pkcs11 rt20236

f89a9bcf · Francis Dupont · b091b4bb · f89a9bcf · f89a9bcf
Commit f89a9bcf authored Oct 05, 2009 by Francis Dupont
Hide whitespace changes
Inline Side-by-side

Showing with 82 additions and 20 deletions

bin/pkcs11/pkcs11-keygen.c bin/pkcs11/pkcs11-keygen.c +53 -15

bin/pkcs11/pkcs11-keygen.docbook bin/pkcs11/pkcs11-keygen.docbook +29 -5

No files found.
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -6,7 +6,8 @@
 * it into a zone file.
 *
 * usage:
- * pkcs11-keygen [-P] [-m module] [-s slot] -b keysize -l label [-p pin] 
+ * pkcs11-keygen [-P] [-m module] [-s slot] [-e] -b keysize
+ *               -l label [-i id] [-p pin] 
 *
 */

@@ -45,10 +46,14 @@ main(int argc, char *argv[])
    CK_ULONG modulusbits = 0;
    CK_CHAR *label = NULL;
    CK_OBJECT_HANDLE privatekey, publickey;
-    CK_BYTE public_exponent[3];
+    CK_BYTE public_exponent[5];
+    CK_ULONG expsize = 3;
    int error = 0;
    int c, errflg = 0;
    int hide = 1;
+    int idlen = 0;
+    unsigned long id = 0;
+    CK_BYTE idbuf[4];
    CK_ULONG ulObjectCount;
    /* Set search template */
    CK_ATTRIBUTE search_template[] = {
@@ -59,20 +64,24 @@ main(int argc, char *argv[])
        {CKA_VERIFY, &truevalue, sizeof (truevalue)},
        {CKA_TOKEN, &truevalue, sizeof (truevalue)},
        {CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)},
-        {CKA_PUBLIC_EXPONENT, &public_exponent, sizeof (public_exponent)}
+        {CKA_PUBLIC_EXPONENT, &public_exponent, expsize},
+	{CKA_ID, &idbuf, idlen}
    };
+    CK_ULONG publickey_attrcnt = 6;
    CK_ATTRIBUTE privatekey_template[] = {
        {CKA_LABEL, NULL_PTR, 0},
        {CKA_SIGN, &truevalue, sizeof (truevalue)},
        {CKA_TOKEN, &truevalue, sizeof (truevalue)},
        {CKA_PRIVATE, &truevalue, sizeof (truevalue)},
        {CKA_SENSITIVE, &truevalue, sizeof (truevalue)},
-        {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)}
+        {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)},
+	{CKA_ID, &idbuf, idlen}
    };
+    CK_ULONG privatekey_attrcnt = 7;
    extern char *optarg;
    extern int optopt;
    
-    while ((c = getopt(argc, argv, ":Pm:s:b:i:l:p:")) != -1) {
+    while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) {
        switch (c) {
 	case 'P':
 	    hide = 0;
@@ -83,12 +92,19 @@ main(int argc, char *argv[])
 	case 's':
 	    slot = atoi(optarg);
 	    break;
+	case 'e':
+	    expsize = 5;
+	    break;
        case 'b':
            modulusbits = atoi(optarg);
            break;
        case 'l':
            label = (CK_CHAR *)optarg;
            break;
+	case 'i':
+	    id = strtoul(optarg, NULL, 0);
+	    idlen = 4;
+	    break;
        case 'p':
            pin = (CK_UTF8CHAR *)optarg;
            break;
@@ -104,8 +120,10 @@ main(int argc, char *argv[])
    }
    if ((errflg) || (!modulusbits) || (!label)) {
        fprintf(stderr,
-		"usage: pkcs11-keygen [-P] [-m module] [-s slot] "
-		"-b keysize -l label [-p pin]\n");
+		"usage: pkcs11-keygen "
+		"[-P] [-m module] [-s slot] [-e] -b keysize\n"
+		"                     "
+		"-l label [-i id] [-p pin]\n");
        exit(2);
    }
    
@@ -116,16 +134,39 @@ main(int argc, char *argv[])
    privatekey_template[0].pValue = label;
    privatekey_template[0].ulValueLen = strlen((char *)label);

-    /* Set public exponent to 65537 */
+    /* Set public exponent to F4 or F5 */
    public_exponent[0] = 0x01;
    public_exponent[1] = 0x00;
-    public_exponent[2] = 0x01;
+    if (expsize == 3)
+	public_exponent[2] = 0x01;
+    else {
+	publickey_template[4].ulValueLen = expsize;
+	public_exponent[2] = 0x00;
+	public_exponent[3] = 0x00;
+	public_exponent[4] = 0x01;
+    }

    /* Set up mechanism for generating key pair */
    genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
    genmech.pParameter = NULL_PTR;
    genmech.ulParameterLen = 0;

+    if (idlen == 0) {
+        publickey_attrcnt--;
+        privatekey_attrcnt--;
+    } else if (id <= 0xffff) {
+	idlen = 2;
+	publickey_template[5].ulValueLen = idlen;
+	privatekey_template[6].ulValueLen = idlen;
+	idbuf[0] = id >> 8;
+	idbuf[1] = id & 0xff;
+    } else {
+        idbuf[0] = id >> 24;
+	idbuf[1] = (id >> 16) & 0xff;
+	idbuf[2] = (id >> 8) & 0xff;
+	idbuf[3] = id & 0xff;
+    }
+
    /* Initialize the CRYPTOKI library */
    rv = C_Initialize(NULL_PTR);

@@ -186,12 +227,9 @@ main(int argc, char *argv[])
    }

    /* Generate Key pair for signing/verifying */
-    rv = C_GenerateKeyPair(hSession, &genmech, publickey_template,
-			   (sizeof (publickey_template) /
-			    sizeof (CK_ATTRIBUTE)),
-			   privatekey_template,
-			   (sizeof (privatekey_template) /
-			    sizeof (CK_ATTRIBUTE)),
+    rv = C_GenerateKeyPair(hSession, &genmech,
+			   publickey_template, publickey_attrcnt,
+			   privatekey_template, privatekey_attrcnt,
 			   &publickey, &privatekey);
        
    if (rv != CKR_OK) {

--- a/bin/pkcs11/pkcs11-keygen.docbook
+++ b/bin/pkcs11/pkcs11-keygen.docbook
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+               [<!ENTITY mdash "&#8212;">]>
 <!--
 - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 -
@@ -17,7 +17,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: pkcs11-keygen.docbook,v 1.2 2009/10/05 12:07:08 fdupont Exp $ -->
+<!-- $Id: pkcs11-keygen.docbook,v 1.3 2009/10/05 12:23:11 fdupont Exp $ -->
 <refentry id="man.pkcs11-keygen">
  <refentryinfo>
    <date>Sep 18, 2009</date>
@@ -47,8 +47,10 @@
      <arg><option>-P</option></arg>
      <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
      <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
+      <arg><option>-e</option></arg>
      <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
      <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
+      <arg><option>-i <replaceable class="parameter">id</replaceable></option></arg>
      <arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -98,6 +100,15 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term>-e</term>
+        <listitem>
+          <para>
+            Use a large exponent.
+          </para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term>-b <replaceable class="parameter">keysize</replaceable></term>
        <listitem>
@@ -113,6 +124,17 @@
        <listitem>
          <para>
            Create key objects with the given label.
+            This name must be unique.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-i <replaceable class="parameter">id</replaceable></term>
+        <listitem>
+          <para>
+            Create key objects with id. The id is either
+            an unsigned short 2 byte or an unsigned long 4 byte number.
          </para>
        </listitem>
      </varlistentry>
@@ -137,14 +159,16 @@
      </citerefentry>,
      <citerefentry>
        <refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
    </para>
  </refsect1>

  <refsect1>
    <title>CAVEAT</title>
-    <para>The public exponent is hard-wired to 65537.</para>
-    <para>The command should optionally set the object ID too.</para>
+    <para>Some PKCS#11 providers crash with big public exponent.</para>
  </refsect1>

  <refsect1>