C_GenerateKeyPair

Generates a public-key/private-key pair.

CK_DECLARE_FUNCTION( CK_RV, C_GenerateKeyPair )( CK_SESSION_HANDLE hSession,
                                                 CK_MECHANISM_PTR pMechanism,
                                                 CK_ATTRIBUTE_PTR pPublicKeyTemplate,
                                                 CK_ULONG ulPublicKeyAttributeCount,
                                                 CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
                                                 CK_ULONG ulPrivateKeyAttributeCount,
                                                 CK_OBJECT_HANDLE_PTR phPublicKey,
                                                 CK_OBJECT_HANDLE_PTR phPrivateKey )
{
    uint8_t * pucDerFile = pvPortMalloc( pkcs11KEY_GEN_MAX_DER_SIZE );
    int32_t lMbedResult = 0;
    uint32_t ulIndex = 0;
    mbedtls_pk_context xCtx = { 0 };
    CK_ATTRIBUTE_PTR pxPrivateLabel = NULL;
    CK_ATTRIBUTE_PTR pxPublicLabel = NULL;
    CK_OBJECT_HANDLE xPalPublic = CK_INVALID_HANDLE;
    CK_OBJECT_HANDLE xPalPrivate = CK_INVALID_HANDLE;
    uint32_t xPublicRequiredAttributeMap = ( LABEL_IN_TEMPLATE | EC_PARAMS_IN_TEMPLATE | VERIFY_IN_TEMPLATE );
    uint32_t xPrivateRequiredAttributeMap = ( LABEL_IN_TEMPLATE | PRIVATE_IN_TEMPLATE | SIGN_IN_TEMPLATE );
    uint32_t xAttributeMap = 0;
 
    const P11Session_t * pxSession = prvSessionPointerFromHandle( hSession );
    CK_RV xResult = prvCheckValidSessionAndModule( pxSession );
 
    #if ( pkcs11configSUPPRESS_ECDSA_MECHANISM == 1 )
        if( xResult == CKR_OK )
        {
            xResult = CKR_MECHANISM_INVALID;
        }
    #endif
 
    if( xResult == CKR_OK )
    {
        if( ( pPublicKeyTemplate == NULL ) ||
            ( pPrivateKeyTemplate == NULL ) ||
            ( phPublicKey == NULL ) ||
            ( phPrivateKey == NULL ) ||
            ( pMechanism == NULL ) )
        {
            xResult = CKR_ARGUMENTS_BAD;
        }
    }
 
    if( xResult == CKR_OK )
    {
        if( pucDerFile == NULL )
        {
            xResult = CKR_HOST_MEMORY;
        }
    }
 
    if( xResult == CKR_OK )
    {
        if( CKM_EC_KEY_PAIR_GEN != pMechanism->mechanism )
        {
            xResult = CKR_MECHANISM_INVALID;
        }
    }
 
    if( xResult == CKR_OK )
    {
        for( ulIndex = 0; ulIndex < ulPrivateKeyAttributeCount; ++ulIndex )
        {
            xResult = prvCheckGenerateKeyPairPrivateTemplate( &pxPrivateLabel,
                                                              &pPrivateKeyTemplate[ ulIndex ],
                                                              &xAttributeMap );
 
            if( xResult != CKR_OK )
            {
                break;
            }
        }
 
        if( ( xResult == CKR_OK ) && ( ( xAttributeMap & xPrivateRequiredAttributeMap ) != xPrivateRequiredAttributeMap ) )
        {
            xResult = CKR_TEMPLATE_INCOMPLETE;
        }
    }
 
    if( xResult == CKR_OK )
    {
        xAttributeMap = 0;
 
        for( ulIndex = 0; ulIndex < ulPublicKeyAttributeCount; ++ulIndex )
        {
            xResult = prvCheckGenerateKeyPairPublicTemplate( &pxPublicLabel,
                                                             &pPublicKeyTemplate[ ulIndex ],
                                                             &xAttributeMap );
 
            if( xResult != CKR_OK )
            {
                break;
            }
        }
 
        if( ( xResult == CKR_OK ) && ( ( xAttributeMap & xPublicRequiredAttributeMap ) != xPublicRequiredAttributeMap ) )
        {
            xResult = CKR_TEMPLATE_INCOMPLETE;
        }
    }
 
    if( xResult == CKR_OK )
    {
        mbedtls_pk_init( &xCtx );
        lMbedResult = mbedtls_pk_setup( &xCtx, mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ) );
    }
 
    if( lMbedResult != 0 )
    {
        xResult = CKR_FUNCTION_FAILED;
    }
 
    if( xResult == CKR_OK )
    {
        if( 0 != mbedtls_ecp_gen_key( MBEDTLS_ECP_DP_SECP256R1,
                                      mbedtls_pk_ec( xCtx ),
                                      mbedtls_ctr_drbg_random,
                                      &xP11Context.xMbedDrbgCtx ) )
        {
            xResult = CKR_FUNCTION_FAILED;
        }
    }
 
    if( xResult == CKR_OK )
    {
        lMbedResult = mbedtls_pk_write_pubkey_der( &xCtx, pucDerFile, pkcs11KEY_GEN_MAX_DER_SIZE );
 
        if( lMbedResult > 0 )
        {
            xPalPublic = PKCS11_PAL_SaveObject( pxPublicLabel, pucDerFile + pkcs11KEY_GEN_MAX_DER_SIZE - lMbedResult, ( uint32_t ) lMbedResult );
        }
        else
        {
            xResult = CKR_GENERAL_ERROR;
        }
    }
 
    if( xResult == CKR_OK )
    {
        lMbedResult = mbedtls_pk_write_key_der( &xCtx, pucDerFile, pkcs11KEY_GEN_MAX_DER_SIZE );
 
        if( lMbedResult > 0 )
        {
            xPalPrivate = PKCS11_PAL_SaveObject( pxPrivateLabel, pucDerFile + pkcs11KEY_GEN_MAX_DER_SIZE - lMbedResult, ( uint32_t ) lMbedResult );
        }
        else
        {
            xResult = CKR_GENERAL_ERROR;
        }
    }
 
    if( ( xPalPublic != CK_INVALID_HANDLE ) && ( xPalPrivate != CK_INVALID_HANDLE ) )
    {
        xResult = prvAddObjectToList( xPalPrivate, phPrivateKey, pxPrivateLabel->pValue, pxPrivateLabel->ulValueLen );
 
        if( xResult == CKR_OK )
        {
            xResult = prvAddObjectToList( xPalPublic, phPublicKey, pxPublicLabel->pValue, pxPublicLabel->ulValueLen );
 
            if( xResult != CKR_OK )
            {
                ( void ) PKCS11_PAL_DestroyObject( *phPrivateKey );
            }
        }
    }
 
    /* Clean up. */
    vPortFree( pucDerFile );
    mbedtls_pk_free( &xCtx );
 
    return xResult;
}

This port only supports generating elliptic curve P-256 key pairs.

Parameters

[in]	hSession	Handle of a valid PKCS #11 session.
[in]	pMechanism	Pointer to a mechanism. At this time, CKM_EC_KEY_PAIR_GEN is the only supported mechanism.
[in]	pPublicKeyTemplate	Pointer to a list of attributes that the generated public key should possess. Public key template must have the following attributes: CKA_LABEL Label should be no longer than pkcs11configMAX_LABEL_LENGTH and must be supported by port's PKCS #11 PAL. CKA_EC_PARAMS Must equal pkcs11DER_ENCODED_OID_P256. Only P-256 keys are supported. CKA_VERIFY Must be set to true. Only public keys used for verification are supported. Public key templates may have the following attributes: CKA_KEY_TYPE Must be set to CKK_EC. Only elliptic curve key generation is supported. CKA_TOKEN Must be set to CK_TRUE.
[in]	ulPublicKeyAttributeCount	Number of attributes in pPublicKeyTemplate.
[in]	pPrivateKeyTemplate	Pointer to a list of attributes that the generated private key should possess. Private key template must have the following attributes: CKA_LABEL Label should be no longer than pkcs11configMAX_LABEL_LENGTH and must be supported by port's PKCS #11 PAL. CKA_PRIVATE Must be set to true. CKA_SIGN Must be set to true. Only private keys used for signing are supported. Private key template may have the following attributes: CKA_KEY_TYPE Must be set to CKK_EC. Only elliptic curve key generation is supported. CKA_TOKEN Must be set to CK_TRUE.
[in]	ulPrivateKeyAttributeCount	Number of attributes in pPrivateKeyTemplate.
[out]	phPublicKey	Pointer to the handle of the public key to be created.
[out]	phPrivateKey	Pointer to the handle of the private key to be created.

Note

Not all attributes specified by the PKCS #11 standard are supported.

CKA_LOCAL attribute is not supported.

Returns

CKR_OK if successful. Else, see PKCS #11 specification for more information.