ta: pkcs11: pkcs11_attributes.c: calculate KCV on key derive/unwarp

For when key is computed from a derivation or an unwrapping process, Modify set_secret_key_data() to fill in the CKA_CHECK_VALUE with the key check value (KCV) after CKA_VALUE is filled. Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
OP-TEE · Nov 30, 2023 · 99cd3c5 · 99cd3c5
1 parent 761ed24
commit 99cd3c5
Showing 1 changed file with 30 additions and 5 deletions.
diff --git a/ta/pkcs11/src/pkcs11_attributes.c b/ta/pkcs11/src/pkcs11_attributes.c
@@ -400,11 +400,11 @@ static const uint32_t symm_key_boolprops[] = {
 static const uint32_t symm_key_opt_or_null[] = {
 	PKCS11_CKA_WRAP_TEMPLATE, PKCS11_CKA_UNWRAP_TEMPLATE,
 	PKCS11_CKA_DERIVE_TEMPLATE, PKCS11_CKA_VALUE,
-	PKCS11_CKA_CHECK_VALUE,
 };
 
 static const uint32_t symm_key_optional[] = {
 	PKCS11_CKA_VALUE_LEN,
+	PKCS11_CKA_CHECK_VALUE,
 };
 
 /* PKCS#11 specification for any asymmetric public key (+any_key_xxx) */
@@ -2174,6 +2174,7 @@ static bool attr_is_modifiable_secret_key(struct pkcs11_attribute_head *attr,
 	case PKCS11_CKA_VERIFY:
 	case PKCS11_CKA_WRAP:
 	case PKCS11_CKA_UNWRAP:
+	case PKCS11_CKA_CHECK_VALUE:
 		return true;
 	/* Can't be modified once set to CK_FALSE - 12 in Table 10 */
 	case PKCS11_CKA_EXTRACTABLE:
@@ -2188,9 +2189,6 @@ static bool attr_is_modifiable_secret_key(struct pkcs11_attribute_head *attr,
 	case PKCS11_CKA_NEVER_EXTRACTABLE:
 	case PKCS11_CKA_ALWAYS_SENSITIVE:
 		return false;
-	/* CKA_CHECK_VALUE cannot be changed once it has been set. */
-	case PKCS11_CKA_CHECK_VALUE:
-		return false;
 	default:
 		return false;
 	}
@@ -2455,6 +2453,8 @@ static enum pkcs11_rc set_secret_key_data(struct obj_attrs **head, void *data,
 	uint32_t size = sizeof(uint32_t);
 	uint32_t key_length = 0;
 	enum pkcs11_rc rc = PKCS11_CKR_GENERAL_ERROR;
+	void *kcv = NULL;
+	uint32_t kcv_len = 0;
 
 	/* Get key size if present in template */
 	rc = get_attribute(*head, PKCS11_CKA_VALUE_LEN, &key_length, &size);
@@ -2482,7 +2482,32 @@ static enum pkcs11_rc set_secret_key_data(struct obj_attrs **head, void *data,
 	if (rc != PKCS11_CKR_OK && rc != PKCS11_RV_NOT_FOUND)
 		return PKCS11_CKR_GENERAL_ERROR;
 
-	return add_attribute(head, PKCS11_CKA_VALUE, data, key_length);
+	rc = add_attribute(head, PKCS11_CKA_VALUE, data, key_length);
+	if (rc != PKCS11_CKR_OK)
+		return rc;
+
+	/* Remove the default empty check value attribute if found */
+	rc = remove_empty_attribute(head, PKCS11_CKA_CHECK_VALUE);
+	if (rc != PKCS11_CKR_OK && rc != PKCS11_RV_NOT_FOUND)
+		return  PKCS11_CKR_GENERAL_ERROR;
+
+	/* Get key check value size */
+	rc = aes_get_check_value_size(data, key_length, &kcv_len);
+	if (rc)
+		return rc;
+
+	kcv = TEE_Malloc(kcv_len, TEE_MALLOC_FILL_ZERO);
+	if (!kcv)
+		return PKCS11_CKR_DEVICE_MEMORY;
+
+	/* Compute and add the key check sum value*/
+	rc = aes_compute_check_value(data, key_length, kcv, &kcv_len);
+	if (rc == PKCS11_CKR_OK)
+		rc = add_attribute(head, PKCS11_CKA_CHECK_VALUE, kcv, kcv_len);
+
+	TEE_Free(kcv);
+
+	return rc;
 }
 
 static enum pkcs11_rc set_private_key_data_rsa(struct obj_attrs **head,