
C_GetAttributeValue: Some wrong results: CKA_EXTRACTABLE, CKA_MODIFIABLE #2175

Closed
carblue opened this issue Dec 7, 2020 · 0 comments

Contributor

carblue commented Dec 7, 2020

Problem Description

This is a generalization of a remaining unsolved issue within #1805, tested with OpenSC-0.21.0.

I requested some attribute information about keys of object types CKO_PUBLIC_KEY (card has RSA keys only), CKO_PRIVATE_KEY, CKO_SECRET_KEY (card has AES, 3DES/192 key(s) only), no session objects.
The respective "query" template array has entries for:

CKA_LABEL,
CKA_ID,
CKA_KEY_TYPE,

CKA_TOKEN,
CKA_PRIVATE,
CKA_MODIFIABLE,

CKA_SENSITIVE,
CKA_EXTRACTABLE,
CKA_ALWAYS_SENSITIVE,
CKA_NEVER_EXTRACTABLE,
CKA_LOCAL,

CKA_ENCRYPT,
CKA_DECRYPT,
CKA_SIGN,
CKA_VERIFY,
CKA_SIGN_RECOVER,
CKA_VERIFY_RECOVER,
CKA_WRAP,
CKA_UNWRAP,

Wrong results:

  1. No result for my DES3/192 key. It seems not to be registered for the PKCS#11 layer. No problem, I'll leave it as it is.
  2. CKA_MODIFIABLE attribute reported erroneously (false) for RSA key pair(s), okay for AES. All my keys are declared as modifiable in PuKDF, PrKDF, SKDF.
  3. CKA_EXTRACTABLE attribute reported erroneously (false) for public RSA key(s), (true) for AES. All my public RSA key(s) are declared as extractable in PuKDF, secret keys as not-extractable in SKDF.

All the other attributes get retrieved with correct values.
Note that pkcs15-tool has no problem reporting correct results (i.e. entries in EF.PrKDF, EF.PuKDF and EF.SKDF are okay):

$ pkcs15-tool --list-public-keys
Using reader with a card: ACS CryptoMate64 00 00
...
Public RSA Key [dummy]
        Object Flags   : [0x02], modifiable
        Usage          : [0x51], encrypt, wrap, verify
        Access Flags   : [0x12], extract, local
        ModLength      : 512
        Key ref        : -1 (0xFFFFFFFF)
        Native         : yes
        Path           : 3f00410041d0
        ID             : 08


$ pkcs15-tool --list-secret-keys
Using reader with a card: ACS CryptoMate64 00 00
Secret 3DES Key [SM1]
        Object Flags   : [0x03], private, modifiable
        Usage          : [0x03], encrypt, decrypt
        Access Flags   : [0x0D], sensitive, alwaysSensitive, neverExtract
        Size           : 192 bits
        ID             : 01
        Native         : yes
        Key ref        : 129 (0x81)
        Path           : 3f0041004102
        GUID           : 5634094c-734a-8edc-bfdd-5821c5ff4bd4

...
Secret Generic Key [AES3]
        Object Flags   : [0x03], private, modifiable
        Usage          : [0x03], encrypt, decrypt
        Access Flags   : [0x0D], sensitive, alwaysSensitive, neverExtract
        Size           : 256 bits
        ID             : 07
        Native         : yes
        Key ref        : 131 (0x83)
        Path           : 3f0041004102
        GUID           : 87c5eff4-81aa-68d3-4221-40b9dc77931c

Proposed Resolution

I have a working impl. for a fix PR, soon to come.

Steps to reproduce

(The Rust code that revealed the wrong results is in https://github.com/carblue/acos5/tree/master/project_pkcs11_example_apps, main.rs; it may need slight adaptation (see READ.ME) for others to use: in fn main(), the module path and login pin).
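As an added consistency check (example code, not part of this issue or of OpenSC), the following Python maps the Object Flags / Access Flags bit values that pkcs15-tool prints onto the PKCS#11 boolean attributes they should correspond to, and reports where the values returned by C_GetAttributeValue diverge. The bit-to-flag mapping is taken from the pkcs15-tool output above and OpenSC's PKCS#15 flag definitions; the REPORTED_RSA values are a constructed dict reflecting what the issue describes.

```python
import re

# PKCS#15 CommonObjectAttributes.flags and CommonKeyAttributes.accessFlags
# bit values as pkcs15-tool prints them (e.g. "[0x12], extract, local").
OBJECT_FLAGS = {0x01: "private", 0x02: "modifiable"}
ACCESS_FLAGS = {0x01: "sensitive", 0x02: "extract", 0x04: "alwaysSensitive",
                0x08: "neverExtract", 0x10: "local"}

# PKCS#11 boolean attribute each PKCS#15 flag should surface as.
FLAG_TO_ATTR = {"private": "CKA_PRIVATE", "modifiable": "CKA_MODIFIABLE",
                "sensitive": "CKA_SENSITIVE", "extract": "CKA_EXTRACTABLE",
                "alwaysSensitive": "CKA_ALWAYS_SENSITIVE",
                "neverExtract": "CKA_NEVER_EXTRACTABLE", "local": "CKA_LOCAL"}


def expected_attrs(pkcs15_tool_block):
    """Derive the PKCS#11 attribute values a key should report from the
    'Object Flags' / 'Access Flags' lines of one pkcs15-tool key listing."""
    expected = {}
    for line in pkcs15_tool_block.splitlines():
        m = re.match(r"\s*(Object|Access) Flags\s*:\s*\[0x([0-9A-Fa-f]+)\]", line)
        if not m:
            continue
        table = OBJECT_FLAGS if m.group(1) == "Object" else ACCESS_FLAGS
        value = int(m.group(2), 16)
        for bit, name in table.items():
            expected[FLAG_TO_ATTR[name]] = bool(value & bit)
    return expected


def find_mismatches(pkcs15_tool_block, reported):
    """Compare what C_GetAttributeValue returned (dict CKA_* -> bool) with the
    flags pkcs15-tool read from the DF; return {attr: (expected, reported)}."""
    exp = expected_attrs(pkcs15_tool_block)
    return {a: (exp[a], reported[a]) for a in exp
            if a in reported and reported[a] != exp[a]}


# Constructed input: the public RSA key block from this issue report.
PUBLIC_RSA = """Public RSA Key [dummy]
        Object Flags   : [0x02], modifiable
        Access Flags   : [0x12], extract, local
"""
# Constructed: values as C_GetAttributeValue reported them per the issue.
REPORTED_RSA = {"CKA_PRIVATE": False, "CKA_MODIFIABLE": False,
                "CKA_SENSITIVE": False, "CKA_EXTRACTABLE": False,
                "CKA_ALWAYS_SENSITIVE": False, "CKA_NEVER_EXTRACTABLE": False,
                "CKA_LOCAL": True}

if __name__ == "__main__":
    for attr, (want, got) in find_mismatches(PUBLIC_RSA, REPORTED_RSA).items():
        print(f"{attr}: PKCS#15 DF says {want}, C_GetAttributeValue returned {got}")
```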
