EJBCA / ECA-7250

PKCS11 enable using CKA_LABEL also when a sun attributes file is used

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.15.0
    • Component/s: None
    • Labels: None
    • Sprint: EJBCA Sprint 18

      Description

      We set PKCS#11 attributes to nice defaults that work for all major HSMs. For the private key we set the following when creating the provider in Pkcs11SlotLabel.java:

      // Private-key template written into the generated SunPKCS11 configuration.
      // pw is the PrintWriter for that configuration; Hex is org.bouncycastle.util.encoders.Hex.
      pw.println("attributes(*, CKO_PRIVATE_KEY, *) = {");
      pw.println(" CKA_DERIVE = false");      // Amazon CloudHSM will not accept CKA_DERIVE in a private key template and returns CKR_TEMPLATE_INCONSISTENT.
      pw.println(" CKA_TOKEN = true");        // all created private keys should be permanent; they should not only exist during the session.
      pw.println(" CKA_PRIVATE = true");      // always require login with the password/PIN to use the key.
      pw.println(" CKA_SENSITIVE = true");    // not possible to read the key value.
      pw.println(" CKA_EXTRACTABLE = false"); // not possible to wrap the key with another key.
      pw.println(" CKA_DECRYPT = true");      // key may be used for decryption.
      pw.println(" CKA_SIGN = true");         // key may be used for signing.
      if (privateKeyLabel != null && privateKeyLabel.length() > 0) {
          // SunPKCS11 takes byte-array attribute values as a 0h-prefixed hex string.
          // Note that getBytes() without a charset argument uses the platform default encoding.
          final String labelStr = " CKA_LABEL = 0h" + new String(Hex.encode(privateKeyLabel.getBytes()));
          if (log.isDebugEnabled()) {
              log.debug("Setting CKA_LABEL to '" + labelStr + "'");
          }
          pw.println(labelStr);
      }
      pw.println(" CKA_UNWRAP = true");       // for unwrapping of session keys.
      pw.println("}");

      Setting the label is very good. When we use an attributes file, however, you can set CKA_LABEL in your attributes file, but you have to edit it every time, which is not convenient.

      We could enable the dynamic setting of CKA_LABEL if we check for a placeholder "  CKA_LABEL" in the attributes file and replace that with a real label, i.e. "  CKA_LABEL = 0h707269762d6b65796c6162656c".

      We just need to do some intelligent parsing.
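      As an added example (not EJBCA code, and not the change that closed this issue), the following hypothetical Java helper does the placeholder parsing the description proposes: it walks a SunPKCS11 attributes file, replaces every line that consists only of the bare token CKA_LABEL with a real assignment, and leaves explicit "CKA_LABEL = ..." assignments untouched. It assumes the SunPKCS11 config syntax for byte-array values (a 0h-prefixed hex string of the label's UTF-8 bytes); the sample attributes file is constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical helper (example code, not part of EJBCA): expands a bare
 * "CKA_LABEL" placeholder line in a SunPKCS11 attributes file into a real
 * "CKA_LABEL = 0h<hex>" assignment.
 */
public final class AttributeFileLabelExpander {

    /** Encode a label as SunPKCS11's 0h-prefixed byte-array literal (UTF-8 bytes, lowercase hex). */
    static String toSunPkcs11Hex(String label) {
        StringBuilder sb = new StringBuilder("0h");
        for (byte b : label.getBytes(StandardCharsets.UTF_8)) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /**
     * Returns the attributes file with every line whose content is exactly the bare
     * token CKA_LABEL (no "=") replaced by a real assignment, keeping the line's
     * original indentation. Lines that already carry "CKA_LABEL = ..." are left
     * alone, so an explicit label in the file still wins. If no label is given the
     * placeholder line is dropped, because a bare "CKA_LABEL" is not a valid
     * attribute assignment and would break loading of the provider configuration.
     */
    static String expandLabelPlaceholder(String attributesFile, String label) {
        List<String> out = new ArrayList<>();
        for (String line : attributesFile.split("\n", -1)) {
            String trimmed = line.trim();
            if (trimmed.equals("CKA_LABEL")) {
                if (label == null || label.isEmpty()) {
                    continue; // drop the placeholder so the file stays parseable
                }
                String indent = line.substring(0, line.indexOf("CKA_LABEL"));
                out.add(indent + "CKA_LABEL = " + toSunPkcs11Hex(label));
            } else {
                out.add(line);
            }
        }
        return String.join("\n", out);
    }

    public static void main(String[] args) {
        // Constructed sample attributes file (not taken from any real HSM deployment).
        String sample = String.join("\n",
            "attributes(*, CKO_PRIVATE_KEY, *) = {",
            "  CKA_TOKEN = true",
            "  CKA_SENSITIVE = true",
            "  CKA_EXTRACTABLE = false",
            "  CKA_LABEL",
            "  CKA_SIGN = true",
            "}",
            "attributes(*, CKO_PUBLIC_KEY, *) = {",
            "  CKA_LABEL = 0h6578706c69636974",
            "}");
        System.out.println(expandLabelPlaceholder(sample, "priv-keylabel"));
    }
}
```

      Run with the label "priv-keylabel" the placeholder line becomes "  CKA_LABEL = 0h707269762d6b65796c6162656c", the exact line quoted in the description (that hex is the UTF-8 encoding of "priv-keylabel"), while the explicit CKA_LABEL in the public-key block is preserved. The expansion has to run before the file text is handed to the SunPKCS11 provider, since the placeholder on its own is not valid config syntax; the helper only compares the trimmed line, so a commented-out "# CKA_LABEL" is not touched, and Windows line endings would need the trailing "\r" stripped before the comparison.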


            People

            • Assignee: Tomas Gustavsson
            • Reporter: Tomas Gustavsson
            • Verified by: Ulf Undmark
            • Votes: 0
            • Watchers: 1


                Time Tracking

                • Original Estimate: 3h
                • Remaining Estimate: 0m
                • Time Spent: 3h