All the issues Dieter identified should be now fixed.
CKT_TRUST_ANCHOR should be the correct define and should be updated in the spec.
I've also added CKA_SEED and renamed CKA_VALIDATION_FLAGS to CKA_OBJECT_VALIDATION_FLAGS in the header/database/proposals as we approved in the last meeting.
This results in the following autocheck between the headerfile and -08:
/parse_doc.pl pkcs11-spec-v3.2-wd08.txt
Processing header ../headers/pkcs11t.h...
#define CKA_VALIDATION_FLAGS UNDEFINED missing from header ../headers/pkcs11t.h
#define CKK_ECDSA UNDEFINED missing from header ../headers/pkcs11t.h
#define CKM_RSA_PKCS mismatched values, pkcs11-spec-v3.2-wd08.txt=0x00000015UL ../headers/pkcs11t.h=0x00000001UL
#define CKM_RSA_PKCS_OAEP mismatched values, pkcs11-spec-v3.2-wd08.txt=0x00000015UL ../headers/pkcs11t.h=0x00000009UL
#define CKM_RSA_PKCS_OAEP_TPM_1_1 mismatched values, pkcs11-spec-v3.2-wd08.txt=0x00000015UL ../headers/pkcs11t.h=0x00004002UL
#define CKM_RSA_PKCS_TPM_1_1 mismatched values, pkcs11-spec-v3.2-wd08.txt=0x00000015UL ../headers/pkcs11t.h=0x00004001UL
#define CKM_RSA_X_509 mismatched values, pkcs11-spec-v3.2-wd08.txt=0x00000015UL ../headers/pkcs11t.h=0x00000003UL
86 defines in header (../headers/pkcs11t.h) and not in doc (pkcs11-spec-v3.2-wd08.txt)
typedef diffs from doc(pkcs11-spec-v3.2-wd08.txt) and header file(../headers/pkcs11t.h)
typedef (typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE;) missing from doc pkcs11-spec-v3.2-wd08.txt
typedef (typedef CK_ULONG CK_HSS_LEVELS;) missing from doc pkcs11-spec-v3.2-wd08.txt
typedef (typedef CK_ULONG CK_LMOTS_TYPE;) missing from doc pkcs11-spec-v3.2-wd08.txt
typedef (typedef CK_ULONG CK_LMS_TYPE;) missing from doc pkcs11-spec-v3.2-wd08.txt
typedef (typedef CK_ULONG CK_RC2_PARAMS;) missing from doc pkcs11-spec-v3.2-wd08.txt
108 occurances of (typedef {ID} CK_PTR {ID}_PTR;) missing from pkcs11-spec-v3.2-wd08.txt
missing struct 'CK_CCM_WRAP_PARAMS' in header ../headers/pkcs11t.h
mismatched struct entry in struct CK_HASH_SIGN_ADDITIONAL_CONTEXT line 3:
header 'CK_MECHANISM_TYPE hash;' (../headers/pkcs11t.h)
doc 'CK_MECHANISM_TYPE hash' (pkcs11-spec-v3.2-wd08.txt)
13 structs in header (../headers/pkcs11t.h) and not in doc (pkcs11-spec-v3.2-wd08.txt)
---------------------------
The only critical issue is the rename of CKA_VALIDATION_FLAGS, which we did after -08 was published.
I need to investigate CK_CCM_WRAP_PARAMS. It is missing from the header. I just need to make sure it should be in the spec. If so, I'll add it to the headers.
(we should also probably add the ';' to the hash description above)
The missing HSS and LMOTS and RC2 defines are likely referenced in the spec without any actual typedef in the spec (an existing issue).
CKK_ECDSA is a false positive. It's in the header, marked 'deprecated', which causes it to drop out of the define list. The spec references it once saying it's deprecated in favor of CKK_EC.
I have reviewed a few more proposals for PKCS #11 v3.2 to see whether they come with new identifiers, and whether such identifiers have been allocated in header files:
- Work item 1: allocated
- Work item 4: most new identifiers have been allocated, but
- New typedefs for CK_VALIDATION_TYPE, CK_VALIDATION_TYPE_PTR, CK_VALIDATION_AUTHORITY_TYPE, CK_VALIDATION_AUTHORITY_TYPE_PTR and CK_SESSION_VALIDATION_FLAGS_TYPE are defined in the specification, but I cannot find them in any include file. Please double-check.
- The property file fips140_3.prop line 32 states "CKA_VALIDATION_VENDOR URI" instead of "CKA_VALIDATION_VENDOR_URI". As a result, pkcs11t.h includes the new identifier "CKA_VALIDATION_VENDOR" instead of "CKA_VALIDATION_VENDOR_URI". Please update the property file.
These were all valid issues which should now be fixed.
- Work item 5: allocated
- Work item 9: no new identifier
- Work item 10: allocated
- Work item 12: it seems I cannot find the new identifier CKA_PUBLIC_CRC64_VALUE. Please double-check.
Completely missed that that proposal had an attribute. Now allocated:
In accordance to our standing rules, the following identifiers have been
allocated for your proposal "Public Private Key Object Linking".
Attributes:
#define CKA_PUBLIC_CRC64_VALUE 0x00000636UL
This represents the following changes to your original proposal:
CKA_PUBLIC_CRC64_VALUE was allocated 0x636 because no number was proposed
Please update your spec before sending it to ballot.
- Work item 14: allocated
- Work item 21: no new identifier
I have updated the Header File Reviewed By column on our wiki 3.2 page for work items 1, 5, 9, 10, 14 and 21 accordingly.
Continuing my review:
- Work item 6.1: allocated
- Work item 6.2: allocated
- Work item 6.3: allocated
- Work item 6.4: no new identifier
- Work item 8: allocated, but the identifier CKT_TRUSTED_DELEGATOR has been allocated as CKT_TRUST_ANCHOR in the property file trust_objects.prop
Jonathan had requested CKT_TRUST_ANCHOR, and it made it into the .prop. We should update the spec value to CKA_TRUST_ANCHOR.
- Work item 11: allocated, but: New typedefs for CK_XMSS_OID and CK_XMSSMT_OID have been defined in the header file pkcs11t.h. But these typedefs date back to the XMSS proposal 1 from 2023. The XMSS proposal 2 from 2024 uses CK_XMSS_PARAMETER_SET_TYPE and CK_XMSSMT_PARAMETER_SET_TYPE instead. Please double-check and update the typedefs.
Yes, I missed the change for the header.
Fixed.
I have updated the Header File Reviewed By column on our wiki 3.2 page for work items 6.1, 6.2, 6.3 and 6.4 accordingly in green. This time, I have additionally marked my review for work items 4, 8, 11 and 12, and for Darren's review of work item 17, in orange to indicate that the identifier definitions for these proposals need review / updates.
Original Message:
Sent: 1/2/2025 11:16:00 AM
From: Dieter Bong
Subject: Header file updates for various PKCS #11 v3.2 proposals
I have reviewed a few more proposals for PKCS #11 v3.2 to see whether they come with new identifiers, and whether such identifiers have been allocated in header files:
- Work item 1: allocated
- Work item 4: most new identifiers have been allocated, but
- New typedefs for CK_VALIDATION_TYPE, CK_VALIDATION_TYPE_PTR, CK_VALIDATION_AUTHORITY_TYPE, CK_VALIDATION_AUTHORITY_TYPE_PTR and CK_SESSION_VALIDATION_FLAGS_TYPE are defined in the specification, but I cannot find them in any include file. Please double-check.
- The property file fips140_3.prop line 32 states "CKA_VALIDATION_VENDOR URI" instead of "CKA_VALIDATION_VENDOR_URI". As a result, pkcs11t.h includes the new identifier "CKA_VALIDATION_VENDOR" instead of "CKA_VALIDATION_VENDOR_URI". Please update the property file.
- Work item 5: allocated
- Work item 9: no new identifier
- Work item 10: allocated
- Work item 12: it seems I cannot find the new identifier CKA_PUBLIC_CRC64_VALUE. Please double-check.
- Work item 14: allocated
- Work item 21: no new identifier
I have updated the Header File Reviewed By column on our wiki 3.2 page for work items 1, 5, 9, 10, 14 and 21 accordingly.
------------------------------
Best regards,
Dieter
------------------------------
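The header-versus-spec autocheck discussed in this thread, as an added Python example (not parse_doc.pl and not code from the TC). It reproduces three of the finding classes in the output above, including the CKK_ECDSA false positive that appears when deprecated defines are dropped from the header's list. The `/* Deprecated */` comment marker, the function names, the CKK_ECDSA value and the CKA_OBJECT_VALIDATION_FLAGS value are assumptions; both inputs are constructed.

```python
import re

# "#define NAME [0x...UL] [trailing comment]"; the value is optional because
# the spec text may name an identifier without giving its number.
DEFINE_RE = re.compile(
    r"^[ \t]*#define[ \t]+(CK[A-Z]_\w+)(?:[ \t]+(0x[0-9A-Fa-f]+)UL)?(.*)$", re.M)

def parse_defines(text, skip_deprecated=False):
    """Return {name: int or None}. With skip_deprecated, drop any define whose
    trailing comment says 'deprecated' (assumed marker format)."""
    defines = {}
    for name, value, rest in DEFINE_RE.findall(text):
        if skip_deprecated and "deprecated" in rest.lower():
            continue
        defines[name] = int(value, 16) if value else None
    return defines

def compare(doc_text, header_text, skip_deprecated=False):
    """Cross-check identifiers named in the spec against the header."""
    doc = parse_defines(doc_text)
    hdr = parse_defines(header_text, skip_deprecated)
    shared = sorted(set(doc) & set(hdr))
    return {
        "missing_from_header": sorted(set(doc) - set(hdr)),
        "missing_from_doc": sorted(set(hdr) - set(doc)),
        # Only compare when the spec actually states a value.
        "mismatched": {n: (doc[n], hdr[n]) for n in shared
                       if doc[n] is not None and doc[n] != hdr[n]},
    }

# Constructed spec excerpt: two names without values, one wrong value.
DOC = """
#define CKA_VALIDATION_FLAGS
#define CKK_ECDSA
#define CKM_RSA_PKCS 0x00000015UL
#define CKA_PUBLIC_CRC64_VALUE 0x00000636UL
"""

# Constructed header excerpt; 0x80000001UL is a placeholder, not the allocation.
HEADER = """
#define CKA_OBJECT_VALIDATION_FLAGS 0x80000001UL
#define CKK_ECDSA 0x00000003UL /* Deprecated */
#define CKM_RSA_PKCS 0x00000001UL
#define CKA_PUBLIC_CRC64_VALUE 0x00000636UL
"""

if __name__ == "__main__":
    for skip in (True, False):
        print("skip_deprecated =", skip, compare(DOC, HEADER, skip))
```

With `skip_deprecated=True` CKK_ECDSA is reported missing from the header even though it is defined there; with `False` only the renamed CKA_VALIDATION_FLAGS remains.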