000021134 - Protect flag functions incorrectly in Keon Certificate Authority API 6.5.1 example code

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021134
Applies ToKeon Certificate Authority 6.5.1 API
IssueProtect flag functions incorrectly in Keon Certificate Authority API 6.5.1 example code
Error 4
CauseThe sample code provided with the API 6.5.1 has a series of examples in the "pkiSamples" folder which have an option to set a flag in tier configuration file to protect the private key written to file, for example:

        protect 1

If the sample code is run with this flag, the program will generate an error 4 and fail.  This is due to a minor error in the example code in a block of code which is executed if the protect flag is set, i.e.

        if (protectFlag)
        {
                ...
        }
ResolutionThe corrected code is as shown below. NOTE: The way the example code is written means the user will be prompted for the passphrase 3 times - this is the correct behavior and occurs in the following situations:

1. When the key pair is generated

2. When XudaKeyWriteToFile() decrypts the protected key

3. When XudaKeyWriteToFile() encodes the key and saves it to file


The corrected code reads as follows:


   if(protectFlag)
     {
          /* Set XudaResources via cryptoInfo to protect private key */

          rc = XudaCreateCryptoInfo(session, XudaCryptoDSAKeygen, 0, (XCCNonlocal),
                                    0, NULL, &cryptoInfo );
          if (rc != XrcOK)
            {
                fprintf(stderr,"XudaCreateCryptoInfo failed with error code [%d]\n", rc);
                goto cleanup;
            }
          rc = XudaModifyCryptoInfo(session, cryptoInfo,
                                    "passwordcb",
                                    XudaXPTFunctionPtrTemp((void (*)())passphraseCallback),
                                    NULL );
          if (rc != XrcOK)
            {
                fprintf(stderr,"XudaModifyCryptoInfo failed with error code [%d]\n", rc);
                goto cleanup;
            }
                
          rc = XudaSetResourceValue( session, XresCRYPTOKEYPAIRGEN, cryptoInfo, NULL );
          if (rc != XrcOK)
            {
                XudaFree(spReqObj);
                printf("unable to set KEYPAIRGEN resource\n");
                return NULL;
            }

          /* set the flag showing that we  wish to encrypt (protect) the retrieved
             Xuda key object */
          rc = XudaSetResourceValue(session, XresPROTECTSOFTWAREKEYS, 1, NULL);
          if (rc != XrcOK)
            {
                fprintf(stderr,"XudaSetResourceValue failed with error code [%d]\n", rc);
                goto cleanup;
            }
         rc = XudaSetResourceValue( session, XresCRYPTODECRYPT, cryptoInfo, NULL );
          if (rc != XrcOK)
            {
                XudaFree(spReqObj);
                printf("unable to set CRYPTODECRYPT resource\n");
                return NULL;
            }
         rc = XudaSetResourceValue( session, XresCRYPTOENCRYPT, cryptoInfo, NULL );
          if (rc != XrcOK)
            {
                XudaFree(spReqObj);
                printf("unable to set CRYPTOENCRYPT resource\n");
                return NULL;
            }
     }
Legacy Article IDa21028

Attachments

    Outcomes