From c578c41ce181703ef14ceecddabc9ec45d305e6a Mon Sep 17 00:00:00 2001
From: S-P Chan
Date: Thu, 22 Feb 2024 07:55:38 +0800
Subject: [PATCH] CKK_EC: optimization when private key contains CKA_EC_POINT

- always attempt to fetch CKA_EC_POINT
- vendor optimization (e.g. Thales Luna) to have CKA_EC_POINT in CKO_PRIVATE_KEY
- avoid HSM search for public key
- libp11 equivalent: https://github.com/OpenSC/libp11/commit/281ccb3d60e77366bd6ece4b8a18d5ef28cb4f45

Signed-off-by: S-P Chan
---
 src/objects.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/objects.c b/src/objects.c
index 9fe0f33b..c1f8b55a 100644
--- a/src/objects.c
+++ b/src/objects.c
@@ -796,6 +796,12 @@ static CK_RV fetch_ec_key(P11PROV_CTX *ctx, P11PROV_SESSION *session,
     FA_SET_BUF_ALLOC(attrs, num, CKA_EC_PARAMS, true);
     if (key->class == CKO_PUBLIC_KEY) {
         FA_SET_BUF_ALLOC(attrs, num, CKA_EC_POINT, true);
+    } else {
+        /* known vendor optimization to avoid storing
+         * EC public key on HSM; can avoid
+         * find_associated_obj later
+         */
+        FA_SET_BUF_ALLOC(attrs, num, CKA_EC_POINT, false);
     }
     FA_SET_BUF_ALLOC(attrs, num, CKA_ID, false);
     FA_SET_BUF_ALLOC(attrs, num, CKA_LABEL, false);
@@ -2187,14 +2193,14 @@ static int match_public_keys(P11PROV_OBJ *key1, P11PROV_OBJ *key2)
     P11PROV_OBJ *priv_key;
     int ret = RET_OSSL_ERR;
 
-    if ((key1->class == CKO_PUBLIC_KEY && key2->class == CKO_PUBLIC_KEY)
-        || key1->data.key.type == CKK_RSA) {
-        /* either keys are public, match directly their public values
-         * OR
-         * CKA_RSA keys (private/public) contain CKA_MODULUS / CKA_PUBLIC_EXPONENT
-         * - no need to find_associated_obj
-         */
-        return cmp_public_key_values(key1, key2);
+    /* avoid round-trip to HSM if keys have enough
+     * attributes to do the logical comparison
+     * CKK_RSA: MODULUS / PUBLIC_EXPONENT
+     * CKK_EC: EC_POINT
+     */
+    ret = cmp_public_key_values(key1, key2);
+    if (ret != RET_OSSL_ERR) {
+        return ret;
     }
 
     /* one of the keys or both are private */
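Review bot: The comment on the new `else` branch describes the motivation but not the contract: CKA_EC_POINT is not a standard attribute of a CKO_PRIVATE_KEY, so its absence is the normal case and the `false` (optional) flag is what keeps standard tokens working. Suggest rewording it to `/* CKA_EC_POINT is a vendor extension on EC private keys (e.g. Thales Luna); fetch it optionally so match_public_keys can compare without find_associated_obj when the token provides it */`. When the point does come from the private key object, the code that consumes it presumably relies on the token to have stored a point that actually belongs to that private key; whether its consistency with CKA_EC_PARAMS is checked anywhere is not visible here and is worth confirming, since a mismatched point would pair the private key with the wrong public key. fetch_ec_key starts before this hunk and continues after it.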
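Review bot: `if (ret != RET_OSSL_ERR) { return ret; }` short-circuits only on a successful match, so two CKO_PUBLIC_KEY objects whose values differ now fall through to the `find_associated_obj` path that the removed condition skipped for them — assuming cmp_public_key_values returns RET_OSSL_ERR both when an attribute is missing and when the values differ (its body is not in this hunk). If that is the case, keep the fast path for the public/public case, e.g. `if (ret != RET_OSSL_ERR || (key1->class == CKO_PUBLIC_KEY && key2->class == CKO_PUBLIC_KEY)) { return ret; }`, or have cmp_public_key_values return a distinct value when it lacks the attributes needed to compare. The initializer on `int ret = RET_OSSL_ERR;` is now overwritten before any read and can be dropped. match_public_keys continues outside the hunk.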