-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ta: pkcs11: Add certificate object support #4797
ta: pkcs11: Add certificate object support #4797
Conversation
Note: I try to cook up some simple xtest certificate test while the RSA test PRs are in review. |
af6ce4a
to
c72dd62
Compare
ta/pkcs11/src/pkcs11_attributes.c
Outdated
rc = get_attribute_ptr(*out, PKCS11_CKA_CERTIFICATE_CATEGORY, NULL, | ||
&attr_size); | ||
if ((rc == PKCS11_CKR_OK && attr_size == 0) || | ||
rc == PKCS11_RV_NOT_FOUND) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: could prevent few line breaks:
if ((rc == PKCS11_CKR_OK && !attr_size) || rc == PKCS11_RV_NOT_FOUND) {
rc = set_attribute(out, PKCS11_CKA_CERTIFICATE_CATEGORY,
&cert_category, sizeof(cert_category));
if (rc)
return rc;
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, prefer have cert_category
defined in this block. Easier to read up:
if ((rc == PKCS11_CKR_OK && !attr_size) || rc == PKCS11_RV_NOT_FOUND) {
+ uint32_t cert_category = PKCS11_CK_CERTIFICATE_CATEGORY_UNSPECIFIED;
+
rc = set_attribute(out, PKCS11_CKA_CERTIFICATE_CATEGORY,
&cert_category, sizeof(cert_category));
if (rc)
return rc;
}
ditto for name_hash_alg
in the next instruction block.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Moving cert_category there causes checkpatch issue -- so I left variables where they were.
Did the line break changes.
ta/pkcs11/src/pkcs11_attributes.c
Outdated
|
||
static const uint32_t pkcs11_certificate_optional[] = { | ||
PKCS11_CKA_CERTIFICATE_CATEGORY, PKCS11_CKA_CHECK_VALUE, | ||
PKCS11_CKA_START_DATE, PKCS11_CKA_END_DATE, PKCS11_CKA_PUBLIC_KEY_INFO |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: prefer add a comma at line end. (ditto line 370)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did same for pkcs11_x509_certificate_optional
c72dd62
to
65d6b86
Compare
ta/pkcs11/src/pkcs11_attributes.c
Outdated
size_t mandated_count = 0; | ||
size_t optional_count = 0; | ||
uint32_t attr_size = 0; | ||
uint32_t cert_category = PKCS11_CK_CERTIFICATE_CATEGORY_UNSPECIFIED; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should maybe be renamed default_category
to avoid confusion.
Same a next line: name_hash_alg
=> default_hash_alg
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK
ta/pkcs11/src/pkcs11_attributes.c
Outdated
if ((rc == PKCS11_CKR_OK && !attr_size) || rc == PKCS11_RV_NOT_FOUND) { | ||
rc = set_attribute(out, PKCS11_CKA_CERTIFICATE_CATEGORY, | ||
&cert_category, | ||
sizeof(cert_category)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we check the already existing category is a known value?
Ditto for the hash algo ID checked right below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question.
For hash -- hash value and hash algo is fully processed outside of PKCS11 TA so I suppose we shouldn't touch that. We can check the size for that -> will add that.
For category we may as well validate that. -- will add code for that.
65d6b86
to
98b0aca
Compare
@etienne-lms sorry for the delay on changes -- now should be updated and comments addressed. |
While adding test cases for error handling I noticed there was problem in libckteec so created a new PR for those: |
98b0aca
to
03c0e9e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor comment.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
once addressed.
|
||
if (get_attribute(head, PKCS11_CKA_CERTIFICATE_TYPE, &type, &size)) | ||
return PKCS11_CKC_UNDEFINED_ID; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: assert(size == sizeof(uint32_t));
or I think you could even drop fetching size.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel better if we fetch it ;) ... but will add the assert
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh -- none of the other methods with the same construct have it -- should we add assert to those too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
get_u32_attribute()
would have sanity check embedded -- shall we use this and no assert?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, get_u32_attribute()
and no extra assertions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated the PR with that.
Adds support for: PKCS OP-TEE#11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01 4.6 Certificate objects 4.6.3 X.509 public key certificate objects Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
03c0e9e
to
264748b
Compare
Comments addressed. Thanks for the review! Applied tags. |
Adds support for:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
4.6 Certificate objects
4.6.3 X.509 public key certificate objects
Relates to:
Related PRs:
Signed-off-by: Vesa Jääskeläinen vesa.jaaskelainen@vaisala.com
Before there is tests available here are some manual steps on how to test it out.
NSS certutil is the easiest command line tool to import certificates: