p11-glue / p11-kit

Provides a way to load and enumerate PKCS#11 modules.
https://p11-glue.github.io/p11-glue/p11-kit.html

`p11-kit export-object` doesn't work for public keys without SPKI stored #555

Closed ueno closed 11 months ago

ueno commented 12 months ago

Steps to reproduce:

```
$ cat softhsm2.conf
directories.tokendir = /tmp/softhsm/
$ mkdir /tmp/softhsm
$ export SOFTHSM2_CONF=$PWD/softhsm2.conf
$ softhsm2-util --init-token --free --label test
$ GNUTLS_PIN=12345 p11tool --login --generate-privkey=ecdsa --label foo 'pkcs11:model=SoftHSM%20v2'
...
$ p11tool --export 'pkcs11:model=SoftHSM%20v2;token=test;object=foo;type=public'
...
$ p11-kit export-object 'pkcs11:model=SoftHSM%20v2;token=test;object=foo;type=public'
p11-kit: ../common/pem.c:277: p11_pem_write: Assertion `len > 0' failed.
```

The current implementation only retrieves CKA_PUBLIC_KEY_INFO, but the spec says about the attribute: "DER-encoding of the SubjectPublicKeyInfo for this public key. (MAY be empty, DEFAULT derived from the underlying public key data)". I guess we would need to fall back to the algorithm-specific method.
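
The fallback mentioned in the issue, sketched for EC keys as an added example (not p11-kit's code or its eventual fix): when CKA_PUBLIC_KEY_INFO is empty, a SubjectPublicKeyInfo can be assembled from CKA_EC_PARAMS and CKA_EC_POINT. The function and helper names are hypothetical, the caller is assumed to have already fetched both attribute values, and only encodings up to 255 bytes (curves through P-521) are handled.

```c
#include <stddef.h>
#include <string.h>

/* DER of OID 1.2.840.10045.2.1 (id-ecPublicKey) */
static const unsigned char OID_EC_PUBKEY[] = { 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01 };
#define HDR_LEN(len) ((len) < 0x80 ? 2u : 3u)   /* tag + length octets, len <= 255 */

/* Write a DER tag and length (len <= 255); returns bytes written. */
static size_t put_hdr(unsigned char *out, unsigned char tag, size_t len)
{
    size_t n = 0;
    out[n++] = tag;
    if (len >= 0x80) out[n++] = 0x81;           /* long form, one length octet */
    out[n++] = (unsigned char)len;
    return n;
}

/* Strip the DER OCTET STRING wrapper of CKA_EC_POINT; 0 means malformed. */
static size_t unwrap_point(const unsigned char *in, size_t in_len, const unsigned char **q)
{
    size_t len, hdr = 2;
    if (in_len < 3 || in[0] != 0x04) return 0;
    len = in[1];
    if (len == 0x81) { len = in[2]; hdr = 3; if (len < 0x80) return 0; }
    else if (len >= 0x80) return 0;
    if (len == 0 || hdr + len != in_len) return 0;
    *q = in + hdr;
    return len;
}

/* Build SubjectPublicKeyInfo from CKA_EC_PARAMS (params, copied as-is, not validated)
 * and CKA_EC_POINT (point); returns the DER length, or 0 on error. */
size_t spki_from_ec_attrs(const unsigned char *params, size_t params_len,
                          const unsigned char *point, size_t point_len,
                          unsigned char *out, size_t out_size)
{
    const unsigned char *q = NULL;
    size_t q_len = unwrap_point(point, point_len, &q), n = 0;
    size_t alg_len = sizeof OID_EC_PUBKEY + params_len;
    size_t bits_len = 1 + q_len;                /* leading "unused bits" octet */
    size_t body = HDR_LEN(alg_len) + alg_len + HDR_LEN(bits_len) + bits_len;
    if (q_len == 0 || params_len == 0 || body > 0xff || HDR_LEN(body) + body > out_size)
        return 0;                               /* never hand an empty buffer to the PEM writer */
    n += put_hdr(out + n, 0x30, body);          /* SubjectPublicKeyInfo SEQUENCE */
    n += put_hdr(out + n, 0x30, alg_len);       /* AlgorithmIdentifier SEQUENCE */
    memcpy(out + n, OID_EC_PUBKEY, sizeof OID_EC_PUBKEY); n += sizeof OID_EC_PUBKEY;
    memcpy(out + n, params, params_len); n += params_len;
    n += put_hdr(out + n, 0x03, bits_len);      /* subjectPublicKey BIT STRING */
    out[n++] = 0x00;
    memcpy(out + n, q, q_len); n += q_len;
    return n;
}
```

A return value of 0 lets the caller report an export error instead of reaching a zero-length write such as the one that trips the assertion in the report.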