feat(pkcs11-tool): add new --undestroyable option to specify that a C…

…KO_CERTIFICATE is not destroyable
OpenSC · Nov 15, 2022 · 03a409c · 03a409c
1 parent 2ea0fe4
commit 03a409c
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 6 deletions.
diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml
@@ -78,17 +78,17 @@
  <listitem>
  <para>
  Specify hash algorithm used with RSA-PKCS-PSS signature or RSA-OAEP decryption.
- Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may 
+ Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may
  also allow "SHA224". Default is "SHA-1".
  </para>
- <para> 
+ <para>
  Note that the input to RSA-PKCS-PSS has to be of the size equal to
  the specified hash algorithm. E.g., for SHA256 the signature input must
  be exactly 32 bytes long (for mechanisms SHA256-RSA-PKCS-PSS there is no
  such restriction). For RSA-OAEP, the plaintext input size mLen must be
  at most keyLen - 2 - 2*hashLen. For example, for RSA 3072-bit key and
  SHA384, the longest plaintext to encrypt with RSA-OAEP is (with all
- sizes in bytes): 384 - 2 - 2*48 = 286, aka 286 bytes. 
+ sizes in bytes): 384 - 2 - 2*48 = 286, aka 286 bytes.
  </para>
  </listitem>
  </varlistentry>
@@ -355,6 +355,13 @@
  <listitem><para>Set the CKA_EXTRACTABLE attribute (object can be extracted)</para></listitem>
  </varlistentry>
 
+ <varlistentry>
+ <term>
+ <option>--undestroyable</option>
+ </term>
+ <listitem><para>Set the CKA_DESTROYABLE attribute to false (object cannot be destroyed)</para></listitem>
+ </varlistentry>
+
  <varlistentry>
  <term>
  <option>--set-id</option> <replaceable>id</replaceable>,
@@ -566,7 +573,7 @@
  </term>
  <listitem><para>Specify the type of object to operate on.
  Valid value are <literal>cert</literal>, <literal>privkey</literal>,
- <literal>pubkey</literal>, <literal>secrkey</literal> 
+ <literal>pubkey</literal>, <literal>secrkey</literal>
  and <literal>data</literal>.</para></listitem>
  </varlistentry>
 

diff --git a/doc/tools/tools.html b/doc/tools/tools.html
@@ -1557,6 +1557,8 @@
  </span></dt><dd><p>Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext).</p></dd><dt><span class="term">
  <code class="option">--extractable</code>
  </span></dt><dd><p>Set the CKA_EXTRACTABLE attribute (object can be extracted)</p></dd><dt><span class="term">
+ <code class="option">--undestroyable</code>
+ </span></dt><dd><p>Set the CKA_DESTROYABLE attribute to false (object cannot be destroyed)</p></dd><dt><span class="term">
  <code class="option">--set-id</code> <em class="replaceable"><code>id</code></em>,
  <code class="option">-e</code> <em class="replaceable"><code>id</code></em>
  </span></dt><dd><p>Set the CKA_ID of the object.</p></dd><dt><span class="term">

diff --git a/src/pkcs11/pkcs11.h b/src/pkcs11/pkcs11.h
@@ -450,6 +450,7 @@ typedef unsigned long ck_attribute_type_t;
 #define CKA_ALWAYS_SENSITIVE (0x165UL)
 #define CKA_KEY_GEN_MECHANISM (0x166UL)
 #define CKA_MODIFIABLE (0x170UL)
+#define CKA_DESTROYABLE (0x172UL)
 #define CKA_ECDSA_PARAMS (0x180UL)
 #define CKA_EC_PARAMS (0x180UL)
 #define CKA_EC_POINT (0x181UL)

diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
@@ -167,6 +167,7 @@ enum {
  OPT_PRIVATE,
  OPT_SENSITIVE,
  OPT_EXTRACTABLE,
+ OPT_UNDESTROYABLE,
  OPT_TEST_HOTPLUG,
  OPT_UNLOCK_PIN,
  OPT_PUK,
@@ -272,6 +273,7 @@ static const struct option options[] = {
  { "private", 0, NULL, OPT_PRIVATE },
  { "sensitive", 0, NULL, OPT_SENSITIVE },
  { "extractable", 0, NULL, OPT_EXTRACTABLE },
+ { "undestroyable", 0, NULL, OPT_UNDESTROYABLE },
  { "always-auth", 0, NULL, OPT_ALWAYS_AUTH },
  { "test-ec", 0, NULL, OPT_TEST_EC },
 #ifndef _WIN32
@@ -359,6 +361,7 @@ static const char *option_help[] = {
  "Set the CKA_PRIVATE attribute (object is only viewable after a login)",
  "Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext)",
  "Set the CKA_EXTRACTABLE attribute (object can be extracted)",
+ "Set the CKA_DESTROYABLE attribute to false (object cannot be destroyed)",
  "Set the CKA_ALWAYS_AUTHENTICATE attribute to a key object (require PIN verification for each use)",
  "Test EC (best used with the --login or --pin option)",
 #ifndef _WIN32
@@ -413,6 +416,7 @@ static size_t opt_allowed_mechanisms_len = 0;
 static int opt_is_private = 0;
 static int opt_is_sensitive = 0;
 static int opt_is_extractable = 0;
+static int opt_is_destroyable = 1;
 static int opt_test_hotplug = 0;
 static int opt_login_type = -1;
 static int opt_key_usage_sign = 0;
@@ -1043,6 +1047,9 @@ int main(int argc, char * argv[])
  case OPT_EXTRACTABLE:
  opt_is_extractable = 1;
  break;
+ case OPT_UNDESTROYABLE:
+ opt_is_destroyable = 0;
+ break;
  case OPT_TEST_HOTPLUG:
  opt_test_hotplug = 1;
  action_count++;
@@ -4005,6 +4012,10 @@ static int write_object(CK_SESSION_HANDLE session)
  FILL_ATTR(cert_templ[n_cert_attr], CKA_ID, opt_object_id, opt_object_id_len);
  n_cert_attr++;
  }
+ if (opt_is_destroyable == 0) {
+ FILL_ATTR(cert_templ[n_cert_attr], CKA_DESTROYABLE, &_false, sizeof(_false));
+ n_cert_attr++;
+ }
 #ifdef ENABLE_OPENSSL
  /* according to PKCS #11 CKA_SUBJECT MUST be specified */
  FILL_ATTR(cert_templ[n_cert_attr], CKA_SUBJECT, cert.subject, cert.subject_len);
@@ -6082,7 +6093,7 @@ static EVP_PKEY *get_public_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE priv
  return NULL;
  }
  OSSL_PARAM_BLD_free(bld);
- 
+
  if (!(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) ||
  EVP_PKEY_fromdata_init(ctx) != 1 ||
  EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) != 1) {
@@ -8154,7 +8165,7 @@ static struct mech_info p11_mgf[] = {
  { CKG_MGF1_SHA3_256, "MGF1-SHA3_256", NULL, MF_MGF },
  { CKG_MGF1_SHA3_384, "MGF1-SHA3_384", NULL, MF_MGF },
  { CKG_MGF1_SHA3_512, "MGF1-SHA3_512", NULL, MF_MGF },
- 
+
  { 0, NULL, NULL, MF_UNKNOWN }
 };