[gnutls-devel] [PATCH] improve compatibility in pkcs11 key generation

Wolfgang Meyer zu Bergsten w.bergsten at sirrix.com
Mon Aug 4 15:39:04 CEST 2014


Hello,

find attached a patch for improving the compatibility of key generation
with the "CardOS API 5.1" PKCS#11 library.

regards
Wolfgang
-------------- next part --------------
From 85380b62e121456b188995836ced4b68b888ad20 Mon Sep 17 00:00:00 2001
From: Wolfgang Meyer zu Bergsten <w.mzb at mzb-it.de>
Date: Mon, 4 Aug 2014 15:32:53 +0200
Subject: [PATCH] improve compatibility in pkcs11 key generation

* add key wrap/unwrap key usage
* explicitly set public exponent in template
---
 devel/openssl        |  1 -
 lib/pkcs11_privkey.c | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
 delete mode 160000 devel/openssl

diff --git a/devel/openssl b/devel/openssl
deleted file mode 160000
index e09ea62..0000000
--- a/devel/openssl
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit e09ea622bba106e13ab85173c205f354b0f1d481
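Review bot: the deletion of the devel/openssl submodule (the whole `deleted file mode 160000` entry, `-Subproject commit e09ea62...`) is unrelated to the PKCS#11 key-generation change described in the subject and bullet points, and is not mentioned in the commit message; it looks like an accidental local state change that got committed and should be dropped from this patch so the series only touches lib/pkcs11_privkey.c.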
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index aba9f9d..686a85e 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -684,6 +684,8 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
 	mech.parameter_len = 0;
 	mech.mechanism = pk_to_genmech(pk, &key_type);
 
+	char pubEx[3] = { 1,0,1 }; // 65537 = 0x10001
+
 	switch (pk) {
 	case GNUTLS_PK_RSA:
 		p[p_val].type = CKA_DECRYPT;
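Review bot: `char pubEx[3] = { 1,0,1 };` is a declaration placed after statements and before the `switch`, so it is visible to every case even though only GNUTLS_PK_RSA uses it; move it to the top of the function with the other locals (or into the RSA case in its own block), and make it `const CK_BYTE` rather than `char`, since CKA_PUBLIC_EXPONENT is a big-endian byte string and plain `char` may be signed on some platforms. The name `pubEx` also does not follow the lowercase_underscore naming used in the surrounding code (`p_val`, `a_val`, `key_type`).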
@@ -696,6 +698,11 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
 		p[p_val].value_len = sizeof(tval);
 		p_val++;
 
+		p[p_val].type = CKA_UNWRAP;
+		p[p_val].value = (void*)&tval;
+		p[p_val].value_len = sizeof(tval);
+		p_val++;
+
 		a[a_val].type = CKA_ENCRYPT;
 		a[a_val].value = (void *) &tval;
 		a[a_val].value_len = sizeof(tval);
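Review bot: CKA_UNWRAP is added to the private-key template unconditionally, which widens the permitted uses of every RSA key generated through this function, not only on CardOS; keys generated for TLS signing or decryption do not need unwrap capability, and some tokens enforce these usage flags. If the CardOS API 5.1 library rejects templates without it, say so in a comment next to the new attribute and in the commit message, or gate it behind a flag so callers that do not want the extra usage are unaffected.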
@@ -706,10 +713,21 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
 		a[a_val].value_len = sizeof(tval);
 		a_val++;
 
+		a[a_val].type = CKA_WRAP;
+		a[a_val].value = (void*)&tval;
+		a[a_val].value_len = sizeof(tval);
+		a_val++;
+
 		a[a_val].type = CKA_MODULUS_BITS;
 		a[a_val].value = &_bits;
 		a[a_val].value_len = sizeof(_bits);
 		a_val++;
+		
+		a[a_val].type = CKA_PUBLIC_EXPONENT;
+		a[a_val].value = pubEx;
+		a[a_val].value_len = sizeof(pubEx);
+		a_val++;
+
 		break;
 	case GNUTLS_PK_DSA:
 		p[p_val].type = CKA_SIGN;
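Review bot: the added blank line before `a[a_val].type = CKA_PUBLIC_EXPONENT;` carries trailing whitespace (`+		`), which git will flag; strip it. The same unconditional-usage concern applies to the new CKA_WRAP attribute on the public-key template as to CKA_UNWRAP on the private key. Setting CKA_PUBLIC_EXPONENT explicitly to 65537 is fine in itself and matches what most tokens default to; a one-line comment stating that CardOS requires the attribute to be present would make the intent clear to the next reader.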
-- 
1.9.3


