From 59f83a100abeff58be55b277b4176891277994e9 Mon Sep 17 00:00:00 2001 From: Etienne Carriere Date: Fri, 6 Sep 2024 10:23:03 +0200 Subject: [PATCH] ta: pkcs11: add CKM_RSA_X_509 ciphering Add support for CKM_RSA_X_509 mechanism for encrypt/decrypt operations. Signed-off-by: Alexandre Marechal Signed-off-by: Etienne Carriere --- ta/pkcs11/src/processing_asymm.c | 43 ++++++++++++++++++++++++++++++ ta/pkcs11/src/token_capabilities.c | 2 +- 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/ta/pkcs11/src/processing_asymm.c b/ta/pkcs11/src/processing_asymm.c index c4c7f6e4a62..2f59922b08f 100644 --- a/ta/pkcs11/src/processing_asymm.c +++ b/ta/pkcs11/src/processing_asymm.c @@ -238,9 +238,11 @@ allocate_tee_operation(struct pkcs11_session *session, if (params->id == PKCS11_CKM_RSA_X_509) { assert(!hash_algo); switch (function) { + case PKCS11_FUNCTION_ENCRYPT: case PKCS11_FUNCTION_VERIFY: mode = TEE_MODE_ENCRYPT; break; + case PKCS11_FUNCTION_DECRYPT: case PKCS11_FUNCTION_SIGN: mode = TEE_MODE_DECRYPT; break; @@ -826,6 +828,47 @@ enum pkcs11_rc step_asymm_operation(struct pkcs11_session *session, case PKCS11_CKM_RSA_X_509: switch (function) { + case PKCS11_FUNCTION_ENCRYPT: + /* + * Input message size shall be at most the key size + * As encrypting with raw RSA can be unsafe, it + * remains the responsibility of the client to + * prolerly pad the message for safe usage. + */ + if (in_size > sz) { + rc = PKCS11_CKR_DATA_LEN_RANGE; + break; + } + res = TEE_AsymmetricEncrypt(proc->tee_op_handle, + tee_attrs, tee_attrs_count, + in_buf, in_size, + out_buf, &out_size); + output_data = true; + rc = tee2pkcs_error(res); + if (rc == PKCS11_CKR_ARGUMENTS_BAD) + rc = PKCS11_CKR_DATA_LEN_RANGE; + break; + case PKCS11_FUNCTION_DECRYPT: + /* + * Input message size shall be at most the key size + * As decrypting with raw RSA can be unsafe, it + * remains the responsibility of the encryption + * instance to have prolerly padded its message. + */ + if (in_size > sz) { + rc = PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE; + break; + } + + res = TEE_AsymmetricDecrypt(proc->tee_op_handle, + tee_attrs, tee_attrs_count, + in_buf, in_size, + out_buf, &out_size); + output_data = true; + rc = tee2pkcs_error(res); + if (rc == PKCS11_CKR_ARGUMENTS_BAD) + rc = PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE; + break; case PKCS11_FUNCTION_SIGN: /* * GP TEE API only allows Decrypt, not Verify operation, diff --git a/ta/pkcs11/src/token_capabilities.c b/ta/pkcs11/src/token_capabilities.c index 95523df5aea..64c89e3ca98 100644 --- a/ta/pkcs11/src/token_capabilities.c +++ b/ta/pkcs11/src/token_capabilities.c @@ -277,7 +277,7 @@ const struct pkcs11_mechachism_modes token_mechanism[] = { TA_MECHANISM(PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN, PKCS11_CKFM_GENERATE_KEY_PAIR), TA_MECHANISM(PKCS11_CKM_RSA_PKCS, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER), - TA_MECHANISM(PKCS11_CKM_RSA_X_509, CKFM_AUTH_NO_RECOVER), + TA_MECHANISM(PKCS11_CKM_RSA_X_509, CKFM_CIPHER | CKFM_AUTH_NO_RECOVER), TA_MECHANISM(PKCS11_CKM_RSA_PKCS_PSS, CKFM_AUTH_NO_RECOVER), TA_MECHANISM(PKCS11_CKM_MD5_RSA_PKCS, CKFM_AUTH_NO_RECOVER), TA_MECHANISM(PKCS11_CKM_SHA1_RSA_PKCS, CKFM_AUTH_NO_RECOVER),