author | Rob Austein <sra@hactrn.net> | 2017-04-07 13:57:56 -0400 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2017-04-07 13:57:56 -0400 |
commit | d52a62ab76003fffd04dfaee686aa1956e7b56a7 (patch) | |
tree | 9e2e7d6275c33471bd225342466232496afadedb /rpc_pkey.c | |
parent | a5491cb3dcd86383c242f517490781bb790fad61 (diff) |
Enforce key usage flags.
Diffstat (limited to 'rpc_pkey.c')
-rw-r--r-- | rpc_pkey.c | 14 |
1 files changed, 13 insertions, 1 deletions
@@ -268,7 +268,7 @@ static inline hal_error_t ks_open_from_flags(hal_ks_t **ks, const hal_key_flags_
 * return a key handle and the name.
 */
-#warning Convert hal_rpc_pkey_load() to use hal-asn1_guess_key_type()?
+#warning Convert hal_rpc_pkey_load() to use hal_asn1_guess_key_type()?
 static hal_error_t pkey_local_load(const hal_client_handle_t client,
 const hal_session_handle_t session,
@@ -809,6 +809,9 @@ static hal_error_t pkey_local_sign(const hal_pkey_handle_t pkey,
 return HAL_ERROR_UNSUPPORTED_KEY;
 }
+ if ((slot->flags & HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE) == 0)
+ return HAL_ERROR_FORBIDDEN;
+
 uint8_t keybuf[hal_rsa_key_t_size > hal_ecdsa_key_t_size ? hal_rsa_key_t_size : hal_ecdsa_key_t_size];
 uint8_t der[HAL_KS_WRAPPED_KEYSIZE];
 size_t der_len;
@@ -957,6 +960,9 @@ static hal_error_t pkey_local_verify(const hal_pkey_handle_t pkey,
 return HAL_ERROR_UNSUPPORTED_KEY;
 }
+ if ((slot->flags & HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE) == 0)
+ return HAL_ERROR_FORBIDDEN;
+
 uint8_t keybuf[hal_rsa_key_t_size > hal_ecdsa_key_t_size ? hal_rsa_key_t_size : hal_ecdsa_key_t_size];
 uint8_t der[HAL_KS_WRAPPED_KEYSIZE];
 size_t der_len;
@@ -1084,6 +1090,9 @@ static hal_error_t pkey_local_export(const hal_pkey_handle_t pkey_handle,
 if ((pkey->flags & HAL_KEY_FLAG_EXPORTABLE) == 0)
 return HAL_ERROR_FORBIDDEN;
+ if ((kekek->flags & HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT) == 0)
+ return HAL_ERROR_FORBIDDEN;
+
 if (kekek->type != HAL_KEY_TYPE_RSA_PRIVATE && kekek->type != HAL_KEY_TYPE_RSA_PUBLIC)
 return HAL_ERROR_UNSUPPORTED_KEY;
@@ -1189,6 +1198,9 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client,
 if (kekek == NULL)
 return HAL_ERROR_KEY_NOT_FOUND;
+ if ((kekek->flags & HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT) == 0)
+ return HAL_ERROR_FORBIDDEN;
+
 if (kekek->type != HAL_KEY_TYPE_RSA_PRIVATE)
 return HAL_ERROR_UNSUPPORTED_KEY;
|
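Review bot: A key whose stored flags carry no usage bits is now rejected by the new `(slot->flags & HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE) == 0` test in pkey_local_sign, and the visible hunks show no default or migration for keys created before the flags were enforced. That may be handled where the flags are assigned, but it cannot be confirmed from this file's diff. The same applies to the identical test in pkey_local_verify and to the HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT tests in pkey_local_export and pkey_local_import. I would state the policy at the check, for example `/* Usage flags are enforced: a key without DIGITALSIGNATURE cannot sign. */`. pkey_local_sign begins and ends outside the hunk.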
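Review bot: Verification in pkey_local_verify is gated on the same HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE bit as signing, so a public key loaded only to check signatures must carry that bit or the call returns HAL_ERROR_FORBIDDEN. This looks like a deliberate policy, since no separate verify-only usage bit appears in this diff, but a caller cannot tell that from the code. A comment above the test would make it explicit, for example `/* Verify shares the DIGITALSIGNATURE usage bit with sign; keys without it are refused. */`. The function body continues on both sides of the hunk.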
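Review bot: The new `kekek->flags` test in pkey_local_export runs before the key-type test, while in pkey_local_sign and pkey_local_verify the usage test comes after the type switch. A key that fails both conditions therefore gets HAL_ERROR_FORBIDDEN from export and import but HAL_ERROR_UNSUPPORTED_KEY from sign and verify; one order across all four would make the error a caller sees predictable. The pkey_local_import hunk shows `if (kekek == NULL)` immediately before the new dereference, but the export hunk does not show an equivalent guard. Presumably it sits above the hunk, and that is worth confirming since the function starts outside the visible lines.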