- Added support for "pin-source" within PKCS#11 URI (bz#1670026)
- Search objects in all matching tokens (bz#1760751)
- Set flag RSA_FLAG_EXT_PKEY for RSA keys (bz#1760541)
- Fixed various bugs

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
From e7ecd9298c8744a7e3f253178e6d1f12c5310dde Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Tue, 17 Sep 2019 10:05:28 +0300
Subject: [PATCH] Set RSA_FLAG_EXT_PKEY flag

From docs:
"""
This flag means the private key operations will be handled by
rsa_mod_exp and that they do not depend on the private key
components being present:
for example a key stored in external hardware. Without this flag
bn_mod_exp gets called when private key components are absent.
"""

Setting this flag allows BIND to identify RSA key (stored on a HSM)
as a private key. Otherwise, BIND fails to sign and to verify signs.

Fixes: https://github.com/OpenSC/libp11/issues/304
Signed-off-by: Stanislav Levin <slev@altlinux.org>
(cherry picked from commit b487da5a0f69576139949d7235b988e822137cab)
---
src/p11_rsa.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index e699009..66db996 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -273,8 +273,14 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
}
EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */

- if (key->isPrivate)
+ if (key->isPrivate) {
RSA_set_method(rsa, PKCS11_get_rsa_method());
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
+ RSA_set_flags(rsa, RSA_FLAG_EXT_PKEY);
+#else
+ rsa->flags |= RSA_FLAG_EXT_PKEY;
+#endif
+ }
/* TODO: Retrieve the RSA private key object attributes instead,
* unless the key has the "sensitive" attribute set */
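Review bot: the new `RSA_set_flags(rsa, RSA_FLAG_EXT_PKEY)` / `rsa->flags |= RSA_FLAG_EXT_PKEY` lines carry no comment explaining why the flag is needed, so a reader of `pkcs11_get_evp_key_rsa` later will only see a bare version-dependent `#if`/`#else` block; suggest a one-line comment before the `#if`, taken from the commit message, stating that keys held in the token have no private components and that the flag tells OpenSSL to route private-key operations through the installed method rather than through `bn_mod_exp`. Two things to double-check on the same lines: first, the quoted docs say that with this flag set OpenSSL dispatches private operations to the method's `rsa_mod_exp` when the key components are absent, so the method returned by `PKCS11_get_rsa_method()` must override the private-key entry points (or provide an `rsa_mod_exp`) for every code path BIND exercises, otherwise the flag turns a refused operation into one that runs against an empty key; second, the `#else` branch writes `rsa->flags` directly, which only compiles while the `RSA` struct is still public, which is exactly what the `OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)` guard is selecting on, so the condition and its two branches are consistent. The added braces around the `if (key->isPrivate)` body are the right change since the branch now spans several statements.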

--
2.21.0