botan icon indicating copy to clipboard operation
botan copied to clipboard

Published 20 hours ago verified publisher icon randombit

Where is the support to C_GenerateKey of PKCS11 to generate an AES key object in the High Level API?

Open oliviervibe opened this issue 2 years ago • 2 comments

I have the following code in C to generate an AES Key object for a PKCS11 token:

CK_RV generateAESKey(CK_SESSION_HANDLE hSession, const char* tokenLabel, CK_MECHANISM_TYPE ckMechType, const char* keyLabel, CK_ULONG keyLen, CK_BBOOL token, CK_BBOOL extractable, CK_OBJECT_HANDLE_PTR phAesKey) { // Generate a Secret Key for AES (16 or 32 bytes) CK_MECHANISM ckMechanism; ckMechanism.mechanism = CKM_AES_KEY_GEN; ckMechanism.pParameter = NULL; ckMechanism.ulParameterLen = 0;

CK_ULONG secretKeyClass = CKO_SECRET_KEY;
CK_BBOOL isToken = token;
CK_BBOOL isSensitive = (CK_TRUE == extractable) ? CK_FALSE : CK_TRUE;
CK_BBOOL isExtractable = extractable;
CK_BBOOL isTrue = CK_TRUE;
CK_BBOOL isFalse = CK_FALSE;
CK_ULONG keyAes = CKK_AES;
CK_ULONG nbPar = 6;

CK_ATTRIBUTE aesTempl[] = {
	{ CKA_CLASS, &secretKeyClass, sizeof(CK_ULONG) },
	{ CKA_KEY_TYPE, &keyAes, sizeof(CK_ULONG) },
	{ CKA_TOKEN, &isToken, sizeof(CK_BBOOL) },
	{ CKA_VALUE_LEN, &keyLen, sizeof(CK_ULONG) },
	{ CKA_LABEL, (CK_VOID_PTR)keyLabel, (CK_ULONG) strlen(keyLabel) },
	{ CKA_PRIVATE, &isTrue, sizeof(CK_BBOOL) },
	{ CKA_SENSITIVE, &isSensitive, sizeof(CK_BBOOL) },
	{ CKA_EXTRACTABLE, &isExtractable, sizeof(CK_BBOOL) },
	{ CKA_ENCRYPT, &isTrue, sizeof(CK_BBOOL) },
	{ CKA_DECRYPT, &isTrue, sizeof(CK_BBOOL) }
};

nbPar = sizeof(aesTempl) / sizeof(CK_ATTRIBUTE);
CK_RV rv = pkcs11fcts->C_GenerateKey(hSession, &ckMechanism, aesTempl, sizeof(aesTempl) / sizeof(CK_ATTRIBUTE), phAesKey);
if (!rv) {
	std::ofstream aesKeyHandle(AES_KEYS_FILE, std::ios::app);
	aesKeyHandle << "Token: " << tokenLabel << "\nKey Label: " << keyLabel << "\nKey Handle: " << *phAesKey << "\n\n";
	aesKeyHandle.flush();
}

return rv;

}

I have used Botan to wrap the code for the PKCS11 library of an HSM and I already implemented all the authentication mechanisms I needed with the Public Key high-level API of Botan.

I can't find any high-level implementation to generate an AES key. Since the last version, the low-level API is no longer accessible as the includes are not public!

Do I miss something as I can't find anything to do that in the documentation, nor in the high-level API. There should be high-level access to C_GenerateKey but I can't find it.

If there is no high-level access, how can I use the low-level wrapper for PKCS now??

Thanks for your help.

oliviervibe avatar Feb 15 '22 17:02 oliviervibe

The PKCS11::LowLevel class is still accessible, but I can't find a way to initialize it with an instantiated PKCS11::FunctionListPtr.

Is there a way to create a bridge between the High-level API and the low-level API as I can't understand that it couldn't be possible to create and use AES Keys in a PKCS11 token with Botan.

oliviervibe avatar Feb 15 '22 19:02 oliviervibe

I finally found it!!

It would be nice to document that the access to the PKCS11::LowLevel API class is done through the -> operator overload... I was looking for a getLowLevel() function ;-), of course the operator overload is more elegant!

Thanks

oliviervibe avatar Feb 15 '22 20:02 oliviervibe