From 9a63e03e9aadc7c9d7d878432e5bfd021743eb07 Mon Sep 17 00:00:00 2001 From: martin Date: Mon, 23 Aug 2010 14:47:07 +0000 Subject: [PATCH] pkcs11/pkcs15-init: remove automagic software key generation. Remove software based secret key handling from PKCS#11. Support for importing cleartext keys is left untouched, but all transparent key generation by either opensc-pkcs11.so or pkcs15-init is removed, to make the operation with cleartext keys visible to the user and his explicit wish. OpenSC is a PKCS#11 library for accessing keys protected by a smart card. Key material in software is not protected by smart cards and can leave a false sense of security to the user. http://www.opensc-project.org/pipermail/opensc-devel/2010-April/013877.html git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4646 c6295689-39f2-0310-b995-f0e70906c6a9 --- doc/tools/pkcs15-init.xml | 6 - etc/opensc.conf.in | 6 - src/pkcs11/Makefile.am | 2 +- src/pkcs11/Makefile.mak | 2 +- src/pkcs11/framework-pkcs15.c | 66 +--------- src/pkcs11/openssl.c | 67 ---------- src/pkcs11/pkcs11-object.c | 46 +------ src/pkcs11/secretkey.c | 233 ---------------------------------- src/tools/pkcs15-init.c | 80 +----------- 9 files changed, 9 insertions(+), 499 deletions(-) delete mode 100644 src/pkcs11/secretkey.c diff --git a/doc/tools/pkcs15-init.xml b/doc/tools/pkcs15-init.xml index f0c27b61..a65dfa02 100644 --- a/doc/tools/pkcs15-init.xml +++ b/doc/tools/pkcs15-init.xml @@ -133,12 +133,6 @@ pkcs15-init will also store the the public portion of the key as a PKCS #15 public key object. - - By default, pkcs15-init will try to use the card's - on-board key generation facilities, if available. If the card does not - support on-board key generation, pkcs15-init will fall - back to software key generation. - diff --git a/etc/opensc.conf.in b/etc/opensc.conf.in index ea19f85c..99981eb9 100644 --- a/etc/opensc.conf.in +++ b/etc/opensc.conf.in @@ -367,12 +367,6 @@ app opensc-pkcs11 { # Default: false # lock_login = true; - # Set this value to true if you want to allow off-card - # keypair generation (in software on your pc) - # - # Default: false - # soft_keygen_allowed = true; - # User PIN unblock style # none: PIN unblock is not possible with PKCS#11 API; # set_pin_in_unlogged_session: C_SetPIN() in unlogged session: diff --git a/src/pkcs11/Makefile.am b/src/pkcs11/Makefile.am index 53151704..b8212b49 100644 --- a/src/pkcs11/Makefile.am +++ b/src/pkcs11/Makefile.am @@ -12,7 +12,7 @@ INCLUDES = -I$(top_srcdir)/src OPENSC_PKCS11_INC = sc-pkcs11.h pkcs11.h pkcs11-opensc.h OPENSC_PKCS11_SRC = pkcs11-global.c pkcs11-session.c pkcs11-object.c misc.c slot.c \ - mechanism.c openssl.c secretkey.c framework-pkcs15.c \ + mechanism.c openssl.c framework-pkcs15.c \ framework-pkcs15init.c debug.c opensc-pkcs11.exports \ pkcs11-display.c pkcs11-display.h OPENSC_PKCS11_LIBS = $(OPTIONAL_OPENSSL_LIBS) $(PTHREAD_LIBS) \ diff --git a/src/pkcs11/Makefile.mak b/src/pkcs11/Makefile.mak index 695044cd..4d361ead 100644 --- a/src/pkcs11/Makefile.mak +++ b/src/pkcs11/Makefile.mak @@ -6,7 +6,7 @@ TARGET2 = libpkcs11.lib TARGET3 = pkcs11-spy.dll OBJECTS = pkcs11-global.obj pkcs11-session.obj pkcs11-object.obj misc.obj slot.obj \ - mechanism.obj openssl.obj secretkey.obj framework-pkcs15.obj \ + mechanism.obj openssl.obj framework-pkcs15.obj \ framework-pkcs15init.obj debug.obj pkcs11-display.obj \ $(TOPDIR)\win32\versioninfo.res OBJECTS2 = libpkcs11.obj \ diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c index 285332ba..365e87ca 100644 --- a/src/pkcs11/framework-pkcs15.c +++ b/src/pkcs11/framework-pkcs15.c @@ -1727,7 +1727,6 @@ static CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, struct sc_profile *profile = NULL; struct sc_pkcs15_pin_info *pin; struct pkcs15_fw_data *fw_data = (struct pkcs15_fw_data *) p11card->fw_data; - struct sc_pkcs15_card *p15card = fw_data->p15_card; struct sc_pkcs15init_keygen_args keygen_args; struct sc_pkcs15init_pubkeyargs pub_args; struct sc_pkcs15_object *priv_key_obj; @@ -1852,41 +1851,6 @@ static CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, rv = sc_to_cryptoki_error(rc, "C_GenerateKeyPair"); goto kpgen_done; } - else { - /* 3.b Try key pair generation in software, if allowed */ - - if (!sc_pkcs11_conf.soft_keygen_allowed) { - sc_debug(context, SC_LOG_DEBUG_NORMAL, "On card keypair gen not supported, software keypair gen not allowed"); - rv = CKR_FUNCTION_FAILED; - goto kpgen_done; - } - - sc_debug(context, SC_LOG_DEBUG_NORMAL, "Doing key pair generation in software\n"); - rv = sc_pkcs11_gen_keypair_soft(keytype, keybits, - &keygen_args.prkey_args.key, &pub_args.key); - if (rv != CKR_OK) { - sc_debug(context, SC_LOG_DEBUG_NORMAL, "sc_pkcs11_gen_keypair_soft failed: 0x%0x\n", rv); - goto kpgen_done; - } - - rc = sc_pkcs15init_store_private_key(p15card, profile, &keygen_args.prkey_args, &priv_key_obj); - - if (rc >= 0) { - /* copy ID from private key(s) here to avoid bad link between private and public key */ - memcpy(&pub_args.id.value, &keygen_args.prkey_args.id.value, keygen_args.prkey_args.id.len); - pub_args.id.len = keygen_args.prkey_args.id.len; - rc = sc_pkcs15init_store_public_key(p15card, profile, &pub_args, &pub_key_obj); - } - - sc_pkcs15_erase_prkey(&keygen_args.prkey_args.key); - sc_pkcs15_erase_pubkey(&pub_args.key); - - if (rc < 0) { - sc_debug(context, SC_LOG_DEBUG_NORMAL, "private/public keys not stored: %d\n", rc); - rv = sc_to_cryptoki_error(rc, "C_GenerateKeyPair"); - goto kpgen_done; - } - } /* 4. Create new pkcs11 public and private key object */ @@ -2465,9 +2429,9 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_session *ses, void *obj, u8 decrypted[256]; int buff_too_small, rv, flags = 0; - sc_debug(context, SC_LOG_DEBUG_NORMAL, "Initiating unwrap/decryption.\n"); + sc_debug(context, SC_LOG_DEBUG_NORMAL, "Initiating decryption.\n"); - /* See which of the alternative keys supports unwrap/decrypt */ + /* See which of the alternative keys supports decrypt */ prkey = (struct pkcs15_prkey_object *) obj; while (prkey && !(prkey->prv_info->usage @@ -2507,7 +2471,7 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_session *ses, void *obj, sc_unlock(ses->slot->card->card); - sc_debug(context, SC_LOG_DEBUG_NORMAL, "Key unwrap/decryption complete. Result %d.\n", rv); + sc_debug(context, SC_LOG_DEBUG_NORMAL, "Key decryption complete. Result %d.\n", rv); if (rv < 0) return sc_to_cryptoki_error(rv, "C_Decrypt"); @@ -2523,28 +2487,6 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_session *ses, void *obj, return CKR_OK; } -static CK_RV -pkcs15_prkey_unwrap(struct sc_pkcs11_session *ses, void *obj, - CK_MECHANISM_PTR pMechanism, - CK_BYTE_PTR pData, CK_ULONG ulDataLen, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, - void **result) -{ - u8 unwrapped_key[256]; - CK_ULONG key_len = sizeof(unwrapped_key); - int rc; - - rc = pkcs15_prkey_decrypt(ses, obj, pMechanism, pData, ulDataLen, - unwrapped_key, &key_len); - - if (rc < 0) - return sc_to_cryptoki_error(rc, NULL); - return sc_pkcs11_create_secret_key(ses, - unwrapped_key, key_len, - pTemplate, ulAttributeCount, - (struct sc_pkcs11_object **) result); -} - struct sc_pkcs11_object_ops pkcs15_prkey_ops = { pkcs15_prkey_release, pkcs15_prkey_set_attribute, @@ -2553,7 +2495,7 @@ struct sc_pkcs11_object_ops pkcs15_prkey_ops = { pkcs15_any_destroy, NULL, pkcs15_prkey_sign, - pkcs15_prkey_unwrap, + NULL, /* unwrap */ pkcs15_prkey_decrypt }; diff --git a/src/pkcs11/openssl.c b/src/pkcs11/openssl.c index 69400a70..3dbe46aa 100644 --- a/src/pkcs11/openssl.c +++ b/src/pkcs11/openssl.c @@ -301,73 +301,6 @@ static void sc_pkcs11_openssl_md_release(sc_pkcs11_operation_t *op) op->priv_data = NULL; } -static int -do_convert_bignum(sc_pkcs15_bignum_t *dst, BIGNUM *src) -{ - if (src == 0) - return 0; - dst->len = BN_num_bytes(src); - dst->data = malloc(dst->len); - if (dst->data == NULL) - return 0; - BN_bn2bin(src, dst->data); - return 1; -} - -CK_RV -sc_pkcs11_gen_keypair_soft(CK_KEY_TYPE keytype, CK_ULONG keybits, - struct sc_pkcs15_prkey *privkey, struct sc_pkcs15_pubkey *pubkey) -{ - switch (keytype) { - case CKK_RSA: { - RSA *rsa; - BIO *err; - struct sc_pkcs15_prkey_rsa *sc_priv = &privkey->u.rsa; - struct sc_pkcs15_pubkey_rsa *sc_pub = &pubkey->u.rsa; - - err = BIO_new(BIO_s_mem()); - rsa = RSA_generate_key(keybits, 0x10001, NULL, err); - BIO_free(err); - if (rsa == NULL) { - sc_debug(context, SC_LOG_DEBUG_NORMAL, "RSA_generate_key() failed\n"); - return CKR_FUNCTION_FAILED; - } - - privkey->algorithm = pubkey->algorithm = SC_ALGORITHM_RSA; - - if (!do_convert_bignum(&sc_priv->modulus, rsa->n) - || !do_convert_bignum(&sc_priv->exponent, rsa->e) - || !do_convert_bignum(&sc_priv->d, rsa->d) - || !do_convert_bignum(&sc_priv->p, rsa->p) - || !do_convert_bignum(&sc_priv->q, rsa->q)) { - sc_debug(context, SC_LOG_DEBUG_NORMAL, "do_convert_bignum() failed\n"); - RSA_free(rsa); - return CKR_FUNCTION_FAILED; - } - if (rsa->iqmp && rsa->dmp1 && rsa->dmq1) { - do_convert_bignum(&sc_priv->iqmp, rsa->iqmp); - do_convert_bignum(&sc_priv->dmp1, rsa->dmp1); - do_convert_bignum(&sc_priv->dmq1, rsa->dmq1); - } - - if (!do_convert_bignum(&sc_pub->modulus, rsa->n) - || !do_convert_bignum(&sc_pub->exponent, rsa->e)) { - sc_debug(context, SC_LOG_DEBUG_NORMAL, "do_convert_bignum() failed\n"); - RSA_free(rsa); - return CKR_FUNCTION_FAILED; - } - - RSA_free(rsa); - - break; - } - default: - return CKR_MECHANISM_PARAM_INVALID; - } - - return CKR_OK; -} - #if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_EC) static void reverse(unsigned char *buf, size_t len) diff --git a/src/pkcs11/pkcs11-object.c b/src/pkcs11/pkcs11-object.c index 93570032..bd0d2ccf 100644 --- a/src/pkcs11/pkcs11-object.c +++ b/src/pkcs11/pkcs11-object.c @@ -966,51 +966,7 @@ CK_RV C_UnwrapKey(CK_SESSION_HANDLE hSession, /* the session's handle */ CK_ULONG ulAttributeCount, /* # of attributes in template */ CK_OBJECT_HANDLE_PTR phKey) { /* gets handle of recovered key */ - CK_RV rv; - struct sc_pkcs11_session *session; - struct sc_pkcs11_object *object, *result; - - rv = sc_pkcs11_lock(); - if (rv != CKR_OK) - return rv; - - if (pMechanism == NULL_PTR || (pTemplate == NULL_PTR && ulAttributeCount > 0)) { - rv = CKR_ARGUMENTS_BAD; - goto out; - } - - rv = get_object_from_session(hSession, hUnwrappingKey, &session, &object); - if (rv != CKR_OK) { - if (rv == CKR_OBJECT_HANDLE_INVALID) - rv = CKR_UNWRAPPING_KEY_HANDLE_INVALID; - goto out; - } - - if (!(session->flags & CKF_RW_SESSION)) { - rv = CKR_SESSION_READ_ONLY; - goto out; - } - - if (object->ops->sign == NULL_PTR) { - rv = CKR_KEY_TYPE_INCONSISTENT; - goto out; - } - - rv = object->ops->unwrap_key(session, object, pMechanism, - pWrappedKey, ulWrappedKeyLen, - pTemplate, ulAttributeCount, (void **)&result); - - sc_debug(context, SC_LOG_DEBUG_NORMAL, "C_UnwrapKey() = %s", lookup_enum ( RV_T, rv )); - - if (rv == CKR_OK) { - result->handle = (long)result; - list_append(&session->slot->objects, result); - - } - *phKey = result->handle; - -out: sc_pkcs11_unlock(); - return rv; + return CKR_FUNCTION_NOT_SUPPORTED; } CK_RV C_DeriveKey(CK_SESSION_HANDLE hSession, /* the session's handle */ diff --git a/src/pkcs11/secretkey.c b/src/pkcs11/secretkey.c deleted file mode 100644 index 7e9a8c61..00000000 --- a/src/pkcs11/secretkey.c +++ /dev/null @@ -1,233 +0,0 @@ -/* - * Secret key handling for PKCS#11 - * - * This module deals only with secret keys that have been unwrapped - * by the card. At the moment, we do not support key unwrapping - * where the key remains on the token. - * - * Copyright (C) 2002 Olaf Kirch - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -#include "config.h" - -#include -#include - -#include "sc-pkcs11.h" - -struct pkcs11_secret_key { - struct sc_pkcs11_object object; - - char * label; - CK_KEY_TYPE type; - CK_BYTE_PTR value; - CK_ULONG value_len; -}; - -extern struct sc_pkcs11_object_ops pkcs11_secret_key_ops; - -#define set_attr(var, attr) \ - if (attr->ulValueLen != sizeof(var)) \ - return CKR_ATTRIBUTE_VALUE_INVALID; \ - memcpy(&var, attr->pValue, attr->ulValueLen); -#define check_attr(attr, size) \ - if (attr->pValue == NULL_PTR) { \ - attr->ulValueLen = size; \ - return CKR_OK; \ - } \ - if (attr->ulValueLen < size) { \ - attr->ulValueLen = size; \ - return CKR_BUFFER_TOO_SMALL; \ - } \ - attr->ulValueLen = size; -#define get_attr(attr, type, value) \ - check_attr(attr, sizeof(type)); \ - *(type *) (attr->pValue) = value; - -CK_RV -sc_pkcs11_create_secret_key(struct sc_pkcs11_session *session, - const u8 *value, size_t value_len, - CK_ATTRIBUTE_PTR _template, - CK_ULONG attribute_count, - struct sc_pkcs11_object **out) -{ - struct pkcs11_secret_key *key; - CK_ATTRIBUTE_PTR attr; - int n, rv; - - key = calloc(1, sizeof(*key)); - if (!key) - return CKR_HOST_MEMORY; - key->value = malloc(value_len); - if (!key->value) { - pkcs11_secret_key_ops.release(key); - return CKR_HOST_MEMORY; /* XXX correct? */ - } - memcpy(key->value, value, value_len); - key->value_len = value_len; - key->object.ops = &pkcs11_secret_key_ops; - - /* Make sure the key type is given in the template */ - for (n = attribute_count, attr = _template; n--; attr++) { - if (attr->type == CKA_KEY_TYPE) { - set_attr(key->type, attr); - break; - } - } - if (n < 0) { - pkcs11_secret_key_ops.release(key); - return CKR_TEMPLATE_INCOMPLETE; - } - - /* Set all the other attributes */ - for (n = attribute_count, attr = _template; n--; attr++) { - rv = key->object.ops->set_attribute(session, key, attr); - if (rv != CKR_OK) { - pkcs11_secret_key_ops.release(key); - return rv; - } - } - - *out = (struct sc_pkcs11_object *) key; - return CKR_OK; -} - -static void -sc_pkcs11_secret_key_release(void *object) -{ - struct pkcs11_secret_key *key; - - key = (struct pkcs11_secret_key *) object; - if (key) { - if (key->value) - free(key->value); - if (key->label) - free(key->label); - free(key); - } -} - -static CK_RV -sc_pkcs11_secret_key_set_attribute(struct sc_pkcs11_session *session, - void *object, CK_ATTRIBUTE_PTR attr) -{ - struct pkcs11_secret_key *key; - CK_OBJECT_CLASS ck_class; - CK_KEY_TYPE ck_key_type; - CK_BBOOL ck_bbool; - - key = (struct pkcs11_secret_key *) object; - switch (attr->type) { - case CKA_CLASS: - set_attr(ck_class, attr); - if (ck_class != CKO_SECRET_KEY) - return CKR_ATTRIBUTE_VALUE_INVALID; - break; - case CKA_KEY_TYPE: - set_attr(ck_key_type, attr); - if (ck_key_type != key->type) - return CKR_ATTRIBUTE_VALUE_INVALID; - break; - case CKA_LABEL: - if (key->label) - free(key->label); - key->label = strdup((const char *) attr->pValue); - break; - case CKA_TOKEN: - set_attr(ck_bbool, attr); - if (!ck_bbool) - return CKR_ATTRIBUTE_VALUE_INVALID; - break; - case CKA_VALUE: - if (key->value) - free(key->value); - key->value = malloc(attr->ulValueLen); - if (key->value == NULL) - return CKR_HOST_MEMORY; - key->value_len = attr->ulValueLen; - memcpy(key->value, attr->pValue, key->value_len); - break; - case CKA_ENCRYPT: - case CKA_DECRYPT: - case CKA_SIGN: - case CKA_VERIFY: - case CKA_WRAP: - case CKA_UNWRAP: - case CKA_EXTRACTABLE: - case CKA_ALWAYS_SENSITIVE: - case CKA_NEVER_EXTRACTABLE: - /* We ignore these for now, just making sure the argument - * has the right size */ - set_attr(ck_bbool, attr); - break; - default: - return CKR_ATTRIBUTE_TYPE_INVALID; - } - - return CKR_OK; -} - -static CK_RV -sc_pkcs11_secret_key_get_attribute(struct sc_pkcs11_session *session, - void *object, CK_ATTRIBUTE_PTR attr) -{ - struct pkcs11_secret_key *key; - - key = (struct pkcs11_secret_key *) object; - switch (attr->type) { - case CKA_CLASS: - get_attr(attr, CK_OBJECT_CLASS, CKO_SECRET_KEY); - break; - case CKA_KEY_TYPE: - get_attr(attr, CK_KEY_TYPE, key->type); - case CKA_VALUE: - check_attr(attr, key->value_len); - memcpy(attr->pValue, key->value, key->value_len); - break; - case CKA_VALUE_LEN: - get_attr(attr, CK_ULONG, key->value_len); - break; - case CKA_SENSITIVE: - case CKA_SIGN: - case CKA_VERIFY: - case CKA_WRAP: - case CKA_UNWRAP: - case CKA_NEVER_EXTRACTABLE: - get_attr(attr, CK_BBOOL, 0); - break; - case CKA_ENCRYPT: - case CKA_DECRYPT: - case CKA_EXTRACTABLE: - case CKA_ALWAYS_SENSITIVE: - get_attr(attr, CK_BBOOL, 1); - break; - default: - return CKR_ATTRIBUTE_TYPE_INVALID; - } - return CKR_OK; -} - -struct sc_pkcs11_object_ops pkcs11_secret_key_ops = { - sc_pkcs11_secret_key_release, - sc_pkcs11_secret_key_set_attribute, - sc_pkcs11_secret_key_get_attribute, - sc_pkcs11_any_cmp_attribute, - NULL, /* destroy_object */ - NULL, /* get_size */ - NULL, /* sign */ - NULL, /* unwrap_key */ - NULL /* decrypt */ -}; diff --git a/src/tools/pkcs15-init.c b/src/tools/pkcs15-init.c index d75a8eaf..d2a5061e 100644 --- a/src/tools/pkcs15-init.c +++ b/src/tools/pkcs15-init.c @@ -107,7 +107,6 @@ static int get_key_callback(struct sc_profile *, int method, int reference, const u8 *, size_t, u8 *, size_t *); -static int do_generate_key_soft(int, unsigned int, EVP_PKEY **); static int do_read_private_key(const char *, const char *, EVP_PKEY **, X509 **, unsigned int); static int do_read_public_key(const char *, const char *, EVP_PKEY **); @@ -124,7 +123,6 @@ enum { OPT_EXTRACTABLE, OPT_UNPROTECTED, OPT_AUTHORITY, - OPT_SOFT_KEYGEN, OPT_ASSERT_PRISTINE, OPT_SECRET, OPT_PUBKEY_LABEL, @@ -185,7 +183,6 @@ const struct option options[] = { { "extractable", no_argument, NULL, OPT_EXTRACTABLE }, { "insecure", no_argument, NULL, OPT_UNPROTECTED }, - { "soft", no_argument, NULL, OPT_SOFT_KEYGEN }, { "use-default-transport-keys", no_argument, NULL, 'T' }, { "no-prompt", no_argument, NULL, OPT_NO_PROMPT }, @@ -319,7 +316,6 @@ static unsigned int opt_actions; static int opt_extractable = 0, opt_unprotected = 0, opt_authority = 0, - opt_softkeygen = 0, opt_no_prompt = 0, opt_no_sopin = 0, opt_use_defkeys = 0, @@ -1401,8 +1397,7 @@ static int do_generate_key(struct sc_profile *profile, const char *spec) { struct sc_pkcs15init_keygen_args keygen_args; - unsigned int evp_algo, keybits = 1024; - EVP_PKEY *pkey; + unsigned int keybits = 1024; int r; memset(&keygen_args, 0, sizeof(keygen_args)); @@ -1419,11 +1414,9 @@ do_generate_key(struct sc_profile *profile, const char *spec) /* Parse the key spec given on the command line */ if (!strncasecmp(spec, "rsa", 3)) { keygen_args.prkey_args.key.algorithm = SC_ALGORITHM_RSA; - evp_algo = EVP_PKEY_RSA; spec += 3; } else if (!strncasecmp(spec, "dsa", 3)) { keygen_args.prkey_args.key.algorithm = SC_ALGORITHM_DSA; - evp_algo = EVP_PKEY_DSA; spec += 3; } else if (!strncasecmp(spec, "gost2001", strlen("gost2001"))) { keygen_args.prkey_args.key.algorithm = SC_ALGORITHM_GOSTR3410; @@ -1431,7 +1424,6 @@ do_generate_key(struct sc_profile *profile, const char *spec) /* FIXME: now only SC_PKCS15_PARAMSET_GOSTR3410_A */ keygen_args.prkey_args.gost_params.gostr3410 = SC_PKCS15_PARAMSET_GOSTR3410_A; - evp_algo = 0; /* FIXME */ spec += strlen("gost2001"); } else { util_error("Unknown algorithm \"%s\"", spec); @@ -1449,32 +1441,7 @@ do_generate_key(struct sc_profile *profile, const char *spec) return SC_ERROR_INVALID_ARGUMENTS; } } - - if (!opt_softkeygen) { - r = sc_pkcs15init_generate_key(p15card, profile, &keygen_args, - keybits, NULL); - if (r >= 0 || r != SC_ERROR_NOT_SUPPORTED) - return r; - if (verbose) - printf("Warning: card doesn't support on-board " - "key generation.\n" - "Trying software generation\n"); - } - - /* Generate the key ourselves */ - if ((r = do_generate_key_soft(evp_algo, keybits, &pkey)) < 0 - || (r = do_convert_private_key(&keygen_args.prkey_args.key, pkey) ) < 0) - goto out; - - r = sc_pkcs15init_store_private_key(p15card, - profile, &keygen_args.prkey_args, NULL); - - /* Store public key portion on card */ - if (r >= 0) - r = do_store_public_key(profile, pkey); - -out: - EVP_PKEY_free(pkey); + r = sc_pkcs15init_generate_key(p15card, profile, &keygen_args, keybits, NULL); return r; } @@ -1854,46 +1821,6 @@ get_key_callback(struct sc_profile *profile, } } -/* - * Generate a private key - */ -static int do_generate_key_soft(int algorithm, unsigned int bits, - EVP_PKEY **res) -{ - *res = EVP_PKEY_new(); - switch (algorithm) { - case EVP_PKEY_RSA: { - RSA *rsa; - BIO *err; - - err = BIO_new(BIO_s_mem()); - rsa = RSA_generate_key(bits, 0x10001, NULL, err); - BIO_free(err); - if (rsa == 0) - util_fatal("RSA key generation error"); - EVP_PKEY_assign_RSA(*res, rsa); - break; - } - case EVP_PKEY_DSA: { - DSA *dsa; - int r = 0; - - dsa = DSA_generate_parameters(bits, - NULL, 0, NULL, - NULL, NULL, NULL); - if (dsa) - r = DSA_generate_key(dsa); - if (r == 0 || dsa == 0) - util_fatal("DSA key generation error"); - EVP_PKEY_assign_DSA(*res, dsa); - break; - } - default: - util_fatal("Unable to generate key: unsupported algorithm"); - } - return 0; -} - /* * Read a private key */ @@ -2579,9 +2506,6 @@ handle_option(const struct option *opt) case OPT_AUTHORITY: opt_authority = 1; break; - case OPT_SOFT_KEYGEN: - opt_softkeygen = 1; - break; case OPT_APPLICATION_NAME: opt_application_name = optarg; break;