improve compatibility in pkcs11 key generation
authorWolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>
Mon, 4 Aug 2014 13:32:53 +0000 (15:32 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 6 Aug 2014 12:47:46 +0000 (14:47 +0200)
* add key wrap/unwrap key usage
* explicitly set public exponent in template

Signed-off-by: Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>
lib/includes/gnutls/pkcs11.h
lib/pkcs11_privkey.c

index 87a54f28c379ea51d0c95cf5b393b377fc7bbf8b..8f2d2d7e5c00bd871d609bb48e6d3f2e1c0006f5 100644 (file)
@@ -104,6 +104,7 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj,
 #define GNUTLS_PKCS11_OBJ_FLAG_COMPARE (1<<9) /* The object must be fully compared */
 #define GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE (1<<10) /* The object must be present in a marked as trusted module */
 #define GNUTLS_PKCS11_OBJ_FLAG_MARK_CA (1<<11) /* object marked as CA */
+#define GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP (1<<12) /* generated keypair shall support key wrap/unwrap */
 
 /**
  * gnutls_pkcs11_url_type_t:
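Review bot: The comment on the new GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP flag does not say which call honors it or what it maps to, and its neighbours in this block are object-lookup flags, so a reader of the public header cannot tell it only matters at key generation. The .c hunks in this commit show it being consumed by gnutls_pkcs11_privkey_generate2 and translated into CKA_WRAP on the public-key template and CKA_UNWRAP on the private-key template; the header should state that: `/* gnutls_pkcs11_privkey_generate2(): set CKA_WRAP on the public and CKA_UNWRAP on the private key of the generated pair */`.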
index a9c473e711550d39eed8ef04ad821aa3292a5a13..5575efc0165074117858e19bfbb2f604bacf1902 100644 (file)
@@ -655,6 +655,7 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
        gnutls_pkcs11_obj_t obj = NULL;
        gnutls_datum_t der = {NULL, 0};
        ck_key_type_t key_type;
+       char pubEx[3] = { 1,0,1 }; // 65537 = 0x10001
 
        PKCS11_CHECK_INIT;
 
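Review bot: `pubEx` is declared as plain `char`, but CKA_PUBLIC_EXPONENT is a big-endian byte string and PKCS#11 byte attributes are unsigned (CK_BYTE); the values 1,0,1 are harmless either way, but the type, the camelCase name and the `//` comment all differ from the surrounding code, which uses snake_case (`a_val`, `key_type`) and `/* */` comments. Suggested declaration: `unsigned char pub_exp[3] = { 0x01, 0x00, 0x01 }; /* e = 65537, the common fixed public exponent */`. The enclosing function gnutls_pkcs11_privkey_generate2 starts before this hunk and its attribute arrays are declared outside it.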
@@ -710,6 +711,12 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
                a[a_val].value = &_bits;
                a[a_val].value_len = sizeof(_bits);
                a_val++;
+
+               a[a_val].type = CKA_PUBLIC_EXPONENT;
+               a[a_val].value = pubEx;
+               a[a_val].value_len = sizeof(pubEx);
+               a_val++;
+
                break;
        case GNUTLS_PK_DSA:
                p[p_val].type = CKA_SIGN;
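Review bot: The branch that ends at this `break` (it appears to be the RSA case, since the DSA label follows) now stores one more entry into `a[]` and increments `a_val` again, and the array's declared size is outside this hunk; the stores are unchecked, so confirm the capacity of `a[]` was raised by one here and by one more for the CKA_WRAP entry added further down in the same function. A one-line why-comment would also help, since the commit message only says "compatibility": `/* pin the public exponent instead of relying on the token's default */`. The enclosing function starts and ends outside this hunk.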
@@ -760,6 +767,20 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
                goto cleanup;
        }
 
+       /*
+        * on request, add the CKA_WRAP/CKA_UNWRAP key attribute
+        */
+       if (flags & GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP) {
+               p[p_val].type = CKA_UNWRAP;
+               p[p_val].value = (void*)&tval;
+               p[p_val].value_len = sizeof(tval);
+               p_val++;
+               a[a_val].type = CKA_WRAP;
+               a[a_val].value = (void*)&tval;
+               a[a_val].value_len = sizeof(tval);
+               a_val++;
+       }
+
        /* a private key is set always as private unless
         * requested otherwise
         */