From 6c46a30165b0b15dcd9992f34df21277202803b5 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Fri, 7 Jul 2023 00:46:12 +0200
Subject: [PATCH 1/2] Add support for (legacy) `KeySpec` key creation configuration

---
 kms/capi/capi.go | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/kms/capi/capi.go b/kms/capi/capi.go
index ebf37906..07fda612 100644
--- a/kms/capi/capi.go
+++ b/kms/capi/capi.go
@@ -41,6 +41,7 @@ const (
 KeyIDArg = "key-id"
 SerialNumberArg = "serial"
 IssuerNameArg = "issuer"
+ KeySpec = "key-spec" // 0, 1, 2; none/NONE, at_keyexchange/AT_KEYEXCHANGE, at_signature/AT_SIGNATURE
 )
 
 var signatureAlgorithmMapping = map[apiv1.SignatureAlgorithm]string{
@@ -79,6 +80,7 @@ var signatureAlgorithmMapping = map[apiv1.SignatureAlgorithm]string{
 // "key-id" X509v3 Subject Key Identifier of the certificate to load in hex format
 // "serial" serial number of the certificate to load in hex format
 // "issuer" Common Name of the certificate issuer
+// "key-spec" the (legacy) KeySpec to use - 0, 1 or 2 (or none, at_keyexchange, at_signature)
 type CAPIKMS struct {
 providerName string
 providerHandle uintptr
@@ -285,7 +287,7 @@ func (k *CAPIKMS) Close() error {
 return nil
 }
 
-// CreateSigner returns a nce crypto.Signer that will sign using the key passed in via the URI.
+// CreateSigner returns a crypto.Signer that will sign using the key passed in via the URI.
 func (k *CAPIKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error) {
 u, err := uri.ParseWithScheme(Scheme, req.SigningKey)
 if err != nil {
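Review bot: The new constant `KeySpec` breaks the naming pattern of its neighbours in the `const` block (`KeyIDArg`, `SerialNumberArg`, `IssuerNameArg` all carry the `Arg` suffix for URI argument keys), so it reads like a type or enum value rather than the name of a URI argument. I would rename it `KeySpecArg = "key-spec"` and update the `u.Get(KeySpec)` call in the later hunk accordingly. The trailing comment also disagrees with the doc comment added in the second hunk (`none/NONE, at_keyexchange/AT_KEYEXCHANGE, …` versus `none, at_keyexchange, at_signature`), and neither mentions that the parser lowercases the input or that it also accepts `null`; I would make the two agree on one list, e.g. `KeySpecArg = "key-spec" // 0, 1 or 2; or none, at_keyexchange, at_signature (case-insensitive)`.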
@@ -333,6 +335,25 @@ func (k *CAPIKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e
 return newCAPISigner(kh, containerName, pinOrPass)
 }
 
+func setKeySpec(u *uri.URI) (uint32, error) {
+ keySpec := uint32(0) // default KeySpec value is NONE
+ value := u.Get(KeySpec)
+ if v := strings.ReplaceAll(strings.ToLower(value), "_", ""); v != "" {
+ switch v {
+ case "0", "none", "null":
+ break // already set as the default
+ case "1", "atkeyexchange":
+ keySpec = uint32(1) // AT_KEYEXCHANGE
+ case "2", "atsignature":
+ keySpec = uint32(2) // AT_SIGNATURE
+ default:
+ return 0, fmt.Errorf("invalid value set for key-spec: %q", value)
+ }
+ }
+
+ return keySpec, nil
+ }
+
 // CreateKey generates a new key in the storage provider using nCryptCreatePersistedKey
 func (k *CAPIKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) {
 if req.Name == "" {
@@ -364,8 +385,13 @@ func (k *CAPIKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespon
 return nil, fmt.Errorf("unsupported algorithm %v", req.SignatureAlgorithm)
 }
 
+ keySpec, err := setKeySpec(u)
+ if err != nil {
+ return nil, fmt.Errorf("failed determinging KeySpec to use: %w", err)
+ }
+
 //TODO: check whether RSA keys require legacyKeySpec set to AT_KEYEXCHANGE
- kh, err := nCryptCreatePersistedKey(k.providerHandle, containerName, alg, 0, 0)
+ kh, err := nCryptCreatePersistedKey(k.providerHandle, containerName, alg, keySpec, 0)
 if err != nil {
 return nil, fmt.Errorf("unable to create persisted key: %w", err)
 }

From 4c6012771c6242e0379427c64c9675c00a19878a Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Fri, 7 Jul 2023 00:55:09 +0200
Subject: [PATCH 2/2] Fix typo

---
 kms/capi/capi.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kms/capi/capi.go b/kms/capi/capi.go
index 07fda612..ce8164be 100644
--- a/kms/capi/capi.go
+++ b/kms/capi/capi.go
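Review bot: `setKeySpec` accepts more input than the "key-spec" documentation promises and has no doc comment saying what it returns: `strings.ReplaceAll(…, "_", "")` strips underscores anywhere, so a value like `a_t_s_i_g_n_a_t_u_r_e` is silently accepted, and `"null"` is taken as NONE although no comment lists it. The `break` in the `"0", "none", "null"` case is redundant in Go (cases never fall through), and the name says "set" while the function only parses and returns a value, so `parseKeySpec` would describe it better (the call in `CreateKey` would need to follow). I would match the documented spellings exactly, drop or document `null`, and return straight from the switch, with a comment stating that the result is the legacy KeySpec argument passed to `nCryptCreatePersistedKey`.
```go
// setKeySpec maps the optional "key-spec" URI argument to the legacy KeySpec
// value passed to nCryptCreatePersistedKey: 0/none (the default when the
// argument is absent), 1/at_keyexchange or 2/at_signature, matched
// case-insensitively. Any other value is rejected with an error.
func setKeySpec(u *uri.URI) (uint32, error) {
	value := u.Get(KeySpec)
	switch strings.ToLower(value) {
	case "", "0", "none":
		return 0, nil // NONE: leave the legacy KeySpec unset
	case "1", "at_keyexchange", "atkeyexchange":
		return 1, nil // AT_KEYEXCHANGE
	case "2", "at_signature", "atsignature":
		return 2, nil // AT_SIGNATURE
	default:
		return 0, fmt.Errorf("invalid value set for key-spec: %q", value)
	}
}
```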
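Review bot: The `//TODO: check whether RSA keys require legacyKeySpec set to AT_KEYEXCHANGE` line survives unchanged even though the value it is worried about is now whatever the caller put in the URI, with 0 (NONE) as the silent default when "key-spec" is absent; if the TODO's suspicion is right, an RSA key created without the argument may be created in a state that legacy CAPI consumers cannot use, and nothing at this call site tells the reader that. I would either settle the TODO in this change or at least make the dependency explicit above the `nCryptCreatePersistedKey` call: `// keySpec is the legacy (CAPI) KeySpec for the new key: 0 (NONE) unless "key-spec" was given in the URI; see the TODO above for RSA.` Note that `CreateKey` begins before this hunk, so `u`, `containerName` and `alg` are defined outside what is visible here.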
@@ -80,7 +80,7 @@ var signatureAlgorithmMapping = map[apiv1.SignatureAlgorithm]string{
 // "key-id" X509v3 Subject Key Identifier of the certificate to load in hex format
 // "serial" serial number of the certificate to load in hex format
 // "issuer" Common Name of the certificate issuer
-// "key-spec" the (legacy) KeySpec to use - 0, 1 or 2 (or none, at_keyexchange, at_signature)
+// "key-spec" the (legacy) KeySpec to use - 0, 1 or 2 (or none, at_keyexchange, at_signature)
 type CAPIKMS struct {
 providerName string
 providerHandle uintptr
@@ -387,7 +387,7 @@ func (k *CAPIKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespon
 keySpec, err := setKeySpec(u)
 if err != nil {
- return nil, fmt.Errorf("failed determinging KeySpec to use: %w", err)
+ return nil, fmt.Errorf("failed determining KeySpec to use: %w", err)
 }
 
 //TODO: check whether RSA keys require legacyKeySpec set to AT_KEYEXCHANGE