Fix CKA_ALLOWED_MECHANISMS attribute generation #397
Conversation
simo5
changed the title
simo5
changed the title
|
@Jakuje |
I was writing a test for opensc for this when I introduced support for this into pkcs11-tool: https://github.com/OpenSC/OpenSC/blob/master/tests/test-pkcs11-tool-allowed-mechanisms.sh Technically, the only needed thing is to present the CKA_ALLOWED_MECHANISMS when generating/unwrapping/writing key as part of the template: https://github.com/OpenSC/OpenSC/blob/master/src/tools/pkcs11-tool.c#L3183 I think the same think should be possible to make working with kryoptic too. |
simo5
changed the title
|
Soo it looks like Ubuntu has a version of softhsm that is too old ? |
Ugh no that is not the problem, somehow Ubuntu is getting confused by the request to use CTR-DRBG via provider ... @beldmit have you seen this before perchance? |
|
Not for rdrand... |
simo5
force-pushed
the
issue_396
branch
3 times, most recently
from
fb23c2e
to
97d5cca
Compare
|
@Jakuje I restored setting the default PSS mechanisms and added more fine-tuned error checking. PTAL. |
The current code sets the number of elements as length, but that seems incorrect. Fixes latchset#396 Signed-off-by: Simo Sorce <simo@redhat.com>
This is translated to setting the CKA_ALLOWED_MECHANISMS param. No other parameter restritctions is currently supported by PKCS#11 specs, and there is no guarantee that the restriction is supported nor respected by pkcs11 modules. Signed-off-by: Simo Sorce <simo@redhat.com>
Seem like we forgot to explicitly enable them in the past. OpenSSL considers RSA-PSS a separate key type and requires explicit encoders, will not fallback to RSA encoders/decoders from a provider and instead will try to export private keys to the default provider to use the base encoders/decoders. Signed-off-by: Simo Sorce <simo@redhat.com>
SoftHSM supports applying restrictions to keys that have CKA_ALLOWED_MECHANISMS at key generation. Softoken ingests the attribute but then performs no enforcement, so we do not enable the test for it. Signed-off-by: Simo Sorce <simo@redhat.com>
Apparently Ubuntu has some configuration that tries hard to load a rdrand engine. When the propquery is set to a hard provider=pkcs11 this fails as the tpe of DRBG being sourced becomes incompatible with the mandate property. Soften the test to only prefer the provider so that the operations we care for will come from the pkcs11 provider (we check errors anyway) and we do not get the noise of unrelated failures. Signed-off-by: Simo Sorce <simo@redhat.com>
When an application pre-hashes the content to be signed it can use the raw CKM_RSA_PKCS_PSS mechanism to apply a signature. This may be done with simple hardware tokens that do not support digest operations on board and need to rely on the software to deal with that part. We should not preclude such use for key we generate. Signed-off-by: Simo Sorce <simo@redhat.com>
|
Fixed a minor issue found by coverity and rebase on main. |
Signed-off-by: Simo Sorce <simo@redhat.com>
simo5
added
no-covscan-obsolete-label
|
Uhmm I need to fix the CI scripts to recognize that the no-covscan label is already present when a PR gets updated ... and as usual Bind test fails, but that test is not binding (pun fully intended :-) ). Thanks for the review @Jakuje |
Description
The spec says the length is the size of the data
The current code sets the number of elements as length, but that seems incorrect.
Checklist
Documentation updatedReviewer's checklist: