search

randombit / botan

Cryptography Toolkit
https://botan.randombit.net
BSD 2-Clause "Simplified" License
2.6k stars 570 forks source link

Where is the support to C_GenerateKey of PKCS11 to generate an AES key object in the High Level API? #2916

Open oliviervibe opened 2 years ago

oliviervibe commented 2 years ago

I have the following code in C to generate an AES Key object for a PKCS11 token:

CK_RV generateAESKey(CK_SESSION_HANDLE hSession, const char tokenLabel, CK_MECHANISM_TYPE ckMechType, const char keyLabel, CK_ULONG keyLen, CK_BBOOL token, CK_BBOOL extractable, CK_OBJECT_HANDLE_PTR phAesKey) { // Generate a Secret Key for AES (16 or 32 bytes) CK_MECHANISM ckMechanism; ckMechanism.mechanism = CKM_AES_KEY_GEN; ckMechanism.pParameter = NULL; ckMechanism.ulParameterLen = 0;

CK_ULONG secretKeyClass = CKO_SECRET_KEY;
CK_BBOOL isToken = token;
CK_BBOOL isSensitive = (CK_TRUE == extractable) ? CK_FALSE : CK_TRUE;
CK_BBOOL isExtractable = extractable;
CK_BBOOL isTrue = CK_TRUE;
CK_BBOOL isFalse = CK_FALSE;
CK_ULONG keyAes = CKK_AES;
CK_ULONG nbPar = 6;

CK_ATTRIBUTE aesTempl[] = {
    { CKA_CLASS, &secretKeyClass, sizeof(CK_ULONG) },
    { CKA_KEY_TYPE, &keyAes, sizeof(CK_ULONG) },
    { CKA_TOKEN, &isToken, sizeof(CK_BBOOL) },
    { CKA_VALUE_LEN, &keyLen, sizeof(CK_ULONG) },
    { CKA_LABEL, (CK_VOID_PTR)keyLabel, (CK_ULONG) strlen(keyLabel) },
    { CKA_PRIVATE, &isTrue, sizeof(CK_BBOOL) },
    { CKA_SENSITIVE, &isSensitive, sizeof(CK_BBOOL) },
    { CKA_EXTRACTABLE, &isExtractable, sizeof(CK_BBOOL) },
    { CKA_ENCRYPT, &isTrue, sizeof(CK_BBOOL) },
    { CKA_DECRYPT, &isTrue, sizeof(CK_BBOOL) }
};

nbPar = sizeof(aesTempl) / sizeof(CK_ATTRIBUTE);
CK_RV rv = pkcs11fcts->C_GenerateKey(hSession, &ckMechanism, aesTempl, sizeof(aesTempl) / sizeof(CK_ATTRIBUTE), phAesKey);
if (!rv) {
    std::ofstream aesKeyHandle(AES_KEYS_FILE, std::ios::app);
    aesKeyHandle << "Token: " << tokenLabel << "\nKey Label: " << keyLabel << "\nKey Handle: " << *phAesKey << "\n\n";
    aesKeyHandle.flush();
}

return rv;

}

I have used Botan to wrap the code for the PKCS11 library of an HSM and I already implemented all the authentication mechanisms I needed with the Public Key high-level API of Botan.

I can't find any high-level implementation to generate an AES key. Since the last version, the low-level API is no longer accessible as the includes are not public!

Do I miss something as I can't find anything to do that in the documentation, nor in the high-level API. There should be high-level access to C_GenerateKey but I can't find it.

If there is no high-level access, how can I use the low-level wrapper for PKCS now??

Thanks for your help.

oliviervibe commented 2 years ago

The PKCS11::LowLevel class is still accessible, but I can't find a way to initialize it with an instantiated PKCS11::FunctionListPtr.

Is there a way to create a bridge between the High-level API and the low-level API as I can't understand that it couldn't be possible to create and use AES Keys in a PKCS11 token with Botan.

oliviervibe commented 2 years ago

I finally found it!!

It would be nice to document that the access to the PKCS11::LowLevel API class is done through the -> operator overload... I was looking for a getLowLevel() function ;-), of course the operator overload is more elegant!

Thanks