latchset / kryoptic

a pkcs#11 software token written in Rust
GNU General Public License v3.0

Unwrapped AES keys do not work #30

Closed Jakuje closed 6 months ago

Jakuje commented 6 months ago

The unwrapped AES keys have an empty CKA_VALUE, which can be reproduced with the following test (it fails while importing the key, as the CKA_VALUE in storage is empty):

https://github.com/Jakuje/kryoptic/commit/23d2a43419624644dcb2e8501491cda80b5bf67e

I was not completely sure how to fix it, as I am slightly lost in the attribute flags. There is OAFlags::UnsettableOnUnwrap, which is used only on the secret keys' CKA_VALUE. According to the name it makes sense, but the function that is checking this flag now operates only on the template (instead of on the created attrs vec) here: https://github.com/latchset/kryoptic/blob/b9dc257d2912042a0f28b5300d28d36667f4a51c/src/object.rs#L769

I think this should operate on &attrs, but then we need to change the flags for CKA_VALUE so it can be set from this function (now it would fail).

simo5 commented 6 months ago

No, the flags are correct: the user-provided template cannot pass a CKA_VALUE; the CKA_VALUE must be provided by the unwrapping function. This is also why those checks operate only on the template.

Jakuje commented 6 months ago

But the import_from_wrapped linked above is (I think) the AES unwrapping function, which gets the data and returns the object that is written into the storage. So it looks like there is some step missing somewhere?

simo5 commented 6 months ago

Yes, the bug is exactly in import_from_wrapped() and I am working on a patch.
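
The split discussed in this thread (the caller's template must not carry CKA_VALUE, while the unwrap path itself must install it) can be shown with a small model. This is an added example, not kryoptic's code and not part of the thread: `Attr`, `Error`, `Attrs`, `check_template`, `unwrap_into_object` and `has_usable_value` are hypothetical names, and the key bytes are constructed.

```rust
// Simplified model of an unwrap path; NOT kryoptic's code.
// All type and function names here are hypothetical.
use std::collections::BTreeMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
enum Attr { KeyType, Value }

#[derive(Debug, PartialEq)]
enum Error { RejectedAttr(Attr), BadKeyLength(usize) }

type Attrs = BTreeMap<Attr, Vec<u8>>;

// Models a flag like OAFlags::UnsettableOnUnwrap: the caller may not supply it.
fn unsettable_on_unwrap(a: Attr) -> bool { matches!(a, Attr::Value) }

// The flag check inspects only the caller-provided template.
fn check_template(template: &Attrs) -> Result<(), Error> {
    match template.keys().find(|a| unsettable_on_unwrap(**a)) {
        Some(a) => Err(Error::RejectedAttr(*a)),
        None => Ok(()),
    }
}

// Unwrap path: validate the template, then install the recovered key bytes.
fn unwrap_into_object(template: &Attrs, key: Vec<u8>) -> Result<Attrs, Error> {
    check_template(template)?;
    if ![16, 24, 32].contains(&key.len()) { // valid AES key lengths in bytes
        return Err(Error::BadKeyLength(key.len()));
    }
    let mut obj = template.clone();
    // Set internally, bypassing the template check. If this step is skipped,
    // the stored object has an empty value, the symptom reported in the issue.
    obj.insert(Attr::Value, key);
    Ok(obj)
}

// Post-condition worth asserting before the object is written to storage.
fn has_usable_value(obj: &Attrs) -> bool {
    obj.get(&Attr::Value).map_or(false, |v| !v.is_empty())
}

fn main() {
    let mut template = Attrs::new();
    template.insert(Attr::KeyType, b"AES".to_vec());
    let obj = unwrap_into_object(&template, vec![0x11; 32]).unwrap(); // constructed key
    println!("unwrapped key usable: {}", has_usable_value(&obj));
    template.insert(Attr::Value, vec![0x22; 32]); // caller tries to set the value
    println!("{:?}", unwrap_into_object(&template, vec![0x11; 32]));
}
```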