Ability to use mechanisms for keypairgen in pkcs11-tool


Ability to use mechanisms for keypairgen in pkcs11-tool

Alexandre Aufrere
Dear OpenSC developers,

I need to be able to specify manually the mechanism used for key pair
generation in pkcs11-tool.

Please consider the following patch, that does the job for RSA:
--- pkcs11-tool.c.orig    2014-09-25 11:18:04.551217752 +0400
+++ pkcs11-tool.c    2014-09-25 11:19:10.043924851 +0400
@@ -1539,7 +1539,12 @@
              FILL_ATTR(publicKeyTemplate[n_pubkey_attr],
CKA_PUBLIC_EXPONENT, publicExponent, sizeof(publicExponent));
              n_pubkey_attr++;

-            mechanism.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+                        if (opt_mechanism_used) {
+                                printf("Using key generation mechanism
%s\n", p11_mechanism_to_name(opt_mechanism));
+                                mechanism.mechanism = opt_mechanism;
+                        } else {
+                                mechanism.mechanism =
CKM_RSA_PKCS_KEY_PAIR_GEN;
+                        }
          }
          else if (!strncmp(type, "EC:", 3))   {
              int ii;
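Review bot: the new branch takes opt_mechanism as given without checking that it is a key-pair-generation mechanism at all, so `--keypairgen -m SHA256-RSA-PKCS` would hand a signing mechanism to C_GenerateKeyPair and fail only at the token; consider looking the mechanism up with C_GetMechanismInfo and rejecting it unless CKF_GENERATE_KEY_PAIR is set before the call. Two smaller points in the same hunk: the added lines are indented deeper than the surrounding `FILL_ATTR` block and the `printf("Using key generation mechanism` line is wrapped (likely the mail client, but it should be clean before a pull request), and the `else if (!strncmp(type, "EC:", 3))` branch just below still hard-codes its mechanism, so -m remains silently ignored for EC keys.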

With this patch, pkcs11-tool now passes on the mechanism when added on
the command line e.g. -m RSA-X9-31-KEY-PAIR-GEN .
I think it could be adapted to be used for EC curves as well, because
the same issue can potentially be faced, e.g. CKM_ECDSA_KEY_PAIR_GEN vs
CKM_EC_KEY_PAIR_GEN.

Regards,
Alexandre Aufrere


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Ability to use mechanisms for keypairgen in pkcs11-tool

Douglas E Engert


On 9/25/2014 2:33 AM, Alexandre Aufrere wrote:

> Dear OpenSC developers,
>
> I need to be able to specify manually the mechanism used for key pair
> generation in pkcs11-tool.
>
> Please consider the following patch, that does the job for RSA:
> --- pkcs11-tool.c.orig    2014-09-25 11:18:04.551217752 +0400
> +++ pkcs11-tool.c    2014-09-25 11:19:10.043924851 +0400
> @@ -1539,7 +1539,12 @@
>                FILL_ATTR(publicKeyTemplate[n_pubkey_attr],
> CKA_PUBLIC_EXPONENT, publicExponent, sizeof(publicExponent));
>                n_pubkey_attr++;
>
> -            mechanism.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
> +                        if (opt_mechanism_used) {
> +                                printf("Using key generation mechanism
> %s\n", p11_mechanism_to_name(opt_mechanism));
> +                                mechanism.mechanism = opt_mechanism;
> +                        } else {
> +                                mechanism.mechanism =
> CKM_RSA_PKCS_KEY_PAIR_GEN;
> +                        }
>            }
>            else if (!strncmp(type, "EC:", 3))   {
>                int ii;
>
> With this patch, pkcs11-tool now passes on the mechanism when added on
> the command line e.g. -m RSA-X9-31-KEY-PAIR-GEN .

But does OpenSC need additional code, or are you using this with
some other PKCS#11 module that understands RSA-X9-31-KEY-PAIR-GEN?


Your patch does not match the GitHub source.
Can you submit this as a pull request?



> I think it could be adapted to be used for EC curves as well, because
> the same issue can potentially be faced, e.g. CKM_ECDSA_KEY_PAIR_GEN vs
> CKM_EC_KEY_PAIR_GEN.


CKM_EC_KEY_PAIR_GEN and CKM_ECDSA_KEY_PAIR_GEN are the same

  #define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
  #define CKM_EC_KEY_PAIR_GEN 0x00001040

See PKCS#11 v2.20 12.3.5

>
> Regards,
> Alexandre Aufrere
>
>

--

  Douglas E. Engert  <[hidden email]>



Re: Ability to use mechanisms for keypairgen in pkcs11-tool

Alexandre Aufrere

On 25/09/2014 13:45, Douglas E Engert wrote:

>
> On 9/25/2014 2:33 AM, Alexandre Aufrere wrote:
>> Dear OpenSC developers,
>>
>> I need to be able to specify manually the mechanism used for key pair
>> generation in pkcs11-tool.
>>
>> Please consider the following patch, that does the job for RSA:
>> --- pkcs11-tool.c.orig    2014-09-25 11:18:04.551217752 +0400
>> +++ pkcs11-tool.c    2014-09-25 11:19:10.043924851 +0400
>> @@ -1539,7 +1539,12 @@
>>                 FILL_ATTR(publicKeyTemplate[n_pubkey_attr],
>> CKA_PUBLIC_EXPONENT, publicExponent, sizeof(publicExponent));
>>                 n_pubkey_attr++;
>>
>> -            mechanism.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
>> +                        if (opt_mechanism_used) {
>> +                                printf("Using key generation mechanism
>> %s\n", p11_mechanism_to_name(opt_mechanism));
>> +                                mechanism.mechanism = opt_mechanism;
>> +                        } else {
>> +                                mechanism.mechanism =
>> CKM_RSA_PKCS_KEY_PAIR_GEN;
>> +                        }
>>             }
>>             else if (!strncmp(type, "EC:", 3))   {
>>                 int ii;
>>
>> With this patch, pkcs11-tool now passes on the mechanism when added on
>> the command line e.g. -m RSA-X9-31-KEY-PAIR-GEN .
> But does OpenSC need additional code, or are you using this with
> some other PKCS#11 module that understands RSA-X9-31-KEY-PAIR-GEN?
I'm using for now another PKCS#11 module, but since the issue seems to
come from the cryptodevice itself, it could be possible that OpenSC
itself needs some additional code.

Anyway, at least for coherence I think it's good that the -m parameter
isn't silently ignored during key pair generation...

>
> Your patch does not match the GitHub source.
> Can you submit this as a pull request?
>
I submitted the patch to Viktor, as anyway I don't have a GitHub
account. I think it's better anyway that he'll handle it.

Regards,
Alexandre

>
>> I think it could be adapted to be used for EC curves as well, because
>> the same issue can potentially be faced, e.g. CKM_ECDSA_KEY_PAIR_GEN vs
>> CKM_EC_KEY_PAIR_GEN.
>
> CKM_EC_KEY_PAIR_GEN and CKM_ECDSA_KEY_PAIR_GEN are the same
>
>    #define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
>    #define CKM_EC_KEY_PAIR_GEN 0x00001040
>
> See PKCS#11 v2.20 12.3.5
>
>> Regards,
>> Alexandre Aufrere
>>
>>



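Two points from the thread, the -m mechanism no longer being silently ignored for key pair generation and CKM_ECDSA_KEY_PAIR_GEN being the same value as CKM_EC_KEY_PAIR_GEN, are illustrated together in the following added example. It is not pkcs11-tool or OpenSC code: the CKM_/CKF_ values are the PKCS#11 v2.20 constants, the typedefs stand in for pkcs11.h, the mechanism name table uses pkcs11-tool's -m spelling (only RSA-X9-31-KEY-PAIR-GEN appears in the thread, the other spellings are assumed), and the token mechanism list is a constructed stand-in for what C_GetMechanismList and C_GetMechanismInfo would return. The function select_keygen_mechanism is hypothetical; it resolves the name, falls back to the hard-coded per-type default when no -m was given, and refuses any mechanism the token does not advertise with CKF_GENERATE_KEY_PAIR, the check the posted patch does not do.

```c
/*
 * Added example, not pkcs11-tool or OpenSC code: choose the mechanism for
 * C_GenerateKeyPair from a -m style name, defaulting per key type when no
 * name is given, and refuse anything the token does not advertise with
 * CKF_GENERATE_KEY_PAIR. The CKM_/CKF_ values are the PKCS#11 v2.20 ones;
 * the typedefs stand in for pkcs11.h, and the name table and the token
 * mechanism list are constructed for the example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_MECHANISM_TYPE;   /* stand-in for the pkcs11.h typedef */
typedef unsigned long CK_FLAGS;

#define CKM_RSA_PKCS_KEY_PAIR_GEN   0x00000000UL
#define CKM_RSA_X9_31_KEY_PAIR_GEN  0x0000000AUL
#define CKM_SHA256_RSA_PKCS         0x00000040UL
#define CKM_ECDSA_KEY_PAIR_GEN      0x00001040UL
#define CKM_EC_KEY_PAIR_GEN         0x00001040UL   /* same value: an alias, v2.20 12.3.5 */
#define CKF_SIGN                    0x00000800UL
#define CKF_GENERATE_KEY_PAIR       0x00010000UL

/* Name table in pkcs11-tool's -m spelling. RSA-X9-31-KEY-PAIR-GEN is from the
 * thread; the other spellings are assumed for the example. */
static const struct { const char *name; CK_MECHANISM_TYPE mech; } mech_names[] = {
    { "RSA-PKCS-KEY-PAIR-GEN",  CKM_RSA_PKCS_KEY_PAIR_GEN },
    { "RSA-X9-31-KEY-PAIR-GEN", CKM_RSA_X9_31_KEY_PAIR_GEN },
    { "ECDSA-KEY-PAIR-GEN",     CKM_ECDSA_KEY_PAIR_GEN },
    { "EC-KEY-PAIR-GEN",        CKM_EC_KEY_PAIR_GEN },
    { "SHA256-RSA-PKCS",        CKM_SHA256_RSA_PKCS },
};

/* Constructed stand-in for what C_GetMechanismList + C_GetMechanismInfo
 * would report for a token: each mechanism with its CK_MECHANISM_INFO.flags. */
static const struct { CK_MECHANISM_TYPE mech; CK_FLAGS flags; } token_mechs[] = {
    { CKM_RSA_PKCS_KEY_PAIR_GEN,  CKF_GENERATE_KEY_PAIR },
    { CKM_RSA_X9_31_KEY_PAIR_GEN, CKF_GENERATE_KEY_PAIR },
    { CKM_EC_KEY_PAIR_GEN,        CKF_GENERATE_KEY_PAIR },
    { CKM_SHA256_RSA_PKCS,        CKF_SIGN },               /* signing only */
};

/*
 * key_type is the --key-type string ("RSA:2048", "EC:prime256v1");
 * mech_name is the -m argument, or NULL when none was given.
 * Returns the value to put in CK_MECHANISM.mechanism, -1 for an unknown
 * name or key type, -2 when the token does not offer the mechanism for
 * key pair generation.
 */
long select_keygen_mechanism(const char *key_type, const char *mech_name)
{
    CK_MECHANISM_TYPE mech = 0;
    size_t i;
    int found = 0;

    if (mech_name == NULL) {
        /* No -m: the per-type default that pkcs11-tool hard-codes. */
        if (!strncmp(key_type, "RSA", 3))
            mech = CKM_RSA_PKCS_KEY_PAIR_GEN;
        else if (!strncmp(key_type, "EC:", 3))
            mech = CKM_EC_KEY_PAIR_GEN;
        else
            return -1;
    } else {
        for (i = 0; i < sizeof(mech_names) / sizeof(mech_names[0]); i++) {
            if (!strcmp(mech_names[i].name, mech_name)) {
                mech = mech_names[i].mech;
                found = 1;
                break;
            }
        }
        if (!found)
            return -1;
    }

    /* Never hand C_GenerateKeyPair a mechanism the token cannot use for it. */
    for (i = 0; i < sizeof(token_mechs) / sizeof(token_mechs[0]); i++) {
        if (token_mechs[i].mech == mech)
            return (token_mechs[i].flags & CKF_GENERATE_KEY_PAIR) ? (long)mech : -2;
    }
    return -2;
}

int main(void)
{
    const char *cases[][2] = {
        { "RSA:2048",      NULL },
        { "RSA:2048",      "RSA-X9-31-KEY-PAIR-GEN" },
        { "EC:prime256v1", "ECDSA-KEY-PAIR-GEN" },
        { "RSA:2048",      "SHA256-RSA-PKCS" },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        long r = select_keygen_mechanism(cases[i][0], cases[i][1]);
        printf("%-14s -m %-24s -> %ld\n", cases[i][0],
               cases[i][1] ? cases[i][1] : "(none)", r);
    }
    return 0;
}
```

The ECDSA-KEY-PAIR-GEN and EC-KEY-PAIR-GEN names resolve to the same value, so the token only needs to list 0x1040 once; the SHA256-RSA-PKCS case shows why the flag check matters, since the token does advertise that mechanism, just not for key pair generation.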