On Wed, Nov 10, 2010 at 03:09:03PM -0200, Klaus Heinrich Kiwi wrote: > OpenCryptoki is not correctly derivating CKA_MODULUS_BITS when > creating an object with C_ObjectCreate(). This value must be > derivated from CKA_MODULUS which is a required attribute for > C_ObjectCreate() when dealing with RSA Public Keys. > > The most obvios symptom is a CKR_FUNCTION_FAILED for the > C_VerifyRecover() function when using NSS to create a > self-signed certificate (NSS tries to import the public > key into a session object using C_ObjectCreate())
Looks good to me, Klaus. template_attribute_find will correctly return 0 when the base template passed in is NULL, so that should be safe. I noticed that the rsa_keygen test tries that validate that CKR_FUNCTION_FAILED is returned when an even RSA public exponent is passed in. That test now fails, did that check change recently? Attached is an updated rsa_keygen.c that tests the stuff in this patch. Acked-by: Kent Yoder <[email protected]> > > Signed-off-by: Klaus Heinrich Kiwi <[email protected]> > --- > usr/lib/pkcs11/common/h_extern.h | 3 ++- > usr/lib/pkcs11/common/key.c | 11 +++++++++-- > usr/lib/pkcs11/common/object.c | 9 +++++---- > usr/lib/pkcs11/common/template.c | 5 ++++- > 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/testcases/rsa_keygen/rsa_keygen.c b/testcases/rsa_keygen/rsa_keygen.c index 8f0465b..985cefa 100755 --- a/testcases/rsa_keygen/rsa_keygen.c +++ b/testcases/rsa_keygen/rsa_keygen.c @@ -102,6 +102,66 @@ do_GenerateRSAKeyPair(CK_ULONG bits) } + // try creating a key using C_CreateObject and specifying + // CKA_MODULUS_BITS, which must NOT be specified according + // to table 15 + { + CK_BYTE pub_exp[] = { 0x1, 0x0, 0x1 }; + CK_BYTE *modulus = malloc(bits/8); + CK_KEY_TYPE keyType = CKK_RSA; + CK_ULONG keyClass = CKO_PUBLIC_KEY, attr_bits; + + CK_ATTRIBUTE pub_tmpl[] = + { + {CKA_CLASS, &keyClass, sizeof(keyClass)}, + {CKA_KEY_TYPE, &keyType, sizeof(keyType)}, + {CKA_PUBLIC_EXPONENT, &pub_exp, sizeof(pub_exp) }, + {CKA_MODULUS, modulus, bits/8 }, + {CKA_MODULUS_BITS, &bits, sizeof(bits) } + }; + CK_ATTRIBUTE mod_bits_tmpl[] = + { + {CKA_MODULUS_BITS, &attr_bits, sizeof(attr_bits) } + }; + + if (!modulus) { + testcase_error("malloc of %lu bytes failed", bits/8); + return -1; + } + + rc = funcs->C_CreateObject(session, pub_tmpl, 5, &publ_key); + if (rc != CKR_ATTRIBUTE_READ_ONLY && rc != CKR_TEMPLATE_INCONSISTENT) { + free(modulus); + show_error(" C_CreateObject", rc ); + return rc; + } + + // Create the object correctly, without CKA_MODULUS_BITS + rc = funcs->C_CreateObject(session, pub_tmpl, 4, &publ_key); + if (rc != CKR_OK) { + free(modulus); + show_error(" C_CreateObject", rc ); + return rc; + } + + // Check that PKCS#11 added the CKA_MODULUS_BITS attribute + rc = funcs->C_GetAttributeValue(session, publ_key, mod_bits_tmpl, 1); + if (rc != CKR_OK) { + free(modulus); + show_error(" C_CreateObject", rc ); + return rc; + } + + if (bits != attr_bits) { + free(modulus); + testcase_fail("modulus bits(%lu) != requested size of " + "modulus(%lu) in created object", attr_bits, bits); + return -1; + } + + free(modulus); + } + // Use an invalid pub exp { CK_BYTE pub_exp[] = { 0x1, 0x0, 0x2 }; @@ -120,7 +180,6 @@ do_GenerateRSAKeyPair(CK_ULONG bits) show_error(" C_GenerateKeyPair #3", rc ); return rc; } - } // Use no pub exp @@ -141,6 +200,25 @@ do_GenerateRSAKeyPair(CK_ULONG bits) } + // Leave out required attribute CKA_MODULUS_BITS + { + CK_BYTE pub_exp[] = { 0x1, 0x0, 0x1 }; + + CK_ATTRIBUTE pub_tmpl[] = + { + {CKA_PUBLIC_EXPONENT, &pub_exp, sizeof(pub_exp) } + }; + + rc = funcs->C_GenerateKeyPair( session, &mech, + pub_tmpl, 1, + NULL, 0, + &publ_key, &priv_key ); + if (rc != CKR_TEMPLATE_INCOMPLETE) { + show_error(" C_GenerateKeyPair #3", rc ); + return rc; + } + + } rc = funcs->C_CloseSession( session ); if (rc != CKR_OK) { show_error(" C_CloseSession #3", rc ); ------------------------------------------------------------------------------ Centralized Desktop Delivery: Dell and VMware Reference Architecture Simplifying enterprise desktop deployment and management using Dell EqualLogic storage and VMware View: A highly scalable, end-to-end client virtualization framework. Read more! http://p.sf.net/sfu/dell-eql-dev2dev _______________________________________________ Opencryptoki-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
