[pkg-opensc-commit] [opensc] 286/295: pkcs15init: use random id for secret key

Eric Dorland eric at moszumanska.debian.org
Sat Jun 24 21:11:41 UTC 2017


This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository opensc.

commit 137c6306d27d973103342ddf01e09d256b1eb802
Author: Timo Teräs <timo.teras at iki.fi>
Date:   Thu Apr 27 14:50:14 2017 +0300

    pkcs15init: use random id for secret key
    
    Calculating intrinsic key would probably be not wise, because
    it would leak out information about the secret key. Try to
    generate globally unique IDs just by using a random one.
---
 src/pkcs15init/pkcs15-lib.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
index 811c655..9339aeb 100644
--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
@@ -1879,12 +1879,16 @@ sc_pkcs15init_store_secret_key(struct sc_pkcs15_card *p15card, struct sc_profile
 			LOG_TEST_RET(ctx, SC_ERROR_INCOMPATIBLE_KEY, "Card does not support this key.");
 	}
 
-	/* Select a intrinsic Key ID if user didn't specify one */
-	r = sc_pkcs15init_select_intrinsic_id(p15card, profile, SC_PKCS15_TYPE_SKEY,
-			&keyargs->id, &keyargs->key);
-	LOG_TEST_RET(ctx, r, "Get intrinsic ID error");
+#ifdef ENABLE_OPENSSL
+	if (!keyargs->id.len) {
+		/* Calculating intrinsic Key ID for secret key does not make
+		 * sense - just generate random one */
+		if (RAND_bytes(keyargs->id.value, 20) == 1)
+			keyargs->id.len = 20;
+	}
+#endif
 
-	/* Make sure that private key's ID is the unique inside the PKCS#15 application */
+	/* Make sure that secret key's ID is the unique inside the PKCS#15 application */
 	r = sc_pkcs15_find_skey_by_id(p15card, &keyargs->id, NULL);
 	if (!r)
 		LOG_TEST_RET(ctx, SC_ERROR_NON_UNIQUE_ID, "Non unique ID of the secret key object");
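
Review bot: the new `if (!keyargs->id.len)` block leaves `keyargs->id.len` at 0 in two cases: when `RAND_bytes()` returns something other than 1, and when `ENABLE_OPENSSL` is not defined. In the second case the removed intrinsic-ID call has no replacement at all. Either way execution continues to `sc_pkcs15_find_skey_by_id()` with an empty ID and no log message. Suggest returning an error through `LOG_TEST_RET` when `RAND_bytes()` fails, and adding an `#else` branch that rejects an unspecified ID or falls back to another source of randomness. The literal `20` also appears twice with no visible bound against the size of `keyargs->id.value`; a named constant checked against `sizeof(keyargs->id.value)` would document the intended ID length.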

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/opensc.git


