######################################################################## # # PKCS #11 attribute definitions. # # The architecture of PKCS #11 is heavily based on an n-level-deep # object inheritance hierarcy. Concrete object types inherit # attribute definitions, default values, usage constraints etc from # abstract types. Fine if one happens to be writing in a language # that supports this, but C doesn't, and C++ is an abomination. # # So we handle all this inheritance-related fun here, by specifying # object types and attributes in a (relatively) readable way and using # a Python script to translate from this into "descriptors" (read-only # C tables) we can use to automate some of the most tedious attribute # checking in the C code. # # A secondary goal is to provide enough of a machine-readable # description of the PKCS #11 object hierarchy that we can use it to # drive automated test scripts, but that's not implemented yet. # # The base language here is YAML, with a somewhat ad-hoc data layout # on top of it. The exact semantics are a bit of a moving target, but # the overall layout is: # # - The top-level data object is a YAML sequence (indicated in YAML by # the leading "- " marker, converts to Python list). # # - Each entry in the sequence describes one object, represented as a # YAML mapping (converts to Python dict). Each object description # has at least one required field ("name"), several optional fields, # and one or more attribute descriptions. # # - An attribute description is a YAML mapping (Python dict) # containing one or more fields describing the attribute. # # So the overall structure is a sequence of maps of maps. # # Attribute definitions within the hierarchy are combined, so that, # eg, the "rsa_public_key" type inherits the CKA_CLASS definition from # the the root object type, the CKA_KEY_TYPE definition from the "key" # type, a value of CKO_PUBLIC_KEY for the CKA_CLASS from the # "public_key" type, and provides its own value of CKK_RSA for the # CKA_KEY_TYPE. # # No doubt the error checking in the Python script could become much # more rigorous than it is now. # ######################################################################## # # Currently-defined object fields: # # - "name": String, required. Name of this object class. For # concrete object types, this controls the name of the corresponding # C descriptor. # # - "concrete": Boolean, optional, default false. If true, this # object type should generate a C descriptor. # # - "superclass": String, optional but present for all but one type. # Contains name of parent type. # # New object fields may be defined at a later date as needed. # # Any entry in an object mapping whose key starts with "CKA_" is # assumed to be an attribute description. # # Keys in an object mapping which do not start with CKA_ and are not # known object fields should result in an error during parsing. # ######################################################################## # # Currently-defined attribute fields: # # - "type": a PKCS #11 type name (CK_*) or one of a few other types # described in the PKCS #11 specification: "rfc2279string", # "biginteger", or "bytearray". # # - "default": data-value (see below) to be used as default if neither # the application template nor the PKCS #11 software itself # supplies an explicit value. As a special case, the null string # ("") means that the default value of the attribute is empty (this # is allowed for a few rfc2279string attributes such as CKA_LABEL). # # - "value": data-value (see below) for this field. If the # application specifies a value for this attribute, it must match; # otherwise, behaves like default. The special handling of the null # string ("") used with default does not apply here. # # - "footnotes": Sequence (Python list) of integers in the range 1-12. # If present, this indicates that the attribute's definition in the # PKCS #11 specification has been tagged with the listed footnote # numbers from the "common footnotes" in "Table 15" of the # specification. These footnotes specify various constraints on the # attributes behavior, and the Python script translates them into # flags with more meaningful names, but since the specification # itself is written in terms of these silly footnote numbers, using # the footnote numbers in the YAML makes it easier to check the # attribute descriptions in the YAML against the specification. # # - "unimplemented": boolean, default false. If true, the attribute # is known to be in the specification but is not (yet?) supported by # the Python script and the C code. This flag is set on a small # number of relatively obscure attributes whose internal structure # makes them tedious to represent in the attribute database; this is # a placeholder for attributes which should be implemented # eventually but which were not deemed to be on the critical path. # # As with object mappings, attribute mappings with unrecognized keys # should result in an error during parsing. # # "data-value" fields ("default" and "value") in an attribute can take # one of several forms: # # - A string value naming a PKCS #11 constant (eg, CK_TRUE); # # - A sequence of eight bit unsigned numeric values (ie, bytes) # specifying a literal value; or # # - An integer (Python long) specifying a numeric value for a # biginteger field, to be converted into a literal value using the # smallest possible number of bytes. # ######################################################################## # # Author: Rob Austein # Copyright (c) 2015, SUNET # # Redistribution and use in source and binary forms, with or # without modification, are permitted provided that the following # conditions are met: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # ######################################################################## ### # Root of the object tree ### - name: object CKA_CLASS: footnotes: [1] type: CK_OBJECT_CLASS ### # Storage objects ### - name: storage superclass: object CKA_TOKEN: type: CK_BBOOL default: CK_FALSE CKA_PRIVATE: type: CK_BBOOL default: CK_TRUE CKA_MODIFIABLE: type: CK_BBOOL default: CK_TRUE CKA_LABEL: type: rfc2279string default: "" ### # Data objects ### - name: data superclass: storage CKA_CLASS: value: CKO_DATA CKA_APPLICATION: type: rfc2279string default: "" CKA_OBJECT_ID: type: bytearray default: "" CKA_VALUE: type: bytearray default: "" ### # Certificate objects ### - name: certificate superclass: storage CKA_CLASS: value: CKO_CERTIFICATE CKA_CERTIFICATE_TYPE: footnotes: [1] type: CK_CERTIFICATE_TYPE CKA_TRUSTED: footnotes: [10] type: CK_BBOOL default: CK_FALSE CKA_CERTIFICATE_CATEGORY: type: CK_ULONG default: 0 CKA_CHECK_VALUE: type: bytearray CKA_START_DATE: type: CK_DATE default: "" CKA_END_DATE: type: CK_DATE default: "" ### # X.509 public key certificate objects ### # NB: For some reason, numeric footnotes in the table describing X.509 # certificate attributes are NOT the common attribute footnotes # from Table 15. Be careful! - name: x509_public_key_certificate superclass: certificate CKA_SUBJECT: type: bytearray CKA_ID: type: bytearray default: "" CKA_ISSUER: type: bytearray default: "" CKA_SERIAL_NUMBER: type: bytearray default: "" CKA_VALUE: type: bytearray CKA_URL: type: rfc2279string default: "" CKA_HASH_OF_SUBJECT_PUBLIC_KEY: type: bytearray default: "" CKA_HASH_OF_ISSUER_PUBLIC_KEY: type: bytearray default: "" CKA_JAVA_MIDP_SECURITY_DOMAIN: type: CK_ULONG default: 0 ### # Key objects ### - name: key superclass: storage CKA_KEY_TYPE: footnotes: [1, 5] type: CK_KEY_TYPE CKA_ID: footnotes: [8] type: bytearray default: "" CKA_START_DATE: footnotes: [8] type: CK_DATE default: "" CKA_END_DATE: footnotes: [8] type: CK_DATE default: "" CKA_DERIVE: footnotes: [8] type: CK_BBOOL default: CK_FALSE CKA_LOCAL: footnotes: [2, 4, 6] type: CK_BBOOL default: CK_FALSE CKA_KEY_GEN_MECHANISM: footnotes: [2, 4, 6] type: CK_MECHANISM_TYPE default: CK_UNAVAILABLE_INFORMATION CKA_ALLOWED_MECHANISMS: unimplemented: true ### # Public key objects ### - name: public_key superclass: key CKA_CLASS: value: CKO_PUBLIC_KEY CKA_SUBJECT: footnotes: [8] type: bytearray default: "" CKA_ENCRYPT: footnotes: [8, 9] type: CK_BBOOL default: CK_FALSE CKA_VERIFY: footnotes: [8, 9] type: CK_BBOOL default: CK_FALSE CKA_VERIFY_RECOVER: footnotes: [8, 9] type: CK_BBOOL default: CK_FALSE CKA_WRAP: footnotes: [8, 9] type: CK_BBOOL default: CK_FALSE CKA_TRUSTED: footnotes: [10] type: CK_BBOOL default: CK_FALSE CKA_WRAP_TEMPLATE: unimplemented: true ### # Private key objects ### - name: private_key superclass: key CKA_CLASS: value: CKO_PRIVATE_KEY CKA_SUBJECT: footnotes: [8] type: bytearray default: "" CKA_SENSITIVE: footnotes: [8, 9, 11] type: CK_BBOOL default: CK_TRUE CKA_DECRYPT: footnotes: [8, 9] type: CK_BBOOL default: CK_FALSE CKA_SIGN: footnotes: [8, 9] type: CK_BBOOL default: CK_FALSE CKA_SIGN_RECOVER: footnotes: [8, 9] type: CK_BBOOL default: CK_FALSE CKA_UNWRAP: footnotes: [8, 9] type: CK_BBOOL default: CK_FALSE CKA_EXTRACTABLE: footnotes: [8, 9, 12] type: CK_BBOOL default: CK_FALSE CKA_ALWAYS_SENSITIVE: footnotes: [2, 4, 6] type: CK_BBOOL CKA_NEVER_EXTRACTABLE: footnotes: [2, 4, 6] type: CK_BBOOL CKA_WRAP_WITH_TRUSTED: footnotes: [11] type: CK_BBOOL default: CK_FALSE CKA_UNWRAP_TEMPLATE: unimplemented: true ### # Secret key objects ### - name: secret_key superclass: key CKA_CLASS: value: CKO_SECRET_KEY CKA_SENSITIVE: footnotes: [8, 11] type: CK_BBOOL default: CK_FALSE CKA_ENCRYPT: footnotes: [8, 9] type: CK_BBOOL CKA_DECRYPT: footnotes: [8, 9] type: CK_BBOOL CKA_SIGN: footnotes: [8, 9] type: CK_BBOOL CKA_VERIFY: footnotes: [8, 9] type: CK_BBOOL CKA_WRAP: footnotes: [8, 9] type: CK_BBOOL CKA_UNWRAP: footnotes: [8, 9] type: CK_BBOOL CKA_EXTRACTABLE: footnotes: [8, 9, 12] type: CK_BBOOL CKA_ALWAYS_SENSITIVE: footnotes: [2, 4, 6] type: CK_BBOOL CKA_NEVER_EXTRACTABLE: footnotes: [2, 4, 6] type: CK_BBOOL CKA_CHECK_VALUE: type: bytearray CKA_WRAP_WITH_TRUSTED: footnotes: [11] type: CK_BBOOL default: CK_FALSE CKA_TRUSTED: footnotes: [10] type: CK_BBOOL default: CK_FALSE CKA_WRAP_TEMPLATE: unimplemented: true CKA_UNWRAP_TEMPLATE: unimplemented: true ### # Domain parameter objects ### - name: domain_parameters superclass: storage CKA_CLASS: value: CKO_DOMAIN_PARAMETERS CKA_KEY_TYPE: footnotes: [1] type: CK_KEY_TYPE CKA_LOCAL: footnotes: [2, 4] type: CK_BBOOL ### # Mechanism objects ### - name: mechanism superclass: object CKA_CLASS: value: CKO_MECHANISM_INFO CKA_MECHANISM_TYPE: type: CK_MECHANISM_TYPE ### # RSA public key objects ### - name: rsa_public_key superclass: public_key concrete: true CKA_KEY_TYPE: value: CKK_RSA CKA_MODULUS: footnotes: [1, 4] type: biginteger CKA_MODULUS_BITS: footnotes: [2, 3] type: CK_ULONG CKA_PUBLIC_EXPONENT: footnotes: [1] type: biginteger value: 0x10001 # We only allow F4 as public exponent ### # RSA private key objects ### - name: rsa_private_key superclass: private_key concrete: true CKA_KEY_TYPE: value: CKK_RSA CKA_MODULUS: footnotes: [1, 4, 6] type: biginteger CKA_PUBLIC_EXPONENT: footnotes: [4, 6] type: biginteger value: 0x10001 # We only allow F4 as public exponent CKA_PRIVATE_EXPONENT: footnotes: [1, 4, 6, 7] type: biginteger CKA_PRIME_1: footnotes: [4, 6, 7] type: biginteger CKA_PRIME_2: footnotes: [4, 6, 7] type: biginteger CKA_EXPONENT_1: footnotes: [4, 6, 7] type: biginteger CKA_EXPONENT_2: footnotes: [4, 6, 7] type: biginteger CKA_COEFFICIENT: footnotes: [4, 6, 7] type: biginteger ### # Eliptic curve public key objects ### - name: ec_public_key superclass: public_key concrete: true CKA_KEY_TYPE: value: CKK_EC CKA_EC_PARAMS: footnotes: [1, 3] type: bytearray CKA_EC_POINT: footnotes: [1, 4] type: bytearray ### # Elliptic curve private key objects ### - name: ec_private_key superclass: private_key concrete: true CKA_KEY_TYPE: value: CKK_EC CKA_EC_PARAMS: footnotes: [1, 4, 6] type: bytearray CKA_VALUE: footnotes: [1, 4, 6, 7] type: biginteger t-tests.py?h=python3&id=3d3f71cae431ec4e0c5df627c525bacc475e47d7'>3d3f71c
223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727
729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833
930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964
1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367
1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634
1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708
1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836