Update corePKCS11 and PKCS #11 PAL interfaces with latest changes (#2994

) * Remove PKCS #11 PAL destoy object config flag. * Update corePKCS11 submodule. Add Destroy object implementation to ports lacking one.
aws · Feb 25, 2021 · d52fe81 · d52fe81
1 parent 079e6a2
commit d52fe81
Show file tree

Hide file tree

Showing 57 changed files with 1,470 additions and 340 deletions.
diff --git a/libraries/abstractions/pkcs11/corePKCS11 b/libraries/abstractions/pkcs11/corePKCS11
diff --git a/tests/unit_test/linux/config_files/core_pkcs11_config.h b/tests/unit_test/linux/config_files/core_pkcs11_config.h
@@ -96,14 +96,6 @@
  */
 #define pkcs11configMAX_SESSIONS                           10
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
-
 /**
  * @brief Set to 1 if OTA image verification via PKCS #11 module is supported.
  *

diff --git a/vendors/cypress/boards/CY8CKIT_064S0S2_4343W/aws_demos/config_files/core_pkcs11_config.h b/vendors/cypress/boards/CY8CKIT_064S0S2_4343W/aws_demos/config_files/core_pkcs11_config.h
@@ -99,13 +99,6 @@
  */
 #define pkcs11configMAX_SESSIONS                           10
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
 
 /**
  * @brief Set to 1 if OTA image verification via PKCS #11 module is supported.

diff --git a/vendors/cypress/boards/CY8CKIT_064S0S2_4343W/aws_tests/config_files/core_pkcs11_config.h b/vendors/cypress/boards/CY8CKIT_064S0S2_4343W/aws_tests/config_files/core_pkcs11_config.h
@@ -93,13 +93,6 @@
  */
 #define pkcs11configMAX_NUM_OBJECTS      6
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
 
 /**
  * @brief Set to 1 if OTA image verification via PKCS #11 module is supported.

diff --git a/vendors/cypress/boards/CYW943907AEVAL1F/aws_demos/config_files/core_pkcs11_config.h b/vendors/cypress/boards/CYW943907AEVAL1F/aws_demos/config_files/core_pkcs11_config.h
@@ -99,13 +99,6 @@
  */
 #define pkcs11configMAX_SESSIONS                           10
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
 
 /**
  * @brief Set to 1 if OTA image verification via PKCS #11 module is supported.

diff --git a/vendors/cypress/boards/CYW943907AEVAL1F/aws_tests/config_files/core_pkcs11_config.h b/vendors/cypress/boards/CYW943907AEVAL1F/aws_tests/config_files/core_pkcs11_config.h
@@ -99,13 +99,6 @@
  */
 #define pkcs11configMAX_SESSIONS                           10
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
 
 /**
  * @brief Set to 1 if OTA image verification via PKCS #11 module is supported.

diff --git a/vendors/cypress/boards/CYW943907AEVAL1F/ports/pkcs11/core_pkcs11_pal.c b/vendors/cypress/boards/CYW943907AEVAL1F/ports/pkcs11/core_pkcs11_pal.c
@@ -43,6 +43,7 @@
 #include "iot_crypto.h"
 #include "core_pkcs11.h"
 #include "core_pkcs11_config.h"
+#include "core_pkcs11_pal.h"
 #include "FreeRTOS.h"
 
 /* C runtime includes. */
@@ -223,10 +224,12 @@ CK_OBJECT_HANDLE PKCS11_PAL_FindObject( CK_BYTE_PTR pxLabel,
         /* Attempt to read the object to see if something valid is there. */
         xResult = PKCS11_PAL_GetObjectValue(xHandle, &pucData, &xDataSize, &xIsPrivate );
 
-        if (xResult != CK_INVALID_HANDLE)
+        if( ( xResult != CKR_OK ) || ( pucData[ 0 ] == 0x00 ) )
         {
-            xHandle = 0;
+            xHandle = eInvalidHandle;
         }
+
+        PKCS11_PAL_GetObjectValueCleanup( pucData, xDataSize );
     }
 
     return xHandle;
@@ -357,3 +360,95 @@ void PKCS11_PAL_GetObjectValueCleanup( CK_BYTE_PTR pucData,
 }
 
 /*-----------------------------------------------------------*/
+
+/* Converts a handle to its respective label. */
+void prvHandleToLabel( char ** pcLabel,
+                       CK_OBJECT_HANDLE xHandle )
+{
+    if( pcLabel != NULL )
+    {
+        switch( xHandle )
+        {
+            case eAwsDeviceCertificate:
+                *pcLabel = ( char * ) pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS;
+                break;
+
+            case eAwsDevicePrivateKey:
+                *pcLabel = ( char * ) pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS;
+                break;
+
+            case eAwsDevicePublicKey:
+                *pcLabel = ( char * ) pkcs11configLABEL_DEVICE_PUBLIC_KEY_FOR_TLS;
+                break;
+
+            case eAwsCodeSigningKey:
+                *pcLabel = ( char * ) pkcs11configLABEL_CODE_VERIFICATION_KEY;
+                break;
+
+            default:
+                *pcLabel = NULL;
+                break;
+        }
+    }
+}
+
+CK_RV PKCS11_PAL_DestroyObject( CK_OBJECT_HANDLE xHandle )
+{
+    CK_RV xResult = CKR_OK;
+    CK_BYTE_PTR pxZeroedData = NULL;
+    CK_BYTE_PTR pxObject = NULL;
+    CK_BBOOL xIsPrivate = ( CK_BBOOL ) CK_TRUE;
+    CK_OBJECT_HANDLE xPalHandle2 = CK_INVALID_HANDLE;
+    CK_ULONG ulObjectLength = sizeof( CK_BYTE );
+    char * pcLabel = NULL;
+    CK_ATTRIBUTE xLabel;
+
+    prvHandleToLabel( &pcLabel, xHandle );
+
+    if( pcLabel != NULL )
+    {
+        xLabel.type = CKA_LABEL;
+        xLabel.pValue = pcLabel;
+        xLabel.ulValueLen = strlen( pcLabel );
+
+        xResult = PKCS11_PAL_GetObjectValue( xHandle, &pxObject, &ulObjectLength, &xIsPrivate );
+    }   
+    else
+    {
+        xResult = CKR_OBJECT_HANDLE_INVALID;
+    }   
+
+    if( xResult == CKR_OK )
+    {
+        /* Some ports return a pointer to memory for which using memset directly won't work. */
+        pxZeroedData = pvPortMalloc( ulObjectLength );
+
+        if( NULL != pxZeroedData )
+        {
+            /* Zero out the object. */
+            ( void ) memset( pxZeroedData, 0x0, ulObjectLength );
+
+            /* Overwrite the object in NVM with zeros. */
+            xPalHandle2 = PKCS11_PAL_SaveObject( &xLabel, pxZeroedData, ( size_t ) ulObjectLength );
+
+            if( xPalHandle2 != xHandle )
+            {
+                xResult = CKR_GENERAL_ERROR;
+            }
+
+            vPortFree( pxZeroedData );
+        }
+        else
+        {
+            xResult = CKR_HOST_MEMORY;
+        }
+
+        PKCS11_PAL_GetObjectValueCleanup( pxObject, ulObjectLength );
+    }
+    else
+    {
+        xResult = CKR_GENERAL_ERROR;
+    }
+
+    return xResult;
+}
diff --git a/vendors/cypress/boards/CYW954907AEVAL1F/aws_demos/config_files/core_pkcs11_config.h b/vendors/cypress/boards/CYW954907AEVAL1F/aws_demos/config_files/core_pkcs11_config.h
@@ -99,13 +99,6 @@
  */
 #define pkcs11configMAX_SESSIONS                           10
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
 
 /**
  * @brief Set to 1 if OTA image verification via PKCS #11 module is supported.

diff --git a/vendors/cypress/boards/CYW954907AEVAL1F/aws_tests/config_files/core_pkcs11_config.h b/vendors/cypress/boards/CYW954907AEVAL1F/aws_tests/config_files/core_pkcs11_config.h
@@ -99,13 +99,6 @@
  */
 #define pkcs11configMAX_SESSIONS                           10
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
 
 /**
  * @brief Set to 1 if OTA image verification via PKCS #11 module is supported.

diff --git a/vendors/cypress/boards/CYW954907AEVAL1F/ports/pkcs11/core_pkcs11_pal.c b/vendors/cypress/boards/CYW954907AEVAL1F/ports/pkcs11/core_pkcs11_pal.c
@@ -43,6 +43,7 @@
 #include "iot_crypto.h"
 #include "core_pkcs11.h"
 #include "core_pkcs11_config.h"
+#include "core_pkcs11_pal.h"
 #include "FreeRTOS.h"
 
 /* C runtime includes. */
@@ -224,10 +225,12 @@ CK_OBJECT_HANDLE PKCS11_PAL_FindObject( CK_BYTE_PTR pxLabel,
         /* Attempt to read the object to see if something valid is there. */
         xResult = PKCS11_PAL_GetObjectValue(xHandle, &pucData, &xDataSize, &xIsPrivate );
 
-        if (xResult != CK_INVALID_HANDLE)
+        if( ( xResult != CKR_OK ) || ( pucData[ 0 ] == 0x00 ) )
         {
-            xHandle = 0;
+            xHandle = eInvalidHandle;
         }
+
+        PKCS11_PAL_GetObjectValueCleanup( pucData, xDataSize );
     }
 
     return xHandle;
@@ -358,3 +361,95 @@ void PKCS11_PAL_GetObjectValueCleanup( CK_BYTE_PTR pucData,
 }
 
 /*-----------------------------------------------------------*/
+
+/* Converts a handle to its respective label. */
+void prvHandleToLabel( char ** pcLabel,
+                       CK_OBJECT_HANDLE xHandle )
+{
+    if( pcLabel != NULL )
+    {
+        switch( xHandle )
+        {
+            case eAwsDeviceCertificate:
+                *pcLabel = ( char * ) pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS;
+                break;
+
+            case eAwsDevicePrivateKey:
+                *pcLabel = ( char * ) pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS;
+                break;
+
+            case eAwsDevicePublicKey:
+                *pcLabel = ( char * ) pkcs11configLABEL_DEVICE_PUBLIC_KEY_FOR_TLS;
+                break;
+
+            case eAwsCodeSigningKey:
+                *pcLabel = ( char * ) pkcs11configLABEL_CODE_VERIFICATION_KEY;
+                break;
+
+            default:
+                *pcLabel = NULL;
+                break;
+        }
+    }
+}
+
+CK_RV PKCS11_PAL_DestroyObject( CK_OBJECT_HANDLE xHandle )
+{
+    CK_RV xResult = CKR_OK;
+    CK_BYTE_PTR pxZeroedData = NULL;
+    CK_BYTE_PTR pxObject = NULL;
+    CK_BBOOL xIsPrivate = ( CK_BBOOL ) CK_TRUE;
+    CK_OBJECT_HANDLE xPalHandle2 = CK_INVALID_HANDLE;
+    CK_ULONG ulObjectLength = sizeof( CK_BYTE );
+    char * pcLabel = NULL;
+    CK_ATTRIBUTE xLabel;
+
+    prvHandleToLabel( &pcLabel, xHandle );
+
+    if( pcLabel != NULL )
+    {
+        xLabel.type = CKA_LABEL;
+        xLabel.pValue = pcLabel;
+        xLabel.ulValueLen = strlen( pcLabel );
+
+        xResult = PKCS11_PAL_GetObjectValue( xHandle, &pxObject, &ulObjectLength, &xIsPrivate );
+    }   
+    else
+    {
+        xResult = CKR_OBJECT_HANDLE_INVALID;
+    }   
+
+    if( xResult == CKR_OK )
+    {
+        /* Some ports return a pointer to memory for which using memset directly won't work. */
+        pxZeroedData = pvPortMalloc( ulObjectLength );
+
+        if( NULL != pxZeroedData )
+        {
+            /* Zero out the object. */
+            ( void ) memset( pxZeroedData, 0x0, ulObjectLength );
+
+            /* Overwrite the object in NVM with zeros. */
+            xPalHandle2 = PKCS11_PAL_SaveObject( &xLabel, pxZeroedData, ( size_t ) ulObjectLength );
+
+            if( xPalHandle2 != xHandle )
+            {
+                xResult = CKR_GENERAL_ERROR;
+            }
+
+            vPortFree( pxZeroedData );
+        }
+        else
+        {
+            xResult = CKR_HOST_MEMORY;
+        }
+
+        PKCS11_PAL_GetObjectValueCleanup( pxObject, ulObjectLength );
+    }
+    else
+    {
+        xResult = CKR_GENERAL_ERROR;
+    }
+
+    return xResult;
+}
diff --git a/.../espressif/boards/esp32/aws_demos/config_files/default_pkcs11_config/core_pkcs11_config.h b/.../espressif/boards/esp32/aws_demos/config_files/default_pkcs11_config/core_pkcs11_config.h
@@ -110,13 +110,6 @@
  */
 #define pkcs11configMAX_SESSIONS                           10UL
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
 
 /**
  * @brief Set to 1 if OTA image verification via PKCS #11 module is supported.

diff --git a/.../espressif/boards/esp32/aws_demos/config_files/ecc608a_pkcs11_config/core_pkcs11_config.h b/.../espressif/boards/esp32/aws_demos/config_files/ecc608a_pkcs11_config/core_pkcs11_config.h
@@ -111,13 +111,6 @@ extern const char * pcPkcs11GetThingName(void);
  */
 #define pkcs11configMAX_NUM_OBJECTS      6
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
 
 /**
  * @brief Set to 1 if importing device private key via C_CreateObject is supported.  0 if not.

diff --git a/.../espressif/boards/esp32/aws_tests/config_files/default_pkcs11_config/core_pkcs11_config.h b/.../espressif/boards/esp32/aws_tests/config_files/default_pkcs11_config/core_pkcs11_config.h
@@ -109,13 +109,6 @@
  */
 #define pkcs11configMAX_SESSIONS                           10
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
 
 /**
  * @brief Set to 1 if OTA image verification via PKCS #11 module is supported.

diff --git a/.../espressif/boards/esp32/aws_tests/config_files/ecc608a_pkcs11_config/core_pkcs11_config.h b/.../espressif/boards/esp32/aws_tests/config_files/ecc608a_pkcs11_config/core_pkcs11_config.h
@@ -94,13 +94,6 @@
  */
 #define pkcs11configMAX_NUM_OBJECTS                        6
 
-/**
- * @brief Set to 1 if a PAL destroy object is implemented.
- *
- * If set to 0, no PAL destroy object is implemented, and this functionality
- * is implemented in the common PKCS #11 layer.
- */
-#define pkcs11configPAL_DESTROY_SUPPORTED                  0
 
 /*
  * @brief Set to 1 if importing device private key via C_CreateObject is supported.  0 if not.
+15 −0		.github/memory_statistics_config.json
+31 −2		.github/workflows/ci.yml
+22 −0		.github/workflows/memory_statistics.yml
+3 −0		.gitignore
+2 −2		.gitmodules
+5 −2		docs/doxygen/config.doxyfile
+30 −0		docs/doxygen/include/size_table.html
+64 −41		docs/doxygen/pages.dox
+3 −2		lexicon.txt
+87 −190		source/portable/mbedtls/core_pkcs11_mbedtls.c
+28 −1		source/portable/posix/core_pkcs11_pal.c
+109 −41		source/portable/windows/core_pkcs11_pal.c
+8 −2		test/CMakeLists.txt
+0 −1		test/cbmc/aws-build-accumulator
+1 −9		test/cbmc/include/core_pkcs11_config.h
+0 −0		test/cbmc/include/mbedtls_config.h
+1 −0		test/cbmc/litani
+17 −6		test/cbmc/proofs/C_CloseSession/C_CloseSession_harness.c
+4 −1		test/cbmc/proofs/C_CloseSession/Makefile
+15 −15		test/cbmc/proofs/C_CreateObject/C_CreateObject_harness.c
+13 −3		test/cbmc/proofs/C_CreateObject/Makefile
+9 −13		test/cbmc/proofs/C_DestroyObject/C_DestroyObject_harness.c
+13 −5		test/cbmc/proofs/C_DestroyObject/Makefile
+15 −25		test/cbmc/proofs/C_DigestFinal/C_DigestFinal_harness.c
+4 −9		test/cbmc/proofs/C_DigestInit/C_DigestInit_harness.c
+9 −17		test/cbmc/proofs/C_DigestUpdate/C_DigestUpdate_harness.c
+1 −0		test/cbmc/proofs/C_FindObjects/C_FindObjects_harness.c
+1 −0		test/cbmc/proofs/C_FindObjectsFinal/C_FindObjectsFinal_harness.c
+7 −13		test/cbmc/proofs/C_GenerateKeyPair/C_GenerateKeyPair_harness.c
+1 −0		test/cbmc/proofs/C_GenerateKeyPair/Makefile
+3 −5		test/cbmc/proofs/C_GenerateRandom/C_GenerateRandom_harness.c
+11 −13		test/cbmc/proofs/C_GetAttributeValue/C_GetAttributeValue_harness.c
+5 −0		test/cbmc/proofs/C_GetAttributeValue/Makefile
+2 −3		test/cbmc/proofs/C_GetFunctionList/C_GetFunctionList_harness.c
+2 −3		test/cbmc/proofs/C_GetMechanismInfo/C_GetMechanismInfo_harness.c
+13 −10		test/cbmc/proofs/C_GetSlotList/C_GetSlotList_harness.c
+3 −0		test/cbmc/proofs/C_GetSlotList/Makefile
+7 −1		test/cbmc/proofs/C_Initialize/Makefile
+5 −7		test/cbmc/proofs/C_OpenSession/C_OpenSession_harness.c
+2 −1		test/cbmc/proofs/C_OpenSession/Makefile
+17 −26		test/cbmc/proofs/C_Sign/C_Sign_harness.c
+5 −1		test/cbmc/proofs/C_Sign/Makefile
+10 −8		test/cbmc/proofs/C_SignInit/C_SignInit_harness.c
+5 −1		test/cbmc/proofs/C_SignInit/Makefile
+13 −24		test/cbmc/proofs/C_Verify/C_Verify_harness.c
+5 −1		test/cbmc/proofs/C_Verify/Makefile
+10 −8		test/cbmc/proofs/C_VerifyInit/C_VerifyInit_harness.c
+5 −1		test/cbmc/proofs/C_VerifyInit/Makefile
+0 −1		test/cbmc/proofs/Makefile-project-defines
+1 −1		test/cbmc/proofs/Makefile-template-defines
+4 −4		test/cbmc/proofs/PKI_mbedTLSSignatureToPkcs11Signature/PKI_mbedTLSSignatureToPkcs11Signature_harness.c
+4 −4		test/cbmc/proofs/PKI_pkcs11SignatureTombedTLSSignature/PKI_pkcs11SignatureTombedTLSSignature_harness.c
+0 −0		test/cbmc/proofs/run-cbmc-proofs.py
+2 −4		test/cbmc/proofs/vAppendSHA256AlgorithmIdentifierSequence/vAppendSHA256AlgorithmIdentifierSequence_harness.c
+8 −3		test/cbmc/proofs/xFindObjectWithLabelAndClass/Makefile
+6 −6		test/cbmc/proofs/xFindObjectWithLabelAndClass/xFindObjectWithLabelAndClass_harness.c
+3 −3		test/cbmc/proofs/xGetSlotList/xGetSlotList_harness.c
+1 −4		test/cbmc/proofs/xInitializePKCS11/xInitializePKCS11_harness.c
+2 −2		test/cbmc/proofs/xInitializePkcs11Session/xInitializePkcs11Session_harness.c
+1 −3		test/cbmc/proofs/xInitializePkcs11Token/xInitializePkcs11Token_harness.c
+13 −1		test/cbmc/stubs/core_pkcs11_pal_stubs.c
+3 −3		test/cbmc/stubs/core_pki_utils_stubs.c
+31 −74		test/cbmc/stubs/pkcs11_interface_stubs.c
+0 −0		test/shared-config/logging_levels.h
+0 −0		test/shared-config/logging_stack.h
+119 −0		test/system-test/CMakeLists.txt
+2,031 −0		test/system-test/system-tests/pkcs11_system_test.c
+179 −0		test/system-test/test-config/core_pkcs11_config.h
+121 −0		test/system-test/test-config/core_test_pkcs11_config.h
+3,363 −0		test/system-test/test-config/mbedtls_config.h
+2 −2		test/unit-test/CMakeLists.txt
+0 −8		test/unit-test/config/core_pkcs11_config.h
+44 −169		test/unit-test/core_pkcs11_mbedtls_utest.c