Skip to content

Commit

Permalink
Reintroduce deprecated cka api for compatibility (#158)
Browse files Browse the repository at this point in the history
  • Loading branch information
@cps-b
cps-b authored Nov 23, 2023
1 parent 0169669 commit 6c90a22
Show file tree
Hide file tree
Showing 7 changed files with 115 additions and 24 deletions.
8 changes: 4 additions & 4 deletions src/hsm.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -188,14 +188,14 @@ openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const RSASpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID)
{
HsmKeyParams hsmKeyParams = HsmKeyParams::Builder{}.setExtractable(false).build();
HsmKeyParameters hsmKeyParams = HsmKeyParameters::Builder{}.setExtractable(false).build();
return generateKey(spec, keyLabel, keyID, hsmKeyParams);
}

openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const RSASpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params)
const HsmKeyParameters &params)
{
try {
// We need to make sure that we don't have 2 keys with the same ID.
Expand Down Expand Up @@ -233,14 +233,14 @@ openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const ECCSpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID)
{
HsmKeyParams hsmKeyParams = HsmKeyParams::Builder{}.setExtractable(false).build();
HsmKeyParameters hsmKeyParams = HsmKeyParameters::Builder{}.setExtractable(false).build();
return generateKey(spec, keyLabel, keyID, hsmKeyParams);
}

openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const ECCSpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params)
const HsmKeyParameters &params)
{
try {
// We need to make sure that we don't have 2 keys with the same ID.
Expand Down
49 changes: 43 additions & 6 deletions src/key.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -211,7 +211,6 @@ AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID)
{
// libp11 uses 128 byte buffer
if (keyID.size() >= 64) {
throw MoCOCrWException("Invalid keyID - key longer than 63 bytes");
}
Expand All @@ -229,9 +228,8 @@ AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
const RSASpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params)
const HsmKeyParameters &params)
{
// libp11 uses 128 byte buffer
if (keyID.size() >= 64) {
throw MoCOCrWException("Invalid keyID - key longer than 63 bytes");
}
Expand All @@ -245,12 +243,31 @@ AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
}
}

AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
const RSASpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params)
{
if (keyID.size() >= 64) {
throw MoCOCrWException("Invalid keyID - key longer than 63 bytes");
}
try {
HsmKeyParameters parameters = HsmKeyParameters::Builder{}.setExtractable(params.cka_extractable).build();
return AsymmetricKeypair{hsm.generateKey(spec, keyLabel, keyID, parameters)};
} catch (const openssl::OpenSSLException &e) {
throw MoCOCrWException(
// wrong token-label? using unsupported ECC curve? HSM module implementation?
std::string("Key generation failed for unknown reason. OpenSSL error: ") +
e.what());
}
}

AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
const ECCSpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID)
{
// libp11 uses 128 byte buffer
if (keyID.size() >= 64) {
throw MoCOCrWException("Invalid keyID - key longer than 63 bytes");
}
Expand All @@ -268,9 +285,8 @@ AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
const ECCSpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params)
const HsmKeyParameters &params)
{
// libp11 uses 128 byte buffer
if (keyID.size() >= 64) {
throw MoCOCrWException("Invalid keyID - key longer than 63 bytes");
}
Expand All @@ -283,6 +299,27 @@ AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
e.what());
}
}

AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
const ECCSpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params)
{
if (keyID.size() >= 64) {
throw MoCOCrWException("Invalid keyID - key longer than 63 bytes");
}
try {
HsmKeyParameters parameters = HsmKeyParameters::Builder{}.setExtractable(params.cka_extractable).build();
return AsymmetricKeypair{hsm.generateKey(spec, keyLabel, keyID, parameters)};
} catch (const openssl::OpenSSLException &e) {
throw MoCOCrWException(
// wrong token-label? using unsupported ECC curve? HSM module implementation?
std::string("Key generation failed for unknown reason. OpenSSL error: ") +
e.what());
}
}

#endif

AsymmetricKey RSASpec::generate() const
Expand Down
28 changes: 19 additions & 9 deletions src/mococrw/hsm.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,19 @@ namespace mococrw
class ECCSpec;
class RSASpec;


// Needed for old deprecated API
struct HsmKeyParams
{
bool cka_extractable = false;
bool cka_sensitive = true;
};

/**
* This class currently contains PKCS#11 attributes which are changeable on key creation.
* In the future also parameters for other keystorage interfaces can be added.
*/
class HsmKeyParams
class HsmKeyParameters
{
public:
class Builder;
Expand All @@ -43,10 +51,10 @@ class HsmKeyParams
* Check https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
* for more details.
*/
HsmKeyParams() : _extractable(false) {}
HsmKeyParameters() : _extractable(false) {}
};

class HsmKeyParams::Builder
class HsmKeyParameters::Builder
{
public:
Builder() {}
Expand All @@ -56,10 +64,10 @@ class HsmKeyParams::Builder
return *this;
}

HsmKeyParams build() { return params_; }
HsmKeyParameters build() { return params_; }

private:
HsmKeyParams params_;
HsmKeyParameters params_;
};

/**
Expand Down Expand Up @@ -143,7 +151,7 @@ class HSM
virtual openssl::SSL_EVP_PKEY_Ptr generateKey(const RSASpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params) = 0;
const HsmKeyParameters &params) = 0;

/**
* @brief Generate a ECC key pair on the HSM
Expand All @@ -158,7 +166,7 @@ class HSM
virtual openssl::SSL_EVP_PKEY_Ptr generateKey(const ECCSpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params) = 0;
const HsmKeyParameters &params) = 0;
};

/**
Expand Down Expand Up @@ -218,12 +226,14 @@ class HsmEngine : public HSM
openssl::SSL_EVP_PKEY_Ptr generateKey(const RSASpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params) override;
const HsmKeyParameters &params) override;

openssl::SSL_EVP_PKEY_Ptr generateKey(const ECCSpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params) override;
const HsmKeyParameters &params) override;



private:
/**
Expand Down
44 changes: 44 additions & 0 deletions src/mococrw/key.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -335,6 +335,28 @@ class AsymmetricKeypair : public AsymmetricPublicKey
* libp11 and HSM module implementation, we can't know exactly what went wrong. libp11 does log
* some things to stderr, check if there's more context there
*/
static AsymmetricKeypair generateKeyOnHSM(HSM &hsm,
const RSASpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParameters &params);

/**
* @brief Generates RSA keypair on HSM token according to the spec given.
* @note PKCS#11 standard has no rule to avoid having keys with duplicate labels and/or ids.
* Therefore care should be taken when generating keys with other tools on the same token.
* @param hsm HSM engine handle
* @param spec @ref RSASpec
* @param keyLabel String based description of an object on the token. It
* can be used in combination with keyID to identify an object.
* @param keyID raw bytes based key identifer
* @param Struct to set key generation attributes
* @return AsymmetricKeypair @ref AsymmetricKeypair
* @throw MoCOCrWException Since most of the logic is happening outside of OpenSSL and inside
* libp11 and HSM module implementation, we can't know exactly what went wrong. libp11 does log
* some things to stderr, check if there's more context there
*/
[[deprecated]]
static AsymmetricKeypair generateKeyOnHSM(HSM &hsm,
const RSASpec &spec,
const std::string &keyLabel,
Expand Down Expand Up @@ -375,6 +397,28 @@ class AsymmetricKeypair : public AsymmetricPublicKey
* libp11 and HSM module implementation, we can't know exactly what went wrong. libp11 does log
* some things to stderr, check if there's more context there
*/
static AsymmetricKeypair generateKeyOnHSM(HSM &hsm,
const ECCSpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParameters &params);

/**
* @brief Generates ECC keypair on HSM token according to the spec given.
* @note PKCS#11 standard has no rule to avoid having keys with duplicate labels and/or ids.
* Therefore care should be taken when generating keys with other tools on the same token.
* @param hsm HSM engine handle
* @param spec @ref ECCSpec
* @param keyLabel String based description of an object on the token. It
* can be used in combination with keyID to identify an object.
* @param keyID raw bytes based key identifer
* @param Struct to set key generation attributes
* @return AsymmetricKeypair @ref AsymmetricKeypair
* @throw MoCOCrWException Since most of the logic is happening outside of OpenSSL and inside
* libp11 and HSM module implementation, we can't know exactly what went wrong. libp11 does log
* some things to stderr, check if there's more context there
*/
[[deprecated]]
static AsymmetricKeypair generateKeyOnHSM(HSM &hsm,
const ECCSpec &spec,
const std::string &keyLabel,
Expand Down
4 changes: 2 additions & 2 deletions tests/integration/hsm-integration-test.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -452,9 +452,9 @@ int main(void)
/**
* Generate extractable and non-extractable keys for ECC and RSA
*/
HsmKeyParams hsmKeyParamsExtract = HsmKeyParams::Builder{}.setExtractable(true).build();
HsmKeyParameters hsmKeyParamsExtract = HsmKeyParameters::Builder{}.setExtractable(true).build();

HsmKeyParams hsmKeyParamsDefault = HsmKeyParams::Builder{}.build();
HsmKeyParameters hsmKeyParamsDefault = HsmKeyParameters::Builder{}.build();

/* We need a new token otherwise the keys generated before litter the slot */

Expand Down
4 changes: 2 additions & 2 deletions tests/unit/hsm_mock.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,12 +54,12 @@ class HSMMock final : public HSM
openssl::SSL_EVP_PKEY_Ptr(const RSASpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params));
const HsmKeyParameters &params));
MOCK_METHOD4(generateKey,
openssl::SSL_EVP_PKEY_Ptr(const ECCSpec &spec,
const std::string &keyLabel,
const std::vector<uint8_t> &keyID,
const HsmKeyParams &params));
const HsmKeyParameters &params));
};

} // namespace mococrw
2 changes: 1 addition & 1 deletion tests/unit/test_hsm.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ TEST_F(HSMTest, testHSMKeygenWithParams)
auto hsm = initialiseEngine();
std::string keyLabel{"key-label"};
std::vector<uint8_t> keyId{0x12};
HsmKeyParams params = HsmKeyParams::Builder{}.setExtractable(true).build();
HsmKeyParameters params = HsmKeyParameters::Builder{}.setExtractable(true).build();
EXPECT_CALL(_mock(),
SSL_ENGINE_ctrl_cmd_string(
engine, StrEq("PIN"), StrEq(pin.c_str()), 0 /*non-optional*/))
Expand Down

0 comments on commit 6c90a22

Please sign in to comment.