support for AWS CloudHSM

CHANGELOG.md

@@ -4,9 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-# [UNRELEASED]
+# [2.6.0]
+### Added
+- support for AWS Cloud HSM. See [README.md] for limitations.
+
 ### Fixed
 - with recent versions of GCC, compilation issue with lexx and yacc produced source code.
+- when `automake`<1.14 is used, use an older, compatible commit for `gnulib`
 
 ### Updated
 - `gnulib` in now built from a stable branch, `stable-202307`
@@ -18,7 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 # [2.5.0]
 ### Added
  - `CKA_ALLOWED_MECHANISMS` support for all key management utilities (`p11keygen`, `p11wrap`, `p11unwrap`, `p11rewrap`, `p11ls`, `p11od`)
- 
+
 ### Fixed
  - `p11wrap`: fixed memory leaks
 
@@ -135,6 +139,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Initial public release
 
+[2.6.0]: https://github.com/Mastercard/pkcs11-tools/tree/v2.6.0
 [2.5.1]: https://github.com/Mastercard/pkcs11-tools/tree/v2.5.1
 [2.5.0]: https://github.com/Mastercard/pkcs11-tools/tree/v2.5.0
 [2.4.2]: https://github.com/Mastercard/pkcs11-tools/tree/v2.4.2

Makefile.am

@@ -16,7 +16,7 @@ EXTRA_DIST = \
 	m4/ax_create_target_h.m4 \
 	m4/ax_lib_socket_nsl.m4  \
 	m4/ax_with_dmalloc.m4	 \
-	include/cryptoki         \
+	include/cryptoki	 \
 	include/pkcs11lib.h      \
 	include/oasis-pkcs11/working/3-00-current \
 	with_beid	         \
@@ -25,9 +25,11 @@ EXTRA_DIST = \
 	with_nss                 \
 	with_softhsm             \
 	with_utimaco	         \
+	with_aws		 \
 	docs/INSTALL.md	         \
 	docs/CONTRIBUTING.md     \
 	docs/MANUAL.md           \
+	docs/TPLICENSES.md	 \
 	README.md                \
 	LICENSE.md               \
 	CHANGELOG.md             \
@@ -47,6 +49,7 @@ install-exec-hook:
 		$(srcdir)/with_nss     \
 		$(srcdir)/with_softhsm \
 		$(srcdir)/with_utimaco \
+		$(srcdir)/with_aws     \
 		$(DESTDIR)$(bindir)
 
 dist-hook:
@@ -58,7 +61,7 @@ dist-solaris: install
 	pkgmk -o -f dist/solaris/pkgproto -p @pkginfo_timestamp@ -r . -d pkg
 	@echo
 	pkgtrans pkg ../$(distdir).pkg @pkginfo_pkgname@
-	rm docs/COPYING docs/README.md docs/CHANGELOG.md docs/LICENSE.md
+	rm docs/COPYING docs/README.md docs/CHANGELOG.md docs/LICENSE.md docs/TPLICENSES.md
 	@echo "----------------------------------"
 	@echo "package saved under $(distdir).pkg"
 	@echo

README.md

@@ -13,6 +13,18 @@ Some features:
  - support for key rewrapping (i.e. key unwrapping and key wrapping)
 
 ## News
+### July 2023
+Version 2.6 brings support for the AWS CloudHSM platform, library version 5.9.
+Limitations are:
+ - Certificates are not supported by the platform, therefore any command handling certificates will fail
+ - Changing attributes values is not supported by the platform; several commands rely on that capability to adjust `CKA_ID` accross objects. These commands may occasionally report an error when executed; key material is usually created.
+ - For the same reason, `p11mv` and `p11setattr`  will not operate on this platform.
+ - The platform does not allow for duplicate `CKA_ID` attributes, which occasionally brings issues when generating key material. This will be adjusted in a later release.
+ - `p11od` command will not work, due to the way CloudHSM handles attributes.
+ - When using wrapped key files, `CKA_SIGN_RECOVER` and `CKA_VERIFY_RECOVER` are not supported, and should be commented out.
+ - Wrap and unwrap templates are not supported by this platform. These should also be commented out in wrapped key files.
+AWS CloudHSM support is disabled by default; please refer to [installation instructions](docs/INSTALL.md) for more details.
+
 ### October 2021
 Version 2.5, that brings support for `CKA_ALLOWED_MECHANISMS`, on many key management commands: `p11keygen`, `p11wrap`, `p11unwrap`, `p11rewrap`, `p11od`, `p11ls`.
 Note that the wrapped key grammar has changed; the grammar version number has been incremented to `2.2`.

bootstrap.sh

@@ -39,6 +39,14 @@ if [ -d .git ]; then
     git submodule update --init
     #    git submodule update --init .gnulib
     #    git submodule update --init include/oasis-pkcs11
+
+    # if running automake 1.13, checkout specific (older) commit
+    if (automake --version  | head -1 | grep -q 1\.13); then
+	echo "Automake 1.13 detected, using an older, compatible version of gnulib"
+	cd .gnulib
+	git checkout 34e1754363b105180e7a85d319c2e1f464b93fb2
+	cd ..
+    fi
 else
     # if not a git repo, then two possibilities:
     # 1) we are building a FreeBSD port, in which case

configure.ac

@@ -14,7 +14,7 @@ dnl limitations under the License.
 
 
 AC_PREREQ([2.64])
-AC_INIT([pkcs11-tools], [2.5.1], [https://github.com/Mastercard/pkcs11-tools/issues], [pkcs11-tools], [https://github.com/Mastercard/pkcs11-tools])
+AC_INIT([pkcs11-tools], [2.6.0], [https://github.com/Mastercard/pkcs11-tools/issues], [pkcs11-tools], [https://github.com/Mastercard/pkcs11-tools])
 AC_CONFIG_MACRO_DIR([m4])
 
 dnl adding AM_MAINTAINER_MODE to address autotools issues with git
@@ -75,6 +75,10 @@ PKG_PROG_PKG_CONFIG
 dnl for libcrypto, we are first detecting libcrypo11,
 dnl as older distros may still run on top of openssl 1.0,
 dnl but have v1.1.x accessible through libcrypto11.pc file
+dnl if libcrypto11 is detected, a guess is made that for redhat-based systems,
+dnl the rpm package will have a "11" suffix in the nam; openssl_rpm_suffix variable
+dnl is substituted for that purpose.
+
 PKG_CHECK_MODULES([LIBCRYPTO],
 	          [libcrypto11 >= 1.1.1e],
 		  [ ac_save_CPPFLAGS=$CPPFLAGS
@@ -83,7 +87,9 @@ PKG_CHECK_MODULES([LIBCRYPTO],
 		                  [AC_MSG_FAILURE([The OpenSSL crypto library is missing features/algorithm to allow compilation])],
     				  [],
 				  [[ #include <openssl/opensslconf.h> ]])
-		    CPPFLAGS=${ac_save_CPPFLAGS} ],
+		    CPPFLAGS=${ac_save_CPPFLAGS}
+		    AC_SUBST([openssl_rpm_suffix],[11])
+		    ],
 		    [ PKG_CHECK_MODULES([LIBCRYPTO],
 					[libcrypto >= 1.1.1e],
 				    	[ ac_save_CPPFLAGS=$CPPFLAGS
@@ -92,7 +98,8 @@ PKG_CHECK_MODULES([LIBCRYPTO],
 		                      	  	     	 [AC_MSG_FAILURE([The OpenSSL crypto library is missing features/algorithm to allow compilation])],
 						     	 [],
 						     	 [[ #include <openssl/opensslconf.h> ]])
-					  CPPFLAGS=${ac_save_CPPFLAGS} ])])
+					  CPPFLAGS=${ac_save_CPPFLAGS}
+					  AC_SUBST([openssl_rpm_suffix],[]) ])])
 
 dnl on UNIX platforms, check for dynamic loader lib
 AM_COND_IF( [TARGET_OS_MINGW32],
@@ -112,7 +119,7 @@ dnl support for pthread is needed if we link with a statically-linked version of
 AX_PTHREAD( [], [ AC_MSG_WARN(Caution: no pthread library found, might be an issue when linking)] )
 
 
-dnl check if nCipher extensions can be compiled. If requested, specific file
+dnl check if nCipher extensions can be compiled. If requested, specific file must exist in include/cryptoki
 AC_ARG_WITH([ncipher],
 	[AS_HELP_STRING([--with-ncipher],
 	[enable support for the nCipher extensions (requires a separate ncipher.h header file inside include/cryptoki to compile)])],
@@ -131,7 +138,7 @@ AS_IF([test "x$with_ncipher" != xno],
                fi
               ] )])
 
-dnl check if Gemalto Luna extensions can be compiled. If requested, specific file
+dnl check if Gemalto Luna extensions can be compiled. If requested, specific file must exist in include/cryptoki
 AC_ARG_WITH([luna],
 	[AS_HELP_STRING([--with-luna],
 	[enable support for the Gemalto Safenet Luna extensions (requires a separate luna.h header file inside include/cryptoki to compile)])],
@@ -150,13 +157,33 @@ AS_IF([test "x$with_luna" != xno],
                fi
               ] )])
 
+dnl check if aws CloudHSM extensions can be compiled. If requested, specific file must exist in include/cryptoki
+dnl Note that awscloudhsm is set to "no" instead of "check" by default, as the file is shipped with source code
+dnl and as enabling awscloudhsm disable support for template attributes on p11ls.
+AC_ARG_WITH([awscloudhsm],
+	[AS_HELP_STRING([--with-awscloudhsm],
+	[enable support for the AWS CloudHSM extensions (requires a separate awscloudhsm.h header file inside include/cryptoki to compile)])],
+        [],
+        [with_awscloudhsm=no])
+
+hasawscloudhsm="no"
+AS_IF([test "x$with_awscloudhsm" != xno],
+      [AS_IF([test -r $srcdir/include/cryptoki/awscloudhsm.h],
+              [AC_DEFINE([HAVE_AWSCLOUDHSM], [1], [define to compile with the AWS CloudHSM extensions.])
+	      hasawscloudhsm="yes"
+              ],
+              [if test "x$with_awscloudhsm" != xcheck; then
+                 AC_MSG_FAILURE(
+                   [--with-awscloudhsm was given, but required awscloudhsm.h include file missing])
+               fi
+              ] )])
+
 dnl check if a specific rpath is provided when linking.
 dnl this option is needed when openssl is not deployed to a system-wide location
 AC_ARG_VAR([LIBCRYPTO_RPATH], 	[provide RPATH to LIBCRYPTO, e.g. LIBCRYPTO_RPATH=/usr/local/ssl/lib (useful when openssl is not deployed to a system-wide location)])
 AM_CONDITIONAL([HAS_LIBCRYPTO_RPATH], [test "x$LIBCRYPTO_RPATH" != "x"])
 
 
-#### TODO HERE
 AS_IF([test "x$with_libcrypto_rpath" != xno] && [test "x$with_libcrypto_rpath" != xyes],
       [AC_DEFINE([LIBCRYPTO_RPATH], [$with_libcrypto_rpath], [RPATH to libcrypto]) ])
 
@@ -181,16 +208,17 @@ AC_OUTPUT
 AX_CREATE_TARGET_H([include/target.h])
 
 AC_MSG_NOTICE([------------------------------------------------------------------------])
-AC_MSG_NOTICE([compiler       : $CC])
-AC_MSG_NOTICE([compiler flags : ${LIBCRYPTO_CFLAGS} ${PTHREAD_CFLAGS} $CFLAGS])
-AC_MSG_NOTICE([linker         : $LD])
-AC_MSG_NOTICE([linker flags   : $LDFLAGS])
-AC_MSG_NOTICE([libraries      : ${LIBCRYPTO_LIBS} ${PTHREAD_LIBS} $LIBS])
-AC_MSG_NOTICE([lexer          : $LEX])
-AC_MSG_NOTICE([parser         : $YACC])
-AC_MSG_NOTICE([parser flags   : $YFLAGS])
-AC_MSG_NOTICE([with_luna      : $hasluna])
-AC_MSG_NOTICE([with_ncipher   : $hasncipher])
-AC_MSG_NOTICE([libcrypto rpath: $LIBCRYPTO_RPATH])
+AC_MSG_NOTICE([compiler           : $CC])
+AC_MSG_NOTICE([compiler flags     : ${LIBCRYPTO_CFLAGS} ${PTHREAD_CFLAGS} $CFLAGS])
+AC_MSG_NOTICE([linker             : $LD])
+AC_MSG_NOTICE([linker flags       : $LDFLAGS])
+AC_MSG_NOTICE([libraries          : ${LIBCRYPTO_LIBS} ${PTHREAD_LIBS} $LIBS])
+AC_MSG_NOTICE([lexer              : $LEX])
+AC_MSG_NOTICE([parser             : $YACC])
+AC_MSG_NOTICE([parser flags       : $YFLAGS])
+AC_MSG_NOTICE([with_luna          : $hasluna])
+AC_MSG_NOTICE([with_ncipher       : $hasncipher])
+AC_MSG_NOTICE([with_awscloudhsm   : $hasawscloudhsm])
+AC_MSG_NOTICE([libcrypto rpath    : $LIBCRYPTO_RPATH])
 AC_MSG_NOTICE([------------------------------------------------------------------------])
 

dist/redhat/pkcs11-tools.spec.in

@@ -21,8 +21,8 @@ License:	http://www.apache.org/licenses/LICENSE-2.0
 URL:		https://github.com/Mastercard/pkcs11-toolkit
 Source0:	%{name}-%{version}.tar.gz
 
-BuildRequires:	openssl-devel
-Requires:	openssl
+BuildRequires:	openssl@openssl_rpm_suffix@-devel
+Requires:	openssl@openssl_rpm_suffix@
 Packager:       Eric Devolder <eric.devolder@mastercard.com>
 
 %description
@@ -33,11 +33,15 @@ widely supported formats.
 
 Supported platforms include Linux, MacOS, AIX, Solaris and Windows
 
+%bcond_with awscloudhsm
+
 %prep
 %setup -q
 
 %build
-%configure
+%configure \
+    %{?_with_awscloudhsm}
+
 make %{?_smp_mflags}
 
 %install

dist/solaris/pkgproto.in

@@ -52,3 +52,4 @@ f docs COPYING
 f docs docs/CONTRIBUTING.md
 f docs docs/INSTALL.md
 f docs docs/MANUAL.md
+f docs docs/TPLICENSES.md

docs/INSTALL.md

@@ -223,6 +223,13 @@ $ ./configure PKG_CONFIG_PATH=/usr/local/opt/openssl@1.1/lib/pkgconfig LIBCRYPTO
 $ make
 $ sudo make install
 ```
+
+### AWS CloudHSM support
+By default, AWS CloudHSM support is disabled, as it removes some functionality from the `p11ls` command. If you want to build the toolkit with AWS CloudHSM support, add the `--with-awscloudhsm` argument to `configure`:
+```bash
+$ ./configure --with-awscloudhsm
+```
+
 ## Packaging
 ### all platforms
 To build a generic binary distribution tarball (all platforms):
@@ -250,3 +257,9 @@ $ rpmbuild -ba $HOME/rpmbuild/SPECS/pkcs11-tools.spec
 ```
 
 RPMs and SRPMs are found in `$HOME/rpmbuild/RPMS` and `$HOME/rpmbuild/SRPMS`, respectively.
+
+#### AWS CloudHSM support in RPM
+To build the RPM package with AWS CloudHSM support, use the following command when building:
+```bash
+$ rpmbuild -ba $HOME/rpmbuild/SPECS/pkcs11-tools.spec --with awscloudhsm
+```

docs/TPLICENSES.md

@@ -0,0 +1,33 @@
+# Third-party licensing terms
+
+## AWS CloudHSM
+
+AWS CloudHSM support requires using derived work from header files found at [github.com/aws-samples](https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples/blob/9026b84691435e59759ffee1bcf7323605920994/include/pkcs11/v2.40/cloudhsm_pkcs11_vendor_defs.h).
+
+### licensing terms
+
+```
+Copyright (c) 2017, Cavium, Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of the Cavium, Inc. nor the
+   names of its contributors may be used to endorse or promote products
+   derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY CAVIUM INC. ''AS IS'' AND ANY
+EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL CAVIUM, INC. BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+```

include/cryptoki/awscloudhsm.h

@@ -0,0 +1,68 @@
+/* -*- mode: c; c-file-style:"stroustrup"; -*- */
+
+/*
+ * Copyright (c) 2023 Mastercard
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+/* This source code was built up from aws-cloudhsm-pkcs11-vendor-defs.h */
+/* https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples/blob/9026b84691435e59759ffee1bcf7323605920994/include/pkcs11/v2.40/cloudhsm_pkcs11_vendor_defs.h */
+/* It has been modified to fit the need of the PKCS#11 toolkit */
+/* The original license is stated here below. */
+
+/*
+ * Copyright (c) 2017, Cavium, Inc. All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the Cavium, Inc. nor the
+ *    names of its contributors may be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY CAVIUM INC. ''AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL CAVIUM, INC. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#if !defined(_AWS_CLOUDHSM_H_)
+#define _AWS_CLOUDHSM_H_
+
+/* HMAC KDF Mechanism, defined by PKCS#11 3.00 */
+#define CKM_CLOUDHSM_SP800_108_COUNTER_KDF      0x80000001UL /* original name is CKM_SP800_108_COUNTER_KDF */
+
+#define CKM_CLOUDHSM_AES_GCM                    0x80001087UL
+
+// More information can be found at https://docs.aws.amazon.com/cloudhsm/latest/userguide/manage-aes-key-wrapping.html
+#define CKM_CLOUDHSM_AES_KEY_WRAP_NO_PAD        0x80002109UL
+#define CKM_CLOUDHSM_AES_KEY_WRAP_PKCS5_PAD     0x8000210AUL
+#define CKM_CLOUDHSM_AES_KEY_WRAP_ZERO_PAD      0x8000216FUL
+
+#define CKM_CLOUDHSM_DES3_NIST_WRAP             0x80008000UL
+
+
+#endif  /* _AWS_CLOUDHSM_H_ */