pkcs11: gate functions by attributesnext

Make sure we have CKA_SIGN set to sign keys and CKA_DECRYPT set to
decrypt from them.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/pkcs11.c b/pkcs11.c
index 7f90821..ef7e54d 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -639,6 +639,8 @@ C_SignInit(CK_SESSION_HANDLE handle, CK_MECHANISM_PTR mech,
 {
 	if (obj_type(key) != KEY_PRIVATE || obj_to_section(key) != handle)
 		return CKR_ARGUMENTS_BAD;
+	if (cache_get_by_secnum(handle, "CKA_SIGN", NULL) == NULL)
+		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 	opstate = crypto_sign_init(handle, mech);
 	if (opstate)
 		return CKR_OK;
@@ -649,6 +651,8 @@ CK_RV
 C_Sign(CK_SESSION_HANDLE handle, CK_BYTE_PTR data, CK_ULONG data_len,
        CK_BYTE_PTR sig, CK_ULONG_PTR sig_len)
 {
+	if (cache_get_by_secnum(handle, "CKA_SIGN", NULL) == NULL)
+		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 	if (crypto_sign(handle, opstate, data, data_len, sig, sig_len))
 		return CKR_ARGUMENTS_BAD;
 	return CKR_OK;
@@ -660,6 +664,8 @@ C_DecryptInit(CK_SESSION_HANDLE handle, CK_MECHANISM_PTR mech,
 {
 	if (obj_type(key) != KEY_PRIVATE || obj_to_section(key) != handle)
 		return CKR_ARGUMENTS_BAD;
+	if (cache_get_by_secnum(handle, "CKA_DECRYPT", NULL) == NULL)
+		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 	opstate = crypto_decrypt_init(handle, mech);
 	if (opstate)
 		return CKR_OK;
@@ -670,6 +676,8 @@ CK_RV
 C_Decrypt(CK_SESSION_HANDLE handle, CK_BYTE_PTR enc_data, CK_ULONG enc_len,
 	  CK_BYTE_PTR data, CK_ULONG_PTR data_len)
 {
+	if (cache_get_by_secnum(handle, "CKA_DECRYPT", NULL) == NULL)
+		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 	if (crypto_decrypt(opstate, enc_data, enc_len, data, data_len))
 		return CKR_ARGUMENTS_BAD;
 	return CKR_OK;