Edited according to PR review: CKA_ALWAYS_AUTHENTICATE only associated with private keys. Defined a custom attribute to achieve same functionality with secret keys. Updated man pages.

Hannu Honkanen 2018-12-04 13:57:44 +02:00 committed by Frank Morgner
parent ee8c80af4f
commit 9e5a324903
6 changed files with 37 additions and 14 deletions


@ -444,6 +444,15 @@
viewable after a login).</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--always-auth</option>
</term>
<listitem><para>Set the CKA_ALWAYS_AUTHENTICATE attribute to a private key object.
If set, the user has to supply the PIN for each use (sign or decrypt) with the key.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--test-ec</option>


@ -873,6 +873,20 @@ puk 87654321
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--user-consent</option> <replaceable>arg</replaceable>
</term>
<listitem>
<para>
Specify user-consent. <replaceable>arg</replaceable> is an integer value.
If > 0, the value specifies how many times the
object can be accessed before a new authentication is required.
If zero, the object does not require re-authentication.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--insecure</option>


@ -2323,7 +2323,7 @@ pkcs15_create_secret_key(struct sc_pkcs11_slot *slot, struct sc_profile *profile
if (pkcs15_check_bool_cka(attr, 1))
args.access_flags |= SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE;
break;
case CKA_ALWAYS_AUTHENTICATE:
case CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT:
args.user_consent = (int) (pkcs15_check_bool_cka(attr, 1));
break;
default:
@ -4845,9 +4845,9 @@ pkcs15_skey_get_attribute(struct sc_pkcs11_session *session,
&& (skey->base.p15_object->flags & SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE) == 0
&& (skey->base.p15_object->flags & SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE) == 0) ? CK_TRUE : CK_FALSE;
break;
case CKA_ALWAYS_AUTHENTICATE:
case CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT:
check_attribute_buffer(attr, sizeof(CK_BBOOL));
*(CK_BBOOL*)attr->pValue = skey->base.p15_object->user_consent;
*(CK_BBOOL*)attr->pValue = skey->base.p15_object->user_consent == 1 ? CK_TRUE : CK_FALSE;
break;
case CKA_VALUE_LEN:
check_attribute_buffer(attr, sizeof(CK_ULONG));
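Review bot: In pkcs15_skey_get_attribute, the line that appears to be the new side, `user_consent == 1 ? CK_TRUE : CK_FALSE`, reports CK_FALSE for any userConsent above 1, although the pkcs15-init man page text in this same commit says such values still force re-authentication after that many accesses. A PKCS#11 client reading CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT then cannot tell an every-N-uses key from an unprotected one; if that mapping is intended, state it in a comment such as `/* userConsent > 1 (re-auth every N uses) is deliberately reported as CK_FALSE */`. Separately, in pkcs15_create_secret_key a template that still carries CKA_ALWAYS_AUTHENTICATE now reaches `default:`, whose body is outside the hunk; if that branch ignores the attribute, the secret key is created without userConsent and the caller gets no error, so it is worth confirming that it is rejected instead. Both functions start and end outside the hunks shown.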


@ -20,4 +20,10 @@
#define CKA_SPKI (CKA_VENDOR_DEFINED | SC_VENDOR_DEFINED | 2UL)
/* In PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute is only associated with private keys.
* The corresponding userConsent field in PKCS#15 is allowed for any object type. This attribute can be used
* to set userConsent=1 for other objects than private keys via PKCS#11. */
#define CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT (CKA_VENDOR_DEFINED | SC_VENDOR_DEFINED | 3UL)
#endif


@ -217,12 +217,12 @@ static const struct option options[] = {
{ "verbose", 0, NULL, 'v' },
{ "private", 0, NULL, OPT_PRIVATE },
{ "sensitive", 0, NULL, OPT_SENSITIVE },
{ "always-auth", 0, NULL, OPT_ALWAYS_AUTH },
{ "test-ec", 0, NULL, OPT_TEST_EC },
#ifndef _WIN32
{ "test-fork", 0, NULL, OPT_TEST_FORK },
#endif
{ "generate-random", 1, NULL, OPT_GENERATE_RANDOM },
{ "always-auth", 0, NULL, OPT_ALWAYS_AUTH },
{ NULL, 0, NULL, 0 }
};
@ -289,12 +289,12 @@ static const char *option_help[] = {
"Verbose operation. (Set OPENSC_DEBUG to enable OpenSC specific debugging)",
"Set the CKA_PRIVATE attribute (object is only viewable after a login)",
"Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext)",
"Set the CKA_ALWAYS_AUTHENTICATE attribute to a key object (require PIN verification for each use)",
"Test EC (best used with the --login or --pin option)",
#ifndef _WIN32
"Test forking and calling C_Initialize() in the child",
#endif
"Generate given amount of random data",
"Set the CKA_ALWAYS_AUTHENTICATE attribute to a key object (require PIN verification for each use)",
"Generate given amount of random data"
};
static const char * app_name = "pkcs11-tool"; /* for utils.c */
@ -2511,12 +2511,6 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
FILL_ATTR(keyTemplate[n_attr], CKA_VALUE_LEN, &key_length, sizeof(key_length));
n_attr++;
if (opt_always_auth != 0) {
FILL_ATTR(keyTemplate[n_attr], CKA_ALWAYS_AUTHENTICATE,
&_true, sizeof(_true));
n_attr++;
}
mechanism.mechanism = opt_mechanism;
}
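Review bot: With the `if (opt_always_auth != 0)` block gone from the secret-key branch of gen_key, `--always-auth` appears to be accepted on the command line but silently dropped when a secret key is generated: nothing in this hunk puts CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT, the replacement attribute this commit defines, into keyTemplate. The user would then hold a key they believe needs a PIN for each use while the card never asks for one. Unless the part of gen_key outside the hunk handles this, either fill the vendor attribute here or tell the user, e.g. `if (opt_always_auth != 0) fprintf(stderr, "--always-auth is ignored for secret keys\n");`. The option_help string also still says "to a key object" where the man page in this commit says "private key object".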


@ -206,6 +206,7 @@ const struct option options[] = {
{ "update-existing", no_argument, NULL, OPT_UPDATE_EXISTING},
{ "extractable", no_argument, NULL, OPT_EXTRACTABLE },
{ "user-consent", required_argument, NULL, OPT_USER_CONSENT},
{ "insecure", no_argument, NULL, OPT_INSECURE },
{ "use-default-transport-keys",
no_argument, NULL, 'T' },
@ -219,7 +220,6 @@ const struct option options[] = {
{ "wait", no_argument, NULL, 'w' },
{ "help", no_argument, NULL, 'h' },
{ "verbose", no_argument, NULL, 'v' },
{ "user-consent", required_argument, NULL, OPT_USER_CONSENT},
/* Hidden options for testing */
{ "assert-pristine", no_argument, NULL, OPT_ASSERT_PRISTINE },
@ -273,6 +273,7 @@ static const char * option_help[] = {
"Store or update existing certificate",
"Private key stored as an extractable key",
"Set userConsent. Default = 0",
"Insecure mode: do not require a PIN for private key",
"Do not ask for transport keys if the driver thinks it knows the key",
"Do not prompt the user; if no PINs supplied, pinpad will be used",
@ -285,7 +286,6 @@ static const char * option_help[] = {
"Wait for card insertion",
"Display this message",
"Verbose operation. Use several times to enable debug output.",
"Set userConsent. Default = 0",
NULL,
NULL,