pkcs11-tool: fixed bad check for key parameter

this removes key length default values in general to handle parsing errors explicitly.
hhonkanen · Feb 13, 2024 · ea7bd24 · ea7bd24
1 parent 43fcbba
commit ea7bd24
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 20 deletions.
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
@@ -2870,11 +2870,10 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
 				if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
 					util_fatal("Generate RSA mechanism not supported");
 
-			if (size == NULL)
-				util_fatal("Unknown key pair type %s, expecting RSA:<nbytes>", type);
 			key_length = (unsigned long)atol(size);
-			if (key_length != 0)
-				modulusBits = key_length;
+			if (key_length == 0)
+				util_fatal("Unknown key pair type %s, expecting RSA:<nbytes>", type);
+			modulusBits = key_length;
 
 			FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_MODULUS_BITS, &modulusBits, sizeof(modulusBits));
 			n_pubkey_attr++;
@@ -2992,9 +2991,6 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
 			size_t mtypes_num = sizeof(mtypes)/sizeof(mtypes[0]);
 			const char *p_param_set = type + strlen("GOSTR3410");
 
-			if (p_param_set == NULL)
-				util_fatal("Unknown key pair type %s, expecting GOSTR3410:<nbytes>", type);
-
 			if (!strcmp(":A", p_param_set) || !strcmp("-2001:A", p_param_set)) {
 				gost_key_type = CKK_GOSTR3410;
 				mtypes[0] = CKM_GOSTR3410_KEY_PAIR_GEN;
@@ -3193,11 +3189,9 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
 				if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
 					util_fatal("Generate Key mechanism not supported\n");
 
-			if (size == NULL)
-				util_fatal("Unknown key type %s, expecting AES:<nbytes>", type);
 			key_length = (unsigned long)atol(size);
 			if (key_length == 0)
-				key_length = 32;
+				util_fatal("Unknown key type %s, expecting AES:<nbytes>", type);
 
 			FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
 			n_attr++;
@@ -3213,11 +3207,9 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
 				if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
 					util_fatal("Generate Key mechanism not supported\n");
 
-			if (size == NULL)
-				util_fatal("Unknown key type %s, expecting DES:<nbytes>", type);
 			key_length = (unsigned long)atol(size);
 			if (key_length == 0)
-				key_length = 8;
+				util_fatal("Unknown key type %s, expecting DES:<nbytes>", type);
 
 			FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
 			n_attr++;
@@ -3233,11 +3225,9 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
 				if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
 					util_fatal("Generate Key mechanism not supported\n");
 
-			if (size == NULL)
-				util_fatal("Unknown key type %s, expecting DES3:<nbytes>", type);
 			key_length = (unsigned long)atol(size);
 			if (key_length == 0)
-				key_length = 16;
+				util_fatal("Unknown key type %s, expecting DES3:<nbytes>", type);
 
 			FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
 			n_attr++;
@@ -3253,11 +3243,9 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
 				if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
 					util_fatal("Generate Key mechanism not supported\n");
 
-			if (size == NULL)
-				util_fatal("Unknown key type %s, expecting GENERIC:<nbytes>", type);
 			key_length = (unsigned long)atol(size);
 			if (key_length == 0)
-				key_length = 32;
+				util_fatal("Unknown key type %s, expecting GENERIC:<nbytes>", type);
 
 			FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
 			n_attr++;

diff --git a/tests/test-pkcs11-tool-allowed-mechanisms.sh b/tests/test-pkcs11-tool-allowed-mechanisms.sh
@@ -21,7 +21,7 @@ echo "======================================================="
 ID="05"
 MECHANISMS="RSA-PKCS,SHA1-RSA-PKCS,RSA-PKCS-PSS"
 # Generate key pair
-$PKCS11_TOOL --keypairgen --key-type="RSA:" --login --pin=$PIN \
+$PKCS11_TOOL --keypairgen --key-type="RSA:1024" --login --pin=$PIN \
 	--module="$P11LIB" --label="test" --id="$ID" \
 	--allowed-mechanisms="$MECHANISMS,SHA384-RSA-PKCS"
 assert $? "Failed to Generate RSA key pair"