Skip to content

Commit

Permalink
ta: pkcs11: add CKM_RSA_X_509 ciphering
Browse files Browse the repository at this point in the history
Add support for CKM_RSA_X_509 mechanism for encrypt/decrypt operations.

Signed-off-by: Alexandre Marechal <[email protected]>
Signed-off-by: Etienne Carriere <[email protected]>
Acked-by: Rouven Czerwinski <[email protected]>
  • Loading branch information
etienne-lms authored and jforissier committed Nov 22, 2024
1 parent e02f17f commit b7abff7
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 1 deletion.
43 changes: 43 additions & 0 deletions ta/pkcs11/src/processing_asymm.c
Original file line number Diff line number Diff line change
Expand Up @@ -238,9 +238,11 @@ allocate_tee_operation(struct pkcs11_session *session,
if (params->id == PKCS11_CKM_RSA_X_509) {
assert(!hash_algo);
switch (function) {
case PKCS11_FUNCTION_ENCRYPT:
case PKCS11_FUNCTION_VERIFY:
mode = TEE_MODE_ENCRYPT;
break;
case PKCS11_FUNCTION_DECRYPT:
case PKCS11_FUNCTION_SIGN:
mode = TEE_MODE_DECRYPT;
break;
Expand Down Expand Up @@ -826,6 +828,47 @@ enum pkcs11_rc step_asymm_operation(struct pkcs11_session *session,

case PKCS11_CKM_RSA_X_509:
switch (function) {
case PKCS11_FUNCTION_ENCRYPT:
/*
* Input message size shall be at most the key size
* As encrypting with raw RSA can be unsafe, it
* remains the responsibility of the client to
* prolerly pad the message for safe usage.
*/
if (in_size > sz) {
rc = PKCS11_CKR_DATA_LEN_RANGE;
break;
}
res = TEE_AsymmetricEncrypt(proc->tee_op_handle,
tee_attrs, tee_attrs_count,
in_buf, in_size,
out_buf, &out_size);
output_data = true;
rc = tee2pkcs_error(res);
if (rc == PKCS11_CKR_ARGUMENTS_BAD)
rc = PKCS11_CKR_DATA_LEN_RANGE;
break;
case PKCS11_FUNCTION_DECRYPT:
/*
* Input message size shall be at most the key size
* As decrypting with raw RSA can be unsafe, it
* remains the responsibility of the encryption
* instance to have prolerly padded its message.
*/
if (in_size > sz) {
rc = PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE;
break;
}

res = TEE_AsymmetricDecrypt(proc->tee_op_handle,
tee_attrs, tee_attrs_count,
in_buf, in_size,
out_buf, &out_size);
output_data = true;
rc = tee2pkcs_error(res);
if (rc == PKCS11_CKR_ARGUMENTS_BAD)
rc = PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE;
break;
case PKCS11_FUNCTION_SIGN:
/*
* GP TEE API only allows Decrypt, not Verify operation,
Expand Down
2 changes: 1 addition & 1 deletion ta/pkcs11/src/token_capabilities.c
Original file line number Diff line number Diff line change
Expand Up @@ -278,7 +278,7 @@ const struct pkcs11_mechachism_modes token_mechanism[] = {
PKCS11_CKFM_GENERATE_KEY_PAIR),
TA_MECHANISM(PKCS11_CKM_RSA_PKCS, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER),
#ifdef CFG_PKCS11_TA_RSA_X_509
TA_MECHANISM(PKCS11_CKM_RSA_X_509, CKFM_AUTH_NO_RECOVER),
TA_MECHANISM(PKCS11_CKM_RSA_X_509, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER),
#endif
TA_MECHANISM(PKCS11_CKM_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER),
TA_MECHANISM(PKCS11_CKM_MD5_RSA_PKCS, CKFM_AUTH_NO_RECOVER),
Expand Down

0 comments on commit b7abff7

Please sign in to comment.