OpenCryptoki is not correctly deriving CKA_MODULUS_BITS when creating an object with C_ObjectCreate(). This value must be derived from CKA_MODULUS, which is a required attribute for C_ObjectCreate() when dealing with RSA Public Keys.
The most obvios symptom is a CKR_FUNCTION_FAILED for the C_VerifyRecover() function when using NSS to create a self-signed certificate (NSS tries to import the public key into a session object using C_ObjectCreate())
Signed-off-by: Klaus Heinrich Kiwi <[email protected]>
---
 usr/lib/pkcs11/common/h_extern.h | 3 ++-
 usr/lib/pkcs11/common/key.c | 11 +++++++++--
 usr/lib/pkcs11/common/object.c | 9 +++++----
 usr/lib/pkcs11/common/template.c | 5 ++++-
 4 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/usr/lib/pkcs11/common/h_extern.h b/usr/lib/pkcs11/common/h_extern.h
index abb66ec..be2a275 100755
--- a/usr/lib/pkcs11/common/h_extern.h
+++ b/usr/lib/pkcs11/common/h_extern.h
@@ -2006,6 +2006,7 @@ CK_RV template_add_attributes( TEMPLATE * tmpl,
 CK_ULONG ulCount );
 CK_RV template_add_default_attributes( TEMPLATE * tmpl,
+ TEMPLATE * basetmpl,
 CK_ULONG class,
 CK_ULONG subclass,
 CK_ULONG mode );
@@ -2126,7 +2127,7 @@ CK_RV secret_key_validate_attribute ( TEMPLATE *tmpl, CK_ATTRIBUTE *at
 //
 CK_RV rsa_publ_check_required_attributes( TEMPLATE *tmpl, CK_ULONG mode );
 CK_RV rsa_publ_validate_attribute( TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode );
-CK_RV rsa_publ_set_default_attributes( TEMPLATE *tmpl, CK_ULONG mode );
+CK_RV rsa_publ_set_default_attributes( TEMPLATE *tmpl, TEMPLATE *basetmpl, CK_ULONG mode );
 CK_BBOOL rsa_priv_check_exportability( CK_ATTRIBUTE_TYPE type );
 CK_RV rsa_priv_check_required_attributes( TEMPLATE *tmpl, CK_ULONG mode );
 CK_RV rsa_priv_set_default_attributes( TEMPLATE *tmpl, CK_ULONG mode );
diff --git a/usr/lib/pkcs11/common/key.c b/usr/lib/pkcs11/common/key.c
index dffb792..6da170c 100755
--- a/usr/lib/pkcs11/common/key.c
+++ b/usr/lib/pkcs11/common/key.c
@@ -1350,12 +1350,13 @@ rsa_publ_check_required_attributes( TEMPLATE *tmpl, CK_ULONG mode )
 // rsa_publ_set_default_attributes()
 //
 CK_RV
-rsa_publ_set_default_attributes( TEMPLATE *tmpl, CK_ULONG mode )
+rsa_publ_set_default_attributes( TEMPLATE *tmpl, TEMPLATE *basetmpl, CK_ULONG mode )
 {
 CK_ATTRIBUTE *type_attr = NULL;
 CK_ATTRIBUTE *modulus_attr = NULL;
 CK_ATTRIBUTE *modulus_bits_attr = NULL;
 CK_ATTRIBUTE *public_exp_attr = NULL;
+ CK_ATTRIBUTE *tmpattr = NULL;
 CK_ULONG bits = 0L;
 publ_key_set_default_attributes( tmpl, mode );
@@ -1387,7 +1388,13 @@ rsa_publ_set_default_attributes( TEMPLATE *tmpl, CK_ULONG mode )
 modulus_bits_attr->type = CKA_MODULUS_BITS;
 modulus_bits_attr->ulValueLen = sizeof(CK_ULONG);
 modulus_bits_attr->pValue = (CK_BYTE *)modulus_bits_attr + sizeof(CK_ATTRIBUTE);
- *(CK_ULONG *)modulus_bits_attr->pValue = bits;
+
+ if (template_attribute_find( basetmpl, CKA_MODULUS, &tmpattr)) {
+ *(CK_ULONG *)modulus_bits_attr->pValue = 8 * tmpattr->ulValueLen;
+ }
+ else {
+ *(CK_ULONG *)modulus_bits_attr->pValue = bits;
+ }
 public_exp_attr->type = CKA_PUBLIC_EXPONENT;
 public_exp_attr->ulValueLen = 0;
diff --git a/usr/lib/pkcs11/common/object.c b/usr/lib/pkcs11/common/object.c
index c73f22b..a14ad6c 100755
--- a/usr/lib/pkcs11/common/object.c
+++ b/usr/lib/pkcs11/common/object.c
@@ -993,10 +993,6 @@ object_create_skel( CK_ATTRIBUTE * pTemplate,
 memset( tmpl2, 0x0, sizeof(TEMPLATE) );
- rc = template_add_default_attributes( tmpl, class, subclass, mode );
- if (rc != CKR_OK)
- goto done;
-
 rc = template_add_attributes( tmpl2, pTemplate, ulCount );
 if (rc != CKR_OK)
 goto done;
@@ -1022,6 +1018,11 @@ object_create_skel( CK_ATTRIBUTE * pTemplate,
 goto done;
 }
+ rc = template_add_default_attributes( tmpl, tmpl2, class, subclass, mode );
+ if (rc != CKR_OK)
+ goto done;
+
+
 rc = template_merge( tmpl, &tmpl2 );
 if (rc != CKR_OK){
 st_err_log(165, __FILE__, __LINE__);
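Review bot: In the added `if` branch of the second key.c hunk, `8 * tmpattr->ulValueLen` counts bytes rather than significant bits, so a CKA_MODULUS supplied with a leading zero byte, or with the high bits of its first byte clear, is recorded with a CKA_MODULUS_BITS larger than the real modulus length. The modulus comes from the caller's template, so any later check that compares CKA_MODULUS_BITS against a size limit would presumably see a bigger key than the one imported. Counting from the first non-zero byte, as sketched below, avoids that. `basetmpl` is also passed to `template_attribute_find()` without a NULL check, and whether that helper tolerates NULL is not visible here. The body of rsa_publ_set_default_attributes() starts and ends outside this hunk.

```c
   if (template_attribute_find( basetmpl, CKA_MODULUS, &tmpattr)) {
      CK_BYTE  *mod   = (CK_BYTE *)tmpattr->pValue;
      CK_ULONG  len   = tmpattr->ulValueLen;
      CK_ULONG  nbits = 0;

      // skip leading zero bytes so padding is not counted as key length
      while (mod != NULL && len > 0 && *mod == 0) {
         mod++;
         len--;
      }
      if (mod != NULL && len > 0) {
         CK_BYTE top = *mod;

         nbits = 8 * (len - 1);
         // add only the significant bits of the first non-zero byte
         while (top != 0) {
            nbits++;
            top >>= 1;
         }
      }
      *(CK_ULONG *)modulus_bits_attr->pValue = nbits;
   }
   // … unchanged: else branch storing 'bits' …
```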
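Review bot: The relocated `template_add_default_attributes( tmpl, tmpl2, class, subclass, mode )` call in the second object.c hunk leaves through a bare `goto done`, while the `template_merge` failure directly below it records an `st_err_log(...)` entry first. Logging this failure the same way would make a rejected default-attribute step traceable, which matters more now that the step reads caller-supplied data from `tmpl2`. The hunk also adds two consecutive blank lines before `rc = template_merge(...)` where one would do. object_create_skel() starts and ends outside this hunk.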
diff --git a/usr/lib/pkcs11/common/template.c b/usr/lib/pkcs11/common/template.c
index 42d7554..1ae8189 100755
--- a/usr/lib/pkcs11/common/template.c
+++ b/usr/lib/pkcs11/common/template.c
@@ -369,9 +369,12 @@ template_add_attributes( TEMPLATE * tmpl,
 // template_add_default_attributes()
+// Add default attributes to '*tmpl'.
+// '*basetmpl' may be used to derive values to the default attributes
 //
 CK_RV
 template_add_default_attributes( TEMPLATE * tmpl,
+ TEMPLATE * basetmpl,
 CK_ULONG class,
 CK_ULONG subclass,
 CK_ULONG mode )
@@ -401,7 +404,7 @@ template_add_default_attributes( TEMPLATE * tmpl,
 switch (subclass) {
 case CKK_RSA:
- return rsa_publ_set_default_attributes( tmpl, mode );
+ return rsa_publ_set_default_attributes( tmpl, basetmpl, mode );
 case CKK_DSA:
 return dsa_publ_set_default_attributes( tmpl, mode );
-- 
1.7.2.3
------------------------------------------------------------------------------
The Next 800 Companies to Lead America's Growth: New Video Whitepaper David G. Thomson, author of the best-selling book "Blueprint to a Billion" shares his insights and actions to help propel your business during the next growth cycle. Listen Now! http://p.sf.net/sfu/SAP-dev2dev
_______________________________________________
Opencryptoki-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
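Review bot: The new header comment on template_add_default_attributes() in the first template.c hunk does not state the contract for `basetmpl`: whether it may be NULL, that it holds the caller-supplied attributes before they are merged, and that in the visible code only the `CKK_RSA` case forwards it. I would extend it to something like `// '*basetmpl' holds the caller-supplied attributes (read only, expected non-NULL -- confirm); only the CKK_RSA public-key path uses it, to derive CKA_MODULUS_BITS from CKA_MODULUS`. Spelling this out matters because the values read from it are caller-controlled. The function body continues outside both template.c hunks.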
