Enable options to populate CKA_ID by subjectKeyIdentifier or by device location (slot/handle)

Author: bryan-hunt

lib/cmake/pkcs11.cmake

@@ -15,6 +15,7 @@ set(PKCS11_PIN_PBKDF2_ITERATIONS  2 CACHE STRING "Define how many iterations PBK
 set(PKCS11_SEARCH_CACHE_SIZE    250 CACHE STRING "Static Search Attribute Cache in bytes")
 set(PKCS11_TOKEN_INIT_SUPPORT   OFF CACHE BOOL   "Support for configuring a blank or new device")
 set(PKCS11_MONOTONIC_ENABLE     OFF CACHE BOOL   "Include the monotonic hardware feature as an object")
+set(PKCS11_AUTO_ID_ENABLE       ON  CACHE BOOL   "Generate CKA_ID values based on standards")
 
 file(GLOB PKCS11_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.c")
 file(GLOB PKCS11_INC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "pkcs11/*.h")

lib/pkcs11/pkcs11_cert.c

@@ -372,6 +372,35 @@ CK_RV pkcs11_cert_get_trusted_flag(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttrib
     return CKR_ARGUMENTS_BAD;
 }
 
+static CK_RV pkcs11_cert_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute)
+{
+#if PKCS11_AUTO_ID_ENABLE
+    return pkcs11_cert_get_subject_key_id(pObject, pAttribute);
+#elif ATCA_CA_SUPPORT
+    pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject;
+    CK_RV rv = CKR_ARGUMENTS_BAD;
+
+    if (obj_ptr)
+    {
+        pkcs11_cert_check_trust_data(obj_ptr);
+
+        if (obj_ptr->data)
+        {
+            atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data;
+            uint16_t key_id = ATCA_UINT16_HOST_TO_BE(cert_cfg->public_key_dev_loc.slot);
+            rv = pkcs11_attrib_fill(pAttribute, &key_id, sizeof(uint16_t));
+        }
+        else
+        {
+            return pkcs11_attrib_empty(NULL, pAttribute);
+        }
+    }
+    return rv;
+#else
+    return pkcs11_attrib_empty(pObject, pAttribute);
+#endif
+}
+
 /**
  * CKO_CERTIFICATE (Type: CKC_X_509) - X509 Public Key Certificate Model
  */
@@ -411,7 +440,7 @@ const pkcs11_attrib_model pkcs11_cert_x509public_attributes[] = {
     /** DER-encoded Certificate subject name */
     { CKA_SUBJECT,                    pkcs11_cert_get_subject                                                                                                                                                                                                                           },
     /** Key identifier for public/private key pair (default empty) */
-    { CKA_ID,                         pkcs11_attrib_empty                                                                                                                                                                                                                               },
+    { CKA_ID,                         pkcs11_cert_get_id                                                                                                                                                                                                                                },
     /** DER-encoded Certificate issuer name (default empty)*/
     { CKA_ISSUER,                     pkcs11_attrib_empty                                                                                                                                                                                                                               },
     /** DER-encoding of the certificate serial number (default empty) */

lib/pkcs11/pkcs11_config.h.in

@@ -115,6 +115,10 @@
 #cmakedefine01 PKCS11_MONOTONIC_ENABLE
 #endif
 
+/** Automatically generate CKA_ID values based on standards */
+#ifndef PKCS11_AUTO_ID_ENABLE
+#cmakedefine01 PKCS11_AUTO_ID_ENABLE
+#endif
 
 #include "pkcs11/cryptoki.h"
 #include <stddef.h>

lib/pkcs11/pkcs11_key.c

@@ -373,6 +373,61 @@ static CK_RV pkcs11_key_auth_required(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAtt
     return rv;
 }
 
+static CK_RV pkcs11_key_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute)
+{
+    pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject;
+    CK_RV rv = CKR_ARGUMENTS_BAD;
+
+    if (obj_ptr)
+    {
+#if PKCS11_AUTO_ID_ENABLE
+        if (pAttribute->pValue)
+        {
+            CK_BBOOL is_private;
+
+            if (CKR_OK == (rv = pkcs11_object_is_private(obj_ptr, &is_private)))
+            {
+                ATCA_STATUS status;
+                uint8_t buffer[1 + ATCA_ECCP256_PUBKEY_SIZE] = {0x04};
+
+                if (is_private)
+                {
+                    status = atcab_get_pubkey(obj_ptr->slot, &buffer[1]);
+                    PKCS11_DEBUG("atcab_get_pubkey: %x\r\n", status);
+                }
+                else
+                {
+                    status = atcab_read_pubkey(obj_ptr->slot, &buffer[1]);
+                    PKCS11_DEBUG("atcab_read_pubkey: %x\r\n", status);
+                }
+
+                if (ATCA_SUCCESS == status)
+                {
+                    status = atcac_sw_sha1(buffer, sizeof(buffer), buffer);
+                }
+
+                if (ATCA_SUCCESS == status)
+                {
+                    rv = pkcs11_attrib_fill(pAttribute, buffer, ATCA_SHA1_DIGEST_SIZE);
+                }
+                else
+                {
+                    rv = pkcs11_util_convert_rv(status);
+                }
+            }
+        }
+        else
+        {
+            rv = pkcs11_attrib_fill(pAttribute, NULL, ATCA_SHA1_DIGEST_SIZE);
+        }
+#else
+        uint16_t key_id = ATCA_UINT16_HOST_TO_BE(obj_ptr->slot);
+        rv = pkcs11_attrib_fill(pAttribute, &key_id, sizeof(uint16_t));
+#endif
+    }
+    return rv;
+}
+
 /**
  * CKO_PUBLIC_KEY - Public Key Object Model
  */
@@ -394,7 +449,7 @@ const pkcs11_attrib_model pkcs11_key_public_attributes[] = {
     /** Type of key */
     { CKA_KEY_TYPE,           pkcs11_object_get_type                                                                                                                                                              },
     /** Key identifier for key (default empty) */
-    { CKA_ID,                 pkcs11_attrib_empty                                                                                                                                                                 },
+    { CKA_ID,                 pkcs11_key_get_id                                                                                                                                                                 },
     /** Start date for the key (default empty) */
     { CKA_START_DATE,         pkcs11_attrib_empty                                                                                                                                                                 },
     /** End date for the key (default empty) */
@@ -484,7 +539,7 @@ const pkcs11_attrib_model pkcs11_key_private_attributes[] = {
     /** Type of key */
     { CKA_KEY_TYPE,            pkcs11_object_get_type                                                                                                                                                                                       },
     /** Key identifier for key (default empty) */
-    { CKA_ID,                  pkcs11_attrib_empty                                                                                                                                                                                          },
+    { CKA_ID,                  pkcs11_key_get_id                                                                                                                                                                                          },
     /** Start date for the key (default empty) */
     { CKA_START_DATE,          pkcs11_attrib_empty                                                                                                                                                                                          },
     /** End date for the key (default empty) */