github-personal/labca
1
0
Fork 0
mirror of https://github.com/outbackdingo/labca.git synced 2026-01-27 10:19:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
labca/patches/ceremony_ecdsa.patch
Arjan H 37dd9184a7 Bump boulder version to v0.20251216.0
2025-12-27 16:40:48 +01:00

41 lines
2.2 KiB
Diff
Raw Permalink Blame History

diff --git a/cmd/ceremony/ecdsa.go b/cmd/ceremony/ecdsa.go
index e6d870094..3204e91ef 100644
--- a/cmd/ceremony/ecdsa.go
+++ b/cmd/ceremony/ecdsa.go
@@ -28,7 +28,7 @@ var curveToOIDDER = map[string][]byte{
// ecArgs constructs the private and public key template attributes sent to the
// device and specifies which mechanism should be used. curve determines which
// type of key should be generated.
-func ecArgs(label string, curve elliptic.Curve, keyID []byte) generateArgs {
+func ecArgs(label string, curve elliptic.Curve, keyID []byte, extractable bool) generateArgs {
encodedCurve := curveToOIDDER[curve.Params().Name]
log.Printf("\tEncoded curve parameters for %s: %X\n", curve.Params().Name, encodedCurve)
return generateArgs{
@@ -49,7 +49,7 @@ func ecArgs(label string, curve elliptic.Curve, keyID []byte) generateArgs {
// Prevent attributes being retrieved
pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, true),
// Prevent the key being extracted from the device
- pkcs11.NewAttribute(pkcs11.CKA_EXTRACTABLE, false),
+ pkcs11.NewAttribute(pkcs11.CKA_EXTRACTABLE, extractable),
// Allow the key to sign data
pkcs11.NewAttribute(pkcs11.CKA_SIGN, true),
},
@@ -80,7 +80,7 @@ func ecPub(
// specified by curveStr and with the provided label. It returns the public
// part of the generated key pair as a ecdsa.PublicKey and the random key ID
// that the HSM uses to identify the key pair.
-func ecGenerate(session *pkcs11helpers.Session, label, curveStr string) (*ecdsa.PublicKey, []byte, error) {
+func ecGenerate(session *pkcs11helpers.Session, label, curveStr string, extractable bool) (*ecdsa.PublicKey, []byte, error) {
curve, present := stringToCurve[curveStr]
if !present {
return nil, nil, fmt.Errorf("curve %q not supported", curveStr)
@@ -91,7 +91,7 @@ func ecGenerate(session *pkcs11helpers.Session, label, curveStr string) (*ecdsa.
return nil, nil, err
}
log.Printf("Generating ECDSA key with curve %s and ID %x\n", curveStr, keyID)
- args := ecArgs(label, curve, keyID)
+ args := ecArgs(label, curve, keyID, extractable)
pub, _, err := session.GenerateKeyPair(args.mechanism, args.publicAttrs, args.privateAttrs)
if err != nil {
return nil, nil, err
Reference in New Issue View Git Blame Copy Permalink