From 598e75956634f33ede687da796d5b6c583048a5e Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sat, 14 May 2016 02:59:32 -0400 Subject: Add mixed-mode key support, for PKCS #11 "session" (ie, not "token") keys. --- hal_internal.h | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) (limited to 'hal_internal.h') diff --git a/hal_internal.h b/hal_internal.h index 8c0b0bc..c460ed8 100644 --- a/hal_internal.h +++ b/hal_internal.h @@ -39,6 +39,12 @@ #include "hal.h" #include "verilog_constants.h" +/* + * Everything in this file is part of the internal API, that is, + * subject to change without notice. Nothing outside of libhal itself + * should be looking at this file. + */ + /* * Longest hash block and digest we support at the moment. */ @@ -46,12 +52,6 @@ #define HAL_MAX_HASH_BLOCK_LENGTH SHA512_BLOCK_LEN #define HAL_MAX_HASH_DIGEST_LENGTH SHA512_DIGEST_LEN -/* - * Everything in this file is part of the internal API, that is, - * subject to change without notice. Nothing outside of libhal itself - * should be looking at this file. - */ - /* * Dispatch structures for RPC implementation. * 
@@ -81,6 +81,17 @@ * taking a hash context instead of a literal hash value, in which * case we have to extract the hash value from the context and * supply it to the pkey RPC client code as a literal value. + * + * ...Except that for PKCS #11 we also have to handle the case of + * "session keys", ie, keys which are not stored on the HSM. + * Apparently people really do use these, mostly for public keys, in + * order to conserve expensive memory on the HSM. So this is another + * feature of mixed mode: keys with HAL_KEY_FLAG_PROXIMATE set live on + * the host, not in the HSM, and the mixed-mode pkey handlers deal + * with the routing. In the other two modes we ignore the flag and + * send everything where we were going to send it anyway. Restricting + * the fancy key handling to mixed mode lets us drop this complexity + * out entirely for applications which have no use for it. */ typedef struct { @@ -145,7 +156,8 @@ typedef struct { const hal_session_handle_t session, hal_pkey_handle_t *pkey, const hal_key_type_t type, - const uint8_t * const name, const size_t name_len); + const uint8_t * const name, const size_t name_len, + const hal_key_flags_t flags); hal_error_t (*generate_rsa)(const hal_client_handle_t client, const hal_session_handle_t session, @@ -191,7 +203,8 @@ typedef struct { hal_error_t (*list)(hal_pkey_info_t *result, unsigned *result_len, - const unsigned result_max); + const unsigned result_max, + hal_key_flags_t flags); } hal_rpc_pkey_dispatch_t; 
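Review bot: The new comment block in the `@@ -81,6 +81,17 @@` hunk says keys with HAL_KEY_FLAG_PROXIMATE "live on the host, not in the HSM", but it does not say what that means for private key material. The text says such keys are "mostly" public keys, and whether a private key can carry the flag is not visible in this header. If it can, that key and every operation on it sit outside the HSM's protection boundary, which readers of this file should be told. I would add a sentence such as `* Note that a proximate private key gets none of the HSM's key protection; callers needing that must not set the flag.`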
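Review bot: The `flags` parameter added in the `@@ -145,7 +156,8 @@` hunk is silently ignored outside mixed mode, according to the comment added earlier in this commit ("In the other two modes we ignore the flag"), so the caller gets no signal about where the key actually ended up. A PKCS #11 caller that asked for a session key could therefore have it stored as a token key, or the reverse, without knowing. That contract should be documented at this member, for example `/* flags: HAL_KEY_FLAG_PROXIMATE is honoured only by the mixed-mode dispatch; local and remote ignore it */`. Alternatively, the non-mixed implementations could reject flag bits they do not support. The member's name and the start of its declaration lie outside the hunk.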
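Review bot: In the `@@ -191,7 +203,8 @@` hunk the new `list` parameter is declared `hal_key_flags_t flags`, while the neighbouring `result_max` and the `flags` parameter added to the loader in this same commit are both `const`. For consistency this should read `const hal_key_flags_t flags);`. The declaration also does not say what the argument does in `list`. Presumably it selects between host-side and HSM-side keys, and a one-line comment stating that would save the reader a trip to the implementation.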
@@ -200,6 +213,12 @@ extern const hal_rpc_misc_dispatch_t hal_rpc_local_misc_dispatch, hal_rpc_remote extern const hal_rpc_hash_dispatch_t hal_rpc_local_hash_dispatch, hal_rpc_remote_hash_dispatch, *hal_rpc_hash_dispatch; extern const hal_rpc_pkey_dispatch_t hal_rpc_local_pkey_dispatch, hal_rpc_remote_pkey_dispatch, hal_rpc_mixed_pkey_dispatch, *hal_rpc_pkey_dispatch; +/* + * See code in rpc_pkey.c for how this flag fits into the pkey handle. + */ + +#define HAL_PKEY_HANDLE_PROXIMATE_FLAG (1 << 31) + /* * Keystore API. * -- cgit v1.2.3
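Review bot: `(1 << 31)` shifts a signed `int` into its sign bit, which is undefined behaviour in C when `int` is 32 bits wide. Define it with an unsigned constant instead: `#define HAL_PKEY_HANDLE_PROXIMATE_FLAG (1U << 31)`, or `((uint32_t)1 << 31)` if the handle value is a `uint32_t`. The handle layout lives in rpc_pkey.c and is not visible here, so it is worth stating in this header that bit 31 of a pkey handle is reserved for routing. It is also worth confirming that handles issued on the HSM side can never have that bit set, since a collision would presumably send an HSM key's operations to the host-side implementation.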