pkcs11: Fix object creation with specified CKA_ID

It is fully allowed to have pre-defined CKA_ID values during key-pair generation. Specified in: PKCS OP-TEE#11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01 C_GenerateKeyPair Fixes: c3c16294 ("pkcs11: Fix object creation to have only one ID") Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
vesajaaskelainen · Dec 17, 2020 · d2a177c · d2a177c
1 parent 7bfba0e
commit d2a177c
Showing 1 changed file with 12 additions and 8 deletions.
diff --git a/ta/pkcs11/src/pkcs11_attributes.c b/ta/pkcs11/src/pkcs11_attributes.c
@@ -1580,27 +1580,31 @@ enum pkcs11_rc add_missing_attribute_id(struct obj_attrs **attrs1,
 	void *id2 = NULL;
 	uint32_t id2_size = 0;
 
-	rc = remove_empty_attribute(attrs1, PKCS11_CKA_ID);
-	if (rc)
-		return rc;
-
 	rc = get_attribute_ptr(*attrs1, PKCS11_CKA_ID, &id1, &id1_size);
 	if (rc) {
 		if (rc != PKCS11_RV_NOT_FOUND)
 			return rc;
 		id1 = NULL;
-	}
-
-	if (attrs2) {
-		rc = remove_empty_attribute(attrs2, PKCS11_CKA_ID);
+	} else if (!id1_size) {
+		// Remove empty CKA_ID to allow value to be filled
+		rc = remove_empty_attribute(attrs1, PKCS11_CKA_ID);
 		if (rc)
 			return rc;
+		id1 = NULL;
+	}
 
+	if (attrs2) {
 		rc = get_attribute_ptr(*attrs2, PKCS11_CKA_ID, &id2, &id2_size);
 		if (rc) {
 			if (rc != PKCS11_RV_NOT_FOUND)
 				return rc;
 			id2 = NULL;
+		} else if (!id2_size) {
+			// Remove empty CKA_ID to allow value to be filled
+			rc = remove_empty_attribute(attrs2, PKCS11_CKA_ID);
+			if (rc)
+				return rc;
+			id2 = NULL;
 		}
 
 		if (id1 && id2)