aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-03-01Compute public key if necessary when loading a private key.Rob Austein
libhal and PKCS #11 have slightly different models of private keys: in libhal, a "private key" object is really a keypair, while in PKCS #11 a private key really is a naked private key. This was a deliberate design decision in libhal, both for simplicity and to better support user interfaces other than PKCS #11, so we'd rather not change it. This difference doesn't matter very much for RSA keys in PKCS #11, where the private key components are a superset of the public key components anyway, but the PKCS #11 template for ECDSA private keys doesn't allow setting public key components with C_CreateObject(). Fortunately, computing the public components of an ECDSA key pair from the private key is straightforward, so we just do that when needed.
2016-12-21Add hal_ks_init_read_only_pins_only() so bootloader can use PINs.Rob Austein
2016-12-19Merge broke forced selection of software-only hash cores in client builds.Rob Austein
2016-12-19Merge branch 'master' into ksngRob Austein
2016-11-22Clean up ks_set_attributes() a bit.Rob Austein
Fixed handling of deletion actions: code was still using the zero-length attribute convention instead of HAL_PKEY_ATTRIBUTE_NIL. Track existing attributes more closely while copying data from old chunks to new ones in the slow path: the old algorithm had a few dangerous corner cases which could have resulted in the wrong values being written to the new chunks. Single-block-update fast path now under compile-time conditional; in the long run, we probably want this enabled, but it's disabled for now in order to force use and testing of the slow path. This function probably needs to be broken up into a collection of smaller inline functions for readability.
2016-11-21Whack attribute code with a club until it works with PKCS #11.Rob Austein
PKCS #11 supports zero-length attributes (eg, CKA_LABEL) so hack of using zero length attribute as NIL value won't work, instead we use a slightly more portable version of the hack PKCS #11 uses (PKCS #11 stuffs -1 into a CK_ULONG, we stuff 0xFFFFFFFF into a uint32_t). ks_attribute.c code was trying too hard and tripping over its own socks. Instead of trying to maintain attributes[] in place during modification, we now perform the minimum necessary change then re-scan the block. This is (very slightly) slower but more robust, both because the scan code has better error checking and because it's the scan code that we want to be sure is happy before committing a change. Rename hal_rpc_pkey_attribute_t to hal_pkey_attribute_t.
2016-11-21pkey_match() should just skip keys it lacks permission to read.Rob Austein
2016-11-20Move UUID utilities to hal.h; change attribute values to (const void *).Rob Austein
2016-11-19Support queries for attribute length and presence.Rob Austein
Calling hal_rpc_pkey_get_attributes() with attribute_buffer_len = 0 now changes the return behavior so that it reports the lengths of attributes listed in the query, with a length of zero for attributes not present at all. This is mostly to support C_GetAttributeValue() in PKCS #11, but we also use it to make the Python interface a bit kinder to the user.
2016-11-15Allow keystore reinitialization without re-allocating static memory.Rob Austein
Wiping the keystore flash requires reinitializing the keystore, but we don't want to allocate new static memory when we do this.
2016-11-14Tweak pkey access control to allow wheel to see keys.Rob Austein
The current pkey access control rules are a bit complex, because they need to support the somewhat complex rules required by PKCS #11. This is fine, as far as it goes, but a strict interpretation leaves HAL_USER_NORMAL as the only user able to see many keys. This is confusing when using the CLI, to put it mildly. HAL_USER_WHEEL is intended for exactly this sort of thing: it's a user ID which, by definition, can never appear in an RPC call from PKCS to see the same keys that HAL_USER_NORMAL would. HAL_USER_SO remains restricted per the PKCS #11 rules.
2016-11-14More API cleanup: remove hal_rpc_pkey_list().Rob Austein
hal_rpc_pkey_list() was a simplistic solution that worked when the keystore only supported a handful of keys and we needed a quick temporary solution in time for a workshop. It doesn't handle large numbers of keys well, and while we could fix that, all of its functionality is now available via more robust API functions, so simplifying the API by deleting it seems best. Since this change required mucking with dispatch vectors yet again, it converts them to use C99 "designated initializer" syntax.
2016-11-14hal_rpc_pkey_find() -> hal_rpc_pkey_open().Rob Austein
2016-11-14Remove now-gratuitous check which kept attribute deletion from working.Rob Austein
This check made sense when attribute deletion was a separate operation, but now that it has been folded into set_attributes(), this check was worse than useless.
2016-11-11Drag C pkey test code up to current RPC API.Rob Austein
2016-11-10Clean out huge swacks of RPC API we don't need anymore.Rob Austein
pkey attribute API is now just set_attributes() and get_attributes().
2016-11-10First cut at ks_flash support for attribute get/set/delete API.Rob Austein
Passes minimal unit-testing and the same minimal tests report that it does deliver the desired performance speed-up. More testing and much cleanup still needed. Attribute API not quite stable yet, we're probably going to want to remove all the singleton attribute operations from the RPC protocol, and it turns out that ks_delete_attributes() has enough code in common with ks_set_attributes() that it makes more sense to handle the former as a special case of the latter.
2016-11-08First cut at multi-attribute get/set/delete API.Rob Austein
This is not yet complete, only the ks_volatile driver supports it, ks_flash will be a bit more complicated and isn't written yet. At the moment, this adds a complete duplicate set of {set,get,delete}_attributes() functions in parallel to the earlier {set,get,delete}_attribute() functions. We will almost certainly want to get rid of the duplicates, probably (but not necessarily) the entire single-attribute suite. At the moment, though, we want both sets so we can compare execution speeds of the two sets of functions.
2016-11-05Add hal_rpc_pkey_match() tests to C client test code.Rob Austein
2016-11-05Debug most recent changes to C client RPC API.Rob Austein
2016-11-05Add attribute read timing tests.Rob Austein
Result of running all these timing tests is about what theory would have predicted: read time does not vary significantly between RAM and flash, but write time sure does.
2016-11-05ks_list() was returning garbage for keys not visible to current session.Rob Austein
2016-11-04.set_attribute() speed tests.Rob Austein
2016-11-04Doh, tests should not assume an empty keystore.Rob Austein
2016-11-04More attribute bloat tests, pinwheel to monitor progress.Rob Austein
Watching the pinwheel makes it clear that the painfully slow execution of test_attribute_bloat_flash_many() isn't a single hidously long delay anywhere, rather it's a long steady stream of slow operations and it's the cumulative time that's hurting us. Most likely this is entirely dominated by flash write time, and suggests that it may be worth the additional API and implementation complexity to handle setting a complete set of attributes in a single operation, so that we only have to pay the flash write toll once. Will probably require further testing before we can make an informed decision.
2016-11-03Add keystore attribute tests; add wrapper for Python crypto.Rob Austein
New test class to thrash the keystore attribute mechanism. Added wrapper classes to encapsulate the more obscure bits of the multiple Python public key APIs we're using in a single uniform API, which lets us simplify some of the tests considerably.
2016-11-03Reorder writing of new chunks in ks_set_attribute().Rob Austein
ks_set_attribute() was written before hal_ks_index_fsck(), and was violating the latter's assumptions for no particularly good reason. Writing out new chunks in the expected order is no more work, and simplifies the consistency checks, so do it that way.
2016-11-03Fix sign error in ks_name_cmp(), confusion in hal_ks_index_fsck().Rob Austein
ks_name_cmp() was reporting inverted order when comparing two names which differ only by chunk number. hal_ks_index_fsck() was both broken and more complex than needed.
2016-11-02Convert pkey_match() test into a proper assertion-based unit test.Rob Austein
2016-11-02Get rid of libhal.Attribute (dict suffices).Rob Austein
2016-11-02Archive verbose version of pkey_match() tests before reducing to assertions.Rob Austein
2016-11-02Debug dict() support, add set() support.Rob Austein
2016-11-02Test pkey_match() attribute handling.Rob Austein
2016-11-02Fix pkey_get_attribute(), handle XDR encoding of base types properly.Rob Austein
pkey_get_attribute() wasn't passing value_max, resulting in an XDR error. XDR encoding of built-in types now uses isinstance() rather than playing nasty games with the string names of base types.
2016-11-01Add hal_rpc_pkey_get_key_curve().Rob Austein
Incidental minor refactoring of hal_rpc_server_dispatch().
2016-11-01More Pythonic API for certain pkey calls.Rob Austein
PKey objects can now be used as context managers, in which case the key handle will be closed when the block exits. HSM.pkey_find() now returns a generator which will iterate through the full set of results, making additional RPC calls as necessary. NIST ECDSA test vector test refactored to remove duplicated code.
2016-11-01Fix hal_rpc_pkey_match() calling convention.Rob Austein
Old calling sequence didn't quite work, caller had no sane way to know how large the buffer needed to be. Revised sequence is similar to what the PKCS #11 C_FindObject() call does: return the next batch of UUIDs, up to the number specified, end of data indicated by getting back something less than a full block of UUIDs.
2016-11-01Clean out debugging code (flash I/O ring log).Rob Austein
2016-11-01hal_ks_index_fsck() and a pile of debugging code.Rob Austein
The debugging code was for tracking down what turned out to be a race condition in the Alpha's flash driver code (see sw/stm32); much of this was temporary, and will be removed in a (near) future commit, but some of the techniques were useful and belong in the repository in case we need to pull them back for something similar in the future. hal_ks_index_fsck() attempts to diagnose all the things I found wrong in the ks_flash index after one long series of errors. As presently written, it doesn't attempt to fix anything, just diagnose errors: the intent is that we can call this, before and after every modification if necessary, to poinpoint exactly which calls introduce errors. Once things stablize a bit, we may want to crank down the number of calls to this (it's a bit expensive, since it checks the entire index), and perhaps add the ability to clean up whatever errors it might find; the latter might be a good candidate for a CLI command.
2016-10-30Interop tests against Python RSA and ECDSA implementations.Rob Austein
2016-10-30Continue fleshing out libhal Python unit tests.Rob Austein
2016-10-30Preliminary libhal.py test code superseded by unit-tests.pyRob Austein
2016-10-30Use public RPC API when dispatching from RPC server.Rob Austein
The rpc_server code used to bypass the public API calls by using the RPC dispatch vectors directly, but doing so bypasses various checks for trivial argument errors. It's not safe for the HSM to trust the client to check these, and duplicating the checks in the client and server code is error prone, so the best solution is for the server code to dispatch via the public API, as it was originally designed to do, and not try to micro-optimize the dispatch calls.
2016-10-29Add a bunch of static key tests, including a mixed-mode workout suite.Rob Austein
2016-10-29Mixed mode needs to support PKCS #1.5 DigestInfo for RSA.Rob Austein
2016-10-26Version 0.1 of a set of HSM unit tests, using the Python RPC API.Rob Austein
This is very incomplete. Portions of it are still verbatim copies of the PKCS #11 unit tests, and have not yet been pruned for relevance, much less converted to the corresponding libhal tests.
2016-10-26Add PyCrypto-based mixed-mode support to Python RPC client.Rob Austein
2016-10-26Fix pure-remote-mode hal_rpc_pkey_{sign,verify}().Rob Austein
Pure-remote-mode (where even the hashing is done in the HSM) did not work, because XDR passes zero length strings rather than NULL string pointers. Mostly, we use fixed mode, so nobody noticed.
2016-10-25Uppercase HAL_DIGEST_ALGORITHM_ symbols for API consistency.Rob Austein
2016-10-24Flesh out key object access control.Rob Austein
This is more complicated than I'd have liked, because the PKCS #11 semantics are (much) more complicated than just "are you logged in?" New code passes basic testing with libhal.py and the PKCS #11 unit tests, but there are still unexplored corner cases to be checked. Private token objects remain simple. Code which does not need PKCS HAL_KEY_FLAG_TOKEN and avoid HAL_KEY_FLAG_PUBLIC.