pkcs11-tool -l -O -y secrkey: Secret sym. key listing fails #1805
Comments
Hmm, I don't get the problem... Can you do
MyEID driver/OsEID simulation, after unwrap OP pkcs15-tool -D
commit 2600f1a
commit 4614beb
blank initialized card, two AES keys and two DES keys uploaded into card:
or better:
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 3c845a71b..527c1b14a 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -4948,6 +4948,22 @@ pkcs15_skey_get_attribute(struct sc_pkcs11_session *session,
&& (skey->base.p15_object->flags & SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE) == 0
&& (skey->base.p15_object->flags & SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE) == 0) ? CK_TRUE : CK_FALSE;
break;
+ case CKA_ALWAYS_SENSITIVE:
+ check_attribute_buffer(attr, sizeof(CK_BBOOL));
+ *(CK_BBOOL*)attr->pValue = (skey->info->access_flags & SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE) != 0;
+ break;
+ case CKA_NEVER_EXTRACTABLE:
+ check_attribute_buffer(attr, sizeof(CK_BBOOL));
+ *(CK_BBOOL*)attr->pValue = (skey->info->access_flags & SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE) != 0;
+ break;
+ case CKA_SENSITIVE:
+ check_attribute_buffer(attr, sizeof(CK_BBOOL));
+ *(CK_BBOOL*)attr->pValue = (skey->info->access_flags & SC_PKCS15_PRKEY_ACCESS_SENSITIVE) != 0;
+ break;
+ case CKA_LOCAL:
+ check_attribute_buffer(attr, sizeof(CK_BBOOL));
+ *(CK_BBOOL*)attr->pValue = (skey->info->access_flags & SC_PKCS15_PRKEY_ACCESS_LOCAL) != 0;
+ break;
case CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT:
check_attribute_buffer(attr, sizeof(CK_BBOOL));
*(CK_BBOOL*)attr->pValue = skey->base.p15_object->user_consent >= 1 ? CK_TRUE : CK_FALSE;
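Review bot: the four new cases read the SC_PKCS15_PRKEY_ACCESS_* bits from `skey->info->access_flags`, while the CKA_EXTRACTABLE case visible in the context lines just above tests the same bit names against `skey->base.p15_object->flags`. Two different flag words for one family of attributes means CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE can contradict each other for the same key; the CKA_EXTRACTABLE case should be switched to `skey->info->access_flags` in the same patch so all access attributes come from one source.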
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 4a99c76bc..810af4d98 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -3886,11 +3886,13 @@ show_key(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
switch (key_type) {
case CKK_RSA:
- if (pub)
- printf("; RSA %lu bits\n",
- (unsigned long) getMODULUS_BITS(sess, obj));
- else
- printf("; RSA \n");
+ if (!sec) {
+ if (pub)
+ printf("; RSA %lu bits\n",
+ (unsigned long) getMODULUS_BITS(sess, obj));
+ else
+ printf("; RSA \n");
+ }
break;
case CKK_GOSTR3410:
case CKK_GOSTR3410_512:
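Review bot: wrapping only the CKK_RSA branch in `if (!sec)` treats the symptom rather than the cause. As the issue text says, a secret key lands in this branch because key_type stays 0 (CKK_RSA) when CKA_KEY_TYPE was never set, so the remaining cases (CKK_GOSTR3410 and below) still run unguarded for a secret key that does carry a type, and a secret key with key_type 0 is now printed with no type at all. Suggest testing `sec` once before the switch and printing the secret key's own type there, leaving the CKK_RSA case unchanged; `sec` itself is not introduced in the hunk, so confirm it is derived from CKA_CLASS before this point.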
Your patch almost solves the problem for AES (as the software part of the solution)! And I get this result for my AES key, where extractable is still wrong:
The other part of the solution is that the missing setting of key_type=CKK_AES must (should?) be ensured. It will be set in src/libopensc/pkcs15-skey.c:sc_pkcs15_decode_skdf_entry only if the key's EF.SKDF entry has commonKeyAttributes.algReference(s) set with value(s), one of which is listed in EF.TokenInfo as supportedAlgorithms.reference, and that supported algorithm is of type AES, declared by the mandatory OID entry.
I suspect there are still problems with other sym. algorithms; I don't see a key_type setting there.
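To make the kind of contradiction seen in that output checkable, here is an added example (not OpenSC code): it maps a secret key's PKCS#15 access flags to the PKCS#11 attributes the way the patch above does, then checks the invariants a secret key must satisfy. Constant values are copied from pkcs11.h and OpenSC's pkcs15.h but redefined locally; the `extractable_src` parameter and the object-flags scenario are constructed to show how reading EXTRACTABLE from a flags word with a different bit layout yields EXTRACTABLE and NEVER_EXTRACTABLE both TRUE.

```c
/* Constructed example, not OpenSC code. Constants are redefined locally with
 * the values from pkcs11.h and OpenSC's pkcs15.h so this builds stand-alone. */
typedef unsigned char CK_BBOOL;
typedef unsigned long CK_ULONG;
#define CK_FALSE 0
#define CK_TRUE  1
#define CKK_RSA  0x00UL
#define CKK_AES  0x1fUL
#define SC_PKCS15_PRKEY_ACCESS_SENSITIVE        0x01
#define SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE      0x02
#define SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE  0x04
#define SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE 0x08
#define SC_PKCS15_PRKEY_ACCESS_LOCAL            0x10
#define SC_PKCS15_CO_FLAG_PRIVATE    0x01  /* object flags use a different bit layout */
#define SC_PKCS15_CO_FLAG_MODIFIABLE 0x02

struct skey_attrs {            /* what C_GetAttributeValue should report */
    CK_ULONG key_type;
    CK_BBOOL sensitive, always_sensitive, extractable, never_extractable, local;
};

/* Map a secret key's PKCS#15 access flags to PKCS#11 attributes. extractable_src
 * is the word the EXTRACTABLE bit is read from: access_flags is correct, the
 * object flags reproduce a mix-up (bit 0x02 means MODIFIABLE there). */
void skey_attrs_map(unsigned access_flags, unsigned extractable_src,
                    CK_ULONG key_type, struct skey_attrs *out)
{
    out->key_type          = key_type;
    out->sensitive         = (access_flags & SC_PKCS15_PRKEY_ACCESS_SENSITIVE) ? CK_TRUE : CK_FALSE;
    out->always_sensitive  = (access_flags & SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE) ? CK_TRUE : CK_FALSE;
    out->never_extractable = (access_flags & SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE) ? CK_TRUE : CK_FALSE;
    out->local             = (access_flags & SC_PKCS15_PRKEY_ACCESS_LOCAL) ? CK_TRUE : CK_FALSE;
    out->extractable       = (extractable_src & SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE) ? CK_TRUE : CK_FALSE;
}

/* Consistency rules PKCS#11 implies for a secret key; returns a violation mask. */
#define VIOL_EXTRACTABLE_AND_NEVER 0x1  /* EXTRACTABLE together with NEVER_EXTRACTABLE */
#define VIOL_ALWAYS_NOT_SENSITIVE  0x2  /* ALWAYS_SENSITIVE without SENSITIVE */
#define VIOL_SECRET_KEY_IS_RSA     0x4  /* CKK_RSA (0) on a secret key: type never set */
unsigned skey_attrs_check(const struct skey_attrs *a)
{
    unsigned v = 0;
    if (a->extractable && a->never_extractable) v |= VIOL_EXTRACTABLE_AND_NEVER;
    if (a->always_sensitive && !a->sensitive)   v |= VIOL_ALWAYS_NOT_SENSITIVE;
    if (a->key_type == CKK_RSA)                 v |= VIOL_SECRET_KEY_IS_RSA;
    return v;
}
```

Running `skey_attrs_check` over every secret key object a token returns is a cheap regression test for an attribute mapping like the one in the patch.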
I forgot to mention that there was no problem listing keys with pkcs15-tool:
What about this patch to fix CKA_EXTRACTABLE as well:
@frankmorgner
Problem Description
With OpenSC-0.20.0-rc1 or any more recent GitHub master:
In the log below, at least "connecting" a secret sym. key with RSA modulus bits is wrong.
Also everything below "Usage: encrypt, decrypt" is wrong.
I checked the successful parsing of sc_pkcs15_decode_skdf_entry for this (genericSecretKey AES) key with debug=6, e.g.
Proposed Resolution
The fix for the modulus bits is easily done in pkcs11-tool.c:show_key by correcting the setting of variable pub. But for whatever reason, I always receive a key_type with value 0 (CKK_RSA), thus this didn't help much. key_type never gets set to CKK_AES. Even if I manipulate that setting to be of key_type==CKK_AES, the errors in output don't change (except AES instead of RSA gets printed; maybe because I didn't set supportedAlgorithms in EF.TokenInfo?) But this is known:
Steps to reproduce
Have an EF.SKDF with at least 1 secret sym. key (e.g. AES) defined on card and invoke
pkcs11-tool --login --list-objects --type secrkey -p ********
Logs