1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (c) 2018-2020, Linaro Limited 4 */ 5 6 #ifndef PKCS11_TA_H 7 #define PKCS11_TA_H 8 9 #include <stdbool.h> 10 #include <stdint.h> 11 12 #define PKCS11_TA_UUID { 0xfd02c9da, 0x306c, 0x48c7, \ 13 { 0xa4, 0x9c, 0xbb, 0xd8, 0x27, 0xae, 0x86, 0xee } } 14 15 /* PKCS11 trusted application version information */ 16 #define PKCS11_TA_VERSION_MAJOR 0 17 #define PKCS11_TA_VERSION_MINOR 1 18 #define PKCS11_TA_VERSION_PATCH 0 19 20 /* Attribute specific values */ 21 #define PKCS11_CK_UNAVAILABLE_INFORMATION UINT32_C(0xFFFFFFFF) 22 #define PKCS11_UNDEFINED_ID UINT32_C(0xFFFFFFFF) 23 #define PKCS11_FALSE false 24 #define PKCS11_TRUE true 25 26 /* 27 * Note on PKCS#11 TA commands ABI 28 * 29 * For evolution of the TA API and to not mess with the GPD TEE 4 parameters 30 * constraint, all the PKCS11 TA invocation commands use a subset of available 31 * the GPD TEE invocation parameter types. 32 * 33 * Param#0 is used for the so-called control arguments of the invoked command 34 * and for providing a PKCS#11 compliant status code for the request command. 35 * Param#0 is an in/out memory reference (aka memref[0]). The input buffer 36 * stores serialized arguments for the command. The output buffer store the 37 * 32bit TA return code for the command. As a consequence, param#0 shall 38 * always be an input/output memory reference of at least 32bit, more if 39 * the command expects more input arguments. 40 * 41 * When the TA returns with TEE_SUCCESS result, client shall always get the 42 * 32bit value stored in param#0 output buffer and use the value as TA 43 * return code for the invoked command. 44 * 45 * Param#1 can be used for input data arguments of the invoked command. 46 * It is unused or is an input memory reference, aka memref[1]. 47 * Evolution of the API may use memref[1] for output data as well. 48 * 49 * Param#2 is mostly used for output data arguments of the invoked command 50 * and for output handles generated from invoked commands. 51 * Few commands uses it for a secondary input data buffer argument. 52 * It is unused or is an input/output/in-out memory reference, aka memref[2]. 53 * 54 * Param#3 is currently unused and reserved for evolution of the API. 55 */ 56 57 enum pkcs11_ta_cmd { 58 /* 59 * PKCS11_CMD_PING Ack TA presence and return version info 60 * 61 * [in] memref[0] = 32bit, unused, must be 0 62 * [out] memref[0] = 32bit return code, enum pkcs11_rc 63 * [out] memref[2] = [ 64 * 32bit version major value, 65 * 32bit version minor value 66 * 32bit version patch value 67 * ] 68 */ 69 PKCS11_CMD_PING = 0, 70 71 /* 72 * PKCS11_CMD_SLOT_LIST - Get the table of the valid slot IDs 73 * 74 * [in] memref[0] = 32bit, unused, must be 0 75 * [out] memref[0] = 32bit return code, enum pkcs11_rc 76 * [out] memref[2] = 32bit array slot_ids[slot counts] 77 * 78 * The TA instance may represent several PKCS#11 slots and 79 * associated tokens. This commadn reports the IDs of embedded tokens. 80 * This command relates the PKCS#11 API function C_GetSlotList(). 81 */ 82 PKCS11_CMD_SLOT_LIST = 1, 83 84 /* 85 * PKCS11_CMD_SLOT_INFO - Get cryptoki structured slot information 86 * 87 * [in] memref[0] = 32bit slot ID 88 * [out] memref[0] = 32bit return code, enum pkcs11_rc 89 * [out] memref[2] = (struct pkcs11_slot_info)info 90 * 91 * The TA instance may represent several PKCS#11 slots/tokens. 92 * This command relates the PKCS#11 API function C_GetSlotInfo(). 93 */ 94 PKCS11_CMD_SLOT_INFO = 2, 95 96 /* 97 * PKCS11_CMD_TOKEN_INFO - Get cryptoki structured token information 98 * 99 * [in] memref[0] = 32bit slot ID 100 * [out] memref[0] = 32bit return code, enum pkcs11_rc 101 * [out] memref[2] = (struct pkcs11_token_info)info 102 * 103 * The TA instance may represent several PKCS#11 slots/tokens. 104 * This command relates the PKCS#11 API function C_GetTokenInfo(). 105 */ 106 PKCS11_CMD_TOKEN_INFO = 3, 107 108 /* 109 * PKCS11_CMD_MECHANISM_IDS - Get list of the supported mechanisms 110 * 111 * [in] memref[0] = 32bit slot ID 112 * [out] memref[0] = 32bit return code, enum pkcs11_rc 113 * [out] memref[2] = 32bit array mechanism IDs 114 * 115 * This command relates to the PKCS#11 API function 116 * C_GetMechanismList(). 117 */ 118 PKCS11_CMD_MECHANISM_IDS = 4, 119 120 /* 121 * PKCS11_CMD_MECHANISM_INFO - Get information on a specific mechanism 122 * 123 * [in] memref[0] = [ 124 * 32bit slot ID, 125 * 32bit mechanism ID (PKCS11_CKM_*) 126 * ] 127 * [out] memref[0] = 32bit return code, enum pkcs11_rc 128 * [out] memref[2] = (struct pkcs11_mechanism_info)info 129 * 130 * This command relates to the PKCS#11 API function 131 * C_GetMechanismInfo(). 132 */ 133 PKCS11_CMD_MECHANISM_INFO = 5, 134 135 /* 136 * PKCS11_CMD_OPEN_SESSION - Open a session 137 * 138 * [in] memref[0] = [ 139 * 32bit slot ID, 140 * 32bit session flags, 141 * ] 142 * [out] memref[0] = 32bit return code, enum pkcs11_rc 143 * [out] memref[2] = 32bit session handle 144 * 145 * This command relates to the PKCS#11 API function C_OpenSession(). 146 */ 147 PKCS11_CMD_OPEN_SESSION = 6, 148 149 /* 150 * PKCS11_CMD_CLOSE_SESSION - Close an opened session 151 * 152 * [in] memref[0] = 32bit session handle 153 * [out] memref[0] = 32bit return code, enum pkcs11_rc 154 * 155 * This command relates to the PKCS#11 API function C_CloseSession(). 156 */ 157 PKCS11_CMD_CLOSE_SESSION = 7, 158 159 /* 160 * PKCS11_CMD_CLOSE_ALL_SESSIONS - Close all client sessions on token 161 * 162 * [in] memref[0] = 32bit slot ID 163 * [out] memref[0] = 32bit return code, enum pkcs11_rc 164 * 165 * This command relates to the PKCS#11 API function 166 * C_CloseAllSessions(). 167 */ 168 PKCS11_CMD_CLOSE_ALL_SESSIONS = 8, 169 170 /* 171 * PKCS11_CMD_SESSION_INFO - Get Cryptoki information on a session 172 * 173 * [in] memref[0] = 32bit session handle 174 * [out] memref[0] = 32bit return code, enum pkcs11_rc 175 * [out] memref[2] = (struct pkcs11_session_info)info 176 * 177 * This command relates to the PKCS#11 API function C_GetSessionInfo(). 178 */ 179 PKCS11_CMD_SESSION_INFO = 9, 180 181 /* 182 * PKCS11_CMD_INIT_TOKEN - Initialize PKCS#11 token 183 * 184 * [in] memref[0] = [ 185 * 32bit slot ID, 186 * 32bit PIN length, 187 * byte array label[32] 188 * byte array PIN[PIN length], 189 * ] 190 * [out] memref[0] = 32bit return code, enum pkcs11_rc 191 * 192 * This command relates to the PKCS#11 API function C_InitToken(). 193 */ 194 PKCS11_CMD_INIT_TOKEN = 10, 195 196 /* 197 * PKCS11_CMD_INIT_PIN - Initialize user PIN 198 * 199 * [in] memref[0] = [ 200 * 32bit session handle, 201 * 32bit PIN byte size, 202 * byte array: PIN data 203 * ] 204 * [out] memref[0] = 32bit return code, enum pkcs11_rc 205 * 206 * This command relates to the PKCS#11 API function C_InitPIN(). 207 */ 208 PKCS11_CMD_INIT_PIN = 11, 209 210 /* 211 * PKCS11_CMD_SET_PIN - Change user PIN 212 * 213 * [in] memref[0] = [ 214 * 32bit session handle, 215 * 32bit old PIN byte size, 216 * 32bit new PIN byte size, 217 * byte array: PIN data, 218 * byte array: new PIN data, 219 * ] 220 * [out] memref[0] = 32bit return code, enum pkcs11_rc 221 * 222 * This command relates to the PKCS#11 API function C_SetPIN(). 223 */ 224 PKCS11_CMD_SET_PIN = 12, 225 226 /* 227 * PKCS11_CMD_LOGIN - Initialize user PIN 228 * 229 * [in] memref[0] = [ 230 * 32bit session handle, 231 * 32bit user identifier, enum pkcs11_user_type 232 * 32bit PIN byte size, 233 * byte array: PIN data 234 * ] 235 * [out] memref[0] = 32bit return code, enum pkcs11_rc 236 * 237 * This command relates to the PKCS#11 API function C_Login(). 238 */ 239 PKCS11_CMD_LOGIN = 13, 240 241 /* 242 * PKCS11_CMD_LOGOUT - Log out from token 243 * 244 * [in] memref[0] = [ 245 * 32bit session handle, 246 * ] 247 * [out] memref[0] = 32bit return code, enum pkcs11_rc 248 * 249 * This command relates to the PKCS#11 API function C_Logout(). 250 */ 251 PKCS11_CMD_LOGOUT = 14, 252 253 /* 254 * PKCS11_CMD_CREATE_OBJECT - Create a raw client assembled object in 255 * the session or token 256 * 257 * 258 * [in] memref[0] = [ 259 * 32bit session handle, 260 * (struct pkcs11_object_head)attribs + attributes data 261 * ] 262 * [out] memref[0] = 32bit return code, enum pkcs11_rc 263 * [out] memref[2] = 32bit object handle 264 * 265 * This command relates to the PKCS#11 API function C_CreateObject(). 266 */ 267 PKCS11_CMD_CREATE_OBJECT = 15, 268 269 /* 270 * PKCS11_CMD_DESTROY_OBJECT - Destroy an object 271 * 272 * [in] memref[0] = [ 273 * 32bit session handle, 274 * 32bit object handle 275 * ] 276 * [out] memref[0] = 32bit return code, enum pkcs11_rc 277 * 278 * This command relates to the PKCS#11 API function C_DestroyObject(). 279 */ 280 PKCS11_CMD_DESTROY_OBJECT = 16, 281 282 /* 283 * PKCS11_CMD_ENCRYPT_INIT - Initialize encryption processing 284 * PKCS11_CMD_DECRYPT_INIT - Initialize decryption processing 285 * 286 * [in] memref[0] = [ 287 * 32bit session handle, 288 * 32bit object handle of the key, 289 * (struct pkcs11_attribute_head)mechanism + mecha params 290 * ] 291 * [out] memref[0] = 32bit return code, enum pkcs11_rc 292 * 293 * These commands relate to the PKCS#11 API functions 294 * C_EncryptInit() and C_DecryptInit(). 295 */ 296 PKCS11_CMD_ENCRYPT_INIT = 17, 297 PKCS11_CMD_DECRYPT_INIT = 18, 298 299 /* 300 * PKCS11_CMD_ENCRYPT_UPDATE - Update encryption processing 301 * PKCS11_CMD_DECRYPT_UPDATE - Update decryption processing 302 * 303 * [in] memref[0] = 32bit session handle 304 * [out] memref[0] = 32bit return code, enum pkcs11_rc 305 * [in] memref[1] = input data to be processed 306 * [out] memref[2] = output processed data 307 * 308 * These commands relate to the PKCS#11 API functions 309 * C_EncryptUpdate() and C_DecryptUpdate(). 310 */ 311 PKCS11_CMD_ENCRYPT_UPDATE = 19, 312 PKCS11_CMD_DECRYPT_UPDATE = 20, 313 314 /* 315 * PKCS11_CMD_ENCRYPT_FINAL - Finalize encryption processing 316 * PKCS11_CMD_DECRYPT_FINAL - Finalize decryption processing 317 * 318 * [in] memref[0] = 32bit session handle 319 * [out] memref[0] = 32bit return code, enum pkcs11_rc 320 * [out] memref[2] = output processed data 321 * 322 * These commands relate to the PKCS#11 API functions 323 * C_EncryptFinal() and C_DecryptFinal(). 324 */ 325 PKCS11_CMD_ENCRYPT_FINAL = 21, 326 PKCS11_CMD_DECRYPT_FINAL = 22, 327 328 /* 329 * PKCS11_CMD_ENCRYPT_ONESHOT - Update and finalize encryption 330 * processing 331 * PKCS11_CMD_DECRYPT_ONESHOT - Update and finalize decryption 332 * processing 333 * 334 * [in] memref[0] = 32bit session handle 335 * [out] memref[0] = 32bit return code, enum pkcs11_rc 336 * [in] memref[1] = input data to be processed 337 * [out] memref[2] = output processed data 338 * 339 * These commands relate to the PKCS#11 API functions C_Encrypt and 340 * C_Decrypt. 341 */ 342 PKCS11_CMD_ENCRYPT_ONESHOT = 23, 343 PKCS11_CMD_DECRYPT_ONESHOT = 24, 344 345 /* 346 * PKCS11_CMD_SIGN_INIT - Initialize a signature computation 347 * processing 348 * PKCS11_CMD_VERIFY_INIT - Initialize a signature verification 349 * processing 350 * 351 * [in] memref[0] = [ 352 * 32bit session handle, 353 * 32bit key handle, 354 * (struct pkcs11_attribute_head)mechanism + 355 * mechanism params, 356 * ] 357 * [out] memref[0] = 32bit return code, enum pkcs11_rc 358 * 359 * These commands relate to the PKCS#11 API functions C_SignInit() and 360 * C_VerifyInit(). 361 */ 362 PKCS11_CMD_SIGN_INIT = 25, 363 PKCS11_CMD_VERIFY_INIT = 26, 364 365 /* 366 * PKCS11_CMD_SIGN_UPDATE - Update a signature computation processing 367 * PKCS11_CMD_VERIFY_UPDATE - Update a signature verification processing 368 * 369 * [in] memref[0] = 32bit session handle 370 * [out] memref[0] = 32bit return code, enum pkcs11_rc 371 * [in] memref[1] = input data to be processed 372 * 373 * These commands relate to the PKCS#11 API functions C_SignUpdate() and 374 * C_VerifyUpdate(). 375 */ 376 PKCS11_CMD_SIGN_UPDATE = 27, 377 PKCS11_CMD_VERIFY_UPDATE = 28, 378 379 /* 380 * PKCS11_CMD_SIGN_FINAL - Finalize a signature computation processing 381 * 382 * [in] memref[0] = 32bit session handle 383 * [out] memref[0] = 32bit return code, enum pkcs11_rc 384 * [out] memref[2] = output signature 385 * 386 * This command relates to the PKCS#11 API functions C_SignFinal(). 387 */ 388 PKCS11_CMD_SIGN_FINAL = 29, 389 390 /* 391 * PKCS11_CMD_VERIFY_FINAL - Finalize a signature verification 392 * processing 393 * 394 * [in] memref[0] = 32bit session handle 395 * [out] memref[0] = 32bit return code, enum pkcs11_rc 396 * [in] memref[2] = input signature to be processed 397 * 398 * This command relates to the PKCS#11 API functions C_VerifyFinal(). 399 */ 400 PKCS11_CMD_VERIFY_FINAL = 30, 401 402 /* 403 * PKCS11_CMD_SIGN_ONESHOT - Compute a signature 404 * 405 * [in] memref[0] = 32bit session handle 406 * [out] memref[0] = 32bit return code, enum pkcs11_rc 407 * [in] memref[1] = input data to be processed 408 * [out] memref[2] = byte array: generated signature 409 * 410 * This command relates to the PKCS#11 API function C_Sign(). 411 */ 412 PKCS11_CMD_SIGN_ONESHOT = 31, 413 414 /* 415 * PKCS11_CMD_VERIFY_ONESHOT - Compute and compare a signature 416 * 417 * [in] memref[0] = 32bit session handle 418 * [out] memref[0] = 32bit return code, enum pkcs11_rc 419 * [in] memref[1] = input data to be processed 420 * [in] memref[2] = input signature to be processed 421 * 422 * This command relates to the PKCS#11 API function C_Verify(). 423 */ 424 PKCS11_CMD_VERIFY_ONESHOT = 32, 425 426 /* 427 * PKCS11_CMD_GENERATE_KEY - Generate a symmetric key or domain 428 * parameters 429 * 430 * [in] memref[0] = [ 431 * 32bit session handle, 432 * (struct pkcs11_attribute_head)mechanism + mecha params, 433 * (struct pkcs11_object_head)attribs + attributes data 434 * ] 435 * [out] memref[0] = 32bit return code, enum pkcs11_rc 436 * [out] memref[2] = 32bit object handle 437 * 438 * This command relates to the PKCS#11 API function C_GenerateKey(). 439 */ 440 PKCS11_CMD_GENERATE_KEY = 33, 441 442 /* 443 * PKCS11_CMD_FIND_OBJECTS_INIT - Initialize an object search 444 * 445 * [in] memref[0] = [ 446 * 32bit session handle, 447 * (struct pkcs11_object_head)attribs + attributes data 448 * ] 449 * [out] memref[0] = 32bit return code, enum pkcs11_rc 450 * 451 * This command relates to the PKCS#11 API function C_FindOjectsInit(). 452 */ 453 PKCS11_CMD_FIND_OBJECTS_INIT = 34, 454 455 /* 456 * PKCS11_CMD_FIND_OBJECTS - Get handles of matching objects 457 * 458 * [in] memref[0] = 32bit session handle 459 * [out] memref[0] = 32bit return code, enum pkcs11_rc 460 * [out] memref[2] = 32bit array object_handle_array[N] 461 * 462 * This command relates to the PKCS#11 API function C_FindOjects(). 463 * The size of object_handle_array depends on the size of the output 464 * buffer provided by the client. 465 */ 466 PKCS11_CMD_FIND_OBJECTS = 35, 467 468 /* 469 * PKCS11_CMD_FIND_OBJECTS_FINAL - Finalize current objects search 470 * 471 * [in] memref[0] = 32bit session handle 472 * [out] memref[0] = 32bit return code, enum pkcs11_rc 473 * 474 * This command relates to the PKCS#11 API function C_FindOjectsFinal(). 475 */ 476 PKCS11_CMD_FIND_OBJECTS_FINAL = 36, 477 478 /* 479 * PKCS11_CMD_GET_OBJECT_SIZE - Get byte size used by object in the TEE 480 * 481 * [in] memref[0] = [ 482 * 32bit session handle, 483 * 32bit object handle 484 * ] 485 * [out] memref[0] = 32bit return code, enum pkcs11_rc 486 * [out] memref[2] = 32bit object_byte_size 487 * 488 * This command relates to the PKCS#11 API function C_GetObjectSize(). 489 */ 490 PKCS11_CMD_GET_OBJECT_SIZE = 37, 491 492 /* 493 * PKCS11_CMD_GET_ATTRIBUTE_VALUE - Get the value of object attribute(s) 494 * 495 * [in] memref[0] = [ 496 * 32bit session handle, 497 * 32bit object handle, 498 * (struct pkcs11_object_head)attribs + attributes data 499 * ] 500 * [out] memref[0] = 32bit return code, enum pkcs11_rc 501 * [out] memref[2] = (struct pkcs11_object_head)attribs + attributes 502 * data 503 * 504 * This command relates to the PKCS#11 API function C_GetAttributeValue. 505 * Caller provides an attribute template as 3rd argument in memref[0] 506 * (referred here as attribs + attributes data). Upon successful 507 * completion, the TA returns the provided template filled with expected 508 * data through output argument memref[2] (referred here again as 509 * attribs + attributes data). 510 */ 511 PKCS11_CMD_GET_ATTRIBUTE_VALUE = 38, 512 513 /* 514 * PKCS11_CMD_SET_ATTRIBUTE_VALUE - Set the value of object attribute(s) 515 * 516 * [in] memref[0] = [ 517 * 32bit session handle, 518 * 32bit object handle, 519 * (struct pkcs11_object_head)attribs + attributes data 520 * ] 521 * [out] memref[0] = 32bit return code, enum pkcs11_rc 522 * 523 * This command relates to the PKCS#11 API function C_SetAttributeValue. 524 * Caller provides an attribute template as 3rd argument in memref[0] 525 * (referred here as attribs + attributes data). 526 */ 527 PKCS11_CMD_SET_ATTRIBUTE_VALUE = 39, 528 529 /* 530 * PKCS11_CMD_COPY_OBJECT - Copies an object, creating a new object for 531 * the copy. 532 * 533 * [in] memref[0] = [ 534 * 32bit session handle, 535 * 32bit object handle, 536 * (struct pkcs11_object_head)attribs + attributes data 537 * ] 538 * [out] memref[0] = 32bit return code, enum pkcs11_rc 539 * [out] memref[2] = 32bit object handle 540 * 541 * This command relates to the PKCS#11 API function C_CopyObject(). 542 * Caller provides an attribute template as 3rd argument in memref[0] 543 * (referred here as attribs + attributes data). 544 */ 545 PKCS11_CMD_COPY_OBJECT = 40, 546 547 /* 548 * PKCS11_CMD_SEED_RANDOM - Seed random data generator 549 * 550 * [in] memref[0] = 32bit session handle 551 * [out] memref[0] = 32bit return code, enum pkcs11_rc 552 * [in] memref[1] = byte array: seed material to feed into the RNG 553 * 554 * This command relates to the PKCS#11 API function C_SeedRandom(). 555 */ 556 PKCS11_CMD_SEED_RANDOM = 41, 557 558 /* 559 * PKCS11_CMD_GENERATE_RANDOM - Generate random data 560 * 561 * [in] memref[0] = 32bit session handle 562 * [out] memref[0] = 32bit return code, enum pkcs11_rc 563 * [out] memref[2] = byte array: generated random 564 * 565 * This command relates to the PKCS#11 API function C_GenerateRandom(). 566 */ 567 PKCS11_CMD_GENERATE_RANDOM = 42, 568 569 /* 570 * PKCS11_CMD_DERIVE_KEY - Derive a key from a parent key. 571 * 572 * [in] memref[0] = [ 573 * 32bit session handle, 574 * 32bit parent key handle, 575 * (struct pkcs11_attribute_head)mechanism + mecha params, 576 * (struct pkcs11_object_head)attribs + attributes data 577 * ] 578 * [out] memref[0] = 32bit return code, enum pkcs11_rc 579 * [out] memref[2] = 32bit object handle 580 * 581 * This command relates to the PKCS#11 API function C_DeriveKey(). 582 */ 583 PKCS11_CMD_DERIVE_KEY = 43, 584 585 /* 586 * PKCS11_CMD_RELEASE_ACTIVE_PROCESSING - Release active processing 587 * 588 * [in] memref[0] = [ 589 * 32bit session handle, 590 * 32bit enum pkcs11_ta_cmd 591 * ] 592 * [out] memref[0] = 32bit return code, enum pkcs11_rc 593 * 594 * This command is used to release active processing in case of 595 * Cryptoki API invocation error is detected in user space processing. 596 * Function derived from pkcs11_ta_cmd is used to verify that active 597 * processing matches. 598 */ 599 PKCS11_CMD_RELEASE_ACTIVE_PROCESSING = 44, 600 601 /* 602 * PKCS11_CMD_DIGEST_INIT - Initialize a digest computation processing 603 * 604 * [in] memref[0] = [ 605 * 32bit session handle, 606 * (struct pkcs11_attribute_head)mechanism + mecha params 607 * ] 608 * [out] memref[0] = 32bit return code, enum pkcs11_rc 609 * 610 * This command relates to the PKCS#11 API function C_DigestInit(). 611 */ 612 PKCS11_CMD_DIGEST_INIT = 45, 613 614 /* 615 * PKCS11_CMD_DIGEST_KEY - Update digest with a key 616 * 617 * [in] memref[0] = [ 618 * 32bit session handle, 619 * 32bit key handle 620 * ] 621 * [out] memref[0] = 32bit return code, enum pkcs11_rc 622 * 623 * This command relates to the PKCS#11 API function C_DigestKey(). 624 */ 625 PKCS11_CMD_DIGEST_KEY = 46, 626 627 /* 628 * PKCS11_CMD_DIGEST_UPDATE - Update digest with data 629 * 630 * [in] memref[0] = 32bit session handle 631 * [out] memref[0] = 32bit return code, enum pkcs11_rc 632 * [in] memref[1] = input data to be processed 633 * 634 * This command relates to the PKCS#11 API function C_DigestUpdate(). 635 */ 636 PKCS11_CMD_DIGEST_UPDATE = 47, 637 638 /* 639 * PKCS11_CMD_DIGEST_FINAL - Finalize a digest computation processing 640 * 641 * [in] memref[0] = 32bit session handle 642 * [out] memref[0] = 32bit return code, enum pkcs11_rc 643 * [out] memref[2] = output digest 644 * 645 * This command relates to the PKCS#11 API function C_DigestFinal(). 646 */ 647 PKCS11_CMD_DIGEST_FINAL = 48, 648 649 /* 650 * PKCS11_CMD_DIGEST_ONESHOT - Compute a digest 651 * 652 * [in] memref[0] = 32bit session handle 653 * [out] memref[0] = 32bit return code, enum pkcs11_rc 654 * [in] memref[1] = input data to be processed 655 * [out] memref[2] = byte array: generated digest 656 * 657 * This command relates to the PKCS#11 API function C_Digest(). 658 */ 659 PKCS11_CMD_DIGEST_ONESHOT = 49, 660 661 /* 662 * PKCS11_CMD_GENERATE_KEY_PAIR - Generate an asymmetric key pair 663 * 664 * [in] memref[0] = [ 665 * 32bit session handle, 666 * (struct pkcs11_attribute_head)mechanism + mecha params, 667 * (struct pkcs11_object_head)public key attribs + 668 * attributes data, 669 * (struct pkcs11_object_head)private key attribs + 670 * attributes data 671 * ] 672 * [out] memref[0] = 32bit return code, enum pkcs11_rc 673 * [out] memref[2] = [ 674 * 32bit public key object handle, 675 * 32bit private key object handle 676 * ] 677 * 678 * This command relates to the PKCS#11 API function 679 * C_GenerateKeyPair(). 680 */ 681 PKCS11_CMD_GENERATE_KEY_PAIR = 50, 682 683 /* 684 * PKCS11_CMD_WRAP_KEY - Wraps a private or secret key. 685 * 686 * [in] memref[0] = [ 687 * 32bit session handle, 688 * 32bit wrapping key handle, 689 * 32bit key handle, 690 * (struct pkcs11_attribute_head)mechanism + mecha params 691 * ] 692 * [out] memref[0] = 32bit return code, enum pkcs11_rc 693 * [out] memref[2] = wrapped key 694 * 695 * This command relates to the PKCS#11 API function C_WrapKey(). 696 */ 697 PKCS11_CMD_WRAP_KEY = 51, 698 699 /* 700 * PKCS11_CMD_UNWRAP_KEY - Unwraps a wrapped key, creating a new 701 * private or secret key object. 702 * 703 * [in] memref[0] = [ 704 * 32bit session handle, 705 * 32bit unwrapping key handle, 706 * (struct pkcs11_attribute_head)mechanism + mecha params, 707 * (struct pkcs11_object_head)attribs + attributes data 708 * ] 709 * [out] memref[0] = 32bit return code, enum pkcs11_rc 710 * [in] memref[1] = wrapped key 711 * [out] memref[2] = 32bit object handle 712 * 713 * This command relates to the PKCS#11 API function C_UnwrapKey(). 714 */ 715 PKCS11_CMD_UNWRAP_KEY = 52, 716 }; 717 718 /* 719 * Command return codes 720 * PKCS11_<x> relates CryptoKi client API CKR_<x> 721 */ 722 enum pkcs11_rc { 723 PKCS11_CKR_OK = 0, 724 PKCS11_CKR_CANCEL = 0x0001, 725 PKCS11_CKR_SLOT_ID_INVALID = 0x0003, 726 PKCS11_CKR_GENERAL_ERROR = 0x0005, 727 PKCS11_CKR_FUNCTION_FAILED = 0x0006, 728 PKCS11_CKR_ARGUMENTS_BAD = 0x0007, 729 PKCS11_CKR_ATTRIBUTE_READ_ONLY = 0x0010, 730 PKCS11_CKR_ATTRIBUTE_SENSITIVE = 0x0011, 731 PKCS11_CKR_ATTRIBUTE_TYPE_INVALID = 0x0012, 732 PKCS11_CKR_ATTRIBUTE_VALUE_INVALID = 0x0013, 733 PKCS11_CKR_ACTION_PROHIBITED = 0x001b, 734 PKCS11_CKR_DATA_INVALID = 0x0020, 735 PKCS11_CKR_DATA_LEN_RANGE = 0x0021, 736 PKCS11_CKR_DEVICE_ERROR = 0x0030, 737 PKCS11_CKR_DEVICE_MEMORY = 0x0031, 738 PKCS11_CKR_DEVICE_REMOVED = 0x0032, 739 PKCS11_CKR_ENCRYPTED_DATA_INVALID = 0x0040, 740 PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE = 0x0041, 741 PKCS11_CKR_KEY_HANDLE_INVALID = 0x0060, 742 PKCS11_CKR_KEY_SIZE_RANGE = 0x0062, 743 PKCS11_CKR_KEY_TYPE_INCONSISTENT = 0x0063, 744 PKCS11_CKR_KEY_INDIGESTIBLE = 0x0067, 745 PKCS11_CKR_KEY_FUNCTION_NOT_PERMITTED = 0x0068, 746 PKCS11_CKR_KEY_NOT_WRAPPABLE = 0x0069, 747 PKCS11_CKR_KEY_UNEXTRACTABLE = 0x006a, 748 PKCS11_CKR_MECHANISM_INVALID = 0x0070, 749 PKCS11_CKR_MECHANISM_PARAM_INVALID = 0x0071, 750 PKCS11_CKR_OBJECT_HANDLE_INVALID = 0x0082, 751 PKCS11_CKR_OPERATION_ACTIVE = 0x0090, 752 PKCS11_CKR_OPERATION_NOT_INITIALIZED = 0x0091, 753 PKCS11_CKR_PIN_INCORRECT = 0x00a0, 754 PKCS11_CKR_PIN_INVALID = 0x00a1, 755 PKCS11_CKR_PIN_LEN_RANGE = 0x00a2, 756 PKCS11_CKR_PIN_EXPIRED = 0x00a3, 757 PKCS11_CKR_PIN_LOCKED = 0x00a4, 758 PKCS11_CKR_SESSION_CLOSED = 0x00b0, 759 PKCS11_CKR_SESSION_COUNT = 0x00b1, 760 PKCS11_CKR_SESSION_HANDLE_INVALID = 0x00b3, 761 PKCS11_CKR_SESSION_PARALLEL_NOT_SUPPORTED = 0x00b4, 762 PKCS11_CKR_SESSION_READ_ONLY = 0x00b5, 763 PKCS11_CKR_SESSION_EXISTS = 0x00b6, 764 PKCS11_CKR_SESSION_READ_ONLY_EXISTS = 0x00b7, 765 PKCS11_CKR_SESSION_READ_WRITE_SO_EXISTS = 0x00b8, 766 PKCS11_CKR_SIGNATURE_INVALID = 0x00c0, 767 PKCS11_CKR_SIGNATURE_LEN_RANGE = 0x00c1, 768 PKCS11_CKR_TEMPLATE_INCOMPLETE = 0x00d0, 769 PKCS11_CKR_TEMPLATE_INCONSISTENT = 0x00d1, 770 PKCS11_CKR_TOKEN_NOT_PRESENT = 0x00e0, 771 PKCS11_CKR_TOKEN_NOT_RECOGNIZED = 0x00e1, 772 PKCS11_CKR_TOKEN_WRITE_PROTECTED = 0x00e2, 773 PKCS11_CKR_UNWRAPPING_KEY_HANDLE_INVALID = 0x00f0, 774 PKCS11_CKR_UNWRAPPING_KEY_SIZE_RANGE = 0x00f1, 775 PKCS11_CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT = 0x00f2, 776 PKCS11_CKR_USER_ALREADY_LOGGED_IN = 0x0100, 777 PKCS11_CKR_USER_NOT_LOGGED_IN = 0x0101, 778 PKCS11_CKR_USER_PIN_NOT_INITIALIZED = 0x0102, 779 PKCS11_CKR_USER_TYPE_INVALID = 0x0103, 780 PKCS11_CKR_USER_ANOTHER_ALREADY_LOGGED_IN = 0x0104, 781 PKCS11_CKR_USER_TOO_MANY_TYPES = 0x0105, 782 PKCS11_CKR_WRAPPED_KEY_INVALID = 0x0110, 783 PKCS11_CKR_WRAPPED_KEY_LEN_RANGE = 0x0112, 784 PKCS11_CKR_WRAPPING_KEY_HANDLE_INVALID = 0x0113, 785 PKCS11_CKR_WRAPPING_KEY_SIZE_RANGE = 0x0114, 786 PKCS11_CKR_WRAPPING_KEY_TYPE_INCONSISTENT = 0x0115, 787 PKCS11_CKR_RANDOM_SEED_NOT_SUPPORTED = 0x0120, 788 PKCS11_CKR_RANDOM_NO_RNG = 0x0121, 789 PKCS11_CKR_DOMAIN_PARAMS_INVALID = 0x0130, 790 PKCS11_CKR_CURVE_NOT_SUPPORTED = 0x0140, 791 PKCS11_CKR_BUFFER_TOO_SMALL = 0x0150, 792 PKCS11_CKR_SAVED_STATE_INVALID = 0x0160, 793 PKCS11_CKR_INFORMATION_SENSITIVE = 0x0170, 794 PKCS11_CKR_STATE_UNSAVEABLE = 0x0180, 795 PKCS11_CKR_PIN_TOO_WEAK = 0x01b8, 796 PKCS11_CKR_PUBLIC_KEY_INVALID = 0x01b9, 797 PKCS11_CKR_FUNCTION_REJECTED = 0x0200, 798 /* Vendor specific IDs not returned to client */ 799 PKCS11_RV_NOT_FOUND = 0x80000000, 800 PKCS11_RV_NOT_IMPLEMENTED = 0x80000001, 801 }; 802 803 /* 804 * Arguments for PKCS11_CMD_SLOT_INFO 805 */ 806 #define PKCS11_SLOT_DESC_SIZE 64 807 #define PKCS11_SLOT_MANUFACTURER_SIZE 32 808 #define PKCS11_SLOT_VERSION_SIZE 2 809 810 struct pkcs11_slot_info { 811 uint8_t slot_description[PKCS11_SLOT_DESC_SIZE]; 812 uint8_t manufacturer_id[PKCS11_SLOT_MANUFACTURER_SIZE]; 813 uint32_t flags; 814 uint8_t hardware_version[PKCS11_SLOT_VERSION_SIZE]; 815 uint8_t firmware_version[PKCS11_SLOT_VERSION_SIZE]; 816 }; 817 818 /* 819 * Values for pkcs11_slot_info::flags. 820 * PKCS11_CKFS_<x> reflects CryptoKi client API slot flags CKF_<x>. 821 */ 822 #define PKCS11_CKFS_TOKEN_PRESENT (1U << 0) 823 #define PKCS11_CKFS_REMOVABLE_DEVICE (1U << 1) 824 #define PKCS11_CKFS_HW_SLOT (1U << 2) 825 826 /* 827 * Arguments for PKCS11_CMD_TOKEN_INFO 828 */ 829 #define PKCS11_TOKEN_LABEL_SIZE 32 830 #define PKCS11_TOKEN_MANUFACTURER_SIZE 32 831 #define PKCS11_TOKEN_MODEL_SIZE 16 832 #define PKCS11_TOKEN_SERIALNUM_SIZE 16 833 834 struct pkcs11_token_info { 835 uint8_t label[PKCS11_TOKEN_LABEL_SIZE]; 836 uint8_t manufacturer_id[PKCS11_TOKEN_MANUFACTURER_SIZE]; 837 uint8_t model[PKCS11_TOKEN_MODEL_SIZE]; 838 uint8_t serial_number[PKCS11_TOKEN_SERIALNUM_SIZE]; 839 uint32_t flags; 840 uint32_t max_session_count; 841 uint32_t session_count; 842 uint32_t max_rw_session_count; 843 uint32_t rw_session_count; 844 uint32_t max_pin_len; 845 uint32_t min_pin_len; 846 uint32_t total_public_memory; 847 uint32_t free_public_memory; 848 uint32_t total_private_memory; 849 uint32_t free_private_memory; 850 uint8_t hardware_version[2]; 851 uint8_t firmware_version[2]; 852 uint8_t utc_time[16]; 853 }; 854 855 /* 856 * Values for pkcs11_token_info::flags. 857 * PKCS11_CKFT_<x> reflects CryptoKi client API token flags CKF_<x>. 858 */ 859 #define PKCS11_CKFT_RNG (1U << 0) 860 #define PKCS11_CKFT_WRITE_PROTECTED (1U << 1) 861 #define PKCS11_CKFT_LOGIN_REQUIRED (1U << 2) 862 #define PKCS11_CKFT_USER_PIN_INITIALIZED (1U << 3) 863 #define PKCS11_CKFT_RESTORE_KEY_NOT_NEEDED (1U << 5) 864 #define PKCS11_CKFT_CLOCK_ON_TOKEN (1U << 6) 865 #define PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH (1U << 8) 866 #define PKCS11_CKFT_DUAL_CRYPTO_OPERATIONS (1U << 9) 867 #define PKCS11_CKFT_TOKEN_INITIALIZED (1U << 10) 868 #define PKCS11_CKFT_SECONDARY_AUTHENTICATION (1U << 11) 869 #define PKCS11_CKFT_USER_PIN_COUNT_LOW (1U << 16) 870 #define PKCS11_CKFT_USER_PIN_FINAL_TRY (1U << 17) 871 #define PKCS11_CKFT_USER_PIN_LOCKED (1U << 18) 872 #define PKCS11_CKFT_USER_PIN_TO_BE_CHANGED (1U << 19) 873 #define PKCS11_CKFT_SO_PIN_COUNT_LOW (1U << 20) 874 #define PKCS11_CKFT_SO_PIN_FINAL_TRY (1U << 21) 875 #define PKCS11_CKFT_SO_PIN_LOCKED (1U << 22) 876 #define PKCS11_CKFT_SO_PIN_TO_BE_CHANGED (1U << 23) 877 #define PKCS11_CKFT_ERROR_STATE (1U << 24) 878 879 /* Values for user identity */ 880 enum pkcs11_user_type { 881 PKCS11_CKU_SO = 0x000, 882 PKCS11_CKU_USER = 0x001, 883 PKCS11_CKU_CONTEXT_SPECIFIC = 0x002, 884 }; 885 886 /* 887 * TEE Identity based authentication for tokens 888 * 889 * When configuration CFG_PKCS11_TA_AUTH_TEE_IDENTITY is enabled TEE Identity 890 * based authentication scheme is enabled. 891 * 892 * Feature enablement per token basis is controlled by token flag: 893 * pkcs11_token_info->flags & PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH 894 * 895 * When calling C_InitToken() mode is determined based on SO PIN value. 896 * - If the PIN is empty (or NULL_PTR) then active client TEE Identity will be 897 * used as SO TEE Identity 898 * - If the PIN is given then normal PIN behavior is used 899 * 900 * Once TEE Identity based authentication is activated following operational 901 * changes happen: 902 * - PIN failure counters are disabled to prevent token authentication lockups 903 * - Switching to different authentication mode needs C_InitToken() 904 * - When C_Login() or so is performed actual PIN value is ignored and active 905 * client TEE Identity will be used 906 * 907 * Different types of TEE Identity authentication methods can be configured: 908 * - Configured with C_InitToken(), C_InitPIN() or by C_SetPIN() 909 * - PIN value follows below PIN syntax 910 * 911 * TEE Identity based authenticate PIN syntax: 912 * - PIN value: NULL_PTR or empty 913 * - Use active client TEE Identity 914 * - PIN value: public 915 * - TEE public login 916 * - PIN value: user:<client UUID string> 917 * - TEE user login with client UUID matching user credentials 918 * - PIN value: group:<client UUID string> 919 * - TEE group login with client UUID matching group credentials 920 */ 921 922 /* Keywords for protected authenticated path PIN parser */ 923 #define PKCS11_AUTH_TEE_IDENTITY_PUBLIC "public" 924 #define PKCS11_AUTH_TEE_IDENTITY_USER "user:" 925 #define PKCS11_AUTH_TEE_IDENTITY_GROUP "group:" 926 927 /* 928 * Values for 32bit session flags argument to PKCS11_CMD_OPEN_SESSION 929 * and pkcs11_session_info::flags. 930 * PKCS11_CKFSS_<x> reflects CryptoKi client API session flags CKF_<x>. 931 */ 932 #define PKCS11_CKFSS_RW_SESSION (1U << 1) 933 #define PKCS11_CKFSS_SERIAL_SESSION (1U << 2) 934 935 /* 936 * Arguments for PKCS11_CMD_SESSION_INFO 937 */ 938 939 struct pkcs11_session_info { 940 uint32_t slot_id; 941 uint32_t state; 942 uint32_t flags; 943 uint32_t device_error; 944 }; 945 946 /* Valid values for pkcs11_session_info::state */ 947 enum pkcs11_session_state { 948 PKCS11_CKS_RO_PUBLIC_SESSION = 0, 949 PKCS11_CKS_RO_USER_FUNCTIONS = 1, 950 PKCS11_CKS_RW_PUBLIC_SESSION = 2, 951 PKCS11_CKS_RW_USER_FUNCTIONS = 3, 952 PKCS11_CKS_RW_SO_FUNCTIONS = 4, 953 }; 954 955 /* 956 * Arguments for PKCS11_CMD_MECHANISM_INFO 957 */ 958 959 struct pkcs11_mechanism_info { 960 uint32_t min_key_size; 961 uint32_t max_key_size; 962 uint32_t flags; 963 }; 964 965 /* 966 * Values for pkcs11_mechanism_info::flags. 967 * PKCS11_CKFM_<x> reflects CryptoKi client API mechanism flags CKF_<x>. 968 */ 969 #define PKCS11_CKFM_HW (1U << 0) 970 #define PKCS11_CKFM_ENCRYPT (1U << 8) 971 #define PKCS11_CKFM_DECRYPT (1U << 9) 972 #define PKCS11_CKFM_DIGEST (1U << 10) 973 #define PKCS11_CKFM_SIGN (1U << 11) 974 #define PKCS11_CKFM_SIGN_RECOVER (1U << 12) 975 #define PKCS11_CKFM_VERIFY (1U << 13) 976 #define PKCS11_CKFM_VERIFY_RECOVER (1U << 14) 977 #define PKCS11_CKFM_GENERATE (1U << 15) 978 #define PKCS11_CKFM_GENERATE_KEY_PAIR (1U << 16) 979 #define PKCS11_CKFM_WRAP (1U << 17) 980 #define PKCS11_CKFM_UNWRAP (1U << 18) 981 #define PKCS11_CKFM_DERIVE (1U << 19) 982 #define PKCS11_CKFM_EC_F_P (1U << 20) 983 #define PKCS11_CKFM_EC_F_2M (1U << 21) 984 #define PKCS11_CKFM_EC_ECPARAMETERS (1U << 22) 985 #define PKCS11_CKFM_EC_NAMEDCURVE (1U << 23) 986 #define PKCS11_CKFM_EC_UNCOMPRESS (1U << 24) 987 #define PKCS11_CKFM_EC_COMPRESS (1U << 25) 988 989 /* 990 * pkcs11_object_head - Header of object whose data are serialized in memory 991 * 992 * An object is made of several attributes. Attributes are stored one next to 993 * the other with byte alignment as a serialized byte array. The byte array 994 * of serialized attributes is prepended with the size of the attrs[] array 995 * in bytes and the number of attributes in the array, yielding the struct 996 * pkcs11_object_head. 997 * 998 * @attrs_size - byte size of whole byte array attrs[] 999 * @attrs_count - number of attribute items stored in attrs[] 1000 * @attrs - then starts the attributes data 1001 */ 1002 struct pkcs11_object_head { 1003 uint32_t attrs_size; 1004 uint32_t attrs_count; 1005 uint8_t attrs[]; 1006 }; 1007 1008 /* 1009 * Attribute reference in the TA ABI. Each attribute starts with a header 1010 * structure followed by the attribute value. The attribute byte size is 1011 * defined in the attribute header. 1012 * 1013 * @id - the 32bit identifier of the attribute, see PKCS11_CKA_<x> 1014 * @size - the 32bit value attribute byte size 1015 * @data - then starts the attribute value 1016 */ 1017 struct pkcs11_attribute_head { 1018 uint32_t id; 1019 uint32_t size; 1020 uint8_t data[]; 1021 }; 1022 1023 /* 1024 * Attribute identification IDs as of v2.40 excluding deprecated IDs. 1025 * Valid values for struct pkcs11_attribute_head::id 1026 * PKCS11_CKA_<x> reflects CryptoKi client API attribute IDs CKA_<x>. 1027 */ 1028 enum pkcs11_attr_id { 1029 PKCS11_CKA_CLASS = 0x0000, 1030 PKCS11_CKA_TOKEN = 0x0001, 1031 PKCS11_CKA_PRIVATE = 0x0002, 1032 PKCS11_CKA_LABEL = 0x0003, 1033 PKCS11_CKA_APPLICATION = 0x0010, 1034 PKCS11_CKA_VALUE = 0x0011, 1035 PKCS11_CKA_OBJECT_ID = 0x0012, 1036 PKCS11_CKA_CERTIFICATE_TYPE = 0x0080, 1037 PKCS11_CKA_ISSUER = 0x0081, 1038 PKCS11_CKA_SERIAL_NUMBER = 0x0082, 1039 PKCS11_CKA_AC_ISSUER = 0x0083, 1040 PKCS11_CKA_OWNER = 0x0084, 1041 PKCS11_CKA_ATTR_TYPES = 0x0085, 1042 PKCS11_CKA_TRUSTED = 0x0086, 1043 PKCS11_CKA_CERTIFICATE_CATEGORY = 0x0087, 1044 PKCS11_CKA_JAVA_MIDP_SECURITY_DOMAIN = 0x0088, 1045 PKCS11_CKA_URL = 0x0089, 1046 PKCS11_CKA_HASH_OF_SUBJECT_PUBLIC_KEY = 0x008a, 1047 PKCS11_CKA_HASH_OF_ISSUER_PUBLIC_KEY = 0x008b, 1048 PKCS11_CKA_NAME_HASH_ALGORITHM = 0x008c, 1049 PKCS11_CKA_CHECK_VALUE = 0x0090, 1050 PKCS11_CKA_KEY_TYPE = 0x0100, 1051 PKCS11_CKA_SUBJECT = 0x0101, 1052 PKCS11_CKA_ID = 0x0102, 1053 PKCS11_CKA_SENSITIVE = 0x0103, 1054 PKCS11_CKA_ENCRYPT = 0x0104, 1055 PKCS11_CKA_DECRYPT = 0x0105, 1056 PKCS11_CKA_WRAP = 0x0106, 1057 PKCS11_CKA_UNWRAP = 0x0107, 1058 PKCS11_CKA_SIGN = 0x0108, 1059 PKCS11_CKA_SIGN_RECOVER = 0x0109, 1060 PKCS11_CKA_VERIFY = 0x010a, 1061 PKCS11_CKA_VERIFY_RECOVER = 0x010b, 1062 PKCS11_CKA_DERIVE = 0x010c, 1063 PKCS11_CKA_START_DATE = 0x0110, 1064 PKCS11_CKA_END_DATE = 0x0111, 1065 PKCS11_CKA_MODULUS = 0x0120, 1066 PKCS11_CKA_MODULUS_BITS = 0x0121, 1067 PKCS11_CKA_PUBLIC_EXPONENT = 0x0122, 1068 PKCS11_CKA_PRIVATE_EXPONENT = 0x0123, 1069 PKCS11_CKA_PRIME_1 = 0x0124, 1070 PKCS11_CKA_PRIME_2 = 0x0125, 1071 PKCS11_CKA_EXPONENT_1 = 0x0126, 1072 PKCS11_CKA_EXPONENT_2 = 0x0127, 1073 PKCS11_CKA_COEFFICIENT = 0x0128, 1074 PKCS11_CKA_PUBLIC_KEY_INFO = 0x0129, 1075 PKCS11_CKA_PRIME = 0x0130, 1076 PKCS11_CKA_SUBPRIME = 0x0131, 1077 PKCS11_CKA_BASE = 0x0132, 1078 PKCS11_CKA_PRIME_BITS = 0x0133, 1079 PKCS11_CKA_SUBPRIME_BITS = 0x0134, 1080 PKCS11_CKA_VALUE_BITS = 0x0160, 1081 PKCS11_CKA_VALUE_LEN = 0x0161, 1082 PKCS11_CKA_EXTRACTABLE = 0x0162, 1083 PKCS11_CKA_LOCAL = 0x0163, 1084 PKCS11_CKA_NEVER_EXTRACTABLE = 0x0164, 1085 PKCS11_CKA_ALWAYS_SENSITIVE = 0x0165, 1086 PKCS11_CKA_KEY_GEN_MECHANISM = 0x0166, 1087 PKCS11_CKA_MODIFIABLE = 0x0170, 1088 PKCS11_CKA_COPYABLE = 0x0171, 1089 PKCS11_CKA_DESTROYABLE = 0x0172, 1090 PKCS11_CKA_EC_PARAMS = 0x0180, 1091 PKCS11_CKA_EC_POINT = 0x0181, 1092 PKCS11_CKA_ALWAYS_AUTHENTICATE = 0x0202, 1093 PKCS11_CKA_WRAP_WITH_TRUSTED = 0x0210, 1094 /* 1095 * The leading 4 comes from the PKCS#11 spec or:ing with 1096 * CKF_ARRAY_ATTRIBUTE = 0x40000000. 1097 */ 1098 PKCS11_CKA_WRAP_TEMPLATE = 0x40000211, 1099 PKCS11_CKA_UNWRAP_TEMPLATE = 0x40000212, 1100 PKCS11_CKA_DERIVE_TEMPLATE = 0x40000213, 1101 PKCS11_CKA_OTP_FORMAT = 0x0220, 1102 PKCS11_CKA_OTP_LENGTH = 0x0221, 1103 PKCS11_CKA_OTP_TIME_INTERVAL = 0x0222, 1104 PKCS11_CKA_OTP_USER_FRIENDLY_MODE = 0x0223, 1105 PKCS11_CKA_OTP_CHALLENGE_REQUIREMENT = 0x0224, 1106 PKCS11_CKA_OTP_TIME_REQUIREMENT = 0x0225, 1107 PKCS11_CKA_OTP_COUNTER_REQUIREMENT = 0x0226, 1108 PKCS11_CKA_OTP_PIN_REQUIREMENT = 0x0227, 1109 PKCS11_CKA_OTP_COUNTER = 0x022e, 1110 PKCS11_CKA_OTP_TIME = 0x022f, 1111 PKCS11_CKA_OTP_USER_IDENTIFIER = 0x022a, 1112 PKCS11_CKA_OTP_SERVICE_IDENTIFIER = 0x022b, 1113 PKCS11_CKA_OTP_SERVICE_LOGO = 0x022c, 1114 PKCS11_CKA_OTP_SERVICE_LOGO_TYPE = 0x022d, 1115 PKCS11_CKA_GOSTR3410_PARAMS = 0x0250, 1116 PKCS11_CKA_GOSTR3411_PARAMS = 0x0251, 1117 PKCS11_CKA_GOST28147_PARAMS = 0x0252, 1118 PKCS11_CKA_HW_FEATURE_TYPE = 0x0300, 1119 PKCS11_CKA_RESET_ON_INIT = 0x0301, 1120 PKCS11_CKA_HAS_RESET = 0x0302, 1121 PKCS11_CKA_PIXEL_X = 0x0400, 1122 PKCS11_CKA_PIXEL_Y = 0x0401, 1123 PKCS11_CKA_RESOLUTION = 0x0402, 1124 PKCS11_CKA_CHAR_ROWS = 0x0403, 1125 PKCS11_CKA_CHAR_COLUMNS = 0x0404, 1126 PKCS11_CKA_COLOR = 0x0405, 1127 PKCS11_CKA_BITS_PER_PIXEL = 0x0406, 1128 PKCS11_CKA_CHAR_SETS = 0x0480, 1129 PKCS11_CKA_ENCODING_METHODS = 0x0481, 1130 PKCS11_CKA_MIME_TYPES = 0x0482, 1131 PKCS11_CKA_MECHANISM_TYPE = 0x0500, 1132 PKCS11_CKA_REQUIRED_CMS_ATTRIBUTES = 0x0501, 1133 PKCS11_CKA_DEFAULT_CMS_ATTRIBUTES = 0x0502, 1134 PKCS11_CKA_SUPPORTED_CMS_ATTRIBUTES = 0x0503, 1135 /* 1136 * The leading 4 comes from the PKCS#11 spec or:ing with 1137 * CKF_ARRAY_ATTRIBUTE = 0x40000000. 1138 */ 1139 PKCS11_CKA_ALLOWED_MECHANISMS = 0x40000600, 1140 /* Vendor extension: reserved for undefined ID (~0U) */ 1141 PKCS11_CKA_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 1142 }; 1143 1144 /* 1145 * Valid values for attribute PKCS11_CKA_CLASS 1146 * PKCS11_CKO_<x> reflects CryptoKi client API object class IDs CKO_<x>. 1147 */ 1148 enum pkcs11_class_id { 1149 PKCS11_CKO_DATA = 0x000, 1150 PKCS11_CKO_CERTIFICATE = 0x001, 1151 PKCS11_CKO_PUBLIC_KEY = 0x002, 1152 PKCS11_CKO_PRIVATE_KEY = 0x003, 1153 PKCS11_CKO_SECRET_KEY = 0x004, 1154 PKCS11_CKO_HW_FEATURE = 0x005, 1155 PKCS11_CKO_DOMAIN_PARAMETERS = 0x006, 1156 PKCS11_CKO_MECHANISM = 0x007, 1157 PKCS11_CKO_OTP_KEY = 0x008, 1158 /* Vendor extension: reserved for undefined ID (~0U) */ 1159 PKCS11_CKO_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 1160 }; 1161 1162 /* 1163 * Valid values for attribute PKCS11_CKA_KEY_TYPE 1164 * PKCS11_CKK_<x> reflects CryptoKi client API key type IDs CKK_<x>. 1165 * Note that this is only a subset of the PKCS#11 specification. 1166 */ 1167 enum pkcs11_key_type { 1168 PKCS11_CKK_RSA = 0x000, 1169 PKCS11_CKK_DSA = 0x001, 1170 PKCS11_CKK_DH = 0x002, 1171 PKCS11_CKK_EC = 0x003, 1172 PKCS11_CKK_GENERIC_SECRET = 0x010, 1173 PKCS11_CKK_AES = 0x01f, 1174 PKCS11_CKK_MD5_HMAC = 0x027, 1175 PKCS11_CKK_SHA_1_HMAC = 0x028, 1176 PKCS11_CKK_SHA256_HMAC = 0x02b, 1177 PKCS11_CKK_SHA384_HMAC = 0x02c, 1178 PKCS11_CKK_SHA512_HMAC = 0x02d, 1179 PKCS11_CKK_SHA224_HMAC = 0x02e, 1180 /* Vendor extension: reserved for undefined ID (~0U) */ 1181 PKCS11_CKK_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 1182 }; 1183 1184 /* 1185 * Valid values for attribute PKCS11_CKA_CERTIFICATE_TYPE 1186 */ 1187 enum pkcs11_certificate_type { 1188 PKCS11_CKC_X_509 = 0x00000000UL, 1189 PKCS11_CKC_X_509_ATTR_CERT = 0x00000001UL, 1190 PKCS11_CKC_WTLS = 0x00000002UL, 1191 /* Vendor extension: reserved for undefined ID (~0U) */ 1192 PKCS11_CKC_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 1193 }; 1194 1195 /* 1196 * Valid values for attribute PKCS11_CKA_CERTIFICATE_CATEGORY 1197 */ 1198 enum pkcs11_certificate_category { 1199 PKCS11_CK_CERTIFICATE_CATEGORY_UNSPECIFIED = 0UL, 1200 PKCS11_CK_CERTIFICATE_CATEGORY_TOKEN_USER = 1UL, 1201 PKCS11_CK_CERTIFICATE_CATEGORY_AUTHORITY = 2UL, 1202 PKCS11_CK_CERTIFICATE_CATEGORY_OTHER_ENTITY = 3UL, 1203 }; 1204 1205 /* 1206 * Valid values for mechanism IDs 1207 * PKCS11_CKM_<x> reflects CryptoKi client API mechanism IDs CKM_<x>. 1208 * Note that this will be extended as needed. 1209 */ 1210 enum pkcs11_mechanism_id { 1211 PKCS11_CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000, 1212 PKCS11_CKM_RSA_PKCS = 0x00001, 1213 PKCS11_CKM_MD5_RSA_PKCS = 0x00005, 1214 PKCS11_CKM_SHA1_RSA_PKCS = 0x00006, 1215 PKCS11_CKM_RSA_PKCS_OAEP = 0x00009, 1216 PKCS11_CKM_RSA_PKCS_PSS = 0x0000d, 1217 PKCS11_CKM_SHA1_RSA_PKCS_PSS = 0x0000e, 1218 PKCS11_CKM_SHA256_RSA_PKCS = 0x00040, 1219 PKCS11_CKM_SHA384_RSA_PKCS = 0x00041, 1220 PKCS11_CKM_SHA512_RSA_PKCS = 0x00042, 1221 PKCS11_CKM_SHA256_RSA_PKCS_PSS = 0x00043, 1222 PKCS11_CKM_SHA384_RSA_PKCS_PSS = 0x00044, 1223 PKCS11_CKM_SHA512_RSA_PKCS_PSS = 0x00045, 1224 PKCS11_CKM_SHA224_RSA_PKCS = 0x00046, 1225 PKCS11_CKM_SHA224_RSA_PKCS_PSS = 0x00047, 1226 PKCS11_CKM_MD5 = 0x00210, 1227 PKCS11_CKM_MD5_HMAC = 0x00211, 1228 PKCS11_CKM_MD5_HMAC_GENERAL = 0x00212, 1229 PKCS11_CKM_SHA_1 = 0x00220, 1230 PKCS11_CKM_SHA_1_HMAC = 0x00221, 1231 PKCS11_CKM_SHA_1_HMAC_GENERAL = 0x00222, 1232 PKCS11_CKM_SHA256 = 0x00250, 1233 PKCS11_CKM_SHA256_HMAC = 0x00251, 1234 PKCS11_CKM_SHA256_HMAC_GENERAL = 0x00252, 1235 PKCS11_CKM_SHA224 = 0x00255, 1236 PKCS11_CKM_SHA224_HMAC = 0x00256, 1237 PKCS11_CKM_SHA224_HMAC_GENERAL = 0x00257, 1238 PKCS11_CKM_SHA384 = 0x00260, 1239 PKCS11_CKM_SHA384_HMAC = 0x00261, 1240 PKCS11_CKM_SHA384_HMAC_GENERAL = 0x00262, 1241 PKCS11_CKM_SHA512 = 0x00270, 1242 PKCS11_CKM_SHA512_HMAC = 0x00271, 1243 PKCS11_CKM_SHA512_HMAC_GENERAL = 0x00272, 1244 PKCS11_CKM_GENERIC_SECRET_KEY_GEN = 0x00350, 1245 PKCS11_CKM_EC_KEY_PAIR_GEN = 0x01040, 1246 PKCS11_CKM_ECDSA = 0x01041, 1247 PKCS11_CKM_ECDSA_SHA1 = 0x01042, 1248 PKCS11_CKM_ECDSA_SHA224 = 0x01043, 1249 PKCS11_CKM_ECDSA_SHA256 = 0x01044, 1250 PKCS11_CKM_ECDSA_SHA384 = 0x01045, 1251 PKCS11_CKM_ECDSA_SHA512 = 0x01046, 1252 PKCS11_CKM_AES_KEY_GEN = 0x01080, 1253 PKCS11_CKM_AES_ECB = 0x01081, 1254 PKCS11_CKM_AES_CBC = 0x01082, 1255 PKCS11_CKM_AES_CBC_PAD = 0x01085, 1256 PKCS11_CKM_AES_CTR = 0x01086, 1257 PKCS11_CKM_AES_CTS = 0x01089, 1258 PKCS11_CKM_AES_CMAC = 0x0108a, 1259 PKCS11_CKM_AES_CMAC_GENERAL = 0x0108b, 1260 PKCS11_CKM_AES_ECB_ENCRYPT_DATA = 0x01104, 1261 PKCS11_CKM_AES_CBC_ENCRYPT_DATA = 0x01105, 1262 /* 1263 * Vendor extensions below. 1264 * PKCS11 added IDs for operation not related to a CK mechanism ID 1265 */ 1266 PKCS11_PROCESSING_IMPORT = 0x80000000, 1267 PKCS11_CKM_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 1268 }; 1269 1270 /* 1271 * PKCS11_CKD_<x> reflects CryptoKi client API key diff function IDs CKD_<x>. 1272 */ 1273 enum pkcs11_keydiff_id { 1274 PKCS11_CKD_NULL = 0x0001, 1275 /* Vendor extension: reserved for undefined ID (~0U) */ 1276 PKCS11_CKD_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 1277 }; 1278 1279 /* 1280 * Valid values MG function identifiers 1281 * PKCS11_CKG_<x> reflects CryptoKi client API MG function IDs CKG_<x>. 1282 */ 1283 enum pkcs11_mgf_id { 1284 PKCS11_CKG_MGF1_SHA1 = 0x0001, 1285 PKCS11_CKG_MGF1_SHA224 = 0x0005, 1286 PKCS11_CKG_MGF1_SHA256 = 0x0002, 1287 PKCS11_CKG_MGF1_SHA384 = 0x0003, 1288 PKCS11_CKG_MGF1_SHA512 = 0x0004, 1289 /* Vendor extension: reserved for undefined ID (~0U) */ 1290 PKCS11_CKG_UNDEFINED_ID = PKCS11_UNDEFINED_ID, 1291 }; 1292 1293 /* 1294 * Valid values for RSA PKCS/OAEP source type identifier 1295 * PKCS11_CKZ_<x> reflects CryptoKi client API source type IDs CKZ_<x>. 1296 */ 1297 #define PKCS11_CKZ_DATA_SPECIFIED 0x0001 1298 1299 #endif /*PKCS11_TA_H*/ 1300