Explicitly request EcDH derive return key as a session object
OpenSC PKCS#11 module fails C_DeriveKey operations with
CKR_TEMPLATE_INCOMPLETE error code when used with PKCS#15 smart cards
unless CKA_TOKEN attribute is set on the request template. Fix by
always requesting session keys (CKA_TOKEN=false). This is also
supposed to be the default by PKCS#11 v3.1 - thus not changing the
existing behavior.

Signed-off-by: Tero Mononen <[email protected]>
Tero Mononen committed Jan 18, 2025
1 parent 5dec656 commit 5a20553
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/exchange.c
Expand Up @@ -213,12 +213,13 @@ static int p11prov_ecdh_derive(void *ctx, unsigned char *secret,
CK_BBOOL val_true = CK_TRUE;
CK_BBOOL val_false = CK_FALSE;
CK_ULONG key_size = outlen;
CK_ATTRIBUTE key_template[5] = {
CK_ATTRIBUTE key_template[6] = {
{ CKA_CLASS, &key_class, sizeof(key_class) },
{ CKA_KEY_TYPE, &key_type, sizeof(key_type) },
{ CKA_SENSITIVE, &val_false, sizeof(val_false) },
{ CKA_EXTRACTABLE, &val_true, sizeof(val_true) },
{ CKA_VALUE_LEN, &key_size, sizeof(key_size) },
{ CKA_TOKEN, &val_false, sizeof(val_false) },
};
CK_MECHANISM mechanism;
P11PROV_SESSION *session = NULL;
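Review bot: the array bound `key_template[6]` and the later count passed to `p11prov_derive_key` are two hand-maintained copies of the same number; the next attribute added here has to be mirrored in the call or the trailing `CKA_TOKEN` entry silently falls off the template and the `CKR_TEMPLATE_INCOMPLETE` failure described in the commit message returns. Consider dropping the explicit bound (`CK_ATTRIBUTE key_template[] = { ... };`) and passing `sizeof(key_template) / sizeof(key_template[0])` at the call site. The new `{ CKA_TOKEN, &val_false, sizeof(val_false) }` entry itself is the right setting for a derived ECDH secret: a session object is discarded when the session closes, so the shared secret is never persisted on the token, and it sits consistently with the existing `CKA_SENSITIVE = false` / `CKA_EXTRACTABLE = true` pair, which the code already needs in order to read the secret back out into the caller's buffer.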
Expand Down Expand Up @@ -280,7 +281,7 @@ static int p11prov_ecdh_derive(void *ctx, unsigned char *secret,
}

ret = p11prov_derive_key(ecdhctx->provctx, slotid, &mechanism, handle,
key_template, 5, &session, &secret_handle);
key_template, 6, &session, &secret_handle);
if (ret != CKR_OK) {
return RET_OSSL_ERR;
}
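Review bot: the literal `6` in `key_template, 6, &session, &secret_handle` is the counterpart of the array bound changed in the first hunk and has to be updated in lockstep with it; replacing it with a count derived from the array (or a shared named constant) would remove the coupling. Separately, the `if (ret != CKR_OK)` path returns `RET_OSSL_ERR` without surfacing the CKR_ value; if `p11prov_derive_key` does not already log it, emitting the return code here would make template-related failures such as `CKR_TEMPLATE_INCOMPLETE` diagnosable from the provider's logs instead of appearing only as a generic OpenSSL derive error.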
