
Commit 7bed5e7

committed
Add PKCS#11 3.2 attribute to NSSDB storage
This catches up nssdb with the changes happening in NSS upstream. Signed-off-by: Simo Sorce <[email protected]>
1 parent 461010b commit 7bed5e7


2 files changed

+149
-75
lines changed

2 files changed

+149
-75
lines changed

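--- a/src/storage/nssdb/attrs.rs
+++ b/src/storage/nssdb/attrs.rs
@@ -43,27 +43,27 @@ const CKA_NSS_EMAIL_DISTRUST_AFTER: CK_ATTRIBUTE_TYPE = NSS_VENDOR_OFFSET + 36;
 
 const NSS_VENDOR_TRUST: CK_ULONG = NSS_VENDOR_OFFSET + 0x2000;
 
-const CKA_TRUST_DIGITAL_SIGNATURE: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 1;
-const CKA_TRUST_NON_REPUDIATION: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 2;
-const CKA_TRUST_KEY_ENCIPHERMENT: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 3;
-const CKA_TRUST_DATA_ENCIPHERMENT: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 4;
-const CKA_TRUST_KEY_AGREEMENT: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 5;
-const CKA_TRUST_KEY_CERT_SIGN: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 6;
-const CKA_TRUST_CRL_SIGN: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 7;
-const CKA_TRUST_SERVER_AUTH: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 8;
-const CKA_TRUST_CLIENT_AUTH: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 9;
-const CKA_TRUST_CODE_SIGNING: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 10;
-const CKA_TRUST_EMAIL_PROTECTION: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 11;
-const CKA_TRUST_IPSEC_END_SYSTEM: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 12;
-const CKA_TRUST_IPSEC_TUNNEL: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 13;
-const CKA_TRUST_IPSEC_USER: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 14;
-const CKA_TRUST_TIME_STAMPING: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 15;
-const CKA_TRUST_STEP_UP_APPROVED: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 16;
+const CKA_NSS_TRUST_DIGITAL_SIGNATURE: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 1;
+const CKA_NSS_TRUST_NON_REPUDIATION: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 2;
+const CKA_NSS_TRUST_KEY_ENCIPHERMENT: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 3;
+const CKA_NSS_TRUST_DATA_ENCIPHERMENT: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 4;
+const CKA_NSS_TRUST_KEY_AGREEMENT: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 5;
+const CKA_NSS_TRUST_KEY_CERT_SIGN: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 6;
+const CKA_NSS_TRUST_CRL_SIGN: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 7;
+const CKA_NSS_TRUST_SERVER_AUTH: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 8;
+const CKA_NSS_TRUST_CLIENT_AUTH: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 9;
+const CKA_NSS_TRUST_CODE_SIGNING: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 10;
+const CKA_NSS_TRUST_EMAIL_PROTECTION: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 11;
+const CKA_NSS_TRUST_IPSEC_END_SYSTEM: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 12;
+const CKA_NSS_TRUST_IPSEC_TUNNEL: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 13;
+const CKA_NSS_TRUST_IPSEC_USER: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 14;
+const CKA_NSS_TRUST_TIME_STAMPING: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 15;
+const CKA_NSS_TRUST_STEP_UP_APPROVED: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 16;
 
-const CKA_CERT_SHA1_HASH: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 100;
-const CKA_CERT_MD5_HASH: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 101;
+const CKA_NSS_CERT_SHA1_HASH: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 100;
+const CKA_NSS_CERT_MD5_HASH: CK_ATTRIBUTE_TYPE = NSS_VENDOR_TRUST + 101;
 
-const NSS_KA_LEN: usize = 121;
+const NSS_KA_LEN: usize = 191;
 
 /// Static array listing all standard and NSS vendor-specific attributes
 /// known and potentially stored by this NSS backend implementation.
@@ -72,6 +72,7 @@ pub static NSS_KNOWN_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; NSS_KA_LEN] = [
 CKA_TOKEN,
 CKA_PRIVATE,
 CKA_LABEL,
+CKA_UNIQUE_ID,
 CKA_APPLICATION,
 CKA_VALUE,
 CKA_OBJECT_ID,
@@ -87,6 +88,7 @@ pub static NSS_KNOWN_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; NSS_KA_LEN] = [
 CKA_URL,
 CKA_HASH_OF_SUBJECT_PUBLIC_KEY,
 CKA_HASH_OF_ISSUER_PUBLIC_KEY,
+CKA_NAME_HASH_ALGORITHM,
 CKA_CHECK_VALUE,
 CKA_KEY_TYPE,
 CKA_SUBJECT,
@@ -126,12 +128,34 @@ pub static NSS_KNOWN_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; NSS_KA_LEN] = [
 CKA_ALWAYS_SENSITIVE,
 CKA_KEY_GEN_MECHANISM,
 CKA_MODIFIABLE,
+CKA_COPYABLE,
+CKA_DESTROYABLE,
 CKA_EC_PARAMS,
 CKA_EC_POINT,
 DEPRECATED_CKA_SECONDARY_AUTH,
 DEPRECATED_CKA_AUTH_PIN_FLAGS,
 CKA_ALWAYS_AUTHENTICATE,
 CKA_WRAP_WITH_TRUSTED,
+CKA_WRAP_TEMPLATE,
+CKA_UNWRAP_TEMPLATE,
+CKA_DERIVE_TEMPLATE,
+CKA_OTP_FORMAT,
+CKA_OTP_LENGTH,
+CKA_OTP_TIME_INTERVAL,
+CKA_OTP_USER_FRIENDLY_MODE,
+CKA_OTP_CHALLENGE_REQUIREMENT,
+CKA_OTP_TIME_REQUIREMENT,
+CKA_OTP_COUNTER_REQUIREMENT,
+CKA_OTP_PIN_REQUIREMENT,
+CKA_OTP_COUNTER,
+CKA_OTP_TIME,
+CKA_OTP_USER_IDENTIFIER,
+CKA_OTP_SERVICE_IDENTIFIER,
+CKA_OTP_SERVICE_LOGO,
+CKA_OTP_SERVICE_LOGO_TYPE,
+CKA_GOSTR3410_PARAMS,
+CKA_GOSTR3411_PARAMS,
+CKA_GOST28147_PARAMS,
 CKA_HW_FEATURE_TYPE,
 CKA_RESET_ON_INIT,
 CKA_HAS_RESET,
@@ -149,8 +173,56 @@ pub static NSS_KNOWN_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; NSS_KA_LEN] = [
 CKA_REQUIRED_CMS_ATTRIBUTES,
 CKA_DEFAULT_CMS_ATTRIBUTES,
 CKA_SUPPORTED_CMS_ATTRIBUTES,
-CKA_WRAP_TEMPLATE,
-CKA_UNWRAP_TEMPLATE,
+CKA_PROFILE_ID,
+CKA_X2RATCHET_BAG,
+CKA_X2RATCHET_BAGSIZE,
+CKA_X2RATCHET_BOBS1STMSG,
+CKA_X2RATCHET_CKR,
+CKA_X2RATCHET_CKS,
+CKA_X2RATCHET_DHP,
+CKA_X2RATCHET_DHR,
+CKA_X2RATCHET_DHS,
+CKA_X2RATCHET_HKR,
+CKA_X2RATCHET_HKS,
+CKA_X2RATCHET_ISALICE,
+CKA_X2RATCHET_NHKR,
+CKA_X2RATCHET_NHKS,
+CKA_X2RATCHET_NR,
+CKA_X2RATCHET_NS,
+CKA_X2RATCHET_PNS,
+CKA_X2RATCHET_RK,
+CKA_HSS_LEVELS,
+CKA_HSS_LMS_TYPE,
+CKA_HSS_LMOTS_TYPE,
+CKA_HSS_LMS_TYPES,
+CKA_HSS_LMOTS_TYPES,
+CKA_HSS_KEYS_REMAINING,
+CKA_OBJECT_VALIDATION_FLAGS,
+CKA_VALIDATION_TYPE,
+CKA_VALIDATION_VERSION,
+CKA_VALIDATION_LEVEL,
+CKA_VALIDATION_MODULE_ID,
+CKA_VALIDATION_FLAG,
+CKA_VALIDATION_AUTHORITY_TYPE,
+CKA_VALIDATION_COUNTRY,
+CKA_VALIDATION_CERTIFICATE_IDENTIFIER,
+CKA_VALIDATION_CERTIFICATE_URI,
+CKA_VALIDATION_PROFILE,
+CKA_VALIDATION_VENDOR_URI,
+CKA_ENCAPSULATE_TEMPLATE,
+CKA_DECAPSULATE_TEMPLATE,
+CKA_TRUST_SERVER_AUTH,
+CKA_TRUST_CLIENT_AUTH,
+CKA_TRUST_CODE_SIGNING,
+CKA_TRUST_EMAIL_PROTECTION,
+CKA_TRUST_IPSEC_IKE,
+CKA_TRUST_TIME_STAMPING,
+CKA_TRUST_OCSP_SIGNING,
+CKA_ENCAPSULATE,
+CKA_DECAPSULATE,
+CKA_HASH_OF_CERTIFICATE,
+CKA_PUBLIC_CRC64_VALUE,
+CKA_SEED,
 CKA_NSS_TRUST,
 CKA_NSS_URL,
 CKA_NSS_EMAIL,
@@ -168,27 +240,25 @@ pub static NSS_KNOWN_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; NSS_KA_LEN] = [
 CKA_NSS_OVERRIDE_EXTENSIONS,
 CKA_NSS_SERVER_DISTRUST_AFTER,
 CKA_NSS_EMAIL_DISTRUST_AFTER,
-CKA_TRUST_DIGITAL_SIGNATURE,
-CKA_TRUST_NON_REPUDIATION,
-CKA_TRUST_KEY_ENCIPHERMENT,
-CKA_TRUST_DATA_ENCIPHERMENT,
-CKA_TRUST_KEY_AGREEMENT,
-CKA_TRUST_KEY_CERT_SIGN,
-CKA_TRUST_CRL_SIGN,
-CKA_TRUST_SERVER_AUTH,
-CKA_TRUST_CLIENT_AUTH,
-CKA_TRUST_CODE_SIGNING,
-CKA_TRUST_EMAIL_PROTECTION,
-CKA_TRUST_IPSEC_END_SYSTEM,
-CKA_TRUST_IPSEC_TUNNEL,
-CKA_TRUST_IPSEC_USER,
-CKA_TRUST_TIME_STAMPING,
-CKA_TRUST_STEP_UP_APPROVED,
-CKA_CERT_SHA1_HASH,
-CKA_CERT_MD5_HASH,
+CKA_NSS_TRUST_DIGITAL_SIGNATURE,
+CKA_NSS_TRUST_NON_REPUDIATION,
+CKA_NSS_TRUST_KEY_ENCIPHERMENT,
+CKA_NSS_TRUST_DATA_ENCIPHERMENT,
+CKA_NSS_TRUST_KEY_AGREEMENT,
+CKA_NSS_TRUST_KEY_CERT_SIGN,
+CKA_NSS_TRUST_CRL_SIGN,
+CKA_NSS_TRUST_SERVER_AUTH,
+CKA_NSS_TRUST_CLIENT_AUTH,
+CKA_NSS_TRUST_CODE_SIGNING,
+CKA_NSS_TRUST_EMAIL_PROTECTION,
+CKA_NSS_TRUST_IPSEC_END_SYSTEM,
+CKA_NSS_TRUST_IPSEC_TUNNEL,
+CKA_NSS_TRUST_IPSEC_USER,
+CKA_NSS_TRUST_TIME_STAMPING,
+CKA_NSS_TRUST_STEP_UP_APPROVED,
+CKA_NSS_CERT_SHA1_HASH,
+CKA_NSS_CERT_MD5_HASH,
 CKA_NSS_DB,
-CKA_ENCAPSULATE,
-CKA_DECAPSULATE,
 ];
 
 /// Static array listing attributes that NSS protects with an internal
@@ -197,16 +267,22 @@ pub static NSS_KNOWN_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; NSS_KA_LEN] = [
 ///
 /// NSS has a hardcoded list of attributes that are authenticated,
 /// some are vendor defined attributes */
-pub static AUTHENTICATED_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; 10] = [
+pub static AUTHENTICATED_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; 16] = [
 CKA_MODULUS,
 CKA_PUBLIC_EXPONENT,
-CKA_CERT_SHA1_HASH,
-CKA_CERT_MD5_HASH,
+CKA_NSS_CERT_SHA1_HASH,
+CKA_NSS_CERT_MD5_HASH,
+CKA_NSS_TRUST_SERVER_AUTH,
+CKA_NSS_TRUST_CLIENT_AUTH,
+CKA_NSS_TRUST_EMAIL_PROTECTION,
+CKA_NSS_TRUST_CODE_SIGNING,
+CKA_NSS_TRUST_STEP_UP_APPROVED,
+CKA_HASH_OF_CERTIFICATE,
+CKA_NAME_HASH_ALGORITHM,
 CKA_TRUST_SERVER_AUTH,
 CKA_TRUST_CLIENT_AUTH,
 CKA_TRUST_EMAIL_PROTECTION,
 CKA_TRUST_CODE_SIGNING,
-CKA_TRUST_STEP_UP_APPROVED,
 CKA_NSS_OVERRIDE_EXTENSIONS,
 ];
 
@@ -230,24 +306,24 @@ static NSS_VENDOR_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; 36] = [
 CKA_NSS_OVERRIDE_EXTENSIONS,
 CKA_NSS_SERVER_DISTRUST_AFTER,
 CKA_NSS_EMAIL_DISTRUST_AFTER,
-CKA_TRUST_DIGITAL_SIGNATURE,
-CKA_TRUST_NON_REPUDIATION,
-CKA_TRUST_KEY_ENCIPHERMENT,
-CKA_TRUST_DATA_ENCIPHERMENT,
-CKA_TRUST_KEY_AGREEMENT,
-CKA_TRUST_KEY_CERT_SIGN,
-CKA_TRUST_CRL_SIGN,
-CKA_TRUST_SERVER_AUTH,
-CKA_TRUST_CLIENT_AUTH,
-CKA_TRUST_CODE_SIGNING,
-CKA_TRUST_EMAIL_PROTECTION,
-CKA_TRUST_IPSEC_END_SYSTEM,
-CKA_TRUST_IPSEC_TUNNEL,
-CKA_TRUST_IPSEC_USER,
-CKA_TRUST_TIME_STAMPING,
-CKA_TRUST_STEP_UP_APPROVED,
-CKA_CERT_SHA1_HASH,
-CKA_CERT_MD5_HASH,
+CKA_NSS_TRUST_DIGITAL_SIGNATURE,
+CKA_NSS_TRUST_NON_REPUDIATION,
+CKA_NSS_TRUST_KEY_ENCIPHERMENT,
+CKA_NSS_TRUST_DATA_ENCIPHERMENT,
+CKA_NSS_TRUST_KEY_AGREEMENT,
+CKA_NSS_TRUST_KEY_CERT_SIGN,
+CKA_NSS_TRUST_CRL_SIGN,
+CKA_NSS_TRUST_SERVER_AUTH,
+CKA_NSS_TRUST_CLIENT_AUTH,
+CKA_NSS_TRUST_CODE_SIGNING,
+CKA_NSS_TRUST_EMAIL_PROTECTION,
+CKA_NSS_TRUST_IPSEC_END_SYSTEM,
+CKA_NSS_TRUST_IPSEC_TUNNEL,
+CKA_NSS_TRUST_IPSEC_USER,
+CKA_NSS_TRUST_TIME_STAMPING,
+CKA_NSS_TRUST_STEP_UP_APPROVED,
+CKA_NSS_CERT_SHA1_HASH,
+CKA_NSS_CERT_MD5_HASH,
 CKA_NSS_DB,
 ];
 
@@ -267,14 +343,15 @@ pub fn ignore_attribute(attr: CK_ATTRIBUTE_TYPE) -> bool {
 
 /// Static array listing attributes that NSS considers sensitive and encrypts
 /// when storing private or secret key objects in the key database (keyN.db).
-pub static NSS_SENSITIVE_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; 7] = [
+pub static NSS_SENSITIVE_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; 8] = [
 CKA_VALUE,
 CKA_PRIVATE_EXPONENT,
 CKA_PRIME_1,
 CKA_PRIME_2,
 CKA_EXPONENT_1,
 CKA_EXPONENT_2,
 CKA_COEFFICIENT,
+CKA_SEED,
 ];
 
 /// Checks if an attribute type is considered sensitive by NSS (and should be
@@ -288,15 +365,10 @@ pub fn is_db_attribute(attr: CK_ATTRIBUTE_TYPE) -> bool {
 NSS_KNOWN_ATTRIBUTES.contains(&attr)
 }
 
-/// Static array listing attributes that are typically managed internally
-/// (like `CKA_UNIQUE_ID`) or derived/implicit (`CKA_ALLOWED_MECHANISMS`)
-/// and are not directly stored as columns in the NSS database tables.
-pub static NSS_SKIP_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; 4] = [
-CKA_UNIQUE_ID,
-CKA_COPYABLE,
-CKA_DESTROYABLE,
-CKA_ALLOWED_MECHANISMS,
-];
+/// Static array listing attributes that are used by us but not supported by
+/// NSS for storage in the DB (like `CKA_ALLOWED_MECHANISMS`).
+pub static NSS_SKIP_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; 1] =
+[CKA_ALLOWED_MECHANISMS];
 
 /// Checks if an attribute type is one that should be skipped (not directly
 /// stored or retrieved as a column) when interacting with the NSS DB.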
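Review bot: In `AUTHENTICATED_ATTRIBUTES` the four unchanged entries `CKA_TRUST_SERVER_AUTH` through `CKA_TRUST_CODE_SIGNING` no longer name the vendor constants this file used to define (those are now `CKA_NSS_TRUST_*`), so they must resolve to definitions outside this diff, presumably the PKCS#11 3.2 ones, and the doc comment does not say that both families are listed on purpose. Since this array decides which attributes are treated as authenticated, I would add a line such as `/// Both the NSS vendor trust attributes and their PKCS#11 3.2 counterparts are authenticated.` and point at the upstream NSS list it mirrors, so a later sync can be checked against it. Separately, `CKA_UNIQUE_ID`, `CKA_COPYABLE` and `CKA_DESTROYABLE` move from `NSS_SKIP_ATTRIBUTES` into `NSS_KNOWN_ATTRIBUTES`; if that array drives the set of database columns (not visible here), databases written before this commit may lack them, which is worth a test that opens an older database.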

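--- a/src/storage/nssdb/mod.rs
+++ b/src/storage/nssdb/mod.rs
@@ -512,8 +512,10 @@ impl NSSStorage {
 }
 /* In NSSDB sensitive attributes are encrypted, so we can check
 * if the template is searching for any of the encrypted
-* attributes and if so just fail immediately */
-if is_sensitive_attribute(attr.type_) {
+* attributes and if so just fail immediately.
+* Do this only for private objects otherwise we incorrectly
+* match attributes like CKA_VALUE in public objects. */
+if do_private && is_sensitive_attribute(attr.type_) {
 return Err(CKR_ATTRIBUTE_SENSITIVE)?;
 }
 }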
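Review bot: The early `CKR_ATTRIBUTE_SENSITIVE` return is now gated on `do_private`, which is set outside this hunk, so it is not visible here whether it tracks the objects being searched or only the caller's login state. The comment ties the check to attributes being encrypted in the database, which depends on where an object is stored rather than on `CKA_PRIVATE`; if a key object can exist with `CKA_PRIVATE` false, a template carrying `CKA_VALUE` would now be compared against an encrypted column and return no match instead of an error. I would record the assumption in the comment, for example `* NOTE: assumes every object with encrypted attributes is searched with do_private set.`, and add a test covering both branches (public object found by `CKA_VALUE`, private search still rejected). The enclosing function starts and ends outside the hunk.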
