Add PKCS#11 provider support for ECDH and XDH key exchange#660
Conversation
[Medium] Provider ECDH derive fails when the peer key is also loaded from
|
|
Thanks, fixed all issues:
I also fixed dangling |
|
Review findings The previously reported provider-peer, software fallback, and XDH equality issues are fixed. I found the following remaining issues: [Medium] Oversized output buffers cause ECDH derivation to failsrc/provider.c:1974 outlen is the caller’s buffer capacity, but it is passed as the requested PKCS#11 CKA_VALUE_LEN. A caller may legally provide a buffer larger than the required secret size. For P-256, passing 64 bytes Set *secretlen = need before calling PKCS11_evp_pkey_derive(); use outlen only to verify capacity. I reproduced this by allocating 32 extra bytes after the size query: provider-ec-derive.softhsm then fails with CKR_ATTRIBUTE_TYPE_INVALID. [Medium] EVP_PKEY_derive_init_ex() parameters are silently ignoredsrc/provider_helpers.c:1871 p11_keyexch_ctx_init() discards params and resets cofactor_mode to -1. Consequently, parameters supplied through EVP_PKEY_derive_init_ex(), including OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE, are not Please process the initialization parameters using the same validation as keyexch_set_ctx_params(). [Medium] Derivation does not handle CKA_ALWAYS_AUTHENTICATEsrc/p11_pkey.c:624 pkcs11_derive_with_mechanism() calls C_DeriveKey without performing context-specific authentication. Private keys with CKA_ALWAYS_AUTHENTICATE=CK_TRUE will therefore fail key exchange even though signing and Please call pkcs11_authenticate(key, session) before C_DeriveKey, as the other private-key operation helpers do. [Medium] XDH certificate fallback rejects X25519/X448 certificatessrc/p11_eddsa.c:614 The X25519/X448 loaders use pkcs11_get_raw_public_key(), which falls back to extracting the public key from a matching certificate. However, the certificate extractor accepts only Ed25519 and Ed448. A token containing an XDH private key and certificate but no separate public-key object cannot load the private key. Please also accept EVP_PKEY_X25519 and EVP_PKEY_X448, or make this a generic ECX [Medium] Legacy XDH methods are not cleaned up correctlysrc/p11_eddsa.c:523 pkcs11_xdh_key_method_free() is never called from libp11_global_free(), leaving globally registered X25519/X448 methods after the last context is released. Additionally, the X448 loader registers Please invoke pkcs11_xdh_key_method_free() alongside pkcs11_ed_key_method_free() and correct the X448 callback. [Low] XDH security strength is reported as zerosrc/provider_helpers.c:693 p11_keydata_get_security_bits() handles Ed25519 and Ed448 but omits X25519 and X448, causing EVP_PKEY_get_security_bits() to return zero. Add X25519 → 128 and X448 → 224. [Low] XDH examples still read past argv when PIN is omittedexamples/x25519keygen.c:92 Both examples check argc < 5 but later access argv[5]. Please require at least six arguments. Tests
|
Add OSSL_OP_KEYEXCH support for EC, X25519, and X448 keys in the PKCS#11 provider path. This includes ECDH derive support, cofactor mode handling, peer public key handling, X25519/X448 key generation, and XDH derive plumbing through PKCS#11.
Store a referenced PKCS11_OBJECT_private instead of a pointer into a reallocated key array. This prevents use-after-free crashes after loading additional PKCS#11 keys.
|
I have addressed all reported findings:
|
Pull Request Type
Related Issue
Issue number: N/A
Current Behavior
The PKCS#11 provider does not implement
OSSL_OP_KEYEXCH.New Behavior
This change adds PKCS#11 provider support for key exchange operations.
The provider now implements
OSSL_OP_KEYEXCHand routes EC, X25519, and X448 derive operations through PKCS#11. For EC keys, ECDH shared-secret derivation is performed withCKM_ECDH1_DERIVEorCKM_ECDH1_COFACTOR_DERIVE, including cofactor mode handling and peer public key import.The change also adds X25519 and X448 key generation support using
CKM_EC_MONTGOMERY_KEY_PAIR_GEN, detects XDH key types fromCKA_EC_PARAMS, handles raw public key export/import for X25519 and X448, and wires XDH derive plumbing through the provider path.Scope of Changes
OSSL_OP_KEYEXCHdispatch and provider registration.PKCS11_evp_pkey_derive()as the common front-end derive helper.EC_MONTGOMERY.EVP_PKEY_METHODderive hooks for X25519/X448 on OpenSSL versions before 4.0.Testing
New SoftHSM tests generate an EC key pair with derive usage on the token and verify that:
ECDH(token_private, software_public) == ECDH(software_private, token_public)
Additional Notes
X25519/X448 derive support is wired through the provider path, but the actual hardware derive path remains untested for now because no available token/module advertises
EC_MONTGOMERYderive support.License Declaration