From: Wolfgang Meyer zu Bergsten
Date: Mon, 4 Aug 2014 13:32:53 +0000 (+0200)
Subject: improve compatibility in pkcs11 key generation
X-Git-Tag: gnutls_3_4_0~1135
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=19cf9366c174bddaf3a9cbdfd15bdd90ab12e3ca;p=thirdparty%2Fgnutls.git
improve compatibility in pkcs11 key generation
* add key wrap/unwrap key usage
* explicitly set public exponent in template
Signed-off-by: Wolfgang Meyer zu Bergsten
---
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 87a54f28c3..8f2d2d7e5c 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -104,6 +104,7 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj,
 #define GNUTLS_PKCS11_OBJ_FLAG_COMPARE (1<<9) /* The object must be fully compared */
 #define GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE (1<<10) /* The object must be present in a marked as trusted module */
 #define GNUTLS_PKCS11_OBJ_FLAG_MARK_CA (1<<11) /* object marked as CA */
+#define GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP (1<<12) /* generated keypair shall support key wrap/unwrap */
 /**
  * gnutls_pkcs11_url_type_t:
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index a9c473e711..5575efc016 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -655,6 +655,7 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
 gnutls_pkcs11_obj_t obj = NULL;
 gnutls_datum_t der = {NULL, 0};
 ck_key_type_t key_type;
+ char pubEx[3] = { 1,0,1 }; // 65537 = 0x10001
 PKCS11_CHECK_INIT;
@@ -710,6 +711,12 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
 a[a_val].value = &_bits;
 a[a_val].value_len = sizeof(_bits);
 a_val++;
+
+ a[a_val].type = CKA_PUBLIC_EXPONENT;
+ a[a_val].value = pubEx;
+ a[a_val].value_len = sizeof(pubEx);
+ a_val++;
+
 break;
 case GNUTLS_PK_DSA:
 p[p_val].type = CKA_SIGN;
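Review bot: The new GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP flag in pkcs11.h is public API and its only documentation is the trailing comment, which does not say which PKCS#11 attributes it maps to or that it only takes effect during key generation. Since the later hunk in pkcs11_privkey.c shows it sets CKA_UNWRAP on the private template and CKA_WRAP on the public one, spell that out so callers know what usage they are granting the key: `#define GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP (1<<12) /* generated keypair shall support key wrap/unwrap: sets CKA_WRAP on the public and CKA_UNWRAP on the private key (gnutls_pkcs11_privkey_generate2 only) */`.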
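Review bot: In the first pkcs11_privkey.c hunk the public-exponent template value is declared as plain `char`, whose signedness is implementation-defined, while CKA_PUBLIC_EXPONENT is a big-endian byte string; the values 1,0,1 happen to be safe either way, but an unsigned byte type states the intent and the `//` comment is inconsistent with the `/* */` style the surrounding file uses. Suggest `unsigned char pubEx[3] = { 0x01, 0x00, 0x01 }; /* 65537 = 0x10001 */`. The enclosing function gnutls_pkcs11_privkey_generate2 begins before and ends after this hunk.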
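Review bot: The second pkcs11_privkey.c hunk appends one more entry to `a[]` (a_val++ after CKA_PUBLIC_EXPONENT) and the later CKA_WRAP/CKA_UNWRAP hunk appends one more to both `p[]` and `a[]`, but both template arrays are declared outside these hunks and nothing here shows their capacity was grown to match. If they are sized to the previous maximum, a caller passing GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP for an RSA key writes past the end of a stack array before the template reaches the token; please confirm the array sizes were raised, or guard the writes with something like `if (a_val >= ARRAY_SIZE(a)) { ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); goto cleanup; }` (placeholder names, the file's own helpers are not visible here). The enclosing switch and function continue outside the hunk.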
@@ -760,6 +767,20 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
 goto cleanup;
 }
+ /*
+ * on request, add the CKA_WRAP/CKA_UNWRAP key attribute
+ */
+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP) {
+ p[p_val].type = CKA_UNWRAP;
+ p[p_val].value = (void*)&tval;
+ p[p_val].value_len = sizeof(tval);
+ p_val++;
+ a[a_val].type = CKA_WRAP;
+ a[a_val].value = (void*)&tval;
+ a[a_val].value_len = sizeof(tval);
+ a_val++;
+ }
+
 /* a private key is set always as private unless
 * requested otherwise */
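Review bot: The CKA_WRAP/CKA_UNWRAP attributes are appended whenever the flag is set, independent of `pk`, even though the earlier hunks show this function also handles GNUTLS_PK_DSA, for which wrap/unwrap presumably has no mechanism and a token may reject the whole template or silently carry an unusable capability. Either restrict the addition to the algorithm it is meant for, `if ((flags & GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP) && pk == GNUTLS_PK_RSA) {`, or document at the flag that it is only meaningful for RSA and let the token decide. The block also relies on `p[]`/`a[]` having room for one more entry each, which was raised on the CKA_PUBLIC_EXPONENT hunk. `tval` and the enclosing function are defined outside this hunk.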