popovec commented Nov 14, 2023

When generating the private key, we transfer the request for the CKA_SENSITIVE and CKA_EXTRACTABLE key attributes up to the pkcs#15 layer.

When reading attributes from the PKCS#15 layer, set the CKA_EXTRACTABLE attribute for the pkcs#11 layer according to the SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE attribute.

  • Documentation is added or updated

tools:
<programlisting>openssl x509 -inform DER -in cert.der -outform PEM > cert.pem</programlisting>

Generate new key:
Member

I would be more explicit here like "generate new RSA Key pair" to be obvious both of the keys are generated and to avoid confusion with generating symmetric key. Same below.

Member Author

Ok, I'll change it..

…to PKCS15

When generating the private key, we transfer the request for the
CKA_SENSITIVE and CKA_EXTRACTABLE key attributes up to the pkcs#15 layer.

When reading attributes from the PKCS#15 layer, set the CKA_EXTRACTABLE
attribute for the pkcs#11 layer according to the
SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE attribute.

	modified:   src/pkcs11/framework-pkcs15.c

popovec commented Nov 16, 2023

I prepared a test branch, but I have some strange problem with compilation on CI..

make[4]: *** No rule to make target 'org.opensc-project.mac.pkcs11-register.plist.in', needed by 'org.opensc-project.mac.pkcs11-register.plist'. Stop.

https://github.com/popovec/OpenSC/actions/runs/6886758679
https://github.com/popovec/OpenSC/actions/runs/6886758676


Jakuje commented Nov 16, 2023

Running the logs through diff shows that all dependency versions are the same. But going through the logs shows the following issue, which goes undetected during the make dist and which prevents packing these files into the release tarball:

tar: opensc-0.24.0PKCS11_EXTRACTABLE_SENSITIVE_test/src/tools/org.opensc-project.mac.pkcs11-register.plist.in: file name is too long (max 99); not dumped
tar: opensc-0.24.0PKCS11_EXTRACTABLE_SENSITIVE_test/src/tools/org.opensc-project.mac.opensc-notify.plist.in: file name is too long (max 99); not dumped

In short, given that the branch name is used as part of the version, too long file paths are created, which are not handled by the tar. I think just using a shorter branch name should solve the issue.


popovec commented Nov 16, 2023

Thanks for the hint. I did not expect such a restriction at all.

popovec force-pushed the PKCS11_EXTRACTABLE_SENSITIVE branch from db5d4fa to c8f405f, November 16, 2023 09:28

Jakuje commented Nov 16, 2023

> Thanks for the hint. I did not expect such a restriction at all.

Me neither. Learning something new every day :)


metsma commented Nov 16, 2023

There are ustar and pax extensions for tar to allow longer filenames. Default is 100 chars.
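
As an added example (not part of this thread or of OpenSC's build scripts), the Python check below audits dist member names against the 99-character limit from the tar error quoted above and reports whether the ustar or pax formats mentioned here could store them. The file list, the function names and the use of Python's `tarfile` module for the ustar test are assumptions made for illustration.

```python
import tarfile

V7_MAX_NAME = 99  # limit quoted in the tar error message in this thread

# Constructed sample: dist directory name taken from the log, plus three relative paths.
DIST_DIR = "opensc-0.24.0PKCS11_EXTRACTABLE_SENSITIVE_test"
SAMPLE_FILES = [
    "src/tools/org.opensc-project.mac.pkcs11-register.plist.in",
    "src/tools/org.opensc-project.mac.opensc-notify.plist.in",
    "src/pkcs11/framework-pkcs15.c",
]


def fits_ustar(path: str) -> bool:
    """True if tarfile can encode the path in a ustar header
    (100-byte name field plus 155-byte prefix, split at a '/')."""
    try:
        tarfile.TarInfo(path).tobuf(format=tarfile.USTAR_FORMAT)
        return True
    except ValueError:  # raised as "name is too long"
        return False


def classify(path: str) -> str:
    """Return the simplest archive format able to store the member name."""
    if len(path.encode("utf-8")) <= V7_MAX_NAME:
        return "v7"
    return "ustar" if fits_ustar(path) else "pax"


def audit(dist_dir: str, files: list[str]) -> dict[str, str]:
    """Map each member name a v7 archive would skip to the format it needs."""
    report = {}
    for rel in files:
        full = f"{dist_dir}/{rel}"
        fmt = classify(full)
        if fmt != "v7":
            report[full] = fmt
    return report


if __name__ == "__main__":
    for name, fmt in audit(DIST_DIR, SAMPLE_FILES).items():
        print(f"{len(name):4d} bytes, needs {fmt}: {name}")
```

Run before packaging, a non-empty report can fail the CI job instead of letting the archive ship without those files.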

Jakuje merged commit 643fd70 into OpenSC:master Nov 20, 2023