PKCS11: Add support for KDF after ECDH derivation (#388)

PKCS11: Add support for ECDH derivation with KDF functions
Yubico · Mar 25, 2024 · 5e73b19 · 5e73b19
1 parent 9bf4436
commit 5e73b19
Show file tree

Hide file tree

Showing 7 changed files with 711 additions and 39 deletions.
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -436,7 +436,7 @@ jobs:
             ctest --output-on-failure -E engine
           elif [ $DOCKER_IMAGE = "centos:7" ]; then
             # we skip the ecdh_derive tests (for now) since there is an issue with generating secp224r1 keys
-            ctest --output-on-failure -E ecdh_derive\|aes
+            ctest --output-on-failure -E ecdh_derive\|aes\|ecdh_sp800
           else
             ctest --output-on-failure
           fi

diff --git a/pkcs11/pkcs11y.h b/pkcs11/pkcs11y.h
@@ -33,4 +33,10 @@
 #define CKM_YUBICO_AES_CCM_WRAP                                                \
   (CKM_VENDOR_DEFINED | YUBICO_BASE_VENDOR | YH_WRAP_KEY)
 
+// TODO: These values are from PKCS11 3.0 and should be removed when we upgrade
+#define CKD_YUBICO_SHA1_KDF_SP800 0x0000000EUL
+#define CKD_YUBICO_SHA256_KDF_SP800 0x00000010UL
+#define CKD_YUBICO_SHA384_KDF_SP800 0x00000011UL
+#define CKD_YUBICO_SHA512_KDF_SP800 0x00000012UL
+
 #endif
diff --git a/pkcs11/tests/CMakeLists.txt b/pkcs11/tests/CMakeLists.txt
@@ -203,6 +203,12 @@ set (
   common.c
   )
 
+set (
+        SOURCE_ECDH_SP800
+        ecdh_sp800_test.c
+        common.c
+)
+
 set (
   SOURCE_AES_ENCRYPT
   aes_encrypt_test.c
@@ -224,6 +230,7 @@ set (
 if(NOT ${CMAKE_SYSTEM_NAME} MATCHES "Windows")
 add_executable (aes_encrypt_test ${SOURCE_AES_ENCRYPT})
 add_executable (ecdh_derive_test ${SOURCE_ECDH_DERIVE})
+add_executable (ecdh_sp800_test ${SOURCE_ECDH_SP800})
 
 target_link_libraries(
   aes_encrypt_test
@@ -240,11 +247,21 @@ target_link_libraries (
   ${LIBCRYPTO_LDFLAGS}
   "-ldl")
 
+target_link_libraries (
+        ecdh_sp800_test
+        ${LIBCRYPTO_LDFLAGS}
+        "-ldl")
+
 add_test (
   NAME ecdh_derive_test
   COMMAND ${CMAKE_CURRENT_BINARY_DIR}/ecdh_derive_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT}
   )
 
+add_test (
+        NAME ecdh_sp800_test
+        COMMAND ${CMAKE_CURRENT_BINARY_DIR}/ecdh_sp800_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT}
+)
+
 if (NOT ${LIBCRYPTO_VERSION} VERSION_LESS 1.1)
   add_executable (rsa_enc_test ${SOURCE_RSA_ENC_TEST})