pkcs15init: use random id for secret key

Calculating intrinsic key would probably be not wise, because it would leak out information about the secret key. Try to generate globally unique IDs just by using a random one.
LudovicRousseau · Jun 13, 2017 · 137c630 · 137c630
1 parent 023216c
commit 137c630
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
@@ -1879,12 +1879,16 @@ sc_pkcs15init_store_secret_key(struct sc_pkcs15_card *p15card, struct sc_profile
 			LOG_TEST_RET(ctx, SC_ERROR_INCOMPATIBLE_KEY, "Card does not support this key.");
 	}
 
-	/* Select a intrinsic Key ID if user didn't specify one */
-	r = sc_pkcs15init_select_intrinsic_id(p15card, profile, SC_PKCS15_TYPE_SKEY,
-			&keyargs->id, &keyargs->key);
-	LOG_TEST_RET(ctx, r, "Get intrinsic ID error");
+#ifdef ENABLE_OPENSSL
+	if (!keyargs->id.len) {
+		/* Calculating intrinsic Key ID for secret key does not make
+		 * sense - just generate random one */
+		if (RAND_bytes(keyargs->id.value, 20) == 1)
+			keyargs->id.len = 20;
+	}
+#endif
 
-	/* Make sure that private key's ID is the unique inside the PKCS#15 application */
+	/* Make sure that secret key's ID is the unique inside the PKCS#15 application */
 	r = sc_pkcs15_find_skey_by_id(p15card, &keyargs->id, NULL);
 	if (!r)
 		LOG_TEST_RET(ctx, SC_ERROR_NON_UNIQUE_ID, "Non unique ID of the secret key object");