From f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2a Mon Sep 17 00:00:00 2001
From: Francis Dupont <fdupont@isc.org>
Date: Mon, 5 Oct 2009 12:23:11 +0000
Subject: [PATCH] pkcs11 rt20236

---
 bin/pkcs11/pkcs11-keygen.c       | 68 +++++++++++++++++++++++++-------
 bin/pkcs11/pkcs11-keygen.docbook | 34 +++++++++++++---
 2 files changed, 82 insertions(+), 20 deletions(-)

diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index cd951e3fd6..230ec1aef3 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -6,7 +6,8 @@
  * it into a zone file.
  *
  * usage:
- * pkcs11-keygen [-P] [-m module] [-s slot] -b keysize -l label [-p pin] 
+ * pkcs11-keygen [-P] [-m module] [-s slot] [-e] -b keysize
+ *               -l label [-i id] [-p pin] 
  *
  */
 
@@ -45,10 +46,14 @@ main(int argc, char *argv[])
     CK_ULONG modulusbits = 0;
     CK_CHAR *label = NULL;
     CK_OBJECT_HANDLE privatekey, publickey;
-    CK_BYTE public_exponent[3];
+    CK_BYTE public_exponent[5];
+    CK_ULONG expsize = 3;
     int error = 0;
     int c, errflg = 0;
     int hide = 1;
+    int idlen = 0;
+    unsigned long id = 0;
+    CK_BYTE idbuf[4];
     CK_ULONG ulObjectCount;
     /* Set search template */
     CK_ATTRIBUTE search_template[] = {
@@ -59,20 +64,24 @@ main(int argc, char *argv[])
         {CKA_VERIFY, &truevalue, sizeof (truevalue)},
         {CKA_TOKEN, &truevalue, sizeof (truevalue)},
         {CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)},
-        {CKA_PUBLIC_EXPONENT, &public_exponent, sizeof (public_exponent)}
+        {CKA_PUBLIC_EXPONENT, &public_exponent, expsize},
+	{CKA_ID, &idbuf, idlen}
     };
+    CK_ULONG publickey_attrcnt = 6;
     CK_ATTRIBUTE privatekey_template[] = {
         {CKA_LABEL, NULL_PTR, 0},
         {CKA_SIGN, &truevalue, sizeof (truevalue)},
         {CKA_TOKEN, &truevalue, sizeof (truevalue)},
         {CKA_PRIVATE, &truevalue, sizeof (truevalue)},
         {CKA_SENSITIVE, &truevalue, sizeof (truevalue)},
-        {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)}
+        {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)},
+	{CKA_ID, &idbuf, idlen}
     };
+    CK_ULONG privatekey_attrcnt = 7;
     extern char *optarg;
     extern int optopt;
     
-    while ((c = getopt(argc, argv, ":Pm:s:b:i:l:p:")) != -1) {
+    while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) {
         switch (c) {
 	case 'P':
 	    hide = 0;
@@ -83,12 +92,19 @@ main(int argc, char *argv[])
 	case 's':
 	    slot = atoi(optarg);
 	    break;
+	case 'e':
+	    expsize = 5;
+	    break;
         case 'b':
             modulusbits = atoi(optarg);
             break;
         case 'l':
             label = (CK_CHAR *)optarg;
             break;
+	case 'i':
+	    id = strtoul(optarg, NULL, 0);
+	    idlen = 4;
+	    break;
         case 'p':
             pin = (CK_UTF8CHAR *)optarg;
             break;
@@ -104,8 +120,10 @@ main(int argc, char *argv[])
     }
     if ((errflg) || (!modulusbits) || (!label)) {
         fprintf(stderr,
-		"usage: pkcs11-keygen [-P] [-m module] [-s slot] "
-		"-b keysize -l label [-p pin]\n");
+		"usage: pkcs11-keygen "
+		"[-P] [-m module] [-s slot] [-e] -b keysize\n"
+		"                     "
+		"-l label [-i id] [-p pin]\n");
         exit(2);
     }
     
@@ -116,16 +134,39 @@ main(int argc, char *argv[])
     privatekey_template[0].pValue = label;
     privatekey_template[0].ulValueLen = strlen((char *)label);
 
-    /* Set public exponent to 65537 */
+    /* Set public exponent to F4 or F5 */
     public_exponent[0] = 0x01;
     public_exponent[1] = 0x00;
-    public_exponent[2] = 0x01;
+    if (expsize == 3)
+	public_exponent[2] = 0x01;
+    else {
+	publickey_template[4].ulValueLen = expsize;
+	public_exponent[2] = 0x00;
+	public_exponent[3] = 0x00;
+	public_exponent[4] = 0x01;
+    }
 
     /* Set up mechanism for generating key pair */
     genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
     genmech.pParameter = NULL_PTR;
     genmech.ulParameterLen = 0;
 
+    if (idlen == 0) {
+        publickey_attrcnt--;
+        privatekey_attrcnt--;
+    } else if (id <= 0xffff) {
+	idlen = 2;
+	publickey_template[5].ulValueLen = idlen;
+	privatekey_template[6].ulValueLen = idlen;
+	idbuf[0] = id >> 8;
+	idbuf[1] = id & 0xff;
+    } else {
+        idbuf[0] = id >> 24;
+	idbuf[1] = (id >> 16) & 0xff;
+	idbuf[2] = (id >> 8) & 0xff;
+	idbuf[3] = id & 0xff;
+    }
+
     /* Initialize the CRYPTOKI library */
     rv = C_Initialize(NULL_PTR);
 
@@ -186,12 +227,9 @@ main(int argc, char *argv[])
     }
 
     /* Generate Key pair for signing/verifying */
-    rv = C_GenerateKeyPair(hSession, &genmech, publickey_template,
-			   (sizeof (publickey_template) /
-			    sizeof (CK_ATTRIBUTE)),
-			   privatekey_template,
-			   (sizeof (privatekey_template) /
-			    sizeof (CK_ATTRIBUTE)),
+    rv = C_GenerateKeyPair(hSession, &genmech,
+			   publickey_template, publickey_attrcnt,
+			   privatekey_template, privatekey_attrcnt,
 			   &publickey, &privatekey);
         
     if (rv != CKR_OK) {
diff --git a/bin/pkcs11/pkcs11-keygen.docbook b/bin/pkcs11/pkcs11-keygen.docbook
index 8c62aba039..7c4ba084c8 100644
--- a/bin/pkcs11/pkcs11-keygen.docbook
+++ b/bin/pkcs11/pkcs11-keygen.docbook
@@ -1,6 +1,6 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+               [<!ENTITY mdash "&#8212;">]>
 <!--
  - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  -
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: pkcs11-keygen.docbook,v 1.2 2009/10/05 12:07:08 fdupont Exp $ -->
+<!-- $Id: pkcs11-keygen.docbook,v 1.3 2009/10/05 12:23:11 fdupont Exp $ -->
 <refentry id="man.pkcs11-keygen">
   <refentryinfo>
     <date>Sep 18, 2009</date>
@@ -47,8 +47,10 @@
       <arg><option>-P</option></arg>
       <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
       <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
+      <arg><option>-e</option></arg>
       <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
       <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
+      <arg><option>-i <replaceable class="parameter">id</replaceable></option></arg>
       <arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -98,6 +100,15 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-e</term>
+        <listitem>
+          <para>
+            Use a large exponent.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-b <replaceable class="parameter">keysize</replaceable></term>
         <listitem>
@@ -113,6 +124,17 @@
         <listitem>
           <para>
             Create key objects with the given label.
+            This name must be unique.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-i <replaceable class="parameter">id</replaceable></term>
+        <listitem>
+          <para>
+            Create key objects with id. The id is either
+            an unsigned short 2 byte or an unsigned long 4 byte number.
           </para>
         </listitem>
       </varlistentry>
@@ -137,14 +159,16 @@
       </citerefentry>,
       <citerefentry>
         <refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
     </para>
   </refsect1>
 
   <refsect1>
     <title>CAVEAT</title>
-    <para>The public exponent is hard-wired to 65537.</para>
-    <para>The command should optionally set the object ID too.</para>
+    <para>Some PKCS#11 providers crash with big public exponent.</para>
   </refsect1>
 
   <refsect1>