[Opensc-commits] [OpenSC/libp11] c31528: Introduce generic keypair generation interface and...

[Michał T. <no...@gi...>]

  Branch: refs/heads/master
  Home:   https://github.com/OpenSC/libp11
  Commit: c315280642c48cb13e847eba777d0167715acf60
      https://github.com/OpenSC/libp11/commit/c315280642c48cb13e847eba777d0167715acf60
  Author: Rafael Junio da Cruz <raf...@pr...>
  Date:   2025-04-04 (Fri, 04 Apr 2025)

  Changed paths:
    M .gitignore
    M src/eng_back.c
    M src/eng_front.c
    M src/engine.h
    M src/libp11-int.h
    M src/libp11.exports
    M src/libp11.h
    M src/p11_front.c
    M src/p11_key.c
    M src/p11_slot.c
    M src/util.h
    M src/util_uri.c
    M tests/Makefile.am
    A tests/ec-keygen.c
    A tests/ec-keygen.softhsm
    A tests/rsa-keygen.c
    A tests/rsa-keygen.softhsm

  Log Message:
  -----------
  Introduce generic keypair generation interface and engine ctrl command

As discussed in https://github.com/OpenSC/libp11/pull/379 and
https://github.com/OpenSC/libp11/pull/378 we need a generic interface
that supports multiple algorithms for key generation. Attempt was made
to create a new keygen method and register it in PKCS11_pkey_meths() in
p11_pkey.c (so that it's possible to generate keys using OpenSSL's
EVP_PKEY_* API) but multiple design issues appeared. How and where do you
pass the key ID, token label and alike was the first question. As
suggested by the maintainer here:
https://github.com/OpenSC/libp11/pull/379#issuecomment-820588833,
app_data from EVP_PKEY_CTX was (mis)used and that worked well. The
reason why this approach was abandoned is because a good (or bad) way
to get a handle of the PKCS11_CTX_private, that is necessary for the
Cryptoki call, was not found.
The way other operations work is that they rely on the key being
loaded *_first_* through ENGINE_load_public(private)_key because this
is when the PKCS11_CTX gets initialized and a handle to
PKCS11_OBJECT_private gets set to the ex_data of the underlying key.
Key generation obviously cannot rely on that mechanism since key
doesn't yet exist.

Instead, a generic PKCS11_generate_key interface was made that
takes a structure describing the key generation algorithm. For now
it only contains simple options like curve name for ECC or number
of bits for RSA key generation. It also possible to configure
CKA_SENSITIVE and CKA_EXTRACTABLE key attributes. This interface can
then be used as any other PKCS11 wrapper interface or using the ENGINE
control commands. Using it with ENGINE control commands is demonstrated
in the new tests/keygen.c file.

Code for ECC keygen was taken from:
https://github.com/OpenSC/libp11/pull/379 and reworked to compile and
work with some new additions to libp11 i.e. templates.



To unsubscribe from these emails, change your notification settings at https://github.com/OpenSC/libp11/settings/notifications