pkcs11-tool: symmetric encrypt/decrypt #2268
Conversation
Jakuje
left a comment
Jakuje
left a comment
There was a problem hiding this comment.
noticed just couple of typos, but otherwise looks good.
|
@Jakuje Thanks for the review, I will do a force push with more features - key unwrap and wrap. |
popovec
force-pushed
the
pkcs11-tool-sym-crypt
branch
from
355ac6c to
09d068b
Compare
doc/tools/pkcs11-tool.1.xml
Outdated
| </varlistentry> | ||
| <varlistentry> | ||
| <term> | ||
| <option>--Unwrap</option>, |
There was a problem hiding this comment.
Thanks for the review, I'll fix it.
But I have question.. Is command line format (for unwrap) acceptable (especially use of --application-id --application-label)? Use key id 22 to unwrap file input.key as AES key with ID 90 and label unwraped-key:
pkcs11-tool --unwrap --mechanism RSA-PKCS --id 22 -i input.key --key-type AES: --application-id 90 --applicatin-label unwraped-key
If appropriate, I can add another switch for specification of the unwrapped key.
For the wrap operation, I have similar question.. I suggest the following command line format (use key id 22 to wrap key id 90):
pkcs11-tool --wrap --mechanism RSA-PKCS --id 22 --application-id 90 -o output.key
I'll add the the wrap code soon...
There was a problem hiding this comment.
(sorry for a delay)
I do not like much the reuse of applicatin-id here. This is originally used for data objects. I think we will need a new switches for this not to confuse users. But I am not sure what would be the best terminology. --new-id and --new-label or --wrapped-key-id and --wrapped-key-label are just some ideas.
There was a problem hiding this comment.
I am aware that --application_id and --application_labelis not used in its original meaning. As an alternative, I still like it the most:
a) unwrap: use the --new-label and --new-id switches (alternative --new-key-label, --new-key-id)
example:
pkcs11-tool --unwrap --mechanism RSA-PKCS --id 22 -i input.key --key-type AES: --new-key-id 90 --new-key-label unwraped-key
b) wrap: it is possible to use the keyword --wrap with an argument, where either the id or label of the key that will be the subject of the wrapping can be used.
example:
pkcs11-tool --wrap 90 --mechanism RSA-PKCS --id 22 -o output.key
pkcs11-tool --wrap key_sign1 --mechanism RSA-PKCS --id 22 -o output.key
I would like other OpenSC developers to comment on this before applying this PR.
Thanks.
popovec
force-pushed
the
pkcs11-tool-sym-crypt
branch
2 times, most recently
from
98b8d43 to
e9dc9dc
Compare
| exit 77; | ||
| fi | ||
| # The Ubuntu has old softhsm version not supporting this feature | ||
| grep "Ubuntu 18.04" /etc/issue && echo "WARNING: Not supported on Ubuntu 18.04" && exit 77 |
There was a problem hiding this comment.
Travis already supports also Ubuntu 20.04: https://docs.travis-ci.com/user/reference/focal/ Does it already work there?
Would it make sense to try to migrate the CI to new version or add one more target which would execute also this test case? Or just write a new one in github actions, which should allow running in more up-to-date systems?
There was a problem hiding this comment.
We have new Github Actions in place already, based on Ubuntu 20 so this should work there.
popovec
force-pushed
the
pkcs11-tool-sym-crypt
branch
3 times, most recently
from
06810ef to
b0d1db1
Compare
|
Tests for symmetric encryption and wrap / unwrap operations are fully functional, tested on Ubuntu 20, against softhsm2. One of the tests that is not affected by this PR does not work (FAIL: test-pkcs11-tool-allowed-mechanisms.sh). If necessary, I can include it in this PR. |
|
Thank you for checking the new version. It looks like some bug in softhsm in Ubuntu 20. Locally in Fedora 34 it works for me fine (with or without your patch) so please, include it in the PR so we have it passing in CI. I also see that even though the check fails, the pipeline passes, which is wrong. If I am right, it is because of the log is printed, which mangles the exit code. Something like this should address this problem: |
…h error Thanks to Jakub Jelen, OpenSC#2268 (comment)
popovec
force-pushed
the
pkcs11-tool-sym-crypt
branch
3 times, most recently
from
f865bfe to
0a03a6d
Compare
|
Can you rebase the changes on current master, which introduced HMAC sigh&verify to pkcs11-tool? Otherwise I think this is good to go for the next release. |
supported mechanisms: AES-ECB, AES-CBC, AES-CBC-PAD support for initialization vector Tested - softhsm2, (test-pkcs11-tool-sym-crypt-test.sh) modified: doc/tools/pkcs11-tool.1.xml modified: src/tools/pkcs11-tool.c modified: tests/Makefile.am new file: tests/test-pkcs11-tool-sym-crypt-test.sh
support for unwrapping GENERIC SECRET / AES key
Tested: softhsm, RSA-PKCS mechanism.
Tested: MyEID 4.5.5, only partial test due to missing support
for symmetric encryption/decryption
modified: doc/tools/pkcs11-tool.1.xml
modified: src/tools/pkcs11-tool.c
modified: tests/Makefile.am
new file: tests/test-pkcs11-tool-unwrap-test.sh
support for key wrap operation Tested: softhsm, GENERIC SECRET wrapped by RSA-PKCS mechanism modified: doc/tools/pkcs11-tool.1.xml modified: src/tools/pkcs11-tool.c modified: tests/Makefile.am renamed: tests/test-pkcs11-tool-unwrap-test.sh -> tests/test-pkcs11-tool-unwrap-wrap-test.sh
Use C_DecryptUpdate/C_EncryptUpdate for large input files. modified: src/tools/pkcs11-tool.c modified: tests/test-pkcs11-tool-sym-crypt-test.sh
modified: .github/test-oseid.sh
popovec
force-pushed
the
pkcs11-tool-sym-crypt
branch
from
0a03a6d to
3ceba4b
Compare
When support for unwrapping secret keys was added in 9136878 (as part of OpenSC#2268), the `--usage-decrypt` and `--usage-wrap` options were used to toggle the `CKA_{ENCRYPT,DECRYPT}` and `CKA_{WRAP,UNWRAP}` attributes in the object template passed to the module. In contrast, when a secret key object is generated (`--keygen`) or created (`--write-object`), the same attributes are unconditionally set to true or omitted respectively, regardless of any specified `--usage-*` option. To make this handling consistent, use the approach introduced by the unwrap command and let the user specify the attributes, defaulting to only setting `CKA_{ENCRYPT,DECRYPT}` if no usage was specified. The documentation was amended to reflect the behavior of `--usage-decrypt`.
When support for unwrapping secret keys was added in 9136878 (as part of #2268), the `--usage-decrypt` and `--usage-wrap` options were used to toggle the `CKA_{ENCRYPT,DECRYPT}` and `CKA_{WRAP,UNWRAP}` attributes in the object template passed to the module. In contrast, when a secret key object is generated (`--keygen`) or created (`--write-object`), the same attributes are unconditionally set to true or omitted respectively, regardless of any specified `--usage-*` option. To make this handling consistent, use the approach introduced by the unwrap command and let the user specify the attributes, defaulting to only setting `CKA_{ENCRYPT,DECRYPT}` if no usage was specified. The documentation was amended to reflect the behavior of `--usage-decrypt`.
When support for unwrapping secret keys was added in 9136878 (as part of OpenSC#2268), the `--usage-decrypt` and `--usage-wrap` options were used to toggle the `CKA_{ENCRYPT,DECRYPT}` and `CKA_{WRAP,UNWRAP}` attributes in the object template passed to the module. In contrast, when a secret key object is generated (`--keygen`) or created (`--write-object`), the same attributes are unconditionally set to true or omitted respectively, regardless of any specified `--usage-*` option. To make this handling consistent, use the approach introduced by the unwrap command and let the user specify the attributes, defaulting to only setting `CKA_{ENCRYPT,DECRYPT}` if no usage was specified. The documentation was amended to reflect the behavior of `--usage-decrypt`.
3 participants
supported mechanisms: AES-ECB, AES-CBC, AES-CBC-PAD
support for initialization vector
Tested - softhsm2, (test-pkcs11-tool-sym-crypt-test.sh)