- When generating a key in pkcs15init, allow the caller to specify a

public key label (Remo Inverardi)


git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@1663 c6295689-39f2-0310-b995-f0e70906c6a9

src/pkcs11/framework-pkcs15.c

@@ -1195,7 +1195,7 @@ CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *
 	struct pkcs15_fw_data *fw_data = (struct pkcs15_fw_data *) p11card->fw_data;
 	struct pkcs15_slot_data *p15_data = slot_data(slot->fw_data);
 	struct sc_pkcs15_card *p15card = fw_data->p15_card;
-	struct sc_pkcs15init_prkeyargs	priv_args;
+	struct sc_pkcs15init_keygen_args keygen_args;
 	struct sc_pkcs15init_pubkeyargs pub_args;
 	struct sc_pkcs15_object	 *priv_key_obj;
 	struct sc_pkcs15_object	 *pub_key_obj;
@@ -1218,7 +1218,7 @@ CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *
 	if (rc < 0)
 		return sc_to_cryptoki_error(rc, p11card->reader);
 
-	memset(&priv_args, 0, sizeof(priv_args));
+	memset(&keygen_args, 0, sizeof(keygen_args));
 	memset(&pub_args, 0, sizeof(pub_args));
 
 	rc = sc_lock(p11card->card);
@@ -1230,7 +1230,7 @@ CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *
 	/* 1. Convert the pkcs11 attributes to pkcs15init args */
 
 	if ((pin = slot_data_pin_info(slot->fw_data)) != NULL)
-		priv_args.auth_id = pub_args.auth_id = pin->auth_id;
+		keygen_args.prkey_args.auth_id = pub_args.auth_id = pin->auth_id;
 
 	rv = attr_find2(pPubTpl, ulPubCnt, pPrivTpl, ulPrivCnt, CKA_KEY_TYPE,
 		&keytype, NULL);
@@ -1238,7 +1238,8 @@ CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *
 		rv = CKR_ATTRIBUTE_VALUE_INVALID;
 		goto kpgen_done;
 	}
-	priv_args.key.algorithm = pub_args.key.algorithm = SC_ALGORITHM_RSA;
+	keygen_args.prkey_args.key.algorithm = SC_ALGORITHM_RSA;
+	pub_args.key.algorithm               = SC_ALGORITHM_RSA;
 
 	rv = attr_find2(pPubTpl, ulPubCnt, pPrivTpl, ulPrivCnt,	CKA_MODULUS_BITS,
 		&keybits, NULL);
@@ -1250,13 +1251,13 @@ CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *
 	rv = attr_find2(pPubTpl, ulPubCnt, pPrivTpl, ulPrivCnt,	CKA_ID,
 		&id.value, &id.len);
 	if (rv == CKR_OK)
-		priv_args.id = pub_args.id = id;
+		keygen_args.prkey_args.id = pub_args.id = id;
 
 	len = sizeof(priv_label) - 1;
 	rv = attr_find(pPrivTpl, ulPrivCnt, CKA_LABEL, priv_label, &len);
 	if (rv == CKR_OK) {
 		priv_label[len] = '\0';
-		priv_args.label = priv_label;
+		keygen_args.prkey_args.label = priv_label;
 	}
 	len = sizeof(pub_label) - 1;
 	rv = attr_find(pPubTpl, ulPubCnt, CKA_LABEL, pub_label, &len);
@@ -1265,12 +1266,14 @@ CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *
 		pub_args.label = pub_label;
 	}
 
-	rv = get_X509_usage_privk(pPrivTpl, ulPrivCnt, &priv_args.x509_usage);
+	rv = get_X509_usage_privk(pPrivTpl, ulPrivCnt,
+	    	&keygen_args.prkey_args.x509_usage);
 	if (rv == CKR_OK)
-		rv = get_X509_usage_pubk(pPubTpl, ulPubCnt, &priv_args.x509_usage);
+		rv = get_X509_usage_pubk(pPubTpl, ulPubCnt,
+			&keygen_args.prkey_args.x509_usage);
 	if (rv != CKR_OK)
 		goto kpgen_done;
-	pub_args.x509_usage = priv_args.x509_usage;
+	pub_args.x509_usage = keygen_args.prkey_args.x509_usage;
 
 	/* 2. Add the PINs the user presented so far. Some initialization
 	 * routines need to present these PINs again because some
@@ -1299,7 +1302,7 @@ CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *
 	/* 3.a Try on-card key pair generation */
 
 	rc = sc_pkcs15init_generate_key(fw_data->p15_card, profile,
-		&priv_args, keybits, &priv_key_obj);
+		&keygen_args, keybits, &priv_key_obj);
 	if (rc >= 0) {
 		id = ((struct sc_pkcs15_prkey_info *) priv_key_obj->data)->id;
 		rc = sc_pkcs15_find_pubkey_by_id(fw_data->p15_card, &id, &pub_key_obj);
@@ -1325,7 +1328,7 @@ CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *
 
 		sc_debug(context, "Doing key pair generation in software\n");
 		rv = sc_pkcs11_gen_keypair_soft(keytype, keybits,
-			&priv_args.key, &pub_args.key);
+			&keygen_args.prkey_args.key, &pub_args.key);
 		if (rv != CKR_OK) {
 			sc_debug(context, "sc_pkcs11_gen_keypair_soft failed: 0x%0x\n", rv);
 			goto kpgen_done;
@@ -1333,7 +1336,7 @@ CK_RV pkcs15_gen_keypair(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *
 
 		/* Write the new public and private keys to the pkcs15 files */
 		rc = sc_pkcs15init_store_private_key(p15card, profile,
-			&priv_args, &priv_key_obj);
+			&keygen_args.prkey_args, &priv_key_obj);
 		if (rc >= 0)
 			rc = sc_pkcs15init_store_public_key(p15card, profile,
 				&pub_args, &pub_key_obj);

src/pkcs15init/pkcs15-init.h

@@ -204,6 +204,12 @@ struct sc_pkcs15init_prkeyargs {
 	/* support for non-native keys */
 	char *			passphrase;
 };
+
+struct sc_pkcs15init_keygen_args {
+	struct sc_pkcs15init_prkeyargs prkey_args;
+	const char *                   pubkey_label;
+};
+
 #define SC_PKCS15INIT_EXTRACTABLE	0x0001
 #define SC_PKCS15INIT_NO_PASSPHRASE	0x0002
 #define SC_PKCS15INIT_SPLIT_KEY		0x0004
@@ -257,7 +263,7 @@ extern int	sc_pkcs15init_store_pin(struct sc_pkcs15_card *,
 				struct sc_pkcs15init_pinargs *);
 extern int	sc_pkcs15init_generate_key(struct sc_pkcs15_card *,
 				struct sc_profile *,
-				struct sc_pkcs15init_prkeyargs *,
+				struct sc_pkcs15init_keygen_args *,
 				unsigned int keybits,
 				struct sc_pkcs15_object **);
 extern int	sc_pkcs15init_store_private_key(struct sc_pkcs15_card *,

src/pkcs15init/pkcs15-lib.c

@@ -890,7 +890,7 @@ sc_pkcs15init_init_prkdf(sc_pkcs15_card_t *p15card,
 int
 sc_pkcs15init_generate_key(struct sc_pkcs15_card *p15card,
 		struct sc_profile *profile,
-		struct sc_pkcs15init_prkeyargs *keyargs,
+		struct sc_pkcs15init_keygen_args *keygen_args,
 		unsigned int keybits,
 		struct sc_pkcs15_object **res_obj)
 {
@@ -900,8 +900,8 @@ sc_pkcs15init_generate_key(struct sc_pkcs15_card *p15card,
 	int		r;
 
 	/* For now, we support just RSA key pair generation */
-	if (!check_key_compatibility(p15card, &keyargs->key,
+	if (!check_key_compatibility(p15card, &keygen_args->prkey_args.key,
-		 keyargs->x509_usage,
+		 keygen_args->prkey_args.x509_usage,
 		 keybits, SC_ALGORITHM_ONBOARD_KEY_GEN))
 		return SC_ERROR_NOT_SUPPORTED;
 
@@ -909,7 +909,8 @@ sc_pkcs15init_generate_key(struct sc_pkcs15_card *p15card,
 		return SC_ERROR_NOT_SUPPORTED;
 
 	/* Set the USER PIN reference from args */
-	r = set_user_pin_from_authid(p15card, profile, &keyargs->auth_id);
+	r = set_user_pin_from_authid(p15card, profile,
+	    	&keygen_args->prkey_args.auth_id);
 	if (r < 0)
 		return r;
 
@@ -918,8 +919,8 @@ sc_pkcs15init_generate_key(struct sc_pkcs15_card *p15card,
 		return r;
 
 	/* Set up the PrKDF object */
-	r = sc_pkcs15init_init_prkdf(p15card, profile,
+	r = sc_pkcs15init_init_prkdf(p15card, profile, &keygen_args->prkey_args,
-				keyargs, &keyargs->key, keybits, &object);
+		&keygen_args->prkey_args.key, keybits, &object);
 	if (r < 0)
 		return r;
 	key_info = (struct sc_pkcs15_prkey_info *) object->data;
@@ -927,13 +928,13 @@ sc_pkcs15init_generate_key(struct sc_pkcs15_card *p15card,
 	/* Set up the PuKDF info. The public key will be filled in
 	 * by the card driver's generate_key function called below */
 	memset(&pubkey_args, 0, sizeof(pubkey_args));
-	pubkey_args.id = keyargs->id;
+	pubkey_args.id = keygen_args->prkey_args.id;
 #if 0
-	pubkey_args.auth_id = keyargs->auth_id;
+	pubkey_args.auth_id = keygen_args->prkey_args.auth_id;
 #endif
-	pubkey_args.label = keyargs->label;
+	pubkey_args.label = keygen_args->pubkey_label;
-	pubkey_args.usage = keyargs->usage;
+	pubkey_args.usage = keygen_args->prkey_args.usage;
-	pubkey_args.x509_usage = keyargs->x509_usage;
+	pubkey_args.x509_usage = keygen_args->prkey_args.x509_usage;
 
 	/* Generate the private key on card */
 	if (profile->ops->create_key) {

src/tools/pkcs15-init.c

@@ -866,21 +866,21 @@ do_store_data_object(struct sc_profile *profile)
 static int
 do_generate_key(struct sc_profile *profile, const char *spec)
 {
-	struct sc_pkcs15init_prkeyargs args;
+	struct sc_pkcs15init_keygen_args keygen_args;
 	unsigned int	evp_algo, keybits = 1024;
 	EVP_PKEY	*pkey;
 	int		r, split_key = 0;
 
-	if ((r = init_keyargs(&args)) < 0)
+	if ((r = init_keyargs(&keygen_args.prkey_args)) < 0)
 		return r;
 
 	/* Parse the key spec given on the command line */
 	if (!strncasecmp(spec, "rsa", 3)) {
-		args.key.algorithm = SC_ALGORITHM_RSA;
+		keygen_args.prkey_args.key.algorithm = SC_ALGORITHM_RSA;
 		evp_algo = EVP_PKEY_RSA;
 		spec += 3;
 	} else if (!strncasecmp(spec, "dsa", 3)) {
-		args.key.algorithm = SC_ALGORITHM_DSA;
+		keygen_args.prkey_args.key.algorithm = SC_ALGORITHM_DSA;
 		evp_algo = EVP_PKEY_DSA;
 		spec += 3;
 	} else {
@@ -902,15 +902,16 @@ do_generate_key(struct sc_profile *profile, const char *spec)
 
 	/* If the card doesn't support keys that can both sign _and_
 	 * decipher, make sure the user specified --split-key */
-	if (sc_pkcs15init_requires_restrictive_usage(p15card, &args, keybits)) {
+	if (sc_pkcs15init_requires_restrictive_usage(p15card,
+		 &keygen_args.prkey_args, keybits)) {
 		if (!opt_split_key)
 			split_key_error();
 		split_key = 1;
 	}
 
 	if (!opt_softkeygen && !split_key) {
-		r = sc_pkcs15init_generate_key(p15card, profile,
+		r = sc_pkcs15init_generate_key(p15card, profile, &keygen_args,
-				&args, keybits, NULL);
+			keybits, NULL);
 		if (r >= 0 || r != SC_ERROR_NOT_SUPPORTED)
 			return r;
 		if (!opt_quiet)
@@ -921,15 +922,15 @@ do_generate_key(struct sc_profile *profile, const char *spec)
 
 	/* Generate the key ourselves */
 	if ((r = do_generate_key_soft(evp_algo, keybits, &pkey)) < 0
-	 || (r = do_convert_private_key(&args.key, pkey) ) < 0)
+	 || (r = do_convert_private_key(&keygen_args.prkey_args.key, pkey) ) < 0)
 		goto out;
 
 	if (split_key) {
 		sc_pkcs15init_store_split_key(p15card,
-				profile, &args, NULL, NULL);
+				profile, &keygen_args.prkey_args, NULL, NULL);
 	} else {
 		r = sc_pkcs15init_store_private_key(p15card,
-				profile, &args, NULL);
+				profile, &keygen_args.prkey_args, NULL);
 	}
 
 	/* Store public key portion on card */