Age | Commit message (Collapse) | Author |
|
libhal and PKCS #11 have slightly different models of private keys: in
libhal, a "private key" object is really a keypair, while in PKCS #11
a private key really is a naked private key. This was a deliberate
design decision in libhal, both for simplicity and to better support
user interfaces other than PKCS #11, so we'd rather not change it.
This difference doesn't matter very much for RSA keys in PKCS #11,
where the private key components are a superset of the public key
components anyway, but the PKCS #11 template for ECDSA private keys
doesn't allow setting public key components with C_CreateObject().
Fortunately, computing the public components of an ECDSA key pair from
the private key is straightforward, so we just do that when needed.
|
|
|
|
|
|
|
|
Fixed handling of deletion actions: code was still using the
zero-length attribute convention instead of HAL_PKEY_ATTRIBUTE_NIL.
Track existing attributes more closely while copying data from old
chunks to new ones in the slow path: the old algorithm had a few
dangerous corner cases which could have resulted in the wrong values
being written to the new chunks.
Single-block-update fast path now under compile-time conditional; in
the long run, we probably want this enabled, but it's disabled for now
in order to force use and testing of the slow path.
This function probably needs to be broken up into a collection of
smaller inline functions for readability.
|
|
PKCS #11 supports zero-length attributes (eg, CKA_LABEL) so hack of
using zero length attribute as NIL value won't work, instead we use a
slightly more portable version of the hack PKCS #11 uses (PKCS #11
stuffs -1 into a CK_ULONG, we stuff 0xFFFFFFFF into a uint32_t).
ks_attribute.c code was trying too hard and tripping over its own
socks. Instead of trying to maintain attributes[] in place during
modification, we now perform the minimum necessary change then re-scan
the block. This is (very slightly) slower but more robust, both
because the scan code has better error checking and because it's the
scan code that we want to be sure is happy before committing a change.
Rename hal_rpc_pkey_attribute_t to hal_pkey_attribute_t.
|
|
|
|
|
|
Calling hal_rpc_pkey_get_attributes() with attribute_buffer_len = 0
now changes the return behavior so that it reports the lengths of
attributes listed in the query, with a length of zero for attributes
not present at all. This is mostly to support C_GetAttributeValue()
in PKCS #11, but we also use it to make the Python interface a bit
kinder to the user.
|
|
Wiping the keystore flash requires reinitializing the keystore, but we
don't want to allocate new static memory when we do this.
|
|
The current pkey access control rules are a bit complex, because they
need to support the somewhat complex rules required by PKCS #11. This
is fine, as far as it goes, but a strict interpretation leaves
HAL_USER_NORMAL as the only user able to see many keys. This is
confusing when using the CLI, to put it mildly.
HAL_USER_WHEEL is intended for exactly this sort of thing: it's a user
ID which, by definition, can never appear in an RPC call from PKCS
to see the same keys that HAL_USER_NORMAL would.
HAL_USER_SO remains restricted per the PKCS #11 rules.
|
|
hal_rpc_pkey_list() was a simplistic solution that worked when the
keystore only supported a handful of keys and we needed a quick
temporary solution in time for a workshop. It doesn't handle large
numbers of keys well, and while we could fix that, all of its
functionality is now available via more robust API functions, so
simplifying the API by deleting it seems best.
Since this change required mucking with dispatch vectors yet again, it
converts them to use C99 "designated initializer" syntax.
|
|
|
|
This check made sense when attribute deletion was a separate
operation, but now that it has been folded into set_attributes(), this
check was worse than useless.
|
|
|
|
pkey attribute API is now just set_attributes() and get_attributes().
|
|
Passes minimal unit-testing and the same minimal tests report that it
does deliver the desired performance speed-up. More testing and much
cleanup still needed.
Attribute API not quite stable yet, we're probably going to want to
remove all the singleton attribute operations from the RPC protocol,
and it turns out that ks_delete_attributes() has enough code in common
with ks_set_attributes() that it makes more sense to handle the former
as a special case of the latter.
|
|
This is not yet complete, only the ks_volatile driver supports it,
ks_flash will be a bit more complicated and isn't written yet.
At the moment, this adds a complete duplicate set of
{set,get,delete}_attributes() functions in parallel to the earlier
{set,get,delete}_attribute() functions. We will almost certainly want
to get rid of the duplicates, probably (but not necessarily) the
entire single-attribute suite. At the moment, though, we want both
sets so we can compare execution speeds of the two sets of functions.
|
|
|
|
|
|
Result of running all these timing tests is about what theory would
have predicted: read time does not vary significantly between RAM and
flash, but write time sure does.
|
|
|
|
|
|
|
|
Watching the pinwheel makes it clear that the painfully slow execution
of test_attribute_bloat_flash_many() isn't a single hidously long
delay anywhere, rather it's a long steady stream of slow operations
and it's the cumulative time that's hurting us. Most likely this is
entirely dominated by flash write time, and suggests that it may be
worth the additional API and implementation complexity to handle
setting a complete set of attributes in a single operation, so that we
only have to pay the flash write toll once.
Will probably require further testing before we can make an informed
decision.
|
|
New test class to thrash the keystore attribute mechanism.
Added wrapper classes to encapsulate the more obscure bits of the
multiple Python public key APIs we're using in a single uniform API,
which lets us simplify some of the tests considerably.
|
|
ks_set_attribute() was written before hal_ks_index_fsck(), and was
violating the latter's assumptions for no particularly good reason.
Writing out new chunks in the expected order is no more work, and
simplifies the consistency checks, so do it that way.
|
|
ks_name_cmp() was reporting inverted order when comparing two names
which differ only by chunk number.
hal_ks_index_fsck() was both broken and more complex than needed.
|
|
|
|
|
|
|
|
|
|
|
|
pkey_get_attribute() wasn't passing value_max, resulting in an XDR error.
XDR encoding of built-in types now uses isinstance() rather than
playing nasty games with the string names of base types.
|
|
Incidental minor refactoring of hal_rpc_server_dispatch().
|
|
PKey objects can now be used as context managers, in which case the
key handle will be closed when the block exits.
HSM.pkey_find() now returns a generator which will iterate through the
full set of results, making additional RPC calls as necessary.
NIST ECDSA test vector test refactored to remove duplicated code.
|
|
Old calling sequence didn't quite work, caller had no sane way to know
how large the buffer needed to be. Revised sequence is similar to
what the PKCS #11 C_FindObject() call does: return the next batch of
UUIDs, up to the number specified, end of data indicated by getting
back something less than a full block of UUIDs.
|
|
|
|
The debugging code was for tracking down what turned out to be a race
condition in the Alpha's flash driver code (see sw/stm32); much of
this was temporary, and will be removed in a (near) future commit, but
some of the techniques were useful and belong in the repository in
case we need to pull them back for something similar in the future.
hal_ks_index_fsck() attempts to diagnose all the things I found wrong
in the ks_flash index after one long series of errors. As presently
written, it doesn't attempt to fix anything, just diagnose errors: the
intent is that we can call this, before and after every modification
if necessary, to poinpoint exactly which calls introduce errors. Once
things stablize a bit, we may want to crank down the number of calls
to this (it's a bit expensive, since it checks the entire index), and
perhaps add the ability to clean up whatever errors it might find; the
latter might be a good candidate for a CLI command.
|
|
|
|
|
|
|
|
The rpc_server code used to bypass the public API calls by using the
RPC dispatch vectors directly, but doing so bypasses various checks
for trivial argument errors. It's not safe for the HSM to trust the
client to check these, and duplicating the checks in the client and
server code is error prone, so the best solution is for the server
code to dispatch via the public API, as it was originally designed to
do, and not try to micro-optimize the dispatch calls.
|
|
|
|
|
|
This is very incomplete. Portions of it are still verbatim copies of
the PKCS #11 unit tests, and have not yet been pruned for relevance,
much less converted to the corresponding libhal tests.
|
|
|
|
Pure-remote-mode (where even the hashing is done in the HSM) did not
work, because XDR passes zero length strings rather than NULL string
pointers. Mostly, we use fixed mode, so nobody noticed.
|
|
|
|
This is more complicated than I'd have liked, because the PKCS #11
semantics are (much) more complicated than just "are you logged in?"
New code passes basic testing with libhal.py and the PKCS #11 unit
tests, but there are still unexplored corner cases to be checked.
Private token objects remain simple. Code which does not need PKCS
HAL_KEY_FLAG_TOKEN and avoid HAL_KEY_FLAG_PUBLIC.
|