search

miekg / pkcs11

pkcs11 wrapper for Go
BSD 3-Clause "New" or "Revised" License
376 stars 133 forks source link

Add CK_RSA_AES_KEY_WRAP_PARAMS to params.go #155

Open cryptojerp opened 2 years ago

cryptojerp commented 2 years ago

I'm building a tool that calls the WrapKey/UnwrapKey. I'm able to perform Wrapping/Unwrapping against:

  1. An AES key with RSA Keypair.
  2. An RSA Private Key with AES Key.

But I'm unable to perform Wrapping/Unwrapping of an RSA Private Key with another RSA Key Pair. According to the PKCS 11 documentation (both 2.40 and 3.0 versions), section called "RSA AES KEY WRAP mechanism parameters" requires the use of parameter called "CK_RSA_AES_KEY_WRAP_PARAMS".

Could the "CK_RSA_AES_KEY_WRAP_PARAMS" be added to the library?

miekg commented 2 years ago

[ Quoting @.***> in "[miekg/pkcs11] Add CK_RSA_AES_KEY_W..." ]

I'm building a tool that calls the WrapKey/UnwrapKey. I'm able to perform Wrapping/Unwrapping against:

  1. An AES key with RSA Keypair.
  2. An RSA Private Key with AES Key.

But I'm unable to perform Wrapping/Unwrapping of an RSA Private Key with another RSA Key Pair. According to the PKCS 11 documentation (both 2.40 and 3.0 versions), section called "RSA AES KEY WRAP mechanism parameters" requires the use of parameter called "CK_RSA_AES_KEY_WRAP_PARAMS".

Could the "CK_RSA_AES_KEY_WRAP_PARAMS" be added to the library?

Oh, this is a typedef. Unsure how to programmatically include them in zconst.go

cryptojerp commented 2 years ago

I was thinking more on creating a new type in params.go. Like GMCParams or OAEPParams. Something like the following:

// ----------- suggested changes in param.go -----------
// RsaAesKeyWrapParams represents the parameters for the CKM_RSA_AES_KEY_WRAP mechanism.
type RsaAesKeyWrapParams struct {
    aesKeyBits uint
    params  *OAEPParams
}

// NewRsaAesKeyWrapParams creates a CK_RSA_AES_KEY_WRAP_PARAMS structure suitable for use with the CKM_RSA_AES_KEY_WRAP mechanism.
func NewRsaAesKeyWrapParams(aesKeySize, hashAlg, mgf, sourceType uint, sourceData []byte) *RsaAesKeyWrapParams {
    return &RsaAesKeyWrapParams{
        aesKeyBits:    aesKeySize,
        params  :        NewGCMParams(hashAlg, mgf, sourceType, sourceData),
    }
}

func cRsaAesKeyWrapParams(p *RsaAesKeyWrapParams) []byte {
// TODO: Rest of code.

And then:

// ----------- suggested changes in types.go -----------
func cMechanism(mechList []*Mechanism) (arena, *C.CK_MECHANISM) {
// add existing code.
    case *RsaAesKeyWrapParams:
        param = cRsaAesKeyWrapParams(p)
// add existing code.

Does this make sence?

miekg commented 2 years ago

But why does this wrapping need new code, while the other ones just work?

cryptojerp commented 2 years ago

The wrap mechanism denoted _CKM_RSA_AES_KEYWRAP, has the parameter _CK_RSA_AES_KEY_WRAPPARAMS structure.

Without this parameter, I'm unable to use this mechanism.

miekg commented 2 years ago

[ Quoting @.***> in "Re: [miekg/pkcs11] Add CK_RSA_AES_K..." ]

The wrap mechanism denoted CKM_RSA_AES_KEY_WRAP, has the parameter CK_RSA_AES_KEY_WRAP_PARAMS structure.

Without this parameter, I'm unable to use this mechanism.

hmm, there is a bunch of manual code in params.go, wish that could also be generated, but looks too complex to make that happen.

varder commented 1 year ago

Please have a look at the PR https://github.com/miekg/pkcs11/pull/166