Fix to openCryptoki PKCS#11 TPM generated key handling

dev-libs/opencryptoki/files/opencryptoki-2.2.8-tpm_pubexp.patch

Index: dev-libs/opencryptoki/files/opencryptoki-2.2.8-tpm_pubexp.patch
diff --git a/dev-libs/opencryptoki/files/opencryptoki-2.2.8-tpm_pubexp.patch b/dev-libs/opencryptoki/files/opencryptoki-2.2.8-tpm_pubexp.patch
new file mode 100644
index 0000000000000000000000000000000000000000..62aba48d03586cc178b397770b1cc645439dd26c
--- /dev/null
+++ b/dev-libs/opencryptoki/files/opencryptoki-2.2.8-tpm_pubexp.patch
@@ -0,0 +1,53 @@
+diff -ru clean/opencryptoki-2.3.2/usr/lib/pkcs11/tpm_stdll/new_host.c opencryptoki-2.3.2/usr/lib/pkcs11/tpm_stdll/new_host.c
+--- clean/opencryptoki-2.3.2/usr/lib/pkcs11/tpm_stdll/new_host.c        2010-07-29 05:28:41.000000000 -0700
++++ opencryptoki-2.3.2/usr/lib/pkcs11/tpm_stdll/new_host.c      2010-11-16 09:30:53.075739829 -0800
+@@ -28,6 +28,9 @@
+        4/25/03    Kapil Sood (kapil@corrent.com)
+                   Added DH key pair generation and DH shared key derivation
+                   functions.
++      11/16/10    Nelson Araujo (nelsona@chromium.org)
++                  Return default public exponent if not stored and/or returned

[James Simonsen, 2010/12/07 22:32:21]

This doesn't feel like the right place to put in this specific workaround. It
seems like the default value either belongs in our TPM driver or we should pass
in the public exponent to opencryptoki. I don't really understand how this code
fits in to everything else though; are either of those ideas reasonable?

[Nelson Araujo, 2010/12/07 23:20:33]

Without this code *all* operations with a openCryptoki TPM-generated key pair
fails. The idea here is that because the exponent is always 65537 it is not
stored in the TPM (this library ensures it is this value throughout the code).

Because it is a well-known value it is not stored in the TPM. When building a
response back to the caller we need to pass the default value along. Callers of
the API does not need to know in advance the exponent, and they will all fail if
it is missing.

++                  by the TPM token device
+ ****************************************************************************/
+
+
+@@ -120,6 +124,7 @@
+
+ CK_C_INITIALIZE_ARGS cinit_args = { NULL, NULL, NULL, NULL, 0, NULL };
+
++CK_BYTE pub_exp[] = { 0x1, 0x0, 0x1 }; // 65537
+
+ extern void stlogterm();
+ extern void stloginit();
+@@ -1926,11 +1931,30 @@
+       goto done;
+    }
+
++   for (i=0; i<ulCount; i++) {
++      if (pTemplate[i].type == CKA_PUBLIC_EXPONENT) {
++         if (pTemplate[i].ulValueLen < sizeof(pub_exp)) {

[James Simonsen, 2010/12/07 22:32:21]

It seems like this should only be checked if we're actually going to use
pub_expr.

[Nelson Araujo, 2010/12/07 23:20:33]

correct. that's what the if() in the line immediately above ensures.

++            rc = CKR_BUFFER_TOO_SMALL;
++            goto done;
++         }
++      }
++   }
++
+    rc = object_mgr_get_attribute_values( sess, hObject, pTemplate, ulCount );
+    if (rc != CKR_OK){
+       st_err_log(159, __FILE__, __LINE__);
+    }
+
++   for (i=0; i<ulCount; i++) {
++      if (pTemplate[i].type == CKA_PUBLIC_EXPONENT) {
++         if (rc || pTemplate[i].ulValueLen == 0) {
++            // Use well-known exponent if value not stored by the device
++            memcpy( pTemplate[i].pValue, pub_exp, sizeof(pub_exp) );
++            pTemplate[i].ulValueLen = sizeof(pub_exp);
++           rc = 0;
++         }
++      }
++   }
+
+ done:
+    LLOCK;
+