Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for importing keys into the token as session ephemeral keys #441

Merged
merged 10 commits into from
Sep 5, 2024
Merged

Add support for importing keys into the token as session ephemeral keys #441

merged 10 commits into from
Sep 5, 2024

Conversation

simo5
Copy link
Member

@simo5 simo5 commented Sep 4, 2024
edited
Loading

Description

In some circumstances we need to be able to import keys into the token as the caller wants the token to perform the cryptographic operation but provides the keys in PEM files, or BIO objects and does not want to permanently store these keys in the token (for whatever reason).

ECDH is an example where we need to import a key only halfway.

Importing private keys always immediately create a temporary session object on the login session (which is generally long lived). The operation assumes that a login session is already available or a pin is otherwise specified in the configuration. The login session is assumed to be opened on the default slot which is defined as the first slot that fulfill basic session storage writability. In future we may add quirks to specify a different default slot via a uri.

Importing public keys (which may happen more frequently in key exchange situations) creates a mock object by default, however requesting their token handle triggers the storage of the key into the token login session as an ephmeral key, just like for the private keys.
The handle is requested in case an actual operation needs to happen on the token, and does not happen for the ECDH case, this way we avoid littering the login session object with too many throwaway keys.

This PR also addresses some issues with ECDH.

Related #395
Fixes #305
Fixes #437

Checklist

  • Code modified for feature
  • Test suite updated with functionality tests
  • [ ] Test suite updated with negative tests
  • [ ] Documentation updated

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • Code conform to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible commit messages
  • Coverity Scan has run if needed (code PR) and no new defects were found

@simo5 simo5 requested a review from Jakuje September 4, 2024 20:38
@simo5
Add concept of a default slot
7160ddf 
This slot can be used to obtain a default login session when there
is not available pkcs11 URI that indicates which slot should be used.

Signed-off-by: Simo Sorce <[email protected]>
@simo5
Copy link
Member Author

simo5 commented Sep 4, 2024

@kshitizvars please check out this PR

@simo5 simo5 force-pushed the bug305 branch 2 times, most recently from 8b6d5e1 to ca51975 Compare September 4, 2024 21:04
@simo5
Copy link
Member Author

simo5 commented Sep 4, 2024

Ubuntu fails genpkey apparently .... that's odd.

@simo5 simo5 added the covscan Triggers Coverity Scanner label Sep 4, 2024
@simo5
Copy link
Member Author

simo5 commented Sep 4, 2024

Will have to figure out the genpkey cmdline issue for Ubuntu, meanwhile triggering a covscan to ensure the C code is fine.

@github-actions github-actions bot removed the covscan Triggers Coverity Scanner label Sep 4, 2024
@simo5
Copy link
Member Author

simo5 commented Sep 4, 2024

Older openssl seem to have no support for -outpubkey ...

@simo5
Copy link
Member Author

simo5 commented Sep 4, 2024

Coverity found issues, sticking them here so that I do not forget, and marking the PR as draft for now.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 509200:  Error handling issues  (CHECKED_RETURN)
/src/util.c: 831 in p11prov_uri_set_label()


________________________________________________________________________________________________________
*** CID 509200:  Error handling issues  (CHECKED_RETURN)
/src/util.c: 831 in p11prov_uri_set_label()
825         return uri->object;
826     }
827    
828     void p11prov_uri_set_label(P11PROV_URI *uri, CK_ATTRIBUTE *label)
829     {
830         OPENSSL_free(uri->object.pValue);
>>>     CID 509200:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "p11prov_copy_attr" without checking return value (as is done elsewhere 10 out of 12 times).
831         p11prov_copy_attr(&uri->object, label);
832     }
833    
834     char *p11prov_uri_get_serial(P11PROV_URI *uri)
835     {
836         return uri->serial;

** CID 509199:  Memory - illegal accesses  (USE_AFTER_FREE)
/src/objects.c: 2742 in digest()


________________________________________________________________________________________________________
*** CID 509199:  Memory - illegal accesses  (USE_AFTER_FREE)
/src/objects.c: 2742 in digest()
2736         dgst = NULL;
2737         rv = CKR_OK;
2738    
2739     done:
2740         OPENSSL_free(dgst);
2741         EVP_MD_CTX_free(mdctx);
>>>     CID 509199:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Passing freed pointer "md" as an argument to "EVP_MD_free".
2742         EVP_MD_free(md);
2743         return rv;
2744     }
2745    
2746     static CK_RV prep_rsa_find(P11PROV_CTX *ctx, const OSSL_PARAM params[],
2747                                struct pool_find_ctx *findctx)

** CID 509198:  Error handling issues  (CHECKED_RETURN)
/src/util.c: 820 in p11prov_uri_set_id()


________________________________________________________________________________________________________
*** CID 509198:  Error handling issues  (CHECKED_RETURN)
/src/util.c: 820 in p11prov_uri_set_id()
814         return uri->id;
815     }
816    
817     void p11prov_uri_set_id(P11PROV_URI *uri, CK_ATTRIBUTE *id)
818     {
819         OPENSSL_free(uri->id.pValue);
>>>     CID 509198:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "p11prov_copy_attr" without checking return value (as is done elsewhere 10 out of 12 times).
820         p11prov_copy_attr(&uri->id, id);
821     }
822    
823     CK_ATTRIBUTE p11prov_uri_get_label(P11PROV_URI *uri)
824     {
825         return uri->object;

@simo5 simo5 marked this pull request as draft September 4, 2024 21:31
Jakuje
Jakuje reviewed Sep 5, 2024
View reviewed changes
CONTRIBUTING.md Outdated Show resolved Hide resolved
tests/meson.build Show resolved Hide resolved
src/objects.c Outdated Show resolved Hide resolved
@simo5 simo5 marked this pull request as ready for review September 5, 2024 12:55
@simo5 simo5 requested a review from Jakuje September 5, 2024 12:55
@simo5 simo5 added the covscan Triggers Coverity Scanner label Sep 5, 2024
@github-actions github-actions bot removed the covscan Triggers Coverity Scanner label Sep 5, 2024
@simo5 simo5 added the covscan-ok Coverity scan passed label Sep 5, 2024
Jakuje
Jakuje reviewed Sep 5, 2024
View reviewed changes
src/keymgmt.c Show resolved Hide resolved
src/objects.c Show resolved Hide resolved
src/objects.c Show resolved Hide resolved
src/objects.c Outdated Show resolved Hide resolved
src/objects.c Outdated Show resolved Hide resolved
src/objects.c Outdated Show resolved Hide resolved
src/objects.c Show resolved Hide resolved
src/objects.c Outdated Show resolved Hide resolved
src/objects.c Outdated Show resolved Hide resolved
src/objects.c Outdated Show resolved Hide resolved
@simo5
Implement the ability to import private keys
31b2ab1 
Private keys are stored/cached in the login session object,
and not permanently on the token. This is used to handle the case
where a private key is stored outside of the token, but the token
is used to peform cryptographic operations.

Signed-off-by: Simo Sorce <[email protected]>
@simo5
Copy link
Member Author

simo5 commented Sep 5, 2024

@Jakuje I should have addressed all the changes I agreed on.
Only one comment was unclear to me.

simo5 and others added 6 commits September 5, 2024 15:44
@simo5
Add support to create ECDH public key from params
e2d2d29 
OpenSSL expects to be able to create an EC PKEY and only "generate"
params, then fill in the key with a public key received from a peer.

So split the common gen_init into per key type ones as each type needs
slightly different setup and conditions now.

Also modify the code that sets public EC keys to allow setting a key on
a base object that does not already have key attributes at all.

Signed-off-by: Simo Sorce <[email protected]>
@kshitizvars @simo5
Using old pointer after reallocating new buffer
bd17ab8 
Below issue is reported while running TLS1.3:-

p11prov_DeriveKey:Host out of memory

Issue occurs because we are trying to use deallocated memory pointer after
reallocating new memory due to which key->attrs get corrupted and finally
cause issue in importing correct peer key.

Signed-off-by: Kshitiz Varshney <[email protected]>
@simo5
Add support to store public key as session objects
c850b45 
This allows operations that actually need to happen on a token with
a stored key (unlike ECDH which just needs a buffer passed int), to
be able to actually import the object as an ephemeral session object
to perform the required operations.

We generally do not want to store public key to avoid littering the
login session (which is long lived) with too many throw-away objects
as we have no way to determine when it is ok to remove session objects
for long lived programs.

Signed-off-by: Simo Sorce <[email protected]>
@simo5
Tests using imported private keys in ECDH
8dc8c44 
Signed-off-by: Simo Sorce <[email protected]>
@simo5
Add test to check that token can import keys
ca0f677 
Disabled in softhsm because it ends up looping on itself due to
the usal problem that sofhtsm links to openssl without using a custom
libctx.

Signed-off-by: Simo Sorce <[email protected]>
@simo5
Fix random spelling errors
87cb5fd 
The new codespell in CI decided to find old mispellings...

Signed-off-by: Simo Sorce <[email protected]>
simo5 added 2 commits September 5, 2024 15:44
@simo5
Handle older versions of openssl
3db160a 
On Ubuntu openssl's genpkey does not have -outpubkey as a genpkey
option. So avoid using it for now and just get the pubkey out in a
second step.

Signed-off-by: Simo Sorce <[email protected]>
@simo5
Fix Coverity reported issues on older functions
f4061f5 
Coverity decided to start investigating unused functions now ...

Signed-off-by: Simo Sorce <[email protected]>
@simo5 simo5 removed the covscan-ok Coverity scan passed label Sep 5, 2024
@simo5
Copy link
Member Author

simo5 commented Sep 5, 2024

@Jakuje I'll run covscan again one you confirm all the requested changes are ok

Jakuje
Jakuje approved these changes Sep 5, 2024
View reviewed changes
Copy link
Contributor

@Jakuje Jakuje left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@simo5 simo5 added the covscan Triggers Coverity Scanner label Sep 5, 2024
@github-actions github-actions bot removed the covscan Triggers Coverity Scanner label Sep 5, 2024
@simo5 simo5 added the covscan-ok Coverity scan passed label Sep 5, 2024
@simo5
Copy link
Member Author

simo5 commented Sep 5, 2024

Covscan is happy too, merging.
thanks for the review @Jakuje

@simo5 simo5 merged commit 8757cf2 into latchset:main Sep 5, 2024
45 of 46 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Jakuje Jakuje Jakuje approved these changes

Assignees
No one assigned
Labels
covscan-ok Coverity scan passed
Projects
None yet
Milestone
No milestone
3 participants
@simo5 @Jakuje @kshitizvars