release 2.5.0 - support for CKA_ALLOWED_MECHANISMS

Author: keldonin

.gnulib

@@ -4,10 +4,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-=======
+# [2.5.0]
+### Added
+ - `CKA_ALLOWED_MECHANISMS` support for all key management utilities (`p11keygen`, `p11wrap`, `p11unwrap`, `p11rewrap`, `p11ls`, `p11od`)
+ 
+### Fixed
+ - `p11wrap`: fixed memory leaks
+
 # [2.4.2]
 ### Fixed
-- `p11ls`: removed duplicate `CKA_CHECK_VALUE` attribute from `C_GetAttributeValue()` call on secret keys (may cause issues on some PKCS\#11 tokens)
+ - `p11ls`: removed duplicate `CKA_CHECK_VALUE` attribute from `C_GetAttributeValue()` call on secret keys (may cause issues on some PKCS\#11 tokens)
 
 # [2.4.1]
 ### Fixed
@@ -118,6 +124,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Initial public release
 
+[2.5.0]: https://github.com/Mastercard/pkcs11-tools/tree/v2.5.0
 [2.4.2]: https://github.com/Mastercard/pkcs11-tools/tree/v2.4.2
 [2.4.1]: https://github.com/Mastercard/pkcs11-tools/tree/v2.4.1
 [2.4.0]: https://github.com/Mastercard/pkcs11-tools/tree/v2.4.0

CHANGELOG.md

@@ -14,7 +14,7 @@ dnl limitations under the License.
 
 
 AC_PREREQ([2.64])
-AC_INIT([pkcs11-tools], [2.4.2], [https://github.com/Mastercard/pkcs11-tools/issues], [pkcs11-tools], [https://github.com/Mastercard/pkcs11-tools])
+AC_INIT([pkcs11-tools], [2.5.0], [https://github.com/Mastercard/pkcs11-tools/issues], [pkcs11-tools], [https://github.com/Mastercard/pkcs11-tools])
 AC_CONFIG_MACRO_DIR([m4])
 
 dnl adding AM_MAINTAINER_MODE to address autotools issues with git

configure.ac

@@ -35,8 +35,8 @@
 #include "cryptoki.h"
 
 /* grammar version, for wrapped keys */
-#define  SUPPORTED_GRAMMAR_VERSION "2.1"
-#define  TOOLKIT_VERSION_SUPPORTING_GRAMMAR "2.4.0"
+#define  SUPPORTED_GRAMMAR_VERSION "2.2"
+#define  TOOLKIT_VERSION_SUPPORTING_GRAMMAR "2.5.0"
 
 /* Program Error Codes */
 #define RC_OK                    0x00
@@ -218,13 +218,15 @@ typedef enum {
 } hash_alg_t ;
 
 
-/* cmdLineCtx contains a context that can hold parameters describing attributes. */
-/* it currently supports these grammars:
+/* attribCtx contains a context that can hold parameters parsed from command line
+   that contains attributes.
+   It currently supports these grammars:
    - CKA_DERIVE=true CKA_LABEL="label" CKA_UNWRAP_TEMPLATE={ CKA_EXTRACTABLE=false ... }
    - the attributes can be shortened by removing the "CKA_" prefix
-   - boolean attributes can be true/false, CK_TRUE/CK_FALSE, 1/0, yes/no
+   - boolean attributes can be true/false, CK_TRUE/CK_FALSE, yes/no, on/off
    - boolean attributes without a value are set to CK_TRUE
    - boolean attributes prefixed with "no" are set to CK_FALSE
+   - other attributes follow the same value syntax as for wrappedKeyCtx
  */
 
 typedef struct s_p11_attribctx {
@@ -242,7 +244,11 @@ typedef struct s_p11_attribctx {
     struct {
 	CK_ATTRIBUTE *attrlist;	             
 	size_t attrnum;
-    } attrs[4];	
+    } attrs[4];
+
+    /* the following two members keep track of allowed mechanisms, when specified */
+    CK_MECHANISM_TYPE_PTR allowedmechs;
+    size_t allowedmechs_len;
 } attribCtx;
 
 /* pkcs11_unwrap / pkcs11_wrap / pkcs11_wctx */
@@ -254,6 +260,11 @@ typedef struct s_p11_wrappedkeyctx {
     char *wrappedkeylabel;	             /* inner key only - outer key will have random name and ID */
 
     char *filename;			     /* filename used to write wrapping file */
+
+    /* the following two members keep track of allowed mechanisms, when specified */
+    CK_MECHANISM_TYPE_PTR allowedmechs;
+    size_t allowedmechs_len;
+
     struct {				     /* inner or outer but never both (by design) */
 	CK_MECHANISM_TYPE aes_wrapping_mech;     /* used when wrapping_meth is w_rfc3394 or w_rfc5649 */
 	CK_BYTE_PTR iv;			     /* used for CKM_XXX_CBC_PAD and CKM_AES_KEY_WRAP_PAD */
@@ -644,6 +655,7 @@ CK_ATTRIBUTE_PTR pkcs11_get_attr_in_array ( CK_ATTRIBUTE_PTR array,
 bool pkcs11_read_attr_from_handle ( pkcs11AttrList *attrlist, CK_OBJECT_HANDLE handle);
 bool pkcs11_read_attr_from_handle_ext ( pkcs11AttrList *attrlist, CK_OBJECT_HANDLE handle, ... );
 bool pkcs11_attr_is_template(CK_ATTRIBUTE_TYPE attrtype);
+bool pkcs11_attr_is_allowed_mechanisms(CK_ATTRIBUTE_TYPE attrtype);
 
 pkcs11AttrList *pkcs11_attrlist_extend(pkcs11AttrList *attrlist, CK_ATTRIBUTE_PTR attrs, CK_ULONG numattrs);
 
@@ -712,10 +724,11 @@ CK_OBJECT_HANDLE pkcs11_import_component_final(KeyImportCtx *kctx);
 
 
 /* info functions */
-const char *get_mechanism_name(CK_MECHANISM_TYPE mech); /* pkcs11_mechanism.c */
-CK_ATTRIBUTE_TYPE get_attribute_type_from_name(char *name); /* pkcs11_attrdesc.c */
-const char *get_attribute_name_from_type(CK_ATTRIBUTE_TYPE attrtyp); 
-
+CK_MECHANISM_TYPE pkcs11_get_mechanism_type_from_name(char *name); /* pkcs11_mechanism.c */
+const char *pkcs11_get_mechanism_name_from_type(CK_MECHANISM_TYPE mech); /* pkcs11_mechanism.c */
+CK_ATTRIBUTE_TYPE pkcs11_get_attribute_type_from_name(char *name); /* pkcs11_attrdesc.c */
+const char *pkcs11_get_attribute_name_from_type(CK_ATTRIBUTE_TYPE attrtyp); /* pkcs11_attrdesc.c */
+    
 func_rc pkcs11_info_library(pkcs11Context *p11Context);
 func_rc pkcs11_info_slot(pkcs11Context *p11Context);
 func_rc pkcs11_info_ecsupport(pkcs11Context *p11Context);
@@ -740,6 +753,10 @@ const CK_OBJECT_HANDLE pkcs11_get_publickeyhandle(wrappedKeyCtx *ctx);
 
 wrappedKeyCtx *pkcs11_new_wrappedkeycontext(pkcs11Context *p11Context);
 void pkcs11_free_wrappedkeycontext(wrappedKeyCtx *wctx);
+CK_MECHANISM_TYPE_PTR pkcs11_wctx_get_allowed_mechanisms(wrappedKeyCtx *ctx);
+size_t pkcs11_wctx_get_allowed_mechanisms_len(wrappedKeyCtx *ctx);
+void pkcs11_wctx_free_mechanisms(wrappedKeyCtx *wctx); /* to free allowed mechanisms */
+void pkcs11_wctx_forget_mechanisms(wrappedKeyCtx *wctx); /* for transfer of ownership */
 
 /* pkcs11_attribctx */
 attribCtx *pkcs11_new_attribcontext();
@@ -749,6 +766,12 @@ CK_ATTRIBUTE_PTR pkcs11_get_attrlist_from_attribctx(attribCtx *ctx);
 size_t pkcs11_get_attrnum_from_attribctx(attribCtx *ctx);
 void pkcs11_adjust_attrnum_on_attribctx(attribCtx *ctx, size_t value);
 
+func_rc pkcs11_attribctx_add_mechanism(attribCtx *ctx, CK_MECHANISM_TYPE attrtype);
+func_rc pkcs11_attribctx_free_mechanisms(attribCtx *ctx);
+void pkcs11_attribctx_forget_mechanisms(attribCtx *ctx);
+CK_MECHANISM_TYPE_PTR pkcs11_attribctx_get_allowed_mechanisms(attribCtx *ctx);
+size_t pkcs11_attribctx_get_allowed_mechanisms_len(attribCtx *ctx);
+
 
 /* End - Function Prototypes */
 

docs/MANUAL.md

@@ -110,6 +110,9 @@ wrappedkey_helper.c pkcs11_wrap.c pkcs11_unwrap.c pkcs11_wctx.c: \
 			wrappedkey_parser.c wrappedkey_parser.h
 
 # The following files depends upon lexer and parser source files
+# note: _lexermech.h is actually needed by attribctx_lexer.l,
+#       but this dependency is not set directly, as it would lead
+#       to systematically invoke flex. We put it on the produced files instead.
 attribctx_lexer.c attribctx_lexer.h: attribctx_lexer.l
 attribctx_parser.c attribctx_parser.h: attribctx_parser.y
 
@@ -133,3 +136,4 @@ _attrinfo.h: Makefile gen_attrinfo_h.pl
 				>$@
 
 
+

include/oasis-pkcs11

@@ -40,6 +40,11 @@ static int compare_CKA( const void *a, const void *b)
     return ((CK_ATTRIBUTE_PTR)a)->type == ((CK_ATTRIBUTE_PTR)b)->type ? 0 : -1;
 }
 
+/* append an attribute to the attribute context */
+/* when the attribute is a template, the buffer is simply transmitted (as it remains within the attribctx structure) */
+/* when the attribute is CKM_ALLOWED_MECHANISMS, the buffer is stolen (note that the caller must free it) */
+/* when the attribute is not a template attribute, the buffer is copied */
+
 func_rc _attribctx_parser_append_attr(attribCtx *clctx, CK_ATTRIBUTE_TYPE attrtyp, void *buffer, size_t len)
 {
     func_rc rc = rc_ok;
@@ -56,7 +61,7 @@ func_rc _attribctx_parser_append_attr(attribCtx *clctx, CK_ATTRIBUTE_TYPE attrty
     /* we need to create the buffer and stuff it with what is passed as parameter */
     stuffing.type   = attrtyp;
 
-    if(pkcs11_attr_is_template(attrtyp)) {
+    if(pkcs11_attr_is_template(attrtyp) || pkcs11_attr_is_allowed_mechanisms(attrtyp)) {
 	stuffing.pValue = buffer; /* we pass the pointer, we don't allocate */
     } else {
 	stuffing.pValue = malloc(len);
@@ -87,8 +92,10 @@ func_rc _attribctx_parser_append_attr(attribCtx *clctx, CK_ATTRIBUTE_TYPE attrty
 
     *attrnum = argnum; /* trick to adapt on 32 bits architecture, as size(CK_ULONG)!=sizeof int */
 
-    if( match == &stuffing) { /* match, we may need to adjust the content */
-	if(match->pValue && !pkcs11_attr_is_template(match->type)) { free(match->pValue); /* just in case */ }
+    if(match == &stuffing) { /* match, we may need to adjust the content */
+	if(match->pValue != NULL && !pkcs11_attr_is_template(match->type)) {
+	    free(match->pValue); /* just in case */
+	}
 
 	match->ulValueLen = stuffing.ulValueLen;
 	match->pValue = stuffing.pValue; /* we steal the pointer  */
@@ -102,7 +109,11 @@ func_rc _attribctx_parser_append_attr(attribCtx *clctx, CK_ATTRIBUTE_TYPE attrty
 
 error:
     /* clean up */
-    if (stuffing.pValue != NULL && !pkcs11_attr_is_template(stuffing.type)) { free(stuffing.pValue); }
+    if(stuffing.pValue != NULL
+       && !pkcs11_attr_is_template(stuffing.type)
+       && !pkcs11_attr_is_allowed_mechanisms(stuffing.type)) {
+	free(stuffing.pValue);
+    }
 
     return rc;
 }
@@ -158,4 +169,5 @@ func_rc _attribctx_parser_assign_list_to_template(attribCtx *clctx, CK_ATTRIBUTE
 }
 
 
+
 /* EOF */