authorJack Magne <jmagne@dhcp-16-206.sjc.redhat.com>2016-05-12 14:46:39 -0700
committerJack Magne <jmagne@dhcp-16-206.sjc.redhat.com>2016-05-12 14:54:20 -0700
commitce83d2ae2b33cca1e8b035474142fcbe2369ccc4 (patch)
tree185d77cdae40dd020798c0327f8957630d600ebb /base/native-tools
parentb5b2ea7762b2fb3a7248aa779ce4f4ebd1e7ef9b (diff)
Enhance tkstool for capabilities and security
The key is now generated with the flags needed to keep its data from being displayed by simple tools such as symkeyutil. As per cfu's instructions, I was able to test this with the nethsm only. I was also able to make the key des3, and everything works fine with the master key. This will help with all the warnings we get about insecure des2 keys. If there is a problem with luna, we can file another ticket. Also, there could be a built-in tool for luna to generate keys, such as is present on the hsm.
Diffstat (limited to 'base/native-tools')
-rw-r--r--base/native-tools/src/tkstool/tkstool.c20
-rw-r--r--base/native-tools/src/tkstool/tkstool.h2
2 files changed, 13 insertions, 9 deletions
diff --git a/base/native-tools/src/tkstool/tkstool.c b/base/native-tools/src/tkstool/tkstool.c
index 5368b2e7b..6fd2a9774 100644
--- a/base/native-tools/src/tkstool/tkstool.c
+++ b/base/native-tools/src/tkstool/tkstool.c
@@ -1682,13 +1682,14 @@ main( int argc, char **argv )
"on the specified token . . .\n\n" );
if( MASTER_KEY_LENGTH == ( 2 * DES_LENGTH ) ) {
- masterKey = PK11_TokenKeyGen(
+ masterKey = PK11_TokenKeyGenWithFlags(
/* slot */ slot,
/* mechanism */ CKM_DES2_KEY_GEN,
/* param */ 0,
/* keySize */ 0,
/* keyid */ 0,
- /* isToken (i. e. - isPerm) */ PR_TRUE,
+ /* opFlags */ CKF_SIGN | CKF_DECRYPT | CKF_ENCRYPT | CKF_DERIVE,
+ /* pk11AtrFlags */ PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE | PK11_ATTR_TOKEN,
/* wincx */ &pwdata );
if( masterKey == NULL ) {
PR_fprintf( PR_STDERR,
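Review bot: `PK11_ATTR_SENSITIVE` on its own keeps the key value from being read in the clear, but it does not stop the key from being wrapped off the token under another key, and nothing next to the `PK11_TokenKeyGenWithFlags` call says whether that is intended. If the master key must stay wrappable for transport, record it with a comment such as `/* SENSITIVE but still extractable: the master key must remain wrappable by the transport key */`; if it need not, add `PK11_ATTR_UNEXTRACTABLE` to the attribute flags. The `opFlags` value also grants `CKF_SIGN`, `CKF_ENCRYPT` and `CKF_DECRYPT` besides `CKF_DERIVE`, so it is worth trimming to the operations tkstool actually performs on this key. The same two flag expressions are repeated in the three later hunks of this file (@@ -1701, @@ -2307 and @@ -2326), so a pair of named macros in tkstool.h would keep the four call sites from drifting apart. main() begins and ends outside the hunk.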
@@ -1701,13 +1702,14 @@ main( int argc, char **argv )
goto shutdown;
}
} else if( MASTER_KEY_LENGTH == ( 3 * DES_LENGTH ) ) {
- masterKey = PK11_TokenKeyGen(
+ masterKey = PK11_TokenKeyGenWithFlags(
/* slot */ slot,
/* mechanism */ CKM_DES3_KEY_GEN,
/* param */ 0,
/* keySize */ 0,
/* keyid */ 0,
- /* isToken (i. e. - isPerm) */ PR_TRUE,
+ /* opFlags */ CKF_SIGN | CKF_DECRYPT | CKF_ENCRYPT | CKF_DERIVE,
+ /* pk11AtrFlags */ PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE | PK11_ATTR_TOKEN,
/* wincx */ &pwdata );
if( masterKey == NULL ) {
PR_fprintf( PR_STDERR,
@@ -2307,13 +2309,14 @@ main( int argc, char **argv )
"on the specified token . . .\n\n" );
if( WRAPPED_KEY_LENGTH == ( 2 * DES_LENGTH ) ) {
- masterKey = PK11_TokenKeyGen(
+ masterKey = PK11_TokenKeyGenWithFlags(
/* slot */ slot,
/* mechanism */ CKM_DES2_KEY_GEN,
/* param */ 0,
/* keySize */ 0,
/* keyid */ 0,
- /* isToken (i. e. - isPerm) */ PR_TRUE,
+ /* opFlags */ CKF_SIGN | CKF_DECRYPT | CKF_ENCRYPT | CKF_DERIVE,
+ /* pk11AtrFlags */ PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE | PK11_ATTR_TOKEN,
/* wincx */ &pwdata );
if( masterKey == NULL ) {
PR_fprintf( PR_STDERR,
@@ -2326,13 +2329,14 @@ main( int argc, char **argv )
goto shutdown;
}
} else if( WRAPPED_KEY_LENGTH == ( 3 * DES_LENGTH ) ) {
- masterKey = PK11_TokenKeyGen(
+ masterKey = PK11_TokenKeyGenWithFlags(
/* slot */ slot,
/* mechanism */ CKM_DES3_KEY_GEN,
/* param */ 0,
/* keySize */ 0,
/* keyid */ 0,
- /* isToken (i. e. - isPerm) */ PR_TRUE,
+ /* opFlags */ CKF_SIGN | CKF_DECRYPT | CKF_ENCRYPT | CKF_DERIVE,
+ /* pk11AtrFlags */ PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE | PK11_ATTR_TOKEN,
/* wincx */ &pwdata );
if( masterKey == NULL ) {
PR_fprintf( PR_STDERR,
diff --git a/base/native-tools/src/tkstool/tkstool.h b/base/native-tools/src/tkstool/tkstool.h
index 3b0407227..4c276b040 100644
--- a/base/native-tools/src/tkstool/tkstool.h
+++ b/base/native-tools/src/tkstool/tkstool.h
@@ -94,7 +94,7 @@
#define HEX_SESSION_KEY_BUF_LENGTH 32
#define HEX_SESSION_KEY_KCV_BUF_LENGTH 8
-#define MASTER_KEY_LENGTH 16
+#define MASTER_KEY_LENGTH 24
#define WRAPPED_KEY_LENGTH 16
#define HEX_WRAPPED_KEY_LENGTH 32
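Review bot: `MASTER_KEY_LENGTH` becomes 24 while `WRAPPED_KEY_LENGTH` stays 16 and `HEX_WRAPPED_KEY_LENGTH` stays 32, so the two key-generation paths in tkstool.c now disagree: the `MASTER_KEY_LENGTH` test selects `CKM_DES3_KEY_GEN`, but the `WRAPPED_KEY_LENGTH` test at @@ -2307 still selects `CKM_DES2_KEY_GEN`. Because both are compile-time constants, the DES2 branch of the first pair and the DES3 branch of the second pair can no longer be reached. The wrapping and unwrapping code is not visible in this diff, so it should be checked that a 24-byte master key fits every buffer sized from the wrapped-key constants. If that path keeps double-length keys on purpose, say so next to the define, for example `/* wrapped keys remain double-length (DES2); only the master key is DES3 */`.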