commit d756ba1ec270a289950e66398c7e8be59c4a594d
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date:   Fri Feb 9 14:07:34 2024 +0100

    COMMON: Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT
    
    An RSA key object that has no CKA_PRIVATE_EXPONENT may either don't have that
    attribute at all, or may have an empty CKA_PRIVATE_EXPONENT attribute.
    Both situations should be handed the same, and the private exponent of the
    key needs to be calculated from the other key components.
    
    Note that RSA key objects generated with a current soft or ICA token will
    always have a valid CKA_PRIVATE_EXPONENT attribute, since this is provided
    during key generation.
    
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c
index da515289..14c82e2d 100644
--- a/usr/lib/common/mech_openssl.c
+++ b/usr/lib/common/mech_openssl.c
@@ -5160,7 +5160,8 @@ CK_RV openssl_specific_rsa_derive_kdk(STDLL_TokData_t *tokdata, OBJECT *key_obj,
 
     rc = template_attribute_get_non_empty(key_obj->template,
                                           CKA_PRIVATE_EXPONENT, &priv_exp_attr);
-    if (rc != CKR_OK && rc != CKR_TEMPLATE_INCOMPLETE) {
+    if (rc != CKR_OK && rc != CKR_TEMPLATE_INCOMPLETE &&
+        rc != CKR_ATTRIBUTE_VALUE_INVALID) {
         TRACE_ERROR("Failed to get CKA_PRIVATE_EXPONENT\n");
         goto out;
     }