New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkcs11-tool: add support for AES/GCM encryption and decryption #2927
base: master
Are you sure you want to change the base?
Conversation
iv = get_iv(opt_iv, &iv_size); | ||
gcm_params.pIv = iv; | ||
gcm_params.ulIvLen = iv_size; | ||
gcm_params.ulIvBits = iv_size * 8; // no one seems to know what this is for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The section 2.13.5 AES GCM and CCM Mechanism parameters says:
ulIvBits
length of initialization vector in bits. Do no use ulIvBits to specify the length of the initialization vector, but ulIvLen instead.
so I would drop this.
https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061261
gcm_params.pAAD = aad; | ||
gcm_params.ulAADLen = aad_size; | ||
|
||
gcm_params.ulTagBits = opt_tag_len * 8; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would sanity-check that the value is in the bounds required by the specs. From the above linked section, it should be between 0 and 128
rv = p11->C_DecryptInit(session, &mech, key); | ||
if (rv != CKR_OK) | ||
p11_fatal("C_DecryptInit", rv); | ||
if ((getCLASS(session, key) == CKO_PRIVATE_KEY) && getALWAYS_AUTHENTICATE(session, key)) | ||
login(session, CKU_CONTEXT_SPECIFIC); | ||
out_len = sizeof(out_buffer); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is still a lot of duplicated code. In both of these conditions, this block is the same. Would it be possible to rewrite it to avoid the code duplication by placing this part before the newly introduced condition?
Regarding testing, I would consider to run some automated against some software token. I think NSS softoken supports GCM ciphers and given that it can now take a path to NSS db in the environment variable [1], it should not be very complicated to integrated into the CI (see for example pkcs11-provider [2]). [1] nss-dev/nss@c0bbdc4 |
Adds support for
--encrypt
and--decrypt
when using-m AES-GCM
.Note that due to AES-GCM being a cipher method with authenticated data, multipart decryption doesn't return any data until C_DecryptFinal. This implementation decrypts the entire ciphertext in memory and uses a single C_Decrypt call for inputs of all sizes.
Tested (manually) on the latest version of SoftHSMv2
Checklist