[pkg-opensc-commit] [libp11] 59/67: Avoid querying public keys for CKA_SENSITIVE and CKA_EXTRACTABLE

[Eric Dorland]

This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository libp11.

commit 90387131801cec36ffe65625d11957f69f361dfb
Author: Michał Trojnara <Michal.Trojnara at stunnel.org>
Date:   Thu Jan 21 17:20:02 2016 +0100

    Avoid querying public keys for CKA_SENSITIVE and CKA_EXTRACTABLE
    
    This fails at least on SoftHSM2, and possibly on other PKCS#11 providers as well.
---
 src/p11_ec.c  | 17 +++--------------
 src/p11_rsa.c | 16 +++-------------
 2 files changed, 6 insertions(+), 27 deletions(-)

diff --git a/src/p11_ec.c b/src/p11_ec.c
index 3a7ca4d..7ff8159 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -97,7 +97,6 @@ static int ecdsa_ex_index = 0;
 static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY * key)
 {
 	EVP_PKEY *pk;
-	CK_BBOOL sensitive, extractable;
 	EC_KEY * ec = NULL;
 	CK_RV ckrv;
 	size_t ec_paramslen = 0;
@@ -118,13 +117,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY * key)
 	}
 	EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
 
-	if (key_getattr(key, CKA_SENSITIVE, &sensitive, sizeof(sensitive))
-			|| key_getattr(key, CKA_EXTRACTABLE, &extractable, sizeof(extractable))) {
-		EVP_PKEY_free(pk);
-		EC_KEY_free(ec);
-		return NULL;
-	}
-
 	/* For Openssl req we need at least the
 	 * EC_KEY_get0_group(ec_key)) to return the group.
 	 * Even if it fails will continue as a sign only does not need
@@ -179,13 +171,10 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY * key)
 	if (ec_params)
 		OPENSSL_free(ec_params);
 
-	if (sensitive || !extractable) {
-		ECDSA_set_method(ec, PKCS11_get_ecdsa_method());
-	} else if (key->isPrivate) {
-		/* TODO: Extract the ECDSA private key */
-		/* In the meantime lets use the card anyway */
+	if (key->isPrivate)
 		ECDSA_set_method(ec, PKCS11_get_ecdsa_method());
-	}
+	/* TODO: Extract the ECDSA private key instead, if the key
+	 * is marked as extractable (and not private?) */
 
 	ECDSA_set_ex_data(ec, ecdsa_ex_index, key);
 	EC_KEY_free(ec); /* drops our reference to it */
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index abab3ed..32e4871 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -89,13 +89,8 @@ static RSA *pkcs11_get_rsa(PKCS11_KEY * key)
 static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY * key)
 {
 	EVP_PKEY *pk;
-	CK_BBOOL sensitive, extractable;
 	RSA *rsa;
 
-	if (key_getattr(key, CKA_SENSITIVE, &sensitive, sizeof(sensitive))
-			|| key_getattr(key, CKA_EXTRACTABLE, &extractable, sizeof(extractable)))
-		return NULL;
-
 	rsa = pkcs11_get_rsa(key);
 	if (rsa == NULL)
 		return NULL;
@@ -106,15 +101,10 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY * key)
 	}
 	EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
 
-	/* If the key is not extractable, create a key object
-	 * that will use the card's functions to sign & decrypt */
-	if (sensitive || !extractable) {
+	if (key->isPrivate)
 		RSA_set_method(rsa, PKCS11_get_rsa_method());
-	} else if (key->isPrivate) {
-		/* TODO: Extract the RSA private key */
-		/* In the meantime lets use the card anyway */
-		RSA_set_method(rsa, PKCS11_get_rsa_method());
-	}
+	/* TODO: Extract the RSA private key instead, if the key
+	 * is marked as extractable (and not private?) */
 
 	rsa->flags |= RSA_FLAG_SIGN_VER;
 	RSA_set_ex_data(rsa, rsa_ex_index, key);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git