corePKCS11 v3.5.0
PKCS #11 Cryptoki Library
core_pkcs11_mbedtls.c File Reference

mbedTLS-based PKCS#11 implementation for software keys. This file deviates from the FreeRTOS style standard for some function names and data types in order to maintain compliance with the PKCS #11 standard. More...

#include "core_pkcs11_config.h"
#include "core_pkcs11_config_defaults.h"
#include "core_pkcs11.h"
#include "core_pkcs11_pal.h"
#include "core_pki_utils.h"
#include "mbedtls/pk.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
#include "mbedtls/sha256.h"
#include "mbedtls/cmac.h"
#include "mbedtls/platform.h"
#include "mbedtls/threading.h"
#include "mbedtls/error.h"
#include <string.h>

Data Structures

struct  P11Object_t
 PKCS #11 object container. More...
 
struct  P11ObjectList_t
 PKCS #11 object container list. More...
 
struct  P11Struct_t
 PKCS #11 Module Object. More...
 
struct  P11Session_t
 Session structure. More...
 

Macros

#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 Declaring MBEDTLS_ALLOW_PRIVATE_ACCESS allows access to mbedtls "private" fields.
 
#define mbedtlsHighLevelCodeOrDefault(mbedTlsCode)
 Utility for converting the high-level code in an mbedTLS error to a string if the code contains a high-level code; otherwise, a default string is used. More...
 
#define mbedtlsLowLevelCodeOrDefault(mbedTlsCode)
 Utility for converting the low-level code in an mbedTLS error to a string if the code contains a low-level code; otherwise, a default string is used. More...
 
#define pkcs11MUTEX_WAIT_MS   ( pdMS_TO_TICKS( 5000U ) )
 Delay to wait on acquiring a mutex, in ms.
 
#define pkcs11NO_OPERATION   ( ( CK_MECHANISM_TYPE ) 0xFFFFFFFFUL )
 Indicates that no PKCS #11 operation is underway for given session.
 
#define pkcs11_PRIVATE_EC_PRIME_256_DER_SIZE   160
 size of a prime256v1 EC private key in bytes, when encoded in DER.
 
#define pkcs11_PUBLIC_EC_PRIME_256_DER_SIZE   100
 size of a prime256v1 EC public key in bytes, when encoded in DER.
 
#define pkcs11_PUBLIC_RSA_2048_DER_SIZE   300
 size of a 2048 bit RSA public key in bytes, when encoded in DER.
 
#define pkcs11_PRIVATE_RSA_2048_DER_SIZE   1200
 size of a 2048 bit RSA private key in bytes, in DER encoding.
 
#define pkcs11_MAX_EC_PUBLIC_KEY_DER_SIZE   pkcs11_PUBLIC_EC_PRIME_256_DER_SIZE
 Max size of an EC public key in bytes, in DER encoding.
 
#define pkcs11_MAX_EC_PRIVATE_KEY_DER_SIZE   pkcs11_PRIVATE_EC_PRIME_256_DER_SIZE
 Max size of an EC private key in bytes, in DER encoding.
 
#define pkcs11EC_POINT_LENGTH   ( ( 32UL * 2UL ) + 1UL + 1UL + 1UL )
 Length of bytes to contain an EC point. More...
 
#define pkcs11_MAX_PUBLIC_KEY_DER_SIZE   pkcs11_PUBLIC_RSA_2048_DER_SIZE
 Max size of a public key. This macro defines the size of a key in bytes, in DER encoding. More...
 
#define pkcs11_MAX_PRIVATE_KEY_DER_SIZE   pkcs11_PRIVATE_RSA_2048_DER_SIZE
 Max key length of a key. This macro defines the size of a key in bytes, in DER format. More...
 
#define pkcs11KEY_GEN_MAX_DER_SIZE   200
 The size of the buffer malloc'ed for the exported public key in C_GenerateKeyPair.
 
#define pkcs11SLOT_ID   1
 The slot ID to be returned by this PKCS #11 implementation. More...
 
#define LABEL_IN_TEMPLATE   ( 1U )
 Private defines for checking that attribute templates are complete. More...
 
#define PRIVATE_IN_TEMPLATE   ( 1U << 1 )
 
#define SIGN_IN_TEMPLATE   ( 1U << 2 )
 
#define EC_PARAMS_IN_TEMPLATE   ( 1U << 3 )
 
#define VERIFY_IN_TEMPLATE   ( 1U << 4 )
 
#define PKCS11_INVALID_KEY_TYPE   ( ( CK_KEY_TYPE ) 0xFFFFFFFFUL )
 Macro to signify an invalid PKCS #11 key type.
 
#define PKCS11_SHA256_HMAC_MIN_SIZE   ( 32UL )
 Private define for minimum SHA256-HMAC key size.
 
#define PKCS11_AES_CMAC_MIN_SIZE   ( 16UL )
 Private define for minimum AES-CMAC key size, in bytes.
 
#define PKCS11_USING_HMAC   ( 1 )
 Private define to inform mbedtls MD module to use an HMAC for the MD context.
 
#define MBEDTLS_VERSION_NUMBER   0
 Define the MBEDTLS_VERSION_NUMBER as 0 if it is not defined, done for MISRA rule 20.9.
 

Functions

static CK_RV prvCheckValidSessionAndModule (const P11Session_t *pxSession)
 Helper to check if the current session is initialized and valid. More...
 
static P11Session_t * prvSessionPointerFromHandle (CK_SESSION_HANDLE xSession)
 Maps an opaque caller session handle into its internal state structure.
 
static CK_BBOOL prvOperationActive (const P11Session_t *pxSession)
 Determines if an operation is in progress.
 
static CK_RV prvMbedTLS_Initialize (void)
 Initialize mbedTLS.
 
static CK_RV prvGetObjectClass (const CK_ATTRIBUTE *pxTemplate, CK_ULONG ulCount, CK_OBJECT_CLASS *pxClass)
 Searches a template for the CKA_CLASS attribute.
 
static CK_RV prvCertAttParse (CK_ATTRIBUTE *pxAttribute, CK_CERTIFICATE_TYPE *pxCertificateType, CK_BYTE_PTR *ppxCertificateValue, CK_ULONG *pxCertificateLength, CK_ATTRIBUTE **ppxLabel)
 Parses attribute values for a certificate.
 
static CK_RV prvRsaPrivKeyAttParse (const CK_ATTRIBUTE *pxAttribute)
 Parses attribute values for an RSA private Key.
 
static CK_RV prvRsaPubKeyAttParse (const CK_ATTRIBUTE *pxAttribute)
 Parses attribute values for an RSA public Key.
 
static CK_RV prvRsaContextParse (const CK_ATTRIBUTE *pxAttribute, mbedtls_rsa_context *pxRsaContext)
 Parses attribute values for an RSA key and puts them in the mbed TLS context.
 
static CK_RV prvRsaKeyAttParse (const CK_ATTRIBUTE *pxAttribute, mbedtls_rsa_context *pxRsaContext, CK_BBOOL xIsPrivate)
 Parses attribute values for a RSA Key.
 
static void prvFindObjectInListByLabel (const CK_BYTE *pcLabel, CK_ULONG xLabelLength, CK_OBJECT_HANDLE_PTR pxPalHandle, CK_OBJECT_HANDLE_PTR pxAppHandle)
 Searches the PKCS #11 module's object list for label and provides handle. More...
 
static void prvFindObjectInListByHandle (CK_OBJECT_HANDLE xAppHandle, CK_OBJECT_HANDLE_PTR pxPalHandle, CK_BYTE_PTR *ppcLabel, CK_ULONG_PTR pxLabelLength)
 Looks up a PKCS #11 object's label and PAL handle given an application handle. More...
 
static CK_RV prvDeleteObjectFromList (CK_OBJECT_HANDLE xPalHandle)
 Removes an object from the module object list (xP11Context.xObjectList) More...
 
static CK_RV prvAddObjectToList (CK_OBJECT_HANDLE xPalHandle, CK_OBJECT_HANDLE_PTR pxAppHandle, const CK_BYTE *pcLabel, CK_ULONG xLabelLength)
 Add an object that exists in NVM to the application object array. More...
 
static CK_RV prvAppendEmptyECDerKey (uint8_t *pusECPrivateKey, uint32_t ulDerBufSize, int32_t lDerKeyLength, uint32_t *pulActualKeyLength)
 Append an empty public key to DER formatted EC private key.
 
static CK_RV prvSaveDerKeyToPal (mbedtls_pk_context *pxMbedContext, CK_OBJECT_HANDLE_PTR pxObject, CK_ATTRIBUTE *pxLabel, CK_KEY_TYPE xKeyType, CK_BBOOL xIsPrivate)
 Save a DER formatted key in the PKCS #11 PAL.
 
CK_RV C_Initialize (CK_VOID_PTR pInitArgs)
 Initializes Cryptoki. More...
 
CK_RV C_Finalize (CK_VOID_PTR pReserved)
 Clean up miscellaneous Cryptoki-associated resources.
 
CK_RV C_GetFunctionList (CK_FUNCTION_LIST_PTR_PTR ppFunctionList)
 Obtains entry points of Cryptoki library functions. More...
 
CK_RV C_GetSlotList (CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
 Obtains a list of slots in the system. More...
 
CK_RV C_GetTokenInfo (CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 Obtains information about a particular token. More...
 
CK_RV C_GetMechanismInfo (CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo)
 Obtains information about a particular mechanism. More...
 
CK_RV C_InitToken (CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel)
 Initializes a token. This function is not implemented for this port. More...
 
CK_RV C_OpenSession (CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession)
 Opens a connection between an application and a particular token or sets up an application callback for token insertion. More...
 
CK_RV C_CloseSession (CK_SESSION_HANDLE hSession)
 Closes a session. More...
 
CK_RV C_Login (CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen)
 Logs into a token. This function is not implemented for this port. More...
 
static CK_RV prvCreateCertificate (CK_ATTRIBUTE *pxTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR pxObject)
 Helper function for parsing the templates of device certificates for C_CreateObject. More...
 
static void prvGetKeyType (CK_KEY_TYPE *pxKeyType, const CK_ATTRIBUTE *pxTemplate, CK_ULONG ulCount)
 Helper to search an attribute for the key type attribute. More...
 
static void prvGetLabel (CK_ATTRIBUTE **ppxLabel, CK_ATTRIBUTE *pxTemplate, CK_ULONG ulCount)
 Helper to search a template for the label attribute. More...
 
static CK_RV prvCreateRsaKey (CK_ATTRIBUTE *pxTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR pxObject, CK_BBOOL xIsPrivate)
 Helper function for parsing RSA Private Key attribute templates for C_CreateObject. More...
 
static CK_RV prvHMACKeyAttParse (const CK_ATTRIBUTE *pxAttribute, CK_BYTE_PTR *ppxHmacKey, CK_ULONG *pulHmacKeyLen)
 Parses attribute values for a HMAC Key.
 
static CK_RV prvCreateSHA256HMAC (CK_ATTRIBUTE *pxTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR pxObject)
 Helper function for parsing SHA256-HMAC Key attribute templates for C_CreateObject. More...
 
static CK_RV prvCMACKeyAttParse (const CK_ATTRIBUTE *pxAttribute, CK_BYTE_PTR *ppxCmacKey, CK_ULONG *pulCmacKeyLen)
 Parses attribute values for a CMAC Key.
 
static CK_RV prvCreateAESCMAC (CK_ATTRIBUTE *pxTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR pxObject)
 Helper function for parsing AES-CMAC Key attribute templates for C_CreateObject. More...
 
static CK_RV prvCreatePrivateKey (CK_ATTRIBUTE *pxTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR pxObject)
 Helper function for importing private keys using template C_CreateObject. More...
 
static CK_RV prvCreatePublicKey (CK_ATTRIBUTE *pxTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR pxObject)
 Helper function for importing public keys using C_CreateObject. More...
 
static CK_RV prvCreateSecretKey (CK_ATTRIBUTE *pxTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR pxObject)
 Helper function for importing secret keys using template C_CreateObject. More...
 
CK_RV C_CreateObject (CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phObject)
 Creates an object. More...
 
CK_RV C_DestroyObject (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
 Destroys an object. More...
 
CK_RV C_GetAttributeValue (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
 Obtains an attribute value of an object. More...
 
CK_RV C_FindObjectsInit (CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
 Initializes an object search operation. More...
 
CK_RV C_FindObjects (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, CK_ULONG ulMaxObjectCount, CK_ULONG_PTR pulObjectCount)
 Continues an object search operation. More...
 
CK_RV C_FindObjectsFinal (CK_SESSION_HANDLE hSession)
 Finishes an object search operation. More...
 
CK_RV C_DigestInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism)
 Initializes a message-digesting operation. More...
 
CK_RV C_DigestUpdate (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen)
 Continues a multiple-part digesting operation. More...
 
CK_RV C_DigestFinal (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen)
 Finishes a multiple-part digesting operation. More...
 
static void prvHMACCleanUp (P11Session_t *pxSession)
 Helper function for cleaning up a HMAC operation. More...
 
static CK_RV prvInitSHA256HMAC (P11Session_t *pxSession, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
 Helper function for initializing a SHA256-HMAC operation. More...
 
static CK_RV prvSignInitSHA256HMAC (P11Session_t *pxSession, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
 Helper function for initializing a sign operation for SHA256-HMAC. More...
 
static void prvCMACCleanUp (P11Session_t *pxSession)
 Helper function for cleaning up an CMAC operation. More...
 
static CK_RV prvInitAESCMAC (P11Session_t *pxSession, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
 Helper function for initializing a AES-CMAC operation. More...
 
static CK_RV prvSignInitAESCMAC (P11Session_t *pxSession, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
 Helper function for initializing a sign operation for AES-CMAC. More...
 
static void prvSignInitEC_RSACleanUp (P11Session_t *pxSession)
 Helper function for cleaning up a sign operation for an EC or RSA key. More...
 
static CK_RV prvSignInitEC_RSAKeys (P11Session_t *pxSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
 Helper function for initializing a sign operation for an EC or RSA key. More...
 
CK_RV C_SignInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
 Initializes a signature operation. More...
 
CK_RV C_Sign (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
 Signs single-part data. More...
 
static CK_RV prvVerifyInitSHA256HMAC (P11Session_t *pxSession, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
 Helper function for initializing a verify operation for SHA256-HMAC. More...
 
static CK_RV prvVerifyInitAESCMAC (P11Session_t *pxSession, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
 Helper function for initializing a verify operation for AES-CMAC. More...
 
static void prvVerifyInitEC_RSACleanUp (P11Session_t *pxSession)
 Helper function for cleaning up a verify operation for an EC or RSA key. More...
 
static CK_RV prvVerifyInitEC_RSAKeys (P11Session_t *pxSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
 Helper function for initializing a verify operation for an EC or RSA key. More...
 
CK_RV C_VerifyInit (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
 Initializes a verification operation. More...
 
CK_RV C_Verify (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
 Verifies a signature on single-part data. More...
 
static CK_RV prvCheckGenerateKeyPairPrivateTemplate (CK_ATTRIBUTE **ppxLabel, CK_ATTRIBUTE *pxAttribute, uint32_t *pulAttributeMap)
 Checks that the private key template provided for C_GenerateKeyPair contains all necessary attributes, and does not contain any invalid attributes. More...
 
static CK_RV prvCheckGenerateKeyPairPublicTemplate (CK_ATTRIBUTE **ppxLabel, CK_ATTRIBUTE *pxAttribute, uint32_t *pulAttributeMap)
 Checks that the public key template provided for C_GenerateKeyPair contains all necessary attributes, and does not contain any invalid attributes. More...
 
CK_RV C_GenerateKeyPair (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey)
 Generates a public-key/private-key pair. More...
 
CK_RV C_GenerateRandom (CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData, CK_ULONG ulRandomLen)
 Generates random data. More...
 

Variables

static const char * pNoHighLevelMbedTlsCodeStr = "<No-High-Level-Code>"
 Represents string to be logged when mbedTLS returned error does not contain a high-level code.
 
static const char * pNoLowLevelMbedTlsCodeStr = "<No-Low-Level-Code>"
 Represents string to be logged when mbedTLS returned error does not contain a low-level code.
 
static P11Struct_t xP11Context
 The global PKCS #11 module object. Entropy/randomness and object lists are shared across PKCS #11 sessions.
 
static P11Session_t pxP11Sessions [pkcs11configMAX_SESSIONS] = { 0 }
 The global PKCS #11 session list.
 

Detailed Description

mbedTLS-based PKCS#11 implementation for software keys. This file deviates from the FreeRTOS style standard for some function names and data types in order to maintain compliance with the PKCS #11 standard.

Macro Definition Documentation

◆ mbedtlsHighLevelCodeOrDefault

#define mbedtlsHighLevelCodeOrDefault (   mbedTlsCode)
Value:
( mbedtls_high_level_strerr( mbedTlsCode ) != NULL ) ? \
mbedtls_high_level_strerr( mbedTlsCode ) : pNoHighLevelMbedTlsCodeStr
static const char * pNoHighLevelMbedTlsCodeStr
Represents string to be logged when mbedTLS returned error does not contain a high-level code.
Definition: core_pkcs11_mbedtls.c:76

Utility for converting the high-level code in an mbedTLS error to a string if the code contains a high-level code; otherwise, a default string is used.

◆ mbedtlsLowLevelCodeOrDefault

#define mbedtlsLowLevelCodeOrDefault (   mbedTlsCode)
Value:
( mbedtls_low_level_strerr( mbedTlsCode ) != NULL ) ? \
mbedtls_low_level_strerr( mbedTlsCode ) : pNoLowLevelMbedTlsCodeStr
static const char * pNoLowLevelMbedTlsCodeStr
Represents string to be logged when mbedTLS returned error does not contain a low-level code.
Definition: core_pkcs11_mbedtls.c:82

Utility for converting the low-level code in an mbedTLS error to a string if the code contains a low-level code; otherwise, a default string is used.

◆ PRIVATE_IN_TEMPLATE

#define PRIVATE_IN_TEMPLATE   ( 1U << 1 )

Bit set for private key in template.

◆ SIGN_IN_TEMPLATE

#define SIGN_IN_TEMPLATE   ( 1U << 2 )

Bit set for sign in template.

◆ EC_PARAMS_IN_TEMPLATE

#define EC_PARAMS_IN_TEMPLATE   ( 1U << 3 )

Bit set for EC params in template.

◆ VERIFY_IN_TEMPLATE

#define VERIFY_IN_TEMPLATE   ( 1U << 4 )

Bit set for verify in template.

Function Documentation

◆ prvCheckValidSessionAndModule()

static CK_RV prvCheckValidSessionAndModule ( const P11Session_t *  pxSession)
static

Helper to check if the current session is initialized and valid.

MISRA Rule 10.5 - Cannot cast from unsigned to signed. The rule 10.5 is violated because type of the boolean macros defined by PKCS #11 are 0 and 1, which results in a signed integer, meanwhile the underlying type of CK_BBOOL is an unsigned char.

This means that our implementation conforms to the exception provided by MISRA. To quote MISRA: "An integer constant expression with the value 0 or 1 of either signedness may be cast to a type which is defined as essentially Boolean. This allows the implementation of non-C99 Boolean models."

◆ prvFindObjectInListByLabel()

static void prvFindObjectInListByLabel ( const CK_BYTE *  pcLabel,
CK_ULONG  xLabelLength,
CK_OBJECT_HANDLE_PTR  pxPalHandle,
CK_OBJECT_HANDLE_PTR  pxAppHandle 
)
static

Parses attribute values for a private EC Key.

Parses attribute values for a public EC Key.

Parses attribute values for an EC Key.

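Searches the PKCS #11 module's object list for label and provides handle. (The three "Parses attribute values ..." lines above describe EC key attribute parsing, not this function; they appear to have been attached here by the documentation generator.)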

Parameters
[in]pcLabelArray containing label.
[in]xLabelLengthLength of the label, in bytes.
[out]pxPalHandlePointer to the PAL handle to be provided. CK_INVALID_HANDLE if no object found.
[out]pxAppHandlePointer to the application handle to be provided. CK_INVALID_HANDLE if no object found.

◆ prvFindObjectInListByHandle()

static void prvFindObjectInListByHandle ( CK_OBJECT_HANDLE  xAppHandle,
CK_OBJECT_HANDLE_PTR  pxPalHandle,
CK_BYTE_PTR *  ppcLabel,
CK_ULONG_PTR  pxLabelLength 
)
static

Looks up a PKCS #11 object's label and PAL handle given an application handle.

Parameters
[in] xAppHandle: The handle of the object being looked up, as used by the application.
[out] pxPalHandle: Pointer to the handle used by the PAL that corresponds to xAppHandle.
[out] ppcLabel: Pointer to an array containing label. NULL if object not found.
[out] pxLabelLength: Pointer to label length (includes a string null terminator). 0 if no object found.

◆ prvDeleteObjectFromList()

static CK_RV prvDeleteObjectFromList ( CK_OBJECT_HANDLE  xPalHandle)
static

Removes an object from the module object list (xP11Context.xObjectList)

Warning
This does not delete the object from NVM.
Parameters
[in]xPalHandlePAL handle of the object to be deleted.

◆ prvAddObjectToList()

static CK_RV prvAddObjectToList ( CK_OBJECT_HANDLE  xPalHandle,
CK_OBJECT_HANDLE_PTR  pxAppHandle,
const CK_BYTE *  pcLabel,
CK_ULONG  xLabelLength 
)
static

Add an object that exists in NVM to the application object array.

Parameters
[in]xPalHandleThe handle used by the PKCS #11 PAL for object.
[out]pxAppHandleUpdated to contain the application handle corresponding to xPalHandle.
[in]pcLabelPointer to object label.
[in]xLabelLengthLength of the PKCS #11 label.

◆ C_Initialize()

CK_RV C_Initialize ( CK_VOID_PTR  pInitArgs)

Initializes Cryptoki.

Note
C_Initialize is not thread-safe.

C_Initialize should be called (and allowed to return) before any additional PKCS #11 operations are invoked.

In this implementation, all arguments are ignored. Thread protection for the rest of the PKCS #11 functions defaults to FreeRTOS primitives.

Parameters
[in]pInitArgsThis parameter is ignored.
Returns
CKR_OK if successful. CKR_CRYPTOKI_ALREADY_INITIALIZED if C_Initialize was previously called. All other errors indicate that the PKCS #11 module is not ready to be used.

◆ C_GetFunctionList()

CK_RV C_GetFunctionList ( CK_FUNCTION_LIST_PTR_PTR  ppFunctionList)

Obtains entry points of Cryptoki library functions.

All other PKCS #11 functions should be invoked using the returned function list.

Warning
Do not overwrite the function list.
Parameters
[in]ppFunctionListPointer to the location where pointer to function list will be placed.
Returns
CKR_OK if successful.

◆ C_GetSlotList()

CK_RV C_GetSlotList ( CK_BBOOL  tokenPresent,
CK_SLOT_ID_PTR  pSlotList,
CK_ULONG_PTR  pulCount 
)

Obtains a list of slots in the system.

This port does not implement the concept of separate slots/tokens.

Parameters
[in] tokenPresent: This parameter is unused by this port.
[in] pSlotList: Pointer to an array of slot IDs. At this time, only 1 slot is implemented.
[in,out] pulCount: Length of the slot list pSlotList. Updated to contain the actual number of slots written to the list.
Returns
CKR_OK if successful.

◆ C_GetTokenInfo()

CK_RV C_GetTokenInfo ( CK_SLOT_ID  slotID,
CK_TOKEN_INFO_PTR  pInfo 
)

Obtains information about a particular token.

Parameters
[in]slotIDThis parameter is unused in this port.
[out]pInfoThis parameter is unused in this port.

C_GetTokenInfo() is only implemented for compatibility with other ports. All inputs to this function are ignored, and calling this function on this port does not provide any information about the PKCS #11 token.

Returns
CKR_OK.

◆ C_GetMechanismInfo()

CK_RV C_GetMechanismInfo ( CK_SLOT_ID  slotID,
CK_MECHANISM_TYPE  type,
CK_MECHANISM_INFO_PTR  pInfo 
)

Obtains information about a particular mechanism.

Parameters
[in]slotIDThis parameter is unused in this port.
[in]typeThe cryptographic capability for which support information is being queried.
[out]pInfoAlgorithm sizes and flags for the requested mechanism, if supported.
Returns
CKR_OK if the mechanism is supported. Otherwise, CKR_MECHANISM_INVALID.

◆ C_InitToken()

CK_RV C_InitToken ( CK_SLOT_ID  slotID,
CK_UTF8CHAR_PTR  pPin,
CK_ULONG  ulPinLen,
CK_UTF8CHAR_PTR  pLabel 
)

Initializes a token. This function is not implemented for this port.

C_InitToken() is only implemented for compatibility with other ports. All inputs to this function, including the PIN, are ignored, and it returns CKR_OK regardless of their values; calling this function on this port does not add any security.

Returns
CKR_OK.

◆ C_OpenSession()

CK_RV C_OpenSession ( CK_SLOT_ID  slotID,
CK_FLAGS  flags,
CK_VOID_PTR  pApplication,
CK_NOTIFY  Notify,
CK_SESSION_HANDLE_PTR  phSession 
)

Opens a connection between an application and a particular token or sets up an application callback for token insertion.

Note
PKCS #11 module must have been previously initialized with a call to C_Initialize() before calling C_OpenSession().
Parameters
[in]slotIDThis parameter is unused in this port.
[in]flagsSession flags - CKF_SERIAL_SESSION is a mandatory flag.
[in]pApplicationThis parameter is unused in this port.
[in]NotifyThis parameter is unused in this port.
[in]phSessionPointer to the location that the created session's handle will be placed.
Returns
CKR_OK if successful.

◆ C_CloseSession()

CK_RV C_CloseSession ( CK_SESSION_HANDLE  hSession)

Closes a session.

Parameters
[in]hSessionThe session handle to be terminated.
Returns
CKR_OK if successful.

◆ C_Login()

CK_RV C_Login ( CK_SESSION_HANDLE  hSession,
CK_USER_TYPE  userType,
CK_UTF8CHAR_PTR  pPin,
CK_ULONG  ulPinLen 
)

Logs into a token. This function is not implemented for this port.

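C_Login() is only implemented for compatibility with other ports. All inputs to this function, including the PIN, are ignored, and it returns CKR_OK regardless of their values; calling this function on this port does not authenticate the caller and does not add any security.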

Returns
CKR_OK.

◆ prvCreateCertificate()

static CK_RV prvCreateCertificate ( CK_ATTRIBUTE *  pxTemplate,
CK_ULONG  ulCount,
CK_OBJECT_HANDLE_PTR  pxObject 
)
static

Helper function for parsing the templates of device certificates for C_CreateObject.

Parameters
[in]pxTemplatePointer to PKCS #11 attribute template.
[in]ulCountlength of templates array.
[in]pxObjectPointer to PKCS #11 object.
Returns
CKR_OK.

◆ prvGetKeyType()

static void prvGetKeyType ( CK_KEY_TYPE *  pxKeyType,
const CK_ATTRIBUTE *  pxTemplate,
CK_ULONG  ulCount 
)
static

Helper to search an attribute for the key type attribute.

Parameters
[out]pxKeyTypepointer to key type.
[in]pxTemplatetemplates to search for a key in.
[in]ulCountlength of templates array.

◆ prvGetLabel()

static void prvGetLabel ( CK_ATTRIBUTE **  ppxLabel,
CK_ATTRIBUTE *  pxTemplate,
CK_ULONG  ulCount 
)
static

Helper to search a template for the label attribute.

Parameters
[out]ppxLabelpointer to label.
[in]pxTemplatetemplates to search for a key in.
[in]ulCountlength of templates array.

◆ prvCreateRsaKey()

static CK_RV prvCreateRsaKey ( CK_ATTRIBUTE *  pxTemplate,
CK_ULONG  ulCount,
CK_OBJECT_HANDLE_PTR  pxObject,
CK_BBOOL  xIsPrivate 
)
static

Helper function for parsing RSA Private Key attribute templates for C_CreateObject.

Parameters
[in]pxTemplatetemplates to search for a key in.
[in]ulCountlength of templates array.
[in]pxObjectPKCS #11 object handle.
[in]xIsPrivateboolean indicating whether the key is private or public.

◆ prvCreateSHA256HMAC()

static CK_RV prvCreateSHA256HMAC ( CK_ATTRIBUTE *  pxTemplate,
CK_ULONG  ulCount,
CK_OBJECT_HANDLE_PTR  pxObject 
)
static

Helper function for parsing SHA256-HMAC Key attribute templates for C_CreateObject.

Parameters
[in]pxTemplatetemplates to search for a key in.
[in]ulCountlength of templates array.
[in]pxObjectPKCS #11 object handle.

◆ prvCreateAESCMAC()

static CK_RV prvCreateAESCMAC ( CK_ATTRIBUTE *  pxTemplate,
CK_ULONG  ulCount,
CK_OBJECT_HANDLE_PTR  pxObject 
)
static

Helper function for parsing AES-CMAC Key attribute templates for C_CreateObject.

Parameters
[in]pxTemplatetemplates to search for a key in.
[in]ulCountlength of templates array.
[in]pxObjectPKCS #11 object handle.

◆ prvCreatePrivateKey()

static CK_RV prvCreatePrivateKey ( CK_ATTRIBUTE *  pxTemplate,
CK_ULONG  ulCount,
CK_OBJECT_HANDLE_PTR  pxObject 
)
static

Helper function for importing private keys using template C_CreateObject.

Parameters
[in]pxTemplatetemplates to search for a key in.
[in]ulCountlength of templates array.
[in]pxObjectPKCS #11 object handle.

◆ prvCreatePublicKey()

static CK_RV prvCreatePublicKey ( CK_ATTRIBUTE *  pxTemplate,
CK_ULONG  ulCount,
CK_OBJECT_HANDLE_PTR  pxObject 
)
static

Helper function for importing public keys using C_CreateObject.

Parameters
[in]pxTemplatetemplates to search for a key in.
[in]ulCountlength of templates array.
[in]pxObjectPKCS #11 object handle.

◆ prvCreateSecretKey()

static CK_RV prvCreateSecretKey ( CK_ATTRIBUTE *  pxTemplate,
CK_ULONG  ulCount,
CK_OBJECT_HANDLE_PTR  pxObject 
)
static

Helper function for importing secret keys using template C_CreateObject.

Parameters
[in]pxTemplatetemplates to search for a key in.
[in]ulCountlength of templates array.
[in]pxObjectPKCS #11 object handle.

◆ C_CreateObject()

CK_RV C_CreateObject ( CK_SESSION_HANDLE  hSession,
CK_ATTRIBUTE_PTR  pTemplate,
CK_ULONG  ulCount,
CK_OBJECT_HANDLE_PTR  phObject 
)

Creates an object.

Parameters
[in]hSessionHandle of a valid PKCS #11 session.
[in]pTemplateList of attributes of the object to be created.
[in]ulCountNumber of attributes in pTemplate.
[out]phObjectPointer to the location where the created object's handle will be placed.
Object Type Template Attributes
CertificateCKA_CLASS
CKA_VALUE
CKA_TOKEN
CKA_LABEL
CKA_CERTIFICATE_TYPE
CKA_VALUE
EC Private KeyCKA_CLASS
CKA_KEY_TYPE
CKA_TOKEN
CKA_LABEL
CKA_SIGN
CKA_EC_PARAMS
CKA_VALUE
EC Public KeyCKA_CLASS
CKA_KEY_TYPE
CKA_TOKEN
CKA_VERIFY
CKA_LABEL
CKA_EC_PARAMS
CKA_EC_POINT
RSA Private KeyCKA_CLASS
CKA_KEY_TYPE
CKA_TOKEN
CKA_LABEL
CKA_SIGN
CKA_MODULUS
CKA_PUBLIC_EXPONENT
CKA_PRIME_1
CKA_PRIME_2
CKA_PRIVATE_EXPONENT
CKA_EXPONENT_1
CKA_EXPONENT_2
CKA_COEFFICIENT
Returns
CKR_OK if successful.

◆ C_DestroyObject()

CK_RV C_DestroyObject ( CK_SESSION_HANDLE  hSession,
CK_OBJECT_HANDLE  hObject 
)

Destroys an object.

Parameters
[in]hSessionHandle of a valid PKCS #11 session.
[in]hObjectHandle of the object to be destroyed.
Warning
In this implementation, if either the device public key or the device private key (labels pkcs11configLABEL_DEVICE_PUBLIC_KEY_FOR_TLS and pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS) is deleted, both keys will be destroyed.
Returns
CKR_OK if successful.

◆ C_GetAttributeValue()

CK_RV C_GetAttributeValue ( CK_SESSION_HANDLE  hSession,
CK_OBJECT_HANDLE  hObject,
CK_ATTRIBUTE_PTR  pTemplate,
CK_ULONG  ulCount 
)

Obtains an attribute value of an object.

Parameters
[in] hSession: Handle of a valid PKCS #11 session.
[in] hObject: PKCS #11 object handle to be queried.
[in,out] pTemplate: Attribute template. pTemplate.type should be set to the attribute to be queried. pTemplate.ulValueLen should be set to the length of the buffer allocated at pTemplate.pValue, and will be updated to contain the actual length of the data copied. pTemplate.pValue should be set to point to a buffer to receive the attribute value data. If parameter length is unknown, pTemplate.pValue may be set to NULL, and this function will set the required buffer length in pTemplate.ulValueLen.
[in] ulCount: The number of attributes in the template.
Object Type Queryable Attributes
CertificateCKA_CLASS
CKA_VALUE
EC Private KeyCKA_CLASS
CKA_KEY_TYPE
CKA_EC_PARAMS
EC Public KeyCKA_CLASS
CKA_KEY_TYPE
CKA_EC_PARAMS
CKA_EC_POINT
RSA Private KeyCKA_CLASS
CKA_KEY_TYPE
RSA Public KeyCKA_CLASS
CKA_KEY_TYPE
Returns
CKR_OK if successful.

◆ C_FindObjectsInit()

CK_RV C_FindObjectsInit ( CK_SESSION_HANDLE  hSession,
CK_ATTRIBUTE_PTR  pTemplate,
CK_ULONG  ulCount 
)

Initializes an object search operation.

See also
C_FindObjects() and C_FindObjectsFinal() which must be called after C_FindObjectsInit().
Note
FindObjects parameters are shared by a session. Calling C_FindObjectsInit(), C_FindObjects(), and C_FindObjectsFinal() with the same session across different tasks may lead to unexpected results.
Parameters
[in]hSessionHandle of a valid PKCS #11 session.
[in]pTemplatePointer to a template which specifies the object attributes to match. In this port, the only searchable attribute is object label. All other attributes will be ignored.
[in]ulCountThe number of attributes in pTemplate.
Returns
CKR_OK if successful.

◆ C_FindObjects()

CK_RV C_FindObjects ( CK_SESSION_HANDLE  hSession,
CK_OBJECT_HANDLE_PTR  phObject,
CK_ULONG  ulMaxObjectCount,
CK_ULONG_PTR  pulObjectCount 
)

Continues an object search operation.

See also
C_FindObjectsInit() which must be called before calling C_FindObjects() and C_FindObjectsFinal(), which must be called after.
Note
FindObjects parameters are shared by a session. Calling C_FindObjectsInit(), C_FindObjects(), and C_FindObjectsFinal() with the same session across different tasks may lead to unexpected results.
Parameters
[in]hSessionHandle of a valid PKCS #11 session.
[out]phObjectPoints to the handle of the object to be found.
[in]ulMaxObjectCountThe size of the phObject object handle array. In this port, this value should always be set to 1, as searching for multiple objects is not supported.
[out]pulObjectCountThe actual number of objects that are found. In this port, if an object is found this value will be 1, otherwise if the object is not found, it will be set to 0.
Note
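In the event that an object does not exist, CKR_OK will be returned, but pulObjectCount will be set to 0, so callers must check pulObjectCount, not only the return value, to learn whether the object was found.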
Returns
CKR_OK if successful.

◆ C_FindObjectsFinal()

CK_RV C_FindObjectsFinal ( CK_SESSION_HANDLE  hSession)

Finishes an object search operation.

See also
C_FindObjectsInit(), C_FindObjects() which must be called before calling C_FindObjectsFinal().
Note
FindObjects parameters are shared by a session. Calling C_FindObjectsInit(), C_FindObjects(), and C_FindObjectsFinal() with the same session across different tasks may lead to unexpected results.
Parameters
[in]hSessionHandle of a valid PKCS #11 session.
Returns
CKR_OK if successful.

◆ C_DigestInit()

CK_RV C_DigestInit ( CK_SESSION_HANDLE  hSession,
CK_MECHANISM_PTR  pMechanism 
)

Initializes a message-digesting operation.

See also
C_DigestUpdate(), C_DigestFinal()
Note
Digest parameters are shared by a session. Calling C_DigestInit(), C_DigestUpdate(), and C_DigestFinal() with the same session across different tasks may lead to unexpected results.
Parameters
[in]hSessionHandle of a valid PKCS #11 session.
[in]pMechanismDigesting mechanism. This port only supports the mechanism CKM_SHA256.
Returns
CKR_OK if successful.

◆ C_DigestUpdate()

CK_RV C_DigestUpdate ( CK_SESSION_HANDLE  hSession,
CK_BYTE_PTR  pPart,
CK_ULONG  ulPartLen 
)

Continues a multiple-part digesting operation.

See also
C_DigestInit(), C_DigestFinal()
Note
Digest parameters are shared by a session. Calling C_DigestInit(), C_DigestUpdate(), and C_DigestFinal() with the same session across different tasks may lead to unexpected results.
Parameters
[in]hSessionHandle of a valid PKCS #11 session.
[in]pPartPointer to the data to be added to the digest.
[in]ulPartLenLength of the data located at pPart.
Returns
CKR_OK if successful.

◆ C_DigestFinal()

CK_RV C_DigestFinal ( CK_SESSION_HANDLE  hSession,
CK_BYTE_PTR  pDigest,
CK_ULONG_PTR  pulDigestLen 
)

Finishes a multiple-part digesting operation.

See also
C_DigestInit(), C_DigestUpdate()
Note
Digest parameters are shared by a session. Calling C_DigestInit(), C_DigestUpdate(), and C_DigestFinal() with the same session across different tasks may lead to unexpected results.
Parameters
[in] hSession: Handle of a valid PKCS #11 session.
[out] pDigest: Pointer to the location that receives the message digest. The caller is responsible for allocating this memory. Providing NULL for this input will cause pulDigestLen to be updated with the length of the buffer required.
[in,out] pulDigestLen: Points to the location that holds the length of the message digest. If pDigest is NULL, this value is updated to contain the length of the buffer needed to hold the digest. Otherwise it is updated to contain the actual length of the digest placed in pDigest.
Returns
CKR_OK if successful.

◆ prvHMACCleanUp()

static void prvHMACCleanUp ( P11Session_t pxSession)
static

Helper function for cleaning up a HMAC operation.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.

◆ prvInitSHA256HMAC()

static CK_RV prvInitSHA256HMAC ( P11Session_t pxSession,
CK_OBJECT_HANDLE  hKey,
CK_BYTE_PTR  pucKeyData,
CK_ULONG  ulKeyDataLength 
)
static

Helper function for initializing a SHA256-HMAC operation.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.
[in] hKey: HMAC secret key handle.
[in] pucKeyData: HMAC secret key data.
[in] ulKeyDataLength: HMAC key size.

◆ prvSignInitSHA256HMAC()

static CK_RV prvSignInitSHA256HMAC ( P11Session_t pxSession,
CK_OBJECT_HANDLE  hKey,
CK_BYTE_PTR  pucKeyData,
CK_ULONG  ulKeyDataLength 
)
static

Helper function for initializing a sign operation for SHA256-HMAC.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.
[in] hKey: HMAC secret key handle.
[in] pucKeyData: HMAC secret key data.
[in] ulKeyDataLength: HMAC key size.

◆ prvCMACCleanUp()

static void prvCMACCleanUp ( P11Session_t pxSession)
static

Helper function for cleaning up a CMAC operation.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.

◆ prvInitAESCMAC()

static CK_RV prvInitAESCMAC ( P11Session_t pxSession,
CK_OBJECT_HANDLE  hKey,
CK_BYTE_PTR  pucKeyData,
CK_ULONG  ulKeyDataLength 
)
static

Helper function for initializing an AES-CMAC operation.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.
[in] hKey: CMAC secret key handle.
[in] pucKeyData: CMAC secret key data.
[in] ulKeyDataLength: CMAC key size.

◆ prvSignInitAESCMAC()

static CK_RV prvSignInitAESCMAC ( P11Session_t pxSession,
CK_OBJECT_HANDLE  hKey,
CK_BYTE_PTR  pucKeyData,
CK_ULONG  ulKeyDataLength 
)
static

Helper function for initializing a sign operation for AES-CMAC.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.
[in] hKey: CMAC secret key handle.
[in] pucKeyData: CMAC secret key data.
[in] ulKeyDataLength: CMAC key size.

◆ prvSignInitEC_RSACleanUp()

static void prvSignInitEC_RSACleanUp ( P11Session_t pxSession)
static

Helper function for cleaning up a sign operation for an EC or RSA key.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.

◆ prvSignInitEC_RSAKeys()

static CK_RV prvSignInitEC_RSAKeys ( P11Session_t pxSession,
CK_MECHANISM_PTR  pMechanism,
CK_OBJECT_HANDLE  hKey,
CK_BYTE_PTR  pucKeyData,
CK_ULONG  ulKeyDataLength 
)
static

Helper function for initializing a sign operation for an EC or RSA key.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.
[in] pMechanism: EC/RSA mechanism.
[in] hKey: EC/RSA private key handle.
[in] pucKeyData: EC/RSA public key data.
[in] ulKeyDataLength: EC/RSA public key size.

◆ C_SignInit()

CK_RV C_SignInit ( CK_SESSION_HANDLE  hSession,
CK_MECHANISM_PTR  pMechanism,
CK_OBJECT_HANDLE  hKey 
)

Initializes a signature operation.

See also
C_Sign() completes signatures initiated by C_SignInit().
Note
C_Sign() parameters are shared by a session. Calling C_SignInit() & C_Sign() with the same session across different tasks may lead to unexpected results.
Parameters
[in] hSession: Handle of a valid PKCS #11 session.
[in] pMechanism: Mechanism used to sign. This port supports the following mechanisms:
  • CKM_RSA_PKCS for RSA signatures
  • CKM_ECDSA for elliptic curve signatures
Note that neither of these mechanisms performs a hash operation, so any hashing of the data has to be done by the caller before C_Sign().
[in] hKey: The handle of the private key to be used for signature. Key must be compatible with the mechanism chosen by pMechanism.
Returns
CKR_OK if successful.

◆ C_Sign()

CK_RV C_Sign ( CK_SESSION_HANDLE  hSession,
CK_BYTE_PTR  pData,
CK_ULONG  ulDataLen,
CK_BYTE_PTR  pSignature,
CK_ULONG_PTR  pulSignatureLen 
)

Signs single-part data.

See also
C_SignInit() initiates signature creation.
Note
C_Sign() parameters are shared by a session. Calling C_SignInit() & C_Sign() with the same session across different tasks may lead to unexpected results.
Parameters
[in] hSession: Handle of a valid PKCS #11 session.
[in] pData: Data to be signed. Note: Some applications may require this data to be hashed before passing to C_Sign().
[in] ulDataLen: Length of pData, in bytes.
[out] pSignature: Buffer where the signature will be placed. Caller is responsible for allocating memory. Providing NULL for this input will cause pulSignatureLen to be updated with the length of the buffer required.
[in,out] pulSignatureLen: Length of the pSignature buffer. If pSignature is non-NULL, pulSignatureLen is updated to contain the actual signature length. If pSignature is NULL, pulSignatureLen is updated to the buffer length required for signature data.
Returns
CKR_OK if successful.

◆ prvVerifyInitSHA256HMAC()

static CK_RV prvVerifyInitSHA256HMAC ( P11Session_t pxSession,
CK_OBJECT_HANDLE  hKey,
CK_BYTE_PTR  pucKeyData,
CK_ULONG  ulKeyDataLength 
)
static

Helper function for initializing a verify operation for SHA256-HMAC.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.
[in] hKey: HMAC secret key handle.
[in] pucKeyData: HMAC secret key data.
[in] ulKeyDataLength: HMAC key size.

◆ prvVerifyInitAESCMAC()

static CK_RV prvVerifyInitAESCMAC ( P11Session_t pxSession,
CK_OBJECT_HANDLE  hKey,
CK_BYTE_PTR  pucKeyData,
CK_ULONG  ulKeyDataLength 
)
static

Helper function for initializing a verify operation for AES-CMAC.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.
[in] hKey: CMAC secret key handle.
[in] pucKeyData: CMAC secret key data.
[in] ulKeyDataLength: CMAC key size.

◆ prvVerifyInitEC_RSACleanUp()

static void prvVerifyInitEC_RSACleanUp ( P11Session_t pxSession)
static

Helper function for cleaning up a verify operation for an EC or RSA key.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.

◆ prvVerifyInitEC_RSAKeys()

static CK_RV prvVerifyInitEC_RSAKeys ( P11Session_t pxSession,
CK_MECHANISM_PTR  pMechanism,
CK_OBJECT_HANDLE  hKey,
CK_BYTE_PTR  pucKeyData,
CK_ULONG  ulKeyDataLength 
)
static

Helper function for initializing a verify operation for an EC or RSA key.

Parameters
[in] pxSession: Pointer to a valid PKCS #11 session.
[in] pMechanism: EC/RSA mechanism.
[in] hKey: EC/RSA public key handle.
[in] pucKeyData: EC/RSA public key data.
[in] ulKeyDataLength: EC/RSA public key size.

◆ C_VerifyInit()

CK_RV C_VerifyInit ( CK_SESSION_HANDLE  hSession,
CK_MECHANISM_PTR  pMechanism,
CK_OBJECT_HANDLE  hKey 
)

Initializes a verification operation.

See also
C_Verify() completes verifications initiated by C_VerifyInit().
Note
C_Verify() parameters are shared by a session. Calling C_VerifyInit() & C_Verify() with the same session across different tasks may lead to unexpected results.
Parameters
[in] hSession: Handle of a valid PKCS #11 session.
[in] pMechanism: Mechanism used to verify signature. This port supports the following mechanisms:
  • CKM_RSA_X_509 for RSA verifications
  • CKM_ECDSA for elliptic curve verifications
[in] hKey: The handle of the public key to be used for verification. Key must be compatible with the mechanism chosen by pMechanism.
Returns
CKR_OK if successful.

◆ C_Verify()

CK_RV C_Verify ( CK_SESSION_HANDLE  hSession,
CK_BYTE_PTR  pData,
CK_ULONG  ulDataLen,
CK_BYTE_PTR  pSignature,
CK_ULONG  ulSignatureLen 
)

Verifies a signature on single-part data.

Note
C_VerifyInit() must have been called previously.
C_Verify() parameters are shared by a session. Calling C_VerifyInit() & C_Verify() with the same session across different tasks may lead to unexpected results.
Parameters
[in] hSession: Handle of a valid PKCS #11 session.
[in] pData: Data whose signature is to be verified. Note: In this implementation, this is generally expected to be the hash of the data.
[in] ulDataLen: Length of pData.
[in] pSignature: The signature to be verified.
[in] ulSignatureLen: Length of pSignature in bytes.
Returns
CKR_OK if successful.

◆ prvCheckGenerateKeyPairPrivateTemplate()

static CK_RV prvCheckGenerateKeyPairPrivateTemplate ( CK_ATTRIBUTE **  ppxLabel,
CK_ATTRIBUTE *  pxAttribute,
uint32_t *  pulAttributeMap 
)
static

Checks that the private key template provided for C_GenerateKeyPair contains all necessary attributes, and does not contain any invalid attributes.

Parameters
[out] ppxLabel: Pointer to PKCS #11 label.
[in] pxAttribute: PKCS #11 attribute to search.
[in] pulAttributeMap: Flag to track whether all required attributes are in the key generation template.
Returns
CKR_OK if successful.

◆ prvCheckGenerateKeyPairPublicTemplate()

static CK_RV prvCheckGenerateKeyPairPublicTemplate ( CK_ATTRIBUTE **  ppxLabel,
CK_ATTRIBUTE *  pxAttribute,
uint32_t *  pulAttributeMap 
)
static

Checks that the public key template provided for C_GenerateKeyPair contains all necessary attributes, and does not contain any invalid attributes.

Parameters
[out] ppxLabel: Pointer to PKCS #11 label.
[in] pxAttribute: PKCS #11 attribute to search.
[in] pulAttributeMap: Flag to track whether all required attributes are in the key generation template.
Returns
CKR_OK if successful.

◆ C_GenerateKeyPair()

CK_RV C_GenerateKeyPair ( CK_SESSION_HANDLE  hSession,
CK_MECHANISM_PTR  pMechanism,
CK_ATTRIBUTE_PTR  pPublicKeyTemplate,
CK_ULONG  ulPublicKeyAttributeCount,
CK_ATTRIBUTE_PTR  pPrivateKeyTemplate,
CK_ULONG  ulPrivateKeyAttributeCount,
CK_OBJECT_HANDLE_PTR  phPublicKey,
CK_OBJECT_HANDLE_PTR  phPrivateKey 
)

Generates a public-key/private-key pair.

This port only supports generating elliptic curve P-256 key pairs.

Parameters
[in] hSession: Handle of a valid PKCS #11 session.
[in] pMechanism: Pointer to a mechanism. At this time, CKM_EC_KEY_PAIR_GEN is the only supported mechanism.
[in] pPublicKeyTemplate: Pointer to a list of attributes that the generated public key should possess. Public key template must have the following attributes:
  • CKA_LABEL
    • Label should be no longer than pkcs11configMAX_LABEL_LENGTH and must be supported by port's PKCS #11 PAL.
  • CKA_EC_PARAMS
    • Must equal pkcs11DER_ENCODED_OID_P256. Only P-256 keys are supported.
  • CKA_VERIFY
    • Must be set to true. Only public keys used for verification are supported.
Public key templates may have the following attributes:
  • CKA_KEY_TYPE
    • Must be set to CKK_EC. Only elliptic curve key generation is supported.
  • CKA_TOKEN
    • Must be set to CK_TRUE.
[in] ulPublicKeyAttributeCount: Number of attributes in pPublicKeyTemplate.
[in] pPrivateKeyTemplate: Pointer to a list of attributes that the generated private key should possess. Private key template must have the following attributes:
  • CKA_LABEL
    • Label should be no longer than pkcs11configMAX_LABEL_LENGTH and must be supported by port's PKCS #11 PAL.
  • CKA_PRIVATE
    • Must be set to true.
  • CKA_SIGN
    • Must be set to true. Only private keys used for signing are supported.
Private key template may have the following attributes:
  • CKA_KEY_TYPE
    • Must be set to CKK_EC. Only elliptic curve key generation is supported.
  • CKA_TOKEN
    • Must be set to CK_TRUE.
[in] ulPrivateKeyAttributeCount: Number of attributes in pPrivateKeyTemplate.
[out] phPublicKey: Pointer to the handle of the public key to be created.
[out] phPrivateKey: Pointer to the handle of the private key to be created.
Note
Not all attributes specified by the PKCS #11 standard are supported.
CKA_LOCAL attribute is not supported.
Returns
CKR_OK if successful.

◆ C_GenerateRandom()

CK_RV C_GenerateRandom ( CK_SESSION_HANDLE  hSession,
CK_BYTE_PTR  RandomData,
CK_ULONG  ulRandomLen 
)

Generates random data.

Parameters
[in] hSession: Handle of a valid PKCS #11 session.
[out] RandomData: Pointer to the location where the random data will be placed. It is the responsibility of the application to allocate this memory.
[in] ulRandomLen: Length of data (in bytes) to be generated.
Returns
CKR_OK if successful.