author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2019-02-28 14:46:35 -0800 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-12-06 12:53:32 -0500 |
commit | e0f454f7d8cd1211a5dfcefe19e60cd4e43fc04c (patch) | |
tree | 254daeb1408337ee72ad56555a5ac8910f74273e | |
parent | 6fb062d7cd63172c0a5bc7b2f9e779d6cb86d70b (diff) | |
download | openssl-pkcs11-export-next.tar.gz |
pkcs11: gate functions by attributes
Make sure we have CKA_SIGN set to sign keys and CKA_DECRYPT set to
decrypt from them.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | pkcs11.c | 8 |
1 files changed, 8 insertions, 0 deletions
@@ -639,6 +639,8 @@ C_SignInit(CK_SESSION_HANDLE handle, CK_MECHANISM_PTR mech, { if (obj_type(key) != KEY_PRIVATE || obj_to_section(key) != handle) return CKR_ARGUMENTS_BAD; + if (cache_get_by_secnum(handle, "CKA_SIGN", NULL) == NULL) + return CKR_KEY_FUNCTION_NOT_PERMITTED; opstate = crypto_sign_init(handle, mech); if (opstate) return CKR_OK; @@ -649,6 +651,8 @@ CK_RV C_Sign(CK_SESSION_HANDLE handle, CK_BYTE_PTR data, CK_ULONG data_len, CK_BYTE_PTR sig, CK_ULONG_PTR sig_len) { + if (cache_get_by_secnum(handle, "CKA_SIGN", NULL) == NULL) + return CKR_KEY_FUNCTION_NOT_PERMITTED; if (crypto_sign(handle, opstate, data, data_len, sig, sig_len)) return CKR_ARGUMENTS_BAD; return CKR_OK; @@ -660,6 +664,8 @@ C_DecryptInit(CK_SESSION_HANDLE handle, CK_MECHANISM_PTR mech, { if (obj_type(key) != KEY_PRIVATE || obj_to_section(key) != handle) return CKR_ARGUMENTS_BAD; + if (cache_get_by_secnum(handle, "CKA_DECRYPT", NULL) == NULL) + return CKR_KEY_FUNCTION_NOT_PERMITTED; opstate = crypto_decrypt_init(handle, mech); if (opstate) return CKR_OK; @@ -670,6 +676,8 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE handle, CK_BYTE_PTR enc_data, CK_ULONG enc_len, CK_BYTE_PTR data, CK_ULONG_PTR data_len) { + if (cache_get_by_secnum(handle, "CKA_DECRYPT", NULL) == NULL) + return CKR_KEY_FUNCTION_NOT_PERMITTED; if (crypto_decrypt(opstate, enc_data, enc_len, data, data_len)) return CKR_ARGUMENTS_BAD; return CKR_OK; |
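Review bot: The gate added in C_SignInit only tests that a `CKA_SIGN` entry exists for the section (`cache_get_by_secnum(handle, "CKA_SIGN", NULL) == NULL`); it never inspects the attribute's value. CKA_SIGN and CKA_DECRYPT are boolean attributes, so if the cache can ever hold an explicit false for them, the key would still be allowed to sign or decrypt; the same applies to the checks added in C_Sign, C_DecryptInit and C_Decrypt. If the cache stores these attributes only when they are true, state that invariant next to the first check, e.g. `/* attribute is cached only when true, so presence means permitted */`; otherwise fetch the value and compare it with the cache's encoding of true. C_SignInit begins above the hunk and its body continues below it.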
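Review bot: The check added to C_Sign (and to C_Decrypt in the last hunk) looks up the attribute on the `handle` passed to this call, not on the key the operation was initialised with. `opstate` is not declared in the hunk and appears to be shared state, and `crypto_decrypt(opstate, ...)` does not take the handle at all, so this second check does not prove that the handle matches the initialised operation; the gate that actually binds is the one in the Init functions. Consider recording the section at init time and rejecting a mismatch here, and rejecting a missing operation explicitly with `if (!opstate) return CKR_OPERATION_NOT_INITIALIZED;` before the crypto call. The closing lines of both functions are outside the hunks.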