEVEL*/
170
171 /*
172 * Return true if @id is a valid mechanism ID
173 */
mechanism_is_valid(enum pkcs11_mechanism_id id)174 bool mechanism_is_valid(enum pkcs11_mechanism_id id)
175 {
176 size_t n = 0;
177
178 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++)
179 if (id == pkcs11_modes[n].id)
180 return true;
181
182 return false;
183 }
184
185 /*
186 * Return true if mechanism ID is valid and flags matches PKCS#11 compliancy
187 */
mechanism_flags_complies_pkcs11(uint32_t mechanism_type,uint32_t flags)188 bool __maybe_unused mechanism_flags_complies_pkcs11(uint32_t mechanism_type,
189 uint32_t flags)
190 {
191 size_t n = 0;
192
193 assert((flags & ~ALLOWED_PKCS11_CKFM) == 0);
194
195 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++) {
196 if (pkcs11_modes[n].id == mechanism_type) {
197 if (flags & ~pkcs11_modes[n].flags)
198 EMSG("%s flags: 0x%"PRIx32" vs 0x%"PRIx32,
199 id2str_mechanism(mechanism_type),
200 flags, pkcs11_modes[n].flags);
201
202 return (flags & ~pkcs11_modes[n].flags) == 0;
203 }
204 }
205
206 /* Mechanism ID unexpectedly not found */
207 return false;
208 }
209
mechanism_is_one_shot_only(uint32_t mechanism_type)210 bool mechanism_is_one_shot_only(uint32_t mechanism_type)
211 {
212 size_t n = 0;
213
214 for (n = 0; n < ARRAY_SIZE(pkcs11_modes); n++)
215 if (pkcs11_modes[n].id == mechanism_type)
216 return pkcs11_modes[n].one_shot;
217
218 /* Mechanism ID unexpectedly not found */
219 TEE_Panic(PKCS11_RV_NOT_FOUND);
220 /* Dummy return to keep compiler happy */
221 return false;
222 }
223
224 /*
225 * Field single_part_only is unused from array token_mechanism[], hence
226 * simply use ANY_PART for all mechanism there.
227 */
228 #define TA_MECHANISM(_label, _flags) MECHANISM((_label), (_flags), ANY_PART)
229
230 /*
231 * Arrays that centralizes the IDs and processing flags for mechanisms
232 * supported by each embedded token.
233 */
234 const struct pkcs11_mechachism_modes token_mechanism[] = {
235 TA_MECHANISM(PKCS11_CKM_AES_ECB, CKFM_CIPHER_WRAP),
236 TA_MECHANISM(PKCS11_CKM_AES_CBC, CKFM_CIPHER_WRAP),
237 TA_MECHANISM(PKCS11_CKM_AES_CTR, CKFM_CIPHER),
238 TA_MECHANISM(PKCS11_CKM_AES_GCM, CKFM_CIPHER),
239 TA_MECHANISM(PKCS11_CKM_AES_CTS, CKFM_CIPHER),
240 TA_MECHANISM(PKCS11_CKM_AES_CMAC, CKFM_AUTH_NO_RECOVER),
241 TA_MECHANISM(PKCS11_CKM_AES_CMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
242 TA_MECHANISM(PKCS11_CKM_AES_ECB_ENCRYPT_DATA, PKCS11_CKFM_DERIVE),
243 TA_MECHANISM(PKCS11_CKM_AES_CBC_ENCRYPT_DATA, PKCS11_CKFM_DERIVE),
244 TA_MECHANISM(PKCS11_CKM_ECDH1_DERIVE, PKCS11_CKFM_DERIVE),
245 TA_MECHANISM(PKCS11_CKM_AES_KEY_GEN, PKCS11_CKFM_GENERATE),
246 TA_MECHANISM(PKCS11_CKM_GENERIC_SECRET_KEY_GEN, PKCS11_CKFM_GENERATE),
247 TA_MECHANISM(PKCS11_CKM_MD5, PKCS11_CKFM_DIGEST),
248 TA_MECHANISM(PKCS11_CKM_SHA_1, PKCS11_CKFM_DIGEST),
249 TA_MECHANISM(PKCS11_CKM_SHA224, PKCS11_CKFM_DIGEST),
250 TA_MECHANISM(PKCS11_CKM_SHA256, PKCS11_CKFM_DIGEST),
251 TA_MECHANISM(PKCS11_CKM_SHA384, PKCS11_CKFM_DIGEST),
252 TA_MECHANISM(PKCS11_CKM_SHA512, PKCS11_CKFM_DIGEST),
253 TA_MECHANISM(PKCS11_CKM_MD5_HMAC, CKFM_AUTH_NO_RECOVER),
254 TA_MECHANISM(PKCS11_CKM_SHA_1_HMAC, CKFM_AUTH_NO_RECOVER),
255 TA_MECHANISM(PKCS11_CKM_SHA224_HMAC, CKFM_AUTH_NO_RECOVER),
256 TA_MECHANISM(PKCS11_CKM_SHA256_HMAC, CKFM_AUTH_NO_RECOVER),
257 TA_MECHANISM(PKCS11_CKM_SHA384_HMAC, CKFM_AUTH_NO_RECOVER),
258 TA_MECHANISM(PKCS11_CKM_SHA512_HMAC, CKFM_AUTH_NO_RECOVER),
259 TA_MECHANISM(PKCS11_CKM_MD5_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
260 TA_MECHANISM(PKCS11_CKM_SHA_1_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
261 TA_MECHANISM(PKCS11_CKM_SHA224_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
262 TA_MECHANISM(PKCS11_CKM_SHA256_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
263 TA_MECHANISM(PKCS11_CKM_SHA384_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
264 TA_MECHANISM(PKCS11_CKM_SHA512_HMAC_GENERAL, CKFM_AUTH_NO_RECOVER),
265 TA_MECHANISM(PKCS11_CKM_EC_KEY_PAIR_GEN,
266 PKCS11_CKFM_GENERATE_KEY_PAIR),
267 TA_MECHANISM(PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN,
268 PKCS11_CKFM_GENERATE_KEY_PAIR),
269 TA_MECHANISM(PKCS11_CKM_ECDSA, CKFM_AUTH_NO_RECOVER),
270 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA1, CKFM_AUTH_NO_RECOVER),
271 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA224, CKFM_AUTH_NO_RECOVER),
272 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA256, CKFM_AUTH_NO_RECOVER),
273 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA384, CKFM_AUTH_NO_RECOVER),
274 TA_MECHANISM(PKCS11_CKM_ECDSA_SHA512, CKFM_AUTH_NO_RECOVER),
275 TA_MECHANISM(PKCS11_CKM_EDDSA, CKFM_AUTH_NO_RECOVER),
276 TA_MECHANISM(PKCS11_CKM_RSA_AES_KEY_WRAP, CKFM_CIPHER_WRAP),
277 TA_MECHANISM(PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN,
278 PKCS11_CKFM_GENERATE_KEY_PAIR),
279 TA_MECHANISM(PKCS11_CKM_RSA_PKCS, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER),
280 #ifdef CFG_PKCS11_TA_RSA_X_509
281 TA_MECHANISM(PKCS11_CKM_RSA_X_509, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER),
282 #endif
283 TA_MECHANISM(PKCS11_CKM_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
284 TA_MECHANISM(PKCS11_CKM_MD5_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
285 TA_MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
286 TA_MECHANISM(PKCS11_CKM_RSA_PKCS_OAEP, CKFM_CIPHER),
287 TA_MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
288 TA_MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
289 TA_MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
290 TA_MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
291 TA_MECHANISM(PKCS11_CKM_SHA256_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
292 TA_MECHANISM(PKCS11_CKM_SHA384_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
293 TA_MECHANISM(PKCS11_CKM_SHA512_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
294 TA_MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
295 TA_MECHANISM(PKCS11_CKM_SHA224_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
296 };
297
298 /*
299 * tee_malloc_mechanism_array - Allocate and fill array of supported mechanisms
300 * @count: [in] [out] Pointer to number of mechanism IDs in client resource
301 * Return allocated array of the supported mechanism IDs
302 *
303 * Allocates array with 32bit cells mechanism IDs for the supported ones only
304 * if *@count covers number mechanism IDs exposed.
305 */
tee_malloc_mechanism_list(size_t * out_count)306 uint32_t *tee_malloc_mechanism_list(size_t *out_count)
307 {
308 size_t n = 0;
309 size_t count = 0;
310 uint32_t *array = NULL;
311
312 for (n = 0; n < ARRAY_SIZE(token_mechanism); n++)
313 if (token_mechanism[n].flags)
314 count++;
315
316 if (*out_count >= count)
317 array = TEE_Malloc(count * sizeof(*array),
318 TEE_USER_MEM_HINT_NO_FILL_ZERO);
319
320 *out_count = count;
321
322 if (!array)
323 return NULL;
324
325 for (n = 0; n < ARRAY_SIZE(token_mechanism); n++) {
326 if (token_mechanism[n].flags) {
327 count--;
328 array[count] = token_mechanism[n].id;
329 }
330 }
331 assert(!count);
332
333 return array;
334 }
335
mechanism_supported_flags(enum pkcs11_mechanism_id id)336 uint32_t mechanism_supported_flags(enum pkcs11_mechanism_id id)
337 {
338 size_t n = 0;
339
340 for (n = 0; n < ARRAY_SIZE(token_mechanism); n++) {
341 if (id == token_mechanism[n].id) {
342 uint32_t flags = token_mechanism[n].flags;
343
344 assert(mechanism_flags_complies_pkcs11(id, flags));
345 return flags;
346 }
347 }
348
349 return 0;
350 }
351
pkcs11_mechanism_supported_key_sizes(uint32_t proc_id,uint32_t * min_key_size,uint32_t * max_key_size)352 void pkcs11_mechanism_supported_key_sizes(uint32_t proc_id,
353 uint32_t *min_key_size,
354 uint32_t *max_key_size)
355 {
356 switch (proc_id) {
357 case PKCS11_CKM_GENERIC_SECRET_KEY_GEN:
358 /* This mechanism expects the keysize to be returned in bits */
359 *min_key_size = 1; /* in bits */
360 *max_key_size = 4096; /* in bits */
361 break;
362 case PKCS11_CKM_MD5_HMAC:
363 case PKCS11_CKM_MD5_HMAC_GENERAL:
364 *min_key_size = 8;
365 *max_key_size = 64;
366 break;
367 case PKCS11_CKM_SHA_1_HMAC:
368 case PKCS11_CKM_SHA_1_HMAC_GENERAL:
369 *min_key_size = 10;
370 *max_key_size = 64;
371 break;
372 case PKCS11_CKM_SHA224_HMAC:
373 case PKCS11_CKM_SHA224_HMAC_GENERAL:
374 *min_key_size = 14;
375 *max_key_size = 64;
376 break;
377 case PKCS11_CKM_SHA256_HMAC:
378 case PKCS11_CKM_SHA256_HMAC_GENERAL:
379 *min_key_size = 24;
380 *max_key_size = 128;
381 break;
382 case PKCS11_CKM_SHA384_HMAC:
383 case PKCS11_CKM_SHA384_HMAC_GENERAL:
384 *min_key_size = 32;
385 *max_key_size = 128;
386 break;
387 case PKCS11_CKM_SHA512_HMAC:
388 case PKCS11_CKM_SHA512_HMAC_GENERAL:
389 *min_key_size = 32;
390 *max_key_size = 128;
391 break;
392 case PKCS11_CKM_AES_KEY_GEN:
393 case PKCS11_CKM_AES_ECB:
394 case PKCS11_CKM_AES_CBC:
395 case PKCS11_CKM_AES_CBC_PAD:
396 case PKCS11_CKM_AES_CTR:
397 case PKCS11_CKM_AES_GCM:
398 case PKCS11_CKM_AES_CTS:
399 case PKCS11_CKM_AES_CMAC:
400 case PKCS11_CKM_AES_CMAC_GENERAL:
401 *min_key_size = 16;
402 *max_key_size = 32;
403 break;
404 case PKCS11_CKM_EC_KEY_PAIR_GEN:
405 case PKCS11_CKM_ECDSA:
406 case PKCS11_CKM_ECDSA_SHA1:
407 case PKCS11_CKM_ECDSA_SHA224:
408 case PKCS11_CKM_ECDSA_SHA256:
409 case PKCS11_CKM_ECDSA_SHA384:
410 case PKCS11_CKM_ECDSA_SHA512:
411 case PKCS11_CKM_ECDH1_DERIVE:
412 *min_key_size = 160; /* in bits */
413 *max_key_size = 521; /* in bits */
414 break;
415 case PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN:
416 case PKCS11_CKM_EDDSA:
417 *min_key_size = 256; /* in bits */
418 *max_key_size = 448; /* in bits */
419 break;
420 case PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN:
421 case PKCS11_CKM_RSA_PKCS:
422 case PKCS11_CKM_RSA_X_509:
423 case PKCS11_CKM_MD5_RSA_PKCS:
424 case PKCS11_CKM_SHA1_RSA_PKCS:
425 case PKCS11_CKM_RSA_PKCS_OAEP:
426 case PKCS11_CKM_SHA1_RSA_PKCS_PSS:
427 case PKCS11_CKM_SHA256_RSA_PKCS:
428 case PKCS11_CKM_SHA384_RSA_PKCS:
429 case PKCS11_CKM_SHA512_RSA_PKCS:
430 case PKCS11_CKM_SHA256_RSA_PKCS_PSS:
431 case PKCS11_CKM_SHA384_RSA_PKCS_PSS:
432 case PKCS11_CKM_SHA512_RSA_PKCS_PSS:
433 case PKCS11_CKM_SHA224_RSA_PKCS:
434 case PKCS11_CKM_SHA224_RSA_PKCS_PSS:
435 *min_key_size = 256; /* in bits */
436 *max_key_size = 4096; /* in bits */
437 break;
438 default:
439 *min_key_size = 0;
440 *max_key_size = 0;
441 break;
442 }
443 }
444
mechanism_supported_key_sizes_bytes(uint32_t proc_id,uint32_t * min_key_size,uint32_t * max_key_size)445 void mechanism_supported_key_sizes_bytes(uint32_t proc_id,
446 uint32_t *min_key_size,
447 uint32_t *max_key_size)
448 {
449 pkcs11_mechanism_supported_key_sizes(proc_id, min_key_size,
450 max_key_size);
451
452 switch (proc_id) {
453 case PKCS11_CKM_GENERIC_SECRET_KEY_GEN:
454 case PKCS11_CKM_EC_EDWARDS_KEY_PAIR_GEN:
455 case PKCS11_CKM_EC_KEY_PAIR_GEN:
456 case PKCS11_CKM_ECDSA:
457 case PKCS11_CKM_EDDSA:
458 case PKCS11_CKM_ECDSA_SHA1:
459 case PKCS11_CKM_ECDSA_SHA224:
460 case PKCS11_CKM_ECDSA_SHA256:
461 case PKCS11_CKM_ECDSA_SHA384:
462 case PKCS11_CKM_ECDSA_SHA512:
463 case PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN:
464 /* Size is in bits -> convert to bytes and ceil */
465 *min_key_size = ROUNDUP_DIV(*min_key_size, 8);
466 *max_key_size = ROUNDUP_DIV(*max_key_size, 8);
467 break;
468 default:
469 /* Size is already in bytes */
470 break;
471 }
472 }
473