d8e79f
commit 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37
d8e79f
Author: Petr Spacek <pspacek@redhat.com>
d8e79f
Date:   Fri Jul 18 16:19:36 2014 +0200
d8e79f
d8e79f
    add libhsm configuration option <allowextraction/>
d8e79f
    
d8e79f
    This option allows user to generate private keys with CKA_EXTRACTABLE
d8e79f
    flag set to TRUE. Defaults to FALSE.
d8e79f
d8e79f
diff --git a/NEWS b/NEWS
d8e79f
index 4db7038..2efa176 100644
d8e79f
--- a/NEWS
d8e79f
+++ b/NEWS
d8e79f
@@ -1,3 +1,8 @@
d8e79f
+* Enforcer: New repository option <allowextraction/> allows to generate keys
d8e79f
+  with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
d8e79f
+  and extracted from HSM.
d8e79f
+
d8e79f
+
d8e79f
 OpenDNSSEC 1.4.6 - 2014-07-21
d8e79f
 
d8e79f
 * Signer Engine: Print secondary server address when logging notify reply
d8e79f
diff --git a/conf/conf.rnc b/conf/conf.rnc
d8e79f
index 71d527f..65f837e 100644
d8e79f
--- a/conf/conf.rnc
d8e79f
+++ b/conf/conf.rnc
d8e79f
@@ -50,7 +50,10 @@ start = element Configuration {
d8e79f
 			element RequireBackup { empty }?,
d8e79f
 
d8e79f
 			# Do not maintain public keys in the repository (optional)
d8e79f
-			element SkipPublicKey { empty }?
d8e79f
+			element SkipPublicKey { empty }?,
d8e79f
+
d8e79f
+			# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
d8e79f
+			element AllowExtraction { empty }?
d8e79f
 		}*
d8e79f
 	},
d8e79f
 
d8e79f
diff --git a/conf/conf.xml.in b/conf/conf.xml.in
d8e79f
index 0ef2ab9..0536681 100644
d8e79f
--- a/conf/conf.xml.in
d8e79f
+++ b/conf/conf.xml.in
d8e79f
@@ -9,6 +9,9 @@
d8e79f
 			<tokenlabel>OpenDNSSEC</tokenlabel>
d8e79f
 			<pin>1234</pin>
d8e79f
 			<skippublickey/>
d8e79f
+			
d8e79f
+			<allowextraction/>
d8e79f
+			-->
d8e79f
 		</repository>
d8e79f
 
d8e79f
 
d8e79f
diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
d8e79f
index d723b31..1f9720e 100644
d8e79f
--- a/libhsm/src/lib/libhsm.c
d8e79f
+++ b/libhsm/src/lib/libhsm.c
d8e79f
@@ -504,6 +504,7 @@ static void
d8e79f
 hsm_config_default(hsm_config_t *config)
d8e79f
 {
d8e79f
     config->use_pubkey = 1;
d8e79f
+    config->allow_extract = 0;
d8e79f
 }
d8e79f
 
d8e79f
 /* creates a session_t structure, and automatically adds and initializes
d8e79f
@@ -2054,6 +2055,8 @@ hsm_open(const char *config,
d8e79f
                     module_pin = (char *) xmlNodeGetContent(curNode);
d8e79f
                 if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
d8e79f
                     module_config.use_pubkey = 0;
d8e79f
+                if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
d8e79f
+                    module_config.allow_extract = 1;
d8e79f
                 curNode = curNode->next;
d8e79f
             }
d8e79f
 
d8e79f
@@ -2341,10 +2344,12 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
d8e79f
     CK_BBOOL ctrue = CK_TRUE;
d8e79f
     CK_BBOOL cfalse = CK_FALSE;
d8e79f
     CK_BBOOL ctoken = CK_TRUE;
d8e79f
+    CK_BBOOL cextractable = CK_FALSE;
d8e79f
 
d8e79f
     if (!ctx) ctx = _hsm_ctx;
d8e79f
     session = hsm_find_repository_session(ctx, repository);
d8e79f
     if (!session) return NULL;
d8e79f
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
d8e79f
 
d8e79f
     /* check whether this key doesn't happen to exist already */
d8e79f
     do {
d8e79f
@@ -2380,7 +2385,7 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
d8e79f
         { CKA_SENSITIVE,   &ctrue,   sizeof (ctrue) },
d8e79f
         { CKA_TOKEN,       &ctrue,   sizeof (ctrue)  },
d8e79f
         { CKA_PRIVATE,     &ctrue,   sizeof (ctrue)  },
d8e79f
-        { CKA_EXTRACTABLE, &cfalse,  sizeof (cfalse) }
d8e79f
+        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
d8e79f
     };
d8e79f
 
d8e79f
     rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
d8e79f
@@ -2420,6 +2425,7 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
d8e79f
     CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
d8e79f
     CK_BBOOL ctrue = CK_TRUE;
d8e79f
     CK_BBOOL cfalse = CK_FALSE;
d8e79f
+    CK_BBOOL cextractable = CK_FALSE;
d8e79f
 
d8e79f
     /* ids we create are 16 bytes of data */
d8e79f
     unsigned char id[16];
d8e79f
@@ -2466,12 +2472,13 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
d8e79f
         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
d8e79f
         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
d8e79f
         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
d8e79f
-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
d8e79f
+        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
d8e79f
     };
d8e79f
 
d8e79f
     if (!ctx) ctx = _hsm_ctx;
d8e79f
     session = hsm_find_repository_session(ctx, repository);
d8e79f
     if (!session) return NULL;
d8e79f
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
d8e79f
 
d8e79f
     /* check whether this key doesn't happen to exist already */
d8e79f
 
d8e79f
@@ -2533,6 +2540,7 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
d8e79f
     CK_OBJECT_HANDLE publicKey, privateKey;
d8e79f
     CK_BBOOL ctrue = CK_TRUE;
d8e79f
     CK_BBOOL cfalse = CK_FALSE;
d8e79f
+    CK_BBOOL cextractable = CK_FALSE;
d8e79f
 
d8e79f
     /* ids we create are 16 bytes of data */
d8e79f
     unsigned char id[16];
d8e79f
@@ -2569,12 +2577,13 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
d8e79f
         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
d8e79f
         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
d8e79f
         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
d8e79f
-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
d8e79f
+        { CKA_EXTRACTABLE,         &cextractable,  sizeof (cextractable) }
d8e79f
     };
d8e79f
 
d8e79f
     if (!ctx) ctx = _hsm_ctx;
d8e79f
     session = hsm_find_repository_session(ctx, repository);
d8e79f
     if (!session) return NULL;
d8e79f
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
d8e79f
 
d8e79f
     /* check whether this key doesn't happen to exist already */
d8e79f
 
d8e79f
diff --git a/libhsm/src/lib/libhsm.h b/libhsm/src/lib/libhsm.h
d8e79f
index 45d110a..08224b8 100644
d8e79f
--- a/libhsm/src/lib/libhsm.h
d8e79f
+++ b/libhsm/src/lib/libhsm.h
d8e79f
@@ -75,6 +75,7 @@
d8e79f
 /*! HSM configuration */
d8e79f
 typedef struct {
d8e79f
     unsigned int use_pubkey;     /*!< Maintain public keys in HSM */
d8e79f
+    unsigned int allow_extract;  /*!< Generate CKA_EXTRACTABLE private keys */
d8e79f
 } hsm_config_t;
d8e79f
 
d8e79f
 /*! Data type to describe an HSM */
d8e79f
--- a/conf/conf.rng
d8e79f
+++ b/conf/conf.rng
d8e79f
@@ -71,6 +71,12 @@
d8e79f
                 <empty/>
d8e79f
               </element>
d8e79f
             </optional>
d8e79f
+            <optional>
d8e79f
+              
d8e79f
+              <element name="AllowExtraction">
d8e79f
+                <empty/>
d8e79f
+              </element>
d8e79f
+            </optional>
d8e79f
           </element>
d8e79f
         </zeroormore>
d8e79f
       </element>