[Cryptech-Commits] [sw/pkcs11] 02/02: Key flag handling, more trailing whitespace cleanup.

git at cryptech.is git at cryptech.is
Sat May 14 20:36:17 UTC 2016


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch rpc
in repository sw/pkcs11.

commit b24ea47f610ab16fc14d9deee22cc68b7d3be214
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Sat May 14 16:23:51 2016 -0400

    Key flag handling, more trailing whitespace cleanup.
    
    At this point we are passing most of the unit tests in RPC loopback
    mode.  Remaining failure is TestKeys.test_keygen_token_vs_session(),
    which gets HAL_ERROR_KEY_NAME_IN_USE when attempting to generate a
    session key and a token key with the same CKA_ID value, so clearly
    something is not quite right yet in the keystore selection logic.
---
 GNUmakefile          |   2 +-
 pkcs11.c             | 133 ++++++++++++++++++++++++++++-----------------------
 scripts/py11-test.py |   6 +--
 3 files changed, 78 insertions(+), 63 deletions(-)

diff --git a/GNUmakefile b/GNUmakefile
index 71ca871..07eb372 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -62,7 +62,7 @@ SOFLAGS := -Wl,-Bsymbolic-functions -Wl,-Bsymbolic -Wl,-z,noexecstack
 LIBS	:= ${LIBHAL_DIR}/libhal.a ${LIBTFM_DIR}/libtfm.a ${SQLITE3_DIR}/libsqlite3.a
 
 ifeq "${ENABLE_FOOTNOTE_WARNINGS}" "no"
-  CFLAGS += -Wno-\#warnings
+  CFLAGS += -Wno-\#warnings -Wno-cpp
 endif
 
 ifeq "${ENABLE_THREADS}" "yes"
diff --git a/pkcs11.c b/pkcs11.c
index 6ed7bc3..b5878e5 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -254,19 +254,19 @@ static pid_t initialized_pid;
 
 #if DEBUG_PKCS11
 
-#define lose(_ck_rv_code_)                                              \
-  do {                                                                  \
-    rv = (_ck_rv_code_);                                                \
-    fprintf(stderr, "%s:%u: %s\n", __FILE__, __LINE__, #_ck_rv_code_);  \
-    goto fail;                                                          \
+#define lose(_ck_rv_code_)                                                      \
+  do {                                                                          \
+    rv = (_ck_rv_code_);                                                        \
+    fprintf(stderr, "\n%s:%u: %s\n", __FILE__, __LINE__, #_ck_rv_code_);        \
+    goto fail;                                                                  \
   } while (0)
 
 #else  /* DEBUG_PKCS11 */
 
-#define lose(_ck_rv_code_)                                              \
-  do {                                                                  \
-    rv = (_ck_rv_code_);                                                \
-    goto fail;                                                          \
+#define lose(_ck_rv_code_)                                                      \
+  do {                                                                          \
+    rv = (_ck_rv_code_);                                                        \
+    goto fail;                                                                  \
   } while (0)
 
 #endif  /* DEBUG_PKCS11 */
@@ -280,7 +280,7 @@ static pid_t initialized_pid;
 #if DEBUG_PKCS11 > 1
 
 #define ENTER_PUBLIC_FUNCTION(_name_) \
-  fprintf(stderr, "Entering function %s\n", #_name_)
+  fprintf(stderr, "\nEntering function %s\n", #_name_)
 
 #else  /* DEBUG_PKCS11 > 1 */
 
@@ -298,7 +298,7 @@ static int _hal_check(const hal_error_t err, const char * const expr, const char
 {
   if (err == HAL_OK)
     return 1;
-  fprintf(stderr, "%s:%u: %s returned %s\n", file, line, expr, hal_error_string(err));
+  fprintf(stderr, "\n%s:%u: %s returned %s\n", file, line, expr, hal_error_string(err));
   return 0;
 }
 
@@ -346,7 +346,7 @@ static sqlite3 *sqldb = NULL;
 #if DEBUG_SQL
 
 #define sql_whine(_expr_)                                               \
-  (fprintf(stderr, "%s:%u: %s returned %s\n",                           \
+  (fprintf(stderr, "\n%s:%u: %s returned %s\n",                         \
            __FILE__, __LINE__, #_expr_, sqlite3_errmsg(sqldb)),         \
    sql_breakpoint())
 
@@ -372,7 +372,7 @@ static sqlite3 *sqldb = NULL;
 #if DEBUG_SQL
 static void sql_breakpoint(void)
 {
-  fprintf(stderr, "[sql_breakpoint]\n");
+  fprintf(stderr, "\n[sql_breakpoint]\n");
 }
 #endif
 
@@ -389,7 +389,7 @@ static int sql_exec(const char *cmd)
 
 #if DEBUG_SQL
   if (msg != NULL)
-    fprintf(stderr, "[%s]\n", msg);
+    fprintf(stderr, "\n[%s]\n", msg);
 #endif
 
   return 0;
@@ -971,15 +971,12 @@ static void *p11_attribute_find_value_in_template(const CK_ATTRIBUTE_TYPE type,
  * after the default and mandatory values have been merged into the
  * values supplied by the application-supplied template.
  *
- * Semantics of the flags follow RFC 5280 4.2.1.3, numeric values
- * don't matter particularly as we only use them internally.
+ * Semantics of the flags follow RFC 5280 4.2.1.3.  Numeric values
+ * don't matter particularly as we only use them internally so we
+ * can simplify things a bit by reusing libhal's flag values.
  */
 
-#define KEYUSAGE_DIGITALSIGNATURE	(1 << 0)
-#define KEYUSAGE_KEYENCIPHERMENT	(1 << 1)
-#define KEYUSAGE_DATAENCIPHERMENT	(1 << 2)
-
-static void p11_attribute_apply_keyusage(unsigned *keyusage, const CK_ATTRIBUTE_TYPE type, const CK_BBOOL *value)
+static void p11_attribute_apply_keyusage(hal_key_flags_t *keyusage, const CK_ATTRIBUTE_TYPE type, const CK_BBOOL *value)
 {
   unsigned flag;
 
@@ -988,15 +985,15 @@ static void p11_attribute_apply_keyusage(unsigned *keyusage, const CK_ATTRIBUTE_
   switch (type) {
   case CKA_SIGN:                /* Generate signature */
   case CKA_VERIFY:              /* Verify signature */
-    flag = KEYUSAGE_DIGITALSIGNATURE;
+    flag = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE;
     break;
   case CKA_ENCRYPT:             /* Encrypt bulk data (seldom used) */
   case CKA_DECRYPT:             /* Bulk decryption (seldom used) */
-    flag = KEYUSAGE_DATAENCIPHERMENT;
+    flag = HAL_KEY_FLAG_USAGE_DATAENCIPHERMENT;
     break;
   case CKA_WRAP:                /* Wrap key (normal way of doing encryption) */
   case CKA_UNWRAP:              /* Unwrap key (normal way of doing decryption) */
-    flag = KEYUSAGE_KEYENCIPHERMENT;
+    flag = HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT;
     break;
   default:
     return;                     /* Attribute not related to key usage */
@@ -1365,7 +1362,7 @@ static int p11_object_pkey_type(const CK_OBJECT_HANDLE object_handle,
   if (!p11_attribute_get_ulong(object_handle, CKA_CLASS, &cka_class)            ||
       !p11_attribute_get_ulong(object_handle, CKA_KEY_TYPE, &cka_key_type))
     return 0;
-  
+
   else if (cka_class == CKO_PRIVATE_KEY && cka_key_type == CKK_RSA)
     *pkey_type = HAL_KEY_TYPE_RSA_PRIVATE;
 
@@ -1394,9 +1391,11 @@ static int p11_object_pkey_type(const CK_OBJECT_HANDLE object_handle,
  * Fetch the libhal pkey handle for a key object.
  */
 
+#warning Should do something about key usage flags in p11_object_get_*_public_key()
+
 static inline int p11_object_get_rsa_public_key(const p11_session_t * const session,
                                                 const CK_OBJECT_HANDLE object_handle,
-                                                hal_pkey_handle_t *pkey_handle, 
+                                                hal_pkey_handle_t *pkey_handle,
                                                 const char *flavor,
                                                 const uint8_t * const name, const size_t name_len,
                                                 const hal_key_flags_t flags)
@@ -1814,14 +1813,14 @@ static CK_RV p11_template_check_1(const CK_ATTRIBUTE_TYPE type,
   if (atd->value != NULL && (atd->flags & P11_DESCRIPTOR_DEFAULT_VALUE) == 0 && memcmp(val, atd->value, atd->length) != 0)
     lose(CKR_TEMPLATE_INCONSISTENT);
 
-#warning Add _LATCH checks here? 
+#warning Add _LATCH checks here?
 
   rv = CKR_OK;
 
  fail:
 #if DEBUG_PKCS11
   if (rv != CKR_OK)
-    fprintf(stderr, "p11_template_check_1() rejected attribute 0x%08lx\n", (unsigned long) type);
+    fprintf(stderr, "\np11_template_check_1() rejected attribute 0x%08lx\n", (unsigned long) type);
 #endif
   return rv;
 }
@@ -1875,7 +1874,7 @@ static CK_RV p11_template_check_2(const p11_session_t *session,
     /* Required attribute missing from template */
     if (!forbidden_by_api && (required_by_api || !in_descriptor) && pos_in_template < 0) {
 #if DEBUG_PKCS11
-      fprintf(stderr, "[Missing attribute 0x%lx]\n", atd->type);
+      fprintf(stderr, "\n[Missing attribute 0x%lx]\n", atd->type);
 #endif
       lose(CKR_TEMPLATE_INCOMPLETE);
     }
@@ -1907,17 +1906,20 @@ static CK_RV p11_check_keypair_attributes(const p11_session_t *session,
                                           const CK_ATTRIBUTE_PTR pPublicKeyTemplate,
                                           const CK_ULONG ulPublicKeyAttributeCount,
                                           const p11_descriptor_t * const public_descriptor,
+                                          hal_key_flags_t *public_flags,
                                           const CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
                                           const CK_ULONG ulPrivateKeyAttributeCount,
-                                          const p11_descriptor_t * const private_descriptor)
+                                          const p11_descriptor_t * const private_descriptor,
+                                          hal_key_flags_t *private_flags)
 {
-  unsigned public_keyusage = 0, private_keyusage = 0;
   CK_RV rv = CKR_OK;
   int i;
 
   assert(session             != NULL &&
-         pPublicKeyTemplate  != NULL && public_descriptor  != NULL &&
-         pPrivateKeyTemplate != NULL && private_descriptor != NULL);
+         pPublicKeyTemplate  != NULL && public_descriptor  != NULL && public_flags  != NULL &&
+         pPrivateKeyTemplate != NULL && private_descriptor != NULL && private_flags != NULL);
+
+  *public_flags = *private_flags = 0;
 
   /*
    * Read-only sessions can't create keys, doh.
@@ -1942,7 +1944,7 @@ static CK_RV p11_check_keypair_attributes(const p11_session_t *session,
                                    P11_DESCRIPTOR_FORBIDDEN_BY_GENERATE)) != CKR_OK)
       goto fail;
 
-    p11_attribute_apply_keyusage(&public_keyusage, type, val);
+    p11_attribute_apply_keyusage(public_flags, type, val);
   }
 
   for (i = 0; i < ulPrivateKeyAttributeCount; i++) {
@@ -1954,7 +1956,7 @@ static CK_RV p11_check_keypair_attributes(const p11_session_t *session,
                                    P11_DESCRIPTOR_FORBIDDEN_BY_GENERATE)) != CKR_OK)
       goto fail;
 
-    p11_attribute_apply_keyusage(&private_keyusage, type, val);
+    p11_attribute_apply_keyusage(private_flags, type, val);
   }
 
   /*
@@ -1962,7 +1964,7 @@ static CK_RV p11_check_keypair_attributes(const p11_session_t *session,
    * key, and that they match.  May not need to be this strict.
    */
 
-  if (public_keyusage != private_keyusage || public_keyusage == 0)
+  if (*public_flags != *private_flags || *public_flags == 0)
     lose(CKR_TEMPLATE_INCONSISTENT);
 
   /*
@@ -2000,10 +2002,12 @@ static CK_RV p11_check_keypair_attributes(const p11_session_t *session,
 static CK_RV generate_keypair_rsa_pkcs(p11_session_t *session,
                                        const CK_ATTRIBUTE_PTR pPublicKeyTemplate,
                                        const CK_ULONG ulPublicKeyAttributeCount,
+                                       const CK_OBJECT_HANDLE public_handle,
+                                       const hal_key_flags_t public_flags,
                                        const CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
                                        const CK_ULONG ulPrivateKeyAttributeCount,
                                        const CK_OBJECT_HANDLE private_handle,
-                                       const CK_OBJECT_HANDLE public_handle,
+                                       const hal_key_flags_t private_flags,
                                        const uint8_t * const id, const size_t id_len)
 {
   const uint8_t *public_exponent = const_0x010001;
@@ -2038,12 +2042,11 @@ static CK_RV generate_keypair_rsa_pkcs(p11_session_t *session,
   if (keysize == 0 || id == NULL)
     return CKR_TEMPLATE_INCOMPLETE;
 
-#warning Should do something here with pkey flags
-
   if (!hal_check(hal_rpc_pkey_generate_rsa(p11_session_hal_client(session),
                                            p11_session_hal_session(session),
                                            &pkey, id, id_len, keysize,
-                                           public_exponent, public_exponent_len, 0)))
+                                           public_exponent, public_exponent_len,
+                                           private_flags)))
     lose(CKR_FUNCTION_FAILED);
 
   {
@@ -2078,10 +2081,12 @@ static CK_RV generate_keypair_rsa_pkcs(p11_session_t *session,
 static CK_RV generate_keypair_ec(p11_session_t *session,
                                  const CK_ATTRIBUTE_PTR pPublicKeyTemplate,
                                  const CK_ULONG ulPublicKeyAttributeCount,
+                                 const CK_OBJECT_HANDLE public_handle,
+                                 const hal_key_flags_t public_flags,
                                  const CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
                                  const CK_ULONG ulPrivateKeyAttributeCount,
                                  const CK_OBJECT_HANDLE private_handle,
-                                 const CK_OBJECT_HANDLE public_handle,
+                                 const hal_key_flags_t private_flags,
                                  const uint8_t * const id, const size_t id_len)
 {
   hal_pkey_handle_t pkey = {HAL_HANDLE_NONE};
@@ -2112,7 +2117,8 @@ static CK_RV generate_keypair_ec(p11_session_t *session,
 
   if (!hal_check(hal_rpc_pkey_generate_ec(p11_session_hal_client(session),
                                           p11_session_hal_session(session),
-                                          &pkey, id, id_len, curve, 0))         ||
+                                          &pkey, id, id_len, curve,
+                                          private_flags))                       ||
       !p11_attribute_set(public_handle,  CKA_EC_PARAMS, params, params_len)     ||
       !p11_attribute_set(private_handle, CKA_EC_PARAMS, params, params_len))
     lose(CKR_FUNCTION_FAILED);
@@ -2156,10 +2162,12 @@ static CK_RV generate_keypair(p11_session_t *session,
                               CK_RV (*mechanism_handler)(p11_session_t *session,
                                                          const CK_ATTRIBUTE_PTR pPublicKeyTemplate,
                                                          const CK_ULONG ulPublicKeyAttributeCount,
+                                                         const CK_OBJECT_HANDLE public_handle,
+                                                         const hal_key_flags_t public_flags,
                                                          const CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
                                                          const CK_ULONG ulPrivateKeyAttributeCount,
                                                          const CK_OBJECT_HANDLE private_handle,
-                                                         const CK_OBJECT_HANDLE public_handle,
+                                                         const hal_key_flags_t private_flags,
                                                          const uint8_t * const id, const size_t id_len),
                               const p11_descriptor_t * const public_descriptor,
                               const p11_descriptor_t * const private_descriptor)
@@ -2168,12 +2176,14 @@ static CK_RV generate_keypair(p11_session_t *session,
   CK_OBJECT_HANDLE public_handle = CK_INVALID_HANDLE;
   handle_flavor_t public_handle_flavor = handle_flavor_session_object;
   handle_flavor_t private_handle_flavor = handle_flavor_session_object;
+  hal_key_flags_t public_flags = 0;
+  hal_key_flags_t private_flags = 0;
   CK_RV rv;
   int i;
 
   rv = p11_check_keypair_attributes(session,
-                                    pPublicKeyTemplate,  ulPublicKeyAttributeCount,  public_descriptor,
-                                    pPrivateKeyTemplate, ulPrivateKeyAttributeCount, private_descriptor);
+                                    pPublicKeyTemplate,  ulPublicKeyAttributeCount,  public_descriptor,  &public_flags,
+                                    pPrivateKeyTemplate, ulPrivateKeyAttributeCount, private_descriptor, &private_flags);
   if (rv != CKR_OK)
     return rv;
 
@@ -2189,6 +2199,12 @@ static CK_RV generate_keypair(p11_session_t *session,
     if (pPrivateKeyTemplate[i].type == CKA_TOKEN)
       private_handle_flavor = p11_handle_flavor_from_cka_token(pPrivateKeyTemplate[i].pValue);
 
+  if (public_handle_flavor == handle_flavor_session_object)
+    public_flags |= HAL_KEY_FLAG_PROXIMATE;
+
+  if (private_handle_flavor == handle_flavor_session_object)
+    private_flags |= HAL_KEY_FLAG_PROXIMATE;
+
   if (!sql_exec("BEGIN"))
     lose(CKR_FUNCTION_FAILED);
 
@@ -2203,7 +2219,7 @@ static CK_RV generate_keypair(p11_session_t *session,
     lose(CKR_FUNCTION_FAILED);
 
   {
-    size_t id_len = 0;
+    CK_ULONG id_len = 0;
 
     if (!p11_attribute_get(private_handle, CKA_ID, NULL, &id_len, 0) &&
         !p11_attribute_get(public_handle,  CKA_ID, NULL, &id_len, 0))
@@ -2211,14 +2227,13 @@ static CK_RV generate_keypair(p11_session_t *session,
 
     uint8_t id[id_len];
 
-    if (!p11_attribute_get(private_handle, CKA_ID, id, NULL, id_len) &&
-        !p11_attribute_get(public_handle,  CKA_ID, id,  NULL, id_len))
+    if (!p11_attribute_get(private_handle, CKA_ID, id, NULL, (size_t) id_len) &&
+        !p11_attribute_get(public_handle,  CKA_ID, id, NULL, (size_t) id_len))
       lose(CKR_TEMPLATE_INCOMPLETE);
 
     if ((rv = mechanism_handler(session,
-                                pPublicKeyTemplate, ulPublicKeyAttributeCount,
-                                pPrivateKeyTemplate, ulPrivateKeyAttributeCount,
-                                private_handle, public_handle,
+                                pPublicKeyTemplate,  ulPublicKeyAttributeCount,  public_handle,  public_flags,
+                                pPrivateKeyTemplate, ulPrivateKeyAttributeCount, private_handle, private_flags,
                                 id, id_len)) != CKR_OK)
       goto fail;
   }
@@ -2419,7 +2434,7 @@ static CK_RV sign_hal_rpc(p11_session_t *session,
 #warning Should pay more attention to translating error codes here
   if (pSignature != NULL &&
       !hal_check(hal_rpc_pkey_sign(p11_session_hal_session(session), pkey, session->sign_digest_handle,
-                                   pData, ulDataLen, pSignature, pulSignatureLen, signature_len)))
+                                   pData, ulDataLen, pSignature, &signature_len, signature_len)))
     lose(CKR_FUNCTION_FAILED);
 
   rv = CKR_OK;                  /* Fall through */
@@ -3113,7 +3128,7 @@ CK_RV C_CreateObject(CK_SESSION_HANDLE hSession,
   switch (*cka_class) {
   case CKO_PRIVATE_KEY:
   case CKO_SECRET_KEY:
-    if (!p11_attribute_set_bbool(handle, CKA_ALWAYS_SENSITIVE,  CK_FALSE) || 
+    if (!p11_attribute_set_bbool(handle, CKA_ALWAYS_SENSITIVE,  CK_FALSE) ||
         !p11_attribute_set_bbool(handle, CKA_NEVER_EXTRACTABLE, CK_FALSE))
       lose(CKR_FUNCTION_FAILED);
   }
@@ -3716,7 +3731,7 @@ CK_RV C_SignInit(CK_SESSION_HANDLE hSession,
   case CKM_RSA_PKCS:
   case CKM_SHA1_RSA_PKCS:
   case CKM_SHA256_RSA_PKCS:
-  case CKM_SHA384_RSA_PKCS:     
+  case CKM_SHA384_RSA_PKCS:
   case CKM_SHA512_RSA_PKCS:
     if (key_type != CKK_RSA)
       lose(CKR_KEY_TYPE_INCONSISTENT);
@@ -3746,11 +3761,11 @@ CK_RV C_SignInit(CK_SESSION_HANDLE hSession,
   case CKM_ECDSA_SHA256:
     session->sign_digest_algorithm = hal_digest_algorithm_sha256;
     break;
-  case CKM_SHA384_RSA_PKCS:     
+  case CKM_SHA384_RSA_PKCS:
   case CKM_ECDSA_SHA384:
     session->sign_digest_algorithm = hal_digest_algorithm_sha384;
     break;
-  case CKM_SHA512_RSA_PKCS:     
+  case CKM_SHA512_RSA_PKCS:
   case CKM_ECDSA_SHA512:
     session->sign_digest_algorithm = hal_digest_algorithm_sha512;
     break;
@@ -3949,7 +3964,7 @@ CK_RV C_VerifyInit(CK_SESSION_HANDLE hSession,
   case CKM_RSA_PKCS:
   case CKM_SHA1_RSA_PKCS:
   case CKM_SHA256_RSA_PKCS:
-  case CKM_SHA384_RSA_PKCS:     
+  case CKM_SHA384_RSA_PKCS:
   case CKM_SHA512_RSA_PKCS:
     if (key_type != CKK_RSA)
       lose(CKR_KEY_TYPE_INCONSISTENT);
@@ -4045,7 +4060,7 @@ CK_RV C_Verify(CK_SESSION_HANDLE hSession,
   default:
     lose(CKR_FUNCTION_FAILED);
   }
-  
+
  fail:                          /* Fall through */
 
   if (session != NULL) {
@@ -4130,7 +4145,7 @@ CK_RV C_VerifyFinal(CK_SESSION_HANDLE hSession,
   default:
     lose(CKR_FUNCTION_FAILED);
   }
-  
+
  fail:                          /* Fall through */
 
   if (session != NULL) {
diff --git a/scripts/py11-test.py b/scripts/py11-test.py
index 1719f8b..04372ec 100644
--- a/scripts/py11-test.py
+++ b/scripts/py11-test.py
@@ -112,19 +112,19 @@ print "Generating EC P256 keypair"
 ec_templates = genkeypair_templates("EC-P256", CKA_EC_PARAMS = ec_curve_oid_p256)
 ec_p256_keypair   = p11.C_GenerateKeyPair(session, CKM_EC_KEY_PAIR_GEN, ec_templates[0], ec_templates[1])
 print ec_p256_keypair
-                      
+
 print
 print "Generating EC P384 keypair"
 ec_templates = genkeypair_templates("EC-P384", CKA_EC_PARAMS = ec_curve_oid_p384)
 ec_p384_keypair   = p11.C_GenerateKeyPair(session, CKM_EC_KEY_PAIR_GEN, ec_templates[0], ec_templates[1])
 print ec_p384_keypair
-                      
+
 print
 print "Generating EC P521 keypair"
 ec_templates = genkeypair_templates("EC-P521", CKA_EC_PARAMS = ec_curve_oid_p521)
 ec_p521_keypair   = p11.C_GenerateKeyPair(session, CKM_EC_KEY_PAIR_GEN, ec_templates[0], ec_templates[1])
 print ec_p521_keypair
-                      
+
 print
 print "Listing keys"
 show_keys(session, CKO_PUBLIC_KEY,  CKA_VERIFY, CKA_ENCRYPT, CKA_WRAP)



More information about the Commits mailing list