Skip to content

Instantly share code, notes, and snippets.

@randomoracle
Last active February 21, 2020 19:03
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save randomoracle/94ed089df62fd7a432d262b864e7be12 to your computer and use it in GitHub Desktop.
Tweaks to Intel SGX crypto-toolkit for compatibility with OpenSC
diff --git a/src/p11/enclave_config/p11Enclave.edl b/src/p11/enclave_config/p11Enclave.edl
index b27c808..a41d41e 100644
--- a/src/p11/enclave_config/p11Enclave.edl
+++ b/src/p11/enclave_config/p11Enclave.edl
@@ -301,6 +301,11 @@ enclave {
[user_check] uint8_t* destBuffer,
uint32_t destBufferLen,
[user_check] uint32_t* destBufferWritten);
+
+ public SgxStatus exportEcPoint(uint32_t keyId,
+ [user_check] uint8_t* destBuffer,
+ uint32_t destBufferLen,
+ [user_check] uint32_t* destBufferWritten);
};
untrusted
diff --git a/src/p11/include/CryptoEnclaveDefs.h b/src/p11/include/CryptoEnclaveDefs.h
index f8410fd..5e26e9b 100644
--- a/src/p11/include/CryptoEnclaveDefs.h
+++ b/src/p11/include/CryptoEnclaveDefs.h
@@ -61,7 +61,8 @@ static const uint8_t maxPinLength = 255;
static const uint8_t maxSessionsSupported = 100;
static const uint8_t maxRwSessionsSupported = 100;
static const uint8_t tokenObjectFileNameLength = 255;
-static const uint8_t maxEcParamsLen = 10;
+// EXPERIMENT(cemp): Generalize curv support
+static const uint8_t maxEcParamsLen = 32;
static const uint8_t ed25519KeyLength = 32;
static const uint16_t minEcKeyLen = 256;
static const uint16_t maxEcKeyLen = 384;
diff --git a/src/p11/trusted/AsymmetricCrypto.cpp b/src/p11/trusted/AsymmetricCrypto.cpp
index 958306b..12a1b53 100644
--- a/src/p11/trusted/AsymmetricCrypto.cpp
+++ b/src/p11/trusted/AsymmetricCrypto.cpp
@@ -2848,26 +2848,33 @@ namespace CryptoSgx
int curveNid = OBJ_obj2nid(d2i_ASN1_OBJECT(nullptr, &oidPtr, tempCurveOid.size()));
switch(curveNid)
{
- case NID_X9_62_prime256v1:
- case NID_secp384r1:
- status = generateEcKey(publicKeyId, privateKeyId,
+ case EVP_PKEY_ED25519:
+ status = generateEdKey(publicKeyId, privateKeyId,
curveOid, curveOidLen,
attributeBufferPublic, attributeBufferPublicLen,
attributeBufferPrivate, attributeBufferPrivateLen,
pinMaterial);
break;
- case EVP_PKEY_ED25519:
- status = generateEdKey(publicKeyId, privateKeyId,
+
+ // Experiment: allow all supported OpenSSL curves.
+ /*
+ case NID_X9_62_prime256v1:
+ case NID_secp384r1:
+ */
+ default:
+ status = generateEcKey(publicKeyId, privateKeyId,
curveOid, curveOidLen,
attributeBufferPublic, attributeBufferPublicLen,
attributeBufferPrivate, attributeBufferPrivateLen,
pinMaterial);
break;
+ /*
default:
status = static_cast<SgxStatus>(SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER);
break;
+ */
}
return status;
@@ -2908,11 +2915,15 @@ namespace CryptoSgx
const unsigned char* ptr = reinterpret_cast<const unsigned char*>(tempCurveOid.data());
int curveNid = OBJ_obj2nid(d2i_ASN1_OBJECT(nullptr, &ptr, tempCurveOid.size()));
+
+ // EXPERIMENT(cemp): Support all OpenSSL curves.
+ /*
if ((NID_X9_62_prime256v1 != curveNid) && (NID_secp384r1 != curveNid))
{
status = SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER;
break;
}
+ */
EC_KEY* ecKey = EC_KEY_new();
if (!ecKey)
@@ -3292,6 +3303,49 @@ namespace CryptoSgx
return static_cast<SgxStatus>(status);
}
+ //---------------------------------------------------------------------------------------------
+ SgxStatus AsymmetricCrypto::getEcPoint(const uint32_t& keyId,
+ uint8_t* destBuffer,
+ const uint32_t& destBufferLen,
+ uint32_t* destBufferWritten) {
+ SgxCryptStatus status = SgxCryptStatus::SGX_CRYPT_STATUS_UNSUCCESSFUL;
+
+ if (!destBufferWritten)
+ return (SgxStatus) SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER;
+
+ AsymmetricKey asymKey;
+
+ if (! getAsymmetricKey(keyId, &asymKey, OperationType::Public))
+ return (SgxStatus) SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_KEY_HANDLE;
+
+ if (! asymKey.ecKey)
+ return (SgxStatus) SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_KEY_HANDLE;
+
+ // Extract private key
+ const EC_GROUP* ecGroup = EC_KEY_get0_group(asymKey.ecKey);
+ if (ecGroup == nullptr)
+ return (SgxStatus) SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_KEY_HANDLE;
+
+ // Extract public key
+ std::vector<uint8_t> publicKey = getEcPublicKey(asymKey.ecKey, ecGroup);
+ if (publicKey.empty())
+ return (SgxStatus) SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_KEY_HANDLE;
+
+ *destBufferWritten = publicKey.size();
+
+ if (!destBuffer) {
+ status = SgxCryptStatus::SGX_CRYPT_STATUS_SUCCESS;
+ } else if (destBufferLen < *destBufferWritten) {
+ status = SgxCryptStatus::SGX_CRYPT_STATUS_BUFFER_TOO_SHORT;
+ } else {
+ // There is enough space available to write out public key.
+ memcpy(destBuffer, publicKey.data(), *destBufferWritten);
+ status = SgxCryptStatus::SGX_CRYPT_STATUS_SUCCESS;
+ }
+
+ return static_cast<SgxStatus>(status);
+ }
+
//---------------------------------------------------------------------------------------------
SgxStatus AsymmetricCrypto::setWrappingStatus(const uint32_t& keyId)
{
diff --git a/src/p11/trusted/AsymmetricCrypto.h b/src/p11/trusted/AsymmetricCrypto.h
index 6f32643..518e9e9 100644
--- a/src/p11/trusted/AsymmetricCrypto.h
+++ b/src/p11/trusted/AsymmetricCrypto.h
@@ -290,6 +290,11 @@ namespace CryptoSgx
const uint32_t& destBufferLen,
uint32_t* destBufferWritten);
+ SgxStatus getEcPoint(const uint32_t& keyId,
+ uint8_t* destBuffer,
+ const uint32_t& destBufferLen,
+ uint32_t* destBufferWritten);
+
SgxStatus setWrappingStatus(const uint32_t& keyId);
bool checkWrappingStatus(const uint32_t& keyId, const OperationType& type);
diff --git a/src/p11/trusted/p11Enclave.cpp b/src/p11/trusted/p11Enclave.cpp
index 7aeb120..0513155 100644
--- a/src/p11/trusted/p11Enclave.cpp
+++ b/src/p11/trusted/p11Enclave.cpp
@@ -2641,4 +2641,40 @@ SgxStatus exportEcParams(uint32_t keyId,
} while (false);
return status;
-}
\ No newline at end of file
+}
+
+SgxStatus exportEcPoint(uint32_t keyId,
+ uint8_t* destBuffer,
+ uint32_t destBufferLen,
+ uint32_t* destBufferWritten)
+{
+ SgxStatus status = static_cast<SgxStatus>(SgxCryptStatus::SGX_CRYPT_STATUS_UNSUCCESSFUL);
+ uint32_t ptrDataSize = sizeof(std::remove_pointer<decltype(destBufferWritten)>::type);
+ bool result = false;
+
+ if (!keyId || !destBufferWritten) {
+ status = static_cast<SgxStatus>(SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER);
+ } else if (destBuffer && !checkUserCheckPointer(destBuffer, destBufferLen)) {
+ status = static_cast<SgxStatus>(SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER);
+ } else {
+
+ result = checkUserCheckPointer(reinterpret_cast<uint8_t*>(destBufferWritten), ptrDataSize);
+ if (!result) {
+ status = static_cast<SgxStatus>(SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_PARAMETER);
+ } else {
+
+#ifdef _WIN32
+ _mm_lfence();
+#else
+ __builtin_ia32_lfence();
+#endif
+
+ status = asymmetricCrypto.getEcPoint(keyId,
+ destBuffer,
+ destBufferLen,
+ destBufferWritten);
+ }
+ }
+
+ return status;
+}
diff --git a/src/p11/untrusted/AsymmetricProvider.cpp b/src/p11/untrusted/AsymmetricProvider.cpp
index 0a942a8..e52cf4c 100644
--- a/src/p11/untrusted/AsymmetricProvider.cpp
+++ b/src/p11/untrusted/AsymmetricProvider.cpp
@@ -105,6 +105,7 @@ namespace P11Crypto
uint32_t privateKeyHandle = 0;
EnclaveHelpers enclaveHelpers;
+
do
{
if (!phPublicKey || !phPrivateKey)
@@ -113,6 +114,9 @@ namespace P11Crypto
break;
}
+ fprintf(stdout, "Calling SGX enclave for ECC key generation with %lu byte curve OID...\n",
+ asymKeyParams.curveOid.size());
+
sgxStatus = generateEccKeyPair(enclaveHelpers.getSgxEnclaveId(),
reinterpret_cast<int32_t*>(&enclaveStatus),
&publicKeyHandle,
diff --git a/src/p11/untrusted/AttributeUtils.cpp b/src/p11/untrusted/AttributeUtils.cpp
index 191f40f..f8a2e17 100644
--- a/src/p11/untrusted/AttributeUtils.cpp
+++ b/src/p11/untrusted/AttributeUtils.cpp
@@ -154,6 +154,8 @@ namespace Utils
{
asymKeyParams->curveOid = strAttrIter->second;
asymKeyParams->keyGenMechanism = KeyGenerationMechanism::ecGeneratePublicKey;
+ fprintf(stdout, "Found CKA_EC_PARAMS attribute of length %lu\n",
+ asymKeyParams->curveOid.size());
}
return CKR_OK;
@@ -401,7 +403,8 @@ namespace Utils
switch(keyGenMechanism)
{
case KeyGenerationMechanism::rsaGeneratePublicKey:
- result = (CKO_PUBLIC_KEY == attrValStruct.objectClass &&
+ fprintf(stderr, "Switch branch KeyGenerationMechanism::rsaGeneratePublicKey...\n");
+ result = (CKO_PUBLIC_KEY == attrValStruct.objectClass &&
CKK_RSA == attrValStruct.keyType &&
modulusBits &&
!keyBuffer &&
@@ -409,6 +412,8 @@ namespace Utils
break;
case KeyGenerationMechanism::rsaGeneratePrivateKey:
+ fprintf(stderr, "Switch branch KeyGenerationMechanism::rsaGeneratePrivateKey...\n");
+
result = (CKO_PRIVATE_KEY == attrValStruct.objectClass &&
CKK_RSA == attrValStruct.keyType &&
!modulusBits &&
@@ -417,6 +422,7 @@ namespace Utils
break;
case KeyGenerationMechanism::rsaImportPublicKey:
+ fprintf(stderr, "Switch branch KeyGenerationMechanism::rsaImportPublicKey...\n");
result = (CKO_PUBLIC_KEY == attrValStruct.objectClass &&
CKK_RSA == attrValStruct.keyType &&
!modulusBits &&
@@ -429,6 +435,8 @@ namespace Utils
break;
}
+ fprintf(stderr, "Result of %s: %d\n", __FUNCTION__, result);
+
return result;
}
@@ -440,13 +448,17 @@ namespace Utils
switch(keyGenMechanism)
{
// For all keys generated on the token, CKA_LOCAL attribute should set to CK_TRUE.
+ case KeyGenerationMechanism::rsaGeneratePrivateKey:
+ boolAttributes->set(p11AttributeToBoolAttribute[CKA_DECRYPT]);
+ // Deliberate fall-through...
+ case KeyGenerationMechanism::ecGeneratePrivateKey:
+ case KeyGenerationMechanism::edGeneratePrivateKey:
+ boolAttributes->set(p11AttributeToBoolAttribute[CKA_SIGN]);
+ // Deliberate fall-through...
case KeyGenerationMechanism::aesGenerateKey:
case KeyGenerationMechanism::rsaGeneratePublicKey:
- case KeyGenerationMechanism::rsaGeneratePrivateKey:
case KeyGenerationMechanism::ecGeneratePublicKey:
- case KeyGenerationMechanism::ecGeneratePrivateKey:
case KeyGenerationMechanism::edGeneratePublicKey:
- case KeyGenerationMechanism::edGeneratePrivateKey:
boolAttributes->set(p11AttributeToBoolAttribute[CKA_LOCAL]);
break;
default:
@@ -469,6 +481,8 @@ namespace Utils
if (attributeBitset.test(BoolAttribute::SIGN)||
attributeBitset.test(BoolAttribute::VERIFY))
{
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n",
+ __FUNCTION__, __LINE__);
rv = CKR_TEMPLATE_INCONSISTENT;
}
break;
@@ -477,6 +491,8 @@ namespace Utils
attributeBitset.test(BoolAttribute::SIGN) ||
attributeBitset.test(BoolAttribute::UNWRAP))
{
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n",
+ __FUNCTION__, __LINE__);
rv = CKR_TEMPLATE_INCONSISTENT;
}
break;
@@ -485,6 +501,8 @@ namespace Utils
attributeBitset.test(BoolAttribute::VERIFY) ||
attributeBitset.test(BoolAttribute::WRAP))
{
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n",
+ __FUNCTION__, __LINE__);
rv = CKR_TEMPLATE_INCONSISTENT;
}
break;
@@ -616,6 +634,7 @@ namespace Utils
break;
default:
+ fprintf(stderr, "Unrecognized attribute in function %s\n", __FUNCTION__);
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
@@ -682,7 +701,11 @@ namespace Utils
break;
default:
- rv = CKR_ATTRIBUTE_TYPE_INVALID;
+ fprintf(stdout, "Unrecognized attribute %lu in function %s\n",
+ attributeType, __FUNCTION__);
+ // EXPERIMENT(cemp): Ignore unrecognized attributes.
+ // rv = CKR_ATTRIBUTE_TYPE_INVALID;
+ rv = CKR_OK;
break;
}
@@ -765,7 +788,10 @@ namespace Utils
}
else
{
- rv = CKR_ATTRIBUTE_TYPE_INVALID;
+ fprintf(stderr, "Unrecognized attribute type %lu in function %s\n",
+ attributeType, __FUNCTION__);
+ // EXPERIMENT(cemp): Ignore unrecognized attributes.
+ // rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
}
@@ -781,8 +807,20 @@ namespace Utils
}
// Compulsory attributes to be set.
- if (!keyTypePresent || !objectClassPresent)
+ if (!keyTypePresent) {
+ // Or set to CKK_EC for generating elliptic-curve keypairs...
+ keyType = CKK_RSA;
+ keyTypePresent = true;
+ extractUlongAttributes(CKA_KEY_TYPE,
+ & keyType, sizeof(keyType),
+ &modulusLength, &keyLength,
+ &objectClass, &keyType,
+ &objectClassPresent, &keyTypePresent,
+ attrValStruct, ulongAttributes);
+ }
+ else if (!objectClassPresent)
{
+ fprintf(stderr, "Incomplete template in function %s\n", __FUNCTION__);
rv = CKR_TEMPLATE_INCOMPLETE;
break;
}
@@ -901,6 +939,8 @@ namespace Utils
attributes->ulongAttributes.insert(UlongAttributeType(attributeType, attributeValue));
break;
default:
+ fprintf(stderr, "Unrecognized attribute type %lu in function %s\n",
+ attributeType, __FUNCTION__);
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
@@ -934,7 +974,9 @@ namespace Utils
attributes->strAttributes.insert(StringAttributeType(attributeType, label));
break;
default:
- rv = CKR_ATTRIBUTE_TYPE_INVALID;
+ // Ignore unknown attributes.
+ // rv = CKR_ATTRIBUTE_TYPE_INVALID;
+ fprintf(stderr, "Unrecognized attribute: %lu\n", attributeType);
break;
}
@@ -945,6 +987,8 @@ namespace Utils
}
else
{
+ fprintf(stderr, "Unrecognized attribute category for %lu-- neither boolean, long or string.\n",
+ attributeType);
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
@@ -994,6 +1038,7 @@ namespace Utils
}
else // Only one of public and private keys have CKA_ID.
{
+ fprintf(stderr, "Only one of public/private key has CKA_ID.\n");
return false;
}
}
@@ -1365,9 +1410,13 @@ namespace Utils
sizeRequest,
&attributeValue,
&attributeSize);
- }
- else
- {
+ } else if (CKA_EC_POINT == attributeType) {
+ rv = Utils::EnclaveUtils::getEcPoint(keyHandle,
+ attributeType,
+ sizeRequest,
+ &attributeValue,
+ &attributeSize);
+ } else {
auto attributeAttrIt = getStrAttrIterator(objectParams.strAttributes, attributeType);
if (objectParams.strAttributes.end() == attributeAttrIt)
{
@@ -1466,6 +1515,8 @@ namespace Utils
if (CKA_LOCAL == attributeType && // Can't change CKA_LOCAL attribute.
(objectParams->boolAttributes[BoolAttribute::LOCAL] != boolValue))
{
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n",
+ __FUNCTION__, __LINE__);
rv = CKR_TEMPLATE_INCONSISTENT;
break;
}
@@ -1473,6 +1524,8 @@ namespace Utils
if (CKA_MODIFIABLE == attributeType && // Can't change CKA_MODIFIABLE attribute.
(objectParams->boolAttributes[BoolAttribute::MODIFIABLE] != boolValue))
{
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n",
+ __FUNCTION__, __LINE__);
rv = CKR_TEMPLATE_INCONSISTENT;
break;
}
@@ -1482,6 +1535,8 @@ namespace Utils
(CKA_TOKEN == attributeType && // Can't change CKA_TOKEN attribute.
(objectParams->boolAttributes[BoolAttribute::TOKEN] != boolValue)))
{
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n",
+ __FUNCTION__, __LINE__);
rv = CKR_TEMPLATE_INCONSISTENT;
break;
}
@@ -1539,6 +1594,8 @@ namespace Utils
}
else
{
+ fprintf(stderr, "Unrecognized attribute type %lu in function %s\n",
+ attributeType, __FUNCTION__);
rv = CKR_ATTRIBUTE_TYPE_INVALID;
break;
}
diff --git a/src/p11/untrusted/AttributeUtils.h b/src/p11/untrusted/AttributeUtils.h
index bf15460..483c170 100644
--- a/src/p11/untrusted/AttributeUtils.h
+++ b/src/p11/untrusted/AttributeUtils.h
@@ -94,6 +94,7 @@ namespace Utils
CKA_VALUE_KEY_BUFFER, \
CKA_MODULUS, \
CKA_PUBLIC_EXPONENT, \
+ CKA_EC_POINT, \
CKA_EC_PARAMS \
};
static AttributeTypeSet supportedboolAttr {
diff --git a/src/p11/untrusted/EnclaveUtils.cpp b/src/p11/untrusted/EnclaveUtils.cpp
index d59de66..1eee4b5 100644
--- a/src/p11/untrusted/EnclaveUtils.cpp
+++ b/src/p11/untrusted/EnclaveUtils.cpp
@@ -353,6 +353,58 @@ namespace Utils
return rv;
}
+ //---------------------------------------------------------------------------------------------
+ CK_RV getEcPoint(const CK_OBJECT_HANDLE& keyHandle,
+ const CK_ATTRIBUTE_TYPE& attributeType,
+ const bool& sizeRequest,
+ std::string* attributeValue,
+ uint32_t* attributeSize) {
+ if (!attributeValue || !attributeSize)
+ return CKR_ARGUMENTS_BAD;
+
+ if (CKA_EC_POINT != attributeType)
+ return CKR_ATTRIBUTE_TYPE_INVALID;
+
+ CK_RV rv = CKR_FUNCTION_FAILED;
+ sgx_status_t sgxStatus = sgx_status_t::SGX_ERROR_UNEXPECTED;
+ SgxCryptStatus enclaveStatus = SgxCryptStatus::SGX_CRYPT_STATUS_INVALID_KEY_HANDLE;
+ uint32_t destBufferLenRequired = 0;
+ P11Crypto::EnclaveHelpers enclaveHelpers;
+
+ sgxStatus = exportEcPoint(enclaveHelpers.getSgxEnclaveId(),
+ reinterpret_cast<int32_t*>(&enclaveStatus),
+ keyHandle,
+ nullptr,
+ 0,
+ & destBufferLenRequired);
+
+ rv = getPkcsStatus(sgxStatus, enclaveStatus);
+ if (CKR_OK != rv)
+ return rv;
+
+ *attributeSize = destBufferLenRequired;
+ if (sizeRequest)
+ return rv;
+
+ std::vector<uint8_t> destBuffer(destBufferLenRequired, 0x41);
+
+ sgxStatus = exportEcPoint(enclaveHelpers.getSgxEnclaveId(),
+ reinterpret_cast<int32_t*>(&enclaveStatus),
+ keyHandle,
+ destBuffer.data(),
+ destBuffer.size(),
+ & destBufferLenRequired);
+
+ rv = getPkcsStatus(sgxStatus, enclaveStatus);
+ if (CKR_OK != rv)
+ *attributeSize = 0;
+ else
+ (*attributeValue).assign(reinterpret_cast<const char*>(destBuffer.data()), destBufferLenRequired);
+
+ return rv;
+ }
+
+
//---------------------------------------------------------------------------------------------
CK_RV readTokenObject(const std::string& tokenObjectFilePath,
const CK_SLOT_ID& slotID,
diff --git a/src/p11/untrusted/EnclaveUtils.h b/src/p11/untrusted/EnclaveUtils.h
index a3cf112..6e12573 100644
--- a/src/p11/untrusted/EnclaveUtils.h
+++ b/src/p11/untrusted/EnclaveUtils.h
@@ -66,6 +66,12 @@ namespace Utils
std::string* attributeValue,
uint32_t* attributeSize);
+ CK_RV getEcPoint(const CK_OBJECT_HANDLE& keyHandle,
+ const CK_ATTRIBUTE_TYPE& attributeType,
+ const bool& sizeRequest,
+ std::string* attributeValue,
+ uint32_t* attributeSize);
+
CK_RV readTokenObject(const std::string& tokenObjectFilePath,
const CK_SLOT_ID& slotID,
uint64_t* attributeBuffer,
diff --git a/src/p11/untrusted/KeyManagement.cpp b/src/p11/untrusted/KeyManagement.cpp
index d7311fa..8c630fd 100644
--- a/src/p11/untrusted/KeyManagement.cpp
+++ b/src/p11/untrusted/KeyManagement.cpp
@@ -297,6 +297,7 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession,
if (KeyGenerationMechanism::invalid == asymKeyParams.keyGenMechanism)
{
+ fprintf(stderr, "Incomplete template in function %s\n", __FUNCTION__);
rv = CKR_TEMPLATE_INCOMPLETE;
break;
}
@@ -307,8 +308,9 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession,
!Utils::AttributeUtils::isSupportedAsymKeyLength(asymKeyParams.modulusLength) ||
!Utils::AttributeUtils::validateRsaKeyGenAttributes(asymKeyParams.keyGenMechanism, publicAttrValStruct)))
{
- rv = CKR_ATTRIBUTE_VALUE_INVALID;
- break;
+ fprintf(stderr, "Attribute value invalid in function %s @ line #%d\n", __FUNCTION__, __LINE__);
+ // rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ // break;
}
}
else if (ecKpGeneration || edKpGeneration)
@@ -322,6 +324,7 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession,
if (KeyGenerationMechanism::invalid == asymKeyParams.keyGenMechanism ||
asymKeyParams.curveOid.empty())
{
+ fprintf(stderr, "Incomplete template in function %s\n", __FUNCTION__);
rv = CKR_TEMPLATE_INCOMPLETE;
break;
}
@@ -335,6 +338,8 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession,
if (!validateEcKeyGenAttributes(asymKeyParams.keyGenMechanism, publicAttrValStruct, publicBoolAttributes))
{
+ fprintf(stderr, "Inconsistent template at %s @ line #%d\n",
+ __FUNCTION__, __LINE__);
rv = CKR_TEMPLATE_INCONSISTENT;
break;
}
@@ -361,6 +366,24 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession,
break;
}
+ // EXPERIMENT(cemp): OpenSC compatibility.
+ // CKA_ID only specified on one side.
+ auto public_ID = std::find_if(publicStrAttributes.cbegin(), publicStrAttributes.cend(), [](const StringAttributeType& p)
+ {
+ return (CKA_ID == p.first);
+ });
+
+ auto private_ID = std::find_if(privateStrAttributes.cbegin(), privateStrAttributes.cend(), [](const StringAttributeType& p)
+ {
+ return (CKA_ID == p.first);
+ });
+
+ if (public_ID != publicStrAttributes.end()) {
+ privateStrAttributes.insert(StringAttributeType(public_ID->first, public_ID->second));
+ } else if (private_ID != privateStrAttributes.end()) {
+ publicStrAttributes.insert(StringAttributeType(public_ID->first, public_ID->second));
+ }
+
if (!Utils::AttributeUtils::validateId(publicStrAttributes, privateStrAttributes))
{
rv = CKR_TEMPLATE_INCONSISTENT;
@@ -388,6 +411,7 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession,
if (!Utils::AttributeUtils::validateRsaKeyGenAttributes(asymKeyParams.keyGenMechanism, privateAttrValStruct))
{
+ fprintf(stderr, "Attribute value invalid in function %s @ line %d\n", __FUNCTION__, __LINE__);
rv = CKR_ATTRIBUTE_VALUE_INVALID;
break;
}
@@ -402,6 +426,7 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession,
if (!Utils::AttributeUtils::validateEcKeyGenAttributes(asymKeyParams.keyGenMechanism, privateAttrValStruct, privateBoolAttributes))
{
+ fprintf(stderr, "Attribute value invalid in function %s @ line %d\n", __FUNCTION__, __LINE__);
rv = CKR_ATTRIBUTE_VALUE_INVALID;
break;
}
@@ -416,6 +441,7 @@ CK_RV generateKeyPair(CK_SESSION_HANDLE hSession,
if (!Utils::AttributeUtils::validateEcKeyGenAttributes(asymKeyParams.keyGenMechanism, privateAttrValStruct, privateBoolAttributes))
{
+ fprintf(stderr, "Attribute value invalid in function %s @ line %d\n", __FUNCTION__, __LINE__);
rv = CKR_ATTRIBUTE_VALUE_INVALID;
break;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment