Merge pull request #291 from JamieHunter/main

bryan-hunt · web-flow · commit 9a37b8d685c3 · 2022-04-15T08:54:19.000-06:00
CKA_ID support to enable Java / Greengrass V2
diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt
@@ -84,15 +84,13 @@ file(GLOB HOST_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "host/*.c")
 file(GLOB HOST_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "host/*.h")
 file(GLOB JWT_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "jwt/*.c")
 file(GLOB JWT_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "jwt/*.h")
-file(GLOB PKCS11_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.c")
-file(GLOB PKCS11_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.h")
 file(GLOB TNG_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/tng/*.c")
 file(GLOB TNG_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/tng/*.h")
 file(GLOB SHA206_API_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/api_206a/*.c")
 file(GLOB SHA206_API_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../app/api_206a/*.h")
 
-if(ATCA_PKCS11 AND (ATCA_TNGTLS_SUPPORT OR ATCA_TNGLORA_SUPPORT OR ATCA_TFLEX_SUPPORT))
-SET(TNG_SRC ${TNG_SRC} ../app/pkcs11/trust_pkcs11_config.c)
+if(ATCA_PKCS11)
+include(cmake/pkcs11.cmake)
 endif()
 
 if(${CMAKE_VERSION} VERSION_GREATER "3.8.0")
@@ -102,7 +100,6 @@ source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${TALIB_SRC})
 source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${CRYPTO_SRC})
 source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${HOST_SRC})
 source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${JWT_SRC})
-source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${PKCS11_SRC})
 source_group("App/Tng" FILES ${TNG_SRC})
 endif()
 
@@ -216,6 +213,7 @@ set(CRYPTOAUTH_SRC ${LIB_SRC}
                    ${CRYPTO_SRC}
                    ${JWT_SRC}
                    ${TNG_SRC}
+                   ${PKCS11_SRC}
                    ${MBEDTLS_SRC}
                    ${WOLFSSL_SRC}
                    ${OPENSSL_SRC}
@@ -317,14 +315,6 @@ if(ATCA_MBEDTLS)
 set(CRYPTOAUTH_SRC ${CRYPTOAUTH_SRC} ${MBEDTLS_SRC})
 endif()
 
-if(ATCA_PKCS11)
-set(CRYPTOAUTH_SRC ${CRYPTOAUTH_SRC} ${PKCS11_SRC})
-set(ATCA_LIBRARY_CONF ${DEFAULT_CONF_PATH}/${DEFAULT_CONF_FILE_NAME} CACHE STRING "" FORCE)
-if(PKCS11_DEBUG_ENABLE)
-add_definitions(-DPKCS11_DEBUG_ENABLE)
-endif(PKCS11_DEBUG_ENABLE)
-endif()
-
 if(ATCA_BUILD_SHARED_LIBS)
 add_definitions(-DATCA_BUILD_SHARED_LIBS)
 set(CRYPTOAUTH_SRC ${CRYPTOAUTH_SRC} atca_utils_sizes.c)
@@ -346,14 +336,11 @@ if(BUILD_TESTS)
 set(ATCA_TESTS_ENABLED ON CACHE INTERNAL "")
 endif(BUILD_TESTS)
 
+set(ATCA_LIBRARY_CONF ${DEFAULT_CONF_PATH}/${DEFAULT_CONF_FILE_NAME} CACHE STRING "" FORCE)
+
 configure_file(atca_config.h.in atca_config.h @ONLY)
 set(LIB_INC ${LIB_INC} ${CMAKE_CURRENT_BINARY_DIR}/atca_config.h)
 
-if(ATCA_PKCS11)
-configure_file(pkcs11/pkcs11_config.h.in pkcs11_config.h @ONLY)
-set(PKCS11_INC ${PKCS11_INC} ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_config.h)
-endif()
-
 include_directories(cryptoauth PUBLIC ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR} ../app/tng ../third_party ../third_party/hidapi/hidapi ${USB_INCLUDE_DIR})
 
 if(ATCA_MBEDTLS)
@@ -415,7 +402,9 @@ install(FILES ${CRYPTO_INC} DESTINATION ${DEFAULT_INC_PATH}/crypto COMPONENT Dev
 install(FILES ${CRYPTO_HASHES_INC} DESTINATION ${DEFAULT_INC_PATH}/crypto/hashes COMPONENT Development)
 install(FILES ${HOST_INC} DESTINATION ${DEFAULT_INC_PATH}/host COMPONENT Development)
 install(FILES ${JWT_INC} DESTINATION ${DEFAULT_INC_PATH}/jwt COMPONENT Development)
+if (ATCA_PKCS11)
 install(FILES ${PKCS11_INC} DESTINATION ${DEFAULT_INC_PATH}/pkcs11 COMPONENT Development)
+endif()
 install(FILES ${TNG_INC} DESTINATION ${DEFAULT_INC_PATH}/app/tng COMPONENT Development)
 install(FILES ${SHA206_API_INC} DESTINATION ${DEFAULT_INC_PATH}/app/api_206a COMPONENT Development)
-endif(DEFAULT_INC_PATH)
+endif(DEFAULT_INC_PATH)
diff --git a/lib/cmake/pkcs11.cmake b/lib/cmake/pkcs11.cmake
@@ -0,0 +1,32 @@
+# Helper CMake file for PKCS11 extension to the library
+
+# PKCS11 Configuration Options - See pkcs11_config.h.in
+set(PKCS11_DEBUG_ENABLE         OFF CACHE BOOL   "Enable PKCS#11 Debugging Messages")
+set(PKCS11_USE_STATIC_MEMORY    ${ATCA_NO_HEAP}  CACHE BOOL   "Use Static Memory Allocation")
+set(PKCS11_USE_STATIC_CONFIG    OFF CACHE BOOL   "Use a compiled configuration rather than loading from a filestore")
+set(PKCS11_MAX_SLOTS_ALLOWED    1   CACHE STRING "Maximum number of slots allowed in the system")
+set(PKCS11_MAX_SESSIONS_ALLOWED 10  CACHE STRING "Maximum number of total sessions allowed in the system")
+set(PKCS11_MAX_OBJECTS_ALLOWED  16  CACHE STRING "Maximum number of cryptographic objects allowed to be cached")
+set(PKCS11_MAX_LABEL_SIZE       30  CACHE STRING "Maximum label size in characters")
+set(PKCS11_LOCK_PIN_SLOT        OFF CACHE BOOL   "Define to lock the PIN slot after writing")
+set(PKCS11_PIN_KDF_ALWAYS       OFF CACHE BOOL   "Define to always convert PIN using KDF")
+set(PKCS11_PIN_PBKDF2_EN        OFF CACHE BOOL   "Define to use PBKDF2 for PIN KDF")
+set(PKCS11_PIN_PBKDF2_ITERATIONS  2 CACHE STRING "Define how many iterations PBKDF2 will use for PIN KDF")
+set(PKCS11_SEARCH_CACHE_SIZE    250 CACHE STRING "Static Search Attribute Cache in bytes")
+set(PKCS11_TOKEN_INIT_SUPPORT   OFF CACHE BOOL   "Support for configuring a blank or new device")
+set(PKCS11_MONOTONIC_ENABLE     OFF CACHE BOOL   "Include the monotonic hardware feature as an object")
+set(PKCS11_AUTO_ID_ENABLE       ON  CACHE BOOL   "Generate CKA_ID values based on standards")
+
+file(GLOB PKCS11_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.c")
+file(GLOB PKCS11_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.h")
+
+configure_file(pkcs11/pkcs11_config.h.in ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_config.h @ONLY)
+set(PKCS11_INC ${PKCS11_INC} ${CMAKE_CURRENT_BINARY_DIR}/pkcs11_config.h)
+
+if(ATCA_TNGTLS_SUPPORT OR ATCA_TNGLORA_SUPPORT OR ATCA_TFLEX_SUPPORT)
+SET(TNG_SRC ${TNG_SRC} ../app/pkcs11/trust_pkcs11_config.c)
+endif()
+
+if(${CMAKE_VERSION} VERSION_GREATER "3.8.0")
+source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${PKCS11_SRC})
+endif()
diff --git a/lib/pkcs11/pkcs11_cert.c b/lib/pkcs11/pkcs11_cert.c
@@ -335,6 +335,10 @@ CK_RV pkcs11_cert_get_subject_key_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttr
             else
             {
                 pAttribute->ulValueLen = 20;
+                if (pAttribute->pValue == NULL)
+                {
+                    return CKR_OK;
+                }
             }
         }
         else
@@ -372,6 +376,35 @@ CK_RV pkcs11_cert_get_trusted_flag(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttrib
     return CKR_ARGUMENTS_BAD;
 }
 
+static CK_RV pkcs11_cert_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute)
+{
+#if PKCS11_AUTO_ID_ENABLE
+    return pkcs11_cert_get_subject_key_id(pObject, pAttribute);
+#elif ATCA_CA_SUPPORT
+    pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject;
+    CK_RV rv = CKR_ARGUMENTS_BAD;
+
+    if (obj_ptr)
+    {
+        pkcs11_cert_check_trust_data(obj_ptr);
+
+        if (obj_ptr->data)
+        {
+            atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data;
+            uint16_t key_id = ATCA_UINT16_HOST_TO_BE(cert_cfg->public_key_dev_loc.slot);
+            rv = pkcs11_attrib_fill(pAttribute, &key_id, sizeof(uint16_t));
+        }
+        else
+        {
+            return pkcs11_attrib_empty(pObject, pAttribute);
+        }
+    }
+    return rv;
+#else
+    return pkcs11_attrib_empty(pObject, pAttribute);
+#endif
+}
+
 /**
  * CKO_CERTIFICATE (Type: CKC_X_509) - X509 Public Key Certificate Model
  */
@@ -411,7 +444,7 @@ const pkcs11_attrib_model pkcs11_cert_x509public_attributes[] = {
     /** DER-encoded Certificate subject name */
     { CKA_SUBJECT,                    pkcs11_cert_get_subject                                                                                                                                                                                                                           },
     /** Key identifier for public/private key pair (default empty) */
-    { CKA_ID,                         pkcs11_attrib_empty                                                                                                                                                                                                                               },
+    { CKA_ID,                         pkcs11_cert_get_id                                                                                                                                                                                                                                },
     /** DER-encoded Certificate issuer name (default empty)*/
     { CKA_ISSUER,                     pkcs11_attrib_empty                                                                                                                                                                                                                               },
     /** DER-encoding of the certificate serial number (default empty) */
diff --git a/lib/pkcs11/pkcs11_config.h.in b/lib/pkcs11/pkcs11_config.h.in
@@ -35,44 +35,44 @@
 
 /** Define to lock the PIN slot after writing */
 #ifndef PKCS11_LOCK_PIN_SLOT
-#define PKCS11_LOCK_PIN_SLOT            0
+#cmakedefine01 PKCS11_LOCK_PIN_SLOT
 #endif
 
 /** Enable PKCS#11 Debugging Messages */
 #ifndef PKCS11_DEBUG_ENABLE
-#define PKCS11_DEBUG_ENABLE             0
+#cmakedefine01 PKCS11_DEBUG_ENABLE
 #endif
 
 /** Use Static or Dynamic Allocation */
 #ifndef PKCS11_USE_STATIC_MEMORY
-#define PKCS11_USE_STATIC_MEMORY        1
+#cmakedefine01 PKCS11_USE_STATIC_MEMORY
 #endif
 
 /** Use a compiled configuration rather than loading from a filestore */
 #ifndef PKCS11_USE_STATIC_CONFIG
-#define PKCS11_USE_STATIC_CONFIG        0
+#cmakedefine01 PKCS11_USE_STATIC_CONFIG
 #endif
 
 /** Maximum number of slots allowed in the system - if static memory this will
    always be the number of slots */
 #ifndef PKCS11_MAX_SLOTS_ALLOWED
-#define PKCS11_MAX_SLOTS_ALLOWED        1
+#define PKCS11_MAX_SLOTS_ALLOWED        @PKCS11_MAX_SLOTS_ALLOWED@
 #endif
 
 /** Maximum number of total sessions allowed in the system - if using static
    memory then this many session contexts will be allocated */
 #ifndef PKCS11_MAX_SESSIONS_ALLOWED
-#define PKCS11_MAX_SESSIONS_ALLOWED     10
+#define PKCS11_MAX_SESSIONS_ALLOWED     @PKCS11_MAX_SESSIONS_ALLOWED@
 #endif
 
 /** Maximum number of cryptographic objects allowed to be cached */
 #ifndef PKCS11_MAX_OBJECTS_ALLOWED
-#define PKCS11_MAX_OBJECTS_ALLOWED      16
+#define PKCS11_MAX_OBJECTS_ALLOWED      @PKCS11_MAX_OBJECTS_ALLOWED@
 #endif
 
 /** Maximum label size in characters */
 #ifndef PKCS11_MAX_LABEL_SIZE
-#define PKCS11_MAX_LABEL_SIZE           30
+#define PKCS11_MAX_LABEL_SIZE           @PKCS11_MAX_LABEL_SIZE@
 #endif
 
 /** Define to always convert PIN using KDF */
@@ -83,8 +83,8 @@
 
 /** Define how many iterations PBKDF2 will use for PIN KDF */
 #if defined(PKCS11_PIN_PBKDF2_EN) && !defined(PKCS11_PIN_PBKDF2_ITERATIONS)
-#define PKCS11_PIN_PBKDF2_ITERATIONS    2
-#endif    
+#define PKCS11_PIN_PBKDF2_ITERATIONS    @PKCS11_PIN_PBKDF2_ITERATIONS@
+#endif
 
 /****************************************************************************/
 /* The following configuration options are for fine tuning of the library   */
@@ -96,25 +96,29 @@
    intends to use. Otherwise compilers will not be able to optimize out the unusued
    functions */
 #ifndef PKCS11_EXTERNAL_FUNCTION_LIST
-#define PKCS11_EXTERNAL_FUNCTION_LIST    0
+#cmakedefine01 PKCS11_EXTERNAL_FUNCTION_LIST
 #endif
 
 /** Static Search Attribute Cache in bytes (variable number of attributes based
    on size and memory requirements) */
 #ifndef PKCS11_SEARCH_CACHE_SIZE
-#define PKCS11_SEARCH_CACHE_SIZE        250
+#define PKCS11_SEARCH_CACHE_SIZE        @PKCS11_SEARCH_CACHE_SIZE@
 #endif
 
 /** Support for configuring a "blank" or new device */
 #ifndef PKCS11_TOKEN_INIT_SUPPORT
-#define PKCS11_TOKEN_INIT_SUPPORT       1
+#cmakedefine01 PKCS11_TOKEN_INIT_SUPPORT
 #endif
 
 /** Include the monotonic hardware feature as an object */
 #ifndef PKCS11_MONOTONIC_ENABLE
-#define PKCS11_MONOTONIC_ENABLE         0
+#cmakedefine01 PKCS11_MONOTONIC_ENABLE
 #endif
 
+/** Automatically generate CKA_ID values based on standards */
+#ifndef PKCS11_AUTO_ID_ENABLE
+#cmakedefine01 PKCS11_AUTO_ID_ENABLE
+#endif
 
 #include "pkcs11/cryptoki.h"
 #include <stddef.h>
diff --git a/lib/pkcs11/pkcs11_key.c b/lib/pkcs11/pkcs11_key.c
@@ -373,6 +373,61 @@ static CK_RV pkcs11_key_auth_required(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAtt
     return rv;
 }
 
+static CK_RV pkcs11_key_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute)
+{
+    pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject;
+    CK_RV rv = CKR_ARGUMENTS_BAD;
+
+    if (obj_ptr)
+    {
+#if PKCS11_AUTO_ID_ENABLE
+        if (pAttribute->pValue)
+        {
+            CK_BBOOL is_private;
+
+            if (CKR_OK == (rv = pkcs11_object_is_private(obj_ptr, &is_private)))
+            {
+                ATCA_STATUS status;
+                uint8_t buffer[1 + ATCA_ECCP256_PUBKEY_SIZE] = {0x04};
+
+                if (is_private)
+                {
+                    status = atcab_get_pubkey(obj_ptr->slot, &buffer[1]);
+                    PKCS11_DEBUG("atcab_get_pubkey: %x\r\n", status);
+                }
+                else
+                {
+                    status = atcab_read_pubkey(obj_ptr->slot, &buffer[1]);
+                    PKCS11_DEBUG("atcab_read_pubkey: %x\r\n", status);
+                }
+
+                if (ATCA_SUCCESS == status)
+                {
+                    status = atcac_sw_sha1(buffer, sizeof(buffer), buffer);
+                }
+
+                if (ATCA_SUCCESS == status)
+                {
+                    rv = pkcs11_attrib_fill(pAttribute, buffer, ATCA_SHA1_DIGEST_SIZE);
+                }
+                else
+                {
+                    rv = pkcs11_util_convert_rv(status);
+                }
+            }
+        }
+        else
+        {
+            rv = pkcs11_attrib_fill(pAttribute, NULL, ATCA_SHA1_DIGEST_SIZE);
+        }
+#else
+        uint16_t key_id = ATCA_UINT16_HOST_TO_BE(obj_ptr->slot);
+        rv = pkcs11_attrib_fill(pAttribute, &key_id, sizeof(uint16_t));
+#endif
+    }
+    return rv;
+}
+
 /**
  * CKO_PUBLIC_KEY - Public Key Object Model
  */
@@ -394,7 +449,7 @@ const pkcs11_attrib_model pkcs11_key_public_attributes[] = {
     /** Type of key */
     { CKA_KEY_TYPE,           pkcs11_object_get_type                                                                                                                                                              },
     /** Key identifier for key (default empty) */
-    { CKA_ID,                 pkcs11_attrib_empty                                                                                                                                                                 },
+    { CKA_ID,                 pkcs11_key_get_id                                                                                                                                                                 },
     /** Start date for the key (default empty) */
     { CKA_START_DATE,         pkcs11_attrib_empty                                                                                                                                                                 },
     /** End date for the key (default empty) */
@@ -484,7 +539,7 @@ const pkcs11_attrib_model pkcs11_key_private_attributes[] = {
     /** Type of key */
     { CKA_KEY_TYPE,            pkcs11_object_get_type                                                                                                                                                                                       },
     /** Key identifier for key (default empty) */
-    { CKA_ID,                  pkcs11_attrib_empty                                                                                                                                                                                          },
+    { CKA_ID,                  pkcs11_key_get_id                                                                                                                                                                                          },
     /** Start date for the key (default empty) */
     { CKA_START_DATE,          pkcs11_attrib_empty                                                                                                                                                                                          },
     /** End date for the key (default empty) */
