authorwyllys <none@none>2007-12-07 07:06:20 -0800
committerwyllys <none@none>2007-12-07 07:06:20 -0800
commit73cc0e021f4115db3085cd78083c42c8be4559e3 (patch)
tree7648a15e2f5accfb53c0df88ba5df4b981e10b8f
parent961238584cd954f50886f48af3948979875c7ed8 (diff)
6634339 kmf_find_key returns error when searching for raw (RSA) public key
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/export.c26
-rw-r--r--usr/src/lib/libkmf/libkmf/common/pem_encode.c9
-rw-r--r--usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c13
-rw-r--r--usr/src/lib/libkmf/plugins/kmf_pkcs11/common/pkcs11_spi.c114
4 files changed, 115 insertions, 47 deletions
diff --git a/usr/src/cmd/cmd-crypto/pktool/export.c b/usr/src/cmd/cmd-crypto/pktool/export.c
index 28a5f0a69e..2e973f8184 100644
--- a/usr/src/cmd/cmd-crypto/pktool/export.c
+++ b/usr/src/cmd/cmd-crypto/pktool/export.c
@@ -453,10 +453,11 @@ pk_export_pk12_pk11(KMF_HANDLE_T kmfhandle, char *token_spec,
static KMF_RETURN
pk_export_pk11_keys(KMF_HANDLE_T kmfhandle, char *token,
KMF_CREDENTIAL *cred, KMF_ENCODE_FORMAT format,
- char *label, char *filename)
+ char *label, char *filename, int oclass)
{
KMF_RETURN rv = KMF_OK;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
+ KMF_KEY_CLASS kclass = KMF_KEYCLASS_NONE;
int numattr = 0;
uint32_t numkeys = 1;
KMF_ATTRIBUTE attrlist[16];
@@ -504,6 +505,20 @@ pk_export_pk11_keys(KMF_HANDLE_T kmfhandle, char *token,
&format, sizeof (format));
numattr++;
+ /* Check to see if we are exporting private or public only */
+ if ((oclass & PK_KEY_OBJ) == PK_PRIKEY_OBJ)
+ kclass = KMF_ASYM_PRI;
+ else if ((oclass & PK_KEY_OBJ) == PK_PUBKEY_OBJ)
+ kclass = KMF_ASYM_PUB;
+ else if ((oclass & PK_KEY_OBJ) == PK_SYMKEY_OBJ)
+ kclass = KMF_SYMMETRIC;
+ else /* only 1 key at a time can be exported here, so default to pri */
+ kclass = KMF_ASYM_PRI;
+
+ kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
+ &kclass, sizeof (kclass));
+ numattr++;
+
rv = kmf_find_key(kmfhandle, numattr, attrlist);
if (rv == KMF_OK && key.keyclass == KMF_SYMMETRIC) {
KMF_RAW_SYM_KEY rkey;
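Review bot: The trailing `else` of the new class mapping silently selects the private key whenever `oclass & PK_KEY_OBJ` is not exactly one of the three classes — including when a caller asks for every key class at once — which is the most sensitive choice, and its comment explains only the one-key limit, not why private wins over public. I would reword it to `/* oclass names several (or no) key classes; only one key can be exported here, so prefer the private key */` so the default reads as a decision rather than a fall-through. Since all three arms test the same masked value, a `switch (oclass & PK_KEY_OBJ)` with `case PK_PRIKEY_OBJ:` / `case PK_PUBKEY_OBJ:` / `case PK_SYMKEY_OBJ:` / `default:` would also be more direct than the if/else chain. pk_export_pk11_keys starts and ends outside this hunk.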
@@ -557,6 +572,10 @@ done:
filename, strlen(filename));
numattr++;
+ kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
+ &key.keyclass, sizeof (KMF_KEY_CLASS));
+ numattr++;
+
rv = kmf_store_key(kmfhandle, numattr, attrlist);
kmf_free_kmf_key(kmfhandle, &key);
}
@@ -815,6 +834,9 @@ pk_export(int argc, char *argv[])
if (yesno(gettext("Continue with export? "),
gettext("Respond with yes or no.\n"), B_FALSE) == B_FALSE) {
return (0);
+ } else {
+ /* remove the file */
+ (void) unlink(filename);
}
} else {
rv = verify_file(filename);
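Review bot: `(void) unlink(filename)` discards the result, so when the existing file cannot be removed (no write permission on the directory, or a sticky directory such as /tmp) the export proceeds as though it could, and whatever the later writer does with the still-present file decides the outcome; check it with `if (unlink(filename) != 0 && errno != ENOENT)` and fail the export with a message, as `verify_file()` presumably does on the other branch. Removing and recreating the file also drops the old file's mode and owner and opens a window in which another local user can place a symlink or a file of their own at that path before the export creates it — for a file that may receive a private key, the safer shape is for the writer to open the existing path itself with O_TRUNC, O_NOFOLLOW and an explicit 0600 mode rather than unlinking here; that open is not visible from this hunk, so treat this as something to confirm. The `else` after `return (0)` is redundant and can be flattened. pk_export's body continues outside the hunk.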
@@ -866,7 +888,7 @@ pk_export(int argc, char *argv[])
kfmt == KMF_FORMAT_RAWKEY)
rv = pk_export_pk11_keys(kmfhandle,
token_spec, &tokencred, kfmt,
- certlabel, filename);
+ certlabel, filename, oclass);
else
rv = pk_export_pk11_objects(kmfhandle,
token_spec, certlabel,
diff --git a/usr/src/lib/libkmf/libkmf/common/pem_encode.c b/usr/src/lib/libkmf/libkmf/common/pem_encode.c
index f514e4aa9a..c80db6bdc6 100644
--- a/usr/src/lib/libkmf/libkmf/common/pem_encode.c
+++ b/usr/src/lib/libkmf/libkmf/common/pem_encode.c
@@ -490,8 +490,8 @@ Pem2Der(unsigned char *in, int inlen,
PEM_ENCODE_CTX ctx;
int i, j, k, bl = 0;
char buf[2048];
- char *nameB;
- unsigned char *dataB;
+ char *nameB = NULL;
+ unsigned char *dataB = NULL;
int total = 0;
if (in == NULL || inlen == 0 || out == NULL)
@@ -600,8 +600,9 @@ Pem2Der(unsigned char *in, int inlen,
*outlen = bl;
err:
- free(nameB);
- if (kmf_rv != KMF_OK)
+ if (nameB != NULL)
+ free(nameB);
+ if (kmf_rv != KMF_OK && dataB != NULL)
free(dataB);
return (kmf_rv);
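Review bot: The `if (nameB != NULL)` guard added around `free(nameB)` is redundant — `free(NULL)` is a no-op in C — and the `= NULL` initializers this commit adds already remove the uninitialized-pointer case it seems to be defending against; `free(nameB);` alone is enough. The asymmetric handling of `dataB` (freed only when `kmf_rv != KMF_OK`) is the invariant worth stating, since it implies the buffer is handed to the caller on success: a comment such as `/* on success dataB is owned by the caller; free it only on failure */` above `err:` would make that explicit — the ownership transfer is inferred from the `*outlen = bl` line, so confirm it against the success path. Pem2Der's body starts outside the hunk.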
diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c b/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c
index 1e7a166065..78f9af1665 100644
--- a/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c
+++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c
@@ -1416,6 +1416,8 @@ ssl_write_key(KMF_HANDLE *kmfh, KMF_ENCODE_FORMAT format, BIO *out,
return (KMF_ERR_BAD_PARAMETER);
switch (format) {
+ case KMF_FORMAT_RAWKEY:
+ /* same as ASN.1 */
case KMF_FORMAT_ASN1:
if (pkey->type == EVP_PKEY_RSA) {
rsa = EVP_PKEY_get1_RSA(pkey);
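Review bot: The new `case KMF_FORMAT_RAWKEY:` relies on an unmarked fall-through into `case KMF_FORMAT_ASN1:`; the comment `/* same as ASN.1 */` says why but not that the fall-through is deliberate, so a reader (and lint) cannot distinguish it from a missing `break`. Use the conventional marker, `/* FALLTHROUGH */`, or put both labels on adjacent lines with the comment after them: `case KMF_FORMAT_RAWKEY: /* FALLTHROUGH: raw keys are written like ASN.1 */`. ssl_write_key's switch continues past the end of this hunk.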
@@ -2953,6 +2955,8 @@ OpenSSL_FindKey(KMF_HANDLE_T handle,
if (rv == KMF_OK && (*numkeys) == 0)
rv = KMF_ERR_KEY_NOT_FOUND;
+ else if (rv == KMF_ERR_KEY_NOT_FOUND && (*numkeys) > 0)
+ rv = KMF_OK;
return (rv);
}
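Review bot: The added `else if (rv == KMF_ERR_KEY_NOT_FOUND && (*numkeys) > 0) rv = KMF_OK;` turns an error from an earlier lookup into success whenever some keys were collected, and nothing in the visible tail says which lookup is expected to report KMF_ERR_KEY_NOT_FOUND while `*numkeys` is non-zero, so a later reader will take it for masking a real failure. A comment on the branch such as `/* several key classes are searched; NOT_FOUND from the last one is not an error when an earlier class matched */` would record the intent — that reading is inferred from the return logic alone, so confirm it against the search loop, which starts outside this hunk. Any other error value arriving with `*numkeys > 0` is still returned unchanged, which looks right.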
@@ -5133,7 +5137,6 @@ OpenSSL_StoreKey(KMF_HANDLE_T handle, int numattr,
}
}
} else if (rawkey != NULL) {
- /* RAW keys are always private */
if (rawkey->keytype == KMF_RSA) {
pkey = ImportRawRSAKey(&rawkey->rawdata.rsa);
} else if (rawkey->keytype == KMF_DSA) {
@@ -5142,8 +5145,14 @@ OpenSSL_StoreKey(KMF_HANDLE_T handle, int numattr,
rv = KMF_ERR_BAD_PARAMETER;
}
if (pkey != NULL) {
+ KMF_KEY_CLASS kclass = KMF_ASYM_PRI;
+
+ rv = kmf_get_attr(KMF_KEYCLASS_ATTR, attrlist, numattr,
+ (void *)&kclass, NULL);
+ if (rv != KMF_OK)
+ rv = KMF_OK;
rv = ssl_write_key(kmfh, format, out,
- &cred, pkey, TRUE);
+ &cred, pkey, (kclass == KMF_ASYM_PRI));
EVP_PKEY_free(pkey);
}
}
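Review bot: The `if (rv != KMF_OK) rv = KMF_OK;` after `kmf_get_attr(KMF_KEYCLASS_ATTR, ...)` is dead — `rv` is overwritten by the `ssl_write_key()` call in the very next statement — and it hides the fact that the attribute is optional. Write the lookup as `(void) kmf_get_attr(KMF_KEYCLASS_ATTR, attrlist, numattr, (void *)&kclass, NULL); /* optional: absent means private */` so the `KMF_ASYM_PRI` default is visible as a choice. That default preserves the pre-change behaviour (the old hard-coded `TRUE`) for callers that pass no key class, so a raw public key stored without KMF_KEYCLASS_ATTR would still go through the private-key path; whether `ssl_write_key()` copes with a key that has no private components cannot be seen from this hunk.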
diff --git a/usr/src/lib/libkmf/plugins/kmf_pkcs11/common/pkcs11_spi.c b/usr/src/lib/libkmf/plugins/kmf_pkcs11/common/pkcs11_spi.c
index 694c4ba4da..8ce47be962 100644
--- a/usr/src/lib/libkmf/plugins/kmf_pkcs11/common/pkcs11_spi.c
+++ b/usr/src/lib/libkmf/plugins/kmf_pkcs11/common/pkcs11_spi.c
@@ -2173,6 +2173,42 @@ attr2bigint(CK_ATTRIBUTE_PTR attr, KMF_BIGINT *big)
big->len = attr->ulValueLen;
}
+static KMF_RETURN
+get_bigint_attr(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj,
+ CK_ATTRIBUTE_TYPE attrtype, KMF_BIGINT *bigint)
+{
+ CK_RV ckrv;
+ CK_ATTRIBUTE attr;
+
+ attr.type = attrtype;
+ attr.pValue = NULL;
+ attr.ulValueLen = 0;
+
+ if ((ckrv = C_GetAttributeValue(sess, obj,
+ &attr, 1)) != CKR_OK) {
+ /* Mask this error so the caller can continue */
+ if (ckrv == CKR_ATTRIBUTE_TYPE_INVALID)
+ return (KMF_OK);
+ else
+ return (KMF_ERR_INTERNAL);
+ }
+ if (attr.ulValueLen > 0 && bigint != NULL) {
+ attr.pValue = malloc(attr.ulValueLen);
+ if (attr.pValue == NULL)
+ return (KMF_ERR_MEMORY);
+
+ if ((ckrv = C_GetAttributeValue(sess, obj,
+ &attr, 1)) != CKR_OK)
+ if (ckrv != CKR_OK) {
+ free(attr.pValue);
+ return (KMF_ERR_INTERNAL);
+ }
+
+ bigint->val = attr.pValue;
+ bigint->len = attr.ulValueLen;
+ }
+ return (KMF_OK);
+}
static KMF_RETURN
get_raw_rsa(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE obj, KMF_RAW_RSA_KEY *rawrsa)
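Review bot: In `get_bigint_attr()` the second `C_GetAttributeValue()` is checked twice — `if ((ckrv = ...) != CKR_OK)` followed immediately by `if (ckrv != CKR_OK) {` — so the outer, brace-less test wraps an inner test that is always true; collapse it to `if (C_GetAttributeValue(sess, obj, &attr, 1) != CKR_OK) { free(attr.pValue); return (KMF_ERR_INTERNAL); }`. Because the helper takes a session handle rather than the `KMF_HANDLE`, it cannot call `SET_ERROR(kmfh, ckrv)` the way the existing `get_raw_rsa()` failure path does, so the PKCS#11 return code (for instance CKR_ATTRIBUTE_SENSITIVE on a non-extractable private key) is lost and callers only see KMF_ERR_INTERNAL; passing `kmfh` and recording `ckrv` would keep that diagnostic. Masking only CKR_ATTRIBUTE_TYPE_INVALID is reasonable for public-key objects that lack the private attributes, but that is worth saying at the mask: `/* public key objects have no CKA_PRIVATE_EXPONENT etc.; treat as absent */`.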
@@ -2180,19 +2216,17 @@ get_raw_rsa(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE obj, KMF_RAW_RSA_KEY *rawrsa)
KMF_RETURN rv = KMF_OK;
CK_RV ckrv;
CK_SESSION_HANDLE sess = kmfh->pk11handle;
- CK_ATTRIBUTE rsa_pri_attrs[8] = {
+ CK_ATTRIBUTE rsa_pri_attrs[2] = {
{ CKA_MODULUS, NULL, 0 },
- { CKA_PUBLIC_EXPONENT, NULL, 0 },
- { CKA_PRIVATE_EXPONENT, NULL, 0 }, /* optional */
- { CKA_PRIME_1, NULL, 0 }, /* | */
- { CKA_PRIME_2, NULL, 0 }, /* | */
- { CKA_EXPONENT_1, NULL, 0 }, /* | */
- { CKA_EXPONENT_2, NULL, 0 }, /* | */
- { CKA_COEFFICIENT, NULL, 0 } /* V */
- };
+ { CKA_PUBLIC_EXPONENT, NULL, 0 }
+ };
CK_ULONG count = sizeof (rsa_pri_attrs) / sizeof (CK_ATTRIBUTE);
int i;
+ if (rawrsa == NULL)
+ return (KMF_ERR_BAD_PARAMETER);
+
+ (void) memset(rawrsa, 0, sizeof (KMF_RAW_RSA_KEY));
if ((ckrv = C_GetAttributeValue(sess, obj,
rsa_pri_attrs, count)) != CKR_OK) {
SET_ERROR(kmfh, ckrv);
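Review bot: After this change `rsa_pri_attrs` holds only CKA_MODULUS and CKA_PUBLIC_EXPONENT, so the name now says the opposite of what the array contains; renaming it to `rsa_pub_attrs` (and the loop that frees it, in the function's tail) would stop the next reader from looking for the private components here. The added `memset(rawrsa, 0, ...)` is what lets `get_bigint_attr()` leave a field untouched when the token reports the attribute as absent, which deserves a one-line comment so the dependency is not lost: `/* fields left zero when the token lacks the attribute (public key objects) */`. get_raw_rsa continues past the end of this hunk.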
@@ -2229,35 +2263,25 @@ get_raw_rsa(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE obj, KMF_RAW_RSA_KEY *rawrsa)
attr2bigint(&(rsa_pri_attrs[i++]), &rawrsa->mod);
attr2bigint(&(rsa_pri_attrs[i++]), &rawrsa->pubexp);
- if (rsa_pri_attrs[i].ulValueLen != (CK_ULONG)-1 &&
- rsa_pri_attrs[i].ulValueLen != 0)
- attr2bigint(&(rsa_pri_attrs[i]), &rawrsa->priexp);
- i++;
-
- if (rsa_pri_attrs[i].ulValueLen != (CK_ULONG)-1 &&
- rsa_pri_attrs[i].ulValueLen != 0)
- attr2bigint(&(rsa_pri_attrs[i]), &rawrsa->prime1);
- i++;
-
- if (rsa_pri_attrs[i].ulValueLen != (CK_ULONG)-1 &&
- rsa_pri_attrs[i].ulValueLen != 0)
- attr2bigint(&(rsa_pri_attrs[i]), &rawrsa->prime2);
- i++;
-
- if (rsa_pri_attrs[i].ulValueLen != (CK_ULONG)-1 &&
- rsa_pri_attrs[i].ulValueLen != 0)
- attr2bigint(&(rsa_pri_attrs[i]), &rawrsa->exp1);
- i++;
-
- if (rsa_pri_attrs[i].ulValueLen != (CK_ULONG)-1 &&
- rsa_pri_attrs[i].ulValueLen != 0)
- attr2bigint(&(rsa_pri_attrs[i]), &rawrsa->exp2);
- i++;
-
- if (rsa_pri_attrs[i].ulValueLen != (CK_ULONG)-1 &&
- rsa_pri_attrs[i].ulValueLen != 0)
- attr2bigint(&(rsa_pri_attrs[i]), &rawrsa->coef);
- i++;
+ /* Now get the optional parameters */
+ rv = get_bigint_attr(sess, obj, CKA_PRIVATE_EXPONENT, &rawrsa->priexp);
+ if (rv != KMF_OK)
+ goto end;
+ rv = get_bigint_attr(sess, obj, CKA_PRIME_1, &rawrsa->prime1);
+ if (rv != KMF_OK)
+ goto end;
+ rv = get_bigint_attr(sess, obj, CKA_PRIME_2, &rawrsa->prime2);
+ if (rv != KMF_OK)
+ goto end;
+ rv = get_bigint_attr(sess, obj, CKA_EXPONENT_1, &rawrsa->exp1);
+ if (rv != KMF_OK)
+ goto end;
+ rv = get_bigint_attr(sess, obj, CKA_EXPONENT_2, &rawrsa->exp2);
+ if (rv != KMF_OK)
+ goto end;
+ rv = get_bigint_attr(sess, obj, CKA_COEFFICIENT, &rawrsa->coef);
+ if (rv != KMF_OK)
+ goto end;
end:
if (rv != KMF_OK) {
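Review bot: The last `if (rv != KMF_OK) goto end;` after the `CKA_COEFFICIENT` fetch jumps to the label on the very next line, so it can be dropped. More importantly, `get_bigint_attr()` masks only CKR_ATTRIBUTE_TYPE_INVALID, so a private key marked CKA_SENSITIVE — for which C_GetAttributeValue reports CKR_ATTRIBUTE_SENSITIVE instead of a value — makes the whole call fail with a generic KMF_ERR_INTERNAL; if exporting such keys is meant to be refused, a specific error at that point would be clearer, and if their public half is meant to be exportable the sensitive case needs masking too. I cannot tell from the hunk which is intended, so a comment above the optional fetches stating the policy (`/* private components: absent on public keys, refused on sensitive keys */`) would settle it. get_raw_rsa's cleanup continues in the next hunk.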
@@ -2265,6 +2289,18 @@ end:
if (rsa_pri_attrs[i].pValue != NULL)
free(rsa_pri_attrs[i].pValue);
}
+ if (rawrsa->priexp.val)
+ free(rawrsa->priexp.val);
+ if (rawrsa->prime1.val)
+ free(rawrsa->prime1.val);
+ if (rawrsa->prime2.val)
+ free(rawrsa->prime2.val);
+ if (rawrsa->exp1.val)
+ free(rawrsa->exp1.val);
+ if (rawrsa->exp2.val)
+ free(rawrsa->exp2.val);
+ if (rawrsa->coef.val)
+ free(rawrsa->coef.val);
(void) memset(rawrsa, 0, sizeof (KMF_RAW_RSA_KEY));
}
return (rv);
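Review bot: The six `if (x.val) free(x.val);` cleanups release RSA private-key components (private exponent, primes, CRT exponents, coefficient) just fetched from the token without clearing them first, so the key material stays readable in freed heap memory; scrub each buffer over its `.len` before freeing, and drop the guards, which are unnecessary since `free(NULL)` is a no-op. The existing loop over `rsa_pri_attrs` above has the same gap, though after this commit it only holds the modulus and public exponent. A plain `memset()` immediately before `free()` may be optimized away, so use whatever explicit-clear primitive the library already relies on, or a small helper that writes through a `volatile` pointer as sketched below. The success path hands the six allocations to the caller, which is worth a one-line comment above `end:` (`/* on success the caller owns the KMF_BIGINT values */`).
```c
/* Scrub and release a KMF_BIGINT fetched from the token. */
static void
free_bigint(KMF_BIGINT *b)
{
	if (b->val != NULL) {
		volatile unsigned char *p = (volatile unsigned char *)b->val;
		size_t n = b->len;

		while (n-- > 0)
			*p++ = 0;
		free(b->val);
	}
	b->val = NULL;
	b->len = 0;
}

/* … in get_raw_rsa's end: block, replacing the six if/free pairs … */
		free_bigint(&rawrsa->priexp);
		free_bigint(&rawrsa->prime1);
		free_bigint(&rawrsa->prime2);
		free_bigint(&rawrsa->exp1);
		free_bigint(&rawrsa->exp2);
		free_bigint(&rawrsa->coef);
```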
@@ -2591,7 +2627,7 @@ KMFPK11_FindKey(KMF_HANDLE_T handle,
CK_OBJECT_CLASS class;
CK_BBOOL true = TRUE;
CK_ULONG alg;
- boolean_t is_token, is_private;
+ boolean_t is_token = B_TRUE, is_private = B_FALSE;
KMF_KEY_HANDLE *keys;
uint32_t *numkeys;
KMF_CREDENTIAL cred;