Add support for importing keys into the token as session ephemeral keys #441
Conversation
This slot can be used to obtain a default login session when there is no available pkcs11 URI that indicates which slot should be used. Signed-off-by: Simo Sorce <[email protected]>
@kshitizvars please check out this PR
8b6d5e1 to ca51975
Ubuntu fails genpkey apparently .... that's odd.
Will have to figure out the genpkey cmdline issue for Ubuntu, meanwhile triggering a covscan to ensure the C code is fine.
Older openssl seems to have no support for -outpubkey ...
Coverity found issues, sticking them here so that I do not forget, and marking the PR as draft for now.
Private keys are stored/cached in the login session object, and not permanently on the token. This is used to handle the case where a private key is stored outside of the token, but the token is used to perform cryptographic operations. Signed-off-by: Simo Sorce <[email protected]>
@Jakuje I should have addressed all the changes I agreed on.
OpenSSL expects to be able to create an EC PKEY and only "generate" params, then fill in the key with a public key received from a peer. So split the common gen_init into per key type ones as each type needs slightly different setup and conditions now. Also modify the code that sets public EC keys to allow setting a key on a base object that does not already have key attributes at all. Signed-off-by: Simo Sorce <[email protected]>
Below issue is reported while running TLS1.3: p11prov_DeriveKey:Host out of memory. Issue occurs because we are trying to use a deallocated memory pointer after reallocating new memory, due to which key->attrs gets corrupted and finally causes an issue in importing the correct peer key. Signed-off-by: Kshitiz Varshney <[email protected]>
This allows operations that actually need to happen on a token with a stored key (unlike ECDH which just needs a buffer passed in), to be able to actually import the object as an ephemeral session object to perform the required operations. We generally do not want to store public keys to avoid littering the login session (which is long lived) with too many throw-away objects as we have no way to determine when it is ok to remove session objects for long lived programs. Signed-off-by: Simo Sorce <[email protected]>
Signed-off-by: Simo Sorce <[email protected]>
Disabled in softhsm because it ends up looping on itself due to the usual problem that softhsm links to openssl without using a custom libctx. Signed-off-by: Simo Sorce <[email protected]>
The new codespell in CI decided to find old misspellings... Signed-off-by: Simo Sorce <[email protected]>
On Ubuntu openssl's genpkey does not have -outpubkey as a genpkey option. So avoid using it for now and just get the pubkey out in a second step. Signed-off-by: Simo Sorce <[email protected]>
Coverity decided to start investigating unused functions now ... Signed-off-by: Simo Sorce <[email protected]>
@Jakuje I'll run covscan again once you confirm all the requested changes are ok
lgtm
Covscan is happy too, merging.
Description
In some circumstances we need to be able to import keys into the token as the caller wants the token to perform the cryptographic operation but provides the keys in PEM files, or BIO objects and does not want to permanently store these keys in the token (for whatever reason).
ECDH is an example where we need to import a key only halfway.
Importing private keys always immediately creates a temporary session object on the login session (which is generally long lived). The operation assumes that a login session is already available or a pin is otherwise specified in the configuration. The login session is assumed to be opened on the default slot, which is defined as the first slot that fulfills basic session storage writability. In future we may add quirks to specify a different default slot via a uri.
Importing public keys (which may happen more frequently in key exchange situations) creates a mock object by default; however, requesting their token handle triggers the storage of the key into the token login session as an ephemeral key, just like for the private keys.
The handle is requested in case an actual operation needs to happen on the token, and this does not happen for the ECDH case; this way we avoid littering the login session object with too many throwaway keys.
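As an added illustration of the two mechanisms discussed on this page, the session-ephemeral key import described in this PR and the realloc stale-pointer bug fixed in the p11prov_DeriveKey commit above, here is a small C example. It is written for this page and is not pkcs11-provider's own code: the PKCS#11 types and constants are redefined locally with their standard values because no pkcs11.h is included, the attr_list helpers are hypothetical, and the exact attribute set chosen for an EC private key is an assumption (the provider's real template may differ). The EC parameters and scalar fed in at the end are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the PKCS#11 types and constants used below.
 * Values are the standard ones from the PKCS#11 specification; a real
 * build would include <pkcs11.h> instead of redefining them here. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
#define CK_TRUE         ((CK_BBOOL)1)
#define CK_FALSE        ((CK_BBOOL)0)
#define CKA_CLASS       0x0000UL
#define CKA_TOKEN       0x0001UL
#define CKA_PRIVATE     0x0002UL
#define CKA_VALUE       0x0011UL
#define CKA_KEY_TYPE    0x0100UL
#define CKA_DERIVE      0x010CUL
#define CKA_EC_PARAMS   0x0180UL
#define CKO_PRIVATE_KEY 0x0003UL
#define CKK_EC          0x0003UL

typedef struct {
    CK_ULONG type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

/* Growable attribute template (hypothetical helper, not the provider's). */
struct attr_list {
    CK_ATTRIBUTE *attrs;
    size_t num;
    size_t cap;
};

/* Append one attribute, copying the value into storage the list owns.
 * Returns the new entry's index, or -1 on allocation failure.
 * The element pointer is taken only AFTER realloc() has run: realloc may
 * move the array, so any CK_ATTRIBUTE * taken before the call is stale.
 * Using such a stale pointer is the key->attrs corruption pattern the
 * TLS 1.3 ECDH commit on this page fixed. */
static int attr_list_add(struct attr_list *l, CK_ULONG type,
                         const void *val, CK_ULONG len)
{
    if (l->num == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 4;
        CK_ATTRIBUTE *grown = realloc(l->attrs, ncap * sizeof(*grown));
        if (grown == NULL)
            return -1;
        l->attrs = grown;   /* every old pointer into l->attrs is now invalid */
        l->cap = ncap;
    }
    void *copy = malloc(len ? len : 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, val, len);
    CK_ATTRIBUTE *a = &l->attrs[l->num]; /* safe: array is final for this call */
    a->type = type;
    a->pValue = copy;
    a->ulValueLen = len;
    return (int)l->num++;
}

static const CK_ATTRIBUTE *attr_list_find(const struct attr_list *l, CK_ULONG type)
{
    for (size_t i = 0; i < l->num; i++)
        if (l->attrs[i].type == type)
            return &l->attrs[i];
    return NULL;
}

static void attr_list_free(struct attr_list *l)
{
    for (size_t i = 0; i < l->num; i++)
        free(l->attrs[i].pValue);
    free(l->attrs);
    l->attrs = NULL;
    l->num = l->cap = 0;
}

/* Template for an EC private key that lives only in the login session.
 * CKA_TOKEN = CK_FALSE is what makes the object ephemeral: it vanishes when
 * the session closes instead of being persisted on the token. */
static int build_ephemeral_ec_private_template(struct attr_list *l,
        const unsigned char *ec_params, size_t params_len,
        const unsigned char *scalar, size_t scalar_len)
{
    CK_ULONG cls = CKO_PRIVATE_KEY, kt = CKK_EC;
    CK_BBOOL no = CK_FALSE, yes = CK_TRUE;
    if (attr_list_add(l, CKA_CLASS, &cls, sizeof(cls)) < 0) return -1;
    if (attr_list_add(l, CKA_KEY_TYPE, &kt, sizeof(kt)) < 0) return -1;
    if (attr_list_add(l, CKA_TOKEN, &no, sizeof(no)) < 0) return -1;
    if (attr_list_add(l, CKA_PRIVATE, &yes, sizeof(yes)) < 0) return -1;
    if (attr_list_add(l, CKA_DERIVE, &yes, sizeof(yes)) < 0) return -1;
    if (attr_list_add(l, CKA_EC_PARAMS, ec_params, params_len) < 0) return -1;
    if (attr_list_add(l, CKA_VALUE, scalar, scalar_len) < 0) return -1;
    return 0;
}

/* Returns 1 only if the template explicitly asks for a session-only object;
 * a missing or CK_TRUE CKA_TOKEN would persist the key on the token. */
static int template_is_session_only(const struct attr_list *l)
{
    const CK_ATTRIBUTE *t = attr_list_find(l, CKA_TOKEN);
    if (t == NULL || t->ulValueLen != sizeof(CK_BBOOL))
        return 0;
    return *(const CK_BBOOL *)t->pValue == CK_FALSE;
}

int main(void)
{
    /* Constructed sample input: DER-encoded prime256v1 OID and a dummy scalar. */
    static const unsigned char p256[] = {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07};
    unsigned char d[32];
    memset(d, 0x11, sizeof(d));
    struct attr_list l = {0};
    if (build_ephemeral_ec_private_template(&l, p256, sizeof(p256), d, sizeof(d)) != 0)
        return 1;
    printf("%zu attributes, session-only: %s\n", l.num,
           template_is_session_only(&l) ? "yes" : "no");
    attr_list_free(&l);
    return 0;
}
```

With seven attributes the list grows from 4 to 8 slots mid-build, so the second realloc path is exercised; returning an index rather than a pointer from attr_list_add is what keeps callers from holding a dangling element pointer across that growth. The template check is the defender-side assertion worth keeping near any such import path: before the object is handed to C_CreateObject, confirm CKA_TOKEN is present and false so an "ephemeral" import can never silently persist key material.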
This PR also addresses some issues with ECDH.
Related #395
Fixes #305
Fixes #437
Checklist
[ ] Test suite updated with negative tests
[ ] Documentation updated
Reviewer's checklist: