/sgx-pkcs11 delta Secret
Last active
February 21, 2020 19:03
Star
You must be signed in to star a gist
Tweaks to Intel SGX crypto-toolkit for compatibility with OpenSC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
diff --git a/src/p11/enclave_config/p11Enclave.edl b/src/p11/enclave_config/p11Enclave.edl | |
index b27c808..a41d41e 100644 | |
--- a/src/p11/enclave_config/p11Enclave.edl | |
+++ b/src/p11/enclave_config/p11Enclave.edl | |
@@ -301,6 +301,11 @@ enclave { | |
[user_check] uint8_t* destBuffer, | |
uint32_t destBufferLen, | |
[user_check] uint32_t* destBufferWritten); | |
+ | |
+ public SgxStatus exportEcPoint(uint32_t keyId, | |
+ [user_check] uint8_t* destBuffer, | |
+ uint32_t destBufferLen, | |
+ [user_check] uint32_t* destBufferWritten); | |
}; | |
untrusted | |
diff --git a/src/p11/include/CryptoEnclaveDefs.h b/src/p11/include/CryptoEnclaveDefs.h | |
index f8410fd..5e26e9b 100644 | |
--- a/src/p11/include/CryptoEnclaveDefs.h | |
+++ b/src/p11/include/CryptoEnclaveDefs.h | |
@@ -61,7 +61,8 @@ static const uint8_t maxPinLength = 255; | |
static const uint8_t maxSessionsSupported = 100; | |
static const uint8_t maxRwSessionsSupported = 100; | |
static const uint8_t tokenObjectFileNameLength = 255; | |
-static const uint8_t maxEcParamsLen = 10; | |
+// EXPERIMENT(cemp): Generalize curv support | |
+static const uint8_t maxEcParamsLen = 32; | |
static const uint8_t ed25519KeyLength = 32; | |
static const uint16_t minEcKeyLen = 256; | |
static const uint16_t maxEcKeyLen = 384; | |
diff --git a/src/p11/trusted/AsymmetricCrypto.cpp b/src/p11/trusted/AsymmetricCrypto.cpp | |
index 958306b..12a1b53 100644 | |
--- a/src/p11/trusted/AsymmetricCrypto.cpp | |
+++ b/src/p11/trusted/AsymmetricCrypto.cpp | |
@@ -2848,26 +2848,33 @@ namespace CryptoSgx | |
int curveNid = OBJ_obj2nid(d2i_ASN1_OBJECT(nullptr, &oidPtr, tempCurveOid.size())); | |
switch(curveNid) | |
{ | |
- case NID_X9_62_prime256v1: | |
- case NID_secp384r1: | |
- status = generateEcKey(publicKeyId, privateKeyId, | |
+ case EVP_PKEY_ED25519: | |
+ status = generateEdKey(publicKeyId, privateKeyId, | |
curveOid, curveOidLen, | |
attributeBufferPublic, attributeBufferPublicLen, | |
attributeBufferPrivate, attributeBufferPrivateLen, | |
pinMaterial); | |
break; | |
- case EVP_PKEY_ED25519: | |
- status = generateEdKey(publicKeyId, privateKeyId, | |
+ | |
+ // Experiment: allow all supported OpenSSL curves. | |
+ /* | |
+ case NID_X9_62_prime256v1: | |
+ case NID_secp384r1: | |
+ */ | |
+ default: | |
+ status = generateEcKey(publicKeyId, privateKeyId, | |
curveOid, curveOidLen, | |
attributeBufferPublic, attributeBufferPublicLen, | |
attributeBufferPrivate, attributeBufferPrivateLen, | |
pinMaterial); | |
break; | |
+ /* | |
default: | |
status = static_cast<SgxStatus>(SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER); | |
break; | |
+ */ | |
} | |
return status; | |
@@ -2908,11 +2915,15 @@ namespace CryptoSgx | |
const unsigned char* ptr = reinterpret_cast<const unsigned char*>(tempCurveOid.data()); | |
int curveNid = OBJ_obj2nid(d2i_ASN1_OBJECT(nullptr, &ptr, tempCurveOid.size())); | |
+ | |
+ // EXPERIMENT(cemp): Support all OpenSSL curves. | |
+ /* | |
if ((NID_X9_62_prime256v1 != curveNid) && (NID_secp384r1 != curveNid)) | |
{ | |
status = SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER; | |
break; | |
} | |
+ */ | |
EC_KEY* ecKey = EC_KEY_new(); | |
if (!ecKey) | |
@@ -3292,6 +3303,49 @@ namespace CryptoSgx | |
return static_cast<SgxStatus>(status); | |
} | |
+ //--------------------------------------------------------------------------------------------- | |
+ SgxStatus AsymmetricCrypto::getEcPoint(const uint32_t& keyId, | |
+ uint8_t* destBuffer, | |
+ const uint32_t& destBufferLen, | |
+ uint32_t* destBufferWritten) { | |
+ SgxCryptStatus status = SgxCryptStatus::SGX_CRYPT_STATUS_UNSUCCESSFUL; | |
+ | |
+ if (!destBufferWritten) | |
+ return (SgxStatus) SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER; | |
+ | |
+ AsymmetricKey asymKey; | |
+ | |
+ if (! getAsymmetricKey(keyId, &asymKey, OperationType::Public)) | |
+ return (SgxStatus) SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_KEY_HANDLE; | |
+ | |
+ if (! asymKey.ecKey) | |
+ return (SgxStatus) SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_KEY_HANDLE; | |
+ | |
+ // Extract private key | |
+ const EC_GROUP* ecGroup = EC_KEY_get0_group(asymKey.ecKey); | |
+ if (ecGroup == nullptr) | |
+ return (SgxStatus) SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_KEY_HANDLE; | |
+ | |
+ // Extract public key | |
+ std::vector<uint8_t> publicKey = getEcPublicKey(asymKey.ecKey, ecGroup); | |
+ if (publicKey.empty()) | |
+ return (SgxStatus) SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_KEY_HANDLE; | |
+ | |
+ *destBufferWritten = publicKey.size(); | |
+ | |
+ if (!destBuffer) { | |
+ status = SgxCryptStatus::SGX_CRYPT_STATUS_SUCCESS; | |
+ } else if (destBufferLen < *destBufferWritten) { | |
+ status = SgxCryptStatus::SGX_CRYPT_STATUS_BUFFER_TOO_SHORT; | |
+ } else { | |
+ // There is enough space available to write out public key. | |
+ memcpy(destBuffer, publicKey.data(), *destBufferWritten); | |
+ status = SgxCryptStatus::SGX_CRYPT_STATUS_SUCCESS; | |
+ } | |
+ | |
+ return static_cast<SgxStatus>(status); | |
+ } | |
+ | |
//--------------------------------------------------------------------------------------------- | |
SgxStatus AsymmetricCrypto::setWrappingStatus(const uint32_t& keyId) | |
{ | |
diff --git a/src/p11/trusted/AsymmetricCrypto.h b/src/p11/trusted/AsymmetricCrypto.h | |
index 6f32643..518e9e9 100644 | |
--- a/src/p11/trusted/AsymmetricCrypto.h | |
+++ b/src/p11/trusted/AsymmetricCrypto.h | |
@@ -290,6 +290,11 @@ namespace CryptoSgx | |
const uint32_t& destBufferLen, | |
uint32_t* destBufferWritten); | |
+ SgxStatus getEcPoint(const uint32_t& keyId, | |
+ uint8_t* destBuffer, | |
+ const uint32_t& destBufferLen, | |
+ uint32_t* destBufferWritten); | |
+ | |
SgxStatus setWrappingStatus(const uint32_t& keyId); | |
bool checkWrappingStatus(const uint32_t& keyId, const OperationType& type); | |
diff --git a/src/p11/trusted/p11Enclave.cpp b/src/p11/trusted/p11Enclave.cpp | |
index 7aeb120..0513155 100644 | |
--- a/src/p11/trusted/p11Enclave.cpp | |
+++ b/src/p11/trusted/p11Enclave.cpp | |
@@ -2641,4 +2641,40 @@ SgxStatus exportEcParams(uint32_t keyId, | |
} while (false); | |
return status; | |
-} | |
\ No newline at end of file | |
+} | |
+ | |
+SgxStatus exportEcPoint(uint32_t keyId, | |
+ uint8_t* destBuffer, | |
+ uint32_t destBufferLen, | |
+ uint32_t* destBufferWritten) | |
+{ | |
+ SgxStatus status = static_cast<SgxStatus>(SgxCryptStatus::SGX_CRYPT_STATUS_UNSUCCESSFUL); | |
+ uint32_t ptrDataSize = sizeof(std::remove_pointer<decltype(destBufferWritten)>::type); | |
+ bool result = false; | |
+ | |
+ if (!keyId || !destBufferWritten) { | |
+ status = static_cast<SgxStatus>(SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER); | |
+ } else if (destBuffer && !checkUserCheckPointer(destBuffer, destBufferLen)) { | |
+ status = static_cast<SgxStatus>(SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER); | |
+ } else { | |
+ | |
+ result = checkUserCheckPointer(reinterpret_cast<uint8_t*>(destBufferWritten), ptrDataSize); | |
+ if (!result) { | |
+ status = static_cast<SgxStatus>(SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER); | |
+ } else { | |
+ | |
+#ifdef _WIN32 | |
+ _mm_lfence(); | |
+#else | |
+ __builtin_ia32_lfence(); | |
+#endif | |
+ | |
+ status = asymmetricCrypto.getEcPoint(keyId, | |
+ destBuffer, | |
+ destBufferLen, | |
+ destBufferWritten); | |
+ } | |
+ } | |
+ | |
+ return status; | |
+} | |
diff --git a/src/p11/untrusted/AsymmetricProvider.cpp b/src/p11/untrusted/AsymmetricProvider.cpp | |
index 0a942a8..e52cf4c 100644 | |
--- a/src/p11/untrusted/AsymmetricProvider.cpp | |
+++ b/src/p11/untrusted/AsymmetricProvider.cpp | |
@@ -105,6 +105,7 @@ namespace P11Crypto | |
uint32_t privateKeyHandle = 0; | |
EnclaveHelpers enclaveHelpers; | |
+ | |
do | |
{ | |
if (!phPublicKey || !phPrivateKey) | |
@@ -113,6 +114,9 @@ namespace P11Crypto | |
break; | |
} | |
+ fprintf(stdout, "Calling SGX enclave for ECC key generation with %lu byte curve OID...\n", | |
+ asymKeyParams.curveOid.size()); | |
+ | |
sgxStatus = generateEccKeyPair(enclaveHelpers.getSgxEnclaveId(), | |
reinterpret_cast<int32_t*>(&enclaveStatus), | |
&publicKeyHandle, | |
diff --git a/src/p11/untrusted/AttributeUtils.cpp b/src/p11/untrusted/AttributeUtils.cpp | |
index 191f40f..f8a2e17 100644 | |
--- a/src/p11/untrusted/AttributeUtils.cpp | |
+++ b/src/p11/untrusted/AttributeUtils.cpp | |
@@ -154,6 +154,8 @@ namespace Utils | |
{ | |
asymKeyParams->curveOid = strAttrIter->second; | |
asymKeyParams->keyGenMechanism = KeyGenerationMechanism::ecGeneratePublicKey; | |
+ fprintf(stdout, "Found CKA_EC_PARAMS attribute of length %lu\n", | |
+ asymKeyParams->curveOid.size()); | |
} | |
return CKR_OK; | |
@@ -401,7 +403,8 @@ namespace Utils | |
switch(keyGenMechanism) | |
{ | |
case KeyGenerationMechanism::rsaGeneratePublicKey: | |
- result = (CKO_PUBLIC_KEY == attrValStruct.objectClass && | |
+ fprintf(stderr, "Switch branch KeyGenerationMechanism::rsaGeneratePublicKey...\n"); | |
+ result = (CKO_PUBLIC_KEY == attrValStruct.objectClass && | |
CKK_RSA == attrValStruct.keyType && | |
modulusBits && | |
!keyBuffer && | |
@@ -409,6 +412,8 @@ namespace Utils | |
break; | |
case KeyGenerationMechanism::rsaGeneratePrivateKey: | |
+ fprintf(stderr, "Switch branch KeyGenerationMechanism::rsaGeneratePrivateKey...\n"); | |
+ | |
result = (CKO_PRIVATE_KEY == attrValStruct.objectClass && | |
CKK_RSA == attrValStruct.keyType && | |
!modulusBits && | |
@@ -417,6 +422,7 @@ namespace Utils | |
break; | |
case KeyGenerationMechanism::rsaImportPublicKey: | |
+ fprintf(stderr, "Switch branch KeyGenerationMechanism::rsaImportPublicKey...\n"); | |
result = (CKO_PUBLIC_KEY == attrValStruct.objectClass && | |
CKK_RSA == attrValStruct.keyType && | |
!modulusBits && | |
@@ -429,6 +435,8 @@ namespace Utils | |
break; | |
} | |
+ fprintf(stderr, "Result of %s: %d\n", __FUNCTION__, result); | |
+ | |
return result; | |
} | |
@@ -440,13 +448,17 @@ namespace Utils | |
switch(keyGenMechanism) | |
{ | |
// For all keys generated on the token, CKA_LOCAL attribute should set to CK_TRUE. | |
+ case KeyGenerationMechanism::rsaGeneratePrivateKey: | |
+ boolAttributes->set(p11AttributeToBoolAttribute[CKA_DECRYPT]); | |
+ // Deliberate fall-through... | |
+ case KeyGenerationMechanism::ecGeneratePrivateKey: | |
+ case KeyGenerationMechanism::edGeneratePrivateKey: | |
+ boolAttributes->set(p11AttributeToBoolAttribute[CKA_SIGN]); | |
+ // Deliberate fall-through... | |
case KeyGenerationMechanism::aesGenerateKey: | |
case KeyGenerationMechanism::rsaGeneratePublicKey: | |
- case KeyGenerationMechanism::rsaGeneratePrivateKey: | |
case KeyGenerationMechanism::ecGeneratePublicKey: | |
- case KeyGenerationMechanism::ecGeneratePrivateKey: | |
case KeyGenerationMechanism::edGeneratePublicKey: | |
- case KeyGenerationMechanism::edGeneratePrivateKey: | |
boolAttributes->set(p11AttributeToBoolAttribute[CKA_LOCAL]); | |
break; | |
default: | |
@@ -469,6 +481,8 @@ namespace Utils | |
if (attributeBitset.test(BoolAttribute::SIGN)|| | |
attributeBitset.test(BoolAttribute::VERIFY)) | |
{ | |
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n", | |
+ __FUNCTION__, __LINE__); | |
rv = CKR_TEMPLATE_INCONSISTENT; | |
} | |
break; | |
@@ -477,6 +491,8 @@ namespace Utils | |
attributeBitset.test(BoolAttribute::SIGN) || | |
attributeBitset.test(BoolAttribute::UNWRAP)) | |
{ | |
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n", | |
+ __FUNCTION__, __LINE__); | |
rv = CKR_TEMPLATE_INCONSISTENT; | |
} | |
break; | |
@@ -485,6 +501,8 @@ namespace Utils | |
attributeBitset.test(BoolAttribute::VERIFY) || | |
attributeBitset.test(BoolAttribute::WRAP)) | |
{ | |
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n", | |
+ __FUNCTION__, __LINE__); | |
rv = CKR_TEMPLATE_INCONSISTENT; | |
} | |
break; | |
@@ -616,6 +634,7 @@ namespace Utils | |
break; | |
default: | |
+ fprintf(stderr, "Unrecognized attribute in function %s\n", __FUNCTION__); | |
rv = CKR_ATTRIBUTE_TYPE_INVALID; | |
break; | |
} | |
@@ -682,7 +701,11 @@ namespace Utils | |
break; | |
default: | |
- rv = CKR_ATTRIBUTE_TYPE_INVALID; | |
+ fprintf(stdout, "Unrecognized attribute %lu in function %s\n", | |
+ attributeType, __FUNCTION__); | |
+ // EXPERIMENT(cemp): Ignore unrecognized attributes. | |
+ // rv = CKR_ATTRIBUTE_TYPE_INVALID; | |
+ rv = CKR_OK; | |
break; | |
} | |
@@ -765,7 +788,10 @@ namespace Utils | |
} | |
else | |
{ | |
- rv = CKR_ATTRIBUTE_TYPE_INVALID; | |
+ fprintf(stderr, "Unrecognized attribute type %lu in function %s\n", | |
+ attributeType, __FUNCTION__); | |
+ // EXPERIMENT(cemp): Ignore unrecognized attributes. | |
+ // rv = CKR_ATTRIBUTE_TYPE_INVALID; | |
break; | |
} | |
} | |
@@ -781,8 +807,20 @@ namespace Utils | |
} | |
// Compulsory attributes to be set. | |
- if (!keyTypePresent || !objectClassPresent) | |
+ if (!keyTypePresent) { | |
+ // Or set to CKK_EC for generating elliptic-curve keypairs... | |
+ keyType = CKK_RSA; | |
+ keyTypePresent = true; | |
+ extractUlongAttributes(CKA_KEY_TYPE, | |
+ & keyType, sizeof(keyType), | |
+ &modulusLength, &keyLength, | |
+ &objectClass, &keyType, | |
+ &objectClassPresent, &keyTypePresent, | |
+ attrValStruct, ulongAttributes); | |
+ } | |
+ else if (!objectClassPresent) | |
{ | |
+ fprintf(stderr, "Incomplete template in function %s\n", __FUNCTION__); | |
rv = CKR_TEMPLATE_INCOMPLETE; | |
break; | |
} | |
@@ -901,6 +939,8 @@ namespace Utils | |
attributes->ulongAttributes.insert(UlongAttributeType(attributeType, attributeValue)); | |
break; | |
default: | |
+ fprintf(stderr, "Unrecognized attribute type %lu in function %s\n", | |
+ attributeType, __FUNCTION__); | |
rv = CKR_ATTRIBUTE_TYPE_INVALID; | |
break; | |
} | |
@@ -934,7 +974,9 @@ namespace Utils | |
attributes->strAttributes.insert(StringAttributeType(attributeType, label)); | |
break; | |
default: | |
- rv = CKR_ATTRIBUTE_TYPE_INVALID; | |
+ // Ignore unknown attributes. | |
+ // rv = CKR_ATTRIBUTE_TYPE_INVALID; | |
+ fprintf(stderr, "Unrecognized attribute: %lu\n", attributeType); | |
break; | |
} | |
@@ -945,6 +987,8 @@ namespace Utils | |
} | |
else | |
{ | |
+ fprintf(stderr, "Unrecognized attribute category for %lu-- neither boolean, long or string.\n", | |
+ attributeType); | |
rv = CKR_ATTRIBUTE_TYPE_INVALID; | |
break; | |
} | |
@@ -994,6 +1038,7 @@ namespace Utils | |
} | |
else // Only one of public and private keys have CKA_ID. | |
{ | |
+ fprintf(stderr, "Only one of public/private key has CKA_ID.\n"); | |
return false; | |
} | |
} | |
@@ -1365,9 +1410,13 @@ namespace Utils | |
sizeRequest, | |
&attributeValue, | |
&attributeSize); | |
- } | |
- else | |
- { | |
+ } else if (CKA_EC_POINT == attributeType) { | |
+ rv = Utils::EnclaveUtils::getEcPoint(keyHandle, | |
+ attributeType, | |
+ sizeRequest, | |
+ &attributeValue, | |
+ &attributeSize); | |
+ } else { | |
auto attributeAttrIt = getStrAttrIterator(objectParams.strAttributes, attributeType); | |
if (objectParams.strAttributes.end() == attributeAttrIt) | |
{ | |
@@ -1466,6 +1515,8 @@ namespace Utils | |
if (CKA_LOCAL == attributeType && // Can't change CKA_LOCAL attribute. | |
(objectParams->boolAttributes[BoolAttribute::LOCAL] != boolValue)) | |
{ | |
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n", | |
+ __FUNCTION__, __LINE__); | |
rv = CKR_TEMPLATE_INCONSISTENT; | |
break; | |
} | |
@@ -1473,6 +1524,8 @@ namespace Utils | |
if (CKA_MODIFIABLE == attributeType && // Can't change CKA_MODIFIABLE attribute. | |
(objectParams->boolAttributes[BoolAttribute::MODIFIABLE] != boolValue)) | |
{ | |
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n", | |
+ __FUNCTION__, __LINE__); | |
rv = CKR_TEMPLATE_INCONSISTENT; | |
break; | |
} | |
@@ -1482,6 +1535,8 @@ namespace Utils | |
(CKA_TOKEN == attributeType && // Can't change CKA_TOKEN attribute. | |
(objectParams->boolAttributes[BoolAttribute::TOKEN] != boolValue))) | |
{ | |
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n", | |
+ __FUNCTION__, __LINE__); | |
rv = CKR_TEMPLATE_INCONSISTENT; | |
break; | |
} | |
@@ -1539,6 +1594,8 @@ namespace Utils | |
} | |
else | |
{ | |
+ fprintf(stderr, "Unrecognized attribute type %lu in function %s\n", | |
+ attributeType, __FUNCTION__); | |
rv = CKR_ATTRIBUTE_TYPE_INVALID; | |
break; | |
} | |
diff --git a/src/p11/untrusted/AttributeUtils.h b/src/p11/untrusted/AttributeUtils.h | |
index bf15460..483c170 100644 | |
--- a/src/p11/untrusted/AttributeUtils.h | |
+++ b/src/p11/untrusted/AttributeUtils.h | |
@@ -94,6 +94,7 @@ namespace Utils | |
CKA_VALUE_KEY_BUFFER, \ | |
CKA_MODULUS, \ | |
CKA_PUBLIC_EXPONENT, \ | |
+ CKA_EC_POINT, \ | |
CKA_EC_PARAMS \ | |
}; | |
static AttributeTypeSet supportedboolAttr { | |
diff --git a/src/p11/untrusted/EnclaveUtils.cpp b/src/p11/untrusted/EnclaveUtils.cpp | |
index d59de66..1eee4b5 100644 | |
--- a/src/p11/untrusted/EnclaveUtils.cpp | |
+++ b/src/p11/untrusted/EnclaveUtils.cpp | |
@@ -353,6 +353,58 @@ namespace Utils | |
return rv; | |
} | |
+ //--------------------------------------------------------------------------------------------- | |
+ CK_RV getEcPoint(const CK_OBJECT_HANDLE& keyHandle, | |
+ const CK_ATTRIBUTE_TYPE& attributeType, | |
+ const bool& sizeRequest, | |
+ std::string* attributeValue, | |
+ uint32_t* attributeSize) { | |
+ if (!attributeValue || !attributeSize) | |
+ return CKR_ARGUMENTS_BAD; | |
+ | |
+ if (CKA_EC_POINT != attributeType) | |
+ return CKR_ATTRIBUTE_TYPE_INVALID; | |
+ | |
+ CK_RV rv = CKR_FUNCTION_FAILED; | |
+ sgx_status_t sgxStatus = sgx_status_t::SGX_ERROR_UNEXPECTED; | |
+ SgxCryptStatus enclaveStatus = SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_KEY_HANDLE; | |
+ uint32_t destBufferLenRequired = 0; | |
+ P11Crypto::EnclaveHelpers enclaveHelpers; | |
+ | |
+ sgxStatus = exportEcPoint(enclaveHelpers.getSgxEnclaveId(), | |
+ reinterpret_cast<int32_t*>(&enclaveStatus), | |
+ keyHandle, | |
+ nullptr, | |
+ 0, | |
+ & destBufferLenRequired); | |
+ | |
+ rv = getPkcsStatus(sgxStatus, enclaveStatus); | |
+ if (CKR_OK != rv) | |
+ return rv; | |
+ | |
+ *attributeSize = destBufferLenRequired; | |
+ if (sizeRequest) | |
+ return rv; | |
+ | |
+ std::vector<uint8_t> destBuffer(destBufferLenRequired, 0x41); | |
+ | |
+ sgxStatus = exportEcPoint(enclaveHelpers.getSgxEnclaveId(), | |
+ reinterpret_cast<int32_t*>(&enclaveStatus), | |
+ keyHandle, | |
+ destBuffer.data(), | |
+ destBuffer.size(), | |
+ & destBufferLenRequired); | |
+ | |
+ rv = getPkcsStatus(sgxStatus, enclaveStatus); | |
+ if (CKR_OK != rv) | |
+ *attributeSize = 0; | |
+ else | |
+ (*attributeValue).assign(reinterpret_cast<const char*>(destBuffer.data()), destBufferLenRequired); | |
+ | |
+ return rv; | |
+ } | |
+ | |
+ | |
//--------------------------------------------------------------------------------------------- | |
CK_RV readTokenObject(const std::string& tokenObjectFilePath, | |
const CK_SLOT_ID& slotID, | |
diff --git a/src/p11/untrusted/EnclaveUtils.h b/src/p11/untrusted/EnclaveUtils.h | |
index a3cf112..6e12573 100644 | |
--- a/src/p11/untrusted/EnclaveUtils.h | |
+++ b/src/p11/untrusted/EnclaveUtils.h | |
@@ -66,6 +66,12 @@ namespace Utils | |
std::string* attributeValue, | |
uint32_t* attributeSize); | |
+ CK_RV getEcPoint(const CK_OBJECT_HANDLE& keyHandle, | |
+ const CK_ATTRIBUTE_TYPE& attributeType, | |
+ const bool& sizeRequest, | |
+ std::string* attributeValue, | |
+ uint32_t* attributeSize); | |
+ | |
CK_RV readTokenObject(const std::string& tokenObjectFilePath, | |
const CK_SLOT_ID& slotID, | |
uint64_t* attributeBuffer, | |
diff --git a/src/p11/untrusted/KeyManagement.cpp b/src/p11/untrusted/KeyManagement.cpp | |
index d7311fa..8c630fd 100644 | |
--- a/src/p11/untrusted/KeyManagement.cpp | |
+++ b/src/p11/untrusted/KeyManagement.cpp | |
@@ -297,6 +297,7 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession, | |
if (KeyGenerationMechanism::invalid == asymKeyParams.keyGenMechanism) | |
{ | |
+ fprintf(stderr, "Incomplete template in function %s\n", __FUNCTION__); | |
rv = CKR_TEMPLATE_INCOMPLETE; | |
break; | |
} | |
@@ -307,8 +308,9 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession, | |
!Utils::AttributeUtils::isSupportedAsymKeyLength(asymKeyParams.modulusLength) || | |
!Utils::AttributeUtils::validateRsaKeyGenAttributes(asymKeyParams.keyGenMechanism, publicAttrValStruct))) | |
{ | |
- rv = CKR_ATTRIBUTE_VALUE_INVALID; | |
- break; | |
+ fprintf(stderr, "Attribute value invalid in function %s @ line #%d\n", __FUNCTION__, __LINE__); | |
+ // rv = CKR_ATTRIBUTE_VALUE_INVALID; | |
+ // break; | |
} | |
} | |
else if (ecKpGeneration || edKpGeneration) | |
@@ -322,6 +324,7 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession, | |
if (KeyGenerationMechanism::invalid == asymKeyParams.keyGenMechanism || | |
asymKeyParams.curveOid.empty()) | |
{ | |
+ fprintf(stderr, "Incomplete template in function %s\n", __FUNCTION__); | |
rv = CKR_TEMPLATE_INCOMPLETE; | |
break; | |
} | |
@@ -335,6 +338,8 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession, | |
if (!validateEcKeyGenAttributes(asymKeyParams.keyGenMechanism, publicAttrValStruct, publicBoolAttributes)) | |
{ | |
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n", | |
+ __FUNCTION__, __LINE__); | |
rv = CKR_TEMPLATE_INCONSISTENT; | |
break; | |
} | |
@@ -361,6 +366,24 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession, | |
break; | |
} | |
+ // EXPERIMENT(cemp): OpenSC compatibility. | |
+ // CKA_ID only specified on one side. | |
+ auto public_ID = std::find_if(publicStrAttributes.cbegin(), publicStrAttributes.cend(), [](const StringAttributeType& p) | |
+ { | |
+ return (CKA_ID == p.first); | |
+ }); | |
+ | |
+ auto private_ID = std::find_if(privateStrAttributes.cbegin(), privateStrAttributes.cend(), [](const StringAttributeType& p) | |
+ { | |
+ return (CKA_ID == p.first); | |
+ }); | |
+ | |
+ if (public_ID != publicStrAttributes.end()) { | |
+ privateStrAttributes.insert(StringAttributeType(public_ID->first, public_ID->second)); | |
+ } else if (private_ID != privateStrAttributes.end()) { | |
+ publicStrAttributes.insert(StringAttributeType(public_ID->first, public_ID->second)); | |
+ } | |
+ | |
if (!Utils::AttributeUtils::validateId(publicStrAttributes, privateStrAttributes)) | |
{ | |
rv = CKR_TEMPLATE_INCONSISTENT; | |
@@ -388,6 +411,7 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession, | |
if (!Utils::AttributeUtils::validateRsaKeyGenAttributes(asymKeyParams.keyGenMechanism, privateAttrValStruct)) | |
{ | |
+ fprintf(stderr, "Attribute value invalid in function %s @ line %d\n", __FUNCTION__, __LINE__); | |
rv = CKR_ATTRIBUTE_VALUE_INVALID; | |
break; | |
} | |
@@ -402,6 +426,7 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession, | |
if (!Utils::AttributeUtils::validateEcKeyGenAttributes(asymKeyParams.keyGenMechanism, privateAttrValStruct, privateBoolAttributes)) | |
{ | |
+ fprintf(stderr, "Attribute value invalid in function %s @ line %d\n", __FUNCTION__, __LINE__); | |
rv = CKR_ATTRIBUTE_VALUE_INVALID; | |
break; | |
} | |
@@ -416,6 +441,7 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession, | |
if (!Utils::AttributeUtils::validateEcKeyGenAttributes(asymKeyParams.keyGenMechanism, privateAttrValStruct, privateBoolAttributes)) | |
{ | |
+ fprintf(stderr, "Attribute value invalid in function %s @ line %d\n", __FUNCTION__, __LINE__); | |
rv = CKR_ATTRIBUTE_VALUE_INVALID; | |
break; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment