Add option to specify CKA_ID in generate-keypair and import-object

Signed-off-by: Zoltan Fridrich <[email protected]>
p11-glue · Jan 5, 2024 · 3a6977d · 3a6977d
1 parent 304db35
commit 3a6977d
Show file tree

Hide file tree

Showing 6 changed files with 175 additions and 20 deletions.
diff --git a/common/hex.c b/common/hex.c
@@ -35,8 +35,10 @@
 
 #include "config.h"
 #include "hex.h"
+#include <limits.h>
 #include <stdint.h>
 #include <stdlib.h>
+#include <string.h>
 
 static const char HEXC_LOWER[] = "0123456789abcdef";
 
@@ -64,3 +66,44 @@ hex_encode (const unsigned char *data,
 	result[o] = 0;
 	return result;
 }
+
+unsigned char *
+hex_decode (const char *hex,
+            size_t *bin_len)
+{
+	size_t i, j;
+	unsigned long val;
+	unsigned char *bin;
+	char hex2[3] = { 0 };
+        size_t hex_len = strlen (hex);
+
+	bin = malloc (hex_len / 2);
+	if (bin == NULL)
+		return NULL;
+
+        for (i = j = 0; i < hex_len;) {
+		if (hex[i] == ':') {
+			++i;
+			continue;
+		}
+
+		if (i + 1 >= hex_len) {
+			free (bin);
+			return NULL;
+		}
+
+		hex2[0] = hex[i++];
+		hex2[1] = hex[i++];
+
+		val = strtoul (hex2, NULL, 16);
+		if (val == ULONG_MAX) {
+			free (bin);
+			return NULL;
+		}
+
+		bin[j++] = val;
+        }
+
+        *bin_len = j;
+	return bin;
+}
diff --git a/common/hex.h b/common/hex.h
@@ -38,7 +38,12 @@
 
 #include <stddef.h>
 
-char *hex_encode (const unsigned char *data,
-		  size_t n_data);
+char *
+hex_encode (const unsigned char *data,
+	    size_t n_data);
+
+unsigned char *
+hex_decode (const char *hex,
+	    size_t *bin_len);
 
 #endif /* P11_HEX_H */
diff --git a/doc/manual/p11-kit.xml b/doc/manual/p11-kit.xml
@@ -176,7 +176,7 @@ $ <command>pkg-config p11-kit-1 --variable p11_module_path</command>
 	<para>Import object into PKCS#11 token.</para>
 
 <programlisting>
-$ p11-kit import-object --file=file.pem &lsqb;--label=label&rsqb; pkcs11:token
+$ p11-kit import-object --file=file.pem &lsqb;--label=label&rsqb; &lsqb;--id=object_id&rsqb; pkcs11:token
 </programlisting>
 
 	<para>Takes either an X.509 certificate or a public key in the form of a PEM file
@@ -199,6 +199,10 @@ $ p11-kit import-object --file=file.pem &lsqb;--label=label&rsqb; pkcs11:token
 			<term><option>--label=&lt;label&gt;</option></term>
 			<listitem><para>Assigns label to the imported object.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--id=&lt;object_id&gt;</option></term>
+			<listitem><para>Assigns ID to the imported object. The ID should be specified in hexadecimal format without '0x' prefix.</para></listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>--login</option></term>
 			<listitem><para>Authenticate to the token before enumerating objects. The PIN value is read from either the <literal>pin-value</literal> attribute in the URI or from the terminal.</para></listitem>
@@ -276,7 +280,7 @@ $ <command>pkg-config p11-kit-1 --variable p11_module_path</command>
 	<para>Generate key-pair on a PKCS#11 token.</para>
 
 <programlisting>
-$ p11-kit generate-keypair --type=algorithm &lcub;--bits=n|--curve=name&rcub; &lsqb;--label=label&rsqb; pkcs11:token
+$ p11-kit generate-keypair --type=algorithm &lcub;--bits=n|--curve=name&rcub; &lsqb;--label=label&rsqb; &lsqb;--id=object_id&rsqb; pkcs11:token
 </programlisting>
 
 	<para>Generate private-public key-pair of given type on the first
@@ -311,6 +315,10 @@ $ p11-kit generate-keypair --type=algorithm &lcub;--bits=n|--curve=name&rcub; &l
 			<term><option>--label=&lt;label&gt;</option></term>
 			<listitem><para>Assigns label to the generated key-pair objects.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--id=&lt;object_id&gt;</option></term>
+			<listitem><para>Assigns ID to the generated key-pair objects. The ID should be specified in hexadecimal format without '0x' prefix.</para></listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>--login</option></term>
 			<listitem><para>Authenticate to the token before enumerating objects. The PIN value is read from either the <literal>pin-value</literal> attribute in the URI or from the terminal.</para></listitem>

diff --git a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c
@@ -39,6 +39,7 @@
 #include "attrs.h"
 #include "compat.h"
 #include "debug.h"
+#include "hex.h"
 #include "iter.h"
 #include "message.h"
 #include "options.h"
@@ -160,6 +161,7 @@ check_args (CK_MECHANISM_TYPE type,
 
 static bool
 get_templates (const char *label,
+	       const char *id,
 	       CK_MECHANISM_TYPE type,
 	       CK_ULONG bits,
 	       const uint8_t *ec_params,
@@ -207,6 +209,36 @@ get_templates (const char *label,
 		priv = tmp;
 	}
 
+	if (id != NULL) {
+		size_t bin_len = 0;
+		unsigned char *bin = NULL;
+		CK_ATTRIBUTE attr_id = { CKA_ID, NULL, 0 };
+
+		bin = hex_decode (id, &bin_len);
+		if (bin == NULL) {
+			p11_message (_("failed to decode hex value: %s"), id);
+			goto error;
+		}
+
+		attr_id.pValue = (void *)bin;
+		attr_id.ulValueLen = bin_len;
+
+		tmp = p11_attrs_build (pub, &attr_id, NULL);
+		if (tmp == NULL) {
+			free (bin);
+			p11_message (_("failed to allocate memory"));
+			goto error;
+		}
+		pub = tmp;
+		tmp = p11_attrs_build (priv, &attr_id, NULL);
+		free (bin);
+		if (tmp == NULL) {
+			p11_message (_("failed to allocate memory"));
+			goto error;
+		}
+		priv = tmp;
+	}
+
 	switch (type) {
 #ifdef P11_KIT_TESTABLE
 	case CKM_MOCK_GENERATE:
@@ -254,6 +286,7 @@ get_templates (const char *label,
 static int
 generate_keypair (p11_tool *tool,
 		  const char *label,
+		  const char *id,
 		  CK_MECHANISM mechanism,
 		  CK_ULONG bits,
 		  const uint8_t *ec_params,
@@ -267,7 +300,7 @@ generate_keypair (p11_tool *tool,
 	CK_ATTRIBUTE *pubkey = NULL, *privkey = NULL;
 	CK_OBJECT_HANDLE pubkey_obj, privkey_obj;
 
-	if (!get_templates (label, mechanism.mechanism, bits,
+	if (!get_templates (label, id, mechanism.mechanism, bits,
 			    ec_params, ec_params_len, &pubkey, &privkey)) {
 	        p11_message (_("failed to create key templates"));
 		return 1;
@@ -318,7 +351,8 @@ p11_kit_generate_keypair (int argc,
 			  char *argv[])
 {
 	int opt, ret = 2;
-	char *label = NULL;
+	const char *label = NULL;
+	const char *id = NULL;
 	CK_ULONG bits = 0;
 	const uint8_t *ec_params = NULL;
 	size_t ec_params_len = 0;
@@ -332,6 +366,7 @@ p11_kit_generate_keypair (int argc,
 		opt_quiet = 'q',
 		opt_help = 'h',
 		opt_label = 'L',
+		opt_id = CHAR_MAX + 3,
 		opt_type = 't',
 		opt_bits = 'b',
 		opt_curve = 'c',
@@ -344,6 +379,7 @@ p11_kit_generate_keypair (int argc,
 		{ "quiet", no_argument, NULL, opt_quiet },
 		{ "help", no_argument, NULL, opt_help },
 		{ "label", required_argument, NULL, opt_label },
+		{ "id", required_argument, NULL, opt_id },
 		{ "type", required_argument, NULL, opt_type },
 		{ "bits", required_argument, NULL, opt_bits },
 		{ "curve", required_argument, NULL, opt_curve },
@@ -356,6 +392,7 @@ p11_kit_generate_keypair (int argc,
 		{ 0, "usage: p11-kit generate-keypair [--label=<label>]"
 		     " --type=<algorithm> {--bits=<n>|--curve=<name>} pkcs11:token" },
 		{ opt_label, "label to be associated with generated key objects" },
+		{ opt_id, "id to be associated with generated key objects" },
 		{ opt_type, "type of keys to generate" },
 		{ opt_bits, "number of bits for key generation" },
 		{ opt_curve, "name of the curve for key generation" },
@@ -369,6 +406,9 @@ p11_kit_generate_keypair (int argc,
 		case opt_label:
 			label = optarg;
 			break;
+		case opt_id:
+			id = optarg;
+			break;
 		case opt_type:
 			mechanism = get_mechanism (optarg);
 			if (mechanism.mechanism == CKA_INVALID) {
@@ -442,7 +482,7 @@ p11_kit_generate_keypair (int argc,
 
 	p11_tool_set_login (tool, login);
 
-	ret = generate_keypair (tool, label, mechanism, bits, ec_params, ec_params_len);
+	ret = generate_keypair (tool, label, id, mechanism, bits, ec_params, ec_params_len);
 
  cleanup:
 	p11_tool_free (tool);