Ignore CKA_TOKEN in the public key template for C_GenerateKeyPair. Ad…

…d tests. (#435) * Test setting CKA_TOKEN false for RSA key gen * Test setting CKA_TOKEN false for EC key gen * Ignore CKA_TOKEN in pubkey template for RSA and EC key gen Also fix some typos in debug logging
Yubico · Dec 2, 2024 · 8b03831 · 8b03831
1 parent 0e9d294
commit 8b03831
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 25 deletions.
diff --git a/examples/p11_generate_rsa.c b/examples/p11_generate_rsa.c
@@ -72,7 +72,7 @@ int main(int argc, char *argv[]) {
     {CKA_VERIFY, &ck_true, sizeof(ck_true)},
     {CKA_WRAP, &ck_true, sizeof(ck_true)},
     {CKA_UNWRAP, &ck_false, sizeof(ck_false)},
-    {CKA_TOKEN, &ck_true, sizeof(ck_true)},
+    {CKA_TOKEN, &ck_false, sizeof(ck_false)},
     {CKA_PRIVATE, &ck_false, sizeof(ck_false)},
     {CKA_EXTRACTABLE, &ck_true, sizeof(ck_true)},
     {CKA_MODIFIABLE, &ck_false, sizeof(ck_false)},

diff --git a/pkcs11/tests/ecdh_derive_test.c b/pkcs11/tests/ecdh_derive_test.c
@@ -36,14 +36,16 @@ CK_BYTE P256_PARAMS[] = {0x06, 0x08, 0x2a, 0x86, 0x48,
                          0xce, 0x3d, 0x03, 0x01, 0x07};
 CK_BYTE P384_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22};
 CK_BYTE P521_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23};
+CK_BYTE BP256_PARAMS[] = {0x06, 0x09, 0x2b, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07};
 
 static CK_FUNCTION_LIST_3_0_PTR p11;
 static CK_SESSION_HANDLE session;
 
-char *CURVES[] = {"secp224r1", "prime256v1", "secp384r1", "secp521r1"};
-CK_BYTE *CURVE_PARAMS[] = {P224_PARAMS, P256_PARAMS, P384_PARAMS, P521_PARAMS};
+char *CURVES[] = {"secp224r1", "prime256v1", "secp384r1", "secp521r1", "brainpoolP256r1"};
+CK_BYTE *CURVE_PARAMS[] = {P224_PARAMS, P256_PARAMS, P384_PARAMS, P521_PARAMS, BP256_PARAMS};
 CK_ULONG CURVE_LENS[] = {sizeof(P224_PARAMS), sizeof(P256_PARAMS),
-                         sizeof(P384_PARAMS), sizeof(P521_PARAMS)};
+                         sizeof(P384_PARAMS), sizeof(P521_PARAMS),
+                         sizeof(BP256_PARAMS)};
 int CURVE_COUNT = sizeof(CURVE_PARAMS) / sizeof(CURVE_PARAMS[0]);
 
 static void success(const char *message) { printf("%s. OK\n", message); }
@@ -56,27 +58,31 @@ static void generate_keypair_yh(CK_BYTE *curve, CK_ULONG curve_len,
   CK_MECHANISM mechanism = {CKM_EC_KEY_PAIR_GEN, NULL_PTR, 0};
 
   CK_BBOOL ck_true = CK_TRUE;
+  CK_BBOOL ck_false = CK_FALSE;
 
   CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
   CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;
   CK_KEY_TYPE key_type = CKK_EC;
   char *label = "ecdhtest";
 
-  CK_ATTRIBUTE publicKeyTemplate[] = {{CKA_CLASS, &pubkey_class,
-                                       sizeof(pubkey_class)},
-                                      {CKA_VERIFY, &ck_true, sizeof(ck_true)},
-                                      {CKA_KEY_TYPE, &key_type,
-                                       sizeof(key_type)},
+  CK_ATTRIBUTE publicKeyTemplate[] = {
+                                      {CKA_CLASS, &pubkey_class, sizeof(pubkey_class)},
+                                      {CKA_TOKEN, &ck_false, sizeof(ck_false)},
                                       {CKA_LABEL, label, strlen(label)},
-                                      {CKA_EC_PARAMS, curve, curve_len}};
-
-  CK_ATTRIBUTE privateKeyTemplate[] = {{CKA_CLASS, &privkey_class,
-                                        sizeof(privkey_class)},
+                                      {CKA_KEY_TYPE, &key_type, sizeof(key_type)},
+                                      {CKA_EC_PARAMS, curve, curve_len},
+                                      {CKA_VERIFY, &ck_true, sizeof(ck_true)}
+                                    };
+
+  CK_ATTRIBUTE privateKeyTemplate[] = {
+                                       {CKA_CLASS, &privkey_class, sizeof(privkey_class)},
+                                       {CKA_TOKEN, &ck_true, sizeof(ck_true)},
                                        {CKA_LABEL, label, strlen(label)},
-                                       {CKA_DERIVE, &ck_true, sizeof(ck_true)}};
+                                       {CKA_DERIVE, &ck_true, sizeof(ck_true)}
+                                      };
 
-  if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 5,
-                              privateKeyTemplate, 3, publicKeyPtr,
+  if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 6,
+                              privateKeyTemplate, 4, publicKeyPtr,
                               privateKeyPtr)) != CKR_OK) {
     fail("Failed to generate EC key pair on YubiHSM");
     exit(EXIT_FAILURE);

diff --git a/pkcs11/util_pkcs11.c b/pkcs11/util_pkcs11.c
@@ -4885,7 +4885,6 @@ CK_RV parse_rsa_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate,
         }
         break;
 
-      case CKA_TOKEN:
       case CKA_EXTRACTABLE:
       case CKA_DESTROYABLE:
         if ((rv = check_bool_attribute(pPublicKeyTemplate[i].pValue, true)) !=
@@ -4914,6 +4913,7 @@ CK_RV parse_rsa_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate,
         }
         break;
 
+      case CKA_TOKEN:
       case CKA_WRAP:   // pkcs11-tool sets this on public keys
       case CKA_UNWRAP: // pkcs11-tool sets this on public keys
       case CKA_VERIFY:
@@ -5115,7 +5115,7 @@ CK_RV parse_ec_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate,
           ecparams = (CK_BYTE_PTR) pPublicKeyTemplate[i].pValue;
           ecparams_len = pPublicKeyTemplate[i].ulValueLen;
         } else {
-          DBG_ERR("CKA_PUBLIC_EXPONENT inconsistent in PublicKeyTemplate");
+          DBG_ERR("CKA_EC_PARAMS inconsistent in PublicKeyTemplate");
           return CKR_TEMPLATE_INCONSISTENT;
         }
         break;
@@ -5129,7 +5129,6 @@ CK_RV parse_ec_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate,
         }
         break;
 
-      case CKA_TOKEN:
       case CKA_EXTRACTABLE:
       case CKA_DESTROYABLE:
         if ((rv = check_bool_attribute(pPublicKeyTemplate[i].pValue, true)) !=
@@ -5160,6 +5159,7 @@ CK_RV parse_ec_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate,
         }
         break;
 
+      case CKA_TOKEN:
       case CKA_VERIFY:
       case CKA_DERIVE: // pkcs11-tool sets this on public keys
         break;
@@ -5273,14 +5273,14 @@ CK_RV parse_ec_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate,
   }
 
   if (ecparams == NULL) {
-    DBG_ERR("CKA_ECPARAMS not set");
+    DBG_ERR("CKA_EC_PARAMS not set");
     return CKR_TEMPLATE_INCOMPLETE;
   }
 
   uint16_t key_len;
   rv = parse_ecparams(ecparams, ecparams_len, &template->algorithm, &key_len);
   if (rv != CKR_OK) {
-    DBG_ERR("Failed to parse CKA_ECPARAMS");
+    DBG_ERR("Failed to parse CKA_EC_PARAMS");
     return rv;
   }
 
@@ -5481,14 +5481,14 @@ CK_RV parse_ed_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate,
   }
 
   if (ecparams == NULL) {
-    DBG_ERR("CKA_ECPARAMS not set");
+    DBG_ERR("CKA_EC_PARAMS not set");
     return CKR_TEMPLATE_INCOMPLETE;
   }
 
   uint16_t key_len;
   rv = parse_edparams(ecparams, ecparams_len, &template->algorithm, &key_len);
   if (rv != CKR_OK) {
-    DBG_ERR("Failed to parse CKA_ECPARAMS");
+    DBG_ERR("Failed to parse CKA_EC_PARAMS");
     return rv;
   }
 
@@ -5721,7 +5721,7 @@ parse_rsa_wrappedkey_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
           ecparams = (CK_BYTE_PTR) pTemplate[i].pValue;
           ecparams_len = pTemplate[i].ulValueLen;
         } else {
-          DBG_ERR("CKA_PUBLIC_EXPONENT inconsistent in PublicKeyTemplate");
+          DBG_ERR("CKA_EC_PARAMS inconsistent in PublicKeyTemplate");
           return CKR_TEMPLATE_INCONSISTENT;
         }
         break;
@@ -5814,7 +5814,7 @@ parse_rsa_wrappedkey_template(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
       return CKR_TEMPLATE_INCONSISTENT;
     }
     if (rv != CKR_OK) {
-      DBG_ERR("Failed to parse CKA_ECPARAMS");
+      DBG_ERR("Failed to parse CKA_EC_PARAMS");
       return rv;
     }
   }