[Softhsm-develop] support for CKM_RSA_PKCS key un/wrapping

[Roland van Rijswijk - Deij]

Hi Petr,

Petr Spacek wrote:
> I have opened pull request #83 which adds support for CKM_RSA_PKCS key
> un/wrapping.
> https://github.com/opendnssec/SoftHSMv2/pull/83
> 
> Let's discuss about this code and your requirements :-)
> 
> Current code uses AsymmetricAlgorithm->encrypt() and decrypt() directly.
> 
> I wonder if it is really necessary to introduce new AsymmetricAlgorithm
> interface for wrap() and unwrap(). To me it seems that calling encrypt()
> and decrypt() with correct AsymMech could be enough...
> 
> Other alternative would be to add wrap() and unwrap() interface and
> simply relay calls wrap()->encrypt() etc. It would allow us to filter
> out some inappropriate mechanism from wrap() call but that is all. (E.g.
> refusing to do key wrapping if mechanism is CKM_SHA1_RSA_PKCS or
> something like that.)
> 
> Is it worth doing so? Thank you for your opinions.

I think it is worthwhile having a separate interface. Not just because
it looks cleaner, also because you can manage permissions on keys that
allow or disallow certain operations (such as wrapping/unwrapping). I
also think it is worthwhile having a constructor on AsymmetricKey
objects that allow a PKCS #8 blob as input, such that a call to unwrap
using a SymmetricKey can invoke such a constructor. Conversely, there
should be a function on AsymmetricKey objects that output a suitable
PKCS #8 blob for an invocation of wrap using a SymmetricKey object.

Cheers,

Roland

-- 
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4412 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.opendnssec.org/pipermail/softhsm-develop/attachments/20140718/89c5aed2/attachment.bin>