PKCS-11v2-20rc3, page 178 states,
C_WrapKey can be used to wrap a private key with any secret key.
This patch allows that to happen.
I also cleaned up some of the rsa testcases while testing this.
I could not find where we support CKM_GENERIC_SECRET_KEY_GEN, so
removed reference to it in testcase.
I will integrate this patch Monday, July 11, if there are no objections
or comments.
Thanks!
regards,
Joy Latten
diff --git a/testcases/driver/rsa_func.c b/testcases/driver/rsa_func.c
index 5d1db7b..6f48233 100755
--- a/testcases/driver/rsa_func.c
+++ b/testcases/driver/rsa_func.c
@@ -1247,9 +1247,10 @@ CK_RV do_GenerateWrapUnwrapRSA(
goto testcase_cleanup;
}
- /* Now extract the CKA_CLASS and CKA_KEY_TYPE from generated
key *
- * We will use this for unwrapping
*
- * Take sizes first
*/
+ /* Now extract the CKA_CLASS and CKA_KEY_TYPE from generated
key
+ * We will use this for unwrapping
+ * Take sizes first
+ */
rc = funcs->C_GetAttributeValue(session, secret_key,
unwrap_tmpl, 2);
if (rc != CKR_OK) {
testcase_fail("C_GetAttributeValue() rc = %s",
@@ -1306,14 +1307,11 @@ CK_RV do_GenerateWrapUnwrapRSA(
/* now recover it */
- /* x.509 + variable key length specific case:
- * x.509 can't handle lengths right, so according to page 242
from
- * the PKCS#11 spec (v2.11), "If the resulting plaintext is to
be
- * used to produce an unwrapped key, then however many bytes
are
- * specified in the template for the length of the key are
taken
- * from the end of this sequence of bytes."
- */
- if (mechtype == CKM_RSA_X_509 && keytype == CKM_AES_KEY_GEN) {
+ /* take into account that AES has varying keysize.
+ * Including CKA_VALUE_LEN will allow extracting key
+ * should there had been any padding added to what we get back.
+ */
+ if (keytype == CKM_AES_KEY_GEN) {
unwrap_tmpl[2].type = CKA_VALUE_LEN;
unwrap_tmpl[2].ulValueLen = sizeof(keylen);
unwrap_tmpl[2].pValue = &keylen;
@@ -1322,54 +1320,46 @@ CK_RV do_GenerateWrapUnwrapRSA(
wrapped_keylen, unwrap_tmpl, 3,
&unwrapped_key);
}
else {
-
rc = funcs->C_UnwrapKey(session, &mech3, priv_key,
wrapped_key,
wrapped_keylen, unwrap_tmpl, 2,
&unwrapped_key);
}
if (rc != CKR_OK) {
- testcase_fail("C_UnwrapKey() rc = %s",
- p11_get_ckr(rc));
+ testcase_fail("C_UnwrapKey() rc = %s",
p11_get_ckr(rc));
goto testcase_cleanup;
}
- /* Get CKA_VALUE_LEN (if applicable) from both keys, *
- * compare */
- switch(keytype) {
- case CKM_GENERIC_SECRET_KEY_GEN: /* generic key
*/
- case CKM_RC4_KEY_GEN: /* RC4 */
- case CKM_RC5_KEY_GEN: /* RC5 */
- case CKM_AES_KEY_GEN: /* AES */
- /* Note that RC2, CAST, CAST3 and CAST128 also
*
- * require CKA_VALUE_LEN
*/
- rc = funcs->C_GetAttributeValue(session,
secret_key,
- secret_value_len, 1);
- if (rc != CKR_OK) {
- testcase_fail("C_GetAttributeValue() rc
= %s",
- p11_get_ckr(rc));
- goto testcase_cleanup;
- }
-
- rc = funcs->C_GetAttributeValue(session,
unwrapped_key,
- unwrapped_value_len, 1);
- if (rc != CKR_OK) {
- testcase_fail("C_GetAttributeValue() rc
= %s",
- p11_get_ckr(rc));
- goto testcase_cleanup;
- }
-
- if ( *((CK_ULONG_PTR)
secret_value_len[0].pValue) !=
- *((CK_ULONG_PTR)
unwrapped_value_len[0].pValue) ) {
- testcase_fail("CKA_VALUE_LEN value
differs (original %lu, unwrapped %lu)",
- *((CK_ULONG_PTR)
secret_value_len[0].pValue),
- *((CK_ULONG_PTR)
unwrapped_value_len[0].pValue));
- rc = -1;
- goto testcase_cleanup;
- }
- }
+ /* Get CKA_VALUE_LEN (if applicable) from both keys,
+ * compare
+ */
+ if (keytype == CKM_AES_KEY_GEN) {
+ rc = funcs->C_GetAttributeValue(session, secret_key,
+ secret_value_len, 1);
+ if (rc != CKR_OK) {
+ testcase_fail("C_GetAttributeValue() rc = %s",
+ p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+
+ rc = funcs->C_GetAttributeValue(session, unwrapped_key,
+ unwrapped_value_len, 1);
+ if (rc != CKR_OK) {
+ testcase_fail("C_GetAttributeValue() rc = %s",
+ p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+
+ if (*((CK_ULONG_PTR) secret_value_len[0].pValue) !=
+ *((CK_ULONG_PTR) unwrapped_value_len[0].pValue)) {
+ testcase_fail("CKA_VALUE_LEN value differs (original
%lu, unwrapped
%lu)", *((CK_ULONG_PTR) secret_value_len[0].pValue), *((CK_ULONG_PTR)
unwrapped_value_len[0].pValue));
+ rc = -1;
+ goto testcase_cleanup;
+ }
+ }
- /* Now need to get CKA_VALUE from both original and *
- * unwrapped keys, and compare byte-by-byte */
+ /* Now need to get CKA_VALUE from both original and
+ * unwrapped keys, and compare byte-by-byte
+ */
/* Get sizes for both the original and unwrapped key's
CKA_VALUES */
rc = funcs->C_GetAttributeValue(session, secret_key,
secret_value, 1);
@@ -1386,9 +1376,10 @@ CK_RV do_GenerateWrapUnwrapRSA(
goto testcase_cleanup;
}
- /* We're not checking if ulValueLen is the same for both
original and *
- * unwrapped keys simply because then "can" be different
(that's why *
- * we have CKA_VALUE_LEN)
*/
+ /* We're not checking if ulValueLen is the same for both
original and
+ * unwrapped keys simply because then "can" be different
(that's why
+ * we have CKA_VALUE_LEN)
+ */
/* now do some allocation */
secret_value[0].pValue = calloc(sizeof(CK_BYTE),
secret_value[0].ulValueLen);
@@ -1420,8 +1411,9 @@ CK_RV do_GenerateWrapUnwrapRSA(
goto testcase_cleanup;
}
- /* compare. For Keys with variable size, CKA_VALUE_LEN should
be the *
- * same as the original key's ulValueLen
*/
+ /* compare. For Keys with variable size, CKA_VALUE_LEN should
be the
+ * same as the original key's ulValueLen
+ */
for (i = 0; i < secret_value[0].ulValueLen; i++) {
if ( ((CK_BYTE_PTR) secret_value[0].pValue)[i] !=
((CK_BYTE_PTR) unwrapped_value[0].pValue)[i]) {
testcase_fail("Unwrapped key differs in byte %
lu", i);
@@ -2563,133 +2555,101 @@ CK_RV run_GenerateWrapUnwrapRSAPKCS()
// mod bits = 512. Secret keys up to 64 bytes
// publ exp = 3
- { CKM_RSA_PKCS, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
64 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 17 (big endian format)
- { CKM_RSA_PKCS, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
64 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 65537
- { CKM_RSA_PKCS, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
64 , CKM_GENERIC_SECRET_KEY_GEN },
// mod bits = 768. Secret keys up to 96 bytes
// publ exp = 3
- { CKM_RSA_PKCS, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
96 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 17 (big endian format)
- { CKM_RSA_PKCS, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
96 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 65537
- { CKM_RSA_PKCS, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
96 , CKM_GENERIC_SECRET_KEY_GEN },
// mod bits = 1024. Secret keys up to 128 bytes
// publ exp = 3
- { CKM_RSA_PKCS, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
128 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 17 (big endian format)
- { CKM_RSA_PKCS, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
128 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 65537
- { CKM_RSA_PKCS, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
128 , CKM_GENERIC_SECRET_KEY_GEN },
// mod bits = 2048. Secret keys up to 256 bytes
// publ exp = 3
- { CKM_RSA_PKCS, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
256 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 17 (big endian format)
- { CKM_RSA_PKCS, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
256 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 65537
- { CKM_RSA_PKCS, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
256 , CKM_GENERIC_SECRET_KEY_GEN },
// mod bits = 4096. Secret keys up to 512 bytes
// publ exp = 3
- { CKM_RSA_PKCS, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
512 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 17 (big endian format)
- { CKM_RSA_PKCS, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
512 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 65537
- { CKM_RSA_PKCS, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_PKCS, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_PKCS, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
512 , CKM_GENERIC_SECRET_KEY_GEN },
};
-
-
for (i = 0;
i < (sizeof(inputdata) / sizeof(struct _inputparam));
i++) {
@@ -2729,133 +2689,101 @@ CK_RV run_GenerateWrapUnwrapRSAX509()
// mod bits = 512. Secret keys up to 64 bytes
// publ exp = 3
- { CKM_RSA_X_509, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 512 , 1, { 0x03, 0x00, 0x00, 0x00 },
64 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 17 (big endian format)
- { CKM_RSA_X_509, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 512 , 2, { 0x00, 0x11, 0x00, 0x00 },
64 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 65537
- { CKM_RSA_X_509, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 512 , 3, { 0x01, 0x00, 0x01, 0x00 },
64 , CKM_GENERIC_SECRET_KEY_GEN },
// mod bits = 768. Secret keys up to 96 bytes
// publ exp = 3
- { CKM_RSA_X_509, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 768 , 1, { 0x03, 0x00, 0x00, 0x00 },
96 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 17 (big endian format)
- { CKM_RSA_X_509, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 768 , 2, { 0x00, 0x11, 0x00, 0x00 },
96 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 65537
- { CKM_RSA_X_509, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 768 , 3, { 0x01, 0x00, 0x01, 0x00 },
96 , CKM_GENERIC_SECRET_KEY_GEN },
// mod bits = 1024. Secret keys up to 128 bytes
// publ exp = 3
- { CKM_RSA_X_509, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 1024, 1, { 0x03, 0x00, 0x00, 0x00 },
128 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 17 (big endian format)
- { CKM_RSA_X_509, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 1024, 2, { 0x00, 0x11, 0x00, 0x00 },
128 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 65537
- { CKM_RSA_X_509, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 1024, 3, { 0x01, 0x00, 0x01, 0x00 },
128 , CKM_GENERIC_SECRET_KEY_GEN },
// mod bits = 2048. Secret keys up to 256 bytes
// publ exp = 3
- { CKM_RSA_X_509, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 2048, 1, { 0x03, 0x00, 0x00, 0x00 },
256 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 17 (big endian format)
- { CKM_RSA_X_509, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 2048, 2, { 0x00, 0x11, 0x00, 0x00 },
256 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 65537
- { CKM_RSA_X_509, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 2048, 3, { 0x01, 0x00, 0x01, 0x00 },
256 , CKM_GENERIC_SECRET_KEY_GEN },
// mod bits = 4096. Secret keys up to 512 bytes
// publ exp = 3
- { CKM_RSA_X_509, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 4096, 1, { 0x03, 0x00, 0x00, 0x00 },
512 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 17 (big endian format)
- { CKM_RSA_X_509, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 4096, 2, { 0x00, 0x11, 0x00, 0x00 },
512 , CKM_GENERIC_SECRET_KEY_GEN },
// publ exp = 65537
- { CKM_RSA_X_509, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
1 , CKM_GENERIC_SECRET_KEY_GEN },
{ CKM_RSA_X_509, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_CDMF_KEY_GEN },
{ CKM_RSA_X_509, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
8 , CKM_DES_KEY_GEN },
{ CKM_RSA_X_509, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
24 , CKM_DES3_KEY_GEN },
{ CKM_RSA_X_509, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
16 , CKM_AES_KEY_GEN },
{ CKM_RSA_X_509, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
32 , CKM_AES_KEY_GEN },
- { CKM_RSA_X_509, 4096, 3, { 0x01, 0x00, 0x01, 0x00 },
512 , CKM_GENERIC_SECRET_KEY_GEN },
};
-
-
for (i = 0;
i < (sizeof(inputdata) / sizeof(struct _inputparam));
i++) {
diff --git a/usr/lib/pkcs11/cca_stdll/key_mgr.c
b/usr/lib/pkcs11/cca_stdll/key_mgr.c
index a319236..cfe587d 100644
--- a/usr/lib/pkcs11/cca_stdll/key_mgr.c
+++ b/usr/lib/pkcs11/cca_stdll/key_mgr.c
@@ -848,10 +848,24 @@ key_mgr_wrap_key( SESSION * sess,
else
class = *(CK_OBJECT_CLASS *)attr->pValue;
+ // pkcs-11v2-20rc3, page 178
+ // C_WrapKey can be used in following situations:
+ // To wrap any secret key with a public key that supports encryption
+ // and decryption.
+ // To wrap any secret key with any other secret key. Consideration
must
+ // be given to key size and mechanism strength or the token may
not allow
+ // the operation.
+ // To wrap a private key with any secret key.
+ //
+ // These can be deduced to:
+ // A public key or a secret key can be used to wrap a secret key.
+ // A secret key can be used to wrap a private key.
+
switch (mech->mechanism) {
#if !(NOCDMF)
case CKM_CDMF_ECB:
case CKM_CDMF_CBC:
+ case CKM_CDMF_CBC_PAD:
#endif
case CKM_DES_ECB:
case CKM_DES_CBC:
@@ -859,20 +873,13 @@ key_mgr_wrap_key( SESSION * sess,
case CKM_DES3_CBC:
case CKM_AES_ECB:
case CKM_AES_CBC:
- if (class != CKO_SECRET_KEY){
- OCK_LOG_ERR(ERR_KEY_NOT_WRAPPABLE);
- return CKR_KEY_NOT_WRAPPABLE;
- }
- break;
-
-#if !(NOCDMF)
- case CKM_CDMF_CBC_PAD:
-#endif
case CKM_DES_CBC_PAD:
case CKM_DES3_CBC_PAD:
case CKM_AES_CBC_PAD:
- // these mechanisms can wrap any type of key
- //
+ if ((class != CKO_SECRET_KEY) && (class != CKO_PRIVATE_KEY)) {
+ OCK_LOG_ERR(ERR_KEY_NOT_WRAPPABLE);
+ return CKR_KEY_NOT_WRAPPABLE;
+ }
break;
case CKM_RSA_PKCS:
@@ -1081,10 +1088,19 @@ key_mgr_unwrap_key( SESSION * sess,
found_class = FALSE;
found_type = FALSE;
- // some mechanisms are restricted to wrapping certain types of keys.
- // in these cases, the CKA_CLASS attribute is implied and isn't
required
- // to be specified in the template (though it still may appear)
+ // pkcs-11v2-20rc3, page 178
+ // C_WrapKey can be used in following situations:
+ // To wrap any secret key with a public key that supports encryption
+ // and decryption.
+ // To wrap any secret key with any other secret key. Consideration
must
+ // be given to key size and mechanism strength or the token may
not allow
+ // the operation.
+ // To wrap a private key with any secret key.
//
+ // These can be deduced to:
+ // A public key or a secret key can be used to wrap a secret key.
+ // A secret key can be used to wrap a private key.
+
switch (mech->mechanism) {
case CKM_RSA_PKCS:
case CKM_RSA_X_509:
@@ -1095,6 +1111,7 @@ key_mgr_unwrap_key( SESSION * sess,
#if !(NOCMF)
case CKM_CDMF_ECB:
case CKM_CDMF_CBC:
+ case CKM_CDMF_CBC_PAD:
#endif
case CKM_DES_ECB:
case CKM_DES_CBC:
@@ -1102,19 +1119,16 @@ key_mgr_unwrap_key( SESSION * sess,
case CKM_DES3_CBC:
case CKM_AES_ECB:
case CKM_AES_CBC:
- keyclass = CKO_SECRET_KEY;
- found_class = TRUE;
- break;
-
-#if !(NOCMF)
- case CKM_CDMF_CBC_PAD:
-#endif
case CKM_DES_CBC_PAD:
case CKM_DES3_CBC_PAD:
case CKM_AES_CBC_PAD:
// these mechanisms can wrap any type of key so nothing is
implied
//
break;
+
+ default:
+ OCK_LOG_ERR(ERR_MECHANISM_INVALID);
+ return CKR_MECHANISM_INVALID;
}
@@ -1145,47 +1159,15 @@ CKO_PRIVATE_KEY)){
return CKR_TEMPLATE_INCOMPLETE;
}
- // final check to see if mechanism is allowed to unwrap such a key
+ // Check again that a public key only wraps/unwraps a secret key.
//
- switch (mech->mechanism) {
- case CKM_RSA_PKCS:
- case CKM_RSA_X_509:
- if (keyclass != CKO_SECRET_KEY){
- OCK_LOG_ERR(ERR_TEMPLATE_INCONSISTENT);
- return CKR_TEMPLATE_INCONSISTENT;
- }
- break;
-
-#if !(NOCMF)
- case CKM_CDMF_ECB:
- case CKM_CDMF_CBC:
-#endif
- case CKM_DES_ECB:
- case CKM_DES_CBC:
- case CKM_DES3_ECB:
- case CKM_DES3_CBC:
- case CKM_AES_ECB:
- case CKM_AES_CBC:
- if (keyclass != CKO_SECRET_KEY){
- OCK_LOG_ERR(ERR_TEMPLATE_INCONSISTENT);
- return CKR_TEMPLATE_INCONSISTENT;
- }
- break;
-
-#if !(NOCMF)
- case CKM_CDMF_CBC_PAD:
-#endif
- case CKM_DES_CBC_PAD:
- case CKM_DES3_CBC_PAD:
- case CKM_AES_CBC_PAD:
- break;
-
- default:
- OCK_LOG_ERR(ERR_MECHANISM_INVALID);
- return CKR_MECHANISM_INVALID;
+ if ((mech->mechanism == CKM_RSA_PKCS) || (mech->mechanism ==
CKM_RSA_X_509)) {
+ if (keyclass != CKO_SECRET_KEY){
+ OCK_LOG_ERR(ERR_TEMPLATE_INCONSISTENT);
+ return CKR_TEMPLATE_INCONSISTENT;
+ }
}
-
// looks okay...do the decryption
//
ctx = (ENCR_DECR_CONTEXT *)malloc(sizeof(ENCR_DECR_CONTEXT));
diff --git a/usr/lib/pkcs11/common/key_mgr.c
b/usr/lib/pkcs11/common/key_mgr.c
index 5666d36..2a27984 100755
--- a/usr/lib/pkcs11/common/key_mgr.c
+++ b/usr/lib/pkcs11/common/key_mgr.c
@@ -825,22 +825,35 @@ key_mgr_wrap_key( SESSION * sess,
}
}
-
// what kind of key are we trying to wrap? make sure the mechanism
is
// allowed to wrap this kind of key
//
rc = template_attribute_find( key2_obj->template, CKA_CLASS,
&attr );
- if (rc == FALSE){
+ if (rc == FALSE) {
OCK_LOG_ERR(ERR_KEY_NOT_WRAPPABLE);
return CKR_KEY_NOT_WRAPPABLE;
}
else
class = *(CK_OBJECT_CLASS *)attr->pValue;
+ // pkcs-11v2-20rc3, page 178
+ // C_WrapKey can be used in following situations:
+ // To wrap any secret key with a public key that supports encryption
+ // and decryption.
+ // To wrap any secret key with any other secret key. Consideration
must
+ // be given to key size and mechanism strength or the token may
not allow
+ // the operation.
+ // To wrap a private key with any secret key.
+ //
+ // These can be deduced to:
+ // A public key or a secret key can be used to wrap a secret key.
+ // A secret key can be used to wrap a private key.
+
switch (mech->mechanism) {
#if !(NOCDMF)
case CKM_CDMF_ECB:
case CKM_CDMF_CBC:
+ case CKM_CDMF_CBC_PAD:
#endif
case CKM_DES_ECB:
case CKM_DES_CBC:
@@ -848,28 +861,15 @@ key_mgr_wrap_key( SESSION * sess,
case CKM_DES3_CBC:
case CKM_AES_ECB:
case CKM_AES_CBC:
- if (class != CKO_SECRET_KEY){
- OCK_LOG_ERR(ERR_KEY_NOT_WRAPPABLE);
- return CKR_KEY_NOT_WRAPPABLE;
- }
- break;
case CKM_AES_CTR:
- if (class != CKO_SECRET_KEY)
- {
- OCK_LOG_ERR(ERR_KEY_NOT_WRAPPABLE);
- return CKR_KEY_NOT_WRAPPABLE;
- }
- break;
-
-#if !(NOCDMF)
- case CKM_CDMF_CBC_PAD:
-#endif
case CKM_DES_CBC_PAD:
case CKM_DES3_CBC_PAD:
case CKM_AES_CBC_PAD:
- // these mechanisms can wrap any type of key
- //
- break;
+ if ((class != CKO_SECRET_KEY) && (class != CKO_PRIVATE_KEY)) {
+ OCK_LOG_ERR(ERR_KEY_NOT_WRAPPABLE);
+ return CKR_KEY_NOT_WRAPPABLE;
+ }
+ break;
case CKM_RSA_PKCS:
case CKM_RSA_X_509:
@@ -975,6 +975,7 @@ key_mgr_wrap_key( SESSION * sess,
#ifndef NOAES
case CKM_AES_ECB:
case CKM_AES_CBC:
+ case CKM_AES_CTR:
rc = ckm_aes_wrap_format( length_only, &data, &data_len );
if (rc != CKR_OK) {
OCK_LOG_ERR(ERR_AES_WRAP_FORMAT);
@@ -982,15 +983,6 @@ key_mgr_wrap_key( SESSION * sess,
return rc;
}
break;
- case CKM_AES_CTR:
- rc = ckm_aes_wrap_format( length_only, &data, &data_len );
- if (rc != CKR_OK)
- {
- OCK_LOG_ERR(ERR_AES_WRAP_FORMAT);
- if (data) free( data );
- return rc;
- }
- break;
#endif
#if !(NOCMF)
case CKM_CDMF_CBC_PAD:
@@ -1078,16 +1070,30 @@ key_mgr_unwrap_key( SESSION * sess,
found_class = FALSE;
found_type = FALSE;
- // some mechanisms are restricted to wrapping certain types of keys.
- // in these cases, the CKA_CLASS attribute is implied and isn't
required
- // to be specified in the template (though it still may appear)
+ // pkcs-11v2-20rc3, page 178
+ // C_WrapKey can be used in following situations:
+ // To wrap any secret key with a public key that supports encryption
+ // and decryption.
+ // To wrap any secret key with any other secret key. Consideration
must
+ // be given to key size and mechanism strength or the token may
not allow
+ // the operation.
+ // To wrap a private key with any secret key.
//
+ // These can be deduced to:
+ // A public key or a secret key can be used to wrap a secret key.
+ // A secret key can be used to wrap a private key.
+
switch (mech->mechanism) {
case CKM_RSA_PKCS:
case CKM_RSA_X_509:
+ keyclass = CKO_SECRET_KEY;
+ found_class = TRUE;
+ break;
+
#if !(NOCMF)
case CKM_CDMF_ECB:
case CKM_CDMF_CBC:
+ case CKM_CDMF_CBC_PAD:
#endif
case CKM_DES_ECB:
case CKM_DES_CBC:
@@ -1095,23 +1101,17 @@ key_mgr_unwrap_key( SESSION * sess,
case CKM_DES3_CBC:
case CKM_AES_ECB:
case CKM_AES_CBC:
- keyclass = CKO_SECRET_KEY;
- found_class = TRUE;
- break;
case CKM_AES_CTR:
- keyclass = CKO_SECRET_KEY;
- found_class = TRUE;
- break;
-
-#if !(NOCMF)
- case CKM_CDMF_CBC_PAD:
-#endif
case CKM_DES_CBC_PAD:
case CKM_DES3_CBC_PAD:
case CKM_AES_CBC_PAD:
// these mechanisms can wrap any type of key so nothing is
implied
//
break;
+
+ default:
+ OCK_LOG_ERR(ERR_MECHANISM_INVALID);
+ return CKR_MECHANISM_INVALID;
}
@@ -1135,55 +1135,22 @@ key_mgr_unwrap_key( SESSION * sess,
// if we're unwrapping a private key, we can extract the key type
from
// the BER-encoded information
- //
+
if (found_class == FALSE || (found_type == FALSE && keyclass !=
CKO_PRIVATE_KEY)){
OCK_LOG_ERR(ERR_TEMPLATE_INCOMPLETE);
return CKR_TEMPLATE_INCOMPLETE;
}
- // final check to see if mechanism is allowed to unwrap such a key
- //
- switch (mech->mechanism) {
- case CKM_RSA_PKCS:
- case CKM_RSA_X_509:
-#if !(NOCMF)
- case CKM_CDMF_ECB:
- case CKM_CDMF_CBC:
-#endif
- case CKM_DES_ECB:
- case CKM_DES_CBC:
- case CKM_DES3_ECB:
- case CKM_DES3_CBC:
- case CKM_AES_ECB:
- case CKM_AES_CBC:
- if (keyclass != CKO_SECRET_KEY){
- OCK_LOG_ERR(ERR_TEMPLATE_INCONSISTENT);
- return CKR_TEMPLATE_INCONSISTENT;
- }
- break;
- case CKM_AES_CTR:
- if (keyclass != CKO_SECRET_KEY){
- OCK_LOG_ERR(ERR_TEMPLATE_INCONSISTENT);
- return CKR_TEMPLATE_INCONSISTENT;
- }
- break;
-
+ // Check again that a public key only wraps/unwraps a secret key.
-#if !(NOCMF)
- case CKM_CDMF_CBC_PAD:
-#endif
- case CKM_DES_CBC_PAD:
- case CKM_DES3_CBC_PAD:
- case CKM_AES_CBC_PAD:
- break;
-
- default:
- OCK_LOG_ERR(ERR_MECHANISM_INVALID);
- return CKR_MECHANISM_INVALID;
+ if ((mech->mechanism == CKM_RSA_PKCS) || (mech->mechanism ==
CKM_RSA_X_509)){
+ if (keyclass != CKO_SECRET_KEY) {
+ OCK_LOG_ERR(ERR_TEMPLATE_INCONSISTENT);
+ return CKR_TEMPLATE_INCONSISTENT;
+ }
}
-
// looks okay...do the decryption
//
ctx = (ENCR_DECR_CONTEXT *)malloc(sizeof(ENCR_DECR_CONTEXT));
diff --git a/usr/lib/pkcs11/tpm_stdll/key_mgr.c
b/usr/lib/pkcs11/tpm_stdll/key_mgr.c
index 0b8cea4..9a5494c 100644
--- a/usr/lib/pkcs11/tpm_stdll/key_mgr.c
+++ b/usr/lib/pkcs11/tpm_stdll/key_mgr.c
@@ -572,10 +572,24 @@ key_mgr_wrap_key( SESSION * sess,
else
class = *(CK_OBJECT_CLASS *)attr->pValue;
+ // pkcs-11v2-20rc3, page 178
+ // C_WrapKey can be used in following situations:
+ // To wrap any secret key with a public key that supports encryption
+ // and decryption.
+ // To wrap any secret key with any other secret key. Consideration
must
+ // be given to key size and mechanism strength or the token may
not allow
+ // the operation.
+ // To wrap a private key with any secret key.
+ //
+ // These can be deduced to:
+ // A public key or a secret key can be used to wrap a secret key.
+ // A secret key can be used to wrap a private key.
+
switch (mech->mechanism) {
#if !(NOCDMF)
case CKM_CDMF_ECB:
case CKM_CDMF_CBC:
+ case CKM_CDMF_CBC_PAD:
#endif
case CKM_DES_ECB:
case CKM_DES_CBC:
@@ -583,20 +597,13 @@ key_mgr_wrap_key( SESSION * sess,
case CKM_DES3_CBC:
case CKM_AES_ECB:
case CKM_AES_CBC:
- if (class != CKO_SECRET_KEY){
- OCK_LOG_ERR(ERR_KEY_NOT_WRAPPABLE);
- return CKR_KEY_NOT_WRAPPABLE;
- }
- break;
-
-#if !(NOCDMF)
- case CKM_CDMF_CBC_PAD:
-#endif
case CKM_DES_CBC_PAD:
case CKM_DES3_CBC_PAD:
case CKM_AES_CBC_PAD:
- // these mechanisms can wrap any type of key
- //
+ if ((class != CKO_SECRET_KEY) && (class != CKO_PRIVATE_KEY)) {
+ OCK_LOG_ERR(ERR_KEY_NOT_WRAPPABLE);
+ return CKR_KEY_NOT_WRAPPABLE;
+ }
break;
case CKM_RSA_PKCS:
@@ -800,10 +807,19 @@ key_mgr_unwrap_key( SESSION * sess,
found_class = FALSE;
found_type = FALSE;
- // some mechanisms are restricted to wrapping certain types of keys.
- // in these cases, the CKA_CLASS attribute is implied and isn't
required
- // to be specified in the template (though it still may appear)
+ // pkcs-11v2-20rc3, page 178
+ // C_WrapKey can be used in following situations:
+ // To wrap any secret key with a public key that supports encryption
+ // and decryption.
+ // To wrap any secret key with any other secret key. Consideration
must
+ // be given to key size and mechanism strength or the token may
not allow
+ // the operation.
+ // To wrap a private key with any secret key.
//
+ // These can be deduced to:
+ // A public key or a secret key can be used to wrap a secret key.
+ // A secret key can be used to wrap a private key.
+
switch (mech->mechanism) {
case CKM_RSA_PKCS:
keyclass = CKO_SECRET_KEY;
@@ -813,6 +829,7 @@ key_mgr_unwrap_key( SESSION * sess,
#if !(NOCMF)
case CKM_CDMF_ECB:
case CKM_CDMF_CBC:
+ case CKM_CDMF_CBC_PAD:
#endif
case CKM_DES_ECB:
case CKM_DES_CBC:
@@ -820,13 +837,6 @@ key_mgr_unwrap_key( SESSION * sess,
case CKM_DES3_CBC:
case CKM_AES_ECB:
case CKM_AES_CBC:
- keyclass = CKO_SECRET_KEY;
- found_class = TRUE;
- break;
-
-#if !(NOCMF)
- case CKM_CDMF_CBC_PAD:
-#endif
case CKM_DES_CBC_PAD:
case CKM_DES3_CBC_PAD:
case CKM_AES_CBC_PAD:
@@ -835,7 +845,6 @@ key_mgr_unwrap_key( SESSION * sess,
break;
}
-
// extract key type and key class from the template if they exist.
we
// have to scan the entire template in case the CKA_CLASS or
CKA_KEY_TYPE
// attributes are duplicated
@@ -863,46 +872,14 @@ CKO_PRIVATE_KEY)){
return CKR_TEMPLATE_INCOMPLETE;
}
- // final check to see if mechanism is allowed to unwrap such a key
- //
- switch (mech->mechanism) {
- case CKM_RSA_PKCS:
+ // Check again that a public key only wraps/unwraps a secret key.
+ if (mech->mechanism == CKM_RSA_PKCS) {
if (keyclass != CKO_SECRET_KEY){
OCK_LOG_ERR(ERR_TEMPLATE_INCONSISTENT);
return CKR_TEMPLATE_INCONSISTENT;
}
- break;
-
-#if !(NOCMF)
- case CKM_CDMF_ECB:
- case CKM_CDMF_CBC:
-#endif
- case CKM_DES_ECB:
- case CKM_DES_CBC:
- case CKM_DES3_ECB:
- case CKM_DES3_CBC:
- case CKM_AES_ECB:
- case CKM_AES_CBC:
- if (keyclass != CKO_SECRET_KEY){
- OCK_LOG_ERR(ERR_TEMPLATE_INCONSISTENT);
- return CKR_TEMPLATE_INCONSISTENT;
- }
- break;
-
-#if !(NOCMF)
- case CKM_CDMF_CBC_PAD:
-#endif
- case CKM_DES_CBC_PAD:
- case CKM_DES3_CBC_PAD:
- case CKM_AES_CBC_PAD:
- break;
-
- default:
- OCK_LOG_ERR(ERR_MECHANISM_INVALID);
- return CKR_MECHANISM_INVALID;
}
-
// looks okay...do the decryption
//
ctx = (ENCR_DECR_CONTEXT *)malloc(sizeof(ENCR_DECR_CONTEXT));
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Opencryptoki-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
