Closed Jakuje closed 6 months ago
No, the flags are correct: the user-provided template cannot pass a CKA_VALUE; the CKA_VALUE must be provided by the unwrapping function. This is also why those checks operate only on the template.
But the import_from_wrapped linked above is (I think) the AES unwrapping function, which gets the data and returns the object that is written into the storage. So it looks like there is some step missing somewhere?
Yes, the bug is exactly in import_from_wrapped() and I am working on a patch.
The unwrapped AES keys have empty CKA_VALUE, which can be reproduced with the following test (it fails while importing the key as the CKA_VALUE in storage is empty): https://github.com/Jakuje/kryoptic/commit/23d2a43419624644dcb2e8501491cda80b5bf67e
I was not completely sure how to fix it as I am slightly lost in the attributes flags. There is OAFlags::UnsettableOnUnwrap, which is used only on the secret keys' CKA_VALUE; according to the name it makes sense, but the function that is checking this flag now operates only on the template (instead of on the created attrs vec) here: https://github.com/latchset/kryoptic/blob/b9dc257d2912042a0f28b5300d28d36667f4a51c/src/object.rs#L769
I think this should operate on &atrs but then we need to change the flags for CKA_VALUE so it can be set from this function (now it would fail).
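The split discussed in this thread (the template check rejects a caller-supplied CKA_VALUE, while the unwrap path itself must attach it) can be modelled as below. This is an added example, not kryoptic's code: the `Attrs` map, the `Error` enum, the `set_value` switch and the function bodies are hypothetical, and the key bytes are constructed sample data. It also adds a post-condition on the created object so that a key with an empty CKA_VALUE is refused instead of being written to storage.

```rust
use std::collections::HashMap;

// PKCS#11 attribute type numbers.
pub const CKA_KEY_TYPE: u64 = 0x100;
pub const CKA_VALUE: u64 = 0x11;

// Hypothetical stand-in for an object's attribute list.
pub type Attrs = HashMap<u64, Vec<u8>>;

#[derive(Debug, PartialEq)]
pub enum Error {
    TemplateInconsistent, // caller tried to pass CKA_VALUE in the unwrap template
    EmptyKeyValue,        // created object would be stored without key bytes
}

/// Runs on the caller's template only: CKA_VALUE must not appear there,
/// even though the finished object has to contain it.
pub fn check_unwrap_template(template: &Attrs) -> Result<(), Error> {
    if template.contains_key(&CKA_VALUE) {
        return Err(Error::TemplateInconsistent);
    }
    Ok(())
}

/// Builds the object that would go to storage. `set_value = false` models
/// the reported symptom: the object is created without the unwrapped bytes.
pub fn import_from_wrapped(template: &Attrs, unwrapped: &[u8], set_value: bool)
    -> Result<Attrs, Error>
{
    check_unwrap_template(template)?;
    let mut obj = template.clone();
    if set_value {
        // The unwrapping function, not the template, provides CKA_VALUE.
        obj.insert(CKA_VALUE, unwrapped.to_vec());
    }
    // Post-condition on the created object, not on the template.
    match obj.get(&CKA_VALUE) {
        Some(v) if !v.is_empty() => Ok(obj),
        _ => Err(Error::EmptyKeyValue),
    }
}

fn main() {
    let mut template = Attrs::new();
    template.insert(CKA_KEY_TYPE, vec![0x1f]); // constructed sample: CKK_AES
    let key = [0xAAu8; 16]; // constructed key bytes
    println!("{:?}", import_from_wrapped(&template, &key, false));
    println!("{:?}", import_from_wrapped(&template, &key, true).map(|o| o[&CKA_VALUE].len()));
}
```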