Create keys with PKCS#11 URI instead of object

The pkcs11-provider has changed to take a PKCS#11 URI instead of an object identifier. Change the BIND 9 code accordingly to pass through the label instead of just the object identifier. See: https://github.com/latchset/pkcs11-provider/pull/284
2025-08-31 14:35:26 +00:00 · 2023-09-06 14:09:46 +02:00
parent 3dff3eac0a
commit 1e88bb0186
7 changed files with 38 additions and 58 deletions
--- a/configure.ac
+++ b/configure.ac
@@ -644,6 +644,7 @@ AS_IF([test "$enable_doh" = "yes"],

 AM_CONDITIONAL([HAVE_LIBNGHTTP2], [test -n "$LIBNGHTTP2_LIBS"])

+
 #
 # flockfile is usually provided by pthreads
 #
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -1031,7 +1031,7 @@ dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
 isc_result_t
 dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
 		 unsigned int param, unsigned int flags, unsigned int protocol,
-		 dns_rdataclass_t rdclass, const char *object, isc_mem_t *mctx,
+		 dns_rdataclass_t rdclass, const char *label, isc_mem_t *mctx,
 		 dst_key_t **keyp, void (*callback)(int)) {
 	dst_key_t *key;
 	isc_result_t ret;
@@ -1046,8 +1046,8 @@ dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
 	key = get_key_struct(name, alg, flags, protocol, bits, rdclass, 0,
 			     mctx);

-	if (object != NULL) {
-		key->object = isc_mem_strdup(mctx, object);
+	if (label != NULL) {
+		key->label = isc_mem_strdup(mctx, label);
 	}

 	if (bits == 0) { /*%< NULL KEY */
@@ -1408,9 +1408,6 @@ dst_key_free(dst_key_t **keyp) {
 		if (key->label != NULL) {
 			isc_mem_free(mctx, key->label);
 		}
-		if (key->object != NULL) {
-			isc_mem_free(mctx, key->object);
-		}
 		dns_name_free(key->key_name, mctx);
 		isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
 		if (key->key_tkeytoken) {
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -94,7 +94,6 @@ struct dst_key {
 	char *directory;	    /*%< key directory */
 	char *engine;		    /*%< engine name (HSM) */
 	char *label;		    /*%< engine label (HSM) */
-	char *object;		    /*%< engine object (HSM) */
 	union {
 		void *generic;
 		dns_gss_ctx_id_t gssctx;
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -629,7 +629,7 @@ dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
 isc_result_t
 dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
 		 unsigned int param, unsigned int flags, unsigned int protocol,
-		 dns_rdataclass_t rdclass, const char *object, isc_mem_t *mctx,
+		 dns_rdataclass_t rdclass, const char *label, isc_mem_t *mctx,
 		 dst_key_t **keyp, void (*callback)(int));

 /*%<
--- a/lib/dns/keystore.c
+++ b/lib/dns/keystore.c
@@ -167,14 +167,18 @@ dns_keystore_keygen(dns_keystore_t *keystore, const dns_name_t *origin,
 		char namebuf[DNS_NAME_FORMATSIZE];
 		char object[DNS_NAME_FORMATSIZE + 26];

-		/* Generate the key */
+		/* Create the PKCS11 URI */
 		isc_time_formatshorttimestamp(&now, timebuf, sizeof(timebuf));
 		dns_name_format(origin, namebuf, sizeof(namebuf));
 		snprintf(object, sizeof(object), "%s-%s-%s", namebuf,
 			 ksk ? "ksk" : "zsk", timebuf);
+		len = strlen(object) + strlen(uri) + 10;
+		label = isc_mem_get(mctx, len);
+		sprintf(label, "%s;object=%s;", uri, object);

+		/* Generate the key */
 		result = dst_key_generate(origin, alg, size, 0, flags,
-					  DNS_KEYPROTO_DNSSEC, rdclass, object,
+					  DNS_KEYPROTO_DNSSEC, rdclass, label,
 					  mctx, &key, NULL);
 		if (result != ISC_R_SUCCESS) {
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
@@ -187,9 +191,6 @@ dns_keystore_keygen(dns_keystore_t *keystore, const dns_name_t *origin,
 		dst_key_free(&key);

 		/* Retrieve generated key from label */
-		len = strlen(object) + strlen(uri) + 10;
-		label = isc_mem_get(mctx, len);
-		sprintf(label, "%s;object=%s;", uri, object);
 		result = dst_key_fromlabel(
 			origin, alg, flags, DNS_KEYPROTO_DNSSEC,
 			dns_rdataclass_in, dns_keystore_engine(keystore), label,
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -410,26 +410,17 @@ opensslecdsa_create_pkey(unsigned int key_alg, bool private,
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L

 static isc_result_t
-opensslecdsa_generate_pkey_with_object(int group_nid, const char *object,
-				       EVP_PKEY **retkey) {
+opensslecdsa_generate_pkey_with_uri(int group_nid, const char *label,
+				    EVP_PKEY **retkey) {
 	int status;
 	isc_result_t ret;
-	unsigned char id[16];
-	char *label = UNCONST(object);
+	char *uri = UNCONST(label);
 	EVP_PKEY_CTX *ctx = NULL;
-	OSSL_PARAM params[3];
+	OSSL_PARAM params[2];

 	/* Generate the key's parameters. */
-	status = RAND_bytes(id, 16);
-	if (status != 1) {
-		DST_RET(dst__openssl_toresult2("RAND_bytes",
-					       DST_R_OPENSSLFAILURE));
-	}
-
-	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_key_label", label,
-						     0);
-	params[1] = OSSL_PARAM_construct_octet_string("pkcs11_key_id", id, 16);
-	params[2] = OSSL_PARAM_construct_end();
+	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
+	params[1] = OSSL_PARAM_construct_end();

 	ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", "provider=pkcs11");
 	if (ctx == NULL) {
@@ -476,7 +467,7 @@ err:
 }

 static isc_result_t
-opensslecdsa_generate_pkey(unsigned int key_alg, const char *object,
+opensslecdsa_generate_pkey(unsigned int key_alg, const char *label,
 			   EVP_PKEY **retkey) {
 	isc_result_t ret;
 	EVP_PKEY_CTX *ctx = NULL;
@@ -484,9 +475,9 @@ opensslecdsa_generate_pkey(unsigned int key_alg, const char *object,
 	int group_nid = opensslecdsa_key_alg_to_group_nid(key_alg);
 	int status;

-	if (object != NULL) {
-		return (opensslecdsa_generate_pkey_with_object(group_nid,
-							       object, retkey));
+	if (label != NULL) {
+		return (opensslecdsa_generate_pkey_with_uri(group_nid, label,
+							    retkey));
 	}

 	/* Generate the key's parameters. */
@@ -570,14 +561,14 @@ opensslecdsa_extract_private_key(const dst_key_t *key, unsigned char *buf,
 #else

 static isc_result_t
-opensslecdsa_generate_pkey(unsigned int key_alg, const char *object,
+opensslecdsa_generate_pkey(unsigned int key_alg, const char *label,
 			   EVP_PKEY **retkey) {
 	isc_result_t ret;
 	EC_KEY *eckey = NULL;
 	EVP_PKEY *pkey = NULL;
 	int group_nid;

-	UNUSED(object);
+	UNUSED(label);

 	group_nid = opensslecdsa_key_alg_to_group_nid(key_alg);

@@ -892,7 +883,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 	UNUSED(unused);
 	UNUSED(callback);

-	ret = opensslecdsa_generate_pkey(key->key_alg, key->object, &pkey);
+	ret = opensslecdsa_generate_pkey(key->key_alg, key->label, &pkey);
 	if (ret != ISC_R_SUCCESS) {
 		return (ret);
 	}
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -366,14 +366,14 @@ progress_cb(int p, int n, BN_GENCB *cb) {
 }

 static isc_result_t
-opensslrsa_generate_pkey(unsigned int key_size, const char *object, BIGNUM *e,
+opensslrsa_generate_pkey(unsigned int key_size, const char *label, BIGNUM *e,
 			 void (*callback)(int), EVP_PKEY **retkey) {
 	RSA *rsa = NULL;
 	EVP_PKEY *pkey = NULL;
 	BN_GENCB *cb = NULL;
 	isc_result_t ret;

-	UNUSED(object);
+	UNUSED(label);

 	rsa = RSA_new();
 	pkey = EVP_PKEY_new();
@@ -497,26 +497,17 @@ progress_cb(EVP_PKEY_CTX *ctx) {
 }

 static isc_result_t
-opensslrsa_generate_pkey_with_object(size_t key_size, const char *object,
-				     EVP_PKEY **retkey) {
+opensslrsa_generate_pkey_with_uri(size_t key_size, const char *label,
+				  EVP_PKEY **retkey) {
 	EVP_PKEY_CTX *ctx = NULL;
-	OSSL_PARAM params[4];
-	unsigned char id[16];
-	char *label = UNCONST(object);
+	OSSL_PARAM params[3];
+	char *uri = UNCONST(label);
 	isc_result_t ret;
 	int status;

-	status = RAND_bytes(id, 16);
-	if (status != 1) {
-		DST_RET(dst__openssl_toresult2("RAND_bytes",
-					       DST_R_OPENSSLFAILURE));
-	}
-
-	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_key_label", label,
-						     0);
-	params[1] = OSSL_PARAM_construct_octet_string("pkcs11_key_id", id, 16);
-	params[2] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
-	params[3] = OSSL_PARAM_construct_end();
+	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
+	params[1] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
+	params[2] = OSSL_PARAM_construct_end();

 	ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", "provider=pkcs11");
 	if (ctx == NULL) {
@@ -549,14 +540,14 @@ err:
 }

 static isc_result_t
-opensslrsa_generate_pkey(unsigned int key_size, const char *object, BIGNUM *e,
+opensslrsa_generate_pkey(unsigned int key_size, const char *label, BIGNUM *e,
 			 void (*callback)(int), EVP_PKEY **retkey) {
 	EVP_PKEY_CTX *ctx;
 	isc_result_t ret;

-	if (object != NULL) {
-		return (opensslrsa_generate_pkey_with_object(key_size, object,
-							     retkey));
+	if (label != NULL) {
+		return (opensslrsa_generate_pkey_with_uri(key_size, label,
+							  retkey));
 	}

 	ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
@@ -731,7 +722,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 		BN_set_bit(e, 32);
 	}

-	ret = opensslrsa_generate_pkey(key->key_size, key->object, e, callback,
+	ret = opensslrsa_generate_pkey(key->key_size, key->label, e, callback,
 				       &pkey);
 	if (ret != ISC_R_SUCCESS) {
 		goto err;