[Opencryptoki-tech] Unextractable keys should not be revealed off the token

[bugant]

Hi there,
   as reported by PKCS#11 standard on the "Security considerations" section,
unextractbale keys cannot be revealed off the token neither in plaintext
nor in encrypted form.

The attached patch prevents the opencryptoki's software token to reveal
the value of a key in plaintext when its CKA_EXTRACTABLE attribute is
set to FALSE (even if the key is not a CKA_SENSITIVE one).

The patch referes to opencryptoki-2.3.2.

ciao ciao,
matteo.

--- template.c.orig	2010-10-07 10:27:49.000000000 +0200
+++ template.c	2010-10-07 10:41:31.000000000 +0200
@@ -1213,10 +1213,12 @@
 CK_BBOOL
 template_check_exportability( TEMPLATE *tmpl, CK_ATTRIBUTE_TYPE type )
 {
-   CK_ATTRIBUTE * attr = NULL;
+   CK_ATTRIBUTE * sensitive = NULL;
+   CK_ATTRIBUTE * extractable = NULL;
    CK_ULONG       class;
    CK_ULONG       subclass;
-   CK_BBOOL       val;
+   CK_BBOOL       sensitive_val;
+   CK_BBOOL       extractable_val;
 
 
    if (!tmpl)
@@ -1232,15 +1234,18 @@
    //       and secret key objects.  If object type is any other, then
    //       by default the attribute is exportable.
    //
-   //    2) If CKA_SENSITIVE = FALSE then all attributes are exportable
+   //    2) If CKA_SENSITIVE = FALSE  and CKA_EXTRACTABLE = TRUE then
+   //       all attributes are exportable
    //
    if (class != CKO_PRIVATE_KEY && class != CKO_SECRET_KEY)
       return TRUE;
 
-   val = template_attribute_find( tmpl, CKA_SENSITIVE, &attr );
-   if (val) {
-      val = *(CK_BBOOL *)attr->pValue;
-      if (val == FALSE)
+   sensitive_val = template_attribute_find( tmpl, CKA_SENSITIVE, &sensitive );
+   extractable_val = template_attribute_find( tmpl, CKA_EXTRACTABLE, &extractable );
+   if (sensitive_val && extractable_val) {
+      sensitive_val = *(CK_BBOOL *)sensitive->pValue;
+      extractable_val = *(CK_BBOOL *)extractable->pValue;
+      if (sensitive_val == FALSE && extractable_val == TRUE)
          return TRUE;
    }
    else {
@@ -1249,7 +1254,8 @@
       return FALSE;
    }
 
-   // at this point, we know the object must have CKA_SENSITIVE = TRUE.
+   // at this point, we know the object must have CKA_SENSITIVE = TRUE
+   // or CKA_EXTRACTABLE = FALSE (or both).
    // need to determine whether the particular attribute in question is
    // a "sensitive" attribute.
    //

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Opencryptoki-tech mailing list
Opencryptoki-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech