From d369965a7fd238d983864d42bb1609e2408dd187 Mon Sep 17 00:00:00 2001 From: Doug Engert Date: Tue, 20 Oct 2020 16:07:32 -0500 Subject: [PATCH] pkcs11-tool support key-gen for GENERIC secret key Fixes #2139 Added code to support mechanism GENERIC-SECRET-KEY-GEN. Improved --help and doc/tools/pkcs11-tool.1.xml because key gen of symmetric keys pass CKA_VALUE_LEN which is length of key in bytes. Tested with: ./pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so \ --login --label generic-64 --keygen --key-type GENERIC:64 \ --mechanism GENERIC-SECRET-KEY-GEN ./pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --login -O
---
 doc/tools/pkcs11-tool.1.xml | 4 +++-
 src/tools/pkcs11-tool.c | 24 ++++++++++++++++++++++--
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml
index bb8bce37..fee05864 100644
--- a/doc/tools/pkcs11-tool.1.xml
+++ b/doc/tools/pkcs11-tool.1.xml
@@ -146,7 +146,9 @@ specification
- Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1.
+ Specify the type and length (bytes if symmetric) of the key to create,
+ for example RSA:1024, EC:prime256v1, GOSTR3410-2012-256:B,
+ DES:8, DES3:24, AES:16 or GENERIC:64.
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index e8e244fe..c0056744 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -275,7 +275,7 @@ static const char *option_help[] = {
 "Unlock User PIN (without '--login' unlock in logged in session; otherwise '--login-type' has to be 'context-specific')",
 "Key pair generation",
 "Key generation",
- "Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1 or GOSTR3410-2012-256:B",
+ "Specify the type and length (bytes if symmetric) of the key to create, for example rsa:1024, EC:prime256v1, GOSTR3410-2012-256:B, AES:16 or GENERIC:64",
 "Specify 'sign' key usage flag (sets SIGN in privkey, sets VERIFY in pubkey)",
 "Specify 'decrypt' key usage flag (RSA only, set DECRYPT privkey, ENCRYPT in pubkey)",
 "Specify 'derive' key usage flag (EC only)",
@@ -2390,7 +2390,7 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
 n_privkey_attr++;
 }
 }
- else if (!strncmp(type, "EC:", 3)) {
+ else if (strncmp(type, "EC:", strlen("EC:")) == 0 || strncmp(type, "ec:", strlen("ec:")) == 0) {
 CK_MECHANISM_TYPE mtypes[] = {CKM_EC_KEY_PAIR_GEN};
 size_t mtypes_num = sizeof(mtypes)/sizeof(mtypes[0]);
 int ii;
@@ -2693,6 +2693,26 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
 FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
 n_attr++;
 }
+ else if (strncasecmp(type, "GENERIC:", strlen("GENERIC:")) == 0) {
+ CK_MECHANISM_TYPE mtypes[] = {CKM_GENERIC_SECRET_KEY_GEN};
+ size_t mtypes_num = sizeof(mtypes)/sizeof(mtypes[0]);
+ const char *size = type + strlen("GENERIC:");
+
+ key_type = CKK_GENERIC_SECRET;
+
+ if (!opt_mechanism_used)
+ if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
+ util_fatal("Generate Key mechanism not supported\n");
+
+ if (size == NULL)
+ util_fatal("Unknown key type %s", type);
+ key_length = (unsigned long)atol(size);
+ if (key_length == 0)
+ key_length = 32;
+
+ FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
+ n_attr++;
+ }
 else {
 util_fatal("Unknown key type %s", type);
 }
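Review bot: The new `EC:`/`ec:` test in gen_keypair spells out two case variants by hand while the GENERIC branch added further down in this same commit uses strncasecmp, so mixed-case spellings such as `Ec:` are still rejected and the two branches disagree on how case is handled. A single case-insensitive comparison is shorter and consistent with the new code: `else if (strncasecmp(type, "EC:", strlen("EC:")) == 0) {`. gen_keypair begins and ends outside this hunk, so the other key-type branches there may want the same treatment, though they are not visible here.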
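Review bot: In the new GENERIC branch of gen_key, `if (size == NULL)` can never fire because `size` is `type + strlen("GENERIC:")`, a pointer into the string strncasecmp has just read; the check that is actually missing is on the length text itself. `atol` returns 0 for an empty or non-numeric suffix, so `GENERIC:abc` silently produces a 32-byte key, and a negative value such as `GENERIC:-1` is cast to a huge unsigned CKA_VALUE_LEN and handed to the token. Parsing with strtoul plus an end-pointer check turns these into a clear error (rewritten lines below) while keeping the existing 32-byte default for an unspecified or zero length. The brace-less nested `if (!opt_mechanism_used) if (...)` presumably mirrors the sibling branches, but braces on the outer `if` would make the intent unambiguous. gen_key's body starts and ends outside this hunk.
```c
		const char *size = type + strlen("GENERIC:");
		char *end = NULL;
		/* … unchanged: key_type assignment and find_mechanism lookup … */

		/* size points into type, so it cannot be NULL; what needs checking is
		 * the length text, so that a non-numeric or negative value is an error
		 * instead of silently becoming 32 bytes or a huge CKA_VALUE_LEN */
		key_length = 0;
		if (*size != '\0') {
			if (*size == '-')
				util_fatal("Invalid key length in key type %s", type);
			key_length = strtoul(size, &end, 10);
			if (*end != '\0')
				util_fatal("Invalid key length in key type %s", type);
		}
		if (key_length == 0)
			key_length = 32;	/* existing default for an unspecified or zero length */
		/* … unchanged: FILL_ATTR(... CKA_KEY_TYPE ...) and n_attr++ … */
```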