From c98e0536e6b4a045bfc1f48c750dd3ded534e52f Mon Sep 17 00:00:00 2001 From: Matthias Valvekens Date: Thu, 19 Jun 2025 20:44:21 +0200 Subject: [PATCH 1/2] Update header files to PKCS#11 3.1 - Expose SHA3 digests in Cython layer - Add wiring for EdDSA params --- extern/pkcs11.h | 82 +++---- extern/pkcs11f.h | 272 ++++++++++++++++++++- extern/pkcs11t.h | 554 +++++++++++++++++++++++++++++++++++++++++-- pkcs11/_pkcs11.pxd | 5 + pkcs11/_pkcs11.pyx | 49 +++- pkcs11/mechanisms.py | 44 ++++ pyproject.toml | 2 +- tests/test_ecc.py | 31 ++- uv.lock | 2 +- 9 files changed, 948 insertions(+), 93 deletions(-) diff --git a/extern/pkcs11.h b/extern/pkcs11.h index 0d78dd7..33cdee0 100644 --- a/extern/pkcs11.h +++ b/extern/pkcs11.h @@ -1,13 +1,16 @@ -/* Copyright (c) OASIS Open 2016. All Rights Reserved./ +/* + * PKCS #11 Specification Version 3.1 + * OASIS Standard + * 23 July 2023 + * Copyright (c) OASIS Open 2023. All Rights Reserved. + * Source: https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/include/pkcs11-v3.1/ + * Latest stage of narrative specification: https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/pkcs11-spec-v3.1.html + * TC IPR Statement: https://www.oasis-open.org/committees/pkcs11/ipr.php * /Distributed under the terms of the OASIS IPR Policy, - * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY + * [https://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others. */ - -/* Latest version of the specification: - * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html - */ #ifndef _PKCS11_H_ #define _PKCS11_H_ 1 @@ -29,8 +32,7 @@ extern "C" { * convention on packing is that structures should be 1-byte * aligned. * - * If you're using Microsoft Developer Studio 5.0 to produce - * Win32 stuff, this might be done by using the following + * If you're using Windows this might be done by using the following * preprocessor directive before including pkcs11.h or pkcs11t.h: * * #pragma pack(push, cryptoki, 1) @@ -40,13 +42,6 @@ extern "C" { * * #pragma pack(pop, cryptoki) * - * If you're using an earlier version of Microsoft Developer - * Studio to produce Win16 stuff, this might be done by using - * the following preprocessor directive before including - * pkcs11.h or pkcs11t.h: - * - * #pragma pack(1) - * * In a UNIX environment, you're on your own for this. You might * not need to do (or be able to do!) anything. * @@ -59,16 +54,10 @@ extern "C" { * * typedef CK_BYTE CK_PTR CK_BYTE_PTR; * - * If you're using Microsoft Developer Studio 5.0 to produce - * Win32 stuff, it might be defined by: + * If you're using Windows, it might be defined by: * * #define CK_PTR * * - * If you're using an earlier version of Microsoft Developer - * Studio to produce Win16 stuff, it might be defined by: - * - * #define CK_PTR far * - * * In a typical UNIX environment, it might be defined by: * * #define CK_PTR * @@ -83,19 +72,12 @@ extern "C" { * CK_VOID_PTR pReserved * ); * - * If you're using Microsoft Developer Studio 5.0 to declare a - * function in a Win32 Cryptoki .dll, it might be defined by: + * If you're using Windows to declare a function in a Win32 Cryptoki .dll, + * it might be defined by: * * #define CK_DECLARE_FUNCTION(returnType, name) \ * returnType __declspec(dllimport) name * - * If you're using an earlier version of Microsoft Developer - * Studio to declare a function in a Win16 Cryptoki .dll, it - * might be defined by: - * - * #define CK_DECLARE_FUNCTION(returnType, name) \ - * returnType __export _far _pascal name - * * In a UNIX environment, it might be defined by: * * #define CK_DECLARE_FUNCTION(returnType, name) \ @@ -120,19 +102,12 @@ extern "C" { * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args); * funcPtrType funcPtr; * - * If you're using Microsoft Developer Studio 5.0 to access + * If you're using Windows to access * functions in a Win32 Cryptoki .dll, in might be defined by: * * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ * returnType __declspec(dllimport) (* name) * - * If you're using an earlier version of Microsoft Developer - * Studio to access functions in a Win16 Cryptoki .dll, it might - * be defined by: - * - * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ - * returnType __export _far _pascal (* name) - * * In a UNIX environment, it might be defined by: * * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ @@ -153,18 +128,11 @@ extern "C" { * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args); * myCallbackType myCallback; * - * If you're using Microsoft Developer Studio 5.0 to do Win32 - * Cryptoki development, it might be defined by: + * If you're using Windows, it might be defined by: * * #define CK_CALLBACK_FUNCTION(returnType, name) \ * returnType (* name) * - * If you're using an earlier version of Microsoft Developer - * Studio to do Win16 development, it might be defined by: - * - * #define CK_CALLBACK_FUNCTION(returnType, name) \ - * returnType _far _pascal (* name) - * * In a UNIX environment, it might be defined by: * * #define CK_CALLBACK_FUNCTION(returnType, name) \ @@ -240,6 +208,22 @@ extern "C" { #define CK_PKCS11_FUNCTION_INFO(name) \ __PASTE(CK_,name) name; +/* Create the 3.0 Function list */ +struct CK_FUNCTION_LIST_3_0 { + + CK_VERSION version; /* Cryptoki version */ + +/* Pile all the function pointers into the CK_FUNCTION_LIST. */ +/* pkcs11f.h has all the information about the Cryptoki + * function prototypes. + */ +#include "pkcs11f.h" + +}; + +#define CK_PKCS11_2_0_ONLY 1 + +/* Continue to define the old CK_FUNCTION_LIST */ struct CK_FUNCTION_LIST { CK_VERSION version; /* Cryptoki version */ @@ -253,6 +237,7 @@ struct CK_FUNCTION_LIST { }; #undef CK_PKCS11_FUNCTION_INFO +#undef CK_PKCS11_2_0_ONLY #undef __PASTE @@ -261,5 +246,4 @@ struct CK_FUNCTION_LIST { } #endif -#endif /* _PKCS11_H_ */ - +#endif /* _PKCS11_H_ */ \ No newline at end of file diff --git a/extern/pkcs11f.h b/extern/pkcs11f.h index ed90aff..6623e5b 100644 --- a/extern/pkcs11f.h +++ b/extern/pkcs11f.h @@ -1,13 +1,16 @@ -/* Copyright (c) OASIS Open 2016. All Rights Reserved./ +/* + * PKCS #11 Specification Version 3.1 + * OASIS Standard + * 23 July 2023 + * Copyright (c) OASIS Open 2023. All Rights Reserved. + * Source: https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/include/pkcs11-v3.1/ + * Latest stage of narrative specification: https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/pkcs11-spec-v3.1.html + * TC IPR Statement: https://www.oasis-open.org/committees/pkcs11/ipr.php * /Distributed under the terms of the OASIS IPR Policy, - * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY + * [https://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others. */ - -/* Latest version of the specification: - * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html - */ /* This header file contains pretty much everything about all the * Cryptoki function prototypes. Because this information is @@ -937,3 +940,260 @@ CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent) ); #endif +#ifndef CK_PKCS11_2_0_ONLY +/* C_GetInterfaceList returns all the interfaces supported by the module*/ +CK_PKCS11_FUNCTION_INFO(C_GetInterfaceList) +#ifdef CK_NEED_ARG_LIST +( + CK_INTERFACE_PTR pInterfacesList, /* returned interfaces */ + CK_ULONG_PTR pulCount /* number of interfaces returned */ +); +#endif + +/* C_GetInterface returns a specific interface from the module. */ +CK_PKCS11_FUNCTION_INFO(C_GetInterface) +#ifdef CK_NEED_ARG_LIST +( + CK_UTF8CHAR_PTR pInterfaceName, /* name of the interface */ + CK_VERSION_PTR pVersion, /* version of the interface */ + CK_INTERFACE_PTR_PTR ppInterface, /* returned interface */ + CK_FLAGS flags /* flags controlling the semantics + * of the interface */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_LoginUser) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_USER_TYPE userType, /* the user type */ + CK_UTF8CHAR_PTR pPin, /* the user's PIN */ + CK_ULONG ulPinLen, /* the length of the PIN */ + CK_UTF8CHAR_PTR pUsername, /* the user's name */ + CK_ULONG ulUsernameLen /*the length of the user's name */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_SessionCancel) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_FLAGS flags /* flags control which sessions are cancelled */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageEncryptInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ + CK_OBJECT_HANDLE hKey /* handle of encryption key */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_EncryptMessage) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen, /* AEAD Associated data length */ + CK_BYTE_PTR pPlaintext, /* plain text */ + CK_ULONG ulPlaintextLen, /* plain text length */ + CK_BYTE_PTR pCiphertext, /* gets cipher text */ + CK_ULONG_PTR pulCiphertextLen /* gets cipher text length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_EncryptMessageBegin) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen /* AEAD Associated data length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_EncryptMessageNext) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pPlaintextPart, /* plain text */ + CK_ULONG ulPlaintextPartLen, /* plain text length */ + CK_BYTE_PTR pCiphertextPart, /* gets cipher text */ + CK_ULONG_PTR pulCiphertextPartLen, /* gets cipher text length */ + CK_FLAGS flags /* multi mode flag */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageEncryptFinal) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageDecryptInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ + CK_OBJECT_HANDLE hKey /* handle of decryption key */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_DecryptMessage) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen, /* AEAD Associated data length */ + CK_BYTE_PTR pCiphertext, /* cipher text */ + CK_ULONG ulCiphertextLen, /* cipher text length */ + CK_BYTE_PTR pPlaintext, /* gets plain text */ + CK_ULONG_PTR pulPlaintextLen /* gets plain text length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_DecryptMessageBegin) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pAssociatedData, /* AEAD Associated data */ + CK_ULONG ulAssociatedDataLen /* AEAD Associated data length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_DecryptMessageNext) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pCiphertextPart, /* cipher text */ + CK_ULONG ulCiphertextPartLen, /* cipher text length */ + CK_BYTE_PTR pPlaintextPart, /* gets plain text */ + CK_ULONG_PTR pulPlaintextPartLen, /* gets plain text length */ + CK_FLAGS flags /* multi mode flag */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageDecryptFinal) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageSignInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the signing mechanism */ + CK_OBJECT_HANDLE hKey /* handle of signing key */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_SignMessage) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* gets signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_SignMessageBegin) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen /* length of message specific parameter */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_SignMessageNext) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* gets signature */ + CK_ULONG_PTR pulSignatureLen /* gets signature length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageSignFinal) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageVerifyInit) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_MECHANISM_PTR pMechanism, /* the signing mechanism */ + CK_OBJECT_HANDLE hKey /* handle of signing key */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_VerifyMessage) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* signature */ + CK_ULONG ulSignatureLen /* signature length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_VerifyMessageBegin) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen /* length of message specific parameter */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_VerifyMessageNext) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession, /* the session's handle */ + CK_VOID_PTR pParameter, /* message specific parameter */ + CK_ULONG ulParameterLen, /* length of message specific parameter */ + CK_BYTE_PTR pData, /* data to sign */ + CK_ULONG ulDataLen, /* data to sign length */ + CK_BYTE_PTR pSignature, /* signature */ + CK_ULONG ulSignatureLen /* signature length */ +); +#endif + +CK_PKCS11_FUNCTION_INFO(C_MessageVerifyFinal) +#ifdef CK_NEED_ARG_LIST +( + CK_SESSION_HANDLE hSession /* the session's handle */ +); +#endif + +#endif /* CK_PKCS11_2_0_ONLY */ \ No newline at end of file diff --git a/extern/pkcs11t.h b/extern/pkcs11t.h index 2c4fb36..bd3e7eb 100644 --- a/extern/pkcs11t.h +++ b/extern/pkcs11t.h @@ -1,14 +1,17 @@ -/* Copyright (c) OASIS Open 2016. All Rights Reserved./ +/* + * PKCS #11 Specification Version 3.1 + * OASIS Standard + * 23 July 2023 + * Copyright (c) OASIS Open 2023. All Rights Reserved. + * Source: https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/include/pkcs11-v3.1/ + * Latest stage of narrative specification: https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/pkcs11-spec-v3.1.html + * TC IPR Statement: https://www.oasis-open.org/committees/pkcs11/ipr.php * /Distributed under the terms of the OASIS IPR Policy, - * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY + * [https://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others. */ -/* Latest version of the specification: - * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html - */ - /* See top of pkcs11.h for information about the macros that * must be defined and the structure-packing conventions that * must be set before including this file. @@ -17,8 +20,8 @@ #ifndef _PKCS11T_H_ #define _PKCS11T_H_ 1 -#define CRYPTOKI_VERSION_MAJOR 2 -#define CRYPTOKI_VERSION_MINOR 40 +#define CRYPTOKI_VERSION_MAJOR 3 +#define CRYPTOKI_VERSION_MINOR 1 #define CRYPTOKI_VERSION_AMENDMENT 0 #define CK_TRUE 1 @@ -317,11 +320,23 @@ typedef CK_ULONG CK_OBJECT_CLASS; #define CKO_DOMAIN_PARAMETERS 0x00000006UL #define CKO_MECHANISM 0x00000007UL #define CKO_OTP_KEY 0x00000008UL +#define CKO_PROFILE 0x00000009UL #define CKO_VENDOR_DEFINED 0x80000000UL typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; +/* Profile ID's */ +#define CKP_INVALID_ID 0x00000000UL +#define CKP_BASELINE_PROVIDER 0x00000001UL +#define CKP_EXTENDED_PROVIDER 0x00000002UL +#define CKP_AUTHENTICATION_TOKEN 0x00000003UL +#define CKP_PUBLIC_CERTIFICATES_TOKEN 0x00000004UL +#define CKP_COMPLETE_PROVIDER 0x00000005UL +#define CKP_HKDF_TLS_TOKEN 0x00000006UL +#define CKP_VENDOR_DEFINED 0x80000000UL + + /* CK_HW_FEATURE_TYPE is a value that identifies the hardware feature type * of an object with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */ @@ -369,6 +384,8 @@ typedef CK_ULONG CK_KEY_TYPE; #define CKK_CAMELLIA 0x00000025UL #define CKK_ARIA 0x00000026UL +/* the following definitions were added in the 2.30 header file, + * but never defined in the spec. */ #define CKK_MD5_HMAC 0x00000027UL #define CKK_SHA_1_HMAC 0x00000028UL #define CKK_RIPEMD128_HMAC 0x00000029UL @@ -382,11 +399,27 @@ typedef CK_ULONG CK_KEY_TYPE; #define CKK_GOSTR3410 0x00000030UL #define CKK_GOSTR3411 0x00000031UL #define CKK_GOST28147 0x00000032UL - -/* from version 3.0 */ +#define CKK_CHACHA20 0x00000033UL +#define CKK_POLY1305 0x00000034UL +#define CKK_AES_XTS 0x00000035UL +#define CKK_SHA3_224_HMAC 0x00000036UL +#define CKK_SHA3_256_HMAC 0x00000037UL +#define CKK_SHA3_384_HMAC 0x00000038UL +#define CKK_SHA3_512_HMAC 0x00000039UL +#define CKK_BLAKE2B_160_HMAC 0x0000003AUL +#define CKK_BLAKE2B_256_HMAC 0x0000003BUL +#define CKK_BLAKE2B_384_HMAC 0x0000003CUL +#define CKK_BLAKE2B_512_HMAC 0x0000003DUL +#define CKK_SALSA20 0x0000003EUL +#define CKK_X2RATCHET 0x0000003FUL #define CKK_EC_EDWARDS 0x00000040UL +#define CKK_EC_MONTGOMERY 0x00000041UL +#define CKK_HKDF 0x00000042UL - +#define CKK_SHA512_224_HMAC 0x00000043UL +#define CKK_SHA512_256_HMAC 0x00000044UL +#define CKK_SHA512_T_HMAC 0x00000045UL +#define CKK_HSS 0x00000046UL #define CKK_VENDOR_DEFINED 0x80000000UL @@ -442,6 +475,7 @@ typedef CK_ULONG CK_ATTRIBUTE_TYPE; #define CKA_TOKEN 0x00000001UL #define CKA_PRIVATE 0x00000002UL #define CKA_LABEL 0x00000003UL +#define CKA_UNIQUE_ID 0x00000004UL #define CKA_APPLICATION 0x00000010UL #define CKA_VALUE 0x00000011UL #define CKA_OBJECT_ID 0x00000012UL @@ -559,6 +593,32 @@ typedef CK_ULONG CK_ATTRIBUTE_TYPE; #define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502UL #define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503UL #define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600UL) +#define CKA_PROFILE_ID 0x00000601UL + +#define CKA_X2RATCHET_BAG 0x00000602UL +#define CKA_X2RATCHET_BAGSIZE 0x00000603UL +#define CKA_X2RATCHET_BOBS1STMSG 0x00000604UL +#define CKA_X2RATCHET_CKR 0x00000605UL +#define CKA_X2RATCHET_CKS 0x00000606UL +#define CKA_X2RATCHET_DHP 0x00000607UL +#define CKA_X2RATCHET_DHR 0x00000608UL +#define CKA_X2RATCHET_DHS 0x00000609UL +#define CKA_X2RATCHET_HKR 0x0000060AUL +#define CKA_X2RATCHET_HKS 0x0000060BUL +#define CKA_X2RATCHET_ISALICE 0x0000060CUL +#define CKA_X2RATCHET_NHKR 0x0000060DUL +#define CKA_X2RATCHET_NHKS 0x0000060EUL +#define CKA_X2RATCHET_NR 0x0000060FUL +#define CKA_X2RATCHET_NS 0x00000610UL +#define CKA_X2RATCHET_PNS 0x00000611UL +#define CKA_X2RATCHET_RK 0x00000612UL +/* HSS */ +#define CKA_HSS_LEVELS 0x00000617UL +#define CKA_HSS_LMS_TYPE 0x00000618UL +#define CKA_HSS_LMOTS_TYPE 0x00000619UL +#define CKA_HSS_LMS_TYPES 0x0000061AUL +#define CKA_HSS_LMOTS_TYPES 0x0000061BUL +#define CKA_HSS_KEYS_REMAINING 0x0000061CUL #define CKA_VENDOR_DEFINED 0x80000000UL @@ -613,6 +673,10 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_DSA_SHA256 0x00000014UL #define CKM_DSA_SHA384 0x00000015UL #define CKM_DSA_SHA512 0x00000016UL +#define CKM_DSA_SHA3_224 0x00000018UL +#define CKM_DSA_SHA3_256 0x00000019UL +#define CKM_DSA_SHA3_384 0x0000001AUL +#define CKM_DSA_SHA3_512 0x0000001BUL #define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020UL #define CKM_DH_PKCS_DERIVE 0x00000021UL @@ -646,6 +710,15 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_SHA512_T_HMAC_GENERAL 0x00000052UL #define CKM_SHA512_T_KEY_DERIVATION 0x00000053UL +#define CKM_SHA3_256_RSA_PKCS 0x00000060UL +#define CKM_SHA3_384_RSA_PKCS 0x00000061UL +#define CKM_SHA3_512_RSA_PKCS 0x00000062UL +#define CKM_SHA3_256_RSA_PKCS_PSS 0x00000063UL +#define CKM_SHA3_384_RSA_PKCS_PSS 0x00000064UL +#define CKM_SHA3_512_RSA_PKCS_PSS 0x00000065UL +#define CKM_SHA3_224_RSA_PKCS 0x00000066UL +#define CKM_SHA3_224_RSA_PKCS_PSS 0x00000067UL + #define CKM_RC2_KEY_GEN 0x00000100UL #define CKM_RC2_ECB 0x00000101UL #define CKM_RC2_CBC 0x00000102UL @@ -727,6 +800,24 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_ACTI 0x000002A0UL #define CKM_ACTI_KEY_GEN 0x000002A1UL +#define CKM_SHA3_256 0x000002B0UL +#define CKM_SHA3_256_HMAC 0x000002B1UL +#define CKM_SHA3_256_HMAC_GENERAL 0x000002B2UL +#define CKM_SHA3_256_KEY_GEN 0x000002B3UL +#define CKM_SHA3_224 0x000002B5UL +#define CKM_SHA3_224_HMAC 0x000002B6UL +#define CKM_SHA3_224_HMAC_GENERAL 0x000002B7UL +#define CKM_SHA3_224_KEY_GEN 0x000002B8UL +#define CKM_SHA3_384 0x000002C0UL +#define CKM_SHA3_384_HMAC 0x000002C1UL +#define CKM_SHA3_384_HMAC_GENERAL 0x000002C2UL +#define CKM_SHA3_384_KEY_GEN 0x000002C3UL +#define CKM_SHA3_512 0x000002D0UL +#define CKM_SHA3_512_HMAC 0x000002D1UL +#define CKM_SHA3_512_HMAC_GENERAL 0x000002D2UL +#define CKM_SHA3_512_KEY_GEN 0x000002D3UL + + #define CKM_CAST_KEY_GEN 0x00000300UL #define CKM_CAST_ECB 0x00000301UL #define CKM_CAST_CBC 0x00000302UL @@ -792,6 +883,18 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_SHA384_KEY_DERIVATION 0x00000394UL #define CKM_SHA512_KEY_DERIVATION 0x00000395UL #define CKM_SHA224_KEY_DERIVATION 0x00000396UL +#define CKM_SHA3_256_KEY_DERIVATION 0x00000397UL +#define CKM_SHA3_224_KEY_DERIVATION 0x00000398UL +#define CKM_SHA3_384_KEY_DERIVATION 0x00000399UL +#define CKM_SHA3_512_KEY_DERIVATION 0x0000039AUL +#define CKM_SHAKE_128_KEY_DERIVATION 0x0000039BUL +#define CKM_SHAKE_256_KEY_DERIVATION 0x0000039CUL +#define CKM_SHA3_256_KEY_DERIVE CKM_SHA3_256_KEY_DERIVATION +#define CKM_SHA3_224_KEY_DERIVE CKM_SHA3_224_KEY_DERIVATION +#define CKM_SHA3_384_KEY_DERIVE CKM_SHA3_384_KEY_DERIVATION +#define CKM_SHA3_512_KEY_DERIVE CKM_SHA3_512_KEY_DERIVATION +#define CKM_SHAKE_128_KEY_DERIVE CKM_SHAKE_128_KEY_DERIVATION +#define CKM_SHAKE_256_KEY_DERIVE CKM_SHAKE_256_KEY_DERIVATION #define CKM_PBE_MD2_DES_CBC 0x000003A0UL #define CKM_PBE_MD5_DES_CBC 0x000003A1UL @@ -876,7 +979,7 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_SKIPJACK_CFB8 0x00001007UL #define CKM_SKIPJACK_WRAP 0x00001008UL #define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009UL -#define CKM_SKIPJACK_RELAYX 0x0000100aUL +#define CKM_SKIPJACK_RELAYX 0x0000100AUL #define CKM_KEA_KEY_PAIR_GEN 0x00001010UL #define CKM_KEA_KEY_DERIVE 0x00001011UL #define CKM_KEA_DERIVE 0x00001012UL @@ -898,6 +1001,7 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_ECDSA_SHA256 0x00001044UL #define CKM_ECDSA_SHA384 0x00001045UL #define CKM_ECDSA_SHA512 0x00001046UL +#define CKM_EC_KEY_PAIR_GEN_W_EXTRA_BITS 0x0000140BUL #define CKM_ECDH1_DERIVE 0x00001050UL #define CKM_ECDH1_COFACTOR_DERIVE 0x00001051UL @@ -914,6 +1018,8 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_JUNIPER_WRAP 0x00001065UL #define CKM_FASTHASH 0x00001070UL +#define CKM_AES_XTS 0x00001071UL +#define CKM_AES_XTS_KEY_GEN 0x00001072UL #define CKM_AES_KEY_GEN 0x00001080UL #define CKM_AES_ECB 0x00001081UL #define CKM_AES_CBC 0x00001082UL @@ -957,12 +1063,17 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_GOST28147 0x00001222UL #define CKM_GOST28147_MAC 0x00001223UL #define CKM_GOST28147_KEY_WRAP 0x00001224UL - +#define CKM_CHACHA20_KEY_GEN 0x00001225UL +#define CKM_CHACHA20 0x00001226UL +#define CKM_POLY1305_KEY_GEN 0x00001227UL +#define CKM_POLY1305 0x00001228UL #define CKM_DSA_PARAMETER_GEN 0x00002000UL #define CKM_DH_PKCS_PARAMETER_GEN 0x00002001UL #define CKM_X9_42_DH_PARAMETER_GEN 0x00002002UL -#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN 0x00002003UL +#define CKM_DSA_PROBABILISTIC_PARAMETER_GEN 0x00002003UL +#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN CKM_DSA_PROBABILISTIC_PARAMETER_GEN #define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN 0x00002004UL +#define CKM_DSA_FIPS_G_GEN 0x00002005UL #define CKM_AES_OFB 0x00002104UL #define CKM_AES_CFB64 0x00002105UL @@ -972,13 +1083,74 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_AES_CFB1 0x00002108UL #define CKM_AES_KEY_WRAP 0x00002109UL /* WAS: 0x00001090 */ #define CKM_AES_KEY_WRAP_PAD 0x0000210AUL /* WAS: 0x00001091 */ +#define CKM_AES_KEY_WRAP_KWP 0x0000210BUL +#define CKM_AES_KEY_WRAP_PKCS7 0x0000210CUL #define CKM_RSA_PKCS_TPM_1_1 0x00004001UL #define CKM_RSA_PKCS_OAEP_TPM_1_1 0x00004002UL -/* from version 3.0 */ -#define CKM_EC_EDWARDS_KEY_PAIR_GEN 0x00001055UL +#define CKM_SHA_1_KEY_GEN 0x00004003UL +#define CKM_SHA224_KEY_GEN 0x00004004UL +#define CKM_SHA256_KEY_GEN 0x00004005UL +#define CKM_SHA384_KEY_GEN 0x00004006UL +#define CKM_SHA512_KEY_GEN 0x00004007UL +#define CKM_SHA512_224_KEY_GEN 0x00004008UL +#define CKM_SHA512_256_KEY_GEN 0x00004009UL +#define CKM_SHA512_T_KEY_GEN 0x0000400AUL +#define CKM_NULL 0x0000400BUL +#define CKM_BLAKE2B_160 0x0000400CUL +#define CKM_BLAKE2B_160_HMAC 0x0000400DUL +#define CKM_BLAKE2B_160_HMAC_GENERAL 0x0000400EUL +#define CKM_BLAKE2B_160_KEY_DERIVE 0x0000400FUL +#define CKM_BLAKE2B_160_KEY_GEN 0x00004010UL +#define CKM_BLAKE2B_256 0x00004011UL +#define CKM_BLAKE2B_256_HMAC 0x00004012UL +#define CKM_BLAKE2B_256_HMAC_GENERAL 0x00004013UL +#define CKM_BLAKE2B_256_KEY_DERIVE 0x00004014UL +#define CKM_BLAKE2B_256_KEY_GEN 0x00004015UL +#define CKM_BLAKE2B_384 0x00004016UL +#define CKM_BLAKE2B_384_HMAC 0x00004017UL +#define CKM_BLAKE2B_384_HMAC_GENERAL 0x00004018UL +#define CKM_BLAKE2B_384_KEY_DERIVE 0x00004019UL +#define CKM_BLAKE2B_384_KEY_GEN 0x0000401AUL +#define CKM_BLAKE2B_512 0x0000401BUL +#define CKM_BLAKE2B_512_HMAC 0x0000401CUL +#define CKM_BLAKE2B_512_HMAC_GENERAL 0x0000401DUL +#define CKM_BLAKE2B_512_KEY_DERIVE 0x0000401EUL +#define CKM_BLAKE2B_512_KEY_GEN 0x0000401FUL +#define CKM_SALSA20 0x00004020UL +#define CKM_CHACHA20_POLY1305 0x00004021UL +#define CKM_SALSA20_POLY1305 0x00004022UL +#define CKM_X3DH_INITIALIZE 0x00004023UL +#define CKM_X3DH_RESPOND 0x00004024UL +#define CKM_X2RATCHET_INITIALIZE 0x00004025UL +#define CKM_X2RATCHET_RESPOND 0x00004026UL +#define CKM_X2RATCHET_ENCRYPT 0x00004027UL +#define CKM_X2RATCHET_DECRYPT 0x00004028UL +#define CKM_XEDDSA 0x00004029UL +#define CKM_HKDF_DERIVE 0x0000402AUL +#define CKM_HKDF_DATA 0x0000402BUL +#define CKM_HKDF_KEY_GEN 0x0000402CUL +#define CKM_SALSA20_KEY_GEN 0x0000402DUL + +#define CKM_ECDSA_SHA3_224 0x00001047UL +#define CKM_ECDSA_SHA3_256 0x00001048UL +#define CKM_ECDSA_SHA3_384 0x00001049UL +#define CKM_ECDSA_SHA3_512 0x0000104AUL +#define CKM_EC_EDWARDS_KEY_PAIR_GEN 0x00001055UL +#define CKM_EC_MONTGOMERY_KEY_PAIR_GEN 0x00001056UL #define CKM_EDDSA 0x00001057UL +#define CKM_SP800_108_COUNTER_KDF 0x000003ACUL +#define CKM_SP800_108_FEEDBACK_KDF 0x000003ADUL +#define CKM_SP800_108_DOUBLE_PIPELINE_KDF 0x000003AEUL + +#define CKM_IKE2_PRF_PLUS_DERIVE 0x0000402EUL +#define CKM_IKE_PRF_DERIVE 0x0000402FUL +#define CKM_IKE1_PRF_DERIVE 0x00004030UL +#define CKM_IKE1_EXTENDED_DERIVE 0x00004031UL +#define CKM_HSS_KEY_PAIR_GEN 0x00004032UL +#define CKM_HSS 0x00004033UL + #define CKM_VENDOR_DEFINED 0x80000000UL @@ -1011,6 +1183,14 @@ typedef struct CK_MECHANISM_INFO { #define CKF_HW 0x00000001UL /* performed by HW */ /* Specify whether or not a mechanism can be used for a particular task */ +#define CKF_MESSAGE_ENCRYPT 0x00000002UL +#define CKF_MESSAGE_DECRYPT 0x00000004UL +#define CKF_MESSAGE_SIGN 0x00000008UL +#define CKF_MESSAGE_VERIFY 0x00000010UL +#define CKF_MULTI_MESSAGE 0x00000020UL +#define CKF_MULTI_MESSGE CKF_MULTI_MESSAGE +#define CKF_FIND_OBJECTS 0x00000040UL + #define CKF_ENCRYPT 0x00000100UL #define CKF_DECRYPT 0x00000200UL #define CKF_DIGEST 0x00000400UL @@ -1030,9 +1210,11 @@ typedef struct CK_MECHANISM_INFO { #define CKF_EC_F_P 0x00100000UL #define CKF_EC_F_2M 0x00200000UL #define CKF_EC_ECPARAMETERS 0x00400000UL -#define CKF_EC_NAMEDCURVE 0x00800000UL +#define CKF_EC_OID 0x00800000UL +#define CKF_EC_NAMEDCURVE CKF_EC_OID /* deprecated since PKCS#11 3.00 */ #define CKF_EC_UNCOMPRESS 0x01000000UL #define CKF_EC_COMPRESS 0x02000000UL +#define CKF_EC_CURVENAME 0x04000000UL #define CKF_EXTENSION 0x80000000UL @@ -1070,6 +1252,7 @@ typedef CK_ULONG CK_RV; #define CKR_DEVICE_REMOVED 0x00000032UL #define CKR_ENCRYPTED_DATA_INVALID 0x00000040UL #define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041UL +#define CKR_AEAD_DECRYPT_FAILED 0x00000042UL #define CKR_FUNCTION_CANCELED 0x00000050UL #define CKR_FUNCTION_NOT_PARALLEL 0x00000051UL @@ -1162,6 +1345,9 @@ typedef CK_ULONG CK_RV; #define CKR_PUBLIC_KEY_INVALID 0x000001B9UL #define CKR_FUNCTION_REJECTED 0x00000200UL +#define CKR_TOKEN_RESOURCE_EXCEEDED 0x00000201UL +#define CKR_OPERATION_CANCEL_FAILED 0x00000202UL +#define CKR_KEY_EXHAUSTED 0x00000203UL #define CKR_VENDOR_DEFINED 0x80000000UL @@ -1179,10 +1365,24 @@ typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)( * Cryptoki functions */ typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST; +typedef struct CK_FUNCTION_LIST_3_0 CK_FUNCTION_LIST_3_0; typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR; +typedef CK_FUNCTION_LIST_3_0 CK_PTR CK_FUNCTION_LIST_3_0_PTR; typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR; +typedef CK_FUNCTION_LIST_3_0_PTR CK_PTR CK_FUNCTION_LIST_3_0_PTR_PTR; + +typedef struct CK_INTERFACE { + CK_CHAR *pInterfaceName; + CK_VOID_PTR pFunctionList; + CK_FLAGS flags; +} CK_INTERFACE; + +typedef CK_INTERFACE CK_PTR CK_INTERFACE_PTR; +typedef CK_INTERFACE_PTR CK_PTR CK_INTERFACE_PTR_PTR; + +#define CKF_END_OF_MESSAGE 0x00000001UL /* CK_CREATEMUTEX is an application callback for creating a @@ -1214,6 +1414,8 @@ typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)( CK_VOID_PTR pMutex /* pointer to mutex */ ); +/* Get functionlist flags */ +#define CKF_INTERFACE_FORK_SAFE 0x00000001UL /* CK_C_INITIALIZE_ARGS provides the optional arguments to * C_Initialize @@ -1236,6 +1438,7 @@ typedef struct CK_C_INITIALIZE_ARGS { typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR; + /* additional flags for parameters to functions */ /* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ @@ -1256,6 +1459,11 @@ typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR; #define CKG_MGF1_SHA384 0x00000003UL #define CKG_MGF1_SHA512 0x00000004UL #define CKG_MGF1_SHA224 0x00000005UL +#define CKG_MGF1_SHA3_224 0x00000006UL +#define CKG_MGF1_SHA3_256 0x00000007UL +#define CKG_MGF1_SHA3_384 0x00000008UL +#define CKG_MGF1_SHA3_512 0x00000009UL + /* CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source * of the encoding parameter when formatting a message block @@ -1293,6 +1501,7 @@ typedef struct CK_RSA_PKCS_PSS_PARAMS { typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR; typedef CK_ULONG CK_EC_KDF_TYPE; +typedef CK_EC_KDF_TYPE CK_PTR CK_EC_KDF_TYPE_PTR; /* The following EC Key Derivation Functions are defined */ #define CKD_NULL 0x00000001UL @@ -1306,7 +1515,23 @@ typedef CK_ULONG CK_EC_KDF_TYPE; #define CKD_SHA384_KDF 0x00000007UL #define CKD_SHA512_KDF 0x00000008UL #define CKD_CPDIVERSIFY_KDF 0x00000009UL - +#define CKD_SHA3_224_KDF 0x0000000AUL +#define CKD_SHA3_256_KDF 0x0000000BUL +#define CKD_SHA3_384_KDF 0x0000000CUL +#define CKD_SHA3_512_KDF 0x0000000DUL +#define CKD_SHA1_KDF_SP800 0x0000000EUL +#define CKD_SHA224_KDF_SP800 0x0000000FUL +#define CKD_SHA256_KDF_SP800 0x00000010UL +#define CKD_SHA384_KDF_SP800 0x00000011UL +#define CKD_SHA512_KDF_SP800 0x00000012UL +#define CKD_SHA3_224_KDF_SP800 0x00000013UL +#define CKD_SHA3_256_KDF_SP800 0x00000014UL +#define CKD_SHA3_384_KDF_SP800 0x00000015UL +#define CKD_SHA3_512_KDF_SP800 0x00000016UL +#define CKD_BLAKE2B_160_KDF 0x00000017UL +#define CKD_BLAKE2B_256_KDF 0x00000018UL +#define CKD_BLAKE2B_384_KDF 0x00000019UL +#define CKD_BLAKE2B_512_KDF 0x0000001AUL /* CK_ECDH1_DERIVE_PARAMS provides the parameters to the * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms, @@ -1848,6 +2073,24 @@ typedef struct CK_GCM_PARAMS { typedef CK_GCM_PARAMS CK_PTR CK_GCM_PARAMS_PTR; +typedef CK_ULONG CK_GENERATOR_FUNCTION; +#define CKG_NO_GENERATE 0x00000000UL +#define CKG_GENERATE 0x00000001UL +#define CKG_GENERATE_COUNTER 0x00000002UL +#define CKG_GENERATE_RANDOM 0x00000003UL +#define CKG_GENERATE_COUNTER_XOR 0x00000004UL + +typedef struct CK_GCM_MESSAGE_PARAMS { + CK_BYTE_PTR pIv; + CK_ULONG ulIvLen; + CK_ULONG ulIvFixedBits; + CK_GENERATOR_FUNCTION ivGenerator; + CK_BYTE_PTR pTag; + CK_ULONG ulTagBits; +} CK_GCM_MESSAGE_PARAMS; + +typedef CK_GCM_MESSAGE_PARAMS CK_PTR CK_GCM_MESSAGE_PARAMS_PTR; + typedef struct CK_CCM_PARAMS { CK_ULONG ulDataLen; CK_BYTE_PTR pNonce; @@ -1859,6 +2102,18 @@ typedef struct CK_CCM_PARAMS { typedef CK_CCM_PARAMS CK_PTR CK_CCM_PARAMS_PTR; +typedef struct CK_CCM_MESSAGE_PARAMS { + CK_ULONG ulDataLen; /*plaintext or ciphertext*/ + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceLen; + CK_ULONG ulNonceFixedBits; + CK_GENERATOR_FUNCTION nonceGenerator; + CK_BYTE_PTR pMAC; + CK_ULONG ulMACLen; +} CK_CCM_MESSAGE_PARAMS; + +typedef CK_CCM_MESSAGE_PARAMS CK_PTR CK_CCM_MESSAGE_PARAMS_PTR; + /* Deprecated. Use CK_GCM_PARAMS */ typedef struct CK_AES_GCM_PARAMS { CK_BYTE_PTR pIv; @@ -2006,5 +2261,266 @@ typedef struct CK_SEED_CBC_ENCRYPT_DATA_PARAMS { typedef CK_SEED_CBC_ENCRYPT_DATA_PARAMS CK_PTR \ CK_SEED_CBC_ENCRYPT_DATA_PARAMS_PTR; -#endif /* _PKCS11T_H_ */ +/* + * New PKCS 11 v3.0 data structures. + */ + +typedef CK_ULONG CK_PROFILE_ID; +typedef CK_PROFILE_ID CK_PTR CK_PROFILE_ID_PTR; + +/* Typedefs for Flexible KDF */ +typedef CK_ULONG CK_PRF_DATA_TYPE; +typedef CK_MECHANISM_TYPE CK_SP800_108_PRF_TYPE; +#define CK_SP800_108_ITERATION_VARIABLE 0x00000001UL +#define CK_SP800_108_OPTIONAL_COUNTER 0x00000002UL +#define CK_SP800_108_DKM_LENGTH 0x00000003UL +#define CK_SP800_108_BYTE_ARRAY 0x00000004UL +#define CK_SP800_108_COUNTER CK_SP800_108_OPTIONAL_COUNTER + +typedef struct CK_PRF_DATA_PARAM +{ + CK_PRF_DATA_TYPE type; + CK_VOID_PTR pValue; + CK_ULONG ulValueLen; +} CK_PRF_DATA_PARAM; + +typedef CK_PRF_DATA_PARAM CK_PTR CK_PRF_DATA_PARAM_PTR; + + +typedef struct CK_SP800_108_COUNTER_FORMAT +{ + CK_BBOOL bLittleEndian; + CK_ULONG ulWidthInBits; +} CK_SP800_108_COUNTER_FORMAT; + +typedef CK_SP800_108_COUNTER_FORMAT CK_PTR CK_SP800_108_COUNTER_FORMAT_PTR; + +typedef CK_ULONG CK_SP800_108_DKM_LENGTH_METHOD; +#define CK_SP800_108_DKM_LENGTH_SUM_OF_KEYS 0x00000001UL +#define CK_SP800_108_DKM_LENGTH_SUM_OF_SEGMENTS 0x00000002UL + +typedef struct CK_SP800_108_DKM_LENGTH_FORMAT +{ + CK_SP800_108_DKM_LENGTH_METHOD dkmLengthMethod; + CK_BBOOL bLittleEndian; + CK_ULONG ulWidthInBits; +} CK_SP800_108_DKM_LENGTH_FORMAT; + +typedef CK_SP800_108_DKM_LENGTH_FORMAT \ + CK_PTR CK_SP800_108_DKM_LENGTH_FORMAT_PTR; + +typedef struct CK_DERIVED_KEY +{ + CK_ATTRIBUTE_PTR pTemplate; + CK_ULONG ulAttributeCount; + CK_OBJECT_HANDLE_PTR phKey; +} CK_DERIVED_KEY; + +typedef CK_DERIVED_KEY CK_PTR CK_DERIVED_KEY_PTR; + +typedef struct CK_SP800_108_KDF_PARAMS +{ + CK_SP800_108_PRF_TYPE prfType; + CK_ULONG ulNumberOfDataParams; + CK_PRF_DATA_PARAM_PTR pDataParams; + CK_ULONG ulAdditionalDerivedKeys; + CK_DERIVED_KEY_PTR pAdditionalDerivedKeys; +} CK_SP800_108_KDF_PARAMS; + +typedef CK_SP800_108_KDF_PARAMS CK_PTR CK_SP800_108_KDF_PARAMS_PTR; + +typedef struct CK_SP800_108_FEEDBACK_KDF_PARAMS +{ + CK_SP800_108_PRF_TYPE prfType; + CK_ULONG ulNumberOfDataParams; + CK_PRF_DATA_PARAM_PTR pDataParams; + CK_ULONG ulIVLen; + CK_BYTE_PTR pIV; + CK_ULONG ulAdditionalDerivedKeys; + CK_DERIVED_KEY_PTR pAdditionalDerivedKeys; +} CK_SP800_108_FEEDBACK_KDF_PARAMS; + +typedef CK_SP800_108_FEEDBACK_KDF_PARAMS \ + CK_PTR CK_SP800_108_FEEDBACK_KDF_PARAMS_PTR; + +/* EDDSA */ +typedef struct CK_EDDSA_PARAMS { + CK_BBOOL phFlag; + CK_ULONG ulContextDataLen; + CK_BYTE_PTR pContextData; +} CK_EDDSA_PARAMS; + +typedef CK_EDDSA_PARAMS CK_PTR CK_EDDSA_PARAMS_PTR; + +/* Extended ChaCha20/Salsa20 support*/ +typedef struct CK_CHACHA20_PARAMS { + CK_BYTE_PTR pBlockCounter; + CK_ULONG blockCounterBits; + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceBits; +} CK_CHACHA20_PARAMS; + +typedef CK_CHACHA20_PARAMS CK_PTR CK_CHACHA20_PARAMS_PTR; + +typedef struct CK_SALSA20_PARAMS { + CK_BYTE_PTR pBlockCounter; + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceBits; +} CK_SALSA20_PARAMS; +typedef CK_SALSA20_PARAMS CK_PTR CK_SALSA20_PARAMS_PTR; + +typedef struct CK_SALSA20_CHACHA20_POLY1305_PARAMS { + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceLen; + CK_BYTE_PTR pAAD; + CK_ULONG ulAADLen; +} CK_SALSA20_CHACHA20_POLY1305_PARAMS; + +typedef CK_SALSA20_CHACHA20_POLY1305_PARAMS \ + CK_PTR CK_SALSA20_CHACHA20_POLY1305_PARAMS_PTR; + +typedef struct CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS { + CK_BYTE_PTR pNonce; + CK_ULONG ulNonceLen; + CK_BYTE_PTR pTag; +} CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS; + +typedef CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS \ + CK_PTR CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS_PTR; + +typedef CK_ULONG CK_X3DH_KDF_TYPE; +typedef CK_X3DH_KDF_TYPE CK_PTR CK_X3DH_KDF_TYPE_PTR; + +/* X3dh, ratchet */ +typedef struct CK_X3DH_INITIATE_PARAMS { + CK_X3DH_KDF_TYPE kdf; + CK_OBJECT_HANDLE pPeer_identity; + CK_OBJECT_HANDLE pPeer_prekey; + CK_BYTE_PTR pPrekey_signature; + CK_BYTE_PTR pOnetime_key; + CK_OBJECT_HANDLE pOwn_identity; + CK_OBJECT_HANDLE pOwn_ephemeral; +} CK_X3DH_INITIATE_PARAMS; + +typedef struct CK_X3DH_RESPOND_PARAMS { + CK_X3DH_KDF_TYPE kdf; + CK_BYTE_PTR pIdentity_id; + CK_BYTE_PTR pPrekey_id; + CK_BYTE_PTR pOnetime_id; + CK_OBJECT_HANDLE pInitiator_identity; + CK_BYTE_PTR pInitiator_ephemeral; +} CK_X3DH_RESPOND_PARAMS; + +typedef CK_ULONG CK_X2RATCHET_KDF_TYPE; +typedef CK_X2RATCHET_KDF_TYPE CK_PTR CK_X2RATCHET_KDF_TYPE_PTR; + +typedef struct CK_X2RATCHET_INITIALIZE_PARAMS { + CK_BYTE_PTR sk; + CK_OBJECT_HANDLE peer_public_prekey; + CK_OBJECT_HANDLE peer_public_identity; + CK_OBJECT_HANDLE own_public_identity; + CK_BBOOL bEncryptedHeader; + CK_ULONG eCurve; + CK_MECHANISM_TYPE aeadMechanism; + CK_X2RATCHET_KDF_TYPE kdfMechanism; +} CK_X2RATCHET_INITIALIZE_PARAMS; + +typedef CK_X2RATCHET_INITIALIZE_PARAMS \ + CK_PTR CK_X2RATCHET_INITIALIZE_PARAMS_PTR; + +typedef struct CK_X2RATCHET_RESPOND_PARAMS { + CK_BYTE_PTR sk; + CK_OBJECT_HANDLE own_prekey; + CK_OBJECT_HANDLE initiator_identity; + CK_OBJECT_HANDLE own_public_identity; + CK_BBOOL bEncryptedHeader; + CK_ULONG eCurve; + CK_MECHANISM_TYPE aeadMechanism; + CK_X2RATCHET_KDF_TYPE kdfMechanism; +} CK_X2RATCHET_RESPOND_PARAMS; +typedef CK_X2RATCHET_RESPOND_PARAMS \ + CK_PTR CK_X2RATCHET_RESPOND_PARAMS_PTR; + +typedef CK_ULONG CK_XEDDSA_HASH_TYPE; +typedef CK_XEDDSA_HASH_TYPE CK_PTR CK_XEDDSA_HASH_TYPE_PTR; + +/* XEDDSA */ +typedef struct CK_XEDDSA_PARAMS { + CK_XEDDSA_HASH_TYPE hash; +} CK_XEDDSA_PARAMS; +typedef CK_XEDDSA_PARAMS CK_PTR CK_XEDDSA_PARAMS_PTR; + +/* HKDF params */ +typedef struct CK_HKDF_PARAMS { + CK_BBOOL bExtract; + CK_BBOOL bExpand; + CK_MECHANISM_TYPE prfHashMechanism; + CK_ULONG ulSaltType; + CK_BYTE_PTR pSalt; + CK_ULONG ulSaltLen; + CK_OBJECT_HANDLE hSaltKey; + CK_BYTE_PTR pInfo; + CK_ULONG ulInfoLen; +} CK_HKDF_PARAMS; +typedef CK_HKDF_PARAMS CK_PTR CK_HKDF_PARAMS_PTR; + +#define CKF_HKDF_SALT_NULL 0x00000001UL +#define CKF_HKDF_SALT_DATA 0x00000002UL +#define CKF_HKDF_SALT_KEY 0x00000004UL + +/* HSS */ +typedef CK_ULONG CK_HSS_LEVELS; +typedef CK_ULONG CK_LMS_TYPE; +typedef CK_ULONG CK_LMOTS_TYPE; + +typedef struct specifiedParams { + CK_HSS_LEVELS levels; + CK_LMS_TYPE lm_type[8]; + CK_LMOTS_TYPE lm_ots_type[8]; +} specifiedParams; + +/* IKE Params */ +typedef struct CK_IKE2_PRF_PLUS_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bHasSeedKey; + CK_OBJECT_HANDLE hSeedKey; + CK_BYTE_PTR pSeedData; + CK_ULONG ulSeedDataLen; +} CK_IKE2_PRF_PLUS_DERIVE_PARAMS; +typedef CK_IKE2_PRF_PLUS_DERIVE_PARAMS CK_PTR CK_IKE2_PRF_PLUS_DERIVE_PARAMS_PTR; + +typedef struct CK_IKE_PRF_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bDataAsKey; + CK_BBOOL bRekey; + CK_BYTE_PTR pNi; + CK_ULONG ulNiLen; + CK_BYTE_PTR pNr; + CK_ULONG ulNrLen; + CK_OBJECT_HANDLE hNewKey; +} CK_IKE_PRF_DERIVE_PARAMS; +typedef CK_IKE_PRF_DERIVE_PARAMS CK_PTR CK_IKE_PRF_DERIVE_PARAMS_PTR; + +typedef struct CK_IKE1_PRF_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bHasPrevKey; + CK_OBJECT_HANDLE hKeygxy; + CK_OBJECT_HANDLE hPrevKey; + CK_BYTE_PTR pCKYi; + CK_ULONG ulCKYiLen; + CK_BYTE_PTR pCKYr; + CK_ULONG ulCKYrLen; + CK_BYTE keyNumber; +} CK_IKE1_PRF_DERIVE_PARAMS; +typedef CK_IKE1_PRF_DERIVE_PARAMS CK_PTR CK_IKE1_PRF_DERIVE_PARAMS_PTR; + +typedef struct CK_IKE1_EXTENDED_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bHasKeygxy; + CK_OBJECT_HANDLE hKeygxy; + CK_BYTE_PTR pExtraData; + CK_ULONG ulExtraDataLen; +} CK_IKE1_EXTENDED_DERIVE_PARAMS; +typedef CK_IKE1_EXTENDED_DERIVE_PARAMS CK_PTR CK_IKE1_EXTENDED_DERIVE_PARAMS_PTR; +#endif /* _PKCS11T_H_ */ diff --git a/pkcs11/_pkcs11.pxd b/pkcs11/_pkcs11.pxd index 07f3358..a5eb9e9 100644 --- a/pkcs11/_pkcs11.pxd +++ b/pkcs11/_pkcs11.pxd @@ -260,6 +260,11 @@ cdef extern from '../extern/cryptoki.h': CK_BYTE *pData CK_ULONG length + ctypedef struct CK_EDDSA_PARAMS: + CK_BBOOL phFlag + CK_ULONG ulContextDataLen + CK_BYTE *pContextData + cdef struct CK_FUNCTION_LIST: CK_VERSION version ## pointers to library functions are stored here diff --git a/pkcs11/_pkcs11.pyx b/pkcs11/_pkcs11.pyx index 5476ae9..9a2b9fc 100644 --- a/pkcs11/_pkcs11.pyx +++ b/pkcs11/_pkcs11.pyx @@ -257,12 +257,34 @@ cdef class MechanismWithParam: # FIXME: is there a better way to do this? cdef CK_RSA_PKCS_OAEP_PARAMS *oaep_params cdef CK_RSA_PKCS_PSS_PARAMS *pss_params + cdef CK_EDDSA_PARAMS *eddsa_params cdef CK_ECDH1_DERIVE_PARAMS *ecdh1_params cdef CK_KEY_DERIVATION_STRING_DATA *aes_ecb_params cdef CK_AES_CBC_ENCRYPT_DATA_PARAMS *aes_cbc_params # Unpack mechanism parameters - if mechanism is Mechanism.RSA_PKCS_OAEP: + + if mechanism == Mechanism.AES_ECB_ENCRYPT_DATA: + paramlen = sizeof(CK_KEY_DERIVATION_STRING_DATA) + self.param = aes_ecb_params = \ + PyMem_Malloc(paramlen) + aes_ecb_params.pData = param + aes_ecb_params.ulLen = len(param) + + elif isinstance(param, bytes): + # Note: this is an escape hatch of sorts that can be used to provide parameters for + # unsupported algorithms in raw binary form. + # We include it at this point in the chain for forwards compatibility reasons: + # if at a later point, "first class" support for the unsupported mechanism is added + # to the library, existing code that used this "raw mode" workaround will keep working + # because this branch takes priority. + # + # The parameter convention for AES_ECB_ENCRYPT_DATA predates this ordering decision, + # so it takes precedence over this branch for backwards compatibility. + self.data.pParameter = param + paramlen = len(param) + + elif mechanism == Mechanism.RSA_PKCS_OAEP: paramlen = sizeof(CK_RSA_PKCS_OAEP_PARAMS) self.param = oaep_params = \ PyMem_Malloc(paramlen) @@ -297,6 +319,18 @@ cdef class MechanismWithParam: (pss_params.hashAlg, pss_params.mgf, pss_params.sLen) = param + elif mechanism == Mechanism.EDDSA and param is not None: + paramlen = sizeof(CK_EDDSA_PARAMS) + self.param = eddsa_params = \ + PyMem_Malloc(paramlen) + (eddsa_params.phFlag, context_data) = param + if context_data is None: + eddsa_params.pContextData = NULL + eddsa_params.ulContextDataLen = 0 + else: + eddsa_params.pContextData = context_data + eddsa_params.ulContextDataLen = len(context_data) + elif mechanism in ( Mechanism.ECDH1_DERIVE, Mechanism.ECDH1_COFACTOR_DERIVE): @@ -316,14 +350,7 @@ cdef class MechanismWithParam: ecdh1_params.pPublicData = public_data ecdh1_params.ulPublicDataLen = len(public_data) - elif mechanism is Mechanism.AES_ECB_ENCRYPT_DATA: - paramlen = sizeof(CK_KEY_DERIVATION_STRING_DATA) - self.param = aes_ecb_params = \ - PyMem_Malloc(paramlen) - aes_ecb_params.pData = param - aes_ecb_params.ulLen = len(param) - - elif mechanism is Mechanism.AES_CBC_ENCRYPT_DATA: + elif mechanism == Mechanism.AES_CBC_ENCRYPT_DATA: paramlen = sizeof(CK_AES_CBC_ENCRYPT_DATA_PARAMS) self.param = aes_cbc_params = \ PyMem_Malloc(paramlen) @@ -332,10 +359,6 @@ cdef class MechanismWithParam: aes_cbc_params.pData = data aes_cbc_params.length = len(data) - elif isinstance(param, bytes): - self.data.pParameter = param - paramlen = len(param) - elif param is None: self.data.pParameter = NULL paramlen = 0 diff --git a/pkcs11/mechanisms.py b/pkcs11/mechanisms.py index 1ab2fb7..efe3ba5 100644 --- a/pkcs11/mechanisms.py +++ b/pkcs11/mechanisms.py @@ -91,6 +91,10 @@ class KeyType(IntEnum): SHA384_HMAC = 0x0000002C SHA512_HMAC = 0x0000002D SHA224_HMAC = 0x0000002E + SHA3_224_HMAC = 0x00000036 + SHA3_256_HMAC = 0x00000037 + SHA3_384_HMAC = 0x00000038 + SHA3_512_HMAC = 0x00000039 SEED = 0x0000002F GOSTR3410 = 0x00000030 GOSTR3411 = 0x00000031 @@ -192,6 +196,10 @@ class Mechanism(IntEnum): """ .. note:: Default for signing/verification with :attr:`KeyType.RSA` keys. """ + SHA3_224_RSA_PKCS = 0x00000066 + SHA3_256_RSA_PKCS = 0x00000060 + SHA3_384_RSA_PKCS = 0x00000061 + SHA3_512_RSA_PKCS = 0x00000062 RSA_PKCS_PSS = 0x0000000D """ @@ -214,6 +222,10 @@ class Mechanism(IntEnum): SHA256_RSA_PKCS_PSS = 0x00000043 SHA384_RSA_PKCS_PSS = 0x00000044 SHA512_RSA_PKCS_PSS = 0x00000045 + SHA3_256_RSA_PKCS_PSS = 0x00000063 + SHA3_384_RSA_PKCS_PSS = 0x00000064 + SHA3_512_RSA_PKCS_PSS = 0x00000065 + SHA3_224_RSA_PKCS_PSS = 0x00000067 RSA_X9_31_KEY_PAIR_GEN = 0x0000000A RSA_X9_31 = 0x0000000B @@ -463,6 +475,13 @@ class Mechanism(IntEnum): SHA512_KEY_DERIVATION = 0x00000395 SHA224_KEY_DERIVATION = 0x00000396 + SHA3_256_KEY_DERIVATION = 0x00000397 + SHA3_224_KEY_DERIVATION = 0x00000398 + SHA3_384_KEY_DERIVATION = 0x00000399 + SHA3_512_KEY_DERIVATION = 0x0000039A + SHAKE_128_KEY_DERIVATION = 0x0000039B + SHAKE_256_KEY_DERIVATION = 0x0000039C + _PBE_MD2_DES_CBC = 0x000003A0 _PBE_MD5_DES_CBC = 0x000003A1 _PBE_MD5_CAST_CBC = 0x000003A2 @@ -707,6 +726,23 @@ class Mechanism(IntEnum): EDDSA = 0x00001057 EC_EDWARDS_KEY_PAIR_GEN = 0x00001055 + SHA3_256 = 0x000002B0 + SHA3_256_HMAC = 0x000002B1 + SHA3_256_HMAC_GENERAL = 0x000002B2 + SHA3_256_KEY_GEN = 0x000002B3 + SHA3_224 = 0x000002B5 + SHA3_224_HMAC = 0x000002B6 + SHA3_224_HMAC_GENERAL = 0x000002B7 + SHA3_224_KEY_GEN = 0x000002B8 + SHA3_384 = 0x000002C0 + SHA3_384_HMAC = 0x000002C1 + SHA3_384_HMAC_GENERAL = 0x000002C2 + SHA3_384_KEY_GEN = 0x000002C3 + SHA3_512 = 0x000002D0 + SHA3_512_HMAC = 0x000002D1 + SHA3_512_HMAC_GENERAL = 0x000002D2 + SHA3_512_KEY_GEN = 0x000002D3 + _VENDOR_DEFINED = 0x80000000 def __repr__(self): @@ -728,6 +764,10 @@ class KDF(IntEnum): SHA384 = 0x00000007 SHA512 = 0x00000008 CPDIVERSIFY = 0x00000009 + SHA3_224_KDF = 0x0000000A + SHA3_256_KDF = 0x0000000B + SHA3_384_KDF = 0x0000000C + SHA3_512_KDF = 0x0000000D def __repr__(self): return "" % self.name @@ -743,6 +783,10 @@ class MGF(IntEnum): SHA384 = 0x00000003 SHA512 = 0x00000004 SHA224 = 0x00000005 + SHA3_224 = 0x00000006 + SHA3_256 = 0x00000007 + SHA3_384 = 0x00000008 + SHA3_512 = 0x00000009 def __repr__(self): return "" % self.name diff --git a/pyproject.toml b/pyproject.toml index 8c65775..e4faa48 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -23,7 +23,7 @@ classifiers = [ "Programming Language :: Python :: 3.13", "Topic :: Security :: Cryptography", ] -dependencies = ["asn1crypto>=1.4.0"] +dependencies = ["asn1crypto>=1.5.1"] license = "MIT" requires-python = ">=3.9" dynamic = ["version"] diff --git a/tests/test_ecc.py b/tests/test_ecc.py index 39c7f29..0d96abd 100644 --- a/tests/test_ecc.py +++ b/tests/test_ecc.py @@ -4,6 +4,8 @@ import base64 +from asn1crypto.keys import PrivateKeyAlgorithmId + import pkcs11 from pkcs11 import KDF, Attribute, KeyType, Mechanism from pkcs11.util.ec import ( @@ -152,13 +154,13 @@ def test_import_key_pair(self): self.assertTrue(pub.verify(b"Example", signature, mechanism=Mechanism.ECDSA)) @requires(Mechanism.EC_EDWARDS_KEY_PAIR_GEN, Mechanism.EDDSA) - def test_sign_eddsa(self): + def test_sign_ed25519(self): parameters = self.session.create_domain_parameters( KeyType.EC_EDWARDS, { - # use "Ed25519" once https://github.com/wbond/asn1crypto/pull/134 - # is merged - Attribute.EC_PARAMS: encode_named_curve_parameters("1.3.101.112") + Attribute.EC_PARAMS: encode_named_curve_parameters( + PrivateKeyAlgorithmId.unmap("ed25519") + ) }, local=True, ) @@ -169,3 +171,24 @@ def test_sign_eddsa(self): data = b"HI BOB!" eddsa = priv.sign(data, mechanism=mechanism) self.assertTrue(pub.verify(data, eddsa, mechanism=mechanism)) + + @requires(Mechanism.EC_EDWARDS_KEY_PAIR_GEN, Mechanism.EDDSA) + def test_sign_ed448(self): + parameters = self.session.create_domain_parameters( + KeyType.EC_EDWARDS, + { + Attribute.EC_PARAMS: encode_named_curve_parameters( + PrivateKeyAlgorithmId.unmap("ed448") + ) + }, + local=True, + ) + + pub, priv = parameters.generate_keypair() + + mechanism = Mechanism.EDDSA + data = b"HI BOB!" + # As per the spec, mechanism parameters are required for Ed448: phFlag is False and + # the contextData is null for a regular Ed448 signature. + eddsa = priv.sign(data, mechanism=mechanism, mechanism_param=(False, None)) + self.assertTrue(pub.verify(data, eddsa, mechanism=mechanism, mechanism_param=(False, None))) diff --git a/uv.lock b/uv.lock index c8199f6..a4bf1ed 100644 --- a/uv.lock +++ b/uv.lock @@ -569,7 +569,7 @@ testing = [ ] [package.metadata] -requires-dist = [{ name = "asn1crypto", specifier = ">=1.4.0" }] +requires-dist = [{ name = "asn1crypto", specifier = ">=1.5.1" }] [package.metadata.requires-dev] dev = [ From b8fe284e905cb20015991283c97d88f84420c14d Mon Sep 17 00:00:00 2001 From: SPChan Date: Wed, 11 Oct 2023 06:00:48 +0800 Subject: [PATCH 2/2] Add some key wrap mechanisms Commit rebased from #164. --- pkcs11/mechanisms.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkcs11/mechanisms.py b/pkcs11/mechanisms.py index efe3ba5..6c7aa8d 100644 --- a/pkcs11/mechanisms.py +++ b/pkcs11/mechanisms.py @@ -679,6 +679,10 @@ class Mechanism(IntEnum): AES_CFB1 = 0x00002108 AES_KEY_WRAP = 0x00002109 AES_KEY_WRAP_PAD = 0x0000210A + AES_KEY_WRAP_KWP = 0x0000210B + """Bug: SoftHSMv2 mechanism AES_KEY_WRAP_PAD is actually AES_KEY_WRAP_KWP""" + AES_KEY_WRAP_PKCS7 = 0x0000210C + """PKCS #11 v3.1: AES_KEY_WRAP_PAD is deprecated due to confusion in implementation""" DES_ECB_ENCRYPT_DATA = 0x00001100 DES_CBC_ENCRYPT_DATA = 0x00001101