You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
opencryptoki/SOURCES/0030-p11sak-Support-additio...

157 lines
6.2 KiB

From 3f8b4270a7601b42f15f13f54b9b5fc207a14723 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue, 8 Nov 2022 16:46:26 +0100
Subject: [PATCH 30/34] p11sak: Support additional Dilithium variants
Support the following Dilithium versions to be specified with the
generate-key command: r2_65 (as of today), r2_87, r3_44, r3_65, r3_87.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
man/man1/p11sak.1.in | 12 ++++++++++-
usr/sbin/p11sak/p11sak.c | 53 ++++++++++++++++++++++++++++++++++++++++++++----
2 files changed, 60 insertions(+), 5 deletions(-)
diff --git a/man/man1/p11sak.1.in b/man/man1/p11sak.1.in
index a2c2b879..6938b203 100644
--- a/man/man1/p11sak.1.in
+++ b/man/man1/p11sak.1.in
@@ -262,7 +262,7 @@ Use the
command and key argument to generate an IBM Dilithium key, where
.I VERSION
specifies the version of the IBM Dilithium keypair. The following arguments can be used for respective keys:
-.B r2_65
+.B r2_65 | r2_87 | r3_44 | r3_65 | r3_87
.PP
The
.B \-\-slot
@@ -368,6 +368,16 @@ to select the EC curve used to generate the key.
.
.
+.SS "r2_6|r2_87|r3_44|r3_65|r3_875"
+the
+.B ibm-dilithium
+argument has to be followed by either of these
+.I VERSION
+to select the IBM dilithium version used to generate the key.
+.PP
+.
+.
+.
.SH OPTIONS
.SS "\-\-slot SLOTID"
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index 8cfcb21d..5ceb145b 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -387,7 +387,7 @@ static void print_gen_help(void)
printf(" brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 | \n");
printf(" brainpoolP512r1 | brainpoolP512t1 | curve25519 | curve448 | ed25519 | \n");
printf(" ed448]\n");
- printf(" ibm-dilithium [r2_65]\n");
+ printf(" ibm-dilithium [r2_65 | r2_87 | r3_44 | r3_65 | r3_87]\n");
printf("\n Options:\n");
printf(
" --slot SLOTID openCryptoki repository token SLOTID.\n");
@@ -526,6 +526,10 @@ static void print_gen_ibm_dilithium_help(void)
printf("\n Usage: p11sak generate-key ibm-dilithium [ARGS] [OPTIONS]\n");
printf("\n Args:\n");
printf(" r2_65\n");
+ printf(" r2_87\n");
+ printf(" r3_44\n");
+ printf(" r3_65\n");
+ printf(" r3_87\n");
printf("\n Options:\n");
printf(
" --slot SLOTID openCryptoki repository token SLOTID.\n");
@@ -764,6 +768,35 @@ static CK_RV read_ec_args(const char *ECcurve, CK_ATTRIBUTE *pubattr,
return CKR_OK;
}
+/**
+ * Builds the CKA_IBM_DILITHIUM_KEYFORM attribute from the given version.
+ */
+static CK_RV read_dilithium_args(const char *dilithium_ver, CK_ULONG *keyform,
+ CK_ATTRIBUTE *pubattr, CK_ULONG *pubcount)
+{
+ if (strcasecmp(dilithium_ver, "r2_65") == 0) {
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND2_65;
+ } else if (strcasecmp(dilithium_ver, "r2_87") == 0) {
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND2_87;
+ } else if (strcasecmp(dilithium_ver, "r3_44") == 0) {
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_44;
+ } else if (strcasecmp(dilithium_ver, "r3_65") == 0) {
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_65;
+ } else if (strcasecmp(dilithium_ver, "r3_87") == 0) {
+ *keyform = CK_IBM_DILITHIUM_KEYFORM_ROUND3_87;
+ } else {
+ fprintf(stderr, "Unexpected case while parsing dilithium version.\n");
+ fprintf(stderr, "Note: not all tokens support all versions.\n");
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ pubattr[*pubcount].type = CKA_IBM_DILITHIUM_KEYFORM;
+ pubattr[*pubcount].ulValueLen = sizeof(CK_ULONG);
+ pubattr[*pubcount].pValue = keyform;
+ (*pubcount)++;
+
+ return CKR_OK;
+}
/**
* Builds two CKA_LABEL attributes from given label.
*/
@@ -1096,6 +1129,8 @@ static CK_RV key_pair_gen(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
if (rc != CKR_OK) {
if (is_rejected_by_policy(rc, session))
fprintf(stderr, "Key pair generation rejected by policy\n");
+ else if (kt == kt_IBM_DILITHIUM && rc == CKR_KEY_SIZE_RANGE)
+ fprintf(stderr, "IBM Dilithum version is not supported\n");
else
fprintf(stderr, "Key pair generation failed (error code 0x%lX: %s)\n", rc,
p11_get_ckr(rc));
@@ -1845,11 +1880,15 @@ static CK_RV check_args_gen_key(p11sak_kt *kt, CK_ULONG keylength,
case kt_IBM_DILITHIUM:
if (dilithium_ver == NULL) {
fprintf(stderr,
- "Cipher key type [%d] supported but Dilithium version not set in arguments. Try adding argument <r2_65>\n",
+ "Cipher key type [%d] supported but Dilithium version not set in arguments. Try adding argument <r2_65>, <r2_87>, <r3_44>, <r3_65>, or <r3_87>\n",
*kt);
return CKR_ARGUMENTS_BAD;
}
- if (strcasecmp(dilithium_ver, "r2_65") == 0) {
+ if (strcasecmp(dilithium_ver, "r2_65") == 0 ||
+ strcasecmp(dilithium_ver, "r2_87") == 0 ||
+ strcasecmp(dilithium_ver, "r3_44") == 0 ||
+ strcasecmp(dilithium_ver, "r3_65") == 0 ||
+ strcasecmp(dilithium_ver, "r3_87") == 0) {
break;
} else {
fprintf(stderr, "IBM Dilithium version [%s] not supported \n", dilithium_ver);
@@ -2450,7 +2489,7 @@ static CK_RV generate_asymmetric_key(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
CK_ATTRIBUTE prv_attr[KEY_MAX_BOOL_ATTR_COUNT + 2];
CK_ULONG prv_acount = 0;
CK_MECHANISM mech;
- CK_ULONG i;
+ CK_ULONG i, keyform;
CK_RV rc;
const char separator = ':';
@@ -2475,6 +2514,12 @@ static CK_RV generate_asymmetric_key(CK_SESSION_HANDLE session, CK_SLOT_ID slot,
}
break;
case kt_IBM_DILITHIUM:
+ rc = read_dilithium_args(dilithium_ver, &keyform,
+ pub_attr, &pub_acount);
+ if (rc) {
+ fprintf(stderr, "Error parsing Dilithium parameters!\n");
+ goto done;
+ }
printf("Generating Dilithium keypair with %s\n", dilithium_ver);
break;
default:
--
2.16.2.windows.1