ta: pkcs11: CKM_RSA_X_509 ("raw RSA") support #7030

Merged: 2 commits, Nov 22, 2024

etienne-lms
Contributor

Add support for raw RSA operation in the pkcs11 TA.

These changes are mainly driven by the need to support CKM_RSA_X_509 signing operation for devices using PKCS#11 API with some TLSv1.2 connections.

This is somewhat related to old #3701.

github-actions bot commented Oct 7, 2024

This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.

@github-actions github-actions bot added the Stale label Oct 7, 2024
@jforissier jforissier removed the Stale label Oct 7, 2024
@etienne-lms
Contributor Author

Dear pkcs11 TA contributor, any comments on this change?

This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.

@github-actions github-actions bot added the Stale label Nov 14, 2024
@etienne-lms
Contributor Author

etienne-lms commented Nov 14, 2024

It seems there is not much interest in this change. If so, I guess I'll drop it.

@github-actions github-actions bot removed the Stale label Nov 15, 2024
@etienne-lms
Contributor Author

I propose to add a config switch to embed or not raw RSA support in the pkcs11 TA.
@Emantor, @vesajaaskelainen, any feedback?

Contributor

@Emantor Emantor left a comment

Looks good to me, introduction of a CFG_ switch also looks good.
Do you still plan to revive the test PR?

@etienne-lms
Contributor Author

Yes.
May I add your Acked-by: tag on these commits?

@Emantor
Contributor

Emantor commented Nov 21, 2024

Sure!
Acked-by: Rouven Czerwinski <[email protected]>

AMARSTM and others added 2 commits November 21, 2024 15:56
Add support for CKM_RSA_X_509 mechanism for sign/verify operations.

Sign and verify operations are processed using TEE decrypt/encrypt
operation since GP TEE Internal Core API specification only allows
these modes for TEE_ALG_RSA_NOPAD algorithm. The pkcs11 TA only supports
sign operation when the provided payload is exactly of the same size
as the RSA key used and checks the generated signature is of the right size.

This mechanism can be needed to support CKM_RSA_X_509 for TLSv1.2
connections.

Add CFG_PKCS11_TA_RSA_X_509 to allow configuring the pkcs11 TA
with or without raw RSA crypto support. The config switch is default
enabled.

Signed-off-by: Alexandre Marechal <[email protected]>
Signed-off-by: Etienne Carriere <[email protected]>
Acked-by: Rouven Czerwinski <[email protected]>

Add support for CKM_RSA_X_509 mechanism for encrypt/decrypt operations.

Signed-off-by: Alexandre Marechal <[email protected]>
Signed-off-by: Etienne Carriere <[email protected]>
Acked-by: Rouven Czerwinski <[email protected]>
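
Added example (not part of the pull request or of the OP-TEE code): a Python model of the raw RSA behaviour the first commit message describes, where sign is the no-padding private-key primitive, the payload must be exactly the key size, and any padding is the caller's job. The demo key, the function names and the choice of an EMSA-PKCS1-v1_5/SHA-256 block as the caller's encoding are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key built from two Mersenne primes: insecure, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # key (modulus) size in bytes: 141

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def raw_rsa(block: bytes, exponent: int) -> bytes:
    """No-padding RSA primitive: block^exponent mod N, fixed-size output."""
    m = int.from_bytes(block, "big")
    if m >= N:
        raise ValueError("input integer must be below the modulus")
    return pow(m, exponent, N).to_bytes(K, "big")


def x509_sign(payload: bytes) -> bytes:
    """Raw sign = private-key ("decrypt") primitive, with the size checks
    the commit message describes (hypothetical function name)."""
    if len(payload) != K:
        raise ValueError("payload must be exactly the key size")
    signature = raw_rsa(payload, D)
    if len(signature) != K:
        raise ValueError("unexpected signature size")
    return signature


def x509_verify(payload: bytes, signature: bytes) -> bool:
    """Raw verify = public-key ("encrypt") primitive plus comparison."""
    if len(payload) != K or len(signature) != K:
        return False
    try:
        recovered = raw_rsa(signature, E)
    except ValueError:
        return False
    return hmac.compare_digest(recovered, payload)


def emsa_pkcs1_v15_sha256(message: bytes) -> bytes:
    """Caller-side padding: the raw mechanism adds none, so the caller
    builds the full key-size block (00 01 FF.. 00 DigestInfo) itself."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
```

The size check cannot tell a correctly padded block from any other key-size payload, so the soundness of the encoding rests entirely with the caller.
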
@etienne-lms
Contributor Author

Thanks. Review tag applied.
I've created OP-TEE/optee_test#762 to revive the test part.

@jforissier jforissier merged commit b7abff7 into OP-TEE:master Nov 22, 2024
9 checks passed
@etienne-lms etienne-lms deleted the pkcs11-raw-rsa branch December 11, 2024 14:26