Enforce the use of id and label when generating objects.

2021-02-04 12:53:08 -08:00 · 2021-02-04 12:53:08 -08:00 · f425a81d36
commit f425a81d36
parent dd6a43ad13
2 changed files with 16 additions and 1 deletions
--- a/kms/pkcs11/pkcs11.go
+++ b/kms/pkcs11/pkcs11.go
@ -262,6 +262,7 @@ func generateKey(ctx P11, req *apiv1.CreateKeyRequest) (crypto11.Signer, error)
 	if err != nil {
 		return nil, err
 	}
+
 	signer, err := ctx.FindKeyPair(id, object)
 	if err != nil {
 		return nil, err
@ -272,6 +273,12 @@ func generateKey(ctx P11, req *apiv1.CreateKeyRequest) (crypto11.Signer, error)
 		}
 	}

+	// Enforce the use of both id and labels. This is not strictly necessary in
+	// PKCS #11, but it's a good practice.
+	if len(id) == 0 || len(object) == 0 {
+		return nil, errors.Errorf("key with uri %s is not valid, id and object are required", req.Name)
+	}
+
 	bits := req.Bits
 	if bits == 0 {
 		bits = DefaultRSASize
--- a/kms/pkcs11/pkcs11_test.go
+++ b/kms/pkcs11/pkcs11_test.go
@ -198,7 +198,6 @@ func TestPKCS11_CreateKey(t *testing.T) {
 		want    *apiv1.CreateKeyResponse
 		wantErr bool
 	}{
-		// SoftHSM2
 		{"default", args{&apiv1.CreateKeyRequest{
 			Name: testObject,
 		}}, &apiv1.CreateKeyResponse{
@ -323,6 +322,15 @@ func TestPKCS11_CreateKey(t *testing.T) {
 		{"fail name", args{&apiv1.CreateKeyRequest{
 			Name: "",
 		}}, nil, true},
+		{"fail no id", args{&apiv1.CreateKeyRequest{
+			Name: "pkcs11:object=create-key",
+		}}, nil, true},
+		{"fail no object", args{&apiv1.CreateKeyRequest{
+			Name: "pkcs11:id=9999",
+		}}, nil, true},
+		{"fail schema", args{&apiv1.CreateKeyRequest{
+			Name: "pkcs12:id=9999;object=create-key",
+		}}, nil, true},
 		{"fail bits", args{&apiv1.CreateKeyRequest{
 			Name:               "pkcs11:id=9999;object=create-key",
 			Bits:               -1,