[pkg-opensc-commit] [libp11] 59/67: Avoid querying public keys for CKA_SENSITIVE and CKA_EXTRACTABLE
Eric Dorland
eric at moszumanska.debian.org
Sat Jan 30 05:34:17 UTC 2016
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository libp11.
commit 90387131801cec36ffe65625d11957f69f361dfb
Author: Michał Trojnara <Michal.Trojnara at stunnel.org>
Date: Thu Jan 21 17:20:02 2016 +0100
Avoid querying public keys for CKA_SENSITIVE and CKA_EXTRACTABLE
This fails at least on SoftHSM2, and possibly on other PKCS#11 providers as well.
---
src/p11_ec.c | 17 +++--------------
src/p11_rsa.c | 16 +++-------------
2 files changed, 6 insertions(+), 27 deletions(-)
diff --git a/src/p11_ec.c b/src/p11_ec.c
index 3a7ca4d..7ff8159 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -97,7 +97,6 @@ static int ecdsa_ex_index = 0;
static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY * key)
{
EVP_PKEY *pk;
- CK_BBOOL sensitive, extractable;
EC_KEY * ec = NULL;
CK_RV ckrv;
size_t ec_paramslen = 0;
@@ -118,13 +117,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY * key)
}
EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
- if (key_getattr(key, CKA_SENSITIVE, &sensitive, sizeof(sensitive))
- || key_getattr(key, CKA_EXTRACTABLE, &extractable, sizeof(extractable))) {
- EVP_PKEY_free(pk);
- EC_KEY_free(ec);
- return NULL;
- }
-
/* For Openssl req we need at least the
* EC_KEY_get0_group(ec_key)) to return the group.
* Even if it fails will continue as a sign only does not need
@@ -179,13 +171,10 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY * key)
if (ec_params)
OPENSSL_free(ec_params);
- if (sensitive || !extractable) {
- ECDSA_set_method(ec, PKCS11_get_ecdsa_method());
- } else if (key->isPrivate) {
- /* TODO: Extract the ECDSA private key */
- /* In the meantime lets use the card anyway */
+ if (key->isPrivate)
ECDSA_set_method(ec, PKCS11_get_ecdsa_method());
- }
+ /* TODO: Extract the ECDSA private key instead, if the key
+ * is marked as extractable (and not private?) */
ECDSA_set_ex_data(ec, ecdsa_ex_index, key);
EC_KEY_free(ec); /* drops our reference to it */
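Review bot: The TODO added after `if (key->isPrivate)` is ambiguous with its "(and not private?)". In PKCS#11, CKA_SENSITIVE and CKA_EXTRACTABLE are attributes of private and secret key objects, so a future extraction path would have to query them only when `key->isPrivate` is set, and a sensitive key should keep using the token method. I would reword it as `/* TODO: query CKA_SENSITIVE/CKA_EXTRACTABLE only for private key objects; keep the token method unless the key is extractable and not sensitive */` and brace the `if`, so the comment is not read as part of its body. The same comment and unbraced `if` appear in the last hunk of src/p11_rsa.c. The body of pkcs11_get_evp_key_ec starts and ends outside this hunk.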
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index abab3ed..32e4871 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -89,13 +89,8 @@ static RSA *pkcs11_get_rsa(PKCS11_KEY * key)
static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY * key)
{
EVP_PKEY *pk;
- CK_BBOOL sensitive, extractable;
RSA *rsa;
- if (key_getattr(key, CKA_SENSITIVE, &sensitive, sizeof(sensitive))
- || key_getattr(key, CKA_EXTRACTABLE, &extractable, sizeof(extractable)))
- return NULL;
-
rsa = pkcs11_get_rsa(key);
if (rsa == NULL)
return NULL;
@@ -106,15 +101,10 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY * key)
}
EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
- /* If the key is not extractable, create a key object
- * that will use the card's functions to sign & decrypt */
- if (sensitive || !extractable) {
+ if (key->isPrivate)
RSA_set_method(rsa, PKCS11_get_rsa_method());
- } else if (key->isPrivate) {
- /* TODO: Extract the RSA private key */
- /* In the meantime lets use the card anyway */
- RSA_set_method(rsa, PKCS11_get_rsa_method());
- }
+ /* TODO: Extract the RSA private key instead, if the key
+ * is marked as extractable (and not private?) */
rsa->flags |= RSA_FLAG_SIGN_VER;
RSA_set_ex_data(rsa, rsa_ex_index, key);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git