Merge branch 'main' into propq

simo5 · web-flow · commit aaa9178f83f7 · 2025-08-29T11:13:48.000-04:00
diff --git a/.github/workflows/openjdk-integration.yml b/.github/workflows/openjdk-integration.yml
@@ -26,7 +26,12 @@ jobs:
           dnf --assumeyes --disable-repo=fedora-cisco-openh264 \
             install git cargo clang-devel openssl-devel zlib-devel sed \
             sqlite-devel openssl opensc unzip wget \
-            java-${{ env.openjdk_feature }}-openjdk-devel
+            java-${{ env.openjdk_feature }}-openjdk-devel \
+            'perl(FindBin)' 'perl(lib)' 'perl(File::Compare)' \
+            'perl(File::Copy)' 'perl(bigint)' 'perl(Time::HiRes)' \
+            'perl(IPC::Cmd)' 'perl(Pod::Html)' 'perl(Digest::SHA)' \
+            'perl(Module::Load::Conditional)' 'perl(File::Temp)' \
+            'perl(Test::Harness)' 'perl(Test::More)' 'perl(Math::BigInt)'
 
       # Kryoptic build steps; try to keep in sync with relevant build.yml steps.
       - name: Checkout Repository
diff --git a/ossl/src/asymcipher.rs b/ossl/src/asymcipher.rs
@@ -28,7 +28,7 @@ pub struct RsaOaepParams {
 pub fn rsa_enc_params(
     alg: EncAlg,
     oaep_params: Option<&RsaOaepParams>,
-) -> Result<OsslParam, Error> {
+) -> Result<OsslParam<'_>, Error> {
     let mut params_builder = crate::OsslParamBuilder::new();
 
     match alg {
diff --git a/ossl/src/fips.rs b/ossl/src/fips.rs
@@ -340,7 +340,7 @@ struct MemBio<'a> {
 }
 
 impl MemBio<'_> {
-    fn new(v: &mut [u8]) -> MemBio {
+    fn new(v: &mut [u8]) -> MemBio<'_> {
         MemBio { mem: v, cursor: 0 }
     }
 
diff --git a/ossl/src/pkey.rs b/ossl/src/pkey.rs
@@ -850,7 +850,7 @@ impl EvpPkey {
     ///
     /// The `selection` argument specifies which components to export
     /// (e.g., public, private, parameters).
-    fn export_params(&self, selection: u32) -> Result<OsslParam, Error> {
+    fn export_params(&self, selection: u32) -> Result<OsslParam<'_>, Error> {
         let mut params_builder = OsslParamBuilder::new();
         params_builder.zeroize = true;
         let ret = unsafe {
diff --git a/ossl/src/signature.rs b/ossl/src/signature.rs
@@ -300,7 +300,7 @@ pub struct RsaPssParams {
 pub fn rsa_sig_params(
     alg: SigAlg,
     pss_params: &Option<RsaPssParams>,
-) -> Result<Option<OsslParam>, Error> {
+) -> Result<Option<OsslParam<'_>>, Error> {
     match alg {
         SigAlg::RsaNoPad => {
             let mut params_builder = OsslParamBuilder::new();
diff --git a/src/attribute.rs b/src/attribute.rs
@@ -462,6 +462,7 @@ impl Attribute {
     }
 
     /// Constructs an attribute passing in the value as a slice
+    #[cfg(feature = "nssdb")]
     pub fn from_attr_slice(
         id: CK_ULONG,
         at: AttrType,
diff --git a/src/fips/indicators.rs b/src/fips/indicators.rs
@@ -283,7 +283,7 @@ struct FipsMechanism {
 /// Struct that holds FIPS properties for keys and mechanisms
 struct FipsChecks {
     keys: [FipsKeyType; 17],
-    mechs: [FipsMechanism; 91],
+    mechs: [FipsMechanism; 93],
 }
 
 /// A constant instantiation of FIPS properties with a list
@@ -552,6 +552,19 @@ const FIPS_CHECKS: FipsChecks = FipsChecks {
             restrictions: [restrict!(CKK_EC), restrict!()],
             genflags: 0,
         },
+        /* EDDSA */
+        FipsMechanism {
+            mechanism: CKM_EC_EDWARDS_KEY_PAIR_GEN,
+            operations: CKF_GENERATE_KEY_PAIR,
+            restrictions: [restrict!(CKK_EC_EDWARDS), restrict!()],
+            genflags: CKF_SIGN | CKF_VERIFY,
+        },
+        FipsMechanism {
+            mechanism: CKM_EDDSA,
+            operations: CKF_SIGN | CKF_VERIFY,
+            restrictions: [restrict!(CKK_EC_EDWARDS), restrict!()],
+            genflags: 0,
+        },
         /* AES */
         FipsMechanism {
             mechanism: CKM_AES_KEY_GEN,
@@ -1315,6 +1328,17 @@ pub fn is_key_approved(key: &Object, op: CK_FLAGS) -> bool {
     check_key(key, op, None, None)
 }
 
+/// Adds validation flag to the object, if it is not yet present
+/// and if the object passes validation rules.
+pub fn add_missing_validation_flag(key: &mut Object) {
+    if let Ok(_) = key.get_attr_as_ulong(CKA_OBJECT_VALIDATION_FLAGS) {
+        return;
+    }
+    if is_key_approved(key, CK_UNAVAILABLE_INFORMATION) {
+        add_fips_flag(key);
+    }
+}
+
 /// Helper to check if an operation is approved
 ///
 /// Applies key checks as well as mechanism checks according to the
diff --git a/src/kasn1/mod.rs b/src/kasn1/mod.rs
@@ -207,7 +207,7 @@ impl PrivateKeyInfo<'_> {
     }
 
     /// Returns the key type (as an OID)
-    pub fn get_algorithm(&self) -> &pkcs::AlgorithmIdentifier {
+    pub fn get_algorithm(&self) -> &pkcs::AlgorithmIdentifier<'_> {
         &self.algorithm
     }
 
diff --git a/src/object.rs b/src/object.rs
@@ -850,6 +850,9 @@ pub trait ObjectFactory: Debug + Send + Sync {
             match attrs.iter().find(|a| a.get_type() == ck_attr.type_) {
                 None => return Err(CKR_ATTRIBUTE_TYPE_INVALID)?,
                 Some(attr) => {
+                    if attr.is(OAFlags::NeverSettable) {
+                        return Err(CKR_ACTION_PROHIBITED)?;
+                    }
                     if attr.is(OAFlags::Unchangeable) {
                         if attr.attribute.get_attrtype() == AttrType::BoolType {
                             let val = ck_attr.to_bool()?;
diff --git a/src/storage/format.rs b/src/storage/format.rs
@@ -11,6 +11,8 @@ use std::fmt::Debug;
 
 use crate::attribute::{Attribute, CkAttrs};
 use crate::error::Result;
+#[cfg(feature = "fips")]
+use crate::fips::indicators::add_missing_validation_flag;
 use crate::object::Object;
 use crate::pkcs11::*;
 use crate::storage::aci::{StorageACI, StorageAuthInfo};
@@ -297,6 +299,13 @@ impl Storage for StdStorageFormat {
              * some attributes or not */
             attrs.add_missing_ulong(CKA_SENSITIVE, &dnm);
             attrs.add_missing_ulong(CKA_EXTRACTABLE, &dnm);
+            #[cfg(feature = "fips")]
+            {
+                /* We need these to be able to derive object validation flag */
+                attrs.add_missing_ulong(CKA_EC_PARAMS, &dnm);
+                attrs.add_missing_ulong(CKA_VALUE_LEN, &dnm);
+                attrs.add_missing_ulong(CKA_MODULUS, &dnm);
+            }
         }
 
         let mut obj = self.store.fetch_by_uid(&uid, attrs.as_slice())?;
@@ -315,6 +324,9 @@ impl Storage for StdStorageFormat {
             }
         }
 
+        #[cfg(feature = "fips")]
+        add_missing_validation_flag(&mut obj);
+
         obj.set_handle(handle);
         Ok(obj)
     }
diff --git a/src/storage/nssdb/ci.rs b/src/storage/nssdb/ci.rs
@@ -128,7 +128,7 @@ impl KeysWithCaching {
     ///
     /// Returns `None` if the master key is not set (user not authenticated) or
     /// if the lock cannot be acquired.
-    fn get_cached_key(&self, id: &[u8; SHA256_LEN]) -> Option<LockedKey> {
+    fn get_cached_key(&self, id: &[u8; SHA256_LEN]) -> Option<LockedKey<'_>> {
         if self.enckey.is_none() {
             /* access to the cache is available only if enckey is set.
              * When unset it means the user logged off and no
diff --git a/src/storage/nssdb/mod.rs b/src/storage/nssdb/mod.rs
@@ -12,6 +12,8 @@ use std::sync::{Arc, Mutex, MutexGuard};
 use crate::attribute::{AttrType, Attribute, CkAttrs};
 use crate::defaults;
 use crate::error::{Error, Result};
+#[cfg(feature = "fips")]
+use crate::fips::indicators::add_missing_validation_flag;
 use crate::misc::{copy_sized_string, zeromem};
 use crate::object::Object;
 use crate::pkcs11::*;
@@ -957,6 +959,13 @@ impl Storage for NSSStorage {
                     let _ = attrs.remove_ulong(a.type_);
                 }
             }
+            #[cfg(feature = "fips")]
+            {
+                /* We need these to be able to derive object validation flag */
+                attrs.add_missing_ulong(CKA_EC_PARAMS, &dnm);
+                attrs.add_missing_ulong(CKA_VALUE_LEN, &dnm);
+                attrs.add_missing_ulong(CKA_MODULUS, &dnm);
+            }
         }
         let mut obj =
             self.fetch_by_nssid(&table, nssobjid, attrs.as_slice())?;
@@ -1000,22 +1009,14 @@ impl Storage for NSSStorage {
             match attributes.iter().position(|r| r.type_ == a) {
                 Some(_) => {
                     factory.set_attribute_default(a, &mut obj)?;
-                    #[cfg(feature = "fips")]
-                    if a == CKA_OBJECT_VALIDATION_FLAGS {
-                        /* All keys stored in the database are considered
-                         * FIPS approved, on the assumption you can't import
-                         * or create non-approved keys in the first place
-                         */
-                        obj.set_attr(Attribute::from_ulong(
-                            CKA_OBJECT_VALIDATION_FLAGS,
-                            crate::fips::indicators::KRF_FIPS,
-                        ))?;
-                    }
                 }
                 None => (),
             }
         }
 
+        #[cfg(feature = "fips")]
+        add_missing_validation_flag(&mut obj);
+
         obj.set_handle(handle);
         Ok(obj)
     }
diff --git a/src/tests/aes.rs b/src/tests/aes.rs
@@ -50,6 +50,8 @@ fn test_aes_operations() {
             (CKA_UNWRAP, true),
         ],
     ));
+    assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, handle, 1), true);
 
     {
         /* AES ECB */
@@ -690,6 +692,7 @@ fn test_aes_operations() {
                 Ok(k) => k,
                 Err(e) => panic!("{}", e),
             };
+        assert_eq!(check_object_validation(session, key_handle, 1), true);
 
         let ciphertext = hex::decode("4154c0be71072945d8156f5f046d198d")
             .expect("Failed to decode ciphertext");
@@ -718,6 +721,8 @@ fn test_aes_operations() {
                 Ok(k) => k,
                 Err(e) => panic!("{}", e),
             };
+        assert_eq!(check_object_validation(session, key_handle, 1), true);
+
         let iv = hex::decode("1dbbeb2f19abb448af849796244a19d7")
             .expect("Failed to decode IV");
         let plaintext = hex::decode(
@@ -759,6 +764,8 @@ fn test_aes_operations() {
                 Ok(k) => k,
                 Err(e) => panic!("{}", e),
             };
+        assert_eq!(check_object_validation(session, key_handle, 1), true);
+
         let (iv, aad, tag, ct, plaintext) = get_gcm_test_data();
 
         let param = CK_GCM_PARAMS {
@@ -795,6 +802,8 @@ fn test_aes_operations() {
                 Ok(k) => k,
                 Err(e) => panic!("{}", e),
             };
+        assert_eq!(check_object_validation(session, key_handle, 1), true);
+
         let iv = hex::decode("0007bdfd5cbd60278dcc091200000001")
             .expect("failed to decode iv");
         let plaintext = hex::decode(
@@ -911,6 +920,7 @@ fn test_aes_operations() {
             &mut wp_handle2,
         );
         assert_eq!(ret, CKR_OK);
+        assert_eq!(check_object_validation(session, wp_handle2, 1), true);
 
         let mut value = [0u8; AES_BLOCK_SIZE];
         let mut extract_template = make_ptrs_template(&[(
@@ -1033,6 +1043,7 @@ fn test_aes_operations() {
                 Ok(k) => k,
                 Err(e) => panic!("{}", e),
             };
+        assert_eq!(check_object_validation(session, key_handle, 1), true);
         let (iv, aad, tag, ct, plaintext) = get_gcm_test_data();
 
         let ret = fn_message_decrypt_init(session, &mut mechanism, key_handle);
@@ -1272,6 +1283,7 @@ fn test_aes_macs() {
         &[],
         &[(CKA_SIGN, true), (CKA_VERIFY, true),],
     ));
+    assert_eq!(check_object_validation(session, handle, 1), true);
 
     #[cfg(not(feature = "fips"))]
     {
diff --git a/src/tests/attrs.rs b/src/tests/attrs.rs
@@ -204,7 +204,22 @@ fn test_set_attr_rsa() {
         template.as_ptr() as *mut _,
         1,
     );
-    assert_eq!(ret, CKR_ATTRIBUTE_READ_ONLY);
+    assert_eq!(ret, CKR_ACTION_PROHIBITED);
+
+    let flag: CK_ULONG = 0x03;
+    let template = make_ptrs_template(&[(
+        CKA_OBJECT_VALIDATION_FLAGS,
+        void_ptr!(std::ptr::addr_of!(flag)),
+        std::mem::size_of::<CK_ULONG>(),
+    )]);
+
+    let ret = fn_set_attribute_value(
+        session2,
+        handle,
+        template.as_ptr() as *mut _,
+        1,
+    );
+    assert_eq!(ret, CKR_ACTION_PROHIBITED);
 
     let ret = fn_close_session(session2);
     assert_eq!(ret, CKR_OK);
diff --git a/src/tests/keys.rs b/src/tests/keys.rs
@@ -447,6 +447,15 @@ fn test_ec_keys() {
                 (CKA_EXTRACTABLE, true),
             ],
         ));
+        assert_eq!(check_validation(session, t.fips_indicator), true);
+        assert_eq!(
+            check_object_validation(session, pubkey, t.fips_indicator),
+            true
+        );
+        assert_eq!(
+            check_object_validation(session, prikey, t.fips_indicator),
+            true
+        );
 
         if t.op_flags.1 == CKA_SIGN {
             let sig = ret_or_panic!(sig_gen(
@@ -526,6 +535,10 @@ fn test_ec_keys() {
         assert_eq!(ret, CKR_OK);
 
         assert_eq!(check_validation(session, t.fips_indicator), true);
+        assert_eq!(
+            check_object_validation(session, prikey2, t.fips_indicator),
+            true
+        );
 
         if t.op_flags.1 == CKA_SIGN {
             /* Test the unwrapped key can be used */
diff --git a/src/tests/rsa.rs b/src/tests/rsa.rs
@@ -392,6 +392,8 @@ fn test_rsa_operations() {
     ));
 
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, hpri, 1), true);
+    assert_eq!(check_object_validation(session, hpub, 1), true);
 
     let label = "Public Key test 1";
     let mut template = make_ptrs_template(&[(
@@ -583,6 +585,8 @@ fn test_rsa_mechs() {
     ));
 
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, pubkey, 1), true);
+    assert_eq!(check_object_validation(session, prikey, 1), true);
 
     /* Classic PKCS 1.5 */
     for mech in [
diff --git a/src/tests/simplekdf.rs b/src/tests/simplekdf.rs
diff --git a/src/tests/tls.rs b/src/tests/tls.rs
diff --git a/src/tests/token.rs b/src/tests/token.rs
diff --git a/src/tests/util.rs b/src/tests/util.rs
diff --git a/testdata/test_aes_operations.json b/testdata/test_aes_operations.json

Original file line number	Diff line number	Diff line change
`@@ -340,7 +340,7 @@ struct MemBio<'a> {`
`340`	`340`	`}`
`341`	`341`
`342`	`342`	`impl MemBio<'_> {`
`343`		`- fn new(v: &mut [u8]) -> MemBio {`
	`343`	`+ fn new(v: &mut [u8]) -> MemBio<'_> {`
`344`	`344`	`MemBio { mem: v, cursor: 0 }`
`345`	`345`	`}`
`346`	`346`
Original file line number	Diff line number	Diff line change
`@@ -462,6 +462,7 @@ impl Attribute {`
`462`	`462`	`}`
`463`	`463`
`464`	`464`	`/// Constructs an attribute passing in the value as a slice`
	`465`	`+ #[cfg(feature = "nssdb")]`
`465`	`466`	`pub fn from_attr_slice(`
`466`	`467`	`id: CK_ULONG,`
`467`	`468`	`at: AttrType,`
Original file line number	Diff line number	Diff line change
`@@ -207,7 +207,7 @@ impl PrivateKeyInfo<'_> {`
`207`	`207`	`}`
`208`	`208`
`209`	`209`	`/// Returns the key type (as an OID)`
`210`		`- pub fn get_algorithm(&self) -> &pkcs::AlgorithmIdentifier {`
	`210`	`+ pub fn get_algorithm(&self) -> &pkcs::AlgorithmIdentifier<'_> {`
`211`	`211`	`&self.algorithm`
`212`	`212`	`}`
`213`	`213`