authorWolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>2014-08-04 15:32:53 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-08-06 14:47:46 +0200
commit19cf9366c174bddaf3a9cbdfd15bdd90ab12e3ca (patch)
tree454d7b3e49307cdd950ede026b9a1cfc9b736e07 /lib/pkcs11_privkey.c
parentbd186af143f9df4610b7fcc4bbb3bbf83bd282b3 (diff)
improve compatibility in pkcs11 key generation
* add key wrap/unwrap key usage * explicitly set public exponent in template Signed-off-by: Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>
Diffstat (limited to 'lib/pkcs11_privkey.c')
-rw-r--r--lib/pkcs11_privkey.c21
1 files changed, 21 insertions, 0 deletions
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index a9c473e711..5575efc016 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -655,6 +655,7 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
gnutls_pkcs11_obj_t obj = NULL;
gnutls_datum_t der = {NULL, 0};
ck_key_type_t key_type;
+ char pubEx[3] = { 1,0,1 }; // 65537 = 0x10001
PKCS11_CHECK_INIT;
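Review bot: `pubEx` is declared as plain `char`, whose signedness is implementation-defined, although it carries the raw bytes of a PKCS#11 big integer; `unsigned char` states the intent and stays correct if a byte above 0x7f is ever used. The array is never written in the visible hunks, so it could also be `static const unsigned char pubEx[] = { 0x01, 0x00, 0x01 }; /* 65537, most significant byte first */`, with a `(void *)` cast at the assignment as the patch already does for `tval`. The body of gnutls_pkcs11_privkey_generate2 continues outside this hunk.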
@@ -710,6 +711,12 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
a[a_val].value = &_bits;
a[a_val].value_len = sizeof(_bits);
a_val++;
+
+ a[a_val].type = CKA_PUBLIC_EXPONENT;
+ a[a_val].value = pubEx;
+ a[a_val].value_len = sizeof(pubEx);
+ a_val++;
+
break;
case GNUTLS_PK_DSA:
p[p_val].type = CKA_SIGN;
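Review bot: Nothing in the patch checks that `a[]` still has room for the entry appended at `a[a_val].type = CKA_PUBLIC_EXPONENT`, and the following hunk appends one more entry to each of `a[]` and `p[]` when GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP is set. The declarations of both arrays are outside the visible hunks, so their size should be confirmed against the worst-case attribute count (RSA with the wrap flag, plus whatever is added after the wrap block); if they are fixed-size, a write past the end would corrupt adjacent memory. A bounds check or assertion before each `a_val++`/`p_val++`, or at least a comment beside the declarations stating the maximum number of attributes, would keep later additions from silently overflowing.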
@@ -760,6 +767,20 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
goto cleanup;
}
+ /*
+ * on request, add the CKA_WRAP/CKA_UNWRAP key attribute
+ */
+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP) {
+ p[p_val].type = CKA_UNWRAP;
+ p[p_val].value = (void*)&tval;
+ p[p_val].value_len = sizeof(tval);
+ p_val++;
+ a[a_val].type = CKA_WRAP;
+ a[a_val].value = (void*)&tval;
+ a[a_val].value_len = sizeof(tval);
+ a_val++;
+ }
+
/* a private key is set always as private unless
* requested otherwise
*/
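Review bot: The wrap block appears to sit after the key-type switch, so CKA_WRAP/CKA_UNWRAP are added for every algorithm, including GNUTLS_PK_DSA, where wrapping is not a meaningful operation and a token may reject the template as inconsistent. Restricting it to RSA, for example `if (pk == GNUTLS_PK_RSA && (flags & GNUTLS_PKCS11_OBJ_FLAG_KEY_WRAP)) {`, or returning an explicit error for other key types, would make that failure predictable. The comment above the block could also say that the flag adds the ability to unwrap other keys on top of the usages set in the switch, so callers request it only for dedicated key-encryption keys rather than general signing keys. The enclosing function starts and ends outside this hunk.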