From 3a6977d24520e2749039077a8d6f460d43f8ad7b Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Fri, 5 Jan 2024 15:07:52 +0100
Subject: [PATCH] Add option to specify CKA_ID in generate-keypair and
 import-object

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
 common/hex.c                  | 43 +++++++++++++++++++++
 common/hex.h                  |  9 ++++-
 doc/manual/p11-kit.xml        | 12 +++++-
 p11-kit/generate-keypair.c    | 46 ++++++++++++++++++++--
 p11-kit/import-object.c       | 73 +++++++++++++++++++++++++++++++----
 p11-kit/test-import-public.sh | 12 +++---
 6 files changed, 175 insertions(+), 20 deletions(-)

diff --git a/common/hex.c b/common/hex.c
index 4cecf4b4d..371c617a1 100644
--- a/common/hex.c
+++ b/common/hex.c
@@ -35,8 +35,10 @@
 
 #include "config.h"
 #include "hex.h"
+#include <limits.h>
 #include <stdint.h>
 #include <stdlib.h>
+#include <string.h>
 
 static const char HEXC_LOWER[] = "0123456789abcdef";
 
@@ -64,3 +66,44 @@ hex_encode (const unsigned char *data,
 	result[o] = 0;
 	return result;
 }
+
+unsigned char *
+hex_decode (const char *hex,
+            size_t *bin_len)
+{
+	size_t i, j;
+	unsigned long val;
+	unsigned char *bin;
+	char hex2[3] = { 0 };
+        size_t hex_len = strlen (hex);
+
+	bin = malloc (hex_len / 2);
+	if (bin == NULL)
+		return NULL;
+
+        for (i = j = 0; i < hex_len;) {
+		if (hex[i] == ':') {
+			++i;
+			continue;
+		}
+
+		if (i + 1 >= hex_len) {
+			free (bin);
+			return NULL;
+		}
+
+		hex2[0] = hex[i++];
+		hex2[1] = hex[i++];
+
+		val = strtoul (hex2, NULL, 16);
+		if (val == ULONG_MAX) {
+			free (bin);
+			return NULL;
+		}
+
+		bin[j++] = val;
+        }
+
+        *bin_len = j;
+	return bin;
+}
diff --git a/common/hex.h b/common/hex.h
index 2d7232860..43303b116 100644
--- a/common/hex.h
+++ b/common/hex.h
@@ -38,7 +38,12 @@
 
 #include <stddef.h>
 
-char *hex_encode (const unsigned char *data,
-		  size_t n_data);
+char *
+hex_encode (const unsigned char *data,
+	    size_t n_data);
+
+unsigned char *
+hex_decode (const char *hex,
+	    size_t *bin_len);
 
 #endif /* P11_HEX_H */
diff --git a/doc/manual/p11-kit.xml b/doc/manual/p11-kit.xml
index 4d78976b5..137bee1fd 100644
--- a/doc/manual/p11-kit.xml
+++ b/doc/manual/p11-kit.xml
@@ -176,7 +176,7 @@ $ <command>pkg-config p11-kit-1 --variable p11_module_path</command>
 	<para>Import object into PKCS#11 token.</para>
 
 <programlisting>
-$ p11-kit import-object --file=file.pem &lsqb;--label=label&rsqb; pkcs11:token
+$ p11-kit import-object --file=file.pem &lsqb;--label=label&rsqb; &lsqb;--id=object_id&rsqb; pkcs11:token
 </programlisting>
 
 	<para>Takes either an X.509 certificate or a public key in the form of a PEM file
@@ -199,6 +199,10 @@ $ p11-kit import-object --file=file.pem &lsqb;--label=label&rsqb; pkcs11:token
 			<term><option>--label=&lt;label&gt;</option></term>
 			<listitem><para>Assigns label to the imported object.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--id=&lt;object_id&gt;</option></term>
+			<listitem><para>Assigns ID to the imported object. The ID should be specified in hexadecimal format without '0x' prefix.</para></listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>--login</option></term>
 			<listitem><para>Authenticate to the token before enumerating objects. The PIN value is read from either the <literal>pin-value</literal> attribute in the URI or from the terminal.</para></listitem>
@@ -276,7 +280,7 @@ $ <command>pkg-config p11-kit-1 --variable p11_module_path</command>
 	<para>Generate key-pair on a PKCS#11 token.</para>
 
 <programlisting>
-$ p11-kit generate-keypair --type=algorithm &lcub;--bits=n|--curve=name&rcub; &lsqb;--label=label&rsqb; pkcs11:token
+$ p11-kit generate-keypair --type=algorithm &lcub;--bits=n|--curve=name&rcub; &lsqb;--label=label&rsqb; &lsqb;--id=object_id&rsqb; pkcs11:token
 </programlisting>
 
 	<para>Generate private-public key-pair of given type on the first
@@ -311,6 +315,10 @@ $ p11-kit generate-keypair --type=algorithm &lcub;--bits=n|--curve=name&rcub; &l
 			<term><option>--label=&lt;label&gt;</option></term>
 			<listitem><para>Assigns label to the generated key-pair objects.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--id=&lt;object_id&gt;</option></term>
+			<listitem><para>Assigns ID to the generated key-pair objects. The ID should be specified in hexadecimal format without '0x' prefix.</para></listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>--login</option></term>
 			<listitem><para>Authenticate to the token before enumerating objects. The PIN value is read from either the <literal>pin-value</literal> attribute in the URI or from the terminal.</para></listitem>
diff --git a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c
index bcb94fa01..847d775db 100644
--- a/p11-kit/generate-keypair.c
+++ b/p11-kit/generate-keypair.c
@@ -39,6 +39,7 @@
 #include "attrs.h"
 #include "compat.h"
 #include "debug.h"
+#include "hex.h"
 #include "iter.h"
 #include "message.h"
 #include "options.h"
@@ -160,6 +161,7 @@ check_args (CK_MECHANISM_TYPE type,
 
 static bool
 get_templates (const char *label,
+	       const char *id,
 	       CK_MECHANISM_TYPE type,
 	       CK_ULONG bits,
 	       const uint8_t *ec_params,
@@ -207,6 +209,36 @@ get_templates (const char *label,
 		priv = tmp;
 	}
 
+	if (id != NULL) {
+		size_t bin_len = 0;
+		unsigned char *bin = NULL;
+		CK_ATTRIBUTE attr_id = { CKA_ID, NULL, 0 };
+
+		bin = hex_decode (id, &bin_len);
+		if (bin == NULL) {
+			p11_message (_("failed to decode hex value: %s"), id);
+			goto error;
+		}
+
+		attr_id.pValue = (void *)bin;
+		attr_id.ulValueLen = bin_len;
+
+		tmp = p11_attrs_build (pub, &attr_id, NULL);
+		if (tmp == NULL) {
+			free (bin);
+			p11_message (_("failed to allocate memory"));
+			goto error;
+		}
+		pub = tmp;
+		tmp = p11_attrs_build (priv, &attr_id, NULL);
+		free (bin);
+		if (tmp == NULL) {
+			p11_message (_("failed to allocate memory"));
+			goto error;
+		}
+		priv = tmp;
+	}
+
 	switch (type) {
 #ifdef P11_KIT_TESTABLE
 	case CKM_MOCK_GENERATE:
@@ -254,6 +286,7 @@ get_templates (const char *label,
 static int
 generate_keypair (p11_tool *tool,
 		  const char *label,
+		  const char *id,
 		  CK_MECHANISM mechanism,
 		  CK_ULONG bits,
 		  const uint8_t *ec_params,
@@ -267,7 +300,7 @@ generate_keypair (p11_tool *tool,
 	CK_ATTRIBUTE *pubkey = NULL, *privkey = NULL;
 	CK_OBJECT_HANDLE pubkey_obj, privkey_obj;
 
-	if (!get_templates (label, mechanism.mechanism, bits,
+	if (!get_templates (label, id, mechanism.mechanism, bits,
 			    ec_params, ec_params_len, &pubkey, &privkey)) {
 	        p11_message (_("failed to create key templates"));
 		return 1;
@@ -318,7 +351,8 @@ p11_kit_generate_keypair (int argc,
 			  char *argv[])
 {
 	int opt, ret = 2;
-	char *label = NULL;
+	const char *label = NULL;
+	const char *id = NULL;
 	CK_ULONG bits = 0;
 	const uint8_t *ec_params = NULL;
 	size_t ec_params_len = 0;
@@ -332,6 +366,7 @@ p11_kit_generate_keypair (int argc,
 		opt_quiet = 'q',
 		opt_help = 'h',
 		opt_label = 'L',
+		opt_id = CHAR_MAX + 3,
 		opt_type = 't',
 		opt_bits = 'b',
 		opt_curve = 'c',
@@ -344,6 +379,7 @@ p11_kit_generate_keypair (int argc,
 		{ "quiet", no_argument, NULL, opt_quiet },
 		{ "help", no_argument, NULL, opt_help },
 		{ "label", required_argument, NULL, opt_label },
+		{ "id", required_argument, NULL, opt_id },
 		{ "type", required_argument, NULL, opt_type },
 		{ "bits", required_argument, NULL, opt_bits },
 		{ "curve", required_argument, NULL, opt_curve },
@@ -356,6 +392,7 @@ p11_kit_generate_keypair (int argc,
 		{ 0, "usage: p11-kit generate-keypair [--label=<label>]"
 		     " --type=<algorithm> {--bits=<n>|--curve=<name>} pkcs11:token" },
 		{ opt_label, "label to be associated with generated key objects" },
+		{ opt_id, "id to be associated with generated key objects" },
 		{ opt_type, "type of keys to generate" },
 		{ opt_bits, "number of bits for key generation" },
 		{ opt_curve, "name of the curve for key generation" },
@@ -369,6 +406,9 @@ p11_kit_generate_keypair (int argc,
 		case opt_label:
 			label = optarg;
 			break;
+		case opt_id:
+			id = optarg;
+			break;
 		case opt_type:
 			mechanism = get_mechanism (optarg);
 			if (mechanism.mechanism == CKA_INVALID) {
@@ -442,7 +482,7 @@ p11_kit_generate_keypair (int argc,
 
 	p11_tool_set_login (tool, login);
 
-	ret = generate_keypair (tool, label, mechanism, bits, ec_params, ec_params_len);
+	ret = generate_keypair (tool, label, id, mechanism, bits, ec_params, ec_params_len);
 
  cleanup:
 	p11_tool_free (tool);
diff --git a/p11-kit/import-object.c b/p11-kit/import-object.c
index 28cb964a6..e774ff007 100644
--- a/p11-kit/import-object.c
+++ b/p11-kit/import-object.c
@@ -40,6 +40,7 @@
 #include "compat.h"
 #include "debug.h"
 #include "dict.h"
+#include "hex.h"
 #include "iter.h"
 #include "message.h"
 #include "pem.h"
@@ -76,6 +77,7 @@ typedef struct {
 	CK_FUNCTION_LIST *module;
 	CK_SESSION_HANDLE session;
 	const char *label;
+	const char *id;
 } import_data;
 
 static bool
@@ -134,6 +136,29 @@ import_x509_cert (const unsigned char *der,
 		attrs = tmp;
 	}
 
+	if (data->id != NULL) {
+		size_t bin_len = 0;
+		unsigned char *bin = NULL;
+		CK_ATTRIBUTE attr_id = { CKA_ID, NULL, 0 };
+
+		bin = hex_decode (data->id, &bin_len);
+		if (bin == NULL) {
+			p11_message (_("failed to decode hex value: %s"), data->id);
+			goto cleanup;
+		}
+
+		attr_id.pValue = (void *)bin;
+		attr_id.ulValueLen = bin_len;
+
+		tmp = p11_attrs_build (attrs, &attr_id, NULL);
+		free (bin);
+		if (tmp == NULL) {
+			p11_message (_("failed to allocate memory"));
+			goto cleanup;
+		}
+		attrs = tmp;
+	}
+
 	rv = data->module->C_CreateObject (data->session, attrs, p11_attrs_count (attrs), &object);
 	if (rv != CKR_OK) {
 		p11_message (_("failed to create object: %s"), p11_kit_strerror (rv));
@@ -167,14 +192,42 @@ init_attrs_pubkey (const unsigned char *info,
 
 	attrs = p11_attrs_build (NULL, &attr_class, &attr_token, &attr_private,
 				 &attr_verify, &attr_info, NULL);
-	if (attrs == NULL)
+	if (attrs == NULL) {
+		p11_message (_("failed to allocate memory"));
 		return NULL;
+	}
 
 	if (data->label != NULL) {
 		CK_ATTRIBUTE attr_label = { CKA_LABEL, (void *)data->label, strlen (data->label) };
 
 		tmp = p11_attrs_build (attrs, &attr_label, NULL);
 		if (tmp == NULL) {
+			p11_message (_("failed to allocate memory"));
+			p11_attrs_free (attrs);
+			return NULL;
+		}
+		attrs = tmp;
+	}
+
+	if (data->id != NULL) {
+		size_t bin_len = 0;
+		unsigned char *bin = NULL;
+		CK_ATTRIBUTE attr_id = { CKA_ID, NULL, 0 };
+
+		bin = hex_decode (data->id, &bin_len);
+		if (bin == NULL) {
+			p11_message (_("failed to decode hex value: %s"), data->id);
+			p11_attrs_free (attrs);
+			return NULL;
+		}
+
+		attr_id.pValue = (void *)bin;
+		attr_id.ulValueLen = bin_len;
+
+		tmp = p11_attrs_build (attrs, &attr_id, NULL);
+		free (bin);
+		if (tmp == NULL) {
+			p11_message (_("failed to allocate memory"));
 			p11_attrs_free (attrs);
 			return NULL;
 		}
@@ -364,10 +417,8 @@ import_pubkey (const unsigned char *der,
 	}
 
 	attrs = init_attrs_pubkey (der, der_len, data);
-	if (attrs == NULL) {
-		p11_message (_("failed to allocate memory"));
+	if (attrs == NULL)
 		goto cleanup;
-	}
 
 	if (strcmp (oid, P11_OID_PKIX1_RSA_STR) == 0)
 		tmp = add_attrs_pubkey_rsa (attrs, asn, data->defs);
@@ -422,7 +473,8 @@ import_pem (const char *type,
 static int
 import_object (p11_tool *tool,
 	       const char *file,
-	       const char *label)
+	       const char *label,
+	       const char *id)
 {
 	int ret = 1;
 	void *data = NULL;
@@ -431,7 +483,7 @@ import_object (p11_tool *tool,
 	CK_RV rv;
 	p11_mmap *mmap = NULL;
 	P11KitIter *iter = NULL;
-	import_data user_data = { false, NULL, NULL, 0, label };
+	import_data user_data = { false, NULL, NULL, 0, label, id };
 
 	iter = p11_tool_begin_iter (tool, P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_SESSIONS | P11_KIT_ITER_WITHOUT_OBJECTS);
 	if (iter == NULL) {
@@ -493,6 +545,7 @@ p11_kit_import_object (int argc,
 	char *file = NULL;
 	bool login = false;
 	p11_tool *tool = NULL;
+	const char *id = NULL;
 	const char *provider = NULL;
 
 	enum {
@@ -500,6 +553,7 @@ p11_kit_import_object (int argc,
 		opt_quiet = 'q',
 		opt_help = 'h',
 		opt_label = 'L',
+		opt_id = CHAR_MAX + 3,
 		opt_file = 'f',
 		opt_login = 'l',
 		opt_provider = CHAR_MAX + 2,
@@ -510,6 +564,7 @@ p11_kit_import_object (int argc,
 		{ "quiet", no_argument, NULL, opt_quiet },
 		{ "help", no_argument, NULL, opt_help },
 		{ "label", required_argument, NULL, opt_label },
+		{ "id", required_argument, NULL, opt_id },
 		{ "file", required_argument, NULL, opt_file },
 		{ "login", no_argument, NULL, opt_login },
 		{ "provider", required_argument, NULL, opt_provider },
@@ -520,6 +575,7 @@ p11_kit_import_object (int argc,
 		{ 0, "usage: p11-kit import-object --file=<file.pem>"
 		     " [--label=<label>] [--login] pkcs11:token" },
 		{ opt_label, "label to be associated with imported object" },
+		{ opt_id, "id to be associated with imported object" },
 		{ opt_file, "object data to import" },
 		{ opt_login, "login to the token" },
 		{ opt_provider, "specify the module to use" },
@@ -531,6 +587,9 @@ p11_kit_import_object (int argc,
 		case opt_label:
 			label = optarg;
 			break;
+		case opt_id:
+			id = optarg;
+			break;
 		case opt_file:
 			file = optarg;
 			break;
@@ -588,7 +647,7 @@ p11_kit_import_object (int argc,
 
 	p11_tool_set_login (tool, login);
 
-	ret = import_object (tool, file, label);
+	ret = import_object (tool, file, label, id);
 
  cleanup:
 	p11_tool_free (tool);
diff --git a/p11-kit/test-import-public.sh b/p11-kit/test-import-public.sh
index 1972a8ba5..afe5ab4a2 100755
--- a/p11-kit/test-import-public.sh
+++ b/p11-kit/test-import-public.sh
@@ -23,11 +23,11 @@ teardown() {
 }
 
 test_import_cert() {
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="$abs_top_srcdir"/trust/fixtures/cacert3.pem --label=cert "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="$abs_top_srcdir"/trust/fixtures/cacert3.pem --label=cert --id="1a:bc:f6:9a" "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then
 		assert_fail "unable to run: p11-kit import-object"
 	fi
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=cert?pin-value=booo" > export.out; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=cert;id=%1A%BC%F6%9A?pin-value=booo" > export.out; then
 		assert_fail "unable to run: p11-kit export-object"
 	fi
 
@@ -54,11 +54,11 @@ fQIDAQAB
 -----END PUBLIC KEY-----
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=rsa "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=rsa --id="2a:bc:f6:9a" "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then
 		assert_fail "unable to run: p11-kit import-object"
 	fi
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=rsa?pin-value=booo" > export.out; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=rsa;id=%2A%BC%F6%9A?pin-value=booo" > export.out; then
 		assert_fail "unable to run: p11-kit export-object"
 	fi
 
@@ -80,11 +80,11 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsaTJt0debXaW7Hpcrpn7X07SsTk9
 -----END PUBLIC KEY-----
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=ec "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=ec --id="3a:bc:f6:9a" "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then
 		assert_fail "unable to run: p11-kit import-object"
 	fi
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=ec?pin-value=booo" > export.out; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=ec;id=%3A%BC%F6%9A?pin-value=booo" > export.out; then
 		assert_fail "unable to run: p11-kit export-object"
 	fi