authorNikos Mavrogiannopoulos <nmav@redhat.com>2015-03-31 08:19:18 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-03-31 08:49:40 +0200
commit8357e359f5e23f2312a0c99813b7cfae5f1e4367 (patch)
treed11c7241a7bacab4d29781e255f78c01c698e3e6 /lib
parent196477d68f32b30d0de8e203a5c1c405af429603 (diff)
pkcs11: enhanced key generation functions to allow specifying a CKA_ID
Diffstat (limited to 'lib')
-rw-r--r--lib/includes/gnutls/pkcs11.h12
-rw-r--r--lib/pkcs11_privkey.c71
2 files changed, 63 insertions, 20 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 9280181dbf..7facebd89c 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -400,16 +400,18 @@ int gnutls_pkcs11_privkey_export_url(gnutls_pkcs11_privkey_t key,
detailed, char **url);
int gnutls_pkcs11_privkey_status(gnutls_pkcs11_privkey_t key);
-int gnutls_pkcs11_privkey_generate(const char *url,
- gnutls_pk_algorithm_t pk,
- unsigned int bits,
- const char *label, unsigned int flags);
+#define gnutls_pkcs11_privkey_generate(url, pk, bits, label, flags) \
+ gnutls_pkcs11_privkey_generate3(url, pk, bits, label, NULL, 0, NULL, flags)
+
+#define gnutls_pkcs11_privkey_generate2(url, pk, bits, label, fmt, pubkey, flags) \
+ gnutls_pkcs11_privkey_generate3(url, pk, bits, label, NULL, fmt, pubkey, flags)
int
-gnutls_pkcs11_privkey_generate2(const char *url,
+gnutls_pkcs11_privkey_generate3(const char *url,
gnutls_pk_algorithm_t pk,
unsigned int bits,
const char *label,
+ const gnutls_datum_t *cid,
gnutls_x509_crt_fmt_t fmt,
gnutls_datum_t * pubkey,
unsigned int flags);
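Review bot: Turning the `gnutls_pkcs11_privkey_generate` and `gnutls_pkcs11_privkey_generate2` prototypes into macros at `#define gnutls_pkcs11_privkey_generate(...)` is a public ABI change, not just an API change: the following hunks in lib/pkcs11_privkey.c move the old definitions under `#if 0`, so the two symbols are no longer compiled into the library and existing binaries that reference them will fail to resolve unless they are still provided elsewhere (the version script is outside this diff, so this is inferred). If source compatibility through macros is the goal, keep the prototypes and real out-of-line wrappers alongside them, e.g. `int gnutls_pkcs11_privkey_generate(const char *url, gnutls_pk_algorithm_t pk, unsigned int bits, const char *label, unsigned int flags) { return gnutls_pkcs11_privkey_generate3(url, pk, bits, label, NULL, 0, NULL, flags); }`, so both old and new callers link. The macros also expand to `NULL`, which every includer of this header must already have in scope; presumably gnutls.h guarantees that, but it is worth confirming.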
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index d4d603fb78..834341fdcb 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -593,7 +593,7 @@ gnutls_pkcs11_privkey_export_url(gnutls_pkcs11_privkey_t key,
return 0;
}
-
+#if 0
/**
* gnutls_pkcs11_privkey_generate:
* @url: a token URL
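Review bot: The previous `gnutls_pkcs11_privkey_generate` definition is disabled with `#if 0` instead of being deleted, and the same pattern continues in the next hunks (the `@@ -614` hunk leaves a non-void function with an empty body, and the `@@ -652` hunk closes the region with `#endif`). Disabled code whose signature has already drifted from the header (the `cid` parameter added at line `+ const gnutls_datum_t *cid,`) is a maintenance trap: it never compiles, so nothing catches further rot, and readers cannot tell whether it is meant to return. Remove the `#if 0` block entirely and rely on version control for the history; if the definitions must remain for ABI reasons, give them real bodies that delegate to `gnutls_pkcs11_privkey_generate3` rather than commenting them out.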
@@ -614,10 +614,9 @@ gnutls_pkcs11_privkey_export_url(gnutls_pkcs11_privkey_t key,
int
gnutls_pkcs11_privkey_generate(const char *url, gnutls_pk_algorithm_t pk,
unsigned int bits, const char *label,
+ const gnutls_datum_t *cid,
unsigned int flags)
{
- return gnutls_pkcs11_privkey_generate2(url, pk, bits, label, 0,
- NULL, flags);
}
/**
@@ -626,7 +625,7 @@ gnutls_pkcs11_privkey_generate(const char *url, gnutls_pk_algorithm_t pk,
* @pk: the public key algorithm
* @bits: the security bits
* @label: a label
- * @fmt: the format of output params. PEM or DER.
+ * @fmt: the format of output params. PEM or DER
* @pubkey: will hold the public key (may be %NULL)
* @flags: zero or an OR'ed sequence of %GNUTLS_PKCS11_OBJ_FLAGs
*
@@ -652,6 +651,43 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
gnutls_datum_t * pubkey,
unsigned int flags)
{
+}
+#endif
+
+/**
+ * gnutls_pkcs11_privkey_generate3:
+ * @url: a token URL
+ * @pk: the public key algorithm
+ * @bits: the security bits
+ * @label: a label
+ * @cid: The CKA_ID to use for the new object
+ * @fmt: the format of output params. PEM or DER
+ * @pubkey: will hold the public key (may be %NULL)
+ * @flags: zero or an OR'ed sequence of %GNUTLS_PKCS11_OBJ_FLAGs
+ *
+ * This function will generate a private key in the specified
+ * by the @url token. The private key will be generate within
+ * the token and will not be exportable. This function will
+ * store the DER-encoded public key in the SubjectPublicKeyInfo format
+ * in @pubkey. The @pubkey should be deinitialized using gnutls_free().
+ *
+ * Note that when generating an elliptic curve key, the curve
+ * can be substituted in the place of the bits parameter using the
+ * GNUTLS_CURVE_TO_BITS() macro.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.4.0
+ **/
+int
+gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk,
+ unsigned int bits, const char *label,
+ const gnutls_datum_t *cid,
+ gnutls_x509_crt_fmt_t fmt,
+ gnutls_datum_t * pubkey,
+ unsigned int flags)
+{
int ret;
const ck_bool_t tval = 1;
const ck_bool_t fval = 0;
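Review bot: The `@cid` line in the new docstring, `* @cid: The CKA_ID to use for the new object`, does not say what a %NULL or empty datum means even though the code in the next hunk generates a random ID in that case; suggest `* @cid: the CKA_ID to use for the new object; %NULL or an empty datum generates a random one`. It would also help callers to state that the supplied value appears to be applied to both attribute templates (`a` and `p`) unchanged, and that nothing in the visible hunks checks for an existing object with the same CKA_ID on the token, so a colliding caller-supplied ID makes later lookups by id ambiguous. Two typos in the description: `generate a private key in the specified by the @url token` should read `generate a private key in the token specified by @url`, and `will be generate within` should read `will be generated within`. The function body continues past the end of this hunk.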
@@ -698,20 +734,25 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
mech.parameter_len = 0;
mech.mechanism = pk_to_genmech(pk, &key_type);
- ret = gnutls_rnd(GNUTLS_RND_NONCE, id, sizeof(id));
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
a[a_val].type = CKA_ID;
- a[a_val].value = (void *) id;
- a[a_val].value_len = sizeof(id);
- a_val++;
+ if (cid == NULL || cid->size == 0) {
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, id, sizeof(id));
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ a[a_val].value = (void *) id;
+ a[a_val].value_len = sizeof(id);
+ } else {
+ a[a_val].value = (void *) cid->data;
+ a[a_val].value_len = cid->size;
+ }
p[p_val].type = CKA_ID;
- p[p_val].value = (void *) id;
- p[p_val].value_len = sizeof(id);
+ p[p_val].value = a[a_val].value;
+ p[p_val].value_len = a[a_val].value_len;
+ a_val++;
p_val++;
switch (pk) {
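Review bot: The new `} else {` branch trusts `cid->data` whenever `cid->size != 0`, so a datum with a non-zero size and a NULL `data` pointer is copied straight into the attribute template and handed to the PKCS#11 module, which is the wrong place for it to fail. Reject it explicitly before the template is built: `} else if (cid->data == NULL) { ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); goto cleanup; } else {`. The caller-supplied ID is otherwise passed through without any bound or collision check against objects already on the token; that is consistent with PKCS#11, but it should be stated in the API documentation since `CKA_ID` is what token URLs key on. The enclosing function starts before this hunk and continues after it, and the `id` buffer and the `a`/`p` templates are declared outside it.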