Re: [pkcs11] Broken definitions in PKCS#11 wd03 draft

[Stef Walter <stefw@redhat.com>]

On 17.09.2014 19:44, Oscar So wrote:
> Again, thank you Stef.
> 
> Quickly did a build on our code, and also reviewed your header files,
> and one major issue, and one nit issue:
> 
> 
> 1)
> Major issue is that the following PARAMS is missing:
> 
> 1322
> 1323 /*
> 1324  * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
> 1325  * CKM_ECMQV_DERIVE mechanism, where each party contributes two key
> pairs. */
> 1326 typedef struct CK_ECDH2_DERIVE_PARAMS {
> 1327   CK_EC_KDF_TYPE kdf;
> 1328   CK_ULONG ulSharedDataLen;
> 1329   CK_BYTE_PTR pSharedData;
> 1330   CK_ULONG ulPublicDataLen;
> 1331   CK_BYTE_PTR pPublicData;
> 1332   CK_ULONG ulPrivateDataLen;
> 1333   CK_OBJECT_HANDLE hPrivateData;
> 1334   CK_ULONG ulPublicDataLen2;
> 1335   CK_BYTE_PTR pPublicData2;
> 1336 } CK_ECDH2_DERIVE_PARAMS;
> 1337
> 1338 typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
> 1339
> 
> I got a build error. If the removal of this define is intended, we
> really need this back into the header file for our existing code.

This definition is not present in the Committee Specification we just
voted on here:

https://www.oasis-open.org/apps/org/workgroup/pkcs11/ballot.php?id=2668

That is, this:

http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html

Out of interest, do you know which PKCS#11 version
CK_ECDH2_DERIVE_PARAMS was this introduced in? It's missing from our
current documents.

Maybe we could you add this to the wiki as a problem that will need a
specification amendment? Here would be the place:

https://wiki.oasis-open.org/pkcs11/Definitions

This and the other amendments needed would be important material to
bring up for the next meeting.

By the way I'm tracking all these changes in git now, so it'll be
trivial to restore definitions once they arrive in an amendment.

As I noted when posting the updated WD03 header, the following
definitions were removed as they are not found in the specification:

 * CKA_DERIVE_TEMPLATE
 * CKM_CMS_SIG_PARAMS
 * CKM_ECDSA_SHA224
 * CKM_ECDSA_SHA256
 * CKM_ECDSA_SHA384
 * CKM_ECDSA_SHA512
 * CKK_MD5_HMAC
 * CKK_RIPEMD128_HMAC
 * CKK_RIPEMD160_HMAC
 * CK_CAMELLIA_CTR_PARAMS
 * CK_ECDH2_DERIVE_PARAMS
 * CK_TLS_PRF_PARAMS

More details here:

https://www.oasis-open.org/apps/org/workgroup/pkcs11/email/archives/201409/msg00031.html

The goal I understood during our TC's earlier discussion of the header
process was to have the headers reflect the specification, and that they
would be produced once the specification was final. I'm not convinced
this is the best approach, given the somewhat broken nature of our
released specification. But nevertheless it's the way we've chosen to work.

> 2)
> Nit issue for:
> /* new for v2.40 */
> #define CKM_TLS10_MAC_SERVER                0x000003D6UL
> #define CKM_TLS10_MAC_CLIENT                0x000003D7UL
> 
> Are CKM_TLS10_MAC_SERVER and CKM_TLS10_MAC_CLIENT new for v2.40 ? or
> earlier version ?

Neither of these defines are present anywhere at:

ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/

Therefore to me it seems that v2.40 is the first official version where
they are present. But if you find in another official specification
version or amendment, I would be very happy to update/remove the comment.

Cheers,

Stef