feat(pkcs11-tool): add new --undestroyable #2645

Merged
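--- a/doc/tools/pkcs11-tool.1.xml
+++ b/doc/tools/pkcs11-tool.1.xml
@@ -78,17 +78,17 @@
 <listitem>
 <para>
 Specify hash algorithm used with RSA-PKCS-PSS signature or RSA-OAEP decryption.
-Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may
+Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may
 also allow "SHA224". Default is "SHA-1".
 </para>
-<para>
+<para>
 Note that the input to RSA-PKCS-PSS has to be of the size equal to
 the specified hash algorithm. E.g., for SHA256 the signature input must
 be exactly 32 bytes long (for mechanisms SHA256-RSA-PKCS-PSS there is no
 such restriction). For RSA-OAEP, the plaintext input size mLen must be
 at most keyLen - 2 - 2*hashLen. For example, for RSA 3072-bit key and
 SHA384, the longest plaintext to encrypt with RSA-OAEP is (with all
-sizes in bytes): 384 - 2 - 2*48 = 286, aka 286 bytes.
+sizes in bytes): 384 - 2 - 2*48 = 286, aka 286 bytes.
 </para>
 </listitem>
 </varlistentry>
@@ -355,6 +355,13 @@
 <listitem><para>Set the CKA_EXTRACTABLE attribute (object can be extracted)</para></listitem>
 </varlistentry>
 
+<varlistentry>
+<term>
+<option>--undestroyable</option>
+</term>
+<listitem><para>Set the CKA_DESTROYABLE attribute to false (object cannot be destroyed)</para></listitem>
+</varlistentry>
+
 <varlistentry>
 <term>
 <option>--set-id</option> <replaceable>id</replaceable>,
@@ -566,7 +573,7 @@
 </term>
 <listitem><para>Specify the type of object to operate on.
 Valid value are <literal>cert</literal>, <literal>privkey</literal>,
-<literal>pubkey</literal>, <literal>secrkey</literal>
+<literal>pubkey</literal>, <literal>secrkey</literal>
 and <literal>data</literal>.</para></listitem>
 </varlistentry>
 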
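--- a/doc/tools/tools.html
+++ b/doc/tools/tools.html
@@ -1557,6 +1557,8 @@
 </span></dt><dd><p>Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext).</p></dd><dt><span class="term">
 <code class="option">--extractable</code>
 </span></dt><dd><p>Set the CKA_EXTRACTABLE attribute (object can be extracted)</p></dd><dt><span class="term">
+<code class="option">--undestroyable</code>
+</span></dt><dd><p>Set the CKA_DESTROYABLE attribute to false (object cannot be destroyed)</p></dd><dt><span class="term">
 <code class="option">--set-id</code> <em class="replaceable"><code>id</code></em>,
 <code class="option">-e</code> <em class="replaceable"><code>id</code></em>
 </span></dt><dd><p>Set the CKA_ID of the object.</p></dd><dt><span class="term">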
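--- a/src/pkcs11/pkcs11.h
+++ b/src/pkcs11/pkcs11.h
@@ -450,6 +450,7 @@ typedef unsigned long ck_attribute_type_t;
 #define CKA_ALWAYS_SENSITIVE (0x165UL)
 #define CKA_KEY_GEN_MECHANISM (0x166UL)
 #define CKA_MODIFIABLE (0x170UL)
+#define CKA_DESTROYABLE (0x172UL)
 #define CKA_ECDSA_PARAMS (0x180UL)
 #define CKA_EC_PARAMS (0x180UL)
 #define CKA_EC_POINT (0x181UL)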
15 changes: 13 additions & 2 deletions src/tools/pkcs11-tool.c
@@ -167,6 +167,7 @@ enum {
OPT_PRIVATE,
OPT_SENSITIVE,
OPT_EXTRACTABLE,
OPT_UNDESTROYABLE,
OPT_TEST_HOTPLUG,
OPT_UNLOCK_PIN,
OPT_PUK,
@@ -272,6 +273,7 @@ static const struct option options[] = {
{ "private", 0, NULL, OPT_PRIVATE },
{ "sensitive", 0, NULL, OPT_SENSITIVE },
{ "extractable", 0, NULL, OPT_EXTRACTABLE },
{ "undestroyable", 0, NULL, OPT_UNDESTROYABLE },
{ "always-auth", 0, NULL, OPT_ALWAYS_AUTH },
{ "test-ec", 0, NULL, OPT_TEST_EC },
#ifndef _WIN32
@@ -359,6 +361,7 @@ static const char *option_help[] = {
"Set the CKA_PRIVATE attribute (object is only viewable after a login)",
"Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext)",
"Set the CKA_EXTRACTABLE attribute (object can be extracted)",
"Set the CKA_DESTROYABLE attribute to false (object cannot be destroyed)",
"Set the CKA_ALWAYS_AUTHENTICATE attribute to a key object (require PIN verification for each use)",
"Test EC (best used with the --login or --pin option)",
#ifndef _WIN32
@@ -413,6 +416,7 @@ static size_t opt_allowed_mechanisms_len = 0;
static int opt_is_private = 0;
static int opt_is_sensitive = 0;
static int opt_is_extractable = 0;
static int opt_is_destroyable = 1;
static int opt_test_hotplug = 0;
static int opt_login_type = -1;
static int opt_key_usage_sign = 0;
@@ -1043,6 +1047,9 @@ int main(int argc, char * argv[])
case OPT_EXTRACTABLE:
opt_is_extractable = 1;
break;
case OPT_UNDESTROYABLE:
opt_is_destroyable = 0;
break;
case OPT_TEST_HOTPLUG:
opt_test_hotplug = 1;
action_count++;
@@ -4005,6 +4012,10 @@ static int write_object(CK_SESSION_HANDLE session)
FILL_ATTR(cert_templ[n_cert_attr], CKA_ID, opt_object_id, opt_object_id_len);
n_cert_attr++;
}
if (opt_is_destroyable == 0) {
FILL_ATTR(cert_templ[n_cert_attr], CKA_DESTROYABLE, &_false, sizeof(_false));
n_cert_attr++;
}
#ifdef ENABLE_OPENSSL
/* according to PKCS #11 CKA_SUBJECT MUST be specified */
FILL_ATTR(cert_templ[n_cert_attr], CKA_SUBJECT, cert.subject, cert.subject_len);
@@ -6082,7 +6093,7 @@ static EVP_PKEY *get_public_key(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE priv
return NULL;
}
OSSL_PARAM_BLD_free(bld);

if (!(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) ||
EVP_PKEY_fromdata_init(ctx) != 1 ||
EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) != 1) {
@@ -8154,7 +8165,7 @@ static struct mech_info p11_mgf[] = {
{ CKG_MGF1_SHA3_256, "MGF1-SHA3_256", NULL, MF_MGF },
{ CKG_MGF1_SHA3_384, "MGF1-SHA3_384", NULL, MF_MGF },
{ CKG_MGF1_SHA3_512, "MGF1-SHA3_512", NULL, MF_MGF },

{ 0, NULL, NULL, MF_UNKNOWN }
};

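Review bot: In `write_object`, `opt_is_destroyable` is consulted only when filling `cert_templ`; no other hunk in this file reads it, so `--undestroyable` appears to be accepted and then ignored when the object being written is a key or data object, or when a key is generated on the token. Someone using the flag to keep a key from being deleted would get an ordinary destroyable object and no diagnostic. Either add the same guarded `FILL_ATTR(<templ>[<n>], CKA_DESTROYABLE, &_false, sizeof(_false)); <n>++;` to the remaining templates, or narrow the help string, e.g. `"Set the CKA_DESTROYABLE attribute to false on a written certificate (object cannot be destroyed)"`. `write_object` continues outside the hunk, so the other templates, and whether the `cert_templ` array has room for one more entry, should be checked there.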