348 lines
15 KiB
Diff
348 lines
15 KiB
Diff
From b8bc3e183b43e9aeee8a8f23c8e48fffb6eedc35 Mon Sep 17 00:00:00 2001
|
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Date: Fri, 4 Nov 2022 10:51:08 +0100
|
|
Subject: [PATCH 08/34] EP11: Supply CKA_PUBLIC_KEY_INFO when importing private
|
|
keys
|
|
|
|
When importing private keys, the SPKI of the corresponding public key
|
|
is returned in parameters csum/cslen of the m_UnwrapKey() EP11 host
|
|
library call. Supply this SPKI as CKA_PUBLIC_KEY_INFO to the object.
|
|
|
|
For public key import, the common code already builds the SPKI from
|
|
the clear public key attributes of the imported public key.
|
|
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
---
|
|
usr/lib/common/obj_mgr.c | 5 ++
|
|
usr/lib/ep11_stdll/ep11_specific.c | 113 +++++++++++++++++++++++++------------
|
|
2 files changed, 83 insertions(+), 35 deletions(-)
|
|
|
|
diff --git a/usr/lib/common/obj_mgr.c b/usr/lib/common/obj_mgr.c
|
|
index 8e61cbd4..347ec3f3 100644
|
|
--- a/usr/lib/common/obj_mgr.c
|
|
+++ b/usr/lib/common/obj_mgr.c
|
|
@@ -123,6 +123,11 @@ CK_RV object_mgr_add(STDLL_TokData_t *tokdata,
|
|
switch(class) {
|
|
case CKO_PUBLIC_KEY:
|
|
case CKO_PRIVATE_KEY:
|
|
+ /* Skip if there is already a non-empty CKA_PUBLIC_KEY_INFO */
|
|
+ if (template_attribute_get_non_empty(o->template, CKA_PUBLIC_KEY_INFO,
|
|
+ &spki_attr) == CKR_OK)
|
|
+ break;
|
|
+
|
|
rc = template_attribute_get_ulong(o->template, CKA_KEY_TYPE, &keytype);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("Could not find CKA_KEY_TYPE for the key object.\n");
|
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
|
index 886692c4..3b14a557 100644
|
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
|
@@ -2745,9 +2745,10 @@ static int get_curve_type_from_template(TEMPLATE *tmpl)
|
|
* SPKIs for public imported RSA keys.
|
|
* Similar to rawkey_2_blob, but keys must follow a standard BER encoding.
|
|
*/
|
|
-static CK_RV import_RSA_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
- OBJECT * rsa_key_obj,
|
|
- CK_BYTE * blob, size_t * blob_size)
|
|
+static CK_RV import_RSA_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
+ OBJECT *rsa_key_obj,
|
|
+ CK_BYTE *blob, size_t *blob_size,
|
|
+ CK_BYTE *spki, size_t *spki_size)
|
|
{
|
|
ep11_private_data_t *ep11_data = tokdata->private_data;
|
|
CK_RV rc;
|
|
@@ -2759,8 +2760,6 @@ static CK_RV import_RSA_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
CK_ULONG attrs_len = 0;
|
|
CK_ATTRIBUTE_PTR new_p_attrs = NULL;
|
|
CK_ULONG new_attrs_len = 0;
|
|
- CK_BYTE csum[MAX_BLOBSIZE];
|
|
- CK_ULONG cslen = sizeof(csum);
|
|
CK_OBJECT_CLASS class;
|
|
CK_BYTE *data = NULL;
|
|
CK_ULONG data_len;
|
|
@@ -2831,6 +2830,8 @@ static CK_RV import_RSA_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
goto import_RSA_key_end;
|
|
}
|
|
|
|
+ *spki_size = 0; /* common code will extract SPKI from object */
|
|
+
|
|
} else {
|
|
|
|
/* imported private RSA key goes here */
|
|
@@ -2884,7 +2885,7 @@ static CK_RV import_RSA_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
ep11_data->raw2key_wrap_blob_l, NULL, ~0,
|
|
ep11_pin_blob, ep11_pin_blob_len, &mech_w,
|
|
new_p_attrs, new_attrs_len, blob, blob_size,
|
|
- csum, &cslen, target_info->target);
|
|
+ spki, spki_size, target_info->target);
|
|
RETRY_END(rc, tokdata, sess)
|
|
|
|
if (rc != CKR_OK) {
|
|
@@ -2921,9 +2922,10 @@ import_RSA_key_end:
|
|
* SPKIs for public imported EC keys.
|
|
* Similar to rawkey_2_blob, but keys must follow a standard BER encoding.
|
|
*/
|
|
-static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
- OBJECT * ec_key_obj,
|
|
- CK_BYTE * blob, size_t * blob_size)
|
|
+static CK_RV import_EC_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
+ OBJECT *ec_key_obj,
|
|
+ CK_BYTE *blob, size_t *blob_size,
|
|
+ CK_BYTE *spki, size_t *spki_size)
|
|
{
|
|
ep11_private_data_t *ep11_data = tokdata->private_data;
|
|
CK_RV rc;
|
|
@@ -2935,8 +2937,6 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
CK_ULONG attrs_len = 0;
|
|
CK_ATTRIBUTE_PTR new_p_attrs = NULL;
|
|
CK_ULONG new_attrs_len = 0;
|
|
- CK_BYTE csum[MAX_BLOBSIZE];
|
|
- CK_ULONG cslen = sizeof(csum);
|
|
CK_OBJECT_CLASS class;
|
|
CK_BYTE *data = NULL;
|
|
CK_ULONG data_len;
|
|
@@ -3059,6 +3059,8 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
goto import_EC_key_end;
|
|
}
|
|
|
|
+ *spki_size = 0; /* common code will extract SPKI from object */
|
|
+
|
|
} else {
|
|
|
|
/* imported private EC key goes here */
|
|
@@ -3115,7 +3117,8 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
ep11_pin_blob,
|
|
ep11_pin_blob_len, &mech_w,
|
|
new_p_attrs, new_attrs_len, blob,
|
|
- blob_size, csum, &cslen, target_info->target);
|
|
+ blob_size, spki, spki_size,
|
|
+ target_info->target);
|
|
RETRY_END(rc, tokdata, sess)
|
|
|
|
if (rc != CKR_OK) {
|
|
@@ -3149,9 +3152,10 @@ import_EC_key_end:
|
|
* SPKIs for public imported DSA keys.
|
|
* Similar to rawkey_2_blob, but keys must follow a standard BER encoding.
|
|
*/
|
|
-static CK_RV import_DSA_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
- OBJECT * dsa_key_obj,
|
|
- CK_BYTE * blob, size_t * blob_size)
|
|
+static CK_RV import_DSA_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
+ OBJECT *dsa_key_obj,
|
|
+ CK_BYTE *blob, size_t *blob_size,
|
|
+ CK_BYTE *spki, size_t *spki_size)
|
|
{
|
|
ep11_private_data_t *ep11_data = tokdata->private_data;
|
|
CK_RV rc;
|
|
@@ -3163,8 +3167,6 @@ static CK_RV import_DSA_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
CK_ULONG attrs_len = 0;
|
|
CK_ATTRIBUTE_PTR new_p_attrs = NULL;
|
|
CK_ULONG new_attrs_len = 0;
|
|
- CK_BYTE csum[MAX_BLOBSIZE];
|
|
- CK_ULONG cslen = sizeof(csum);
|
|
CK_OBJECT_CLASS class;
|
|
CK_BYTE *data = NULL;
|
|
CK_ULONG data_len;
|
|
@@ -3251,6 +3253,8 @@ static CK_RV import_DSA_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
goto import_DSA_key_end;
|
|
}
|
|
|
|
+ *spki_size = 0; /* common code will extract SPKI from object */
|
|
+
|
|
} else {
|
|
|
|
/* imported private DSA key goes here */
|
|
@@ -3307,7 +3311,8 @@ static CK_RV import_DSA_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
ep11_pin_blob,
|
|
ep11_pin_blob_len, &mech_w,
|
|
new_p_attrs, new_attrs_len, blob,
|
|
- blob_size, csum, &cslen, target_info->target);
|
|
+ blob_size, spki, spki_size,
|
|
+ target_info->target);
|
|
RETRY_END(rc, tokdata, sess)
|
|
|
|
if (rc != CKR_OK) {
|
|
@@ -3339,9 +3344,10 @@ import_DSA_key_end:
|
|
* SPKIs for public imported DH keys.
|
|
* Similar to rawkey_2_blob, but keys must follow a standard BER encoding.
|
|
*/
|
|
-static CK_RV import_DH_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
- OBJECT * dh_key_obj,
|
|
- CK_BYTE * blob, size_t * blob_size)
|
|
+static CK_RV import_DH_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
+ OBJECT *dh_key_obj,
|
|
+ CK_BYTE *blob, size_t *blob_size,
|
|
+ CK_BYTE *spki, size_t *spki_size)
|
|
{
|
|
ep11_private_data_t *ep11_data = tokdata->private_data;
|
|
CK_RV rc;
|
|
@@ -3353,8 +3359,6 @@ static CK_RV import_DH_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
CK_ULONG attrs_len = 0;
|
|
CK_ATTRIBUTE_PTR new_p_attrs = NULL;
|
|
CK_ULONG new_attrs_len = 0;
|
|
- CK_BYTE csum[MAX_BLOBSIZE];
|
|
- CK_ULONG cslen = sizeof(csum);
|
|
CK_OBJECT_CLASS class;
|
|
CK_BYTE *data = NULL;
|
|
CK_ULONG data_len;
|
|
@@ -3433,6 +3437,8 @@ static CK_RV import_DH_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
goto import_DH_key_end;
|
|
}
|
|
|
|
+ *spki_size = 0; /* common code will extract SPKI from object */
|
|
+
|
|
} else {
|
|
CK_ATTRIBUTE *value;
|
|
CK_ATTRIBUTE *value_bits;
|
|
@@ -3500,7 +3506,8 @@ static CK_RV import_DH_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
ep11_pin_blob,
|
|
ep11_pin_blob_len, &mech_w,
|
|
new_p_attrs, new_attrs_len, blob,
|
|
- blob_size, csum, &cslen, target_info->target);
|
|
+ blob_size, spki, spki_size,
|
|
+ target_info->target);
|
|
RETRY_END(rc, tokdata, sess)
|
|
|
|
if (rc != CKR_OK) {
|
|
@@ -3547,9 +3554,10 @@ import_DH_key_end:
|
|
* SPKIs for public imported IBM Dilithium keys.
|
|
* Similar to rawkey_2_blob, but keys must follow a standard BER encoding.
|
|
*/
|
|
-static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
- OBJECT * dilithium_key_obj,
|
|
- CK_BYTE * blob, size_t * blob_size)
|
|
+static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
+ OBJECT *dilithium_key_obj,
|
|
+ CK_BYTE *blob, size_t *blob_size,
|
|
+ CK_BYTE *spki, size_t *spki_size)
|
|
{
|
|
ep11_private_data_t *ep11_data = tokdata->private_data;
|
|
CK_RV rc;
|
|
@@ -3561,8 +3569,6 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
CK_ULONG attrs_len = 0;
|
|
CK_ATTRIBUTE_PTR new_p_attrs = NULL;
|
|
CK_ULONG new_attrs_len = 0;
|
|
- CK_BYTE csum[MAX_BLOBSIZE];
|
|
- CK_ULONG cslen = sizeof(csum);
|
|
CK_OBJECT_CLASS class;
|
|
CK_BYTE *data = NULL;
|
|
CK_ULONG data_len;
|
|
@@ -3652,6 +3658,8 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
goto done;
|
|
}
|
|
|
|
+ *spki_size = 0; /* common code will extract SPKI from object */
|
|
+
|
|
} else {
|
|
|
|
/* imported private IBM Dilithium key goes here */
|
|
@@ -3709,7 +3717,8 @@ static CK_RV import_IBM_Dilithium_key(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
ep11_pin_blob,
|
|
ep11_pin_blob_len, &mech_w,
|
|
new_p_attrs, new_attrs_len, blob,
|
|
- blob_size, csum, &cslen, target_info->target);
|
|
+ blob_size, spki, spki_size,
|
|
+ target_info->target);
|
|
RETRY_END(rc, tokdata, sess)
|
|
|
|
if (rc != CKR_OK) {
|
|
@@ -3747,9 +3756,13 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
CK_ATTRIBUTE *attr = NULL;
|
|
CK_BYTE blob[MAX_BLOBSIZE];
|
|
size_t blobsize = sizeof(blob);
|
|
+ CK_BYTE spki[MAX_BLOBSIZE];
|
|
+ size_t spkisize = sizeof(spki);
|
|
CK_RV rc;
|
|
CK_ULONG class;
|
|
CK_BBOOL attrbound;
|
|
+ CK_BYTE *temp;
|
|
+ CK_ULONG temp_len;
|
|
|
|
/* get key type */
|
|
rc = template_attribute_get_ulong(obj->template, CKA_KEY_TYPE, &keytype);
|
|
@@ -3783,7 +3796,8 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
/* only these keys can be imported */
|
|
switch (keytype) {
|
|
case CKK_RSA:
|
|
- rc = import_RSA_key(tokdata, sess, obj, blob, &blobsize);
|
|
+ rc = import_RSA_key(tokdata, sess, obj, blob, &blobsize,
|
|
+ spki, &spkisize);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("%s import RSA key rc=0x%lx blobsize=0x%zx\n",
|
|
__func__, rc, blobsize);
|
|
@@ -3793,7 +3807,8 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
__func__, rc, blobsize);
|
|
break;
|
|
case CKK_EC:
|
|
- rc = import_EC_key(tokdata, sess, obj, blob, &blobsize);
|
|
+ rc = import_EC_key(tokdata, sess, obj, blob, &blobsize,
|
|
+ spki, &spkisize);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("%s import EC key rc=0x%lx blobsize=0x%zx\n",
|
|
__func__, rc, blobsize);
|
|
@@ -3803,7 +3818,8 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
__func__, rc, blobsize);
|
|
break;
|
|
case CKK_DSA:
|
|
- rc = import_DSA_key(tokdata, sess, obj, blob, &blobsize);
|
|
+ rc = import_DSA_key(tokdata, sess, obj, blob, &blobsize,
|
|
+ spki, &spkisize);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("%s import DSA key rc=0x%lx blobsize=0x%zx\n",
|
|
__func__, rc, blobsize);
|
|
@@ -3813,7 +3829,8 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
__func__, rc, blobsize);
|
|
break;
|
|
case CKK_DH:
|
|
- rc = import_DH_key(tokdata, sess, obj, blob, &blobsize);
|
|
+ rc = import_DH_key(tokdata, sess, obj, blob, &blobsize,
|
|
+ spki, &spkisize);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("%s import DH key rc=0x%lx blobsize=0x%zx\n",
|
|
__func__, rc, blobsize);
|
|
@@ -3823,7 +3840,8 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
__func__, rc, blobsize);
|
|
break;
|
|
case CKK_IBM_PQC_DILITHIUM:
|
|
- rc = import_IBM_Dilithium_key(tokdata, sess, obj, blob, &blobsize);
|
|
+ rc = import_IBM_Dilithium_key(tokdata, sess, obj, blob, &blobsize,
|
|
+ spki, &spkisize);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("%s import IBM Dilithium key rc=0x%lx blobsize=0x%zx\n",
|
|
__func__, rc, blobsize);
|
|
@@ -3891,6 +3909,31 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
return rc;
|
|
}
|
|
|
|
+ if (spkisize > 0 && (class == CKO_PRIVATE_KEY || class == CKO_PUBLIC_KEY)) {
|
|
+ /* spki may be a MACed SPKI, get length of SPKI part only */
|
|
+ rc = ber_decode_SEQUENCE(spki, &temp, &temp_len, &spkisize);
|
|
+ if (rc != CKR_OK) {
|
|
+ TRACE_ERROR("%s ber_decode_SEQUENCE failed rc=0x%lx\n",
|
|
+ __func__, rc);
|
|
+ return rc;
|
|
+ }
|
|
+
|
|
+ rc = build_attribute(CKA_PUBLIC_KEY_INFO, spki, spkisize, &attr);
|
|
+ if (rc != CKR_OK) {
|
|
+ TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", __func__,
|
|
+ rc);
|
|
+ return rc;
|
|
+ }
|
|
+
|
|
+ rc = template_update_attribute(obj->template, attr);
|
|
+ if (rc != CKR_OK) {
|
|
+ TRACE_ERROR("%s template_update_attribute failed with rc=0x%lx\n",
|
|
+ __func__, rc);
|
|
+ free(attr);
|
|
+ return rc;
|
|
+ }
|
|
+ }
|
|
+
|
|
rc = update_ep11_attrs_from_blob(tokdata, sess, obj->template);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("%s update_ep11_attrs_from_blob failed with rc=0x%lx\n",
|
|
--
|
|
2.16.2.windows.1
|
|
|