feat: add HKDF mechanisms

Direktor799 · Direktor799 · commit 6ff4c8ab0bce · 2024-10-23T12:46:55.000+08:00
Signed-off-by: Direktor799 &lt;priceclaptrap@hotmail.com&gt;
diff --git a/cryptoki/src/mechanism/hkdf.rs b/cryptoki/src/mechanism/hkdf.rs
@@ -0,0 +1,116 @@
+//! Mechanisms of hash-based key derive function (HKDF)
+//! See: <https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061597>
+
+use std::{convert::TryInto, marker::PhantomData, ptr::null_mut, slice};
+
+use cryptoki_sys::{CKF_HKDF_SALT_DATA, CKF_HKDF_SALT_KEY, CKF_HKDF_SALT_NULL};
+
+use crate::object::ObjectHandle;
+
+use super::MechanismType;
+
+#[derive(Debug, Clone, Copy)]
+/// The salt for the extract stage.
+pub enum HkdfSalt<'a> {
+    /// CKF_HKDF_SALT_NULL no salt is supplied.
+    Null,
+    /// CKF_HKDF_SALT_DATA salt is supplied as a data in pSalt with length ulSaltLen.
+    Data(&'a [u8]),
+    /// CKF_HKDF_SALT_KEY salt is supplied as a key in hSaltKey
+    Key(ObjectHandle),
+}
+
+/// HKDF parameters.
+///
+/// This structure wraps a `CK_HKDF_PARAMS` structure.
+#[derive(Debug, Clone, Copy)]
+#[repr(transparent)]
+pub struct HkdfParams<'a> {
+    inner: cryptoki_sys::CK_HKDF_PARAMS,
+    /// Marker type to ensure we don't outlive the data
+    _marker: PhantomData<&'a [u8]>,
+}
+
+impl<'a> HkdfParams<'a> {
+    /// Construct parameters for hash-based key derive function (HKDF).
+    ///
+    /// # Arguments
+    ///
+    /// * `extract` - Whether to execute the extract portion of HKDF.
+    ///
+    /// * `expand` - Whether to execute the expand portion of HKDF.
+    ///
+    /// * `prf_hash_mechanism` - The base hash used for the HMAC in the underlying HKDF operation
+    ///
+    /// * `salt` - The salt for the extract stage.
+    ///
+    /// * `info` - The info string for the expand stage.
+    pub fn new(
+        extract: bool,
+        expand: bool,
+        prf_hash_mechanism: MechanismType,
+        salt: HkdfSalt,
+        info: &'a [u8],
+    ) -> Self {
+        Self {
+            inner: cryptoki_sys::CK_HKDF_PARAMS {
+                bExtract: extract as u8,
+                bExpand: expand as u8,
+                prfHashMechanism: *prf_hash_mechanism,
+                ulSaltType: match salt {
+                    HkdfSalt::Null => CKF_HKDF_SALT_NULL,
+                    HkdfSalt::Data(_) => CKF_HKDF_SALT_DATA,
+                    HkdfSalt::Key(_) => CKF_HKDF_SALT_KEY,
+                },
+                pSalt: match salt {
+                    HkdfSalt::Data(data) => data.as_ptr() as *mut _,
+                    _ => null_mut(),
+                },
+                ulSaltLen: match salt {
+                    HkdfSalt::Data(data) => data
+                        .len()
+                        .try_into()
+                        .expect("salt length does not fit in CK_ULONG"),
+                    _ => 0,
+                },
+                hSaltKey: match salt {
+                    HkdfSalt::Key(key) => key.handle(),
+                    _ => 0,
+                },
+                pInfo: info.as_ptr() as *mut _,
+                ulInfoLen: info
+                    .len()
+                    .try_into()
+                    .expect("info length does not fit in CK_ULONG"),
+            },
+            _marker: PhantomData,
+        }
+    }
+
+    /// Whether to execute the extract portion of HKDF.
+    pub fn extract(&self) -> bool {
+        self.inner.bExtract != 0
+    }
+
+    /// Whether to execute the expand portion of HKDF.
+    pub fn expand(&self) -> bool {
+        self.inner.bExpand != 0
+    }
+
+    /// The salt for the extract stage.
+    pub fn salt(&self) -> HkdfSalt<'a> {
+        match self.inner.ulSaltType {
+            CKF_HKDF_SALT_NULL => HkdfSalt::Null,
+            CKF_HKDF_SALT_DATA => HkdfSalt::Data(unsafe {
+                slice::from_raw_parts(self.inner.pSalt, self.inner.ulSaltLen as _)
+            }),
+            CKF_HKDF_SALT_KEY => HkdfSalt::Key(ObjectHandle::new(self.inner.hSaltKey)),
+            _ => unreachable!(),
+        }
+    }
+
+    /// The info string for the expand stage.
+    pub fn info(&self) -> &'a [u8] {
+        unsafe { slice::from_raw_parts(self.inner.pInfo, self.inner.ulInfoLen as _) }
+    }
+}
diff --git a/cryptoki/src/mechanism/mod.rs b/cryptoki/src/mechanism/mod.rs
@@ -5,6 +5,7 @@
 pub mod aead;
 pub mod ekdf;
 pub mod elliptic_curve;
+pub mod hkdf;
 mod mechanism_info;
 pub mod rsa;
 
@@ -281,6 +282,18 @@ impl MechanismType {
         val: CKM_GENERIC_SECRET_KEY_GEN,
     };
 
+    // HKDF
+    /// HKDF key generation mechanism
+    pub const HKDF_KEY_GEN: MechanismType = MechanismType {
+        val: CKM_HKDF_KEY_GEN,
+    };
+    /// HKDF-DERIVE mechanism
+    pub const HKDF_DERIVE: MechanismType = MechanismType {
+        val: CKM_HKDF_DERIVE,
+    };
+    /// HKDF-DATA mechanism
+    pub const HKDF_DATA: MechanismType = MechanismType { val: CKM_HKDF_DATA };
+
     pub(crate) fn stringify(mech: CK_MECHANISM_TYPE) -> String {
         match mech {
             CKM_RSA_PKCS_KEY_PAIR_GEN => String::from(stringify!(CKM_RSA_PKCS_KEY_PAIR_GEN)),
@@ -637,6 +650,9 @@ impl MechanismType {
                 String::from(stringify!(CKM_EC_MONTGOMERY_KEY_PAIR_GEN))
             }
             CKM_EDDSA => String::from(stringify!(CKM_EDDSA)),
+            CKM_HKDF_KEY_GEN => String::from(stringify!(CKM_HKDF_KEY_GEN)),
+            CKM_HKDF_DERIVE => String::from(stringify!(CKM_HKDF_DERIVE)),
+            CKM_HKDF_DATA => String::from(stringify!(CKM_HKDF_DATA)),
             _ => format!("unknown {mech:08x}"),
         }
     }
@@ -712,6 +728,9 @@ impl TryFrom<CK_MECHANISM_TYPE> for MechanismType {
             CKM_SHA384_HMAC => Ok(MechanismType::SHA384_HMAC),
             CKM_SHA512_HMAC => Ok(MechanismType::SHA512_HMAC),
             CKM_GENERIC_SECRET_KEY_GEN => Ok(MechanismType::GENERIC_SECRET_KEY_GEN),
+            CKM_HKDF_KEY_GEN => Ok(MechanismType::HKDF_KEY_GEN),
+            CKM_HKDF_DERIVE => Ok(MechanismType::HKDF_DERIVE),
+            CKM_HKDF_DATA => Ok(MechanismType::HKDF_DATA),
             other => {
                 error!("Mechanism type {} is not supported.", other);
                 Err(Error::NotSupported)
@@ -894,6 +913,14 @@ pub enum Mechanism<'a> {
     Sha256Hmac,
     /// GENERIC-SECRET-KEY-GEN mechanism
     GenericSecretKeyGen,
+
+    // HKDF
+    /// HKDF key gen mechanism
+    HkdfKeyGen,
+    /// HKDF-DERIVE mechanism
+    HkdfDerive(hkdf::HkdfParams<'a>),
+    /// HKDF-DATA mechanism
+    HkdfData(hkdf::HkdfParams<'a>),
 }
 
 impl Mechanism<'_> {
@@ -957,6 +984,10 @@ impl Mechanism<'_> {
             Mechanism::Sha256Hmac => MechanismType::SHA256_HMAC,
 
             Mechanism::GenericSecretKeyGen => MechanismType::GENERIC_SECRET_KEY_GEN,
+
+            Mechanism::HkdfKeyGen => MechanismType::HKDF_KEY_GEN,
+            Mechanism::HkdfDerive(_) => MechanismType::HKDF_DERIVE,
+            Mechanism::HkdfData(_) => MechanismType::HKDF_DATA,
         }
     }
 }
@@ -988,6 +1019,9 @@ impl From<&Mechanism<'_>> for CK_MECHANISM {
             | Mechanism::Sha512RsaPkcsPss(params) => make_mechanism(mechanism, params),
             Mechanism::RsaPkcsOaep(params) => make_mechanism(mechanism, params),
             Mechanism::Ecdh1Derive(params) => make_mechanism(mechanism, params),
+            Mechanism::HkdfDerive(params) | Mechanism::HkdfData(params) => {
+                make_mechanism(mechanism, params)
+            }
             // Mechanisms without parameters
             Mechanism::AesKeyGen
             | Mechanism::AesEcb
@@ -1023,7 +1057,8 @@ impl From<&Mechanism<'_>> for CK_MECHANISM {
             | Mechanism::Sha384RsaPkcs
             | Mechanism::Sha512RsaPkcs
             | Mechanism::Sha256Hmac
-            | Mechanism::GenericSecretKeyGen => CK_MECHANISM {
+            | Mechanism::GenericSecretKeyGen
+            | Mechanism::HkdfKeyGen => CK_MECHANISM {
                 mechanism,
                 pParameter: null_mut(),
                 ulParameterLen: 0,
diff --git a/cryptoki/src/object.rs b/cryptoki/src/object.rs
@@ -1192,6 +1192,9 @@ impl KeyType {
         val: CKK_EC_MONTGOMERY,
     };
 
+    /// HKDF key
+    pub const HKDF: KeyType = KeyType { val: CKK_HKDF };
+
     fn stringify(key_type: CK_KEY_TYPE) -> String {
         match key_type {
             CKK_RSA => String::from(stringify!(CKK_RSA)),
@@ -1236,6 +1239,8 @@ impl KeyType {
             CKK_GOSTR3411 => String::from(stringify!(CKK_GOSTR3411)),
             CKK_GOST28147 => String::from(stringify!(CKK_GOST28147)),
             CKK_EC_EDWARDS => String::from(stringify!(CKK_EC_EDWARDS)),
+            CKK_EC_MONTGOMERY => String::from(stringify!(CKK_EC_MONTGOMERY)),
+            CKK_HKDF => String::from(stringify!(CKK_HKDF)),
             _ => format!("unknown ({key_type:08x})"),
         }
     }
@@ -1309,6 +1314,7 @@ impl TryFrom<CK_KEY_TYPE> for KeyType {
             CKK_GOST28147 => Ok(KeyType::GOST28147),
             CKK_EC_EDWARDS => Ok(KeyType::EC_EDWARDS),
             CKK_EC_MONTGOMERY => Ok(KeyType::EC_MONTGOMERY),
+            CKK_HKDF => Ok(KeyType::HKDF),
             _ => {
                 error!("Key type {} is not supported.", key_type);
                 Err(Error::NotSupported)
