From f0556bb5c26c1d4198b0336be9f1f5dffcc3ea95 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Thu, 12 May 2016 21:32:25 -0400
Subject: Fix RSA key length and CKA_ID lookup. libhal RPC API takes RSA key lengths in bits, not bytes. Insisting on receiving matching CKA_ID in both public and private templates on key generation is probably unwise, so back down using CKA_ID from private template if provided, otherwise from the public template, and only raise incompete template error if both are missing.
---
 pkcs11.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/pkcs11.c b/pkcs11.c
index d2f9f8a..dc14fd9 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -1928,7 +1928,7 @@ static CK_RV generate_keypair_rsa_pkcs(p11_session_t *session,
 if (!hal_check(hal_rpc_pkey_generate_rsa(p11_session_hal_client(session), p11_session_hal_session(session),
- &pkey, id, id_len, keysize / 8,
+ &pkey, id, id_len, keysize,
 public_exponent, public_exponent_len, 0)))
 lose(CKR_FUNCTION_FAILED);
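Review bot: Nothing at the call site says which unit `keysize` carries, and that unit confusion is exactly what this fix corrects, so the argument line deserves a comment. Something like `/* RSA key length in bits, as libhal expects; do not convert to bytes */` above it would keep the division from creeping back. If the HAL accepted the old `keysize / 8` value rather than rejecting it, keys generated by earlier builds would have a modulus one eighth of the requested length and are worth auditing; this is inferred, since the HAL's behaviour is not visible here. generate_keypair_rsa_pkcs starts and ends outside the hunk.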
@@ -2089,26 +2089,23 @@ static CK_RV generate_keypair(p11_session_t *session,
 lose(CKR_FUNCTION_FAILED);
 {
- size_t public_id_len = 0, private_id_len = 0;
+ size_t id_len = 0;
- if (!p11_attribute_get(public_handle, CKA_ID, NULL, &public_id_len, 0) ||
- !p11_attribute_get(private_handle, CKA_ID, NULL, &public_id_len, 0))
+ if (!p11_attribute_get(private_handle, CKA_ID, NULL, &id_len, 0) &&
+ !p11_attribute_get(public_handle, CKA_ID, NULL, &id_len, 0))
 lose(CKR_TEMPLATE_INCOMPLETE);
- uint8_t public_id[public_id_len], private_id[private_id_len];
+ uint8_t id[id_len];
- if (!p11_attribute_get(public_handle, CKA_ID, public_id, NULL, public_id_len) ||
- !p11_attribute_get(private_handle, CKA_ID, private_id, NULL, public_id_len))
+ if (!p11_attribute_get(private_handle, CKA_ID, id, NULL, id_len) &&
+ !p11_attribute_get(public_handle, CKA_ID, id, NULL, id_len))
 lose(CKR_TEMPLATE_INCOMPLETE);
- if (public_id_len != private_id_len || memcmp(public_id, private_id, public_id_len) != 0)
- lose(CKR_TEMPLATE_INCONSISTENT);
-
 if ((rv = mechanism_handler(session, pPublicKeyTemplate, ulPublicKeyAttributeCount, pPrivateKeyTemplate, ulPrivateKeyAttributeCount, private_handle, public_handle,
- public_id, public_id_len)) != CKR_OK)
+ id, id_len)) != CKR_OK)
 goto fail;
 }
--
cgit v1.2.3
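Review bot: `uint8_t id[id_len];` sizes a stack array directly from the CKA_ID length found in the caller's template, and nothing in this block bounds that length. A length of zero is undefined behaviour for a variable-length array and a very large one can overrun the stack; whether p11_attribute_get can report either is not visible in the hunk. A guard before the declaration, `if (id_len == 0 || id_len > <MAX_ID_LEN placeholder>) lose(CKR_ATTRIBUTE_VALUE_INVALID);`, with the placeholder standing for whatever limit the project chooses, would cover both cases. With the memcmp comparison gone, a public-template CKA_ID that differs from the private one is now ignored without an error, so a comment such as `/* CKA_ID from the private template takes precedence; the public one is only a fallback */` would record that this is intended. The braces enclose a block inside generate_keypair, which starts and ends outside the hunk.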