ta: pkcs11: Add certificate object support

[vesajaaskelainen]

Adds support for:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01

4.6 Certificate objects
4.6.3 X.509 public key certificate objects

Relates to:

• PKCS#11 work merge in the upstream #4283

Related PRs:

• libckteec: Add certificate object support optee_client#283
• xtest: pkcs11: Add X.509 certificate tests optee_test#542
• libckteec: Fix X.509 certificate attribute handlings optee_client#287

Signed-off-by: Vesa Jääskeläinen vesa.jaaskelainen@vaisala.com

---

Before there is tests available here are some manual steps on how to test it out.

NSS certutil is the easiest command line tool to import certificates:

# Your token settings
export PKCS11_MODULE=/usr/lib/libckteec.so.0
export PKCS11_SLOT=0
export PKCS11_TOKEN=token
export PKCS11_SO_PIN=1234567890
export PKCS11_USER_PIN=1234

# 0. Initialize token
pkcs11-tool --module ${PKCS11_MODULE} --slot-index ${PKCS11_SLOT} --init-token --label ${PKCS11_TOKEN} --so-pin ${PKCS11_SO_PIN}
pkcs11-tool --module ${PKCS11_MODULE} --slot-index ${PKCS11_SLOT} --init-pin --login --so-pin ${PKCS11_SO_PIN} --new-pin ${PKCS11_USER_PIN}

# 1. Configure NSS with OP-TEE (can also be rootfs build time thing)
modutil -dbdir sql:/etc/pki/nssdb -list

# Note: this writes to the nssdb location so needs to be writable during configuration time
modutil -dbdir sql:/etc/pki/nssdb -add "OP-TEE" -libfile ${PKCS11_MODULE} -mechanisms RSA

# 2. Some runtime helpers to make life easier with scripts
mkdir -p /run/pki && echo ${PKCS11_USER_PIN} > /run/pki/pin && dd if=/dev/random of=/run/pki/noise bs=1 count=32

# 3. Import your selected certificate (Root CA in this example)
export X509_CERT_LABEL=GlobalSign_Root_CA
export X509_CERT_FILE=/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt

certutil -d sql:/etc/pki/nssdb -h ${PKCS11_TOKEN} -f /run/pki/pin -A -n ${X509_CERT_LABEL} -i ${X509_CERT_FILE} -t "C,,"

# 4. Check that it is there with pkcs11-tool
pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --list-objects --type cert

# 5. Generate key and CSR with NSS:
export RSA_KEY_LABEL=rsa-key

# Note: -z argument makes life easier with scripting and that random is not really used for key generation
certutil -z /run/pki/noise -d sql:/etc/pki/nssdb -h ${PKCS11_TOKEN} -f /run/pki/pin -R -k rsa -g 2048 -n ${RSA_KEY_LABEL} -a -o test.csr -Z SHA256 -s "C=FI, O=Manufacture, CN=Device, serialNumber=L12345" --keyUsage digitalSignature,keyAgreement --extKeyUsage serverAuth,clientAuth

# 6. Observer all objects
pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --list-objects
# For some reason the label is lost and not stored by NSS (at least the version under testing)

# 7. Import signed certificate (for above CSR)
certutil -d sql:/etc/pki/nssdb -h ${PKCS11_TOKEN} -f /run/pki/pin -A -n ${RSA_KEY_LABEL} -i test.crt -t "C,,"

# 8. Observer all objects
pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --list-objects
# Observe that ID for public key, private key and for certificate are the same.

# 9. Dump DER of certificate and make is readable with openssl
pkcs11-tool --module ${PKCS11_MODULE} --token ${PKCS11_TOKEN} --login --pin ${PKCS11_USER_PIN} --read-object --label ${RSA_KEY_LABEL} --type cert | openssl x509 -text -noout -inform DER

[vesajaaskelainen]

Note: I try to cook up some simple xtest certificate test while the RSA test PRs are in review.

[etienne-lms]

minor: could prevent few line breaks:

	if ((rc == PKCS11_CKR_OK && !attr_size) || rc == PKCS11_RV_NOT_FOUND) {
		rc = set_attribute(out, PKCS11_CKA_CERTIFICATE_CATEGORY,
				   &cert_category, sizeof(cert_category));
		if (rc)
			return rc;
	}

[etienne-lms]

Also, prefer have cert_category defined in this block. Easier to read up:

	if ((rc == PKCS11_CKR_OK && !attr_size) || rc == PKCS11_RV_NOT_FOUND) {
+		uint32_t cert_category = PKCS11_CK_CERTIFICATE_CATEGORY_UNSPECIFIED;
+
		rc = set_attribute(out, PKCS11_CKA_CERTIFICATE_CATEGORY,
				   &cert_category, sizeof(cert_category));
		if (rc)
			return rc;
	}

ditto for name_hash_alg in the next instruction block.

[vesajaaskelainen]

Moving cert_category there causes checkpatch issue -- so I left variables where they were.

Did the line break changes.

[etienne-lms]

minor: prefer add a comma at line end. (ditto line 370)

[vesajaaskelainen]

OK

[vesajaaskelainen]

Did same for pkcs11_x509_certificate_optional

[etienne-lms]

Should maybe be renamed default_category to avoid confusion.

Same a next line: name_hash_alg => default_hash_alg.

[vesajaaskelainen]

OK

[etienne-lms]

Should we check the already existing category is a known value?

Ditto for the hash algo ID checked right below.

[vesajaaskelainen]

Good question.

For hash -- hash value and hash algo is fully processed outside of PKCS11 TA so I suppose we shouldn't touch that. We can check the size for that -> will add that.

For category we may as well validate that. -- will add code for that.

[vesajaaskelainen]

@etienne-lms sorry for the delay on changes -- now should be updated and comments addressed.

[vesajaaskelainen]

While adding test cases for error handling I noticed there was problem in libckteec so created a new PR for those:
OP-TEE/optee_client#287

[etienne-lms]

minor comment.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> once addressed.

[etienne-lms]

minor: assert(size == sizeof(uint32_t));
or I think you could even drop fetching size.

[vesajaaskelainen]

I feel better if we fetch it ;) ... but will add the assert

[vesajaaskelainen]

oh -- none of the other methods with the same construct have it -- should we add assert to those too?

[vesajaaskelainen]

get_u32_attribute() would have sanity check embedded -- shall we use this and no assert?

[etienne-lms]

I agree, get_u32_attribute() and no extra assertions.

[vesajaaskelainen]

Updated the PR with that.

[vesajaaskelainen]

Comments addressed.

Thanks for the review! Applied tags.