Problem with x509_usage mapping in opensc-trunk


Problem with x509_usage mapping in opensc-trunk

Tarasov Viktor
Hi,

I have a problem with the email decryption, when using
private key, generated with Mozilla.

Mozilla's key generation template contains the CKA_DECRYPT attribute,
but the resulting key object does not.

It seems that the reason is the mapping of 'x509_usage' to 'pkcs15init
usage'.

This mapping converts the template CKA_DECRYPT, CKA_SIGN, CKA_UNWRAP (0x0D)
to the pkcs15init usage 0x10C
(SC_PKCS15_PRKEY_USAGE_DERIVE, SC_PKCS15_PRKEY_USAGE_SIGNRECOVER,
SC_PKCS15_PRKEY_USAGE_SIGN).


There is a short mapping that works for me (src/pkcs15init/pkcs15-lib.c
+1682) :
/*
 * Workaround table posted on the list: slot n is looked up by the
 * then-current sc_pkcs15init_map_usage loop for bit (0x80 >> n) of
 * x509_usage, and holds the PKCS#15 private-key usage to grant for it.
 * Only slots 3, 4, 5 and 7 carry a value; every other slot stays 0,
 * so those bits grant nothing.  The trailing comments are the labels
 * the original posting gave each slot.
 */
static unsigned int x509_to_pkcs15_private_key_usage[16] = {
    [3] = SC_PKCS15_PRKEY_USAGE_DERIVE,                                    /* keyAgreement */
    [4] = SC_PKCS15_PRKEY_USAGE_DECRYPT,                                   /* dataEncipherment */
    [5] = SC_PKCS15_PRKEY_USAGE_UNWRAP,                                    /* keyEncipherment */
    [7] = SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER,  /* keyCertSign */
};

Kind wishes,
Viktor.

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: Problem with x509_usage mapping in opensc-trunk

Nils Larsch
Tarasov Viktor wrote:

> Hi,
>
> I have a problem with the email decryption, when using
> private key, generated with Mozilla.
>
> Mozilla's key generation template contains the CKA_DECRYPT attr.,
> but not the resulted key object.
>
> It seems, that the reason is the mapping of 'x509_usage' to 'pkcs15init
> usage'.
ops, again ;-) Could you please test the attached patch.

Cheers,
Nils

Index: src/pkcs11/framework-pkcs15.c
===================================================================
--- src/pkcs11/framework-pkcs15.c (Revision 2536)
+++ src/pkcs11/framework-pkcs15.c (Arbeitskopie)
@@ -1214,13 +1214,13 @@
  if (val == NULL)
  continue;
  if (typ == CKA_SIGN && *val)
- *x509_usage |= 1;
+ *x509_usage |= SC_PKCS15INIT_X509_DIGITAL_SIGNATURE;
  if (typ == CKA_UNWRAP && *val)
- *x509_usage |= 4;
+ *x509_usage |= SC_PKCS15INIT_X509_KEY_ENCIPHERMENT;
  if (typ == CKA_DECRYPT && *val)
- *x509_usage |= 8;
+ *x509_usage |= SC_PKCS15INIT_X509_DATA_ENCIPHERMENT;
  if (typ == CKA_DERIVE && *val)
- *x509_usage |= 16;
+ *x509_usage |= SC_PKCS15INIT_X509_KEY_AGREEMENT;
  if (typ == CKA_VERIFY || typ == CKA_WRAP || typ == CKA_ENCRYPT) {
  sc_debug(context, "get_X509_usage_privk(): invalid typ = 0x%0x\n", typ);
  return CKR_ATTRIBUTE_TYPE_INVALID;
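Review bot: The four `if (typ == CKA_… && *val) *x509_usage |= …` statements are a hand-written copy of the attribute-to-keyUsage pairing that the next hunk (get_X509_usage_pubk, the @@ -1239 hunk) repeats with the public-key attribute types, so the two lists can drift apart again exactly as the literals 1/4/8/16 did before this fix; a small static table per key kind, walked in one loop, would make the private/public difference a data change and leave one place to audit. The SC_PKCS15INIT_X509_* names now used here come from pkcs15-init.h, and I cannot see from the hunk whether framework-pkcs15.c already includes that header — the old literals compiled without it, so please confirm. Both get_X509_usage_privk and get_X509_usage_pubk begin and end outside their hunks.
```c
/* at file scope: CKA_* private-key attribute -> X.509 keyUsage bit (pkcs15-init.h) */
static const struct {
	CK_ATTRIBUTE_TYPE typ;
	unsigned long     x509_bit;
} privk_usage_bits[] = {
	{ CKA_SIGN,    SC_PKCS15INIT_X509_DIGITAL_SIGNATURE },
	{ CKA_UNWRAP,  SC_PKCS15INIT_X509_KEY_ENCIPHERMENT  },
	{ CKA_DECRYPT, SC_PKCS15INIT_X509_DATA_ENCIPHERMENT },
	{ CKA_DERIVE,  SC_PKCS15INIT_X509_KEY_AGREEMENT     },
};
/* … unchanged: attribute loop up to the val == NULL check … */
	if (*val) {
		for (i = 0; i < sizeof privk_usage_bits / sizeof privk_usage_bits[0]; i++)
			if (privk_usage_bits[i].typ == typ)
				*x509_usage |= privk_usage_bits[i].x509_bit;
	}
/* … unchanged: CKA_VERIFY / CKA_WRAP / CKA_ENCRYPT rejection … */
```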
@@ -1239,13 +1239,13 @@
  if (val == NULL)
  continue;
  if (typ == CKA_VERIFY && *val)
- *x509_usage |= 1;
+ *x509_usage |= SC_PKCS15INIT_X509_DIGITAL_SIGNATURE;
  if (typ == CKA_WRAP && *val)
- *x509_usage |= 4;
+ *x509_usage |= SC_PKCS15INIT_X509_KEY_ENCIPHERMENT;
  if (typ == CKA_ENCRYPT && *val)
- *x509_usage |= 8;
+ *x509_usage |= SC_PKCS15INIT_X509_DATA_ENCIPHERMENT;
  if (typ == CKA_DERIVE && *val)
- *x509_usage |= 16;
+ *x509_usage |= SC_PKCS15INIT_X509_KEY_AGREEMENT;
  if (typ == CKA_SIGN || typ == CKA_UNWRAP || typ == CKA_DECRYPT) {
  sc_debug(context, "get_X509_usage_pubk(): invalid typ = 0x%0x\n", typ);
  return CKR_ATTRIBUTE_TYPE_INVALID;
Index: src/pkcs15init/pkcs15-lib.c
===================================================================
--- src/pkcs15init/pkcs15-lib.c (Revision 2536)
+++ src/pkcs15init/pkcs15-lib.c (Arbeitskopie)
@@ -1679,42 +1679,48 @@
 /*
  * Map X509 keyUsage extension bits to PKCS#15 keyUsage bits
  */
-static unsigned int x509_to_pkcs15_private_key_usage[16] = {
- SC_PKCS15_PRKEY_USAGE_SIGN
- | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER, /* digitalSignature */
- SC_PKCS15_PRKEY_USAGE_NONREPUDIATION, /* NonRepudiation */
- SC_PKCS15_PRKEY_USAGE_UNWRAP, /* keyEncipherment */
- SC_PKCS15_PRKEY_USAGE_DECRYPT, /* dataEncipherment */
- SC_PKCS15_PRKEY_USAGE_DERIVE, /* keyAgreement */
- SC_PKCS15_PRKEY_USAGE_SIGN
- | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER, /* keyCertSign */
- SC_PKCS15_PRKEY_USAGE_SIGN
- | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER, /* cRLSign */
+typedef struct {
+ unsigned long x509_usage;
+ unsigned int p15_usage;
+} sc_usage_map;
+
+static sc_usage_map x509_to_pkcs15_private_key_usage[16] = {
+ { SC_PKCS15INIT_X509_DIGITAL_SIGNATURE,
+  SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER },
+ { SC_PKCS15INIT_X509_NON_REPUDIATION, SC_PKCS15_PRKEY_USAGE_NONREPUDIATION },
+ { SC_PKCS15INIT_X509_KEY_ENCIPHERMENT, SC_PKCS15_PRKEY_USAGE_UNWRAP },
+ { SC_PKCS15INIT_X509_DATA_ENCIPHERMENT, SC_PKCS15_PRKEY_USAGE_DECRYPT },
+ { SC_PKCS15INIT_X509_KEY_AGREEMENT, SC_PKCS15_PRKEY_USAGE_DERIVE },
+ { SC_PKCS15INIT_X509_KEY_CERT_SIGN,
+  SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER },
+ { SC_PKCS15INIT_X509_CRL_SIGN,
+  SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER }
 };
 
-static unsigned int x509_to_pkcs15_public_key_usage[16] = {
- SC_PKCS15_PRKEY_USAGE_VERIFY
- | SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER, /* digitalSignature */
- SC_PKCS15_PRKEY_USAGE_NONREPUDIATION, /* NonRepudiation */
- SC_PKCS15_PRKEY_USAGE_WRAP, /* keyEncipherment */
- SC_PKCS15_PRKEY_USAGE_ENCRYPT, /* dataEncipherment */
- SC_PKCS15_PRKEY_USAGE_DERIVE, /* keyAgreement */
- SC_PKCS15_PRKEY_USAGE_VERIFY
- | SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER, /* keyCertSign */
- SC_PKCS15_PRKEY_USAGE_VERIFY
- | SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER, /* cRLSign */
+static sc_usage_map x509_to_pkcs15_public_key_usage[16] = {
+ { SC_PKCS15INIT_X509_DIGITAL_SIGNATURE,
+  SC_PKCS15_PRKEY_USAGE_VERIFY | SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER },
+ { SC_PKCS15INIT_X509_NON_REPUDIATION, SC_PKCS15_PRKEY_USAGE_NONREPUDIATION },
+ { SC_PKCS15INIT_X509_KEY_ENCIPHERMENT, SC_PKCS15_PRKEY_USAGE_WRAP },
+ { SC_PKCS15INIT_X509_DATA_ENCIPHERMENT, SC_PKCS15_PRKEY_USAGE_ENCRYPT },
+ { SC_PKCS15INIT_X509_KEY_AGREEMENT, SC_PKCS15_PRKEY_USAGE_DERIVE },
+ { SC_PKCS15INIT_X509_KEY_CERT_SIGN,
+  SC_PKCS15_PRKEY_USAGE_VERIFY | SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER },
+ { SC_PKCS15INIT_X509_CRL_SIGN,
+  SC_PKCS15_PRKEY_USAGE_VERIFY | SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER }
 };
 
 static int
 sc_pkcs15init_map_usage(unsigned long x509_usage, int _private)
 {
- unsigned int p15_usage, n, *bits;
+ unsigned int p15_usage = 0, n;
+ sc_usage_map   *map;
 
- bits = _private? x509_to_pkcs15_private_key_usage
+ map = _private ? x509_to_pkcs15_private_key_usage
       : x509_to_pkcs15_public_key_usage;
- for (n = p15_usage = 0; n < 16; n++) {
- if (x509_usage & ((0x80 >> (n % 8)) << (n / 8)))
- p15_usage |= bits[n];
+ for (n = 0; n < 16; n++) {
+ if (x509_usage & map[n].x509_usage)
+ p15_usage |= map[n].p15_usage;
  }
  return p15_usage;
 }
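Review bot: Bits of `x509_usage` that no table entry names — e.g. 0x0001 (encipherOnly), for which pkcs15-init.h defines no constant, or anything above 0x80 — are dropped without trace by the loop in sc_pkcs15init_map_usage, so a template requesting a usage the table lacks yields a key with fewer rights than asked for: the same failure mode this thread started with, for a different bit. The function has no sc_context to log through, so at minimum state the contract above it: `/* Map X.509 keyUsage bits to PKCS#15 key usage; bits without a table entry are ignored, and 0 is returned when none match. */`. The `[16]` on both tables is left over from the old one-slot-per-bit layout: only seven entries are populated and the loop reads the zero-filled tail, which is harmless (`x509_usage & 0` never matches) but misleading, so either drop the size and pass the element count alongside the pointer, or stop at the first entry whose x509_usage is 0 with `for (n = 0; n < 16 && map[n].x509_usage != 0; n++)`. Naming the new typedef `sc_usage_map_t` would follow the `sc_profile_t` convention pkcs15-init.h already uses.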
Index: src/pkcs15init/pkcs15-init.h
===================================================================
--- src/pkcs15init/pkcs15-init.h (Revision 2536)
+++ src/pkcs15init/pkcs15-init.h (Arbeitskopie)
@@ -13,6 +13,14 @@
 
 #include <opensc/pkcs15.h>
 
+#define SC_PKCS15INIT_X509_DIGITAL_SIGNATURE     0x0080UL
+#define SC_PKCS15INIT_X509_NON_REPUDIATION       0x0040UL
+#define SC_PKCS15INIT_X509_KEY_ENCIPHERMENT      0x0020UL
+#define SC_PKCS15INIT_X509_DATA_ENCIPHERMENT     0x0010UL
+#define SC_PKCS15INIT_X509_KEY_AGREEMENT         0x0008UL
+#define SC_PKCS15INIT_X509_KEY_CERT_SIGN         0x0004UL
+#define SC_PKCS15INIT_X509_CRL_SIGN              0x0002UL
+
 typedef struct sc_profile sc_profile_t; /* opaque type */
 
 struct sc_pkcs15init_operations {
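Review bot: The new SC_PKCS15INIT_X509_* constants carry no comment saying what the values are: they are the X.509 KeyUsage BIT STRING positions read MSB-first (digitalSignature = bit 0 = 0x80 of the first octet, which is what the `0x80 >> n` indexing of the old pkcs15-lib.c loop encoded), and encipherOnly (0x01) / decipherOnly get no constant, so a reader comparing the block with RFC 3280 section 4.2.1.3 has to work that out. Suggested comment above the block: `/* X.509 keyUsage bits (RFC 3280 4.2.1.3), MSB-first: bit 0 (digitalSignature) is 0x80 of the first octet. encipherOnly/decipherOnly are not mapped. */`. Since tools/pkcs15-init.c exposes these same values by name in x509_usage_names, the comment should also say the two must stay in step.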
Index: src/tools/pkcs15-init.c
===================================================================
--- src/tools/pkcs15-init.c (Revision 2545)
+++ src/tools/pkcs15-init.c (Arbeitskopie)
@@ -2047,13 +2047,13 @@
  const char* name;
  unsigned int flag;
  } x509_usage_names[] = {
- { "digitalSignature", 0x0080 },
- { "nonRepudiation",   0x0040 },
- { "keyEncipherment",  0x0020 },
- { "dataEncipherment", 0x0010 },
- { "keyAgreement",     0x0008 },
- { "keyCertSign",      0x0004 },
- { "cRLSign",          0x0002 },
+ { "digitalSignature", SC_PKCS15INIT_X509_DIGITAL_SIGNATURE },
+ { "nonRepudiation",   SC_PKCS15INIT_X509_NON_REPUDIATION   },
+ { "keyEncipherment",  SC_PKCS15INIT_X509_KEY_ENCIPHERMENT  },
+ { "dataEncipherment", SC_PKCS15INIT_X509_DATA_ENCIPHERMENT },
+ { "keyAgreement",     SC_PKCS15INIT_X509_KEY_AGREEMENT     },
+ { "keyCertSign",      SC_PKCS15INIT_X509_KEY_CERT_SIGN     },
+ { "cRLSign",          SC_PKCS15INIT_X509_CRL_SIGN          },
  { NULL, 0 }
  };
  static struct {
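Review bot: `flag` in x509_usage_names is still `unsigned int` while the constants it now holds are `unsigned long` (`0x0080UL` etc. in pkcs15-init.h) and `sc_pkcs15init_map_usage` takes `unsigned long x509_usage`; the values fit, so nothing breaks today, but the narrowing is silent and `-Wconversion` will flag it. Change the field to `unsigned long flag;` so the type follows the constants end to end. The struct declaration and its enclosing function begin and end outside the hunk.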

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: Problem with x509_usage mapping in opensc-trunk

Tarasov Viktor
Nils Larsch wrote:

> Tarasov Viktor wrote:
>
>> Hi,
>>
>> I have a problem with the email decryption, when using
>> private key, generated with Mozilla.
>>
>> Mozilla's key generation template contains the CKA_DECRYPT attr.,
>> but not the resulted key object.
>>
>> It seems, that the reason is the mapping of 'x509_usage' to 'pkcs15init
>> usage'.
>
>
> ops, again ;-) Could you please test the attached patch.

OK for me.

>
> Cheers,
> Nils

Regards,
Viktor.

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: Problem with x509_usage mapping in opensc-trunk

Nils Larsch
Tarasov Viktor wrote:

> Nils Larsch wrote:
>
>
>>Tarasov Viktor wrote:
>>
>>
>>>Hi,
>>>
>>>I have a problem with the email decryption, when using
>>>private key, generated with Mozilla.
>>>
>>>Mozilla's key generation template contains the CKA_DECRYPT attr.,
>>>but not the resulted key object.
>>>
>>>It seems, that the reason is the mapping of 'x509_usage' to 'pkcs15init
>>>usage'.
>>
>>
>>ops, again ;-) Could you please test the attached patch.
>
>
> OK for me.

ok, committed.

Thanks,
Nils
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel