From 137c6306d27d973103342ddf01e09d256b1eb802 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?=
Date: Thu, 27 Apr 2017 14:50:14 +0300
Subject: [PATCH] pkcs15init: use random id for secret key

Calculating intrinsic key would probably be not wise, because it would leak out information about the secret key. Try to generate globally unique IDs just by using a random one.
---
 src/pkcs15init/pkcs15-lib.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
index 811c6558..9339aebb 100644
--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
@@ -1879,12 +1879,16 @@ sc_pkcs15init_store_secret_key(struct sc_pkcs15_card *p15card, struct sc_profile
 LOG_TEST_RET(ctx, SC_ERROR_INCOMPATIBLE_KEY, "Card does not support this key.");
 }
 
- /* Select a intrinsic Key ID if user didn't specify one */
- r = sc_pkcs15init_select_intrinsic_id(p15card, profile, SC_PKCS15_TYPE_SKEY,
- &keyargs->id, &keyargs->key);
- LOG_TEST_RET(ctx, r, "Get intrinsic ID error");
+#ifdef ENABLE_OPENSSL
+ if (!keyargs->id.len) {
+ /* Calculating intrinsic Key ID for secret key does not make
+ * sense - just generate random one */
+ if (RAND_bytes(keyargs->id.value, 20) == 1)
+ keyargs->id.len = 20;
+ }
+#endif
 
- /* Make sure that private key's ID is the unique inside the PKCS#15 application */
+ /* Make sure that secret key's ID is the unique inside the PKCS#15 application */
 r = sc_pkcs15_find_skey_by_id(p15card, &keyargs->id, NULL);
 if (!r)
 LOG_TEST_RET(ctx, SC_ERROR_NON_UNIQUE_ID, "Non unique ID of the secret key object");
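Review bot: The result of `RAND_bytes` in the new `if (!keyargs->id.len)` block is only acted on when it succeeds, so an RNG failure (or a build without `ENABLE_OPENSSL`) leaves `keyargs->id.len` at 0 and execution falls through to the uniqueness check with an empty ID, with nothing logged. Failing closed would be safer: `if (RAND_bytes(keyargs->id.value, 20) != 1) LOG_TEST_RET(ctx, SC_ERROR_INTERNAL, "Cannot generate random key ID");` followed by `keyargs->id.len = 20;`, plus an `#else` branch that rejects an empty ID if later code cannot cope with one. The literal 20 also appears twice; a named constant next to the call would record why that length was chosen. The body of `sc_pkcs15init_store_secret_key` starts and ends outside the hunk, so how an empty ID is handled afterwards is not visible here.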