diff --git a/src/hsm.cpp b/src/hsm.cpp
index 286ce9da..aaa2dabd 100644
--- a/src/hsm.cpp
+++ b/src/hsm.cpp
@@ -188,7 +188,7 @@ openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const RSASpec &spec,
 const std::string &keyLabel,
 const std::vector &keyID)
 {
- HsmKeyParams hsmKeyParams;
+ HsmKeyParams hsmKeyParams = HsmKeyParams::Builder{}.setExtractable(false).build();
 return generateKey(spec, keyLabel, keyID, hsmKeyParams);
 }
@@ -215,8 +215,8 @@ openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const RSASpec &spec,
 pkcs11RSASpec.bits = spec.numberOfBits();
 PKCS11_params _params;
- _params.extractable = static_cast(params.cka_extractable);
- _params.sensitive = static_cast(params.cka_sensitive);
+ _params.extractable = static_cast(params.isExtractable());
+ _params.sensitive = static_cast(!params.isExtractable());
 PKCS11_KGEN_ATTRS pkcs11RSAKeygen;
 pkcs11RSAKeygen.type = EVP_PKEY_RSA;
@@ -233,7 +233,7 @@ openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const ECCSpec &spec,
 const std::string &keyLabel,
 const std::vector &keyID)
 {
- HsmKeyParams hsmKeyParams;
+ HsmKeyParams hsmKeyParams = HsmKeyParams::Builder{}.setExtractable(false).build();
 return generateKey(spec, keyLabel, keyID, hsmKeyParams);
 }
@@ -261,8 +261,9 @@ openssl::SSL_EVP_PKEY_Ptr HsmEngine::generateKey(const ECCSpec &spec,
 pkcs11ECCSpec.curve = curve.c_str();
 PKCS11_params _params;
- _params.extractable = static_cast(params.cka_extractable);
- _params.sensitive = static_cast(params.cka_sensitive);
+ // If the key is extractable it shouldn't be sensitive and vice versa
+ _params.extractable = static_cast(params.isExtractable());
+ _params.sensitive = static_cast(!params.isExtractable());
 PKCS11_KGEN_ATTRS pkcs11ECCKeygen;
 pkcs11ECCKeygen.type = EVP_PKEY_EC;
diff --git a/src/mococrw/hsm.h b/src/mococrw/hsm.h
index 79d7f78a..0b28dd03 100644
--- a/src/mococrw/hsm.h
+++ b/src/mococrw/hsm.h
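Review bot: In the RSA `generateKey` overload (hunk at -215,8) `_params.sensitive` is now derived as `!params.isExtractable()`, so a caller who asks for an extractable key also gets CKA_SENSITIVE cleared with no way to opt out; the ECC overload (hunk at -261,8) does the same. PKCS#11 treats the two attributes independently: CKA_EXTRACTABLE allows the key to be wrapped off the token, while clearing CKA_SENSITIVE on an extractable key allows its private value to be read in plaintext, so the wrapped-export-only combination (extractable and sensitive) that the old struct could express is no longer reachable. If plaintext readability is intended, say so at both assignments, for example `// extractable keys are created with CKA_SENSITIVE=false (value readable in plaintext); wrapped-only export is not supported`, instead of the ECC-only comment that the two "shouldn't" be combined; otherwise keep sensitivity as its own builder option defaulting to true. Both function bodies start and end outside their hunks.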
@@ -26,17 +26,40 @@ class ECCSpec;
 class RSASpec;
 /**
- * This struct currently contains PKCS#11 attributes which are changeable on key creation.
+ * This class currently contains PKCS#11 attributes which are changeable on key creation.
 * In the future also parameters for other keystorage interfaces can be added.
 */
-struct HsmKeyParams
+class HsmKeyParams
 {
+public:
+ class Builder;
+
+ bool isExtractable() const { return _extractable; }
+
+private:
+ bool _extractable;
+
 /* Default is that the key cannot be extracted and is marked as sensitive.
 * Check https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
 * for more details.
 */
- bool cka_extractable = false;
- bool cka_sensitive = true;
+ HsmKeyParams() : _extractable(false) {}
+};
+
+class HsmKeyParams::Builder
+{
+public:
+ Builder() {}
+ Builder &setExtractable(bool extractable)
+ {
+ params_._extractable = extractable;
+ return *this;
+ }
+
+ HsmKeyParams build() { return params_; }
+
+private:
+ HsmKeyParams params_;
 };
 /**
diff --git a/tests/integration/hsm-integration-test.cpp b/tests/integration/hsm-integration-test.cpp
index a5700094..7a07ff2d 100644
--- a/tests/integration/hsm-integration-test.cpp
+++ b/tests/integration/hsm-integration-test.cpp
@@ -452,9 +452,9 @@ int main(void)
 /**
 * Generate extractable and non-extractable keys for ECC and RSA
 */
- HsmKeyParams hsmKeyParamsExtract = {/*.cka_extractable =*/true,
- /* .cka_sensitive = */ false};
- HsmKeyParams hsmKeyParamsDefault;
+ HsmKeyParams hsmKeyParamsExtract = HsmKeyParams::Builder{}.setExtractable(true).build();
+
+ HsmKeyParams hsmKeyParamsDefault = HsmKeyParams::Builder{}.build();
 /* We need a new token otherwise the keys generated before litter the slot */
diff --git a/tests/unit/test_hsm.cpp b/tests/unit/test_hsm.cpp
index e25175ae..7e8dcd92 100644
--- a/tests/unit/test_hsm.cpp
+++ b/tests/unit/test_hsm.cpp
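Review bot: `Builder::setExtractable` and `HsmKeyParams::isExtractable` in src/mococrw/hsm.h are public API without a doc comment, and nothing in the header says that an extractable key is also created non-sensitive, which is what the hsm.cpp hunks on this page do with the flag. A caller reading only this header cannot see that consequence, so it should be stated on the setter, for example `/// Allow the key to leave the token; the engine then also creates it with CKA_SENSITIVE=false.` The retained "Default is..." comment now sits above the private constructor; moving it to `Builder` or to the class comment would put the default where users of the builder will read it. As a matter of style, `bool _extractable = false;` with `HsmKeyParams() = default;` and `Builder() = default;` would keep the secure default next to the field, and `_extractable` next to `params_` mixes two member-naming conventions.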
@@ -153,7 +153,7 @@ TEST_F(HSMTest, testHSMKeygenWithParams)
 auto hsm = initialiseEngine();
 std::string keyLabel{"key-label"};
 std::vector keyId{0x12};
- HsmKeyParams params{true, false};
+ HsmKeyParams params = HsmKeyParams::Builder{}.setExtractable(true).build();
 EXPECT_CALL(_mock(), SSL_ENGINE_ctrl_cmd_string( engine, StrEq("PIN"), StrEq(pin.c_str()), 0 /*non-optional*/))