[Opendnssec-develop] hsm-toolkit questions
John Dickinson
jad at jadickinson.co.uk
Wed Mar 11 14:00:52 UTC 2009
Hi,
here is a patch to hsm-toolkit to print a hash of the public key.
Before I finish it and submit it - can anyone see any problems?
Index: hsm-toolkit.c
===================================================================
--- hsm-toolkit.c (revision 272)
+++ hsm-toolkit.c (working copy)
@@ -32,6 +32,7 @@
#include <unistd.h>
#include <dlfcn.h>
#include "cryptoki.h"
+#include <openssl/sha.h>
const CK_BBOOL ctrue = CK_TRUE;
const CK_BBOOL cfalse = CK_FALSE;
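Review bot: this include makes hsm-toolkit depend on libcrypto, but the patch touches only hsm-toolkit.c, so the link step still needs -lcrypto added before this builds cleanly. Since the tool already holds an open PKCS#11 session, the same SHA-1 could be computed on the token with C_DigestInit/C_DigestUpdate/C_DigestFinal and CKM_SHA_1, which avoids the new dependency entirely.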
@@ -358,9 +359,34 @@
Add_Attr(pri_temp+cnt2++,CKA_PRIVATE, &ctrue, sizeof (ctrue));
Add_Attr(pri_temp+cnt2++,CKA_EXTRACTABLE, &ctrue, sizeof (ctrue));
CK_OBJECT_HANDLE ignore;
+ CK_OBJECT_HANDLE publickey;
check_rv("C_GenerateKeyPair", sym->C_GenerateKeyPair(ses, &mech,
pub_temp, cnt1,
- pri_temp, cnt2, &ignore,&ignore));
+ pri_temp, cnt2, &publickey,&ignore));
+
+ /* Create a hash of the public key */
+ unsigned char md[SHA_DIGEST_LENGTH];
+ SHA_CTX sha1ctx;
+ SHA1_Init(&sha1ctx);
+ int j;
+ /* Hash the modulus bits */
+ SHA1_Update(&sha1ctx, &keysize, sizeof (keysize));
+ /* Hash the public exponent */
+ SHA1_Update(&sha1ctx, &pubex, sizeof (pubex));
+ /* Get the Modulus */
+ CK_ATTRIBUTE template[32];
+ Add_Attr(template,CKA_MODULUS,NULL_PTR,0);
+ check_rv("C_GetAttributeValue",sym->C_GetAttributeValue(ses,
publickey, template, 1));
+ Init_Attrs(template,1);
+ check_rv("C_GetAttributeValue",sym->C_GetAttributeValue(ses,
publickey, template, 1));
+ SHA1_Update(&sha1ctx, (char*) Get_Val_string(template,CKA_MODULUS,
1), (int) Get_Val_Len(template,CKA_MODULUS,1) *8);
+ Flush_Attrs(template,1);
+ SHA1_Final(md, &sha1ctx);
printf("Created RSA key pair object, labeled %s\n",label);
+ printf("HASH WAS: ");
+ for (j = 0; j < SHA_DIGEST_LENGTH; j++) {
+ printf("%02x", md[j]);
+ }
+ printf("\n");
}
CK_SLOT_ID GetSlot() {
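Review bot: the length passed to SHA1_Update for the modulus is wrong: `(int) Get_Val_Len(template,CKA_MODULUS,1) *8` turns a byte count into a bit count, but SHA1_Update takes a byte count, so the call reads seven modulus-lengths past the end of the attribute buffer (undefined behaviour, and a digest over whatever follows it). Drop the `*8`. Two smaller points: `SHA1_Update(&sha1ctx, &keysize, sizeof (keysize))` and the matching call for `pubex` hash the in-memory layout of C integers, so the label would differ between hosts of different endianness or word size; if the hash is meant to be reproducible, encode both values in a fixed form (big-endian, fixed width) before hashing. And `CK_ATTRIBUTE template[32]` only ever uses one element, so `template[1]` (ideally under a name that is not a C++ keyword) states the intent better.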
John
On 11 Mar 2009, at 12:45, Jakob Schlyter wrote:
> On 11 mar 2009, at 13.41, Rickard Bondesson wrote:
>
>> Then we have to define how the public key should be hashed (in what
>> order to hash the key material). Or perhaps there is a procedure
>> defined by the community?
>
> no, we don't and that's a very nice property of this solution.
> the one who generates the label decides how to hash - the ones using
> it will just get the key from the keystore (e.g. using the <locator>
> in the signconf XML blob) and query the HSMs.
>
> jakob
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
---
John Dickinson
http://www.jadickinson.co.uk
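One deterministic way to serialize the key material before hashing it, as an added example in Python (not hsm-toolkit's own code, which is C): it fixes the field order Rickard asks about and gives every field an explicit big-endian length, so the label does not depend on the C type or byte order of `keysize` and `pubex`, which are assumed here to be native unsigned integers as in the patch. `naive_fingerprint` models the sizeof()-based hashing so the difference can be seen side by side.

```python
import hashlib
import struct

def int_to_be(n: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer (0 -> b'\\x00')."""
    if n < 0:
        raise ValueError("negative integer")
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def encode_rsa_pubkey(keysize_bits: int, pub_exponent: int, modulus: bytes) -> bytes:
    """Canonical serialization: key size, public exponent, modulus, in that order.
    Each field is prefixed with a 4-byte big-endian length, and leading zero
    bytes (which a PKCS#11 token may return on CKA_MODULUS) are stripped so
    the same key always serializes to the same bytes."""
    modulus = modulus.lstrip(b"\x00")
    if not modulus:
        raise ValueError("empty modulus")
    out = b""
    for field in (int_to_be(keysize_bits), int_to_be(pub_exponent), modulus):
        out += struct.pack(">I", len(field)) + field
    return out

def rsa_pubkey_fingerprint(keysize_bits: int, pub_exponent: int, modulus: bytes) -> str:
    """SHA-1 over the canonical encoding, as a lowercase hex label."""
    return hashlib.sha1(encode_rsa_pubkey(keysize_bits, pub_exponent, modulus)).hexdigest()

def naive_fingerprint(keysize_bits: int, pub_exponent: int, modulus: bytes, fmt: str = "@L") -> str:
    """Models hashing &keysize / &pubex with sizeof(): the digest covers the raw
    C object bytes. fmt selects the struct layout ('<I', '>I', '<Q', ...) to
    show that the resulting label differs between hosts of different
    endianness or word size."""
    raw = struct.pack(fmt, keysize_bits) + struct.pack(fmt, pub_exponent) + modulus
    return hashlib.sha1(raw).hexdigest()

# Constructed sample values (not a real key): a short modulus keeps the
# example readable; the leading zero byte mimics what an HSM may return.
SAMPLE_MODULUS = b"\x00\xab\xcd\xef"

if __name__ == "__main__":
    print("canonical:", rsa_pubkey_fingerprint(2048, 65537, SAMPLE_MODULUS))
    print("naive LE :", naive_fingerprint(2048, 65537, SAMPLE_MODULUS, "<I"))
    print("naive BE :", naive_fingerprint(2048, 65537, SAMPLE_MODULUS, ">I"))
```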