From 2487bc18d18040b62e08de2862fe231f4bbdf30c Mon Sep 17 00:00:00 2001 From: Hannu Honkanen Date: Fri, 6 Apr 2018 14:12:05 +0300 Subject: [PATCH] When creating symmetric keys, use CKK_ definitions (key type) rather than CKM_ definitions (mechanism) to specify the key type. --- src/pkcs15init/pkcs15-lib.c | 24 +++++++++++++++++------- src/pkcs15init/pkcs15-myeid.c | 8 ++++---- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c index d706a821..eda7071e 100644 --- a/src/pkcs15init/pkcs15-lib.c +++ b/src/pkcs15init/pkcs15-lib.c @@ -1330,13 +1330,16 @@ sc_pkcs15init_init_skdf(struct sc_pkcs15_card *p15card, struct sc_profile *profi key_info->key_reference = 0; switch (keyargs->algorithm) { case SC_ALGORITHM_DES: - key_info->key_type = CKM_DES_ECB; + key_info->key_type = CKK_DES; break; case SC_ALGORITHM_3DES: - key_info->key_type = CKM_DES3_ECB; + key_info->key_type = CKK_DES3; break; case SC_ALGORITHM_AES: - key_info->key_type = CKM_AES_ECB; + key_info->key_type = CKK_AES; + break; + default: + key_info->key_type = CKK_GENERIC_SECRET; break; } key_info->value_len = keybits; @@ -1931,11 +1934,17 @@ sc_pkcs15init_store_secret_key(struct sc_pkcs15_card *p15card, struct sc_profile sc_pkcs15_free_object_content(object); - /* Now update the SKDF */ - r = sc_pkcs15init_add_object(p15card, profile, SC_PKCS15_SKDF, object); - LOG_TEST_RET(ctx, r, "Failed to add new secret key PKCS#15 object"); + /* Now update the SKDF, unless it is a session object. + If we have an on card session object, we have created the actual key object on card. + The card handles removing it when the session is finished or during the next reset. + We will maintain the object in the P15 structure in memory for duration of the session, + but we don't want it to be written into SKDF. */ + if (!object->session_object) { + r = sc_pkcs15init_add_object(p15card, profile, SC_PKCS15_SKDF, object); + LOG_TEST_RET(ctx, r, "Failed to add new secret key PKCS#15 object"); + } - if (!r && profile->ops->emu_store_data) { + if (!r && profile->ops->emu_store_data && !object->session_object) { r = profile->ops->emu_store_data(p15card, profile, object, NULL, NULL); if (r == SC_ERROR_NOT_IMPLEMENTED) r = SC_SUCCESS; @@ -2584,6 +2593,7 @@ key_pkcs15_algo(struct sc_pkcs15_card *p15card, unsigned int algorithm) case SC_ALGORITHM_3DES: return SC_PKCS15_TYPE_SKEY_3DES; case SC_ALGORITHM_AES: + case SC_ALGORITHM_UNDEFINED: return SC_PKCS15_TYPE_SKEY_GENERIC; } sc_log(ctx, "Unsupported key algorithm."); diff --git a/src/pkcs15init/pkcs15-myeid.c b/src/pkcs15init/pkcs15-myeid.c index 062d6abc..e54ed2bb 100644 --- a/src/pkcs15init/pkcs15-myeid.c +++ b/src/pkcs15init/pkcs15-myeid.c @@ -481,11 +481,11 @@ myeid_fixup_supported_algos(struct sc_profile *profile, struct sc_pkcs15_card *p switch (object->type) { case SC_PKCS15_TYPE_SKEY_GENERIC: switch (skey_info->key_type | (skey_info->value_len << 16)) { - case CKM_AES_ECB | (128 << 16): + case CKK_AES | (128 << 16): _add_supported_algo(profile, p15card, object, SC_PKCS15_ALGO_OP_DECIPHER|SC_PKCS15_ALGO_OP_ENCIPHER, CKM_AES_ECB, &id_aes128_ecb); _add_supported_algo(profile, p15card, object, SC_PKCS15_ALGO_OP_DECIPHER|SC_PKCS15_ALGO_OP_ENCIPHER, CKM_AES_CBC, &id_aes128_cbc); break; - case CKM_AES_ECB | (256 << 16): + case CKK_AES | (256 << 16): _add_supported_algo(profile, p15card, object, SC_PKCS15_ALGO_OP_DECIPHER|SC_PKCS15_ALGO_OP_ENCIPHER, CKM_AES_ECB, &id_aes256_ecb); _add_supported_algo(profile, p15card, object, SC_PKCS15_ALGO_OP_DECIPHER|SC_PKCS15_ALGO_OP_ENCIPHER, CKM_AES_CBC, &id_aes256_cbc); break; @@ -539,10 +539,10 @@ myeid_create_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card, if ((skey_info->access_flags & SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE) == SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE) extractable = TRUE; switch (skey_info->key_type) { - case CKM_AES_ECB: + case CKK_AES: ef_structure = SC_CARDCTL_MYEID_KEY_AES; break; - case CKM_DES_ECB: + case CKK_DES: ef_structure = SC_CARDCTL_MYEID_KEY_DES; break; default: