CKK_EC: optimization when private key contains CKA_EC_POINT

- always attempt to fetch CKA_EC_POINT - vendor optimization (e.g. Thales Luna) to have CKA_EC_POINT in CKO_PRIVATE_KEY - avoid HSM search for public key - libp11 equivalent: OpenSC/libp11@281ccb3 Signed-off-by: S-P Chan <[email protected]>
latchset · Feb 22, 2024 · 82a5fe8 · 82a5fe8
1 parent 391cd32
commit 82a5fe8
Showing 1 changed file with 14 additions and 8 deletions.
diff --git a/src/objects.c b/src/objects.c
@@ -796,6 +796,12 @@ static CK_RV fetch_ec_key(P11PROV_CTX *ctx, P11PROV_SESSION *session,
     FA_SET_BUF_ALLOC(attrs, num, CKA_EC_PARAMS, true);
     if (key->class == CKO_PUBLIC_KEY) {
         FA_SET_BUF_ALLOC(attrs, num, CKA_EC_POINT, true);
+    } else {
+        /* known vendor optimization to avoid storing
+         * EC public key on HSM; can avoid
+         * find_associated_obj later
+         */
+        FA_SET_BUF_ALLOC(attrs, num, CKA_EC_POINT, false);
     }
     FA_SET_BUF_ALLOC(attrs, num, CKA_ID, false);
     FA_SET_BUF_ALLOC(attrs, num, CKA_LABEL, false);
@@ -2187,14 +2193,14 @@ static int match_public_keys(P11PROV_OBJ *key1, P11PROV_OBJ *key2)
     P11PROV_OBJ *priv_key;
     int ret = RET_OSSL_ERR;
 
-    if ((key1->class == CKO_PUBLIC_KEY && key2->class == CKO_PUBLIC_KEY)
-        || key1->data.key.type == CKK_RSA) {
-        /* either keys are public, match directly their public values
-         * OR
-         * CKA_RSA keys (private/public) contain CKA_MODULUS / CKA_PUBLIC_EXPONENT
-         * - no need to find_associated_obj
-         */
-        return cmp_public_key_values(key1, key2);
+    /* avoid round-trip to HSM if keys have enough
+     * attributes to do the logical comparison
+     * CKK_RSA: MODULUS / PUBLIC_EXPONENT
+     * CKK_EC key: EC_POINT
+     */
+    ret = cmp_public_key_values(key1, key2);
+    if (ret != RET_OSSL_ERR) {
+        return ret;
     }
 
     /* one of the keys or both are private */