reintroduce old api (HsmKeyParams) struct based and exposed functions
cps-b committed Nov 22, 2023
1 parent 6d0d7b5 commit d1d88d3
Showing 3 changed files with 91 additions and 1 deletion.
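--- a/src/key.cpp
+++ b/src/key.cpp
@@ -245,6 +245,27 @@ AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
 }
 }
 
+AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
+const RSASpec &spec,
+const std::string &keyLabel,
+const std::vector<uint8_t> &keyID,
+const HsmKeyParams &params)
+{
+// libp11 uses 128 byte buffer
+if (keyID.size() >= 64) {
+throw MoCOCrWException("Invalid keyID - key longer than 63 bytes");
+}
+try {
+HsmKeyParameters parameters = HsmKeyParameters::Builder{}.setExtractable(params.cka_extractable).build();
+return AsymmetricKeypair{hsm.generateKey(spec, keyLabel, keyID, parameters)};
+} catch (const openssl::OpenSSLException &e) {
+throw MoCOCrWException(
+// wrong token-label? using unsupported ECC curve? HSM module implementation?
+std::string("Key generation failed for unknown reason. OpenSSL error: ") +
+e.what());
+}
+}
+
 AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
 const ECCSpec &spec,
 const std::string &keyLabel,
@@ -283,6 +304,28 @@ AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
 e.what());
 }
 }
+
+AsymmetricKeypair AsymmetricKeypair::generateKeyOnHSM(HSM &hsm,
+const ECCSpec &spec,
+const std::string &keyLabel,
+const std::vector<uint8_t> &keyID,
+const HsmKeyParams &params)
+{
+// libp11 uses 128 byte buffer
+if (keyID.size() >= 64) {
+throw MoCOCrWException("Invalid keyID - key longer than 63 bytes");
+}
+try {
+HsmKeyParameters parameters = HsmKeyParameters::Builder{}.setExtractable(params.cka_extractable).build();
+return AsymmetricKeypair{hsm.generateKey(spec, keyLabel, keyID, parameters)};
+} catch (const openssl::OpenSSLException &e) {
+throw MoCOCrWException(
+// wrong token-label? using unsupported ECC curve? HSM module implementation?
+std::string("Key generation failed for unknown reason. OpenSSL error: ") +
+e.what());
+}
+}
+
 #endif
 
 AsymmetricKey RSASpec::generate() const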
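Review bot: Both new overloads read only `params.cka_extractable` when building `HsmKeyParameters` (the `setExtractable(...)` line in the RSA overload and again in the ECC overload), so whatever a caller put in `HsmKeyParams::cka_sensitive` is silently discarded. A caller of the old API who relied on that flag to control how the private key is protected on the token now gets whatever the new builder defaults to, with no error or log. Either map the field onto the corresponding `HsmKeyParameters` setting if one exists, or reject unsupported values up front, e.g. `if (!params.cka_sensitive) throw MoCOCrWException("cka_sensitive=false is not supported");`, and state the behaviour in the header docs. The two bodies are otherwise copies of each other; the RSA one even keeps the "unsupported ECC curve" hint in its catch block.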
7 changes: 6 additions & 1 deletion src/mococrw/hsm.h
@@ -26,7 +26,12 @@ class ECCSpec;
class RSASpec;



// Needed for old deprecated API
struct HsmKeyParams
{
bool cka_extractable = false;
bool cka_sensitive = true;
};

/**
* This class currently contains PKCS#11 attributes which are changeable on key creation.
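Review bot: The comment on `HsmKeyParams` says only that it is needed for the old API; it names neither the replacement type nor what the two flags mean for key protection. I would write `// Deprecated: kept for the struct-based generateKeyOnHSM overloads; new code should use HsmKeyParameters.` above the struct. A short per-field comment should add that the names presumably mirror the PKCS#11 attributes CKA_EXTRACTABLE and CKA_SENSITIVE, and that the defaults (not extractable, sensitive) are the restrictive choice.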
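--- a/src/mococrw/key.h
+++ b/src/mococrw/key.h
@@ -341,6 +341,27 @@ class AsymmetricKeypair : public AsymmetricPublicKey
 const std::vector<uint8_t> &keyID,
 const HsmKeyParameters &params);
 
+/** Deprecated func
+* @brief Generates RSA keypair on HSM token according to the spec given.
+* @note PKCS#11 standard has no rule to avoid having keys with duplicate labels and/or ids.
+* Therefore care should be taken when generating keys with other tools on the same token.
+* @param hsm HSM engine handle
+* @param spec @ref RSASpec
+* @param keyLabel String based description of an object on the token. It
+* can be used in combination with keyID to identify an object.
+* @param keyID raw bytes based key identifer
+* @param Struct to set key generation attributes
+* @return AsymmetricKeypair @ref AsymmetricKeypair
+* @throw MoCOCrWException Since most of the logic is happening outside of OpenSSL and inside
+* libp11 and HSM module implementation, we can't know exactly what went wrong. libp11 does log
+* some things to stderr, check if there's more context there
+*/
+static AsymmetricKeypair generateKeyOnHSM(HSM &hsm,
+const RSASpec &spec,
+const std::string &keyLabel,
+const std::vector<uint8_t> &keyID,
+const HsmKeyParams &params);
+
 /**
 * @brief Generates ECC keypair on HSM token according to the spec given.
 * @note PKCS#11 standard has no rule to avoid having keys with duplicate labels and/or ids.
@@ -380,6 +401,27 @@ class AsymmetricKeypair : public AsymmetricPublicKey
 const std::string &keyLabel,
 const std::vector<uint8_t> &keyID,
 const HsmKeyParameters &params);
+
+/** Deprecated func
+* @brief Generates ECC keypair on HSM token according to the spec given.
+* @note PKCS#11 standard has no rule to avoid having keys with duplicate labels and/or ids.
+* Therefore care should be taken when generating keys with other tools on the same token.
+* @param hsm HSM engine handle
+* @param spec @ref ECCSpec
+* @param keyLabel String based description of an object on the token. It
+* can be used in combination with keyID to identify an object.
+* @param keyID raw bytes based key identifer
+* @param Struct to set key generation attributes
+* @return AsymmetricKeypair @ref AsymmetricKeypair
+* @throw MoCOCrWException Since most of the logic is happening outside of OpenSSL and inside
+* libp11 and HSM module implementation, we can't know exactly what went wrong. libp11 does log
+* some things to stderr, check if there's more context there
+*/
+static AsymmetricKeypair generateKeyOnHSM(HSM &hsm,
+const ECCSpec &spec,
+const std::string &keyLabel,
+const std::vector<uint8_t> &keyID,
+const HsmKeyParams &params);
 #endif
 
 private: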
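Review bot: The `@param Struct to set key generation attributes` line in both new doc blocks has no parameter name, so Doxygen will take `Struct` as the name and leave `params` undocumented; it should read `@param params Struct to set key generation attributes`. "Deprecated func" in the opening line is also free text: `@deprecated Use the HsmKeyParameters overload instead.` would show up in the generated docs, and, if the project builds as C++14 or later, `[[deprecated("use the HsmKeyParameters overload")]]` on the two declarations would give callers a compile-time warning. `identifer` is a typo for `identifier`. Both declarations sit inside a class and a preprocessor block that start outside the hunks.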
