You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
63 lines
2.4 KiB
63 lines
2.4 KiB
4 weeks ago
|
commit 88a01a9c4ba237431d89e3999cd6fdfddd10a51a
|
||
|
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||
|
Date: Thu Mar 7 17:42:11 2024 +0100
|
||
|
|
||
|
EP11 pkey option: handle new PKEY_MODE parms in eligibility check
|
||
|
|
||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||
|
|
||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||
|
index d1efd8c5..a163587c 100644
|
||
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||
|
@@ -1080,6 +1080,26 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session,
|
||
|
return CK_TRUE;
|
||
|
}
|
||
|
|
||
|
+/*
|
||
|
+ * Returns true if the given key object is eligible to get a protected key
|
||
|
+ * attribute, false otherwise.
|
||
|
+ */
|
||
|
+CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data,
|
||
|
+ OBJECT *key_obj)
|
||
|
+{
|
||
|
+ if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported ||
|
||
|
+ !object_is_pkey_extractable(key_obj)) {
|
||
|
+ return CK_FALSE;
|
||
|
+ }
|
||
|
+
|
||
|
+ if (!ep11_data->pkey_combined_extract_supported &&
|
||
|
+ object_is_extractable(key_obj)) {
|
||
|
+ return CK_FALSE;
|
||
|
+ }
|
||
|
+
|
||
|
+ return CK_TRUE;
|
||
|
+}
|
||
|
+
|
||
|
/**
|
||
|
* Checks if the preconditions for using the related protected key of
|
||
|
* the given secure key object are met. The caller of this routine must
|
||
|
@@ -1135,6 +1155,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
|
||
|
break;
|
||
|
case PKEY_MODE_DEFAULT:
|
||
|
case PKEY_MODE_ENABLE4NONEXTR:
|
||
|
+ case PKEY_MODE_ENABLE4EXTR:
|
||
|
+ case PKEY_MODE_ENABLE4ALL:
|
||
|
/* Use existing pkeys, re-create invalid pkeys, and also create new
|
||
|
* pkeys for secret/private keys that do not already have one. EC
|
||
|
* public keys that are pkey-extractable, can always be used via CPACF
|
||
|
@@ -1149,12 +1171,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
|
||
|
if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK)
|
||
|
goto done;
|
||
|
|
||
|
- if (object_is_extractable(key_obj) ||
|
||
|
- !object_is_pkey_extractable(key_obj) ||
|
||
|
- object_is_attr_bound(key_obj) ||
|
||
|
- !ep11_data->pkey_wrap_supported) {
|
||
|
+ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj))
|
||
|
goto done;
|
||
|
- }
|
||
|
|
||
|
if (template_attribute_get_non_empty(key_obj->template,
|
||
|
CKA_IBM_OPAQUE_PKEY,
|