diff --git a/kms/pkcs11/pkcs11.go b/kms/pkcs11/pkcs11.go index df1e3d10..64c1e72a 100644 --- a/kms/pkcs11/pkcs11.go +++ b/kms/pkcs11/pkcs11.go @@ -262,6 +262,7 @@ func generateKey(ctx P11, req *apiv1.CreateKeyRequest) (crypto11.Signer, error) if err != nil { return nil, err } + signer, err := ctx.FindKeyPair(id, object) if err != nil { return nil, err @@ -272,6 +273,12 @@ func generateKey(ctx P11, req *apiv1.CreateKeyRequest) (crypto11.Signer, error) } } + // Enforce the use of both id and labels. This is not strictly necessary in + // PKCS #11, but it's a good practice. + if len(id) == 0 || len(object) == 0 { + return nil, errors.Errorf("key with uri %s is not valid, id and object are required", req.Name) + } + bits := req.Bits if bits == 0 { bits = DefaultRSASize diff --git a/kms/pkcs11/pkcs11_test.go b/kms/pkcs11/pkcs11_test.go index ebecb7d0..a74fb3fe 100644 --- a/kms/pkcs11/pkcs11_test.go +++ b/kms/pkcs11/pkcs11_test.go @@ -198,7 +198,6 @@ func TestPKCS11_CreateKey(t *testing.T) { want *apiv1.CreateKeyResponse wantErr bool }{ - // SoftHSM2 {"default", args{&apiv1.CreateKeyRequest{ Name: testObject, }}, &apiv1.CreateKeyResponse{ @@ -323,6 +322,15 @@ func TestPKCS11_CreateKey(t *testing.T) { {"fail name", args{&apiv1.CreateKeyRequest{ Name: "", }}, nil, true}, + {"fail no id", args{&apiv1.CreateKeyRequest{ + Name: "pkcs11:object=create-key", + }}, nil, true}, + {"fail no object", args{&apiv1.CreateKeyRequest{ + Name: "pkcs11:id=9999", + }}, nil, true}, + {"fail schema", args{&apiv1.CreateKeyRequest{ + Name: "pkcs12:id=9999;object=create-key", + }}, nil, true}, {"fail bits", args{&apiv1.CreateKeyRequest{ Name: "pkcs11:id=9999;object=create-key", Bits: -1,