|
Packit |
8681c6 |
/*
|
|
Packit |
8681c6 |
* COPYRIGHT (c) International Business Machines Corp. 2016-2017
|
|
Packit |
8681c6 |
*
|
|
Packit |
8681c6 |
* This program is provided under the terms of the Common Public License,
|
|
Packit |
8681c6 |
* version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
|
Packit |
8681c6 |
* software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
|
Packit |
8681c6 |
* found in the file LICENSE file or at
|
|
Packit |
8681c6 |
* https://opensource.org/licenses/cpl1.0.php
|
|
Packit |
8681c6 |
*/
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
typedef CK_RV (*m_GenerateRandom_t) (CK_BYTE_PTR rnd, CK_ULONG len,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_SeedRandom_t) (CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_Digest_t) (const unsigned char *state, size_t slen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR data, CK_ULONG len,
|
|
Packit |
8681c6 |
CK_BYTE_PTR digest, CK_ULONG_PTR dglen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_DigestInit_t) (unsigned char *state, size_t * len,
|
|
Packit |
8681c6 |
const CK_MECHANISM_PTR pmech,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_DigestUpdate_t) (unsigned char *state, size_t slen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR data, CK_ULONG dlen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_DigestKey_t) (unsigned char *state, size_t slen,
|
|
Packit |
8681c6 |
const unsigned char *key, size_t klen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_DigestFinal_t) (const unsigned char *state,
|
|
Packit |
8681c6 |
size_t slen, CK_BYTE_PTR digest,
|
|
Packit |
8681c6 |
CK_ULONG_PTR dlen, target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_DigestSingle_t) (CK_MECHANISM_PTR pmech,
|
|
Packit |
8681c6 |
CK_BYTE_PTR data, CK_ULONG len,
|
|
Packit |
8681c6 |
CK_BYTE_PTR digest, CK_ULONG_PTR dlen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_EncryptInit_t) (unsigned char *state, size_t * slen,
|
|
Packit |
8681c6 |
CK_MECHANISM_PTR pmech,
|
|
Packit |
8681c6 |
const unsigned char *key, size_t klen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_DecryptInit_t) (unsigned char *state, size_t * slen,
|
|
Packit |
8681c6 |
CK_MECHANISM_PTR pmech,
|
|
Packit |
8681c6 |
const unsigned char *key, size_t klen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_EncryptUpdate_t) (unsigned char *state, size_t slen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR plain, CK_ULONG plen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR cipher,
|
|
Packit |
8681c6 |
CK_ULONG_PTR clen, target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_DecryptUpdate_t) (unsigned char *state, size_t slen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR cipher, CK_ULONG clen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR plain, CK_ULONG_PTR plen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_Encrypt_t) (const unsigned char *state, size_t slen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR plain, CK_ULONG plen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR cipher, CK_ULONG_PTR clen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_Decrypt_t) (const unsigned char *state, size_t slen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR cipher, CK_ULONG clen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR plain, CK_ULONG_PTR plen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_EncryptFinal_t) (const unsigned char *state,
|
|
Packit |
8681c6 |
size_t slen, CK_BYTE_PTR output,
|
|
Packit |
8681c6 |
CK_ULONG_PTR len, target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_DecryptFinal_t) (const unsigned char *state,
|
|
Packit |
8681c6 |
size_t slen, CK_BYTE_PTR output,
|
|
Packit |
8681c6 |
CK_ULONG_PTR len, target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_EncryptSingle_t) (const unsigned char *key,
|
|
Packit |
8681c6 |
size_t klen, CK_MECHANISM_PTR mech,
|
|
Packit |
8681c6 |
CK_BYTE_PTR plain, CK_ULONG plen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR cipher,
|
|
Packit |
8681c6 |
CK_ULONG_PTR clen, target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_DecryptSingle_t) (const unsigned char *key,
|
|
Packit |
8681c6 |
size_t klen, CK_MECHANISM_PTR mech,
|
|
Packit |
8681c6 |
CK_BYTE_PTR cipher, CK_ULONG clen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR plain, CK_ULONG_PTR plen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_ReencryptSingle_t) (const unsigned char *dkey,
|
|
Packit |
8681c6 |
size_t dklen,
|
|
Packit |
8681c6 |
const unsigned char *ekey,
|
|
Packit |
8681c6 |
size_t eklen,
|
|
Packit |
8681c6 |
CK_MECHANISM_PTR pdecrmech,
|
|
Packit |
8681c6 |
CK_MECHANISM_PTR pencrmech,
|
|
Packit |
8681c6 |
CK_BYTE_PTR in, CK_ULONG ilen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR out, CK_ULONG_PTR olen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_GenerateKey_t) (CK_MECHANISM_PTR pmech,
|
|
Packit |
8681c6 |
CK_ATTRIBUTE_PTR ptempl,
|
|
Packit |
8681c6 |
CK_ULONG templcount,
|
|
Packit |
8681c6 |
const unsigned char *pin,
|
|
Packit |
8681c6 |
size_t pinlen, unsigned char *key,
|
|
Packit |
8681c6 |
size_t * klen, unsigned char *csum,
|
|
Packit |
8681c6 |
size_t * clen, target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_GenerateKeyPair_t) (CK_MECHANISM_PTR pmech,
|
|
Packit |
8681c6 |
CK_ATTRIBUTE_PTR ppublic,
|
|
Packit |
8681c6 |
CK_ULONG pubattrs,
|
|
Packit |
8681c6 |
CK_ATTRIBUTE_PTR pprivate,
|
|
Packit |
8681c6 |
CK_ULONG prvattrs,
|
|
Packit |
8681c6 |
const unsigned char *pin,
|
|
Packit |
8681c6 |
size_t pinlen, unsigned char *key,
|
|
Packit |
8681c6 |
size_t * klen,
|
|
Packit |
8681c6 |
unsigned char *pubkey,
|
|
Packit |
8681c6 |
size_t * pklen, target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_SignInit_t) (unsigned char *state, size_t * slen,
|
|
Packit |
8681c6 |
CK_MECHANISM_PTR alg,
|
|
Packit |
8681c6 |
const unsigned char *key, size_t klen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_VerifyInit_t) (unsigned char *state, size_t * slen,
|
|
Packit |
8681c6 |
CK_MECHANISM_PTR alg,
|
|
Packit |
8681c6 |
const unsigned char *key, size_t klen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_SignUpdate_t) (unsigned char *state, size_t slen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR data, CK_ULONG dlen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_VerifyUpdate_t) (unsigned char *state, size_t slen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR data, CK_ULONG dlen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_SignFinal_t) (const unsigned char *state, size_t stlen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR sig, CK_ULONG_PTR siglen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_VerifyFinal_t) (const unsigned char *state,
|
|
Packit |
8681c6 |
size_t stlen, CK_BYTE_PTR sig,
|
|
Packit |
8681c6 |
CK_ULONG siglen, target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_Sign_t) (const unsigned char *state, size_t stlen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR data, CK_ULONG dlen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR sig, CK_ULONG_PTR siglen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_Verify_t) (const unsigned char *state, size_t stlen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR data, CK_ULONG dlen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR sig, CK_ULONG siglen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_SignSingle_t) (const unsigned char *key, size_t klen,
|
|
Packit |
8681c6 |
CK_MECHANISM_PTR pmech,
|
|
Packit |
8681c6 |
CK_BYTE_PTR data, CK_ULONG dlen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR sig, CK_ULONG_PTR slen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_VerifySingle_t) (const unsigned char *key, size_t klen,
|
|
Packit |
8681c6 |
CK_MECHANISM_PTR pmech,
|
|
Packit |
8681c6 |
CK_BYTE_PTR data, CK_ULONG dlen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR sig, CK_ULONG slen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
/* mackey is NULL for PKCS#11 formats, not for authenticated ones */
|
|
Packit |
8681c6 |
typedef CK_RV (*m_WrapKey_t) (const unsigned char *key, size_t keylen,
|
|
Packit |
8681c6 |
const unsigned char *kek, size_t keklen,
|
|
Packit |
8681c6 |
const unsigned char *mackey, size_t mklen,
|
|
Packit |
8681c6 |
const CK_MECHANISM_PTR pmech,
|
|
Packit |
8681c6 |
CK_BYTE_PTR wrapped, CK_ULONG_PTR wlen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
/**/
|
|
Packit |
8681c6 |
/* mackey is NULL for PKCS#11 formats, not for authenticated ones */
|
|
Packit |
8681c6 |
typedef CK_RV (*m_UnwrapKey_t) (const CK_BYTE_PTR wrapped, CK_ULONG wlen,
|
|
Packit |
8681c6 |
const unsigned char *kek, size_t keklen,
|
|
Packit |
8681c6 |
const unsigned char *mackey,
|
|
Packit |
8681c6 |
size_t mklen, const unsigned char *pin,
|
|
Packit |
8681c6 |
size_t pinlen,
|
|
Packit |
8681c6 |
const CK_MECHANISM_PTR uwmech,
|
|
Packit |
8681c6 |
const CK_ATTRIBUTE_PTR ptempl,
|
|
Packit |
8681c6 |
CK_ULONG pcount,
|
|
Packit |
8681c6 |
unsigned char *unwrapped, size_t * uwlen,
|
|
Packit |
8681c6 |
CK_BYTE_PTR csum, CK_ULONG * cslen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
typedef CK_RV (*m_DeriveKey_t) (CK_MECHANISM_PTR pderivemech,
|
|
Packit |
8681c6 |
CK_ATTRIBUTE_PTR ptempl,
|
|
Packit |
8681c6 |
CK_ULONG templcount,
|
|
Packit |
8681c6 |
const unsigned char *basekey,
|
|
Packit |
8681c6 |
size_t bklen,
|
|
Packit |
8681c6 |
const unsigned char *data, size_t dlen,
|
|
Packit |
8681c6 |
const unsigned char *pin, size_t pinlen,
|
|
Packit |
8681c6 |
unsigned char *newkey, size_t * nklen,
|
|
Packit |
8681c6 |
unsigned char *csum, size_t * cslen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
typedef CK_RV (*m_GetMechanismList_t) (CK_SLOT_ID slot,
|
|
Packit |
8681c6 |
CK_MECHANISM_TYPE_PTR mechs,
|
|
Packit |
8681c6 |
CK_ULONG_PTR count,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_GetMechanismInfo_t) (CK_SLOT_ID slot,
|
|
Packit |
8681c6 |
CK_MECHANISM_TYPE mech,
|
|
Packit |
8681c6 |
CK_MECHANISM_INFO_PTR pmechinfo,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_GetAttributeValue_t) (const unsigned char *obj,
|
|
Packit |
8681c6 |
size_t olen,
|
|
Packit |
8681c6 |
CK_ATTRIBUTE_PTR pTemplate,
|
|
Packit |
8681c6 |
CK_ULONG ulCount,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_SetAttributeValue_t) (unsigned char *obj, size_t olen,
|
|
Packit |
8681c6 |
CK_ATTRIBUTE_PTR pTemplate,
|
|
Packit |
8681c6 |
CK_ULONG ulCount,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_Login_t) (CK_UTF8CHAR_PTR pin, CK_ULONG pinlen,
|
|
Packit |
8681c6 |
const unsigned char *nonce, size_t nlen,
|
|
Packit |
8681c6 |
unsigned char *pinblob, size_t * pinbloblen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_Logout_t) (const unsigned char *pin, size_t len,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef CK_RV (*m_admin_t) (unsigned char *response1, size_t * r1len,
|
|
Packit |
8681c6 |
unsigned char *response2, size_t * r2len,
|
|
Packit |
8681c6 |
const unsigned char *cmd, size_t clen,
|
|
Packit |
8681c6 |
const unsigned char *sigs, size_t slen,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
typedef int (*m_add_backend_t) (const char *name, unsigned int port);
|
|
Packit |
8681c6 |
typedef int (*m_init_t) (void);
|
|
Packit |
8681c6 |
typedef int (*m_shutdown_t) (void);
|
|
Packit |
8681c6 |
typedef int (*m_add_module_t) (XCP_Module_t module, target_t *target);
|
|
Packit |
8681c6 |
typedef int (*m_rm_module_t) (XCP_Module_t module, target_t target);
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#ifndef XCP_SERIALNR_CHARS
|
|
Packit |
8681c6 |
#define XCP_SERIALNR_CHARS 8
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
#ifndef XCP_ADMCTR_BYTES
|
|
Packit |
8681c6 |
#define XCP_ADMCTR_BYTES ((size_t) (128/8))
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
#ifndef XCP_ADM_QUERY
|
|
Packit |
8681c6 |
#define XCP_ADM_QUERY 0x10000
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
#ifndef XCP_ADMQ_DOM_CTRLPOINTS
|
|
Packit |
8681c6 |
#define XCP_ADMQ_DOM_CTRLPOINTS 6 | XCP_ADM_QUERY // domain CP
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#ifndef __xcpadm_h__
|
|
Packit |
8681c6 |
typedef struct XCPadmresp {
|
|
Packit |
8681c6 |
uint32_t fn;
|
|
Packit |
8681c6 |
uint32_t domain;
|
|
Packit |
8681c6 |
uint32_t domainInst;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
/* module ID || module instance */
|
|
Packit |
8681c6 |
unsigned char module[XCP_SERIALNR_CHARS + XCP_SERIALNR_CHARS];
|
|
Packit |
8681c6 |
unsigned char modNr[XCP_SERIALNR_CHARS];
|
|
Packit |
8681c6 |
unsigned char modInst[XCP_SERIALNR_CHARS];
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
unsigned char tctr[XCP_ADMCTR_BYTES]; /* transaction counter */
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_RV rv;
|
|
Packit |
8681c6 |
uint32_t reason;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
// points to original response; NULL if no payload
|
|
Packit |
8681c6 |
// make sure it's copied if used after releasing response block
|
|
Packit |
8681c6 |
//
|
|
Packit |
8681c6 |
const unsigned char *payload;
|
|
Packit |
8681c6 |
size_t pllen;
|
|
Packit |
8681c6 |
} *XCPadmresp_t;
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#ifndef XCP_CPB_ADD_CPBS
|
|
Packit |
8681c6 |
#define XCP_CPB_ADD_CPBS 0 // allow addition (activation) of CP bits
|
|
Packit |
8681c6 |
#define XCP_CPB_DELETE_CPBS 1 // allow removal (deactivation) of CP bits
|
|
Packit |
8681c6 |
// remove both ADD_CPBs and DELETE_CPBs
|
|
Packit |
8681c6 |
// to make unit read-only
|
|
Packit |
8681c6 |
#define XCP_CPB_SIGN_ASYMM 2 // sign with private keys
|
|
Packit |
8681c6 |
#define XCP_CPB_SIGN_SYMM 3 // sign with HMAC or CMAC
|
|
Packit |
8681c6 |
#define XCP_CPB_SIGVERIFY_SYMM 4 // verify with HMAC or CMAC
|
|
Packit |
8681c6 |
#define XCP_CPB_ENCRYPT_SYMM 5 // encrypt with symmetric keys
|
|
Packit |
8681c6 |
// No asymmetric counterpart: one
|
|
Packit |
8681c6 |
// may not restrict use of public keys
|
|
Packit |
8681c6 |
#define XCP_CPB_DECRYPT_ASYMM 6 // decrypt with private keys
|
|
Packit |
8681c6 |
#define XCP_CPB_DECRYPT_SYMM 7 // decrypt with symmetric keys
|
|
Packit |
8681c6 |
#define XCP_CPB_WRAP_ASYMM 8 // key export with public keys
|
|
Packit |
8681c6 |
#define XCP_CPB_WRAP_SYMM 9 // key export with symmetric keys
|
|
Packit |
8681c6 |
#define XCP_CPB_UNWRAP_ASYMM 10 // key import with private keys
|
|
Packit |
8681c6 |
#define XCP_CPB_UNWRAP_SYMM 11 // key import with symmetric keys
|
|
Packit |
8681c6 |
#define XCP_CPB_KEYGEN_ASYMM 12 // generate asymmetric keypairs
|
|
Packit |
8681c6 |
#define XCP_CPB_KEYGEN_SYMM 13 // generate or derive symmetric keys
|
|
Packit |
8681c6 |
// including DSA parameters
|
|
Packit |
8681c6 |
#define XCP_CPB_RETAINKEYS 14 // allow backend to save semi/retained
|
|
Packit |
8681c6 |
// keys
|
|
Packit |
8681c6 |
#define XCP_CPB_SKIP_KEYTESTS 15 // disable selftests on new asymmetric
|
|
Packit |
8681c6 |
// keys
|
|
Packit |
8681c6 |
#define XCP_CPB_NON_ATTRBOUND 16 // allow keywrap without attribute-binding
|
|
Packit |
8681c6 |
#define XCP_CPB_MODIFY_OBJECTS 17 // allow changes to objects
|
|
Packit |
8681c6 |
// (Booleans only)
|
|
Packit |
8681c6 |
#define XCP_CPB_RNG_SEED 18 // allow mixing external seed to RNG
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_RAW_RSA 19 // allow RSA private-key use without
|
|
Packit |
8681c6 |
// padding (highly discouraged)
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_NFIPS2009 20 // allow non-FIPS-approved algs
|
|
Packit |
8681c6 |
// (as of 2009)
|
|
Packit |
8681c6 |
// including non-FIPS keysizes
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_NBSI2009 21 // allow non-BSI algorithms (as of 2009)
|
|
Packit |
8681c6 |
// including non-FIPS keysizes
|
|
Packit |
8681c6 |
#define XCP_CPB_KEYSZ_HMAC_ANY 22 // don't enforce minimum keysize on HMAC
|
|
Packit |
8681c6 |
#define XCP_CPB_KEYSZ_BELOW80BIT 23 // allow algorithms below 80-bit strength
|
|
Packit |
8681c6 |
// public-key operations are still allowed
|
|
Packit |
8681c6 |
#define XCP_CPB_KEYSZ_80BIT 24 // allow 80 to 111-bit algorithms
|
|
Packit |
8681c6 |
#define XCP_CPB_KEYSZ_112BIT 25 // allow 112 to 127-bit algorithms
|
|
Packit |
8681c6 |
#define XCP_CPB_KEYSZ_128BIT 26 // allow 128 to 191-bit algorithms
|
|
Packit |
8681c6 |
#define XCP_CPB_KEYSZ_192BIT 27 // allow 192 to 255-bit algorithms
|
|
Packit |
8681c6 |
#define XCP_CPB_KEYSZ_256BIT 28 // allow 256-bit algorithms
|
|
Packit |
8681c6 |
#define XCP_CPB_KEYSZ_RSA65536 29 // allow RSA public exponents below
|
|
Packit |
8681c6 |
// 0x10001
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_RSA 30 // RSA private-key or key-encrypt use
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_DSA 31 // DSA private-key use
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_EC 32 // EC private-key use, see also
|
|
Packit |
8681c6 |
// curve restrictions
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_EC_BPOOLCRV 33 // Brainpool (E.U.) EC curves
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_EC_NISTCRV 34 // NIST/SECG EC curves
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_NFIPS2011 35 // allow non-FIPS-approved algs
|
|
Packit |
8681c6 |
// (as of 2011)
|
|
Packit |
8681c6 |
// including non-FIPS keysizes
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_NBSI2011 36 // allow non-BSI algorithms (as of 2011)
|
|
Packit |
8681c6 |
// including non-BSI keysizes
|
|
Packit |
8681c6 |
#define XCP_CPB_USER_SET_TRUSTED 37 // allow non-admins to set TRUSTED on a
|
|
Packit |
8681c6 |
// blob/SPKI
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_SKIP_CROSSCHK 38 // do not double-check sign/decrypt ops
|
|
Packit |
8681c6 |
#define XCP_CPB_WRAP_CRYPT_KEYS 39 // allow keys which can en/decrypt data
|
|
Packit |
8681c6 |
// and also un/wrap other keys
|
|
Packit |
8681c6 |
#define XCP_CPB_SIGN_CRYPT_KEYS 40 // allow keys which can en/decrypt data
|
|
Packit |
8681c6 |
// and also sign/verify
|
|
Packit |
8681c6 |
#define XCP_CPB_WRAP_SIGN_KEYS 41 // allow keys which can un/wrap data
|
|
Packit |
8681c6 |
// and also sign/verify
|
|
Packit |
8681c6 |
#define XCP_CPB_USER_SET_ATTRBOUND 42 // allow non-administrators to
|
|
Packit |
8681c6 |
// Wire format 69/82
|
|
Packit |
8681c6 |
// mark public key objects ATTRBOUND
|
|
Packit |
8681c6 |
#define XCP_CPB_ALLOW_PASSPHRASE 43 // allow host to pass passprases, such as
|
|
Packit |
8681c6 |
// PKCS12 data, in the clear
|
|
Packit |
8681c6 |
#define XCP_CPB_WRAP_STRONGER_KEY 44 // allow wrapping of stronger keys
|
|
Packit |
8681c6 |
// by weaker keys
|
|
Packit |
8681c6 |
#define XCP_CPB_WRAP_WITH_RAW_SPKI 45 // allow wrapping with SPKIs without
|
|
Packit |
8681c6 |
// MAC and attributes
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_DH 46 // Diffie-Hellman use (private keys)
|
|
Packit |
8681c6 |
#define XCP_CPB_DERIVE 47 // allow key derivation (symmetric+EC/DH)
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_EC_25519 55 // enable support of curve25519, c41417,
|
|
Packit |
8681c6 |
// c448 and related algorithms incl. EdDSA
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_NBSI2017 61 // allow non-BSI algorithms (as of 2017)
|
|
Packit |
8681c6 |
// including non-BSI keysizes
|
|
Packit |
8681c6 |
#define XCP_CPB_CPACF_PK 64 // support data key generation and import
|
|
Packit |
8681c6 |
// for protected key
|
|
Packit |
8681c6 |
#define XCP_CPB_ALG_PQC_DILITHIUM 65 // enable support for Dilithium algorithm
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#define XCP_CPBITS_MAX XCP_CPB_ALG_PQC_DILITHIUM // marks last used CPB
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#define XCP_CPBLOCK_BITS 128 // handle CPs in this granularity
|
|
Packit |
8681c6 |
#define XCP_CPCOUNT \
|
|
Packit |
8681c6 |
(((XCP_CPBITS_MAX + XCP_CPBLOCK_BITS-1) / XCP_CPBLOCK_BITS) * \
|
|
Packit |
8681c6 |
XCP_CPBLOCK_BITS)
|
|
Packit |
8681c6 |
#define XCP_CP_BYTES (XCP_CPCOUNT / 8) // full blocks, incl. unused bits
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
typedef long (*xcpa_queryblock_t) (unsigned char *blk, size_t blen,
|
|
Packit |
8681c6 |
unsigned int fn, uint64_t domain,
|
|
Packit |
8681c6 |
const unsigned char *payload, size_t plen);
|
|
Packit |
8681c6 |
typedef long (*xcpa_internal_rv_t) (const unsigned char *rsp, size_t rlen,
|
|
Packit |
8681c6 |
struct XCPadmresp * rspblk, CK_RV * rv);
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
typedef CK_RV (*m_get_xcp_info_t)(CK_VOID_PTR pinfo, CK_ULONG_PTR infbytes,
|
|
Packit |
8681c6 |
unsigned int query, unsigned int subquery,
|
|
Packit |
8681c6 |
target_t target);
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#ifndef CK_IBM_XCP_HOSTQ_IDX
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
typedef enum {
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_API = 0, /* API and build identifier */
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_MODULE = 1, /* module-level information */
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_DOMAINS = 2, /* list active domains & WK IDs */
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_DOMAIN = 3,
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_SELFTEST = 4, /* integrity & algorithm tests */
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_EXT_CAPS = 5, /* extended capabilities, count */
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_EXT_CAPLIST = 6, /* extended capabilities, list */
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_AUDITLOG = 8, /* audit record or records */
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_DESCRTEXT = 9, /* human-readable text/tokens */
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_EC_CURVES = 10, /* supported elliptic curves */
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_COMPAT = 11, /* domains' compatibility modes */
|
|
Packit |
8681c6 |
CK_IBM_XCPQ_MAX = CK_IBM_XCPQ_COMPAT
|
|
Packit |
8681c6 |
} CK_IBM_XCPQUERY_t;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#define CK_IBM_XCP_HOSTQ_IDX 0xff000000 /* host-only queries index, min. */
|
|
Packit |
8681c6 |
typedef enum {
|
|
Packit |
8681c6 |
CK_IBM_XCPHQ_COUNT = (int)0xff000000, /* number of host-query indexes */
|
|
Packit |
8681c6 |
/* including this type itself */
|
|
Packit |
8681c6 |
CK_IBM_XCPHQ_VERSION = (int)0xff000001, /* host-specific package version*/
|
|
Packit |
8681c6 |
/* such as packaging library ID */
|
|
Packit |
8681c6 |
CK_IBM_XCPHQ_VERSION_HASH
|
|
Packit |
8681c6 |
= (int)0xff000002, /* Assumed-unique identifier of */
|
|
Packit |
8681c6 |
/* host code, such as version- */
|
|
Packit |
8681c6 |
/* identifying cryptographic */
|
|
Packit |
8681c6 |
/* hash (library signature */
|
|
Packit |
8681c6 |
/* field...) */
|
|
Packit |
8681c6 |
CK_IBM_XCPHQ_DIAGS = (int)0xff000003, /* Host code diagnostic level. */
|
|
Packit |
8681c6 |
/* 0 if non-diagnostics host */
|
|
Packit |
8681c6 |
/* code. */
|
|
Packit |
8681c6 |
CK_IBM_XCPHQ_HVERSION = (int)0xff000004, /* Human-readable host version */
|
|
Packit |
8681c6 |
/* identification (recommended: */
|
|
Packit |
8681c6 |
/* UTF-8 string) */
|
|
Packit |
8681c6 |
CK_IBM_XCPHQ_TGT_MODE = (int)0xff000005, /* Host targeting modes */
|
|
Packit |
8681c6 |
/* returns supported target */
|
|
Packit |
8681c6 |
/* modes as bitmask. */
|
|
Packit |
8681c6 |
/* If not available only */
|
|
Packit |
8681c6 |
/* compat target mode is in */
|
|
Packit |
8681c6 |
/* use. See */
|
|
Packit |
8681c6 |
/* CK_IBM_XCPHQ_TGT_MODES_t. */
|
|
Packit |
8681c6 |
CK_IBM_XCPHQ_MAX = CK_IBM_XCPHQ_TGT_MODE
|
|
Packit |
8681c6 |
} CK_IBM_XCPHQUERY_t;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
typedef struct CK_IBM_XCPAPI_INFO {
|
|
Packit |
8681c6 |
CK_ULONG firmwareApi;
|
|
Packit |
8681c6 |
CK_ULONG firmwareConfig; /* truncated firmware hash */
|
|
Packit |
8681c6 |
} CK_IBM_XCPAPI_INFO;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
typedef CK_IBM_XCPAPI_INFO CK_PTR CK_IBM_XCPAPI_INFO_PTR;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
typedef struct CK_IBM_XCP_INFO {
|
|
Packit |
8681c6 |
CK_ULONG firmwareApi; /* API ordinal number */
|
|
Packit |
8681c6 |
/* major+minor pairs */
|
|
Packit |
8681c6 |
CK_ULONG firmwareId; /* truncated firmwareConfig */
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_VERSION firmwareVersion; /* xcp only, matches xcpConfig below */
|
|
Packit |
8681c6 |
CK_VERSION cspVersion;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
/* hashes, possibly truncated */
|
|
Packit |
8681c6 |
CK_BYTE firmwareConfig[ 32 ];
|
|
Packit |
8681c6 |
CK_BYTE xcpConfig [ 32 ];
|
|
Packit |
8681c6 |
CK_BYTE cspConfig [ 32 ];
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_CHAR serialNumber[ 16 ]; /* device || instance */
|
|
Packit |
8681c6 |
CK_CHAR utcTime [ 16 ];
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_ULONG opMode2; /* currently, reserved 0 */
|
|
Packit |
8681c6 |
CK_ULONG opMode1; /* operational mode, card-level */
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_FLAGS flags; /* PKCS#11 capabilities */
|
|
Packit |
8681c6 |
CK_FLAGS extflags; /* non-PKCS#11 capabilities */
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_ULONG domains;
|
|
Packit |
8681c6 |
CK_ULONG symmStateBytes;
|
|
Packit |
8681c6 |
CK_ULONG digestStateBytes;
|
|
Packit |
8681c6 |
CK_ULONG pinBlockBytes;
|
|
Packit |
8681c6 |
CK_ULONG symmKeyBytes;
|
|
Packit |
8681c6 |
CK_ULONG spkiBytes;
|
|
Packit |
8681c6 |
CK_ULONG prvkeyBytes;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
CK_ULONG maxPayloadBytes;
|
|
Packit |
8681c6 |
CK_ULONG cpProfileBytes;
|
|
Packit |
8681c6 |
CK_ULONG controlPoints;
|
|
Packit |
8681c6 |
} CK_IBM_XCP_INFO;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
typedef CK_IBM_XCP_INFO CK_PTR CK_IBM_XCP_INFO_PTR;
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#endif
|
|
Packit |
8681c6 |
|
|
Packit |
8681c6 |
#ifndef XCP_PINBLOB_BYTES
|
|
Packit |
8681c6 |
#define XCP_HMAC_BYTES ((size_t) (256 /8)) /* SHA-256 */
|
|
Packit |
8681c6 |
#define XCP_WK_BYTES ((size_t) (256 /8)) /* keypart and session sizes */
|
|
Packit |
8681c6 |
#define MOD_WRAP_BLOCKSIZE ((size_t) (128 /8)) /* blob crypt block bytecount */
|
|
Packit |
8681c6 |
#define XCP_PIN_SALT_BYTES MOD_WRAP_BLOCKSIZE
|
|
Packit |
8681c6 |
#define XCP_PINBLOB_BYTES \
|
|
Packit |
8681c6 |
(XCP_WK_BYTES + XCP_PIN_SALT_BYTES + XCP_HMAC_BYTES)
|
|
Packit |
8681c6 |
#define XCP_MIN_PINBYTES 8
|
|
Packit |
8681c6 |
#define XCP_MAX_PINBYTES 16
|
|
Packit |
8681c6 |
#endif
|