|
|
d8e79f3 |
commit 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37
|
|
|
d8e79f3 |
Author: Petr Spacek <pspacek@redhat.com>
|
|
|
d8e79f3 |
Date: Fri Jul 18 16:19:36 2014 +0200
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
add libhsm configuration option <AllowExtraction/>
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
This option allows user to generate private keys with CKA_EXTRACTABLE
|
|
|
d8e79f3 |
flag set to TRUE. Defaults to FALSE.
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
diff --git a/NEWS b/NEWS
|
|
|
d8e79f3 |
index 4db7038..2efa176 100644
|
|
|
d8e79f3 |
--- a/NEWS
|
|
|
d8e79f3 |
+++ b/NEWS
|
|
|
d8e79f3 |
@@ -1,3 +1,8 @@
|
|
|
d8e79f3 |
+* Enforcer: New repository option <AllowExtraction/> allows to generate keys
|
|
|
d8e79f3 |
+ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
|
|
|
d8e79f3 |
+ and extracted from HSM.
|
|
|
d8e79f3 |
+
|
|
|
d8e79f3 |
+
|
|
|
d8e79f3 |
OpenDNSSEC 1.4.6 - 2014-07-21
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
* Signer Engine: Print secondary server address when logging notify reply
|
|
|
d8e79f3 |
diff --git a/conf/conf.rnc b/conf/conf.rnc
|
|
|
d8e79f3 |
index 71d527f..65f837e 100644
|
|
|
d8e79f3 |
--- a/conf/conf.rnc
|
|
|
d8e79f3 |
+++ b/conf/conf.rnc
|
|
|
d8e79f3 |
@@ -50,7 +50,10 @@ start = element Configuration {
|
|
|
d8e79f3 |
element RequireBackup { empty }?,
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
# Do not maintain public keys in the repository (optional)
|
|
|
d8e79f3 |
- element SkipPublicKey { empty }?
|
|
|
d8e79f3 |
+ element SkipPublicKey { empty }?,
|
|
|
d8e79f3 |
+
|
|
|
d8e79f3 |
+ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
|
|
|
d8e79f3 |
+ element AllowExtraction { empty }?
|
|
|
d8e79f3 |
}*
|
|
|
d8e79f3 |
},
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
diff --git a/conf/conf.xml.in b/conf/conf.xml.in
|
|
|
d8e79f3 |
index 0ef2ab9..0536681 100644
|
|
|
d8e79f3 |
--- a/conf/conf.xml.in
|
|
|
d8e79f3 |
+++ b/conf/conf.xml.in
|
|
|
d8e79f3 |
@@ -9,6 +9,9 @@
|
|
|
d8e79f3 |
<TokenLabel>OpenDNSSEC</TokenLabel>
|
|
|
d8e79f3 |
<PIN>1234</PIN>
|
|
|
d8e79f3 |
<SkipPublicKey/>
|
|
|
d8e79f3 |
+
|
|
|
d8e79f3 |
+ <AllowExtraction/>
|
|
|
d8e79f3 |
+ -->
|
|
|
d8e79f3 |
</Repository>
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
|
|
|
d8e79f3 |
index d723b31..1f9720e 100644
|
|
|
d8e79f3 |
--- a/libhsm/src/lib/libhsm.c
|
|
|
d8e79f3 |
+++ b/libhsm/src/lib/libhsm.c
|
|
|
d8e79f3 |
@@ -504,6 +504,7 @@ static void
|
|
|
d8e79f3 |
hsm_config_default(hsm_config_t *config)
|
|
|
d8e79f3 |
{
|
|
|
d8e79f3 |
config->use_pubkey = 1;
|
|
|
d8e79f3 |
+ config->allow_extract = 0;
|
|
|
d8e79f3 |
}
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
/* creates a session_t structure, and automatically adds and initializes
|
|
|
d8e79f3 |
@@ -2054,6 +2055,8 @@ hsm_open(const char *config,
|
|
|
d8e79f3 |
module_pin = (char *) xmlNodeGetContent(curNode);
|
|
|
d8e79f3 |
if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
|
|
|
d8e79f3 |
module_config.use_pubkey = 0;
|
|
|
d8e79f3 |
+ if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
|
|
|
d8e79f3 |
+ module_config.allow_extract = 1;
|
|
|
d8e79f3 |
curNode = curNode->next;
|
|
|
d8e79f3 |
}
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
@@ -2341,10 +2344,12 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
|
|
|
d8e79f3 |
CK_BBOOL ctrue = CK_TRUE;
|
|
|
d8e79f3 |
CK_BBOOL cfalse = CK_FALSE;
|
|
|
d8e79f3 |
CK_BBOOL ctoken = CK_TRUE;
|
|
|
d8e79f3 |
+ CK_BBOOL cextractable = CK_FALSE;
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
if (!ctx) ctx = _hsm_ctx;
|
|
|
d8e79f3 |
session = hsm_find_repository_session(ctx, repository);
|
|
|
d8e79f3 |
if (!session) return NULL;
|
|
|
d8e79f3 |
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
/* check whether this key doesn't happen to exist already */
|
|
|
d8e79f3 |
do {
|
|
|
d8e79f3 |
@@ -2380,7 +2385,7 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
|
|
|
d8e79f3 |
{ CKA_SENSITIVE, &ctrue, sizeof (ctrue) },
|
|
|
d8e79f3 |
{ CKA_TOKEN, &ctrue, sizeof (ctrue) },
|
|
|
d8e79f3 |
{ CKA_PRIVATE, &ctrue, sizeof (ctrue) },
|
|
|
d8e79f3 |
- { CKA_EXTRACTABLE, &cfalse, sizeof (cfalse) }
|
|
|
d8e79f3 |
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
|
|
|
d8e79f3 |
};
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
|
|
|
d8e79f3 |
@@ -2420,6 +2425,7 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
|
|
|
d8e79f3 |
CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
|
|
|
d8e79f3 |
CK_BBOOL ctrue = CK_TRUE;
|
|
|
d8e79f3 |
CK_BBOOL cfalse = CK_FALSE;
|
|
|
d8e79f3 |
+ CK_BBOOL cextractable = CK_FALSE;
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
/* ids we create are 16 bytes of data */
|
|
|
d8e79f3 |
unsigned char id[16];
|
|
|
d8e79f3 |
@@ -2466,12 +2472,13 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
|
|
|
d8e79f3 |
{ CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
|
|
|
d8e79f3 |
{ CKA_TOKEN, &ctrue, sizeof(ctrue) },
|
|
|
d8e79f3 |
{ CKA_PRIVATE, &ctrue, sizeof(ctrue) },
|
|
|
d8e79f3 |
- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
|
|
|
d8e79f3 |
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
|
|
|
d8e79f3 |
};
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
if (!ctx) ctx = _hsm_ctx;
|
|
|
d8e79f3 |
session = hsm_find_repository_session(ctx, repository);
|
|
|
d8e79f3 |
if (!session) return NULL;
|
|
|
d8e79f3 |
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
/* check whether this key doesn't happen to exist already */
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
@@ -2533,6 +2540,7 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
|
|
|
d8e79f3 |
CK_OBJECT_HANDLE publicKey, privateKey;
|
|
|
d8e79f3 |
CK_BBOOL ctrue = CK_TRUE;
|
|
|
d8e79f3 |
CK_BBOOL cfalse = CK_FALSE;
|
|
|
d8e79f3 |
+ CK_BBOOL cextractable = CK_FALSE;
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
/* ids we create are 16 bytes of data */
|
|
|
d8e79f3 |
unsigned char id[16];
|
|
|
d8e79f3 |
@@ -2569,12 +2577,13 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
|
|
|
d8e79f3 |
{ CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
|
|
|
d8e79f3 |
{ CKA_TOKEN, &ctrue, sizeof(ctrue) },
|
|
|
d8e79f3 |
{ CKA_PRIVATE, &ctrue, sizeof(ctrue) },
|
|
|
d8e79f3 |
- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
|
|
|
d8e79f3 |
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
|
|
|
d8e79f3 |
};
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
if (!ctx) ctx = _hsm_ctx;
|
|
|
d8e79f3 |
session = hsm_find_repository_session(ctx, repository);
|
|
|
d8e79f3 |
if (!session) return NULL;
|
|
|
d8e79f3 |
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
/* check whether this key doesn't happen to exist already */
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
diff --git a/libhsm/src/lib/libhsm.h b/libhsm/src/lib/libhsm.h
|
|
|
d8e79f3 |
index 45d110a..08224b8 100644
|
|
|
d8e79f3 |
--- a/libhsm/src/lib/libhsm.h
|
|
|
d8e79f3 |
+++ b/libhsm/src/lib/libhsm.h
|
|
|
d8e79f3 |
@@ -75,6 +75,7 @@
|
|
|
d8e79f3 |
/*! HSM configuration */
|
|
|
d8e79f3 |
typedef struct {
|
|
|
d8e79f3 |
unsigned int use_pubkey; /*!< Maintain public keys in HSM */
|
|
|
d8e79f3 |
+ unsigned int allow_extract; /*!< Generate CKA_EXTRACTABLE private keys */
|
|
|
d8e79f3 |
} hsm_config_t;
|
|
|
d8e79f3 |
|
|
|
d8e79f3 |
/*! Data type to describe an HSM */
|
|
|
d8e79f3 |
--- a/conf/conf.rng
|
|
|
d8e79f3 |
+++ b/conf/conf.rng
|
|
|
d8e79f3 |
@@ -71,6 +71,12 @@
|
|
|
d8e79f3 |
<empty/>
|
|
|
d8e79f3 |
</element>
|
|
|
d8e79f3 |
</optional>
|
|
|
d8e79f3 |
+ <optional>
|
|
|
d8e79f3 |
+
|
|
|
d8e79f3 |
+ <element name="AllowExtraction">
|
|
|
d8e79f3 |
+ <empty/>
|
|
|
d8e79f3 |
+ </element>
|
|
|
d8e79f3 |
+ </optional>
|
|
|
d8e79f3 |
</element>
|
|
|
d8e79f3 |
</zeroOrMore>
|
|
|
d8e79f3 |
</element>
|